Bugzilla bug 131427: added softkver.c to softoken Mac build. Set

MWFTP_Post_password to null value to reduce the noise in diffs.

921 files changed, 424412 insertions, 0 deletions

diff --git a/security/nss/lib/Makefile b/security/nss/lib/Makefile
new file mode 100644
index 000000000..92aa6ff63
--- /dev/null
+++ b/security/nss/lib/Makefile
@@ -0,0 +1,89 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+ifdef MOZILLA_SECURITY_BUILD
+FILES=$(shell ls -d $(CORE_DEPTH)/../../ns/security/lib/crypto/*)
+
+export::
+	if test -d $(CORE_DEPTH)/../../ns/security/lib/crypto; then \
+	    $(NSINSTALL) -D crypto; \
+	    for file in $(FILES) ; do \
+		if test -f $$file; then \
+		    $(INSTALL) -m 444 $$file crypto; \
+		fi; \
+	    done;  \
+	    $(INSTALL) -m 444 freebl/sha_fast.c crypto; \
+	    $(INSTALL) -m 444 freebl/sha_fast.h crypto; \
+	fi
+endif
diff --git a/security/nss/lib/asn1/Makefile b/security/nss/lib/asn1/Makefile
new file mode 100644
index 000000000..4cbbfed70
--- /dev/null
+++ b/security/nss/lib/asn1/Makefile
@@ -0,0 +1,40 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+export:: private_export
diff --git a/security/nss/lib/asn1/asn1.c b/security/nss/lib/asn1/asn1.c
new file mode 100644
index 000000000..9c584c770
--- /dev/null
+++ b/security/nss/lib/asn1/asn1.c
@@ -0,0 +1,1727 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * asn1.c
+ *
+ * At this point in time, this file contains the NSS wrappers for
+ * the old "SEC" ASN.1 encoder/decoder stuff.
+ */
+
+#ifndef ASN1M_H
+#include "asn1m.h"
+#endif /* ASN1M_H */
+
+#include "plarena.h"
+#include "secasn1.h"
+
+/*
+ * The pointer-tracking stuff
+ */
+
+#ifdef DEBUG
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+static nssPointerTracker decoder_pointer_tracker;
+
+static PRStatus
+decoder_add_pointer
+(
+  const nssASN1Decoder *decoder
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&decoder_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return rv;
+  }
+
+  rv = nssPointerTracker_add(&decoder_pointer_tracker, decoder);
+  if( PR_SUCCESS != rv ) {
+    NSSError e = NSS_GetError();
+    if( NSS_ERROR_NO_MEMORY != e ) {
+      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    }
+
+    return rv;
+  }
+
+  return PR_SUCCESS;
+}
+
+static PRStatus
+decoder_remove_pointer
+(
+  const nssASN1Decoder *decoder
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_remove(&decoder_pointer_tracker, decoder);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  }
+
+  return rv;
+}
+
+/*
+ * nssASN1Decoder_verify
+ *
+ * This routine is only available in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an nssASN1Decoder
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_IMPLEMENT PRStatus
+nssASN1Decoder_verify
+(
+  nssASN1Decoder *decoder
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&decoder_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return PR_FAILURE;
+  }
+
+  rv = nssPointerTracker_verify(&decoder_pointer_tracker, decoder);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_ASN1DECODER);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+static nssPointerTracker encoder_pointer_tracker;
+
+static PRStatus
+encoder_add_pointer
+(
+  const nssASN1Encoder *encoder
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&encoder_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return rv;
+  }
+
+  rv = nssPointerTracker_add(&encoder_pointer_tracker, encoder);
+  if( PR_SUCCESS != rv ) {
+    NSSError e = NSS_GetError();
+    if( NSS_ERROR_NO_MEMORY != e ) {
+      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    }
+
+    return rv;
+  }
+
+  return PR_SUCCESS;
+}
+
+static PRStatus
+encoder_remove_pointer
+(
+  const nssASN1Encoder *encoder
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_remove(&encoder_pointer_tracker, encoder);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  }
+
+  return rv;
+}
+
+/*
+ * nssASN1Encoder_verify
+ *
+ * This routine is only available in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an nssASN1Encoder
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_IMPLEMENT PRStatus
+nssASN1Encoder_verify
+(
+  nssASN1Encoder *encoder
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&encoder_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return PR_FAILURE;
+  }
+
+  rv = nssPointerTracker_verify(&encoder_pointer_tracker, encoder);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_ASN1ENCODER);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+#endif /* DEBUG */
+
+/*
+ * nssASN1Decoder_Create
+ *
+ * This routine creates an ASN.1 Decoder, which will use the specified
+ * template to decode a datastream into the specified destination
+ * structure.  If the optional arena argument is non-NULL, blah blah 
+ * blah.  XXX fgmr Should we include an nssASN1EncodingType argument, 
+ * as a hint?  Or is each encoding distinctive?  This routine may 
+ * return NULL upon error, in which case an error will have been 
+ * placed upon the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_POINTER
+ *  ...
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an ASN.1 Decoder upon success.
+ */
+
+NSS_IMPLEMENT nssASN1Decoder *
+nssASN1Decoder_Create
+(
+  NSSArena *arenaOpt,
+  void *destination,
+  const nssASN1Template template[]
+)
+{
+  SEC_ASN1DecoderContext *rv;
+  PLArenaPool *hack = (PLArenaPool *)arenaOpt;
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (nssASN1Decoder *)NULL;
+    }
+  }
+
+  /* 
+   * May destination be NULL?  I'd think so, since one might
+   * have only a filter proc.  But if not, check the pointer here.
+   */
+
+  if( (nssASN1Template *)NULL == template ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (nssASN1Decoder *)NULL;
+  }
+#endif /* DEBUG */
+
+  rv = SEC_ASN1DecoderStart(hack, destination, template);
+  if( (SEC_ASN1DecoderContext *)NULL == rv ) {
+    nss_SetError(PORT_GetError()); /* also evil */
+    return (nssASN1Decoder *)NULL;
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != decoder_add_pointer(rv) ) {
+    (void)SEC_ASN1DecoderFinish(rv);
+    return (nssASN1Decoder *)NULL;
+  }
+#endif /* DEBUG */
+
+  return (nssASN1Decoder *)rv;
+}
+
+/*
+ * nssASN1Decoder_Update
+ *
+ * This routine feeds data to the decoder.  In the event of an error, 
+ * it will place an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *  NSS_ERROR_INVALID_BER
+ *  ...
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success.
+ */
+
+NSS_IMPLEMENT PRStatus
+nssASN1Decoder_Update
+(
+  nssASN1Decoder *decoder,
+  const void *data,
+  PRUint32 amount
+)
+{
+  SECStatus rv;
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssASN1Decoder_verify(decoder) ) {
+    return PR_FAILURE;
+  }
+
+  if( (void *)NULL == data ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  rv = SEC_ASN1DecoderUpdate((SEC_ASN1DecoderContext *)decoder, 
+                             (const char *)data,
+                             (unsigned long)amount);
+  if( SECSuccess != rv ) {
+    nss_SetError(PORT_GetError()); /* ugly */
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nssASN1Decoder_Finish
+ *
+ * This routine finishes the decoding and destroys the decoder.
+ * In the event of an error, it will place an error on the error
+ * stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_IMPLEMENT PRStatus
+nssASN1Decoder_Finish
+(
+  nssASN1Decoder *decoder
+)
+{
+  PRStatus rv = PR_SUCCESS;
+  SECStatus srv;
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssASN1Decoder_verify(decoder) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  srv = SEC_ASN1DecoderFinish((SEC_ASN1DecoderContext *)decoder);
+
+  if( SECSuccess != srv ) {
+    nss_SetError(PORT_GetError()); /* ugly */
+    rv = PR_FAILURE;
+  }
+
+#ifdef DEBUG
+  {
+    PRStatus rv2 = decoder_remove_pointer(decoder);
+    if( PR_SUCCESS == rv ) {
+      rv = rv2;
+    }
+  }
+#endif /* DEBUG */
+
+  return rv;
+}
+
+/*
+ * nssASN1Decoder_SetFilter
+ *
+ * This routine registers a callback filter routine with the decoder,
+ * which will be called blah blah blah.  The specified argument will
+ * be passed as-is to the filter routine.  The routine pointer may
+ * be NULL, in which case no filter callback will be called.  If the
+ * noStore boolean is PR_TRUE, then decoded fields will not be stored
+ * in the destination structure specified when the decoder was 
+ * created.  This routine returns a PRStatus value; in the event of
+ * an error, it will place an error on the error stack and return
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_IMPLEMENT PRStatus
+nssASN1Decoder_SetFilter
+(
+  nssASN1Decoder *decoder,
+  nssASN1DecoderFilterFunction *callback,
+  void *argument,
+  PRBool noStore
+)
+{
+#ifdef DEBUG
+  if( PR_SUCCESS != nssASN1Decoder_verify(decoder) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  if( (nssASN1DecoderFilterFunction *)NULL == callback ) {
+     SEC_ASN1DecoderClearFilterProc((SEC_ASN1DecoderContext *)decoder);
+  } else {
+     SEC_ASN1DecoderSetFilterProc((SEC_ASN1DecoderContext *)decoder,
+                                  (SEC_ASN1WriteProc)callback,
+                                  argument, noStore);
+  }
+
+  /* No error returns defined for those routines */
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nssASN1Decoder_GetFilter
+ *
+ * If the optional pCallbackOpt argument to this routine is non-null,
+ * then the pointer to any callback function established for this
+ * decoder with nssASN1Decoder_SetFilter will be stored at the 
+ * location indicated by it.  If the optional pArgumentOpt
+ * pointer is non-null, the filter's closure argument will be stored
+ * there.  If the optional pNoStoreOpt pointer is non-null, the
+ * noStore value specified when setting the filter will be stored
+ * there.  This routine returns a PRStatus value; in the event of
+ * an error it will place an error on the error stack and return
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+NSS_IMPLEMENT PRStatus
+nssASN1Decoder_GetFilter
+(
+  nssASN1Decoder *decoder,
+  nssASN1DecoderFilterFunction **pCallbackOpt,
+  void **pArgumentOpt,
+  PRBool *pNoStoreOpt
+)
+{
+#ifdef DEBUG
+  if( PR_SUCCESS != nssASN1Decoder_verify(decoder) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  if( (nssASN1DecoderFilterFunction **)NULL != pCallbackOpt ) {
+    *pCallbackOpt = (nssASN1DecoderFilterFunction *)NULL;
+  }
+
+  if( (void **)NULL != pArgumentOpt ) {
+    *pArgumentOpt = (void *)NULL;
+  }
+
+  if( (PRBool *)NULL != pNoStoreOpt ) {
+    *pNoStoreOpt = PR_FALSE;
+  }
+
+  /* Error because it's unimplemented */
+  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  return PR_FAILURE;
+}
+
+/*
+ * nssASN1Decoder_SetNotify
+ *
+ * This routine registers a callback notify routine with the decoder,
+ * which will be called whenever.. The specified argument will be
+ * passed as-is to the notify routine.  The routine pointer may be
+ * NULL, in which case no notify routine will be called.  This routine
+ * returns a PRStatus value; in the event of an error it will place
+ * an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_IMPLEMENT PRStatus
+nssASN1Decoder_SetNotify
+(
+  nssASN1Decoder *decoder,
+  nssASN1NotifyFunction *callback,
+  void *argument
+)
+{
+#ifdef DEBUG
+  if( PR_SUCCESS != nssASN1Decoder_verify(decoder) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  if( (nssASN1NotifyFunction *)NULL == callback ) {
+    SEC_ASN1DecoderClearNotifyProc((SEC_ASN1DecoderContext *)decoder);
+  } else {
+    SEC_ASN1DecoderSetNotifyProc((SEC_ASN1DecoderContext *)decoder,
+                                 (SEC_ASN1NotifyProc)callback,
+                                 argument);
+  }
+
+  /* No error returns defined for those routines */
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nssASN1Decoder_GetNotify
+ *
+ * If the optional pCallbackOpt argument to this routine is non-null,
+ * then the pointer to any callback function established for this
+ * decoder with nssASN1Decoder_SetNotify will be stored at the 
+ * location indicated by it.  If the optional pArgumentOpt pointer is
+ * non-null, the filter's closure argument will be stored there.
+ * This routine returns a PRStatus value; in the event of an error it
+ * will place an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_IMPLEMENT PRStatus
+nssASN1Decoder_GetNotify
+(
+  nssASN1Decoder *decoder,
+  nssASN1NotifyFunction **pCallbackOpt,
+  void **pArgumentOpt
+)
+{
+#ifdef DEBUG
+  if( PR_SUCCESS != nssASN1Decoder_verify(decoder) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  if( (nssASN1NotifyFunction **)NULL != pCallbackOpt ) {
+    *pCallbackOpt = (nssASN1NotifyFunction *)NULL;
+  }
+
+  if( (void **)NULL != pArgumentOpt ) {
+    *pArgumentOpt = (void *)NULL;
+  }
+
+  /* Error because it's unimplemented */
+  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  return PR_FAILURE;
+}
+
+/*
+ * nssASN1_Decode
+ *
+ * This routine will decode the specified data into the specified
+ * destination structure, as specified by the specified template.
+ * This routine returns a PRStatus value; in the event of an error
+ * it will place an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_INVALID_BER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_IMPLEMENT PRStatus
+nssASN1_Decode
+(
+  NSSArena *arenaOpt,
+  void *destination,
+  const nssASN1Template template[],
+  const void *berData,
+  PRUint32 amount
+)
+{
+  PRStatus rv;
+  nssASN1Decoder *decoder;
+
+  /* This call will do our pointer-checking for us! */
+  decoder = nssASN1Decoder_Create(arenaOpt, destination, template);
+  if( (nssASN1Decoder *)NULL == decoder ) {
+    return PR_FAILURE;
+  }
+
+  rv = nssASN1Decoder_Update(decoder, berData, amount);
+  if( PR_SUCCESS != nssASN1Decoder_Finish(decoder) ) {
+    rv = PR_FAILURE;
+  }
+
+  return rv;
+}
+
+/*
+ * nssASN1_DecodeBER
+ *
+ * This routine will decode the data in the specified NSSBER
+ * into the destination structure, as specified by the template.
+ * This routine returns a PRStatus value; in the event of an error
+ * it will place an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_INVALID_NSSBER
+ *  NSS_ERROR_INVALID_BER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_IMPLEMENT PRStatus
+nssASN1_DecodeBER
+(
+  NSSArena *arenaOpt,
+  void *destination,
+  const nssASN1Template template[],
+  const NSSBER *data
+)
+{
+  return nssASN1_Decode(arenaOpt, destination, template, 
+                        data->data, data->size);
+}
+
+/*
+ * nssASN1Encoder_Create
+ *
+ * This routine creates an ASN.1 Encoder, blah blah blah.  This 
+ * may return NULL upon error, in which case an error will have been
+ * placed on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_POINTER
+ *  ...
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an ASN.1 Encoder upon success
+ */
+
+NSS_IMPLEMENT nssASN1Encoder *
+nssASN1Encoder_Create
+(
+  const void *source,
+  const nssASN1Template template[],
+  NSSASN1EncodingType encoding,
+  nssASN1EncoderWriteFunction *sink,
+  void *argument
+)
+{
+  SEC_ASN1EncoderContext *rv;
+
+#ifdef DEBUG
+  if( (void *)NULL == source ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (nssASN1Encoder *)NULL;
+  }
+
+  if( (nssASN1Template *)NULL == template ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (nssASN1Encoder *)NULL;
+  }
+
+  if( (nssASN1EncoderWriteFunction *)NULL == sink ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (nssASN1Encoder *)NULL;
+  }
+#endif /* DEBUG */
+
+  switch( encoding ) {
+  case NSSASN1BER:
+  case NSSASN1DER:
+    break;
+  case NSSASN1CER:
+  case NSSASN1LWER:
+  case NSSASN1PER:
+  case NSSASN1UnknownEncoding:
+  default:
+    nss_SetError(NSS_ERROR_ENCODING_NOT_SUPPORTED);
+    return (nssASN1Encoder *)NULL;
+  }
+
+  rv = SEC_ASN1EncoderStart((void *)source, template, 
+                            (SEC_ASN1WriteProc)sink, argument);
+  if( (SEC_ASN1EncoderContext *)NULL == rv ) {
+    nss_SetError(PORT_GetError()); /* ugly */
+    return (nssASN1Encoder *)NULL;
+  }
+
+  if( NSSASN1DER == encoding ) {
+    sec_ASN1EncoderSetDER(rv);
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != encoder_add_pointer(rv) ) {
+    (void)SEC_ASN1EncoderFinish(rv);
+    return (nssASN1Encoder *)NULL;
+  }
+#endif /* DEBUG */
+
+  return (nssASN1Encoder *)rv;
+}
+
+/*
+ * nssASN1Encoder_Update
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_IMPLEMENT PRStatus
+nssASN1Encoder_Update
+(
+  nssASN1Encoder *encoder,
+  const void *data,
+  PRUint32 length
+)
+{
+  SECStatus rv;
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
+    return PR_FAILURE;
+  }
+
+  /*
+   * Can data legitimately be NULL?  If not, verify..
+   */
+#endif /* DEBUG */
+
+  rv = SEC_ASN1EncoderUpdate((SEC_ASN1EncoderContext *)encoder,
+                             (const char *)data, 
+                             (unsigned long)length);
+  if( SECSuccess != rv ) {
+    nss_SetError(PORT_GetError()); /* ugly */
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nssASN1Encoder_Finish
+ *
+ * Destructor.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_IMPLEMENT PRStatus
+nssASN1Encoder_Finish
+(
+  nssASN1Encoder *encoder
+)
+{
+  PRStatus rv;
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  SEC_ASN1EncoderFinish((SEC_ASN1EncoderContext *)encoder);
+  rv = PR_SUCCESS; /* no error return defined for that call */
+
+#ifdef DEBUG
+  {
+    PRStatus rv2 = encoder_remove_pointer(encoder);
+    if( PR_SUCCESS == rv ) {
+      rv = rv2;
+    }
+  }
+#endif /* DEBUG */
+
+  return rv;
+}
+
+/*
+ * nssASN1Encoder_SetNotify
+ *
+ * This routine registers a callback notify routine with the encoder,
+ * which will be called whenever.. The specified argument will be
+ * passed as-is to the notify routine.  The routine pointer may be
+ * NULL, in which case no notify routine will be called.  This routine
+ * returns a PRStatus value; in the event of an error it will place
+ * an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_IMPLEMENT PRStatus
+nssASN1Encoder_SetNotify
+(
+  nssASN1Encoder *encoder,
+  nssASN1NotifyFunction *callback,
+  void *argument
+)
+{
+#ifdef DEBUG
+  if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  if( (nssASN1NotifyFunction *)NULL == callback ) {
+    SEC_ASN1EncoderClearNotifyProc((SEC_ASN1EncoderContext *)encoder);
+  } else {
+    SEC_ASN1EncoderSetNotifyProc((SEC_ASN1EncoderContext *)encoder,
+                                 (SEC_ASN1NotifyProc)callback,
+                                 argument);
+  }
+
+  /* no error return defined for those routines */
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nssASN1Encoder_GetNotify
+ *
+ * If the optional pCallbackOpt argument to this routine is non-null,
+ * then the pointer to any callback function established for this
+ * decoder with nssASN1Encoder_SetNotify will be stored at the 
+ * location indicated by it.  If the optional pArgumentOpt pointer is
+ * non-null, the filter's closure argument will be stored there.
+ * This routine returns a PRStatus value; in the event of an error it
+ * will place an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_IMPLEMENT PRStatus
+nssASN1Encoder_GetNotify
+(
+  nssASN1Encoder *encoder,
+  nssASN1NotifyFunction **pCallbackOpt,
+  void **pArgumentOpt
+)
+{
+#ifdef DEBUG
+  if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  if( (nssASN1NotifyFunction **)NULL != pCallbackOpt ) {
+    *pCallbackOpt = (nssASN1NotifyFunction *)NULL;
+  }
+
+  if( (void **)NULL != pArgumentOpt ) {
+    *pArgumentOpt = (void *)NULL;
+  }
+
+  /* Error because it's unimplemented */
+  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  return PR_FAILURE;
+}
+
+/*
+ * nssASN1Encoder_SetStreaming
+ *
+ * 
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_IMPLEMENT PRStatus
+nssASN1Encoder_SetStreaming
+(
+  nssASN1Encoder *encoder,
+  PRBool streaming
+)
+{
+  SEC_ASN1EncoderContext *cx = (SEC_ASN1EncoderContext *)encoder;
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  if( streaming ) {
+    SEC_ASN1EncoderSetStreaming(cx);
+  } else {
+    SEC_ASN1EncoderClearStreaming(cx);
+  }
+
+  /* no error return defined for those routines */
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nssASN1Encoder_GetStreaming
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Encoder_GetStreaming
+(
+  nssASN1Encoder *encoder,
+  PRBool *pStreaming
+)
+{
+#ifdef DEBUG
+  if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  if( (PRBool *)NULL != pStreaming ) {
+    *pStreaming = PR_FALSE;
+  }
+
+  /* Error because it's unimplemented */
+  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  return PR_FAILURE;
+}
+
+/*
+ * nssASN1Encoder_SetTakeFromBuffer
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_IMPLEMENT PRStatus
+nssASN1Encoder_SetTakeFromBuffer
+(
+  nssASN1Encoder *encoder,
+  PRBool takeFromBuffer
+)
+{
+  SEC_ASN1EncoderContext *cx = (SEC_ASN1EncoderContext *)encoder;
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  if( takeFromBuffer ) {
+    SEC_ASN1EncoderSetTakeFromBuf(cx);
+  } else {
+    SEC_ASN1EncoderClearTakeFromBuf(cx);
+  }
+
+  /* no error return defined for those routines */
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nssASN1Encoder_GetTakeFromBuffer
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_IMPLEMENT PRStatus
+nssASN1Encoder_GetTakeFromBuffer
+(
+  nssASN1Encoder *encoder,
+  PRBool *pTakeFromBuffer
+)
+{
+#ifdef DEBUG
+  if( PR_SUCCESS != nssASN1Encoder_verify(encoder) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  if( (PRBool *)NULL != pTakeFromBuffer ) {
+    *pTakeFromBuffer = PR_FALSE;
+  }
+
+  /* Error because it's unimplemented */
+  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  return PR_FAILURE;
+}
+
+/*
+ * nssASN1_Encode
+ *
+ * 
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_ENCODING_NOT_SUPPORTED
+ *  ...
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_IMPLEMENT PRStatus
+nssASN1_Encode
+(
+  const void *source,
+  const nssASN1Template template[],
+  NSSASN1EncodingType encoding,
+  nssASN1EncoderWriteFunction *sink,
+  void *argument
+)
+{
+  PRStatus rv;
+  nssASN1Encoder *encoder;
+
+  encoder = nssASN1Encoder_Create(source, template, encoding, sink, argument);
+  if( (nssASN1Encoder *)NULL == encoder ) {
+    return PR_FAILURE;
+  }
+
+  rv = nssASN1Encoder_Update(encoder, (const void *)NULL, 0);
+  if( PR_SUCCESS != nssASN1Encoder_Finish(encoder) ) {
+    rv = PR_FAILURE;
+  }
+
+  return rv;
+}
+
+/*
+ * nssasn1_encode_item_count
+ *
+ * This is a helper function for nssASN1_EncodeItem.  It just counts
+ * up the space required for an encoding.
+ */
+
+static void
+nssasn1_encode_item_count
+(
+  void *arg,
+  const char *buf,
+  unsigned long len,
+  int depth,
+  nssASN1EncodingPart data_kind
+)
+{
+  unsigned long *count;
+
+  count = (unsigned long*)arg;
+  PR_ASSERT (count != NULL);
+
+  *count += len;
+}
+
+/*
+ * nssasn1_encode_item_store
+ *
+ * This is a helper function for nssASN1_EncodeItem.  It appends the
+ * new data onto the destination item.
+ */
+
+static void
+nssasn1_encode_item_store
+(
+  void *arg,
+  const char *buf,
+  unsigned long len,
+  int depth,
+  nssASN1EncodingPart data_kind
+)
+{
+  NSSItem *dest;
+
+  dest = (NSSItem*)arg;
+  PR_ASSERT (dest != NULL);
+
+  memcpy((unsigned char *)dest->data + dest->size, buf, len);
+  dest->size += len;
+}
+
+/*
+ * nssASN1_EncodeItem
+ *
+ * There must be a better name.  If the optional arena argument is
+ * non-null, it'll be used for the space.  If the optional rvOpt is
+ * non-null, it'll be the return value-- if it is null, a new one
+ * will be allocated.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_ENCODING_NOT_SUPPORTED
+ *
+ * Return value:
+ *  NULL upon error
+ *  A valid pointer to an NSSDER upon success
+ */
+
+NSS_IMPLEMENT NSSDER *
+nssASN1_EncodeItem
+(
+  NSSArena *arenaOpt,
+  NSSDER *rvOpt,
+  const void *source,
+  const nssASN1Template template[],
+  NSSASN1EncodingType encoding
+)
+{
+  NSSDER *rv;
+  PRUint32 len = 0;
+  PRStatus status;
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSDER *)NULL;
+    }
+  }
+
+  if( (void *)NULL == source ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (NSSDER *)NULL;
+  }
+
+  if( (nssASN1Template *)NULL == template ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (NSSDER *)NULL;
+  }
+#endif /* DEBUG */
+
+  status = nssASN1_Encode(source, template, encoding, 
+                          (nssASN1EncoderWriteFunction *)nssasn1_encode_item_count, 
+                          &len);
+  if( PR_SUCCESS != status ) {
+    return (NSSDER *)NULL;
+  }
+
+  if( (NSSDER *)NULL == rvOpt ) {
+    rv = nss_ZNEW(arenaOpt, NSSDER);
+    if( (NSSDER *)NULL == rv ) {
+      return (NSSDER *)NULL;
+    }
+  } else {
+    rv = rvOpt;
+  }
+
+  rv->size = len;
+  rv->data = nss_ZAlloc(arenaOpt, len);
+  if( (void *)NULL == rv->data ) {
+    if( (NSSDER *)NULL == rvOpt ) {
+      nss_ZFreeIf(rv);
+    }
+    return (NSSDER *)NULL;
+  }
+
+  rv->size = 0; /* for nssasn1_encode_item_store */
+
+  status = nssASN1_Encode(source, template, encoding,
+                          (nssASN1EncoderWriteFunction *)nssasn1_encode_item_store, 
+                          rv);
+  if( PR_SUCCESS != status ) {
+    nss_ZFreeIf(rv->data);
+    if( (NSSDER *)NULL == rvOpt ) {
+      nss_ZFreeIf(rv);
+    }
+    return (NSSDER *)NULL;
+  }
+
+  PR_ASSERT(rv->size == len);
+
+  return rv;
+}
+
+/*
+ * nssASN1_CreatePRUint32FromBER
+ *
+ */
+
+NSS_IMPLEMENT PRStatus
+nssASN1_CreatePRUint32FromBER
+(
+  NSSBER *encoded,
+  PRUint32 *pResult
+)
+{
+  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  return PR_FALSE;
+}
+
+/*
+ * nssASN1_GetDERFromPRUint32
+ *
+ */
+
+NSS_EXTERN NSSDER *
+nssASN1_GetDERFromPRUint32
+(
+  NSSArena *arenaOpt,
+  NSSDER *rvOpt,
+  PRUint32 value
+)
+{
+  NSSDER *rv;
+  PLArenaPool *hack = (PLArenaPool *)arenaOpt;
+  SECItem *item;
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSDER *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  if( (NSSDER *)NULL == rvOpt ) {
+    rv = nss_ZNEW(arenaOpt, NSSDER);
+    if( (NSSDER *)NULL == rv ) {
+      return (NSSDER *)NULL;
+    }
+  } else {
+    rv = rvOpt;
+  }
+
+  item = SEC_ASN1EncodeUnsignedInteger(hack, (SECItem *)rv, value);
+  if( (SECItem *)NULL == item ) {
+    if( (NSSDER *)NULL == rvOpt ) {
+      (void)nss_ZFreeIf(rv);
+    }
+
+    nss_SetError(PORT_GetError()); /* ugly */
+    return (NSSDER *)NULL;
+  }
+
+  /* 
+   * I happen to know that these things look alike.. but I'm only
+   * doing it for these "temporary" wrappers.  This is an evil thing.
+   */
+  return (NSSDER *)item;
+}
+
+/*himom*/
+NSS_IMPLEMENT PRStatus
+nssASN1_CreatePRInt32FromBER
+(
+  NSSBER *encoded,
+  PRInt32 *pResult
+)
+{
+  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  return PR_FALSE;
+}
+
+/*
+ * nssASN1_GetDERFromPRInt32
+ *
+ */
+
+NSS_IMPLEMENT NSSDER *
+nssASN1_GetDERFromPRInt32
+(
+  NSSArena *arenaOpt,
+  NSSDER *rvOpt,
+  PRInt32 value
+)
+{
+  NSSDER *rv;
+  PLArenaPool *hack = (PLArenaPool *)arenaOpt;
+  SECItem *item;
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSDER *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  if( (NSSDER *)NULL == rvOpt ) {
+    rv = nss_ZNEW(arenaOpt, NSSDER);
+    if( (NSSDER *)NULL == rv ) {
+      return (NSSDER *)NULL;
+    }
+  } else {
+    rv = rvOpt;
+  }
+
+  item = SEC_ASN1EncodeInteger(hack, (SECItem *)rv, value);
+  if( (SECItem *)NULL == item ) {
+    if( (NSSDER *)NULL == rvOpt ) {
+      (void)nss_ZFreeIf(rv);
+    }
+
+    nss_SetError(PORT_GetError()); /* ugly */
+    return (NSSDER *)NULL;
+  }
+
+  /* 
+   * I happen to know that these things look alike.. but I'm only
+   * doing it for these "temporary" wrappers.  This is an evil thing.
+   */
+  return (NSSDER *)item;
+}
+
+/*
+ * Generic Templates
+ * One for each of the simple types, plus a special one for ANY, plus:
+ *	- a pointer to each one of those
+ *	- a set of each one of those
+ *
+ * Note that these are alphabetical (case insensitive); please add new
+ * ones in the appropriate place.
+ */
+
+const nssASN1Template *nssASN1Template_Any =                             (nssASN1Template *)SEC_AnyTemplate;
+const nssASN1Template *nssASN1Template_BitString =                       (nssASN1Template *)SEC_BitStringTemplate;
+const nssASN1Template *nssASN1Template_BMPString =                       (nssASN1Template *)SEC_BMPStringTemplate;
+const nssASN1Template *nssASN1Template_Boolean =                         (nssASN1Template *)SEC_BooleanTemplate;
+const nssASN1Template *nssASN1Template_Enumerated =                      (nssASN1Template *)SEC_EnumeratedTemplate;
+const nssASN1Template *nssASN1Template_GeneralizedTime =                 (nssASN1Template *)SEC_GeneralizedTimeTemplate;
+const nssASN1Template *nssASN1Template_IA5String =                       (nssASN1Template *)SEC_IA5StringTemplate;
+const nssASN1Template *nssASN1Template_Integer =                         (nssASN1Template *)SEC_IntegerTemplate;
+const nssASN1Template *nssASN1Template_Null =                            (nssASN1Template *)SEC_NullTemplate;
+const nssASN1Template *nssASN1Template_ObjectID =                        (nssASN1Template *)SEC_ObjectIDTemplate;
+const nssASN1Template *nssASN1Template_OctetString =                     (nssASN1Template *)SEC_OctetStringTemplate;
+const nssASN1Template *nssASN1Template_PrintableString =                 (nssASN1Template *)SEC_PrintableStringTemplate;
+const nssASN1Template *nssASN1Template_T61String =                       (nssASN1Template *)SEC_T61StringTemplate;
+const nssASN1Template *nssASN1Template_UniversalString =                 (nssASN1Template *)SEC_UniversalStringTemplate;
+const nssASN1Template *nssASN1Template_UTCTime =                         (nssASN1Template *)SEC_UTCTimeTemplate;
+const nssASN1Template *nssASN1Template_UTF8String =                      (nssASN1Template *)SEC_UTF8StringTemplate;
+const nssASN1Template *nssASN1Template_VisibleString =                   (nssASN1Template *)SEC_VisibleStringTemplate;
+
+const nssASN1Template *nssASN1Template_PointerToAny =                    (nssASN1Template *)SEC_PointerToAnyTemplate;
+const nssASN1Template *nssASN1Template_PointerToBitString =              (nssASN1Template *)SEC_PointerToBitStringTemplate;
+const nssASN1Template *nssASN1Template_PointerToBMPString =              (nssASN1Template *)SEC_PointerToBMPStringTemplate;
+const nssASN1Template *nssASN1Template_PointerToBoolean =                (nssASN1Template *)SEC_PointerToBooleanTemplate;
+const nssASN1Template *nssASN1Template_PointerToEnumerated =             (nssASN1Template *)SEC_PointerToEnumeratedTemplate;
+const nssASN1Template *nssASN1Template_PointerToGeneralizedTime =        (nssASN1Template *)SEC_PointerToGeneralizedTimeTemplate;
+const nssASN1Template *nssASN1Template_PointerToIA5String =              (nssASN1Template *)SEC_PointerToIA5StringTemplate;
+const nssASN1Template *nssASN1Template_PointerToInteger =                (nssASN1Template *)SEC_PointerToIntegerTemplate;
+const nssASN1Template *nssASN1Template_PointerToNull =                   (nssASN1Template *)SEC_PointerToNullTemplate;
+const nssASN1Template *nssASN1Template_PointerToObjectID =               (nssASN1Template *)SEC_PointerToObjectIDTemplate;
+const nssASN1Template *nssASN1Template_PointerToOctetString =            (nssASN1Template *)SEC_PointerToOctetStringTemplate;
+const nssASN1Template *nssASN1Template_PointerToPrintableString =        (nssASN1Template *)SEC_PointerToPrintableStringTemplate;
+const nssASN1Template *nssASN1Template_PointerToT61String =              (nssASN1Template *)SEC_PointerToT61StringTemplate;
+const nssASN1Template *nssASN1Template_PointerToUniversalString =        (nssASN1Template *)SEC_PointerToUniversalStringTemplate;
+const nssASN1Template *nssASN1Template_PointerToUTCTime =                (nssASN1Template *)SEC_PointerToUTCTimeTemplate;
+const nssASN1Template *nssASN1Template_PointerToUTF8String =             (nssASN1Template *)SEC_PointerToUTF8StringTemplate;
+const nssASN1Template *nssASN1Template_PointerToVisibleString =          (nssASN1Template *)SEC_PointerToVisibleStringTemplate;
+
+const nssASN1Template *nssASN1Template_SetOfAny =                        (nssASN1Template *)SEC_SetOfAnyTemplate;
+const nssASN1Template *nssASN1Template_SetOfBitString =                  (nssASN1Template *)SEC_SetOfBitStringTemplate;
+const nssASN1Template *nssASN1Template_SetOfBMPString =                  (nssASN1Template *)SEC_SetOfBMPStringTemplate;
+const nssASN1Template *nssASN1Template_SetOfBoolean =                    (nssASN1Template *)SEC_SetOfBooleanTemplate;
+const nssASN1Template *nssASN1Template_SetOfEnumerated =                 (nssASN1Template *)SEC_SetOfEnumeratedTemplate;
+const nssASN1Template *nssASN1Template_SetOfGeneralizedTime =            (nssASN1Template *)SEC_SetOfGeneralizedTimeTemplate;
+const nssASN1Template *nssASN1Template_SetOfIA5String =                  (nssASN1Template *)SEC_SetOfIA5StringTemplate;
+const nssASN1Template *nssASN1Template_SetOfInteger =                    (nssASN1Template *)SEC_SetOfIntegerTemplate;
+const nssASN1Template *nssASN1Template_SetOfNull =                       (nssASN1Template *)SEC_SetOfNullTemplate;
+const nssASN1Template *nssASN1Template_SetOfObjectID =                   (nssASN1Template *)SEC_SetOfObjectIDTemplate;
+const nssASN1Template *nssASN1Template_SetOfOctetString =                (nssASN1Template *)SEC_SetOfOctetStringTemplate;
+const nssASN1Template *nssASN1Template_SetOfPrintableString =            (nssASN1Template *)SEC_SetOfPrintableStringTemplate;
+const nssASN1Template *nssASN1Template_SetOfT61String =                  (nssASN1Template *)SEC_SetOfT61StringTemplate;
+const nssASN1Template *nssASN1Template_SetOfUniversalString =            (nssASN1Template *)SEC_SetOfUniversalStringTemplate;
+const nssASN1Template *nssASN1Template_SetOfUTCTime =                    (nssASN1Template *)SEC_SetOfUTCTimeTemplate;
+const nssASN1Template *nssASN1Template_SetOfUTF8String =                 (nssASN1Template *)SEC_SetOfUTF8StringTemplate;
+const nssASN1Template *nssASN1Template_SetOfVisibleString =              (nssASN1Template *)SEC_SetOfVisibleStringTemplate;
+
+/*
+ *
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+nssUTF8_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  nssStringType type,
+  NSSBER *berData
+)
+{
+  NSSUTF8 *rv = NULL;
+  PRUint8 tag;
+  NSSArena *a;
+  NSSItem in;
+  NSSItem out;
+  PRStatus st;
+  const nssASN1Template *templ;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+
+  if( (NSSBER *)NULL == berData ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (void *)NULL == berData->data ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  a = NSSArena_Create();
+  if( (NSSArena *)NULL == a ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  in = *berData;
+
+  /*
+   * By the way, at first I succumbed to the temptation to make
+   * this an incestuous nested switch statement.  Count yourself
+   * lucky I cleaned it up.
+   */
+
+  switch( type ) {
+  case nssStringType_DirectoryString:
+    /*
+     * draft-ietf-pkix-ipki-part1-11 says in part:
+     *
+     * DirectoryString { INTEGER:maxSize } ::= CHOICE {
+     *   teletexString           TeletexString (SIZE (1..maxSize)),
+     *   printableString         PrintableString (SIZE (1..maxSize)),
+     *   universalString         UniversalString (SIZE (1..maxSize)),
+     *   bmpString               BMPString (SIZE(1..maxSize)),
+     *   utf8String              UTF8String (SIZE(1..maxSize))
+     *                       }
+     *
+     * The tags are:
+     *  TeletexString       UNIVERSAL 20
+     *  PrintableString     UNIVERSAL 19
+     *  UniversalString     UNIVERSAL 28
+     *  BMPString           UNIVERSAL 30
+     *  UTF8String          UNIVERSAL 12
+     *
+     * "UNIVERSAL" tags have bits 8 and 7 zero, bit 6 is zero for
+     * primitive encodings, and if the tag value is less than 30,
+     * the tag value is directly encoded in bits 5 through 1.
+     */
+    in.data = (void *)&(((PRUint8 *)berData->data)[1]);
+    in.size = berData->size-1;
+    
+    tag = *(PRUint8 *)berData->data;
+    switch( tag & nssASN1_TAGNUM_MASK ) {
+    case 20:
+      /*
+       * XXX fgmr-- we have to accept Latin-1 for Teletex; (see
+       * below) but is T61 a suitable value for "Latin-1"?
+       */
+      templ = nssASN1Template_T61String;
+      type = nssStringType_TeletexString;
+      break;
+    case 19:
+      templ = nssASN1Template_PrintableString;
+      type = nssStringType_PrintableString;
+      break;
+    case 28:
+      templ = nssASN1Template_UniversalString;
+      type = nssStringType_UniversalString;
+      break;
+    case 30:
+      templ = nssASN1Template_BMPString;
+      type = nssStringType_BMPString;
+      break;
+    case 12:
+      templ = nssASN1Template_UTF8String;
+      type = nssStringType_UTF8String;
+      break;
+    default:
+      nss_SetError(NSS_ERROR_INVALID_POINTER); /* "pointer"? */
+      (void)NSSArena_Destroy(a);
+      return (NSSUTF8 *)NULL;
+    }
+
+    break;
+
+  case nssStringType_TeletexString:
+    /*
+     * XXX fgmr-- we have to accept Latin-1 for Teletex; (see
+     * below) but is T61 a suitable value for "Latin-1"?
+     */
+    templ = nssASN1Template_T61String;
+    break;
+   
+  case nssStringType_PrintableString:
+    templ = nssASN1Template_PrintableString;
+    break;
+
+  case nssStringType_UniversalString:
+    templ = nssASN1Template_UniversalString;
+    break;
+
+  case nssStringType_BMPString:
+    templ = nssASN1Template_BMPString;
+    break;
+
+  case nssStringType_UTF8String:
+    templ = nssASN1Template_UTF8String;
+    break;
+
+  case nssStringType_PHGString:
+    templ = nssASN1Template_IA5String;
+    break;
+
+  default:
+    nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
+    (void)NSSArena_Destroy(a);
+    return (NSSUTF8 *)NULL;
+  }
+    
+  st = nssASN1_DecodeBER(a, &out, templ, &in);
+  
+  if( PR_SUCCESS == st ) {
+    rv = nssUTF8_Create(arenaOpt, type, out.data, out.size);
+  }
+  (void)NSSArena_Destroy(a);
+  
+  return rv;
+}
+
+NSS_EXTERN NSSDER *
+nssUTF8_GetDEREncoding
+(
+  NSSArena *arenaOpt,
+  nssStringType type,
+  const NSSUTF8 *string
+)
+{
+  NSSDER *rv = (NSSDER *)NULL;
+  NSSItem str;
+  NSSDER *der;
+  const nssASN1Template *templ;
+  NSSArena *a;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSDER *)NULL;
+    }
+  }
+
+  if( (const NSSUTF8 *)NULL == string ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (NSSDER *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  str.data = (void *)string;
+  str.size = nssUTF8_Size(string, (PRStatus *)NULL);
+  if( 0 == str.size ) {
+    return (NSSDER *)NULL;
+  }
+
+  a = NSSArena_Create();
+  if( (NSSArena *)NULL == a ) {
+    return (NSSDER *)NULL;
+  }
+
+  switch( type ) {
+  case nssStringType_DirectoryString:
+    {
+      NSSDER *utf;
+      PRUint8 *c;
+
+      utf = nssASN1_EncodeItem(a, (NSSDER *)NULL, &str, 
+                               nssASN1Template_UTF8String,
+                               NSSASN1DER);
+      if( (NSSDER *)NULL == utf ) {
+        (void)NSSArena_Destroy(a);
+        return (NSSDER *)NULL;
+      }
+
+      rv = nss_ZNEW(arenaOpt, NSSDER);
+      if( (NSSDER *)NULL == rv ) {
+        (void)NSSArena_Destroy(a);
+        return (NSSDER *)NULL;
+      }
+
+      rv->size = utf->size + 1;
+      rv->data = nss_ZAlloc(arenaOpt, rv->size);
+      if( (void *)NULL == rv->data ) {
+        (void)nss_ZFreeIf(rv);
+        (void)NSSArena_Destroy(a);
+        return (NSSDER *)NULL;
+      }
+      
+      c = (PRUint8 *)rv->data;
+      (void)nsslibc_memcpy(&c[1], utf->data, utf->size);
+      *c = 12; /* UNIVERSAL primitive encoding tag for UTF8String */
+
+      (void)NSSArena_Destroy(a);
+      return rv;
+    }
+  case nssStringType_TeletexString:
+    /*
+     * XXX fgmr-- we have to accept Latin-1 for Teletex; (see
+     * below) but is T61 a suitable value for "Latin-1"?
+     */
+    templ = nssASN1Template_T61String;
+    break;
+  case nssStringType_PrintableString:
+    templ = nssASN1Template_PrintableString;
+    break;
+
+  case nssStringType_UniversalString:
+    templ = nssASN1Template_UniversalString;
+    break;
+
+  case nssStringType_BMPString:
+    templ = nssASN1Template_BMPString;
+    break;
+
+  case nssStringType_UTF8String:
+    templ = nssASN1Template_UTF8String;
+    break;
+
+  case nssStringType_PHGString:
+    templ = nssASN1Template_IA5String;
+    break;
+
+  default:
+    nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
+    (void)NSSArena_Destroy(a);
+    return (NSSDER *)NULL;
+  }
+
+  der = nssUTF8_GetDEREncoding(a, type, string);
+  if( (NSSItem *)NULL == der ) {
+    (void)NSSArena_Destroy(a);
+    return (NSSDER *)NULL;
+  }
+
+  rv = nssASN1_EncodeItem(arenaOpt, (NSSDER *)NULL, der, templ, NSSASN1DER);
+  if( (NSSDER *)NULL == rv ) {
+    (void)NSSArena_Destroy(a);
+    return (NSSDER *)NULL;
+  }
+
+  (void)NSSArena_Destroy(a);
+  return rv;
+}
diff --git a/security/nss/lib/asn1/asn1.h b/security/nss/lib/asn1/asn1.h
new file mode 100644
index 000000000..a81f3213d
--- /dev/null
+++ b/security/nss/lib/asn1/asn1.h
@@ -0,0 +1,879 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef ASN1_H
+#define ASN1_H
+
+#ifdef DEBUG
+static const char ASN1_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * asn1.h
+ *
+ * This file contains the ASN.1 encoder/decoder routines available
+ * internally within NSS.  It's not clear right now if this file
+ * will be folded into base.h or something, I just needed to get this
+ * going.  At the moment, most of these routines wrap the old SEC_ASN1
+ * calls.
+ */
+
+#ifndef ASN1T_H
+#include "asn1t.h"
+#endif /* ASN1T_H */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * nssASN1Decoder
+ *
+ * ... description here ...
+ *
+ *  nssASN1Decoder_Create (Factory/Constructor)
+ *  nssASN1Decoder_Update
+ *  nssASN1Decoder_Finish (Destructor)
+ *  nssASN1Decoder_SetFilter
+ *  nssASN1Decoder_GetFilter
+ *  nssASN1Decoder_SetNotify
+ *  nssASN1Decoder_GetNotify
+ *
+ * Debug builds only:
+ *
+ *  nssASN1Decoder_verify
+ *
+ * Related functions that aren't type methods:
+ *
+ *  nssASN1_Decode
+ *  nssASN1_DecodeBER
+ */
+
+/*
+ * nssASN1Decoder_Create
+ *
+ * This routine creates an ASN.1 Decoder, which will use the specified
+ * template to decode a datastream into the specified destination
+ * structure.  If the optional arena argument is non-NULL, blah blah 
+ * blah.  XXX fgmr Should we include an nssASN1EncodingType argument, 
+ * as a hint?  Or is each encoding distinctive?  This routine may 
+ * return NULL upon error, in which case an error will have been 
+ * placed upon the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_POINTER
+ *  ...
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an ASN.1 Decoder upon success.
+ */
+
+NSS_EXTERN nssASN1Decoder *
+nssASN1Decoder_Create
+(
+  NSSArena *arenaOpt,
+  void *destination,
+  const nssASN1Template template[]
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+
+/*
+ * nssASN1Decoder_Update
+ *
+ * This routine feeds data to the decoder.  In the event of an error, 
+ * it will place an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *  NSS_ERROR_INVALID_BER
+ *  ...
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success.
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Decoder_Update
+(
+  nssASN1Decoder *decoder,
+  const void *data,
+  PRUint32 amount
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
+extern const NSSError NSS_ERROR_INVALID_BER;
+
+/*
+ * nssASN1Decoder_Finish
+ *
+ * This routine finishes the decoding and destroys the decoder.
+ * In the event of an error, it will place an error on the error
+ * stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Decoder_Finish
+(
+  nssASN1Decoder *decoder
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
+
+/*
+ * nssASN1Decoder_SetFilter
+ *
+ * This routine registers a callback filter routine with the decoder,
+ * which will be called blah blah blah.  The specified argument will
+ * be passed as-is to the filter routine.  The routine pointer may
+ * be NULL, in which case no filter callback will be called.  If the
+ * noStore boolean is PR_TRUE, then decoded fields will not be stored
+ * in the destination structure specified when the decoder was 
+ * created.  This routine returns a PRStatus value; in the event of
+ * an error, it will place an error on the error stack and return
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Decoder_SetFilter
+(
+  nssASN1Decoder *decoder,
+  nssASN1DecoderFilterFunction *callback,
+  void *argument,
+  PRBool noStore
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
+
+/*
+ * nssASN1Decoder_GetFilter
+ *
+ * If the optional pCallbackOpt argument to this routine is non-null,
+ * then the pointer to any callback function established for this
+ * decoder with nssASN1Decoder_SetFilter will be stored at the 
+ * location indicated by it.  If the optional pArgumentOpt
+ * pointer is non-null, the filter's closure argument will be stored
+ * there.  If the optional pNoStoreOpt pointer is non-null, the
+ * noStore value specified when setting the filter will be stored
+ * there.  This routine returns a PRStatus value; in the event of
+ * an error it will place an error on the error stack and return
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Decoder_GetFilter
+(
+  nssASN1Decoder *decoder,
+  nssASN1DecoderFilterFunction **pCallbackOpt,
+  void **pArgumentOpt,
+  PRBool *pNoStoreOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
+
+/*
+ * nssASN1Decoder_SetNotify
+ *
+ * This routine registers a callback notify routine with the decoder,
+ * which will be called whenever.. The specified argument will be
+ * passed as-is to the notify routine.  The routine pointer may be
+ * NULL, in which case no notify routine will be called.  This routine
+ * returns a PRStatus value; in the event of an error it will place
+ * an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Decoder_SetNotify
+(
+  nssASN1Decoder *decoder,
+  nssASN1NotifyFunction *callback,
+  void *argument
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
+
+/*
+ * nssASN1Decoder_GetNotify
+ *
+ * If the optional pCallbackOpt argument to this routine is non-null,
+ * then the pointer to any callback function established for this
+ * decoder with nssASN1Decoder_SetNotify will be stored at the 
+ * location indicated by it.  If the optional pArgumentOpt pointer is
+ * non-null, the filter's closure argument will be stored there.
+ * This routine returns a PRStatus value; in the event of an error it
+ * will place an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Decoder_GetNotify
+(
+  nssASN1Decoder *decoder,
+  nssASN1NotifyFunction **pCallbackOpt,
+  void **pArgumentOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
+
+/*
+ * nssASN1Decoder_verify
+ *
+ * This routine is only available in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an nssASN1Decoder
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+#ifdef DEBUG
+NSS_EXTERN PRStatus
+nssASN1Decoder_verify
+(
+  nssASN1Decoder *decoder
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1DECODER;
+#endif /* DEBUG */
+
+/*
+ * nssASN1_Decode
+ *
+ * This routine will decode the specified data into the specified
+ * destination structure, as specified by the specified template.
+ * This routine returns a PRStatus value; in the event of an error
+ * it will place an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_INVALID_BER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1_Decode
+(
+  NSSArena *arenaOpt,
+  void *destination,
+  const nssASN1Template template[],
+  const void *berData,
+  PRUint32 amount
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_INVALID_BER;
+
+/*
+ * nssASN1_DecodeBER
+ *
+ * This routine will decode the data in the specified NSSBER
+ * into the destination structure, as specified by the template.
+ * This routine returns a PRStatus value; in the event of an error
+ * it will place an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_INVALID_NSSBER
+ *  NSS_ERROR_INVALID_BER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1_DecodeBER
+(
+  NSSArena *arenaOpt,
+  void *destination,
+  const nssASN1Template template[],
+  const NSSBER *data
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_INVALID_BER;
+
+/*
+ * nssASN1Encoder
+ *
+ * ... description here ...
+ *
+ *  nssASN1Encoder_Create (Factory/Constructor)
+ *  nssASN1Encoder_Update
+ *  nssASN1Encoder_Finish (Destructor)
+ *  nssASN1Encoder_SetNotify
+ *  nssASN1Encoder_GetNotify
+ *  nssASN1Encoder_SetStreaming
+ *  nssASN1Encoder_GetStreaming
+ *  nssASN1Encoder_SetTakeFromBuffer
+ *  nssASN1Encoder_GetTakeFromBuffer
+ *
+ * Debug builds only:
+ *
+ *  nssASN1Encoder_verify
+ *
+ * Related functions that aren't type methods:
+ *
+ *  nssASN1_Encode
+ *  nssASN1_EncodeItem
+ */
+
+/*
+ * nssASN1Encoder_Create
+ *
+ * This routine creates an ASN.1 Encoder, blah blah blah.  This 
+ * may return NULL upon error, in which case an error will have been
+ * placed on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_ENCODING_NOT_SUPPORTED
+ *  ...
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an ASN.1 Encoder upon success
+ */
+
+NSS_EXTERN nssASN1Encoder *
+nssASN1Encoder_Create
+(
+  const void *source,
+  const nssASN1Template template[],
+  NSSASN1EncodingType encoding,
+  nssASN1EncoderWriteFunction *sink,
+  void *argument
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_ENCODING_NOT_SUPPORTED;
+
+/*
+ * nssASN1Encoder_Update
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Encoder_Update
+(
+  nssASN1Encoder *encoder,
+  const void *data,
+  PRUint32 length
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+
+/*
+ * nssASN1Encoder_Finish
+ *
+ * Destructor.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Encoder_Finish
+(
+  nssASN1Encoder *encoder
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
+
+/*
+ * nssASN1Encoder_SetNotify
+ *
+ * This routine registers a callback notify routine with the encoder,
+ * which will be called whenever.. The specified argument will be
+ * passed as-is to the notify routine.  The routine pointer may be
+ * NULL, in which case no notify routine will be called.  This routine
+ * returns a PRStatus value; in the event of an error it will place
+ * an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1DECODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Encoder_SetNotify
+(
+  nssASN1Encoder *encoder,
+  nssASN1NotifyFunction *callback,
+  void *argument
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
+
+/*
+ * nssASN1Encoder_GetNotify
+ *
+ * If the optional pCallbackOpt argument to this routine is non-null,
+ * then the pointer to any callback function established for this
+ * decoder with nssASN1Encoder_SetNotify will be stored at the 
+ * location indicated by it.  If the optional pArgumentOpt pointer is
+ * non-null, the filter's closure argument will be stored there.
+ * This routine returns a PRStatus value; in the event of an error it
+ * will place an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Encoder_GetNotify
+(
+  nssASN1Encoder *encoder,
+  nssASN1NotifyFunction **pCallbackOpt,
+  void **pArgumentOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
+
+/*
+ * nssASN1Encoder_SetStreaming
+ *
+ * 
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Encoder_SetStreaming
+(
+  nssASN1Encoder *encoder,
+  PRBool streaming
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
+
+/*
+ * nssASN1Encoder_GetStreaming
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Encoder_GetStreaming
+(
+  nssASN1Encoder *encoder,
+  PRBool *pStreaming
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+
+/*
+ * nssASN1Encoder_SetTakeFromBuffer
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Encoder_SetTakeFromBuffer
+(
+  nssASN1Encoder *encoder,
+  PRBool takeFromBuffer
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
+
+/*
+ * nssASN1Encoder_GetTakeFromBuffer
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1Encoder_GetTakeFromBuffer
+(
+  nssASN1Encoder *encoder,
+  PRBool *pTakeFromBuffer
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+
+/*
+ * nssASN1Encoder_verify
+ *
+ * This routine is only available in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an nssASN1Encoder
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ASN1ENCODER
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+#ifdef DEBUG
+NSS_EXTERN PRStatus
+nssASN1Encoder_verify
+(
+  nssASN1Encoder *encoder
+);
+
+extern const NSSError NSS_ERROR_INVALID_ASN1ENCODER;
+#endif /* DEBUG */
+
+/*
+ * nssASN1_Encode
+ *
+ * 
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_ENCODING_NOT_SUPPORTED
+ *  ...
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssASN1_Encode
+(
+  const void *source,
+  const nssASN1Template template[],
+  NSSASN1EncodingType encoding,
+  nssASN1EncoderWriteFunction *sink,
+  void *argument
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_ENCODING_NOT_SUPPORTED;
+
+/*
+ * nssASN1_EncodeItem
+ *
+ * There must be a better name.  If the optional arena argument is
+ * non-null, it'll be used for the space.  If the optional rvOpt is
+ * non-null, it'll be the return value-- if it is null, a new one
+ * will be allocated.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_ENCODING_NOT_SUPPORTED
+ *
+ * Return value:
+ *  NULL upon error
+ *  A valid pointer to an NSSDER upon success
+ */
+
+NSS_EXTERN NSSDER *
+nssASN1_EncodeItem
+(
+  NSSArena *arenaOpt,
+  NSSDER *rvOpt,
+  const void *source,
+  const nssASN1Template template[],
+  NSSASN1EncodingType encoding
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_ENCODING_NOT_SUPPORTED;
+
+/*
+ * Other basic types' encoding and decoding helper functions:
+ *
+ *  nssASN1_CreatePRUint32FromBER
+ *  nssASN1_GetDERFromPRUint32
+ *  nssASN1_CreatePRInt32FromBER
+ *  nssASN1_GetDERFromPRInt32
+ * ..etc..
+ */
+
+/*
+ * nssASN1_CreatePRUint32FromBER
+ *
+ */
+
+NSS_EXTERN PRStatus
+nssASN1_CreatePRUint32FromBER
+(
+  NSSBER *encoded,
+  PRUint32 *pResult
+);
+
+/*
+ * nssASN1_GetDERFromPRUint32
+ *
+ */
+
+NSS_EXTERN NSSDER *
+nssASN1_GetDERFromPRUint32
+(
+  NSSArena *arenaOpt,
+  NSSDER *rvOpt,
+  PRUint32 value
+);
+
+/*
+ * nssASN1_CreatePRInt32FromBER
+ *
+ */
+
+NSS_EXTERN PRStatus
+nssASN1_CreatePRInt32FromBER
+(
+  NSSBER *encoded,
+  PRInt32 *pResult
+);
+
+/*
+ * nssASN1_GetDERFromPRInt32
+ *
+ */
+
+NSS_EXTERN NSSDER *
+nssASN1_GetDERFromPRInt32
+(
+  NSSArena *arenaOpt,
+  NSSDER *rvOpt,
+  PRInt32 value
+);
+
+/*
+ * Builtin templates
+ */
+
+/*
+ * Generic Templates
+ * One for each of the simple types, plus a special one for ANY, plus:
+ *	- a pointer to each one of those
+ *	- a set of each one of those
+ *
+ * Note that these are alphabetical (case insensitive); please add new
+ * ones in the appropriate place.
+ */
+
+extern const nssASN1Template *nssASN1Template_Any;
+extern const nssASN1Template *nssASN1Template_BitString;
+extern const nssASN1Template *nssASN1Template_BMPString;
+extern const nssASN1Template *nssASN1Template_Boolean;
+extern const nssASN1Template *nssASN1Template_Enumerated;
+extern const nssASN1Template *nssASN1Template_GeneralizedTime;
+extern const nssASN1Template *nssASN1Template_IA5String;
+extern const nssASN1Template *nssASN1Template_Integer;
+extern const nssASN1Template *nssASN1Template_Null;
+extern const nssASN1Template *nssASN1Template_ObjectID;
+extern const nssASN1Template *nssASN1Template_OctetString;
+extern const nssASN1Template *nssASN1Template_PrintableString;
+extern const nssASN1Template *nssASN1Template_T61String;
+extern const nssASN1Template *nssASN1Template_UniversalString;
+extern const nssASN1Template *nssASN1Template_UTCTime;
+extern const nssASN1Template *nssASN1Template_UTF8String;
+extern const nssASN1Template *nssASN1Template_VisibleString;
+
+extern const nssASN1Template *nssASN1Template_PointerToAny;
+extern const nssASN1Template *nssASN1Template_PointerToBitString;
+extern const nssASN1Template *nssASN1Template_PointerToBMPString;
+extern const nssASN1Template *nssASN1Template_PointerToBoolean;
+extern const nssASN1Template *nssASN1Template_PointerToEnumerated;
+extern const nssASN1Template *nssASN1Template_PointerToGeneralizedTime;
+extern const nssASN1Template *nssASN1Template_PointerToIA5String;
+extern const nssASN1Template *nssASN1Template_PointerToInteger;
+extern const nssASN1Template *nssASN1Template_PointerToNull;
+extern const nssASN1Template *nssASN1Template_PointerToObjectID;
+extern const nssASN1Template *nssASN1Template_PointerToOctetString;
+extern const nssASN1Template *nssASN1Template_PointerToPrintableString;
+extern const nssASN1Template *nssASN1Template_PointerToT61String;
+extern const nssASN1Template *nssASN1Template_PointerToUniversalString;
+extern const nssASN1Template *nssASN1Template_PointerToUTCTime;
+extern const nssASN1Template *nssASN1Template_PointerToUTF8String;
+extern const nssASN1Template *nssASN1Template_PointerToVisibleString;
+
+extern const nssASN1Template *nssASN1Template_SetOfAny;
+extern const nssASN1Template *nssASN1Template_SetOfBitString;
+extern const nssASN1Template *nssASN1Template_SetOfBMPString;
+extern const nssASN1Template *nssASN1Template_SetOfBoolean;
+extern const nssASN1Template *nssASN1Template_SetOfEnumerated;
+extern const nssASN1Template *nssASN1Template_SetOfGeneralizedTime;
+extern const nssASN1Template *nssASN1Template_SetOfIA5String;
+extern const nssASN1Template *nssASN1Template_SetOfInteger;
+extern const nssASN1Template *nssASN1Template_SetOfNull;
+extern const nssASN1Template *nssASN1Template_SetOfObjectID;
+extern const nssASN1Template *nssASN1Template_SetOfOctetString;
+extern const nssASN1Template *nssASN1Template_SetOfPrintableString;
+extern const nssASN1Template *nssASN1Template_SetOfT61String;
+extern const nssASN1Template *nssASN1Template_SetOfUniversalString;
+extern const nssASN1Template *nssASN1Template_SetOfUTCTime;
+extern const nssASN1Template *nssASN1Template_SetOfUTF8String;
+extern const nssASN1Template *nssASN1Template_SetOfVisibleString;
+
+/*
+ *
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssUTF8_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  nssStringType type,
+  NSSBER *berData
+);
+
+NSS_EXTERN NSSDER *
+nssUTF8_GetDEREncoding
+(
+  NSSArena *arenaOpt,
+  /* Should have an NSSDER *rvOpt */
+  nssStringType type,
+  const NSSUTF8 *string
+);
+
+PR_END_EXTERN_C
+
+#endif /* ASN1_H */
diff --git a/security/nss/lib/asn1/asn1m.h b/security/nss/lib/asn1/asn1m.h
new file mode 100644
index 000000000..37ed91919
--- /dev/null
+++ b/security/nss/lib/asn1/asn1m.h
@@ -0,0 +1,80 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef ASN1M_H
+#define ASN1M_H
+
+#ifdef DEBUG
+static const char ASN1M_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * asn1m.h
+ *
+ * This file contains the ASN.1 encoder/decoder routines available
+ * only within the ASN.1 module itself.
+ */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * nssasn1_number_length
+ *
+ */
+
+NSS_EXTERN PRUint32
+nssasn1_length_length
+(
+  PRUint32 number
+);
+
+/*
+ * nssasn1_get_subtemplate
+ *
+ */
+
+NSS_EXTERN const nssASN1Template *
+nssasn1_get_subtemplate
+(
+  const nssASN1Template template[],
+  void *thing,
+  PRBool encoding
+);
+
+PR_END_EXTERN_C
+
+#endif /* ASN1M_H */
diff --git a/security/nss/lib/asn1/asn1t.h b/security/nss/lib/asn1/asn1t.h
new file mode 100644
index 000000000..2f6c52cea
--- /dev/null
+++ b/security/nss/lib/asn1/asn1t.h
@@ -0,0 +1,166 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef ASN1T_H
+#define ASN1T_H
+
+#ifdef DEBUG
+static const char ASN1T_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * asn1t.h
+ *
+ * This file contains the ASN.1 encoder/decoder types available 
+ * internally within NSS.  It's not clear right now if this file
+ * will be folded into baset.h or something, I just needed to
+ * get this going.  At the moment, these types are wrappers for
+ * the old types.
+ */
+
+#ifndef BASET_H
+#include "baset.h"
+#endif /* BASET_H */
+
+#ifndef NSSASN1T_H
+#include "nssasn1t.h"
+#endif /* NSSASN1T_H */
+
+#include "seccomon.h"
+#include "secasn1t.h"
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * XXX fgmr
+ *
+ * This sort of bites.  Let's keep an eye on this, to make sure
+ * we aren't stuck with it forever.
+ */
+
+struct nssASN1ItemStr {
+  PRUint32 reserved;
+  PRUint8 *data;
+  PRUint32 size;
+};
+
+typedef struct nssASN1ItemStr nssASN1Item;
+
+/*
+ * I'm not documenting these here, since this'll require another
+ * pass anyway.
+ */
+
+typedef SEC_ASN1Template nssASN1Template;
+
+#define nssASN1_TAG_MASK               SEC_ASN1_TAG_MASK
+
+#define nssASN1_TAGNUM_MASK            SEC_ASN1_TAGNUM_MASK
+#define nssASN1_BOOLEAN                SEC_ASN1_BOOLEAN
+#define nssASN1_INTEGER                SEC_ASN1_INTEGER
+#define nssASN1_BIT_STRING             SEC_ASN1_BIT_STRING
+#define nssASN1_OCTET_STRING           SEC_ASN1_OCTET_STRING
+#define nssASN1_NULL                   SEC_ASN1_NULL
+#define nssASN1_OBJECT_ID              SEC_ASN1_OBJECT_ID
+#define nssASN1_OBJECT_DESCRIPTOR      SEC_ASN1_OBJECT_DESCRIPTOR
+/* External type and instance-of type   0x08 */
+#define nssASN1_REAL                   SEC_ASN1_REAL
+#define nssASN1_ENUMERATED             SEC_ASN1_ENUMERATED
+#define nssASN1_EMBEDDED_PDV           SEC_ASN1_EMBEDDED_PDV
+#define nssASN1_UTF8_STRING            SEC_ASN1_UTF8_STRING
+#define nssASN1_SEQUENCE               SEC_ASN1_SEQUENCE
+#define nssASN1_SET                    SEC_ASN1_SET
+#define nssASN1_NUMERIC_STRING         SEC_ASN1_NUMERIC_STRING
+#define nssASN1_PRINTABLE_STRING       SEC_ASN1_PRINTABLE_STRING
+#define nssASN1_T61_STRING             SEC_ASN1_T61_STRING
+#define nssASN1_TELETEX_STRING         nssASN1_T61_STRING
+#define nssASN1_VIDEOTEX_STRING        SEC_ASN1_VIDEOTEX_STRING
+#define nssASN1_IA5_STRING             SEC_ASN1_IA5_STRING
+#define nssASN1_UTC_TIME               SEC_ASN1_UTC_TIME
+#define nssASN1_GENERALIZED_TIME       SEC_ASN1_GENERALIZED_TIME
+#define nssASN1_GRAPHIC_STRING         SEC_ASN1_GRAPHIC_STRING
+#define nssASN1_VISIBLE_STRING         SEC_ASN1_VISIBLE_STRING
+#define nssASN1_GENERAL_STRING         SEC_ASN1_GENERAL_STRING
+#define nssASN1_UNIVERSAL_STRING       SEC_ASN1_UNIVERSAL_STRING
+/*                                      0x1d */
+#define nssASN1_BMP_STRING             SEC_ASN1_BMP_STRING
+#define nssASN1_HIGH_TAG_NUMBER        SEC_ASN1_HIGH_TAG_NUMBER
+
+#define nssASN1_METHOD_MASK            SEC_ASN1_METHOD_MASK
+#define nssASN1_PRIMITIVE              SEC_ASN1_PRIMITIVE
+#define nssASN1_CONSTRUCTED            SEC_ASN1_CONSTRUCTED
+                                                                
+#define nssASN1_CLASS_MASK             SEC_ASN1_CLASS_MASK
+#define nssASN1_UNIVERSAL              SEC_ASN1_UNIVERSAL
+#define nssASN1_APPLICATION            SEC_ASN1_APPLICATION
+#define nssASN1_CONTEXT_SPECIFIC       SEC_ASN1_CONTEXT_SPECIFIC
+#define nssASN1_PRIVATE                SEC_ASN1_PRIVATE
+
+#define nssASN1_OPTIONAL               SEC_ASN1_OPTIONAL 
+#define nssASN1_EXPLICIT               SEC_ASN1_EXPLICIT 
+#define nssASN1_ANY                    SEC_ASN1_ANY      
+#define nssASN1_INLINE                 SEC_ASN1_INLINE   
+#define nssASN1_POINTER                SEC_ASN1_POINTER  
+#define nssASN1_GROUP                  SEC_ASN1_GROUP    
+#define nssASN1_DYNAMIC                SEC_ASN1_DYNAMIC  
+#define nssASN1_SKIP                   SEC_ASN1_SKIP     
+#define nssASN1_INNER                  SEC_ASN1_INNER    
+#define nssASN1_SAVE                   SEC_ASN1_SAVE     
+#define nssASN1_MAY_STREAM             SEC_ASN1_MAY_STREAM
+#define nssASN1_SKIP_REST              SEC_ASN1_SKIP_REST
+#define nssASN1_CHOICE                 SEC_ASN1_CHOICE
+
+#define nssASN1_SEQUENCE_OF            SEC_ASN1_SEQUENCE_OF 
+#define nssASN1_SET_OF                 SEC_ASN1_SET_OF      
+#define nssASN1_ANY_CONTENTS           SEC_ASN1_ANY_CONTENTS
+
+typedef SEC_ASN1TemplateChooserPtr nssASN1ChooseTemplateFunction;
+
+typedef SEC_ASN1DecoderContext nssASN1Decoder;
+typedef SEC_ASN1EncoderContext nssASN1Encoder;
+
+typedef enum {
+  nssASN1EncodingPartIdentifier    = SEC_ASN1_Identifier,
+  nssASN1EncodingPartLength        = SEC_ASN1_Length,
+  nssASN1EncodingPartContents      = SEC_ASN1_Contents,
+  nssASN1EncodingPartEndOfContents = SEC_ASN1_EndOfContents
+} nssASN1EncodingPart;
+
+typedef SEC_ASN1NotifyProc nssASN1NotifyFunction;
+
+typedef SEC_ASN1WriteProc nssASN1EncoderWriteFunction;
+typedef SEC_ASN1WriteProc nssASN1DecoderFilterFunction;
+
+PR_END_EXTERN_C
+
+#endif /* ASN1T_H */
diff --git a/security/nss/lib/asn1/config.mk b/security/nss/lib/asn1/config.mk
new file mode 100644
index 000000000..4a9ed7dda
--- /dev/null
+++ b/security/nss/lib/asn1/config.mk
@@ -0,0 +1,48 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+ifdef BUILD_IDG
+DEFINES += -DNSSDEBUG
+endif
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/asn1/manifest.mn b/security/nss/lib/asn1/manifest.mn
new file mode 100644
index 000000000..36558ab60
--- /dev/null
+++ b/security/nss/lib/asn1/manifest.mn
@@ -0,0 +1,55 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+CORE_DEPTH = ../../..
+
+PRIVATE_EXPORTS = \
+	asn1t.h		  \
+	asn1m.h		  \
+	asn1.h		  \
+	nssasn1t.h	  \
+	$(NULL)
+
+EXPORTS =	   \
+	$(NULL)
+
+MODULE = security
+
+CSRCS =		   \
+	asn1.c	   \
+	$(NULL)
+
+REQUIRES = security nspr
+
+LIBRARY_NAME = asn1
diff --git a/security/nss/lib/asn1/nssasn1t.h b/security/nss/lib/asn1/nssasn1t.h
new file mode 100644
index 000000000..2488892b4
--- /dev/null
+++ b/security/nss/lib/asn1/nssasn1t.h
@@ -0,0 +1,67 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef NSSASN1T_H
+#define NSSASN1T_H
+
+#ifdef DEBUG
+static const char NSSASN1T_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * nssasn1t.h
+ *
+ * This file contains the public types related to our ASN.1 encoder 
+ * and decoder.
+ */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * NSSASN1EncodingType
+ *
+ * This type enumerates specific types of ASN.1 encodings.
+ */
+
+typedef enum {
+  NSSASN1BER,               /* Basic Encoding Rules */
+  NSSASN1CER,               /* Canonical Encoding Rules */
+  NSSASN1DER,               /* Distinguished Encoding Rules */
+  NSSASN1LWER,              /* LightWeight Encoding Rules */
+  NSSASN1PER,               /* Packed Encoding Rules */
+  NSSASN1UnknownEncoding = -1
+} NSSASN1EncodingType;
+
+PR_END_EXTERN_C
+
+#endif /* NSSASN1T_H */
diff --git a/security/nss/lib/base/Makefile b/security/nss/lib/base/Makefile
new file mode 100644
index 000000000..4cbbfed70
--- /dev/null
+++ b/security/nss/lib/base/Makefile
@@ -0,0 +1,40 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+export:: private_export
diff --git a/security/nss/lib/base/arena.c b/security/nss/lib/base/arena.c
new file mode 100644
index 000000000..31bf5f485
--- /dev/null
+++ b/security/nss/lib/base/arena.c
@@ -0,0 +1,1141 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * arena.c
+ *
+ * This contains the implementation of NSS's thread-safe arenas.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#ifdef ARENA_THREADMARK
+#include "prthread.h"
+#endif /* ARENA_THREADMARK */
+
+#include "prlock.h"
+#include "plarena.h"
+
+#include <string.h>
+
+/*
+ * NSSArena
+ *
+ * This is based on NSPR's arena code, but it is threadsafe.
+ *
+ * The public methods relating to this type are:
+ *
+ *  NSSArena_Create  -- constructor
+ *  NSSArena_Destroy
+ *
+ * The nonpublic methods relating to this type are:
+ *
+ *  nssArena_Create  -- constructor
+ *  nssArena_Destroy
+ *  nssArena_Mark
+ *  nssArena_Release
+ *  nssArena_Unmark
+ * 
+ *  nss_ZAlloc
+ *  nss_ZFreeIf
+ *  nss_ZRealloc
+ *
+ * In debug builds, the following calls are available:
+ *
+ *  nssArena_verifyPointer
+ *  nssArena_registerDestructor
+ *  nssArena_deregisterDestructor
+ */
+
+struct NSSArenaStr {
+  PLArenaPool pool;
+  PRLock *lock;
+#ifdef ARENA_THREADMARK
+  PRThread *marking_thread;
+  nssArenaMark *first_mark;
+  nssArenaMark *last_mark;
+#endif /* ARENA_THREADMARK */
+#ifdef ARENA_DESTRUCTOR_LIST
+  struct arena_destructor_node *first_destructor;
+  struct arena_destructor_node *last_destructor;
+#endif /* ARENA_DESTRUCTOR_LIST */
+};
+
+/*
+ * nssArenaMark
+ *
+ * This type is used to mark the current state of an NSSArena.
+ */
+
+struct nssArenaMarkStr {
+  PRUint32 magic;
+  void *mark;
+#ifdef ARENA_THREADMARK
+  nssArenaMark *next;
+#endif /* ARENA_THREADMARK */
+#ifdef ARENA_DESTRUCTOR_LIST
+  struct arena_destructor_node *next_destructor;
+  struct arena_destructor_node *prev_destructor;
+#endif /* ARENA_DESTRUCTOR_LIST */
+};
+
+#define MARK_MAGIC 0x4d41524b /* "MARK" how original */
+
+/*
+ * But first, the pointer-tracking code
+ */
+#ifdef DEBUG
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+static nssPointerTracker arena_pointer_tracker;
+
+static PRStatus
+arena_add_pointer
+(
+  const NSSArena *arena
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&arena_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return rv;
+  }
+
+  rv = nssPointerTracker_add(&arena_pointer_tracker, arena);
+  if( PR_SUCCESS != rv ) {
+    NSSError e = NSS_GetError();
+    if( NSS_ERROR_NO_MEMORY != e ) {
+      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    }
+
+    return rv;
+  }
+
+  return PR_SUCCESS;
+}
+
+static PRStatus
+arena_remove_pointer
+(
+  const NSSArena *arena
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_remove(&arena_pointer_tracker, arena);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  }
+
+  return rv;
+}
+
+/*
+ * nssArena_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSArena object,
+ * this routine will return PR_SUCCESS.  Otherwise, it will put an
+ * error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_IMPLEMENT PRStatus
+nssArena_verifyPointer
+(
+  const NSSArena *arena
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&arena_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    /*
+     * This is a little disingenious.  We have to initialize the
+     * tracker, because someone could "legitimately" try to verify
+     * an arena pointer before one is ever created.  And this step
+     * might fail, due to lack of memory.  But the only way that
+     * this step can fail is if it's doing the call_once stuff,
+     * (later calls just no-op).  And if it didn't no-op, there
+     * aren't any valid arenas.. so the argument certainly isn't one.
+     */
+    nss_SetError(NSS_ERROR_INVALID_ARENA);
+    return PR_FAILURE;
+  }
+
+  rv = nssPointerTracker_verify(&arena_pointer_tracker, arena);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_ARENA);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+#endif /* DEBUG */
+
+#ifdef ARENA_DESTRUCTOR_LIST
+
+struct arena_destructor_node {
+  struct arena_destructor_node *next;
+  struct arena_destructor_node *prev;
+  void (*destructor)(void *argument);
+  void *arg;
+};
+
+/*
+ * nssArena_registerDestructor
+ *
+ * This routine stores a pointer to a callback and an arbitrary
+ * pointer-sized argument in the arena, at the current point in
+ * the mark stack.  If the arena is destroyed, or an "earlier"
+ * mark is released, then this destructor will be called at that
+ * time.  Note that the destructor will be called with the arena
+ * locked, which means the destructor may free memory in that
+ * arena, but it may not allocate or cause to be allocated any
+ * memory.  This callback facility was included to support our
+ * debug-version pointer-tracker feature; overuse runs counter to
+ * the the original intent of arenas.  This routine returns a 
+ * PRStatus value; if successful, it will return PR_SUCCESS.  If 
+ * unsuccessful, it will set an error on the error stack and 
+ * return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssArena_registerDestructor
+(
+  NSSArena *arena,
+  void (*destructor)(void *argument),
+  void *arg
+)
+{
+  struct arena_destructor_node *it;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+  
+  it = nss_ZNEW(arena, struct arena_destructor_node);
+  if( (struct arena_destructor_node *)NULL == it ) {
+    return PR_FAILURE;
+  }
+
+  it->prev = arena->last_destructor;
+  arena->last_destructor->next = it;
+  arena->last_destructor = it;
+  it->destructor = destructor;
+  it->arg = arg;
+
+  if( (nssArenaMark *)NULL != arena->last_mark ) {
+    arena->last_mark->prev_destructor = it->prev;
+    arena->last_mark->next_destructor = it->next;
+  }
+
+  return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+nssArena_deregisterDestructor
+(
+  NSSArena *arena,
+  void (*destructor)(void *argument),
+  void *arg
+)
+{
+  struct arena_destructor_node *it;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  for( it = arena->first_destructor; it; it = it->next ) {
+    if( (it->destructor == destructor) && (it->arg == arg) ) {
+      break;
+    }
+  }
+
+  if( (struct arena_destructor_node *)NULL == it ) {
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+  }
+
+  if( it == arena->first_destructor ) {
+    arena->first_destructor = it->next;
+  }
+
+  if( it == arena->last_destructor ) {
+    arena->last_destructor = it->prev;
+  }
+
+  if( (struct arena_destructor_node *)NULL != it->prev ) {
+    it->prev->next = it->next;
+  }
+
+  if( (struct arena_destructor_node *)NULL != it->next ) {
+    it->next->prev = it->prev;
+  }
+
+  {
+    nssArenaMark *m;
+    for( m = arena->first_mark; m; m = m->next ) {
+      if( m->next_destructor == it ) {
+        m->next_destructor = it->next;
+      }
+      if( m->prev_destructor == it ) {
+        m->prev_destructor = it->prev;
+      }
+    }
+  }
+
+  nss_ZFreeIf(it);
+  return PR_SUCCESS;
+}
+
+static void
+nss_arena_call_destructor_chain
+(
+  struct arena_destructor_node *it
+)
+{
+  for( ; it ; it = it->next ) {
+    (*(it->destructor))(it->arg);
+  }
+}
+
+#endif /* ARENA_DESTRUCTOR_LIST */
+
+/*
+ * NSSArena_Create
+ *
+ * This routine creates a new memory arena.  This routine may return
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The top-level error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSArena upon success
+ */
+
+NSS_IMPLEMENT NSSArena *
+NSSArena_Create
+(
+  void
+)
+{
+  nss_ClearErrorStack();
+  return nssArena_Create();
+}
+
+/*
+ * nssArena_Create
+ *
+ * This routine creates a new memory arena.  This routine may return
+ * NULL upon error, in which case it will have set an error on the 
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSArena upon success
+ */
+
+NSS_IMPLEMENT NSSArena *
+nssArena_Create
+(
+  void
+)
+{
+  NSSArena *rv = (NSSArena *)NULL;
+
+  rv = nss_ZNEW((NSSArena *)NULL, NSSArena);
+  if( (NSSArena *)NULL == rv ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (NSSArena *)NULL;
+  }
+
+  rv->lock = PR_NewLock();
+  if( (PRLock *)NULL == rv->lock ) {
+    (void)nss_ZFreeIf(rv);
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (NSSArena *)NULL;
+  }
+
+  /*
+   * Arena sizes.  The current security code has 229 occurrences of
+   * PORT_NewArena.  The default chunksizes specified break down as
+   *
+   *  Size    Mult.   Specified as
+   *   512       1    512
+   *  1024       7    1024
+   *  2048       5    2048
+   *  2048       5    CRMF_DEFAULT_ARENA_SIZE
+   *  2048     190    DER_DEFAULT_CHUNKSIZE
+   *  2048      20    SEC_ASN1_DEFAULT_ARENA_SIZE
+   *  4096       1    4096
+   *
+   * Obviously this "default chunksize" flexibility isn't very 
+   * useful to us, so I'll just pick 2048.
+   */
+
+  PL_InitArenaPool(&rv->pool, "NSS", 2048, sizeof(double));
+
+#ifdef DEBUG
+  {
+    PRStatus st;
+    st = arena_add_pointer(rv);
+    if( PR_SUCCESS != st ) {
+      PL_FinishArenaPool(&rv->pool);
+      PR_DestroyLock(rv->lock);
+      (void)nss_ZFreeIf(rv);
+      return (NSSArena *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return rv;
+}
+
+/*
+ * NSSArena_Destroy
+ *
+ * This routine will destroy the specified arena, freeing all memory
+ * allocated from it.  This routine returns a PRStatus value; if 
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * create an error stack and return PR_FAILURE.
+ *
+ * The top-level error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSArena_Destroy
+(
+  NSSArena *arena
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssArena_Destroy(arena);
+}
+
+/*
+ * nssArena_Destroy
+ *
+ * This routine will destroy the specified arena, freeing all memory
+ * allocated from it.  This routine returns a PRStatus value; if 
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * set an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssArena_Destroy
+(
+  NSSArena *arena
+)
+{
+  PRLock *lock;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  PR_Lock(arena->lock);
+  if( (PRLock *)NULL == arena->lock ) {
+    /* Just got destroyed */
+    nss_SetError(NSS_ERROR_INVALID_ARENA);
+    return PR_FAILURE;
+  }
+  
+#ifdef DEBUG
+  if( PR_SUCCESS != arena_remove_pointer(arena) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+#ifdef ARENA_DESTRUCTOR_LIST
+  /* Note that the arena is locked at this time */
+  nss_arena_call_destructor_chain(arena->first_destructor);
+#endif /* ARENA_DESTRUCTOR_LIST */
+
+  PL_FinishArenaPool(&arena->pool);
+  lock = arena->lock;
+  arena->lock = (PRLock *)NULL;
+  PR_Unlock(lock);
+  PR_DestroyLock(lock);
+  (void)nss_ZFreeIf(arena);
+  return PR_SUCCESS;
+}
+
+static void *nss_zalloc_arena_locked(NSSArena *arena, PRUint32 size);
+
+/*
+ * nssArena_Mark
+ *
+ * This routine "marks" the current state of an arena.  Space
+ * allocated after the arena has been marked can be freed by
+ * releasing the arena back to the mark with nssArena_Release,
+ * or committed by calling nssArena_Unmark.  When successful, 
+ * this routine returns a valid nssArenaMark pointer.  This 
+ * routine may return NULL upon error, in which case it will 
+ * have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *
+ * Return value:
+ *  NULL upon failure
+ *  An nssArenaMark pointer upon success
+ */
+
+NSS_IMPLEMENT nssArenaMark *
+nssArena_Mark
+(
+  NSSArena *arena
+)
+{
+  nssArenaMark *rv;
+  void *p;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    return (nssArenaMark *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  PR_Lock(arena->lock);
+  if( (PRLock *)NULL == arena->lock ) {
+    /* Just got destroyed */
+    nss_SetError(NSS_ERROR_INVALID_ARENA);
+    return (nssArenaMark *)NULL;
+  }
+
+#ifdef ARENA_THREADMARK
+  if( (PRThread *)NULL == arena->marking_thread ) {
+    /* Unmarked.  Store our thread ID */
+    arena->marking_thread = PR_GetCurrentThread();
+    /* This call never fails. */
+  } else {
+    /* Marked.  Verify it's the current thread */
+    if( PR_GetCurrentThread() != arena->marking_thread ) {
+      PR_Unlock(arena->lock);
+      nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
+      return (nssArenaMark *)NULL;
+    }
+  }
+#endif /* ARENA_THREADMARK */
+
+  p = PL_ARENA_MARK(&arena->pool);
+  /* No error possible */
+
+  /* Do this after the mark */
+  rv = (nssArenaMark *)nss_zalloc_arena_locked(arena, sizeof(nssArenaMark));
+  if( (nssArenaMark *)NULL == rv ) {
+    PR_Unlock(arena->lock);
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (nssArenaMark *)NULL;
+  }
+
+#ifdef ARENA_THREADMARK
+  if ( (nssArenaMark *)NULL == arena->first_mark) {
+    arena->first_mark = rv;
+    arena->last_mark = rv;
+  } else {
+    arena->last_mark->next = rv;
+    arena->last_mark = rv;
+  }
+#endif /* ARENA_THREADMARK */
+
+  rv->mark = p;
+  rv->magic = MARK_MAGIC;
+
+#ifdef ARENA_DESTRUCTOR_LIST
+  rv->prev_destructor = arena->last_destructor;
+#endif /* ARENA_DESTRUCTOR_LIST */
+
+  PR_Unlock(arena->lock);
+
+  return rv;
+}
+
+/*
+ * nss_arena_unmark_release
+ *
+ * This static routine implements the routines nssArena_Release
+ * ans nssArena_Unmark, which are almost identical.
+ */
+
+static PRStatus
+nss_arena_unmark_release
+(
+  NSSArena *arena,
+  nssArenaMark *arenaMark,
+  PRBool release
+)
+{
+  void *inner_mark;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  if( MARK_MAGIC != arenaMark->magic ) {
+    nss_SetError(NSS_ERROR_INVALID_ARENA_MARK);
+    return PR_FAILURE;
+  }
+
+  PR_Lock(arena->lock);
+  if( (PRLock *)NULL == arena->lock ) {
+    /* Just got destroyed */
+    nss_SetError(NSS_ERROR_INVALID_ARENA);
+    return PR_FAILURE;
+  }
+
+#ifdef ARENA_THREADMARK
+  if( (PRThread *)NULL != arena->marking_thread ) {
+    if( PR_GetCurrentThread() != arena->marking_thread ) {
+      PR_Unlock(arena->lock);
+      nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
+      return PR_FAILURE;
+    }
+  }
+#endif /* ARENA_THREADMARK */
+
+  if( MARK_MAGIC != arenaMark->magic ) {
+    /* Just got released */
+    PR_Unlock(arena->lock);
+    nss_SetError(NSS_ERROR_INVALID_ARENA_MARK);
+    return PR_FAILURE;
+  }
+
+  arenaMark->magic = 0;
+  inner_mark = arenaMark->mark;
+
+#ifdef ARENA_THREADMARK
+  {
+    nssArenaMark **pMark = &arena->first_mark;
+    nssArenaMark *rest;
+    nssArenaMark *last = (nssArenaMark *)NULL;
+
+    /* Find this mark */
+    while( *pMark != arenaMark ) {
+      last = *pMark;
+      pMark = &(*pMark)->next;
+    }
+
+    /* Remember the pointer, then zero it */
+    rest = (*pMark)->next;
+    *pMark = (nssArenaMark *)NULL;
+
+    arena->last_mark = last;
+
+    /* Invalidate any later marks being implicitly released */
+    for( ; (nssArenaMark *)NULL != rest; rest = rest->next ) {
+      rest->magic = 0;
+    }
+
+    /* If we just got rid of the first mark, clear the thread ID */
+    if( (nssArenaMark *)NULL == arena->first_mark ) {
+      arena->marking_thread = (PRThread *)NULL;
+    }
+  }
+#endif /* ARENA_THREADMARK */
+
+  if( release ) {
+#ifdef ARENA_DESTRUCTOR_LIST
+    if( (struct arena_destructor_node *)NULL != arenaMark->prev_destructor ) {
+      arenaMark->prev_destructor->next = (struct arena_destructor_node *)NULL;
+    }
+    arena->last_destructor = arenaMark->prev_destructor;
+
+    /* Note that the arena is locked at this time */
+    nss_arena_call_destructor_chain(arenaMark->next_destructor);
+#endif /* ARENA_DESTRUCTOR_LIST */
+
+    PR_ARENA_RELEASE(&arena->pool, inner_mark);
+    /* No error return */
+  }
+
+  PR_Unlock(arena->lock);
+  return PR_SUCCESS;
+}
+
+/*
+ * nssArena_Release
+ *
+ * This routine invalidates and releases all memory allocated from
+ * the specified arena after the point at which the specified mark
+ * was obtained.  This routine returns a PRStatus value; if successful,
+ * it will return PR_SUCCESS.  If unsuccessful, it will set an error
+ * on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ARENA_MARK
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssArena_Release
+(
+  NSSArena *arena,
+  nssArenaMark *arenaMark
+)
+{
+  return nss_arena_unmark_release(arena, arenaMark, PR_TRUE);
+}
+
+/*
+ * nssArena_Unmark
+ *
+ * This routine "commits" the indicated mark and any marks after
+ * it, making them unreleasable.  Note that any earlier marks can
+ * still be released, and such a release will invalidate these
+ * later unmarked regions.  If an arena is to be safely shared by
+ * more than one thread, all marks must be either released or
+ * unmarked.  This routine returns a PRStatus value; if successful,
+ * it will return PR_SUCCESS.  If unsuccessful, it will set an error
+ * on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ARENA_MARK
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssArena_Unmark
+(
+  NSSArena *arena,
+  nssArenaMark *arenaMark
+)
+{
+  return nss_arena_unmark_release(arena, arenaMark, PR_FALSE);
+}
+
+/*
+ * We prefix this header to all allocated blocks.  It is a multiple
+ * of the alignment size.  Note that this usage of a header may make
+ * purify spew bogus warnings about "potentially leaked blocks" of
+ * memory; if that gets too annoying we can add in a pointer to the
+ * header in the header itself.  There's not a lot of safety here;
+ * maybe we should add a magic value?
+ */
+struct pointer_header {
+  NSSArena *arena;
+  PRUint32 size;
+};
+
+static void *
+nss_zalloc_arena_locked
+(
+  NSSArena *arena,
+  PRUint32 size
+)
+{
+  void *p;
+  void *rv;
+  struct pointer_header *h;
+  PRUint32 my_size = size + sizeof(struct pointer_header);
+  PR_ARENA_ALLOCATE(p, &arena->pool, my_size);
+  if( (void *)NULL == p ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (void *)NULL;
+  }
+  /* 
+   * Do this before we unlock.  This way if the user is using
+   * an arena in one thread while destroying it in another, he'll
+   * fault/FMR in his code, not ours.
+   */
+  h = (struct pointer_header *)p;
+  h->arena = arena;
+  h->size = size;
+  rv = (void *)((char *)h + sizeof(struct pointer_header));
+  (void)nsslibc_memset(rv, 0, size);
+  return rv;
+}
+
+/*
+ * nss_ZAlloc
+ *
+ * This routine allocates and zeroes a section of memory of the 
+ * size, and returns to the caller a pointer to that memory.  If
+ * the optional arena argument is non-null, the memory will be
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in
+ * which case it will have set an error upon the error stack.  The
+ * value specified for size may be zero; in which case a valid 
+ * zero-length block of memory will be allocated.  This block may
+ * be expanded by calling nss_ZRealloc.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the new segment of zeroed memory
+ */
+
+NSS_IMPLEMENT void *
+nss_ZAlloc
+(
+  NSSArena *arenaOpt,
+  PRUint32 size
+)
+{
+  struct pointer_header *h;
+  PRUint32 my_size = size + sizeof(struct pointer_header);
+
+  if( my_size < sizeof(struct pointer_header) ) {
+    /* Wrapped */
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (void *)NULL;
+  }
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    /* Heap allocation, no locking required. */
+    h = (struct pointer_header *)PR_Calloc(1, my_size);
+    if( (struct pointer_header *)NULL == h ) {
+      nss_SetError(NSS_ERROR_NO_MEMORY);
+      return (void *)NULL;
+    }
+
+    h->arena = (NSSArena *)NULL;
+    h->size = size;
+    /* We used calloc: it's already zeroed */
+
+    return (void *)((char *)h + sizeof(struct pointer_header));
+  } else {
+    void *rv;
+    /* Arena allocation */
+#ifdef NSSDEBUG
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (void *)NULL;
+    }
+#endif /* NSSDEBUG */
+
+    PR_Lock(arenaOpt->lock);
+    if( (PRLock *)NULL == arenaOpt->lock ) {
+      /* Just got destroyed */
+      nss_SetError(NSS_ERROR_INVALID_ARENA);
+      return (void *)NULL;
+    }
+
+#ifdef ARENA_THREADMARK
+    if( (PRThread *)NULL != arenaOpt->marking_thread ) {
+      if( PR_GetCurrentThread() != arenaOpt->marking_thread ) {
+        nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
+        PR_Unlock(arenaOpt->lock);
+        return (void *)NULL;
+      }
+    }
+#endif /* ARENA_THREADMARK */
+
+    rv = nss_zalloc_arena_locked(arenaOpt, size);
+
+    PR_Unlock(arenaOpt->lock);
+    return rv;
+  }
+  /*NOTREACHED*/
+}
+
+/*
+ * nss_ZFreeIf
+ *
+ * If the specified pointer is non-null, then the region of memory 
+ * to which it points -- which must have been allocated with 
+ * nss_ZAlloc -- will be zeroed and released.  This routine 
+ * returns a PRStatus value; if successful, it will return PR_SUCCESS.
+ * If unsuccessful, it will set an error on the error stack and return 
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_ZFreeIf
+(
+  void *pointer
+)
+{
+  struct pointer_header *h;
+
+  if( (void *)NULL == pointer ) {
+    return PR_SUCCESS;
+  }
+
+  h = (struct pointer_header *)&((char *)pointer)
+    [ - sizeof(struct pointer_header) ];
+
+  /* Check any magic here */
+
+  if( (NSSArena *)NULL == h->arena ) {
+    /* Heap */
+    (void)nsslibc_memset(pointer, 0, h->size);
+    PR_Free(h);
+    return PR_SUCCESS;
+  } else {
+    /* Arena */
+#ifdef NSSDEBUG
+    if( PR_SUCCESS != nssArena_verifyPointer(h->arena) ) {
+      return PR_FAILURE;
+    }
+#endif /* NSSDEBUG */
+
+    PR_Lock(h->arena->lock);
+    if( (PRLock *)NULL == h->arena->lock ) {
+      /* Just got destroyed.. so this pointer is invalid */
+      nss_SetError(NSS_ERROR_INVALID_POINTER);
+      return PR_FAILURE;
+    }
+
+    (void)nsslibc_memset(pointer, 0, h->size);
+
+    /* No way to "free" it within an NSPR arena. */
+
+    PR_Unlock(h->arena->lock);
+    return PR_SUCCESS;
+  }
+  /*NOTREACHED*/
+}
+
+/*
+ * nss_ZRealloc
+ *
+ * This routine reallocates a block of memory obtained by calling
+ * nss_ZAlloc or nss_ZRealloc.  The portion of memory 
+ * between the new and old sizes -- which is either being newly
+ * obtained or released -- is in either case zeroed.  This routine 
+ * may return NULL upon failure, in which case it will have placed 
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the replacement segment of memory
+ */
+
+NSS_EXTERN void *
+nss_ZRealloc
+(
+  void *pointer,
+  PRUint32 newSize
+)
+{
+  struct pointer_header *h, *new_h;
+  PRUint32 my_newSize = newSize + sizeof(struct pointer_header);
+  void *rv;
+
+  if( my_newSize < sizeof(struct pointer_header) ) {
+    /* Wrapped */
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (void *)NULL;
+  }
+
+  if( (void *)NULL == pointer ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (void *)NULL;
+  }
+
+  h = (struct pointer_header *)&((char *)pointer)
+    [ - sizeof(struct pointer_header) ];
+
+  /* Check any magic here */
+
+  if( newSize == h->size ) {
+    /* saves thrashing */
+    return pointer;
+  }
+
+  if( (NSSArena *)NULL == h->arena ) {
+    /* Heap */
+    new_h = (struct pointer_header *)PR_Calloc(1, my_newSize);
+    if( (struct pointer_header *)NULL == new_h ) {
+      nss_SetError(NSS_ERROR_NO_MEMORY);
+      return (void *)NULL;
+    }
+
+    new_h->arena = (NSSArena *)NULL;
+    new_h->size = newSize;
+    rv = (void *)((char *)new_h + sizeof(struct pointer_header));
+
+    if( newSize > h->size ) {
+      (void)nsslibc_memcpy(rv, pointer, h->size);
+      (void)nsslibc_memset(&((char *)rv)[ h->size ], 
+                           0, (newSize - h->size));
+    } else {
+      (void)nsslibc_memcpy(rv, pointer, newSize);
+    }
+
+    (void)nsslibc_memset(pointer, 0, h->size);
+    h->size = 0;
+    PR_Free(h);
+
+    return rv;
+  } else {
+    void *p;
+    /* Arena */
+#ifdef NSSDEBUG
+    if( PR_SUCCESS != nssArena_verifyPointer(h->arena) ) {
+      return (void *)NULL;
+    }
+#endif /* NSSDEBUG */
+
+    PR_Lock(h->arena->lock);
+    if( (PRLock *)NULL == h->arena->lock ) {
+      /* Just got destroyed.. so this pointer is invalid */
+      nss_SetError(NSS_ERROR_INVALID_POINTER);
+      return (void *)NULL;
+    }
+
+#ifdef ARENA_THREADMARK
+    if( (PRThread *)NULL != h->arena->marking_thread ) {
+      if( PR_GetCurrentThread() != h->arena->marking_thread ) {
+        PR_Unlock(h->arena->lock);
+        nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
+        return (void *)NULL;
+      }
+    }
+#endif /* ARENA_THREADMARK */
+
+    if( newSize < h->size ) {
+      /*
+       * We have no general way of returning memory to the arena
+       * (mark/release doesn't work because things may have been
+       * allocated after this object), so the memory is gone
+       * anyway.  We might as well just return the same pointer to
+       * the user, saying "yeah, uh-hunh, you can only use less of
+       * it now."  We'll zero the leftover part, of course.  And
+       * in fact we might as well *not* adjust h->size-- this way,
+       * if the user reallocs back up to something not greater than
+       * the original size, then voila, there's the memory!  This
+       * way a thrash big/small/big/small doesn't burn up the arena.
+       */
+      char *extra = &((char *)pointer)[ newSize ];
+      (void)nsslibc_memset(extra, 0, (h->size - newSize));
+      PR_Unlock(h->arena->lock);
+      return pointer;
+    }
+
+    PR_ARENA_ALLOCATE(p, &h->arena->pool, my_newSize);
+    if( (void *)NULL == p ) {
+      PR_Unlock(h->arena->lock);
+      nss_SetError(NSS_ERROR_NO_MEMORY);
+      return (void *)NULL;
+    }
+
+    new_h = (struct pointer_header *)p;
+    new_h->arena = h->arena;
+    new_h->size = newSize;
+    rv = (void *)((char *)h + sizeof(struct pointer_header));
+    (void)nsslibc_memcpy(rv, pointer, h->size);
+    (void)nsslibc_memset(&((char *)rv)[ h->size ], 0, 
+                         (newSize - h->size));
+    (void)nsslibc_memset(pointer, 0, h->size);
+    h->arena = (NSSArena *)NULL;
+    h->size = 0;
+    PR_Unlock(h->arena->lock);
+    return rv;
+  }
+  /*NOTREACHED*/
+}
diff --git a/security/nss/lib/base/base.h b/security/nss/lib/base/base.h
new file mode 100644
index 000000000..492da7259
--- /dev/null
+++ b/security/nss/lib/base/base.h
@@ -0,0 +1,1426 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef BASE_H
+#define BASE_H
+
+#ifdef DEBUG
+static const char BASE_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * base.h
+ *
+ * This header file contains basic prototypes and preprocessor 
+ * definitions used throughout nss but not available publicly.
+ */
+
+#ifndef BASET_H
+#include "baset.h"
+#endif /* BASET_H */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#include "plhash.h"
+#include "prthread.h"
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * NSSArena
+ *
+ * The nonpublic methods relating to this type are:
+ *
+ *  nssArena_Create  -- constructor
+ *  nssArena_Destroy
+ *  nssArena_Mark
+ *  nssArena_Release
+ *  nssArena_Unmark
+ *
+ *  nss_ZAlloc
+ *  nss_ZFreeIf
+ *  nss_ZRealloc
+ *
+ * Additionally, there are some preprocessor macros:
+ *
+ *  nss_ZNEW
+ *  nss_ZNEWARRAY
+ *
+ * In debug builds, the following calls are available:
+ *
+ *  nssArena_verifyPointer
+ *  nssArena_registerDestructor
+ *  nssArena_deregisterDestructor
+ *
+ * The following preprocessor macro is also always available:
+ *
+ *  nssArena_VERIFYPOINTER
+ *
+ * A constant PLHashAllocOps structure is available for users
+ * of the NSPL PLHashTable routines.
+ *
+ *  nssArenaHashAllocOps
+ */
+
+/*
+ * nssArena_Create
+ *
+ * This routine creates a new memory arena.  This routine may return
+ * NULL upon error, in which case it will have set an error on the 
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSArena upon success
+ */
+
+/*
+ * XXX fgmr
+ * Arenas can be named upon creation; this is mostly of use when
+ * debugging.  Should we expose that here, allowing an optional
+ * "const char *name" argument?  Should the public version of this
+ * call (NSSArena_Create) have it too?
+ */
+
+NSS_EXTERN NSSArena *
+nssArena_Create
+(
+  void
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * nssArena_Destroy
+ *
+ * This routine will destroy the specified arena, freeing all memory
+ * allocated from it.  This routine returns a PRStatus value; if 
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * set an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_EXTERN PRStatus
+nssArena_Destroy
+(
+  NSSArena *arena
+);
+
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+
+/*
+ * nssArena_Mark
+ *
+ * This routine "marks" the current state of an arena.  Space
+ * allocated after the arena has been marked can be freed by
+ * releasing the arena back to the mark with nssArena_Release,
+ * or committed by calling nssArena_Unmark.  When successful, 
+ * this routine returns a valid nssArenaMark pointer.  This 
+ * routine may return NULL upon error, in which case it will 
+ * have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *
+ * Return value:
+ *  NULL upon failure
+ *  An nssArenaMark pointer upon success
+ */
+
+NSS_EXTERN nssArenaMark *
+nssArena_Mark
+(
+  NSSArena *arena
+);
+
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
+
+/*
+ * nssArena_Release
+ *
+ * This routine invalidates and releases all memory allocated from
+ * the specified arena after the point at which the specified mark
+ * was obtained.  This routine returns a PRStatus value; if successful,
+ * it will return PR_SUCCESS.  If unsuccessful, it will set an error
+ * on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ARENA_MARK
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_EXTERN PRStatus
+nssArena_Release
+(
+  NSSArena *arena,
+  nssArenaMark *arenaMark
+);
+
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_INVALID_ARENA_MARK;
+
+/*
+ * nssArena_Unmark
+ *
+ * This routine "commits" the indicated mark and any marks after
+ * it, making them unreleasable.  Note that any earlier marks can
+ * still be released, and such a release will invalidate these
+ * later unmarked regions.  If an arena is to be safely shared by
+ * more than one thread, all marks must be either released or
+ * unmarked.  This routine returns a PRStatus value; if successful,
+ * it will return PR_SUCCESS.  If unsuccessful, it will set an error
+ * on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ARENA_MARK
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_EXTERN PRStatus
+nssArena_Unmark
+(
+  NSSArena *arena,
+  nssArenaMark *arenaMark
+);
+
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_INVALID_ARENA_MARK;
+extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
+
+#ifdef ARENA_DESTRUCTOR_LIST
+
+/*
+ * nssArena_registerDestructor
+ *
+ * This routine stores a pointer to a callback and an arbitrary
+ * pointer-sized argument in the arena, at the current point in
+ * the mark stack.  If the arena is destroyed, or an "earlier"
+ * mark is released, then this destructor will be called at that
+ * time.  Note that the destructor will be called with the arena
+ * locked, which means the destructor may free memory in that
+ * arena, but it may not allocate or cause to be allocated any
+ * memory.  This callback facility was included to support our
+ * debug-version pointer-tracker feature; overuse runs counter to
+ * the the original intent of arenas.  This routine returns a 
+ * PRStatus value; if successful, it will return PR_SUCCESS.  If 
+ * unsuccessful, it will set an error on the error stack and 
+ * return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_EXTERN PRStatus
+nssArena_registerDestructor
+(
+  NSSArena *arena,
+  void (*destructor)(void *argument),
+  void *arg
+);
+
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * nssArena_deregisterDestructor
+ *
+ * This routine will remove the first destructor in the specified
+ * arena which has the specified destructor and argument values.
+ * The destructor will not be called.  This routine returns a
+ * PRStatus value; if successful, it will return PR_SUCCESS.  If 
+ * unsuccessful, it will set an error on the error stack and 
+ * return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NOT_FOUND
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_EXTERN PRStatus
+nssArena_deregisterDestructor
+(
+  NSSArena *arena,
+  void (*destructor)(void *argument),
+  void *arg
+);
+
+extern const NSSError NSS_ERROR_INVALID_ITEM;
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_NOT_FOUND;
+
+#endif /* ARENA_DESTRUCTOR_LIST */
+
+/*
+ * nss_ZAlloc
+ *
+ * This routine allocates and zeroes a section of memory of the 
+ * size, and returns to the caller a pointer to that memory.  If
+ * the optional arena argument is non-null, the memory will be
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in
+ * which case it will have set an error upon the error stack.  The
+ * value specified for size may be zero; in which case a valid 
+ * zero-length block of memory will be allocated.  This block may
+ * be expanded by calling nss_ZRealloc.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the new segment of zeroed memory
+ */
+
+NSS_EXTERN void *
+nss_ZAlloc
+(
+  NSSArena *arenaOpt,
+  PRUint32 size
+);
+
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
+
+/*
+ * nss_ZFreeIf
+ *
+ * If the specified pointer is non-null, then the region of memory 
+ * to which it points -- which must have been allocated with 
+ * nss_ZAlloc -- will be zeroed and released.  This routine 
+ * returns a PRStatus value; if successful, it will return PR_SUCCESS.
+ * If unsuccessful, it will set an error on the error stack and return 
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_EXTERN PRStatus
+nss_ZFreeIf
+(
+  void *pointer
+);
+
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+
+/*
+ * nss_ZRealloc
+ *
+ * This routine reallocates a block of memory obtained by calling
+ * nss_ZAlloc or nss_ZRealloc.  The portion of memory 
+ * between the new and old sizes -- which is either being newly
+ * obtained or released -- is in either case zeroed.  This routine 
+ * may return NULL upon failure, in which case it will have placed 
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the replacement segment of memory
+ */
+
+NSS_EXTERN void *
+nss_ZRealloc
+(
+  void *pointer,
+  PRUint32 newSize
+);
+
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
+
+/*
+ * nss_ZNEW
+ *
+ * This preprocessor macro will allocate memory for a new object
+ * of the specified type with nss_ZAlloc, and will cast the
+ * return value appropriately.  If the optional arena argument is 
+ * non-null, the memory will be obtained from that arena; otherwise, 
+ * the memory will be obtained from the heap.  This routine may 
+ * return NULL upon error, in which case it will have set an error 
+ * upon the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the new segment of zeroed memory
+ */
+
+/* The following line exceeds 72 characters, but emacs screws up if I split it. */
+#define nss_ZNEW(arenaOpt, type) ((type *)nss_ZAlloc((arenaOpt), sizeof(type)))
+
+/*
+ * nss_ZNEWARRAY
+ *
+ * This preprocessor macro will allocate memory for an array of
+ * new objects, and will cast the return value appropriately.
+ * If the optional arena argument is non-null, the memory will 
+ * be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon 
+ * error, in which case it will have set an error upon the error 
+ * stack.  The array size may be specified as zero.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the new segment of zeroed memory
+ */
+
+/* The following line exceeds 72 characters, but emacs screws up if I split it. */
+#define nss_ZNEWARRAY(arenaOpt, type, quantity) ((type *)nss_ZAlloc((arenaOpt), sizeof(type) * (quantity)))
+
+/*
+ * nssArena_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSArena object,
+ * this routine will return PR_SUCCESS.  Otherwise, it will put an
+ * error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+#ifdef DEBUG
+NSS_EXTERN PRStatus
+nssArena_verifyPointer
+(
+  const NSSArena *arena
+);
+
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+#endif /* DEBUG */
+
+/*
+ * nssArena_VERIFYPOINTER
+ *
+ * This macro is always available.  In debug builds it will call
+ * nssArena_verifyPointer; in non-debug builds, it will merely
+ * check that the pointer is not null.  Note that in non-debug
+ * builds it cannot place an error on the error stack.
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+#ifdef DEBUG
+#define nssArena_VERIFYPOINTER(p) nssArena_verifyPointer(p)
+#else /* DEBUG */
+/* The following line exceeds 72 characters, but emacs screws up if I split it. */
+#define nssArena_VERIFYPOINTER(p) (((NSSArena *)NULL == (p))?PR_FAILURE:PR_SUCCESS)
+#endif /* DEBUG */
+
+/*
+ * nssArenaHashAllocOps
+ *
+ * This constant structure contains allocation callbacks designed for
+ * use with the NSPL routine PL_NewHashTable.  For example:
+ *
+ *  NSSArena *hashTableArena = nssArena_Create();
+ *  PLHashTable *t = PL_NewHashTable(n, hasher, key_compare, 
+ *    value_compare, nssArenaHashAllocOps, hashTableArena);
+ */
+
+NSS_EXTERN_DATA PLHashAllocOps nssArenaHashAllocOps;
+
+/*
+ * The error stack
+ *
+ * The nonpublic methods relating to the error stack are:
+ *
+ *  nss_SetError
+ *  nss_ClearErrorStack
+ */
+
+/*
+ * nss_SetError
+ *
+ * This routine places a new error code on the top of the calling 
+ * thread's error stack.  Calling this routine wiht an error code
+ * of zero will clear the error stack.
+ */
+
+NSS_EXTERN void
+nss_SetError
+(
+  PRUint32 error
+);
+
+/*
+ * nss_ClearErrorStack
+ *
+ * This routine clears the calling thread's error stack.
+ */
+
+NSS_EXTERN void
+nss_ClearErrorStack
+(
+  void
+);
+
+/*
+ * NSSItem
+ *
+ * nssItem_Create
+ * nssItem_Duplicate
+ * nssItem_Equal
+ */
+
+NSS_EXTERN NSSItem *
+nssItem_Create
+(
+  NSSArena *arenaOpt,
+  NSSItem *rvOpt,
+  PRUint32 length,
+  const void *data
+);
+
+NSS_EXTERN void
+nssItem_Destroy
+(
+  NSSItem *item
+);
+
+NSS_EXTERN NSSItem *
+nssItem_Duplicate
+(
+  NSSItem *obj,
+  NSSArena *arenaOpt,
+  NSSItem *rvOpt
+);
+
+NSS_EXTERN PRBool
+nssItem_Equal
+(
+  const NSSItem *one,
+  const NSSItem *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSUTF8
+ *
+ *  nssUTF8_CaseIgnoreMatch
+ *  nssUTF8_Duplicate
+ *  nssUTF8_Size
+ *  nssUTF8_Length
+ *  nssUTF8_CopyIntoFixedBuffer
+ */
+
+/*
+ * nssUTF8_CaseIgnoreMatch
+ * 
+ * Returns true if the two UTF8-encoded strings pointed to by the 
+ * two specified NSSUTF8 pointers differ only in typcase.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_TRUE if the strings match, ignoring case
+ *  PR_FALSE if they don't
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssUTF8_CaseIgnoreMatch
+(
+  const NSSUTF8 *a,
+  const NSSUTF8 *b,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssUTF8_Duplicate
+ *
+ * This routine duplicates the UTF8-encoded string pointed to by the
+ * specified NSSUTF8 pointer.  If the optional arenaOpt argument is
+ * not null, the memory required will be obtained from that arena;
+ * otherwise, the memory required will be obtained from the heap.
+ * A pointer to the new string will be returned.  In case of error,
+ * an error will be placed on the error stack and NULL will be 
+ * returned.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssUTF8_Duplicate
+(
+  const NSSUTF8 *s,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssUTF8_PrintableMatch
+ *
+ * Returns true if the two Printable strings pointed to by the 
+ * two specified NSSUTF8 pointers match when compared with the 
+ * rules for Printable String (leading and trailing spaces are 
+ * disregarded, extents of whitespace match irregardless of length, 
+ * and case is not significant), then PR_TRUE will be returned.
+ * Otherwise, PR_FALSE will be returned.  Upon failure, PR_FALSE
+ * will be returned.  If the optional statusOpt argument is not
+ * NULL, then PR_SUCCESS or PR_FAILURE will be stored in that
+ * location.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_TRUE if the strings match, ignoring case
+ *  PR_FALSE if they don't
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssUTF8_PrintableMatch
+(
+  const NSSUTF8 *a,
+  const NSSUTF8 *b,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssUTF8_Size
+ *
+ * This routine returns the length in bytes (including the terminating
+ * null) of the UTF8-encoded string pointed to by the specified
+ * NSSUTF8 pointer.  Zero is returned on error.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_VALUE_TOO_LARGE
+ *
+ * Return value:
+ *  nonzero size of the string
+ *  0 on error
+ */
+
+NSS_EXTERN PRUint32
+nssUTF8_Size
+(
+  const NSSUTF8 *s,
+  PRStatus *statusOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_VALUE_TOO_LARGE;
+
+/*
+ * nssUTF8_Length
+ *
+ * This routine returns the length in characters (not including the
+ * terminating null) of the UTF8-encoded string pointed to by the
+ * specified NSSUTF8 pointer.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_VALUE_TOO_LARGE
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  length of the string (which may be zero)
+ *  0 on error
+ */
+
+NSS_EXTERN PRUint32
+nssUTF8_Length
+(
+  const NSSUTF8 *s,
+  PRStatus *statusOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_VALUE_TOO_LARGE;
+extern const NSSError NSS_ERROR_INVALID_STRING;
+
+/*
+ * nssUTF8_Create
+ *
+ * This routine creates a UTF8 string from a string in some other
+ * format.  Some types of string may include embedded null characters,
+ * so for them the length parameter must be used.  For string types
+ * that are null-terminated, the length parameter is optional; if it
+ * is zero, it will be ignored.  If the optional arena argument is
+ * non-null, the memory used for the new string will be obtained from
+ * that arena, otherwise it will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have
+ * placed an error on the error stack.
+ *
+ * The error may be one of the following:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_UNSUPPORTED_TYPE
+ *
+ * Return value:
+ *  NULL upon error
+ *  A non-null pointer to a new UTF8 string otherwise
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssUTF8_Create
+(
+  NSSArena *arenaOpt,
+  nssStringType type,
+  const void *inputString,
+  PRUint32 size /* in bytes, not characters */
+);
+
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_UNSUPPORTED_TYPE;
+
+NSS_EXTERN NSSItem *
+nssUTF8_GetEncoding
+(
+  NSSArena *arenaOpt,
+  NSSItem *rvOpt,
+  nssStringType type,
+  NSSUTF8 *string
+);
+
+/*
+ * nssUTF8_CopyIntoFixedBuffer
+ *
+ * This will copy a UTF8 string into a fixed-length buffer, making 
+ * sure that the all characters are valid.  Any remaining space will
+ * be padded with the specified ASCII character, typically either 
+ * null or space.
+ *
+ * Blah, blah, blah.
+ */
+
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_INVALID_ARGUMENT;
+
+NSS_EXTERN PRStatus
+nssUTF8_CopyIntoFixedBuffer
+(
+  NSSUTF8 *string,
+  char *buffer,
+  PRUint32 bufferSize,
+  char pad
+);
+
+/*
+ * nssUTF8_Equal
+ *
+ */
+
+NSS_EXTERN PRBool
+nssUTF8_Equal
+(
+  const NSSUTF8 *a,
+  const NSSUTF8 *b,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssList
+ *
+ * The goal is to provide a simple, optionally threadsafe, linked list
+ * class.  Since NSS did not seem to use the circularity of PRCList
+ * much before, this provides a list that appears to be a linear,
+ * NULL-terminated list.
+ */
+
+/*
+ * nssList_Create
+ *
+ * If threadsafe is true, the list will be locked during modifications
+ * and traversals.
+ */
+NSS_EXTERN nssList *
+nssList_Create
+(
+  NSSArena *arenaOpt,
+  PRBool threadSafe
+);
+
+/*
+ * nssList_Destroy
+ */
+NSS_EXTERN PRStatus
+nssList_Destroy
+(
+  nssList *list
+);
+
+NSS_EXTERN void
+nssList_Clear
+(
+  nssList *list, 
+  nssListElementDestructorFunc destructor
+);
+
+/*
+ * nssList_SetCompareFunction
+ *
+ * By default, two list elements will be compared by comparing their
+ * data pointers.  By setting this function, the user can control
+ * how elements are compared.
+ */
+NSS_EXTERN void
+nssList_SetCompareFunction
+(
+  nssList *list, 
+  nssListCompareFunc compareFunc
+);
+
+/*
+ * nssList_SetSortFunction
+ *
+ * Sort function to use for an ordered list.
+ */
+NSS_EXTERN void
+nssList_SetSortFunction
+(
+  nssList *list, 
+  nssListSortFunc sortFunc
+);
+
+/*
+ * nssList_Add
+ */
+NSS_EXTERN PRStatus
+nssList_Add
+(
+  nssList *list, 
+  void *data
+);
+
+/*
+ * nssList_AddUnique
+ *
+ * This will use the compare function to see if the element is already
+ * in the list.
+ */
+NSS_EXTERN PRStatus
+nssList_AddUnique
+(
+  nssList *list, 
+  void *data
+);
+
+/*
+ * nssList_Remove
+ *
+ * Uses the compare function to locate the element and remove it.
+ */
+NSS_EXTERN PRStatus
+nssList_Remove(nssList *list, void *data);
+
+/*
+ * nssList_Get
+ *
+ * Uses the compare function to locate an element.  Also serves as
+ * nssList_Exists.
+ */
+NSS_EXTERN void *
+nssList_Get
+(
+  nssList *list, 
+  void *data
+);
+
+/*
+ * nssList_Count
+ */
+NSS_EXTERN PRUint32
+nssList_Count
+(
+  nssList *list
+);
+
+/*
+ * nssList_GetArray
+ *
+ * Fill rvArray, up to maxElements, with elements in the list.  The
+ * array is NULL-terminated, so its allocated size must be maxElements + 1.
+ */
+NSS_EXTERN PRStatus
+nssList_GetArray
+(
+  nssList *list, 
+  void **rvArray, 
+  PRUint32 maxElements
+);
+
+/*
+ * nssList_CreateIterator
+ *
+ * Create an iterator for list traversal.
+ */
+NSS_EXTERN nssListIterator *
+nssList_CreateIterator
+(
+  nssList *list
+);
+
+NSS_EXTERN nssList *
+nssList_Clone
+(
+  nssList *list
+);
+
+/*
+ * nssListIterator_Destroy
+ */
+NSS_EXTERN void
+nssListIterator_Destroy
+(
+  nssListIterator *iter
+);
+
+/*
+ * nssListIterator_Start
+ *
+ * Begin a list iteration.  After this call, if the list is threadSafe,
+ * the list is *locked*.
+ */
+NSS_EXTERN void *
+nssListIterator_Start
+(
+  nssListIterator *iter
+);
+
+/*
+ * nssListIterator_Next
+ *
+ * Continue a list iteration.
+ */
+NSS_EXTERN void *
+nssListIterator_Next
+(
+  nssListIterator *iter
+);
+
+/*
+ * nssListIterator_Finish
+ *
+ * Complete a list iteration.  This *must* be called in order for the
+ * lock to be released.
+ */
+NSS_EXTERN PRStatus
+nssListIterator_Finish
+(
+  nssListIterator *iter
+);
+
+/*
+ * nssHash
+ *
+ *  nssHash_Create
+ *  nssHash_Destroy
+ *  nssHash_Add
+ *  nssHash_Remove
+ *  nssHash_Count
+ *  nssHash_Exists
+ *  nssHash_Lookup
+ *  nssHash_Iterate
+ */
+
+/*
+ * nssHash_Create
+ *
+ */
+
+NSS_EXTERN nssHash *
+nssHash_Create
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets,
+  PLHashFunction keyHash,
+  PLHashComparator keyCompare,
+  PLHashComparator valueCompare
+);
+
+NSS_EXTERN nssHash *
+nssHash_CreatePointer
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets
+);
+
+NSS_EXTERN nssHash *
+nssHash_CreateString
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets
+);
+
+NSS_EXTERN nssHash *
+nssHash_CreateItem
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets
+);
+
+/*
+ * nssHash_Destroy
+ *
+ */
+NSS_EXTERN void
+nssHash_Destroy
+(
+  nssHash *hash
+);
+
+/*
+ * nssHash_Add
+ *
+ */
+
+extern const NSSError NSS_ERROR_HASH_COLLISION;
+
+NSS_EXTERN PRStatus
+nssHash_Add
+(
+  nssHash *hash,
+  const void *key,
+  const void *value
+);
+
+/*
+ * nssHash_Remove
+ *
+ */
+NSS_EXTERN void
+nssHash_Remove
+(
+  nssHash *hash,
+  const void *it
+);
+
+/*
+ * nssHash_Count
+ *
+ */
+NSS_EXTERN PRUint32
+nssHash_Count
+(
+  nssHash *hash
+);
+
+/*
+ * nssHash_Exists
+ *
+ */
+NSS_EXTERN PRBool
+nssHash_Exists
+(
+  nssHash *hash,
+  const void *it
+);
+
+/*
+ * nssHash_Lookup
+ *
+ */
+NSS_EXTERN void *
+nssHash_Lookup
+(
+  nssHash *hash,
+  const void *it
+);
+
+/*
+ * nssHash_Iterate
+ *
+ */
+NSS_EXTERN void
+nssHash_Iterate
+(
+  nssHash *hash,
+  nssHashIterator fcn,
+  void *closure
+);
+
+
+/*
+ * nssPointerTracker
+ *
+ * This type and these methods are only present in debug builds.
+ * 
+ * The nonpublic methods relating to this type are:
+ *
+ *  nssPointerTracker_initialize
+ *  nssPointerTracker_finalize
+ *  nssPointerTracker_add
+ *  nssPointerTracker_remove
+ *  nssPointerTracker_verify
+ */
+
+/*
+ * nssPointerTracker_initialize
+ *
+ * This method is only present in debug builds.
+ * 
+ * This routine initializes an nssPointerTracker object.  Note that
+ * the object must have been declared *static* to guarantee that it
+ * is in a zeroed state initially.  This routine is idempotent, and
+ * may even be safely called by multiple threads simultaneously with 
+ * the same argument.  This routine returns a PRStatus value; if 
+ * successful, it will return PR_SUCCESS.  On failure it will set an 
+ * error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+#ifdef DEBUG
+NSS_EXTERN PRStatus
+nssPointerTracker_initialize
+(
+  nssPointerTracker *tracker
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+#endif /* DEBUG */
+
+/*
+ * nssPointerTracker_finalize
+ *
+ * This method is only present in debug builds.
+ * 
+ * This routine returns the nssPointerTracker object to the pre-
+ * initialized state, releasing all resources used by the object.
+ * It will *NOT* destroy the objects being tracked by the pointer
+ * (should any remain), and therefore cannot be used to "sweep up"
+ * remaining objects.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCES.  On failure it will set an
+ * error on the error stack and return PR_FAILURE.  If any objects
+ * remain in the tracker when it is finalized, that will be treated
+ * as an error.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_TRACKER_NOT_EMPTY
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+#ifdef DEBUG
+NSS_EXTERN PRStatus
+nssPointerTracker_finalize
+(
+  nssPointerTracker *tracker
+);
+
+extern const NSSError NSS_ERROR_TRACKER_NOT_EMPTY;
+#endif /* DEBUG */
+
+/*
+ * nssPointerTracker_add
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine adds the specified pointer to the nssPointerTracker
+ * object.  It should be called in constructor objects to register
+ * new valid objects.  The nssPointerTracker is threadsafe, but this
+ * call is not idempotent.  This routine returns a PRStatus value;
+ * if successful it will return PR_SUCCESS.  On failure it will set
+ * an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_TRACKER_NOT_INITIALIZED
+ *  NSS_ERROR_DUPLICATE_POINTER
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+#ifdef DEBUG
+NSS_EXTERN PRStatus
+nssPointerTracker_add
+(
+  nssPointerTracker *tracker,
+  const void *pointer
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+extern const NSSError NSS_ERROR_TRACKER_NOT_INITIALIZED;
+extern const NSSError NSS_ERROR_DUPLICATE_POINTER;
+#endif /* DEBUG */
+
+/*
+ * nssPointerTracker_remove
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine removes the specified pointer from the 
+ * nssPointerTracker object.  It does not call any destructor for the
+ * object; rather, this should be called from the object's destructor.
+ * The nssPointerTracker is threadsafe, but this call is not 
+ * idempotent.  This routine returns a PRStatus value; if successful 
+ * it will return PR_SUCCESS.  On failure it will set an error on the 
+ * error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_TRACKER_NOT_INITIALIZED
+ *  NSS_ERROR_POINTER_NOT_REGISTERED
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+#ifdef DEBUG
+NSS_EXTERN PRStatus
+nssPointerTracker_remove
+(
+  nssPointerTracker *tracker,
+  const void *pointer
+);
+
+extern const NSSError NSS_ERROR_TRACKER_NOT_INITIALIZED;
+extern const NSSError NSS_ERROR_POINTER_NOT_REGISTERED;
+#endif /* DEBUG */
+
+/*
+ * nssPointerTracker_verify
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine verifies that the specified pointer has been registered
+ * with the nssPointerTracker object.  The nssPointerTracker object is
+ * threadsafe, and this call may be safely called from multiple threads
+ * simultaneously with the same arguments.  This routine returns a
+ * PRStatus value; if the pointer is registered this will return 
+ * PR_SUCCESS.  Otherwise it will set an error on the error stack and 
+ * return PR_FAILURE.  Although the error is suitable for leaving on 
+ * the stack, callers may wish to augment the information available by 
+ * placing a more type-specific error on the stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_POINTER_NOT_REGISTERED
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILRUE
+ */
+
+#ifdef DEBUG
+NSS_EXTERN PRStatus
+nssPointerTracker_verify
+(
+  nssPointerTracker *tracker,
+  const void *pointer
+);
+
+extern const NSSError NSS_ERROR_POINTER_NOT_REGISTERED;
+#endif /* DEBUG */
+
+/*
+ * libc
+ *
+ * nsslibc_memcpy
+ * nsslibc_memset
+ * nsslibc_offsetof
+ */
+
+/*
+ * nsslibc_memcpy
+ *
+ * Errors:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  NULL on error
+ *  The destination pointer on success
+ */
+
+NSS_EXTERN void *
+nsslibc_memcpy
+(
+  void *dest,
+  const void *source,
+  PRUint32 n
+);
+
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+
+/*
+ * nsslibc_memset
+ *
+ * Errors:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  NULL on error
+ *  The destination pointer on success
+ */
+
+NSS_EXTERN void *
+nsslibc_memset
+(
+  void *dest,
+  PRUint8 byte,
+  PRUint32 n
+);
+
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+
+/*
+ * nsslibc_memequal
+ *
+ * Errors:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_TRUE if they match
+ *  PR_FALSE if they don't
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nsslibc_memequal
+(
+  const void *a,
+  const void *b,
+  PRUint32 len,
+  PRStatus *statusOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+
+#define nsslibc_offsetof(str, memb) ((PRPtrdiff)(&(((str *)0)->memb)))
+
+/*
+ * nss_NewThreadPrivateIndex
+ * 
+ */
+
+NSS_EXTERN PRStatus
+nss_NewThreadPrivateIndex
+(
+  PRUintn *ip,
+  PRThreadPrivateDTOR dtor
+);
+
+/*
+ * nss_GetThreadPrivate
+ *
+ */
+
+NSS_EXTERN void *
+nss_GetThreadPrivate
+(
+  PRUintn i
+);
+
+/*
+ * nss_SetThreadPrivate
+ *
+ */
+
+NSS_EXTERN void
+nss_SetThreadPrivate
+(
+  PRUintn i,
+  void *v
+);
+
+
+PR_END_EXTERN_C
+
+#endif /* BASE_H */
diff --git a/security/nss/lib/base/baset.h b/security/nss/lib/base/baset.h
new file mode 100644
index 000000000..6df6da5aa
--- /dev/null
+++ b/security/nss/lib/base/baset.h
@@ -0,0 +1,158 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef BASET_H
+#define BASET_H
+
+#ifdef DEBUG
+static const char BASET_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * baset.h
+ *
+ * This file contains definitions for the basic types used throughout
+ * nss but not available publicly.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#include "plhash.h"
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * nssArenaMark
+ *
+ * This type is used to mark the current state of an NSSArena.
+ */
+
+struct nssArenaMarkStr;
+typedef struct nssArenaMarkStr nssArenaMark;
+
+#ifdef DEBUG
+/*
+ * ARENA_THREADMARK
+ * 
+ * Optionally, this arena implementation can be compiled with some
+ * runtime checking enabled, which will catch the situation where
+ * one thread "marks" the arena, another thread allocates memory,
+ * and then the mark is released.  Usually this is a surprise to
+ * the second thread, and this leads to weird runtime errors.
+ * Define ARENA_THREADMARK to catch these cases; we define it for all
+ * (internal and external) debug builds.
+ */
+#define ARENA_THREADMARK
+
+/*
+ * ARENA_DESTRUCTOR_LIST
+ *
+ * Unfortunately, our pointer-tracker facility, used in debug
+ * builds to agressively fight invalid pointers, requries that
+ * pointers be deregistered when objects are destroyed.  This
+ * conflicts with the standard arena usage where "memory-only"
+ * objects (that don't hold onto resources outside the arena)
+ * can be allocated in an arena, and never destroyed other than
+ * when the arena is destroyed.  Therefore we have added a
+ * destructor-registratio facility to our arenas.  This was not
+ * a simple decision, since we're getting ever-further away from
+ * the original arena philosophy.  However, it was felt that
+ * adding this in debug builds wouldn't be so bad; as it would
+ * discourage them from being used for "serious" purposes.
+ * This facility requires ARENA_THREADMARK to be defined.
+ */
+#ifdef ARENA_THREADMARK
+#define ARENA_DESTRUCTOR_LIST
+#endif /* ARENA_THREADMARK */
+
+#endif /* DEBUG */
+
+typedef struct nssListStr nssList;
+typedef struct nssListIteratorStr nssListIterator;
+typedef PRBool (* nssListCompareFunc)(void *a, void *b);
+typedef PRIntn (* nssListSortFunc)(void *a, void *b);
+typedef void (* nssListElementDestructorFunc)(void *el);
+
+typedef struct nssHashStr nssHash;
+typedef void (PR_CALLBACK *nssHashIterator)(const void *key, 
+                                            void *value, 
+                                            void *arg);
+
+/*
+ * nssPointerTracker
+ *
+ * This type is used in debug builds (both external and internal) to
+ * track our object pointers.  Objects of this type must be statically
+ * allocated, which means the structure size must be available to the
+ * compiler.  Therefore we must expose the contents of this structure.
+ * But please don't access elements directly; use the accessors.
+ */
+
+#ifdef DEBUG
+struct nssPointerTrackerStr {
+  PRCallOnceType once;
+  PZLock *lock;
+  PLHashTable *table;
+};
+typedef struct nssPointerTrackerStr nssPointerTracker;
+#endif /* DEBUG */
+
+/*
+ * nssStringType
+ *
+ * There are several types of strings in the real world.  We try to
+ * use only UTF8 and avoid the rest, but that's not always possible.
+ * So we have a couple converter routines to go to and from the other
+ * string types.  We have to be able to specify those string types,
+ * so we have this enumeration.
+ */
+
+enum nssStringTypeEnum {
+  nssStringType_DirectoryString,
+  nssStringType_TeletexString, /* Not "teletext" with trailing 't' */
+  nssStringType_PrintableString,
+  nssStringType_UniversalString,
+  nssStringType_BMPString,
+  nssStringType_UTF8String,
+  nssStringType_PHGString,
+  nssStringType_GeneralString,
+
+  nssStringType_Unknown = -1
+};
+typedef enum nssStringTypeEnum nssStringType;
+
+PR_END_EXTERN_C
+
+#endif /* BASET_H */
diff --git a/security/nss/lib/base/config.mk b/security/nss/lib/base/config.mk
new file mode 100644
index 000000000..4a9ed7dda
--- /dev/null
+++ b/security/nss/lib/base/config.mk
@@ -0,0 +1,48 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+ifdef BUILD_IDG
+DEFINES += -DNSSDEBUG
+endif
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/base/error.c b/security/nss/lib/base/error.c
new file mode 100644
index 000000000..3e736b2b0
--- /dev/null
+++ b/security/nss/lib/base/error.c
@@ -0,0 +1,297 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * error.c
+ *
+ * This file contains the code implementing the per-thread error 
+ * stacks upon which most NSS routines report their errors.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+/*
+ * The stack itself has a header, and a sequence of integers.
+ * The header records the amount of space (as measured in stack
+ * slots) already allocated for the stack, and the count of the
+ * number of records currently being used.
+ */
+
+struct stack_header_str {
+  PRUint16 space;
+  PRUint16 count;
+};
+
+struct error_stack_str {
+  struct stack_header_str header;
+  PRInt32 stack[1];
+};
+typedef struct error_stack_str error_stack;
+
+/*
+ * error_stack_index
+ *
+ * Thread-private data must be indexed.  This is that index.
+ * See PR_NewThreadPrivateIndex for more information.
+ */
+
+static PRUintn error_stack_index;
+
+/*
+ * call_once
+ *
+ * The thread-private index must be obtained (once!) at runtime.
+ * This block is used for that one-time call.
+ */
+
+static PRCallOnceType error_call_once;
+
+/*
+ * error_once_function
+ *
+ * This is the once-called callback.
+ */
+
+static PRStatus
+error_once_function
+(
+  void
+)
+{
+  return nss_NewThreadPrivateIndex(&error_stack_index,PR_Free);
+  /* return PR_NewThreadPrivateIndex(&error_stack_index, PR_Free); */
+}
+
+/*
+ * error_get_my_stack
+ *
+ * This routine returns the calling thread's error stack, creating
+ * it if necessary.  It may return NULL upon error, which implicitly
+ * means that it ran out of memory.
+ */
+
+static error_stack *
+error_get_my_stack
+(
+  void
+)
+{
+  PRStatus st;
+  error_stack *rv;
+  PRUintn new_size;
+  PRUint32 new_bytes;
+  error_stack *new_stack;
+
+  if( 0 == error_stack_index ) {
+    st = PR_CallOnce(&error_call_once, error_once_function);
+    if( PR_SUCCESS != st ) {
+      return (error_stack *)NULL;
+    }
+  }
+
+  rv = (error_stack *)nss_GetThreadPrivate(error_stack_index);
+  if( (error_stack *)NULL == rv ) {
+    /* Doesn't exist; create one */
+    new_size = 16;
+  } else {
+    if( rv->header.count == rv->header.space ) {
+      /* Too small, expand it */
+      new_size = rv->header.space + 16;
+    } else {
+      /* Okay, return it */
+      return rv;
+    }
+  }
+
+  new_bytes = (new_size * sizeof(PRInt32)) + 
+    sizeof(struct stack_header_str);
+  /* Use NSPR's calloc/realloc, not NSS's, to avoid loops! */
+  new_stack = PR_Calloc(1, new_bytes);
+  
+  if( (error_stack *)NULL != new_stack ) {
+    if( (error_stack *)NULL != rv ) {
+	(void)nsslibc_memcpy(new_stack,rv,rv->header.space);
+    }
+    new_stack->header.space = new_size;
+  }
+
+  /* Set the value, whether or not the allocation worked */
+  nss_SetThreadPrivate(error_stack_index, new_stack);
+  return new_stack;
+}
+
+/*
+ * The error stack
+ *
+ * The public methods relating to the error stack are:
+ *
+ *  NSS_GetError
+ *  NSS_GetErrorStack
+ *
+ * The nonpublic methods relating to the error stack are:
+ *
+ *  nss_SetError
+ *  nss_ClearErrorStack
+ *
+ */
+
+/*
+ * NSS_GetError
+ *
+ * This routine returns the highest-level (most general) error set
+ * by the most recent NSS library routine called by the same thread
+ * calling this routine.
+ *
+ * This routine cannot fail.  However, it may return zero, which
+ * indicates that the previous NSS library call did not set an error.
+ *
+ * Return value:
+ *  0 if no error has been set
+ *  A nonzero error number
+ */
+
+NSS_IMPLEMENT PRInt32
+NSS_GetError
+(
+  void
+)
+{
+  error_stack *es = error_get_my_stack();
+
+  if( (error_stack *)NULL == es ) {
+    return NSS_ERROR_NO_MEMORY; /* Good guess! */
+  }
+
+  if( 0 == es->header.count ) {
+    return 0;
+  }
+
+  return es->stack[ es->header.count-1 ];
+}
+
+/*
+ * NSS_GetErrorStack
+ *
+ * This routine returns a pointer to an array of integers, containing
+ * the entire sequence or "stack" of errors set by the most recent NSS
+ * library routine called by the same thread calling this routine.
+ * NOTE: the caller DOES NOT OWN the memory pointed to by the return
+ * value.  The pointer will remain valid until the calling thread
+ * calls another NSS routine.  The lowest-level (most specific) error 
+ * is first in the array, and the highest-level is last.  The array is
+ * zero-terminated.  This routine may return NULL upon error; this
+ * indicates a low-memory situation.
+ *
+ * Return value:
+ *  NULL upon error, which is an implied NSS_ERROR_NO_MEMORY
+ *  A NON-caller-owned pointer to an array of integers
+ */
+
+NSS_IMPLEMENT PRInt32 *
+NSS_GetErrorStack
+(
+  void
+)
+{
+  error_stack *es = error_get_my_stack();
+
+  if( (error_stack *)NULL == es ) {
+    return (PRInt32 *)NULL;
+  }
+
+  /* Make sure it's terminated */
+  es->stack[ es->header.count ] = 0;
+
+  return es->stack;
+}
+
+/*
+ * nss_SetError
+ *
+ * This routine places a new error code on the top of the calling 
+ * thread's error stack.  Calling this routine wiht an error code
+ * of zero will clear the error stack.
+ */
+
+NSS_IMPLEMENT void
+nss_SetError
+(
+  PRUint32 error
+)
+{
+  error_stack *es;
+
+  if( 0 == error ) {
+    nss_ClearErrorStack();
+    return;
+  }
+
+  es = error_get_my_stack();
+  if( (error_stack *)NULL == es ) {
+    /* Oh, well. */
+    return;
+  }
+
+  es->stack[ es->header.count ] = error;
+  es->header.count++;
+  return;
+}
+
+/*
+ * nss_ClearErrorStack
+ *
+ * This routine clears the calling thread's error stack.
+ */
+
+NSS_IMPLEMENT void
+nss_ClearErrorStack
+(
+  void
+)
+{
+  error_stack *es = error_get_my_stack();
+  if( (error_stack *)NULL == es ) {
+    /* Oh, well. */
+    return;
+  }
+
+  es->header.count = 0;
+  es->stack[0] = 0;
+  return;
+}
diff --git a/security/nss/lib/base/errorval.c b/security/nss/lib/base/errorval.c
new file mode 100644
index 000000000..2f2bfcce7
--- /dev/null
+++ b/security/nss/lib/base/errorval.c
@@ -0,0 +1,89 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * errorval.c
+ *
+ * This file contains the actual error constants used in NSS.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+const NSSError NSS_ERROR_NO_ERROR                       =  0;
+const NSSError NSS_ERROR_INTERNAL_ERROR                 =  1;
+const NSSError NSS_ERROR_NO_MEMORY                      =  2;
+const NSSError NSS_ERROR_INVALID_POINTER                =  3;
+const NSSError NSS_ERROR_INVALID_ARENA                  =  4;
+const NSSError NSS_ERROR_INVALID_ARENA_MARK             =  5;
+const NSSError NSS_ERROR_DUPLICATE_POINTER              =  6;
+const NSSError NSS_ERROR_POINTER_NOT_REGISTERED         =  7;
+const NSSError NSS_ERROR_TRACKER_NOT_EMPTY              =  8;
+const NSSError NSS_ERROR_TRACKER_NOT_INITIALIZED        =  9;
+const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD = 10;
+const NSSError NSS_ERROR_VALUE_TOO_LARGE                = 11;
+const NSSError NSS_ERROR_UNSUPPORTED_TYPE               = 12;
+const NSSError NSS_ERROR_BUFFER_TOO_SHORT               = 13;
+const NSSError NSS_ERROR_INVALID_ATOB_CONTEXT           = 14;
+const NSSError NSS_ERROR_INVALID_BASE64                 = 15;
+const NSSError NSS_ERROR_INVALID_BTOA_CONTEXT           = 16;
+const NSSError NSS_ERROR_INVALID_ITEM                   = 17;
+const NSSError NSS_ERROR_INVALID_STRING                 = 18;
+const NSSError NSS_ERROR_INVALID_ASN1ENCODER            = 19;
+const NSSError NSS_ERROR_INVALID_ASN1DECODER            = 20;
+
+const NSSError NSS_ERROR_INVALID_BER                    = 21;
+const NSSError NSS_ERROR_INVALID_ATAV                   = 22;
+const NSSError NSS_ERROR_INVALID_ARGUMENT               = 23;
+const NSSError NSS_ERROR_INVALID_UTF8                   = 24;
+const NSSError NSS_ERROR_INVALID_NSSOID                 = 25;
+const NSSError NSS_ERROR_UNKNOWN_ATTRIBUTE              = 26;
+
+const NSSError NSS_ERROR_NOT_FOUND                      = 27;
+
+const NSSError NSS_ERROR_INVALID_PASSWORD               = 28;
+const NSSError NSS_ERROR_USER_CANCELED                  = 29;
+
+const NSSError NSS_ERROR_MAXIMUM_FOUND                  = 30;
+
+const NSSError NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND   = 31;
+
+const NSSError NSS_ERROR_CERTIFICATE_IN_CACHE           = 32;
+
+const NSSError NSS_ERROR_HASH_COLLISION                 = 33;
+
diff --git a/security/nss/lib/base/hash.c b/security/nss/lib/base/hash.c
new file mode 100644
index 000000000..811fcd593
--- /dev/null
+++ b/security/nss/lib/base/hash.c
@@ -0,0 +1,404 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * hash.c
+ *
+ * This is merely a couple wrappers around NSPR's PLHashTable, using
+ * the identity hash and arena-aware allocators.
+ * This is a copy of ckfw/hash.c, with modifications to use NSS types
+ * (not Cryptoki types).  Would like for this to be a single implementation,
+ * but doesn't seem like it will work.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+/*
+ * nssHash
+ *
+ *  nssHash_Create
+ *  nssHash_Destroy
+ *  nssHash_Add
+ *  nssHash_Remove
+ *  nssHash_Count
+ *  nssHash_Exists
+ *  nssHash_Lookup
+ *  nssHash_Iterate
+ */
+
+struct nssHashStr {
+  NSSArena *arena;
+  PRBool i_alloced_arena;
+  PRLock *mutex;
+
+  /*
+   * The invariant that mutex protects is:
+   *   The count accurately reflects the hashtable state.
+   */
+
+  PLHashTable *plHashTable;
+  PRUint32 count;
+};
+
+static PLHashNumber
+nss_identity_hash
+(
+  const void *key
+)
+{
+  PRUint32 i = (PRUint32)key;
+  PR_ASSERT(sizeof(PLHashNumber) == sizeof(PRUint32));
+  return (PLHashNumber)i;
+}
+
+static PLHashNumber
+nss_item_hash
+(
+  const void *key
+)
+{
+  int i;
+  PLHashNumber h;
+  NSSItem *it = (NSSItem *)key;
+  h = 0;
+  for (i=0; i<it->size; i++)
+    h = (h >> 28) ^ (h << 4) ^ ((unsigned char *)it->data)[i];
+  return h;
+}
+
+static int
+nss_compare_items(const void *v1, const void *v2)
+{
+  PRStatus ignore;
+  return (int)nssItem_Equal((NSSItem *)v1, (NSSItem *)v2, &ignore);
+}
+
+/*
+ * nssHash_create
+ *
+ */
+NSS_IMPLEMENT nssHash *
+nssHash_Create
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets,
+  PLHashFunction keyHash,
+  PLHashComparator keyCompare,
+  PLHashComparator valueCompare
+)
+{
+  nssHash *rv;
+  NSSArena *arena;
+  PRBool i_alloced;
+
+#ifdef NSSDEBUG
+  if( arenaOpt && PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (nssHash *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if (arenaOpt) {
+    arena = arenaOpt;
+    i_alloced = PR_FALSE;
+  } else {
+    arena = nssArena_Create();
+    i_alloced = PR_TRUE;
+  }
+
+  rv = nss_ZNEW(arena, nssHash);
+  if( (nssHash *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->mutex = PZ_NewLock(nssILockOther);
+  if( (PZLock *)NULL == rv->mutex ) {
+    goto loser;
+  }
+
+  rv->plHashTable = PL_NewHashTable(numBuckets, 
+                                    keyHash, keyCompare, valueCompare,
+                                    &nssArenaHashAllocOps, arena);
+  if( (PLHashTable *)NULL == rv->plHashTable ) {
+    (void)PZ_DestroyLock(rv->mutex);
+    goto loser;
+  }
+
+  rv->count = 0;
+  rv->arena = arena;
+  rv->i_alloced_arena = i_alloced;
+
+  return rv;
+loser:
+  (void)nss_ZFreeIf(rv);
+  return (nssHash *)NULL;
+}
+
+/*
+ * nssHash_CreatePointer
+ *
+ */
+NSS_IMPLEMENT nssHash *
+nssHash_CreatePointer
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets
+)
+{
+  return nssHash_Create(arenaOpt, numBuckets, 
+                        nss_identity_hash, PL_CompareValues, PL_CompareValues);
+}
+
+/*
+ * nssHash_CreateString
+ *
+ */
+NSS_IMPLEMENT nssHash *
+nssHash_CreateString
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets
+)
+{
+  return nssHash_Create(arenaOpt, numBuckets, 
+                        PL_HashString, PL_CompareStrings, PL_CompareStrings);
+}
+
+/*
+ * nssHash_CreateItem
+ *
+ */
+NSS_IMPLEMENT nssHash *
+nssHash_CreateItem
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets
+)
+{
+  return nssHash_Create(arenaOpt, numBuckets, 
+                        nss_item_hash, nss_compare_items, PL_CompareValues);
+}
+
+/*
+ * nssHash_Destroy
+ *
+ */
+NSS_IMPLEMENT void
+nssHash_Destroy
+(
+  nssHash *hash
+)
+{
+  (void)PZ_DestroyLock(hash->mutex);
+  PL_HashTableDestroy(hash->plHashTable);
+  if (hash->i_alloced_arena) {
+    nssArena_Destroy(hash->arena);
+  } else {
+    nss_ZFreeIf(hash);
+  }
+}
+
+/*
+ * nssHash_Add
+ *
+ */
+NSS_IMPLEMENT PRStatus
+nssHash_Add
+(
+  nssHash *hash,
+  const void *key,
+  const void *value
+)
+{
+  PRStatus error = PR_FAILURE;
+  PLHashEntry *he;
+
+  PZ_Lock(hash->mutex);
+  
+  he = PL_HashTableAdd(hash->plHashTable, key, (void *)value);
+  if( (PLHashEntry *)NULL == he ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+  } else if (he->value != value) {
+    nss_SetError(NSS_ERROR_HASH_COLLISION);
+  } else {
+    hash->count++;
+    error = PR_SUCCESS;
+  }
+
+  (void)PZ_Unlock(hash->mutex);
+
+  return error;
+}
+
+/*
+ * nssHash_Remove
+ *
+ */
+NSS_IMPLEMENT void
+nssHash_Remove
+(
+  nssHash *hash,
+  const void *it
+)
+{
+  PRBool found;
+
+  PZ_Lock(hash->mutex);
+
+  found = PL_HashTableRemove(hash->plHashTable, it);
+  if( found ) {
+    hash->count--;
+  }
+
+  (void)PZ_Unlock(hash->mutex);
+  return;
+}
+
+/*
+ * nssHash_Count
+ *
+ */
+NSS_IMPLEMENT PRUint32
+nssHash_Count
+(
+  nssHash *hash
+)
+{
+  PRUint32 count;
+
+  PZ_Lock(hash->mutex);
+
+  count = hash->count;
+
+  (void)PZ_Unlock(hash->mutex);
+
+  return count;
+}
+
+/*
+ * nssHash_Exists
+ *
+ */
+NSS_IMPLEMENT PRBool
+nssHash_Exists
+(
+  nssHash *hash,
+  const void *it
+)
+{
+  void *value;
+
+  PZ_Lock(hash->mutex);
+
+  value = PL_HashTableLookup(hash->plHashTable, it);
+
+  (void)PZ_Unlock(hash->mutex);
+
+  if( (void *)NULL == value ) {
+    return PR_FALSE;
+  } else {
+    return PR_TRUE;
+  }
+}
+
+/*
+ * nssHash_Lookup
+ *
+ */
+NSS_IMPLEMENT void *
+nssHash_Lookup
+(
+  nssHash *hash,
+  const void *it
+)
+{
+  void *rv;
+
+  PZ_Lock(hash->mutex);
+
+  rv = PL_HashTableLookup(hash->plHashTable, it);
+
+  (void)PZ_Unlock(hash->mutex);
+
+  return rv;
+}
+
+struct arg_str {
+  nssHashIterator fcn;
+  void *closure;
+};
+
+static PRIntn
+nss_hash_enumerator
+(
+  PLHashEntry *he,
+  PRIntn index,
+  void *arg
+)
+{
+  struct arg_str *as = (struct arg_str *)arg;
+  as->fcn(he->key, he->value, as->closure);
+  return HT_ENUMERATE_NEXT;
+}
+
+/*
+ * nssHash_Iterate
+ *
+ * NOTE that the iteration function will be called with the hashtable locked.
+ */
+NSS_IMPLEMENT void
+nssHash_Iterate
+(
+  nssHash *hash,
+  nssHashIterator fcn,
+  void *closure
+)
+{
+  struct arg_str as;
+  as.fcn = fcn;
+  as.closure = closure;
+
+  PZ_Lock(hash->mutex);
+
+  PL_HashTableEnumerateEntries(hash->plHashTable, nss_hash_enumerator, &as);
+
+  (void)PZ_Unlock(hash->mutex);
+
+  return;
+}
diff --git a/security/nss/lib/base/hashops.c b/security/nss/lib/base/hashops.c
new file mode 100644
index 000000000..031f92649
--- /dev/null
+++ b/security/nss/lib/base/hashops.c
@@ -0,0 +1,117 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * hashops.c
+ *
+ * This file includes a set of PLHashAllocOps that use NSSArenas.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+static void * PR_CALLBACK
+nss_arena_hash_alloc_table
+(
+  void *pool,
+  PRSize size
+)
+{
+  NSSArena *arena = (NSSArena *)NULL;
+
+#ifdef NSSDEBUG
+  if( (void *)NULL != arena ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+      return (void *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  return nss_ZAlloc(arena, size);
+}
+
+static void PR_CALLBACK
+nss_arena_hash_free_table
+(
+  void *pool, 
+  void *item
+)
+{
+  (void)nss_ZFreeIf(item);
+}
+
+static PLHashEntry * PR_CALLBACK
+nss_arena_hash_alloc_entry
+(
+  void *pool,
+  const void *key
+)
+{
+  NSSArena *arena = NULL;
+
+#ifdef NSSDEBUG
+  if( (void *)NULL != arena ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+      return (void *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  return nss_ZNEW(arena, PLHashEntry);
+}
+
+static void PR_CALLBACK
+nss_arena_hash_free_entry
+(
+  void *pool,
+  PLHashEntry *he,
+  PRUintn flag
+)
+{
+  if( HT_FREE_ENTRY == flag ) {
+    (void)nss_ZFreeIf(he);
+  }
+}
+
+NSS_IMPLEMENT_DATA PLHashAllocOps 
+nssArenaHashAllocOps = {
+  nss_arena_hash_alloc_table,
+  nss_arena_hash_free_table,
+  nss_arena_hash_alloc_entry,
+  nss_arena_hash_free_entry
+};
diff --git a/security/nss/lib/base/item.c b/security/nss/lib/base/item.c
new file mode 100644
index 000000000..efa9d1200
--- /dev/null
+++ b/security/nss/lib/base/item.c
@@ -0,0 +1,241 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * item.c
+ *
+ * This contains some item-manipulation code.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+/*
+ * nssItem_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *  NSS_ERROR_INVALID_POINTER
+ *  
+ * Return value:
+ *  A pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSItem *
+nssItem_Create
+(
+  NSSArena *arenaOpt,
+  NSSItem *rvOpt,
+  PRUint32 length,
+  const void *data
+)
+{
+  NSSItem *rv = (NSSItem *)NULL;
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSItem *)NULL;
+    }
+  }
+
+  if( (const void *)NULL == data ) {
+    if( length > 0 ) {
+      nss_SetError(NSS_ERROR_INVALID_POINTER);
+      return (NSSItem *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  if( (NSSItem *)NULL == rvOpt ) {
+    rv = (NSSItem *)nss_ZNEW(arenaOpt, NSSItem);
+    if( (NSSItem *)NULL == rv ) {
+      goto loser;
+    }
+  } else {
+    rv = rvOpt;
+  }
+
+  rv->size = length;
+  rv->data = nss_ZAlloc(arenaOpt, length);
+  if( (void *)NULL == rv->data ) {
+    goto loser;
+  }
+
+  if( length > 0 ) {
+    (void)nsslibc_memcpy(rv->data, data, length);
+  }
+
+  return rv;
+
+ loser:
+  if( rv != rvOpt ) {
+    nss_ZFreeIf(rv);
+  }
+
+  return (NSSItem *)NULL;
+}
+
+NSS_IMPLEMENT void
+nssItem_Destroy
+(
+  NSSItem *item
+)
+{
+  nss_ClearErrorStack();
+
+  nss_ZFreeIf(item->data);
+  nss_ZFreeIf(item);
+
+}
+
+/*
+ * nssItem_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
+ *  NSS_ERROR_INVALID_ITEM
+ *  
+ * Return value:
+ *  A pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSItem *
+nssItem_Duplicate
+(
+  NSSItem *obj,
+  NSSArena *arenaOpt,
+  NSSItem *rvOpt
+)
+{
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSItem *)NULL;
+    }
+  }
+
+  if( (NSSItem *)NULL == obj ) {
+    nss_SetError(NSS_ERROR_INVALID_ITEM);
+    return (NSSItem *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssItem_Create(arenaOpt, rvOpt, obj->size, obj->data);
+}
+
+#ifdef DEBUG
+/*
+ * nssItem_verifyPointer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssItem_verifyPointer
+(
+  const NSSItem *item
+)
+{
+  if( ((const NSSItem *)NULL == item) ||
+      (((void *)NULL == item->data) && (item->size > 0)) ) {
+    nss_SetError(NSS_ERROR_INVALID_ITEM);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+#endif /* DEBUG */
+
+/*
+ * nssItem_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  PR_TRUE if the items are identical
+ *  PR_FALSE if they aren't
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+nssItem_Equal
+(
+  const NSSItem *one,
+  const NSSItem *two,
+  PRStatus *statusOpt
+)
+{
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  if( ((const NSSItem *)NULL == one) && ((const NSSItem *)NULL == two) ) {
+    return PR_TRUE;
+  }
+
+  if( ((const NSSItem *)NULL == one) || ((const NSSItem *)NULL == two) ) {
+    return PR_FALSE;
+  }
+
+  if( one->size != two->size ) {
+    return PR_FALSE;
+  }
+
+  return nsslibc_memequal(one->data, two->data, one->size, statusOpt);
+}
diff --git a/security/nss/lib/base/libc.c b/security/nss/lib/base/libc.c
new file mode 100644
index 000000000..68ab9d920
--- /dev/null
+++ b/security/nss/lib/base/libc.c
@@ -0,0 +1,197 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * libc.c
+ *
+ * This file contains our wrappers/reimplementations for "standard" 
+ * libc functions.  Things like "memcpy."  We add to this as we need 
+ * it.  Oh, and let's keep it in alphabetical order, should it ever 
+ * get large.  Most string/character stuff should be in utf8.c, not 
+ * here.  This file (and maybe utf8.c) should be the only ones in
+ * NSS to include files with angle brackets.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#include <string.h> /* memcpy, memset */
+
+/*
+ * nsslibc_memcpy
+ * nsslibc_memset
+ * nsslibc_offsetof
+ * nsslibc_memequal
+ */
+
+/*
+ * nsslibc_memcpy
+ *
+ * Errors:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  NULL on error
+ *  The destination pointer on success
+ */
+
+NSS_IMPLEMENT void *
+nsslibc_memcpy
+(
+  void *dest,
+  const void *source,
+  PRUint32 n
+)
+{
+#ifdef NSSDEBUG
+  if( ((void *)NULL == dest) || ((const void *)NULL == source) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (void *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return memcpy(dest, source, (size_t)n);
+}
+
+/*
+ * nsslibc_memset
+ *
+ * Errors:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  NULL on error
+ *  The destination pointer on success
+ */
+
+NSS_IMPLEMENT void *
+nsslibc_memset
+(
+  void *dest,
+  PRUint8 byte,
+  PRUint32 n
+)
+{
+#ifdef NSSDEBUG
+  if( ((void *)NULL == dest) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (void *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return memset(dest, (int)byte, (size_t)n);
+}
+
+/*
+ * nsslibc_memequal
+ *
+ * Errors:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_TRUE if they match
+ *  PR_FALSE if they don't
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+nsslibc_memequal
+(
+  const void *a,
+  const void *b,
+  PRUint32 len,
+  PRStatus *statusOpt
+)
+{
+#ifdef NSSDEBUG
+  if( (((void *)NULL == a) || ((void *)NULL == b)) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  if( 0 == memcmp(a, b, len) ) {
+    return PR_TRUE;
+  } else {
+    return PR_FALSE;
+  }
+}
+
+/*
+ * nsslibc_memcmp
+ */
+
+NSS_IMPLEMENT PRInt32
+nsslibc_memcmp
+(
+  const void *a,
+  const void *b,
+  PRUint32 len,
+  PRStatus *statusOpt
+)
+{
+  int v;
+
+#ifdef NSSDEBUG
+  if( (((void *)NULL == a) || ((void *)NULL == b)) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return -2;
+  }
+#endif /* NSSDEBUG */
+
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  v = memcmp(a, b, len);
+  return (PRInt32)v;
+}
+
+/*
+ * offsetof is a preprocessor definition
+ */
diff --git a/security/nss/lib/base/list.c b/security/nss/lib/base/list.c
new file mode 100644
index 000000000..f4ef49b70
--- /dev/null
+++ b/security/nss/lib/base/list.c
@@ -0,0 +1,429 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * list.c
+ *
+ * This contains the implementation of NSS's thread-safe linked list.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+struct nssListElementStr {
+    PRCList  link;
+    void    *data;
+};
+
+typedef struct nssListElementStr nssListElement;
+
+struct nssListStr {
+    NSSArena       *arena;
+    PZLock         *lock;
+    nssListElement *head;
+    PRUint32        count;
+    nssListCompareFunc compareFunc;
+    nssListSortFunc    sortFunc;
+    PRBool i_alloced_arena;
+};
+
+struct nssListIteratorStr {
+    PZLock *lock;
+    nssList *list;
+    nssListElement *current;
+};
+
+#define NSSLIST_LOCK_IF(list) \
+    if ((list)->lock) PZ_Lock((list)->lock)
+
+#define NSSLIST_UNLOCK_IF(list) \
+    if ((list)->lock) PZ_Unlock((list)->lock)
+
+static PRBool
+pointer_compare(void *a, void *b)
+{
+    return (PRBool)(a == b);
+}
+
+static nssListElement *
+nsslist_get_matching_element(nssList *list, void *data)
+{
+    PRCList *link;
+    nssListElement *node;
+    node = list->head;
+    if (!node) {
+	return NULL;
+    }
+    link = &node->link;
+    while (node) {
+	/* using a callback slows things down when it's just compare ... */
+	if (list->compareFunc(node->data, data)) {
+	    break;
+	}
+	link = &node->link;
+	if (link == PR_LIST_TAIL(&list->head->link)) {
+	    node = NULL;
+	    break;
+	}
+	node = (nssListElement *)PR_NEXT_LINK(&node->link);
+    }
+    return node;
+}
+
+NSS_IMPLEMENT nssList *
+nssList_Create
+(
+  NSSArena *arenaOpt,
+  PRBool threadSafe
+)
+{
+    NSSArena *arena;
+    nssList *list;
+    PRBool i_alloced;
+    if (arenaOpt) {
+	arena = arenaOpt;
+	i_alloced = PR_FALSE;
+    } else {
+	arena = nssArena_Create();
+	i_alloced = PR_TRUE;
+    }
+    if (!arena) {
+	return (nssList *)NULL;
+    }
+    list = nss_ZNEW(arena, nssList);
+    if (!list) {
+	if (!arenaOpt) {
+	    NSSArena_Destroy(arena);
+	}
+	return (nssList *)NULL;
+    }
+    if (threadSafe) {
+	list->lock = PZ_NewLock(nssILockOther);
+	if (!list->lock) {
+	    if (arenaOpt) {
+		nss_ZFreeIf(list);
+	    } else {
+		NSSArena_Destroy(arena);
+	    }
+	    return (nssList *)NULL;
+	}
+    }
+    list->arena = arena;
+    list->i_alloced_arena = i_alloced;
+    list->compareFunc = pointer_compare;
+    return list;
+}
+
+NSS_IMPLEMENT PRStatus
+nssList_Destroy(nssList *list)
+{
+    if (!list->i_alloced_arena) {
+	nssList_Clear(list, NULL);
+    }
+    if (list->lock) {
+	(void)PZ_DestroyLock(list->lock);
+    }
+    if (list->i_alloced_arena) {
+	NSSArena_Destroy(list->arena);
+	list = NULL;
+    }
+    nss_ZFreeIf(list);
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT void
+nssList_SetCompareFunction(nssList *list, nssListCompareFunc compareFunc)
+{
+    list->compareFunc = compareFunc;
+}
+
+NSS_IMPLEMENT void
+nssList_SetSortFunction(nssList *list, nssListSortFunc sortFunc)
+{
+    /* XXX if list already has elements, sort them */
+    list->sortFunc = sortFunc;
+}
+
+NSS_IMPLEMENT nssListCompareFunc
+nssList_GetCompareFunction(nssList *list)
+{
+    return list->compareFunc;
+}
+
+NSS_IMPLEMENT void
+nssList_Clear(nssList *list, nssListElementDestructorFunc destructor)
+{
+    PRCList *link;
+    nssListElement *node, *tmp;
+    NSSLIST_LOCK_IF(list);
+    node = list->head;
+    list->head = NULL;
+    while (node && list->count > 0) {
+	if (destructor) (*destructor)(node->data);
+	link = &node->link;
+	tmp = (nssListElement *)PR_NEXT_LINK(link);
+	PR_REMOVE_LINK(link);
+	nss_ZFreeIf(node);
+	node = tmp;
+	--list->count;
+    }
+    NSSLIST_UNLOCK_IF(list);
+}
+
+static PRStatus
+nsslist_add_element(nssList *list, void *data)
+{
+    nssListElement *node = nss_ZNEW(list->arena, nssListElement);
+    if (!node) {
+	return PR_FAILURE;
+    }
+    PR_INIT_CLIST(&node->link);
+    node->data = data;
+    if (list->head) {
+	if (list->sortFunc) {
+	    PRCList *link;
+	    nssListElement *currNode;
+	    currNode = list->head;
+	    /* insert in ordered list */
+	    while (currNode) {
+		link = &currNode->link;
+		if (list->sortFunc(data, currNode->data) <= 0) {
+		    /* new element goes before current node */
+		    PR_INSERT_BEFORE(&node->link, link);
+		    /* reset head if this is first */
+		    if (currNode == list->head) list->head = node;
+		    break;
+		}
+		if (link == PR_LIST_TAIL(&list->head->link)) {
+		    /* reached end of list, append */
+		    PR_INSERT_AFTER(&node->link, link);
+		    break;
+		}
+		currNode = (nssListElement *)PR_NEXT_LINK(&currNode->link);
+	    }
+	} else {
+	    /* not sorting */
+	    PR_APPEND_LINK(&node->link, &list->head->link);
+	}
+    } else {
+	list->head = node;
+    }
+    ++list->count;
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+nssList_Add(nssList *list, void *data)
+{
+    PRStatus nssrv;
+    NSSLIST_LOCK_IF(list);
+    nssrv = nsslist_add_element(list, data);
+    NSSLIST_UNLOCK_IF(list);
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+nssList_AddUnique(nssList *list, void *data)
+{
+    PRStatus nssrv;
+    nssListElement *node;
+    NSSLIST_LOCK_IF(list);
+    node = nsslist_get_matching_element(list, data);
+    if (node) {
+	/* already in, finish */
+	NSSLIST_UNLOCK_IF(list);
+	return PR_SUCCESS;
+    }
+    nssrv = nsslist_add_element(list, data);
+    NSSLIST_UNLOCK_IF(list);
+    return nssrv;
+}
+
+NSS_IMPLEMENT PRStatus
+nssList_Remove(nssList *list, void *data)
+{
+    nssListElement *node;
+    NSSLIST_LOCK_IF(list);
+    node = nsslist_get_matching_element(list, data);
+    if (node) {
+	if (node == list->head) {
+	    list->head = (nssListElement *)PR_NEXT_LINK(&node->link);
+	}
+	PR_REMOVE_LINK(&node->link);
+	nss_ZFreeIf(node);
+	if (--list->count == 0) {
+	    list->head = NULL;
+	}
+    }
+    NSSLIST_UNLOCK_IF(list);
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT void *
+nssList_Get(nssList *list, void *data)
+{
+    nssListElement *node;
+    NSSLIST_LOCK_IF(list);
+    node = nsslist_get_matching_element(list, data);
+    NSSLIST_UNLOCK_IF(list);
+    return (node) ? node->data : NULL;
+}
+
+NSS_IMPLEMENT PRUint32
+nssList_Count(nssList *list)
+{
+    return list->count;
+}
+
+NSS_IMPLEMENT PRStatus
+nssList_GetArray(nssList *list, void **rvArray, PRUint32 maxElements)
+{
+    nssListIterator *iter;
+    void *el;
+    PRUint32 i = 0;
+    PR_ASSERT(maxElements > 0);
+    iter = nssList_CreateIterator(list);
+    for (el = nssListIterator_Start(iter); el != NULL;
+         el = nssListIterator_Next(iter)) 
+    {
+	rvArray[i++] = el;
+	if (i == maxElements) break;
+    }
+    nssListIterator_Finish(iter);
+    nssListIterator_Destroy(iter);
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT nssList *
+nssList_Clone(nssList *list)
+{
+    nssList *rvList;
+    nssListElement *node;
+    rvList = nssList_Create(NULL, (list->lock != NULL));
+    if (!rvList) {
+	return NULL;
+    }
+    NSSLIST_LOCK_IF(list);
+    if (list->count > 0) {
+	node = list->head;
+	while (PR_TRUE) {
+	    nssList_Add(rvList, node->data);
+	    node = (nssListElement *)PR_NEXT_LINK(&node->link);
+	    if (node == list->head) {
+		break;
+	    }
+	}
+    }
+    NSSLIST_UNLOCK_IF(list);
+    return rvList;
+}
+
+NSS_IMPLEMENT nssListIterator *
+nssList_CreateIterator(nssList *list)
+{
+    nssListIterator *rvIterator;
+    rvIterator = nss_ZNEW(NULL, nssListIterator);
+    if (!rvIterator) {
+	return NULL;
+    }
+    rvIterator->list = nssList_Clone(list);
+    if (!rvIterator->list) {
+	nss_ZFreeIf(rvIterator);
+	return NULL;
+    }
+    rvIterator->current = rvIterator->list->head;
+    if (list->lock) {
+	rvIterator->lock = PZ_NewLock(nssILockOther);
+	if (!rvIterator->lock) {
+	    nssList_Destroy(rvIterator->list);
+	    nss_ZFreeIf(rvIterator);
+	}
+    }
+    return rvIterator;
+}
+
+NSS_IMPLEMENT void
+nssListIterator_Destroy(nssListIterator *iter)
+{
+    if (iter->lock) {
+	(void)PZ_DestroyLock(iter->lock);
+    }
+    nssList_Destroy(iter->list);
+    nss_ZFreeIf(iter);
+}
+
+NSS_IMPLEMENT void *
+nssListIterator_Start(nssListIterator *iter)
+{
+    NSSLIST_LOCK_IF(iter);
+    if (iter->list->count == 0) {
+	return NULL;
+    }
+    iter->current = iter->list->head;
+    return iter->current->data;
+}
+
+NSS_IMPLEMENT void *
+nssListIterator_Next(nssListIterator *iter)
+{
+    nssListElement *node;
+    PRCList *link;
+    if (iter->list->count == 1 || iter->current == NULL) {
+	/* Reached the end of the list.  Don't change the state, force to
+	 * user to call nssList_Finish to clean up.
+	 */
+	return NULL;
+    }
+    node = (nssListElement *)PR_NEXT_LINK(&iter->current->link);
+    link = &node->link;
+    if (link == PR_LIST_TAIL(&iter->list->head->link)) {
+	/* Signal the end of the list. */
+	iter->current = NULL;
+	return node->data;
+    }
+    iter->current = node;
+    return node->data;
+}
+
+NSS_IMPLEMENT PRStatus
+nssListIterator_Finish(nssListIterator *iter)
+{
+    iter->current = iter->list->head;
+    return (iter->lock) ? PZ_Unlock(iter->lock) : PR_SUCCESS;
+}
+
diff --git a/security/nss/lib/base/manifest.mn b/security/nss/lib/base/manifest.mn
new file mode 100644
index 000000000..13cf9447b
--- /dev/null
+++ b/security/nss/lib/base/manifest.mn
@@ -0,0 +1,65 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+CORE_DEPTH = ../../..
+
+PRIVATE_EXPORTS = \
+	baset.h		  \
+	base.h		  \
+	$(NULL)
+
+EXPORTS =	   \
+	nssbaset.h \
+	nssbase.h  \
+	$(NULL)
+
+MODULE = security
+
+CSRCS =		   \
+	arena.c	   \
+	error.c	   \
+	errorval.c \
+	hashops.c  \
+	libc.c	   \
+	tracker.c  \
+	item.c     \
+	utf8.c	   \
+	list.c     \
+	hash.c     \
+	whatnspr.c \
+	$(NULL)
+
+REQUIRES = security nspr
+
+LIBRARY_NAME = nssb
diff --git a/security/nss/lib/base/nssbase.h b/security/nss/lib/base/nssbase.h
new file mode 100644
index 000000000..3960a7810
--- /dev/null
+++ b/security/nss/lib/base/nssbase.h
@@ -0,0 +1,167 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef NSSBASE_H
+#define NSSBASE_H
+
+#ifdef DEBUG
+static const char NSSBASE_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * nssbase.h
+ *
+ * This header file contains the prototypes of the basic public
+ * NSS routines.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * NSSArena
+ *
+ * The public methods relating to this type are:
+ *
+ *  NSSArena_Create  -- constructor
+ *  NSSArena_Destroy
+ */
+
+/*
+ * NSSArena_Create
+ *
+ * This routine creates a new memory arena.  This routine may return
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The top-level error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSArena upon success
+ */
+
+NSS_EXTERN NSSArena *
+NSSArena_Create
+(
+  void
+);
+
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSArena_Destroy
+ *
+ * This routine will destroy the specified arena, freeing all memory
+ * allocated from it.  This routine returns a PRStatus value; if 
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * create an error stack and return PR_FAILURE.
+ *
+ * The top-level error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSArena_Destroy
+(
+  NSSArena *arena
+);
+
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+
+/*
+ * The error stack
+ *
+ * The public methods relating to the error stack are:
+ *
+ *  NSS_GetError
+ *  NSS_GetErrorStack
+ */
+
+/*
+ * NSS_GetError
+ *
+ * This routine returns the highest-level (most general) error set
+ * by the most recent NSS library routine called by the same thread
+ * calling this routine.
+ *
+ * This routine cannot fail.  It may return NSS_ERROR_NO_ERROR, which
+ * indicates that the previous NSS library call did not set an error.
+ *
+ * Return value:
+ *  0 if no error has been set
+ *  A nonzero error number
+ */
+
+NSS_EXTERN NSSError
+NSS_GetError
+(
+  void
+);
+
+extern const NSSError NSS_ERROR_NO_ERROR;
+
+/*
+ * NSS_GetErrorStack
+ *
+ * This routine returns a pointer to an array of NSSError values, 
+ * containingthe entire sequence or "stack" of errors set by the most 
+ * recent NSS library routine called by the same thread calling this 
+ * routine.  NOTE: the caller DOES NOT OWN the memory pointed to by 
+ * the return value.  The pointer will remain valid until the calling 
+ * thread calls another NSS routine.  The lowest-level (most specific) 
+ * error is first in the array, and the highest-level is last.  The 
+ * array is zero-terminated.  This routine may return NULL upon error; 
+ * this indicates a low-memory situation.
+ *
+ * Return value:
+ *  NULL upon error, which is an implied NSS_ERROR_NO_MEMORY
+ *  A NON-caller-owned pointer to an array of NSSError values
+ */
+
+NSS_EXTERN NSSError *
+NSS_GetErrorStack
+(
+  void
+);
+
+PR_END_EXTERN_C
+
+#endif /* NSSBASE_H */
diff --git a/security/nss/lib/base/nssbaset.h b/security/nss/lib/base/nssbaset.h
new file mode 100644
index 000000000..c3e84c46e
--- /dev/null
+++ b/security/nss/lib/base/nssbaset.h
@@ -0,0 +1,153 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef NSSBASET_H
+#define NSSBASET_H
+
+#ifdef DEBUG
+static const char NSSBASET_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * nssbaset.h
+ *
+ * This file contains the most low-level, fundamental public types.
+ */
+
+#include "nspr.h"
+#include "nssilock.h"
+
+/*
+ * NSS_EXTERN, NSS_IMPLEMENT, NSS_EXTERN_DATA, NSS_IMPLEMENT_DATA
+ *
+ * NSS has its own versions of these NSPR macros, in a form which
+ * does not confuse ctags and other related utilities.  NSPR 
+ * defines these macros to take the type as an argument, because
+ * of a requirement to support win16 dlls.  We do not have that
+ * requirement, so we can drop that restriction.
+ */
+
+#define DUMMY	/* dummy */
+#define NSS_EXTERN         PR_EXTERN(DUMMY)
+#define NSS_IMPLEMENT      PR_IMPLEMENT(DUMMY)
+#define NSS_EXTERN_DATA    PR_EXTERN_DATA(DUMMY)
+#define NSS_IMPLEMENT_DATA PR_IMPLEMENT_DATA(DUMMY)
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * NSSError
+ *
+ * Calls to NSS routines may result in one or more errors being placed
+ * on the calling thread's "error stack."  Every possible error that
+ * may be returned from a function is declared where the function is 
+ * prototyped.  All errors are of the following type.
+ */
+
+typedef PRInt32 NSSError;
+
+/*
+ * NSSArena
+ *
+ * Arenas are logical sets of heap memory, from which memory may be
+ * allocated.  When an arena is destroyed, all memory allocated within
+ * that arena is implicitly freed.  These arenas are thread-safe: 
+ * an arena pointer may be used by multiple threads simultaneously.
+ * However, as they are not backed by shared memory, they may only be
+ * used within one process.
+ */
+
+struct NSSArenaStr;
+typedef struct NSSArenaStr NSSArena;
+
+/*
+ * NSSItem
+ *
+ * This is the basic type used to refer to an unconstrained datum of
+ * arbitrary size.
+ */
+
+struct NSSItemStr {
+  void *data;
+  PRUint32 size;
+};
+typedef struct NSSItemStr NSSItem;
+
+
+/*
+ * NSSBER
+ *
+ * Data packed according to the Basic Encoding Rules of ASN.1.
+ */
+
+typedef NSSItem NSSBER;
+
+/*
+ * NSSDER
+ *
+ * Data packed according to the Distinguished Encoding Rules of ASN.1;
+ * this form is also known as the Canonical Encoding Rules form (CER).
+ */
+
+typedef NSSBER NSSDER;
+
+/*
+ * NSSBitString
+ *
+ * Some ASN.1 types use "bit strings," which are passed around as
+ * octet strings but whose length is counted in bits.  We use this
+ * typedef of NSSItem to point out the occasions when the length
+ * is counted in bits, not octets.
+ */
+
+typedef NSSItem NSSBitString;
+
+/*
+ * NSSUTF8
+ *
+ * Character strings encoded in UTF-8, as defined by RFC 2279.
+ */
+
+typedef char NSSUTF8;
+
+/*
+ * NSSASCII7
+ *
+ * Character strings guaranteed to be 7-bit ASCII.
+ */
+
+typedef char NSSASCII7;
+
+PR_END_EXTERN_C
+
+#endif /* NSSBASET_H */
diff --git a/security/nss/lib/base/tracker.c b/security/nss/lib/base/tracker.c
new file mode 100644
index 000000000..5be77b7cf
--- /dev/null
+++ b/security/nss/lib/base/tracker.c
@@ -0,0 +1,543 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * tracker.c
+ * 
+ * This file contains the code used by the pointer-tracking calls used
+ * in the debug builds to catch bad pointers.  The entire contents are
+ * only available in debug builds (both internal and external builds).
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#ifdef DEBUG
+
+/*
+ * call_once
+ *
+ * Unfortunately, NSPR's PR_CallOnce function doesn't accept a closure
+ * variable.  So I have a static version here which does.  This code 
+ * is based on NSPR's, and uses the NSPR function to initialize the
+ * required lock.
+ */
+
+/*
+ * The is the "once block" that's passed to the "real" PR_CallOnce
+ * function, to call the local initializer myOnceFunction once.
+ */
+static PRCallOnceType myCallOnce;
+
+/*
+ * This structure is used by the call_once function to make sure that
+ * any "other" threads calling the call_once don't return too quickly,
+ * before the initializer has finished.
+ */
+static struct {
+  PZLock *ml;
+  PZCondVar *cv;
+} mod_init;
+
+/*
+ * This is the initializer for the above mod_init structure.
+ */
+static PRStatus
+myOnceFunction
+(
+  void
+)
+{
+  mod_init.ml = PZ_NewLock(nssILockOther);
+  if( (PZLock *)NULL == mod_init.ml ) {
+    return PR_FAILURE;
+  }
+
+  mod_init.cv = PZ_NewCondVar(mod_init.ml);
+  if( (PZCondVar *)NULL == mod_init.cv ) {
+    PZ_DestroyLock(mod_init.ml);
+    mod_init.ml = (PZLock *)NULL;
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+/*
+ * The nss call_once callback takes a closure argument.
+ */
+typedef PRStatus (PR_CALLBACK *nssCallOnceFN)(void *arg);
+
+/*
+ * NSS's call_once function.
+ */
+static PRStatus
+call_once
+(
+  PRCallOnceType *once,
+  nssCallOnceFN func,
+  void *arg
+)
+{
+  PRStatus rv;
+
+  if( !myCallOnce.initialized ) {
+    rv = PR_CallOnce(&myCallOnce, myOnceFunction);
+    if( PR_SUCCESS != rv ) {
+      return rv;
+    }
+  }
+
+  if( !once->initialized ) {
+    if( 0 == PR_AtomicSet(&once->inProgress, 1) ) {
+      once->status = (*func)(arg);
+      PZ_Lock(mod_init.ml);
+      once->initialized = 1;
+      PZ_NotifyAllCondVar(mod_init.cv);
+      PZ_Unlock(mod_init.ml);
+    } else {
+      PZ_Lock(mod_init.ml);
+      while( !once->initialized ) {
+        PZ_WaitCondVar(mod_init.cv, PR_INTERVAL_NO_TIMEOUT);
+      }
+      PZ_Unlock(mod_init.ml);
+    }
+  }
+
+  return once->status;
+}
+
+/*
+ * Now we actually get to my own "call once" payload function.
+ * But wait, to create the hash, I need a hash function!
+ */
+
+/*
+ * identity_hash
+ *
+ * This static callback is a PLHashFunction as defined in plhash.h
+ * It merely returns the value of the object pointer as its hash.
+ * There are no possible errors.
+ */
+
+static PLHashNumber PR_CALLBACK
+identity_hash
+(
+  const void *key
+)
+{
+  return (PLHashNumber)key;
+}
+
+/*
+ * trackerOnceFunc
+ *
+ * This function is called once, using the nssCallOnce function above.
+ * It creates a new pointer tracker object; initialising its hash
+ * table and protective lock.
+ */
+
+static PRStatus
+trackerOnceFunc
+(
+  void *arg
+)
+{
+  nssPointerTracker *tracker = (nssPointerTracker *)arg;
+
+  tracker->lock = PZ_NewLock(nssILockOther);
+  if( (PZLock *)NULL == tracker->lock ) {
+    return PR_FAILURE;
+  }
+
+  tracker->table = PL_NewHashTable(0, 
+                                   identity_hash, 
+                                   PL_CompareValues,
+                                   PL_CompareValues,
+                                   (PLHashAllocOps *)NULL, 
+                                   (void *)NULL);
+  if( (PLHashTable *)NULL == tracker->table ) {
+    PZ_DestroyLock(tracker->lock);
+    tracker->lock = (PZLock *)NULL;
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nssPointerTracker_initialize
+ *
+ * This method is only present in debug builds.
+ * 
+ * This routine initializes an nssPointerTracker object.  Note that
+ * the object must have been declared *static* to guarantee that it
+ * is in a zeroed state initially.  This routine is idempotent, and
+ * may even be safely called by multiple threads simultaneously with 
+ * the same argument.  This routine returns a PRStatus value; if 
+ * successful, it will return PR_SUCCESS.  On failure it will set an 
+ * error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPointerTracker_initialize
+(
+  nssPointerTracker *tracker
+)
+{
+  PRStatus rv = call_once(&tracker->once, trackerOnceFunc, tracker);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+  }
+
+  return rv;
+}
+
+#ifdef DONT_DESTROY_EMPTY_TABLES
+/* See same #ifdef below */
+/*
+ * count_entries
+ *
+ * This static routine is a PLHashEnumerator, as defined in plhash.h.
+ * It merely causes the enumeration function to count the number of
+ * entries.
+ */
+
+static PRIntn PR_CALLBACK
+count_entries
+(
+  PLHashEntry *he,
+  PRIntn index,
+  void *arg
+)
+{
+  return HT_ENUMERATE_NEXT;
+}
+#endif /* DONT_DESTROY_EMPTY_TABLES */
+
+/*
+ * zero_once
+ *
+ * This is a guaranteed zeroed once block.  It's used to help clear
+ * the tracker.
+ */
+
+static const PRCallOnceType zero_once;
+
+/*
+ * nssPointerTracker_finalize
+ *
+ * This method is only present in debug builds.
+ * 
+ * This routine returns the nssPointerTracker object to the pre-
+ * initialized state, releasing all resources used by the object.
+ * It will *NOT* destroy the objects being tracked by the pointer
+ * (should any remain), and therefore cannot be used to "sweep up"
+ * remaining objects.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCES.  On failure it will set an
+ * error on the error stack and return PR_FAILURE.  If any objects
+ * remain in the tracker when it is finalized, that will be treated
+ * as an error.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_TRACKER_NOT_INITIALIZED
+ *  NSS_ERROR_TRACKER_NOT_EMPTY
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPointerTracker_finalize
+(
+  nssPointerTracker *tracker
+)
+{
+  PZLock *lock;
+
+  if( (nssPointerTracker *)NULL == tracker ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return PR_FAILURE;
+  }
+
+  if( (PZLock *)NULL == tracker->lock ) {
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+  lock = tracker->lock;
+  PZ_Lock(lock);
+
+  if( (PLHashTable *)NULL == tracker->table ) {
+    PZ_Unlock(lock);
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+#ifdef DONT_DESTROY_EMPTY_TABLES
+  /*
+   * I changed my mind; I think we don't want this after all.
+   * Comments?
+   */
+  count = PL_HashTableEnumerateEntries(tracker->table, 
+                                       count_entries,
+                                       (void *)NULL);
+
+  if( 0 != count ) {
+    PZ_Unlock(lock);
+    nss_SetError(NSS_ERROR_TRACKER_NOT_EMPTY);
+    return PR_FAILURE;
+  }
+#endif /* DONT_DESTROY_EMPTY_TABLES */
+
+  PL_HashTableDestroy(tracker->table);
+  /* memset(tracker, 0, sizeof(nssPointerTracker)); */
+  tracker->once = zero_once;
+  tracker->lock = (PZLock *)NULL;
+  tracker->table = (PLHashTable *)NULL;
+
+  PZ_Unlock(lock);
+  PZ_DestroyLock(lock);
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nssPointerTracker_add
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine adds the specified pointer to the nssPointerTracker
+ * object.  It should be called in constructor objects to register
+ * new valid objects.  The nssPointerTracker is threadsafe, but this
+ * call is not idempotent.  This routine returns a PRStatus value;
+ * if successful it will return PR_SUCCESS.  On failure it will set
+ * an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_TRACKER_NOT_INITIALIZED
+ *  NSS_ERROR_DUPLICATE_POINTER
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPointerTracker_add
+(
+  nssPointerTracker *tracker,
+  const void *pointer
+)
+{
+  void *check;
+  PLHashEntry *entry;
+
+  if( (nssPointerTracker *)NULL == tracker ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return PR_FAILURE;
+  }
+
+  if( (PZLock *)NULL == tracker->lock ) {
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+  PZ_Lock(tracker->lock);
+
+  if( (PLHashTable *)NULL == tracker->table ) {
+    PZ_Unlock(tracker->lock);
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+  check = PL_HashTableLookup(tracker->table, pointer);
+  if( (void *)NULL != check ) {
+    PZ_Unlock(tracker->lock);
+    nss_SetError(NSS_ERROR_DUPLICATE_POINTER);
+    return PR_FAILURE;
+  }
+
+  entry = PL_HashTableAdd(tracker->table, pointer, (void *)pointer);
+
+  PZ_Unlock(tracker->lock);
+
+  if( (PLHashEntry *)NULL == entry ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+  
+/*
+ * nssPointerTracker_remove
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine removes the specified pointer from the 
+ * nssPointerTracker object.  It does not call any destructor for the
+ * object; rather, this should be called from the object's destructor.
+ * The nssPointerTracker is threadsafe, but this call is not 
+ * idempotent.  This routine returns a PRStatus value; if successful 
+ * it will return PR_SUCCESS.  On failure it will set an error on the 
+ * error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_TRACKER_NOT_INITIALIZED
+ *  NSS_ERROR_POINTER_NOT_REGISTERED
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILURE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPointerTracker_remove
+(
+  nssPointerTracker *tracker,
+  const void *pointer
+)
+{
+  PRBool registered;
+
+  if( (nssPointerTracker *)NULL == tracker ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return PR_FAILURE;
+  }
+
+  if( (PZLock *)NULL == tracker->lock ) {
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+  PZ_Lock(tracker->lock);
+
+  if( (PLHashTable *)NULL == tracker->table ) {
+    PZ_Unlock(tracker->lock);
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+  registered = PL_HashTableRemove(tracker->table, pointer);
+  PZ_Unlock(tracker->lock);
+
+  if( !registered ) {
+    nss_SetError(NSS_ERROR_POINTER_NOT_REGISTERED);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nssPointerTracker_verify
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine verifies that the specified pointer has been registered
+ * with the nssPointerTracker object.  The nssPointerTracker object is
+ * threadsafe, and this call may be safely called from multiple threads
+ * simultaneously with the same arguments.  This routine returns a
+ * PRStatus value; if the pointer is registered this will return 
+ * PR_SUCCESS.  Otherwise it will set an error on the error stack and 
+ * return PR_FAILURE.  Although the error is suitable for leaving on 
+ * the stack, callers may wish to augment the information available by 
+ * placing a more type-specific error on the stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_TRACKER_NOT_INITIALIZED
+ *  NSS_ERROR_POINTER_NOT_REGISTERED
+ *
+ * Return value:
+ *  PR_SUCCESS
+ *  PR_FAILRUE
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPointerTracker_verify
+(
+  nssPointerTracker *tracker,
+  const void *pointer
+)
+{
+  void *check;
+
+  if( (nssPointerTracker *)NULL == tracker ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return PR_FAILURE;
+  }
+
+  if( (PZLock *)NULL == tracker->lock ) {
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+  PZ_Lock(tracker->lock);
+
+  if( (PLHashTable *)NULL == tracker->table ) {
+    PZ_Unlock(tracker->lock);
+    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+    return PR_FAILURE;
+  }
+
+  check = PL_HashTableLookup(tracker->table, pointer);
+  PZ_Unlock(tracker->lock);
+
+  if( (void *)NULL == check ) {
+    nss_SetError(NSS_ERROR_POINTER_NOT_REGISTERED);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+#endif /* DEBUG */
diff --git a/security/nss/lib/base/utf8.c b/security/nss/lib/base/utf8.c
new file mode 100644
index 000000000..3a8641f95
--- /dev/null
+++ b/security/nss/lib/base/utf8.c
@@ -0,0 +1,759 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * utf8.c
+ *
+ * This file contains some additional utility routines required for
+ * handling UTF8 strings.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#include "plstr.h"
+
+/*
+ * NOTES:
+ *
+ * There's an "is hex string" function in pki1/atav.c.  If we need
+ * it in more places, pull that one out.
+ */
+
+/*
+ * nssUTF8_CaseIgnoreMatch
+ * 
+ * Returns true if the two UTF8-encoded strings pointed to by the 
+ * two specified NSSUTF8 pointers differ only in typcase.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_TRUE if the strings match, ignoring case
+ *  PR_FALSE if they don't
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+nssUTF8_CaseIgnoreMatch
+(
+  const NSSUTF8 *a,
+  const NSSUTF8 *b,
+  PRStatus *statusOpt
+)
+{
+#ifdef NSSDEBUG
+  if( ((const NSSUTF8 *)NULL == a) ||
+      ((const NSSUTF8 *)NULL == b) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  /*
+   * XXX fgmr
+   *
+   * This is, like, so wrong!
+   */
+  if( 0 == PL_strcasecmp((const char *)a, (const char *)b) ) {
+    return PR_TRUE;
+  } else {
+    return PR_FALSE;
+  }
+}
+
+/*
+ * nssUTF8_PrintableMatch
+ *
+ * Returns true if the two Printable strings pointed to by the 
+ * two specified NSSUTF8 pointers match when compared with the 
+ * rules for Printable String (leading and trailing spaces are 
+ * disregarded, extents of whitespace match irregardless of length, 
+ * and case is not significant), then PR_TRUE will be returned.
+ * Otherwise, PR_FALSE will be returned.  Upon failure, PR_FALSE
+ * will be returned.  If the optional statusOpt argument is not
+ * NULL, then PR_SUCCESS or PR_FAILURE will be stored in that
+ * location.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  PR_TRUE if the strings match, ignoring case
+ *  PR_FALSE if they don't
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+nssUTF8_PrintableMatch
+(
+  const NSSUTF8 *a,
+  const NSSUTF8 *b,
+  PRStatus *statusOpt
+)
+{
+  PRUint8 *c;
+  PRUint8 *d;
+
+#ifdef NSSDEBUG
+  if( ((const NSSUTF8 *)NULL == a) ||
+      ((const NSSUTF8 *)NULL == b) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  c = (PRUint8 *)a;
+  d = (PRUint8 *)b;
+
+  while( ' ' == *c ) {
+    c++;
+  }
+
+  while( ' ' == *d ) {
+    d++;
+  }
+
+  while( ('\0' != *c) && ('\0' != *d) ) {
+    PRUint8 e, f;
+
+    e = *c;
+    f = *d;
+    
+    if( ('a' <= e) && (e <= 'z') ) {
+      e -= ('a' - 'A');
+    }
+
+    if( ('a' <= f) && (f <= 'z') ) {
+      f -= ('a' - 'A');
+    }
+
+    if( e != f ) {
+      return PR_FALSE;
+    }
+
+    c++;
+    d++;
+
+    if( ' ' == *c ) {
+      while( ' ' == *c ) {
+        c++;
+      }
+      c--;
+    }
+
+    if( ' ' == *d ) {
+      while( ' ' == *d ) {
+        d++;
+      }
+      d--;
+    }
+  }
+
+  while( ' ' == *c ) {
+    c++;
+  }
+
+  while( ' ' == *d ) {
+    d++;
+  }
+
+  if( *c == *d ) {
+    /* And both '\0', btw */
+    return PR_TRUE;
+  } else {
+    return PR_FALSE;
+  }
+}
+
+/*
+ * nssUTF8_Duplicate
+ *
+ * This routine duplicates the UTF8-encoded string pointed to by the
+ * specified NSSUTF8 pointer.  If the optional arenaOpt argument is
+ * not null, the memory required will be obtained from that arena;
+ * otherwise, the memory required will be obtained from the heap.
+ * A pointer to the new string will be returned.  In case of error,
+ * an error will be placed on the error stack and NULL will be 
+ * returned.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+nssUTF8_Duplicate
+(
+  const NSSUTF8 *s,
+  NSSArena *arenaOpt
+)
+{
+  NSSUTF8 *rv;
+  PRUint32 len;
+
+#ifdef NSSDEBUG
+  if( (const NSSUTF8 *)NULL == s ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  len = PL_strlen((const char *)s);
+#ifdef PEDANTIC
+  if( '\0' != ((const char *)s)[ len ] ) {
+    /* must have wrapped, e.g., too big for PRUint32 */
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* PEDANTIC */
+  len++; /* zero termination */
+
+  rv = nss_ZAlloc(arenaOpt, len);
+  if( (void *)NULL == rv ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  (void)nsslibc_memcpy(rv, s, len);
+  return rv;
+}
+
+/*
+ * nssUTF8_Size
+ *
+ * This routine returns the length in bytes (including the terminating
+ * null) of the UTF8-encoded string pointed to by the specified
+ * NSSUTF8 pointer.  Zero is returned on error.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_VALUE_TOO_LARGE
+ *
+ * Return value:
+ *  0 on error
+ *  nonzero length of the string.
+ */
+
+NSS_IMPLEMENT PRUint32
+nssUTF8_Size
+(
+  const NSSUTF8 *s,
+  PRStatus *statusOpt
+)
+{
+  PRUint32 sv;
+
+#ifdef NSSDEBUG
+  if( (const NSSUTF8 *)NULL == s ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return 0;
+  }
+#endif /* NSSDEBUG */
+
+  sv = PL_strlen((const char *)s) + 1;
+#ifdef PEDANTIC
+  if( '\0' != ((const char *)s)[ sv-1 ] ) {
+    /* wrapped */
+    nss_SetError(NSS_ERROR_VALUE_TOO_LARGE);
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return 0;
+  }
+#endif /* PEDANTIC */
+
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  return sv;
+}
+
+/*
+ * nssUTF8_Length
+ *
+ * This routine returns the length in characters (not including the
+ * terminating null) of the UTF8-encoded string pointed to by the
+ * specified NSSUTF8 pointer.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_VALUE_TOO_LARGE
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  length of the string (which may be zero)
+ *  0 on error
+ */
+
+NSS_IMPLEMENT PRUint32
+nssUTF8_Length
+(
+  const NSSUTF8 *s,
+  PRStatus *statusOpt
+)
+{
+  PRUint32 l = 0;
+  const PRUint8 *c = (const PRUint8 *)s;
+
+#ifdef NSSDEBUG
+  if( (const NSSUTF8 *)NULL == s ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    goto loser;
+  }
+#endif /* NSSDEBUG */
+
+  /*
+   * From RFC 2044:
+   *
+   * UCS-4 range (hex.)           UTF-8 octet sequence (binary)
+   * 0000 0000-0000 007F   0xxxxxxx
+   * 0000 0080-0000 07FF   110xxxxx 10xxxxxx
+   * 0000 0800-0000 FFFF   1110xxxx 10xxxxxx 10xxxxxx
+   * 0001 0000-001F FFFF   11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
+   * 0020 0000-03FF FFFF   111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
+   * 0400 0000-7FFF FFFF   1111110x 10xxxxxx ... 10xxxxxx
+   */  
+
+  while( 0 != *c ) {
+    PRUint32 incr;
+    if( (*c & 0x80) == 0 ) {
+      incr = 1;
+    } else if( (*c & 0xE0) == 0xC0 ) {
+      incr = 2;
+    } else if( (*c & 0xF0) == 0xE0 ) {
+      incr = 3;
+    } else if( (*c & 0xF8) == 0xF0 ) {
+      incr = 4;
+    } else if( (*c & 0xFC) == 0xF8 ) {
+      incr = 5;
+    } else if( (*c & 0xFE) == 0xFC ) {
+      incr = 6;
+    } else {
+      nss_SetError(NSS_ERROR_INVALID_STRING);
+      goto loser;
+    }
+
+    l += incr;
+
+#ifdef PEDANTIC
+    if( l < incr ) {
+      /* Wrapped-- too big */
+      nss_SetError(NSS_ERROR_VALUE_TOO_LARGE);
+      goto loser;
+    }
+
+    {
+      PRUint8 *d;
+      for( d = &c[1]; d < &c[incr]; d++ ) {
+        if( (*d & 0xC0) != 0xF0 ) {
+          nss_SetError(NSS_ERROR_INVALID_STRING);
+          goto loser;
+        }
+      }
+    }
+#endif /* PEDANTIC */
+
+    c += incr;
+  }
+
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  return l;
+
+ loser:
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_FAILURE;
+  }
+
+  return 0;
+}
+
+
+/*
+ * nssUTF8_Create
+ *
+ * This routine creates a UTF8 string from a string in some other
+ * format.  Some types of string may include embedded null characters,
+ * so for them the length parameter must be used.  For string types
+ * that are null-terminated, the length parameter is optional; if it
+ * is zero, it will be ignored.  If the optional arena argument is
+ * non-null, the memory used for the new string will be obtained from
+ * that arena, otherwise it will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have
+ * placed an error on the error stack.
+ *
+ * The error may be one of the following:
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_UNSUPPORTED_TYPE
+ *
+ * Return value:
+ *  NULL upon error
+ *  A non-null pointer to a new UTF8 string otherwise
+ */
+
+extern const NSSError NSS_ERROR_INTERNAL_ERROR; /* XXX fgmr */
+
+NSS_IMPLEMENT NSSUTF8 *
+nssUTF8_Create
+(
+  NSSArena *arenaOpt,
+  nssStringType type,
+  const void *inputString,
+  PRUint32 size /* in bytes, not characters */
+)
+{
+  NSSUTF8 *rv = NULL;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+
+  if( (const void *)NULL == inputString ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  switch( type ) {
+  case nssStringType_DirectoryString:
+    /* This is a composite type requiring BER */
+    nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
+    break;
+  case nssStringType_TeletexString:
+    /*
+     * draft-ietf-pkix-ipki-part1-11 says in part:
+     *
+     * In addition, many legacy implementations support names encoded 
+     * in the ISO 8859-1 character set (Latin1String) but tag them as 
+     * TeletexString.  The Latin1String includes characters used in 
+     * Western European countries which are not part of the 
+     * TeletexString charcter set.  Implementations that process 
+     * TeletexString SHOULD be prepared to handle the entire ISO 
+     * 8859-1 character set.[ISO 8859-1].
+     */
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_PrintableString:
+    /*
+     * PrintableString consists of A-Za-z0-9 ,()+,-./:=?
+     * This is a subset of ASCII, which is a subset of UTF8.
+     * So we can just duplicate the string over.
+     */
+
+    if( 0 == size ) {
+      rv = nssUTF8_Duplicate((const NSSUTF8 *)inputString, arenaOpt);
+    } else {
+      rv = nss_ZAlloc(arenaOpt, size+1);
+      if( (NSSUTF8 *)NULL == rv ) {
+        return (NSSUTF8 *)NULL;
+      }
+
+      (void)nsslibc_memcpy(rv, inputString, size);
+    }
+
+    break;
+  case nssStringType_UniversalString:
+    /* 4-byte unicode */
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_BMPString:
+    /* Base Multilingual Plane of Unicode */
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_UTF8String:
+    if( 0 == size ) {
+      rv = nssUTF8_Duplicate((const NSSUTF8 *)inputString, arenaOpt);
+    } else {
+      rv = nss_ZAlloc(arenaOpt, size+1);
+      if( (NSSUTF8 *)NULL == rv ) {
+        return (NSSUTF8 *)NULL;
+      }
+
+      (void)nsslibc_memcpy(rv, inputString, size);
+    }
+
+    break;
+  case nssStringType_PHGString:
+    /* 
+     * PHGString is an IA5String (with case-insensitive comparisons).
+     * IA5 is ~almost~ ascii; ascii has dollar-sign where IA5 has
+     * currency symbol.
+     */
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_GeneralString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  default:
+    nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
+    break;
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT NSSItem *
+nssUTF8_GetEncoding
+(
+  NSSArena *arenaOpt,
+  NSSItem *rvOpt,
+  nssStringType type,
+  NSSUTF8 *string
+)
+{
+  NSSItem *rv = (NSSItem *)NULL;
+  PRStatus status = PR_SUCCESS;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSItem *)NULL;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL == string ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (NSSItem *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  switch( type ) {
+  case nssStringType_DirectoryString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_TeletexString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_PrintableString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_UniversalString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_BMPString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  case nssStringType_UTF8String:
+    {
+      NSSUTF8 *dup = nssUTF8_Duplicate(string, arenaOpt);
+      if( (NSSUTF8 *)NULL == dup ) {
+        return (NSSItem *)NULL;
+      }
+
+      if( (NSSItem *)NULL == rvOpt ) {
+        rv = nss_ZNEW(arenaOpt, NSSItem);
+        if( (NSSItem *)NULL == rv ) {
+          (void)nss_ZFreeIf(dup);
+          return (NSSItem *)NULL;
+        }
+      } else {
+        rv = rvOpt;
+      }
+
+      rv->data = dup;
+      dup = (NSSUTF8 *)NULL;
+      rv->size = nssUTF8_Size(rv->data, &status);
+      if( (0 == rv->size) && (PR_SUCCESS != status) ) {
+        if( (NSSItem *)NULL == rvOpt ) {
+          (void)nss_ZFreeIf(rv);
+        }
+        return (NSSItem *)NULL;
+      }
+    }
+    break;
+  case nssStringType_PHGString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+    break;
+  default:
+    nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
+    break;
+  }
+
+  return rv;
+}
+
+/*
+ * nssUTF8_CopyIntoFixedBuffer
+ *
+ * This will copy a UTF8 string into a fixed-length buffer, making 
+ * sure that the all characters are valid.  Any remaining space will
+ * be padded with the specified ASCII character, typically either 
+ * null or space.
+ *
+ * Blah, blah, blah.
+ */
+
+NSS_IMPLEMENT PRStatus
+nssUTF8_CopyIntoFixedBuffer
+(
+  NSSUTF8 *string,
+  char *buffer,
+  PRUint32 bufferSize,
+  char pad
+)
+{
+  PRUint32 stringSize = 0;
+
+#ifdef NSSDEBUG
+  if( (char *)NULL == buffer ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return PR_FALSE;
+  }
+
+  if( 0 == bufferSize ) {
+    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+    return PR_FALSE;
+  }
+
+  if( (pad & 0x80) != 0x00 ) {
+    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+    return PR_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSUTF8 *)NULL == string ) {
+    string = (NSSUTF8 *) "";
+  }
+
+  stringSize = nssUTF8_Size(string, (PRStatus *)NULL);
+  stringSize--; /* don't count the trailing null */
+  if( stringSize > bufferSize ) {
+    PRUint32 bs = bufferSize;
+    (void)nsslibc_memcpy(buffer, string, bufferSize);
+    
+    if( (            ((buffer[ bs-1 ] & 0x80) == 0x00)) ||
+        ((bs > 1) && ((buffer[ bs-2 ] & 0xE0) == 0xC0)) ||
+        ((bs > 2) && ((buffer[ bs-3 ] & 0xF0) == 0xE0)) ||
+        ((bs > 3) && ((buffer[ bs-4 ] & 0xF8) == 0xF0)) ||
+        ((bs > 4) && ((buffer[ bs-5 ] & 0xFC) == 0xF8)) ||
+        ((bs > 5) && ((buffer[ bs-6 ] & 0xFE) == 0xFC)) ) {
+      /* It fit exactly */
+      return PR_SUCCESS;
+    }
+
+    /* Too long.  We have to trim the last character */
+    for( /*bs*/; bs != 0; bs-- ) {
+      if( (buffer[bs-1] & 0xC0) != 0x80 ) {
+        buffer[bs-1] = pad;
+        break;
+      } else {
+        buffer[bs-1] = pad;
+      }
+    }      
+  } else {
+    (void)nsslibc_memset(buffer, pad, bufferSize);
+    (void)nsslibc_memcpy(buffer, string, stringSize);
+  }
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nssUTF8_Equal
+ *
+ */
+
+NSS_IMPLEMENT PRBool
+nssUTF8_Equal
+(
+  const NSSUTF8 *a,
+  const NSSUTF8 *b,
+  PRStatus *statusOpt
+)
+{
+  PRUint32 la, lb;
+
+#ifdef NSSDEBUG
+  if( ((const NSSUTF8 *)NULL == a) ||
+      ((const NSSUTF8 *)NULL == b) ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  la = nssUTF8_Size(a, statusOpt);
+  if( 0 == la ) {
+    return PR_FALSE;
+  }
+
+  lb = nssUTF8_Size(b, statusOpt);
+  if( 0 == lb ) {
+    return PR_FALSE;
+  }
+
+  if( la != lb ) {
+    return PR_FALSE;
+  }
+
+  return nsslibc_memequal(a, b, la, statusOpt);
+}
diff --git a/security/nss/lib/base/whatnspr.c b/security/nss/lib/base/whatnspr.c
new file mode 100644
index 000000000..5303ec256
--- /dev/null
+++ b/security/nss/lib/base/whatnspr.c
@@ -0,0 +1,171 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+/*
+ * This file isolates us from differences in NSPR versions.
+ * We have to detect the library with which we're running at
+ * runtime, and switch behaviours there.  This lets us do
+ * stuff like load cryptoki modules in Communicator.
+ *
+ * Hey, it's the PORT layer all over again!
+ */
+
+static int whatnspr = 0;
+
+static int
+set_whatnspr
+(
+  void
+)
+{
+  /*
+   * The only runtime difference I could find was the
+   * return value of PR_dtoa.  We can't just look for
+   * a symbol in NSPR >=2, because it'll always be
+   * found (because we compile against NSPR >=2).
+   * Maybe we could look for a symbol merely in NSPR 1?
+   *
+   */
+
+  char buffer[64];
+  int decpt = 0, sign = 0;
+  char *rve = (char *)0;
+  /* extern int PR_dtoa(double, int, int, int *, int *, char **, char *, int); */
+  int r = (int)PR_dtoa((double)1.0, 0, 5, &decpt, &sign, &rve, 
+                       buffer, sizeof(buffer));
+
+  switch( r ) {
+  case 0:
+  case -1:
+    whatnspr = 2;
+    /*
+     * If we needed to, *now* we could look up "libVersionPoint"
+     * and get more data there.. except all current NSPR's (up
+     * to NSPR 4.x at time of writing) still say 2 in their
+     * version structure.
+     */
+    break;
+  default:
+    whatnspr = 1;
+    break;
+  }
+
+  return whatnspr;
+}
+
+#define WHATNSPR (whatnspr ? whatnspr : set_whatnspr())
+
+NSS_IMPLEMENT PRStatus
+nss_NewThreadPrivateIndex
+(
+  PRUintn *ip,
+  PRThreadPrivateDTOR dtor
+)
+{
+  switch( WHATNSPR ) {
+  case 1:
+    {
+      PRLibrary *l = (PRLibrary *)0;
+      void *f = PR_FindSymbolAndLibrary("PR_NewThreadPrivateID", &l);
+      typedef PRInt32 (*ntpt)(void);
+      ntpt ntp = (ntpt) f;
+
+      PR_ASSERT((void *)0 != f);
+
+      *ip = ntp();
+      return PR_SUCCESS;
+    }
+  case 2:
+  default:
+    return PR_NewThreadPrivateIndex(ip, dtor);
+  }
+}
+
+NSS_IMPLEMENT void *
+nss_GetThreadPrivate
+(
+  PRUintn i
+)
+{
+  switch( WHATNSPR ) {
+  case 1:
+    {
+      PRLibrary *l = (PRLibrary *)0;
+      void *f = PR_FindSymbolAndLibrary("PR_GetThreadPrivate", &l);
+      typedef void *(*gtpt)(PRThread *, PRInt32);
+      gtpt gtp = (gtpt) f;
+
+      PR_ASSERT((void *)0 != f);
+
+      return gtp(PR_CurrentThread(), i);
+    }
+  case 2:
+  default:
+    return PR_GetThreadPrivate(i);
+  }
+}
+
+NSS_IMPLEMENT void
+nss_SetThreadPrivate
+(
+  PRUintn i,
+  void *v
+)
+{
+  switch( WHATNSPR ) {
+  case 1:
+    {
+      PRLibrary *l = (PRLibrary *)0;
+      void *f = PR_FindSymbolAndLibrary("PR_SetThreadPrivate", &l);
+      typedef PRStatus (*stpt)(PRThread *, PRInt32, void *);
+      stpt stp = (stpt) f;
+
+      PR_ASSERT((void *)0 != f);
+
+      (void)stp(PR_CurrentThread(), i, v);
+      return;
+    }
+  case 2:
+  default:
+    (void)PR_SetThreadPrivate(i, v);
+    return;
+  }
+}
diff --git a/security/nss/lib/certdb/.cvsignore b/security/nss/lib/certdb/.cvsignore
new file mode 100644
index 000000000..ec60123e5
--- /dev/null
+++ b/security/nss/lib/certdb/.cvsignore
@@ -0,0 +1 @@
+nscertinit.c
diff --git a/security/nss/lib/certdb/Makefile b/security/nss/lib/certdb/Makefile
new file mode 100644
index 000000000..12eff17ab
--- /dev/null
+++ b/security/nss/lib/certdb/Makefile
@@ -0,0 +1,76 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
diff --git a/security/nss/lib/certdb/alg1485.c b/security/nss/lib/certdb/alg1485.c
new file mode 100644
index 000000000..aa3ea1b3b
--- /dev/null
+++ b/security/nss/lib/certdb/alg1485.c
@@ -0,0 +1,969 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "cert.h"
+#include "xconst.h"
+#include "genname.h"
+#include "secitem.h"
+#include "secerr.h"
+
+struct NameToKind {
+    char *name;
+    SECOidTag kind;
+};
+
+static struct NameToKind name2kinds[] = {
+    { "CN",   		SEC_OID_AVA_COMMON_NAME, 		},
+    { "ST",   		SEC_OID_AVA_STATE_OR_PROVINCE, 		},
+    { "OU",   		SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME,	},
+    { "DC",   		SEC_OID_AVA_DC,	},
+    { "C",    		SEC_OID_AVA_COUNTRY_NAME, 		},
+    { "O",    		SEC_OID_AVA_ORGANIZATION_NAME, 		},
+    { "L",    		SEC_OID_AVA_LOCALITY, 			},
+    { "dnQualifier",	SEC_OID_AVA_DN_QUALIFIER, 		},
+    { "E",    		SEC_OID_PKCS9_EMAIL_ADDRESS, 		},
+    { "UID",  		SEC_OID_RFC1274_UID, 			},
+    { "MAIL", 		SEC_OID_RFC1274_MAIL, 			},
+    { 0,      		SEC_OID_UNKNOWN 			},
+};
+
+#define C_DOUBLE_QUOTE '\042'
+
+#define C_BACKSLASH '\134'
+
+#define C_EQUAL '='
+
+#define OPTIONAL_SPACE(c) \
+    (((c) == ' ') || ((c) == '\r') || ((c) == '\n'))
+
+#define SPECIAL_CHAR(c)						\
+    (((c) == ',') || ((c) == '=') || ((c) == C_DOUBLE_QUOTE) ||	\
+     ((c) == '\r') || ((c) == '\n') || ((c) == '+') ||		\
+     ((c) == '<') || ((c) == '>') || ((c) == '#') ||		\
+     ((c) == ';') || ((c) == C_BACKSLASH))
+
+
+
+
+
+
+
+#if 0
+/*
+** Find the start and end of a <string>. Strings can be wrapped in double
+** quotes to protect special characters.
+*/
+static int BracketThing(char **startp, char *end, char *result)
+{
+    char *start = *startp;
+    char c;
+
+    /* Skip leading white space */
+    while (start < end) {
+	c = *start++;
+	if (!OPTIONAL_SPACE(c)) {
+	    start--;
+	    break;
+	}
+    }
+    if (start == end) return 0;
+
+    switch (*start) {
+      case '#':
+	/* Process hex thing */
+	start++;
+	*startp = start;
+	while (start < end) {
+	    c = *start++;
+	    if (((c >= '0') && (c <= '9')) ||
+		((c >= 'a') && (c <= 'f')) ||
+		((c >= 'A') && (c <= 'F'))) {
+		continue;
+	    }
+	    break;
+	}
+	rv = IS_HEX;
+	break;
+
+      case C_DOUBLE_QUOTE:
+	start++;
+	*startp = start;
+	while (start < end) {
+	    c = *start++;
+	    if (c == C_DOUBLE_QUOTE) {
+		break;
+	    }
+	    *result++ = c;
+	}
+	rv = IS_STRING;
+	break;
+
+      default:
+	while (start < end) {
+	    c = *start++;
+	    if (SPECIAL_CHAR(c)) {
+		start--;
+		break;
+	    }
+	    *result++ = c;
+	}
+	rv = IS_STRING;
+	break;
+    }
+
+    /* Terminate result string */
+    *result = 0;
+    return start;
+}
+
+static char *BracketSomething(char **startp, char* end, int spacesOK)
+{
+    char *start = *startp;
+    char c;
+    int stopAtDQ;
+
+    /* Skip leading white space */
+    while (start < end) {
+	c = *start;
+	if (!OPTIONAL_SPACE(c)) {
+	    break;
+	}
+	start++;
+    }
+    if (start == end) return 0;
+    stopAtDQ = 0;
+    if (*start == C_DOUBLE_QUOTE) {
+	stopAtDQ = 1;
+    }
+
+    /*
+    ** Find the end of the something. The something is terminated most of
+    ** the time by a space. However, if spacesOK is true then it is
+    ** terminated by a special character only.
+    */
+    *startp = start;
+    while (start < end) {
+	c = *start;
+	if (stopAtDQ) {
+	    if (c == C_DOUBLE_QUOTE) {
+		*start = ' ';
+		break;
+	    }
+	} else {
+	if (SPECIAL_CHAR(c)) {
+	    break;
+	}
+	if (!spacesOK && OPTIONAL_SPACE(c)) {
+	    break;
+	}
+	}
+	start++;
+    }
+    return start;
+}
+#endif
+
+#define IS_PRINTABLE(c)						\
+    ((((c) >= 'a') && ((c) <= 'z')) ||				\
+     (((c) >= 'A') && ((c) <= 'Z')) ||				\
+     (((c) >= '0') && ((c) <= '9')) ||				\
+     ((c) == ' ') ||						\
+     ((c) == '\'') ||						\
+     ((c) == '\050') ||				/* ( */		\
+     ((c) == '\051') ||				/* ) */		\
+     (((c) >= '+') && ((c) <= '/')) ||		/* + , - . / */	\
+     ((c) == ':') ||						\
+     ((c) == '=') ||						\
+     ((c) == '?'))
+
+static PRBool
+IsPrintable(unsigned char *data, unsigned len)
+{
+    unsigned char ch, *end;
+
+    end = data + len;
+    while (data < end) {
+	ch = *data++;
+	if (!IS_PRINTABLE(ch)) {
+	    return PR_FALSE;
+	}
+    }
+    return PR_TRUE;
+}
+
+static PRBool
+Is7Bit(unsigned char *data, unsigned len)
+{
+    unsigned char ch, *end;
+
+    end = data + len;
+    while (data < end) {
+        ch = *data++;
+        if ((ch & 0x80)) {
+            return PR_FALSE;
+        }
+    }
+    return PR_TRUE;
+}
+
+static void
+skipSpace(char **pbp, char *endptr)
+{
+    char *bp = *pbp;
+    while (bp < endptr && OPTIONAL_SPACE(*bp)) {
+	bp++;
+    }
+    *pbp = bp;
+}
+
+static SECStatus
+scanTag(char **pbp, char *endptr, char *tagBuf, int tagBufSize)
+{
+    char *bp, *tagBufp;
+    int taglen;
+
+    PORT_Assert(tagBufSize > 0);
+    
+    /* skip optional leading space */
+    skipSpace(pbp, endptr);
+    if (*pbp == endptr) {
+	/* nothing left */
+	return SECFailure;
+    }
+    
+    /* fill tagBuf */
+    taglen = 0;
+    bp = *pbp;
+    tagBufp = tagBuf;
+    while (bp < endptr && !OPTIONAL_SPACE(*bp) && (*bp != C_EQUAL)) {
+	if (++taglen >= tagBufSize) {
+	    *pbp = bp;
+	    return SECFailure;
+	}
+	*tagBufp++ = *bp++;
+    }
+    /* null-terminate tagBuf -- guaranteed at least one space left */
+    *tagBufp++ = 0;
+    *pbp = bp;
+    
+    /* skip trailing spaces till we hit something - should be an equal sign */
+    skipSpace(pbp, endptr);
+    if (*pbp == endptr) {
+	/* nothing left */
+	return SECFailure;
+    }
+    if (**pbp != C_EQUAL) {
+	/* should be an equal sign */
+	return SECFailure;
+    }
+    /* skip over the equal sign */
+    (*pbp)++;
+    
+    return SECSuccess;
+}
+
+static SECStatus
+scanVal(char **pbp, char *endptr, char *valBuf, int valBufSize)  
+{
+    char *bp, *valBufp;
+    int vallen;
+    PRBool isQuoted;
+    
+    PORT_Assert(valBufSize > 0);
+    
+    /* skip optional leading space */
+    skipSpace(pbp, endptr);
+    if(*pbp == endptr) {
+	/* nothing left */
+	return SECFailure;
+    }
+    
+    bp = *pbp;
+    
+    /* quoted? */
+    if (*bp == C_DOUBLE_QUOTE) {
+	isQuoted = PR_TRUE;
+	/* skip over it */
+	bp++;
+    } else {
+	isQuoted = PR_FALSE;
+    }
+    
+    valBufp = valBuf;
+    vallen = 0;
+    while (bp < endptr) {
+	char c = *bp;
+	if (c == C_BACKSLASH) {
+	    /* escape character */
+	    bp++;
+	    if (bp >= endptr) {
+		/* escape charater must appear with paired char */
+		*pbp = bp;
+		return SECFailure;
+	    }
+	} else if (!isQuoted && SPECIAL_CHAR(c)) {
+	    /* unescaped special and not within quoted value */
+	    break;
+	} else if (c == C_DOUBLE_QUOTE) {
+	    /* reached unescaped double quote */
+	    break;
+	}
+	/* append character */
+        vallen++;
+	if (vallen >= valBufSize) {
+	    *pbp = bp;
+	    return SECFailure;
+	}
+	*valBufp++ = *bp++;
+    }
+    
+    /* stip trailing spaces from unquoted values */
+    if (!isQuoted) {
+	if (valBufp > valBuf) {
+	    valBufp--;
+	    while ((valBufp > valBuf) && OPTIONAL_SPACE(*valBufp)) {
+		valBufp--;
+	    }
+	    valBufp++;
+	}
+    }
+    
+    if (isQuoted) {
+	/* insist that we stopped on a double quote */
+	if (*bp != C_DOUBLE_QUOTE) {
+	    *pbp = bp;
+	    return SECFailure;
+	}
+	/* skip over the quote and skip optional space */
+	bp++;
+	skipSpace(&bp, endptr);
+    }
+    
+    *pbp = bp;
+    
+    if (valBufp == valBuf) {
+	/* empty value -- not allowed */
+	return SECFailure;
+    }
+    
+    /* null-terminate valBuf -- guaranteed at least one space left */
+    *valBufp++ = 0;
+    
+    return SECSuccess;
+}
+
+CERTAVA *
+CERT_ParseRFC1485AVA(PRArenaPool *arena, char **pbp, char *endptr,
+		    PRBool singleAVA) 
+{
+    CERTAVA *a;
+    struct NameToKind *n2k;
+    int vt;
+    int valLen;
+    char *bp;
+
+    char tagBuf[32];
+    char valBuf[384];
+
+    if (scanTag(pbp, endptr, tagBuf, sizeof(tagBuf)) == SECFailure ||
+	scanVal(pbp, endptr, valBuf, sizeof(valBuf)) == SECFailure) {
+	PORT_SetError(SEC_ERROR_INVALID_AVA);
+	return 0;
+    }
+
+    /* insist that if we haven't finished we've stopped on a separator */
+    bp = *pbp;
+    if (bp < endptr) {
+	if (singleAVA || (*bp != ',' && *bp != ';')) {
+	    PORT_SetError(SEC_ERROR_INVALID_AVA);
+	    *pbp = bp;
+	    return 0;
+	}
+	/* ok, skip over separator */
+	bp++;
+    }
+    *pbp = bp;
+
+    for (n2k = name2kinds; n2k->name; n2k++) {
+	if (PORT_Strcasecmp(n2k->name, tagBuf) == 0) {
+	    valLen = PORT_Strlen(valBuf);
+	    if (n2k->kind == SEC_OID_AVA_COUNTRY_NAME) {
+		vt = SEC_ASN1_PRINTABLE_STRING;
+		if (valLen != 2) {
+		    PORT_SetError(SEC_ERROR_INVALID_AVA);
+		    return 0;
+		}
+		if (!IsPrintable((unsigned char*) valBuf, 2)) {
+		    PORT_SetError(SEC_ERROR_INVALID_AVA);
+		    return 0;
+		}
+	    } else if ((n2k->kind == SEC_OID_PKCS9_EMAIL_ADDRESS) ||
+		       (n2k->kind == SEC_OID_RFC1274_MAIL)) {
+		vt = SEC_ASN1_IA5_STRING;
+	    } else {
+		/* Hack -- for rationale see X.520 DirectoryString defn */
+		if (IsPrintable((unsigned char*)valBuf, valLen)) {
+		    vt = SEC_ASN1_PRINTABLE_STRING;
+                } else if (Is7Bit((unsigned char *)valBuf, valLen)) {
+                    vt = SEC_ASN1_T61_STRING;
+		} else {
+		    vt = SEC_ASN1_UNIVERSAL_STRING;
+		}
+	    }
+	    a = CERT_CreateAVA(arena, n2k->kind, vt, (char *) valBuf);
+	    return a;
+	}
+    }
+    /* matched no kind -- invalid tag */
+    PORT_SetError(SEC_ERROR_INVALID_AVA);
+    return 0;
+}
+
+static CERTName *
+ParseRFC1485Name(char *buf, int len)
+{
+    SECStatus rv;
+    CERTName *name;
+    char *bp, *e;
+    CERTAVA *ava;
+    CERTRDN *rdn;
+
+    name = CERT_CreateName(NULL);
+    if (name == NULL) {
+	return NULL;
+    }
+    
+    e = buf + len;
+    bp = buf;
+    while (bp < e) {
+	ava = CERT_ParseRFC1485AVA(name->arena, &bp, e, PR_FALSE);
+	if (ava == 0) goto loser;
+	rdn = CERT_CreateRDN(name->arena, ava, 0);
+	if (rdn == 0) goto loser;
+	rv = CERT_AddRDN(name, rdn);
+	if (rv) goto loser;
+	skipSpace(&bp, e);
+    }
+
+    if (name->rdns[0] == 0) {
+	/* empty name -- illegal */
+	goto loser;
+    }
+
+    /* Reverse order of RDNS to comply with RFC */
+    {
+	CERTRDN **firstRdn;
+	CERTRDN **lastRdn;
+	CERTRDN *tmp;
+	
+	/* get first one */
+	firstRdn = name->rdns;
+	
+	/* find last one */
+	lastRdn = name->rdns;
+	while (*lastRdn) lastRdn++;
+	lastRdn--;
+	
+	/* reverse list */
+	for ( ; firstRdn < lastRdn; firstRdn++, lastRdn--) {
+	    tmp = *firstRdn;
+	    *firstRdn = *lastRdn;
+	    *lastRdn = tmp;
+	}
+    }
+    
+    /* return result */
+    return name;
+    
+  loser:
+    CERT_DestroyName(name);
+    return NULL;
+}
+
+CERTName *
+CERT_AsciiToName(char *string)
+{
+    CERTName *name;
+    name = ParseRFC1485Name(string, PORT_Strlen(string));
+    return name;
+}
+
+/************************************************************************/
+
+static SECStatus
+AppendStr(char **bufp, unsigned *buflenp, char *str)
+{
+    char *buf;
+    unsigned bufLen, bufSize, len;
+
+    /* Figure out how much to grow buf by (add in the '\0') */
+    buf = *bufp;
+    bufLen = *buflenp;
+    len = PORT_Strlen(str);
+    bufSize = bufLen + len;
+    if (buf) {
+	buf = (char*) PORT_Realloc(buf, bufSize);
+    } else {
+	bufSize++;
+	buf = (char*) PORT_Alloc(bufSize);
+    }
+    if (!buf) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    *bufp = buf;
+    *buflenp = bufSize;
+
+    /* Concatenate str onto buf */
+    buf = buf + bufLen;
+    if (bufLen) buf--;			/* stomp on old '\0' */
+    PORT_Memcpy(buf, str, len+1);		/* put in new null */
+    return SECSuccess;
+}
+
+SECStatus
+CERT_RFC1485_EscapeAndQuote(char *dst, int dstlen, char *src, int srclen)
+{
+    int i, reqLen=0;
+    char *d = dst;
+    PRBool needsQuoting = PR_FALSE;
+    
+    /* need to make an initial pass to determine if quoting is needed */
+    for (i = 0; i < srclen; i++) {
+	char c = src[i];
+	reqLen++;
+	if (SPECIAL_CHAR(c)) {
+	    /* entirety will need quoting */
+	    needsQuoting = PR_TRUE;
+	}
+	if (c == C_DOUBLE_QUOTE || c == C_BACKSLASH) {
+	    /* this char will need escaping */
+	    reqLen++;
+	}
+    }
+    /* if it begins or ends in optional space it needs quoting */
+    if (srclen > 0 &&
+	(OPTIONAL_SPACE(src[srclen-1]) || OPTIONAL_SPACE(src[0]))) {
+	needsQuoting = PR_TRUE;
+    }
+    
+    if (needsQuoting) reqLen += 2;
+
+    /* space for terminal null */
+    reqLen++;
+    
+    if (reqLen > dstlen) {
+	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+	return SECFailure;
+    }
+    
+    d = dst;
+    if (needsQuoting) *d++ = C_DOUBLE_QUOTE;
+    for (i = 0; i < srclen; i++) {
+	char c = src[i];
+	if (c == C_DOUBLE_QUOTE || c == C_BACKSLASH) {
+	    /* escape it */
+	    *d++ = C_BACKSLASH;
+	}
+	*d++ = c;
+    }
+    if (needsQuoting) *d++ = C_DOUBLE_QUOTE;
+    *d++ = 0;
+    return SECSuccess;
+}
+
+static SECStatus
+AppendAVA(char **bufp, unsigned *buflenp, CERTAVA *ava)
+{
+    char *tagName;
+    char tmpBuf[384];
+    unsigned len, maxLen;
+    int tag;
+    SECStatus rv;
+    SECItem *avaValue = NULL;
+
+    tag = CERT_GetAVATag(ava);
+    switch (tag) {
+      case SEC_OID_AVA_COUNTRY_NAME:
+	tagName = "C";
+	maxLen = 2;
+	break;
+      case SEC_OID_AVA_ORGANIZATION_NAME:
+	tagName = "O";
+	maxLen = 64;
+	break;
+      case SEC_OID_AVA_COMMON_NAME:
+	tagName = "CN";
+	maxLen = 64;
+	break;
+      case SEC_OID_AVA_LOCALITY:
+	tagName = "L";
+	maxLen = 128;
+	break;
+      case SEC_OID_AVA_STATE_OR_PROVINCE:
+	tagName = "ST";
+	maxLen = 128;
+	break;
+      case SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME:
+	tagName = "OU";
+	maxLen = 64;
+	break;
+      case SEC_OID_AVA_DC:
+	tagName = "DC";
+	maxLen = 128;
+	break;
+      case SEC_OID_AVA_DN_QUALIFIER:
+	tagName = "dnQualifier";
+	maxLen = 0x7fff;
+	break;
+      case SEC_OID_PKCS9_EMAIL_ADDRESS:
+	tagName = "E";
+	maxLen = 128;
+	break;
+      case SEC_OID_RFC1274_UID:
+	tagName = "UID";
+	maxLen = 256;
+	break;
+      case SEC_OID_RFC1274_MAIL:
+	tagName = "MAIL";
+	maxLen = 256;
+	break;
+      default:
+#if 0
+	PORT_SetError(SEC_ERROR_INVALID_AVA);
+	return SECFailure;
+#else
+	rv = AppendStr(bufp, buflenp, "ERR=Unknown AVA");
+	return rv;
+#endif
+    }
+
+    avaValue = CERT_DecodeAVAValue(&ava->value);
+    if(!avaValue) {
+	return SECFailure;
+    }
+
+    /* Check value length */
+    if (avaValue->len > maxLen) {
+	PORT_SetError(SEC_ERROR_INVALID_AVA);
+	return SECFailure;
+    }
+
+    len = PORT_Strlen(tagName);
+    PORT_Memcpy(tmpBuf, tagName, len);
+    tmpBuf[len++] = '=';
+    
+    /* escape and quote as necessary */
+    rv = CERT_RFC1485_EscapeAndQuote(tmpBuf+len, sizeof(tmpBuf)-len, 
+		    		     (char *)avaValue->data, avaValue->len);
+    SECITEM_FreeItem(avaValue, PR_TRUE);
+    if (rv) return SECFailure;
+    
+    rv = AppendStr(bufp, buflenp, tmpBuf);
+    return rv;
+}
+
+char *
+CERT_NameToAscii(CERTName *name)
+{
+    SECStatus rv;
+    CERTRDN** rdns;
+    CERTRDN** lastRdn;
+    CERTRDN** rdn;
+    CERTAVA** avas;
+    CERTAVA* ava;
+    PRBool first = PR_TRUE;
+    char *buf = NULL;
+    unsigned buflen = 0;
+    
+    rdns = name->rdns;
+    if (rdns == NULL) {
+	return NULL;
+    }
+    
+    /* find last RDN */
+    lastRdn = rdns;
+    while (*lastRdn) lastRdn++;
+    lastRdn--;
+    
+    /*
+     * Loop over name contents in _reverse_ RDN order appending to string
+     */
+    for (rdn = lastRdn; rdn >= rdns; rdn--) {
+	avas = (*rdn)->avas;
+	while ((ava = *avas++) != NULL) {
+	    /* Put in comma separator */
+	    if (!first) {
+		rv = AppendStr(&buf, &buflen, ", ");
+		if (rv) goto loser;
+	    } else {
+		first = PR_FALSE;
+	    }
+	    
+	    /* Add in tag type plus value into buf */
+	    rv = AppendAVA(&buf, &buflen, ava);
+	    if (rv) goto loser;
+	}
+    }
+    return buf;
+  loser:
+    PORT_Free(buf);
+    return NULL;
+}
+
+/*
+ * Return the string representation of a DER encoded distinguished name
+ * "dername" - The DER encoded name to convert
+ */
+char *
+CERT_DerNameToAscii(SECItem *dername)
+{
+    int rv;
+    PRArenaPool *arena = NULL;
+    CERTName name;
+    char *retstr = NULL;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( arena == NULL) {
+	goto loser;
+    }
+    
+    rv = SEC_ASN1DecodeItem(arena, &name, CERT_NameTemplate, dername);
+    
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    retstr = CERT_NameToAscii(&name);
+
+loser:
+    if ( arena != NULL ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(retstr);
+}
+
+static char *
+CERT_GetNameElement(CERTName *name, int wantedTag)
+{
+    CERTRDN** rdns;
+    CERTRDN *rdn;
+    CERTAVA** avas;
+    CERTAVA* ava;
+    char *buf = 0;
+    int tag;
+    SECItem *decodeItem = NULL;
+    
+    rdns = name->rdns;
+    while ((rdn = *rdns++) != 0) {
+	avas = rdn->avas;
+	while ((ava = *avas++) != 0) {
+	    tag = CERT_GetAVATag(ava);
+	    if ( tag == wantedTag ) {
+		decodeItem = CERT_DecodeAVAValue(&ava->value);
+		if(!decodeItem) {
+		    return NULL;
+		}
+		buf = (char *)PORT_ZAlloc(decodeItem->len + 1);
+		if ( buf ) {
+		    PORT_Memcpy(buf, decodeItem->data, decodeItem->len);
+		    buf[decodeItem->len] = 0;
+		}
+		SECITEM_FreeItem(decodeItem, PR_TRUE);
+		goto done;
+	    }
+	}
+    }
+    
+  done:
+    return buf;
+}
+
+char *
+CERT_GetCertificateEmailAddress(CERTCertificate *cert)
+{
+    char *rawEmailAddr = NULL;
+    char *emailAddr = NULL;
+    SECItem subAltName;
+    SECStatus rv;
+    CERTGeneralName *nameList = NULL;
+    CERTGeneralName *current;
+    PRArenaPool *arena = NULL;
+    int i;
+    
+    subAltName.data = NULL;
+
+    rawEmailAddr = CERT_GetNameElement(&(cert->subject), SEC_OID_PKCS9_EMAIL_ADDRESS);
+    if ( rawEmailAddr == NULL ) {
+	rawEmailAddr = CERT_GetNameElement(&(cert->subject), SEC_OID_RFC1274_MAIL);
+    }
+    if ( rawEmailAddr == NULL) {
+
+	rv = CERT_FindCertExtension(cert,  SEC_OID_X509_SUBJECT_ALT_NAME, &subAltName);
+	if (rv != SECSuccess) {
+	    goto finish;
+	}
+	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	if (!arena) {
+	    goto finish;
+	}
+	nameList = current = CERT_DecodeAltNameExtension(arena, &subAltName);
+	if (!nameList ) {
+	    goto finish;
+	}
+	if (nameList != NULL) {
+	    do {
+		if (current->type == certDirectoryName) {
+		    rawEmailAddr = CERT_GetNameElement(&(current->name.directoryName), 
+						       SEC_OID_PKCS9_EMAIL_ADDRESS);
+		    if ( rawEmailAddr == NULL ) {
+			rawEmailAddr = CERT_GetNameElement(&(current->name.directoryName), 
+							   SEC_OID_RFC1274_MAIL);
+		    }
+		} else if (current->type == certRFC822Name) {
+		    rawEmailAddr = (char*)PORT_ZAlloc(current->name.other.len + 1);
+		    if (!rawEmailAddr) {
+			goto finish;
+		    }
+		    PORT_Memcpy(rawEmailAddr, current->name.other.data, 
+				current->name.other.len);
+		    rawEmailAddr[current->name.other.len] = '\0';
+		}
+		if (rawEmailAddr) {
+		    break;
+		}
+		current = cert_get_next_general_name(current);
+	    } while (current != nameList);
+	}
+    }
+    if (rawEmailAddr) {
+	emailAddr = (char*)PORT_ArenaZAlloc(cert->arena, PORT_Strlen(rawEmailAddr) + 1);
+	for (i = 0; i <= PORT_Strlen(rawEmailAddr); i++) {
+	    emailAddr[i] = tolower(rawEmailAddr[i]);
+	}
+    } else {
+	emailAddr = NULL;
+    }
+
+finish:
+    if ( rawEmailAddr ) {
+	PORT_Free(rawEmailAddr);
+    }
+
+    /* Don't free nameList, it's part of the arena. */
+
+    if (arena) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+
+    if ( subAltName.data ) {
+	SECITEM_FreeItem(&subAltName, PR_FALSE);
+    }
+
+    return(emailAddr);
+}
+
+char *
+CERT_GetCertEmailAddress(CERTName *name)
+{
+    char *rawEmailAddr;
+    char *emailAddr;
+
+    
+    rawEmailAddr = CERT_GetNameElement(name, SEC_OID_PKCS9_EMAIL_ADDRESS);
+    if ( rawEmailAddr == NULL ) {
+	rawEmailAddr = CERT_GetNameElement(name, SEC_OID_RFC1274_MAIL);
+    }
+    emailAddr = CERT_FixupEmailAddr(rawEmailAddr);
+    if ( rawEmailAddr ) {
+	PORT_Free(rawEmailAddr);
+    }
+    return(emailAddr);
+}
+
+char *
+CERT_GetCommonName(CERTName *name)
+{
+    return(CERT_GetNameElement(name, SEC_OID_AVA_COMMON_NAME));
+}
+
+char *
+CERT_GetCountryName(CERTName *name)
+{
+    return(CERT_GetNameElement(name, SEC_OID_AVA_COUNTRY_NAME));
+}
+
+char *
+CERT_GetLocalityName(CERTName *name)
+{
+    return(CERT_GetNameElement(name, SEC_OID_AVA_LOCALITY));
+}
+
+char *
+CERT_GetStateName(CERTName *name)
+{
+    return(CERT_GetNameElement(name, SEC_OID_AVA_STATE_OR_PROVINCE));
+}
+
+char *
+CERT_GetOrgName(CERTName *name)
+{
+    return(CERT_GetNameElement(name, SEC_OID_AVA_ORGANIZATION_NAME));
+}
+
+char *
+CERT_GetDomainComponentName(CERTName *name)
+{
+    return(CERT_GetNameElement(name, SEC_OID_AVA_DC));
+}
+
+char *
+CERT_GetOrgUnitName(CERTName *name)
+{
+    return(CERT_GetNameElement(name, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME));
+}
+
+char *
+CERT_GetDnQualifier(CERTName *name)
+{
+    return(CERT_GetNameElement(name, SEC_OID_AVA_DN_QUALIFIER));
+}
+
+char *
+CERT_GetCertUid(CERTName *name)
+{
+    return(CERT_GetNameElement(name, SEC_OID_RFC1274_UID));
+}
+
diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h
new file mode 100644
index 000000000..ad0f6864e
--- /dev/null
+++ b/security/nss/lib/certdb/cert.h
@@ -0,0 +1,1371 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * cert.h - public data structures and prototypes for the certificate library
+ *
+ * $Id$
+ */
+
+#ifndef _CERT_H_
+#define _CERT_H_
+
+#include "plarena.h"
+#include "plhash.h"
+#include "prlong.h"
+#include "prlog.h"
+
+#include "seccomon.h"
+#include "secdert.h"
+#include "secoidt.h"
+#include "keyt.h"
+#include "certt.h"
+
+SEC_BEGIN_PROTOS
+   
+/****************************************************************************
+ *
+ * RFC1485 ascii to/from X.? RelativeDistinguishedName (aka CERTName)
+ *
+ ****************************************************************************/
+
+/*
+** Convert an ascii RFC1485 encoded name into its CERTName equivalent.
+*/
+extern CERTName *CERT_AsciiToName(char *string);
+
+/*
+** Convert an CERTName into its RFC1485 encoded equivalent.
+*/
+extern char *CERT_NameToAscii(CERTName *name);
+
+extern CERTAVA *CERT_CopyAVA(PRArenaPool *arena, CERTAVA *src);
+
+/*
+** Examine an AVA and return the tag that refers to it. The AVA tags are
+** defined as SEC_OID_AVA*.
+*/
+extern SECOidTag CERT_GetAVATag(CERTAVA *ava);
+
+/*
+** Compare two AVA's, returning the difference between them.
+*/
+extern SECComparison CERT_CompareAVA(CERTAVA *a, CERTAVA *b);
+
+/*
+** Create an RDN (relative-distinguished-name). The argument list is a
+** NULL terminated list of AVA's.
+*/
+extern CERTRDN *CERT_CreateRDN(PRArenaPool *arena, CERTAVA *avas, ...);
+
+/*
+** Make a copy of "src" storing it in "dest".
+*/
+extern SECStatus CERT_CopyRDN(PRArenaPool *arena, CERTRDN *dest, CERTRDN *src);
+
+/*
+** Destory an RDN object.
+**	"rdn" the RDN to destroy
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void CERT_DestroyRDN(CERTRDN *rdn, PRBool freeit);
+
+/*
+** Add an AVA to an RDN.
+**	"rdn" the RDN to add to
+**	"ava" the AVA to add
+*/
+extern SECStatus CERT_AddAVA(PRArenaPool *arena, CERTRDN *rdn, CERTAVA *ava);
+
+/*
+** Compare two RDN's, returning the difference between them.
+*/
+extern SECComparison CERT_CompareRDN(CERTRDN *a, CERTRDN *b);
+
+/*
+** Create an X.500 style name using a NULL terminated list of RDN's.
+*/
+extern CERTName *CERT_CreateName(CERTRDN *rdn, ...);
+
+/*
+** Make a copy of "src" storing it in "dest". Memory is allocated in
+** "dest" for each of the appropriate sub objects. Memory is not freed in
+** "dest" before allocation is done (use CERT_DestroyName(dest, PR_FALSE) to
+** do that).
+*/
+extern SECStatus CERT_CopyName(PRArenaPool *arena, CERTName *dest, CERTName *src);
+
+/*
+** Destroy a Name object.
+**	"name" the CERTName to destroy
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void CERT_DestroyName(CERTName *name);
+
+/*
+** Add an RDN to a name.
+**	"name" the name to add the RDN to
+**	"rdn" the RDN to add to name
+*/
+extern SECStatus CERT_AddRDN(CERTName *name, CERTRDN *rdn);
+
+/*
+** Compare two names, returning the difference between them.
+*/
+extern SECComparison CERT_CompareName(CERTName *a, CERTName *b);
+
+/*
+** Convert a CERTName into something readable
+*/
+extern char *CERT_FormatName (CERTName *name);
+
+/*
+** Convert a der-encoded integer to a hex printable string form.
+** Perhaps this should be a SEC function but it's only used for certs.
+*/
+extern char *CERT_Hexify (SECItem *i, int do_colon);
+
+/******************************************************************************
+ *
+ * Certificate handling operations
+ *
+ *****************************************************************************/
+
+/*
+** Create a new validity object given two unix time values.
+**	"notBefore" the time before which the validity is not valid
+**	"notAfter" the time after which the validity is not valid
+*/
+extern CERTValidity *CERT_CreateValidity(int64 notBefore, int64 notAfter);
+
+/*
+** Destroy a validity object.
+**	"v" the validity to destroy
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void CERT_DestroyValidity(CERTValidity *v);
+
+/*
+** Copy the "src" object to "dest". Memory is allocated in "dest" for
+** each of the appropriate sub-objects. Memory in "dest" is not freed
+** before memory is allocated (use CERT_DestroyValidity(v, PR_FALSE) to do
+** that).
+*/
+extern SECStatus CERT_CopyValidity
+   (PRArenaPool *arena, CERTValidity *dest, CERTValidity *src);
+
+/*
+** The cert lib considers a cert or CRL valid if the "notBefore" time is
+** in the not-too-distant future, e.g. within the next 24 hours. This 
+** prevents freshly issued certificates from being considered invalid
+** because the local system's time zone is incorrectly set.  
+** The amount of "pending slop time" is adjustable by the application.
+** Units of SlopTime are seconds.  Default is 86400  (24 hours).
+** Negative SlopTime values are not allowed.
+*/
+PRInt32 CERT_GetSlopTime(void);
+
+SECStatus CERT_SetSlopTime(PRInt32 slop);
+
+/*
+** Create a new certificate object. The result must be wrapped with an
+** CERTSignedData to create a signed certificate.
+**	"serialNumber" the serial number
+**	"issuer" the name of the certificate issuer
+**	"validity" the validity period of the certificate
+**	"req" the certificate request that prompted the certificate issuance
+*/
+extern CERTCertificate *
+CERT_CreateCertificate (unsigned long serialNumber, CERTName *issuer,
+			CERTValidity *validity, CERTCertificateRequest *req);
+
+/*
+** Destroy a certificate object
+**	"cert" the certificate to destroy
+** NOTE: certificate's are reference counted. This call decrements the
+** reference count, and if the result is zero, then the object is destroyed
+** and optionally freed.
+*/
+extern void CERT_DestroyCertificate(CERTCertificate *cert);
+
+/*
+** Make a shallow copy of a certificate "c". Just increments the
+** reference count on "c".
+*/
+extern CERTCertificate *CERT_DupCertificate(CERTCertificate *c);
+
+/*
+** Create a new certificate request. This result must be wrapped with an
+** CERTSignedData to create a signed certificate request.
+**	"name" the subject name (who the certificate request is from)
+**	"spki" describes/defines the public key the certificate is for
+**	"attributes" if non-zero, some optional attribute data
+*/
+extern CERTCertificateRequest *
+CERT_CreateCertificateRequest (CERTName *name, CERTSubjectPublicKeyInfo *spki,
+			       SECItem **attributes);
+
+/*
+** Destroy a certificate-request object
+**	"r" the certificate-request to destroy
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void CERT_DestroyCertificateRequest(CERTCertificateRequest *r);
+
+/*
+** Extract a public key object from a SubjectPublicKeyInfo
+*/
+extern SECKEYPublicKey *CERT_ExtractPublicKey(CERTCertificate *cert);
+
+/*
+ * used to get a public key with Key Material ID. Only used for fortezza V1
+ * certificates.
+ */
+extern SECKEYPublicKey *CERT_KMIDPublicKey(CERTCertificate *cert);
+
+
+/*
+** Retrieve the Key Type associated with the cert we're dealing with
+*/
+
+extern KeyType CERT_GetCertKeyType (CERTSubjectPublicKeyInfo *spki);
+
+/*
+** Initialize the certificate database.  This is called to create
+**  the initial list of certificates in the database.
+*/
+extern SECStatus CERT_InitCertDB(CERTCertDBHandle *handle);
+
+/*
+** Default certificate database routines
+*/
+extern void CERT_SetDefaultCertDB(CERTCertDBHandle *handle);
+
+extern CERTCertDBHandle *CERT_GetDefaultCertDB(void);
+
+extern CERTCertList *CERT_GetCertChainFromCert(CERTCertificate *cert, 
+					       int64 time, 
+					       SECCertUsage usage);
+extern CERTCertificate *
+CERT_NewTempCertificate (CERTCertDBHandle *handle, SECItem *derCert,
+                         char *nickname, PRBool isperm, PRBool copyDER);
+
+
+/******************************************************************************
+ *
+ * X.500 Name handling operations
+ *
+ *****************************************************************************/
+
+/*
+** Create an AVA (attribute-value-assertion)
+**	"arena" the memory arena to alloc from
+**	"kind" is one of SEC_OID_AVA_*
+**	"valueType" is one of DER_PRINTABLE_STRING, DER_IA5_STRING, or
+**	   DER_T61_STRING
+**	"value" is the null terminated string containing the value
+*/
+extern CERTAVA *CERT_CreateAVA
+   (PRArenaPool *arena, SECOidTag kind, int valueType, char *value);
+
+/*
+** Extract the Distinguished Name from a DER encoded certificate
+**	"derCert" is the DER encoded certificate
+**	"derName" is the SECItem that the name is returned in
+*/
+extern SECStatus CERT_NameFromDERCert(SECItem *derCert, SECItem *derName);
+
+/*
+** Extract the Issuers Distinguished Name from a DER encoded certificate
+**	"derCert" is the DER encoded certificate
+**	"derName" is the SECItem that the name is returned in
+*/
+extern SECStatus CERT_IssuerNameFromDERCert(SECItem *derCert, 
+					    SECItem *derName);
+
+
+
+/*
+** Generate a database search key for a certificate, based on the
+** issuer and serial number.
+**	"arena" the memory arena to alloc from
+**	"derCert" the DER encoded certificate
+**	"key" the returned key
+*/
+extern SECStatus CERT_KeyFromDERCert(PRArenaPool *arena, SECItem *derCert, SECItem *key);
+
+extern SECStatus CERT_KeyFromIssuerAndSN(PRArenaPool *arena, SECItem *issuer,
+					 SECItem *sn, SECItem *key);
+
+extern SECStatus CERT_SerialNumberFromDERCert(SECItem *derCert, 
+						SECItem *derName);
+
+
+/*
+** Generate a database search key for a crl, based on the
+** issuer.
+**	"arena" the memory arena to alloc from
+**	"derCrl" the DER encoded crl
+**	"key" the returned key
+*/
+extern SECStatus CERT_KeyFromDERCrl(PRArenaPool *arena, SECItem *derCrl, SECItem *key);
+
+/*
+** Open the certificate database.  Use callback to get name of database.
+*/
+extern SECStatus CERT_OpenCertDB(CERTCertDBHandle *handle, PRBool readOnly,
+				 CERTDBNameFunc namecb, void *cbarg);
+
+/* Open the certificate database.  Use given filename for database. */
+extern SECStatus CERT_OpenCertDBFilename(CERTCertDBHandle *handle,
+					 char *certdbname, PRBool readOnly);
+
+/*
+** Open and initialize a cert database that is entirely in memory.  This
+** can be used when the permanent database can not be opened or created.
+*/
+extern SECStatus CERT_OpenVolatileCertDB(CERTCertDBHandle *handle);
+
+/*
+** Check the hostname to make sure that it matches the shexp that
+** is given in the common name of the certificate.
+*/
+extern SECStatus CERT_VerifyCertName(CERTCertificate *cert, const char *hostname);
+
+/*
+** Add a domain name to the list of names that the user has explicitly
+** allowed (despite cert name mismatches) for use with a server cert.
+*/
+extern SECStatus CERT_AddOKDomainName(CERTCertificate *cert, const char *hostname);
+
+/*
+** Decode a DER encoded certificate into an CERTCertificate structure
+**	"derSignedCert" is the DER encoded signed certificate
+**	"copyDER" is true if the DER should be copied, false if the
+**		existing copy should be referenced
+**	"nickname" is the nickname to use in the database.  If it is NULL
+**		then a temporary nickname is generated.
+*/
+extern CERTCertificate *
+CERT_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nickname);
+/*
+** Decode a DER encoded CRL/KRL into an CERTSignedCrl structure
+**	"derSignedCrl" is the DER encoded signed crl/krl.
+**	"type" is this a CRL or KRL.
+*/
+#define SEC_CRL_TYPE	1
+#define SEC_KRL_TYPE	0
+
+extern CERTSignedCrl *
+CERT_DecodeDERCrl (PRArenaPool *arena, SECItem *derSignedCrl,int type);
+
+/* Validate CRL then import it to the dbase.  If there is already a CRL with the
+ * same CA in the dbase, it will be replaced if derCRL is more up to date.  
+ * If the process successes, a CRL will be returned.  Otherwise, a NULL will 
+ * be returned. The caller should call PORT_GetError() for the exactly error 
+ * code.
+ */
+extern CERTSignedCrl *
+CERT_ImportCRL (CERTCertDBHandle *handle, SECItem *derCRL, char *url, 
+						int type, void * wincx);
+
+extern void CERT_DestroyCrl (CERTSignedCrl *crl);
+
+/*
+** Decode a certificate and put it into the temporary certificate database
+*/
+extern CERTCertificate *
+CERT_DecodeCertificate (SECItem *derCert, char *nickname,PRBool copyDER);
+
+/*
+** Find a certificate in the database
+**	"key" is the database key to look for
+*/
+extern CERTCertificate *CERT_FindCertByKey(CERTCertDBHandle *handle, SECItem *key);
+
+/*
+** Find a certificate in the database by name
+**	"name" is the distinguished name to look up
+*/
+extern CERTCertificate *
+CERT_FindCertByName (CERTCertDBHandle *handle, SECItem *name);
+
+/*
+** Find a certificate in the database by name
+**	"name" is the distinguished name to look up (in ascii)
+*/
+extern CERTCertificate *
+CERT_FindCertByNameString (CERTCertDBHandle *handle, char *name);
+
+/*
+** Find a certificate in the database by name and keyid
+**	"name" is the distinguished name to look up
+**	"keyID" is the value of the subjectKeyID to match
+*/
+extern CERTCertificate *
+CERT_FindCertByKeyID (CERTCertDBHandle *handle, SECItem *name, SECItem *keyID);
+
+/*
+** Generate a certificate key from the issuer and serialnumber, then look it
+** up in the database.  Return the cert if found.
+**	"issuerAndSN" is the issuer and serial number to look for
+*/
+extern CERTCertificate *
+CERT_FindCertByIssuerAndSN (CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN);
+
+/*
+** Find a certificate in the database by a nickname
+**	"nickname" is the ascii string nickname to look for
+*/
+extern CERTCertificate *
+CERT_FindCertByNickname (CERTCertDBHandle *handle, char *nickname);
+
+/*
+** Find a certificate in the database by a DER encoded certificate
+**	"derCert" is the DER encoded certificate
+*/
+extern CERTCertificate *
+CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert);
+
+/*
+** Find a certificate in the database by a email address
+**	"emailAddr" is the email address to look up
+*/
+CERTCertificate *
+CERT_FindCertByEmailAddr(CERTCertDBHandle *handle, char *emailAddr);
+
+/*
+** Find a certificate in the database by a email address or nickname
+**	"name" is the email address or nickname to look up
+*/
+CERTCertificate *
+CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, char *name);
+
+/*
+** Find a certificate in the database by a digest of a subject public key
+**	"spkDigest" is the digest to look up
+*/
+extern CERTCertificate *
+CERT_FindCertBySPKDigest(CERTCertDBHandle *handle, SECItem *spkDigest);
+
+/*
+ * Find the issuer of a cert
+ */
+CERTCertificate *
+CERT_FindCertIssuer(CERTCertificate *cert, int64 validTime, SECCertUsage usage);
+
+/*
+** Check the validity times of a certificate vs. time 't', allowing
+** some slop for broken clocks and stuff.
+**	"cert" is the certificate to be checked
+**	"t" is the time to check against
+**	"allowOverride" if true then check to see if the invalidity has
+**		been overridden by the user.
+*/
+extern SECCertTimeValidity CERT_CheckCertValidTimes(CERTCertificate *cert,
+						    PRTime t,
+						    PRBool allowOverride);
+
+/*
+** WARNING - this function is depricated, and will either go away or have
+**		a new API in the near future.
+**
+** Check the validity times of a certificate vs. the current time, allowing
+** some slop for broken clocks and stuff.
+**	"cert" is the certificate to be checked
+*/
+extern SECStatus CERT_CertTimesValid(CERTCertificate *cert);
+
+/*
+** Extract the validity times from a certificate
+**	"c" is the certificate
+**	"notBefore" is the start of the validity period
+**	"notAfter" is the end of the validity period
+*/
+extern SECStatus
+CERT_GetCertTimes (CERTCertificate *c, PRTime *notBefore, PRTime *notAfter);
+
+/*
+** Extract the issuer and serial number from a certificate
+*/
+extern CERTIssuerAndSN *CERT_GetCertIssuerAndSN(PRArenaPool *, 
+							CERTCertificate *);
+
+/*
+** verify the signature of a signed data object with a given certificate
+**	"sd" the signed data object to be verified
+**	"cert" the certificate to use to check the signature
+*/
+extern SECStatus CERT_VerifySignedData(CERTSignedData *sd,
+				       CERTCertificate *cert,
+				       int64 t,
+				       void *wincx);
+
+/*
+** verify a certificate by checking validity times against a certain time,
+** that we trust the issuer, and that the signature on the certificate is
+** valid.
+**	"cert" the certificate to verify
+**	"checkSig" only check signatures if true
+*/
+extern SECStatus
+CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
+		PRBool checkSig, SECCertUsage certUsage, int64 t,
+		void *wincx, CERTVerifyLog *log);
+
+/* same as above, but uses current time */
+extern SECStatus
+CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert,
+		   PRBool checkSig, SECCertUsage certUsage, void *wincx);
+
+/*
+** This must only be called on a cert that is known to have an issuer
+** with an invalid time
+*/
+extern CERTCertificate *
+CERT_FindExpiredIssuer (CERTCertDBHandle *handle, CERTCertificate *cert);
+
+/*
+** Read a base64 ascii encoded DER certificate and convert it to our
+** internal format.
+**	"certstr" is a null-terminated string containing the certificate
+*/
+extern CERTCertificate *CERT_ConvertAndDecodeCertificate(char *certstr);
+
+/*
+** Read a certificate in some foreign format, and convert it to our
+** internal format.
+**	"certbuf" is the buffer containing the certificate
+**	"certlen" is the length of the buffer
+** NOTE - currently supports netscape base64 ascii encoded raw certs
+**  and netscape binary DER typed files.
+*/
+extern CERTCertificate *CERT_DecodeCertFromPackage(char *certbuf, int certlen);
+
+extern SECStatus
+CERT_ImportCAChain (SECItem *certs, int numcerts, SECCertUsage certUsage);
+
+extern SECStatus
+CERT_ImportCAChainTrusted(SECItem *certs, int numcerts, SECCertUsage certUsage);
+
+/*
+** Read a certificate chain in some foreign format, and pass it to a 
+** callback function.
+**	"certbuf" is the buffer containing the certificate
+**	"certlen" is the length of the buffer
+**	"f" is the callback function
+**	"arg" is the callback argument
+*/
+typedef SECStatus (PR_CALLBACK *CERTImportCertificateFunc)
+   (void *arg, SECItem **certs, int numcerts);
+
+extern SECStatus
+CERT_DecodeCertPackage(char *certbuf, int certlen, CERTImportCertificateFunc f,
+		       void *arg);
+
+/*
+** Pretty print a certificate in HTML
+**	"cert" is the certificate to print
+**	"showImages" controls whether or not to use about:security URLs
+**		for subject and issuer images.  This should only be true
+**		in the browser.
+*/
+extern char *CERT_HTMLCertInfo(CERTCertificate *cert, PRBool showImages,
+			       PRBool showIssuer);
+
+/* 
+** Returns the value of an AVA.  This was a formerly static 
+** function that has been exposed due to the need to decode
+** and convert unicode strings to UTF8.  
+**
+** XXX This function resides in certhtml.c, should it be
+** moved elsewhere?
+*/
+extern SECItem *CERT_DecodeAVAValue(SECItem *derAVAValue);
+
+/*
+ * take a DER certificate and decode it into a certificate structure
+ */
+CERTCertificate *
+CERT_DecodeDERCertificate(SECItem *derSignedCert, PRBool copyDER,
+                         char *nickname);
+
+
+
+/*
+** extract various element strings from a distinguished name.
+**	"name" the distinguished name
+*/
+extern char *CERT_GetCommonName(CERTName *name);
+
+extern char *CERT_GetCertificateEmailAddress(CERTCertificate *cert);
+
+extern char *CERT_GetCertEmailAddress(CERTName *name);
+
+extern char *CERT_GetCommonName(CERTName *name);
+
+extern char *CERT_GetCountryName(CERTName *name);
+
+extern char *CERT_GetLocalityName(CERTName *name);
+
+extern char *CERT_GetStateName(CERTName *name);
+
+extern char *CERT_GetOrgName(CERTName *name);
+
+extern char *CERT_GetOrgUnitName(CERTName *name);
+
+extern char *CERT_GetDomainComponentName(CERTName *name);
+
+extern char *CERT_GetCertUid(CERTName *name);
+
+/* manipulate the trust parameters of a certificate */
+
+extern SECStatus CERT_GetCertTrust(CERTCertificate *cert, CERTCertTrust *trust);
+
+extern SECStatus
+CERT_ChangeCertTrust (CERTCertDBHandle *handle, CERTCertificate *cert,
+		      CERTCertTrust *trust);
+
+extern SECStatus
+CERT_ChangeCertTrustByUsage(CERTCertDBHandle *certdb, CERTCertificate *cert,
+			    SECCertUsage usage);
+
+/*************************************************************************
+ *
+ * manipulate the extensions of a certificate
+ *
+ ************************************************************************/
+
+/*
+** Set up a cert for adding X509v3 extensions.  Returns an opaque handle
+** used by the next two routines.
+**	"cert" is the certificate we are adding extensions to
+*/
+extern void *CERT_StartCertExtensions(CERTCertificate *cert);
+
+/*
+** Add an extension to a certificate.
+**	"exthandle" is the handle returned by the previous function
+**	"idtag" is the integer tag for the OID that should ID this extension
+**	"value" is the value of the extension
+**	"critical" is the critical extension flag
+**	"copyData" is a flag indicating whether the value data should be
+**		copied.
+*/
+extern SECStatus CERT_AddExtension (void *exthandle, int idtag, 
+			SECItem *value, PRBool critical, PRBool copyData);
+
+extern SECStatus CERT_AddExtensionByOID (void *exthandle, SECItem *oid,
+			 SECItem *value, PRBool critical, PRBool copyData);
+
+extern SECStatus CERT_EncodeAndAddExtension
+   (void *exthandle, int idtag, void *value, PRBool critical,
+    const SEC_ASN1Template *atemplate);
+
+extern SECStatus CERT_EncodeAndAddBitStrExtension
+   (void *exthandle, int idtag, SECItem *value, PRBool critical);
+
+/*
+** Finish adding cert extensions.  Does final processing on extension
+** data, putting it in the right format, and freeing any temporary
+** storage.
+**	"exthandle" is the handle used to add extensions to a certificate
+*/
+extern SECStatus CERT_FinishExtensions(void *exthandle);
+
+
+/* If the extension is found, return its criticality and value.
+** This allocate storage for the returning extension value.
+*/
+extern SECStatus CERT_GetExtenCriticality
+   (CERTCertExtension **extensions, int tag, PRBool *isCritical);
+
+extern void
+CERT_DestroyOidSequence(CERTOidSequence *oidSeq);
+
+/****************************************************************************
+ *
+ * DER encode and decode extension values
+ *
+ ****************************************************************************/
+
+/* Encode the value of the basicConstraint extension.
+**	arena - where to allocate memory for the encoded value.
+**	value - extension value to encode
+**	encodedValue - output encoded value
+*/
+extern SECStatus CERT_EncodeBasicConstraintValue
+   (PRArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue);
+
+/*
+** Encode the value of the authorityKeyIdentifier extension.
+*/
+extern SECStatus CERT_EncodeAuthKeyID
+   (PRArenaPool *arena, CERTAuthKeyID *value, SECItem *encodedValue);
+
+/*
+** Encode the value of the crlDistributionPoints extension.
+*/
+extern SECStatus CERT_EncodeCRLDistributionPoints
+   (PRArenaPool *arena, CERTCrlDistributionPoints *value,SECItem *derValue);
+
+/*
+** Decodes a DER encoded basicConstaint extension value into a readable format
+**	value - decoded value
+**	encodedValue - value to decoded
+*/
+extern SECStatus CERT_DecodeBasicConstraintValue
+   (CERTBasicConstraints *value, SECItem *encodedValue);
+
+/* Decodes a DER encoded authorityKeyIdentifier extension value into a
+** readable format.
+**	arena - where to allocate memory for the decoded value
+**	encodedValue - value to be decoded
+**	Returns a CERTAuthKeyID structure which contains the decoded value
+*/
+extern CERTAuthKeyID *CERT_DecodeAuthKeyID 
+			(PRArenaPool *arena, SECItem *encodedValue);
+
+
+/* Decodes a DER encoded crlDistributionPoints extension value into a 
+** readable format.
+**	arena - where to allocate memory for the decoded value
+**	der - value to be decoded
+**	Returns a CERTCrlDistributionPoints structure which contains the 
+**          decoded value
+*/
+extern CERTCrlDistributionPoints * CERT_DecodeCRLDistributionPoints
+   (PRArenaPool *arena, SECItem *der);
+
+/* Extract certain name type from a generalName */
+extern void *CERT_GetGeneralNameByType
+   (CERTGeneralName *genNames, CERTGeneralNameType type, PRBool derFormat);
+
+
+extern CERTOidSequence *
+CERT_DecodeOidSequence(SECItem *seqItem);
+
+
+
+
+/****************************************************************************
+ *
+ * Find extension values of a certificate 
+ *
+ ***************************************************************************/
+
+extern SECStatus CERT_FindCertExtension
+   (CERTCertificate *cert, int tag, SECItem *value);
+
+extern SECStatus CERT_FindNSCertTypeExtension
+   (CERTCertificate *cert, SECItem *value);
+
+extern char * CERT_FindNSStringExtension (CERTCertificate *cert, int oidtag);
+
+extern SECStatus CERT_FindIssuerCertExtension
+   (CERTCertificate *cert, int tag, SECItem *value);
+
+extern SECStatus CERT_FindCertExtensionByOID
+   (CERTCertificate *cert, SECItem *oid, SECItem *value);
+
+extern char *CERT_FindCertURLExtension (CERTCertificate *cert, int tag, 
+								int catag);
+
+/* Returns the decoded value of the authKeyID extension.
+**   Note that this uses passed in the arena to allocate storage for the result
+*/
+extern CERTAuthKeyID * CERT_FindAuthKeyIDExten (PRArenaPool *arena,CERTCertificate *cert);
+
+/* Returns the decoded value of the basicConstraint extension.
+ */
+extern SECStatus CERT_FindBasicConstraintExten
+   (CERTCertificate *cert, CERTBasicConstraints *value);
+
+/* Returns the decoded value of the crlDistributionPoints extension.
+**  Note that the arena in cert is used to allocate storage for the result
+*/
+extern CERTCrlDistributionPoints * CERT_FindCRLDistributionPoints
+   (CERTCertificate *cert);
+
+/* Returns value of the keyUsage extension.  This uses PR_Alloc to allocate 
+** buffer for the decoded value, The caller should free up the storage 
+** allocated in value->data.
+*/
+extern SECStatus CERT_FindKeyUsageExtension (CERTCertificate *cert, 
+							SECItem *value);
+
+/* Return the decoded value of the subjectKeyID extension. The caller should 
+** free up the storage allocated in retItem->data.
+*/
+extern SECStatus CERT_FindSubjectKeyIDExten (CERTCertificate *cert, 
+							   SECItem *retItem);
+
+/*
+** If cert is a v3 certificate, and a critical keyUsage extension is included,
+** then check the usage against the extension value.  If a non-critical 
+** keyUsage extension is included, this will return SECSuccess without 
+** checking, since the extension is an advisory field, not a restriction.  
+** If cert is not a v3 certificate, this will return SECSuccess.
+**	cert - certificate
+**	usage - one of the x.509 v3 the Key Usage Extension flags
+*/
+extern SECStatus CERT_CheckCertUsage (CERTCertificate *cert, 
+							unsigned char usage);
+
+/****************************************************************************
+ *
+ *  CRL v2 Extensions supported routines
+ *
+ ****************************************************************************/
+
+extern SECStatus CERT_FindCRLExtensionByOID
+   (CERTCrl *crl, SECItem *oid, SECItem *value);
+
+extern SECStatus CERT_FindCRLExtension
+   (CERTCrl *crl, int tag, SECItem *value);
+
+extern SECStatus
+   CERT_FindInvalidDateExten (CERTCrl *crl, int64 *value);
+
+extern void *CERT_StartCRLExtensions (CERTCrl *crl);
+
+extern CERTCertNicknames *CERT_GetCertNicknames (CERTCertDBHandle *handle,
+						 int what, void *wincx);
+
+/*
+** Finds the crlNumber extension and decodes its value into 'value'
+*/
+extern SECStatus CERT_FindCRLNumberExten (CERTCrl *crl, CERTCrlNumber *value);
+
+extern void CERT_FreeNicknames(CERTCertNicknames *nicknames);
+
+extern PRBool CERT_CompareCerts(CERTCertificate *c1, CERTCertificate *c2);
+
+extern PRBool CERT_CompareCertsForRedirection(CERTCertificate *c1,
+							 CERTCertificate *c2);
+
+/*
+** Generate an array of the Distinguished Names that the given cert database
+** "trusts"
+*/
+extern CERTDistNames *CERT_GetSSLCACerts(CERTCertDBHandle *handle);
+
+extern void CERT_FreeDistNames(CERTDistNames *names);
+
+/*
+** Generate an array of Distinguished names from an array of nicknames
+*/
+extern CERTDistNames *CERT_DistNamesFromNicknames
+   (CERTCertDBHandle *handle, char **nicknames, int nnames);
+
+/*
+** Generate a certificate chain from a certificate.
+*/
+extern CERTCertificateList *
+CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage,
+		       PRBool includeRoot);
+
+extern CERTCertificateList *
+CERT_CertListFromCert(CERTCertificate *cert);
+
+extern CERTCertificateList *
+CERT_DupCertList(CERTCertificateList * oldList);
+
+extern void CERT_DestroyCertificateList(CERTCertificateList *list);
+
+/* is cert a newer than cert b? */
+PRBool CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb);
+
+/* currently a stub for address book */
+PRBool
+CERT_IsCertRevoked(CERTCertificate *cert);
+
+void
+CERT_DestroyCertArray(CERTCertificate **certs, unsigned int ncerts);
+
+/* convert an email address to lower case */
+char *CERT_FixupEmailAddr(char *emailAddr);
+
+/* decode string representation of trust flags into trust struct */
+SECStatus
+CERT_DecodeTrustString(CERTCertTrust *trust, char *trusts);
+
+/* encode trust struct into string representation of trust flags */
+char *
+CERT_EncodeTrustString(CERTCertTrust *trust);
+
+/* find the next or prev cert in a subject list */
+CERTCertificate *
+CERT_PrevSubjectCert(CERTCertificate *cert);
+CERTCertificate *
+CERT_NextSubjectCert(CERTCertificate *cert);
+
+/*
+ * import a collection of certs into the temporary or permanent cert
+ * database
+ */
+SECStatus
+CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
+		 unsigned int ncerts, SECItem **derCerts,
+		 CERTCertificate ***retCerts, PRBool keepCerts,
+		 PRBool caOnly, char *nickname);
+
+SECStatus
+CERT_SaveImportedCert(CERTCertificate *cert, SECCertUsage usage,
+		      PRBool caOnly, char *nickname);
+
+char *
+CERT_MakeCANickname(CERTCertificate *cert);
+
+PRBool
+CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype);
+
+PRBool
+CERT_IsCADERCert(SECItem *derCert, unsigned int *rettype);
+
+SECStatus
+CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile,
+		      SECItem *profileTime);
+
+/*
+ * find the smime symmetric capabilities profile for a given cert
+ */
+SECItem *
+CERT_FindSMimeProfile(CERTCertificate *cert);
+
+SECStatus
+CERT_AddNewCerts(CERTCertDBHandle *handle);
+
+CERTPackageType
+CERT_CertPackageType(SECItem *package, SECItem *certitem);
+
+CERTCertificatePolicies *
+CERT_DecodeCertificatePoliciesExtension(SECItem *extnValue);
+
+void
+CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies);
+
+CERTUserNotice *
+CERT_DecodeUserNotice(SECItem *noticeItem);
+
+void
+CERT_DestroyUserNotice(CERTUserNotice *userNotice);
+
+typedef char * (* CERTPolicyStringCallback)(char *org,
+					       unsigned long noticeNumber,
+					       void *arg);
+void
+CERT_SetCAPolicyStringCallback(CERTPolicyStringCallback cb, void *cbarg);
+
+char *
+CERT_GetCertCommentString(CERTCertificate *cert);
+
+PRBool
+CERT_GovtApprovedBitSet(CERTCertificate *cert);
+
+SECStatus
+CERT_AddPermNickname(CERTCertificate *cert, char *nickname);
+
+/*
+ * Given a cert, find the cert with the same subject name that
+ * has the given key usage.  If the given cert has the correct keyUsage, then
+ * return it, otherwise search the list in order.
+ */
+CERTCertificate *
+CERT_FindCertByUsage(CERTCertificate *basecert, unsigned int requiredKeyUsage);
+
+
+CERTCertList *
+CERT_MatchUserCert(CERTCertDBHandle *handle,
+		   SECCertUsage usage,
+		   int nCANames, char **caNames,
+		   void *proto_win);
+
+CERTCertList *
+CERT_NewCertList(void);
+
+void
+CERT_DestroyCertList(CERTCertList *certs);
+
+/* remove the node and free the cert */
+void
+CERT_RemoveCertListNode(CERTCertListNode *node);
+
+SECStatus
+CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert);
+
+SECStatus
+CERT_AddCertToListHead(CERTCertList *certs, CERTCertificate *cert);
+
+SECStatus
+CERT_AddCertToListTailWithData(CERTCertList *certs, CERTCertificate *cert,
+							 void *appData);
+
+SECStatus
+CERT_AddCertToListHeadWithData(CERTCertList *certs, CERTCertificate *cert,
+							 void *appData);
+
+typedef PRBool (* CERTSortCallback)(CERTCertificate *certa,
+				    CERTCertificate *certb,
+				    void *arg);
+SECStatus
+CERT_AddCertToListSorted(CERTCertList *certs, CERTCertificate *cert,
+			 CERTSortCallback f, void *arg);
+
+/* callback for CERT_AddCertToListSorted that sorts based on validity
+ * period and a given time.
+ */
+PRBool
+CERT_SortCBValidity(CERTCertificate *certa,
+		    CERTCertificate *certb,
+		    void *arg);
+
+SECStatus
+CERT_CheckForEvilCert(CERTCertificate *cert);
+
+CERTGeneralName *
+CERT_GetCertificateNames(CERTCertificate *cert, PRArenaPool *arena);
+
+int
+CERT_GetNamesLength(CERTGeneralName *names);
+
+CERTCertificate *
+CERT_CompareNameSpace(CERTCertificate  *cert,
+		      CERTGeneralName  *namesList,
+		      SECItem          *namesListIndex,
+		      PRArenaPool      *arena,
+		      CERTCertDBHandle *handle);
+
+SECStatus 
+CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len, SECItem *encodedValue);
+
+char *
+CERT_GetNickName(CERTCertificate   *cert, CERTCertDBHandle *handle, PRArenaPool *nicknameArena);
+
+/*
+ * Creates or adds to a list of all certs with a give subject name, sorted by
+ * validity time, newest first.  Invalid certs are considered older than
+ * valid certs. If validOnly is set, do not include invalid certs on list.
+ */
+CERTCertList *
+CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle,
+			   SECItem *name, int64 sorttime, PRBool validOnly);
+
+/*
+ * Creates or adds to a list of all certs with a give nickname, sorted by
+ * validity time, newest first.  Invalid certs are considered older than valid
+ * certs. If validOnly is set, do not include invalid certs on list.
+ */
+CERTCertList *
+CERT_CreateNicknameCertList(CERTCertList *certList, CERTCertDBHandle *handle,
+			    char *nickname, int64 sorttime, PRBool validOnly);
+
+/*
+ * Creates or adds to a list of all certs with a give email addr, sorted by
+ * validity time, newest first.  Invalid certs are considered older than valid
+ * certs. If validOnly is set, do not include invalid certs on list.
+ */
+CERTCertList *
+CERT_CreateEmailAddrCertList(CERTCertList *certList, CERTCertDBHandle *handle,
+			     char *emailAddr, int64 sorttime, PRBool validOnly);
+
+/*
+ * remove certs from a list that don't have keyUsage and certType
+ * that match the given usage.
+ */
+SECStatus
+CERT_FilterCertListByUsage(CERTCertList *certList, SECCertUsage usage,
+			   PRBool ca);
+
+/*
+ * check the key usage of a cert against a set of required values
+ */
+SECStatus
+CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage);
+
+/*
+ * return required key usage and cert type based on cert usage
+ */
+SECStatus
+CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage,
+				 PRBool ca,
+				 unsigned int *retKeyUsage,
+				 unsigned int *retCertType);
+/*
+ * return required trust flags for various cert usages for CAs
+ */
+SECStatus
+CERT_TrustFlagsForCACertUsage(SECCertUsage usage,
+			      unsigned int *retFlags,
+			      SECTrustType *retTrustType);
+
+/*
+ * Find all user certificates that match the given criteria.
+ * 
+ *	"handle" - database to search
+ *	"usage" - certificate usage to match
+ *	"oneCertPerName" - if set then only return the "best" cert per
+ *			name
+ *	"validOnly" - only return certs that are curently valid
+ *	"proto_win" - window handle passed to pkcs11
+ */
+CERTCertList *
+CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
+			  SECCertUsage usage,
+			  PRBool oneCertPerName,
+			  PRBool validOnly,
+			  void *proto_win);
+
+/*
+ * Find a user certificate that matchs the given criteria.
+ * 
+ *	"handle" - database to search
+ *	"nickname" - nickname to match
+ *	"usage" - certificate usage to match
+ *	"validOnly" - only return certs that are curently valid
+ *	"proto_win" - window handle passed to pkcs11
+ */
+CERTCertificate *
+CERT_FindUserCertByUsage(CERTCertDBHandle *handle,
+			 char *nickname,
+			 SECCertUsage usage,
+			 PRBool validOnly,
+			 void *proto_win);
+
+/*
+ * Filter a list of certificates, removing those certs that do not have
+ * one of the named CA certs somewhere in their cert chain.
+ *
+ *	"certList" - the list of certificates to filter
+ *	"nCANames" - number of CA names
+ *	"caNames" - array of CA names in string(rfc 1485) form
+ *	"usage" - what use the certs are for, this is used when
+ *		selecting CA certs
+ */
+SECStatus
+CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames,
+			     char **caNames, SECCertUsage usage);
+
+/*
+ * Collect the nicknames from all certs in a CertList.  If the cert is not
+ * valid, append a string to that nickname.
+ *
+ * "certList" - the list of certificates
+ * "expiredString" - the string to append to the nickname of any expired cert
+ * "notYetGoodString" - the string to append to the nickname of any cert
+ *		that is not yet valid
+ */
+CERTCertNicknames *
+CERT_NicknameStringsFromCertList(CERTCertList *certList, char *expiredString,
+				 char *notYetGoodString);
+
+/*
+ * Extract the nickname from a nickmake string that may have either
+ * expiredString or notYetGoodString appended.
+ *
+ * Args:
+ *	"namestring" - the string containing the nickname, and possibly
+ *		one of the validity label strings
+ *	"expiredString" - the expired validity label string
+ *	"notYetGoodString" - the not yet good validity label string
+ *
+ * Returns the raw nickname
+ */
+char *
+CERT_ExtractNicknameString(char *namestring, char *expiredString,
+			   char *notYetGoodString);
+
+/*
+ * Given a certificate, return a string containing the nickname, and possibly
+ * one of the validity strings, based on the current validity state of the
+ * certificate.
+ *
+ * "arena" - arena to allocate returned string from.  If NULL, then heap
+ *	is used.
+ * "cert" - the cert to get nickname from
+ * "expiredString" - the string to append to the nickname if the cert is
+ *		expired.
+ * "notYetGoodString" - the string to append to the nickname if the cert is
+ *		not yet good.
+ */
+char *
+CERT_GetCertNicknameWithValidity(PRArenaPool *arena, CERTCertificate *cert,
+				 char *expiredString, char *notYetGoodString);
+
+/*
+ * Return the string representation of a DER encoded distinguished name
+ * "dername" - The DER encoded name to convert
+ */
+char *
+CERT_DerNameToAscii(SECItem *dername);
+
+/*
+ * Supported usage values and types:
+ *	certUsageSSLClient
+ *	certUsageSSLServer
+ *	certUsageSSLServerWithStepUp
+ *	certUsageEmailSigner
+ *	certUsageEmailRecipient
+ *	certUsageObjectSigner
+ */
+
+CERTCertificate *
+CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName,
+		      CERTCertOwner owner, SECCertUsage usage,
+		      PRBool preferTrusted, int64 validTime, PRBool validOnly);
+
+
+/*********************************************************************/
+/* A thread safe implementation of General Names                     */
+/*********************************************************************/
+
+/* Destroy a Single CERTGeneralName */
+void
+CERT_DestroyGeneralName(CERTGeneralName *name);
+
+/* Destroys a CERTGeneralNameList */
+void
+CERT_DestroyGeneralNameList(CERTGeneralNameList *list);
+
+/* Creates a CERTGeneralNameList */
+CERTGeneralNameList *
+CERT_CreateGeneralNameList(CERTGeneralName *name);
+
+/* Compares two CERTGeneralNameList */
+SECStatus
+CERT_CompareGeneralNameLists(CERTGeneralNameList *a, CERTGeneralNameList *b);
+
+/* returns a copy of the first name of the type requested */
+void *
+CERT_GetGeneralNameFromListByType(CERTGeneralNameList *list,
+				  CERTGeneralNameType type,
+				  PRArenaPool *arena);
+
+/* Adds a name to the tail of the list */
+void
+CERT_AddGeneralNameToList(CERTGeneralNameList *list, 
+			  CERTGeneralNameType type,
+			  void *data, SECItem *oid);
+
+/* returns a duplicate of the CERTGeneralNameList */
+CERTGeneralNameList *
+CERT_DupGeneralNameList(CERTGeneralNameList *list);
+
+/* returns the length of a CERTGeneralName */
+int
+CERT_GetNamesLength(CERTGeneralName *names);
+
+/*
+ * Acquire the global lock on the cert database.
+ * This lock is currently used for the following operations:
+ *	adding or deleting a cert to either the temp or perm databases
+ *	converting a temp to perm or perm to temp
+ *	changing(maybe just adding?) the trust of a cert
+ *	adjusting the reference count of a cert
+ */
+void
+CERT_LockDB(CERTCertDBHandle *handle);
+
+/*
+ * Free the global cert database lock.
+ */
+void
+CERT_UnlockDB(CERTCertDBHandle *handle);
+
+/*
+ * Get the certificate status checking configuratino data for
+ * the certificate database
+ */
+CERTStatusConfig *
+CERT_GetStatusConfig(CERTCertDBHandle *handle);
+
+/*
+ * Set the certificate status checking information for the
+ * database.  The input structure becomes part of the certificate
+ * database and will be freed by calling the 'Destroy' function in
+ * the configuration object.
+ */
+void
+CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *config);
+
+
+
+/*
+ * Acquire the cert reference count lock
+ * There is currently one global lock for all certs, but I'm putting a cert
+ * arg here so that it will be easy to make it per-cert in the future if
+ * that turns out to be necessary.
+ */
+void
+CERT_LockCertRefCount(CERTCertificate *cert);
+
+/*
+ * Free the cert reference count lock
+ */
+void
+CERT_UnlockCertRefCount(CERTCertificate *cert);
+
+/*
+ * Acquire the cert trust lock
+ * There is currently one global lock for all certs, but I'm putting a cert
+ * arg here so that it will be easy to make it per-cert in the future if
+ * that turns out to be necessary.
+ */
+void
+CERT_LockCertTrust(CERTCertificate *cert);
+
+/*
+ * Free the cert trust lock
+ */
+void
+CERT_UnlockCertTrust(CERTCertificate *cert);
+
+/*
+ * Digest the cert's subject public key using the specified algorithm.
+ * The necessary storage for the digest data is allocated.  If "fill" is
+ * non-null, the data is put there, otherwise a SECItem is allocated.
+ * Allocation from "arena" if it is non-null, heap otherwise.  Any problem
+ * results in a NULL being returned (and an appropriate error set).
+ */ 
+extern SECItem *
+CERT_SPKDigestValueForCert(PRArenaPool *arena, CERTCertificate *cert,
+			   SECOidTag digestAlg, SECItem *fill);
+
+/*
+ * fill in nsCertType field of the cert based on the cert extension
+ */
+extern SECStatus CERT_GetCertType(CERTCertificate *cert);
+
+SEC_END_PROTOS
+
+#endif /* _CERT_H_ */
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
new file mode 100644
index 000000000..983908737
--- /dev/null
+++ b/security/nss/lib/certdb/certdb.c
@@ -0,0 +1,2488 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Certificate handling code
+ *
+ * $Id$
+ */
+
+#include "nssilock.h"
+#include "prmon.h"
+#include "prtime.h"
+#include "cert.h"
+#include "secder.h"
+#include "secoid.h"
+#include "secasn1.h"
+#include "blapi.h"		/* for SHA1_HashBuf */
+#include "genname.h"
+#include "keyhi.h"
+#include "secitem.h"
+#include "mcom_db.h"
+#include "certdb.h"
+#include "prprf.h"
+#include "sechash.h"
+#include "prlong.h"
+#include "certxutl.h"
+#include "portreg.h"
+#include "secerr.h"
+#include "sslerr.h"
+#include "nsslocks.h"
+#include "pk11func.h"
+
+#ifndef NSS_3_4_CODE
+#define NSS_3_4_CODE
+#endif /* NSS_3_4_CODE */
+#include "pki.h"
+#include "pki3hack.h"
+
+/*
+ * Certificate database handling code
+ */
+
+
+const SEC_ASN1Template CERT_CertExtensionTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCertExtension) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(CERTCertExtension,id) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN,		/* XXX DER_DEFAULT */
+	  offsetof(CERTCertExtension,critical) },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(CERTCertExtension,value) },
+    { 0, }
+};
+
+const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, CERT_CertExtensionTemplate }
+};
+
+const SEC_ASN1Template CERT_CertificateTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+      0, NULL, sizeof(CERTCertificate) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
+	  SEC_ASN1_CONTEXT_SPECIFIC | 0, 		/* XXX DER_DEFAULT */ 
+	  offsetof(CERTCertificate,version),
+	  SEC_IntegerTemplate },
+    { SEC_ASN1_INTEGER,
+	  offsetof(CERTCertificate,serialNumber) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCertificate,signature),
+	  SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_SAVE, 
+	  offsetof(CERTCertificate,derIssuer) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCertificate,issuer),
+	  CERT_NameTemplate },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCertificate,validity),
+	  CERT_ValidityTemplate },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTCertificate,derSubject) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCertificate,subject),
+	  CERT_NameTemplate },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTCertificate,derPublicKey) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCertificate,subjectPublicKeyInfo),
+	  CERT_SubjectPublicKeyInfoTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	  offsetof(CERTCertificate,issuerID),
+	  SEC_ObjectIDTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
+	  offsetof(CERTCertificate,subjectID),
+	  SEC_ObjectIDTemplate },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
+	  SEC_ASN1_CONTEXT_SPECIFIC | 3,
+	  offsetof(CERTCertificate,extensions),
+	  CERT_SequenceOfCertExtensionTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_SignedCertificateTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCertificate) },
+    { SEC_ASN1_SAVE, 
+	  offsetof(CERTCertificate,signatureWrap.data) },
+    { SEC_ASN1_INLINE, 
+	  0, CERT_CertificateTemplate },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCertificate,signatureWrap.signatureAlgorithm),
+	  SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_BIT_STRING,
+	  offsetof(CERTCertificate,signatureWrap.signature) },
+    { 0 }
+};
+
+/*
+ * Find the subjectName in a DER encoded certificate
+ */
+const SEC_ASN1Template SEC_CertSubjectTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SECItem) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
+	  SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  0, SEC_SkipTemplate },	/* version */
+    { SEC_ASN1_SKIP },		/* serial number */
+    { SEC_ASN1_SKIP },		/* signature algorithm */
+    { SEC_ASN1_SKIP },		/* issuer */
+    { SEC_ASN1_SKIP },		/* validity */
+    { SEC_ASN1_ANY, 0, NULL },		/* subject */
+    { SEC_ASN1_SKIP_REST },
+    { 0 }
+};
+
+/*
+ * Find the issuerName in a DER encoded certificate
+ */
+const SEC_ASN1Template SEC_CertIssuerTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SECItem) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
+	  SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  0, SEC_SkipTemplate },	/* version */
+    { SEC_ASN1_SKIP },		/* serial number */
+    { SEC_ASN1_SKIP },		/* signature algorithm */
+    { SEC_ASN1_ANY, 0, NULL },		/* issuer */
+    { SEC_ASN1_SKIP_REST },
+    { 0 }
+};
+/*
+ * Find the subjectName in a DER encoded certificate
+ */
+const SEC_ASN1Template SEC_CertSerialNumberTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SECItem) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
+	  SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  0, SEC_SkipTemplate },	/* version */
+    { SEC_ASN1_ANY, 0, NULL }, /* serial number */
+    { SEC_ASN1_SKIP_REST },
+    { 0 }
+};
+
+/*
+ * Find the issuer and serialNumber in a DER encoded certificate.
+ * This data is used as the database lookup key since its the unique
+ * identifier of a certificate.
+ */
+const SEC_ASN1Template CERT_CertKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCertKey) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
+	  SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  0, SEC_SkipTemplate },	/* version */ 
+    { SEC_ASN1_INTEGER,
+	  offsetof(CERTCertKey,serialNumber) },
+    { SEC_ASN1_SKIP },		/* signature algorithm */
+    { SEC_ASN1_ANY,
+	  offsetof(CERTCertKey,derIssuer) },
+    { SEC_ASN1_SKIP_REST },
+    { 0 }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CertificateTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_SignedCertificateTemplate)
+
+SECStatus
+CERT_KeyFromIssuerAndSN(PRArenaPool *arena, SECItem *issuer, SECItem *sn,
+			SECItem *key)
+{
+    key->len = sn->len + issuer->len;
+    
+    key->data = (unsigned char*)PORT_ArenaAlloc(arena, key->len);
+    if ( !key->data ) {
+	goto loser;
+    }
+
+    /* copy the serialNumber */
+    PORT_Memcpy(key->data, sn->data, sn->len);
+
+    /* copy the issuer */
+    PORT_Memcpy(&key->data[sn->len], issuer->data, issuer->len);
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+
+/*
+ * Extract the subject name from a DER certificate
+ */
+SECStatus
+CERT_NameFromDERCert(SECItem *derCert, SECItem *derName)
+{
+    int rv;
+    PRArenaPool *arena;
+    CERTSignedData sd;
+    void *tmpptr;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( ! arena ) {
+	return(SECFailure);
+    }
+   
+    PORT_Memset(&sd, 0, sizeof(CERTSignedData));
+    rv = SEC_ASN1DecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert);
+    
+    if ( rv ) {
+	goto loser;
+    }
+    
+    PORT_Memset(derName, 0, sizeof(SECItem));
+    rv = SEC_ASN1DecodeItem(arena, derName, SEC_CertSubjectTemplate, &sd.data);
+
+    if ( rv ) {
+	goto loser;
+    }
+
+    tmpptr = derName->data;
+    derName->data = (unsigned char*)PORT_Alloc(derName->len);
+    if ( derName->data == NULL ) {
+	goto loser;
+    }
+    
+    PORT_Memcpy(derName->data, tmpptr, derName->len);
+    
+    PORT_FreeArena(arena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return(SECFailure);
+}
+
+SECStatus
+CERT_IssuerNameFromDERCert(SECItem *derCert, SECItem *derName)
+{
+    int rv;
+    PRArenaPool *arena;
+    CERTSignedData sd;
+    void *tmpptr;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( ! arena ) {
+	return(SECFailure);
+    }
+   
+    PORT_Memset(&sd, 0, sizeof(CERTSignedData));
+    rv = SEC_ASN1DecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert);
+    
+    if ( rv ) {
+	goto loser;
+    }
+    
+    PORT_Memset(derName, 0, sizeof(SECItem));
+    rv = SEC_ASN1DecodeItem(arena, derName, SEC_CertIssuerTemplate, &sd.data);
+
+    if ( rv ) {
+	goto loser;
+    }
+
+    tmpptr = derName->data;
+    derName->data = (unsigned char*)PORT_Alloc(derName->len);
+    if ( derName->data == NULL ) {
+	goto loser;
+    }
+    
+    PORT_Memcpy(derName->data, tmpptr, derName->len);
+    
+    PORT_FreeArena(arena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return(SECFailure);
+}
+
+SECStatus
+CERT_SerialNumberFromDERCert(SECItem *derCert, SECItem *derName)
+{
+    int rv;
+    PRArenaPool *arena;
+    CERTSignedData sd;
+    void *tmpptr;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( ! arena ) {
+	return(SECFailure);
+    }
+   
+    PORT_Memset(&sd, 0, sizeof(CERTSignedData));
+    rv = SEC_ASN1DecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert);
+    
+    if ( rv ) {
+	goto loser;
+    }
+    
+    PORT_Memset(derName, 0, sizeof(SECItem));
+    rv = SEC_ASN1DecodeItem(arena, derName, SEC_CertSerialNumberTemplate, &sd.data);
+
+    if ( rv ) {
+	goto loser;
+    }
+
+    tmpptr = derName->data;
+    derName->data = (unsigned char*)PORT_Alloc(derName->len);
+    if ( derName->data == NULL ) {
+	goto loser;
+    }
+    
+    PORT_Memcpy(derName->data, tmpptr, derName->len);
+    
+    PORT_FreeArena(arena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return(SECFailure);
+}
+
+/*
+ * Generate a database key, based on serial number and issuer, from a
+ * DER certificate.
+ */
+SECStatus
+CERT_KeyFromDERCert(PRArenaPool *arena, SECItem *derCert, SECItem *key)
+{
+    int rv;
+    CERTSignedData sd;
+    CERTCertKey certkey;
+
+    PORT_Memset(&sd, 0, sizeof(CERTSignedData));    
+    PORT_Memset(&certkey, 0, sizeof(CERTCertKey));    
+
+    PORT_Memset(&sd, 0, sizeof(CERTSignedData));
+    rv = SEC_ASN1DecodeItem(arena, &sd, CERT_SignedDataTemplate, derCert);
+    
+    if ( rv ) {
+	goto loser;
+    }
+    
+    PORT_Memset(&certkey, 0, sizeof(CERTCertKey));
+    rv = SEC_ASN1DecodeItem(arena, &certkey, CERT_CertKeyTemplate, &sd.data);
+
+    if ( rv ) {
+	goto loser;
+    }
+
+    return(CERT_KeyFromIssuerAndSN(arena, &certkey.derIssuer,
+				   &certkey.serialNumber, key));
+loser:
+    return(SECFailure);
+}
+
+/*
+ * fill in keyUsage field of the cert based on the cert extension
+ * if the extension is not critical, then we allow all uses
+ */
+static SECStatus
+GetKeyUsage(CERTCertificate *cert)
+{
+    SECStatus rv;
+    SECItem tmpitem;
+    
+    rv = CERT_FindKeyUsageExtension(cert, &tmpitem);
+    if ( rv == SECSuccess ) {
+	/* remember the actual value of the extension */
+	cert->rawKeyUsage = tmpitem.data[0];
+	cert->keyUsagePresent = PR_TRUE;
+	cert->keyUsage = tmpitem.data[0];
+
+	PORT_Free(tmpitem.data);
+	tmpitem.data = NULL;
+	
+    } else {
+	/* if the extension is not present, then we allow all uses */
+	cert->keyUsage = KU_ALL;
+	cert->rawKeyUsage = KU_ALL;
+	cert->keyUsagePresent = PR_FALSE;
+    }
+
+    if ( CERT_GovtApprovedBitSet(cert) ) {
+	cert->keyUsage |= KU_NS_GOVT_APPROVED;
+	cert->rawKeyUsage |= KU_NS_GOVT_APPROVED;
+    }
+    
+    return(SECSuccess);
+}
+
+
+/*
+ * determine if a fortezza V1 Cert is a CA or not.
+ */
+static PRBool
+fortezzaIsCA( CERTCertificate *cert) {
+    PRBool isCA = PR_FALSE;
+    CERTSubjectPublicKeyInfo *spki = &cert->subjectPublicKeyInfo;
+    int tag;
+
+    tag = SECOID_GetAlgorithmTag(&spki->algorithm);
+    if ((tag == SEC_OID_MISSI_KEA_DSS_OLD) ||
+       (tag == SEC_OID_MISSI_KEA_DSS) ||
+       (tag == SEC_OID_MISSI_DSS_OLD) ||
+       (tag == SEC_OID_MISSI_DSS) ) {
+	SECItem rawkey;
+	unsigned char *rawptr;
+	unsigned char *end;
+	int len;
+
+	rawkey = spki->subjectPublicKey;
+	DER_ConvertBitString(&rawkey);
+	rawptr = rawkey.data;
+	end = rawkey.data + rawkey.len;
+
+	/* version */	
+	rawptr += sizeof(((SECKEYPublicKey*)0)->u.fortezza.KMID)+2;
+
+	/* clearance (the string up to the first byte with the hi-bit on */
+	while ((rawptr < end) && (*rawptr++ & 0x80));
+	if (rawptr >= end) { return PR_FALSE; }
+
+	/* KEAPrivilege (the string up to the first byte with the hi-bit on */
+	while ((rawptr < end) && (*rawptr++ & 0x80));
+	if (rawptr >= end) { return PR_FALSE; }
+
+	/* skip the key */
+	len = (*rawptr << 8) | rawptr[1];
+	rawptr += 2 + len;
+
+	/* shared key */
+	if (rawptr >= end) { return PR_FALSE; }
+	/* DSS Version is next */
+	rawptr += 2;
+
+	/* DSSPrivilege (the string up to the first byte with the hi-bit on */
+	if (*rawptr & 0x30) isCA = PR_TRUE;
+	
+   }
+   return isCA;
+}
+
+static SECStatus
+findOIDinOIDSeqByTagNum(CERTOidSequence *seq, SECOidTag tagnum)
+{
+    SECItem **oids;
+    SECItem *oid;
+    SECStatus rv = SECFailure;
+    
+    if (seq != NULL) {
+	oids = seq->oids;
+	while (oids != NULL && *oids != NULL) {
+	    oid = *oids;
+	    if (SECOID_FindOIDTag(oid) == tagnum) {
+		rv = SECSuccess;
+		break;
+	    }
+	    oids++;
+	}
+    }
+    return rv;
+}
+
+/*
+ * fill in nsCertType field of the cert based on the cert extension
+ */
+SECStatus
+CERT_GetCertType(CERTCertificate *cert)
+{
+    SECStatus rv;
+    SECItem tmpitem;
+    SECItem encodedExtKeyUsage;
+    CERTOidSequence *extKeyUsage = NULL;
+    PRBool basicConstraintPresent = PR_FALSE;
+    CERTBasicConstraints basicConstraint;
+
+    tmpitem.data = NULL;
+    CERT_FindNSCertTypeExtension(cert, &tmpitem);
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, 
+				&encodedExtKeyUsage);
+    if (rv == SECSuccess) {
+	extKeyUsage = CERT_DecodeOidSequence(&encodedExtKeyUsage);
+    }
+    rv = CERT_FindBasicConstraintExten(cert, &basicConstraint);
+    if (rv == SECSuccess) {
+	basicConstraintPresent = PR_TRUE;
+    }
+    if (tmpitem.data != NULL || extKeyUsage != NULL) {
+	if (tmpitem.data == NULL) {
+	    cert->nsCertType = 0;
+	} else {
+	    cert->nsCertType = tmpitem.data[0];
+	}
+
+	/* free tmpitem data pointer to avoid memory leak */
+	PORT_Free(tmpitem.data);
+	tmpitem.data = NULL;
+	
+	/*
+	 * for this release, we will allow SSL certs with an email address
+	 * to be used for email
+	 */
+	if ( ( cert->nsCertType & NS_CERT_TYPE_SSL_CLIENT ) &&
+	    cert->emailAddr ) {
+	    cert->nsCertType |= NS_CERT_TYPE_EMAIL;
+	}
+	/*
+	 * for this release, we will allow SSL intermediate CAs to be
+	 * email intermediate CAs too.
+	 */
+	if ( cert->nsCertType & NS_CERT_TYPE_SSL_CA ) {
+	    cert->nsCertType |= NS_CERT_TYPE_EMAIL_CA;
+	}
+	/*
+	 * allow a cert with the extended key usage of EMail Protect
+	 * to be used for email or as an email CA, if basic constraints
+	 * indicates that it is a CA.
+	 */
+	if (findOIDinOIDSeqByTagNum(extKeyUsage, 
+				    SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT) ==
+	    SECSuccess) {
+	    if (basicConstraintPresent == PR_TRUE &&
+		(basicConstraint.isCA)) {
+		cert->nsCertType |= NS_CERT_TYPE_EMAIL_CA;
+	    } else {
+		cert->nsCertType |= NS_CERT_TYPE_EMAIL;
+	    }
+	}
+	if (findOIDinOIDSeqByTagNum(extKeyUsage, 
+				    SEC_OID_EXT_KEY_USAGE_SERVER_AUTH) ==
+	    SECSuccess){
+	    if (basicConstraintPresent == PR_TRUE &&
+		(basicConstraint.isCA)) {
+		cert->nsCertType |= NS_CERT_TYPE_SSL_CA;
+	    } else {
+		cert->nsCertType |= NS_CERT_TYPE_SSL_SERVER;
+	    }
+	}
+	if (findOIDinOIDSeqByTagNum(extKeyUsage,
+				    SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH) ==
+	    SECSuccess){
+	    if (basicConstraintPresent == PR_TRUE &&
+		(basicConstraint.isCA)) {
+		cert->nsCertType |= NS_CERT_TYPE_SSL_CA;
+	    } else {
+		cert->nsCertType |= NS_CERT_TYPE_SSL_CLIENT;
+	    }
+	}
+	if (findOIDinOIDSeqByTagNum(extKeyUsage,
+				    SEC_OID_EXT_KEY_USAGE_CODE_SIGN) ==
+	    SECSuccess) {
+	    if (basicConstraintPresent == PR_TRUE &&
+		(basicConstraint.isCA)) {
+		cert->nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
+	    } else {
+		cert->nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING;
+	    }
+	}
+	if (findOIDinOIDSeqByTagNum(extKeyUsage,
+				    SEC_OID_EXT_KEY_USAGE_TIME_STAMP) ==
+	    SECSuccess) {
+	    cert->nsCertType |= EXT_KEY_USAGE_TIME_STAMP;
+	}
+	if (findOIDinOIDSeqByTagNum(extKeyUsage,
+				    SEC_OID_OCSP_RESPONDER) == 
+	    SECSuccess) {
+	    cert->nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
+	}
+    } else {
+	/* if no extension, then allow any ssl or email (no ca or object
+	 * signing)
+	 */
+	cert->nsCertType = NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER |
+	    NS_CERT_TYPE_EMAIL;
+
+	/* if the basic constraint extension says the cert is a CA, then
+	   allow SSL CA and EMAIL CA and Status Responder */
+	if ((basicConstraintPresent == PR_TRUE)
+	    && (basicConstraint.isCA)) {
+		cert->nsCertType |= NS_CERT_TYPE_SSL_CA;
+		cert->nsCertType |= NS_CERT_TYPE_EMAIL_CA;
+		cert->nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
+	} else if (CERT_IsCACert(cert, NULL) == PR_TRUE) {
+		cert->nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
+	}
+
+	/* if the cert is a fortezza CA cert, then allow SSL CA and EMAIL CA */
+	if (fortezzaIsCA(cert)) {
+		cert->nsCertType |= NS_CERT_TYPE_SSL_CA;
+		cert->nsCertType |= NS_CERT_TYPE_EMAIL_CA;
+	}
+    }
+
+    if (extKeyUsage != NULL) {
+	PORT_Free(encodedExtKeyUsage.data);
+	CERT_DestroyOidSequence(extKeyUsage);
+    }
+    return(SECSuccess);
+}
+
+/*
+ * cert_GetKeyID() - extract or generate the subjectKeyID from a certificate
+ */
+SECStatus
+cert_GetKeyID(CERTCertificate *cert)
+{
+    SECItem tmpitem;
+    SECStatus rv;
+    SECKEYPublicKey *key;
+    
+    cert->subjectKeyID.len = 0;
+
+    /* see of the cert has a key identifier extension */
+    rv = CERT_FindSubjectKeyIDExten(cert, &tmpitem);
+    if ( rv == SECSuccess ) {
+	cert->subjectKeyID.data = (unsigned char*) PORT_ArenaAlloc(cert->arena, tmpitem.len);
+	if ( cert->subjectKeyID.data != NULL ) {
+	    PORT_Memcpy(cert->subjectKeyID.data, tmpitem.data, tmpitem.len);
+	    cert->subjectKeyID.len = tmpitem.len;
+	    cert->keyIDGenerated = PR_FALSE;
+	}
+	
+	PORT_Free(tmpitem.data);
+    }
+    
+    /* if the cert doesn't have a key identifier extension and the cert is
+     * a V1 fortezza certificate, use the cert's 8 byte KMID as the
+     * key identifier.  */
+    key = CERT_KMIDPublicKey(cert);
+
+    if (key != NULL) {
+	
+	if (key->keyType == fortezzaKey) {
+
+	    cert->subjectKeyID.data = (unsigned char *)PORT_ArenaAlloc(cert->arena, 8);
+	    if ( cert->subjectKeyID.data != NULL ) {
+		PORT_Memcpy(cert->subjectKeyID.data, key->u.fortezza.KMID, 8);
+		cert->subjectKeyID.len = 8;
+		cert->keyIDGenerated = PR_FALSE;
+	    }
+	}
+		
+	SECKEY_DestroyPublicKey(key);
+    }
+
+    /* if the cert doesn't have a key identifier extension, then generate one*/
+    if ( cert->subjectKeyID.len == 0 ) {
+	/*
+	 * pkix says that if the subjectKeyID is not present, then we should
+	 * use the SHA-1 hash of the DER-encoded publicKeyInfo from the cert
+	 */
+	cert->subjectKeyID.data = (unsigned char *)PORT_ArenaAlloc(cert->arena, SHA1_LENGTH);
+	if ( cert->subjectKeyID.data != NULL ) {
+	    rv = PK11_HashBuf(SEC_OID_SHA1,cert->subjectKeyID.data,
+			      cert->derPublicKey.data,
+			      cert->derPublicKey.len);
+	    if ( rv == SECSuccess ) {
+		cert->subjectKeyID.len = SHA1_LENGTH;
+	    }
+	}
+    }
+
+    if ( cert->subjectKeyID.len == 0 ) {
+	return(SECFailure);
+    }
+    return(SECSuccess);
+
+}
+
+/*
+ * take a DER certificate and decode it into a certificate structure
+ */
+CERTCertificate *
+CERT_DecodeDERCertificate(SECItem *derSignedCert, PRBool copyDER,
+			 char *nickname)
+{
+    CERTCertificate *cert;
+    PRArenaPool *arena;
+    void *data;
+    int rv;
+    int len;
+    char *tmpname;
+    
+    /* make a new arena */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( !arena ) {
+	return 0;
+    }
+
+    /* allocate the certificate structure */
+    cert = (CERTCertificate *)PORT_ArenaZAlloc(arena, sizeof(CERTCertificate));
+    
+    if ( !cert ) {
+	goto loser;
+    }
+    
+    cert->arena = arena;
+    
+    if ( copyDER ) {
+	/* copy the DER data for the cert into this arena */
+	data = (void *)PORT_ArenaAlloc(arena, derSignedCert->len);
+	if ( !data ) {
+	    goto loser;
+	}
+	cert->derCert.data = (unsigned char *)data;
+	cert->derCert.len = derSignedCert->len;
+	PORT_Memcpy(data, derSignedCert->data, derSignedCert->len);
+    } else {
+	/* point to passed in DER data */
+	cert->derCert = *derSignedCert;
+    }
+
+    /* decode the certificate info */
+    rv = SEC_ASN1DecodeItem(arena, cert, SEC_SignedCertificateTemplate,
+		    &cert->derCert);
+
+    if ( rv ) {
+	goto loser;
+    }
+
+    if (cert_HasUnknownCriticalExten (cert->extensions) == PR_TRUE) {
+	PORT_SetError(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION);
+	goto loser;
+    }
+
+    /* generate and save the database key for the cert */
+    rv = CERT_KeyFromDERCert(arena, &cert->derCert, &cert->certKey);
+    if ( rv ) {
+	goto loser;
+    }
+
+    /* set the nickname */
+    if ( nickname == NULL ) {
+	cert->nickname = NULL;
+    } else {
+	/* copy and install the nickname */
+	len = PORT_Strlen(nickname) + 1;
+	cert->nickname = (char*)PORT_ArenaAlloc(arena, len);
+	if ( cert->nickname == NULL ) {
+	    goto loser;
+	}
+
+	PORT_Memcpy(cert->nickname, nickname, len);
+    }
+
+    /* set the email address */
+    cert->emailAddr = CERT_GetCertificateEmailAddress(cert);
+    
+    /* initialize the subjectKeyID */
+    rv = cert_GetKeyID(cert);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* initialize keyUsage */
+    rv = GetKeyUsage(cert);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* initialize the certType */
+    rv = CERT_GetCertType(cert);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    tmpname = CERT_NameToAscii(&cert->subject);
+    if ( tmpname != NULL ) {
+	cert->subjectName = PORT_ArenaStrdup(cert->arena, tmpname);
+	PORT_Free(tmpname);
+    }
+    
+    tmpname = CERT_NameToAscii(&cert->issuer);
+    if ( tmpname != NULL ) {
+	cert->issuerName = PORT_ArenaStrdup(cert->arena, tmpname);
+	PORT_Free(tmpname);
+    }
+    
+    cert->referenceCount = 1;
+    cert->slot = NULL;
+    cert->pkcs11ID = CK_INVALID_HANDLE;
+    cert->dbnickname = NULL;
+    
+    return(cert);
+    
+loser:
+
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(0);
+}
+
+CERTCertificate *
+__CERT_DecodeDERCertificate(SECItem *derSignedCert, PRBool copyDER,
+			 char *nickname)
+{
+    return CERT_DecodeDERCertificate(derSignedCert, copyDER, nickname);
+}
+
+
+/*
+** Amount of time that a certifiate is allowed good before it is actually
+** good. This is used for pending certificates, ones that are about to be
+** valid. The slop is designed to allow for some variance in the clocks
+** of the machine checking the certificate.
+*/
+#define PENDING_SLOP (24L*60L*60L)		/* seconds per day */
+static PRInt32 pendingSlop = PENDING_SLOP;	/* seconds */
+
+PRInt32
+CERT_GetSlopTime(void)
+{
+    return pendingSlop;			/* seconds */
+}
+
+SECStatus
+CERT_SetSlopTime(PRInt32 slop)		/* seconds */
+{
+    if (slop < 0)
+	return SECFailure;
+    pendingSlop = slop;
+    return SECSuccess;
+}
+
+SECStatus
+CERT_GetCertTimes(CERTCertificate *c, PRTime *notBefore, PRTime *notAfter)
+{
+    int rv;
+    
+    /* convert DER not-before time */
+    rv = DER_UTCTimeToTime(notBefore, &c->validity.notBefore);
+    if (rv) {
+	return(SECFailure);
+    }
+    
+    /* convert DER not-after time */
+    rv = DER_UTCTimeToTime(notAfter, &c->validity.notAfter);
+    if (rv) {
+	return(SECFailure);
+    }
+
+    return(SECSuccess);
+}
+
+/*
+ * Check the validity times of a certificate
+ */
+SECCertTimeValidity
+CERT_CheckCertValidTimes(CERTCertificate *c, PRTime t, PRBool allowOverride)
+{
+    PRTime notBefore, notAfter, llPendingSlop, tmp1;
+    SECStatus rv;
+
+    /* if cert is already marked OK, then don't bother to check */
+    if ( allowOverride && c->timeOK ) {
+	return(secCertTimeValid);
+    }
+
+    rv = CERT_GetCertTimes(c, &notBefore, &notAfter);
+    
+    if (rv) {
+	return(secCertTimeExpired); /*XXX is this the right thing to do here?*/
+    }
+    
+    LL_I2L(llPendingSlop, pendingSlop);
+    /* convert to micro seconds */
+    LL_I2L(tmp1, PR_USEC_PER_SEC);
+    LL_MUL(llPendingSlop, llPendingSlop, tmp1);
+    LL_SUB(notBefore, notBefore, llPendingSlop);
+    if ( LL_CMP( t, <, notBefore ) ) {
+	PORT_SetError(SEC_ERROR_EXPIRED_CERTIFICATE);
+	return(secCertTimeNotValidYet);
+    }
+    if ( LL_CMP( t, >, notAfter) ) {
+	PORT_SetError(SEC_ERROR_EXPIRED_CERTIFICATE);
+	return(secCertTimeExpired);
+    }
+
+    return(secCertTimeValid);
+}
+
+SECStatus
+SEC_GetCrlTimes(CERTCrl *date, PRTime *notBefore, PRTime *notAfter)
+{
+    int rv;
+    
+    /* convert DER not-before time */
+    rv = DER_UTCTimeToTime(notBefore, &date->lastUpdate);
+    if (rv) {
+	return(SECFailure);
+    }
+    
+    /* convert DER not-after time */
+    if (date->nextUpdate.data) {
+	rv = DER_UTCTimeToTime(notAfter, &date->nextUpdate);
+	if (rv) {
+	    return(SECFailure);
+	}
+    }
+    else {
+	LL_I2L(*notAfter, 0L);
+    }
+    return(SECSuccess);
+}
+
+/* These routines should probably be combined with the cert
+ * routines using an common extraction routine.
+ */
+SECCertTimeValidity
+SEC_CheckCrlTimes(CERTCrl *crl, PRTime t) {
+    PRTime notBefore, notAfter, llPendingSlop, tmp1;
+    SECStatus rv;
+
+    rv = SEC_GetCrlTimes(crl, &notBefore, &notAfter);
+    
+    if (rv) {
+	return(secCertTimeExpired); 
+    }
+
+    LL_I2L(llPendingSlop, pendingSlop);
+    /* convert to micro seconds */
+    LL_I2L(tmp1, PR_USEC_PER_SEC);
+    LL_MUL(llPendingSlop, llPendingSlop, tmp1);
+    LL_SUB(notBefore, notBefore, llPendingSlop);
+    if ( LL_CMP( t, <, notBefore ) ) {
+	return(secCertTimeNotValidYet);
+    }
+
+    /* If next update is omitted and the test for notBefore passes, then
+       we assume that the crl is up to date.
+     */
+    if ( LL_IS_ZERO(notAfter) ) {
+	return(secCertTimeValid);
+    }
+
+    if ( LL_CMP( t, >, notAfter) ) {
+	return(secCertTimeExpired);
+    }
+
+    return(secCertTimeValid);
+}
+
+PRBool
+SEC_CrlIsNewer(CERTCrl *inNew, CERTCrl *old) {
+    PRTime newNotBefore, newNotAfter;
+    PRTime oldNotBefore, oldNotAfter;
+    SECStatus rv;
+
+    /* problems with the new CRL? reject it */
+    rv = SEC_GetCrlTimes(inNew, &newNotBefore, &newNotAfter);
+    if (rv) return PR_FALSE;
+
+    /* problems with the old CRL? replace it */
+    rv = SEC_GetCrlTimes(old, &oldNotBefore, &oldNotAfter);
+    if (rv) return PR_TRUE;
+
+    /* Question: what about the notAfter's? */
+    return ((PRBool)LL_CMP(oldNotBefore, <, newNotBefore));
+}
+   
+/*
+ * return required key usage and cert type based on cert usage 
+ */
+SECStatus
+CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage,
+				 PRBool ca,
+				 unsigned int *retKeyUsage,
+				 unsigned int *retCertType)
+{
+    unsigned int requiredKeyUsage = 0;
+    unsigned int requiredCertType = 0;
+    
+    if ( ca ) {
+	switch ( usage ) {
+	  case certUsageSSLServerWithStepUp:
+	    requiredKeyUsage = KU_NS_GOVT_APPROVED | KU_KEY_CERT_SIGN;
+	    requiredCertType = NS_CERT_TYPE_SSL_CA;
+	    break;
+	  case certUsageSSLClient:
+	    requiredKeyUsage = KU_KEY_CERT_SIGN;
+	    requiredCertType = NS_CERT_TYPE_SSL_CA;
+	    break;
+	  case certUsageSSLServer:
+	    requiredKeyUsage = KU_KEY_CERT_SIGN;
+	    requiredCertType = NS_CERT_TYPE_SSL_CA;
+	    break;
+	  case certUsageSSLCA:
+	    requiredKeyUsage = KU_KEY_CERT_SIGN;
+	    requiredCertType = NS_CERT_TYPE_SSL_CA;
+	    break;
+	  case certUsageEmailSigner:
+	    requiredKeyUsage = KU_KEY_CERT_SIGN;
+	    requiredCertType = NS_CERT_TYPE_EMAIL_CA;
+	    break;
+	  case certUsageEmailRecipient:
+	    requiredKeyUsage = KU_KEY_CERT_SIGN;
+	    requiredCertType = NS_CERT_TYPE_EMAIL_CA;
+	    break;
+	  case certUsageObjectSigner:
+	    requiredKeyUsage = KU_KEY_CERT_SIGN;
+	    requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING_CA;
+	    break;
+	  case certUsageAnyCA:
+	  case certUsageStatusResponder:
+	    requiredKeyUsage = KU_KEY_CERT_SIGN;
+	    requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING_CA |
+		NS_CERT_TYPE_EMAIL_CA |
+		    NS_CERT_TYPE_SSL_CA;
+	    break;
+	  default:
+	    PORT_Assert(0);
+	    goto loser;
+	}
+    } else {
+	switch ( usage ) {
+	  case certUsageSSLClient:
+	    requiredKeyUsage = KU_DIGITAL_SIGNATURE;
+	    requiredCertType = NS_CERT_TYPE_SSL_CLIENT;
+	    break;
+	  case certUsageSSLServer:
+	    requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT;
+	    requiredCertType = NS_CERT_TYPE_SSL_SERVER;
+	    break;
+	  case certUsageSSLServerWithStepUp:
+	    requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT |
+		KU_NS_GOVT_APPROVED;
+	    requiredCertType = NS_CERT_TYPE_SSL_SERVER;
+	    break;
+	  case certUsageSSLCA:
+	    requiredKeyUsage = KU_KEY_CERT_SIGN;
+	    requiredCertType = NS_CERT_TYPE_SSL_CA;
+	    break;
+	  case certUsageEmailSigner:
+	    requiredKeyUsage = KU_DIGITAL_SIGNATURE;
+	    requiredCertType = NS_CERT_TYPE_EMAIL;
+	    break;
+	  case certUsageEmailRecipient:
+	    requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT;
+	    requiredCertType = NS_CERT_TYPE_EMAIL;
+	    break;
+	  case certUsageObjectSigner:
+	    requiredKeyUsage = KU_DIGITAL_SIGNATURE;
+	    requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING;
+	    break;
+	  case certUsageStatusResponder:
+	    requiredKeyUsage = KU_DIGITAL_SIGNATURE;
+	    requiredCertType = EXT_KEY_USAGE_STATUS_RESPONDER;
+	    break;
+	  default:
+	    PORT_Assert(0);
+	    goto loser;
+	}
+    }
+
+    if ( retKeyUsage != NULL ) {
+	*retKeyUsage = requiredKeyUsage;
+    }
+    if ( retCertType != NULL ) {
+	*retCertType = requiredCertType;
+    }
+
+    return(SECSuccess);
+loser:
+    return(SECFailure);
+}
+
+/*
+ * check the key usage of a cert against a set of required values
+ */
+SECStatus
+CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage)
+{
+    SECKEYPublicKey *key;
+    
+    /* choose between key agreement or key encipherment based on key
+     * type in cert
+     */
+    if ( requiredUsage & KU_KEY_AGREEMENT_OR_ENCIPHERMENT ) {
+	key = CERT_ExtractPublicKey(cert);
+	if ( ( key->keyType == keaKey ) || ( key->keyType == fortezzaKey ) ||
+	     ( key->keyType == dhKey ) ) {
+	    requiredUsage |= KU_KEY_AGREEMENT;
+	} else {
+	    requiredUsage |= KU_KEY_ENCIPHERMENT;
+	} 
+
+	/* now turn off the special bit */
+	requiredUsage &= (~KU_KEY_AGREEMENT_OR_ENCIPHERMENT);
+	
+	SECKEY_DestroyPublicKey(key);
+    }
+
+    if ( ( cert->keyUsage & requiredUsage ) != requiredUsage ) {
+	return(SECFailure);
+    }
+    return(SECSuccess);
+}
+
+
+CERTCertificate *
+CERT_DupCertificate(CERTCertificate *c)
+{
+    if (c) {
+#ifdef NSS_CLASSIC
+	CERT_LockCertRefCount(c);
+	++c->referenceCount;
+	CERT_UnlockCertRefCount(c);
+#else
+	NSSCertificate *tmp = STAN_GetNSSCertificate(c);
+	nssCertificate_AddRef(tmp);
+#endif
+    }
+    return c;
+}
+
+/*
+ * Allow use of default cert database, so that apps(such as mozilla) don't
+ * have to pass the handle all over the place.
+ */
+static CERTCertDBHandle *default_cert_db_handle = 0;
+
+void
+CERT_SetDefaultCertDB(CERTCertDBHandle *handle)
+{
+    default_cert_db_handle = handle;
+    
+    return;
+}
+
+CERTCertDBHandle *
+CERT_GetDefaultCertDB(void)
+{
+    return(default_cert_db_handle);
+}
+
+/* XXX this would probably be okay/better as an xp routine? */
+static void
+sec_lower_string(char *s)
+{
+    if ( s == NULL ) {
+	return;
+    }
+    
+    while ( *s ) {
+	*s = PORT_Tolower(*s);
+	s++;
+    }
+    
+    return;
+}
+
+/*
+** Add a domain name to the list of names that the user has explicitly
+** allowed (despite cert name mismatches) for use with a server cert.
+*/
+SECStatus
+CERT_AddOKDomainName(CERTCertificate *cert, const char *hn)
+{
+    CERTOKDomainName *domainOK;
+    int	       newNameLen;
+
+    if (!hn || !(newNameLen = strlen(hn))) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    domainOK = (CERTOKDomainName *)PORT_ArenaZAlloc(cert->arena, 
+				  (sizeof *domainOK) + newNameLen);
+    if (!domainOK) 
+    	return SECFailure;	/* error code is already set. */
+
+    PORT_Strcpy(domainOK->name, hn);
+    sec_lower_string(domainOK->name);
+
+    /* put at head of list. */
+    domainOK->next = cert->domainOK;
+    cert->domainOK = domainOK;
+    return SECSuccess;
+}
+
+/* Make sure that the name of the host we are connecting to matches the
+ * name that is incoded in the common-name component of the certificate
+ * that they are using.
+ */
+SECStatus
+CERT_VerifyCertName(CERTCertificate *cert, const char *hn)
+{
+    char *    cn;
+    char *    domain;
+    char *    hndomain;
+    char *    hostname;
+    int       regvalid;
+    int       match;
+    SECStatus rv;
+    CERTOKDomainName *domainOK;
+
+    if (!hn || !strlen(hn)) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    hostname = PORT_Strdup(hn);
+    if ( hostname == NULL ) {
+	return(SECFailure);
+    }
+    sec_lower_string(hostname);
+
+    /* if the name is one that the user has already approved, it's OK. */
+    for (domainOK = cert->domainOK; domainOK; domainOK = domainOK->next) {
+	if (0 == PORT_Strcmp(hostname, domainOK->name)) {
+	    PORT_Free(hostname);
+	    return SECSuccess;
+    	}
+    }
+
+    /* try the cert extension first, then the common name */
+    cn = CERT_FindNSStringExtension(cert, SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME);
+    if ( cn == NULL ) {
+	cn = CERT_GetCommonName(&cert->subject);
+    }
+    
+    sec_lower_string(cn);
+
+    if ( cn ) {
+	if ( ( hndomain = PORT_Strchr(hostname, '.') ) == NULL ) {
+	    /* No domain in server name */
+	    if ( ( domain = PORT_Strchr(cn, '.') ) != NULL ) {
+		/* there is a domain in the cn string, so chop it off */
+		*domain = '\0';
+	    }
+	}
+
+	regvalid = PORT_RegExpValid(cn);
+	
+	if ( regvalid == NON_SXP ) {
+	    /* compare entire hostname with cert name */
+	    if ( PORT_Strcmp(hostname, cn) == 0 ) {
+		rv = SECSuccess;
+		goto done;
+	    }
+	    
+	    if ( hndomain ) {
+		/* compare just domain name with cert name */
+		if ( PORT_Strcmp(hndomain+1, cn) == 0 ) {
+		    rv = SECSuccess;
+		    goto done;
+		}
+	    }
+
+	    PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
+	    rv = SECFailure;
+	    goto done;
+	    
+	} else {
+	    /* try to match the shexp */
+	    match = PORT_RegExpCaseSearch(hostname, cn);
+
+	    if ( match == 0 ) {
+		rv = SECSuccess;
+	    } else {
+		PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
+		rv = SECFailure;
+	    }
+	    goto done;
+	}
+    }
+
+    PORT_SetError(SEC_ERROR_NO_MEMORY);
+    rv = SECFailure;
+
+done:
+    /* free the common name */
+    if ( cn ) {
+	PORT_Free(cn);
+    }
+    
+    if ( hostname ) {
+	PORT_Free(hostname);
+    }
+    
+    return(rv);
+}
+
+PRBool
+CERT_CompareCerts(CERTCertificate *c1, CERTCertificate *c2)
+{
+    SECComparison comp;
+    
+    comp = SECITEM_CompareItem(&c1->derCert, &c2->derCert);
+    if ( comp == SECEqual ) { /* certs are the same */
+	return(PR_TRUE);
+    } else {
+	return(PR_FALSE);
+    }
+}
+
+static SECStatus
+StringsEqual(char *s1, char *s2) {
+    if ( ( s1 == NULL ) || ( s2 == NULL ) ) {
+	if ( s1 != s2 ) { /* only one is null */
+	    return(SECFailure);
+	}
+	return(SECSuccess); /* both are null */
+    }
+	
+    if ( PORT_Strcmp( s1, s2 ) != 0 ) {
+	return(SECFailure); /* not equal */
+    }
+
+    return(SECSuccess); /* strings are equal */
+}
+
+
+PRBool
+CERT_CompareCertsForRedirection(CERTCertificate *c1, CERTCertificate *c2)
+{
+    SECComparison comp;
+    char *c1str, *c2str;
+    SECStatus eq;
+    
+    comp = SECITEM_CompareItem(&c1->derCert, &c2->derCert);
+    if ( comp == SECEqual ) { /* certs are the same */
+	return(PR_TRUE);
+    }
+	
+    /* check if they are issued by the same CA */
+    comp = SECITEM_CompareItem(&c1->derIssuer, &c2->derIssuer);
+    if ( comp != SECEqual ) { /* different issuer */
+	return(PR_FALSE);
+    }
+
+    /* check country name */
+    c1str = CERT_GetCountryName(&c1->subject);
+    c2str = CERT_GetCountryName(&c2->subject);
+    eq = StringsEqual(c1str, c2str);
+    PORT_Free(c1str);
+    PORT_Free(c2str);
+    if ( eq != SECSuccess ) {
+	return(PR_FALSE);
+    }
+
+    /* check locality name */
+    c1str = CERT_GetLocalityName(&c1->subject);
+    c2str = CERT_GetLocalityName(&c2->subject);
+    eq = StringsEqual(c1str, c2str);
+    PORT_Free(c1str);
+    PORT_Free(c2str);
+    if ( eq != SECSuccess ) {
+	return(PR_FALSE);
+    }
+	
+    /* check state name */
+    c1str = CERT_GetStateName(&c1->subject);
+    c2str = CERT_GetStateName(&c2->subject);
+    eq = StringsEqual(c1str, c2str);
+    PORT_Free(c1str);
+    PORT_Free(c2str);
+    if ( eq != SECSuccess ) {
+	return(PR_FALSE);
+    }
+
+    /* check org name */
+    c1str = CERT_GetOrgName(&c1->subject);
+    c2str = CERT_GetOrgName(&c2->subject);
+    eq = StringsEqual(c1str, c2str);
+    PORT_Free(c1str);
+    PORT_Free(c2str);
+    if ( eq != SECSuccess ) {
+	return(PR_FALSE);
+    }
+
+#ifdef NOTDEF	
+    /* check orgUnit name */
+    /*
+     * We need to revisit this and decide which fields should be allowed to be
+     * different
+     */
+    c1str = CERT_GetOrgUnitName(&c1->subject);
+    c2str = CERT_GetOrgUnitName(&c2->subject);
+    eq = StringsEqual(c1str, c2str);
+    PORT_Free(c1str);
+    PORT_Free(c2str);
+    if ( eq != SECSuccess ) {
+	return(PR_FALSE);
+    }
+#endif
+
+    return(PR_TRUE); /* all fields but common name are the same */
+}
+
+
+/* CERT_CertChainFromCert and CERT_DestroyCertificateList moved
+   to certhigh.c */
+
+
+CERTIssuerAndSN *
+CERT_GetCertIssuerAndSN(PRArenaPool *arena, CERTCertificate *cert)
+{
+    CERTIssuerAndSN *result;
+    SECStatus rv;
+
+    if ( arena == NULL ) {
+	arena = cert->arena;
+    }
+    
+    result = (CERTIssuerAndSN*)PORT_ArenaZAlloc(arena, sizeof(*result));
+    if (result == NULL) {
+	PORT_SetError (SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    rv = SECITEM_CopyItem(arena, &result->derIssuer, &cert->derIssuer);
+    if (rv != SECSuccess)
+	return NULL;
+
+    rv = CERT_CopyName(arena, &result->issuer, &cert->issuer);
+    if (rv != SECSuccess)
+	return NULL;
+
+    rv = SECITEM_CopyItem(arena, &result->serialNumber, &cert->serialNumber);
+    if (rv != SECSuccess)
+	return NULL;
+
+    return result;
+}
+
+char *
+CERT_MakeCANickname(CERTCertificate *cert)
+{
+    char *firstname = NULL;
+    char *org = NULL;
+    char *nickname = NULL;
+    int count;
+    CERTCertificate *dummycert;
+    CERTCertDBHandle *handle;
+    
+    handle = cert->dbhandle;
+    
+    nickname = CERT_GetNickName(cert, handle, cert->arena);
+    if (nickname == NULL) {
+	firstname = CERT_GetCommonName(&cert->subject);
+	if ( firstname == NULL ) {
+	    firstname = CERT_GetOrgUnitName(&cert->subject);
+	}
+
+	org = CERT_GetOrgName(&cert->issuer);
+	if (org == NULL) {
+	    org = CERT_GetDomainComponentName(&cert->issuer);
+	    if (org == NULL) {
+		if (firstname) {
+		    org = firstname;
+		    firstname = NULL;
+		} else {
+		    org = PORT_Strdup("Unknown CA");
+		}
+	    }
+	}
+
+	/* can only fail if PORT_Strdup fails, in which case
+	 * we're having memory problems. */
+	if (org == NULL) {
+	    goto loser;
+	}
+
+    
+	count = 1;
+	while ( 1 ) {
+
+	    if ( firstname ) {
+		if ( count == 1 ) {
+		    nickname = PR_smprintf("%s - %s", firstname, org);
+		} else {
+		    nickname = PR_smprintf("%s - %s #%d", firstname, org, count);
+		}
+	    } else {
+		if ( count == 1 ) {
+		    nickname = PR_smprintf("%s", org);
+		} else {
+		    nickname = PR_smprintf("%s #%d", org, count);
+		}
+	    }
+	    if ( nickname == NULL ) {
+		goto loser;
+	    }
+
+	    /* look up the nickname to make sure it isn't in use already */
+	    dummycert = CERT_FindCertByNickname(handle, nickname);
+
+	    if ( dummycert == NULL ) {
+		goto done;
+	    }
+	
+	    /* found a cert, destroy it and loop */
+	    CERT_DestroyCertificate(dummycert);
+
+	    /* free the nickname */
+	    PORT_Free(nickname);
+
+	    count++;
+	}
+    }
+loser:
+    if ( nickname ) {
+	PORT_Free(nickname);
+    }
+
+    nickname = "";
+    
+done:
+    if ( firstname ) {
+	PORT_Free(firstname);
+    }
+    if ( org ) {
+	PORT_Free(org);
+    }
+    
+    return(nickname);
+}
+
+/* CERT_Import_CAChain moved to certhigh.c */
+
+void
+CERT_DestroyCrl (CERTSignedCrl *crl)
+{
+    SEC_DestroyCrl (crl);
+}
+
+
+
+/*
+ * Does a cert belong to a CA?  We decide based on perm database trust
+ * flags, Netscape Cert Type Extension, and KeyUsage Extension.
+ */
+PRBool
+CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype)
+{
+    CERTCertTrust *trust;
+    SECStatus rv;
+    unsigned int type;
+    PRBool ret;
+
+    ret = PR_FALSE;
+    type = 0;
+    
+    if ( cert->trust && (cert->trust->sslFlags|cert->trust->emailFlags|
+				cert->trust->objectSigningFlags)) {
+	trust = cert->trust;
+	if ( ( ( trust->sslFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) ||
+	   ( ( trust->sslFlags & CERTDB_TRUSTED_CA ) == CERTDB_TRUSTED_CA ) ) {
+	    ret = PR_TRUE;
+	    type |= NS_CERT_TYPE_SSL_CA;
+	}
+	
+	if ( ( ( trust->emailFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) ||
+	  ( ( trust->emailFlags & CERTDB_TRUSTED_CA ) == CERTDB_TRUSTED_CA ) ) {
+	    ret = PR_TRUE;
+	    type |= NS_CERT_TYPE_EMAIL_CA;
+	}
+	
+	if ( ( ( trust->objectSigningFlags & CERTDB_VALID_CA ) 
+						== CERTDB_VALID_CA ) ||
+          ( ( trust->objectSigningFlags & CERTDB_TRUSTED_CA ) 
+						== CERTDB_TRUSTED_CA ) ) {
+	    ret = PR_TRUE;
+	    type |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
+	}
+    } else {
+	if ( cert->nsCertType &
+	    ( NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |
+	     NS_CERT_TYPE_OBJECT_SIGNING_CA ) ) {
+	    ret = PR_TRUE;
+	    type = (cert->nsCertType & NS_CERT_TYPE_CA);
+	} else {
+	    CERTBasicConstraints constraints;
+	    rv = CERT_FindBasicConstraintExten(cert, &constraints);
+	    if ( rv == SECSuccess ) {
+		if ( constraints.isCA ) {
+		    ret = PR_TRUE;
+		    type = (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
+		}
+	    } 
+	} 
+
+	/* finally check if it's a FORTEZZA V1 CA */
+	if (ret == PR_FALSE) {
+	    if (fortezzaIsCA(cert)) {
+		ret = PR_TRUE;
+		type = (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
+	    }
+	}
+    }
+    if ( rettype != NULL ) {
+	*rettype = type;
+    }
+    
+    return(ret);
+}
+
+PRBool
+CERT_IsCADERCert(SECItem *derCert, unsigned int *type) {
+    CERTCertificate *cert;
+    PRBool isCA;
+
+    cert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
+    if (cert == NULL) return PR_FALSE;
+
+    isCA = CERT_IsCACert(cert,type);
+    CERT_DestroyCertificate (cert);
+    return isCA;
+}
+
+
+/*
+ * is certa newer than certb?  If one is expired, pick the other one.
+ */
+PRBool
+CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb)
+{
+    PRTime notBeforeA, notAfterA, notBeforeB, notAfterB, now;
+    SECStatus rv;
+    PRBool newerbefore, newerafter;
+    
+    rv = CERT_GetCertTimes(certa, &notBeforeA, &notAfterA);
+    if ( rv != SECSuccess ) {
+	return(PR_FALSE);
+    }
+    
+    rv = CERT_GetCertTimes(certb, &notBeforeB, &notAfterB);
+    if ( rv != SECSuccess ) {
+	return(PR_TRUE);
+    }
+
+    newerbefore = PR_FALSE;
+    if ( LL_CMP(notBeforeA, >, notBeforeB) ) {
+	newerbefore = PR_TRUE;
+    }
+
+    newerafter = PR_FALSE;
+    if ( LL_CMP(notAfterA, >, notAfterB) ) {
+	newerafter = PR_TRUE;
+    }
+    
+    if ( newerbefore && newerafter ) {
+	return(PR_TRUE);
+    }
+    
+    if ( ( !newerbefore ) && ( !newerafter ) ) {
+	return(PR_FALSE);
+    }
+
+    /* get current UTC time */
+    now = PR_Now();
+
+    if ( newerbefore ) {
+	/* cert A was issued after cert B, but expires sooner */
+	/* if A is expired, then pick B */
+	if ( LL_CMP(notAfterA, <, now ) ) {
+	    return(PR_FALSE);
+	}
+	return(PR_TRUE);
+    } else {
+	/* cert B was issued after cert A, but expires sooner */
+	/* if B is expired, then pick A */
+	if ( LL_CMP(notAfterB, <, now ) ) {
+	    return(PR_TRUE);
+	}
+	return(PR_FALSE);
+    }
+}
+
+void
+CERT_DestroyCertArray(CERTCertificate **certs, unsigned int ncerts)
+{
+    unsigned int i;
+    
+    if ( certs ) {
+	for ( i = 0; i < ncerts; i++ ) {
+	    if ( certs[i] ) {
+		CERT_DestroyCertificate(certs[i]);
+	    }
+	}
+
+	PORT_Free(certs);
+    }
+    
+    return;
+}
+
+char *
+CERT_FixupEmailAddr(char *emailAddr)
+{
+    char *retaddr;
+    char *str;
+
+    if ( emailAddr == NULL ) {
+	return(NULL);
+    }
+    
+    /* copy the string */
+    str = retaddr = PORT_Strdup(emailAddr);
+    if ( str == NULL ) {
+	return(NULL);
+    }
+    
+    /* make it lower case */
+    while ( *str ) {
+	*str = tolower( *str );
+	str++;
+    }
+    
+    return(retaddr);
+}
+
+/*
+ * NOTE - don't allow encode of govt-approved or invisible bits
+ */
+SECStatus
+CERT_DecodeTrustString(CERTCertTrust *trust, char *trusts)
+{
+    int i;
+    unsigned int *pflags;
+    
+    trust->sslFlags = 0;
+    trust->emailFlags = 0;
+    trust->objectSigningFlags = 0;
+
+    pflags = &trust->sslFlags;
+    
+    for (i=0; i < PORT_Strlen(trusts); i++) {
+	switch (trusts[i]) {
+	  case 'p':
+	      *pflags = *pflags | CERTDB_VALID_PEER;
+	      break;
+
+	  case 'P':
+	      *pflags = *pflags | CERTDB_TRUSTED | CERTDB_VALID_PEER;
+	      break;
+
+	  case 'w':
+	      *pflags = *pflags | CERTDB_SEND_WARN;
+	      break;
+
+	  case 'c':
+	      *pflags = *pflags | CERTDB_VALID_CA;
+	      break;
+
+	  case 'T':
+	      *pflags = *pflags | CERTDB_TRUSTED_CLIENT_CA | CERTDB_VALID_CA;
+	      break;
+
+	  case 'C' :
+	      *pflags = *pflags | CERTDB_TRUSTED_CA | CERTDB_VALID_CA;
+	      break;
+
+	  case 'u':
+	      *pflags = *pflags | CERTDB_USER;
+	      break;
+
+#ifdef DEBUG_NSSTEAM_ONLY
+	  case 'i':
+	      *pflags = *pflags | CERTDB_INVISIBLE_CA;
+	      break;
+	  case 'g':
+	      *pflags = *pflags | CERTDB_GOVT_APPROVED_CA;
+	      break;
+#endif /* DEBUG_NSSTEAM_ONLY */
+
+	  case ',':
+	      if ( pflags == &trust->sslFlags ) {
+		  pflags = &trust->emailFlags;
+	      } else {
+		  pflags = &trust->objectSigningFlags;
+	      }
+	      break;
+	  default:
+	      return SECFailure;
+	}
+    }
+
+    return SECSuccess;
+}
+
+static void
+EncodeFlags(char *trusts, unsigned int flags)
+{
+    if (flags & CERTDB_VALID_CA)
+	if (!(flags & CERTDB_TRUSTED_CA) &&
+	    !(flags & CERTDB_TRUSTED_CLIENT_CA))
+	    PORT_Strcat(trusts, "c");
+    if (flags & CERTDB_VALID_PEER)
+	if (!(flags & CERTDB_TRUSTED))
+	    PORT_Strcat(trusts, "p");
+    if (flags & CERTDB_TRUSTED_CA)
+	PORT_Strcat(trusts, "C");
+    if (flags & CERTDB_TRUSTED_CLIENT_CA)
+	PORT_Strcat(trusts, "T");
+    if (flags & CERTDB_TRUSTED)
+	PORT_Strcat(trusts, "P");
+    if (flags & CERTDB_USER)
+	PORT_Strcat(trusts, "u");
+    if (flags & CERTDB_SEND_WARN)
+	PORT_Strcat(trusts, "w");
+    if (flags & CERTDB_INVISIBLE_CA)
+	PORT_Strcat(trusts, "I");
+    if (flags & CERTDB_GOVT_APPROVED_CA)
+	PORT_Strcat(trusts, "G");
+    return;
+}
+
+char *
+CERT_EncodeTrustString(CERTCertTrust *trust)
+{
+    char tmpTrustSSL[32];
+    char tmpTrustEmail[32];
+    char tmpTrustSigning[32];
+    char *retstr = NULL;
+
+    if ( trust ) {
+	tmpTrustSSL[0] = '\0';
+	tmpTrustEmail[0] = '\0';
+	tmpTrustSigning[0] = '\0';
+    
+	EncodeFlags(tmpTrustSSL, trust->sslFlags);
+	EncodeFlags(tmpTrustEmail, trust->emailFlags);
+	EncodeFlags(tmpTrustSigning, trust->objectSigningFlags);
+    
+	retstr = PR_smprintf("%s,%s,%s", tmpTrustSSL, tmpTrustEmail,
+			     tmpTrustSigning);
+    }
+    
+    return(retstr);
+}
+
+/* in 3.4, this will only set trust */
+SECStatus
+CERT_SaveImportedCert(CERTCertificate *cert, SECCertUsage usage,
+		      PRBool caOnly, char *nickname)
+{
+    SECStatus rv;
+    PRBool saveit;
+    CERTCertTrust trust;
+    PRBool isCA;
+    unsigned int certtype;
+    
+    isCA = CERT_IsCACert(cert, NULL);
+    if ( caOnly && ( !isCA ) ) {
+	return(SECSuccess);
+    }
+    /* In NSS 3.4, certs are given zero trust upon import.  However, this
+    * function needs to set up default CA trust (CERTDB_VALID_CA), or
+    * PKCS#12 imported certs will not show up correctly.  In the case of a
+    * CA cert with zero trust, continue with this function.  But if the cert
+    * does already have some trust bits, exit and do not change them.
+    */
+    if (isCA && cert->trust && 
+        (cert->trust->sslFlags |
+         cert->trust->emailFlags |
+         cert->trust->objectSigningFlags)) {
+	return(SECSuccess);
+    }
+
+    saveit = PR_TRUE;
+    
+    PORT_Memset((void *)&trust, 0, sizeof(trust));
+
+    certtype = cert->nsCertType;
+
+    /* if no CA bits in cert type, then set all CA bits */
+    if ( isCA && ( ! ( certtype & NS_CERT_TYPE_CA ) ) ) {
+	certtype |= NS_CERT_TYPE_CA;
+    }
+
+    /* if no app bits in cert type, then set all app bits */
+    if ( ( !isCA ) && ( ! ( certtype & NS_CERT_TYPE_APP ) ) ) {
+	certtype |= NS_CERT_TYPE_APP;
+    }
+
+    switch ( usage ) {
+      case certUsageEmailSigner:
+      case certUsageEmailRecipient:
+	if ( isCA ) {
+	    if ( certtype & NS_CERT_TYPE_EMAIL_CA ) {
+		trust.emailFlags = CERTDB_VALID_CA;
+	    }
+	} else {
+	    if ( cert->emailAddr == NULL ) {
+		saveit = PR_FALSE;
+	    }
+	    
+	    if ( certtype & NS_CERT_TYPE_EMAIL ) {
+		trust.emailFlags = CERTDB_VALID_PEER;
+		if ( ! ( cert->rawKeyUsage & KU_KEY_ENCIPHERMENT ) ) {
+		    /* don't save it if KeyEncipherment is not allowed */
+		    saveit = PR_FALSE;
+		}
+	    }
+	}
+	break;
+      case certUsageUserCertImport:
+	if ( isCA ) {
+	    if ( certtype & NS_CERT_TYPE_SSL_CA ) {
+		trust.sslFlags = CERTDB_VALID_CA;
+	    }
+	    
+	    if ( certtype & NS_CERT_TYPE_EMAIL_CA ) {
+		trust.emailFlags = CERTDB_VALID_CA;
+	    }
+	    
+	    if ( certtype & NS_CERT_TYPE_OBJECT_SIGNING_CA ) {
+		trust.objectSigningFlags = CERTDB_VALID_CA;
+	    }
+	    
+	} else {
+	    if ( certtype & NS_CERT_TYPE_SSL_CLIENT ) {
+		trust.sslFlags = CERTDB_VALID_PEER;
+	    }
+	    
+	    if ( certtype & NS_CERT_TYPE_EMAIL ) {
+		trust.emailFlags = CERTDB_VALID_PEER;
+	    }
+	    
+	    if ( certtype & NS_CERT_TYPE_OBJECT_SIGNING ) {
+		trust.objectSigningFlags = CERTDB_VALID_PEER;
+	    }
+	}
+	break;
+      case certUsageAnyCA:
+	trust.sslFlags = CERTDB_VALID_CA;
+	break;
+      case certUsageSSLCA:
+	trust.sslFlags = CERTDB_VALID_CA | 
+			CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA;
+	break;
+      default:	/* XXX added to quiet warnings; no other cases needed? */
+	break;
+    }
+
+    if ( saveit ) {
+	rv = CERT_ChangeCertTrust(cert->dbhandle, cert, &trust);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+    }
+
+    rv = SECSuccess;
+    goto done;
+
+loser:
+    rv = SECFailure;
+done:
+    return(rv);
+}
+
+SECStatus
+CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
+		 unsigned int ncerts, SECItem **derCerts,
+		 CERTCertificate ***retCerts, PRBool keepCerts,
+		 PRBool caOnly, char *nickname)
+{
+    int i;
+    CERTCertificate **certs = NULL;
+    SECStatus rv;
+    int fcerts = 0;
+
+    if ( ncerts ) {
+	certs = (CERTCertificate**)PORT_ZAlloc(sizeof(CERTCertificate *) * ncerts );
+	if ( certs == NULL ) {
+	    return(SECFailure);
+	}
+    
+	/* decode all of the certs into the temporary DB */
+	for ( i = 0, fcerts= 0; i < ncerts; i++) {
+	    certs[fcerts] = CERT_DecodeDERCertificate(derCerts[i], PR_FALSE,
+						NULL);
+	    if (certs[fcerts]) fcerts++;
+	}
+
+	if ( keepCerts ) {
+	    for ( i = 0; i < fcerts; i++ ) {
+		SECKEY_UpdateCertPQG(certs[i]);
+		if(CERT_IsCACert(certs[i], NULL) && (fcerts > 1)) {
+		    /* if we are importing only a single cert and specifying
+		     * a nickname, we want to use that nickname if it a CA,
+		     * otherwise if there are more than one cert, we don't
+		     * know which cert it belongs to.
+		     */
+		    rv = PK11_ImportCert(PK11_GetInternalKeySlot(),certs[i],
+				CK_INVALID_HANDLE,NULL,PR_TRUE);
+		} else {
+		    rv = PK11_ImportCert(PK11_GetInternalKeySlot(),certs[i],
+				CK_INVALID_HANDLE,nickname,PR_TRUE);
+		}
+		if (rv == SECSuccess) {
+		    CERT_SaveImportedCert(certs[i], usage, caOnly, NULL);
+		}
+		/* don't care if it fails - keep going */
+	    }
+	}
+    }
+
+    if ( retCerts ) {
+	*retCerts = certs;
+    } else {
+	if (certs) {
+	    CERT_DestroyCertArray(certs, fcerts);
+	}
+    }
+
+    return(SECSuccess);
+    
+#if 0	/* dead code here - why ?? XXX */
+loser:
+    if ( retCerts ) {
+	*retCerts = NULL;
+    }
+    if ( certs ) {
+	CERT_DestroyCertArray(certs, ncerts);
+    }    
+    return(SECFailure);
+#endif
+}
+
+/*
+ * a real list of certificates - need to convert CERTCertificateList
+ * stuff and ASN 1 encoder/decoder over to using this...
+ */
+CERTCertList *
+CERT_NewCertList(void)
+{
+    PRArenaPool *arena = NULL;
+    CERTCertList *ret = NULL;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	goto loser;
+    }
+    
+    ret = (CERTCertList *)PORT_ArenaZAlloc(arena, sizeof(CERTCertList));
+    if ( ret == NULL ) {
+	goto loser;
+    }
+    
+    ret->arena = arena;
+    
+    PR_INIT_CLIST(&ret->list);
+    
+    return(ret);
+
+loser:
+    if ( arena != NULL ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+void
+CERT_DestroyCertList(CERTCertList *certs)
+{
+    PRCList *node;
+
+    while( !PR_CLIST_IS_EMPTY(&certs->list) ) {
+	node = PR_LIST_HEAD(&certs->list);
+	CERT_DestroyCertificate(((CERTCertListNode *)node)->cert);
+	PR_REMOVE_LINK(node);
+    }
+    
+    PORT_FreeArena(certs->arena, PR_FALSE);
+    
+    return;
+}
+
+void
+CERT_RemoveCertListNode(CERTCertListNode *node)
+{
+    CERT_DestroyCertificate(node->cert);
+    PR_REMOVE_LINK(&node->links);
+    return;
+}
+
+
+SECStatus
+CERT_AddCertToListTailWithData(CERTCertList *certs, 
+				CERTCertificate *cert, void *appData)
+{
+    CERTCertListNode *node;
+    
+    node = (CERTCertListNode *)PORT_ArenaZAlloc(certs->arena,
+						sizeof(CERTCertListNode));
+    if ( node == NULL ) {
+	goto loser;
+    }
+    
+    PR_INSERT_BEFORE(&node->links, &certs->list);
+    /* certs->count++; */
+    node->cert = cert;
+    node->appData = appData;
+    return(SECSuccess);
+    
+loser:
+    return(SECFailure);
+}
+
+SECStatus
+CERT_AddCertToListTail(CERTCertList *certs, CERTCertificate *cert)
+{
+    return CERT_AddCertToListTailWithData(certs, cert, NULL);
+}
+
+SECStatus
+CERT_AddCertToListHeadWithData(CERTCertList *certs, 
+					CERTCertificate *cert, void *appData)
+{
+    CERTCertListNode *node;
+    CERTCertListNode *head;
+    
+    head = CERT_LIST_HEAD(certs);
+
+    if (head == NULL) return CERT_AddCertToListTail(certs,cert);
+
+    node = (CERTCertListNode *)PORT_ArenaZAlloc(certs->arena,
+						sizeof(CERTCertListNode));
+    if ( node == NULL ) {
+	goto loser;
+    }
+    
+    PR_INSERT_BEFORE(&node->links, &head->links);
+    /* certs->count++; */
+    node->cert = cert;
+    node->appData = appData;
+    return(SECSuccess);
+    
+loser:
+    return(SECFailure);
+}
+
+SECStatus
+CERT_AddCertToListHead(CERTCertList *certs, CERTCertificate *cert)
+{
+    return CERT_AddCertToListHeadWithData(certs, cert, NULL);
+}
+
+/*
+ * Sort callback function to determine if cert a is newer than cert b.
+ * Not valid certs are considered older than valid certs.
+ */
+PRBool
+CERT_SortCBValidity(CERTCertificate *certa,
+		    CERTCertificate *certb,
+		    void *arg)
+{
+    PRTime sorttime;
+    PRTime notBeforeA, notAfterA, notBeforeB, notAfterB;
+    SECStatus rv;
+    PRBool newerbefore, newerafter;
+    PRBool aNotValid = PR_FALSE, bNotValid = PR_FALSE;
+
+    sorttime = *(PRTime *)arg;
+    
+    rv = CERT_GetCertTimes(certa, &notBeforeA, &notAfterA);
+    if ( rv != SECSuccess ) {
+	return(PR_FALSE);
+    }
+    
+    rv = CERT_GetCertTimes(certb, &notBeforeB, &notAfterB);
+    if ( rv != SECSuccess ) {
+	return(PR_TRUE);
+    }
+    newerbefore = PR_FALSE;
+    if ( LL_CMP(notBeforeA, >, notBeforeB) ) {
+	newerbefore = PR_TRUE;
+    }
+    newerafter = PR_FALSE;
+    if ( LL_CMP(notAfterA, >, notAfterB) ) {
+	newerafter = PR_TRUE;
+    }
+
+    /* check if A is valid at sorttime */
+    if ( CERT_CheckCertValidTimes(certa, sorttime, PR_FALSE)
+	!= secCertTimeValid ) {
+	aNotValid = PR_TRUE;
+    }
+
+    /* check if B is valid at sorttime */
+    if ( CERT_CheckCertValidTimes(certb, sorttime, PR_FALSE)
+	!= secCertTimeValid ) {
+	bNotValid = PR_TRUE;
+    }
+
+    /* a is valid, b is not */
+    if ( bNotValid && ( ! aNotValid ) ) {
+	return(PR_TRUE);
+    }
+
+    /* b is valid, a is not */
+    if ( aNotValid && ( ! bNotValid ) ) {
+	return(PR_FALSE);
+    }
+    
+    /* a and b are either valid or not valid */
+    if ( newerbefore && newerafter ) {
+	return(PR_TRUE);
+    }
+    
+    if ( ( !newerbefore ) && ( !newerafter ) ) {
+	return(PR_FALSE);
+    }
+
+    if ( newerbefore ) {
+	/* cert A was issued after cert B, but expires sooner */
+	return(PR_TRUE);
+    } else {
+	/* cert B was issued after cert A, but expires sooner */
+	return(PR_FALSE);
+    }
+}
+
+
+SECStatus
+CERT_AddCertToListSorted(CERTCertList *certs,
+			 CERTCertificate *cert,
+			 CERTSortCallback f,
+			 void *arg)
+{
+    CERTCertListNode *node;
+    CERTCertListNode *head;
+    PRBool ret;
+    
+    node = (CERTCertListNode *)PORT_ArenaZAlloc(certs->arena,
+						sizeof(CERTCertListNode));
+    if ( node == NULL ) {
+	goto loser;
+    }
+    
+    head = CERT_LIST_HEAD(certs);
+    
+    while ( !CERT_LIST_END(head, certs) ) {
+
+	/* if cert is already in the list, then don't add it again */
+	if ( cert == head->cert ) {
+	    /*XXX*/
+	    /* don't keep a reference */
+	    CERT_DestroyCertificate(cert);
+	    goto done;
+	}
+	
+	ret = (* f)(cert, head->cert, arg);
+	/* if sort function succeeds, then insert before current node */
+	if ( ret ) {
+	    PR_INSERT_BEFORE(&node->links, &head->links);
+	    goto done;
+	}
+
+	head = CERT_LIST_NEXT(head);
+    }
+    /* if we get to the end, then just insert it at the tail */
+    PR_INSERT_BEFORE(&node->links, &certs->list);
+
+done:    
+    /* certs->count++; */
+    node->cert = cert;
+    return(SECSuccess);
+    
+loser:
+    return(SECFailure);
+}
+
+/* This routine is here because pcertdb.c still has a call to it.
+ * The SMIME profile code in pcertdb.c should be split into high (find
+ * the email cert) and low (store the profile) code.  At that point, we
+ * can move this to certhigh.c where it belongs.
+ *
+ * remove certs from a list that don't have keyUsage and certType
+ * that match the given usage.
+ */
+SECStatus
+CERT_FilterCertListByUsage(CERTCertList *certList, SECCertUsage usage,
+			   PRBool ca)
+{
+    unsigned int requiredKeyUsage;
+    unsigned int requiredCertType;
+    CERTCertListNode *node, *savenode;
+    PRBool bad;
+    SECStatus rv;
+    unsigned int certType;
+    PRBool dummyret;
+    
+    if (certList == NULL) goto loser;
+
+    rv = CERT_KeyUsageAndTypeForCertUsage(usage, ca, &requiredKeyUsage,
+					  &requiredCertType);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    node = CERT_LIST_HEAD(certList);
+	
+    while ( !CERT_LIST_END(node, certList) ) {
+
+	bad = PR_FALSE;
+
+	/* bad key usage */
+	if ( CERT_CheckKeyUsage(node->cert, requiredKeyUsage )
+	    != SECSuccess ) {
+	    bad = PR_TRUE;
+	}
+	/* bad cert type */
+	if ( ca ) {
+	    /* This function returns a more comprehensive cert type that
+	     * takes trust flags into consideration.  Should probably
+	     * fix the cert decoding code to do this.
+	     */
+	    dummyret = CERT_IsCACert(node->cert, &certType);
+	} else {
+	    certType = node->cert->nsCertType;
+	}
+	
+	if ( ! ( certType & requiredCertType ) ) {
+	    bad = PR_TRUE;
+	}
+
+	if ( bad ) {
+	    /* remove the node if it is bad */
+	    savenode = CERT_LIST_NEXT(node);
+	    CERT_RemoveCertListNode(node);
+	    node = savenode;
+	} else {
+	    node = CERT_LIST_NEXT(node);
+	}
+    }
+    return(SECSuccess);
+    
+loser:
+    return(SECFailure);
+}
+
+static PZLock *certRefCountLock = NULL;
+
+/*
+ * Acquire the cert reference count lock
+ * There is currently one global lock for all certs, but I'm putting a cert
+ * arg here so that it will be easy to make it per-cert in the future if
+ * that turns out to be necessary.
+ */
+void
+CERT_LockCertRefCount(CERTCertificate *cert)
+{
+    if ( certRefCountLock == NULL ) {
+	nss_InitLock(&certRefCountLock, nssILockRefLock);
+	PORT_Assert(certRefCountLock != NULL);
+    }
+    
+    PZ_Lock(certRefCountLock);
+    return;
+}
+
+/*
+ * Free the cert reference count lock
+ */
+void
+CERT_UnlockCertRefCount(CERTCertificate *cert)
+{
+    PRStatus prstat;
+
+    PORT_Assert(certRefCountLock != NULL);
+    
+    prstat = PZ_Unlock(certRefCountLock);
+    
+    PORT_Assert(prstat == PR_SUCCESS);
+
+    return;
+}
+
+static PZLock *certTrustLock = NULL;
+
+/*
+ * Acquire the cert trust lock
+ * There is currently one global lock for all certs, but I'm putting a cert
+ * arg here so that it will be easy to make it per-cert in the future if
+ * that turns out to be necessary.
+ */
+void
+CERT_LockCertTrust(CERTCertificate *cert)
+{
+    if ( certTrustLock == NULL ) {
+	nss_InitLock(&certTrustLock, nssILockCertDB);
+	PORT_Assert(certTrustLock != NULL);
+    }
+    
+    PZ_Lock(certTrustLock);
+    return;
+}
+
+/*
+ * Free the cert trust lock
+ */
+void
+CERT_UnlockCertTrust(CERTCertificate *cert)
+{
+    PRStatus prstat;
+
+    PORT_Assert(certTrustLock != NULL);
+    
+    prstat = PZ_Unlock(certTrustLock);
+    
+    PORT_Assert(prstat == PR_SUCCESS);
+
+    return;
+}
+
+
+/*
+ * Get the StatusConfig data for this handle
+ */
+CERTStatusConfig *
+CERT_GetStatusConfig(CERTCertDBHandle *handle)
+{
+  return handle->statusConfig;
+}
+
+/*
+ * Set the StatusConfig data for this handle.  There
+ * should not be another configuration set.
+ */
+void
+CERT_SetStatusConfig(CERTCertDBHandle *handle, CERTStatusConfig *statusConfig)
+{
+  PORT_Assert(handle->statusConfig == NULL);
+  handle->statusConfig = statusConfig;
+}
diff --git a/security/nss/lib/certdb/certdb.h b/security/nss/lib/certdb/certdb.h
new file mode 100644
index 000000000..7340961c2
--- /dev/null
+++ b/security/nss/lib/certdb/certdb.h
@@ -0,0 +1,159 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _CERTDB_H_
+#define _CERTDB_H_
+
+
+/* common flags for all types of certificates */
+#define CERTDB_VALID_PEER	(1<<0)
+#define CERTDB_TRUSTED		(1<<1)
+#define CERTDB_SEND_WARN	(1<<2)
+#define CERTDB_VALID_CA		(1<<3)
+#define CERTDB_TRUSTED_CA	(1<<4) /* trusted for issuing server certs */
+#define CERTDB_NS_TRUSTED_CA	(1<<5)
+#define CERTDB_USER		(1<<6)
+#define CERTDB_TRUSTED_CLIENT_CA (1<<7) /* trusted for issuing client certs */
+#define CERTDB_INVISIBLE_CA	(1<<8) /* don't show in UI */
+#define CERTDB_GOVT_APPROVED_CA	(1<<9) /* can do strong crypto in export ver */
+
+
+SEC_BEGIN_PROTOS
+
+CERTSignedCrl *
+SEC_FindCrlByKey(CERTCertDBHandle *handle, SECItem *crlKey, int type);
+
+CERTSignedCrl *
+SEC_FindCrlByName(CERTCertDBHandle *handle, SECItem *crlKey, int type);
+
+CERTSignedCrl *
+SEC_FindCrlByDERCert(CERTCertDBHandle *handle, SECItem *derCrl, int type);
+
+PRBool
+SEC_CertNicknameConflict(char *nickname, SECItem *derSubject,
+			 CERTCertDBHandle *handle);
+CERTSignedCrl *
+SEC_NewCrl(CERTCertDBHandle *handle, char *url, SECItem *derCrl, int type);
+
+SECStatus
+SEC_DeletePermCRL(CERTSignedCrl *crl);
+
+
+SECStatus
+SEC_LookupCrls(CERTCertDBHandle *handle, CERTCrlHeadNode **nodes, int type);
+
+SECStatus 
+SEC_DestroyCrl(CERTSignedCrl *crl);
+
+SECStatus
+CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
+		       CERTCertTrust *trust);
+
+SECStatus SEC_DeletePermCertificate(CERTCertificate *cert);
+
+PRBool
+SEC_CrlIsNewer(CERTCrl *inNew, CERTCrl *old);
+
+SECCertTimeValidity
+SEC_CheckCrlTimes(CERTCrl *crl, PRTime t);
+
+#ifdef notdef
+/*
+** Add a DER encoded certificate to the permanent database.
+**	"derCert" is the DER encoded certificate.
+**	"nickname" is the nickname to use for the cert
+**	"trust" is the trust parameters for the cert
+*/
+SECStatus SEC_AddPermCertificate(PCERTCertDBHandle *handle, SECItem *derCert,
+				char *nickname, PCERTCertTrust *trust);
+
+certDBEntryCert *
+SEC_FindPermCertByKey(PCERTCertDBHandle *handle, SECItem *certKey);
+
+certDBEntryCert
+*SEC_FindPermCertByName(PCERTCertDBHandle *handle, SECItem *name);
+
+SECStatus SEC_OpenPermCertDB(PCERTCertDBHandle *handle,
+			     PRBool readOnly,
+			     PCERTDBNameFunc namecb,
+			     void *cbarg);
+
+
+typedef SECStatus (PR_CALLBACK * PermCertCallback)(PCERTCertificate *cert,
+                                                   SECItem *k, void *pdata);
+/*
+** Traverse the entire permanent database, and pass the certs off to a
+** user supplied function.
+**	"certfunc" is the user function to call for each certificate
+**	"udata" is the user's data, which is passed through to "certfunc"
+*/
+SECStatus
+PCERT_TraversePermCerts(PCERTCertDBHandle *handle,
+		      PermCertCallback certfunc,
+		      void *udata );
+
+SECStatus
+SEC_AddTempNickname(PCERTCertDBHandle *handle, char *nickname, SECItem *certKey);
+
+SECStatus
+SEC_DeleteTempNickname(PCERTCertDBHandle *handle, char *nickname);
+
+
+PRBool
+SEC_CertDBKeyConflict(SECItem *derCert, PCERTCertDBHandle *handle);
+
+SECStatus
+SEC_GetCrlTimes(PCERTCrl *dates, PRTime *notBefore, PRTime *notAfter);
+
+PCERTSignedCrl *
+SEC_AddPermCrlToTemp(PCERTCertDBHandle *handle, certDBEntryRevocation *entry);
+
+SECStatus
+SEC_DeleteTempCrl(PCERTSignedCrl *crl);
+
+
+SECStatus
+SEC_CheckKRL(PCERTCertDBHandle *handle,SECKEYLowPublicKey *key,
+	     PCERTCertificate *rootCert, int64 t, void *wincx);
+
+SECStatus
+SEC_CheckCRL(PCERTCertDBHandle *handle,PCERTCertificate *cert,
+	     PCERTCertificate *caCert, int64 t, void *wincx);
+
+SECStatus
+SEC_CrlReplaceUrl(PCERTSignedCrl *crl,char *url);
+#endif
+
+SEC_END_PROTOS
+
+#endif /* _CERTDB_H_ */
diff --git a/security/nss/lib/certdb/certt.h b/security/nss/lib/certdb/certt.h
new file mode 100644
index 000000000..1c5298383
--- /dev/null
+++ b/security/nss/lib/certdb/certt.h
@@ -0,0 +1,829 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * certt.h - public data structures for the certificate library
+ *
+ * $Id$
+ */
+#ifndef _CERTT_H_
+#define _CERTT_H_
+
+#include "prclist.h"
+#include "pkcs11t.h"
+#include "seccomon.h"
+#include "secmodt.h"
+#include "secoidt.h"
+#include "plarena.h"
+#include "prcvar.h"
+#include "nssilock.h"
+#include "prio.h"
+#include "prmon.h"
+
+/* Stan data types */
+struct NSSCertificateStr;
+struct NSSTrustDomainStr;
+
+/* Non-opaque objects */
+typedef struct CERTAVAStr                        CERTAVA;
+typedef struct CERTAttributeStr                  CERTAttribute;
+typedef struct CERTAuthInfoAccessStr             CERTAuthInfoAccess;
+typedef struct CERTAuthKeyIDStr                  CERTAuthKeyID;
+typedef struct CERTBasicConstraintsStr           CERTBasicConstraints;
+#ifdef NSS_CLASSIC
+typedef struct CERTCertDBHandleStr               CERTCertDBHandle;
+#else
+typedef struct NSSTrustDomainStr                 CERTCertDBHandle;
+#endif
+typedef struct CERTCertExtensionStr              CERTCertExtension;
+typedef struct CERTCertKeyStr                    CERTCertKey;
+typedef struct CERTCertListStr                   CERTCertList;
+typedef struct CERTCertListNodeStr               CERTCertListNode;
+typedef struct CERTCertNicknamesStr              CERTCertNicknames;
+typedef struct CERTCertTrustStr                  CERTCertTrust;
+typedef struct CERTCertificateStr                CERTCertificate;
+typedef struct CERTCertificateListStr            CERTCertificateList;
+typedef struct CERTCertificateRequestStr         CERTCertificateRequest;
+typedef struct CERTCrlStr                        CERTCrl;
+typedef struct CERTCrlDistributionPointsStr      CERTCrlDistributionPoints; 
+typedef struct CERTCrlEntryStr                   CERTCrlEntry;
+typedef struct CERTCrlHeadNodeStr                CERTCrlHeadNode;
+typedef struct CERTCrlKeyStr                     CERTCrlKey;
+typedef struct CERTCrlNodeStr                    CERTCrlNode;
+typedef struct CERTDERCertsStr                   CERTDERCerts;
+typedef struct CERTDistNamesStr                  CERTDistNames;
+typedef struct CERTGeneralNameStr                CERTGeneralName;
+typedef struct CERTGeneralNameListStr            CERTGeneralNameList;
+typedef struct CERTIssuerAndSNStr                CERTIssuerAndSN;
+typedef struct CERTNameStr                       CERTName;
+typedef struct CERTNameConstraintStr             CERTNameConstraint;
+typedef struct CERTNameConstraintsStr            CERTNameConstraints;
+typedef struct CERTOKDomainNameStr               CERTOKDomainName;
+typedef struct CERTPublicKeyAndChallengeStr      CERTPublicKeyAndChallenge;
+typedef struct CERTRDNStr                        CERTRDN;
+typedef struct CERTSignedCrlStr                  CERTSignedCrl;
+typedef struct CERTSignedDataStr                 CERTSignedData;
+typedef struct CERTStatusConfigStr               CERTStatusConfig;
+typedef struct CERTSubjectListStr                CERTSubjectList;
+typedef struct CERTSubjectNodeStr                CERTSubjectNode;
+typedef struct CERTSubjectPublicKeyInfoStr       CERTSubjectPublicKeyInfo;
+typedef struct CERTValidityStr                   CERTValidity;
+typedef struct CERTVerifyLogStr                  CERTVerifyLog;
+typedef struct CERTVerifyLogNodeStr              CERTVerifyLogNode;
+typedef struct CRLDistributionPointStr           CRLDistributionPoint;
+
+/* CRL extensions type */
+typedef unsigned long CERTCrlNumber;
+
+/*
+** An X.500 AVA object
+*/
+struct CERTAVAStr {
+    SECItem type;
+    SECItem value;
+};
+
+/*
+** An X.500 RDN object
+*/
+struct CERTRDNStr {
+    CERTAVA **avas;
+};
+
+/*
+** An X.500 name object
+*/
+struct CERTNameStr {
+    PRArenaPool *arena;
+    CERTRDN **rdns;
+};
+
+/*
+** An X.509 validity object
+*/
+struct CERTValidityStr {
+    PRArenaPool *arena;
+    SECItem notBefore;
+    SECItem notAfter;
+};
+
+/*
+ * A serial number and issuer name, which is used as a database key
+ */
+struct CERTCertKeyStr {
+    SECItem serialNumber;
+    SECItem derIssuer;
+};
+
+/*
+** A signed data object. Used to implement the "signed" macro used
+** in the X.500 specs.
+*/
+struct CERTSignedDataStr {
+    SECItem data;
+    SECAlgorithmID signatureAlgorithm;
+    SECItem signature;
+};
+
+/*
+** An X.509 subject-public-key-info object
+*/
+struct CERTSubjectPublicKeyInfoStr {
+    PRArenaPool *arena;
+    SECAlgorithmID algorithm;
+    SECItem subjectPublicKey;
+};
+
+struct CERTPublicKeyAndChallengeStr {
+    SECItem spki;
+    SECItem challenge;
+};
+
+struct CERTCertTrustStr {
+    unsigned int sslFlags;
+    unsigned int emailFlags;
+    unsigned int objectSigningFlags;
+};
+
+/*
+ * defined the types of trust that exist
+ */
+typedef enum {
+    trustSSL = 0,
+    trustEmail = 1,
+    trustObjectSigning = 2,
+    trustTypeNone = 3
+} SECTrustType;
+
+#define SEC_GET_TRUST_FLAGS(trust,type) \
+        (((type)==trustSSL)?((trust)->sslFlags): \
+	 (((type)==trustEmail)?((trust)->emailFlags): \
+	  (((type)==trustObjectSigning)?((trust)->objectSigningFlags):0)))
+
+/*
+** An X.509.3 certificate extension
+*/
+struct CERTCertExtensionStr {
+    SECItem id;
+    SECItem critical;
+    SECItem value;
+};
+
+struct CERTSubjectNodeStr {
+    struct CERTSubjectNodeStr *next;
+    struct CERTSubjectNodeStr *prev;
+    SECItem certKey;
+    SECItem keyID;
+};
+
+struct CERTSubjectListStr {
+    PRArenaPool *arena;
+    int ncerts;
+    char *emailAddr;
+    CERTSubjectNode *head;
+    CERTSubjectNode *tail; /* do we need tail? */
+    void *entry;
+};
+
+/*
+** An X.509 certificate object (the unsigned form)
+*/
+struct CERTCertificateStr {
+    /* the arena is used to allocate any data structures that have the same
+     * lifetime as the cert.  This is all stuff that hangs off of the cert
+     * structure, and is all freed at the same time.  I is used when the
+     * cert is decoded, destroyed, and at some times when it changes
+     * state
+     */
+    PRArenaPool *arena;
+
+    /* The following fields are static after the cert has been decoded */
+    char *subjectName;
+    char *issuerName;
+    CERTSignedData signatureWrap;	/* XXX */
+    SECItem derCert;			/* original DER for the cert */
+    SECItem derIssuer;			/* DER for issuer name */
+    SECItem derSubject;			/* DER for subject name */
+    SECItem derPublicKey;		/* DER for the public key */
+    SECItem certKey;			/* database key for this cert */
+    SECItem version;
+    SECItem serialNumber;
+    SECAlgorithmID signature;
+    CERTName issuer;
+    CERTValidity validity;
+    CERTName subject;
+    CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
+    SECItem issuerID;
+    SECItem subjectID;
+    CERTCertExtension **extensions;
+    char *emailAddr;
+    CERTCertDBHandle *dbhandle;
+    SECItem subjectKeyID;	/* x509v3 subject key identifier */
+    PRBool keyIDGenerated;	/* was the keyid generated? */
+    unsigned int keyUsage;	/* what uses are allowed for this cert */
+    unsigned int rawKeyUsage;	/* value of the key usage extension */
+    PRBool keyUsagePresent;	/* was the key usage extension present */
+    unsigned int nsCertType;	/* value of the ns cert type extension */
+
+    /* these values can be set by the application to bypass certain checks
+     * or to keep the cert in memory for an entire session.
+     * XXX - need an api to set these
+     */
+    PRBool keepSession;			/* keep this cert for entire session*/
+    PRBool timeOK;			/* is the bad validity time ok? */
+    CERTOKDomainName *domainOK;		/* these domain names are ok */
+
+    /*
+     * these values can change when the cert changes state.  These state
+     * changes include transitions from temp to perm or vice-versa, and
+     * changes of trust flags
+     */
+    PRBool isperm;
+    PRBool istemp;
+    char *nickname;
+    char *dbnickname;
+    struct NSSCertificateStr *nssCertificate;	/* This is Stan stuff. */
+    CERTCertTrust *trust;
+
+    /* the reference count is modified whenever someone looks up, dups
+     * or destroys a certificate
+     */
+    int referenceCount;
+
+    /* The subject list is a list of all certs with the same subject name.
+     * It can be modified any time a cert is added or deleted from either
+     * the in-memory(temporary) or on-disk(permanent) database.
+     */
+    CERTSubjectList *subjectList;
+
+    /* these fields are used by client GUI code to keep track of ssl sockets
+     * that are blocked waiting on GUI feedback related to this cert.
+     * XXX - these should be moved into some sort of application specific
+     *       data structure.  They are only used by the browser right now.
+     */
+    struct SECSocketNode *socketlist;
+    int socketcount;
+    struct SECSocketNode *authsocketlist;
+    int authsocketcount;
+
+    /* This is PKCS #11 stuff. */
+    PK11SlotInfo *slot;		/*if this cert came of a token, which is it*/
+    CK_OBJECT_HANDLE pkcs11ID;	/*and which object on that token is it */
+    PRBool ownSlot;		/*true if the cert owns the slot reference */
+};
+#define SEC_CERTIFICATE_VERSION_1		0	/* default created */
+#define SEC_CERTIFICATE_VERSION_2		1	/* v2 */
+#define SEC_CERTIFICATE_VERSION_3		2	/* v3 extensions */
+
+#define SEC_CRL_VERSION_1		0	/* default */
+#define SEC_CRL_VERSION_2		1	/* v2 extensions */
+
+/*
+ * used to identify class of cert in mime stream code
+ */
+#define SEC_CERT_CLASS_CA	1
+#define SEC_CERT_CLASS_SERVER	2
+#define SEC_CERT_CLASS_USER	3
+#define SEC_CERT_CLASS_EMAIL	4
+
+struct CERTDERCertsStr {
+    PRArenaPool *arena;
+    int numcerts;
+    SECItem *rawCerts;
+};
+
+/*
+** A PKCS ? Attribute
+** XXX this is duplicated through out the code, it *should* be moved
+** to a central location.  Where would be appropriate?
+*/
+struct CERTAttributeStr {
+    SECItem attrType;
+    SECItem **attrValue;
+};
+
+/*
+** A PKCS#10 certificate-request object (the unsigned form)
+*/
+struct CERTCertificateRequestStr {
+    PRArenaPool *arena;
+    SECItem version;
+    CERTName subject;
+    CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
+    SECItem **attributes;
+};
+#define SEC_CERTIFICATE_REQUEST_VERSION		0	/* what we *create* */
+
+
+/*
+** A certificate list object.
+*/
+struct CERTCertificateListStr {
+    SECItem *certs;
+    int len;					/* number of certs */
+    PRArenaPool *arena;
+};
+
+struct CERTCertListNodeStr {
+    PRCList links;
+    CERTCertificate *cert;
+    void *appData;
+};
+
+struct CERTCertListStr {
+    PRCList list;
+    PRArenaPool *arena;
+};
+
+#define CERT_LIST_HEAD(l) ((CERTCertListNode *)PR_LIST_HEAD(&l->list))
+#define CERT_LIST_NEXT(n) ((CERTCertListNode *)n->links.next)
+#define CERT_LIST_END(n,l) (((void *)n) == ((void *)&l->list))
+
+struct CERTCrlEntryStr {
+    SECItem serialNumber;
+    SECItem revocationDate;
+    CERTCertExtension **extensions;    
+};
+
+struct CERTCrlStr {
+    PRArenaPool *arena;
+    SECItem version;
+    SECAlgorithmID signatureAlg;
+    SECItem derName;
+    CERTName name;
+    SECItem lastUpdate;
+    SECItem nextUpdate;				/* optional for x.509 CRL  */
+    CERTCrlEntry **entries;
+    CERTCertExtension **extensions;    
+};
+
+struct CERTCrlKeyStr {
+    SECItem derName;
+    SECItem dummy;			/* The decoder can not skip a primitive,
+					   this serves as a place holder for the
+					   decoder to finish its task only
+					*/
+};
+
+struct CERTSignedCrlStr {
+    PRArenaPool *arena;
+    CERTCrl crl;
+    void *reserved1;
+    PRBool reserved2;
+    PRBool isperm;
+    PRBool istemp;
+    int referenceCount;
+    CERTCertDBHandle *dbhandle;
+    CERTSignedData signatureWrap;	/* XXX */
+    char *url;
+    SECItem *derCrl;
+    PK11SlotInfo *slot;
+    CK_OBJECT_HANDLE pkcs11ID;
+};
+
+
+struct CERTCrlHeadNodeStr {
+    PRArenaPool *arena;
+    CERTCertDBHandle *dbhandle;
+    CERTCrlNode *first;
+    CERTCrlNode *last;
+};
+
+
+struct CERTCrlNodeStr {
+    CERTCrlNode *next;
+    int 	type;
+    CERTSignedCrl *crl;
+};
+
+
+/*
+ * Array of X.500 Distinguished Names
+ */
+struct CERTDistNamesStr {
+    PRArenaPool *arena;
+    int nnames;
+    SECItem  *names;
+    void *head; /* private */
+};
+
+
+#define NS_CERT_TYPE_SSL_CLIENT		(0x80)	/* bit 0 */
+#define NS_CERT_TYPE_SSL_SERVER		(0x40)  /* bit 1 */
+#define NS_CERT_TYPE_EMAIL		(0x20)  /* bit 2 */
+#define NS_CERT_TYPE_OBJECT_SIGNING	(0x10)  /* bit 3 */
+#define NS_CERT_TYPE_RESERVED		(0x08)  /* bit 4 */
+#define NS_CERT_TYPE_SSL_CA		(0x04)  /* bit 5 */
+#define NS_CERT_TYPE_EMAIL_CA		(0x02)  /* bit 6 */
+#define NS_CERT_TYPE_OBJECT_SIGNING_CA	(0x01)  /* bit 7 */
+
+#define EXT_KEY_USAGE_TIME_STAMP        (0x8000)
+#define EXT_KEY_USAGE_STATUS_RESPONDER	(0x4000)
+
+#define NS_CERT_TYPE_APP ( NS_CERT_TYPE_SSL_CLIENT | \
+			  NS_CERT_TYPE_SSL_SERVER | \
+			  NS_CERT_TYPE_EMAIL | \
+			  NS_CERT_TYPE_OBJECT_SIGNING )
+
+#define NS_CERT_TYPE_CA ( NS_CERT_TYPE_SSL_CA | \
+			 NS_CERT_TYPE_EMAIL_CA | \
+			 NS_CERT_TYPE_OBJECT_SIGNING_CA | \
+			 EXT_KEY_USAGE_STATUS_RESPONDER )
+typedef enum {
+    certUsageSSLClient = 0,
+    certUsageSSLServer = 1,
+    certUsageSSLServerWithStepUp = 2,
+    certUsageSSLCA = 3,
+    certUsageEmailSigner = 4,
+    certUsageEmailRecipient = 5,
+    certUsageObjectSigner = 6,
+    certUsageUserCertImport = 7,
+    certUsageVerifyCA = 8,
+    certUsageProtectedObjectSigner = 9,
+    certUsageStatusResponder = 10,
+    certUsageAnyCA = 11
+} SECCertUsage;
+
+/*
+ * Does the cert belong to the user, a peer, or a CA.
+ */
+typedef enum {
+    certOwnerUser = 0,
+    certOwnerPeer = 1,
+    certOwnerCA = 2
+} CERTCertOwner;
+
+/*
+ * This enum represents the state of validity times of a certificate
+ */
+typedef enum {
+    secCertTimeValid = 0,
+    secCertTimeExpired = 1,
+    secCertTimeNotValidYet = 2
+} SECCertTimeValidity;
+
+/*
+ * Interface for getting certificate nickname strings out of the database
+ */
+
+/* these are values for the what argument below */
+#define SEC_CERT_NICKNAMES_ALL		1
+#define SEC_CERT_NICKNAMES_USER		2
+#define SEC_CERT_NICKNAMES_SERVER	3
+#define SEC_CERT_NICKNAMES_CA		4
+
+struct CERTCertNicknamesStr {
+    PRArenaPool *arena;
+    void *head;
+    int numnicknames;
+    char **nicknames;
+    int what;
+    int totallen;
+};
+
+struct CERTIssuerAndSNStr {
+    SECItem derIssuer;
+    CERTName issuer;
+    SECItem serialNumber;
+};
+
+
+/* X.509 v3 Key Usage Extension flags */
+#define KU_DIGITAL_SIGNATURE		(0x80)	/* bit 0 */
+#define KU_NON_REPUDIATION		(0x40)  /* bit 1 */
+#define KU_KEY_ENCIPHERMENT		(0x20)  /* bit 2 */
+#define KU_DATA_ENCIPHERMENT		(0x10)  /* bit 3 */
+#define KU_KEY_AGREEMENT		(0x08)  /* bit 4 */
+#define KU_KEY_CERT_SIGN		(0x04)  /* bit 5 */
+#define KU_CRL_SIGN			(0x02)  /* bit 6 */
+#define KU_ALL				(KU_DIGITAL_SIGNATURE | \
+					 KU_NON_REPUDIATION | \
+					 KU_KEY_ENCIPHERMENT | \
+					 KU_DATA_ENCIPHERMENT | \
+					 KU_KEY_AGREEMENT | \
+					 KU_KEY_CERT_SIGN | \
+					 KU_CRL_SIGN)
+
+/* This value will not occur in certs.  It is used internally for the case
+ * when the key type is not know ahead of time and either key agreement or
+ * key encipherment are the correct value based on key type
+ */
+#define KU_KEY_AGREEMENT_OR_ENCIPHERMENT (0x4000)
+
+/* internal bits that do not match bits in the x509v3 spec, but are used
+ * for similar purposes
+ */
+#define KU_NS_GOVT_APPROVED		(0x8000) /*don't make part of KU_ALL!*/
+/*
+ * x.509 v3 Basic Constraints Extension
+ * If isCA is false, the pathLenConstraint is ignored.
+ * Otherwise, the following pathLenConstraint values will apply:
+ *	< 0 - there is no limit to the certificate path
+ *	0   - CA can issues end-entity certificates only
+ *	> 0 - the number of certificates in the certificate path is
+ *	      limited to this number
+ */
+#define CERT_UNLIMITED_PATH_CONSTRAINT -2
+
+struct CERTBasicConstraintsStr {
+    PRBool isCA;			/* on if is CA */
+    int pathLenConstraint;		/* maximum number of certificates that can be
+					   in the cert path.  Only applies to a CA
+					   certificate; otherwise, it's ignored.
+					 */
+};
+
+/* Maximum length of a certificate chain */
+#define CERT_MAX_CERT_CHAIN 20
+
+/* x.509 v3 Reason Falgs, used in CRLDistributionPoint Extension */
+#define RF_UNUSED			(0x80)	/* bit 0 */
+#define RF_KEY_COMPROMISE		(0x40)  /* bit 1 */
+#define RF_CA_COMPROMISE		(0x20)  /* bit 2 */
+#define RF_AFFILIATION_CHANGED		(0x10)  /* bit 3 */
+#define RF_SUPERSEDED			(0x08)  /* bit 4 */
+#define RF_CESSATION_OF_OPERATION	(0x04)  /* bit 5 */
+#define RF_CERTIFICATE_HOLD		(0x02)  /* bit 6 */
+
+/* If we needed to extract the general name field, use this */
+/* General Name types */
+typedef enum {
+    certOtherName = 1,
+    certRFC822Name = 2,
+    certDNSName = 3,
+    certX400Address = 4,
+    certDirectoryName = 5,
+    certEDIPartyName = 6,
+    certURI = 7,
+    certIPAddress = 8,
+    certRegisterID = 9
+} CERTGeneralNameType;
+
+
+typedef struct OtherNameStr {
+    SECItem          name;
+    SECItem          oid;
+}OtherName;
+
+
+
+struct CERTGeneralNameStr {
+    CERTGeneralNameType type;		/* name type */
+    union {
+	CERTName directoryName;         /* distinguish name */
+	OtherName  OthName;		/* Other Name */
+	SECItem other;                  /* the rest of the name forms */
+    }name;
+    SECItem derDirectoryName;		/* this is saved to simplify directory name
+					   comparison */
+    PRCList l;
+};
+
+struct CERTGeneralNameListStr {
+    PRArenaPool *arena;
+    CERTGeneralName *name;
+    int refCount;
+    int len;
+    PZLock *lock;
+};
+
+struct CERTNameConstraintStr {
+    CERTGeneralName  name;
+    SECItem          DERName;
+    SECItem          min;
+    SECItem          max;
+    PRCList          l;
+};
+
+
+struct CERTNameConstraintsStr {
+    CERTNameConstraint  *permited;
+    CERTNameConstraint  *excluded;
+    SECItem             **DERPermited;
+    SECItem             **DERExcluded;
+};
+
+
+/* X.509 v3 Authority Key Identifier extension.  For the authority certificate
+   issuer field, we only support URI now.
+ */
+struct CERTAuthKeyIDStr {
+    SECItem keyID;			/* unique key identifier */
+    CERTGeneralName *authCertIssuer;	/* CA's issuer name.  End with a NULL */
+    SECItem authCertSerialNumber;	/* CA's certificate serial number */
+    SECItem **DERAuthCertIssuer;	/* This holds the DER encoded format of
+					   the authCertIssuer field. It is used
+					   by the encoding engine. It should be
+					   used as a read only field by the caller.
+					*/
+};
+
+/* x.509 v3 CRL Distributeion Point */
+
+/*
+ * defined the types of CRL Distribution points
+ */
+typedef enum {
+    generalName = 1,			/* only support this for now */
+    relativeDistinguishedName = 2
+} DistributionPointTypes;
+
+struct CRLDistributionPointStr {
+    DistributionPointTypes distPointType;
+    union {
+	CERTGeneralName *fullName;
+	CERTRDN relativeName;
+    } distPoint;
+    SECItem reasons;
+    CERTGeneralName *crlIssuer;
+    
+    /* Reserved for internal use only*/
+    SECItem derDistPoint;
+    SECItem derRelativeName;
+    SECItem **derCrlIssuer;
+    SECItem **derFullName;
+    SECItem bitsmap;
+};
+
+struct CERTCrlDistributionPointsStr {
+    CRLDistributionPoint **distPoints;
+};
+
+/*
+ * This structure is used to keep a log of errors when verifying
+ * a cert chain.  This allows multiple errors to be reported all at
+ * once.
+ */
+struct CERTVerifyLogNodeStr {
+    CERTCertificate *cert;	/* what cert had the error */
+    long error;			/* what error was it? */
+    unsigned int depth;		/* how far up the chain are we */
+    void *arg;			/* error specific argument */
+    struct CERTVerifyLogNodeStr *next; /* next in the list */
+    struct CERTVerifyLogNodeStr *prev; /* next in the list */
+};
+
+
+struct CERTVerifyLogStr {
+    PRArenaPool *arena;
+    unsigned int count;
+    struct CERTVerifyLogNodeStr *head;
+    struct CERTVerifyLogNodeStr *tail;
+};
+
+
+struct CERTOKDomainNameStr {
+    CERTOKDomainName *next;
+    char              name[1]; /* actual length may be longer. */
+};
+
+
+typedef SECStatus (PR_CALLBACK *CERTStatusChecker) (CERTCertDBHandle *handle,
+						    CERTCertificate *cert,
+						    int64 time,
+						    void *pwArg);
+
+typedef SECStatus (PR_CALLBACK *CERTStatusDestroy) (CERTStatusConfig *handle);
+
+struct CERTStatusConfigStr {
+    CERTStatusChecker statusChecker;	/* NULL means no checking enabled */
+    CERTStatusDestroy statusDestroy;	/* enabled or no, will clean up */
+    void *statusContext;		/* cx specific to checking protocol */
+};
+
+struct CERTAuthInfoAccessStr {
+    SECItem method;
+    SECItem derLocation;
+    CERTGeneralName *location;		/* decoded location */
+};
+
+
+/* This is the typedef for the callback passed to CERT_OpenCertDB() */
+/* callback to return database name based on version number */
+typedef char * (*CERTDBNameFunc)(void *arg, int dbVersion);
+
+/*
+ * types of cert packages that we can decode
+ */
+typedef enum {
+    certPackageNone = 0,
+    certPackageCert = 1,
+    certPackagePKCS7 = 2,
+    certPackageNSCertSeq = 3,
+    certPackageNSCertWrap = 4
+} CERTPackageType;
+
+/*
+ * these types are for the PKIX Certificate Policies extension
+ */
+typedef struct {
+    SECOidTag oid;
+    SECItem qualifierID;
+    SECItem qualifierValue;
+} CERTPolicyQualifier;
+
+typedef struct {
+    SECOidTag oid;
+    SECItem policyID;
+    CERTPolicyQualifier **policyQualifiers;
+} CERTPolicyInfo;
+
+typedef struct {
+    PRArenaPool *arena;
+    CERTPolicyInfo **policyInfos;
+} CERTCertificatePolicies;
+
+typedef struct {
+    SECItem organization;
+    SECItem **noticeNumbers;
+} CERTNoticeReference;
+
+typedef struct {
+    PRArenaPool *arena;
+    CERTNoticeReference noticeReference;
+    SECItem derNoticeReference;
+    SECItem displayText;
+} CERTUserNotice;
+
+typedef struct {
+    PRArenaPool *arena;
+    SECItem **oids;
+} CERTOidSequence;
+
+
+/* XXX Lisa thinks the template declarations belong in cert.h, not here? */
+
+#include "secasn1t.h"	/* way down here because I expect template stuff to
+			 * move out of here anyway */
+
+SEC_BEGIN_PROTOS
+
+extern const SEC_ASN1Template CERT_CertificateRequestTemplate[];
+extern const SEC_ASN1Template CERT_CertificateTemplate[];
+extern const SEC_ASN1Template SEC_SignedCertificateTemplate[];
+extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
+extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
+extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
+extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
+extern const SEC_ASN1Template CERT_ValidityTemplate[];
+extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
+extern const SEC_ASN1Template SEC_CertSequenceTemplate[];
+
+extern const SEC_ASN1Template CERT_IssuerAndSNTemplate[];
+extern const SEC_ASN1Template CERT_NameTemplate[];
+extern const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[];
+extern const SEC_ASN1Template CERT_RDNTemplate[];
+extern const SEC_ASN1Template CERT_SignedDataTemplate[];
+extern const SEC_ASN1Template CERT_CrlTemplate[];
+
+/*
+** XXX should the attribute stuff be centralized for all of ns/security?
+*/
+extern const SEC_ASN1Template CERT_AttributeTemplate[];
+extern const SEC_ASN1Template CERT_SetOfAttributeTemplate[];
+
+/* These functions simply return the address of the above-declared templates.
+** This is necessary for Windows DLLs.  Sigh.
+*/
+SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateRequestTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_CertificateTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_CrlTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_IssuerAndSNTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_NameTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
+SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
+
+SEC_END_PROTOS
+
+#endif /* _CERTT_H_ */
diff --git a/security/nss/lib/certdb/certv3.c b/security/nss/lib/certdb/certv3.c
new file mode 100644
index 000000000..ea1016234
--- /dev/null
+++ b/security/nss/lib/certdb/certv3.c
@@ -0,0 +1,406 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Code for dealing with X509.V3 extensions.
+ *
+ * $Id$
+ */
+
+#include "cert.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "secder.h"
+#include "secasn1.h"
+#include "certxutl.h"
+#include "secerr.h"
+
+SECStatus
+CERT_FindCertExtensionByOID(CERTCertificate *cert, SECItem *oid,
+			    SECItem *value)
+{
+    return (cert_FindExtensionByOID (cert->extensions, oid, value));
+}
+    
+
+SECStatus
+CERT_FindCertExtension(CERTCertificate *cert, int tag, SECItem *value)
+{
+    return (cert_FindExtension (cert->extensions, tag, value));
+}
+
+static void
+SetExts(void *object, CERTCertExtension **exts)
+{
+    CERTCertificate *cert = (CERTCertificate *)object;
+
+    cert->extensions = exts;
+    DER_SetUInteger (cert->arena, &(cert->version), SEC_CERTIFICATE_VERSION_3);
+}
+
+void *
+CERT_StartCertExtensions(CERTCertificate *cert)
+{
+    return (cert_StartExtensions ((void *)cert, cert->arena, SetExts));
+}
+
+/* find the given extension in the certificate of the Issuer of 'cert' */
+SECStatus
+CERT_FindIssuerCertExtension(CERTCertificate *cert, int tag, SECItem *value)
+{
+    CERTCertificate *issuercert;
+    SECStatus rv;
+
+    issuercert = CERT_FindCertByName(cert->dbhandle, &cert->derIssuer);
+    if ( issuercert ) {
+	rv = cert_FindExtension(issuercert->extensions, tag, value);
+	CERT_DestroyCertificate(issuercert);
+    } else {
+	rv = SECFailure;
+    }
+    
+    return(rv);
+}
+
+/* find a URL extension in the cert or its CA
+ * apply the base URL string if it exists
+ */
+char *
+CERT_FindCertURLExtension(CERTCertificate *cert, int tag, int catag)
+{
+    SECStatus rv;
+    SECItem urlitem;
+    SECItem baseitem;
+    SECItem urlstringitem = {siBuffer,0};
+    SECItem basestringitem = {siBuffer,0};
+    PRArenaPool *arena = NULL;
+    PRBool hasbase;
+    char *urlstring;
+    char *str;
+    int len;
+    int i;
+    
+    urlstring = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( ! arena ) {
+	goto loser;
+    }
+    
+    hasbase = PR_FALSE;
+    urlitem.data = NULL;
+    baseitem.data = NULL;
+    
+    rv = cert_FindExtension(cert->extensions, tag, &urlitem);
+    if ( rv == SECSuccess ) {
+	rv = cert_FindExtension(cert->extensions, SEC_OID_NS_CERT_EXT_BASE_URL,
+				   &baseitem);
+	if ( rv == SECSuccess ) {
+	    hasbase = PR_TRUE;
+	}
+	
+    } else if ( catag ) {
+	/* if the cert doesn't have the extensions, see if the issuer does */
+	rv = CERT_FindIssuerCertExtension(cert, catag, &urlitem);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}	    
+	rv = CERT_FindIssuerCertExtension(cert, SEC_OID_NS_CERT_EXT_BASE_URL,
+					 &baseitem);
+	if ( rv == SECSuccess ) {
+	    hasbase = PR_TRUE;
+	}
+    } else {
+	goto loser;
+    }
+
+    rv = SEC_ASN1DecodeItem(arena, &urlstringitem, SEC_IA5StringTemplate, 
+			    &urlitem);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    if ( hasbase ) {
+	rv = SEC_ASN1DecodeItem(arena, &basestringitem, SEC_IA5StringTemplate,
+				&baseitem);
+
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+    }
+    
+    len = urlstringitem.len + ( hasbase ? basestringitem.len : 0 ) + 1;
+    
+    str = urlstring = (char *)PORT_Alloc(len);
+    if ( urlstring == NULL ) {
+	goto loser;
+    }
+    
+    /* copy the URL base first */
+    if ( hasbase ) {
+
+	/* if the urlstring has a : in it, then we assume it is an absolute
+	 * URL, and will not get the base string pre-pended
+	 */
+	for ( i = 0; i < urlstringitem.len; i++ ) {
+	    if ( urlstringitem.data[i] == ':' ) {
+		goto nobase;
+	    }
+	}
+	
+	PORT_Memcpy(str, basestringitem.data, basestringitem.len);
+	str += basestringitem.len;
+	
+    }
+
+nobase:
+    /* copy the rest (or all) of the URL */
+    PORT_Memcpy(str, urlstringitem.data, urlstringitem.len);
+    str += urlstringitem.len;
+    
+    *str = '\0';
+    goto done;
+    
+loser:
+    if ( urlstring ) {
+	PORT_Free(urlstring);
+    }
+    
+    urlstring = NULL;
+done:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    if ( baseitem.data ) {
+	PORT_Free(baseitem.data);
+    }
+    if ( urlitem.data ) {
+	PORT_Free(urlitem.data);
+    }
+
+    return(urlstring);
+}
+
+/*
+ * get the value of the Netscape Certificate Type Extension
+ */
+SECStatus
+CERT_FindNSCertTypeExtension(CERTCertificate *cert, SECItem *retItem)
+{
+
+    return (CERT_FindBitStringExtension
+	    (cert->extensions, SEC_OID_NS_CERT_EXT_CERT_TYPE, retItem));    
+}
+
+
+/*
+ * get the value of a string type extension
+ */
+char *
+CERT_FindNSStringExtension(CERTCertificate *cert, int oidtag)
+{
+    SECItem wrapperItem, tmpItem = {siBuffer,0};
+    SECStatus rv;
+    PRArenaPool *arena = NULL;
+    char *retstring = NULL;
+    
+    wrapperItem.data = NULL;
+    tmpItem.data = NULL;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( ! arena ) {
+	goto loser;
+    }
+    
+    rv = cert_FindExtension(cert->extensions, oidtag,
+			       &wrapperItem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    rv = SEC_ASN1DecodeItem(arena, &tmpItem, SEC_IA5StringTemplate, 
+			    &wrapperItem);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    retstring = (char *)PORT_Alloc(tmpItem.len + 1 );
+    if ( retstring == NULL ) {
+	goto loser;
+    }
+    
+    PORT_Memcpy(retstring, tmpItem.data, tmpItem.len);
+    retstring[tmpItem.len] = '\0';
+
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    if ( wrapperItem.data ) {
+	PORT_Free(wrapperItem.data);
+    }
+
+    return(retstring);
+}
+
+/*
+ * get the value of the X.509 v3 Key Usage Extension
+ */
+SECStatus
+CERT_FindKeyUsageExtension(CERTCertificate *cert, SECItem *retItem)
+{
+
+    return (CERT_FindBitStringExtension(cert->extensions,
+					SEC_OID_X509_KEY_USAGE, retItem));    
+}
+
+/*
+ * get the value of the X.509 v3 Key Usage Extension
+ */
+SECStatus
+CERT_FindSubjectKeyIDExten(CERTCertificate *cert, SECItem *retItem)
+{
+
+    SECItem encodedValue;
+    SECStatus rv;
+
+    encodedValue.data = NULL;
+    rv = cert_FindExtension
+	 (cert->extensions, SEC_OID_X509_SUBJECT_KEY_ID, &encodedValue);
+    if (rv != SECSuccess)
+	return (rv);
+    rv = SEC_ASN1DecodeItem (NULL, retItem, SEC_OctetStringTemplate,
+			     &encodedValue);
+    PORT_Free (encodedValue.data);
+
+    return (rv);
+}
+
+SECStatus
+CERT_FindBasicConstraintExten(CERTCertificate *cert,
+			      CERTBasicConstraints *value)
+{
+    SECItem encodedExtenValue;
+    SECStatus rv;
+
+    encodedExtenValue.data = NULL;
+    encodedExtenValue.len = 0;
+
+    rv = cert_FindExtension(cert->extensions, SEC_OID_X509_BASIC_CONSTRAINTS,
+			    &encodedExtenValue);
+    if ( rv != SECSuccess ) {
+	return (rv);
+    }
+
+    rv = CERT_DecodeBasicConstraintValue (value, &encodedExtenValue);
+    
+    /* free the raw extension data */
+    PORT_Free(encodedExtenValue.data);
+    encodedExtenValue.data = NULL;
+    
+    return(rv);
+}
+
+CERTAuthKeyID *
+CERT_FindAuthKeyIDExten (PRArenaPool *arena, CERTCertificate *cert)
+{
+    SECItem encodedExtenValue;
+    SECStatus rv;
+    CERTAuthKeyID *ret;
+    
+    encodedExtenValue.data = NULL;
+    encodedExtenValue.len = 0;
+
+    rv = cert_FindExtension(cert->extensions, SEC_OID_X509_AUTH_KEY_ID,
+			    &encodedExtenValue);
+    if ( rv != SECSuccess ) {
+	return (NULL);
+    }
+
+    ret = CERT_DecodeAuthKeyID (arena, &encodedExtenValue);
+
+    PORT_Free(encodedExtenValue.data);
+    encodedExtenValue.data = NULL;
+    
+    return(ret);
+}
+
+SECStatus
+CERT_CheckCertUsage(CERTCertificate *cert, unsigned char usage)
+{
+    PRBool critical;    
+    SECItem keyUsage;
+    SECStatus rv;
+
+    /* There is no extension, v1 or v2 certificate */
+    if (cert->extensions == NULL) {
+	return (SECSuccess);
+    }
+    
+    keyUsage.data = NULL;
+
+    do {
+	/* if the keyUsage extension exists and is critical, make sure that the
+	   CA certificate is used for certificate signing purpose only. If the
+	   extension does not exist, we will assum that it can be used for
+	   certificate signing purpose.
+	*/
+	rv = CERT_GetExtenCriticality(cert->extensions,
+				      SEC_OID_X509_KEY_USAGE,
+				      &critical);
+	if (rv == SECFailure) {
+	    rv = (PORT_GetError () == SEC_ERROR_EXTENSION_NOT_FOUND) ?
+		SECSuccess : SECFailure;
+	    break;
+	}
+
+	if (critical == PR_FALSE) {
+	    rv = SECSuccess;
+	    break;
+	}
+
+	rv = CERT_FindKeyUsageExtension(cert, &keyUsage);
+	if (rv != SECSuccess) {
+	    break;
+	}	
+	if (!(keyUsage.data[0] & usage)) {
+	    PORT_SetError (SEC_ERROR_CERT_USAGES_INVALID);
+	    rv = SECFailure;
+	}
+    }while (0);
+    PORT_Free (keyUsage.data);
+    return (rv);
+}
diff --git a/security/nss/lib/certdb/certxutl.c b/security/nss/lib/certdb/certxutl.c
new file mode 100644
index 000000000..619f576b2
--- /dev/null
+++ b/security/nss/lib/certdb/certxutl.c
@@ -0,0 +1,482 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Certificate Extensions handling code
+ *
+ */
+
+#include "cert.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "secder.h"
+#include "secasn1.h"
+#include "certxutl.h"
+#include "secerr.h"
+
+#ifdef OLD
+#include "ocspti.h"	/* XXX a better extensions interface would not
+			 * require knowledge of data structures of callers */
+#endif
+
+static CERTCertExtension *
+GetExtension (CERTCertExtension **extensions, SECItem *oid)
+{
+    CERTCertExtension **exts;
+    CERTCertExtension *ext = NULL;
+    SECComparison comp;
+
+    exts = extensions;
+    
+    if (exts) {
+	while ( *exts ) {
+	    ext = *exts;
+	    comp = SECITEM_CompareItem(oid, &ext->id);
+	    if ( comp == SECEqual ) 
+		break;
+
+	    exts++;
+	}
+	return (*exts ? ext : NULL);
+    }
+    return (NULL);
+}
+
+SECStatus
+cert_FindExtensionByOID (CERTCertExtension **extensions, SECItem *oid, SECItem *value)
+{
+    CERTCertExtension *ext;
+    SECStatus rv = SECSuccess;
+    
+    ext = GetExtension (extensions, oid);
+    if (ext == NULL) {
+	PORT_SetError (SEC_ERROR_EXTENSION_NOT_FOUND);
+	return (SECFailure);
+    }
+    if (value)
+	rv = SECITEM_CopyItem(NULL, value, &ext->value);
+    return (rv);
+}
+    
+
+SECStatus
+CERT_GetExtenCriticality (CERTCertExtension **extensions, int tag, PRBool *isCritical)
+{
+    CERTCertExtension *ext;
+    SECOidData *oid;
+
+    if (!isCritical)
+	return (SECSuccess);
+    
+    /* find the extension in the extensions list */
+    oid = SECOID_FindOIDByTag((SECOidTag)tag);
+    if ( !oid ) {
+	return(SECFailure);
+    }
+    ext = GetExtension (extensions, &oid->oid);
+    if (ext == NULL) {
+	PORT_SetError (SEC_ERROR_EXTENSION_NOT_FOUND);
+	return (SECFailure);
+    }
+
+    /* If the criticality is omitted, then it is false by default.
+       ex->critical.data is NULL */
+    if (ext->critical.data == NULL)
+	*isCritical = PR_FALSE;
+    else
+	*isCritical = (ext->critical.data[0] == 0xff) ? PR_TRUE : PR_FALSE;
+    return (SECSuccess);    
+}
+
+SECStatus
+cert_FindExtension(CERTCertExtension **extensions, int tag, SECItem *value)
+{
+    SECOidData *oid;
+    
+    oid = SECOID_FindOIDByTag((SECOidTag)tag);
+    if ( !oid ) {
+	return(SECFailure);
+    }
+
+    return(cert_FindExtensionByOID(extensions, &oid->oid, value));
+}
+
+
+typedef struct _extNode {
+    struct _extNode *next;
+    CERTCertExtension *ext;
+} extNode;
+
+typedef struct {
+    void (*setExts)(void *object, CERTCertExtension **exts);
+    void *object;
+    PRArenaPool *ownerArena;
+    PRArenaPool *arena;
+    extNode *head;
+    int count;
+}extRec;
+
+/*
+ * cert_StartExtensions
+ *
+ * NOTE: This interface changed significantly to remove knowledge
+ *   about callers data structures (owner objects)
+ */
+void *
+cert_StartExtensions(void *owner, PRArenaPool *ownerArena,
+   void (*setExts)(void *object, CERTCertExtension **exts))
+{
+    PRArenaPool *arena;
+    extRec *handle;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( !arena ) {
+	return(0);
+    }
+
+    handle = (extRec *)PORT_ArenaAlloc(arena, sizeof(extRec));
+    if ( !handle ) {
+	PORT_FreeArena(arena, PR_FALSE);
+	return(0);
+    }
+
+    handle->object = owner;
+    handle->ownerArena = ownerArena;
+    handle->setExts = setExts;
+
+    handle->arena = arena;
+    handle->head = 0;
+    handle->count = 0;
+    
+    return(handle);
+}
+
+static unsigned char hextrue = 0xff;
+
+/*
+ * Note - assumes that data pointed to by oid->data will not move
+ */
+SECStatus
+CERT_AddExtensionByOID (void *exthandle, SECItem *oid, SECItem *value,
+			PRBool critical, PRBool copyData)
+{
+    CERTCertExtension *ext;
+    SECStatus rv;
+    extNode *node;
+    extRec *handle;
+    
+    handle = (extRec *)exthandle;
+
+    /* allocate space for extension and list node */
+    ext = (CERTCertExtension*)PORT_ArenaZAlloc(handle->ownerArena,
+                                               sizeof(CERTCertExtension));
+    if ( !ext ) {
+	return(SECFailure);
+    }
+
+    node = (extNode*)PORT_ArenaAlloc(handle->arena, sizeof(extNode));
+    if ( !node ) {
+	return(SECFailure);
+    }
+
+    /* add to list */
+    node->next = handle->head;
+    handle->head = node;
+   
+    /* point to ext struct */
+    node->ext = ext;
+    
+    /* the object ID of the extension */
+    ext->id = *oid;
+    
+    /* set critical field */
+    if ( critical ) {
+	ext->critical.data = (unsigned char*)&hextrue;
+	ext->critical.len = 1;
+    }
+
+    /* set the value */
+    if ( copyData ) {
+	rv = SECITEM_CopyItem(handle->ownerArena, &ext->value, value);
+	if ( rv ) {
+	    return(SECFailure);
+	}
+    } else {
+	ext->value = *value;
+    }
+    
+    handle->count++;
+    
+    return(SECSuccess);
+
+}
+
+SECStatus
+CERT_AddExtension(void *exthandle, int idtag, SECItem *value,
+		     PRBool critical, PRBool copyData)
+{
+    SECOidData *oid;
+    
+    oid = SECOID_FindOIDByTag((SECOidTag)idtag);
+    if ( !oid ) {
+	return(SECFailure);
+    }
+
+    return(CERT_AddExtensionByOID(exthandle, &oid->oid, value, critical, copyData));
+}
+
+SECStatus
+CERT_EncodeAndAddExtension(void *exthandle, int idtag, void *value,
+			   PRBool critical, const SEC_ASN1Template *atemplate)
+{
+    extRec *handle;
+    SECItem *encitem;
+
+    handle = (extRec *)exthandle;
+
+    encitem = SEC_ASN1EncodeItem(handle->ownerArena, NULL, value, atemplate);
+    if ( encitem == NULL ) {
+	return(SECFailure);
+    }
+
+    return CERT_AddExtension(exthandle, idtag, encitem, critical, PR_FALSE);
+}
+
+void
+PrepareBitStringForEncoding (SECItem *bitsmap, SECItem *value)
+{
+  unsigned char onebyte;
+  unsigned int i, len = 0;
+
+  /* to prevent warning on some platform at compile time */ 
+  onebyte = '\0';   
+  /* Get the position of the right-most turn-on bit */ 
+  for (i = 0; i < (value->len ) * 8; ++i) {
+      if (i % 8 == 0)
+	  onebyte = value->data[i/8];
+      if (onebyte & 0x80)
+	  len = i;            
+      onebyte <<= 1;
+      
+  }
+  bitsmap->data = value->data;
+  /* Add one here since we work with base 1 */ 
+  bitsmap->len = len + 1;
+}
+
+SECStatus
+CERT_EncodeAndAddBitStrExtension (void *exthandle, int idtag,
+				  SECItem *value, PRBool critical)
+{
+  SECItem bitsmap;
+  
+  PrepareBitStringForEncoding (&bitsmap, value);
+  return (CERT_EncodeAndAddExtension
+	  (exthandle, idtag, &bitsmap, critical, SEC_BitStringTemplate));
+}
+
+SECStatus
+CERT_FinishExtensions(void *exthandle)
+{
+    extRec *handle;
+    extNode *node;
+    CERTCertExtension **exts;
+    SECStatus rv = SECFailure;
+    
+    handle = (extRec *)exthandle;
+
+    /* allocate space for extensions array */
+    exts = PORT_ArenaNewArray(handle->ownerArena, CERTCertExtension *,
+			      handle->count + 1);
+    if (exts == NULL) {
+	goto loser;
+    }
+
+    /* put extensions in owner object and update its version number */
+
+#ifdef OLD
+    switch (handle->type) {
+      case CertificateExtensions:
+	handle->owner.cert->extensions = exts;
+	DER_SetUInteger (ownerArena, &(handle->owner.cert->version),
+			 SEC_CERTIFICATE_VERSION_3);
+	break;
+      case CrlExtensions:
+	handle->owner.crl->extensions = exts;
+	DER_SetUInteger (ownerArena, &(handle->owner.crl->version),
+			 SEC_CRL_VERSION_2);
+	break;
+      case OCSPRequestExtensions:
+	handle->owner.request->tbsRequest->requestExtensions = exts;
+	break;
+      case OCSPSingleRequestExtensions:
+	handle->owner.singleRequest->singleRequestExtensions = exts;	
+	break;
+      case OCSPResponseSingleExtensions:
+	handle->owner.singleResponse->singleExtensions = exts;	
+	break;
+    }
+#endif
+
+    handle->setExts(handle->object, exts);
+	
+    /* update the version number */
+
+    /* copy each extension pointer */
+    node = handle->head;
+    while ( node ) {
+	*exts = node->ext;
+	
+	node = node->next;
+	exts++;
+    }
+
+    /* terminate the array of extensions */
+    *exts = 0;
+
+    rv = SECSuccess;
+
+loser:
+    /* free working arena */
+    PORT_FreeArena(handle->arena, PR_FALSE);
+    return rv;
+}
+
+/*
+ * get the value of the Netscape Certificate Type Extension
+ */
+SECStatus
+CERT_FindBitStringExtension (CERTCertExtension **extensions, int tag,
+			     SECItem *retItem)
+{
+    SECItem wrapperItem, tmpItem = {siBuffer,0};
+    SECStatus rv;
+    PRArenaPool *arena = NULL;
+    
+    wrapperItem.data = NULL;
+    tmpItem.data = NULL;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( ! arena ) {
+	return(SECFailure);
+    }
+    
+    rv = cert_FindExtension(extensions, tag, &wrapperItem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    rv = SEC_ASN1DecodeItem(arena, &tmpItem, SEC_BitStringTemplate, 
+			    &wrapperItem);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    retItem->data = (unsigned char *)PORT_Alloc( ( tmpItem.len + 7 ) >> 3 );
+    if ( retItem->data == NULL ) {
+	goto loser;
+    }
+    
+    PORT_Memcpy(retItem->data, tmpItem.data, ( tmpItem.len + 7 ) >> 3);
+    retItem->len = tmpItem.len;
+    
+    rv = SECSuccess;
+    goto done;
+    
+loser:
+    rv = SECFailure;
+
+done:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    if ( wrapperItem.data ) {
+	PORT_Free(wrapperItem.data);
+    }
+
+    return(rv);
+}
+
+PRBool
+cert_HasCriticalExtension (CERTCertExtension **extensions)
+{
+    CERTCertExtension **exts;
+    CERTCertExtension *ext = NULL;
+    PRBool hasCriticalExten = PR_FALSE;
+    
+    exts = extensions;
+    
+    if (exts) {
+	while ( *exts ) {
+	    ext = *exts;
+	    /* If the criticality is omitted, it's non-critical */
+	    if (ext->critical.data && ext->critical.data[0] == 0xff) {
+		hasCriticalExten = PR_TRUE;
+		break;
+	    }
+	    exts++;
+	}
+    }
+    return (hasCriticalExten);
+}
+
+PRBool
+cert_HasUnknownCriticalExten (CERTCertExtension **extensions)
+{
+    CERTCertExtension **exts;
+    CERTCertExtension *ext = NULL;
+    PRBool hasUnknownCriticalExten = PR_FALSE;
+    
+    exts = extensions;
+    
+    if (exts) {
+	while ( *exts ) {
+	    ext = *exts;
+	    /* If the criticality is omitted, it's non-critical.
+	       If an extension is critical, make sure that we know
+	       how to process the extension.
+             */
+	    if (ext->critical.data && ext->critical.data[0] == 0xff) {
+		if (SECOID_KnownCertExtenOID (&ext->id) == PR_FALSE) {
+		    hasUnknownCriticalExten = PR_TRUE;
+		    break;
+		}
+	    }
+	    exts++;
+	}
+    }
+    return (hasUnknownCriticalExten);
+}
diff --git a/security/nss/lib/certdb/certxutl.h b/security/nss/lib/certdb/certxutl.h
new file mode 100644
index 000000000..381226a43
--- /dev/null
+++ b/security/nss/lib/certdb/certxutl.h
@@ -0,0 +1,79 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * x.509 v3 certificate extension helper routines
+ *
+ */
+
+
+#ifndef _CERTXUTL_H_
+#define _CERTXUTL_H_
+
+#include "nspr.h"
+
+#ifdef OLD
+typedef enum {
+    CertificateExtensions,
+    CrlExtensions,
+    OCSPRequestExtensions,
+    OCSPSingleRequestExtensions,
+    OCSPResponseSingleExtensions
+} ExtensionsType;
+#endif
+
+extern PRBool
+cert_HasCriticalExtension (CERTCertExtension **extensions);
+
+extern SECStatus
+CERT_FindBitStringExtension (CERTCertExtension **extensions,
+			     int tag, SECItem *retItem);
+extern void *
+cert_StartExtensions (void *owner, PLArenaPool *arena,
+                      void (*setExts)(void *object, CERTCertExtension **exts));
+
+extern SECStatus
+cert_FindExtension (CERTCertExtension **extensions, int tag, SECItem *value);
+
+extern SECStatus
+cert_FindExtensionByOID (CERTCertExtension **extensions,
+			 SECItem *oid, SECItem *value);
+
+extern SECStatus
+cert_GetExtenCriticality (CERTCertExtension **extensions,
+			  int tag, PRBool *isCritical);
+
+extern PRBool
+cert_HasUnknownCriticalExten (CERTCertExtension **extensions);
+
+#endif
diff --git a/security/nss/lib/certdb/config.mk b/security/nss/lib/certdb/config.mk
new file mode 100644
index 000000000..0a00dc61e
--- /dev/null
+++ b/security/nss/lib/certdb/config.mk
@@ -0,0 +1,43 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/certdb/crl.c b/security/nss/lib/certdb/crl.c
new file mode 100644
index 000000000..8eb90005a
--- /dev/null
+++ b/security/nss/lib/certdb/crl.c
@@ -0,0 +1,637 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Moved from secpkcs7.c
+ *
+ * $Id$
+ */
+
+#include "cert.h"
+#include "secder.h"
+#include "secasn1.h"
+#include "secoid.h"
+#include "certdb.h"
+#include "certxutl.h"
+#include "prtime.h"
+#include "secerr.h"
+#include "pk11func.h"
+
+const SEC_ASN1Template SEC_CERTExtensionTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCertExtension) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(CERTCertExtension,id) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN,		/* XXX DER_DEFAULT */
+	  offsetof(CERTCertExtension,critical), },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(CERTCertExtension,value) },
+    { 0, }
+};
+
+static const SEC_ASN1Template SEC_CERTExtensionsTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0,  SEC_CERTExtensionTemplate}
+};
+
+/*
+ * XXX Also, these templates, especially the Krl/FORTEZZA ones, need to
+ * be tested; Lisa did the obvious translation but they still should be
+ * verified.
+ */
+
+const SEC_ASN1Template CERT_IssuerAndSNTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTIssuerAndSN) },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTIssuerAndSN,derIssuer) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTIssuerAndSN,issuer),
+	  CERT_NameTemplate },
+    { SEC_ASN1_INTEGER,
+	  offsetof(CERTIssuerAndSN,serialNumber) },
+    { 0 }
+};
+
+static const SEC_ASN1Template cert_KrlEntryTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCrlEntry) },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(CERTCrlEntry,serialNumber) },
+    { SEC_ASN1_UTC_TIME,
+	  offsetof(CERTCrlEntry,revocationDate) },
+    { 0 }
+};
+
+static const SEC_ASN1Template cert_KrlTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCrl) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCrl,signatureAlg),
+	  SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTCrl,derName) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCrl,name),
+	  CERT_NameTemplate },
+    { SEC_ASN1_UTC_TIME,
+	  offsetof(CERTCrl,lastUpdate) },
+    { SEC_ASN1_UTC_TIME,
+	  offsetof(CERTCrl,nextUpdate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTCrl,entries),
+	  cert_KrlEntryTemplate },
+    { 0 }
+};
+
+static const SEC_ASN1Template cert_SignedKrlTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTSignedCrl) },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTSignedCrl,signatureWrap.data) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTSignedCrl,crl),
+	  cert_KrlTemplate },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTSignedCrl,signatureWrap.signatureAlgorithm),
+	  SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_BIT_STRING,
+	  offsetof(CERTSignedCrl,signatureWrap.signature) },
+    { 0 }
+};
+
+static const SEC_ASN1Template cert_CrlKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCrlKey) },
+    { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof(CERTCrlKey,dummy) },
+    { SEC_ASN1_SKIP },
+    { SEC_ASN1_ANY, offsetof(CERTCrlKey,derName) },
+    { SEC_ASN1_SKIP_REST },
+    { 0 }
+};
+
+static const SEC_ASN1Template cert_CrlEntryTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCrlEntry) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(CERTCrlEntry,serialNumber) },
+    { SEC_ASN1_UTC_TIME,
+	  offsetof(CERTCrlEntry,revocationDate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTCrlEntry, extensions),
+	  SEC_CERTExtensionTemplate},
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_CrlTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCrl) },
+    { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, offsetof (CERTCrl, version) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCrl,signatureAlg),
+	  SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTCrl,derName) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCrl,name),
+	  CERT_NameTemplate },
+    { SEC_ASN1_UTC_TIME,
+	  offsetof(CERTCrl,lastUpdate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_UTC_TIME,
+	  offsetof(CERTCrl,nextUpdate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTCrl,entries),
+	  cert_CrlEntryTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+	  SEC_ASN1_EXPLICIT | 0,
+	  offsetof(CERTCrl,extensions),
+	  SEC_CERTExtensionsTemplate},
+    { 0 }
+};
+
+static const SEC_ASN1Template cert_SignedCrlTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTSignedCrl) },
+    { SEC_ASN1_SAVE,
+	  offsetof(CERTSignedCrl,signatureWrap.data) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTSignedCrl,crl),
+	  CERT_CrlTemplate },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTSignedCrl,signatureWrap.signatureAlgorithm),
+	  SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_BIT_STRING,
+	  offsetof(CERTSignedCrl,signatureWrap.signature) },
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_SetOfSignedCrlTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, cert_SignedCrlTemplate },
+};
+
+/* Check the version of the CRL.  If there is a critical extension in the crl
+   or crl entry, then the version must be v2. Otherwise, it should be v1.  If
+   the crl contains critical extension(s), then we must recognized the extension's
+   OID.
+   */
+SECStatus cert_check_crl_version (CERTCrl *crl)
+{
+    CERTCrlEntry **entries;
+    CERTCrlEntry *entry;
+    PRBool hasCriticalExten = PR_FALSE;
+    SECStatus rv = SECSuccess;
+    int version;
+
+    /* CRL version is defaulted to v1 */
+    version = SEC_CRL_VERSION_1;
+    if (crl->version.data != 0) 
+	version = (int)DER_GetUInteger (&crl->version);
+	
+    if (version > SEC_CRL_VERSION_2) {
+	PORT_SetError (SEC_ERROR_BAD_DER);
+	return (SECFailure);
+    }
+
+    /* Check the crl extensions for a critial extension.  If one is found,
+       and the version is not v2, then we are done.
+     */
+    if (crl->extensions) {
+	hasCriticalExten = cert_HasCriticalExtension (crl->extensions);
+	if (hasCriticalExten) {
+	    if (version != SEC_CRL_VERSION_2)
+		return (SECFailure);
+	    /* make sure that there is no unknown critical extension */
+	    if (cert_HasUnknownCriticalExten (crl->extensions) == PR_TRUE) {
+		PORT_SetError (SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION);
+		return (SECFailure);
+	    }
+	}
+    }
+
+	
+    if (crl->entries == NULL) {
+	if (hasCriticalExten == PR_FALSE && version == SEC_CRL_VERSION_2) {
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    return (SECFailure);
+	}
+        return (SECSuccess);
+    }
+    /* Look in the crl entry extensions.  If there is a critical extension,
+       then the crl version must be v2; otherwise, it should be v1.
+     */
+    entries = crl->entries;
+    while (*entries) {
+	entry = *entries;
+	if (entry->extensions) {
+	    /* If there is a critical extension in the entries, then the
+	       CRL must be of version 2.  If we already saw a critical extension,
+	       there is no need to check the version again.
+	    */
+	    if (hasCriticalExten == PR_FALSE) {
+		hasCriticalExten = cert_HasCriticalExtension (entry->extensions);
+		if (hasCriticalExten && version != SEC_CRL_VERSION_2) { 
+		    rv = SECFailure;
+		    break;
+		}
+	    }
+
+	    /* For each entry, make sure that it does not contain an unknown
+	       critical extension.  If it does, we must reject the CRL since
+	       we don't know how to process the extension.
+	    */
+	    if (cert_HasUnknownCriticalExten (entry->extensions) == PR_TRUE) {
+		PORT_SetError (SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION);
+		rv = SECFailure;
+		break;
+	    }
+	}
+	++entries;
+    }
+    if (rv == SECFailure)
+	return (rv);
+
+    return (SECSuccess);
+}
+
+/*
+ * Generate a database key, based on the issuer name from a
+ * DER crl.
+ */
+SECStatus
+CERT_KeyFromDERCrl(PRArenaPool *arena, SECItem *derCrl, SECItem *key)
+{
+    SECStatus rv;
+    CERTSignedData sd;
+    CERTCrlKey crlkey;
+
+    PORT_Memset (&sd, 0, sizeof (sd));
+    rv = SEC_ASN1DecodeItem (arena, &sd, CERT_SignedDataTemplate, derCrl);
+    if (rv != SECSuccess) {
+	return rv;
+    }
+
+    PORT_Memset (&crlkey, 0, sizeof (crlkey));
+    rv = SEC_ASN1DecodeItem(arena, &crlkey, cert_CrlKeyTemplate, &sd.data);
+    if (rv != SECSuccess) {
+	return rv;
+    }
+
+    key->len =  crlkey.derName.len;
+    key->data = crlkey.derName.data;
+
+    return(SECSuccess);
+}
+
+/*
+ * take a DER CRL or KRL  and decode it into a CRL structure
+ */
+CERTSignedCrl *
+CERT_DecodeDERCrl(PRArenaPool *narena, SECItem *derSignedCrl, int type)
+{
+    PRArenaPool *arena;
+    CERTSignedCrl *crl;
+    SECStatus rv;
+
+    /* make a new arena */
+    if (narena == NULL) {
+    	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	if ( !arena ) {
+	    return NULL;
+	}
+    } else {
+	arena = narena;
+    }
+
+    /* allocate the CRL structure */
+    crl = (CERTSignedCrl *)PORT_ArenaZAlloc(arena, sizeof(CERTSignedCrl));
+    if ( !crl ) {
+	goto loser;
+    }
+    
+    crl->arena = arena;
+
+    crl->derCrl = (SECItem *)PORT_ArenaZAlloc(arena,sizeof(SECItem));
+    if (crl->derCrl == NULL) {
+	goto loser;
+    }
+    rv = SECITEM_CopyItem(arena, crl->derCrl, derSignedCrl);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    /* Save the arena in the inner crl for CRL extensions support */
+    crl->crl.arena = arena;
+
+    /* decode the CRL info */
+    switch (type) {
+    case SEC_CRL_TYPE: 
+	rv = SEC_ASN1DecodeItem
+	     (arena, crl, cert_SignedCrlTemplate, derSignedCrl);
+	if (rv != SECSuccess)
+	    break;
+        /* check for critical extentions */
+	rv =  cert_check_crl_version (&crl->crl);
+	break;
+
+    case SEC_KRL_TYPE:
+	rv = SEC_ASN1DecodeItem
+	     (arena, crl, cert_SignedKrlTemplate, derSignedCrl);
+	break;
+    default:
+	rv = SECFailure;
+	break;
+    }
+
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    crl->referenceCount = 1;
+    
+    return(crl);
+    
+loser:
+
+    if ((narena == NULL) && arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(0);
+}
+
+/*
+ * Lookup a CRL in the databases. We mirror the same fast caching data base
+ *  caching stuff used by certificates....?
+ */
+CERTSignedCrl *
+SEC_FindCrlByKeyOnSlot(PK11SlotInfo *slot, SECItem *crlKey, int type)
+{
+    CERTSignedCrl *crl = NULL;
+    SECItem *derCrl;
+    CK_OBJECT_HANDLE crlHandle;
+    char *url = NULL;
+
+    if (slot) {
+	PK11_ReferenceSlot(slot);
+    }
+     
+    derCrl = PK11_FindCrlByName(&slot, &crlHandle, crlKey, type, &url);
+    if (derCrl == NULL) {
+	goto loser;
+    }
+    PORT_Assert(crlHandle != CK_INVALID_HANDLE);
+    
+    crl = CERT_DecodeDERCrl(NULL, derCrl, type);
+    if (crl) {
+	crl->slot = slot;
+	slot = NULL; /* adopt it */
+	crl->pkcs11ID = crlHandle;
+    }
+    if (url) {
+	crl->url = PORT_ArenaStrdup(crl->arena,url);
+	PORT_Free(url);
+    }
+
+loser:
+    if (slot) {
+	PK11_FreeSlot(slot);
+    }
+    if (derCrl) {
+	SECITEM_FreeItem(derCrl,PR_TRUE);
+    }
+    return(crl);
+}
+
+SECStatus SEC_DestroyCrl(CERTSignedCrl *crl);
+
+CERTSignedCrl *
+crl_storeCRL (PK11SlotInfo *slot,char *url,
+                  CERTSignedCrl *newCrl, SECItem *derCrl, int type)
+{
+    CERTSignedCrl *oldCrl = NULL, *crl = NULL;
+    CK_OBJECT_HANDLE crlHandle;
+
+    oldCrl = SEC_FindCrlByKeyOnSlot(slot, &newCrl->crl.derName, type);
+
+
+
+    /* if there is an old crl, make sure the one we are installing
+     * is newer. If not, exit out, otherwise delete the old crl.
+     */
+    if (oldCrl != NULL) {
+	/* if it's already there, quietly continue */
+	if (SECITEM_CompareItem(newCrl->derCrl, oldCrl->derCrl) 
+						== SECEqual) {
+	    crl = newCrl;
+	    crl->slot = PK11_ReferenceSlot(slot);
+	    crl->pkcs11ID = oldCrl->pkcs11ID;
+	    goto done;
+	}
+        if (!SEC_CrlIsNewer(&newCrl->crl,&oldCrl->crl)) {
+
+            if (type == SEC_CRL_TYPE) {
+                PORT_SetError(SEC_ERROR_OLD_CRL);
+            } else {
+                PORT_SetError(SEC_ERROR_OLD_KRL);
+            }
+
+            goto done;
+        }
+
+        if ((SECITEM_CompareItem(&newCrl->crl.derName,
+                &oldCrl->crl.derName) != SECEqual) &&
+            (type == SEC_KRL_TYPE) ) {
+
+            PORT_SetError(SEC_ERROR_CKL_CONFLICT);
+            goto done;
+        }
+
+        /* if we have a url in the database, use that one */
+        if (oldCrl->url) {
+	    url = oldCrl->url;
+        }
+
+
+        /* really destroy this crl */
+        /* first drum it out of the permanment Data base */
+        SEC_DeletePermCRL(oldCrl);
+    }
+
+    /* Write the new entry into the data base */
+    crlHandle = PK11_PutCrl(slot, derCrl, &newCrl->crl.derName, url, type);
+    if (crlHandle != CK_INVALID_HANDLE) {
+	crl = newCrl;
+	crl->slot = PK11_ReferenceSlot(slot);
+	crl->pkcs11ID = crlHandle;
+	if (url) {
+	    crl->url = PORT_ArenaStrdup(crl->arena,url);
+	}
+    }
+
+done:
+    if (oldCrl) SEC_DestroyCrl(oldCrl);
+
+    return crl;
+}
+
+CERTSignedCrl *
+SEC_FindCrlByName(CERTCertDBHandle *handle, SECItem *crlKey, int type)
+{
+	return SEC_FindCrlByKeyOnSlot(NULL,crlKey,type);
+}
+
+/*
+ *
+ * create a new CRL from DER material.
+ *
+ * The signature on this CRL must be checked before you
+ * load it. ???
+ */
+CERTSignedCrl *
+SEC_NewCrl(CERTCertDBHandle *handle, char *url, SECItem *derCrl, int type)
+{
+    CERTSignedCrl *newCrl = NULL, *crl = NULL;
+    PK11SlotInfo *slot;
+
+    /* make this decode dates! */
+    newCrl = CERT_DecodeDERCrl(NULL, derCrl, type);
+    if (newCrl == NULL) {
+        if (type == SEC_CRL_TYPE) {
+            PORT_SetError(SEC_ERROR_CRL_INVALID);
+        } else {
+            PORT_SetError(SEC_ERROR_KRL_INVALID);
+        }
+        goto done;
+    }
+
+    slot = PK11_GetInternalKeySlot();
+    crl = crl_storeCRL(slot, url, newCrl, derCrl, type);
+    PK11_FreeSlot(slot);
+
+
+done:
+    if (crl == NULL) {
+	if (newCrl) {
+	    PORT_FreeArena(newCrl->arena, PR_FALSE);
+	}
+    }
+
+    return crl;
+}
+
+
+CERTSignedCrl *
+SEC_FindCrlByDERCert(CERTCertDBHandle *handle, SECItem *derCrl, int type)
+{
+    PRArenaPool *arena;
+    SECItem crlKey;
+    SECStatus rv;
+    CERTSignedCrl *crl = NULL;
+    
+    /* create a scratch arena */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	return(NULL);
+    }
+    
+    /* extract the database key from the cert */
+    rv = CERT_KeyFromDERCrl(arena, derCrl, &crlKey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* find the crl */
+    crl = SEC_FindCrlByName(handle, &crlKey, type);
+    
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return(crl);
+}
+
+
+SECStatus
+SEC_DestroyCrl(CERTSignedCrl *crl)
+{
+    if (crl) {
+	if (crl->referenceCount-- <= 1) {
+	    if (crl->slot) {
+		PK11_FreeSlot(crl->slot);
+	    }
+	    PORT_FreeArena(crl->arena, PR_FALSE);
+	}
+    }
+    return SECSuccess;
+}
+
+SECStatus
+SEC_LookupCrls(CERTCertDBHandle *handle, CERTCrlHeadNode **nodes, int type)
+{
+    CERTCrlHeadNode *head;
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+
+    *nodes = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	return SECFailure;
+    }
+
+    /* build a head structure */
+    head = (CERTCrlHeadNode *)PORT_ArenaAlloc(arena, sizeof(CERTCrlHeadNode));
+    head->arena = arena;
+    head->first = NULL;
+    head->last = NULL;
+    head->dbhandle = handle;
+
+    /* Look up the proper crl types */
+    *nodes = head;
+
+    rv = PK11_LookupCrls(head, type, NULL);
+    
+    if (rv != SECSuccess) {
+	if ( arena ) {
+	    PORT_FreeArena(arena, PR_FALSE);
+	    *nodes = NULL;
+	}
+    }
+
+    return rv;
+}
+
+/* These functions simply return the address of the above-declared templates.
+** This is necessary for Windows DLLs.  Sigh.
+*/
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_IssuerAndSNTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CrlTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SetOfSignedCrlTemplate)
+
diff --git a/security/nss/lib/certdb/genname.c b/security/nss/lib/certdb/genname.c
new file mode 100644
index 000000000..fadf9d15f
--- /dev/null
+++ b/security/nss/lib/certdb/genname.c
@@ -0,0 +1,1613 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "plarena.h"
+#include "seccomon.h"
+#include "secitem.h"
+#include "secoidt.h"
+#include "mcom_db.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "certt.h"
+#include "cert.h"
+#include "xconst.h"
+#include "secerr.h"
+#include "secoid.h"
+#include "prprf.h"
+#include "genname.h"
+
+
+
+static const SEC_ASN1Template CERTNameConstraintTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTNameConstraint) },
+    { SEC_ASN1_ANY, offsetof(CERTNameConstraint, DERName) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
+          offsetof(CERTNameConstraint, min), SEC_IntegerTemplate }, 
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 1, 
+          offsetof(CERTNameConstraint, max), SEC_IntegerTemplate },
+    { 0, }
+};
+
+const SEC_ASN1Template CERT_NameConstraintSubtreeSubTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_AnyTemplate }
+};
+
+
+const SEC_ASN1Template CERT_NameConstraintSubtreePermitedTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | 0, 0, CERT_NameConstraintSubtreeSubTemplate }
+};
+
+const SEC_ASN1Template CERT_NameConstraintSubtreeExcludedTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | 1, 0, CERT_NameConstraintSubtreeSubTemplate }
+};
+
+
+static const SEC_ASN1Template CERTNameConstraintsTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTNameConstraints) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
+          offsetof(CERTNameConstraints, DERPermited), CERT_NameConstraintSubtreeSubTemplate},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 1, 
+          offsetof(CERTNameConstraints, DERExcluded), CERT_NameConstraintSubtreeSubTemplate},
+    { 0, }
+};
+
+
+static const SEC_ASN1Template CERTOthNameTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(OtherName) },
+    { SEC_ASN1_OBJECT_ID, 
+	  offsetof(OtherName, oid) },
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0,
+          offsetof(OtherName, name), SEC_AnyTemplate },
+    { 0, } 
+};
+
+static const SEC_ASN1Template CERTOtherNameTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | 0 ,
+      offsetof(CERTGeneralName, name.OthName), CERTOthNameTemplate, 
+      sizeof(CERTGeneralName) }
+};
+
+static const SEC_ASN1Template CERTOtherName2Template[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_CONTEXT_SPECIFIC | 0 ,
+      0, NULL, sizeof(CERTGeneralName) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(CERTGeneralName, name.OthName) + offsetof(OtherName, oid) },
+    { SEC_ASN1_ANY,
+	  offsetof(CERTGeneralName, name.OthName) + offsetof(OtherName, name) },
+    { 0, } 
+};
+
+static const SEC_ASN1Template CERT_RFC822NameTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | 1 ,
+          offsetof(CERTGeneralName, name.other), SEC_IA5StringTemplate,
+          sizeof (CERTGeneralName)}
+};
+
+static const SEC_ASN1Template CERT_DNSNameTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | 2 ,
+          offsetof(CERTGeneralName, name.other), SEC_IA5StringTemplate,
+          sizeof (CERTGeneralName)}
+};
+
+static const SEC_ASN1Template CERT_X400AddressTemplate[] = {
+    { SEC_ASN1_ANY | SEC_ASN1_CONTEXT_SPECIFIC | 3,
+          offsetof(CERTGeneralName, name.other), SEC_AnyTemplate,
+          sizeof (CERTGeneralName)}
+};
+
+static const SEC_ASN1Template CERT_DirectoryNameTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 4,
+          offsetof(CERTGeneralName, derDirectoryName), SEC_AnyTemplate,
+          sizeof (CERTGeneralName)}
+};
+
+
+static const SEC_ASN1Template CERT_EDIPartyNameTemplate[] = {
+    { SEC_ASN1_ANY | SEC_ASN1_CONTEXT_SPECIFIC | 5,
+          offsetof(CERTGeneralName, name.other), SEC_AnyTemplate,
+          sizeof (CERTGeneralName)}
+};
+
+static const SEC_ASN1Template CERT_URITemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | 6 ,
+          offsetof(CERTGeneralName, name.other), SEC_IA5StringTemplate,
+          sizeof (CERTGeneralName)}
+};
+
+static const SEC_ASN1Template CERT_IPAddressTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | 7 ,
+          offsetof(CERTGeneralName, name.other), SEC_OctetStringTemplate,
+          sizeof (CERTGeneralName)}
+};
+
+static const SEC_ASN1Template CERT_RegisteredIDTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | 8 ,
+          offsetof(CERTGeneralName, name.other), SEC_ObjectIDTemplate,
+          sizeof (CERTGeneralName)}
+};
+
+
+const SEC_ASN1Template CERT_GeneralNamesTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_AnyTemplate }
+};
+
+
+
+void
+CERT_DestroyGeneralNameList(CERTGeneralNameList *list)
+{
+    PZLock *lock;
+
+    if (list != NULL) {
+	lock = list->lock;
+	PZ_Lock(lock);
+	if (--list->refCount <= 0 && list->arena != NULL) {
+	    PORT_FreeArena(list->arena, PR_FALSE);
+	    PZ_Unlock(lock);
+	    PZ_DestroyLock(lock);
+	} else {
+	    PZ_Unlock(lock);
+	}
+    }
+    return;
+}
+
+CERTGeneralNameList *
+CERT_CreateGeneralNameList(CERTGeneralName *name) {
+    PRArenaPool *arena;
+    CERTGeneralNameList *list = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	goto done;
+    }
+    list = (CERTGeneralNameList *)
+	PORT_ArenaZAlloc(arena, sizeof(CERTGeneralNameList));
+    if (name != NULL) {
+	list->name = (CERTGeneralName *)
+	    PORT_ArenaZAlloc(arena, sizeof(CERTGeneralName));
+	list->name->l.next = list->name->l.prev = &list->name->l;
+	CERT_CopyGeneralName(arena, list->name, name);
+    }
+    list->lock = PZ_NewLock(nssILockList);
+    list->arena = arena;
+    list->refCount = 1;
+done:
+    return list;
+}
+
+CERTGeneralName *
+cert_get_next_general_name(CERTGeneralName *current)
+{
+    PRCList *next;
+    
+    next = current->l.next;
+    return (CERTGeneralName *) (((char *) next) - offsetof(CERTGeneralName, l));
+}
+
+CERTGeneralName *
+cert_get_prev_general_name(CERTGeneralName *current)
+{
+    PRCList *prev;
+    prev = current->l.prev;
+    return (CERTGeneralName *) (((char *) prev) - offsetof(CERTGeneralName, l));
+}
+
+CERTNameConstraint *
+cert_get_next_name_constraint(CERTNameConstraint *current)
+{
+    PRCList *next;
+    
+    next = current->l.next;
+    return (CERTNameConstraint *) (((char *) next) - offsetof(CERTNameConstraint, l));
+}
+
+CERTNameConstraint *
+cert_get_prev_name_constraint(CERTNameConstraint *current)
+{
+    PRCList *prev;
+    prev = current->l.prev;
+    return (CERTNameConstraint *) (((char *) prev) - offsetof(CERTNameConstraint, l));
+}
+
+SECItem *
+CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest, PRArenaPool *arena)
+{
+
+
+    PORT_Assert(arena);
+    if (arena == NULL) {
+	goto loser;
+    }
+    if (dest == NULL) {
+	dest = (SECItem *) PORT_ArenaZAlloc(arena, sizeof(SECItem));
+    }
+    switch (genName->type) {
+      case certURI:
+          dest = SEC_ASN1EncodeItem(arena, dest, genName, 
+				    CERT_URITemplate);
+	  break;
+      case certRFC822Name:
+          dest = SEC_ASN1EncodeItem(arena, dest, genName, 
+				    CERT_RFC822NameTemplate);
+	  break;
+      case certDNSName:
+          dest = SEC_ASN1EncodeItem(arena, dest, genName, 
+				    CERT_DNSNameTemplate);
+	  break;
+      case certIPAddress:
+	  dest = SEC_ASN1EncodeItem(arena, dest, genName,
+				    CERT_IPAddressTemplate);
+	  break;
+      case certOtherName:
+	  dest = SEC_ASN1EncodeItem(arena, dest, genName,
+				    CERTOtherNameTemplate);
+	  break;
+      case certRegisterID:
+	  dest = SEC_ASN1EncodeItem(arena, dest, genName,
+				    CERT_RegisteredIDTemplate);
+	  break;
+      case certEDIPartyName:
+	  /* for this type, we expect the value is already encoded */
+	  dest = SEC_ASN1EncodeItem (arena, dest, genName, 
+				     CERT_EDIPartyNameTemplate);
+	  break;
+      case certX400Address:
+	  /* for this type, we expect the value is already encoded */
+	  dest = SEC_ASN1EncodeItem (arena, dest, genName, 
+				     CERT_X400AddressTemplate);
+	  break;
+      case certDirectoryName:
+	  if (genName->derDirectoryName.data == NULL) {
+	      /* The field hasn't been encoded yet. */
+	      SEC_ASN1EncodeItem (arena, &(genName->derDirectoryName),
+				  &(genName->name.directoryName), 
+				  CERT_NameTemplate);
+	  }
+	  if (genName->derDirectoryName.data == NULL) {
+	      goto loser;
+	  }
+	  dest = SEC_ASN1EncodeItem(arena, dest, genName, 
+				    CERT_DirectoryNameTemplate);
+	  break;
+    }
+    if (!dest) {
+	goto loser;
+    }
+    return dest;
+loser:
+    return NULL;
+}
+
+
+
+SECItem **
+cert_EncodeGeneralNames(PRArenaPool *arena, CERTGeneralName *names)
+{
+    CERTGeneralName  *current_name;
+    SECItem          **items = NULL;
+    int              count = 0;
+    int              i;
+    PRCList          *head;
+
+    PORT_Assert(arena);
+    current_name = names;
+    if (names != NULL) {
+	count = 1;
+    }
+    head = &(names->l);
+    while (current_name->l.next != head) {
+	current_name = cert_get_next_general_name(current_name);
+	++count;
+    }
+    current_name = cert_get_next_general_name(current_name);
+    items = (SECItem **) PORT_ArenaAlloc(arena, sizeof(SECItem *) * (count + 1));
+    
+    if (items == NULL) {
+	goto loser;
+    }
+    for (i = 0; i < count; i++) {
+	items[i] = CERT_EncodeGeneralName(current_name, (SECItem *) NULL, arena);
+	if (items[i] == NULL) {
+	    goto loser;
+	}
+	current_name = cert_get_next_general_name(current_name);
+    }
+    items[i] = NULL;
+    return items;
+loser:
+    return NULL;
+}
+
+CERTGeneralName *
+CERT_DecodeGeneralName(PRArenaPool      *arena,
+		       SECItem          *encodedName,
+		       CERTGeneralName  *genName)
+{
+    CERTGeneralNameType              genNameType;
+    SECStatus                        rv = SECSuccess;
+
+    PORT_Assert(arena);
+    if (genName == NULL) {
+	genName = (CERTGeneralName *) PORT_ArenaZAlloc(arena, sizeof(CERTGeneralName));
+    }
+    genNameType = (CERTGeneralNameType)((*(encodedName->data) & 0x0f) + 1);
+    switch (genNameType) {
+      case certURI:
+	  rv = SEC_ASN1DecodeItem(arena, genName, CERT_URITemplate, encodedName);
+	  break;
+      case certRFC822Name:
+	  rv = SEC_ASN1DecodeItem(arena, genName, CERT_RFC822NameTemplate, encodedName);
+	  break;
+      case certDNSName:
+	  rv = SEC_ASN1DecodeItem(arena, genName, CERT_DNSNameTemplate, encodedName);
+	  break;
+      case certIPAddress:
+	  rv = SEC_ASN1DecodeItem(arena, genName, CERT_IPAddressTemplate, encodedName);
+	  break;
+      case certOtherName:
+	  rv = SEC_ASN1DecodeItem(arena, genName, CERTOtherNameTemplate, encodedName);
+	  break;
+      case certRegisterID:
+	  rv = SEC_ASN1DecodeItem(arena, genName, CERT_RegisteredIDTemplate, encodedName);
+	  break;
+      case certEDIPartyName:
+	  rv = SEC_ASN1DecodeItem(arena, genName, CERT_EDIPartyNameTemplate, encodedName);
+	  break;
+      case certX400Address:
+	  rv = SEC_ASN1DecodeItem(arena, genName, CERT_X400AddressTemplate, encodedName);
+	  break;
+      case certDirectoryName:
+		rv = SEC_ASN1DecodeItem
+		     (arena, genName, CERT_DirectoryNameTemplate, encodedName);
+		if (rv != SECSuccess) {
+		    goto loser;
+		}
+		rv = SEC_ASN1DecodeItem
+		      (arena, &(genName->name.directoryName), CERT_NameTemplate,
+		      &(genName->derDirectoryName));
+	  break;
+    }
+
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    genName->type = genNameType;
+    genName->l.next = (PRCList *) ((char *) genName) + offsetof(CERTGeneralName, l);
+    genName->l.prev = genName->l.next;
+    return genName;
+loser:
+    return NULL;
+}
+
+CERTGeneralName *
+cert_DecodeGeneralNames (PRArenaPool  *arena,
+			 SECItem      **encodedGenName)
+{
+    PRCList                           *head = NULL;
+    PRCList                           *tail = NULL;
+    CERTGeneralName                   *currentName = NULL;
+
+    PORT_Assert(arena);
+    if (!encodedGenName) {
+	goto loser;
+    }
+    while (*encodedGenName != NULL) {
+	currentName = CERT_DecodeGeneralName(arena, *encodedGenName, NULL);
+	if (currentName == NULL) {
+	    goto loser;
+	}
+	if (head == NULL) {
+	    head = &(currentName->l);
+	    tail = head;
+	}
+	currentName->l.next = head;
+	currentName->l.prev = tail;
+	tail = &(currentName->l);
+	(cert_get_prev_general_name(currentName))->l.next = tail;
+	encodedGenName++;
+    }
+    (cert_get_next_general_name(currentName))->l.prev = tail;
+    return cert_get_next_general_name(currentName);
+loser:
+    return NULL;
+}
+
+void
+CERT_DestroyGeneralName(CERTGeneralName *name)
+{
+    cert_DestroyGeneralNames(name);
+}
+
+SECStatus
+cert_DestroyGeneralNames(CERTGeneralName *name)
+{
+    CERTGeneralName    *first;
+    CERTGeneralName    *next = NULL;
+
+
+    first = name;
+    do {
+	next = cert_get_next_general_name(name);
+	PORT_Free(name);
+	name = next;
+    } while (name != first);
+    return SECSuccess;
+}
+
+SECItem *
+cert_EncodeNameConstraint(CERTNameConstraint  *constraint, 
+			 SECItem             *dest,
+			 PRArenaPool         *arena)
+{
+    PORT_Assert(arena);
+    if (dest == NULL) {
+	dest = (SECItem *) PORT_ArenaZAlloc(arena, sizeof(SECItem));
+	if (dest == NULL) {
+	    return NULL;
+	}
+    }
+    CERT_EncodeGeneralName(&(constraint->name), &(constraint->DERName), 
+			   arena);
+    
+    dest = SEC_ASN1EncodeItem (arena, dest, constraint,
+			       CERTNameConstraintTemplate);
+    return dest;
+} 
+
+SECStatus 
+cert_EncodeNameConstraintSubTree(CERTNameConstraint  *constraints,
+			         PRArenaPool         *arena,
+				 SECItem             ***dest,
+				 PRBool              permited)
+{
+    CERTNameConstraint  *current_constraint = constraints;
+    SECItem             **items = NULL;
+    int                 count = 0;
+    int                 i;
+    PRCList             *head;
+
+    PORT_Assert(arena);
+    if (constraints != NULL) {
+	count = 1;
+    }
+    head = (PRCList *) (((char *) constraints) + offsetof(CERTNameConstraint, l));
+    while (current_constraint->l.next != head) {
+	current_constraint = cert_get_next_name_constraint(current_constraint);
+	++count;
+    }
+    current_constraint = cert_get_next_name_constraint(current_constraint);
+    items = (SECItem **) PORT_ArenaZAlloc(arena, sizeof(SECItem *) * (count + 1));
+    
+    if (items == NULL) {
+	goto loser;
+    }
+    for (i = 0; i < count; i++) {
+	items[i] = cert_EncodeNameConstraint(current_constraint, 
+					     (SECItem *) NULL, arena);
+	if (items[i] == NULL) {
+	    goto loser;
+	}
+	current_constraint = cert_get_next_name_constraint(current_constraint);
+    }
+    *dest = items;
+    if (*dest == NULL) {
+	goto loser;
+    }
+    return SECSuccess;
+loser:
+    return SECFailure;
+}
+
+SECStatus 
+cert_EncodeNameConstraints(CERTNameConstraints  *constraints,
+			   PRArenaPool          *arena,
+			   SECItem              *dest)
+{
+    SECStatus    rv = SECSuccess;
+
+    PORT_Assert(arena);
+    if (constraints->permited != NULL) {
+	rv = cert_EncodeNameConstraintSubTree(constraints->permited, arena,
+					      &constraints->DERPermited, PR_TRUE);
+	if (rv == SECFailure) {
+	    goto loser;
+	}
+    }
+    if (constraints->excluded != NULL) {
+	rv = cert_EncodeNameConstraintSubTree(constraints->excluded, arena,
+					      &constraints->DERExcluded, PR_FALSE);
+	if (rv == SECFailure) {
+	    goto loser;
+	}
+    }
+    dest = SEC_ASN1EncodeItem(arena, dest, constraints, 
+			      CERTNameConstraintsTemplate);
+    if (dest == NULL) {
+	goto loser;
+    }
+    return SECSuccess;
+loser:
+    return SECFailure;
+}
+
+
+CERTNameConstraint *
+cert_DecodeNameConstraint(PRArenaPool       *arena,
+			  SECItem           *encodedConstraint)
+{
+    CERTNameConstraint     *constraint;
+    SECStatus              rv = SECSuccess;
+    CERTGeneralName        *temp;
+
+
+
+    PORT_Assert(arena);
+    constraint = (CERTNameConstraint *) PORT_ArenaZAlloc(arena, sizeof(CERTNameConstraint));
+    rv = SEC_ASN1DecodeItem(arena, constraint, CERTNameConstraintTemplate, encodedConstraint);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    temp = CERT_DecodeGeneralName(arena, &(constraint->DERName), &(constraint->name));
+    if (temp != &(constraint->name)) {
+	goto loser;
+    }
+
+    /* ### sjlee: since the name constraint contains only one 
+     *            CERTGeneralName, the list within CERTGeneralName shouldn't 
+     *            point anywhere else.  Otherwise, bad things will happen.
+     */
+    constraint->name.l.prev = constraint->name.l.next = &(constraint->name.l);
+    return constraint;
+loser:
+    return NULL;
+}
+
+
+CERTNameConstraint *
+cert_DecodeNameConstraintSubTree(PRArenaPool   *arena,
+				 SECItem       **subTree,
+				 PRBool        permited)
+{
+    CERTNameConstraint   *current = NULL;
+    CERTNameConstraint   *first = NULL;
+    CERTNameConstraint   *last = NULL;
+    CERTNameConstraint   *next = NULL;
+    int                  i = 0;
+
+    while (subTree[i] != NULL) {
+	current = cert_DecodeNameConstraint(arena, subTree[i]);
+	if (current == NULL) {
+	    goto loser;
+	}
+	if (last == NULL) {
+	    first = last = current;
+	}
+	current->l.prev = &(last->l);
+	current->l.next = last->l.next;
+	last->l.next = &(current->l);
+	i++;
+    }
+    first->l.prev = &(current->l);
+    return first;
+loser:
+    if (first) {
+	current = first;
+	do {
+	    next = cert_get_next_name_constraint(current);
+	    PORT_Free(current);
+	    current = next;
+	}while (current != first);
+    }
+    return NULL;
+}
+
+CERTNameConstraints *
+cert_DecodeNameConstraints(PRArenaPool   *arena,
+			   SECItem       *encodedConstraints)
+{
+    CERTNameConstraints   *constraints;
+    SECStatus             rv;
+
+    PORT_Assert(arena);
+    PORT_Assert(encodedConstraints);
+    constraints = (CERTNameConstraints *) PORT_ArenaZAlloc(arena, 
+							   sizeof(CERTNameConstraints));
+    if (constraints == NULL) {
+	goto loser;
+    }
+    rv = SEC_ASN1DecodeItem(arena, constraints, CERTNameConstraintsTemplate, 
+			    encodedConstraints);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    if (constraints->DERPermited != NULL && constraints->DERPermited[0] != NULL) {
+	constraints->permited = cert_DecodeNameConstraintSubTree(arena,
+								 constraints->DERPermited,
+								 PR_TRUE);
+	if (constraints->permited == NULL) {
+	    goto loser;
+	}
+    }
+    if (constraints->DERExcluded != NULL && constraints->DERExcluded[0] != NULL) {
+	constraints->excluded = cert_DecodeNameConstraintSubTree(arena,
+								 constraints->DERExcluded,
+								 PR_FALSE);
+	if (constraints->excluded == NULL) {
+	    goto loser;
+	}
+    }
+    return constraints;
+loser:
+    return NULL;
+}
+
+
+SECStatus
+CERT_CopyGeneralName(PRArenaPool      *arena, 
+		     CERTGeneralName  *dest, 
+		     CERTGeneralName  *src)
+{
+    SECStatus rv;
+    CERTGeneralName *destHead = dest;
+    CERTGeneralName *srcHead = src;
+    CERTGeneralName *temp;
+
+    PORT_Assert(dest != NULL);
+    dest->type = src->type;
+    do {
+	switch (src->type) {
+	  case certDirectoryName: {
+	      rv = SECITEM_CopyItem(arena, &dest->derDirectoryName, &src->derDirectoryName);
+	      if (rv != SECSuccess) {
+		  return rv;
+	      }
+	      rv = CERT_CopyName(arena, &dest->name.directoryName, &src->name.directoryName);
+	      break;
+	  }
+	  case certOtherName: {
+	      rv = SECITEM_CopyItem(arena, &dest->name.OthName.name, &src->name.OthName.name);
+	      if (rv != SECSuccess) {
+		  return rv;
+	      }
+	      rv = SECITEM_CopyItem(arena, &dest->name.OthName.oid, &src->name.OthName.oid);
+	      break;
+	  }
+	  default: {
+	      rv = SECITEM_CopyItem(arena, &dest->name.other, &src->name.other);
+	  }
+	}
+	src = cert_get_next_general_name(src);
+	/* if there is only one general name, we shouldn't do this */
+	if (src != srcHead) {
+	    if (dest->l.next == &destHead->l) {
+		if (arena) {
+		    temp = (CERTGeneralName *) 
+		      PORT_ArenaZAlloc(arena, sizeof(CERTGeneralName));
+		} else {
+		    temp = (CERTGeneralName *)
+		      PORT_ZAlloc(sizeof(CERTGeneralName));
+		}
+		temp->l.next = &destHead->l;
+		temp->l.prev = &dest->l;
+		destHead->l.prev = &temp->l;
+		dest->l.next = &temp->l;
+		dest = temp;
+	    } else {
+		dest = cert_get_next_general_name(dest);
+	    }
+	}
+    } while (src != srcHead && rv == SECSuccess);
+    return rv;
+}
+
+
+CERTGeneralNameList *
+CERT_DupGeneralNameList(CERTGeneralNameList *list)
+{
+    if (list != NULL) {
+	PZ_Lock(list->lock);
+	list->refCount++;
+	PZ_Unlock(list->lock);
+    }
+    return list;
+}
+
+CERTNameConstraint *
+CERT_CopyNameConstraint(PRArenaPool         *arena, 
+			CERTNameConstraint  *dest, 
+			CERTNameConstraint  *src)
+{
+    SECStatus  rv;
+    
+    if (dest == NULL) {
+	dest = (CERTNameConstraint *) PORT_ArenaZAlloc(arena, sizeof(CERTNameConstraint));
+	/* mark that it is not linked */
+	dest->name.l.prev = dest->name.l.next = &(dest->name.l);
+    }
+    rv = CERT_CopyGeneralName(arena, &dest->name, &src->name);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    rv = SECITEM_CopyItem(arena, &dest->DERName, &src->DERName);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    rv = SECITEM_CopyItem(arena, &dest->min, &src->min);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    rv = SECITEM_CopyItem(arena, &dest->max, &src->max);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    dest->l.prev = dest->l.next = &dest->l;
+    return dest;
+loser:
+    return NULL;
+}
+
+
+CERTGeneralName *
+cert_CombineNamesLists(CERTGeneralName *list1, CERTGeneralName *list2)
+{
+    PRCList *begin1;
+    PRCList *begin2;
+    PRCList *end1;
+    PRCList *end2;
+
+    if (list1 == NULL){
+	return list2;
+    } else if (list2 == NULL) {
+	return list1;
+    } else {
+	begin1 = &list1->l;
+	begin2 = &list2->l;
+	end1 = list1->l.prev;
+	end2 = list2->l.prev;
+	end1->next = begin2;
+	end2->next = begin1;
+	begin1->prev = end2;
+	begin2->prev = end1;
+	return list1;
+    }
+}
+
+
+CERTNameConstraint *
+cert_CombineConstraintsLists(CERTNameConstraint *list1, CERTNameConstraint *list2)
+{
+    PRCList *begin1;
+    PRCList *begin2;
+    PRCList *end1;
+    PRCList *end2;
+
+    if (list1 == NULL){
+	return list2;
+    } else if (list2 == NULL) {
+	return list1;
+    } else {
+	begin1 = &list1->l;
+	begin2 = &list2->l;
+	end1 = list1->l.prev;
+	end2 = list2->l.prev;
+	end1->next = begin2;
+	end2->next = begin1;
+	begin1->prev = end2;
+	begin2->prev = end1;
+	return list1;
+    }
+}
+
+
+CERTNameConstraint *
+CERT_AddNameConstraint(CERTNameConstraint *list, 
+		       CERTNameConstraint *constraint)
+{
+    PORT_Assert(constraint != NULL);
+    constraint->l.next = constraint->l.prev = &constraint->l;
+    list = cert_CombineConstraintsLists(list, constraint);
+    return list;
+}
+
+
+SECStatus
+CERT_GetNameConstriantByType (CERTNameConstraint *constraints,
+			      CERTGeneralNameType type, 
+			      CERTNameConstraint **returnList,
+			      PRArenaPool *arena)
+{
+    CERTNameConstraint *current;
+    CERTNameConstraint *temp;
+    
+    *returnList = NULL;
+    if (!constraints)
+	return SECSuccess;
+    current = constraints;
+
+    do {
+	if (current->name.type == type || 
+	    (type == certDirectoryName && current->name.type == certRFC822Name)) {
+	    temp = NULL;
+	    temp = CERT_CopyNameConstraint(arena, temp, current);
+	    if (temp == NULL) {
+		goto loser;
+	    }
+	    *returnList = CERT_AddNameConstraint(*returnList, temp);
+	}
+	current = cert_get_next_name_constraint(current);
+    } while (current != constraints);
+    return SECSuccess;
+loser:
+    return SECFailure;
+}
+
+
+void *
+CERT_GetGeneralNameByType (CERTGeneralName *genNames,
+			   CERTGeneralNameType type, PRBool derFormat)
+{
+    CERTGeneralName *current;
+    
+    if (!genNames)
+	return (NULL);
+    current = genNames;
+
+    do {
+	if (current->type == type) {
+	    switch (type) {
+	      case certDNSName:
+	      case certEDIPartyName:
+	      case certIPAddress:
+	      case certRegisterID:
+	      case certRFC822Name:
+	      case certX400Address:
+	      case certURI: {
+		    return &(current->name.other);
+	      }
+	      case certOtherName: {
+		  return &(current->name.OthName);
+		  break;
+	      }
+	      case certDirectoryName: {
+		  if (derFormat) {
+		      return &(current->derDirectoryName);
+		  } else{
+		      return &(current->name.directoryName);
+		  }
+		  break;
+	      }
+	    }
+	}
+	current = cert_get_next_general_name(current);
+    } while (current != genNames);
+    return (NULL);
+}
+
+int
+CERT_GetNamesLength(CERTGeneralName *names)
+{
+    int              length = 0;
+    CERTGeneralName  *first;
+
+    first = names;
+    if (names != NULL) {
+	do {
+	    length++;
+	    names = cert_get_next_general_name(names);
+	} while (names != first);
+    }
+    return length;
+}
+
+CERTGeneralName *
+CERT_GetCertificateNames(CERTCertificate *cert, PRArenaPool *arena)
+{
+    CERTGeneralName  *DN;
+    CERTGeneralName  *altName;
+    SECItem          altNameExtension;
+    SECStatus        rv;
+
+
+    DN = (CERTGeneralName *) PORT_ArenaZAlloc(arena, sizeof(CERTGeneralName));
+    if (DN == NULL) {
+	goto loser;
+    }
+    rv = CERT_CopyName(arena, &DN->name.directoryName, &cert->subject);
+    DN->type = certDirectoryName;
+    DN->l.next = DN->l.prev = &DN->l;
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    rv = SECITEM_CopyItem(arena, &DN->derDirectoryName, &cert->derSubject);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, 
+				&altNameExtension);
+    if (rv != SECSuccess) {
+	return DN;
+    }
+    altName = CERT_DecodeAltNameExtension(arena, &altNameExtension);
+    PORT_Free(altNameExtension.data);
+    if (altName == NULL) {
+	goto loser;
+    }
+    DN = cert_CombineNamesLists(DN, altName);
+    return DN;
+loser:
+
+    return NULL;
+}
+
+static SECStatus
+compareNameToConstraint(char *name, char *constraint, PRBool substring)
+{
+    SECStatus  rv;
+
+    if (*constraint == '\0' && *name == '\0') {
+	return SECSuccess;
+    }
+    if (*constraint == '*') {
+	return compareNameToConstraint(name, constraint + 1, PR_TRUE);
+    }
+    if (substring) {
+	if (*constraint == '\0') {
+	    return SECSuccess;
+	}
+	while (*name != *constraint) {
+	    if (*name == '\0') {
+		return SECFailure;
+	    }
+	    name++;
+	}
+	rv = compareNameToConstraint(name + 1, constraint + 1, PR_FALSE);
+	if (rv == SECSuccess) {
+	    return rv;
+	}
+	name++;
+    } else {
+	if (*name == *constraint) {
+	    name++;
+	    constraint++;
+	} else {
+	    return SECFailure;
+	}
+    }
+    return compareNameToConstraint(name, constraint, substring);
+}
+
+SECStatus
+cert_CompareNameWithConstraints(CERTGeneralName     *name, 
+				CERTNameConstraint  *constraints,
+				PRBool              excluded)
+{
+    SECStatus           rv = SECSuccess;
+    char                *nameString = NULL;
+    char                *constraintString = NULL;
+    int                 start;
+    int                 end;
+    int                 tag;
+    CERTRDN             **nameRDNS, *nameRDN;
+    CERTRDN             **constraintRDNS, *constraintRDN;
+    CERTAVA             **nameAVAS, *nameAVA;
+    CERTAVA             **constraintAVAS, *constraintAVA;
+    CERTNameConstraint  *current;
+    SECItem             *avaValue;
+    CERTName            constraintName;
+    CERTName            certName;
+    SECComparison       status = SECEqual;
+    PRArenaPool         *certNameArena;
+    PRArenaPool         *constraintNameArena;
+
+    certName.arena = NULL;
+    certName.rdns = NULL;
+    constraintName.arena = NULL;
+    constraintName.rdns = NULL;
+    if (constraints != NULL) {
+	current = constraints;
+	if (name->type == certDirectoryName) {
+	    certNameArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	    CERT_CopyName(certNameArena, &certName, &name->name.directoryName);
+	    nameRDNS = certName.rdns;
+	    for (;;) {
+		nameRDN = *nameRDNS++;
+		nameAVAS = nameRDN->avas;
+		for(;;) {
+		    nameAVA = *nameAVAS++;
+		    tag = CERT_GetAVATag(nameAVA);
+		    if ( tag == SEC_OID_PKCS9_EMAIL_ADDRESS ||
+			 tag == SEC_OID_RFC1274_MAIL) {
+			avaValue = CERT_DecodeAVAValue(&nameAVA->value);
+			nameString = (char*)PORT_ZAlloc(avaValue->len + 1);
+			nameString = PORT_Strncpy(nameString, (char *) avaValue->data, avaValue->len);
+			start = 0;
+			while(nameString[start] != '@' && nameString[start + 1] != '\0') {
+			    start++;
+			} 
+			start++;
+			do{
+			    if (current->name.type == certRFC822Name) {
+				constraintString = (char*)PORT_ZAlloc(current->name.name.other.len + 1);
+				constraintString = PORT_Strncpy(constraintString, 
+								(char *) current->name.name.other.data,
+								current->name.name.other.len);
+				rv = compareNameToConstraint(nameString + start, constraintString, 
+							     PR_FALSE);
+
+				if (constraintString != NULL) {
+				    PORT_Free(constraintString);
+				    constraintString = NULL;
+				}
+				if (nameString != NULL) {
+				    PORT_Free(nameString);
+				    nameString = NULL;
+				}
+				if (rv == SECSuccess && excluded == PR_TRUE) {
+				    goto found;
+				}
+				if (rv == SECSuccess && excluded == PR_FALSE) {
+				    break;
+				}
+			    }
+			    current = cert_get_next_name_constraint(current);
+			} while (current != constraints);
+		    }
+		    if (rv != SECSuccess && excluded == PR_FALSE) {
+			goto loser;
+		    }
+		    if (*nameAVAS == NULL) {
+			break;
+		    }
+		}
+		if (*nameRDNS == NULL) {
+		    break;
+		}
+	    }
+	}
+	current = constraints;
+	do {
+	    switch (name->type) {
+	      case certDNSName:
+		nameString = (char*)PORT_ZAlloc(name->name.other.len + 1);
+		nameString = PORT_Strncpy(nameString, (char *) name->name.other.data, 
+					  name->name.other.len);
+		constraintString = (char*)PORT_ZAlloc(current->name.name.other.len + 1);
+		constraintString = PORT_Strncpy(constraintString, 
+						(char *) current->name.name.other.data,
+						current->name.name.other.len);
+		rv = compareNameToConstraint(nameString, constraintString, PR_FALSE);
+		if (nameString != NULL) {
+		    PORT_Free(nameString);
+		}
+		if (constraintString != NULL) {
+		    PORT_Free(constraintString);
+		}
+		break;
+	      case certRFC822Name:
+		nameString = (char*)PORT_ZAlloc(name->name.other.len + 1);
+		nameString = PORT_Strncpy(nameString, (char *) name->name.other.data, 
+					  name->name.other.len);
+		start = 0;
+		while(nameString[start] != '@' && nameString[start + 1] != '\0') {
+		    start++;
+		} 
+		start++;
+		constraintString = (char*)PORT_ZAlloc(current->name.name.other.len + 1);
+		constraintString = PORT_Strncpy(constraintString, 
+						(char *) current->name.name.other.data,
+						current->name.name.other.len);
+		rv = compareNameToConstraint(nameString + start, constraintString, PR_FALSE);
+		if (nameString != NULL) {
+		    PORT_Free(nameString);
+		}
+		if (constraintString != NULL) {
+		    PORT_Free(constraintString);
+		}
+		break;
+	      case certURI:
+	        nameString = (char*)PORT_ZAlloc(name->name.other.len + 1);
+		nameString = PORT_Strncpy(nameString, (char *) name->name.other.data, 
+					  name->name.other.len);
+		start = 0;
+		while(PORT_Strncmp(nameString + start, "://", 3) != 0 && 
+		      nameString[start + 3] != '\0') {
+		    start++;
+		}
+		start +=3;
+		end = 0;
+		while(nameString[start + end] != '/' && 
+		      nameString[start + end] != '\0') {
+		    end++;
+		}
+		nameString[start + end] = '\0';
+		constraintString = (char*)PORT_ZAlloc(current->name.name.other.len + 1);
+		constraintString = PORT_Strncpy(constraintString, 
+						(char *) current->name.name.other.data,
+						current->name.name.other.len);
+		rv = compareNameToConstraint(nameString + start, constraintString, PR_FALSE);
+		if (nameString != NULL) {
+		    PORT_Free(nameString);
+		}
+		if (constraintString != NULL) {
+		    PORT_Free(constraintString);
+		}
+		break;
+	      case certDirectoryName:  
+		if (current->name.type == certDirectoryName) {
+		    constraintNameArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 
+		    CERT_CopyName(constraintNameArena, &constraintName, &current->name.name.directoryName);
+		    constraintRDNS = constraintName.rdns;  
+		    for (;;) {
+			constraintRDN = *constraintRDNS++;
+			constraintAVAS = constraintRDN->avas;
+			for(;;) {
+			    constraintAVA = *constraintAVAS++;
+			    certNameArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+			    CERT_CopyName(certNameArena, &certName, &name->name.directoryName);
+			    nameRDNS = certName.rdns;
+			    for (;;) {
+				nameRDN = *nameRDNS++;
+				nameAVAS = nameRDN->avas++;
+				for(;;) {
+				    nameAVA = *nameAVAS++;
+				    status = CERT_CompareAVA(constraintAVA, nameAVA);
+				    if (status == SECEqual || *nameAVAS == NULL) {
+					break;
+				    }
+				}
+				if (status == SECEqual || *nameRDNS == NULL) {
+				    break;
+				}
+			    }
+			    if (status != SECEqual || *constraintAVAS == NULL) {
+				break;
+			    }
+			}
+			if (status != SECEqual || *constraintRDNS == NULL) {
+			    break;
+			}
+		    }
+		    if (status == SECEqual) {
+			if (excluded == PR_FALSE) {
+			    goto found;
+			} else {
+			    goto loser;
+			}
+		    }
+		    break;
+		} else if (current->name.type == certRFC822Name) {
+		    current = cert_get_next_name_constraint(current);
+		    continue;
+		}
+	      default:
+		/* other types are not supported */
+		if (excluded) {
+		    goto found;
+		} else {
+		    goto loser;
+		}
+	    }
+	    if (rv == SECSuccess && status == SECEqual) {
+		goto found;
+	    }
+	    current = cert_get_next_name_constraint(current);
+	} while (current !=constraints);
+    } else {
+	goto found;
+    }
+loser:
+    if (certName.arena) {
+	CERT_DestroyName(&certName);
+    }
+    if (constraintName.arena) {
+	CERT_DestroyName(&constraintName);
+    }
+    return SECFailure;
+found:
+    if (certName.arena) {
+	CERT_DestroyName(&certName);
+    }
+    if (constraintName.arena) {
+	CERT_DestroyName(&constraintName);
+    }
+    return SECSuccess;
+}
+
+
+CERTCertificate *
+CERT_CompareNameSpace(CERTCertificate  *cert,
+		      CERTGeneralName  *namesList,
+ 		      SECItem          *namesListIndex,
+ 		      PRArenaPool      *arena,
+ 		      CERTCertDBHandle *handle)
+{
+    SECStatus            rv;
+    SECItem              constraintsExtension;
+    CERTNameConstraints  *constraints;
+    CERTGeneralName      *currentName;
+    int                  count = 0;
+    CERTNameConstraint  *matchingConstraints;
+    CERTCertificate      *badCert = NULL;
+    
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_NAME_CONSTRAINTS, &constraintsExtension);
+    if (rv != SECSuccess) {
+	return NULL;
+    }
+    constraints = cert_DecodeNameConstraints(arena, &constraintsExtension);
+    currentName = namesList;
+    if (constraints == NULL) {
+	goto loser;
+    }
+    do {
+ 	if (constraints->excluded != NULL) {
+ 	    rv = CERT_GetNameConstriantByType(constraints->excluded, currentName->type, 
+ 					      &matchingConstraints, arena);
+ 	    if (rv != SECSuccess) {
+ 		goto loser;
+ 	    }
+ 	    if (matchingConstraints != NULL) {
+ 		rv = cert_CompareNameWithConstraints(currentName, matchingConstraints,
+ 						     PR_TRUE);
+ 		if (rv != SECFailure) {
+ 		    goto loser;
+ 		}
+ 	    }
+ 	}
+ 	if (constraints->permited != NULL) {
+ 	    rv = CERT_GetNameConstriantByType(constraints->permited, currentName->type, 
+ 					      &matchingConstraints, arena);
+            if (rv != SECSuccess) {
+		goto loser;
+	    }
+ 	    if (matchingConstraints != NULL) {
+ 		rv = cert_CompareNameWithConstraints(currentName, matchingConstraints,
+ 						     PR_FALSE);
+ 		if (rv != SECSuccess) {
+ 		    goto loser;
+ 		}
+ 	    } else {
+ 		goto loser;
+ 	    }
+ 	}
+ 	currentName = cert_get_next_general_name(currentName);
+ 	count ++;
+    } while (currentName != namesList);
+    return NULL;
+loser:
+    badCert = CERT_FindCertByName (handle, &namesListIndex[count]);
+    return badCert;
+}
+
+
+
+/* Search the cert for an X509_SUBJECT_ALT_NAME extension.
+** ASN1 Decode it into a list of alternate names.
+** Search the list of alternate names for one with the NETSCAPE_NICKNAME OID.
+** ASN1 Decode that name.  Turn the result into a zString.  
+** Look for duplicate nickname already in the certdb. 
+** If one is found, create a nickname string that is not a duplicate.
+*/
+char *
+CERT_GetNickName(CERTCertificate   *cert,
+ 		 CERTCertDBHandle  *handle,
+		 PRArenaPool      *nicknameArena)
+{ 
+    CERTGeneralName  *current;
+    CERTGeneralName  *names;
+    char             *nickname   = NULL;
+    char             *returnName = NULL;
+    char             *basename   = NULL;
+    PRArenaPool      *arena      = NULL;
+    CERTCertificate  *tmpcert;
+    SECStatus        rv;
+    int              count;
+    int              found = 0;
+    SECItem          altNameExtension;
+    SECItem          nick;
+
+    if (handle == NULL) {
+	handle = CERT_GetDefaultCertDB();
+    }
+    altNameExtension.data = NULL;
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, 
+				&altNameExtension);
+    if (rv != SECSuccess) { 
+	goto loser; 
+    }
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	goto loser;
+    }
+    names = CERT_DecodeAltNameExtension(arena, &altNameExtension);
+    if (names == NULL) {
+	goto loser;
+    } 
+    current = names;
+    do {
+	if (current->type == certOtherName && 
+	    SECOID_FindOIDTag(&current->name.OthName.oid) == 
+	      SEC_OID_NETSCAPE_NICKNAME) {
+	    found = 1;
+	    break;
+	}
+	current = cert_get_next_general_name(current);
+    } while (current != names);
+    if (!found)
+    	goto loser;
+
+    rv = SEC_ASN1DecodeItem(arena, &nick, SEC_IA5StringTemplate, 
+			    &current->name.OthName.name);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    /* make a null terminated string out of nick, with room enough at
+    ** the end to add on a number of up to 21 digits in length, (a signed
+    ** 64-bit number in decimal) plus a space and a "#". 
+    */
+    nickname = (char*)PORT_ZAlloc(nick.len + 24);
+    if (!nickname) 
+	goto loser;
+    PORT_Strncpy(nickname, (char *)nick.data, nick.len);
+
+    /* Don't let this cert's nickname duplicate one already in the DB.
+    ** If it does, create a variant of the nickname that doesn't.
+    */
+    count = 0;
+    while ((tmpcert = CERT_FindCertByNickname(handle, nickname)) != NULL) {
+	CERT_DestroyCertificate(tmpcert);
+	if (!basename) {
+	    basename = PORT_Strdup(nickname);
+	    if (!basename)
+		goto loser;
+	}
+	count++;
+	sprintf(nickname, "%s #%d", basename, count);
+    }
+
+    /* success */
+    if (nicknameArena) {
+	returnName =  PORT_ArenaStrdup(nicknameArena, nickname);
+    } else {
+	returnName = nickname;
+	nickname = NULL;
+    }
+loser:
+    if (arena != NULL) 
+	PORT_FreeArena(arena, PR_FALSE);
+    if (nickname)
+	PORT_Free(nickname);
+    if (basename)
+	PORT_Free(basename);
+    if (altNameExtension.data)
+    	PORT_Free(altNameExtension.data);
+    return returnName;
+}
+
+
+SECStatus
+CERT_CompareGeneralName(CERTGeneralName *a, CERTGeneralName *b)
+{
+    CERTGeneralName *currentA;
+    CERTGeneralName *currentB;
+    PRBool found;
+
+    currentA = a;
+    currentB = b;
+    if (a != NULL) {
+	do { 
+	    if (currentB == NULL) {
+		return SECFailure;
+	    }
+	    currentB = cert_get_next_general_name(currentB);
+	    currentA = cert_get_next_general_name(currentA);
+	} while (currentA != a);
+    }
+    if (currentB != b) {
+	return SECFailure;
+    }
+    currentA = a;
+    do {
+	currentB = b;
+	found = PR_FALSE;
+	do {
+	    if (currentB->type == currentA->type) {
+		switch (currentB->type) {
+		  case certDNSName:
+		  case certEDIPartyName:
+		  case certIPAddress:
+		  case certRegisterID:
+		  case certRFC822Name:
+		  case certX400Address:
+		  case certURI:
+		    if (SECITEM_CompareItem(&currentA->name.other,
+					    &currentB->name.other) 
+			== SECEqual) {
+			found = PR_TRUE;
+		    }
+		    break;
+		  case certOtherName:
+		    if (SECITEM_CompareItem(&currentA->name.OthName.oid,
+					    &currentB->name.OthName.oid) 
+			== SECEqual &&
+			SECITEM_CompareItem(&currentA->name.OthName.name,
+					    &currentB->name.OthName.name)
+			== SECEqual) {
+			found = PR_TRUE;
+		    }
+		    break;
+		  case certDirectoryName:
+		    if (CERT_CompareName(&currentA->name.directoryName,
+					 &currentB->name.directoryName)
+			== SECEqual) {
+			found = PR_TRUE;
+		    }
+		}
+		    
+	    }
+	    currentB = cert_get_next_general_name(currentB);
+	} while (currentB != b && found != PR_TRUE);
+	if (found != PR_TRUE) {
+	    return SECFailure;
+	}
+	currentA = cert_get_next_general_name(currentA);
+    } while (currentA != a);
+    return SECSuccess;
+}
+
+SECStatus
+CERT_CompareGeneralNameLists(CERTGeneralNameList *a, CERTGeneralNameList *b)
+{
+    SECStatus rv;
+
+    if (a == b) {
+	return SECSuccess;
+    }
+    if (a != NULL && b != NULL) {
+	PZ_Lock(a->lock);
+	PZ_Lock(b->lock);
+	rv = CERT_CompareGeneralName(a->name, b->name);
+	PZ_Unlock(a->lock);
+	PZ_Unlock(b->lock);
+    } else {
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+void *
+CERT_GetGeneralNameFromListByType(CERTGeneralNameList *list,
+				  CERTGeneralNameType type,
+				  PRArenaPool *arena)
+{
+    CERTName *name = NULL; 
+    SECItem *item = NULL;
+    OtherName *other = NULL;
+    OtherName *tmpOther = NULL;
+    void *data;
+
+    PZ_Lock(list->lock);
+    data = CERT_GetGeneralNameByType(list->name, type, PR_FALSE);
+    if (data != NULL) {
+	switch (type) {
+	  case certDNSName:
+	  case certEDIPartyName:
+	  case certIPAddress:
+	  case certRegisterID:
+	  case certRFC822Name:
+	  case certX400Address:
+	  case certURI:
+	    if (arena != NULL) {
+		item = (SECItem *)PORT_ArenaAlloc(arena, sizeof(SECItem));
+		if (item != NULL) {
+		    SECITEM_CopyItem(arena, item, (SECItem *) data);
+		}
+	    } else { 
+		item = SECITEM_DupItem((SECItem *) data);
+	    }
+	    PZ_Unlock(list->lock);
+	    return item;
+	  case certOtherName:
+	    other = (OtherName *) data;
+	    if (arena != NULL) {
+		tmpOther = (OtherName *)PORT_ArenaAlloc(arena, 
+							sizeof(OtherName));
+	    } else {
+		tmpOther = (OtherName *) PORT_Alloc(sizeof(OtherName));
+	    }
+	    if (tmpOther != NULL) {
+		SECITEM_CopyItem(arena, &tmpOther->oid, &other->oid);
+		SECITEM_CopyItem(arena, &tmpOther->name, &other->name);
+	    }
+	    PZ_Unlock(list->lock);
+	    return tmpOther;
+	  case certDirectoryName:
+	    if (arena == NULL) {
+		PZ_Unlock(list->lock);
+		return NULL;
+	    } else {
+		name = (CERTName *) PORT_ArenaZAlloc(list->arena, 
+						    sizeof(CERTName));
+		if (name != NULL) {
+		    CERT_CopyName(arena, name, (CERTName *) data);
+		}
+		PZ_Unlock(list->lock);
+		return name;
+	    }
+	}
+    }
+    PZ_Unlock(list->lock);
+    return NULL;
+}
+
+void
+CERT_AddGeneralNameToList(CERTGeneralNameList *list, 
+			  CERTGeneralNameType type,
+			  void *data, SECItem *oid)
+{
+    CERTGeneralName *name;
+
+    if (list != NULL && data != NULL) {
+	PZ_Lock(list->lock);
+	name = (CERTGeneralName *) 
+	    PORT_ArenaZAlloc(list->arena, sizeof(CERTGeneralName));
+	name->type = type;
+	switch (type) {
+	  case certDNSName:
+	  case certEDIPartyName:
+	  case certIPAddress:
+	  case certRegisterID:
+	  case certRFC822Name:
+	  case certX400Address:
+	  case certURI:
+	    SECITEM_CopyItem(list->arena, &name->name.other, (SECItem *)data);
+	    break;
+	  case certOtherName:
+	    SECITEM_CopyItem(list->arena, &name->name.OthName.name,
+			     (SECItem *) data);
+	    SECITEM_CopyItem(list->arena, &name->name.OthName.oid,
+			     oid);
+	    break;
+	  case certDirectoryName:
+	    CERT_CopyName(list->arena, &name->name.directoryName,
+			  (CERTName *) data);
+	    break;
+	}
+	name->l.prev = name->l.next = &name->l;
+	list->name = cert_CombineNamesLists(list->name, name);
+	list->len++;
+	PZ_Unlock(list->lock);
+    }
+    return;
+}
diff --git a/security/nss/lib/certdb/genname.h b/security/nss/lib/certdb/genname.h
new file mode 100644
index 000000000..8e3a58619
--- /dev/null
+++ b/security/nss/lib/certdb/genname.h
@@ -0,0 +1,125 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _GENAME_H_
+#define _GENAME_H_
+
+#include "plarena.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "certt.h"
+
+/************************************************************************/
+SEC_BEGIN_PROTOS
+
+extern const SEC_ASN1Template CERT_GeneralNamesTemplate[];
+
+extern CERTGeneralName *
+cert_get_next_general_name(CERTGeneralName *current);
+
+extern CERTGeneralName *
+cert_get_prev_general_name(CERTGeneralName *current);
+
+extern SECItem *
+CERT_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest,
+		       PRArenaPool *arena);
+
+extern SECItem **
+cert_EncodeGeneralNames(PRArenaPool *arena, CERTGeneralName *names);
+
+extern CERTGeneralName *
+CERT_DecodeGeneralName(PRArenaPool *arena, SECItem *encodedName,
+		       CERTGeneralName  *genName);
+
+extern CERTGeneralName *
+cert_DecodeGeneralNames(PRArenaPool *arena, SECItem **encodedGenName);
+
+extern SECStatus
+cert_DestroyGeneralNames(CERTGeneralName *name);
+
+extern SECStatus 
+cert_EncodeNameConstraints(CERTNameConstraints *constraints, PRArenaPool *arena,
+			   SECItem *dest);
+
+extern CERTNameConstraints *
+cert_DecodeNameConstraints(PRArenaPool *arena, SECItem *encodedConstraints);
+
+extern CERTGeneralName *
+cert_CombineNamesLists(CERTGeneralName *list1, CERTGeneralName *list2);
+
+extern CERTNameConstraint *
+cert_CombineConstraintsLists(CERTNameConstraint *list1, CERTNameConstraint *list2);
+
+SECStatus
+CERT_CompareGeneralName(CERTGeneralName *a, CERTGeneralName *b);
+
+SECStatus
+CERT_CopyGeneralName(PRArenaPool      *arena, 
+		     CERTGeneralName  *dest, 
+		     CERTGeneralName  *src);
+
+/* General Name Lists are a thread safe, reference counting layer to 
+ * general names */
+
+void
+CERT_DestroyGeneralNameList(CERTGeneralNameList *list);
+
+CERTGeneralNameList *
+CERT_CreateGeneralNameList(CERTGeneralName *name);
+
+SECStatus
+CERT_CompareGeneralNameLists(CERTGeneralNameList *a, CERTGeneralNameList *b);
+
+void *
+CERT_GetGeneralNameFromListByType(CERTGeneralNameList *list,
+				  CERTGeneralNameType type,
+				  PRArenaPool *arena);
+
+void
+CERT_AddGeneralNameToList(CERTGeneralNameList *list, 
+			  CERTGeneralNameType type,
+			  void *data, SECItem *oid);
+
+
+CERTGeneralNameList *
+CERT_DupGeneralNameList(CERTGeneralNameList *list);
+
+
+int
+CERT_GetNamesLength(CERTGeneralName *names);
+/************************************************************************/
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/certdb/manifest.mn b/security/nss/lib/certdb/manifest.mn
new file mode 100644
index 000000000..33b3fb612
--- /dev/null
+++ b/security/nss/lib/certdb/manifest.mn
@@ -0,0 +1,67 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CORE_DEPTH = ../../..
+
+EXPORTS = \
+	cert.h \
+	certt.h \
+	certdb.h \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	genname.h \
+	xconst.h \
+	certxutl.h \
+	$(NULL)
+
+MODULE = security
+
+CSRCS = \
+	alg1485.c \
+	certdb.c \
+	certv3.c \
+	certxutl.c \
+	crl.c \
+	genname.c \
+	stanpcertdb.c \
+	polcyxtn.c \
+	secname.c \
+	xauthkid.c \
+	xbsconst.c \
+	xconst.c \
+	$(NULL)
+
+REQUIRES = security dbm
+
+LIBRARY_NAME = certdb
+
diff --git a/security/nss/lib/certdb/polcyxtn.c b/security/nss/lib/certdb/polcyxtn.c
new file mode 100644
index 000000000..7f3dd3a78
--- /dev/null
+++ b/security/nss/lib/certdb/polcyxtn.c
@@ -0,0 +1,541 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Support for various policy related extensions
+ *
+ * $Id$
+ */
+
+#include "seccomon.h"
+#include "secport.h"
+#include "secder.h"
+#include "cert.h"
+#include "secoid.h"
+#include "secasn1.h"
+#include "secerr.h"
+#include "nspr.h"
+
+const SEC_ASN1Template CERT_NoticeReferenceTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTNoticeReference) },
+/* NOTE: this should be a choice */
+    { SEC_ASN1_IA5_STRING,
+	  offsetof(CERTNoticeReference, organization) },
+    { SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTNoticeReference, noticeNumbers),
+	  SEC_IntegerTemplate }, 
+    { 0 }
+};
+
+/* this template can not be encoded because of the option inline */
+const SEC_ASN1Template CERT_UserNoticeTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTUserNotice) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE | SEC_ASN1_CONSTRUCTED,
+	  offsetof(CERTUserNotice, derNoticeReference) }, 
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
+	  offsetof(CERTUserNotice, displayText) }, 
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_PolicyQualifierTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTPolicyQualifier) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(CERTPolicyQualifier, qualifierID) },
+    { SEC_ASN1_ANY,
+	  offsetof(CERTPolicyQualifier, qualifierValue) },
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_PolicyInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTPolicyInfo) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(CERTPolicyInfo, policyID) },
+    { SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTPolicyInfo, policyQualifiers),
+	  CERT_PolicyQualifierTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_CertificatePoliciesTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTCertificatePolicies, policyInfos),
+	  CERT_PolicyInfoTemplate, sizeof(CERTCertificatePolicies)  }
+};
+
+static void
+breakLines(char *string)
+{
+    char *tmpstr;
+    char *lastspace = NULL;
+    int curlen = 0;
+    int c;
+    
+    tmpstr = string;
+
+    while ( ( c = *tmpstr ) != '\0' ) {
+	switch ( c ) {
+	  case ' ':
+	    lastspace = tmpstr;
+	    break;
+	  case '\n':
+	    lastspace = NULL;
+	    curlen = 0;
+	    break;
+	}
+	
+	if ( ( curlen >= 55 ) && ( lastspace != NULL ) ) {
+	    *lastspace = '\n';
+	    curlen = ( tmpstr - lastspace );
+	    lastspace = NULL;
+	}
+	
+	curlen++;
+	tmpstr++;
+    }
+    
+    return;
+}
+
+CERTCertificatePolicies *
+CERT_DecodeCertificatePoliciesExtension(SECItem *extnValue)
+{
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    CERTCertificatePolicies *policies;
+    CERTPolicyInfo **policyInfos, *policyInfo;
+    CERTPolicyQualifier **policyQualifiers, *policyQualifier;
+    
+    /* make a new arena */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( !arena ) {
+	goto loser;
+    }
+
+    /* allocate the certifiate policies structure */
+    policies = (CERTCertificatePolicies *)
+	PORT_ArenaZAlloc(arena, sizeof(CERTCertificatePolicies));
+    
+    if ( policies == NULL ) {
+	goto loser;
+    }
+    
+    policies->arena = arena;
+
+    /* decode the policy info */
+    rv = SEC_ASN1DecodeItem(arena, policies, CERT_CertificatePoliciesTemplate,
+			    extnValue);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* initialize the oid tags */
+    policyInfos = policies->policyInfos;
+    while (*policyInfos != NULL ) {
+	policyInfo = *policyInfos;
+	policyInfo->oid = SECOID_FindOIDTag(&policyInfo->policyID);
+	policyQualifiers = policyInfo->policyQualifiers;
+	while ( *policyQualifiers != NULL ) {
+	    policyQualifier = *policyQualifiers;
+	    policyQualifier->oid =
+		SECOID_FindOIDTag(&policyQualifier->qualifierID);
+	    policyQualifiers++;
+	}
+	policyInfos++;
+    }
+
+    return(policies);
+    
+loser:
+    if ( arena != NULL ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+void
+CERT_DestroyCertificatePoliciesExtension(CERTCertificatePolicies *policies)
+{
+    if ( policies != NULL ) {
+	PORT_FreeArena(policies->arena, PR_FALSE);
+    }
+    return;
+}
+
+
+CERTUserNotice *
+CERT_DecodeUserNotice(SECItem *noticeItem)
+{
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    CERTUserNotice *userNotice;
+    
+    /* make a new arena */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( !arena ) {
+	goto loser;
+    }
+
+    /* allocate the userNotice structure */
+    userNotice = (CERTUserNotice *)PORT_ArenaZAlloc(arena,
+						    sizeof(CERTUserNotice));
+    
+    if ( userNotice == NULL ) {
+	goto loser;
+    }
+    
+    userNotice->arena = arena;
+
+    /* decode the user notice */
+    rv = SEC_ASN1DecodeItem(arena, userNotice, CERT_UserNoticeTemplate, 
+			    noticeItem);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    if (userNotice->derNoticeReference.data != NULL) {
+	/* sigh, the asn1 parser stripped the sequence encoding, re add it
+	 * before we decode.
+	 */
+	SECItem tmpbuf;
+	int	newBytes;
+
+	newBytes = SEC_ASN1LengthLength(userNotice->derNoticeReference.len)+1;
+	tmpbuf.len = newBytes + userNotice->derNoticeReference.len;
+	tmpbuf.data = PORT_ZAlloc(tmpbuf.len);
+	if (tmpbuf.data == NULL) {
+	    goto loser;
+	}
+	tmpbuf.data[0] = SEC_ASN1_SEQUENCE | SEC_ASN1_CONSTRUCTED;
+	SEC_ASN1EncodeLength(&tmpbuf.data[1],userNotice->derNoticeReference.len);
+	PORT_Memcpy(&tmpbuf.data[newBytes],userNotice->derNoticeReference.data,
+				userNotice->derNoticeReference.len);
+
+	/* OK, no decode it */
+    	rv = SEC_ASN1DecodeItem(arena, &userNotice->noticeReference, 
+	    CERT_NoticeReferenceTemplate, &tmpbuf);
+
+	PORT_Free(tmpbuf.data); tmpbuf.data = NULL;
+    	if ( rv != SECSuccess ) {
+	    goto loser;
+    	}
+    }
+
+    return(userNotice);
+    
+loser:
+    if ( arena != NULL ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+void
+CERT_DestroyUserNotice(CERTUserNotice *userNotice)
+{
+    if ( userNotice != NULL ) {
+	PORT_FreeArena(userNotice->arena, PR_FALSE);
+    }
+    return;
+}
+
+static CERTPolicyStringCallback policyStringCB = NULL;
+static void *policyStringCBArg = NULL;
+
+void
+CERT_SetCAPolicyStringCallback(CERTPolicyStringCallback cb, void *cbarg)
+{
+    policyStringCB = cb;
+    policyStringCBArg = cbarg;
+    return;
+}
+
+char *
+stringFromUserNotice(SECItem *noticeItem)
+{
+    SECItem *org;
+    unsigned int len, headerlen;
+    char *stringbuf;
+    CERTUserNotice *userNotice;
+    char *policystr;
+    char *retstr = NULL;
+    SECItem *displayText;
+    SECItem **noticeNumbers;
+    unsigned int strnum;
+    
+    /* decode the user notice */
+    userNotice = CERT_DecodeUserNotice(noticeItem);
+    if ( userNotice == NULL ) {
+	return(NULL);
+    }
+    
+    org = &userNotice->noticeReference.organization;
+    if ( (org->len != 0 ) && ( policyStringCB != NULL ) ) {
+	/* has a noticeReference */
+
+	/* extract the org string */
+	len = org->len;
+	stringbuf = (char*)PORT_Alloc(len + 1);
+	if ( stringbuf != NULL ) {
+	    PORT_Memcpy(stringbuf, org->data, len);
+	    stringbuf[len] = '\0';
+
+	    noticeNumbers = userNotice->noticeReference.noticeNumbers;
+	    while ( *noticeNumbers != NULL ) {
+		/* XXX - only one byte integers right now*/
+		strnum = (*noticeNumbers)->data[0];
+		policystr = (* policyStringCB)(stringbuf,
+					       strnum,
+					       policyStringCBArg);
+		if ( policystr != NULL ) {
+		    if ( retstr != NULL ) {
+			retstr = PR_sprintf_append(retstr, "\n%s", policystr);
+		    } else {
+			retstr = PR_sprintf_append(retstr, "%s", policystr);
+		    }
+
+		    PORT_Free(policystr);
+		}
+		
+		noticeNumbers++;
+	    }
+
+	    PORT_Free(stringbuf);
+	}
+    }
+
+    if ( retstr == NULL ) {
+	if ( userNotice->displayText.len != 0 ) {
+	    displayText = &userNotice->displayText;
+
+	    if ( displayText->len > 2 ) {
+		if ( displayText->data[0] == SEC_ASN1_VISIBLE_STRING ) {
+		    headerlen = 2;
+		    if ( displayText->data[1] & 0x80 ) {
+			/* multibyte length */
+			headerlen += ( displayText->data[1] & 0x7f );
+		    }
+
+		    len = displayText->len - headerlen;
+		    retstr = (char*)PORT_Alloc(len + 1);
+		    if ( retstr != NULL ) {
+			PORT_Memcpy(retstr, &displayText->data[headerlen],len);
+			retstr[len] = '\0';
+		    }
+		}
+	    }
+	}
+    }
+    
+    CERT_DestroyUserNotice(userNotice);
+    
+    return(retstr);
+}
+
+char *
+CERT_GetCertCommentString(CERTCertificate *cert)
+{
+    char *retstring = NULL;
+    SECStatus rv;
+    SECItem policyItem;
+    CERTCertificatePolicies *policies = NULL;
+    CERTPolicyInfo **policyInfos;
+    CERTPolicyQualifier **policyQualifiers, *qualifier;
+
+    policyItem.data = NULL;
+    
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_CERTIFICATE_POLICIES,
+				&policyItem);
+    if ( rv != SECSuccess ) {
+	goto nopolicy;
+    }
+
+    policies = CERT_DecodeCertificatePoliciesExtension(&policyItem);
+    if ( policies == NULL ) {
+	goto nopolicy;
+    }
+
+    policyInfos = policies->policyInfos;
+    /* search through policyInfos looking for the verisign policy */
+    while (*policyInfos != NULL ) {
+	if ( (*policyInfos)->oid == SEC_OID_VERISIGN_USER_NOTICES ) {
+	    policyQualifiers = (*policyInfos)->policyQualifiers;
+	    /* search through the policy qualifiers looking for user notice */
+	    while ( *policyQualifiers != NULL ) {
+		qualifier = *policyQualifiers;
+		if ( qualifier->oid == SEC_OID_PKIX_USER_NOTICE_QUALIFIER ) {
+		    retstring =
+			stringFromUserNotice(&qualifier->qualifierValue);
+		    break;
+		}
+
+		policyQualifiers++;
+	    }
+	    break;
+	}
+	policyInfos++;
+    }
+
+nopolicy:
+    if ( policyItem.data != NULL ) {
+	PORT_Free(policyItem.data);
+    }
+
+    if ( policies != NULL ) {
+	CERT_DestroyCertificatePoliciesExtension(policies);
+    }
+    
+    if ( retstring == NULL ) {
+	retstring = CERT_FindNSStringExtension(cert,
+					       SEC_OID_NS_CERT_EXT_COMMENT);
+    }
+    
+    if ( retstring != NULL ) {
+	breakLines(retstring);
+    }
+    
+    return(retstring);
+}
+
+
+const SEC_ASN1Template CERT_OidSeqTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTOidSequence, oids),
+	  SEC_ObjectIDTemplate }
+};
+
+CERTOidSequence *
+CERT_DecodeOidSequence(SECItem *seqItem)
+{
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    CERTOidSequence *oidSeq;
+    
+    /* make a new arena */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( !arena ) {
+	goto loser;
+    }
+
+    /* allocate the userNotice structure */
+    oidSeq = (CERTOidSequence *)PORT_ArenaZAlloc(arena,
+						 sizeof(CERTOidSequence));
+    
+    if ( oidSeq == NULL ) {
+	goto loser;
+    }
+    
+    oidSeq->arena = arena;
+
+    /* decode the user notice */
+    rv = SEC_ASN1DecodeItem(arena, oidSeq, CERT_OidSeqTemplate, seqItem);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    return(oidSeq);
+    
+loser:
+    return(NULL);
+}
+
+
+void
+CERT_DestroyOidSequence(CERTOidSequence *oidSeq)
+{
+    if ( oidSeq != NULL ) {
+	PORT_FreeArena(oidSeq->arena, PR_FALSE);
+    }
+    return;
+}
+
+PRBool
+CERT_GovtApprovedBitSet(CERTCertificate *cert)
+{
+    SECStatus rv;
+    SECItem extItem;
+    CERTOidSequence *oidSeq = NULL;
+    PRBool ret;
+    SECItem **oids;
+    SECItem *oid;
+    SECOidTag oidTag;
+    
+    extItem.data = NULL;
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, &extItem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    oidSeq = CERT_DecodeOidSequence(&extItem);
+    if ( oidSeq == NULL ) {
+	goto loser;
+    }
+
+    oids = oidSeq->oids;
+    while ( oids != NULL && *oids != NULL ) {
+	oid = *oids;
+	
+	oidTag = SECOID_FindOIDTag(oid);
+	
+	if ( oidTag == SEC_OID_NS_KEY_USAGE_GOVT_APPROVED ) {
+	    goto success;
+	}
+	
+	oids++;
+    }
+
+loser:
+    ret = PR_FALSE;
+    goto done;
+success:
+    ret = PR_TRUE;
+done:
+    if ( oidSeq != NULL ) {
+	CERT_DestroyOidSequence(oidSeq);
+    }
+    if (extItem.data != NULL) {
+	PORT_Free(extItem.data);
+    }
+    return(ret);
+}
diff --git a/security/nss/lib/certdb/secname.c b/security/nss/lib/certdb/secname.c
new file mode 100644
index 000000000..9296fd86d
--- /dev/null
+++ b/security/nss/lib/certdb/secname.c
@@ -0,0 +1,641 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "cert.h"
+#include "secoid.h"
+#include "secder.h"	/* XXX remove this when remove the DERTemplates */
+#include "secasn1.h"
+#include "secitem.h"
+#include <stdarg.h>
+#include "secerr.h"
+
+static const SEC_ASN1Template cert_AVATemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTAVA) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(CERTAVA,type), },
+    { SEC_ASN1_ANY,
+	  offsetof(CERTAVA,value), },
+    { 0, }
+};
+
+const SEC_ASN1Template CERT_RDNTemplate[] = {
+    { SEC_ASN1_SET_OF,
+	  offsetof(CERTRDN,avas), cert_AVATemplate, sizeof(CERTRDN) }
+};
+
+
+static int
+CountArray(void **array)
+{
+    int count = 0;
+    if (array) {
+	while (*array++) {
+	    count++;
+	}
+    }
+    return count;
+}
+
+static void
+**AddToArray(PRArenaPool *arena, void **array, void *element)
+{
+    unsigned count;
+    void **ap;
+
+    /* Count up number of slots already in use in the array */
+    count = 0;
+    ap = array;
+    if (ap) {
+	while (*ap++) {
+	    count++;
+	}
+    }
+
+    if (array) {
+	array = (void**) PORT_ArenaGrow(arena, array,
+					(count + 1) * sizeof(void *),
+					(count + 2) * sizeof(void *));
+    } else {
+	array = (void**) PORT_ArenaAlloc(arena, (count + 2) * sizeof(void *));
+    }
+    if (array) {
+	array[count] = element;
+	array[count+1] = 0;
+    }
+    return array;
+}
+
+#if 0
+static void
+**RemoveFromArray(void **array, void *element)
+{
+    unsigned count;
+    void **ap;
+    int slot;
+
+    /* Look for element */
+    ap = array;
+    if (ap) {
+	count = 1;			/* count the null at the end */
+	slot = -1;
+	for (; *ap; ap++, count++) {
+	    if (*ap == element) {
+		/* Found it */
+		slot = ap - array;
+	    }
+	}
+	if (slot >= 0) {
+	    /* Found it. Squish array down */
+	    PORT_Memmove((void*) (array + slot), (void*) (array + slot + 1),
+		       (count - slot - 1) * sizeof(void*));
+	    /* Don't bother reallocing the memory */
+	}
+    }
+    return array;
+}
+#endif /* 0 */
+
+SECOidTag
+CERT_GetAVATag(CERTAVA *ava)
+{
+    SECOidData *oid;
+    if (!ava->type.data) return (SECOidTag)-1;
+
+    oid = SECOID_FindOID(&ava->type);
+    
+    if ( oid ) {
+	return(oid->offset);
+    }
+    return (SECOidTag)-1;
+}
+
+static SECStatus
+SetupAVAType(PRArenaPool *arena, SECOidTag type, SECItem *it, unsigned *maxLenp)
+{
+    unsigned char *oid;
+    unsigned oidLen;
+    unsigned char *cp;
+    unsigned maxLen;
+    SECOidData *oidrec;
+
+    oidrec = SECOID_FindOIDByTag(type);
+    if (oidrec == NULL)
+	return SECFailure;
+
+    oid = oidrec->oid.data;
+    oidLen = oidrec->oid.len;
+
+    switch (type) {
+      case SEC_OID_AVA_COUNTRY_NAME:
+	maxLen = 2;
+	break;
+      case SEC_OID_AVA_ORGANIZATION_NAME:
+	maxLen = 64;
+	break;
+      case SEC_OID_AVA_COMMON_NAME:
+	maxLen = 64;
+	break;
+      case SEC_OID_AVA_LOCALITY:
+	maxLen = 128;
+	break;
+      case SEC_OID_AVA_STATE_OR_PROVINCE:
+	maxLen = 128;
+	break;
+      case SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME:
+	maxLen = 64;
+	break;
+      case SEC_OID_AVA_DC:
+	maxLen = 128;
+	break;
+      case SEC_OID_AVA_DN_QUALIFIER:
+	maxLen = 0x7fff;
+	break;
+      case SEC_OID_PKCS9_EMAIL_ADDRESS:
+	maxLen = 128;
+	break;
+      case SEC_OID_RFC1274_UID:
+	maxLen = 256;  /* RFC 1274 specifies 256 */
+	break;
+      case SEC_OID_RFC1274_MAIL:
+	maxLen = 256;  /* RFC 1274 specifies 256 */
+	break; 
+      default:
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    it->data = cp = (unsigned char*) PORT_ArenaAlloc(arena, oidLen);
+    if (cp == NULL) {
+	return SECFailure;
+    }
+    it->len = oidLen;
+    PORT_Memcpy(cp, oid, oidLen);
+    *maxLenp = maxLen;
+    return SECSuccess;
+}
+
+static SECStatus
+SetupAVAValue(PRArenaPool *arena, int valueType, char *value, SECItem *it,
+	      unsigned maxLen)
+{
+    unsigned valueLen, valueLenLen, total;
+    unsigned ucs4Len = 0, ucs4MaxLen;
+    unsigned char *cp, *ucs4Val;
+
+    switch (valueType) {
+      case SEC_ASN1_PRINTABLE_STRING:
+      case SEC_ASN1_IA5_STRING:
+      case SEC_ASN1_T61_STRING:
+	valueLen = PORT_Strlen(value);
+	break;
+      case SEC_ASN1_UNIVERSAL_STRING:
+	valueLen = PORT_Strlen(value);
+	ucs4Val = (unsigned char *)PORT_ArenaZAlloc(arena, 
+						    PORT_Strlen(value) * 6);
+	ucs4MaxLen = PORT_Strlen(value) * 6;
+	if(!ucs4Val || !PORT_UCS4_UTF8Conversion(PR_TRUE, (unsigned char *)value, valueLen,
+					ucs4Val, ucs4MaxLen, &ucs4Len)) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    return SECFailure;
+	}
+	value = (char *)ucs4Val;
+	valueLen = ucs4Len;
+	break;
+      default:
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if (((valueType != SEC_ASN1_UNIVERSAL_STRING) && (valueLen > maxLen)) ||
+      ((valueType == SEC_ASN1_UNIVERSAL_STRING) && (valueLen > (maxLen * 4)))) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    } 
+
+    valueLenLen = DER_LengthLength(valueLen);
+    total = 1 + valueLenLen + valueLen;
+    it->data = cp = (unsigned char*) PORT_ArenaAlloc(arena, total);
+    if (!cp) {
+	return SECFailure;
+    }
+    it->len = total;
+    cp = (unsigned char*) DER_StoreHeader(cp, valueType, valueLen);
+    PORT_Memcpy(cp, value, valueLen);
+    return SECSuccess;
+}
+
+CERTAVA *
+CERT_CreateAVA(PRArenaPool *arena, SECOidTag kind, int valueType, char *value)
+{
+    CERTAVA *ava;
+    int rv;
+    unsigned maxLen;
+
+    ava = (CERTAVA*) PORT_ArenaZAlloc(arena, sizeof(CERTAVA));
+    if (ava) {
+	rv = SetupAVAType(arena, kind, &ava->type, &maxLen);
+	if (rv) {
+	    /* Illegal AVA type */
+	    return 0;
+	}
+	rv = SetupAVAValue(arena, valueType, value, &ava->value, maxLen);
+	if (rv) {
+	    /* Illegal value type */
+	    return 0;
+	}
+    }
+    return ava;
+}
+
+CERTAVA *
+CERT_CopyAVA(PRArenaPool *arena, CERTAVA *from)
+{
+    CERTAVA *ava;
+    int rv;
+
+    ava = (CERTAVA*) PORT_ArenaZAlloc(arena, sizeof(CERTAVA));
+    if (ava) {
+	rv = SECITEM_CopyItem(arena, &ava->type, &from->type);
+	if (rv) goto loser;
+	rv = SECITEM_CopyItem(arena, &ava->value, &from->value);
+	if (rv) goto loser;
+    }
+    return ava;
+
+  loser:
+    return 0;
+}
+
+/************************************************************************/
+/* XXX This template needs to go away in favor of the new SEC_ASN1 version. */
+static const SEC_ASN1Template cert_RDNTemplate[] = {
+    { SEC_ASN1_SET_OF,
+	  offsetof(CERTRDN,avas), cert_AVATemplate, sizeof(CERTRDN) }
+};
+
+
+CERTRDN *
+CERT_CreateRDN(PRArenaPool *arena, CERTAVA *ava0, ...)
+{
+    CERTAVA *ava;
+    CERTRDN *rdn;
+    va_list ap;
+    unsigned count;
+    CERTAVA **avap;
+
+    rdn = (CERTRDN*) PORT_ArenaAlloc(arena, sizeof(CERTRDN));
+    if (rdn) {
+	/* Count number of avas going into the rdn */
+	count = 1;
+	va_start(ap, ava0);
+	while ((ava = va_arg(ap, CERTAVA*)) != 0) {
+	    count++;
+	}
+	va_end(ap);
+
+	/* Now fill in the pointers */
+	rdn->avas = avap =
+	    (CERTAVA**) PORT_ArenaAlloc( arena, (count + 1)*sizeof(CERTAVA*));
+	if (!avap) {
+	    return 0;
+	}
+	*avap++ = ava0;
+	va_start(ap, ava0);
+	while ((ava = va_arg(ap, CERTAVA*)) != 0) {
+	    *avap++ = ava;
+	}
+	va_end(ap);
+	*avap++ = 0;
+    }
+    return rdn;
+}
+
+SECStatus
+CERT_AddAVA(PRArenaPool *arena, CERTRDN *rdn, CERTAVA *ava)
+{
+    rdn->avas = (CERTAVA**) AddToArray(arena, (void**) rdn->avas, ava);
+    return rdn->avas ? SECSuccess : SECFailure;
+}
+
+SECStatus
+CERT_CopyRDN(PRArenaPool *arena, CERTRDN *to, CERTRDN *from)
+{
+    CERTAVA **avas, *fava, *tava;
+    SECStatus rv;
+
+    /* Copy each ava from from */
+    avas = from->avas;
+    while ((fava = *avas++) != 0) {
+	tava = CERT_CopyAVA(arena, fava);
+	if (!tava) return SECFailure;
+	rv = CERT_AddAVA(arena, to, tava);
+	if (rv) return rv;
+    }
+    return SECSuccess;
+}
+
+/************************************************************************/
+
+const SEC_ASN1Template CERT_NameTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF,
+	  offsetof(CERTName,rdns), CERT_RDNTemplate, sizeof(CERTName) }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_NameTemplate)
+
+CERTName *
+CERT_CreateName(CERTRDN *rdn0, ...)
+{
+    CERTRDN *rdn;
+    CERTName *name;
+    va_list ap;
+    unsigned count;
+    CERTRDN **rdnp;
+    PRArenaPool *arena;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( !arena ) {
+	return(0);
+    }
+    
+    name = (CERTName*) PORT_ArenaAlloc(arena, sizeof(CERTName));
+    if (name) {
+	name->arena = arena;
+	
+	/* Count number of RDNs going into the Name */
+	if (!rdn0) {
+	    count = 0;
+	} else {
+	    count = 1;
+	    va_start(ap, rdn0);
+	    while ((rdn = va_arg(ap, CERTRDN*)) != 0) {
+		count++;
+	    }
+	    va_end(ap);
+	}
+
+	/* Allocate space (including space for terminal null ptr) */
+	name->rdns = rdnp =
+	    (CERTRDN**) PORT_ArenaAlloc(arena, (count + 1) * sizeof(CERTRDN*));
+	if (!name->rdns) {
+	    goto loser;
+	}
+
+	/* Now fill in the pointers */
+	if (count > 0) {
+	    *rdnp++ = rdn0;
+	    va_start(ap, rdn0);
+	    while ((rdn = va_arg(ap, CERTRDN*)) != 0) {
+		*rdnp++ = rdn;
+	    }
+	    va_end(ap);
+	}
+
+	/* null terminate the list */
+	*rdnp++ = 0;
+    }
+    return name;
+
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return(0);
+}
+
+void
+CERT_DestroyName(CERTName *name)
+{
+    if (name)
+    {
+        PRArenaPool *arena = name->arena;
+        name->rdns = NULL;
+	name->arena = NULL;
+	if (arena) PORT_FreeArena(arena, PR_FALSE);
+    }
+}
+
+SECStatus
+CERT_AddRDN(CERTName *name, CERTRDN *rdn)
+{
+    name->rdns = (CERTRDN**) AddToArray(name->arena, (void**) name->rdns, rdn);
+    return name->rdns ? SECSuccess : SECFailure;
+}
+
+SECStatus
+CERT_CopyName(PRArenaPool *arena, CERTName *to, CERTName *from)
+{
+    CERTRDN **rdns, *frdn, *trdn;
+    SECStatus rv;
+
+    CERT_DestroyName(to);
+    to->arena = arena;
+
+    /* Copy each rdn from from */
+    rdns = from->rdns;
+    while ((frdn = *rdns++) != 0) {
+	trdn = CERT_CreateRDN(arena, 0);
+	if ( trdn == NULL ) {
+	    return(SECFailure);
+	}
+	rv = CERT_CopyRDN(arena, trdn, frdn);
+	if (rv) return rv;
+	rv = CERT_AddRDN(to, trdn);
+	if (rv) return rv;
+    }
+    return SECSuccess;
+}
+
+/************************************************************************/
+
+SECComparison
+CERT_CompareAVA(CERTAVA *a, CERTAVA *b)
+{
+    SECComparison rv;
+
+    rv = SECITEM_CompareItem(&a->type, &b->type);
+    if (rv) {
+	/*
+	** XXX for now we are going to just assume that a bitwise
+	** comparison of the value codes will do the trick.
+	*/
+    }
+    rv = SECITEM_CompareItem(&a->value, &b->value);
+    return rv;
+}
+
+SECComparison
+CERT_CompareRDN(CERTRDN *a, CERTRDN *b)
+{
+    CERTAVA **aavas, *aava;
+    CERTAVA **bavas, *bava;
+    int ac, bc;
+    SECComparison rv = SECEqual;
+
+    aavas = a->avas;
+    bavas = b->avas;
+
+    /*
+    ** Make sure array of ava's are the same length. If not, then we are
+    ** not equal
+    */
+    ac = CountArray((void**) aavas);
+    bc = CountArray((void**) bavas);
+    if (ac < bc) return SECLessThan;
+    if (ac > bc) return SECGreaterThan;
+
+    for (;;) {
+	aava = *aavas++;
+	bava = *bavas++;
+	if (!aava) {
+	    break;
+	}
+	rv = CERT_CompareAVA(aava, bava);
+	if (rv) return rv;
+    }
+    return rv;
+}
+
+SECComparison
+CERT_CompareName(CERTName *a, CERTName *b)
+{
+    CERTRDN **ardns, *ardn;
+    CERTRDN **brdns, *brdn;
+    int ac, bc;
+    SECComparison rv = SECEqual;
+
+    ardns = a->rdns;
+    brdns = b->rdns;
+
+    /*
+    ** Make sure array of rdn's are the same length. If not, then we are
+    ** not equal
+    */
+    ac = CountArray((void**) ardns);
+    bc = CountArray((void**) brdns);
+    if (ac < bc) return SECLessThan;
+    if (ac > bc) return SECGreaterThan;
+
+    for (;;) {
+	ardn = *ardns++;
+	brdn = *brdns++;
+	if (!ardn) {
+	    break;
+	}
+	rv = CERT_CompareRDN(ardn, brdn);
+	if (rv) return rv;
+    }
+    return rv;
+}
+
+/* Moved from certhtml.c */
+SECItem *
+CERT_DecodeAVAValue(SECItem *derAVAValue)
+{
+          SECItem          *retItem; 
+    const SEC_ASN1Template *theTemplate       = NULL;
+          PRBool            convertUCS4toUTF8 = PR_FALSE;
+          PRBool            convertUCS2toUTF8 = PR_FALSE;
+          SECItem           avaValue          = {siBuffer, 0}; 
+
+    if(!derAVAValue) {
+	return NULL;
+    }
+
+    switch(derAVAValue->data[0]) {
+	case SEC_ASN1_UNIVERSAL_STRING:
+	    convertUCS4toUTF8 = PR_TRUE;
+	    theTemplate = SEC_UniversalStringTemplate;
+	    break;
+	case SEC_ASN1_IA5_STRING:
+	    theTemplate = SEC_IA5StringTemplate;
+	    break;
+	case SEC_ASN1_PRINTABLE_STRING:
+	    theTemplate = SEC_PrintableStringTemplate;
+	    break;
+	case SEC_ASN1_T61_STRING:
+	    theTemplate = SEC_T61StringTemplate;
+	    break;
+	case SEC_ASN1_BMP_STRING:
+	    convertUCS2toUTF8 = PR_TRUE;
+	    theTemplate = SEC_BMPStringTemplate;
+	    break;
+	case SEC_ASN1_UTF8_STRING:
+	    /* No conversion needed ! */
+	    theTemplate = SEC_UTF8StringTemplate;
+	    break;
+	default:
+	    return NULL;
+    }
+
+    PORT_Memset(&avaValue, 0, sizeof(SECItem));
+    if(SEC_ASN1DecodeItem(NULL, &avaValue, theTemplate, derAVAValue) 
+				!= SECSuccess) {
+	return NULL;
+    }
+
+    if (convertUCS4toUTF8) {
+	unsigned int   utf8ValLen = avaValue.len * 3;
+	unsigned char *utf8Val    = (unsigned char*)PORT_ZAlloc(utf8ValLen);
+
+	if(!PORT_UCS4_UTF8Conversion(PR_FALSE, avaValue.data, avaValue.len,
+				     utf8Val, utf8ValLen, &utf8ValLen)) {
+	    PORT_Free(utf8Val);
+	    PORT_Free(avaValue.data);
+	    return NULL;
+	}
+
+	PORT_Free(avaValue.data);
+	avaValue.data = utf8Val;
+	avaValue.len = utf8ValLen;
+
+    } else if (convertUCS2toUTF8) {
+
+	unsigned int   utf8ValLen = avaValue.len * 3;
+	unsigned char *utf8Val    = (unsigned char*)PORT_ZAlloc(utf8ValLen);
+
+	if(!PORT_UCS2_UTF8Conversion(PR_FALSE, avaValue.data, avaValue.len,
+				     utf8Val, utf8ValLen, &utf8ValLen)) {
+	    PORT_Free(utf8Val);
+	    PORT_Free(avaValue.data);
+	    return NULL;
+	}
+
+	PORT_Free(avaValue.data);
+	avaValue.data = utf8Val;
+	avaValue.len = utf8ValLen;
+    }
+
+    retItem = SECITEM_DupItem(&avaValue);
+    PORT_Free(avaValue.data);
+    return retItem;
+}
diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c
new file mode 100644
index 000000000..293b33d8a
--- /dev/null
+++ b/security/nss/lib/certdb/stanpcertdb.c
@@ -0,0 +1,906 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "prtime.h"
+
+#include "cert.h"
+#include "mcom_db.h"
+#include "certdb.h"
+#include "secitem.h"
+#include "secder.h"
+
+/* Call to PK11_FreeSlot below */
+
+#include "secasn1.h"
+#include "secerr.h"
+#include "nssilock.h"
+#include "prmon.h"
+#include "nsslocks.h"
+#include "base64.h"
+#include "sechash.h"
+#include "plhash.h"
+#include "pk11func.h" /* sigh */
+
+#ifndef NSS_3_4_CODE
+#define NSS_3_4_CODE
+#endif /* NSS_3_4_CODE */
+#include "nsspki.h"
+#include "pki.h"
+#include "pkim.h"
+#include "pki3hack.h"
+#include "ckhelper.h"
+#include "base.h"
+#include "pkistore.h"
+#include "dev3hack.h"
+#include "dev.h"
+
+PRBool
+SEC_CertNicknameConflict(char *nickname, SECItem *derSubject,
+			 CERTCertDBHandle *handle)
+{
+    CERTCertificate *cert;
+    PRBool conflict = PR_FALSE;
+
+    cert=CERT_FindCertByNickname(handle, nickname);
+
+    if (!cert) {
+	return conflict;
+    }
+
+    conflict = !SECITEM_ItemsAreEqual(derSubject,&cert->derSubject);
+    CERT_DestroyCertificate(cert);
+    return conflict;
+}
+
+SECStatus
+SEC_DeletePermCertificate(CERTCertificate *cert)
+{
+    PRStatus nssrv;
+    NSSCertificate *c = STAN_GetNSSCertificate(cert);
+    nssrv = NSSCertificate_DeleteStoredObject(c, NULL);
+    return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
+}
+
+SECStatus
+CERT_GetCertTrust(CERTCertificate *cert, CERTCertTrust *trust)
+{
+    SECStatus rv;
+    CERT_LockCertTrust(cert);
+    if ( cert->trust == NULL ) {
+	rv = SECFailure;
+    } else {
+	*trust = *cert->trust;
+	rv = SECSuccess;
+    }
+    CERT_UnlockCertTrust(cert);
+    return(rv);
+}
+
+#ifdef notdef
+static char *
+cert_parseNickname(char *nickname)
+{
+    char *cp;
+    for (cp=nickname; *cp && *cp != ':'; cp++);
+    if (*cp == ':') return cp+1;
+    return nickname;
+}
+#endif
+
+SECStatus
+CERT_ChangeCertTrust(CERTCertDBHandle *handle, CERTCertificate *cert,
+		    CERTCertTrust *trust)
+{
+    SECStatus rv = SECFailure;
+    PRStatus ret;
+
+    CERT_LockCertTrust(cert);
+    ret = STAN_ChangeCertTrust(cert, trust);
+    rv = (ret == PR_SUCCESS) ? SECSuccess : SECFailure;
+    CERT_UnlockCertTrust(cert);
+    return rv;
+}
+
+SECStatus
+__CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
+		       CERTCertTrust *trust)
+{
+    PRStatus nssrv;
+    NSSUTF8 *stanNick;
+    PK11SlotInfo *slot;
+    NSSToken *internal;
+    NSSCryptoContext *context;
+    NSSCertificate *c = STAN_GetNSSCertificate(cert);
+    context = c->object.cryptoContext;
+    if (!context) {
+	return PR_FAILURE; /* wasn't a temp cert */
+    }
+    stanNick = NSSCertificate_GetNickname(c, NULL);
+    if (stanNick && nickname && strcmp(nickname, stanNick) != 0) {
+	/* take the new nickname */
+	cert->nickname = NULL;
+	stanNick = NULL;
+    }
+    if (!stanNick && nickname) {
+	stanNick = nssUTF8_Duplicate((NSSUTF8 *)nickname, c->object.arena);
+    }
+    /* Delete the temp instance */
+    nssCertificateStore_Remove(context->certStore, c);
+    c->object.cryptoContext = NULL;
+    /* the perm instance will assume the reference */
+    nssList_Clear(c->object.instanceList, NULL);
+    /* Import the perm instance onto the internal token */
+    slot = PK11_GetInternalKeySlot();
+    internal = PK11Slot_GetNSSToken(slot);
+    nssrv = nssToken_ImportCertificate(internal, NULL, c, stanNick, PR_TRUE);
+    if (nssrv != PR_SUCCESS) {
+	return SECFailure;
+    }
+    /* reset the CERTCertificate fields */
+    cert->nssCertificate = NULL;
+    cert = STAN_GetCERTCertificate(c); /* will return same pointer */
+    cert->istemp = PR_FALSE;
+    cert->isperm = PR_TRUE;
+    return (STAN_ChangeCertTrust(cert, trust) == PR_SUCCESS) ? 
+							SECSuccess: SECFailure;
+}
+
+SECStatus
+CERT_AddTempCertToPerm(CERTCertificate *cert, char *nickname,
+		       CERTCertTrust *trust)
+{
+    return __CERT_AddTempCertToPerm(cert, nickname, trust);
+}
+
+CERTCertificate *
+__CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
+			  char *nickname, PRBool isperm, PRBool copyDER)
+{
+    PRStatus nssrv;
+    NSSCertificate *c;
+    NSSCryptoContext *context;
+    NSSArena *arena;
+    CERTCertificate *cc;
+    NSSCertificate *tempCert;
+    NSSCryptoContext *gCC = STAN_GetDefaultCryptoContext();
+    if (!isperm) {
+	NSSDER encoding;
+	NSSITEM_FROM_SECITEM(&encoding, derCert);
+	/* First, see if it is already a temp cert */
+	c = NSSCryptoContext_FindCertificateByEncodedCertificate(gCC, 
+	                                                       &encoding);
+	if (!c) {
+	    /* Then, see if it is already a perm cert */
+	    c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle, 
+	                                                           &encoding);
+	}
+	if (c) {
+	    return STAN_GetCERTCertificate(c);
+	}
+    }
+    arena = NSSArena_Create();
+    if (!arena) {
+	return NULL;
+    }
+    c = nss_ZNEW(arena, NSSCertificate);
+    if (!c) {
+	nssArena_Destroy(arena);
+	return NULL;
+    }
+    NSSITEM_FROM_SECITEM(&c->encoding, derCert);
+    nssrv = nssPKIObject_Initialize(&c->object, arena, NULL, NULL);
+    if (nssrv != PR_SUCCESS) {
+	goto loser;
+    }
+    /* Forces a decoding of the cert in order to obtain the parts used
+     * below
+     */
+    cc = STAN_GetCERTCertificate(c);
+    nssItem_Create(arena, 
+                   &c->issuer, cc->derIssuer.len, cc->derIssuer.data);
+    nssItem_Create(arena, 
+                   &c->subject, cc->derSubject.len, cc->derSubject.data);
+    if (PR_TRUE) {
+	/* CERTCertificate stores serial numbers decoded.  I need the DER
+	* here.  sigh.
+	*/
+	SECItem derSerial = { 0 };
+	CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
+	if (!derSerial.data) goto loser;
+	nssItem_Create(arena, &c->serial, derSerial.len, derSerial.data);
+	PORT_Free(derSerial.data);
+    }
+    if (nickname) {
+	c->object.tempName = nssUTF8_Create(arena, 
+                                            nssStringType_UTF8String, 
+                                            (NSSUTF8 *)nickname, 
+                                            PORT_Strlen(nickname));
+    }
+    if (cc->emailAddr) {
+	c->email = nssUTF8_Create(arena, 
+	                          nssStringType_PrintableString, 
+	                          (NSSUTF8 *)cc->emailAddr, 
+	                          PORT_Strlen(cc->emailAddr));
+    }
+    context = STAN_GetDefaultCryptoContext();
+    /* this function cannot detect if the cert exists as a temp cert now, but
+     * didn't when CERT_NewTemp was first called.
+     */
+    nssrv = NSSCryptoContext_ImportCertificate(context, c);
+    if (nssrv != PR_SUCCESS) {
+	goto loser;
+    }
+    /* so find the entry in the temp store */
+    tempCert = NSSCryptoContext_FindCertificateByIssuerAndSerialNumber(context,
+                                                                   &c->issuer,
+                                                                   &c->serial);
+    /* destroy the copy */
+    NSSCertificate_Destroy(c);
+    if (tempCert) {
+	/* and use the "official" entry */
+	c = tempCert;
+	cc = STAN_GetCERTCertificate(c);
+    } else {
+	return NULL;
+    }
+    c->object.trustDomain = STAN_GetDefaultTrustDomain();
+    cc->istemp = PR_TRUE;
+    cc->isperm = PR_FALSE;
+    return cc;
+loser:
+    nssPKIObject_Destroy(&c->object);
+    return NULL;
+}
+
+CERTCertificate *
+CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
+			char *nickname, PRBool isperm, PRBool copyDER)
+{
+    return( __CERT_NewTempCertificate(handle, derCert, nickname,
+                                      isperm, copyDER) );
+}
+
+/* maybe all the wincx's should be some const for internal token login? */
+CERTCertificate *
+CERT_FindCertByIssuerAndSN(CERTCertDBHandle *handle, CERTIssuerAndSN *issuerAndSN)
+{
+    PK11SlotInfo *slot;
+    CERTCertificate *cert;
+
+    cert = PK11_FindCertByIssuerAndSN(&slot,issuerAndSN,NULL);
+    if (cert && slot) {
+        PK11_FreeSlot(slot);
+    }
+
+    return cert;
+}
+
+static NSSCertificate *
+get_best_temp_or_perm(NSSCertificate *ct, NSSCertificate *cp)
+{
+    nssBestCertificateCB best;
+    NSSUsage usage;
+    usage.anyUsage = PR_TRUE;
+    nssBestCertificate_SetArgs(&best, NULL, &usage, NULL);
+    if (ct) {
+	nssBestCertificate_Callback(ct, (void *)&best);
+    }
+    if (cp) {
+	nssBestCertificate_Callback(cp, (void *)&best);
+    }
+    return best.cert;
+}
+
+CERTCertificate *
+CERT_FindCertByName(CERTCertDBHandle *handle, SECItem *name)
+{
+    NSSCertificate *cp, *ct, *c;
+    NSSDER subject;
+    NSSUsage usage;
+    NSSCryptoContext *cc;
+    NSSITEM_FROM_SECITEM(&subject, name);
+    usage.anyUsage = PR_TRUE;
+    cc = STAN_GetDefaultCryptoContext();
+    ct = NSSCryptoContext_FindBestCertificateBySubject(cc, &subject, 
+                                                       NULL, &usage, NULL);
+    cp = NSSTrustDomain_FindBestCertificateBySubject(handle, &subject, 
+                                                     NULL, &usage, NULL);
+    c = get_best_temp_or_perm(ct, cp);
+    if (ct) {
+	CERTCertificate *cert = STAN_GetCERTCertificate(ct);
+	CERT_DestroyCertificate(cert);
+    }
+    if (cp) {
+	CERTCertificate *cert = STAN_GetCERTCertificate(cp);
+	CERT_DestroyCertificate(cert);
+    }
+    if (c) {
+	return STAN_GetCERTCertificate(c);
+    } else {
+	return NULL;
+    }
+}
+
+CERTCertificate *
+CERT_FindCertByKeyID(CERTCertDBHandle *handle, SECItem *name, SECItem *keyID)
+{
+   CERTCertList *list =
+                        CERT_CreateSubjectCertList(NULL,handle,name,0,PR_FALSE);
+    CERTCertificate *cert = NULL;
+    CERTCertListNode *node = CERT_LIST_HEAD(list);
+
+    if (list == NULL) return NULL;
+
+    for (node = CERT_LIST_HEAD(list); node ; node = CERT_LIST_NEXT(node)) {
+        if (SECITEM_ItemsAreEqual(&cert->subjectKeyID, keyID) ) {
+            cert = CERT_DupCertificate(node->cert);
+            break;
+        }
+    }
+    return cert;
+}
+
+CERTCertificate *
+CERT_FindCertByNickname(CERTCertDBHandle *handle, char *nickname)
+{
+    NSSCryptoContext *cc;
+    NSSCertificate *c, *ct;
+    CERTCertificate *cert;
+    NSSUsage usage;
+    usage.anyUsage = PR_TRUE;
+    cc = STAN_GetDefaultCryptoContext();
+    ct = NSSCryptoContext_FindBestCertificateByNickname(cc, nickname, 
+                                                       NULL, &usage, NULL);
+    cert = PK11_FindCertFromNickname(nickname, NULL);
+    c = NULL;
+    if (cert) {
+	c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
+	CERT_DestroyCertificate(cert);
+	if (ct) {
+	    CERTCertificate *cert2 = STAN_GetCERTCertificate(ct);
+	    CERT_DestroyCertificate(cert2);
+	}
+    } else {
+	c = ct;
+    }
+    if (c) {
+	return STAN_GetCERTCertificate(c);
+    } else {
+	return NULL;
+    }
+}
+
+CERTCertificate *
+CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert)
+{
+    NSSCryptoContext *cc;
+    NSSCertificate *c;
+    NSSDER encoding;
+    NSSITEM_FROM_SECITEM(&encoding, derCert);
+    cc = STAN_GetDefaultCryptoContext();
+    c = NSSCryptoContext_FindCertificateByEncodedCertificate(cc, &encoding);
+    if (!c) {
+	c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle, 
+	                                                       &encoding);
+	if (!c) return NULL;
+    }
+    return STAN_GetCERTCertificate(c);
+}
+
+CERTCertificate *
+CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, char *name)
+{
+    NSSCryptoContext *cc;
+    NSSCertificate *c, *ct;
+    CERTCertificate *cert;
+    NSSUsage usage;
+    usage.anyUsage = PR_TRUE;
+    cc = STAN_GetDefaultCryptoContext();
+    ct = NSSCryptoContext_FindBestCertificateByNickname(cc, name, 
+                                                       NULL, &usage, NULL);
+    if (!ct) {
+	ct = NSSCryptoContext_FindBestCertificateByEmail(cc, name, 
+	                                                NULL, &usage, NULL);
+    }
+    cert = PK11_FindCertFromNickname(name, NULL);
+    if (cert) {
+	c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
+	CERT_DestroyCertificate(cert);
+	if (ct) {
+	    CERTCertificate *cert2 = STAN_GetCERTCertificate(ct);
+	    CERT_DestroyCertificate(cert2);
+	}
+    } else {
+	c = ct;
+    }
+    if (c) {
+	return STAN_GetCERTCertificate(c);
+    }
+    return NULL;
+}
+
+static void 
+add_to_subject_list(CERTCertList *certList, CERTCertificate *cert,
+                    PRBool validOnly, int64 sorttime)
+{
+    SECStatus secrv;
+    if (!validOnly ||
+	CERT_CheckCertValidTimes(cert, sorttime, PR_FALSE) 
+	 == secCertTimeValid) {
+	    secrv = CERT_AddCertToListSorted(certList, cert, 
+	                                     CERT_SortCBValidity, 
+	                                     (void *)&sorttime);
+	    if (secrv != SECSuccess) {
+		CERT_DestroyCertificate(cert);
+	    }
+    } else {
+	CERT_DestroyCertificate(cert);
+    }
+}
+
+CERTCertList *
+CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle,
+			   SECItem *name, int64 sorttime, PRBool validOnly)
+{
+    NSSCryptoContext *cc;
+    NSSCertificate **tSubjectCerts, **pSubjectCerts;
+    NSSCertificate **ci;
+    CERTCertificate *cert;
+    NSSDER subject;
+    PRBool myList = PR_FALSE;
+    cc = STAN_GetDefaultCryptoContext();
+    NSSITEM_FROM_SECITEM(&subject, name);
+    /* Collect both temp and perm certs for the subject */
+    tSubjectCerts = NSSCryptoContext_FindCertificatesBySubject(cc,
+                                                               &subject,
+                                                               NULL,
+                                                               0,
+                                                               NULL);
+    pSubjectCerts = NSSTrustDomain_FindCertificatesBySubject(handle,
+                                                             &subject,
+                                                             NULL,
+                                                             0,
+                                                             NULL);
+    if (!tSubjectCerts && !pSubjectCerts) {
+	return NULL;
+    }
+    if (certList == NULL) {
+	certList = CERT_NewCertList();
+	myList = PR_TRUE;
+	if (!certList) goto loser;
+    }
+    /* Iterate over the matching temp certs.  Add them to the list */
+    ci = tSubjectCerts;
+    while (ci && *ci) {
+	cert = STAN_GetCERTCertificate(*ci);
+	add_to_subject_list(certList, cert, validOnly, sorttime);
+	ci++;
+    }
+    /* Iterate over the matching perm certs.  Add them to the list */
+    ci = pSubjectCerts;
+    while (ci && *ci) {
+	cert = STAN_GetCERTCertificate(*ci);
+	add_to_subject_list(certList, cert, validOnly, sorttime);
+	ci++;
+    }
+    nss_ZFreeIf(tSubjectCerts);
+    nss_ZFreeIf(pSubjectCerts);
+    return certList;
+loser:
+    nss_ZFreeIf(tSubjectCerts);
+    nss_ZFreeIf(pSubjectCerts);
+    if (myList && certList != NULL) {
+	CERT_DestroyCertList(certList);
+    }
+    return NULL;
+}
+
+void
+CERT_DestroyCertificate(CERTCertificate *cert)
+{
+    int refCount;
+    CERTCertDBHandle *handle;
+    if ( cert ) {
+	NSSCertificate *tmp = STAN_GetNSSCertificate(cert);
+	handle = cert->dbhandle;
+#ifdef NSS_CLASSIC
+        CERT_LockCertRefCount(cert);
+	PORT_Assert(cert->referenceCount > 0);
+	refCount = --cert->referenceCount;
+        CERT_UnlockCertRefCount(cert);
+	if ( ( refCount == 0 ) && !cert->keepSession ) {
+	    PRArenaPool *arena  = cert->arena;
+	    /* zero cert before freeing. Any stale references to this cert
+	     * after this point will probably cause an exception.  */
+	    PORT_Memset(cert, 0, sizeof *cert);
+	    cert = NULL;
+	    /* free the arena that contains the cert. */
+	    PORT_FreeArena(arena, PR_FALSE);
+        }
+#else
+	if (tmp) {
+	    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
+	    refCount = (int)tmp->object.refCount;
+	    /* This is a hack.  For 3.4, there are persistent references
+	     * to 4.0 certificates during the lifetime of a cert.  In the
+	     * case of a temp cert, the persistent reference is in the
+	     * cert store of the global crypto context.  For a perm cert,
+	     * the persistent reference is in the cache.  Thus, the last
+	     * external reference is really the penultimate NSS reference.
+	     * When the count drops to two, it is really one, but the
+	     * persistent reference must be explicitly deleted.  In 4.0,
+	     * this ugliness will not appear.  Crypto contexts will remove
+	     * their own cert references, and the cache will have its
+	     * own management code also.
+	     */
+	    if (refCount == 2) {
+		NSSCryptoContext *cc = tmp->object.cryptoContext;
+		if (cc != NULL) {
+		    nssCertificateStore_Remove(cc->certStore, tmp);
+		} else {
+		    nssTrustDomain_RemoveCertFromCache(td, tmp);
+		}
+	    }
+	    /* delete the NSSCertificate */
+	    NSSCertificate_Destroy(tmp);
+	} 
+#endif
+    }
+    return;
+}
+
+#ifdef notdef
+SECStatus
+CERT_ChangeCertTrustByUsage(CERTCertDBHandle *certdb,
+			    CERTCertificate *cert, SECCertUsage usage)
+{
+    SECStatus rv;
+    CERTCertTrust trust;
+    CERTCertTrust tmptrust;
+    unsigned int certtype;
+    PRBool saveit;
+    
+    saveit = PR_TRUE;
+    
+    PORT_Memset((void *)&trust, 0, sizeof(trust));
+
+    certtype = cert->nsCertType;
+
+    /* if no app bits in cert type, then set all app bits */
+    if ( ! ( certtype & NS_CERT_TYPE_APP ) ) {
+	certtype |= NS_CERT_TYPE_APP;
+    }
+
+    switch ( usage ) {
+      case certUsageEmailSigner:
+      case certUsageEmailRecipient:
+	if ( certtype & NS_CERT_TYPE_EMAIL ) {
+	     trust.emailFlags = CERTDB_VALID_PEER;
+	     if ( ! ( cert->rawKeyUsage & KU_KEY_ENCIPHERMENT ) ) {
+		/* don't save it if KeyEncipherment is not allowed */
+		saveit = PR_FALSE;
+	    }
+	}
+	break;
+      case certUsageUserCertImport:
+	if ( certtype & NS_CERT_TYPE_EMAIL ) {
+	    trust.emailFlags = CERTDB_VALID_PEER;
+	}
+	/* VALID_USER is already set if the cert was imported, 
+	 * in the case that the cert was already in the database
+	 * through SMIME or other means, we should set the USER
+	 * flags, if they are not already set.
+	 */
+	if( cert->isperm ) {
+	    if ( certtype & NS_CERT_TYPE_SSL_CLIENT ) {
+		if( !(cert->trust->sslFlags & CERTDB_USER) ) {
+		    trust.sslFlags |= CERTDB_USER;
+		}
+	    }
+	    
+	    if ( certtype & NS_CERT_TYPE_EMAIL ) {
+		if( !(cert->trust->emailFlags & CERTDB_USER) ) {
+		    trust.emailFlags |= CERTDB_USER;
+		}
+	    }
+	    
+	    if ( certtype & NS_CERT_TYPE_OBJECT_SIGNING ) {
+		if( !(cert->trust->objectSigningFlags & CERTDB_USER) ) {
+		    trust.objectSigningFlags |= CERTDB_USER;
+		}
+	    }
+	}
+	break;
+      default:	/* XXX added to quiet warnings; no other cases needed? */
+	break;
+    }
+
+    if ( (trust.sslFlags | trust.emailFlags | trust.objectSigningFlags) == 0 ){
+	saveit = PR_FALSE;
+    }
+
+    if ( saveit && cert->isperm ) {
+	/* Cert already in the DB.  Just adjust flags */
+	tmptrust = *cert->trust;
+	tmptrust.sslFlags |= trust.sslFlags;
+	tmptrust.emailFlags |= trust.emailFlags;
+	tmptrust.objectSigningFlags |= trust.objectSigningFlags;
+	    
+	rv = CERT_ChangeCertTrust(cert->dbhandle, cert,
+				  &tmptrust);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+    }
+
+    rv = SECSuccess;
+    goto done;
+
+loser:
+    rv = SECFailure;
+done:
+
+    return(rv);
+}
+#endif
+
+int
+CERT_GetDBContentVersion(CERTCertDBHandle *handle)
+{
+    /* should read the DB content version from the pkcs #11 device */
+    return 0;
+}
+
+/*
+ *
+ * Manage S/MIME profiles
+ *
+ */
+
+SECStatus
+CERT_SaveSMimeProfile(CERTCertificate *cert, SECItem *emailProfile,
+		      SECItem *profileTime)
+{
+    int64 oldtime;
+    int64 newtime;
+    SECStatus rv = SECFailure;
+    PRBool saveit;
+    char *emailAddr;
+    SECItem oldprof, oldproftime;
+    SECItem *oldProfile = NULL;
+    SECItem *oldProfileTime = NULL;
+    PK11SlotInfo *slot = NULL;
+    NSSCertificate *c;
+    NSSCryptoContext *cc;
+    nssSMIMEProfile *stanProfile = NULL;
+    PRBool freeOldProfile = PR_FALSE;
+    
+    emailAddr = cert->emailAddr;
+    
+    if ( emailAddr == NULL ) {
+	goto loser;
+    }
+
+    c = STAN_GetNSSCertificate(cert);
+    if (!c) return SECFailure;
+    cc = c->object.cryptoContext;
+    if (cc != NULL) {
+	stanProfile = nssCryptoContext_FindSMIMEProfileForCertificate(cc, c);
+	if (stanProfile) {
+	    PORT_Assert(stanProfile->profileData);
+	    SECITEM_FROM_NSSITEM(&oldprof, stanProfile->profileData);
+	    oldProfile = &oldprof;
+	    SECITEM_FROM_NSSITEM(&oldproftime, stanProfile->profileTime);
+	    oldProfileTime = &oldproftime;
+	}
+    } else {
+	oldProfile = PK11_FindSMimeProfile(&slot, emailAddr, &cert->derSubject, 
+							&oldProfileTime); 
+	freeOldProfile = PR_TRUE;
+    }
+
+    saveit = PR_FALSE;
+    
+    /* both profileTime and emailProfile have to exist or not exist */
+    if ( emailProfile == NULL ) {
+	profileTime = NULL;
+    } else if ( profileTime == NULL ) {
+	emailProfile = NULL;
+    }
+   
+    if ( oldProfileTime == NULL ) {
+	saveit = PR_TRUE;
+    } else {
+	/* there was already a profile for this email addr */
+	if ( profileTime ) {
+	    /* we have an old and new profile - save whichever is more recent*/
+	    if ( oldProfileTime->len == 0 ) {
+		/* always replace if old entry doesn't have a time */
+		oldtime = LL_MININT;
+	    } else {
+		rv = DER_UTCTimeToTime(&oldtime, oldProfileTime);
+		if ( rv != SECSuccess ) {
+		    goto loser;
+		}
+	    }
+	    
+	    rv = DER_UTCTimeToTime(&newtime, profileTime);
+	    if ( rv != SECSuccess ) {
+		goto loser;
+	    }
+	
+	    if ( LL_CMP(newtime, >, oldtime ) ) {
+		/* this is a newer profile, save it and cert */
+		saveit = PR_TRUE;
+	    }
+	} else {
+	    saveit = PR_TRUE;
+	}
+    }
+
+
+    if (saveit) {
+	if (cc) {
+	    if (stanProfile) {
+		/* stanProfile is already stored in the crypto context,
+		 * overwrite the data
+		 */
+		NSSArena *arena = stanProfile->object.arena;
+		stanProfile->profileTime = nssItem_Create(arena, 
+		                                          NULL,
+		                                          profileTime->len,
+		                                          profileTime->data);
+		stanProfile->profileData = nssItem_Create(arena, 
+		                                          NULL,
+		                                          emailProfile->len,
+		                                          emailProfile->data);
+	    } else if (profileTime && emailProfile) {
+		PRStatus nssrv;
+		NSSDER subject;
+		NSSItem profTime, profData;
+		NSSItem *pprofTime, *pprofData;
+		NSSITEM_FROM_SECITEM(&subject, &cert->derSubject);
+		if (profileTime) {
+		    NSSITEM_FROM_SECITEM(&profTime, profileTime);
+		    pprofTime = &profTime;
+		} else {
+		    pprofTime = NULL;
+		}
+		if (emailProfile) {
+		    NSSITEM_FROM_SECITEM(&profData, emailProfile);
+		    pprofData = &profData;
+		} else {
+		    pprofData = NULL;
+		}
+		stanProfile = nssSMIMEProfile_Create(c, pprofTime, pprofData);
+		if (!stanProfile) goto loser;
+		nssrv = nssCryptoContext_ImportSMIMEProfile(cc, stanProfile);
+		rv = (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
+	    }
+	} else {
+	    rv = PK11_SaveSMimeProfile(slot, emailAddr, &cert->derSubject, 
+						emailProfile, profileTime);
+	}
+    } else {
+	rv = SECSuccess;
+    }
+
+loser:
+    if (oldProfile && freeOldProfile) {
+    	SECITEM_FreeItem(oldProfile,PR_TRUE);
+    }
+    if (oldProfileTime && freeOldProfile) {
+    	SECITEM_FreeItem(oldProfileTime,PR_TRUE);
+    }
+    if (stanProfile) {
+	nssSMIMEProfile_Destroy(stanProfile);
+    }
+    
+    return(rv);
+}
+
+SECItem *
+CERT_FindSMimeProfile(CERTCertificate *cert)
+{
+    PK11SlotInfo *slot = NULL;
+    NSSCertificate *c;
+    NSSCryptoContext *cc;
+    c = STAN_GetNSSCertificate(cert);
+    if (!c) return NULL;
+    cc = c->object.cryptoContext;
+    if (cc != NULL) {
+	SECItem *rvItem = NULL;
+	nssSMIMEProfile *stanProfile;
+	stanProfile = nssCryptoContext_FindSMIMEProfileForCertificate(cc, c);
+	if (stanProfile) {
+	    rvItem = SECITEM_AllocItem(NULL, NULL, 
+	                               stanProfile->profileData->size);
+	    if (rvItem) {
+		rvItem->data = stanProfile->profileData->data;
+	    }
+	    nssSMIMEProfile_Destroy(stanProfile);
+	}
+	return rvItem;
+    }
+    return 
+	PK11_FindSMimeProfile(&slot, cert->emailAddr, &cert->derSubject, NULL);
+}
+
+/*
+ * depricated functions that are now just stubs.
+ */
+/*
+ * Close the database
+ */
+void
+__CERT_ClosePermCertDB(CERTCertDBHandle *handle)
+{
+    PORT_Assert("CERT_ClosePermCertDB is Depricated" == NULL);
+    return;
+}
+
+SECStatus
+CERT_OpenCertDBFilename(CERTCertDBHandle *handle, char *certdbname,
+                        PRBool readOnly)
+{
+    PORT_Assert("CERT_OpenCertDBFilename is Depricated" == NULL);
+    return SECFailure;
+}
+
+SECItem *
+SECKEY_HashPassword(char *pw, SECItem *salt)
+{
+    PORT_Assert("SECKEY_HashPassword is Depricated" == NULL);
+    return NULL;
+}
+
+SECStatus
+__CERT_TraversePermCertsForSubject(CERTCertDBHandle *handle,
+                                 SECItem *derSubject,
+                                 void *cb, void *cbarg)
+{
+    PORT_Assert("CERT_TraversePermCertsForSubject is Depricated" == NULL);
+    return SECFailure;
+}
+
+
+SECStatus
+__CERT_TraversePermCertsForNickname(CERTCertDBHandle *handle, char *nickname,
+                                  void *cb, void *cbarg)
+{
+    PORT_Assert("CERT_TraversePermCertsForNickname is Depricated" == NULL);
+    return SECFailure;
+}
+
+
+
diff --git a/security/nss/lib/certdb/xauthkid.c b/security/nss/lib/certdb/xauthkid.c
new file mode 100644
index 000000000..8b7ac4a92
--- /dev/null
+++ b/security/nss/lib/certdb/xauthkid.c
@@ -0,0 +1,147 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * X.509 v3 Subject Key Usage Extension 
+ *
+ */
+
+#include "prtypes.h"
+#include "mcom_db.h"
+#include "seccomon.h"
+#include "secdert.h"
+#include "secoidt.h"
+#include "secasn1t.h"
+#include "secasn1.h"
+#include "secport.h"
+#include "certt.h"  
+#include "genname.h"
+#include "secerr.h"
+
+   
+const SEC_ASN1Template CERTAuthKeyIDTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTAuthKeyID) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  offsetof(CERTAuthKeyID,keyID), SEC_OctetStringTemplate},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC  | 1,
+          offsetof(CERTAuthKeyID, DERAuthCertIssuer), CERT_GeneralNamesTemplate},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 2,
+	  offsetof(CERTAuthKeyID,authCertSerialNumber), SEC_IntegerTemplate},
+    { 0 }
+};
+
+
+
+SECStatus CERT_EncodeAuthKeyID (PRArenaPool *arena, CERTAuthKeyID *value, SECItem *encodedValue)
+{
+    SECStatus rv = SECFailure;
+ 
+    PORT_Assert (value);
+    PORT_Assert (arena);
+    PORT_Assert (value->DERAuthCertIssuer == NULL);
+    PORT_Assert (encodedValue);
+
+    do {
+	
+	/* If both of the authCertIssuer and the serial number exist, encode
+	   the name first.  Otherwise, it is an error if one exist and the other
+	   is not.
+	 */
+	if (value->authCertIssuer) {
+	    if (!value->authCertSerialNumber.data) {
+		PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
+		break;
+	    }
+
+	    value->DERAuthCertIssuer = cert_EncodeGeneralNames
+		(arena, value->authCertIssuer);
+	    if (!value->DERAuthCertIssuer) {
+		PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
+		break;
+	    }
+	}
+	else if (value->authCertSerialNumber.data) {
+		PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
+		break;
+	}
+
+	if (SEC_ASN1EncodeItem (arena, encodedValue, value,
+				CERTAuthKeyIDTemplate) == NULL)
+	    break;
+	rv = SECSuccess;
+
+    } while (0);
+     return(rv);
+}
+
+CERTAuthKeyID *
+CERT_DecodeAuthKeyID (PRArenaPool *arena, SECItem *encodedValue)
+{
+    CERTAuthKeyID * value = NULL;
+    SECStatus       rv    = SECFailure;
+    void *          mark;
+
+    PORT_Assert (arena);
+   
+    do {
+	mark = PORT_ArenaMark (arena);
+        value = (CERTAuthKeyID*)PORT_ArenaZAlloc (arena, sizeof (*value));
+	value->DERAuthCertIssuer = NULL;
+	if (value == NULL)
+	    break;
+	rv = SEC_ASN1DecodeItem
+	     (arena, value, CERTAuthKeyIDTemplate, encodedValue);
+	if (rv != SECSuccess)
+	    break;
+
+        value->authCertIssuer = cert_DecodeGeneralNames (arena, value->DERAuthCertIssuer);
+	if (value->authCertIssuer == NULL)
+	    break;
+	
+	/* what if the general name contains other format but not URI ?
+	   hl
+	 */
+	if ((value->authCertSerialNumber.data && !value->authCertIssuer) ||
+	    (!value->authCertSerialNumber.data && value->authCertIssuer)){
+	    PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
+	    break;
+	}
+    } while (0);
+
+    if (rv != SECSuccess) {
+	PORT_ArenaRelease (arena, mark);
+	return ((CERTAuthKeyID *)NULL);	    
+    } 
+    PORT_ArenaUnmark(arena, mark);
+    return (value);
+}
diff --git a/security/nss/lib/certdb/xbsconst.c b/security/nss/lib/certdb/xbsconst.c
new file mode 100644
index 000000000..5c16b651c
--- /dev/null
+++ b/security/nss/lib/certdb/xbsconst.c
@@ -0,0 +1,168 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * X.509 v3 Basic Constraints Extension 
+ */
+
+#include "prtypes.h"
+#include "mcom_db.h"
+#include "seccomon.h"
+#include "secdert.h"
+#include "secoidt.h"
+#include "secasn1t.h"
+#include "secasn1.h"
+#include "certt.h"
+#include "secder.h"
+#include "prprf.h"
+#include "secerr.h"
+
+typedef struct EncodedContext{
+    SECItem isCA;
+    SECItem pathLenConstraint;
+    SECItem encodedValue;
+    PRArenaPool *arena;
+}EncodedContext;
+
+static const SEC_ASN1Template CERTBasicConstraintsTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(EncodedContext) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN,		/* XXX DER_DEFAULT */
+	  offsetof(EncodedContext,isCA)},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER,
+	  offsetof(EncodedContext,pathLenConstraint) },
+    { 0, }
+};
+
+static unsigned char hexTrue = 0xff;
+static unsigned char hexFalse = 0x00;
+
+#define GEN_BREAK(status) rv = status; break;
+
+SECStatus CERT_EncodeBasicConstraintValue
+   (PRArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue)
+{
+    EncodedContext encodeContext;
+    PRArenaPool *our_pool = NULL;   
+    SECStatus rv = SECSuccess;
+
+    do {
+	PORT_Memset (&encodeContext, 0, sizeof (encodeContext));
+	if (!value->isCA && value->pathLenConstraint >= 0) {
+	    PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
+	    GEN_BREAK (SECFailure);
+	}
+
+        encodeContext.arena = arena;
+	if (value->isCA == PR_TRUE) {
+	    encodeContext.isCA.data =  &hexTrue ;
+	    encodeContext.isCA.len = 1;
+	}
+
+	/* If the pathLenConstraint is less than 0, then it should be
+	 * omitted from the encoding.
+	 */
+	if (value->isCA && value->pathLenConstraint >= 0) {
+	    our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
+	    if (our_pool == NULL) {
+		PORT_SetError (SEC_ERROR_NO_MEMORY);
+		GEN_BREAK (SECFailure);
+	    }
+	    if (SEC_ASN1EncodeUnsignedInteger
+		(our_pool, &encodeContext.pathLenConstraint,
+		 (unsigned long)value->pathLenConstraint) == NULL) {
+		PORT_SetError (SEC_ERROR_NO_MEMORY);
+		GEN_BREAK (SECFailure);
+	    }
+	}
+	if (SEC_ASN1EncodeItem (arena, encodedValue, &encodeContext,
+				CERTBasicConstraintsTemplate) == NULL) {
+	    GEN_BREAK (SECFailure);
+	}
+    } while (0);
+    if (our_pool)
+	PORT_FreeArena (our_pool, PR_FALSE);
+    return(rv);
+
+}
+
+SECStatus CERT_DecodeBasicConstraintValue
+   (CERTBasicConstraints *value, SECItem *encodedValue)
+{
+    EncodedContext decodeContext;
+    PRArenaPool *our_pool;
+    SECStatus rv = SECSuccess;
+
+    do {
+	PORT_Memset (&decodeContext, 0, sizeof (decodeContext));
+	/* initialize the value just in case we got "0x30 00", or when the
+	   pathLenConstraint is omitted.
+         */
+	decodeContext.isCA.data =&hexFalse;
+	decodeContext.isCA.len = 1;
+	
+	our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
+	if (our_pool == NULL) {
+	    PORT_SetError (SEC_ERROR_NO_MEMORY);
+	    GEN_BREAK (SECFailure);
+	}
+
+	rv = SEC_ASN1DecodeItem
+	     (our_pool, &decodeContext, CERTBasicConstraintsTemplate, encodedValue);
+	if (rv == SECFailure)
+	    break;
+	
+	value->isCA = (PRBool)(*decodeContext.isCA.data);
+	if (decodeContext.pathLenConstraint.data == NULL) {
+	    /* if the pathLenConstraint is not encoded, and the current setting
+	      is CA, then the pathLenConstraint should be set to a negative number
+	      for unlimited certificate path.
+	     */
+	    if (value->isCA)
+		value->pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
+	}
+	else if (value->isCA)
+	    value->pathLenConstraint = DER_GetUInteger (&decodeContext.pathLenConstraint);
+	else {
+	    /* here we get an error where the subject is not a CA, but
+	       the pathLenConstraint is set */
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    GEN_BREAK (SECFailure);
+	    break;
+	}
+	 
+    } while (0);
+    PORT_FreeArena (our_pool, PR_FALSE);
+    return (rv);
+
+}
diff --git a/security/nss/lib/certdb/xconst.c b/security/nss/lib/certdb/xconst.c
new file mode 100644
index 000000000..74a4de08b
--- /dev/null
+++ b/security/nss/lib/certdb/xconst.c
@@ -0,0 +1,253 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * X.509 Extension Encoding  
+ */
+
+#include "prtypes.h"
+#include "mcom_db.h"
+#include "seccomon.h"
+#include "secdert.h"
+#include "secoidt.h"
+#include "secasn1t.h"
+#include "secasn1.h"
+#include "certt.h"
+#include "secder.h"
+#include "prprf.h"
+#include "xconst.h"
+#include "genname.h"
+#include "secasn1.h"
+
+
+
+static const SEC_ASN1Template CERTSubjectKeyIDTemplate[] = {
+{ SEC_ASN1_OCTET_STRING }
+};
+
+
+static const SEC_ASN1Template CERTIA5TypeTemplate[] = {
+{ SEC_ASN1_IA5_STRING }
+};
+
+
+static const SEC_ASN1Template CERTPrivateKeyUsagePeriodTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+      0, NULL, sizeof(PKUPEncodedContext) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC  | 0,	
+	  offsetof(PKUPEncodedContext, notBefore), SEC_GeneralizedTimeTemplate},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC  | 1,
+	  offsetof(PKUPEncodedContext, notAfter), SEC_GeneralizedTimeTemplate},
+    { 0, } 
+};
+
+
+const SEC_ASN1Template CERTAltNameTemplate[] = {
+    { SEC_ASN1_CONSTRUCTED, offsetof(AltNameEncodedContext, encodedGenName), 
+      CERT_GeneralNamesTemplate}
+};
+
+const SEC_ASN1Template CERTAuthInfoAccessItemTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+      0, NULL, sizeof(CERTAuthInfoAccess) },
+    { SEC_ASN1_OBJECT_ID,
+      offsetof(CERTAuthInfoAccess, method) },
+    { SEC_ASN1_ANY,
+      offsetof(CERTAuthInfoAccess, derLocation) },
+    { 0, }
+};
+
+const SEC_ASN1Template CERTAuthInfoAccessTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, CERTAuthInfoAccessItemTemplate }
+};
+
+
+SECStatus 
+CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len, SECItem *encodedValue)
+{
+    SECItem encodeContext;
+    SECStatus rv = SECSuccess;
+
+
+    PORT_Memset (&encodeContext, 0, sizeof (encodeContext));
+    
+    if (value != NULL) {
+	encodeContext.data = (unsigned char *)value;
+	encodeContext.len = len;
+    }
+    if (SEC_ASN1EncodeItem (arena, encodedValue, &encodeContext,
+			    CERTSubjectKeyIDTemplate) == NULL) {
+	rv = SECFailure;
+    }
+    
+    return(rv);
+}
+
+
+SECStatus
+CERT_EncodePublicKeyUsagePeriod(PRArenaPool *arena, PKUPEncodedContext *pkup, SECItem *encodedValue)
+{
+    SECStatus rv = SECSuccess;
+
+    if (SEC_ASN1EncodeItem (arena, encodedValue, pkup,
+			    CERTPrivateKeyUsagePeriodTemplate) == NULL) {
+	rv = SECFailure;
+    }
+    return(rv);
+}
+
+
+SECStatus 
+CERT_EncodeIA5TypeExtension(PRArenaPool *arena, char *value, SECItem *encodedValue)
+{
+    SECItem encodeContext;
+    SECStatus rv = SECSuccess;
+
+
+    PORT_Memset (&encodeContext, 0, sizeof (encodeContext));
+    
+    if (value != NULL) {
+	encodeContext.data = (unsigned char *)value;
+	encodeContext.len = strlen(value);
+    }
+    if (SEC_ASN1EncodeItem (arena, encodedValue, &encodeContext,
+			    CERTIA5TypeTemplate) == NULL) {
+	rv = SECFailure;
+    }
+    
+    return(rv);
+}
+
+SECStatus
+CERT_EncodeAltNameExtension(PRArenaPool *arena,  CERTGeneralName  *value, SECItem *encodedValue)
+{
+    SECItem                **encodedGenName;
+    SECStatus              rv = SECSuccess;
+
+    encodedGenName = cert_EncodeGeneralNames(arena, value);
+    if (SEC_ASN1EncodeItem (arena, encodedValue, &encodedGenName,
+			    CERT_GeneralNamesTemplate) == NULL) {
+	rv = SECFailure;
+    }
+
+    return rv;
+}
+
+CERTGeneralName *
+CERT_DecodeAltNameExtension(PRArenaPool *arena, SECItem *EncodedAltName)
+{
+    SECStatus              rv = SECSuccess;
+    AltNameEncodedContext  encodedContext;
+
+    encodedContext.encodedGenName = NULL;
+    PORT_Memset(&encodedContext, 0, sizeof(AltNameEncodedContext));
+    rv = SEC_ASN1DecodeItem (arena, &encodedContext, CERT_GeneralNamesTemplate,
+			     EncodedAltName);
+    if (rv == SECFailure) {
+	goto loser;
+    }
+    return cert_DecodeGeneralNames(arena, encodedContext.encodedGenName);
+loser:
+    return NULL;
+}
+
+
+SECStatus
+CERT_EncodeNameConstraintsExtension(PRArenaPool          *arena, 
+				    CERTNameConstraints  *value,
+				    SECItem              *encodedValue)
+{
+    SECStatus     rv = SECSuccess;
+    
+    rv = cert_EncodeNameConstraints(value, arena, encodedValue);
+    return rv;
+}
+
+
+CERTNameConstraints *
+CERT_DecodeNameConstraintsExtension(PRArenaPool          *arena,
+				    SECItem              *encodedConstraints)
+{
+    return  cert_DecodeNameConstraints(arena, encodedConstraints);
+}
+
+
+CERTAuthInfoAccess **
+cert_DecodeAuthInfoAccessExtension(PRArenaPool *arena,
+				   SECItem     *encodedExtension)
+{
+    CERTAuthInfoAccess **info = NULL;
+    SECStatus rv;
+    int i;
+
+    rv = SEC_ASN1DecodeItem(arena, &info, CERTAuthInfoAccessTemplate, 
+			    encodedExtension);
+    if (rv != SECSuccess || info == NULL) {
+	return NULL;
+    }
+
+    for (i = 0; info[i] != NULL; i++) {
+	info[i]->location = CERT_DecodeGeneralName(arena,
+						   &(info[i]->derLocation),
+						   NULL);
+    }
+    return info;
+}
+
+SECStatus
+cert_EncodeAuthInfoAccessExtension(PRArenaPool *arena,
+				   CERTAuthInfoAccess **info,
+				   SECItem *dest)
+{
+    SECItem *dummy;
+    int i;
+
+    PORT_Assert(info != NULL);
+    PORT_Assert(dest != NULL);
+    if (info == NULL || dest == NULL) {
+	return SECFailure;
+    }
+
+    for (i = 0; info[i] != NULL; i++) {
+	if (CERT_EncodeGeneralName(info[i]->location, &(info[i]->derLocation),
+				   arena) == NULL)
+	    /* Note that this may leave some of the locations filled in. */
+	    return SECFailure;
+    }
+    dummy = SEC_ASN1EncodeItem(arena, dest, &info,
+			       CERTAuthInfoAccessTemplate);
+    if (dummy == NULL) {
+	return SECFailure;
+    }
+    return SECSuccess;
+}
diff --git a/security/nss/lib/certdb/xconst.h b/security/nss/lib/certdb/xconst.h
new file mode 100644
index 000000000..42c49f2e4
--- /dev/null
+++ b/security/nss/lib/certdb/xconst.h
@@ -0,0 +1,85 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "certt.h"
+
+typedef struct PKUPEncodedContext{
+    SECItem notBefore;
+    SECItem notAfter;
+    /*    SECItem encodedValue; */
+    PRArenaPool *arena;
+}PKUPEncodedContext;
+
+typedef struct AltNameEncodedContext{
+    SECItem **encodedGenName;
+}AltNameEncodedContext;
+
+
+typedef struct NameConstraint{
+    CERTGeneralName  generalName;
+    int              min;
+    int              max;
+}NameConstraint;
+
+
+
+extern SECStatus
+CERT_EncodePublicKeyUsagePeriod(PRArenaPool *arena, PKUPEncodedContext *pkup,
+				SECItem *encodedValue);
+
+extern SECStatus
+CERT_EncodeAltNameExtension(PRArenaPool *arena,  CERTGeneralName  *value, SECItem *encodedValue);
+
+extern SECStatus
+CERT_EncodeNameConstraintsExtension(PRArenaPool *arena, CERTNameConstraints  *value,
+			    SECItem *encodedValue);
+extern CERTGeneralName *
+CERT_DecodeAltNameExtension(PRArenaPool *arena, SECItem *EncodedAltName);
+
+extern CERTNameConstraints *
+CERT_DecodeNameConstraintsExtension(PRArenaPool *arena, SECItem *encodedConstraints);
+
+extern SECStatus 
+CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len, SECItem *encodedValue);
+
+extern SECStatus 
+CERT_EncodeIA5TypeExtension(PRArenaPool *arena, char *value, SECItem *encodedValue);
+
+CERTAuthInfoAccess **
+cert_DecodeAuthInfoAccessExtension(PRArenaPool *arena,
+				   SECItem     *encodedExtension);
+
+SECStatus
+cert_EncodeAuthInfoAccessExtension(PRArenaPool *arena,
+				   CERTAuthInfoAccess **info,
+				   SECItem *dest);
diff --git a/security/nss/lib/certhigh/Makefile b/security/nss/lib/certhigh/Makefile
new file mode 100644
index 000000000..08b7137d5
--- /dev/null
+++ b/security/nss/lib/certhigh/Makefile
@@ -0,0 +1,76 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+-include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
diff --git a/security/nss/lib/certhigh/certhigh.c b/security/nss/lib/certhigh/certhigh.c
new file mode 100644
index 000000000..06cccb43b
--- /dev/null
+++ b/security/nss/lib/certhigh/certhigh.c
@@ -0,0 +1,1217 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#include "nspr.h"
+#include "secerr.h"
+#include "secasn1.h"
+#include "seccomon.h"
+#include "pk11func.h"
+#include "certdb.h"
+#include "certt.h"
+#include "cert.h"
+#include "certxutl.h"
+
+#ifndef NSS_3_4_CODE
+#define NSS_3_4_CODE
+#endif
+#include "nsspki.h"
+#include "pkit.h"
+#include "pkitm.h"
+#include "pki3hack.h"
+
+
+CERTSignedCrl * crl_storeCRL (PK11SlotInfo *slot,char *url,
+                  CERTSignedCrl *newCrl, SECItem *derCrl, int type);
+
+PRBool
+CERT_MatchNickname(char *name1, char *name2) {
+    char *nickname1= NULL;
+    char *nickname2 = NULL;
+    char *token1;
+    char *token2;
+    char *token = NULL;
+    int len;
+
+    /* first deal with the straight comparison */
+    if (PORT_Strcmp(name1, name2) == 0) {
+	return PR_TRUE;
+    }
+    /* we need to handle the case where one name has an explicit token and the other
+     * doesn't */
+    token1 = PORT_Strchr(name1,':');
+    token2 = PORT_Strchr(name2,':');
+    if ((token1 && token2) || (!token1 && !token2)) {
+	/* either both token names are specified or neither are, not match */
+	return PR_FALSE;
+    }
+    if (token1) {
+	token=name1;
+	nickname1=token1;
+	nickname2=name2;
+    } else {
+	token=name2;
+	nickname1=token2;
+	nickname2=name1;
+    }
+    len = nickname1-token;
+    nickname1++;
+    if (PORT_Strcmp(nickname1,nickname2) != 0) {
+	return PR_FALSE;
+    }
+    /* compare the other token with the internal slot here */
+    return PR_TRUE;
+}
+
+
+/*
+ * Find all user certificates that match the given criteria.
+ * 
+ *	"handle" - database to search
+ *	"usage" - certificate usage to match
+ *	"oneCertPerName" - if set then only return the "best" cert per
+ *			name
+ *	"validOnly" - only return certs that are curently valid
+ *	"proto_win" - window handle passed to pkcs11
+ */
+CERTCertList *
+CERT_FindUserCertsByUsage(CERTCertDBHandle *handle,
+			  SECCertUsage usage,
+			  PRBool oneCertPerName,
+			  PRBool validOnly,
+			  void *proto_win)
+{
+    CERTCertNicknames *nicknames = NULL;
+    char **nnptr;
+    int nn;
+    CERTCertificate *cert = NULL;
+    CERTCertList *certList = NULL;
+    SECStatus rv;
+    int64 time;
+    CERTCertListNode *node = NULL;
+    CERTCertListNode *freenode = NULL;
+    int n;
+    
+    time = PR_Now();
+    
+    nicknames = CERT_GetCertNicknames(handle, SEC_CERT_NICKNAMES_USER,
+				      proto_win);
+    
+    if ( ( nicknames == NULL ) || ( nicknames->numnicknames == 0 ) ) {
+	goto loser;
+    }
+
+    nnptr = nicknames->nicknames;
+    nn = nicknames->numnicknames;
+
+    while ( nn > 0 ) {
+	cert = NULL;
+	/* use the pk11 call so that we pick up any certs on tokens,
+	 * which may require login
+	 */
+	if ( proto_win != NULL ) {
+	    cert = PK11_FindCertFromNickname(*nnptr,proto_win);
+	}
+
+	/* Sigh, It turns out if the cert is already in the temp db, because
+	 * it's in the perm db, then the nickname lookup doesn't work.
+	 * since we already have the cert here, though, than we can just call
+	 * CERT_CreateSubjectCertList directly. For those cases where we didn't
+	 * find the cert in pkcs #11 (because we didn't have a password arg,
+	 * or because the nickname is for a peer, server, or CA cert, then we
+	 * go look the cert up.
+	 */
+	if (cert == NULL) { 
+	    cert = CERT_FindCertByNickname(handle,*nnptr);
+	}
+
+	if ( cert != NULL ) {
+	   /* collect certs for this nickname, sorting them into the list */
+	    certList = CERT_CreateSubjectCertList(certList, handle, 
+				&cert->derSubject, time, validOnly);
+	
+	    /* drop the extra reference */
+	    CERT_DestroyCertificate(cert);
+	}
+	
+	nnptr++;
+	nn--;
+    }
+
+    /* remove certs with incorrect usage */
+    rv = CERT_FilterCertListByUsage(certList, usage, PR_FALSE);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* remove any extra certs for each name */
+    if ( oneCertPerName ) {
+	PRBool *flags;
+
+	nn = nicknames->numnicknames;
+	nnptr = nicknames->nicknames;
+	
+	flags = (PRBool *)PORT_ZAlloc(sizeof(PRBool) * nn);
+	if ( flags == NULL ) {
+	    goto loser;
+	}
+	
+	node = CERT_LIST_HEAD(certList);
+	
+	/* treverse all certs in the list */
+	while ( !CERT_LIST_END(node, certList) ) {
+
+	    /* find matching nickname index */
+	    for ( n = 0; n < nn; n++ ) {
+		if ( CERT_MatchNickname(nnptr[n], node->cert->nickname) ) {
+		    /* We found a match.  If this is the first one, then
+		     * set the flag and move on to the next cert.  If this
+		     * is not the first one then delete it from the list.
+		     */
+		    if ( flags[n] ) {
+			/* We have already seen a cert with this nickname,
+			 * so delete this one.
+			 */
+			freenode = node;
+			node = CERT_LIST_NEXT(node);
+			CERT_RemoveCertListNode(freenode);
+		    } else {
+			/* keep the first cert for each nickname, but set the
+			 * flag so we know to delete any others with the same
+			 * nickname.
+			 */
+			flags[n] = PR_TRUE;
+			node = CERT_LIST_NEXT(node);
+		    }
+		    break;
+		}
+	    }
+	    if ( n == nn ) {
+		/* if we get here it means that we didn't find a matching
+		 * nickname, which should not happen.
+		 */
+		PORT_Assert(0);
+		node = CERT_LIST_NEXT(node);
+	    }
+	}
+	PORT_Free(flags);
+    }
+
+    goto done;
+    
+loser:
+    if ( certList != NULL ) {
+	CERT_DestroyCertList(certList);
+	certList = NULL;
+    }
+
+done:
+    if ( nicknames != NULL ) {
+	CERT_FreeNicknames(nicknames);
+    }
+
+    return(certList);
+}
+
+/*
+ * Find a user certificate that matchs the given criteria.
+ * 
+ *	"handle" - database to search
+ *	"nickname" - nickname to match
+ *	"usage" - certificate usage to match
+ *	"validOnly" - only return certs that are curently valid
+ *	"proto_win" - window handle passed to pkcs11
+ */
+CERTCertificate *
+CERT_FindUserCertByUsage(CERTCertDBHandle *handle,
+			 char *nickname,
+			 SECCertUsage usage,
+			 PRBool validOnly,
+			 void *proto_win)
+{
+    CERTCertificate *cert = NULL;
+    CERTCertList *certList = NULL;
+    SECStatus rv;
+    int64 time;
+    
+    time = PR_Now();
+    
+    /* use the pk11 call so that we pick up any certs on tokens,
+     * which may require login
+     */
+    /* XXX - why is this restricted? */
+    if ( proto_win != NULL ) {
+	cert = PK11_FindCertFromNickname(nickname,proto_win);
+    }
+
+
+    /* sigh, There are still problems find smart cards from the temp
+     * db. This will get smart cards working again. The real fix
+     * is to make sure we can search the temp db by their token nickname.
+     */
+    if (cert == NULL) {
+	cert = CERT_FindCertByNickname(handle,nickname);
+    }
+
+    if ( cert != NULL ) {
+ 	/* collect certs for this nickname, sorting them into the list */
+	certList = CERT_CreateSubjectCertList(certList, handle, 
+					&cert->derSubject, time, validOnly);
+
+	/* drop the extra reference */
+	CERT_DestroyCertificate(cert);
+	cert = NULL;
+    }
+	
+    if ( certList == NULL ) {
+	goto loser;
+    }
+    
+    /* remove certs with incorrect usage */
+    rv = CERT_FilterCertListByUsage(certList, usage, PR_FALSE);
+
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    if ( ! CERT_LIST_END(CERT_LIST_HEAD(certList), certList) ) {
+	cert = CERT_DupCertificate(CERT_LIST_HEAD(certList)->cert);
+    }
+    
+loser:
+    if ( certList != NULL ) {
+	CERT_DestroyCertList(certList);
+    }
+
+    return(cert);
+}
+
+CERTCertList *
+CERT_MatchUserCert(CERTCertDBHandle *handle,
+		   SECCertUsage usage,
+		   int nCANames, char **caNames,
+		   void *proto_win)
+{
+    CERTCertList *certList = NULL;
+    SECStatus rv;
+
+    certList = CERT_FindUserCertsByUsage(handle, usage, PR_TRUE, PR_TRUE,
+					 proto_win);
+    if ( certList == NULL ) {
+	goto loser;
+    }
+    
+    rv = CERT_FilterCertListByCANames(certList, nCANames, caNames, usage);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    goto done;
+    
+loser:
+    if ( certList != NULL ) {
+	CERT_DestroyCertList(certList);
+	certList = NULL;
+    }
+
+done:
+
+    return(certList);
+}
+
+
+typedef struct stringNode {
+    struct stringNode *next;
+    char *string;
+} stringNode;
+    
+static SECStatus
+CollectNicknames( CERTCertificate *cert, SECItem *k, void *data)
+{
+    CERTCertNicknames *names;
+    PRBool saveit = PR_FALSE;
+    CERTCertTrust *trust;
+    stringNode *node;
+    int len;
+    
+    names = (CERTCertNicknames *)data;
+    
+    if ( cert->nickname ) {
+	trust = cert->trust;
+	
+	switch(names->what) {
+	  case SEC_CERT_NICKNAMES_ALL:
+	    if ( ( trust->sslFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) ||
+	      ( trust->emailFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) ||
+	      ( trust->objectSigningFlags & (CERTDB_VALID_CA|CERTDB_VALID_PEER) ) ) {
+		saveit = PR_TRUE;
+	    }
+	    
+	    break;
+	  case SEC_CERT_NICKNAMES_USER:
+	    if ( ( trust->sslFlags & CERTDB_USER ) ||
+		( trust->emailFlags & CERTDB_USER ) ||
+		( trust->objectSigningFlags & CERTDB_USER ) ) {
+		saveit = PR_TRUE;
+	    }
+	    
+	    break;
+	  case SEC_CERT_NICKNAMES_SERVER:
+	    if ( trust->sslFlags & CERTDB_VALID_PEER ) {
+		saveit = PR_TRUE;
+	    }
+	    
+	    break;
+	  case SEC_CERT_NICKNAMES_CA:
+	    if ( ( ( trust->sslFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) ||
+		( ( trust->emailFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) ||
+		( ( trust->objectSigningFlags & CERTDB_VALID_CA ) == CERTDB_VALID_CA ) ) {
+		saveit = PR_TRUE;
+	    }
+	    break;
+	}
+    }
+
+    /* traverse the list of collected nicknames and make sure we don't make
+     * a duplicate
+     */
+    if ( saveit ) {
+	node = (stringNode *)names->head;
+	while ( node != NULL ) {
+	    if ( PORT_Strcmp(cert->nickname, node->string) == 0 ) { 
+		/* if the string matches, then don't save this one */
+		saveit = PR_FALSE;
+		break;
+	    }
+	    node = node->next;
+	}
+    }
+
+    if ( saveit ) {
+	
+	/* allocate the node */
+	node = (stringNode*)PORT_ArenaAlloc(names->arena, sizeof(stringNode));
+	if ( node == NULL ) {
+	    return(SECFailure);
+	}
+
+	/* copy the string */
+	len = PORT_Strlen(cert->nickname) + 1;
+	node->string = (char*)PORT_ArenaAlloc(names->arena, len);
+	if ( node->string == NULL ) {
+	    return(SECFailure);
+	}
+	PORT_Memcpy(node->string, cert->nickname, len);
+
+	/* link it into the list */
+	node->next = (stringNode *)names->head;
+	names->head = (void *)node;
+
+	/* bump the count */
+	names->numnicknames++;
+    }
+    
+    return(SECSuccess);
+}
+
+CERTCertNicknames *
+CERT_GetCertNicknames(CERTCertDBHandle *handle, int what, void *wincx)
+{
+    PRArenaPool *arena;
+    CERTCertNicknames *names;
+    int i;
+    SECStatus rv;
+    stringNode *node;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return(NULL);
+    }
+    
+    names = (CERTCertNicknames *)PORT_ArenaAlloc(arena, sizeof(CERTCertNicknames));
+    if ( names == NULL ) {
+	goto loser;
+    }
+
+    names->arena = arena;
+    names->head = NULL;
+    names->numnicknames = 0;
+    names->nicknames = NULL;
+    names->what = what;
+    names->totallen = 0;
+    
+    rv = PK11_TraverseSlotCerts(CollectNicknames, (void *)names, wincx);
+    if ( rv ) {
+	goto loser;
+    }
+
+    if ( names->numnicknames ) {
+	names->nicknames = (char**)PORT_ArenaAlloc(arena,
+					 names->numnicknames * sizeof(char *));
+
+	if ( names->nicknames == NULL ) {
+	    goto loser;
+	}
+    
+	node = (stringNode *)names->head;
+	
+	for ( i = 0; i < names->numnicknames; i++ ) {
+	    PORT_Assert(node != NULL);
+	    
+	    names->nicknames[i] = node->string;
+	    names->totallen += PORT_Strlen(node->string);
+	    node = node->next;
+	}
+
+	PORT_Assert(node == NULL);
+    }
+
+    return(names);
+    
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return(NULL);
+}
+
+void
+CERT_FreeNicknames(CERTCertNicknames *nicknames)
+{
+    PORT_FreeArena(nicknames->arena, PR_FALSE);
+    
+    return;
+}
+
+/* [ FROM pcertdb.c ] */
+
+typedef struct dnameNode {
+    struct dnameNode *next;
+    SECItem name;
+} dnameNode;
+
+void
+CERT_FreeDistNames(CERTDistNames *names)
+{
+    PORT_FreeArena(names->arena, PR_FALSE);
+    
+    return;
+}
+
+static SECStatus
+CollectDistNames( CERTCertificate *cert, SECItem *k, void *data)
+{
+    CERTDistNames *names;
+    PRBool saveit = PR_FALSE;
+    CERTCertTrust *trust;
+    dnameNode *node;
+    int len;
+    
+    names = (CERTDistNames *)data;
+    
+    if ( cert->trust ) {
+	trust = cert->trust;
+	
+	/* only collect names of CAs trusted for issuing SSL clients */
+	if (  trust->sslFlags &  CERTDB_TRUSTED_CLIENT_CA )  {
+	    saveit = PR_TRUE;
+	}
+    }
+
+    if ( saveit ) {
+	/* allocate the node */
+	node = (dnameNode*)PORT_ArenaAlloc(names->arena, sizeof(dnameNode));
+	if ( node == NULL ) {
+	    return(SECFailure);
+	}
+
+	/* copy the name */
+	node->name.len = len = cert->derSubject.len;
+	node->name.type = siBuffer;
+	node->name.data = (unsigned char*)PORT_ArenaAlloc(names->arena, len);
+	if ( node->name.data == NULL ) {
+	    return(SECFailure);
+	}
+	PORT_Memcpy(node->name.data, cert->derSubject.data, len);
+
+	/* link it into the list */
+	node->next = (dnameNode *)names->head;
+	names->head = (void *)node;
+
+	/* bump the count */
+	names->nnames++;
+    }
+    
+    return(SECSuccess);
+}
+
+/*
+ * Return all of the CAs that are "trusted" for SSL.
+ */
+CERTDistNames *
+CERT_GetSSLCACerts(CERTCertDBHandle *handle)
+{
+    PRArenaPool *arena;
+    CERTDistNames *names;
+    int i;
+    SECStatus rv;
+    dnameNode *node;
+    
+    /* allocate an arena to use */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return(NULL);
+    }
+    
+    /* allocate the header structure */
+    names = (CERTDistNames *)PORT_ArenaAlloc(arena, sizeof(CERTDistNames));
+    if ( names == NULL ) {
+	goto loser;
+    }
+
+    /* initialize the header struct */
+    names->arena = arena;
+    names->head = NULL;
+    names->nnames = 0;
+    names->names = NULL;
+    
+    /* collect the names from the database */
+    rv = PK11_TraverseSlotCerts(CollectDistNames, (void *)names, NULL);
+    if ( rv ) {
+	goto loser;
+    }
+
+    /* construct the array from the list */
+    if ( names->nnames ) {
+	names->names = (SECItem*)PORT_ArenaAlloc(arena, names->nnames * sizeof(SECItem));
+
+	if ( names->names == NULL ) {
+	    goto loser;
+	}
+    
+	node = (dnameNode *)names->head;
+	
+	for ( i = 0; i < names->nnames; i++ ) {
+	    PORT_Assert(node != NULL);
+	    
+	    names->names[i] = node->name;
+	    node = node->next;
+	}
+
+	PORT_Assert(node == NULL);
+    }
+
+    return(names);
+    
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return(NULL);
+}
+
+CERTDistNames *
+CERT_DistNamesFromNicknames(CERTCertDBHandle *handle, char **nicknames,
+			   int nnames)
+{
+    CERTDistNames *dnames = NULL;
+    PRArenaPool *arena;
+    int i, rv;
+    SECItem *names = NULL;
+    CERTCertificate *cert = NULL;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) goto loser;
+    dnames = (CERTDistNames*)PORT_Alloc(sizeof(CERTDistNames));
+    if (dnames == NULL) goto loser;
+
+    dnames->arena = arena;
+    dnames->nnames = nnames;
+    dnames->names = names = (SECItem*)PORT_Alloc(nnames * sizeof(SECItem));
+    if (names == NULL) goto loser;
+    
+    for (i = 0; i < nnames; i++) {
+	cert = CERT_FindCertByNicknameOrEmailAddr(handle, nicknames[i]);
+	if (cert == NULL) goto loser;
+	rv = SECITEM_CopyItem(arena, &names[i], &cert->derSubject);
+	if (rv == SECFailure) goto loser;
+	CERT_DestroyCertificate(cert);
+    }
+    return dnames;
+    
+loser:
+    if (cert != NULL)
+	CERT_DestroyCertificate(cert);
+    if (arena != NULL)
+	PORT_FreeArena(arena, PR_FALSE);
+    return NULL;
+}
+
+/* [ from pcertdb.c - calls Ascii to Name ] */
+/*
+ * Lookup a certificate in the database by name
+ */
+CERTCertificate *
+CERT_FindCertByNameString(CERTCertDBHandle *handle, char *nameStr)
+{
+    CERTName *name;
+    SECItem *nameItem;
+    CERTCertificate *cert = NULL;
+    PRArenaPool *arena = NULL;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( arena == NULL ) {
+	goto loser;
+    }
+    
+    name = CERT_AsciiToName(nameStr);
+    
+    if ( name ) {
+	nameItem = SEC_ASN1EncodeItem (arena, NULL, (void *)name,
+				       CERT_NameTemplate);
+	if ( nameItem == NULL ) {
+	    goto loser;
+	}
+
+	cert = CERT_FindCertByName(handle, nameItem);
+	CERT_DestroyName(name);
+    }
+
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(cert);
+}
+
+/* From certv3.c */
+
+CERTCrlDistributionPoints *
+CERT_FindCRLDistributionPoints (CERTCertificate *cert)
+{
+    SECItem encodedExtenValue;
+    SECStatus rv;
+
+    encodedExtenValue.data = NULL;
+    encodedExtenValue.len = 0;
+
+    rv = cert_FindExtension(cert->extensions, SEC_OID_X509_CRL_DIST_POINTS,
+			    &encodedExtenValue);
+    if ( rv != SECSuccess ) {
+	return (NULL);
+    }
+
+    return (CERT_DecodeCRLDistributionPoints (cert->arena,
+					      &encodedExtenValue));
+}
+
+/* From crl.c */
+CERTSignedCrl * CERT_ImportCRL
+   (CERTCertDBHandle *handle, SECItem *derCRL, char *url, int type, void *wincx)
+{
+    CERTCertificate *caCert;
+    CERTSignedCrl *newCrl, *crl;
+    SECStatus rv;
+    PK11SlotInfo *slot;
+
+    newCrl = crl = NULL;
+
+    PORT_Assert (handle != NULL);
+    do {
+
+	newCrl = CERT_DecodeDERCrl(NULL, derCRL, type);
+	if (newCrl == NULL) {
+	    if (type == SEC_CRL_TYPE) {
+		/* only promote error when the error code is too generic */
+		if (PORT_GetError () == SEC_ERROR_BAD_DER)
+			PORT_SetError(SEC_ERROR_CRL_INVALID);
+	    } else {
+		PORT_SetError(SEC_ERROR_KRL_INVALID);
+	    }
+	    break;		
+	}
+    
+	caCert = CERT_FindCertByName (handle, &newCrl->crl.derName);
+	if (caCert == NULL) {
+	    PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);	    
+	    break;
+	}
+
+	/* If caCert is a v3 certificate, make sure that it can be used for
+	   crl signing purpose */
+	rv = CERT_CheckCertUsage (caCert, KU_CRL_SIGN);
+	if (rv != SECSuccess) {
+	    break;
+	}
+
+	rv = CERT_VerifySignedData(&newCrl->signatureWrap, caCert,
+				   PR_Now(), wincx);
+	if (rv != SECSuccess) {
+	    if (type == SEC_CRL_TYPE) {
+		PORT_SetError(SEC_ERROR_CRL_BAD_SIGNATURE);
+	    } else {
+		PORT_SetError(SEC_ERROR_KRL_BAD_SIGNATURE);
+	    }
+	    break;
+	}
+
+	slot = PK11_GetInternalKeySlot();
+	crl = crl_storeCRL(slot, url, newCrl, derCRL, type);
+	PK11_FreeSlot(slot);
+
+    } while (0);
+
+    if (crl == NULL) {
+	SEC_DestroyCrl (newCrl);
+    }
+    return (crl);
+}
+
+/* From certdb.c */
+static SECStatus
+cert_ImportCAChain(SECItem *certs, int numcerts, SECCertUsage certUsage, PRBool trusted)
+{
+    SECStatus rv;
+    SECItem *derCert;
+    PRArenaPool *arena;
+    CERTCertificate *cert = NULL;
+    CERTCertificate *newcert = NULL;
+    CERTCertDBHandle *handle;
+    CERTCertTrust trust;
+    PRBool isca;
+    char *nickname;
+    unsigned int certtype;
+    
+    handle = CERT_GetDefaultCertDB();
+    
+    arena = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( ! arena ) {
+	goto loser;
+    }
+
+    while (numcerts--) {
+	derCert = certs;
+	certs++;
+
+	/* decode my certificate */
+	newcert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
+	if ( newcert == NULL ) {
+	    goto loser;
+	}
+
+	if (!trusted) {
+	    /* make sure that cert is valid */
+	    rv = CERT_CertTimesValid(newcert);
+	    if ( rv == SECFailure ) {
+		goto endloop;
+	    }
+	}
+
+	/* does it have the CA extension */
+	
+	/*
+	 * Make sure that if this is an intermediate CA in the chain that
+	 * it was given permission by its signer to be a CA.
+	 */
+	isca = CERT_IsCACert(newcert, &certtype);
+
+	if ( !isca ) {
+	    if (!trusted) {
+		goto endloop;
+	    }
+	    trust.sslFlags = CERTDB_VALID_CA;
+	    trust.emailFlags = CERTDB_VALID_CA;
+	    trust.objectSigningFlags = CERTDB_VALID_CA;
+	} else {
+	    /* SSL ca's must have the ssl bit set */
+	    if ( ( certUsage == certUsageSSLCA ) &&
+		(( certtype & NS_CERT_TYPE_SSL_CA ) != NS_CERT_TYPE_SSL_CA )) {
+		goto endloop;
+	    }
+
+	    /* it passed all of the tests, so lets add it to the database */
+	    /* mark it as a CA */
+	    PORT_Memset((void *)&trust, 0, sizeof(trust));
+	    switch ( certUsage ) {
+	      case certUsageSSLCA:
+		trust.sslFlags = CERTDB_VALID_CA;
+		break;
+	      case certUsageUserCertImport:
+		if ((certtype & NS_CERT_TYPE_SSL_CA) == NS_CERT_TYPE_SSL_CA) {
+		    trust.sslFlags = CERTDB_VALID_CA;
+		}
+		if ((certtype & NS_CERT_TYPE_EMAIL_CA) 
+						== NS_CERT_TYPE_EMAIL_CA ) {
+		    trust.emailFlags = CERTDB_VALID_CA;
+		}
+		if ( ( certtype & NS_CERT_TYPE_OBJECT_SIGNING_CA ) ==
+					NS_CERT_TYPE_OBJECT_SIGNING_CA ) {
+		     trust.objectSigningFlags = CERTDB_VALID_CA;
+		}
+		break;
+	      default:
+		PORT_Assert(0);
+		break;
+	    }
+	}
+	
+	cert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
+	if ( cert == NULL ) {
+	    goto loser;
+	}
+	
+	/* get a default nickname for it */
+	nickname = CERT_MakeCANickname(cert);
+
+	cert->trust = &trust;
+	rv = PK11_ImportCert(PK11_GetInternalKeySlot(), cert, 
+			CK_INVALID_HANDLE, nickname, PR_TRUE);
+
+	/* free the nickname */
+	if ( nickname ) {
+	    PORT_Free(nickname);
+	}
+
+	CERT_DestroyCertificate(cert);
+	cert = NULL;
+	
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+
+endloop:
+	if ( newcert ) {
+	    CERT_DestroyCertificate(newcert);
+	    newcert = NULL;
+	}
+	
+    }
+
+    rv = SECSuccess;
+    goto done;
+loser:
+    rv = SECFailure;
+done:
+    
+    if ( newcert ) {
+	CERT_DestroyCertificate(newcert);
+	newcert = NULL;
+    }
+    
+    if ( cert ) {
+	CERT_DestroyCertificate(cert);
+	cert = NULL;
+    }
+    
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+
+    return(rv);
+}
+
+SECStatus
+CERT_ImportCAChain(SECItem *certs, int numcerts, SECCertUsage certUsage)
+{
+    return cert_ImportCAChain(certs, numcerts, certUsage, PR_FALSE);
+}
+
+SECStatus
+CERT_ImportCAChainTrusted(SECItem *certs, int numcerts, SECCertUsage certUsage) {
+    return cert_ImportCAChain(certs, numcerts, certUsage, PR_TRUE);
+}
+
+/* Moved from certdb.c */
+/*
+** CERT_CertChainFromCert
+**
+** Construct a CERTCertificateList consisting of the given certificate and all
+** of the issuer certs until we either get to a self-signed cert or can't find
+** an issuer.  Since we don't know how many certs are in the chain we have to
+** build a linked list first as we count them.
+*/
+
+typedef struct certNode {
+    struct certNode *next;
+    CERTCertificate *cert;
+} certNode;
+
+CERTCertificateList *
+CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage,
+		       PRBool includeRoot)
+{
+#ifdef NSS_CLASSIC
+    CERTCertificateList *chain = NULL;
+    CERTCertificate *c;
+    SECItem *p;
+    int rv, len = 0;
+    PRArenaPool *tmpArena, *arena;
+    certNode *head, *tail, *node;
+
+    /*
+     * Initialize stuff so we can goto loser.
+     */
+    head = NULL;
+    arena = NULL;
+
+    /* arena for linked list */
+    tmpArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (tmpArena == NULL) goto no_memory;
+
+    /* arena for SecCertificateList */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) goto no_memory;
+
+    head = tail = (certNode*)PORT_ArenaZAlloc(tmpArena, sizeof(certNode));
+    if (head == NULL) goto no_memory;
+
+    /* put primary cert first in the linked list */
+    head->cert = c = CERT_DupCertificate(cert);
+    if (head->cert == NULL) goto loser;
+    len++;
+
+    /* add certs until we come to a self-signed one */
+    while(SECITEM_CompareItem(&c->derIssuer, &c->derSubject) != SECEqual) {
+	c = CERT_FindCertIssuer(tail->cert, PR_Now(), usage);
+	if (c == NULL) {
+	    /* no root is found, so make sure we don't attempt to delete one
+	     * below
+	     */
+	    includeRoot = PR_TRUE;
+	    break;
+	}
+	
+	tail->next = (certNode*)PORT_ArenaZAlloc(tmpArena, sizeof(certNode));
+	tail = tail->next;
+	if (tail == NULL) goto no_memory;
+	
+	tail->cert = c;
+	len++;
+    }
+
+    /* now build the CERTCertificateList */
+    chain = (CERTCertificateList *)PORT_ArenaAlloc(arena, sizeof(CERTCertificateList));
+    if (chain == NULL) goto no_memory;
+    chain->certs = (SECItem*)PORT_ArenaAlloc(arena, len * sizeof(SECItem));
+    if (chain->certs == NULL) goto no_memory;
+    
+    for(node = head, p = chain->certs; node; node = node->next, p++) {
+	rv = SECITEM_CopyItem(arena, p, &node->cert->derCert);
+	CERT_DestroyCertificate(node->cert);
+	node->cert = NULL;
+	if (rv < 0) goto loser;
+    }
+    if ( !includeRoot && len > 1) {
+	chain->len = len - 1;
+    } else {
+	chain->len = len;
+    }
+    
+    chain->arena = arena;
+
+    PORT_FreeArena(tmpArena, PR_FALSE);
+    
+    return chain;
+
+no_memory:
+    PORT_SetError(SEC_ERROR_NO_MEMORY);
+loser:
+    if (head != NULL) {
+	for (node = head; node; node = node->next) {
+	    if (node->cert != NULL)
+		CERT_DestroyCertificate(node->cert);
+	}
+    }
+
+    if (arena != NULL) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+
+    if (tmpArena != NULL) {
+	PORT_FreeArena(tmpArena, PR_FALSE);
+    }
+
+    return NULL;
+#else
+    CERTCertificateList *chain = NULL;
+    NSSCertificate **stanChain;
+    NSSCertificate *stanCert;
+    PRArenaPool *arena;
+    NSSUsage nssUsage;
+    int i, len;
+
+    stanCert = STAN_GetNSSCertificate(cert);
+    nssUsage.anyUsage = PR_FALSE;
+    nssUsage.nss3usage = usage;
+    stanChain = NSSCertificate_BuildChain(stanCert, NULL, &nssUsage, NULL,
+                                                    NULL, 0, NULL, NULL);
+    if (!stanChain) {
+	return NULL;
+    }
+
+    len = 0;
+    stanCert = stanChain[0];
+    while (stanCert) {
+	stanCert = stanChain[++len];
+    }
+
+    arena = PORT_NewArena(4096);
+    if (arena == NULL) {
+	goto loser;
+    }
+
+    chain = (CERTCertificateList *)PORT_ArenaAlloc(arena, 
+                                                 sizeof(CERTCertificateList));
+    if (!chain) goto loser;
+    chain->certs = (SECItem*)PORT_ArenaAlloc(arena, len * sizeof(SECItem));
+    if (!chain->certs) goto loser;
+    i = 0;
+    stanCert = stanChain[i];
+    while (stanCert) {
+	SECItem derCert;
+	CERTCertificate *cCert = STAN_GetCERTCertificate(stanCert);
+	derCert.len = (unsigned int)stanCert->encoding.size;
+	derCert.data = (unsigned char *)stanCert->encoding.data;
+	SECITEM_CopyItem(arena, &chain->certs[i], &derCert);
+	CERT_DestroyCertificate(cCert);
+	stanCert = stanChain[++i];
+    }
+    if ( !includeRoot && len > 1) {
+	chain->len = len - 1;
+    } else {
+	chain->len = len;
+    }
+    
+    chain->arena = arena;
+    nss_ZFreeIf(stanChain);
+    return chain;
+loser:
+    i = 0;
+    stanCert = stanChain[i];
+    while (stanCert) {
+	CERTCertificate *cCert = STAN_GetCERTCertificate(stanCert);
+	CERT_DestroyCertificate(cCert);
+	stanCert = stanChain[++i];
+    }
+    nss_ZFreeIf(stanChain);
+    if (arena) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return NULL;
+#endif
+}
+
+/* Builds a CERTCertificateList holding just one DER-encoded cert, namely
+** the one for the cert passed as an argument.
+*/
+CERTCertificateList *
+CERT_CertListFromCert(CERTCertificate *cert)
+{
+    CERTCertificateList *chain = NULL;
+    int rv;
+    PRArenaPool *arena;
+
+    /* arena for SecCertificateList */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) goto no_memory;
+
+    /* build the CERTCertificateList */
+    chain = (CERTCertificateList *)PORT_ArenaAlloc(arena, sizeof(CERTCertificateList));
+    if (chain == NULL) goto no_memory;
+    chain->certs = (SECItem*)PORT_ArenaAlloc(arena, 1 * sizeof(SECItem));
+    if (chain->certs == NULL) goto no_memory;
+    rv = SECITEM_CopyItem(arena, chain->certs, &(cert->derCert));
+    if (rv < 0) goto loser;
+    chain->len = 1;
+    chain->arena = arena;
+
+    return chain;
+
+no_memory:
+    PORT_SetError(SEC_ERROR_NO_MEMORY);
+loser:
+    if (arena != NULL) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return NULL;
+}
+
+CERTCertificateList *
+CERT_DupCertList(CERTCertificateList * oldList)
+{
+    CERTCertificateList *newList = NULL;
+    PRArenaPool         *arena   = NULL;
+    SECItem             *newItem;
+    SECItem             *oldItem;
+    int                 len      = oldList->len;
+    int                 rv;
+
+    /* arena for SecCertificateList */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) 
+	goto no_memory;
+
+    /* now build the CERTCertificateList */
+    newList = PORT_ArenaNew(arena, CERTCertificateList);
+    if (newList == NULL) 
+	goto no_memory;
+    newList->arena = arena;
+    newItem = (SECItem*)PORT_ArenaAlloc(arena, len * sizeof(SECItem));
+    if (newItem == NULL) 
+	goto no_memory;
+    newList->certs = newItem;
+    newList->len   = len;
+
+    for (oldItem = oldList->certs; len > 0; --len, ++newItem, ++oldItem) {
+	rv = SECITEM_CopyItem(arena, newItem, oldItem);
+	if (rv < 0) 
+	    goto loser;
+    }
+    return newList;
+
+no_memory:
+    PORT_SetError(SEC_ERROR_NO_MEMORY);
+loser:
+    if (arena != NULL) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return NULL;
+}
+
+void
+CERT_DestroyCertificateList(CERTCertificateList *list)
+{
+    PORT_FreeArena(list->arena, PR_FALSE);
+}
+
diff --git a/security/nss/lib/certhigh/certhtml.c b/security/nss/lib/certhigh/certhtml.c
new file mode 100644
index 000000000..ff5f3c82d
--- /dev/null
+++ b/security/nss/lib/certhigh/certhtml.c
@@ -0,0 +1,605 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * certhtml.c --- convert a cert to html
+ *
+ * $Id$
+ */
+
+#include "seccomon.h"
+#include "secitem.h"
+#include "sechash.h"
+#include "cert.h"
+#include "keyhi.h"
+#include "secder.h"
+#include "prprf.h"
+#include "secport.h"
+#include "secasn1.h"
+#include "pk11func.h"
+
+static char *hex = "0123456789ABCDEF";
+
+/*
+** Convert a der-encoded integer to a hex printable string form
+*/
+char *CERT_Hexify (SECItem *i, int do_colon)
+{
+    unsigned char *cp, *end;
+    char *rv, *o;
+
+    if (!i->len) {
+	return PORT_Strdup("00");
+    }
+
+    rv = o = (char*) PORT_Alloc(i->len * 3);
+    if (!rv) return rv;
+
+    cp = i->data;
+    end = cp + i->len;
+    while (cp < end) {
+	unsigned char ch = *cp++;
+	*o++ = hex[(ch >> 4) & 0xf];
+	*o++ = hex[ch & 0xf];
+	if (cp != end) {
+	    if (do_colon) {
+		*o++ = ':';
+	    }
+	} 
+    }
+    *o = 0;           /* Null terminate the string */
+    return rv;
+}
+
+static char *
+gatherStrings(char **strings)
+{
+    char **strs;
+    int len;
+    char *ret;
+    char *s;
+
+    /* find total length of all strings */
+    strs = strings;
+    len = 0;
+    while ( *strs ) {
+	len += PORT_Strlen(*strs);
+	strs++;
+    }
+    
+    /* alloc enough memory for it */
+    ret = (char*)PORT_Alloc(len + 1);
+    if ( !ret ) {
+	return(ret);
+    }
+
+    s = ret;
+    
+    /* copy the strings */
+    strs = strings;
+    while ( *strs ) {
+	PORT_Strcpy(s, *strs);
+	s += PORT_Strlen(*strs);
+	strs++;
+    }
+
+    return( ret );
+}
+
+#define BREAK "<br>"
+#define BREAKLEN 4
+#define COMMA ", "
+#define COMMALEN 2
+
+#define MAX_OUS 20
+#define MAX_DC MAX_OUS
+
+
+char *CERT_FormatName (CERTName *name)
+{
+    CERTRDN** rdns;
+    CERTRDN * rdn;
+    CERTAVA** avas;
+    CERTAVA*  ava;
+    char *    buf	= 0;
+    char *    tmpbuf	= 0;
+    SECItem * cn	= 0;
+    SECItem * email	= 0;
+    SECItem * org	= 0;
+    SECItem * loc	= 0;
+    SECItem * state	= 0;
+    SECItem * country	= 0;
+    SECItem * dq     	= 0;
+
+    unsigned  len 	= 0;
+    int       tag;
+    int       i;
+    int       ou_count = 0;
+    int       dc_count = 0;
+    PRBool    first;
+    SECItem * orgunit[MAX_OUS];
+    SECItem * dc[MAX_DC];
+
+    /* Loop over name components and gather the interesting ones */
+    rdns = name->rdns;
+    while ((rdn = *rdns++) != 0) {
+	avas = rdn->avas;
+	while ((ava = *avas++) != 0) {
+	    tag = CERT_GetAVATag(ava);
+	    switch(tag) {
+	      case SEC_OID_AVA_COMMON_NAME:
+		cn = CERT_DecodeAVAValue(&ava->value);
+		len += cn->len;
+		break;
+	      case SEC_OID_AVA_COUNTRY_NAME:
+		country = CERT_DecodeAVAValue(&ava->value);
+		len += country->len;
+		break;
+	      case SEC_OID_AVA_LOCALITY:
+		loc = CERT_DecodeAVAValue(&ava->value);
+		len += loc->len;
+		break;
+	      case SEC_OID_AVA_STATE_OR_PROVINCE:
+		state = CERT_DecodeAVAValue(&ava->value);
+		len += state->len;
+		break;
+	      case SEC_OID_AVA_ORGANIZATION_NAME:
+		org = CERT_DecodeAVAValue(&ava->value);
+		len += org->len;
+		break;
+	      case SEC_OID_AVA_DN_QUALIFIER:
+		dq = CERT_DecodeAVAValue(&ava->value);
+		len += dq->len;
+		break;
+	      case SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME:
+		if (ou_count < MAX_OUS) {
+			orgunit[ou_count] = CERT_DecodeAVAValue(&ava->value);
+			len += orgunit[ou_count++]->len;
+		}
+		break;
+	      case SEC_OID_AVA_DC:
+		if (dc_count < MAX_DC) {
+			dc[dc_count] = CERT_DecodeAVAValue(&ava->value);
+			len += dc[dc_count++]->len;
+		}
+		break;
+	      case SEC_OID_PKCS9_EMAIL_ADDRESS:
+	      case SEC_OID_RFC1274_MAIL:
+		email = CERT_DecodeAVAValue(&ava->value);
+		len += email->len;
+		break;
+	      default:
+		break;
+	    }
+	}
+    }
+
+    /* XXX - add some for formatting */
+    len += 128;
+
+    /* allocate buffer */
+    buf = (char *)PORT_Alloc(len);
+    if ( !buf ) {
+	return(0);
+    }
+
+    tmpbuf = buf;
+    
+    if ( cn ) {
+	PORT_Memcpy(tmpbuf, cn->data, cn->len);
+	tmpbuf += cn->len;
+	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+	tmpbuf += BREAKLEN;
+	SECITEM_FreeItem(cn, PR_TRUE);
+    }
+    if ( email ) {
+	PORT_Memcpy(tmpbuf, email->data, email->len);
+	tmpbuf += ( email->len );
+	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+	tmpbuf += BREAKLEN;
+	SECITEM_FreeItem(email, PR_TRUE);
+    }
+    for (i=ou_count-1; i >= 0; i--) {
+	PORT_Memcpy(tmpbuf, orgunit[i]->data, orgunit[i]->len);
+	tmpbuf += ( orgunit[i]->len );
+	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+	tmpbuf += BREAKLEN;
+	SECITEM_FreeItem(orgunit[i], PR_TRUE);
+    }
+    if ( dq ) {
+	PORT_Memcpy(tmpbuf, dq->data, dq->len);
+	tmpbuf += ( dq->len );
+	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+	tmpbuf += BREAKLEN;
+	SECITEM_FreeItem(dq, PR_TRUE);
+    }
+    if ( org ) {
+	PORT_Memcpy(tmpbuf, org->data, org->len);
+	tmpbuf += ( org->len );
+	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+	tmpbuf += BREAKLEN;
+	SECITEM_FreeItem(org, PR_TRUE);
+    }
+    for (i=dc_count-1; i >= 0; i--) {
+	PORT_Memcpy(tmpbuf, dc[i]->data, dc[i]->len);
+	tmpbuf += ( dc[i]->len );
+	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+	tmpbuf += BREAKLEN;
+	SECITEM_FreeItem(dc[i], PR_TRUE);
+    }
+    first = PR_TRUE;
+    if ( loc ) {
+	PORT_Memcpy(tmpbuf, loc->data,  loc->len);
+	tmpbuf += ( loc->len );
+	first = PR_FALSE;
+	SECITEM_FreeItem(loc, PR_TRUE);
+    }
+    if ( state ) {
+	if ( !first ) {
+	    PORT_Memcpy(tmpbuf, COMMA, COMMALEN);
+	    tmpbuf += COMMALEN;
+	}
+	PORT_Memcpy(tmpbuf, state->data, state->len);
+	tmpbuf += ( state->len );
+	first = PR_FALSE;
+	SECITEM_FreeItem(state, PR_TRUE);
+    }
+    if ( country ) {
+	if ( !first ) {
+	    PORT_Memcpy(tmpbuf, COMMA, COMMALEN);
+	    tmpbuf += COMMALEN;
+	}
+	PORT_Memcpy(tmpbuf, country->data, country->len);
+	tmpbuf += ( country->len );
+	first = PR_FALSE;
+	SECITEM_FreeItem(country, PR_TRUE);
+    }
+    if ( !first ) {
+	PORT_Memcpy(tmpbuf, BREAK, BREAKLEN);
+	tmpbuf += BREAKLEN;
+    }
+
+    *tmpbuf = 0;
+
+    return(buf);
+}
+
+static char *sec_FortezzaClearance(SECItem *clearance) {
+    unsigned char clr = 0;
+
+    if (clearance->len > 0) { clr = clearance->data[0]; }
+
+    if (clr & 0x4) return "Top Secret";
+    if (clr & 0x8) return "Secret";
+    if (clr & 0x10) return "Confidential";
+    if (clr & 0x20) return "Sensitive";
+    if (clr & 0x40) return "Unclassified";
+    return "None";
+}
+
+static char *sec_FortezzaMessagePrivilege(SECItem *priv) {
+    unsigned char clr = 0;
+
+    if (priv->len > 0) { clr = (priv->data[0]) & 0x78; }
+
+    if (clr == 0x00) {
+	return "None";
+    } else {
+
+	return PR_smprintf("%s%s%s%s%s%s%s",
+
+	    clr&0x40?"Critical/Flash":"",
+	    (clr&0x40) && (clr&0x38) ? ", " : "" ,
+
+	    clr&0x20?"Immediate/Priority":"",
+	    (clr&0x20) && (clr&0x18) ? ", " : "" ,
+
+	    clr&0x10?"Routine/Deferred":"",
+	    (clr&0x10) && (clr&0x08) ? ", " : "" ,
+
+	    clr&0x08?"Rekey Agent":"");
+    }
+
+}
+					
+static char *sec_FortezzaCertPrivilege(SECItem *priv) {
+    unsigned char clr = 0;
+
+    if (priv->len > 0) { clr = priv->data[0]; }
+
+    return PR_smprintf("%s%s%s%s%s%s%s%s%s%s%s%s",
+	clr&0x40?"Organizational Releaser":"",
+	(clr&0x40) && (clr&0x3e) ? "," : "" ,
+	clr&0x20?"Policy Creation Authority":"",
+	(clr&0x20) && (clr&0x1e) ? "," : "" ,
+	clr&0x10?"Certificate Authority":"",
+	(clr&0x10) && (clr&0x0e) ? "," : "" ,
+	clr&0x08?"Local Managment Authority":"",
+	(clr&0x08) && (clr&0x06) ? "," : "" ,
+	clr&0x04?"Configuration Vector Authority":"",
+	(clr&0x04) && (clr&0x02) ? "," : "" ,
+	clr&0x02?"No Signature Capability":"",
+	clr&0x7e?"":"Signing Only"
+    );
+}
+
+static char *htmlcertstrings[] = {
+    "<table border=0 cellspacing=0 cellpadding=0><tr><td valign=top>"
+    "<font size=2><b>This Certificate belongs to:</b><br>"
+    "<table border=0 cellspacing=0 cellpadding=0><tr><td>",
+    0, /* image goes here */
+    0,
+    0,
+    "</td><td width=10> </td><td><font size=2>",
+    0, /* subject name goes here */
+    "</td></tr></table></font></td><td width=20> </td><td valign=top>"
+    "<font size=2><b>This Certificate was issued by:</b><br>"
+    "<table border=0 cellspacing=0 cellpadding=0><tr><td>",
+    0, /* image goes here */
+    0,
+    0,
+    "</td><td width=10> </td><td><font size=2>",
+    0, /* issuer name goes here */
+    "</td></tr></table></font></td></tr></table>"
+    "<b>Serial Number:</b> ",
+    0,
+    "<br><b>This Certificate is valid from ",
+    0, /* notBefore goes here */
+    " to ",
+    0, /* notAfter does here */
+    "</b><br><b>Clearance:</b>",
+    0,
+    "<br><b>DSS Privileges:</b>",
+    0,
+    "<br><b>KEA Privileges:</b>",
+    0,
+    "<br><b>KMID:</b>",
+    0,
+    "<br><b>Certificate Fingerprint:</b>"
+    "<table border=0 cellspacing=0 cellpadding=0><tr>"
+    "<td width=10> </td><td><font size=2>",
+    0, /* fingerprint goes here */
+    "</td></tr></table>",
+    0, /* comment header goes here */
+    0, /* comment goes here */
+    0, /* comment trailer goes here */
+    0
+};
+
+char *
+CERT_HTMLCertInfo(CERTCertificate *cert, PRBool showImages, PRBool showIssuer)
+{
+    SECStatus rv;
+    char *issuer, *subject, *serialNumber, *version;
+    char *notBefore, *notAfter;
+    char *ret;
+    char *nickname;
+    SECItem dummyitem;
+    unsigned char fingerprint[16];   /* result of MD5, always 16 bytes */
+    char *fpstr;
+    SECItem fpitem;
+    char *commentstring = NULL;
+    SECKEYPublicKey *pubk;
+    char *DSSPriv;
+    char *KMID = NULL;
+    char *servername;
+    
+    if (!cert) {
+	return(0);
+    }
+
+    issuer = CERT_FormatName (&cert->issuer);
+    subject = CERT_FormatName (&cert->subject);
+    version = CERT_Hexify (&cert->version,1);
+    serialNumber = CERT_Hexify (&cert->serialNumber,1);
+    notBefore = DER_UTCDayToAscii(&cert->validity.notBefore);
+    notAfter = DER_UTCDayToAscii(&cert->validity.notAfter);
+    servername = CERT_FindNSStringExtension(cert,
+				   SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME);
+
+    nickname = cert->nickname;
+    if ( nickname == NULL ) {
+	showImages = PR_FALSE;
+    }
+
+    dummyitem.data = NULL;
+    rv = CERT_FindCertExtension(cert, SEC_OID_NS_CERT_EXT_SUBJECT_LOGO,
+			       &dummyitem);
+    if ( dummyitem.data ) {
+	PORT_Free(dummyitem.data);
+    }
+    
+    if ( rv || !showImages ) {
+	htmlcertstrings[1] = "";
+	htmlcertstrings[2] = "";
+	htmlcertstrings[3] = "";
+    } else {
+	htmlcertstrings[1] = "<img src=\"about:security?subject-logo=";
+	htmlcertstrings[2] = nickname;
+	htmlcertstrings[3] = "\">";
+    }
+
+    if ( servername ) {
+	char *tmpstr;
+	tmpstr = (char *)PORT_Alloc(PORT_Strlen(subject) +
+				    PORT_Strlen(servername) +
+				    sizeof("<br>") + 1);
+	if ( tmpstr ) {
+	    PORT_Strcpy(tmpstr, servername);
+	    PORT_Strcat(tmpstr, "<br>");
+	    PORT_Strcat(tmpstr, subject);
+	    PORT_Free(subject);
+	    subject = tmpstr;
+	}
+    }
+    
+    htmlcertstrings[5] = subject;
+
+    dummyitem.data = NULL;
+    
+    rv = CERT_FindCertExtension(cert, SEC_OID_NS_CERT_EXT_ISSUER_LOGO,
+			       &dummyitem);
+    if ( dummyitem.data ) {
+	PORT_Free(dummyitem.data);
+    }
+    
+    if ( rv || !showImages ) {
+	htmlcertstrings[7] = "";
+	htmlcertstrings[8] = "";
+	htmlcertstrings[9] = "";
+    } else {
+	htmlcertstrings[7] = "<img src=\"about:security?issuer-logo=";
+	htmlcertstrings[8] = nickname;
+	htmlcertstrings[9] = "\">";
+    }
+
+    
+    if (showIssuer == PR_TRUE) {
+        htmlcertstrings[11] = issuer;
+    } else {
+	htmlcertstrings[11] = "";
+    }
+
+    htmlcertstrings[13] = serialNumber;
+    htmlcertstrings[15] = notBefore;
+    htmlcertstrings[17] = notAfter;
+
+    pubk = CERT_ExtractPublicKey(cert);
+    DSSPriv = NULL;
+    if (pubk && (pubk->keyType == fortezzaKey)) {
+	htmlcertstrings[18] = "</b><br><b>Clearance:</b>";
+	htmlcertstrings[19] = sec_FortezzaClearance(
+					&pubk->u.fortezza.clearance);
+	htmlcertstrings[20] = "<br><b>DSS Privileges:</b>";
+	DSSPriv = sec_FortezzaCertPrivilege(
+					&pubk->u.fortezza.DSSpriviledge);
+	htmlcertstrings[21] = DSSPriv;
+	htmlcertstrings[22] = "<br><b>KEA Privileges:</b>";
+	htmlcertstrings[23] = sec_FortezzaMessagePrivilege(
+					&pubk->u.fortezza.KEApriviledge);
+	htmlcertstrings[24] = "<br><b>KMID:</b>";
+	dummyitem.data = &pubk->u.fortezza.KMID[0];
+	dummyitem.len = sizeof(pubk->u.fortezza.KMID);
+	KMID = CERT_Hexify (&dummyitem,0);
+	htmlcertstrings[25] = KMID;
+    } else {
+	/* clear out the headers in the non-fortezza cases */
+	htmlcertstrings[18] = "";
+	htmlcertstrings[19] = "";
+	htmlcertstrings[20] = "";
+	htmlcertstrings[21] = "";
+	htmlcertstrings[22] = "";
+	htmlcertstrings[23] = "";
+	htmlcertstrings[24] = "";
+	htmlcertstrings[25] = "</b>";
+    }
+
+    if (pubk) {
+      SECKEY_DestroyPublicKey(pubk);
+    }
+
+#define HTML_OFF 27
+    rv = PK11_HashBuf(SEC_OID_MD5, fingerprint, 
+    	              cert->derCert.data, cert->derCert.len);
+    
+    fpitem.data = fingerprint;
+    fpitem.len = sizeof(fingerprint);
+
+    fpstr = CERT_Hexify (&fpitem,1);
+    
+    htmlcertstrings[HTML_OFF] = fpstr;
+
+    commentstring = CERT_GetCertCommentString(cert);
+
+    if (commentstring == NULL) {
+	htmlcertstrings[HTML_OFF+2] = "";
+	htmlcertstrings[HTML_OFF+3] = "";
+	htmlcertstrings[HTML_OFF+4] = "";
+    } else {
+	htmlcertstrings[HTML_OFF+2] =
+	    "<b>Comment:</b>"
+	    "<table border=0 cellspacing=0 cellpadding=0><tr>"
+	    "<td width=10> </td><td><font size=3>"
+	    "<textarea name=foobar rows=4 cols=55 onfocus=\"this.blur()\">";
+	htmlcertstrings[HTML_OFF+3] = commentstring;
+	htmlcertstrings[HTML_OFF+4] = "</textarea></font></td></tr></table>";
+    }
+    
+    ret = gatherStrings(htmlcertstrings);
+    
+    if ( issuer ) {
+	PORT_Free(issuer);
+    }
+    
+    if ( subject ) {
+	PORT_Free(subject);
+    }
+    
+    if ( version ) {
+	PORT_Free(version);
+    }
+    
+    if ( serialNumber ) {
+	PORT_Free(serialNumber);
+    }
+    
+    if ( notBefore ) {
+	PORT_Free(notBefore);
+    }
+    
+    if ( notAfter ) {
+	PORT_Free(notAfter);
+    }
+    
+    if ( fpstr ) {
+	PORT_Free(fpstr);
+    }
+    if (DSSPriv) {
+	PORT_Free(DSSPriv);
+    }
+
+    if (KMID) {
+	PORT_Free(KMID);
+    }
+
+    if ( commentstring ) {
+	PORT_Free(commentstring);
+    }
+    
+    if ( servername ) {
+	PORT_Free(servername);
+    }
+    
+    return(ret);
+}
+
diff --git a/security/nss/lib/certhigh/certreq.c b/security/nss/lib/certhigh/certreq.c
new file mode 100644
index 000000000..1588c1896
--- /dev/null
+++ b/security/nss/lib/certhigh/certreq.c
@@ -0,0 +1,230 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "cert.h"
+#include "secder.h"
+#include "key.h"
+#include "secitem.h"
+#include "secasn1.h"
+
+const SEC_ASN1Template CERT_AttributeTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(CERTAttribute) },
+    { SEC_ASN1_OBJECT_ID, offsetof(CERTAttribute, attrType) },
+    { SEC_ASN1_SET_OF, offsetof(CERTAttribute, attrValue),
+	SEC_AnyTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template CERT_SetOfAttributeTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, CERT_AttributeTemplate },
+};
+
+const SEC_ASN1Template CERT_CertificateRequestTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTCertificateRequest) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(CERTCertificateRequest,version) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCertificateRequest,subject),
+	  CERT_NameTemplate },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTCertificateRequest,subjectPublicKeyInfo),
+	  CERT_SubjectPublicKeyInfoTemplate },
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  offsetof(CERTCertificateRequest,attributes), 
+	  CERT_SetOfAttributeTemplate },
+    { 0 }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_CertificateRequestTemplate)
+
+CERTCertificate *
+CERT_CreateCertificate(unsigned long serialNumber,
+		      CERTName *issuer,
+		      CERTValidity *validity,
+		      CERTCertificateRequest *req)
+{
+    CERTCertificate *c;
+    int rv;
+    PRArenaPool *arena;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( !arena ) {
+	return(0);
+    }
+
+    c = (CERTCertificate *)PORT_ArenaZAlloc(arena, sizeof(CERTCertificate));
+    
+    if (c) {
+	c->referenceCount = 1;
+	c->arena = arena;
+
+	/*
+	 * Default is a plain version 1.
+	 * If extensions are added, it will get changed as appropriate.
+	 */
+	rv = DER_SetUInteger(arena, &c->version, SEC_CERTIFICATE_VERSION_1);
+	if (rv) goto loser;
+
+	rv = DER_SetUInteger(arena, &c->serialNumber, serialNumber);
+	if (rv) goto loser;
+
+	rv = CERT_CopyName(arena, &c->issuer, issuer);
+	if (rv) goto loser;
+
+	rv = CERT_CopyValidity(arena, &c->validity, validity);
+	if (rv) goto loser;
+
+	rv = CERT_CopyName(arena, &c->subject, &req->subject);
+	if (rv) goto loser;
+	rv = SECKEY_CopySubjectPublicKeyInfo(arena, &c->subjectPublicKeyInfo,
+					  &req->subjectPublicKeyInfo);
+	if (rv) goto loser;
+    }
+    return c;
+
+  loser:
+    CERT_DestroyCertificate(c);
+    return 0;
+}
+
+/************************************************************************/
+
+CERTCertificateRequest *
+CERT_CreateCertificateRequest(CERTName *subject,
+			     CERTSubjectPublicKeyInfo *spki,
+			     SECItem **attributes)
+{
+    CERTCertificateRequest *certreq;
+    PRArenaPool *arena;
+    SECStatus rv;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	return NULL;
+    }
+    
+    certreq = (CERTCertificateRequest *)
+			PORT_ArenaZAlloc(arena, sizeof(CERTCertificateRequest));
+
+    if (certreq != NULL) {
+	certreq->arena = arena;
+	
+	rv = DER_SetUInteger(arena, &certreq->version,
+			     SEC_CERTIFICATE_REQUEST_VERSION);
+	if (rv != SECSuccess)
+	    goto loser;
+
+	rv = CERT_CopyName(arena, &certreq->subject, subject);
+	if (rv != SECSuccess)
+	    goto loser;
+
+	rv = SECKEY_CopySubjectPublicKeyInfo(arena,
+					  &certreq->subjectPublicKeyInfo,
+					  spki);
+	if (rv != SECSuccess)
+	    goto loser;
+
+	/* Copy over attribute information */
+	if (attributes) {
+	    int i = 0;
+
+	    /* allocate space for attributes */
+	    while(attributes[i] != NULL) i++;
+	    certreq->attributes = (SECItem**)PORT_ArenaZAlloc(arena, 
+						   	      sizeof(SECItem *) * (i + 1));
+	    if(!certreq->attributes) {
+		goto loser;
+	    }
+
+	    /* copy attributes */
+	    i = 0;
+	    while(attributes[i]) {
+		/*
+		** Attributes are a SetOf Attribute which implies
+		** lexigraphical ordering.  It is assumes that the
+		** attributes are passed in sorted.  If we need to
+		** add functionality to sort them, there is an
+		** example in the PKCS 7 code.
+		*/
+		certreq->attributes[i] = (SECItem*)PORT_ArenaZAlloc(arena, 
+							  	    sizeof(SECItem));
+		if(!certreq->attributes[i]) {
+		    goto loser;
+		};
+		rv = SECITEM_CopyItem(arena, certreq->attributes[i], 
+				      attributes[i]);
+		if (rv != SECSuccess) {
+		    goto loser;
+		}
+		i++;
+	    }
+	    certreq->attributes[i] = NULL;
+	} else {
+	    /*
+	     ** Invent empty attribute information. According to the
+	     ** pkcs#10 spec, attributes has this ASN.1 type:
+	     **
+	     ** attributes [0] IMPLICIT Attributes
+	     ** 
+	     ** Which means, we should create a NULL terminated list
+	     ** with the first entry being NULL;
+	     */
+	    certreq->attributes = (SECItem**)PORT_ArenaZAlloc(arena, sizeof(SECItem *));
+	    if(!certreq->attributes) {
+		goto loser;
+	    }
+	    certreq->attributes[0] = NULL;
+	} 
+    } else {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+
+    return certreq;
+
+loser:
+    CERT_DestroyCertificateRequest(certreq);
+    return NULL;
+}
+
+void
+CERT_DestroyCertificateRequest(CERTCertificateRequest *req)
+{
+    if (req && req->arena) {
+	PORT_FreeArena(req->arena, PR_FALSE);
+    }
+    return;
+}
+
diff --git a/security/nss/lib/certhigh/certvfy.c b/security/nss/lib/certhigh/certvfy.c
new file mode 100644
index 000000000..1ae7237de
--- /dev/null
+++ b/security/nss/lib/certhigh/certvfy.c
@@ -0,0 +1,1630 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#include "nspr.h"
+#include "secerr.h"
+#include "secport.h"
+#include "seccomon.h"
+#include "secoid.h"
+#include "sslerr.h"
+#include "genname.h"
+#include "keyhi.h"
+#include "cert.h"
+#include "certdb.h"
+#include "cryptohi.h"
+
+#ifndef NSS_3_4_CODE
+#define NSS_3_4_CODE
+#endif /* NSS_3_4_CODE */
+#include "nsspki.h"
+#include "pkitm.h"
+#include "pkim.h"
+#include "pki3hack.h"
+#include "base.h"
+
+#define PENDING_SLOP (24L*60L*60L)
+
+/*
+ * WARNING - this function is depricated, and will go away in the near future.
+ *	It has been superseded by CERT_CheckCertValidTimes().
+ *
+ * Check the validity times of a certificate
+ */
+SECStatus
+CERT_CertTimesValid(CERTCertificate *c)
+{
+    int64 now, notBefore, notAfter, pendingSlop;
+    SECStatus rv;
+    
+    /* if cert is already marked OK, then don't bother to check */
+    if ( c->timeOK ) {
+	return(SECSuccess);
+    }
+    
+    /* get current UTC time */
+    now = PR_Now();
+    rv = CERT_GetCertTimes(c, &notBefore, &notAfter);
+    
+    if (rv) {
+	return(SECFailure);
+    }
+    
+    LL_I2L(pendingSlop, PENDING_SLOP);
+    LL_SUB(notBefore, notBefore, pendingSlop);
+
+    if (LL_CMP(now, <, notBefore) || LL_CMP(now, >, notAfter)) {
+	PORT_SetError(SEC_ERROR_EXPIRED_CERTIFICATE);
+	return(SECFailure);
+    }
+
+    return(SECSuccess);
+}
+
+/*
+ * verify the signature of a signed data object with the given certificate
+ */
+SECStatus
+CERT_VerifySignedData(CERTSignedData *sd, CERTCertificate *cert,
+		      int64 t, void *wincx)
+{
+    SECItem sig;
+    SECKEYPublicKey *pubKey = 0;
+    SECStatus rv;
+    SECCertTimeValidity validity;
+    SECOidTag algid;
+
+    /* check the certificate's validity */
+    validity = CERT_CheckCertValidTimes(cert, t, PR_FALSE);
+    if ( validity != secCertTimeValid ) {
+	return(SECFailure);
+    }
+
+    /* get cert's public key */
+    pubKey = CERT_ExtractPublicKey(cert);
+    if ( !pubKey ) {
+	return(SECFailure);
+    }
+    
+    /* check the signature */
+    sig = sd->signature;
+    DER_ConvertBitString(&sig);
+
+    algid = SECOID_GetAlgorithmTag(&sd->signatureAlgorithm);
+    rv = VFY_VerifyData(sd->data.data, sd->data.len, pubKey, &sig,
+			algid, wincx);
+
+    SECKEY_DestroyPublicKey(pubKey);
+
+    if ( rv ) {
+	return(SECFailure);
+    }
+
+    return(SECSuccess);
+}
+
+
+/*
+ * This must only be called on a cert that is known to have an issuer
+ * with an invalid time
+ */
+CERTCertificate *
+CERT_FindExpiredIssuer(CERTCertDBHandle *handle, CERTCertificate *cert)
+{
+    CERTCertificate *issuerCert = NULL;
+    CERTCertificate *subjectCert;
+    int              count;
+    SECStatus        rv;
+    SECComparison    rvCompare;
+    
+    subjectCert = CERT_DupCertificate(cert);
+    if ( subjectCert == NULL ) {
+	goto loser;
+    }
+    
+    for ( count = 0; count < CERT_MAX_CERT_CHAIN; count++ ) {
+	/* find the certificate of the issuer */
+	issuerCert = CERT_FindCertByName(handle, &subjectCert->derIssuer);
+    
+	if ( ! issuerCert ) {
+	    goto loser;
+	}
+
+	rv = CERT_CertTimesValid(issuerCert);
+	if ( rv == SECFailure ) {
+	    /* this is the invalid issuer */
+	    CERT_DestroyCertificate(subjectCert);
+	    return(issuerCert);
+	}
+
+	/* make sure that the issuer is not self signed.  If it is, then
+	 * stop here to prevent looping.
+	 */
+	rvCompare = SECITEM_CompareItem(&issuerCert->derSubject,
+				 &issuerCert->derIssuer);
+	if (rvCompare == SECEqual) {
+	    PORT_Assert(0);		/* No expired issuer! */
+	    goto loser;
+	}
+	CERT_DestroyCertificate(subjectCert);
+	subjectCert = issuerCert;
+    }
+
+loser:
+    if ( issuerCert ) {
+	CERT_DestroyCertificate(issuerCert);
+    }
+    
+    if ( subjectCert ) {
+	CERT_DestroyCertificate(subjectCert);
+    }
+    
+    return(NULL);
+}
+
+/* Software FORTEZZA installation hack. The software fortezza installer does
+ * not have access to the krl and cert.db file. Accept FORTEZZA Certs without
+ * KRL's in this case. 
+ */
+static int dont_use_krl = 0;
+/* not a public exposed function... */
+void sec_SetCheckKRLState(int value) { dont_use_krl = value; }
+
+SECStatus
+SEC_CheckKRL(CERTCertDBHandle *handle,SECKEYPublicKey *key,
+	     CERTCertificate *rootCert, int64 t, void * wincx)
+{
+    CERTSignedCrl *crl = NULL;
+    SECStatus rv = SECFailure;
+    SECStatus rv2;
+    CERTCrlEntry **crlEntry;
+    SECCertTimeValidity validity;
+    CERTCertificate *issuerCert = NULL;
+
+    if (dont_use_krl) return SECSuccess;
+
+    /* first look up the KRL */
+    crl = SEC_FindCrlByName(handle,&rootCert->derSubject, SEC_KRL_TYPE);
+    if (crl == NULL) {
+	PORT_SetError(SEC_ERROR_NO_KRL);
+	goto done;
+    }
+
+    /* get the issuing certificate */
+    issuerCert = CERT_FindCertByName(handle, &crl->crl.derName);
+    if (issuerCert == NULL) {
+        PORT_SetError(SEC_ERROR_KRL_BAD_SIGNATURE);
+        goto done;
+    }
+
+
+    /* now verify the KRL signature */
+    rv2 = CERT_VerifySignedData(&crl->signatureWrap, issuerCert, t, wincx);
+    if (rv2 != SECSuccess) {
+	PORT_SetError(SEC_ERROR_KRL_BAD_SIGNATURE);
+    	goto done;
+    }
+
+    /* Verify the date validity of the KRL */
+    validity = SEC_CheckCrlTimes(&crl->crl, t);
+    if (validity == secCertTimeExpired) {
+	PORT_SetError(SEC_ERROR_KRL_EXPIRED);
+	goto done;
+    }
+
+    /* now make sure the key in this cert is still valid */
+    if (key->keyType != fortezzaKey) {
+	PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
+	goto done; /* This should be an assert? */
+    }
+
+    /* now make sure the key is not on the revocation list */
+    for (crlEntry = crl->crl.entries; crlEntry && *crlEntry; crlEntry++) {
+	if (PORT_Memcmp((*crlEntry)->serialNumber.data,
+				key->u.fortezza.KMID,
+				    (*crlEntry)->serialNumber.len) == 0) {
+	    PORT_SetError(SEC_ERROR_REVOKED_KEY);
+	    goto done;
+	}
+    }
+    rv = SECSuccess;
+
+done:
+    if (issuerCert) CERT_DestroyCertificate(issuerCert);
+    if (crl) SEC_DestroyCrl(crl);
+    return rv;
+}
+
+SECStatus
+SEC_CheckCRL(CERTCertDBHandle *handle,CERTCertificate *cert,
+	     CERTCertificate *caCert, int64 t, void * wincx)
+{
+    CERTSignedCrl *crl = NULL;
+    SECStatus rv = SECSuccess;
+    CERTCrlEntry **crlEntry;
+
+    /* first look up the CRL */
+    crl = SEC_FindCrlByName(handle,&caCert->derSubject, SEC_CRL_TYPE);
+    if (crl == NULL) {
+	/* XXX for now no CRL is ok */
+	goto done;
+    }
+
+    /* now verify the CRL signature */
+    rv = CERT_VerifySignedData(&crl->signatureWrap, caCert, t, wincx);
+    if (rv != SECSuccess) {
+	PORT_SetError(SEC_ERROR_CRL_BAD_SIGNATURE);
+        rv = SECWouldBlock; /* Soft error, ask the user */
+    	goto done;
+    }
+
+    /* now make sure the key is not on the revocation list */
+    for (crlEntry = crl->crl.entries; crlEntry && *crlEntry; crlEntry++) {
+	if (SECITEM_CompareItem(&(*crlEntry)->serialNumber,&cert->serialNumber) == SECEqual) {
+	    PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
+	    rv = SECFailure; /* cert is revoked */
+	    goto done;
+	}
+    }
+
+done:
+    if (crl) SEC_DestroyCrl(crl);
+    return rv;
+}
+
+/*
+ * Find the issuer of a cert.  Use the authorityKeyID if it exists.
+ */
+CERTCertificate *
+CERT_FindCertIssuer(CERTCertificate *cert, int64 validTime, SECCertUsage usage)
+{
+#ifdef NSS_CLASSIC
+    CERTAuthKeyID *   authorityKeyID = NULL;  
+    CERTCertificate * issuerCert     = NULL;
+    SECItem *         caName;
+    PRArenaPool       *tmpArena = NULL;
+
+    tmpArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( !tmpArena ) {
+	goto loser;
+    }
+    authorityKeyID = CERT_FindAuthKeyIDExten(tmpArena,cert);
+
+    if ( authorityKeyID != NULL ) {
+	/* has the authority key ID extension */
+	if ( authorityKeyID->keyID.data != NULL ) {
+	    /* extension contains a key ID, so lookup based on it */
+	    issuerCert = CERT_FindCertByKeyID(cert->dbhandle, &cert->derIssuer,
+					      &authorityKeyID->keyID);
+	    if ( issuerCert == NULL ) {
+		PORT_SetError (SEC_ERROR_UNKNOWN_ISSUER);
+		goto loser;
+	    }
+	    
+	} else if ( authorityKeyID->authCertIssuer != NULL ) {
+	    /* no key ID, so try issuer and serial number */
+	    caName = (SECItem*)CERT_GetGeneralNameByType(authorityKeyID->authCertIssuer,
+					       		 certDirectoryName, PR_TRUE);
+
+	    /*
+	     * caName is NULL when the authCertIssuer field is not
+	     * being used, or other name form is used instead.
+	     * If the directoryName format and serialNumber fields are
+	     * used, we use them to find the CA cert.
+	     * Note:
+	     *	By the time it gets here, we known for sure that if the
+	     *	authCertIssuer exists, then the authCertSerialNumber
+	     *	must also exists (CERT_DecodeAuthKeyID() ensures this).
+	     *	We don't need to check again. 
+	     */
+
+	    if (caName != NULL) {
+		CERTIssuerAndSN issuerSN;
+
+		issuerSN.derIssuer.data = caName->data;
+		issuerSN.derIssuer.len = caName->len;
+		issuerSN.serialNumber.data = 
+			authorityKeyID->authCertSerialNumber.data;
+		issuerSN.serialNumber.len = 
+			authorityKeyID->authCertSerialNumber.len;
+		issuerCert = CERT_FindCertByIssuerAndSN(cert->dbhandle,
+								&issuerSN);
+		if ( issuerCert == NULL ) {
+		    PORT_SetError (SEC_ERROR_UNKNOWN_ISSUER);
+		    goto loser;
+		}
+	    }
+	}
+    }
+    if ( issuerCert == NULL ) {
+	/* if there is not authorityKeyID, then try to find the issuer */
+	/* find a valid CA cert with correct usage */
+	issuerCert = CERT_FindMatchingCert(cert->dbhandle,
+					   &cert->derIssuer,
+					   certOwnerCA, usage, PR_TRUE,
+					   validTime, PR_TRUE);
+
+	/* if that fails, then fall back to grabbing any cert with right name*/
+	if ( issuerCert == NULL ) {
+	    issuerCert = CERT_FindCertByName(cert->dbhandle, &cert->derIssuer);
+	    if ( issuerCert == NULL ) {
+		PORT_SetError (SEC_ERROR_UNKNOWN_ISSUER);
+	    }
+	}
+    }
+
+loser:
+    if (tmpArena != NULL) {
+	PORT_FreeArena(tmpArena, PR_FALSE);
+	tmpArena = NULL;
+    }
+
+    return(issuerCert);
+#else
+    NSSCertificate *me;
+    NSSTime *nssTime;
+    NSSUsage nssUsage;
+    NSSCertificate *chain[3];
+    PRStatus status;
+    me = STAN_GetNSSCertificate(cert);
+    nssTime = NSSTime_SetPRTime(NULL, validTime);
+    nssUsage.anyUsage = PR_FALSE;
+    nssUsage.nss3usage = usage;
+    nssUsage.nss3lookingForCA = PR_TRUE;
+    memset(chain, 0, 3*sizeof(NSSCertificate *));
+    if (!me) {
+	PORT_SetError (SEC_ERROR_BAD_DATABASE);
+	return NULL;
+    }
+    (void)NSSCertificate_BuildChain(me, nssTime, &nssUsage, NULL, 
+                                    chain, 2, NULL, &status);
+    nss_ZFreeIf(nssTime);
+    if (status == PR_SUCCESS) {
+	/* if it's a root, the chain will only have one cert */
+	if (!chain[1]) {
+	    /* already has a reference from the call to BuildChain */
+	    return cert;
+	} else {
+	    CERT_DestroyCertificate(cert); /* the first cert in the chain */
+	    return STAN_GetCERTCertificate(chain[1]); /* return the 2nd */
+	}
+    } else {
+	PORT_SetError (SEC_ERROR_UNKNOWN_ISSUER);
+    }
+    return NULL;
+#endif
+}
+
+/*
+ * return required trust flags for various cert usages for CAs
+ */
+SECStatus
+CERT_TrustFlagsForCACertUsage(SECCertUsage usage,
+			      unsigned int *retFlags,
+			      SECTrustType *retTrustType)
+{
+    unsigned int requiredFlags;
+    SECTrustType trustType;
+
+    switch ( usage ) {
+      case certUsageSSLClient:
+	requiredFlags = CERTDB_TRUSTED_CLIENT_CA;
+	trustType = trustSSL;
+        break;
+      case certUsageSSLServer:
+      case certUsageSSLCA:
+	requiredFlags = CERTDB_TRUSTED_CA;
+	trustType = trustSSL;
+        break;
+      case certUsageSSLServerWithStepUp:
+	requiredFlags = CERTDB_TRUSTED_CA | CERTDB_GOVT_APPROVED_CA;
+	trustType = trustSSL;
+        break;
+      case certUsageEmailSigner:
+      case certUsageEmailRecipient:
+	requiredFlags = CERTDB_TRUSTED_CA;
+	trustType = trustEmail;
+	break;
+      case certUsageObjectSigner:
+	requiredFlags = CERTDB_TRUSTED_CA;
+	trustType = trustObjectSigning;
+	break;
+      case certUsageVerifyCA:
+      case certUsageAnyCA:
+      case certUsageStatusResponder:
+	requiredFlags = CERTDB_TRUSTED_CA;
+	trustType = trustTypeNone;
+	break;
+      default:
+	PORT_Assert(0);
+	goto loser;
+    }
+    if ( retFlags != NULL ) {
+	*retFlags = requiredFlags;
+    }
+    if ( retTrustType != NULL ) {
+	*retTrustType = trustType;
+    }
+    
+    return(SECSuccess);
+loser:
+    return(SECFailure);
+}
+
+
+
+
+
+static void
+AddToVerifyLog(CERTVerifyLog *log, CERTCertificate *cert, unsigned long error,
+	       unsigned int depth, void *arg)
+{
+    CERTVerifyLogNode *node, *tnode;
+
+    PORT_Assert(log != NULL);
+    
+    node = (CERTVerifyLogNode *)PORT_ArenaAlloc(log->arena,
+						sizeof(CERTVerifyLogNode));
+    if ( node != NULL ) {
+	node->cert = CERT_DupCertificate(cert);
+	node->error = error;
+	node->depth = depth;
+	node->arg = arg;
+	
+	if ( log->tail == NULL ) {
+	    /* empty list */
+	    log->head = log->tail = node;
+	    node->prev = NULL;
+	    node->next = NULL;
+	} else if ( depth >= log->tail->depth ) {
+	    /* add to tail */
+	    node->prev = log->tail;
+	    log->tail->next = node;
+	    log->tail = node;
+	    node->next = NULL;
+	} else if ( depth < log->head->depth ) {
+	    /* add at head */
+	    node->prev = NULL;
+	    node->next = log->head;
+	    log->head->prev = node;
+	    log->head = node;
+	} else {
+	    /* add in middle */
+	    tnode = log->tail;
+	    while ( tnode != NULL ) {
+		if ( depth >= tnode->depth ) {
+		    /* insert after tnode */
+		    node->prev = tnode;
+		    node->next = tnode->next;
+		    tnode->next->prev = node;
+		    tnode->next = node;
+		    break;
+		}
+
+		tnode = tnode->prev;
+	    }
+	}
+
+	log->count++;
+    }
+    return;
+}
+
+#define EXIT_IF_NOT_LOGGING(log) \
+    if ( log == NULL ) { \
+	goto loser; \
+    }
+
+#define LOG_ERROR_OR_EXIT(log,cert,depth,arg) \
+    if ( log != NULL ) { \
+	AddToVerifyLog(log, cert, PORT_GetError(), depth, (void *)arg); \
+    } else { \
+	goto loser; \
+    }
+
+#define LOG_ERROR(log,cert,depth,arg) \
+    if ( log != NULL ) { \
+	AddToVerifyLog(log, cert, PORT_GetError(), depth, (void *)arg); \
+    }
+
+
+
+
+SECStatus
+CERT_VerifyCertChain(CERTCertDBHandle *handle, CERTCertificate *cert,
+		     PRBool checkSig, SECCertUsage certUsage, int64 t,
+		     void *wincx, CERTVerifyLog *log)
+{
+    SECTrustType trustType;
+    CERTBasicConstraints basicConstraint;
+    CERTCertificate *issuerCert = NULL;
+    CERTCertificate *subjectCert = NULL;
+    CERTCertificate *badCert = NULL;
+    PRBool isca;
+    PRBool isFortezzaV1 = PR_FALSE;
+    SECStatus rv;
+    SECComparison rvCompare;
+    SECStatus rvFinal = SECSuccess;
+    int count;
+    int currentPathLen = -1;
+    int flags;
+    unsigned int caCertType;
+    unsigned int requiredCAKeyUsage;
+    unsigned int requiredFlags;
+    PRArenaPool *arena = NULL;
+    CERTGeneralName *namesList = NULL;
+    CERTGeneralName *subjectNameList = NULL;
+    SECItem *namesIndex = NULL;
+    int namesIndexLen = 10;
+    int namesCount = 0;
+
+    enum { cbd_None, cbd_User, cbd_CA } last_type = cbd_None;
+    SECKEYPublicKey *key;
+
+    if (CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_TRUE,
+					 &requiredCAKeyUsage,
+					 &caCertType)
+	!= SECSuccess ) {
+	PORT_Assert(0);
+	EXIT_IF_NOT_LOGGING(log);
+	requiredCAKeyUsage = 0;
+	caCertType = 0;
+    }
+
+    switch ( certUsage ) {
+      case certUsageSSLClient:
+      case certUsageSSLServer:
+      case certUsageSSLCA:
+      case certUsageSSLServerWithStepUp:
+      case certUsageEmailSigner:
+      case certUsageEmailRecipient:
+      case certUsageObjectSigner:
+      case certUsageVerifyCA:
+      case certUsageStatusResponder:
+	if ( CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags,
+					   &trustType) != SECSuccess ) {
+	    PORT_Assert(0);
+	    EXIT_IF_NOT_LOGGING(log);
+	    requiredFlags = 0;
+	    trustType = trustSSL;
+	}
+	break;
+      default:
+	PORT_Assert(0);
+	EXIT_IF_NOT_LOGGING(log);
+	requiredFlags = 0;
+	trustType = trustSSL;/* This used to be 0, but we need something
+			      * that matches the enumeration type.
+			      */
+	caCertType = 0;
+    }
+    
+    subjectCert = CERT_DupCertificate(cert);
+    if ( subjectCert == NULL ) {
+	goto loser;
+    }
+
+    /* determine if the cert is fortezza. Getting the key is an easy
+     * way to determine it, especially since we need to get the privillege
+     * from the key anyway.
+     */
+    key = CERT_ExtractPublicKey(cert);
+
+    if (key != NULL) {
+	isFortezzaV1 = (PRBool)(key->keyType == fortezzaKey);
+
+	/* find out what type of cert we are starting with */
+	if (isFortezzaV1) {
+	    unsigned char priv = 0;;
+
+	    rv = SEC_CheckKRL(handle, key, NULL, t, wincx);
+	    if (rv == SECFailure) {
+		/**** PORT_SetError is already set by SEC_CheckKRL **/
+		SECKEY_DestroyPublicKey(key);
+		/**** Bob - should we log and continue when logging? **/
+		LOG_ERROR(log,subjectCert,0,0);
+		goto loser;
+	    }                
+
+	    if (key->u.fortezza.DSSpriviledge.len > 0) {
+		priv = key->u.fortezza.DSSpriviledge.data[0];
+	    }
+
+	    last_type = (priv & 0x30) ? cbd_CA : cbd_User;
+	}
+		
+	SECKEY_DestroyPublicKey(key);
+    }
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	goto loser;
+    }
+
+    namesIndex = (SECItem *) PORT_ZAlloc(sizeof(SECItem) * namesIndexLen);
+    if (namesIndex == NULL) {
+	goto loser;
+    }
+
+    for ( count = 0; count < CERT_MAX_CERT_CHAIN; count++ ) {
+	int subjectNameListLen;
+	int i;
+
+	/* Construct a list of names for the current and all previous certifcates 
+	   to be verified against the name constraints extension of the issuer
+	   certificate. */
+	subjectNameList = CERT_GetCertificateNames(subjectCert, arena);
+	subjectNameListLen = CERT_GetNamesLength(subjectNameList);
+	for (i = 0; i < subjectNameListLen; i++) {
+	    if (namesIndexLen <= namesCount + i) {
+		namesIndexLen = namesIndexLen * 2;
+		namesIndex = (SECItem *) PORT_Realloc(namesIndex, namesIndexLen * 
+						       sizeof(SECItem));
+		if (namesIndex == NULL) {
+		    goto loser;
+		}
+	    }
+	    rv = SECITEM_CopyItem(arena, &(namesIndex[namesCount + i]), &(subjectCert->derSubject));
+	}
+	namesCount += subjectNameListLen;
+	namesList = cert_CombineNamesLists(namesList, subjectNameList);
+
+	/* find the certificate of the issuer */
+	issuerCert = CERT_FindCertIssuer(subjectCert, t, certUsage);
+	if ( ! issuerCert ) {
+	    PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
+	    LOG_ERROR(log,subjectCert,count,0);
+	    goto loser;
+	}
+
+	/* verify the signature on the cert */
+	if ( checkSig ) {
+	    rv = CERT_VerifySignedData(&subjectCert->signatureWrap,
+				       issuerCert, t, wincx);
+    
+	    if ( rv != SECSuccess ) {
+		if ( PORT_GetError() == SEC_ERROR_EXPIRED_CERTIFICATE ) {
+		    PORT_SetError(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE);
+		    LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
+		} else {
+		    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+		    LOG_ERROR_OR_EXIT(log,subjectCert,count,0);
+		}
+	    }
+	}
+
+	/*
+	 * XXX - fortezza may need error logging stuff added
+	 */
+	if (isFortezzaV1) {
+	    unsigned char priv = 0;
+
+	    /* read the key */
+	    key = CERT_ExtractPublicKey(issuerCert);
+
+	    /* Cant' get Key? fail. */
+	    if (key == NULL) {
+	    	PORT_SetError(SEC_ERROR_BAD_KEY);
+		LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
+		goto fortezzaDone;
+	    }
+
+
+	    /* if the issuer is not an old fortezza cert, we bail */
+	    if (key->keyType != fortezzaKey) {
+	    	SECKEY_DestroyPublicKey(key);
+		/* CA Cert not fortezza */
+	    	PORT_SetError(SEC_ERROR_NOT_FORTEZZA_ISSUER);
+		LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
+		goto fortezzaDone;
+	    }
+
+	    /* get the privilege mask */
+	    if (key->u.fortezza.DSSpriviledge.len > 0) {
+		priv = key->u.fortezza.DSSpriviledge.data[0];
+	    }
+
+	    /*
+	     * make sure the CA's keys are OK
+	     */
+            
+	    rv = SEC_CheckKRL(handle, key, NULL, t, wincx);
+	    if (rv != SECSuccess) {
+	    	SECKEY_DestroyPublicKey(key);
+		LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
+		goto fortezzaDone;
+		/** fall through looking for more stuff **/
+	    } else {
+	        SECKEY_DestroyPublicKey(key);
+	    }
+
+	    switch (last_type) {
+	      case cbd_User:
+		/* first check for subordination */
+		/*rv = FortezzaSubordinateCheck(cert,issuerCert);*/
+		rv = SECSuccess;
+
+		/* now check for issuer privilege */
+		if ((rv != SECSuccess) || ((priv & 0x10) == 0)) {
+		    /* bail */
+		    PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
+		    LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
+		}
+		break;
+	      case cbd_CA:
+	      case cbd_None:
+		if ((priv & 0x20) == 0) {
+		    /* bail */
+		    PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
+		    LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
+		}
+		break;
+	      default:
+		/* bail */ /* shouldn't ever happen */
+	    	PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
+		LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
+	    }
+
+fortezzaDone:
+	    last_type =  cbd_CA;
+	}
+
+	/* If the basicConstraint extension is included in an immediate CA
+	 * certificate, make sure that the isCA flag is on.  If the
+	 * pathLenConstraint component exists, it must be greater than the
+	 * number of CA certificates we have seen so far.  If the extension
+	 * is omitted, we will assume that this is a CA certificate with
+	 * an unlimited pathLenConstraint (since it already passes the
+	 * netscape-cert-type extension checking).
+	 *
+	 * In the fortezza (V1) case, we've already checked the CA bits
+	 * in the key, so we're presumed to be a CA; however we really don't
+	 * want to bypass Basic constraint or netscape extension parsing.
+         * 
+         * In Fortezza V2, basicConstraint will be set for every CA,PCA,PAA
+	 */
+
+	rv = CERT_FindBasicConstraintExten(issuerCert, &basicConstraint);
+	if ( rv != SECSuccess ) {
+	    if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) {
+		LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
+	    } else {
+		currentPathLen = CERT_UNLIMITED_PATH_CONSTRAINT;
+	    }
+	    /* no basic constraints found, if we're fortezza, CA bit is already
+	     * verified (isca = PR_TRUE). otherwise, we aren't (yet) a ca
+	     * isca = PR_FALSE */
+	    isca = isFortezzaV1;
+	} else  {
+	    if ( basicConstraint.isCA == PR_FALSE ) {
+		PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
+		LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
+	    }
+	    
+	    /* make sure that the path len constraint is properly set.
+	     */
+	    if ( basicConstraint.pathLenConstraint ==
+		CERT_UNLIMITED_PATH_CONSTRAINT ) {
+		currentPathLen = CERT_UNLIMITED_PATH_CONSTRAINT;
+	    } else if ( currentPathLen == CERT_UNLIMITED_PATH_CONSTRAINT ) {
+		/* error if the previous CA's path length constraint is
+		 * unlimited but its CA's path is not.
+		 */
+		PORT_SetError (SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID);
+		LOG_ERROR_OR_EXIT(log,issuerCert,count+1,basicConstraint.pathLenConstraint);
+	    } else if (basicConstraint.pathLenConstraint > currentPathLen) {
+		currentPathLen = basicConstraint.pathLenConstraint;
+	    } else {
+		PORT_SetError (SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID);
+		LOG_ERROR_OR_EXIT(log,issuerCert,count+1,basicConstraint.pathLenConstraint);
+	    }
+
+	    isca = PR_TRUE;
+	}
+	
+	/* XXX - the error logging may need to go down into CRL stuff at some
+	 * point
+	 */
+	/* check revoked list (issuer) */
+	rv = SEC_CheckCRL(handle, subjectCert, issuerCert, t, wincx);
+	if (rv == SECFailure) {
+	    LOG_ERROR_OR_EXIT(log,subjectCert,count,0);
+	} else if (rv == SECWouldBlock) {
+	    /* We found something fishy, so we intend to issue an
+	     * error to the user, but the user may wish to continue
+	     * processing, in which case we better make sure nothing
+	     * worse has happened... so keep cranking the loop */
+	    rvFinal = SECFailure;
+	    LOG_ERROR(log,subjectCert,count,0);
+	}
+
+
+	if ( issuerCert->trust ) {
+	    /*
+	     * check the trust parms of the issuer
+	     */
+	    if ( certUsage == certUsageVerifyCA ) {
+		if ( subjectCert->nsCertType & NS_CERT_TYPE_EMAIL_CA ) {
+		    trustType = trustEmail;
+		} else if ( subjectCert->nsCertType & NS_CERT_TYPE_SSL_CA ) {
+		    trustType = trustSSL;
+		} else {
+		    trustType = trustObjectSigning;
+		}
+	    }
+	    
+	    flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
+	    
+	    if ( (flags & CERTDB_VALID_CA) ||
+		 (certUsage == certUsageStatusResponder)) {
+		if ( ( flags & requiredFlags ) == requiredFlags ||
+		     certUsage == certUsageStatusResponder ) {
+		    /* we found a trusted one, so return */
+		    rv = rvFinal; 
+		    goto done;
+		}
+	    }
+	}
+
+	/*
+	 * Make sure that if this is an intermediate CA in the chain that
+	 * it was given permission by its signer to be a CA.
+	 */
+	if ( isca ) {
+	    /*
+	     * if basicConstraints says it is a ca, then we check the
+	     * nsCertType.  If the nsCertType has any CA bits set, then
+	     * it must have the right one.
+	     */
+	    if ( issuerCert->nsCertType & NS_CERT_TYPE_CA ) {
+		if ( issuerCert->nsCertType & caCertType ) {
+		    isca = PR_TRUE;
+		} else {
+		    isca = PR_FALSE;
+		}
+	    }
+	} else {
+	    if ( issuerCert->nsCertType & caCertType ) {
+		isca = PR_TRUE;
+	    } else {
+		isca = PR_FALSE;
+	    }
+	}
+	
+	if (  !isca  ) {
+	    PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
+	    LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
+	}
+	    
+	/* make sure key usage allows cert signing */
+	if (CERT_CheckKeyUsage(issuerCert, requiredCAKeyUsage) != SECSuccess) {
+	    PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
+	    LOG_ERROR_OR_EXIT(log,issuerCert,count+1,requiredCAKeyUsage);
+	}
+	/* make sure that the entire chain is within the name space of the current issuer
+	 * certificate.
+	 */
+
+	badCert = CERT_CompareNameSpace(issuerCert, namesList, namesIndex, arena, handle);
+	if (badCert != NULL) {
+	    PORT_SetError(SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
+            LOG_ERROR_OR_EXIT(log, badCert, count + 1, 0);
+	    goto loser;
+	}
+	/* make sure that the issuer is not self signed.  If it is, then
+	 * stop here to prevent looping.
+	 */
+	rvCompare = SECITEM_CompareItem(&issuerCert->derSubject,
+				 &issuerCert->derIssuer);
+	if (rvCompare == SECEqual) {
+	    PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
+	    LOG_ERROR(log, issuerCert, count+1, 0);
+	    goto loser;
+	}
+
+	CERT_DestroyCertificate(subjectCert);
+	subjectCert = issuerCert;
+    }
+
+    subjectCert = NULL;
+    PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
+    LOG_ERROR(log,issuerCert,count,0);
+loser:
+    rv = SECFailure;
+done:
+    if (namesIndex != NULL) {
+	PORT_Free(namesIndex);
+    }
+    if ( issuerCert ) {
+	CERT_DestroyCertificate(issuerCert);
+    }
+    
+    if ( subjectCert ) {
+	CERT_DestroyCertificate(subjectCert);
+    }
+
+    if ( arena != NULL ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return rv;
+}
+			
+/*
+ * verify a certificate by checking if its valid and that we
+ * trust the issuer.
+ * Note that this routine does not verify the signature of the certificate.
+ */
+SECStatus
+CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
+		PRBool checkSig, SECCertUsage certUsage, int64 t,
+		void *wincx, CERTVerifyLog *log)
+{
+    SECStatus rv;
+    unsigned int requiredKeyUsage;
+    unsigned int requiredCertType;
+    unsigned int flags;
+    unsigned int certType;
+    PRBool       allowOverride;
+    SECCertTimeValidity validity;
+    CERTStatusConfig *statusConfig;
+   
+#ifdef notdef 
+    /* check if this cert is in the Evil list */
+    rv = CERT_CheckForEvilCert(cert);
+    if ( rv != SECSuccess ) {
+	PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
+	LOG_ERROR_OR_EXIT(log,cert,0,0);
+    }
+#endif
+    
+    /* make sure that the cert is valid at time t */
+    allowOverride = (PRBool)((certUsage == certUsageSSLServer) ||
+                             (certUsage == certUsageSSLServerWithStepUp));
+    validity = CERT_CheckCertValidTimes(cert, t, allowOverride);
+    if ( validity != secCertTimeValid ) {
+	LOG_ERROR_OR_EXIT(log,cert,0,validity);
+    }
+
+    /* check key usage and netscape cert type */
+    CERT_GetCertType(cert);
+    certType = cert->nsCertType;
+    switch ( certUsage ) {
+      case certUsageSSLClient:
+      case certUsageSSLServer:
+      case certUsageSSLServerWithStepUp:
+      case certUsageSSLCA:
+      case certUsageEmailSigner:
+      case certUsageEmailRecipient:
+      case certUsageObjectSigner:
+      case certUsageStatusResponder:
+	rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_FALSE,
+					      &requiredKeyUsage,
+					      &requiredCertType);
+	if ( rv != SECSuccess ) {
+	    PORT_Assert(0);
+	    EXIT_IF_NOT_LOGGING(log);
+	    requiredKeyUsage = 0;
+	    requiredCertType = 0;
+	}
+	break;
+      case certUsageVerifyCA:
+	requiredKeyUsage = KU_KEY_CERT_SIGN;
+	requiredCertType = NS_CERT_TYPE_CA;
+	if ( ! ( certType & NS_CERT_TYPE_CA ) ) {
+	    certType |= NS_CERT_TYPE_CA;
+	}
+	break;
+      default:
+	PORT_Assert(0);
+	EXIT_IF_NOT_LOGGING(log);
+	requiredKeyUsage = 0;
+	requiredCertType = 0;
+    }
+    if ( CERT_CheckKeyUsage(cert, requiredKeyUsage) != SECSuccess ) {
+	PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
+	LOG_ERROR_OR_EXIT(log,cert,0,requiredKeyUsage);
+    }
+    if ( !( certType & requiredCertType ) ) {
+	PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);
+	LOG_ERROR_OR_EXIT(log,cert,0,requiredCertType);
+    }
+
+    /* check trust flags to see if this cert is directly trusted */
+    if ( cert->trust ) { /* the cert is in the DB */
+	switch ( certUsage ) {
+	  case certUsageSSLClient:
+	  case certUsageSSLServer:
+	    flags = cert->trust->sslFlags;
+	    
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
+		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
+		    goto winner;
+		} else { /* don't trust this cert */
+		    PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+		    LOG_ERROR_OR_EXIT(log,cert,0,flags);
+		}
+	    }
+	    break;
+	  case certUsageSSLServerWithStepUp:
+	    /* XXX - step up certs can't be directly trusted */
+	    break;
+	  case certUsageSSLCA:
+	    break;
+	  case certUsageEmailSigner:
+	  case certUsageEmailRecipient:
+	    flags = cert->trust->emailFlags;
+	    
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( ( flags & ( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) ==
+		( CERTDB_VALID_PEER | CERTDB_TRUSTED ) ) {
+		goto winner;
+	    }
+	    break;
+	  case certUsageObjectSigner:
+	    flags = cert->trust->objectSigningFlags;
+
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( flags & CERTDB_VALID_PEER ) {/*the trust record is valid*/
+		if ( flags & CERTDB_TRUSTED ) {	/* trust this cert */
+		    goto winner;
+		} else { /* don't trust this cert */
+		    PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+		    LOG_ERROR_OR_EXIT(log,cert,0,flags);
+		}
+	    }
+	    break;
+	  case certUsageVerifyCA:
+	  case certUsageStatusResponder:
+	    flags = cert->trust->sslFlags;
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
+		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
+		goto winner;
+	    }
+	    flags = cert->trust->emailFlags;
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
+		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
+		goto winner;
+	    }
+	    flags = cert->trust->objectSigningFlags;
+	    /* is the cert directly trusted or not trusted ? */
+	    if ( ( flags & ( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) ==
+		( CERTDB_VALID_CA | CERTDB_TRUSTED_CA ) ) {
+		goto winner;
+	    }
+	    break;
+	  case certUsageAnyCA:
+	  case certUsageProtectedObjectSigner:
+	  case certUsageUserCertImport:
+	    /* XXX to make the compiler happy.  Should these be
+	     * explicitly handled?
+	     */
+	    break;
+	}
+    }
+
+    rv = CERT_VerifyCertChain(handle, cert, checkSig, certUsage,
+			      t, wincx, log);
+    if (rv != SECSuccess) {
+	EXIT_IF_NOT_LOGGING(log);
+    }
+
+    /*
+     * Check revocation status, but only if the cert we are checking
+     * is not a status reponder itself.  We only do this in the case
+     * where we checked the cert chain (above); explicit trust "wins"
+     * (avoids status checking, just as it avoids CRL checking, which
+     * is all done inside VerifyCertChain) by bypassing this code.
+     */
+    statusConfig = CERT_GetStatusConfig(handle);
+    if (certUsage != certUsageStatusResponder && statusConfig != NULL) {
+	if (statusConfig->statusChecker != NULL) {
+	    rv = (* statusConfig->statusChecker)(handle, cert,
+							 t, wincx);
+	    if (rv != SECSuccess) {
+		LOG_ERROR_OR_EXIT(log,cert,0,0);
+	    }
+	}
+    }
+
+winner:
+    return(SECSuccess);
+
+loser:
+    rv = SECFailure;
+    
+    return(rv);
+}
+
+/*
+ * verify a certificate by checking if its valid and that we
+ * trust the issuer.  Verify time against now.
+ */
+SECStatus
+CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert,
+		   PRBool checkSig, SECCertUsage certUsage, void *wincx)
+{
+    return(CERT_VerifyCert(handle, cert, checkSig, 
+		   certUsage, PR_Now(), wincx, NULL));
+}
+
+/* [ FROM pcertdb.c ] */
+/*
+ * Supported usage values and types:
+ *	certUsageSSLClient
+ *	certUsageSSLServer
+ *	certUsageSSLServerWithStepUp
+ *	certUsageEmailSigner
+ *	certUsageEmailRecipient
+ *	certUsageObjectSigner
+ */
+
+CERTCertificate *
+CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName,
+		      CERTCertOwner owner, SECCertUsage usage,
+		      PRBool preferTrusted, int64 validTime, PRBool validOnly)
+{
+    CERTCertList *certList = NULL;
+    CERTCertificate *cert = NULL;
+    unsigned int requiredTrustFlags;
+    SECTrustType requiredTrustType;
+    unsigned int flags;
+    
+    PRBool lookingForCA = PR_FALSE;
+    SECStatus rv;
+    CERTCertListNode *node;
+    CERTCertificate *saveUntrustedCA = NULL;
+    
+    /* if preferTrusted is set, must be a CA cert */
+    PORT_Assert( ! ( preferTrusted && ( owner != certOwnerCA ) ) );
+    
+    if ( owner == certOwnerCA ) {
+	lookingForCA = PR_TRUE;
+	if ( preferTrusted ) {
+	    rv = CERT_TrustFlagsForCACertUsage(usage, &requiredTrustFlags,
+					       &requiredTrustType);
+	    if ( rv != SECSuccess ) {
+		goto loser;
+	    }
+	    requiredTrustFlags |= CERTDB_VALID_CA;
+	}
+    }
+
+    certList = CERT_CreateSubjectCertList(NULL, handle, derName, validTime,
+					  validOnly);
+    if ( certList != NULL ) {
+	rv = CERT_FilterCertListByUsage(certList, usage, lookingForCA);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+	
+	node = CERT_LIST_HEAD(certList);
+	
+	while ( !CERT_LIST_END(node, certList) ) {
+	    cert = node->cert;
+
+	    /* looking for a trusted CA cert */
+	    if ( ( owner == certOwnerCA ) && preferTrusted &&
+		( requiredTrustType != trustTypeNone ) ) {
+
+		if ( cert->trust == NULL ) {
+		    flags = 0;
+		} else {
+		    flags = SEC_GET_TRUST_FLAGS(cert->trust, requiredTrustType);
+		}
+
+		if ( ( flags & requiredTrustFlags ) != requiredTrustFlags ) {
+		    /* cert is not trusted */
+		    /* if this is the first cert to get this far, then save
+		     * it, so we can use it if we can't find a trusted one
+		     */
+		    if ( saveUntrustedCA == NULL ) {
+			saveUntrustedCA = cert;
+		    }
+		    goto endloop;
+		}
+	    }
+	    /* if we got this far, then this cert meets all criteria */
+	    break;
+	    
+endloop:
+	    node = CERT_LIST_NEXT(node);
+	    cert = NULL;
+	}
+
+	/* use the saved one if we have it */
+	if ( cert == NULL ) {
+	    cert = saveUntrustedCA;
+	}
+
+	/* if we found one then bump the ref count before freeing the list */
+	if ( cert != NULL ) {
+	    /* bump the ref count */
+	    cert = CERT_DupCertificate(cert);
+	}
+	
+	CERT_DestroyCertList(certList);
+    }
+
+    return(cert);
+
+loser:
+    if ( certList != NULL ) {
+	CERT_DestroyCertList(certList);
+    }
+
+    return(NULL);
+}
+
+
+/* [ From certdb.c ] */
+/*
+ * Filter a list of certificates, removing those certs that do not have
+ * one of the named CA certs somewhere in their cert chain.
+ *
+ *	"certList" - the list of certificates to filter
+ *	"nCANames" - number of CA names
+ *	"caNames" - array of CA names in string(rfc 1485) form
+ *	"usage" - what use the certs are for, this is used when
+ *		selecting CA certs
+ */
+SECStatus
+CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames,
+			     char **caNames, SECCertUsage usage)
+{
+    CERTCertificate *issuerCert = NULL;
+    CERTCertificate *subjectCert;
+    CERTCertListNode *node, *freenode;
+    CERTCertificate *cert;
+    int n;
+    char **names;
+    PRBool found;
+    int64 time;
+    
+    if ( nCANames <= 0 ) {
+	return(SECSuccess);
+    }
+
+    time = PR_Now();
+    
+    node = CERT_LIST_HEAD(certList);
+    
+    while ( ! CERT_LIST_END(node, certList) ) {
+	cert = node->cert;
+	
+	subjectCert = CERT_DupCertificate(cert);
+
+	/* traverse the CA certs for this cert */
+	found = PR_FALSE;
+	while ( subjectCert != NULL ) {
+	    n = nCANames;
+	    names = caNames;
+	   
+            if (subjectCert->issuerName != NULL) { 
+	        while ( n > 0 ) {
+		    if ( PORT_Strcmp(*names, subjectCert->issuerName) == 0 ) {
+		        found = PR_TRUE;
+		        break;
+		    }
+
+		    n--;
+		    names++;
+                }
+	    }
+
+	    if ( found ) {
+		break;
+	    }
+	    
+	    issuerCert = CERT_FindCertIssuer(subjectCert, time, usage);
+	    if ( issuerCert == subjectCert ) {
+		CERT_DestroyCertificate(issuerCert);
+		issuerCert = NULL;
+		break;
+	    }
+	    CERT_DestroyCertificate(subjectCert);
+	    subjectCert = issuerCert;
+
+	}
+	CERT_DestroyCertificate(subjectCert);
+	if ( !found ) {
+	    /* CA was not found, so remove this cert from the list */
+	    freenode = node;
+	    node = CERT_LIST_NEXT(node);
+	    CERT_RemoveCertListNode(freenode);
+	} else {
+	    /* CA was found, so leave it in the list */
+	    node = CERT_LIST_NEXT(node);
+	}
+    }
+    
+    return(SECSuccess);
+}
+
+/*
+ * Given a certificate, return a string containing the nickname, and possibly
+ * one of the validity strings, based on the current validity state of the
+ * certificate.
+ *
+ * "arena" - arena to allocate returned string from.  If NULL, then heap
+ *	is used.
+ * "cert" - the cert to get nickname from
+ * "expiredString" - the string to append to the nickname if the cert is
+ *		expired.
+ * "notYetGoodString" - the string to append to the nickname if the cert is
+ *		not yet good.
+ */
+char *
+CERT_GetCertNicknameWithValidity(PRArenaPool *arena, CERTCertificate *cert,
+				 char *expiredString, char *notYetGoodString)
+{
+    SECCertTimeValidity validity;
+    char *nickname, *tmpstr;
+    
+    validity = CERT_CheckCertValidTimes(cert, PR_Now(), PR_FALSE);
+
+    /* if the cert is good, then just use the nickname directly */
+    if ( validity == secCertTimeValid ) {
+	if ( arena == NULL ) {
+	    nickname = PORT_Strdup(cert->nickname);
+	} else {
+	    nickname = PORT_ArenaStrdup(arena, cert->nickname);
+	}
+	
+	if ( nickname == NULL ) {
+	    goto loser;
+	}
+    } else {
+	    
+	/* if the cert is not valid, then tack one of the strings on the
+	 * end
+	 */
+	if ( validity == secCertTimeExpired ) {
+	    tmpstr = PR_smprintf("%s%s", cert->nickname,
+				 expiredString);
+	} else {
+	    /* not yet valid */
+	    tmpstr = PR_smprintf("%s%s", cert->nickname,
+				 notYetGoodString);
+	}
+	if ( tmpstr == NULL ) {
+	    goto loser;
+	}
+
+	if ( arena ) {
+	    /* copy the string into the arena and free the malloc'd one */
+	    nickname = PORT_ArenaStrdup(arena, tmpstr);
+	    PORT_Free(tmpstr);
+	} else {
+	    nickname = tmpstr;
+	}
+	if ( nickname == NULL ) {
+	    goto loser;
+	}
+    }    
+    return(nickname);
+
+loser:
+    return(NULL);
+}
+
+/*
+ * Collect the nicknames from all certs in a CertList.  If the cert is not
+ * valid, append a string to that nickname.
+ *
+ * "certList" - the list of certificates
+ * "expiredString" - the string to append to the nickname of any expired cert
+ * "notYetGoodString" - the string to append to the nickname of any cert
+ *		that is not yet valid
+ */
+CERTCertNicknames *
+CERT_NicknameStringsFromCertList(CERTCertList *certList, char *expiredString,
+				 char *notYetGoodString)
+{
+    CERTCertNicknames *names;
+    PRArenaPool *arena;
+    CERTCertListNode *node;
+    char **nn;
+    
+    /* allocate an arena */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	return(NULL);
+    }
+    
+    /* allocate the structure */
+    names = PORT_ArenaAlloc(arena, sizeof(CERTCertNicknames));
+    if ( names == NULL ) {
+	goto loser;
+    }
+
+    /* init the structure */
+    names->arena = arena;
+    names->head = NULL;
+    names->numnicknames = 0;
+    names->nicknames = NULL;
+    names->totallen = 0;
+
+    /* count the certs in the list */
+    node = CERT_LIST_HEAD(certList);
+    while ( ! CERT_LIST_END(node, certList) ) {
+	names->numnicknames++;
+	node = CERT_LIST_NEXT(node);
+    }
+    
+    /* allocate nicknames array */
+    names->nicknames = PORT_ArenaAlloc(arena,
+				       sizeof(char *) * names->numnicknames);
+    if ( names->nicknames == NULL ) {
+	goto loser;
+    }
+
+    /* just in case printf can't deal with null strings */
+    if (expiredString == NULL ) {
+	expiredString = "";
+    }
+
+    if ( notYetGoodString == NULL ) {
+	notYetGoodString = "";
+    }
+    
+    /* traverse the list of certs and collect the nicknames */
+    nn = names->nicknames;
+    node = CERT_LIST_HEAD(certList);
+    while ( ! CERT_LIST_END(node, certList) ) {
+	*nn = CERT_GetCertNicknameWithValidity(arena, node->cert,
+					       expiredString,
+					       notYetGoodString);
+	if ( *nn == NULL ) {
+	    goto loser;
+	}
+
+	names->totallen += PORT_Strlen(*nn);
+	
+	nn++;
+	node = CERT_LIST_NEXT(node);
+    }
+
+    return(names);
+
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return(NULL);
+}
+
+/*
+ * Extract the nickname from a nickmake string that may have either
+ * expiredString or notYetGoodString appended.
+ *
+ * Args:
+ *	"namestring" - the string containing the nickname, and possibly
+ *		one of the validity label strings
+ *	"expiredString" - the expired validity label string
+ *	"notYetGoodString" - the not yet good validity label string
+ *
+ * Returns the raw nickname
+ */
+char *
+CERT_ExtractNicknameString(char *namestring, char *expiredString,
+			   char *notYetGoodString)
+{
+    int explen, nyglen, namelen;
+    int retlen;
+    char *retstr;
+    
+    namelen = PORT_Strlen(namestring);
+    explen = PORT_Strlen(expiredString);
+    nyglen = PORT_Strlen(notYetGoodString);
+    
+    if ( namelen > explen ) {
+	if ( PORT_Strcmp(expiredString, &namestring[namelen-explen]) == 0 ) {
+	    retlen = namelen - explen;
+	    retstr = (char *)PORT_Alloc(retlen+1);
+	    if ( retstr == NULL ) {
+		goto loser;
+	    }
+	    
+	    PORT_Memcpy(retstr, namestring, retlen);
+	    retstr[retlen] = '\0';
+	    goto done;
+	}
+    }
+
+    if ( namelen > nyglen ) {
+	if ( PORT_Strcmp(notYetGoodString, &namestring[namelen-nyglen]) == 0) {
+	    retlen = namelen - nyglen;
+	    retstr = (char *)PORT_Alloc(retlen+1);
+	    if ( retstr == NULL ) {
+		goto loser;
+	    }
+	    
+	    PORT_Memcpy(retstr, namestring, retlen);
+	    retstr[retlen] = '\0';
+	    goto done;
+	}
+    }
+
+    /* if name string is shorter than either invalid string, then it must
+     * be a raw nickname
+     */
+    retstr = PORT_Strdup(namestring);
+    
+done:
+    return(retstr);
+
+loser:
+    return(NULL);
+}
+
+CERTCertList *
+CERT_GetCertChainFromCert(CERTCertificate *cert, int64 time, SECCertUsage usage)
+{
+    CERTCertList *chain = NULL;
+
+    if (NULL == cert) {
+        return NULL;
+    }
+    
+    cert = CERT_DupCertificate(cert);
+    if (NULL == cert) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return NULL;
+    }
+
+    chain = CERT_NewCertList();
+    if (NULL == chain) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return NULL;
+    }
+
+    while (cert != NULL) {
+	if (SECSuccess != CERT_AddCertToListTail(chain, cert)) {
+            /* return partial chain */
+            PORT_SetError(SEC_ERROR_NO_MEMORY);
+            return chain;
+        }
+
+	if (SECITEM_CompareItem(&cert->derIssuer, &cert->derSubject)
+	    == SECEqual) {
+            /* return complete chain */
+	    return chain;
+	}
+
+	cert = CERT_FindCertIssuer(cert, time, usage);
+    }
+
+    /* return partial chain */
+    PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
+    return chain;
+}
diff --git a/security/nss/lib/certhigh/config.mk b/security/nss/lib/certhigh/config.mk
new file mode 100644
index 000000000..0a00dc61e
--- /dev/null
+++ b/security/nss/lib/certhigh/config.mk
@@ -0,0 +1,43 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/certhigh/crlv2.c b/security/nss/lib/certhigh/crlv2.c
new file mode 100644
index 000000000..2600d9878
--- /dev/null
+++ b/security/nss/lib/certhigh/crlv2.c
@@ -0,0 +1,126 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Code for dealing with x.509 v3 crl and crl entries extensions.
+ *
+ * $Id$
+ */
+
+#include "cert.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "secoidt.h"
+#include "secder.h"
+#include "secasn1.h"
+#include "certxutl.h"
+
+SECStatus
+CERT_FindCRLExtensionByOID(CERTCrl *crl, SECItem *oid, SECItem *value)
+{
+    return (cert_FindExtensionByOID (crl->extensions, oid, value));
+}
+    
+
+SECStatus
+CERT_FindCRLExtension(CERTCrl *crl, int tag, SECItem *value)
+{
+    return (cert_FindExtension (crl->extensions, tag, value));
+}
+
+
+/* Callback to set extensions and adjust verison */
+static void
+SetCrlExts(void *object, CERTCertExtension **exts)
+{
+    CERTCrl *crl = (CERTCrl *)object;
+
+    crl->extensions = exts;
+    DER_SetUInteger (crl->arena, &crl->version, SEC_CRL_VERSION_2);
+}
+
+void *
+CERT_StartCRLExtensions(CERTCrl *crl)
+{
+    return (cert_StartExtensions ((void *)crl, crl->arena, SetCrlExts));
+}
+
+
+SECStatus CERT_FindCRLNumberExten (CERTCrl *crl, CERTCrlNumber *value)
+{
+    SECItem encodedExtenValue;
+    SECStatus rv;
+
+    encodedExtenValue.data = NULL;
+    encodedExtenValue.len = 0;
+
+    rv = cert_FindExtension
+	 (crl->extensions, SEC_OID_X509_CRL_NUMBER, &encodedExtenValue);
+    if ( rv != SECSuccess )
+	return (rv);
+
+    rv = SEC_ASN1DecodeItem (NULL, value, SEC_IntegerTemplate,
+			     &encodedExtenValue);
+    PORT_Free (encodedExtenValue.data);
+    return (rv);
+}
+
+SECStatus CERT_FindCRLReasonExten (CERTCrl *crl, SECItem *value)
+{
+    return (CERT_FindBitStringExtension
+	    (crl->extensions, SEC_OID_X509_REASON_CODE, value));    
+}
+
+SECStatus CERT_FindInvalidDateExten (CERTCrl *crl, int64 *value)
+{
+    SECItem encodedExtenValue;
+    SECItem decodedExtenValue = {siBuffer,0};
+    SECStatus rv;
+
+    encodedExtenValue.data = decodedExtenValue.data = NULL;
+    encodedExtenValue.len = decodedExtenValue.len = 0;
+
+    rv = cert_FindExtension
+	 (crl->extensions, SEC_OID_X509_INVALID_DATE, &encodedExtenValue);
+    if ( rv != SECSuccess )
+	return (rv);
+
+    rv = SEC_ASN1DecodeItem (NULL, &decodedExtenValue,
+			     SEC_GeneralizedTimeTemplate, &encodedExtenValue);
+    if (rv != SECSuccess)
+	return (rv);
+    rv = DER_GeneralizedTimeToTime(value, &encodedExtenValue);
+    PORT_Free (decodedExtenValue.data);
+    PORT_Free (encodedExtenValue.data);
+    return (rv);
+}
diff --git a/security/nss/lib/certhigh/manifest.mn b/security/nss/lib/certhigh/manifest.mn
new file mode 100644
index 000000000..d7d0a2247
--- /dev/null
+++ b/security/nss/lib/certhigh/manifest.mn
@@ -0,0 +1,59 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CORE_DEPTH = ../../..
+
+EXPORTS = \
+	ocsp.h \
+	ocspt.h \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	ocspti.h \
+	$(NULL)
+
+MODULE = security
+
+CSRCS = \
+	certhtml.c \
+	certreq.c \
+	crlv2.c \
+	ocsp.c \
+	certhigh.c \
+    certvfy.c \
+    xcrldist.c \
+	$(NULL)
+
+REQUIRES = security dbm
+
+LIBRARY_NAME = certhi
+
diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c
new file mode 100644
index 000000000..4d4c549ac
--- /dev/null
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -0,0 +1,4077 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Implementation of OCSP services, for both client and server.
+ * (XXX, really, mostly just for client right now, but intended to do both.)
+ *
+ * $Id$
+ */
+
+#include "prerror.h"
+#include "prprf.h"
+#include "plarena.h"
+#include "prnetdb.h"
+
+#include "seccomon.h"
+#include "secitem.h"
+#include "secoidt.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "cert.h"
+#include "xconst.h"
+#include "secerr.h"
+#include "secoid.h"
+#include "hasht.h"
+#include "sechash.h"
+#include "secasn1.h"
+#include "keyhi.h"
+#include "cryptohi.h"
+#include "ocsp.h"
+#include "ocspti.h"
+#include "genname.h"
+#include "certxutl.h"
+#include "pk11func.h"	/* for PK11_HashBuf */
+#include <stdarg.h>
+
+
+/*
+ * The following structure is only used internally.  It is allocated when
+ * someone turns on OCSP checking, and hangs off of the status-configuration
+ * structure in the certdb structure.  We use it to keep configuration
+ * information specific to OCSP checking.
+ */
+typedef struct ocspCheckingContextStr {
+    PRBool useDefaultResponder;
+    char *defaultResponderURI;
+    char *defaultResponderNickname;
+    CERTCertificate *defaultResponderCert;
+} ocspCheckingContext;
+
+
+/*
+ * Forward declarations of sub-types, so I can lay out the types in the
+ * same order as the ASN.1 is laid out in the OCSP spec itself.
+ *
+ * These are in alphabetical order (case-insensitive); please keep it that way!
+ */
+extern const SEC_ASN1Template ocsp_CertIDTemplate[];
+extern const SEC_ASN1Template ocsp_PointerToSignatureTemplate[];
+extern const SEC_ASN1Template ocsp_PointerToResponseBytesTemplate[];
+extern const SEC_ASN1Template ocsp_ResponseDataTemplate[];
+extern const SEC_ASN1Template ocsp_RevokedInfoTemplate[];
+extern const SEC_ASN1Template ocsp_SingleRequestTemplate[];
+extern const SEC_ASN1Template ocsp_SingleResponseTemplate[];
+extern const SEC_ASN1Template ocsp_TBSRequestTemplate[];
+
+
+/*
+ * Request-related templates...
+ */
+
+/*
+ * OCSPRequest	::=	SEQUENCE {
+ *	tbsRequest		TBSRequest,
+ *	optionalSignature	[0] EXPLICIT Signature OPTIONAL }
+ */
+static const SEC_ASN1Template ocsp_OCSPRequestTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(CERTOCSPRequest) },
+    { SEC_ASN1_POINTER,
+	offsetof(CERTOCSPRequest, tbsRequest),
+	ocsp_TBSRequestTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(CERTOCSPRequest, optionalSignature),
+	ocsp_PointerToSignatureTemplate },
+    { 0 }
+};
+
+/*
+ * TBSRequest	::=	SEQUENCE {
+ *	version			[0] EXPLICIT Version DEFAULT v1,
+ *	requestorName		[1] EXPLICIT GeneralName OPTIONAL,
+ *	requestList		SEQUENCE OF Request,
+ *	requestExtensions	[2] EXPLICIT Extensions OPTIONAL }
+ *
+ * Version	::=	INTEGER { v1(0) }
+ *
+ * Note: this should be static but the AIX compiler doesn't like it (because it
+ * was forward-declared above); it is not meant to be exported, but this
+ * is the only way it will compile.
+ */
+const SEC_ASN1Template ocsp_TBSRequestTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(ocspTBSRequest) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |		/* XXX DER_DEFAULT */
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(ocspTBSRequest, version),
+	SEC_IntegerTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	offsetof(ocspTBSRequest, derRequestorName),
+	SEC_PointerToAnyTemplate },
+    { SEC_ASN1_SEQUENCE_OF,
+	offsetof(ocspTBSRequest, requestList),
+	ocsp_SingleRequestTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
+	offsetof(ocspTBSRequest, requestExtensions),
+	CERT_SequenceOfCertExtensionTemplate },
+    { 0 }
+};
+
+/*
+ * Signature	::=	SEQUENCE {
+ *	signatureAlgorithm	AlgorithmIdentifier,
+ *	signature		BIT STRING,
+ *	certs			[0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+ */
+static const SEC_ASN1Template ocsp_SignatureTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(ocspSignature) },
+    { SEC_ASN1_INLINE,
+	offsetof(ocspSignature, signatureAlgorithm),
+	SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_BIT_STRING,
+	offsetof(ocspSignature, signature) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(ocspSignature, derCerts), 
+	SEC_SequenceOfAnyTemplate },
+    { 0 }
+};
+
+/*
+ * This template is just an extra level to use in an explicitly-tagged
+ * reference to a Signature.
+ *
+ * Note: this should be static but the AIX compiler doesn't like it (because it
+ * was forward-declared above); it is not meant to be exported, but this
+ * is the only way it will compile.
+ */
+const SEC_ASN1Template ocsp_PointerToSignatureTemplate[] = {
+    { SEC_ASN1_POINTER, 0, ocsp_SignatureTemplate }
+};
+
+/*
+ * Request	::=	SEQUENCE {
+ *	reqCert			CertID,
+ *	singleRequestExtensions	[0] EXPLICIT Extensions OPTIONAL }
+ *
+ * Note: this should be static but the AIX compiler doesn't like it (because it
+ * was forward-declared above); it is not meant to be exported, but this
+ * is the only way it will compile.
+ */
+const SEC_ASN1Template ocsp_SingleRequestTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 
+	0, NULL, sizeof(ocspSingleRequest) },
+    { SEC_ASN1_POINTER,
+	offsetof(ocspSingleRequest, reqCert),
+	ocsp_CertIDTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(ocspSingleRequest, singleRequestExtensions),
+	CERT_SequenceOfCertExtensionTemplate },
+    { 0 }
+};
+
+
+/*
+ * This data structure and template (CertID) is used by both OCSP
+ * requests and responses.  It is the only one that is shared.
+ *
+ * CertID	::=	SEQUENCE {
+ *	hashAlgorithm		AlgorithmIdentifier,
+ *	issuerNameHash		OCTET STRING,	-- Hash of Issuer DN
+ *	issuerKeyHash		OCTET STRING,	-- Hash of Issuer public key
+ *	serialNumber		CertificateSerialNumber }
+ *
+ * CertificateSerialNumber ::=	INTEGER
+ *
+ * Note: this should be static but the AIX compiler doesn't like it (because it
+ * was forward-declared above); it is not meant to be exported, but this
+ * is the only way it will compile.
+ */
+const SEC_ASN1Template ocsp_CertIDTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 
+	0, NULL, sizeof(CERTOCSPCertID) },
+    { SEC_ASN1_INLINE,
+	offsetof(CERTOCSPCertID, hashAlgorithm),
+	SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_OCTET_STRING,
+	offsetof(CERTOCSPCertID, issuerNameHash) },
+    { SEC_ASN1_OCTET_STRING,
+	offsetof(CERTOCSPCertID, issuerKeyHash) },
+    { SEC_ASN1_INTEGER, 
+	offsetof(CERTOCSPCertID, serialNumber) },
+    { 0 }
+};
+
+
+/*
+ * Response-related templates...
+ */
+
+/*
+ * OCSPResponse	::=	SEQUENCE {
+ *	responseStatus		OCSPResponseStatus,
+ *	responseBytes		[0] EXPLICIT ResponseBytes OPTIONAL }
+ */
+static const SEC_ASN1Template ocsp_OCSPResponseTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 
+	0, NULL, sizeof(CERTOCSPResponse) },
+    { SEC_ASN1_ENUMERATED, 
+	offsetof(CERTOCSPResponse, responseStatus) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(CERTOCSPResponse, responseBytes),
+	ocsp_PointerToResponseBytesTemplate },
+    { 0 }
+};
+
+/*
+ * ResponseBytes	::=	SEQUENCE {
+ *	responseType		OBJECT IDENTIFIER,
+ *	response		OCTET STRING }
+ */
+static const SEC_ASN1Template ocsp_ResponseBytesTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(ocspResponseBytes) },
+    { SEC_ASN1_OBJECT_ID,
+	offsetof(ocspResponseBytes, responseType) },
+    { SEC_ASN1_OCTET_STRING,
+	offsetof(ocspResponseBytes, response) },
+    { 0 }
+};
+
+/*
+ * This template is just an extra level to use in an explicitly-tagged
+ * reference to a ResponseBytes.
+ *
+ * Note: this should be static but the AIX compiler doesn't like it (because it
+ * was forward-declared above); it is not meant to be exported, but this
+ * is the only way it will compile.
+ */
+const SEC_ASN1Template ocsp_PointerToResponseBytesTemplate[] = {
+    { SEC_ASN1_POINTER, 0, ocsp_ResponseBytesTemplate }
+};
+
+/*
+ * BasicOCSPResponse	::=	SEQUENCE {
+ *	tbsResponseData		ResponseData,
+ *	signatureAlgorithm	AlgorithmIdentifier,
+ *	signature		BIT STRING,
+ *	certs			[0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+ */
+static const SEC_ASN1Template ocsp_BasicOCSPResponseTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(ocspBasicOCSPResponse) },
+    { SEC_ASN1_POINTER,
+	offsetof(ocspBasicOCSPResponse, tbsResponseData),
+	ocsp_ResponseDataTemplate },
+    { SEC_ASN1_INLINE,
+	offsetof(ocspBasicOCSPResponse, responseSignature.signatureAlgorithm),
+	SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_BIT_STRING,
+	offsetof(ocspBasicOCSPResponse, responseSignature.signature) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(ocspBasicOCSPResponse, responseSignature.derCerts),
+	SEC_SequenceOfAnyTemplate },
+    { 0 }
+};
+
+/*
+ * ResponseData	::=	SEQUENCE {
+ *	version			[0] EXPLICIT Version DEFAULT v1,
+ *	responderID		ResponderID,
+ *	producedAt		GeneralizedTime,
+ *	responses		SEQUENCE OF SingleResponse,
+ *	responseExtensions	[1] EXPLICIT Extensions OPTIONAL }
+ *
+ * Note: this should be static but the AIX compiler doesn't like it (because it
+ * was forward-declared above); it is not meant to be exported, but this
+ * is the only way it will compile.
+ */
+const SEC_ASN1Template ocsp_ResponseDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(ocspResponseData) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |		/* XXX DER_DEFAULT */
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(ocspResponseData, version),
+	SEC_IntegerTemplate },
+    { SEC_ASN1_ANY,
+	offsetof(ocspResponseData, derResponderID) },
+    { SEC_ASN1_GENERALIZED_TIME,
+	offsetof(ocspResponseData, producedAt) },
+    { SEC_ASN1_SEQUENCE_OF,
+	offsetof(ocspResponseData, responses),
+	ocsp_SingleResponseTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	offsetof(ocspResponseData, responseExtensions),
+	CERT_SequenceOfCertExtensionTemplate },
+    { 0 }
+};
+
+/*
+ * ResponderID	::=	CHOICE {
+ *	byName			[1] EXPLICIT Name,
+ *	byKey			[2] EXPLICIT KeyHash }
+ *
+ * KeyHash ::=	OCTET STRING -- SHA-1 hash of responder's public key
+ * (excluding the tag and length fields)
+ *
+ * XXX Because the ASN.1 encoder and decoder currently do not provide
+ * a way to automatically handle a CHOICE, we need to do it in two
+ * steps, looking at the type tag and feeding the exact choice back
+ * to the ASN.1 code.  Hopefully that will change someday and this
+ * can all be simplified down into a single template.  Anyway, for
+ * now we list each choice as its own template:
+ */
+static const SEC_ASN1Template ocsp_ResponderIDByNameTemplate[] = {
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	offsetof(ocspResponderID, responderIDValue.name),
+	CERT_NameTemplate }
+};
+static const SEC_ASN1Template ocsp_ResponderIDByKeyTemplate[] = {
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
+	offsetof(ocspResponderID, responderIDValue.keyHash),
+	SEC_OctetStringTemplate }
+};
+static const SEC_ASN1Template ocsp_ResponderIDOtherTemplate[] = {
+    { SEC_ASN1_ANY,
+	offsetof(ocspResponderID, responderIDValue.other) }
+};
+
+/*
+ * SingleResponse	::=	SEQUENCE {
+ *	certID			CertID,
+ *	certStatus		CertStatus,
+ *	thisUpdate		GeneralizedTime,
+ *	nextUpdate		[0] EXPLICIT GeneralizedTime OPTIONAL,
+ *	singleExtensions	[1] EXPLICIT Extensions OPTIONAL }
+ *
+ * Note: this should be static but the AIX compiler doesn't like it (because it
+ * was forward-declared above); it is not meant to be exported, but this
+ * is the only way it will compile.
+ */
+const SEC_ASN1Template ocsp_SingleResponseTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(CERTOCSPSingleResponse) },
+    { SEC_ASN1_POINTER,
+	offsetof(CERTOCSPSingleResponse, certID),
+	ocsp_CertIDTemplate },
+    { SEC_ASN1_ANY,
+	offsetof(CERTOCSPSingleResponse, derCertStatus) },
+    { SEC_ASN1_GENERALIZED_TIME,
+	offsetof(CERTOCSPSingleResponse, thisUpdate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(CERTOCSPSingleResponse, nextUpdate),
+	SEC_PointerToGeneralizedTimeTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	offsetof(CERTOCSPSingleResponse, singleExtensions),
+	CERT_SequenceOfCertExtensionTemplate },
+    { 0 }
+};
+
+/*
+ * CertStatus	::=	CHOICE {
+ *	good			[0] IMPLICIT NULL,
+ *	revoked			[1] IMPLICIT RevokedInfo,
+ *	unknown			[2] IMPLICIT UnknownInfo }
+ *
+ * Because the ASN.1 encoder and decoder currently do not provide
+ * a way to automatically handle a CHOICE, we need to do it in two
+ * steps, looking at the type tag and feeding the exact choice back
+ * to the ASN.1 code.  Hopefully that will change someday and this
+ * can all be simplified down into a single template.  Anyway, for
+ * now we list each choice as its own template:
+ */
+static const SEC_ASN1Template ocsp_CertStatusGoodTemplate[] = {
+    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(ocspCertStatus, certStatusInfo.goodInfo),
+	SEC_NullTemplate }
+};
+static const SEC_ASN1Template ocsp_CertStatusRevokedTemplate[] = {
+    { SEC_ASN1_POINTER | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, 
+	offsetof(ocspCertStatus, certStatusInfo.revokedInfo),
+	ocsp_RevokedInfoTemplate }
+};
+static const SEC_ASN1Template ocsp_CertStatusUnknownTemplate[] = {
+    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 2,
+	offsetof(ocspCertStatus, certStatusInfo.unknownInfo),
+	SEC_NullTemplate }
+};
+static const SEC_ASN1Template ocsp_CertStatusOtherTemplate[] = {
+    { SEC_ASN1_POINTER,
+	offsetof(ocspCertStatus, certStatusInfo.otherInfo),
+	SEC_AnyTemplate }
+};
+
+/*
+ * RevokedInfo	::=	SEQUENCE {
+ *	revocationTime		GeneralizedTime,
+ *	revocationReason	[0] EXPLICIT CRLReason OPTIONAL }
+ *
+ * Note: this should be static but the AIX compiler doesn't like it (because it
+ * was forward-declared above); it is not meant to be exported, but this
+ * is the only way it will compile.
+ */
+const SEC_ASN1Template ocsp_RevokedInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(ocspRevokedInfo) },
+    { SEC_ASN1_GENERALIZED_TIME,
+	offsetof(ocspRevokedInfo, revocationTime) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(ocspRevokedInfo, revocationReason), 
+	SEC_PointerToEnumeratedTemplate },
+    { 0 }
+};
+
+
+/*
+ * OCSP-specific extension templates:
+ */
+
+/*
+ * ServiceLocator	::=	SEQUENCE {
+ *	issuer			Name,
+ *	locator			AuthorityInfoAccessSyntax OPTIONAL }
+ */
+static const SEC_ASN1Template ocsp_ServiceLocatorTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(ocspServiceLocator) },
+    { SEC_ASN1_POINTER,
+	offsetof(ocspServiceLocator, issuer),
+	CERT_NameTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
+	offsetof(ocspServiceLocator, locator) },
+    { 0 }
+};
+
+
+/*
+ * REQUEST SUPPORT FUNCTIONS (encode/create/decode/destroy):
+ */
+
+/* 
+ * FUNCTION: CERT_EncodeOCSPRequest
+ *   DER encodes an OCSP Request, possibly adding a signature as well.
+ *   XXX Signing is not yet supported, however; see comments in code.
+ * INPUTS: 
+ *   PRArenaPool *arena
+ *     The return value is allocated from here.
+ *     If a NULL is passed in, allocation is done from the heap instead.
+ *   CERTOCSPRequest *request
+ *     The request to be encoded.
+ *   void *pwArg
+ *     Pointer to argument for password prompting, if needed.  (Definitely
+ *     not needed if not signing.)
+ * RETURN:
+ *   Returns a NULL on error and a pointer to the SECItem with the
+ *   encoded value otherwise.  Any error is likely to be low-level
+ *   (e.g. no memory).
+ */
+SECItem *
+CERT_EncodeOCSPRequest(PRArenaPool *arena, CERTOCSPRequest *request, 
+		       void *pwArg)
+{
+    ocspTBSRequest *tbsRequest;
+    SECStatus rv;
+
+    /* XXX All of these should generate errors if they fail. */
+    PORT_Assert(request);
+    PORT_Assert(request->tbsRequest);
+
+    tbsRequest = request->tbsRequest;
+
+    if (request->tbsRequest->extensionHandle != NULL) {
+	rv = CERT_FinishExtensions(request->tbsRequest->extensionHandle);
+	request->tbsRequest->extensionHandle = NULL;
+	if (rv != SECSuccess)
+	    return NULL;
+    }
+
+    /*
+     * XXX When signed requests are supported and request->optionalSignature
+     * is not NULL:
+     *  - need to encode tbsRequest->requestorName
+     *  - need to encode tbsRequest
+     *  - need to sign that encoded result (using cert in sig), filling in the
+     *    request->optionalSignature structure with the result, the signing
+     *    algorithm and (perhaps?) the cert (and its chain?) in derCerts
+     */
+
+    return SEC_ASN1EncodeItem(arena, NULL, request, ocsp_OCSPRequestTemplate);
+}
+
+
+/*
+ * FUNCTION: CERT_DecodeOCSPRequest
+ *   Decode a DER encoded OCSP Request.
+ * INPUTS:
+ *   SECItem *src
+ *     Pointer to a SECItem holding DER encoded OCSP Request.
+ * RETURN:
+ *   Returns a pointer to a CERTOCSPRequest containing the decoded request.
+ *   On error, returns NULL.  Most likely error is trouble decoding
+ *   (SEC_ERROR_OCSP_MALFORMED_REQUEST), or low-level problem (no memory).
+ */
+CERTOCSPRequest *
+CERT_DecodeOCSPRequest(SECItem *src)
+{
+    PRArenaPool *arena = NULL;
+    SECStatus rv = SECFailure;
+    CERTOCSPRequest *dest = NULL;
+    int i;
+
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	goto loser;
+    }
+    dest = (CERTOCSPRequest *) PORT_ArenaZAlloc(arena, 
+						sizeof(CERTOCSPRequest));
+    if (dest == NULL) {
+	goto loser;
+    }
+    dest->arena = arena;
+
+    rv = SEC_ASN1DecodeItem(arena, dest, ocsp_OCSPRequestTemplate, src);
+    if (rv != SECSuccess) {
+	if (PORT_GetError() == SEC_ERROR_BAD_DER)
+	    PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST);
+	goto loser;
+    }
+
+    /*
+     * XXX I would like to find a way to get rid of the necessity
+     * of doing this copying of the arena pointer.
+     */
+    for (i = 0; dest->tbsRequest->requestList[i] != NULL; i++) {
+	dest->tbsRequest->requestList[i]->arena = arena;
+    }
+
+    return dest;
+
+loser:
+    if (arena != NULL) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return NULL;
+}
+
+
+/*
+ * Create and fill-in a CertID.  This function fills in the hash values
+ * (issuerNameHash and issuerKeyHash), and is hardwired to use SHA1.
+ * Someday it might need to be more flexible about hash algorithm, but
+ * for now we have no intention/need to create anything else, and until
+ * we have more flexible underlying interfaces, it's just not as easy
+ * as it should be to just take an algorithm id and call some helper
+ * functions to do all the work (no algid->length translation, no function
+ * to hash from and into a SECItem, etc.).
+ *
+ * Error causes a null to be returned; most likely cause is trouble
+ * finding the certificate issuer (SEC_ERROR_UNKNOWN_ISSUER).
+ * Other errors are low-level problems (no memory, bad database, etc.).
+ */
+static CERTOCSPCertID *
+ocsp_CreateCertID(PRArenaPool *arena, CERTCertificate *cert, int64 time)
+{
+    CERTOCSPCertID *certID;
+    CERTCertificate *issuerCert = NULL;
+    SECItem *tempItem = NULL;
+    void *mark = PORT_ArenaMark(arena);
+    SECStatus rv;
+
+    PORT_Assert(arena != NULL);
+
+    certID = PORT_ArenaZNew(arena, CERTOCSPCertID);
+    if (certID == NULL) {
+	goto loser;
+    }
+
+    rv = SECOID_SetAlgorithmID(arena, &certID->hashAlgorithm, SEC_OID_SHA1,
+			       NULL);
+    if (rv != SECSuccess) {
+	goto loser; 
+    }
+
+    issuerCert = CERT_FindCertIssuer(cert, time, certUsageAnyCA);
+    if (issuerCert == NULL) {
+	goto loser;
+    }
+
+    tempItem = SEC_ASN1EncodeItem(NULL, NULL, &issuerCert->subject,
+				  CERT_NameTemplate);
+    if (tempItem == NULL) {
+	goto loser;
+    }
+
+    if (SECITEM_AllocItem(arena, &(certID->issuerNameHash),
+			  SHA1_LENGTH) == NULL) {
+	goto loser;
+    }
+    rv = PK11_HashBuf(SEC_OID_SHA1, certID->issuerNameHash.data,
+		      tempItem->data, tempItem->len);
+    if (rv != SECSuccess) {
+	goto loser; 
+    }
+    certID->issuerSHA1NameHash.data = certID->issuerNameHash.data;
+    certID->issuerSHA1NameHash.len = certID->issuerNameHash.len;
+    /* cache the other two hash algorithms as well */
+    if (SECITEM_AllocItem(arena, &(certID->issuerMD5NameHash),
+			  MD5_LENGTH) == NULL) {
+	goto loser;
+    }
+    rv = PK11_HashBuf(SEC_OID_MD5, certID->issuerMD5NameHash.data,
+		      tempItem->data, tempItem->len);
+    if (rv != SECSuccess) {
+	goto loser; 
+    }
+    if (SECITEM_AllocItem(arena, &(certID->issuerMD2NameHash),
+			  MD2_LENGTH) == NULL) {
+	goto loser;
+    }
+    rv = PK11_HashBuf(SEC_OID_MD2, certID->issuerMD2NameHash.data,
+		      tempItem->data, tempItem->len);
+    if (rv != SECSuccess) {
+	goto loser; 
+    }
+
+    SECITEM_FreeItem(tempItem, PR_TRUE);
+    tempItem = NULL;
+
+    if (CERT_SPKDigestValueForCert(arena, issuerCert, SEC_OID_SHA1,
+				   &(certID->issuerKeyHash)) == NULL) {
+	goto loser;
+    }
+    certID->issuerSHA1KeyHash.data = certID->issuerKeyHash.data;
+    certID->issuerSHA1KeyHash.len = certID->issuerKeyHash.len;
+    /* cache the other two hash algorithms as well */
+    if (CERT_SPKDigestValueForCert(arena, issuerCert, SEC_OID_MD5,
+				   &(certID->issuerMD5KeyHash)) == NULL) {
+	goto loser;
+    }
+    if (CERT_SPKDigestValueForCert(arena, issuerCert, SEC_OID_MD2,
+				   &(certID->issuerMD2KeyHash)) == NULL) {
+	goto loser;
+    }
+
+
+    /* now we are done with issuerCert */
+    CERT_DestroyCertificate(issuerCert);
+    issuerCert = NULL;
+
+    rv = SECITEM_CopyItem(arena, &certID->serialNumber, &cert->serialNumber);
+    if (rv != SECSuccess) {
+	goto loser; 
+    }
+
+    PORT_ArenaUnmark(arena, mark);
+    return certID;
+
+loser:
+    if (issuerCert != NULL) {
+	CERT_DestroyCertificate(issuerCert);
+    }
+    if (tempItem != NULL) {
+	SECITEM_FreeItem(tempItem, PR_TRUE);
+    }
+    PORT_ArenaRelease(arena, mark);
+    return NULL;
+}
+
+
+/*
+ * Callback to set Extensions in request object
+ */
+void SetSingleReqExts(void *object, CERTCertExtension **exts)
+{
+  ocspSingleRequest *singleRequest =
+    (ocspSingleRequest *)object;
+
+  singleRequest->singleRequestExtensions = exts;
+}
+
+/*
+ * Add the Service Locator extension to the singleRequestExtensions
+ * for the given singleRequest.
+ *
+ * All errors are internal or low-level problems (e.g. no memory).
+ */
+static SECStatus
+ocsp_AddServiceLocatorExtension(ocspSingleRequest *singleRequest,
+				CERTCertificate *cert)
+{
+    ocspServiceLocator *serviceLocator = NULL;
+    void *extensionHandle = NULL;
+    SECStatus rv = SECFailure;
+
+    serviceLocator = PORT_ZNew(ocspServiceLocator);
+    if (serviceLocator == NULL)
+	goto loser;
+
+    /*
+     * Normally it would be a bad idea to do a direct reference like
+     * this rather than allocate and copy the name *or* at least dup
+     * a reference of the cert.  But all we need is to be able to read
+     * the issuer name during the encoding we are about to do, so a
+     * copy is just a waste of time.
+     */
+    serviceLocator->issuer = &cert->issuer;
+
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS,
+				&serviceLocator->locator);
+    if (rv != SECSuccess) {
+	if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND)
+	    goto loser;
+    }
+
+    /* prepare for following loser gotos */
+    rv = SECFailure;
+
+    extensionHandle = cert_StartExtensions(singleRequest,
+                       singleRequest->arena, SetSingleReqExts);
+    if (extensionHandle == NULL)
+	goto loser;
+
+    rv = CERT_EncodeAndAddExtension(extensionHandle,
+				    SEC_OID_PKIX_OCSP_SERVICE_LOCATOR,
+				    serviceLocator, PR_FALSE,
+				    ocsp_ServiceLocatorTemplate);
+
+loser:
+    if (extensionHandle != NULL) {
+	/*
+	 * Either way we have to finish out the extension context (so it gets
+	 * freed).  But careful not to override any already-set bad status.
+	 */
+	SECStatus tmprv = CERT_FinishExtensions(extensionHandle);
+	if (rv == SECSuccess)
+	    rv = tmprv;
+    }
+
+    /*
+     * Finally, free the serviceLocator structure itself and we are done.
+     */
+    if (serviceLocator != NULL) {
+	if (serviceLocator->locator.data != NULL)
+	    SECITEM_FreeItem(&serviceLocator->locator, PR_FALSE);
+	PORT_Free(serviceLocator);
+    }
+
+    return rv;
+}
+
+/*
+ * Creates an array of ocspSingleRequest based on a list of certs.
+ * Note that the code which later compares the request list with the
+ * response expects this array to be in the exact same order as the
+ * certs are found in the list.  It would be harder to change that
+ * order than preserve it, but since the requirement is not obvious,
+ * it deserves to be mentioned.
+ *
+ * Any problem causes a null return and error set:
+ *	SEC_ERROR_UNKNOWN_ISSUER
+ * Other errors are low-level problems (no memory, bad database, etc.).
+ */
+static ocspSingleRequest **
+ocsp_CreateSingleRequestList(PRArenaPool *arena, CERTCertList *certList,
+			     int64 time, PRBool includeLocator)
+{
+    ocspSingleRequest **requestList = NULL;
+    CERTCertListNode *node;
+    int i, count;
+    void *mark = PORT_ArenaMark(arena);
+ 
+    node = CERT_LIST_HEAD(certList);
+    for (count = 0; !CERT_LIST_END(node, certList); count++) {
+	node = CERT_LIST_NEXT(node);
+    }
+
+    if (count == 0)
+	goto loser;
+
+    requestList = PORT_ArenaNewArray(arena, ocspSingleRequest *, count + 1);
+    if (requestList == NULL)
+	goto loser;
+
+    node = CERT_LIST_HEAD(certList);
+    for (i = 0; !CERT_LIST_END(node, certList); i++) {
+        requestList[i] = PORT_ArenaZNew(arena, ocspSingleRequest);
+	if (requestList[i] == NULL)
+	    goto loser;
+
+	requestList[i]->arena = arena;
+	requestList[i]->reqCert = ocsp_CreateCertID(arena, node->cert, time);
+	if (requestList[i]->reqCert == NULL)
+	    goto loser;
+
+	if (includeLocator == PR_TRUE) {
+	    SECStatus rv;
+
+	    rv = ocsp_AddServiceLocatorExtension(requestList[i], node->cert);
+	    if (rv != SECSuccess)
+		goto loser;
+	}
+
+	node = CERT_LIST_NEXT(node);
+    }
+
+    PORT_Assert(i == count);
+
+    PORT_ArenaUnmark(arena, mark);
+    requestList[i] = NULL;
+    return requestList;
+
+loser:
+    PORT_ArenaRelease(arena, mark);
+    return NULL;
+}
+
+
+/*
+ * FUNCTION: CERT_CreateOCSPRequest
+ *   Creates a CERTOCSPRequest, requesting the status of the certs in 
+ *   the given list.
+ * INPUTS:
+ *   CERTCertList *certList
+ *     A list of certs for which status will be requested.
+ *     Note that all of these certificates should have the same issuer,
+ *     or it's expected the response will be signed by a trusted responder.
+ *     If the certs need to be broken up into multiple requests, that
+ *     must be handled by the caller (and thus by having multiple calls
+ *     to this routine), who knows about where the request(s) are being
+ *     sent and whether there are any trusted responders in place.
+ *   int64 time
+ *     Indicates the time for which the certificate status is to be 
+ *     determined -- this may be used in the search for the cert's issuer
+ *     but has no effect on the request itself.
+ *   PRBool addServiceLocator
+ *     If true, the Service Locator extension should be added to the
+ *     single request(s) for each cert.
+ *   CERTCertificate *signerCert
+ *     If non-NULL, means sign the request using this cert.  Otherwise,
+ *     do not sign.
+ *     XXX note that request signing is not yet supported; see comment in code
+ * RETURN:
+ *   A pointer to a CERTOCSPRequest structure containing an OCSP request
+ *   for the cert list.  On error, null is returned, with an error set
+ *   indicating the reason.  This is likely SEC_ERROR_UNKNOWN_ISSUER.
+ *   (The issuer is needed to create a request for the certificate.)
+ *   Other errors are low-level problems (no memory, bad database, etc.).
+ */
+CERTOCSPRequest *
+CERT_CreateOCSPRequest(CERTCertList *certList, int64 time, 
+		       PRBool addServiceLocator,
+		       CERTCertificate *signerCert)
+{
+    PRArenaPool *arena = NULL;
+    CERTOCSPRequest *request = NULL;
+    ocspTBSRequest *tbsRequest = NULL;
+
+    /*
+     * XXX This should set an error, but since it is only temporary and
+     * since PSM will not initially provide a way to turn on signing of
+     * requests anyway, I figure we can just skip defining an error that
+     * will be obsolete in the next release.  When we are prepared to
+     * put signing of requests back in, this entire check will go away,
+     * and later in this function we will need to allocate a signature
+     * structure for the request, fill in the "derCerts" field in it,
+     * save the signerCert there, as well as fill in the "requestorName"
+     * field of the tbsRequest.
+     */
+    if (signerCert != NULL) {
+	return NULL;
+    }
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	goto loser;
+    }
+
+    request = PORT_ArenaZNew(arena, CERTOCSPRequest);
+    if (request == NULL) {
+	goto loser;
+    }
+    request->arena = arena;
+
+    tbsRequest = PORT_ArenaZNew(arena, ocspTBSRequest);
+    if (tbsRequest == NULL) {
+	goto loser;
+    }
+    request->tbsRequest = tbsRequest;
+
+    /* version 1 is the default, so we need not fill in a version number */
+
+    /*
+     * Now create the list of single requests, one for each cert.
+     */
+    tbsRequest->requestList = ocsp_CreateSingleRequestList(arena, certList,
+							   time,
+							   addServiceLocator);
+    if (tbsRequest->requestList == NULL) {
+	goto loser;
+    }
+    return request;
+
+loser:
+    if (arena != NULL) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return NULL;
+}
+
+
+/*
+ * FUNCTION: CERT_AddOCSPAcceptableResponses
+ *   Add the AcceptableResponses extension to an OCSP Request.
+ * INPUTS:
+ *   CERTOCSPRequest *request
+ *     The request to which the extension should be added.
+ *   ...
+ *     A list (of one or more) of SECOidTag -- each of the response types
+ *     to be added.  The last OID *must* be SEC_OID_PKIX_OCSP_BASIC_RESPONSE.
+ *     (This marks the end of the list, and it must be specified because a
+ *     client conforming to the OCSP standard is required to handle the basic
+ *     response type.)  The OIDs are not checked in any way.
+ * RETURN:
+ *   SECSuccess if the extension is added; SECFailure if anything goes wrong.
+ *   All errors are internal or low-level problems (e.g. no memory).
+ */
+
+void SetRequestExts(void *object, CERTCertExtension **exts)
+{
+  CERTOCSPRequest *request = (CERTOCSPRequest *)object;
+
+  request->tbsRequest->requestExtensions = exts;
+}
+
+SECStatus
+CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request, ...)
+{
+    void *extHandle;
+    va_list ap;
+    int i, count;
+    SECOidTag responseType;
+    SECOidData *responseOid;
+    SECItem **acceptableResponses = NULL;
+    SECStatus rv = SECFailure;
+
+    extHandle = request->tbsRequest->extensionHandle;
+    if (extHandle == NULL) {
+	extHandle = cert_StartExtensions(request, request->arena, SetRequestExts);
+	if (extHandle == NULL)
+	    goto loser;
+    }
+
+    /* Count number of OIDS going into the extension value. */
+    count = 0;
+    va_start(ap, request);
+    do {
+	count++;
+	responseType = va_arg(ap, SECOidTag);
+    } while (responseType != SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
+    va_end(ap);
+
+    acceptableResponses = PORT_NewArray(SECItem *, count + 1);
+    if (acceptableResponses == NULL)
+	goto loser;
+
+    va_start(ap, request);
+    for (i = 0; i < count; i++) {
+	responseType = va_arg(ap, SECOidTag);
+	responseOid = SECOID_FindOIDByTag(responseType);
+	acceptableResponses[i] = &(responseOid->oid);
+    }
+    va_end(ap);
+    acceptableResponses[i] = NULL;
+
+    rv = CERT_EncodeAndAddExtension(extHandle, SEC_OID_PKIX_OCSP_RESPONSE,
+				    &acceptableResponses, PR_FALSE,
+				    SEC_SequenceOfObjectIDTemplate);
+    if (rv != SECSuccess)
+	goto loser;
+
+    PORT_Free(acceptableResponses);
+    if (request->tbsRequest->extensionHandle == NULL)
+	request->tbsRequest->extensionHandle = extHandle;
+    return SECSuccess;
+
+loser:
+    if (acceptableResponses != NULL)
+	PORT_Free(acceptableResponses);
+    if (extHandle != NULL)
+	(void) CERT_FinishExtensions(extHandle);
+    return rv;
+}
+
+
+/*
+ * FUNCTION: CERT_DestroyOCSPRequest
+ *   Frees an OCSP Request structure.
+ * INPUTS:
+ *   CERTOCSPRequest *request
+ *     Pointer to CERTOCSPRequest to be freed.
+ * RETURN:
+ *   No return value; no errors.
+ */
+void
+CERT_DestroyOCSPRequest(CERTOCSPRequest *request)
+{
+    if (request == NULL)
+	return;
+
+    if (request->tbsRequest != NULL) {
+	if (request->tbsRequest->requestorName != NULL)
+	    CERT_DestroyGeneralNameList(request->tbsRequest->requestorName);
+	if (request->tbsRequest->extensionHandle != NULL)
+	    (void) CERT_FinishExtensions(request->tbsRequest->extensionHandle);
+    }
+
+    if (request->optionalSignature != NULL) {
+	if (request->optionalSignature->cert != NULL)
+	    CERT_DestroyCertificate(request->optionalSignature->cert);
+
+	/*
+	 * XXX Need to free derCerts?  Or do they come out of arena?
+	 * (Currently we never fill in derCerts, which is why the
+	 * answer is not obvious.  Once we do, add any necessary code
+	 * here and remove this comment.)
+	 */
+    }
+
+    /*
+     * We should actually never have a request without an arena,
+     * but check just in case.  (If there isn't one, there is not
+     * much we can do about it...)
+     */
+    PORT_Assert(request->arena != NULL);
+    if (request->arena != NULL)
+	PORT_FreeArena(request->arena, PR_FALSE);
+}
+
+
+/*
+ * RESPONSE SUPPORT FUNCTIONS (encode/create/decode/destroy):
+ */
+
+/*
+ * Helper function for encoding or decoding a ResponderID -- based on the
+ * given type, return the associated template for that choice.
+ */
+static const SEC_ASN1Template *
+ocsp_ResponderIDTemplateByType(ocspResponderIDType responderIDType)
+{
+    const SEC_ASN1Template *responderIDTemplate;
+
+    switch (responderIDType) {
+	case ocspResponderID_byName:
+	    responderIDTemplate = ocsp_ResponderIDByNameTemplate;
+	    break;
+	case ocspResponderID_byKey:
+	    responderIDTemplate = ocsp_ResponderIDByKeyTemplate;
+	    break;
+	case ocspResponderID_other:
+	default:
+	    PORT_Assert(responderIDType == ocspResponderID_other);
+	    responderIDTemplate = ocsp_ResponderIDOtherTemplate;
+	    break;
+    }
+
+    return responderIDTemplate;
+}
+
+/*
+ * Helper function for encoding or decoding a CertStatus -- based on the
+ * given type, return the associated template for that choice.
+ */
+static const SEC_ASN1Template *
+ocsp_CertStatusTemplateByType(ocspCertStatusType certStatusType)
+{
+    const SEC_ASN1Template *certStatusTemplate;
+
+    switch (certStatusType) {
+	case ocspCertStatus_good:
+	    certStatusTemplate = ocsp_CertStatusGoodTemplate;
+	    break;
+	case ocspCertStatus_revoked:
+	    certStatusTemplate = ocsp_CertStatusRevokedTemplate;
+	    break;
+	case ocspCertStatus_unknown:
+	    certStatusTemplate = ocsp_CertStatusUnknownTemplate;
+	    break;
+	case ocspCertStatus_other:
+	default:
+	    PORT_Assert(certStatusType == ocspCertStatus_other);
+	    certStatusTemplate = ocsp_CertStatusOtherTemplate;
+	    break;
+    }
+
+    return certStatusTemplate;
+}
+
+/*
+ * Helper function for decoding a certStatus -- turn the actual DER tag
+ * into our local translation.
+ */
+static ocspCertStatusType
+ocsp_CertStatusTypeByTag(int derTag)
+{
+    ocspCertStatusType certStatusType;
+
+    switch (derTag) {
+	case 0:
+	    certStatusType = ocspCertStatus_good;
+	    break;
+	case 1:
+	    certStatusType = ocspCertStatus_revoked;
+	    break;
+	case 2:
+	    certStatusType = ocspCertStatus_unknown;
+	    break;
+	default:
+	    certStatusType = ocspCertStatus_other;
+	    break;
+    }
+
+    return certStatusType;
+}
+
+/*
+ * Helper function for decoding SingleResponses -- they each contain
+ * a status which is encoded as CHOICE, which needs to be decoded "by hand".
+ *
+ * Note -- on error, this routine does not release the memory it may
+ * have allocated; it expects its caller to do that.
+ */
+static SECStatus
+ocsp_FinishDecodingSingleResponses(PRArenaPool *arena,
+				   CERTOCSPSingleResponse **responses)
+{
+    ocspCertStatus *certStatus;
+    ocspCertStatusType certStatusType;
+    const SEC_ASN1Template *certStatusTemplate;
+    int derTag;
+    int i;
+    SECStatus rv = SECFailure;
+
+    if (responses == NULL)			/* nothing to do */
+	return SECSuccess;
+
+    for (i = 0; responses[i] != NULL; i++) {
+	/*
+	 * The following assert points out internal errors (problems in
+	 * the template definitions or in the ASN.1 decoder itself, etc.).
+	 */
+	PORT_Assert(responses[i]->derCertStatus.data != NULL);
+
+	derTag = responses[i]->derCertStatus.data[0] & SEC_ASN1_TAGNUM_MASK;
+	certStatusType = ocsp_CertStatusTypeByTag(derTag);
+	certStatusTemplate = ocsp_CertStatusTemplateByType(certStatusType);
+
+	certStatus = PORT_ArenaZAlloc(arena, sizeof(ocspCertStatus));
+	if (certStatus == NULL) {
+	    goto loser;
+	}
+	rv = SEC_ASN1DecodeItem(arena, certStatus, certStatusTemplate,
+				&responses[i]->derCertStatus);
+	if (rv != SECSuccess) {
+	    if (PORT_GetError() == SEC_ERROR_BAD_DER)
+		PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+	    goto loser;
+	}
+
+	certStatus->certStatusType = certStatusType;
+	responses[i]->certStatus = certStatus;
+    }
+
+    return SECSuccess;
+
+loser:
+    return rv;
+}
+
+/*
+ * Helper function for decoding a responderID -- turn the actual DER tag
+ * into our local translation.
+ */
+static ocspResponderIDType
+ocsp_ResponderIDTypeByTag(int derTag)
+{
+    ocspResponderIDType responderIDType;
+
+    switch (derTag) {
+	case 1:
+	    responderIDType = ocspResponderID_byName;
+	    break;
+	case 2:
+	    responderIDType = ocspResponderID_byKey;
+	    break;
+	default:
+	    responderIDType = ocspResponderID_other;
+	    break;
+    }
+
+    return responderIDType;
+}
+
+/*
+ * Decode "src" as a BasicOCSPResponse, returning the result.
+ */
+static ocspBasicOCSPResponse *
+ocsp_DecodeBasicOCSPResponse(PRArenaPool *arena, SECItem *src)
+{
+    void *mark;
+    ocspBasicOCSPResponse *basicResponse;
+    ocspResponseData *responseData;
+    ocspResponderID *responderID;
+    ocspResponderIDType responderIDType;
+    const SEC_ASN1Template *responderIDTemplate;
+    int derTag;
+    SECStatus rv;
+
+    mark = PORT_ArenaMark(arena);
+
+    basicResponse = PORT_ArenaZAlloc(arena, sizeof(ocspBasicOCSPResponse));
+    if (basicResponse == NULL) {
+	goto loser;
+    }
+
+    rv = SEC_ASN1DecodeItem(arena, basicResponse,
+			    ocsp_BasicOCSPResponseTemplate, src);
+    if (rv != SECSuccess) {
+	if (PORT_GetError() == SEC_ERROR_BAD_DER)
+	    PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+	goto loser;
+    }
+
+    responseData = basicResponse->tbsResponseData;
+
+    /*
+     * The following asserts point out internal errors (problems in
+     * the template definitions or in the ASN.1 decoder itself, etc.).
+     */
+    PORT_Assert(responseData != NULL);
+    PORT_Assert(responseData->derResponderID.data != NULL);
+
+    /*
+     * XXX Because responderID is a CHOICE, which is not currently handled
+     * by our ASN.1 decoder, we have to decode it "by hand".
+     */
+    derTag = responseData->derResponderID.data[0] & SEC_ASN1_TAGNUM_MASK;
+    responderIDType = ocsp_ResponderIDTypeByTag(derTag);
+    responderIDTemplate = ocsp_ResponderIDTemplateByType(responderIDType);
+
+    responderID = PORT_ArenaZAlloc(arena, sizeof(ocspResponderID));
+    if (responderID == NULL) {
+	goto loser;
+    }
+    rv = SEC_ASN1DecodeItem(arena, responderID, responderIDTemplate,
+			    &responseData->derResponderID);
+    if (rv != SECSuccess) {
+	if (PORT_GetError() == SEC_ERROR_BAD_DER)
+	    PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+	goto loser;
+    }
+
+    responderID->responderIDType = responderIDType;
+    responseData->responderID = responderID;
+
+    /*
+     * XXX Each SingleResponse also contains a CHOICE, which has to be
+     * fixed up by hand.
+     */
+    rv = ocsp_FinishDecodingSingleResponses(arena, responseData->responses);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    PORT_ArenaUnmark(arena, mark);
+    return basicResponse;
+
+loser:
+    PORT_ArenaRelease(arena, mark);
+    return NULL;
+}
+
+
+/*
+ * Decode the responseBytes based on the responseType found in "rbytes",
+ * leaving the resulting translated/decoded information in there as well.
+ */
+static SECStatus
+ocsp_DecodeResponseBytes(PRArenaPool *arena, ocspResponseBytes *rbytes)
+{
+    PORT_Assert(rbytes != NULL);		/* internal error, really */
+    if (rbytes == NULL)
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);	/* XXX set better error? */
+
+    rbytes->responseTypeTag = SECOID_FindOIDTag(&rbytes->responseType);
+    switch (rbytes->responseTypeTag) {
+	case SEC_OID_PKIX_OCSP_BASIC_RESPONSE:
+	    {
+		ocspBasicOCSPResponse *basicResponse;
+
+		basicResponse = ocsp_DecodeBasicOCSPResponse(arena,
+							     &rbytes->response);
+		if (basicResponse == NULL)
+		    return SECFailure;
+
+		rbytes->decodedResponse.basic = basicResponse;
+	    }
+	    break;
+
+	/*
+	 * Add new/future response types here.
+	 */
+
+	default:
+	    PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE);
+	    return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+
+/*
+ * FUNCTION: CERT_DecodeOCSPResponse
+ *   Decode a DER encoded OCSP Response.
+ * INPUTS:
+ *   SECItem *src
+ *     Pointer to a SECItem holding DER encoded OCSP Response.
+ * RETURN:
+ *   Returns a pointer to a CERTOCSPResponse (the decoded OCSP Response);
+ *   the caller is responsible for destroying it.  Or NULL if error (either
+ *   response could not be decoded (SEC_ERROR_OCSP_MALFORMED_RESPONSE),
+ *   it was of an unexpected type (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE),
+ *   or a low-level or internal error occurred).
+ */
+CERTOCSPResponse *
+CERT_DecodeOCSPResponse(SECItem *src)
+{
+    PRArenaPool *arena = NULL;
+    CERTOCSPResponse *response = NULL;
+    SECStatus rv = SECFailure;
+    ocspResponseStatus sv;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	goto loser;
+    }
+    response = (CERTOCSPResponse *) PORT_ArenaZAlloc(arena,
+						     sizeof(CERTOCSPResponse));
+    if (response == NULL) {
+	goto loser;
+    }
+    response->arena = arena;
+
+    rv = SEC_ASN1DecodeItem(arena, response, ocsp_OCSPResponseTemplate, src);
+    if (rv != SECSuccess) {
+	if (PORT_GetError() == SEC_ERROR_BAD_DER)
+	    PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+	goto loser;
+    }
+
+    sv = (ocspResponseStatus) DER_GetInteger(&response->responseStatus);
+    response->statusValue = sv;
+    if (sv != ocspResponse_successful) {
+	/*
+	 * If the response status is anything but successful, then we
+	 * are all done with decoding; the status is all there is.
+	 */
+	return response;
+    }
+
+    /*
+     * A successful response contains much more information, still encoded.
+     * Now we need to decode that.
+     */
+    rv = ocsp_DecodeResponseBytes(arena, response->responseBytes);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    return response;
+
+loser:
+    if (arena != NULL) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return NULL;
+}
+
+/*
+ * The way an OCSPResponse is defined, there are many levels to descend
+ * before getting to the actual response information.  And along the way
+ * we need to check that the response *type* is recognizable, which for
+ * now means that it is a BasicOCSPResponse, because that is the only
+ * type currently defined.  Rather than force all routines to perform
+ * a bunch of sanity checking every time they want to work on a response,
+ * this function isolates that and gives back the interesting part.
+ * Note that no copying is done, this just returns a pointer into the
+ * substructure of the response which is passed in.
+ *
+ * XXX This routine only works when a valid response structure is passed
+ * into it; this is checked with many assertions.  Assuming the response
+ * was creating by decoding, it wouldn't make it this far without being
+ * okay.  That is a sufficient assumption since the entire OCSP interface
+ * is only used internally.  When this interface is officially exported,
+ * each assertion below will need to be followed-up with setting an error
+ * and returning (null).
+ */
+static ocspResponseData *
+ocsp_GetResponseData(CERTOCSPResponse *response)
+{
+    ocspBasicOCSPResponse *basic;
+    ocspResponseData *responseData;
+
+    PORT_Assert(response != NULL);
+
+    PORT_Assert(response->responseBytes != NULL);
+
+    PORT_Assert(response->responseBytes->responseTypeTag
+		== SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
+
+    basic = response->responseBytes->decodedResponse.basic;
+    PORT_Assert(basic != NULL);
+
+    responseData = basic->tbsResponseData;
+    PORT_Assert(responseData != NULL);
+
+    return responseData;
+}
+
+/*
+ * Much like the routine above, except it returns the response signature.
+ * Again, no copy is done.
+ */
+static ocspSignature *
+ocsp_GetResponseSignature(CERTOCSPResponse *response)
+{
+    ocspBasicOCSPResponse *basic;
+
+    PORT_Assert(response != NULL);
+    PORT_Assert(response->responseBytes != NULL);
+    PORT_Assert(response->responseBytes->responseTypeTag
+		== SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
+
+    basic = response->responseBytes->decodedResponse.basic;
+    PORT_Assert(basic != NULL);
+
+    return &(basic->responseSignature);
+}
+
+
+/*
+ * FUNCTION: CERT_DestroyOCSPResponse
+ *   Frees an OCSP Response structure.
+ * INPUTS:
+ *   CERTOCSPResponse *request
+ *     Pointer to CERTOCSPResponse to be freed.
+ * RETURN:
+ *   No return value; no errors.
+ */
+void
+CERT_DestroyOCSPResponse(CERTOCSPResponse *response)
+{
+    if (response != NULL) {
+	ocspSignature *signature = ocsp_GetResponseSignature(response);
+	if (signature->cert != NULL)
+	    CERT_DestroyCertificate(signature->cert);
+
+	/*
+	 * We should actually never have a response without an arena,
+	 * but check just in case.  (If there isn't one, there is not
+	 * much we can do about it...)
+	 */
+	PORT_Assert(response->arena != NULL);
+	if (response->arena != NULL) {
+	    PORT_FreeArena(response->arena, PR_FALSE);
+	}
+    }
+}
+
+
+/*
+ * OVERALL OCSP CLIENT SUPPORT (make and send a request, verify a response):
+ */
+
+
+/*
+ * Pick apart a URL, saving the important things in the passed-in pointers.
+ *
+ * We expect to find "http://<hostname>[:<port>]/[path]", though we will
+ * tolerate that final slash character missing, as well as beginning and
+ * trailing whitespace, and any-case-characters for "http".  All of that
+ * tolerance is what complicates this routine.  What we want is just to
+ * pick out the hostname, the port, and the path.
+ *
+ * On a successful return, the caller will need to free the output pieces
+ * of hostname and path, which are copies of the values found in the url.
+ */
+static SECStatus
+ocsp_ParseURL(char *url, char **pHostname, PRUint16 *pPort, char **pPath)
+{
+    unsigned short port = 80;		/* default, in case not in url */
+    char *hostname = NULL;
+    char *path = NULL;
+    char *save;
+    char c;
+    int len;
+
+    if (url == NULL)
+	goto loser;
+
+    /*
+     * Skip beginning whitespace.
+     */
+    c = *url;
+    while ((c == ' ' || c == '\t') && c != '\0') {
+	url++;
+	c = *url;
+    }
+    if (c == '\0')
+	goto loser;
+
+    /*
+     * Confirm, then skip, protocol.  (Since we only know how to do http,
+     * that is all we will accept).
+     */
+    if (PORT_Strncasecmp(url, "http://", 7) != 0)
+	goto loser;
+    url += 7;
+
+    /*
+     * Whatever comes next is the hostname (or host IP address).  We just
+     * save it aside and then search for its end so we can determine its
+     * length and copy it.
+     *
+     * XXX Note that because we treat a ':' as a terminator character
+     * (and below, we expect that to mean there is a port specification
+     * immediately following), we will not handle IPv6 addresses.  That is
+     * apparently an acceptable limitation, for the time being.  Some day,
+     * when there is a clear way to specify a URL with an IPv6 address that
+     * can be parsed unambiguously, this code should be made to do that.
+     */
+    save = url;
+    c = *url;
+    while (c != '/' && c != ':' && c != '\0' && c != ' ' && c != '\t') {
+	url++;
+	c = *url;
+    }
+    len = url - save;
+    hostname = PORT_Alloc(len + 1);
+    if (hostname == NULL)
+	goto loser;
+    PORT_Memcpy(hostname, save, len);
+    hostname[len] = '\0';
+
+    /*
+     * Now we figure out if there was a port specified or not.
+     * If so, we need to parse it (as a number) and skip it.
+     */
+    if (c == ':') {
+	url++;
+	port = (unsigned short) PORT_Atoi(url);
+	c = *url;
+	while (c != '/' && c != '\0' && c != ' ' && c != '\t') {
+	    if (c < '0' || c > '9')
+		goto loser;
+	    url++;
+	    c = *url;
+	}
+    }
+
+    /*
+     * Last thing to find is a path.  There *should* be a slash,
+     * if nothing else -- but if there is not we provide one.
+     */
+    if (c == '/') {
+	save = url;
+	while (c != '\0' && c != ' ' && c != '\t') {
+	    url++;
+	    c = *url;
+	}
+	len = url - save;
+	path = PORT_Alloc(len + 1);
+	if (path == NULL)
+	    goto loser;
+	PORT_Memcpy(path, save, len);
+	path[len] = '\0';
+    } else {
+	path = PORT_Strdup("/");
+    }
+
+    *pHostname = hostname;
+    *pPort = port;
+    *pPath = path;
+    return SECSuccess;
+
+loser:
+    if (hostname != NULL)
+	PORT_Free(hostname);
+    if (path != NULL)
+	PORT_Free(path);
+    PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+    return SECFailure;
+}
+
+/*
+ * Open a socket to the specified host on the specified port, and return it.
+ * The host is either a hostname or an IP address.
+ */
+static PRFileDesc *
+ocsp_ConnectToHost(const char *host, PRUint16 port)
+{
+    PRFileDesc *sock = NULL;
+    PRIntervalTime timeout;
+    PRNetAddr addr;
+    char *netdbbuf = NULL;
+
+    sock = PR_NewTCPSocket();
+    if (sock == NULL)
+	goto loser;
+
+    /* XXX Some day need a way to set (and get?) the following value */
+    timeout = PR_SecondsToInterval(30);
+
+    /*
+     * If the following converts an IP address string in "dot notation"
+     * into a PRNetAddr.  If it fails, we assume that is because we do not
+     * have such an address, but instead a host *name*.  In that case we
+     * then lookup the host by name.  Using the NSPR function this way
+     * means we do not have to have our own logic for distinguishing a
+     * valid numerical IP address from a hostname.
+     */
+    if (PR_StringToNetAddr(host, &addr) != PR_SUCCESS) {
+	PRIntn hostIndex;
+	PRHostEnt hostEntry;
+
+	netdbbuf = PORT_Alloc(PR_NETDB_BUF_SIZE);
+	if (netdbbuf == NULL)
+	    goto loser;
+
+	if (PR_GetHostByName(host, netdbbuf, PR_NETDB_BUF_SIZE,
+			     &hostEntry) != PR_SUCCESS)
+	    goto loser;
+
+	hostIndex = 0;
+	do {
+	    hostIndex = PR_EnumerateHostEnt(hostIndex, &hostEntry, port, &addr);
+	    if (hostIndex < 0)
+		goto loser;
+	} while (PR_Connect(sock, &addr, timeout) != PR_SUCCESS
+		 && hostIndex > 0);
+
+        if (hostIndex == 0)
+	    goto loser;
+
+	PORT_Free(netdbbuf);
+    } else {
+	/*
+	 * First put the port into the address, then connect.
+	 */
+	if (PR_InitializeNetAddr(PR_IpAddrNull, port, &addr) != PR_SUCCESS)
+	    goto loser;
+	if (PR_Connect(sock, &addr, timeout) != PR_SUCCESS)
+	    goto loser;
+    }
+
+    return sock;
+
+loser:
+    if (sock != NULL)
+	PR_Close(sock);
+    if (netdbbuf != NULL)
+	PORT_Free(netdbbuf);
+    return NULL;
+}
+
+/*
+ * Sends an encoded OCSP request to the server identified by "location",
+ * and returns the socket on which it was sent (so can listen for the reply).
+ * "location" is expected to be a valid URL -- an error parsing it produces
+ * SEC_ERROR_CERT_BAD_ACCESS_LOCATION.  Other errors are likely problems
+ * connecting to it, or writing to it, or allocating memory, and the low-level
+ * errors appropriate to the problem will be set.
+ */
+static PRFileDesc *
+ocsp_SendEncodedRequest(char *location, SECItem *encodedRequest)
+{
+    char *hostname = NULL;
+    char *path = NULL;
+    PRUint16 port;
+    SECStatus rv;
+    PRFileDesc *sock = NULL;
+    PRFileDesc *returnSock = NULL;
+    char *header = NULL;
+
+    /*
+     * Take apart the location, getting the hostname, port, and path.
+     */
+    rv = ocsp_ParseURL(location, &hostname, &port, &path);
+    if (rv != SECSuccess)
+	goto loser;
+
+    PORT_Assert(hostname != NULL);
+    PORT_Assert(path != NULL);
+
+    sock = ocsp_ConnectToHost(hostname, port);
+    if (sock == NULL)
+	goto loser;
+
+    header = PR_smprintf("POST %s HTTP/1.0\r\n"
+			 "Host: %s:%d\r\n"
+			 "Content-Type: application/ocsp-request\r\n"
+			 "Content-Length: %u\r\n\r\n",
+			 path, hostname, port, encodedRequest->len);
+    if (header == NULL)
+	goto loser;
+
+    /*
+     * The NSPR documentation promises that if it can, it will write the full
+     * amount; this will not return a partial value expecting us to loop.
+     */
+    if (PR_Write(sock, header, (PRInt32) PORT_Strlen(header)) < 0)
+	goto loser;
+
+    if (PR_Write(sock, encodedRequest->data,
+		 (PRInt32) encodedRequest->len) < 0)
+	goto loser;
+
+    returnSock = sock;
+    sock = NULL;
+
+loser:
+    if (header != NULL)
+	PORT_Free(header);
+    if (sock != NULL)
+	PR_Close(sock);
+    if (path != NULL)
+	PORT_Free(path);
+    if (hostname != NULL)
+	PORT_Free(hostname);
+
+    return returnSock;
+}
+
+/*
+ * Read from "fd" into "buf" -- expect/attempt to read a "minimum" number
+ * of bytes, but do not exceed "maximum".  (Obviously, stop at less than
+ * "minimum" if hit end-of-stream.)  Only problems are low-level i/o errors.
+ */
+static int
+ocsp_MinMaxRead(PRFileDesc *fd, unsigned char *buf, int minimum, int maximum)
+{
+    int total = 0;
+
+    while (total < minimum) {
+	PRInt32 got;
+
+	got = PR_Read(fd, buf + total, (PRInt32) (maximum - total));
+	if (got < 0) {
+	    if (PR_GetError() != PR_WOULD_BLOCK_ERROR) {
+		break;
+	    }
+	    continue;
+	} else if (got == 0) {			/* EOS */
+	    break;
+	}
+
+	total += got;
+    }
+
+    return total;
+}
+
+#ifdef BUFSIZ
+#define OCSP_BUFSIZE BUFSIZ
+#else
+#define OCSP_BUFSIZE 1024
+#endif
+
+/*
+ * Listens on the given socket and returns an encoded response when received.
+ * Properly formatted HTTP response headers are expected to be read from the
+ * socket, preceding a binary-encoded OCSP response.  Problems with parsing
+ * cause the error SEC_ERROR_OCSP_BAD_HTTP_RESPONSE to be set; any other
+ * problems are likely low-level i/o or memory allocation errors.
+ */
+static SECItem *
+ocsp_GetEncodedResponse(PRArenaPool *arena, PRFileDesc *sock)
+{
+    unsigned char *buf = NULL;
+    int bufsize, bytesRead, len;
+    const unsigned char *bufEnd;
+    const char *s;
+    const char *newline = NULL;
+    PRBool headersDone = PR_FALSE;
+    PRBool pendingCR = PR_FALSE;
+    PRBool contentTypeOK = PR_FALSE;
+    unsigned int contentLength = 0;
+    void *mark = NULL;
+    SECItem *result = NULL;
+
+
+    bufsize = OCSP_BUFSIZE;
+    buf = PORT_Alloc(bufsize);
+    if (buf == NULL) {
+	goto loser;
+    }
+    /*
+     * I picked 128 because:
+     *	- It is a nice "round" number. ;-)
+     *  - I am sure it should cover at least the first line of the http
+     *	  response (on the order of 20 should be enough but I am allowing
+     *	  for excessive leading whitespace) so that I don't have to keep
+     *	  checking for going past the end of the buffer until after that.
+     *	- I am sure that any interesting response will be bigger than that;
+     *    the exception is one that is status-only, like "tryLater".
+     *  - Given a trim response (no extra whitespace), it should cover
+     *	  all of the http headers, and just a bit of the content.
+     *	  This is what I was aiming for, to minimize data copying.
+     */
+    bytesRead = ocsp_MinMaxRead(sock, buf, 128, bufsize);
+    if (bytesRead <= 0) {
+	if (bytesRead == 0)
+	    PORT_SetError(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
+	goto loser;
+    }
+    bufEnd = buf + bytesRead;
+    /*
+     * Skip leading whitespace.
+     */
+    for (s = (char *)buf; s < (char *)bufEnd; s++) {
+	if (*s != ' ' && *s != '\t') {
+	    break;
+	}
+    }
+    /*
+     * Here we expect to find something like "HTTP/1.x 200 OK\r\n".
+     * (The status code may be anything, but should be 3 digits.
+     * The comment (e.g. "OK") may be anything as well.)  I figure that
+     * the minimal line would be "HTTP/x.y zzz\n", which is 13 chars.
+     * That may not even meet the spec, but we will accept it -- anything
+     * less than that, though, we will not.
+     */
+    if (((char *)bufEnd - s) < 13 || PORT_Strncasecmp(s, "http/", 5) != 0) {
+	PORT_SetError(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
+	goto loser;
+    }
+    s += 5;			/* skip "http/" */
+    /*
+     * I don't see a reason to look at the version number.  Assuming that
+     * whatever version it is, it supports the one or two headers we are
+     * looking for, and doesn't completely change the interpretation of
+     * status values, it shouldn't matter.  We shouldn't reject something
+     * that would otherwise work just because the code was picky about
+     * version number.  So we just skip it, hoping real incompatibility
+     * will manifest itself in the parsing.
+     */
+    while (*s++ != ' ') {	/* skip "x.y ", without interpretation */
+	/*
+	 * We expect the version number to be only a few characters,
+	 * and that we should easily have enough in the buffer to cover.
+	 * So, if we go past the end, just bail.
+	 */
+	if (s >= (char *)bufEnd) {
+	    PORT_SetError(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
+	    goto loser;
+	}
+    }
+    /*
+     * Now get, and check, the status.  Accept 200-299; reject all else.
+     * There are some 200s that basically have no content, but that will
+     * fall out as bad below, and it's just easier to handle it that way
+     * than to try to know all the different status values.
+     */
+    {
+	int statusCode = PORT_Atoi(s);
+
+	if (statusCode < 200 || statusCode >= 300) {
+	    PORT_SetError(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
+	    goto loser;
+	}
+    }
+    s += 3;			/* skip 3-digit status code */
+    /*
+     * The rest of the line is a comment, which we just want to skip.
+     * The next thing to do is continue through all of the HTTP headers,
+     * watching for the couple we are interested in.  The end of the
+     * headers (and thus the beginning of the content) is marked by
+     * two consecutive newlines.  (According to spec that should be
+     * CRLF followed by CRLF, but we are being generous and allowing
+     * for people who send only CRs or only LFs, too.)
+     *
+     * XXX Explain better about how the following code works.
+     * Especially what the potential values of "newline" are and what
+     * each one means.
+     */
+    while (1) {
+	/*
+	 * Move forward to the next line, stopping when we find a CRLF,
+	 * CR, or LF, or the end of the buffer.  We have to be careful
+	 * when we find a lone CR at the end of the buffer, because if
+	 * the next character read is an LF we want to treat it as one
+	 * newline altogether.
+	 *
+	 * We also need to detect two newlines in a row, which is what
+	 * marks the end of the headers and time for us to quit out of
+	 * the outer loop.
+	 */
+	for (; s < (char *)bufEnd; s++) {
+	    if (*s == '\r' || *s == '\n') {
+		if (s == newline) {
+		    headersDone = PR_TRUE;	/* 2nd consecutive newline */
+		}
+		newline = s;
+		if (newline[0] == '\r') {
+		    if (s == (char *)bufEnd - 1) {
+			/* CR at end - wait for the next character */
+			newline = NULL;
+			pendingCR = PR_TRUE;
+			break;
+		    } else if (newline[1] == '\n') {
+			/* CRLF seen; swallow both */
+			newline++;
+		    }
+		}
+		newline++;
+		break;
+	    }
+	    /*
+	     * After the first time through, we no longer need to remember
+	     * where the previous line started.  We needed it for checking
+	     * for consecutive newlines, but now we need it to be clear in
+	     * case we finish the loop by finishing off the buffer.
+	     */
+	    newline = NULL;
+	}
+	if (headersDone) {
+	    s = newline;
+	    break;
+	}
+	/*
+	 * When we are here, either:
+	 *	- newline is NULL, meaning we're at the end of the buffer
+	 *	  and we need to refill it, or
+	 *	- newline points to the first character on the new line
+	 */
+	if (newline == NULL) {
+	    /* So, we need to refill the buffer. */
+	    len = pendingCR ? 1 : 0;
+	    bytesRead = ocsp_MinMaxRead(sock, buf + len, 64 - len,
+					bufsize - len);
+	    if (bytesRead <= 0) {
+		if (bytesRead == 0)
+		    PORT_SetError(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
+		goto loser;
+	    }
+	    s = (char *)buf;
+	    bufEnd = buf + len + bytesRead;
+	    if (pendingCR) {
+		buf[0] = '\r';
+		pendingCR = PR_FALSE;
+	    }
+	    continue;
+	}
+	/*
+	 * So, we have a good newline pointer (just past a CR, LF or CRLF),
+	 * but now we want to make sure that what it points to is long
+	 * enough to be something we are looking for.  If it isn't, add
+	 * more to the buffer after first copying what's left to the
+	 * beginning.
+	 */
+	if (((char *)bufEnd - newline) < 40) {
+	    len = (char *)bufEnd - newline;
+	    PORT_Memmove(buf, newline, len);
+	    bytesRead = ocsp_MinMaxRead(sock, buf + len, 40 - len,
+					bufsize - len);
+	    if (bytesRead <= 0) {
+		if (bytesRead == 0)
+		    PORT_SetError(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
+		goto loser;
+	    }
+	    newline = (char *)buf;
+	    bufEnd = buf + len + bytesRead;
+	}
+	/*
+	 * Okay, now we know that we are looking at an HTTP header line
+	 * with enough length to be safe for our comparisons.  See if it is
+	 * one of the ones we are interested in.  (That is, "Content-Length"
+	 * or "Content-Type".)
+	 */
+	if (PORT_Strncasecmp(newline, "content-", 8) == 0) {
+	    s = newline + 8;
+	    if (PORT_Strncasecmp(s, "type: ", 6) == 0) {
+		s += 6;
+		if (PORT_Strncasecmp(s, "application/ocsp-response",
+				     25) != 0) {
+		    break;
+		}
+		contentTypeOK = PR_TRUE;
+		s += 25;
+	    } else if (PORT_Strncasecmp(s, "length: ", 8) == 0) {
+		s += 8;
+		contentLength = PORT_Atoi(s);
+	    }
+	    newline = NULL;
+	} else {
+	    /*
+	     * Not an interesting header.  We will go around the loop
+	     * again to find the next line.
+	     */
+	    s = newline;
+	}
+    }
+
+    /*
+     * Check that we got the correct content type.  (If !contentTypeOK,
+     * the content-type header was either bad or missing.)
+     */
+    if (!contentTypeOK) {
+	PORT_SetError(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
+	goto loser;
+    }
+
+    /*
+     * Now we need to handle the actual content.  We may not have a
+     * good content-length; things are harder if we do not -- in that
+     * case we will just read until we get EOS.
+     */
+
+    /*
+     * We are finally about the allocate the return area; before that
+     * mark the arena so we can release-back on error.
+     */
+    if (arena != NULL) {
+	mark = PORT_ArenaMark(arena);
+    }
+    /*
+     * How much of the content is already in the buffer?
+     */ 
+    if (s == NULL) {
+	len = 0;
+    } else {
+	len = (char *)bufEnd - s;
+	if (contentLength && len > contentLength) {
+	    len = contentLength;
+	}
+    }
+    /*
+     * Now allocate the item to hold the data.
+     */
+    result = SECITEM_AllocItem(arena, NULL,
+			       contentLength ? contentLength : len);
+    if (result == NULL) {
+	goto loser;
+    }
+    /*
+     * And copy the data left in the buffer.
+     */
+    if (len) {
+	PORT_Memcpy(result->data, s, len);
+    }
+
+    /*
+     * Now we need to read all of the (rest of the) content.  If we know
+     * the length, it's easy, just one big read.  If not, we need to loop,
+     * reading until there is nothing left to read.
+     */
+    if (contentLength) {
+	int remaining;
+
+	/*
+	 * It may be the case that our last buffer ended exactly on the
+	 * second CR of the CRLF pair which denotes the end of the headers.
+	 * If so, we have to be prepared to read, and skip over, an LF.
+	 * Since we want to read the rest of the content directly into
+	 * the buffer we are returning, we read one byte specifically and
+	 * see if it is an LF.  If not, we just copy that byte into the
+	 * first byte of our return value.
+	 */
+	if (pendingCR) {
+	    PORT_Assert(len == 0);
+	    bytesRead = ocsp_MinMaxRead(sock, buf, 1, 1);
+	    if (bytesRead < 1) {
+		goto loser;
+	    }
+	    if (buf[0] != '\n') {
+		result->data[0] = buf[0];
+		len = 1;
+	    }
+	}
+	remaining = contentLength - len;
+	if (remaining) {
+	    bytesRead = ocsp_MinMaxRead(sock, result->data + len,
+					remaining, remaining);
+	    if (bytesRead < remaining) {
+		if (bytesRead > 0) {
+		    PORT_SetError(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
+		}
+		goto loser;
+	    }
+	}
+    } else while (1) {
+	/*
+	 * Read as much as we can.  There is no real minimum here,
+	 * we will just take whatever we can get and copy it over
+	 * into our result area.
+	 */
+	bytesRead = ocsp_MinMaxRead(sock, buf, 1, bufsize);
+	if (bytesRead < 0) {
+	    goto loser;
+	}
+	if (bytesRead == 0) {		/* EOS: all done reading */
+	    break;
+	}
+	/*
+	 * Now make room for that many more bytes in our result area.
+	 */
+	if (SECITEM_ReallocItem(arena, result, len,
+				len + bytesRead) != SECSuccess) {
+	    goto loser;
+	}
+	/*
+	 * The first time through this loop, it may be the case that
+	 * we have the final LF of our CRLF pair that ended the headers.
+	 * If so, we need to skip over it.
+	 */
+	if (pendingCR && buf[0] == '\n') {
+	    PORT_Memcpy(result->data + len, buf + 1, bytesRead - 1);
+	    len += bytesRead - 1;
+	} else {
+	    PORT_Memcpy(result->data + len, buf, bytesRead);
+	    len += bytesRead;
+	}
+	/*
+	 * In any case, after the first time through, we are done
+	 * looking for that LF.
+	 */
+	pendingCR = PR_FALSE;
+	/*
+	 * If we are reading "slowly", get ourselves a bigger buffer.
+	 */
+	if (bytesRead == bufsize) {
+	    bufsize *= 2;
+	    PORT_Free(buf);
+	    buf = PORT_Alloc(bufsize);
+	    if (buf == NULL) {
+		goto loser;
+	    }
+	}
+    }
+
+    /*
+     * Finally, we are done!  The encoded response (the content of the
+     * HTTP response) is now in "result".  We just have a little cleaning
+     * up to do before we return.
+     */
+    if (mark != NULL) {
+	PORT_ArenaUnmark(arena, mark);
+    }
+    PORT_Free(buf);
+    return result;
+
+loser:
+    if (mark != NULL) {
+	PORT_ArenaRelease(arena, mark);
+    } else if (result != NULL) {
+	SECITEM_FreeItem(result, PR_TRUE);
+    }
+    if (buf != NULL) {
+	PORT_Free(buf);
+    }
+    return NULL;
+}
+
+
+/*
+ * FUNCTION: CERT_GetEncodedOCSPResponse
+ *   Creates and sends a request to an OCSP responder, then reads and
+ *   returns the (encoded) response.
+ * INPUTS:
+ *   PRArenaPool *arena
+ *     Pointer to arena from which return value will be allocated.
+ *     If NULL, result will be allocated from the heap (and thus should
+ *     be freed via SECITEM_FreeItem).
+ *   CERTCertList *certList
+ *     A list of certs for which status will be requested.
+ *     Note that all of these certificates should have the same issuer,
+ *     or it's expected the response will be signed by a trusted responder.
+ *     If the certs need to be broken up into multiple requests, that
+ *     must be handled by the caller (and thus by having multiple calls
+ *     to this routine), who knows about where the request(s) are being
+ *     sent and whether there are any trusted responders in place.
+ *   char *location
+ *     The location of the OCSP responder (a URL).
+ *   int64 time
+ *     Indicates the time for which the certificate status is to be 
+ *     determined -- this may be used in the search for the cert's issuer
+ *     but has no other bearing on the operation.
+ *   PRBool addServiceLocator
+ *     If true, the Service Locator extension should be added to the
+ *     single request(s) for each cert.
+ *   CERTCertificate *signerCert
+ *     If non-NULL, means sign the request using this cert.  Otherwise,
+ *     do not sign.
+ *   void *pwArg
+ *     Pointer to argument for password prompting, if needed.  (Definitely
+ *     not needed if not signing.)
+ * OUTPUTS:
+ *   CERTOCSPRequest **pRequest
+ *     Pointer in which to store the OCSP request created for the given
+ *     list of certificates.  It is only filled in if the entire operation
+ *     is successful and the pointer is not null -- and in that case the
+ *     caller is then reponsible for destroying it.
+ * RETURN:
+ *   Returns a pointer to the SECItem holding the response.
+ *   On error, returns null with error set describing the reason:
+ *	SEC_ERROR_UNKNOWN_ISSUER
+ *	SEC_ERROR_CERT_BAD_ACCESS_LOCATION
+ *	SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
+ *   Other errors are low-level problems (no memory, bad database, etc.).
+ */
+SECItem *
+CERT_GetEncodedOCSPResponse(PRArenaPool *arena, CERTCertList *certList,
+			    char *location, int64 time,
+			    PRBool addServiceLocator,
+			    CERTCertificate *signerCert, void *pwArg,
+			    CERTOCSPRequest **pRequest)
+{
+    CERTOCSPRequest *request = NULL;
+    SECItem *encodedRequest = NULL;
+    SECItem *encodedResponse = NULL;
+    PRFileDesc *sock = NULL;
+    SECStatus rv;
+
+    request = CERT_CreateOCSPRequest(certList, time, addServiceLocator,
+				     signerCert);
+    if (request == NULL)
+	goto loser;
+
+    rv = CERT_AddOCSPAcceptableResponses(request,
+					 SEC_OID_PKIX_OCSP_BASIC_RESPONSE);
+    if (rv != SECSuccess)
+	goto loser;
+
+    encodedRequest = CERT_EncodeOCSPRequest(NULL, request, pwArg);
+    if (encodedRequest == NULL)
+	goto loser;
+
+    sock = ocsp_SendEncodedRequest(location, encodedRequest);
+    if (sock == NULL)
+	goto loser;
+
+    encodedResponse = ocsp_GetEncodedResponse(arena, sock);
+    if (encodedResponse != NULL && pRequest != NULL) {
+	*pRequest = request;
+	request = NULL;			/* avoid destroying below */
+    }
+
+loser:
+    if (request != NULL)
+	CERT_DestroyOCSPRequest(request);
+    if (encodedRequest != NULL)
+	SECITEM_FreeItem(encodedRequest, PR_TRUE);
+    if (sock != NULL)
+	PR_Close(sock);
+
+    return encodedResponse;
+}
+
+
+/* Checks a certificate for the key usage extension of OCSP signer. */
+static PRBool
+ocsp_CertIsOCSPSigner(CERTCertificate *cert)
+{
+    SECStatus rv;
+    SECItem extItem;
+    SECItem **oids;
+    SECItem *oid;
+    SECOidTag oidTag;
+    PRBool retval;
+    CERTOidSequence *oidSeq = NULL;
+
+
+    extItem.data = NULL;
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, &extItem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    oidSeq = CERT_DecodeOidSequence(&extItem);
+    if ( oidSeq == NULL ) {
+	goto loser;
+    }
+
+    oids = oidSeq->oids;
+    while ( *oids != NULL ) {
+	oid = *oids;
+	
+	oidTag = SECOID_FindOIDTag(oid);
+	
+	if ( oidTag == SEC_OID_OCSP_RESPONDER ) {
+	    goto success;
+	}
+	
+	oids++;
+    }
+
+loser:
+    retval = PR_FALSE;
+    goto done;
+success:
+    retval = PR_TRUE;
+done:
+    if ( extItem.data != NULL ) {
+	PORT_Free(extItem.data);
+    }
+    if ( oidSeq != NULL ) {
+	CERT_DestroyOidSequence(oidSeq);
+    }
+    
+    return(retval);
+}
+
+
+#ifdef LATER	/*
+		 * XXX This function is not currently used, but will
+		 * be needed later when we do revocation checking of
+		 * the responder certificate.  Of course, it may need
+		 * revising then, if the cert extension interface has
+		 * changed.  (Hopefully it will!)
+		 */
+
+/* Checks a certificate to see if it has the OCSP no check extension. */
+static PRBool
+ocsp_CertHasNoCheckExtension(CERTCertificate *cert)
+{
+    SECStatus rv;
+    SECItem extItem;
+    
+    extItem.data = NULL;
+    rv = CERT_FindCertExtension(cert, SEC_OID_PKIX_OCSP_NO_CHECK, 
+				&extItem);
+    if (extItem.data != NULL) {
+	PORT_Free(extItem.data);
+    }
+    if (rv == SECSuccess) {
+	return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+#endif	/* LATER */
+
+static PRBool
+ocsp_matchcert(SECItem *certIndex,CERTCertificate *testCert)
+{
+    SECItem item;
+    unsigned char buf[SHA1_LENGTH]; /* MAX Hash Len */
+
+    item.data = buf;
+    item.len = SHA1_LENGTH;
+
+    if (CERT_SPKDigestValueForCert(NULL,testCert,SEC_OID_SHA1, &item) == NULL) {
+	return PR_FALSE;
+    }
+    if  (SECITEM_ItemsAreEqual(certIndex,&item)) {
+	return PR_TRUE;
+    }
+    if (CERT_SPKDigestValueForCert(NULL,testCert,SEC_OID_MD5, &item) == NULL) {
+	return PR_FALSE;
+    }
+    if  (SECITEM_ItemsAreEqual(certIndex,&item)) {
+	return PR_TRUE;
+    }
+    if (CERT_SPKDigestValueForCert(NULL,testCert,SEC_OID_MD2, &item) == NULL) {
+	return PR_FALSE;
+    }
+    if  (SECITEM_ItemsAreEqual(certIndex,&item)) {
+	return PR_TRUE;
+    }
+
+    return PR_FALSE;
+}
+
+static CERTCertificate *
+ocsp_CertGetDefaultResponder(CERTCertDBHandle *handle,CERTOCSPCertID *certID);
+
+/*
+ * Check the signature on some OCSP data.  This is a helper function that
+ * can be used to check either a request or a response.  The result is
+ * saved in the signature structure itself for future reference (to avoid
+ * repeating the expensive verification operation), as well as returned.
+ * In addition to checking the signature, the certificate (and its chain)
+ * are also checked for validity (at the specified time) and usage.
+ *
+ * The type of cert lookup to be performed is specified by "lookupByName":
+ * if true, then "certIndex" is actually a CERTName; otherwise it is a
+ * SECItem which contains a key hash.
+ *
+ * If the signature verifies okay, and the argument "pSignerCert" is not
+ * null, that parameter will be filled-in with a pointer to the signer's
+ * certificate.  The caller is then responsible for destroying the cert.
+ *
+ * A return of SECSuccess means the verification succeeded.  If not,
+ * an error will be set with the reason.  Most likely are:
+ *	SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found
+ *	SEC_ERROR_BAD_SIGNATURE - the signature did not verify
+ * Other errors are any of the many possible failures in cert verification
+ * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
+ * verifying the signer's cert, or low-level problems (no memory, etc.)
+ */
+static SECStatus
+ocsp_CheckSignature(ocspSignature *signature, void *tbs,
+		    const SEC_ASN1Template *encodeTemplate,
+		    CERTCertDBHandle *handle, SECCertUsage certUsage,
+		    int64 checkTime, PRBool lookupByName, void *certIndex,
+		    void *pwArg, CERTCertificate **pSignerCert,
+		    CERTCertificate *issuer)
+{
+    SECItem rawSignature;
+    SECItem *encodedTBS = NULL;
+    CERTCertificate *responder = NULL;
+    CERTCertificate *signerCert = NULL;
+    SECKEYPublicKey *signerKey = NULL;
+    CERTCertificate **certs = NULL;
+    SECStatus rv = SECFailure;
+    int certCount;
+    int i;
+
+    /*
+     * If this signature has already gone through verification, just
+     * return the cached result.
+     */
+    if (signature->wasChecked) {
+	if (signature->status == SECSuccess) {
+	    if (pSignerCert != NULL)
+		*pSignerCert = CERT_DupCertificate(signature->cert);
+	} else {
+	    PORT_SetError(signature->failureReason);
+	}
+	return signature->status;
+    }
+
+    /*
+     * If the signature contains some certificates as well, temporarily
+     * import them in case they are needed for verification.
+     *
+     * Note that the result of this is that each cert in "certs" needs
+     * to be destroyed.
+     */
+    certCount = 0;
+    if (signature->derCerts != NULL) {
+	for (; signature->derCerts[certCount] != NULL; certCount++) {
+	    /* just counting */
+	    /*IMPORT CERT TO SPKI TABLE */
+	}
+    }
+    rv = CERT_ImportCerts(handle, certUsage, certCount,
+			  signature->derCerts, &certs,
+			  PR_FALSE, PR_FALSE, NULL);
+    if (rv != SECSuccess)
+	goto finish;
+
+    /*
+     * Now look up the certificate that did the signing.
+     * The signer can be specified either by name or by key hash.
+     */
+    if (lookupByName) {
+	SECItem *encodedName;
+
+	encodedName = SEC_ASN1EncodeItem(NULL, NULL, certIndex,
+					 CERT_NameTemplate);
+	if (encodedName == NULL)
+	    goto finish;
+
+	signerCert = CERT_FindCertByName(handle, encodedName);
+	SECITEM_FreeItem(encodedName, PR_TRUE);
+    } else {
+	/*
+	 * The signer is either 1) a known issuer CA we passed in,
+	 * 2) the default OCSP responder, or 3) and intermediate CA
+	 * passed in the cert list to use. Figure out which it is.
+	 */
+	responder = ocsp_CertGetDefaultResponder(handle,NULL);
+	if (responder && ocsp_matchcert(certIndex,responder)) {
+	    signerCert = CERT_DupCertificate(responder);
+	} else if (issuer && ocsp_matchcert(certIndex,issuer)) {
+	    signerCert = CERT_DupCertificate(issuer);
+	} 
+	for (i=0; (signerCert == NULL) && (i < certCount); i++) {
+	    if (ocsp_matchcert(certIndex,certs[i])) {
+		signerCert = CERT_DupCertificate(certs[i]);
+	    }
+	}
+    }
+
+    if (signerCert == NULL) {
+	rv = SECFailure;
+	if (PORT_GetError() == SEC_ERROR_UNKNOWN_CERT) {
+	    /* Make the error a little more specific. */
+	    PORT_SetError(SEC_ERROR_UNKNOWN_SIGNER);
+	}
+	goto finish;
+    }
+
+    /*
+     * We could mark this true at the top of this function, or always
+     * below at "finish", but if the problem was just that we could not
+     * find the signer's cert, leave that as if the signature hasn't
+     * been checked in case a subsequent call might have better luck.
+     */
+    signature->wasChecked = PR_TRUE;
+
+    /*
+     * Just because we have a cert does not mean it is any good; check
+     * it for validity, trust and usage.
+     */
+    rv = CERT_VerifyCert(handle, signerCert, PR_TRUE, certUsage, checkTime,
+			 pwArg, NULL);
+    if (rv != SECSuccess)
+	goto finish;
+
+    /*
+     * Now get the public key from the signer's certificate; we need
+     * it to perform the verification.
+     */
+    signerKey = CERT_ExtractPublicKey(signerCert);
+    if (signerKey == NULL)
+	goto finish;
+
+    /*
+     * Prepare the data to be verified; it needs to be DER encoded first.
+     */
+    encodedTBS = SEC_ASN1EncodeItem(NULL, NULL, tbs, encodeTemplate);
+    if (encodedTBS == NULL)
+	goto finish;
+
+    /*
+     * We copy the signature data *pointer* and length, so that we can
+     * modify the length without damaging the original copy.  This is a
+     * simple copy, not a dup, so no destroy/free is necessary.
+     */
+    rawSignature = signature->signature;
+    /*
+     * The raw signature is a bit string, but we need to represent its
+     * length in bytes, because that is what the verify function expects.
+     */
+    DER_ConvertBitString(&rawSignature);
+
+    rv = VFY_VerifyData(encodedTBS->data, encodedTBS->len, signerKey,
+			&rawSignature,
+			SECOID_GetAlgorithmTag(&signature->signatureAlgorithm),
+			pwArg);
+
+finish:
+    if (signature->wasChecked)
+	signature->status = rv;
+
+    if (rv != SECSuccess) {
+	signature->failureReason = PORT_GetError();
+	if (signerCert != NULL)
+	    CERT_DestroyCertificate(signerCert);
+    } else {
+	/*
+	 * Save signer's certificate in signature.
+	 */
+	signature->cert = signerCert;
+	if (pSignerCert != NULL) {
+	    /*
+	     * Pass pointer to signer's certificate back to our caller,
+	     * who is also now responsible for destroying it.
+	     */
+	    *pSignerCert = CERT_DupCertificate(signerCert);
+	}
+    }
+
+    if (encodedTBS != NULL)
+	SECITEM_FreeItem(encodedTBS, PR_TRUE);
+
+    if (signerKey != NULL)
+	SECKEY_DestroyPublicKey(signerKey);
+
+    if (certs != NULL)
+	CERT_DestroyCertArray(certs, certCount);
+	/* Free CERTS from SPKDigest Table */
+
+    return rv;
+}
+
+
+/*
+ * FUNCTION: CERT_VerifyOCSPResponseSignature
+ *   Check the signature on an OCSP Response.  Will also perform a
+ *   verification of the signer's certificate.  Note, however, that a
+ *   successful verification does not make any statement about the
+ *   signer's *authority* to provide status for the certificate(s),
+ *   that must be checked individually for each certificate.
+ * INPUTS:
+ *   CERTOCSPResponse *response
+ *     Pointer to response structure with signature to be checked.
+ *   CERTCertDBHandle *handle
+ *     Pointer to CERTCertDBHandle for certificate DB to use for verification.
+ *   void *pwArg
+ *     Pointer to argument for password prompting, if needed.
+ * OUTPUTS:
+ *   CERTCertificate **pSignerCert
+ *     Pointer in which to store signer's certificate; only filled-in if
+ *     non-null.
+ * RETURN:
+ *   Returns SECSuccess when signature is valid, anything else means invalid.
+ *   Possible errors set:
+ *	SEC_ERROR_OCSP_MALFORMED_RESPONSE - unknown type of ResponderID
+ *	SEC_ERROR_INVALID_TIME - bad format of "ProducedAt" time
+ *	SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found
+ *	SEC_ERROR_BAD_SIGNATURE - the signature did not verify
+ *   Other errors are any of the many possible failures in cert verification
+ *   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
+ *   verifying the signer's cert, or low-level problems (no memory, etc.)
+ */
+SECStatus
+CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,	
+				 CERTCertDBHandle *handle, void *pwArg,
+				 CERTCertificate **pSignerCert,
+				 CERTCertificate *issuer)
+{
+    ocspResponseData *tbsData;		/* this is what is signed */
+    PRBool byName;
+    void *certIndex;
+    int64 producedAt;
+    SECStatus rv;
+
+    tbsData = ocsp_GetResponseData(response);
+
+    PORT_Assert(tbsData->responderID != NULL);
+    switch (tbsData->responderID->responderIDType) {
+      case ocspResponderID_byName:
+	byName = PR_TRUE;
+	certIndex = &tbsData->responderID->responderIDValue.name;
+	break;
+      case ocspResponderID_byKey:
+	byName = PR_FALSE;
+	certIndex = &tbsData->responderID->responderIDValue.keyHash;
+	break;
+      case ocspResponderID_other:
+      default:
+	PORT_Assert(0);
+	PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+	return SECFailure;
+    }
+
+    /*
+     * ocsp_CheckSignature will also verify the signer certificate; we
+     * need to tell it *when* that certificate must be valid -- for our
+     * purposes we expect it to be valid when the response was signed.
+     * The value of "producedAt" is the signing time.
+     */
+    rv = DER_GeneralizedTimeToTime(&producedAt, &tbsData->producedAt);
+    if (rv != SECSuccess)
+	return rv;
+
+    return ocsp_CheckSignature(ocsp_GetResponseSignature(response),
+			       tbsData, ocsp_ResponseDataTemplate,
+			       handle, certUsageStatusResponder, producedAt,
+			       byName, certIndex, pwArg, pSignerCert, issuer);
+}
+
+/*
+ * See if two certIDs match.  This can be easy or difficult, depending
+ * on whether the same hash algorithm was used.
+ */
+static PRBool
+ocsp_CertIDsMatch(CERTCertDBHandle *handle,
+		  CERTOCSPCertID *certID1, CERTOCSPCertID *certID2)
+{
+    PRBool match = PR_FALSE;
+    SECItem *foundHash = NULL;
+    SECOidTag hashAlg;
+    SECItem *keyHash = NULL;
+    SECItem *nameHash = NULL;
+
+    /*
+     * In order to match, they must have the same issuer and the same
+     * serial number.
+     *
+     * We just compare the easier things first.
+     */
+    if (SECITEM_CompareItem(&certID1->serialNumber,
+			    &certID2->serialNumber) != SECEqual) {
+	goto done;
+    }
+
+    if (SECOID_CompareAlgorithmID(&certID1->hashAlgorithm,
+				  &certID2->hashAlgorithm) == SECEqual) {
+	/*
+	 * If the hash algorithms match then we can do a simple compare
+	 * of the hash values themselves.
+	 */
+	if ((SECITEM_CompareItem(&certID1->issuerNameHash,
+				 &certID2->issuerNameHash) == SECEqual)
+	    && (SECITEM_CompareItem(&certID1->issuerKeyHash,
+				    &certID2->issuerKeyHash) == SECEqual)) {
+	    match = PR_TRUE;
+	}
+	goto done;
+    }
+
+    hashAlg = SECOID_FindOIDTag(&certID2->hashAlgorithm.algorithm);
+    switch (hashAlg) {
+    case SEC_OID_SHA1:
+	keyHash = &certID1->issuerSHA1KeyHash;
+	nameHash = &certID1->issuerSHA1NameHash;
+	break;
+    case SEC_OID_MD5:
+	keyHash = &certID1->issuerMD5KeyHash;
+	nameHash = &certID1->issuerMD5NameHash;
+	break;
+    case SEC_OID_MD2:
+	keyHash = &certID1->issuerMD2KeyHash;
+	nameHash = &certID1->issuerMD2NameHash;
+	break;
+    default:
+	foundHash = NULL;
+	break;
+    }
+
+    if (foundHash == NULL) {
+	goto done;
+    }
+    PORT_Assert(keyHash && nameHash);
+
+    if ((SECITEM_CompareItem(nameHash, &certID2->issuerNameHash) == SECEqual)
+      && (SECITEM_CompareItem(keyHash, &certID2->issuerKeyHash) == SECEqual)) {
+	match = PR_TRUE;
+    }
+
+done:
+    return match;
+}
+
+/*
+ * Find the single response for the cert specified by certID.
+ * No copying is done; this just returns a pointer to the appropriate
+ * response within responses, if it is found (and null otherwise).
+ * This is fine, of course, since this function is internal-use only.
+ */
+static CERTOCSPSingleResponse *
+ocsp_GetSingleResponseForCertID(CERTOCSPSingleResponse **responses,
+				CERTCertDBHandle *handle,
+				CERTOCSPCertID *certID)
+{
+    CERTOCSPSingleResponse *single;
+    int i;
+
+    if (responses == NULL)
+	return NULL;
+
+    for (i = 0; responses[i] != NULL; i++) {
+	single = responses[i];
+	if (ocsp_CertIDsMatch(handle, certID, single->certID) == PR_TRUE) {
+	    return single;
+	}
+    }
+
+    /*
+     * The OCSP server should have included a response even if it knew
+     * nothing about the certificate in question.  Since it did not,
+     * this will make it look as if it had.
+     * 
+     * XXX Should we make this a separate error to notice the server's
+     * bad behavior?
+     */
+    PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_CERT);
+    return NULL;
+}
+
+static ocspCheckingContext *
+ocsp_GetCheckingContext(CERTCertDBHandle *handle)
+{
+    CERTStatusConfig *statusConfig;
+    ocspCheckingContext *ocspcx = NULL;
+
+    statusConfig = CERT_GetStatusConfig(handle);
+    if (statusConfig != NULL) {
+	ocspcx = statusConfig->statusContext;
+
+	/*
+	 * This is actually an internal error, because we should never
+	 * have a good statusConfig without a good statusContext, too.
+	 * For lack of anything better, though, we just assert and use
+	 * the same error as if there were no statusConfig (set below).
+	 */
+	PORT_Assert(ocspcx != NULL);
+    }
+
+    if (ocspcx == NULL)
+	PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED);
+
+    return ocspcx;
+}
+/*
+ * Return true if the given signerCert is the default responder for
+ * the given certID.  If not, or if any error, return false.
+ */
+static CERTCertificate *
+ocsp_CertGetDefaultResponder(CERTCertDBHandle *handle,CERTOCSPCertID *certID)
+{
+    ocspCheckingContext *ocspcx;
+
+    ocspcx = ocsp_GetCheckingContext(handle);
+    if (ocspcx == NULL)
+	goto loser;
+
+   /*
+    * Right now we have only one default responder.  It applies to
+    * all certs when it is used, so the check is simple and certID
+    * has no bearing on the answer.  Someday in the future we may
+    * allow configuration of different responders for different
+    * issuers, and then we would have to use the issuer specified
+    * in certID to determine if signerCert is the right one.
+    */
+    if (ocspcx->useDefaultResponder) {
+	PORT_Assert(ocspcx->defaultResponderCert != NULL);
+	return ocspcx->defaultResponderCert;
+    }
+
+loser:
+    return NULL;
+}
+
+/*
+ * Return true if the given signerCert is the default responder for
+ * the given certID.  If not, or if any error, return false.
+ */
+static PRBool
+ocsp_CertIsDefaultResponderForCertID(CERTCertDBHandle *handle,
+				     CERTCertificate *signerCert,
+				     CERTOCSPCertID *certID)
+{
+    CERTCertificate *defaultResponderCert;
+
+    defaultResponderCert = ocsp_CertGetDefaultResponder(handle, certID);
+    return (PRBool) (defaultResponderCert == signerCert);
+}
+
+/*
+ * Check that the given signer certificate is authorized to sign status
+ * information for the given certID.  Return true if it is, false if not
+ * (or if there is any error along the way).  If false is returned because
+ * the signer is not authorized, the following error will be set:
+ *	SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
+ * Other errors are low-level problems (no memory, bad database, etc.).
+ *
+ * There are three ways to be authorized.  In the order in which we check,
+ * using the terms used in the OCSP spec, the signer must be one of:
+ *  1.  A "trusted responder" -- it matches a local configuration
+ *      of OCSP signing authority for the certificate in question.
+ *  2.  The CA who issued the certificate in question.
+ *  3.  A "CA designated responder", aka an "authorized responder" -- it
+ *      must be represented by a special cert issued by the CA who issued
+ *      the certificate in question.
+ */
+static PRBool
+ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle,
+				  CERTCertificate *signerCert,
+				  CERTOCSPCertID *certID,
+				  int64 thisUpdate)
+{
+    CERTCertificate *issuerCert = NULL;
+    SECItem *issuerKeyHash = NULL;
+    SECOidTag hashAlg;
+    PRBool okay = PR_FALSE;
+
+    /*
+     * Check first for a trusted responder, which overrides everything else.
+     */
+    if (ocsp_CertIsDefaultResponderForCertID(handle, signerCert, certID))
+	return PR_TRUE;
+
+    /*
+     * In the other two cases, we need to do an issuer comparison.
+     * How we do it depends on whether the signer certificate has the
+     * special extension (for a designated responder) or not.
+     */
+
+    if (ocsp_CertIsOCSPSigner(signerCert)) {
+	/*
+	 * The signer is a designated responder.  Its issuer must match
+	 * the issuer of the cert being checked.
+	 */
+	issuerCert = CERT_FindCertIssuer(signerCert, thisUpdate,
+					 certUsageAnyCA);
+	if (issuerCert == NULL) {
+	    /*
+	     * We could leave the SEC_ERROR_UNKNOWN_ISSUER error alone,
+	     * but the following will give slightly more information.
+	     * Once we have an error stack, things will be much better.
+	     */
+	    PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE);
+	    goto loser;
+	}
+    } else {
+	/*
+	 * The signer must *be* the issuer of the cert being checked.
+	 */
+	issuerCert = signerCert;
+    }
+
+    hashAlg = SECOID_FindOIDTag(&certID->hashAlgorithm.algorithm);
+    issuerKeyHash = CERT_SPKDigestValueForCert(NULL, issuerCert, hashAlg, NULL);
+    if (issuerKeyHash == NULL)
+	goto loser;
+
+    if (SECITEM_CompareItem(issuerKeyHash,
+			    &certID->issuerKeyHash) != SECEqual) {
+	PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE);
+	goto loser;
+    }
+
+    okay = PR_TRUE;
+
+loser:
+    if (issuerKeyHash != NULL)
+	SECITEM_FreeItem(issuerKeyHash, PR_TRUE);
+
+    if (issuerCert != NULL && issuerCert != signerCert)
+	CERT_DestroyCertificate(issuerCert);
+
+    return okay;
+}
+
+/*
+ * We need to check that a responder gives us "recent" information.
+ * Since a responder can pre-package responses, we need to pick an amount
+ * of time that is acceptable to us, and reject any response that is
+ * older than that.
+ *
+ * XXX This *should* be based on some configuration parameter, so that
+ * different usages could specify exactly what constitutes "sufficiently
+ * recent".  But that is not going to happen right away.  For now, we
+ * want something from within the last 24 hours.  This macro defines that
+ * number in seconds.
+ */
+#define OCSP_ALLOWABLE_LAPSE_SECONDS	(24L * 60L * 60L)
+
+static PRBool
+ocsp_TimeIsRecent(int64 checkTime)
+{
+    int64 now = PR_Now();
+    int64 lapse, tmp;
+
+    LL_I2L(lapse, OCSP_ALLOWABLE_LAPSE_SECONDS);
+    LL_I2L(tmp, PR_USEC_PER_SEC);
+    LL_MUL(lapse, lapse, tmp);		/* allowable lapse in microseconds */
+
+    LL_ADD(checkTime, checkTime, lapse);
+    if (LL_CMP(now, >, checkTime))
+	return PR_FALSE;
+
+    return PR_TRUE;
+}
+
+/*
+ * Check that this single response is okay.  A return of SECSuccess means:
+ *   1. The signer (represented by "signerCert") is authorized to give status
+ *	for the cert represented by the individual response in "single".
+ *   2. The value of thisUpdate is earlier than now.
+ *   3. The value of producedAt is later than or the same as thisUpdate.
+ *   4. If nextUpdate is given:
+ *	- The value of nextUpdate is later than now.
+ *	- The value of producedAt is earlier than nextUpdate.
+ *	Else if no nextUpdate:
+ *	- The value of thisUpdate is fairly recent.
+ *	- The value of producedAt is fairly recent.
+ *	However we do not need to perform an explicit check for this last
+ *	constraint because it is already guaranteed by checking that
+ *	producedAt is later than thisUpdate and thisUpdate is recent.
+ * Oh, and any responder is "authorized" to say that a cert is unknown to it.
+ *
+ * If any of those checks fail, SECFailure is returned and an error is set:
+ *	SEC_ERROR_OCSP_FUTURE_RESPONSE
+ *	SEC_ERROR_OCSP_OLD_RESPONSE
+ *	SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
+ * Other errors are low-level problems (no memory, bad database, etc.).
+ */ 
+static SECStatus
+ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single,
+			  CERTCertDBHandle *handle,
+			  CERTCertificate *signerCert,
+			  int64 producedAt)
+{
+    CERTOCSPCertID *certID = single->certID;
+    int64 now, thisUpdate, nextUpdate;
+    SECStatus rv;
+
+    /*
+     * If all the responder said was that the given cert was unknown to it,
+     * that is a valid response.  Not very interesting to us, of course,
+     * but all this function is concerned with is validity of the response,
+     * not the status of the cert.
+     */
+    PORT_Assert(single->certStatus != NULL);
+    if (single->certStatus->certStatusType == ocspCertStatus_unknown)
+	return SECSuccess;
+
+    /*
+     * We need to extract "thisUpdate" for use below and to pass along
+     * to AuthorizedResponderForCertID in case it needs it for doing an
+     * issuer look-up.
+     */
+    rv = DER_GeneralizedTimeToTime(&thisUpdate, &single->thisUpdate);
+    if (rv != SECSuccess)
+	return rv;
+
+    /*
+     * First confirm that signerCert is authorized to give this status.
+     */
+    if (ocsp_AuthorizedResponderForCertID(handle, signerCert, certID,
+					  thisUpdate) != PR_TRUE)
+	return SECFailure;
+
+    /*
+     * Now check the time stuff, as described above.
+     */
+    now = PR_Now();
+    if (LL_CMP(thisUpdate, >, now) || LL_CMP(producedAt, <, thisUpdate)) {
+	PORT_SetError(SEC_ERROR_OCSP_FUTURE_RESPONSE);
+	return SECFailure;
+    }
+    if (single->nextUpdate != NULL) {
+	rv = DER_GeneralizedTimeToTime(&nextUpdate, single->nextUpdate);
+	if (rv != SECSuccess)
+	    return rv;
+
+	if (LL_CMP(nextUpdate, <, now) || LL_CMP(producedAt, >, nextUpdate)) {
+	    PORT_SetError(SEC_ERROR_OCSP_OLD_RESPONSE);
+	    return SECFailure;
+	}
+    } else if (ocsp_TimeIsRecent(thisUpdate) != PR_TRUE) {
+	PORT_SetError(SEC_ERROR_OCSP_OLD_RESPONSE);
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+
+/*
+ * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation
+ *   Get the value of the URI of the OCSP responder for the given cert.
+ *   This is found in the (optional) Authority Information Access extension
+ *   in the cert.
+ * INPUTS:
+ *   CERTCertificate *cert
+ *     The certificate being examined.
+ * RETURN:
+ *   char *
+ *     A copy of the URI for the OCSP method, if found.  If either the
+ *     extension is not present or it does not contain an entry for OCSP,
+ *     SEC_ERROR_EXTENSION_NOT_FOUND will be set and a NULL returned.
+ *     Any other error will also result in a NULL being returned.
+ *     
+ *     This result should be freed (via PORT_Free) when no longer in use.
+ */
+char *
+CERT_GetOCSPAuthorityInfoAccessLocation(CERTCertificate *cert)
+{
+    CERTGeneralName *locname = NULL;
+    SECItem *location = NULL;
+    SECItem *encodedAuthInfoAccess = NULL;
+    CERTAuthInfoAccess **authInfoAccess = NULL;
+    char *locURI = NULL;
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    int i;
+
+    /*
+     * Allocate this one from the heap because it will get filled in
+     * by CERT_FindCertExtension which will also allocate from the heap,
+     * and we can free the entire thing on our way out.
+     */
+    encodedAuthInfoAccess = SECITEM_AllocItem(NULL, NULL, 0);
+    if (encodedAuthInfoAccess == NULL)
+	goto loser;
+
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS,
+				encodedAuthInfoAccess);
+    if (rv == SECFailure)
+	goto loser;
+
+    /*
+     * The rest of the things allocated in the routine will come out of
+     * this arena, which is temporary just for us to decode and get at the
+     * AIA extension.  The whole thing will be destroyed on our way out,
+     * after we have copied the location string (url) itself (if found).
+     */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL)
+	goto loser;
+
+    authInfoAccess = cert_DecodeAuthInfoAccessExtension(arena,
+							encodedAuthInfoAccess);
+    if (authInfoAccess == NULL)
+	goto loser;
+
+    for (i = 0; authInfoAccess[i] != NULL; i++) {
+	if (SECOID_FindOIDTag(&authInfoAccess[i]->method) == SEC_OID_PKIX_OCSP)
+	    locname = authInfoAccess[i]->location;
+    }
+
+    /*
+     * If we found an AIA extension, but it did not include an OCSP method,
+     * that should look to our caller as if we did not find the extension
+     * at all, because it is only an OCSP method that we care about.
+     * So set the same error that would be set if the AIA extension was
+     * not there at all.
+     */
+    if (locname == NULL) {
+	PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
+	goto loser;
+    }
+
+    /*
+     * The following is just a pointer back into locname (i.e. not a copy);
+     * thus it should not be freed.
+     */
+    location = CERT_GetGeneralNameByType(locname, certURI, PR_FALSE);
+    if (location == NULL) {
+	/*
+	 * XXX Appears that CERT_GetGeneralNameByType does not set an
+	 * error if there is no name by that type.  For lack of anything
+	 * better, act as if the extension was not found.  In the future
+	 * this should probably be something more like the extension was
+	 * badly formed.
+	 */
+	PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
+	goto loser;
+    }
+
+    /*
+     * That location is really a string, but it has a specified length
+     * without a null-terminator.  We need a real string that does have
+     * a null-terminator, and we need a copy of it anyway to return to
+     * our caller -- so allocate and copy.
+     */
+    locURI = PORT_Alloc(location->len + 1);
+    if (locURI == NULL) {
+	goto loser;
+    }
+    PORT_Memcpy(locURI, location->data, location->len);
+    locURI[location->len] = '\0';
+
+loser:
+    if (arena != NULL)
+	PORT_FreeArena(arena, PR_FALSE);
+
+    if (encodedAuthInfoAccess != NULL)
+	SECITEM_FreeItem(encodedAuthInfoAccess, PR_TRUE);
+
+    return locURI;
+}
+
+
+/*
+ * Figure out where we should go to find out the status of the given cert
+ * via OCSP.  If a default responder is set up, that is our answer.
+ * If not, see if the certificate has an Authority Information Access (AIA)
+ * extension for OCSP, and return the value of that.  Otherwise return NULL.
+ * We also let our caller know whether or not the responder chosen was
+ * a default responder or not through the output variable isDefault;
+ * its value has no meaning unless a good (non-null) value is returned
+ * for the location.
+ *
+ * The result needs to be freed (PORT_Free) when no longer in use.
+ */
+static char *
+ocsp_GetResponderLocation(CERTCertDBHandle *handle, CERTCertificate *cert,
+			  PRBool *isDefault)
+{
+    ocspCheckingContext *ocspcx;
+
+    ocspcx = ocsp_GetCheckingContext(handle);
+    if (ocspcx != NULL && ocspcx->useDefaultResponder) {
+	/*
+	 * A default responder wins out, if specified.
+	 * XXX Someday this may be a more complicated determination based
+	 * on the cert's issuer.  (That is, we could have different default
+	 * responders configured for different issuers.)
+	 */
+	PORT_Assert(ocspcx->defaultResponderURI != NULL);
+	*isDefault = PR_TRUE;
+	return (PORT_Strdup(ocspcx->defaultResponderURI));
+    }
+
+    /*
+     * No default responder set up, so go see if we can find an AIA
+     * extension that has a value for OCSP, and get the url from that.
+     */
+    *isDefault = PR_FALSE;
+    return CERT_GetOCSPAuthorityInfoAccessLocation(cert);
+}
+
+/*
+ * Return SECSuccess if the cert was revoked *after* "time",
+ * SECFailure otherwise.
+ */
+static SECStatus
+ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, int64 time)
+{
+    int64 revokedTime;
+    SECStatus rv;
+
+    rv = DER_GeneralizedTimeToTime(&revokedTime, &revokedInfo->revocationTime);
+    if (rv != SECSuccess)
+	return rv;
+
+    /*
+     * Set the error even if we will return success; someone might care.
+     */
+    PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
+
+    if (LL_CMP(revokedTime, >, time))
+	return SECSuccess;
+
+    return SECFailure;
+}
+
+/*
+ * See if the cert represented in the single response had a good status
+ * at the specified time.
+ */
+static SECStatus
+ocsp_CertHasGoodStatus(CERTOCSPSingleResponse *single, int64 time)
+{
+    ocspCertStatus *status;
+    SECStatus rv;
+
+    status = single->certStatus;
+
+    switch (status->certStatusType) {
+      case ocspCertStatus_good:
+	rv = SECSuccess;
+	break;
+      case ocspCertStatus_revoked:
+	rv = ocsp_CertRevokedAfter(status->certStatusInfo.revokedInfo, time);
+	break;
+      case ocspCertStatus_unknown:
+	PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_CERT);
+	rv = SECFailure;
+	break;
+      case ocspCertStatus_other:
+      default:
+	PORT_Assert(0);
+	PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
+	rv = SECFailure;
+	break;
+    }
+
+    return rv;
+}
+
+
+/*
+ * FUNCTION: CERT_CheckOCSPStatus
+ *   Checks the status of a certificate via OCSP.  Will only check status for
+ *   a certificate that has an AIA (Authority Information Access) extension
+ *   for OCSP *or* when a "default responder" is specified and enabled.
+ *   (If no AIA extension for OCSP and no default responder in place, the
+ *   cert is considered to have a good status and SECSuccess is returned.)
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     certificate DB of the cert that is being checked
+ *   CERTCertificate *cert
+ *     the certificate being checked
+ *   XXX in the long term also need a boolean parameter that specifies
+ *	whether to check the cert chain, as well; for now we check only
+ *	the leaf (the specified certificate)
+ *   int64 time
+ *     time for which status is to be determined
+ *   void *pwArg
+ *     argument for password prompting, if needed
+ * RETURN:
+ *   Returns SECSuccess if an approved OCSP responder "knows" the cert
+ *   *and* returns a non-revoked status for it; SECFailure otherwise,
+ *   with an error set describing the reason:
+ *
+ *	SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
+ *	SEC_ERROR_OCSP_FUTURE_RESPONSE
+ *	SEC_ERROR_OCSP_MALFORMED_REQUEST
+ *	SEC_ERROR_OCSP_MALFORMED_RESPONSE
+ *	SEC_ERROR_OCSP_OLD_RESPONSE
+ *	SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
+ *	SEC_ERROR_OCSP_SERVER_ERROR
+ *	SEC_ERROR_OCSP_TRY_SERVER_LATER
+ *	SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
+ *	SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
+ *	SEC_ERROR_OCSP_UNKNOWN_CERT
+ *	SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
+ *	SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE
+ *
+ *	SEC_ERROR_BAD_SIGNATURE
+ *	SEC_ERROR_CERT_BAD_ACCESS_LOCATION
+ *	SEC_ERROR_INVALID_TIME
+ *	SEC_ERROR_REVOKED_CERTIFICATE
+ *	SEC_ERROR_UNKNOWN_ISSUER
+ *	SEC_ERROR_UNKNOWN_SIGNER
+ *
+ *   Other errors are any of the many possible failures in cert verification
+ *   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
+ *   verifying the signer's cert, or low-level problems (error allocating
+ *   memory, error performing ASN.1 decoding, etc.).
+ */    
+SECStatus 
+CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
+		     int64 time, void *pwArg)
+{
+    char *location = NULL;
+    PRBool locationIsDefault;
+    CERTCertList *certList = NULL;
+    SECItem *encodedResponse = NULL;
+    CERTOCSPRequest *request = NULL;
+    CERTOCSPResponse *response = NULL;
+    CERTCertificate *signerCert = NULL;
+    CERTCertificate *issuerCert = NULL;
+    ocspResponseData *responseData;
+    int64 producedAt;
+    CERTOCSPCertID *certID;
+    CERTOCSPSingleResponse *single;
+    SECStatus rv = SECFailure;
+
+
+    /*
+     * The first thing we need to do is find the location of the responder.
+     * This will be the value of the default responder (if enabled), else
+     * it will come out of the AIA extension in the cert (if present).
+     * If we have no such location, then this cert does not "deserve" to
+     * be checked -- that is, we consider it a success and just return.
+     * The way we tell that is by looking at the error number to see if
+     * the problem was no AIA extension was found; any other error was
+     * a true failure that we unfortunately have to treat as an overall
+     * failure here.
+     */
+    location = ocsp_GetResponderLocation(handle, cert, &locationIsDefault);
+    if (location == NULL) {
+	if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND)
+	    return SECSuccess;
+	else
+	    return SECFailure;
+    }
+
+    /*
+     * For now, create a cert-list of one.
+     * XXX In the fullness of time, we will want/need to handle a
+     * certificate chain.  This will be done either when a new parameter
+     * tells us to, or some configuration variable tells us to.  In any
+     * case, handling it is complicated because we may need to send as
+     * many requests (and receive as many responses) as we have certs
+     * in the chain.  If we are going to talk to a default responder,
+     * and we only support one default responder, we can put all of the
+     * certs together into one request.  Otherwise, we must break them up
+     * into multiple requests.  (Even if all of the requests will go to
+     * the same location, the signature on each response will be different,
+     * because each issuer is different.  Carefully read the OCSP spec
+     * if you do not understand this.)
+     */
+
+    certList = CERT_NewCertList();
+    if (certList == NULL)
+	goto loser;
+
+    /* dup it because freeing the list will destroy the cert, too */
+    cert = CERT_DupCertificate(cert);
+    if (cert == NULL)
+	goto loser;
+
+    if (CERT_AddCertToListTail(certList, cert) != SECSuccess) {
+	CERT_DestroyCertificate(cert);
+	goto loser;
+    }
+
+    /*
+     * XXX If/when signing of requests is supported, that second NULL
+     * should be changed to be the signer certificate.  Not sure if that
+     * should be passed into this function or retrieved via some operation
+     * on the handle/context.
+     */
+    encodedResponse = CERT_GetEncodedOCSPResponse(NULL, certList, location,
+						  time, locationIsDefault,
+						  NULL, pwArg, &request);
+    if (encodedResponse == NULL) {
+	goto loser;
+    }
+
+    response = CERT_DecodeOCSPResponse(encodedResponse);
+    if (response == NULL) {
+	goto loser;
+    }
+
+    /*
+     * Okay, we at least have a response that *looks* like a response!
+     * Now see if the overall response status value is good or not.
+     * If not, we set an error and give up.  (It means that either the
+     * server had a problem, or it didn't like something about our
+     * request.  Either way there is nothing to do but give up.)
+     * Otherwise, we continue to find the actual per-cert status
+     * in the response.
+     */
+    switch (response->statusValue) {
+      case ocspResponse_successful:
+	break;
+      case ocspResponse_malformedRequest:
+	PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST);
+	goto loser;
+      case ocspResponse_internalError:
+	PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR);
+	goto loser;
+      case ocspResponse_tryLater:
+	PORT_SetError(SEC_ERROR_OCSP_TRY_SERVER_LATER);
+	goto loser;
+      case ocspResponse_sigRequired:
+	/* XXX We *should* retry with a signature, if possible. */
+	PORT_SetError(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG);
+	goto loser;
+      case ocspResponse_unauthorized:
+	PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST);
+	goto loser;
+      case ocspResponse_other:
+      case ocspResponse_unused:
+      default:
+	PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS);
+	goto loser;
+    }
+
+    /*
+     * If we've made it this far, we expect a response with a good signature.
+     * So, check for that.
+     */
+    issuerCert = CERT_FindCertIssuer(cert, time, certUsageAnyCA);
+    rv = CERT_VerifyOCSPResponseSignature(response, handle, pwArg, &signerCert,
+			issuerCert);
+    if (rv != SECSuccess)
+	goto loser;
+
+    PORT_Assert(signerCert != NULL);	/* internal consistency check */
+    /* XXX probably should set error, return failure if signerCert is null */
+
+    /*
+     * The ResponseData part is the real guts of the response.
+     */
+    responseData = ocsp_GetResponseData(response);
+    if (responseData == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    /*
+     * There is one producedAt time for the entire response (and a separate
+     * thisUpdate time for each individual single response).  We need to
+     * compare them, so get the overall time to pass into the check of each
+     * single response.
+     */
+    rv = DER_GeneralizedTimeToTime(&producedAt, &responseData->producedAt);
+    if (rv != SECSuccess)
+	goto loser;
+
+    /*
+     * Again, we are only doing one request for one cert.
+     * XXX When we handle cert chains, the following code will obviously
+     * have to be modified, in coordation with the code above that will
+     * have to determine how to make multiple requests, etc.  It will need
+     * to loop, and for each certID in the request, find the matching
+     * single response and check the status specified by it.
+     *
+     * We are helped here in that we know that the requests are made with
+     * the request list in the same order as the order of the certs we hand
+     * to it.  This is why I can directly access the first member of the
+     * single request array for the one cert I care about.
+     */
+
+    certID = request->tbsRequest->requestList[0]->reqCert;
+    single = ocsp_GetSingleResponseForCertID(responseData->responses,
+					     handle, certID);
+    if (single == NULL)
+	goto loser;
+
+    rv = ocsp_VerifySingleResponse(single, handle, signerCert, producedAt);
+    if (rv != SECSuccess)
+	goto loser;
+
+    /*
+     * Okay, the last step is to check whether the status says revoked,
+     * and if so how that compares to the time value passed into this routine.
+     */
+
+    rv = ocsp_CertHasGoodStatus(single, time);
+
+loser:
+    if (issuerCert != NULL)
+	CERT_DestroyCertificate(issuerCert);
+    if (signerCert != NULL)
+	CERT_DestroyCertificate(signerCert);
+    if (response != NULL)
+	CERT_DestroyOCSPResponse(response);
+    if (request != NULL)
+	CERT_DestroyOCSPRequest(request);
+    if (encodedResponse != NULL)
+	SECITEM_FreeItem(encodedResponse, PR_TRUE);
+    if (certList != NULL)
+	CERT_DestroyCertList(certList);
+    if (location != NULL)
+	PORT_Free(location);
+
+    return rv;
+}
+
+
+/*
+ * Disable status checking and destroy related structures/data.
+ */
+static SECStatus
+ocsp_DestroyStatusChecking(CERTStatusConfig *statusConfig)
+{
+    ocspCheckingContext *statusContext;
+
+    /*
+     * Disable OCSP checking
+     */
+    statusConfig->statusChecker = NULL;
+
+    statusContext = statusConfig->statusContext;
+    PORT_Assert(statusContext != NULL);
+    if (statusContext == NULL)
+	return SECFailure;
+
+    if (statusContext->defaultResponderURI != NULL)
+	PORT_Free(statusContext->defaultResponderURI);
+    if (statusContext->defaultResponderNickname != NULL)
+	PORT_Free(statusContext->defaultResponderNickname);
+
+    PORT_Free(statusContext);
+    statusConfig->statusContext = NULL;
+
+    PORT_Free(statusConfig);
+
+    return SECSuccess;
+}
+
+
+/*
+ * FUNCTION: CERT_DisableOCSPChecking
+ *   Turns off OCSP checking for the given certificate database.
+ *   This routine disables OCSP checking.  Though it will return
+ *   SECFailure if OCSP checking is not enabled, it is "safe" to
+ *   call it that way and just ignore the return value, if it is
+ *   easier to just call it than to "remember" whether it is enabled.
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Certificate database for which OCSP checking will be disabled.
+ * RETURN:
+ *   Returns SECFailure if an error occurred (usually means that OCSP
+ *   checking was not enabled or status contexts were not initialized --
+ *   error set will be SEC_ERROR_OCSP_NOT_ENABLED); SECSuccess otherwise.
+ */
+SECStatus
+CERT_DisableOCSPChecking(CERTCertDBHandle *handle)
+{
+    CERTStatusConfig *statusConfig;
+    ocspCheckingContext *statusContext;
+
+    if (handle == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    statusConfig = CERT_GetStatusConfig(handle);
+    statusContext = ocsp_GetCheckingContext(handle);
+    if (statusContext == NULL)
+	return SECFailure;
+
+    if (statusConfig->statusChecker != CERT_CheckOCSPStatus) {
+	/*
+	 * Status configuration is present, but either not currently
+	 * enabled or not for OCSP.
+	 */
+	PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED);
+	return SECFailure;
+    }
+
+    /*
+     * This is how we disable status checking.  Everything else remains
+     * in place in case we are enabled again.
+     */
+    statusConfig->statusChecker = NULL;
+
+    return SECSuccess;
+}
+
+/*
+ * Allocate and initialize the informational structures for status checking.
+ * This is done when some configuration of OCSP is being done or when OCSP
+ * checking is being turned on, whichever comes first.
+ */
+static SECStatus
+ocsp_InitStatusChecking(CERTCertDBHandle *handle)
+{
+    CERTStatusConfig *statusConfig = NULL;
+    ocspCheckingContext *statusContext = NULL;
+
+    PORT_Assert(CERT_GetStatusConfig(handle) == NULL);
+    if (CERT_GetStatusConfig(handle) != NULL) {
+	/* XXX or call statusConfig->statusDestroy and continue? */
+	return SECFailure;
+    }
+
+    statusConfig = PORT_ZNew(CERTStatusConfig);
+    if (statusConfig == NULL)
+	goto loser;
+
+    statusContext = PORT_ZNew(ocspCheckingContext);
+    if (statusContext == NULL)
+	goto loser;
+
+    statusConfig->statusDestroy = ocsp_DestroyStatusChecking;
+    statusConfig->statusContext = statusContext;
+
+    CERT_SetStatusConfig(handle, statusConfig);
+
+    return SECSuccess;
+
+loser:
+    if (statusContext != NULL)
+	PORT_Free(statusContext);
+    if (statusConfig != NULL)
+	PORT_Free(statusConfig);
+    return SECFailure;
+}
+
+
+/*
+ * FUNCTION: CERT_EnableOCSPChecking
+ *   Turns on OCSP checking for the given certificate database.
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Certificate database for which OCSP checking will be enabled.
+ * RETURN:
+ *   Returns SECFailure if an error occurred (likely only problem
+ *   allocating memory); SECSuccess otherwise.
+ */
+SECStatus
+CERT_EnableOCSPChecking(CERTCertDBHandle *handle)
+{
+    CERTStatusConfig *statusConfig;
+    
+    SECStatus rv;
+
+    if (handle == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    statusConfig = CERT_GetStatusConfig(handle);
+    if (statusConfig == NULL) {
+	rv = ocsp_InitStatusChecking(handle);
+	if (rv != SECSuccess)
+	    return rv;
+
+	/* Get newly established value */
+	statusConfig = CERT_GetStatusConfig(handle);
+	PORT_Assert(statusConfig != NULL);
+    }
+
+    /*
+     * Setting the checker function is what really enables the checking
+     * when each cert verification is done.
+     */
+    statusConfig->statusChecker = CERT_CheckOCSPStatus;
+
+    return SECSuccess;
+}
+
+
+/*
+ * FUNCTION: CERT_SetOCSPDefaultResponder
+ *   Specify the location and cert of the default responder.
+ *   If OCSP checking is already enabled *and* use of a default responder
+ *   is also already enabled, all OCSP checking from now on will go directly
+ *   to the specified responder.  If OCSP checking is not enabled, or if
+ *   it is but use of a default responder is not enabled, the information
+ *   will be recorded and take effect whenever both are enabled.
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Cert database on which OCSP checking should use the default responder.
+ *   char *url
+ *     The location of the default responder (e.g. "http://foo.com:80/ocsp")
+ *     Note that the location will not be tested until the first attempt
+ *     to send a request there.
+ *   char *name
+ *     The nickname of the cert to trust (expected) to sign the OCSP responses.
+ *     If the corresponding cert cannot be found, SECFailure is returned.
+ * RETURN:
+ *   Returns SECFailure if an error occurred; SECSuccess otherwise.
+ *   The most likely error is that the cert for "name" could not be found
+ *   (probably SEC_ERROR_UNKNOWN_CERT).  Other errors are low-level (no memory,
+ *   bad database, etc.).
+ */
+SECStatus
+CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
+			     const char *url, const char *name)
+{
+    CERTCertificate *cert;
+    ocspCheckingContext *statusContext;
+    char *url_copy = NULL;
+    char *name_copy = NULL;
+    SECStatus rv;
+
+    if (handle == NULL || url == NULL || name == NULL) {
+	/*
+	 * XXX When interface is exported, probably want better errors;
+	 * perhaps different one for each parameter.
+	 */
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    /*
+     * Find the certificate for the specified nickname.  Do this first
+     * because it seems the most likely to fail.
+     *
+     * XXX Shouldn't need that cast if the FindCertByNickname interface
+     * used const to convey that it does not modify the name.  Maybe someday.
+     */
+    cert = CERT_FindCertByNickname(handle, (char *) name);
+    if (cert == NULL) {
+      /*
+       * look for the cert on an external token.
+       */
+      cert = PK11_FindCertFromNickname((char *)name, NULL);
+    }
+    if (cert == NULL)
+	return SECFailure;
+
+    /*
+     * Make a copy of the url and nickname.
+     */
+    url_copy = PORT_Strdup(url);
+    name_copy = PORT_Strdup(name);
+    if (url_copy == NULL || name_copy == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    statusContext = ocsp_GetCheckingContext(handle);
+
+    /*
+     * Allocate and init the context if it doesn't already exist.
+     */
+    if (statusContext == NULL) {
+	rv = ocsp_InitStatusChecking(handle);
+	if (rv != SECSuccess)
+	    goto loser;
+
+	statusContext = ocsp_GetCheckingContext(handle);
+	PORT_Assert(statusContext != NULL);	/* extreme paranoia */
+    }
+
+    /*
+     * Note -- we do not touch the status context until after all of
+     * the steps which could cause errors.  If something goes wrong,
+     * we want to leave things as they were.
+     */
+
+    /*
+     * Get rid of old url and name if there.
+     */
+    if (statusContext->defaultResponderNickname != NULL)
+	PORT_Free(statusContext->defaultResponderNickname);
+    if (statusContext->defaultResponderURI != NULL)
+	PORT_Free(statusContext->defaultResponderURI);
+
+    /*
+     * And replace them with the new ones.
+     */
+    statusContext->defaultResponderURI = url_copy;
+    statusContext->defaultResponderNickname = name_copy;
+
+    /*
+     * If there was already a cert in place, get rid of it and replace it.
+     * Otherwise, we are not currently enabled, so we don't want to save it;
+     * it will get re-found and set whenever use of a default responder is
+     * enabled.
+     */
+    if (statusContext->defaultResponderCert != NULL) {
+	CERT_DestroyCertificate(statusContext->defaultResponderCert);
+	statusContext->defaultResponderCert = cert;
+    } else {
+	PORT_Assert(statusContext->useDefaultResponder == PR_FALSE);
+	CERT_DestroyCertificate(cert);
+    }
+
+    return SECSuccess;
+
+loser:
+    CERT_DestroyCertificate(cert);
+    if (url_copy != NULL)
+	PORT_Free(url_copy);
+    if (name_copy != NULL)
+	PORT_Free(name_copy);
+    return rv;
+}
+
+
+/*
+ * FUNCTION: CERT_EnableOCSPDefaultResponder
+ *   Turns on use of a default responder when OCSP checking.
+ *   If OCSP checking is already enabled, this will make subsequent checks
+ *   go directly to the default responder.  (The location of the responder
+ *   and the nickname of the responder cert must already be specified.)
+ *   If OCSP checking is not enabled, this will be recorded and take effect
+ *   whenever it is enabled.
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Cert database on which OCSP checking should use the default responder.
+ * RETURN:
+ *   Returns SECFailure if an error occurred; SECSuccess otherwise.
+ *   No errors are especially likely unless the caller did not previously
+ *   perform a successful call to SetOCSPDefaultResponder (in which case
+ *   the error set will be SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER).
+ */
+SECStatus
+CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle)
+{
+    ocspCheckingContext *statusContext;
+    CERTCertificate *cert;
+
+    if (handle == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    statusContext = ocsp_GetCheckingContext(handle);
+
+    if (statusContext == NULL) {
+	/*
+	 * Strictly speaking, the error already set is "correct",
+	 * but cover over it with one more helpful in this context.
+	 */
+	PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
+	return SECFailure;
+    }
+
+    if (statusContext->defaultResponderURI == NULL) {
+	PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
+	return SECFailure;
+    }
+
+    if (statusContext->defaultResponderNickname == NULL) {
+	PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER);
+	return SECFailure;
+    }
+
+    /*
+     * Find the cert for the nickname.
+     */
+    cert = CERT_FindCertByNickname(handle,
+				   statusContext->defaultResponderNickname);
+    if (cert == NULL) {
+        cert = PK11_FindCertFromNickname(statusContext->defaultResponderNickname,
+                                         NULL);
+    }
+    /*
+     * We should never have trouble finding the cert, because its
+     * existence should have been proven by SetOCSPDefaultResponder.
+     */
+    PORT_Assert(cert != NULL);
+    if (cert == NULL)
+	return SECFailure;
+
+    /*
+     * And hang onto it.
+     */
+    statusContext->defaultResponderCert = cert;
+
+    /*
+     * Finally, record the fact that we now have a default responder enabled.
+     */
+    statusContext->useDefaultResponder = PR_TRUE;
+    return SECSuccess;
+}
+
+
+/*
+ * FUNCTION: CERT_DisableOCSPDefaultResponder
+ *   Turns off use of a default responder when OCSP checking.
+ *   (Does nothing if use of a default responder is not enabled.)
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Cert database on which OCSP checking should stop using a default
+ *     responder.
+ * RETURN:
+ *   Returns SECFailure if an error occurred; SECSuccess otherwise.
+ *   Errors very unlikely (like random memory corruption...).
+ */
+SECStatus
+CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle)
+{
+    CERTStatusConfig *statusConfig;
+    ocspCheckingContext *statusContext;
+
+    if (handle == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    statusConfig = CERT_GetStatusConfig(handle);
+    if (statusConfig == NULL)
+	return SECSuccess;
+
+    statusContext = ocsp_GetCheckingContext(handle);
+    PORT_Assert(statusContext != NULL);
+    if (statusContext == NULL)
+	return SECFailure;
+
+    if (statusContext->defaultResponderCert != NULL) {
+	CERT_DestroyCertificate(statusContext->defaultResponderCert);
+	statusContext->defaultResponderCert = NULL;
+    }
+
+    /*
+     * Finally, record the fact.
+     */
+    statusContext->useDefaultResponder = PR_FALSE;
+    return SECSuccess;
+}
+static const SECHashObject *
+OidTagToDigestObject(SECOidTag digestAlg)
+{
+    const SECHashObject *rawDigestObject;
+
+    switch (digestAlg) {
+      case SEC_OID_MD2:
+        rawDigestObject = &SECHashObjects[HASH_AlgMD2];
+        break;
+      case SEC_OID_MD5:
+        rawDigestObject = &SECHashObjects[HASH_AlgMD5];
+        break;
+      case SEC_OID_SHA1:
+        rawDigestObject = &SECHashObjects[HASH_AlgSHA1];
+        break;
+      default:
+        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+        rawDigestObject = NULL;
+        break;
+    }
+    return(rawDigestObject);
+}
+
+/*
+ * Digest the cert's subject public key using the specified algorithm.
+ * The necessary storage for the digest data is allocated.  If "fill" is
+ * non-null, the data is put there, otherwise a SECItem is allocated.
+ * Allocation from "arena" if it is non-null, heap otherwise.  Any problem
+ * results in a NULL being returned (and an appropriate error set).
+ */
+SECItem *
+CERT_SPKDigestValueForCert(PRArenaPool *arena, CERTCertificate *cert,
+                           SECOidTag digestAlg, SECItem *fill)
+{
+    const SECHashObject *digestObject;
+    void *digestContext;
+    SECItem *result = NULL;
+    void *mark = NULL;
+    SECItem spk;
+
+    if ( arena != NULL ) {
+        mark = PORT_ArenaMark(arena);
+    }
+
+    digestObject = OidTagToDigestObject(digestAlg);
+    if ( digestObject == NULL ) {
+        goto loser;
+    }
+
+    if ((fill == NULL) || (fill->data == NULL)) {
+	result = SECITEM_AllocItem(arena, fill, digestObject->length);
+	if ( result == NULL ) {
+	   goto loser;
+	}
+	fill = result;
+    }
+
+    /*
+     * Copy just the length and data pointer (nothing needs to be freed)
+     * of the subject public key so we can convert the length from bits
+     * to bytes, which is what the digest function expects.
+     */
+    spk = cert->subjectPublicKeyInfo.subjectPublicKey;
+    DER_ConvertBitString(&spk);
+
+    /*
+     * Now digest the value, using the specified algorithm.
+     */
+    digestContext = digestObject->create();
+    if ( digestContext == NULL ) {
+        goto loser;
+    }
+    digestObject->begin(digestContext);
+    digestObject->update(digestContext, spk.data, spk.len);
+    digestObject->end(digestContext, fill->data, &(fill->len), fill->len);
+    digestObject->destroy(digestContext, PR_TRUE);
+
+    if ( arena != NULL ) {
+        PORT_ArenaUnmark(arena, mark);
+    }
+    return(fill);
+
+loser:
+    if ( arena != NULL ) {
+        PORT_ArenaRelease(arena, mark);
+    } else {
+        if ( result != NULL ) {
+            SECITEM_FreeItem(result, (fill == NULL) ? PR_TRUE : PR_FALSE);
+        }
+    }
+    return(NULL);
+}
+
+
diff --git a/security/nss/lib/certhigh/ocsp.h b/security/nss/lib/certhigh/ocsp.h
new file mode 100644
index 000000000..e4bd7dbdd
--- /dev/null
+++ b/security/nss/lib/certhigh/ocsp.h
@@ -0,0 +1,455 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Interface to the OCSP implementation.
+ *
+ * $Id$
+ */
+
+#ifndef _OCSP_H_
+#define _OCSP_H_
+
+
+#include "plarena.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "keyt.h"
+#include "certt.h"
+#include "ocspt.h"
+
+
+/************************************************************************/
+SEC_BEGIN_PROTOS
+
+/*
+ * FUNCTION: CERT_EnableOCSPChecking
+ *   Turns on OCSP checking for the given certificate database.
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Certificate database for which OCSP checking will be enabled.
+ * RETURN:
+ *   Returns SECFailure if an error occurred (likely only problem
+ *   allocating memory); SECSuccess otherwise.
+ */
+extern SECStatus
+CERT_EnableOCSPChecking(CERTCertDBHandle *handle);
+
+/*
+ * FUNCTION: CERT_DisableOCSPChecking
+ *   Turns off OCSP checking for the given certificate database.
+ *   This routine disables OCSP checking.  Though it will return
+ *   SECFailure if OCSP checking is not enabled, it is "safe" to
+ *   call it that way and just ignore the return value, if it is
+ *   easier to just call it than to "remember" whether it is enabled.
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Certificate database for which OCSP checking will be disabled.
+ * RETURN:
+ *   Returns SECFailure if an error occurred (usually means that OCSP
+ *   checking was not enabled or status contexts were not initialized --
+ *   error set will be SEC_ERROR_OCSP_NOT_ENABLED); SECSuccess otherwise.
+ */
+extern SECStatus
+CERT_DisableOCSPChecking(CERTCertDBHandle *handle);
+
+/*
+ * FUNCTION: CERT_SetOCSPDefaultResponder
+ *   Specify the location and cert of the default responder.
+ *   If OCSP checking is already enabled *and* use of a default responder
+ *   is also already enabled, all OCSP checking from now on will go directly
+ *   to the specified responder.  If OCSP checking is not enabled, or if
+ *   it is but use of a default responder is not enabled, the information
+ *   will be recorded and take effect whenever both are enabled.
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Cert database on which OCSP checking should use the default responder.
+ *   char *url
+ *     The location of the default responder (e.g. "http://foo.com:80/ocsp")
+ *     Note that the location will not be tested until the first attempt
+ *     to send a request there.
+ *   char *name
+ *     The nickname of the cert to trust (expected) to sign the OCSP responses.
+ *     If the corresponding cert cannot be found, SECFailure is returned.
+ * RETURN:
+ *   Returns SECFailure if an error occurred; SECSuccess otherwise.
+ *   The most likely error is that the cert for "name" could not be found
+ *   (probably SEC_ERROR_UNKNOWN_CERT).  Other errors are low-level (no memory,
+ *   bad database, etc.).
+ */
+extern SECStatus
+CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle,
+			     const char *url, const char *name);
+
+/*
+ * FUNCTION: CERT_EnableOCSPDefaultResponder
+ *   Turns on use of a default responder when OCSP checking.
+ *   If OCSP checking is already enabled, this will make subsequent checks
+ *   go directly to the default responder.  (The location of the responder
+ *   and the nickname of the responder cert must already be specified.)
+ *   If OCSP checking is not enabled, this will be recorded and take effect
+ *   whenever it is enabled.
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Cert database on which OCSP checking should use the default responder.
+ * RETURN:
+ *   Returns SECFailure if an error occurred; SECSuccess otherwise.
+ *   No errors are especially likely unless the caller did not previously
+ *   perform a successful call to SetOCSPDefaultResponder (in which case
+ *   the error set will be SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER).
+ */
+extern SECStatus
+CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle);
+
+/*
+ * FUNCTION: CERT_DisableOCSPDefaultResponder
+ *   Turns off use of a default responder when OCSP checking.
+ *   (Does nothing if use of a default responder is not enabled.)
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     Cert database on which OCSP checking should stop using a default
+ *     responder.
+ * RETURN:
+ *   Returns SECFailure if an error occurred; SECSuccess otherwise.
+ *   Errors very unlikely (like random memory corruption...).
+ */
+extern SECStatus
+CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle);
+
+/*
+ * -------------------------------------------------------
+ * The Functions above are those expected to be used by a client
+ * providing OCSP status checking along with every cert verification.
+ * The functions below are for OCSP testing, debugging, or clients
+ * or servers performing more specialized OCSP tasks.
+ * -------------------------------------------------------
+ */
+
+/*
+ * FUNCTION: CERT_CreateOCSPRequest
+ *   Creates a CERTOCSPRequest, requesting the status of the certs in 
+ *   the given list.
+ * INPUTS:
+ *   CERTCertList *certList
+ *     A list of certs for which status will be requested.
+ *     Note that all of these certificates should have the same issuer,
+ *     or it's expected the response will be signed by a trusted responder.
+ *     If the certs need to be broken up into multiple requests, that
+ *     must be handled by the caller (and thus by having multiple calls
+ *     to this routine), who knows about where the request(s) are being
+ *     sent and whether there are any trusted responders in place.
+ *   int64 time
+ *     Indicates the time for which the certificate status is to be 
+ *     determined -- this may be used in the search for the cert's issuer
+ *     but has no effect on the request itself.
+ *   PRBool addServiceLocator
+ *     If true, the Service Locator extension should be added to the
+ *     single request(s) for each cert.
+ *   CERTCertificate *signerCert
+ *     If non-NULL, means sign the request using this cert.  Otherwise,
+ *     do not sign.
+ *     XXX note that request signing is not yet supported; see comment in code
+ * RETURN:
+ *   A pointer to a CERTOCSPRequest structure containing an OCSP request
+ *   for the cert list.  On error, null is returned, with an error set
+ *   indicating the reason.  This is likely SEC_ERROR_UNKNOWN_ISSUER.
+ *   (The issuer is needed to create a request for the certificate.)
+ *   Other errors are low-level problems (no memory, bad database, etc.).
+ */
+extern CERTOCSPRequest *
+CERT_CreateOCSPRequest(CERTCertList *certList, int64 time, 
+		       PRBool addServiceLocator,
+		       CERTCertificate *signerCert);
+
+/*
+ * FUNCTION: CERT_AddOCSPAcceptableResponses
+ *   Add the AcceptableResponses extension to an OCSP Request.
+ * INPUTS:
+ *   CERTOCSPRequest *request
+ *     The request to which the extension should be added.
+ *   ...
+ *     A list (of one or more) of SECOidTag -- each of the response types
+ *     to be added.  The last OID *must* be SEC_OID_PKIX_OCSP_BASIC_RESPONSE.
+ *     (This marks the end of the list, and it must be specified because a
+ *     client conforming to the OCSP standard is required to handle the basic
+ *     response type.)  The OIDs are not checked in any way.
+ * RETURN:
+ *   SECSuccess if the extension is added; SECFailure if anything goes wrong.
+ *   All errors are internal or low-level problems (e.g. no memory).
+ */
+extern SECStatus
+CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request, ...);
+
+/* 
+ * FUNCTION: CERT_EncodeOCSPRequest
+ *   DER encodes an OCSP Request, possibly adding a signature as well.
+ *   XXX Signing is not yet supported, however; see comments in code.
+ * INPUTS: 
+ *   PRArenaPool *arena
+ *     The return value is allocated from here.
+ *     If a NULL is passed in, allocation is done from the heap instead.
+ *   CERTOCSPRequest *request
+ *     The request to be encoded.
+ *   void *pwArg
+ *     Pointer to argument for password prompting, if needed.  (Definitely
+ *     not needed if not signing.)
+ * RETURN:
+ *   Returns a NULL on error and a pointer to the SECItem with the
+ *   encoded value otherwise.  Any error is likely to be low-level
+ *   (e.g. no memory).
+ */
+extern SECItem *
+CERT_EncodeOCSPRequest(PRArenaPool *arena, CERTOCSPRequest *request, 
+		       void *pwArg);
+
+/*
+ * FUNCTION: CERT_DecodeOCSPRequest
+ *   Decode a DER encoded OCSP Request.
+ * INPUTS:
+ *   SECItem *src
+ *     Pointer to a SECItem holding DER encoded OCSP Request.
+ * RETURN:
+ *   Returns a pointer to a CERTOCSPRequest containing the decoded request.
+ *   On error, returns NULL.  Most likely error is trouble decoding
+ *   (SEC_ERROR_OCSP_MALFORMED_REQUEST), or low-level problem (no memory).
+ */
+extern CERTOCSPRequest *
+CERT_DecodeOCSPRequest(SECItem *src);
+
+/*
+ * FUNCTION: CERT_DestroyOCSPRequest
+ *   Frees an OCSP Request structure.
+ * INPUTS:
+ *   CERTOCSPRequest *request
+ *     Pointer to CERTOCSPRequest to be freed.
+ * RETURN:
+ *   No return value; no errors.
+ */
+extern void
+CERT_DestroyOCSPRequest(CERTOCSPRequest *request);
+
+/*
+ * FUNCTION: CERT_DecodeOCSPResponse
+ *   Decode a DER encoded OCSP Response.
+ * INPUTS:
+ *   SECItem *src
+ *     Pointer to a SECItem holding DER encoded OCSP Response.
+ * RETURN:
+ *   Returns a pointer to a CERTOCSPResponse (the decoded OCSP Response);
+ *   the caller is responsible for destroying it.  Or NULL if error (either
+ *   response could not be decoded (SEC_ERROR_OCSP_MALFORMED_RESPONSE),
+ *   it was of an unexpected type (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE),
+ *   or a low-level or internal error occurred).
+ */
+extern CERTOCSPResponse *
+CERT_DecodeOCSPResponse(SECItem *src);
+
+/*
+ * FUNCTION: CERT_DestroyOCSPResponse
+ *   Frees an OCSP Response structure.
+ * INPUTS:
+ *   CERTOCSPResponse *request
+ *     Pointer to CERTOCSPResponse to be freed.
+ * RETURN:
+ *   No return value; no errors.
+ */
+extern void
+CERT_DestroyOCSPResponse(CERTOCSPResponse *response);
+
+/*
+ * FUNCTION: CERT_GetEncodedOCSPResponse
+ *   Creates and sends a request to an OCSP responder, then reads and
+ *   returns the (encoded) response.
+ * INPUTS:
+ *   PRArenaPool *arena
+ *     Pointer to arena from which return value will be allocated.
+ *     If NULL, result will be allocated from the heap (and thus should
+ *     be freed via SECITEM_FreeItem).
+ *   CERTCertList *certList
+ *     A list of certs for which status will be requested.
+ *     Note that all of these certificates should have the same issuer,
+ *     or it's expected the response will be signed by a trusted responder.
+ *     If the certs need to be broken up into multiple requests, that
+ *     must be handled by the caller (and thus by having multiple calls
+ *     to this routine), who knows about where the request(s) are being
+ *     sent and whether there are any trusted responders in place.
+ *   char *location
+ *     The location of the OCSP responder (a URL).
+ *   int64 time
+ *     Indicates the time for which the certificate status is to be 
+ *     determined -- this may be used in the search for the cert's issuer
+ *     but has no other bearing on the operation.
+ *   PRBool addServiceLocator
+ *     If true, the Service Locator extension should be added to the
+ *     single request(s) for each cert.
+ *   CERTCertificate *signerCert
+ *     If non-NULL, means sign the request using this cert.  Otherwise,
+ *     do not sign.
+ *   void *pwArg
+ *     Pointer to argument for password prompting, if needed.  (Definitely
+ *     not needed if not signing.)
+ * OUTPUTS:
+ *   CERTOCSPRequest **pRequest
+ *     Pointer in which to store the OCSP request created for the given
+ *     list of certificates.  It is only filled in if the entire operation
+ *     is successful and the pointer is not null -- and in that case the
+ *     caller is then reponsible for destroying it.
+ * RETURN:
+ *   Returns a pointer to the SECItem holding the response.
+ *   On error, returns null with error set describing the reason:
+ *	SEC_ERROR_UNKNOWN_ISSUER
+ *	SEC_ERROR_CERT_BAD_ACCESS_LOCATION
+ *	SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
+ *   Other errors are low-level problems (no memory, bad database, etc.).
+ */
+extern SECItem *
+CERT_GetEncodedOCSPResponse(PRArenaPool *arena, CERTCertList *certList,
+			    char *location, int64 time,
+			    PRBool addServiceLocator,
+			    CERTCertificate *signerCert, void *pwArg,
+			    CERTOCSPRequest **pRequest);
+
+/*
+ * FUNCTION: CERT_VerifyOCSPResponseSignature
+ *   Check the signature on an OCSP Response.  Will also perform a
+ *   verification of the signer's certificate.  Note, however, that a
+ *   successful verification does not make any statement about the
+ *   signer's *authority* to provide status for the certificate(s),
+ *   that must be checked individually for each certificate.
+ * INPUTS:
+ *   CERTOCSPResponse *response
+ *     Pointer to response structure with signature to be checked.
+ *   CERTCertDBHandle *handle
+ *     Pointer to CERTCertDBHandle for certificate DB to use for verification.
+ *   void *pwArg
+ *     Pointer to argument for password prompting, if needed.
+ *   CERTCertificate *issuerCert
+ *     Issuer of the certificate that generated the OCSP request.
+ * OUTPUTS:
+ *   CERTCertificate **pSignerCert
+ *     Pointer in which to store signer's certificate; only filled-in if
+ *     non-null.
+ * RETURN:
+ *   Returns SECSuccess when signature is valid, anything else means invalid.
+ *   Possible errors set:
+ *	SEC_ERROR_OCSP_MALFORMED_RESPONSE - unknown type of ResponderID
+ *	SEC_ERROR_INVALID_TIME - bad format of "ProducedAt" time
+ *	SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found
+ *	SEC_ERROR_BAD_SIGNATURE - the signature did not verify
+ *   Other errors are any of the many possible failures in cert verification
+ *   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
+ *   verifying the signer's cert, or low-level problems (no memory, etc.)
+ */
+extern SECStatus
+CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,	
+				 CERTCertDBHandle *handle, void *pwArg,
+				 CERTCertificate **pSignerCert,
+				 CERTCertificate *issuerCert);
+
+/*
+ * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation
+ *   Get the value of the URI of the OCSP responder for the given cert.
+ *   This is found in the (optional) Authority Information Access extension
+ *   in the cert.
+ * INPUTS:
+ *   CERTCertificate *cert
+ *     The certificate being examined.
+ * RETURN:
+ *   char *
+ *     A copy of the URI for the OCSP method, if found.  If either the
+ *     extension is not present or it does not contain an entry for OCSP,
+ *     SEC_ERROR_EXTENSION_NOT_FOUND will be set and a NULL returned.
+ *     Any other error will also result in a NULL being returned.
+ *     
+ *     This result should be freed (via PORT_Free) when no longer in use.
+ */
+extern char *
+CERT_GetOCSPAuthorityInfoAccessLocation(CERTCertificate *cert);
+
+/*
+ * FUNCTION: CERT_CheckOCSPStatus
+ *   Checks the status of a certificate via OCSP.  Will only check status for
+ *   a certificate that has an AIA (Authority Information Access) extension
+ *   for OCSP *or* when a "default responder" is specified and enabled.
+ *   (If no AIA extension for OCSP and no default responder in place, the
+ *   cert is considered to have a good status and SECSuccess is returned.)
+ * INPUTS:
+ *   CERTCertDBHandle *handle
+ *     certificate DB of the cert that is being checked
+ *   CERTCertificate *cert
+ *     the certificate being checked
+ *   XXX in the long term also need a boolean parameter that specifies
+ *	whether to check the cert chain, as well; for now we check only
+ *	the leaf (the specified certificate)
+ *   int64 time
+ *     time for which status is to be determined
+ *   void *pwArg
+ *     argument for password prompting, if needed
+ * RETURN:
+ *   Returns SECSuccess if an approved OCSP responder "knows" the cert
+ *   *and* returns a non-revoked status for it; SECFailure otherwise,
+ *   with an error set describing the reason:
+ *
+ *	SEC_ERROR_OCSP_BAD_HTTP_RESPONSE
+ *	SEC_ERROR_OCSP_FUTURE_RESPONSE
+ *	SEC_ERROR_OCSP_MALFORMED_REQUEST
+ *	SEC_ERROR_OCSP_MALFORMED_RESPONSE
+ *	SEC_ERROR_OCSP_OLD_RESPONSE
+ *	SEC_ERROR_OCSP_REQUEST_NEEDS_SIG
+ *	SEC_ERROR_OCSP_SERVER_ERROR
+ *	SEC_ERROR_OCSP_TRY_SERVER_LATER
+ *	SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
+ *	SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
+ *	SEC_ERROR_OCSP_UNKNOWN_CERT
+ *	SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
+ *	SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE
+ *
+ *	SEC_ERROR_BAD_SIGNATURE
+ *	SEC_ERROR_CERT_BAD_ACCESS_LOCATION
+ *	SEC_ERROR_INVALID_TIME
+ *	SEC_ERROR_REVOKED_CERTIFICATE
+ *	SEC_ERROR_UNKNOWN_ISSUER
+ *	SEC_ERROR_UNKNOWN_SIGNER
+ *
+ *   Other errors are any of the many possible failures in cert verification
+ *   (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when
+ *   verifying the signer's cert, or low-level problems (error allocating
+ *   memory, error performing ASN.1 decoding, etc.).
+ */    
+extern SECStatus 
+CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert,
+		     int64 time, void *pwArg);
+/************************************************************************/
+SEC_END_PROTOS
+
+#endif /* _OCSP_H_ */
diff --git a/security/nss/lib/certhigh/ocspt.h b/security/nss/lib/certhigh/ocspt.h
new file mode 100644
index 000000000..3f1563855
--- /dev/null
+++ b/security/nss/lib/certhigh/ocspt.h
@@ -0,0 +1,59 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Public header for exported OCSP types.
+ *
+ * $Id$
+ */
+
+#ifndef _OCSPT_H_
+#define _OCSPT_H_
+
+/*
+ * The following are all opaque types.  If someone needs to get at
+ * a field within, then we need to fix the API.  Try very hard not
+ * make the type available to them.
+ */
+typedef struct CERTOCSPRequestStr CERTOCSPRequest;
+typedef struct CERTOCSPResponseStr CERTOCSPResponse;
+
+/*
+ * XXX I think only those first two above should need to be exported,
+ * but until I know for certain I am leaving the rest of these here, too.
+ */
+typedef struct CERTOCSPCertIDStr CERTOCSPCertID;
+typedef struct CERTOCSPCertStatusStr CERTOCSPCertStatus;
+typedef struct CERTOCSPSingleResponseStr CERTOCSPSingleResponse;
+
+#endif /* _OCSPT_H_ */
diff --git a/security/nss/lib/certhigh/ocspti.h b/security/nss/lib/certhigh/ocspti.h
new file mode 100644
index 000000000..9c739bef4
--- /dev/null
+++ b/security/nss/lib/certhigh/ocspti.h
@@ -0,0 +1,404 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Private header defining OCSP types.
+ *
+ * $Id$
+ */
+
+#ifndef _OCSPTI_H_
+#define _OCSPTI_H_
+
+#include "ocspt.h"
+
+#include "certt.h"
+#include "plarena.h"
+#include "seccomon.h"
+#include "secoidt.h"
+
+
+/*
+ * Some notes about naming conventions...
+ *
+ * The public data types all start with "CERTOCSP" (e.g. CERTOCSPRequest).
+ * (Even the public types are opaque, however.  Only their names are
+ * "exported".)
+ *
+ * Internal-only data types drop the "CERT" prefix and use only the
+ * lower-case "ocsp" (e.g. ocspTBSRequest), for brevity sake.
+ *
+ * In either case, the base/suffix of the type name usually matches the
+ * name as defined in the OCSP specification.  The exceptions to this are:
+ *  - When there is overlap between the "OCSP" or "ocsp" prefix and
+ *    the name used in the standard.  That is, you cannot strip off the
+ *    "CERTOCSP" or "ocsp" prefix and necessarily get the name of the
+ *    type as it is defined in the standard; the "real" name will be
+ *    *either* "OCSPSuffix" or just "Suffix".
+ *  - When the name in the standard was a little too generic.  (e.g. The
+ *    standard defines "Request" but we call it a "SingleRequest".)
+ *    In this case a comment above the type definition calls attention
+ *    to the difference.
+ *
+ * The definitions laid out in this header file are intended to follow
+ * the same order as the definitions in the OCSP specification itself.
+ * With the OCSP standard in hand, you should be able to move through
+ * this file and follow along.  To future modifiers of this file: please
+ * try to keep it that way.  The only exceptions are the few cases where
+ * we need to define a type before it is referenced (e.g. enumerations),
+ * whereas in the OCSP specification these are usually defined the other
+ * way around (reference before definition).
+ */
+
+
+/*
+ * Forward-declarations of internal-only data structures.
+ *
+ * These are in alphabetical order (case-insensitive); please keep it that way!
+ */
+typedef struct ocspBasicOCSPResponseStr ocspBasicOCSPResponse;
+typedef struct ocspCertStatusStr ocspCertStatus;
+typedef struct ocspResponderIDStr ocspResponderID;
+typedef struct ocspResponseBytesStr ocspResponseBytes;
+typedef struct ocspResponseDataStr ocspResponseData;
+typedef struct ocspRevokedInfoStr ocspRevokedInfo;
+typedef struct ocspServiceLocatorStr ocspServiceLocator;
+typedef struct ocspSignatureStr ocspSignature;
+typedef struct ocspSingleRequestStr ocspSingleRequest;
+typedef struct ocspSingleResponseStr ocspSingleResponse;
+typedef struct ocspTBSRequestStr ocspTBSRequest;
+
+
+/*
+ * An OCSPRequest; this is what is sent (encoded) to an OCSP responder.
+ */
+struct CERTOCSPRequestStr {
+    PRArenaPool *arena;			/* local; not part of encoding */
+    ocspTBSRequest *tbsRequest;
+    ocspSignature *optionalSignature;
+};
+
+/*
+ * A TBSRequest; when an OCSPRequest is signed, the encoding of this
+ * is what the signature is actually applied to.  ("TBS" == To Be Signed)
+ * Whether signed or not, however, this structure will be present, and
+ * is the "meat" of the OCSPRequest.
+ *
+ * Note that the "requestorName" field cannot be encoded/decoded in the
+ * same pass as the entire request -- it needs to be handled with a special
+ * call to convert to/from our internal form of a GeneralName.  Thus the
+ * "derRequestorName" field, which is the actual DER-encoded bytes.
+ *
+ * The "extensionHandle" field is used on creation only; it holds
+ * in-progress extensions as they are optionally added to the request.
+ */
+struct ocspTBSRequestStr {
+    SECItem version;			/* an INTEGER */
+    SECItem *derRequestorName;		/* encoded GeneralName; see above */
+    CERTGeneralNameList *requestorName;	/* local; not part of encoding */
+    ocspSingleRequest **requestList;
+    CERTCertExtension **requestExtensions;
+    void *extensionHandle;		/* local; not part of encoding */
+};
+
+/*
+ * This is the actual signature information for an OCSPRequest (applied to
+ * the TBSRequest structure) or for a BasicOCSPResponse (applied to a
+ * ResponseData structure).
+ *
+ * Note that the "signature" field itself is a BIT STRING; operations on
+ * it need to keep that in mind, converting the length to bytes as needed
+ * and back again afterward (so that the length is usually expressing bits).
+ *
+ * The "cert" field is the signer's certificate.  In the case of a received
+ * signature, it will be filled in when the signature is verified.  In the
+ * case of a created signature, it is filled in on creation and will be the
+ * cert used to create the signature when the signing-and-encoding occurs,
+ * as well as the cert (and its chain) to fill in derCerts if requested.
+ *
+ * The extra fields cache information about the signature after we have
+ * attempted a verification.  "wasChecked", if true, means the signature
+ * has been checked against the appropriate data and thus that "status"
+ * contains the result of that verification.  If "status" is not SECSuccess,
+ * "failureReason" is a copy of the error code that was set at the time;
+ * presumably it tells why the signature verification failed.
+ */
+struct ocspSignatureStr {
+    SECAlgorithmID signatureAlgorithm;
+    SECItem signature;			/* a BIT STRING */
+    SECItem **derCerts;			/* a SEQUENCE OF Certificate */
+    CERTCertificate *cert;		/* local; not part of encoding */
+    PRBool wasChecked;			/* local; not part of encoding */
+    SECStatus status;			/* local; not part of encoding */
+    int failureReason;			/* local; not part of encoding */
+};
+
+/*
+ * An OCSPRequest contains a SEQUENCE OF these, one for each certificate
+ * whose status is being checked.
+ *
+ * Note that in the OCSP specification this is just called "Request",
+ * but since that seemed confusing (vs. an OCSPRequest) and to be more
+ * consistent with the parallel type "SingleResponse", I called it a
+ * "SingleRequest".
+ * 
+ * XXX figure out how to get rid of that arena -- there must be a way
+ */
+struct ocspSingleRequestStr {
+    PRArenaPool *arena;			/* just a copy of the response arena,
+					 * needed here for extension handling
+					 * routines, on creation only */
+    CERTOCSPCertID *reqCert;
+    CERTCertExtension **singleRequestExtensions;
+};
+
+/*
+ * A CertID is the means of identifying a certificate, used both in requests
+ * and in responses.
+ *
+ * When in a SingleRequest it specifies the certificate to be checked.
+ * When in a SingleResponse it is the cert whose status is being given.
+ */
+struct CERTOCSPCertIDStr {
+    SECAlgorithmID hashAlgorithm;
+    SECItem issuerNameHash;		/* an OCTET STRING */
+    SECItem issuerKeyHash;		/* an OCTET STRING */
+    SECItem serialNumber;		/* an INTEGER */
+    SECItem issuerSHA1NameHash;		/* keep other hashes around when */
+    SECItem issuerMD5NameHash;              /* we have them */
+    SECItem issuerMD2NameHash;
+    SECItem issuerSHA1KeyHash;		/* keep other hashes around when */
+    SECItem issuerMD5KeyHash;              /* we have them */
+    SECItem issuerMD2KeyHash;
+};
+
+/*
+ * This describes the value of the responseStatus field in an OCSPResponse.
+ * The corresponding ASN.1 definition is:
+ *
+ * OCSPResponseStatus	::=	ENUMERATED {
+ *	successful		(0),	--Response has valid confirmations
+ *	malformedRequest	(1),	--Illegal confirmation request
+ *	internalError		(2),	--Internal error in issuer
+ *	tryLater		(3),	--Try again later
+ *					--(4) is not used
+ *	sigRequired		(5),	--Must sign the request
+ *	unauthorized		(6),	--Request unauthorized
+ * }
+ */
+typedef enum {
+    ocspResponse_successful = 0,
+    ocspResponse_malformedRequest = 1,
+    ocspResponse_internalError = 2,
+    ocspResponse_tryLater = 3,
+    ocspResponse_unused = 4,
+    ocspResponse_sigRequired = 5,
+    ocspResponse_unauthorized = 6,
+    ocspResponse_other			/* unknown/unrecognized value */
+} ocspResponseStatus;
+
+/*
+ * An OCSPResponse is what is sent (encoded) by an OCSP responder.
+ *
+ * The field "responseStatus" is the ASN.1 encoded value; the field
+ * "statusValue" is simply that same value translated into our local
+ * type ocspResponseStatus.
+ */
+struct CERTOCSPResponseStr {
+    PRArenaPool *arena;			/* local; not part of encoding */
+    SECItem responseStatus;		/* an ENUMERATED, see above */
+    ocspResponseStatus statusValue;	/* local; not part of encoding */
+    ocspResponseBytes *responseBytes;	/* only when status is successful */
+};
+
+/*
+ * A ResponseBytes (despite appearances) is what contains the meat
+ * of a successful response -- but still in encoded form.  The type
+ * given as "responseType" tells you how to decode the string.
+ *
+ * We look at the OID and translate it into our local OID representation
+ * "responseTypeTag", and use that value to tell us how to decode the
+ * actual response itself.  For now the only kind of OCSP response we
+ * know about is a BasicOCSPResponse.  However, the intention in the
+ * OCSP specification is to allow for other response types, so we are
+ * building in that flexibility from the start and thus put a pointer
+ * to that data structure inside of a union.  Whenever OCSP adds more
+ * response types, just add them to the union.
+ */
+struct ocspResponseBytesStr {
+    SECItem responseType;		/* an OBJECT IDENTIFIER */
+    SECOidTag responseTypeTag;		/* local; not part of encoding */
+    SECItem response;			/* an OCTET STRING */
+    union {
+	ocspBasicOCSPResponse *basic;	/* when type is id-pkix-ocsp-basic */
+    } decodedResponse;			/* local; not part of encoding */
+};
+
+/*
+ * A BasicOCSPResponse -- when the responseType in a ResponseBytes is
+ * id-pkix-ocsp-basic, the "response" OCTET STRING above is the DER
+ * encoding of one of these.
+ *
+ * Note that in the OCSP specification, the signature fields are not
+ * part of a separate sub-structure.  But since they are the same fields
+ * as we define for the signature in a request, it made sense to share
+ * the C data structure here and in some shared code to operate on them.
+ */
+struct ocspBasicOCSPResponseStr {
+    ocspResponseData *tbsResponseData;	/* "tbs" == To Be Signed */
+    ocspSignature responseSignature;
+};
+
+/*
+ * A ResponseData is the part of a BasicOCSPResponse that is signed
+ * (after it is DER encoded).  It contains the real details of the response
+ * (a per-certificate status).
+ */
+struct ocspResponseDataStr {
+    SECItem version;			/* an INTEGER */
+    SECItem derResponderID;
+    ocspResponderID *responderID;	/* local; not part of encoding */
+    SECItem producedAt;			/* a GeneralizedTime */
+    CERTOCSPSingleResponse **responses;
+    CERTCertExtension **responseExtensions;
+};
+
+/*
+ * A ResponderID identifies the responder -- or more correctly, the
+ * signer of the response.  The ASN.1 definition of a ResponderID is:
+ *
+ * ResponderID	::=	CHOICE {
+ *	byName			[1] EXPLICIT Name,
+ *	byKey			[2] EXPLICIT KeyHash }
+ *
+ * Because it is CHOICE, the type of identification used and the
+ * identification itself are actually encoded together.  To represent
+ * this same information internally, we explicitly define a type and
+ * save it, along with the value, into a data structure.
+ */
+
+typedef enum {
+    ocspResponderID_byName,
+    ocspResponderID_byKey,
+    ocspResponderID_other		/* unknown kind of responderID */
+} ocspResponderIDType;
+
+struct ocspResponderIDStr {
+    ocspResponderIDType responderIDType;/* local; not part of encoding */
+    union {
+	CERTName name;			/* when ocspResponderID_byName */
+	SECItem keyHash;		/* when ocspResponderID_byKey */
+	SECItem other;			/* when ocspResponderID_other */
+    } responderIDValue;
+};
+
+/*
+ * The ResponseData in a BasicOCSPResponse contains a SEQUENCE OF
+ * SingleResponse -- one for each certificate whose status is being supplied.
+ * 
+ * XXX figure out how to get rid of that arena -- there must be a way
+ */
+struct CERTOCSPSingleResponseStr {
+    PRArenaPool *arena;			/* just a copy of the response arena,
+					 * needed here for extension handling
+					 * routines, on creation only */
+    CERTOCSPCertID *certID;
+    SECItem derCertStatus;
+    ocspCertStatus *certStatus;		/* local; not part of encoding */
+    SECItem thisUpdate;			/* a GeneralizedTime */
+    SECItem *nextUpdate;		/* a GeneralizedTime */
+    CERTCertExtension **singleExtensions;
+};
+
+/*
+ * A CertStatus is the actual per-certificate status.  Its ASN.1 definition:
+ *
+ * CertStatus	::=	CHOICE {
+ *	good			[0] IMPLICIT NULL,
+ *	revoked			[1] IMPLICIT RevokedInfo,
+ *	unknown			[2] IMPLICIT UnknownInfo }
+ *
+ * (where for now UnknownInfo is defined to be NULL but in the
+ * future may be replaced with an enumeration).
+ *
+ * Because it is CHOICE, the status value and its associated information
+ * (if any) are actually encoded together.  To represent this same
+ * information internally, we explicitly define a type and save it,
+ * along with the value, into a data structure.
+ */
+
+typedef enum {
+    ocspCertStatus_good,		/* cert is not revoked */
+    ocspCertStatus_revoked,		/* cert is revoked */
+    ocspCertStatus_unknown,		/* cert was unknown to the responder */
+    ocspCertStatus_other		/* status was not an expected value */
+} ocspCertStatusType;
+
+/*
+ * This is the actual per-certificate status.
+ *
+ * The "goodInfo" and "unknownInfo" items are only place-holders for a NULL.
+ * (Though someday OCSP may replace UnknownInfo with an enumeration that
+ * gives more detailed information.)
+ */
+struct ocspCertStatusStr {
+    ocspCertStatusType certStatusType;	/* local; not part of encoding */
+    union {
+	SECItem *goodInfo;		/* when ocspCertStatus_good */
+	ocspRevokedInfo *revokedInfo;	/* when ocspCertStatus_revoked */
+	SECItem *unknownInfo;		/* when ocspCertStatus_unknown */
+	SECItem *otherInfo;		/* when ocspCertStatus_other */
+    } certStatusInfo; 
+};
+
+/*
+ * A RevokedInfo gives information about a revoked certificate -- when it
+ * was revoked and why.
+ */
+struct ocspRevokedInfoStr {
+    SECItem revocationTime;		/* a GeneralizedTime */
+    SECItem *revocationReason;		/* a CRLReason; ignored for now */
+};
+
+/*
+ * ServiceLocator can be included as one of the singleRequestExtensions.
+ * When added, it specifies the (name of the) issuer of the cert being
+ * checked, and optionally the value of the AuthorityInfoAccess extension
+ * if the cert has one.
+ */
+struct ocspServiceLocatorStr {
+    CERTName *issuer;
+    SECItem locator;	/* DER encoded authInfoAccess extension from cert */
+};
+
+#endif /* _OCSPTI_H_ */
diff --git a/security/nss/lib/certhigh/xcrldist.c b/security/nss/lib/certhigh/xcrldist.c
new file mode 100644
index 000000000..d560cfd23
--- /dev/null
+++ b/security/nss/lib/certhigh/xcrldist.c
@@ -0,0 +1,222 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Code for dealing with x.509 v3 CRL Distribution Point extension.
+ */
+#include "genname.h"
+#include "certt.h"
+#include "secerr.h"
+
+extern void PrepareBitStringForEncoding (SECItem *bitMap, SECItem *value);
+
+static const SEC_ASN1Template FullNameTemplate[] = {
+    {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0,
+	offsetof (CRLDistributionPoint,derFullName), CERT_GeneralNamesTemplate}
+};
+
+static const SEC_ASN1Template RelativeNameTemplate[] = {
+    {SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 1, 
+	offsetof (CRLDistributionPoint,distPoint.relativeName), CERT_RDNTemplate}
+};
+	 
+static const SEC_ASN1Template CRLDistributionPointTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRLDistributionPoint) },
+	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
+	    SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0,
+	    offsetof(CRLDistributionPoint,derDistPoint), SEC_AnyTemplate},
+	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	    offsetof(CRLDistributionPoint,bitsmap), SEC_BitStringTemplate},
+	{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |
+	    SEC_ASN1_CONSTRUCTED | 2,
+	    offsetof(CRLDistributionPoint, derCrlIssuer), CERT_GeneralNamesTemplate},
+    { 0 }
+};
+
+const SEC_ASN1Template CERTCRLDistributionPointsTemplate[] = {
+    {SEC_ASN1_SEQUENCE_OF, 0, CRLDistributionPointTemplate}
+};
+
+SECStatus
+CERT_EncodeCRLDistributionPoints (PRArenaPool *arena, CERTCrlDistributionPoints *value,
+				  SECItem *derValue)
+{
+    CRLDistributionPoint **pointList, *point;
+    PRArenaPool *ourPool = NULL;
+    SECStatus rv = SECSuccess;
+
+    PORT_Assert (derValue);
+    PORT_Assert (value && value->distPoints);
+
+    do {
+	ourPool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
+	if (ourPool == NULL) {
+	    rv = SECFailure;
+	    break;
+	}    
+	
+	pointList = value->distPoints;
+	while (*pointList) {
+	    point = *pointList;
+	    point->derFullName = NULL;
+	    point->derDistPoint.data = NULL;
+
+	    if (point->distPointType == generalName) {
+		point->derFullName = cert_EncodeGeneralNames
+		    (ourPool, point->distPoint.fullName);
+		
+		if (point->derFullName) {
+		    rv = (SEC_ASN1EncodeItem (ourPool, &point->derDistPoint,
+			  point, FullNameTemplate) == NULL) ? SECFailure : SECSuccess;
+		} else {
+		    rv = SECFailure;
+		}
+	    }
+	    else if (point->distPointType == relativeDistinguishedName) {
+		if (SEC_ASN1EncodeItem
+		     (ourPool, &point->derDistPoint, 
+		      point, RelativeNameTemplate) == NULL) 
+		    rv = SECFailure;
+	    }
+	    /* distributionPointName is omitted */
+	    else if (point->distPointType != 0) {
+		PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
+		rv = SECFailure;
+	    }
+	    if (rv != SECSuccess)
+		break;
+
+	    if (point->reasons.data)
+		PrepareBitStringForEncoding (&point->bitsmap, &point->reasons);
+
+	    if (point->crlIssuer) {
+		point->derCrlIssuer = cert_EncodeGeneralNames
+		    (ourPool, point->crlIssuer);
+		if (!point->crlIssuer)
+		    break;
+	    }
+	    
+	    ++pointList;
+	}
+	if (rv != SECSuccess)
+	    break;
+	if (SEC_ASN1EncodeItem
+	     (arena, derValue, value, CERTCRLDistributionPointsTemplate) == NULL) {
+	    rv = SECFailure;
+	    break;
+	}
+    } while (0);
+    PORT_FreeArena (ourPool, PR_FALSE);
+    return (rv);
+}
+
+CERTCrlDistributionPoints *
+CERT_DecodeCRLDistributionPoints (PRArenaPool *arena, SECItem *encodedValue)
+{
+   CERTCrlDistributionPoints *value = NULL;    
+   CRLDistributionPoint **pointList, *point;    
+   SECStatus rv;
+
+   PORT_Assert (arena);
+   do {
+	value = (CERTCrlDistributionPoints*)PORT_ArenaZAlloc (arena, sizeof (*value));
+	if (value == NULL) {
+	    rv = SECFailure;
+	    break;
+	}
+	    
+	rv = SEC_ASN1DecodeItem
+	     (arena, &value->distPoints, CERTCRLDistributionPointsTemplate,
+	      encodedValue);
+	if (rv != SECSuccess)
+	    break;
+
+	pointList = value->distPoints;
+	while (*pointList) {
+	    point = *pointList;
+
+	    /* get the data if the distributionPointName is not omitted */
+	    if (point->derDistPoint.data != NULL) {
+		point->distPointType = (DistributionPointTypes)
+					((point->derDistPoint.data[0] & 0x1f) +1);
+		if (point->distPointType == generalName) {
+		    SECItem innerDER;
+		
+		    innerDER.data = NULL;
+		    rv = SEC_ASN1DecodeItem
+			 (arena, point, FullNameTemplate, &(point->derDistPoint));
+		    if (rv != SECSuccess)
+			break;
+		    point->distPoint.fullName = cert_DecodeGeneralNames
+			(arena, point->derFullName);
+
+		    if (!point->distPoint.fullName)
+			break;
+		}
+		else if ( relativeDistinguishedName) {
+		    rv = SEC_ASN1DecodeItem
+			 (arena, point, RelativeNameTemplate, &(point->derDistPoint));
+		    if (rv != SECSuccess)
+			break;
+		}
+		else {
+		    PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
+		    break;
+		}
+	    }
+
+	    /* Get the reason code if it's not omitted in the encoding */
+	    if (point->bitsmap.data != NULL) {
+		point->reasons.data = (unsigned char*) PORT_ArenaAlloc
+				      (arena, (point->bitsmap.len + 7) >> 3);
+		if (!point->reasons.data) {
+		    rv = SECFailure;
+		    break;
+		}
+		PORT_Memcpy (point->reasons.data, point->bitsmap.data,
+			     point->reasons.len = ((point->bitsmap.len + 7) >> 3));
+	    }
+
+	    /* Get the crl issuer name if it's not omitted in the encoding */
+	    if (point->derCrlIssuer != NULL) {
+		point->crlIssuer = cert_DecodeGeneralNames
+		    (arena, point->derCrlIssuer);
+
+		if (!point->crlIssuer)
+		    break;
+	    }
+	    ++pointList;
+	}
+   } while (0);
+   return (rv == SECSuccess ? value : NULL);
+}
diff --git a/security/nss/lib/ckfw/.cvsignore b/security/nss/lib/ckfw/.cvsignore
new file mode 100644
index 000000000..988228d5a
--- /dev/null
+++ b/security/nss/lib/ckfw/.cvsignore
@@ -0,0 +1,4 @@
+nssckepv.h
+nssckg.h
+nssckft.h
+nssck.api
diff --git a/security/nss/lib/ckfw/Makefile b/security/nss/lib/ckfw/Makefile
new file mode 100644
index 000000000..34b225db3
--- /dev/null
+++ b/security/nss/lib/ckfw/Makefile
@@ -0,0 +1,49 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+# This'll need some help from a build person.
+
+nssckepv.h: ck.api ckapi.perl
+nssckft.h: ck.api ckapi.perl
+nssckg.h: ck.api ckapi.perl
+nssck.api: ck.api ckapi.perl
+	perl ckapi.perl ck.api
+
+export:: private_export
+
diff --git a/security/nss/lib/ckfw/builtins/.cvsignore b/security/nss/lib/ckfw/builtins/.cvsignore
new file mode 100644
index 000000000..ccbbcce86
--- /dev/null
+++ b/security/nss/lib/ckfw/builtins/.cvsignore
@@ -0,0 +1 @@
+certdata.c
diff --git a/security/nss/lib/ckfw/builtins/Makefile b/security/nss/lib/ckfw/builtins/Makefile
new file mode 100644
index 000000000..d58e910d9
--- /dev/null
+++ b/security/nss/lib/ckfw/builtins/Makefile
@@ -0,0 +1,91 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+
+EXTRA_LIBS = \
+	$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
+	$(NULL)
+
+# can't do this in manifest.mn because OS_TARGET isn't defined there.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+EXTRA_LIBS += \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plc4_s.lib \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plds4_s.lib \
+	wsock32.lib \
+	winmm.lib \
+	$(NULL)
+
+else
+
+EXTRA_LIBS += \
+	$(DIST)/lib/$(LIB_PREFIX)plc4.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)plds4.$(LIB_SUFFIX) \
+	$(NULL)
+
+endif
+
+
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+# Generate certdata.c.
+generate:
+	perl certdata.perl < certdata.txt
+
+# This'll need some help from a build person.
+
+
+ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.1)
+DSO_LDOPTS              = -bM:SRE -bh:4 -bnoentry
+EXTRA_DSO_LDOPTS        = -lc
+MKSHLIB                 = xlC $(DSO_LDOPTS)
+
+$(SHARED_LIBRARY): $(OBJS)
+	@$(MAKE_OBJDIR)
+	rm -f $@
+	$(MKSHLIB) -o $@ $(OBJS) $(EXTRA_LIBS) $(EXTRA_DSO_LDOPTS)
+	chmod +x $@
+
+endif
+
+ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.2)
+LD      += -G
+endif 
+
+
diff --git a/security/nss/lib/ckfw/builtins/anchor.c b/security/nss/lib/ckfw/builtins/anchor.c
new file mode 100644
index 000000000..12c77a75c
--- /dev/null
+++ b/security/nss/lib/ckfw/builtins/anchor.c
@@ -0,0 +1,50 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * builtins/anchor.c
+ *
+ * This file "anchors" the actual cryptoki entry points in this module's
+ * shared library, which is required for dynamic loading.  See the 
+ * comments in nssck.api for more information.
+ */
+
+#include "builtins.h"
+
+#define MODULE_NAME builtins
+#define INSTANCE_NAME (NSSCKMDInstance *)&nss_builtins_mdInstance
+#include "nssck.api"
diff --git a/security/nss/lib/ckfw/builtins/bfind.c b/security/nss/lib/ckfw/builtins/bfind.c
new file mode 100644
index 000000000..17b94fa15
--- /dev/null
+++ b/security/nss/lib/ckfw/builtins/bfind.c
@@ -0,0 +1,245 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef BUILTINS_H
+#include "builtins.h"
+#endif /* BUILTINS_H */
+
+/*
+ * builtins/find.c
+ *
+ * This file implements the NSSCKMDFindObjects object for the
+ * "builtin objects" cryptoki module.
+ */
+
+struct builtinsFOStr {
+  NSSArena *arena;
+  CK_ULONG n;
+  CK_ULONG i;
+  builtinsInternalObject **objs;
+};
+
+static void
+builtins_mdFindObjects_Final
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  struct builtinsFOStr *fo = (struct builtinsFOStr *)mdFindObjects->etc;
+  NSSArena *arena = fo->arena;
+
+  nss_ZFreeIf(fo->objs);
+  nss_ZFreeIf(fo);
+  nss_ZFreeIf(mdFindObjects);
+  if ((NSSArena *)NULL != arena) {
+    NSSArena_Destroy(arena);
+  }
+
+  return;
+}
+
+static NSSCKMDObject *
+builtins_mdFindObjects_Next
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+)
+{
+  struct builtinsFOStr *fo = (struct builtinsFOStr *)mdFindObjects->etc;
+  builtinsInternalObject *io;
+
+  if( fo->i == fo->n ) {
+    *pError = CKR_OK;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  io = fo->objs[ fo->i ];
+  fo->i++;
+
+  return nss_builtins_CreateMDObject(arena, io, pError);
+}
+
+static CK_BBOOL
+builtins_attrmatch
+(
+  CK_ATTRIBUTE_PTR a,
+  const NSSItem *b
+)
+{
+  PRBool prb;
+
+  if( a->ulValueLen != b->size ) {
+    return CK_FALSE;
+  }
+
+  prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL);
+
+  if( PR_TRUE == prb ) {
+    return CK_TRUE;
+  } else {
+    return CK_FALSE;
+  }
+}
+
+
+static CK_BBOOL
+builtins_match
+(
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  builtinsInternalObject *o
+)
+{
+  CK_ULONG i;
+
+  for( i = 0; i < ulAttributeCount; i++ ) {
+    CK_ULONG j;
+
+    for( j = 0; j < o->n; j++ ) {
+      if( o->types[j] == pTemplate[i].type ) {
+        if( CK_FALSE == builtins_attrmatch(&pTemplate[i], &o->items[j]) ) {
+          return CK_FALSE;
+        } else {
+          break;
+        }
+      }
+    }
+
+    if( j == o->n ) {
+      /* Loop ran to the end: no matching attribute */
+      return CK_FALSE;
+    }
+  }
+
+  /* Every attribute passed */
+  return CK_TRUE;
+}
+
+NSS_IMPLEMENT NSSCKMDFindObjects *
+nss_builtins_FindObjectsInit
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  /* This could be made more efficient.  I'm rather rushed. */
+  NSSArena *arena;
+  NSSCKMDFindObjects *rv = (NSSCKMDFindObjects *)NULL;
+  struct builtinsFOStr *fo = (struct builtinsFOStr *)NULL;
+  builtinsInternalObject **temp = (builtinsInternalObject **)NULL;
+  PRUint32 i;
+
+  arena = NSSArena_Create();
+  if( (NSSArena *)NULL == arena ) {
+    goto loser;
+  }
+
+  rv = nss_ZNEW(arena, NSSCKMDFindObjects);
+  if( (NSSCKMDFindObjects *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  fo = nss_ZNEW(arena, struct builtinsFOStr);
+  if( (struct builtinsFOStr *)NULL == fo ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  fo->arena = arena;
+  /* fo->n and fo->i are already zero */
+
+  rv->etc = (void *)fo;
+  rv->Final = builtins_mdFindObjects_Final;
+  rv->Next = builtins_mdFindObjects_Next;
+  rv->null = (void *)NULL;
+
+  temp = nss_ZNEWARRAY((NSSArena *)NULL, builtinsInternalObject *, 
+                       nss_builtins_nObjects);
+  if( (builtinsInternalObject **)NULL == temp ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  for( i = 0; i < nss_builtins_nObjects; i++ ) {
+    builtinsInternalObject *o = (builtinsInternalObject *)&nss_builtins_data[i];
+
+    if( CK_TRUE == builtins_match(pTemplate, ulAttributeCount, o) ) {
+      temp[ fo->n ] = o;
+      fo->n++;
+    }
+  }
+
+  fo->objs = nss_ZNEWARRAY(arena, builtinsInternalObject *, fo->n);
+  if( (builtinsInternalObject **)NULL == fo->objs ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  (void)nsslibc_memcpy(fo->objs, temp, sizeof(builtinsInternalObject *) * fo->n);
+  nss_ZFreeIf(temp);
+  temp = (builtinsInternalObject **)NULL;
+
+  return rv;
+
+ loser:
+  nss_ZFreeIf(temp);
+  nss_ZFreeIf(fo);
+  nss_ZFreeIf(rv);
+  if ((NSSArena *)NULL != arena) {
+     NSSArena_Destroy(arena);
+  }
+  return (NSSCKMDFindObjects *)NULL;
+}
+
diff --git a/security/nss/lib/ckfw/builtins/binst.c b/security/nss/lib/ckfw/builtins/binst.c
new file mode 100644
index 000000000..e97c0d4bf
--- /dev/null
+++ b/security/nss/lib/ckfw/builtins/binst.c
@@ -0,0 +1,130 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#include "builtins.h"
+
+/*
+ * builtins/instance.c
+ *
+ * This file implements the NSSCKMDInstance object for the 
+ * "builtin objects" cryptoki module.
+ */
+
+/*
+ * NSSCKMDInstance methods
+ */
+
+static CK_ULONG
+builtins_mdInstance_GetNSlots
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (CK_ULONG)1;
+}
+
+static CK_VERSION
+builtins_mdInstance_GetCryptokiVersion
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_builtins_CryptokiVersion;
+}
+
+static NSSUTF8 *
+builtins_mdInstance_GetManufacturerID
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_builtins_ManufacturerID;
+}
+
+static NSSUTF8 *
+builtins_mdInstance_GetLibraryDescription
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_builtins_LibraryDescription;
+}
+
+static CK_VERSION
+builtins_mdInstance_GetLibraryVersion
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_builtins_LibraryVersion;
+}
+
+static CK_RV
+builtins_mdInstance_GetSlots
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDSlot *slots[]
+)
+{
+  slots[0] = (NSSCKMDSlot *)&nss_builtins_mdSlot;
+  return CKR_OK;
+}
+
+NSS_IMPLEMENT_DATA const NSSCKMDInstance
+nss_builtins_mdInstance = {
+  (void *)NULL, /* etc */
+  NULL, /* Initialize */
+  NULL, /* Finalize */
+  builtins_mdInstance_GetNSlots,
+  builtins_mdInstance_GetCryptokiVersion,
+  builtins_mdInstance_GetManufacturerID,
+  builtins_mdInstance_GetLibraryDescription,
+  builtins_mdInstance_GetLibraryVersion,
+  NULL, /* ModuleHandlesSessionObjects -- defaults to false */
+  builtins_mdInstance_GetSlots,
+  NULL, /* WaitForSlotEvent */
+  (void *)NULL /* null terminator */
+};
diff --git a/security/nss/lib/ckfw/builtins/bobject.c b/security/nss/lib/ckfw/builtins/bobject.c
new file mode 100644
index 000000000..9ad2ccaec
--- /dev/null
+++ b/security/nss/lib/ckfw/builtins/bobject.c
@@ -0,0 +1,249 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#include "builtins.h"
+
+/*
+ * builtins/object.c
+ *
+ * This file implements the NSSCKMDObject object for the
+ * "builtin objects" cryptoki module.
+ */
+
+/*
+ * Finalize - unneeded
+ * Destroy - CKR_SESSION_READ_ONLY
+ * IsTokenObject - CK_TRUE
+ * GetAttributeCount
+ * GetAttributeTypes
+ * GetAttributeSize
+ * GetAttribute
+ * SetAttribute - unneeded
+ * GetObjectSize
+ */
+
+static CK_RV
+builtins_mdObject_Destroy
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return CKR_SESSION_READ_ONLY;
+}
+
+static CK_BBOOL
+builtins_mdObject_IsTokenObject
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return CK_TRUE;
+}
+
+static CK_ULONG
+builtins_mdObject_GetAttributeCount
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc;
+  return io->n;
+}
+
+static CK_RV
+builtins_mdObject_GetAttributeTypes
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount
+)
+{
+  builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc;
+  CK_ULONG i;
+
+  if( io->n != ulCount ) {
+    return CKR_BUFFER_TOO_SMALL;
+  }
+
+  for( i = 0; i < io->n; i++ ) {
+    typeArray[i] = io->types[i];
+  }
+
+  return CKR_OK;
+}
+
+static CK_ULONG
+builtins_mdObject_GetAttributeSize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+  builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc;
+  CK_ULONG i;
+
+  for( i = 0; i < io->n; i++ ) {
+    if( attribute == io->types[i] ) {
+      return (CK_ULONG)(io->items[i].size);
+    }
+  }
+
+  *pError = CKR_ATTRIBUTE_TYPE_INVALID;
+  return 0;
+}
+
+static const NSSItem *
+builtins_mdObject_GetAttribute
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+  builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc;
+  CK_ULONG i;
+
+  for( i = 0; i < io->n; i++ ) {
+    if( attribute == io->types[i] ) {
+      return &io->items[i];
+    }
+  }
+
+  *pError = CKR_ATTRIBUTE_TYPE_INVALID;
+  return (NSSItem *)NULL;
+}
+
+static CK_ULONG
+builtins_mdObject_GetObjectSize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc;
+  CK_ULONG i;
+  CK_ULONG rv = sizeof(CK_ULONG);
+
+  for( i = 0; i < io->n; i++ ) {
+    rv += sizeof(CK_ATTRIBUTE_TYPE) + sizeof(NSSItem) + io->items[i].size;
+  }
+
+  return rv;
+}
+
+static const NSSCKMDObject
+builtins_prototype_mdObject = {
+  (void *)NULL, /* etc */
+  NULL, /* Finalize */
+  builtins_mdObject_Destroy,
+  builtins_mdObject_IsTokenObject,
+  builtins_mdObject_GetAttributeCount,
+  builtins_mdObject_GetAttributeTypes,
+  builtins_mdObject_GetAttributeSize,
+  builtins_mdObject_GetAttribute,
+  NULL, /* SetAttribute */
+  builtins_mdObject_GetObjectSize,
+  (void *)NULL /* null terminator */
+};
+
+NSS_IMPLEMENT NSSCKMDObject *
+nss_builtins_CreateMDObject
+(
+  NSSArena *arena,
+  builtinsInternalObject *io,
+  CK_RV *pError
+)
+{
+  if ( (void*)NULL == io->mdObject.etc) {
+    (void) nsslibc_memcpy(&io->mdObject,&builtins_prototype_mdObject,
+					sizeof(builtins_prototype_mdObject));
+    io->mdObject.etc = (void *)io;
+  }
+
+  return &io->mdObject;
+}
diff --git a/security/nss/lib/ckfw/builtins/bsession.c b/security/nss/lib/ckfw/builtins/bsession.c
new file mode 100644
index 000000000..e8d7f7522
--- /dev/null
+++ b/security/nss/lib/ckfw/builtins/bsession.c
@@ -0,0 +1,108 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#include "builtins.h"
+
+/*
+ * builtins/session.c
+ *
+ * This file implements the NSSCKMDSession object for the 
+ * "builtin objects" cryptoki module.
+ */
+
+static NSSCKMDFindObjects *
+builtins_mdSession_FindObjectsInit
+(
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  return nss_builtins_FindObjectsInit(fwSession, pTemplate, ulAttributeCount, pError);
+}
+
+NSS_IMPLEMENT NSSCKMDSession *
+nss_builtins_CreateSession
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+)
+{
+  NSSArena *arena;
+  NSSCKMDSession *rv;
+
+  arena = NSSCKFWSession_GetArena(fwSession, pError);
+  if( (NSSArena *)NULL == arena ) {
+    return (NSSCKMDSession *)NULL;
+  }
+
+  rv = nss_ZNEW(arena, NSSCKMDSession);
+  if( (NSSCKMDSession *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDSession *)NULL;
+  }
+
+  /* 
+   * rv was zeroed when allocated, so we only 
+   * need to set the non-zero members.
+   */
+
+  rv->etc = (void *)fwSession;
+  /* rv->Close */
+  /* rv->GetDeviceError */
+  /* rv->Login */
+  /* rv->Logout */
+  /* rv->InitPIN */
+  /* rv->SetPIN */
+  /* rv->GetOperationStateLen */
+  /* rv->GetOperationState */
+  /* rv->SetOperationState */
+  /* rv->CreateObject */
+  /* rv->CopyObject */
+  rv->FindObjectsInit = builtins_mdSession_FindObjectsInit;
+  /* rv->SeedRandom */
+  /* rv->GetRandom */
+  /* rv->null */
+
+  return rv;
+}
diff --git a/security/nss/lib/ckfw/builtins/bslot.c b/security/nss/lib/ckfw/builtins/bslot.c
new file mode 100644
index 000000000..1a2df9e70
--- /dev/null
+++ b/security/nss/lib/ckfw/builtins/bslot.c
@@ -0,0 +1,124 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#include "builtins.h"
+
+/*
+ * builtins/slot.c
+ *
+ * This file implements the NSSCKMDSlot object for the
+ * "builtin objects" cryptoki module.
+ */
+
+static NSSUTF8 *
+builtins_mdSlot_GetSlotDescription
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_builtins_SlotDescription;
+}
+
+static NSSUTF8 *
+builtins_mdSlot_GetManufacturerID
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_builtins_ManufacturerID;
+}
+
+static CK_VERSION
+builtins_mdSlot_GetHardwareVersion
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_builtins_HardwareVersion;
+}
+
+static CK_VERSION
+builtins_mdSlot_GetFirmwareVersion
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_builtins_FirmwareVersion;
+}
+
+static NSSCKMDToken *
+builtins_mdSlot_GetToken
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSCKMDToken *)&nss_builtins_mdToken;
+}
+
+NSS_IMPLEMENT_DATA const NSSCKMDSlot
+nss_builtins_mdSlot = {
+  (void *)NULL, /* etc */
+  NULL, /* Initialize */
+  NULL, /* Destroy */
+  builtins_mdSlot_GetSlotDescription,
+  builtins_mdSlot_GetManufacturerID,
+  NULL, /* GetTokenPresent -- defaults to true */
+  NULL, /* GetRemovableDevice -- defaults to false */
+  NULL, /* GetHardwareSlot -- defaults to false */
+  builtins_mdSlot_GetHardwareVersion,
+  builtins_mdSlot_GetFirmwareVersion,
+  builtins_mdSlot_GetToken,
+  (void *)NULL /* null terminator */
+};
diff --git a/security/nss/lib/ckfw/builtins/btoken.c b/security/nss/lib/ckfw/builtins/btoken.c
new file mode 100644
index 000000000..ddf068e8e
--- /dev/null
+++ b/security/nss/lib/ckfw/builtins/btoken.c
@@ -0,0 +1,184 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#include "builtins.h"
+
+/*
+ * builtins/token.c
+ *
+ * This file implements the NSSCKMDToken object for the
+ * "builtin objects" cryptoki module.
+ */
+
+static NSSUTF8 *
+builtins_mdToken_GetLabel
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_builtins_TokenLabel;
+}
+
+static NSSUTF8 *
+builtins_mdToken_GetManufacturerID
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_builtins_ManufacturerID;
+}
+
+static NSSUTF8 *
+builtins_mdToken_GetModel
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_builtins_TokenModel;
+}
+
+static NSSUTF8 *
+builtins_mdToken_GetSerialNumber
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_builtins_TokenSerialNumber;
+}
+
+static CK_BBOOL
+builtins_mdToken_GetIsWriteProtected
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return CK_TRUE;
+}
+
+static CK_VERSION
+builtins_mdToken_GetHardwareVersion
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_builtins_HardwareVersion;
+}
+
+static CK_VERSION
+builtins_mdToken_GetFirmwareVersion
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_builtins_FirmwareVersion;
+}
+
+static NSSCKMDSession *
+builtins_mdToken_OpenSession
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWSession *fwSession,
+  CK_BBOOL rw,
+  CK_RV *pError
+)
+{
+  return nss_builtins_CreateSession(fwSession, pError);
+}
+
+NSS_IMPLEMENT_DATA const NSSCKMDToken
+nss_builtins_mdToken = {
+  (void *)NULL, /* etc */
+  NULL, /* Setup */
+  NULL, /* Invalidate */
+  NULL, /* InitToken -- default errs */
+  builtins_mdToken_GetLabel,
+  builtins_mdToken_GetManufacturerID,
+  builtins_mdToken_GetModel,
+  builtins_mdToken_GetSerialNumber,
+  NULL, /* GetHasRNG -- default is false */
+  builtins_mdToken_GetIsWriteProtected,
+  NULL, /* GetLoginRequired -- default is false */
+  NULL, /* GetUserPinInitialized -- default is false */
+  NULL, /* GetRestoreKeyNotNeeded -- irrelevant */
+  NULL, /* GetHasClockOnToken -- default is false */
+  NULL, /* GetHasProtectedAuthenticationPath -- default is false */
+  NULL, /* GetSupportsDualCryptoOperations -- default is false */
+  NULL, /* GetMaxSessionCount -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetMaxRwSessionCount -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetMaxPinLen -- irrelevant */
+  NULL, /* GetMinPinLen -- irrelevant */
+  NULL, /* GetTotalPublicMemory -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetFreePublicMemory -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetTotalPrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetFreePrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */
+  builtins_mdToken_GetHardwareVersion,
+  builtins_mdToken_GetFirmwareVersion,
+  NULL, /* GetUTCTime -- no clock */
+  builtins_mdToken_OpenSession,
+  NULL, /* GetMechanismCount -- default is zero */
+  NULL, /* GetMechanismTypes -- irrelevant */
+  NULL, /* GetMechanism -- irrelevant */
+  (void *)NULL /* null terminator */
+};
diff --git a/security/nss/lib/ckfw/builtins/builtins.h b/security/nss/lib/ckfw/builtins/builtins.h
new file mode 100644
index 000000000..e53826fed
--- /dev/null
+++ b/security/nss/lib/ckfw/builtins/builtins.h
@@ -0,0 +1,104 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char BUILTINS_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#include "nssckmdt.h"
+#include "nssckfw.h"
+
+/*
+ * I'm including this for access to the arena functions.
+ * Looks like we should publish that API.
+ */
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+/*
+ * This is where the Netscape extensions live, at least for now.
+ */
+#ifndef CKT_H
+#include "ckt.h"
+#endif /* CKT_H */
+
+struct builtinsInternalObjectStr {
+  CK_ULONG n;
+  const CK_ATTRIBUTE_TYPE *types;
+  const NSSItem *items;
+  NSSCKMDObject mdObject;
+};
+typedef struct builtinsInternalObjectStr builtinsInternalObject;
+
+NSS_EXTERN_DATA builtinsInternalObject nss_builtins_data[];
+NSS_EXTERN_DATA const PRUint32               nss_builtins_nObjects;
+
+NSS_EXTERN_DATA const CK_VERSION   nss_builtins_CryptokiVersion;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_builtins_ManufacturerID;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_builtins_LibraryDescription;
+NSS_EXTERN_DATA const CK_VERSION   nss_builtins_LibraryVersion;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_builtins_SlotDescription;
+NSS_EXTERN_DATA const CK_VERSION   nss_builtins_HardwareVersion;
+NSS_EXTERN_DATA const CK_VERSION   nss_builtins_FirmwareVersion;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_builtins_TokenLabel;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_builtins_TokenModel;
+NSS_EXTERN_DATA const NSSUTF8 *    nss_builtins_TokenSerialNumber;
+
+NSS_EXTERN_DATA const NSSCKMDInstance nss_builtins_mdInstance;
+NSS_EXTERN_DATA const NSSCKMDSlot     nss_builtins_mdSlot;
+NSS_EXTERN_DATA const NSSCKMDToken    nss_builtins_mdToken;
+
+NSS_EXTERN NSSCKMDSession *
+nss_builtins_CreateSession
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDFindObjects *
+nss_builtins_FindObjectsInit
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDObject *
+nss_builtins_CreateMDObject
+(
+  NSSArena *arena,
+  builtinsInternalObject *io,
+  CK_RV *pError
+);
diff --git a/security/nss/lib/ckfw/builtins/certdata.c b/security/nss/lib/ckfw/builtins/certdata.c
new file mode 100644
index 000000000..d835994fe
--- /dev/null
+++ b/security/nss/lib/ckfw/builtins/certdata.c
@@ -0,0 +1,11421 @@
+/* THIS IS A GENERATED FILE */
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$""; @(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef BUILTINS_H
+#include "builtins.h"
+#endif /* BUILTINS_H */
+
+static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
+static const CK_CERTIFICATE_TYPE ckc_x_509 = CKC_X_509;
+static const CK_BBOOL ck_false = CK_FALSE;
+static const CK_TRUST ckt_netscape_valid = CKT_NETSCAPE_VALID;
+static const CK_TRUST ckt_netscape_trusted_delegator = CKT_NETSCAPE_TRUSTED_DELEGATOR;
+static const CK_OBJECT_CLASS cko_data = CKO_DATA;
+static const CK_BBOOL ck_true = CK_TRUE;
+static const CK_OBJECT_CLASS cko_netscape_builtin_root_list = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
+static const CK_OBJECT_CLASS cko_netscape_trust = CKO_NETSCAPE_TRUST;
+static const CK_TRUST ckt_netscape_valid_delegator = CKT_NETSCAPE_VALID_DELEGATOR;
+#ifdef DEBUG
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_0 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_APPLICATION,  CKA_VALUE
+};
+#endif /* DEBUG */
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_1 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_2 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_3 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_4 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_5 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_6 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_7 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_8 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_9 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_10 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_11 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_12 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_13 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_14 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_15 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_16 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_17 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_18 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_19 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_20 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_21 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_22 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_23 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_24 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_25 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_26 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_27 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_28 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_29 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_30 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_31 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_32 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_33 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_34 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_35 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_36 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_37 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_38 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_39 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_40 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_41 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_42 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_43 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_44 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_45 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_46 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_47 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_48 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_49 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_50 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_51 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_52 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_53 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_54 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_55 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_56 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_57 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_58 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_59 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_60 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_61 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_62 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_63 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_64 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_65 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_66 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_67 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_68 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_69 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_70 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_71 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_72 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_73 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_74 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_75 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_76 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_77 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_78 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_79 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_80 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_81 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_82 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_83 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_84 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_85 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_86 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_87 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_88 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_89 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_90 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_91 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_92 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_93 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_94 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_95 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_96 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_97 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_98 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_99 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_100 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_101 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_102 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_103 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_104 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_105 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_106 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_107 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_108 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_109 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_110 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_111 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_112 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_113 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_114 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_115 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_116 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_117 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_118 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_119 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_120 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_121 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_122 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_123 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_124 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_125 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_126 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_127 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_128 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_129 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_130 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_131 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_132 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_133 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_134 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_135 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_136 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_137 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_138 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_139 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_140 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_141 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_142 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_143 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_144 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_145 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_146 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_147 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_148 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_149 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_150 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_151 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_152 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_153 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_154 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_155 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_156 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_157 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_158 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_159 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_160 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_161 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_162 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_163 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_164 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_165 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_166 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_167 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_168 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_169 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_170 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_171 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_172 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_173 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_174 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_175 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_176 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_177 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_CERT_MD5_HASH,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_178 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_179 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_180 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERTIFICATE_TYPE,  CKA_SUBJECT,  CKA_ID,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_VALUE
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_181 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING
+};
+#ifdef DEBUG
+static const NSSItem nss_builtins_items_0 [] = {
+  { (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"CVS ID", (PRUint32)7 },
+  { (void *)"NSS", (PRUint32)4 },
+  { (void *)"@(#) $RCSfile$ $Revision$ $Date$ $Name$""; @(#) $RCSfile$ $Revision$ $Date$ $Name$", (PRUint32)179 }
+};
+#endif /* DEBUG */
+static const NSSItem nss_builtins_items_1 [] = {
+  { (void *)&cko_netscape_builtin_root_list, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Mozilla Builtin Roots", (PRUint32)22 }
+};
+static const NSSItem nss_builtins_items_2 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign/RSA Secure Server CA", (PRUint32)30 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\040\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141"
+"\164\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143"
+"\056\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165"
+"\162\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146"
+"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)97 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\040\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141"
+"\164\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143"
+"\056\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165"
+"\162\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146"
+"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)97 },
+  { (void *)"\002\255\146\176\116\105\376\136\127\157\074\230\031\136\335\300"
+, (PRUint32)16 },
+  { (void *)"\060\202\002\064\060\202\001\241\002\020\002\255\146\176\116\105"
+"\376\136\127\157\074\230\031\136\335\300\060\015\006\011\052\206"
+"\110\206\367\015\001\001\002\005\000\060\137\061\013\060\011\006"
+"\003\125\004\006\023\002\125\123\061\040\060\036\006\003\125\004"
+"\012\023\027\122\123\101\040\104\141\164\141\040\123\145\143\165"
+"\162\151\164\171\054\040\111\156\143\056\061\056\060\054\006\003"
+"\125\004\013\023\045\123\145\143\165\162\145\040\123\145\162\166"
+"\145\162\040\103\145\162\164\151\146\151\143\141\164\151\157\156"
+"\040\101\165\164\150\157\162\151\164\171\060\036\027\015\071\064"
+"\061\061\060\071\060\060\060\060\060\060\132\027\015\061\060\060"
+"\061\060\067\062\063\065\071\065\071\132\060\137\061\013\060\011"
+"\006\003\125\004\006\023\002\125\123\061\040\060\036\006\003\125"
+"\004\012\023\027\122\123\101\040\104\141\164\141\040\123\145\143"
+"\165\162\151\164\171\054\040\111\156\143\056\061\056\060\054\006"
+"\003\125\004\013\023\045\123\145\143\165\162\145\040\123\145\162"
+"\166\145\162\040\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\101\165\164\150\157\162\151\164\171\060\201\233\060\015"
+"\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\211"
+"\000\060\201\205\002\176\000\222\316\172\301\256\203\076\132\252"
+"\211\203\127\254\045\001\166\014\255\256\216\054\067\316\353\065"
+"\170\144\124\003\345\204\100\121\311\277\217\010\342\212\202\010"
+"\322\026\206\067\125\351\261\041\002\255\166\150\201\232\005\242"
+"\113\311\113\045\146\042\126\154\210\007\217\367\201\131\155\204"
+"\007\145\160\023\161\166\076\233\167\114\343\120\211\126\230\110"
+"\271\035\247\051\032\023\056\112\021\131\234\036\025\325\111\124"
+"\054\163\072\151\202\261\227\071\234\155\160\147\110\345\335\055"
+"\326\310\036\173\002\003\001\000\001\060\015\006\011\052\206\110"
+"\206\367\015\001\001\002\005\000\003\176\000\145\335\176\341\262"
+"\354\260\342\072\340\354\161\106\232\031\021\270\323\307\240\264"
+"\003\100\046\002\076\011\234\341\022\263\321\132\366\067\245\267"
+"\141\003\266\133\026\151\073\306\104\010\014\210\123\014\153\227"
+"\111\307\076\065\334\154\271\273\252\337\134\273\072\057\223\140"
+"\266\251\113\115\362\040\367\315\137\177\144\173\216\334\000\134"
+"\327\372\167\312\071\026\131\157\016\352\323\265\203\177\115\115"
+"\102\126\166\264\311\137\004\370\070\370\353\322\137\165\137\315"
+"\173\374\345\216\200\174\374\120"
+, (PRUint32)568 }
+};
+static const NSSItem nss_builtins_items_3 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign/RSA Secure Server CA", (PRUint32)30 },
+  { (void *)"\104\143\305\061\327\314\301\000\147\224\141\053\266\126\323\277"
+"\202\127\204\157"
+, (PRUint32)20 },
+  { (void *)"\164\173\202\003\103\360\000\236\153\263\354\107\277\205\245\223"
+, (PRUint32)16 },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\040\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141"
+"\164\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143"
+"\056\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165"
+"\162\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146"
+"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)97 },
+  { (void *)"\002\255\146\176\116\105\376\136\127\157\074\230\031\136\335\300"
+, (PRUint32)16 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_4 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"GTE CyberTrust Root CA", (PRUint32)23 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\105\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157"
+"\162\160\157\162\141\164\151\157\156\061\034\060\032\006\003\125"
+"\004\003\023\023\107\124\105\040\103\171\142\145\162\124\162\165"
+"\163\164\040\122\157\157\164"
+, (PRUint32)71 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\105\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157"
+"\162\160\157\162\141\164\151\157\156\061\034\060\032\006\003\125"
+"\004\003\023\023\107\124\105\040\103\171\142\145\162\124\162\165"
+"\163\164\040\122\157\157\164"
+, (PRUint32)71 },
+  { (void *)"\001\243"
+, (PRUint32)2 },
+  { (void *)"\060\202\001\372\060\202\001\143\002\002\001\243\060\015\006\011"
+"\052\206\110\206\367\015\001\001\004\005\000\060\105\061\013\060"
+"\011\006\003\125\004\006\023\002\125\123\061\030\060\026\006\003"
+"\125\004\012\023\017\107\124\105\040\103\157\162\160\157\162\141"
+"\164\151\157\156\061\034\060\032\006\003\125\004\003\023\023\107"
+"\124\105\040\103\171\142\145\162\124\162\165\163\164\040\122\157"
+"\157\164\060\036\027\015\071\066\060\062\062\063\062\063\060\061"
+"\060\060\132\027\015\060\066\060\062\062\063\062\063\065\071\060"
+"\060\132\060\105\061\013\060\011\006\003\125\004\006\023\002\125"
+"\123\061\030\060\026\006\003\125\004\012\023\017\107\124\105\040"
+"\103\157\162\160\157\162\141\164\151\157\156\061\034\060\032\006"
+"\003\125\004\003\023\023\107\124\105\040\103\171\142\145\162\124"
+"\162\165\163\164\040\122\157\157\164\060\201\237\060\015\006\011"
+"\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060"
+"\201\211\002\201\201\000\270\346\117\272\333\230\174\161\174\257"
+"\104\267\323\017\106\331\144\345\223\301\102\216\307\272\111\215"
+"\065\055\172\347\213\275\345\005\061\131\306\261\057\012\014\373"
+"\237\247\077\242\011\146\204\126\036\067\051\033\207\351\176\014"
+"\312\232\237\245\177\365\025\224\243\325\242\106\202\330\150\114"
+"\321\067\025\006\150\257\275\370\260\263\360\051\365\225\132\011"
+"\026\141\167\012\042\045\324\117\105\252\307\275\345\226\337\371"
+"\324\250\216\102\314\044\300\036\221\047\112\265\155\006\200\143"
+"\071\304\242\136\070\003\002\003\001\000\001\060\015\006\011\052"
+"\206\110\206\367\015\001\001\004\005\000\003\201\201\000\022\263"
+"\165\306\137\035\341\141\125\200\000\324\201\113\173\061\017\043"
+"\143\347\075\363\003\371\364\066\250\273\331\343\245\227\115\352"
+"\053\051\340\326\152\163\201\346\300\211\243\323\361\340\245\245"
+"\042\067\232\143\302\110\040\264\333\162\343\310\366\331\174\276"
+"\261\257\123\332\024\264\041\270\326\325\226\343\376\116\014\131"
+"\142\266\232\112\371\102\335\214\157\201\251\161\377\364\012\162"
+"\155\155\104\016\235\363\164\164\250\325\064\111\351\136\236\351"
+"\264\172\341\345\132\037\204\060\234\323\237\245\045\330"
+, (PRUint32)510 }
+};
+static const NSSItem nss_builtins_items_5 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"GTE CyberTrust Root CA", (PRUint32)23 },
+  { (void *)"\220\336\336\236\114\116\237\157\330\206\027\127\235\323\221\274"
+"\145\246\211\144"
+, (PRUint32)20 },
+  { (void *)"\304\327\360\262\243\305\175\141\147\360\004\315\103\323\272\130"
+, (PRUint32)16 },
+  { (void *)"\060\105\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157"
+"\162\160\157\162\141\164\151\157\156\061\034\060\032\006\003\125"
+"\004\003\023\023\107\124\105\040\103\171\142\145\162\124\162\165"
+"\163\164\040\122\157\157\164"
+, (PRUint32)71 },
+  { (void *)"\001\243"
+, (PRUint32)2 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_6 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"GTE CyberTrust Global Root", (PRUint32)27 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157"
+"\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125"
+"\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165"
+"\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156"
+"\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105"
+"\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142"
+"\141\154\040\122\157\157\164"
+, (PRUint32)119 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157"
+"\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125"
+"\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165"
+"\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156"
+"\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105"
+"\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142"
+"\141\154\040\122\157\157\164"
+, (PRUint32)119 },
+  { (void *)"\001\245"
+, (PRUint32)2 },
+  { (void *)"\060\202\002\132\060\202\001\303\002\002\001\245\060\015\006\011"
+"\052\206\110\206\367\015\001\001\004\005\000\060\165\061\013\060"
+"\011\006\003\125\004\006\023\002\125\123\061\030\060\026\006\003"
+"\125\004\012\023\017\107\124\105\040\103\157\162\160\157\162\141"
+"\164\151\157\156\061\047\060\045\006\003\125\004\013\023\036\107"
+"\124\105\040\103\171\142\145\162\124\162\165\163\164\040\123\157"
+"\154\165\164\151\157\156\163\054\040\111\156\143\056\061\043\060"
+"\041\006\003\125\004\003\023\032\107\124\105\040\103\171\142\145"
+"\162\124\162\165\163\164\040\107\154\157\142\141\154\040\122\157"
+"\157\164\060\036\027\015\071\070\060\070\061\063\060\060\062\071"
+"\060\060\132\027\015\061\070\060\070\061\063\062\063\065\071\060"
+"\060\132\060\165\061\013\060\011\006\003\125\004\006\023\002\125"
+"\123\061\030\060\026\006\003\125\004\012\023\017\107\124\105\040"
+"\103\157\162\160\157\162\141\164\151\157\156\061\047\060\045\006"
+"\003\125\004\013\023\036\107\124\105\040\103\171\142\145\162\124"
+"\162\165\163\164\040\123\157\154\165\164\151\157\156\163\054\040"
+"\111\156\143\056\061\043\060\041\006\003\125\004\003\023\032\107"
+"\124\105\040\103\171\142\145\162\124\162\165\163\164\040\107\154"
+"\157\142\141\154\040\122\157\157\164\060\201\237\060\015\006\011"
+"\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060"
+"\201\211\002\201\201\000\225\017\240\266\360\120\234\350\172\307"
+"\210\315\335\027\016\056\260\224\320\033\075\016\366\224\300\212"
+"\224\307\006\310\220\227\310\270\144\032\172\176\154\074\123\341"
+"\067\050\163\140\177\262\227\123\007\237\123\371\155\130\224\322"
+"\257\215\155\210\147\200\346\355\262\225\317\162\061\312\245\034"
+"\162\272\134\002\347\144\102\347\371\251\054\326\072\015\254\215"
+"\102\252\044\001\071\346\234\077\001\205\127\015\130\207\105\370"
+"\323\205\252\223\151\046\205\160\110\200\077\022\025\307\171\264"
+"\037\005\057\073\142\231\002\003\001\000\001\060\015\006\011\052"
+"\206\110\206\367\015\001\001\004\005\000\003\201\201\000\155\353"
+"\033\011\351\136\331\121\333\147\042\141\244\052\074\110\167\343"
+"\240\174\246\336\163\242\024\003\205\075\373\253\016\060\305\203"
+"\026\063\201\023\010\236\173\064\116\337\100\310\164\327\271\175"
+"\334\364\166\125\175\233\143\124\030\351\360\352\363\134\261\331"
+"\213\102\036\271\300\225\116\272\372\325\342\174\365\150\141\277"
+"\216\354\005\227\137\133\260\327\243\205\064\304\044\247\015\017"
+"\225\223\357\313\224\330\236\037\235\134\205\155\307\252\256\117"
+"\037\042\265\315\225\255\272\247\314\371\253\013\172\177"
+, (PRUint32)606 }
+};
+static const NSSItem nss_builtins_items_7 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"GTE CyberTrust Global Root", (PRUint32)27 },
+  { (void *)"\227\201\171\120\330\034\226\160\314\064\330\011\317\171\104\061"
+"\066\176\364\164"
+, (PRUint32)20 },
+  { (void *)"\312\075\323\150\361\003\134\320\062\372\270\053\131\350\132\333"
+, (PRUint32)16 },
+  { (void *)"\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157"
+"\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125"
+"\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165"
+"\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156"
+"\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105"
+"\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142"
+"\141\154\040\122\157\157\164"
+, (PRUint32)119 },
+  { (void *)"\001\245"
+, (PRUint32)2 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_8 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"GTE CyberTrust Root 5", (PRUint32)22 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\160\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157"
+"\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125"
+"\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165"
+"\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156"
+"\143\056\061\036\060\034\006\003\125\004\003\023\025\107\124\105"
+"\040\103\171\142\145\162\124\162\165\163\164\040\122\157\157\164"
+"\040\065"
+, (PRUint32)114 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\160\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157"
+"\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125"
+"\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165"
+"\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156"
+"\143\056\061\036\060\034\006\003\125\004\003\023\025\107\124\105"
+"\040\103\171\142\145\162\124\162\165\163\164\040\122\157\157\164"
+"\040\065"
+, (PRUint32)114 },
+  { (void *)"\001\266"
+, (PRUint32)2 },
+  { (void *)"\060\202\003\266\060\202\002\236\240\003\002\001\002\002\002\001"
+"\266\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000"
+"\060\160\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157"
+"\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125"
+"\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165"
+"\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156"
+"\143\056\061\036\060\034\006\003\125\004\003\023\025\107\124\105"
+"\040\103\171\142\145\162\124\162\165\163\164\040\122\157\157\164"
+"\040\065\060\036\027\015\071\070\060\070\061\064\061\064\065\060"
+"\060\060\132\027\015\061\063\060\070\061\064\062\063\065\071\060"
+"\060\132\060\160\061\013\060\011\006\003\125\004\006\023\002\125"
+"\123\061\030\060\026\006\003\125\004\012\023\017\107\124\105\040"
+"\103\157\162\160\157\162\141\164\151\157\156\061\047\060\045\006"
+"\003\125\004\013\023\036\107\124\105\040\103\171\142\145\162\124"
+"\162\165\163\164\040\123\157\154\165\164\151\157\156\163\054\040"
+"\111\156\143\056\061\036\060\034\006\003\125\004\003\023\025\107"
+"\124\105\040\103\171\142\145\162\124\162\165\163\164\040\122\157"
+"\157\164\040\065\060\202\001\042\060\015\006\011\052\206\110\206"
+"\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012"
+"\002\202\001\001\000\274\022\156\077\212\174\172\227\001\354\036"
+"\273\071\132\002\364\170\104\242\110\033\216\173\111\122\172\270"
+"\173\107\263\257\224\233\157\273\226\372\053\152\145\134\270\034"
+"\224\163\276\277\211\012\042\200\356\127\374\214\005\273\160\237"
+"\227\071\004\332\243\207\134\250\345\312\257\300\063\232\325\067"
+"\134\113\254\344\200\320\246\043\140\373\375\162\056\224\235\307"
+"\316\302\004\062\357\170\140\135\355\255\207\017\105\145\036\074"
+"\232\012\232\276\135\035\231\354\347\362\321\306\172\027\331\255"
+"\233\124\226\177\304\174\140\277\205\252\025\065\035\100\332\021"
+"\274\354\124\041\050\055\043\241\250\360\317\055\315\335\374\176"
+"\017\136\341\145\007\126\313\007\264\322\126\350\136\061\314\030"
+"\143\304\206\322\055\205\317\223\222\253\155\376\150\071\373\336"
+"\163\275\206\370\344\106\172\352\237\014\313\364\031\376\143\274"
+"\321\054\173\210\063\066\366\344\341\234\014\123\201\140\034\332"
+"\056\253\226\251\026\210\023\120\231\262\275\125\337\025\060\176"
+"\350\345\230\373\160\176\154\265\007\374\374\106\267\320\355\067"
+"\226\176\062\376\041\002\003\001\000\001\243\132\060\130\060\022"
+"\006\003\125\035\023\001\001\377\004\010\060\006\001\001\377\002"
+"\001\005\060\016\006\003\125\035\017\001\001\377\004\004\003\002"
+"\001\006\060\027\006\003\125\035\040\004\020\060\016\060\014\006"
+"\012\052\206\110\206\370\143\001\002\001\003\060\031\006\003\125"
+"\035\016\004\022\004\020\166\012\111\041\070\114\237\336\370\304"
+"\111\307\161\161\221\235\060\015\006\011\052\206\110\206\367\015"
+"\001\001\005\005\000\003\202\001\001\000\101\072\324\030\133\332"
+"\270\336\041\034\341\216\011\345\361\150\064\377\336\226\364\007"
+"\365\247\074\363\254\112\261\233\372\222\372\233\355\346\062\041"
+"\252\112\166\305\334\117\070\345\337\325\206\344\325\310\166\175"
+"\230\327\261\315\217\115\265\221\043\154\213\212\353\352\174\357"
+"\024\224\304\306\360\037\112\055\062\161\143\053\143\221\046\002"
+"\011\266\200\035\355\342\314\270\177\333\207\143\310\341\320\154"
+"\046\261\065\035\100\146\020\033\315\225\124\030\063\141\354\023"
+"\117\332\023\367\231\257\076\320\317\216\246\162\242\263\303\005"
+"\232\311\047\175\222\314\176\122\215\263\253\160\155\236\211\237"
+"\115\353\032\165\302\230\252\325\002\026\327\014\212\277\045\344"
+"\353\055\274\230\351\130\070\031\174\271\067\376\333\342\231\010"
+"\163\006\307\227\203\152\175\020\001\057\062\271\027\005\112\145"
+"\346\057\316\276\136\123\246\202\351\232\123\012\204\164\055\203"
+"\312\310\224\026\166\137\224\141\050\360\205\247\071\273\327\213"
+"\331\250\262\023\035\124\011\064\044\175\040\201\175\146\176\242"
+"\220\164\134\020\306\275\354\253\033\302"
+, (PRUint32)954 }
+};
+static const NSSItem nss_builtins_items_9 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"GTE CyberTrust Root 5", (PRUint32)22 },
+  { (void *)"\107\305\114\274\332\135\166\316\142\210\070\021\254\021\146\135"
+"\125\364\054\000"
+, (PRUint32)20 },
+  { (void *)"\175\154\206\344\374\115\321\013\000\272\042\273\116\174\152\216"
+, (PRUint32)16 },
+  { (void *)"\060\160\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157"
+"\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125"
+"\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165"
+"\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156"
+"\143\056\061\036\060\034\006\003\125\004\003\023\025\107\124\105"
+"\040\103\171\142\145\162\124\162\165\163\164\040\122\157\157\164"
+"\040\065"
+, (PRUint32)114 },
+  { (void *)"\001\266"
+, (PRUint32)2 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_10 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"GTE CyberTrust Japan Root CA", (PRUint32)29 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\121\061\013\060\011\006\003\125\004\006\023\002\112\120\061"
+"\037\060\035\006\003\125\004\012\023\026\103\171\142\145\162\124"
+"\162\165\163\164\040\112\141\160\141\156\054\040\111\156\143\056"
+"\061\041\060\037\006\003\125\004\003\023\030\103\171\142\145\162"
+"\124\162\165\163\164\040\112\101\120\101\116\040\122\157\157\164"
+"\040\103\101"
+, (PRUint32)83 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\121\061\013\060\011\006\003\125\004\006\023\002\112\120\061"
+"\037\060\035\006\003\125\004\012\023\026\103\171\142\145\162\124"
+"\162\165\163\164\040\112\141\160\141\156\054\040\111\156\143\056"
+"\061\041\060\037\006\003\125\004\003\023\030\103\171\142\145\162"
+"\124\162\165\163\164\040\112\101\120\101\116\040\122\157\157\164"
+"\040\103\101"
+, (PRUint32)83 },
+  { (void *)"\116"
+, (PRUint32)1 },
+  { (void *)"\060\202\002\021\060\202\001\172\002\001\116\060\015\006\011\052"
+"\206\110\206\367\015\001\001\004\005\000\060\121\061\013\060\011"
+"\006\003\125\004\006\023\002\112\120\061\037\060\035\006\003\125"
+"\004\012\023\026\103\171\142\145\162\124\162\165\163\164\040\112"
+"\141\160\141\156\054\040\111\156\143\056\061\041\060\037\006\003"
+"\125\004\003\023\030\103\171\142\145\162\124\162\165\163\164\040"
+"\112\101\120\101\116\040\122\157\157\164\040\103\101\060\036\027"
+"\015\071\070\060\070\060\064\060\067\065\067\060\060\132\027\015"
+"\060\063\060\070\060\064\062\063\065\071\060\060\132\060\121\061"
+"\013\060\011\006\003\125\004\006\023\002\112\120\061\037\060\035"
+"\006\003\125\004\012\023\026\103\171\142\145\162\124\162\165\163"
+"\164\040\112\141\160\141\156\054\040\111\156\143\056\061\041\060"
+"\037\006\003\125\004\003\023\030\103\171\142\145\162\124\162\165"
+"\163\164\040\112\101\120\101\116\040\122\157\157\164\040\103\101"
+"\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001\001"
+"\005\000\003\201\215\000\060\201\211\002\201\201\000\267\255\374"
+"\312\107\020\166\211\375\147\254\344\163\006\174\201\113\035\326"
+"\265\174\016\107\257\354\246\124\165\250\304\375\145\257\347\310"
+"\261\261\154\064\065\215\367\271\144\127\050\013\041\132\336\164"
+"\376\334\170\056\206\106\022\114\177\021\037\334\223\275\137\276"
+"\146\230\206\270\267\354\155\111\323\220\331\341\171\000\126\150"
+"\272\255\154\037\054\073\037\311\054\214\103\260\004\102\352\201"
+"\163\246\316\063\165\105\015\212\105\162\057\252\127\125\344\007"
+"\303\103\342\165\072\017\274\074\320\204\316\272\357\002\003\001"
+"\000\001\060\015\006\011\052\206\110\206\367\015\001\001\004\005"
+"\000\003\201\201\000\267\246\144\243\014\200\074\034\304\330\356"
+"\101\073\345\206\244\236\140\135\326\001\062\250\152\144\055\040"
+"\160\100\272\162\116\146\372\007\145\116\003\216\013\375\126\340"
+"\255\073\040\247\062\372\262\022\036\200\337\036\343\172\030\314"
+"\127\333\346\311\064\140\357\165\353\020\026\320\244\056\160\330"
+"\044\043\270\245\167\163\102\371\007\072\335\001\154\010\223\007"
+"\065\046\020\045\140\051\377\011\345\144\237\151\271\026\111\363"
+"\134\335\044\143\106\223\015\260\123\066\165\274\110\040\273\031"
+"\266\217\320\042\375"
+, (PRUint32)533 }
+};
+static const NSSItem nss_builtins_items_11 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"GTE CyberTrust Japan Root CA", (PRUint32)29 },
+  { (void *)"\327\237\165\115\072\165\304\327\022\276\200\056\155\367\251\056"
+"\135\022\021\045"
+, (PRUint32)20 },
+  { (void *)"\336\253\377\103\052\145\067\006\233\050\265\172\350\204\323\216"
+, (PRUint32)16 },
+  { (void *)"\060\121\061\013\060\011\006\003\125\004\006\023\002\112\120\061"
+"\037\060\035\006\003\125\004\012\023\026\103\171\142\145\162\124"
+"\162\165\163\164\040\112\141\160\141\156\054\040\111\156\143\056"
+"\061\041\060\037\006\003\125\004\003\023\030\103\171\142\145\162"
+"\124\162\165\163\164\040\112\101\120\101\116\040\122\157\157\164"
+"\040\103\101"
+, (PRUint32)83 },
+  { (void *)"\116"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_12 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"GTE CyberTrust Japan Secure Server CA", (PRUint32)38 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\112\120\061"
+"\037\060\035\006\003\125\004\012\023\026\103\171\142\145\162\124"
+"\162\165\163\164\040\112\141\160\141\156\054\040\111\156\143\056"
+"\061\052\060\050\006\003\125\004\003\023\041\103\171\142\145\162"
+"\124\162\165\163\164\040\112\101\120\101\116\040\123\145\143\165"
+"\162\145\040\123\145\162\166\145\162\040\103\101"
+, (PRUint32)92 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\112\120\061"
+"\037\060\035\006\003\125\004\012\023\026\103\171\142\145\162\124"
+"\162\165\163\164\040\112\141\160\141\156\054\040\111\156\143\056"
+"\061\052\060\050\006\003\125\004\003\023\041\103\171\142\145\162"
+"\124\162\165\163\164\040\112\101\120\101\116\040\123\145\143\165"
+"\162\145\040\123\145\162\166\145\162\040\103\101"
+, (PRUint32)92 },
+  { (void *)"\117"
+, (PRUint32)1 },
+  { (void *)"\060\202\002\043\060\202\001\214\002\001\117\060\015\006\011\052"
+"\206\110\206\367\015\001\001\004\005\000\060\132\061\013\060\011"
+"\006\003\125\004\006\023\002\112\120\061\037\060\035\006\003\125"
+"\004\012\023\026\103\171\142\145\162\124\162\165\163\164\040\112"
+"\141\160\141\156\054\040\111\156\143\056\061\052\060\050\006\003"
+"\125\004\003\023\041\103\171\142\145\162\124\162\165\163\164\040"
+"\112\101\120\101\116\040\123\145\143\165\162\145\040\123\145\162"
+"\166\145\162\040\103\101\060\036\027\015\071\070\060\070\060\064"
+"\060\070\060\066\063\062\132\027\015\060\063\060\070\060\064\062"
+"\063\065\071\060\060\132\060\132\061\013\060\011\006\003\125\004"
+"\006\023\002\112\120\061\037\060\035\006\003\125\004\012\023\026"
+"\103\171\142\145\162\124\162\165\163\164\040\112\141\160\141\156"
+"\054\040\111\156\143\056\061\052\060\050\006\003\125\004\003\023"
+"\041\103\171\142\145\162\124\162\165\163\164\040\112\101\120\101"
+"\116\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040"
+"\103\101\060\201\237\060\015\006\011\052\206\110\206\367\015\001"
+"\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000\254"
+"\046\243\241\270\157\152\300\054\022\371\333\061\005\222\347\375"
+"\372\324\201\264\270\325\052\325\220\372\360\103\145\374\022\025"
+"\312\354\333\271\141\336\063\143\067\117\257\000\074\177\222\067"
+"\033\030\163\345\237\074\210\361\032\023\104\376\171\362\303\046"
+"\225\017\013\360\236\024\007\041\154\127\302\135\303\342\121\260"
+"\315\213\137\315\137\206\070\370\171\227\071\354\350\277\122\056"
+"\261\136\252\251\256\214\355\356\327\310\267\056\061\213\264\071"
+"\222\073\174\201\047\007\032\001\104\057\111\163\040\266\311\002"
+"\003\001\000\001\060\015\006\011\052\206\110\206\367\015\001\001"
+"\004\005\000\003\201\201\000\150\035\173\022\356\132\171\051\061"
+"\312\001\254\213\120\251\047\231\054\000\374\070\032\034\377\302"
+"\325\360\023\376\033\247\071\365\200\024\353\121\372\300\215\173"
+"\204\033\131\256\261\065\121\156\241\076\327\033\354\240\236\337"
+"\340\245\202\226\343\261\077\330\250\361\313\171\200\216\367\360"
+"\104\231\176\024\365\043\243\021\343\150\113\005\066\156\210\343"
+"\253\206\252\070\123\003\102\073\323\271\371\340\277\005\351\323"
+"\137\303\112\247\266\375\267\135\220\111\370\232\262\255\146\246"
+"\202\000\223\256\140\377\040"
+, (PRUint32)551 }
+};
+static const NSSItem nss_builtins_items_13 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"GTE CyberTrust Japan Secure Server CA", (PRUint32)38 },
+  { (void *)"\326\371\221\145\061\321\304\017\030\247\073\051\236\031\267\157"
+"\246\302\111\063"
+, (PRUint32)20 },
+  { (void *)"\335\015\015\264\170\113\175\316\060\012\246\065\306\253\114\210"
+, (PRUint32)16 },
+  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\112\120\061"
+"\037\060\035\006\003\125\004\012\023\026\103\171\142\145\162\124"
+"\162\165\163\164\040\112\141\160\141\156\054\040\111\156\143\056"
+"\061\052\060\050\006\003\125\004\003\023\041\103\171\142\145\162"
+"\124\162\165\163\164\040\112\101\120\101\116\040\123\145\143\165"
+"\162\145\040\123\145\162\166\145\162\040\103\101"
+, (PRUint32)92 },
+  { (void *)"\117"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_14 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Thawte Personal Basic CA", (PRUint32)25 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\313\061\013\060\011\006\003\125\004\006\023\002\132\101"
+"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
+"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
+"\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006"
+"\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156"
+"\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013"
+"\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
+"\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157"
+"\156\061\041\060\037\006\003\125\004\003\023\030\124\150\141\167"
+"\164\145\040\120\145\162\163\157\156\141\154\040\102\141\163\151"
+"\143\040\103\101\061\050\060\046\006\011\052\206\110\206\367\015"
+"\001\011\001\026\031\160\145\162\163\157\156\141\154\055\142\141"
+"\163\151\143\100\164\150\141\167\164\145\056\143\157\155"
+, (PRUint32)206 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\313\061\013\060\011\006\003\125\004\006\023\002\132\101"
+"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
+"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
+"\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006"
+"\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156"
+"\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013"
+"\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
+"\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157"
+"\156\061\041\060\037\006\003\125\004\003\023\030\124\150\141\167"
+"\164\145\040\120\145\162\163\157\156\141\154\040\102\141\163\151"
+"\143\040\103\101\061\050\060\046\006\011\052\206\110\206\367\015"
+"\001\011\001\026\031\160\145\162\163\157\156\141\154\055\142\141"
+"\163\151\143\100\164\150\141\167\164\145\056\143\157\155"
+, (PRUint32)206 },
+  { (void *)"\000"
+, (PRUint32)1 },
+  { (void *)"\060\202\003\041\060\202\002\212\240\003\002\001\002\002\001\000"
+"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
+"\201\313\061\013\060\011\006\003\125\004\006\023\002\132\101\061"
+"\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162"
+"\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023"
+"\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006\003"
+"\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156\163"
+"\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013\023"
+"\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040\123"
+"\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157\156"
+"\061\041\060\037\006\003\125\004\003\023\030\124\150\141\167\164"
+"\145\040\120\145\162\163\157\156\141\154\040\102\141\163\151\143"
+"\040\103\101\061\050\060\046\006\011\052\206\110\206\367\015\001"
+"\011\001\026\031\160\145\162\163\157\156\141\154\055\142\141\163"
+"\151\143\100\164\150\141\167\164\145\056\143\157\155\060\036\027"
+"\015\071\066\060\061\060\061\060\060\060\060\060\060\132\027\015"
+"\062\060\061\062\063\061\062\063\065\071\065\071\132\060\201\313"
+"\061\013\060\011\006\003\125\004\006\023\002\132\101\061\025\060"
+"\023\006\003\125\004\010\023\014\127\145\163\164\145\162\156\040"
+"\103\141\160\145\061\022\060\020\006\003\125\004\007\023\011\103"
+"\141\160\145\040\124\157\167\156\061\032\060\030\006\003\125\004"
+"\012\023\021\124\150\141\167\164\145\040\103\157\156\163\165\154"
+"\164\151\156\147\061\050\060\046\006\003\125\004\013\023\037\103"
+"\145\162\164\151\146\151\143\141\164\151\157\156\040\123\145\162"
+"\166\151\143\145\163\040\104\151\166\151\163\151\157\156\061\041"
+"\060\037\006\003\125\004\003\023\030\124\150\141\167\164\145\040"
+"\120\145\162\163\157\156\141\154\040\102\141\163\151\143\040\103"
+"\101\061\050\060\046\006\011\052\206\110\206\367\015\001\011\001"
+"\026\031\160\145\162\163\157\156\141\154\055\142\141\163\151\143"
+"\100\164\150\141\167\164\145\056\143\157\155\060\201\237\060\015"
+"\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215"
+"\000\060\201\211\002\201\201\000\274\274\223\123\155\300\120\117"
+"\202\025\346\110\224\065\246\132\276\157\102\372\017\107\356\167"
+"\165\162\335\215\111\233\226\127\240\170\324\312\077\121\263\151"
+"\013\221\166\027\042\007\227\152\304\121\223\113\340\215\357\067"
+"\225\241\014\115\332\064\220\035\027\211\227\340\065\070\127\112"
+"\300\364\010\160\351\074\104\173\120\176\141\232\220\343\043\323"
+"\210\021\106\047\365\013\007\016\273\335\321\177\040\012\210\271"
+"\126\013\056\034\200\332\361\343\236\051\357\024\275\012\104\373"
+"\033\133\030\321\277\043\223\041\002\003\001\000\001\243\023\060"
+"\021\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001"
+"\001\377\060\015\006\011\052\206\110\206\367\015\001\001\004\005"
+"\000\003\201\201\000\055\342\231\153\260\075\172\211\327\131\242"
+"\224\001\037\053\335\022\113\123\302\255\177\252\247\000\134\221"
+"\100\127\045\112\070\252\204\160\271\331\200\017\245\173\134\373"
+"\163\306\275\327\212\141\134\003\343\055\047\250\027\340\204\205"
+"\102\334\136\233\306\267\262\155\273\164\257\344\077\313\247\267"
+"\260\340\135\276\170\203\045\224\322\333\201\017\171\007\155\117"
+"\364\071\025\132\122\001\173\336\062\326\115\070\366\022\134\006"
+"\120\337\005\133\275\024\113\241\337\051\272\073\101\215\367\143"
+"\126\241\337\042\261"
+, (PRUint32)805 }
+};
+static const NSSItem nss_builtins_items_15 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Thawte Personal Basic CA", (PRUint32)25 },
+  { (void *)"\100\347\214\035\122\075\034\331\225\117\254\032\032\263\275\074"
+"\272\241\133\374"
+, (PRUint32)20 },
+  { (void *)"\346\013\322\311\312\055\210\333\032\161\016\113\170\353\002\101"
+, (PRUint32)16 },
+  { (void *)"\060\201\313\061\013\060\011\006\003\125\004\006\023\002\132\101"
+"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
+"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
+"\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006"
+"\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156"
+"\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013"
+"\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
+"\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157"
+"\156\061\041\060\037\006\003\125\004\003\023\030\124\150\141\167"
+"\164\145\040\120\145\162\163\157\156\141\154\040\102\141\163\151"
+"\143\040\103\101\061\050\060\046\006\011\052\206\110\206\367\015"
+"\001\011\001\026\031\160\145\162\163\157\156\141\154\055\142\141"
+"\163\151\143\100\164\150\141\167\164\145\056\143\157\155"
+, (PRUint32)206 },
+  { (void *)"\000"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_16 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Thawte Personal Premium CA", (PRUint32)27 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\317\061\013\060\011\006\003\125\004\006\023\002\132\101"
+"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
+"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
+"\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006"
+"\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156"
+"\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013"
+"\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
+"\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157"
+"\156\061\043\060\041\006\003\125\004\003\023\032\124\150\141\167"
+"\164\145\040\120\145\162\163\157\156\141\154\040\120\162\145\155"
+"\151\165\155\040\103\101\061\052\060\050\006\011\052\206\110\206"
+"\367\015\001\011\001\026\033\160\145\162\163\157\156\141\154\055"
+"\160\162\145\155\151\165\155\100\164\150\141\167\164\145\056\143"
+"\157\155"
+, (PRUint32)210 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\317\061\013\060\011\006\003\125\004\006\023\002\132\101"
+"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
+"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
+"\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006"
+"\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156"
+"\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013"
+"\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
+"\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157"
+"\156\061\043\060\041\006\003\125\004\003\023\032\124\150\141\167"
+"\164\145\040\120\145\162\163\157\156\141\154\040\120\162\145\155"
+"\151\165\155\040\103\101\061\052\060\050\006\011\052\206\110\206"
+"\367\015\001\011\001\026\033\160\145\162\163\157\156\141\154\055"
+"\160\162\145\155\151\165\155\100\164\150\141\167\164\145\056\143"
+"\157\155"
+, (PRUint32)210 },
+  { (void *)"\000"
+, (PRUint32)1 },
+  { (void *)"\060\202\003\051\060\202\002\222\240\003\002\001\002\002\001\000"
+"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
+"\201\317\061\013\060\011\006\003\125\004\006\023\002\132\101\061"
+"\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162"
+"\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023"
+"\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006\003"
+"\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156\163"
+"\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013\023"
+"\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040\123"
+"\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157\156"
+"\061\043\060\041\006\003\125\004\003\023\032\124\150\141\167\164"
+"\145\040\120\145\162\163\157\156\141\154\040\120\162\145\155\151"
+"\165\155\040\103\101\061\052\060\050\006\011\052\206\110\206\367"
+"\015\001\011\001\026\033\160\145\162\163\157\156\141\154\055\160"
+"\162\145\155\151\165\155\100\164\150\141\167\164\145\056\143\157"
+"\155\060\036\027\015\071\066\060\061\060\061\060\060\060\060\060"
+"\060\132\027\015\062\060\061\062\063\061\062\063\065\071\065\071"
+"\132\060\201\317\061\013\060\011\006\003\125\004\006\023\002\132"
+"\101\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164"
+"\145\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004"
+"\007\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030"
+"\006\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157"
+"\156\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004"
+"\013\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156"
+"\040\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151"
+"\157\156\061\043\060\041\006\003\125\004\003\023\032\124\150\141"
+"\167\164\145\040\120\145\162\163\157\156\141\154\040\120\162\145"
+"\155\151\165\155\040\103\101\061\052\060\050\006\011\052\206\110"
+"\206\367\015\001\011\001\026\033\160\145\162\163\157\156\141\154"
+"\055\160\162\145\155\151\165\155\100\164\150\141\167\164\145\056"
+"\143\157\155\060\201\237\060\015\006\011\052\206\110\206\367\015"
+"\001\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000"
+"\311\146\331\370\007\104\317\271\214\056\360\241\357\023\105\154"
+"\005\337\336\047\026\121\066\101\021\154\154\073\355\376\020\175"
+"\022\236\345\233\102\232\376\140\061\303\146\267\163\072\110\256"
+"\116\320\062\067\224\210\265\015\266\331\363\362\104\331\325\210"
+"\022\335\166\115\362\032\374\157\043\036\172\361\330\230\105\116"
+"\007\020\357\026\102\320\103\165\155\112\336\342\252\311\061\377"
+"\037\000\160\174\146\317\020\045\010\272\372\356\000\351\106\003"
+"\146\047\021\025\073\252\133\362\230\335\066\102\262\332\210\165"
+"\002\003\001\000\001\243\023\060\021\060\017\006\003\125\035\023"
+"\001\001\377\004\005\060\003\001\001\377\060\015\006\011\052\206"
+"\110\206\367\015\001\001\004\005\000\003\201\201\000\151\066\211"
+"\367\064\052\063\162\057\155\073\324\042\262\270\157\232\305\066"
+"\146\016\033\074\241\261\165\132\346\375\065\323\370\250\362\007"
+"\157\205\147\216\336\053\271\342\027\260\072\240\360\016\242\000"
+"\232\337\363\024\025\156\273\310\205\132\230\200\371\377\276\164"
+"\035\075\363\376\060\045\321\067\064\147\372\245\161\171\060\141"
+"\051\162\300\340\054\114\373\126\344\072\250\157\345\062\131\122"
+"\333\165\050\120\131\014\370\013\031\344\254\331\257\226\215\057"
+"\120\333\007\303\352\037\253\063\340\365\053\061\211"
+, (PRUint32)813 }
+};
+static const NSSItem nss_builtins_items_17 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Thawte Personal Premium CA", (PRUint32)27 },
+  { (void *)"\066\206\065\143\375\121\050\307\276\246\360\005\317\351\264\066"
+"\150\010\154\316"
+, (PRUint32)20 },
+  { (void *)"\072\262\336\042\232\040\223\111\371\355\310\322\212\347\150\015"
+, (PRUint32)16 },
+  { (void *)"\060\201\317\061\013\060\011\006\003\125\004\006\023\002\132\101"
+"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
+"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
+"\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006"
+"\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156"
+"\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013"
+"\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
+"\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157"
+"\156\061\043\060\041\006\003\125\004\003\023\032\124\150\141\167"
+"\164\145\040\120\145\162\163\157\156\141\154\040\120\162\145\155"
+"\151\165\155\040\103\101\061\052\060\050\006\011\052\206\110\206"
+"\367\015\001\011\001\026\033\160\145\162\163\157\156\141\154\055"
+"\160\162\145\155\151\165\155\100\164\150\141\167\164\145\056\143"
+"\157\155"
+, (PRUint32)210 },
+  { (void *)"\000"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_18 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Thawte Personal Freemail CA", (PRUint32)28 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\321\061\013\060\011\006\003\125\004\006\023\002\132\101"
+"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
+"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
+"\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006"
+"\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156"
+"\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013"
+"\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
+"\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157"
+"\156\061\044\060\042\006\003\125\004\003\023\033\124\150\141\167"
+"\164\145\040\120\145\162\163\157\156\141\154\040\106\162\145\145"
+"\155\141\151\154\040\103\101\061\053\060\051\006\011\052\206\110"
+"\206\367\015\001\011\001\026\034\160\145\162\163\157\156\141\154"
+"\055\146\162\145\145\155\141\151\154\100\164\150\141\167\164\145"
+"\056\143\157\155"
+, (PRUint32)212 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\321\061\013\060\011\006\003\125\004\006\023\002\132\101"
+"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
+"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
+"\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006"
+"\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156"
+"\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013"
+"\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
+"\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157"
+"\156\061\044\060\042\006\003\125\004\003\023\033\124\150\141\167"
+"\164\145\040\120\145\162\163\157\156\141\154\040\106\162\145\145"
+"\155\141\151\154\040\103\101\061\053\060\051\006\011\052\206\110"
+"\206\367\015\001\011\001\026\034\160\145\162\163\157\156\141\154"
+"\055\146\162\145\145\155\141\151\154\100\164\150\141\167\164\145"
+"\056\143\157\155"
+, (PRUint32)212 },
+  { (void *)"\000"
+, (PRUint32)1 },
+  { (void *)"\060\202\003\055\060\202\002\226\240\003\002\001\002\002\001\000"
+"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
+"\201\321\061\013\060\011\006\003\125\004\006\023\002\132\101\061"
+"\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162"
+"\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023"
+"\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006\003"
+"\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156\163"
+"\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013\023"
+"\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040\123"
+"\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157\156"
+"\061\044\060\042\006\003\125\004\003\023\033\124\150\141\167\164"
+"\145\040\120\145\162\163\157\156\141\154\040\106\162\145\145\155"
+"\141\151\154\040\103\101\061\053\060\051\006\011\052\206\110\206"
+"\367\015\001\011\001\026\034\160\145\162\163\157\156\141\154\055"
+"\146\162\145\145\155\141\151\154\100\164\150\141\167\164\145\056"
+"\143\157\155\060\036\027\015\071\066\060\061\060\061\060\060\060"
+"\060\060\060\132\027\015\062\060\061\062\063\061\062\063\065\071"
+"\065\071\132\060\201\321\061\013\060\011\006\003\125\004\006\023"
+"\002\132\101\061\025\060\023\006\003\125\004\010\023\014\127\145"
+"\163\164\145\162\156\040\103\141\160\145\061\022\060\020\006\003"
+"\125\004\007\023\011\103\141\160\145\040\124\157\167\156\061\032"
+"\060\030\006\003\125\004\012\023\021\124\150\141\167\164\145\040"
+"\103\157\156\163\165\154\164\151\156\147\061\050\060\046\006\003"
+"\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151"
+"\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151"
+"\163\151\157\156\061\044\060\042\006\003\125\004\003\023\033\124"
+"\150\141\167\164\145\040\120\145\162\163\157\156\141\154\040\106"
+"\162\145\145\155\141\151\154\040\103\101\061\053\060\051\006\011"
+"\052\206\110\206\367\015\001\011\001\026\034\160\145\162\163\157"
+"\156\141\154\055\146\162\145\145\155\141\151\154\100\164\150\141"
+"\167\164\145\056\143\157\155\060\201\237\060\015\006\011\052\206"
+"\110\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211"
+"\002\201\201\000\324\151\327\324\260\224\144\133\161\351\107\330"
+"\014\121\266\352\162\221\260\204\136\175\055\015\217\173\022\337"
+"\205\045\165\050\164\072\102\054\143\047\237\225\173\113\357\176"
+"\031\207\035\206\352\243\335\271\316\226\144\032\302\024\156\104"
+"\254\174\346\217\350\115\017\161\037\100\070\246\000\243\207\170"
+"\366\371\224\206\136\255\352\300\136\166\353\331\024\243\135\156"
+"\172\174\014\245\113\125\177\006\031\051\177\236\232\046\325\152"
+"\273\070\044\010\152\230\307\261\332\243\230\221\375\171\333\345"
+"\132\304\034\271\002\003\001\000\001\243\023\060\021\060\017\006"
+"\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015"
+"\006\011\052\206\110\206\367\015\001\001\004\005\000\003\201\201"
+"\000\307\354\222\176\116\370\365\226\245\147\142\052\244\360\115"
+"\021\140\320\157\215\140\130\141\254\046\273\122\065\134\010\317"
+"\060\373\250\112\226\212\037\142\102\043\214\027\017\364\272\144"
+"\234\027\254\107\051\337\235\230\136\322\154\140\161\134\242\254"
+"\334\171\343\347\156\000\107\037\265\015\050\350\002\235\344\232"
+"\375\023\364\246\331\174\261\370\334\137\043\046\011\221\200\163"
+"\320\024\033\336\103\251\203\045\362\346\234\057\025\312\376\246"
+"\253\212\007\165\213\014\335\121\204\153\344\370\321\316\167\242"
+"\201"
+, (PRUint32)817 }
+};
+static const NSSItem nss_builtins_items_19 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Thawte Personal Freemail CA", (PRUint32)28 },
+  { (void *)"\040\231\000\266\075\225\127\050\024\014\321\066\042\330\306\207"
+"\244\353\000\205"
+, (PRUint32)20 },
+  { (void *)"\036\164\303\206\074\014\065\305\076\302\177\357\074\252\074\331"
+, (PRUint32)16 },
+  { (void *)"\060\201\321\061\013\060\011\006\003\125\004\006\023\002\132\101"
+"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
+"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
+"\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006"
+"\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156"
+"\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013"
+"\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
+"\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157"
+"\156\061\044\060\042\006\003\125\004\003\023\033\124\150\141\167"
+"\164\145\040\120\145\162\163\157\156\141\154\040\106\162\145\145"
+"\155\141\151\154\040\103\101\061\053\060\051\006\011\052\206\110"
+"\206\367\015\001\011\001\026\034\160\145\162\163\157\156\141\154"
+"\055\146\162\145\145\155\141\151\154\100\164\150\141\167\164\145"
+"\056\143\157\155"
+, (PRUint32)212 },
+  { (void *)"\000"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_20 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Thawte Server CA", (PRUint32)17 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101"
+"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
+"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
+"\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006"
+"\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156"
+"\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003"
+"\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151"
+"\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151"
+"\163\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124"
+"\150\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061"
+"\046\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027"
+"\163\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141"
+"\167\164\145\056\143\157\155"
+, (PRUint32)199 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101"
+"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
+"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
+"\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006"
+"\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156"
+"\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003"
+"\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151"
+"\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151"
+"\163\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124"
+"\150\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061"
+"\046\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027"
+"\163\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141"
+"\167\164\145\056\143\157\155"
+, (PRUint32)199 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)"\060\202\003\023\060\202\002\174\240\003\002\001\002\002\001\001"
+"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
+"\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101\061"
+"\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162"
+"\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023"
+"\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006\003"
+"\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156\163"
+"\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003\125"
+"\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151\163"
+"\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124\150"
+"\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061\046"
+"\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027\163"
+"\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141\167"
+"\164\145\056\143\157\155\060\036\027\015\071\066\060\070\060\061"
+"\060\060\060\060\060\060\132\027\015\062\060\061\062\063\061\062"
+"\063\065\071\065\071\132\060\201\304\061\013\060\011\006\003\125"
+"\004\006\023\002\132\101\061\025\060\023\006\003\125\004\010\023"
+"\014\127\145\163\164\145\162\156\040\103\141\160\145\061\022\060"
+"\020\006\003\125\004\007\023\011\103\141\160\145\040\124\157\167"
+"\156\061\035\060\033\006\003\125\004\012\023\024\124\150\141\167"
+"\164\145\040\103\157\156\163\165\154\164\151\156\147\040\143\143"
+"\061\050\060\046\006\003\125\004\013\023\037\103\145\162\164\151"
+"\146\151\143\141\164\151\157\156\040\123\145\162\166\151\143\145"
+"\163\040\104\151\166\151\163\151\157\156\061\031\060\027\006\003"
+"\125\004\003\023\020\124\150\141\167\164\145\040\123\145\162\166"
+"\145\162\040\103\101\061\046\060\044\006\011\052\206\110\206\367"
+"\015\001\011\001\026\027\163\145\162\166\145\162\055\143\145\162"
+"\164\163\100\164\150\141\167\164\145\056\143\157\155\060\201\237"
+"\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003"
+"\201\215\000\060\201\211\002\201\201\000\323\244\120\156\310\377"
+"\126\153\346\317\135\266\352\014\150\165\107\242\252\302\332\204"
+"\045\374\250\364\107\121\332\205\265\040\164\224\206\036\017\165"
+"\311\351\010\141\365\006\155\060\156\025\031\002\351\122\300\142"
+"\333\115\231\236\342\152\014\104\070\315\376\276\343\144\011\160"
+"\305\376\261\153\051\266\057\111\310\073\324\047\004\045\020\227"
+"\057\347\220\155\300\050\102\231\327\114\103\336\303\365\041\155"
+"\124\237\135\303\130\341\300\344\331\133\260\270\334\264\173\337"
+"\066\072\302\265\146\042\022\326\207\015\002\003\001\000\001\243"
+"\023\060\021\060\017\006\003\125\035\023\001\001\377\004\005\060"
+"\003\001\001\377\060\015\006\011\052\206\110\206\367\015\001\001"
+"\004\005\000\003\201\201\000\007\372\114\151\134\373\225\314\106"
+"\356\205\203\115\041\060\216\312\331\250\157\111\032\346\332\121"
+"\343\140\160\154\204\141\021\241\032\310\110\076\131\103\175\117"
+"\225\075\241\213\267\013\142\230\172\165\212\335\210\116\116\236"
+"\100\333\250\314\062\164\271\157\015\306\343\263\104\013\331\212"
+"\157\232\051\233\231\030\050\073\321\343\100\050\232\132\074\325"
+"\265\347\040\033\213\312\244\253\215\351\121\331\342\114\054\131"
+"\251\332\271\262\165\033\366\102\362\357\307\362\030\371\211\274"
+"\243\377\212\043\056\160\107"
+, (PRUint32)791 }
+};
+static const NSSItem nss_builtins_items_21 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Thawte Server CA", (PRUint32)17 },
+  { (void *)"\043\345\224\224\121\225\362\101\110\003\264\325\144\322\243\243"
+"\365\330\213\214"
+, (PRUint32)20 },
+  { (void *)"\305\160\304\242\355\123\170\014\310\020\123\201\144\313\320\035"
+, (PRUint32)16 },
+  { (void *)"\060\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101"
+"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
+"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
+"\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006"
+"\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156"
+"\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003"
+"\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151"
+"\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151"
+"\163\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124"
+"\150\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061"
+"\046\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027"
+"\163\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141"
+"\167\164\145\056\143\157\155"
+, (PRUint32)199 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_22 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Thawte Premium Server CA", (PRUint32)25 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101"
+"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
+"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
+"\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006"
+"\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156"
+"\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003"
+"\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151"
+"\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151"
+"\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124"
+"\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145"
+"\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110"
+"\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055"
+"\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157"
+"\155"
+, (PRUint32)209 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101"
+"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
+"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
+"\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006"
+"\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156"
+"\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003"
+"\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151"
+"\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151"
+"\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124"
+"\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145"
+"\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110"
+"\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055"
+"\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157"
+"\155"
+, (PRUint32)209 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)"\060\202\003\047\060\202\002\220\240\003\002\001\002\002\001\001"
+"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
+"\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101\061"
+"\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162"
+"\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023"
+"\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006\003"
+"\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156\163"
+"\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003\125"
+"\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151\163"
+"\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124\150"
+"\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145\162"
+"\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110\206"
+"\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055\163"
+"\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157\155"
+"\060\036\027\015\071\066\060\070\060\061\060\060\060\060\060\060"
+"\132\027\015\062\060\061\062\063\061\062\063\065\071\065\071\132"
+"\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101"
+"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
+"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
+"\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006"
+"\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156"
+"\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003"
+"\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151"
+"\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151"
+"\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124"
+"\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145"
+"\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110"
+"\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055"
+"\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157"
+"\155\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001"
+"\001\005\000\003\201\215\000\060\201\211\002\201\201\000\322\066"
+"\066\152\213\327\302\133\236\332\201\101\142\217\070\356\111\004"
+"\125\326\320\357\034\033\225\026\107\357\030\110\065\072\122\364"
+"\053\152\006\217\073\057\352\126\343\257\206\215\236\027\367\236"
+"\264\145\165\002\115\357\313\011\242\041\121\330\233\320\147\320"
+"\272\015\222\006\024\163\324\223\313\227\052\000\234\134\116\014"
+"\274\372\025\122\374\362\104\156\332\021\112\156\010\237\057\055"
+"\343\371\252\072\206\163\266\106\123\130\310\211\005\275\203\021"
+"\270\163\077\252\007\215\364\102\115\347\100\235\034\067\002\003"
+"\001\000\001\243\023\060\021\060\017\006\003\125\035\023\001\001"
+"\377\004\005\060\003\001\001\377\060\015\006\011\052\206\110\206"
+"\367\015\001\001\004\005\000\003\201\201\000\046\110\054\026\302"
+"\130\372\350\026\164\014\252\252\137\124\077\362\327\311\170\140"
+"\136\136\156\067\143\042\167\066\176\262\027\304\064\271\365\010"
+"\205\374\311\001\070\377\115\276\362\026\102\103\347\273\132\106"
+"\373\301\306\021\037\361\112\260\050\106\311\303\304\102\175\274"
+"\372\253\131\156\325\267\121\210\021\343\244\205\031\153\202\114"
+"\244\014\022\255\351\244\256\077\361\303\111\145\232\214\305\310"
+"\076\045\267\224\231\273\222\062\161\007\360\206\136\355\120\047"
+"\246\015\246\043\371\273\313\246\007\024\102"
+, (PRUint32)811 }
+};
+static const NSSItem nss_builtins_items_23 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Thawte Premium Server CA", (PRUint32)25 },
+  { (void *)"\142\177\215\170\047\145\143\231\322\175\177\220\104\311\376\263"
+"\363\076\372\232"
+, (PRUint32)20 },
+  { (void *)"\006\237\151\171\026\146\220\002\033\214\214\242\303\007\157\072"
+, (PRUint32)16 },
+  { (void *)"\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101"
+"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
+"\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007"
+"\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006"
+"\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156"
+"\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003"
+"\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151"
+"\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151"
+"\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124"
+"\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145"
+"\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110"
+"\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055"
+"\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157"
+"\155"
+, (PRUint32)209 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_24 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"American Express CA", (PRUint32)20 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\217\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\047\060\045\006\003\125\004\012\023\036\101\155\145\162\151"
+"\143\141\156\040\105\170\160\162\145\163\163\040\103\157\155\160"
+"\141\156\171\054\040\111\156\143\056\061\046\060\044\006\003\125"
+"\004\013\023\035\101\155\145\162\151\143\141\156\040\105\170\160"
+"\162\145\163\163\040\124\145\143\150\156\157\154\157\147\151\145"
+"\163\061\057\060\055\006\003\125\004\003\023\046\101\155\145\162"
+"\151\143\141\156\040\105\170\160\162\145\163\163\040\103\145\162"
+"\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151"
+"\164\171"
+, (PRUint32)146 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\217\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\047\060\045\006\003\125\004\012\023\036\101\155\145\162\151"
+"\143\141\156\040\105\170\160\162\145\163\163\040\103\157\155\160"
+"\141\156\171\054\040\111\156\143\056\061\046\060\044\006\003\125"
+"\004\013\023\035\101\155\145\162\151\143\141\156\040\105\170\160"
+"\162\145\163\163\040\124\145\143\150\156\157\154\157\147\151\145"
+"\163\061\057\060\055\006\003\125\004\003\023\046\101\155\145\162"
+"\151\143\141\156\040\105\170\160\162\145\163\163\040\103\145\162"
+"\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151"
+"\164\171"
+, (PRUint32)146 },
+  { (void *)"\000\215"
+, (PRUint32)2 },
+  { (void *)"\060\202\002\220\060\202\001\371\002\002\000\215\060\015\006\011"
+"\052\206\110\206\367\015\001\001\004\005\000\060\201\217\061\013"
+"\060\011\006\003\125\004\006\023\002\125\123\061\047\060\045\006"
+"\003\125\004\012\023\036\101\155\145\162\151\143\141\156\040\105"
+"\170\160\162\145\163\163\040\103\157\155\160\141\156\171\054\040"
+"\111\156\143\056\061\046\060\044\006\003\125\004\013\023\035\101"
+"\155\145\162\151\143\141\156\040\105\170\160\162\145\163\163\040"
+"\124\145\143\150\156\157\154\157\147\151\145\163\061\057\060\055"
+"\006\003\125\004\003\023\046\101\155\145\162\151\143\141\156\040"
+"\105\170\160\162\145\163\163\040\103\145\162\164\151\146\151\143"
+"\141\164\145\040\101\165\164\150\157\162\151\164\171\060\036\027"
+"\015\071\070\060\070\061\064\062\062\060\061\060\060\132\027\015"
+"\060\066\060\070\061\064\062\063\065\071\060\060\132\060\201\217"
+"\061\013\060\011\006\003\125\004\006\023\002\125\123\061\047\060"
+"\045\006\003\125\004\012\023\036\101\155\145\162\151\143\141\156"
+"\040\105\170\160\162\145\163\163\040\103\157\155\160\141\156\171"
+"\054\040\111\156\143\056\061\046\060\044\006\003\125\004\013\023"
+"\035\101\155\145\162\151\143\141\156\040\105\170\160\162\145\163"
+"\163\040\124\145\143\150\156\157\154\157\147\151\145\163\061\057"
+"\060\055\006\003\125\004\003\023\046\101\155\145\162\151\143\141"
+"\156\040\105\170\160\162\145\163\163\040\103\145\162\164\151\146"
+"\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171\060"
+"\201\237\060\015\006\011\052\206\110\206\367\015\001\001\001\005"
+"\000\003\201\215\000\060\201\211\002\201\201\000\311\362\111\222"
+"\205\312\375\025\051\265\006\266\104\354\374\210\243\362\206\316"
+"\377\024\117\044\034\222\371\302\043\301\316\103\337\135\064\310"
+"\270\024\354\325\052\160\221\111\225\327\126\315\224\361\251\223"
+"\320\150\042\334\115\175\240\012\162\052\107\352\045\360\205\000"
+"\137\066\124\141\317\013\371\067\132\147\235\351\037\351\144\077"
+"\160\225\141\247\320\060\002\336\046\050\244\146\003\004\351\060"
+"\373\217\063\007\371\157\141\207\242\162\333\363\150\170\143\146"
+"\131\251\311\267\146\341\025\262\110\066\054\371\002\003\001\000"
+"\001\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000"
+"\003\201\201\000\150\027\142\270\163\213\114\154\353\112\245\076"
+"\253\345\235\056\322\315\212\007\127\363\306\131\227\166\027\027"
+"\370\122\216\047\223\330\130\330\050\154\364\242\004\172\212\302"
+"\166\044\261\002\264\337\050\362\367\363\250\247\176\043\110\141"
+"\210\364\021\150\256\046\135\366\241\113\123\045\152\330\052\024"
+"\002\016\340\207\040\156\236\031\134\163\220\013\043\342\061\227"
+"\043\077\325\042\242\323\006\173\332\067\365\327\265\101\104\027"
+"\172\105\002\331\205\105\146\326\216\307\360\172\014\231\142\042"
+"\151\133\355\322"
+, (PRUint32)660 }
+};
+static const NSSItem nss_builtins_items_25 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"American Express CA", (PRUint32)20 },
+  { (void *)"\254\231\217\200\304\240\005\370\156\362\240\256\110\030\344\117"
+"\110\237\370\177"
+, (PRUint32)20 },
+  { (void *)"\034\325\216\202\276\160\125\216\071\141\337\255\121\333\153\240"
+, (PRUint32)16 },
+  { (void *)"\060\201\217\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\047\060\045\006\003\125\004\012\023\036\101\155\145\162\151"
+"\143\141\156\040\105\170\160\162\145\163\163\040\103\157\155\160"
+"\141\156\171\054\040\111\156\143\056\061\046\060\044\006\003\125"
+"\004\013\023\035\101\155\145\162\151\143\141\156\040\105\170\160"
+"\162\145\163\163\040\124\145\143\150\156\157\154\157\147\151\145"
+"\163\061\057\060\055\006\003\125\004\003\023\046\101\155\145\162"
+"\151\143\141\156\040\105\170\160\162\145\163\163\040\103\145\162"
+"\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151"
+"\164\171"
+, (PRUint32)146 },
+  { (void *)"\000\215"
+, (PRUint32)2 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_26 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"American Express Global CA", (PRUint32)27 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\226\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\047\060\045\006\003\125\004\012\023\036\101\155\145\162\151"
+"\143\141\156\040\105\170\160\162\145\163\163\040\103\157\155\160"
+"\141\156\171\054\040\111\156\143\056\061\046\060\044\006\003\125"
+"\004\013\023\035\101\155\145\162\151\143\141\156\040\105\170\160"
+"\162\145\163\163\040\124\145\143\150\156\157\154\157\147\151\145"
+"\163\061\066\060\064\006\003\125\004\003\023\055\101\155\145\162"
+"\151\143\141\156\040\105\170\160\162\145\163\163\040\107\154\157"
+"\142\141\154\040\103\145\162\164\151\146\151\143\141\164\145\040"
+"\101\165\164\150\157\162\151\164\171"
+, (PRUint32)153 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\226\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\047\060\045\006\003\125\004\012\023\036\101\155\145\162\151"
+"\143\141\156\040\105\170\160\162\145\163\163\040\103\157\155\160"
+"\141\156\171\054\040\111\156\143\056\061\046\060\044\006\003\125"
+"\004\013\023\035\101\155\145\162\151\143\141\156\040\105\170\160"
+"\162\145\163\163\040\124\145\143\150\156\157\154\157\147\151\145"
+"\163\061\066\060\064\006\003\125\004\003\023\055\101\155\145\162"
+"\151\143\141\156\040\105\170\160\162\145\163\163\040\107\154\157"
+"\142\141\154\040\103\145\162\164\151\146\151\143\141\164\145\040"
+"\101\165\164\150\157\162\151\164\171"
+, (PRUint32)153 },
+  { (void *)"\000\205"
+, (PRUint32)2 },
+  { (void *)"\060\202\004\004\060\202\002\354\240\003\002\001\002\002\002\000"
+"\205\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000"
+"\060\201\226\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\047\060\045\006\003\125\004\012\023\036\101\155\145\162\151"
+"\143\141\156\040\105\170\160\162\145\163\163\040\103\157\155\160"
+"\141\156\171\054\040\111\156\143\056\061\046\060\044\006\003\125"
+"\004\013\023\035\101\155\145\162\151\143\141\156\040\105\170\160"
+"\162\145\163\163\040\124\145\143\150\156\157\154\157\147\151\145"
+"\163\061\066\060\064\006\003\125\004\003\023\055\101\155\145\162"
+"\151\143\141\156\040\105\170\160\162\145\163\163\040\107\154\157"
+"\142\141\154\040\103\145\162\164\151\146\151\143\141\164\145\040"
+"\101\165\164\150\157\162\151\164\171\060\036\027\015\071\070\060"
+"\070\061\064\061\071\060\066\060\060\132\027\015\061\063\060\070"
+"\061\064\062\063\065\071\060\060\132\060\201\226\061\013\060\011"
+"\006\003\125\004\006\023\002\125\123\061\047\060\045\006\003\125"
+"\004\012\023\036\101\155\145\162\151\143\141\156\040\105\170\160"
+"\162\145\163\163\040\103\157\155\160\141\156\171\054\040\111\156"
+"\143\056\061\046\060\044\006\003\125\004\013\023\035\101\155\145"
+"\162\151\143\141\156\040\105\170\160\162\145\163\163\040\124\145"
+"\143\150\156\157\154\157\147\151\145\163\061\066\060\064\006\003"
+"\125\004\003\023\055\101\155\145\162\151\143\141\156\040\105\170"
+"\160\162\145\163\163\040\107\154\157\142\141\154\040\103\145\162"
+"\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151"
+"\164\171\060\202\001\042\060\015\006\011\052\206\110\206\367\015"
+"\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202"
+"\001\001\000\360\044\046\146\056\373\353\112\163\161\123\211\107"
+"\313\046\074\123\222\224\114\312\302\205\265\015\370\303\127\275"
+"\057\052\037\152\030\267\127\257\014\000\026\372\240\266\220\246"
+"\367\032\241\056\146\046\307\150\243\212\223\151\146\265\106\126"
+"\055\035\202\352\220\014\012\042\302\211\120\215\005\363\324\253"
+"\163\101\360\317\022\254\050\264\157\024\224\226\131\113\236\220"
+"\165\206\337\342\107\353\341\351\117\103\176\207\312\047\030\146"
+"\236\265\301\100\145\175\374\141\157\255\233\162\317\251\136\330"
+"\363\371\332\156\221\020\372\114\265\352\176\040\336\251\071\057"
+"\365\210\344\212\157\065\306\040\234\053\206\106\063\012\374\061"
+"\125\245\153\254\026\100\351\315\065\131\157\062\004\303\173\265"
+"\017\173\167\160\363\110\273\052\122\202\316\257\051\155\361\021"
+"\157\155\346\007\000\001\357\232\363\046\015\246\171\023\147\257"
+"\370\253\034\165\254\221\265\153\276\100\260\336\234\014\261\151"
+"\205\031\161\221\023\105\312\337\321\375\346\262\312\226\203\171"
+"\333\305\270\252\133\172\220\013\170\126\076\306\327\237\224\110"
+"\021\365\255\002\003\001\000\001\243\132\060\130\060\022\006\003"
+"\125\035\023\001\001\377\004\010\060\006\001\001\377\002\001\005"
+"\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006"
+"\060\027\006\003\125\035\040\004\020\060\016\060\014\006\012\052"
+"\206\110\206\371\017\012\001\005\001\060\031\006\003\125\035\016"
+"\004\022\004\020\127\107\065\173\066\047\021\250\010\374\057\106"
+"\045\353\044\151\060\015\006\011\052\206\110\206\367\015\001\001"
+"\005\005\000\003\202\001\001\000\307\141\105\250\212\161\271\276"
+"\064\351\041\173\041\315\126\023\230\325\060\143\351\030\252\113"
+"\222\025\277\013\035\273\354\222\151\305\056\303\141\213\350\060"
+"\105\313\020\106\301\163\070\134\213\031\322\053\363\100\353\174"
+"\162\263\056\036\047\343\165\225\212\034\233\056\304\225\005\206"
+"\162\320\125\364\241\222\122\171\134\333\364\370\334\345\327\022"
+"\261\100\307\074\206\344\061\145\112\312\067\306\336\166\127\031"
+"\151\114\106\151\374\052\255\026\067\172\223\254\367\041\113\055"
+"\373\353\251\120\313\301\321\100\010\332\003\151\207\247\067\136"
+"\125\301\305\355\304\343\216\014\046\227\233\134\127\113\162\343"
+"\362\003\005\320\002\073\046\003\100\220\236\276\013\133\111\014"
+"\170\361\325\114\125\051\340\366\375\114\003\251\124\002\062\321"
+"\127\132\205\254\103\355\133\073\026\137\240\277\065\333\113\236"
+"\173\350\377\347\015\074\073\250\233\111\101\106\365\163\116\377"
+"\222\145\041\203\023\125\161\353\111\074\177\210\032\302\022\050"
+"\045\241\106\113\101\067\227\177\354\216\361\324\241\226\302\040"
+"\266\136\255\251\034\036\021\240"
+, (PRUint32)1032 }
+};
+static const NSSItem nss_builtins_items_27 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"American Express Global CA", (PRUint32)27 },
+  { (void *)"\005\025\203\065\174\267\267\276\344\016\273\221\377\153\073\274"
+"\361\124\335\126"
+, (PRUint32)20 },
+  { (void *)"\143\033\146\223\214\363\146\313\074\171\127\334\005\111\352\333"
+, (PRUint32)16 },
+  { (void *)"\060\201\226\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\047\060\045\006\003\125\004\012\023\036\101\155\145\162\151"
+"\143\141\156\040\105\170\160\162\145\163\163\040\103\157\155\160"
+"\141\156\171\054\040\111\156\143\056\061\046\060\044\006\003\125"
+"\004\013\023\035\101\155\145\162\151\143\141\156\040\105\170\160"
+"\162\145\163\163\040\124\145\143\150\156\157\154\157\147\151\145"
+"\163\061\066\060\064\006\003\125\004\003\023\055\101\155\145\162"
+"\151\143\141\156\040\105\170\160\162\145\163\163\040\107\154\157"
+"\142\141\154\040\103\145\162\164\151\146\151\143\141\164\145\040"
+"\101\165\164\150\157\162\151\164\171"
+, (PRUint32)153 },
+  { (void *)"\000\205"
+, (PRUint32)2 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_28 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Equifax Premium CA", (PRUint32)19 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\117\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141"
+"\170\061\056\060\054\006\003\125\004\013\023\045\105\161\165\151"
+"\146\141\170\040\120\162\145\155\151\165\155\040\103\145\162\164"
+"\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)81 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\117\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141"
+"\170\061\056\060\054\006\003\125\004\013\023\045\105\161\165\151"
+"\146\141\170\040\120\162\145\155\151\165\155\040\103\145\162\164"
+"\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)81 },
+  { (void *)"\065\341\357\036"
+, (PRUint32)4 },
+  { (void *)"\060\202\003\043\060\202\002\214\240\003\002\001\002\002\004\065"
+"\341\357\036\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\060\117\061\013\060\011\006\003\125\004\006\023\002\125"
+"\123\061\020\060\016\006\003\125\004\012\023\007\105\161\165\151"
+"\146\141\170\061\056\060\054\006\003\125\004\013\023\045\105\161"
+"\165\151\146\141\170\040\120\162\145\155\151\165\155\040\103\145"
+"\162\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162"
+"\151\164\171\060\036\027\015\071\070\060\070\062\064\062\062\065"
+"\064\062\063\132\027\015\061\070\060\070\062\064\062\062\065\064"
+"\062\063\132\060\117\061\013\060\011\006\003\125\004\006\023\002"
+"\125\123\061\020\060\016\006\003\125\004\012\023\007\105\161\165"
+"\151\146\141\170\061\056\060\054\006\003\125\004\013\023\045\105"
+"\161\165\151\146\141\170\040\120\162\145\155\151\165\155\040\103"
+"\145\162\164\151\146\151\143\141\164\145\040\101\165\164\150\157"
+"\162\151\164\171\060\201\237\060\015\006\011\052\206\110\206\367"
+"\015\001\001\001\005\000\003\201\215\000\060\201\211\002\201\201"
+"\000\316\241\006\216\006\314\010\013\301\206\250\336\040\325\015"
+"\016\321\015\304\237\352\152\331\263\302\062\107\100\157\212\210"
+"\244\011\275\070\054\035\346\313\346\244\363\066\353\332\353\274"
+"\374\144\263\007\366\055\274\252\316\237\031\110\150\112\374\365"
+"\242\105\176\011\020\365\217\263\111\134\043\006\071\352\023\213"
+"\270\013\315\221\035\166\137\331\067\241\104\373\137\220\362\147"
+"\263\315\030\231\103\037\166\022\153\002\362\225\203\070\103\302"
+"\366\142\064\312\311\170\135\137\322\330\272\232\377\276\020\140"
+"\133\002\003\001\000\001\243\202\001\012\060\202\001\006\060\161"
+"\006\003\125\035\037\004\152\060\150\060\146\240\144\240\142\244"
+"\140\060\136\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146"
+"\141\170\061\056\060\054\006\003\125\004\013\023\045\105\161\165"
+"\151\146\141\170\040\120\162\145\155\151\165\155\040\103\145\162"
+"\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151"
+"\164\171\061\015\060\013\006\003\125\004\003\023\004\103\122\114"
+"\061\060\032\006\003\125\035\020\004\023\060\021\201\017\062\060"
+"\061\070\060\070\062\064\062\062\065\064\062\063\132\060\013\006"
+"\003\125\035\017\004\004\003\002\001\006\060\037\006\003\125\035"
+"\043\004\030\060\026\200\024\025\356\262\050\131\253\156\345\370"
+"\317\213\201\364\044\341\256\077\165\033\230\060\035\006\003\125"
+"\035\016\004\026\004\024\025\356\262\050\131\253\156\345\370\317"
+"\213\201\364\044\341\256\077\165\033\230\060\014\006\003\125\035"
+"\023\004\005\060\003\001\001\377\060\032\006\011\052\206\110\206"
+"\366\175\007\101\000\004\015\060\013\033\005\126\063\056\060\143"
+"\003\002\006\300\060\015\006\011\052\206\110\206\367\015\001\001"
+"\005\005\000\003\201\201\000\275\013\234\047\251\003\333\050\334"
+"\230\251\113\320\321\216\247\250\032\132\221\340\234\361\367\030"
+"\174\056\042\236\066\037\311\250\265\315\106\112\156\372\065\007"
+"\033\206\010\353\237\342\250\371\235\101\055\072\256\134\134\266"
+"\137\064\004\353\374\052\140\260\373\164\344\205\351\145\070\226"
+"\356\025\307\306\167\143\022\275\212\150\037\253\154\175\332\312"
+"\134\023\316\352\311\353\011\134\305\163\347\022\001\325\331\123"
+"\007\236\340\017\226\360\213\264\273\105\110\237\206\305\031\125"
+"\240\313\226\305\003\374\110"
+, (PRUint32)807 }
+};
+static const NSSItem nss_builtins_items_29 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Equifax Premium CA", (PRUint32)19 },
+  { (void *)"\235\021\167\273\103\333\275\240\007\310\252\321\253\220\127\020"
+"\256\170\244\135"
+, (PRUint32)20 },
+  { (void *)"\251\351\250\235\016\163\343\261\057\067\015\350\110\077\206\355"
+, (PRUint32)16 },
+  { (void *)"\060\117\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141"
+"\170\061\056\060\054\006\003\125\004\013\023\045\105\161\165\151"
+"\146\141\170\040\120\162\145\155\151\165\155\040\103\145\162\164"
+"\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)81 },
+  { (void *)"\065\341\357\036"
+, (PRUint32)4 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_30 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Equifax Secure CA", (PRUint32)18 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141"
+"\170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151"
+"\146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151"
+"\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171"
+, (PRUint32)80 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141"
+"\170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151"
+"\146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151"
+"\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171"
+, (PRUint32)80 },
+  { (void *)"\065\336\364\317"
+, (PRUint32)4 },
+  { (void *)"\060\202\003\040\060\202\002\211\240\003\002\001\002\002\004\065"
+"\336\364\317\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\060\116\061\013\060\011\006\003\125\004\006\023\002\125"
+"\123\061\020\060\016\006\003\125\004\012\023\007\105\161\165\151"
+"\146\141\170\061\055\060\053\006\003\125\004\013\023\044\105\161"
+"\165\151\146\141\170\040\123\145\143\165\162\145\040\103\145\162"
+"\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151"
+"\164\171\060\036\027\015\071\070\060\070\062\062\061\066\064\061"
+"\065\061\132\027\015\061\070\060\070\062\062\061\066\064\061\065"
+"\061\132\060\116\061\013\060\011\006\003\125\004\006\023\002\125"
+"\123\061\020\060\016\006\003\125\004\012\023\007\105\161\165\151"
+"\146\141\170\061\055\060\053\006\003\125\004\013\023\044\105\161"
+"\165\151\146\141\170\040\123\145\143\165\162\145\040\103\145\162"
+"\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151"
+"\164\171\060\201\237\060\015\006\011\052\206\110\206\367\015\001"
+"\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000\301"
+"\135\261\130\147\010\142\356\240\232\055\037\010\155\221\024\150"
+"\230\012\036\376\332\004\157\023\204\142\041\303\321\174\316\237"
+"\005\340\270\001\360\116\064\354\342\212\225\004\144\254\361\153"
+"\123\137\005\263\313\147\200\277\102\002\216\376\335\001\011\354"
+"\341\000\024\117\374\373\360\014\335\103\272\133\053\341\037\200"
+"\160\231\025\127\223\026\361\017\227\152\267\302\150\043\034\314"
+"\115\131\060\254\121\036\073\257\053\326\356\143\105\173\305\331"
+"\137\120\322\343\120\017\072\210\347\277\024\375\340\307\271\002"
+"\003\001\000\001\243\202\001\011\060\202\001\005\060\160\006\003"
+"\125\035\037\004\151\060\147\060\145\240\143\240\141\244\137\060"
+"\135\061\013\060\011\006\003\125\004\006\023\002\125\123\061\020"
+"\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141\170"
+"\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151\146"
+"\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151\146"
+"\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171\061"
+"\015\060\013\006\003\125\004\003\023\004\103\122\114\061\060\032"
+"\006\003\125\035\020\004\023\060\021\201\017\062\060\061\070\060"
+"\070\062\062\061\066\064\061\065\061\132\060\013\006\003\125\035"
+"\017\004\004\003\002\001\006\060\037\006\003\125\035\043\004\030"
+"\060\026\200\024\110\346\150\371\053\322\262\225\327\107\330\043"
+"\040\020\117\063\230\220\237\324\060\035\006\003\125\035\016\004"
+"\026\004\024\110\346\150\371\053\322\262\225\327\107\330\043\040"
+"\020\117\063\230\220\237\324\060\014\006\003\125\035\023\004\005"
+"\060\003\001\001\377\060\032\006\011\052\206\110\206\366\175\007"
+"\101\000\004\015\060\013\033\005\126\063\056\060\143\003\002\006"
+"\300\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000"
+"\003\201\201\000\130\316\051\352\374\367\336\265\316\002\271\027"
+"\265\205\321\271\343\340\225\314\045\061\015\000\246\222\156\177"
+"\266\222\143\236\120\225\321\232\157\344\021\336\143\205\156\230"
+"\356\250\377\132\310\323\125\262\146\161\127\336\300\041\353\075"
+"\052\247\043\111\001\004\206\102\173\374\356\177\242\026\122\265"
+"\147\147\323\100\333\073\046\130\262\050\167\075\256\024\167\141"
+"\326\372\052\146\047\240\015\372\247\163\134\352\160\361\224\041"
+"\145\104\137\372\374\357\051\150\251\242\207\171\357\171\357\117"
+"\254\007\167\070"
+, (PRUint32)804 }
+};
+static const NSSItem nss_builtins_items_31 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Equifax Secure CA", (PRUint32)18 },
+  { (void *)"\322\062\011\255\043\323\024\043\041\164\344\015\177\235\142\023"
+"\227\206\143\072"
+, (PRUint32)20 },
+  { (void *)"\147\313\235\300\023\044\212\202\233\262\027\036\321\033\354\324"
+, (PRUint32)16 },
+  { (void *)"\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141"
+"\170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151"
+"\146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151"
+"\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171"
+, (PRUint32)80 },
+  { (void *)"\065\336\364\317"
+, (PRUint32)4 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_32 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"BelSign Object Publishing CA", (PRUint32)29 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\273\061\013\060\011\006\003\125\004\006\023\002\102\105"
+"\061\021\060\017\006\003\125\004\007\023\010\102\162\165\163\163"
+"\145\154\163\061\023\060\021\006\003\125\004\012\023\012\102\145"
+"\154\123\151\147\156\040\116\126\061\070\060\066\006\003\125\004"
+"\013\023\057\102\145\154\123\151\147\156\040\117\142\152\145\143"
+"\164\040\120\165\142\154\151\163\150\151\156\147\040\103\145\162"
+"\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151"
+"\164\171\061\045\060\043\006\003\125\004\003\023\034\102\145\154"
+"\123\151\147\156\040\117\142\152\145\143\164\040\120\165\142\154"
+"\151\163\150\151\156\147\040\103\101\061\043\060\041\006\011\052"
+"\206\110\206\367\015\001\011\001\026\024\167\145\142\155\141\163"
+"\164\145\162\100\142\145\154\163\151\147\156\056\142\145"
+, (PRUint32)190 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\273\061\013\060\011\006\003\125\004\006\023\002\102\105"
+"\061\021\060\017\006\003\125\004\007\023\010\102\162\165\163\163"
+"\145\154\163\061\023\060\021\006\003\125\004\012\023\012\102\145"
+"\154\123\151\147\156\040\116\126\061\070\060\066\006\003\125\004"
+"\013\023\057\102\145\154\123\151\147\156\040\117\142\152\145\143"
+"\164\040\120\165\142\154\151\163\150\151\156\147\040\103\145\162"
+"\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151"
+"\164\171\061\045\060\043\006\003\125\004\003\023\034\102\145\154"
+"\123\151\147\156\040\117\142\152\145\143\164\040\120\165\142\154"
+"\151\163\150\151\156\147\040\103\101\061\043\060\041\006\011\052"
+"\206\110\206\367\015\001\011\001\026\024\167\145\142\155\141\163"
+"\164\145\162\100\142\145\154\163\151\147\156\056\142\145"
+, (PRUint32)190 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)"\060\202\003\003\060\202\002\154\240\003\002\001\002\002\001\001"
+"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
+"\201\273\061\013\060\011\006\003\125\004\006\023\002\102\105\061"
+"\021\060\017\006\003\125\004\007\023\010\102\162\165\163\163\145"
+"\154\163\061\023\060\021\006\003\125\004\012\023\012\102\145\154"
+"\123\151\147\156\040\116\126\061\070\060\066\006\003\125\004\013"
+"\023\057\102\145\154\123\151\147\156\040\117\142\152\145\143\164"
+"\040\120\165\142\154\151\163\150\151\156\147\040\103\145\162\164"
+"\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164"
+"\171\061\045\060\043\006\003\125\004\003\023\034\102\145\154\123"
+"\151\147\156\040\117\142\152\145\143\164\040\120\165\142\154\151"
+"\163\150\151\156\147\040\103\101\061\043\060\041\006\011\052\206"
+"\110\206\367\015\001\011\001\026\024\167\145\142\155\141\163\164"
+"\145\162\100\142\145\154\163\151\147\156\056\142\145\060\036\027"
+"\015\071\067\060\071\061\071\062\062\060\063\060\060\132\027\015"
+"\060\067\060\071\061\071\062\062\060\063\060\060\132\060\201\273"
+"\061\013\060\011\006\003\125\004\006\023\002\102\105\061\021\060"
+"\017\006\003\125\004\007\023\010\102\162\165\163\163\145\154\163"
+"\061\023\060\021\006\003\125\004\012\023\012\102\145\154\123\151"
+"\147\156\040\116\126\061\070\060\066\006\003\125\004\013\023\057"
+"\102\145\154\123\151\147\156\040\117\142\152\145\143\164\040\120"
+"\165\142\154\151\163\150\151\156\147\040\103\145\162\164\151\146"
+"\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171\061"
+"\045\060\043\006\003\125\004\003\023\034\102\145\154\123\151\147"
+"\156\040\117\142\152\145\143\164\040\120\165\142\154\151\163\150"
+"\151\156\147\040\103\101\061\043\060\041\006\011\052\206\110\206"
+"\367\015\001\011\001\026\024\167\145\142\155\141\163\164\145\162"
+"\100\142\145\154\163\151\147\156\056\142\145\060\201\237\060\015"
+"\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215"
+"\000\060\201\211\002\201\201\000\304\056\037\266\277\356\202\100"
+"\335\371\267\056\101\325\236\005\261\132\320\046\174\142\125\003"
+"\233\374\313\141\336\113\357\376\350\231\376\207\271\210\317\220"
+"\332\017\011\074\166\337\027\227\266\313\077\045\105\375\264\274"
+"\130\000\276\260\132\266\024\207\217\356\147\144\255\035\210\203"
+"\273\147\237\145\141\000\130\010\200\120\237\200\311\061\366\052"
+"\220\034\055\367\112\154\020\366\043\103\135\070\011\140\210\127"
+"\002\315\026\154\030\374\315\373\222\052\167\320\236\223\243\135"
+"\210\144\320\310\370\135\124\121\002\003\001\000\001\243\025\060"
+"\023\060\021\006\011\140\206\110\001\206\370\102\001\001\004\004"
+"\003\002\000\007\060\015\006\011\052\206\110\206\367\015\001\001"
+"\004\005\000\003\201\201\000\143\166\027\174\226\360\123\245\135"
+"\001\034\123\316\051\302\176\165\254\114\015\242\010\163\264\152"
+"\061\375\002\006\024\231\334\124\004\244\277\310\226\206\237\061"
+"\103\062\045\127\366\205\366\045\273\067\276\241\171\043\311\127"
+"\006\045\161\153\105\117\370\364\002\100\026\202\042\257\124\352"
+"\062\050\366\015\356\231\272\113\010\121\017\156\206\043\041\114"
+"\055\045\210\201\304\056\016\361\023\054\070\212\225\002\044\303"
+"\072\225\143\344\223\216\110\273\010\107\162\137\256\346\072\132"
+"\107\326\161\306\236\232\122"
+, (PRUint32)775 }
+};
+static const NSSItem nss_builtins_items_33 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"BelSign Object Publishing CA", (PRUint32)29 },
+  { (void *)"\373\224\125\030\075\227\133\343\150\140\204\227\152\247\052\201"
+"\125\173\201\051"
+, (PRUint32)20 },
+  { (void *)"\212\002\370\337\270\341\204\237\132\302\140\044\145\321\163\373"
+, (PRUint32)16 },
+  { (void *)"\060\201\273\061\013\060\011\006\003\125\004\006\023\002\102\105"
+"\061\021\060\017\006\003\125\004\007\023\010\102\162\165\163\163"
+"\145\154\163\061\023\060\021\006\003\125\004\012\023\012\102\145"
+"\154\123\151\147\156\040\116\126\061\070\060\066\006\003\125\004"
+"\013\023\057\102\145\154\123\151\147\156\040\117\142\152\145\143"
+"\164\040\120\165\142\154\151\163\150\151\156\147\040\103\145\162"
+"\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151"
+"\164\171\061\045\060\043\006\003\125\004\003\023\034\102\145\154"
+"\123\151\147\156\040\117\142\152\145\143\164\040\120\165\142\154"
+"\151\163\150\151\156\147\040\103\101\061\043\060\041\006\011\052"
+"\206\110\206\367\015\001\011\001\026\024\167\145\142\155\141\163"
+"\164\145\162\100\142\145\154\163\151\147\156\056\142\145"
+, (PRUint32)190 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_34 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"BelSign Secure Server CA", (PRUint32)25 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\263\061\013\060\011\006\003\125\004\006\023\002\102\105"
+"\061\021\060\017\006\003\125\004\007\023\010\102\162\165\163\163"
+"\145\154\163\061\023\060\021\006\003\125\004\012\023\012\102\145"
+"\154\123\151\147\156\040\116\126\061\064\060\062\006\003\125\004"
+"\013\023\053\102\145\154\123\151\147\156\040\123\145\143\165\162"
+"\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146\151"
+"\143\141\164\145\040\101\165\164\150\157\162\151\164\171\061\041"
+"\060\037\006\003\125\004\003\023\030\102\145\154\123\151\147\156"
+"\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103"
+"\101\061\043\060\041\006\011\052\206\110\206\367\015\001\011\001"
+"\026\024\167\145\142\155\141\163\164\145\162\100\142\145\154\163"
+"\151\147\156\056\142\145"
+, (PRUint32)182 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\263\061\013\060\011\006\003\125\004\006\023\002\102\105"
+"\061\021\060\017\006\003\125\004\007\023\010\102\162\165\163\163"
+"\145\154\163\061\023\060\021\006\003\125\004\012\023\012\102\145"
+"\154\123\151\147\156\040\116\126\061\064\060\062\006\003\125\004"
+"\013\023\053\102\145\154\123\151\147\156\040\123\145\143\165\162"
+"\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146\151"
+"\143\141\164\145\040\101\165\164\150\157\162\151\164\171\061\041"
+"\060\037\006\003\125\004\003\023\030\102\145\154\123\151\147\156"
+"\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103"
+"\101\061\043\060\041\006\011\052\206\110\206\367\015\001\011\001"
+"\026\024\167\145\142\155\141\163\164\145\162\100\142\145\154\163"
+"\151\147\156\056\142\145"
+, (PRUint32)182 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)"\060\202\002\363\060\202\002\134\240\003\002\001\002\002\001\001"
+"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
+"\201\263\061\013\060\011\006\003\125\004\006\023\002\102\105\061"
+"\021\060\017\006\003\125\004\007\023\010\102\162\165\163\163\145"
+"\154\163\061\023\060\021\006\003\125\004\012\023\012\102\145\154"
+"\123\151\147\156\040\116\126\061\064\060\062\006\003\125\004\013"
+"\023\053\102\145\154\123\151\147\156\040\123\145\143\165\162\145"
+"\040\123\145\162\166\145\162\040\103\145\162\164\151\146\151\143"
+"\141\164\145\040\101\165\164\150\157\162\151\164\171\061\041\060"
+"\037\006\003\125\004\003\023\030\102\145\154\123\151\147\156\040"
+"\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103\101"
+"\061\043\060\041\006\011\052\206\110\206\367\015\001\011\001\026"
+"\024\167\145\142\155\141\163\164\145\162\100\142\145\154\163\151"
+"\147\156\056\142\145\060\036\027\015\071\067\060\067\061\066\062"
+"\062\060\060\065\064\132\027\015\060\067\060\067\061\066\062\062"
+"\060\060\065\064\132\060\201\263\061\013\060\011\006\003\125\004"
+"\006\023\002\102\105\061\021\060\017\006\003\125\004\007\023\010"
+"\102\162\165\163\163\145\154\163\061\023\060\021\006\003\125\004"
+"\012\023\012\102\145\154\123\151\147\156\040\116\126\061\064\060"
+"\062\006\003\125\004\013\023\053\102\145\154\123\151\147\156\040"
+"\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103\145"
+"\162\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162"
+"\151\164\171\061\041\060\037\006\003\125\004\003\023\030\102\145"
+"\154\123\151\147\156\040\123\145\143\165\162\145\040\123\145\162"
+"\166\145\162\040\103\101\061\043\060\041\006\011\052\206\110\206"
+"\367\015\001\011\001\026\024\167\145\142\155\141\163\164\145\162"
+"\100\142\145\154\163\151\147\156\056\142\145\060\201\237\060\015"
+"\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215"
+"\000\060\201\211\002\201\201\000\326\001\022\170\222\370\004\102"
+"\177\311\307\042\203\374\174\107\160\060\053\111\013\076\066\100"
+"\220\050\332\041\163\203\123\362\304\321\026\100\300\123\377\256"
+"\246\306\044\263\047\155\245\263\075\071\167\135\250\006\366\346"
+"\351\274\143\021\116\006\145\160\012\235\223\371\242\100\213\177"
+"\112\204\016\215\026\261\326\314\010\144\022\014\340\050\113\310"
+"\245\204\220\027\373\021\106\056\326\247\205\030\313\030\256\143"
+"\232\260\130\006\364\000\317\370\304\011\032\065\014\241\371\356"
+"\112\375\155\336\376\046\245\073\002\003\001\000\001\243\025\060"
+"\023\060\021\006\011\140\206\110\001\206\370\102\001\001\004\004"
+"\003\002\000\240\060\015\006\011\052\206\110\206\367\015\001\001"
+"\004\005\000\003\201\201\000\154\075\231\303\005\342\035\312\345"
+"\055\252\150\205\213\100\061\040\146\023\150\346\130\072\211\320"
+"\215\165\262\305\142\330\175\202\217\367\331\062\201\167\366\065"
+"\133\205\051\316\147\262\271\274\053\031\170\317\363\207\375\106"
+"\361\225\165\262\011\127\003\060\301\172\315\162\107\161\200\312"
+"\175\235\311\145\074\107\021\042\175\372\007\013\050\170\241\223"
+"\350\005\105\110\342\062\062\112\075\350\123\034\020\267\307\163"
+"\214\007\120\341\371\311\053\123\101\365\203\215\345\011\071\112"
+"\216\003\142\252\100\143\213"
+, (PRUint32)759 }
+};
+static const NSSItem nss_builtins_items_35 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"BelSign Secure Server CA", (PRUint32)25 },
+  { (void *)"\302\305\265\376\203\144\370\243\156\170\035\174\025\010\174\350"
+"\205\241\206\230"
+, (PRUint32)20 },
+  { (void *)"\075\136\202\306\331\255\331\213\223\153\014\020\271\111\012\261"
+, (PRUint32)16 },
+  { (void *)"\060\201\263\061\013\060\011\006\003\125\004\006\023\002\102\105"
+"\061\021\060\017\006\003\125\004\007\023\010\102\162\165\163\163"
+"\145\154\163\061\023\060\021\006\003\125\004\012\023\012\102\145"
+"\154\123\151\147\156\040\116\126\061\064\060\062\006\003\125\004"
+"\013\023\053\102\145\154\123\151\147\156\040\123\145\143\165\162"
+"\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146\151"
+"\143\141\164\145\040\101\165\164\150\157\162\151\164\171\061\041"
+"\060\037\006\003\125\004\003\023\030\102\145\154\123\151\147\156"
+"\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103"
+"\101\061\043\060\041\006\011\052\206\110\206\367\015\001\011\001"
+"\026\024\167\145\142\155\141\163\164\145\162\100\142\145\154\163"
+"\151\147\156\056\142\145"
+, (PRUint32)182 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_36 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"TC TrustCenter, Germany, Class 0 CA", (PRUint32)36 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
+"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
+"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
+"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
+"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
+"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
+"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
+"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
+"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
+"\060\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
+"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
+"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
+, (PRUint32)191 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
+"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
+"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
+"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
+"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
+"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
+"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
+"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
+"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
+"\060\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
+"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
+"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
+, (PRUint32)191 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)"\060\202\004\065\060\202\003\236\240\003\002\001\002\002\001\001"
+"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
+"\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061"
+"\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162"
+"\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142"
+"\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103"
+"\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162"
+"\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164"
+"\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061"
+"\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165"
+"\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\060"
+"\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001"
+"\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100"
+"\164\162\165\163\164\143\145\156\164\145\162\056\144\145\060\036"
+"\027\015\071\070\060\063\060\071\061\063\065\064\064\070\132\027"
+"\015\060\065\061\062\063\061\061\063\065\064\064\070\132\060\201"
+"\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061\020"
+"\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162\147"
+"\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142\165"
+"\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103\040"
+"\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162\040"
+"\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164\141"
+"\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061\042"
+"\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165\163"
+"\164\103\145\156\164\145\162\040\103\154\141\163\163\040\060\040"
+"\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001\011"
+"\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100\164"
+"\162\165\163\164\143\145\156\164\145\162\056\144\145\060\201\237"
+"\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003"
+"\201\215\000\060\201\211\002\201\201\000\337\175\346\276\277\325"
+"\360\057\155\116\016\321\340\215\013\177\073\124\350\212\342\260"
+"\237\050\305\212\306\271\263\063\047\365\047\312\032\114\124\022"
+"\153\264\262\106\263\035\113\263\364\041\013\113\002\056\241\302"
+"\064\234\205\240\304\170\021\333\333\153\047\053\011\052\030\116"
+"\100\314\237\161\031\147\231\164\242\174\077\301\330\213\043\310"
+"\143\073\212\041\253\134\336\036\364\215\334\264\030\303\005\163"
+"\364\152\264\241\372\001\010\053\001\017\155\067\133\252\070\206"
+"\147\071\327\345\137\372\344\176\314\243\002\003\001\000\001\243"
+"\202\001\103\060\202\001\077\060\100\006\011\140\206\110\001\206"
+"\370\102\001\003\004\063\026\061\150\164\164\160\163\072\057\057"
+"\167\167\167\056\164\162\165\163\164\143\145\156\164\145\162\056"
+"\144\145\057\143\147\151\055\142\151\156\057\143\150\145\143\153"
+"\055\162\145\166\056\143\147\151\077\060\100\006\011\140\206\110"
+"\001\206\370\102\001\004\004\063\026\061\150\164\164\160\163\072"
+"\057\057\167\167\167\056\164\162\165\163\164\143\145\156\164\145"
+"\162\056\144\145\057\143\147\151\055\142\151\156\057\143\150\145"
+"\143\153\055\162\145\166\056\143\147\151\077\060\074\006\011\140"
+"\206\110\001\206\370\102\001\007\004\057\026\055\150\164\164\160"
+"\163\072\057\057\167\167\167\056\164\162\165\163\164\143\145\156"
+"\164\145\162\056\144\145\057\143\147\151\055\142\151\156\057\122"
+"\145\156\145\167\056\143\147\151\077\060\076\006\011\140\206\110"
+"\001\206\370\102\001\010\004\061\026\057\150\164\164\160\072\057"
+"\057\167\167\167\056\164\162\165\163\164\143\145\156\164\145\162"
+"\056\144\145\057\147\165\151\144\145\154\151\156\145\163\057\151"
+"\156\144\145\170\056\150\164\155\154\060\050\006\011\140\206\110"
+"\001\206\370\102\001\015\004\033\026\031\124\103\040\124\162\165"
+"\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\060"
+"\040\103\101\060\021\006\011\140\206\110\001\206\370\102\001\001"
+"\004\004\003\002\000\007\060\015\006\011\052\206\110\206\367\015"
+"\001\001\004\005\000\003\201\201\000\115\007\177\137\011\060\031"
+"\222\252\005\107\172\224\165\124\052\256\317\374\330\014\102\341"
+"\105\070\053\044\225\262\312\207\312\171\304\303\227\220\136\142"
+"\030\306\311\070\141\114\150\065\323\114\024\021\353\304\315\241"
+"\251\330\305\236\150\047\062\007\065\105\004\370\137\041\240\140"
+"\036\034\000\110\004\130\322\305\313\256\155\062\156\075\167\225"
+"\214\205\307\345\256\120\235\165\112\173\377\013\047\171\352\115"
+"\244\131\377\354\132\352\046\245\071\203\244\321\170\316\247\251"
+"\176\274\335\053\312\022\223\003\112"
+, (PRUint32)1081 }
+};
+static const NSSItem nss_builtins_items_37 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"TC TrustCenter, Germany, Class 0 CA", (PRUint32)36 },
+  { (void *)"\104\201\247\326\311\104\165\204\317\355\212\107\311\256\152\360"
+"\036\071\165\030"
+, (PRUint32)20 },
+  { (void *)"\065\205\111\216\156\127\376\275\227\361\311\106\043\072\266\175"
+, (PRUint32)16 },
+  { (void *)"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
+"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
+"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
+"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
+"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
+"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
+"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
+"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
+"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
+"\060\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
+"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
+"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
+, (PRUint32)191 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_38 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"TC TrustCenter, Germany, Class 1 CA", (PRUint32)36 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
+"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
+"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
+"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
+"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
+"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
+"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
+"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
+"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
+"\061\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
+"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
+"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
+, (PRUint32)191 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
+"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
+"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
+"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
+"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
+"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
+"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
+"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
+"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
+"\061\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
+"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
+"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
+, (PRUint32)191 },
+  { (void *)"\002"
+, (PRUint32)1 },
+  { (void *)"\060\202\004\065\060\202\003\236\240\003\002\001\002\002\001\002"
+"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
+"\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061"
+"\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162"
+"\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142"
+"\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103"
+"\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162"
+"\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164"
+"\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061"
+"\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165"
+"\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\061"
+"\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001"
+"\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100"
+"\164\162\165\163\164\143\145\156\164\145\162\056\144\145\060\036"
+"\027\015\071\070\060\063\060\071\061\063\065\066\063\063\132\027"
+"\015\060\065\061\062\063\061\061\063\065\066\063\063\132\060\201"
+"\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061\020"
+"\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162\147"
+"\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142\165"
+"\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103\040"
+"\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162\040"
+"\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164\141"
+"\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061\042"
+"\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165\163"
+"\164\103\145\156\164\145\162\040\103\154\141\163\163\040\061\040"
+"\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001\011"
+"\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100\164"
+"\162\165\163\164\143\145\156\164\145\162\056\144\145\060\201\237"
+"\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003"
+"\201\215\000\060\201\211\002\201\201\000\260\051\353\264\166\263"
+"\256\327\266\133\264\136\347\275\343\261\234\111\004\127\133\241"
+"\253\331\177\023\033\375\272\141\253\330\347\161\337\055\000\224"
+"\135\121\110\175\043\357\165\142\204\220\074\012\037\131\021\164"
+"\057\216\200\245\375\060\002\075\051\122\315\162\032\111\041\234"
+"\274\313\122\216\110\241\143\226\310\020\205\060\151\127\164\105"
+"\300\132\206\306\325\075\340\150\127\175\061\152\044\215\105\227"
+"\076\061\176\150\146\062\156\044\155\354\062\066\311\101\312\360"
+"\061\104\310\243\141\312\033\240\066\037\002\003\001\000\001\243"
+"\202\001\103\060\202\001\077\060\100\006\011\140\206\110\001\206"
+"\370\102\001\003\004\063\026\061\150\164\164\160\163\072\057\057"
+"\167\167\167\056\164\162\165\163\164\143\145\156\164\145\162\056"
+"\144\145\057\143\147\151\055\142\151\156\057\143\150\145\143\153"
+"\055\162\145\166\056\143\147\151\077\060\100\006\011\140\206\110"
+"\001\206\370\102\001\004\004\063\026\061\150\164\164\160\163\072"
+"\057\057\167\167\167\056\164\162\165\163\164\143\145\156\164\145"
+"\162\056\144\145\057\143\147\151\055\142\151\156\057\143\150\145"
+"\143\153\055\162\145\166\056\143\147\151\077\060\074\006\011\140"
+"\206\110\001\206\370\102\001\007\004\057\026\055\150\164\164\160"
+"\163\072\057\057\167\167\167\056\164\162\165\163\164\143\145\156"
+"\164\145\162\056\144\145\057\143\147\151\055\142\151\156\057\122"
+"\145\156\145\167\056\143\147\151\077\060\076\006\011\140\206\110"
+"\001\206\370\102\001\010\004\061\026\057\150\164\164\160\072\057"
+"\057\167\167\167\056\164\162\165\163\164\143\145\156\164\145\162"
+"\056\144\145\057\147\165\151\144\145\154\151\156\145\163\057\151"
+"\156\144\145\170\056\150\164\155\154\060\050\006\011\140\206\110"
+"\001\206\370\102\001\015\004\033\026\031\124\103\040\124\162\165"
+"\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\061"
+"\040\103\101\060\021\006\011\140\206\110\001\206\370\102\001\001"
+"\004\004\003\002\000\007\060\015\006\011\052\206\110\206\367\015"
+"\001\001\004\005\000\003\201\201\000\005\102\122\046\244\014\047"
+"\001\104\254\134\045\050\302\104\102\124\010\271\035\305\076\154"
+"\131\146\304\263\116\120\247\370\370\226\165\241\226\165\350\026"
+"\070\240\315\135\156\372\171\247\033\173\035\036\303\000\271\146"
+"\276\132\326\142\017\347\362\173\270\357\114\340\300\077\131\256"
+"\071\267\204\011\236\253\361\251\056\153\151\342\255\314\362\352"
+"\170\011\005\040\070\102\161\030\176\307\262\227\346\325\002\005"
+"\006\126\243\137\361\252\302\304\117\376\367\357\026\017\235\354"
+"\252\205\317\075\051\044\361\004\315"
+, (PRUint32)1081 }
+};
+static const NSSItem nss_builtins_items_39 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"TC TrustCenter, Germany, Class 1 CA", (PRUint32)36 },
+  { (void *)"\332\300\131\013\015\224\374\025\327\025\056\266\171\160\003\133"
+"\215\271\365\053"
+, (PRUint32)20 },
+  { (void *)"\144\077\370\076\122\024\112\131\272\223\126\004\013\043\002\321"
+, (PRUint32)16 },
+  { (void *)"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
+"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
+"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
+"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
+"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
+"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
+"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
+"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
+"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
+"\061\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
+"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
+"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
+, (PRUint32)191 },
+  { (void *)"\002"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_40 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"TC TrustCenter, Germany, Class 2 CA", (PRUint32)36 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
+"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
+"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
+"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
+"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
+"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
+"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
+"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
+"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
+"\062\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
+"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
+"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
+, (PRUint32)191 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
+"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
+"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
+"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
+"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
+"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
+"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
+"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
+"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
+"\062\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
+"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
+"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
+, (PRUint32)191 },
+  { (void *)"\003"
+, (PRUint32)1 },
+  { (void *)"\060\202\004\065\060\202\003\236\240\003\002\001\002\002\001\003"
+"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
+"\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061"
+"\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162"
+"\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142"
+"\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103"
+"\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162"
+"\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164"
+"\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061"
+"\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165"
+"\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\062"
+"\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001"
+"\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100"
+"\164\162\165\163\164\143\145\156\164\145\162\056\144\145\060\036"
+"\027\015\071\070\060\063\060\071\061\063\065\067\064\064\132\027"
+"\015\060\065\061\062\063\061\061\063\065\067\064\064\132\060\201"
+"\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061\020"
+"\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162\147"
+"\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142\165"
+"\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103\040"
+"\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162\040"
+"\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164\141"
+"\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061\042"
+"\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165\163"
+"\164\103\145\156\164\145\162\040\103\154\141\163\163\040\062\040"
+"\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001\011"
+"\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100\164"
+"\162\165\163\164\143\145\156\164\145\162\056\144\145\060\201\237"
+"\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003"
+"\201\215\000\060\201\211\002\201\201\000\332\070\350\355\062\000"
+"\051\161\203\001\015\277\214\001\334\332\306\255\071\244\251\212"
+"\057\325\213\134\150\137\120\306\142\365\146\275\312\221\042\354"
+"\252\035\121\327\075\263\121\262\203\116\135\313\111\260\360\114"
+"\125\345\153\055\307\205\013\060\034\222\116\202\324\312\002\355"
+"\367\157\276\334\340\343\024\270\005\123\362\232\364\126\213\132"
+"\236\205\223\321\264\202\126\256\115\273\250\113\127\026\274\376"
+"\370\130\236\370\051\215\260\173\315\170\311\117\254\213\147\014"
+"\361\234\373\374\127\233\127\134\117\015\002\003\001\000\001\243"
+"\202\001\103\060\202\001\077\060\100\006\011\140\206\110\001\206"
+"\370\102\001\003\004\063\026\061\150\164\164\160\163\072\057\057"
+"\167\167\167\056\164\162\165\163\164\143\145\156\164\145\162\056"
+"\144\145\057\143\147\151\055\142\151\156\057\143\150\145\143\153"
+"\055\162\145\166\056\143\147\151\077\060\100\006\011\140\206\110"
+"\001\206\370\102\001\004\004\063\026\061\150\164\164\160\163\072"
+"\057\057\167\167\167\056\164\162\165\163\164\143\145\156\164\145"
+"\162\056\144\145\057\143\147\151\055\142\151\156\057\143\150\145"
+"\143\153\055\162\145\166\056\143\147\151\077\060\074\006\011\140"
+"\206\110\001\206\370\102\001\007\004\057\026\055\150\164\164\160"
+"\163\072\057\057\167\167\167\056\164\162\165\163\164\143\145\156"
+"\164\145\162\056\144\145\057\143\147\151\055\142\151\156\057\122"
+"\145\156\145\167\056\143\147\151\077\060\076\006\011\140\206\110"
+"\001\206\370\102\001\010\004\061\026\057\150\164\164\160\072\057"
+"\057\167\167\167\056\164\162\165\163\164\143\145\156\164\145\162"
+"\056\144\145\057\147\165\151\144\145\154\151\156\145\163\057\151"
+"\156\144\145\170\056\150\164\155\154\060\050\006\011\140\206\110"
+"\001\206\370\102\001\015\004\033\026\031\124\103\040\124\162\165"
+"\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\062"
+"\040\103\101\060\021\006\011\140\206\110\001\206\370\102\001\001"
+"\004\004\003\002\000\007\060\015\006\011\052\206\110\206\367\015"
+"\001\001\004\005\000\003\201\201\000\211\033\364\357\351\070\342"
+"\154\014\366\315\157\111\316\051\314\373\246\017\371\215\076\225"
+"\106\326\374\107\062\211\262\310\006\141\172\322\347\015\023\002"
+"\224\013\331\213\126\107\364\273\347\305\137\173\364\143\114\256"
+"\174\064\352\015\242\251\263\054\205\363\343\376\047\124\020\222"
+"\260\217\222\301\230\102\030\160\110\333\116\054\353\015\044\150"
+"\344\321\367\276\011\251\051\207\273\350\332\334\076\243\210\102"
+"\061\365\321\343\177\256\330\216\000\132\164\230\260\117\306\377"
+"\043\173\134\163\000\170\311\333\116"
+, (PRUint32)1081 }
+};
+static const NSSItem nss_builtins_items_41 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"TC TrustCenter, Germany, Class 2 CA", (PRUint32)36 },
+  { (void *)"\312\135\207\155\025\113\162\350\014\357\331\346\353\234\366\215"
+"\002\037\253\354"
+, (PRUint32)20 },
+  { (void *)"\341\351\226\123\167\341\360\070\240\002\253\224\306\225\173\374"
+, (PRUint32)16 },
+  { (void *)"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
+"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
+"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
+"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
+"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
+"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
+"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
+"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
+"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
+"\061\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
+"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
+"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
+, (PRUint32)191 },
+  { (void *)"\002"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_42 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"TC TrustCenter, Germany, Class 3 CA", (PRUint32)36 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
+"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
+"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
+"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
+"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
+"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
+"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
+"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
+"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
+"\063\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
+"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
+"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
+, (PRUint32)191 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
+"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
+"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
+"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
+"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
+"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
+"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
+"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
+"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
+"\063\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
+"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
+"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
+, (PRUint32)191 },
+  { (void *)"\004"
+, (PRUint32)1 },
+  { (void *)"\060\202\004\065\060\202\003\236\240\003\002\001\002\002\001\004"
+"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
+"\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061"
+"\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162"
+"\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142"
+"\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103"
+"\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162"
+"\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164"
+"\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061"
+"\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165"
+"\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\063"
+"\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001"
+"\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100"
+"\164\162\165\163\164\143\145\156\164\145\162\056\144\145\060\036"
+"\027\015\071\070\060\063\060\071\061\063\065\070\064\071\132\027"
+"\015\060\065\061\062\063\061\061\063\065\070\064\071\132\060\201"
+"\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061\020"
+"\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162\147"
+"\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142\165"
+"\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103\040"
+"\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162\040"
+"\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164\141"
+"\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061\042"
+"\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165\163"
+"\164\103\145\156\164\145\162\040\103\154\141\163\163\040\063\040"
+"\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001\011"
+"\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100\164"
+"\162\165\163\164\143\145\156\164\145\162\056\144\145\060\201\237"
+"\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003"
+"\201\215\000\060\201\211\002\201\201\000\266\264\301\065\005\056"
+"\015\215\354\240\100\152\034\016\047\246\120\222\153\120\033\007"
+"\336\056\347\166\314\340\332\374\204\250\136\214\143\152\053\115"
+"\331\116\002\166\021\301\013\362\215\171\312\000\266\361\260\016"
+"\327\373\244\027\075\257\253\151\172\226\047\277\257\063\241\232"
+"\052\131\252\304\265\067\010\362\022\245\061\266\103\365\062\226"
+"\161\050\050\253\215\050\206\337\273\356\343\014\175\060\326\303"
+"\122\253\217\135\047\234\153\300\243\347\005\153\127\111\104\263"
+"\156\352\144\317\322\216\172\120\167\167\002\003\001\000\001\243"
+"\202\001\103\060\202\001\077\060\100\006\011\140\206\110\001\206"
+"\370\102\001\003\004\063\026\061\150\164\164\160\163\072\057\057"
+"\167\167\167\056\164\162\165\163\164\143\145\156\164\145\162\056"
+"\144\145\057\143\147\151\055\142\151\156\057\143\150\145\143\153"
+"\055\162\145\166\056\143\147\151\077\060\100\006\011\140\206\110"
+"\001\206\370\102\001\004\004\063\026\061\150\164\164\160\163\072"
+"\057\057\167\167\167\056\164\162\165\163\164\143\145\156\164\145"
+"\162\056\144\145\057\143\147\151\055\142\151\156\057\143\150\145"
+"\143\153\055\162\145\166\056\143\147\151\077\060\074\006\011\140"
+"\206\110\001\206\370\102\001\007\004\057\026\055\150\164\164\160"
+"\163\072\057\057\167\167\167\056\164\162\165\163\164\143\145\156"
+"\164\145\162\056\144\145\057\143\147\151\055\142\151\156\057\122"
+"\145\156\145\167\056\143\147\151\077\060\076\006\011\140\206\110"
+"\001\206\370\102\001\010\004\061\026\057\150\164\164\160\072\057"
+"\057\167\167\167\056\164\162\165\163\164\143\145\156\164\145\162"
+"\056\144\145\057\147\165\151\144\145\154\151\156\145\163\057\151"
+"\156\144\145\170\056\150\164\155\154\060\050\006\011\140\206\110"
+"\001\206\370\102\001\015\004\033\026\031\124\103\040\124\162\165"
+"\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\063"
+"\040\103\101\060\021\006\011\140\206\110\001\206\370\102\001\001"
+"\004\004\003\002\000\007\060\015\006\011\052\206\110\206\367\015"
+"\001\001\004\005\000\003\201\201\000\204\206\120\142\171\240\047"
+"\341\045\272\011\261\064\017\023\011\355\055\312\243\346\225\371"
+"\060\254\315\027\245\316\075\227\235\354\174\217\046\177\300\141"
+"\312\042\367\221\335\074\066\131\232\233\165\367\274\344\310\355"
+"\354\002\266\042\247\363\054\361\310\222\170\155\266\356\305\050"
+"\354\200\040\117\271\153\010\347\057\247\206\036\175\261\010\237"
+"\124\271\000\067\074\240\330\032\310\226\034\364\062\024\234\071"
+"\225\267\356\360\103\111\302\136\350\313\171\157\123\277\373\111"
+"\212\054\330\113\331\125\362\022\160"
+, (PRUint32)1081 }
+};
+static const NSSItem nss_builtins_items_43 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"TC TrustCenter, Germany, Class 3 CA", (PRUint32)36 },
+  { (void *)"\227\057\340\037\171\136\221\210\026\371\201\161\176\162\355\040"
+"\241\377\020\143"
+, (PRUint32)20 },
+  { (void *)"\142\253\266\025\112\264\260\026\167\377\256\317\026\026\053\214"
+, (PRUint32)16 },
+  { (void *)"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
+"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
+"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
+"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
+"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
+"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
+"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
+"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
+"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
+"\063\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
+"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
+"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
+, (PRUint32)191 },
+  { (void *)"\004"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_44 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"TC TrustCenter, Germany, Class 4 CA", (PRUint32)36 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
+"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
+"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
+"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
+"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
+"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
+"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
+"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
+"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
+"\064\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
+"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
+"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
+, (PRUint32)191 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
+"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
+"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
+"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
+"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
+"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
+"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
+"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
+"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
+"\064\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
+"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
+"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
+, (PRUint32)191 },
+  { (void *)"\005"
+, (PRUint32)1 },
+  { (void *)"\060\202\004\065\060\202\003\236\240\003\002\001\002\002\001\005"
+"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
+"\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061"
+"\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162"
+"\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142"
+"\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103"
+"\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162"
+"\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164"
+"\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061"
+"\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165"
+"\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\064"
+"\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001"
+"\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100"
+"\164\162\165\163\164\143\145\156\164\145\162\056\144\145\060\036"
+"\027\015\071\070\060\063\060\071\061\064\060\060\062\060\132\027"
+"\015\060\065\061\062\063\061\061\064\060\060\062\060\132\060\201"
+"\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061\020"
+"\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162\147"
+"\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142\165"
+"\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103\040"
+"\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162\040"
+"\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164\141"
+"\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061\042"
+"\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165\163"
+"\164\103\145\156\164\145\162\040\103\154\141\163\163\040\064\040"
+"\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001\011"
+"\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100\164"
+"\162\165\163\164\143\145\156\164\145\162\056\144\145\060\201\237"
+"\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003"
+"\201\215\000\060\201\211\002\201\201\000\277\057\143\326\066\173"
+"\262\015\323\125\365\144\154\346\045\135\306\264\310\024\272\045"
+"\070\203\353\126\142\245\125\251\145\243\364\043\231\302\113\271"
+"\320\315\124\147\246\243\240\243\251\063\053\166\344\275\255\167"
+"\262\355\134\022\164\303\305\266\017\122\232\162\223\103\220\142"
+"\146\025\017\105\245\335\340\335\270\157\100\156\127\301\171\162"
+"\243\140\252\272\166\035\022\211\123\132\374\002\276\341\011\023"
+"\305\112\057\334\075\213\031\255\327\213\044\105\373\114\364\315"
+"\134\065\035\051\114\121\363\362\154\125\002\003\001\000\001\243"
+"\202\001\103\060\202\001\077\060\100\006\011\140\206\110\001\206"
+"\370\102\001\003\004\063\026\061\150\164\164\160\163\072\057\057"
+"\167\167\167\056\164\162\165\163\164\143\145\156\164\145\162\056"
+"\144\145\057\143\147\151\055\142\151\156\057\143\150\145\143\153"
+"\055\162\145\166\056\143\147\151\077\060\100\006\011\140\206\110"
+"\001\206\370\102\001\004\004\063\026\061\150\164\164\160\163\072"
+"\057\057\167\167\167\056\164\162\165\163\164\143\145\156\164\145"
+"\162\056\144\145\057\143\147\151\055\142\151\156\057\143\150\145"
+"\143\153\055\162\145\166\056\143\147\151\077\060\074\006\011\140"
+"\206\110\001\206\370\102\001\007\004\057\026\055\150\164\164\160"
+"\163\072\057\057\167\167\167\056\164\162\165\163\164\143\145\156"
+"\164\145\162\056\144\145\057\143\147\151\055\142\151\156\057\122"
+"\145\156\145\167\056\143\147\151\077\060\076\006\011\140\206\110"
+"\001\206\370\102\001\010\004\061\026\057\150\164\164\160\072\057"
+"\057\167\167\167\056\164\162\165\163\164\143\145\156\164\145\162"
+"\056\144\145\057\147\165\151\144\145\154\151\156\145\163\057\151"
+"\156\144\145\170\056\150\164\155\154\060\050\006\011\140\206\110"
+"\001\206\370\102\001\015\004\033\026\031\124\103\040\124\162\165"
+"\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\064"
+"\040\103\101\060\021\006\011\140\206\110\001\206\370\102\001\001"
+"\004\004\003\002\000\007\060\015\006\011\052\206\110\206\367\015"
+"\001\001\004\005\000\003\201\201\000\224\150\024\033\045\236\051"
+"\231\261\262\043\322\104\263\225\237\321\236\125\004\335\343\057"
+"\202\063\125\226\167\031\235\053\236\145\034\372\212\343\307\217"
+"\045\374\261\036\125\106\017\217\377\117\067\057\244\166\131\246"
+"\144\353\325\026\160\275\335\225\063\014\244\015\044\353\144\120"
+"\264\103\021\362\103\276\015\161\230\042\354\001\257\354\367\307"
+"\134\161\303\165\221\130\031\350\335\240\364\264\361\274\020\112"
+"\363\223\264\006\111\273\037\146\322\275\164\107\341\232\371\353"
+"\327\253\155\037\272\341\035\054\332"
+, (PRUint32)1081 }
+};
+static const NSSItem nss_builtins_items_45 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"TC TrustCenter, Germany, Class 4 CA", (PRUint32)36 },
+  { (void *)"\161\162\311\174\001\016\161\014\375\350\321\363\171\263\300\074"
+"\253\116\274\235"
+, (PRUint32)20 },
+  { (void *)"\277\257\354\304\332\371\060\371\312\065\312\045\344\077\215\211"
+, (PRUint32)16 },
+  { (void *)"\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105"
+"\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165"
+"\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155"
+"\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124"
+"\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157"
+"\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141"
+"\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110"
+"\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162"
+"\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040"
+"\064\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015"
+"\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145"
+"\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145"
+, (PRUint32)191 },
+  { (void *)"\005"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_46 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"ABAecom (sub., Am. Bankers Assn.) Root CA", (PRUint32)42 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\211\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\013\060\011\006\003\125\004\010\023\002\104\103\061\023\060"
+"\021\006\003\125\004\007\023\012\127\141\163\150\151\156\147\164"
+"\157\156\061\027\060\025\006\003\125\004\012\023\016\101\102\101"
+"\056\105\103\117\115\054\040\111\116\103\056\061\031\060\027\006"
+"\003\125\004\003\023\020\101\102\101\056\105\103\117\115\040\122"
+"\157\157\164\040\103\101\061\044\060\042\006\011\052\206\110\206"
+"\367\015\001\011\001\026\025\141\144\155\151\156\100\144\151\147"
+"\163\151\147\164\162\165\163\164\056\143\157\155"
+, (PRUint32)140 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\211\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\013\060\011\006\003\125\004\010\023\002\104\103\061\023\060"
+"\021\006\003\125\004\007\023\012\127\141\163\150\151\156\147\164"
+"\157\156\061\027\060\025\006\003\125\004\012\023\016\101\102\101"
+"\056\105\103\117\115\054\040\111\116\103\056\061\031\060\027\006"
+"\003\125\004\003\023\020\101\102\101\056\105\103\117\115\040\122"
+"\157\157\164\040\103\101\061\044\060\042\006\011\052\206\110\206"
+"\367\015\001\011\001\026\025\141\144\155\151\156\100\144\151\147"
+"\163\151\147\164\162\165\163\164\056\143\157\155"
+, (PRUint32)140 },
+  { (void *)"\000\320\036\100\220\000\000\106\122\000\000\000\001\000\000\000"
+"\004"
+, (PRUint32)17 },
+  { (void *)"\060\202\003\265\060\202\002\235\240\003\002\001\002\002\021\000"
+"\320\036\100\220\000\000\106\122\000\000\000\001\000\000\000\004"
+"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
+"\201\211\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\013\060\011\006\003\125\004\010\023\002\104\103\061\023\060\021"
+"\006\003\125\004\007\023\012\127\141\163\150\151\156\147\164\157"
+"\156\061\027\060\025\006\003\125\004\012\023\016\101\102\101\056"
+"\105\103\117\115\054\040\111\116\103\056\061\031\060\027\006\003"
+"\125\004\003\023\020\101\102\101\056\105\103\117\115\040\122\157"
+"\157\164\040\103\101\061\044\060\042\006\011\052\206\110\206\367"
+"\015\001\011\001\026\025\141\144\155\151\156\100\144\151\147\163"
+"\151\147\164\162\165\163\164\056\143\157\155\060\036\027\015\071"
+"\071\060\067\061\062\061\067\063\063\065\063\132\027\015\060\071"
+"\060\067\060\071\061\067\063\063\065\063\132\060\201\211\061\013"
+"\060\011\006\003\125\004\006\023\002\125\123\061\013\060\011\006"
+"\003\125\004\010\023\002\104\103\061\023\060\021\006\003\125\004"
+"\007\023\012\127\141\163\150\151\156\147\164\157\156\061\027\060"
+"\025\006\003\125\004\012\023\016\101\102\101\056\105\103\117\115"
+"\054\040\111\116\103\056\061\031\060\027\006\003\125\004\003\023"
+"\020\101\102\101\056\105\103\117\115\040\122\157\157\164\040\103"
+"\101\061\044\060\042\006\011\052\206\110\206\367\015\001\011\001"
+"\026\025\141\144\155\151\156\100\144\151\147\163\151\147\164\162"
+"\165\163\164\056\143\157\155\060\202\001\042\060\015\006\011\052"
+"\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060"
+"\202\001\012\002\202\001\001\000\261\323\021\340\171\125\103\007"
+"\010\114\313\005\102\000\342\015\203\106\075\344\223\272\266\006"
+"\323\015\131\275\076\301\316\103\147\001\212\041\250\357\274\314"
+"\320\242\314\260\125\226\123\204\146\005\000\332\104\111\200\330"
+"\124\012\245\045\206\224\355\143\126\377\160\154\243\241\031\322"
+"\170\276\150\052\104\136\057\317\314\030\136\107\274\072\261\106"
+"\075\036\360\271\054\064\137\214\174\114\010\051\235\100\125\353"
+"\074\175\203\336\265\360\367\212\203\016\241\114\264\072\245\263"
+"\137\132\042\227\354\031\233\301\005\150\375\346\267\251\221\224"
+"\054\344\170\110\044\032\045\031\072\353\225\234\071\012\212\317"
+"\102\262\360\034\325\137\373\153\355\150\126\173\071\054\162\070"
+"\260\356\223\251\323\173\167\074\353\161\003\251\070\112\026\154"
+"\211\052\312\332\063\023\171\302\125\214\355\234\273\362\313\133"
+"\020\370\056\141\065\306\051\114\052\320\052\143\321\145\131\264"
+"\370\315\371\364\000\204\266\127\102\205\235\062\250\371\052\124"
+"\373\377\170\101\274\275\161\050\364\273\220\274\377\226\064\004"
+"\343\105\236\241\106\050\100\201\002\003\001\000\001\243\026\060"
+"\024\060\022\006\003\125\035\023\001\001\377\004\010\060\006\001"
+"\001\377\002\001\010\060\015\006\011\052\206\110\206\367\015\001"
+"\001\005\005\000\003\202\001\001\000\004\157\045\206\344\346\226"
+"\047\264\331\102\300\320\311\000\261\177\124\076\207\262\155\044"
+"\251\057\012\176\375\244\104\260\370\124\007\275\033\235\235\312"
+"\173\120\044\173\021\133\111\243\246\277\022\164\325\211\267\267"
+"\057\230\144\045\024\267\141\351\177\140\200\153\323\144\350\253"
+"\275\032\326\121\372\300\264\135\167\032\177\144\010\136\171\306"
+"\005\114\361\172\335\115\175\316\346\110\173\124\322\141\222\201"
+"\326\033\326\000\360\016\236\050\167\240\115\210\307\042\166\031"
+"\303\307\236\033\246\167\170\370\137\233\126\321\360\362\027\254"
+"\216\235\131\346\037\376\127\266\331\136\341\135\237\105\354\141"
+"\150\031\101\341\262\040\046\376\132\060\166\044\377\100\162\074"
+"\171\237\174\042\110\253\106\315\333\263\206\054\217\277\005\101"
+"\323\301\343\024\343\101\027\046\320\174\247\161\114\031\350\112"
+"\017\162\130\061\175\354\140\172\243\042\050\275\031\044\140\077"
+"\073\207\163\300\153\344\313\256\267\253\045\103\262\125\055\173"
+"\253\006\016\165\135\064\345\135\163\155\236\262\165\100\245\131"
+"\311\117\061\161\210\331\210\177\124"
+, (PRUint32)953 }
+};
+static const NSSItem nss_builtins_items_47 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"ABAecom (sub., Am. Bankers Assn.) Root CA", (PRUint32)42 },
+  { (void *)"\172\164\101\017\260\315\134\227\052\066\113\161\277\003\035\210"
+"\246\121\016\236"
+, (PRUint32)20 },
+  { (void *)"\101\270\007\367\250\321\011\356\264\232\216\160\115\374\033\170"
+, (PRUint32)16 },
+  { (void *)"\060\201\211\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\013\060\011\006\003\125\004\010\023\002\104\103\061\023\060"
+"\021\006\003\125\004\007\023\012\127\141\163\150\151\156\147\164"
+"\157\156\061\027\060\025\006\003\125\004\012\023\016\101\102\101"
+"\056\105\103\117\115\054\040\111\116\103\056\061\031\060\027\006"
+"\003\125\004\003\023\020\101\102\101\056\105\103\117\115\040\122"
+"\157\157\164\040\103\101\061\044\060\042\006\011\052\206\110\206"
+"\367\015\001\011\001\026\025\141\144\155\151\156\100\144\151\147"
+"\163\151\147\164\162\165\163\164\056\143\157\155"
+, (PRUint32)140 },
+  { (void *)"\000\320\036\100\220\000\000\106\122\000\000\000\001\000\000\000"
+"\004"
+, (PRUint32)17 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_48 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Digital Signature Trust Co. Global CA 1", (PRUint32)40 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141"
+"\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163"
+"\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010"
+"\104\123\124\103\101\040\105\061"
+, (PRUint32)72 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141"
+"\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163"
+"\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010"
+"\104\123\124\103\101\040\105\061"
+, (PRUint32)72 },
+  { (void *)"\066\160\025\226"
+, (PRUint32)4 },
+  { (void *)"\060\202\003\051\060\202\002\222\240\003\002\001\002\002\004\066"
+"\160\025\226\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\060\106\061\013\060\011\006\003\125\004\006\023\002\125"
+"\123\061\044\060\042\006\003\125\004\012\023\033\104\151\147\151"
+"\164\141\154\040\123\151\147\156\141\164\165\162\145\040\124\162"
+"\165\163\164\040\103\157\056\061\021\060\017\006\003\125\004\013"
+"\023\010\104\123\124\103\101\040\105\061\060\036\027\015\071\070"
+"\061\062\061\060\061\070\061\060\062\063\132\027\015\061\070\061"
+"\062\061\060\061\070\064\060\062\063\132\060\106\061\013\060\011"
+"\006\003\125\004\006\023\002\125\123\061\044\060\042\006\003\125"
+"\004\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156"
+"\141\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061"
+"\021\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040"
+"\105\061\060\201\235\060\015\006\011\052\206\110\206\367\015\001"
+"\001\001\005\000\003\201\213\000\060\201\207\002\201\201\000\240"
+"\154\201\251\317\064\036\044\335\376\206\050\314\336\203\057\371"
+"\136\324\102\322\350\164\140\146\023\230\006\034\251\121\022\151"
+"\157\061\125\271\111\162\000\010\176\323\245\142\104\067\044\231"
+"\217\331\203\110\217\231\155\225\023\273\103\073\056\111\116\210"
+"\067\301\273\130\177\376\341\275\370\273\141\315\363\107\300\231"
+"\246\361\363\221\350\170\174\000\313\141\311\104\047\161\151\125"
+"\112\176\111\115\355\242\243\276\002\114\000\312\002\250\356\001"
+"\002\061\144\017\122\055\023\164\166\066\265\172\264\055\161\002"
+"\001\003\243\202\001\044\060\202\001\040\060\021\006\011\140\206"
+"\110\001\206\370\102\001\001\004\004\003\002\000\007\060\150\006"
+"\003\125\035\037\004\141\060\137\060\135\240\133\240\131\244\127"
+"\060\125\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141"
+"\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163"
+"\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010"
+"\104\123\124\103\101\040\105\061\061\015\060\013\006\003\125\004"
+"\003\023\004\103\122\114\061\060\053\006\003\125\035\020\004\044"
+"\060\042\200\017\061\071\071\070\061\062\061\060\061\070\061\060"
+"\062\063\132\201\017\062\060\061\070\061\062\061\060\061\070\061"
+"\060\062\063\132\060\013\006\003\125\035\017\004\004\003\002\001"
+"\006\060\037\006\003\125\035\043\004\030\060\026\200\024\152\171"
+"\176\221\151\106\030\023\012\002\167\245\131\133\140\230\045\016"
+"\242\370\060\035\006\003\125\035\016\004\026\004\024\152\171\176"
+"\221\151\106\030\023\012\002\167\245\131\133\140\230\045\016\242"
+"\370\060\014\006\003\125\035\023\004\005\060\003\001\001\377\060"
+"\031\006\011\052\206\110\206\366\175\007\101\000\004\014\060\012"
+"\033\004\126\064\056\060\003\002\004\220\060\015\006\011\052\206"
+"\110\206\367\015\001\001\005\005\000\003\201\201\000\042\022\330"
+"\172\035\334\201\006\266\011\145\262\207\310\037\136\264\057\351"
+"\304\036\362\074\301\273\004\220\021\112\203\116\176\223\271\115"
+"\102\307\222\046\240\134\064\232\070\162\370\375\153\026\076\040"
+"\356\202\213\061\052\223\066\205\043\210\212\074\003\150\323\311"
+"\011\017\115\374\154\244\332\050\162\223\016\211\200\260\175\376"
+"\200\157\145\155\030\063\227\213\302\153\211\356\140\075\310\233"
+"\357\177\053\062\142\163\223\313\074\343\173\342\166\170\105\274"
+"\241\223\004\273\206\237\072\133\103\172\303\212\145"
+, (PRUint32)813 }
+};
+static const NSSItem nss_builtins_items_49 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Digital Signature Trust Co. Global CA 1", (PRUint32)40 },
+  { (void *)"\201\226\213\072\357\034\334\160\365\372\062\151\302\222\243\143"
+"\133\321\043\323"
+, (PRUint32)20 },
+  { (void *)"\045\172\272\203\056\266\242\013\332\376\365\002\017\010\327\255"
+, (PRUint32)16 },
+  { (void *)"\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141"
+"\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163"
+"\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010"
+"\104\123\124\103\101\040\105\061"
+, (PRUint32)72 },
+  { (void *)"\066\160\025\226"
+, (PRUint32)4 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_50 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Digital Signature Trust Co. Global CA 3", (PRUint32)40 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141"
+"\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163"
+"\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010"
+"\104\123\124\103\101\040\105\062"
+, (PRUint32)72 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141"
+"\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163"
+"\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010"
+"\104\123\124\103\101\040\105\062"
+, (PRUint32)72 },
+  { (void *)"\066\156\323\316"
+, (PRUint32)4 },
+  { (void *)"\060\202\003\051\060\202\002\222\240\003\002\001\002\002\004\066"
+"\156\323\316\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\060\106\061\013\060\011\006\003\125\004\006\023\002\125"
+"\123\061\044\060\042\006\003\125\004\012\023\033\104\151\147\151"
+"\164\141\154\040\123\151\147\156\141\164\165\162\145\040\124\162"
+"\165\163\164\040\103\157\056\061\021\060\017\006\003\125\004\013"
+"\023\010\104\123\124\103\101\040\105\062\060\036\027\015\071\070"
+"\061\062\060\071\061\071\061\067\062\066\132\027\015\061\070\061"
+"\062\060\071\061\071\064\067\062\066\132\060\106\061\013\060\011"
+"\006\003\125\004\006\023\002\125\123\061\044\060\042\006\003\125"
+"\004\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156"
+"\141\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061"
+"\021\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040"
+"\105\062\060\201\235\060\015\006\011\052\206\110\206\367\015\001"
+"\001\001\005\000\003\201\213\000\060\201\207\002\201\201\000\277"
+"\223\217\027\222\357\063\023\030\353\020\177\116\026\277\377\006"
+"\217\052\205\274\136\371\044\246\044\210\266\003\267\301\303\137"
+"\003\133\321\157\256\176\102\352\146\043\270\143\203\126\373\050"
+"\055\341\070\213\264\356\250\001\341\316\034\266\210\052\042\106"
+"\205\373\237\247\160\251\107\024\077\316\336\145\360\250\161\367"
+"\117\046\154\214\274\306\265\357\336\111\047\377\110\052\175\350"
+"\115\003\314\307\262\122\306\027\061\023\073\265\115\333\310\304"
+"\366\303\017\044\052\332\014\235\347\221\133\200\315\224\235\002"
+"\001\003\243\202\001\044\060\202\001\040\060\021\006\011\140\206"
+"\110\001\206\370\102\001\001\004\004\003\002\000\007\060\150\006"
+"\003\125\035\037\004\141\060\137\060\135\240\133\240\131\244\127"
+"\060\125\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141"
+"\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163"
+"\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010"
+"\104\123\124\103\101\040\105\062\061\015\060\013\006\003\125\004"
+"\003\023\004\103\122\114\061\060\053\006\003\125\035\020\004\044"
+"\060\042\200\017\061\071\071\070\061\062\060\071\061\071\061\067"
+"\062\066\132\201\017\062\060\061\070\061\062\060\071\061\071\061"
+"\067\062\066\132\060\013\006\003\125\035\017\004\004\003\002\001"
+"\006\060\037\006\003\125\035\043\004\030\060\026\200\024\036\202"
+"\115\050\145\200\074\311\101\156\254\065\056\132\313\336\356\370"
+"\071\133\060\035\006\003\125\035\016\004\026\004\024\036\202\115"
+"\050\145\200\074\311\101\156\254\065\056\132\313\336\356\370\071"
+"\133\060\014\006\003\125\035\023\004\005\060\003\001\001\377\060"
+"\031\006\011\052\206\110\206\366\175\007\101\000\004\014\060\012"
+"\033\004\126\064\056\060\003\002\004\220\060\015\006\011\052\206"
+"\110\206\367\015\001\001\005\005\000\003\201\201\000\107\215\203"
+"\255\142\362\333\260\236\105\042\005\271\242\326\003\016\070\162"
+"\347\236\374\173\346\223\266\232\245\242\224\310\064\035\221\321"
+"\305\327\364\012\045\017\075\170\201\236\017\261\147\304\220\114"
+"\143\335\136\247\342\272\237\365\367\115\245\061\173\234\051\055"
+"\114\376\144\076\354\266\123\376\352\233\355\202\333\164\165\113"
+"\007\171\156\036\330\031\203\163\336\365\076\320\265\336\347\113"
+"\150\175\103\056\052\040\341\176\240\170\104\236\010\365\230\371"
+"\307\177\033\033\326\006\040\002\130\241\303\242\003"
+, (PRUint32)813 }
+};
+static const NSSItem nss_builtins_items_51 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Digital Signature Trust Co. Global CA 3", (PRUint32)40 },
+  { (void *)"\253\110\363\063\333\004\253\271\300\162\332\133\014\301\320\127"
+"\360\066\233\106"
+, (PRUint32)20 },
+  { (void *)"\223\302\216\021\173\324\363\003\031\275\050\165\023\112\105\112"
+, (PRUint32)16 },
+  { (void *)"\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141"
+"\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163"
+"\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010"
+"\104\123\124\103\101\040\105\062"
+, (PRUint32)72 },
+  { (void *)"\066\156\323\316"
+, (PRUint32)4 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_52 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Digital Signature Trust Co. Global CA 2", (PRUint32)40 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163"
+"\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061"
+"\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114"
+"\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004"
+"\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141"
+"\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021"
+"\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130"
+"\061\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040"
+"\122\157\157\164\103\101\040\130\061\061\041\060\037\006\011\052"
+"\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147"
+"\163\151\147\164\162\165\163\164\056\143\157\155"
+, (PRUint32)172 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163"
+"\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061"
+"\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114"
+"\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004"
+"\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141"
+"\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021"
+"\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130"
+"\061\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040"
+"\122\157\157\164\103\101\040\130\061\061\041\060\037\006\011\052"
+"\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147"
+"\163\151\147\164\162\165\163\164\056\143\157\155"
+, (PRUint32)172 },
+  { (void *)"\000\320\036\100\213\000\000\002\174\000\000\000\002\000\000\000"
+"\001"
+, (PRUint32)17 },
+  { (void *)"\060\202\003\330\060\202\002\300\002\021\000\320\036\100\213\000"
+"\000\002\174\000\000\000\002\000\000\000\001\060\015\006\011\052"
+"\206\110\206\367\015\001\001\005\005\000\060\201\251\061\013\060"
+"\011\006\003\125\004\006\023\002\165\163\061\015\060\013\006\003"
+"\125\004\010\023\004\125\164\141\150\061\027\060\025\006\003\125"
+"\004\007\023\016\123\141\154\164\040\114\141\153\145\040\103\151"
+"\164\171\061\044\060\042\006\003\125\004\012\023\033\104\151\147"
+"\151\164\141\154\040\123\151\147\156\141\164\165\162\145\040\124"
+"\162\165\163\164\040\103\157\056\061\021\060\017\006\003\125\004"
+"\013\023\010\104\123\124\103\101\040\130\061\061\026\060\024\006"
+"\003\125\004\003\023\015\104\123\124\040\122\157\157\164\103\101"
+"\040\130\061\061\041\060\037\006\011\052\206\110\206\367\015\001"
+"\011\001\026\022\143\141\100\144\151\147\163\151\147\164\162\165"
+"\163\164\056\143\157\155\060\036\027\015\071\070\061\062\060\061"
+"\061\070\061\070\065\065\132\027\015\060\070\061\061\062\070\061"
+"\070\061\070\065\065\132\060\201\251\061\013\060\011\006\003\125"
+"\004\006\023\002\165\163\061\015\060\013\006\003\125\004\010\023"
+"\004\125\164\141\150\061\027\060\025\006\003\125\004\007\023\016"
+"\123\141\154\164\040\114\141\153\145\040\103\151\164\171\061\044"
+"\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141\154"
+"\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163\164"
+"\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010\104"
+"\123\124\103\101\040\130\061\061\026\060\024\006\003\125\004\003"
+"\023\015\104\123\124\040\122\157\157\164\103\101\040\130\061\061"
+"\041\060\037\006\011\052\206\110\206\367\015\001\011\001\026\022"
+"\143\141\100\144\151\147\163\151\147\164\162\165\163\164\056\143"
+"\157\155\060\202\001\042\060\015\006\011\052\206\110\206\367\015"
+"\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202"
+"\001\001\000\322\306\046\266\347\245\075\301\304\150\325\120\157"
+"\123\305\157\111\023\011\270\257\054\110\215\024\152\243\027\137"
+"\132\371\323\056\165\057\330\050\142\321\223\057\374\115\324\253"
+"\207\345\010\307\231\347\222\077\165\275\353\045\264\025\301\233"
+"\031\075\322\104\215\327\164\040\155\067\002\217\151\223\133\212"
+"\304\031\235\364\262\016\374\026\154\271\261\005\222\203\321\205"
+"\054\140\224\076\105\125\240\331\253\010\041\346\140\350\073\164"
+"\362\231\120\121\150\320\003\055\261\200\276\243\330\122\260\104"
+"\315\103\112\160\216\130\205\225\341\116\054\326\055\101\157\326"
+"\204\347\310\230\104\312\107\333\054\044\245\151\046\317\153\270"
+"\047\142\303\364\311\172\222\043\355\023\147\202\256\105\056\105"
+"\345\176\162\077\205\235\224\142\020\346\074\221\241\255\167\000"
+"\340\025\354\363\204\200\162\172\216\156\140\227\307\044\131\020"
+"\064\203\133\341\245\244\151\266\127\065\034\170\131\306\323\057"
+"\072\163\147\356\224\312\004\023\005\142\006\160\043\263\364\174"
+"\356\105\331\144\013\133\111\252\244\103\316\046\304\104\022\154"
+"\270\335\171\002\003\001\000\001\060\015\006\011\052\206\110\206"
+"\367\015\001\001\005\005\000\003\202\001\001\000\242\067\262\077"
+"\151\373\327\206\171\124\111\061\225\063\053\363\321\011\024\111"
+"\142\140\206\245\260\021\342\120\302\035\006\127\076\055\350\063"
+"\144\276\233\252\255\137\033\115\324\231\225\242\213\232\311\142"
+"\162\265\151\352\331\130\253\065\355\025\242\103\326\266\274\007"
+"\171\145\144\163\175\327\171\312\173\325\132\121\306\341\123\004"
+"\226\215\070\317\243\027\254\071\161\153\001\303\213\123\074\143"
+"\351\356\171\300\344\276\222\062\144\172\263\037\227\224\142\275"
+"\352\262\040\025\225\373\227\362\170\057\143\066\100\070\343\106"
+"\017\035\335\254\225\312\347\113\220\173\261\113\251\324\305\353"
+"\232\332\252\325\243\224\024\106\215\055\037\363\072\326\223\072"
+"\366\076\171\374\350\346\260\165\355\356\075\311\160\307\135\252"
+"\201\113\106\045\034\307\154\025\343\225\116\017\252\062\067\224"
+"\012\027\044\222\023\204\130\322\143\157\053\367\346\133\142\013"
+"\023\027\260\015\122\114\376\376\157\134\342\221\156\035\375\244"
+"\142\327\150\372\216\172\117\322\010\332\223\334\360\222\021\172"
+"\320\334\162\223\014\163\223\142\205\150\320\364"
+, (PRUint32)988 }
+};
+static const NSSItem nss_builtins_items_53 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Digital Signature Trust Co. Global CA 2", (PRUint32)40 },
+  { (void *)"\267\057\377\222\322\316\103\336\012\215\114\124\214\120\067\046"
+"\250\036\053\223"
+, (PRUint32)20 },
+  { (void *)"\154\311\247\156\107\361\014\343\123\073\170\114\115\302\152\305"
+, (PRUint32)16 },
+  { (void *)"\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163"
+"\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061"
+"\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114"
+"\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004"
+"\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141"
+"\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021"
+"\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130"
+"\061\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040"
+"\122\157\157\164\103\101\040\130\061\061\041\060\037\006\011\052"
+"\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147"
+"\163\151\147\164\162\165\163\164\056\143\157\155"
+, (PRUint32)172 },
+  { (void *)"\000\320\036\100\213\000\000\002\174\000\000\000\002\000\000\000"
+"\001"
+, (PRUint32)17 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_54 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Digital Signature Trust Co. Global CA 4", (PRUint32)40 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163"
+"\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061"
+"\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114"
+"\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004"
+"\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141"
+"\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021"
+"\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130"
+"\062\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040"
+"\122\157\157\164\103\101\040\130\062\061\041\060\037\006\011\052"
+"\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147"
+"\163\151\147\164\162\165\163\164\056\143\157\155"
+, (PRUint32)172 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163"
+"\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061"
+"\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114"
+"\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004"
+"\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141"
+"\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021"
+"\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130"
+"\062\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040"
+"\122\157\157\164\103\101\040\130\062\061\041\060\037\006\011\052"
+"\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147"
+"\163\151\147\164\162\165\163\164\056\143\157\155"
+, (PRUint32)172 },
+  { (void *)"\000\320\036\100\213\000\000\167\155\000\000\000\001\000\000\000"
+"\004"
+, (PRUint32)17 },
+  { (void *)"\060\202\003\330\060\202\002\300\002\021\000\320\036\100\213\000"
+"\000\167\155\000\000\000\001\000\000\000\004\060\015\006\011\052"
+"\206\110\206\367\015\001\001\005\005\000\060\201\251\061\013\060"
+"\011\006\003\125\004\006\023\002\165\163\061\015\060\013\006\003"
+"\125\004\010\023\004\125\164\141\150\061\027\060\025\006\003\125"
+"\004\007\023\016\123\141\154\164\040\114\141\153\145\040\103\151"
+"\164\171\061\044\060\042\006\003\125\004\012\023\033\104\151\147"
+"\151\164\141\154\040\123\151\147\156\141\164\165\162\145\040\124"
+"\162\165\163\164\040\103\157\056\061\021\060\017\006\003\125\004"
+"\013\023\010\104\123\124\103\101\040\130\062\061\026\060\024\006"
+"\003\125\004\003\023\015\104\123\124\040\122\157\157\164\103\101"
+"\040\130\062\061\041\060\037\006\011\052\206\110\206\367\015\001"
+"\011\001\026\022\143\141\100\144\151\147\163\151\147\164\162\165"
+"\163\164\056\143\157\155\060\036\027\015\071\070\061\061\063\060"
+"\062\062\064\066\061\066\132\027\015\060\070\061\061\062\067\062"
+"\062\064\066\061\066\132\060\201\251\061\013\060\011\006\003\125"
+"\004\006\023\002\165\163\061\015\060\013\006\003\125\004\010\023"
+"\004\125\164\141\150\061\027\060\025\006\003\125\004\007\023\016"
+"\123\141\154\164\040\114\141\153\145\040\103\151\164\171\061\044"
+"\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141\154"
+"\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163\164"
+"\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010\104"
+"\123\124\103\101\040\130\062\061\026\060\024\006\003\125\004\003"
+"\023\015\104\123\124\040\122\157\157\164\103\101\040\130\062\061"
+"\041\060\037\006\011\052\206\110\206\367\015\001\011\001\026\022"
+"\143\141\100\144\151\147\163\151\147\164\162\165\163\164\056\143"
+"\157\155\060\202\001\042\060\015\006\011\052\206\110\206\367\015"
+"\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202"
+"\001\001\000\334\165\360\214\300\165\226\232\300\142\037\046\367"
+"\304\341\232\352\340\126\163\133\231\315\001\104\250\010\266\325"
+"\247\332\032\004\030\071\222\112\170\243\201\302\365\167\172\120"
+"\264\160\377\232\253\306\307\312\156\203\117\102\230\373\046\013"
+"\332\334\155\326\251\231\125\122\147\351\050\003\222\334\345\260"
+"\005\232\017\025\371\153\131\162\126\362\372\071\374\252\150\356"
+"\017\037\020\203\057\374\235\372\027\226\335\202\343\346\105\175"
+"\300\113\200\104\037\355\054\340\204\375\221\134\222\124\151\045"
+"\345\142\151\334\345\356\000\122\275\063\013\255\165\002\205\247"
+"\144\120\055\305\031\031\060\300\046\333\311\323\375\056\231\255"
+"\131\265\013\115\324\101\256\205\110\103\131\334\267\250\342\242"
+"\336\303\217\327\270\241\142\246\150\120\122\344\317\061\247\224"
+"\205\332\237\106\062\027\126\345\362\353\146\075\022\377\103\333"
+"\230\357\167\317\313\201\215\064\261\306\120\112\046\321\344\076"
+"\101\120\257\154\256\042\064\056\325\153\156\203\272\171\270\166"
+"\145\110\332\011\051\144\143\042\271\373\107\166\205\214\206\104"
+"\313\011\333\002\003\001\000\001\060\015\006\011\052\206\110\206"
+"\367\015\001\001\005\005\000\003\202\001\001\000\265\066\016\135"
+"\341\141\050\132\021\145\300\077\203\003\171\115\276\050\246\013"
+"\007\002\122\205\315\370\221\320\020\154\265\152\040\133\034\220"
+"\331\060\074\306\110\236\212\136\144\371\241\161\167\357\004\047"
+"\037\007\353\344\046\367\163\164\311\104\030\032\146\323\340\103"
+"\257\221\073\321\313\054\330\164\124\072\034\115\312\324\150\315"
+"\043\174\035\020\236\105\351\366\000\156\246\315\031\377\117\054"
+"\051\217\127\115\304\167\222\276\340\114\011\373\135\104\206\146"
+"\041\250\271\062\242\126\325\351\214\203\174\131\077\304\361\013"
+"\347\235\354\236\275\234\030\016\076\302\071\171\050\267\003\015"
+"\010\313\306\347\331\001\067\120\020\354\314\141\026\100\324\257"
+"\061\164\173\374\077\061\247\320\107\163\063\071\033\314\116\152"
+"\327\111\203\021\006\376\353\202\130\063\062\114\360\126\254\036"
+"\234\057\126\232\173\301\112\034\245\375\125\066\316\374\226\115"
+"\364\260\360\354\267\154\202\355\057\061\231\102\114\251\262\015"
+"\270\025\135\361\337\272\311\265\112\324\144\230\263\046\251\060"
+"\310\375\246\354\253\226\041\255\177\302\170\266"
+, (PRUint32)988 }
+};
+static const NSSItem nss_builtins_items_55 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Digital Signature Trust Co. Global CA 4", (PRUint32)40 },
+  { (void *)"\147\353\063\173\150\114\353\016\302\260\166\012\264\210\047\214"
+"\335\225\227\335"
+, (PRUint32)20 },
+  { (void *)"\315\073\075\142\133\011\270\011\066\207\236\022\057\161\144\272"
+, (PRUint32)16 },
+  { (void *)"\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163"
+"\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061"
+"\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114"
+"\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004"
+"\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141"
+"\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021"
+"\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130"
+"\062\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040"
+"\122\157\157\164\103\101\040\130\062\061\041\060\037\006\011\052"
+"\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147"
+"\163\151\147\164\162\165\163\164\056\143\157\155"
+, (PRUint32)172 },
+  { (void *)"\000\320\036\100\213\000\000\167\155\000\000\000\001\000\000\000"
+"\004"
+, (PRUint32)17 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_56 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Deutsche Telekom AG Root CA", (PRUint32)28 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\155\061\013\060\011\006\003\125\004\006\023\002\104\105\061"
+"\034\060\032\006\003\125\004\012\023\023\104\145\165\164\163\143"
+"\150\145\040\124\145\154\145\153\157\155\040\101\107\061\035\060"
+"\033\006\003\125\004\013\023\024\124\145\154\145\123\145\143\040"
+"\124\162\165\163\164\040\103\145\156\164\145\162\061\041\060\037"
+"\006\003\125\004\003\023\030\104\145\165\164\163\143\150\145\040"
+"\124\145\154\145\153\157\155\040\122\157\157\164\040\103\101"
+, (PRUint32)111 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\155\061\013\060\011\006\003\125\004\006\023\002\104\105\061"
+"\034\060\032\006\003\125\004\012\023\023\104\145\165\164\163\143"
+"\150\145\040\124\145\154\145\153\157\155\040\101\107\061\035\060"
+"\033\006\003\125\004\013\023\024\124\145\154\145\123\145\143\040"
+"\124\162\165\163\164\040\103\145\156\164\145\162\061\041\060\037"
+"\006\003\125\004\003\023\030\104\145\165\164\163\143\150\145\040"
+"\124\145\154\145\153\157\155\040\122\157\157\164\040\103\101"
+, (PRUint32)111 },
+  { (void *)"\006"
+, (PRUint32)1 },
+  { (void *)"\060\202\002\216\060\202\001\367\240\003\002\001\002\002\001\006"
+"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
+"\155\061\013\060\011\006\003\125\004\006\023\002\104\105\061\034"
+"\060\032\006\003\125\004\012\023\023\104\145\165\164\163\143\150"
+"\145\040\124\145\154\145\153\157\155\040\101\107\061\035\060\033"
+"\006\003\125\004\013\023\024\124\145\154\145\123\145\143\040\124"
+"\162\165\163\164\040\103\145\156\164\145\162\061\041\060\037\006"
+"\003\125\004\003\023\030\104\145\165\164\163\143\150\145\040\124"
+"\145\154\145\153\157\155\040\122\157\157\164\040\103\101\060\036"
+"\027\015\071\070\061\062\060\071\060\071\061\061\060\060\132\027"
+"\015\060\064\061\062\060\071\062\063\065\071\060\060\132\060\155"
+"\061\013\060\011\006\003\125\004\006\023\002\104\105\061\034\060"
+"\032\006\003\125\004\012\023\023\104\145\165\164\163\143\150\145"
+"\040\124\145\154\145\153\157\155\040\101\107\061\035\060\033\006"
+"\003\125\004\013\023\024\124\145\154\145\123\145\143\040\124\162"
+"\165\163\164\040\103\145\156\164\145\162\061\041\060\037\006\003"
+"\125\004\003\023\030\104\145\165\164\163\143\150\145\040\124\145"
+"\154\145\153\157\155\040\122\157\157\164\040\103\101\060\201\237"
+"\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003"
+"\201\215\000\060\201\211\002\201\201\000\335\005\054\371\005\263"
+"\271\022\327\151\161\367\352\126\060\010\127\024\103\173\273\032"
+"\234\155\057\127\141\327\342\365\104\153\356\066\101\226\366\144"
+"\316\341\301\262\271\244\024\004\230\120\350\160\370\216\065\232"
+"\175\111\301\141\035\131\256\332\006\030\225\175\255\316\354\251"
+"\276\321\030\017\100\221\166\052\243\345\375\376\211\025\364\127"
+"\367\340\125\332\165\255\000\364\054\301\065\314\264\103\046\125"
+"\142\104\056\001\045\234\212\133\360\301\320\000\065\170\376\065"
+"\336\224\100\144\170\203\241\314\071\211\002\003\001\000\001\243"
+"\076\060\074\060\017\006\003\125\035\023\004\010\060\006\001\001"
+"\377\002\001\005\060\016\006\003\125\035\017\001\001\377\004\004"
+"\003\002\001\006\060\031\006\003\125\035\016\004\022\004\020\054"
+"\207\131\037\213\023\200\262\371\206\235\076\022\176\130\226\060"
+"\015\006\011\052\206\110\206\367\015\001\001\004\005\000\003\201"
+"\201\000\017\376\163\265\007\210\157\240\013\211\352\312\120\037"
+"\224\336\224\053\013\047\136\117\365\034\225\046\332\214\226\124"
+"\255\031\221\067\103\135\253\311\213\263\315\157\230\071\075\355"
+"\335\065\343\161\267\355\023\223\203\350\206\345\051\063\023\023"
+"\274\065\173\375\050\057\160\131\325\323\264\215\050\023\131\073"
+"\310\325\164\371\105\302\007\140\252\270\030\124\371\245\150\377"
+"\327\005\325\217\266\005\061\056\101\112\364\020\037\140\107\032"
+"\013\213\031\115\222\127\040\322\357\120\031\350\315\320\160\274"
+"\274\066"
+, (PRUint32)658 }
+};
+static const NSSItem nss_builtins_items_57 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Deutsche Telekom AG Root CA", (PRUint32)28 },
+  { (void *)"\342\023\044\000\203\106\103\235\143\067\021\170\043\310\065\246"
+"\354\113\316\102"
+, (PRUint32)20 },
+  { (void *)"\167\336\004\224\167\320\014\137\247\261\364\060\030\207\373\125"
+, (PRUint32)16 },
+  { (void *)"\060\155\061\013\060\011\006\003\125\004\006\023\002\104\105\061"
+"\034\060\032\006\003\125\004\012\023\023\104\145\165\164\163\143"
+"\150\145\040\124\145\154\145\153\157\155\040\101\107\061\035\060"
+"\033\006\003\125\004\013\023\024\124\145\154\145\123\145\143\040"
+"\124\162\165\163\164\040\103\145\156\164\145\162\061\041\060\037"
+"\006\003\125\004\003\023\030\104\145\165\164\163\143\150\145\040"
+"\124\145\154\145\153\157\155\040\122\157\157\164\040\103\101"
+, (PRUint32)111 },
+  { (void *)"\006"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_58 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 1 Public Primary Certification Authority", (PRUint32)56 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
+"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
+"\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151"
+"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
+"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)97 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
+"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
+"\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151"
+"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
+"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)97 },
+  { (void *)"\000\315\272\177\126\360\337\344\274\124\376\042\254\263\162\252"
+"\125"
+, (PRUint32)17 },
+  { (void *)"\060\202\002\075\060\202\001\246\002\021\000\315\272\177\126\360"
+"\337\344\274\124\376\042\254\263\162\252\125\060\015\006\011\052"
+"\206\110\206\367\015\001\001\002\005\000\060\137\061\013\060\011"
+"\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125"
+"\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156"
+"\143\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141"
+"\163\163\040\061\040\120\165\142\154\151\143\040\120\162\151\155"
+"\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\101\165\164\150\157\162\151\164\171\060\036\027\015\071"
+"\066\060\061\062\071\060\060\060\060\060\060\132\027\015\062\070"
+"\060\070\060\061\062\063\065\071\065\071\132\060\137\061\013\060"
+"\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003"
+"\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111"
+"\156\143\056\061\067\060\065\006\003\125\004\013\023\056\103\154"
+"\141\163\163\040\061\040\120\165\142\154\151\143\040\120\162\151"
+"\155\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151"
+"\157\156\040\101\165\164\150\157\162\151\164\171\060\201\237\060"
+"\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201"
+"\215\000\060\201\211\002\201\201\000\345\031\277\155\243\126\141"
+"\055\231\110\161\366\147\336\271\215\353\267\236\206\200\012\221"
+"\016\372\070\045\257\106\210\202\345\163\250\240\233\044\135\015"
+"\037\314\145\156\014\260\320\126\204\030\207\232\006\233\020\241"
+"\163\337\264\130\071\153\156\301\366\025\325\250\250\077\252\022"
+"\006\215\061\254\177\260\064\327\217\064\147\210\011\315\024\021"
+"\342\116\105\126\151\037\170\002\200\332\334\107\221\051\273\066"
+"\311\143\134\305\340\327\055\207\173\241\267\062\260\173\060\272"
+"\052\057\061\252\356\243\147\332\333\002\003\001\000\001\060\015"
+"\006\011\052\206\110\206\367\015\001\001\002\005\000\003\201\201"
+"\000\114\077\270\213\306\150\337\356\103\063\016\135\351\246\313"
+"\007\204\115\172\063\377\222\033\364\066\255\330\225\042\066\150"
+"\021\154\174\102\314\363\234\056\304\007\077\024\260\017\117\377"
+"\220\222\166\371\342\274\112\351\217\315\240\200\012\367\305\051"
+"\361\202\042\135\270\261\335\201\043\243\173\045\025\106\060\171"
+"\026\370\352\005\113\224\177\035\302\034\310\343\267\364\020\100"
+"\074\023\303\137\037\123\350\110\344\206\264\173\241\065\260\173"
+"\045\272\270\323\216\253\077\070\235\000\064\000\230\363\321\161"
+"\224"
+, (PRUint32)577 }
+};
+static const NSSItem nss_builtins_items_59 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 1 Public Primary Certification Authority", (PRUint32)56 },
+  { (void *)"\220\256\242\151\205\377\024\200\114\103\111\122\354\351\140\204"
+"\167\257\125\157"
+, (PRUint32)20 },
+  { (void *)"\227\140\350\127\137\323\120\107\345\103\014\224\066\212\260\142"
+, (PRUint32)16 },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
+"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
+"\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151"
+"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
+"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)97 },
+  { (void *)"\000\315\272\177\126\360\337\344\274\124\376\042\254\263\162\252"
+"\125"
+, (PRUint32)17 },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_60 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 2 Public Primary Certification Authority", (PRUint32)56 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
+"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
+"\013\023\056\103\154\141\163\163\040\062\040\120\165\142\154\151"
+"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
+"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)97 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
+"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
+"\013\023\056\103\154\141\163\163\040\062\040\120\165\142\154\151"
+"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
+"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)97 },
+  { (void *)"\055\033\374\112\027\215\243\221\353\347\377\365\213\105\276\013"
+, (PRUint32)16 },
+  { (void *)"\060\202\002\074\060\202\001\245\002\020\055\033\374\112\027\215"
+"\243\221\353\347\377\365\213\105\276\013\060\015\006\011\052\206"
+"\110\206\367\015\001\001\002\005\000\060\137\061\013\060\011\006"
+"\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004"
+"\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156\143"
+"\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141\163"
+"\163\040\062\040\120\165\142\154\151\143\040\120\162\151\155\141"
+"\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157\156"
+"\040\101\165\164\150\157\162\151\164\171\060\036\027\015\071\066"
+"\060\061\062\071\060\060\060\060\060\060\132\027\015\062\070\060"
+"\070\060\061\062\063\065\071\065\071\132\060\137\061\013\060\011"
+"\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125"
+"\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156"
+"\143\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141"
+"\163\163\040\062\040\120\165\142\154\151\143\040\120\162\151\155"
+"\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\101\165\164\150\157\162\151\164\171\060\201\237\060\015"
+"\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215"
+"\000\060\201\211\002\201\201\000\266\132\213\243\015\152\043\203"
+"\200\153\317\071\207\364\041\023\063\006\114\045\242\355\125\022"
+"\227\305\247\200\271\372\203\301\040\240\372\057\025\015\174\241"
+"\140\153\176\171\054\372\006\017\072\256\366\033\157\261\322\377"
+"\057\050\122\137\203\175\113\304\172\267\370\146\037\200\124\374"
+"\267\302\216\131\112\024\127\106\321\232\223\276\101\221\003\273"
+"\025\200\223\134\353\347\314\010\154\077\076\263\112\374\377\113"
+"\154\043\325\120\202\046\104\031\216\043\303\161\352\031\044\107"
+"\004\236\165\277\310\246\000\037\002\003\001\000\001\060\015\006"
+"\011\052\206\110\206\367\015\001\001\002\005\000\003\201\201\000"
+"\212\033\053\372\071\301\164\327\136\330\031\144\242\130\112\055"
+"\067\340\063\107\017\254\355\367\252\333\036\344\213\006\134\140"
+"\047\312\105\122\316\026\357\077\006\144\347\224\150\174\140\063"
+"\025\021\151\257\235\142\215\243\003\124\153\246\276\345\356\005"
+"\030\140\004\277\102\200\375\320\250\250\036\001\073\367\243\134"
+"\257\243\334\346\046\200\043\074\270\104\164\367\012\256\111\213"
+"\141\170\314\044\277\210\212\247\016\352\163\031\101\375\115\003"
+"\360\210\321\345\170\215\245\052\117\366\227\015\027\167\312\330"
+, (PRUint32)576 }
+};
+static const NSSItem nss_builtins_items_61 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 2 Public Primary Certification Authority", (PRUint32)56 },
+  { (void *)"\147\202\252\340\355\356\342\032\130\071\323\300\315\024\150\012"
+"\117\140\024\052"
+, (PRUint32)20 },
+  { (void *)"\263\234\045\261\303\056\062\123\200\025\060\235\115\002\167\076"
+, (PRUint32)16 },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
+"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
+"\013\023\056\103\154\141\163\163\040\062\040\120\165\142\154\151"
+"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
+"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)97 },
+  { (void *)"\055\033\374\112\027\215\243\221\353\347\377\365\213\105\276\013"
+, (PRUint32)16 },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_62 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 3 Public Primary Certification Authority", (PRUint32)56 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
+"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
+"\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151"
+"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
+"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)97 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
+"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
+"\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151"
+"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
+"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)97 },
+  { (void *)"\160\272\344\035\020\331\051\064\266\070\312\173\003\314\272\277"
+, (PRUint32)16 },
+  { (void *)"\060\202\002\074\060\202\001\245\002\020\160\272\344\035\020\331"
+"\051\064\266\070\312\173\003\314\272\277\060\015\006\011\052\206"
+"\110\206\367\015\001\001\002\005\000\060\137\061\013\060\011\006"
+"\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004"
+"\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156\143"
+"\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141\163"
+"\163\040\063\040\120\165\142\154\151\143\040\120\162\151\155\141"
+"\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157\156"
+"\040\101\165\164\150\157\162\151\164\171\060\036\027\015\071\066"
+"\060\061\062\071\060\060\060\060\060\060\132\027\015\062\070\060"
+"\070\060\061\062\063\065\071\065\071\132\060\137\061\013\060\011"
+"\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125"
+"\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156"
+"\143\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141"
+"\163\163\040\063\040\120\165\142\154\151\143\040\120\162\151\155"
+"\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\101\165\164\150\157\162\151\164\171\060\201\237\060\015"
+"\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215"
+"\000\060\201\211\002\201\201\000\311\134\131\236\362\033\212\001"
+"\024\264\020\337\004\100\333\343\127\257\152\105\100\217\204\014"
+"\013\321\063\331\331\021\317\356\002\130\037\045\367\052\250\104"
+"\005\252\354\003\037\170\177\236\223\271\232\000\252\043\175\326"
+"\254\205\242\143\105\307\162\047\314\364\114\306\165\161\322\071"
+"\357\117\102\360\165\337\012\220\306\216\040\157\230\017\370\254"
+"\043\137\160\051\066\244\311\206\347\261\232\040\313\123\245\205"
+"\347\075\276\175\232\376\044\105\063\334\166\025\355\017\242\161"
+"\144\114\145\056\201\150\105\247\002\003\001\000\001\060\015\006"
+"\011\052\206\110\206\367\015\001\001\002\005\000\003\201\201\000"
+"\273\114\022\053\317\054\046\000\117\024\023\335\246\373\374\012"
+"\021\204\214\363\050\034\147\222\057\174\266\305\372\337\360\350"
+"\225\274\035\217\154\054\250\121\314\163\330\244\300\123\360\116"
+"\326\046\300\166\001\127\201\222\136\041\361\321\261\377\347\320"
+"\041\130\315\151\027\343\104\034\234\031\104\071\211\134\334\234"
+"\000\017\126\215\002\231\355\242\220\105\114\344\273\020\244\075"
+"\360\062\003\016\361\316\370\350\311\121\214\346\142\237\346\237"
+"\300\175\267\162\234\311\066\072\153\237\116\250\377\144\015\144"
+, (PRUint32)576 }
+};
+static const NSSItem nss_builtins_items_63 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 3 Public Primary Certification Authority", (PRUint32)56 },
+  { (void *)"\164\054\061\222\346\007\344\044\353\105\111\124\053\341\273\305"
+"\076\141\164\342"
+, (PRUint32)20 },
+  { (void *)"\020\374\143\135\366\046\076\015\363\045\276\137\171\315\147\147"
+, (PRUint32)16 },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
+"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
+"\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151"
+"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
+"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)97 },
+  { (void *)"\160\272\344\035\020\331\051\064\266\070\312\173\003\314\272\277"
+, (PRUint32)16 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_64 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 1 Public Primary Certification Authority - G2", (PRUint32)61 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
+"\004\013\023\063\103\154\141\163\163\040\061\040\120\165\142\154"
+"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
+"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
+"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
+"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
+"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
+"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
+"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
+"\167\157\162\153"
+, (PRUint32)196 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
+"\004\013\023\063\103\154\141\163\163\040\061\040\120\165\142\154"
+"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
+"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
+"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
+"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
+"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
+"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
+"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
+"\167\157\162\153"
+, (PRUint32)196 },
+  { (void *)"\114\307\352\252\230\076\161\323\223\020\370\075\072\211\221\222"
+, (PRUint32)16 },
+  { (void *)"\060\202\003\002\060\202\002\153\002\020\114\307\352\252\230\076"
+"\161\323\223\020\370\075\072\211\221\222\060\015\006\011\052\206"
+"\110\206\367\015\001\001\005\005\000\060\201\301\061\013\060\011"
+"\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125"
+"\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156"
+"\143\056\061\074\060\072\006\003\125\004\013\023\063\103\154\141"
+"\163\163\040\061\040\120\165\142\154\151\143\040\120\162\151\155"
+"\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107\062"
+"\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040\061"
+"\071\071\070\040\126\145\162\151\123\151\147\156\054\040\111\156"
+"\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162\151"
+"\172\145\144\040\165\163\145\040\157\156\154\171\061\037\060\035"
+"\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040"
+"\124\162\165\163\164\040\116\145\164\167\157\162\153\060\036\027"
+"\015\071\070\060\065\061\070\060\060\060\060\060\060\132\027\015"
+"\062\070\060\070\060\061\062\063\065\071\065\071\132\060\201\301"
+"\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060"
+"\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156"
+"\054\040\111\156\143\056\061\074\060\072\006\003\125\004\013\023"
+"\063\103\154\141\163\163\040\061\040\120\165\142\154\151\143\040"
+"\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143"
+"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040"
+"\055\040\107\062\061\072\060\070\006\003\125\004\013\023\061\050"
+"\143\051\040\061\071\071\070\040\126\145\162\151\123\151\147\156"
+"\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164"
+"\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171"
+"\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123"
+"\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162"
+"\153\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001"
+"\001\005\000\003\201\215\000\060\201\211\002\201\201\000\252\320"
+"\272\276\026\055\270\203\324\312\322\017\274\166\061\312\224\330"
+"\035\223\214\126\002\274\331\157\032\157\122\066\156\165\126\012"
+"\125\323\337\103\207\041\021\145\212\176\217\275\041\336\153\062"
+"\077\033\204\064\225\005\235\101\065\353\222\353\226\335\252\131"
+"\077\001\123\155\231\117\355\345\342\052\132\220\301\271\304\246"
+"\025\317\310\105\353\246\135\216\234\076\360\144\044\166\245\315"
+"\253\032\157\266\330\173\121\141\156\246\177\207\310\342\267\345"
+"\064\334\101\210\352\011\100\276\163\222\075\153\347\165\002\003"
+"\001\000\001\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\003\201\201\000\251\117\303\015\307\147\276\054\313\331"
+"\250\315\055\165\347\176\025\236\073\162\353\176\353\134\055\011"
+"\207\326\153\155\140\174\345\256\305\220\043\014\134\112\320\257"
+"\261\135\363\307\266\012\333\340\025\223\015\335\003\274\307\166"
+"\212\265\335\117\303\233\023\165\270\001\300\346\311\133\153\245"
+"\270\211\334\254\244\335\162\355\116\241\367\117\274\006\323\352"
+"\310\144\164\173\302\225\101\234\145\163\130\361\220\232\074\152"
+"\261\230\311\304\207\274\317\105\155\105\342\156\042\077\376\274"
+"\017\061\134\350\362\331"
+, (PRUint32)774 }
+};
+static const NSSItem nss_builtins_items_65 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 1 Public Primary Certification Authority - G2", (PRUint32)61 },
+  { (void *)"\047\076\341\044\127\375\304\371\014\125\350\053\126\026\177\142"
+"\365\062\345\107"
+, (PRUint32)20 },
+  { (void *)"\333\043\075\371\151\372\113\271\225\200\104\163\136\175\101\203"
+, (PRUint32)16 },
+  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
+"\004\013\023\063\103\154\141\163\163\040\061\040\120\165\142\154"
+"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
+"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
+"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
+"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
+"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
+"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
+"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
+"\167\157\162\153"
+, (PRUint32)196 },
+  { (void *)"\114\307\352\252\230\076\161\323\223\020\370\075\072\211\221\222"
+, (PRUint32)16 },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_66 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 2 Public Primary Certification Authority - G2", (PRUint32)61 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
+"\004\013\023\063\103\154\141\163\163\040\062\040\120\165\142\154"
+"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
+"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
+"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
+"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
+"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
+"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
+"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
+"\167\157\162\153"
+, (PRUint32)196 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
+"\004\013\023\063\103\154\141\163\163\040\062\040\120\165\142\154"
+"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
+"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
+"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
+"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
+"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
+"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
+"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
+"\167\157\162\153"
+, (PRUint32)196 },
+  { (void *)"\000\271\057\140\314\210\237\241\172\106\011\270\133\160\154\212"
+"\257"
+, (PRUint32)17 },
+  { (void *)"\060\202\003\003\060\202\002\154\002\021\000\271\057\140\314\210"
+"\237\241\172\106\011\270\133\160\154\212\257\060\015\006\011\052"
+"\206\110\206\367\015\001\001\005\005\000\060\201\301\061\013\060"
+"\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003"
+"\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111"
+"\156\143\056\061\074\060\072\006\003\125\004\013\023\063\103\154"
+"\141\163\163\040\062\040\120\165\142\154\151\143\040\120\162\151"
+"\155\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151"
+"\157\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107"
+"\062\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040"
+"\061\071\071\070\040\126\145\162\151\123\151\147\156\054\040\111"
+"\156\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162"
+"\151\172\145\144\040\165\163\145\040\157\156\154\171\061\037\060"
+"\035\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156"
+"\040\124\162\165\163\164\040\116\145\164\167\157\162\153\060\036"
+"\027\015\071\070\060\065\061\070\060\060\060\060\060\060\132\027"
+"\015\062\070\060\070\060\061\062\063\065\071\065\071\132\060\201"
+"\301\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027"
+"\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147"
+"\156\054\040\111\156\143\056\061\074\060\072\006\003\125\004\013"
+"\023\063\103\154\141\163\163\040\062\040\120\165\142\154\151\143"
+"\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151"
+"\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171"
+"\040\055\040\107\062\061\072\060\070\006\003\125\004\013\023\061"
+"\050\143\051\040\061\071\071\070\040\126\145\162\151\123\151\147"
+"\156\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165"
+"\164\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154"
+"\171\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151"
+"\123\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157"
+"\162\153\060\201\237\060\015\006\011\052\206\110\206\367\015\001"
+"\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000\247"
+"\210\001\041\164\054\347\032\003\360\230\341\227\074\017\041\010"
+"\361\234\333\227\351\232\374\302\004\006\023\276\137\122\310\314"
+"\036\054\022\126\054\270\001\151\054\314\231\037\255\260\226\256"
+"\171\004\362\023\071\301\173\230\272\010\054\350\302\204\023\054"
+"\252\151\351\011\364\307\251\002\244\102\302\043\117\112\330\360"
+"\016\242\373\061\154\311\346\157\231\047\007\365\346\364\114\170"
+"\236\155\353\106\206\372\271\206\311\124\362\262\304\257\324\106"
+"\034\132\311\025\060\377\015\154\365\055\016\155\316\177\167\002"
+"\003\001\000\001\060\015\006\011\052\206\110\206\367\015\001\001"
+"\005\005\000\003\201\201\000\162\056\371\177\321\361\161\373\304"
+"\236\366\305\136\121\212\100\230\270\150\370\233\034\203\330\342"
+"\235\275\377\355\241\346\146\352\057\011\364\312\327\352\245\053"
+"\225\366\044\140\206\115\104\056\203\245\304\055\240\323\256\170"
+"\151\157\162\332\154\256\010\360\143\222\067\346\273\304\060\027"
+"\255\167\314\111\065\252\317\330\217\321\276\267\030\226\107\163"
+"\152\124\042\064\144\055\266\026\233\131\133\264\121\131\072\263"
+"\013\024\364\022\337\147\240\364\255\062\144\136\261\106\162\047"
+"\214\022\173\305\104\264\256"
+, (PRUint32)775 }
+};
+static const NSSItem nss_builtins_items_67 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 2 Public Primary Certification Authority - G2", (PRUint32)61 },
+  { (void *)"\263\352\304\107\166\311\310\034\352\362\235\225\266\314\240\010"
+"\033\147\354\235"
+, (PRUint32)20 },
+  { (void *)"\055\273\345\045\323\321\145\202\072\267\016\372\346\353\342\341"
+, (PRUint32)16 },
+  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
+"\004\013\023\063\103\154\141\163\163\040\062\040\120\165\142\154"
+"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
+"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
+"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
+"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
+"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
+"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
+"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
+"\167\157\162\153"
+, (PRUint32)196 },
+  { (void *)"\000\271\057\140\314\210\237\241\172\106\011\270\133\160\154\212"
+"\257"
+, (PRUint32)17 },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_68 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 3 Public Primary Certification Authority - G2", (PRUint32)61 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
+"\004\013\023\063\103\154\141\163\163\040\063\040\120\165\142\154"
+"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
+"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
+"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
+"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
+"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
+"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
+"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
+"\167\157\162\153"
+, (PRUint32)196 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
+"\004\013\023\063\103\154\141\163\163\040\063\040\120\165\142\154"
+"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
+"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
+"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
+"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
+"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
+"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
+"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
+"\167\157\162\153"
+, (PRUint32)196 },
+  { (void *)"\175\331\376\007\317\250\036\267\020\171\147\373\247\211\064\306"
+, (PRUint32)16 },
+  { (void *)"\060\202\003\002\060\202\002\153\002\020\175\331\376\007\317\250"
+"\036\267\020\171\147\373\247\211\064\306\060\015\006\011\052\206"
+"\110\206\367\015\001\001\005\005\000\060\201\301\061\013\060\011"
+"\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125"
+"\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156"
+"\143\056\061\074\060\072\006\003\125\004\013\023\063\103\154\141"
+"\163\163\040\063\040\120\165\142\154\151\143\040\120\162\151\155"
+"\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107\062"
+"\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040\061"
+"\071\071\070\040\126\145\162\151\123\151\147\156\054\040\111\156"
+"\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162\151"
+"\172\145\144\040\165\163\145\040\157\156\154\171\061\037\060\035"
+"\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040"
+"\124\162\165\163\164\040\116\145\164\167\157\162\153\060\036\027"
+"\015\071\070\060\065\061\070\060\060\060\060\060\060\132\027\015"
+"\062\070\060\070\060\061\062\063\065\071\065\071\132\060\201\301"
+"\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060"
+"\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156"
+"\054\040\111\156\143\056\061\074\060\072\006\003\125\004\013\023"
+"\063\103\154\141\163\163\040\063\040\120\165\142\154\151\143\040"
+"\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143"
+"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040"
+"\055\040\107\062\061\072\060\070\006\003\125\004\013\023\061\050"
+"\143\051\040\061\071\071\070\040\126\145\162\151\123\151\147\156"
+"\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164"
+"\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171"
+"\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123"
+"\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162"
+"\153\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001"
+"\001\005\000\003\201\215\000\060\201\211\002\201\201\000\314\136"
+"\321\021\135\134\151\320\253\323\271\152\114\231\037\131\230\060"
+"\216\026\205\040\106\155\107\077\324\205\040\204\341\155\263\370"
+"\244\355\014\361\027\017\073\371\247\371\045\327\301\317\204\143"
+"\362\174\143\317\242\107\362\306\133\063\216\144\100\004\150\301"
+"\200\271\144\034\105\167\307\330\156\365\225\051\074\120\350\064"
+"\327\170\037\250\272\155\103\221\225\217\105\127\136\176\305\373"
+"\312\244\004\353\352\227\067\124\060\157\273\001\107\062\063\315"
+"\334\127\233\144\151\141\370\233\035\034\211\117\134\147\002\003"
+"\001\000\001\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\003\201\201\000\121\115\315\276\134\313\230\031\234\025"
+"\262\001\071\170\056\115\017\147\160\160\231\306\020\132\224\244"
+"\123\115\124\155\053\257\015\135\100\213\144\323\327\356\336\126"
+"\141\222\137\246\304\035\020\141\066\323\054\047\074\350\051\011"
+"\271\021\144\164\314\265\163\237\034\110\251\274\141\001\356\342"
+"\027\246\014\343\100\010\073\016\347\353\104\163\052\232\361\151"
+"\222\357\161\024\303\071\254\161\247\221\011\157\344\161\006\263"
+"\272\131\127\046\171\000\366\370\015\242\063\060\050\324\252\130"
+"\240\235\235\151\221\375"
+, (PRUint32)774 }
+};
+static const NSSItem nss_builtins_items_69 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 3 Public Primary Certification Authority - G2", (PRUint32)61 },
+  { (void *)"\205\067\034\246\345\120\024\075\316\050\003\107\033\336\072\011"
+"\350\370\167\017"
+, (PRUint32)20 },
+  { (void *)"\242\063\233\114\164\170\163\324\154\347\301\363\215\313\134\351"
+, (PRUint32)16 },
+  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
+"\004\013\023\063\103\154\141\163\163\040\063\040\120\165\142\154"
+"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
+"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
+"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
+"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
+"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
+"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
+"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
+"\167\157\162\153"
+, (PRUint32)196 },
+  { (void *)"\175\331\376\007\317\250\036\267\020\171\147\373\247\211\064\306"
+, (PRUint32)16 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_70 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 4 Public Primary Certification Authority - G2", (PRUint32)61 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
+"\004\013\023\063\103\154\141\163\163\040\064\040\120\165\142\154"
+"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
+"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
+"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
+"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
+"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
+"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
+"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
+"\167\157\162\153"
+, (PRUint32)196 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
+"\004\013\023\063\103\154\141\163\163\040\064\040\120\165\142\154"
+"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
+"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
+"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
+"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
+"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
+"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
+"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
+"\167\157\162\153"
+, (PRUint32)196 },
+  { (void *)"\062\210\216\232\322\365\353\023\107\370\177\304\040\067\045\370"
+, (PRUint32)16 },
+  { (void *)"\060\202\003\002\060\202\002\153\002\020\062\210\216\232\322\365"
+"\353\023\107\370\177\304\040\067\045\370\060\015\006\011\052\206"
+"\110\206\367\015\001\001\005\005\000\060\201\301\061\013\060\011"
+"\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125"
+"\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156"
+"\143\056\061\074\060\072\006\003\125\004\013\023\063\103\154\141"
+"\163\163\040\064\040\120\165\142\154\151\143\040\120\162\151\155"
+"\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107\062"
+"\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040\061"
+"\071\071\070\040\126\145\162\151\123\151\147\156\054\040\111\156"
+"\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162\151"
+"\172\145\144\040\165\163\145\040\157\156\154\171\061\037\060\035"
+"\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040"
+"\124\162\165\163\164\040\116\145\164\167\157\162\153\060\036\027"
+"\015\071\070\060\065\061\070\060\060\060\060\060\060\132\027\015"
+"\062\070\060\070\060\061\062\063\065\071\065\071\132\060\201\301"
+"\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060"
+"\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156"
+"\054\040\111\156\143\056\061\074\060\072\006\003\125\004\013\023"
+"\063\103\154\141\163\163\040\064\040\120\165\142\154\151\143\040"
+"\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143"
+"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040"
+"\055\040\107\062\061\072\060\070\006\003\125\004\013\023\061\050"
+"\143\051\040\061\071\071\070\040\126\145\162\151\123\151\147\156"
+"\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164"
+"\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171"
+"\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123"
+"\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162"
+"\153\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001"
+"\001\005\000\003\201\215\000\060\201\211\002\201\201\000\272\360"
+"\344\317\371\304\256\205\124\271\007\127\371\217\305\177\150\021"
+"\370\304\027\260\104\334\343\060\163\325\052\142\052\270\320\314"
+"\034\355\050\133\176\275\152\334\263\221\044\312\101\142\074\374"
+"\002\001\277\034\026\061\224\005\227\166\156\242\255\275\141\027"
+"\154\116\060\206\360\121\067\052\120\307\250\142\201\334\133\112"
+"\252\301\240\264\156\353\057\345\127\305\261\053\100\160\333\132"
+"\115\241\216\037\275\003\037\330\003\324\217\114\231\161\274\342"
+"\202\314\130\350\230\072\206\323\206\070\363\000\051\037\002\003"
+"\001\000\001\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\003\201\201\000\205\214\022\301\247\271\120\025\172\313"
+"\076\254\270\103\212\334\252\335\024\272\211\201\176\001\074\043"
+"\161\041\210\057\202\334\143\372\002\105\254\105\131\327\052\130"
+"\104\133\267\237\201\073\222\150\075\342\067\044\365\173\154\217"
+"\166\065\226\011\250\131\235\271\316\043\253\164\326\203\375\062"
+"\163\047\330\151\076\103\164\366\256\305\211\232\347\123\174\351"
+"\173\366\113\363\301\145\203\336\215\212\234\074\210\215\071\131"
+"\374\252\077\042\215\241\301\146\120\201\162\114\355\042\144\117"
+"\117\312\200\221\266\051"
+, (PRUint32)774 }
+};
+static const NSSItem nss_builtins_items_71 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 4 Public Primary Certification Authority - G2", (PRUint32)61 },
+  { (void *)"\013\167\276\273\313\172\242\107\005\336\314\017\275\152\002\374"
+"\172\275\233\122"
+, (PRUint32)20 },
+  { (void *)"\046\155\054\031\230\266\160\150\070\120\124\031\354\220\064\140"
+, (PRUint32)16 },
+  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
+"\004\013\023\063\103\154\141\163\163\040\064\040\120\165\142\154"
+"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
+"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
+"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
+"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
+"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
+"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
+"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
+"\167\157\162\153"
+, (PRUint32)196 },
+  { (void *)"\062\210\216\232\322\365\353\023\107\370\177\304\040\067\045\370"
+, (PRUint32)16 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_72 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"GlobalSign Root CA", (PRUint32)19 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061"
+"\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154"
+"\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003"
+"\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031"
+"\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147"
+"\156\040\122\157\157\164\040\103\101"
+, (PRUint32)89 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061"
+"\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154"
+"\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003"
+"\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031"
+"\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147"
+"\156\040\122\157\157\164\040\103\101"
+, (PRUint32)89 },
+  { (void *)"\002\000\000\000\000\000\326\170\267\224\005"
+, (PRUint32)11 },
+  { (void *)"\060\202\003\165\060\202\002\135\240\003\002\001\002\002\013\002"
+"\000\000\000\000\000\326\170\267\224\005\060\015\006\011\052\206"
+"\110\206\367\015\001\001\004\005\000\060\127\061\013\060\011\006"
+"\003\125\004\006\023\002\102\105\061\031\060\027\006\003\125\004"
+"\012\023\020\107\154\157\142\141\154\123\151\147\156\040\156\166"
+"\055\163\141\061\020\060\016\006\003\125\004\013\023\007\122\157"
+"\157\164\040\103\101\061\033\060\031\006\003\125\004\003\023\022"
+"\107\154\157\142\141\154\123\151\147\156\040\122\157\157\164\040"
+"\103\101\060\036\027\015\071\070\060\071\060\061\061\062\060\060"
+"\060\060\132\027\015\061\064\060\061\062\070\061\062\060\060\060"
+"\060\132\060\127\061\013\060\011\006\003\125\004\006\023\002\102"
+"\105\061\031\060\027\006\003\125\004\012\023\020\107\154\157\142"
+"\141\154\123\151\147\156\040\156\166\055\163\141\061\020\060\016"
+"\006\003\125\004\013\023\007\122\157\157\164\040\103\101\061\033"
+"\060\031\006\003\125\004\003\023\022\107\154\157\142\141\154\123"
+"\151\147\156\040\122\157\157\164\040\103\101\060\202\001\042\060"
+"\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202"
+"\001\017\000\060\202\001\012\002\202\001\001\000\332\016\346\231"
+"\215\316\243\343\117\212\176\373\361\213\203\045\153\352\110\037"
+"\361\052\260\271\225\021\004\275\360\143\321\342\147\146\317\034"
+"\335\317\033\110\053\356\215\211\216\232\257\051\200\145\253\351"
+"\307\055\022\313\253\034\114\160\007\241\075\012\060\315\025\215"
+"\117\370\335\324\214\120\025\034\357\120\356\304\056\367\374\351"
+"\122\362\221\175\340\155\325\065\060\216\136\103\163\362\101\351"
+"\325\152\343\262\211\072\126\071\070\157\006\074\210\151\133\052"
+"\115\305\247\124\270\154\211\314\233\371\074\312\345\375\211\365"
+"\022\074\222\170\226\326\334\164\156\223\104\141\321\215\307\106"
+"\262\165\016\206\350\031\212\325\155\154\325\170\026\225\242\351"
+"\310\012\070\353\362\044\023\117\163\124\223\023\205\072\033\274"
+"\036\064\265\213\005\214\271\167\213\261\333\037\040\221\253\011"
+"\123\156\220\316\173\067\164\271\160\107\221\042\121\143\026\171"
+"\256\261\256\101\046\010\310\031\053\321\106\252\110\326\144\052"
+"\327\203\064\377\054\052\301\154\031\103\112\007\205\347\323\174"
+"\366\041\150\357\352\362\122\237\177\223\220\317\002\003\001\000"
+"\001\243\102\060\100\060\016\006\003\125\035\017\001\001\377\004"
+"\004\003\002\000\006\060\035\006\003\125\035\016\004\026\004\024"
+"\140\173\146\032\105\015\227\312\211\120\057\175\004\315\064\250"
+"\377\374\375\113\060\017\006\003\125\035\023\001\001\377\004\005"
+"\060\003\001\001\377\060\015\006\011\052\206\110\206\367\015\001"
+"\001\004\005\000\003\202\001\001\000\256\252\237\374\267\322\313"
+"\037\137\071\051\050\030\236\064\311\154\117\157\032\360\144\242"
+"\160\112\117\023\206\233\140\050\236\350\201\111\230\175\012\273"
+"\345\260\235\075\066\333\217\005\121\377\011\061\052\037\335\211"
+"\167\236\017\056\154\225\004\355\206\313\264\000\077\204\002\115"
+"\200\152\052\055\170\013\256\157\053\242\203\104\203\037\315\120"
+"\202\114\044\257\275\367\245\264\310\132\017\364\347\107\136\111"
+"\216\067\226\376\232\210\005\072\331\300\333\051\207\346\031\226"
+"\107\247\072\246\214\213\074\167\376\106\143\247\123\332\041\321"
+"\254\176\111\242\113\346\303\147\131\057\263\212\016\273\054\275"
+"\251\252\102\174\065\301\330\177\325\247\061\072\116\143\103\071"
+"\257\010\260\141\064\214\323\230\251\103\064\366\017\207\051\073"
+"\235\302\126\130\230\167\303\367\033\254\366\235\370\076\252\247"
+"\124\105\360\365\371\325\061\145\376\153\130\234\161\263\036\327"
+"\122\352\062\027\374\100\140\035\311\171\044\262\366\154\375\250"
+"\146\016\202\335\230\313\332\302\104\117\056\240\173\362\367\153"
+"\054\166\021\204\106\212\170\243\343"
+, (PRUint32)889 }
+};
+static const NSSItem nss_builtins_items_73 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"GlobalSign Root CA", (PRUint32)19 },
+  { (void *)"\057\027\077\175\351\226\147\257\245\172\370\012\242\321\261\057"
+"\254\203\003\070"
+, (PRUint32)20 },
+  { (void *)"\253\277\352\343\153\051\246\314\246\170\065\231\357\255\053\200"
+, (PRUint32)16 },
+  { (void *)"\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061"
+"\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154"
+"\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003"
+"\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031"
+"\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147"
+"\156\040\122\157\157\164\040\103\101"
+, (PRUint32)89 },
+  { (void *)"\002\000\000\000\000\000\326\170\267\224\005"
+, (PRUint32)11 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_74 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"GlobalSign Partners CA", (PRUint32)23 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\102\105\061"
+"\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154"
+"\123\151\147\156\040\156\166\055\163\141\061\024\060\022\006\003"
+"\125\004\013\023\013\120\141\162\164\156\145\162\163\040\103\101"
+"\061\037\060\035\006\003\125\004\003\023\026\107\154\157\142\141"
+"\154\123\151\147\156\040\120\141\162\164\156\145\162\163\040\103"
+"\101"
+, (PRUint32)97 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061"
+"\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154"
+"\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003"
+"\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031"
+"\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147"
+"\156\040\122\157\157\164\040\103\101"
+, (PRUint32)89 },
+  { (void *)"\002\000\000\000\000\000\326\170\271\321\257"
+, (PRUint32)11 },
+  { (void *)"\060\202\003\236\060\202\002\206\240\003\002\001\002\002\013\002"
+"\000\000\000\000\000\326\170\271\321\257\060\015\006\011\052\206"
+"\110\206\367\015\001\001\004\005\000\060\127\061\013\060\011\006"
+"\003\125\004\006\023\002\102\105\061\031\060\027\006\003\125\004"
+"\012\023\020\107\154\157\142\141\154\123\151\147\156\040\156\166"
+"\055\163\141\061\020\060\016\006\003\125\004\013\023\007\122\157"
+"\157\164\040\103\101\061\033\060\031\006\003\125\004\003\023\022"
+"\107\154\157\142\141\154\123\151\147\156\040\122\157\157\164\040"
+"\103\101\060\036\027\015\071\071\060\061\062\070\061\062\060\060"
+"\060\060\132\027\015\060\071\060\061\062\070\061\062\060\060\060"
+"\060\132\060\137\061\013\060\011\006\003\125\004\006\023\002\102"
+"\105\061\031\060\027\006\003\125\004\012\023\020\107\154\157\142"
+"\141\154\123\151\147\156\040\156\166\055\163\141\061\024\060\022"
+"\006\003\125\004\013\023\013\120\141\162\164\156\145\162\163\040"
+"\103\101\061\037\060\035\006\003\125\004\003\023\026\107\154\157"
+"\142\141\154\123\151\147\156\040\120\141\162\164\156\145\162\163"
+"\040\103\101\060\202\001\042\060\015\006\011\052\206\110\206\367"
+"\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002"
+"\202\001\001\000\322\054\370\062\254\112\022\172\067\310\051\221"
+"\245\256\214\156\036\016\300\064\063\210\345\063\161\026\034\170"
+"\204\150\303\030\064\120\056\026\076\261\224\202\117\261\232\237"
+"\000\370\306\021\065\306\151\173\230\002\255\000\006\210\154\347"
+"\114\063\050\000\210\047\106\037\207\263\161\165\143\274\062\273"
+"\210\336\146\030\016\120\006\223\264\366\274\024\067\060\075\042"
+"\337\075\377\165\176\331\012\032\305\237\263\374\320\254\263\010"
+"\172\211\323\001\350\000\134\347\112\013\075\115\173\046\242\267"
+"\142\006\213\332\106\335\223\027\077\077\133\002\113\013\266\210"
+"\040\021\222\000\255\273\307\056\324\343\105\256\365\211\132\174"
+"\215\244\255\205\144\062\300\047\214\306\362\212\200\222\206\044"
+"\126\131\215\164\150\242\203\102\263\236\075\120\101\206\157\040"
+"\156\366\375\316\323\031\343\062\314\217\355\232\136\155\037\050"
+"\365\122\254\156\030\136\370\075\321\222\345\272\154\001\210\113"
+"\012\362\055\336\145\063\005\102\240\114\252\061\166\276\375\277"
+"\201\170\371\161\034\106\136\055\025\225\055\060\131\216\114\101"
+"\321\142\253\075\002\003\001\000\001\243\143\060\141\060\016\006"
+"\003\125\035\017\001\001\377\004\004\003\002\000\006\060\035\006"
+"\003\125\035\016\004\026\004\024\103\044\215\160\025\010\142\125"
+"\234\117\014\100\027\135\206\136\017\242\114\373\060\037\006\003"
+"\125\035\043\004\030\060\026\200\024\140\173\146\032\105\015\227"
+"\312\211\120\057\175\004\315\064\250\377\374\375\113\060\017\006"
+"\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015"
+"\006\011\052\206\110\206\367\015\001\001\004\005\000\003\202\001"
+"\001\000\146\355\264\210\151\021\231\202\041\203\254\241\155\213"
+"\233\204\255\017\055\310\036\214\312\173\176\255\252\324\216\336"
+"\007\326\236\105\307\245\270\234\007\071\140\045\125\032\300\117"
+"\031\345\317\027\051\111\211\030\065\146\345\353\050\100\116\127"
+"\311\257\263\344\270\040\005\243\073\225\120\221\111\224\051\175"
+"\054\345\210\101\245\105\210\136\235\202\047\367\322\357\133\265"
+"\117\237\276\376\065\145\054\125\144\237\341\121\332\042\141\167"
+"\272\130\116\217\306\171\131\131\156\060\200\242\117\220\156\041"
+"\013\255\320\150\071\220\020\233\355\042\145\157\036\021\070\346"
+"\177\214\322\363\071\155\107\325\041\350\352\165\072\101\321\255"
+"\366\026\235\135\013\041\275\363\037\143\006\045\035\301\037\065"
+"\161\054\353\040\031\325\301\260\354\075\345\157\355\002\007\077"
+"\023\173\146\222\326\104\301\230\367\137\120\213\172\133\302\157"
+"\155\260\321\370\345\164\240\100\067\243\045\017\344\075\312\144"
+"\061\223\220\134\060\173\271\071\061\232\136\114\315\271\101\117"
+"\120\344\075\070\256\310\146\331\307\073\135\121\107\254\233\253"
+"\362\255"
+, (PRUint32)930 }
+};
+static const NSSItem nss_builtins_items_75 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"GlobalSign Partners CA", (PRUint32)23 },
+  { (void *)"\204\304\217\000\351\221\354\336\333\264\030\251\213\357\241\172"
+"\107\355\162\230"
+, (PRUint32)20 },
+  { (void *)"\074\165\315\114\275\251\320\212\171\117\120\026\067\204\364\053"
+, (PRUint32)16 },
+  { (void *)"\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061"
+"\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154"
+"\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003"
+"\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031"
+"\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147"
+"\156\040\122\157\157\164\040\103\101"
+, (PRUint32)89 },
+  { (void *)"\002\000\000\000\000\000\326\170\271\321\257"
+, (PRUint32)11 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_76 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"GlobalSign Primary Class 1 CA", (PRUint32)30 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\155\061\013\060\011\006\003\125\004\006\023\002\102\105\061"
+"\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154"
+"\123\151\147\156\040\156\166\055\163\141\061\033\060\031\006\003"
+"\125\004\013\023\022\120\162\151\155\141\162\171\040\103\154\141"
+"\163\163\040\061\040\103\101\061\046\060\044\006\003\125\004\003"
+"\023\035\107\154\157\142\141\154\123\151\147\156\040\120\162\151"
+"\155\141\162\171\040\103\154\141\163\163\040\061\040\103\101"
+, (PRUint32)111 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061"
+"\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154"
+"\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003"
+"\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031"
+"\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147"
+"\156\040\122\157\157\164\040\103\101"
+, (PRUint32)89 },
+  { (void *)"\002\000\000\000\000\000\326\170\270\067\317"
+, (PRUint32)11 },
+  { (void *)"\060\202\003\254\060\202\002\224\240\003\002\001\002\002\013\002"
+"\000\000\000\000\000\326\170\270\067\317\060\015\006\011\052\206"
+"\110\206\367\015\001\001\004\005\000\060\127\061\013\060\011\006"
+"\003\125\004\006\023\002\102\105\061\031\060\027\006\003\125\004"
+"\012\023\020\107\154\157\142\141\154\123\151\147\156\040\156\166"
+"\055\163\141\061\020\060\016\006\003\125\004\013\023\007\122\157"
+"\157\164\040\103\101\061\033\060\031\006\003\125\004\003\023\022"
+"\107\154\157\142\141\154\123\151\147\156\040\122\157\157\164\040"
+"\103\101\060\036\027\015\071\070\060\071\061\065\061\062\060\060"
+"\060\060\132\027\015\060\071\060\061\062\070\061\062\060\060\060"
+"\060\132\060\155\061\013\060\011\006\003\125\004\006\023\002\102"
+"\105\061\031\060\027\006\003\125\004\012\023\020\107\154\157\142"
+"\141\154\123\151\147\156\040\156\166\055\163\141\061\033\060\031"
+"\006\003\125\004\013\023\022\120\162\151\155\141\162\171\040\103"
+"\154\141\163\163\040\061\040\103\101\061\046\060\044\006\003\125"
+"\004\003\023\035\107\154\157\142\141\154\123\151\147\156\040\120"
+"\162\151\155\141\162\171\040\103\154\141\163\163\040\061\040\103"
+"\101\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001"
+"\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001"
+"\001\000\275\040\065\107\321\050\326\010\243\022\071\043\107\015"
+"\275\160\041\122\016\127\061\225\246\064\127\153\354\176\103\171"
+"\303\006\122\110\315\274\265\241\231\275\330\037\062\274\317\327"
+"\156\162\155\056\167\042\220\202\116\113\217\232\014\001\102\232"
+"\331\160\131\266\235\037\346\143\321\014\255\035\116\370\205\201"
+"\371\256\357\237\246\122\141\104\171\032\165\105\340\141\126\105"
+"\155\102\214\075\162\313\246\244\022\267\232\365\326\140\320\140"
+"\120\263\216\246\246\354\264\364\022\315\177\250\316\357\263\341"
+"\205\060\376\162\304\346\347\167\263\236\130\101\326\121\203\210"
+"\007\306\266\151\117\066\336\321\013\110\077\275\326\237\041\164"
+"\144\157\047\006\076\113\375\016\246\233\277\244\110\127\214\220"
+"\356\211\030\013\002\201\030\276\147\376\123\140\210\047\272\243"
+"\163\064\113\132\126\264\336\163\005\355\230\226\135\354\112\347"
+"\100\374\113\011\142\353\320\343\061\117\205\321\172\253\131\147"
+"\053\373\210\017\353\252\203\275\065\375\141\047\354\146\016\102"
+"\127\367\151\302\014\357\374\152\302\156\111\332\217\101\070\256"
+"\110\251\002\003\001\000\001\243\143\060\141\060\016\006\003\125"
+"\035\017\001\001\377\004\004\003\002\000\006\060\035\006\003\125"
+"\035\016\004\026\004\024\374\340\146\366\132\065\231\353\100\036"
+"\322\270\036\103\274\230\216\037\212\303\060\037\006\003\125\035"
+"\043\004\030\060\026\200\024\140\173\146\032\105\015\227\312\211"
+"\120\057\175\004\315\064\250\377\374\375\113\060\017\006\003\125"
+"\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006\011"
+"\052\206\110\206\367\015\001\001\004\005\000\003\202\001\001\000"
+"\233\243\010\104\316\362\220\235\161\363\062\263\005\152\265\352"
+"\317\051\230\336\125\076\240\026\175\006\172\104\326\257\322\372"
+"\023\130\214\370\034\307\253\035\264\033\357\151\150\230\134\010"
+"\071\217\340\367\373\110\314\041\347\270\063\333\005\252\064\044"
+"\154\112\345\351\173\140\336\203\263\037\012\276\101\165\374\314"
+"\060\110\267\301\046\035\004\063\252\266\170\355\052\313\272\126"
+"\227\062\156\367\061\225\056\106\362\024\356\047\307\367\142\211"
+"\271\134\132\323\070\212\144\365\067\264\361\263\064\162\325\325"
+"\041\075\113\327\170\223\327\061\146\065\036\243\330\107\111\157"
+"\034\255\341\200\177\370\230\044\154\163\254\016\302\032\167\002"
+"\243\046\007\267\307\153\135\274\202\325\052\110\035\143\317\120"
+"\062\246\373\034\030\107\025\012\133\014\134\070\044\232\004\230"
+"\250\010\110\137\174\064\207\143\253\055\215\114\000\167\224\033"
+"\166\272\365\026\030\243\025\257\057\224\366\051\000\166\301\025"
+"\027\323\351\067\115\166\324\313\113\051\131\044\254\332\112\240"
+"\352\143\336\137\124\261\372\363\321\105\313\305\144\264\163\041"
+, (PRUint32)944 }
+};
+static const NSSItem nss_builtins_items_77 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"GlobalSign Primary Class 1 CA", (PRUint32)30 },
+  { (void *)"\353\061\124\315\041\226\363\125\022\053\211\147\267\163\002\102"
+"\355\321\336\113"
+, (PRUint32)20 },
+  { (void *)"\134\254\131\001\244\206\123\313\020\146\265\326\326\161\377\001"
+, (PRUint32)16 },
+  { (void *)"\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061"
+"\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154"
+"\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003"
+"\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031"
+"\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147"
+"\156\040\122\157\157\164\040\103\101"
+, (PRUint32)89 },
+  { (void *)"\002\000\000\000\000\000\326\170\270\067\317"
+, (PRUint32)11 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_78 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"GlobalSign Primary Class 2 CA", (PRUint32)30 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\155\061\013\060\011\006\003\125\004\006\023\002\102\105\061"
+"\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154"
+"\123\151\147\156\040\156\166\055\163\141\061\033\060\031\006\003"
+"\125\004\013\023\022\120\162\151\155\141\162\171\040\103\154\141"
+"\163\163\040\062\040\103\101\061\046\060\044\006\003\125\004\003"
+"\023\035\107\154\157\142\141\154\123\151\147\156\040\120\162\151"
+"\155\141\162\171\040\103\154\141\163\163\040\062\040\103\101"
+, (PRUint32)111 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061"
+"\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154"
+"\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003"
+"\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031"
+"\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147"
+"\156\040\122\157\157\164\040\103\101"
+, (PRUint32)89 },
+  { (void *)"\002\000\000\000\000\000\326\170\270\215\215"
+, (PRUint32)11 },
+  { (void *)"\060\202\003\254\060\202\002\224\240\003\002\001\002\002\013\002"
+"\000\000\000\000\000\326\170\270\215\215\060\015\006\011\052\206"
+"\110\206\367\015\001\001\004\005\000\060\127\061\013\060\011\006"
+"\003\125\004\006\023\002\102\105\061\031\060\027\006\003\125\004"
+"\012\023\020\107\154\157\142\141\154\123\151\147\156\040\156\166"
+"\055\163\141\061\020\060\016\006\003\125\004\013\023\007\122\157"
+"\157\164\040\103\101\061\033\060\031\006\003\125\004\003\023\022"
+"\107\154\157\142\141\154\123\151\147\156\040\122\157\157\164\040"
+"\103\101\060\036\027\015\071\071\060\061\062\070\061\062\060\060"
+"\060\060\132\027\015\060\071\060\061\062\070\061\062\060\060\060"
+"\060\132\060\155\061\013\060\011\006\003\125\004\006\023\002\102"
+"\105\061\031\060\027\006\003\125\004\012\023\020\107\154\157\142"
+"\141\154\123\151\147\156\040\156\166\055\163\141\061\033\060\031"
+"\006\003\125\004\013\023\022\120\162\151\155\141\162\171\040\103"
+"\154\141\163\163\040\062\040\103\101\061\046\060\044\006\003\125"
+"\004\003\023\035\107\154\157\142\141\154\123\151\147\156\040\120"
+"\162\151\155\141\162\171\040\103\154\141\163\163\040\062\040\103"
+"\101\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001"
+"\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001"
+"\001\000\222\214\376\357\364\105\216\027\101\156\374\330\277\041"
+"\157\253\006\235\122\301\054\000\235\077\216\205\270\177\112\217"
+"\275\240\143\052\312\111\047\256\132\202\364\164\342\125\222\377"
+"\302\321\252\171\242\266\372\325\235\202\004\117\306\262\306\136"
+"\143\247\072\272\330\356\353\212\157\237\266\273\050\101\300\042"
+"\373\116\110\032\006\222\327\277\327\317\271\331\275\070\117\073"
+"\015\104\156\125\101\376\374\011\333\330\277\363\216\041\361\350"
+"\022\265\366\023\245\323\306\114\223\042\260\002\377\356\035\014"
+"\304\250\153\117\165\150\126\350\334\050\022\120\367\250\044\235"
+"\056\044\071\373\011\005\336\345\243\144\111\041\320\150\176\161"
+"\060\221\261\140\340\071\364\120\370\172\115\230\000\153\174\171"
+"\272\116\316\112\342\272\066\035\267\305\066\025\225\234\144\102"
+"\352\137\304\272\365\100\005\276\341\072\131\275\204\247\031\270"
+"\336\115\123\120\316\007\321\322\121\323\357\015\201\154\346\347"
+"\155\313\135\174\077\174\314\354\117\203\047\045\377\160\120\366"
+"\203\131\165\204\006\146\130\054\336\211\215\000\246\111\371\245"
+"\103\167\002\003\001\000\001\243\143\060\141\060\016\006\003\125"
+"\035\017\001\001\377\004\004\003\002\000\006\060\035\006\003\125"
+"\035\016\004\026\004\024\174\347\262\261\054\336\261\247\153\351"
+"\166\014\341\243\375\116\154\307\271\366\060\037\006\003\125\035"
+"\043\004\030\060\026\200\024\140\173\146\032\105\015\227\312\211"
+"\120\057\175\004\315\064\250\377\374\375\113\060\017\006\003\125"
+"\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006\011"
+"\052\206\110\206\367\015\001\001\004\005\000\003\202\001\001\000"
+"\143\335\131\316\212\171\252\230\235\116\305\211\144\067\176\212"
+"\223\147\057\020\352\157\047\303\215\167\155\362\134\126\224\031"
+"\032\151\140\060\106\135\217\362\155\105\074\216\065\227\174\057"
+"\270\121\342\350\211\275\210\317\047\034\010\064\134\210\301\150"
+"\044\333\221\205\344\317\373\373\103\215\350\045\001\033\304\016"
+"\367\000\102\110\206\037\044\010\130\132\214\215\362\153\107\054"
+"\150\221\261\151\102\375\015\215\311\046\346\222\206\246\144\156"
+"\222\305\316\076\074\175\161\343\043\244\253\307\325\250\251\337"
+"\202\247\073\350\206\325\303\117\030\343\104\320\340\334\363\305"
+"\150\056\376\245\057\005\204\310\176\107\102\123\153\207\112\376"
+"\062\377\136\076\160\214\267\250\025\314\027\302\377\106\354\320"
+"\354\055\264\156\022\050\251\371\100\351\353\324\146\227\123\251"
+"\151\125\300\251\252\262\056\315\321\151\364\276\370\273\174\151"
+"\356\124\246\333\236\373\132\246\076\376\232\357\224\121\113\165"
+"\356\330\324\341\232\361\002\126\023\211\016\247\102\213\226\213"
+"\205\014\033\205\276\046\256\253\246\231\274\042\361\163\337\102"
+, (PRUint32)944 }
+};
+static const NSSItem nss_builtins_items_79 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"GlobalSign Primary Class 2 CA", (PRUint32)30 },
+  { (void *)"\203\376\336\325\161\343\226\317\307\144\367\073\337\026\166\207"
+"\162\305\037\314"
+, (PRUint32)20 },
+  { (void *)"\251\251\102\131\176\276\132\224\344\054\306\213\034\052\104\266"
+, (PRUint32)16 },
+  { (void *)"\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061"
+"\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154"
+"\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003"
+"\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031"
+"\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147"
+"\156\040\122\157\157\164\040\103\101"
+, (PRUint32)89 },
+  { (void *)"\002\000\000\000\000\000\326\170\270\215\215"
+, (PRUint32)11 },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_80 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"GlobalSign Primary Class 3 CA", (PRUint32)30 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\155\061\013\060\011\006\003\125\004\006\023\002\102\105\061"
+"\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154"
+"\123\151\147\156\040\156\166\055\163\141\061\033\060\031\006\003"
+"\125\004\013\023\022\120\162\151\155\141\162\171\040\103\154\141"
+"\163\163\040\063\040\103\101\061\046\060\044\006\003\125\004\003"
+"\023\035\107\154\157\142\141\154\123\151\147\156\040\120\162\151"
+"\155\141\162\171\040\103\154\141\163\163\040\063\040\103\101"
+, (PRUint32)111 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061"
+"\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154"
+"\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003"
+"\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031"
+"\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147"
+"\156\040\122\157\157\164\040\103\101"
+, (PRUint32)89 },
+  { (void *)"\002\000\000\000\000\000\326\170\270\326\303"
+, (PRUint32)11 },
+  { (void *)"\060\202\003\254\060\202\002\224\240\003\002\001\002\002\013\002"
+"\000\000\000\000\000\326\170\270\326\303\060\015\006\011\052\206"
+"\110\206\367\015\001\001\004\005\000\060\127\061\013\060\011\006"
+"\003\125\004\006\023\002\102\105\061\031\060\027\006\003\125\004"
+"\012\023\020\107\154\157\142\141\154\123\151\147\156\040\156\166"
+"\055\163\141\061\020\060\016\006\003\125\004\013\023\007\122\157"
+"\157\164\040\103\101\061\033\060\031\006\003\125\004\003\023\022"
+"\107\154\157\142\141\154\123\151\147\156\040\122\157\157\164\040"
+"\103\101\060\036\027\015\071\071\060\061\062\070\061\062\060\060"
+"\060\060\132\027\015\060\071\060\061\062\070\061\062\060\060\060"
+"\060\132\060\155\061\013\060\011\006\003\125\004\006\023\002\102"
+"\105\061\031\060\027\006\003\125\004\012\023\020\107\154\157\142"
+"\141\154\123\151\147\156\040\156\166\055\163\141\061\033\060\031"
+"\006\003\125\004\013\023\022\120\162\151\155\141\162\171\040\103"
+"\154\141\163\163\040\063\040\103\101\061\046\060\044\006\003\125"
+"\004\003\023\035\107\154\157\142\141\154\123\151\147\156\040\120"
+"\162\151\155\141\162\171\040\103\154\141\163\163\040\063\040\103"
+"\101\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001"
+"\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001"
+"\001\000\221\136\126\145\326\300\300\004\234\277\107\304\134\173"
+"\172\061\001\371\130\226\231\343\034\204\057\334\126\217\255\365"
+"\131\201\325\103\146\135\132\223\214\165\312\251\347\021\301\121"
+"\020\024\140\311\054\324\173\257\306\167\206\253\172\047\256\157"
+"\225\271\013\312\266\106\373\176\032\364\015\024\155\322\311\116"
+"\262\256\360\124\366\134\100\114\066\110\164\350\124\214\145\146"
+"\020\247\275\053\267\040\215\005\111\255\170\175\322\044\043\120"
+"\343\360\264\171\233\001\071\377\257\073\323\055\356\341\111\215"
+"\215\057\074\152\101\105\057\233\343\075\341\022\344\221\165\236"
+"\317\240\076\074\222\201\157\212\056\030\334\340\362\214\214\375"
+"\207\331\007\364\100\224\311\116\117\103\337\147\126\157\275\003"
+"\120\174\231\147\244\271\074\221\154\002\156\204\326\374\106\367"
+"\314\157\030\076\027\360\357\013\144\026\127\346\254\206\361\110"
+"\252\103\301\311\047\170\163\104\105\342\205\175\272\377\263\341"
+"\373\033\005\244\113\073\231\022\045\001\120\024\152\257\135\352"
+"\310\014\356\344\332\354\113\213\134\150\023\225\334\303\265\060"
+"\072\327\002\003\001\000\001\243\143\060\141\060\016\006\003\125"
+"\035\017\001\001\377\004\004\003\002\000\006\060\035\006\003\125"
+"\035\016\004\026\004\024\314\066\314\027\264\105\221\057\355\317"
+"\073\060\110\167\373\265\024\231\276\343\060\037\006\003\125\035"
+"\043\004\030\060\026\200\024\140\173\146\032\105\015\227\312\211"
+"\120\057\175\004\315\064\250\377\374\375\113\060\017\006\003\125"
+"\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006\011"
+"\052\206\110\206\367\015\001\001\004\005\000\003\202\001\001\000"
+"\127\262\124\314\275\225\027\144\140\211\266\123\221\014\105\222"
+"\303\075\250\154\303\314\262\030\365\170\101\164\330\175\243\047"
+"\257\167\015\131\076\224\035\151\372\211\323\014\275\032\001\364"
+"\077\350\340\167\032\202\050\132\346\142\327\267\343\066\311\016"
+"\237\172\343\302\323\314\131\211\014\357\026\213\360\066\167\042"
+"\312\244\266\267\301\102\147\001\100\143\314\347\070\144\207\133"
+"\024\226\146\173\055\024\356\275\111\155\377\167\320\342\116\133"
+"\323\200\302\115\017\312\270\235\201\227\247\064\156\307\343\234"
+"\110\345\264\252\105\365\366\145\114\110\362\022\302\322\223\214"
+"\302\025\044\363\053\122\377\343\010\256\270\156\326\054\022\317"
+"\071\313\022\052\347\251\173\137\230\075\243\341\314\246\143\211"
+"\134\175\061\165\371\325\326\135\362\320\324\075\337\236\161\250"
+"\016\334\344\040\227\170\346\177\123\244\015\121\117\216\073\003"
+"\256\243\015\132\115\303\171\347\065\130\160\102\311\136\241\136"
+"\264\331\042\243\104\123\065\244\320\317\163\200\305\317\237\126"
+"\230\166\371\024\114\167\207\202\311\334\176\135\064\325\066\165"
+, (PRUint32)944 }
+};
+static const NSSItem nss_builtins_items_81 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"GlobalSign Primary Class 3 CA", (PRUint32)30 },
+  { (void *)"\164\003\311\063\110\252\304\367\016\051\364\320\025\022\364\106"
+"\111\017\165\214"
+, (PRUint32)20 },
+  { (void *)"\230\022\243\113\225\251\226\144\224\347\120\214\076\341\203\132"
+, (PRUint32)16 },
+  { (void *)"\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061"
+"\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154"
+"\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003"
+"\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031"
+"\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147"
+"\156\040\122\157\157\164\040\103\101"
+, (PRUint32)89 },
+  { (void *)"\002\000\000\000\000\000\326\170\270\326\303"
+, (PRUint32)11 },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_82 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"ValiCert Class 1 VA", (PRUint32)20 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141"
+"\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157"
+"\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125"
+"\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156"
+"\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154"
+"\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157"
+"\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040"
+"\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
+"\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
+"\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
+"\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
+"\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
+, (PRUint32)190 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141"
+"\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157"
+"\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125"
+"\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156"
+"\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154"
+"\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157"
+"\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040"
+"\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
+"\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
+"\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
+"\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
+"\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
+, (PRUint32)190 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)"\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052"
+"\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060"
+"\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164"
+"\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167"
+"\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141"
+"\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063"
+"\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040"
+"\103\154\141\163\163\040\061\040\120\157\154\151\143\171\040\126"
+"\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162"
+"\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164"
+"\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162"
+"\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206"
+"\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151"
+"\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066"
+"\062\065\062\062\062\063\064\070\132\027\015\061\071\060\066\062"
+"\065\062\062\062\063\064\070\132\060\201\273\061\044\060\042\006"
+"\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126"
+"\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162"
+"\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151"
+"\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003"
+"\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154"
+"\141\163\163\040\061\040\120\157\154\151\143\171\040\126\141\154"
+"\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160"
+"\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056"
+"\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015"
+"\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145"
+"\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110"
+"\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002"
+"\201\201\000\330\131\202\172\211\270\226\272\246\057\150\157\130"
+"\056\247\124\034\006\156\364\352\215\110\274\061\224\027\360\363"
+"\116\274\262\270\065\222\166\260\320\245\245\001\327\000\003\022"
+"\042\031\010\370\377\021\043\233\316\007\365\277\151\032\046\376"
+"\116\351\321\177\235\054\100\035\131\150\156\246\370\130\260\235"
+"\032\217\323\077\361\334\031\006\201\250\016\340\072\335\310\123"
+"\105\011\006\346\017\160\303\372\100\246\016\342\126\005\017\030"
+"\115\374\040\202\321\163\125\164\215\166\162\240\035\235\035\300"
+"\335\077\161\002\003\001\000\001\060\015\006\011\052\206\110\206"
+"\367\015\001\001\005\005\000\003\201\201\000\120\150\075\111\364"
+"\054\034\006\224\337\225\140\177\226\173\027\376\117\161\255\144"
+"\310\335\167\322\357\131\125\350\077\350\216\005\052\041\362\007"
+"\322\265\247\122\376\234\261\266\342\133\167\027\100\352\162\326"
+"\043\313\050\201\062\303\000\171\030\354\131\027\211\311\306\152"
+"\036\161\311\375\267\164\245\045\105\151\305\110\253\031\341\105"
+"\212\045\153\031\356\345\273\022\365\177\367\246\215\121\303\360"
+"\235\164\267\251\076\240\245\377\266\111\003\023\332\042\314\355"
+"\161\202\053\231\317\072\267\365\055\162\310"
+, (PRUint32)747 }
+};
+static const NSSItem nss_builtins_items_83 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"ValiCert Class 1 VA", (PRUint32)20 },
+  { (void *)"\345\337\164\074\266\001\304\233\230\103\334\253\214\350\152\201"
+"\020\237\344\216"
+, (PRUint32)20 },
+  { (void *)"\145\130\253\025\255\127\154\036\250\247\265\151\254\277\377\353"
+, (PRUint32)16 },
+  { (void *)"\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141"
+"\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157"
+"\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125"
+"\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156"
+"\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154"
+"\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157"
+"\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040"
+"\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
+"\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
+"\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
+"\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
+"\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
+, (PRUint32)190 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_84 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"ValiCert Class 2 VA", (PRUint32)20 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141"
+"\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157"
+"\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125"
+"\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156"
+"\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154"
+"\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157"
+"\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040"
+"\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
+"\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
+"\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
+"\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
+"\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
+, (PRUint32)190 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141"
+"\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157"
+"\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125"
+"\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156"
+"\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154"
+"\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157"
+"\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040"
+"\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
+"\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
+"\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
+"\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
+"\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
+, (PRUint32)190 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)"\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052"
+"\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060"
+"\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164"
+"\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167"
+"\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141"
+"\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063"
+"\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040"
+"\103\154\141\163\163\040\062\040\120\157\154\151\143\171\040\126"
+"\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162"
+"\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164"
+"\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162"
+"\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206"
+"\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151"
+"\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066"
+"\062\066\060\060\061\071\065\064\132\027\015\061\071\060\066\062"
+"\066\060\060\061\071\065\064\132\060\201\273\061\044\060\042\006"
+"\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126"
+"\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162"
+"\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151"
+"\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003"
+"\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154"
+"\141\163\163\040\062\040\120\157\154\151\143\171\040\126\141\154"
+"\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160"
+"\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056"
+"\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015"
+"\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145"
+"\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110"
+"\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002"
+"\201\201\000\316\072\161\312\345\253\310\131\222\125\327\253\330"
+"\164\016\371\356\331\366\125\107\131\145\107\016\005\125\334\353"
+"\230\066\074\134\123\135\323\060\317\070\354\275\101\211\355\045"
+"\102\011\044\153\012\136\263\174\335\122\055\114\346\324\326\175"
+"\132\131\251\145\324\111\023\055\044\115\034\120\157\265\301\205"
+"\124\073\376\161\344\323\134\102\371\200\340\221\032\012\133\071"
+"\066\147\363\077\125\174\033\077\264\137\144\163\064\343\264\022"
+"\277\207\144\370\332\022\377\067\047\301\263\103\273\357\173\156"
+"\056\151\367\002\003\001\000\001\060\015\006\011\052\206\110\206"
+"\367\015\001\001\005\005\000\003\201\201\000\073\177\120\157\157"
+"\120\224\231\111\142\070\070\037\113\370\245\310\076\247\202\201"
+"\366\053\307\350\305\316\350\072\020\202\313\030\000\216\115\275"
+"\250\130\177\241\171\000\265\273\351\215\257\101\331\017\064\356"
+"\041\201\031\240\062\111\050\364\304\216\126\325\122\063\375\120"
+"\325\176\231\154\003\344\311\114\374\313\154\253\146\263\112\041"
+"\214\345\265\014\062\076\020\262\314\154\241\334\232\230\114\002"
+"\133\363\316\271\236\245\162\016\112\267\077\074\346\026\150\370"
+"\276\355\164\114\274\133\325\142\037\103\335"
+, (PRUint32)747 }
+};
+static const NSSItem nss_builtins_items_85 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"ValiCert Class 2 VA", (PRUint32)20 },
+  { (void *)"\061\172\052\320\177\053\063\136\365\241\303\116\113\127\350\267"
+"\330\361\374\246"
+, (PRUint32)20 },
+  { (void *)"\251\043\165\233\272\111\066\156\061\302\333\362\347\146\272\207"
+, (PRUint32)16 },
+  { (void *)"\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141"
+"\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157"
+"\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125"
+"\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156"
+"\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154"
+"\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157"
+"\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040"
+"\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
+"\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
+"\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
+"\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
+"\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
+, (PRUint32)190 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_86 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"ValiCert Class 3 VA", (PRUint32)20 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141"
+"\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157"
+"\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125"
+"\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156"
+"\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154"
+"\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157"
+"\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040"
+"\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
+"\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
+"\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
+"\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
+"\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
+, (PRUint32)190 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141"
+"\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157"
+"\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125"
+"\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156"
+"\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154"
+"\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157"
+"\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040"
+"\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
+"\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
+"\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
+"\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
+"\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
+, (PRUint32)190 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)"\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052"
+"\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060"
+"\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164"
+"\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167"
+"\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141"
+"\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063"
+"\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040"
+"\103\154\141\163\163\040\063\040\120\157\154\151\143\171\040\126"
+"\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162"
+"\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164"
+"\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162"
+"\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206"
+"\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151"
+"\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066"
+"\062\066\060\060\062\062\063\063\132\027\015\061\071\060\066\062"
+"\066\060\060\062\062\063\063\132\060\201\273\061\044\060\042\006"
+"\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126"
+"\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162"
+"\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151"
+"\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003"
+"\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154"
+"\141\163\163\040\063\040\120\157\154\151\143\171\040\126\141\154"
+"\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160"
+"\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056"
+"\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015"
+"\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145"
+"\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110"
+"\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002"
+"\201\201\000\343\230\121\226\034\350\325\261\006\201\152\127\303"
+"\162\165\223\253\317\236\246\374\363\026\122\326\055\115\237\065"
+"\104\250\056\004\115\007\111\212\070\051\365\167\067\347\267\253"
+"\135\337\066\161\024\231\217\334\302\222\361\347\140\222\227\354"
+"\330\110\334\277\301\002\040\306\044\244\050\114\060\132\166\155"
+"\261\134\363\335\336\236\020\161\241\210\307\133\233\101\155\312"
+"\260\270\216\025\356\255\063\053\317\107\004\134\165\161\012\230"
+"\044\230\051\247\111\131\245\335\370\267\103\142\141\363\323\342"
+"\320\125\077\002\003\001\000\001\060\015\006\011\052\206\110\206"
+"\367\015\001\001\005\005\000\003\201\201\000\126\273\002\130\204"
+"\147\010\054\337\037\333\173\111\063\365\323\147\235\364\264\012"
+"\020\263\311\305\054\342\222\152\161\170\047\362\160\203\102\323"
+"\076\317\251\124\364\361\330\222\026\214\321\004\313\113\253\311"
+"\237\105\256\074\212\251\260\161\063\135\310\305\127\337\257\250"
+"\065\263\177\211\207\351\350\045\222\270\177\205\172\256\326\274"
+"\036\067\130\052\147\311\221\317\052\201\076\355\306\071\337\300"
+"\076\031\234\031\314\023\115\202\101\265\214\336\340\075\140\010"
+"\040\017\105\176\153\242\177\243\214\025\356"
+, (PRUint32)747 }
+};
+static const NSSItem nss_builtins_items_87 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"ValiCert Class 3 VA", (PRUint32)20 },
+  { (void *)"\151\275\214\364\234\323\000\373\131\056\027\223\312\125\152\363"
+"\354\252\065\373"
+, (PRUint32)20 },
+  { (void *)"\242\157\123\267\356\100\333\112\150\347\372\030\331\020\113\162"
+, (PRUint32)16 },
+  { (void *)"\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141"
+"\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157"
+"\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125"
+"\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156"
+"\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154"
+"\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157"
+"\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040"
+"\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125"
+"\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166"
+"\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036"
+"\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146"
+"\157\100\166\141\154\151\143\145\162\164\056\143\157\155"
+, (PRUint32)190 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_88 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Thawte Universal CA Root", (PRUint32)25 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\127\061\017\060\015\006\003\125\004\012\023\006\124\150\141"
+"\167\164\145\061\041\060\037\006\003\125\004\013\023\030\124\150"
+"\141\167\164\145\040\125\156\151\166\145\162\163\141\154\040\103"
+"\101\040\122\157\157\164\061\041\060\037\006\003\125\004\003\023"
+"\030\124\150\141\167\164\145\040\125\156\151\166\145\162\163\141"
+"\154\040\103\101\040\122\157\157\164"
+, (PRUint32)89 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\127\061\017\060\015\006\003\125\004\012\023\006\124\150\141"
+"\167\164\145\061\041\060\037\006\003\125\004\013\023\030\124\150"
+"\141\167\164\145\040\125\156\151\166\145\162\163\141\154\040\103"
+"\101\040\122\157\157\164\061\041\060\037\006\003\125\004\003\023"
+"\030\124\150\141\167\164\145\040\125\156\151\166\145\162\163\141"
+"\154\040\103\101\040\122\157\157\164"
+, (PRUint32)89 },
+  { (void *)"\000"
+, (PRUint32)1 },
+  { (void *)"\060\202\021\042\060\202\011\012\002\001\000\060\015\006\011\052"
+"\206\110\206\367\015\001\001\005\005\000\060\127\061\017\060\015"
+"\006\003\125\004\012\023\006\124\150\141\167\164\145\061\041\060"
+"\037\006\003\125\004\013\023\030\124\150\141\167\164\145\040\125"
+"\156\151\166\145\162\163\141\154\040\103\101\040\122\157\157\164"
+"\061\041\060\037\006\003\125\004\003\023\030\124\150\141\167\164"
+"\145\040\125\156\151\166\145\162\163\141\154\040\103\101\040\122"
+"\157\157\164\060\036\027\015\071\071\061\062\060\065\061\063\065"
+"\066\060\065\132\027\015\063\067\060\064\060\063\061\063\065\066"
+"\060\065\132\060\127\061\017\060\015\006\003\125\004\012\023\006"
+"\124\150\141\167\164\145\061\041\060\037\006\003\125\004\013\023"
+"\030\124\150\141\167\164\145\040\125\156\151\166\145\162\163\141"
+"\154\040\103\101\040\122\157\157\164\061\041\060\037\006\003\125"
+"\004\003\023\030\124\150\141\167\164\145\040\125\156\151\166\145"
+"\162\163\141\154\040\103\101\040\122\157\157\164\060\202\010\042"
+"\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003"
+"\202\010\017\000\060\202\010\012\002\202\010\001\000\342\211\005"
+"\155\303\177\255\246\211\072\377\273\307\315\235\067\261\341\322"
+"\041\036\233\141\052\025\347\173\127\117\125\074\320\273\371\331"
+"\075\076\246\274\354\264\255\123\232\026\002\353\013\162\375\212"
+"\362\217\104\005\305\353\323\345\275\266\104\071\346\373\107\277"
+"\152\236\012\225\030\342\150\342\326\226\326\041\255\210\375\365"
+"\027\365\323\332\102\245\220\355\051\225\226\165\072\332\207\241"
+"\324\365\323\207\336\005\142\246\343\146\164\222\317\245\274\273"
+"\337\150\377\161\165\126\101\131\065\353\063\132\146\121\362\322"
+"\243\012\301\214\316\163\134\021\157\055\214\225\214\221\261\375"
+"\317\345\255\126\225\314\205\222\203\220\125\101\311\302\167\355"
+"\371\243\164\102\012\150\010\363\320\321\145\375\147\054\064\377"
+"\044\177\347\171\310\007\073\045\127\335\244\014\230\075\276\340"
+"\314\031\145\333\362\124\242\257\102\324\235\342\256\204\043\045"
+"\011\063\022\265\152\036\166\304\213\331\111\000\154\136\272\037"
+"\362\033\332\147\312\047\252\243\104\043\033\203\202\316\362\253"
+"\063\355\124\244\334\311\253\131\145\321\070\016\301\076\033\147"
+"\217\326\165\001\340\125\042\335\166\167\354\216\335\364\317\171"
+"\042\155\271\127\003\365\231\010\247\074\076\064\373\304\027\256"
+"\043\130\315\044\363\043\312\152\002\050\224\001\201\064\264\154"
+"\153\256\213\032\303\243\322\011\074\026\124\365\066\137\044\343"
+"\237\112\241\342\144\306\026\303\246\201\172\044\066\107\216\301"
+"\136\016\373\371\025\170\004\326\016\131\331\235\130\146\142\322"
+"\224\051\062\062\310\170\271\146\366\265\126\341\154\306\024\113"
+"\226\122\131\221\002\044\152\125\107\327\077\266\043\032\140\167"
+"\227\056\342\100\257\236\004\127\236\255\021\305\311\103\160\357"
+"\110\264\136\254\034\151\056\056\202\325\133\213\276\202\276\031"
+"\024\136\347\015\042\307\121\033\377\036\233\361\060\217\161\061"
+"\006\263\064\047\217\137\172\146\202\117\212\055\023\253\102\317"
+"\041\126\236\227\216\146\066\017\226\233\345\053\364\002\251\052"
+"\152\214\054\304\303\270\160\054\055\051\036\077\120\167\036\155"
+"\052\124\344\125\012\221\070\241\305\265\146\242\166\132\356\017"
+"\277\264\147\341\050\156\017\341\066\241\202\321\277\324\167\341"
+"\304\147\062\223\170\310\347\124\123\376\043\171\346\150\314\046"
+"\220\366\020\143\135\052\157\221\055\244\163\062\121\041\362\273"
+"\025\337\252\044\010\110\006\336\241\236\046\277\272\203\277\174"
+"\244\310\240\214\275\322\377\274\204\151\047\023\044\030\304\105"
+"\030\043\046\136\030\024\312\056\210\207\142\243\123\346\041\267"
+"\270\205\173\232\205\273\025\046\162\370\271\367\152\164\017\111"
+"\077\222\276\251\005\267\231\047\277\277\011\027\113\231\114\255"
+"\021\020\174\337\164\061\366\217\046\137\252\210\256\070\127\310"
+"\125\055\323\373\330\033\121\231\276\045\033\072\272\300\175\033"
+"\355\316\322\111\271\317\363\305\175\211\220\201\330\151\110\040"
+"\020\243\370\357\222\121\030\062\213\021\030\300\077\033\205\126"
+"\316\127\311\362\202\144\306\337\002\011\056\112\021\057\261\047"
+"\155\067\122\360\360\026\141\361\147\215\337\207\162\257\207\332"
+"\317\373\120\224\156\324\224\205\353\212\054\352\041\365\226\112"
+"\104\325\340\316\152\164\104\115\320\005\323\207\025\355\066\320"
+"\244\213\146\125\160\223\356\107\006\301\176\056\245\030\171\147"
+"\363\050\205\361\160\367\016\203\244\176\124\236\132\166\062\313"
+"\145\033\270\315\373\310\050\003\322\124\221\321\247\305\205\103"
+"\010\027\166\245\346\057\147\010\330\241\242\202\055\014\370\301"
+"\257\143\324\120\167\155\153\106\112\101\205\325\220\137\171\055"
+"\304\354\327\021\207\100\212\341\150\342\144\370\125\062\373\157"
+"\223\054\332\167\331\041\301\027\345\066\054\116\176\220\177\254"
+"\224\053\062\147\276\070\120\166\270\256\101\271\327\041\305\011"
+"\114\140\310\243\121\304\064\233\127\067\337\313\311\063\127\213"
+"\353\373\166\237\031\115\305\152\037\052\105\256\053\355\057\215"
+"\247\245\000\313\004\372\045\142\056\164\110\033\312\052\214\272"
+"\333\266\176\366\273\002\174\251\303\333\130\170\241\277\360\376"
+"\032\020\125\021\316\350\151\116\226\145\306\027\003\326\007\150"
+"\214\124\202\256\034\042\125\077\361\364\011\227\050\300\106\367"
+"\116\013\045\035\367\007\327\011\035\072\030\127\070\073\350\063"
+"\006\347\217\170\106\036\133\365\006\266\354\270\246\015\361\272"
+"\023\113\326\030\040\335\151\063\112\063\025\256\270\310\230\212"
+"\047\054\223\274\055\373\356\063\277\146\346\115\272\266\233\006"
+"\125\140\227\113\274\104\315\176\364\241\330\252\057\300\002\050"
+"\041\026\142\170\333\010\124\362\374\364\064\343\306\217\034\103"
+"\127\316\220\032\113\334\056\073\050\221\211\077\172\332\065\035"
+"\216\054\356\111\354\364\063\255\311\123\250\214\237\004\123\076"
+"\044\034\122\311\022\371\142\127\243\274\356\054\353\100\174\040"
+"\043\160\053\225\371\163\027\212\321\301\034\151\246\267\070\232"
+"\147\367\160\035\172\132\014\100\317\142\017\205\074\302\002\116"
+"\176\265\366\305\052\051\204\263\037\067\052\341\252\162\102\304"
+"\355\153\032\217\222\034\135\276\321\362\133\362\253\252\251\322"
+"\365\270\244\101\053\053\221\156\022\110\312\230\330\067\215\310"
+"\355\000\060\265\266\004\116\176\234\332\204\354\300\372\173\345"
+"\035\210\244\123\106\260\224\344\134\033\241\045\054\017\110\122"
+"\167\227\011\154\354\133\030\063\203\002\345\202\176\315\205\041"
+"\060\021\375\047\117\317\344\036\354\077\245\127\154\351\052\060"
+"\031\052\210\345\303\151\070\253\157\071\161\177\204\341\101\303"
+"\341\314\052\211\040\122\056\203\017\154\071\077\113\055\026\254"
+"\055\360\044\254\000\163\364\233\263\006\077\005\270\024\205\037"
+"\253\236\134\074\236\142\235\016\155\073\200\011\374\002\352\242"
+"\227\164\312\307\371\343\126\341\303\312\245\246\232\300\220\340"
+"\044\022\123\322\302\213\332\276\355\002\103\136\147\341\211\230"
+"\171\356\313\252\312\303\033\334\347\245\106\245\174\153\026\207"
+"\266\132\050\327\333\047\074\136\245\275\266\121\335\037\103\317"
+"\073\046\310\072\215\045\141\301\111\364\074\033\311\104\352\257"
+"\034\302\053\224\001\052\016\060\321\133\213\053\107\345\303\321"
+"\004\003\233\016\071\054\326\047\324\346\160\132\331\165\317\052"
+"\330\311\000\005\344\023\210\354\303\071\373\207\141\060\066\103"
+"\003\310\236\234\242\006\302\057\305\374\360\200\143\261\124\004"
+"\240\114\251\056\306\365\166\172\330\320\344\324\224\021\345\025"
+"\265\170\006\334\270\200\217\231\251\040\063\075\020\205\114\145"
+"\011\312\076\130\136\140\223\232\252\142\135\300\121\006\034\135"
+"\140\240\015\234\113\103\366\247\026\041\244\207\252\362\301\056"
+"\356\222\060\270\236\337\337\020\001\213\206\011\160\330\154\250"
+"\267\120\036\026\226\264\367\147\375\065\072\041\220\052\062\307"
+"\000\173\115\007\020\011\271\057\163\330\030\176\147\231\004\117"
+"\006\374\120\307\205\233\235\100\235\263\226\067\372\245\334\262"
+"\162\116\357\116\011\054\375\221\375\115\367\273\246\241\076\253"
+"\173\242\003\100\246\251\125\047\342\372\371\031\316\207\165\252"
+"\361\165\066\363\363\270\221\370\221\303\213\165\023\216\114\145"
+"\232\026\071\152\345\064\350\172\226\131\177\065\260\000\375\133"
+"\151\374\103\046\372\365\050\156\376\207\331\176\044\373\264\240"
+"\202\156\124\242\377\256\277\142\264\364\162\001\302\313\230\107"
+"\230\341\114\265\027\200\200\316\217\246\050\356\036\105\152\373"
+"\337\361\035\374\132\073\326\352\364\154\035\142\111\127\073\212"
+"\217\206\352\360\123\004\316\234\026\150\377\272\271\374\210\017"
+"\107\367\002\104\162\100\270\312\073\055\123\235\334\074\126\214"
+"\131\173\150\032\054\215\161\273\154\000\307\032\316\157\100\222"
+"\261\243\057\017\331\104\362\243\160\056\236\356\016\256\062\320"
+"\073\076\213\007\352\346\171\263\134\051\342\175\153\250\136\371"
+"\132\061\350\010\226\242\214\003\230\106\361\270\175\220\124\046"
+"\355\166\142\376\236\351\232\156\136\311\111\307\134\064\123\051"
+"\124\331\354\344\106\341\200\073\165\331\337\373\171\325\207\361"
+"\272\236\353\031\316\114\122\163\346\133\207\256\045\117\071\171"
+"\314\306\270\371\020\173\354\360\233\161\244\005\240\323\051\323"
+"\116\177\037\364\055\050\170\314\125\225\173\036\221\057\314\126"
+"\030\163\213\262\333\274\151\007\346\320\330\117\355\242\377\130"
+"\205\243\155\340\112\123\267\147\175\215\014\134\133\173\167\050"
+"\002\065\104\172\004\323\050\103\310\153\060\027\135\062\270\051"
+"\065\272\166\332\073\024\112\166\030\130\244\370\222\074\236\115"
+"\063\157\106\153\010\331\061\110\150\335\364\373\044\126\064\262"
+"\317\151\146\276\110\322\212\146\042\315\362\151\315\302\123\023"
+"\105\051\101\042\326\135\230\037\266\244\262\243\302\356\002\057"
+"\121\033\334\203\244\354\160\045\250\324\010\141\062\157\344\241"
+"\201\056\174\143\162\372\051\145\274\160\104\317\135\002\003\001"
+"\000\001\060\015\006\011\052\206\110\206\367\015\001\001\005\005"
+"\000\003\202\010\001\000\125\232\064\152\042\006\151\011\105\063"
+"\307\256\251\134\307\011\116\233\206\274\101\220\324\224\122\366"
+"\315\043\051\224\113\042\315\350\275\376\235\315\122\362\275\355"
+"\253\207\311\253\253\106\004\264\275\242\077\042\060\107\120\300"
+"\113\214\166\017\003\365\222\322\261\055\304\172\065\234\311\163"
+"\207\353\246\237\336\017\163\215\323\177\231\330\272\217\157\304"
+"\363\276\032\256\213\242\224\066\220\342\345\353\215\005\364\374"
+"\145\337\225\361\304\224\115\027\126\327\237\074\217\120\074\347"
+"\167\277\225\206\046\144\373\152\377\306\332\351\214\256\102\273"
+"\151\345\063\306\330\351\015\306\125\041\111\301\014\264\243\371"
+"\233\113\134\336\203\117\101\003\316\052\171\150\070\175\360\124"
+"\111\040\365\266\020\377\010\334\063\146\226\233\377\006\336\000"
+"\236\327\316\126\103\232\121\374\160\315\366\360\121\243\267\315"
+"\264\134\205\142\315\161\267\306\053\043\053\335\303\156\100\102"
+"\372\067\377\067\034\366\172\127\224\207\205\043\327\324\311\307"
+"\137\301\115\057\311\015\327\134\354\234\045\356\236\060\202\221"
+"\226\162\270\165\035\370\011\150\127\227\262\055\113\356\045\354"
+"\172\044\051\356\162\324\234\023\333\253\334\003\012\330\112\024"
+"\311\010\127\104\135\241\265\123\200\064\362\024\227\317\122\336"
+"\242\016\212\020\351\024\357\320\140\276\141\241\361\045\135\325"
+"\030\163\077\223\020\312\226\356\263\100\322\333\243\125\317\127"
+"\132\245\016\117\165\107\337\352\367\220\232\155\365\160\056\035"
+"\024\034\067\144\004\131\120\260\334\162\206\157\234\067\075\135"
+"\050\257\163\125\357\322\356\044\164\164\023\357\334\333\061\111"
+"\373\077\143\365\323\010\076\063\245\347\235\012\336\123\054\121"
+"\216\147\333\233\101\145\101\120\275\324\244\226\154\207\274\022"
+"\340\224\307\323\300\344\313\163\130\000\203\341\254\047\205\326"
+"\235\123\235\134\275\012\076\003\103\234\014\221\365\155\173\370"
+"\100\162\165\253\021\166\221\053\341\306\252\037\160\151\166\160"
+"\025\011\376\223\320\326\055\267\025\152\233\147\134\264\151\237"
+"\045\246\175\212\373\175\042\251\161\362\316\116\214\270\041\055"
+"\336\376\101\161\015\377\235\354\163\246\273\007\117\210\016\130"
+"\107\056\176\251\302\307\170\335\272\172\236\116\340\060\116\143"
+"\157\205\324\040\101\351\372\376\103\105\347\373\257\172\262\316"
+"\244\005\035\042\232\130\206\337\344\316\114\251\376\330\026\245"
+"\157\373\330\316\126\173\365\326\040\357\344\107\315\143\044\377"
+"\271\276\361\110\243\301\001\162\346\275\300\255\355\046\015\312"
+"\064\237\374\002\055\040\117\005\040\256\041\075\014\302\040\074"
+"\077\360\004\204\334\317\211\375\271\045\221\216\320\103\346\263"
+"\040\253\134\055\325\100\236\240\113\330\364\262\314\175\361\130"
+"\012\216\207\355\210\254\066\226\344\126\240\021\212\362\232\320"
+"\263\127\243\064\273\031\253\070\341\164\153\042\304\061\316\001"
+"\325\033\066\343\036\070\114\063\223\337\100\343\131\127\116\254"
+"\156\173\036\132\075\305\035\133\254\310\020\202\065\002\042\262"
+"\374\165\350\020\221\215\304\175\170\223\107\236\034\235\254\153"
+"\142\002\130\214\326\034\043\326\257\170\302\200\234\244\252\044"
+"\124\024\265\024\230\306\370\053\032\044\313\161\062\012\342\233"
+"\016\151\153\335\176\214\144\321\056\143\357\016\177\261\076\210"
+"\114\235\125\345\311\156\027\004\267\101\377\275\212\101\313\045"
+"\061\157\104\167\077\107\261\374\201\210\007\216\005\111\040\267"
+"\021\331\151\003\052\003\235\271\063\204\232\337\337\172\343\106"
+"\163\243\330\242\214\123\031\210\125\114\164\270\366\104\204\053"
+"\321\024\055\116\071\056\222\150\377\151\374\205\142\033\353\125"
+"\117\357\045\204\142\105\231\326\330\116\157\077\123\010\175\035"
+"\006\225\201\200\177\117\116\164\066\230\265\342\207\160\230\334"
+"\327\365\334\122\025\346\306\326\171\226\071\177\217\225\317\253"
+"\200\123\255\033\013\105\100\016\324\030\275\054\336\212\167\166"
+"\375\362\104\107\306\041\320\344\164\360\330\030\005\310\174\060"
+"\162\307\337\361\273\374\002\060\251\364\102\046\131\015\223\005"
+"\202\241\163\355\064\345\070\135\315\120\220\376\224\374\023\274"
+"\275\374\250\242\210\247\163\304\262\250\321\135\210\304\002\242"
+"\172\361\004\311\376\214\164\311\357\035\144\101\237\254\036\226"
+"\147\144\254\253\050\101\307\235\367\300\230\033\156\007\302\144"
+"\175\132\203\146\126\050\066\234\347\373\034\167\016\050\240\304"
+"\367\153\171\071\004\040\204\307\127\223\274\033\240\352\274\353"
+"\102\345\250\021\376\374\254\145\314\375\370\050\210\364\245\232"
+"\345\163\121\340\250\233\015\003\167\116\345\340\230\263\210\332"
+"\175\346\306\236\174\024\146\301\056\123\112\222\007\067\240\176"
+"\351\075\011\344\025\174\317\375\270\101\245\357\236\146\235\304"
+"\136\007\035\207\370\101\255\352\347\057\322\101\143\030\067\371"
+"\024\343\115\320\345\367\103\375\025\343\371\066\163\006\046\337"
+"\001\117\251\303\116\336\040\106\167\230\264\172\044\053\073\165"
+"\053\116\130\215\233\135\244\307\026\240\274\062\210\077\241\203"
+"\363\000\310\370\330\130\351\143\135\114\053\265\360\162\101\330"
+"\253\167\067\326\162\164\256\266\066\234\310\246\203\111\113\340"
+"\311\126\013\051\276\000\060\313\335\326\310\102\212\000\331\354"
+"\025\321\064\161\362\133\144\207\366\047\322\267\353\206\260\220"
+"\277\051\333\041\236\066\214\343\040\057\225\043\121\154\033\302"
+"\244\325\346\330\002\103\147\240\376\233\120\003\104\177\273\344"
+"\162\325\321\344\332\217\222\024\144\373\135\024\020\022\112\225"
+"\006\311\145\010\051\312\041\243\046\070\021\311\047\337\160\147"
+"\004\375\312\110\062\177\143\262\105\164\061\120\117\207\331\040"
+"\160\322\041\160\261\326\020\235\063\135\170\203\221\155\125\202"
+"\354\332\344\142\143\307\201\106\327\031\145\162\052\103\031\220"
+"\270\327\043\115\114\034\340\104\251\146\147\254\356\161\171\047"
+"\046\170\155\162\016\365\135\113\043\265\174\174\145\351\027\306"
+"\072\013\015\335\136\036\121\303\206\270\354\177\307\047\112\245"
+"\106\350\152\055\031\301\207\243\313\231\223\207\144\242\125\024"
+"\114\267\103\245\223\327\347\322\116\171\100\312\145\231\106\075"
+"\077\172\200\172\210\152\314\036\345\153\063\106\364\120\300\325"
+"\037\011\270\315\212\056\241\047\353\135\163\247\350\153\012\345"
+"\127\202\052\260\374\342\124\122\126\360\253\251\022\306\043\226"
+"\007\044\234\340\274\106\245\264\040\004\332\011\223\143\345\324"
+"\056\302\176\305\061\355\265\025\164\206\027\271\263\363\046\212"
+"\035\002\152\332\032\077\350\272\361\004\155\224\121\124\342\132"
+"\264\131\203\035\140\320\055\163\314\007\265\046\214\371\327\306"
+"\210\221\357\200\317\135\017\241\140\313\105\324\102\042\321\261"
+"\160\035\375\320\267\060\220\072\306\110\155\147\345\062\332\217"
+"\333\343\250\343\035\040\045\242\034\341\114\271\244\366\306\077"
+"\134\130\015\273\306\262\167\001\026\221\237\027\006\015\267\100"
+"\076\314\217\216\234\113\340\235\176\233\036\005\253\210\042\372"
+"\323\050\033\127\024\144\112\076\044\054\070\115\041\151\000\163"
+"\056\320\125\055\164\362\025\350\224\103\076\100\052\306\306\271"
+"\152\133\336\242\314\030\120\124\135\116\052\205\154\366\222\213"
+"\051\031\176\347\352\112\340\042\053\045\274\367\146\317\167\232"
+"\101\164\362\074\024\015\164\151\365\120\203\315\315\057\041\333"
+"\042\106\212\320\367\121\032\225\127\362\005\213\032\031\355\073"
+"\105\350\066\302\156\176\373\127\042\000\037\006\123\251\256\223"
+"\306\217\161\052\061\105\222\347\216\155\346\231\042\300\203\374"
+"\357\334\127\146\167\117\242\066\061\373\241\023\215\345\312\243"
+"\225\175\001\014\144\160\073\123\102\150\200\307\273\235\250\000"
+"\065\151\230\014\250\147\330\103\345\252\317\225\340\121\225\244"
+"\027\077\102\235\270\004\316\323\171\171\310\323\212\026\062\222"
+"\340\327\242\356\327\067\114\057\254\270\173\276\105\366\361\030"
+"\063\234\173\067\246\044\331\274\100\253\000\351\303\067\213\253"
+"\330\266\363\136\201\116\260\024\153\007\076\037\354\302\366\104"
+"\042\225\273\263\346\157\326\371\160\145\272\012\203\145\252\016"
+"\023\057\203\023\043\123\213\100\026\372\316\057\374\115\004\370"
+"\353\330\254\305\066\302\025\127\110\070\354\125\263\264\036\272"
+"\255\322\102\006\027\015\163\310\127\246\276\226\115\251\362\300"
+"\373\172\041\034\365\311\160\251\202\220\265\361\014\324\171\020"
+"\276\201\246\351\134\141\234\167\171\232\244\303\067\046\127\067"
+"\311\122\054\372\010\377\320\137\306\141\300\364\166\276\374\336"
+"\116\317\253\121\231\161\307\337\176\364\326\317\006\126\031\023"
+"\123\013\155\164\131\110\031\233\123\005\055\235\062\124\323\345"
+"\054\123\213\144\076\324\144\173\343\200\011\024\314\376\026\106"
+"\143\153\161\151\370\371\313\047\366\210\124\274\105\263\316\002"
+"\310\224\356\100\133\371\102\002\302\377\260\330\054\353\050\177"
+"\136\311\046\001\231\247"
+, (PRUint32)4390 }
+};
+static const NSSItem nss_builtins_items_89 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Thawte Universal CA Root", (PRUint32)25 },
+  { (void *)"\213\302\212\044\257\373\126\135\350\120\025\173\172\153\157\024"
+"\170\114\220\343"
+, (PRUint32)20 },
+  { (void *)"\027\257\161\026\122\173\163\145\042\005\051\050\204\161\235\023"
+, (PRUint32)16 },
+  { (void *)"\060\127\061\017\060\015\006\003\125\004\012\023\006\124\150\141"
+"\167\164\145\061\041\060\037\006\003\125\004\013\023\030\124\150"
+"\141\167\164\145\040\125\156\151\166\145\162\163\141\154\040\103"
+"\101\040\122\157\157\164\061\041\060\037\006\003\125\004\003\023"
+"\030\124\150\141\167\164\145\040\125\156\151\166\145\162\163\141"
+"\154\040\103\101\040\122\157\157\164"
+, (PRUint32)89 },
+  { (void *)"\000"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_90 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 1 Public Primary Certification Authority - G3", (PRUint32)61 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
+"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
+"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
+"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
+"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
+"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
+"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
+"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
+"\061\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
+"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
+"\165\164\150\157\162\151\164\171\040\055\040\107\063"
+, (PRUint32)205 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
+"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
+"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
+"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
+"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
+"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
+"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
+"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
+"\061\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
+"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
+"\165\164\150\157\162\151\164\171\040\055\040\107\063"
+, (PRUint32)205 },
+  { (void *)"\000\213\133\165\126\204\124\205\013\000\317\257\070\110\316\261"
+"\244"
+, (PRUint32)17 },
+  { (void *)"\060\202\004\032\060\202\003\002\002\021\000\213\133\165\126\204"
+"\124\205\013\000\317\257\070\110\316\261\244\060\015\006\011\052"
+"\206\110\206\367\015\001\001\005\005\000\060\201\312\061\013\060"
+"\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003"
+"\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111"
+"\156\143\056\061\037\060\035\006\003\125\004\013\023\026\126\145"
+"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
+"\167\157\162\153\061\072\060\070\006\003\125\004\013\023\061\050"
+"\143\051\040\061\071\071\071\040\126\145\162\151\123\151\147\156"
+"\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164"
+"\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171"
+"\061\105\060\103\006\003\125\004\003\023\074\126\145\162\151\123"
+"\151\147\156\040\103\154\141\163\163\040\061\040\120\165\142\154"
+"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
+"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
+"\164\171\040\055\040\107\063\060\036\027\015\071\071\061\060\060"
+"\061\060\060\060\060\060\060\132\027\015\063\066\060\067\061\066"
+"\062\063\065\071\065\071\132\060\201\312\061\013\060\011\006\003"
+"\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004\012"
+"\023\016\126\145\162\151\123\151\147\156\054\040\111\156\143\056"
+"\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123"
+"\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162"
+"\153\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040"
+"\061\071\071\071\040\126\145\162\151\123\151\147\156\054\040\111"
+"\156\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162"
+"\151\172\145\144\040\165\163\145\040\157\156\154\171\061\105\060"
+"\103\006\003\125\004\003\023\074\126\145\162\151\123\151\147\156"
+"\040\103\154\141\163\163\040\061\040\120\165\142\154\151\143\040"
+"\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143"
+"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040"
+"\055\040\107\063\060\202\001\042\060\015\006\011\052\206\110\206"
+"\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012"
+"\002\202\001\001\000\335\204\324\271\264\371\247\330\363\004\170"
+"\234\336\075\334\154\023\026\331\172\335\044\121\146\300\307\046"
+"\131\015\254\006\010\302\224\321\063\037\360\203\065\037\156\033"
+"\310\336\252\156\025\116\124\047\357\304\155\032\354\013\343\016"
+"\360\104\245\127\307\100\130\036\243\107\037\161\354\140\366\155"
+"\224\310\030\071\355\376\102\030\126\337\344\114\111\020\170\116"
+"\001\166\065\143\022\066\335\146\274\001\004\066\243\125\150\325"
+"\242\066\011\254\253\041\046\124\006\255\077\312\024\340\254\312"
+"\255\006\035\225\342\370\235\361\340\140\377\302\177\165\053\114"
+"\314\332\376\207\231\041\352\272\376\076\124\327\322\131\170\333"
+"\074\156\317\240\023\000\032\270\047\241\344\276\147\226\312\240"
+"\305\263\234\335\311\165\236\353\060\232\137\243\315\331\256\170"
+"\031\077\043\351\134\333\051\275\255\125\310\033\124\214\143\366"
+"\350\246\352\307\067\022\134\243\051\036\002\331\333\037\073\264"
+"\327\017\126\107\201\025\004\112\257\203\047\321\305\130\210\301"
+"\335\366\252\247\243\030\332\150\252\155\021\121\341\277\145\153"
+"\237\226\166\321\075\002\003\001\000\001\060\015\006\011\052\206"
+"\110\206\367\015\001\001\005\005\000\003\202\001\001\000\253\146"
+"\215\327\263\272\307\232\266\346\125\320\005\361\237\061\215\132"
+"\252\331\252\106\046\017\161\355\245\255\123\126\142\001\107\052"
+"\104\351\376\077\164\013\023\233\271\364\115\033\262\321\137\262"
+"\266\322\210\134\263\237\315\313\324\247\331\140\225\204\072\370"
+"\301\067\035\141\312\347\260\305\345\221\332\124\246\254\061\201"
+"\256\227\336\315\010\254\270\300\227\200\177\156\162\244\347\151"
+"\023\225\145\037\304\223\074\375\171\217\004\324\076\117\352\367"
+"\236\316\315\147\174\117\145\002\377\221\205\124\163\307\377\066"
+"\367\206\055\354\320\136\117\377\021\237\162\006\326\270\032\361"
+"\114\015\046\145\342\104\200\036\307\237\343\335\350\012\332\354"
+"\245\040\200\151\150\241\117\176\341\153\317\007\101\372\203\216"
+"\274\070\335\260\056\021\261\153\262\102\314\232\274\371\110\042"
+"\171\112\031\017\262\034\076\040\164\331\152\303\276\362\050\170"
+"\023\126\171\117\155\120\352\033\260\265\127\261\067\146\130\043"
+"\363\334\017\337\012\207\304\357\206\005\325\070\024\140\231\243"
+"\113\336\006\226\161\054\362\333\266\037\244\357\077\356"
+, (PRUint32)1054 }
+};
+static const NSSItem nss_builtins_items_91 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 1 Public Primary Certification Authority - G3", (PRUint32)61 },
+  { (void *)"\040\102\205\334\367\353\166\101\225\127\216\023\153\324\267\321"
+"\351\216\106\245"
+, (PRUint32)20 },
+  { (void *)"\261\107\274\030\127\321\030\240\170\055\354\161\350\052\225\163"
+, (PRUint32)16 },
+  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
+"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
+"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
+"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
+"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
+"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
+"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
+"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
+"\061\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
+"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
+"\165\164\150\157\162\151\164\171\040\055\040\107\063"
+, (PRUint32)205 },
+  { (void *)"\000\213\133\165\126\204\124\205\013\000\317\257\070\110\316\261"
+"\244"
+, (PRUint32)17 },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_92 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 2 Public Primary Certification Authority - G3", (PRUint32)61 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
+"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
+"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
+"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
+"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
+"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
+"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
+"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
+"\062\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
+"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
+"\165\164\150\157\162\151\164\171\040\055\040\107\063"
+, (PRUint32)205 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
+"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
+"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
+"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
+"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
+"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
+"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
+"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
+"\062\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
+"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
+"\165\164\150\157\162\151\164\171\040\055\040\107\063"
+, (PRUint32)205 },
+  { (void *)"\141\160\313\111\214\137\230\105\051\347\260\246\331\120\133\172"
+, (PRUint32)16 },
+  { (void *)"\060\202\004\031\060\202\003\001\002\020\141\160\313\111\214\137"
+"\230\105\051\347\260\246\331\120\133\172\060\015\006\011\052\206"
+"\110\206\367\015\001\001\005\005\000\060\201\312\061\013\060\011"
+"\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125"
+"\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156"
+"\143\056\061\037\060\035\006\003\125\004\013\023\026\126\145\162"
+"\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164\167"
+"\157\162\153\061\072\060\070\006\003\125\004\013\023\061\050\143"
+"\051\040\061\071\071\071\040\126\145\162\151\123\151\147\156\054"
+"\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164\150"
+"\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171\061"
+"\105\060\103\006\003\125\004\003\023\074\126\145\162\151\123\151"
+"\147\156\040\103\154\141\163\163\040\062\040\120\165\142\154\151"
+"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
+"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171\040\055\040\107\063\060\036\027\015\071\071\061\060\060\061"
+"\060\060\060\060\060\060\132\027\015\063\066\060\067\061\066\062"
+"\063\065\071\065\071\132\060\201\312\061\013\060\011\006\003\125"
+"\004\006\023\002\125\123\061\027\060\025\006\003\125\004\012\023"
+"\016\126\145\162\151\123\151\147\156\054\040\111\156\143\056\061"
+"\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123\151"
+"\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162\153"
+"\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040\061"
+"\071\071\071\040\126\145\162\151\123\151\147\156\054\040\111\156"
+"\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162\151"
+"\172\145\144\040\165\163\145\040\157\156\154\171\061\105\060\103"
+"\006\003\125\004\003\023\074\126\145\162\151\123\151\147\156\040"
+"\103\154\141\163\163\040\062\040\120\165\142\154\151\143\040\120"
+"\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143\141"
+"\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040\055"
+"\040\107\063\060\202\001\042\060\015\006\011\052\206\110\206\367"
+"\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002"
+"\202\001\001\000\257\012\015\302\325\054\333\147\271\055\345\224"
+"\047\335\245\276\340\260\115\217\263\141\126\074\326\174\303\364"
+"\315\076\206\313\242\210\342\341\330\244\151\305\265\342\277\301"
+"\246\107\120\136\106\071\213\325\226\272\265\157\024\277\020\316"
+"\047\023\236\005\107\233\061\172\023\330\037\331\323\002\067\213"
+"\255\054\107\360\216\201\006\247\015\060\014\353\367\074\017\040"
+"\035\334\162\106\356\245\002\310\133\303\311\126\151\114\305\030"
+"\301\221\173\013\325\023\000\233\274\357\303\110\076\106\140\040"
+"\205\052\325\220\266\315\213\240\314\062\335\267\375\100\125\262"
+"\120\034\126\256\314\215\167\115\307\040\115\247\061\166\357\150"
+"\222\212\220\036\010\201\126\262\255\151\243\122\320\313\034\304"
+"\043\075\037\231\376\114\350\026\143\216\306\010\216\366\061\366"
+"\322\372\345\166\335\265\034\222\243\111\315\315\001\315\150\315"
+"\251\151\272\243\353\035\015\234\244\040\246\301\240\305\321\106"
+"\114\027\155\322\254\146\077\226\214\340\204\324\066\377\042\131"
+"\305\371\021\140\250\137\004\175\362\032\366\045\102\141\017\304"
+"\112\270\076\211\002\003\001\000\001\060\015\006\011\052\206\110"
+"\206\367\015\001\001\005\005\000\003\202\001\001\000\064\046\025"
+"\074\300\215\115\103\111\035\275\351\041\222\327\146\234\267\336"
+"\305\270\320\344\135\137\166\042\300\046\371\204\072\072\371\214"
+"\265\373\354\140\361\350\316\004\260\310\335\247\003\217\060\363"
+"\230\337\244\346\244\061\337\323\034\013\106\334\162\040\077\256"
+"\356\005\074\244\063\077\013\071\254\160\170\163\113\231\053\337"
+"\060\302\124\260\250\073\125\241\376\026\050\315\102\275\164\156"
+"\200\333\047\104\247\316\104\135\324\033\220\230\015\036\102\224"
+"\261\000\054\004\320\164\243\002\005\042\143\143\315\203\265\373"
+"\301\155\142\153\151\165\375\135\160\101\271\365\277\174\337\276"
+"\301\062\163\042\041\213\130\201\173\025\221\172\272\343\144\110"
+"\260\177\373\066\045\332\225\320\361\044\024\027\335\030\200\153"
+"\106\043\071\124\365\216\142\011\004\035\224\220\246\233\346\045"
+"\342\102\105\252\270\220\255\276\010\217\251\013\102\030\224\317"
+"\162\071\341\261\103\340\050\317\267\347\132\154\023\153\111\263"
+"\377\343\030\174\211\213\063\135\254\063\327\247\371\332\072\125"
+"\311\130\020\371\252\357\132\266\317\113\113\337\052"
+, (PRUint32)1053 }
+};
+static const NSSItem nss_builtins_items_93 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 2 Public Primary Certification Authority - G3", (PRUint32)61 },
+  { (void *)"\141\357\103\327\177\312\324\141\121\274\230\340\303\131\022\257"
+"\237\353\143\021"
+, (PRUint32)20 },
+  { (void *)"\370\276\304\143\042\311\250\106\164\213\270\035\036\112\053\366"
+, (PRUint32)16 },
+  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
+"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
+"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
+"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
+"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
+"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
+"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
+"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
+"\062\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
+"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
+"\165\164\150\157\162\151\164\171\040\055\040\107\063"
+, (PRUint32)205 },
+  { (void *)"\141\160\313\111\214\137\230\105\051\347\260\246\331\120\133\172"
+, (PRUint32)16 },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_94 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 3 Public Primary Certification Authority - G3", (PRUint32)61 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
+"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
+"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
+"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
+"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
+"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
+"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
+"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
+"\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
+"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
+"\165\164\150\157\162\151\164\171\040\055\040\107\063"
+, (PRUint32)205 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
+"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
+"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
+"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
+"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
+"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
+"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
+"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
+"\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
+"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
+"\165\164\150\157\162\151\164\171\040\055\040\107\063"
+, (PRUint32)205 },
+  { (void *)"\000\233\176\006\111\243\076\142\271\325\356\220\110\161\051\357"
+"\127"
+, (PRUint32)17 },
+  { (void *)"\060\202\004\032\060\202\003\002\002\021\000\233\176\006\111\243"
+"\076\142\271\325\356\220\110\161\051\357\127\060\015\006\011\052"
+"\206\110\206\367\015\001\001\005\005\000\060\201\312\061\013\060"
+"\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003"
+"\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111"
+"\156\143\056\061\037\060\035\006\003\125\004\013\023\026\126\145"
+"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
+"\167\157\162\153\061\072\060\070\006\003\125\004\013\023\061\050"
+"\143\051\040\061\071\071\071\040\126\145\162\151\123\151\147\156"
+"\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164"
+"\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171"
+"\061\105\060\103\006\003\125\004\003\023\074\126\145\162\151\123"
+"\151\147\156\040\103\154\141\163\163\040\063\040\120\165\142\154"
+"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
+"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
+"\164\171\040\055\040\107\063\060\036\027\015\071\071\061\060\060"
+"\061\060\060\060\060\060\060\132\027\015\063\066\060\067\061\066"
+"\062\063\065\071\065\071\132\060\201\312\061\013\060\011\006\003"
+"\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004\012"
+"\023\016\126\145\162\151\123\151\147\156\054\040\111\156\143\056"
+"\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123"
+"\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162"
+"\153\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040"
+"\061\071\071\071\040\126\145\162\151\123\151\147\156\054\040\111"
+"\156\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162"
+"\151\172\145\144\040\165\163\145\040\157\156\154\171\061\105\060"
+"\103\006\003\125\004\003\023\074\126\145\162\151\123\151\147\156"
+"\040\103\154\141\163\163\040\063\040\120\165\142\154\151\143\040"
+"\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143"
+"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040"
+"\055\040\107\063\060\202\001\042\060\015\006\011\052\206\110\206"
+"\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012"
+"\002\202\001\001\000\313\272\234\122\374\170\037\032\036\157\033"
+"\067\163\275\370\311\153\224\022\060\117\360\066\107\365\320\221"
+"\012\365\027\310\245\141\301\026\100\115\373\212\141\220\345\166"
+"\040\301\021\006\175\253\054\156\246\365\021\101\216\372\055\255"
+"\052\141\131\244\147\046\114\320\350\274\122\133\160\040\004\130"
+"\321\172\311\244\151\274\203\027\144\255\005\213\274\320\130\316"
+"\215\214\365\353\360\102\111\013\235\227\047\147\062\156\341\256"
+"\223\025\034\160\274\040\115\057\030\336\222\210\350\154\205\127"
+"\021\032\351\176\343\046\021\124\242\105\226\125\203\312\060\211"
+"\350\334\330\243\355\052\200\077\177\171\145\127\076\025\040\146"
+"\010\057\225\223\277\252\107\057\250\106\227\360\022\342\376\302"
+"\012\053\121\346\166\346\267\106\267\342\015\246\314\250\303\114"
+"\131\125\211\346\350\123\134\034\352\235\360\142\026\013\247\311"
+"\137\014\360\336\302\166\316\257\367\152\362\372\101\246\242\063"
+"\024\311\345\172\143\323\236\142\067\325\205\145\236\016\346\123"
+"\044\164\033\136\035\022\123\133\307\054\347\203\111\073\025\256"
+"\212\150\271\127\227\002\003\001\000\001\060\015\006\011\052\206"
+"\110\206\367\015\001\001\005\005\000\003\202\001\001\000\021\024"
+"\226\301\253\222\010\367\077\057\311\262\376\344\132\237\144\336"
+"\333\041\117\206\231\064\166\066\127\335\320\025\057\305\255\177"
+"\025\037\067\142\163\076\324\347\137\316\027\003\333\065\372\053"
+"\333\256\140\011\137\036\137\217\156\273\013\075\352\132\023\036"
+"\014\140\157\265\300\265\043\042\056\007\013\313\251\164\313\107"
+"\273\035\301\327\245\153\314\057\322\102\375\111\335\247\211\317"
+"\123\272\332\000\132\050\277\202\337\370\272\023\035\120\206\202"
+"\375\216\060\217\051\106\260\036\075\065\332\070\142\026\030\112"
+"\255\346\266\121\154\336\257\142\353\001\320\036\044\376\172\217"
+"\022\032\022\150\270\373\146\231\024\024\105\134\256\347\256\151"
+"\027\201\053\132\067\311\136\052\364\306\342\241\134\124\233\246"
+"\124\000\317\360\361\301\307\230\060\032\073\066\026\333\243\156"
+"\352\375\255\262\302\332\357\002\107\023\212\300\361\263\061\255"
+"\117\034\341\117\234\257\017\014\235\367\170\015\330\364\065\126"
+"\200\332\267\155\027\217\235\036\201\144\341\376\305\105\272\255"
+"\153\271\012\172\116\117\113\204\356\113\361\175\335\021"
+, (PRUint32)1054 }
+};
+static const NSSItem nss_builtins_items_95 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 3 Public Primary Certification Authority - G3", (PRUint32)61 },
+  { (void *)"\023\055\015\105\123\113\151\227\315\262\325\303\071\342\125\166"
+"\140\233\134\306"
+, (PRUint32)20 },
+  { (void *)"\315\150\266\247\307\304\316\165\340\035\117\127\104\141\222\011"
+, (PRUint32)16 },
+  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
+"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
+"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
+"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
+"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
+"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
+"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
+"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
+"\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
+"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
+"\165\164\150\157\162\151\164\171\040\055\040\107\063"
+, (PRUint32)205 },
+  { (void *)"\000\233\176\006\111\243\076\142\271\325\356\220\110\161\051\357"
+"\127"
+, (PRUint32)17 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_96 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 4 Public Primary Certification Authority - G3", (PRUint32)61 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
+"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
+"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
+"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
+"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
+"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
+"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
+"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
+"\064\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
+"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
+"\165\164\150\157\162\151\164\171\040\055\040\107\063"
+, (PRUint32)205 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
+"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
+"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
+"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
+"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
+"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
+"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
+"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
+"\064\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
+"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
+"\165\164\150\157\162\151\164\171\040\055\040\107\063"
+, (PRUint32)205 },
+  { (void *)"\000\354\240\247\213\156\165\152\001\317\304\174\314\057\224\136"
+"\327"
+, (PRUint32)17 },
+  { (void *)"\060\202\004\032\060\202\003\002\002\021\000\354\240\247\213\156"
+"\165\152\001\317\304\174\314\057\224\136\327\060\015\006\011\052"
+"\206\110\206\367\015\001\001\005\005\000\060\201\312\061\013\060"
+"\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003"
+"\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111"
+"\156\143\056\061\037\060\035\006\003\125\004\013\023\026\126\145"
+"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
+"\167\157\162\153\061\072\060\070\006\003\125\004\013\023\061\050"
+"\143\051\040\061\071\071\071\040\126\145\162\151\123\151\147\156"
+"\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164"
+"\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171"
+"\061\105\060\103\006\003\125\004\003\023\074\126\145\162\151\123"
+"\151\147\156\040\103\154\141\163\163\040\064\040\120\165\142\154"
+"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
+"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
+"\164\171\040\055\040\107\063\060\036\027\015\071\071\061\060\060"
+"\061\060\060\060\060\060\060\132\027\015\063\066\060\067\061\066"
+"\062\063\065\071\065\071\132\060\201\312\061\013\060\011\006\003"
+"\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004\012"
+"\023\016\126\145\162\151\123\151\147\156\054\040\111\156\143\056"
+"\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123"
+"\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162"
+"\153\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040"
+"\061\071\071\071\040\126\145\162\151\123\151\147\156\054\040\111"
+"\156\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162"
+"\151\172\145\144\040\165\163\145\040\157\156\154\171\061\105\060"
+"\103\006\003\125\004\003\023\074\126\145\162\151\123\151\147\156"
+"\040\103\154\141\163\163\040\064\040\120\165\142\154\151\143\040"
+"\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143"
+"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040"
+"\055\040\107\063\060\202\001\042\060\015\006\011\052\206\110\206"
+"\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012"
+"\002\202\001\001\000\255\313\245\021\151\306\131\253\361\217\265"
+"\031\017\126\316\314\265\037\040\344\236\046\045\113\340\163\145"
+"\211\131\336\320\203\344\365\017\265\273\255\361\174\350\041\374"
+"\344\350\014\356\174\105\042\031\166\222\264\023\267\040\133\011"
+"\372\141\256\250\362\245\215\205\302\052\326\336\146\066\322\233"
+"\002\364\250\222\140\174\234\151\264\217\044\036\320\206\122\366"
+"\062\234\101\130\036\042\275\315\105\142\225\010\156\320\146\335"
+"\123\242\314\360\020\334\124\163\213\004\241\106\063\063\134\027"
+"\100\271\236\115\323\363\276\125\203\350\261\211\216\132\174\232"
+"\226\042\220\073\210\045\362\322\123\210\002\014\013\170\362\346"
+"\067\027\113\060\106\007\344\200\155\246\330\226\056\350\054\370"
+"\021\263\070\015\146\246\233\352\311\043\133\333\216\342\363\023"
+"\216\032\131\055\252\002\360\354\244\207\146\334\301\077\365\330"
+"\271\364\354\202\306\322\075\225\035\345\300\117\204\311\331\243"
+"\104\050\006\152\327\105\254\360\153\152\357\116\137\370\021\202"
+"\036\070\143\064\146\120\324\076\223\163\372\060\303\146\255\377"
+"\223\055\227\357\003\002\003\001\000\001\060\015\006\011\052\206"
+"\110\206\367\015\001\001\005\005\000\003\202\001\001\000\217\372"
+"\045\153\117\133\344\244\116\047\125\253\042\025\131\074\312\265"
+"\012\324\112\333\253\335\241\137\123\305\240\127\071\302\316\107"
+"\053\276\072\310\126\277\302\331\047\020\072\261\005\074\300\167"
+"\061\273\072\323\005\173\155\232\034\060\214\200\313\223\223\052"
+"\203\253\005\121\202\002\000\021\147\153\363\210\141\107\137\003"
+"\223\325\133\015\340\361\324\241\062\065\205\262\072\333\260\202"
+"\253\321\313\012\274\117\214\133\305\113\000\073\037\052\202\246"
+"\176\066\205\334\176\074\147\000\265\344\073\122\340\250\353\135"
+"\025\371\306\155\360\255\035\016\205\267\251\232\163\024\132\133"
+"\217\101\050\300\325\350\055\115\244\136\315\252\331\355\316\334"
+"\330\325\074\102\035\027\301\022\135\105\070\303\070\363\374\205"
+"\056\203\106\110\262\327\040\137\222\066\217\347\171\017\230\136"
+"\231\350\360\320\244\273\365\123\275\052\316\131\260\257\156\177"
+"\154\273\322\036\000\260\041\355\370\101\142\202\271\330\262\304"
+"\273\106\120\363\061\305\217\001\250\164\353\365\170\047\332\347"
+"\367\146\103\363\236\203\076\040\252\303\065\140\221\316"
+, (PRUint32)1054 }
+};
+static const NSSItem nss_builtins_items_97 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 4 Public Primary Certification Authority - G3", (PRUint32)61 },
+  { (void *)"\310\354\214\207\222\151\313\113\253\071\351\215\176\127\147\363"
+"\024\225\163\235"
+, (PRUint32)20 },
+  { (void *)"\333\310\362\047\056\261\352\152\051\043\135\376\126\076\063\337"
+, (PRUint32)16 },
+  { (void *)"\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125"
+"\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165"
+"\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003"
+"\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145"
+"\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106"
+"\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163"
+"\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023"
+"\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040"
+"\064\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171"
+"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
+"\165\164\150\157\162\151\164\171\040\055\040\107\063"
+, (PRUint32)205 },
+  { (void *)"\000\354\240\247\213\156\165\152\001\317\304\174\314\057\224\136"
+"\327"
+, (PRUint32)17 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_98 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Entrust.net Secure Server CA", (PRUint32)29 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165"
+"\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023"
+"\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164"
+"\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040"
+"\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141"
+"\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143"
+"\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156"
+"\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003"
+"\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164"
+"\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103"
+"\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164"
+"\150\157\162\151\164\171"
+, (PRUint32)198 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165"
+"\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023"
+"\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164"
+"\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040"
+"\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141"
+"\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143"
+"\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156"
+"\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003"
+"\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164"
+"\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103"
+"\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164"
+"\150\157\162\151\164\171"
+, (PRUint32)198 },
+  { (void *)"\067\112\322\103"
+, (PRUint32)4 },
+  { (void *)"\060\202\004\330\060\202\004\101\240\003\002\001\002\002\004\067"
+"\112\322\103\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\060\201\303\061\013\060\011\006\003\125\004\006\023\002"
+"\125\123\061\024\060\022\006\003\125\004\012\023\013\105\156\164"
+"\162\165\163\164\056\156\145\164\061\073\060\071\006\003\125\004"
+"\013\023\062\167\167\167\056\145\156\164\162\165\163\164\056\156"
+"\145\164\057\103\120\123\040\151\156\143\157\162\160\056\040\142"
+"\171\040\162\145\146\056\040\050\154\151\155\151\164\163\040\154"
+"\151\141\142\056\051\061\045\060\043\006\003\125\004\013\023\034"
+"\050\143\051\040\061\071\071\071\040\105\156\164\162\165\163\164"
+"\056\156\145\164\040\114\151\155\151\164\145\144\061\072\060\070"
+"\006\003\125\004\003\023\061\105\156\164\162\165\163\164\056\156"
+"\145\164\040\123\145\143\165\162\145\040\123\145\162\166\145\162"
+"\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101"
+"\165\164\150\157\162\151\164\171\060\036\027\015\071\071\060\065"
+"\062\065\061\066\060\071\064\060\132\027\015\061\071\060\065\062"
+"\065\061\066\063\071\064\060\132\060\201\303\061\013\060\011\006"
+"\003\125\004\006\023\002\125\123\061\024\060\022\006\003\125\004"
+"\012\023\013\105\156\164\162\165\163\164\056\156\145\164\061\073"
+"\060\071\006\003\125\004\013\023\062\167\167\167\056\145\156\164"
+"\162\165\163\164\056\156\145\164\057\103\120\123\040\151\156\143"
+"\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151"
+"\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006"
+"\003\125\004\013\023\034\050\143\051\040\061\071\071\071\040\105"
+"\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164"
+"\145\144\061\072\060\070\006\003\125\004\003\023\061\105\156\164"
+"\162\165\163\164\056\156\145\164\040\123\145\143\165\162\145\040"
+"\123\145\162\166\145\162\040\103\145\162\164\151\146\151\143\141"
+"\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060\201"
+"\235\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000"
+"\003\201\213\000\060\201\207\002\201\201\000\315\050\203\064\124"
+"\033\211\363\017\257\067\221\061\377\257\061\140\311\250\350\262"
+"\020\150\355\237\347\223\066\361\012\144\273\107\365\004\027\077"
+"\043\107\115\305\047\031\201\046\014\124\162\015\210\055\331\037"
+"\232\022\237\274\263\161\323\200\031\077\107\146\173\214\065\050"
+"\322\271\012\337\044\332\234\326\120\171\201\172\132\323\067\367"
+"\302\112\330\051\222\046\144\321\344\230\154\072\000\212\365\064"
+"\233\145\370\355\343\020\377\375\270\111\130\334\240\336\202\071"
+"\153\201\261\026\031\141\271\124\266\346\103\002\001\003\243\202"
+"\001\327\060\202\001\323\060\021\006\011\140\206\110\001\206\370"
+"\102\001\001\004\004\003\002\000\007\060\202\001\031\006\003\125"
+"\035\037\004\202\001\020\060\202\001\014\060\201\336\240\201\333"
+"\240\201\330\244\201\325\060\201\322\061\013\060\011\006\003\125"
+"\004\006\023\002\125\123\061\024\060\022\006\003\125\004\012\023"
+"\013\105\156\164\162\165\163\164\056\156\145\164\061\073\060\071"
+"\006\003\125\004\013\023\062\167\167\167\056\145\156\164\162\165"
+"\163\164\056\156\145\164\057\103\120\123\040\151\156\143\157\162"
+"\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155\151"
+"\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003\125"
+"\004\013\023\034\050\143\051\040\061\071\071\071\040\105\156\164"
+"\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145\144"
+"\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162\165"
+"\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123\145"
+"\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164\151"
+"\157\156\040\101\165\164\150\157\162\151\164\171\061\015\060\013"
+"\006\003\125\004\003\023\004\103\122\114\061\060\051\240\047\240"
+"\045\206\043\150\164\164\160\072\057\057\167\167\167\056\145\156"
+"\164\162\165\163\164\056\156\145\164\057\103\122\114\057\156\145"
+"\164\061\056\143\162\154\060\053\006\003\125\035\020\004\044\060"
+"\042\200\017\061\071\071\071\060\065\062\065\061\066\060\071\064"
+"\060\132\201\017\062\060\061\071\060\065\062\065\061\066\060\071"
+"\064\060\132\060\013\006\003\125\035\017\004\004\003\002\001\006"
+"\060\037\006\003\125\035\043\004\030\060\026\200\024\360\027\142"
+"\023\125\075\263\377\012\000\153\373\120\204\227\363\355\142\320"
+"\032\060\035\006\003\125\035\016\004\026\004\024\360\027\142\023"
+"\125\075\263\377\012\000\153\373\120\204\227\363\355\142\320\032"
+"\060\014\006\003\125\035\023\004\005\060\003\001\001\377\060\031"
+"\006\011\052\206\110\206\366\175\007\101\000\004\014\060\012\033"
+"\004\126\064\056\060\003\002\004\220\060\015\006\011\052\206\110"
+"\206\367\015\001\001\005\005\000\003\201\201\000\220\334\060\002"
+"\372\144\164\302\247\012\245\174\041\215\064\027\250\373\107\016"
+"\377\045\174\215\023\012\373\344\230\265\357\214\370\305\020\015"
+"\367\222\276\361\303\325\325\225\152\004\273\054\316\046\066\145"
+"\310\061\306\347\356\077\343\127\165\204\172\021\357\106\117\030"
+"\364\323\230\273\250\207\062\272\162\366\074\342\075\237\327\035"
+"\331\303\140\103\214\130\016\042\226\057\142\243\054\037\272\255"
+"\005\357\253\062\170\207\240\124\163\031\265\134\005\371\122\076"
+"\155\055\105\013\367\012\223\352\355\006\371\262"
+, (PRUint32)1244 }
+};
+static const NSSItem nss_builtins_items_99 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Entrust.net Secure Server CA", (PRUint32)29 },
+  { (void *)"\231\246\233\346\032\376\210\153\115\053\202\000\174\270\124\374"
+"\061\176\025\071"
+, (PRUint32)20 },
+  { (void *)"\337\362\200\163\314\361\346\141\163\374\365\102\351\305\174\356"
+, (PRUint32)16 },
+  { (void *)"\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165"
+"\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023"
+"\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164"
+"\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040"
+"\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141"
+"\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143"
+"\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156"
+"\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003"
+"\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164"
+"\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103"
+"\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164"
+"\150\157\162\151\164\171"
+, (PRUint32)198 },
+  { (void *)"\067\112\322\103"
+, (PRUint32)4 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_100 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Entrust.net Secure Personal CA", (PRUint32)31 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\311\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165"
+"\163\164\056\156\145\164\061\110\060\106\006\003\125\004\013\024"
+"\077\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164"
+"\057\103\154\151\145\156\164\137\103\101\137\111\156\146\157\057"
+"\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040\162"
+"\145\146\056\040\154\151\155\151\164\163\040\154\151\141\142\056"
+"\061\045\060\043\006\003\125\004\013\023\034\050\143\051\040\061"
+"\071\071\071\040\105\156\164\162\165\163\164\056\156\145\164\040"
+"\114\151\155\151\164\145\144\061\063\060\061\006\003\125\004\003"
+"\023\052\105\156\164\162\165\163\164\056\156\145\164\040\103\154"
+"\151\145\156\164\040\103\145\162\164\151\146\151\143\141\164\151"
+"\157\156\040\101\165\164\150\157\162\151\164\171"
+, (PRUint32)204 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\311\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165"
+"\163\164\056\156\145\164\061\110\060\106\006\003\125\004\013\024"
+"\077\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164"
+"\057\103\154\151\145\156\164\137\103\101\137\111\156\146\157\057"
+"\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040\162"
+"\145\146\056\040\154\151\155\151\164\163\040\154\151\141\142\056"
+"\061\045\060\043\006\003\125\004\013\023\034\050\143\051\040\061"
+"\071\071\071\040\105\156\164\162\165\163\164\056\156\145\164\040"
+"\114\151\155\151\164\145\144\061\063\060\061\006\003\125\004\003"
+"\023\052\105\156\164\162\165\163\164\056\156\145\164\040\103\154"
+"\151\145\156\164\040\103\145\162\164\151\146\151\143\141\164\151"
+"\157\156\040\101\165\164\150\157\162\151\164\171"
+, (PRUint32)204 },
+  { (void *)"\070\003\221\356"
+, (PRUint32)4 },
+  { (void *)"\060\202\004\355\060\202\004\126\240\003\002\001\002\002\004\070"
+"\003\221\356\060\015\006\011\052\206\110\206\367\015\001\001\004"
+"\005\000\060\201\311\061\013\060\011\006\003\125\004\006\023\002"
+"\125\123\061\024\060\022\006\003\125\004\012\023\013\105\156\164"
+"\162\165\163\164\056\156\145\164\061\110\060\106\006\003\125\004"
+"\013\024\077\167\167\167\056\145\156\164\162\165\163\164\056\156"
+"\145\164\057\103\154\151\145\156\164\137\103\101\137\111\156\146"
+"\157\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171"
+"\040\162\145\146\056\040\154\151\155\151\164\163\040\154\151\141"
+"\142\056\061\045\060\043\006\003\125\004\013\023\034\050\143\051"
+"\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156\145"
+"\164\040\114\151\155\151\164\145\144\061\063\060\061\006\003\125"
+"\004\003\023\052\105\156\164\162\165\163\164\056\156\145\164\040"
+"\103\154\151\145\156\164\040\103\145\162\164\151\146\151\143\141"
+"\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060\036"
+"\027\015\071\071\061\060\061\062\061\071\062\064\063\060\132\027"
+"\015\061\071\061\060\061\062\061\071\065\064\063\060\132\060\201"
+"\311\061\013\060\011\006\003\125\004\006\023\002\125\123\061\024"
+"\060\022\006\003\125\004\012\023\013\105\156\164\162\165\163\164"
+"\056\156\145\164\061\110\060\106\006\003\125\004\013\024\077\167"
+"\167\167\056\145\156\164\162\165\163\164\056\156\145\164\057\103"
+"\154\151\145\156\164\137\103\101\137\111\156\146\157\057\103\120"
+"\123\040\151\156\143\157\162\160\056\040\142\171\040\162\145\146"
+"\056\040\154\151\155\151\164\163\040\154\151\141\142\056\061\045"
+"\060\043\006\003\125\004\013\023\034\050\143\051\040\061\071\071"
+"\071\040\105\156\164\162\165\163\164\056\156\145\164\040\114\151"
+"\155\151\164\145\144\061\063\060\061\006\003\125\004\003\023\052"
+"\105\156\164\162\165\163\164\056\156\145\164\040\103\154\151\145"
+"\156\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156"
+"\040\101\165\164\150\157\162\151\164\171\060\201\235\060\015\006"
+"\011\052\206\110\206\367\015\001\001\001\005\000\003\201\213\000"
+"\060\201\207\002\201\201\000\310\072\231\136\061\027\337\254\047"
+"\157\220\173\344\031\377\105\243\064\302\333\301\250\117\360\150"
+"\352\204\375\237\165\171\317\301\212\121\224\257\307\127\003\107"
+"\144\236\255\202\033\132\332\177\067\170\107\273\067\230\022\226"
+"\316\306\023\175\357\322\014\060\121\251\071\236\125\370\373\261"
+"\347\060\336\203\262\272\076\361\325\211\073\073\205\272\252\164"
+"\054\376\077\061\156\257\221\225\156\006\324\007\115\113\054\126"
+"\107\030\004\122\332\016\020\223\277\143\220\233\341\337\214\346"
+"\002\244\346\117\136\367\213\002\001\003\243\202\001\340\060\202"
+"\001\334\060\021\006\011\140\206\110\001\206\370\102\001\001\004"
+"\004\003\002\000\007\060\202\001\042\006\003\125\035\037\004\202"
+"\001\031\060\202\001\025\060\201\344\240\201\341\240\201\336\244"
+"\201\333\060\201\330\061\013\060\011\006\003\125\004\006\023\002"
+"\125\123\061\024\060\022\006\003\125\004\012\023\013\105\156\164"
+"\162\165\163\164\056\156\145\164\061\110\060\106\006\003\125\004"
+"\013\024\077\167\167\167\056\145\156\164\162\165\163\164\056\156"
+"\145\164\057\103\154\151\145\156\164\137\103\101\137\111\156\146"
+"\157\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171"
+"\040\162\145\146\056\040\154\151\155\151\164\163\040\154\151\141"
+"\142\056\061\045\060\043\006\003\125\004\013\023\034\050\143\051"
+"\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156\145"
+"\164\040\114\151\155\151\164\145\144\061\063\060\061\006\003\125"
+"\004\003\023\052\105\156\164\162\165\163\164\056\156\145\164\040"
+"\103\154\151\145\156\164\040\103\145\162\164\151\146\151\143\141"
+"\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061\015"
+"\060\013\006\003\125\004\003\023\004\103\122\114\061\060\054\240"
+"\052\240\050\206\046\150\164\164\160\072\057\057\167\167\167\056"
+"\145\156\164\162\165\163\164\056\156\145\164\057\103\122\114\057"
+"\103\154\151\145\156\164\061\056\143\162\154\060\053\006\003\125"
+"\035\020\004\044\060\042\200\017\061\071\071\071\061\060\061\062"
+"\061\071\062\064\063\060\132\201\017\062\060\061\071\061\060\061"
+"\062\061\071\062\064\063\060\132\060\013\006\003\125\035\017\004"
+"\004\003\002\001\006\060\037\006\003\125\035\043\004\030\060\026"
+"\200\024\304\373\234\051\173\227\315\114\226\374\356\133\263\312"
+"\231\164\213\225\352\114\060\035\006\003\125\035\016\004\026\004"
+"\024\304\373\234\051\173\227\315\114\226\374\356\133\263\312\231"
+"\164\213\225\352\114\060\014\006\003\125\035\023\004\005\060\003"
+"\001\001\377\060\031\006\011\052\206\110\206\366\175\007\101\000"
+"\004\014\060\012\033\004\126\064\056\060\003\002\004\220\060\015"
+"\006\011\052\206\110\206\367\015\001\001\004\005\000\003\201\201"
+"\000\077\256\212\361\327\146\003\005\236\076\372\352\034\106\273"
+"\244\133\217\170\232\022\110\231\371\364\065\336\014\066\007\002"
+"\153\020\072\211\024\201\234\061\246\174\262\101\262\152\347\007"
+"\001\241\113\371\237\045\073\226\312\231\303\076\241\121\034\363"
+"\303\056\104\367\260\147\106\252\222\345\073\332\034\031\024\070"
+"\060\325\342\242\061\045\056\361\354\105\070\355\370\006\130\003"
+"\163\142\260\020\061\217\100\277\144\340\134\076\305\117\037\332"
+"\022\103\377\114\346\006\046\250\233\031\252\104\074\166\262\134"
+"\354"
+, (PRUint32)1265 }
+};
+static const NSSItem nss_builtins_items_101 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Entrust.net Secure Personal CA", (PRUint32)31 },
+  { (void *)"\332\171\301\161\021\120\302\064\071\252\053\013\014\142\375\125"
+"\262\371\365\200"
+, (PRUint32)20 },
+  { (void *)"\014\101\057\023\133\240\124\365\226\146\055\176\315\016\003\364"
+, (PRUint32)16 },
+  { (void *)"\060\201\311\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165"
+"\163\164\056\156\145\164\061\110\060\106\006\003\125\004\013\024"
+"\077\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164"
+"\057\103\154\151\145\156\164\137\103\101\137\111\156\146\157\057"
+"\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040\162"
+"\145\146\056\040\154\151\155\151\164\163\040\154\151\141\142\056"
+"\061\045\060\043\006\003\125\004\013\023\034\050\143\051\040\061"
+"\071\071\071\040\105\156\164\162\165\163\164\056\156\145\164\040"
+"\114\151\155\151\164\145\144\061\063\060\061\006\003\125\004\003"
+"\023\052\105\156\164\162\165\163\164\056\156\145\164\040\103\154"
+"\151\145\156\164\040\103\145\162\164\151\146\151\143\141\164\151"
+"\157\156\040\101\165\164\150\157\162\151\164\171"
+, (PRUint32)204 },
+  { (void *)"\070\003\221\356"
+, (PRUint32)4 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_102 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Entrust.net Premium 2048 Secure Server CA", (PRUint32)42 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156"
+"\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125"
+"\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056"
+"\156\145\164\057\103\120\123\137\062\060\064\070\040\151\156\143"
+"\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151"
+"\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006"
+"\003\125\004\013\023\034\050\143\051\040\061\071\071\071\040\105"
+"\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164"
+"\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164"
+"\162\165\163\164\056\156\145\164\040\103\145\162\164\151\146\151"
+"\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171"
+"\040\050\062\060\064\070\051"
+, (PRUint32)183 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156"
+"\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125"
+"\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056"
+"\156\145\164\057\103\120\123\137\062\060\064\070\040\151\156\143"
+"\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151"
+"\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006"
+"\003\125\004\013\023\034\050\143\051\040\061\071\071\071\040\105"
+"\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164"
+"\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164"
+"\162\165\163\164\056\156\145\164\040\103\145\162\164\151\146\151"
+"\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171"
+"\040\050\062\060\064\070\051"
+, (PRUint32)183 },
+  { (void *)"\070\143\271\146"
+, (PRUint32)4 },
+  { (void *)"\060\202\004\134\060\202\003\104\240\003\002\001\002\002\004\070"
+"\143\271\146\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\060\201\264\061\024\060\022\006\003\125\004\012\023\013"
+"\105\156\164\162\165\163\164\056\156\145\164\061\100\060\076\006"
+"\003\125\004\013\024\067\167\167\167\056\145\156\164\162\165\163"
+"\164\056\156\145\164\057\103\120\123\137\062\060\064\070\040\151"
+"\156\143\157\162\160\056\040\142\171\040\162\145\146\056\040\050"
+"\154\151\155\151\164\163\040\154\151\141\142\056\051\061\045\060"
+"\043\006\003\125\004\013\023\034\050\143\051\040\061\071\071\071"
+"\040\105\156\164\162\165\163\164\056\156\145\164\040\114\151\155"
+"\151\164\145\144\061\063\060\061\006\003\125\004\003\023\052\105"
+"\156\164\162\165\163\164\056\156\145\164\040\103\145\162\164\151"
+"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
+"\164\171\040\050\062\060\064\070\051\060\036\027\015\071\071\061"
+"\062\062\064\061\067\065\060\065\061\132\027\015\061\071\061\062"
+"\062\064\061\070\062\060\065\061\132\060\201\264\061\024\060\022"
+"\006\003\125\004\012\023\013\105\156\164\162\165\163\164\056\156"
+"\145\164\061\100\060\076\006\003\125\004\013\024\067\167\167\167"
+"\056\145\156\164\162\165\163\164\056\156\145\164\057\103\120\123"
+"\137\062\060\064\070\040\151\156\143\157\162\160\056\040\142\171"
+"\040\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151"
+"\141\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050"
+"\143\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056"
+"\156\145\164\040\114\151\155\151\164\145\144\061\063\060\061\006"
+"\003\125\004\003\023\052\105\156\164\162\165\163\164\056\156\145"
+"\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
+"\101\165\164\150\157\162\151\164\171\040\050\062\060\064\070\051"
+"\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001"
+"\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001"
+"\000\255\115\113\251\022\206\262\352\243\040\007\025\026\144\052"
+"\053\113\321\277\013\112\115\216\355\200\166\245\147\267\170\100"
+"\300\163\102\310\150\300\333\123\053\335\136\270\166\230\065\223"
+"\213\032\235\174\023\072\016\037\133\267\036\317\345\044\024\036"
+"\261\201\251\215\175\270\314\153\113\003\361\002\014\334\253\245"
+"\100\044\000\177\164\224\241\235\010\051\263\210\013\365\207\167"
+"\235\125\315\344\303\176\327\152\144\253\205\024\206\225\133\227"
+"\062\120\157\075\310\272\146\014\343\374\275\270\111\301\166\211"
+"\111\031\375\300\250\275\211\243\147\057\306\237\274\161\031\140"
+"\270\055\351\054\311\220\166\146\173\224\342\257\170\326\145\123"
+"\135\074\326\234\262\317\051\003\371\057\244\120\262\324\110\316"
+"\005\062\125\212\375\262\144\114\016\344\230\007\165\333\177\337"
+"\271\010\125\140\205\060\051\371\173\110\244\151\206\343\065\077"
+"\036\206\135\172\172\025\275\357\000\216\025\042\124\027\000\220"
+"\046\223\274\016\111\150\221\277\370\107\323\235\225\102\301\016"
+"\115\337\157\046\317\303\030\041\142\146\103\160\326\325\300\007"
+"\341\002\003\001\000\001\243\164\060\162\060\021\006\011\140\206"
+"\110\001\206\370\102\001\001\004\004\003\002\000\007\060\037\006"
+"\003\125\035\043\004\030\060\026\200\024\125\344\201\321\021\200"
+"\276\330\211\271\010\243\061\371\241\044\011\026\271\160\060\035"
+"\006\003\125\035\016\004\026\004\024\125\344\201\321\021\200\276"
+"\330\211\271\010\243\061\371\241\044\011\026\271\160\060\035\006"
+"\011\052\206\110\206\366\175\007\101\000\004\020\060\016\033\010"
+"\126\065\056\060\072\064\056\060\003\002\004\220\060\015\006\011"
+"\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001\000"
+"\131\107\254\041\204\212\027\311\234\211\123\036\272\200\205\032"
+"\306\074\116\076\261\234\266\174\306\222\135\030\144\002\343\323"
+"\006\010\021\141\174\143\343\053\235\061\003\160\166\322\243\050"
+"\240\364\273\232\143\163\355\155\345\052\333\355\024\251\053\306"
+"\066\021\320\053\353\007\213\245\332\236\134\031\235\126\022\365"
+"\124\051\310\005\355\262\022\052\215\364\003\033\377\347\222\020"
+"\207\260\072\265\303\235\005\067\022\243\307\364\025\271\325\244"
+"\071\026\233\123\072\043\221\361\250\202\242\152\210\150\301\171"
+"\002\042\274\252\246\326\256\337\260\024\137\270\207\320\335\174"
+"\177\173\377\257\034\317\346\333\007\255\136\333\205\235\320\053"
+"\015\063\333\004\321\346\111\100\023\053\166\373\076\351\234\211"
+"\017\025\316\030\260\205\170\041\117\153\117\016\372\066\147\315"
+"\007\362\377\010\320\342\336\331\277\052\257\270\207\206\041\074"
+"\004\312\267\224\150\177\317\074\351\230\327\070\377\354\300\331"
+"\120\360\056\113\130\256\106\157\320\056\303\140\332\162\125\162"
+"\275\114\105\236\141\272\277\204\201\222\003\321\322\151\174\305"
+, (PRUint32)1120 }
+};
+static const NSSItem nss_builtins_items_103 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Entrust.net Premium 2048 Secure Server CA", (PRUint32)42 },
+  { (void *)"\200\035\142\320\173\104\235\134\134\003\134\230\352\141\372\104"
+"\074\052\130\376"
+, (PRUint32)20 },
+  { (void *)"\272\041\352\040\326\335\333\217\301\127\213\100\255\241\374\374"
+, (PRUint32)16 },
+  { (void *)"\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156"
+"\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125"
+"\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056"
+"\156\145\164\057\103\120\123\137\062\060\064\070\040\151\156\143"
+"\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151"
+"\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006"
+"\003\125\004\013\023\034\050\143\051\040\061\071\071\071\040\105"
+"\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164"
+"\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164"
+"\162\165\163\164\056\156\145\164\040\103\145\162\164\151\146\151"
+"\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171"
+"\040\050\062\060\064\070\051"
+, (PRUint32)183 },
+  { (void *)"\070\143\271\146"
+, (PRUint32)4 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_104 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"ValiCert OCSP Responder", (PRUint32)24 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\262\061\044\060\042\006\003\125\004\007\023\033\126\141"
+"\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157"
+"\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125"
+"\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156"
+"\143\056\061\054\060\052\006\003\125\004\013\023\043\103\154\141"
+"\163\163\040\061\040\126\141\154\151\144\141\164\151\157\156\040"
+"\101\165\164\150\157\162\151\164\171\040\055\040\117\103\123\120"
+"\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160\072"
+"\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056\156"
+"\145\164\057\061\040\060\036\006\011\052\206\110\206\367\015\001"
+"\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145\162"
+"\164\056\143\157\155"
+, (PRUint32)181 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\262\061\044\060\042\006\003\125\004\007\023\033\126\141"
+"\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157"
+"\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125"
+"\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156"
+"\143\056\061\054\060\052\006\003\125\004\013\023\043\103\154\141"
+"\163\163\040\061\040\126\141\154\151\144\141\164\151\157\156\040"
+"\101\165\164\150\157\162\151\164\171\040\055\040\117\103\123\120"
+"\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160\072"
+"\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056\156"
+"\145\164\057\061\040\060\036\006\011\052\206\110\206\367\015\001"
+"\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145\162"
+"\164\056\143\157\155"
+, (PRUint32)181 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)"\060\202\003\110\060\202\002\261\240\003\002\001\002\002\001\001"
+"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
+"\201\262\061\044\060\042\006\003\125\004\007\023\033\126\141\154"
+"\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157\156"
+"\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125\004"
+"\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156\143"
+"\056\061\054\060\052\006\003\125\004\013\023\043\103\154\141\163"
+"\163\040\061\040\126\141\154\151\144\141\164\151\157\156\040\101"
+"\165\164\150\157\162\151\164\171\040\055\040\117\103\123\120\061"
+"\041\060\037\006\003\125\004\003\023\030\150\164\164\160\072\057"
+"\057\167\167\167\056\166\141\154\151\143\145\162\164\056\156\145"
+"\164\057\061\040\060\036\006\011\052\206\110\206\367\015\001\011"
+"\001\026\021\151\156\146\157\100\166\141\154\151\143\145\162\164"
+"\056\143\157\155\060\036\027\015\060\060\060\062\061\062\061\061"
+"\065\060\060\065\132\027\015\060\065\060\062\061\060\061\061\065"
+"\060\060\065\132\060\201\262\061\044\060\042\006\003\125\004\007"
+"\023\033\126\141\154\151\103\145\162\164\040\126\141\154\151\144"
+"\141\164\151\157\156\040\116\145\164\167\157\162\153\061\027\060"
+"\025\006\003\125\004\012\023\016\126\141\154\151\103\145\162\164"
+"\054\040\111\156\143\056\061\054\060\052\006\003\125\004\013\023"
+"\043\103\154\141\163\163\040\061\040\126\141\154\151\144\141\164"
+"\151\157\156\040\101\165\164\150\157\162\151\164\171\040\055\040"
+"\117\103\123\120\061\041\060\037\006\003\125\004\003\023\030\150"
+"\164\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145"
+"\162\164\056\156\145\164\057\061\040\060\036\006\011\052\206\110"
+"\206\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154"
+"\151\143\145\162\164\056\143\157\155\060\201\237\060\015\006\011"
+"\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060"
+"\201\211\002\201\201\000\307\214\057\247\303\100\207\073\075\327"
+"\304\232\130\024\144\012\303\010\071\142\032\317\322\353\251\361"
+"\151\164\212\312\016\132\166\314\242\122\116\320\363\304\172\265"
+"\370\246\034\273\243\247\244\123\207\133\215\300\000\273\325\146"
+"\044\347\164\306\026\310\257\310\003\142\325\062\207\242\122\221"
+"\104\224\225\250\107\103\155\245\110\234\366\114\165\325\117\142"
+"\347\311\377\173\364\044\214\247\274\050\166\265\062\240\045\163"
+"\267\107\057\170\370\106\371\207\024\360\167\374\012\167\350\117"
+"\375\214\037\372\142\331\002\003\001\000\001\243\154\060\152\060"
+"\017\006\011\053\006\001\005\005\007\060\001\005\004\002\005\000"
+"\060\023\006\003\125\035\045\004\014\060\012\006\010\053\006\001"
+"\005\005\007\003\011\060\013\006\003\125\035\017\004\004\003\002"
+"\001\206\060\065\006\010\053\006\001\005\005\007\001\001\004\051"
+"\060\047\060\045\006\010\053\006\001\005\005\007\060\001\206\031"
+"\150\164\164\160\072\057\057\157\143\163\160\062\056\166\141\154"
+"\151\143\145\162\164\056\156\145\164\060\015\006\011\052\206\110"
+"\206\367\015\001\001\005\005\000\003\201\201\000\025\305\340\270"
+"\064\162\022\006\040\250\142\225\223\321\274\223\272\220\253\334"
+"\116\215\216\215\230\114\343\062\365\053\077\263\227\373\252\242"
+"\255\100\227\255\150\275\134\255\123\016\320\246\263\015\254\032"
+"\231\215\252\060\036\317\016\160\377\002\260\167\145\203\315\332"
+"\007\134\122\315\131\273\242\310\342\264\026\203\217\324\225\171"
+"\223\055\350\277\104\223\061\222\060\323\064\064\361\020\373\041"
+"\254\056\364\303\135\144\143\172\231\341\232\253\102\035\110\146"
+"\246\167\067\270\125\074\255\376\145\260\142\351"
+, (PRUint32)844 }
+};
+static const NSSItem nss_builtins_items_105 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"ValiCert OCSP Responder", (PRUint32)24 },
+  { (void *)"\133\166\261\274\342\212\360\366\161\221\205\147\046\215\021\151"
+"\017\027\077\163"
+, (PRUint32)20 },
+  { (void *)"\325\036\040\137\321\365\035\202\127\010\122\071\035\372\212\255"
+, (PRUint32)16 },
+  { (void *)"\060\201\262\061\044\060\042\006\003\125\004\007\023\033\126\141"
+"\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157"
+"\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125"
+"\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156"
+"\143\056\061\054\060\052\006\003\125\004\013\023\043\103\154\141"
+"\163\163\040\061\040\126\141\154\151\144\141\164\151\157\156\040"
+"\101\165\164\150\157\162\151\164\171\040\055\040\117\103\123\120"
+"\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160\072"
+"\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056\156"
+"\145\164\057\061\040\060\036\006\011\052\206\110\206\367\015\001"
+"\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145\162"
+"\164\056\143\157\155"
+, (PRUint32)181 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_106 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Baltimore CyberTrust Code Signing Root", (PRUint32)39 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\147\061\013\060\011\006\003\125\004\006\023\002\111\105\061"
+"\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155"
+"\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171"
+"\142\145\162\124\162\165\163\164\061\057\060\055\006\003\125\004"
+"\003\023\046\102\141\154\164\151\155\157\162\145\040\103\171\142"
+"\145\162\124\162\165\163\164\040\103\157\144\145\040\123\151\147"
+"\156\151\156\147\040\122\157\157\164"
+, (PRUint32)105 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\147\061\013\060\011\006\003\125\004\006\023\002\111\105\061"
+"\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155"
+"\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171"
+"\142\145\162\124\162\165\163\164\061\057\060\055\006\003\125\004"
+"\003\023\046\102\141\154\164\151\155\157\162\145\040\103\171\142"
+"\145\162\124\162\165\163\164\040\103\157\144\145\040\123\151\147"
+"\156\151\156\147\040\122\157\157\164"
+, (PRUint32)105 },
+  { (void *)"\002\000\000\277"
+, (PRUint32)4 },
+  { (void *)"\060\202\003\246\060\202\002\216\240\003\002\001\002\002\004\002"
+"\000\000\277\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\060\147\061\013\060\011\006\003\125\004\006\023\002\111"
+"\105\061\022\060\020\006\003\125\004\012\023\011\102\141\154\164"
+"\151\155\157\162\145\061\023\060\021\006\003\125\004\013\023\012"
+"\103\171\142\145\162\124\162\165\163\164\061\057\060\055\006\003"
+"\125\004\003\023\046\102\141\154\164\151\155\157\162\145\040\103"
+"\171\142\145\162\124\162\165\163\164\040\103\157\144\145\040\123"
+"\151\147\156\151\156\147\040\122\157\157\164\060\036\027\015\060"
+"\060\060\065\061\067\061\064\060\061\060\060\132\027\015\062\065"
+"\060\065\061\067\062\063\065\071\060\060\132\060\147\061\013\060"
+"\011\006\003\125\004\006\023\002\111\105\061\022\060\020\006\003"
+"\125\004\012\023\011\102\141\154\164\151\155\157\162\145\061\023"
+"\060\021\006\003\125\004\013\023\012\103\171\142\145\162\124\162"
+"\165\163\164\061\057\060\055\006\003\125\004\003\023\046\102\141"
+"\154\164\151\155\157\162\145\040\103\171\142\145\162\124\162\165"
+"\163\164\040\103\157\144\145\040\123\151\147\156\151\156\147\040"
+"\122\157\157\164\060\202\001\042\060\015\006\011\052\206\110\206"
+"\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012"
+"\002\202\001\001\000\310\161\232\030\022\216\172\333\371\232\374"
+"\101\257\330\362\364\011\216\255\077\376\147\067\074\332\311\046"
+"\120\261\261\076\313\350\116\163\000\362\262\334\363\305\106\373"
+"\011\357\030\226\316\247\340\234\204\135\040\016\172\240\252\066"
+"\213\372\050\266\170\056\263\354\350\107\363\004\360\220\043\264"
+"\352\257\345\123\270\005\367\107\135\053\206\361\247\244\306\073"
+"\065\266\322\015\122\101\327\364\222\165\341\242\012\120\126\207"
+"\276\227\013\173\063\205\020\271\050\030\356\063\352\110\021\327"
+"\133\221\107\166\042\324\356\317\135\347\250\116\034\235\226\221"
+"\335\234\275\164\011\250\162\141\252\260\041\072\361\075\054\003"
+"\126\011\322\301\334\303\265\307\124\067\253\346\046\242\262\106"
+"\161\163\312\021\210\356\274\347\144\367\320\021\032\163\100\132"
+"\310\111\054\017\267\357\220\177\150\200\004\070\013\033\017\073"
+"\324\365\240\263\302\216\341\064\264\200\231\155\236\166\324\222"
+"\051\100\261\225\322\067\244\147\022\177\340\142\273\256\065\305"
+"\231\066\202\104\270\346\170\030\063\141\161\223\133\055\215\237"
+"\170\225\202\353\155\002\003\001\000\001\243\132\060\130\060\023"
+"\006\003\125\035\045\004\014\060\012\006\010\053\006\001\005\005"
+"\007\003\003\060\035\006\003\125\035\016\004\026\004\024\310\101"
+"\064\134\025\025\004\345\100\362\321\253\232\157\044\222\172\207"
+"\102\132\060\022\006\003\125\035\023\001\001\377\004\010\060\006"
+"\001\001\377\002\001\003\060\016\006\003\125\035\017\001\001\377"
+"\004\004\003\002\001\006\060\015\006\011\052\206\110\206\367\015"
+"\001\001\005\005\000\003\202\001\001\000\122\164\252\225\113\042"
+"\214\307\075\226\244\376\135\372\057\265\274\353\360\013\351\126"
+"\070\035\321\155\015\241\274\150\213\360\305\200\245\044\064\375"
+"\362\226\030\021\206\241\066\365\067\347\124\100\325\144\037\303"
+"\137\160\102\153\055\071\307\236\122\005\316\347\152\162\322\215"
+"\162\077\107\120\203\253\307\215\045\311\260\343\247\123\026\225"
+"\246\152\123\352\030\235\217\170\251\167\167\032\371\264\227\107"
+"\131\210\047\050\265\312\341\056\327\076\016\242\015\270\042\104"
+"\003\343\321\143\260\101\072\241\365\244\055\367\166\036\004\124"
+"\231\170\062\100\327\053\174\115\272\246\234\260\171\156\007\276"
+"\214\354\356\327\070\151\133\301\014\126\150\237\376\353\321\341"
+"\310\210\371\362\315\177\276\205\264\104\147\000\120\076\364\046"
+"\003\144\352\167\175\350\136\076\034\067\107\310\326\352\244\363"
+"\066\074\227\302\071\162\005\224\031\045\303\327\067\101\017\301"
+"\037\207\212\375\252\276\351\261\144\127\344\333\222\241\317\341"
+"\111\350\073\037\221\023\132\303\217\331\045\130\111\200\107\017"
+"\306\003\256\254\343\277\267\300\252\052"
+, (PRUint32)938 }
+};
+static const NSSItem nss_builtins_items_107 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Baltimore CyberTrust Code Signing Root", (PRUint32)39 },
+  { (void *)"\060\106\330\310\210\377\151\060\303\112\374\315\111\047\010\174"
+"\140\126\173\015"
+, (PRUint32)20 },
+  { (void *)"\220\365\050\111\126\321\135\054\260\123\324\113\357\157\220\042"
+, (PRUint32)16 },
+  { (void *)"\060\147\061\013\060\011\006\003\125\004\006\023\002\111\105\061"
+"\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155"
+"\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171"
+"\142\145\162\124\162\165\163\164\061\057\060\055\006\003\125\004"
+"\003\023\046\102\141\154\164\151\155\157\162\145\040\103\171\142"
+"\145\162\124\162\165\163\164\040\103\157\144\145\040\123\151\147"
+"\156\151\156\147\040\122\157\157\164"
+, (PRUint32)105 },
+  { (void *)"\002\000\000\277"
+, (PRUint32)4 },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_108 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Baltimore CyberTrust Root", (PRUint32)26 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\111\105\061"
+"\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155"
+"\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171"
+"\142\145\162\124\162\165\163\164\061\042\060\040\006\003\125\004"
+"\003\023\031\102\141\154\164\151\155\157\162\145\040\103\171\142"
+"\145\162\124\162\165\163\164\040\122\157\157\164"
+, (PRUint32)92 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\111\105\061"
+"\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155"
+"\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171"
+"\142\145\162\124\162\165\163\164\061\042\060\040\006\003\125\004"
+"\003\023\031\102\141\154\164\151\155\157\162\145\040\103\171\142"
+"\145\162\124\162\165\163\164\040\122\157\157\164"
+, (PRUint32)92 },
+  { (void *)"\002\000\000\271"
+, (PRUint32)4 },
+  { (void *)"\060\202\003\167\060\202\002\137\240\003\002\001\002\002\004\002"
+"\000\000\271\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\111"
+"\105\061\022\060\020\006\003\125\004\012\023\011\102\141\154\164"
+"\151\155\157\162\145\061\023\060\021\006\003\125\004\013\023\012"
+"\103\171\142\145\162\124\162\165\163\164\061\042\060\040\006\003"
+"\125\004\003\023\031\102\141\154\164\151\155\157\162\145\040\103"
+"\171\142\145\162\124\162\165\163\164\040\122\157\157\164\060\036"
+"\027\015\060\060\060\065\061\062\061\070\064\066\060\060\132\027"
+"\015\062\065\060\065\061\062\062\063\065\071\060\060\132\060\132"
+"\061\013\060\011\006\003\125\004\006\023\002\111\105\061\022\060"
+"\020\006\003\125\004\012\023\011\102\141\154\164\151\155\157\162"
+"\145\061\023\060\021\006\003\125\004\013\023\012\103\171\142\145"
+"\162\124\162\165\163\164\061\042\060\040\006\003\125\004\003\023"
+"\031\102\141\154\164\151\155\157\162\145\040\103\171\142\145\162"
+"\124\162\165\163\164\040\122\157\157\164\060\202\001\042\060\015"
+"\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001"
+"\017\000\060\202\001\012\002\202\001\001\000\243\004\273\042\253"
+"\230\075\127\350\046\162\232\265\171\324\051\342\341\350\225\200"
+"\261\260\343\133\216\053\051\232\144\337\241\135\355\260\011\005"
+"\155\333\050\056\316\142\242\142\376\264\210\332\022\353\070\353"
+"\041\235\300\101\053\001\122\173\210\167\323\034\217\307\272\271"
+"\210\265\152\011\347\163\350\021\100\247\321\314\312\142\215\055"
+"\345\217\013\246\120\322\250\120\303\050\352\365\253\045\207\212"
+"\232\226\034\251\147\270\077\014\325\367\371\122\023\057\302\033"
+"\325\160\160\360\217\300\022\312\006\313\232\341\331\312\063\172"
+"\167\326\370\354\271\361\150\104\102\110\023\322\300\302\244\256"
+"\136\140\376\266\246\005\374\264\335\007\131\002\324\131\030\230"
+"\143\365\245\143\340\220\014\175\135\262\006\172\363\205\352\353"
+"\324\003\256\136\204\076\137\377\025\355\151\274\371\071\066\162"
+"\165\317\167\122\115\363\311\220\054\271\075\345\311\043\123\077"
+"\037\044\230\041\134\007\231\051\275\306\072\354\347\156\206\072"
+"\153\227\164\143\063\275\150\030\061\360\170\215\166\277\374\236"
+"\216\135\052\206\247\115\220\334\047\032\071\002\003\001\000\001"
+"\243\105\060\103\060\035\006\003\125\035\016\004\026\004\024\345"
+"\235\131\060\202\107\130\314\254\372\010\124\066\206\173\072\265"
+"\004\115\360\060\022\006\003\125\035\023\001\001\377\004\010\060"
+"\006\001\001\377\002\001\003\060\016\006\003\125\035\017\001\001"
+"\377\004\004\003\002\001\006\060\015\006\011\052\206\110\206\367"
+"\015\001\001\005\005\000\003\202\001\001\000\205\014\135\216\344"
+"\157\121\150\102\005\240\335\273\117\047\045\204\003\275\367\144"
+"\375\055\327\060\343\244\020\027\353\332\051\051\266\171\077\166"
+"\366\031\023\043\270\020\012\371\130\244\324\141\160\275\004\141"
+"\152\022\212\027\325\012\275\305\274\060\174\326\351\014\045\215"
+"\206\100\117\354\314\243\176\070\306\067\021\117\355\335\150\061"
+"\216\114\322\263\001\164\356\276\165\136\007\110\032\177\160\377"
+"\026\134\204\300\171\205\270\005\375\177\276\145\021\243\017\300"
+"\002\264\370\122\067\071\004\325\251\061\172\030\277\240\052\364"
+"\022\231\367\243\105\202\343\074\136\365\235\236\265\310\236\174"
+"\056\310\244\236\116\010\024\113\155\375\160\155\153\032\143\275"
+"\144\346\037\267\316\360\362\237\056\273\033\267\362\120\210\163"
+"\222\302\342\343\026\215\232\062\002\253\216\030\335\351\020\021"
+"\356\176\065\253\220\257\076\060\224\172\320\063\075\247\145\017"
+"\365\374\216\236\142\317\107\104\054\001\135\273\035\265\062\322"
+"\107\322\070\056\320\376\201\334\062\152\036\265\356\074\325\374"
+"\347\201\035\031\303\044\102\352\143\071\251"
+, (PRUint32)891 }
+};
+static const NSSItem nss_builtins_items_109 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Baltimore CyberTrust Root", (PRUint32)26 },
+  { (void *)"\324\336\040\320\136\146\374\123\376\032\120\210\054\170\333\050"
+"\122\312\344\164"
+, (PRUint32)20 },
+  { (void *)"\254\266\224\245\234\027\340\327\221\122\233\261\227\006\246\344"
+, (PRUint32)16 },
+  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\111\105\061"
+"\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155"
+"\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171"
+"\142\145\162\124\162\165\163\164\061\042\060\040\006\003\125\004"
+"\003\023\031\102\141\154\164\151\155\157\162\145\040\103\171\142"
+"\145\162\124\162\165\163\164\040\122\157\157\164"
+, (PRUint32)92 },
+  { (void *)"\002\000\000\271"
+, (PRUint32)4 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_110 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Baltimore CyberTrust Mobile Commerce Root", (PRUint32)42 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\141\061\013\060\011\006\003\125\004\006\023\002\111\105\061"
+"\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155"
+"\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171"
+"\142\145\162\124\162\165\163\164\061\051\060\047\006\003\125\004"
+"\003\023\040\102\141\154\164\151\155\157\162\145\040\103\171\142"
+"\145\162\124\162\165\163\164\040\115\157\142\151\154\145\040\122"
+"\157\157\164"
+, (PRUint32)99 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\141\061\013\060\011\006\003\125\004\006\023\002\111\105\061"
+"\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155"
+"\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171"
+"\142\145\162\124\162\165\163\164\061\051\060\047\006\003\125\004"
+"\003\023\040\102\141\154\164\151\155\157\162\145\040\103\171\142"
+"\145\162\124\162\165\163\164\040\115\157\142\151\154\145\040\122"
+"\157\157\164"
+, (PRUint32)99 },
+  { (void *)"\002\000\000\270"
+, (PRUint32)4 },
+  { (void *)"\060\202\002\175\060\202\001\346\240\003\002\001\002\002\004\002"
+"\000\000\270\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\060\141\061\013\060\011\006\003\125\004\006\023\002\111"
+"\105\061\022\060\020\006\003\125\004\012\023\011\102\141\154\164"
+"\151\155\157\162\145\061\023\060\021\006\003\125\004\013\023\012"
+"\103\171\142\145\162\124\162\165\163\164\061\051\060\047\006\003"
+"\125\004\003\023\040\102\141\154\164\151\155\157\162\145\040\103"
+"\171\142\145\162\124\162\165\163\164\040\115\157\142\151\154\145"
+"\040\122\157\157\164\060\036\027\015\060\060\060\065\061\062\061"
+"\070\062\060\060\060\132\027\015\062\060\060\065\061\062\062\063"
+"\065\071\060\060\132\060\141\061\013\060\011\006\003\125\004\006"
+"\023\002\111\105\061\022\060\020\006\003\125\004\012\023\011\102"
+"\141\154\164\151\155\157\162\145\061\023\060\021\006\003\125\004"
+"\013\023\012\103\171\142\145\162\124\162\165\163\164\061\051\060"
+"\047\006\003\125\004\003\023\040\102\141\154\164\151\155\157\162"
+"\145\040\103\171\142\145\162\124\162\165\163\164\040\115\157\142"
+"\151\154\145\040\122\157\157\164\060\201\237\060\015\006\011\052"
+"\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060\201"
+"\211\002\201\201\000\243\155\261\070\126\254\374\265\126\041\336"
+"\300\220\135\046\107\202\306\175\217\037\240\205\217\057\273\324"
+"\341\034\035\362\044\037\050\260\057\271\244\245\157\242\042\040"
+"\144\376\204\107\074\176\053\154\151\152\270\324\300\226\216\214"
+"\122\015\315\157\101\324\277\004\256\247\201\057\055\230\110\322"
+"\301\224\243\265\031\135\135\121\144\364\216\101\260\233\300\055"
+"\042\240\136\306\330\132\022\143\274\021\112\136\046\022\035\342"
+"\046\005\346\017\137\042\037\172\137\166\224\256\317\132\050\016"
+"\253\105\332\042\061\002\003\001\000\001\243\102\060\100\060\035"
+"\006\003\125\035\016\004\026\004\024\311\342\217\300\002\046\132"
+"\266\300\007\343\177\224\007\030\333\056\245\232\160\060\017\006"
+"\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\016"
+"\006\003\125\035\017\001\001\377\004\004\003\002\001\206\060\015"
+"\006\011\052\206\110\206\367\015\001\001\005\005\000\003\201\201"
+"\000\123\010\013\046\011\170\102\163\324\354\172\167\107\015\343"
+"\013\063\161\357\256\063\024\115\373\372\375\032\267\121\365\344"
+"\231\034\006\161\327\051\031\327\346\025\040\121\121\106\155\117"
+"\336\030\111\230\320\370\170\273\161\350\215\001\006\325\327\144"
+"\217\224\337\107\376\240\205\151\066\251\057\102\172\150\112\022"
+"\326\213\013\160\104\012\244\004\357\046\210\301\065\161\070\135"
+"\033\133\110\102\360\347\224\034\160\225\064\250\253\365\253\342"
+"\170\255\365\360\122\375\233\352\102\014\350\330\124\276\123\146"
+"\365"
+, (PRUint32)641 }
+};
+static const NSSItem nss_builtins_items_111 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Baltimore CyberTrust Mobile Commerce Root", (PRUint32)42 },
+  { (void *)"\264\343\013\234\301\325\356\275\240\040\030\370\271\212\321\377"
+"\151\267\072\161"
+, (PRUint32)20 },
+  { (void *)"\353\264\040\035\017\266\161\003\367\304\367\307\244\162\206\350"
+, (PRUint32)16 },
+  { (void *)"\060\141\061\013\060\011\006\003\125\004\006\023\002\111\105\061"
+"\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155"
+"\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171"
+"\142\145\162\124\162\165\163\164\061\051\060\047\006\003\125\004"
+"\003\023\040\102\141\154\164\151\155\157\162\145\040\103\171\142"
+"\145\162\124\162\165\163\164\040\115\157\142\151\154\145\040\122"
+"\157\157\164"
+, (PRUint32)99 },
+  { (void *)"\002\000\000\270"
+, (PRUint32)4 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_112 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Equifax Secure Global eBusiness CA", (PRUint32)35 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141"
+"\170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060"
+"\053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040"
+"\123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102"
+"\165\163\151\156\145\163\163\040\103\101\055\061"
+, (PRUint32)92 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141"
+"\170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060"
+"\053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040"
+"\123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102"
+"\165\163\151\156\145\163\163\040\103\101\055\061"
+, (PRUint32)92 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)"\060\202\002\220\060\202\001\371\240\003\002\001\002\002\001\001"
+"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
+"\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061\034"
+"\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141\170"
+"\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060\053"
+"\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040\123"
+"\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102\165"
+"\163\151\156\145\163\163\040\103\101\055\061\060\036\027\015\071"
+"\071\060\066\062\061\060\064\060\060\060\060\132\027\015\062\060"
+"\060\066\062\061\060\064\060\060\060\060\132\060\132\061\013\060"
+"\011\006\003\125\004\006\023\002\125\123\061\034\060\032\006\003"
+"\125\004\012\023\023\105\161\165\151\146\141\170\040\123\145\143"
+"\165\162\145\040\111\156\143\056\061\055\060\053\006\003\125\004"
+"\003\023\044\105\161\165\151\146\141\170\040\123\145\143\165\162"
+"\145\040\107\154\157\142\141\154\040\145\102\165\163\151\156\145"
+"\163\163\040\103\101\055\061\060\201\237\060\015\006\011\052\206"
+"\110\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211"
+"\002\201\201\000\272\347\027\220\002\145\261\064\125\074\111\302"
+"\121\325\337\247\321\067\217\321\347\201\163\101\122\140\233\235"
+"\241\027\046\170\255\307\261\350\046\224\062\265\336\063\215\072"
+"\057\333\362\232\172\132\163\230\243\134\351\373\212\163\033\134"
+"\347\303\277\200\154\315\251\364\326\053\300\367\371\231\252\143"
+"\242\261\107\002\017\324\344\121\072\022\074\154\212\132\124\204"
+"\160\333\301\305\220\317\162\105\313\250\131\300\315\063\235\077"
+"\243\226\353\205\063\041\034\076\036\076\140\156\166\234\147\205"
+"\305\310\303\141\002\003\001\000\001\243\146\060\144\060\021\006"
+"\011\140\206\110\001\206\370\102\001\001\004\004\003\002\000\007"
+"\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001"
+"\377\060\037\006\003\125\035\043\004\030\060\026\200\024\276\250"
+"\240\164\162\120\153\104\267\311\043\330\373\250\377\263\127\153"
+"\150\154\060\035\006\003\125\035\016\004\026\004\024\276\250\240"
+"\164\162\120\153\104\267\311\043\330\373\250\377\263\127\153\150"
+"\154\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000"
+"\003\201\201\000\060\342\001\121\252\307\352\137\332\271\320\145"
+"\017\060\326\076\332\015\024\111\156\221\223\047\024\061\357\304"
+"\367\055\105\370\354\307\277\242\101\015\043\264\222\371\031\000"
+"\147\275\001\257\315\340\161\374\132\317\144\304\340\226\230\320"
+"\243\100\342\001\212\357\047\007\361\145\001\212\104\055\006\145"
+"\165\122\300\206\020\040\041\137\154\153\017\154\256\011\034\257"
+"\362\242\030\064\304\165\244\163\034\361\215\334\357\255\371\263"
+"\166\264\222\277\334\225\020\036\276\313\310\073\132\204\140\031"
+"\126\224\251\125"
+, (PRUint32)660 }
+};
+static const NSSItem nss_builtins_items_113 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Equifax Secure Global eBusiness CA", (PRUint32)35 },
+  { (void *)"\176\170\112\020\034\202\145\314\055\341\361\155\107\264\100\312"
+"\331\012\031\105"
+, (PRUint32)20 },
+  { (void *)"\217\135\167\006\047\304\230\074\133\223\170\347\327\175\233\314"
+, (PRUint32)16 },
+  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141"
+"\170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060"
+"\053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040"
+"\123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102"
+"\165\163\151\156\145\163\163\040\103\101\055\061"
+, (PRUint32)92 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_114 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Equifax Secure eBusiness CA 1", (PRUint32)30 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\123\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141"
+"\170\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060"
+"\044\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040"
+"\123\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163"
+"\040\103\101\055\061"
+, (PRUint32)85 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\123\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141"
+"\170\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060"
+"\044\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040"
+"\123\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163"
+"\040\103\101\055\061"
+, (PRUint32)85 },
+  { (void *)"\004"
+, (PRUint32)1 },
+  { (void *)"\060\202\002\202\060\202\001\353\240\003\002\001\002\002\001\004"
+"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
+"\123\061\013\060\011\006\003\125\004\006\023\002\125\123\061\034"
+"\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141\170"
+"\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060\044"
+"\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040\123"
+"\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163\040"
+"\103\101\055\061\060\036\027\015\071\071\060\066\062\061\060\064"
+"\060\060\060\060\132\027\015\062\060\060\066\062\061\060\064\060"
+"\060\060\060\132\060\123\061\013\060\011\006\003\125\004\006\023"
+"\002\125\123\061\034\060\032\006\003\125\004\012\023\023\105\161"
+"\165\151\146\141\170\040\123\145\143\165\162\145\040\111\156\143"
+"\056\061\046\060\044\006\003\125\004\003\023\035\105\161\165\151"
+"\146\141\170\040\123\145\143\165\162\145\040\145\102\165\163\151"
+"\156\145\163\163\040\103\101\055\061\060\201\237\060\015\006\011"
+"\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060"
+"\201\211\002\201\201\000\316\057\031\274\027\267\167\336\223\251"
+"\137\132\015\027\117\064\032\014\230\364\042\331\131\324\304\150"
+"\106\360\264\065\305\205\003\040\306\257\105\245\041\121\105\101"
+"\353\026\130\066\062\157\342\120\142\144\371\375\121\234\252\044"
+"\331\364\235\203\052\207\012\041\323\022\070\064\154\215\000\156"
+"\132\240\331\102\356\032\041\225\371\122\114\125\132\305\017\070"
+"\117\106\372\155\370\056\065\326\035\174\353\342\360\260\165\200"
+"\310\251\023\254\276\210\357\072\156\253\137\052\070\142\002\260"
+"\022\173\376\217\246\003\002\003\001\000\001\243\146\060\144\060"
+"\021\006\011\140\206\110\001\206\370\102\001\001\004\004\003\002"
+"\000\007\060\017\006\003\125\035\023\001\001\377\004\005\060\003"
+"\001\001\377\060\037\006\003\125\035\043\004\030\060\026\200\024"
+"\112\170\062\122\021\333\131\026\066\136\337\301\024\066\100\152"
+"\107\174\114\241\060\035\006\003\125\035\016\004\026\004\024\112"
+"\170\062\122\021\333\131\026\066\136\337\301\024\066\100\152\107"
+"\174\114\241\060\015\006\011\052\206\110\206\367\015\001\001\004"
+"\005\000\003\201\201\000\165\133\250\233\003\021\346\351\126\114"
+"\315\371\251\114\300\015\232\363\314\145\151\346\045\166\314\131"
+"\267\326\124\303\035\315\231\254\031\335\264\205\325\340\075\374"
+"\142\040\247\204\113\130\145\361\342\371\225\041\077\365\324\176"
+"\130\036\107\207\124\076\130\241\265\265\370\052\357\161\347\274"
+"\303\366\261\111\106\342\327\240\153\345\126\172\232\047\230\174"
+"\106\142\024\347\311\374\156\003\022\171\200\070\035\110\202\215"
+"\374\027\376\052\226\053\265\142\246\246\075\275\177\222\131\315"
+"\132\052\202\262\067\171"
+, (PRUint32)646 }
+};
+static const NSSItem nss_builtins_items_115 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Equifax Secure eBusiness CA 1", (PRUint32)30 },
+  { (void *)"\332\100\030\213\221\211\243\355\356\256\332\227\376\057\235\365"
+"\267\321\212\101"
+, (PRUint32)20 },
+  { (void *)"\144\234\357\056\104\374\306\217\122\007\320\121\163\217\313\075"
+, (PRUint32)16 },
+  { (void *)"\060\123\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141"
+"\170\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060"
+"\044\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040"
+"\123\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163"
+"\040\103\101\055\061"
+, (PRUint32)85 },
+  { (void *)"\004"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_116 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Equifax Secure eBusiness CA 2", (PRUint32)30 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\027\060\025\006\003\125\004\012\023\016\105\161\165\151\146\141"
+"\170\040\123\145\143\165\162\145\061\046\060\044\006\003\125\004"
+"\013\023\035\105\161\165\151\146\141\170\040\123\145\143\165\162"
+"\145\040\145\102\165\163\151\156\145\163\163\040\103\101\055\062"
+, (PRUint32)80 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\027\060\025\006\003\125\004\012\023\016\105\161\165\151\146\141"
+"\170\040\123\145\143\165\162\145\061\046\060\044\006\003\125\004"
+"\013\023\035\105\161\165\151\146\141\170\040\123\145\143\165\162"
+"\145\040\145\102\165\163\151\156\145\163\163\040\103\101\055\062"
+, (PRUint32)80 },
+  { (void *)"\067\160\317\265"
+, (PRUint32)4 },
+  { (void *)"\060\202\003\040\060\202\002\211\240\003\002\001\002\002\004\067"
+"\160\317\265\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\060\116\061\013\060\011\006\003\125\004\006\023\002\125"
+"\123\061\027\060\025\006\003\125\004\012\023\016\105\161\165\151"
+"\146\141\170\040\123\145\143\165\162\145\061\046\060\044\006\003"
+"\125\004\013\023\035\105\161\165\151\146\141\170\040\123\145\143"
+"\165\162\145\040\145\102\165\163\151\156\145\163\163\040\103\101"
+"\055\062\060\036\027\015\071\071\060\066\062\063\061\062\061\064"
+"\064\065\132\027\015\061\071\060\066\062\063\061\062\061\064\064"
+"\065\132\060\116\061\013\060\011\006\003\125\004\006\023\002\125"
+"\123\061\027\060\025\006\003\125\004\012\023\016\105\161\165\151"
+"\146\141\170\040\123\145\143\165\162\145\061\046\060\044\006\003"
+"\125\004\013\023\035\105\161\165\151\146\141\170\040\123\145\143"
+"\165\162\145\040\145\102\165\163\151\156\145\163\163\040\103\101"
+"\055\062\060\201\237\060\015\006\011\052\206\110\206\367\015\001"
+"\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000\344"
+"\071\071\223\036\122\006\033\050\066\370\262\243\051\305\355\216"
+"\262\021\275\376\353\347\264\164\302\217\377\005\347\331\235\006"
+"\277\022\310\077\016\362\326\321\044\262\021\336\321\163\011\212"
+"\324\261\054\230\011\015\036\120\106\262\203\246\105\215\142\150"
+"\273\205\033\040\160\062\252\100\315\246\226\137\304\161\067\077"
+"\004\363\267\101\044\071\007\032\036\056\141\130\240\022\013\345"
+"\245\337\305\253\352\067\161\314\034\310\067\072\271\227\122\247"
+"\254\305\152\044\224\116\234\173\317\300\152\326\337\041\275\002"
+"\003\001\000\001\243\202\001\011\060\202\001\005\060\160\006\003"
+"\125\035\037\004\151\060\147\060\145\240\143\240\141\244\137\060"
+"\135\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027"
+"\060\025\006\003\125\004\012\023\016\105\161\165\151\146\141\170"
+"\040\123\145\143\165\162\145\061\046\060\044\006\003\125\004\013"
+"\023\035\105\161\165\151\146\141\170\040\123\145\143\165\162\145"
+"\040\145\102\165\163\151\156\145\163\163\040\103\101\055\062\061"
+"\015\060\013\006\003\125\004\003\023\004\103\122\114\061\060\032"
+"\006\003\125\035\020\004\023\060\021\201\017\062\060\061\071\060"
+"\066\062\063\061\062\061\064\064\065\132\060\013\006\003\125\035"
+"\017\004\004\003\002\001\006\060\037\006\003\125\035\043\004\030"
+"\060\026\200\024\120\236\013\352\257\136\271\040\110\246\120\152"
+"\313\375\330\040\172\247\202\166\060\035\006\003\125\035\016\004"
+"\026\004\024\120\236\013\352\257\136\271\040\110\246\120\152\313"
+"\375\330\040\172\247\202\166\060\014\006\003\125\035\023\004\005"
+"\060\003\001\001\377\060\032\006\011\052\206\110\206\366\175\007"
+"\101\000\004\015\060\013\033\005\126\063\056\060\143\003\002\006"
+"\300\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000"
+"\003\201\201\000\014\206\202\255\350\116\032\365\216\211\047\342"
+"\065\130\075\051\264\007\217\066\120\225\277\156\301\236\353\304"
+"\220\262\205\250\273\267\102\340\017\007\071\337\373\236\220\262"
+"\321\301\076\123\237\003\104\260\176\113\364\157\344\174\037\347"
+"\342\261\344\270\232\357\303\275\316\336\013\062\064\331\336\050"
+"\355\063\153\304\324\327\075\022\130\253\175\011\055\313\160\365"
+"\023\212\224\241\047\244\326\160\305\155\224\265\311\175\235\240"
+"\322\306\010\111\331\146\233\246\323\364\013\334\305\046\127\341"
+"\221\060\352\315"
+, (PRUint32)804 }
+};
+static const NSSItem nss_builtins_items_117 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Equifax Secure eBusiness CA 2", (PRUint32)30 },
+  { (void *)"\071\117\366\205\013\006\276\122\345\030\126\314\020\341\200\350"
+"\202\263\205\314"
+, (PRUint32)20 },
+  { (void *)"\252\277\277\144\227\332\230\035\157\306\010\072\225\160\063\312"
+, (PRUint32)16 },
+  { (void *)"\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\027\060\025\006\003\125\004\012\023\016\105\161\165\151\146\141"
+"\170\040\123\145\143\165\162\145\061\046\060\044\006\003\125\004"
+"\013\023\035\105\161\165\151\146\141\170\040\123\145\143\165\162"
+"\145\040\145\102\165\163\151\156\145\163\163\040\103\101\055\062"
+, (PRUint32)80 },
+  { (void *)"\067\160\317\265"
+, (PRUint32)4 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_118 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Visa International Global Root 1", (PRUint32)33 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
+"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
+"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
+"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156"
+, (PRUint32)79 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
+"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
+"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
+"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156"
+, (PRUint32)79 },
+  { (void *)"\003\035"
+, (PRUint32)2 },
+  { (void *)"\060\202\003\130\060\202\002\100\240\003\002\001\002\002\002\003"
+"\035\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000"
+"\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
+"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
+"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
+"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\060"
+"\036\027\015\060\060\060\070\061\066\062\061\065\062\060\060\132"
+"\027\015\062\060\060\070\061\065\062\063\065\071\060\060\132\060"
+"\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061\015"
+"\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057\060"
+"\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156\164"
+"\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166\151"
+"\143\145\040\101\163\163\157\143\151\141\164\151\157\156\060\202"
+"\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005"
+"\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000\305"
+"\035\115\163\101\225\341\040\264\154\154\316\147\352\165\006\254"
+"\304\004\302\140\057\010\222\317\040\355\156\251\311\161\046\126"
+"\242\375\332\273\014\370\225\011\311\371\362\035\317\104\225\355"
+"\061\112\332\155\340\275\374\165\026\226\302\357\012\172\014\307"
+"\270\264\220\106\056\251\027\012\340\107\104\204\174\034\075\040"
+"\106\006\103\103\205\162\353\135\341\003\274\062\232\313\356\011"
+"\306\127\025\263\056\332\062\140\247\022\230\222\233\323\312\043"
+"\102\260\043\367\120\151\116\214\233\150\241\067\060\222\311\041"
+"\057\150\212\240\326\204\251\130\115\014\353\125\075\272\012\106"
+"\110\372\302\276\271\007\300\354\275\223\064\171\071\075\267\232"
+"\064\240\014\075\243\377\232\204\346\372\340\077\252\124\204\001"
+"\063\112\205\306\250\024\136\025\301\327\140\325\360\151\170\151"
+"\144\170\327\024\356\023\330\243\362\377\165\141\070\154\324\046"
+"\262\327\150\210\031\147\016\353\341\277\274\216\232\352\310\224"
+"\351\266\314\370\025\205\223\155\146\167\053\261\027\013\210\046"
+"\154\106\242\337\316\103\245\156\367\375\033\107\156\130\367\002"
+"\003\001\000\001\243\102\060\100\060\016\006\003\125\035\017\001"
+"\001\377\004\004\003\002\001\006\060\017\006\003\125\035\023\001"
+"\001\377\004\005\060\003\001\001\377\060\035\006\003\125\035\016"
+"\004\026\004\024\313\303\306\143\312\336\161\177\333\247\327\377"
+"\102\164\366\313\314\266\120\062\060\015\006\011\052\206\110\206"
+"\367\015\001\001\005\005\000\003\202\001\001\000\266\030\204\244"
+"\276\346\177\315\373\106\221\024\175\000\100\167\167\206\271\215"
+"\161\035\234\376\361\330\345\001\077\331\242\140\033\315\272\163"
+"\064\054\356\136\004\222\304\042\104\126\354\352\373\367\311\001"
+"\026\375\350\050\355\370\336\375\074\076\056\230\214\215\343\170"
+"\342\317\216\213\340\257\301\215\140\024\202\202\126\261\207\056"
+"\360\351\022\025\035\076\151\012\255\216\246\130\364\231\374\021"
+"\106\356\367\311\355\306\257\054\271\206\045\322\227\376\117\235"
+"\330\062\341\302\146\121\163\206\015\335\165\343\212\372\364\212"
+"\065\146\335\210\147\255\171\250\374\151\365\333\372\257\225\264"
+"\234\220\037\137\301\026\311\310\010\200\032\327\003\362\136\161"
+"\243\126\143\036\105\066\175\161\276\061\147\164\206\057\331\354"
+"\210\302\040\275\231\115\075\125\005\320\242\132\114\125\042\230"
+"\320\361\165\364\027\372\330\343\376\342\024\340\017\145\372\262"
+"\326\151\054\063\120\311\047\240\254\220\061\113\024\345\353\143"
+"\144\340\075\343\374\022\112\305\226\202\055\332\045\071\376\324"
+"\177\056\101\307\142\110\327\161\105\073\170\222"
+, (PRUint32)860 }
+};
+static const NSSItem nss_builtins_items_119 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Visa International Global Root 1", (PRUint32)33 },
+  { (void *)"\106\260\324\152\346\120\054\267\223\205\000\010\220\373\363\120"
+"\251\310\140\157"
+, (PRUint32)20 },
+  { (void *)"\031\152\006\154\335\311\017\266\024\321\311\373\163\077\005\317"
+, (PRUint32)16 },
+  { (void *)"\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
+"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
+"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
+"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156"
+, (PRUint32)79 },
+  { (void *)"\003\035"
+, (PRUint32)2 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_120 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Visa International Global Root 2", (PRUint32)33 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
+"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
+"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
+"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
+"\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157"
+"\164\040\062"
+, (PRUint32)99 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
+"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
+"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
+"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
+"\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157"
+"\164\040\062"
+, (PRUint32)99 },
+  { (void *)"\003\036"
+, (PRUint32)2 },
+  { (void *)"\060\202\003\200\060\202\002\150\240\003\002\001\002\002\002\003"
+"\036\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000"
+"\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
+"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
+"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
+"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
+"\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157"
+"\164\040\062\060\036\027\015\060\060\060\070\061\066\062\062\065"
+"\061\060\060\132\027\015\062\060\060\070\061\065\062\063\065\071"
+"\060\060\132\060\141\061\013\060\011\006\003\125\004\006\023\002"
+"\125\123\061\015\060\013\006\003\125\004\012\023\004\126\111\123"
+"\101\061\057\060\055\006\003\125\004\013\023\046\126\151\163\141"
+"\040\111\156\164\145\162\156\141\164\151\157\156\141\154\040\123"
+"\145\162\166\151\143\145\040\101\163\163\157\143\151\141\164\151"
+"\157\156\061\022\060\020\006\003\125\004\003\023\011\107\120\040"
+"\122\157\157\164\040\062\060\202\001\042\060\015\006\011\052\206"
+"\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202"
+"\001\012\002\202\001\001\000\251\001\160\265\252\304\100\360\253"
+"\152\046\141\171\031\000\374\277\233\067\131\014\257\157\144\033"
+"\370\332\225\224\044\151\063\021\160\312\343\126\164\242\027\127"
+"\144\134\040\006\341\326\357\161\267\073\367\253\301\151\320\111"
+"\244\261\004\327\364\127\142\211\134\260\165\055\027\044\151\343"
+"\102\140\344\356\164\326\253\200\126\330\210\050\341\373\155\042"
+"\375\043\174\106\163\117\176\124\163\036\250\054\125\130\165\267"
+"\114\363\132\105\245\002\032\372\332\235\303\105\303\042\136\363"
+"\213\361\140\051\322\307\137\264\014\072\121\203\357\060\370\324"
+"\347\307\362\372\231\243\042\120\276\371\005\067\243\255\355\232"
+"\303\346\354\210\033\266\031\047\033\070\213\200\115\354\271\307"
+"\305\211\313\374\032\062\355\043\360\265\001\130\371\366\217\340"
+"\205\251\114\011\162\071\022\333\263\365\317\116\142\144\332\306"
+"\031\025\072\143\035\351\027\125\241\114\042\074\064\062\106\370"
+"\145\127\272\053\357\066\214\152\372\331\331\104\364\252\335\204"
+"\327\015\034\262\124\254\062\205\264\144\015\336\101\273\261\064"
+"\306\001\206\062\144\325\237\002\003\001\000\001\243\102\060\100"
+"\060\035\006\003\125\035\016\004\026\004\024\236\175\113\064\277"
+"\161\255\302\005\366\003\165\200\316\251\117\032\304\044\114\060"
+"\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377"
+"\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006"
+"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003"
+"\202\001\001\000\041\245\166\024\125\371\255\047\160\217\074\364"
+"\325\154\310\314\012\253\243\230\013\212\006\043\305\311\141\333"
+"\231\007\151\065\046\061\376\307\056\204\302\231\141\324\015\351"
+"\175\056\023\053\174\216\205\266\205\307\113\317\065\266\054\107"
+"\075\316\051\057\330\157\237\211\034\144\223\277\010\275\166\320"
+"\220\212\224\263\177\050\133\156\254\115\063\054\355\145\334\026"
+"\314\342\315\256\244\075\142\222\006\225\046\277\337\271\344\040"
+"\246\163\152\301\276\367\224\104\326\115\157\052\013\153\030\115"
+"\164\020\066\150\152\132\301\152\247\335\066\051\214\270\060\213"
+"\117\041\077\000\056\124\060\007\072\272\212\344\303\236\312\330"
+"\265\330\173\316\165\105\146\007\364\155\055\330\172\312\351\211"
+"\212\362\043\330\057\313\156\000\066\117\373\360\057\001\314\017"
+"\300\042\145\364\253\342\116\141\055\003\202\175\221\026\265\060"
+"\325\024\336\136\307\220\374\241\374\253\020\257\134\153\160\247"
+"\007\357\051\206\350\262\045\307\040\377\046\335\167\357\171\104"
+"\024\304\275\335\073\305\003\233\167\043\354\240\354\273\132\071"
+"\265\314\255\006"
+, (PRUint32)900 }
+};
+static const NSSItem nss_builtins_items_121 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Visa International Global Root 2", (PRUint32)33 },
+  { (void *)"\311\015\033\352\210\075\247\321\027\276\073\171\364\041\016\032"
+"\130\224\247\055"
+, (PRUint32)20 },
+  { (void *)"\065\110\225\066\112\124\132\162\226\216\340\144\314\357\054\214"
+, (PRUint32)16 },
+  { (void *)"\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
+"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
+"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
+"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
+"\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157"
+"\164\040\062"
+, (PRUint32)99 },
+  { (void *)"\003\036"
+, (PRUint32)2 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_122 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Visa International Global Root 3", (PRUint32)33 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
+"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
+"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
+"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
+"\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157"
+"\164\040\063"
+, (PRUint32)99 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
+"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
+"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
+"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
+"\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157"
+"\164\040\063"
+, (PRUint32)99 },
+  { (void *)"\003\037"
+, (PRUint32)2 },
+  { (void *)"\060\202\003\200\060\202\002\150\240\003\002\001\002\002\002\003"
+"\037\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000"
+"\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
+"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
+"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
+"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
+"\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157"
+"\164\040\063\060\036\027\015\060\060\060\070\061\066\062\063\063"
+"\064\060\060\132\027\015\062\060\060\070\061\065\062\063\065\071"
+"\060\060\132\060\141\061\013\060\011\006\003\125\004\006\023\002"
+"\125\123\061\015\060\013\006\003\125\004\012\023\004\126\111\123"
+"\101\061\057\060\055\006\003\125\004\013\023\046\126\151\163\141"
+"\040\111\156\164\145\162\156\141\164\151\157\156\141\154\040\123"
+"\145\162\166\151\143\145\040\101\163\163\157\143\151\141\164\151"
+"\157\156\061\022\060\020\006\003\125\004\003\023\011\107\120\040"
+"\122\157\157\164\040\063\060\202\001\042\060\015\006\011\052\206"
+"\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202"
+"\001\012\002\202\001\001\000\272\354\103\270\064\352\243\147\337"
+"\167\011\037\032\020\242\036\251\116\225\114\164\347\014\334\154"
+"\306\230\320\253\372\027\044\232\147\243\111\024\144\211\217\223"
+"\022\057\357\217\330\316\020\004\213\205\300\334\057\274\051\230"
+"\257\234\102\305\313\322\226\317\364\245\305\055\156\115\214\070"
+"\216\262\152\010\231\325\221\033\250\355\063\223\111\135\313\347"
+"\025\103\155\122\361\310\350\327\332\060\340\230\052\251\133\243"
+"\303\321\001\003\201\135\176\266\011\225\350\333\062\156\375\072"
+"\303\265\236\233\375\131\031\040\263\043\300\342\152\356\104\226"
+"\200\357\150\011\100\224\302\267\063\111\203\345\311\256\055\040"
+"\067\220\030\075\040\066\332\171\071\257\270\127\237\172\357\140"
+"\052\041\204\370\377\240\071\041\323\330\155\124\307\303\152\074"
+"\310\134\037\056\107\162\024\154\125\113\011\006\315\216\305\153"
+"\013\347\007\107\072\175\222\137\175\017\260\134\063\127\203\203"
+"\077\036\204\250\171\220\237\227\116\042\334\165\042\310\156\057"
+"\326\320\313\166\341\014\127\227\341\046\217\051\204\123\362\345"
+"\216\223\312\113\212\114\065\002\003\001\000\001\243\102\060\100"
+"\060\035\006\003\125\035\016\004\026\004\024\242\134\156\015\145"
+"\010\301\367\116\133\311\155\360\320\126\033\071\202\103\273\060"
+"\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377"
+"\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006"
+"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003"
+"\202\001\001\000\003\215\126\010\263\241\255\375\163\102\331\147"
+"\054\156\232\317\277\036\310\115\362\115\322\331\067\311\070\104"
+"\215\256\211\014\357\214\231\053\112\223\365\155\254\146\112\077"
+"\127\152\020\245\242\032\023\246\054\352\142\347\200\371\275\375"
+"\344\377\332\021\237\071\130\155\365\103\362\364\375\246\277\235"
+"\261\253\232\106\007\337\341\360\133\077\376\135\131\100\006\254"
+"\030\010\107\114\074\114\110\106\316\210\341\250\266\236\165\246"
+"\240\367\176\033\266\304\215\355\360\052\123\025\112\333\051\117"
+"\071\123\347\122\130\243\276\334\344\220\055\265\311\316\230\377"
+"\054\206\241\010\240\310\316\367\202\071\011\014\301\302\324\251"
+"\244\052\016\063\201\307\074\160\313\060\155\244\126\267\233\134"
+"\174\002\042\276\345\007\175\155\044\321\047\261\326\035\036\134"
+"\107\074\277\056\156\370\034\204\110\354\365\341\240\225\021\315"
+"\347\060\353\134\360\051\173\165\202\002\006\262\363\223\071\322"
+"\016\254\337\137\044\023\025\060\103\365\120\324\307\203\240\103"
+"\071\117\145\064\275\246\351\316\341\164\276\040\337\322\162\026"
+"\113\211\106\166"
+, (PRUint32)900 }
+};
+static const NSSItem nss_builtins_items_123 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Visa International Global Root 3", (PRUint32)33 },
+  { (void *)"\000\263\327\076\235\205\161\066\073\147\325\056\136\156\371\022"
+"\242\205\067\122"
+, (PRUint32)20 },
+  { (void *)"\327\276\275\236\373\162\170\072\347\212\275\201\276\013\075\030"
+, (PRUint32)16 },
+  { (void *)"\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
+"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
+"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
+"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
+"\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157"
+"\164\040\063"
+, (PRUint32)99 },
+  { (void *)"\003\037"
+, (PRUint32)2 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_124 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Visa International Global Root 4", (PRUint32)33 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
+"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
+"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
+"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
+"\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157"
+"\164\040\064"
+, (PRUint32)99 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
+"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
+"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
+"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
+"\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157"
+"\164\040\064"
+, (PRUint32)99 },
+  { (void *)"\003\040"
+, (PRUint32)2 },
+  { (void *)"\060\202\002\173\060\202\001\344\240\003\002\001\002\002\002\003"
+"\040\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000"
+"\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
+"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
+"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
+"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
+"\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157"
+"\164\040\064\060\036\027\015\060\060\060\070\061\067\060\060\061"
+"\071\060\060\132\027\015\062\060\060\070\061\066\062\063\065\071"
+"\060\060\132\060\141\061\013\060\011\006\003\125\004\006\023\002"
+"\125\123\061\015\060\013\006\003\125\004\012\023\004\126\111\123"
+"\101\061\057\060\055\006\003\125\004\013\023\046\126\151\163\141"
+"\040\111\156\164\145\162\156\141\164\151\157\156\141\154\040\123"
+"\145\162\166\151\143\145\040\101\163\163\157\143\151\141\164\151"
+"\157\156\061\022\060\020\006\003\125\004\003\023\011\107\120\040"
+"\122\157\157\164\040\064\060\201\237\060\015\006\011\052\206\110"
+"\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002"
+"\201\201\000\270\353\360\217\240\346\361\343\000\077\136\162\236"
+"\256\004\017\364\117\316\312\332\142\063\352\356\132\302\301\366"
+"\056\070\211\264\015\317\241\256\271\061\263\375\246\307\266\304"
+"\154\203\014\200\141\070\072\012\276\034\001\240\031\033\347\373"
+"\162\155\222\143\233\246\257\063\364\264\133\032\350\050\336\114"
+"\347\067\361\024\361\340\027\340\024\110\354\104\035\171\245\116"
+"\252\341\244\204\167\275\313\115\266\352\160\176\137\252\027\054"
+"\113\133\260\352\205\324\151\250\021\351\053\067\035\273\246\004"
+"\356\233\101\002\003\001\000\001\243\102\060\100\060\035\006\003"
+"\125\035\016\004\026\004\024\103\306\110\100\300\017\306\030\132"
+"\111\111\345\201\200\006\115\137\335\324\205\060\017\006\003\125"
+"\035\023\001\001\377\004\005\060\003\001\001\377\060\016\006\003"
+"\125\035\017\001\001\377\004\004\003\002\001\006\060\015\006\011"
+"\052\206\110\206\367\015\001\001\005\005\000\003\201\201\000\244"
+"\031\075\163\316\207\321\237\126\022\134\310\070\345\356\371\022"
+"\310\331\001\352\235\203\064\306\242\153\213\167\172\222\176\207"
+"\307\125\043\024\215\302\150\115\031\362\151\264\352\107\024\221"
+"\073\121\207\030\372\166\233\342\173\034\023\323\346\146\036\012"
+"\022\271\135\220\306\073\023\024\042\315\065\214\055\105\140\000"
+"\004\310\357\130\002\305\135\231\264\220\155\336\124\327\043\342"
+"\071\204\045\303\150\243\142\243\171\330\230\241\132\322\134\211"
+"\375\345\026\014\364\253\027\110\176\255\353\200\300\125\201"
+, (PRUint32)639 }
+};
+static const NSSItem nss_builtins_items_125 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Visa International Global Root 4", (PRUint32)33 },
+  { (void *)"\231\001\027\355\035\374\376\140\054\136\120\175\140\223\051\223"
+"\214\100\014\146"
+, (PRUint32)20 },
+  { (void *)"\010\107\110\253\040\057\157\302\163\013\262\025\005\041\036\312"
+, (PRUint32)16 },
+  { (void *)"\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
+"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
+"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
+"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
+"\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157"
+"\164\040\064"
+, (PRUint32)99 },
+  { (void *)"\003\040"
+, (PRUint32)2 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_126 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Visa International Global Root 5", (PRUint32)33 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
+"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
+"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
+"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
+"\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157"
+"\164\040\065"
+, (PRUint32)99 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
+"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
+"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
+"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
+"\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157"
+"\164\040\065"
+, (PRUint32)99 },
+  { (void *)"\003\041"
+, (PRUint32)2 },
+  { (void *)"\060\202\002\173\060\202\001\344\240\003\002\001\002\002\002\003"
+"\041\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000"
+"\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
+"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
+"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
+"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
+"\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157"
+"\164\040\065\060\036\027\015\060\060\060\070\061\067\060\060\062"
+"\070\060\060\132\027\015\062\060\060\070\061\066\062\063\065\071"
+"\060\060\132\060\141\061\013\060\011\006\003\125\004\006\023\002"
+"\125\123\061\015\060\013\006\003\125\004\012\023\004\126\111\123"
+"\101\061\057\060\055\006\003\125\004\013\023\046\126\151\163\141"
+"\040\111\156\164\145\162\156\141\164\151\157\156\141\154\040\123"
+"\145\162\166\151\143\145\040\101\163\163\157\143\151\141\164\151"
+"\157\156\061\022\060\020\006\003\125\004\003\023\011\107\120\040"
+"\122\157\157\164\040\065\060\201\237\060\015\006\011\052\206\110"
+"\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002"
+"\201\201\000\255\000\156\362\240\174\061\021\034\101\260\067\217"
+"\203\242\103\313\227\137\002\040\211\015\156\274\052\261\361\245"
+"\144\357\330\216\112\326\162\235\236\156\037\232\250\371\205\003"
+"\254\301\047\152\204\345\146\110\161\232\136\102\017\212\342\237"
+"\366\200\017\043\254\123\303\301\237\002\304\370\130\106\352\364"
+"\251\202\257\155\007\106\206\361\055\374\006\270\036\125\325\071"
+"\141\222\204\213\361\330\212\063\116\074\023\265\326\161\374\153"
+"\076\264\034\172\013\207\325\065\146\064\303\163\062\143\130\337"
+"\022\153\043\002\003\001\000\001\243\102\060\100\060\035\006\003"
+"\125\035\016\004\026\004\024\043\116\363\002\004\004\327\322\247"
+"\000\126\301\316\111\054\214\025\226\063\057\060\017\006\003\125"
+"\035\023\001\001\377\004\005\060\003\001\001\377\060\016\006\003"
+"\125\035\017\001\001\377\004\004\003\002\001\006\060\015\006\011"
+"\052\206\110\206\367\015\001\001\005\005\000\003\201\201\000\074"
+"\224\001\207\362\310\317\341\217\256\271\013\342\034\175\361\031"
+"\255\321\355\366\001\133\066\123\012\200\076\256\064\126\147\160"
+"\156\103\124\116\171\315\213\325\120\031\062\330\111\070\064\375"
+"\266\163\111\353\016\111\172\277\032\367\352\007\050\045\273\025"
+"\111\034\121\112\125\232\070\057\055\017\130\371\171\321\002\145"
+"\023\214\131\237\020\177\135\027\074\164\362\265\352\167\201\066"
+"\206\157\062\133\005\264\015\243\046\147\360\344\065\016\107\275"
+"\153\301\221\235\013\364\077\232\021\174\224\026\147\266\230"
+, (PRUint32)639 }
+};
+static const NSSItem nss_builtins_items_127 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Visa International Global Root 5", (PRUint32)33 },
+  { (void *)"\367\027\230\102\276\276\302\037\113\055\235\013\234\067\036\064"
+"\206\325\251\317"
+, (PRUint32)20 },
+  { (void *)"\317\200\157\240\170\121\321\126\233\253\310\135\243\157\220\012"
+, (PRUint32)16 },
+  { (void *)"\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057"
+"\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156"
+"\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166"
+"\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061"
+"\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157"
+"\164\040\065"
+, (PRUint32)99 },
+  { (void *)"\003\041"
+, (PRUint32)2 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_128 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"beTRUSTed Root CA", (PRUint32)18 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\127\127\061"
+"\022\060\020\006\003\125\004\012\023\011\142\145\124\122\125\123"
+"\124\145\144\061\033\060\031\006\003\125\004\003\023\022\142\145"
+"\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\163"
+"\061\032\060\030\006\003\125\004\003\023\021\142\145\124\122\125"
+"\123\124\145\144\040\122\157\157\164\040\103\101"
+, (PRUint32)92 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\127\127\061"
+"\022\060\020\006\003\125\004\012\023\011\142\145\124\122\125\123"
+"\124\145\144\061\033\060\031\006\003\125\004\003\023\022\142\145"
+"\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\163"
+"\061\032\060\030\006\003\125\004\003\023\021\142\145\124\122\125"
+"\123\124\145\144\040\122\157\157\164\040\103\101"
+, (PRUint32)92 },
+  { (void *)"\071\117\175\207"
+, (PRUint32)4 },
+  { (void *)"\060\202\005\054\060\202\004\024\240\003\002\001\002\002\004\071"
+"\117\175\207\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\127"
+"\127\061\022\060\020\006\003\125\004\012\023\011\142\145\124\122"
+"\125\123\124\145\144\061\033\060\031\006\003\125\004\003\023\022"
+"\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040\103"
+"\101\163\061\032\060\030\006\003\125\004\003\023\021\142\145\124"
+"\122\125\123\124\145\144\040\122\157\157\164\040\103\101\060\036"
+"\027\015\060\060\060\066\062\060\061\064\062\061\060\064\132\027"
+"\015\061\060\060\066\062\060\061\063\062\061\060\064\132\060\132"
+"\061\013\060\011\006\003\125\004\006\023\002\127\127\061\022\060"
+"\020\006\003\125\004\012\023\011\142\145\124\122\125\123\124\145"
+"\144\061\033\060\031\006\003\125\004\003\023\022\142\145\124\122"
+"\125\123\124\145\144\040\122\157\157\164\040\103\101\163\061\032"
+"\060\030\006\003\125\004\003\023\021\142\145\124\122\125\123\124"
+"\145\144\040\122\157\157\164\040\103\101\060\202\001\042\060\015"
+"\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001"
+"\017\000\060\202\001\012\002\202\001\001\000\324\264\163\172\023"
+"\012\070\125\001\276\211\126\341\224\236\324\276\132\353\112\064"
+"\165\033\141\051\304\341\255\010\140\041\170\110\377\264\320\372"
+"\136\101\215\141\104\207\350\355\311\130\372\374\223\232\337\117"
+"\352\076\065\175\370\063\172\346\361\327\315\157\111\113\075\117"
+"\055\156\016\203\072\030\170\167\243\317\347\364\115\163\330\232"
+"\073\032\035\276\225\123\317\040\227\302\317\076\044\122\154\014"
+"\216\145\131\305\161\377\142\011\217\252\305\217\314\140\240\163"
+"\112\327\070\077\025\162\277\242\227\267\160\350\257\342\176\026"
+"\006\114\365\252\144\046\162\007\045\255\065\374\030\261\046\327"
+"\330\377\031\016\203\033\214\334\170\105\147\064\075\364\257\034"
+"\215\344\155\153\355\040\263\147\232\264\141\313\027\157\211\065"
+"\377\347\116\300\062\022\347\356\354\337\377\227\060\164\355\215"
+"\107\216\353\264\303\104\346\247\114\177\126\103\350\270\274\266"
+"\276\372\203\227\346\273\373\304\266\223\276\031\030\076\214\201"
+"\271\163\210\026\364\226\103\234\147\163\027\220\330\011\156\143"
+"\254\112\266\043\304\001\241\255\244\344\305\002\003\001\000\001"
+"\243\202\001\370\060\202\001\364\060\017\006\003\125\035\023\001"
+"\001\377\004\005\060\003\001\001\377\060\202\001\131\006\003\125"
+"\035\040\004\202\001\120\060\202\001\114\060\202\001\110\006\012"
+"\053\006\001\004\001\261\076\001\000\000\060\202\001\070\060\202"
+"\001\001\006\010\053\006\001\005\005\007\002\002\060\201\364\032"
+"\201\361\122\145\154\151\141\156\143\145\040\157\156\040\164\150"
+"\151\163\040\143\145\162\164\151\146\151\143\141\164\145\040\142"
+"\171\040\141\156\171\040\160\141\162\164\171\040\141\163\163\165"
+"\155\145\163\040\141\143\143\145\160\164\141\156\143\145\040\157"
+"\146\040\164\150\145\040\164\150\145\156\040\141\160\160\154\151"
+"\143\141\142\154\145\040\163\164\141\156\144\141\162\144\040\164"
+"\145\162\155\163\040\141\156\144\040\143\157\156\144\151\164\151"
+"\157\156\163\040\157\146\040\165\163\145\054\040\141\156\144\040"
+"\143\145\162\164\151\146\151\143\141\164\151\157\156\040\160\162"
+"\141\143\164\151\143\145\040\163\164\141\164\145\155\145\156\164"
+"\054\040\167\150\151\143\150\040\143\141\156\040\142\145\040\146"
+"\157\165\156\144\040\141\164\040\142\145\124\122\125\123\124\145"
+"\144\047\163\040\167\145\142\040\163\151\164\145\054\040\150\164"
+"\164\160\163\072\057\057\167\167\167\056\142\145\124\122\125\123"
+"\124\145\144\056\143\157\155\057\166\141\165\154\164\057\164\145"
+"\162\155\163\060\061\006\010\053\006\001\005\005\007\002\001\026"
+"\045\150\164\164\160\163\072\057\057\167\167\167\056\142\145\124"
+"\122\125\123\124\145\144\056\143\157\155\057\166\141\165\154\164"
+"\057\164\145\162\155\163\060\064\006\003\125\035\037\004\055\060"
+"\053\060\051\240\047\240\045\244\043\060\041\061\022\060\020\006"
+"\003\125\004\012\023\011\142\145\124\122\125\123\124\145\144\061"
+"\013\060\011\006\003\125\004\006\023\002\127\127\060\035\006\003"
+"\125\035\016\004\026\004\024\052\271\233\151\056\073\233\330\315"
+"\336\052\061\004\064\153\312\007\030\253\147\060\037\006\003\125"
+"\035\043\004\030\060\026\200\024\052\271\233\151\056\073\233\330"
+"\315\336\052\061\004\064\153\312\007\030\253\147\060\016\006\003"
+"\125\035\017\001\001\377\004\004\003\002\001\376\060\015\006\011"
+"\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001\000"
+"\171\141\333\243\136\156\026\261\352\166\121\371\313\025\233\313"
+"\151\276\346\201\153\237\050\037\145\076\335\021\205\222\324\350"
+"\101\277\176\063\275\043\347\361\040\277\244\264\246\031\001\306"
+"\214\215\065\174\145\244\117\011\244\326\330\043\025\005\023\247"
+"\103\171\257\333\243\016\233\173\170\032\363\004\206\132\306\366"
+"\214\040\107\070\111\120\006\235\162\147\072\360\230\003\255\226"
+"\147\104\374\077\020\015\206\115\344\000\073\051\173\316\073\073"
+"\231\206\141\045\100\204\334\023\142\267\372\312\131\326\003\036"
+"\326\123\001\315\155\114\150\125\100\341\356\153\307\052\000\000"
+"\110\202\263\012\001\303\140\052\014\367\202\065\356\110\206\226"
+"\344\164\324\075\352\001\161\272\004\165\100\247\251\177\071\071"
+"\232\125\227\051\145\256\031\125\045\005\162\107\323\350\030\334"
+"\270\351\257\103\163\001\022\164\243\341\134\137\025\135\044\363"
+"\371\344\364\266\147\147\022\347\144\042\212\366\245\101\246\034"
+"\266\140\143\105\212\020\264\272\106\020\256\101\127\145\154\077"
+"\043\020\077\041\020\131\267\344\100\335\046\014\043\366\252\256"
+, (PRUint32)1328 }
+};
+static const NSSItem nss_builtins_items_129 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"beTRUSTed Root CA", (PRUint32)18 },
+  { (void *)"\133\315\315\314\146\366\334\344\104\037\343\175\134\303\023\114"
+"\106\364\160\070"
+, (PRUint32)20 },
+  { (void *)"\205\312\166\132\033\321\150\042\334\242\043\022\312\306\200\064"
+, (PRUint32)16 },
+  { (void *)"\060\132\061\013\060\011\006\003\125\004\006\023\002\127\127\061"
+"\022\060\020\006\003\125\004\012\023\011\142\145\124\122\125\123"
+"\124\145\144\061\033\060\031\006\003\125\004\003\023\022\142\145"
+"\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\163"
+"\061\032\060\030\006\003\125\004\003\023\021\142\145\124\122\125"
+"\123\124\145\144\040\122\157\157\164\040\103\101"
+, (PRUint32)92 },
+  { (void *)"\071\117\175\207"
+, (PRUint32)4 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_130 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Xcert Root CA", (PRUint32)14 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\073\061\041\060\037\006\003\125\004\012\023\030\130\143\145"
+"\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154"
+"\040\111\156\143\056\061\026\060\024\006\003\125\004\013\023\015"
+"\130\143\145\162\164\040\122\157\157\164\040\103\101"
+, (PRUint32)61 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\073\061\041\060\037\006\003\125\004\012\023\030\130\143\145"
+"\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154"
+"\040\111\156\143\056\061\026\060\024\006\003\125\004\013\023\015"
+"\130\143\145\162\164\040\122\157\157\164\040\103\101"
+, (PRUint32)61 },
+  { (void *)"\012\001\001\001\000\000\002\174\000\000\000\002\000\000\000\002"
+, (PRUint32)16 },
+  { (void *)"\060\202\003\143\060\202\002\113\240\003\002\001\002\002\020\012"
+"\001\001\001\000\000\002\174\000\000\000\002\000\000\000\002\060"
+"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\073"
+"\061\041\060\037\006\003\125\004\012\023\030\130\143\145\162\164"
+"\040\111\156\164\145\162\156\141\164\151\157\156\141\154\040\111"
+"\156\143\056\061\026\060\024\006\003\125\004\013\023\015\130\143"
+"\145\162\164\040\122\157\157\164\040\103\101\060\036\027\015\060"
+"\060\060\070\061\070\061\070\061\070\061\067\132\027\015\062\065"
+"\060\070\061\065\061\071\060\063\061\067\132\060\073\061\041\060"
+"\037\006\003\125\004\012\023\030\130\143\145\162\164\040\111\156"
+"\164\145\162\156\141\164\151\157\156\141\154\040\111\156\143\056"
+"\061\026\060\024\006\003\125\004\013\023\015\130\143\145\162\164"
+"\040\122\157\157\164\040\103\101\060\202\001\042\060\015\006\011"
+"\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000"
+"\060\202\001\012\002\202\001\001\000\250\264\141\213\035\034\076"
+"\220\173\160\062\100\155\215\026\312\065\141\141\265\342\373\025"
+"\311\364\041\136\201\033\317\042\234\254\253\273\140\320\240\063"
+"\336\021\123\032\011\017\073\032\023\251\324\207\314\130\367\055"
+"\122\251\242\302\251\072\355\317\064\235\241\002\357\270\362\270"
+"\053\127\210\020\223\265\251\065\143\273\005\102\103\042\177\277"
+"\160\136\323\050\245\125\050\040\113\223\111\217\247\277\075\100"
+"\050\015\021\257\162\046\011\005\064\011\305\253\001\223\127\241"
+"\254\146\124\230\042\234\043\353\272\014\144\234\266\075\373\342"
+"\306\226\302\317\013\117\352\310\060\372\212\053\312\034\021\226"
+"\032\051\000\214\353\162\324\121\105\251\235\167\040\325\022\273"
+"\265\362\177\006\070\202\115\175\222\036\350\325\372\310\051\107"
+"\151\032\025\021\214\257\246\054\301\050\364\151\133\151\236\344"
+"\074\023\356\300\241\140\352\101\277\302\142\113\155\242\067\204"
+"\072\076\363\260\062\256\212\153\154\023\363\072\041\012\173\226"
+"\130\063\051\136\156\250\312\151\242\276\216\006\105\135\361\146"
+"\071\125\112\034\132\044\261\113\321\002\003\001\000\001\243\143"
+"\060\141\060\017\006\003\125\035\023\001\001\377\004\005\060\003"
+"\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003"
+"\002\001\006\060\037\006\003\125\035\043\004\030\060\026\200\024"
+"\104\250\111\070\165\061\154\253\050\347\161\362\330\324\310\257"
+"\101\017\107\221\060\035\006\003\125\035\016\004\026\004\024\104"
+"\250\111\070\165\061\154\253\050\347\161\362\330\324\310\257\101"
+"\017\107\221\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\003\202\001\001\000\075\163\136\245\012\273\265\021\303"
+"\361\147\321\022\032\242\107\051\021\114\116\131\067\040\206\011"
+"\100\362\105\361\111\171\071\032\075\045\327\057\051\320\010\005"
+"\025\024\373\344\104\154\077\176\136\265\122\330\221\130\074\226"
+"\373\324\112\357\361\056\301\126\036\114\151\014\331\140\035\112"
+"\107\047\265\003\063\333\030\273\333\123\236\241\173\121\152\220"
+"\323\245\025\310\202\013\300\267\067\062\165\205\124\136\125\020"
+"\174\221\073\251\053\140\306\061\166\254\304\060\111\003\304\266"
+"\126\100\245\360\143\257\151\112\210\257\327\253\013\356\072\333"
+"\275\023\203\250\073\242\351\271\105\365\121\115\224\360\131\251"
+"\333\241\067\147\322\024\236\247\173\327\031\252\025\043\153\151"
+"\165\321\023\076\130\364\363\001\350\210\304\224\126\311\300\376"
+"\337\117\107\125\037\153\201\116\124\355\023\137\162\374\046\206"
+"\004\066\217\117\022\115\234\120\342\116\132\126\254\271\375\054"
+"\037\130\173\005\022\007\143\070\357\031\343\364\074\221\132\242"
+"\045\142\127\274\306\224\240\167\234\317\064\142\340\277\373\165"
+"\074\351\033\046\033\234\144"
+, (PRUint32)871 }
+};
+static const NSSItem nss_builtins_items_131 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Xcert Root CA", (PRUint32)14 },
+  { (void *)"\041\021\164\054\135\202\325\257\325\231\114\122\004\123\125\050"
+"\104\361\154\261"
+, (PRUint32)20 },
+  { (void *)"\226\201\231\014\155\262\211\205\303\331\200\234\063\273\076\031"
+, (PRUint32)16 },
+  { (void *)"\060\073\061\041\060\037\006\003\125\004\012\023\030\130\143\145"
+"\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154"
+"\040\111\156\143\056\061\026\060\024\006\003\125\004\013\023\015"
+"\130\143\145\162\164\040\122\157\157\164\040\103\101"
+, (PRUint32)61 },
+  { (void *)"\012\001\001\001\000\000\002\174\000\000\000\002\000\000\000\002"
+, (PRUint32)16 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_132 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Xcert Root CA 1024", (PRUint32)19 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\100\061\041\060\037\006\003\125\004\012\023\030\130\143\145"
+"\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154"
+"\040\111\156\143\056\061\033\060\031\006\003\125\004\013\023\022"
+"\130\143\145\162\164\040\122\157\157\164\040\103\101\040\061\060"
+"\062\064"
+, (PRUint32)66 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\100\061\041\060\037\006\003\125\004\012\023\030\130\143\145"
+"\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154"
+"\040\111\156\143\056\061\033\060\031\006\003\125\004\013\023\022"
+"\130\143\145\162\164\040\122\157\157\164\040\103\101\040\061\060"
+"\062\064"
+, (PRUint32)66 },
+  { (void *)"\012\001\001\001\000\000\002\174\000\000\000\003\000\000\000\002"
+, (PRUint32)16 },
+  { (void *)"\060\202\002\150\060\202\001\321\240\003\002\001\002\002\020\012"
+"\001\001\001\000\000\002\174\000\000\000\003\000\000\000\002\060"
+"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\100"
+"\061\041\060\037\006\003\125\004\012\023\030\130\143\145\162\164"
+"\040\111\156\164\145\162\156\141\164\151\157\156\141\154\040\111"
+"\156\143\056\061\033\060\031\006\003\125\004\013\023\022\130\143"
+"\145\162\164\040\122\157\157\164\040\103\101\040\061\060\062\064"
+"\060\036\027\015\060\060\060\070\061\070\061\070\063\061\063\062"
+"\132\027\015\062\065\060\070\061\065\061\071\060\060\065\066\132"
+"\060\100\061\041\060\037\006\003\125\004\012\023\030\130\143\145"
+"\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154"
+"\040\111\156\143\056\061\033\060\031\006\003\125\004\013\023\022"
+"\130\143\145\162\164\040\122\157\157\164\040\103\101\040\061\060"
+"\062\064\060\201\237\060\015\006\011\052\206\110\206\367\015\001"
+"\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000\326"
+"\276\067\211\021\251\242\367\107\054\052\317\152\000\046\145\050"
+"\104\244\212\344\336\240\103\125\231\104\153\274\156\270\307\316"
+"\306\143\266\323\350\157\305\230\053\044\221\270\236\242\272\161"
+"\110\336\064\040\041\172\326\322\305\211\062\245\211\306\334\205"
+"\204\124\362\236\110\355\314\104\266\006\377\216\304\316\131\255"
+"\237\154\351\042\130\301\077\024\012\103\200\207\031\122\120\343"
+"\050\007\310\254\030\342\261\032\252\243\342\140\267\166\121\007"
+"\051\071\136\110\351\146\160\201\056\070\232\275\031\175\353\002"
+"\003\001\000\001\243\143\060\141\060\017\006\003\125\035\023\001"
+"\001\377\004\005\060\003\001\001\377\060\016\006\003\125\035\017"
+"\001\001\377\004\004\003\002\001\006\060\037\006\003\125\035\043"
+"\004\030\060\026\200\024\204\171\307\117\007\131\261\153\301\072"
+"\065\272\270\364\325\231\047\310\272\016\060\035\006\003\125\035"
+"\016\004\026\004\024\204\171\307\117\007\131\261\153\301\072\065"
+"\272\270\364\325\231\047\310\272\016\060\015\006\011\052\206\110"
+"\206\367\015\001\001\005\005\000\003\201\201\000\163\260\341\000"
+"\355\256\150\322\140\003\106\353\371\034\361\245\246\174\134\062"
+"\174\354\002\141\323\034\035\163\061\054\272\216\275\111\115\310"
+"\335\331\167\165\101\347\222\041\232\154\051\333\247\154\160\206"
+"\240\134\303\344\363\062\314\001\204\131\327\210\071\070\363\250"
+"\342\342\032\260\227\315\053\027\334\144\004\017\252\152\163\224"
+"\326\353\010\306\200\151\115\336\172\325\305\067\361\222\027\074"
+"\155\323\212\041\314\144\020\252\336\142\207\037\217\270\370\252"
+"\165\112\364\010\054\365\334\146\317\303\070\176"
+, (PRUint32)620 }
+};
+static const NSSItem nss_builtins_items_133 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Xcert Root CA 1024", (PRUint32)19 },
+  { (void *)"\054\245\040\131\044\213\336\160\224\354\326\313\143\116\176\051"
+"\207\004\113\220"
+, (PRUint32)20 },
+  { (void *)"\304\040\322\322\017\140\113\244\062\340\221\324\040\113\111\270"
+, (PRUint32)16 },
+  { (void *)"\060\100\061\041\060\037\006\003\125\004\012\023\030\130\143\145"
+"\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154"
+"\040\111\156\143\056\061\033\060\031\006\003\125\004\013\023\022"
+"\130\143\145\162\164\040\122\157\157\164\040\103\101\040\061\060"
+"\062\064"
+, (PRUint32)66 },
+  { (void *)"\012\001\001\001\000\000\002\174\000\000\000\003\000\000\000\002"
+, (PRUint32)16 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_134 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Xcert Root CA v1", (PRUint32)17 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\076\061\041\060\037\006\003\125\004\012\023\030\130\143\145"
+"\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154"
+"\040\111\156\143\056\061\031\060\027\006\003\125\004\013\023\020"
+"\130\143\145\162\164\040\122\157\157\164\040\103\101\040\166\061"
+, (PRUint32)64 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\076\061\041\060\037\006\003\125\004\012\023\030\130\143\145"
+"\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154"
+"\040\111\156\143\056\061\031\060\027\006\003\125\004\013\023\020"
+"\130\143\145\162\164\040\122\157\157\164\040\103\101\040\166\061"
+, (PRUint32)64 },
+  { (void *)"\012\001\001\001\000\000\002\174\000\000\000\004\000\000\000\002"
+, (PRUint32)16 },
+  { (void *)"\060\202\002\377\060\202\001\347\002\020\012\001\001\001\000\000"
+"\002\174\000\000\000\004\000\000\000\002\060\015\006\011\052\206"
+"\110\206\367\015\001\001\005\005\000\060\076\061\041\060\037\006"
+"\003\125\004\012\023\030\130\143\145\162\164\040\111\156\164\145"
+"\162\156\141\164\151\157\156\141\154\040\111\156\143\056\061\031"
+"\060\027\006\003\125\004\013\023\020\130\143\145\162\164\040\122"
+"\157\157\164\040\103\101\040\166\061\060\036\027\015\060\060\060"
+"\070\061\070\061\070\064\060\065\060\132\027\015\062\065\060\070"
+"\061\065\061\071\060\060\063\070\132\060\076\061\041\060\037\006"
+"\003\125\004\012\023\030\130\143\145\162\164\040\111\156\164\145"
+"\162\156\141\164\151\157\156\141\154\040\111\156\143\056\061\031"
+"\060\027\006\003\125\004\013\023\020\130\143\145\162\164\040\122"
+"\157\157\164\040\103\101\040\166\061\060\202\001\042\060\015\006"
+"\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017"
+"\000\060\202\001\012\002\202\001\001\000\301\222\253\362\266\065"
+"\066\002\110\017\205\364\116\057\202\145\315\110\276\261\267\075"
+"\263\173\256\272\062\064\206\074\230\277\370\260\275\373\302\314"
+"\366\011\227\070\134\215\245\043\116\341\310\204\346\220\147\164"
+"\073\243\366\156\231\053\217\303\007\322\227\121\007\117\004\313"
+"\236\262\370\074\367\070\346\226\112\072\353\025\157\347\142\346"
+"\103\063\007\262\015\132\317\225\051\071\147\210\023\043\324\214"
+"\155\137\216\041\340\061\363\265\334\231\305\304\355\205\020\176"
+"\222\324\242\035\074\037\013\263\043\346\300\313\044\233\154\020"
+"\246\315\024\326\243\235\123\217\367\036\101\232\266\033\035\010"
+"\134\367\071\101\303\036\336\114\046\243\140\174\056\023\207\221"
+"\154\327\302\043\057\347\175\031\037\315\133\352\230\305\271\106"
+"\175\065\106\344\173\213\112\331\223\340\006\253\300\314\112\375"
+"\333\332\013\060\077\270\134\340\007\023\250\305\060\374\274\206"
+"\366\252\277\016\143\057\217\111\162\020\321\236\205\371\101\355"
+"\110\074\170\014\375\240\052\006\033\257\323\335\147\057\354\110"
+"\057\121\111\066\042\267\110\315\111\357\002\003\001\000\001\060"
+"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003\202"
+"\001\001\000\250\334\263\040\056\375\127\110\020\017\346\215\140"
+"\122\033\166\035\234\146\240\157\372\150\006\330\247\234\313\241"
+"\014\216\045\350\256\307\337\072\160\255\251\370\052\044\274\274"
+"\307\252\307\011\267\273\020\351\037\132\325\242\001\106\213\005"
+"\304\243\165\111\013\100\307\261\153\237\333\130\026\143\062\204"
+"\132\020\215\142\226\253\230\146\233\272\372\126\010\033\272\142"
+"\363\357\071\153\374\144\261\311\256\357\136\224\341\242\200\371"
+"\010\203\026\022\066\226\331\011\220\331\230\072\257\075\205\330"
+"\221\052\222\034\134\271\314\325\134\163\070\216\173\163\122\014"
+"\272\237\362\216\277\310\174\012\023\272\162\221\240\073\040\357"
+"\211\052\303\014\200\151\126\163\020\364\140\031\340\036\026\112"
+"\144\253\374\106\072\320\013\323\227\261\134\331\234\254\030\072"
+"\040\007\172\042\371\267\020\145\272\354\346\123\324\252\344\303"
+"\101\274\233\337\302\335\232\001\106\324\216\105\355\311\312\026"
+"\064\204\215\062\124\074\124\142\220\215\032\146\122\315\372\034"
+"\314\014\374\261\343\223\310\247\331\353\150\143\217\320\176\056"
+"\055\335\051"
+, (PRUint32)771 }
+};
+static const NSSItem nss_builtins_items_135 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Xcert Root CA v1", (PRUint32)17 },
+  { (void *)"\252\070\226\073\042\304\350\333\032\031\107\202\076\257\220\003"
+"\207\102\254\345"
+, (PRUint32)20 },
+  { (void *)"\111\216\265\061\147\112\303\226\274\213\257\160\026\303\005\111"
+, (PRUint32)16 },
+  { (void *)"\060\076\061\041\060\037\006\003\125\004\012\023\030\130\143\145"
+"\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154"
+"\040\111\156\143\056\061\031\060\027\006\003\125\004\013\023\020"
+"\130\143\145\162\164\040\122\157\157\164\040\103\101\040\166\061"
+, (PRUint32)64 },
+  { (void *)"\012\001\001\001\000\000\002\174\000\000\000\004\000\000\000\002"
+, (PRUint32)16 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_136 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Xcert Root CA v1 1024", (PRUint32)22 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\103\061\041\060\037\006\003\125\004\012\023\030\130\143\145"
+"\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154"
+"\040\111\156\143\056\061\036\060\034\006\003\125\004\013\023\025"
+"\130\143\145\162\164\040\122\157\157\164\040\103\101\040\166\061"
+"\040\061\060\062\064"
+, (PRUint32)69 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\103\061\041\060\037\006\003\125\004\012\023\030\130\143\145"
+"\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154"
+"\040\111\156\143\056\061\036\060\034\006\003\125\004\013\023\025"
+"\130\143\145\162\164\040\122\157\157\164\040\103\101\040\166\061"
+"\040\061\060\062\064"
+, (PRUint32)69 },
+  { (void *)"\012\001\001\001\000\000\002\174\000\000\000\005\000\000\000\002"
+, (PRUint32)16 },
+  { (void *)"\060\202\002\004\060\202\001\155\002\020\012\001\001\001\000\000"
+"\002\174\000\000\000\005\000\000\000\002\060\015\006\011\052\206"
+"\110\206\367\015\001\001\005\005\000\060\103\061\041\060\037\006"
+"\003\125\004\012\023\030\130\143\145\162\164\040\111\156\164\145"
+"\162\156\141\164\151\157\156\141\154\040\111\156\143\056\061\036"
+"\060\034\006\003\125\004\013\023\025\130\143\145\162\164\040\122"
+"\157\157\164\040\103\101\040\166\061\040\061\060\062\064\060\036"
+"\027\015\060\060\060\070\061\070\061\070\065\060\065\066\132\027"
+"\015\062\065\060\070\061\065\061\071\060\061\060\070\132\060\103"
+"\061\041\060\037\006\003\125\004\012\023\030\130\143\145\162\164"
+"\040\111\156\164\145\162\156\141\164\151\157\156\141\154\040\111"
+"\156\143\056\061\036\060\034\006\003\125\004\013\023\025\130\143"
+"\145\162\164\040\122\157\157\164\040\103\101\040\166\061\040\061"
+"\060\062\064\060\201\237\060\015\006\011\052\206\110\206\367\015"
+"\001\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000"
+"\247\011\303\322\251\246\031\160\354\051\351\105\173\066\340\352"
+"\076\311\231\160\100\321\266\140\364\335\043\307\131\171\235\036"
+"\245\276\065\143\000\346\300\056\154\100\123\346\321\166\106\361"
+"\240\313\203\105\124\230\031\317\173\232\070\370\164\063\063\077"
+"\251\045\040\050\046\135\050\161\106\206\040\075\060\053\253\346"
+"\115\372\077\352\104\100\114\373\163\324\334\226\164\364\116\344"
+"\152\035\033\227\240\174\060\341\300\163\266\015\242\167\172\361"
+"\030\370\112\161\161\236\370\250\165\376\142\370\252\075\317\175"
+"\002\003\001\000\001\060\015\006\011\052\206\110\206\367\015\001"
+"\001\005\005\000\003\201\201\000\173\323\325\114\177\114\242\176"
+"\174\327\126\141\331\225\230\205\212\327\111\334\214\107\252\007"
+"\354\270\333\171\044\236\347\245\222\127\146\011\217\024\260\376"
+"\004\362\275\121\020\270\070\303\241\022\333\220\203\176\265\143"
+"\130\253\063\255\227\036\106\120\102\020\254\310\253\055\035\065"
+"\154\306\346\103\120\050\003\241\254\373\021\225\377\351\325\112"
+"\017\221\345\003\344\210\060\074\034\166\321\227\360\012\324\207"
+"\240\014\232\217\141\316\332\176\162\263\073\120\300\200\204\017"
+"\041\040\224\150\052\332\214\276"
+, (PRUint32)520 }
+};
+static const NSSItem nss_builtins_items_137 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Xcert Root CA v1 1024", (PRUint32)22 },
+  { (void *)"\042\072\107\064\216\347\211\332\165\206\073\031\062\260\146\340"
+"\264\121\247\064"
+, (PRUint32)20 },
+  { (void *)"\100\212\076\322\066\036\040\237\374\055\066\253\350\371\202\062"
+, (PRUint32)16 },
+  { (void *)"\060\103\061\041\060\037\006\003\125\004\012\023\030\130\143\145"
+"\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154"
+"\040\111\156\143\056\061\036\060\034\006\003\125\004\013\023\025"
+"\130\143\145\162\164\040\122\157\157\164\040\103\101\040\166\061"
+"\040\061\060\062\064"
+, (PRUint32)69 },
+  { (void *)"\012\001\001\001\000\000\002\174\000\000\000\005\000\000\000\002"
+, (PRUint32)16 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_138 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Xcert EZ", (PRUint32)9 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\214\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061"
+"\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114"
+"\141\153\145\040\103\151\164\171\061\030\060\026\006\003\125\004"
+"\012\023\017\130\143\145\162\164\040\105\132\040\142\171\040\104"
+"\123\124\061\030\060\026\006\003\125\004\003\023\017\130\143\145"
+"\162\164\040\105\132\040\142\171\040\104\123\124\061\041\060\037"
+"\006\011\052\206\110\206\367\015\001\011\001\026\022\143\141\100"
+"\144\151\147\163\151\147\164\162\165\163\164\056\143\157\155"
+, (PRUint32)143 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\214\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061"
+"\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114"
+"\141\153\145\040\103\151\164\171\061\030\060\026\006\003\125\004"
+"\012\023\017\130\143\145\162\164\040\105\132\040\142\171\040\104"
+"\123\124\061\030\060\026\006\003\125\004\003\023\017\130\143\145"
+"\162\164\040\105\132\040\142\171\040\104\123\124\061\041\060\037"
+"\006\011\052\206\110\206\367\015\001\011\001\026\022\143\141\100"
+"\144\151\147\163\151\147\164\162\165\163\164\056\143\157\155"
+, (PRUint32)143 },
+  { (void *)"\000\320\036\100\220\000\000\047\113\000\000\000\001\000\000\000"
+"\004"
+, (PRUint32)17 },
+  { (void *)"\060\202\003\370\060\202\002\340\240\003\002\001\002\002\021\000"
+"\320\036\100\220\000\000\047\113\000\000\000\001\000\000\000\004"
+"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
+"\201\214\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061\027"
+"\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141"
+"\153\145\040\103\151\164\171\061\030\060\026\006\003\125\004\012"
+"\023\017\130\143\145\162\164\040\105\132\040\142\171\040\104\123"
+"\124\061\030\060\026\006\003\125\004\003\023\017\130\143\145\162"
+"\164\040\105\132\040\142\171\040\104\123\124\061\041\060\037\006"
+"\011\052\206\110\206\367\015\001\011\001\026\022\143\141\100\144"
+"\151\147\163\151\147\164\162\165\163\164\056\143\157\155\060\036"
+"\027\015\071\071\060\067\061\064\061\066\061\064\061\070\132\027"
+"\015\060\071\060\067\061\061\061\066\061\064\061\070\132\060\201"
+"\214\061\013\060\011\006\003\125\004\006\023\002\125\123\061\015"
+"\060\013\006\003\125\004\010\023\004\125\164\141\150\061\027\060"
+"\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153"
+"\145\040\103\151\164\171\061\030\060\026\006\003\125\004\012\023"
+"\017\130\143\145\162\164\040\105\132\040\142\171\040\104\123\124"
+"\061\030\060\026\006\003\125\004\003\023\017\130\143\145\162\164"
+"\040\105\132\040\142\171\040\104\123\124\061\041\060\037\006\011"
+"\052\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151"
+"\147\163\151\147\164\162\165\163\164\056\143\157\155\060\202\001"
+"\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000"
+"\003\202\001\017\000\060\202\001\012\002\202\001\001\000\255\124"
+"\030\336\264\277\367\255\350\164\252\355\213\174\217\302\324\165"
+"\032\325\204\271\266\142\374\211\357\344\227\141\222\373\035\270"
+"\341\132\107\064\236\236\006\042\373\323\352\070\313\270\213\007"
+"\367\032\240\027\167\007\132\060\034\324\051\070\040\327\047\100"
+"\330\120\223\103\277\322\030\242\051\166\005\162\252\153\266\151"
+"\230\253\171\036\034\145\365\152\213\374\305\026\252\242\162\332"
+"\140\355\116\156\031\045\172\012\035\060\343\120\233\102\074\104"
+"\353\241\260\040\036\333\002\176\376\075\037\277\320\000\212\333"
+"\100\166\246\030\245\025\247\127\266\122\302\001\027\230\167\217"
+"\212\201\306\032\264\152\052\346\257\251\326\000\254\317\330\025"
+"\111\174\333\033\241\376\201\372\207\371\323\220\301\002\300\371"
+"\320\102\351\221\150\045\137\306\277\207\071\351\225\000\140\050"
+"\277\203\054\300\347\136\266\327\066\026\347\140\207\166\350\347"
+"\047\262\045\015\213\172\345\252\035\345\131\315\316\013\016\157"
+"\306\310\234\343\020\331\205\071\323\267\233\372\306\272\174\164"
+"\322\135\165\126\253\164\244\242\121\277\122\174\356\161\002\003"
+"\001\000\001\243\123\060\121\060\017\006\003\125\035\023\001\001"
+"\377\004\005\060\003\001\001\377\060\037\006\003\125\035\043\004"
+"\030\060\026\200\024\010\040\154\146\353\201\012\154\134\325\265"
+"\246\074\101\335\034\226\221\047\167\060\035\006\003\125\035\016"
+"\004\026\004\024\010\040\154\146\353\201\012\154\134\325\265\246"
+"\074\101\335\034\226\221\047\167\060\015\006\011\052\206\110\206"
+"\367\015\001\001\005\005\000\003\202\001\001\000\132\207\130\217"
+"\055\253\166\041\153\124\014\331\361\101\366\116\315\053\236\343"
+"\037\233\243\055\177\331\053\175\130\310\147\244\051\365\351\354"
+"\325\275\226\077\243\163\370\304\133\066\174\320\143\054\064\071"
+"\233\110\270\075\157\366\024\305\236\143\346\247\064\156\323\350"
+"\063\263\307\074\030\156\043\256\103\222\231\077\230\305\151\060"
+"\361\066\073\255\271\060\202\326\266\131\026\226\002\013\051\022"
+"\141\264\021\211\367\014\057\224\220\205\230\050\234\123\154\176"
+"\143\335\163\364\031\377\112\201\321\262\122\043\375\074\112\064"
+"\316\132\033\340\120\212\355\117\201\225\330\140\347\344\304\015"
+"\273\130\076\130\367\116\150\157\076\147\311\313\172\227\026\047"
+"\354\102\141\024\166\273\000\305\353\010\075\025\177\113\266\042"
+"\135\207\073\220\364\363\300\376\067\263\351\331\142\014\300\303"
+"\131\257\140\275\037\015\333\241\064\037\060\304\075\213\255\260"
+"\035\004\223\355\137\325\344\277\040\060\004\364\110\351\063\001"
+"\321\056\220\047\122\263\233\336\072\034\253\251\227\177\233\353"
+"\302\215\302\155\354\334\023\323\106\305\171\174"
+, (PRUint32)1020 }
+};
+static const NSSItem nss_builtins_items_139 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Xcert EZ", (PRUint32)9 },
+  { (void *)"\150\355\030\263\011\315\122\221\300\323\065\174\035\021\101\277"
+"\210\070\146\261"
+, (PRUint32)20 },
+  { (void *)"\202\022\367\211\341\013\221\140\244\266\042\237\224\150\021\222"
+, (PRUint32)16 },
+  { (void *)"\060\201\214\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061"
+"\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114"
+"\141\153\145\040\103\151\164\171\061\030\060\026\006\003\125\004"
+"\012\023\017\130\143\145\162\164\040\105\132\040\142\171\040\104"
+"\123\124\061\030\060\026\006\003\125\004\003\023\017\130\143\145"
+"\162\164\040\105\132\040\142\171\040\104\123\124\061\041\060\037"
+"\006\011\052\206\110\206\367\015\001\011\001\026\022\143\141\100"
+"\144\151\147\163\151\147\164\162\165\163\164\056\143\157\155"
+, (PRUint32)143 },
+  { (void *)"\000\320\036\100\220\000\000\047\113\000\000\000\001\000\000\000"
+"\004"
+, (PRUint32)17 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_140 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"CertEngine CA", (PRUint32)14 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101"
+"\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060"
+"\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061"
+"\030\060\026\006\003\125\004\012\023\017\103\145\162\164\105\156"
+"\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125"
+"\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151"
+"\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\143"
+"\145\162\164\145\156\147\151\156\145\061\040\060\036\006\011\052"
+"\206\110\206\367\015\001\011\001\026\021\143\141\100\143\145\162"
+"\164\145\156\147\151\156\145\056\143\157\155"
+, (PRUint32)171 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101"
+"\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060"
+"\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061"
+"\030\060\026\006\003\125\004\012\023\017\103\145\162\164\105\156"
+"\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125"
+"\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151"
+"\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\143"
+"\145\162\164\145\156\147\151\156\145\061\040\060\036\006\011\052"
+"\206\110\206\367\015\001\011\001\026\021\143\141\100\143\145\162"
+"\164\145\156\147\151\156\145\056\143\157\155"
+, (PRUint32)171 },
+  { (void *)"\000"
+, (PRUint32)1 },
+  { (void *)"\060\202\003\335\060\202\002\305\240\003\002\001\002\002\001\000"
+"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
+"\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101\061"
+"\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060\016"
+"\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061\030"
+"\060\026\006\003\125\004\012\023\017\103\145\162\164\105\156\147"
+"\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125\004"
+"\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157\156"
+"\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151\163"
+"\151\157\156\061\023\060\021\006\003\125\004\003\023\012\143\145"
+"\162\164\145\156\147\151\156\145\061\040\060\036\006\011\052\206"
+"\110\206\367\015\001\011\001\026\021\143\141\100\143\145\162\164"
+"\145\156\147\151\156\145\056\143\157\155\060\036\027\015\071\070"
+"\060\061\060\061\060\060\060\060\060\060\132\027\015\063\070\060"
+"\061\061\067\060\060\060\060\060\060\132\060\201\250\061\013\060"
+"\011\006\003\125\004\006\023\002\103\101\061\013\060\011\006\003"
+"\125\004\010\023\002\117\116\061\020\060\016\006\003\125\004\007"
+"\023\007\124\157\162\157\156\164\157\061\030\060\026\006\003\125"
+"\004\012\023\017\103\145\162\164\105\156\147\151\156\145\040\111"
+"\156\143\056\061\051\060\047\006\003\125\004\013\023\040\103\145"
+"\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150"
+"\157\162\151\164\171\040\104\151\166\151\163\151\157\156\061\023"
+"\060\021\006\003\125\004\003\023\012\143\145\162\164\145\156\147"
+"\151\156\145\061\040\060\036\006\011\052\206\110\206\367\015\001"
+"\011\001\026\021\143\141\100\143\145\162\164\145\156\147\151\156"
+"\145\056\143\157\155\060\202\001\042\060\015\006\011\052\206\110"
+"\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001"
+"\012\002\202\001\001\000\355\244\327\121\024\241\151\345\155\366"
+"\357\335\077\164\066\165\130\233\336\064\302\146\361\062\163\254"
+"\237\244\150\032\141\147\260\135\153\217\340\163\222\174\216\041"
+"\031\226\345\156\231\176\167\062\134\351\030\341\107\352\140\270"
+"\204\155\155\076\105\044\037\022\044\150\321\252\213\243\004\103"
+"\220\073\033\125\265\315\237\214\317\103\252\035\042\072\363\026"
+"\131\056\233\273\021\306\347\221\225\254\160\020\150\356\107\134"
+"\104\234\051\000\132\365\234\215\232\224\227\075\061\001\254\063"
+"\036\217\123\200\030\351\034\347\156\077\115\232\340\024\361\170"
+"\002\042\113\056\114\102\160\377\015\273\065\012\225\155\326\314"
+"\323\022\112\200\255\216\105\012\313\214\043\110\271\100\130\041"
+"\114\321\077\103\177\257\376\147\306\124\101\074\307\240\240\203"
+"\235\301\371\102\174\247\167\260\345\073\002\220\330\234\060\305"
+"\030\130\032\041\225\115\103\164\031\112\273\250\015\165\221\155"
+"\376\276\166\305\172\302\220\136\201\172\243\143\325\307\333\066"
+"\141\173\342\043\143\127\135\110\331\322\225\147\262\161\102\163"
+"\216\117\233\305\350\217\002\003\001\000\001\243\020\060\016\060"
+"\014\006\003\125\035\023\004\005\060\003\001\001\377\060\015\006"
+"\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001"
+"\000\117\375\241\316\050\235\064\002\114\334\364\165\214\325\175"
+"\364\206\125\231\024\026\220\213\212\152\017\205\041\223\317\251"
+"\053\074\360\024\376\103\104\260\116\317\304\330\005\273\135\136"
+"\264\272\207\025\114\257\153\052\132\150\125\222\354\236\245\150"
+"\107\145\254\312\033\041\330\377\055\005\154\345\354\173\000\025"
+"\325\014\161\113\054\173\275\357\075\244\042\257\343\374\064\255"
+"\007\017\367\136\242\035\317\030\375\060\251\233\076\336\041\066"
+"\267\030\207\176\360\177\327\115\240\142\360\140\151\365\177\116"
+"\303\311\266\344\131\204\007\123\123\371\342\160\171\373\337\164"
+"\252\060\217\056\055\112\212\312\165\157\336\046\312\161\066\344"
+"\322\104\151\224\313\301\273\325\156\135\142\370\051\002\134\172"
+"\231\331\307\313\074\104\032\364\130\064\322\066\155\055\042\175"
+"\170\033\020\123\126\251\046\254\366\255\370\171\256\112\072\231"
+"\011\273\304\377\053\045\337\111\276\253\074\353\001\111\275\055"
+"\300\312\060\300\153\102\124\175\202\340\274\077\363\072\064\022"
+"\070\114\245\063\254\075\253\233\343\117\017\255\237\215\103\146"
+"\345"
+, (PRUint32)993 }
+};
+static const NSSItem nss_builtins_items_141 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"CertEngine CA", (PRUint32)14 },
+  { (void *)"\301\202\340\336\254\032\145\113\262\022\013\204\012\205\326\300"
+"\267\077\264\154"
+, (PRUint32)20 },
+  { (void *)"\072\276\220\341\242\032\164\211\157\217\240\057\040\204\350\123"
+, (PRUint32)16 },
+  { (void *)"\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101"
+"\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060"
+"\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061"
+"\030\060\026\006\003\125\004\012\023\017\103\145\162\164\105\156"
+"\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125"
+"\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151"
+"\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\143"
+"\145\162\164\145\156\147\151\156\145\061\040\060\036\006\011\052"
+"\206\110\206\367\015\001\011\001\026\021\143\141\100\143\145\162"
+"\164\145\156\147\151\156\145\056\143\157\155"
+, (PRUint32)171 },
+  { (void *)"\000"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_142 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"BankEngine CA", (PRUint32)14 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101"
+"\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060"
+"\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061"
+"\030\060\026\006\003\125\004\012\023\017\102\141\156\153\105\156"
+"\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125"
+"\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151"
+"\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\142"
+"\141\156\153\145\156\147\151\156\145\061\040\060\036\006\011\052"
+"\206\110\206\367\015\001\011\001\026\021\143\141\100\142\141\156"
+"\153\145\156\147\151\156\145\056\143\157\155"
+, (PRUint32)171 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101"
+"\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060"
+"\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061"
+"\030\060\026\006\003\125\004\012\023\017\102\141\156\153\105\156"
+"\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125"
+"\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151"
+"\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\142"
+"\141\156\153\145\156\147\151\156\145\061\040\060\036\006\011\052"
+"\206\110\206\367\015\001\011\001\026\021\143\141\100\142\141\156"
+"\153\145\156\147\151\156\145\056\143\157\155"
+, (PRUint32)171 },
+  { (void *)"\000"
+, (PRUint32)1 },
+  { (void *)"\060\202\003\335\060\202\002\305\240\003\002\001\002\002\001\000"
+"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
+"\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101\061"
+"\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060\016"
+"\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061\030"
+"\060\026\006\003\125\004\012\023\017\102\141\156\153\105\156\147"
+"\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125\004"
+"\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157\156"
+"\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151\163"
+"\151\157\156\061\023\060\021\006\003\125\004\003\023\012\142\141"
+"\156\153\145\156\147\151\156\145\061\040\060\036\006\011\052\206"
+"\110\206\367\015\001\011\001\026\021\143\141\100\142\141\156\153"
+"\145\156\147\151\156\145\056\143\157\155\060\036\027\015\071\070"
+"\060\061\060\061\060\060\060\060\060\060\132\027\015\063\070\060"
+"\061\061\067\060\060\060\060\060\060\132\060\201\250\061\013\060"
+"\011\006\003\125\004\006\023\002\103\101\061\013\060\011\006\003"
+"\125\004\010\023\002\117\116\061\020\060\016\006\003\125\004\007"
+"\023\007\124\157\162\157\156\164\157\061\030\060\026\006\003\125"
+"\004\012\023\017\102\141\156\153\105\156\147\151\156\145\040\111"
+"\156\143\056\061\051\060\047\006\003\125\004\013\023\040\103\145"
+"\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150"
+"\157\162\151\164\171\040\104\151\166\151\163\151\157\156\061\023"
+"\060\021\006\003\125\004\003\023\012\142\141\156\153\145\156\147"
+"\151\156\145\061\040\060\036\006\011\052\206\110\206\367\015\001"
+"\011\001\026\021\143\141\100\142\141\156\153\145\156\147\151\156"
+"\145\056\143\157\155\060\202\001\042\060\015\006\011\052\206\110"
+"\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001"
+"\012\002\202\001\001\000\327\202\350\115\100\045\327\370\104\313"
+"\342\241\326\102\307\210\027\126\333\060\367\127\202\041\063\274"
+"\161\115\122\254\142\302\007\347\251\353\353\320\023\114\214\124"
+"\077\176\236\107\067\231\327\176\352\267\120\061\034\130\303\012"
+"\047\144\336\155\124\227\251\171\364\372\350\075\354\135\262\122"
+"\313\063\151\351\063\167\366\162\327\240\372\332\062\211\210\222"
+"\020\222\243\313\062\056\327\021\165\217\332\263\032\114\246\111"
+"\217\370\016\305\313\144\331\075\025\247\063\304\311\077\072\207"
+"\072\072\315\114\334\013\336\254\276\025\033\212\330\041\276\237"
+"\171\035\366\160\202\211\365\015\137\032\354\212\223\270\251\253"
+"\125\320\174\365\274\153\304\340\145\326\307\155\356\324\364\151"
+"\067\211\253\006\060\161\357\245\037\104\247\171\206\156\007\123"
+"\271\017\174\110\021\056\043\007\265\005\100\206\203\363\027\245"
+"\134\270\360\303\127\174\003\050\264\030\006\303\212\145\367\052"
+"\222\214\311\342\330\120\176\023\324\075\014\161\154\331\030\027"
+"\062\254\312\272\217\063\160\374\112\307\151\031\350\012\343\363"
+"\355\273\167\015\234\225\002\003\001\000\001\243\020\060\016\060"
+"\014\006\003\125\035\023\004\005\060\003\001\001\377\060\015\006"
+"\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001"
+"\000\132\272\352\107\137\321\041\244\057\353\347\267\172\157\231"
+"\044\171\153\350\202\174\110\077\337\377\114\356\042\303\172\233"
+"\314\205\304\220\365\346\046\154\025\316\134\350\050\225\252\213"
+"\046\276\153\015\175\110\375\076\033\240\263\260\123\201\243\377"
+"\136\206\154\376\205\237\033\205\205\370\062\071\126\315\176\156"
+"\116\171\041\317\136\366\217\327\316\005\111\253\115\123\344\161"
+"\022\054\353\070\302\017\223\320\000\152\001\074\375\177\145\334"
+"\266\067\176\245\147\105\073\226\015\073\072\230\253\217\374\211"
+"\075\042\136\063\150\364\177\002\005\002\272\042\125\311\057\165"
+"\075\001\127\000\172\113\367\017\150\004\006\076\010\133\156\275"
+"\130\031\051\230\254\312\342\112\377\066\344\202\311\121\374\163"
+"\254\226\056\234\144\175\026\046\075\071\276\376\217\002\160\211"
+"\223\022\340\054\122\076\113\156\267\032\377\336\023\257\257\137"
+"\200\055\056\310\161\126\244\206\020\067\076\346\100\045\267\107"
+"\025\027\045\107\332\214\063\306\201\234\026\146\177\345\057\334"
+"\255\356\205\077\224\007\074\330\353\236\024\365\210\265\045\211"
+"\300"
+, (PRUint32)993 }
+};
+static const NSSItem nss_builtins_items_143 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"BankEngine CA", (PRUint32)14 },
+  { (void *)"\174\366\047\174\203\221\226\137\011\161\303\227\066\111\273\003"
+"\233\175\076\211"
+, (PRUint32)20 },
+  { (void *)"\077\126\162\302\341\064\321\166\123\063\106\341\215\272\223\166"
+, (PRUint32)16 },
+  { (void *)"\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101"
+"\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060"
+"\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061"
+"\030\060\026\006\003\125\004\012\023\017\102\141\156\153\105\156"
+"\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125"
+"\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151"
+"\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\142"
+"\141\156\153\145\156\147\151\156\145\061\040\060\036\006\011\052"
+"\206\110\206\367\015\001\011\001\026\021\143\141\100\142\141\156"
+"\153\145\156\147\151\156\145\056\143\157\155"
+, (PRUint32)171 },
+  { (void *)"\000"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_144 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"FortEngine CA", (PRUint32)14 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101"
+"\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060"
+"\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061"
+"\030\060\026\006\003\125\004\012\023\017\106\157\162\164\105\156"
+"\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125"
+"\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151"
+"\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\146"
+"\157\162\164\145\156\147\151\156\145\061\040\060\036\006\011\052"
+"\206\110\206\367\015\001\011\001\026\021\143\141\100\146\157\162"
+"\164\145\156\147\151\156\145\056\143\157\155"
+, (PRUint32)171 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101"
+"\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060"
+"\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061"
+"\030\060\026\006\003\125\004\012\023\017\106\157\162\164\105\156"
+"\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125"
+"\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151"
+"\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\146"
+"\157\162\164\145\156\147\151\156\145\061\040\060\036\006\011\052"
+"\206\110\206\367\015\001\011\001\026\021\143\141\100\146\157\162"
+"\164\145\156\147\151\156\145\056\143\157\155"
+, (PRUint32)171 },
+  { (void *)"\000"
+, (PRUint32)1 },
+  { (void *)"\060\202\005\335\060\202\003\305\240\003\002\001\002\002\001\000"
+"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
+"\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101\061"
+"\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060\016"
+"\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061\030"
+"\060\026\006\003\125\004\012\023\017\106\157\162\164\105\156\147"
+"\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125\004"
+"\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157\156"
+"\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151\163"
+"\151\157\156\061\023\060\021\006\003\125\004\003\023\012\146\157"
+"\162\164\145\156\147\151\156\145\061\040\060\036\006\011\052\206"
+"\110\206\367\015\001\011\001\026\021\143\141\100\146\157\162\164"
+"\145\156\147\151\156\145\056\143\157\155\060\036\027\015\071\070"
+"\060\061\060\061\060\060\060\060\060\060\132\027\015\063\070\060"
+"\061\061\067\060\060\060\060\060\060\132\060\201\250\061\013\060"
+"\011\006\003\125\004\006\023\002\103\101\061\013\060\011\006\003"
+"\125\004\010\023\002\117\116\061\020\060\016\006\003\125\004\007"
+"\023\007\124\157\162\157\156\164\157\061\030\060\026\006\003\125"
+"\004\012\023\017\106\157\162\164\105\156\147\151\156\145\040\111"
+"\156\143\056\061\051\060\047\006\003\125\004\013\023\040\103\145"
+"\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150"
+"\157\162\151\164\171\040\104\151\166\151\163\151\157\156\061\023"
+"\060\021\006\003\125\004\003\023\012\146\157\162\164\145\156\147"
+"\151\156\145\061\040\060\036\006\011\052\206\110\206\367\015\001"
+"\011\001\026\021\143\141\100\146\157\162\164\145\156\147\151\156"
+"\145\056\143\157\155\060\202\002\042\060\015\006\011\052\206\110"
+"\206\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002"
+"\012\002\202\002\001\000\312\276\306\156\234\003\307\035\157\334"
+"\106\033\243\110\034\073\351\142\200\110\145\016\241\266\173\273"
+"\277\001\265\206\241\120\052\163\317\252\351\253\224\045\113\163"
+"\342\056\350\207\114\215\151\333\265\243\331\051\135\157\263\236"
+"\110\016\323\071\153\202\061\254\222\252\214\073\132\050\246\234"
+"\323\045\321\162\374\377\040\107\254\165\042\353\367\221\153\127"
+"\072\354\360\074\361\043\277\117\113\132\130\162\046\303\176\241"
+"\116\063\265\065\137\323\262\064\103\334\330\272\227\050\015\016"
+"\174\134\244\141\170\217\112\164\060\166\015\204\246\307\054\000"
+"\131\042\320\300\207\206\321\006\273\202\372\044\171\011\151\222"
+"\011\004\013\273\342\021\347\011\337\276\166\051\160\111\036\170"
+"\173\002\316\165\233\031\345\246\141\272\260\074\272\354\111\142"
+"\034\074\071\264\161\023\106\246\355\236\307\006\006\073\044\031"
+"\000\152\107\234\155\357\344\047\236\330\131\254\337\007\044\160"
+"\350\153\334\340\031\352\141\302\054\341\220\276\070\225\162\305"
+"\140\257\126\345\170\105\155\271\160\331\317\246\001\301\344\242"
+"\104\142\300\076\302\075\342\050\310\075\232\374\227\060\336\176"
+"\141\172\002\223\224\330\135\340\021\106\124\136\211\107\270\005"
+"\070\131\066\101\361\327\212\336\156\266\033\042\217\325\341\227"
+"\265\200\201\005\052\056\010\040\017\323\051\206\243\337\342\166"
+"\072\350\346\124\045\137\131\262\140\176\101\372\174\122\054\301"
+"\321\140\016\172\006\234\264\245\162\106\241\355\105\257\212\040"
+"\105\320\134\333\131\202\067\046\062\117\102\142\103\364\234\206"
+"\312\266\002\227\150\176\276\365\123\007\064\352\362\012\161\104"
+"\356\224\254\270\365\044\312\231\334\025\140\207\031\047\242\024"
+"\355\360\343\016\011\341\313\045\267\020\100\015\014\361\175\033"
+"\271\051\231\345\116\204\015\355\265\151\043\364\067\326\325\127"
+"\023\226\343\254\227\052\350\350\377\071\072\231\334\200\376\072"
+"\246\344\121\320\040\322\010\043\104\247\023\203\031\313\035\337"
+"\300\154\314\311\350\373\034\224\060\337\355\302\354\321\144\245"
+"\304\314\120\107\374\371\154\324\223\326\263\155\117\332\354\212"
+"\375\223\072\027\357\010\034\116\364\003\243\006\052\016\360\362"
+"\316\323\175\207\114\321\002\003\001\000\001\243\020\060\016\060"
+"\014\006\003\125\035\023\004\005\060\003\001\001\377\060\015\006"
+"\011\052\206\110\206\367\015\001\001\005\005\000\003\202\002\001"
+"\000\127\040\151\075\147\323\331\123\262\275\132\154\224\142\261"
+"\362\035\076\011\143\374\162\051\162\200\144\155\144\236\135\000"
+"\234\334\377\375\121\020\001\335\274\257\223\201\236\005\243\075"
+"\335\250\170\127\043\344\115\067\101\151\316\345\232\140\310\326"
+"\145\064\264\220\011\234\071\013\206\143\123\250\340\361\245\074"
+"\162\066\326\223\163\333\332\005\015\062\153\321\231\213\004\236"
+"\011\051\133\004\332\312\011\203\236\143\166\117\114\144\160\073"
+"\053\377\373\034\177\121\262\152\326\144\341\071\015\220\345\257"
+"\032\172\372\166\242\306\023\060\236\123\312\052\053\010\313\321"
+"\215\145\103\352\031\325\026\000\023\035\007\360\124\125\123\145"
+"\065\116\123\265\152\110\135\100\245\061\337\032\371\352\012\160"
+"\213\101\171\205\350\302\101\316\006\230\247\076\100\327\335\311"
+"\105\014\205\037\132\054\064\106\215\074\263\304\253\254\132\221"
+"\361\054\360\156\270\371\331\173\365\104\316\172\240\152\202\216"
+"\171\057\045\313\161\212\023\203\127\263\134\247\032\000\026\062"
+"\031\242\100\350\233\112\272\314\372\353\115\113\013\025\012\057"
+"\076\132\057\163\174\071\206\140\013\210\063\054\205\244\357\023"
+"\131\346\334\373\047\343\044\076\026\124\104\361\352\123\146\264"
+"\042\040\154\251\146\106\102\352\127\063\322\146\032\302\347\226"
+"\161\070\130\130\141\141\124\156\044\265\014\316\216\063\121\260"
+"\334\150\245\157\226\355\301\165\315\004\361\211\145\003\237\022"
+"\012\112\076\340\265\324\066\216\053\233\304\101\041\175\126\240"
+"\257\300\314\264\007\034\065\124\331\125\104\151\032\056\172\116"
+"\233\116\072\352\055\255\072\252\013\355\206\276\045\270\206\134"
+"\157\166\371\256\100\335\016\225\171\124\303\074\366\116\274\134"
+"\025\251\215\236\340\071\342\126\160\377\306\253\056\334\154\026"
+"\141\353\162\163\360\347\177\265\262\233\246\054\075\022\345\111"
+"\061\034\333\270\322\036\213\041\132\131\317\161\376\322\262\363"
+"\270\132\037\115\370\262\062\067\037\053\140\062\035\004\340\120"
+"\046\354\256\370\015\270\260\320\121\274\205\031\127\041\164\125"
+"\044\207\073\127\334\070\104\126\174\147\236\272\130\340\025\143"
+"\101\324\352\130\213\360\356\121\245\112\340\302\217\021\020\000"
+"\347"
+, (PRUint32)1505 }
+};
+static const NSSItem nss_builtins_items_145 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"FortEngine CA", (PRUint32)14 },
+  { (void *)"\101\101\246\125\070\252\007\017\342\231\174\272\223\237\274\221"
+"\355\012\034\116"
+, (PRUint32)20 },
+  { (void *)"\225\015\273\365\336\111\267\072\266\302\311\233\100\106\036\155"
+, (PRUint32)16 },
+  { (void *)"\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101"
+"\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060"
+"\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061"
+"\030\060\026\006\003\125\004\012\023\017\106\157\162\164\105\156"
+"\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125"
+"\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151"
+"\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\146"
+"\157\162\164\145\156\147\151\156\145\061\040\060\036\006\011\052"
+"\206\110\206\367\015\001\011\001\026\021\143\141\100\146\157\162"
+"\164\145\156\147\151\156\145\056\143\157\155"
+, (PRUint32)171 },
+  { (void *)"\000"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_146 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"MailEngine CA", (PRUint32)14 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101"
+"\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060"
+"\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061"
+"\030\060\026\006\003\125\004\012\023\017\115\141\151\154\105\156"
+"\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125"
+"\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151"
+"\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\155"
+"\141\151\154\145\156\147\151\156\145\061\040\060\036\006\011\052"
+"\206\110\206\367\015\001\011\001\026\021\143\141\100\155\141\151"
+"\154\145\156\147\151\156\145\056\143\157\155"
+, (PRUint32)171 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101"
+"\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060"
+"\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061"
+"\030\060\026\006\003\125\004\012\023\017\115\141\151\154\105\156"
+"\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125"
+"\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151"
+"\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\155"
+"\141\151\154\145\156\147\151\156\145\061\040\060\036\006\011\052"
+"\206\110\206\367\015\001\011\001\026\021\143\141\100\155\141\151"
+"\154\145\156\147\151\156\145\056\143\157\155"
+, (PRUint32)171 },
+  { (void *)"\000"
+, (PRUint32)1 },
+  { (void *)"\060\202\003\335\060\202\002\305\240\003\002\001\002\002\001\000"
+"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
+"\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101\061"
+"\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060\016"
+"\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061\030"
+"\060\026\006\003\125\004\012\023\017\115\141\151\154\105\156\147"
+"\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125\004"
+"\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157\156"
+"\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151\163"
+"\151\157\156\061\023\060\021\006\003\125\004\003\023\012\155\141"
+"\151\154\145\156\147\151\156\145\061\040\060\036\006\011\052\206"
+"\110\206\367\015\001\011\001\026\021\143\141\100\155\141\151\154"
+"\145\156\147\151\156\145\056\143\157\155\060\036\027\015\071\070"
+"\060\061\060\061\060\060\060\060\060\060\132\027\015\063\070\060"
+"\061\061\067\060\060\060\060\060\060\132\060\201\250\061\013\060"
+"\011\006\003\125\004\006\023\002\103\101\061\013\060\011\006\003"
+"\125\004\010\023\002\117\116\061\020\060\016\006\003\125\004\007"
+"\023\007\124\157\162\157\156\164\157\061\030\060\026\006\003\125"
+"\004\012\023\017\115\141\151\154\105\156\147\151\156\145\040\111"
+"\156\143\056\061\051\060\047\006\003\125\004\013\023\040\103\145"
+"\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150"
+"\157\162\151\164\171\040\104\151\166\151\163\151\157\156\061\023"
+"\060\021\006\003\125\004\003\023\012\155\141\151\154\145\156\147"
+"\151\156\145\061\040\060\036\006\011\052\206\110\206\367\015\001"
+"\011\001\026\021\143\141\100\155\141\151\154\145\156\147\151\156"
+"\145\056\143\157\155\060\202\001\042\060\015\006\011\052\206\110"
+"\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001"
+"\012\002\202\001\001\000\251\171\237\261\117\245\307\343\105\232"
+"\176\255\067\136\321\114\354\232\165\321\352\056\172\377\336\274"
+"\304\014\214\223\365\063\176\264\137\123\033\270\346\053\271\111"
+"\046\270\371\152\264\067\235\061\132\054\137\011\270\320\366\123"
+"\134\377\160\263\360\353\364\327\373\133\104\336\375\302\065\100"
+"\322\215\250\254\311\100\342\123\052\167\114\117\041\060\303\063"
+"\315\366\120\237\102\154\032\003\141\205\154\152\313\070\341\105"
+"\001\255\050\276\076\306\331\374\126\301\177\363\061\240\145\211"
+"\036\356\171\146\124\254\377\026\311\103\025\071\315\242\207\113"
+"\004\001\006\212\357\111\101\057\152\252\226\322\263\155\015\165"
+"\236\213\134\362\366\003\210\223\216\173\015\024\025\267\214\203"
+"\025\042\177\311\125\134\232\311\305\073\271\355\250\026\370\203"
+"\274\263\151\221\126\134\107\260\076\216\062\035\042\351\216\163"
+"\225\122\027\114\273\313\276\034\100\056\130\302\104\166\230\262"
+"\273\120\026\003\053\243\102\143\173\132\374\056\014\360\333\014"
+"\320\132\146\275\031\164\370\015\142\275\233\125\302\242\075\361"
+"\334\103\266\236\307\171\002\003\001\000\001\243\020\060\016\060"
+"\014\006\003\125\035\023\004\005\060\003\001\001\377\060\015\006"
+"\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001"
+"\000\043\174\331\371\004\054\361\312\120\103\152\101\120\031\142"
+"\204\374\376\067\075\030\233\060\341\063\175\336\376\017\066\330"
+"\130\207\244\243\075\342\323\100\360\240\175\333\352\076\040\302"
+"\120\311\104\003\252\341\321\172\374\373\177\270\023\207\016\217"
+"\350\247\347\237\373\321\053\230\243\335\371\350\127\067\330\167"
+"\355\006\334\161\070\063\354\073\125\300\016\042\106\120\321\056"
+"\273\276\046\345\363\117\343\254\010\173\205\144\303\213\047\342"
+"\203\330\220\006\207\165\272\360\230\335\160\271\053\225\312\155"
+"\001\115\060\163\226\216\034\363\337\020\027\110\152\037\062\361"
+"\013\115\315\164\125\316\200\155\363\074\357\200\040\021\221\174"
+"\123\113\153\277\365\006\227\107\130\114\057\102\155\016\004\022"
+"\111\326\172\051\337\022\067\254\263\253\020\376\156\346\003\346"
+"\303\237\046\150\301\027\371\367\226\241\107\064\301\347\234\145"
+"\362\331\060\027\146\322\000\133\067\337\123\160\064\160\143\301"
+"\067\241\131\323\156\232\363\241\333\027\125\370\223\354\154\316"
+"\026\311\273\370\244\163\074\256\132\160\211\042\015\337\115\204"
+"\203"
+, (PRUint32)993 }
+};
+static const NSSItem nss_builtins_items_147 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"MailEngine CA", (PRUint32)14 },
+  { (void *)"\052\175\170\152\226\012\241\132\305\231\364\361\115\344\004\057"
+"\271\134\173\220"
+, (PRUint32)20 },
+  { (void *)"\257\331\256\074\245\337\007\060\040\273\005\006\306\111\161\123"
+, (PRUint32)16 },
+  { (void *)"\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101"
+"\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060"
+"\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061"
+"\030\060\026\006\003\125\004\012\023\017\115\141\151\154\105\156"
+"\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125"
+"\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157"
+"\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151"
+"\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\155"
+"\141\151\154\145\156\147\151\156\145\061\040\060\036\006\011\052"
+"\206\110\206\367\015\001\011\001\026\021\143\141\100\155\141\151"
+"\154\145\156\147\151\156\145\056\143\157\155"
+, (PRUint32)171 },
+  { (void *)"\000"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_148 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"TraderEngine CA", (PRUint32)16 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\256\061\013\060\011\006\003\125\004\006\023\002\103\101"
+"\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060"
+"\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061"
+"\032\060\030\006\003\125\004\012\023\021\124\162\141\144\145\162"
+"\105\156\147\151\156\145\040\111\156\143\056\061\051\060\047\006"
+"\003\125\004\013\023\040\103\145\162\164\151\146\151\143\141\164"
+"\151\157\156\040\101\165\164\150\157\162\151\164\171\040\104\151"
+"\166\151\163\151\157\156\061\025\060\023\006\003\125\004\003\023"
+"\014\164\162\141\144\145\162\145\156\147\151\156\145\061\042\060"
+"\040\006\011\052\206\110\206\367\015\001\011\001\026\023\143\141"
+"\100\164\162\141\144\145\162\145\156\147\151\156\145\056\143\157"
+"\155"
+, (PRUint32)177 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\256\061\013\060\011\006\003\125\004\006\023\002\103\101"
+"\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060"
+"\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061"
+"\032\060\030\006\003\125\004\012\023\021\124\162\141\144\145\162"
+"\105\156\147\151\156\145\040\111\156\143\056\061\051\060\047\006"
+"\003\125\004\013\023\040\103\145\162\164\151\146\151\143\141\164"
+"\151\157\156\040\101\165\164\150\157\162\151\164\171\040\104\151"
+"\166\151\163\151\157\156\061\025\060\023\006\003\125\004\003\023"
+"\014\164\162\141\144\145\162\145\156\147\151\156\145\061\042\060"
+"\040\006\011\052\206\110\206\367\015\001\011\001\026\023\143\141"
+"\100\164\162\141\144\145\162\145\156\147\151\156\145\056\143\157"
+"\155"
+, (PRUint32)177 },
+  { (void *)"\000"
+, (PRUint32)1 },
+  { (void *)"\060\202\003\351\060\202\002\321\240\003\002\001\002\002\001\000"
+"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
+"\201\256\061\013\060\011\006\003\125\004\006\023\002\103\101\061"
+"\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060\016"
+"\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061\032"
+"\060\030\006\003\125\004\012\023\021\124\162\141\144\145\162\105"
+"\156\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003"
+"\125\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151"
+"\157\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166"
+"\151\163\151\157\156\061\025\060\023\006\003\125\004\003\023\014"
+"\164\162\141\144\145\162\145\156\147\151\156\145\061\042\060\040"
+"\006\011\052\206\110\206\367\015\001\011\001\026\023\143\141\100"
+"\164\162\141\144\145\162\145\156\147\151\156\145\056\143\157\155"
+"\060\036\027\015\071\070\060\061\060\061\060\060\060\060\060\060"
+"\132\027\015\063\070\060\061\061\067\060\060\060\060\060\060\132"
+"\060\201\256\061\013\060\011\006\003\125\004\006\023\002\103\101"
+"\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060"
+"\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061"
+"\032\060\030\006\003\125\004\012\023\021\124\162\141\144\145\162"
+"\105\156\147\151\156\145\040\111\156\143\056\061\051\060\047\006"
+"\003\125\004\013\023\040\103\145\162\164\151\146\151\143\141\164"
+"\151\157\156\040\101\165\164\150\157\162\151\164\171\040\104\151"
+"\166\151\163\151\157\156\061\025\060\023\006\003\125\004\003\023"
+"\014\164\162\141\144\145\162\145\156\147\151\156\145\061\042\060"
+"\040\006\011\052\206\110\206\367\015\001\011\001\026\023\143\141"
+"\100\164\162\141\144\145\162\145\156\147\151\156\145\056\143\157"
+"\155\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001"
+"\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001"
+"\001\000\317\045\371\100\117\271\110\337\263\200\331\365\277\174"
+"\351\364\171\217\342\024\016\131\157\026\270\105\110\265\225\117"
+"\365\273\177\306\076\115\170\227\165\223\043\313\375\052\247\027"
+"\152\207\160\275\350\377\276\053\320\146\271\345\242\207\236\054"
+"\012\142\004\023\226\236\104\054\147\320\347\257\020\101\343\175"
+"\304\322\007\265\105\336\112\322\075\314\043\131\311\220\276\341"
+"\212\216\155\323\021\376\053\312\003\365\254\055\365\025\062\135"
+"\245\127\222\163\044\234\365\004\341\064\200\241\030\210\114\263"
+"\200\212\271\240\274\344\077\371\216\136\201\321\275\144\231\017"
+"\140\364\170\166\010\073\272\057\127\147\251\124\122\273\203\272"
+"\176\164\056\020\241\342\024\022\130\276\030\137\314\312\017\074"
+"\165\137\352\232\057\222\311\267\044\331\022\317\135\257\015\207"
+"\156\377\021\065\120\356\101\065\021\247\346\307\261\062\012\242"
+"\041\033\356\145\300\220\062\334\174\007\120\034\000\142\354\343"
+"\212\346\163\346\120\374\151\011\253\361\042\256\277\055\336\070"
+"\177\122\124\336\160\207\166\001\226\263\106\301\064\255\220\104"
+"\225\057\002\003\001\000\001\243\020\060\016\060\014\006\003\125"
+"\035\023\004\005\060\003\001\001\377\060\015\006\011\052\206\110"
+"\206\367\015\001\001\005\005\000\003\202\001\001\000\026\070\360"
+"\024\205\227\167\307\321\020\210\122\134\273\021\123\061\337\152"
+"\153\030\034\256\040\263\046\303\072\017\336\254\140\151\050\367"
+"\024\336\056\025\377\226\275\133\226\045\130\043\220\045\272\232"
+"\013\134\007\114\314\141\311\220\350\032\116\052\312\215\005\353"
+"\027\331\362\230\067\124\130\247\267\116\154\006\241\276\164\327"
+"\251\320\224\176\352\104\253\306\073\170\144\153\112\316\031\022"
+"\266\123\375\211\117\376\020\247\310\207\374\061\142\351\314\214"
+"\270\375\052\362\176\270\110\011\061\145\162\363\122\341\120\136"
+"\247\373\123\364\215\217\066\375\134\224\004\040\007\143\247\267"
+"\230\167\164\033\342\060\354\015\305\364\026\262\214\027\126\225"
+"\257\107\102\016\164\273\152\156\326\115\163\330\010\061\235\112"
+"\103\340\020\161\055\055\202\030\037\171\131\247\233\012\165\126"
+"\175\302\136\005\321\143\105\221\025\221\122\276\300\134\370\360"
+"\347\113\213\231\103\146\050\047\174\045\222\314\030\015\123\104"
+"\324\223\213\265\075\021\312\326\267\103\244\061\151\273\341\075"
+"\226\126\160\040\066\300\357\331\152\326\260\147\343"
+, (PRUint32)1005 }
+};
+static const NSSItem nss_builtins_items_149 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"TraderEngine CA", (PRUint32)16 },
+  { (void *)"\226\137\006\006\205\177\333\000\352\163\325\301\271\274\232\264"
+"\350\273\231\263"
+, (PRUint32)20 },
+  { (void *)"\165\061\224\331\224\242\361\006\237\230\167\323\037\336\157\372"
+, (PRUint32)16 },
+  { (void *)"\060\201\256\061\013\060\011\006\003\125\004\006\023\002\103\101"
+"\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060"
+"\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061"
+"\032\060\030\006\003\125\004\012\023\021\124\162\141\144\145\162"
+"\105\156\147\151\156\145\040\111\156\143\056\061\051\060\047\006"
+"\003\125\004\013\023\040\103\145\162\164\151\146\151\143\141\164"
+"\151\157\156\040\101\165\164\150\157\162\151\164\171\040\104\151"
+"\166\151\163\151\157\156\061\025\060\023\006\003\125\004\003\023"
+"\014\164\162\141\144\145\162\145\156\147\151\156\145\061\042\060"
+"\040\006\011\052\206\110\206\367\015\001\011\001\026\023\143\141"
+"\100\164\162\141\144\145\162\145\156\147\151\156\145\056\143\157"
+"\155"
+, (PRUint32)177 },
+  { (void *)"\000"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_150 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"USPS Root", (PRUint32)10 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\146\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\045\060\043\006\003\125\004\012\023\034\125\156\151\164\145\144"
+"\040\123\164\141\164\145\163\040\120\157\163\164\141\154\040\123"
+"\145\162\166\151\143\145\061\031\060\027\006\003\125\004\013\023"
+"\020\167\167\167\056\165\163\160\163\056\143\157\155\057\103\120"
+"\123\061\025\060\023\006\003\125\004\003\023\014\125\123\120\123"
+"\040\122\157\157\164\040\103\101"
+, (PRUint32)104 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\146\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\045\060\043\006\003\125\004\012\023\034\125\156\151\164\145\144"
+"\040\123\164\141\164\145\163\040\120\157\163\164\141\154\040\123"
+"\145\162\166\151\143\145\061\031\060\027\006\003\125\004\013\023"
+"\020\167\167\167\056\165\163\160\163\056\143\157\155\057\103\120"
+"\123\061\025\060\023\006\003\125\004\003\023\014\125\123\120\123"
+"\040\122\157\157\164\040\103\101"
+, (PRUint32)104 },
+  { (void *)"\047\204"
+, (PRUint32)2 },
+  { (void *)"\060\202\003\132\060\202\002\303\240\003\002\001\002\002\002\047"
+"\204\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000"
+"\060\146\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\045\060\043\006\003\125\004\012\023\034\125\156\151\164\145\144"
+"\040\123\164\141\164\145\163\040\120\157\163\164\141\154\040\123"
+"\145\162\166\151\143\145\061\031\060\027\006\003\125\004\013\023"
+"\020\167\167\167\056\165\163\160\163\056\143\157\155\057\103\120"
+"\123\061\025\060\023\006\003\125\004\003\023\014\125\123\120\123"
+"\040\122\157\157\164\040\103\101\060\036\027\015\060\061\060\064"
+"\061\063\061\066\063\070\065\060\132\027\015\062\060\060\070\061"
+"\064\061\071\060\060\060\060\132\060\146\061\013\060\011\006\003"
+"\125\004\006\023\002\125\123\061\045\060\043\006\003\125\004\012"
+"\023\034\125\156\151\164\145\144\040\123\164\141\164\145\163\040"
+"\120\157\163\164\141\154\040\123\145\162\166\151\143\145\061\031"
+"\060\027\006\003\125\004\013\023\020\167\167\167\056\165\163\160"
+"\163\056\143\157\155\057\103\120\123\061\025\060\023\006\003\125"
+"\004\003\023\014\125\123\120\123\040\122\157\157\164\040\103\101"
+"\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001\001"
+"\005\000\003\201\215\000\060\201\211\002\201\201\000\267\251\045"
+"\254\143\332\260\222\317\224\066\260\004\377\026\156\166\004\133"
+"\365\306\074\237\306\271\102\046\125\373\223\161\205\021\145\311"
+"\141\047\210\304\136\233\376\052\170\112\122\152\105\237\250\373"
+"\221\264\343\046\135\365\103\024\046\271\336\074\155\054\146\365"
+"\123\175\336\344\126\127\262\242\171\365\341\264\332\152\367\044"
+"\345\263\050\376\236\167\226\342\016\307\005\003\314\351\121\366"
+"\226\374\021\300\226\055\163\065\377\130\163\137\362\110\065\345"
+"\104\113\320\176\325\000\036\204\155\330\045\330\321\002\003\001"
+"\000\001\243\202\001\025\060\202\001\021\060\154\006\003\125\035"
+"\040\004\145\060\143\060\013\006\011\140\206\110\001\206\371\155"
+"\146\001\060\013\006\011\140\206\110\001\206\371\155\146\002\060"
+"\013\006\011\140\206\110\001\206\371\155\146\003\060\013\006\011"
+"\140\206\110\001\206\371\155\146\004\060\013\006\011\140\206\110"
+"\001\206\371\155\146\005\060\013\006\011\140\206\110\001\206\371"
+"\155\146\006\060\013\006\011\140\206\110\001\206\371\155\146\007"
+"\060\006\006\004\125\035\040\000\060\035\006\003\125\035\016\004"
+"\026\004\024\323\316\202\164\363\057\113\211\140\162\244\136\021"
+"\277\137\165\003\242\002\253\060\037\006\003\125\035\043\004\030"
+"\060\026\200\024\323\316\202\164\363\057\113\211\140\162\244\136"
+"\021\277\137\165\003\242\002\253\060\035\006\003\125\035\022\004"
+"\026\060\024\201\022\162\157\157\164\061\060\060\060\061\100\165"
+"\163\160\163\056\143\157\155\060\041\006\003\125\035\021\004\032"
+"\060\030\201\026\143\141\141\144\155\151\156\100\145\155\141\151"
+"\154\056\165\163\160\163\056\143\157\155\060\016\006\003\125\035"
+"\017\001\001\377\004\004\003\002\001\306\060\017\006\003\125\035"
+"\023\001\001\377\004\005\060\003\001\001\377\060\015\006\011\052"
+"\206\110\206\367\015\001\001\005\005\000\003\201\201\000\065\061"
+"\212\231\336\052\270\273\344\157\330\351\320\215\337\101\136\110"
+"\047\217\146\205\026\022\263\107\023\353\001\011\176\076\370\125"
+"\065\065\205\012\117\263\350\202\247\257\255\227\135\206\116\327"
+"\267\255\254\217\240\240\124\113\245\117\364\165\007\273\057\056"
+"\031\033\036\216\355\155\113\325\115\203\310\166\227\127\206\366"
+"\044\102\005\365\262\354\026\357\274\354\275\346\220\154\217\222"
+"\263\033\031\147\046\072\257\245\307\036\362\364\165\116\151\331"
+"\273\373\017\154\134\072\310\335\255\216\012\227\035\217"
+, (PRUint32)862 }
+};
+static const NSSItem nss_builtins_items_151 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"USPS Root", (PRUint32)10 },
+  { (void *)"\154\041\132\224\112\235\120\245\027\015\202\313\324\371\325\072"
+"\341\237\030\145"
+, (PRUint32)20 },
+  { (void *)"\274\055\035\316\370\036\035\175\021\044\152\231\160\130\175\031"
+, (PRUint32)16 },
+  { (void *)"\060\146\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\045\060\043\006\003\125\004\012\023\034\125\156\151\164\145\144"
+"\040\123\164\141\164\145\163\040\120\157\163\164\141\154\040\123"
+"\145\162\166\151\143\145\061\031\060\027\006\003\125\004\013\023"
+"\020\167\167\167\056\165\163\160\163\056\143\157\155\057\103\120"
+"\123\061\025\060\023\006\003\125\004\003\023\014\125\123\120\123"
+"\040\122\157\157\164\040\103\101"
+, (PRUint32)104 },
+  { (void *)"\047\204"
+, (PRUint32)2 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_152 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"USPS Production 1", (PRUint32)18 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\156\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\045\060\043\006\003\125\004\012\023\034\125\156\151\164\145\144"
+"\040\123\164\141\164\145\163\040\120\157\163\164\141\154\040\123"
+"\145\162\166\151\143\145\061\031\060\027\006\003\125\004\013\023"
+"\020\167\167\167\056\165\163\160\163\056\143\157\155\057\103\120"
+"\123\061\035\060\033\006\003\125\004\003\023\024\125\123\120\123"
+"\040\120\162\157\144\165\143\164\151\157\156\040\103\101\040\061"
+, (PRUint32)112 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\146\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\045\060\043\006\003\125\004\012\023\034\125\156\151\164\145\144"
+"\040\123\164\141\164\145\163\040\120\157\163\164\141\154\040\123"
+"\145\162\166\151\143\145\061\031\060\027\006\003\125\004\013\023"
+"\020\167\167\167\056\165\163\160\163\056\143\157\155\057\103\120"
+"\123\061\025\060\023\006\003\125\004\003\023\014\125\123\120\123"
+"\040\122\157\157\164\040\103\101"
+, (PRUint32)104 },
+  { (void *)"\047\205"
+, (PRUint32)2 },
+  { (void *)"\060\202\010\157\060\202\007\330\240\003\002\001\002\002\002\047"
+"\205\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000"
+"\060\146\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\045\060\043\006\003\125\004\012\023\034\125\156\151\164\145\144"
+"\040\123\164\141\164\145\163\040\120\157\163\164\141\154\040\123"
+"\145\162\166\151\143\145\061\031\060\027\006\003\125\004\013\023"
+"\020\167\167\167\056\165\163\160\163\056\143\157\155\057\103\120"
+"\123\061\025\060\023\006\003\125\004\003\023\014\125\123\120\123"
+"\040\122\157\157\164\040\103\101\060\036\027\015\060\061\060\064"
+"\061\063\061\066\065\066\065\064\132\027\015\062\060\060\070\061"
+"\064\061\067\060\060\064\060\132\060\156\061\013\060\011\006\003"
+"\125\004\006\023\002\125\123\061\045\060\043\006\003\125\004\012"
+"\023\034\125\156\151\164\145\144\040\123\164\141\164\145\163\040"
+"\120\157\163\164\141\154\040\123\145\162\166\151\143\145\061\031"
+"\060\027\006\003\125\004\013\023\020\167\167\167\056\165\163\160"
+"\163\056\143\157\155\057\103\120\123\061\035\060\033\006\003\125"
+"\004\003\023\024\125\123\120\123\040\120\162\157\144\165\143\164"
+"\151\157\156\040\103\101\040\061\060\201\237\060\015\006\011\052"
+"\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060\201"
+"\211\002\201\201\000\306\326\271\357\262\123\070\312\322\167\014"
+"\154\066\050\060\302\320\050\002\170\161\116\015\211\102\307\131"
+"\047\263\220\010\047\324\227\132\036\266\170\104\100\153\164\306"
+"\215\253\121\213\350\246\355\121\246\326\165\027\354\172\124\136"
+"\126\203\347\360\155\304\111\364\027\275\006\013\022\306\125\357"
+"\351\250\341\050\057\240\103\217\165\364\377\331\334\175\376\252"
+"\324\170\363\234\223\305\231\332\142\106\233\365\166\044\124\011"
+"\012\051\353\024\105\102\013\377\015\166\003\037\247\145\210\242"
+"\244\177\157\320\117\002\003\001\000\001\243\202\006\042\060\202"
+"\006\036\060\202\005\167\006\003\125\035\040\004\202\005\156\060"
+"\202\005\152\060\201\303\006\011\140\206\110\001\206\371\155\146"
+"\001\060\201\265\060\043\006\010\053\006\001\005\005\007\002\001"
+"\026\027\150\164\164\160\072\057\057\167\167\167\056\165\163\160"
+"\163\056\143\157\155\057\103\120\123\060\201\215\006\010\053\006"
+"\001\005\005\007\002\002\060\201\200\032\176\123\145\145\040\125"
+"\123\120\123\040\103\120\123\040\141\164\040\150\164\164\160\072"
+"\057\057\167\167\167\056\165\163\160\163\056\143\157\155\057\103"
+"\120\123\056\040\124\150\151\163\040\143\145\162\164\151\146\151"
+"\143\141\164\145\040\151\163\040\164\157\040\142\145\040\165\163"
+"\145\144\040\157\156\154\171\040\151\156\040\141\143\143\157\162"
+"\144\141\156\143\145\040\167\151\164\150\040\125\123\120\123\040"
+"\162\145\147\165\154\141\164\151\157\156\163\040\141\156\144\040"
+"\160\157\154\151\143\151\145\163\056\060\201\303\006\011\140\206"
+"\110\001\206\371\155\146\002\060\201\265\060\043\006\010\053\006"
+"\001\005\005\007\002\001\026\027\150\164\164\160\072\057\057\167"
+"\167\167\056\165\163\160\163\056\143\157\155\057\103\120\123\060"
+"\201\215\006\010\053\006\001\005\005\007\002\002\060\201\200\032"
+"\176\123\145\145\040\125\123\120\123\040\103\120\123\040\141\164"
+"\040\150\164\164\160\072\057\057\167\167\167\056\165\163\160\163"
+"\056\143\157\155\057\103\120\123\056\040\124\150\151\163\040\143"
+"\145\162\164\151\146\151\143\141\164\145\040\151\163\040\164\157"
+"\040\142\145\040\165\163\145\144\040\157\156\154\171\040\151\156"
+"\040\141\143\143\157\162\144\141\156\143\145\040\167\151\164\150"
+"\040\125\123\120\123\040\162\145\147\165\154\141\164\151\157\156"
+"\163\040\141\156\144\040\160\157\154\151\143\151\145\163\056\060"
+"\201\303\006\011\140\206\110\001\206\371\155\146\003\060\201\265"
+"\060\043\006\010\053\006\001\005\005\007\002\001\026\027\150\164"
+"\164\160\072\057\057\167\167\167\056\165\163\160\163\056\143\157"
+"\155\057\103\120\123\060\201\215\006\010\053\006\001\005\005\007"
+"\002\002\060\201\200\032\176\123\145\145\040\125\123\120\123\040"
+"\103\120\123\040\141\164\040\150\164\164\160\072\057\057\167\167"
+"\167\056\165\163\160\163\056\143\157\155\057\103\120\123\056\040"
+"\124\150\151\163\040\143\145\162\164\151\146\151\143\141\164\145"
+"\040\151\163\040\164\157\040\142\145\040\165\163\145\144\040\157"
+"\156\154\171\040\151\156\040\141\143\143\157\162\144\141\156\143"
+"\145\040\167\151\164\150\040\125\123\120\123\040\162\145\147\165"
+"\154\141\164\151\157\156\163\040\141\156\144\040\160\157\154\151"
+"\143\151\145\163\056\060\201\303\006\011\140\206\110\001\206\371"
+"\155\146\004\060\201\265\060\043\006\010\053\006\001\005\005\007"
+"\002\001\026\027\150\164\164\160\072\057\057\167\167\167\056\165"
+"\163\160\163\056\143\157\155\057\103\120\123\060\201\215\006\010"
+"\053\006\001\005\005\007\002\002\060\201\200\032\176\123\145\145"
+"\040\125\123\120\123\040\103\120\123\040\141\164\040\150\164\164"
+"\160\072\057\057\167\167\167\056\165\163\160\163\056\143\157\155"
+"\057\103\120\123\056\040\124\150\151\163\040\143\145\162\164\151"
+"\146\151\143\141\164\145\040\151\163\040\164\157\040\142\145\040"
+"\165\163\145\144\040\157\156\154\171\040\151\156\040\141\143\143"
+"\157\162\144\141\156\143\145\040\167\151\164\150\040\125\123\120"
+"\123\040\162\145\147\165\154\141\164\151\157\156\163\040\141\156"
+"\144\040\160\157\154\151\143\151\145\163\056\060\201\303\006\011"
+"\140\206\110\001\206\371\155\146\005\060\201\265\060\043\006\010"
+"\053\006\001\005\005\007\002\001\026\027\150\164\164\160\072\057"
+"\057\167\167\167\056\165\163\160\163\056\143\157\155\057\103\120"
+"\123\060\201\215\006\010\053\006\001\005\005\007\002\002\060\201"
+"\200\032\176\123\145\145\040\125\123\120\123\040\103\120\123\040"
+"\141\164\040\150\164\164\160\072\057\057\167\167\167\056\165\163"
+"\160\163\056\143\157\155\057\103\120\123\056\040\124\150\151\163"
+"\040\143\145\162\164\151\146\151\143\141\164\145\040\151\163\040"
+"\164\157\040\142\145\040\165\163\145\144\040\157\156\154\171\040"
+"\151\156\040\141\143\143\157\162\144\141\156\143\145\040\167\151"
+"\164\150\040\125\123\120\123\040\162\145\147\165\154\141\164\151"
+"\157\156\163\040\141\156\144\040\160\157\154\151\143\151\145\163"
+"\056\060\201\303\006\011\140\206\110\001\206\371\155\146\006\060"
+"\201\265\060\043\006\010\053\006\001\005\005\007\002\001\026\027"
+"\150\164\164\160\072\057\057\167\167\167\056\165\163\160\163\056"
+"\143\157\155\057\103\120\123\060\201\215\006\010\053\006\001\005"
+"\005\007\002\002\060\201\200\032\176\123\145\145\040\125\123\120"
+"\123\040\103\120\123\040\141\164\040\150\164\164\160\072\057\057"
+"\167\167\167\056\165\163\160\163\056\143\157\155\057\103\120\123"
+"\056\040\124\150\151\163\040\143\145\162\164\151\146\151\143\141"
+"\164\145\040\151\163\040\164\157\040\142\145\040\165\163\145\144"
+"\040\157\156\154\171\040\151\156\040\141\143\143\157\162\144\141"
+"\156\143\145\040\167\151\164\150\040\125\123\120\123\040\162\145"
+"\147\165\154\141\164\151\157\156\163\040\141\156\144\040\160\157"
+"\154\151\143\151\145\163\056\060\201\303\006\011\140\206\110\001"
+"\206\371\155\146\007\060\201\265\060\043\006\010\053\006\001\005"
+"\005\007\002\001\026\027\150\164\164\160\072\057\057\167\167\167"
+"\056\165\163\160\163\056\143\157\155\057\103\120\123\060\201\215"
+"\006\010\053\006\001\005\005\007\002\002\060\201\200\032\176\123"
+"\145\145\040\125\123\120\123\040\103\120\123\040\141\164\040\150"
+"\164\164\160\072\057\057\167\167\167\056\165\163\160\163\056\143"
+"\157\155\057\103\120\123\056\040\124\150\151\163\040\143\145\162"
+"\164\151\146\151\143\141\164\145\040\151\163\040\164\157\040\142"
+"\145\040\165\163\145\144\040\157\156\154\171\040\151\156\040\141"
+"\143\143\157\162\144\141\156\143\145\040\167\151\164\150\040\125"
+"\123\120\123\040\162\145\147\165\154\141\164\151\157\156\163\040"
+"\141\156\144\040\160\157\154\151\143\151\145\163\056\060\035\006"
+"\003\125\035\016\004\026\004\024\045\345\240\357\055\162\117\155"
+"\225\037\067\037\040\326\303\001\104\003\307\320\060\037\006\003"
+"\125\035\043\004\030\060\026\200\024\323\316\202\164\363\057\113"
+"\211\140\162\244\136\021\277\137\165\003\242\002\253\060\035\006"
+"\003\125\035\022\004\026\060\024\201\022\162\157\157\164\061\060"
+"\060\060\061\100\165\163\160\163\056\143\157\155\060\041\006\003"
+"\125\035\021\004\032\060\030\201\026\143\141\141\144\155\151\156"
+"\100\145\155\141\151\154\056\165\163\160\163\056\143\157\155\060"
+"\016\006\003\125\035\017\001\001\377\004\004\003\002\001\306\060"
+"\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377"
+"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003"
+"\201\201\000\140\277\111\155\062\312\204\333\360\226\100\310\254"
+"\130\351\111\351\233\034\162\136\305\006\243\075\064\303\034\256"
+"\015\325\164\031\336\230\327\175\001\075\345\110\230\100\177\275"
+"\042\257\134\172\366\353\142\076\253\274\275\217\142\130\313\202"
+"\072\324\304\100\347\213\270\017\020\120\017\054\070\043\071\224"
+"\345\040\307\324\270\371\341\121\102\104\224\154\143\136\343\176"
+"\136\142\336\357\075\106\264\074\133\250\233\016\172\236\035\126"
+"\355\274\005\264\305\361\131\011\257\157\111\205\131\333\072\021"
+"\145\315\351"
+, (PRUint32)2163 }
+};
+static const NSSItem nss_builtins_items_153 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"USPS Production 1", (PRUint32)18 },
+  { (void *)"\246\153\351\054\171\064\177\363\201\000\013\373\142\054\337\247"
+"\121\331\153\123"
+, (PRUint32)20 },
+  { (void *)"\076\000\040\236\051\317\232\170\303\150\117\206\366\173\341\106"
+, (PRUint32)16 },
+  { (void *)"\060\146\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\045\060\043\006\003\125\004\012\023\034\125\156\151\164\145\144"
+"\040\123\164\141\164\145\163\040\120\157\163\164\141\154\040\123"
+"\145\162\166\151\143\145\061\031\060\027\006\003\125\004\013\023"
+"\020\167\167\167\056\165\163\160\163\056\143\157\155\057\103\120"
+"\123\061\025\060\023\006\003\125\004\003\023\014\125\123\120\123"
+"\040\122\157\157\164\040\103\101"
+, (PRUint32)104 },
+  { (void *)"\047\205"
+, (PRUint32)2 },
+  { (void *)&ckt_netscape_valid_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_154 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"AddTrust Non-Validated Services Root", (PRUint32)37 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\145\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
+"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
+"\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024"
+"\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164"
+"\167\157\162\153\061\041\060\037\006\003\125\004\003\023\030\101"
+"\144\144\124\162\165\163\164\040\103\154\141\163\163\040\061\040"
+"\103\101\040\122\157\157\164"
+, (PRUint32)103 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\145\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
+"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
+"\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024"
+"\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164"
+"\167\157\162\153\061\041\060\037\006\003\125\004\003\023\030\101"
+"\144\144\124\162\165\163\164\040\103\154\141\163\163\040\061\040"
+"\103\101\040\122\157\157\164"
+, (PRUint32)103 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)"\060\202\004\030\060\202\003\000\240\003\002\001\002\002\001\001"
+"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
+"\145\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024"
+"\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163"
+"\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101"
+"\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167"
+"\157\162\153\061\041\060\037\006\003\125\004\003\023\030\101\144"
+"\144\124\162\165\163\164\040\103\154\141\163\163\040\061\040\103"
+"\101\040\122\157\157\164\060\036\027\015\060\060\060\065\063\060"
+"\061\060\063\070\063\061\132\027\015\062\060\060\065\063\060\061"
+"\060\063\070\063\061\132\060\145\061\013\060\011\006\003\125\004"
+"\006\023\002\123\105\061\024\060\022\006\003\125\004\012\023\013"
+"\101\144\144\124\162\165\163\164\040\101\102\061\035\060\033\006"
+"\003\125\004\013\023\024\101\144\144\124\162\165\163\164\040\124"
+"\124\120\040\116\145\164\167\157\162\153\061\041\060\037\006\003"
+"\125\004\003\023\030\101\144\144\124\162\165\163\164\040\103\154"
+"\141\163\163\040\061\040\103\101\040\122\157\157\164\060\202\001"
+"\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000"
+"\003\202\001\017\000\060\202\001\012\002\202\001\001\000\226\226"
+"\324\041\111\140\342\153\350\101\007\014\336\304\340\334\023\043"
+"\315\301\065\307\373\326\116\021\012\147\136\365\006\133\153\245"
+"\010\073\133\051\026\072\347\207\262\064\006\305\274\005\245\003"
+"\174\202\313\051\020\256\341\210\201\275\326\236\323\376\055\126"
+"\301\025\316\343\046\235\025\056\020\373\006\217\060\004\336\247"
+"\264\143\264\377\261\234\256\074\257\167\266\126\305\265\253\242"
+"\351\151\072\075\016\063\171\062\077\160\202\222\231\141\155\215"
+"\060\010\217\161\077\246\110\127\031\370\045\334\113\146\134\245"
+"\164\217\230\256\310\371\300\006\042\347\254\163\337\245\056\373"
+"\122\334\261\025\145\040\372\065\146\151\336\337\054\361\156\274"
+"\060\333\054\044\022\333\353\065\065\150\220\313\000\260\227\041"
+"\075\164\041\043\145\064\053\273\170\131\243\326\341\166\071\232"
+"\244\111\216\214\164\257\156\244\232\243\331\233\322\070\134\233"
+"\242\030\314\165\043\204\276\353\342\115\063\161\216\032\360\302"
+"\370\307\035\242\255\003\227\054\370\317\045\306\366\270\044\061"
+"\261\143\135\222\177\143\360\045\311\123\056\037\277\115\002\003"
+"\001\000\001\243\201\322\060\201\317\060\035\006\003\125\035\016"
+"\004\026\004\024\225\261\264\360\224\266\275\307\332\321\021\011"
+"\041\276\301\257\111\375\020\173\060\013\006\003\125\035\017\004"
+"\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377\004"
+"\005\060\003\001\001\377\060\201\217\006\003\125\035\043\004\201"
+"\207\060\201\204\200\024\225\261\264\360\224\266\275\307\332\321"
+"\021\011\041\276\301\257\111\375\020\173\241\151\244\147\060\145"
+"\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024\060"
+"\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163\164"
+"\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101\144"
+"\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167\157"
+"\162\153\061\041\060\037\006\003\125\004\003\023\030\101\144\144"
+"\124\162\165\163\164\040\103\154\141\163\163\040\061\040\103\101"
+"\040\122\157\157\164\202\001\001\060\015\006\011\052\206\110\206"
+"\367\015\001\001\005\005\000\003\202\001\001\000\054\155\144\033"
+"\037\315\015\335\271\001\372\226\143\064\062\110\107\231\256\227"
+"\355\375\162\026\246\163\107\132\364\353\335\351\365\326\373\105"
+"\314\051\211\104\135\277\106\071\075\350\356\274\115\124\206\036"
+"\035\154\343\027\047\103\341\211\126\053\251\157\162\116\111\063"
+"\343\162\174\052\043\232\274\076\377\050\052\355\243\377\034\043"
+"\272\103\127\011\147\115\113\142\006\055\370\377\154\235\140\036"
+"\330\034\113\175\265\061\057\331\320\174\135\370\336\153\203\030"
+"\170\067\127\057\350\063\007\147\337\036\307\153\052\225\166\256"
+"\217\127\243\360\364\122\264\251\123\010\317\340\117\323\172\123"
+"\213\375\273\034\126\066\362\376\262\266\345\166\273\325\042\145"
+"\247\077\376\321\146\255\013\274\153\231\206\357\077\175\363\030"
+"\062\312\173\306\343\253\144\106\225\370\046\151\331\125\203\173"
+"\054\226\007\377\131\054\104\243\306\345\351\251\334\241\143\200"
+"\132\041\136\041\317\123\124\360\272\157\211\333\250\252\225\317"
+"\213\343\161\314\036\033\040\104\010\300\172\266\100\375\304\344"
+"\065\341\035\026\034\320\274\053\216\326\161\331"
+, (PRUint32)1052 }
+};
+static const NSSItem nss_builtins_items_155 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"AddTrust Non-Validated Services Root", (PRUint32)37 },
+  { (void *)"\314\253\016\240\114\043\001\326\151\173\335\067\237\315\022\353"
+"\044\343\224\235"
+, (PRUint32)20 },
+  { (void *)"\036\102\225\002\063\222\153\271\137\300\177\332\326\262\113\374"
+, (PRUint32)16 },
+  { (void *)"\060\145\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
+"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
+"\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024"
+"\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164"
+"\167\157\162\153\061\041\060\037\006\003\125\004\003\023\030\101"
+"\144\144\124\162\165\163\164\040\103\154\141\163\163\040\061\040"
+"\103\101\040\122\157\157\164"
+, (PRUint32)103 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_valid, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_156 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"AddTrust External Root", (PRUint32)23 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
+"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
+"\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035"
+"\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141"
+"\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060"
+"\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164"
+"\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157"
+"\164"
+, (PRUint32)113 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
+"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
+"\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035"
+"\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141"
+"\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060"
+"\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164"
+"\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157"
+"\164"
+, (PRUint32)113 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)"\060\202\004\066\060\202\003\036\240\003\002\001\002\002\001\001"
+"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
+"\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024"
+"\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163"
+"\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035\101"
+"\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141\154"
+"\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060\040"
+"\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164\040"
+"\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157\164"
+"\060\036\027\015\060\060\060\065\063\060\061\060\064\070\063\070"
+"\132\027\015\062\060\060\065\063\060\061\060\064\070\063\070\132"
+"\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
+"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
+"\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035"
+"\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141"
+"\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060"
+"\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164"
+"\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157"
+"\164\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001"
+"\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001"
+"\001\000\267\367\032\063\346\362\000\004\055\071\340\116\133\355"
+"\037\274\154\017\315\265\372\043\266\316\336\233\021\063\227\244"
+"\051\114\175\223\237\275\112\274\223\355\003\032\343\217\317\345"
+"\155\120\132\326\227\051\224\132\200\260\111\172\333\056\225\375"
+"\270\312\277\067\070\055\036\076\221\101\255\160\126\307\360\117"
+"\077\350\062\236\164\312\310\220\124\351\306\137\017\170\235\232"
+"\100\074\016\254\141\252\136\024\217\236\207\241\152\120\334\327"
+"\232\116\257\005\263\246\161\224\234\161\263\120\140\012\307\023"
+"\235\070\007\206\002\250\351\250\151\046\030\220\253\114\260\117"
+"\043\253\072\117\204\330\337\316\237\341\151\157\273\327\102\327"
+"\153\104\344\307\255\356\155\101\137\162\132\161\010\067\263\171"
+"\145\244\131\240\224\067\367\000\057\015\302\222\162\332\320\070"
+"\162\333\024\250\105\304\135\052\175\267\264\326\304\356\254\315"
+"\023\104\267\311\053\335\103\000\045\372\141\271\151\152\130\043"
+"\021\267\247\063\217\126\165\131\365\315\051\327\106\267\012\053"
+"\145\266\323\102\157\025\262\270\173\373\357\351\135\123\325\064"
+"\132\047\002\003\001\000\001\243\201\334\060\201\331\060\035\006"
+"\003\125\035\016\004\026\004\024\255\275\230\172\064\264\046\367"
+"\372\304\046\124\357\003\275\340\044\313\124\032\060\013\006\003"
+"\125\035\017\004\004\003\002\001\006\060\017\006\003\125\035\023"
+"\001\001\377\004\005\060\003\001\001\377\060\201\231\006\003\125"
+"\035\043\004\201\221\060\201\216\200\024\255\275\230\172\064\264"
+"\046\367\372\304\046\124\357\003\275\340\044\313\124\032\241\163"
+"\244\161\060\157\061\013\060\011\006\003\125\004\006\023\002\123"
+"\105\061\024\060\022\006\003\125\004\012\023\013\101\144\144\124"
+"\162\165\163\164\040\101\102\061\046\060\044\006\003\125\004\013"
+"\023\035\101\144\144\124\162\165\163\164\040\105\170\164\145\162"
+"\156\141\154\040\124\124\120\040\116\145\164\167\157\162\153\061"
+"\042\060\040\006\003\125\004\003\023\031\101\144\144\124\162\165"
+"\163\164\040\105\170\164\145\162\156\141\154\040\103\101\040\122"
+"\157\157\164\202\001\001\060\015\006\011\052\206\110\206\367\015"
+"\001\001\005\005\000\003\202\001\001\000\260\233\340\205\045\302"
+"\326\043\342\017\226\006\222\235\101\230\234\331\204\171\201\331"
+"\036\133\024\007\043\066\145\217\260\330\167\273\254\101\154\107"
+"\140\203\121\260\371\062\075\347\374\366\046\023\307\200\026\245"
+"\277\132\374\207\317\170\171\211\041\232\342\114\007\012\206\065"
+"\274\362\336\121\304\322\226\267\334\176\116\356\160\375\034\071"
+"\353\014\002\121\024\055\216\275\026\340\301\337\106\165\347\044"
+"\255\354\364\102\264\205\223\160\020\147\272\235\006\065\112\030"
+"\323\053\172\314\121\102\241\172\143\321\346\273\241\305\053\302"
+"\066\276\023\015\346\275\143\176\171\173\247\011\015\100\253\152"
+"\335\217\212\303\366\366\214\032\102\005\121\324\105\365\237\247"
+"\142\041\150\025\040\103\074\231\347\174\275\044\330\251\221\027"
+"\163\210\077\126\033\061\070\030\264\161\017\232\315\310\016\236"
+"\216\056\033\341\214\230\203\313\037\061\361\104\114\306\004\163"
+"\111\166\140\017\307\370\275\027\200\153\056\351\314\114\016\132"
+"\232\171\017\040\012\056\325\236\143\046\036\125\222\224\330\202"
+"\027\132\173\320\274\307\217\116\206\004"
+, (PRUint32)1082 }
+};
+static const NSSItem nss_builtins_items_157 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"AddTrust External Root", (PRUint32)23 },
+  { (void *)"\002\372\363\342\221\103\124\150\140\170\127\151\115\365\344\133"
+"\150\205\030\150"
+, (PRUint32)20 },
+  { (void *)"\035\065\124\004\205\170\260\077\102\102\115\277\040\163\012\077"
+, (PRUint32)16 },
+  { (void *)"\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
+"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
+"\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035"
+"\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141"
+"\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060"
+"\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164"
+"\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157"
+"\164"
+, (PRUint32)113 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_158 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"AddTrust Public Services Root", (PRUint32)30 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
+"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
+"\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024"
+"\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164"
+"\167\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101"
+"\144\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103"
+"\101\040\122\157\157\164"
+, (PRUint32)102 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
+"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
+"\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024"
+"\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164"
+"\167\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101"
+"\144\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103"
+"\101\040\122\157\157\164"
+, (PRUint32)102 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)"\060\202\004\025\060\202\002\375\240\003\002\001\002\002\001\001"
+"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
+"\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024"
+"\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163"
+"\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101"
+"\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167"
+"\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101\144"
+"\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103\101"
+"\040\122\157\157\164\060\036\027\015\060\060\060\065\063\060\061"
+"\060\064\061\065\060\132\027\015\062\060\060\065\063\060\061\060"
+"\064\061\065\060\132\060\144\061\013\060\011\006\003\125\004\006"
+"\023\002\123\105\061\024\060\022\006\003\125\004\012\023\013\101"
+"\144\144\124\162\165\163\164\040\101\102\061\035\060\033\006\003"
+"\125\004\013\023\024\101\144\144\124\162\165\163\164\040\124\124"
+"\120\040\116\145\164\167\157\162\153\061\040\060\036\006\003\125"
+"\004\003\023\027\101\144\144\124\162\165\163\164\040\120\165\142"
+"\154\151\143\040\103\101\040\122\157\157\164\060\202\001\042\060"
+"\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202"
+"\001\017\000\060\202\001\012\002\202\001\001\000\351\032\060\217"
+"\203\210\024\301\040\330\074\233\217\033\176\003\164\273\332\151"
+"\323\106\245\370\216\302\014\021\220\121\245\057\146\124\100\125"
+"\352\333\037\112\126\356\237\043\156\364\071\313\241\271\157\362"
+"\176\371\135\207\046\141\236\034\370\342\354\246\201\370\041\305"
+"\044\314\021\014\077\333\046\162\172\307\001\227\007\027\371\327"
+"\030\054\060\175\016\172\036\142\036\306\113\300\375\175\142\167"
+"\323\104\036\047\366\077\113\104\263\267\070\331\071\037\140\325"
+"\121\222\163\003\264\000\151\343\363\024\116\356\321\334\011\317"
+"\167\064\106\120\260\370\021\362\376\070\171\367\007\071\376\121"
+"\222\227\013\133\010\137\064\206\001\255\210\227\353\146\315\136"
+"\321\377\334\175\362\204\332\272\167\255\334\200\010\307\247\207"
+"\326\125\237\227\152\350\310\021\144\272\347\031\051\077\021\263"
+"\170\220\204\040\122\133\021\357\170\320\203\366\325\110\220\320"
+"\060\034\317\200\371\140\376\171\344\210\362\335\000\353\224\105"
+"\353\145\224\151\100\272\300\325\264\270\272\175\004\021\250\353"
+"\061\005\226\224\116\130\041\216\237\320\140\375\002\003\001\000"
+"\001\243\201\321\060\201\316\060\035\006\003\125\035\016\004\026"
+"\004\024\201\076\067\330\222\260\037\167\237\134\264\253\163\252"
+"\347\366\064\140\057\372\060\013\006\003\125\035\017\004\004\003"
+"\002\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060"
+"\003\001\001\377\060\201\216\006\003\125\035\043\004\201\206\060"
+"\201\203\200\024\201\076\067\330\222\260\037\167\237\134\264\253"
+"\163\252\347\366\064\140\057\372\241\150\244\146\060\144\061\013"
+"\060\011\006\003\125\004\006\023\002\123\105\061\024\060\022\006"
+"\003\125\004\012\023\013\101\144\144\124\162\165\163\164\040\101"
+"\102\061\035\060\033\006\003\125\004\013\023\024\101\144\144\124"
+"\162\165\163\164\040\124\124\120\040\116\145\164\167\157\162\153"
+"\061\040\060\036\006\003\125\004\003\023\027\101\144\144\124\162"
+"\165\163\164\040\120\165\142\154\151\143\040\103\101\040\122\157"
+"\157\164\202\001\001\060\015\006\011\052\206\110\206\367\015\001"
+"\001\005\005\000\003\202\001\001\000\003\367\025\112\370\044\332"
+"\043\126\026\223\166\335\066\050\271\256\033\270\303\361\144\272"
+"\040\030\170\225\051\047\127\005\274\174\052\364\271\121\125\332"
+"\207\002\336\017\026\027\061\370\252\171\056\011\023\273\257\262"
+"\040\031\022\345\223\371\113\371\203\350\104\325\262\101\045\277"
+"\210\165\157\377\020\374\112\124\320\137\360\372\357\066\163\175"
+"\033\066\105\306\041\155\264\025\270\116\317\234\134\245\075\132"
+"\000\216\006\343\074\153\062\173\362\237\360\266\375\337\360\050"
+"\030\110\360\306\274\320\277\064\200\226\302\112\261\155\216\307"
+"\220\105\336\057\147\254\105\004\243\172\334\125\222\311\107\146"
+"\330\032\214\307\355\234\116\232\340\022\273\265\152\114\204\341"
+"\341\042\015\207\000\144\376\214\175\142\071\145\246\357\102\266"
+"\200\045\022\141\001\250\044\023\160\000\021\046\137\372\065\120"
+"\305\110\314\006\107\350\047\330\160\215\137\144\346\241\104\046"
+"\136\042\354\222\315\377\102\232\104\041\155\134\305\343\042\035"
+"\137\107\022\347\316\137\135\372\330\252\261\063\055\331\166\362"
+"\116\072\063\014\053\263\055\220\006"
+, (PRUint32)1049 }
+};
+static const NSSItem nss_builtins_items_159 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"AddTrust Public Services Root", (PRUint32)30 },
+  { (void *)"\052\266\050\110\136\170\373\363\255\236\171\020\335\153\337\231"
+"\162\054\226\345"
+, (PRUint32)20 },
+  { (void *)"\301\142\076\043\305\202\163\234\003\131\113\053\351\167\111\177"
+, (PRUint32)16 },
+  { (void *)"\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
+"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
+"\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035"
+"\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141"
+"\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060"
+"\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164"
+"\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157"
+"\164"
+, (PRUint32)113 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_160 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"AddTrust Qualified Certificates Root", (PRUint32)37 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
+"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
+"\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024"
+"\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164"
+"\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101"
+"\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145"
+"\144\040\103\101\040\122\157\157\164"
+, (PRUint32)105 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
+"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
+"\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024"
+"\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164"
+"\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101"
+"\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145"
+"\144\040\103\101\040\122\157\157\164"
+, (PRUint32)105 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)"\060\202\004\036\060\202\003\006\240\003\002\001\002\002\001\001"
+"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
+"\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024"
+"\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163"
+"\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101"
+"\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167"
+"\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101\144"
+"\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145\144"
+"\040\103\101\040\122\157\157\164\060\036\027\015\060\060\060\065"
+"\063\060\061\060\064\064\065\060\132\027\015\062\060\060\065\063"
+"\060\061\060\064\064\065\060\132\060\147\061\013\060\011\006\003"
+"\125\004\006\023\002\123\105\061\024\060\022\006\003\125\004\012"
+"\023\013\101\144\144\124\162\165\163\164\040\101\102\061\035\060"
+"\033\006\003\125\004\013\023\024\101\144\144\124\162\165\163\164"
+"\040\124\124\120\040\116\145\164\167\157\162\153\061\043\060\041"
+"\006\003\125\004\003\023\032\101\144\144\124\162\165\163\164\040"
+"\121\165\141\154\151\146\151\145\144\040\103\101\040\122\157\157"
+"\164\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001"
+"\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001"
+"\001\000\344\036\232\376\334\011\132\207\244\237\107\276\021\137"
+"\257\204\064\333\142\074\171\170\267\351\060\265\354\014\034\052"
+"\304\026\377\340\354\161\353\212\365\021\156\355\117\015\221\322"
+"\022\030\055\111\025\001\302\244\042\023\307\021\144\377\042\022"
+"\232\271\216\134\057\010\317\161\152\263\147\001\131\361\135\106"
+"\363\260\170\245\366\016\102\172\343\177\033\314\320\360\267\050"
+"\375\052\352\236\263\260\271\004\252\375\366\307\264\261\270\052"
+"\240\373\130\361\031\240\157\160\045\176\076\151\112\177\017\042"
+"\330\357\255\010\021\232\051\231\341\252\104\105\232\022\136\076"
+"\235\155\122\374\347\240\075\150\057\360\113\160\174\023\070\255"
+"\274\025\045\361\326\316\253\242\300\061\326\057\237\340\377\024"
+"\131\374\204\223\331\207\174\114\124\023\353\237\321\055\021\370"
+"\030\072\072\336\045\331\367\323\100\355\244\006\022\304\073\341"
+"\221\301\126\065\360\024\334\145\066\011\156\253\244\007\307\065"
+"\321\302\003\063\066\133\165\046\155\102\361\022\153\103\157\113"
+"\161\224\372\064\035\355\023\156\312\200\177\230\057\154\271\145"
+"\330\351\002\003\001\000\001\243\201\324\060\201\321\060\035\006"
+"\003\125\035\016\004\026\004\024\071\225\213\142\213\134\311\324"
+"\200\272\130\017\227\077\025\010\103\314\230\247\060\013\006\003"
+"\125\035\017\004\004\003\002\001\006\060\017\006\003\125\035\023"
+"\001\001\377\004\005\060\003\001\001\377\060\201\221\006\003\125"
+"\035\043\004\201\211\060\201\206\200\024\071\225\213\142\213\134"
+"\311\324\200\272\130\017\227\077\025\010\103\314\230\247\241\153"
+"\244\151\060\147\061\013\060\011\006\003\125\004\006\023\002\123"
+"\105\061\024\060\022\006\003\125\004\012\023\013\101\144\144\124"
+"\162\165\163\164\040\101\102\061\035\060\033\006\003\125\004\013"
+"\023\024\101\144\144\124\162\165\163\164\040\124\124\120\040\116"
+"\145\164\167\157\162\153\061\043\060\041\006\003\125\004\003\023"
+"\032\101\144\144\124\162\165\163\164\040\121\165\141\154\151\146"
+"\151\145\144\040\103\101\040\122\157\157\164\202\001\001\060\015"
+"\006\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001"
+"\001\000\031\253\165\352\370\213\145\141\225\023\272\151\004\357"
+"\206\312\023\240\307\252\117\144\033\077\030\366\250\055\054\125"
+"\217\005\267\060\352\102\152\035\300\045\121\055\247\277\014\263"
+"\355\357\010\177\154\074\106\032\352\030\103\337\166\314\371\146"
+"\206\234\054\150\365\351\027\370\061\263\030\304\326\110\175\043"
+"\114\150\301\176\273\001\024\157\305\331\156\336\273\004\102\152"
+"\370\366\134\175\345\332\372\207\353\015\065\122\147\320\236\227"
+"\166\005\223\077\225\307\001\346\151\125\070\177\020\141\231\311"
+"\343\137\246\312\076\202\143\110\252\342\010\110\076\252\362\262"
+"\205\142\246\264\247\331\275\067\234\150\265\055\126\175\260\267"
+"\077\240\261\007\326\351\117\334\336\105\161\060\062\177\033\056"
+"\011\371\277\122\241\356\302\200\076\006\134\056\125\100\301\033"
+"\365\160\105\260\334\135\372\366\162\132\167\322\143\315\317\130"
+"\211\000\102\143\077\171\071\320\104\260\202\156\101\031\350\335"
+"\340\301\210\132\321\036\161\223\037\044\060\164\345\036\250\336"
+"\074\047\067\177\203\256\236\167\317\360\060\261\377\113\231\350"
+"\306\241"
+, (PRUint32)1058 }
+};
+static const NSSItem nss_builtins_items_161 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"AddTrust Qualified Certificates Root", (PRUint32)37 },
+  { (void *)"\115\043\170\354\221\225\071\265\000\177\165\217\003\073\041\036"
+"\305\115\213\317"
+, (PRUint32)20 },
+  { (void *)"\047\354\071\107\315\332\132\257\342\232\001\145\041\251\114\273"
+, (PRUint32)16 },
+  { (void *)"\060\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061"
+"\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165"
+"\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024"
+"\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164"
+"\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101"
+"\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145"
+"\144\040\103\101\040\122\157\157\164"
+, (PRUint32)105 },
+  { (void *)"\001"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_162 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 1 Public Primary OCSP Responder", (PRUint32)47 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145"
+"\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035"
+"\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040"
+"\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060"
+"\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146"
+"\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057"
+"\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155"
+"\057\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003"
+"\125\004\003\023\045\103\154\141\163\163\040\061\040\120\165\142"
+"\154\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120"
+"\040\122\145\163\160\157\156\144\145\162"
+, (PRUint32)170 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
+"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
+"\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151"
+"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
+"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)97 },
+  { (void *)"\053\150\324\243\106\236\305\073\050\011\253\070\135\177\047\040"
+, (PRUint32)16 },
+  { (void *)"\060\202\003\236\060\202\003\007\240\003\002\001\002\002\020\053"
+"\150\324\243\106\236\305\073\050\011\253\070\135\177\047\040\060"
+"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\137"
+"\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060"
+"\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156"
+"\054\040\111\156\143\056\061\067\060\065\006\003\125\004\013\023"
+"\056\103\154\141\163\163\040\061\040\120\165\142\154\151\143\040"
+"\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143"
+"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060"
+"\036\027\015\060\060\060\070\060\064\060\060\060\060\060\060\132"
+"\027\015\060\064\060\070\060\063\062\063\065\071\065\071\132\060"
+"\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145\162"
+"\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035\006"
+"\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040\124"
+"\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060\071"
+"\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146\040"
+"\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057\167"
+"\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155\057"
+"\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003\125"
+"\004\003\023\045\103\154\141\163\163\040\061\040\120\165\142\154"
+"\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120\040"
+"\122\145\163\160\157\156\144\145\162\060\201\237\060\015\006\011"
+"\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060"
+"\201\211\002\201\201\000\271\355\136\172\072\167\137\316\137\072"
+"\122\374\315\144\367\161\265\157\152\226\306\131\222\125\224\135"
+"\057\133\056\301\021\352\046\212\313\247\201\074\366\132\104\336"
+"\172\023\057\375\132\121\331\173\067\046\112\300\047\077\004\003"
+"\152\126\301\203\054\341\157\133\251\124\120\044\112\306\056\172"
+"\114\241\133\067\124\044\041\061\037\241\170\030\166\247\261\160"
+"\332\042\320\152\376\007\142\100\306\367\366\233\175\014\006\270"
+"\113\307\050\344\146\043\204\121\357\106\267\223\330\201\063\313"
+"\345\066\254\306\350\005\002\003\001\000\001\243\202\001\020\060"
+"\202\001\014\060\040\006\003\125\035\021\004\031\060\027\244\025"
+"\060\023\061\021\060\017\006\003\125\004\003\023\010\117\103\123"
+"\120\040\061\055\061\060\061\006\003\125\035\037\004\052\060\050"
+"\060\046\240\044\240\042\206\040\150\164\164\160\072\057\057\143"
+"\162\154\056\166\145\162\151\163\151\147\156\056\143\157\155\057"
+"\160\143\141\061\056\143\162\154\060\023\006\003\125\035\045\004"
+"\014\060\012\006\010\053\006\001\005\005\007\003\011\060\102\006"
+"\010\053\006\001\005\005\007\001\001\004\066\060\064\060\062\006"
+"\010\053\006\001\005\005\007\060\001\246\046\026\044\150\164\164"
+"\160\072\057\057\157\143\163\160\056\166\145\162\151\163\151\147"
+"\156\056\143\157\155\057\157\143\163\160\057\163\164\141\164\165"
+"\163\060\104\006\003\125\035\040\004\075\060\073\060\071\006\013"
+"\140\206\110\001\206\370\105\001\007\001\001\060\052\060\050\006"
+"\010\053\006\001\005\005\007\002\001\026\034\150\164\164\160\163"
+"\072\057\057\167\167\167\056\166\145\162\151\163\151\147\156\056"
+"\143\157\155\057\122\120\101\060\011\006\003\125\035\023\004\002"
+"\060\000\060\013\006\003\125\035\017\004\004\003\002\007\200\060"
+"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003\201"
+"\201\000\160\220\335\270\344\276\123\027\174\177\002\351\325\367"
+"\213\231\223\061\140\215\176\346\140\153\044\357\140\254\322\316"
+"\221\336\200\155\011\244\323\270\070\345\104\312\162\136\015\055"
+"\301\167\234\275\054\003\170\051\215\244\245\167\207\365\361\053"
+"\046\255\314\007\154\072\124\132\050\340\011\363\115\012\004\312"
+"\324\130\151\013\247\263\365\335\001\245\347\334\360\037\272\301"
+"\135\220\215\263\352\117\301\021\131\227\152\262\053\023\261\332"
+"\255\227\241\263\261\240\040\133\312\062\253\215\317\023\360\037"
+"\051\303"
+, (PRUint32)930 }
+};
+static const NSSItem nss_builtins_items_163 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 1 Public Primary OCSP Responder", (PRUint32)47 },
+  { (void *)"\004\226\110\344\112\311\314\255\105\203\230\331\074\175\221\365"
+"\042\104\033\212"
+, (PRUint32)20 },
+  { (void *)"\176\157\072\123\033\174\276\260\060\333\103\036\036\224\211\262"
+, (PRUint32)16 },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
+"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
+"\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151"
+"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
+"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)97 },
+  { (void *)"\053\150\324\243\106\236\305\073\050\011\253\070\135\177\047\040"
+, (PRUint32)16 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_164 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 2 Public Primary OCSP Responder", (PRUint32)47 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145"
+"\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035"
+"\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040"
+"\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060"
+"\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146"
+"\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057"
+"\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155"
+"\057\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003"
+"\125\004\003\023\045\103\154\141\163\163\040\062\040\120\165\142"
+"\154\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120"
+"\040\122\145\163\160\157\156\144\145\162"
+, (PRUint32)170 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
+"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
+"\013\023\056\103\154\141\163\163\040\062\040\120\165\142\154\151"
+"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
+"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)97 },
+  { (void *)"\011\106\027\346\035\330\324\034\240\014\240\142\350\171\212\247"
+, (PRUint32)16 },
+  { (void *)"\060\202\003\236\060\202\003\007\240\003\002\001\002\002\020\011"
+"\106\027\346\035\330\324\034\240\014\240\142\350\171\212\247\060"
+"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\137"
+"\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060"
+"\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156"
+"\054\040\111\156\143\056\061\067\060\065\006\003\125\004\013\023"
+"\056\103\154\141\163\163\040\062\040\120\165\142\154\151\143\040"
+"\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143"
+"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060"
+"\036\027\015\060\060\060\070\060\061\060\060\060\060\060\060\132"
+"\027\015\060\064\060\067\063\061\062\063\065\071\065\071\132\060"
+"\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145\162"
+"\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035\006"
+"\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040\124"
+"\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060\071"
+"\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146\040"
+"\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057\167"
+"\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155\057"
+"\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003\125"
+"\004\003\023\045\103\154\141\163\163\040\062\040\120\165\142\154"
+"\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120\040"
+"\122\145\163\160\157\156\144\145\162\060\201\237\060\015\006\011"
+"\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060"
+"\201\211\002\201\201\000\320\312\143\061\141\177\104\064\174\005"
+"\175\013\075\152\220\313\171\113\167\012\077\113\307\043\345\300"
+"\142\055\176\234\176\076\210\207\221\320\254\350\115\111\207\242"
+"\226\220\212\335\004\245\002\077\214\233\351\211\376\142\240\342"
+"\132\275\310\335\264\170\346\245\102\223\010\147\001\300\040\115"
+"\327\134\364\135\332\263\343\067\246\122\032\054\114\145\115\212"
+"\207\331\250\243\361\111\124\273\074\134\200\121\150\306\373\111"
+"\377\013\125\253\025\335\373\232\301\271\035\164\015\262\214\104"
+"\135\211\374\237\371\203\002\003\001\000\001\243\202\001\020\060"
+"\202\001\014\060\040\006\003\125\035\021\004\031\060\027\244\025"
+"\060\023\061\021\060\017\006\003\125\004\003\023\010\117\103\123"
+"\120\040\061\055\062\060\061\006\003\125\035\037\004\052\060\050"
+"\060\046\240\044\240\042\206\040\150\164\164\160\072\057\057\143"
+"\162\154\056\166\145\162\151\163\151\147\156\056\143\157\155\057"
+"\160\143\141\062\056\143\162\154\060\023\006\003\125\035\045\004"
+"\014\060\012\006\010\053\006\001\005\005\007\003\011\060\102\006"
+"\010\053\006\001\005\005\007\001\001\004\066\060\064\060\062\006"
+"\010\053\006\001\005\005\007\060\001\246\046\026\044\150\164\164"
+"\160\072\057\057\157\143\163\160\056\166\145\162\151\163\151\147"
+"\156\056\143\157\155\057\157\143\163\160\057\163\164\141\164\165"
+"\163\060\104\006\003\125\035\040\004\075\060\073\060\071\006\013"
+"\140\206\110\001\206\370\105\001\007\001\001\060\052\060\050\006"
+"\010\053\006\001\005\005\007\002\001\026\034\150\164\164\160\163"
+"\072\057\057\167\167\167\056\166\145\162\151\163\151\147\156\056"
+"\143\157\155\057\122\120\101\060\011\006\003\125\035\023\004\002"
+"\060\000\060\013\006\003\125\035\017\004\004\003\002\007\200\060"
+"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003\201"
+"\201\000\037\175\011\156\044\106\165\004\234\363\046\233\343\071"
+"\156\027\357\274\275\242\033\322\002\204\206\253\320\100\227\054"
+"\304\103\210\067\031\153\042\250\003\161\120\235\040\334\066\140"
+"\040\232\163\055\163\125\154\130\233\054\302\264\064\054\172\063"
+"\102\312\221\331\351\103\257\317\036\340\365\304\172\253\077\162"
+"\143\036\251\067\341\133\073\210\263\023\206\202\220\127\313\127"
+"\377\364\126\276\042\335\343\227\250\341\274\042\103\302\335\115"
+"\333\366\201\236\222\024\236\071\017\023\124\336\202\330\300\136"
+"\064\215"
+, (PRUint32)930 }
+};
+static const NSSItem nss_builtins_items_165 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 2 Public Primary OCSP Responder", (PRUint32)47 },
+  { (void *)"\042\171\151\276\320\122\116\115\035\066\262\361\162\041\167\361"
+"\124\123\110\167"
+, (PRUint32)20 },
+  { (void *)"\363\105\275\020\226\015\205\113\357\237\021\142\064\247\136\265"
+, (PRUint32)16 },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
+"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
+"\013\023\056\103\154\141\163\163\040\062\040\120\165\142\154\151"
+"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
+"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)97 },
+  { (void *)"\011\106\027\346\035\330\324\034\240\014\240\142\350\171\212\247"
+, (PRUint32)16 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_166 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 3 Public Primary OCSP Responder", (PRUint32)47 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145"
+"\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035"
+"\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040"
+"\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060"
+"\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146"
+"\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057"
+"\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155"
+"\057\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003"
+"\125\004\003\023\045\103\154\141\163\163\040\063\040\120\165\142"
+"\154\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120"
+"\040\122\145\163\160\157\156\144\145\162"
+, (PRUint32)170 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
+"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
+"\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151"
+"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
+"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)97 },
+  { (void *)"\056\226\236\277\266\142\154\354\173\351\163\314\343\154\301\204"
+, (PRUint32)16 },
+  { (void *)"\060\202\003\242\060\202\003\013\240\003\002\001\002\002\020\056"
+"\226\236\277\266\142\154\354\173\351\163\314\343\154\301\204\060"
+"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\137"
+"\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060"
+"\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156"
+"\054\040\111\156\143\056\061\067\060\065\006\003\125\004\013\023"
+"\056\103\154\141\163\163\040\063\040\120\165\142\154\151\143\040"
+"\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143"
+"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060"
+"\036\027\015\060\060\060\070\060\064\060\060\060\060\060\060\132"
+"\027\015\060\064\060\070\060\063\062\063\065\071\065\071\132\060"
+"\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145\162"
+"\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035\006"
+"\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040\124"
+"\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060\071"
+"\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146\040"
+"\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057\167"
+"\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155\057"
+"\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003\125"
+"\004\003\023\045\103\154\141\163\163\040\063\040\120\165\142\154"
+"\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120\040"
+"\122\145\163\160\157\156\144\145\162\060\201\237\060\015\006\011"
+"\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060"
+"\201\211\002\201\201\000\361\344\010\016\203\273\165\343\110\345"
+"\270\333\246\360\271\253\351\074\142\307\136\065\133\320\002\124"
+"\021\330\311\321\126\271\166\113\271\253\172\346\315\272\366\014"
+"\004\326\176\326\260\012\145\254\116\071\343\361\367\055\243\045"
+"\071\357\260\213\317\276\333\014\135\156\160\364\007\315\160\367"
+"\072\300\076\065\026\355\170\214\103\317\302\046\056\107\326\206"
+"\175\234\361\276\326\147\014\042\045\244\312\145\346\037\172\170"
+"\050\057\077\005\333\004\041\277\341\105\146\376\074\267\202\355"
+"\132\270\026\025\271\125\002\003\001\000\001\243\202\001\024\060"
+"\202\001\020\060\040\006\003\125\035\021\004\031\060\027\244\025"
+"\060\023\061\021\060\017\006\003\125\004\003\023\010\117\103\123"
+"\120\040\061\055\063\060\065\006\003\125\035\037\004\056\060\054"
+"\060\052\240\050\240\046\206\044\150\164\164\160\072\057\057\143"
+"\162\154\056\166\145\162\151\163\151\147\156\056\143\157\155\057"
+"\160\143\141\063\056\061\056\061\056\143\162\154\060\023\006\003"
+"\125\035\045\004\014\060\012\006\010\053\006\001\005\005\007\003"
+"\011\060\102\006\010\053\006\001\005\005\007\001\001\004\066\060"
+"\064\060\062\006\010\053\006\001\005\005\007\060\001\246\046\026"
+"\044\150\164\164\160\072\057\057\157\143\163\160\056\166\145\162"
+"\151\163\151\147\156\056\143\157\155\057\157\143\163\160\057\163"
+"\164\141\164\165\163\060\104\006\003\125\035\040\004\075\060\073"
+"\060\071\006\013\140\206\110\001\206\370\105\001\007\001\001\060"
+"\052\060\050\006\010\053\006\001\005\005\007\002\001\026\034\150"
+"\164\164\160\163\072\057\057\167\167\167\056\166\145\162\151\163"
+"\151\147\156\056\143\157\155\057\122\120\101\060\011\006\003\125"
+"\035\023\004\002\060\000\060\013\006\003\125\035\017\004\004\003"
+"\002\007\200\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\003\201\201\000\002\366\123\143\300\251\036\362\320\213"
+"\063\060\217\110\233\114\260\126\264\203\161\112\276\334\120\330"
+"\365\266\340\013\333\275\170\117\351\317\011\064\332\051\111\235"
+"\001\163\132\221\221\202\124\054\023\012\323\167\043\317\067\374"
+"\143\336\247\343\366\267\265\151\105\050\111\303\221\334\252\107"
+"\034\251\210\231\054\005\052\215\215\212\372\142\342\132\267\000"
+"\040\135\071\304\050\302\313\374\236\250\211\256\133\075\216\022"
+"\352\062\262\374\353\024\327\011\025\032\300\315\033\325\265\025"
+"\116\101\325\226\343\116"
+, (PRUint32)934 }
+};
+static const NSSItem nss_builtins_items_167 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Class 3 Public Primary OCSP Responder", (PRUint32)47 },
+  { (void *)"\265\355\267\332\046\072\126\164\322\042\105\060\324\307\217\172"
+"\007\365\345\137"
+, (PRUint32)20 },
+  { (void *)"\175\121\222\311\166\203\230\026\336\214\263\206\304\175\146\373"
+, (PRUint32)16 },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151"
+"\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004"
+"\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151"
+"\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146"
+"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)97 },
+  { (void *)"\056\226\236\277\266\142\154\354\173\351\163\314\343\154\301\204"
+, (PRUint32)16 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_168 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Secure Server OCSP Responder", (PRUint32)38 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\236\061\027\060\025\006\003\125\004\012\023\016\126\145"
+"\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035"
+"\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040"
+"\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060"
+"\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146"
+"\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057"
+"\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155"
+"\057\122\120\101\040\050\143\051\060\060\061\045\060\043\006\003"
+"\125\004\003\023\034\123\145\143\165\162\145\040\123\145\162\166"
+"\145\162\040\117\103\123\120\040\122\145\163\160\157\156\144\145"
+"\162"
+, (PRUint32)161 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\040\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141"
+"\164\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143"
+"\056\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165"
+"\162\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146"
+"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)97 },
+  { (void *)"\000\377\105\325\047\135\044\373\263\302\071\044\123\127\341\117"
+"\336"
+, (PRUint32)17 },
+  { (void *)"\060\202\003\237\060\202\003\014\240\003\002\001\002\002\021\000"
+"\377\105\325\047\135\044\373\263\302\071\044\123\127\341\117\336"
+"\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060"
+"\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061\040"
+"\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141\164"
+"\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143\056"
+"\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165\162"
+"\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146\151"
+"\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171"
+"\060\036\027\015\060\060\060\070\060\064\060\060\060\060\060\060"
+"\132\027\015\060\064\060\070\060\063\062\063\065\071\065\071\132"
+"\060\201\236\061\027\060\025\006\003\125\004\012\023\016\126\145"
+"\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035"
+"\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040"
+"\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060"
+"\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146"
+"\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057"
+"\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155"
+"\057\122\120\101\040\050\143\051\060\060\061\045\060\043\006\003"
+"\125\004\003\023\034\123\145\143\165\162\145\040\123\145\162\166"
+"\145\162\040\117\103\123\120\040\122\145\163\160\157\156\144\145"
+"\162\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001"
+"\001\005\000\003\201\215\000\060\201\211\002\201\201\000\270\121"
+"\231\144\205\016\356\263\012\150\360\277\143\166\035\123\365\374"
+"\241\170\214\063\356\237\364\276\071\332\233\017\115\107\251\217"
+"\040\350\113\104\275\316\315\173\220\321\060\350\220\304\045\173"
+"\211\050\336\275\366\223\035\377\271\377\222\265\251\215\344\256"
+"\314\342\303\007\203\152\243\162\020\001\047\142\042\246\065\046"
+"\071\055\236\317\140\014\374\107\244\327\320\102\170\247\035\154"
+"\320\313\117\025\247\051\012\264\225\105\304\261\347\132\011\327"
+"\071\225\330\035\065\236\302\275\263\135\301\014\113\037\002\003"
+"\001\000\001\243\202\001\035\060\202\001\031\060\040\006\003\125"
+"\035\021\004\031\060\027\244\025\060\023\061\021\060\017\006\003"
+"\125\004\003\023\010\117\103\123\120\040\061\055\064\060\076\006"
+"\003\125\035\037\004\067\060\065\060\063\240\061\240\057\206\055"
+"\150\164\164\160\072\057\057\143\162\154\056\166\145\162\151\163"
+"\151\147\156\056\143\157\155\057\122\123\101\123\145\143\165\162"
+"\145\123\145\162\166\145\162\055\160\056\143\162\154\060\023\006"
+"\003\125\035\045\004\014\060\012\006\010\053\006\001\005\005\007"
+"\003\011\060\102\006\010\053\006\001\005\005\007\001\001\004\066"
+"\060\064\060\062\006\010\053\006\001\005\005\007\060\001\246\046"
+"\026\044\150\164\164\160\072\057\057\157\143\163\160\056\166\145"
+"\162\151\163\151\147\156\056\143\157\155\057\157\143\163\160\057"
+"\163\164\141\164\165\163\060\104\006\003\125\035\040\004\075\060"
+"\073\060\071\006\013\140\206\110\001\206\370\105\001\007\001\001"
+"\060\052\060\050\006\010\053\006\001\005\005\007\002\001\026\034"
+"\150\164\164\160\163\072\057\057\167\167\167\056\166\145\162\151"
+"\163\151\147\156\056\143\157\155\057\122\120\101\060\011\006\003"
+"\125\035\023\004\002\060\000\060\013\006\003\125\035\017\004\004"
+"\003\002\007\200\060\015\006\011\052\206\110\206\367\015\001\001"
+"\005\005\000\003\176\000\000\263\020\123\146\234\111\223\056\061"
+"\240\002\102\322\130\127\176\146\241\376\033\212\141\030\120\100"
+"\054\036\053\101\245\326\333\377\254\010\034\132\005\155\002\134"
+"\052\266\226\117\107\333\276\116\333\316\314\272\206\270\030\316"
+"\261\022\221\137\143\367\363\110\076\314\361\115\023\344\155\011"
+"\224\170\000\222\313\243\040\235\006\013\152\240\103\007\316\321"
+"\031\154\217\030\165\232\237\027\063\375\251\046\270\343\342\336"
+"\302\250\304\132\212\177\230\326\007\006\153\314\126\236\206\160"
+"\316\324\357"
+, (PRUint32)931 }
+};
+static const NSSItem nss_builtins_items_169 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Secure Server OCSP Responder", (PRUint32)38 },
+  { (void *)"\161\236\140\141\327\175\054\203\361\242\135\074\366\215\002\274"
+"\224\070\305\056"
+, (PRUint32)20 },
+  { (void *)"\054\142\303\330\200\001\026\011\352\131\352\170\253\020\103\366"
+, (PRUint32)16 },
+  { (void *)"\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061"
+"\040\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141"
+"\164\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143"
+"\056\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165"
+"\162\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146"
+"\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164"
+"\171"
+, (PRUint32)97 },
+  { (void *)"\000\377\105\325\047\135\044\373\263\302\071\044\123\127\341\117"
+"\336"
+, (PRUint32)17 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_170 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Time Stamping Authority CA", (PRUint32)36 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\245\061\027\060\025\006\003\125\004\012\023\016\126\145"
+"\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035"
+"\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040"
+"\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060"
+"\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146"
+"\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057"
+"\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155"
+"\057\162\160\141\040\050\143\051\060\060\061\054\060\052\006\003"
+"\125\004\003\023\043\126\145\162\151\123\151\147\156\040\124\151"
+"\155\145\040\123\164\141\155\160\151\156\147\040\101\165\164\150"
+"\157\162\151\164\171\040\103\101"
+, (PRUint32)168 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
+"\004\013\023\063\103\154\141\163\163\040\063\040\120\165\142\154"
+"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
+"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
+"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
+"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
+"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
+"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
+"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
+"\167\157\162\153"
+, (PRUint32)196 },
+  { (void *)"\123\141\262\140\256\333\161\216\247\224\263\023\063\364\007\011"
+, (PRUint32)16 },
+  { (void *)"\060\202\003\315\060\202\003\066\240\003\002\001\002\002\020\123"
+"\141\262\140\256\333\161\216\247\224\263\023\063\364\007\011\060"
+"\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201"
+"\301\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027"
+"\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147"
+"\156\054\040\111\156\143\056\061\074\060\072\006\003\125\004\013"
+"\023\063\103\154\141\163\163\040\063\040\120\165\142\154\151\143"
+"\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151"
+"\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171"
+"\040\055\040\107\062\061\072\060\070\006\003\125\004\013\023\061"
+"\050\143\051\040\061\071\071\070\040\126\145\162\151\123\151\147"
+"\156\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165"
+"\164\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154"
+"\171\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151"
+"\123\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157"
+"\162\153\060\036\027\015\060\060\060\071\062\066\060\060\060\060"
+"\060\060\132\027\015\061\060\060\071\062\065\062\063\065\071\065"
+"\071\132\060\201\245\061\027\060\025\006\003\125\004\012\023\016"
+"\126\145\162\151\123\151\147\156\054\040\111\156\143\056\061\037"
+"\060\035\006\003\125\004\013\023\026\126\145\162\151\123\151\147"
+"\156\040\124\162\165\163\164\040\116\145\164\167\157\162\153\061"
+"\073\060\071\006\003\125\004\013\023\062\124\145\162\155\163\040"
+"\157\146\040\165\163\145\040\141\164\040\150\164\164\160\163\072"
+"\057\057\167\167\167\056\166\145\162\151\163\151\147\156\056\143"
+"\157\155\057\162\160\141\040\050\143\051\060\060\061\054\060\052"
+"\006\003\125\004\003\023\043\126\145\162\151\123\151\147\156\040"
+"\124\151\155\145\040\123\164\141\155\160\151\156\147\040\101\165"
+"\164\150\157\162\151\164\171\040\103\101\060\201\237\060\015\006"
+"\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000"
+"\060\201\211\002\201\201\000\322\031\235\147\302\000\041\131\142"
+"\316\264\011\042\104\151\212\370\045\132\333\355\015\267\066\176"
+"\116\340\273\224\076\220\045\207\302\141\107\051\331\275\124\270"
+"\143\314\054\175\151\264\063\066\364\067\007\232\301\335\100\124"
+"\374\340\170\235\240\223\271\011\075\043\121\177\104\302\024\164"
+"\333\012\276\313\311\060\064\100\230\076\320\327\045\020\201\224"
+"\275\007\117\234\326\124\047\337\056\250\277\313\220\214\215\165"
+"\113\274\342\350\104\207\315\346\101\012\045\156\350\364\044\002"
+"\305\122\017\156\354\230\165\002\003\001\000\001\243\201\337\060"
+"\201\334\060\017\006\003\125\035\023\004\010\060\006\001\001\377"
+"\002\001\000\060\105\006\003\125\035\040\004\076\060\074\060\072"
+"\006\014\140\206\110\001\206\370\105\001\007\027\001\003\060\052"
+"\060\050\006\010\053\006\001\005\005\007\002\001\026\034\150\164"
+"\164\160\163\072\057\057\167\167\167\056\166\145\162\151\163\151"
+"\147\156\056\143\157\155\057\162\160\141\060\061\006\003\125\035"
+"\037\004\052\060\050\060\046\240\044\240\042\206\040\150\164\164"
+"\160\072\057\057\143\162\154\056\166\145\162\151\163\151\147\156"
+"\056\143\157\155\057\160\143\141\063\056\143\162\154\060\013\006"
+"\003\125\035\017\004\004\003\002\001\006\060\102\006\010\053\006"
+"\001\005\005\007\001\001\004\066\060\064\060\062\006\010\053\006"
+"\001\005\005\007\060\001\246\046\026\044\150\164\164\160\072\057"
+"\057\157\143\163\160\056\166\145\162\151\163\151\147\156\056\143"
+"\157\155\057\157\143\163\160\057\163\164\141\164\165\163\060\015"
+"\006\011\052\206\110\206\367\015\001\001\005\005\000\003\201\201"
+"\000\202\160\150\225\337\266\015\302\001\160\031\112\322\124\126"
+"\036\254\362\105\114\207\270\365\065\353\170\113\005\251\310\235"
+"\073\031\041\056\160\064\112\242\365\211\340\025\165\105\347\050"
+"\067\000\064\047\051\350\067\113\362\357\104\227\153\027\121\032"
+"\303\126\235\074\032\212\366\112\106\106\067\214\372\313\365\144"
+"\132\070\150\056\034\303\357\160\316\270\106\006\026\277\367\176"
+"\347\265\250\076\105\254\251\045\165\042\173\157\077\260\234\224"
+"\347\307\163\253\254\037\356\045\233\300\026\355\267\312\133\360"
+"\024"
+, (PRUint32)977 }
+};
+static const NSSItem nss_builtins_items_171 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Verisign Time Stamping Authority CA", (PRUint32)36 },
+  { (void *)"\246\017\064\310\142\154\201\366\213\367\175\251\366\147\130\212"
+"\220\077\175\066"
+, (PRUint32)20 },
+  { (void *)"\211\111\124\214\310\150\232\203\051\354\334\006\163\041\253\227"
+, (PRUint32)16 },
+  { (void *)"\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125"
+"\004\013\023\063\103\154\141\163\163\040\063\040\120\165\142\154"
+"\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
+"\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
+"\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013"
+"\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123"
+"\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040"
+"\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157"
+"\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145"
+"\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164"
+"\167\157\162\153"
+, (PRUint32)196 },
+  { (void *)"\123\141\262\140\256\333\161\216\247\224\263\023\063\364\007\011"
+, (PRUint32)16 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_172 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Thawte Time Stamping CA", (PRUint32)24 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\213\061\013\060\011\006\003\125\004\006\023\002\132\101"
+"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
+"\162\156\040\103\141\160\145\061\024\060\022\006\003\125\004\007"
+"\023\013\104\165\162\142\141\156\166\151\154\154\145\061\017\060"
+"\015\006\003\125\004\012\023\006\124\150\141\167\164\145\061\035"
+"\060\033\006\003\125\004\013\023\024\124\150\141\167\164\145\040"
+"\103\145\162\164\151\146\151\143\141\164\151\157\156\061\037\060"
+"\035\006\003\125\004\003\023\026\124\150\141\167\164\145\040\124"
+"\151\155\145\163\164\141\155\160\151\156\147\040\103\101"
+, (PRUint32)142 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\213\061\013\060\011\006\003\125\004\006\023\002\132\101"
+"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
+"\162\156\040\103\141\160\145\061\024\060\022\006\003\125\004\007"
+"\023\013\104\165\162\142\141\156\166\151\154\154\145\061\017\060"
+"\015\006\003\125\004\012\023\006\124\150\141\167\164\145\061\035"
+"\060\033\006\003\125\004\013\023\024\124\150\141\167\164\145\040"
+"\103\145\162\164\151\146\151\143\141\164\151\157\156\061\037\060"
+"\035\006\003\125\004\003\023\026\124\150\141\167\164\145\040\124"
+"\151\155\145\163\164\141\155\160\151\156\147\040\103\101"
+, (PRUint32)142 },
+  { (void *)"\000"
+, (PRUint32)1 },
+  { (void *)"\060\202\002\241\060\202\002\012\240\003\002\001\002\002\001\000"
+"\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060"
+"\201\213\061\013\060\011\006\003\125\004\006\023\002\132\101\061"
+"\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162"
+"\156\040\103\141\160\145\061\024\060\022\006\003\125\004\007\023"
+"\013\104\165\162\142\141\156\166\151\154\154\145\061\017\060\015"
+"\006\003\125\004\012\023\006\124\150\141\167\164\145\061\035\060"
+"\033\006\003\125\004\013\023\024\124\150\141\167\164\145\040\103"
+"\145\162\164\151\146\151\143\141\164\151\157\156\061\037\060\035"
+"\006\003\125\004\003\023\026\124\150\141\167\164\145\040\124\151"
+"\155\145\163\164\141\155\160\151\156\147\040\103\101\060\036\027"
+"\015\071\067\060\061\060\061\060\060\060\060\060\060\132\027\015"
+"\062\060\061\062\063\061\062\063\065\071\065\071\132\060\201\213"
+"\061\013\060\011\006\003\125\004\006\023\002\132\101\061\025\060"
+"\023\006\003\125\004\010\023\014\127\145\163\164\145\162\156\040"
+"\103\141\160\145\061\024\060\022\006\003\125\004\007\023\013\104"
+"\165\162\142\141\156\166\151\154\154\145\061\017\060\015\006\003"
+"\125\004\012\023\006\124\150\141\167\164\145\061\035\060\033\006"
+"\003\125\004\013\023\024\124\150\141\167\164\145\040\103\145\162"
+"\164\151\146\151\143\141\164\151\157\156\061\037\060\035\006\003"
+"\125\004\003\023\026\124\150\141\167\164\145\040\124\151\155\145"
+"\163\164\141\155\160\151\156\147\040\103\101\060\201\237\060\015"
+"\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215"
+"\000\060\201\211\002\201\201\000\326\053\130\170\141\105\206\123"
+"\352\064\173\121\234\355\260\346\056\030\016\376\340\137\250\047"
+"\323\264\311\340\174\131\116\026\016\163\124\140\301\177\366\237"
+"\056\351\072\205\044\025\074\333\107\004\143\303\236\304\224\032"
+"\132\337\114\172\363\331\103\035\074\020\172\171\045\333\220\376"
+"\360\121\347\060\326\101\000\375\237\050\337\171\276\224\273\235"
+"\266\024\343\043\205\327\251\101\340\114\244\171\260\053\032\213"
+"\362\370\073\212\076\105\254\161\222\000\264\220\101\230\373\137"
+"\355\372\267\056\212\370\210\067\002\003\001\000\001\243\023\060"
+"\021\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001"
+"\001\377\060\015\006\011\052\206\110\206\367\015\001\001\004\005"
+"\000\003\201\201\000\147\333\342\302\346\207\075\100\203\206\067"
+"\065\175\037\316\232\303\014\146\040\250\272\252\004\211\206\302"
+"\365\020\010\015\277\313\242\005\212\320\115\066\076\364\327\357"
+"\151\306\136\344\260\224\157\112\271\347\336\133\210\266\173\333"
+"\343\047\345\166\303\360\065\301\313\265\047\233\063\171\334\220"
+"\246\000\236\167\372\374\315\047\224\102\026\234\323\034\150\354"
+"\277\134\335\345\251\173\020\012\062\164\124\023\061\213\205\003"
+"\204\221\267\130\001\060\024\070\257\050\312\374\261\120\031\031"
+"\011\254\211\111\323"
+, (PRUint32)677 }
+};
+static const NSSItem nss_builtins_items_173 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Thawte Time Stamping CA", (PRUint32)24 },
+  { (void *)"\276\066\244\126\057\262\356\005\333\263\323\043\043\255\364\105"
+"\010\116\326\126"
+, (PRUint32)20 },
+  { (void *)"\177\146\172\161\323\353\151\170\040\232\121\024\235\203\332\040"
+, (PRUint32)16 },
+  { (void *)"\060\201\213\061\013\060\011\006\003\125\004\006\023\002\132\101"
+"\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145"
+"\162\156\040\103\141\160\145\061\024\060\022\006\003\125\004\007"
+"\023\013\104\165\162\142\141\156\166\151\154\154\145\061\017\060"
+"\015\006\003\125\004\012\023\006\124\150\141\167\164\145\061\035"
+"\060\033\006\003\125\004\013\023\024\124\150\141\167\164\145\040"
+"\103\145\162\164\151\146\151\143\141\164\151\157\156\061\037\060"
+"\035\006\003\125\004\003\023\026\124\150\141\167\164\145\040\124"
+"\151\155\145\163\164\141\155\160\151\156\147\040\103\101"
+, (PRUint32)142 },
+  { (void *)"\000"
+, (PRUint32)1 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_174 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"E-Certify CA", (PRUint32)13 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061"
+"\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164"
+"\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104"
+"\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003"
+"\023\014\105\055\103\145\162\164\151\146\171\040\103\101"
+, (PRUint32)78 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061"
+"\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164"
+"\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104"
+"\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003"
+"\023\014\105\055\103\145\162\164\151\146\171\040\103\101"
+, (PRUint32)78 },
+  { (void *)"\001\115\105\234"
+, (PRUint32)4 },
+  { (void *)"\060\202\003\071\060\202\002\041\240\003\002\001\002\002\004\001"
+"\115\105\234\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\060\114\061\013\060\011\006\003\125\004\006\023\002\143"
+"\141\061\022\060\020\006\003\125\004\012\023\011\105\055\103\145"
+"\162\164\151\146\171\061\022\060\020\006\003\125\004\013\023\011"
+"\111\104\040\103\145\156\164\145\162\061\025\060\023\006\003\125"
+"\004\003\023\014\105\055\103\145\162\164\151\146\171\040\103\101"
+"\060\036\027\015\071\071\060\071\062\070\061\066\064\070\062\071"
+"\132\027\015\060\064\060\071\062\070\061\066\064\070\062\071\132"
+"\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061"
+"\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164"
+"\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104"
+"\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003"
+"\023\014\105\055\103\145\162\164\151\146\171\040\103\101\060\202"
+"\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005"
+"\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000\272"
+"\233\246\161\200\125\164\111\051\125\166\033\307\066\225\060\054"
+"\062\011\121\356\060\244\153\150\207\107\330\050\012\027\177\157"
+"\250\232\040\266\253\001\322\256\240\105\106\065\002\002\374\332"
+"\340\040\162\012\063\015\223\160\270\004\220\111\371\150\070\273"
+"\015\021\156\071\135\130\172\306\043\146\351\273\027\062\046\350"
+"\354\022\150\207\051\314\271\345\117\314\210\033\355\225\161\241"
+"\123\042\056\355\203\134\376\062\127\114\122\123\070\341\025\155"
+"\000\125\111\207\044\313\344\026\110\270\231\345\332\172\337\243"
+"\205\230\164\302\371\253\153\111\315\377\102\315\270\055\264\200"
+"\313\114\172\065\374\220\277\115\323\000\355\317\214\377\117\071"
+"\373\172\170\360\016\015\111\177\123\076\024\233\046\250\252\311"
+"\273\341\321\033\335\034\060\257\001\346\233\046\006\144\274\357"
+"\130\114\132\105\225\120\304\054\076\164\130\351\074\257\373\303"
+"\253\122\004\332\044\362\261\304\366\133\323\110\340\301\204\060"
+"\174\321\165\077\344\123\163\135\211\330\356\100\117\011\227\227"
+"\205\143\215\325\240\256\206\203\153\333\124\150\136\350\113\002"
+"\003\001\000\001\243\043\060\041\060\014\006\003\125\035\023\004"
+"\005\060\003\001\001\377\060\021\006\011\140\206\110\001\206\370"
+"\102\001\001\004\004\003\002\000\007\060\015\006\011\052\206\110"
+"\206\367\015\001\001\005\005\000\003\202\001\001\000\163\076\031"
+"\174\330\126\321\305\377\012\235\347\266\315\227\363\247\341\101"
+"\310\176\202\065\377\233\226\322\013\357\161\362\020\345\104\313"
+"\222\350\016\132\346\076\304\364\225\151\002\274\013\126\200\271"
+"\161\027\143\036\101\111\052\065\352\034\325\144\253\111\355\013"
+"\076\213\124\241\115\050\150\352\275\267\201\077\065\171\202\367"
+"\064\274\171\210\045\236\200\347\317\250\025\257\362\341\025\053"
+"\007\121\340\324\215\112\112\003\300\042\053\271\150\112\200\303"
+"\250\205\010\325\247\052\275\313\247\143\175\243\260\312\126\140"
+"\154\105\341\312\277\024\122\012\302\305\145\354\241\075\037\100"
+"\371\120\132\344\064\012\157\302\164\254\174\314\047\352\343\207"
+"\245\123\310\336\174\076\135\102\122\132\353\005\150\246\030\062"
+"\140\040\170\153\160\024\140\041\202\011\075\036\126\300\025\141"
+"\000\121\145\262\061\022\371\306\112\006\274\137\364\071\037\166"
+"\232\211\170\351\066\202\332\265\157\213\177\211\265\114\367\145"
+"\030\134\201\363\356\120\326\335\354\151\110\237\053\265\336\076"
+"\275\372\274\154\153\147\123\233\261\223\271\221\106"
+, (PRUint32)829 }
+};
+static const NSSItem nss_builtins_items_175 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"E-Certify CA", (PRUint32)13 },
+  { (void *)"\133\330\153\206\375\275\330\206\371\233\310\120\106\350\052\112"
+"\211\152\317\357"
+, (PRUint32)20 },
+  { (void *)"\256\065\177\222\227\106\174\217\023\051\341\333\236\102\145\152"
+, (PRUint32)16 },
+  { (void *)"\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061"
+"\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164"
+"\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104"
+"\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003"
+"\023\014\105\055\103\145\162\164\151\146\171\040\103\101"
+, (PRUint32)78 },
+  { (void *)"\001\115\105\234"
+, (PRUint32)4 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_176 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"E-Certify RA", (PRUint32)13 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061"
+"\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164"
+"\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104"
+"\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003"
+"\023\014\105\055\103\145\162\164\151\146\171\040\122\101"
+, (PRUint32)78 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061"
+"\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164"
+"\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104"
+"\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003"
+"\023\014\105\055\103\145\162\164\151\146\171\040\103\101"
+, (PRUint32)78 },
+  { (void *)"\001\117\353\020"
+, (PRUint32)4 },
+  { (void *)"\060\202\003\071\060\202\002\041\240\003\002\001\002\002\004\001"
+"\117\353\020\060\015\006\011\052\206\110\206\367\015\001\001\005"
+"\005\000\060\114\061\013\060\011\006\003\125\004\006\023\002\143"
+"\141\061\022\060\020\006\003\125\004\012\023\011\105\055\103\145"
+"\162\164\151\146\171\061\022\060\020\006\003\125\004\013\023\011"
+"\111\104\040\103\145\156\164\145\162\061\025\060\023\006\003\125"
+"\004\003\023\014\105\055\103\145\162\164\151\146\171\040\103\101"
+"\060\036\027\015\071\071\060\071\063\060\061\066\065\070\065\067"
+"\132\027\015\060\064\060\071\062\067\061\066\065\070\065\067\132"
+"\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061"
+"\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164"
+"\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104"
+"\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003"
+"\023\014\105\055\103\145\162\164\151\146\171\040\122\101\060\202"
+"\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005"
+"\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000\334"
+"\260\267\045\373\356\014\272\330\243\162\104\017\052\243\343\110"
+"\004\321\364\060\164\006\010\016\137\067\307\066\267\202\232\045"
+"\113\254\153\111\231\000\033\027\362\360\337\027\027\351\355\040"
+"\152\024\153\375\311\314\017\346\014\153\206\345\365\244\372\333"
+"\005\052\000\310\015\352\252\145\100\066\312\363\345\165\071\216"
+"\334\146\333\104\034\236\303\213\103\070\313\274\360\232\311\331"
+"\312\067\023\312\122\301\055\351\107\040\345\314\044\170\340\346"
+"\033\114\270\322\124\202\155\016\271\041\140\357\174\264\000\373"
+"\122\304\057\012\367\004\116\204\057\337\030\254\143\006\040\335"
+"\332\261\201\301\341\255\177\030\210\167\363\353\370\255\317\172"
+"\020\120\126\171\236\124\317\336\034\233\327\102\224\341\317\325"
+"\154\365\136\075\315\345\147\023\073\232\315\072\142\204\371\141"
+"\036\155\325\130\216\331\371\255\052\076\226\361\355\252\177\020"
+"\356\366\000\205\074\261\005\013\064\321\134\142\340\215\022\256"
+"\275\114\124\300\342\274\144\161\140\145\206\306\331\204\253\130"
+"\140\152\061\156\175\117\261\210\242\376\024\114\072\214\373\002"
+"\003\001\000\001\243\043\060\041\060\014\006\003\125\035\023\004"
+"\005\060\003\001\001\377\060\021\006\011\140\206\110\001\206\370"
+"\102\001\001\004\004\003\002\000\007\060\015\006\011\052\206\110"
+"\206\367\015\001\001\005\005\000\003\202\001\001\000\255\030\200"
+"\317\060\274\073\350\362\002\025\127\075\350\114\143\346\356\062"
+"\243\177\345\001\360\047\271\052\331\301\250\236\043\036\107\231"
+"\327\056\104\113\024\313\320\275\046\144\003\362\006\217\237\327"
+"\110\250\161\153\026\064\305\076\265\171\230\263\346\340\320\070"
+"\021\231\244\021\173\343\071\245\015\077\235\325\322\305\172\057"
+"\352\104\024\315\020\116\240\064\263\153\211\137\360\256\237\315"
+"\123\325\176\172\120\045\000\041\244\155\351\310\161\000\373\255"
+"\064\027\110\042\356\247\050\154\206\162\333\371\233\206\104\170"
+"\136\005\351\150\064\060\241\025\145\301\251\332\236\135\236\043"
+"\106\116\052\346\116\263\114\237\314\106\010\230\034\074\103\237"
+"\264\316\240\140\357\044\316\116\037\350\302\251\162\273\057\332"
+"\102\006\041\360\232\345\170\107\054\010\164\120\150\140\375\205"
+"\302\373\257\112\222\361\204\235\000\152\310\126\041\216\157\301"
+"\061\313\121\354\166\165\172\337\001\016\162\150\241\362\046\216"
+"\331\270\306\243\144\122\372\155\373\112\075\132\135\270\124\224"
+"\355\125\150\145\235\077\122\114\106\222\026\013\276"
+, (PRUint32)829 }
+};
+static const NSSItem nss_builtins_items_177 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"E-Certify RA", (PRUint32)13 },
+  { (void *)"\217\051\011\013\006\302\070\314\160\305\251\355\227\147\210\315"
+"\066\332\335\131"
+, (PRUint32)20 },
+  { (void *)"\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061"
+"\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164"
+"\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104"
+"\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003"
+"\023\014\105\055\103\145\162\164\151\146\171\040\103\101"
+, (PRUint32)78 },
+  { (void *)"\001\117\353\020"
+, (PRUint32)4 },
+  { (void *)"\245\273\012\243\320\307\124\025\130\336\153\122\020\121\272\050"
+, (PRUint32)16 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_178 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Entrust.net Global Secure Server CA", (PRUint32)36 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\272\061\024\060\022\006\003\125\004\012\023\013\105\156"
+"\164\162\165\163\164\056\156\145\164\061\077\060\075\006\003\125"
+"\004\013\024\066\167\167\167\056\145\156\164\162\165\163\164\056"
+"\156\145\164\057\123\123\114\137\103\120\123\040\151\156\143\157"
+"\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155"
+"\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003"
+"\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105\156"
+"\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145"
+"\144\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162"
+"\165\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123"
+"\145\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164"
+"\151\157\156\040\101\165\164\150\157\162\151\164\171"
+, (PRUint32)189 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\272\061\024\060\022\006\003\125\004\012\023\013\105\156"
+"\164\162\165\163\164\056\156\145\164\061\077\060\075\006\003\125"
+"\004\013\024\066\167\167\167\056\145\156\164\162\165\163\164\056"
+"\156\145\164\057\123\123\114\137\103\120\123\040\151\156\143\157"
+"\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155"
+"\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003"
+"\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105\156"
+"\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145"
+"\144\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162"
+"\165\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123"
+"\145\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164"
+"\151\157\156\040\101\165\164\150\157\162\151\164\171"
+, (PRUint32)189 },
+  { (void *)"\070\233\021\074"
+, (PRUint32)4 },
+  { (void *)"\060\202\004\225\060\202\003\376\240\003\002\001\002\002\004\070"
+"\233\021\074\060\015\006\011\052\206\110\206\367\015\001\001\004"
+"\005\000\060\201\272\061\024\060\022\006\003\125\004\012\023\013"
+"\105\156\164\162\165\163\164\056\156\145\164\061\077\060\075\006"
+"\003\125\004\013\024\066\167\167\167\056\145\156\164\162\165\163"
+"\164\056\156\145\164\057\123\123\114\137\103\120\123\040\151\156"
+"\143\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154"
+"\151\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043"
+"\006\003\125\004\013\023\034\050\143\051\040\062\060\060\060\040"
+"\105\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151"
+"\164\145\144\061\072\060\070\006\003\125\004\003\023\061\105\156"
+"\164\162\165\163\164\056\156\145\164\040\123\145\143\165\162\145"
+"\040\123\145\162\166\145\162\040\103\145\162\164\151\146\151\143"
+"\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060"
+"\036\027\015\060\060\060\062\060\064\061\067\062\060\060\060\132"
+"\027\015\062\060\060\062\060\064\061\067\065\060\060\060\132\060"
+"\201\272\061\024\060\022\006\003\125\004\012\023\013\105\156\164"
+"\162\165\163\164\056\156\145\164\061\077\060\075\006\003\125\004"
+"\013\024\066\167\167\167\056\145\156\164\162\165\163\164\056\156"
+"\145\164\057\123\123\114\137\103\120\123\040\151\156\143\157\162"
+"\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155\151"
+"\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003\125"
+"\004\013\023\034\050\143\051\040\062\060\060\060\040\105\156\164"
+"\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145\144"
+"\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162\165"
+"\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123\145"
+"\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164\151"
+"\157\156\040\101\165\164\150\157\162\151\164\171\060\201\237\060"
+"\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201"
+"\215\000\060\201\211\002\201\201\000\307\301\137\116\161\361\316"
+"\360\140\206\017\322\130\177\323\063\227\055\027\242\165\060\265"
+"\226\144\046\057\150\303\104\253\250\165\346\000\147\064\127\236"
+"\145\307\042\233\163\346\323\335\010\016\067\125\252\045\106\201"
+"\154\275\376\250\366\165\127\127\214\220\154\112\303\076\213\113"
+"\103\012\311\021\126\232\232\047\042\231\317\125\236\141\331\002"
+"\342\174\266\174\070\007\334\343\177\117\232\271\003\101\200\266"
+"\165\147\023\013\237\350\127\066\310\135\000\066\336\146\024\332"
+"\156\166\037\117\067\214\202\023\211\002\003\001\000\001\243\202"
+"\001\244\060\202\001\240\060\021\006\011\140\206\110\001\206\370"
+"\102\001\001\004\004\003\002\000\007\060\201\343\006\003\125\035"
+"\037\004\201\333\060\201\330\060\201\325\240\201\322\240\201\317"
+"\244\201\314\060\201\311\061\024\060\022\006\003\125\004\012\023"
+"\013\105\156\164\162\165\163\164\056\156\145\164\061\077\060\075"
+"\006\003\125\004\013\024\066\167\167\167\056\145\156\164\162\165"
+"\163\164\056\156\145\164\057\123\123\114\137\103\120\123\040\151"
+"\156\143\157\162\160\056\040\142\171\040\162\145\146\056\040\050"
+"\154\151\155\151\164\163\040\154\151\141\142\056\051\061\045\060"
+"\043\006\003\125\004\013\023\034\050\143\051\040\062\060\060\060"
+"\040\105\156\164\162\165\163\164\056\156\145\164\040\114\151\155"
+"\151\164\145\144\061\072\060\070\006\003\125\004\003\023\061\105"
+"\156\164\162\165\163\164\056\156\145\164\040\123\145\143\165\162"
+"\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146\151"
+"\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171"
+"\061\015\060\013\006\003\125\004\003\023\004\103\122\114\061\060"
+"\053\006\003\125\035\020\004\044\060\042\200\017\062\060\060\060"
+"\060\062\060\064\061\067\062\060\060\060\132\201\017\062\060\062"
+"\060\060\062\060\064\061\067\065\060\060\060\132\060\013\006\003"
+"\125\035\017\004\004\003\002\001\006\060\037\006\003\125\035\043"
+"\004\030\060\026\200\024\313\154\300\153\343\273\076\313\374\042"
+"\234\376\373\213\222\234\260\362\156\042\060\035\006\003\125\035"
+"\016\004\026\004\024\313\154\300\153\343\273\076\313\374\042\234"
+"\376\373\213\222\234\260\362\156\042\060\014\006\003\125\035\023"
+"\004\005\060\003\001\001\377\060\035\006\011\052\206\110\206\366"
+"\175\007\101\000\004\020\060\016\033\010\126\065\056\060\072\064"
+"\056\060\003\002\004\220\060\015\006\011\052\206\110\206\367\015"
+"\001\001\004\005\000\003\201\201\000\142\333\201\221\316\310\232"
+"\167\102\057\354\275\047\243\123\017\120\033\352\116\222\360\251"
+"\257\251\240\272\110\141\313\357\311\006\357\037\325\364\356\337"
+"\126\055\346\312\152\031\163\252\123\276\222\263\120\002\266\205"
+"\046\162\143\330\165\120\142\165\024\267\263\120\032\077\312\021"
+"\000\013\205\105\151\155\266\245\256\121\341\112\334\202\077\154"
+"\214\064\262\167\153\331\002\366\177\016\352\145\004\361\315\124"
+"\312\272\311\314\340\204\367\310\076\021\227\323\140\011\030\274"
+"\005\377\154\211\063\360\354\025\017"
+, (PRUint32)1177 }
+};
+static const NSSItem nss_builtins_items_179 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Entrust.net Global Secure Server CA", (PRUint32)36 },
+  { (void *)"\211\071\127\156\027\215\367\005\170\017\314\136\310\117\204\366"
+"\045\072\110\223"
+, (PRUint32)20 },
+  { (void *)"\235\146\152\314\377\325\365\103\264\277\214\026\321\053\250\231"
+, (PRUint32)16 },
+  { (void *)"\060\201\272\061\024\060\022\006\003\125\004\012\023\013\105\156"
+"\164\162\165\163\164\056\156\145\164\061\077\060\075\006\003\125"
+"\004\013\024\066\167\167\167\056\145\156\164\162\165\163\164\056"
+"\156\145\164\057\123\123\114\137\103\120\123\040\151\156\143\157"
+"\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155"
+"\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003"
+"\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105\156"
+"\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145"
+"\144\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162"
+"\165\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123"
+"\145\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164"
+"\151\157\156\040\101\165\164\150\157\162\151\164\171"
+, (PRUint32)189 },
+  { (void *)"\070\233\021\074"
+, (PRUint32)4 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+static const NSSItem nss_builtins_items_180 [] = {
+  { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Entrust.net Global Secure Personal CA", (PRUint32)38 },
+  { (void *)&ckc_x_509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) },
+  { (void *)"\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156"
+"\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125"
+"\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056"
+"\156\145\164\057\107\103\103\101\137\103\120\123\040\151\156\143"
+"\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151"
+"\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006"
+"\003\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105"
+"\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164"
+"\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164"
+"\162\165\163\164\056\156\145\164\040\103\154\151\145\156\164\040"
+"\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165"
+"\164\150\157\162\151\164\171"
+, (PRUint32)183 },
+  { (void *)"0", (PRUint32)2 },
+  { (void *)"\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156"
+"\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125"
+"\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056"
+"\156\145\164\057\107\103\103\101\137\103\120\123\040\151\156\143"
+"\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151"
+"\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006"
+"\003\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105"
+"\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164"
+"\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164"
+"\162\165\163\164\056\156\145\164\040\103\154\151\145\156\164\040"
+"\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165"
+"\164\150\157\162\151\164\171"
+, (PRUint32)183 },
+  { (void *)"\070\236\366\344"
+, (PRUint32)4 },
+  { (void *)"\060\202\004\203\060\202\003\354\240\003\002\001\002\002\004\070"
+"\236\366\344\060\015\006\011\052\206\110\206\367\015\001\001\004"
+"\005\000\060\201\264\061\024\060\022\006\003\125\004\012\023\013"
+"\105\156\164\162\165\163\164\056\156\145\164\061\100\060\076\006"
+"\003\125\004\013\024\067\167\167\167\056\145\156\164\162\165\163"
+"\164\056\156\145\164\057\107\103\103\101\137\103\120\123\040\151"
+"\156\143\157\162\160\056\040\142\171\040\162\145\146\056\040\050"
+"\154\151\155\151\164\163\040\154\151\141\142\056\051\061\045\060"
+"\043\006\003\125\004\013\023\034\050\143\051\040\062\060\060\060"
+"\040\105\156\164\162\165\163\164\056\156\145\164\040\114\151\155"
+"\151\164\145\144\061\063\060\061\006\003\125\004\003\023\052\105"
+"\156\164\162\165\163\164\056\156\145\164\040\103\154\151\145\156"
+"\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040"
+"\101\165\164\150\157\162\151\164\171\060\036\027\015\060\060\060"
+"\062\060\067\061\066\061\066\064\060\132\027\015\062\060\060\062"
+"\060\067\061\066\064\066\064\060\132\060\201\264\061\024\060\022"
+"\006\003\125\004\012\023\013\105\156\164\162\165\163\164\056\156"
+"\145\164\061\100\060\076\006\003\125\004\013\024\067\167\167\167"
+"\056\145\156\164\162\165\163\164\056\156\145\164\057\107\103\103"
+"\101\137\103\120\123\040\151\156\143\157\162\160\056\040\142\171"
+"\040\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151"
+"\141\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050"
+"\143\051\040\062\060\060\060\040\105\156\164\162\165\163\164\056"
+"\156\145\164\040\114\151\155\151\164\145\144\061\063\060\061\006"
+"\003\125\004\003\023\052\105\156\164\162\165\163\164\056\156\145"
+"\164\040\103\154\151\145\156\164\040\103\145\162\164\151\146\151"
+"\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171"
+"\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001\001"
+"\005\000\003\201\215\000\060\201\211\002\201\201\000\223\164\264"
+"\266\344\305\113\326\241\150\177\142\325\354\367\121\127\263\162"
+"\112\230\365\320\211\311\255\143\315\115\065\121\152\204\324\255"
+"\311\150\171\157\270\353\021\333\207\256\134\044\121\023\361\124"
+"\045\204\257\051\053\237\343\200\342\331\313\335\306\105\111\064"
+"\210\220\136\001\227\357\352\123\246\335\374\301\336\113\052\045"
+"\344\351\065\372\125\005\006\345\211\172\352\244\021\127\073\374"
+"\174\075\066\315\147\065\155\244\251\045\131\275\146\365\371\047"
+"\344\225\147\326\077\222\200\136\362\064\175\053\205\002\003\001"
+"\000\001\243\202\001\236\060\202\001\232\060\021\006\011\140\206"
+"\110\001\206\370\102\001\001\004\004\003\002\000\007\060\201\335"
+"\006\003\125\035\037\004\201\325\060\201\322\060\201\317\240\201"
+"\314\240\201\311\244\201\306\060\201\303\061\024\060\022\006\003"
+"\125\004\012\023\013\105\156\164\162\165\163\164\056\156\145\164"
+"\061\100\060\076\006\003\125\004\013\024\067\167\167\167\056\145"
+"\156\164\162\165\163\164\056\156\145\164\057\107\103\103\101\137"
+"\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040\162"
+"\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141\142"
+"\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143\051"
+"\040\062\060\060\060\040\105\156\164\162\165\163\164\056\156\145"
+"\164\040\114\151\155\151\164\145\144\061\063\060\061\006\003\125"
+"\004\003\023\052\105\156\164\162\165\163\164\056\156\145\164\040"
+"\103\154\151\145\156\164\040\103\145\162\164\151\146\151\143\141"
+"\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061\015"
+"\060\013\006\003\125\004\003\023\004\103\122\114\061\060\053\006"
+"\003\125\035\020\004\044\060\042\200\017\062\060\060\060\060\062"
+"\060\067\061\066\061\066\064\060\132\201\017\062\060\062\060\060"
+"\062\060\067\061\066\064\066\064\060\132\060\013\006\003\125\035"
+"\017\004\004\003\002\001\006\060\037\006\003\125\035\043\004\030"
+"\060\026\200\024\204\213\164\375\305\215\300\377\047\155\040\067"
+"\105\174\376\055\316\272\323\175\060\035\006\003\125\035\016\004"
+"\026\004\024\204\213\164\375\305\215\300\377\047\155\040\067\105"
+"\174\376\055\316\272\323\175\060\014\006\003\125\035\023\004\005"
+"\060\003\001\001\377\060\035\006\011\052\206\110\206\366\175\007"
+"\101\000\004\020\060\016\033\010\126\065\056\060\072\064\056\060"
+"\003\002\004\220\060\015\006\011\052\206\110\206\367\015\001\001"
+"\004\005\000\003\201\201\000\116\157\065\200\073\321\212\365\016"
+"\247\040\313\055\145\125\320\222\364\347\204\265\006\046\203\022"
+"\204\013\254\073\262\104\356\275\317\100\333\040\016\272\156\024"
+"\352\060\340\073\142\174\177\213\153\174\112\247\325\065\074\276"
+"\250\134\352\113\273\223\216\200\146\253\017\051\375\115\055\277"
+"\032\233\012\220\305\253\332\321\263\206\324\057\044\122\134\172"
+"\155\306\362\376\345\115\032\060\214\220\362\272\327\112\076\103"
+"\176\324\310\120\032\207\370\117\201\307\166\013\204\072\162\235"
+"\316\145\146\227\256\046\136"
+, (PRUint32)1159 }
+};
+static const NSSItem nss_builtins_items_181 [] = {
+  { (void *)&cko_netscape_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Entrust.net Global Secure Personal CA", (PRUint32)38 },
+  { (void *)"\317\164\277\377\233\206\201\133\010\063\124\100\066\076\207\266"
+"\266\360\277\163"
+, (PRUint32)20 },
+  { (void *)"\232\167\031\030\355\226\317\337\033\267\016\365\215\271\210\056"
+, (PRUint32)16 },
+  { (void *)"\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156"
+"\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125"
+"\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056"
+"\156\145\164\057\107\103\103\101\137\103\120\123\040\151\156\143"
+"\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151"
+"\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006"
+"\003\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105"
+"\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164"
+"\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164"
+"\162\165\163\164\056\156\145\164\040\103\154\151\145\156\164\040"
+"\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165"
+"\164\150\157\162\151\164\171"
+, (PRUint32)183 },
+  { (void *)"\070\236\366\344"
+, (PRUint32)4 },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_netscape_trusted_delegator, (PRUint32)sizeof(CK_TRUST) }
+};
+
+PR_IMPLEMENT_DATA(builtinsInternalObject)
+nss_builtins_data[] = {
+#ifdef DEBUG
+  { 7, nss_builtins_types_0, nss_builtins_items_0, {NULL} },
+#endif /* DEBUG */
+  { 5, nss_builtins_types_1, nss_builtins_items_1, {NULL} },
+  { 11, nss_builtins_types_2, nss_builtins_items_2, {NULL} },
+  { 12, nss_builtins_types_3, nss_builtins_items_3, {NULL} },
+  { 11, nss_builtins_types_4, nss_builtins_items_4, {NULL} },
+  { 12, nss_builtins_types_5, nss_builtins_items_5, {NULL} },
+  { 11, nss_builtins_types_6, nss_builtins_items_6, {NULL} },
+  { 12, nss_builtins_types_7, nss_builtins_items_7, {NULL} },
+  { 11, nss_builtins_types_8, nss_builtins_items_8, {NULL} },
+  { 12, nss_builtins_types_9, nss_builtins_items_9, {NULL} },
+  { 11, nss_builtins_types_10, nss_builtins_items_10, {NULL} },
+  { 12, nss_builtins_types_11, nss_builtins_items_11, {NULL} },
+  { 11, nss_builtins_types_12, nss_builtins_items_12, {NULL} },
+  { 12, nss_builtins_types_13, nss_builtins_items_13, {NULL} },
+  { 11, nss_builtins_types_14, nss_builtins_items_14, {NULL} },
+  { 12, nss_builtins_types_15, nss_builtins_items_15, {NULL} },
+  { 11, nss_builtins_types_16, nss_builtins_items_16, {NULL} },
+  { 12, nss_builtins_types_17, nss_builtins_items_17, {NULL} },
+  { 11, nss_builtins_types_18, nss_builtins_items_18, {NULL} },
+  { 12, nss_builtins_types_19, nss_builtins_items_19, {NULL} },
+  { 11, nss_builtins_types_20, nss_builtins_items_20, {NULL} },
+  { 12, nss_builtins_types_21, nss_builtins_items_21, {NULL} },
+  { 11, nss_builtins_types_22, nss_builtins_items_22, {NULL} },
+  { 12, nss_builtins_types_23, nss_builtins_items_23, {NULL} },
+  { 11, nss_builtins_types_24, nss_builtins_items_24, {NULL} },
+  { 12, nss_builtins_types_25, nss_builtins_items_25, {NULL} },
+  { 11, nss_builtins_types_26, nss_builtins_items_26, {NULL} },
+  { 12, nss_builtins_types_27, nss_builtins_items_27, {NULL} },
+  { 11, nss_builtins_types_28, nss_builtins_items_28, {NULL} },
+  { 12, nss_builtins_types_29, nss_builtins_items_29, {NULL} },
+  { 11, nss_builtins_types_30, nss_builtins_items_30, {NULL} },
+  { 12, nss_builtins_types_31, nss_builtins_items_31, {NULL} },
+  { 11, nss_builtins_types_32, nss_builtins_items_32, {NULL} },
+  { 12, nss_builtins_types_33, nss_builtins_items_33, {NULL} },
+  { 11, nss_builtins_types_34, nss_builtins_items_34, {NULL} },
+  { 12, nss_builtins_types_35, nss_builtins_items_35, {NULL} },
+  { 11, nss_builtins_types_36, nss_builtins_items_36, {NULL} },
+  { 12, nss_builtins_types_37, nss_builtins_items_37, {NULL} },
+  { 11, nss_builtins_types_38, nss_builtins_items_38, {NULL} },
+  { 12, nss_builtins_types_39, nss_builtins_items_39, {NULL} },
+  { 11, nss_builtins_types_40, nss_builtins_items_40, {NULL} },
+  { 12, nss_builtins_types_41, nss_builtins_items_41, {NULL} },
+  { 11, nss_builtins_types_42, nss_builtins_items_42, {NULL} },
+  { 12, nss_builtins_types_43, nss_builtins_items_43, {NULL} },
+  { 11, nss_builtins_types_44, nss_builtins_items_44, {NULL} },
+  { 12, nss_builtins_types_45, nss_builtins_items_45, {NULL} },
+  { 11, nss_builtins_types_46, nss_builtins_items_46, {NULL} },
+  { 12, nss_builtins_types_47, nss_builtins_items_47, {NULL} },
+  { 11, nss_builtins_types_48, nss_builtins_items_48, {NULL} },
+  { 12, nss_builtins_types_49, nss_builtins_items_49, {NULL} },
+  { 11, nss_builtins_types_50, nss_builtins_items_50, {NULL} },
+  { 12, nss_builtins_types_51, nss_builtins_items_51, {NULL} },
+  { 11, nss_builtins_types_52, nss_builtins_items_52, {NULL} },
+  { 12, nss_builtins_types_53, nss_builtins_items_53, {NULL} },
+  { 11, nss_builtins_types_54, nss_builtins_items_54, {NULL} },
+  { 12, nss_builtins_types_55, nss_builtins_items_55, {NULL} },
+  { 11, nss_builtins_types_56, nss_builtins_items_56, {NULL} },
+  { 12, nss_builtins_types_57, nss_builtins_items_57, {NULL} },
+  { 11, nss_builtins_types_58, nss_builtins_items_58, {NULL} },
+  { 12, nss_builtins_types_59, nss_builtins_items_59, {NULL} },
+  { 11, nss_builtins_types_60, nss_builtins_items_60, {NULL} },
+  { 12, nss_builtins_types_61, nss_builtins_items_61, {NULL} },
+  { 11, nss_builtins_types_62, nss_builtins_items_62, {NULL} },
+  { 12, nss_builtins_types_63, nss_builtins_items_63, {NULL} },
+  { 11, nss_builtins_types_64, nss_builtins_items_64, {NULL} },
+  { 12, nss_builtins_types_65, nss_builtins_items_65, {NULL} },
+  { 11, nss_builtins_types_66, nss_builtins_items_66, {NULL} },
+  { 12, nss_builtins_types_67, nss_builtins_items_67, {NULL} },
+  { 11, nss_builtins_types_68, nss_builtins_items_68, {NULL} },
+  { 12, nss_builtins_types_69, nss_builtins_items_69, {NULL} },
+  { 11, nss_builtins_types_70, nss_builtins_items_70, {NULL} },
+  { 12, nss_builtins_types_71, nss_builtins_items_71, {NULL} },
+  { 11, nss_builtins_types_72, nss_builtins_items_72, {NULL} },
+  { 12, nss_builtins_types_73, nss_builtins_items_73, {NULL} },
+  { 11, nss_builtins_types_74, nss_builtins_items_74, {NULL} },
+  { 12, nss_builtins_types_75, nss_builtins_items_75, {NULL} },
+  { 11, nss_builtins_types_76, nss_builtins_items_76, {NULL} },
+  { 12, nss_builtins_types_77, nss_builtins_items_77, {NULL} },
+  { 11, nss_builtins_types_78, nss_builtins_items_78, {NULL} },
+  { 12, nss_builtins_types_79, nss_builtins_items_79, {NULL} },
+  { 11, nss_builtins_types_80, nss_builtins_items_80, {NULL} },
+  { 12, nss_builtins_types_81, nss_builtins_items_81, {NULL} },
+  { 11, nss_builtins_types_82, nss_builtins_items_82, {NULL} },
+  { 12, nss_builtins_types_83, nss_builtins_items_83, {NULL} },
+  { 11, nss_builtins_types_84, nss_builtins_items_84, {NULL} },
+  { 12, nss_builtins_types_85, nss_builtins_items_85, {NULL} },
+  { 11, nss_builtins_types_86, nss_builtins_items_86, {NULL} },
+  { 12, nss_builtins_types_87, nss_builtins_items_87, {NULL} },
+  { 11, nss_builtins_types_88, nss_builtins_items_88, {NULL} },
+  { 12, nss_builtins_types_89, nss_builtins_items_89, {NULL} },
+  { 11, nss_builtins_types_90, nss_builtins_items_90, {NULL} },
+  { 12, nss_builtins_types_91, nss_builtins_items_91, {NULL} },
+  { 11, nss_builtins_types_92, nss_builtins_items_92, {NULL} },
+  { 12, nss_builtins_types_93, nss_builtins_items_93, {NULL} },
+  { 11, nss_builtins_types_94, nss_builtins_items_94, {NULL} },
+  { 12, nss_builtins_types_95, nss_builtins_items_95, {NULL} },
+  { 11, nss_builtins_types_96, nss_builtins_items_96, {NULL} },
+  { 12, nss_builtins_types_97, nss_builtins_items_97, {NULL} },
+  { 11, nss_builtins_types_98, nss_builtins_items_98, {NULL} },
+  { 12, nss_builtins_types_99, nss_builtins_items_99, {NULL} },
+  { 11, nss_builtins_types_100, nss_builtins_items_100, {NULL} },
+  { 12, nss_builtins_types_101, nss_builtins_items_101, {NULL} },
+  { 11, nss_builtins_types_102, nss_builtins_items_102, {NULL} },
+  { 12, nss_builtins_types_103, nss_builtins_items_103, {NULL} },
+  { 11, nss_builtins_types_104, nss_builtins_items_104, {NULL} },
+  { 12, nss_builtins_types_105, nss_builtins_items_105, {NULL} },
+  { 11, nss_builtins_types_106, nss_builtins_items_106, {NULL} },
+  { 12, nss_builtins_types_107, nss_builtins_items_107, {NULL} },
+  { 11, nss_builtins_types_108, nss_builtins_items_108, {NULL} },
+  { 12, nss_builtins_types_109, nss_builtins_items_109, {NULL} },
+  { 11, nss_builtins_types_110, nss_builtins_items_110, {NULL} },
+  { 12, nss_builtins_types_111, nss_builtins_items_111, {NULL} },
+  { 11, nss_builtins_types_112, nss_builtins_items_112, {NULL} },
+  { 12, nss_builtins_types_113, nss_builtins_items_113, {NULL} },
+  { 11, nss_builtins_types_114, nss_builtins_items_114, {NULL} },
+  { 12, nss_builtins_types_115, nss_builtins_items_115, {NULL} },
+  { 11, nss_builtins_types_116, nss_builtins_items_116, {NULL} },
+  { 12, nss_builtins_types_117, nss_builtins_items_117, {NULL} },
+  { 11, nss_builtins_types_118, nss_builtins_items_118, {NULL} },
+  { 12, nss_builtins_types_119, nss_builtins_items_119, {NULL} },
+  { 11, nss_builtins_types_120, nss_builtins_items_120, {NULL} },
+  { 12, nss_builtins_types_121, nss_builtins_items_121, {NULL} },
+  { 11, nss_builtins_types_122, nss_builtins_items_122, {NULL} },
+  { 12, nss_builtins_types_123, nss_builtins_items_123, {NULL} },
+  { 11, nss_builtins_types_124, nss_builtins_items_124, {NULL} },
+  { 12, nss_builtins_types_125, nss_builtins_items_125, {NULL} },
+  { 11, nss_builtins_types_126, nss_builtins_items_126, {NULL} },
+  { 12, nss_builtins_types_127, nss_builtins_items_127, {NULL} },
+  { 11, nss_builtins_types_128, nss_builtins_items_128, {NULL} },
+  { 12, nss_builtins_types_129, nss_builtins_items_129, {NULL} },
+  { 11, nss_builtins_types_130, nss_builtins_items_130, {NULL} },
+  { 12, nss_builtins_types_131, nss_builtins_items_131, {NULL} },
+  { 11, nss_builtins_types_132, nss_builtins_items_132, {NULL} },
+  { 12, nss_builtins_types_133, nss_builtins_items_133, {NULL} },
+  { 11, nss_builtins_types_134, nss_builtins_items_134, {NULL} },
+  { 12, nss_builtins_types_135, nss_builtins_items_135, {NULL} },
+  { 11, nss_builtins_types_136, nss_builtins_items_136, {NULL} },
+  { 12, nss_builtins_types_137, nss_builtins_items_137, {NULL} },
+  { 11, nss_builtins_types_138, nss_builtins_items_138, {NULL} },
+  { 12, nss_builtins_types_139, nss_builtins_items_139, {NULL} },
+  { 11, nss_builtins_types_140, nss_builtins_items_140, {NULL} },
+  { 12, nss_builtins_types_141, nss_builtins_items_141, {NULL} },
+  { 11, nss_builtins_types_142, nss_builtins_items_142, {NULL} },
+  { 12, nss_builtins_types_143, nss_builtins_items_143, {NULL} },
+  { 11, nss_builtins_types_144, nss_builtins_items_144, {NULL} },
+  { 12, nss_builtins_types_145, nss_builtins_items_145, {NULL} },
+  { 11, nss_builtins_types_146, nss_builtins_items_146, {NULL} },
+  { 12, nss_builtins_types_147, nss_builtins_items_147, {NULL} },
+  { 11, nss_builtins_types_148, nss_builtins_items_148, {NULL} },
+  { 12, nss_builtins_types_149, nss_builtins_items_149, {NULL} },
+  { 11, nss_builtins_types_150, nss_builtins_items_150, {NULL} },
+  { 12, nss_builtins_types_151, nss_builtins_items_151, {NULL} },
+  { 11, nss_builtins_types_152, nss_builtins_items_152, {NULL} },
+  { 12, nss_builtins_types_153, nss_builtins_items_153, {NULL} },
+  { 11, nss_builtins_types_154, nss_builtins_items_154, {NULL} },
+  { 12, nss_builtins_types_155, nss_builtins_items_155, {NULL} },
+  { 11, nss_builtins_types_156, nss_builtins_items_156, {NULL} },
+  { 12, nss_builtins_types_157, nss_builtins_items_157, {NULL} },
+  { 11, nss_builtins_types_158, nss_builtins_items_158, {NULL} },
+  { 12, nss_builtins_types_159, nss_builtins_items_159, {NULL} },
+  { 11, nss_builtins_types_160, nss_builtins_items_160, {NULL} },
+  { 12, nss_builtins_types_161, nss_builtins_items_161, {NULL} },
+  { 11, nss_builtins_types_162, nss_builtins_items_162, {NULL} },
+  { 12, nss_builtins_types_163, nss_builtins_items_163, {NULL} },
+  { 11, nss_builtins_types_164, nss_builtins_items_164, {NULL} },
+  { 12, nss_builtins_types_165, nss_builtins_items_165, {NULL} },
+  { 11, nss_builtins_types_166, nss_builtins_items_166, {NULL} },
+  { 12, nss_builtins_types_167, nss_builtins_items_167, {NULL} },
+  { 11, nss_builtins_types_168, nss_builtins_items_168, {NULL} },
+  { 12, nss_builtins_types_169, nss_builtins_items_169, {NULL} },
+  { 11, nss_builtins_types_170, nss_builtins_items_170, {NULL} },
+  { 12, nss_builtins_types_171, nss_builtins_items_171, {NULL} },
+  { 11, nss_builtins_types_172, nss_builtins_items_172, {NULL} },
+  { 12, nss_builtins_types_173, nss_builtins_items_173, {NULL} },
+  { 11, nss_builtins_types_174, nss_builtins_items_174, {NULL} },
+  { 12, nss_builtins_types_175, nss_builtins_items_175, {NULL} },
+  { 11, nss_builtins_types_176, nss_builtins_items_176, {NULL} },
+  { 12, nss_builtins_types_177, nss_builtins_items_177, {NULL} },
+  { 11, nss_builtins_types_178, nss_builtins_items_178, {NULL} },
+  { 12, nss_builtins_types_179, nss_builtins_items_179, {NULL} },
+  { 11, nss_builtins_types_180, nss_builtins_items_180, {NULL} },
+  { 12, nss_builtins_types_181, nss_builtins_items_181, {NULL} }
+};
+PR_IMPLEMENT_DATA(const PRUint32)
+#ifdef DEBUG
+  nss_builtins_nObjects = 181+1;
+#else
+  nss_builtins_nObjects = 181;
+#endif /* DEBUG */
diff --git a/security/nss/lib/ckfw/builtins/certdata.perl b/security/nss/lib/ckfw/builtins/certdata.perl
new file mode 100644
index 000000000..81ab8273b
--- /dev/null
+++ b/security/nss/lib/ckfw/builtins/certdata.perl
@@ -0,0 +1,292 @@
+#!perl -w
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+my $cvs_id = '@(#) $RCSfile$ $Revision$ $Date$ $Name$';
+use strict;
+
+my %constants;
+my $count = 0;
+my $o;
+my @objects = ();
+my @objsize;
+my $cvsid;
+
+$constants{CKO_DATA} = "static const CK_OBJECT_CLASS cko_data = CKO_DATA;\n";
+$constants{CK_TRUE} = "static const CK_BBOOL ck_true = CK_TRUE;\n";
+$constants{CK_FALSE} = "static const CK_BBOOL ck_false = CK_FALSE;\n";
+
+while(<>) {
+  my @fields = ();
+  my $size;
+
+  s/^((?:[^"#]+|"[^"]*")*)(\s*#.*$)/$1/;
+  next if (/^\s*$/);
+
+  if( /(^CVS_ID\s+)(.*)/ ) {
+#    print "The CVS ID is $2\n";
+    $cvsid = $2 . "\"; $cvs_id\"";
+    my $scratch = $cvsid;
+    $size = 1 + $scratch =~ s/[^"\n]//g;
+    @{$objects[0][0]} = ( "CKA_CLASS", "&cko_data", "sizeof(CK_OBJECT_CLASS)" );
+    @{$objects[0][1]} = ( "CKA_TOKEN", "&ck_true", "sizeof(CK_BBOOL)" );
+    @{$objects[0][2]} = ( "CKA_PRIVATE", "&ck_false", "sizeof(CK_BBOOL)" );
+    @{$objects[0][3]} = ( "CKA_MODIFIABLE", "&ck_false", "sizeof(CK_BBOOL)" );
+    @{$objects[0][4]} = ( "CKA_LABEL", "\"CVS ID\"", "7" );
+    @{$objects[0][5]} = ( "CKA_APPLICATION", "\"NSS\"", "4" );
+    @{$objects[0][6]} = ( "CKA_VALUE", $cvsid, "$size" );
+    $objsize[0] = 7;
+    next;
+  }
+
+  # This was taken from the perl faq #4.
+  my $text = $_;
+  push(@fields, $+) while $text =~ m{
+      "([^\"\\]*(?:\\.[^\"\\]*)*)"\s?  # groups the phrase inside the quotes
+    | ([^\s]+)\s?
+    | \s
+  }gx;
+  push(@fields, undef) if substr($text,-1,1) eq '\s';
+
+  if( $fields[0] =~ /BEGINDATA/ ) {
+    next;
+  }
+
+  if( $fields[1] =~ /MULTILINE/ ) {
+    $fields[2] = "";
+    while(<>) {
+      last if /END/;
+      chomp;
+      $fields[2] .= "\"$_\"\n";
+    }
+  }
+
+  if( $fields[1] =~ /UTF8/ ) {
+    if( $fields[2] =~ /^"/ ) {
+      ;
+    } else {
+      $fields[2] = "\"" . $fields[2] . "\"";
+    }
+
+    my $scratch = $fields[2];
+    $size = $scratch =~ s/[^"\n]//g; # should supposedly handle multilines, too..
+    $size += 1; # null terminate
+  }
+
+  if( $fields[1] =~ /OCTAL/ ) {
+    if( $fields[2] =~ /^"/ ) {
+      ;
+    } else {
+      $fields[2] = "\"" . $fields[2] . "\"";
+    }
+
+    my $scratch = $fields[2];
+    $size = $scratch =~ tr/\\//;
+    # no null termination
+  }
+
+  if( $fields[1] =~ /^CK_/ ) {
+    my $lcv = $fields[2];
+    $lcv =~ tr/A-Z/a-z/;
+    if( !defined($constants{$fields[2]}) ) {
+      $constants{$fields[2]} = "static const $fields[1] $lcv = $fields[2];\n";
+    }
+    
+    $size = "sizeof($fields[1])";
+    $fields[2] = "&$lcv";
+  }
+
+  if( $fields[0] =~ /CKA_CLASS/ ) {
+    $count++;
+    $objsize[$count] = 0;
+  }
+
+  @{$objects[$count][$objsize[$count]++]} = ( "$fields[0]", $fields[2], "$size" );
+
+ # print "$fields[0] | $fields[1] | $size | $fields[2]\n";
+}
+
+doprint();
+
+sub dudump {
+my $i;
+for( $i = 0; $i <= $count; $i++ ) {
+  print "\n";
+  $o = $objects[$i];
+  my @ob = @{$o};
+  my $l;
+  my $j;
+  for( $j = 0; $j < @ob; $j++ ) {
+    $l = $ob[$j];
+    my @a = @{$l};
+    print "$a[0] ! $a[1] ! $a[2]\n";
+  }
+}
+
+}
+
+sub doprint {
+my $i;
+
+open(CFILE, ">certdata.c") || die "Can't open certdata.c: $!";
+
+print CFILE <<EOD
+/* THIS IS A GENERATED FILE */
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#ifdef DEBUG
+static const char CVS_ID[] = $cvsid;
+#endif /* DEBUG */
+
+#ifndef BUILTINS_H
+#include "builtins.h"
+#endif /* BUILTINS_H */
+
+EOD
+    ;
+
+while(($a,$b) = each(%constants)) {
+  print CFILE $b;
+}
+
+for( $i = 0; $i <= $count; $i++ ) {
+  if( 0 == $i ) {
+    print CFILE "#ifdef DEBUG\n";
+  }
+
+  print CFILE "static const CK_ATTRIBUTE_TYPE nss_builtins_types_$i [] = {\n";
+  $o = $objects[$i];
+ # print STDOUT "type $i object $o \n";
+  my @ob = @{$o};
+  my $j;
+  for( $j = 0; $j < @ob; $j++ ) {
+    my $l = $ob[$j];
+    my @a = @{$l};
+    print CFILE " $a[0]";
+    if( $j+1 != @ob ) {
+      print CFILE ", ";
+    }
+  }
+  print CFILE "\n};\n";
+
+  if( 0 == $i ) {
+    print CFILE "#endif /* DEBUG */\n";
+  }
+}
+
+for( $i = 0; $i <= $count; $i++ ) {
+  if( 0 == $i ) {
+    print CFILE "#ifdef DEBUG\n";
+  }
+
+  print CFILE "static const NSSItem nss_builtins_items_$i [] = {\n";
+  $o = $objects[$i];
+  my @ob = @{$o};
+  my $j;
+  for( $j = 0; $j < @ob; $j++ ) {
+    my $l = $ob[$j];
+    my @a = @{$l};
+    print CFILE "  { (void *)$a[1], (PRUint32)$a[2] }";
+    if( $j+1 != @ob ) {
+      print CFILE ",\n";
+    } else {
+      print CFILE "\n";
+    }
+  }
+  print CFILE "};\n";
+
+  if( 0 == $i ) {
+    print CFILE "#endif /* DEBUG */\n";
+  }
+}
+
+print CFILE "\nPR_IMPLEMENT_DATA(builtinsInternalObject)\n";
+print CFILE "nss_builtins_data[] = {\n";
+
+for( $i = 0; $i <= $count; $i++ ) {
+
+  if( 0 == $i ) {
+    print CFILE "#ifdef DEBUG\n";
+  }
+
+  print CFILE "  { $objsize[$i], nss_builtins_types_$i, nss_builtins_items_$i, {NULL} }";
+
+  if( $i == $count ) {
+    print CFILE "\n";
+  } else {
+    print CFILE ",\n";
+  }
+
+  if( 0 == $i ) {
+    print CFILE "#endif /* DEBUG */\n";
+  }
+}
+
+print CFILE "};\n";
+
+print CFILE "PR_IMPLEMENT_DATA(const PRUint32)\n";
+print CFILE "#ifdef DEBUG\n";
+print CFILE "  nss_builtins_nObjects = $count+1;\n";
+print CFILE "#else\n";
+print CFILE "  nss_builtins_nObjects = $count;\n";
+print CFILE "#endif /* DEBUG */\n";
+}
diff --git a/security/nss/lib/ckfw/builtins/certdata.txt b/security/nss/lib/ckfw/builtins/certdata.txt
new file mode 100644
index 000000000..3bbea9857
--- /dev/null
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -0,0 +1,11608 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CVS_ID "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+#
+# certdata.txt
+#
+# This file contains the object definitions for the certs and other
+# information "built into" NSS.
+#
+# Object definitions:
+#
+#    Certificates
+#
+#  -- Attribute --          -- type --              -- value --
+#  CKA_CLASS                CK_OBJECT_CLASS         CKO_CERTIFICATE
+#  CKA_TOKEN                CK_BBOOL                CK_TRUE
+#  CKA_PRIVATE              CK_BBOOL                CK_FALSE
+#  CKA_MODIFIABLE           CK_BBOOL                CK_FALSE
+#  CKA_LABEL                UTF8                    (varies)
+#  CKA_CERTIFICATE_TYPE     CK_CERTIFICATE_TYPE     CKC_X_509
+#  CKA_SUBJECT              DER+base64              (varies)
+#  CKA_ID                   byte array              (varies)
+#  CKA_ISSUER               DER+base64              (varies)
+#  CKA_SERIAL_NUMBER        DER+base64              (varies)
+#  CKA_VALUE                DER+base64              (varies)
+#  CKA_NETSCAPE_EMAIL       ASCII7                  (unused here)
+#
+#    Trust
+#
+#  -- Attribute --              -- type --          -- value --
+#  CKA_CLASS                    CK_OBJECT_CLASS     CKO_TRUST
+#  CKA_TOKEN                    CK_BBOOL            CK_TRUE
+#  CKA_PRIVATE                  CK_BBOOL            CK_FALSE
+#  CKA_MODIFIABLE               CK_BBOOL            CK_FALSE
+#  CKA_LABEL                    UTF8                (varies)
+#  CKA_ISSUER                   DER+base64          (varies)
+#  CKA_SERIAL_NUMBER            DER+base64          (varies)
+#  CKA_CERT_HASH                binary+base64       (varies)
+#  CKA_EXPIRES                  CK_DATE             (not used here)
+#  CKA_TRUST_DIGITAL_SIGNATURE  CK_TRUST            (varies)
+#  CKA_TRUST_NON_REPUDIATION    CK_TRUST            (varies)
+#  CKA_TRUST_KEY_ENCIPHERMENT   CK_TRUST            (varies)
+#  CKA_TRUST_DATA_ENCIPHERMENT  CK_TRUST            (varies)
+#  CKA_TRUST_KEY_AGREEMENT      CK_TRUST            (varies)
+#  CKA_TRUST_KEY_CERT_SIGN      CK_TRUST            (varies)
+#  CKA_TRUST_CRL_SIGN           CK_TRUST            (varies)
+#  CKA_TRUST_SERVER_AUTH        CK_TRUST            (varies)
+#  CKA_TRUST_CLIENT_AUTH        CK_TRUST            (varies)
+#  CKA_TRUST_CODE_SIGNING       CK_TRUST            (varies)
+#  CKA_TRUST_EMAIL_PROTECTION   CK_TRUST            (varies)
+#  CKA_TRUST_IPSEC_END_SYSTEM   CK_TRUST            (varies)
+#  CKA_TRUST_IPSEC_TUNNEL       CK_TRUST            (varies)
+#  CKA_TRUST_IPSEC_USER         CK_TRUST            (varies)
+#  CKA_TRUST_TIME_STAMPING      CK_TRUST            (varies)
+#  (other trust attributes can be defined)
+#
+
+#
+# The object to tell NSS that this is a root list and we don't
+# have to go looking for others.
+#
+BEGINDATA
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_BUILTIN_ROOT_LIST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Mozilla Builtin Roots"
+
+#
+# Certificate "Verisign/RSA Secure Server CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign/RSA Secure Server CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\040\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141
+\164\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143
+\056\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165
+\162\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\040\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141
+\164\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143
+\056\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165
+\162\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\255\146\176\116\105\376\136\127\157\074\230\031\136\335\300
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\064\060\202\001\241\002\020\002\255\146\176\116\105
+\376\136\127\157\074\230\031\136\335\300\060\015\006\011\052\206
+\110\206\367\015\001\001\002\005\000\060\137\061\013\060\011\006
+\003\125\004\006\023\002\125\123\061\040\060\036\006\003\125\004
+\012\023\027\122\123\101\040\104\141\164\141\040\123\145\143\165
+\162\151\164\171\054\040\111\156\143\056\061\056\060\054\006\003
+\125\004\013\023\045\123\145\143\165\162\145\040\123\145\162\166
+\145\162\040\103\145\162\164\151\146\151\143\141\164\151\157\156
+\040\101\165\164\150\157\162\151\164\171\060\036\027\015\071\064
+\061\061\060\071\060\060\060\060\060\060\132\027\015\061\060\060
+\061\060\067\062\063\065\071\065\071\132\060\137\061\013\060\011
+\006\003\125\004\006\023\002\125\123\061\040\060\036\006\003\125
+\004\012\023\027\122\123\101\040\104\141\164\141\040\123\145\143
+\165\162\151\164\171\054\040\111\156\143\056\061\056\060\054\006
+\003\125\004\013\023\045\123\145\143\165\162\145\040\123\145\162
+\166\145\162\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\060\201\233\060\015
+\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\211
+\000\060\201\205\002\176\000\222\316\172\301\256\203\076\132\252
+\211\203\127\254\045\001\166\014\255\256\216\054\067\316\353\065
+\170\144\124\003\345\204\100\121\311\277\217\010\342\212\202\010
+\322\026\206\067\125\351\261\041\002\255\166\150\201\232\005\242
+\113\311\113\045\146\042\126\154\210\007\217\367\201\131\155\204
+\007\145\160\023\161\166\076\233\167\114\343\120\211\126\230\110
+\271\035\247\051\032\023\056\112\021\131\234\036\025\325\111\124
+\054\163\072\151\202\261\227\071\234\155\160\147\110\345\335\055
+\326\310\036\173\002\003\001\000\001\060\015\006\011\052\206\110
+\206\367\015\001\001\002\005\000\003\176\000\145\335\176\341\262
+\354\260\342\072\340\354\161\106\232\031\021\270\323\307\240\264
+\003\100\046\002\076\011\234\341\022\263\321\132\366\067\245\267
+\141\003\266\133\026\151\073\306\104\010\014\210\123\014\153\227
+\111\307\076\065\334\154\271\273\252\337\134\273\072\057\223\140
+\266\251\113\115\362\040\367\315\137\177\144\173\216\334\000\134
+\327\372\167\312\071\026\131\157\016\352\323\265\203\177\115\115
+\102\126\166\264\311\137\004\370\070\370\353\322\137\165\137\315
+\173\374\345\216\200\174\374\120
+END
+
+# Trust for Certificate "Verisign/RSA Secure Server CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign/RSA Secure Server CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\104\143\305\061\327\314\301\000\147\224\141\053\266\126\323\277
+\202\127\204\157
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\164\173\202\003\103\360\000\236\153\263\354\107\277\205\245\223
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\040\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141
+\164\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143
+\056\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165
+\162\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\255\146\176\116\105\376\136\127\157\074\230\031\136\335\300
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+
+#
+# Certificate "GTE CyberTrust Root CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTE CyberTrust Root CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\105\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
+\162\160\157\162\141\164\151\157\156\061\034\060\032\006\003\125
+\004\003\023\023\107\124\105\040\103\171\142\145\162\124\162\165
+\163\164\040\122\157\157\164
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\105\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
+\162\160\157\162\141\164\151\157\156\061\034\060\032\006\003\125
+\004\003\023\023\107\124\105\040\103\171\142\145\162\124\162\165
+\163\164\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001\243
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\001\372\060\202\001\143\002\002\001\243\060\015\006\011
+\052\206\110\206\367\015\001\001\004\005\000\060\105\061\013\060
+\011\006\003\125\004\006\023\002\125\123\061\030\060\026\006\003
+\125\004\012\023\017\107\124\105\040\103\157\162\160\157\162\141
+\164\151\157\156\061\034\060\032\006\003\125\004\003\023\023\107
+\124\105\040\103\171\142\145\162\124\162\165\163\164\040\122\157
+\157\164\060\036\027\015\071\066\060\062\062\063\062\063\060\061
+\060\060\132\027\015\060\066\060\062\062\063\062\063\065\071\060
+\060\132\060\105\061\013\060\011\006\003\125\004\006\023\002\125
+\123\061\030\060\026\006\003\125\004\012\023\017\107\124\105\040
+\103\157\162\160\157\162\141\164\151\157\156\061\034\060\032\006
+\003\125\004\003\023\023\107\124\105\040\103\171\142\145\162\124
+\162\165\163\164\040\122\157\157\164\060\201\237\060\015\006\011
+\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060
+\201\211\002\201\201\000\270\346\117\272\333\230\174\161\174\257
+\104\267\323\017\106\331\144\345\223\301\102\216\307\272\111\215
+\065\055\172\347\213\275\345\005\061\131\306\261\057\012\014\373
+\237\247\077\242\011\146\204\126\036\067\051\033\207\351\176\014
+\312\232\237\245\177\365\025\224\243\325\242\106\202\330\150\114
+\321\067\025\006\150\257\275\370\260\263\360\051\365\225\132\011
+\026\141\167\012\042\045\324\117\105\252\307\275\345\226\337\371
+\324\250\216\102\314\044\300\036\221\047\112\265\155\006\200\143
+\071\304\242\136\070\003\002\003\001\000\001\060\015\006\011\052
+\206\110\206\367\015\001\001\004\005\000\003\201\201\000\022\263
+\165\306\137\035\341\141\125\200\000\324\201\113\173\061\017\043
+\143\347\075\363\003\371\364\066\250\273\331\343\245\227\115\352
+\053\051\340\326\152\163\201\346\300\211\243\323\361\340\245\245
+\042\067\232\143\302\110\040\264\333\162\343\310\366\331\174\276
+\261\257\123\332\024\264\041\270\326\325\226\343\376\116\014\131
+\142\266\232\112\371\102\335\214\157\201\251\161\377\364\012\162
+\155\155\104\016\235\363\164\164\250\325\064\111\351\136\236\351
+\264\172\341\345\132\037\204\060\234\323\237\245\045\330
+END
+
+# Trust for Certificate "GTE CyberTrust Root CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTE CyberTrust Root CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\220\336\336\236\114\116\237\157\330\206\027\127\235\323\221\274
+\145\246\211\144
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\304\327\360\262\243\305\175\141\147\360\004\315\103\323\272\130
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\105\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
+\162\160\157\162\141\164\151\157\156\061\034\060\032\006\003\125
+\004\003\023\023\107\124\105\040\103\171\142\145\162\124\162\165
+\163\164\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001\243
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "GTE CyberTrust Global Root"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTE CyberTrust Global Root"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
+\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
+\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
+\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
+\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
+\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
+\141\154\040\122\157\157\164
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
+\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
+\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
+\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
+\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
+\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
+\141\154\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001\245
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\132\060\202\001\303\002\002\001\245\060\015\006\011
+\052\206\110\206\367\015\001\001\004\005\000\060\165\061\013\060
+\011\006\003\125\004\006\023\002\125\123\061\030\060\026\006\003
+\125\004\012\023\017\107\124\105\040\103\157\162\160\157\162\141
+\164\151\157\156\061\047\060\045\006\003\125\004\013\023\036\107
+\124\105\040\103\171\142\145\162\124\162\165\163\164\040\123\157
+\154\165\164\151\157\156\163\054\040\111\156\143\056\061\043\060
+\041\006\003\125\004\003\023\032\107\124\105\040\103\171\142\145
+\162\124\162\165\163\164\040\107\154\157\142\141\154\040\122\157
+\157\164\060\036\027\015\071\070\060\070\061\063\060\060\062\071
+\060\060\132\027\015\061\070\060\070\061\063\062\063\065\071\060
+\060\132\060\165\061\013\060\011\006\003\125\004\006\023\002\125
+\123\061\030\060\026\006\003\125\004\012\023\017\107\124\105\040
+\103\157\162\160\157\162\141\164\151\157\156\061\047\060\045\006
+\003\125\004\013\023\036\107\124\105\040\103\171\142\145\162\124
+\162\165\163\164\040\123\157\154\165\164\151\157\156\163\054\040
+\111\156\143\056\061\043\060\041\006\003\125\004\003\023\032\107
+\124\105\040\103\171\142\145\162\124\162\165\163\164\040\107\154
+\157\142\141\154\040\122\157\157\164\060\201\237\060\015\006\011
+\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060
+\201\211\002\201\201\000\225\017\240\266\360\120\234\350\172\307
+\210\315\335\027\016\056\260\224\320\033\075\016\366\224\300\212
+\224\307\006\310\220\227\310\270\144\032\172\176\154\074\123\341
+\067\050\163\140\177\262\227\123\007\237\123\371\155\130\224\322
+\257\215\155\210\147\200\346\355\262\225\317\162\061\312\245\034
+\162\272\134\002\347\144\102\347\371\251\054\326\072\015\254\215
+\102\252\044\001\071\346\234\077\001\205\127\015\130\207\105\370
+\323\205\252\223\151\046\205\160\110\200\077\022\025\307\171\264
+\037\005\057\073\142\231\002\003\001\000\001\060\015\006\011\052
+\206\110\206\367\015\001\001\004\005\000\003\201\201\000\155\353
+\033\011\351\136\331\121\333\147\042\141\244\052\074\110\167\343
+\240\174\246\336\163\242\024\003\205\075\373\253\016\060\305\203
+\026\063\201\023\010\236\173\064\116\337\100\310\164\327\271\175
+\334\364\166\125\175\233\143\124\030\351\360\352\363\134\261\331
+\213\102\036\271\300\225\116\272\372\325\342\174\365\150\141\277
+\216\354\005\227\137\133\260\327\243\205\064\304\044\247\015\017
+\225\223\357\313\224\330\236\037\235\134\205\155\307\252\256\117
+\037\042\265\315\225\255\272\247\314\371\253\013\172\177
+END
+
+# Trust for Certificate "GTE CyberTrust Global Root"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTE CyberTrust Global Root"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\227\201\171\120\330\034\226\160\314\064\330\011\317\171\104\061
+\066\176\364\164
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\312\075\323\150\361\003\134\320\062\372\270\053\131\350\132\333
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
+\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
+\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
+\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
+\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
+\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
+\141\154\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001\245
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "GTE CyberTrust Root 5"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTE CyberTrust Root 5"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\160\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
+\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
+\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
+\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
+\143\056\061\036\060\034\006\003\125\004\003\023\025\107\124\105
+\040\103\171\142\145\162\124\162\165\163\164\040\122\157\157\164
+\040\065
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\160\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
+\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
+\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
+\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
+\143\056\061\036\060\034\006\003\125\004\003\023\025\107\124\105
+\040\103\171\142\145\162\124\162\165\163\164\040\122\157\157\164
+\040\065
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001\266
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\266\060\202\002\236\240\003\002\001\002\002\002\001
+\266\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000
+\060\160\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
+\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
+\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
+\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
+\143\056\061\036\060\034\006\003\125\004\003\023\025\107\124\105
+\040\103\171\142\145\162\124\162\165\163\164\040\122\157\157\164
+\040\065\060\036\027\015\071\070\060\070\061\064\061\064\065\060
+\060\060\132\027\015\061\063\060\070\061\064\062\063\065\071\060
+\060\132\060\160\061\013\060\011\006\003\125\004\006\023\002\125
+\123\061\030\060\026\006\003\125\004\012\023\017\107\124\105\040
+\103\157\162\160\157\162\141\164\151\157\156\061\047\060\045\006
+\003\125\004\013\023\036\107\124\105\040\103\171\142\145\162\124
+\162\165\163\164\040\123\157\154\165\164\151\157\156\163\054\040
+\111\156\143\056\061\036\060\034\006\003\125\004\003\023\025\107
+\124\105\040\103\171\142\145\162\124\162\165\163\164\040\122\157
+\157\164\040\065\060\202\001\042\060\015\006\011\052\206\110\206
+\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012
+\002\202\001\001\000\274\022\156\077\212\174\172\227\001\354\036
+\273\071\132\002\364\170\104\242\110\033\216\173\111\122\172\270
+\173\107\263\257\224\233\157\273\226\372\053\152\145\134\270\034
+\224\163\276\277\211\012\042\200\356\127\374\214\005\273\160\237
+\227\071\004\332\243\207\134\250\345\312\257\300\063\232\325\067
+\134\113\254\344\200\320\246\043\140\373\375\162\056\224\235\307
+\316\302\004\062\357\170\140\135\355\255\207\017\105\145\036\074
+\232\012\232\276\135\035\231\354\347\362\321\306\172\027\331\255
+\233\124\226\177\304\174\140\277\205\252\025\065\035\100\332\021
+\274\354\124\041\050\055\043\241\250\360\317\055\315\335\374\176
+\017\136\341\145\007\126\313\007\264\322\126\350\136\061\314\030
+\143\304\206\322\055\205\317\223\222\253\155\376\150\071\373\336
+\163\275\206\370\344\106\172\352\237\014\313\364\031\376\143\274
+\321\054\173\210\063\066\366\344\341\234\014\123\201\140\034\332
+\056\253\226\251\026\210\023\120\231\262\275\125\337\025\060\176
+\350\345\230\373\160\176\154\265\007\374\374\106\267\320\355\067
+\226\176\062\376\041\002\003\001\000\001\243\132\060\130\060\022
+\006\003\125\035\023\001\001\377\004\010\060\006\001\001\377\002
+\001\005\060\016\006\003\125\035\017\001\001\377\004\004\003\002
+\001\006\060\027\006\003\125\035\040\004\020\060\016\060\014\006
+\012\052\206\110\206\370\143\001\002\001\003\060\031\006\003\125
+\035\016\004\022\004\020\166\012\111\041\070\114\237\336\370\304
+\111\307\161\161\221\235\060\015\006\011\052\206\110\206\367\015
+\001\001\005\005\000\003\202\001\001\000\101\072\324\030\133\332
+\270\336\041\034\341\216\011\345\361\150\064\377\336\226\364\007
+\365\247\074\363\254\112\261\233\372\222\372\233\355\346\062\041
+\252\112\166\305\334\117\070\345\337\325\206\344\325\310\166\175
+\230\327\261\315\217\115\265\221\043\154\213\212\353\352\174\357
+\024\224\304\306\360\037\112\055\062\161\143\053\143\221\046\002
+\011\266\200\035\355\342\314\270\177\333\207\143\310\341\320\154
+\046\261\065\035\100\146\020\033\315\225\124\030\063\141\354\023
+\117\332\023\367\231\257\076\320\317\216\246\162\242\263\303\005
+\232\311\047\175\222\314\176\122\215\263\253\160\155\236\211\237
+\115\353\032\165\302\230\252\325\002\026\327\014\212\277\045\344
+\353\055\274\230\351\130\070\031\174\271\067\376\333\342\231\010
+\163\006\307\227\203\152\175\020\001\057\062\271\027\005\112\145
+\346\057\316\276\136\123\246\202\351\232\123\012\204\164\055\203
+\312\310\224\026\166\137\224\141\050\360\205\247\071\273\327\213
+\331\250\262\023\035\124\011\064\044\175\040\201\175\146\176\242
+\220\164\134\020\306\275\354\253\033\302
+END
+
+# Trust for Certificate "GTE CyberTrust Root 5"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTE CyberTrust Root 5"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\107\305\114\274\332\135\166\316\142\210\070\021\254\021\146\135
+\125\364\054\000
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\175\154\206\344\374\115\321\013\000\272\042\273\116\174\152\216
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\160\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
+\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
+\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
+\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
+\143\056\061\036\060\034\006\003\125\004\003\023\025\107\124\105
+\040\103\171\142\145\162\124\162\165\163\164\040\122\157\157\164
+\040\065
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001\266
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "GTE CyberTrust Japan Root CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTE CyberTrust Japan Root CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\121\061\013\060\011\006\003\125\004\006\023\002\112\120\061
+\037\060\035\006\003\125\004\012\023\026\103\171\142\145\162\124
+\162\165\163\164\040\112\141\160\141\156\054\040\111\156\143\056
+\061\041\060\037\006\003\125\004\003\023\030\103\171\142\145\162
+\124\162\165\163\164\040\112\101\120\101\116\040\122\157\157\164
+\040\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\121\061\013\060\011\006\003\125\004\006\023\002\112\120\061
+\037\060\035\006\003\125\004\012\023\026\103\171\142\145\162\124
+\162\165\163\164\040\112\141\160\141\156\054\040\111\156\143\056
+\061\041\060\037\006\003\125\004\003\023\030\103\171\142\145\162
+\124\162\165\163\164\040\112\101\120\101\116\040\122\157\157\164
+\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\116
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\021\060\202\001\172\002\001\116\060\015\006\011\052
+\206\110\206\367\015\001\001\004\005\000\060\121\061\013\060\011
+\006\003\125\004\006\023\002\112\120\061\037\060\035\006\003\125
+\004\012\023\026\103\171\142\145\162\124\162\165\163\164\040\112
+\141\160\141\156\054\040\111\156\143\056\061\041\060\037\006\003
+\125\004\003\023\030\103\171\142\145\162\124\162\165\163\164\040
+\112\101\120\101\116\040\122\157\157\164\040\103\101\060\036\027
+\015\071\070\060\070\060\064\060\067\065\067\060\060\132\027\015
+\060\063\060\070\060\064\062\063\065\071\060\060\132\060\121\061
+\013\060\011\006\003\125\004\006\023\002\112\120\061\037\060\035
+\006\003\125\004\012\023\026\103\171\142\145\162\124\162\165\163
+\164\040\112\141\160\141\156\054\040\111\156\143\056\061\041\060
+\037\006\003\125\004\003\023\030\103\171\142\145\162\124\162\165
+\163\164\040\112\101\120\101\116\040\122\157\157\164\040\103\101
+\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001\001
+\005\000\003\201\215\000\060\201\211\002\201\201\000\267\255\374
+\312\107\020\166\211\375\147\254\344\163\006\174\201\113\035\326
+\265\174\016\107\257\354\246\124\165\250\304\375\145\257\347\310
+\261\261\154\064\065\215\367\271\144\127\050\013\041\132\336\164
+\376\334\170\056\206\106\022\114\177\021\037\334\223\275\137\276
+\146\230\206\270\267\354\155\111\323\220\331\341\171\000\126\150
+\272\255\154\037\054\073\037\311\054\214\103\260\004\102\352\201
+\163\246\316\063\165\105\015\212\105\162\057\252\127\125\344\007
+\303\103\342\165\072\017\274\074\320\204\316\272\357\002\003\001
+\000\001\060\015\006\011\052\206\110\206\367\015\001\001\004\005
+\000\003\201\201\000\267\246\144\243\014\200\074\034\304\330\356
+\101\073\345\206\244\236\140\135\326\001\062\250\152\144\055\040
+\160\100\272\162\116\146\372\007\145\116\003\216\013\375\126\340
+\255\073\040\247\062\372\262\022\036\200\337\036\343\172\030\314
+\127\333\346\311\064\140\357\165\353\020\026\320\244\056\160\330
+\044\043\270\245\167\163\102\371\007\072\335\001\154\010\223\007
+\065\046\020\045\140\051\377\011\345\144\237\151\271\026\111\363
+\134\335\044\143\106\223\015\260\123\066\165\274\110\040\273\031
+\266\217\320\042\375
+END
+
+# Trust for Certificate "GTE CyberTrust Japan Root CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTE CyberTrust Japan Root CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\327\237\165\115\072\165\304\327\022\276\200\056\155\367\251\056
+\135\022\021\045
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\336\253\377\103\052\145\067\006\233\050\265\172\350\204\323\216
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\121\061\013\060\011\006\003\125\004\006\023\002\112\120\061
+\037\060\035\006\003\125\004\012\023\026\103\171\142\145\162\124
+\162\165\163\164\040\112\141\160\141\156\054\040\111\156\143\056
+\061\041\060\037\006\003\125\004\003\023\030\103\171\142\145\162
+\124\162\165\163\164\040\112\101\120\101\116\040\122\157\157\164
+\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\116
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "GTE CyberTrust Japan Secure Server CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTE CyberTrust Japan Secure Server CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\112\120\061
+\037\060\035\006\003\125\004\012\023\026\103\171\142\145\162\124
+\162\165\163\164\040\112\141\160\141\156\054\040\111\156\143\056
+\061\052\060\050\006\003\125\004\003\023\041\103\171\142\145\162
+\124\162\165\163\164\040\112\101\120\101\116\040\123\145\143\165
+\162\145\040\123\145\162\166\145\162\040\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\112\120\061
+\037\060\035\006\003\125\004\012\023\026\103\171\142\145\162\124
+\162\165\163\164\040\112\141\160\141\156\054\040\111\156\143\056
+\061\052\060\050\006\003\125\004\003\023\041\103\171\142\145\162
+\124\162\165\163\164\040\112\101\120\101\116\040\123\145\143\165
+\162\145\040\123\145\162\166\145\162\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\117
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\043\060\202\001\214\002\001\117\060\015\006\011\052
+\206\110\206\367\015\001\001\004\005\000\060\132\061\013\060\011
+\006\003\125\004\006\023\002\112\120\061\037\060\035\006\003\125
+\004\012\023\026\103\171\142\145\162\124\162\165\163\164\040\112
+\141\160\141\156\054\040\111\156\143\056\061\052\060\050\006\003
+\125\004\003\023\041\103\171\142\145\162\124\162\165\163\164\040
+\112\101\120\101\116\040\123\145\143\165\162\145\040\123\145\162
+\166\145\162\040\103\101\060\036\027\015\071\070\060\070\060\064
+\060\070\060\066\063\062\132\027\015\060\063\060\070\060\064\062
+\063\065\071\060\060\132\060\132\061\013\060\011\006\003\125\004
+\006\023\002\112\120\061\037\060\035\006\003\125\004\012\023\026
+\103\171\142\145\162\124\162\165\163\164\040\112\141\160\141\156
+\054\040\111\156\143\056\061\052\060\050\006\003\125\004\003\023
+\041\103\171\142\145\162\124\162\165\163\164\040\112\101\120\101
+\116\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040
+\103\101\060\201\237\060\015\006\011\052\206\110\206\367\015\001
+\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000\254
+\046\243\241\270\157\152\300\054\022\371\333\061\005\222\347\375
+\372\324\201\264\270\325\052\325\220\372\360\103\145\374\022\025
+\312\354\333\271\141\336\063\143\067\117\257\000\074\177\222\067
+\033\030\163\345\237\074\210\361\032\023\104\376\171\362\303\046
+\225\017\013\360\236\024\007\041\154\127\302\135\303\342\121\260
+\315\213\137\315\137\206\070\370\171\227\071\354\350\277\122\056
+\261\136\252\251\256\214\355\356\327\310\267\056\061\213\264\071
+\222\073\174\201\047\007\032\001\104\057\111\163\040\266\311\002
+\003\001\000\001\060\015\006\011\052\206\110\206\367\015\001\001
+\004\005\000\003\201\201\000\150\035\173\022\356\132\171\051\061
+\312\001\254\213\120\251\047\231\054\000\374\070\032\034\377\302
+\325\360\023\376\033\247\071\365\200\024\353\121\372\300\215\173
+\204\033\131\256\261\065\121\156\241\076\327\033\354\240\236\337
+\340\245\202\226\343\261\077\330\250\361\313\171\200\216\367\360
+\104\231\176\024\365\043\243\021\343\150\113\005\066\156\210\343
+\253\206\252\070\123\003\102\073\323\271\371\340\277\005\351\323
+\137\303\112\247\266\375\267\135\220\111\370\232\262\255\146\246
+\202\000\223\256\140\377\040
+END
+
+# Trust for Certificate "GTE CyberTrust Japan Secure Server CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTE CyberTrust Japan Secure Server CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\326\371\221\145\061\321\304\017\030\247\073\051\236\031\267\157
+\246\302\111\063
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\335\015\015\264\170\113\175\316\060\012\246\065\306\253\114\210
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\112\120\061
+\037\060\035\006\003\125\004\012\023\026\103\171\142\145\162\124
+\162\165\163\164\040\112\141\160\141\156\054\040\111\156\143\056
+\061\052\060\050\006\003\125\004\003\023\041\103\171\142\145\162
+\124\162\165\163\164\040\112\101\120\101\116\040\123\145\143\165
+\162\145\040\123\145\162\166\145\162\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\117
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Thawte Personal Basic CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Thawte Personal Basic CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\313\061\013\060\011\006\003\125\004\006\023\002\132\101
+\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
+\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
+\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006
+\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156
+\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013
+\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040
+\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157
+\156\061\041\060\037\006\003\125\004\003\023\030\124\150\141\167
+\164\145\040\120\145\162\163\157\156\141\154\040\102\141\163\151
+\143\040\103\101\061\050\060\046\006\011\052\206\110\206\367\015
+\001\011\001\026\031\160\145\162\163\157\156\141\154\055\142\141
+\163\151\143\100\164\150\141\167\164\145\056\143\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\313\061\013\060\011\006\003\125\004\006\023\002\132\101
+\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
+\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
+\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006
+\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156
+\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013
+\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040
+\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157
+\156\061\041\060\037\006\003\125\004\003\023\030\124\150\141\167
+\164\145\040\120\145\162\163\157\156\141\154\040\102\141\163\151
+\143\040\103\101\061\050\060\046\006\011\052\206\110\206\367\015
+\001\011\001\026\031\160\145\162\163\157\156\141\154\055\142\141
+\163\151\143\100\164\150\141\167\164\145\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\041\060\202\002\212\240\003\002\001\002\002\001\000
+\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
+\201\313\061\013\060\011\006\003\125\004\006\023\002\132\101\061
+\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162
+\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023
+\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006\003
+\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156\163
+\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013\023
+\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040\123
+\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157\156
+\061\041\060\037\006\003\125\004\003\023\030\124\150\141\167\164
+\145\040\120\145\162\163\157\156\141\154\040\102\141\163\151\143
+\040\103\101\061\050\060\046\006\011\052\206\110\206\367\015\001
+\011\001\026\031\160\145\162\163\157\156\141\154\055\142\141\163
+\151\143\100\164\150\141\167\164\145\056\143\157\155\060\036\027
+\015\071\066\060\061\060\061\060\060\060\060\060\060\132\027\015
+\062\060\061\062\063\061\062\063\065\071\065\071\132\060\201\313
+\061\013\060\011\006\003\125\004\006\023\002\132\101\061\025\060
+\023\006\003\125\004\010\023\014\127\145\163\164\145\162\156\040
+\103\141\160\145\061\022\060\020\006\003\125\004\007\023\011\103
+\141\160\145\040\124\157\167\156\061\032\060\030\006\003\125\004
+\012\023\021\124\150\141\167\164\145\040\103\157\156\163\165\154
+\164\151\156\147\061\050\060\046\006\003\125\004\013\023\037\103
+\145\162\164\151\146\151\143\141\164\151\157\156\040\123\145\162
+\166\151\143\145\163\040\104\151\166\151\163\151\157\156\061\041
+\060\037\006\003\125\004\003\023\030\124\150\141\167\164\145\040
+\120\145\162\163\157\156\141\154\040\102\141\163\151\143\040\103
+\101\061\050\060\046\006\011\052\206\110\206\367\015\001\011\001
+\026\031\160\145\162\163\157\156\141\154\055\142\141\163\151\143
+\100\164\150\141\167\164\145\056\143\157\155\060\201\237\060\015
+\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215
+\000\060\201\211\002\201\201\000\274\274\223\123\155\300\120\117
+\202\025\346\110\224\065\246\132\276\157\102\372\017\107\356\167
+\165\162\335\215\111\233\226\127\240\170\324\312\077\121\263\151
+\013\221\166\027\042\007\227\152\304\121\223\113\340\215\357\067
+\225\241\014\115\332\064\220\035\027\211\227\340\065\070\127\112
+\300\364\010\160\351\074\104\173\120\176\141\232\220\343\043\323
+\210\021\106\047\365\013\007\016\273\335\321\177\040\012\210\271
+\126\013\056\034\200\332\361\343\236\051\357\024\275\012\104\373
+\033\133\030\321\277\043\223\041\002\003\001\000\001\243\023\060
+\021\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001
+\001\377\060\015\006\011\052\206\110\206\367\015\001\001\004\005
+\000\003\201\201\000\055\342\231\153\260\075\172\211\327\131\242
+\224\001\037\053\335\022\113\123\302\255\177\252\247\000\134\221
+\100\127\045\112\070\252\204\160\271\331\200\017\245\173\134\373
+\163\306\275\327\212\141\134\003\343\055\047\250\027\340\204\205
+\102\334\136\233\306\267\262\155\273\164\257\344\077\313\247\267
+\260\340\135\276\170\203\045\224\322\333\201\017\171\007\155\117
+\364\071\025\132\122\001\173\336\062\326\115\070\366\022\134\006
+\120\337\005\133\275\024\113\241\337\051\272\073\101\215\367\143
+\126\241\337\042\261
+END
+
+# Trust for Certificate "Thawte Personal Basic CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Thawte Personal Basic CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\100\347\214\035\122\075\034\331\225\117\254\032\032\263\275\074
+\272\241\133\374
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\346\013\322\311\312\055\210\333\032\161\016\113\170\353\002\101
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\313\061\013\060\011\006\003\125\004\006\023\002\132\101
+\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
+\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
+\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006
+\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156
+\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013
+\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040
+\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157
+\156\061\041\060\037\006\003\125\004\003\023\030\124\150\141\167
+\164\145\040\120\145\162\163\157\156\141\154\040\102\141\163\151
+\143\040\103\101\061\050\060\046\006\011\052\206\110\206\367\015
+\001\011\001\026\031\160\145\162\163\157\156\141\154\055\142\141
+\163\151\143\100\164\150\141\167\164\145\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Thawte Personal Premium CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Thawte Personal Premium CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\317\061\013\060\011\006\003\125\004\006\023\002\132\101
+\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
+\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
+\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006
+\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156
+\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013
+\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040
+\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157
+\156\061\043\060\041\006\003\125\004\003\023\032\124\150\141\167
+\164\145\040\120\145\162\163\157\156\141\154\040\120\162\145\155
+\151\165\155\040\103\101\061\052\060\050\006\011\052\206\110\206
+\367\015\001\011\001\026\033\160\145\162\163\157\156\141\154\055
+\160\162\145\155\151\165\155\100\164\150\141\167\164\145\056\143
+\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\317\061\013\060\011\006\003\125\004\006\023\002\132\101
+\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
+\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
+\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006
+\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156
+\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013
+\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040
+\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157
+\156\061\043\060\041\006\003\125\004\003\023\032\124\150\141\167
+\164\145\040\120\145\162\163\157\156\141\154\040\120\162\145\155
+\151\165\155\040\103\101\061\052\060\050\006\011\052\206\110\206
+\367\015\001\011\001\026\033\160\145\162\163\157\156\141\154\055
+\160\162\145\155\151\165\155\100\164\150\141\167\164\145\056\143
+\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\051\060\202\002\222\240\003\002\001\002\002\001\000
+\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
+\201\317\061\013\060\011\006\003\125\004\006\023\002\132\101\061
+\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162
+\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023
+\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006\003
+\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156\163
+\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013\023
+\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040\123
+\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157\156
+\061\043\060\041\006\003\125\004\003\023\032\124\150\141\167\164
+\145\040\120\145\162\163\157\156\141\154\040\120\162\145\155\151
+\165\155\040\103\101\061\052\060\050\006\011\052\206\110\206\367
+\015\001\011\001\026\033\160\145\162\163\157\156\141\154\055\160
+\162\145\155\151\165\155\100\164\150\141\167\164\145\056\143\157
+\155\060\036\027\015\071\066\060\061\060\061\060\060\060\060\060
+\060\132\027\015\062\060\061\062\063\061\062\063\065\071\065\071
+\132\060\201\317\061\013\060\011\006\003\125\004\006\023\002\132
+\101\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164
+\145\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004
+\007\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030
+\006\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157
+\156\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004
+\013\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156
+\040\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151
+\157\156\061\043\060\041\006\003\125\004\003\023\032\124\150\141
+\167\164\145\040\120\145\162\163\157\156\141\154\040\120\162\145
+\155\151\165\155\040\103\101\061\052\060\050\006\011\052\206\110
+\206\367\015\001\011\001\026\033\160\145\162\163\157\156\141\154
+\055\160\162\145\155\151\165\155\100\164\150\141\167\164\145\056
+\143\157\155\060\201\237\060\015\006\011\052\206\110\206\367\015
+\001\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000
+\311\146\331\370\007\104\317\271\214\056\360\241\357\023\105\154
+\005\337\336\047\026\121\066\101\021\154\154\073\355\376\020\175
+\022\236\345\233\102\232\376\140\061\303\146\267\163\072\110\256
+\116\320\062\067\224\210\265\015\266\331\363\362\104\331\325\210
+\022\335\166\115\362\032\374\157\043\036\172\361\330\230\105\116
+\007\020\357\026\102\320\103\165\155\112\336\342\252\311\061\377
+\037\000\160\174\146\317\020\045\010\272\372\356\000\351\106\003
+\146\047\021\025\073\252\133\362\230\335\066\102\262\332\210\165
+\002\003\001\000\001\243\023\060\021\060\017\006\003\125\035\023
+\001\001\377\004\005\060\003\001\001\377\060\015\006\011\052\206
+\110\206\367\015\001\001\004\005\000\003\201\201\000\151\066\211
+\367\064\052\063\162\057\155\073\324\042\262\270\157\232\305\066
+\146\016\033\074\241\261\165\132\346\375\065\323\370\250\362\007
+\157\205\147\216\336\053\271\342\027\260\072\240\360\016\242\000
+\232\337\363\024\025\156\273\310\205\132\230\200\371\377\276\164
+\035\075\363\376\060\045\321\067\064\147\372\245\161\171\060\141
+\051\162\300\340\054\114\373\126\344\072\250\157\345\062\131\122
+\333\165\050\120\131\014\370\013\031\344\254\331\257\226\215\057
+\120\333\007\303\352\037\253\063\340\365\053\061\211
+END
+
+# Trust for Certificate "Thawte Personal Premium CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Thawte Personal Premium CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\066\206\065\143\375\121\050\307\276\246\360\005\317\351\264\066
+\150\010\154\316
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\072\262\336\042\232\040\223\111\371\355\310\322\212\347\150\015
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\317\061\013\060\011\006\003\125\004\006\023\002\132\101
+\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
+\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
+\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006
+\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156
+\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013
+\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040
+\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157
+\156\061\043\060\041\006\003\125\004\003\023\032\124\150\141\167
+\164\145\040\120\145\162\163\157\156\141\154\040\120\162\145\155
+\151\165\155\040\103\101\061\052\060\050\006\011\052\206\110\206
+\367\015\001\011\001\026\033\160\145\162\163\157\156\141\154\055
+\160\162\145\155\151\165\155\100\164\150\141\167\164\145\056\143
+\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Thawte Personal Freemail CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Thawte Personal Freemail CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\321\061\013\060\011\006\003\125\004\006\023\002\132\101
+\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
+\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
+\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006
+\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156
+\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013
+\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040
+\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157
+\156\061\044\060\042\006\003\125\004\003\023\033\124\150\141\167
+\164\145\040\120\145\162\163\157\156\141\154\040\106\162\145\145
+\155\141\151\154\040\103\101\061\053\060\051\006\011\052\206\110
+\206\367\015\001\011\001\026\034\160\145\162\163\157\156\141\154
+\055\146\162\145\145\155\141\151\154\100\164\150\141\167\164\145
+\056\143\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\321\061\013\060\011\006\003\125\004\006\023\002\132\101
+\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
+\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
+\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006
+\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156
+\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013
+\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040
+\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157
+\156\061\044\060\042\006\003\125\004\003\023\033\124\150\141\167
+\164\145\040\120\145\162\163\157\156\141\154\040\106\162\145\145
+\155\141\151\154\040\103\101\061\053\060\051\006\011\052\206\110
+\206\367\015\001\011\001\026\034\160\145\162\163\157\156\141\154
+\055\146\162\145\145\155\141\151\154\100\164\150\141\167\164\145
+\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\055\060\202\002\226\240\003\002\001\002\002\001\000
+\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
+\201\321\061\013\060\011\006\003\125\004\006\023\002\132\101\061
+\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162
+\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023
+\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006\003
+\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156\163
+\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013\023
+\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040\123
+\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157\156
+\061\044\060\042\006\003\125\004\003\023\033\124\150\141\167\164
+\145\040\120\145\162\163\157\156\141\154\040\106\162\145\145\155
+\141\151\154\040\103\101\061\053\060\051\006\011\052\206\110\206
+\367\015\001\011\001\026\034\160\145\162\163\157\156\141\154\055
+\146\162\145\145\155\141\151\154\100\164\150\141\167\164\145\056
+\143\157\155\060\036\027\015\071\066\060\061\060\061\060\060\060
+\060\060\060\132\027\015\062\060\061\062\063\061\062\063\065\071
+\065\071\132\060\201\321\061\013\060\011\006\003\125\004\006\023
+\002\132\101\061\025\060\023\006\003\125\004\010\023\014\127\145
+\163\164\145\162\156\040\103\141\160\145\061\022\060\020\006\003
+\125\004\007\023\011\103\141\160\145\040\124\157\167\156\061\032
+\060\030\006\003\125\004\012\023\021\124\150\141\167\164\145\040
+\103\157\156\163\165\154\164\151\156\147\061\050\060\046\006\003
+\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
+\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
+\163\151\157\156\061\044\060\042\006\003\125\004\003\023\033\124
+\150\141\167\164\145\040\120\145\162\163\157\156\141\154\040\106
+\162\145\145\155\141\151\154\040\103\101\061\053\060\051\006\011
+\052\206\110\206\367\015\001\011\001\026\034\160\145\162\163\157
+\156\141\154\055\146\162\145\145\155\141\151\154\100\164\150\141
+\167\164\145\056\143\157\155\060\201\237\060\015\006\011\052\206
+\110\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211
+\002\201\201\000\324\151\327\324\260\224\144\133\161\351\107\330
+\014\121\266\352\162\221\260\204\136\175\055\015\217\173\022\337
+\205\045\165\050\164\072\102\054\143\047\237\225\173\113\357\176
+\031\207\035\206\352\243\335\271\316\226\144\032\302\024\156\104
+\254\174\346\217\350\115\017\161\037\100\070\246\000\243\207\170
+\366\371\224\206\136\255\352\300\136\166\353\331\024\243\135\156
+\172\174\014\245\113\125\177\006\031\051\177\236\232\046\325\152
+\273\070\044\010\152\230\307\261\332\243\230\221\375\171\333\345
+\132\304\034\271\002\003\001\000\001\243\023\060\021\060\017\006
+\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015
+\006\011\052\206\110\206\367\015\001\001\004\005\000\003\201\201
+\000\307\354\222\176\116\370\365\226\245\147\142\052\244\360\115
+\021\140\320\157\215\140\130\141\254\046\273\122\065\134\010\317
+\060\373\250\112\226\212\037\142\102\043\214\027\017\364\272\144
+\234\027\254\107\051\337\235\230\136\322\154\140\161\134\242\254
+\334\171\343\347\156\000\107\037\265\015\050\350\002\235\344\232
+\375\023\364\246\331\174\261\370\334\137\043\046\011\221\200\163
+\320\024\033\336\103\251\203\045\362\346\234\057\025\312\376\246
+\253\212\007\165\213\014\335\121\204\153\344\370\321\316\167\242
+\201
+END
+
+# Trust for Certificate "Thawte Personal Freemail CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Thawte Personal Freemail CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\040\231\000\266\075\225\127\050\024\014\321\066\042\330\306\207
+\244\353\000\205
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\036\164\303\206\074\014\065\305\076\302\177\357\074\252\074\331
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\321\061\013\060\011\006\003\125\004\006\023\002\132\101
+\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
+\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
+\023\011\103\141\160\145\040\124\157\167\156\061\032\060\030\006
+\003\125\004\012\023\021\124\150\141\167\164\145\040\103\157\156
+\163\165\154\164\151\156\147\061\050\060\046\006\003\125\004\013
+\023\037\103\145\162\164\151\146\151\143\141\164\151\157\156\040
+\123\145\162\166\151\143\145\163\040\104\151\166\151\163\151\157
+\156\061\044\060\042\006\003\125\004\003\023\033\124\150\141\167
+\164\145\040\120\145\162\163\157\156\141\154\040\106\162\145\145
+\155\141\151\154\040\103\101\061\053\060\051\006\011\052\206\110
+\206\367\015\001\011\001\026\034\160\145\162\163\157\156\141\154
+\055\146\162\145\145\155\141\151\154\100\164\150\141\167\164\145
+\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+
+#
+# Certificate "Thawte Server CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Thawte Server CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101
+\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
+\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
+\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
+\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
+\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
+\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
+\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
+\163\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124
+\150\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061
+\046\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027
+\163\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141
+\167\164\145\056\143\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101
+\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
+\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
+\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
+\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
+\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
+\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
+\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
+\163\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124
+\150\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061
+\046\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027
+\163\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141
+\167\164\145\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\023\060\202\002\174\240\003\002\001\002\002\001\001
+\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
+\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101\061
+\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162
+\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023
+\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006\003
+\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156\163
+\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003\125
+\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151\163
+\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124\150
+\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061\046
+\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027\163
+\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141\167
+\164\145\056\143\157\155\060\036\027\015\071\066\060\070\060\061
+\060\060\060\060\060\060\132\027\015\062\060\061\062\063\061\062
+\063\065\071\065\071\132\060\201\304\061\013\060\011\006\003\125
+\004\006\023\002\132\101\061\025\060\023\006\003\125\004\010\023
+\014\127\145\163\164\145\162\156\040\103\141\160\145\061\022\060
+\020\006\003\125\004\007\023\011\103\141\160\145\040\124\157\167
+\156\061\035\060\033\006\003\125\004\012\023\024\124\150\141\167
+\164\145\040\103\157\156\163\165\154\164\151\156\147\040\143\143
+\061\050\060\046\006\003\125\004\013\023\037\103\145\162\164\151
+\146\151\143\141\164\151\157\156\040\123\145\162\166\151\143\145
+\163\040\104\151\166\151\163\151\157\156\061\031\060\027\006\003
+\125\004\003\023\020\124\150\141\167\164\145\040\123\145\162\166
+\145\162\040\103\101\061\046\060\044\006\011\052\206\110\206\367
+\015\001\011\001\026\027\163\145\162\166\145\162\055\143\145\162
+\164\163\100\164\150\141\167\164\145\056\143\157\155\060\201\237
+\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
+\201\215\000\060\201\211\002\201\201\000\323\244\120\156\310\377
+\126\153\346\317\135\266\352\014\150\165\107\242\252\302\332\204
+\045\374\250\364\107\121\332\205\265\040\164\224\206\036\017\165
+\311\351\010\141\365\006\155\060\156\025\031\002\351\122\300\142
+\333\115\231\236\342\152\014\104\070\315\376\276\343\144\011\160
+\305\376\261\153\051\266\057\111\310\073\324\047\004\045\020\227
+\057\347\220\155\300\050\102\231\327\114\103\336\303\365\041\155
+\124\237\135\303\130\341\300\344\331\133\260\270\334\264\173\337
+\066\072\302\265\146\042\022\326\207\015\002\003\001\000\001\243
+\023\060\021\060\017\006\003\125\035\023\001\001\377\004\005\060
+\003\001\001\377\060\015\006\011\052\206\110\206\367\015\001\001
+\004\005\000\003\201\201\000\007\372\114\151\134\373\225\314\106
+\356\205\203\115\041\060\216\312\331\250\157\111\032\346\332\121
+\343\140\160\154\204\141\021\241\032\310\110\076\131\103\175\117
+\225\075\241\213\267\013\142\230\172\165\212\335\210\116\116\236
+\100\333\250\314\062\164\271\157\015\306\343\263\104\013\331\212
+\157\232\051\233\231\030\050\073\321\343\100\050\232\132\074\325
+\265\347\040\033\213\312\244\253\215\351\121\331\342\114\054\131
+\251\332\271\262\165\033\366\102\362\357\307\362\030\371\211\274
+\243\377\212\043\056\160\107
+END
+
+# Trust for Certificate "Thawte Server CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Thawte Server CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\043\345\224\224\121\225\362\101\110\003\264\325\144\322\243\243
+\365\330\213\214
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\305\160\304\242\355\123\170\014\310\020\123\201\144\313\320\035
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101
+\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
+\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
+\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
+\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
+\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
+\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
+\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
+\163\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124
+\150\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061
+\046\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027
+\163\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141
+\167\164\145\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Thawte Premium Server CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Thawte Premium Server CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101
+\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
+\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
+\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
+\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
+\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
+\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
+\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
+\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124
+\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145
+\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110
+\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055
+\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157
+\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101
+\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
+\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
+\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
+\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
+\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
+\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
+\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
+\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124
+\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145
+\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110
+\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055
+\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157
+\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\047\060\202\002\220\240\003\002\001\002\002\001\001
+\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
+\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101\061
+\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162
+\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023
+\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006\003
+\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156\163
+\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003\125
+\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151\163
+\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124\150
+\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145\162
+\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110\206
+\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055\163
+\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157\155
+\060\036\027\015\071\066\060\070\060\061\060\060\060\060\060\060
+\132\027\015\062\060\061\062\063\061\062\063\065\071\065\071\132
+\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101
+\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
+\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
+\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
+\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
+\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
+\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
+\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
+\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124
+\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145
+\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110
+\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055
+\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157
+\155\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001
+\001\005\000\003\201\215\000\060\201\211\002\201\201\000\322\066
+\066\152\213\327\302\133\236\332\201\101\142\217\070\356\111\004
+\125\326\320\357\034\033\225\026\107\357\030\110\065\072\122\364
+\053\152\006\217\073\057\352\126\343\257\206\215\236\027\367\236
+\264\145\165\002\115\357\313\011\242\041\121\330\233\320\147\320
+\272\015\222\006\024\163\324\223\313\227\052\000\234\134\116\014
+\274\372\025\122\374\362\104\156\332\021\112\156\010\237\057\055
+\343\371\252\072\206\163\266\106\123\130\310\211\005\275\203\021
+\270\163\077\252\007\215\364\102\115\347\100\235\034\067\002\003
+\001\000\001\243\023\060\021\060\017\006\003\125\035\023\001\001
+\377\004\005\060\003\001\001\377\060\015\006\011\052\206\110\206
+\367\015\001\001\004\005\000\003\201\201\000\046\110\054\026\302
+\130\372\350\026\164\014\252\252\137\124\077\362\327\311\170\140
+\136\136\156\067\143\042\167\066\176\262\027\304\064\271\365\010
+\205\374\311\001\070\377\115\276\362\026\102\103\347\273\132\106
+\373\301\306\021\037\361\112\260\050\106\311\303\304\102\175\274
+\372\253\131\156\325\267\121\210\021\343\244\205\031\153\202\114
+\244\014\022\255\351\244\256\077\361\303\111\145\232\214\305\310
+\076\045\267\224\231\273\222\062\161\007\360\206\136\355\120\047
+\246\015\246\043\371\273\313\246\007\024\102
+END
+
+# Trust for Certificate "Thawte Premium Server CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Thawte Premium Server CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\142\177\215\170\047\145\143\231\322\175\177\220\104\311\376\263
+\363\076\372\232
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\006\237\151\171\026\146\220\002\033\214\214\242\303\007\157\072
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101
+\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
+\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
+\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
+\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
+\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
+\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
+\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
+\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124
+\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145
+\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110
+\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055
+\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157
+\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "American Express CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "American Express CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\217\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\047\060\045\006\003\125\004\012\023\036\101\155\145\162\151
+\143\141\156\040\105\170\160\162\145\163\163\040\103\157\155\160
+\141\156\171\054\040\111\156\143\056\061\046\060\044\006\003\125
+\004\013\023\035\101\155\145\162\151\143\141\156\040\105\170\160
+\162\145\163\163\040\124\145\143\150\156\157\154\157\147\151\145
+\163\061\057\060\055\006\003\125\004\003\023\046\101\155\145\162
+\151\143\141\156\040\105\170\160\162\145\163\163\040\103\145\162
+\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151
+\164\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\217\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\047\060\045\006\003\125\004\012\023\036\101\155\145\162\151
+\143\141\156\040\105\170\160\162\145\163\163\040\103\157\155\160
+\141\156\171\054\040\111\156\143\056\061\046\060\044\006\003\125
+\004\013\023\035\101\155\145\162\151\143\141\156\040\105\170\160
+\162\145\163\163\040\124\145\143\150\156\157\154\157\147\151\145
+\163\061\057\060\055\006\003\125\004\003\023\046\101\155\145\162
+\151\143\141\156\040\105\170\160\162\145\163\163\040\103\145\162
+\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151
+\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\215
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\220\060\202\001\371\002\002\000\215\060\015\006\011
+\052\206\110\206\367\015\001\001\004\005\000\060\201\217\061\013
+\060\011\006\003\125\004\006\023\002\125\123\061\047\060\045\006
+\003\125\004\012\023\036\101\155\145\162\151\143\141\156\040\105
+\170\160\162\145\163\163\040\103\157\155\160\141\156\171\054\040
+\111\156\143\056\061\046\060\044\006\003\125\004\013\023\035\101
+\155\145\162\151\143\141\156\040\105\170\160\162\145\163\163\040
+\124\145\143\150\156\157\154\157\147\151\145\163\061\057\060\055
+\006\003\125\004\003\023\046\101\155\145\162\151\143\141\156\040
+\105\170\160\162\145\163\163\040\103\145\162\164\151\146\151\143
+\141\164\145\040\101\165\164\150\157\162\151\164\171\060\036\027
+\015\071\070\060\070\061\064\062\062\060\061\060\060\132\027\015
+\060\066\060\070\061\064\062\063\065\071\060\060\132\060\201\217
+\061\013\060\011\006\003\125\004\006\023\002\125\123\061\047\060
+\045\006\003\125\004\012\023\036\101\155\145\162\151\143\141\156
+\040\105\170\160\162\145\163\163\040\103\157\155\160\141\156\171
+\054\040\111\156\143\056\061\046\060\044\006\003\125\004\013\023
+\035\101\155\145\162\151\143\141\156\040\105\170\160\162\145\163
+\163\040\124\145\143\150\156\157\154\157\147\151\145\163\061\057
+\060\055\006\003\125\004\003\023\046\101\155\145\162\151\143\141
+\156\040\105\170\160\162\145\163\163\040\103\145\162\164\151\146
+\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171\060
+\201\237\060\015\006\011\052\206\110\206\367\015\001\001\001\005
+\000\003\201\215\000\060\201\211\002\201\201\000\311\362\111\222
+\205\312\375\025\051\265\006\266\104\354\374\210\243\362\206\316
+\377\024\117\044\034\222\371\302\043\301\316\103\337\135\064\310
+\270\024\354\325\052\160\221\111\225\327\126\315\224\361\251\223
+\320\150\042\334\115\175\240\012\162\052\107\352\045\360\205\000
+\137\066\124\141\317\013\371\067\132\147\235\351\037\351\144\077
+\160\225\141\247\320\060\002\336\046\050\244\146\003\004\351\060
+\373\217\063\007\371\157\141\207\242\162\333\363\150\170\143\146
+\131\251\311\267\146\341\025\262\110\066\054\371\002\003\001\000
+\001\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000
+\003\201\201\000\150\027\142\270\163\213\114\154\353\112\245\076
+\253\345\235\056\322\315\212\007\127\363\306\131\227\166\027\027
+\370\122\216\047\223\330\130\330\050\154\364\242\004\172\212\302
+\166\044\261\002\264\337\050\362\367\363\250\247\176\043\110\141
+\210\364\021\150\256\046\135\366\241\113\123\045\152\330\052\024
+\002\016\340\207\040\156\236\031\134\163\220\013\043\342\061\227
+\043\077\325\042\242\323\006\173\332\067\365\327\265\101\104\027
+\172\105\002\331\205\105\146\326\216\307\360\172\014\231\142\042
+\151\133\355\322
+END
+
+# Trust for Certificate "American Express CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "American Express CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\254\231\217\200\304\240\005\370\156\362\240\256\110\030\344\117
+\110\237\370\177
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\034\325\216\202\276\160\125\216\071\141\337\255\121\333\153\240
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\217\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\047\060\045\006\003\125\004\012\023\036\101\155\145\162\151
+\143\141\156\040\105\170\160\162\145\163\163\040\103\157\155\160
+\141\156\171\054\040\111\156\143\056\061\046\060\044\006\003\125
+\004\013\023\035\101\155\145\162\151\143\141\156\040\105\170\160
+\162\145\163\163\040\124\145\143\150\156\157\154\157\147\151\145
+\163\061\057\060\055\006\003\125\004\003\023\046\101\155\145\162
+\151\143\141\156\040\105\170\160\162\145\163\163\040\103\145\162
+\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151
+\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\215
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+
+#
+# Certificate "American Express Global CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "American Express Global CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\226\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\047\060\045\006\003\125\004\012\023\036\101\155\145\162\151
+\143\141\156\040\105\170\160\162\145\163\163\040\103\157\155\160
+\141\156\171\054\040\111\156\143\056\061\046\060\044\006\003\125
+\004\013\023\035\101\155\145\162\151\143\141\156\040\105\170\160
+\162\145\163\163\040\124\145\143\150\156\157\154\157\147\151\145
+\163\061\066\060\064\006\003\125\004\003\023\055\101\155\145\162
+\151\143\141\156\040\105\170\160\162\145\163\163\040\107\154\157
+\142\141\154\040\103\145\162\164\151\146\151\143\141\164\145\040
+\101\165\164\150\157\162\151\164\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\226\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\047\060\045\006\003\125\004\012\023\036\101\155\145\162\151
+\143\141\156\040\105\170\160\162\145\163\163\040\103\157\155\160
+\141\156\171\054\040\111\156\143\056\061\046\060\044\006\003\125
+\004\013\023\035\101\155\145\162\151\143\141\156\040\105\170\160
+\162\145\163\163\040\124\145\143\150\156\157\154\157\147\151\145
+\163\061\066\060\064\006\003\125\004\003\023\055\101\155\145\162
+\151\143\141\156\040\105\170\160\162\145\163\163\040\107\154\157
+\142\141\154\040\103\145\162\164\151\146\151\143\141\164\145\040
+\101\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\205
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\004\060\202\002\354\240\003\002\001\002\002\002\000
+\205\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000
+\060\201\226\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\047\060\045\006\003\125\004\012\023\036\101\155\145\162\151
+\143\141\156\040\105\170\160\162\145\163\163\040\103\157\155\160
+\141\156\171\054\040\111\156\143\056\061\046\060\044\006\003\125
+\004\013\023\035\101\155\145\162\151\143\141\156\040\105\170\160
+\162\145\163\163\040\124\145\143\150\156\157\154\157\147\151\145
+\163\061\066\060\064\006\003\125\004\003\023\055\101\155\145\162
+\151\143\141\156\040\105\170\160\162\145\163\163\040\107\154\157
+\142\141\154\040\103\145\162\164\151\146\151\143\141\164\145\040
+\101\165\164\150\157\162\151\164\171\060\036\027\015\071\070\060
+\070\061\064\061\071\060\066\060\060\132\027\015\061\063\060\070
+\061\064\062\063\065\071\060\060\132\060\201\226\061\013\060\011
+\006\003\125\004\006\023\002\125\123\061\047\060\045\006\003\125
+\004\012\023\036\101\155\145\162\151\143\141\156\040\105\170\160
+\162\145\163\163\040\103\157\155\160\141\156\171\054\040\111\156
+\143\056\061\046\060\044\006\003\125\004\013\023\035\101\155\145
+\162\151\143\141\156\040\105\170\160\162\145\163\163\040\124\145
+\143\150\156\157\154\157\147\151\145\163\061\066\060\064\006\003
+\125\004\003\023\055\101\155\145\162\151\143\141\156\040\105\170
+\160\162\145\163\163\040\107\154\157\142\141\154\040\103\145\162
+\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151
+\164\171\060\202\001\042\060\015\006\011\052\206\110\206\367\015
+\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202
+\001\001\000\360\044\046\146\056\373\353\112\163\161\123\211\107
+\313\046\074\123\222\224\114\312\302\205\265\015\370\303\127\275
+\057\052\037\152\030\267\127\257\014\000\026\372\240\266\220\246
+\367\032\241\056\146\046\307\150\243\212\223\151\146\265\106\126
+\055\035\202\352\220\014\012\042\302\211\120\215\005\363\324\253
+\163\101\360\317\022\254\050\264\157\024\224\226\131\113\236\220
+\165\206\337\342\107\353\341\351\117\103\176\207\312\047\030\146
+\236\265\301\100\145\175\374\141\157\255\233\162\317\251\136\330
+\363\371\332\156\221\020\372\114\265\352\176\040\336\251\071\057
+\365\210\344\212\157\065\306\040\234\053\206\106\063\012\374\061
+\125\245\153\254\026\100\351\315\065\131\157\062\004\303\173\265
+\017\173\167\160\363\110\273\052\122\202\316\257\051\155\361\021
+\157\155\346\007\000\001\357\232\363\046\015\246\171\023\147\257
+\370\253\034\165\254\221\265\153\276\100\260\336\234\014\261\151
+\205\031\161\221\023\105\312\337\321\375\346\262\312\226\203\171
+\333\305\270\252\133\172\220\013\170\126\076\306\327\237\224\110
+\021\365\255\002\003\001\000\001\243\132\060\130\060\022\006\003
+\125\035\023\001\001\377\004\010\060\006\001\001\377\002\001\005
+\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006
+\060\027\006\003\125\035\040\004\020\060\016\060\014\006\012\052
+\206\110\206\371\017\012\001\005\001\060\031\006\003\125\035\016
+\004\022\004\020\127\107\065\173\066\047\021\250\010\374\057\106
+\045\353\044\151\060\015\006\011\052\206\110\206\367\015\001\001
+\005\005\000\003\202\001\001\000\307\141\105\250\212\161\271\276
+\064\351\041\173\041\315\126\023\230\325\060\143\351\030\252\113
+\222\025\277\013\035\273\354\222\151\305\056\303\141\213\350\060
+\105\313\020\106\301\163\070\134\213\031\322\053\363\100\353\174
+\162\263\056\036\047\343\165\225\212\034\233\056\304\225\005\206
+\162\320\125\364\241\222\122\171\134\333\364\370\334\345\327\022
+\261\100\307\074\206\344\061\145\112\312\067\306\336\166\127\031
+\151\114\106\151\374\052\255\026\067\172\223\254\367\041\113\055
+\373\353\251\120\313\301\321\100\010\332\003\151\207\247\067\136
+\125\301\305\355\304\343\216\014\046\227\233\134\127\113\162\343
+\362\003\005\320\002\073\046\003\100\220\236\276\013\133\111\014
+\170\361\325\114\125\051\340\366\375\114\003\251\124\002\062\321
+\127\132\205\254\103\355\133\073\026\137\240\277\065\333\113\236
+\173\350\377\347\015\074\073\250\233\111\101\106\365\163\116\377
+\222\145\041\203\023\125\161\353\111\074\177\210\032\302\022\050
+\045\241\106\113\101\067\227\177\354\216\361\324\241\226\302\040
+\266\136\255\251\034\036\021\240
+END
+
+# Trust for Certificate "American Express Global CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "American Express Global CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\005\025\203\065\174\267\267\276\344\016\273\221\377\153\073\274
+\361\124\335\126
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\143\033\146\223\214\363\146\313\074\171\127\334\005\111\352\333
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\226\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\047\060\045\006\003\125\004\012\023\036\101\155\145\162\151
+\143\141\156\040\105\170\160\162\145\163\163\040\103\157\155\160
+\141\156\171\054\040\111\156\143\056\061\046\060\044\006\003\125
+\004\013\023\035\101\155\145\162\151\143\141\156\040\105\170\160
+\162\145\163\163\040\124\145\143\150\156\157\154\157\147\151\145
+\163\061\066\060\064\006\003\125\004\003\023\055\101\155\145\162
+\151\143\141\156\040\105\170\160\162\145\163\163\040\107\154\157
+\142\141\154\040\103\145\162\164\151\146\151\143\141\164\145\040
+\101\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\205
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+
+#
+# Certificate "Equifax Premium CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Equifax Premium CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\117\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141
+\170\061\056\060\054\006\003\125\004\013\023\045\105\161\165\151
+\146\141\170\040\120\162\145\155\151\165\155\040\103\145\162\164
+\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\117\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141
+\170\061\056\060\054\006\003\125\004\013\023\045\105\161\165\151
+\146\141\170\040\120\162\145\155\151\165\155\040\103\145\162\164
+\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\065\341\357\036
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\043\060\202\002\214\240\003\002\001\002\002\004\065
+\341\357\036\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\117\061\013\060\011\006\003\125\004\006\023\002\125
+\123\061\020\060\016\006\003\125\004\012\023\007\105\161\165\151
+\146\141\170\061\056\060\054\006\003\125\004\013\023\045\105\161
+\165\151\146\141\170\040\120\162\145\155\151\165\155\040\103\145
+\162\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162
+\151\164\171\060\036\027\015\071\070\060\070\062\064\062\062\065
+\064\062\063\132\027\015\061\070\060\070\062\064\062\062\065\064
+\062\063\132\060\117\061\013\060\011\006\003\125\004\006\023\002
+\125\123\061\020\060\016\006\003\125\004\012\023\007\105\161\165
+\151\146\141\170\061\056\060\054\006\003\125\004\013\023\045\105
+\161\165\151\146\141\170\040\120\162\145\155\151\165\155\040\103
+\145\162\164\151\146\151\143\141\164\145\040\101\165\164\150\157
+\162\151\164\171\060\201\237\060\015\006\011\052\206\110\206\367
+\015\001\001\001\005\000\003\201\215\000\060\201\211\002\201\201
+\000\316\241\006\216\006\314\010\013\301\206\250\336\040\325\015
+\016\321\015\304\237\352\152\331\263\302\062\107\100\157\212\210
+\244\011\275\070\054\035\346\313\346\244\363\066\353\332\353\274
+\374\144\263\007\366\055\274\252\316\237\031\110\150\112\374\365
+\242\105\176\011\020\365\217\263\111\134\043\006\071\352\023\213
+\270\013\315\221\035\166\137\331\067\241\104\373\137\220\362\147
+\263\315\030\231\103\037\166\022\153\002\362\225\203\070\103\302
+\366\142\064\312\311\170\135\137\322\330\272\232\377\276\020\140
+\133\002\003\001\000\001\243\202\001\012\060\202\001\006\060\161
+\006\003\125\035\037\004\152\060\150\060\146\240\144\240\142\244
+\140\060\136\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146
+\141\170\061\056\060\054\006\003\125\004\013\023\045\105\161\165
+\151\146\141\170\040\120\162\145\155\151\165\155\040\103\145\162
+\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151
+\164\171\061\015\060\013\006\003\125\004\003\023\004\103\122\114
+\061\060\032\006\003\125\035\020\004\023\060\021\201\017\062\060
+\061\070\060\070\062\064\062\062\065\064\062\063\132\060\013\006
+\003\125\035\017\004\004\003\002\001\006\060\037\006\003\125\035
+\043\004\030\060\026\200\024\025\356\262\050\131\253\156\345\370
+\317\213\201\364\044\341\256\077\165\033\230\060\035\006\003\125
+\035\016\004\026\004\024\025\356\262\050\131\253\156\345\370\317
+\213\201\364\044\341\256\077\165\033\230\060\014\006\003\125\035
+\023\004\005\060\003\001\001\377\060\032\006\011\052\206\110\206
+\366\175\007\101\000\004\015\060\013\033\005\126\063\056\060\143
+\003\002\006\300\060\015\006\011\052\206\110\206\367\015\001\001
+\005\005\000\003\201\201\000\275\013\234\047\251\003\333\050\334
+\230\251\113\320\321\216\247\250\032\132\221\340\234\361\367\030
+\174\056\042\236\066\037\311\250\265\315\106\112\156\372\065\007
+\033\206\010\353\237\342\250\371\235\101\055\072\256\134\134\266
+\137\064\004\353\374\052\140\260\373\164\344\205\351\145\070\226
+\356\025\307\306\167\143\022\275\212\150\037\253\154\175\332\312
+\134\023\316\352\311\353\011\134\305\163\347\022\001\325\331\123
+\007\236\340\017\226\360\213\264\273\105\110\237\206\305\031\125
+\240\313\226\305\003\374\110
+END
+
+# Trust for Certificate "Equifax Premium CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Equifax Premium CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\235\021\167\273\103\333\275\240\007\310\252\321\253\220\127\020
+\256\170\244\135
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\251\351\250\235\016\163\343\261\057\067\015\350\110\077\206\355
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\117\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141
+\170\061\056\060\054\006\003\125\004\013\023\045\105\161\165\151
+\146\141\170\040\120\162\145\155\151\165\155\040\103\145\162\164
+\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\065\341\357\036
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Equifax Secure CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Equifax Secure CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141
+\170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151
+\146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151
+\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141
+\170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151
+\146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151
+\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\065\336\364\317
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\040\060\202\002\211\240\003\002\001\002\002\004\065
+\336\364\317\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\116\061\013\060\011\006\003\125\004\006\023\002\125
+\123\061\020\060\016\006\003\125\004\012\023\007\105\161\165\151
+\146\141\170\061\055\060\053\006\003\125\004\013\023\044\105\161
+\165\151\146\141\170\040\123\145\143\165\162\145\040\103\145\162
+\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151
+\164\171\060\036\027\015\071\070\060\070\062\062\061\066\064\061
+\065\061\132\027\015\061\070\060\070\062\062\061\066\064\061\065
+\061\132\060\116\061\013\060\011\006\003\125\004\006\023\002\125
+\123\061\020\060\016\006\003\125\004\012\023\007\105\161\165\151
+\146\141\170\061\055\060\053\006\003\125\004\013\023\044\105\161
+\165\151\146\141\170\040\123\145\143\165\162\145\040\103\145\162
+\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151
+\164\171\060\201\237\060\015\006\011\052\206\110\206\367\015\001
+\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000\301
+\135\261\130\147\010\142\356\240\232\055\037\010\155\221\024\150
+\230\012\036\376\332\004\157\023\204\142\041\303\321\174\316\237
+\005\340\270\001\360\116\064\354\342\212\225\004\144\254\361\153
+\123\137\005\263\313\147\200\277\102\002\216\376\335\001\011\354
+\341\000\024\117\374\373\360\014\335\103\272\133\053\341\037\200
+\160\231\025\127\223\026\361\017\227\152\267\302\150\043\034\314
+\115\131\060\254\121\036\073\257\053\326\356\143\105\173\305\331
+\137\120\322\343\120\017\072\210\347\277\024\375\340\307\271\002
+\003\001\000\001\243\202\001\011\060\202\001\005\060\160\006\003
+\125\035\037\004\151\060\147\060\145\240\143\240\141\244\137\060
+\135\061\013\060\011\006\003\125\004\006\023\002\125\123\061\020
+\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141\170
+\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151\146
+\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151\146
+\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171\061
+\015\060\013\006\003\125\004\003\023\004\103\122\114\061\060\032
+\006\003\125\035\020\004\023\060\021\201\017\062\060\061\070\060
+\070\062\062\061\066\064\061\065\061\132\060\013\006\003\125\035
+\017\004\004\003\002\001\006\060\037\006\003\125\035\043\004\030
+\060\026\200\024\110\346\150\371\053\322\262\225\327\107\330\043
+\040\020\117\063\230\220\237\324\060\035\006\003\125\035\016\004
+\026\004\024\110\346\150\371\053\322\262\225\327\107\330\043\040
+\020\117\063\230\220\237\324\060\014\006\003\125\035\023\004\005
+\060\003\001\001\377\060\032\006\011\052\206\110\206\366\175\007
+\101\000\004\015\060\013\033\005\126\063\056\060\143\003\002\006
+\300\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000
+\003\201\201\000\130\316\051\352\374\367\336\265\316\002\271\027
+\265\205\321\271\343\340\225\314\045\061\015\000\246\222\156\177
+\266\222\143\236\120\225\321\232\157\344\021\336\143\205\156\230
+\356\250\377\132\310\323\125\262\146\161\127\336\300\041\353\075
+\052\247\043\111\001\004\206\102\173\374\356\177\242\026\122\265
+\147\147\323\100\333\073\046\130\262\050\167\075\256\024\167\141
+\326\372\052\146\047\240\015\372\247\163\134\352\160\361\224\041
+\145\104\137\372\374\357\051\150\251\242\207\171\357\171\357\117
+\254\007\167\070
+END
+
+# Trust for Certificate "Equifax Secure CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Equifax Secure CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\322\062\011\255\043\323\024\043\041\164\344\015\177\235\142\023
+\227\206\143\072
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\147\313\235\300\023\044\212\202\233\262\027\036\321\033\354\324
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141
+\170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151
+\146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151
+\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\065\336\364\317
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "BelSign Object Publishing CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "BelSign Object Publishing CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\273\061\013\060\011\006\003\125\004\006\023\002\102\105
+\061\021\060\017\006\003\125\004\007\023\010\102\162\165\163\163
+\145\154\163\061\023\060\021\006\003\125\004\012\023\012\102\145
+\154\123\151\147\156\040\116\126\061\070\060\066\006\003\125\004
+\013\023\057\102\145\154\123\151\147\156\040\117\142\152\145\143
+\164\040\120\165\142\154\151\163\150\151\156\147\040\103\145\162
+\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151
+\164\171\061\045\060\043\006\003\125\004\003\023\034\102\145\154
+\123\151\147\156\040\117\142\152\145\143\164\040\120\165\142\154
+\151\163\150\151\156\147\040\103\101\061\043\060\041\006\011\052
+\206\110\206\367\015\001\011\001\026\024\167\145\142\155\141\163
+\164\145\162\100\142\145\154\163\151\147\156\056\142\145
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\273\061\013\060\011\006\003\125\004\006\023\002\102\105
+\061\021\060\017\006\003\125\004\007\023\010\102\162\165\163\163
+\145\154\163\061\023\060\021\006\003\125\004\012\023\012\102\145
+\154\123\151\147\156\040\116\126\061\070\060\066\006\003\125\004
+\013\023\057\102\145\154\123\151\147\156\040\117\142\152\145\143
+\164\040\120\165\142\154\151\163\150\151\156\147\040\103\145\162
+\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151
+\164\171\061\045\060\043\006\003\125\004\003\023\034\102\145\154
+\123\151\147\156\040\117\142\152\145\143\164\040\120\165\142\154
+\151\163\150\151\156\147\040\103\101\061\043\060\041\006\011\052
+\206\110\206\367\015\001\011\001\026\024\167\145\142\155\141\163
+\164\145\162\100\142\145\154\163\151\147\156\056\142\145
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\003\060\202\002\154\240\003\002\001\002\002\001\001
+\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
+\201\273\061\013\060\011\006\003\125\004\006\023\002\102\105\061
+\021\060\017\006\003\125\004\007\023\010\102\162\165\163\163\145
+\154\163\061\023\060\021\006\003\125\004\012\023\012\102\145\154
+\123\151\147\156\040\116\126\061\070\060\066\006\003\125\004\013
+\023\057\102\145\154\123\151\147\156\040\117\142\152\145\143\164
+\040\120\165\142\154\151\163\150\151\156\147\040\103\145\162\164
+\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164
+\171\061\045\060\043\006\003\125\004\003\023\034\102\145\154\123
+\151\147\156\040\117\142\152\145\143\164\040\120\165\142\154\151
+\163\150\151\156\147\040\103\101\061\043\060\041\006\011\052\206
+\110\206\367\015\001\011\001\026\024\167\145\142\155\141\163\164
+\145\162\100\142\145\154\163\151\147\156\056\142\145\060\036\027
+\015\071\067\060\071\061\071\062\062\060\063\060\060\132\027\015
+\060\067\060\071\061\071\062\062\060\063\060\060\132\060\201\273
+\061\013\060\011\006\003\125\004\006\023\002\102\105\061\021\060
+\017\006\003\125\004\007\023\010\102\162\165\163\163\145\154\163
+\061\023\060\021\006\003\125\004\012\023\012\102\145\154\123\151
+\147\156\040\116\126\061\070\060\066\006\003\125\004\013\023\057
+\102\145\154\123\151\147\156\040\117\142\152\145\143\164\040\120
+\165\142\154\151\163\150\151\156\147\040\103\145\162\164\151\146
+\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171\061
+\045\060\043\006\003\125\004\003\023\034\102\145\154\123\151\147
+\156\040\117\142\152\145\143\164\040\120\165\142\154\151\163\150
+\151\156\147\040\103\101\061\043\060\041\006\011\052\206\110\206
+\367\015\001\011\001\026\024\167\145\142\155\141\163\164\145\162
+\100\142\145\154\163\151\147\156\056\142\145\060\201\237\060\015
+\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215
+\000\060\201\211\002\201\201\000\304\056\037\266\277\356\202\100
+\335\371\267\056\101\325\236\005\261\132\320\046\174\142\125\003
+\233\374\313\141\336\113\357\376\350\231\376\207\271\210\317\220
+\332\017\011\074\166\337\027\227\266\313\077\045\105\375\264\274
+\130\000\276\260\132\266\024\207\217\356\147\144\255\035\210\203
+\273\147\237\145\141\000\130\010\200\120\237\200\311\061\366\052
+\220\034\055\367\112\154\020\366\043\103\135\070\011\140\210\127
+\002\315\026\154\030\374\315\373\222\052\167\320\236\223\243\135
+\210\144\320\310\370\135\124\121\002\003\001\000\001\243\025\060
+\023\060\021\006\011\140\206\110\001\206\370\102\001\001\004\004
+\003\002\000\007\060\015\006\011\052\206\110\206\367\015\001\001
+\004\005\000\003\201\201\000\143\166\027\174\226\360\123\245\135
+\001\034\123\316\051\302\176\165\254\114\015\242\010\163\264\152
+\061\375\002\006\024\231\334\124\004\244\277\310\226\206\237\061
+\103\062\045\127\366\205\366\045\273\067\276\241\171\043\311\127
+\006\045\161\153\105\117\370\364\002\100\026\202\042\257\124\352
+\062\050\366\015\356\231\272\113\010\121\017\156\206\043\041\114
+\055\045\210\201\304\056\016\361\023\054\070\212\225\002\044\303
+\072\225\143\344\223\216\110\273\010\107\162\137\256\346\072\132
+\107\326\161\306\236\232\122
+END
+
+# Trust for Certificate "BelSign Object Publishing CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "BelSign Object Publishing CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\373\224\125\030\075\227\133\343\150\140\204\227\152\247\052\201
+\125\173\201\051
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\212\002\370\337\270\341\204\237\132\302\140\044\145\321\163\373
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\273\061\013\060\011\006\003\125\004\006\023\002\102\105
+\061\021\060\017\006\003\125\004\007\023\010\102\162\165\163\163
+\145\154\163\061\023\060\021\006\003\125\004\012\023\012\102\145
+\154\123\151\147\156\040\116\126\061\070\060\066\006\003\125\004
+\013\023\057\102\145\154\123\151\147\156\040\117\142\152\145\143
+\164\040\120\165\142\154\151\163\150\151\156\147\040\103\145\162
+\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151
+\164\171\061\045\060\043\006\003\125\004\003\023\034\102\145\154
+\123\151\147\156\040\117\142\152\145\143\164\040\120\165\142\154
+\151\163\150\151\156\147\040\103\101\061\043\060\041\006\011\052
+\206\110\206\367\015\001\011\001\026\024\167\145\142\155\141\163
+\164\145\162\100\142\145\154\163\151\147\156\056\142\145
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "BelSign Secure Server CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "BelSign Secure Server CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\263\061\013\060\011\006\003\125\004\006\023\002\102\105
+\061\021\060\017\006\003\125\004\007\023\010\102\162\165\163\163
+\145\154\163\061\023\060\021\006\003\125\004\012\023\012\102\145
+\154\123\151\147\156\040\116\126\061\064\060\062\006\003\125\004
+\013\023\053\102\145\154\123\151\147\156\040\123\145\143\165\162
+\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146\151
+\143\141\164\145\040\101\165\164\150\157\162\151\164\171\061\041
+\060\037\006\003\125\004\003\023\030\102\145\154\123\151\147\156
+\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
+\101\061\043\060\041\006\011\052\206\110\206\367\015\001\011\001
+\026\024\167\145\142\155\141\163\164\145\162\100\142\145\154\163
+\151\147\156\056\142\145
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\263\061\013\060\011\006\003\125\004\006\023\002\102\105
+\061\021\060\017\006\003\125\004\007\023\010\102\162\165\163\163
+\145\154\163\061\023\060\021\006\003\125\004\012\023\012\102\145
+\154\123\151\147\156\040\116\126\061\064\060\062\006\003\125\004
+\013\023\053\102\145\154\123\151\147\156\040\123\145\143\165\162
+\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146\151
+\143\141\164\145\040\101\165\164\150\157\162\151\164\171\061\041
+\060\037\006\003\125\004\003\023\030\102\145\154\123\151\147\156
+\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
+\101\061\043\060\041\006\011\052\206\110\206\367\015\001\011\001
+\026\024\167\145\142\155\141\163\164\145\162\100\142\145\154\163
+\151\147\156\056\142\145
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\363\060\202\002\134\240\003\002\001\002\002\001\001
+\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
+\201\263\061\013\060\011\006\003\125\004\006\023\002\102\105\061
+\021\060\017\006\003\125\004\007\023\010\102\162\165\163\163\145
+\154\163\061\023\060\021\006\003\125\004\012\023\012\102\145\154
+\123\151\147\156\040\116\126\061\064\060\062\006\003\125\004\013
+\023\053\102\145\154\123\151\147\156\040\123\145\143\165\162\145
+\040\123\145\162\166\145\162\040\103\145\162\164\151\146\151\143
+\141\164\145\040\101\165\164\150\157\162\151\164\171\061\041\060
+\037\006\003\125\004\003\023\030\102\145\154\123\151\147\156\040
+\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103\101
+\061\043\060\041\006\011\052\206\110\206\367\015\001\011\001\026
+\024\167\145\142\155\141\163\164\145\162\100\142\145\154\163\151
+\147\156\056\142\145\060\036\027\015\071\067\060\067\061\066\062
+\062\060\060\065\064\132\027\015\060\067\060\067\061\066\062\062
+\060\060\065\064\132\060\201\263\061\013\060\011\006\003\125\004
+\006\023\002\102\105\061\021\060\017\006\003\125\004\007\023\010
+\102\162\165\163\163\145\154\163\061\023\060\021\006\003\125\004
+\012\023\012\102\145\154\123\151\147\156\040\116\126\061\064\060
+\062\006\003\125\004\013\023\053\102\145\154\123\151\147\156\040
+\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103\145
+\162\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162
+\151\164\171\061\041\060\037\006\003\125\004\003\023\030\102\145
+\154\123\151\147\156\040\123\145\143\165\162\145\040\123\145\162
+\166\145\162\040\103\101\061\043\060\041\006\011\052\206\110\206
+\367\015\001\011\001\026\024\167\145\142\155\141\163\164\145\162
+\100\142\145\154\163\151\147\156\056\142\145\060\201\237\060\015
+\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215
+\000\060\201\211\002\201\201\000\326\001\022\170\222\370\004\102
+\177\311\307\042\203\374\174\107\160\060\053\111\013\076\066\100
+\220\050\332\041\163\203\123\362\304\321\026\100\300\123\377\256
+\246\306\044\263\047\155\245\263\075\071\167\135\250\006\366\346
+\351\274\143\021\116\006\145\160\012\235\223\371\242\100\213\177
+\112\204\016\215\026\261\326\314\010\144\022\014\340\050\113\310
+\245\204\220\027\373\021\106\056\326\247\205\030\313\030\256\143
+\232\260\130\006\364\000\317\370\304\011\032\065\014\241\371\356
+\112\375\155\336\376\046\245\073\002\003\001\000\001\243\025\060
+\023\060\021\006\011\140\206\110\001\206\370\102\001\001\004\004
+\003\002\000\240\060\015\006\011\052\206\110\206\367\015\001\001
+\004\005\000\003\201\201\000\154\075\231\303\005\342\035\312\345
+\055\252\150\205\213\100\061\040\146\023\150\346\130\072\211\320
+\215\165\262\305\142\330\175\202\217\367\331\062\201\167\366\065
+\133\205\051\316\147\262\271\274\053\031\170\317\363\207\375\106
+\361\225\165\262\011\127\003\060\301\172\315\162\107\161\200\312
+\175\235\311\145\074\107\021\042\175\372\007\013\050\170\241\223
+\350\005\105\110\342\062\062\112\075\350\123\034\020\267\307\163
+\214\007\120\341\371\311\053\123\101\365\203\215\345\011\071\112
+\216\003\142\252\100\143\213
+END
+
+# Trust for Certificate "BelSign Secure Server CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "BelSign Secure Server CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\302\305\265\376\203\144\370\243\156\170\035\174\025\010\174\350
+\205\241\206\230
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\075\136\202\306\331\255\331\213\223\153\014\020\271\111\012\261
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\263\061\013\060\011\006\003\125\004\006\023\002\102\105
+\061\021\060\017\006\003\125\004\007\023\010\102\162\165\163\163
+\145\154\163\061\023\060\021\006\003\125\004\012\023\012\102\145
+\154\123\151\147\156\040\116\126\061\064\060\062\006\003\125\004
+\013\023\053\102\145\154\123\151\147\156\040\123\145\143\165\162
+\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146\151
+\143\141\164\145\040\101\165\164\150\157\162\151\164\171\061\041
+\060\037\006\003\125\004\003\023\030\102\145\154\123\151\147\156
+\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
+\101\061\043\060\041\006\011\052\206\110\206\367\015\001\011\001
+\026\024\167\145\142\155\141\163\164\145\162\100\142\145\154\163
+\151\147\156\056\142\145
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+
+#
+# Certificate "TC TrustCenter, Germany, Class 0 CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TC TrustCenter, Germany, Class 0 CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
+\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
+\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
+\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
+\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
+\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
+\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
+\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
+\060\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
+\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
+\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
+\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
+\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
+\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
+\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
+\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
+\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
+\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
+\060\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
+\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
+\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\065\060\202\003\236\240\003\002\001\002\002\001\001
+\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
+\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061
+\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162
+\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142
+\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103
+\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162
+\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164
+\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061
+\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165
+\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\060
+\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001
+\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100
+\164\162\165\163\164\143\145\156\164\145\162\056\144\145\060\036
+\027\015\071\070\060\063\060\071\061\063\065\064\064\070\132\027
+\015\060\065\061\062\063\061\061\063\065\064\064\070\132\060\201
+\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061\020
+\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162\147
+\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142\165
+\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103\040
+\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162\040
+\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164\141
+\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061\042
+\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165\163
+\164\103\145\156\164\145\162\040\103\154\141\163\163\040\060\040
+\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001\011
+\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100\164
+\162\165\163\164\143\145\156\164\145\162\056\144\145\060\201\237
+\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
+\201\215\000\060\201\211\002\201\201\000\337\175\346\276\277\325
+\360\057\155\116\016\321\340\215\013\177\073\124\350\212\342\260
+\237\050\305\212\306\271\263\063\047\365\047\312\032\114\124\022
+\153\264\262\106\263\035\113\263\364\041\013\113\002\056\241\302
+\064\234\205\240\304\170\021\333\333\153\047\053\011\052\030\116
+\100\314\237\161\031\147\231\164\242\174\077\301\330\213\043\310
+\143\073\212\041\253\134\336\036\364\215\334\264\030\303\005\163
+\364\152\264\241\372\001\010\053\001\017\155\067\133\252\070\206
+\147\071\327\345\137\372\344\176\314\243\002\003\001\000\001\243
+\202\001\103\060\202\001\077\060\100\006\011\140\206\110\001\206
+\370\102\001\003\004\063\026\061\150\164\164\160\163\072\057\057
+\167\167\167\056\164\162\165\163\164\143\145\156\164\145\162\056
+\144\145\057\143\147\151\055\142\151\156\057\143\150\145\143\153
+\055\162\145\166\056\143\147\151\077\060\100\006\011\140\206\110
+\001\206\370\102\001\004\004\063\026\061\150\164\164\160\163\072
+\057\057\167\167\167\056\164\162\165\163\164\143\145\156\164\145
+\162\056\144\145\057\143\147\151\055\142\151\156\057\143\150\145
+\143\153\055\162\145\166\056\143\147\151\077\060\074\006\011\140
+\206\110\001\206\370\102\001\007\004\057\026\055\150\164\164\160
+\163\072\057\057\167\167\167\056\164\162\165\163\164\143\145\156
+\164\145\162\056\144\145\057\143\147\151\055\142\151\156\057\122
+\145\156\145\167\056\143\147\151\077\060\076\006\011\140\206\110
+\001\206\370\102\001\010\004\061\026\057\150\164\164\160\072\057
+\057\167\167\167\056\164\162\165\163\164\143\145\156\164\145\162
+\056\144\145\057\147\165\151\144\145\154\151\156\145\163\057\151
+\156\144\145\170\056\150\164\155\154\060\050\006\011\140\206\110
+\001\206\370\102\001\015\004\033\026\031\124\103\040\124\162\165
+\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\060
+\040\103\101\060\021\006\011\140\206\110\001\206\370\102\001\001
+\004\004\003\002\000\007\060\015\006\011\052\206\110\206\367\015
+\001\001\004\005\000\003\201\201\000\115\007\177\137\011\060\031
+\222\252\005\107\172\224\165\124\052\256\317\374\330\014\102\341
+\105\070\053\044\225\262\312\207\312\171\304\303\227\220\136\142
+\030\306\311\070\141\114\150\065\323\114\024\021\353\304\315\241
+\251\330\305\236\150\047\062\007\065\105\004\370\137\041\240\140
+\036\034\000\110\004\130\322\305\313\256\155\062\156\075\167\225
+\214\205\307\345\256\120\235\165\112\173\377\013\047\171\352\115
+\244\131\377\354\132\352\046\245\071\203\244\321\170\316\247\251
+\176\274\335\053\312\022\223\003\112
+END
+
+# Trust for Certificate "TC TrustCenter, Germany, Class 0 CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TC TrustCenter, Germany, Class 0 CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\104\201\247\326\311\104\165\204\317\355\212\107\311\256\152\360
+\036\071\165\030
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\065\205\111\216\156\127\376\275\227\361\311\106\043\072\266\175
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
+\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
+\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
+\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
+\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
+\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
+\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
+\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
+\060\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
+\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
+\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "TC TrustCenter, Germany, Class 1 CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TC TrustCenter, Germany, Class 1 CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
+\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
+\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
+\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
+\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
+\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
+\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
+\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
+\061\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
+\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
+\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
+\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
+\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
+\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
+\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
+\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
+\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
+\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
+\061\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
+\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
+\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\065\060\202\003\236\240\003\002\001\002\002\001\002
+\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
+\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061
+\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162
+\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142
+\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103
+\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162
+\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164
+\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061
+\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165
+\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\061
+\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001
+\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100
+\164\162\165\163\164\143\145\156\164\145\162\056\144\145\060\036
+\027\015\071\070\060\063\060\071\061\063\065\066\063\063\132\027
+\015\060\065\061\062\063\061\061\063\065\066\063\063\132\060\201
+\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061\020
+\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162\147
+\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142\165
+\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103\040
+\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162\040
+\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164\141
+\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061\042
+\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165\163
+\164\103\145\156\164\145\162\040\103\154\141\163\163\040\061\040
+\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001\011
+\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100\164
+\162\165\163\164\143\145\156\164\145\162\056\144\145\060\201\237
+\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
+\201\215\000\060\201\211\002\201\201\000\260\051\353\264\166\263
+\256\327\266\133\264\136\347\275\343\261\234\111\004\127\133\241
+\253\331\177\023\033\375\272\141\253\330\347\161\337\055\000\224
+\135\121\110\175\043\357\165\142\204\220\074\012\037\131\021\164
+\057\216\200\245\375\060\002\075\051\122\315\162\032\111\041\234
+\274\313\122\216\110\241\143\226\310\020\205\060\151\127\164\105
+\300\132\206\306\325\075\340\150\127\175\061\152\044\215\105\227
+\076\061\176\150\146\062\156\044\155\354\062\066\311\101\312\360
+\061\104\310\243\141\312\033\240\066\037\002\003\001\000\001\243
+\202\001\103\060\202\001\077\060\100\006\011\140\206\110\001\206
+\370\102\001\003\004\063\026\061\150\164\164\160\163\072\057\057
+\167\167\167\056\164\162\165\163\164\143\145\156\164\145\162\056
+\144\145\057\143\147\151\055\142\151\156\057\143\150\145\143\153
+\055\162\145\166\056\143\147\151\077\060\100\006\011\140\206\110
+\001\206\370\102\001\004\004\063\026\061\150\164\164\160\163\072
+\057\057\167\167\167\056\164\162\165\163\164\143\145\156\164\145
+\162\056\144\145\057\143\147\151\055\142\151\156\057\143\150\145
+\143\153\055\162\145\166\056\143\147\151\077\060\074\006\011\140
+\206\110\001\206\370\102\001\007\004\057\026\055\150\164\164\160
+\163\072\057\057\167\167\167\056\164\162\165\163\164\143\145\156
+\164\145\162\056\144\145\057\143\147\151\055\142\151\156\057\122
+\145\156\145\167\056\143\147\151\077\060\076\006\011\140\206\110
+\001\206\370\102\001\010\004\061\026\057\150\164\164\160\072\057
+\057\167\167\167\056\164\162\165\163\164\143\145\156\164\145\162
+\056\144\145\057\147\165\151\144\145\154\151\156\145\163\057\151
+\156\144\145\170\056\150\164\155\154\060\050\006\011\140\206\110
+\001\206\370\102\001\015\004\033\026\031\124\103\040\124\162\165
+\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\061
+\040\103\101\060\021\006\011\140\206\110\001\206\370\102\001\001
+\004\004\003\002\000\007\060\015\006\011\052\206\110\206\367\015
+\001\001\004\005\000\003\201\201\000\005\102\122\046\244\014\047
+\001\104\254\134\045\050\302\104\102\124\010\271\035\305\076\154
+\131\146\304\263\116\120\247\370\370\226\165\241\226\165\350\026
+\070\240\315\135\156\372\171\247\033\173\035\036\303\000\271\146
+\276\132\326\142\017\347\362\173\270\357\114\340\300\077\131\256
+\071\267\204\011\236\253\361\251\056\153\151\342\255\314\362\352
+\170\011\005\040\070\102\161\030\176\307\262\227\346\325\002\005
+\006\126\243\137\361\252\302\304\117\376\367\357\026\017\235\354
+\252\205\317\075\051\044\361\004\315
+END
+
+# Trust for Certificate "TC TrustCenter, Germany, Class 1 CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TC TrustCenter, Germany, Class 1 CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\332\300\131\013\015\224\374\025\327\025\056\266\171\160\003\133
+\215\271\365\053
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\144\077\370\076\122\024\112\131\272\223\126\004\013\043\002\321
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
+\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
+\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
+\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
+\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
+\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
+\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
+\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
+\061\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
+\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
+\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+
+#
+# Certificate "TC TrustCenter, Germany, Class 2 CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TC TrustCenter, Germany, Class 2 CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
+\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
+\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
+\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
+\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
+\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
+\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
+\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
+\062\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
+\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
+\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
+\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
+\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
+\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
+\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
+\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
+\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
+\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
+\062\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
+\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
+\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\003
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\065\060\202\003\236\240\003\002\001\002\002\001\003
+\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
+\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061
+\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162
+\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142
+\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103
+\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162
+\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164
+\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061
+\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165
+\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\062
+\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001
+\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100
+\164\162\165\163\164\143\145\156\164\145\162\056\144\145\060\036
+\027\015\071\070\060\063\060\071\061\063\065\067\064\064\132\027
+\015\060\065\061\062\063\061\061\063\065\067\064\064\132\060\201
+\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061\020
+\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162\147
+\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142\165
+\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103\040
+\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162\040
+\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164\141
+\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061\042
+\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165\163
+\164\103\145\156\164\145\162\040\103\154\141\163\163\040\062\040
+\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001\011
+\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100\164
+\162\165\163\164\143\145\156\164\145\162\056\144\145\060\201\237
+\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
+\201\215\000\060\201\211\002\201\201\000\332\070\350\355\062\000
+\051\161\203\001\015\277\214\001\334\332\306\255\071\244\251\212
+\057\325\213\134\150\137\120\306\142\365\146\275\312\221\042\354
+\252\035\121\327\075\263\121\262\203\116\135\313\111\260\360\114
+\125\345\153\055\307\205\013\060\034\222\116\202\324\312\002\355
+\367\157\276\334\340\343\024\270\005\123\362\232\364\126\213\132
+\236\205\223\321\264\202\126\256\115\273\250\113\127\026\274\376
+\370\130\236\370\051\215\260\173\315\170\311\117\254\213\147\014
+\361\234\373\374\127\233\127\134\117\015\002\003\001\000\001\243
+\202\001\103\060\202\001\077\060\100\006\011\140\206\110\001\206
+\370\102\001\003\004\063\026\061\150\164\164\160\163\072\057\057
+\167\167\167\056\164\162\165\163\164\143\145\156\164\145\162\056
+\144\145\057\143\147\151\055\142\151\156\057\143\150\145\143\153
+\055\162\145\166\056\143\147\151\077\060\100\006\011\140\206\110
+\001\206\370\102\001\004\004\063\026\061\150\164\164\160\163\072
+\057\057\167\167\167\056\164\162\165\163\164\143\145\156\164\145
+\162\056\144\145\057\143\147\151\055\142\151\156\057\143\150\145
+\143\153\055\162\145\166\056\143\147\151\077\060\074\006\011\140
+\206\110\001\206\370\102\001\007\004\057\026\055\150\164\164\160
+\163\072\057\057\167\167\167\056\164\162\165\163\164\143\145\156
+\164\145\162\056\144\145\057\143\147\151\055\142\151\156\057\122
+\145\156\145\167\056\143\147\151\077\060\076\006\011\140\206\110
+\001\206\370\102\001\010\004\061\026\057\150\164\164\160\072\057
+\057\167\167\167\056\164\162\165\163\164\143\145\156\164\145\162
+\056\144\145\057\147\165\151\144\145\154\151\156\145\163\057\151
+\156\144\145\170\056\150\164\155\154\060\050\006\011\140\206\110
+\001\206\370\102\001\015\004\033\026\031\124\103\040\124\162\165
+\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\062
+\040\103\101\060\021\006\011\140\206\110\001\206\370\102\001\001
+\004\004\003\002\000\007\060\015\006\011\052\206\110\206\367\015
+\001\001\004\005\000\003\201\201\000\211\033\364\357\351\070\342
+\154\014\366\315\157\111\316\051\314\373\246\017\371\215\076\225
+\106\326\374\107\062\211\262\310\006\141\172\322\347\015\023\002
+\224\013\331\213\126\107\364\273\347\305\137\173\364\143\114\256
+\174\064\352\015\242\251\263\054\205\363\343\376\047\124\020\222
+\260\217\222\301\230\102\030\160\110\333\116\054\353\015\044\150
+\344\321\367\276\011\251\051\207\273\350\332\334\076\243\210\102
+\061\365\321\343\177\256\330\216\000\132\164\230\260\117\306\377
+\043\173\134\163\000\170\311\333\116
+END
+
+# Trust for Certificate "TC TrustCenter, Germany, Class 2 CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TC TrustCenter, Germany, Class 2 CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\312\135\207\155\025\113\162\350\014\357\331\346\353\234\366\215
+\002\037\253\354
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\341\351\226\123\167\341\360\070\240\002\253\224\306\225\173\374
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
+\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
+\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
+\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
+\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
+\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
+\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
+\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
+\061\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
+\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
+\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "TC TrustCenter, Germany, Class 3 CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TC TrustCenter, Germany, Class 3 CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
+\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
+\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
+\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
+\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
+\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
+\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
+\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
+\063\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
+\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
+\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
+\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
+\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
+\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
+\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
+\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
+\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
+\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
+\063\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
+\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
+\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\004
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\065\060\202\003\236\240\003\002\001\002\002\001\004
+\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
+\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061
+\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162
+\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142
+\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103
+\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162
+\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164
+\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061
+\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165
+\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\063
+\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001
+\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100
+\164\162\165\163\164\143\145\156\164\145\162\056\144\145\060\036
+\027\015\071\070\060\063\060\071\061\063\065\070\064\071\132\027
+\015\060\065\061\062\063\061\061\063\065\070\064\071\132\060\201
+\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061\020
+\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162\147
+\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142\165
+\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103\040
+\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162\040
+\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164\141
+\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061\042
+\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165\163
+\164\103\145\156\164\145\162\040\103\154\141\163\163\040\063\040
+\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001\011
+\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100\164
+\162\165\163\164\143\145\156\164\145\162\056\144\145\060\201\237
+\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
+\201\215\000\060\201\211\002\201\201\000\266\264\301\065\005\056
+\015\215\354\240\100\152\034\016\047\246\120\222\153\120\033\007
+\336\056\347\166\314\340\332\374\204\250\136\214\143\152\053\115
+\331\116\002\166\021\301\013\362\215\171\312\000\266\361\260\016
+\327\373\244\027\075\257\253\151\172\226\047\277\257\063\241\232
+\052\131\252\304\265\067\010\362\022\245\061\266\103\365\062\226
+\161\050\050\253\215\050\206\337\273\356\343\014\175\060\326\303
+\122\253\217\135\047\234\153\300\243\347\005\153\127\111\104\263
+\156\352\144\317\322\216\172\120\167\167\002\003\001\000\001\243
+\202\001\103\060\202\001\077\060\100\006\011\140\206\110\001\206
+\370\102\001\003\004\063\026\061\150\164\164\160\163\072\057\057
+\167\167\167\056\164\162\165\163\164\143\145\156\164\145\162\056
+\144\145\057\143\147\151\055\142\151\156\057\143\150\145\143\153
+\055\162\145\166\056\143\147\151\077\060\100\006\011\140\206\110
+\001\206\370\102\001\004\004\063\026\061\150\164\164\160\163\072
+\057\057\167\167\167\056\164\162\165\163\164\143\145\156\164\145
+\162\056\144\145\057\143\147\151\055\142\151\156\057\143\150\145
+\143\153\055\162\145\166\056\143\147\151\077\060\074\006\011\140
+\206\110\001\206\370\102\001\007\004\057\026\055\150\164\164\160
+\163\072\057\057\167\167\167\056\164\162\165\163\164\143\145\156
+\164\145\162\056\144\145\057\143\147\151\055\142\151\156\057\122
+\145\156\145\167\056\143\147\151\077\060\076\006\011\140\206\110
+\001\206\370\102\001\010\004\061\026\057\150\164\164\160\072\057
+\057\167\167\167\056\164\162\165\163\164\143\145\156\164\145\162
+\056\144\145\057\147\165\151\144\145\154\151\156\145\163\057\151
+\156\144\145\170\056\150\164\155\154\060\050\006\011\140\206\110
+\001\206\370\102\001\015\004\033\026\031\124\103\040\124\162\165
+\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\063
+\040\103\101\060\021\006\011\140\206\110\001\206\370\102\001\001
+\004\004\003\002\000\007\060\015\006\011\052\206\110\206\367\015
+\001\001\004\005\000\003\201\201\000\204\206\120\142\171\240\047
+\341\045\272\011\261\064\017\023\011\355\055\312\243\346\225\371
+\060\254\315\027\245\316\075\227\235\354\174\217\046\177\300\141
+\312\042\367\221\335\074\066\131\232\233\165\367\274\344\310\355
+\354\002\266\042\247\363\054\361\310\222\170\155\266\356\305\050
+\354\200\040\117\271\153\010\347\057\247\206\036\175\261\010\237
+\124\271\000\067\074\240\330\032\310\226\034\364\062\024\234\071
+\225\267\356\360\103\111\302\136\350\313\171\157\123\277\373\111
+\212\054\330\113\331\125\362\022\160
+END
+
+# Trust for Certificate "TC TrustCenter, Germany, Class 3 CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TC TrustCenter, Germany, Class 3 CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\227\057\340\037\171\136\221\210\026\371\201\161\176\162\355\040
+\241\377\020\143
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\142\253\266\025\112\264\260\026\167\377\256\317\026\026\053\214
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
+\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
+\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
+\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
+\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
+\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
+\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
+\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
+\063\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
+\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
+\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\004
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "TC TrustCenter, Germany, Class 4 CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TC TrustCenter, Germany, Class 4 CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
+\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
+\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
+\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
+\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
+\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
+\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
+\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
+\064\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
+\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
+\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
+\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
+\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
+\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
+\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
+\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
+\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
+\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
+\064\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
+\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
+\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\005
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\065\060\202\003\236\240\003\002\001\002\002\001\005
+\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
+\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061
+\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162
+\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142
+\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103
+\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162
+\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164
+\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061
+\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165
+\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\064
+\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001
+\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100
+\164\162\165\163\164\143\145\156\164\145\162\056\144\145\060\036
+\027\015\071\070\060\063\060\071\061\064\060\060\062\060\132\027
+\015\060\065\061\062\063\061\061\064\060\060\062\060\132\060\201
+\274\061\013\060\011\006\003\125\004\006\023\002\104\105\061\020
+\060\016\006\003\125\004\010\023\007\110\141\155\142\165\162\147
+\061\020\060\016\006\003\125\004\007\023\007\110\141\155\142\165
+\162\147\061\072\060\070\006\003\125\004\012\023\061\124\103\040
+\124\162\165\163\164\103\145\156\164\145\162\040\146\157\162\040
+\123\145\143\165\162\151\164\171\040\151\156\040\104\141\164\141
+\040\116\145\164\167\157\162\153\163\040\107\155\142\110\061\042
+\060\040\006\003\125\004\013\023\031\124\103\040\124\162\165\163
+\164\103\145\156\164\145\162\040\103\154\141\163\163\040\064\040
+\103\101\061\051\060\047\006\011\052\206\110\206\367\015\001\011
+\001\026\032\143\145\162\164\151\146\151\143\141\164\145\100\164
+\162\165\163\164\143\145\156\164\145\162\056\144\145\060\201\237
+\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
+\201\215\000\060\201\211\002\201\201\000\277\057\143\326\066\173
+\262\015\323\125\365\144\154\346\045\135\306\264\310\024\272\045
+\070\203\353\126\142\245\125\251\145\243\364\043\231\302\113\271
+\320\315\124\147\246\243\240\243\251\063\053\166\344\275\255\167
+\262\355\134\022\164\303\305\266\017\122\232\162\223\103\220\142
+\146\025\017\105\245\335\340\335\270\157\100\156\127\301\171\162
+\243\140\252\272\166\035\022\211\123\132\374\002\276\341\011\023
+\305\112\057\334\075\213\031\255\327\213\044\105\373\114\364\315
+\134\065\035\051\114\121\363\362\154\125\002\003\001\000\001\243
+\202\001\103\060\202\001\077\060\100\006\011\140\206\110\001\206
+\370\102\001\003\004\063\026\061\150\164\164\160\163\072\057\057
+\167\167\167\056\164\162\165\163\164\143\145\156\164\145\162\056
+\144\145\057\143\147\151\055\142\151\156\057\143\150\145\143\153
+\055\162\145\166\056\143\147\151\077\060\100\006\011\140\206\110
+\001\206\370\102\001\004\004\063\026\061\150\164\164\160\163\072
+\057\057\167\167\167\056\164\162\165\163\164\143\145\156\164\145
+\162\056\144\145\057\143\147\151\055\142\151\156\057\143\150\145
+\143\153\055\162\145\166\056\143\147\151\077\060\074\006\011\140
+\206\110\001\206\370\102\001\007\004\057\026\055\150\164\164\160
+\163\072\057\057\167\167\167\056\164\162\165\163\164\143\145\156
+\164\145\162\056\144\145\057\143\147\151\055\142\151\156\057\122
+\145\156\145\167\056\143\147\151\077\060\076\006\011\140\206\110
+\001\206\370\102\001\010\004\061\026\057\150\164\164\160\072\057
+\057\167\167\167\056\164\162\165\163\164\143\145\156\164\145\162
+\056\144\145\057\147\165\151\144\145\154\151\156\145\163\057\151
+\156\144\145\170\056\150\164\155\154\060\050\006\011\140\206\110
+\001\206\370\102\001\015\004\033\026\031\124\103\040\124\162\165
+\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040\064
+\040\103\101\060\021\006\011\140\206\110\001\206\370\102\001\001
+\004\004\003\002\000\007\060\015\006\011\052\206\110\206\367\015
+\001\001\004\005\000\003\201\201\000\224\150\024\033\045\236\051
+\231\261\262\043\322\104\263\225\237\321\236\125\004\335\343\057
+\202\063\125\226\167\031\235\053\236\145\034\372\212\343\307\217
+\045\374\261\036\125\106\017\217\377\117\067\057\244\166\131\246
+\144\353\325\026\160\275\335\225\063\014\244\015\044\353\144\120
+\264\103\021\362\103\276\015\161\230\042\354\001\257\354\367\307
+\134\161\303\165\221\130\031\350\335\240\364\264\361\274\020\112
+\363\223\264\006\111\273\037\146\322\275\164\107\341\232\371\353
+\327\253\155\037\272\341\035\054\332
+END
+
+# Trust for Certificate "TC TrustCenter, Germany, Class 4 CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TC TrustCenter, Germany, Class 4 CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\161\162\311\174\001\016\161\014\375\350\321\363\171\263\300\074
+\253\116\274\235
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\277\257\354\304\332\371\060\371\312\065\312\045\344\077\215\211
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\274\061\013\060\011\006\003\125\004\006\023\002\104\105
+\061\020\060\016\006\003\125\004\010\023\007\110\141\155\142\165
+\162\147\061\020\060\016\006\003\125\004\007\023\007\110\141\155
+\142\165\162\147\061\072\060\070\006\003\125\004\012\023\061\124
+\103\040\124\162\165\163\164\103\145\156\164\145\162\040\146\157
+\162\040\123\145\143\165\162\151\164\171\040\151\156\040\104\141
+\164\141\040\116\145\164\167\157\162\153\163\040\107\155\142\110
+\061\042\060\040\006\003\125\004\013\023\031\124\103\040\124\162
+\165\163\164\103\145\156\164\145\162\040\103\154\141\163\163\040
+\064\040\103\101\061\051\060\047\006\011\052\206\110\206\367\015
+\001\011\001\026\032\143\145\162\164\151\146\151\143\141\164\145
+\100\164\162\165\163\164\143\145\156\164\145\162\056\144\145
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\005
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "ABAecom (sub., Am. Bankers Assn.) Root CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "ABAecom (sub., Am. Bankers Assn.) Root CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\211\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\013\060\011\006\003\125\004\010\023\002\104\103\061\023\060
+\021\006\003\125\004\007\023\012\127\141\163\150\151\156\147\164
+\157\156\061\027\060\025\006\003\125\004\012\023\016\101\102\101
+\056\105\103\117\115\054\040\111\116\103\056\061\031\060\027\006
+\003\125\004\003\023\020\101\102\101\056\105\103\117\115\040\122
+\157\157\164\040\103\101\061\044\060\042\006\011\052\206\110\206
+\367\015\001\011\001\026\025\141\144\155\151\156\100\144\151\147
+\163\151\147\164\162\165\163\164\056\143\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\211\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\013\060\011\006\003\125\004\010\023\002\104\103\061\023\060
+\021\006\003\125\004\007\023\012\127\141\163\150\151\156\147\164
+\157\156\061\027\060\025\006\003\125\004\012\023\016\101\102\101
+\056\105\103\117\115\054\040\111\116\103\056\061\031\060\027\006
+\003\125\004\003\023\020\101\102\101\056\105\103\117\115\040\122
+\157\157\164\040\103\101\061\044\060\042\006\011\052\206\110\206
+\367\015\001\011\001\026\025\141\144\155\151\156\100\144\151\147
+\163\151\147\164\162\165\163\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\320\036\100\220\000\000\106\122\000\000\000\001\000\000\000
+\004
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\265\060\202\002\235\240\003\002\001\002\002\021\000
+\320\036\100\220\000\000\106\122\000\000\000\001\000\000\000\004
+\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+\201\211\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\013\060\011\006\003\125\004\010\023\002\104\103\061\023\060\021
+\006\003\125\004\007\023\012\127\141\163\150\151\156\147\164\157
+\156\061\027\060\025\006\003\125\004\012\023\016\101\102\101\056
+\105\103\117\115\054\040\111\116\103\056\061\031\060\027\006\003
+\125\004\003\023\020\101\102\101\056\105\103\117\115\040\122\157
+\157\164\040\103\101\061\044\060\042\006\011\052\206\110\206\367
+\015\001\011\001\026\025\141\144\155\151\156\100\144\151\147\163
+\151\147\164\162\165\163\164\056\143\157\155\060\036\027\015\071
+\071\060\067\061\062\061\067\063\063\065\063\132\027\015\060\071
+\060\067\060\071\061\067\063\063\065\063\132\060\201\211\061\013
+\060\011\006\003\125\004\006\023\002\125\123\061\013\060\011\006
+\003\125\004\010\023\002\104\103\061\023\060\021\006\003\125\004
+\007\023\012\127\141\163\150\151\156\147\164\157\156\061\027\060
+\025\006\003\125\004\012\023\016\101\102\101\056\105\103\117\115
+\054\040\111\116\103\056\061\031\060\027\006\003\125\004\003\023
+\020\101\102\101\056\105\103\117\115\040\122\157\157\164\040\103
+\101\061\044\060\042\006\011\052\206\110\206\367\015\001\011\001
+\026\025\141\144\155\151\156\100\144\151\147\163\151\147\164\162
+\165\163\164\056\143\157\155\060\202\001\042\060\015\006\011\052
+\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060
+\202\001\012\002\202\001\001\000\261\323\021\340\171\125\103\007
+\010\114\313\005\102\000\342\015\203\106\075\344\223\272\266\006
+\323\015\131\275\076\301\316\103\147\001\212\041\250\357\274\314
+\320\242\314\260\125\226\123\204\146\005\000\332\104\111\200\330
+\124\012\245\045\206\224\355\143\126\377\160\154\243\241\031\322
+\170\276\150\052\104\136\057\317\314\030\136\107\274\072\261\106
+\075\036\360\271\054\064\137\214\174\114\010\051\235\100\125\353
+\074\175\203\336\265\360\367\212\203\016\241\114\264\072\245\263
+\137\132\042\227\354\031\233\301\005\150\375\346\267\251\221\224
+\054\344\170\110\044\032\045\031\072\353\225\234\071\012\212\317
+\102\262\360\034\325\137\373\153\355\150\126\173\071\054\162\070
+\260\356\223\251\323\173\167\074\353\161\003\251\070\112\026\154
+\211\052\312\332\063\023\171\302\125\214\355\234\273\362\313\133
+\020\370\056\141\065\306\051\114\052\320\052\143\321\145\131\264
+\370\315\371\364\000\204\266\127\102\205\235\062\250\371\052\124
+\373\377\170\101\274\275\161\050\364\273\220\274\377\226\064\004
+\343\105\236\241\106\050\100\201\002\003\001\000\001\243\026\060
+\024\060\022\006\003\125\035\023\001\001\377\004\010\060\006\001
+\001\377\002\001\010\060\015\006\011\052\206\110\206\367\015\001
+\001\005\005\000\003\202\001\001\000\004\157\045\206\344\346\226
+\047\264\331\102\300\320\311\000\261\177\124\076\207\262\155\044
+\251\057\012\176\375\244\104\260\370\124\007\275\033\235\235\312
+\173\120\044\173\021\133\111\243\246\277\022\164\325\211\267\267
+\057\230\144\045\024\267\141\351\177\140\200\153\323\144\350\253
+\275\032\326\121\372\300\264\135\167\032\177\144\010\136\171\306
+\005\114\361\172\335\115\175\316\346\110\173\124\322\141\222\201
+\326\033\326\000\360\016\236\050\167\240\115\210\307\042\166\031
+\303\307\236\033\246\167\170\370\137\233\126\321\360\362\027\254
+\216\235\131\346\037\376\127\266\331\136\341\135\237\105\354\141
+\150\031\101\341\262\040\046\376\132\060\166\044\377\100\162\074
+\171\237\174\042\110\253\106\315\333\263\206\054\217\277\005\101
+\323\301\343\024\343\101\027\046\320\174\247\161\114\031\350\112
+\017\162\130\061\175\354\140\172\243\042\050\275\031\044\140\077
+\073\207\163\300\153\344\313\256\267\253\045\103\262\125\055\173
+\253\006\016\165\135\064\345\135\163\155\236\262\165\100\245\131
+\311\117\061\161\210\331\210\177\124
+END
+
+# Trust for Certificate "ABAecom (sub., Am. Bankers Assn.) Root CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "ABAecom (sub., Am. Bankers Assn.) Root CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\172\164\101\017\260\315\134\227\052\066\113\161\277\003\035\210
+\246\121\016\236
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\101\270\007\367\250\321\011\356\264\232\216\160\115\374\033\170
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\211\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\013\060\011\006\003\125\004\010\023\002\104\103\061\023\060
+\021\006\003\125\004\007\023\012\127\141\163\150\151\156\147\164
+\157\156\061\027\060\025\006\003\125\004\012\023\016\101\102\101
+\056\105\103\117\115\054\040\111\116\103\056\061\031\060\027\006
+\003\125\004\003\023\020\101\102\101\056\105\103\117\115\040\122
+\157\157\164\040\103\101\061\044\060\042\006\011\052\206\110\206
+\367\015\001\011\001\026\025\141\144\155\151\156\100\144\151\147
+\163\151\147\164\162\165\163\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\320\036\100\220\000\000\106\122\000\000\000\001\000\000\000
+\004
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Digital Signature Trust Co. Global CA 1"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Digital Signature Trust Co. Global CA 1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141
+\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
+\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010
+\104\123\124\103\101\040\105\061
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141
+\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
+\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010
+\104\123\124\103\101\040\105\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\066\160\025\226
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\051\060\202\002\222\240\003\002\001\002\002\004\066
+\160\025\226\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\106\061\013\060\011\006\003\125\004\006\023\002\125
+\123\061\044\060\042\006\003\125\004\012\023\033\104\151\147\151
+\164\141\154\040\123\151\147\156\141\164\165\162\145\040\124\162
+\165\163\164\040\103\157\056\061\021\060\017\006\003\125\004\013
+\023\010\104\123\124\103\101\040\105\061\060\036\027\015\071\070
+\061\062\061\060\061\070\061\060\062\063\132\027\015\061\070\061
+\062\061\060\061\070\064\060\062\063\132\060\106\061\013\060\011
+\006\003\125\004\006\023\002\125\123\061\044\060\042\006\003\125
+\004\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156
+\141\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061
+\021\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040
+\105\061\060\201\235\060\015\006\011\052\206\110\206\367\015\001
+\001\001\005\000\003\201\213\000\060\201\207\002\201\201\000\240
+\154\201\251\317\064\036\044\335\376\206\050\314\336\203\057\371
+\136\324\102\322\350\164\140\146\023\230\006\034\251\121\022\151
+\157\061\125\271\111\162\000\010\176\323\245\142\104\067\044\231
+\217\331\203\110\217\231\155\225\023\273\103\073\056\111\116\210
+\067\301\273\130\177\376\341\275\370\273\141\315\363\107\300\231
+\246\361\363\221\350\170\174\000\313\141\311\104\047\161\151\125
+\112\176\111\115\355\242\243\276\002\114\000\312\002\250\356\001
+\002\061\144\017\122\055\023\164\166\066\265\172\264\055\161\002
+\001\003\243\202\001\044\060\202\001\040\060\021\006\011\140\206
+\110\001\206\370\102\001\001\004\004\003\002\000\007\060\150\006
+\003\125\035\037\004\141\060\137\060\135\240\133\240\131\244\127
+\060\125\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141
+\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
+\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010
+\104\123\124\103\101\040\105\061\061\015\060\013\006\003\125\004
+\003\023\004\103\122\114\061\060\053\006\003\125\035\020\004\044
+\060\042\200\017\061\071\071\070\061\062\061\060\061\070\061\060
+\062\063\132\201\017\062\060\061\070\061\062\061\060\061\070\061
+\060\062\063\132\060\013\006\003\125\035\017\004\004\003\002\001
+\006\060\037\006\003\125\035\043\004\030\060\026\200\024\152\171
+\176\221\151\106\030\023\012\002\167\245\131\133\140\230\045\016
+\242\370\060\035\006\003\125\035\016\004\026\004\024\152\171\176
+\221\151\106\030\023\012\002\167\245\131\133\140\230\045\016\242
+\370\060\014\006\003\125\035\023\004\005\060\003\001\001\377\060
+\031\006\011\052\206\110\206\366\175\007\101\000\004\014\060\012
+\033\004\126\064\056\060\003\002\004\220\060\015\006\011\052\206
+\110\206\367\015\001\001\005\005\000\003\201\201\000\042\022\330
+\172\035\334\201\006\266\011\145\262\207\310\037\136\264\057\351
+\304\036\362\074\301\273\004\220\021\112\203\116\176\223\271\115
+\102\307\222\046\240\134\064\232\070\162\370\375\153\026\076\040
+\356\202\213\061\052\223\066\205\043\210\212\074\003\150\323\311
+\011\017\115\374\154\244\332\050\162\223\016\211\200\260\175\376
+\200\157\145\155\030\063\227\213\302\153\211\356\140\075\310\233
+\357\177\053\062\142\163\223\313\074\343\173\342\166\170\105\274
+\241\223\004\273\206\237\072\133\103\172\303\212\145
+END
+
+# Trust for Certificate "Digital Signature Trust Co. Global CA 1"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Digital Signature Trust Co. Global CA 1"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\201\226\213\072\357\034\334\160\365\372\062\151\302\222\243\143
+\133\321\043\323
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\045\172\272\203\056\266\242\013\332\376\365\002\017\010\327\255
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141
+\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
+\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010
+\104\123\124\103\101\040\105\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\066\160\025\226
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Digital Signature Trust Co. Global CA 3"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Digital Signature Trust Co. Global CA 3"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141
+\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
+\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010
+\104\123\124\103\101\040\105\062
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141
+\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
+\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010
+\104\123\124\103\101\040\105\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\066\156\323\316
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\051\060\202\002\222\240\003\002\001\002\002\004\066
+\156\323\316\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\106\061\013\060\011\006\003\125\004\006\023\002\125
+\123\061\044\060\042\006\003\125\004\012\023\033\104\151\147\151
+\164\141\154\040\123\151\147\156\141\164\165\162\145\040\124\162
+\165\163\164\040\103\157\056\061\021\060\017\006\003\125\004\013
+\023\010\104\123\124\103\101\040\105\062\060\036\027\015\071\070
+\061\062\060\071\061\071\061\067\062\066\132\027\015\061\070\061
+\062\060\071\061\071\064\067\062\066\132\060\106\061\013\060\011
+\006\003\125\004\006\023\002\125\123\061\044\060\042\006\003\125
+\004\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156
+\141\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061
+\021\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040
+\105\062\060\201\235\060\015\006\011\052\206\110\206\367\015\001
+\001\001\005\000\003\201\213\000\060\201\207\002\201\201\000\277
+\223\217\027\222\357\063\023\030\353\020\177\116\026\277\377\006
+\217\052\205\274\136\371\044\246\044\210\266\003\267\301\303\137
+\003\133\321\157\256\176\102\352\146\043\270\143\203\126\373\050
+\055\341\070\213\264\356\250\001\341\316\034\266\210\052\042\106
+\205\373\237\247\160\251\107\024\077\316\336\145\360\250\161\367
+\117\046\154\214\274\306\265\357\336\111\047\377\110\052\175\350
+\115\003\314\307\262\122\306\027\061\023\073\265\115\333\310\304
+\366\303\017\044\052\332\014\235\347\221\133\200\315\224\235\002
+\001\003\243\202\001\044\060\202\001\040\060\021\006\011\140\206
+\110\001\206\370\102\001\001\004\004\003\002\000\007\060\150\006
+\003\125\035\037\004\141\060\137\060\135\240\133\240\131\244\127
+\060\125\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141
+\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
+\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010
+\104\123\124\103\101\040\105\062\061\015\060\013\006\003\125\004
+\003\023\004\103\122\114\061\060\053\006\003\125\035\020\004\044
+\060\042\200\017\061\071\071\070\061\062\060\071\061\071\061\067
+\062\066\132\201\017\062\060\061\070\061\062\060\071\061\071\061
+\067\062\066\132\060\013\006\003\125\035\017\004\004\003\002\001
+\006\060\037\006\003\125\035\043\004\030\060\026\200\024\036\202
+\115\050\145\200\074\311\101\156\254\065\056\132\313\336\356\370
+\071\133\060\035\006\003\125\035\016\004\026\004\024\036\202\115
+\050\145\200\074\311\101\156\254\065\056\132\313\336\356\370\071
+\133\060\014\006\003\125\035\023\004\005\060\003\001\001\377\060
+\031\006\011\052\206\110\206\366\175\007\101\000\004\014\060\012
+\033\004\126\064\056\060\003\002\004\220\060\015\006\011\052\206
+\110\206\367\015\001\001\005\005\000\003\201\201\000\107\215\203
+\255\142\362\333\260\236\105\042\005\271\242\326\003\016\070\162
+\347\236\374\173\346\223\266\232\245\242\224\310\064\035\221\321
+\305\327\364\012\045\017\075\170\201\236\017\261\147\304\220\114
+\143\335\136\247\342\272\237\365\367\115\245\061\173\234\051\055
+\114\376\144\076\354\266\123\376\352\233\355\202\333\164\165\113
+\007\171\156\036\330\031\203\163\336\365\076\320\265\336\347\113
+\150\175\103\056\052\040\341\176\240\170\104\236\010\365\230\371
+\307\177\033\033\326\006\040\002\130\241\303\242\003
+END
+
+# Trust for Certificate "Digital Signature Trust Co. Global CA 3"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Digital Signature Trust Co. Global CA 3"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\253\110\363\063\333\004\253\271\300\162\332\133\014\301\320\127
+\360\066\233\106
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\223\302\216\021\173\324\363\003\031\275\050\165\023\112\105\112
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\106\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\044\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141
+\154\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163
+\164\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010
+\104\123\124\103\101\040\105\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\066\156\323\316
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Digital Signature Trust Co. Global CA 2"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Digital Signature Trust Co. Global CA 2"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163
+\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061
+\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114
+\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004
+\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141
+\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021
+\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130
+\061\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040
+\122\157\157\164\103\101\040\130\061\061\041\060\037\006\011\052
+\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147
+\163\151\147\164\162\165\163\164\056\143\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163
+\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061
+\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114
+\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004
+\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141
+\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021
+\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130
+\061\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040
+\122\157\157\164\103\101\040\130\061\061\041\060\037\006\011\052
+\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147
+\163\151\147\164\162\165\163\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\320\036\100\213\000\000\002\174\000\000\000\002\000\000\000
+\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\330\060\202\002\300\002\021\000\320\036\100\213\000
+\000\002\174\000\000\000\002\000\000\000\001\060\015\006\011\052
+\206\110\206\367\015\001\001\005\005\000\060\201\251\061\013\060
+\011\006\003\125\004\006\023\002\165\163\061\015\060\013\006\003
+\125\004\010\023\004\125\164\141\150\061\027\060\025\006\003\125
+\004\007\023\016\123\141\154\164\040\114\141\153\145\040\103\151
+\164\171\061\044\060\042\006\003\125\004\012\023\033\104\151\147
+\151\164\141\154\040\123\151\147\156\141\164\165\162\145\040\124
+\162\165\163\164\040\103\157\056\061\021\060\017\006\003\125\004
+\013\023\010\104\123\124\103\101\040\130\061\061\026\060\024\006
+\003\125\004\003\023\015\104\123\124\040\122\157\157\164\103\101
+\040\130\061\061\041\060\037\006\011\052\206\110\206\367\015\001
+\011\001\026\022\143\141\100\144\151\147\163\151\147\164\162\165
+\163\164\056\143\157\155\060\036\027\015\071\070\061\062\060\061
+\061\070\061\070\065\065\132\027\015\060\070\061\061\062\070\061
+\070\061\070\065\065\132\060\201\251\061\013\060\011\006\003\125
+\004\006\023\002\165\163\061\015\060\013\006\003\125\004\010\023
+\004\125\164\141\150\061\027\060\025\006\003\125\004\007\023\016
+\123\141\154\164\040\114\141\153\145\040\103\151\164\171\061\044
+\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141\154
+\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163\164
+\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010\104
+\123\124\103\101\040\130\061\061\026\060\024\006\003\125\004\003
+\023\015\104\123\124\040\122\157\157\164\103\101\040\130\061\061
+\041\060\037\006\011\052\206\110\206\367\015\001\011\001\026\022
+\143\141\100\144\151\147\163\151\147\164\162\165\163\164\056\143
+\157\155\060\202\001\042\060\015\006\011\052\206\110\206\367\015
+\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202
+\001\001\000\322\306\046\266\347\245\075\301\304\150\325\120\157
+\123\305\157\111\023\011\270\257\054\110\215\024\152\243\027\137
+\132\371\323\056\165\057\330\050\142\321\223\057\374\115\324\253
+\207\345\010\307\231\347\222\077\165\275\353\045\264\025\301\233
+\031\075\322\104\215\327\164\040\155\067\002\217\151\223\133\212
+\304\031\235\364\262\016\374\026\154\271\261\005\222\203\321\205
+\054\140\224\076\105\125\240\331\253\010\041\346\140\350\073\164
+\362\231\120\121\150\320\003\055\261\200\276\243\330\122\260\104
+\315\103\112\160\216\130\205\225\341\116\054\326\055\101\157\326
+\204\347\310\230\104\312\107\333\054\044\245\151\046\317\153\270
+\047\142\303\364\311\172\222\043\355\023\147\202\256\105\056\105
+\345\176\162\077\205\235\224\142\020\346\074\221\241\255\167\000
+\340\025\354\363\204\200\162\172\216\156\140\227\307\044\131\020
+\064\203\133\341\245\244\151\266\127\065\034\170\131\306\323\057
+\072\163\147\356\224\312\004\023\005\142\006\160\043\263\364\174
+\356\105\331\144\013\133\111\252\244\103\316\046\304\104\022\154
+\270\335\171\002\003\001\000\001\060\015\006\011\052\206\110\206
+\367\015\001\001\005\005\000\003\202\001\001\000\242\067\262\077
+\151\373\327\206\171\124\111\061\225\063\053\363\321\011\024\111
+\142\140\206\245\260\021\342\120\302\035\006\127\076\055\350\063
+\144\276\233\252\255\137\033\115\324\231\225\242\213\232\311\142
+\162\265\151\352\331\130\253\065\355\025\242\103\326\266\274\007
+\171\145\144\163\175\327\171\312\173\325\132\121\306\341\123\004
+\226\215\070\317\243\027\254\071\161\153\001\303\213\123\074\143
+\351\356\171\300\344\276\222\062\144\172\263\037\227\224\142\275
+\352\262\040\025\225\373\227\362\170\057\143\066\100\070\343\106
+\017\035\335\254\225\312\347\113\220\173\261\113\251\324\305\353
+\232\332\252\325\243\224\024\106\215\055\037\363\072\326\223\072
+\366\076\171\374\350\346\260\165\355\356\075\311\160\307\135\252
+\201\113\106\045\034\307\154\025\343\225\116\017\252\062\067\224
+\012\027\044\222\023\204\130\322\143\157\053\367\346\133\142\013
+\023\027\260\015\122\114\376\376\157\134\342\221\156\035\375\244
+\142\327\150\372\216\172\117\322\010\332\223\334\360\222\021\172
+\320\334\162\223\014\163\223\142\205\150\320\364
+END
+
+# Trust for Certificate "Digital Signature Trust Co. Global CA 2"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Digital Signature Trust Co. Global CA 2"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\267\057\377\222\322\316\103\336\012\215\114\124\214\120\067\046
+\250\036\053\223
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\154\311\247\156\107\361\014\343\123\073\170\114\115\302\152\305
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163
+\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061
+\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114
+\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004
+\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141
+\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021
+\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130
+\061\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040
+\122\157\157\164\103\101\040\130\061\061\041\060\037\006\011\052
+\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147
+\163\151\147\164\162\165\163\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\320\036\100\213\000\000\002\174\000\000\000\002\000\000\000
+\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Digital Signature Trust Co. Global CA 4"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Digital Signature Trust Co. Global CA 4"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163
+\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061
+\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114
+\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004
+\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141
+\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021
+\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130
+\062\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040
+\122\157\157\164\103\101\040\130\062\061\041\060\037\006\011\052
+\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147
+\163\151\147\164\162\165\163\164\056\143\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163
+\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061
+\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114
+\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004
+\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141
+\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021
+\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130
+\062\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040
+\122\157\157\164\103\101\040\130\062\061\041\060\037\006\011\052
+\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147
+\163\151\147\164\162\165\163\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\320\036\100\213\000\000\167\155\000\000\000\001\000\000\000
+\004
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\330\060\202\002\300\002\021\000\320\036\100\213\000
+\000\167\155\000\000\000\001\000\000\000\004\060\015\006\011\052
+\206\110\206\367\015\001\001\005\005\000\060\201\251\061\013\060
+\011\006\003\125\004\006\023\002\165\163\061\015\060\013\006\003
+\125\004\010\023\004\125\164\141\150\061\027\060\025\006\003\125
+\004\007\023\016\123\141\154\164\040\114\141\153\145\040\103\151
+\164\171\061\044\060\042\006\003\125\004\012\023\033\104\151\147
+\151\164\141\154\040\123\151\147\156\141\164\165\162\145\040\124
+\162\165\163\164\040\103\157\056\061\021\060\017\006\003\125\004
+\013\023\010\104\123\124\103\101\040\130\062\061\026\060\024\006
+\003\125\004\003\023\015\104\123\124\040\122\157\157\164\103\101
+\040\130\062\061\041\060\037\006\011\052\206\110\206\367\015\001
+\011\001\026\022\143\141\100\144\151\147\163\151\147\164\162\165
+\163\164\056\143\157\155\060\036\027\015\071\070\061\061\063\060
+\062\062\064\066\061\066\132\027\015\060\070\061\061\062\067\062
+\062\064\066\061\066\132\060\201\251\061\013\060\011\006\003\125
+\004\006\023\002\165\163\061\015\060\013\006\003\125\004\010\023
+\004\125\164\141\150\061\027\060\025\006\003\125\004\007\023\016
+\123\141\154\164\040\114\141\153\145\040\103\151\164\171\061\044
+\060\042\006\003\125\004\012\023\033\104\151\147\151\164\141\154
+\040\123\151\147\156\141\164\165\162\145\040\124\162\165\163\164
+\040\103\157\056\061\021\060\017\006\003\125\004\013\023\010\104
+\123\124\103\101\040\130\062\061\026\060\024\006\003\125\004\003
+\023\015\104\123\124\040\122\157\157\164\103\101\040\130\062\061
+\041\060\037\006\011\052\206\110\206\367\015\001\011\001\026\022
+\143\141\100\144\151\147\163\151\147\164\162\165\163\164\056\143
+\157\155\060\202\001\042\060\015\006\011\052\206\110\206\367\015
+\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202
+\001\001\000\334\165\360\214\300\165\226\232\300\142\037\046\367
+\304\341\232\352\340\126\163\133\231\315\001\104\250\010\266\325
+\247\332\032\004\030\071\222\112\170\243\201\302\365\167\172\120
+\264\160\377\232\253\306\307\312\156\203\117\102\230\373\046\013
+\332\334\155\326\251\231\125\122\147\351\050\003\222\334\345\260
+\005\232\017\025\371\153\131\162\126\362\372\071\374\252\150\356
+\017\037\020\203\057\374\235\372\027\226\335\202\343\346\105\175
+\300\113\200\104\037\355\054\340\204\375\221\134\222\124\151\045
+\345\142\151\334\345\356\000\122\275\063\013\255\165\002\205\247
+\144\120\055\305\031\031\060\300\046\333\311\323\375\056\231\255
+\131\265\013\115\324\101\256\205\110\103\131\334\267\250\342\242
+\336\303\217\327\270\241\142\246\150\120\122\344\317\061\247\224
+\205\332\237\106\062\027\126\345\362\353\146\075\022\377\103\333
+\230\357\167\317\313\201\215\064\261\306\120\112\046\321\344\076
+\101\120\257\154\256\042\064\056\325\153\156\203\272\171\270\166
+\145\110\332\011\051\144\143\042\271\373\107\166\205\214\206\104
+\313\011\333\002\003\001\000\001\060\015\006\011\052\206\110\206
+\367\015\001\001\005\005\000\003\202\001\001\000\265\066\016\135
+\341\141\050\132\021\145\300\077\203\003\171\115\276\050\246\013
+\007\002\122\205\315\370\221\320\020\154\265\152\040\133\034\220
+\331\060\074\306\110\236\212\136\144\371\241\161\167\357\004\047
+\037\007\353\344\046\367\163\164\311\104\030\032\146\323\340\103
+\257\221\073\321\313\054\330\164\124\072\034\115\312\324\150\315
+\043\174\035\020\236\105\351\366\000\156\246\315\031\377\117\054
+\051\217\127\115\304\167\222\276\340\114\011\373\135\104\206\146
+\041\250\271\062\242\126\325\351\214\203\174\131\077\304\361\013
+\347\235\354\236\275\234\030\016\076\302\071\171\050\267\003\015
+\010\313\306\347\331\001\067\120\020\354\314\141\026\100\324\257
+\061\164\173\374\077\061\247\320\107\163\063\071\033\314\116\152
+\327\111\203\021\006\376\353\202\130\063\062\114\360\126\254\036
+\234\057\126\232\173\301\112\034\245\375\125\066\316\374\226\115
+\364\260\360\354\267\154\202\355\057\061\231\102\114\251\262\015
+\270\025\135\361\337\272\311\265\112\324\144\230\263\046\251\060
+\310\375\246\354\253\226\041\255\177\302\170\266
+END
+
+# Trust for Certificate "Digital Signature Trust Co. Global CA 4"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Digital Signature Trust Co. Global CA 4"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\147\353\063\173\150\114\353\016\302\260\166\012\264\210\047\214
+\335\225\227\335
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\315\073\075\142\133\011\270\011\066\207\236\022\057\161\144\272
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\251\061\013\060\011\006\003\125\004\006\023\002\165\163
+\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061
+\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114
+\141\153\145\040\103\151\164\171\061\044\060\042\006\003\125\004
+\012\023\033\104\151\147\151\164\141\154\040\123\151\147\156\141
+\164\165\162\145\040\124\162\165\163\164\040\103\157\056\061\021
+\060\017\006\003\125\004\013\023\010\104\123\124\103\101\040\130
+\062\061\026\060\024\006\003\125\004\003\023\015\104\123\124\040
+\122\157\157\164\103\101\040\130\062\061\041\060\037\006\011\052
+\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151\147
+\163\151\147\164\162\165\163\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\320\036\100\213\000\000\167\155\000\000\000\001\000\000\000
+\004
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Deutsche Telekom AG Root CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Deutsche Telekom AG Root CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\155\061\013\060\011\006\003\125\004\006\023\002\104\105\061
+\034\060\032\006\003\125\004\012\023\023\104\145\165\164\163\143
+\150\145\040\124\145\154\145\153\157\155\040\101\107\061\035\060
+\033\006\003\125\004\013\023\024\124\145\154\145\123\145\143\040
+\124\162\165\163\164\040\103\145\156\164\145\162\061\041\060\037
+\006\003\125\004\003\023\030\104\145\165\164\163\143\150\145\040
+\124\145\154\145\153\157\155\040\122\157\157\164\040\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\155\061\013\060\011\006\003\125\004\006\023\002\104\105\061
+\034\060\032\006\003\125\004\012\023\023\104\145\165\164\163\143
+\150\145\040\124\145\154\145\153\157\155\040\101\107\061\035\060
+\033\006\003\125\004\013\023\024\124\145\154\145\123\145\143\040
+\124\162\165\163\164\040\103\145\156\164\145\162\061\041\060\037
+\006\003\125\004\003\023\030\104\145\165\164\163\143\150\145\040
+\124\145\154\145\153\157\155\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\006
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\216\060\202\001\367\240\003\002\001\002\002\001\006
+\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
+\155\061\013\060\011\006\003\125\004\006\023\002\104\105\061\034
+\060\032\006\003\125\004\012\023\023\104\145\165\164\163\143\150
+\145\040\124\145\154\145\153\157\155\040\101\107\061\035\060\033
+\006\003\125\004\013\023\024\124\145\154\145\123\145\143\040\124
+\162\165\163\164\040\103\145\156\164\145\162\061\041\060\037\006
+\003\125\004\003\023\030\104\145\165\164\163\143\150\145\040\124
+\145\154\145\153\157\155\040\122\157\157\164\040\103\101\060\036
+\027\015\071\070\061\062\060\071\060\071\061\061\060\060\132\027
+\015\060\064\061\062\060\071\062\063\065\071\060\060\132\060\155
+\061\013\060\011\006\003\125\004\006\023\002\104\105\061\034\060
+\032\006\003\125\004\012\023\023\104\145\165\164\163\143\150\145
+\040\124\145\154\145\153\157\155\040\101\107\061\035\060\033\006
+\003\125\004\013\023\024\124\145\154\145\123\145\143\040\124\162
+\165\163\164\040\103\145\156\164\145\162\061\041\060\037\006\003
+\125\004\003\023\030\104\145\165\164\163\143\150\145\040\124\145
+\154\145\153\157\155\040\122\157\157\164\040\103\101\060\201\237
+\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
+\201\215\000\060\201\211\002\201\201\000\335\005\054\371\005\263
+\271\022\327\151\161\367\352\126\060\010\127\024\103\173\273\032
+\234\155\057\127\141\327\342\365\104\153\356\066\101\226\366\144
+\316\341\301\262\271\244\024\004\230\120\350\160\370\216\065\232
+\175\111\301\141\035\131\256\332\006\030\225\175\255\316\354\251
+\276\321\030\017\100\221\166\052\243\345\375\376\211\025\364\127
+\367\340\125\332\165\255\000\364\054\301\065\314\264\103\046\125
+\142\104\056\001\045\234\212\133\360\301\320\000\065\170\376\065
+\336\224\100\144\170\203\241\314\071\211\002\003\001\000\001\243
+\076\060\074\060\017\006\003\125\035\023\004\010\060\006\001\001
+\377\002\001\005\060\016\006\003\125\035\017\001\001\377\004\004
+\003\002\001\006\060\031\006\003\125\035\016\004\022\004\020\054
+\207\131\037\213\023\200\262\371\206\235\076\022\176\130\226\060
+\015\006\011\052\206\110\206\367\015\001\001\004\005\000\003\201
+\201\000\017\376\163\265\007\210\157\240\013\211\352\312\120\037
+\224\336\224\053\013\047\136\117\365\034\225\046\332\214\226\124
+\255\031\221\067\103\135\253\311\213\263\315\157\230\071\075\355
+\335\065\343\161\267\355\023\223\203\350\206\345\051\063\023\023
+\274\065\173\375\050\057\160\131\325\323\264\215\050\023\131\073
+\310\325\164\371\105\302\007\140\252\270\030\124\371\245\150\377
+\327\005\325\217\266\005\061\056\101\112\364\020\037\140\107\032
+\013\213\031\115\222\127\040\322\357\120\031\350\315\320\160\274
+\274\066
+END
+
+# Trust for Certificate "Deutsche Telekom AG Root CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Deutsche Telekom AG Root CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\342\023\044\000\203\106\103\235\143\067\021\170\043\310\065\246
+\354\113\316\102
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\167\336\004\224\167\320\014\137\247\261\364\060\030\207\373\125
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\155\061\013\060\011\006\003\125\004\006\023\002\104\105\061
+\034\060\032\006\003\125\004\012\023\023\104\145\165\164\163\143
+\150\145\040\124\145\154\145\153\157\155\040\101\107\061\035\060
+\033\006\003\125\004\013\023\024\124\145\154\145\123\145\143\040
+\124\162\165\163\164\040\103\145\156\164\145\162\061\041\060\037
+\006\003\125\004\003\023\030\104\145\165\164\163\143\150\145\040
+\124\145\154\145\153\157\155\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\006
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Verisign Class 1 Public Primary Certification Authority"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 1 Public Primary Certification Authority"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
+\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
+\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151
+\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
+\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
+\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151
+\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\315\272\177\126\360\337\344\274\124\376\042\254\263\162\252
+\125
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\075\060\202\001\246\002\021\000\315\272\177\126\360
+\337\344\274\124\376\042\254\263\162\252\125\060\015\006\011\052
+\206\110\206\367\015\001\001\002\005\000\060\137\061\013\060\011
+\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125
+\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156
+\143\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141
+\163\163\040\061\040\120\165\142\154\151\143\040\120\162\151\155
+\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\060\036\027\015\071
+\066\060\061\062\071\060\060\060\060\060\060\132\027\015\062\070
+\060\070\060\061\062\063\065\071\065\071\132\060\137\061\013\060
+\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003
+\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111
+\156\143\056\061\067\060\065\006\003\125\004\013\023\056\103\154
+\141\163\163\040\061\040\120\165\142\154\151\143\040\120\162\151
+\155\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151
+\157\156\040\101\165\164\150\157\162\151\164\171\060\201\237\060
+\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201
+\215\000\060\201\211\002\201\201\000\345\031\277\155\243\126\141
+\055\231\110\161\366\147\336\271\215\353\267\236\206\200\012\221
+\016\372\070\045\257\106\210\202\345\163\250\240\233\044\135\015
+\037\314\145\156\014\260\320\126\204\030\207\232\006\233\020\241
+\163\337\264\130\071\153\156\301\366\025\325\250\250\077\252\022
+\006\215\061\254\177\260\064\327\217\064\147\210\011\315\024\021
+\342\116\105\126\151\037\170\002\200\332\334\107\221\051\273\066
+\311\143\134\305\340\327\055\207\173\241\267\062\260\173\060\272
+\052\057\061\252\356\243\147\332\333\002\003\001\000\001\060\015
+\006\011\052\206\110\206\367\015\001\001\002\005\000\003\201\201
+\000\114\077\270\213\306\150\337\356\103\063\016\135\351\246\313
+\007\204\115\172\063\377\222\033\364\066\255\330\225\042\066\150
+\021\154\174\102\314\363\234\056\304\007\077\024\260\017\117\377
+\220\222\166\371\342\274\112\351\217\315\240\200\012\367\305\051
+\361\202\042\135\270\261\335\201\043\243\173\045\025\106\060\171
+\026\370\352\005\113\224\177\035\302\034\310\343\267\364\020\100
+\074\023\303\137\037\123\350\110\344\206\264\173\241\065\260\173
+\045\272\270\323\216\253\077\070\235\000\064\000\230\363\321\161
+\224
+END
+
+# Trust for Certificate "Verisign Class 1 Public Primary Certification Authority"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 1 Public Primary Certification Authority"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\220\256\242\151\205\377\024\200\114\103\111\122\354\351\140\204
+\167\257\125\157
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\227\140\350\127\137\323\120\107\345\103\014\224\066\212\260\142
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
+\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
+\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151
+\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\315\272\177\126\360\337\344\274\124\376\042\254\263\162\252
+\125
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+
+#
+# Certificate "Verisign Class 2 Public Primary Certification Authority"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 2 Public Primary Certification Authority"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
+\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
+\013\023\056\103\154\141\163\163\040\062\040\120\165\142\154\151
+\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
+\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
+\013\023\056\103\154\141\163\163\040\062\040\120\165\142\154\151
+\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\055\033\374\112\027\215\243\221\353\347\377\365\213\105\276\013
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\074\060\202\001\245\002\020\055\033\374\112\027\215
+\243\221\353\347\377\365\213\105\276\013\060\015\006\011\052\206
+\110\206\367\015\001\001\002\005\000\060\137\061\013\060\011\006
+\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004
+\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156\143
+\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141\163
+\163\040\062\040\120\165\142\154\151\143\040\120\162\151\155\141
+\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157\156
+\040\101\165\164\150\157\162\151\164\171\060\036\027\015\071\066
+\060\061\062\071\060\060\060\060\060\060\132\027\015\062\070\060
+\070\060\061\062\063\065\071\065\071\132\060\137\061\013\060\011
+\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125
+\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156
+\143\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141
+\163\163\040\062\040\120\165\142\154\151\143\040\120\162\151\155
+\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\060\201\237\060\015
+\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215
+\000\060\201\211\002\201\201\000\266\132\213\243\015\152\043\203
+\200\153\317\071\207\364\041\023\063\006\114\045\242\355\125\022
+\227\305\247\200\271\372\203\301\040\240\372\057\025\015\174\241
+\140\153\176\171\054\372\006\017\072\256\366\033\157\261\322\377
+\057\050\122\137\203\175\113\304\172\267\370\146\037\200\124\374
+\267\302\216\131\112\024\127\106\321\232\223\276\101\221\003\273
+\025\200\223\134\353\347\314\010\154\077\076\263\112\374\377\113
+\154\043\325\120\202\046\104\031\216\043\303\161\352\031\044\107
+\004\236\165\277\310\246\000\037\002\003\001\000\001\060\015\006
+\011\052\206\110\206\367\015\001\001\002\005\000\003\201\201\000
+\212\033\053\372\071\301\164\327\136\330\031\144\242\130\112\055
+\067\340\063\107\017\254\355\367\252\333\036\344\213\006\134\140
+\047\312\105\122\316\026\357\077\006\144\347\224\150\174\140\063
+\025\021\151\257\235\142\215\243\003\124\153\246\276\345\356\005
+\030\140\004\277\102\200\375\320\250\250\036\001\073\367\243\134
+\257\243\334\346\046\200\043\074\270\104\164\367\012\256\111\213
+\141\170\314\044\277\210\212\247\016\352\163\031\101\375\115\003
+\360\210\321\345\170\215\245\052\117\366\227\015\027\167\312\330
+END
+
+# Trust for Certificate "Verisign Class 2 Public Primary Certification Authority"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 2 Public Primary Certification Authority"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\147\202\252\340\355\356\342\032\130\071\323\300\315\024\150\012
+\117\140\024\052
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\263\234\045\261\303\056\062\123\200\025\060\235\115\002\167\076
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
+\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
+\013\023\056\103\154\141\163\163\040\062\040\120\165\142\154\151
+\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\055\033\374\112\027\215\243\221\353\347\377\365\213\105\276\013
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Verisign Class 3 Public Primary Certification Authority"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
+\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
+\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151
+\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
+\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
+\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151
+\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\160\272\344\035\020\331\051\064\266\070\312\173\003\314\272\277
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\074\060\202\001\245\002\020\160\272\344\035\020\331
+\051\064\266\070\312\173\003\314\272\277\060\015\006\011\052\206
+\110\206\367\015\001\001\002\005\000\060\137\061\013\060\011\006
+\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004
+\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156\143
+\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141\163
+\163\040\063\040\120\165\142\154\151\143\040\120\162\151\155\141
+\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157\156
+\040\101\165\164\150\157\162\151\164\171\060\036\027\015\071\066
+\060\061\062\071\060\060\060\060\060\060\132\027\015\062\070\060
+\070\060\061\062\063\065\071\065\071\132\060\137\061\013\060\011
+\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125
+\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156
+\143\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141
+\163\163\040\063\040\120\165\142\154\151\143\040\120\162\151\155
+\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\060\201\237\060\015
+\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215
+\000\060\201\211\002\201\201\000\311\134\131\236\362\033\212\001
+\024\264\020\337\004\100\333\343\127\257\152\105\100\217\204\014
+\013\321\063\331\331\021\317\356\002\130\037\045\367\052\250\104
+\005\252\354\003\037\170\177\236\223\271\232\000\252\043\175\326
+\254\205\242\143\105\307\162\047\314\364\114\306\165\161\322\071
+\357\117\102\360\165\337\012\220\306\216\040\157\230\017\370\254
+\043\137\160\051\066\244\311\206\347\261\232\040\313\123\245\205
+\347\075\276\175\232\376\044\105\063\334\166\025\355\017\242\161
+\144\114\145\056\201\150\105\247\002\003\001\000\001\060\015\006
+\011\052\206\110\206\367\015\001\001\002\005\000\003\201\201\000
+\273\114\022\053\317\054\046\000\117\024\023\335\246\373\374\012
+\021\204\214\363\050\034\147\222\057\174\266\305\372\337\360\350
+\225\274\035\217\154\054\250\121\314\163\330\244\300\123\360\116
+\326\046\300\166\001\127\201\222\136\041\361\321\261\377\347\320
+\041\130\315\151\027\343\104\034\234\031\104\071\211\134\334\234
+\000\017\126\215\002\231\355\242\220\105\114\344\273\020\244\075
+\360\062\003\016\361\316\370\350\311\121\214\346\142\237\346\237
+\300\175\267\162\234\311\066\072\153\237\116\250\377\144\015\144
+END
+
+# Trust for Certificate "Verisign Class 3 Public Primary Certification Authority"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\164\054\061\222\346\007\344\044\353\105\111\124\053\341\273\305
+\076\141\164\342
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\020\374\143\135\366\046\076\015\363\045\276\137\171\315\147\147
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
+\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
+\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151
+\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\160\272\344\035\020\331\051\064\266\070\312\173\003\314\272\277
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Verisign Class 1 Public Primary Certification Authority - G2"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 1 Public Primary Certification Authority - G2"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
+\004\013\023\063\103\154\141\163\163\040\061\040\120\165\142\154
+\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
+\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
+\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
+\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
+\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
+\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
+\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
+\167\157\162\153
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
+\004\013\023\063\103\154\141\163\163\040\061\040\120\165\142\154
+\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
+\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
+\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
+\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
+\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
+\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
+\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
+\167\157\162\153
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\114\307\352\252\230\076\161\323\223\020\370\075\072\211\221\222
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\002\060\202\002\153\002\020\114\307\352\252\230\076
+\161\323\223\020\370\075\072\211\221\222\060\015\006\011\052\206
+\110\206\367\015\001\001\005\005\000\060\201\301\061\013\060\011
+\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125
+\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156
+\143\056\061\074\060\072\006\003\125\004\013\023\063\103\154\141
+\163\163\040\061\040\120\165\142\154\151\143\040\120\162\151\155
+\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107\062
+\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040\061
+\071\071\070\040\126\145\162\151\123\151\147\156\054\040\111\156
+\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162\151
+\172\145\144\040\165\163\145\040\157\156\154\171\061\037\060\035
+\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040
+\124\162\165\163\164\040\116\145\164\167\157\162\153\060\036\027
+\015\071\070\060\065\061\070\060\060\060\060\060\060\132\027\015
+\062\070\060\070\060\061\062\063\065\071\065\071\132\060\201\301
+\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060
+\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156
+\054\040\111\156\143\056\061\074\060\072\006\003\125\004\013\023
+\063\103\154\141\163\163\040\061\040\120\165\142\154\151\143\040
+\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143
+\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040
+\055\040\107\062\061\072\060\070\006\003\125\004\013\023\061\050
+\143\051\040\061\071\071\070\040\126\145\162\151\123\151\147\156
+\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164
+\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171
+\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123
+\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162
+\153\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001
+\001\005\000\003\201\215\000\060\201\211\002\201\201\000\252\320
+\272\276\026\055\270\203\324\312\322\017\274\166\061\312\224\330
+\035\223\214\126\002\274\331\157\032\157\122\066\156\165\126\012
+\125\323\337\103\207\041\021\145\212\176\217\275\041\336\153\062
+\077\033\204\064\225\005\235\101\065\353\222\353\226\335\252\131
+\077\001\123\155\231\117\355\345\342\052\132\220\301\271\304\246
+\025\317\310\105\353\246\135\216\234\076\360\144\044\166\245\315
+\253\032\157\266\330\173\121\141\156\246\177\207\310\342\267\345
+\064\334\101\210\352\011\100\276\163\222\075\153\347\165\002\003
+\001\000\001\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\003\201\201\000\251\117\303\015\307\147\276\054\313\331
+\250\315\055\165\347\176\025\236\073\162\353\176\353\134\055\011
+\207\326\153\155\140\174\345\256\305\220\043\014\134\112\320\257
+\261\135\363\307\266\012\333\340\025\223\015\335\003\274\307\166
+\212\265\335\117\303\233\023\165\270\001\300\346\311\133\153\245
+\270\211\334\254\244\335\162\355\116\241\367\117\274\006\323\352
+\310\144\164\173\302\225\101\234\145\163\130\361\220\232\074\152
+\261\230\311\304\207\274\317\105\155\105\342\156\042\077\376\274
+\017\061\134\350\362\331
+END
+
+# Trust for Certificate "Verisign Class 1 Public Primary Certification Authority - G2"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 1 Public Primary Certification Authority - G2"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\047\076\341\044\127\375\304\371\014\125\350\053\126\026\177\142
+\365\062\345\107
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\333\043\075\371\151\372\113\271\225\200\104\163\136\175\101\203
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
+\004\013\023\063\103\154\141\163\163\040\061\040\120\165\142\154
+\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
+\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
+\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
+\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
+\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
+\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
+\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
+\167\157\162\153
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\114\307\352\252\230\076\161\323\223\020\370\075\072\211\221\222
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+
+#
+# Certificate "Verisign Class 2 Public Primary Certification Authority - G2"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 2 Public Primary Certification Authority - G2"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
+\004\013\023\063\103\154\141\163\163\040\062\040\120\165\142\154
+\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
+\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
+\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
+\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
+\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
+\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
+\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
+\167\157\162\153
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
+\004\013\023\063\103\154\141\163\163\040\062\040\120\165\142\154
+\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
+\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
+\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
+\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
+\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
+\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
+\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
+\167\157\162\153
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\271\057\140\314\210\237\241\172\106\011\270\133\160\154\212
+\257
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\003\060\202\002\154\002\021\000\271\057\140\314\210
+\237\241\172\106\011\270\133\160\154\212\257\060\015\006\011\052
+\206\110\206\367\015\001\001\005\005\000\060\201\301\061\013\060
+\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003
+\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111
+\156\143\056\061\074\060\072\006\003\125\004\013\023\063\103\154
+\141\163\163\040\062\040\120\165\142\154\151\143\040\120\162\151
+\155\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151
+\157\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107
+\062\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040
+\061\071\071\070\040\126\145\162\151\123\151\147\156\054\040\111
+\156\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162
+\151\172\145\144\040\165\163\145\040\157\156\154\171\061\037\060
+\035\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156
+\040\124\162\165\163\164\040\116\145\164\167\157\162\153\060\036
+\027\015\071\070\060\065\061\070\060\060\060\060\060\060\132\027
+\015\062\070\060\070\060\061\062\063\065\071\065\071\132\060\201
+\301\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027
+\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147
+\156\054\040\111\156\143\056\061\074\060\072\006\003\125\004\013
+\023\063\103\154\141\163\163\040\062\040\120\165\142\154\151\143
+\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151
+\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
+\040\055\040\107\062\061\072\060\070\006\003\125\004\013\023\061
+\050\143\051\040\061\071\071\070\040\126\145\162\151\123\151\147
+\156\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165
+\164\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154
+\171\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151
+\123\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157
+\162\153\060\201\237\060\015\006\011\052\206\110\206\367\015\001
+\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000\247
+\210\001\041\164\054\347\032\003\360\230\341\227\074\017\041\010
+\361\234\333\227\351\232\374\302\004\006\023\276\137\122\310\314
+\036\054\022\126\054\270\001\151\054\314\231\037\255\260\226\256
+\171\004\362\023\071\301\173\230\272\010\054\350\302\204\023\054
+\252\151\351\011\364\307\251\002\244\102\302\043\117\112\330\360
+\016\242\373\061\154\311\346\157\231\047\007\365\346\364\114\170
+\236\155\353\106\206\372\271\206\311\124\362\262\304\257\324\106
+\034\132\311\025\060\377\015\154\365\055\016\155\316\177\167\002
+\003\001\000\001\060\015\006\011\052\206\110\206\367\015\001\001
+\005\005\000\003\201\201\000\162\056\371\177\321\361\161\373\304
+\236\366\305\136\121\212\100\230\270\150\370\233\034\203\330\342
+\235\275\377\355\241\346\146\352\057\011\364\312\327\352\245\053
+\225\366\044\140\206\115\104\056\203\245\304\055\240\323\256\170
+\151\157\162\332\154\256\010\360\143\222\067\346\273\304\060\027
+\255\167\314\111\065\252\317\330\217\321\276\267\030\226\107\163
+\152\124\042\064\144\055\266\026\233\131\133\264\121\131\072\263
+\013\024\364\022\337\147\240\364\255\062\144\136\261\106\162\047
+\214\022\173\305\104\264\256
+END
+
+# Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G2"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 2 Public Primary Certification Authority - G2"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\263\352\304\107\166\311\310\034\352\362\235\225\266\314\240\010
+\033\147\354\235
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\055\273\345\045\323\321\145\202\072\267\016\372\346\353\342\341
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
+\004\013\023\063\103\154\141\163\163\040\062\040\120\165\142\154
+\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
+\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
+\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
+\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
+\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
+\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
+\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
+\167\157\162\153
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\271\057\140\314\210\237\241\172\106\011\270\133\160\154\212
+\257
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Verisign Class 3 Public Primary Certification Authority - G2"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority - G2"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
+\004\013\023\063\103\154\141\163\163\040\063\040\120\165\142\154
+\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
+\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
+\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
+\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
+\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
+\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
+\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
+\167\157\162\153
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
+\004\013\023\063\103\154\141\163\163\040\063\040\120\165\142\154
+\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
+\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
+\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
+\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
+\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
+\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
+\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
+\167\157\162\153
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\175\331\376\007\317\250\036\267\020\171\147\373\247\211\064\306
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\002\060\202\002\153\002\020\175\331\376\007\317\250
+\036\267\020\171\147\373\247\211\064\306\060\015\006\011\052\206
+\110\206\367\015\001\001\005\005\000\060\201\301\061\013\060\011
+\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125
+\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156
+\143\056\061\074\060\072\006\003\125\004\013\023\063\103\154\141
+\163\163\040\063\040\120\165\142\154\151\143\040\120\162\151\155
+\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107\062
+\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040\061
+\071\071\070\040\126\145\162\151\123\151\147\156\054\040\111\156
+\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162\151
+\172\145\144\040\165\163\145\040\157\156\154\171\061\037\060\035
+\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040
+\124\162\165\163\164\040\116\145\164\167\157\162\153\060\036\027
+\015\071\070\060\065\061\070\060\060\060\060\060\060\132\027\015
+\062\070\060\070\060\061\062\063\065\071\065\071\132\060\201\301
+\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060
+\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156
+\054\040\111\156\143\056\061\074\060\072\006\003\125\004\013\023
+\063\103\154\141\163\163\040\063\040\120\165\142\154\151\143\040
+\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143
+\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040
+\055\040\107\062\061\072\060\070\006\003\125\004\013\023\061\050
+\143\051\040\061\071\071\070\040\126\145\162\151\123\151\147\156
+\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164
+\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171
+\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123
+\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162
+\153\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001
+\001\005\000\003\201\215\000\060\201\211\002\201\201\000\314\136
+\321\021\135\134\151\320\253\323\271\152\114\231\037\131\230\060
+\216\026\205\040\106\155\107\077\324\205\040\204\341\155\263\370
+\244\355\014\361\027\017\073\371\247\371\045\327\301\317\204\143
+\362\174\143\317\242\107\362\306\133\063\216\144\100\004\150\301
+\200\271\144\034\105\167\307\330\156\365\225\051\074\120\350\064
+\327\170\037\250\272\155\103\221\225\217\105\127\136\176\305\373
+\312\244\004\353\352\227\067\124\060\157\273\001\107\062\063\315
+\334\127\233\144\151\141\370\233\035\034\211\117\134\147\002\003
+\001\000\001\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\003\201\201\000\121\115\315\276\134\313\230\031\234\025
+\262\001\071\170\056\115\017\147\160\160\231\306\020\132\224\244
+\123\115\124\155\053\257\015\135\100\213\144\323\327\356\336\126
+\141\222\137\246\304\035\020\141\066\323\054\047\074\350\051\011
+\271\021\144\164\314\265\163\237\034\110\251\274\141\001\356\342
+\027\246\014\343\100\010\073\016\347\353\104\163\052\232\361\151
+\222\357\161\024\303\071\254\161\247\221\011\157\344\161\006\263
+\272\131\127\046\171\000\366\370\015\242\063\060\050\324\252\130
+\240\235\235\151\221\375
+END
+
+# Trust for Certificate "Verisign Class 3 Public Primary Certification Authority - G2"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority - G2"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\205\067\034\246\345\120\024\075\316\050\003\107\033\336\072\011
+\350\370\167\017
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\242\063\233\114\164\170\163\324\154\347\301\363\215\313\134\351
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
+\004\013\023\063\103\154\141\163\163\040\063\040\120\165\142\154
+\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
+\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
+\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
+\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
+\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
+\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
+\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
+\167\157\162\153
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\175\331\376\007\317\250\036\267\020\171\147\373\247\211\064\306
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Verisign Class 4 Public Primary Certification Authority - G2"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 4 Public Primary Certification Authority - G2"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
+\004\013\023\063\103\154\141\163\163\040\064\040\120\165\142\154
+\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
+\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
+\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
+\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
+\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
+\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
+\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
+\167\157\162\153
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
+\004\013\023\063\103\154\141\163\163\040\064\040\120\165\142\154
+\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
+\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
+\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
+\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
+\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
+\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
+\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
+\167\157\162\153
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\062\210\216\232\322\365\353\023\107\370\177\304\040\067\045\370
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\002\060\202\002\153\002\020\062\210\216\232\322\365
+\353\023\107\370\177\304\040\067\045\370\060\015\006\011\052\206
+\110\206\367\015\001\001\005\005\000\060\201\301\061\013\060\011
+\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125
+\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156
+\143\056\061\074\060\072\006\003\125\004\013\023\063\103\154\141
+\163\163\040\064\040\120\165\142\154\151\143\040\120\162\151\155
+\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107\062
+\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040\061
+\071\071\070\040\126\145\162\151\123\151\147\156\054\040\111\156
+\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162\151
+\172\145\144\040\165\163\145\040\157\156\154\171\061\037\060\035
+\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040
+\124\162\165\163\164\040\116\145\164\167\157\162\153\060\036\027
+\015\071\070\060\065\061\070\060\060\060\060\060\060\132\027\015
+\062\070\060\070\060\061\062\063\065\071\065\071\132\060\201\301
+\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060
+\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156
+\054\040\111\156\143\056\061\074\060\072\006\003\125\004\013\023
+\063\103\154\141\163\163\040\064\040\120\165\142\154\151\143\040
+\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143
+\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040
+\055\040\107\062\061\072\060\070\006\003\125\004\013\023\061\050
+\143\051\040\061\071\071\070\040\126\145\162\151\123\151\147\156
+\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164
+\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171
+\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123
+\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162
+\153\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001
+\001\005\000\003\201\215\000\060\201\211\002\201\201\000\272\360
+\344\317\371\304\256\205\124\271\007\127\371\217\305\177\150\021
+\370\304\027\260\104\334\343\060\163\325\052\142\052\270\320\314
+\034\355\050\133\176\275\152\334\263\221\044\312\101\142\074\374
+\002\001\277\034\026\061\224\005\227\166\156\242\255\275\141\027
+\154\116\060\206\360\121\067\052\120\307\250\142\201\334\133\112
+\252\301\240\264\156\353\057\345\127\305\261\053\100\160\333\132
+\115\241\216\037\275\003\037\330\003\324\217\114\231\161\274\342
+\202\314\130\350\230\072\206\323\206\070\363\000\051\037\002\003
+\001\000\001\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\003\201\201\000\205\214\022\301\247\271\120\025\172\313
+\076\254\270\103\212\334\252\335\024\272\211\201\176\001\074\043
+\161\041\210\057\202\334\143\372\002\105\254\105\131\327\052\130
+\104\133\267\237\201\073\222\150\075\342\067\044\365\173\154\217
+\166\065\226\011\250\131\235\271\316\043\253\164\326\203\375\062
+\163\047\330\151\076\103\164\366\256\305\211\232\347\123\174\351
+\173\366\113\363\301\145\203\336\215\212\234\074\210\215\071\131
+\374\252\077\042\215\241\301\146\120\201\162\114\355\042\144\117
+\117\312\200\221\266\051
+END
+
+# Trust for Certificate "Verisign Class 4 Public Primary Certification Authority - G2"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 4 Public Primary Certification Authority - G2"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\013\167\276\273\313\172\242\107\005\336\314\017\275\152\002\374
+\172\275\233\122
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\046\155\054\031\230\266\160\150\070\120\124\031\354\220\064\140
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
+\004\013\023\063\103\154\141\163\163\040\064\040\120\165\142\154
+\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
+\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
+\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
+\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
+\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
+\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
+\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
+\167\157\162\153
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\062\210\216\232\322\365\353\023\107\370\177\304\040\067\045\370
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "GlobalSign Root CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GlobalSign Root CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061
+\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154
+\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003
+\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031
+\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147
+\156\040\122\157\157\164\040\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061
+\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154
+\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003
+\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031
+\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147
+\156\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\000\000\000\000\000\326\170\267\224\005
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\165\060\202\002\135\240\003\002\001\002\002\013\002
+\000\000\000\000\000\326\170\267\224\005\060\015\006\011\052\206
+\110\206\367\015\001\001\004\005\000\060\127\061\013\060\011\006
+\003\125\004\006\023\002\102\105\061\031\060\027\006\003\125\004
+\012\023\020\107\154\157\142\141\154\123\151\147\156\040\156\166
+\055\163\141\061\020\060\016\006\003\125\004\013\023\007\122\157
+\157\164\040\103\101\061\033\060\031\006\003\125\004\003\023\022
+\107\154\157\142\141\154\123\151\147\156\040\122\157\157\164\040
+\103\101\060\036\027\015\071\070\060\071\060\061\061\062\060\060
+\060\060\132\027\015\061\064\060\061\062\070\061\062\060\060\060
+\060\132\060\127\061\013\060\011\006\003\125\004\006\023\002\102
+\105\061\031\060\027\006\003\125\004\012\023\020\107\154\157\142
+\141\154\123\151\147\156\040\156\166\055\163\141\061\020\060\016
+\006\003\125\004\013\023\007\122\157\157\164\040\103\101\061\033
+\060\031\006\003\125\004\003\023\022\107\154\157\142\141\154\123
+\151\147\156\040\122\157\157\164\040\103\101\060\202\001\042\060
+\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202
+\001\017\000\060\202\001\012\002\202\001\001\000\332\016\346\231
+\215\316\243\343\117\212\176\373\361\213\203\045\153\352\110\037
+\361\052\260\271\225\021\004\275\360\143\321\342\147\146\317\034
+\335\317\033\110\053\356\215\211\216\232\257\051\200\145\253\351
+\307\055\022\313\253\034\114\160\007\241\075\012\060\315\025\215
+\117\370\335\324\214\120\025\034\357\120\356\304\056\367\374\351
+\122\362\221\175\340\155\325\065\060\216\136\103\163\362\101\351
+\325\152\343\262\211\072\126\071\070\157\006\074\210\151\133\052
+\115\305\247\124\270\154\211\314\233\371\074\312\345\375\211\365
+\022\074\222\170\226\326\334\164\156\223\104\141\321\215\307\106
+\262\165\016\206\350\031\212\325\155\154\325\170\026\225\242\351
+\310\012\070\353\362\044\023\117\163\124\223\023\205\072\033\274
+\036\064\265\213\005\214\271\167\213\261\333\037\040\221\253\011
+\123\156\220\316\173\067\164\271\160\107\221\042\121\143\026\171
+\256\261\256\101\046\010\310\031\053\321\106\252\110\326\144\052
+\327\203\064\377\054\052\301\154\031\103\112\007\205\347\323\174
+\366\041\150\357\352\362\122\237\177\223\220\317\002\003\001\000
+\001\243\102\060\100\060\016\006\003\125\035\017\001\001\377\004
+\004\003\002\000\006\060\035\006\003\125\035\016\004\026\004\024
+\140\173\146\032\105\015\227\312\211\120\057\175\004\315\064\250
+\377\374\375\113\060\017\006\003\125\035\023\001\001\377\004\005
+\060\003\001\001\377\060\015\006\011\052\206\110\206\367\015\001
+\001\004\005\000\003\202\001\001\000\256\252\237\374\267\322\313
+\037\137\071\051\050\030\236\064\311\154\117\157\032\360\144\242
+\160\112\117\023\206\233\140\050\236\350\201\111\230\175\012\273
+\345\260\235\075\066\333\217\005\121\377\011\061\052\037\335\211
+\167\236\017\056\154\225\004\355\206\313\264\000\077\204\002\115
+\200\152\052\055\170\013\256\157\053\242\203\104\203\037\315\120
+\202\114\044\257\275\367\245\264\310\132\017\364\347\107\136\111
+\216\067\226\376\232\210\005\072\331\300\333\051\207\346\031\226
+\107\247\072\246\214\213\074\167\376\106\143\247\123\332\041\321
+\254\176\111\242\113\346\303\147\131\057\263\212\016\273\054\275
+\251\252\102\174\065\301\330\177\325\247\061\072\116\143\103\071
+\257\010\260\141\064\214\323\230\251\103\064\366\017\207\051\073
+\235\302\126\130\230\167\303\367\033\254\366\235\370\076\252\247
+\124\105\360\365\371\325\061\145\376\153\130\234\161\263\036\327
+\122\352\062\027\374\100\140\035\311\171\044\262\366\154\375\250
+\146\016\202\335\230\313\332\302\104\117\056\240\173\362\367\153
+\054\166\021\204\106\212\170\243\343
+END
+
+# Trust for Certificate "GlobalSign Root CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GlobalSign Root CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\057\027\077\175\351\226\147\257\245\172\370\012\242\321\261\057
+\254\203\003\070
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\253\277\352\343\153\051\246\314\246\170\065\231\357\255\053\200
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061
+\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154
+\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003
+\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031
+\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147
+\156\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\000\000\000\000\000\326\170\267\224\005
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "GlobalSign Partners CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GlobalSign Partners CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\102\105\061
+\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154
+\123\151\147\156\040\156\166\055\163\141\061\024\060\022\006\003
+\125\004\013\023\013\120\141\162\164\156\145\162\163\040\103\101
+\061\037\060\035\006\003\125\004\003\023\026\107\154\157\142\141
+\154\123\151\147\156\040\120\141\162\164\156\145\162\163\040\103
+\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061
+\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154
+\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003
+\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031
+\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147
+\156\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\000\000\000\000\000\326\170\271\321\257
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\236\060\202\002\206\240\003\002\001\002\002\013\002
+\000\000\000\000\000\326\170\271\321\257\060\015\006\011\052\206
+\110\206\367\015\001\001\004\005\000\060\127\061\013\060\011\006
+\003\125\004\006\023\002\102\105\061\031\060\027\006\003\125\004
+\012\023\020\107\154\157\142\141\154\123\151\147\156\040\156\166
+\055\163\141\061\020\060\016\006\003\125\004\013\023\007\122\157
+\157\164\040\103\101\061\033\060\031\006\003\125\004\003\023\022
+\107\154\157\142\141\154\123\151\147\156\040\122\157\157\164\040
+\103\101\060\036\027\015\071\071\060\061\062\070\061\062\060\060
+\060\060\132\027\015\060\071\060\061\062\070\061\062\060\060\060
+\060\132\060\137\061\013\060\011\006\003\125\004\006\023\002\102
+\105\061\031\060\027\006\003\125\004\012\023\020\107\154\157\142
+\141\154\123\151\147\156\040\156\166\055\163\141\061\024\060\022
+\006\003\125\004\013\023\013\120\141\162\164\156\145\162\163\040
+\103\101\061\037\060\035\006\003\125\004\003\023\026\107\154\157
+\142\141\154\123\151\147\156\040\120\141\162\164\156\145\162\163
+\040\103\101\060\202\001\042\060\015\006\011\052\206\110\206\367
+\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002
+\202\001\001\000\322\054\370\062\254\112\022\172\067\310\051\221
+\245\256\214\156\036\016\300\064\063\210\345\063\161\026\034\170
+\204\150\303\030\064\120\056\026\076\261\224\202\117\261\232\237
+\000\370\306\021\065\306\151\173\230\002\255\000\006\210\154\347
+\114\063\050\000\210\047\106\037\207\263\161\165\143\274\062\273
+\210\336\146\030\016\120\006\223\264\366\274\024\067\060\075\042
+\337\075\377\165\176\331\012\032\305\237\263\374\320\254\263\010
+\172\211\323\001\350\000\134\347\112\013\075\115\173\046\242\267
+\142\006\213\332\106\335\223\027\077\077\133\002\113\013\266\210
+\040\021\222\000\255\273\307\056\324\343\105\256\365\211\132\174
+\215\244\255\205\144\062\300\047\214\306\362\212\200\222\206\044
+\126\131\215\164\150\242\203\102\263\236\075\120\101\206\157\040
+\156\366\375\316\323\031\343\062\314\217\355\232\136\155\037\050
+\365\122\254\156\030\136\370\075\321\222\345\272\154\001\210\113
+\012\362\055\336\145\063\005\102\240\114\252\061\166\276\375\277
+\201\170\371\161\034\106\136\055\025\225\055\060\131\216\114\101
+\321\142\253\075\002\003\001\000\001\243\143\060\141\060\016\006
+\003\125\035\017\001\001\377\004\004\003\002\000\006\060\035\006
+\003\125\035\016\004\026\004\024\103\044\215\160\025\010\142\125
+\234\117\014\100\027\135\206\136\017\242\114\373\060\037\006\003
+\125\035\043\004\030\060\026\200\024\140\173\146\032\105\015\227
+\312\211\120\057\175\004\315\064\250\377\374\375\113\060\017\006
+\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015
+\006\011\052\206\110\206\367\015\001\001\004\005\000\003\202\001
+\001\000\146\355\264\210\151\021\231\202\041\203\254\241\155\213
+\233\204\255\017\055\310\036\214\312\173\176\255\252\324\216\336
+\007\326\236\105\307\245\270\234\007\071\140\045\125\032\300\117
+\031\345\317\027\051\111\211\030\065\146\345\353\050\100\116\127
+\311\257\263\344\270\040\005\243\073\225\120\221\111\224\051\175
+\054\345\210\101\245\105\210\136\235\202\047\367\322\357\133\265
+\117\237\276\376\065\145\054\125\144\237\341\121\332\042\141\167
+\272\130\116\217\306\171\131\131\156\060\200\242\117\220\156\041
+\013\255\320\150\071\220\020\233\355\042\145\157\036\021\070\346
+\177\214\322\363\071\155\107\325\041\350\352\165\072\101\321\255
+\366\026\235\135\013\041\275\363\037\143\006\045\035\301\037\065
+\161\054\353\040\031\325\301\260\354\075\345\157\355\002\007\077
+\023\173\146\222\326\104\301\230\367\137\120\213\172\133\302\157
+\155\260\321\370\345\164\240\100\067\243\045\017\344\075\312\144
+\061\223\220\134\060\173\271\071\061\232\136\114\315\271\101\117
+\120\344\075\070\256\310\146\331\307\073\135\121\107\254\233\253
+\362\255
+END
+
+# Trust for Certificate "GlobalSign Partners CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GlobalSign Partners CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\204\304\217\000\351\221\354\336\333\264\030\251\213\357\241\172
+\107\355\162\230
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\074\165\315\114\275\251\320\212\171\117\120\026\067\204\364\053
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061
+\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154
+\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003
+\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031
+\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147
+\156\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\000\000\000\000\000\326\170\271\321\257
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "GlobalSign Primary Class 1 CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GlobalSign Primary Class 1 CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\155\061\013\060\011\006\003\125\004\006\023\002\102\105\061
+\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154
+\123\151\147\156\040\156\166\055\163\141\061\033\060\031\006\003
+\125\004\013\023\022\120\162\151\155\141\162\171\040\103\154\141
+\163\163\040\061\040\103\101\061\046\060\044\006\003\125\004\003
+\023\035\107\154\157\142\141\154\123\151\147\156\040\120\162\151
+\155\141\162\171\040\103\154\141\163\163\040\061\040\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061
+\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154
+\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003
+\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031
+\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147
+\156\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\000\000\000\000\000\326\170\270\067\317
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\254\060\202\002\224\240\003\002\001\002\002\013\002
+\000\000\000\000\000\326\170\270\067\317\060\015\006\011\052\206
+\110\206\367\015\001\001\004\005\000\060\127\061\013\060\011\006
+\003\125\004\006\023\002\102\105\061\031\060\027\006\003\125\004
+\012\023\020\107\154\157\142\141\154\123\151\147\156\040\156\166
+\055\163\141\061\020\060\016\006\003\125\004\013\023\007\122\157
+\157\164\040\103\101\061\033\060\031\006\003\125\004\003\023\022
+\107\154\157\142\141\154\123\151\147\156\040\122\157\157\164\040
+\103\101\060\036\027\015\071\070\060\071\061\065\061\062\060\060
+\060\060\132\027\015\060\071\060\061\062\070\061\062\060\060\060
+\060\132\060\155\061\013\060\011\006\003\125\004\006\023\002\102
+\105\061\031\060\027\006\003\125\004\012\023\020\107\154\157\142
+\141\154\123\151\147\156\040\156\166\055\163\141\061\033\060\031
+\006\003\125\004\013\023\022\120\162\151\155\141\162\171\040\103
+\154\141\163\163\040\061\040\103\101\061\046\060\044\006\003\125
+\004\003\023\035\107\154\157\142\141\154\123\151\147\156\040\120
+\162\151\155\141\162\171\040\103\154\141\163\163\040\061\040\103
+\101\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001
+\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001
+\001\000\275\040\065\107\321\050\326\010\243\022\071\043\107\015
+\275\160\041\122\016\127\061\225\246\064\127\153\354\176\103\171
+\303\006\122\110\315\274\265\241\231\275\330\037\062\274\317\327
+\156\162\155\056\167\042\220\202\116\113\217\232\014\001\102\232
+\331\160\131\266\235\037\346\143\321\014\255\035\116\370\205\201
+\371\256\357\237\246\122\141\104\171\032\165\105\340\141\126\105
+\155\102\214\075\162\313\246\244\022\267\232\365\326\140\320\140
+\120\263\216\246\246\354\264\364\022\315\177\250\316\357\263\341
+\205\060\376\162\304\346\347\167\263\236\130\101\326\121\203\210
+\007\306\266\151\117\066\336\321\013\110\077\275\326\237\041\164
+\144\157\047\006\076\113\375\016\246\233\277\244\110\127\214\220
+\356\211\030\013\002\201\030\276\147\376\123\140\210\047\272\243
+\163\064\113\132\126\264\336\163\005\355\230\226\135\354\112\347
+\100\374\113\011\142\353\320\343\061\117\205\321\172\253\131\147
+\053\373\210\017\353\252\203\275\065\375\141\047\354\146\016\102
+\127\367\151\302\014\357\374\152\302\156\111\332\217\101\070\256
+\110\251\002\003\001\000\001\243\143\060\141\060\016\006\003\125
+\035\017\001\001\377\004\004\003\002\000\006\060\035\006\003\125
+\035\016\004\026\004\024\374\340\146\366\132\065\231\353\100\036
+\322\270\036\103\274\230\216\037\212\303\060\037\006\003\125\035
+\043\004\030\060\026\200\024\140\173\146\032\105\015\227\312\211
+\120\057\175\004\315\064\250\377\374\375\113\060\017\006\003\125
+\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006\011
+\052\206\110\206\367\015\001\001\004\005\000\003\202\001\001\000
+\233\243\010\104\316\362\220\235\161\363\062\263\005\152\265\352
+\317\051\230\336\125\076\240\026\175\006\172\104\326\257\322\372
+\023\130\214\370\034\307\253\035\264\033\357\151\150\230\134\010
+\071\217\340\367\373\110\314\041\347\270\063\333\005\252\064\044
+\154\112\345\351\173\140\336\203\263\037\012\276\101\165\374\314
+\060\110\267\301\046\035\004\063\252\266\170\355\052\313\272\126
+\227\062\156\367\061\225\056\106\362\024\356\047\307\367\142\211
+\271\134\132\323\070\212\144\365\067\264\361\263\064\162\325\325
+\041\075\113\327\170\223\327\061\146\065\036\243\330\107\111\157
+\034\255\341\200\177\370\230\044\154\163\254\016\302\032\167\002
+\243\046\007\267\307\153\135\274\202\325\052\110\035\143\317\120
+\062\246\373\034\030\107\025\012\133\014\134\070\044\232\004\230
+\250\010\110\137\174\064\207\143\253\055\215\114\000\167\224\033
+\166\272\365\026\030\243\025\257\057\224\366\051\000\166\301\025
+\027\323\351\067\115\166\324\313\113\051\131\044\254\332\112\240
+\352\143\336\137\124\261\372\363\321\105\313\305\144\264\163\041
+END
+
+# Trust for Certificate "GlobalSign Primary Class 1 CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GlobalSign Primary Class 1 CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\353\061\124\315\041\226\363\125\022\053\211\147\267\163\002\102
+\355\321\336\113
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\134\254\131\001\244\206\123\313\020\146\265\326\326\161\377\001
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061
+\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154
+\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003
+\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031
+\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147
+\156\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\000\000\000\000\000\326\170\270\067\317
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "GlobalSign Primary Class 2 CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GlobalSign Primary Class 2 CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\155\061\013\060\011\006\003\125\004\006\023\002\102\105\061
+\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154
+\123\151\147\156\040\156\166\055\163\141\061\033\060\031\006\003
+\125\004\013\023\022\120\162\151\155\141\162\171\040\103\154\141
+\163\163\040\062\040\103\101\061\046\060\044\006\003\125\004\003
+\023\035\107\154\157\142\141\154\123\151\147\156\040\120\162\151
+\155\141\162\171\040\103\154\141\163\163\040\062\040\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061
+\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154
+\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003
+\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031
+\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147
+\156\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\000\000\000\000\000\326\170\270\215\215
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\254\060\202\002\224\240\003\002\001\002\002\013\002
+\000\000\000\000\000\326\170\270\215\215\060\015\006\011\052\206
+\110\206\367\015\001\001\004\005\000\060\127\061\013\060\011\006
+\003\125\004\006\023\002\102\105\061\031\060\027\006\003\125\004
+\012\023\020\107\154\157\142\141\154\123\151\147\156\040\156\166
+\055\163\141\061\020\060\016\006\003\125\004\013\023\007\122\157
+\157\164\040\103\101\061\033\060\031\006\003\125\004\003\023\022
+\107\154\157\142\141\154\123\151\147\156\040\122\157\157\164\040
+\103\101\060\036\027\015\071\071\060\061\062\070\061\062\060\060
+\060\060\132\027\015\060\071\060\061\062\070\061\062\060\060\060
+\060\132\060\155\061\013\060\011\006\003\125\004\006\023\002\102
+\105\061\031\060\027\006\003\125\004\012\023\020\107\154\157\142
+\141\154\123\151\147\156\040\156\166\055\163\141\061\033\060\031
+\006\003\125\004\013\023\022\120\162\151\155\141\162\171\040\103
+\154\141\163\163\040\062\040\103\101\061\046\060\044\006\003\125
+\004\003\023\035\107\154\157\142\141\154\123\151\147\156\040\120
+\162\151\155\141\162\171\040\103\154\141\163\163\040\062\040\103
+\101\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001
+\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001
+\001\000\222\214\376\357\364\105\216\027\101\156\374\330\277\041
+\157\253\006\235\122\301\054\000\235\077\216\205\270\177\112\217
+\275\240\143\052\312\111\047\256\132\202\364\164\342\125\222\377
+\302\321\252\171\242\266\372\325\235\202\004\117\306\262\306\136
+\143\247\072\272\330\356\353\212\157\237\266\273\050\101\300\042
+\373\116\110\032\006\222\327\277\327\317\271\331\275\070\117\073
+\015\104\156\125\101\376\374\011\333\330\277\363\216\041\361\350
+\022\265\366\023\245\323\306\114\223\042\260\002\377\356\035\014
+\304\250\153\117\165\150\126\350\334\050\022\120\367\250\044\235
+\056\044\071\373\011\005\336\345\243\144\111\041\320\150\176\161
+\060\221\261\140\340\071\364\120\370\172\115\230\000\153\174\171
+\272\116\316\112\342\272\066\035\267\305\066\025\225\234\144\102
+\352\137\304\272\365\100\005\276\341\072\131\275\204\247\031\270
+\336\115\123\120\316\007\321\322\121\323\357\015\201\154\346\347
+\155\313\135\174\077\174\314\354\117\203\047\045\377\160\120\366
+\203\131\165\204\006\146\130\054\336\211\215\000\246\111\371\245
+\103\167\002\003\001\000\001\243\143\060\141\060\016\006\003\125
+\035\017\001\001\377\004\004\003\002\000\006\060\035\006\003\125
+\035\016\004\026\004\024\174\347\262\261\054\336\261\247\153\351
+\166\014\341\243\375\116\154\307\271\366\060\037\006\003\125\035
+\043\004\030\060\026\200\024\140\173\146\032\105\015\227\312\211
+\120\057\175\004\315\064\250\377\374\375\113\060\017\006\003\125
+\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006\011
+\052\206\110\206\367\015\001\001\004\005\000\003\202\001\001\000
+\143\335\131\316\212\171\252\230\235\116\305\211\144\067\176\212
+\223\147\057\020\352\157\047\303\215\167\155\362\134\126\224\031
+\032\151\140\060\106\135\217\362\155\105\074\216\065\227\174\057
+\270\121\342\350\211\275\210\317\047\034\010\064\134\210\301\150
+\044\333\221\205\344\317\373\373\103\215\350\045\001\033\304\016
+\367\000\102\110\206\037\044\010\130\132\214\215\362\153\107\054
+\150\221\261\151\102\375\015\215\311\046\346\222\206\246\144\156
+\222\305\316\076\074\175\161\343\043\244\253\307\325\250\251\337
+\202\247\073\350\206\325\303\117\030\343\104\320\340\334\363\305
+\150\056\376\245\057\005\204\310\176\107\102\123\153\207\112\376
+\062\377\136\076\160\214\267\250\025\314\027\302\377\106\354\320
+\354\055\264\156\022\050\251\371\100\351\353\324\146\227\123\251
+\151\125\300\251\252\262\056\315\321\151\364\276\370\273\174\151
+\356\124\246\333\236\373\132\246\076\376\232\357\224\121\113\165
+\356\330\324\341\232\361\002\126\023\211\016\247\102\213\226\213
+\205\014\033\205\276\046\256\253\246\231\274\042\361\163\337\102
+END
+
+# Trust for Certificate "GlobalSign Primary Class 2 CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GlobalSign Primary Class 2 CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\203\376\336\325\161\343\226\317\307\144\367\073\337\026\166\207
+\162\305\037\314
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\251\251\102\131\176\276\132\224\344\054\306\213\034\052\104\266
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061
+\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154
+\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003
+\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031
+\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147
+\156\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\000\000\000\000\000\326\170\270\215\215
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+
+#
+# Certificate "GlobalSign Primary Class 3 CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GlobalSign Primary Class 3 CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\155\061\013\060\011\006\003\125\004\006\023\002\102\105\061
+\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154
+\123\151\147\156\040\156\166\055\163\141\061\033\060\031\006\003
+\125\004\013\023\022\120\162\151\155\141\162\171\040\103\154\141
+\163\163\040\063\040\103\101\061\046\060\044\006\003\125\004\003
+\023\035\107\154\157\142\141\154\123\151\147\156\040\120\162\151
+\155\141\162\171\040\103\154\141\163\163\040\063\040\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061
+\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154
+\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003
+\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031
+\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147
+\156\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\000\000\000\000\000\326\170\270\326\303
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\254\060\202\002\224\240\003\002\001\002\002\013\002
+\000\000\000\000\000\326\170\270\326\303\060\015\006\011\052\206
+\110\206\367\015\001\001\004\005\000\060\127\061\013\060\011\006
+\003\125\004\006\023\002\102\105\061\031\060\027\006\003\125\004
+\012\023\020\107\154\157\142\141\154\123\151\147\156\040\156\166
+\055\163\141\061\020\060\016\006\003\125\004\013\023\007\122\157
+\157\164\040\103\101\061\033\060\031\006\003\125\004\003\023\022
+\107\154\157\142\141\154\123\151\147\156\040\122\157\157\164\040
+\103\101\060\036\027\015\071\071\060\061\062\070\061\062\060\060
+\060\060\132\027\015\060\071\060\061\062\070\061\062\060\060\060
+\060\132\060\155\061\013\060\011\006\003\125\004\006\023\002\102
+\105\061\031\060\027\006\003\125\004\012\023\020\107\154\157\142
+\141\154\123\151\147\156\040\156\166\055\163\141\061\033\060\031
+\006\003\125\004\013\023\022\120\162\151\155\141\162\171\040\103
+\154\141\163\163\040\063\040\103\101\061\046\060\044\006\003\125
+\004\003\023\035\107\154\157\142\141\154\123\151\147\156\040\120
+\162\151\155\141\162\171\040\103\154\141\163\163\040\063\040\103
+\101\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001
+\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001
+\001\000\221\136\126\145\326\300\300\004\234\277\107\304\134\173
+\172\061\001\371\130\226\231\343\034\204\057\334\126\217\255\365
+\131\201\325\103\146\135\132\223\214\165\312\251\347\021\301\121
+\020\024\140\311\054\324\173\257\306\167\206\253\172\047\256\157
+\225\271\013\312\266\106\373\176\032\364\015\024\155\322\311\116
+\262\256\360\124\366\134\100\114\066\110\164\350\124\214\145\146
+\020\247\275\053\267\040\215\005\111\255\170\175\322\044\043\120
+\343\360\264\171\233\001\071\377\257\073\323\055\356\341\111\215
+\215\057\074\152\101\105\057\233\343\075\341\022\344\221\165\236
+\317\240\076\074\222\201\157\212\056\030\334\340\362\214\214\375
+\207\331\007\364\100\224\311\116\117\103\337\147\126\157\275\003
+\120\174\231\147\244\271\074\221\154\002\156\204\326\374\106\367
+\314\157\030\076\027\360\357\013\144\026\127\346\254\206\361\110
+\252\103\301\311\047\170\163\104\105\342\205\175\272\377\263\341
+\373\033\005\244\113\073\231\022\045\001\120\024\152\257\135\352
+\310\014\356\344\332\354\113\213\134\150\023\225\334\303\265\060
+\072\327\002\003\001\000\001\243\143\060\141\060\016\006\003\125
+\035\017\001\001\377\004\004\003\002\000\006\060\035\006\003\125
+\035\016\004\026\004\024\314\066\314\027\264\105\221\057\355\317
+\073\060\110\167\373\265\024\231\276\343\060\037\006\003\125\035
+\043\004\030\060\026\200\024\140\173\146\032\105\015\227\312\211
+\120\057\175\004\315\064\250\377\374\375\113\060\017\006\003\125
+\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006\011
+\052\206\110\206\367\015\001\001\004\005\000\003\202\001\001\000
+\127\262\124\314\275\225\027\144\140\211\266\123\221\014\105\222
+\303\075\250\154\303\314\262\030\365\170\101\164\330\175\243\047
+\257\167\015\131\076\224\035\151\372\211\323\014\275\032\001\364
+\077\350\340\167\032\202\050\132\346\142\327\267\343\066\311\016
+\237\172\343\302\323\314\131\211\014\357\026\213\360\066\167\042
+\312\244\266\267\301\102\147\001\100\143\314\347\070\144\207\133
+\024\226\146\173\055\024\356\275\111\155\377\167\320\342\116\133
+\323\200\302\115\017\312\270\235\201\227\247\064\156\307\343\234
+\110\345\264\252\105\365\366\145\114\110\362\022\302\322\223\214
+\302\025\044\363\053\122\377\343\010\256\270\156\326\054\022\317
+\071\313\022\052\347\251\173\137\230\075\243\341\314\246\143\211
+\134\175\061\165\371\325\326\135\362\320\324\075\337\236\161\250
+\016\334\344\040\227\170\346\177\123\244\015\121\117\216\073\003
+\256\243\015\132\115\303\171\347\065\130\160\102\311\136\241\136
+\264\331\042\243\104\123\065\244\320\317\163\200\305\317\237\126
+\230\166\371\024\114\167\207\202\311\334\176\135\064\325\066\165
+END
+
+# Trust for Certificate "GlobalSign Primary Class 3 CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GlobalSign Primary Class 3 CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\164\003\311\063\110\252\304\367\016\051\364\320\025\022\364\106
+\111\017\165\214
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\230\022\243\113\225\251\226\144\224\347\120\214\076\341\203\132
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\127\061\013\060\011\006\003\125\004\006\023\002\102\105\061
+\031\060\027\006\003\125\004\012\023\020\107\154\157\142\141\154
+\123\151\147\156\040\156\166\055\163\141\061\020\060\016\006\003
+\125\004\013\023\007\122\157\157\164\040\103\101\061\033\060\031
+\006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147
+\156\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\000\000\000\000\000\326\170\270\326\303
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+
+#
+# Certificate "ValiCert Class 1 VA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "ValiCert Class 1 VA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052
+\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060
+\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164
+\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167
+\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141
+\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063
+\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040
+\103\154\141\163\163\040\061\040\120\157\154\151\143\171\040\126
+\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162
+\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164
+\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162
+\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206
+\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151
+\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066
+\062\065\062\062\062\063\064\070\132\027\015\061\071\060\066\062
+\065\062\062\062\063\064\070\132\060\201\273\061\044\060\042\006
+\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126
+\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162
+\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151
+\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003
+\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154
+\141\163\163\040\061\040\120\157\154\151\143\171\040\126\141\154
+\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160
+\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056
+\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015
+\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145
+\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110
+\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
+\201\201\000\330\131\202\172\211\270\226\272\246\057\150\157\130
+\056\247\124\034\006\156\364\352\215\110\274\061\224\027\360\363
+\116\274\262\270\065\222\166\260\320\245\245\001\327\000\003\022
+\042\031\010\370\377\021\043\233\316\007\365\277\151\032\046\376
+\116\351\321\177\235\054\100\035\131\150\156\246\370\130\260\235
+\032\217\323\077\361\334\031\006\201\250\016\340\072\335\310\123
+\105\011\006\346\017\160\303\372\100\246\016\342\126\005\017\030
+\115\374\040\202\321\163\125\164\215\166\162\240\035\235\035\300
+\335\077\161\002\003\001\000\001\060\015\006\011\052\206\110\206
+\367\015\001\001\005\005\000\003\201\201\000\120\150\075\111\364
+\054\034\006\224\337\225\140\177\226\173\027\376\117\161\255\144
+\310\335\167\322\357\131\125\350\077\350\216\005\052\041\362\007
+\322\265\247\122\376\234\261\266\342\133\167\027\100\352\162\326
+\043\313\050\201\062\303\000\171\030\354\131\027\211\311\306\152
+\036\161\311\375\267\164\245\045\105\151\305\110\253\031\341\105
+\212\045\153\031\356\345\273\022\365\177\367\246\215\121\303\360
+\235\164\267\251\076\240\245\377\266\111\003\023\332\042\314\355
+\161\202\053\231\317\072\267\365\055\162\310
+END
+
+# Trust for Certificate "ValiCert Class 1 VA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "ValiCert Class 1 VA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\345\337\164\074\266\001\304\233\230\103\334\253\214\350\152\201
+\020\237\344\216
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\145\130\253\025\255\127\154\036\250\247\265\151\254\277\377\353
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\061\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "ValiCert Class 2 VA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "ValiCert Class 2 VA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052
+\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060
+\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164
+\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167
+\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141
+\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063
+\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040
+\103\154\141\163\163\040\062\040\120\157\154\151\143\171\040\126
+\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162
+\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164
+\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162
+\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206
+\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151
+\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066
+\062\066\060\060\061\071\065\064\132\027\015\061\071\060\066\062
+\066\060\060\061\071\065\064\132\060\201\273\061\044\060\042\006
+\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126
+\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162
+\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151
+\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003
+\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154
+\141\163\163\040\062\040\120\157\154\151\143\171\040\126\141\154
+\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160
+\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056
+\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015
+\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145
+\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110
+\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
+\201\201\000\316\072\161\312\345\253\310\131\222\125\327\253\330
+\164\016\371\356\331\366\125\107\131\145\107\016\005\125\334\353
+\230\066\074\134\123\135\323\060\317\070\354\275\101\211\355\045
+\102\011\044\153\012\136\263\174\335\122\055\114\346\324\326\175
+\132\131\251\145\324\111\023\055\044\115\034\120\157\265\301\205
+\124\073\376\161\344\323\134\102\371\200\340\221\032\012\133\071
+\066\147\363\077\125\174\033\077\264\137\144\163\064\343\264\022
+\277\207\144\370\332\022\377\067\047\301\263\103\273\357\173\156
+\056\151\367\002\003\001\000\001\060\015\006\011\052\206\110\206
+\367\015\001\001\005\005\000\003\201\201\000\073\177\120\157\157
+\120\224\231\111\142\070\070\037\113\370\245\310\076\247\202\201
+\366\053\307\350\305\316\350\072\020\202\313\030\000\216\115\275
+\250\130\177\241\171\000\265\273\351\215\257\101\331\017\064\356
+\041\201\031\240\062\111\050\364\304\216\126\325\122\063\375\120
+\325\176\231\154\003\344\311\114\374\313\154\253\146\263\112\041
+\214\345\265\014\062\076\020\262\314\154\241\334\232\230\114\002
+\133\363\316\271\236\245\162\016\112\267\077\074\346\026\150\370
+\276\355\164\114\274\133\325\142\037\103\335
+END
+
+# Trust for Certificate "ValiCert Class 2 VA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "ValiCert Class 2 VA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\061\172\052\320\177\053\063\136\365\241\303\116\113\127\350\267
+\330\361\374\246
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\251\043\165\233\272\111\066\156\061\302\333\362\347\146\272\207
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\062\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "ValiCert Class 3 VA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "ValiCert Class 3 VA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\347\060\202\002\120\002\001\001\060\015\006\011\052
+\206\110\206\367\015\001\001\005\005\000\060\201\273\061\044\060
+\042\006\003\125\004\007\023\033\126\141\154\151\103\145\162\164
+\040\126\141\154\151\144\141\164\151\157\156\040\116\145\164\167
+\157\162\153\061\027\060\025\006\003\125\004\012\023\016\126\141
+\154\151\103\145\162\164\054\040\111\156\143\056\061\065\060\063
+\006\003\125\004\013\023\054\126\141\154\151\103\145\162\164\040
+\103\154\141\163\163\040\063\040\120\157\154\151\143\171\040\126
+\141\154\151\144\141\164\151\157\156\040\101\165\164\150\157\162
+\151\164\171\061\041\060\037\006\003\125\004\003\023\030\150\164
+\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145\162
+\164\056\143\157\155\057\061\040\060\036\006\011\052\206\110\206
+\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154\151
+\143\145\162\164\056\143\157\155\060\036\027\015\071\071\060\066
+\062\066\060\060\062\062\063\063\132\027\015\061\071\060\066\062
+\066\060\060\062\062\063\063\132\060\201\273\061\044\060\042\006
+\003\125\004\007\023\033\126\141\154\151\103\145\162\164\040\126
+\141\154\151\144\141\164\151\157\156\040\116\145\164\167\157\162
+\153\061\027\060\025\006\003\125\004\012\023\016\126\141\154\151
+\103\145\162\164\054\040\111\156\143\056\061\065\060\063\006\003
+\125\004\013\023\054\126\141\154\151\103\145\162\164\040\103\154
+\141\163\163\040\063\040\120\157\154\151\143\171\040\126\141\154
+\151\144\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160
+\072\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056
+\143\157\155\057\061\040\060\036\006\011\052\206\110\206\367\015
+\001\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145
+\162\164\056\143\157\155\060\201\237\060\015\006\011\052\206\110
+\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
+\201\201\000\343\230\121\226\034\350\325\261\006\201\152\127\303
+\162\165\223\253\317\236\246\374\363\026\122\326\055\115\237\065
+\104\250\056\004\115\007\111\212\070\051\365\167\067\347\267\253
+\135\337\066\161\024\231\217\334\302\222\361\347\140\222\227\354
+\330\110\334\277\301\002\040\306\044\244\050\114\060\132\166\155
+\261\134\363\335\336\236\020\161\241\210\307\133\233\101\155\312
+\260\270\216\025\356\255\063\053\317\107\004\134\165\161\012\230
+\044\230\051\247\111\131\245\335\370\267\103\142\141\363\323\342
+\320\125\077\002\003\001\000\001\060\015\006\011\052\206\110\206
+\367\015\001\001\005\005\000\003\201\201\000\126\273\002\130\204
+\147\010\054\337\037\333\173\111\063\365\323\147\235\364\264\012
+\020\263\311\305\054\342\222\152\161\170\047\362\160\203\102\323
+\076\317\251\124\364\361\330\222\026\214\321\004\313\113\253\311
+\237\105\256\074\212\251\260\161\063\135\310\305\127\337\257\250
+\065\263\177\211\207\351\350\045\222\270\177\205\172\256\326\274
+\036\067\130\052\147\311\221\317\052\201\076\355\306\071\337\300
+\076\031\234\031\314\023\115\202\101\265\214\336\340\075\140\010
+\040\017\105\176\153\242\177\243\214\025\356
+END
+
+# Trust for Certificate "ValiCert Class 3 VA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "ValiCert Class 3 VA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\151\275\214\364\234\323\000\373\131\056\027\223\312\125\152\363
+\354\252\065\373
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\242\157\123\267\356\100\333\112\150\347\372\030\331\020\113\162
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\273\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\065\060\063\006\003\125\004\013\023\054\126\141\154
+\151\103\145\162\164\040\103\154\141\163\163\040\063\040\120\157
+\154\151\143\171\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\003\125
+\004\003\023\030\150\164\164\160\072\057\057\167\167\167\056\166
+\141\154\151\143\145\162\164\056\143\157\155\057\061\040\060\036
+\006\011\052\206\110\206\367\015\001\011\001\026\021\151\156\146
+\157\100\166\141\154\151\143\145\162\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Thawte Universal CA Root"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Thawte Universal CA Root"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\127\061\017\060\015\006\003\125\004\012\023\006\124\150\141
+\167\164\145\061\041\060\037\006\003\125\004\013\023\030\124\150
+\141\167\164\145\040\125\156\151\166\145\162\163\141\154\040\103
+\101\040\122\157\157\164\061\041\060\037\006\003\125\004\003\023
+\030\124\150\141\167\164\145\040\125\156\151\166\145\162\163\141
+\154\040\103\101\040\122\157\157\164
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\127\061\017\060\015\006\003\125\004\012\023\006\124\150\141
+\167\164\145\061\041\060\037\006\003\125\004\013\023\030\124\150
+\141\167\164\145\040\125\156\151\166\145\162\163\141\154\040\103
+\101\040\122\157\157\164\061\041\060\037\006\003\125\004\003\023
+\030\124\150\141\167\164\145\040\125\156\151\166\145\162\163\141
+\154\040\103\101\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\021\042\060\202\011\012\002\001\000\060\015\006\011\052
+\206\110\206\367\015\001\001\005\005\000\060\127\061\017\060\015
+\006\003\125\004\012\023\006\124\150\141\167\164\145\061\041\060
+\037\006\003\125\004\013\023\030\124\150\141\167\164\145\040\125
+\156\151\166\145\162\163\141\154\040\103\101\040\122\157\157\164
+\061\041\060\037\006\003\125\004\003\023\030\124\150\141\167\164
+\145\040\125\156\151\166\145\162\163\141\154\040\103\101\040\122
+\157\157\164\060\036\027\015\071\071\061\062\060\065\061\063\065
+\066\060\065\132\027\015\063\067\060\064\060\063\061\063\065\066
+\060\065\132\060\127\061\017\060\015\006\003\125\004\012\023\006
+\124\150\141\167\164\145\061\041\060\037\006\003\125\004\013\023
+\030\124\150\141\167\164\145\040\125\156\151\166\145\162\163\141
+\154\040\103\101\040\122\157\157\164\061\041\060\037\006\003\125
+\004\003\023\030\124\150\141\167\164\145\040\125\156\151\166\145
+\162\163\141\154\040\103\101\040\122\157\157\164\060\202\010\042
+\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
+\202\010\017\000\060\202\010\012\002\202\010\001\000\342\211\005
+\155\303\177\255\246\211\072\377\273\307\315\235\067\261\341\322
+\041\036\233\141\052\025\347\173\127\117\125\074\320\273\371\331
+\075\076\246\274\354\264\255\123\232\026\002\353\013\162\375\212
+\362\217\104\005\305\353\323\345\275\266\104\071\346\373\107\277
+\152\236\012\225\030\342\150\342\326\226\326\041\255\210\375\365
+\027\365\323\332\102\245\220\355\051\225\226\165\072\332\207\241
+\324\365\323\207\336\005\142\246\343\146\164\222\317\245\274\273
+\337\150\377\161\165\126\101\131\065\353\063\132\146\121\362\322
+\243\012\301\214\316\163\134\021\157\055\214\225\214\221\261\375
+\317\345\255\126\225\314\205\222\203\220\125\101\311\302\167\355
+\371\243\164\102\012\150\010\363\320\321\145\375\147\054\064\377
+\044\177\347\171\310\007\073\045\127\335\244\014\230\075\276\340
+\314\031\145\333\362\124\242\257\102\324\235\342\256\204\043\045
+\011\063\022\265\152\036\166\304\213\331\111\000\154\136\272\037
+\362\033\332\147\312\047\252\243\104\043\033\203\202\316\362\253
+\063\355\124\244\334\311\253\131\145\321\070\016\301\076\033\147
+\217\326\165\001\340\125\042\335\166\167\354\216\335\364\317\171
+\042\155\271\127\003\365\231\010\247\074\076\064\373\304\027\256
+\043\130\315\044\363\043\312\152\002\050\224\001\201\064\264\154
+\153\256\213\032\303\243\322\011\074\026\124\365\066\137\044\343
+\237\112\241\342\144\306\026\303\246\201\172\044\066\107\216\301
+\136\016\373\371\025\170\004\326\016\131\331\235\130\146\142\322
+\224\051\062\062\310\170\271\146\366\265\126\341\154\306\024\113
+\226\122\131\221\002\044\152\125\107\327\077\266\043\032\140\167
+\227\056\342\100\257\236\004\127\236\255\021\305\311\103\160\357
+\110\264\136\254\034\151\056\056\202\325\133\213\276\202\276\031
+\024\136\347\015\042\307\121\033\377\036\233\361\060\217\161\061
+\006\263\064\047\217\137\172\146\202\117\212\055\023\253\102\317
+\041\126\236\227\216\146\066\017\226\233\345\053\364\002\251\052
+\152\214\054\304\303\270\160\054\055\051\036\077\120\167\036\155
+\052\124\344\125\012\221\070\241\305\265\146\242\166\132\356\017
+\277\264\147\341\050\156\017\341\066\241\202\321\277\324\167\341
+\304\147\062\223\170\310\347\124\123\376\043\171\346\150\314\046
+\220\366\020\143\135\052\157\221\055\244\163\062\121\041\362\273
+\025\337\252\044\010\110\006\336\241\236\046\277\272\203\277\174
+\244\310\240\214\275\322\377\274\204\151\047\023\044\030\304\105
+\030\043\046\136\030\024\312\056\210\207\142\243\123\346\041\267
+\270\205\173\232\205\273\025\046\162\370\271\367\152\164\017\111
+\077\222\276\251\005\267\231\047\277\277\011\027\113\231\114\255
+\021\020\174\337\164\061\366\217\046\137\252\210\256\070\127\310
+\125\055\323\373\330\033\121\231\276\045\033\072\272\300\175\033
+\355\316\322\111\271\317\363\305\175\211\220\201\330\151\110\040
+\020\243\370\357\222\121\030\062\213\021\030\300\077\033\205\126
+\316\127\311\362\202\144\306\337\002\011\056\112\021\057\261\047
+\155\067\122\360\360\026\141\361\147\215\337\207\162\257\207\332
+\317\373\120\224\156\324\224\205\353\212\054\352\041\365\226\112
+\104\325\340\316\152\164\104\115\320\005\323\207\025\355\066\320
+\244\213\146\125\160\223\356\107\006\301\176\056\245\030\171\147
+\363\050\205\361\160\367\016\203\244\176\124\236\132\166\062\313
+\145\033\270\315\373\310\050\003\322\124\221\321\247\305\205\103
+\010\027\166\245\346\057\147\010\330\241\242\202\055\014\370\301
+\257\143\324\120\167\155\153\106\112\101\205\325\220\137\171\055
+\304\354\327\021\207\100\212\341\150\342\144\370\125\062\373\157
+\223\054\332\167\331\041\301\027\345\066\054\116\176\220\177\254
+\224\053\062\147\276\070\120\166\270\256\101\271\327\041\305\011
+\114\140\310\243\121\304\064\233\127\067\337\313\311\063\127\213
+\353\373\166\237\031\115\305\152\037\052\105\256\053\355\057\215
+\247\245\000\313\004\372\045\142\056\164\110\033\312\052\214\272
+\333\266\176\366\273\002\174\251\303\333\130\170\241\277\360\376
+\032\020\125\021\316\350\151\116\226\145\306\027\003\326\007\150
+\214\124\202\256\034\042\125\077\361\364\011\227\050\300\106\367
+\116\013\045\035\367\007\327\011\035\072\030\127\070\073\350\063
+\006\347\217\170\106\036\133\365\006\266\354\270\246\015\361\272
+\023\113\326\030\040\335\151\063\112\063\025\256\270\310\230\212
+\047\054\223\274\055\373\356\063\277\146\346\115\272\266\233\006
+\125\140\227\113\274\104\315\176\364\241\330\252\057\300\002\050
+\041\026\142\170\333\010\124\362\374\364\064\343\306\217\034\103
+\127\316\220\032\113\334\056\073\050\221\211\077\172\332\065\035
+\216\054\356\111\354\364\063\255\311\123\250\214\237\004\123\076
+\044\034\122\311\022\371\142\127\243\274\356\054\353\100\174\040
+\043\160\053\225\371\163\027\212\321\301\034\151\246\267\070\232
+\147\367\160\035\172\132\014\100\317\142\017\205\074\302\002\116
+\176\265\366\305\052\051\204\263\037\067\052\341\252\162\102\304
+\355\153\032\217\222\034\135\276\321\362\133\362\253\252\251\322
+\365\270\244\101\053\053\221\156\022\110\312\230\330\067\215\310
+\355\000\060\265\266\004\116\176\234\332\204\354\300\372\173\345
+\035\210\244\123\106\260\224\344\134\033\241\045\054\017\110\122
+\167\227\011\154\354\133\030\063\203\002\345\202\176\315\205\041
+\060\021\375\047\117\317\344\036\354\077\245\127\154\351\052\060
+\031\052\210\345\303\151\070\253\157\071\161\177\204\341\101\303
+\341\314\052\211\040\122\056\203\017\154\071\077\113\055\026\254
+\055\360\044\254\000\163\364\233\263\006\077\005\270\024\205\037
+\253\236\134\074\236\142\235\016\155\073\200\011\374\002\352\242
+\227\164\312\307\371\343\126\341\303\312\245\246\232\300\220\340
+\044\022\123\322\302\213\332\276\355\002\103\136\147\341\211\230
+\171\356\313\252\312\303\033\334\347\245\106\245\174\153\026\207
+\266\132\050\327\333\047\074\136\245\275\266\121\335\037\103\317
+\073\046\310\072\215\045\141\301\111\364\074\033\311\104\352\257
+\034\302\053\224\001\052\016\060\321\133\213\053\107\345\303\321
+\004\003\233\016\071\054\326\047\324\346\160\132\331\165\317\052
+\330\311\000\005\344\023\210\354\303\071\373\207\141\060\066\103
+\003\310\236\234\242\006\302\057\305\374\360\200\143\261\124\004
+\240\114\251\056\306\365\166\172\330\320\344\324\224\021\345\025
+\265\170\006\334\270\200\217\231\251\040\063\075\020\205\114\145
+\011\312\076\130\136\140\223\232\252\142\135\300\121\006\034\135
+\140\240\015\234\113\103\366\247\026\041\244\207\252\362\301\056
+\356\222\060\270\236\337\337\020\001\213\206\011\160\330\154\250
+\267\120\036\026\226\264\367\147\375\065\072\041\220\052\062\307
+\000\173\115\007\020\011\271\057\163\330\030\176\147\231\004\117
+\006\374\120\307\205\233\235\100\235\263\226\067\372\245\334\262
+\162\116\357\116\011\054\375\221\375\115\367\273\246\241\076\253
+\173\242\003\100\246\251\125\047\342\372\371\031\316\207\165\252
+\361\165\066\363\363\270\221\370\221\303\213\165\023\216\114\145
+\232\026\071\152\345\064\350\172\226\131\177\065\260\000\375\133
+\151\374\103\046\372\365\050\156\376\207\331\176\044\373\264\240
+\202\156\124\242\377\256\277\142\264\364\162\001\302\313\230\107
+\230\341\114\265\027\200\200\316\217\246\050\356\036\105\152\373
+\337\361\035\374\132\073\326\352\364\154\035\142\111\127\073\212
+\217\206\352\360\123\004\316\234\026\150\377\272\271\374\210\017
+\107\367\002\104\162\100\270\312\073\055\123\235\334\074\126\214
+\131\173\150\032\054\215\161\273\154\000\307\032\316\157\100\222
+\261\243\057\017\331\104\362\243\160\056\236\356\016\256\062\320
+\073\076\213\007\352\346\171\263\134\051\342\175\153\250\136\371
+\132\061\350\010\226\242\214\003\230\106\361\270\175\220\124\046
+\355\166\142\376\236\351\232\156\136\311\111\307\134\064\123\051
+\124\331\354\344\106\341\200\073\165\331\337\373\171\325\207\361
+\272\236\353\031\316\114\122\163\346\133\207\256\045\117\071\171
+\314\306\270\371\020\173\354\360\233\161\244\005\240\323\051\323
+\116\177\037\364\055\050\170\314\125\225\173\036\221\057\314\126
+\030\163\213\262\333\274\151\007\346\320\330\117\355\242\377\130
+\205\243\155\340\112\123\267\147\175\215\014\134\133\173\167\050
+\002\065\104\172\004\323\050\103\310\153\060\027\135\062\270\051
+\065\272\166\332\073\024\112\166\030\130\244\370\222\074\236\115
+\063\157\106\153\010\331\061\110\150\335\364\373\044\126\064\262
+\317\151\146\276\110\322\212\146\042\315\362\151\315\302\123\023
+\105\051\101\042\326\135\230\037\266\244\262\243\302\356\002\057
+\121\033\334\203\244\354\160\045\250\324\010\141\062\157\344\241
+\201\056\174\143\162\372\051\145\274\160\104\317\135\002\003\001
+\000\001\060\015\006\011\052\206\110\206\367\015\001\001\005\005
+\000\003\202\010\001\000\125\232\064\152\042\006\151\011\105\063
+\307\256\251\134\307\011\116\233\206\274\101\220\324\224\122\366
+\315\043\051\224\113\042\315\350\275\376\235\315\122\362\275\355
+\253\207\311\253\253\106\004\264\275\242\077\042\060\107\120\300
+\113\214\166\017\003\365\222\322\261\055\304\172\065\234\311\163
+\207\353\246\237\336\017\163\215\323\177\231\330\272\217\157\304
+\363\276\032\256\213\242\224\066\220\342\345\353\215\005\364\374
+\145\337\225\361\304\224\115\027\126\327\237\074\217\120\074\347
+\167\277\225\206\046\144\373\152\377\306\332\351\214\256\102\273
+\151\345\063\306\330\351\015\306\125\041\111\301\014\264\243\371
+\233\113\134\336\203\117\101\003\316\052\171\150\070\175\360\124
+\111\040\365\266\020\377\010\334\063\146\226\233\377\006\336\000
+\236\327\316\126\103\232\121\374\160\315\366\360\121\243\267\315
+\264\134\205\142\315\161\267\306\053\043\053\335\303\156\100\102
+\372\067\377\067\034\366\172\127\224\207\205\043\327\324\311\307
+\137\301\115\057\311\015\327\134\354\234\045\356\236\060\202\221
+\226\162\270\165\035\370\011\150\127\227\262\055\113\356\045\354
+\172\044\051\356\162\324\234\023\333\253\334\003\012\330\112\024
+\311\010\127\104\135\241\265\123\200\064\362\024\227\317\122\336
+\242\016\212\020\351\024\357\320\140\276\141\241\361\045\135\325
+\030\163\077\223\020\312\226\356\263\100\322\333\243\125\317\127
+\132\245\016\117\165\107\337\352\367\220\232\155\365\160\056\035
+\024\034\067\144\004\131\120\260\334\162\206\157\234\067\075\135
+\050\257\163\125\357\322\356\044\164\164\023\357\334\333\061\111
+\373\077\143\365\323\010\076\063\245\347\235\012\336\123\054\121
+\216\147\333\233\101\145\101\120\275\324\244\226\154\207\274\022
+\340\224\307\323\300\344\313\163\130\000\203\341\254\047\205\326
+\235\123\235\134\275\012\076\003\103\234\014\221\365\155\173\370
+\100\162\165\253\021\166\221\053\341\306\252\037\160\151\166\160
+\025\011\376\223\320\326\055\267\025\152\233\147\134\264\151\237
+\045\246\175\212\373\175\042\251\161\362\316\116\214\270\041\055
+\336\376\101\161\015\377\235\354\163\246\273\007\117\210\016\130
+\107\056\176\251\302\307\170\335\272\172\236\116\340\060\116\143
+\157\205\324\040\101\351\372\376\103\105\347\373\257\172\262\316
+\244\005\035\042\232\130\206\337\344\316\114\251\376\330\026\245
+\157\373\330\316\126\173\365\326\040\357\344\107\315\143\044\377
+\271\276\361\110\243\301\001\162\346\275\300\255\355\046\015\312
+\064\237\374\002\055\040\117\005\040\256\041\075\014\302\040\074
+\077\360\004\204\334\317\211\375\271\045\221\216\320\103\346\263
+\040\253\134\055\325\100\236\240\113\330\364\262\314\175\361\130
+\012\216\207\355\210\254\066\226\344\126\240\021\212\362\232\320
+\263\127\243\064\273\031\253\070\341\164\153\042\304\061\316\001
+\325\033\066\343\036\070\114\063\223\337\100\343\131\127\116\254
+\156\173\036\132\075\305\035\133\254\310\020\202\065\002\042\262
+\374\165\350\020\221\215\304\175\170\223\107\236\034\235\254\153
+\142\002\130\214\326\034\043\326\257\170\302\200\234\244\252\044
+\124\024\265\024\230\306\370\053\032\044\313\161\062\012\342\233
+\016\151\153\335\176\214\144\321\056\143\357\016\177\261\076\210
+\114\235\125\345\311\156\027\004\267\101\377\275\212\101\313\045
+\061\157\104\167\077\107\261\374\201\210\007\216\005\111\040\267
+\021\331\151\003\052\003\235\271\063\204\232\337\337\172\343\106
+\163\243\330\242\214\123\031\210\125\114\164\270\366\104\204\053
+\321\024\055\116\071\056\222\150\377\151\374\205\142\033\353\125
+\117\357\045\204\142\105\231\326\330\116\157\077\123\010\175\035
+\006\225\201\200\177\117\116\164\066\230\265\342\207\160\230\334
+\327\365\334\122\025\346\306\326\171\226\071\177\217\225\317\253
+\200\123\255\033\013\105\100\016\324\030\275\054\336\212\167\166
+\375\362\104\107\306\041\320\344\164\360\330\030\005\310\174\060
+\162\307\337\361\273\374\002\060\251\364\102\046\131\015\223\005
+\202\241\163\355\064\345\070\135\315\120\220\376\224\374\023\274
+\275\374\250\242\210\247\163\304\262\250\321\135\210\304\002\242
+\172\361\004\311\376\214\164\311\357\035\144\101\237\254\036\226
+\147\144\254\253\050\101\307\235\367\300\230\033\156\007\302\144
+\175\132\203\146\126\050\066\234\347\373\034\167\016\050\240\304
+\367\153\171\071\004\040\204\307\127\223\274\033\240\352\274\353
+\102\345\250\021\376\374\254\145\314\375\370\050\210\364\245\232
+\345\163\121\340\250\233\015\003\167\116\345\340\230\263\210\332
+\175\346\306\236\174\024\146\301\056\123\112\222\007\067\240\176
+\351\075\011\344\025\174\317\375\270\101\245\357\236\146\235\304
+\136\007\035\207\370\101\255\352\347\057\322\101\143\030\067\371
+\024\343\115\320\345\367\103\375\025\343\371\066\163\006\046\337
+\001\117\251\303\116\336\040\106\167\230\264\172\044\053\073\165
+\053\116\130\215\233\135\244\307\026\240\274\062\210\077\241\203
+\363\000\310\370\330\130\351\143\135\114\053\265\360\162\101\330
+\253\167\067\326\162\164\256\266\066\234\310\246\203\111\113\340
+\311\126\013\051\276\000\060\313\335\326\310\102\212\000\331\354
+\025\321\064\161\362\133\144\207\366\047\322\267\353\206\260\220
+\277\051\333\041\236\066\214\343\040\057\225\043\121\154\033\302
+\244\325\346\330\002\103\147\240\376\233\120\003\104\177\273\344
+\162\325\321\344\332\217\222\024\144\373\135\024\020\022\112\225
+\006\311\145\010\051\312\041\243\046\070\021\311\047\337\160\147
+\004\375\312\110\062\177\143\262\105\164\061\120\117\207\331\040
+\160\322\041\160\261\326\020\235\063\135\170\203\221\155\125\202
+\354\332\344\142\143\307\201\106\327\031\145\162\052\103\031\220
+\270\327\043\115\114\034\340\104\251\146\147\254\356\161\171\047
+\046\170\155\162\016\365\135\113\043\265\174\174\145\351\027\306
+\072\013\015\335\136\036\121\303\206\270\354\177\307\047\112\245
+\106\350\152\055\031\301\207\243\313\231\223\207\144\242\125\024
+\114\267\103\245\223\327\347\322\116\171\100\312\145\231\106\075
+\077\172\200\172\210\152\314\036\345\153\063\106\364\120\300\325
+\037\011\270\315\212\056\241\047\353\135\163\247\350\153\012\345
+\127\202\052\260\374\342\124\122\126\360\253\251\022\306\043\226
+\007\044\234\340\274\106\245\264\040\004\332\011\223\143\345\324
+\056\302\176\305\061\355\265\025\164\206\027\271\263\363\046\212
+\035\002\152\332\032\077\350\272\361\004\155\224\121\124\342\132
+\264\131\203\035\140\320\055\163\314\007\265\046\214\371\327\306
+\210\221\357\200\317\135\017\241\140\313\105\324\102\042\321\261
+\160\035\375\320\267\060\220\072\306\110\155\147\345\062\332\217
+\333\343\250\343\035\040\045\242\034\341\114\271\244\366\306\077
+\134\130\015\273\306\262\167\001\026\221\237\027\006\015\267\100
+\076\314\217\216\234\113\340\235\176\233\036\005\253\210\042\372
+\323\050\033\127\024\144\112\076\044\054\070\115\041\151\000\163
+\056\320\125\055\164\362\025\350\224\103\076\100\052\306\306\271
+\152\133\336\242\314\030\120\124\135\116\052\205\154\366\222\213
+\051\031\176\347\352\112\340\042\053\045\274\367\146\317\167\232
+\101\164\362\074\024\015\164\151\365\120\203\315\315\057\041\333
+\042\106\212\320\367\121\032\225\127\362\005\213\032\031\355\073
+\105\350\066\302\156\176\373\127\042\000\037\006\123\251\256\223
+\306\217\161\052\061\105\222\347\216\155\346\231\042\300\203\374
+\357\334\127\146\167\117\242\066\061\373\241\023\215\345\312\243
+\225\175\001\014\144\160\073\123\102\150\200\307\273\235\250\000
+\065\151\230\014\250\147\330\103\345\252\317\225\340\121\225\244
+\027\077\102\235\270\004\316\323\171\171\310\323\212\026\062\222
+\340\327\242\356\327\067\114\057\254\270\173\276\105\366\361\030
+\063\234\173\067\246\044\331\274\100\253\000\351\303\067\213\253
+\330\266\363\136\201\116\260\024\153\007\076\037\354\302\366\104
+\042\225\273\263\346\157\326\371\160\145\272\012\203\145\252\016
+\023\057\203\023\043\123\213\100\026\372\316\057\374\115\004\370
+\353\330\254\305\066\302\025\127\110\070\354\125\263\264\036\272
+\255\322\102\006\027\015\163\310\127\246\276\226\115\251\362\300
+\373\172\041\034\365\311\160\251\202\220\265\361\014\324\171\020
+\276\201\246\351\134\141\234\167\171\232\244\303\067\046\127\067
+\311\122\054\372\010\377\320\137\306\141\300\364\166\276\374\336
+\116\317\253\121\231\161\307\337\176\364\326\317\006\126\031\023
+\123\013\155\164\131\110\031\233\123\005\055\235\062\124\323\345
+\054\123\213\144\076\324\144\173\343\200\011\024\314\376\026\106
+\143\153\161\151\370\371\313\047\366\210\124\274\105\263\316\002
+\310\224\356\100\133\371\102\002\302\377\260\330\054\353\050\177
+\136\311\046\001\231\247
+END
+
+# Trust for Certificate "Thawte Universal CA Root"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Thawte Universal CA Root"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\213\302\212\044\257\373\126\135\350\120\025\173\172\153\157\024
+\170\114\220\343
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\027\257\161\026\122\173\163\145\042\005\051\050\204\161\235\023
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\127\061\017\060\015\006\003\125\004\012\023\006\124\150\141
+\167\164\145\061\041\060\037\006\003\125\004\013\023\030\124\150
+\141\167\164\145\040\125\156\151\166\145\162\163\141\154\040\103
+\101\040\122\157\157\164\061\041\060\037\006\003\125\004\003\023
+\030\124\150\141\167\164\145\040\125\156\151\166\145\162\163\141
+\154\040\103\101\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 1 Public Primary Certification Authority - G3"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
+\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
+\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
+\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
+\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
+\061\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\107\063
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
+\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
+\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
+\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
+\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
+\061\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\107\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\213\133\165\126\204\124\205\013\000\317\257\070\110\316\261
+\244
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\032\060\202\003\002\002\021\000\213\133\165\126\204
+\124\205\013\000\317\257\070\110\316\261\244\060\015\006\011\052
+\206\110\206\367\015\001\001\005\005\000\060\201\312\061\013\060
+\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003
+\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111
+\156\143\056\061\037\060\035\006\003\125\004\013\023\026\126\145
+\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
+\167\157\162\153\061\072\060\070\006\003\125\004\013\023\061\050
+\143\051\040\061\071\071\071\040\126\145\162\151\123\151\147\156
+\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164
+\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171
+\061\105\060\103\006\003\125\004\003\023\074\126\145\162\151\123
+\151\147\156\040\103\154\141\163\163\040\061\040\120\165\142\154
+\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
+\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
+\164\171\040\055\040\107\063\060\036\027\015\071\071\061\060\060
+\061\060\060\060\060\060\060\132\027\015\063\066\060\067\061\066
+\062\063\065\071\065\071\132\060\201\312\061\013\060\011\006\003
+\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004\012
+\023\016\126\145\162\151\123\151\147\156\054\040\111\156\143\056
+\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123
+\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162
+\153\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040
+\061\071\071\071\040\126\145\162\151\123\151\147\156\054\040\111
+\156\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162
+\151\172\145\144\040\165\163\145\040\157\156\154\171\061\105\060
+\103\006\003\125\004\003\023\074\126\145\162\151\123\151\147\156
+\040\103\154\141\163\163\040\061\040\120\165\142\154\151\143\040
+\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143
+\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040
+\055\040\107\063\060\202\001\042\060\015\006\011\052\206\110\206
+\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012
+\002\202\001\001\000\335\204\324\271\264\371\247\330\363\004\170
+\234\336\075\334\154\023\026\331\172\335\044\121\146\300\307\046
+\131\015\254\006\010\302\224\321\063\037\360\203\065\037\156\033
+\310\336\252\156\025\116\124\047\357\304\155\032\354\013\343\016
+\360\104\245\127\307\100\130\036\243\107\037\161\354\140\366\155
+\224\310\030\071\355\376\102\030\126\337\344\114\111\020\170\116
+\001\166\065\143\022\066\335\146\274\001\004\066\243\125\150\325
+\242\066\011\254\253\041\046\124\006\255\077\312\024\340\254\312
+\255\006\035\225\342\370\235\361\340\140\377\302\177\165\053\114
+\314\332\376\207\231\041\352\272\376\076\124\327\322\131\170\333
+\074\156\317\240\023\000\032\270\047\241\344\276\147\226\312\240
+\305\263\234\335\311\165\236\353\060\232\137\243\315\331\256\170
+\031\077\043\351\134\333\051\275\255\125\310\033\124\214\143\366
+\350\246\352\307\067\022\134\243\051\036\002\331\333\037\073\264
+\327\017\126\107\201\025\004\112\257\203\047\321\305\130\210\301
+\335\366\252\247\243\030\332\150\252\155\021\121\341\277\145\153
+\237\226\166\321\075\002\003\001\000\001\060\015\006\011\052\206
+\110\206\367\015\001\001\005\005\000\003\202\001\001\000\253\146
+\215\327\263\272\307\232\266\346\125\320\005\361\237\061\215\132
+\252\331\252\106\046\017\161\355\245\255\123\126\142\001\107\052
+\104\351\376\077\164\013\023\233\271\364\115\033\262\321\137\262
+\266\322\210\134\263\237\315\313\324\247\331\140\225\204\072\370
+\301\067\035\141\312\347\260\305\345\221\332\124\246\254\061\201
+\256\227\336\315\010\254\270\300\227\200\177\156\162\244\347\151
+\023\225\145\037\304\223\074\375\171\217\004\324\076\117\352\367
+\236\316\315\147\174\117\145\002\377\221\205\124\163\307\377\066
+\367\206\055\354\320\136\117\377\021\237\162\006\326\270\032\361
+\114\015\046\145\342\104\200\036\307\237\343\335\350\012\332\354
+\245\040\200\151\150\241\117\176\341\153\317\007\101\372\203\216
+\274\070\335\260\056\021\261\153\262\102\314\232\274\371\110\042
+\171\112\031\017\262\034\076\040\164\331\152\303\276\362\050\170
+\023\126\171\117\155\120\352\033\260\265\127\261\067\146\130\043
+\363\334\017\337\012\207\304\357\206\005\325\070\024\140\231\243
+\113\336\006\226\161\054\362\333\266\037\244\357\077\356
+END
+
+# Trust for Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 1 Public Primary Certification Authority - G3"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\040\102\205\334\367\353\166\101\225\127\216\023\153\324\267\321
+\351\216\106\245
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\261\107\274\030\127\321\030\240\170\055\354\161\350\052\225\163
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
+\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
+\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
+\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
+\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
+\061\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\107\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\213\133\165\126\204\124\205\013\000\317\257\070\110\316\261
+\244
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+
+#
+# Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 2 Public Primary Certification Authority - G3"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
+\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
+\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
+\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
+\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
+\062\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\107\063
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
+\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
+\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
+\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
+\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
+\062\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\107\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\141\160\313\111\214\137\230\105\051\347\260\246\331\120\133\172
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\031\060\202\003\001\002\020\141\160\313\111\214\137
+\230\105\051\347\260\246\331\120\133\172\060\015\006\011\052\206
+\110\206\367\015\001\001\005\005\000\060\201\312\061\013\060\011
+\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125
+\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156
+\143\056\061\037\060\035\006\003\125\004\013\023\026\126\145\162
+\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164\167
+\157\162\153\061\072\060\070\006\003\125\004\013\023\061\050\143
+\051\040\061\071\071\071\040\126\145\162\151\123\151\147\156\054
+\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164\150
+\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171\061
+\105\060\103\006\003\125\004\003\023\074\126\145\162\151\123\151
+\147\156\040\103\154\141\163\163\040\062\040\120\165\142\154\151
+\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171\040\055\040\107\063\060\036\027\015\071\071\061\060\060\061
+\060\060\060\060\060\060\132\027\015\063\066\060\067\061\066\062
+\063\065\071\065\071\132\060\201\312\061\013\060\011\006\003\125
+\004\006\023\002\125\123\061\027\060\025\006\003\125\004\012\023
+\016\126\145\162\151\123\151\147\156\054\040\111\156\143\056\061
+\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123\151
+\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162\153
+\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040\061
+\071\071\071\040\126\145\162\151\123\151\147\156\054\040\111\156
+\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162\151
+\172\145\144\040\165\163\145\040\157\156\154\171\061\105\060\103
+\006\003\125\004\003\023\074\126\145\162\151\123\151\147\156\040
+\103\154\141\163\163\040\062\040\120\165\142\154\151\143\040\120
+\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143\141
+\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040\055
+\040\107\063\060\202\001\042\060\015\006\011\052\206\110\206\367
+\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002
+\202\001\001\000\257\012\015\302\325\054\333\147\271\055\345\224
+\047\335\245\276\340\260\115\217\263\141\126\074\326\174\303\364
+\315\076\206\313\242\210\342\341\330\244\151\305\265\342\277\301
+\246\107\120\136\106\071\213\325\226\272\265\157\024\277\020\316
+\047\023\236\005\107\233\061\172\023\330\037\331\323\002\067\213
+\255\054\107\360\216\201\006\247\015\060\014\353\367\074\017\040
+\035\334\162\106\356\245\002\310\133\303\311\126\151\114\305\030
+\301\221\173\013\325\023\000\233\274\357\303\110\076\106\140\040
+\205\052\325\220\266\315\213\240\314\062\335\267\375\100\125\262
+\120\034\126\256\314\215\167\115\307\040\115\247\061\166\357\150
+\222\212\220\036\010\201\126\262\255\151\243\122\320\313\034\304
+\043\075\037\231\376\114\350\026\143\216\306\010\216\366\061\366
+\322\372\345\166\335\265\034\222\243\111\315\315\001\315\150\315
+\251\151\272\243\353\035\015\234\244\040\246\301\240\305\321\106
+\114\027\155\322\254\146\077\226\214\340\204\324\066\377\042\131
+\305\371\021\140\250\137\004\175\362\032\366\045\102\141\017\304
+\112\270\076\211\002\003\001\000\001\060\015\006\011\052\206\110
+\206\367\015\001\001\005\005\000\003\202\001\001\000\064\046\025
+\074\300\215\115\103\111\035\275\351\041\222\327\146\234\267\336
+\305\270\320\344\135\137\166\042\300\046\371\204\072\072\371\214
+\265\373\354\140\361\350\316\004\260\310\335\247\003\217\060\363
+\230\337\244\346\244\061\337\323\034\013\106\334\162\040\077\256
+\356\005\074\244\063\077\013\071\254\160\170\163\113\231\053\337
+\060\302\124\260\250\073\125\241\376\026\050\315\102\275\164\156
+\200\333\047\104\247\316\104\135\324\033\220\230\015\036\102\224
+\261\000\054\004\320\164\243\002\005\042\143\143\315\203\265\373
+\301\155\142\153\151\165\375\135\160\101\271\365\277\174\337\276
+\301\062\163\042\041\213\130\201\173\025\221\172\272\343\144\110
+\260\177\373\066\045\332\225\320\361\044\024\027\335\030\200\153
+\106\043\071\124\365\216\142\011\004\035\224\220\246\233\346\045
+\342\102\105\252\270\220\255\276\010\217\251\013\102\030\224\317
+\162\071\341\261\103\340\050\317\267\347\132\154\023\153\111\263
+\377\343\030\174\211\213\063\135\254\063\327\247\371\332\072\125
+\311\130\020\371\252\357\132\266\317\113\113\337\052
+END
+
+# Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 2 Public Primary Certification Authority - G3"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\141\357\103\327\177\312\324\141\121\274\230\340\303\131\022\257
+\237\353\143\021
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\370\276\304\143\042\311\250\106\164\213\270\035\036\112\053\366
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
+\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
+\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
+\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
+\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
+\062\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\107\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\141\160\313\111\214\137\230\105\051\347\260\246\331\120\133\172
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority - G3"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
+\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
+\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
+\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
+\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
+\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\107\063
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
+\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
+\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
+\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
+\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
+\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\107\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\233\176\006\111\243\076\142\271\325\356\220\110\161\051\357
+\127
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\032\060\202\003\002\002\021\000\233\176\006\111\243
+\076\142\271\325\356\220\110\161\051\357\127\060\015\006\011\052
+\206\110\206\367\015\001\001\005\005\000\060\201\312\061\013\060
+\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003
+\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111
+\156\143\056\061\037\060\035\006\003\125\004\013\023\026\126\145
+\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
+\167\157\162\153\061\072\060\070\006\003\125\004\013\023\061\050
+\143\051\040\061\071\071\071\040\126\145\162\151\123\151\147\156
+\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164
+\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171
+\061\105\060\103\006\003\125\004\003\023\074\126\145\162\151\123
+\151\147\156\040\103\154\141\163\163\040\063\040\120\165\142\154
+\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
+\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
+\164\171\040\055\040\107\063\060\036\027\015\071\071\061\060\060
+\061\060\060\060\060\060\060\132\027\015\063\066\060\067\061\066
+\062\063\065\071\065\071\132\060\201\312\061\013\060\011\006\003
+\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004\012
+\023\016\126\145\162\151\123\151\147\156\054\040\111\156\143\056
+\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123
+\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162
+\153\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040
+\061\071\071\071\040\126\145\162\151\123\151\147\156\054\040\111
+\156\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162
+\151\172\145\144\040\165\163\145\040\157\156\154\171\061\105\060
+\103\006\003\125\004\003\023\074\126\145\162\151\123\151\147\156
+\040\103\154\141\163\163\040\063\040\120\165\142\154\151\143\040
+\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143
+\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040
+\055\040\107\063\060\202\001\042\060\015\006\011\052\206\110\206
+\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012
+\002\202\001\001\000\313\272\234\122\374\170\037\032\036\157\033
+\067\163\275\370\311\153\224\022\060\117\360\066\107\365\320\221
+\012\365\027\310\245\141\301\026\100\115\373\212\141\220\345\166
+\040\301\021\006\175\253\054\156\246\365\021\101\216\372\055\255
+\052\141\131\244\147\046\114\320\350\274\122\133\160\040\004\130
+\321\172\311\244\151\274\203\027\144\255\005\213\274\320\130\316
+\215\214\365\353\360\102\111\013\235\227\047\147\062\156\341\256
+\223\025\034\160\274\040\115\057\030\336\222\210\350\154\205\127
+\021\032\351\176\343\046\021\124\242\105\226\125\203\312\060\211
+\350\334\330\243\355\052\200\077\177\171\145\127\076\025\040\146
+\010\057\225\223\277\252\107\057\250\106\227\360\022\342\376\302
+\012\053\121\346\166\346\267\106\267\342\015\246\314\250\303\114
+\131\125\211\346\350\123\134\034\352\235\360\142\026\013\247\311
+\137\014\360\336\302\166\316\257\367\152\362\372\101\246\242\063
+\024\311\345\172\143\323\236\142\067\325\205\145\236\016\346\123
+\044\164\033\136\035\022\123\133\307\054\347\203\111\073\025\256
+\212\150\271\127\227\002\003\001\000\001\060\015\006\011\052\206
+\110\206\367\015\001\001\005\005\000\003\202\001\001\000\021\024
+\226\301\253\222\010\367\077\057\311\262\376\344\132\237\144\336
+\333\041\117\206\231\064\166\066\127\335\320\025\057\305\255\177
+\025\037\067\142\163\076\324\347\137\316\027\003\333\065\372\053
+\333\256\140\011\137\036\137\217\156\273\013\075\352\132\023\036
+\014\140\157\265\300\265\043\042\056\007\013\313\251\164\313\107
+\273\035\301\327\245\153\314\057\322\102\375\111\335\247\211\317
+\123\272\332\000\132\050\277\202\337\370\272\023\035\120\206\202
+\375\216\060\217\051\106\260\036\075\065\332\070\142\026\030\112
+\255\346\266\121\154\336\257\142\353\001\320\036\044\376\172\217
+\022\032\022\150\270\373\146\231\024\024\105\134\256\347\256\151
+\027\201\053\132\067\311\136\052\364\306\342\241\134\124\233\246
+\124\000\317\360\361\301\307\230\060\032\073\066\026\333\243\156
+\352\375\255\262\302\332\357\002\107\023\212\300\361\263\061\255
+\117\034\341\117\234\257\017\014\235\367\170\015\330\364\065\126
+\200\332\267\155\027\217\235\036\201\144\341\376\305\105\272\255
+\153\271\012\172\116\117\113\204\356\113\361\175\335\021
+END
+
+# Trust for Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority - G3"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\023\055\015\105\123\113\151\227\315\262\325\303\071\342\125\166
+\140\233\134\306
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\315\150\266\247\307\304\316\165\340\035\117\127\104\141\222\011
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
+\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
+\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
+\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
+\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
+\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\107\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\233\176\006\111\243\076\142\271\325\356\220\110\161\051\357
+\127
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Verisign Class 4 Public Primary Certification Authority - G3"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 4 Public Primary Certification Authority - G3"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
+\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
+\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
+\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
+\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
+\064\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\107\063
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
+\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
+\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
+\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
+\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
+\064\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\107\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\354\240\247\213\156\165\152\001\317\304\174\314\057\224\136
+\327
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\032\060\202\003\002\002\021\000\354\240\247\213\156
+\165\152\001\317\304\174\314\057\224\136\327\060\015\006\011\052
+\206\110\206\367\015\001\001\005\005\000\060\201\312\061\013\060
+\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003
+\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111
+\156\143\056\061\037\060\035\006\003\125\004\013\023\026\126\145
+\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
+\167\157\162\153\061\072\060\070\006\003\125\004\013\023\061\050
+\143\051\040\061\071\071\071\040\126\145\162\151\123\151\147\156
+\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165\164
+\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154\171
+\061\105\060\103\006\003\125\004\003\023\074\126\145\162\151\123
+\151\147\156\040\103\154\141\163\163\040\064\040\120\165\142\154
+\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
+\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
+\164\171\040\055\040\107\063\060\036\027\015\071\071\061\060\060
+\061\060\060\060\060\060\060\132\027\015\063\066\060\067\061\066
+\062\063\065\071\065\071\132\060\201\312\061\013\060\011\006\003
+\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004\012
+\023\016\126\145\162\151\123\151\147\156\054\040\111\156\143\056
+\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151\123
+\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157\162
+\153\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040
+\061\071\071\071\040\126\145\162\151\123\151\147\156\054\040\111
+\156\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162
+\151\172\145\144\040\165\163\145\040\157\156\154\171\061\105\060
+\103\006\003\125\004\003\023\074\126\145\162\151\123\151\147\156
+\040\103\154\141\163\163\040\064\040\120\165\142\154\151\143\040
+\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143
+\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\040
+\055\040\107\063\060\202\001\042\060\015\006\011\052\206\110\206
+\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012
+\002\202\001\001\000\255\313\245\021\151\306\131\253\361\217\265
+\031\017\126\316\314\265\037\040\344\236\046\045\113\340\163\145
+\211\131\336\320\203\344\365\017\265\273\255\361\174\350\041\374
+\344\350\014\356\174\105\042\031\166\222\264\023\267\040\133\011
+\372\141\256\250\362\245\215\205\302\052\326\336\146\066\322\233
+\002\364\250\222\140\174\234\151\264\217\044\036\320\206\122\366
+\062\234\101\130\036\042\275\315\105\142\225\010\156\320\146\335
+\123\242\314\360\020\334\124\163\213\004\241\106\063\063\134\027
+\100\271\236\115\323\363\276\125\203\350\261\211\216\132\174\232
+\226\042\220\073\210\045\362\322\123\210\002\014\013\170\362\346
+\067\027\113\060\106\007\344\200\155\246\330\226\056\350\054\370
+\021\263\070\015\146\246\233\352\311\043\133\333\216\342\363\023
+\216\032\131\055\252\002\360\354\244\207\146\334\301\077\365\330
+\271\364\354\202\306\322\075\225\035\345\300\117\204\311\331\243
+\104\050\006\152\327\105\254\360\153\152\357\116\137\370\021\202
+\036\070\143\064\146\120\324\076\223\163\372\060\303\146\255\377
+\223\055\227\357\003\002\003\001\000\001\060\015\006\011\052\206
+\110\206\367\015\001\001\005\005\000\003\202\001\001\000\217\372
+\045\153\117\133\344\244\116\047\125\253\042\025\131\074\312\265
+\012\324\112\333\253\335\241\137\123\305\240\127\071\302\316\107
+\053\276\072\310\126\277\302\331\047\020\072\261\005\074\300\167
+\061\273\072\323\005\173\155\232\034\060\214\200\313\223\223\052
+\203\253\005\121\202\002\000\021\147\153\363\210\141\107\137\003
+\223\325\133\015\340\361\324\241\062\065\205\262\072\333\260\202
+\253\321\313\012\274\117\214\133\305\113\000\073\037\052\202\246
+\176\066\205\334\176\074\147\000\265\344\073\122\340\250\353\135
+\025\371\306\155\360\255\035\016\205\267\251\232\163\024\132\133
+\217\101\050\300\325\350\055\115\244\136\315\252\331\355\316\334
+\330\325\074\102\035\027\301\022\135\105\070\303\070\363\374\205
+\056\203\106\110\262\327\040\137\222\066\217\347\171\017\230\136
+\231\350\360\320\244\273\365\123\275\052\316\131\260\257\156\177
+\154\273\322\036\000\260\041\355\370\101\142\202\271\330\262\304
+\273\106\120\363\061\305\217\001\250\164\353\365\170\047\332\347
+\367\146\103\363\236\203\076\040\252\303\065\140\221\316
+END
+
+# Trust for Certificate "Verisign Class 4 Public Primary Certification Authority - G3"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 4 Public Primary Certification Authority - G3"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\310\354\214\207\222\151\313\113\253\071\351\215\176\127\147\363
+\024\225\163\235
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\333\310\362\047\056\261\352\152\051\043\135\376\126\076\063\337
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
+\125\004\013\023\061\050\143\051\040\061\071\071\071\040\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
+\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
+\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
+\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
+\064\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\107\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\354\240\247\213\156\165\152\001\317\304\174\314\057\224\136
+\327
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Entrust.net Secure Server CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Entrust.net Secure Server CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
+\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023
+\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
+\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040
+\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141
+\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143
+\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156
+\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003
+\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164
+\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
+\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
+\150\157\162\151\164\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
+\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023
+\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
+\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040
+\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141
+\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143
+\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156
+\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003
+\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164
+\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
+\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
+\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\067\112\322\103
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\330\060\202\004\101\240\003\002\001\002\002\004\067
+\112\322\103\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\201\303\061\013\060\011\006\003\125\004\006\023\002
+\125\123\061\024\060\022\006\003\125\004\012\023\013\105\156\164
+\162\165\163\164\056\156\145\164\061\073\060\071\006\003\125\004
+\013\023\062\167\167\167\056\145\156\164\162\165\163\164\056\156
+\145\164\057\103\120\123\040\151\156\143\157\162\160\056\040\142
+\171\040\162\145\146\056\040\050\154\151\155\151\164\163\040\154
+\151\141\142\056\051\061\045\060\043\006\003\125\004\013\023\034
+\050\143\051\040\061\071\071\071\040\105\156\164\162\165\163\164
+\056\156\145\164\040\114\151\155\151\164\145\144\061\072\060\070
+\006\003\125\004\003\023\061\105\156\164\162\165\163\164\056\156
+\145\164\040\123\145\143\165\162\145\040\123\145\162\166\145\162
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\060\036\027\015\071\071\060\065
+\062\065\061\066\060\071\064\060\132\027\015\061\071\060\065\062
+\065\061\066\063\071\064\060\132\060\201\303\061\013\060\011\006
+\003\125\004\006\023\002\125\123\061\024\060\022\006\003\125\004
+\012\023\013\105\156\164\162\165\163\164\056\156\145\164\061\073
+\060\071\006\003\125\004\013\023\062\167\167\167\056\145\156\164
+\162\165\163\164\056\156\145\164\057\103\120\123\040\151\156\143
+\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151
+\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006
+\003\125\004\013\023\034\050\143\051\040\061\071\071\071\040\105
+\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164
+\145\144\061\072\060\070\006\003\125\004\003\023\061\105\156\164
+\162\165\163\164\056\156\145\164\040\123\145\143\165\162\145\040
+\123\145\162\166\145\162\040\103\145\162\164\151\146\151\143\141
+\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060\201
+\235\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000
+\003\201\213\000\060\201\207\002\201\201\000\315\050\203\064\124
+\033\211\363\017\257\067\221\061\377\257\061\140\311\250\350\262
+\020\150\355\237\347\223\066\361\012\144\273\107\365\004\027\077
+\043\107\115\305\047\031\201\046\014\124\162\015\210\055\331\037
+\232\022\237\274\263\161\323\200\031\077\107\146\173\214\065\050
+\322\271\012\337\044\332\234\326\120\171\201\172\132\323\067\367
+\302\112\330\051\222\046\144\321\344\230\154\072\000\212\365\064
+\233\145\370\355\343\020\377\375\270\111\130\334\240\336\202\071
+\153\201\261\026\031\141\271\124\266\346\103\002\001\003\243\202
+\001\327\060\202\001\323\060\021\006\011\140\206\110\001\206\370
+\102\001\001\004\004\003\002\000\007\060\202\001\031\006\003\125
+\035\037\004\202\001\020\060\202\001\014\060\201\336\240\201\333
+\240\201\330\244\201\325\060\201\322\061\013\060\011\006\003\125
+\004\006\023\002\125\123\061\024\060\022\006\003\125\004\012\023
+\013\105\156\164\162\165\163\164\056\156\145\164\061\073\060\071
+\006\003\125\004\013\023\062\167\167\167\056\145\156\164\162\165
+\163\164\056\156\145\164\057\103\120\123\040\151\156\143\157\162
+\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155\151
+\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003\125
+\004\013\023\034\050\143\051\040\061\071\071\071\040\105\156\164
+\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145\144
+\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162\165
+\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123\145
+\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164\151
+\157\156\040\101\165\164\150\157\162\151\164\171\061\015\060\013
+\006\003\125\004\003\023\004\103\122\114\061\060\051\240\047\240
+\045\206\043\150\164\164\160\072\057\057\167\167\167\056\145\156
+\164\162\165\163\164\056\156\145\164\057\103\122\114\057\156\145
+\164\061\056\143\162\154\060\053\006\003\125\035\020\004\044\060
+\042\200\017\061\071\071\071\060\065\062\065\061\066\060\071\064
+\060\132\201\017\062\060\061\071\060\065\062\065\061\066\060\071
+\064\060\132\060\013\006\003\125\035\017\004\004\003\002\001\006
+\060\037\006\003\125\035\043\004\030\060\026\200\024\360\027\142
+\023\125\075\263\377\012\000\153\373\120\204\227\363\355\142\320
+\032\060\035\006\003\125\035\016\004\026\004\024\360\027\142\023
+\125\075\263\377\012\000\153\373\120\204\227\363\355\142\320\032
+\060\014\006\003\125\035\023\004\005\060\003\001\001\377\060\031
+\006\011\052\206\110\206\366\175\007\101\000\004\014\060\012\033
+\004\126\064\056\060\003\002\004\220\060\015\006\011\052\206\110
+\206\367\015\001\001\005\005\000\003\201\201\000\220\334\060\002
+\372\144\164\302\247\012\245\174\041\215\064\027\250\373\107\016
+\377\045\174\215\023\012\373\344\230\265\357\214\370\305\020\015
+\367\222\276\361\303\325\325\225\152\004\273\054\316\046\066\145
+\310\061\306\347\356\077\343\127\165\204\172\021\357\106\117\030
+\364\323\230\273\250\207\062\272\162\366\074\342\075\237\327\035
+\331\303\140\103\214\130\016\042\226\057\142\243\054\037\272\255
+\005\357\253\062\170\207\240\124\163\031\265\134\005\371\122\076
+\155\055\105\013\367\012\223\352\355\006\371\262
+END
+
+# Trust for Certificate "Entrust.net Secure Server CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Entrust.net Secure Server CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\231\246\233\346\032\376\210\153\115\053\202\000\174\270\124\374
+\061\176\025\071
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\337\362\200\163\314\361\346\141\163\374\365\102\351\305\174\356
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\303\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
+\163\164\056\156\145\164\061\073\060\071\006\003\125\004\013\023
+\062\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
+\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040
+\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141
+\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143
+\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156
+\145\164\040\114\151\155\151\164\145\144\061\072\060\070\006\003
+\125\004\003\023\061\105\156\164\162\165\163\164\056\156\145\164
+\040\123\145\143\165\162\145\040\123\145\162\166\145\162\040\103
+\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
+\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\067\112\322\103
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Entrust.net Secure Personal CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Entrust.net Secure Personal CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\311\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
+\163\164\056\156\145\164\061\110\060\106\006\003\125\004\013\024
+\077\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
+\057\103\154\151\145\156\164\137\103\101\137\111\156\146\157\057
+\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040\162
+\145\146\056\040\154\151\155\151\164\163\040\154\151\141\142\056
+\061\045\060\043\006\003\125\004\013\023\034\050\143\051\040\061
+\071\071\071\040\105\156\164\162\165\163\164\056\156\145\164\040
+\114\151\155\151\164\145\144\061\063\060\061\006\003\125\004\003
+\023\052\105\156\164\162\165\163\164\056\156\145\164\040\103\154
+\151\145\156\164\040\103\145\162\164\151\146\151\143\141\164\151
+\157\156\040\101\165\164\150\157\162\151\164\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\311\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
+\163\164\056\156\145\164\061\110\060\106\006\003\125\004\013\024
+\077\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
+\057\103\154\151\145\156\164\137\103\101\137\111\156\146\157\057
+\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040\162
+\145\146\056\040\154\151\155\151\164\163\040\154\151\141\142\056
+\061\045\060\043\006\003\125\004\013\023\034\050\143\051\040\061
+\071\071\071\040\105\156\164\162\165\163\164\056\156\145\164\040
+\114\151\155\151\164\145\144\061\063\060\061\006\003\125\004\003
+\023\052\105\156\164\162\165\163\164\056\156\145\164\040\103\154
+\151\145\156\164\040\103\145\162\164\151\146\151\143\141\164\151
+\157\156\040\101\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\070\003\221\356
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\355\060\202\004\126\240\003\002\001\002\002\004\070
+\003\221\356\060\015\006\011\052\206\110\206\367\015\001\001\004
+\005\000\060\201\311\061\013\060\011\006\003\125\004\006\023\002
+\125\123\061\024\060\022\006\003\125\004\012\023\013\105\156\164
+\162\165\163\164\056\156\145\164\061\110\060\106\006\003\125\004
+\013\024\077\167\167\167\056\145\156\164\162\165\163\164\056\156
+\145\164\057\103\154\151\145\156\164\137\103\101\137\111\156\146
+\157\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171
+\040\162\145\146\056\040\154\151\155\151\164\163\040\154\151\141
+\142\056\061\045\060\043\006\003\125\004\013\023\034\050\143\051
+\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156\145
+\164\040\114\151\155\151\164\145\144\061\063\060\061\006\003\125
+\004\003\023\052\105\156\164\162\165\163\164\056\156\145\164\040
+\103\154\151\145\156\164\040\103\145\162\164\151\146\151\143\141
+\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060\036
+\027\015\071\071\061\060\061\062\061\071\062\064\063\060\132\027
+\015\061\071\061\060\061\062\061\071\065\064\063\060\132\060\201
+\311\061\013\060\011\006\003\125\004\006\023\002\125\123\061\024
+\060\022\006\003\125\004\012\023\013\105\156\164\162\165\163\164
+\056\156\145\164\061\110\060\106\006\003\125\004\013\024\077\167
+\167\167\056\145\156\164\162\165\163\164\056\156\145\164\057\103
+\154\151\145\156\164\137\103\101\137\111\156\146\157\057\103\120
+\123\040\151\156\143\157\162\160\056\040\142\171\040\162\145\146
+\056\040\154\151\155\151\164\163\040\154\151\141\142\056\061\045
+\060\043\006\003\125\004\013\023\034\050\143\051\040\061\071\071
+\071\040\105\156\164\162\165\163\164\056\156\145\164\040\114\151
+\155\151\164\145\144\061\063\060\061\006\003\125\004\003\023\052
+\105\156\164\162\165\163\164\056\156\145\164\040\103\154\151\145
+\156\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156
+\040\101\165\164\150\157\162\151\164\171\060\201\235\060\015\006
+\011\052\206\110\206\367\015\001\001\001\005\000\003\201\213\000
+\060\201\207\002\201\201\000\310\072\231\136\061\027\337\254\047
+\157\220\173\344\031\377\105\243\064\302\333\301\250\117\360\150
+\352\204\375\237\165\171\317\301\212\121\224\257\307\127\003\107
+\144\236\255\202\033\132\332\177\067\170\107\273\067\230\022\226
+\316\306\023\175\357\322\014\060\121\251\071\236\125\370\373\261
+\347\060\336\203\262\272\076\361\325\211\073\073\205\272\252\164
+\054\376\077\061\156\257\221\225\156\006\324\007\115\113\054\126
+\107\030\004\122\332\016\020\223\277\143\220\233\341\337\214\346
+\002\244\346\117\136\367\213\002\001\003\243\202\001\340\060\202
+\001\334\060\021\006\011\140\206\110\001\206\370\102\001\001\004
+\004\003\002\000\007\060\202\001\042\006\003\125\035\037\004\202
+\001\031\060\202\001\025\060\201\344\240\201\341\240\201\336\244
+\201\333\060\201\330\061\013\060\011\006\003\125\004\006\023\002
+\125\123\061\024\060\022\006\003\125\004\012\023\013\105\156\164
+\162\165\163\164\056\156\145\164\061\110\060\106\006\003\125\004
+\013\024\077\167\167\167\056\145\156\164\162\165\163\164\056\156
+\145\164\057\103\154\151\145\156\164\137\103\101\137\111\156\146
+\157\057\103\120\123\040\151\156\143\157\162\160\056\040\142\171
+\040\162\145\146\056\040\154\151\155\151\164\163\040\154\151\141
+\142\056\061\045\060\043\006\003\125\004\013\023\034\050\143\051
+\040\061\071\071\071\040\105\156\164\162\165\163\164\056\156\145
+\164\040\114\151\155\151\164\145\144\061\063\060\061\006\003\125
+\004\003\023\052\105\156\164\162\165\163\164\056\156\145\164\040
+\103\154\151\145\156\164\040\103\145\162\164\151\146\151\143\141
+\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061\015
+\060\013\006\003\125\004\003\023\004\103\122\114\061\060\054\240
+\052\240\050\206\046\150\164\164\160\072\057\057\167\167\167\056
+\145\156\164\162\165\163\164\056\156\145\164\057\103\122\114\057
+\103\154\151\145\156\164\061\056\143\162\154\060\053\006\003\125
+\035\020\004\044\060\042\200\017\061\071\071\071\061\060\061\062
+\061\071\062\064\063\060\132\201\017\062\060\061\071\061\060\061
+\062\061\071\062\064\063\060\132\060\013\006\003\125\035\017\004
+\004\003\002\001\006\060\037\006\003\125\035\043\004\030\060\026
+\200\024\304\373\234\051\173\227\315\114\226\374\356\133\263\312
+\231\164\213\225\352\114\060\035\006\003\125\035\016\004\026\004
+\024\304\373\234\051\173\227\315\114\226\374\356\133\263\312\231
+\164\213\225\352\114\060\014\006\003\125\035\023\004\005\060\003
+\001\001\377\060\031\006\011\052\206\110\206\366\175\007\101\000
+\004\014\060\012\033\004\126\064\056\060\003\002\004\220\060\015
+\006\011\052\206\110\206\367\015\001\001\004\005\000\003\201\201
+\000\077\256\212\361\327\146\003\005\236\076\372\352\034\106\273
+\244\133\217\170\232\022\110\231\371\364\065\336\014\066\007\002
+\153\020\072\211\024\201\234\061\246\174\262\101\262\152\347\007
+\001\241\113\371\237\045\073\226\312\231\303\076\241\121\034\363
+\303\056\104\367\260\147\106\252\222\345\073\332\034\031\024\070
+\060\325\342\242\061\045\056\361\354\105\070\355\370\006\130\003
+\163\142\260\020\061\217\100\277\144\340\134\076\305\117\037\332
+\022\103\377\114\346\006\046\250\233\031\252\104\074\166\262\134
+\354
+END
+
+# Trust for Certificate "Entrust.net Secure Personal CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Entrust.net Secure Personal CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\332\171\301\161\021\120\302\064\071\252\053\013\014\142\375\125
+\262\371\365\200
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\014\101\057\023\133\240\124\365\226\146\055\176\315\016\003\364
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\311\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\024\060\022\006\003\125\004\012\023\013\105\156\164\162\165
+\163\164\056\156\145\164\061\110\060\106\006\003\125\004\013\024
+\077\167\167\167\056\145\156\164\162\165\163\164\056\156\145\164
+\057\103\154\151\145\156\164\137\103\101\137\111\156\146\157\057
+\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040\162
+\145\146\056\040\154\151\155\151\164\163\040\154\151\141\142\056
+\061\045\060\043\006\003\125\004\013\023\034\050\143\051\040\061
+\071\071\071\040\105\156\164\162\165\163\164\056\156\145\164\040
+\114\151\155\151\164\145\144\061\063\060\061\006\003\125\004\003
+\023\052\105\156\164\162\165\163\164\056\156\145\164\040\103\154
+\151\145\156\164\040\103\145\162\164\151\146\151\143\141\164\151
+\157\156\040\101\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\070\003\221\356
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Entrust.net Premium 2048 Secure Server CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Entrust.net Premium 2048 Secure Server CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156
+\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125
+\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056
+\156\145\164\057\103\120\123\137\062\060\064\070\040\151\156\143
+\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151
+\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006
+\003\125\004\013\023\034\050\143\051\040\061\071\071\071\040\105
+\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164
+\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164
+\162\165\163\164\056\156\145\164\040\103\145\162\164\151\146\151
+\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
+\040\050\062\060\064\070\051
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156
+\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125
+\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056
+\156\145\164\057\103\120\123\137\062\060\064\070\040\151\156\143
+\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151
+\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006
+\003\125\004\013\023\034\050\143\051\040\061\071\071\071\040\105
+\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164
+\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164
+\162\165\163\164\056\156\145\164\040\103\145\162\164\151\146\151
+\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
+\040\050\062\060\064\070\051
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\070\143\271\146
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\134\060\202\003\104\240\003\002\001\002\002\004\070
+\143\271\146\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\201\264\061\024\060\022\006\003\125\004\012\023\013
+\105\156\164\162\165\163\164\056\156\145\164\061\100\060\076\006
+\003\125\004\013\024\067\167\167\167\056\145\156\164\162\165\163
+\164\056\156\145\164\057\103\120\123\137\062\060\064\070\040\151
+\156\143\157\162\160\056\040\142\171\040\162\145\146\056\040\050
+\154\151\155\151\164\163\040\154\151\141\142\056\051\061\045\060
+\043\006\003\125\004\013\023\034\050\143\051\040\061\071\071\071
+\040\105\156\164\162\165\163\164\056\156\145\164\040\114\151\155
+\151\164\145\144\061\063\060\061\006\003\125\004\003\023\052\105
+\156\164\162\165\163\164\056\156\145\164\040\103\145\162\164\151
+\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
+\164\171\040\050\062\060\064\070\051\060\036\027\015\071\071\061
+\062\062\064\061\067\065\060\065\061\132\027\015\061\071\061\062
+\062\064\061\070\062\060\065\061\132\060\201\264\061\024\060\022
+\006\003\125\004\012\023\013\105\156\164\162\165\163\164\056\156
+\145\164\061\100\060\076\006\003\125\004\013\024\067\167\167\167
+\056\145\156\164\162\165\163\164\056\156\145\164\057\103\120\123
+\137\062\060\064\070\040\151\156\143\157\162\160\056\040\142\171
+\040\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151
+\141\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050
+\143\051\040\061\071\071\071\040\105\156\164\162\165\163\164\056
+\156\145\164\040\114\151\155\151\164\145\144\061\063\060\061\006
+\003\125\004\003\023\052\105\156\164\162\165\163\164\056\156\145
+\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\040\050\062\060\064\070\051
+\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001
+\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001
+\000\255\115\113\251\022\206\262\352\243\040\007\025\026\144\052
+\053\113\321\277\013\112\115\216\355\200\166\245\147\267\170\100
+\300\163\102\310\150\300\333\123\053\335\136\270\166\230\065\223
+\213\032\235\174\023\072\016\037\133\267\036\317\345\044\024\036
+\261\201\251\215\175\270\314\153\113\003\361\002\014\334\253\245
+\100\044\000\177\164\224\241\235\010\051\263\210\013\365\207\167
+\235\125\315\344\303\176\327\152\144\253\205\024\206\225\133\227
+\062\120\157\075\310\272\146\014\343\374\275\270\111\301\166\211
+\111\031\375\300\250\275\211\243\147\057\306\237\274\161\031\140
+\270\055\351\054\311\220\166\146\173\224\342\257\170\326\145\123
+\135\074\326\234\262\317\051\003\371\057\244\120\262\324\110\316
+\005\062\125\212\375\262\144\114\016\344\230\007\165\333\177\337
+\271\010\125\140\205\060\051\371\173\110\244\151\206\343\065\077
+\036\206\135\172\172\025\275\357\000\216\025\042\124\027\000\220
+\046\223\274\016\111\150\221\277\370\107\323\235\225\102\301\016
+\115\337\157\046\317\303\030\041\142\146\103\160\326\325\300\007
+\341\002\003\001\000\001\243\164\060\162\060\021\006\011\140\206
+\110\001\206\370\102\001\001\004\004\003\002\000\007\060\037\006
+\003\125\035\043\004\030\060\026\200\024\125\344\201\321\021\200
+\276\330\211\271\010\243\061\371\241\044\011\026\271\160\060\035
+\006\003\125\035\016\004\026\004\024\125\344\201\321\021\200\276
+\330\211\271\010\243\061\371\241\044\011\026\271\160\060\035\006
+\011\052\206\110\206\366\175\007\101\000\004\020\060\016\033\010
+\126\065\056\060\072\064\056\060\003\002\004\220\060\015\006\011
+\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001\000
+\131\107\254\041\204\212\027\311\234\211\123\036\272\200\205\032
+\306\074\116\076\261\234\266\174\306\222\135\030\144\002\343\323
+\006\010\021\141\174\143\343\053\235\061\003\160\166\322\243\050
+\240\364\273\232\143\163\355\155\345\052\333\355\024\251\053\306
+\066\021\320\053\353\007\213\245\332\236\134\031\235\126\022\365
+\124\051\310\005\355\262\022\052\215\364\003\033\377\347\222\020
+\207\260\072\265\303\235\005\067\022\243\307\364\025\271\325\244
+\071\026\233\123\072\043\221\361\250\202\242\152\210\150\301\171
+\002\042\274\252\246\326\256\337\260\024\137\270\207\320\335\174
+\177\173\377\257\034\317\346\333\007\255\136\333\205\235\320\053
+\015\063\333\004\321\346\111\100\023\053\166\373\076\351\234\211
+\017\025\316\030\260\205\170\041\117\153\117\016\372\066\147\315
+\007\362\377\010\320\342\336\331\277\052\257\270\207\206\041\074
+\004\312\267\224\150\177\317\074\351\230\327\070\377\354\300\331
+\120\360\056\113\130\256\106\157\320\056\303\140\332\162\125\162
+\275\114\105\236\141\272\277\204\201\222\003\321\322\151\174\305
+END
+
+# Trust for Certificate "Entrust.net Premium 2048 Secure Server CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Entrust.net Premium 2048 Secure Server CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\200\035\142\320\173\104\235\134\134\003\134\230\352\141\372\104
+\074\052\130\376
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\272\041\352\040\326\335\333\217\301\127\213\100\255\241\374\374
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156
+\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125
+\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056
+\156\145\164\057\103\120\123\137\062\060\064\070\040\151\156\143
+\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151
+\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006
+\003\125\004\013\023\034\050\143\051\040\061\071\071\071\040\105
+\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164
+\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164
+\162\165\163\164\056\156\145\164\040\103\145\162\164\151\146\151
+\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
+\040\050\062\060\064\070\051
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\070\143\271\146
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "ValiCert OCSP Responder"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "ValiCert OCSP Responder"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\262\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\054\060\052\006\003\125\004\013\023\043\103\154\141
+\163\163\040\061\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\040\055\040\117\103\123\120
+\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160\072
+\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056\156
+\145\164\057\061\040\060\036\006\011\052\206\110\206\367\015\001
+\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145\162
+\164\056\143\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\262\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\054\060\052\006\003\125\004\013\023\043\103\154\141
+\163\163\040\061\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\040\055\040\117\103\123\120
+\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160\072
+\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056\156
+\145\164\057\061\040\060\036\006\011\052\206\110\206\367\015\001
+\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145\162
+\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\110\060\202\002\261\240\003\002\001\002\002\001\001
+\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+\201\262\061\044\060\042\006\003\125\004\007\023\033\126\141\154
+\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157\156
+\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125\004
+\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156\143
+\056\061\054\060\052\006\003\125\004\013\023\043\103\154\141\163
+\163\040\061\040\126\141\154\151\144\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\117\103\123\120\061
+\041\060\037\006\003\125\004\003\023\030\150\164\164\160\072\057
+\057\167\167\167\056\166\141\154\151\143\145\162\164\056\156\145
+\164\057\061\040\060\036\006\011\052\206\110\206\367\015\001\011
+\001\026\021\151\156\146\157\100\166\141\154\151\143\145\162\164
+\056\143\157\155\060\036\027\015\060\060\060\062\061\062\061\061
+\065\060\060\065\132\027\015\060\065\060\062\061\060\061\061\065
+\060\060\065\132\060\201\262\061\044\060\042\006\003\125\004\007
+\023\033\126\141\154\151\103\145\162\164\040\126\141\154\151\144
+\141\164\151\157\156\040\116\145\164\167\157\162\153\061\027\060
+\025\006\003\125\004\012\023\016\126\141\154\151\103\145\162\164
+\054\040\111\156\143\056\061\054\060\052\006\003\125\004\013\023
+\043\103\154\141\163\163\040\061\040\126\141\154\151\144\141\164
+\151\157\156\040\101\165\164\150\157\162\151\164\171\040\055\040
+\117\103\123\120\061\041\060\037\006\003\125\004\003\023\030\150
+\164\164\160\072\057\057\167\167\167\056\166\141\154\151\143\145
+\162\164\056\156\145\164\057\061\040\060\036\006\011\052\206\110
+\206\367\015\001\011\001\026\021\151\156\146\157\100\166\141\154
+\151\143\145\162\164\056\143\157\155\060\201\237\060\015\006\011
+\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060
+\201\211\002\201\201\000\307\214\057\247\303\100\207\073\075\327
+\304\232\130\024\144\012\303\010\071\142\032\317\322\353\251\361
+\151\164\212\312\016\132\166\314\242\122\116\320\363\304\172\265
+\370\246\034\273\243\247\244\123\207\133\215\300\000\273\325\146
+\044\347\164\306\026\310\257\310\003\142\325\062\207\242\122\221
+\104\224\225\250\107\103\155\245\110\234\366\114\165\325\117\142
+\347\311\377\173\364\044\214\247\274\050\166\265\062\240\045\163
+\267\107\057\170\370\106\371\207\024\360\167\374\012\167\350\117
+\375\214\037\372\142\331\002\003\001\000\001\243\154\060\152\060
+\017\006\011\053\006\001\005\005\007\060\001\005\004\002\005\000
+\060\023\006\003\125\035\045\004\014\060\012\006\010\053\006\001
+\005\005\007\003\011\060\013\006\003\125\035\017\004\004\003\002
+\001\206\060\065\006\010\053\006\001\005\005\007\001\001\004\051
+\060\047\060\045\006\010\053\006\001\005\005\007\060\001\206\031
+\150\164\164\160\072\057\057\157\143\163\160\062\056\166\141\154
+\151\143\145\162\164\056\156\145\164\060\015\006\011\052\206\110
+\206\367\015\001\001\005\005\000\003\201\201\000\025\305\340\270
+\064\162\022\006\040\250\142\225\223\321\274\223\272\220\253\334
+\116\215\216\215\230\114\343\062\365\053\077\263\227\373\252\242
+\255\100\227\255\150\275\134\255\123\016\320\246\263\015\254\032
+\231\215\252\060\036\317\016\160\377\002\260\167\145\203\315\332
+\007\134\122\315\131\273\242\310\342\264\026\203\217\324\225\171
+\223\055\350\277\104\223\061\222\060\323\064\064\361\020\373\041
+\254\056\364\303\135\144\143\172\231\341\232\253\102\035\110\146
+\246\167\067\270\125\074\255\376\145\260\142\351
+END
+
+# Trust for Certificate "ValiCert OCSP Responder"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "ValiCert OCSP Responder"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\133\166\261\274\342\212\360\366\161\221\205\147\046\215\021\151
+\017\027\077\163
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\325\036\040\137\321\365\035\202\127\010\122\071\035\372\212\255
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\262\061\044\060\042\006\003\125\004\007\023\033\126\141
+\154\151\103\145\162\164\040\126\141\154\151\144\141\164\151\157
+\156\040\116\145\164\167\157\162\153\061\027\060\025\006\003\125
+\004\012\023\016\126\141\154\151\103\145\162\164\054\040\111\156
+\143\056\061\054\060\052\006\003\125\004\013\023\043\103\154\141
+\163\163\040\061\040\126\141\154\151\144\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\040\055\040\117\103\123\120
+\061\041\060\037\006\003\125\004\003\023\030\150\164\164\160\072
+\057\057\167\167\167\056\166\141\154\151\143\145\162\164\056\156
+\145\164\057\061\040\060\036\006\011\052\206\110\206\367\015\001
+\011\001\026\021\151\156\146\157\100\166\141\154\151\143\145\162
+\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Baltimore CyberTrust Code Signing Root"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Baltimore CyberTrust Code Signing Root"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\147\061\013\060\011\006\003\125\004\006\023\002\111\105\061
+\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155
+\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171
+\142\145\162\124\162\165\163\164\061\057\060\055\006\003\125\004
+\003\023\046\102\141\154\164\151\155\157\162\145\040\103\171\142
+\145\162\124\162\165\163\164\040\103\157\144\145\040\123\151\147
+\156\151\156\147\040\122\157\157\164
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\147\061\013\060\011\006\003\125\004\006\023\002\111\105\061
+\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155
+\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171
+\142\145\162\124\162\165\163\164\061\057\060\055\006\003\125\004
+\003\023\046\102\141\154\164\151\155\157\162\145\040\103\171\142
+\145\162\124\162\165\163\164\040\103\157\144\145\040\123\151\147
+\156\151\156\147\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\000\000\277
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\246\060\202\002\216\240\003\002\001\002\002\004\002
+\000\000\277\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\147\061\013\060\011\006\003\125\004\006\023\002\111
+\105\061\022\060\020\006\003\125\004\012\023\011\102\141\154\164
+\151\155\157\162\145\061\023\060\021\006\003\125\004\013\023\012
+\103\171\142\145\162\124\162\165\163\164\061\057\060\055\006\003
+\125\004\003\023\046\102\141\154\164\151\155\157\162\145\040\103
+\171\142\145\162\124\162\165\163\164\040\103\157\144\145\040\123
+\151\147\156\151\156\147\040\122\157\157\164\060\036\027\015\060
+\060\060\065\061\067\061\064\060\061\060\060\132\027\015\062\065
+\060\065\061\067\062\063\065\071\060\060\132\060\147\061\013\060
+\011\006\003\125\004\006\023\002\111\105\061\022\060\020\006\003
+\125\004\012\023\011\102\141\154\164\151\155\157\162\145\061\023
+\060\021\006\003\125\004\013\023\012\103\171\142\145\162\124\162
+\165\163\164\061\057\060\055\006\003\125\004\003\023\046\102\141
+\154\164\151\155\157\162\145\040\103\171\142\145\162\124\162\165
+\163\164\040\103\157\144\145\040\123\151\147\156\151\156\147\040
+\122\157\157\164\060\202\001\042\060\015\006\011\052\206\110\206
+\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012
+\002\202\001\001\000\310\161\232\030\022\216\172\333\371\232\374
+\101\257\330\362\364\011\216\255\077\376\147\067\074\332\311\046
+\120\261\261\076\313\350\116\163\000\362\262\334\363\305\106\373
+\011\357\030\226\316\247\340\234\204\135\040\016\172\240\252\066
+\213\372\050\266\170\056\263\354\350\107\363\004\360\220\043\264
+\352\257\345\123\270\005\367\107\135\053\206\361\247\244\306\073
+\065\266\322\015\122\101\327\364\222\165\341\242\012\120\126\207
+\276\227\013\173\063\205\020\271\050\030\356\063\352\110\021\327
+\133\221\107\166\042\324\356\317\135\347\250\116\034\235\226\221
+\335\234\275\164\011\250\162\141\252\260\041\072\361\075\054\003
+\126\011\322\301\334\303\265\307\124\067\253\346\046\242\262\106
+\161\163\312\021\210\356\274\347\144\367\320\021\032\163\100\132
+\310\111\054\017\267\357\220\177\150\200\004\070\013\033\017\073
+\324\365\240\263\302\216\341\064\264\200\231\155\236\166\324\222
+\051\100\261\225\322\067\244\147\022\177\340\142\273\256\065\305
+\231\066\202\104\270\346\170\030\063\141\161\223\133\055\215\237
+\170\225\202\353\155\002\003\001\000\001\243\132\060\130\060\023
+\006\003\125\035\045\004\014\060\012\006\010\053\006\001\005\005
+\007\003\003\060\035\006\003\125\035\016\004\026\004\024\310\101
+\064\134\025\025\004\345\100\362\321\253\232\157\044\222\172\207
+\102\132\060\022\006\003\125\035\023\001\001\377\004\010\060\006
+\001\001\377\002\001\003\060\016\006\003\125\035\017\001\001\377
+\004\004\003\002\001\006\060\015\006\011\052\206\110\206\367\015
+\001\001\005\005\000\003\202\001\001\000\122\164\252\225\113\042
+\214\307\075\226\244\376\135\372\057\265\274\353\360\013\351\126
+\070\035\321\155\015\241\274\150\213\360\305\200\245\044\064\375
+\362\226\030\021\206\241\066\365\067\347\124\100\325\144\037\303
+\137\160\102\153\055\071\307\236\122\005\316\347\152\162\322\215
+\162\077\107\120\203\253\307\215\045\311\260\343\247\123\026\225
+\246\152\123\352\030\235\217\170\251\167\167\032\371\264\227\107
+\131\210\047\050\265\312\341\056\327\076\016\242\015\270\042\104
+\003\343\321\143\260\101\072\241\365\244\055\367\166\036\004\124
+\231\170\062\100\327\053\174\115\272\246\234\260\171\156\007\276
+\214\354\356\327\070\151\133\301\014\126\150\237\376\353\321\341
+\310\210\371\362\315\177\276\205\264\104\147\000\120\076\364\046
+\003\144\352\167\175\350\136\076\034\067\107\310\326\352\244\363
+\066\074\227\302\071\162\005\224\031\045\303\327\067\101\017\301
+\037\207\212\375\252\276\351\261\144\127\344\333\222\241\317\341
+\111\350\073\037\221\023\132\303\217\331\045\130\111\200\107\017
+\306\003\256\254\343\277\267\300\252\052
+END
+
+# Trust for Certificate "Baltimore CyberTrust Code Signing Root"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Baltimore CyberTrust Code Signing Root"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\060\106\330\310\210\377\151\060\303\112\374\315\111\047\010\174
+\140\126\173\015
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\220\365\050\111\126\321\135\054\260\123\324\113\357\157\220\042
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\147\061\013\060\011\006\003\125\004\006\023\002\111\105\061
+\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155
+\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171
+\142\145\162\124\162\165\163\164\061\057\060\055\006\003\125\004
+\003\023\046\102\141\154\164\151\155\157\162\145\040\103\171\142
+\145\162\124\162\165\163\164\040\103\157\144\145\040\123\151\147
+\156\151\156\147\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\000\000\277
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Baltimore CyberTrust Root"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Baltimore CyberTrust Root"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\111\105\061
+\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155
+\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171
+\142\145\162\124\162\165\163\164\061\042\060\040\006\003\125\004
+\003\023\031\102\141\154\164\151\155\157\162\145\040\103\171\142
+\145\162\124\162\165\163\164\040\122\157\157\164
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\111\105\061
+\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155
+\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171
+\142\145\162\124\162\165\163\164\061\042\060\040\006\003\125\004
+\003\023\031\102\141\154\164\151\155\157\162\145\040\103\171\142
+\145\162\124\162\165\163\164\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\000\000\271
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\167\060\202\002\137\240\003\002\001\002\002\004\002
+\000\000\271\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\111
+\105\061\022\060\020\006\003\125\004\012\023\011\102\141\154\164
+\151\155\157\162\145\061\023\060\021\006\003\125\004\013\023\012
+\103\171\142\145\162\124\162\165\163\164\061\042\060\040\006\003
+\125\004\003\023\031\102\141\154\164\151\155\157\162\145\040\103
+\171\142\145\162\124\162\165\163\164\040\122\157\157\164\060\036
+\027\015\060\060\060\065\061\062\061\070\064\066\060\060\132\027
+\015\062\065\060\065\061\062\062\063\065\071\060\060\132\060\132
+\061\013\060\011\006\003\125\004\006\023\002\111\105\061\022\060
+\020\006\003\125\004\012\023\011\102\141\154\164\151\155\157\162
+\145\061\023\060\021\006\003\125\004\013\023\012\103\171\142\145
+\162\124\162\165\163\164\061\042\060\040\006\003\125\004\003\023
+\031\102\141\154\164\151\155\157\162\145\040\103\171\142\145\162
+\124\162\165\163\164\040\122\157\157\164\060\202\001\042\060\015
+\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001
+\017\000\060\202\001\012\002\202\001\001\000\243\004\273\042\253
+\230\075\127\350\046\162\232\265\171\324\051\342\341\350\225\200
+\261\260\343\133\216\053\051\232\144\337\241\135\355\260\011\005
+\155\333\050\056\316\142\242\142\376\264\210\332\022\353\070\353
+\041\235\300\101\053\001\122\173\210\167\323\034\217\307\272\271
+\210\265\152\011\347\163\350\021\100\247\321\314\312\142\215\055
+\345\217\013\246\120\322\250\120\303\050\352\365\253\045\207\212
+\232\226\034\251\147\270\077\014\325\367\371\122\023\057\302\033
+\325\160\160\360\217\300\022\312\006\313\232\341\331\312\063\172
+\167\326\370\354\271\361\150\104\102\110\023\322\300\302\244\256
+\136\140\376\266\246\005\374\264\335\007\131\002\324\131\030\230
+\143\365\245\143\340\220\014\175\135\262\006\172\363\205\352\353
+\324\003\256\136\204\076\137\377\025\355\151\274\371\071\066\162
+\165\317\167\122\115\363\311\220\054\271\075\345\311\043\123\077
+\037\044\230\041\134\007\231\051\275\306\072\354\347\156\206\072
+\153\227\164\143\063\275\150\030\061\360\170\215\166\277\374\236
+\216\135\052\206\247\115\220\334\047\032\071\002\003\001\000\001
+\243\105\060\103\060\035\006\003\125\035\016\004\026\004\024\345
+\235\131\060\202\107\130\314\254\372\010\124\066\206\173\072\265
+\004\115\360\060\022\006\003\125\035\023\001\001\377\004\010\060
+\006\001\001\377\002\001\003\060\016\006\003\125\035\017\001\001
+\377\004\004\003\002\001\006\060\015\006\011\052\206\110\206\367
+\015\001\001\005\005\000\003\202\001\001\000\205\014\135\216\344
+\157\121\150\102\005\240\335\273\117\047\045\204\003\275\367\144
+\375\055\327\060\343\244\020\027\353\332\051\051\266\171\077\166
+\366\031\023\043\270\020\012\371\130\244\324\141\160\275\004\141
+\152\022\212\027\325\012\275\305\274\060\174\326\351\014\045\215
+\206\100\117\354\314\243\176\070\306\067\021\117\355\335\150\061
+\216\114\322\263\001\164\356\276\165\136\007\110\032\177\160\377
+\026\134\204\300\171\205\270\005\375\177\276\145\021\243\017\300
+\002\264\370\122\067\071\004\325\251\061\172\030\277\240\052\364
+\022\231\367\243\105\202\343\074\136\365\235\236\265\310\236\174
+\056\310\244\236\116\010\024\113\155\375\160\155\153\032\143\275
+\144\346\037\267\316\360\362\237\056\273\033\267\362\120\210\163
+\222\302\342\343\026\215\232\062\002\253\216\030\335\351\020\021
+\356\176\065\253\220\257\076\060\224\172\320\063\075\247\145\017
+\365\374\216\236\142\317\107\104\054\001\135\273\035\265\062\322
+\107\322\070\056\320\376\201\334\062\152\036\265\356\074\325\374
+\347\201\035\031\303\044\102\352\143\071\251
+END
+
+# Trust for Certificate "Baltimore CyberTrust Root"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Baltimore CyberTrust Root"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\324\336\040\320\136\146\374\123\376\032\120\210\054\170\333\050
+\122\312\344\164
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\254\266\224\245\234\027\340\327\221\122\233\261\227\006\246\344
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\111\105\061
+\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155
+\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171
+\142\145\162\124\162\165\163\164\061\042\060\040\006\003\125\004
+\003\023\031\102\141\154\164\151\155\157\162\145\040\103\171\142
+\145\162\124\162\165\163\164\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\000\000\271
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+
+#
+# Certificate "Baltimore CyberTrust Mobile Commerce Root"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Baltimore CyberTrust Mobile Commerce Root"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\141\061\013\060\011\006\003\125\004\006\023\002\111\105\061
+\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155
+\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171
+\142\145\162\124\162\165\163\164\061\051\060\047\006\003\125\004
+\003\023\040\102\141\154\164\151\155\157\162\145\040\103\171\142
+\145\162\124\162\165\163\164\040\115\157\142\151\154\145\040\122
+\157\157\164
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\141\061\013\060\011\006\003\125\004\006\023\002\111\105\061
+\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155
+\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171
+\142\145\162\124\162\165\163\164\061\051\060\047\006\003\125\004
+\003\023\040\102\141\154\164\151\155\157\162\145\040\103\171\142
+\145\162\124\162\165\163\164\040\115\157\142\151\154\145\040\122
+\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\000\000\270
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\175\060\202\001\346\240\003\002\001\002\002\004\002
+\000\000\270\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\141\061\013\060\011\006\003\125\004\006\023\002\111
+\105\061\022\060\020\006\003\125\004\012\023\011\102\141\154\164
+\151\155\157\162\145\061\023\060\021\006\003\125\004\013\023\012
+\103\171\142\145\162\124\162\165\163\164\061\051\060\047\006\003
+\125\004\003\023\040\102\141\154\164\151\155\157\162\145\040\103
+\171\142\145\162\124\162\165\163\164\040\115\157\142\151\154\145
+\040\122\157\157\164\060\036\027\015\060\060\060\065\061\062\061
+\070\062\060\060\060\132\027\015\062\060\060\065\061\062\062\063
+\065\071\060\060\132\060\141\061\013\060\011\006\003\125\004\006
+\023\002\111\105\061\022\060\020\006\003\125\004\012\023\011\102
+\141\154\164\151\155\157\162\145\061\023\060\021\006\003\125\004
+\013\023\012\103\171\142\145\162\124\162\165\163\164\061\051\060
+\047\006\003\125\004\003\023\040\102\141\154\164\151\155\157\162
+\145\040\103\171\142\145\162\124\162\165\163\164\040\115\157\142
+\151\154\145\040\122\157\157\164\060\201\237\060\015\006\011\052
+\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060\201
+\211\002\201\201\000\243\155\261\070\126\254\374\265\126\041\336
+\300\220\135\046\107\202\306\175\217\037\240\205\217\057\273\324
+\341\034\035\362\044\037\050\260\057\271\244\245\157\242\042\040
+\144\376\204\107\074\176\053\154\151\152\270\324\300\226\216\214
+\122\015\315\157\101\324\277\004\256\247\201\057\055\230\110\322
+\301\224\243\265\031\135\135\121\144\364\216\101\260\233\300\055
+\042\240\136\306\330\132\022\143\274\021\112\136\046\022\035\342
+\046\005\346\017\137\042\037\172\137\166\224\256\317\132\050\016
+\253\105\332\042\061\002\003\001\000\001\243\102\060\100\060\035
+\006\003\125\035\016\004\026\004\024\311\342\217\300\002\046\132
+\266\300\007\343\177\224\007\030\333\056\245\232\160\060\017\006
+\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\016
+\006\003\125\035\017\001\001\377\004\004\003\002\001\206\060\015
+\006\011\052\206\110\206\367\015\001\001\005\005\000\003\201\201
+\000\123\010\013\046\011\170\102\163\324\354\172\167\107\015\343
+\013\063\161\357\256\063\024\115\373\372\375\032\267\121\365\344
+\231\034\006\161\327\051\031\327\346\025\040\121\121\106\155\117
+\336\030\111\230\320\370\170\273\161\350\215\001\006\325\327\144
+\217\224\337\107\376\240\205\151\066\251\057\102\172\150\112\022
+\326\213\013\160\104\012\244\004\357\046\210\301\065\161\070\135
+\033\133\110\102\360\347\224\034\160\225\064\250\253\365\253\342
+\170\255\365\360\122\375\233\352\102\014\350\330\124\276\123\146
+\365
+END
+
+# Trust for Certificate "Baltimore CyberTrust Mobile Commerce Root"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Baltimore CyberTrust Mobile Commerce Root"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\264\343\013\234\301\325\356\275\240\040\030\370\271\212\321\377
+\151\267\072\161
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\353\264\040\035\017\266\161\003\367\304\367\307\244\162\206\350
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\141\061\013\060\011\006\003\125\004\006\023\002\111\105\061
+\022\060\020\006\003\125\004\012\023\011\102\141\154\164\151\155
+\157\162\145\061\023\060\021\006\003\125\004\013\023\012\103\171
+\142\145\162\124\162\165\163\164\061\051\060\047\006\003\125\004
+\003\023\040\102\141\154\164\151\155\157\162\145\040\103\171\142
+\145\162\124\162\165\163\164\040\115\157\142\151\154\145\040\122
+\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\000\000\270
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+
+#
+# Certificate "Equifax Secure Global eBusiness CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Equifax Secure Global eBusiness CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141
+\170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060
+\053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040
+\123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102
+\165\163\151\156\145\163\163\040\103\101\055\061
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141
+\170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060
+\053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040
+\123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102
+\165\163\151\156\145\163\163\040\103\101\055\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\220\060\202\001\371\240\003\002\001\002\002\001\001
+\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
+\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061\034
+\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141\170
+\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060\053
+\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040\123
+\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102\165
+\163\151\156\145\163\163\040\103\101\055\061\060\036\027\015\071
+\071\060\066\062\061\060\064\060\060\060\060\132\027\015\062\060
+\060\066\062\061\060\064\060\060\060\060\132\060\132\061\013\060
+\011\006\003\125\004\006\023\002\125\123\061\034\060\032\006\003
+\125\004\012\023\023\105\161\165\151\146\141\170\040\123\145\143
+\165\162\145\040\111\156\143\056\061\055\060\053\006\003\125\004
+\003\023\044\105\161\165\151\146\141\170\040\123\145\143\165\162
+\145\040\107\154\157\142\141\154\040\145\102\165\163\151\156\145
+\163\163\040\103\101\055\061\060\201\237\060\015\006\011\052\206
+\110\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211
+\002\201\201\000\272\347\027\220\002\145\261\064\125\074\111\302
+\121\325\337\247\321\067\217\321\347\201\163\101\122\140\233\235
+\241\027\046\170\255\307\261\350\046\224\062\265\336\063\215\072
+\057\333\362\232\172\132\163\230\243\134\351\373\212\163\033\134
+\347\303\277\200\154\315\251\364\326\053\300\367\371\231\252\143
+\242\261\107\002\017\324\344\121\072\022\074\154\212\132\124\204
+\160\333\301\305\220\317\162\105\313\250\131\300\315\063\235\077
+\243\226\353\205\063\041\034\076\036\076\140\156\166\234\147\205
+\305\310\303\141\002\003\001\000\001\243\146\060\144\060\021\006
+\011\140\206\110\001\206\370\102\001\001\004\004\003\002\000\007
+\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001
+\377\060\037\006\003\125\035\043\004\030\060\026\200\024\276\250
+\240\164\162\120\153\104\267\311\043\330\373\250\377\263\127\153
+\150\154\060\035\006\003\125\035\016\004\026\004\024\276\250\240
+\164\162\120\153\104\267\311\043\330\373\250\377\263\127\153\150
+\154\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000
+\003\201\201\000\060\342\001\121\252\307\352\137\332\271\320\145
+\017\060\326\076\332\015\024\111\156\221\223\047\024\061\357\304
+\367\055\105\370\354\307\277\242\101\015\043\264\222\371\031\000
+\147\275\001\257\315\340\161\374\132\317\144\304\340\226\230\320
+\243\100\342\001\212\357\047\007\361\145\001\212\104\055\006\145
+\165\122\300\206\020\040\041\137\154\153\017\154\256\011\034\257
+\362\242\030\064\304\165\244\163\034\361\215\334\357\255\371\263
+\166\264\222\277\334\225\020\036\276\313\310\073\132\204\140\031
+\126\224\251\125
+END
+
+# Trust for Certificate "Equifax Secure Global eBusiness CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Equifax Secure Global eBusiness CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\176\170\112\020\034\202\145\314\055\341\361\155\107\264\100\312
+\331\012\031\105
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\217\135\167\006\047\304\230\074\133\223\170\347\327\175\233\314
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141
+\170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060
+\053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040
+\123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102
+\165\163\151\156\145\163\163\040\103\101\055\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Equifax Secure eBusiness CA 1"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Equifax Secure eBusiness CA 1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\123\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141
+\170\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060
+\044\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040
+\123\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163
+\040\103\101\055\061
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\123\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141
+\170\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060
+\044\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040
+\123\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163
+\040\103\101\055\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\004
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\202\060\202\001\353\240\003\002\001\002\002\001\004
+\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
+\123\061\013\060\011\006\003\125\004\006\023\002\125\123\061\034
+\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141\170
+\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060\044
+\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040\123
+\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163\040
+\103\101\055\061\060\036\027\015\071\071\060\066\062\061\060\064
+\060\060\060\060\132\027\015\062\060\060\066\062\061\060\064\060
+\060\060\060\132\060\123\061\013\060\011\006\003\125\004\006\023
+\002\125\123\061\034\060\032\006\003\125\004\012\023\023\105\161
+\165\151\146\141\170\040\123\145\143\165\162\145\040\111\156\143
+\056\061\046\060\044\006\003\125\004\003\023\035\105\161\165\151
+\146\141\170\040\123\145\143\165\162\145\040\145\102\165\163\151
+\156\145\163\163\040\103\101\055\061\060\201\237\060\015\006\011
+\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060
+\201\211\002\201\201\000\316\057\031\274\027\267\167\336\223\251
+\137\132\015\027\117\064\032\014\230\364\042\331\131\324\304\150
+\106\360\264\065\305\205\003\040\306\257\105\245\041\121\105\101
+\353\026\130\066\062\157\342\120\142\144\371\375\121\234\252\044
+\331\364\235\203\052\207\012\041\323\022\070\064\154\215\000\156
+\132\240\331\102\356\032\041\225\371\122\114\125\132\305\017\070
+\117\106\372\155\370\056\065\326\035\174\353\342\360\260\165\200
+\310\251\023\254\276\210\357\072\156\253\137\052\070\142\002\260
+\022\173\376\217\246\003\002\003\001\000\001\243\146\060\144\060
+\021\006\011\140\206\110\001\206\370\102\001\001\004\004\003\002
+\000\007\060\017\006\003\125\035\023\001\001\377\004\005\060\003
+\001\001\377\060\037\006\003\125\035\043\004\030\060\026\200\024
+\112\170\062\122\021\333\131\026\066\136\337\301\024\066\100\152
+\107\174\114\241\060\035\006\003\125\035\016\004\026\004\024\112
+\170\062\122\021\333\131\026\066\136\337\301\024\066\100\152\107
+\174\114\241\060\015\006\011\052\206\110\206\367\015\001\001\004
+\005\000\003\201\201\000\165\133\250\233\003\021\346\351\126\114
+\315\371\251\114\300\015\232\363\314\145\151\346\045\166\314\131
+\267\326\124\303\035\315\231\254\031\335\264\205\325\340\075\374
+\142\040\247\204\113\130\145\361\342\371\225\041\077\365\324\176
+\130\036\107\207\124\076\130\241\265\265\370\052\357\161\347\274
+\303\366\261\111\106\342\327\240\153\345\126\172\232\047\230\174
+\106\142\024\347\311\374\156\003\022\171\200\070\035\110\202\215
+\374\027\376\052\226\053\265\142\246\246\075\275\177\222\131\315
+\132\052\202\262\067\171
+END
+
+# Trust for Certificate "Equifax Secure eBusiness CA 1"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Equifax Secure eBusiness CA 1"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\332\100\030\213\221\211\243\355\356\256\332\227\376\057\235\365
+\267\321\212\101
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\144\234\357\056\104\374\306\217\122\007\320\121\163\217\313\075
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\123\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141
+\170\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060
+\044\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040
+\123\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163
+\040\103\101\055\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\004
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Equifax Secure eBusiness CA 2"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Equifax Secure eBusiness CA 2"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\027\060\025\006\003\125\004\012\023\016\105\161\165\151\146\141
+\170\040\123\145\143\165\162\145\061\046\060\044\006\003\125\004
+\013\023\035\105\161\165\151\146\141\170\040\123\145\143\165\162
+\145\040\145\102\165\163\151\156\145\163\163\040\103\101\055\062
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\027\060\025\006\003\125\004\012\023\016\105\161\165\151\146\141
+\170\040\123\145\143\165\162\145\061\046\060\044\006\003\125\004
+\013\023\035\105\161\165\151\146\141\170\040\123\145\143\165\162
+\145\040\145\102\165\163\151\156\145\163\163\040\103\101\055\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\067\160\317\265
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\040\060\202\002\211\240\003\002\001\002\002\004\067
+\160\317\265\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\116\061\013\060\011\006\003\125\004\006\023\002\125
+\123\061\027\060\025\006\003\125\004\012\023\016\105\161\165\151
+\146\141\170\040\123\145\143\165\162\145\061\046\060\044\006\003
+\125\004\013\023\035\105\161\165\151\146\141\170\040\123\145\143
+\165\162\145\040\145\102\165\163\151\156\145\163\163\040\103\101
+\055\062\060\036\027\015\071\071\060\066\062\063\061\062\061\064
+\064\065\132\027\015\061\071\060\066\062\063\061\062\061\064\064
+\065\132\060\116\061\013\060\011\006\003\125\004\006\023\002\125
+\123\061\027\060\025\006\003\125\004\012\023\016\105\161\165\151
+\146\141\170\040\123\145\143\165\162\145\061\046\060\044\006\003
+\125\004\013\023\035\105\161\165\151\146\141\170\040\123\145\143
+\165\162\145\040\145\102\165\163\151\156\145\163\163\040\103\101
+\055\062\060\201\237\060\015\006\011\052\206\110\206\367\015\001
+\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000\344
+\071\071\223\036\122\006\033\050\066\370\262\243\051\305\355\216
+\262\021\275\376\353\347\264\164\302\217\377\005\347\331\235\006
+\277\022\310\077\016\362\326\321\044\262\021\336\321\163\011\212
+\324\261\054\230\011\015\036\120\106\262\203\246\105\215\142\150
+\273\205\033\040\160\062\252\100\315\246\226\137\304\161\067\077
+\004\363\267\101\044\071\007\032\036\056\141\130\240\022\013\345
+\245\337\305\253\352\067\161\314\034\310\067\072\271\227\122\247
+\254\305\152\044\224\116\234\173\317\300\152\326\337\041\275\002
+\003\001\000\001\243\202\001\011\060\202\001\005\060\160\006\003
+\125\035\037\004\151\060\147\060\145\240\143\240\141\244\137\060
+\135\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027
+\060\025\006\003\125\004\012\023\016\105\161\165\151\146\141\170
+\040\123\145\143\165\162\145\061\046\060\044\006\003\125\004\013
+\023\035\105\161\165\151\146\141\170\040\123\145\143\165\162\145
+\040\145\102\165\163\151\156\145\163\163\040\103\101\055\062\061
+\015\060\013\006\003\125\004\003\023\004\103\122\114\061\060\032
+\006\003\125\035\020\004\023\060\021\201\017\062\060\061\071\060
+\066\062\063\061\062\061\064\064\065\132\060\013\006\003\125\035
+\017\004\004\003\002\001\006\060\037\006\003\125\035\043\004\030
+\060\026\200\024\120\236\013\352\257\136\271\040\110\246\120\152
+\313\375\330\040\172\247\202\166\060\035\006\003\125\035\016\004
+\026\004\024\120\236\013\352\257\136\271\040\110\246\120\152\313
+\375\330\040\172\247\202\166\060\014\006\003\125\035\023\004\005
+\060\003\001\001\377\060\032\006\011\052\206\110\206\366\175\007
+\101\000\004\015\060\013\033\005\126\063\056\060\143\003\002\006
+\300\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000
+\003\201\201\000\014\206\202\255\350\116\032\365\216\211\047\342
+\065\130\075\051\264\007\217\066\120\225\277\156\301\236\353\304
+\220\262\205\250\273\267\102\340\017\007\071\337\373\236\220\262
+\321\301\076\123\237\003\104\260\176\113\364\157\344\174\037\347
+\342\261\344\270\232\357\303\275\316\336\013\062\064\331\336\050
+\355\063\153\304\324\327\075\022\130\253\175\011\055\313\160\365
+\023\212\224\241\047\244\326\160\305\155\224\265\311\175\235\240
+\322\306\010\111\331\146\233\246\323\364\013\334\305\046\127\341
+\221\060\352\315
+END
+
+# Trust for Certificate "Equifax Secure eBusiness CA 2"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Equifax Secure eBusiness CA 2"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\071\117\366\205\013\006\276\122\345\030\126\314\020\341\200\350
+\202\263\205\314
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\252\277\277\144\227\332\230\035\157\306\010\072\225\160\063\312
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\027\060\025\006\003\125\004\012\023\016\105\161\165\151\146\141
+\170\040\123\145\143\165\162\145\061\046\060\044\006\003\125\004
+\013\023\035\105\161\165\151\146\141\170\040\123\145\143\165\162
+\145\040\145\102\165\163\151\156\145\163\163\040\103\101\055\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\067\160\317\265
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Visa International Global Root 1"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Visa International Global Root 1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
+\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
+\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
+\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
+\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
+\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
+\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\003\035
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\130\060\202\002\100\240\003\002\001\002\002\002\003
+\035\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000
+\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
+\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
+\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
+\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\060
+\036\027\015\060\060\060\070\061\066\062\061\065\062\060\060\132
+\027\015\062\060\060\070\061\065\062\063\065\071\060\060\132\060
+\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061\015
+\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057\060
+\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156\164
+\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166\151
+\143\145\040\101\163\163\157\143\151\141\164\151\157\156\060\202
+\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005
+\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000\305
+\035\115\163\101\225\341\040\264\154\154\316\147\352\165\006\254
+\304\004\302\140\057\010\222\317\040\355\156\251\311\161\046\126
+\242\375\332\273\014\370\225\011\311\371\362\035\317\104\225\355
+\061\112\332\155\340\275\374\165\026\226\302\357\012\172\014\307
+\270\264\220\106\056\251\027\012\340\107\104\204\174\034\075\040
+\106\006\103\103\205\162\353\135\341\003\274\062\232\313\356\011
+\306\127\025\263\056\332\062\140\247\022\230\222\233\323\312\043
+\102\260\043\367\120\151\116\214\233\150\241\067\060\222\311\041
+\057\150\212\240\326\204\251\130\115\014\353\125\075\272\012\106
+\110\372\302\276\271\007\300\354\275\223\064\171\071\075\267\232
+\064\240\014\075\243\377\232\204\346\372\340\077\252\124\204\001
+\063\112\205\306\250\024\136\025\301\327\140\325\360\151\170\151
+\144\170\327\024\356\023\330\243\362\377\165\141\070\154\324\046
+\262\327\150\210\031\147\016\353\341\277\274\216\232\352\310\224
+\351\266\314\370\025\205\223\155\146\167\053\261\027\013\210\046
+\154\106\242\337\316\103\245\156\367\375\033\107\156\130\367\002
+\003\001\000\001\243\102\060\100\060\016\006\003\125\035\017\001
+\001\377\004\004\003\002\001\006\060\017\006\003\125\035\023\001
+\001\377\004\005\060\003\001\001\377\060\035\006\003\125\035\016
+\004\026\004\024\313\303\306\143\312\336\161\177\333\247\327\377
+\102\164\366\313\314\266\120\062\060\015\006\011\052\206\110\206
+\367\015\001\001\005\005\000\003\202\001\001\000\266\030\204\244
+\276\346\177\315\373\106\221\024\175\000\100\167\167\206\271\215
+\161\035\234\376\361\330\345\001\077\331\242\140\033\315\272\163
+\064\054\356\136\004\222\304\042\104\126\354\352\373\367\311\001
+\026\375\350\050\355\370\336\375\074\076\056\230\214\215\343\170
+\342\317\216\213\340\257\301\215\140\024\202\202\126\261\207\056
+\360\351\022\025\035\076\151\012\255\216\246\130\364\231\374\021
+\106\356\367\311\355\306\257\054\271\206\045\322\227\376\117\235
+\330\062\341\302\146\121\163\206\015\335\165\343\212\372\364\212
+\065\146\335\210\147\255\171\250\374\151\365\333\372\257\225\264
+\234\220\037\137\301\026\311\310\010\200\032\327\003\362\136\161
+\243\126\143\036\105\066\175\161\276\061\147\164\206\057\331\354
+\210\302\040\275\231\115\075\125\005\320\242\132\114\125\042\230
+\320\361\165\364\027\372\330\343\376\342\024\340\017\145\372\262
+\326\151\054\063\120\311\047\240\254\220\061\113\024\345\353\143
+\144\340\075\343\374\022\112\305\226\202\055\332\045\071\376\324
+\177\056\101\307\142\110\327\161\105\073\170\222
+END
+
+# Trust for Certificate "Visa International Global Root 1"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Visa International Global Root 1"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\106\260\324\152\346\120\054\267\223\205\000\010\220\373\363\120
+\251\310\140\157
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\031\152\006\154\335\311\017\266\024\321\311\373\163\077\005\317
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\115\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
+\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
+\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
+\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\003\035
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+
+#
+# Certificate "Visa International Global Root 2"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Visa International Global Root 2"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
+\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
+\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
+\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
+\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157
+\164\040\062
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
+\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
+\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
+\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
+\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157
+\164\040\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\003\036
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\200\060\202\002\150\240\003\002\001\002\002\002\003
+\036\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000
+\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
+\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
+\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
+\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
+\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157
+\164\040\062\060\036\027\015\060\060\060\070\061\066\062\062\065
+\061\060\060\132\027\015\062\060\060\070\061\065\062\063\065\071
+\060\060\132\060\141\061\013\060\011\006\003\125\004\006\023\002
+\125\123\061\015\060\013\006\003\125\004\012\023\004\126\111\123
+\101\061\057\060\055\006\003\125\004\013\023\046\126\151\163\141
+\040\111\156\164\145\162\156\141\164\151\157\156\141\154\040\123
+\145\162\166\151\143\145\040\101\163\163\157\143\151\141\164\151
+\157\156\061\022\060\020\006\003\125\004\003\023\011\107\120\040
+\122\157\157\164\040\062\060\202\001\042\060\015\006\011\052\206
+\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202
+\001\012\002\202\001\001\000\251\001\160\265\252\304\100\360\253
+\152\046\141\171\031\000\374\277\233\067\131\014\257\157\144\033
+\370\332\225\224\044\151\063\021\160\312\343\126\164\242\027\127
+\144\134\040\006\341\326\357\161\267\073\367\253\301\151\320\111
+\244\261\004\327\364\127\142\211\134\260\165\055\027\044\151\343
+\102\140\344\356\164\326\253\200\126\330\210\050\341\373\155\042
+\375\043\174\106\163\117\176\124\163\036\250\054\125\130\165\267
+\114\363\132\105\245\002\032\372\332\235\303\105\303\042\136\363
+\213\361\140\051\322\307\137\264\014\072\121\203\357\060\370\324
+\347\307\362\372\231\243\042\120\276\371\005\067\243\255\355\232
+\303\346\354\210\033\266\031\047\033\070\213\200\115\354\271\307
+\305\211\313\374\032\062\355\043\360\265\001\130\371\366\217\340
+\205\251\114\011\162\071\022\333\263\365\317\116\142\144\332\306
+\031\025\072\143\035\351\027\125\241\114\042\074\064\062\106\370
+\145\127\272\053\357\066\214\152\372\331\331\104\364\252\335\204
+\327\015\034\262\124\254\062\205\264\144\015\336\101\273\261\064
+\306\001\206\062\144\325\237\002\003\001\000\001\243\102\060\100
+\060\035\006\003\125\035\016\004\026\004\024\236\175\113\064\277
+\161\255\302\005\366\003\165\200\316\251\117\032\304\044\114\060
+\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377
+\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006
+\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003
+\202\001\001\000\041\245\166\024\125\371\255\047\160\217\074\364
+\325\154\310\314\012\253\243\230\013\212\006\043\305\311\141\333
+\231\007\151\065\046\061\376\307\056\204\302\231\141\324\015\351
+\175\056\023\053\174\216\205\266\205\307\113\317\065\266\054\107
+\075\316\051\057\330\157\237\211\034\144\223\277\010\275\166\320
+\220\212\224\263\177\050\133\156\254\115\063\054\355\145\334\026
+\314\342\315\256\244\075\142\222\006\225\046\277\337\271\344\040
+\246\163\152\301\276\367\224\104\326\115\157\052\013\153\030\115
+\164\020\066\150\152\132\301\152\247\335\066\051\214\270\060\213
+\117\041\077\000\056\124\060\007\072\272\212\344\303\236\312\330
+\265\330\173\316\165\105\146\007\364\155\055\330\172\312\351\211
+\212\362\043\330\057\313\156\000\066\117\373\360\057\001\314\017
+\300\042\145\364\253\342\116\141\055\003\202\175\221\026\265\060
+\325\024\336\136\307\220\374\241\374\253\020\257\134\153\160\247
+\007\357\051\206\350\262\045\307\040\377\046\335\167\357\171\104
+\024\304\275\335\073\305\003\233\167\043\354\240\354\273\132\071
+\265\314\255\006
+END
+
+# Trust for Certificate "Visa International Global Root 2"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Visa International Global Root 2"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\311\015\033\352\210\075\247\321\027\276\073\171\364\041\016\032
+\130\224\247\055
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\065\110\225\066\112\124\132\162\226\216\340\144\314\357\054\214
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
+\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
+\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
+\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
+\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157
+\164\040\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\003\036
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+
+#
+# Certificate "Visa International Global Root 3"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Visa International Global Root 3"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
+\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
+\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
+\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
+\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157
+\164\040\063
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
+\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
+\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
+\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
+\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157
+\164\040\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\003\037
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\200\060\202\002\150\240\003\002\001\002\002\002\003
+\037\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000
+\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
+\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
+\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
+\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
+\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157
+\164\040\063\060\036\027\015\060\060\060\070\061\066\062\063\063
+\064\060\060\132\027\015\062\060\060\070\061\065\062\063\065\071
+\060\060\132\060\141\061\013\060\011\006\003\125\004\006\023\002
+\125\123\061\015\060\013\006\003\125\004\012\023\004\126\111\123
+\101\061\057\060\055\006\003\125\004\013\023\046\126\151\163\141
+\040\111\156\164\145\162\156\141\164\151\157\156\141\154\040\123
+\145\162\166\151\143\145\040\101\163\163\157\143\151\141\164\151
+\157\156\061\022\060\020\006\003\125\004\003\023\011\107\120\040
+\122\157\157\164\040\063\060\202\001\042\060\015\006\011\052\206
+\110\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202
+\001\012\002\202\001\001\000\272\354\103\270\064\352\243\147\337
+\167\011\037\032\020\242\036\251\116\225\114\164\347\014\334\154
+\306\230\320\253\372\027\044\232\147\243\111\024\144\211\217\223
+\022\057\357\217\330\316\020\004\213\205\300\334\057\274\051\230
+\257\234\102\305\313\322\226\317\364\245\305\055\156\115\214\070
+\216\262\152\010\231\325\221\033\250\355\063\223\111\135\313\347
+\025\103\155\122\361\310\350\327\332\060\340\230\052\251\133\243
+\303\321\001\003\201\135\176\266\011\225\350\333\062\156\375\072
+\303\265\236\233\375\131\031\040\263\043\300\342\152\356\104\226
+\200\357\150\011\100\224\302\267\063\111\203\345\311\256\055\040
+\067\220\030\075\040\066\332\171\071\257\270\127\237\172\357\140
+\052\041\204\370\377\240\071\041\323\330\155\124\307\303\152\074
+\310\134\037\056\107\162\024\154\125\113\011\006\315\216\305\153
+\013\347\007\107\072\175\222\137\175\017\260\134\063\127\203\203
+\077\036\204\250\171\220\237\227\116\042\334\165\042\310\156\057
+\326\320\313\166\341\014\127\227\341\046\217\051\204\123\362\345
+\216\223\312\113\212\114\065\002\003\001\000\001\243\102\060\100
+\060\035\006\003\125\035\016\004\026\004\024\242\134\156\015\145
+\010\301\367\116\133\311\155\360\320\126\033\071\202\103\273\060
+\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377
+\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006
+\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003
+\202\001\001\000\003\215\126\010\263\241\255\375\163\102\331\147
+\054\156\232\317\277\036\310\115\362\115\322\331\067\311\070\104
+\215\256\211\014\357\214\231\053\112\223\365\155\254\146\112\077
+\127\152\020\245\242\032\023\246\054\352\142\347\200\371\275\375
+\344\377\332\021\237\071\130\155\365\103\362\364\375\246\277\235
+\261\253\232\106\007\337\341\360\133\077\376\135\131\100\006\254
+\030\010\107\114\074\114\110\106\316\210\341\250\266\236\165\246
+\240\367\176\033\266\304\215\355\360\052\123\025\112\333\051\117
+\071\123\347\122\130\243\276\334\344\220\055\265\311\316\230\377
+\054\206\241\010\240\310\316\367\202\071\011\014\301\302\324\251
+\244\052\016\063\201\307\074\160\313\060\155\244\126\267\233\134
+\174\002\042\276\345\007\175\155\044\321\047\261\326\035\036\134
+\107\074\277\056\156\370\034\204\110\354\365\341\240\225\021\315
+\347\060\353\134\360\051\173\165\202\002\006\262\363\223\071\322
+\016\254\337\137\044\023\025\060\103\365\120\324\307\203\240\103
+\071\117\145\064\275\246\351\316\341\164\276\040\337\322\162\026
+\113\211\106\166
+END
+
+# Trust for Certificate "Visa International Global Root 3"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Visa International Global Root 3"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\000\263\327\076\235\205\161\066\073\147\325\056\136\156\371\022
+\242\205\067\122
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\327\276\275\236\373\162\170\072\347\212\275\201\276\013\075\030
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
+\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
+\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
+\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
+\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157
+\164\040\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\003\037
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+
+#
+# Certificate "Visa International Global Root 4"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Visa International Global Root 4"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
+\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
+\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
+\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
+\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157
+\164\040\064
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
+\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
+\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
+\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
+\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157
+\164\040\064
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\003\040
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\173\060\202\001\344\240\003\002\001\002\002\002\003
+\040\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000
+\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
+\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
+\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
+\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
+\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157
+\164\040\064\060\036\027\015\060\060\060\070\061\067\060\060\061
+\071\060\060\132\027\015\062\060\060\070\061\066\062\063\065\071
+\060\060\132\060\141\061\013\060\011\006\003\125\004\006\023\002
+\125\123\061\015\060\013\006\003\125\004\012\023\004\126\111\123
+\101\061\057\060\055\006\003\125\004\013\023\046\126\151\163\141
+\040\111\156\164\145\162\156\141\164\151\157\156\141\154\040\123
+\145\162\166\151\143\145\040\101\163\163\157\143\151\141\164\151
+\157\156\061\022\060\020\006\003\125\004\003\023\011\107\120\040
+\122\157\157\164\040\064\060\201\237\060\015\006\011\052\206\110
+\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
+\201\201\000\270\353\360\217\240\346\361\343\000\077\136\162\236
+\256\004\017\364\117\316\312\332\142\063\352\356\132\302\301\366
+\056\070\211\264\015\317\241\256\271\061\263\375\246\307\266\304
+\154\203\014\200\141\070\072\012\276\034\001\240\031\033\347\373
+\162\155\222\143\233\246\257\063\364\264\133\032\350\050\336\114
+\347\067\361\024\361\340\027\340\024\110\354\104\035\171\245\116
+\252\341\244\204\167\275\313\115\266\352\160\176\137\252\027\054
+\113\133\260\352\205\324\151\250\021\351\053\067\035\273\246\004
+\356\233\101\002\003\001\000\001\243\102\060\100\060\035\006\003
+\125\035\016\004\026\004\024\103\306\110\100\300\017\306\030\132
+\111\111\345\201\200\006\115\137\335\324\205\060\017\006\003\125
+\035\023\001\001\377\004\005\060\003\001\001\377\060\016\006\003
+\125\035\017\001\001\377\004\004\003\002\001\006\060\015\006\011
+\052\206\110\206\367\015\001\001\005\005\000\003\201\201\000\244
+\031\075\163\316\207\321\237\126\022\134\310\070\345\356\371\022
+\310\331\001\352\235\203\064\306\242\153\213\167\172\222\176\207
+\307\125\043\024\215\302\150\115\031\362\151\264\352\107\024\221
+\073\121\207\030\372\166\233\342\173\034\023\323\346\146\036\012
+\022\271\135\220\306\073\023\024\042\315\065\214\055\105\140\000
+\004\310\357\130\002\305\135\231\264\220\155\336\124\327\043\342
+\071\204\045\303\150\243\142\243\171\330\230\241\132\322\134\211
+\375\345\026\014\364\253\027\110\176\255\353\200\300\125\201
+END
+
+# Trust for Certificate "Visa International Global Root 4"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Visa International Global Root 4"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\231\001\027\355\035\374\376\140\054\136\120\175\140\223\051\223
+\214\100\014\146
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\010\107\110\253\040\057\157\302\163\013\262\025\005\041\036\312
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
+\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
+\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
+\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
+\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157
+\164\040\064
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\003\040
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+
+#
+# Certificate "Visa International Global Root 5"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Visa International Global Root 5"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
+\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
+\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
+\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
+\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157
+\164\040\065
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
+\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
+\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
+\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
+\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157
+\164\040\065
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\003\041
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\173\060\202\001\344\240\003\002\001\002\002\002\003
+\041\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000
+\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
+\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
+\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
+\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
+\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157
+\164\040\065\060\036\027\015\060\060\060\070\061\067\060\060\062
+\070\060\060\132\027\015\062\060\060\070\061\066\062\063\065\071
+\060\060\132\060\141\061\013\060\011\006\003\125\004\006\023\002
+\125\123\061\015\060\013\006\003\125\004\012\023\004\126\111\123
+\101\061\057\060\055\006\003\125\004\013\023\046\126\151\163\141
+\040\111\156\164\145\162\156\141\164\151\157\156\141\154\040\123
+\145\162\166\151\143\145\040\101\163\163\157\143\151\141\164\151
+\157\156\061\022\060\020\006\003\125\004\003\023\011\107\120\040
+\122\157\157\164\040\065\060\201\237\060\015\006\011\052\206\110
+\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211\002
+\201\201\000\255\000\156\362\240\174\061\021\034\101\260\067\217
+\203\242\103\313\227\137\002\040\211\015\156\274\052\261\361\245
+\144\357\330\216\112\326\162\235\236\156\037\232\250\371\205\003
+\254\301\047\152\204\345\146\110\161\232\136\102\017\212\342\237
+\366\200\017\043\254\123\303\301\237\002\304\370\130\106\352\364
+\251\202\257\155\007\106\206\361\055\374\006\270\036\125\325\071
+\141\222\204\213\361\330\212\063\116\074\023\265\326\161\374\153
+\076\264\034\172\013\207\325\065\146\064\303\163\062\143\130\337
+\022\153\043\002\003\001\000\001\243\102\060\100\060\035\006\003
+\125\035\016\004\026\004\024\043\116\363\002\004\004\327\322\247
+\000\126\301\316\111\054\214\025\226\063\057\060\017\006\003\125
+\035\023\001\001\377\004\005\060\003\001\001\377\060\016\006\003
+\125\035\017\001\001\377\004\004\003\002\001\006\060\015\006\011
+\052\206\110\206\367\015\001\001\005\005\000\003\201\201\000\074
+\224\001\207\362\310\317\341\217\256\271\013\342\034\175\361\031
+\255\321\355\366\001\133\066\123\012\200\076\256\064\126\147\160
+\156\103\124\116\171\315\213\325\120\031\062\330\111\070\064\375
+\266\163\111\353\016\111\172\277\032\367\352\007\050\045\273\025
+\111\034\121\112\125\232\070\057\055\017\130\371\171\321\002\145
+\023\214\131\237\020\177\135\027\074\164\362\265\352\167\201\066
+\206\157\062\133\005\264\015\243\046\147\360\344\065\016\107\275
+\153\301\221\235\013\364\077\232\021\174\224\026\147\266\230
+END
+
+# Trust for Certificate "Visa International Global Root 5"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Visa International Global Root 5"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\367\027\230\102\276\276\302\037\113\055\235\013\234\067\036\064
+\206\325\251\317
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\317\200\157\240\170\121\321\126\233\253\310\135\243\157\220\012
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\141\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
+\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
+\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
+\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
+\022\060\020\006\003\125\004\003\023\011\107\120\040\122\157\157
+\164\040\065
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\003\041
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+
+#
+# Certificate "beTRUSTed Root CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "beTRUSTed Root CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\127\127\061
+\022\060\020\006\003\125\004\012\023\011\142\145\124\122\125\123
+\124\145\144\061\033\060\031\006\003\125\004\003\023\022\142\145
+\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\163
+\061\032\060\030\006\003\125\004\003\023\021\142\145\124\122\125
+\123\124\145\144\040\122\157\157\164\040\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\127\127\061
+\022\060\020\006\003\125\004\012\023\011\142\145\124\122\125\123
+\124\145\144\061\033\060\031\006\003\125\004\003\023\022\142\145
+\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\163
+\061\032\060\030\006\003\125\004\003\023\021\142\145\124\122\125
+\123\124\145\144\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\071\117\175\207
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\054\060\202\004\024\240\003\002\001\002\002\004\071
+\117\175\207\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\127
+\127\061\022\060\020\006\003\125\004\012\023\011\142\145\124\122
+\125\123\124\145\144\061\033\060\031\006\003\125\004\003\023\022
+\142\145\124\122\125\123\124\145\144\040\122\157\157\164\040\103
+\101\163\061\032\060\030\006\003\125\004\003\023\021\142\145\124
+\122\125\123\124\145\144\040\122\157\157\164\040\103\101\060\036
+\027\015\060\060\060\066\062\060\061\064\062\061\060\064\132\027
+\015\061\060\060\066\062\060\061\063\062\061\060\064\132\060\132
+\061\013\060\011\006\003\125\004\006\023\002\127\127\061\022\060
+\020\006\003\125\004\012\023\011\142\145\124\122\125\123\124\145
+\144\061\033\060\031\006\003\125\004\003\023\022\142\145\124\122
+\125\123\124\145\144\040\122\157\157\164\040\103\101\163\061\032
+\060\030\006\003\125\004\003\023\021\142\145\124\122\125\123\124
+\145\144\040\122\157\157\164\040\103\101\060\202\001\042\060\015
+\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001
+\017\000\060\202\001\012\002\202\001\001\000\324\264\163\172\023
+\012\070\125\001\276\211\126\341\224\236\324\276\132\353\112\064
+\165\033\141\051\304\341\255\010\140\041\170\110\377\264\320\372
+\136\101\215\141\104\207\350\355\311\130\372\374\223\232\337\117
+\352\076\065\175\370\063\172\346\361\327\315\157\111\113\075\117
+\055\156\016\203\072\030\170\167\243\317\347\364\115\163\330\232
+\073\032\035\276\225\123\317\040\227\302\317\076\044\122\154\014
+\216\145\131\305\161\377\142\011\217\252\305\217\314\140\240\163
+\112\327\070\077\025\162\277\242\227\267\160\350\257\342\176\026
+\006\114\365\252\144\046\162\007\045\255\065\374\030\261\046\327
+\330\377\031\016\203\033\214\334\170\105\147\064\075\364\257\034
+\215\344\155\153\355\040\263\147\232\264\141\313\027\157\211\065
+\377\347\116\300\062\022\347\356\354\337\377\227\060\164\355\215
+\107\216\353\264\303\104\346\247\114\177\126\103\350\270\274\266
+\276\372\203\227\346\273\373\304\266\223\276\031\030\076\214\201
+\271\163\210\026\364\226\103\234\147\163\027\220\330\011\156\143
+\254\112\266\043\304\001\241\255\244\344\305\002\003\001\000\001
+\243\202\001\370\060\202\001\364\060\017\006\003\125\035\023\001
+\001\377\004\005\060\003\001\001\377\060\202\001\131\006\003\125
+\035\040\004\202\001\120\060\202\001\114\060\202\001\110\006\012
+\053\006\001\004\001\261\076\001\000\000\060\202\001\070\060\202
+\001\001\006\010\053\006\001\005\005\007\002\002\060\201\364\032
+\201\361\122\145\154\151\141\156\143\145\040\157\156\040\164\150
+\151\163\040\143\145\162\164\151\146\151\143\141\164\145\040\142
+\171\040\141\156\171\040\160\141\162\164\171\040\141\163\163\165
+\155\145\163\040\141\143\143\145\160\164\141\156\143\145\040\157
+\146\040\164\150\145\040\164\150\145\156\040\141\160\160\154\151
+\143\141\142\154\145\040\163\164\141\156\144\141\162\144\040\164
+\145\162\155\163\040\141\156\144\040\143\157\156\144\151\164\151
+\157\156\163\040\157\146\040\165\163\145\054\040\141\156\144\040
+\143\145\162\164\151\146\151\143\141\164\151\157\156\040\160\162
+\141\143\164\151\143\145\040\163\164\141\164\145\155\145\156\164
+\054\040\167\150\151\143\150\040\143\141\156\040\142\145\040\146
+\157\165\156\144\040\141\164\040\142\145\124\122\125\123\124\145
+\144\047\163\040\167\145\142\040\163\151\164\145\054\040\150\164
+\164\160\163\072\057\057\167\167\167\056\142\145\124\122\125\123
+\124\145\144\056\143\157\155\057\166\141\165\154\164\057\164\145
+\162\155\163\060\061\006\010\053\006\001\005\005\007\002\001\026
+\045\150\164\164\160\163\072\057\057\167\167\167\056\142\145\124
+\122\125\123\124\145\144\056\143\157\155\057\166\141\165\154\164
+\057\164\145\162\155\163\060\064\006\003\125\035\037\004\055\060
+\053\060\051\240\047\240\045\244\043\060\041\061\022\060\020\006
+\003\125\004\012\023\011\142\145\124\122\125\123\124\145\144\061
+\013\060\011\006\003\125\004\006\023\002\127\127\060\035\006\003
+\125\035\016\004\026\004\024\052\271\233\151\056\073\233\330\315
+\336\052\061\004\064\153\312\007\030\253\147\060\037\006\003\125
+\035\043\004\030\060\026\200\024\052\271\233\151\056\073\233\330
+\315\336\052\061\004\064\153\312\007\030\253\147\060\016\006\003
+\125\035\017\001\001\377\004\004\003\002\001\376\060\015\006\011
+\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001\000
+\171\141\333\243\136\156\026\261\352\166\121\371\313\025\233\313
+\151\276\346\201\153\237\050\037\145\076\335\021\205\222\324\350
+\101\277\176\063\275\043\347\361\040\277\244\264\246\031\001\306
+\214\215\065\174\145\244\117\011\244\326\330\043\025\005\023\247
+\103\171\257\333\243\016\233\173\170\032\363\004\206\132\306\366
+\214\040\107\070\111\120\006\235\162\147\072\360\230\003\255\226
+\147\104\374\077\020\015\206\115\344\000\073\051\173\316\073\073
+\231\206\141\045\100\204\334\023\142\267\372\312\131\326\003\036
+\326\123\001\315\155\114\150\125\100\341\356\153\307\052\000\000
+\110\202\263\012\001\303\140\052\014\367\202\065\356\110\206\226
+\344\164\324\075\352\001\161\272\004\165\100\247\251\177\071\071
+\232\125\227\051\145\256\031\125\045\005\162\107\323\350\030\334
+\270\351\257\103\163\001\022\164\243\341\134\137\025\135\044\363
+\371\344\364\266\147\147\022\347\144\042\212\366\245\101\246\034
+\266\140\143\105\212\020\264\272\106\020\256\101\127\145\154\077
+\043\020\077\041\020\131\267\344\100\335\046\014\043\366\252\256
+END
+
+# Trust for Certificate "beTRUSTed Root CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "beTRUSTed Root CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\133\315\315\314\146\366\334\344\104\037\343\175\134\303\023\114
+\106\364\160\070
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\205\312\166\132\033\321\150\042\334\242\043\022\312\306\200\064
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\127\127\061
+\022\060\020\006\003\125\004\012\023\011\142\145\124\122\125\123
+\124\145\144\061\033\060\031\006\003\125\004\003\023\022\142\145
+\124\122\125\123\124\145\144\040\122\157\157\164\040\103\101\163
+\061\032\060\030\006\003\125\004\003\023\021\142\145\124\122\125
+\123\124\145\144\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\071\117\175\207
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Xcert Root CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Xcert Root CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\073\061\041\060\037\006\003\125\004\012\023\030\130\143\145
+\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154
+\040\111\156\143\056\061\026\060\024\006\003\125\004\013\023\015
+\130\143\145\162\164\040\122\157\157\164\040\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\073\061\041\060\037\006\003\125\004\012\023\030\130\143\145
+\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154
+\040\111\156\143\056\061\026\060\024\006\003\125\004\013\023\015
+\130\143\145\162\164\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\012\001\001\001\000\000\002\174\000\000\000\002\000\000\000\002
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\143\060\202\002\113\240\003\002\001\002\002\020\012
+\001\001\001\000\000\002\174\000\000\000\002\000\000\000\002\060
+\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\073
+\061\041\060\037\006\003\125\004\012\023\030\130\143\145\162\164
+\040\111\156\164\145\162\156\141\164\151\157\156\141\154\040\111
+\156\143\056\061\026\060\024\006\003\125\004\013\023\015\130\143
+\145\162\164\040\122\157\157\164\040\103\101\060\036\027\015\060
+\060\060\070\061\070\061\070\061\070\061\067\132\027\015\062\065
+\060\070\061\065\061\071\060\063\061\067\132\060\073\061\041\060
+\037\006\003\125\004\012\023\030\130\143\145\162\164\040\111\156
+\164\145\162\156\141\164\151\157\156\141\154\040\111\156\143\056
+\061\026\060\024\006\003\125\004\013\023\015\130\143\145\162\164
+\040\122\157\157\164\040\103\101\060\202\001\042\060\015\006\011
+\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000
+\060\202\001\012\002\202\001\001\000\250\264\141\213\035\034\076
+\220\173\160\062\100\155\215\026\312\065\141\141\265\342\373\025
+\311\364\041\136\201\033\317\042\234\254\253\273\140\320\240\063
+\336\021\123\032\011\017\073\032\023\251\324\207\314\130\367\055
+\122\251\242\302\251\072\355\317\064\235\241\002\357\270\362\270
+\053\127\210\020\223\265\251\065\143\273\005\102\103\042\177\277
+\160\136\323\050\245\125\050\040\113\223\111\217\247\277\075\100
+\050\015\021\257\162\046\011\005\064\011\305\253\001\223\127\241
+\254\146\124\230\042\234\043\353\272\014\144\234\266\075\373\342
+\306\226\302\317\013\117\352\310\060\372\212\053\312\034\021\226
+\032\051\000\214\353\162\324\121\105\251\235\167\040\325\022\273
+\265\362\177\006\070\202\115\175\222\036\350\325\372\310\051\107
+\151\032\025\021\214\257\246\054\301\050\364\151\133\151\236\344
+\074\023\356\300\241\140\352\101\277\302\142\113\155\242\067\204
+\072\076\363\260\062\256\212\153\154\023\363\072\041\012\173\226
+\130\063\051\136\156\250\312\151\242\276\216\006\105\135\361\146
+\071\125\112\034\132\044\261\113\321\002\003\001\000\001\243\143
+\060\141\060\017\006\003\125\035\023\001\001\377\004\005\060\003
+\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003
+\002\001\006\060\037\006\003\125\035\043\004\030\060\026\200\024
+\104\250\111\070\165\061\154\253\050\347\161\362\330\324\310\257
+\101\017\107\221\060\035\006\003\125\035\016\004\026\004\024\104
+\250\111\070\165\061\154\253\050\347\161\362\330\324\310\257\101
+\017\107\221\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\003\202\001\001\000\075\163\136\245\012\273\265\021\303
+\361\147\321\022\032\242\107\051\021\114\116\131\067\040\206\011
+\100\362\105\361\111\171\071\032\075\045\327\057\051\320\010\005
+\025\024\373\344\104\154\077\176\136\265\122\330\221\130\074\226
+\373\324\112\357\361\056\301\126\036\114\151\014\331\140\035\112
+\107\047\265\003\063\333\030\273\333\123\236\241\173\121\152\220
+\323\245\025\310\202\013\300\267\067\062\165\205\124\136\125\020
+\174\221\073\251\053\140\306\061\166\254\304\060\111\003\304\266
+\126\100\245\360\143\257\151\112\210\257\327\253\013\356\072\333
+\275\023\203\250\073\242\351\271\105\365\121\115\224\360\131\251
+\333\241\067\147\322\024\236\247\173\327\031\252\025\043\153\151
+\165\321\023\076\130\364\363\001\350\210\304\224\126\311\300\376
+\337\117\107\125\037\153\201\116\124\355\023\137\162\374\046\206
+\004\066\217\117\022\115\234\120\342\116\132\126\254\271\375\054
+\037\130\173\005\022\007\143\070\357\031\343\364\074\221\132\242
+\045\142\127\274\306\224\240\167\234\317\064\142\340\277\373\165
+\074\351\033\046\033\234\144
+END
+
+# Trust for Certificate "Xcert Root CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Xcert Root CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\041\021\164\054\135\202\325\257\325\231\114\122\004\123\125\050
+\104\361\154\261
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\226\201\231\014\155\262\211\205\303\331\200\234\063\273\076\031
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\073\061\041\060\037\006\003\125\004\012\023\030\130\143\145
+\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154
+\040\111\156\143\056\061\026\060\024\006\003\125\004\013\023\015
+\130\143\145\162\164\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\012\001\001\001\000\000\002\174\000\000\000\002\000\000\000\002
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Xcert Root CA 1024"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Xcert Root CA 1024"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\100\061\041\060\037\006\003\125\004\012\023\030\130\143\145
+\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154
+\040\111\156\143\056\061\033\060\031\006\003\125\004\013\023\022
+\130\143\145\162\164\040\122\157\157\164\040\103\101\040\061\060
+\062\064
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\100\061\041\060\037\006\003\125\004\012\023\030\130\143\145
+\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154
+\040\111\156\143\056\061\033\060\031\006\003\125\004\013\023\022
+\130\143\145\162\164\040\122\157\157\164\040\103\101\040\061\060
+\062\064
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\012\001\001\001\000\000\002\174\000\000\000\003\000\000\000\002
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\150\060\202\001\321\240\003\002\001\002\002\020\012
+\001\001\001\000\000\002\174\000\000\000\003\000\000\000\002\060
+\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\100
+\061\041\060\037\006\003\125\004\012\023\030\130\143\145\162\164
+\040\111\156\164\145\162\156\141\164\151\157\156\141\154\040\111
+\156\143\056\061\033\060\031\006\003\125\004\013\023\022\130\143
+\145\162\164\040\122\157\157\164\040\103\101\040\061\060\062\064
+\060\036\027\015\060\060\060\070\061\070\061\070\063\061\063\062
+\132\027\015\062\065\060\070\061\065\061\071\060\060\065\066\132
+\060\100\061\041\060\037\006\003\125\004\012\023\030\130\143\145
+\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154
+\040\111\156\143\056\061\033\060\031\006\003\125\004\013\023\022
+\130\143\145\162\164\040\122\157\157\164\040\103\101\040\061\060
+\062\064\060\201\237\060\015\006\011\052\206\110\206\367\015\001
+\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000\326
+\276\067\211\021\251\242\367\107\054\052\317\152\000\046\145\050
+\104\244\212\344\336\240\103\125\231\104\153\274\156\270\307\316
+\306\143\266\323\350\157\305\230\053\044\221\270\236\242\272\161
+\110\336\064\040\041\172\326\322\305\211\062\245\211\306\334\205
+\204\124\362\236\110\355\314\104\266\006\377\216\304\316\131\255
+\237\154\351\042\130\301\077\024\012\103\200\207\031\122\120\343
+\050\007\310\254\030\342\261\032\252\243\342\140\267\166\121\007
+\051\071\136\110\351\146\160\201\056\070\232\275\031\175\353\002
+\003\001\000\001\243\143\060\141\060\017\006\003\125\035\023\001
+\001\377\004\005\060\003\001\001\377\060\016\006\003\125\035\017
+\001\001\377\004\004\003\002\001\006\060\037\006\003\125\035\043
+\004\030\060\026\200\024\204\171\307\117\007\131\261\153\301\072
+\065\272\270\364\325\231\047\310\272\016\060\035\006\003\125\035
+\016\004\026\004\024\204\171\307\117\007\131\261\153\301\072\065
+\272\270\364\325\231\047\310\272\016\060\015\006\011\052\206\110
+\206\367\015\001\001\005\005\000\003\201\201\000\163\260\341\000
+\355\256\150\322\140\003\106\353\371\034\361\245\246\174\134\062
+\174\354\002\141\323\034\035\163\061\054\272\216\275\111\115\310
+\335\331\167\165\101\347\222\041\232\154\051\333\247\154\160\206
+\240\134\303\344\363\062\314\001\204\131\327\210\071\070\363\250
+\342\342\032\260\227\315\053\027\334\144\004\017\252\152\163\224
+\326\353\010\306\200\151\115\336\172\325\305\067\361\222\027\074
+\155\323\212\041\314\144\020\252\336\142\207\037\217\270\370\252
+\165\112\364\010\054\365\334\146\317\303\070\176
+END
+
+# Trust for Certificate "Xcert Root CA 1024"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Xcert Root CA 1024"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\054\245\040\131\044\213\336\160\224\354\326\313\143\116\176\051
+\207\004\113\220
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\304\040\322\322\017\140\113\244\062\340\221\324\040\113\111\270
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\100\061\041\060\037\006\003\125\004\012\023\030\130\143\145
+\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154
+\040\111\156\143\056\061\033\060\031\006\003\125\004\013\023\022
+\130\143\145\162\164\040\122\157\157\164\040\103\101\040\061\060
+\062\064
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\012\001\001\001\000\000\002\174\000\000\000\003\000\000\000\002
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Xcert Root CA v1"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Xcert Root CA v1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\076\061\041\060\037\006\003\125\004\012\023\030\130\143\145
+\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154
+\040\111\156\143\056\061\031\060\027\006\003\125\004\013\023\020
+\130\143\145\162\164\040\122\157\157\164\040\103\101\040\166\061
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\076\061\041\060\037\006\003\125\004\012\023\030\130\143\145
+\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154
+\040\111\156\143\056\061\031\060\027\006\003\125\004\013\023\020
+\130\143\145\162\164\040\122\157\157\164\040\103\101\040\166\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\012\001\001\001\000\000\002\174\000\000\000\004\000\000\000\002
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\377\060\202\001\347\002\020\012\001\001\001\000\000
+\002\174\000\000\000\004\000\000\000\002\060\015\006\011\052\206
+\110\206\367\015\001\001\005\005\000\060\076\061\041\060\037\006
+\003\125\004\012\023\030\130\143\145\162\164\040\111\156\164\145
+\162\156\141\164\151\157\156\141\154\040\111\156\143\056\061\031
+\060\027\006\003\125\004\013\023\020\130\143\145\162\164\040\122
+\157\157\164\040\103\101\040\166\061\060\036\027\015\060\060\060
+\070\061\070\061\070\064\060\065\060\132\027\015\062\065\060\070
+\061\065\061\071\060\060\063\070\132\060\076\061\041\060\037\006
+\003\125\004\012\023\030\130\143\145\162\164\040\111\156\164\145
+\162\156\141\164\151\157\156\141\154\040\111\156\143\056\061\031
+\060\027\006\003\125\004\013\023\020\130\143\145\162\164\040\122
+\157\157\164\040\103\101\040\166\061\060\202\001\042\060\015\006
+\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017
+\000\060\202\001\012\002\202\001\001\000\301\222\253\362\266\065
+\066\002\110\017\205\364\116\057\202\145\315\110\276\261\267\075
+\263\173\256\272\062\064\206\074\230\277\370\260\275\373\302\314
+\366\011\227\070\134\215\245\043\116\341\310\204\346\220\147\164
+\073\243\366\156\231\053\217\303\007\322\227\121\007\117\004\313
+\236\262\370\074\367\070\346\226\112\072\353\025\157\347\142\346
+\103\063\007\262\015\132\317\225\051\071\147\210\023\043\324\214
+\155\137\216\041\340\061\363\265\334\231\305\304\355\205\020\176
+\222\324\242\035\074\037\013\263\043\346\300\313\044\233\154\020
+\246\315\024\326\243\235\123\217\367\036\101\232\266\033\035\010
+\134\367\071\101\303\036\336\114\046\243\140\174\056\023\207\221
+\154\327\302\043\057\347\175\031\037\315\133\352\230\305\271\106
+\175\065\106\344\173\213\112\331\223\340\006\253\300\314\112\375
+\333\332\013\060\077\270\134\340\007\023\250\305\060\374\274\206
+\366\252\277\016\143\057\217\111\162\020\321\236\205\371\101\355
+\110\074\170\014\375\240\052\006\033\257\323\335\147\057\354\110
+\057\121\111\066\042\267\110\315\111\357\002\003\001\000\001\060
+\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003\202
+\001\001\000\250\334\263\040\056\375\127\110\020\017\346\215\140
+\122\033\166\035\234\146\240\157\372\150\006\330\247\234\313\241
+\014\216\045\350\256\307\337\072\160\255\251\370\052\044\274\274
+\307\252\307\011\267\273\020\351\037\132\325\242\001\106\213\005
+\304\243\165\111\013\100\307\261\153\237\333\130\026\143\062\204
+\132\020\215\142\226\253\230\146\233\272\372\126\010\033\272\142
+\363\357\071\153\374\144\261\311\256\357\136\224\341\242\200\371
+\010\203\026\022\066\226\331\011\220\331\230\072\257\075\205\330
+\221\052\222\034\134\271\314\325\134\163\070\216\173\163\122\014
+\272\237\362\216\277\310\174\012\023\272\162\221\240\073\040\357
+\211\052\303\014\200\151\126\163\020\364\140\031\340\036\026\112
+\144\253\374\106\072\320\013\323\227\261\134\331\234\254\030\072
+\040\007\172\042\371\267\020\145\272\354\346\123\324\252\344\303
+\101\274\233\337\302\335\232\001\106\324\216\105\355\311\312\026
+\064\204\215\062\124\074\124\142\220\215\032\146\122\315\372\034
+\314\014\374\261\343\223\310\247\331\353\150\143\217\320\176\056
+\055\335\051
+END
+
+# Trust for Certificate "Xcert Root CA v1"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Xcert Root CA v1"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\252\070\226\073\042\304\350\333\032\031\107\202\076\257\220\003
+\207\102\254\345
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\111\216\265\061\147\112\303\226\274\213\257\160\026\303\005\111
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\076\061\041\060\037\006\003\125\004\012\023\030\130\143\145
+\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154
+\040\111\156\143\056\061\031\060\027\006\003\125\004\013\023\020
+\130\143\145\162\164\040\122\157\157\164\040\103\101\040\166\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\012\001\001\001\000\000\002\174\000\000\000\004\000\000\000\002
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Xcert Root CA v1 1024"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Xcert Root CA v1 1024"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\103\061\041\060\037\006\003\125\004\012\023\030\130\143\145
+\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154
+\040\111\156\143\056\061\036\060\034\006\003\125\004\013\023\025
+\130\143\145\162\164\040\122\157\157\164\040\103\101\040\166\061
+\040\061\060\062\064
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\103\061\041\060\037\006\003\125\004\012\023\030\130\143\145
+\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154
+\040\111\156\143\056\061\036\060\034\006\003\125\004\013\023\025
+\130\143\145\162\164\040\122\157\157\164\040\103\101\040\166\061
+\040\061\060\062\064
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\012\001\001\001\000\000\002\174\000\000\000\005\000\000\000\002
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\004\060\202\001\155\002\020\012\001\001\001\000\000
+\002\174\000\000\000\005\000\000\000\002\060\015\006\011\052\206
+\110\206\367\015\001\001\005\005\000\060\103\061\041\060\037\006
+\003\125\004\012\023\030\130\143\145\162\164\040\111\156\164\145
+\162\156\141\164\151\157\156\141\154\040\111\156\143\056\061\036
+\060\034\006\003\125\004\013\023\025\130\143\145\162\164\040\122
+\157\157\164\040\103\101\040\166\061\040\061\060\062\064\060\036
+\027\015\060\060\060\070\061\070\061\070\065\060\065\066\132\027
+\015\062\065\060\070\061\065\061\071\060\061\060\070\132\060\103
+\061\041\060\037\006\003\125\004\012\023\030\130\143\145\162\164
+\040\111\156\164\145\162\156\141\164\151\157\156\141\154\040\111
+\156\143\056\061\036\060\034\006\003\125\004\013\023\025\130\143
+\145\162\164\040\122\157\157\164\040\103\101\040\166\061\040\061
+\060\062\064\060\201\237\060\015\006\011\052\206\110\206\367\015
+\001\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000
+\247\011\303\322\251\246\031\160\354\051\351\105\173\066\340\352
+\076\311\231\160\100\321\266\140\364\335\043\307\131\171\235\036
+\245\276\065\143\000\346\300\056\154\100\123\346\321\166\106\361
+\240\313\203\105\124\230\031\317\173\232\070\370\164\063\063\077
+\251\045\040\050\046\135\050\161\106\206\040\075\060\053\253\346
+\115\372\077\352\104\100\114\373\163\324\334\226\164\364\116\344
+\152\035\033\227\240\174\060\341\300\163\266\015\242\167\172\361
+\030\370\112\161\161\236\370\250\165\376\142\370\252\075\317\175
+\002\003\001\000\001\060\015\006\011\052\206\110\206\367\015\001
+\001\005\005\000\003\201\201\000\173\323\325\114\177\114\242\176
+\174\327\126\141\331\225\230\205\212\327\111\334\214\107\252\007
+\354\270\333\171\044\236\347\245\222\127\146\011\217\024\260\376
+\004\362\275\121\020\270\070\303\241\022\333\220\203\176\265\143
+\130\253\063\255\227\036\106\120\102\020\254\310\253\055\035\065
+\154\306\346\103\120\050\003\241\254\373\021\225\377\351\325\112
+\017\221\345\003\344\210\060\074\034\166\321\227\360\012\324\207
+\240\014\232\217\141\316\332\176\162\263\073\120\300\200\204\017
+\041\040\224\150\052\332\214\276
+END
+
+# Trust for Certificate "Xcert Root CA v1 1024"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Xcert Root CA v1 1024"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\042\072\107\064\216\347\211\332\165\206\073\031\062\260\146\340
+\264\121\247\064
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\100\212\076\322\066\036\040\237\374\055\066\253\350\371\202\062
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\103\061\041\060\037\006\003\125\004\012\023\030\130\143\145
+\162\164\040\111\156\164\145\162\156\141\164\151\157\156\141\154
+\040\111\156\143\056\061\036\060\034\006\003\125\004\013\023\025
+\130\143\145\162\164\040\122\157\157\164\040\103\101\040\166\061
+\040\061\060\062\064
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\012\001\001\001\000\000\002\174\000\000\000\005\000\000\000\002
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Xcert EZ"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Xcert EZ"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\214\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061
+\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114
+\141\153\145\040\103\151\164\171\061\030\060\026\006\003\125\004
+\012\023\017\130\143\145\162\164\040\105\132\040\142\171\040\104
+\123\124\061\030\060\026\006\003\125\004\003\023\017\130\143\145
+\162\164\040\105\132\040\142\171\040\104\123\124\061\041\060\037
+\006\011\052\206\110\206\367\015\001\011\001\026\022\143\141\100
+\144\151\147\163\151\147\164\162\165\163\164\056\143\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\214\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061
+\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114
+\141\153\145\040\103\151\164\171\061\030\060\026\006\003\125\004
+\012\023\017\130\143\145\162\164\040\105\132\040\142\171\040\104
+\123\124\061\030\060\026\006\003\125\004\003\023\017\130\143\145
+\162\164\040\105\132\040\142\171\040\104\123\124\061\041\060\037
+\006\011\052\206\110\206\367\015\001\011\001\026\022\143\141\100
+\144\151\147\163\151\147\164\162\165\163\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\320\036\100\220\000\000\047\113\000\000\000\001\000\000\000
+\004
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\370\060\202\002\340\240\003\002\001\002\002\021\000
+\320\036\100\220\000\000\047\113\000\000\000\001\000\000\000\004
+\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+\201\214\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061\027
+\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141
+\153\145\040\103\151\164\171\061\030\060\026\006\003\125\004\012
+\023\017\130\143\145\162\164\040\105\132\040\142\171\040\104\123
+\124\061\030\060\026\006\003\125\004\003\023\017\130\143\145\162
+\164\040\105\132\040\142\171\040\104\123\124\061\041\060\037\006
+\011\052\206\110\206\367\015\001\011\001\026\022\143\141\100\144
+\151\147\163\151\147\164\162\165\163\164\056\143\157\155\060\036
+\027\015\071\071\060\067\061\064\061\066\061\064\061\070\132\027
+\015\060\071\060\067\061\061\061\066\061\064\061\070\132\060\201
+\214\061\013\060\011\006\003\125\004\006\023\002\125\123\061\015
+\060\013\006\003\125\004\010\023\004\125\164\141\150\061\027\060
+\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
+\145\040\103\151\164\171\061\030\060\026\006\003\125\004\012\023
+\017\130\143\145\162\164\040\105\132\040\142\171\040\104\123\124
+\061\030\060\026\006\003\125\004\003\023\017\130\143\145\162\164
+\040\105\132\040\142\171\040\104\123\124\061\041\060\037\006\011
+\052\206\110\206\367\015\001\011\001\026\022\143\141\100\144\151
+\147\163\151\147\164\162\165\163\164\056\143\157\155\060\202\001
+\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000
+\003\202\001\017\000\060\202\001\012\002\202\001\001\000\255\124
+\030\336\264\277\367\255\350\164\252\355\213\174\217\302\324\165
+\032\325\204\271\266\142\374\211\357\344\227\141\222\373\035\270
+\341\132\107\064\236\236\006\042\373\323\352\070\313\270\213\007
+\367\032\240\027\167\007\132\060\034\324\051\070\040\327\047\100
+\330\120\223\103\277\322\030\242\051\166\005\162\252\153\266\151
+\230\253\171\036\034\145\365\152\213\374\305\026\252\242\162\332
+\140\355\116\156\031\045\172\012\035\060\343\120\233\102\074\104
+\353\241\260\040\036\333\002\176\376\075\037\277\320\000\212\333
+\100\166\246\030\245\025\247\127\266\122\302\001\027\230\167\217
+\212\201\306\032\264\152\052\346\257\251\326\000\254\317\330\025
+\111\174\333\033\241\376\201\372\207\371\323\220\301\002\300\371
+\320\102\351\221\150\045\137\306\277\207\071\351\225\000\140\050
+\277\203\054\300\347\136\266\327\066\026\347\140\207\166\350\347
+\047\262\045\015\213\172\345\252\035\345\131\315\316\013\016\157
+\306\310\234\343\020\331\205\071\323\267\233\372\306\272\174\164
+\322\135\165\126\253\164\244\242\121\277\122\174\356\161\002\003
+\001\000\001\243\123\060\121\060\017\006\003\125\035\023\001\001
+\377\004\005\060\003\001\001\377\060\037\006\003\125\035\043\004
+\030\060\026\200\024\010\040\154\146\353\201\012\154\134\325\265
+\246\074\101\335\034\226\221\047\167\060\035\006\003\125\035\016
+\004\026\004\024\010\040\154\146\353\201\012\154\134\325\265\246
+\074\101\335\034\226\221\047\167\060\015\006\011\052\206\110\206
+\367\015\001\001\005\005\000\003\202\001\001\000\132\207\130\217
+\055\253\166\041\153\124\014\331\361\101\366\116\315\053\236\343
+\037\233\243\055\177\331\053\175\130\310\147\244\051\365\351\354
+\325\275\226\077\243\163\370\304\133\066\174\320\143\054\064\071
+\233\110\270\075\157\366\024\305\236\143\346\247\064\156\323\350
+\063\263\307\074\030\156\043\256\103\222\231\077\230\305\151\060
+\361\066\073\255\271\060\202\326\266\131\026\226\002\013\051\022
+\141\264\021\211\367\014\057\224\220\205\230\050\234\123\154\176
+\143\335\163\364\031\377\112\201\321\262\122\043\375\074\112\064
+\316\132\033\340\120\212\355\117\201\225\330\140\347\344\304\015
+\273\130\076\130\367\116\150\157\076\147\311\313\172\227\026\047
+\354\102\141\024\166\273\000\305\353\010\075\025\177\113\266\042
+\135\207\073\220\364\363\300\376\067\263\351\331\142\014\300\303
+\131\257\140\275\037\015\333\241\064\037\060\304\075\213\255\260
+\035\004\223\355\137\325\344\277\040\060\004\364\110\351\063\001
+\321\056\220\047\122\263\233\336\072\034\253\251\227\177\233\353
+\302\215\302\155\354\334\023\323\106\305\171\174
+END
+
+# Trust for Certificate "Xcert EZ"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Xcert EZ"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\150\355\030\263\011\315\122\221\300\323\065\174\035\021\101\277
+\210\070\146\261
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\202\022\367\211\341\013\221\140\244\266\042\237\224\150\021\222
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\214\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\015\060\013\006\003\125\004\010\023\004\125\164\141\150\061
+\027\060\025\006\003\125\004\007\023\016\123\141\154\164\040\114
+\141\153\145\040\103\151\164\171\061\030\060\026\006\003\125\004
+\012\023\017\130\143\145\162\164\040\105\132\040\142\171\040\104
+\123\124\061\030\060\026\006\003\125\004\003\023\017\130\143\145
+\162\164\040\105\132\040\142\171\040\104\123\124\061\041\060\037
+\006\011\052\206\110\206\367\015\001\011\001\026\022\143\141\100
+\144\151\147\163\151\147\164\162\165\163\164\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\320\036\100\220\000\000\047\113\000\000\000\001\000\000\000
+\004
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "CertEngine CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "CertEngine CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101
+\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060
+\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061
+\030\060\026\006\003\125\004\012\023\017\103\145\162\164\105\156
+\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125
+\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151
+\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\143
+\145\162\164\145\156\147\151\156\145\061\040\060\036\006\011\052
+\206\110\206\367\015\001\011\001\026\021\143\141\100\143\145\162
+\164\145\156\147\151\156\145\056\143\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101
+\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060
+\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061
+\030\060\026\006\003\125\004\012\023\017\103\145\162\164\105\156
+\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125
+\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151
+\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\143
+\145\162\164\145\156\147\151\156\145\061\040\060\036\006\011\052
+\206\110\206\367\015\001\011\001\026\021\143\141\100\143\145\162
+\164\145\156\147\151\156\145\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\335\060\202\002\305\240\003\002\001\002\002\001\000
+\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101\061
+\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060\016
+\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061\030
+\060\026\006\003\125\004\012\023\017\103\145\162\164\105\156\147
+\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125\004
+\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157\156
+\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151\163
+\151\157\156\061\023\060\021\006\003\125\004\003\023\012\143\145
+\162\164\145\156\147\151\156\145\061\040\060\036\006\011\052\206
+\110\206\367\015\001\011\001\026\021\143\141\100\143\145\162\164
+\145\156\147\151\156\145\056\143\157\155\060\036\027\015\071\070
+\060\061\060\061\060\060\060\060\060\060\132\027\015\063\070\060
+\061\061\067\060\060\060\060\060\060\132\060\201\250\061\013\060
+\011\006\003\125\004\006\023\002\103\101\061\013\060\011\006\003
+\125\004\010\023\002\117\116\061\020\060\016\006\003\125\004\007
+\023\007\124\157\162\157\156\164\157\061\030\060\026\006\003\125
+\004\012\023\017\103\145\162\164\105\156\147\151\156\145\040\111
+\156\143\056\061\051\060\047\006\003\125\004\013\023\040\103\145
+\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
+\157\162\151\164\171\040\104\151\166\151\163\151\157\156\061\023
+\060\021\006\003\125\004\003\023\012\143\145\162\164\145\156\147
+\151\156\145\061\040\060\036\006\011\052\206\110\206\367\015\001
+\011\001\026\021\143\141\100\143\145\162\164\145\156\147\151\156
+\145\056\143\157\155\060\202\001\042\060\015\006\011\052\206\110
+\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001
+\012\002\202\001\001\000\355\244\327\121\024\241\151\345\155\366
+\357\335\077\164\066\165\130\233\336\064\302\146\361\062\163\254
+\237\244\150\032\141\147\260\135\153\217\340\163\222\174\216\041
+\031\226\345\156\231\176\167\062\134\351\030\341\107\352\140\270
+\204\155\155\076\105\044\037\022\044\150\321\252\213\243\004\103
+\220\073\033\125\265\315\237\214\317\103\252\035\042\072\363\026
+\131\056\233\273\021\306\347\221\225\254\160\020\150\356\107\134
+\104\234\051\000\132\365\234\215\232\224\227\075\061\001\254\063
+\036\217\123\200\030\351\034\347\156\077\115\232\340\024\361\170
+\002\042\113\056\114\102\160\377\015\273\065\012\225\155\326\314
+\323\022\112\200\255\216\105\012\313\214\043\110\271\100\130\041
+\114\321\077\103\177\257\376\147\306\124\101\074\307\240\240\203
+\235\301\371\102\174\247\167\260\345\073\002\220\330\234\060\305
+\030\130\032\041\225\115\103\164\031\112\273\250\015\165\221\155
+\376\276\166\305\172\302\220\136\201\172\243\143\325\307\333\066
+\141\173\342\043\143\127\135\110\331\322\225\147\262\161\102\163
+\216\117\233\305\350\217\002\003\001\000\001\243\020\060\016\060
+\014\006\003\125\035\023\004\005\060\003\001\001\377\060\015\006
+\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001
+\000\117\375\241\316\050\235\064\002\114\334\364\165\214\325\175
+\364\206\125\231\024\026\220\213\212\152\017\205\041\223\317\251
+\053\074\360\024\376\103\104\260\116\317\304\330\005\273\135\136
+\264\272\207\025\114\257\153\052\132\150\125\222\354\236\245\150
+\107\145\254\312\033\041\330\377\055\005\154\345\354\173\000\025
+\325\014\161\113\054\173\275\357\075\244\042\257\343\374\064\255
+\007\017\367\136\242\035\317\030\375\060\251\233\076\336\041\066
+\267\030\207\176\360\177\327\115\240\142\360\140\151\365\177\116
+\303\311\266\344\131\204\007\123\123\371\342\160\171\373\337\164
+\252\060\217\056\055\112\212\312\165\157\336\046\312\161\066\344
+\322\104\151\224\313\301\273\325\156\135\142\370\051\002\134\172
+\231\331\307\313\074\104\032\364\130\064\322\066\155\055\042\175
+\170\033\020\123\126\251\046\254\366\255\370\171\256\112\072\231
+\011\273\304\377\053\045\337\111\276\253\074\353\001\111\275\055
+\300\312\060\300\153\102\124\175\202\340\274\077\363\072\064\022
+\070\114\245\063\254\075\253\233\343\117\017\255\237\215\103\146
+\345
+END
+
+# Trust for Certificate "CertEngine CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "CertEngine CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\301\202\340\336\254\032\145\113\262\022\013\204\012\205\326\300
+\267\077\264\154
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\072\276\220\341\242\032\164\211\157\217\240\057\040\204\350\123
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101
+\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060
+\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061
+\030\060\026\006\003\125\004\012\023\017\103\145\162\164\105\156
+\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125
+\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151
+\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\143
+\145\162\164\145\156\147\151\156\145\061\040\060\036\006\011\052
+\206\110\206\367\015\001\011\001\026\021\143\141\100\143\145\162
+\164\145\156\147\151\156\145\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "BankEngine CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "BankEngine CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101
+\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060
+\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061
+\030\060\026\006\003\125\004\012\023\017\102\141\156\153\105\156
+\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125
+\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151
+\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\142
+\141\156\153\145\156\147\151\156\145\061\040\060\036\006\011\052
+\206\110\206\367\015\001\011\001\026\021\143\141\100\142\141\156
+\153\145\156\147\151\156\145\056\143\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101
+\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060
+\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061
+\030\060\026\006\003\125\004\012\023\017\102\141\156\153\105\156
+\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125
+\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151
+\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\142
+\141\156\153\145\156\147\151\156\145\061\040\060\036\006\011\052
+\206\110\206\367\015\001\011\001\026\021\143\141\100\142\141\156
+\153\145\156\147\151\156\145\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\335\060\202\002\305\240\003\002\001\002\002\001\000
+\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101\061
+\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060\016
+\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061\030
+\060\026\006\003\125\004\012\023\017\102\141\156\153\105\156\147
+\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125\004
+\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157\156
+\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151\163
+\151\157\156\061\023\060\021\006\003\125\004\003\023\012\142\141
+\156\153\145\156\147\151\156\145\061\040\060\036\006\011\052\206
+\110\206\367\015\001\011\001\026\021\143\141\100\142\141\156\153
+\145\156\147\151\156\145\056\143\157\155\060\036\027\015\071\070
+\060\061\060\061\060\060\060\060\060\060\132\027\015\063\070\060
+\061\061\067\060\060\060\060\060\060\132\060\201\250\061\013\060
+\011\006\003\125\004\006\023\002\103\101\061\013\060\011\006\003
+\125\004\010\023\002\117\116\061\020\060\016\006\003\125\004\007
+\023\007\124\157\162\157\156\164\157\061\030\060\026\006\003\125
+\004\012\023\017\102\141\156\153\105\156\147\151\156\145\040\111
+\156\143\056\061\051\060\047\006\003\125\004\013\023\040\103\145
+\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
+\157\162\151\164\171\040\104\151\166\151\163\151\157\156\061\023
+\060\021\006\003\125\004\003\023\012\142\141\156\153\145\156\147
+\151\156\145\061\040\060\036\006\011\052\206\110\206\367\015\001
+\011\001\026\021\143\141\100\142\141\156\153\145\156\147\151\156
+\145\056\143\157\155\060\202\001\042\060\015\006\011\052\206\110
+\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001
+\012\002\202\001\001\000\327\202\350\115\100\045\327\370\104\313
+\342\241\326\102\307\210\027\126\333\060\367\127\202\041\063\274
+\161\115\122\254\142\302\007\347\251\353\353\320\023\114\214\124
+\077\176\236\107\067\231\327\176\352\267\120\061\034\130\303\012
+\047\144\336\155\124\227\251\171\364\372\350\075\354\135\262\122
+\313\063\151\351\063\167\366\162\327\240\372\332\062\211\210\222
+\020\222\243\313\062\056\327\021\165\217\332\263\032\114\246\111
+\217\370\016\305\313\144\331\075\025\247\063\304\311\077\072\207
+\072\072\315\114\334\013\336\254\276\025\033\212\330\041\276\237
+\171\035\366\160\202\211\365\015\137\032\354\212\223\270\251\253
+\125\320\174\365\274\153\304\340\145\326\307\155\356\324\364\151
+\067\211\253\006\060\161\357\245\037\104\247\171\206\156\007\123
+\271\017\174\110\021\056\043\007\265\005\100\206\203\363\027\245
+\134\270\360\303\127\174\003\050\264\030\006\303\212\145\367\052
+\222\214\311\342\330\120\176\023\324\075\014\161\154\331\030\027
+\062\254\312\272\217\063\160\374\112\307\151\031\350\012\343\363
+\355\273\167\015\234\225\002\003\001\000\001\243\020\060\016\060
+\014\006\003\125\035\023\004\005\060\003\001\001\377\060\015\006
+\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001
+\000\132\272\352\107\137\321\041\244\057\353\347\267\172\157\231
+\044\171\153\350\202\174\110\077\337\377\114\356\042\303\172\233
+\314\205\304\220\365\346\046\154\025\316\134\350\050\225\252\213
+\046\276\153\015\175\110\375\076\033\240\263\260\123\201\243\377
+\136\206\154\376\205\237\033\205\205\370\062\071\126\315\176\156
+\116\171\041\317\136\366\217\327\316\005\111\253\115\123\344\161
+\022\054\353\070\302\017\223\320\000\152\001\074\375\177\145\334
+\266\067\176\245\147\105\073\226\015\073\072\230\253\217\374\211
+\075\042\136\063\150\364\177\002\005\002\272\042\125\311\057\165
+\075\001\127\000\172\113\367\017\150\004\006\076\010\133\156\275
+\130\031\051\230\254\312\342\112\377\066\344\202\311\121\374\163
+\254\226\056\234\144\175\026\046\075\071\276\376\217\002\160\211
+\223\022\340\054\122\076\113\156\267\032\377\336\023\257\257\137
+\200\055\056\310\161\126\244\206\020\067\076\346\100\045\267\107
+\025\027\045\107\332\214\063\306\201\234\026\146\177\345\057\334
+\255\356\205\077\224\007\074\330\353\236\024\365\210\265\045\211
+\300
+END
+
+# Trust for Certificate "BankEngine CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "BankEngine CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\174\366\047\174\203\221\226\137\011\161\303\227\066\111\273\003
+\233\175\076\211
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\077\126\162\302\341\064\321\166\123\063\106\341\215\272\223\166
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101
+\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060
+\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061
+\030\060\026\006\003\125\004\012\023\017\102\141\156\153\105\156
+\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125
+\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151
+\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\142
+\141\156\153\145\156\147\151\156\145\061\040\060\036\006\011\052
+\206\110\206\367\015\001\011\001\026\021\143\141\100\142\141\156
+\153\145\156\147\151\156\145\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "FortEngine CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "FortEngine CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101
+\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060
+\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061
+\030\060\026\006\003\125\004\012\023\017\106\157\162\164\105\156
+\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125
+\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151
+\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\146
+\157\162\164\145\156\147\151\156\145\061\040\060\036\006\011\052
+\206\110\206\367\015\001\011\001\026\021\143\141\100\146\157\162
+\164\145\156\147\151\156\145\056\143\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101
+\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060
+\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061
+\030\060\026\006\003\125\004\012\023\017\106\157\162\164\105\156
+\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125
+\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151
+\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\146
+\157\162\164\145\156\147\151\156\145\061\040\060\036\006\011\052
+\206\110\206\367\015\001\011\001\026\021\143\141\100\146\157\162
+\164\145\156\147\151\156\145\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\335\060\202\003\305\240\003\002\001\002\002\001\000
+\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101\061
+\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060\016
+\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061\030
+\060\026\006\003\125\004\012\023\017\106\157\162\164\105\156\147
+\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125\004
+\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157\156
+\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151\163
+\151\157\156\061\023\060\021\006\003\125\004\003\023\012\146\157
+\162\164\145\156\147\151\156\145\061\040\060\036\006\011\052\206
+\110\206\367\015\001\011\001\026\021\143\141\100\146\157\162\164
+\145\156\147\151\156\145\056\143\157\155\060\036\027\015\071\070
+\060\061\060\061\060\060\060\060\060\060\132\027\015\063\070\060
+\061\061\067\060\060\060\060\060\060\132\060\201\250\061\013\060
+\011\006\003\125\004\006\023\002\103\101\061\013\060\011\006\003
+\125\004\010\023\002\117\116\061\020\060\016\006\003\125\004\007
+\023\007\124\157\162\157\156\164\157\061\030\060\026\006\003\125
+\004\012\023\017\106\157\162\164\105\156\147\151\156\145\040\111
+\156\143\056\061\051\060\047\006\003\125\004\013\023\040\103\145
+\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
+\157\162\151\164\171\040\104\151\166\151\163\151\157\156\061\023
+\060\021\006\003\125\004\003\023\012\146\157\162\164\145\156\147
+\151\156\145\061\040\060\036\006\011\052\206\110\206\367\015\001
+\011\001\026\021\143\141\100\146\157\162\164\145\156\147\151\156
+\145\056\143\157\155\060\202\002\042\060\015\006\011\052\206\110
+\206\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002
+\012\002\202\002\001\000\312\276\306\156\234\003\307\035\157\334
+\106\033\243\110\034\073\351\142\200\110\145\016\241\266\173\273
+\277\001\265\206\241\120\052\163\317\252\351\253\224\045\113\163
+\342\056\350\207\114\215\151\333\265\243\331\051\135\157\263\236
+\110\016\323\071\153\202\061\254\222\252\214\073\132\050\246\234
+\323\045\321\162\374\377\040\107\254\165\042\353\367\221\153\127
+\072\354\360\074\361\043\277\117\113\132\130\162\046\303\176\241
+\116\063\265\065\137\323\262\064\103\334\330\272\227\050\015\016
+\174\134\244\141\170\217\112\164\060\166\015\204\246\307\054\000
+\131\042\320\300\207\206\321\006\273\202\372\044\171\011\151\222
+\011\004\013\273\342\021\347\011\337\276\166\051\160\111\036\170
+\173\002\316\165\233\031\345\246\141\272\260\074\272\354\111\142
+\034\074\071\264\161\023\106\246\355\236\307\006\006\073\044\031
+\000\152\107\234\155\357\344\047\236\330\131\254\337\007\044\160
+\350\153\334\340\031\352\141\302\054\341\220\276\070\225\162\305
+\140\257\126\345\170\105\155\271\160\331\317\246\001\301\344\242
+\104\142\300\076\302\075\342\050\310\075\232\374\227\060\336\176
+\141\172\002\223\224\330\135\340\021\106\124\136\211\107\270\005
+\070\131\066\101\361\327\212\336\156\266\033\042\217\325\341\227
+\265\200\201\005\052\056\010\040\017\323\051\206\243\337\342\166
+\072\350\346\124\045\137\131\262\140\176\101\372\174\122\054\301
+\321\140\016\172\006\234\264\245\162\106\241\355\105\257\212\040
+\105\320\134\333\131\202\067\046\062\117\102\142\103\364\234\206
+\312\266\002\227\150\176\276\365\123\007\064\352\362\012\161\104
+\356\224\254\270\365\044\312\231\334\025\140\207\031\047\242\024
+\355\360\343\016\011\341\313\045\267\020\100\015\014\361\175\033
+\271\051\231\345\116\204\015\355\265\151\043\364\067\326\325\127
+\023\226\343\254\227\052\350\350\377\071\072\231\334\200\376\072
+\246\344\121\320\040\322\010\043\104\247\023\203\031\313\035\337
+\300\154\314\311\350\373\034\224\060\337\355\302\354\321\144\245
+\304\314\120\107\374\371\154\324\223\326\263\155\117\332\354\212
+\375\223\072\027\357\010\034\116\364\003\243\006\052\016\360\362
+\316\323\175\207\114\321\002\003\001\000\001\243\020\060\016\060
+\014\006\003\125\035\023\004\005\060\003\001\001\377\060\015\006
+\011\052\206\110\206\367\015\001\001\005\005\000\003\202\002\001
+\000\127\040\151\075\147\323\331\123\262\275\132\154\224\142\261
+\362\035\076\011\143\374\162\051\162\200\144\155\144\236\135\000
+\234\334\377\375\121\020\001\335\274\257\223\201\236\005\243\075
+\335\250\170\127\043\344\115\067\101\151\316\345\232\140\310\326
+\145\064\264\220\011\234\071\013\206\143\123\250\340\361\245\074
+\162\066\326\223\163\333\332\005\015\062\153\321\231\213\004\236
+\011\051\133\004\332\312\011\203\236\143\166\117\114\144\160\073
+\053\377\373\034\177\121\262\152\326\144\341\071\015\220\345\257
+\032\172\372\166\242\306\023\060\236\123\312\052\053\010\313\321
+\215\145\103\352\031\325\026\000\023\035\007\360\124\125\123\145
+\065\116\123\265\152\110\135\100\245\061\337\032\371\352\012\160
+\213\101\171\205\350\302\101\316\006\230\247\076\100\327\335\311
+\105\014\205\037\132\054\064\106\215\074\263\304\253\254\132\221
+\361\054\360\156\270\371\331\173\365\104\316\172\240\152\202\216
+\171\057\045\313\161\212\023\203\127\263\134\247\032\000\026\062
+\031\242\100\350\233\112\272\314\372\353\115\113\013\025\012\057
+\076\132\057\163\174\071\206\140\013\210\063\054\205\244\357\023
+\131\346\334\373\047\343\044\076\026\124\104\361\352\123\146\264
+\042\040\154\251\146\106\102\352\127\063\322\146\032\302\347\226
+\161\070\130\130\141\141\124\156\044\265\014\316\216\063\121\260
+\334\150\245\157\226\355\301\165\315\004\361\211\145\003\237\022
+\012\112\076\340\265\324\066\216\053\233\304\101\041\175\126\240
+\257\300\314\264\007\034\065\124\331\125\104\151\032\056\172\116
+\233\116\072\352\055\255\072\252\013\355\206\276\045\270\206\134
+\157\166\371\256\100\335\016\225\171\124\303\074\366\116\274\134
+\025\251\215\236\340\071\342\126\160\377\306\253\056\334\154\026
+\141\353\162\163\360\347\177\265\262\233\246\054\075\022\345\111
+\061\034\333\270\322\036\213\041\132\131\317\161\376\322\262\363
+\270\132\037\115\370\262\062\067\037\053\140\062\035\004\340\120
+\046\354\256\370\015\270\260\320\121\274\205\031\127\041\164\125
+\044\207\073\127\334\070\104\126\174\147\236\272\130\340\025\143
+\101\324\352\130\213\360\356\121\245\112\340\302\217\021\020\000
+\347
+END
+
+# Trust for Certificate "FortEngine CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "FortEngine CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\101\101\246\125\070\252\007\017\342\231\174\272\223\237\274\221
+\355\012\034\116
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\225\015\273\365\336\111\267\072\266\302\311\233\100\106\036\155
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101
+\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060
+\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061
+\030\060\026\006\003\125\004\012\023\017\106\157\162\164\105\156
+\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125
+\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151
+\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\146
+\157\162\164\145\156\147\151\156\145\061\040\060\036\006\011\052
+\206\110\206\367\015\001\011\001\026\021\143\141\100\146\157\162
+\164\145\156\147\151\156\145\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "MailEngine CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "MailEngine CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101
+\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060
+\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061
+\030\060\026\006\003\125\004\012\023\017\115\141\151\154\105\156
+\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125
+\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151
+\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\155
+\141\151\154\145\156\147\151\156\145\061\040\060\036\006\011\052
+\206\110\206\367\015\001\011\001\026\021\143\141\100\155\141\151
+\154\145\156\147\151\156\145\056\143\157\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101
+\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060
+\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061
+\030\060\026\006\003\125\004\012\023\017\115\141\151\154\105\156
+\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125
+\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151
+\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\155
+\141\151\154\145\156\147\151\156\145\061\040\060\036\006\011\052
+\206\110\206\367\015\001\011\001\026\021\143\141\100\155\141\151
+\154\145\156\147\151\156\145\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\335\060\202\002\305\240\003\002\001\002\002\001\000
+\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101\061
+\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060\016
+\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061\030
+\060\026\006\003\125\004\012\023\017\115\141\151\154\105\156\147
+\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125\004
+\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157\156
+\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151\163
+\151\157\156\061\023\060\021\006\003\125\004\003\023\012\155\141
+\151\154\145\156\147\151\156\145\061\040\060\036\006\011\052\206
+\110\206\367\015\001\011\001\026\021\143\141\100\155\141\151\154
+\145\156\147\151\156\145\056\143\157\155\060\036\027\015\071\070
+\060\061\060\061\060\060\060\060\060\060\132\027\015\063\070\060
+\061\061\067\060\060\060\060\060\060\132\060\201\250\061\013\060
+\011\006\003\125\004\006\023\002\103\101\061\013\060\011\006\003
+\125\004\010\023\002\117\116\061\020\060\016\006\003\125\004\007
+\023\007\124\157\162\157\156\164\157\061\030\060\026\006\003\125
+\004\012\023\017\115\141\151\154\105\156\147\151\156\145\040\111
+\156\143\056\061\051\060\047\006\003\125\004\013\023\040\103\145
+\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
+\157\162\151\164\171\040\104\151\166\151\163\151\157\156\061\023
+\060\021\006\003\125\004\003\023\012\155\141\151\154\145\156\147
+\151\156\145\061\040\060\036\006\011\052\206\110\206\367\015\001
+\011\001\026\021\143\141\100\155\141\151\154\145\156\147\151\156
+\145\056\143\157\155\060\202\001\042\060\015\006\011\052\206\110
+\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001
+\012\002\202\001\001\000\251\171\237\261\117\245\307\343\105\232
+\176\255\067\136\321\114\354\232\165\321\352\056\172\377\336\274
+\304\014\214\223\365\063\176\264\137\123\033\270\346\053\271\111
+\046\270\371\152\264\067\235\061\132\054\137\011\270\320\366\123
+\134\377\160\263\360\353\364\327\373\133\104\336\375\302\065\100
+\322\215\250\254\311\100\342\123\052\167\114\117\041\060\303\063
+\315\366\120\237\102\154\032\003\141\205\154\152\313\070\341\105
+\001\255\050\276\076\306\331\374\126\301\177\363\061\240\145\211
+\036\356\171\146\124\254\377\026\311\103\025\071\315\242\207\113
+\004\001\006\212\357\111\101\057\152\252\226\322\263\155\015\165
+\236\213\134\362\366\003\210\223\216\173\015\024\025\267\214\203
+\025\042\177\311\125\134\232\311\305\073\271\355\250\026\370\203
+\274\263\151\221\126\134\107\260\076\216\062\035\042\351\216\163
+\225\122\027\114\273\313\276\034\100\056\130\302\104\166\230\262
+\273\120\026\003\053\243\102\143\173\132\374\056\014\360\333\014
+\320\132\146\275\031\164\370\015\142\275\233\125\302\242\075\361
+\334\103\266\236\307\171\002\003\001\000\001\243\020\060\016\060
+\014\006\003\125\035\023\004\005\060\003\001\001\377\060\015\006
+\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001
+\000\043\174\331\371\004\054\361\312\120\103\152\101\120\031\142
+\204\374\376\067\075\030\233\060\341\063\175\336\376\017\066\330
+\130\207\244\243\075\342\323\100\360\240\175\333\352\076\040\302
+\120\311\104\003\252\341\321\172\374\373\177\270\023\207\016\217
+\350\247\347\237\373\321\053\230\243\335\371\350\127\067\330\167
+\355\006\334\161\070\063\354\073\125\300\016\042\106\120\321\056
+\273\276\046\345\363\117\343\254\010\173\205\144\303\213\047\342
+\203\330\220\006\207\165\272\360\230\335\160\271\053\225\312\155
+\001\115\060\163\226\216\034\363\337\020\027\110\152\037\062\361
+\013\115\315\164\125\316\200\155\363\074\357\200\040\021\221\174
+\123\113\153\277\365\006\227\107\130\114\057\102\155\016\004\022
+\111\326\172\051\337\022\067\254\263\253\020\376\156\346\003\346
+\303\237\046\150\301\027\371\367\226\241\107\064\301\347\234\145
+\362\331\060\027\146\322\000\133\067\337\123\160\064\160\143\301
+\067\241\131\323\156\232\363\241\333\027\125\370\223\354\154\316
+\026\311\273\370\244\163\074\256\132\160\211\042\015\337\115\204
+\203
+END
+
+# Trust for Certificate "MailEngine CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "MailEngine CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\052\175\170\152\226\012\241\132\305\231\364\361\115\344\004\057
+\271\134\173\220
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\257\331\256\074\245\337\007\060\040\273\005\006\306\111\161\123
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\250\061\013\060\011\006\003\125\004\006\023\002\103\101
+\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060
+\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061
+\030\060\026\006\003\125\004\012\023\017\115\141\151\154\105\156
+\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003\125
+\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166\151
+\163\151\157\156\061\023\060\021\006\003\125\004\003\023\012\155
+\141\151\154\145\156\147\151\156\145\061\040\060\036\006\011\052
+\206\110\206\367\015\001\011\001\026\021\143\141\100\155\141\151
+\154\145\156\147\151\156\145\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "TraderEngine CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TraderEngine CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\256\061\013\060\011\006\003\125\004\006\023\002\103\101
+\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060
+\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061
+\032\060\030\006\003\125\004\012\023\021\124\162\141\144\145\162
+\105\156\147\151\156\145\040\111\156\143\056\061\051\060\047\006
+\003\125\004\013\023\040\103\145\162\164\151\146\151\143\141\164
+\151\157\156\040\101\165\164\150\157\162\151\164\171\040\104\151
+\166\151\163\151\157\156\061\025\060\023\006\003\125\004\003\023
+\014\164\162\141\144\145\162\145\156\147\151\156\145\061\042\060
+\040\006\011\052\206\110\206\367\015\001\011\001\026\023\143\141
+\100\164\162\141\144\145\162\145\156\147\151\156\145\056\143\157
+\155
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\256\061\013\060\011\006\003\125\004\006\023\002\103\101
+\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060
+\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061
+\032\060\030\006\003\125\004\012\023\021\124\162\141\144\145\162
+\105\156\147\151\156\145\040\111\156\143\056\061\051\060\047\006
+\003\125\004\013\023\040\103\145\162\164\151\146\151\143\141\164
+\151\157\156\040\101\165\164\150\157\162\151\164\171\040\104\151
+\166\151\163\151\157\156\061\025\060\023\006\003\125\004\003\023
+\014\164\162\141\144\145\162\145\156\147\151\156\145\061\042\060
+\040\006\011\052\206\110\206\367\015\001\011\001\026\023\143\141
+\100\164\162\141\144\145\162\145\156\147\151\156\145\056\143\157
+\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\351\060\202\002\321\240\003\002\001\002\002\001\000
+\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+\201\256\061\013\060\011\006\003\125\004\006\023\002\103\101\061
+\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060\016
+\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061\032
+\060\030\006\003\125\004\012\023\021\124\162\141\144\145\162\105
+\156\147\151\156\145\040\111\156\143\056\061\051\060\047\006\003
+\125\004\013\023\040\103\145\162\164\151\146\151\143\141\164\151
+\157\156\040\101\165\164\150\157\162\151\164\171\040\104\151\166
+\151\163\151\157\156\061\025\060\023\006\003\125\004\003\023\014
+\164\162\141\144\145\162\145\156\147\151\156\145\061\042\060\040
+\006\011\052\206\110\206\367\015\001\011\001\026\023\143\141\100
+\164\162\141\144\145\162\145\156\147\151\156\145\056\143\157\155
+\060\036\027\015\071\070\060\061\060\061\060\060\060\060\060\060
+\132\027\015\063\070\060\061\061\067\060\060\060\060\060\060\132
+\060\201\256\061\013\060\011\006\003\125\004\006\023\002\103\101
+\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060
+\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061
+\032\060\030\006\003\125\004\012\023\021\124\162\141\144\145\162
+\105\156\147\151\156\145\040\111\156\143\056\061\051\060\047\006
+\003\125\004\013\023\040\103\145\162\164\151\146\151\143\141\164
+\151\157\156\040\101\165\164\150\157\162\151\164\171\040\104\151
+\166\151\163\151\157\156\061\025\060\023\006\003\125\004\003\023
+\014\164\162\141\144\145\162\145\156\147\151\156\145\061\042\060
+\040\006\011\052\206\110\206\367\015\001\011\001\026\023\143\141
+\100\164\162\141\144\145\162\145\156\147\151\156\145\056\143\157
+\155\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001
+\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001
+\001\000\317\045\371\100\117\271\110\337\263\200\331\365\277\174
+\351\364\171\217\342\024\016\131\157\026\270\105\110\265\225\117
+\365\273\177\306\076\115\170\227\165\223\043\313\375\052\247\027
+\152\207\160\275\350\377\276\053\320\146\271\345\242\207\236\054
+\012\142\004\023\226\236\104\054\147\320\347\257\020\101\343\175
+\304\322\007\265\105\336\112\322\075\314\043\131\311\220\276\341
+\212\216\155\323\021\376\053\312\003\365\254\055\365\025\062\135
+\245\127\222\163\044\234\365\004\341\064\200\241\030\210\114\263
+\200\212\271\240\274\344\077\371\216\136\201\321\275\144\231\017
+\140\364\170\166\010\073\272\057\127\147\251\124\122\273\203\272
+\176\164\056\020\241\342\024\022\130\276\030\137\314\312\017\074
+\165\137\352\232\057\222\311\267\044\331\022\317\135\257\015\207
+\156\377\021\065\120\356\101\065\021\247\346\307\261\062\012\242
+\041\033\356\145\300\220\062\334\174\007\120\034\000\142\354\343
+\212\346\163\346\120\374\151\011\253\361\042\256\277\055\336\070
+\177\122\124\336\160\207\166\001\226\263\106\301\064\255\220\104
+\225\057\002\003\001\000\001\243\020\060\016\060\014\006\003\125
+\035\023\004\005\060\003\001\001\377\060\015\006\011\052\206\110
+\206\367\015\001\001\005\005\000\003\202\001\001\000\026\070\360
+\024\205\227\167\307\321\020\210\122\134\273\021\123\061\337\152
+\153\030\034\256\040\263\046\303\072\017\336\254\140\151\050\367
+\024\336\056\025\377\226\275\133\226\045\130\043\220\045\272\232
+\013\134\007\114\314\141\311\220\350\032\116\052\312\215\005\353
+\027\331\362\230\067\124\130\247\267\116\154\006\241\276\164\327
+\251\320\224\176\352\104\253\306\073\170\144\153\112\316\031\022
+\266\123\375\211\117\376\020\247\310\207\374\061\142\351\314\214
+\270\375\052\362\176\270\110\011\061\145\162\363\122\341\120\136
+\247\373\123\364\215\217\066\375\134\224\004\040\007\143\247\267
+\230\167\164\033\342\060\354\015\305\364\026\262\214\027\126\225
+\257\107\102\016\164\273\152\156\326\115\163\330\010\061\235\112
+\103\340\020\161\055\055\202\030\037\171\131\247\233\012\165\126
+\175\302\136\005\321\143\105\221\025\221\122\276\300\134\370\360
+\347\113\213\231\103\146\050\047\174\045\222\314\030\015\123\104
+\324\223\213\265\075\021\312\326\267\103\244\061\151\273\341\075
+\226\126\160\040\066\300\357\331\152\326\260\147\343
+END
+
+# Trust for Certificate "TraderEngine CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "TraderEngine CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\226\137\006\006\205\177\333\000\352\163\325\301\271\274\232\264
+\350\273\231\263
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\165\061\224\331\224\242\361\006\237\230\167\323\037\336\157\372
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\256\061\013\060\011\006\003\125\004\006\023\002\103\101
+\061\013\060\011\006\003\125\004\010\023\002\117\116\061\020\060
+\016\006\003\125\004\007\023\007\124\157\162\157\156\164\157\061
+\032\060\030\006\003\125\004\012\023\021\124\162\141\144\145\162
+\105\156\147\151\156\145\040\111\156\143\056\061\051\060\047\006
+\003\125\004\013\023\040\103\145\162\164\151\146\151\143\141\164
+\151\157\156\040\101\165\164\150\157\162\151\164\171\040\104\151
+\166\151\163\151\157\156\061\025\060\023\006\003\125\004\003\023
+\014\164\162\141\144\145\162\145\156\147\151\156\145\061\042\060
+\040\006\011\052\206\110\206\367\015\001\011\001\026\023\143\141
+\100\164\162\141\144\145\162\145\156\147\151\156\145\056\143\157
+\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "USPS Root"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "USPS Root"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\146\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\045\060\043\006\003\125\004\012\023\034\125\156\151\164\145\144
+\040\123\164\141\164\145\163\040\120\157\163\164\141\154\040\123
+\145\162\166\151\143\145\061\031\060\027\006\003\125\004\013\023
+\020\167\167\167\056\165\163\160\163\056\143\157\155\057\103\120
+\123\061\025\060\023\006\003\125\004\003\023\014\125\123\120\123
+\040\122\157\157\164\040\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\146\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\045\060\043\006\003\125\004\012\023\034\125\156\151\164\145\144
+\040\123\164\141\164\145\163\040\120\157\163\164\141\154\040\123
+\145\162\166\151\143\145\061\031\060\027\006\003\125\004\013\023
+\020\167\167\167\056\165\163\160\163\056\143\157\155\057\103\120
+\123\061\025\060\023\006\003\125\004\003\023\014\125\123\120\123
+\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\047\204
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\132\060\202\002\303\240\003\002\001\002\002\002\047
+\204\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000
+\060\146\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\045\060\043\006\003\125\004\012\023\034\125\156\151\164\145\144
+\040\123\164\141\164\145\163\040\120\157\163\164\141\154\040\123
+\145\162\166\151\143\145\061\031\060\027\006\003\125\004\013\023
+\020\167\167\167\056\165\163\160\163\056\143\157\155\057\103\120
+\123\061\025\060\023\006\003\125\004\003\023\014\125\123\120\123
+\040\122\157\157\164\040\103\101\060\036\027\015\060\061\060\064
+\061\063\061\066\063\070\065\060\132\027\015\062\060\060\070\061
+\064\061\071\060\060\060\060\132\060\146\061\013\060\011\006\003
+\125\004\006\023\002\125\123\061\045\060\043\006\003\125\004\012
+\023\034\125\156\151\164\145\144\040\123\164\141\164\145\163\040
+\120\157\163\164\141\154\040\123\145\162\166\151\143\145\061\031
+\060\027\006\003\125\004\013\023\020\167\167\167\056\165\163\160
+\163\056\143\157\155\057\103\120\123\061\025\060\023\006\003\125
+\004\003\023\014\125\123\120\123\040\122\157\157\164\040\103\101
+\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001\001
+\005\000\003\201\215\000\060\201\211\002\201\201\000\267\251\045
+\254\143\332\260\222\317\224\066\260\004\377\026\156\166\004\133
+\365\306\074\237\306\271\102\046\125\373\223\161\205\021\145\311
+\141\047\210\304\136\233\376\052\170\112\122\152\105\237\250\373
+\221\264\343\046\135\365\103\024\046\271\336\074\155\054\146\365
+\123\175\336\344\126\127\262\242\171\365\341\264\332\152\367\044
+\345\263\050\376\236\167\226\342\016\307\005\003\314\351\121\366
+\226\374\021\300\226\055\163\065\377\130\163\137\362\110\065\345
+\104\113\320\176\325\000\036\204\155\330\045\330\321\002\003\001
+\000\001\243\202\001\025\060\202\001\021\060\154\006\003\125\035
+\040\004\145\060\143\060\013\006\011\140\206\110\001\206\371\155
+\146\001\060\013\006\011\140\206\110\001\206\371\155\146\002\060
+\013\006\011\140\206\110\001\206\371\155\146\003\060\013\006\011
+\140\206\110\001\206\371\155\146\004\060\013\006\011\140\206\110
+\001\206\371\155\146\005\060\013\006\011\140\206\110\001\206\371
+\155\146\006\060\013\006\011\140\206\110\001\206\371\155\146\007
+\060\006\006\004\125\035\040\000\060\035\006\003\125\035\016\004
+\026\004\024\323\316\202\164\363\057\113\211\140\162\244\136\021
+\277\137\165\003\242\002\253\060\037\006\003\125\035\043\004\030
+\060\026\200\024\323\316\202\164\363\057\113\211\140\162\244\136
+\021\277\137\165\003\242\002\253\060\035\006\003\125\035\022\004
+\026\060\024\201\022\162\157\157\164\061\060\060\060\061\100\165
+\163\160\163\056\143\157\155\060\041\006\003\125\035\021\004\032
+\060\030\201\026\143\141\141\144\155\151\156\100\145\155\141\151
+\154\056\165\163\160\163\056\143\157\155\060\016\006\003\125\035
+\017\001\001\377\004\004\003\002\001\306\060\017\006\003\125\035
+\023\001\001\377\004\005\060\003\001\001\377\060\015\006\011\052
+\206\110\206\367\015\001\001\005\005\000\003\201\201\000\065\061
+\212\231\336\052\270\273\344\157\330\351\320\215\337\101\136\110
+\047\217\146\205\026\022\263\107\023\353\001\011\176\076\370\125
+\065\065\205\012\117\263\350\202\247\257\255\227\135\206\116\327
+\267\255\254\217\240\240\124\113\245\117\364\165\007\273\057\056
+\031\033\036\216\355\155\113\325\115\203\310\166\227\127\206\366
+\044\102\005\365\262\354\026\357\274\354\275\346\220\154\217\222
+\263\033\031\147\046\072\257\245\307\036\362\364\165\116\151\331
+\273\373\017\154\134\072\310\335\255\216\012\227\035\217
+END
+
+# Trust for Certificate "USPS Root"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "USPS Root"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\154\041\132\224\112\235\120\245\027\015\202\313\324\371\325\072
+\341\237\030\145
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\274\055\035\316\370\036\035\175\021\044\152\231\160\130\175\031
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\146\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\045\060\043\006\003\125\004\012\023\034\125\156\151\164\145\144
+\040\123\164\141\164\145\163\040\120\157\163\164\141\154\040\123
+\145\162\166\151\143\145\061\031\060\027\006\003\125\004\013\023
+\020\167\167\167\056\165\163\160\163\056\143\157\155\057\103\120
+\123\061\025\060\023\006\003\125\004\003\023\014\125\123\120\123
+\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\047\204
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "USPS Production 1"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "USPS Production 1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\156\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\045\060\043\006\003\125\004\012\023\034\125\156\151\164\145\144
+\040\123\164\141\164\145\163\040\120\157\163\164\141\154\040\123
+\145\162\166\151\143\145\061\031\060\027\006\003\125\004\013\023
+\020\167\167\167\056\165\163\160\163\056\143\157\155\057\103\120
+\123\061\035\060\033\006\003\125\004\003\023\024\125\123\120\123
+\040\120\162\157\144\165\143\164\151\157\156\040\103\101\040\061
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\146\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\045\060\043\006\003\125\004\012\023\034\125\156\151\164\145\144
+\040\123\164\141\164\145\163\040\120\157\163\164\141\154\040\123
+\145\162\166\151\143\145\061\031\060\027\006\003\125\004\013\023
+\020\167\167\167\056\165\163\160\163\056\143\157\155\057\103\120
+\123\061\025\060\023\006\003\125\004\003\023\014\125\123\120\123
+\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\047\205
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\010\157\060\202\007\330\240\003\002\001\002\002\002\047
+\205\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000
+\060\146\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\045\060\043\006\003\125\004\012\023\034\125\156\151\164\145\144
+\040\123\164\141\164\145\163\040\120\157\163\164\141\154\040\123
+\145\162\166\151\143\145\061\031\060\027\006\003\125\004\013\023
+\020\167\167\167\056\165\163\160\163\056\143\157\155\057\103\120
+\123\061\025\060\023\006\003\125\004\003\023\014\125\123\120\123
+\040\122\157\157\164\040\103\101\060\036\027\015\060\061\060\064
+\061\063\061\066\065\066\065\064\132\027\015\062\060\060\070\061
+\064\061\067\060\060\064\060\132\060\156\061\013\060\011\006\003
+\125\004\006\023\002\125\123\061\045\060\043\006\003\125\004\012
+\023\034\125\156\151\164\145\144\040\123\164\141\164\145\163\040
+\120\157\163\164\141\154\040\123\145\162\166\151\143\145\061\031
+\060\027\006\003\125\004\013\023\020\167\167\167\056\165\163\160
+\163\056\143\157\155\057\103\120\123\061\035\060\033\006\003\125
+\004\003\023\024\125\123\120\123\040\120\162\157\144\165\143\164
+\151\157\156\040\103\101\040\061\060\201\237\060\015\006\011\052
+\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060\201
+\211\002\201\201\000\306\326\271\357\262\123\070\312\322\167\014
+\154\066\050\060\302\320\050\002\170\161\116\015\211\102\307\131
+\047\263\220\010\047\324\227\132\036\266\170\104\100\153\164\306
+\215\253\121\213\350\246\355\121\246\326\165\027\354\172\124\136
+\126\203\347\360\155\304\111\364\027\275\006\013\022\306\125\357
+\351\250\341\050\057\240\103\217\165\364\377\331\334\175\376\252
+\324\170\363\234\223\305\231\332\142\106\233\365\166\044\124\011
+\012\051\353\024\105\102\013\377\015\166\003\037\247\145\210\242
+\244\177\157\320\117\002\003\001\000\001\243\202\006\042\060\202
+\006\036\060\202\005\167\006\003\125\035\040\004\202\005\156\060
+\202\005\152\060\201\303\006\011\140\206\110\001\206\371\155\146
+\001\060\201\265\060\043\006\010\053\006\001\005\005\007\002\001
+\026\027\150\164\164\160\072\057\057\167\167\167\056\165\163\160
+\163\056\143\157\155\057\103\120\123\060\201\215\006\010\053\006
+\001\005\005\007\002\002\060\201\200\032\176\123\145\145\040\125
+\123\120\123\040\103\120\123\040\141\164\040\150\164\164\160\072
+\057\057\167\167\167\056\165\163\160\163\056\143\157\155\057\103
+\120\123\056\040\124\150\151\163\040\143\145\162\164\151\146\151
+\143\141\164\145\040\151\163\040\164\157\040\142\145\040\165\163
+\145\144\040\157\156\154\171\040\151\156\040\141\143\143\157\162
+\144\141\156\143\145\040\167\151\164\150\040\125\123\120\123\040
+\162\145\147\165\154\141\164\151\157\156\163\040\141\156\144\040
+\160\157\154\151\143\151\145\163\056\060\201\303\006\011\140\206
+\110\001\206\371\155\146\002\060\201\265\060\043\006\010\053\006
+\001\005\005\007\002\001\026\027\150\164\164\160\072\057\057\167
+\167\167\056\165\163\160\163\056\143\157\155\057\103\120\123\060
+\201\215\006\010\053\006\001\005\005\007\002\002\060\201\200\032
+\176\123\145\145\040\125\123\120\123\040\103\120\123\040\141\164
+\040\150\164\164\160\072\057\057\167\167\167\056\165\163\160\163
+\056\143\157\155\057\103\120\123\056\040\124\150\151\163\040\143
+\145\162\164\151\146\151\143\141\164\145\040\151\163\040\164\157
+\040\142\145\040\165\163\145\144\040\157\156\154\171\040\151\156
+\040\141\143\143\157\162\144\141\156\143\145\040\167\151\164\150
+\040\125\123\120\123\040\162\145\147\165\154\141\164\151\157\156
+\163\040\141\156\144\040\160\157\154\151\143\151\145\163\056\060
+\201\303\006\011\140\206\110\001\206\371\155\146\003\060\201\265
+\060\043\006\010\053\006\001\005\005\007\002\001\026\027\150\164
+\164\160\072\057\057\167\167\167\056\165\163\160\163\056\143\157
+\155\057\103\120\123\060\201\215\006\010\053\006\001\005\005\007
+\002\002\060\201\200\032\176\123\145\145\040\125\123\120\123\040
+\103\120\123\040\141\164\040\150\164\164\160\072\057\057\167\167
+\167\056\165\163\160\163\056\143\157\155\057\103\120\123\056\040
+\124\150\151\163\040\143\145\162\164\151\146\151\143\141\164\145
+\040\151\163\040\164\157\040\142\145\040\165\163\145\144\040\157
+\156\154\171\040\151\156\040\141\143\143\157\162\144\141\156\143
+\145\040\167\151\164\150\040\125\123\120\123\040\162\145\147\165
+\154\141\164\151\157\156\163\040\141\156\144\040\160\157\154\151
+\143\151\145\163\056\060\201\303\006\011\140\206\110\001\206\371
+\155\146\004\060\201\265\060\043\006\010\053\006\001\005\005\007
+\002\001\026\027\150\164\164\160\072\057\057\167\167\167\056\165
+\163\160\163\056\143\157\155\057\103\120\123\060\201\215\006\010
+\053\006\001\005\005\007\002\002\060\201\200\032\176\123\145\145
+\040\125\123\120\123\040\103\120\123\040\141\164\040\150\164\164
+\160\072\057\057\167\167\167\056\165\163\160\163\056\143\157\155
+\057\103\120\123\056\040\124\150\151\163\040\143\145\162\164\151
+\146\151\143\141\164\145\040\151\163\040\164\157\040\142\145\040
+\165\163\145\144\040\157\156\154\171\040\151\156\040\141\143\143
+\157\162\144\141\156\143\145\040\167\151\164\150\040\125\123\120
+\123\040\162\145\147\165\154\141\164\151\157\156\163\040\141\156
+\144\040\160\157\154\151\143\151\145\163\056\060\201\303\006\011
+\140\206\110\001\206\371\155\146\005\060\201\265\060\043\006\010
+\053\006\001\005\005\007\002\001\026\027\150\164\164\160\072\057
+\057\167\167\167\056\165\163\160\163\056\143\157\155\057\103\120
+\123\060\201\215\006\010\053\006\001\005\005\007\002\002\060\201
+\200\032\176\123\145\145\040\125\123\120\123\040\103\120\123\040
+\141\164\040\150\164\164\160\072\057\057\167\167\167\056\165\163
+\160\163\056\143\157\155\057\103\120\123\056\040\124\150\151\163
+\040\143\145\162\164\151\146\151\143\141\164\145\040\151\163\040
+\164\157\040\142\145\040\165\163\145\144\040\157\156\154\171\040
+\151\156\040\141\143\143\157\162\144\141\156\143\145\040\167\151
+\164\150\040\125\123\120\123\040\162\145\147\165\154\141\164\151
+\157\156\163\040\141\156\144\040\160\157\154\151\143\151\145\163
+\056\060\201\303\006\011\140\206\110\001\206\371\155\146\006\060
+\201\265\060\043\006\010\053\006\001\005\005\007\002\001\026\027
+\150\164\164\160\072\057\057\167\167\167\056\165\163\160\163\056
+\143\157\155\057\103\120\123\060\201\215\006\010\053\006\001\005
+\005\007\002\002\060\201\200\032\176\123\145\145\040\125\123\120
+\123\040\103\120\123\040\141\164\040\150\164\164\160\072\057\057
+\167\167\167\056\165\163\160\163\056\143\157\155\057\103\120\123
+\056\040\124\150\151\163\040\143\145\162\164\151\146\151\143\141
+\164\145\040\151\163\040\164\157\040\142\145\040\165\163\145\144
+\040\157\156\154\171\040\151\156\040\141\143\143\157\162\144\141
+\156\143\145\040\167\151\164\150\040\125\123\120\123\040\162\145
+\147\165\154\141\164\151\157\156\163\040\141\156\144\040\160\157
+\154\151\143\151\145\163\056\060\201\303\006\011\140\206\110\001
+\206\371\155\146\007\060\201\265\060\043\006\010\053\006\001\005
+\005\007\002\001\026\027\150\164\164\160\072\057\057\167\167\167
+\056\165\163\160\163\056\143\157\155\057\103\120\123\060\201\215
+\006\010\053\006\001\005\005\007\002\002\060\201\200\032\176\123
+\145\145\040\125\123\120\123\040\103\120\123\040\141\164\040\150
+\164\164\160\072\057\057\167\167\167\056\165\163\160\163\056\143
+\157\155\057\103\120\123\056\040\124\150\151\163\040\143\145\162
+\164\151\146\151\143\141\164\145\040\151\163\040\164\157\040\142
+\145\040\165\163\145\144\040\157\156\154\171\040\151\156\040\141
+\143\143\157\162\144\141\156\143\145\040\167\151\164\150\040\125
+\123\120\123\040\162\145\147\165\154\141\164\151\157\156\163\040
+\141\156\144\040\160\157\154\151\143\151\145\163\056\060\035\006
+\003\125\035\016\004\026\004\024\045\345\240\357\055\162\117\155
+\225\037\067\037\040\326\303\001\104\003\307\320\060\037\006\003
+\125\035\043\004\030\060\026\200\024\323\316\202\164\363\057\113
+\211\140\162\244\136\021\277\137\165\003\242\002\253\060\035\006
+\003\125\035\022\004\026\060\024\201\022\162\157\157\164\061\060
+\060\060\061\100\165\163\160\163\056\143\157\155\060\041\006\003
+\125\035\021\004\032\060\030\201\026\143\141\141\144\155\151\156
+\100\145\155\141\151\154\056\165\163\160\163\056\143\157\155\060
+\016\006\003\125\035\017\001\001\377\004\004\003\002\001\306\060
+\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377
+\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003
+\201\201\000\140\277\111\155\062\312\204\333\360\226\100\310\254
+\130\351\111\351\233\034\162\136\305\006\243\075\064\303\034\256
+\015\325\164\031\336\230\327\175\001\075\345\110\230\100\177\275
+\042\257\134\172\366\353\142\076\253\274\275\217\142\130\313\202
+\072\324\304\100\347\213\270\017\020\120\017\054\070\043\071\224
+\345\040\307\324\270\371\341\121\102\104\224\154\143\136\343\176
+\136\142\336\357\075\106\264\074\133\250\233\016\172\236\035\126
+\355\274\005\264\305\361\131\011\257\157\111\205\131\333\072\021
+\145\315\351
+END
+
+# Trust for Certificate "USPS Production 1"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "USPS Production 1"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\246\153\351\054\171\064\177\363\201\000\013\373\142\054\337\247
+\121\331\153\123
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\076\000\040\236\051\317\232\170\303\150\117\206\366\173\341\106
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\146\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\045\060\043\006\003\125\004\012\023\034\125\156\151\164\145\144
+\040\123\164\141\164\145\163\040\120\157\163\164\141\154\040\123
+\145\162\166\151\143\145\061\031\060\027\006\003\125\004\013\023
+\020\167\167\167\056\165\163\160\163\056\143\157\155\057\103\120
+\123\061\025\060\023\006\003\125\004\003\023\014\125\123\120\123
+\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\047\205
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_VALID_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID_DELEGATOR
+
+#
+# Certificate "AddTrust Non-Validated Services Root"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "AddTrust Non-Validated Services Root"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\145\061\013\060\011\006\003\125\004\006\023\002\123\105\061
+\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
+\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
+\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
+\167\157\162\153\061\041\060\037\006\003\125\004\003\023\030\101
+\144\144\124\162\165\163\164\040\103\154\141\163\163\040\061\040
+\103\101\040\122\157\157\164
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\145\061\013\060\011\006\003\125\004\006\023\002\123\105\061
+\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
+\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
+\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
+\167\157\162\153\061\041\060\037\006\003\125\004\003\023\030\101
+\144\144\124\162\165\163\164\040\103\154\141\163\163\040\061\040
+\103\101\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\030\060\202\003\000\240\003\002\001\002\002\001\001
+\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+\145\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024
+\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163
+\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101
+\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167
+\157\162\153\061\041\060\037\006\003\125\004\003\023\030\101\144
+\144\124\162\165\163\164\040\103\154\141\163\163\040\061\040\103
+\101\040\122\157\157\164\060\036\027\015\060\060\060\065\063\060
+\061\060\063\070\063\061\132\027\015\062\060\060\065\063\060\061
+\060\063\070\063\061\132\060\145\061\013\060\011\006\003\125\004
+\006\023\002\123\105\061\024\060\022\006\003\125\004\012\023\013
+\101\144\144\124\162\165\163\164\040\101\102\061\035\060\033\006
+\003\125\004\013\023\024\101\144\144\124\162\165\163\164\040\124
+\124\120\040\116\145\164\167\157\162\153\061\041\060\037\006\003
+\125\004\003\023\030\101\144\144\124\162\165\163\164\040\103\154
+\141\163\163\040\061\040\103\101\040\122\157\157\164\060\202\001
+\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000
+\003\202\001\017\000\060\202\001\012\002\202\001\001\000\226\226
+\324\041\111\140\342\153\350\101\007\014\336\304\340\334\023\043
+\315\301\065\307\373\326\116\021\012\147\136\365\006\133\153\245
+\010\073\133\051\026\072\347\207\262\064\006\305\274\005\245\003
+\174\202\313\051\020\256\341\210\201\275\326\236\323\376\055\126
+\301\025\316\343\046\235\025\056\020\373\006\217\060\004\336\247
+\264\143\264\377\261\234\256\074\257\167\266\126\305\265\253\242
+\351\151\072\075\016\063\171\062\077\160\202\222\231\141\155\215
+\060\010\217\161\077\246\110\127\031\370\045\334\113\146\134\245
+\164\217\230\256\310\371\300\006\042\347\254\163\337\245\056\373
+\122\334\261\025\145\040\372\065\146\151\336\337\054\361\156\274
+\060\333\054\044\022\333\353\065\065\150\220\313\000\260\227\041
+\075\164\041\043\145\064\053\273\170\131\243\326\341\166\071\232
+\244\111\216\214\164\257\156\244\232\243\331\233\322\070\134\233
+\242\030\314\165\043\204\276\353\342\115\063\161\216\032\360\302
+\370\307\035\242\255\003\227\054\370\317\045\306\366\270\044\061
+\261\143\135\222\177\143\360\045\311\123\056\037\277\115\002\003
+\001\000\001\243\201\322\060\201\317\060\035\006\003\125\035\016
+\004\026\004\024\225\261\264\360\224\266\275\307\332\321\021\011
+\041\276\301\257\111\375\020\173\060\013\006\003\125\035\017\004
+\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377\004
+\005\060\003\001\001\377\060\201\217\006\003\125\035\043\004\201
+\207\060\201\204\200\024\225\261\264\360\224\266\275\307\332\321
+\021\011\041\276\301\257\111\375\020\173\241\151\244\147\060\145
+\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024\060
+\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163\164
+\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101\144
+\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167\157
+\162\153\061\041\060\037\006\003\125\004\003\023\030\101\144\144
+\124\162\165\163\164\040\103\154\141\163\163\040\061\040\103\101
+\040\122\157\157\164\202\001\001\060\015\006\011\052\206\110\206
+\367\015\001\001\005\005\000\003\202\001\001\000\054\155\144\033
+\037\315\015\335\271\001\372\226\143\064\062\110\107\231\256\227
+\355\375\162\026\246\163\107\132\364\353\335\351\365\326\373\105
+\314\051\211\104\135\277\106\071\075\350\356\274\115\124\206\036
+\035\154\343\027\047\103\341\211\126\053\251\157\162\116\111\063
+\343\162\174\052\043\232\274\076\377\050\052\355\243\377\034\043
+\272\103\127\011\147\115\113\142\006\055\370\377\154\235\140\036
+\330\034\113\175\265\061\057\331\320\174\135\370\336\153\203\030
+\170\067\127\057\350\063\007\147\337\036\307\153\052\225\166\256
+\217\127\243\360\364\122\264\251\123\010\317\340\117\323\172\123
+\213\375\273\034\126\066\362\376\262\266\345\166\273\325\042\145
+\247\077\376\321\146\255\013\274\153\231\206\357\077\175\363\030
+\062\312\173\306\343\253\144\106\225\370\046\151\331\125\203\173
+\054\226\007\377\131\054\104\243\306\345\351\251\334\241\143\200
+\132\041\136\041\317\123\124\360\272\157\211\333\250\252\225\317
+\213\343\161\314\036\033\040\104\010\300\172\266\100\375\304\344
+\065\341\035\026\034\320\274\053\216\326\161\331
+END
+
+# Trust for Certificate "AddTrust Non-Validated Services Root"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "AddTrust Non-Validated Services Root"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\314\253\016\240\114\043\001\326\151\173\335\067\237\315\022\353
+\044\343\224\235
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\036\102\225\002\063\222\153\271\137\300\177\332\326\262\113\374
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\145\061\013\060\011\006\003\125\004\006\023\002\123\105\061
+\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
+\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
+\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
+\167\157\162\153\061\041\060\037\006\003\125\004\003\023\030\101
+\144\144\124\162\165\163\164\040\103\154\141\163\163\040\061\040
+\103\101\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_VALID
+
+#
+# Certificate "AddTrust External Root"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "AddTrust External Root"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061
+\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
+\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035
+\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141
+\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060
+\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164
+\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157
+\164
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061
+\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
+\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035
+\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141
+\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060
+\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164
+\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157
+\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\066\060\202\003\036\240\003\002\001\002\002\001\001
+\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024
+\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163
+\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035\101
+\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141\154
+\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060\040
+\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164\040
+\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157\164
+\060\036\027\015\060\060\060\065\063\060\061\060\064\070\063\070
+\132\027\015\062\060\060\065\063\060\061\060\064\070\063\070\132
+\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061
+\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
+\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035
+\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141
+\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060
+\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164
+\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157
+\164\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001
+\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001
+\001\000\267\367\032\063\346\362\000\004\055\071\340\116\133\355
+\037\274\154\017\315\265\372\043\266\316\336\233\021\063\227\244
+\051\114\175\223\237\275\112\274\223\355\003\032\343\217\317\345
+\155\120\132\326\227\051\224\132\200\260\111\172\333\056\225\375
+\270\312\277\067\070\055\036\076\221\101\255\160\126\307\360\117
+\077\350\062\236\164\312\310\220\124\351\306\137\017\170\235\232
+\100\074\016\254\141\252\136\024\217\236\207\241\152\120\334\327
+\232\116\257\005\263\246\161\224\234\161\263\120\140\012\307\023
+\235\070\007\206\002\250\351\250\151\046\030\220\253\114\260\117
+\043\253\072\117\204\330\337\316\237\341\151\157\273\327\102\327
+\153\104\344\307\255\356\155\101\137\162\132\161\010\067\263\171
+\145\244\131\240\224\067\367\000\057\015\302\222\162\332\320\070
+\162\333\024\250\105\304\135\052\175\267\264\326\304\356\254\315
+\023\104\267\311\053\335\103\000\045\372\141\271\151\152\130\043
+\021\267\247\063\217\126\165\131\365\315\051\327\106\267\012\053
+\145\266\323\102\157\025\262\270\173\373\357\351\135\123\325\064
+\132\047\002\003\001\000\001\243\201\334\060\201\331\060\035\006
+\003\125\035\016\004\026\004\024\255\275\230\172\064\264\046\367
+\372\304\046\124\357\003\275\340\044\313\124\032\060\013\006\003
+\125\035\017\004\004\003\002\001\006\060\017\006\003\125\035\023
+\001\001\377\004\005\060\003\001\001\377\060\201\231\006\003\125
+\035\043\004\201\221\060\201\216\200\024\255\275\230\172\064\264
+\046\367\372\304\046\124\357\003\275\340\044\313\124\032\241\163
+\244\161\060\157\061\013\060\011\006\003\125\004\006\023\002\123
+\105\061\024\060\022\006\003\125\004\012\023\013\101\144\144\124
+\162\165\163\164\040\101\102\061\046\060\044\006\003\125\004\013
+\023\035\101\144\144\124\162\165\163\164\040\105\170\164\145\162
+\156\141\154\040\124\124\120\040\116\145\164\167\157\162\153\061
+\042\060\040\006\003\125\004\003\023\031\101\144\144\124\162\165
+\163\164\040\105\170\164\145\162\156\141\154\040\103\101\040\122
+\157\157\164\202\001\001\060\015\006\011\052\206\110\206\367\015
+\001\001\005\005\000\003\202\001\001\000\260\233\340\205\045\302
+\326\043\342\017\226\006\222\235\101\230\234\331\204\171\201\331
+\036\133\024\007\043\066\145\217\260\330\167\273\254\101\154\107
+\140\203\121\260\371\062\075\347\374\366\046\023\307\200\026\245
+\277\132\374\207\317\170\171\211\041\232\342\114\007\012\206\065
+\274\362\336\121\304\322\226\267\334\176\116\356\160\375\034\071
+\353\014\002\121\024\055\216\275\026\340\301\337\106\165\347\044
+\255\354\364\102\264\205\223\160\020\147\272\235\006\065\112\030
+\323\053\172\314\121\102\241\172\143\321\346\273\241\305\053\302
+\066\276\023\015\346\275\143\176\171\173\247\011\015\100\253\152
+\335\217\212\303\366\366\214\032\102\005\121\324\105\365\237\247
+\142\041\150\025\040\103\074\231\347\174\275\044\330\251\221\027
+\163\210\077\126\033\061\070\030\264\161\017\232\315\310\016\236
+\216\056\033\341\214\230\203\313\037\061\361\104\114\306\004\163
+\111\166\140\017\307\370\275\027\200\153\056\351\314\114\016\132
+\232\171\017\040\012\056\325\236\143\046\036\125\222\224\330\202
+\027\132\173\320\274\307\217\116\206\004
+END
+
+# Trust for Certificate "AddTrust External Root"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "AddTrust External Root"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\002\372\363\342\221\103\124\150\140\170\127\151\115\365\344\133
+\150\205\030\150
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\035\065\124\004\205\170\260\077\102\102\115\277\040\163\012\077
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061
+\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
+\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035
+\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141
+\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060
+\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164
+\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157
+\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "AddTrust Public Services Root"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "AddTrust Public Services Root"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061
+\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
+\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
+\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
+\167\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101
+\144\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103
+\101\040\122\157\157\164
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061
+\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
+\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
+\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
+\167\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101
+\144\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103
+\101\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\025\060\202\002\375\240\003\002\001\002\002\001\001
+\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024
+\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163
+\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101
+\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167
+\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101\144
+\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103\101
+\040\122\157\157\164\060\036\027\015\060\060\060\065\063\060\061
+\060\064\061\065\060\132\027\015\062\060\060\065\063\060\061\060
+\064\061\065\060\132\060\144\061\013\060\011\006\003\125\004\006
+\023\002\123\105\061\024\060\022\006\003\125\004\012\023\013\101
+\144\144\124\162\165\163\164\040\101\102\061\035\060\033\006\003
+\125\004\013\023\024\101\144\144\124\162\165\163\164\040\124\124
+\120\040\116\145\164\167\157\162\153\061\040\060\036\006\003\125
+\004\003\023\027\101\144\144\124\162\165\163\164\040\120\165\142
+\154\151\143\040\103\101\040\122\157\157\164\060\202\001\042\060
+\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202
+\001\017\000\060\202\001\012\002\202\001\001\000\351\032\060\217
+\203\210\024\301\040\330\074\233\217\033\176\003\164\273\332\151
+\323\106\245\370\216\302\014\021\220\121\245\057\146\124\100\125
+\352\333\037\112\126\356\237\043\156\364\071\313\241\271\157\362
+\176\371\135\207\046\141\236\034\370\342\354\246\201\370\041\305
+\044\314\021\014\077\333\046\162\172\307\001\227\007\027\371\327
+\030\054\060\175\016\172\036\142\036\306\113\300\375\175\142\167
+\323\104\036\047\366\077\113\104\263\267\070\331\071\037\140\325
+\121\222\163\003\264\000\151\343\363\024\116\356\321\334\011\317
+\167\064\106\120\260\370\021\362\376\070\171\367\007\071\376\121
+\222\227\013\133\010\137\064\206\001\255\210\227\353\146\315\136
+\321\377\334\175\362\204\332\272\167\255\334\200\010\307\247\207
+\326\125\237\227\152\350\310\021\144\272\347\031\051\077\021\263
+\170\220\204\040\122\133\021\357\170\320\203\366\325\110\220\320
+\060\034\317\200\371\140\376\171\344\210\362\335\000\353\224\105
+\353\145\224\151\100\272\300\325\264\270\272\175\004\021\250\353
+\061\005\226\224\116\130\041\216\237\320\140\375\002\003\001\000
+\001\243\201\321\060\201\316\060\035\006\003\125\035\016\004\026
+\004\024\201\076\067\330\222\260\037\167\237\134\264\253\163\252
+\347\366\064\140\057\372\060\013\006\003\125\035\017\004\004\003
+\002\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060
+\003\001\001\377\060\201\216\006\003\125\035\043\004\201\206\060
+\201\203\200\024\201\076\067\330\222\260\037\167\237\134\264\253
+\163\252\347\366\064\140\057\372\241\150\244\146\060\144\061\013
+\060\011\006\003\125\004\006\023\002\123\105\061\024\060\022\006
+\003\125\004\012\023\013\101\144\144\124\162\165\163\164\040\101
+\102\061\035\060\033\006\003\125\004\013\023\024\101\144\144\124
+\162\165\163\164\040\124\124\120\040\116\145\164\167\157\162\153
+\061\040\060\036\006\003\125\004\003\023\027\101\144\144\124\162
+\165\163\164\040\120\165\142\154\151\143\040\103\101\040\122\157
+\157\164\202\001\001\060\015\006\011\052\206\110\206\367\015\001
+\001\005\005\000\003\202\001\001\000\003\367\025\112\370\044\332
+\043\126\026\223\166\335\066\050\271\256\033\270\303\361\144\272
+\040\030\170\225\051\047\127\005\274\174\052\364\271\121\125\332
+\207\002\336\017\026\027\061\370\252\171\056\011\023\273\257\262
+\040\031\022\345\223\371\113\371\203\350\104\325\262\101\045\277
+\210\165\157\377\020\374\112\124\320\137\360\372\357\066\163\175
+\033\066\105\306\041\155\264\025\270\116\317\234\134\245\075\132
+\000\216\006\343\074\153\062\173\362\237\360\266\375\337\360\050
+\030\110\360\306\274\320\277\064\200\226\302\112\261\155\216\307
+\220\105\336\057\147\254\105\004\243\172\334\125\222\311\107\146
+\330\032\214\307\355\234\116\232\340\022\273\265\152\114\204\341
+\341\042\015\207\000\144\376\214\175\142\071\145\246\357\102\266
+\200\045\022\141\001\250\044\023\160\000\021\046\137\372\065\120
+\305\110\314\006\107\350\047\330\160\215\137\144\346\241\104\046
+\136\042\354\222\315\377\102\232\104\041\155\134\305\343\042\035
+\137\107\022\347\316\137\135\372\330\252\261\063\055\331\166\362
+\116\072\063\014\053\263\055\220\006
+END
+
+# Trust for Certificate "AddTrust Public Services Root"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "AddTrust Public Services Root"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\052\266\050\110\136\170\373\363\255\236\171\020\335\153\337\231
+\162\054\226\345
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\301\142\076\043\305\202\163\234\003\131\113\053\351\167\111\177
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\157\061\013\060\011\006\003\125\004\006\023\002\123\105\061
+\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
+\163\164\040\101\102\061\046\060\044\006\003\125\004\013\023\035
+\101\144\144\124\162\165\163\164\040\105\170\164\145\162\156\141
+\154\040\124\124\120\040\116\145\164\167\157\162\153\061\042\060
+\040\006\003\125\004\003\023\031\101\144\144\124\162\165\163\164
+\040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157
+\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "AddTrust Qualified Certificates Root"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "AddTrust Qualified Certificates Root"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061
+\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
+\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
+\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
+\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101
+\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145
+\144\040\103\101\040\122\157\157\164
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061
+\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
+\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
+\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
+\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101
+\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145
+\144\040\103\101\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\036\060\202\003\006\240\003\002\001\002\002\001\001
+\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024
+\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163
+\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101
+\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167
+\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101\144
+\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145\144
+\040\103\101\040\122\157\157\164\060\036\027\015\060\060\060\065
+\063\060\061\060\064\064\065\060\132\027\015\062\060\060\065\063
+\060\061\060\064\064\065\060\132\060\147\061\013\060\011\006\003
+\125\004\006\023\002\123\105\061\024\060\022\006\003\125\004\012
+\023\013\101\144\144\124\162\165\163\164\040\101\102\061\035\060
+\033\006\003\125\004\013\023\024\101\144\144\124\162\165\163\164
+\040\124\124\120\040\116\145\164\167\157\162\153\061\043\060\041
+\006\003\125\004\003\023\032\101\144\144\124\162\165\163\164\040
+\121\165\141\154\151\146\151\145\144\040\103\101\040\122\157\157
+\164\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001
+\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001
+\001\000\344\036\232\376\334\011\132\207\244\237\107\276\021\137
+\257\204\064\333\142\074\171\170\267\351\060\265\354\014\034\052
+\304\026\377\340\354\161\353\212\365\021\156\355\117\015\221\322
+\022\030\055\111\025\001\302\244\042\023\307\021\144\377\042\022
+\232\271\216\134\057\010\317\161\152\263\147\001\131\361\135\106
+\363\260\170\245\366\016\102\172\343\177\033\314\320\360\267\050
+\375\052\352\236\263\260\271\004\252\375\366\307\264\261\270\052
+\240\373\130\361\031\240\157\160\045\176\076\151\112\177\017\042
+\330\357\255\010\021\232\051\231\341\252\104\105\232\022\136\076
+\235\155\122\374\347\240\075\150\057\360\113\160\174\023\070\255
+\274\025\045\361\326\316\253\242\300\061\326\057\237\340\377\024
+\131\374\204\223\331\207\174\114\124\023\353\237\321\055\021\370
+\030\072\072\336\045\331\367\323\100\355\244\006\022\304\073\341
+\221\301\126\065\360\024\334\145\066\011\156\253\244\007\307\065
+\321\302\003\063\066\133\165\046\155\102\361\022\153\103\157\113
+\161\224\372\064\035\355\023\156\312\200\177\230\057\154\271\145
+\330\351\002\003\001\000\001\243\201\324\060\201\321\060\035\006
+\003\125\035\016\004\026\004\024\071\225\213\142\213\134\311\324
+\200\272\130\017\227\077\025\010\103\314\230\247\060\013\006\003
+\125\035\017\004\004\003\002\001\006\060\017\006\003\125\035\023
+\001\001\377\004\005\060\003\001\001\377\060\201\221\006\003\125
+\035\043\004\201\211\060\201\206\200\024\071\225\213\142\213\134
+\311\324\200\272\130\017\227\077\025\010\103\314\230\247\241\153
+\244\151\060\147\061\013\060\011\006\003\125\004\006\023\002\123
+\105\061\024\060\022\006\003\125\004\012\023\013\101\144\144\124
+\162\165\163\164\040\101\102\061\035\060\033\006\003\125\004\013
+\023\024\101\144\144\124\162\165\163\164\040\124\124\120\040\116
+\145\164\167\157\162\153\061\043\060\041\006\003\125\004\003\023
+\032\101\144\144\124\162\165\163\164\040\121\165\141\154\151\146
+\151\145\144\040\103\101\040\122\157\157\164\202\001\001\060\015
+\006\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001
+\001\000\031\253\165\352\370\213\145\141\225\023\272\151\004\357
+\206\312\023\240\307\252\117\144\033\077\030\366\250\055\054\125
+\217\005\267\060\352\102\152\035\300\045\121\055\247\277\014\263
+\355\357\010\177\154\074\106\032\352\030\103\337\166\314\371\146
+\206\234\054\150\365\351\027\370\061\263\030\304\326\110\175\043
+\114\150\301\176\273\001\024\157\305\331\156\336\273\004\102\152
+\370\366\134\175\345\332\372\207\353\015\065\122\147\320\236\227
+\166\005\223\077\225\307\001\346\151\125\070\177\020\141\231\311
+\343\137\246\312\076\202\143\110\252\342\010\110\076\252\362\262
+\205\142\246\264\247\331\275\067\234\150\265\055\126\175\260\267
+\077\240\261\007\326\351\117\334\336\105\161\060\062\177\033\056
+\011\371\277\122\241\356\302\200\076\006\134\056\125\100\301\033
+\365\160\105\260\334\135\372\366\162\132\167\322\143\315\317\130
+\211\000\102\143\077\171\071\320\104\260\202\156\101\031\350\335
+\340\301\210\132\321\036\161\223\037\044\060\164\345\036\250\336
+\074\047\067\177\203\256\236\167\317\360\060\261\377\113\231\350
+\306\241
+END
+
+# Trust for Certificate "AddTrust Qualified Certificates Root"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "AddTrust Qualified Certificates Root"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\115\043\170\354\221\225\071\265\000\177\165\217\003\073\041\036
+\305\115\213\317
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\047\354\071\107\315\332\132\257\342\232\001\145\041\251\114\273
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061
+\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
+\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
+\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
+\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101
+\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145
+\144\040\103\101\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Verisign Class 1 Public Primary OCSP Responder"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 1 Public Primary OCSP Responder"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035
+\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040
+\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060
+\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146
+\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057
+\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155
+\057\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003
+\125\004\003\023\045\103\154\141\163\163\040\061\040\120\165\142
+\154\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120
+\040\122\145\163\160\157\156\144\145\162
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
+\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
+\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151
+\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\053\150\324\243\106\236\305\073\050\011\253\070\135\177\047\040
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\236\060\202\003\007\240\003\002\001\002\002\020\053
+\150\324\243\106\236\305\073\050\011\253\070\135\177\047\040\060
+\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\137
+\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060
+\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156
+\054\040\111\156\143\056\061\067\060\065\006\003\125\004\013\023
+\056\103\154\141\163\163\040\061\040\120\165\142\154\151\143\040
+\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143
+\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060
+\036\027\015\060\060\060\070\060\064\060\060\060\060\060\060\132
+\027\015\060\064\060\070\060\063\062\063\065\071\065\071\132\060
+\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145\162
+\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035\006
+\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040\124
+\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060\071
+\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146\040
+\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057\167
+\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155\057
+\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003\125
+\004\003\023\045\103\154\141\163\163\040\061\040\120\165\142\154
+\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120\040
+\122\145\163\160\157\156\144\145\162\060\201\237\060\015\006\011
+\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060
+\201\211\002\201\201\000\271\355\136\172\072\167\137\316\137\072
+\122\374\315\144\367\161\265\157\152\226\306\131\222\125\224\135
+\057\133\056\301\021\352\046\212\313\247\201\074\366\132\104\336
+\172\023\057\375\132\121\331\173\067\046\112\300\047\077\004\003
+\152\126\301\203\054\341\157\133\251\124\120\044\112\306\056\172
+\114\241\133\067\124\044\041\061\037\241\170\030\166\247\261\160
+\332\042\320\152\376\007\142\100\306\367\366\233\175\014\006\270
+\113\307\050\344\146\043\204\121\357\106\267\223\330\201\063\313
+\345\066\254\306\350\005\002\003\001\000\001\243\202\001\020\060
+\202\001\014\060\040\006\003\125\035\021\004\031\060\027\244\025
+\060\023\061\021\060\017\006\003\125\004\003\023\010\117\103\123
+\120\040\061\055\061\060\061\006\003\125\035\037\004\052\060\050
+\060\046\240\044\240\042\206\040\150\164\164\160\072\057\057\143
+\162\154\056\166\145\162\151\163\151\147\156\056\143\157\155\057
+\160\143\141\061\056\143\162\154\060\023\006\003\125\035\045\004
+\014\060\012\006\010\053\006\001\005\005\007\003\011\060\102\006
+\010\053\006\001\005\005\007\001\001\004\066\060\064\060\062\006
+\010\053\006\001\005\005\007\060\001\246\046\026\044\150\164\164
+\160\072\057\057\157\143\163\160\056\166\145\162\151\163\151\147
+\156\056\143\157\155\057\157\143\163\160\057\163\164\141\164\165
+\163\060\104\006\003\125\035\040\004\075\060\073\060\071\006\013
+\140\206\110\001\206\370\105\001\007\001\001\060\052\060\050\006
+\010\053\006\001\005\005\007\002\001\026\034\150\164\164\160\163
+\072\057\057\167\167\167\056\166\145\162\151\163\151\147\156\056
+\143\157\155\057\122\120\101\060\011\006\003\125\035\023\004\002
+\060\000\060\013\006\003\125\035\017\004\004\003\002\007\200\060
+\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003\201
+\201\000\160\220\335\270\344\276\123\027\174\177\002\351\325\367
+\213\231\223\061\140\215\176\346\140\153\044\357\140\254\322\316
+\221\336\200\155\011\244\323\270\070\345\104\312\162\136\015\055
+\301\167\234\275\054\003\170\051\215\244\245\167\207\365\361\053
+\046\255\314\007\154\072\124\132\050\340\011\363\115\012\004\312
+\324\130\151\013\247\263\365\335\001\245\347\334\360\037\272\301
+\135\220\215\263\352\117\301\021\131\227\152\262\053\023\261\332
+\255\227\241\263\261\240\040\133\312\062\253\215\317\023\360\037
+\051\303
+END
+
+# Trust for Certificate "Verisign Class 1 Public Primary OCSP Responder"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 1 Public Primary OCSP Responder"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\004\226\110\344\112\311\314\255\105\203\230\331\074\175\221\365
+\042\104\033\212
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\176\157\072\123\033\174\276\260\060\333\103\036\036\224\211\262
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
+\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
+\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151
+\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\053\150\324\243\106\236\305\073\050\011\253\070\135\177\047\040
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Verisign Class 2 Public Primary OCSP Responder"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 2 Public Primary OCSP Responder"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035
+\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040
+\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060
+\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146
+\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057
+\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155
+\057\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003
+\125\004\003\023\045\103\154\141\163\163\040\062\040\120\165\142
+\154\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120
+\040\122\145\163\160\157\156\144\145\162
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
+\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
+\013\023\056\103\154\141\163\163\040\062\040\120\165\142\154\151
+\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\011\106\027\346\035\330\324\034\240\014\240\142\350\171\212\247
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\236\060\202\003\007\240\003\002\001\002\002\020\011
+\106\027\346\035\330\324\034\240\014\240\142\350\171\212\247\060
+\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\137
+\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060
+\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156
+\054\040\111\156\143\056\061\067\060\065\006\003\125\004\013\023
+\056\103\154\141\163\163\040\062\040\120\165\142\154\151\143\040
+\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143
+\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060
+\036\027\015\060\060\060\070\060\061\060\060\060\060\060\060\132
+\027\015\060\064\060\067\063\061\062\063\065\071\065\071\132\060
+\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145\162
+\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035\006
+\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040\124
+\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060\071
+\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146\040
+\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057\167
+\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155\057
+\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003\125
+\004\003\023\045\103\154\141\163\163\040\062\040\120\165\142\154
+\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120\040
+\122\145\163\160\157\156\144\145\162\060\201\237\060\015\006\011
+\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060
+\201\211\002\201\201\000\320\312\143\061\141\177\104\064\174\005
+\175\013\075\152\220\313\171\113\167\012\077\113\307\043\345\300
+\142\055\176\234\176\076\210\207\221\320\254\350\115\111\207\242
+\226\220\212\335\004\245\002\077\214\233\351\211\376\142\240\342
+\132\275\310\335\264\170\346\245\102\223\010\147\001\300\040\115
+\327\134\364\135\332\263\343\067\246\122\032\054\114\145\115\212
+\207\331\250\243\361\111\124\273\074\134\200\121\150\306\373\111
+\377\013\125\253\025\335\373\232\301\271\035\164\015\262\214\104
+\135\211\374\237\371\203\002\003\001\000\001\243\202\001\020\060
+\202\001\014\060\040\006\003\125\035\021\004\031\060\027\244\025
+\060\023\061\021\060\017\006\003\125\004\003\023\010\117\103\123
+\120\040\061\055\062\060\061\006\003\125\035\037\004\052\060\050
+\060\046\240\044\240\042\206\040\150\164\164\160\072\057\057\143
+\162\154\056\166\145\162\151\163\151\147\156\056\143\157\155\057
+\160\143\141\062\056\143\162\154\060\023\006\003\125\035\045\004
+\014\060\012\006\010\053\006\001\005\005\007\003\011\060\102\006
+\010\053\006\001\005\005\007\001\001\004\066\060\064\060\062\006
+\010\053\006\001\005\005\007\060\001\246\046\026\044\150\164\164
+\160\072\057\057\157\143\163\160\056\166\145\162\151\163\151\147
+\156\056\143\157\155\057\157\143\163\160\057\163\164\141\164\165
+\163\060\104\006\003\125\035\040\004\075\060\073\060\071\006\013
+\140\206\110\001\206\370\105\001\007\001\001\060\052\060\050\006
+\010\053\006\001\005\005\007\002\001\026\034\150\164\164\160\163
+\072\057\057\167\167\167\056\166\145\162\151\163\151\147\156\056
+\143\157\155\057\122\120\101\060\011\006\003\125\035\023\004\002
+\060\000\060\013\006\003\125\035\017\004\004\003\002\007\200\060
+\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003\201
+\201\000\037\175\011\156\044\106\165\004\234\363\046\233\343\071
+\156\027\357\274\275\242\033\322\002\204\206\253\320\100\227\054
+\304\103\210\067\031\153\042\250\003\161\120\235\040\334\066\140
+\040\232\163\055\163\125\154\130\233\054\302\264\064\054\172\063
+\102\312\221\331\351\103\257\317\036\340\365\304\172\253\077\162
+\143\036\251\067\341\133\073\210\263\023\206\202\220\127\313\127
+\377\364\126\276\042\335\343\227\250\341\274\042\103\302\335\115
+\333\366\201\236\222\024\236\071\017\023\124\336\202\330\300\136
+\064\215
+END
+
+# Trust for Certificate "Verisign Class 2 Public Primary OCSP Responder"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 2 Public Primary OCSP Responder"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\042\171\151\276\320\122\116\115\035\066\262\361\162\041\167\361
+\124\123\110\167
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\363\105\275\020\226\015\205\113\357\237\021\142\064\247\136\265
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
+\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
+\013\023\056\103\154\141\163\163\040\062\040\120\165\142\154\151
+\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\011\106\027\346\035\330\324\034\240\014\240\142\350\171\212\247
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Verisign Class 3 Public Primary OCSP Responder"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 3 Public Primary OCSP Responder"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035
+\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040
+\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060
+\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146
+\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057
+\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155
+\057\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003
+\125\004\003\023\045\103\154\141\163\163\040\063\040\120\165\142
+\154\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120
+\040\122\145\163\160\157\156\144\145\162
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
+\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
+\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151
+\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\056\226\236\277\266\142\154\354\173\351\163\314\343\154\301\204
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\242\060\202\003\013\240\003\002\001\002\002\020\056
+\226\236\277\266\142\154\354\173\351\163\314\343\154\301\204\060
+\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\137
+\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027\060
+\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147\156
+\054\040\111\156\143\056\061\067\060\065\006\003\125\004\013\023
+\056\103\154\141\163\163\040\063\040\120\165\142\154\151\143\040
+\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151\143
+\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060
+\036\027\015\060\060\060\070\060\064\060\060\060\060\060\060\132
+\027\015\060\064\060\070\060\063\062\063\065\071\065\071\132\060
+\201\247\061\027\060\025\006\003\125\004\012\023\016\126\145\162
+\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035\006
+\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040\124
+\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060\071
+\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146\040
+\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057\167
+\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155\057
+\122\120\101\040\050\143\051\060\060\061\056\060\054\006\003\125
+\004\003\023\045\103\154\141\163\163\040\063\040\120\165\142\154
+\151\143\040\120\162\151\155\141\162\171\040\117\103\123\120\040
+\122\145\163\160\157\156\144\145\162\060\201\237\060\015\006\011
+\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060
+\201\211\002\201\201\000\361\344\010\016\203\273\165\343\110\345
+\270\333\246\360\271\253\351\074\142\307\136\065\133\320\002\124
+\021\330\311\321\126\271\166\113\271\253\172\346\315\272\366\014
+\004\326\176\326\260\012\145\254\116\071\343\361\367\055\243\045
+\071\357\260\213\317\276\333\014\135\156\160\364\007\315\160\367
+\072\300\076\065\026\355\170\214\103\317\302\046\056\107\326\206
+\175\234\361\276\326\147\014\042\045\244\312\145\346\037\172\170
+\050\057\077\005\333\004\041\277\341\105\146\376\074\267\202\355
+\132\270\026\025\271\125\002\003\001\000\001\243\202\001\024\060
+\202\001\020\060\040\006\003\125\035\021\004\031\060\027\244\025
+\060\023\061\021\060\017\006\003\125\004\003\023\010\117\103\123
+\120\040\061\055\063\060\065\006\003\125\035\037\004\056\060\054
+\060\052\240\050\240\046\206\044\150\164\164\160\072\057\057\143
+\162\154\056\166\145\162\151\163\151\147\156\056\143\157\155\057
+\160\143\141\063\056\061\056\061\056\143\162\154\060\023\006\003
+\125\035\045\004\014\060\012\006\010\053\006\001\005\005\007\003
+\011\060\102\006\010\053\006\001\005\005\007\001\001\004\066\060
+\064\060\062\006\010\053\006\001\005\005\007\060\001\246\046\026
+\044\150\164\164\160\072\057\057\157\143\163\160\056\166\145\162
+\151\163\151\147\156\056\143\157\155\057\157\143\163\160\057\163
+\164\141\164\165\163\060\104\006\003\125\035\040\004\075\060\073
+\060\071\006\013\140\206\110\001\206\370\105\001\007\001\001\060
+\052\060\050\006\010\053\006\001\005\005\007\002\001\026\034\150
+\164\164\160\163\072\057\057\167\167\167\056\166\145\162\151\163
+\151\147\156\056\143\157\155\057\122\120\101\060\011\006\003\125
+\035\023\004\002\060\000\060\013\006\003\125\035\017\004\004\003
+\002\007\200\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\003\201\201\000\002\366\123\143\300\251\036\362\320\213
+\063\060\217\110\233\114\260\126\264\203\161\112\276\334\120\330
+\365\266\340\013\333\275\170\117\351\317\011\064\332\051\111\235
+\001\163\132\221\221\202\124\054\023\012\323\167\043\317\067\374
+\143\336\247\343\366\267\265\151\105\050\111\303\221\334\252\107
+\034\251\210\231\054\005\052\215\215\212\372\142\342\132\267\000
+\040\135\071\304\050\302\313\374\236\250\211\256\133\075\216\022
+\352\062\262\374\353\024\327\011\025\032\300\315\033\325\265\025
+\116\101\325\226\343\116
+END
+
+# Trust for Certificate "Verisign Class 3 Public Primary OCSP Responder"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Class 3 Public Primary OCSP Responder"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\265\355\267\332\046\072\126\164\322\042\105\060\324\307\217\172
+\007\365\345\137
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\175\121\222\311\166\203\230\026\336\214\263\206\304\175\146\373
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
+\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
+\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151
+\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\056\226\236\277\266\142\154\354\173\351\163\314\343\154\301\204
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Verisign Secure Server OCSP Responder"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Secure Server OCSP Responder"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\236\061\027\060\025\006\003\125\004\012\023\016\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035
+\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040
+\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060
+\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146
+\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057
+\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155
+\057\122\120\101\040\050\143\051\060\060\061\045\060\043\006\003
+\125\004\003\023\034\123\145\143\165\162\145\040\123\145\162\166
+\145\162\040\117\103\123\120\040\122\145\163\160\157\156\144\145
+\162
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\040\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141
+\164\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143
+\056\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165
+\162\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\377\105\325\047\135\044\373\263\302\071\044\123\127\341\117
+\336
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\237\060\202\003\014\240\003\002\001\002\002\021\000
+\377\105\325\047\135\044\373\263\302\071\044\123\127\341\117\336
+\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
+\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061\040
+\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141\164
+\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143\056
+\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165\162
+\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146\151
+\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
+\060\036\027\015\060\060\060\070\060\064\060\060\060\060\060\060
+\132\027\015\060\064\060\070\060\063\062\063\065\071\065\071\132
+\060\201\236\061\027\060\025\006\003\125\004\012\023\016\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035
+\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040
+\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060
+\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146
+\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057
+\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155
+\057\122\120\101\040\050\143\051\060\060\061\045\060\043\006\003
+\125\004\003\023\034\123\145\143\165\162\145\040\123\145\162\166
+\145\162\040\117\103\123\120\040\122\145\163\160\157\156\144\145
+\162\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001
+\001\005\000\003\201\215\000\060\201\211\002\201\201\000\270\121
+\231\144\205\016\356\263\012\150\360\277\143\166\035\123\365\374
+\241\170\214\063\356\237\364\276\071\332\233\017\115\107\251\217
+\040\350\113\104\275\316\315\173\220\321\060\350\220\304\045\173
+\211\050\336\275\366\223\035\377\271\377\222\265\251\215\344\256
+\314\342\303\007\203\152\243\162\020\001\047\142\042\246\065\046
+\071\055\236\317\140\014\374\107\244\327\320\102\170\247\035\154
+\320\313\117\025\247\051\012\264\225\105\304\261\347\132\011\327
+\071\225\330\035\065\236\302\275\263\135\301\014\113\037\002\003
+\001\000\001\243\202\001\035\060\202\001\031\060\040\006\003\125
+\035\021\004\031\060\027\244\025\060\023\061\021\060\017\006\003
+\125\004\003\023\010\117\103\123\120\040\061\055\064\060\076\006
+\003\125\035\037\004\067\060\065\060\063\240\061\240\057\206\055
+\150\164\164\160\072\057\057\143\162\154\056\166\145\162\151\163
+\151\147\156\056\143\157\155\057\122\123\101\123\145\143\165\162
+\145\123\145\162\166\145\162\055\160\056\143\162\154\060\023\006
+\003\125\035\045\004\014\060\012\006\010\053\006\001\005\005\007
+\003\011\060\102\006\010\053\006\001\005\005\007\001\001\004\066
+\060\064\060\062\006\010\053\006\001\005\005\007\060\001\246\046
+\026\044\150\164\164\160\072\057\057\157\143\163\160\056\166\145
+\162\151\163\151\147\156\056\143\157\155\057\157\143\163\160\057
+\163\164\141\164\165\163\060\104\006\003\125\035\040\004\075\060
+\073\060\071\006\013\140\206\110\001\206\370\105\001\007\001\001
+\060\052\060\050\006\010\053\006\001\005\005\007\002\001\026\034
+\150\164\164\160\163\072\057\057\167\167\167\056\166\145\162\151
+\163\151\147\156\056\143\157\155\057\122\120\101\060\011\006\003
+\125\035\023\004\002\060\000\060\013\006\003\125\035\017\004\004
+\003\002\007\200\060\015\006\011\052\206\110\206\367\015\001\001
+\005\005\000\003\176\000\000\263\020\123\146\234\111\223\056\061
+\240\002\102\322\130\127\176\146\241\376\033\212\141\030\120\100
+\054\036\053\101\245\326\333\377\254\010\034\132\005\155\002\134
+\052\266\226\117\107\333\276\116\333\316\314\272\206\270\030\316
+\261\022\221\137\143\367\363\110\076\314\361\115\023\344\155\011
+\224\170\000\222\313\243\040\235\006\013\152\240\103\007\316\321
+\031\154\217\030\165\232\237\027\063\375\251\046\270\343\342\336
+\302\250\304\132\212\177\230\326\007\006\153\314\126\236\206\160
+\316\324\357
+END
+
+# Trust for Certificate "Verisign Secure Server OCSP Responder"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Secure Server OCSP Responder"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\161\236\140\141\327\175\054\203\361\242\135\074\366\215\002\274
+\224\070\305\056
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\054\142\303\330\200\001\026\011\352\131\352\170\253\020\103\366
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\040\060\036\006\003\125\004\012\023\027\122\123\101\040\104\141
+\164\141\040\123\145\143\165\162\151\164\171\054\040\111\156\143
+\056\061\056\060\054\006\003\125\004\013\023\045\123\145\143\165
+\162\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000\377\105\325\047\135\044\373\263\302\071\044\123\127\341\117
+\336
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Verisign Time Stamping Authority CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Time Stamping Authority CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\245\061\027\060\025\006\003\125\004\012\023\016\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\061\037\060\035
+\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156\040
+\124\162\165\163\164\040\116\145\164\167\157\162\153\061\073\060
+\071\006\003\125\004\013\023\062\124\145\162\155\163\040\157\146
+\040\165\163\145\040\141\164\040\150\164\164\160\163\072\057\057
+\167\167\167\056\166\145\162\151\163\151\147\156\056\143\157\155
+\057\162\160\141\040\050\143\051\060\060\061\054\060\052\006\003
+\125\004\003\023\043\126\145\162\151\123\151\147\156\040\124\151
+\155\145\040\123\164\141\155\160\151\156\147\040\101\165\164\150
+\157\162\151\164\171\040\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
+\004\013\023\063\103\154\141\163\163\040\063\040\120\165\142\154
+\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
+\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
+\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
+\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
+\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
+\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
+\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
+\167\157\162\153
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\123\141\262\140\256\333\161\216\247\224\263\023\063\364\007\011
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\315\060\202\003\066\240\003\002\001\002\002\020\123
+\141\262\140\256\333\161\216\247\224\263\023\063\364\007\011\060
+\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201
+\301\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027
+\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147
+\156\054\040\111\156\143\056\061\074\060\072\006\003\125\004\013
+\023\063\103\154\141\163\163\040\063\040\120\165\142\154\151\143
+\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151
+\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
+\040\055\040\107\062\061\072\060\070\006\003\125\004\013\023\061
+\050\143\051\040\061\071\071\070\040\126\145\162\151\123\151\147
+\156\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165
+\164\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154
+\171\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151
+\123\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157
+\162\153\060\036\027\015\060\060\060\071\062\066\060\060\060\060
+\060\060\132\027\015\061\060\060\071\062\065\062\063\065\071\065
+\071\132\060\201\245\061\027\060\025\006\003\125\004\012\023\016
+\126\145\162\151\123\151\147\156\054\040\111\156\143\056\061\037
+\060\035\006\003\125\004\013\023\026\126\145\162\151\123\151\147
+\156\040\124\162\165\163\164\040\116\145\164\167\157\162\153\061
+\073\060\071\006\003\125\004\013\023\062\124\145\162\155\163\040
+\157\146\040\165\163\145\040\141\164\040\150\164\164\160\163\072
+\057\057\167\167\167\056\166\145\162\151\163\151\147\156\056\143
+\157\155\057\162\160\141\040\050\143\051\060\060\061\054\060\052
+\006\003\125\004\003\023\043\126\145\162\151\123\151\147\156\040
+\124\151\155\145\040\123\164\141\155\160\151\156\147\040\101\165
+\164\150\157\162\151\164\171\040\103\101\060\201\237\060\015\006
+\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000
+\060\201\211\002\201\201\000\322\031\235\147\302\000\041\131\142
+\316\264\011\042\104\151\212\370\045\132\333\355\015\267\066\176
+\116\340\273\224\076\220\045\207\302\141\107\051\331\275\124\270
+\143\314\054\175\151\264\063\066\364\067\007\232\301\335\100\124
+\374\340\170\235\240\223\271\011\075\043\121\177\104\302\024\164
+\333\012\276\313\311\060\064\100\230\076\320\327\045\020\201\224
+\275\007\117\234\326\124\047\337\056\250\277\313\220\214\215\165
+\113\274\342\350\104\207\315\346\101\012\045\156\350\364\044\002
+\305\122\017\156\354\230\165\002\003\001\000\001\243\201\337\060
+\201\334\060\017\006\003\125\035\023\004\010\060\006\001\001\377
+\002\001\000\060\105\006\003\125\035\040\004\076\060\074\060\072
+\006\014\140\206\110\001\206\370\105\001\007\027\001\003\060\052
+\060\050\006\010\053\006\001\005\005\007\002\001\026\034\150\164
+\164\160\163\072\057\057\167\167\167\056\166\145\162\151\163\151
+\147\156\056\143\157\155\057\162\160\141\060\061\006\003\125\035
+\037\004\052\060\050\060\046\240\044\240\042\206\040\150\164\164
+\160\072\057\057\143\162\154\056\166\145\162\151\163\151\147\156
+\056\143\157\155\057\160\143\141\063\056\143\162\154\060\013\006
+\003\125\035\017\004\004\003\002\001\006\060\102\006\010\053\006
+\001\005\005\007\001\001\004\066\060\064\060\062\006\010\053\006
+\001\005\005\007\060\001\246\046\026\044\150\164\164\160\072\057
+\057\157\143\163\160\056\166\145\162\151\163\151\147\156\056\143
+\157\155\057\157\143\163\160\057\163\164\141\164\165\163\060\015
+\006\011\052\206\110\206\367\015\001\001\005\005\000\003\201\201
+\000\202\160\150\225\337\266\015\302\001\160\031\112\322\124\126
+\036\254\362\105\114\207\270\365\065\353\170\113\005\251\310\235
+\073\031\041\056\160\064\112\242\365\211\340\025\165\105\347\050
+\067\000\064\047\051\350\067\113\362\357\104\227\153\027\121\032
+\303\126\235\074\032\212\366\112\106\106\067\214\372\313\365\144
+\132\070\150\056\034\303\357\160\316\270\106\006\026\277\367\176
+\347\265\250\076\105\254\251\045\165\042\173\157\077\260\234\224
+\347\307\163\253\254\037\356\045\233\300\026\355\267\312\133\360
+\024
+END
+
+# Trust for Certificate "Verisign Time Stamping Authority CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Verisign Time Stamping Authority CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\246\017\064\310\142\154\201\366\213\367\175\251\366\147\130\212
+\220\077\175\066
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\211\111\124\214\310\150\232\203\051\354\334\006\163\041\253\227
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
+\004\013\023\063\103\154\141\163\163\040\063\040\120\165\142\154
+\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
+\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
+\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
+\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
+\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
+\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
+\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
+\167\157\162\153
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\123\141\262\140\256\333\161\216\247\224\263\023\063\364\007\011
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Thawte Time Stamping CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Thawte Time Stamping CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\213\061\013\060\011\006\003\125\004\006\023\002\132\101
+\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
+\162\156\040\103\141\160\145\061\024\060\022\006\003\125\004\007
+\023\013\104\165\162\142\141\156\166\151\154\154\145\061\017\060
+\015\006\003\125\004\012\023\006\124\150\141\167\164\145\061\035
+\060\033\006\003\125\004\013\023\024\124\150\141\167\164\145\040
+\103\145\162\164\151\146\151\143\141\164\151\157\156\061\037\060
+\035\006\003\125\004\003\023\026\124\150\141\167\164\145\040\124
+\151\155\145\163\164\141\155\160\151\156\147\040\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\213\061\013\060\011\006\003\125\004\006\023\002\132\101
+\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
+\162\156\040\103\141\160\145\061\024\060\022\006\003\125\004\007
+\023\013\104\165\162\142\141\156\166\151\154\154\145\061\017\060
+\015\006\003\125\004\012\023\006\124\150\141\167\164\145\061\035
+\060\033\006\003\125\004\013\023\024\124\150\141\167\164\145\040
+\103\145\162\164\151\146\151\143\141\164\151\157\156\061\037\060
+\035\006\003\125\004\003\023\026\124\150\141\167\164\145\040\124
+\151\155\145\163\164\141\155\160\151\156\147\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\241\060\202\002\012\240\003\002\001\002\002\001\000
+\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
+\201\213\061\013\060\011\006\003\125\004\006\023\002\132\101\061
+\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162
+\156\040\103\141\160\145\061\024\060\022\006\003\125\004\007\023
+\013\104\165\162\142\141\156\166\151\154\154\145\061\017\060\015
+\006\003\125\004\012\023\006\124\150\141\167\164\145\061\035\060
+\033\006\003\125\004\013\023\024\124\150\141\167\164\145\040\103
+\145\162\164\151\146\151\143\141\164\151\157\156\061\037\060\035
+\006\003\125\004\003\023\026\124\150\141\167\164\145\040\124\151
+\155\145\163\164\141\155\160\151\156\147\040\103\101\060\036\027
+\015\071\067\060\061\060\061\060\060\060\060\060\060\132\027\015
+\062\060\061\062\063\061\062\063\065\071\065\071\132\060\201\213
+\061\013\060\011\006\003\125\004\006\023\002\132\101\061\025\060
+\023\006\003\125\004\010\023\014\127\145\163\164\145\162\156\040
+\103\141\160\145\061\024\060\022\006\003\125\004\007\023\013\104
+\165\162\142\141\156\166\151\154\154\145\061\017\060\015\006\003
+\125\004\012\023\006\124\150\141\167\164\145\061\035\060\033\006
+\003\125\004\013\023\024\124\150\141\167\164\145\040\103\145\162
+\164\151\146\151\143\141\164\151\157\156\061\037\060\035\006\003
+\125\004\003\023\026\124\150\141\167\164\145\040\124\151\155\145
+\163\164\141\155\160\151\156\147\040\103\101\060\201\237\060\015
+\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215
+\000\060\201\211\002\201\201\000\326\053\130\170\141\105\206\123
+\352\064\173\121\234\355\260\346\056\030\016\376\340\137\250\047
+\323\264\311\340\174\131\116\026\016\163\124\140\301\177\366\237
+\056\351\072\205\044\025\074\333\107\004\143\303\236\304\224\032
+\132\337\114\172\363\331\103\035\074\020\172\171\045\333\220\376
+\360\121\347\060\326\101\000\375\237\050\337\171\276\224\273\235
+\266\024\343\043\205\327\251\101\340\114\244\171\260\053\032\213
+\362\370\073\212\076\105\254\161\222\000\264\220\101\230\373\137
+\355\372\267\056\212\370\210\067\002\003\001\000\001\243\023\060
+\021\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001
+\001\377\060\015\006\011\052\206\110\206\367\015\001\001\004\005
+\000\003\201\201\000\147\333\342\302\346\207\075\100\203\206\067
+\065\175\037\316\232\303\014\146\040\250\272\252\004\211\206\302
+\365\020\010\015\277\313\242\005\212\320\115\066\076\364\327\357
+\151\306\136\344\260\224\157\112\271\347\336\133\210\266\173\333
+\343\047\345\166\303\360\065\301\313\265\047\233\063\171\334\220
+\246\000\236\167\372\374\315\047\224\102\026\234\323\034\150\354
+\277\134\335\345\251\173\020\012\062\164\124\023\061\213\205\003
+\204\221\267\130\001\060\024\070\257\050\312\374\261\120\031\031
+\011\254\211\111\323
+END
+
+# Trust for Certificate "Thawte Time Stamping CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Thawte Time Stamping CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\276\066\244\126\057\262\356\005\333\263\323\043\043\255\364\105
+\010\116\326\126
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\177\146\172\161\323\353\151\170\040\232\121\024\235\203\332\040
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\213\061\013\060\011\006\003\125\004\006\023\002\132\101
+\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
+\162\156\040\103\141\160\145\061\024\060\022\006\003\125\004\007
+\023\013\104\165\162\142\141\156\166\151\154\154\145\061\017\060
+\015\006\003\125\004\012\023\006\124\150\141\167\164\145\061\035
+\060\033\006\003\125\004\013\023\024\124\150\141\167\164\145\040
+\103\145\162\164\151\146\151\143\141\164\151\157\156\061\037\060
+\035\006\003\125\004\003\023\026\124\150\141\167\164\145\040\124
+\151\155\145\163\164\141\155\160\151\156\147\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\000
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "E-Certify CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "E-Certify CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061
+\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164
+\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104
+\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003
+\023\014\105\055\103\145\162\164\151\146\171\040\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061
+\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164
+\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104
+\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003
+\023\014\105\055\103\145\162\164\151\146\171\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001\115\105\234
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\071\060\202\002\041\240\003\002\001\002\002\004\001
+\115\105\234\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\114\061\013\060\011\006\003\125\004\006\023\002\143
+\141\061\022\060\020\006\003\125\004\012\023\011\105\055\103\145
+\162\164\151\146\171\061\022\060\020\006\003\125\004\013\023\011
+\111\104\040\103\145\156\164\145\162\061\025\060\023\006\003\125
+\004\003\023\014\105\055\103\145\162\164\151\146\171\040\103\101
+\060\036\027\015\071\071\060\071\062\070\061\066\064\070\062\071
+\132\027\015\060\064\060\071\062\070\061\066\064\070\062\071\132
+\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061
+\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164
+\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104
+\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003
+\023\014\105\055\103\145\162\164\151\146\171\040\103\101\060\202
+\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005
+\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000\272
+\233\246\161\200\125\164\111\051\125\166\033\307\066\225\060\054
+\062\011\121\356\060\244\153\150\207\107\330\050\012\027\177\157
+\250\232\040\266\253\001\322\256\240\105\106\065\002\002\374\332
+\340\040\162\012\063\015\223\160\270\004\220\111\371\150\070\273
+\015\021\156\071\135\130\172\306\043\146\351\273\027\062\046\350
+\354\022\150\207\051\314\271\345\117\314\210\033\355\225\161\241
+\123\042\056\355\203\134\376\062\127\114\122\123\070\341\025\155
+\000\125\111\207\044\313\344\026\110\270\231\345\332\172\337\243
+\205\230\164\302\371\253\153\111\315\377\102\315\270\055\264\200
+\313\114\172\065\374\220\277\115\323\000\355\317\214\377\117\071
+\373\172\170\360\016\015\111\177\123\076\024\233\046\250\252\311
+\273\341\321\033\335\034\060\257\001\346\233\046\006\144\274\357
+\130\114\132\105\225\120\304\054\076\164\130\351\074\257\373\303
+\253\122\004\332\044\362\261\304\366\133\323\110\340\301\204\060
+\174\321\165\077\344\123\163\135\211\330\356\100\117\011\227\227
+\205\143\215\325\240\256\206\203\153\333\124\150\136\350\113\002
+\003\001\000\001\243\043\060\041\060\014\006\003\125\035\023\004
+\005\060\003\001\001\377\060\021\006\011\140\206\110\001\206\370
+\102\001\001\004\004\003\002\000\007\060\015\006\011\052\206\110
+\206\367\015\001\001\005\005\000\003\202\001\001\000\163\076\031
+\174\330\126\321\305\377\012\235\347\266\315\227\363\247\341\101
+\310\176\202\065\377\233\226\322\013\357\161\362\020\345\104\313
+\222\350\016\132\346\076\304\364\225\151\002\274\013\126\200\271
+\161\027\143\036\101\111\052\065\352\034\325\144\253\111\355\013
+\076\213\124\241\115\050\150\352\275\267\201\077\065\171\202\367
+\064\274\171\210\045\236\200\347\317\250\025\257\362\341\025\053
+\007\121\340\324\215\112\112\003\300\042\053\271\150\112\200\303
+\250\205\010\325\247\052\275\313\247\143\175\243\260\312\126\140
+\154\105\341\312\277\024\122\012\302\305\145\354\241\075\037\100
+\371\120\132\344\064\012\157\302\164\254\174\314\047\352\343\207
+\245\123\310\336\174\076\135\102\122\132\353\005\150\246\030\062
+\140\040\170\153\160\024\140\041\202\011\075\036\126\300\025\141
+\000\121\145\262\061\022\371\306\112\006\274\137\364\071\037\166
+\232\211\170\351\066\202\332\265\157\213\177\211\265\114\367\145
+\030\134\201\363\356\120\326\335\354\151\110\237\053\265\336\076
+\275\372\274\154\153\147\123\233\261\223\271\221\106
+END
+
+# Trust for Certificate "E-Certify CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "E-Certify CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\133\330\153\206\375\275\330\206\371\233\310\120\106\350\052\112
+\211\152\317\357
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\256\065\177\222\227\106\174\217\023\051\341\333\236\102\145\152
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061
+\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164
+\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104
+\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003
+\023\014\105\055\103\145\162\164\151\146\171\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001\115\105\234
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "E-Certify RA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "E-Certify RA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061
+\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164
+\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104
+\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003
+\023\014\105\055\103\145\162\164\151\146\171\040\122\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061
+\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164
+\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104
+\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003
+\023\014\105\055\103\145\162\164\151\146\171\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001\117\353\020
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\003\071\060\202\002\041\240\003\002\001\002\002\004\001
+\117\353\020\060\015\006\011\052\206\110\206\367\015\001\001\005
+\005\000\060\114\061\013\060\011\006\003\125\004\006\023\002\143
+\141\061\022\060\020\006\003\125\004\012\023\011\105\055\103\145
+\162\164\151\146\171\061\022\060\020\006\003\125\004\013\023\011
+\111\104\040\103\145\156\164\145\162\061\025\060\023\006\003\125
+\004\003\023\014\105\055\103\145\162\164\151\146\171\040\103\101
+\060\036\027\015\071\071\060\071\063\060\061\066\065\070\065\067
+\132\027\015\060\064\060\071\062\067\061\066\065\070\065\067\132
+\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061
+\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164
+\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104
+\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003
+\023\014\105\055\103\145\162\164\151\146\171\040\122\101\060\202
+\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005
+\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000\334
+\260\267\045\373\356\014\272\330\243\162\104\017\052\243\343\110
+\004\321\364\060\164\006\010\016\137\067\307\066\267\202\232\045
+\113\254\153\111\231\000\033\027\362\360\337\027\027\351\355\040
+\152\024\153\375\311\314\017\346\014\153\206\345\365\244\372\333
+\005\052\000\310\015\352\252\145\100\066\312\363\345\165\071\216
+\334\146\333\104\034\236\303\213\103\070\313\274\360\232\311\331
+\312\067\023\312\122\301\055\351\107\040\345\314\044\170\340\346
+\033\114\270\322\124\202\155\016\271\041\140\357\174\264\000\373
+\122\304\057\012\367\004\116\204\057\337\030\254\143\006\040\335
+\332\261\201\301\341\255\177\030\210\167\363\353\370\255\317\172
+\020\120\126\171\236\124\317\336\034\233\327\102\224\341\317\325
+\154\365\136\075\315\345\147\023\073\232\315\072\142\204\371\141
+\036\155\325\130\216\331\371\255\052\076\226\361\355\252\177\020
+\356\366\000\205\074\261\005\013\064\321\134\142\340\215\022\256
+\275\114\124\300\342\274\144\161\140\145\206\306\331\204\253\130
+\140\152\061\156\175\117\261\210\242\376\024\114\072\214\373\002
+\003\001\000\001\243\043\060\041\060\014\006\003\125\035\023\004
+\005\060\003\001\001\377\060\021\006\011\140\206\110\001\206\370
+\102\001\001\004\004\003\002\000\007\060\015\006\011\052\206\110
+\206\367\015\001\001\005\005\000\003\202\001\001\000\255\030\200
+\317\060\274\073\350\362\002\025\127\075\350\114\143\346\356\062
+\243\177\345\001\360\047\271\052\331\301\250\236\043\036\107\231
+\327\056\104\113\024\313\320\275\046\144\003\362\006\217\237\327
+\110\250\161\153\026\064\305\076\265\171\230\263\346\340\320\070
+\021\231\244\021\173\343\071\245\015\077\235\325\322\305\172\057
+\352\104\024\315\020\116\240\064\263\153\211\137\360\256\237\315
+\123\325\176\172\120\045\000\041\244\155\351\310\161\000\373\255
+\064\027\110\042\356\247\050\154\206\162\333\371\233\206\104\170
+\136\005\351\150\064\060\241\025\145\301\251\332\236\135\236\043
+\106\116\052\346\116\263\114\237\314\106\010\230\034\074\103\237
+\264\316\240\140\357\044\316\116\037\350\302\251\162\273\057\332
+\102\006\041\360\232\345\170\107\054\010\164\120\150\140\375\205
+\302\373\257\112\222\361\204\235\000\152\310\126\041\216\157\301
+\061\313\121\354\166\165\172\337\001\016\162\150\241\362\046\216
+\331\270\306\243\144\122\372\155\373\112\075\132\135\270\124\224
+\355\125\150\145\235\077\122\114\106\222\026\013\276
+END
+
+# Trust for Certificate "E-Certify RA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "E-Certify RA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\217\051\011\013\006\302\070\314\160\305\251\355\227\147\210\315
+\066\332\335\131
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\114\061\013\060\011\006\003\125\004\006\023\002\143\141\061
+\022\060\020\006\003\125\004\012\023\011\105\055\103\145\162\164
+\151\146\171\061\022\060\020\006\003\125\004\013\023\011\111\104
+\040\103\145\156\164\145\162\061\025\060\023\006\003\125\004\003
+\023\014\105\055\103\145\162\164\151\146\171\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\001\117\353\020
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\245\273\012\243\320\307\124\025\130\336\153\122\020\121\272\050
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Entrust.net Global Secure Server CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Entrust.net Global Secure Server CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\272\061\024\060\022\006\003\125\004\012\023\013\105\156
+\164\162\165\163\164\056\156\145\164\061\077\060\075\006\003\125
+\004\013\024\066\167\167\167\056\145\156\164\162\165\163\164\056
+\156\145\164\057\123\123\114\137\103\120\123\040\151\156\143\157
+\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155
+\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003
+\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105\156
+\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145
+\144\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162
+\165\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123
+\145\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164
+\151\157\156\040\101\165\164\150\157\162\151\164\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\272\061\024\060\022\006\003\125\004\012\023\013\105\156
+\164\162\165\163\164\056\156\145\164\061\077\060\075\006\003\125
+\004\013\024\066\167\167\167\056\145\156\164\162\165\163\164\056
+\156\145\164\057\123\123\114\137\103\120\123\040\151\156\143\157
+\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155
+\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003
+\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105\156
+\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145
+\144\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162
+\165\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123
+\145\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164
+\151\157\156\040\101\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\070\233\021\074
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\225\060\202\003\376\240\003\002\001\002\002\004\070
+\233\021\074\060\015\006\011\052\206\110\206\367\015\001\001\004
+\005\000\060\201\272\061\024\060\022\006\003\125\004\012\023\013
+\105\156\164\162\165\163\164\056\156\145\164\061\077\060\075\006
+\003\125\004\013\024\066\167\167\167\056\145\156\164\162\165\163
+\164\056\156\145\164\057\123\123\114\137\103\120\123\040\151\156
+\143\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154
+\151\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043
+\006\003\125\004\013\023\034\050\143\051\040\062\060\060\060\040
+\105\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151
+\164\145\144\061\072\060\070\006\003\125\004\003\023\061\105\156
+\164\162\165\163\164\056\156\145\164\040\123\145\143\165\162\145
+\040\123\145\162\166\145\162\040\103\145\162\164\151\146\151\143
+\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060
+\036\027\015\060\060\060\062\060\064\061\067\062\060\060\060\132
+\027\015\062\060\060\062\060\064\061\067\065\060\060\060\132\060
+\201\272\061\024\060\022\006\003\125\004\012\023\013\105\156\164
+\162\165\163\164\056\156\145\164\061\077\060\075\006\003\125\004
+\013\024\066\167\167\167\056\145\156\164\162\165\163\164\056\156
+\145\164\057\123\123\114\137\103\120\123\040\151\156\143\157\162
+\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155\151
+\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003\125
+\004\013\023\034\050\143\051\040\062\060\060\060\040\105\156\164
+\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145\144
+\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162\165
+\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123\145
+\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164\151
+\157\156\040\101\165\164\150\157\162\151\164\171\060\201\237\060
+\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201
+\215\000\060\201\211\002\201\201\000\307\301\137\116\161\361\316
+\360\140\206\017\322\130\177\323\063\227\055\027\242\165\060\265
+\226\144\046\057\150\303\104\253\250\165\346\000\147\064\127\236
+\145\307\042\233\163\346\323\335\010\016\067\125\252\045\106\201
+\154\275\376\250\366\165\127\127\214\220\154\112\303\076\213\113
+\103\012\311\021\126\232\232\047\042\231\317\125\236\141\331\002
+\342\174\266\174\070\007\334\343\177\117\232\271\003\101\200\266
+\165\147\023\013\237\350\127\066\310\135\000\066\336\146\024\332
+\156\166\037\117\067\214\202\023\211\002\003\001\000\001\243\202
+\001\244\060\202\001\240\060\021\006\011\140\206\110\001\206\370
+\102\001\001\004\004\003\002\000\007\060\201\343\006\003\125\035
+\037\004\201\333\060\201\330\060\201\325\240\201\322\240\201\317
+\244\201\314\060\201\311\061\024\060\022\006\003\125\004\012\023
+\013\105\156\164\162\165\163\164\056\156\145\164\061\077\060\075
+\006\003\125\004\013\024\066\167\167\167\056\145\156\164\162\165
+\163\164\056\156\145\164\057\123\123\114\137\103\120\123\040\151
+\156\143\157\162\160\056\040\142\171\040\162\145\146\056\040\050
+\154\151\155\151\164\163\040\154\151\141\142\056\051\061\045\060
+\043\006\003\125\004\013\023\034\050\143\051\040\062\060\060\060
+\040\105\156\164\162\165\163\164\056\156\145\164\040\114\151\155
+\151\164\145\144\061\072\060\070\006\003\125\004\003\023\061\105
+\156\164\162\165\163\164\056\156\145\164\040\123\145\143\165\162
+\145\040\123\145\162\166\145\162\040\103\145\162\164\151\146\151
+\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
+\061\015\060\013\006\003\125\004\003\023\004\103\122\114\061\060
+\053\006\003\125\035\020\004\044\060\042\200\017\062\060\060\060
+\060\062\060\064\061\067\062\060\060\060\132\201\017\062\060\062
+\060\060\062\060\064\061\067\065\060\060\060\132\060\013\006\003
+\125\035\017\004\004\003\002\001\006\060\037\006\003\125\035\043
+\004\030\060\026\200\024\313\154\300\153\343\273\076\313\374\042
+\234\376\373\213\222\234\260\362\156\042\060\035\006\003\125\035
+\016\004\026\004\024\313\154\300\153\343\273\076\313\374\042\234
+\376\373\213\222\234\260\362\156\042\060\014\006\003\125\035\023
+\004\005\060\003\001\001\377\060\035\006\011\052\206\110\206\366
+\175\007\101\000\004\020\060\016\033\010\126\065\056\060\072\064
+\056\060\003\002\004\220\060\015\006\011\052\206\110\206\367\015
+\001\001\004\005\000\003\201\201\000\142\333\201\221\316\310\232
+\167\102\057\354\275\047\243\123\017\120\033\352\116\222\360\251
+\257\251\240\272\110\141\313\357\311\006\357\037\325\364\356\337
+\126\055\346\312\152\031\163\252\123\276\222\263\120\002\266\205
+\046\162\143\330\165\120\142\165\024\267\263\120\032\077\312\021
+\000\013\205\105\151\155\266\245\256\121\341\112\334\202\077\154
+\214\064\262\167\153\331\002\366\177\016\352\145\004\361\315\124
+\312\272\311\314\340\204\367\310\076\021\227\323\140\011\030\274
+\005\377\154\211\063\360\354\025\017
+END
+
+# Trust for Certificate "Entrust.net Global Secure Server CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Entrust.net Global Secure Server CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\211\071\127\156\027\215\367\005\170\017\314\136\310\117\204\366
+\045\072\110\223
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\235\146\152\314\377\325\365\103\264\277\214\026\321\053\250\231
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\272\061\024\060\022\006\003\125\004\012\023\013\105\156
+\164\162\165\163\164\056\156\145\164\061\077\060\075\006\003\125
+\004\013\024\066\167\167\167\056\145\156\164\162\165\163\164\056
+\156\145\164\057\123\123\114\137\103\120\123\040\151\156\143\157
+\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151\155
+\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006\003
+\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105\156
+\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164\145
+\144\061\072\060\070\006\003\125\004\003\023\061\105\156\164\162
+\165\163\164\056\156\145\164\040\123\145\143\165\162\145\040\123
+\145\162\166\145\162\040\103\145\162\164\151\146\151\143\141\164
+\151\157\156\040\101\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\070\233\021\074
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+
+#
+# Certificate "Entrust.net Global Secure Personal CA"
+#
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Entrust.net Global Secure Personal CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156
+\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125
+\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056
+\156\145\164\057\107\103\103\101\137\103\120\123\040\151\156\143
+\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151
+\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006
+\003\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105
+\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164
+\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164
+\162\165\163\164\056\156\145\164\040\103\154\151\145\156\164\040
+\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
+\164\150\157\162\151\164\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156
+\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125
+\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056
+\156\145\164\057\107\103\103\101\137\103\120\123\040\151\156\143
+\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151
+\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006
+\003\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105
+\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164
+\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164
+\162\165\163\164\056\156\145\164\040\103\154\151\145\156\164\040
+\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
+\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\070\236\366\344
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\004\203\060\202\003\354\240\003\002\001\002\002\004\070
+\236\366\344\060\015\006\011\052\206\110\206\367\015\001\001\004
+\005\000\060\201\264\061\024\060\022\006\003\125\004\012\023\013
+\105\156\164\162\165\163\164\056\156\145\164\061\100\060\076\006
+\003\125\004\013\024\067\167\167\167\056\145\156\164\162\165\163
+\164\056\156\145\164\057\107\103\103\101\137\103\120\123\040\151
+\156\143\157\162\160\056\040\142\171\040\162\145\146\056\040\050
+\154\151\155\151\164\163\040\154\151\141\142\056\051\061\045\060
+\043\006\003\125\004\013\023\034\050\143\051\040\062\060\060\060
+\040\105\156\164\162\165\163\164\056\156\145\164\040\114\151\155
+\151\164\145\144\061\063\060\061\006\003\125\004\003\023\052\105
+\156\164\162\165\163\164\056\156\145\164\040\103\154\151\145\156
+\164\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\060\036\027\015\060\060\060
+\062\060\067\061\066\061\066\064\060\132\027\015\062\060\060\062
+\060\067\061\066\064\066\064\060\132\060\201\264\061\024\060\022
+\006\003\125\004\012\023\013\105\156\164\162\165\163\164\056\156
+\145\164\061\100\060\076\006\003\125\004\013\024\067\167\167\167
+\056\145\156\164\162\165\163\164\056\156\145\164\057\107\103\103
+\101\137\103\120\123\040\151\156\143\157\162\160\056\040\142\171
+\040\162\145\146\056\040\050\154\151\155\151\164\163\040\154\151
+\141\142\056\051\061\045\060\043\006\003\125\004\013\023\034\050
+\143\051\040\062\060\060\060\040\105\156\164\162\165\163\164\056
+\156\145\164\040\114\151\155\151\164\145\144\061\063\060\061\006
+\003\125\004\003\023\052\105\156\164\162\165\163\164\056\156\145
+\164\040\103\154\151\145\156\164\040\103\145\162\164\151\146\151
+\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
+\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001\001
+\005\000\003\201\215\000\060\201\211\002\201\201\000\223\164\264
+\266\344\305\113\326\241\150\177\142\325\354\367\121\127\263\162
+\112\230\365\320\211\311\255\143\315\115\065\121\152\204\324\255
+\311\150\171\157\270\353\021\333\207\256\134\044\121\023\361\124
+\045\204\257\051\053\237\343\200\342\331\313\335\306\105\111\064
+\210\220\136\001\227\357\352\123\246\335\374\301\336\113\052\045
+\344\351\065\372\125\005\006\345\211\172\352\244\021\127\073\374
+\174\075\066\315\147\065\155\244\251\045\131\275\146\365\371\047
+\344\225\147\326\077\222\200\136\362\064\175\053\205\002\003\001
+\000\001\243\202\001\236\060\202\001\232\060\021\006\011\140\206
+\110\001\206\370\102\001\001\004\004\003\002\000\007\060\201\335
+\006\003\125\035\037\004\201\325\060\201\322\060\201\317\240\201
+\314\240\201\311\244\201\306\060\201\303\061\024\060\022\006\003
+\125\004\012\023\013\105\156\164\162\165\163\164\056\156\145\164
+\061\100\060\076\006\003\125\004\013\024\067\167\167\167\056\145
+\156\164\162\165\163\164\056\156\145\164\057\107\103\103\101\137
+\103\120\123\040\151\156\143\157\162\160\056\040\142\171\040\162
+\145\146\056\040\050\154\151\155\151\164\163\040\154\151\141\142
+\056\051\061\045\060\043\006\003\125\004\013\023\034\050\143\051
+\040\062\060\060\060\040\105\156\164\162\165\163\164\056\156\145
+\164\040\114\151\155\151\164\145\144\061\063\060\061\006\003\125
+\004\003\023\052\105\156\164\162\165\163\164\056\156\145\164\040
+\103\154\151\145\156\164\040\103\145\162\164\151\146\151\143\141
+\164\151\157\156\040\101\165\164\150\157\162\151\164\171\061\015
+\060\013\006\003\125\004\003\023\004\103\122\114\061\060\053\006
+\003\125\035\020\004\044\060\042\200\017\062\060\060\060\060\062
+\060\067\061\066\061\066\064\060\132\201\017\062\060\062\060\060
+\062\060\067\061\066\064\066\064\060\132\060\013\006\003\125\035
+\017\004\004\003\002\001\006\060\037\006\003\125\035\043\004\030
+\060\026\200\024\204\213\164\375\305\215\300\377\047\155\040\067
+\105\174\376\055\316\272\323\175\060\035\006\003\125\035\016\004
+\026\004\024\204\213\164\375\305\215\300\377\047\155\040\067\105
+\174\376\055\316\272\323\175\060\014\006\003\125\035\023\004\005
+\060\003\001\001\377\060\035\006\011\052\206\110\206\366\175\007
+\101\000\004\020\060\016\033\010\126\065\056\060\072\064\056\060
+\003\002\004\220\060\015\006\011\052\206\110\206\367\015\001\001
+\004\005\000\003\201\201\000\116\157\065\200\073\321\212\365\016
+\247\040\313\055\145\125\320\222\364\347\204\265\006\046\203\022
+\204\013\254\073\262\104\356\275\317\100\333\040\016\272\156\024
+\352\060\340\073\142\174\177\213\153\174\112\247\325\065\074\276
+\250\134\352\113\273\223\216\200\146\253\017\051\375\115\055\277
+\032\233\012\220\305\253\332\321\263\206\324\057\044\122\134\172
+\155\306\362\376\345\115\032\060\214\220\362\272\327\112\076\103
+\176\324\310\120\032\207\370\117\201\307\166\013\204\072\162\235
+\316\145\146\227\256\046\136
+END
+
+# Trust for Certificate "Entrust.net Global Secure Personal CA"
+CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Entrust.net Global Secure Personal CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\317\164\277\377\233\206\201\133\010\063\124\100\066\076\207\266
+\266\360\277\163
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\232\167\031\030\355\226\317\337\033\267\016\365\215\271\210\056
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\264\061\024\060\022\006\003\125\004\012\023\013\105\156
+\164\162\165\163\164\056\156\145\164\061\100\060\076\006\003\125
+\004\013\024\067\167\167\167\056\145\156\164\162\165\163\164\056
+\156\145\164\057\107\103\103\101\137\103\120\123\040\151\156\143
+\157\162\160\056\040\142\171\040\162\145\146\056\040\050\154\151
+\155\151\164\163\040\154\151\141\142\056\051\061\045\060\043\006
+\003\125\004\013\023\034\050\143\051\040\062\060\060\060\040\105
+\156\164\162\165\163\164\056\156\145\164\040\114\151\155\151\164
+\145\144\061\063\060\061\006\003\125\004\003\023\052\105\156\164
+\162\165\163\164\056\156\145\164\040\103\154\151\145\156\164\040
+\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
+\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\070\236\366\344
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
diff --git a/security/nss/lib/ckfw/builtins/config.mk b/security/nss/lib/ckfw/builtins/config.mk
new file mode 100644
index 000000000..cccc96eb8
--- /dev/null
+++ b/security/nss/lib/ckfw/builtins/config.mk
@@ -0,0 +1,58 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+#
+#  Override TARGETS variable so that only shared libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(SHARED_LIBRARY)
+LIBRARY        =
+IMPORT_LIBRARY =
+PROGRAM        =
+
+ifeq (,$(filter-out OS2 WIN%,$(OS_TARGET)))
+    SHARED_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION).dll
+endif
+
+ifdef BUILD_IDG
+    DEFINES += -DNSSDEBUG
+endif
+
+#
+# To create a loadable module on Darwin, we must use -bundle.
+#
+ifeq ($(OS_TARGET),Darwin)
+DSO_LDOPTS := $(subst -dynamiclib,-bundle,$(DSO_LDOPTS))
+endif
diff --git a/security/nss/lib/ckfw/builtins/constants.c b/security/nss/lib/ckfw/builtins/constants.c
new file mode 100644
index 000000000..1491dc940
--- /dev/null
+++ b/security/nss/lib/ckfw/builtins/constants.c
@@ -0,0 +1,82 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * builtins/constants.c
+ *
+ * Identification and other constants, all collected here in one place.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+NSS_IMPLEMENT_DATA const CK_VERSION
+nss_builtins_CryptokiVersion = { 2, 1 };
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_builtins_ManufacturerID = (NSSUTF8 *) "Netscape Communications Corp.";
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_builtins_LibraryDescription = (NSSUTF8 *) "NSS Builtin Object Cryptoki Module";
+
+NSS_IMPLEMENT_DATA const CK_VERSION
+nss_builtins_LibraryVersion = { 1, 0 };
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_builtins_SlotDescription = (NSSUTF8 *) "";
+
+NSS_IMPLEMENT_DATA const CK_VERSION
+nss_builtins_HardwareVersion = { 1, 0 };
+
+NSS_IMPLEMENT_DATA const CK_VERSION
+nss_builtins_FirmwareVersion = { 1, 0 };
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_builtins_TokenLabel = (NSSUTF8 *) "Builtin Object Token";
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_builtins_TokenModel = (NSSUTF8 *) "1";
+
+/* should this be e.g. the certdata.txt RCS revision number? */
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_builtins_TokenSerialNumber = (NSSUTF8 *) "1";
+
diff --git a/security/nss/lib/ckfw/builtins/manifest.mn b/security/nss/lib/ckfw/builtins/manifest.mn
new file mode 100644
index 000000000..cc71a7194
--- /dev/null
+++ b/security/nss/lib/ckfw/builtins/manifest.mn
@@ -0,0 +1,55 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+CORE_DEPTH = ../../../..
+
+MODULE = security
+
+CSRCS =			\
+	anchor.c	\
+	constants.c	\
+	bfind.c		\
+	binst.c	\
+	bobject.c	\
+	bsession.c	\
+	bslot.c		\
+	btoken.c	\
+	certdata.c	\
+	$(NULL)
+
+REQUIRES = security nspr
+
+LIBRARY_NAME = nssckbi
+
+#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4
diff --git a/security/nss/lib/ckfw/ck.api b/security/nss/lib/ckfw/ck.api
new file mode 100644
index 000000000..6bae20fd3
--- /dev/null
+++ b/security/nss/lib/ckfw/ck.api
@@ -0,0 +1,571 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+# This file is in part derived from a file "pkcs11f.h" made available
+# by RSA Security at ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/pkcs11f.h
+
+CVS_ID "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+# Fields
+#  FUNCTION introduces a Cryptoki function
+#  CK_type specifies and introduces an argument
+#
+
+# General-purpose
+
+# C_Initialize initializes the Cryptoki library.
+FUNCTION C_Initialize
+CK_VOID_PTR pInitArgs   # if this is not NULL_PTR, it gets
+                        # cast to CK_C_INITIALIZE_ARGS_PTR
+                        # and dereferenced
+
+# C_Finalize indicates that an application is done with the
+# Cryptoki library.
+FUNCTION C_Finalize
+CK_VOID_PTR pReserved   # reserved.  Should be NULL_PTR
+
+# C_GetInfo returns general information about Cryptoki. 
+FUNCTION C_GetInfo
+CK_INFO_PTR pInfo       # location that receives information
+
+# C_GetFunctionList returns the function list. 
+FUNCTION C_GetFunctionList
+CK_FUNCTION_LIST_PTR_PTR ppFunctionList # receives pointer to function 
+                                        # list
+
+
+# Slot and token management 
+
+# C_GetSlotList obtains a list of slots in the system. 
+FUNCTION C_GetSlotList
+CK_BBOOL       tokenPresent # only slots with tokens? 
+CK_SLOT_ID_PTR pSlotList    # receives array of slot IDs 
+CK_ULONG_PTR   pulCount     # receives number of slots 
+
+# C_GetSlotInfo obtains information about a particular slot in the 
+# system.
+FUNCTION C_GetSlotInfo
+CK_SLOT_ID       slotID     # the ID of the slot 
+CK_SLOT_INFO_PTR pInfo      # receives the slot information 
+
+# C_GetTokenInfo obtains information about a particular token in the 
+# system. 
+FUNCTION C_GetTokenInfo
+CK_SLOT_ID        slotID    # ID of the token's slot 
+CK_TOKEN_INFO_PTR pInfo     # receives the token information 
+
+# C_GetMechanismList obtains a list of mechanism types supported by a 
+# token. 
+FUNCTION C_GetMechanismList
+CK_SLOT_ID            slotID            # ID of token's slot 
+CK_MECHANISM_TYPE_PTR pMechanismList    # gets mech. array 
+CK_ULONG_PTR          pulCount          # gets # of mechs. 
+
+# C_GetMechanismInfo obtains information about a particular mechanism 
+# possibly supported by a token. 
+FUNCTION C_GetMechanismInfo
+CK_SLOT_ID            slotID    # ID of the token's slot 
+CK_MECHANISM_TYPE     type      # type of mechanism 
+CK_MECHANISM_INFO_PTR pInfo     # receives mechanism info 
+
+# C_InitToken initializes a token. 
+FUNCTION C_InitToken
+CK_SLOT_ID  slotID      # ID of the token's slot 
+CK_CHAR_PTR pPin        # the SO's initial PIN 
+CK_ULONG    ulPinLen    # length in bytes of the PIN 
+CK_CHAR_PTR pLabel      # 32-byte token label (blank padded) 
+
+# C_InitPIN initializes the normal user's PIN. 
+FUNCTION C_InitPIN
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_CHAR_PTR       pPin      # the normal user's PIN 
+CK_ULONG          ulPinLen  # length in bytes of the PIN 
+
+# C_SetPIN modifies the PIN of the user who is logged in. 
+FUNCTION C_SetPIN
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_CHAR_PTR       pOldPin   # the old PIN 
+CK_ULONG          ulOldLen  # length of the old PIN 
+CK_CHAR_PTR       pNewPin   # the new PIN 
+CK_ULONG          ulNewLen  # length of the new PIN 
+
+
+# Session management 
+
+# C_OpenSession opens a session between an application and a token. 
+FUNCTION C_OpenSession
+CK_SLOT_ID            slotID        # the slot's ID 
+CK_FLAGS              flags         # from CK_SESSION_INFO 
+CK_VOID_PTR           pApplication  # passed to callback 
+CK_NOTIFY             Notify        # callback function 
+CK_SESSION_HANDLE_PTR phSession     # gets session handle 
+
+# C_CloseSession closes a session between an application and a token. 
+FUNCTION C_CloseSession
+CK_SESSION_HANDLE hSession  # the session's handle 
+
+# C_CloseAllSessions closes all sessions with a token. 
+FUNCTION C_CloseAllSessions
+CK_SLOT_ID slotID   # the token's slot 
+
+# C_GetSessionInfo obtains information about the session. 
+FUNCTION C_GetSessionInfo
+CK_SESSION_HANDLE   hSession    # the session's handle 
+CK_SESSION_INFO_PTR pInfo       # receives session info 
+
+# C_GetOperationState obtains the state of the cryptographic 
+# operation in a session. 
+FUNCTION C_GetOperationState
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pOperationState       # gets state 
+CK_ULONG_PTR      pulOperationStateLen  # gets state length 
+
+# C_SetOperationState restores the state of the cryptographic 
+# operation in a session. 
+FUNCTION C_SetOperationState
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR      pOperationState        # holds state 
+CK_ULONG         ulOperationStateLen    # holds state length 
+CK_OBJECT_HANDLE hEncryptionKey         # en/decryption key 
+CK_OBJECT_HANDLE hAuthenticationKey     # sign/verify key 
+
+# C_Login logs a user into a token. 
+FUNCTION C_Login
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_USER_TYPE      userType  # the user type 
+CK_CHAR_PTR       pPin      # the user's PIN 
+CK_ULONG          ulPinLen  # the length of the PIN 
+
+# C_Logout logs a user out from a token. 
+FUNCTION C_Logout
+CK_SESSION_HANDLE hSession  # the session's handle 
+
+
+# Object management 
+
+# C_CreateObject creates a new object. 
+FUNCTION C_CreateObject
+CK_SESSION_HANDLE    hSession   # the session's handle 
+CK_ATTRIBUTE_PTR     pTemplate  # the object's template 
+CK_ULONG             ulCount    # attributes in template 
+CK_OBJECT_HANDLE_PTR phObject   # gets new object's handle. 
+
+# C_CopyObject copies an object, creating a new object for the copy.
+FUNCTION C_CopyObject
+CK_SESSION_HANDLE    hSession       # the session's handle 
+CK_OBJECT_HANDLE     hObject        # the object's handle 
+CK_ATTRIBUTE_PTR     pTemplate      # template for new object 
+CK_ULONG             ulCount        # attributes in template 
+CK_OBJECT_HANDLE_PTR phNewObject    # receives handle of copy 
+
+# C_DestroyObject destroys an object. 
+FUNCTION C_DestroyObject
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_OBJECT_HANDLE  hObject   # the object's handle 
+
+# C_GetObjectSize gets the size of an object in bytes. 
+FUNCTION C_GetObjectSize
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_OBJECT_HANDLE  hObject   # the object's handle 
+CK_ULONG_PTR      pulSize   # receives size of object 
+
+# C_GetAttributeValue obtains the value of one or more object 
+# attributes. 
+FUNCTION C_GetAttributeValue
+CK_SESSION_HANDLE hSession    # the session's handle 
+CK_OBJECT_HANDLE  hObject     # the object's handle 
+CK_ATTRIBUTE_PTR  pTemplate   # specifies attrs; gets vals 
+CK_ULONG          ulCount     # attributes in template 
+
+# C_SetAttributeValue modifies the value of one or more object 
+# attributes 
+FUNCTION C_SetAttributeValue
+CK_SESSION_HANDLE hSession    # the session's handle 
+CK_OBJECT_HANDLE  hObject     # the object's handle 
+CK_ATTRIBUTE_PTR  pTemplate   # specifies attrs and values 
+CK_ULONG          ulCount     # attributes in template 
+
+# C_FindObjectsInit initializes a search for token and session 
+# objects that match a template. 
+FUNCTION C_FindObjectsInit
+CK_SESSION_HANDLE hSession    # the session's handle 
+CK_ATTRIBUTE_PTR  pTemplate   # attribute values to match 
+CK_ULONG          ulCount     # attrs in search template 
+
+# C_FindObjects continues a search for token and session objects that 
+# match a template, obtaining additional object handles. 
+FUNCTION C_FindObjects
+CK_SESSION_HANDLE    hSession           # session's handle 
+CK_OBJECT_HANDLE_PTR phObject           # gets obj. handles 
+CK_ULONG             ulMaxObjectCount   # max handles to get 
+CK_ULONG_PTR         pulObjectCount     # actual # returned 
+
+# C_FindObjectsFinal finishes a search for token and session objects. 
+FUNCTION C_FindObjectsFinal
+CK_SESSION_HANDLE hSession  # the session's handle 
+
+
+# Encryption and decryption 
+
+# C_EncryptInit initializes an encryption operation. 
+FUNCTION C_EncryptInit
+CK_SESSION_HANDLE hSession    # the session's handle 
+CK_MECHANISM_PTR  pMechanism  # the encryption mechanism 
+CK_OBJECT_HANDLE  hKey        # handle of encryption key 
+
+# C_Encrypt encrypts single-part data. 
+FUNCTION C_Encrypt
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pData                 # the plaintext data 
+CK_ULONG          ulDataLen             # bytes of plaintext 
+CK_BYTE_PTR       pEncryptedData        # gets ciphertext 
+CK_ULONG_PTR      pulEncryptedDataLen   # gets c-text size 
+
+# C_EncryptUpdate continues a multiple-part encryption operation. 
+FUNCTION C_EncryptUpdate
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pPart                 # the plaintext data 
+CK_ULONG          ulPartLen             # plaintext data len 
+CK_BYTE_PTR       pEncryptedPart        # gets ciphertext 
+CK_ULONG_PTR      pulEncryptedPartLen   # gets c-text size 
+
+# C_EncryptFinal finishes a multiple-part encryption operation. 
+FUNCTION C_EncryptFinal
+CK_SESSION_HANDLE hSession                  # session handle 
+CK_BYTE_PTR       pLastEncryptedPart        # last c-text 
+CK_ULONG_PTR      pulLastEncryptedPartLen   # gets last size 
+
+# C_DecryptInit initializes a decryption operation. 
+FUNCTION C_DecryptInit
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_MECHANISM_PTR  pMechanism    # the decryption mechanism 
+CK_OBJECT_HANDLE  hKey          # handle of decryption key 
+
+# C_Decrypt decrypts encrypted data in a single part. 
+FUNCTION C_Decrypt
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pEncryptedData        # ciphertext 
+CK_ULONG          ulEncryptedDataLen    # ciphertext length 
+CK_BYTE_PTR       pData                 # gets plaintext 
+CK_ULONG_PTR      pulDataLen            # gets p-text size 
+
+# C_DecryptUpdate continues a multiple-part decryption operation. 
+FUNCTION C_DecryptUpdate
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pEncryptedPart        # encrypted data 
+CK_ULONG          ulEncryptedPartLen    # input length 
+CK_BYTE_PTR       pPart                 # gets plaintext 
+CK_ULONG_PTR      pulPartLen            # p-text size 
+
+# C_DecryptFinal finishes a multiple-part decryption operation. 
+FUNCTION C_DecryptFinal
+CK_SESSION_HANDLE hSession          # the session's handle 
+CK_BYTE_PTR       pLastPart         # gets plaintext 
+CK_ULONG_PTR      pulLastPartLen    # p-text size 
+
+
+# Message digesting 
+
+# C_DigestInit initializes a message-digesting operation. 
+FUNCTION C_DigestInit
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_MECHANISM_PTR  pMechanism    # the digesting mechanism 
+
+# C_Digest digests data in a single part. 
+FUNCTION C_Digest
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_BYTE_PTR       pData         # data to be digested 
+CK_ULONG          ulDataLen     # bytes of data to digest 
+CK_BYTE_PTR       pDigest       # gets the message digest 
+CK_ULONG_PTR      pulDigestLen  # gets digest length 
+
+# C_DigestUpdate continues a multiple-part message-digesting operation.
+FUNCTION C_DigestUpdate
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_BYTE_PTR       pPart     # data to be digested 
+CK_ULONG          ulPartLen # bytes of data to be digested 
+
+# C_DigestKey continues a multi-part message-digesting operation, by 
+# digesting the value of a secret key as part of the data already 
+# digested. 
+FUNCTION C_DigestKey
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_OBJECT_HANDLE  hKey      # secret key to digest 
+
+# C_DigestFinal finishes a multiple-part message-digesting operation. 
+FUNCTION C_DigestFinal
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_BYTE_PTR       pDigest       # gets the message digest 
+CK_ULONG_PTR      pulDigestLen  # gets byte count of digest 
+
+
+# Signing and MACing 
+
+# C_SignInit initializes a signature (private key encryption) 
+# operation, where the signature is (will be) an appendix to the 
+# data, and plaintext cannot be recovered from the signature. 
+FUNCTION C_SignInit
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_MECHANISM_PTR  pMechanism    # the signature mechanism 
+CK_OBJECT_HANDLE  hKey          # handle of signature key 
+
+# C_Sign signs (encrypts with private key) data in a single part, 
+# where the signature is (will be) an appendix to the data, and 
+# plaintext cannot be recovered from the signature. 
+FUNCTION C_Sign
+CK_SESSION_HANDLE hSession          # the session's handle 
+CK_BYTE_PTR       pData             # the data to sign 
+CK_ULONG          ulDataLen         # count of bytes to sign 
+CK_BYTE_PTR       pSignature        # gets the signature 
+CK_ULONG_PTR      pulSignatureLen   # gets signature length 
+
+# C_SignUpdate continues a multiple-part signature operation, where 
+# the signature is (will be) an appendix to the data, and plaintext 
+# cannot be recovered from the signature. 
+FUNCTION C_SignUpdate
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_BYTE_PTR       pPart     # the data to sign 
+CK_ULONG          ulPartLen # count of bytes to sign 
+
+# C_SignFinal finishes a multiple-part signature operation, returning 
+# the signature. 
+FUNCTION C_SignFinal
+CK_SESSION_HANDLE hSession          # the session's handle 
+CK_BYTE_PTR       pSignature        # gets the signature 
+CK_ULONG_PTR      pulSignatureLen   # gets signature length 
+
+# C_SignRecoverInit initializes a signature operation, where the data 
+# can be recovered from the signature. 
+FUNCTION C_SignRecoverInit
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_MECHANISM_PTR  pMechanism    # the signature mechanism 
+CK_OBJECT_HANDLE  hKey          # handle of the signature key 
+
+# C_SignRecover signs data in a single operation, where the data can 
+# be recovered from the signature. 
+FUNCTION C_SignRecover
+CK_SESSION_HANDLE hSession          # the session's handle 
+CK_BYTE_PTR       pData             # the data to sign 
+CK_ULONG          ulDataLen         # count of bytes to sign 
+CK_BYTE_PTR       pSignature        # gets the signature 
+CK_ULONG_PTR      pulSignatureLen   # gets signature length 
+
+
+# Verifying signatures and MACs 
+
+# C_VerifyInit initializes a verification operation, where the 
+# signature is an appendix to the data, and plaintext cannot cannot 
+# be recovered from the signature (e.g. DSA). 
+FUNCTION C_VerifyInit
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_MECHANISM_PTR  pMechanism    # the verification mechanism 
+CK_OBJECT_HANDLE  hKey          # verification key  
+
+# C_Verify verifies a signature in a single-part operation, where the 
+# signature is an appendix to the data, and plaintext cannot be 
+# recovered from the signature. 
+FUNCTION C_Verify
+CK_SESSION_HANDLE hSession          # the session's handle 
+CK_BYTE_PTR       pData             # signed data 
+CK_ULONG          ulDataLen         # length of signed data 
+CK_BYTE_PTR       pSignature        # signature 
+CK_ULONG          ulSignatureLen    # signature length
+
+# C_VerifyUpdate continues a multiple-part verification operation, 
+# where the signature is an appendix to the data, and plaintext cannot be 
+# recovered from the signature. 
+FUNCTION C_VerifyUpdate
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_BYTE_PTR       pPart     # signed data 
+CK_ULONG          ulPartLen # length of signed data 
+
+# C_VerifyFinal finishes a multiple-part verification operation, 
+# checking the signature. 
+FUNCTION C_VerifyFinal
+CK_SESSION_HANDLE hSession          # the session's handle 
+CK_BYTE_PTR       pSignature        # signature to verify 
+CK_ULONG          ulSignatureLen    # signature length 
+
+# C_VerifyRecoverInit initializes a signature verification operation, 
+# where the data is recovered from the signature. 
+FUNCTION C_VerifyRecoverInit
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_MECHANISM_PTR  pMechanism    # the verification mechanism 
+CK_OBJECT_HANDLE  hKey          # verification key 
+
+# C_VerifyRecover verifies a signature in a single-part operation, 
+# where the data is recovered from the signature. 
+FUNCTION C_VerifyRecover
+CK_SESSION_HANDLE hSession          # the session's handle 
+CK_BYTE_PTR       pSignature        # signature to verify 
+CK_ULONG          ulSignatureLen    # signature length 
+CK_BYTE_PTR       pData             # gets signed data 
+CK_ULONG_PTR      pulDataLen        # gets signed data len 
+
+
+# Dual-function cryptographic operations 
+
+# C_DigestEncryptUpdate continues a multiple-part digesting and 
+# encryption operation. 
+FUNCTION C_DigestEncryptUpdate
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pPart                 # the plaintext data 
+CK_ULONG          ulPartLen             # plaintext length 
+CK_BYTE_PTR       pEncryptedPart        # gets ciphertext 
+CK_ULONG_PTR      pulEncryptedPartLen   # gets c-text length 
+
+# C_DecryptDigestUpdate continues a multiple-part decryption and 
+# digesting operation. 
+FUNCTION C_DecryptDigestUpdate
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pEncryptedPart        # ciphertext 
+CK_ULONG          ulEncryptedPartLen    # ciphertext length 
+CK_BYTE_PTR       pPart                 # gets plaintext 
+CK_ULONG_PTR      pulPartLen            # gets plaintext len 
+
+# C_SignEncryptUpdate continues a multiple-part signing and 
+# encryption operation. 
+FUNCTION C_SignEncryptUpdate
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pPart                 # the plaintext data 
+CK_ULONG          ulPartLen             # plaintext length 
+CK_BYTE_PTR       pEncryptedPart        # gets ciphertext 
+CK_ULONG_PTR      pulEncryptedPartLen   # gets c-text length 
+
+# C_DecryptVerifyUpdate continues a multiple-part decryption and 
+# verify operation. 
+FUNCTION C_DecryptVerifyUpdate
+CK_SESSION_HANDLE hSession              # session's handle 
+CK_BYTE_PTR       pEncryptedPart        # ciphertext 
+CK_ULONG          ulEncryptedPartLen    # ciphertext length 
+CK_BYTE_PTR       pPart                 # gets plaintext 
+CK_ULONG_PTR      pulPartLen            # gets p-text length 
+
+
+# Key management 
+
+# C_GenerateKey generates a secret key, creating a new key object. 
+FUNCTION C_GenerateKey
+CK_SESSION_HANDLE    hSession   # the session's handle 
+CK_MECHANISM_PTR     pMechanism # key generation mech. 
+CK_ATTRIBUTE_PTR     pTemplate  # template for new key 
+CK_ULONG             ulCount    # # of attrs in template 
+CK_OBJECT_HANDLE_PTR phKey      # gets handle of new key 
+
+# C_GenerateKeyPair generates a public-key/private-key pair, creating 
+# new key objects. 
+FUNCTION C_GenerateKeyPair
+CK_SESSION_HANDLE    hSession                   # session handle
+CK_MECHANISM_PTR     pMechanism                 # key-gen mech.
+CK_ATTRIBUTE_PTR     pPublicKeyTemplate         # template for pub. key
+CK_ULONG             ulPublicKeyAttributeCount  # # pub. attrs.
+CK_ATTRIBUTE_PTR     pPrivateKeyTemplate        # template for priv. key
+CK_ULONG             ulPrivateKeyAttributeCount # # priv. attrs.
+CK_OBJECT_HANDLE_PTR phPublicKey                # gets pub. key handle
+CK_OBJECT_HANDLE_PTR phPrivateKey               # gets priv. key handle
+
+# C_WrapKey wraps (i.e., encrypts) a key. 
+FUNCTION C_WrapKey
+CK_SESSION_HANDLE hSession         # the session's handle 
+CK_MECHANISM_PTR  pMechanism       # the wrapping mechanism 
+CK_OBJECT_HANDLE  hWrappingKey     # wrapping key 
+CK_OBJECT_HANDLE  hKey             # key to be wrapped 
+CK_BYTE_PTR       pWrappedKey      # gets wrapped key 
+CK_ULONG_PTR      pulWrappedKeyLen # gets wrapped key size 
+
+# C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new key 
+# object. 
+FUNCTION C_UnwrapKey
+CK_SESSION_HANDLE    hSession           # session's handle 
+CK_MECHANISM_PTR     pMechanism         # unwrapping mech. 
+CK_OBJECT_HANDLE     hUnwrappingKey     # unwrapping key 
+CK_BYTE_PTR          pWrappedKey        # the wrapped key 
+CK_ULONG             ulWrappedKeyLen    # wrapped key len 
+CK_ATTRIBUTE_PTR     pTemplate          # new key template 
+CK_ULONG             ulAttributeCount   # template length 
+CK_OBJECT_HANDLE_PTR phKey              # gets new handle 
+
+# C_DeriveKey derives a key from a base key, creating a new key object.
+FUNCTION C_DeriveKey
+CK_SESSION_HANDLE    hSession           # session's handle 
+CK_MECHANISM_PTR     pMechanism         # key deriv. mech. 
+CK_OBJECT_HANDLE     hBaseKey           # base key 
+CK_ATTRIBUTE_PTR     pTemplate          # new key template 
+CK_ULONG             ulAttributeCount   # template length 
+CK_OBJECT_HANDLE_PTR phKey              # gets new handle 
+
+
+# Random number generation 
+
+# C_SeedRandom mixes additional seed material into the token's random 
+# number generator. 
+FUNCTION C_SeedRandom
+CK_SESSION_HANDLE hSession  # the session's handle 
+CK_BYTE_PTR       pSeed     # the seed material 
+CK_ULONG          ulSeedLen # length of seed material 
+
+# C_GenerateRandom generates random data. 
+FUNCTION C_GenerateRandom
+CK_SESSION_HANDLE hSession      # the session's handle 
+CK_BYTE_PTR       RandomData    # receives the random data 
+CK_ULONG          ulRandomLen   # # of bytes to generate 
+
+
+# Parallel function management 
+
+# C_GetFunctionStatus is a legacy function; it obtains an updated 
+# status of a function running in parallel with an application.
+FUNCTION C_GetFunctionStatus
+CK_SESSION_HANDLE hSession  # the session's handle 
+
+# C_CancelFunction is a legacy function; it cancels a function running 
+# in parallel. 
+FUNCTION C_CancelFunction
+CK_SESSION_HANDLE hSession  # the session's handle 
+
+
+# Functions added in for Cryptoki Version 2.01 or later 
+
+# C_WaitForSlotEvent waits for a slot event (token insertion, removal, 
+# etc.) to occur. 
+FUNCTION C_WaitForSlotEvent
+CK_FLAGS       flags    # blocking/nonblocking flag 
+CK_SLOT_ID_PTR pSlot    # location that receives the slot ID 
+CK_VOID_PTR    pRserved # reserved.  Should be NULL_PTR 
+
+## C_ConfigureSlot passes an installation-specified bytestring to a 
+## slot. 
+#FUNCTION C_ConfigureSlot
+#CK_SLOT_ID slotID      # the slot to configure 
+#CK_BYTE_PTR pConfig    # the configuration string 
+#CK_ULONG ulConfigLen   # length of the config string 
diff --git a/security/nss/lib/ckfw/ck.h b/security/nss/lib/ckfw/ck.h
new file mode 100644
index 000000000..04df10656
--- /dev/null
+++ b/security/nss/lib/ckfw/ck.h
@@ -0,0 +1,121 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef CK_H
+#define CK_H
+
+#ifdef DEBUG
+static const char CK_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * ck.h
+ *
+ * This header file consolidates all header files needed by the source
+ * files implementing the NSS Cryptoki Framework.  This makes managing
+ * the source files a bit easier.
+ */
+
+/* Types */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCKFT_H
+#include "nssckft.h"
+#endif /* NSSCKFT_H */
+
+#ifndef NSSCKEPV_H
+#include "nssckepv.h"
+#endif /* NSSCKEPV_H */
+
+#ifndef NSSCKFWT_H
+#include "nssckfwt.h"
+#endif /* NSSCKFWT_H */
+
+#ifndef NSSCKMDT_H
+#include "nssckmdt.h"
+#endif /* NSSCKMDT_H */
+
+#ifndef CKT_H
+#include "ckt.h"
+#endif /* CKT_H */
+
+#ifndef CKFWTM_H
+#include "ckfwtm.h"
+#endif /* CKFWTM_H */
+
+/* Prototypes */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef NSSCKG_H
+#include "nssckg.h"
+#endif /* NSSCKG_H */
+
+#ifndef NSSCKFW_H
+#include "nssckfw.h"
+#endif /* NSSCKFW_H */
+
+#ifndef NSSCKFWC_H
+#include "nssckfwc.h"
+#endif /* NSSCKFWC_H */
+
+#ifndef CKFW_H
+#include "ckfw.h"
+#endif /* CKFW_H */
+
+#ifndef CKFWM_H
+#include "ckfwm.h"
+#endif /* CKFWM_H */
+
+#ifndef CKMD_H
+#include "ckmd.h"
+#endif /* CKMD_H */
+
+/* NSS-private */
+
+/* nss_ZNEW and the like.  We might want to publish the memory APIs.. */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#endif /* CK_H */
diff --git a/security/nss/lib/ckfw/ckapi.perl b/security/nss/lib/ckfw/ckapi.perl
new file mode 100644
index 000000000..baad8c52f
--- /dev/null
+++ b/security/nss/lib/ckfw/ckapi.perl
@@ -0,0 +1,510 @@
+#!perl
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+$cvs_id = '@(#) $RCSfile$ $Revision$ $Date$ $Name$';
+
+$copyright = '/* THIS IS A GENERATED FILE */
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+';
+
+$count = -1;
+$i = 0;
+
+open(INPUT, "<$ARGV[0]") || die "Can't open $ARGV[0]: $!";
+
+while(<INPUT>) {
+  s/^((?:[^"#]+|"[^"]*")*)(\s*#.*$)/$1/;
+  next if (/^\s*$/);
+
+#  print;
+
+  /^([\S]+)\s+([^"][\S]*|"[^"]*")/;
+  $name = $1;
+  $value = $2;
+
+  if( ($name =~ "FUNCTION") && !($name =~ "CK_FUNCTION") ) {
+    $count++;
+    $x[$count]{name} = $value;
+    $i = 0;
+  } else {
+    if( $count < 0 ) {
+      $value =~ s/"//g;
+      $g{$name} = $value;
+    } else {
+      $x[$count]{args}[$i]{type} = $name;
+      $x[$count]{args}[$i]{name} = $value;
+      $i++;
+      $x[$count]{nargs} = $i; # rewritten each time, oh well
+    }
+  }
+}
+
+close INPUT;
+
+# dodump();
+doprint();
+
+sub dodump {
+  for( $j = 0; $j <= $count; $j++ ) {
+    print "CK_RV CK_ENTRY $x[$j]{name}\n";
+    for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
+      print "  $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
+      if( $i == ($x[$j]{nargs} - 1) ) {
+        print "\n";
+      } else {
+        print ",\n";
+      }
+    }
+  }
+}
+
+sub doprint {
+open(PROTOTYPE, ">nssckg.h") || die "Can't open nssckg.h: $!";
+open(TYPEDEF, ">nssckft.h") || die "Can't open nssckft.h: $!";
+open(EPV, ">nssckepv.h") || die "Can't open nssckepv.h: $!";
+open(API, ">nssck.api") || die "Can't open nssck.api: $!";
+
+select PROTOTYPE;
+
+print $copyright;
+print <<EOD
+#ifndef NSSCKG_H
+#define NSSCKG_H
+
+#ifdef DEBUG
+static const char NSSCKG_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
+#endif /* DEBUG */
+
+/*
+ * nssckg.h
+ *
+ * This automatically-generated header file prototypes the Cryptoki
+ * functions specified by PKCS#11.
+ */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+EOD
+    ;
+
+for( $j = 0; $j <= $count; $j++ ) {
+  print "CK_RV CK_ENTRY $x[$j]{name}\n";
+  print "(\n";
+  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
+    print "  $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
+    if( $i == ($x[$j]{nargs} - 1) ) {
+      print "\n";
+    } else {
+      print ",\n";
+    }
+  }
+  print ");\n\n";
+}
+
+print <<EOD
+#endif /* NSSCKG_H */
+EOD
+    ;
+
+select TYPEDEF;
+
+print $copyright;
+print <<EOD
+#ifndef NSSCKFT_H
+#define NSSCKFT_H
+
+#ifdef DEBUG
+static const char NSSCKFT_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
+#endif /* DEBUG */
+
+/*
+ * nssckft.h
+ *
+ * The automatically-generated header file declares a typedef
+ * each of the Cryptoki functions specified by PKCS#11.
+ */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+EOD
+    ;
+
+for( $j = 0; $j <= $count; $j++ ) {
+#  print "typedef CK_RV (CK_ENTRY *CK_$x[$j]{name})(\n";
+  print "typedef CK_CALLBACK_FUNCTION(CK_RV, CK_$x[$j]{name})(\n";
+  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
+    print "  $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
+    if( $i == ($x[$j]{nargs} - 1) ) {
+      print "\n";
+    } else {
+      print ",\n";
+    }
+  }
+  print ");\n\n";
+}
+
+print <<EOD
+#endif /* NSSCKFT_H */
+EOD
+    ;
+
+select EPV;
+
+print $copyright;
+print <<EOD
+#ifndef NSSCKEPV_H
+#define NSSCKEPV_H
+
+#ifdef DEBUG
+static const char NSSCKEPV_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
+#endif /* DEBUG */
+
+/*
+ * nssckepv.h
+ *
+ * This automatically-generated header file defines the type
+ * CK_FUNCTION_LIST specified by PKCS#11.
+ */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCKFT_H
+#include "nssckft.h"
+#endif /* NSSCKFT_H */
+
+#include "nssckp.h"
+
+struct CK_FUNCTION_LIST {
+  CK_VERSION version;
+EOD
+    ;
+
+for( $j = 0; $j <= $count; $j++ ) {
+  print "  CK_$x[$j]{name} $x[$j]{name};\n";
+}
+
+print <<EOD
+};
+
+#include "nsscku.h"
+
+#endif /* NSSCKEPV_H */
+EOD
+    ;
+
+select API;
+
+print $copyright;
+print <<EOD
+
+#ifdef DEBUG
+static const char NSSCKAPI_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
+#endif /* DEBUG */
+
+/*
+ * nssck.api
+ *
+ * This automatically-generated file is used to generate a set of
+ * Cryptoki entry points within the object space of a Module using
+ * the NSS Cryptoki Framework.
+ *
+ * The Module should have a .c file with the following:
+ *
+ *  #define MODULE_NAME name
+ *  #define INSTANCE_NAME instance
+ *  #include "nssck.api"
+ *
+ * where "name" is some module-specific name that can be used to
+ * disambiguate various modules.  This included file will then
+ * define the actual Cryptoki routines which pass through to the
+ * Framework calls.  All routines, except C_GetFunctionList, will
+ * be prefixed with the name; C_GetFunctionList will be generated
+ * to return an entry-point vector with these routines.  The
+ * instance specified should be the basic instance of NSSCKMDInstance.
+ *
+ * If, prior to including nssck.api, the .c file also specifies
+ *
+ *  #define DECLARE_STRICT_CRYTPOKI_NAMES
+ *
+ * Then a set of "stub" routines not prefixed with the name will
+ * be included.  This would allow the combined module and framework
+ * to be used in applications which are hard-coded to use the
+ * PKCS#11 names (instead of going through the EPV).  Please note
+ * that such applications should be careful resolving symbols when
+ * more than one PKCS#11 module is loaded.
+ */
+
+#ifndef MODULE_NAME
+#error "Error: MODULE_NAME must be defined."
+#endif /* MODULE_NAME */
+
+#ifndef INSTANCE_NAME
+#error "Error: INSTANCE_NAME must be defined."
+#endif /* INSTANCE_NAME */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCKFWT_H
+#include "nssckfwt.h"
+#endif /* NSSCKFWT_H */
+
+#ifndef NSSCKFWC_H
+#include "nssckfwc.h"
+#endif /* NSSCKFWC_H */
+
+#ifndef NSSCKEPV_H
+#include "nssckepv.h"
+#endif /* NSSCKEPV_H */
+
+#define __ADJOIN(x,y) x##y
+
+/*
+ * The anchor.  This object is used to store an "anchor" pointer in
+ * the Module's object space, so the wrapper functions can relate
+ * back to this instance.
+ */
+
+static NSSCKFWInstance *fwInstance = (NSSCKFWInstance *)0;
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Initialize)
+(
+  CK_VOID_PTR pInitArgs
+)
+{
+  return NSSCKFWC_Initialize(&fwInstance, INSTANCE_NAME, pInitArgs);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY 
+C_Initialize
+(
+  CK_VOID_PTR pInitArgs
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Initialize)(pInitArgs);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Finalize)
+(
+  CK_VOID_PTR pReserved
+)
+{
+  return NSSCKFWC_Finalize(&fwInstance);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_Finalize
+(
+  CK_VOID_PTR pReserved
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Finalize)(pReserved);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetInfo)
+(
+  CK_INFO_PTR pInfo
+)
+{
+  return NSSCKFWC_GetInfo(fwInstance, pInfo);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetInfo
+(
+  CK_INFO_PTR pInfo
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetInfo)(pInfo);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+/*
+ * C_GetFunctionList is defined at the end.
+ */
+
+EOD
+    ;
+
+for( $j = 4; $j <= $count; $j++ ) {
+  print "CK_RV CK_ENTRY\n";
+  print "__ADJOIN(MODULE_NAME,$x[$j]{name})\n";
+  print "(\n";
+  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
+    print "  $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
+    if( $i == ($x[$j]{nargs} - 1) ) {
+      print "\n";
+    } else {
+      print ",\n";
+    }
+  }
+  print ")\n";
+  print "{\n";
+  print "  return NSSCKFW$x[$j]{name}(fwInstance, ";
+  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
+    print "$x[$j]{args}[$i]{name}";
+    if( $i == ($x[$j]{nargs} - 1) ) {
+      print ");\n";
+    } else {
+      print ", ";
+    }
+  }
+  print "}\n\n";
+
+  print "#ifdef DECLARE_STRICT_CRYPTOKI_NAMES\n";
+  print "CK_RV CK_ENTRY\n";
+  print "$x[$j]{name}\n";
+  print "(\n";
+  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
+    print "  $x[$j]{args}[$i]{type} $x[$j]{args}[$i]{name}";
+    if( $i == ($x[$j]{nargs} - 1) ) {
+      print "\n";
+    } else {
+      print ",\n";
+    }
+  }
+  print ")\n";
+  print "{\n";
+  print "  return __ADJOIN(MODULE_NAME,$x[$j]{name})(";
+  for( $i = 0; $i < $x[$j]{nargs}; $i++ ) {
+    print "$x[$j]{args}[$i]{name}";
+    if( $i == ($x[$j]{nargs} - 1) ) {
+      print ");\n";
+    } else {
+      print ", ";
+    }
+  }
+  print "}\n";
+  print "#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */\n\n";
+}
+
+print <<EOD
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetFunctionList)
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
+);
+
+static CK_FUNCTION_LIST FunctionList = {
+  { 2, 1 },
+EOD
+    ;
+
+for( $j = 0; $j <= $count; $j++ ) {
+  print "__ADJOIN(MODULE_NAME,$x[$j]{name})";
+  if( $j < $count ) {
+    print ",\n";
+  } else {
+    print "\n};\n\n";
+  }
+}
+
+print <<EOD
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetFunctionList)
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
+)
+{
+  *ppFunctionList = &FunctionList;
+  return CKR_OK;
+}
+
+/* This one is always present */
+#ifdef WIN32
+CK_RV _declspec(dllexport)
+#else
+CK_RV CK_ENTRY
+#endif
+C_GetFunctionList
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList);
+}
+
+#undef __ADJOIN
+
+EOD
+    ;
+
+select STDOUT;
+
+}
diff --git a/security/nss/lib/ckfw/ckfw.h b/security/nss/lib/ckfw/ckfw.h
new file mode 100644
index 000000000..2e83f8c35
--- /dev/null
+++ b/security/nss/lib/ckfw/ckfw.h
@@ -0,0 +1,1858 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef CKFW_H
+#define CKFW_H
+
+#ifdef DEBUG
+static const char CKFW_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * ckfw.h
+ *
+ * This file prototypes the private calls of the NSS Cryptoki Framework.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCKFWT_H
+#include "nssckfwt.h"
+#endif /* NSSCKFWT_H */
+
+#ifndef NSSCKMDT_H
+#include "nssckmdt.h"
+#endif /* NSSCKMDT_H */
+
+/*
+ * NSSCKFWInstance
+ *
+ *  -- create/destroy --
+ *  nssCKFWInstance_Create
+ *  nssCKFWInstance_Destroy
+ *
+ *  -- implement public accessors --
+ *  nssCKFWInstance_GetMDInstance
+ *  nssCKFWInstance_GetArena
+ *  nssCKFWInstance_MayCreatePthreads
+ *  nssCKFWInstance_CreateMutex
+ *  nssCKFWInstance_GetConfigurationData
+ *
+ *  -- private accessors --
+ *  nssCKFWInstance_CreateSessionHandle
+ *  nssCKFWInstance_ResolveSessionHandle
+ *  nssCKFWInstance_DestroySessionHandle
+ *  nssCKFWInstance_FindSessionHandle
+ *  nssCKFWInstance_CreateObjectHandle
+ *  nssCKFWInstance_ResolveObjectHandle
+ *  nssCKFWInstance_DestroyObjectHandle
+ *  nssCKFWInstance_FindObjectHandle
+ *
+ *  -- module fronts --
+ *  nssCKFWInstance_GetNSlots
+ *  nssCKFWInstance_GetCryptokiVersion
+ *  nssCKFWInstance_GetManufacturerID
+ *  nssCKFWInstance_GetFlags
+ *  nssCKFWInstance_GetLibraryDescription
+ *  nssCKFWInstance_GetLibraryVersion
+ *  nssCKFWInstance_GetModuleHandlesSessionObjects
+ *  nssCKFWInstance_GetSlots
+ *  nssCKFWInstance_WaitForSlotEvent
+ *
+ *  -- debugging versions only --
+ *  nssCKFWInstance_verifyPointer
+ */
+
+/*
+ * nssCKFWInstance_Create
+ *
+ */
+NSS_EXTERN NSSCKFWInstance *
+nssCKFWInstance_Create
+(
+  CK_C_INITIALIZE_ARGS_PTR pInitArgs,
+  NSSCKMDInstance *mdInstance,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWInstance_Destroy
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWInstance_Destroy
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * nssCKFWInstance_GetMDInstance
+ *
+ */
+NSS_EXTERN NSSCKMDInstance *
+nssCKFWInstance_GetMDInstance
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * nssCKFWInstance_GetArena
+ *
+ */
+NSS_EXTERN NSSArena *
+nssCKFWInstance_GetArena
+(
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWInstance_MayCreatePthreads
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWInstance_MayCreatePthreads
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * nssCKFWInstance_CreateMutex
+ *
+ */
+NSS_EXTERN NSSCKFWMutex *
+nssCKFWInstance_CreateMutex
+(
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWInstance_GetConfigurationData
+ *
+ */
+NSS_EXTERN NSSUTF8 *
+nssCKFWInstance_GetConfigurationData
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * nssCKFWInstance_CreateSessionHandle
+ *
+ */
+NSS_EXTERN CK_SESSION_HANDLE
+nssCKFWInstance_CreateSessionHandle
+(
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWInstance_ResolveSessionHandle
+ *
+ */
+NSS_EXTERN NSSCKFWSession *
+nssCKFWInstance_ResolveSessionHandle
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+);
+
+/*
+ * nssCKFWInstance_DestroySessionHandle
+ *
+ */
+NSS_EXTERN void
+nssCKFWInstance_DestroySessionHandle
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+);
+
+/*
+ * nssCKFWInstance_FindSessionHandle
+ *
+ */
+NSS_EXTERN CK_SESSION_HANDLE
+nssCKFWInstance_FindSessionHandle
+(
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * nssCKFWInstance_CreateObjectHandle
+ *
+ */
+NSS_EXTERN CK_OBJECT_HANDLE
+nssCKFWInstance_CreateObjectHandle
+(
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWInstance_FindObjectHandle
+ *
+ */
+NSS_EXTERN CK_OBJECT_HANDLE
+nssCKFWInstance_FindObjectHandle
+(
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWObject *fwObject
+);
+
+/*
+ * nssCKFWInstance_ResolveObjectHandle
+ *
+ */
+NSS_EXTERN NSSCKFWObject *
+nssCKFWInstance_ResolveObjectHandle
+(
+  NSSCKFWInstance *fwInstance,
+  CK_OBJECT_HANDLE hObject
+);
+
+/*
+ * nssCKFWInstance_ReassignObjectHandle
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWInstance_ReassignObjectHandle
+(
+  NSSCKFWInstance *fwInstance,
+  CK_OBJECT_HANDLE hObject,
+  NSSCKFWObject *fwObject
+);
+
+/*
+ * nssCKFWInstance_DestroyObjectHandle
+ *
+ */
+NSS_EXTERN void
+nssCKFWInstance_DestroyObjectHandle
+(
+  NSSCKFWInstance *fwInstance,
+  CK_OBJECT_HANDLE hObject
+);
+
+/*
+ * nssCKFWInstance_FindObjectHandle
+ *
+ */
+NSS_IMPLEMENT CK_OBJECT_HANDLE
+nssCKFWInstance_FindObjectHandle
+(
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWObject *fwObject
+);
+
+/*
+ * nssCKFWInstance_GetNSlots
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWInstance_GetNSlots
+(
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWInstance_GetCryptokiVersion
+ *
+ */
+NSS_EXTERN CK_VERSION
+nssCKFWInstance_GetCryptokiVersion
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * nssCKFWInstance_GetManufacturerID
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWInstance_GetManufacturerID
+(
+  NSSCKFWInstance *fwInstance,
+  CK_CHAR manufacturerID[32]
+);
+
+/*
+ * nssCKFWInstance_GetFlags
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWInstance_GetFlags
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * nssCKFWInstance_GetLibraryDescription
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWInstance_GetLibraryDescription
+(
+  NSSCKFWInstance *fwInstance,
+  CK_CHAR libraryDescription[32]
+);
+
+/*
+ * nssCKFWInstance_GetLibraryVersion
+ *
+ */
+NSS_EXTERN CK_VERSION
+nssCKFWInstance_GetLibraryVersion
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * nssCKFWInstance_GetModuleHandlesSessionObjects
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWInstance_GetModuleHandlesSessionObjects
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * nssCKFWInstance_GetSlots
+ *
+ */
+NSS_EXTERN NSSCKFWSlot **
+nssCKFWInstance_GetSlots
+(
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWInstance_WaitForSlotEvent
+ *
+ */
+NSS_EXTERN NSSCKFWSlot *
+nssCKFWInstance_WaitForSlotEvent
+(
+  NSSCKFWInstance *fwInstance,
+  CK_BBOOL block,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWInstance_verifyPointer
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWInstance_verifyPointer
+(
+  const NSSCKFWInstance *fwInstance
+);
+
+
+/*
+ * NSSCKFWSlot
+ *
+ *  -- create/destroy --
+ *  nssCKFWSlot_Create
+ *  nssCKFWSlot_Destroy
+ *
+ *  -- implement public accessors --
+ *  nssCKFWSlot_GetMDSlot
+ *  nssCKFWSlot_GetFWInstance
+ *  nssCKFWSlot_GetMDInstance
+ *
+ *  -- private accessors --
+ *  nssCKFWSlot_GetSlotID
+ *
+ *  -- module fronts --
+ *  nssCKFWSlot_GetSlotDescription
+ *  nssCKFWSlot_GetManufacturerID
+ *  nssCKFWSlot_GetTokenPresent
+ *  nssCKFWSlot_GetRemovableDevice
+ *  nssCKFWSlot_GetHardwareSlot
+ *  nssCKFWSlot_GetHardwareVersion
+ *  nssCKFWSlot_GetFirmwareVersion
+ *  nssCKFWSlot_GetToken
+ */
+
+/*
+ * nssCKFWSlot_Create
+ *
+ */
+NSS_EXTERN NSSCKFWSlot *
+nssCKFWSlot_Create
+(
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDSlot *mdSlot,
+  CK_SLOT_ID slotID,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWSlot_Destroy
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSlot_Destroy
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * nssCKFWSlot_GetMDSlot
+ *
+ */
+NSS_EXTERN NSSCKMDSlot *
+nssCKFWSlot_GetMDSlot
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * nssCKFWSlot_GetFWInstance
+ *
+ */
+
+NSS_EXTERN NSSCKFWInstance *
+nssCKFWSlot_GetFWInstance
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * nssCKFWSlot_GetMDInstance
+ *
+ */
+
+NSS_EXTERN NSSCKMDInstance *
+nssCKFWSlot_GetMDInstance
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * nssCKFWSlot_GetSlotID
+ *
+ */
+NSS_EXTERN CK_SLOT_ID
+nssCKFWSlot_GetSlotID
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * nssCKFWSlot_GetSlotDescription
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSlot_GetSlotDescription
+(
+  NSSCKFWSlot *fwSlot,
+  CK_CHAR slotDescription[64]
+);
+
+/*
+ * nssCKFWSlot_GetManufacturerID
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSlot_GetManufacturerID
+(
+  NSSCKFWSlot *fwSlot,
+  CK_CHAR manufacturerID[32]
+);
+
+/*
+ * nssCKFWSlot_GetTokenPresent
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWSlot_GetTokenPresent
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * nssCKFWSlot_GetRemovableDevice
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWSlot_GetRemovableDevice
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * nssCKFWSlot_GetHardwareSlot
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWSlot_GetHardwareSlot
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * nssCKFWSlot_GetHardwareVersion
+ *
+ */
+NSS_EXTERN CK_VERSION
+nssCKFWSlot_GetHardwareVersion
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * nssCKFWSlot_GetFirmwareVersion
+ *
+ */
+NSS_EXTERN CK_VERSION
+nssCKFWSlot_GetFirmwareVersion
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * nssCKFWSlot_GetToken
+ * 
+ */
+NSS_EXTERN NSSCKFWToken *
+nssCKFWSlot_GetToken
+(
+  NSSCKFWSlot *fwSlot,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWSlot_ClearToken
+ *
+ */
+NSS_EXTERN void
+nssCKFWSlot_ClearToken
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * NSSCKFWToken
+ *
+ *  -- create/destroy --
+ *  nssCKFWToken_Create
+ *  nssCKFWToken_Destroy
+ *
+ *  -- implement public accessors --
+ *  nssCKFWToken_GetMDToken
+ *  nssCKFWToken_GetFWSlot
+ *  nssCKFWToken_GetMDSlot
+ *  nssCKFWToken_GetSessionState
+ *
+ *  -- private accessors --
+ *  nssCKFWToken_SetSessionState
+ *  nssCKFWToken_RemoveSession
+ *  nssCKFWToken_CloseAllSessions
+ *  nssCKFWToken_GetSessionCount
+ *  nssCKFWToken_GetRwSessionCount
+ *  nssCKFWToken_GetRoSessionCount
+ *  nssCKFWToken_GetSessionObjectHash
+ *  nssCKFWToken_GetMDObjectHash
+ *  nssCKFWToken_GetObjectHandleHash
+ *
+ *  -- module fronts --
+ *  nssCKFWToken_InitToken
+ *  nssCKFWToken_GetLabel
+ *  nssCKFWToken_GetManufacturerID
+ *  nssCKFWToken_GetModel
+ *  nssCKFWToken_GetSerialNumber
+ *  nssCKFWToken_GetHasRNG
+ *  nssCKFWToken_GetIsWriteProtected
+ *  nssCKFWToken_GetLoginRequired
+ *  nssCKFWToken_GetUserPinInitialized
+ *  nssCKFWToken_GetRestoreKeyNotNeeded
+ *  nssCKFWToken_GetHasClockOnToken
+ *  nssCKFWToken_GetHasProtectedAuthenticationPath
+ *  nssCKFWToken_GetSupportsDualCryptoOperations
+ *  nssCKFWToken_GetMaxSessionCount
+ *  nssCKFWToken_GetMaxRwSessionCount
+ *  nssCKFWToken_GetMaxPinLen
+ *  nssCKFWToken_GetMinPinLen
+ *  nssCKFWToken_GetTotalPublicMemory
+ *  nssCKFWToken_GetFreePublicMemory
+ *  nssCKFWToken_GetTotalPrivateMemory
+ *  nssCKFWToken_GetFreePrivateMemory
+ *  nssCKFWToken_GetHardwareVersion
+ *  nssCKFWToken_GetFirmwareVersion
+ *  nssCKFWToken_GetUTCTime
+ *  nssCKFWToken_OpenSession
+ *  nssCKFWToken_GetMechanismCount
+ *  nssCKFWToken_GetMechanismTypes
+ *  nssCKFWToken_GetMechanism
+ */
+
+/*
+ * nssCKFWToken_Create
+ *
+ */
+NSS_EXTERN NSSCKFWToken *
+nssCKFWToken_Create
+(
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDToken *mdToken,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWToken_Destroy
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWToken_Destroy
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetMDToken
+ *
+ */
+NSS_EXTERN NSSCKMDToken *
+nssCKFWToken_GetMDToken
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetArena
+ *
+ */
+NSS_EXTERN NSSArena *
+nssCKFWToken_GetArena
+(
+  NSSCKFWToken *fwToken,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWToken_GetFWSlot
+ *
+ */
+NSS_EXTERN NSSCKFWSlot *
+nssCKFWToken_GetFWSlot
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetMDSlot
+ *
+ */
+NSS_EXTERN NSSCKMDSlot *
+nssCKFWToken_GetMDSlot
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetSessionState
+ *
+ */
+NSS_EXTERN CK_STATE
+nssCKFWToken_GetSessionState
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_InitToken
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWToken_InitToken
+(
+  NSSCKFWToken *fwToken,
+  NSSItem *pin,
+  NSSUTF8 *label
+);
+
+/*
+ * nssCKFWToken_GetLabel
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWToken_GetLabel
+(
+  NSSCKFWToken *fwToken,
+  CK_CHAR label[32]
+);
+
+/*
+ * nssCKFWToken_GetManufacturerID
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWToken_GetManufacturerID
+(
+  NSSCKFWToken *fwToken,
+  CK_CHAR manufacturerID[32]
+);
+
+/*
+ * nssCKFWToken_GetModel
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWToken_GetModel
+(
+  NSSCKFWToken *fwToken,
+  CK_CHAR model[16]
+);
+
+/*
+ * nssCKFWToken_GetSerialNumber
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWToken_GetSerialNumber
+(
+  NSSCKFWToken *fwToken,
+  CK_CHAR serialNumber[16]
+);
+
+/*
+ * nssCKFWToken_GetHasRNG
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWToken_GetHasRNG
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetIsWriteProtected
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWToken_GetIsWriteProtected
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetLoginRequired
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWToken_GetLoginRequired
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetUserPinInitialized
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWToken_GetUserPinInitialized
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetRestoreKeyNotNeeded
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWToken_GetRestoreKeyNotNeeded
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetHasClockOnToken
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWToken_GetHasClockOnToken
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetHasProtectedAuthenticationPath
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWToken_GetHasProtectedAuthenticationPath
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetSupportsDualCryptoOperations
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWToken_GetSupportsDualCryptoOperations
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetMaxSessionCount
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetMaxSessionCount
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetMaxRwSessionCount
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetMaxRwSessionCount
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetMaxPinLen
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetMaxPinLen
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetMinPinLen
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetMinPinLen
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetTotalPublicMemory
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetTotalPublicMemory
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetFreePublicMemory
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetFreePublicMemory
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetTotalPrivateMemory
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetTotalPrivateMemory
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetFreePrivateMemory
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetFreePrivateMemory
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetHardwareVersion
+ *
+ */
+NSS_EXTERN CK_VERSION
+nssCKFWToken_GetHardwareVersion
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetFirmwareVersion
+ *
+ */
+NSS_EXTERN CK_VERSION
+nssCKFWToken_GetFirmwareVersion
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetUTCTime
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWToken_GetUTCTime
+(
+  NSSCKFWToken *fwToken,
+  CK_CHAR utcTime[16]
+);
+
+/*
+ * nssCKFWToken_OpenSession
+ *
+ */
+NSS_EXTERN NSSCKFWSession *
+nssCKFWToken_OpenSession
+(
+  NSSCKFWToken *fwToken,
+  CK_BBOOL rw,
+  CK_VOID_PTR pApplication,
+  CK_NOTIFY Notify,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWToken_GetMechanismCount
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetMechanismCount
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetMechanismTypes
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWToken_GetMechanismTypes
+(
+  NSSCKFWToken *fwToken,
+  CK_MECHANISM_TYPE types[]
+);
+
+/*
+ * nssCKFWToken_GetMechanism
+ *
+ */
+NSS_EXTERN NSSCKFWMechanism *
+nssCKFWToken_GetMechanism
+(
+  NSSCKFWToken *fwToken,
+  CK_MECHANISM_TYPE which,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWToken_SetSessionState
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWToken_SetSessionState
+(
+  NSSCKFWToken *fwToken,
+  CK_STATE newState
+);
+
+/*
+ * nssCKFWToken_RemoveSession
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWToken_RemoveSession
+(
+  NSSCKFWToken *fwToken,
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * nssCKFWToken_CloseAllSessions
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWToken_CloseAllSessions
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetSessionCount
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetSessionCount
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetRwSessionCount
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetRwSessionCount
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetRoSessionCount
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWToken_GetRoSessionCount
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetSessionObjectHash
+ *
+ */
+NSS_EXTERN nssCKFWHash *
+nssCKFWToken_GetSessionObjectHash
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetMDObjectHash
+ *
+ */
+NSS_EXTERN nssCKFWHash *
+nssCKFWToken_GetMDObjectHash
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * nssCKFWToken_GetObjectHandleHash
+ *
+ */
+NSS_EXTERN nssCKFWHash *
+nssCKFWToken_GetObjectHandleHash
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * NSSCKFWMechanism
+ *
+ *  -- create/destroy --
+ *  nssCKFWMechanism_Create
+ *  nssCKFWMechanism_Destroy
+ *
+ *  -- implement public accessors --
+ *  nssCKFWMechanism_GetMDMechanism
+ *  nssCKFWMechanism_GetParameter
+ *
+ *  -- private accessors --
+ *
+ *  -- module fronts --
+ *  nssCKFWMechanism_GetMinKeySize
+ *  nssCKFWMechanism_GetMaxKeySize
+ *  nssCKFWMechanism_GetInHardware
+ */
+
+/*
+ * nssCKFWMechanism_Create
+ *
+ */
+NSS_EXTERN NSSCKFWMechanism *
+nssCKFWMechanism_Create
+(
+  void /* XXX fgmr */
+);
+
+/*
+ * nssCKFWMechanism_Destroy
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWMechanism_Destroy
+(
+  NSSCKFWMechanism *fwMechanism
+);
+
+/*
+ * nssCKFWMechanism_GetMDMechanism
+ *
+ */
+
+NSS_EXTERN NSSCKMDMechanism *
+nssCKFWMechanism_GetMDMechanism
+(
+  NSSCKFWMechanism *fwMechanism
+);
+
+/*
+ * nssCKFWMechanism_GetParameter
+ *
+ * XXX fgmr-- or as an additional parameter to the crypto ops?
+ */
+NSS_EXTERN NSSItem *
+nssCKFWMechanism_GetParameter
+(
+  NSSCKFWMechanism *fwMechanism
+);
+
+/*
+ * nssCKFWMechanism_GetMinKeySize
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWMechanism_GetMinKeySize
+(
+  NSSCKFWMechanism *fwMechanism
+);
+
+/*
+ * nssCKFWMechanism_GetMaxKeySize
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWMechanism_GetMaxKeySize
+(
+  NSSCKFWMechanism *fwMechanism
+);
+
+/*
+ * nssCKFWMechanism_GetInHardware
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWMechanism_GetInHardware
+(
+  NSSCKFWMechanism *fwMechanism
+);
+
+/*
+ * NSSCKFWSession
+ *
+ *  -- create/destroy --
+ *  nssCKFWSession_Create
+ *  nssCKFWSession_Destroy
+ *
+ *  -- implement public accessors --
+ *  nssCKFWSession_GetMDSession
+ *  nssCKFWSession_GetArena
+ *  nssCKFWSession_CallNotification
+ *  nssCKFWSession_IsRWSession
+ *  nssCKFWSession_IsSO
+ *
+ *  -- private accessors --
+ *  nssCKFWSession_GetFWSlot
+ *  nssCKFWSession_GetSessionState
+ *  nssCKFWSession_SetFWFindObjects
+ *  nssCKFWSession_GetFWFindObjects
+ *  nssCKFWSession_SetMDSession
+ *  nssCKFWSession_SetHandle
+ *  nssCKFWSession_GetHandle
+ *  nssCKFWSession_RegisterSessionObject
+ *  nssCKFWSession_DeregisterSessionObject
+ *
+ *  -- module fronts --
+ *  nssCKFWSession_GetDeviceError
+ *  nssCKFWSession_Login
+ *  nssCKFWSession_Logout
+ *  nssCKFWSession_InitPIN
+ *  nssCKFWSession_SetPIN
+ *  nssCKFWSession_GetOperationStateLen
+ *  nssCKFWSession_GetOperationState
+ *  nssCKFWSession_SetOperationState
+ *  nssCKFWSession_CreateObject
+ *  nssCKFWSession_CopyObject
+ *  nssCKFWSession_FindObjectsInit
+ *  nssCKFWSession_SeedRandom
+ *  nssCKFWSession_GetRandom
+ */
+
+/*
+ * nssCKFWSession_Create
+ *
+ */
+NSS_EXTERN NSSCKFWSession *
+nssCKFWSession_Create
+(
+  NSSCKFWToken *fwToken,
+  CK_BBOOL rw,
+  CK_VOID_PTR pApplication,
+  CK_NOTIFY Notify,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWSession_Destroy
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_Destroy
+(
+  NSSCKFWSession *fwSession,
+  CK_BBOOL removeFromTokenHash
+);
+
+/*
+ * nssCKFWSession_GetMDSession
+ *
+ */
+NSS_EXTERN NSSCKMDSession *
+nssCKFWSession_GetMDSession
+(
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * nssCKFWSession_GetArena
+ *
+ */
+NSS_EXTERN NSSArena *
+nssCKFWSession_GetArena
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWSession_CallNotification
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_CallNotification
+(
+  NSSCKFWSession *fwSession,
+  CK_NOTIFICATION event
+);
+
+/*
+ * nssCKFWSession_IsRWSession
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWSession_IsRWSession
+(
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * nssCKFWSession_IsSO
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWSession_IsSO
+(
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * nssCKFWSession_GetFWSlot
+ *
+ */
+NSS_EXTERN NSSCKFWSlot *
+nssCKFWSession_GetFWSlot
+(
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * nssCFKWSession_GetSessionState
+ *
+ */
+NSS_EXTERN CK_STATE
+nssCKFWSession_GetSessionState
+(
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * nssCKFWSession_SetFWFindObjects
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_SetFWFindObjects
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWFindObjects *fwFindObjects
+);
+
+/*
+ * nssCKFWSession_GetFWFindObjects
+ *
+ */
+NSS_EXTERN NSSCKFWFindObjects *
+nssCKFWSession_GetFWFindObjects
+(
+  NSSCKFWSession *fwSesssion,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWSession_SetMDSession
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_SetMDSession
+(
+  NSSCKFWSession *fwSession,
+  NSSCKMDSession *mdSession
+);
+
+/*
+ * nssCKFWSession_SetHandle
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_SetHandle
+(
+  NSSCKFWSession *fwSession,
+  CK_SESSION_HANDLE hSession
+);
+
+/*
+ * nssCKFWSession_GetHandle
+ *
+ */
+NSS_EXTERN CK_SESSION_HANDLE
+nssCKFWSession_GetHandle
+(
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * nssCKFWSession_RegisterSessionObject
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_RegisterSessionObject
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWObject *fwObject
+);
+
+/*
+ * nssCKFWSession_DeregisterSessionObject
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_DeregisterSessionObject
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWObject *fwObject
+);
+
+/*
+ * nssCKFWSession_GetDeviceError
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWSession_GetDeviceError
+(
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * nssCKFWSession_Login
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_Login
+(
+  NSSCKFWSession *fwSession,
+  CK_USER_TYPE userType,
+  NSSItem *pin
+);
+
+/*
+ * nssCKFWSession_Logout
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_Logout
+(
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * nssCKFWSession_InitPIN
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_InitPIN
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *pin
+);
+
+/*
+ * nssCKFWSession_SetPIN
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_SetPIN
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *newPin,
+  NSSItem *oldPin
+);
+
+/*
+ * nssCKFWSession_GetOperationStateLen
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWSession_GetOperationStateLen
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWSession_GetOperationState
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_GetOperationState
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *buffer
+);
+
+/*
+ * nssCKFWSession_SetOperationState
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_SetOperationState
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *state,
+  NSSCKFWObject *encryptionKey,
+  NSSCKFWObject *authenticationKey
+);
+
+/*
+ * nssCKFWSession_CreateObject
+ *
+ */
+NSS_EXTERN NSSCKFWObject *
+nssCKFWSession_CreateObject
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWSession_CopyObject
+ *
+ */
+NSS_EXTERN NSSCKFWObject *
+nssCKFWSession_CopyObject
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWObject *object,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWSession_FindObjectsInit
+ *
+ */
+NSS_EXTERN NSSCKFWFindObjects *
+nssCKFWSession_FindObjectsInit
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWSession_SeedRandom
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_SeedRandom
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *seed
+);
+
+/*
+ * nssCKFWSession_GetRandom
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWSession_GetRandom
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *buffer
+);
+
+/*
+ * NSSCKFWObject
+ *
+ * -- create/destroy --
+ *  nssCKFWObject_Create
+ *  nssCKFWObject_Finalize
+ *  nssCKFWObject_Destroy
+ *
+ * -- implement public accessors --
+ *  nssCKFWObject_GetMDObject
+ *  nssCKFWObject_GetArena
+ *
+ * -- private accessors --
+ *  nssCKFWObject_SetHandle
+ *  nssCKFWObject_GetHandle
+ *
+ * -- module fronts --
+ *  nssCKFWObject_IsTokenObject
+ *  nssCKFWObject_GetAttributeCount
+ *  nssCKFWObject_GetAttributeTypes
+ *  nssCKFWObject_GetAttributeSize
+ *  nssCKFWObject_GetAttribute
+ *  nssCKFWObject_SetAttribute
+ *  nssCKFWObject_GetObjectSize
+ */
+
+/*
+ * nssCKFWObject_Create
+ *
+ */
+NSS_EXTERN NSSCKFWObject *
+nssCKFWObject_Create
+(
+  NSSArena *arena,
+  NSSCKMDObject *mdObject,
+  NSSCKFWSession *fwSession,
+  NSSCKFWToken *fwToken,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWObject_Finalize
+ *
+ */
+NSS_EXTERN void
+nssCKFWObject_Finalize
+(
+  NSSCKFWObject *fwObject
+);
+
+/*
+ * nssCKFWObject_Destroy
+ *
+ */
+NSS_EXTERN void
+nssCKFWObject_Destroy
+(
+  NSSCKFWObject *fwObject
+);
+
+/*
+ * nssCKFWObject_GetMDObject
+ *
+ */
+NSS_EXTERN NSSCKMDObject *
+nssCKFWObject_GetMDObject
+(
+  NSSCKFWObject *fwObject
+);
+
+/*
+ * nssCKFWObject_GetArena
+ *
+ */
+NSS_EXTERN NSSArena *
+nssCKFWObject_GetArena
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWObject_SetHandle
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWObject_SetHandle
+(
+  NSSCKFWObject *fwObject,
+  CK_OBJECT_HANDLE hObject
+);
+
+/*
+ * nssCKFWObject_GetHandle
+ *
+ */
+NSS_IMPLEMENT CK_OBJECT_HANDLE
+nssCKFWObject_GetHandle
+(
+  NSSCKFWObject *fwObject
+);
+
+/*
+ * nssCKFWObject_IsTokenObject
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWObject_IsTokenObject
+(
+  NSSCKFWObject *fwObject
+);
+
+/*
+ * nssCKFWObject_GetAttributeCount
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWObject_GetAttributeCount
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWObject_GetAttributeTypes
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWObject_GetAttributeTypes
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount
+);
+
+/*
+ * nssCKFWObject_GetAttributeSize
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWObject_GetAttributeSize
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWObject_GetAttribute
+ *
+ * Usual NSS allocation rules:
+ * If itemOpt is not NULL, it will be returned; otherwise an NSSItem
+ * will be allocated.  If itemOpt is not NULL but itemOpt->data is,
+ * the buffer will be allocated; otherwise, the buffer will be used.
+ * Any allocations will come from the optional arena, if one is
+ * specified.
+ */
+NSS_EXTERN NSSItem *
+nssCKFWObject_GetAttribute
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSItem *itemOpt,
+  NSSArena *arenaOpt,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWObject_SetAttribute
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWObject_SetAttribute
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSItem *value
+);
+
+/*
+ * nssCKFWObject_GetObjectSize
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWObject_GetObjectSize
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+);
+
+/*
+ * NSSCKFWFindObjects
+ *
+ *  -- create/destroy --
+ *  nssCKFWFindObjects_Create
+ *  nssCKFWFindObjects_Destroy
+ *
+ *  -- implement public accessors --
+ *  nssCKFWFindObjects_GetMDFindObjects
+ *
+ *  -- private accessors --
+ *
+ *  -- module fronts --
+ *  nssCKFWFindObjects_Next
+ */
+
+/*
+ * nssCKFWFindObjects_Create
+ *
+ */
+NSS_EXTERN NSSCKFWFindObjects *
+nssCKFWFindObjects_Create
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWToken *fwToken,
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDFindObjects *mdFindObjects1,
+  NSSCKMDFindObjects *mdFindObjects2,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWFindObjects_Destroy
+ *
+ */
+NSS_EXTERN void
+nssCKFWFindObjects_Destroy
+(
+  NSSCKFWFindObjects *fwFindObjects
+);
+
+/*
+ * nssCKFWFindObjects_GetMDFindObjects
+ *
+ */
+NSS_EXTERN NSSCKMDFindObjects *
+nssCKFWFindObjects_GetMDFindObjects
+(
+  NSSCKFWFindObjects *fwFindObjects
+);
+
+/*
+ * nssCKFWFindObjects_Next
+ *
+ */
+NSS_EXTERN NSSCKFWObject *
+nssCKFWFindObjects_Next
+(
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSArena *arenaOpt,
+  CK_RV *pError
+);
+
+/*
+ * NSSCKFWMutex
+ *
+ *  nssCKFWMutex_Create
+ *  nssCKFWMutex_Destroy
+ *  nssCKFWMutex_Lock
+ *  nssCKFWMutex_Unlock
+ *
+ */
+
+/*
+ * nssCKFWMutex_Create
+ *
+ */
+NSS_EXTERN NSSCKFWMutex *
+nssCKFWMutex_Create
+(
+  CK_C_INITIALIZE_ARGS_PTR pInitArgs,
+  NSSArena *arena,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWMutex_Destroy
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWMutex_Destroy
+(
+  NSSCKFWMutex *mutex
+);
+
+/*
+ * nssCKFWMutex_Lock
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWMutex_Lock
+(
+  NSSCKFWMutex *mutex
+);
+
+/*
+ * nssCKFWMutex_Unlock
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWMutex_Unlock
+(
+  NSSCKFWMutex *mutex
+);
+
+#endif /* CKFW_H */
diff --git a/security/nss/lib/ckfw/ckfwm.h b/security/nss/lib/ckfw/ckfwm.h
new file mode 100644
index 000000000..615efe2b6
--- /dev/null
+++ b/security/nss/lib/ckfw/ckfwm.h
@@ -0,0 +1,167 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef CKFWM_H
+#define CKFWM_H
+
+#ifdef DEBUG
+static const char CKFWM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * ckfwm.h
+ *
+ * This file prototypes the module-private calls of the NSS Cryptoki Framework.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCKFWT_H
+#include "nssckfwt.h"
+#endif /* NSSCKFWT_H */
+
+/*
+ * nssCKFWHash
+ *
+ *  nssCKFWHash_Create
+ *  nssCKFWHash_Destroy
+ *  nssCKFWHash_Add
+ *  nssCKFWHash_Remove
+ *  nssCKFWHash_Count
+ *  nssCKFWHash_Exists
+ *  nssCKFWHash_Lookup
+ *  nssCKFWHash_Iterate
+ */
+
+/*
+ * nssCKFWHash_Create
+ *
+ */
+NSS_EXTERN nssCKFWHash *
+nssCKFWHash_Create
+(
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+);
+
+/*
+ * nssCKFWHash_Destroy
+ *
+ */
+NSS_EXTERN void
+nssCKFWHash_Destroy
+(
+  nssCKFWHash *hash
+);
+
+/*
+ * nssCKFWHash_Add
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWHash_Add
+(
+  nssCKFWHash *hash,
+  const void *key,
+  const void *value
+);
+
+/*
+ * nssCKFWHash_Remove
+ *
+ */
+NSS_EXTERN void
+nssCKFWHash_Remove
+(
+  nssCKFWHash *hash,
+  const void *it
+);
+
+/*
+ * nssCKFWHash_Count
+ *
+ */
+NSS_EXTERN CK_ULONG
+nssCKFWHash_Count
+(
+  nssCKFWHash *hash
+);
+
+/*
+ * nssCKFWHash_Exists
+ *
+ */
+NSS_EXTERN CK_BBOOL
+nssCKFWHash_Exists
+(
+  nssCKFWHash *hash,
+  const void *it
+);
+
+/*
+ * nssCKFWHash_Lookup
+ *
+ */
+NSS_EXTERN void *
+nssCKFWHash_Lookup
+(
+  nssCKFWHash *hash,
+  const void *it
+);
+
+/*
+ * nssCKFWHash_Iterate
+ *
+ */
+NSS_EXTERN void
+nssCKFWHash_Iterate
+(
+  nssCKFWHash *hash,
+  nssCKFWHashIterator fcn,
+  void *closure
+);
+
+NSS_EXTERN void
+nssSetLockArgs(
+   CK_C_INITIALIZE_ARGS_PTR pInitArgs
+);
+
+
+#endif /* CKFWM_H */
diff --git a/security/nss/lib/ckfw/ckfwtm.h b/security/nss/lib/ckfw/ckfwtm.h
new file mode 100644
index 000000000..0f631f02d
--- /dev/null
+++ b/security/nss/lib/ckfw/ckfwtm.h
@@ -0,0 +1,56 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef CKFWTM_H
+#define CKFWTM_H
+
+#ifdef DEBUG
+static const char CKFWTM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * ckfwtm.h
+ *
+ * This file declares the module-private types of the NSS Cryptoki Framework.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+struct nssCKFWHashStr;
+typedef struct nssCKFWHashStr nssCKFWHash;
+
+typedef void (PR_CALLBACK *nssCKFWHashIterator)(const void *key, void *value, void *closure);
+
+#endif /* CKFWTM_H */
diff --git a/security/nss/lib/ckfw/ckmd.h b/security/nss/lib/ckfw/ckmd.h
new file mode 100644
index 000000000..5b7f394f5
--- /dev/null
+++ b/security/nss/lib/ckfw/ckmd.h
@@ -0,0 +1,65 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef CKMD_H
+#define CKMD_H
+
+#ifdef DEBUG
+static const char CKMD_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * ckmd.h
+ *
+ */
+
+NSS_EXTERN NSSCKMDObject *
+nssCKMDSessionObject_Create
+(
+  NSSCKFWToken *fwToken,
+  NSSArena *arena,
+  CK_ATTRIBUTE_PTR attributes,
+  CK_ULONG ulCount,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDFindObjects *
+nssCKMDFindSessionObjects_Create
+(
+  NSSCKFWToken *fwToken,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_RV *pError
+);
+
+#endif /* CKMD_H */
diff --git a/security/nss/lib/ckfw/ckt.h b/security/nss/lib/ckfw/ckt.h
new file mode 100644
index 000000000..bf114dbc0
--- /dev/null
+++ b/security/nss/lib/ckfw/ckt.h
@@ -0,0 +1,37 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/* get back to just one set of PKCS #11 headers. Use the onese that
+ * are easiest to maintain from the RSA website */
+/* this one is the one that defines NSS specific data */
+#include "pkcs11n.h"
diff --git a/security/nss/lib/ckfw/config.mk b/security/nss/lib/ckfw/config.mk
new file mode 100644
index 000000000..521c93d31
--- /dev/null
+++ b/security/nss/lib/ckfw/config.mk
@@ -0,0 +1,54 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+ifdef BUILD_IDG
+DEFINES += -DNSSDEBUG
+endif
+
+#
+# Hack to see if everything still builds
+#
+
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
+
diff --git a/security/nss/lib/ckfw/dbm/Makefile b/security/nss/lib/ckfw/dbm/Makefile
new file mode 100644
index 000000000..03e1fb4c6
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/Makefile
@@ -0,0 +1,38 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+include manifest.mn
+include config.mk
+include $(CORE_DEPTH)/coreconf/config.mk
+include $(CORE_DEPTH)/coreconf/rules.mk
diff --git a/security/nss/lib/ckfw/dbm/anchor.c b/security/nss/lib/ckfw/dbm/anchor.c
new file mode 100644
index 000000000..588fd00e0
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/anchor.c
@@ -0,0 +1,50 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * dbm/anchor.c
+ *
+ * This file "anchors" the actual cryptoki entry points in this module's
+ * shared library, which is required for dynamic loading.  See the 
+ * comments in nssck.api for more information.
+ */
+
+#include "ckdbm.h"
+
+#define MODULE_NAME dbm
+#define INSTANCE_NAME (NSSCKMDInstance *)&nss_dbm_mdInstance
+#include "nssck.api"
diff --git a/security/nss/lib/ckfw/dbm/ckdbm.h b/security/nss/lib/ckfw/dbm/ckdbm.h
new file mode 100644
index 000000000..7bab87ec7
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/ckdbm.h
@@ -0,0 +1,281 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CKDBM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef CKDBM_H
+#define CKDBM_H
+
+#include "nssckmdt.h"
+#include "nssckfw.h"
+
+/*
+ * I'm including this for access to the arena functions.
+ * Looks like we should publish that API.
+ */
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+/*
+ * This is where the Netscape extensions live, at least for now.
+ */
+#ifndef CKT_H
+#include "ckt.h"
+#endif /* CKT_H */
+
+#include "mcom_db.h"
+
+NSS_EXTERN_DATA NSSCKMDInstance nss_dbm_mdInstance;
+
+typedef struct nss_dbm_db_struct nss_dbm_db_t;
+struct nss_dbm_db_struct {
+  DB *db;
+  NSSCKFWMutex *crustylock;
+};
+
+typedef struct nss_dbm_dbt_struct nss_dbm_dbt_t;
+struct nss_dbm_dbt_struct {
+  DBT dbt;
+  nss_dbm_db_t *my_db;
+};
+
+typedef struct nss_dbm_instance_struct nss_dbm_instance_t;
+struct nss_dbm_instance_struct {
+  NSSArena *arena;
+  CK_ULONG nSlots;
+  char **filenames;
+  int *flags; /* e.g. O_RDONLY, O_RDWR */
+};
+
+typedef struct nss_dbm_slot_struct nss_dbm_slot_t;
+struct nss_dbm_slot_struct {
+  nss_dbm_instance_t *instance;
+  char *filename;
+  int flags;
+  nss_dbm_db_t *token_db;
+};
+
+typedef struct nss_dbm_token_struct nss_dbm_token_t;
+struct nss_dbm_token_struct {
+  NSSArena *arena;
+  nss_dbm_slot_t *slot;
+  nss_dbm_db_t *session_db;
+  NSSUTF8 *label;
+};
+
+struct nss_dbm_dbt_node {
+  struct nss_dbm_dbt_node *next;
+  nss_dbm_dbt_t *dbt;
+};
+
+typedef struct nss_dbm_session_struct nss_dbm_session_t;
+struct nss_dbm_session_struct {
+  NSSArena *arena;
+  nss_dbm_token_t *token;
+  CK_ULONG deviceError;
+  struct nss_dbm_dbt_node *session_objects;
+  NSSCKFWMutex *list_lock;
+};
+
+typedef struct nss_dbm_object_struct nss_dbm_object_t;
+struct nss_dbm_object_struct {
+  NSSArena *arena; /* token or session */
+  nss_dbm_dbt_t *handle;
+};
+
+typedef struct nss_dbm_find_struct nss_dbm_find_t;
+struct nss_dbm_find_struct {
+  NSSArena *arena;
+  struct nss_dbm_dbt_node *found;
+  NSSCKFWMutex *list_lock;
+};
+
+NSS_EXTERN NSSCKMDSlot *
+nss_dbm_mdSlot_factory
+(
+  nss_dbm_instance_t *instance,
+  char *filename,
+  int flags,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDToken *
+nss_dbm_mdToken_factory
+(
+  nss_dbm_slot_t *slot,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDSession *
+nss_dbm_mdSession_factory
+(
+  nss_dbm_token_t *token,
+  NSSCKFWSession *fwSession,
+  NSSCKFWInstance *fwInstance,
+  CK_BBOOL rw,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDObject *
+nss_dbm_mdObject_factory
+(
+  nss_dbm_object_t *object,
+  CK_RV *pError
+);
+
+NSS_EXTERN NSSCKMDFindObjects *
+nss_dbm_mdFindObjects_factory
+(
+  nss_dbm_find_t *find,
+  CK_RV *pError
+);
+
+NSS_EXTERN nss_dbm_db_t *
+nss_dbm_db_open
+(
+  NSSArena *arena,
+  NSSCKFWInstance *fwInstance,
+  char *filename,
+  int flags,
+  CK_RV *pError
+);
+
+NSS_EXTERN void
+nss_dbm_db_close
+(
+  nss_dbm_db_t *db
+);
+
+NSS_EXTERN CK_VERSION
+nss_dbm_db_get_format_version
+(
+  nss_dbm_db_t *db
+);
+
+NSS_EXTERN CK_RV
+nss_dbm_db_set_label
+(
+  nss_dbm_db_t *db,
+  NSSUTF8 *label
+);
+
+NSS_EXTERN NSSUTF8 *
+nss_dbm_db_get_label
+(
+  nss_dbm_db_t *db,
+  NSSArena *arena,
+  CK_RV *pError
+);
+
+NSS_EXTERN CK_RV
+nss_dbm_db_delete_object
+(
+  nss_dbm_dbt_t *dbt
+);
+
+NSS_EXTERN nss_dbm_dbt_t *
+nss_dbm_db_create_object
+(
+  NSSArena *arena,
+  nss_dbm_db_t *db,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError,
+  CK_ULONG *pdbrv
+);
+
+NSS_EXTERN CK_RV
+nss_dbm_db_find_objects
+(
+  nss_dbm_find_t *find,
+  nss_dbm_db_t *db,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_ULONG *pdbrv
+);
+
+NSS_EXTERN CK_BBOOL
+nss_dbm_db_object_still_exists
+(
+  nss_dbm_dbt_t *dbt
+);
+
+NSS_EXTERN CK_ULONG
+nss_dbm_db_get_object_attribute_count
+(
+  nss_dbm_dbt_t *dbt,
+  CK_RV *pError,
+  CK_ULONG *pdbrv
+);
+
+NSS_EXTERN CK_RV
+nss_dbm_db_get_object_attribute_types
+(
+  nss_dbm_dbt_t *dbt,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount,
+  CK_ULONG *pdbrv
+);
+
+NSS_EXTERN CK_ULONG
+nss_dbm_db_get_object_attribute_size
+(
+  nss_dbm_dbt_t *dbt,
+  CK_ATTRIBUTE_TYPE type,
+  CK_RV *pError,
+  CK_ULONG *pdbrv
+);
+
+NSS_EXTERN NSSItem *
+nss_dbm_db_get_object_attribute
+(
+  nss_dbm_dbt_t *dbt,
+  NSSArena *arena,
+  CK_ATTRIBUTE_TYPE type,
+  CK_RV *pError,
+  CK_ULONG *pdbrv
+);
+
+NSS_EXTERN CK_RV
+nss_dbm_db_set_object_attribute
+(
+  nss_dbm_dbt_t *dbt,
+  CK_ATTRIBUTE_TYPE type,
+  NSSItem *value,
+  CK_ULONG *pdbrv
+);
+
+#endif /* CKDBM_H */
diff --git a/security/nss/lib/ckfw/dbm/config.mk b/security/nss/lib/ckfw/dbm/config.mk
new file mode 100644
index 000000000..80b3135f4
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/config.mk
@@ -0,0 +1,37 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+ifdef BUILD_IDG
+DEFINES += -DNSSDEBUG
+endif
diff --git a/security/nss/lib/ckfw/dbm/db.c b/security/nss/lib/ckfw/dbm/db.c
new file mode 100644
index 000000000..307c7f21d
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/db.c
@@ -0,0 +1,1065 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#include "ckdbm.h"
+
+#define PREFIX_METADATA "0000"
+#define PREFIX_OBJECT   "0001"
+#define PREFIX_INDEX    "0002"
+
+static CK_VERSION nss_dbm_db_format_version = { 1, 0 };
+struct handle {
+  char prefix[4];
+  CK_ULONG id;
+};
+
+NSS_IMPLEMENT nss_dbm_db_t *
+nss_dbm_db_open
+(
+  NSSArena *arena,
+  NSSCKFWInstance *fwInstance,
+  char *filename,
+  int flags,
+  CK_RV *pError
+)
+{
+  nss_dbm_db_t *rv;
+  CK_VERSION db_version;
+
+  rv = nss_ZNEW(arena, nss_dbm_db_t);
+  if( (nss_dbm_db_t *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (nss_dbm_db_t *)NULL;
+  }
+
+  rv->db = dbopen(filename, flags, 0600, DB_HASH, (const void *)NULL);
+  if( (DB *)NULL == rv->db ) {
+    *pError = CKR_TOKEN_NOT_PRESENT;
+    return (nss_dbm_db_t *)NULL;
+  }
+
+  rv->crustylock = NSSCKFWInstance_CreateMutex(fwInstance, arena, pError);
+  if( (NSSCKFWMutex *)NULL == rv->crustylock ) {
+    return (nss_dbm_db_t *)NULL;
+  }
+
+  db_version = nss_dbm_db_get_format_version(rv);
+  if( db_version.major != nss_dbm_db_format_version.major ) {
+    nss_dbm_db_close(rv);
+    *pError = CKR_TOKEN_NOT_RECOGNIZED;
+    return (nss_dbm_db_t *)NULL;
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT void
+nss_dbm_db_close
+(
+  nss_dbm_db_t *db
+)
+{
+  if( (NSSCKFWMutex *)NULL != db->crustylock ) {
+    (void)NSSCKFWMutex_Destroy(db->crustylock);
+  }
+
+  if( (DB *)NULL != db->db ) {
+    (void)db->db->close(db->db);
+  }
+
+  nss_ZFreeIf(db);
+}
+
+NSS_IMPLEMENT CK_VERSION
+nss_dbm_db_get_format_version
+(
+  nss_dbm_db_t *db
+)
+{
+  CK_VERSION rv;
+  DBT k, v;
+  int dbrv;
+  char buffer[64];
+
+  rv.major = rv.minor = 0;
+
+  k.data = PREFIX_METADATA "FormatVersion";
+  k.size = nssUTF8_Size((NSSUTF8 *)k.data, (PRStatus *)NULL);
+  (void)memset(&v, 0, sizeof(v));
+
+  /* Locked region */ 
+  {
+    if( CKR_OK != NSSCKFWMutex_Lock(db->crustylock) ) {
+      return rv;
+    }
+
+    dbrv = db->db->get(db->db, &k, &v, 0);
+    if( dbrv == 0 ) {
+      CK_ULONG major = 0, minor = 0;
+      (void)PR_sscanf(v.data, "%ld.%ld", &major, &minor);
+      rv.major = major;
+      rv.minor = minor;
+    } else if( dbrv > 0 ) {
+      (void)PR_snprintf(buffer, sizeof(buffer), "%ld.%ld", nss_dbm_db_format_version.major,
+                        nss_dbm_db_format_version.minor);
+      v.data = buffer;
+      v.size = nssUTF8_Size((NSSUTF8 *)v.data, (PRStatus *)NULL);
+      dbrv = db->db->put(db->db, &k, &v, 0);
+      (void)db->db->sync(db->db, 0);
+      rv = nss_dbm_db_format_version;
+    } else {
+      /* No error return.. */
+      ;
+    }
+
+    (void)NSSCKFWMutex_Unlock(db->crustylock);
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT CK_RV
+nss_dbm_db_set_label
+(
+  nss_dbm_db_t *db,
+  NSSUTF8 *label
+)
+{
+  CK_RV rv;
+  DBT k, v;
+  int dbrv;
+
+  k.data = PREFIX_METADATA "Label";
+  k.size = nssUTF8_Size((NSSUTF8 *)k.data, (PRStatus *)NULL);
+  v.data = label;
+  v.size = nssUTF8_Size((NSSUTF8 *)v.data, (PRStatus *)NULL);
+
+  /* Locked region */ 
+  {
+    if( CKR_OK != NSSCKFWMutex_Lock(db->crustylock) ) {
+      return rv;
+    }
+
+    dbrv = db->db->put(db->db, &k, &v, 0);
+    if( 0 != dbrv ) {
+      rv = CKR_DEVICE_ERROR;
+    }
+
+    dbrv = db->db->sync(db->db, 0);
+    if( 0 != dbrv ) {
+      rv = CKR_DEVICE_ERROR;
+    }
+
+    (void)NSSCKFWMutex_Unlock(db->crustylock);
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT NSSUTF8 *
+nss_dbm_db_get_label
+(
+  nss_dbm_db_t *db,
+  NSSArena *arena,
+  CK_RV *pError
+)
+{
+  NSSUTF8 *rv = (NSSUTF8 *)NULL;
+  DBT k, v;
+  int dbrv;
+
+  k.data = PREFIX_METADATA "Label";
+  k.size = nssUTF8_Size((NSSUTF8 *)k.data, (PRStatus *)NULL);
+
+  /* Locked region */ 
+  {
+    if( CKR_OK != NSSCKFWMutex_Lock(db->crustylock) ) {
+      return rv;
+    }
+
+    dbrv = db->db->get(db->db, &k, &v, 0);
+    if( 0 == dbrv ) {
+      rv = nssUTF8_Duplicate((NSSUTF8 *)v.data, arena);
+      if( (NSSUTF8 *)NULL == rv ) {
+        *pError = CKR_HOST_MEMORY;
+      }
+    } else if( dbrv > 0 ) {
+      /* Just return null */
+      ;
+    } else {
+      *pError = CKR_DEVICE_ERROR;
+      ;
+    }
+
+
+    (void)NSSCKFWMutex_Unlock(db->crustylock);
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT CK_RV
+nss_dbm_db_delete_object
+(
+  nss_dbm_dbt_t *dbt
+)
+{
+  CK_RV rv;
+  int dbrv;
+
+  /* Locked region */
+  {
+    rv = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
+    if( CKR_OK != rv ) {
+      return rv;
+    }
+
+    dbrv = dbt->my_db->db->del(dbt->my_db->db, &dbt->dbt, 0);
+    if( 0 != dbrv ) {
+      rv = CKR_DEVICE_ERROR;
+      goto done;
+    }
+
+    dbrv = dbt->my_db->db->sync(dbt->my_db->db, 0);
+    if( 0 != dbrv ) {
+      rv = CKR_DEVICE_ERROR;
+      goto done;
+    }
+
+  done:
+    (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
+  }
+
+  return rv;
+}
+
+static CK_ULONG
+nss_dbm_db_new_handle
+(
+  nss_dbm_db_t *db,
+  DBT *dbt, /* pre-allocated */
+  CK_RV *pError
+)
+{
+  CK_ULONG rv;
+  DBT k, v;
+  CK_ULONG align = 0, id, myid;
+  struct handle *hp;
+
+  if( sizeof(struct handle) != dbt->size ) {
+    return EINVAL;
+  }
+
+  /* Locked region */
+  {
+    *pError = NSSCKFWMutex_Lock(db->crustylock);
+    if( CKR_OK != *pError ) {
+      return EINVAL;
+    }
+
+    k.data = PREFIX_METADATA "LastID";
+    k.size = nssUTF8_Size((NSSUTF8 *)k.data, (PRStatus *)NULL);
+    (void)memset(&v, 0, sizeof(v));
+
+    rv = db->db->get(db->db, &k, &v, 0);
+    if( 0 == rv ) {
+      (void)memcpy(&align, v.data, sizeof(CK_ULONG));
+      id = ntohl(align);
+    } else if( rv > 0 ) {
+      id = 0;
+    } else {
+      goto done;
+    }
+
+    myid = id;
+    id++;
+    align = htonl(id);
+    v.data = &align;
+    v.size = sizeof(CK_ULONG);
+
+    rv = db->db->put(db->db, &k, &v, 0);
+    if( 0 != rv ) {
+      goto done;
+    }
+
+    rv = db->db->sync(db->db, 0);
+    if( 0 != rv ) {
+      goto done;
+    }
+
+  done:
+    (void)NSSCKFWMutex_Unlock(db->crustylock);
+  }
+
+  if( 0 != rv ) {
+    return rv;
+  }
+
+  hp = (struct handle *)dbt->data;
+  (void)memcpy(&hp->prefix[0], PREFIX_OBJECT, 4);
+  hp->id = myid;
+
+  return 0;
+}
+
+/*
+ * This attribute-type-dependent swapping should probably
+ * be in the Framework, because it'll be a concern of just
+ * about every Module.  Of course any Framework implementation
+ * will have to be augmentable or overridable by a Module.
+ */
+
+enum swap_type { type_byte, type_short, type_long, type_opaque };
+
+static enum swap_type
+nss_dbm_db_swap_type
+(
+  CK_ATTRIBUTE_TYPE type
+)
+{
+  switch( type ) {
+  case CKA_CLASS: return type_long;
+  case CKA_TOKEN: return type_byte;
+  case CKA_PRIVATE: return type_byte;
+  case CKA_LABEL: return type_opaque;
+  case CKA_APPLICATION: return type_opaque;
+  case CKA_VALUE: return type_opaque;
+  case CKA_CERTIFICATE_TYPE: return type_long;
+  case CKA_ISSUER: return type_opaque;
+  case CKA_SERIAL_NUMBER: return type_opaque;
+  case CKA_KEY_TYPE: return type_long;
+  case CKA_SUBJECT: return type_opaque;
+  case CKA_ID: return type_opaque;
+  case CKA_SENSITIVE: return type_byte;
+  case CKA_ENCRYPT: return type_byte;
+  case CKA_DECRYPT: return type_byte;
+  case CKA_WRAP: return type_byte;
+  case CKA_UNWRAP: return type_byte;
+  case CKA_SIGN: return type_byte;
+  case CKA_SIGN_RECOVER: return type_byte;
+  case CKA_VERIFY: return type_byte;
+  case CKA_VERIFY_RECOVER: return type_byte;
+  case CKA_DERIVE: return type_byte;
+  case CKA_START_DATE: return type_opaque;
+  case CKA_END_DATE: return type_opaque;
+  case CKA_MODULUS: return type_opaque;
+  case CKA_MODULUS_BITS: return type_long;
+  case CKA_PUBLIC_EXPONENT: return type_opaque;
+  case CKA_PRIVATE_EXPONENT: return type_opaque;
+  case CKA_PRIME_1: return type_opaque;
+  case CKA_PRIME_2: return type_opaque;
+  case CKA_EXPONENT_1: return type_opaque;
+  case CKA_EXPONENT_2: return type_opaque;
+  case CKA_COEFFICIENT: return type_opaque;
+  case CKA_PRIME: return type_opaque;
+  case CKA_SUBPRIME: return type_opaque;
+  case CKA_BASE: return type_opaque;
+  case CKA_VALUE_BITS: return type_long;
+  case CKA_VALUE_LEN: return type_long;
+  case CKA_EXTRACTABLE: return type_byte;
+  case CKA_LOCAL: return type_byte;
+  case CKA_NEVER_EXTRACTABLE: return type_byte;
+  case CKA_ALWAYS_SENSITIVE: return type_byte;
+  case CKA_MODIFIABLE: return type_byte;
+  case CKA_NETSCAPE_URL: return type_opaque;
+  case CKA_NETSCAPE_EMAIL: return type_opaque;
+  case CKA_NETSCAPE_SMIME_INFO: return type_opaque;
+  case CKA_NETSCAPE_SMIME_TIMESTAMP: return type_opaque;
+  case CKA_NETSCAPE_PKCS8_SALT: return type_opaque;
+  case CKA_NETSCAPE_PASSWORD_CHECK: return type_opaque;
+  case CKA_NETSCAPE_EXPIRES: return type_opaque;
+  case CKA_TRUST_DIGITAL_SIGNATURE: return type_long;
+  case CKA_TRUST_NON_REPUDIATION: return type_long;
+  case CKA_TRUST_KEY_ENCIPHERMENT: return type_long;
+  case CKA_TRUST_DATA_ENCIPHERMENT: return type_long;
+  case CKA_TRUST_KEY_AGREEMENT: return type_long;
+  case CKA_TRUST_KEY_CERT_SIGN: return type_long;
+  case CKA_TRUST_CRL_SIGN: return type_long;
+  case CKA_TRUST_SERVER_AUTH: return type_long;
+  case CKA_TRUST_CLIENT_AUTH: return type_long;
+  case CKA_TRUST_CODE_SIGNING: return type_long;
+  case CKA_TRUST_EMAIL_PROTECTION: return type_long;
+  case CKA_TRUST_IPSEC_END_SYSTEM: return type_long;
+  case CKA_TRUST_IPSEC_TUNNEL: return type_long;
+  case CKA_TRUST_IPSEC_USER: return type_long;
+  case CKA_TRUST_TIME_STAMPING: return type_long;
+  case CKA_NETSCAPE_DB: return type_opaque;
+  case CKA_NETSCAPE_TRUST: return type_opaque;
+  default: return type_opaque;
+  }
+}
+
+static void
+nss_dbm_db_swap_copy
+(
+  CK_ATTRIBUTE_TYPE type,
+  void *dest,
+  void *src,
+  CK_ULONG len
+)
+{
+  switch( nss_dbm_db_swap_type(type) ) {
+  case type_byte:
+  case type_opaque:
+    (void)memcpy(dest, src, len);
+    break;
+  case type_short:
+    {
+      CK_USHORT s, d;
+      (void)memcpy(&s, src, sizeof(CK_USHORT));
+      d = htons(s);
+      (void)memcpy(dest, &d, sizeof(CK_USHORT));
+      break;
+    }
+  case type_long:
+    {
+      CK_ULONG s, d;
+      (void)memcpy(&s, src, sizeof(CK_ULONG));
+      d = htonl(s);
+      (void)memcpy(dest, &d, sizeof(CK_ULONG));
+      break;
+    }
+  }
+}
+
+static CK_RV
+nss_dbm_db_wrap_object
+(
+  NSSArena *arena,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  DBT *object
+)
+{
+  CK_ULONG object_size;
+  CK_ULONG i;
+  CK_ULONG *pulData;
+  char *pcData;
+  CK_ULONG offset;
+
+  object_size = (1 + ulAttributeCount*3) * sizeof(CK_ULONG);
+  offset = object_size;
+  for( i = 0; i < ulAttributeCount; i++ ) {
+    object_size += pTemplate[i].ulValueLen;
+  }
+
+  object->size = object_size;
+  object->data = nss_ZAlloc(arena, object_size);
+  if( (void *)NULL == object->data ) {
+    return CKR_HOST_MEMORY;
+  }
+
+  pulData = (CK_ULONG *)object->data;
+  pcData = (char *)object->data;
+
+  pulData[0] = htonl(ulAttributeCount);
+  for( i = 0; i < ulAttributeCount; i++ ) {
+    CK_ULONG len = pTemplate[i].ulValueLen;
+    pulData[1 + i*3] = htonl(pTemplate[i].type);
+    pulData[2 + i*3] = htonl(len);
+    pulData[3 + i*3] = htonl(offset);
+    nss_dbm_db_swap_copy(pTemplate[i].type, &pcData[offset], pTemplate[i].pValue, len);
+    offset += len;
+  }
+
+  return CKR_OK;
+}
+
+static CK_RV
+nss_dbm_db_unwrap_object
+(
+  NSSArena *arena,
+  DBT *object,
+  CK_ATTRIBUTE_PTR *ppTemplate,
+  CK_ULONG *pulAttributeCount
+)
+{
+  CK_ULONG *pulData;
+  char *pcData;
+  CK_ULONG n, i;
+  CK_ATTRIBUTE_PTR pTemplate;
+
+  pulData = (CK_ULONG *)object->data;
+  pcData = (char *)object->data;
+
+  n = ntohl(pulData[0]);
+  *pulAttributeCount = n;
+  pTemplate = nss_ZNEWARRAY(arena, CK_ATTRIBUTE, n);
+  if( (CK_ATTRIBUTE_PTR)NULL == pTemplate ) {
+    return CKR_HOST_MEMORY;
+  }
+
+  for( i = 0; i < n; i++ ) {
+    CK_ULONG len;
+    CK_ULONG offset;
+    void *p;
+
+    pTemplate[i].type = ntohl(pulData[1 + i*3]);
+    len = ntohl(pulData[2 + i*3]);
+    offset = ntohl(pulData[3 +  i*3]);
+    
+    p = nss_ZAlloc(arena, len);
+    if( (void *)NULL == p ) {
+      return CKR_HOST_MEMORY;
+    }
+    
+    nss_dbm_db_swap_copy(pTemplate[i].type, p, &pcData[offset], len);
+    pTemplate[i].ulValueLen = len;
+    pTemplate[i].pValue = p;
+  }
+
+  *ppTemplate = pTemplate;
+  return CKR_OK;
+}
+
+
+NSS_IMPLEMENT nss_dbm_dbt_t *
+nss_dbm_db_create_object
+(
+  NSSArena *arena,
+  nss_dbm_db_t *db,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError,
+  CK_ULONG *pdbrv
+)
+{
+  NSSArena *tmparena = (NSSArena *)NULL;
+  nss_dbm_dbt_t *rv = (nss_dbm_dbt_t *)NULL;
+  DBT object;
+
+  rv = nss_ZNEW(arena, nss_dbm_dbt_t);
+  if( (nss_dbm_dbt_t *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (nss_dbm_dbt_t *)NULL;
+  }
+
+  rv->my_db = db;
+  rv->dbt.size = sizeof(struct handle);
+  rv->dbt.data = nss_ZAlloc(arena, rv->dbt.size);
+  if( (void *)NULL == rv->dbt.data ) {
+    *pError = CKR_HOST_MEMORY;
+    return (nss_dbm_dbt_t *)NULL;
+  }
+
+  *pdbrv = nss_dbm_db_new_handle(db, &rv->dbt, pError);
+  if( 0 != *pdbrv ) {
+    return (nss_dbm_dbt_t *)NULL;
+  }
+
+  tmparena = NSSArena_Create();
+  if( (NSSArena *)NULL == tmparena ) {
+    *pError = CKR_HOST_MEMORY;
+    return (nss_dbm_dbt_t *)NULL;
+  }
+
+  *pError = nss_dbm_db_wrap_object(tmparena, pTemplate, ulAttributeCount, &object);
+  if( CKR_OK != *pError ) {
+    return (nss_dbm_dbt_t *)NULL;
+  }
+  
+  /* Locked region */
+  {
+    *pError = NSSCKFWMutex_Lock(db->crustylock);
+    if( CKR_OK != *pError ) {
+      goto loser;
+    }
+
+    *pdbrv = db->db->put(db->db, &rv->dbt, &object, 0);
+    if( 0 != *pdbrv ) {
+      *pError = CKR_DEVICE_ERROR;
+    }
+
+    (void)db->db->sync(db->db, 0);
+
+    (void)NSSCKFWMutex_Unlock(db->crustylock);
+  }
+
+ loser:  
+  if( (NSSArena *)NULL != tmparena ) {
+    (void)NSSArena_Destroy(tmparena);
+  }
+
+  return rv;
+}
+
+
+NSS_IMPLEMENT CK_RV
+nss_dbm_db_find_objects
+(
+  nss_dbm_find_t *find,
+  nss_dbm_db_t *db,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_ULONG *pdbrv
+)
+{
+  CK_RV rv = CKR_OK;
+
+  if( (nss_dbm_db_t *)NULL != db ) {
+    DBT k, v;
+
+    rv = NSSCKFWMutex_Lock(db->crustylock);
+    if( CKR_OK != rv ) {
+      return rv;
+    }
+
+    *pdbrv = db->db->seq(db->db, &k, &v, R_FIRST);
+    while( 0 == *pdbrv ) {
+      CK_ULONG i, j;
+      NSSArena *tmparena = (NSSArena *)NULL;
+      CK_ULONG ulac;
+      CK_ATTRIBUTE_PTR pt;
+
+      if( (k.size < 4) || (0 != memcmp(k.data, PREFIX_OBJECT, 4)) ) {
+        goto nomatch;
+      }
+
+      tmparena = NSSArena_Create();
+
+      rv = nss_dbm_db_unwrap_object(tmparena, &v, &pt, &ulac);
+      if( CKR_OK != rv ) {
+        goto loser;
+      }
+
+      for( i = 0; i < ulAttributeCount; i++ ) {
+        for( j = 0; j < ulac; j++ ) {
+          if( pTemplate[i].type == pt[j].type ) {
+            if( pTemplate[i].ulValueLen != pt[j].ulValueLen ) {
+              goto nomatch;
+            }
+            if( 0 != memcmp(pTemplate[i].pValue, pt[j].pValue, pt[j].ulValueLen) ) {
+              goto nomatch;
+            }
+            break;
+          }
+        }
+        if( j == ulac ) {
+          goto nomatch;
+        }
+      }
+
+      /* entire template matches */
+      {
+        struct nss_dbm_dbt_node *node;
+
+        node = nss_ZNEW(find->arena, struct nss_dbm_dbt_node);
+        if( (struct nss_dbm_dbt_node *)NULL == node ) {
+          rv = CKR_HOST_MEMORY;
+          goto loser;
+        }
+
+        node->dbt = nss_ZNEW(find->arena, nss_dbm_dbt_t);
+        if( (nss_dbm_dbt_t *)NULL == node->dbt ) {
+          rv = CKR_HOST_MEMORY;
+          goto loser;
+        }
+        
+        node->dbt->dbt.size = k.size;
+        node->dbt->dbt.data = nss_ZAlloc(find->arena, k.size);
+        if( (void *)NULL == node->dbt->dbt.data ) {
+          rv = CKR_HOST_MEMORY;
+          goto loser;
+        }
+
+        (void)memcpy(node->dbt->dbt.data, k.data, k.size);
+
+        node->dbt->my_db = db;
+
+        node->next = find->found;
+        find->found = node;
+      }
+
+    nomatch:
+      if( (NSSArena *)NULL != tmparena ) {
+        (void)NSSArena_Destroy(tmparena);
+      }
+      *pdbrv = db->db->seq(db->db, &k, &v, R_NEXT);
+    }
+
+    if( *pdbrv < 0 ) {
+      rv = CKR_DEVICE_ERROR;
+      goto loser;
+    }
+
+    rv = CKR_OK;
+
+  loser:
+    (void)NSSCKFWMutex_Unlock(db->crustylock);
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT CK_BBOOL
+nss_dbm_db_object_still_exists
+(
+  nss_dbm_dbt_t *dbt
+)
+{
+  CK_BBOOL rv;
+  CK_RV ckrv;
+  int dbrv;
+  DBT object;
+
+  ckrv = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
+  if( CKR_OK != ckrv ) {
+    return CK_FALSE;
+  }
+
+  dbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
+  if( 0 == dbrv ) {
+    rv = CK_TRUE;
+  } else {
+    rv = CK_FALSE;
+  }
+
+  (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
+
+  return rv;
+}
+
+NSS_IMPLEMENT CK_ULONG
+nss_dbm_db_get_object_attribute_count
+(
+  nss_dbm_dbt_t *dbt,
+  CK_RV *pError,
+  CK_ULONG *pdbrv
+)
+{
+  CK_ULONG rv = 0;
+  DBT object;
+  CK_ULONG *pulData;
+
+  /* Locked region */
+  {
+    *pError = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
+    if( CKR_OK != *pError ) {
+      return rv;
+    }
+
+    *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
+    if( 0 == *pdbrv ) {
+      ;
+    } else if( *pdbrv > 0 ) {
+      *pError = CKR_OBJECT_HANDLE_INVALID;
+      goto done;
+    } else {
+      *pError = CKR_DEVICE_ERROR;
+      goto done;
+    }
+
+    pulData = (CK_ULONG *)object.data;
+    rv = ntohl(pulData[0]);
+
+  done:
+    (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT CK_RV
+nss_dbm_db_get_object_attribute_types
+(
+  nss_dbm_dbt_t *dbt,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount,
+  CK_ULONG *pdbrv
+)
+{
+  CK_RV rv = CKR_OK;
+  DBT object;
+  CK_ULONG *pulData;
+  CK_ULONG n, i;
+
+  /* Locked region */
+  {
+    rv = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
+    if( CKR_OK != rv ) {
+      return rv;
+    }
+
+    *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
+    if( 0 == *pdbrv ) {
+      ;
+    } else if( *pdbrv > 0 ) {
+      rv = CKR_OBJECT_HANDLE_INVALID;
+      goto done;
+    } else {
+      rv = CKR_DEVICE_ERROR;
+      goto done;
+    }
+
+    pulData = (CK_ULONG *)object.data;
+    n = ntohl(pulData[0]);
+
+    if( ulCount < n ) {
+      rv = CKR_BUFFER_TOO_SMALL;
+      goto done;
+    }
+
+    for( i = 0; i < n; i++ ) {
+      typeArray[i] = ntohl(pulData[1 + i*3]);
+    }
+
+  done:
+    (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT CK_ULONG
+nss_dbm_db_get_object_attribute_size
+(
+  nss_dbm_dbt_t *dbt,
+  CK_ATTRIBUTE_TYPE type,
+  CK_RV *pError,
+  CK_ULONG *pdbrv
+)
+{
+  CK_ULONG rv = 0;
+  DBT object;
+  CK_ULONG *pulData;
+  CK_ULONG n, i;
+
+  /* Locked region */
+  {
+    *pError = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
+    if( CKR_OK != *pError ) {
+      return rv;
+    }
+
+    *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
+    if( 0 == *pdbrv ) {
+      ;
+    } else if( *pdbrv > 0 ) {
+      *pError = CKR_OBJECT_HANDLE_INVALID;
+      goto done;
+    } else {
+      *pError = CKR_DEVICE_ERROR;
+      goto done;
+    }
+
+    pulData = (CK_ULONG *)object.data;
+    n = ntohl(pulData[0]);
+
+    for( i = 0; i < n; i++ ) {
+      if( type == ntohl(pulData[1 + i*3]) ) {
+        rv = ntohl(pulData[2 + i*3]);
+      }
+    }
+
+    if( i == n ) {
+      *pError = CKR_ATTRIBUTE_TYPE_INVALID;
+      goto done;
+    }
+
+  done:
+    (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT NSSItem *
+nss_dbm_db_get_object_attribute
+(
+  nss_dbm_dbt_t *dbt,
+  NSSArena *arena,
+  CK_ATTRIBUTE_TYPE type,
+  CK_RV *pError,
+  CK_ULONG *pdbrv
+)
+{
+  NSSItem *rv = (NSSItem *)NULL;
+  DBT object;
+  CK_ULONG i;
+  NSSArena *tmp = NSSArena_Create();
+  CK_ATTRIBUTE_PTR pTemplate;
+  CK_ULONG ulAttributeCount;
+
+  /* Locked region */
+  {
+    *pError = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
+    if( CKR_OK != *pError ) {
+      goto loser;
+    }
+
+    *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
+    if( 0 == *pdbrv ) {
+      ;
+    } else if( *pdbrv > 0 ) {
+      *pError = CKR_OBJECT_HANDLE_INVALID;
+      goto done;
+    } else {
+      *pError = CKR_DEVICE_ERROR;
+      goto done;
+    }
+
+    *pError = nss_dbm_db_unwrap_object(tmp, &object, &pTemplate, &ulAttributeCount);
+    if( CKR_OK != *pError ) {
+      goto done;
+    }
+
+    for( i = 0; i < ulAttributeCount; i++ ) {
+      if( type == pTemplate[i].type ) {
+        rv = nss_ZNEW(arena, NSSItem);
+        if( (NSSItem *)NULL == rv ) {
+          *pError = CKR_HOST_MEMORY;
+          goto done;
+        }
+        rv->size = pTemplate[i].ulValueLen;
+        rv->data = nss_ZAlloc(arena, rv->size);
+        if( (void *)NULL == rv->data ) {
+          *pError = CKR_HOST_MEMORY;
+          goto done;
+        }
+        (void)memcpy(rv->data, pTemplate[i].pValue, rv->size);
+        break;
+      }
+    }
+    if( ulAttributeCount == i ) {
+      *pError = CKR_ATTRIBUTE_TYPE_INVALID;
+      goto done;
+    }
+
+  done:
+    (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
+  }
+
+ loser:
+  if( (NSSArena *)NULL != tmp ) {
+    NSSArena_Destroy(tmp);
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT CK_RV
+nss_dbm_db_set_object_attribute
+(
+  nss_dbm_dbt_t *dbt,
+  CK_ATTRIBUTE_TYPE type,
+  NSSItem *value,
+  CK_ULONG *pdbrv
+)
+{
+  CK_RV rv = CKR_OK;
+  DBT object;
+  CK_ULONG i;
+  NSSArena *tmp = NSSArena_Create();
+  CK_ATTRIBUTE_PTR pTemplate;
+  CK_ULONG ulAttributeCount;
+
+  /* Locked region */
+  {
+    rv = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
+    if( CKR_OK != rv ) {
+      goto loser;
+    }
+
+    *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
+    if( 0 == *pdbrv ) {
+      ;
+    } else if( *pdbrv > 0 ) {
+      rv = CKR_OBJECT_HANDLE_INVALID;
+      goto done;
+    } else {
+      rv = CKR_DEVICE_ERROR;
+      goto done;
+    }
+
+    rv = nss_dbm_db_unwrap_object(tmp, &object, &pTemplate, &ulAttributeCount);
+    if( CKR_OK != rv ) {
+      goto done;
+    }
+
+    for( i = 0; i < ulAttributeCount; i++ ) {
+      if( type == pTemplate[i].type ) {
+        /* Replacing an existing attribute */
+        pTemplate[i].ulValueLen = value->size;
+        pTemplate[i].pValue = value->data;
+        break;
+      }
+    }
+
+    if( i == ulAttributeCount ) {
+      /* Adding a new attribute */
+      CK_ATTRIBUTE_PTR npt = nss_ZNEWARRAY(tmp, CK_ATTRIBUTE, ulAttributeCount+1);
+      if( (CK_ATTRIBUTE_PTR)NULL == npt ) {
+        rv = CKR_DEVICE_ERROR;
+        goto done;
+      }
+
+      for( i = 0; i < ulAttributeCount; i++ ) {
+        npt[i] = pTemplate[i];
+      }
+
+      npt[ulAttributeCount].type = type;
+      npt[ulAttributeCount].ulValueLen = value->size;
+      npt[ulAttributeCount].pValue = value->data;
+
+      pTemplate = npt;
+      ulAttributeCount++;
+    }
+
+    rv = nss_dbm_db_wrap_object(tmp, pTemplate, ulAttributeCount, &object);
+    if( CKR_OK != rv ) {
+      goto done;
+    }
+
+    *pdbrv = dbt->my_db->db->put(dbt->my_db->db, &dbt->dbt, &object, 0);
+    if( 0 != *pdbrv ) {
+      rv = CKR_DEVICE_ERROR;
+      goto done;
+    }
+
+    (void)dbt->my_db->db->sync(dbt->my_db->db, 0);
+
+  done:
+    (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
+  }
+
+ loser:
+  if( (NSSArena *)NULL != tmp ) {
+    NSSArena_Destroy(tmp);
+  }
+
+  return rv;
+}
diff --git a/security/nss/lib/ckfw/dbm/find.c b/security/nss/lib/ckfw/dbm/find.c
new file mode 100644
index 000000000..81fe5d8fb
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/find.c
@@ -0,0 +1,166 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#include "ckdbm.h"
+
+static void
+nss_dbm_mdFindObjects_Final
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_find_t *find = (nss_dbm_find_t *)mdFindObjects->etc;
+
+  /* Locks might have system resources associated */
+  (void)NSSCKFWMutex_Destroy(find->list_lock);
+  (void)NSSArena_Destroy(find->arena);
+}
+
+
+static NSSCKMDObject *
+nss_dbm_mdFindObjects_Next
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+)
+{
+  nss_dbm_find_t *find = (nss_dbm_find_t *)mdFindObjects->etc;
+  struct nss_dbm_dbt_node *node;
+  nss_dbm_object_t *object;
+  NSSCKMDObject *rv;
+
+  while(1) {
+    /* Lock */
+    {
+      *pError = NSSCKFWMutex_Lock(find->list_lock);
+      if( CKR_OK != *pError ) {
+        return (NSSCKMDObject *)NULL;
+      }
+      
+      node = find->found;
+      if( (struct nss_dbm_dbt_node *)NULL != node ) {
+        find->found = node->next;
+      }
+      
+      *pError = NSSCKFWMutex_Unlock(find->list_lock);
+      if( CKR_OK != *pError ) {
+        /* screwed now */
+        return (NSSCKMDObject *)NULL;
+      }
+    }
+
+    if( (struct nss_dbm_dbt_node *)NULL == node ) {
+      break;
+    }
+
+    if( nss_dbm_db_object_still_exists(node->dbt) ) {
+      break;
+    }
+  }
+
+  if( (struct nss_dbm_dbt_node *)NULL == node ) {
+    *pError = CKR_OK;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  object = nss_ZNEW(arena, nss_dbm_object_t);
+  if( (nss_dbm_object_t *)NULL == object ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  object->arena = arena;
+  object->handle = nss_ZNEW(arena, nss_dbm_dbt_t);
+  if( (nss_dbm_dbt_t *)NULL == object->handle ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  object->handle->my_db = node->dbt->my_db;
+  object->handle->dbt.size = node->dbt->dbt.size;
+  object->handle->dbt.data = nss_ZAlloc(arena, node->dbt->dbt.size);
+  if( (void *)NULL == object->handle->dbt.data ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  (void)memcpy(object->handle->dbt.data, node->dbt->dbt.data, node->dbt->dbt.size);
+
+  rv = nss_dbm_mdObject_factory(object, pError);
+  if( (NSSCKMDObject *)NULL == rv ) {
+    return (NSSCKMDObject *)NULL;
+  }
+
+  return rv;
+}
+
+NSS_IMPLEMENT NSSCKMDFindObjects *
+nss_dbm_mdFindObjects_factory
+(
+  nss_dbm_find_t *find,
+  CK_RV *pError
+)
+{
+  NSSCKMDFindObjects *rv;
+
+  rv = nss_ZNEW(find->arena, NSSCKMDFindObjects);
+  if( (NSSCKMDFindObjects *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDFindObjects *)NULL;
+  }
+
+  rv->etc = (void *)find;
+  rv->Final = nss_dbm_mdFindObjects_Final;
+  rv->Next = nss_dbm_mdFindObjects_Next;
+
+  return rv;
+}
diff --git a/security/nss/lib/ckfw/dbm/instance.c b/security/nss/lib/ckfw/dbm/instance.c
new file mode 100644
index 000000000..70681803f
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/instance.c
@@ -0,0 +1,196 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#include "ckdbm.h"
+
+static CK_RV
+nss_dbm_mdInstance_Initialize
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  NSSUTF8 *configurationData
+)
+{
+  CK_RV rv = CKR_OK;
+  NSSArena *arena;
+  nss_dbm_instance_t *instance;
+
+  arena = NSSCKFWInstance_GetArena(fwInstance, &rv);
+  if( ((NSSArena *)NULL == arena) && (CKR_OK != rv) ) {
+    return rv;
+  }
+
+  instance = nss_ZNEW(arena, nss_dbm_instance_t);
+  if( (nss_dbm_instance_t *)NULL == instance ) {
+    return CKR_HOST_MEMORY;
+  }
+
+  instance->arena = arena;
+
+  /*
+   * This should parse the configuration data for information on
+   * number and locations of databases, modes (e.g. readonly), etc.
+   * But for now, we'll have one slot with a creatable read-write
+   * database called "cert8.db."
+   */
+
+  instance->nSlots = 1;
+  instance->filenames = nss_ZNEWARRAY(arena, char *, instance->nSlots);
+  if( (char **)NULL == instance->filenames ) {
+    return CKR_HOST_MEMORY;
+  }
+
+  instance->flags = nss_ZNEWARRAY(arena, int, instance->nSlots);
+  if( (int *)NULL == instance->flags ) {
+    return CKR_HOST_MEMORY;
+  }
+
+  instance->filenames[0] = "cert8.db";
+  instance->flags[0] = O_RDWR|O_CREAT;
+
+  mdInstance->etc = (void *)instance;
+  return CKR_OK;
+}
+
+/* nss_dbm_mdInstance_Finalize is not required */
+
+static CK_ULONG
+nss_dbm_mdInstance_GetNSlots
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  nss_dbm_instance_t *instance = (nss_dbm_instance_t *)mdInstance->etc;
+  return instance->nSlots;
+}
+
+static CK_VERSION
+nss_dbm_mdInstance_GetCryptokiVersion
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance
+)
+{
+  static CK_VERSION rv = { 2, 1 };
+  return rv;
+}
+
+static NSSUTF8 *
+nss_dbm_mdInstance_GetManufacturerID
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return "Netscape Communications Corp.";
+}
+
+static NSSUTF8 *
+nss_dbm_mdInstance_GetLibraryDescription
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return "Berkeley Database Module";
+}
+
+static CK_VERSION
+nss_dbm_mdInstance_GetLibraryVersion
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance
+)
+{
+  static CK_VERSION rv = { 1, 0 }; /* My own version number */
+  return rv;
+}
+
+static CK_BBOOL
+nss_dbm_mdInstance_ModuleHandlesSessionObjects
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance
+)
+{
+  return CK_TRUE;
+}
+
+static CK_RV
+nss_dbm_mdInstance_GetSlots
+(
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDSlot *slots[]
+)
+{
+  nss_dbm_instance_t *instance = (nss_dbm_instance_t *)mdInstance->etc;
+  CK_ULONG i;
+  CK_RV rv = CKR_OK;
+
+  for( i = 0; i < instance->nSlots; i++ ) {
+    slots[i] = nss_dbm_mdSlot_factory(instance, instance->filenames[i], 
+                                      instance->flags[i], &rv);
+    if( (NSSCKMDSlot *)NULL == slots[i] ) {
+      return rv;
+    }
+  }
+
+  return rv;
+}
+
+/* nss_dbm_mdInstance_WaitForSlotEvent is not relevant */
+
+NSS_IMPLEMENT_DATA NSSCKMDInstance 
+nss_dbm_mdInstance = {
+  NULL, /* etc; filled in later */
+  nss_dbm_mdInstance_Initialize,
+  NULL, /* nss_dbm_mdInstance_Finalize */
+  nss_dbm_mdInstance_GetNSlots,
+  nss_dbm_mdInstance_GetCryptokiVersion,
+  nss_dbm_mdInstance_GetManufacturerID,
+  nss_dbm_mdInstance_GetLibraryDescription,
+  nss_dbm_mdInstance_GetLibraryVersion,
+  nss_dbm_mdInstance_ModuleHandlesSessionObjects,
+  nss_dbm_mdInstance_GetSlots,
+  NULL, /* nss_dbm_mdInstance_WaitForSlotEvent */
+  NULL /* terminator */
+};
diff --git a/security/nss/lib/ckfw/dbm/manifest.mn b/security/nss/lib/ckfw/dbm/manifest.mn
new file mode 100644
index 000000000..193e46bef
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/manifest.mn
@@ -0,0 +1,54 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+CORE_DEPTH = ../../../..
+
+MODULE = security
+
+CSRCS =		   \
+	anchor.c   \
+	instance.c \
+	slot.c	   \
+	token.c	   \
+	session.c  \
+	object.c   \
+	find.c	   \
+	db.c	   \
+	$(NULL)
+
+REQUIRES = security dbm nspr
+
+LIBRARY_NAME = nssckdbm
+
+EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -ldbm -lnspr4 -lplc4 -lplds4
diff --git a/security/nss/lib/ckfw/dbm/object.c b/security/nss/lib/ckfw/dbm/object.c
new file mode 100644
index 000000000..2bd7578fd
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/object.c
@@ -0,0 +1,204 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#include "ckdbm.h"
+
+static void
+nss_dbm_mdObject_Finalize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  ;
+}
+
+static CK_RV
+nss_dbm_mdObject_Destroy
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
+  return nss_dbm_db_delete_object(object->handle);
+}
+
+static CK_ULONG
+nss_dbm_mdObject_GetAttributeCount
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  return nss_dbm_db_get_object_attribute_count(object->handle, pError, 
+                                               &session->deviceError);
+}
+
+static CK_RV
+nss_dbm_mdObject_GetAttributeTypes
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount
+)
+{
+  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  return nss_dbm_db_get_object_attribute_types(object->handle, typeArray,
+                                               ulCount, &session->deviceError);
+}
+
+static CK_ULONG
+nss_dbm_mdObject_GetAttributeSize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  return nss_dbm_db_get_object_attribute_size(object->handle, attribute, pError, 
+                                              &session->deviceError);
+}
+
+static NSSItem *
+nss_dbm_mdObject_GetAttribute
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  return nss_dbm_db_get_object_attribute(object->handle, object->arena, attribute,
+                                         pError, &session->deviceError);
+}
+
+static CK_RV
+nss_dbm_mdObject_SetAttribute
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSItem *value
+)
+{
+  nss_dbm_object_t *object = (nss_dbm_object_t *)mdObject->etc;
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  return nss_dbm_db_set_object_attribute(object->handle, attribute, value,
+                                         &session->deviceError);
+}
+
+NSS_IMPLEMENT NSSCKMDObject *
+nss_dbm_mdObject_factory
+(
+  nss_dbm_object_t *object,
+  CK_RV *pError
+)
+{
+  NSSCKMDObject *rv;
+
+  rv = nss_ZNEW(object->arena, NSSCKMDObject);
+  if( (NSSCKMDObject *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  rv->etc = (void *)object;
+  rv->Finalize = nss_dbm_mdObject_Finalize;
+  rv->Destroy = nss_dbm_mdObject_Destroy;
+  /*  IsTokenObject can be deferred */
+  rv->GetAttributeCount = nss_dbm_mdObject_GetAttributeCount;
+  rv->GetAttributeTypes = nss_dbm_mdObject_GetAttributeTypes;
+  rv->GetAttributeSize = nss_dbm_mdObject_GetAttributeSize;
+  rv->GetAttribute = nss_dbm_mdObject_GetAttribute;
+  rv->SetAttribute = nss_dbm_mdObject_SetAttribute;
+  /*  GetObjectSize can be deferred */
+
+  return rv;
+}
diff --git a/security/nss/lib/ckfw/dbm/session.c b/security/nss/lib/ckfw/dbm/session.c
new file mode 100644
index 000000000..c0969d948
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/session.c
@@ -0,0 +1,298 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#include "ckdbm.h"
+
+static void
+nss_dbm_mdSession_Close
+(
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+
+  struct nss_dbm_dbt_node *w;
+
+  /* Lock */
+  {
+    if( CKR_OK != NSSCKFWMutex_Lock(session->list_lock) ) {
+      return;
+    }
+
+    w = session->session_objects;
+    session->session_objects = (struct nss_dbm_dbt_node *)NULL; /* sanity */
+    
+    (void)NSSCKFWMutex_Unlock(session->list_lock);
+  }
+
+  for( ; (struct nss_dbm_dbt_node *)NULL != w; w = w->next ) {
+    (void)nss_dbm_db_delete_object(w->dbt);
+  }
+}
+
+static CK_ULONG
+nss_dbm_mdSession_GetDeviceError
+(
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  return session->deviceError;
+}
+
+/* Login isn't needed */
+/* Logout isn't needed */
+/* InitPIN is irrelevant */
+/* SetPIN is irrelevant */
+/* GetOperationStateLen is irrelevant */
+/* GetOperationState is irrelevant */
+/* SetOperationState is irrelevant */
+
+static NSSCKMDObject *
+nss_dbm_mdSession_CreateObject
+(
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSArena *handyArenaPointer,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+  CK_ULONG i;
+  CK_BBOOL isToken = CK_FALSE; /* defaults to false */
+  NSSCKMDObject *rv;
+  struct nss_dbm_dbt_node *node = (struct nss_dbm_dbt_node *)NULL;
+  nss_dbm_object_t *object;
+  nss_dbm_db_t *which_db;
+
+  /* This framework should really pass this to me */
+  for( i = 0; i < ulAttributeCount; i++ ) {
+    if( CKA_TOKEN == pTemplate[i].type ) {
+      isToken = *(CK_BBOOL *)pTemplate[i].pValue;
+      break;
+    }
+  }
+
+  object = nss_ZNEW(handyArenaPointer, nss_dbm_object_t);
+  if( (nss_dbm_object_t *)NULL == object ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  object->arena = handyArenaPointer;
+  which_db = isToken ? token->slot->token_db : token->session_db;
+
+  /* Do this before the actual database call; it's easier to recover from */
+  rv = nss_dbm_mdObject_factory(object, pError);
+  if( (NSSCKMDObject *)NULL == rv ) {
+    return (NSSCKMDObject *)NULL;
+  }
+
+  if( CK_FALSE == isToken ) {
+    node = nss_ZNEW(session->arena, struct nss_dbm_dbt_node);
+    if( (struct nss_dbm_dbt_node *)NULL == node ) {
+      *pError = CKR_HOST_MEMORY;
+      return (NSSCKMDObject *)NULL;
+    }
+  }
+
+  object->handle = nss_dbm_db_create_object(handyArenaPointer, which_db, 
+                                            pTemplate, ulAttributeCount,
+                                            pError, &session->deviceError);
+  if( (nss_dbm_dbt_t *)NULL == object->handle ) {
+    return (NSSCKMDObject *)NULL;
+  }
+
+  if( CK_FALSE == isToken ) {
+    node->dbt = object->handle;
+    /* Lock */
+    {
+      *pError = NSSCKFWMutex_Lock(session->list_lock);
+      if( CKR_OK != *pError ) {
+        (void)nss_dbm_db_delete_object(object->handle);
+        return (NSSCKMDObject *)NULL;
+      }
+      
+      node->next = session->session_objects;
+      session->session_objects = node;
+      
+      *pError = NSSCKFWMutex_Unlock(session->list_lock);
+    }
+  }
+
+  return rv;
+}
+
+/* CopyObject isn't needed; the framework will use CreateObject */
+
+static NSSCKMDFindObjects *
+nss_dbm_mdSession_FindObjectsInit
+(
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  nss_dbm_session_t *session = (nss_dbm_session_t *)mdSession->etc;
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+  NSSArena *arena;
+  nss_dbm_find_t *find;
+  NSSCKMDFindObjects *rv;
+
+  arena = NSSArena_Create();
+  if( (NSSArena *)NULL == arena ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  find = nss_ZNEW(arena, nss_dbm_find_t);
+  if( (nss_dbm_find_t *)NULL == find ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  find->arena = arena;
+  find->list_lock = NSSCKFWInstance_CreateMutex(fwInstance, arena, pError);
+  if( (NSSCKFWMutex *)NULL == find->list_lock ) {
+    goto loser;
+  }
+
+  *pError = nss_dbm_db_find_objects(find, token->slot->token_db, pTemplate, 
+                                    ulAttributeCount, &session->deviceError);
+  if( CKR_OK != *pError ) {
+    goto loser;
+  }
+
+  *pError = nss_dbm_db_find_objects(find, token->session_db, pTemplate, 
+                                    ulAttributeCount, &session->deviceError);
+  if( CKR_OK != *pError ) {
+    goto loser;
+  }
+
+  rv = nss_dbm_mdFindObjects_factory(find, pError);
+  if( (NSSCKMDFindObjects *)NULL == rv ) {
+    goto loser;
+  }
+
+  return rv;
+
+ loser:
+  if( (NSSArena *)NULL != arena ) {
+    (void)NSSArena_Destroy(arena);
+  }
+
+  return (NSSCKMDFindObjects *)NULL;
+}
+
+/* SeedRandom is irrelevant */
+/* GetRandom is irrelevant */
+
+NSS_IMPLEMENT NSSCKMDSession *
+nss_dbm_mdSession_factory
+(
+  nss_dbm_token_t *token,
+  NSSCKFWSession *fwSession,
+  NSSCKFWInstance *fwInstance,
+  CK_BBOOL rw,
+  CK_RV *pError
+)
+{
+  NSSArena *arena;
+  nss_dbm_session_t *session;
+  NSSCKMDSession *rv;
+
+  arena = NSSCKFWSession_GetArena(fwSession, pError);
+
+  session = nss_ZNEW(arena, nss_dbm_session_t);
+  if( (nss_dbm_session_t *)NULL == session ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDSession *)NULL;
+  }
+
+  rv = nss_ZNEW(arena, NSSCKMDSession);
+  if( (NSSCKMDSession *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDSession *)NULL;
+  }
+
+  session->arena = arena;
+  session->token = token;
+  session->list_lock = NSSCKFWInstance_CreateMutex(fwInstance, arena, pError);
+  if( (NSSCKFWMutex *)NULL == session->list_lock ) {
+    return (NSSCKMDSession *)NULL;
+  }
+
+  rv->etc = (void *)session;
+  rv->Close = nss_dbm_mdSession_Close;
+  rv->GetDeviceError = nss_dbm_mdSession_GetDeviceError;
+  /*  Login isn't needed */
+  /*  Logout isn't needed */
+  /*  InitPIN is irrelevant */
+  /*  SetPIN is irrelevant */
+  /*  GetOperationStateLen is irrelevant */
+  /*  GetOperationState is irrelevant */
+  /*  SetOperationState is irrelevant */
+  rv->CreateObject = nss_dbm_mdSession_CreateObject;
+  /*  CopyObject isn't needed; the framework will use CreateObject */
+  rv->FindObjectsInit = nss_dbm_mdSession_FindObjectsInit;
+  rv->null = NULL;
+
+  return rv;
+}
diff --git a/security/nss/lib/ckfw/dbm/slot.c b/security/nss/lib/ckfw/dbm/slot.c
new file mode 100644
index 000000000..40898897a
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/slot.c
@@ -0,0 +1,214 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#include "ckdbm.h"
+
+static CK_RV
+nss_dbm_mdSlot_Initialize
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_slot_t *slot = (nss_dbm_slot_t *)mdSlot->etc;
+  nss_dbm_instance_t *instance = (nss_dbm_instance_t *)mdInstance->etc;
+  CK_RV rv = CKR_OK;
+
+  slot->token_db = nss_dbm_db_open(instance->arena, fwInstance, slot->filename, 
+                                   slot->flags, &rv);
+  if( (nss_dbm_db_t *)NULL == slot->token_db ) {
+    if( CKR_TOKEN_NOT_PRESENT == rv ) {
+      /* This is not an error-- just means "the token isn't there" */
+      rv = CKR_OK;
+    }
+  }
+
+  return rv;
+}
+
+static void
+nss_dbm_mdSlot_Destroy
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_slot_t *slot = (nss_dbm_slot_t *)mdSlot->etc;
+
+  if( (nss_dbm_db_t *)NULL != slot->token_db ) {
+    nss_dbm_db_close(slot->token_db);
+    slot->token_db = (nss_dbm_db_t *)NULL;
+  }
+}
+
+static NSSUTF8 *
+nss_dbm_mdSlot_GetSlotDescription
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return "Database";
+}
+
+static NSSUTF8 *
+nss_dbm_mdSlot_GetManufacturerID
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return "Berkeley";
+}
+
+static CK_BBOOL
+nss_dbm_mdSlot_GetTokenPresent
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_slot_t *slot = (nss_dbm_slot_t *)mdSlot->etc;
+
+  if( (nss_dbm_db_t *)NULL == slot->token_db ) {
+    return CK_FALSE;
+  } else {
+    return CK_TRUE;
+  }
+}
+
+static CK_BBOOL
+nss_dbm_mdSlot_GetRemovableDevice
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance
+)
+{
+  /*
+   * Well, this supports "tokens" (databases) that aren't there, so in
+   * that sense they're removable.  It'd be nice to handle databases
+   * that suddenly disappear (NFS-mounted home directories and network
+   * errors, for instance) but that's a harder problem.  We'll say
+   * we support removable devices, badly.
+   */
+
+  return CK_TRUE;
+}
+
+/* nss_dbm_mdSlot_GetHardwareSlot defaults to CK_FALSE */
+/* 
+ * nss_dbm_mdSlot_GetHardwareVersion
+ * nss_dbm_mdSlot_GetFirmwareVersion
+ *
+ * These are kinda fuzzy concepts here.  I suppose we could return the
+ * Berkeley DB version for one of them, if we had an actual number we
+ * were confident in.  But mcom's "dbm" has been hacked enough that I
+ * don't really know from what "real" version it stems..
+ */
+
+static NSSCKMDToken *
+nss_dbm_mdSlot_GetToken
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,                                    
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  nss_dbm_slot_t *slot = (nss_dbm_slot_t *)mdSlot->etc;
+  return nss_dbm_mdToken_factory(slot, pError);
+}
+
+NSS_IMPLEMENT NSSCKMDSlot *
+nss_dbm_mdSlot_factory
+(
+  nss_dbm_instance_t *instance,
+  char *filename,
+  int flags,
+  CK_RV *pError
+)
+{
+  nss_dbm_slot_t *slot;
+  NSSCKMDSlot *rv;
+
+  slot = nss_ZNEW(instance->arena, nss_dbm_slot_t);
+  if( (nss_dbm_slot_t *)NULL == slot ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDSlot *)NULL;
+  }
+
+  slot->instance = instance;
+  slot->filename = filename;
+  slot->flags = flags;
+  slot->token_db = (nss_dbm_db_t *)NULL;
+
+  rv = nss_ZNEW(instance->arena, NSSCKMDSlot);
+  if( (NSSCKMDSlot *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDSlot *)NULL;
+  }
+
+  rv->etc = (void *)slot;
+  rv->Initialize = nss_dbm_mdSlot_Initialize;
+  rv->Destroy = nss_dbm_mdSlot_Destroy;
+  rv->GetSlotDescription = nss_dbm_mdSlot_GetSlotDescription;
+  rv->GetManufacturerID = nss_dbm_mdSlot_GetManufacturerID;
+  rv->GetTokenPresent = nss_dbm_mdSlot_GetTokenPresent;
+  rv->GetRemovableDevice = nss_dbm_mdSlot_GetRemovableDevice;
+  /*  GetHardwareSlot */
+  /*  GetHardwareVersion */
+  /*  GetFirmwareVersion */
+  rv->GetToken = nss_dbm_mdSlot_GetToken;
+  rv->null = (void *)NULL;
+
+  return rv;
+}
diff --git a/security/nss/lib/ckfw/dbm/token.c b/security/nss/lib/ckfw/dbm/token.c
new file mode 100644
index 000000000..7c7fbf9e5
--- /dev/null
+++ b/security/nss/lib/ckfw/dbm/token.c
@@ -0,0 +1,315 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#include "ckdbm.h"
+
+static CK_RV
+nss_dbm_mdToken_Setup
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+  CK_RV rv = CKR_OK;
+
+  token->arena = NSSCKFWToken_GetArena(fwToken, &rv);
+  token->session_db = nss_dbm_db_open(token->arena, fwInstance, (char *)NULL, 
+                                      O_RDWR|O_CREAT, &rv);
+  if( (nss_dbm_db_t *)NULL == token->session_db ) {
+    return rv;
+  }
+
+  /* Add a label record if there isn't one? */
+
+  return CKR_OK;
+}
+
+static void
+nss_dbm_mdToken_Invalidate
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+
+  if( (nss_dbm_db_t *)NULL != token->session_db ) {
+    nss_dbm_db_close(token->session_db);
+    token->session_db = (nss_dbm_db_t *)NULL;
+  }
+}
+
+static CK_RV
+nss_dbm_mdToken_InitToken
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSItem *pin,
+  NSSUTF8 *label
+)
+{
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+  nss_dbm_instance_t *instance = (nss_dbm_instance_t *)mdInstance->etc;
+  CK_RV rv;
+
+  /* Wipe the session object data */
+  
+  if( (nss_dbm_db_t *)NULL != token->session_db ) {
+    nss_dbm_db_close(token->session_db);
+  }
+
+  token->session_db = nss_dbm_db_open(token->arena, fwInstance, (char *)NULL, 
+                                      O_RDWR|O_CREAT, &rv);
+  if( (nss_dbm_db_t *)NULL == token->session_db ) {
+    return rv;
+  }
+
+  /* Wipe the token object data */
+
+  if( token->slot->flags & O_RDWR ) {
+    if( (nss_dbm_db_t *)NULL != token->slot->token_db ) {
+      nss_dbm_db_close(token->slot->token_db);
+    }
+
+    token->slot->token_db = nss_dbm_db_open(instance->arena, fwInstance, 
+                                            token->slot->filename,
+                                            token->slot->flags | O_CREAT | O_TRUNC, 
+                                            &rv);
+    if( (nss_dbm_db_t *)NULL == token->slot->token_db ) {
+      return rv;
+    }
+
+    /* PIN is irrelevant */
+
+    rv = nss_dbm_db_set_label(token->slot->token_db, label);
+    if( CKR_OK != rv ) {
+      return rv;
+    }
+  }
+
+  return CKR_OK;
+}
+
+static NSSUTF8 *
+nss_dbm_mdToken_GetLabel
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+
+  if( (NSSUTF8 *)NULL == token->label ) {
+    token->label = nss_dbm_db_get_label(token->slot->token_db, token->arena, pError);
+  }
+
+  /* If no label has been set, return *something* */
+  if( (NSSUTF8 *)NULL == token->label ) {
+    return token->slot->filename;
+  }
+
+  return token->label;
+}
+
+static NSSUTF8 *
+nss_dbm_mdToken_GetManufacturerID
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return "mozilla.org NSS";
+}
+
+static NSSUTF8 *
+nss_dbm_mdToken_GetModel
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return "dbm";
+}
+
+/* GetSerialNumber is irrelevant */
+/* GetHasRNG defaults to CK_FALSE */
+
+static CK_BBOOL
+nss_dbm_mdToken_GetIsWriteProtected
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+
+  if( token->slot->flags & O_RDWR ) {
+    return CK_FALSE;
+  } else {
+    return CK_TRUE;
+  }
+}
+
+/* GetLoginRequired defaults to CK_FALSE */
+/* GetUserPinInitialized defaults to CK_FALSE */
+/* GetRestoreKeyNotNeeded is irrelevant */
+/* GetHasClockOnToken defaults to CK_FALSE */
+/* GetHasProtectedAuthenticationPath defaults to CK_FALSE */
+/* GetSupportsDualCryptoOperations is irrelevant */
+
+static CK_ULONG
+nss_dbm_mdToken_effectively_infinite
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return CK_EFFECTIVELY_INFINITE;
+}
+
+static CK_VERSION
+nss_dbm_mdToken_GetHardwareVersion
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+  return nss_dbm_db_get_format_version(token->slot->token_db);
+}
+
+/* GetFirmwareVersion is irrelevant */
+/* GetUTCTime is irrelevant */
+
+static NSSCKMDSession *
+nss_dbm_mdToken_OpenSession
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWSession *fwSession,
+  CK_BBOOL rw,
+  CK_RV *pError
+)
+{
+  nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
+  return nss_dbm_mdSession_factory(token, fwSession, fwInstance, rw, pError);
+}
+
+/* GetMechanismCount defaults to zero */
+/* GetMechanismTypes is irrelevant */
+/* GetMechanism is irrelevant */
+
+NSS_IMPLEMENT NSSCKMDToken *
+nss_dbm_mdToken_factory
+(
+  nss_dbm_slot_t *slot,
+  CK_RV *pError
+)
+{
+  nss_dbm_token_t *token;
+  NSSCKMDToken *rv;
+
+  token = nss_ZNEW(slot->instance->arena, nss_dbm_token_t);
+  if( (nss_dbm_token_t *)NULL == token ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDToken *)NULL;
+  }
+
+  rv = nss_ZNEW(slot->instance->arena, NSSCKMDToken);
+  if( (NSSCKMDToken *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDToken *)NULL;
+  }
+
+  token->slot = slot;
+
+  rv->etc = (void *)token;
+  rv->Setup = nss_dbm_mdToken_Setup;
+  rv->Invalidate = nss_dbm_mdToken_Invalidate;
+  rv->InitToken = nss_dbm_mdToken_InitToken;
+  rv->GetLabel = nss_dbm_mdToken_GetLabel;
+  rv->GetManufacturerID = nss_dbm_mdToken_GetManufacturerID;
+  rv->GetModel = nss_dbm_mdToken_GetModel;
+  /*  GetSerialNumber is irrelevant */
+  /*  GetHasRNG defaults to CK_FALSE */
+  rv->GetIsWriteProtected = nss_dbm_mdToken_GetIsWriteProtected;
+  /*  GetLoginRequired defaults to CK_FALSE */
+  /*  GetUserPinInitialized defaults to CK_FALSE */
+  /*  GetRestoreKeyNotNeeded is irrelevant */
+  /*  GetHasClockOnToken defaults to CK_FALSE */
+  /*  GetHasProtectedAuthenticationPath defaults to CK_FALSE */
+  /*  GetSupportsDualCryptoOperations is irrelevant */
+  rv->GetMaxSessionCount = nss_dbm_mdToken_effectively_infinite;
+  rv->GetMaxRwSessionCount = nss_dbm_mdToken_effectively_infinite;
+  /*  GetMaxPinLen is irrelevant */
+  /*  GetMinPinLen is irrelevant */
+  /*  GetTotalPublicMemory defaults to CK_UNAVAILABLE_INFORMATION */
+  /*  GetFreePublicMemory defaults to CK_UNAVAILABLE_INFORMATION */
+  /*  GetTotalPrivateMemory defaults to CK_UNAVAILABLE_INFORMATION */
+  /*  GetFreePrivateMemory defaults to CK_UNAVAILABLE_INFORMATION */
+  rv->GetHardwareVersion = nss_dbm_mdToken_GetHardwareVersion;
+  /*  GetFirmwareVersion is irrelevant */
+  /*  GetUTCTime is irrelevant */
+  rv->OpenSession = nss_dbm_mdToken_OpenSession;
+  rv->null = NULL;
+
+  return rv;
+}
diff --git a/security/nss/lib/ckfw/find.c b/security/nss/lib/ckfw/find.c
new file mode 100644
index 000000000..2569fa100
--- /dev/null
+++ b/security/nss/lib/ckfw/find.c
@@ -0,0 +1,410 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * find.c
+ *
+ * This file implements the nssCKFWFindObjects type and methods.
+ */
+
+#ifndef CK_H
+#include "ck.h"
+#endif /* CK_H */
+
+/*
+ * NSSCKFWFindObjects
+ *
+ *  -- create/destroy --
+ *  nssCKFWFindObjects_Create
+ *  nssCKFWFindObjects_Destroy
+ *
+ *  -- public accessors --
+ *  NSSCKFWFindObjects_GetMDFindObjects
+ * 
+ *  -- implement public accessors --
+ *  nssCKFWFindObjects_GetMDFindObjects
+ *
+ *  -- private accessors --
+ *
+ *  -- module fronts --
+ *  nssCKFWFindObjects_Next
+ */
+
+struct NSSCKFWFindObjectsStr {
+  NSSCKFWMutex *mutex; /* merely to serialise the MDObject calls */
+  NSSCKMDFindObjects *mdfo1;
+  NSSCKMDFindObjects *mdfo2;
+  NSSCKFWSession *fwSession;
+  NSSCKMDSession *mdSession;
+  NSSCKFWToken *fwToken;
+  NSSCKMDToken *mdToken;
+  NSSCKFWInstance *fwInstance;
+  NSSCKMDInstance *mdInstance;
+
+  NSSCKMDFindObjects *mdFindObjects; /* varies */
+};
+
+#ifdef DEBUG
+/*
+ * But first, the pointer-tracking stuff.
+ *
+ * NOTE: the pointer-tracking support in NSS/base currently relies
+ * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
+ * locking, which is tied into the runtime.  We need a pointer-tracker
+ * implementation that uses the locks supplied through C_Initialize.
+ * That support, however, can be filled in later.  So for now, I'll
+ * just do these routines as no-ops.
+ */
+
+static CK_RV
+findObjects_add_pointer
+(
+  const NSSCKFWFindObjects *fwFindObjects
+)
+{
+  return CKR_OK;
+}
+
+static CK_RV
+findObjects_remove_pointer
+(
+  const NSSCKFWFindObjects *fwFindObjects
+)
+{
+  return CKR_OK;
+}
+
+NSS_IMPLEMENT CK_RV
+nssCKFWFindObjects_verifyPointer
+(
+  const NSSCKFWFindObjects *fwFindObjects
+)
+{
+  return CKR_OK;
+}
+
+#endif /* DEBUG */
+
+/*
+ * nssCKFWFindObjects_Create
+ *
+ */
+NSS_EXTERN NSSCKFWFindObjects *
+nssCKFWFindObjects_Create
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWToken *fwToken,
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDFindObjects *mdFindObjects1,
+  NSSCKMDFindObjects *mdFindObjects2,
+  CK_RV *pError
+)
+{
+  NSSCKFWFindObjects *fwFindObjects = NULL;
+  NSSArena *arena;
+  NSSCKMDSession *mdSession;
+  NSSCKMDToken *mdToken;
+  NSSCKMDInstance *mdInstance;
+
+  mdSession = nssCKFWSession_GetMDSession(fwSession);
+  mdToken = nssCKFWToken_GetMDToken(fwToken);
+  mdInstance = nssCKFWInstance_GetMDInstance(fwInstance);
+
+#ifdef notdef
+  arena = nssCKFWSession_GetArena(fwSession, pError);
+  if( (NSSArena *)NULL == arena ) {
+    goto loser;
+  }
+#endif
+
+  fwFindObjects = nss_ZNEW(NULL, NSSCKFWFindObjects);
+  if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  fwFindObjects->mdfo1 = mdFindObjects1;
+  fwFindObjects->mdfo2 = mdFindObjects2;
+  fwFindObjects->fwSession = fwSession;
+  fwFindObjects->mdSession = mdSession;
+  fwFindObjects->fwToken = fwToken;
+  fwFindObjects->mdToken = mdToken;
+  fwFindObjects->fwInstance = fwInstance;
+  fwFindObjects->mdInstance = mdInstance;
+
+  fwFindObjects->mutex = nssCKFWInstance_CreateMutex(fwInstance, NULL, pError);
+  if( (NSSCKFWMutex *)NULL == fwFindObjects->mutex ) {
+    goto loser;
+  }
+
+#ifdef DEBUG
+  *pError = findObjects_add_pointer(fwFindObjects);
+  if( CKR_OK != *pError ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return fwFindObjects;
+
+ loser:
+  nss_ZFreeIf(fwFindObjects);
+
+  if( (NSSCKMDFindObjects *)NULL != mdFindObjects1 ) {
+    if( (void *)NULL != (void *)mdFindObjects1->Final ) {
+      fwFindObjects->mdFindObjects = mdFindObjects1;
+      mdFindObjects1->Final(mdFindObjects1, fwFindObjects, mdSession, 
+        fwSession, mdToken, fwToken, mdInstance, fwInstance);
+    }
+  }
+
+  if( (NSSCKMDFindObjects *)NULL != mdFindObjects2 ) {
+    if( (void *)NULL != (void *)mdFindObjects2->Final ) {
+      fwFindObjects->mdFindObjects = mdFindObjects2;
+      mdFindObjects2->Final(mdFindObjects2, fwFindObjects, mdSession, 
+        fwSession, mdToken, fwToken, mdInstance, fwInstance);
+    }
+  }
+
+  if( CKR_OK == *pError ) {
+    *pError = CKR_GENERAL_ERROR;
+  }
+
+  return (NSSCKFWFindObjects *)NULL;
+}
+
+
+/*
+ * nssCKFWFindObjects_Destroy
+ *
+ */
+NSS_EXTERN void
+nssCKFWFindObjects_Destroy
+(
+  NSSCKFWFindObjects *fwFindObjects
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWFindObjects_verifyPointer(fwFindObjects) ) {
+    return;
+  }
+#endif /* NSSDEBUG */
+
+  (void)nssCKFWMutex_Destroy(fwFindObjects->mutex);
+
+  if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo1 ) {
+    if( (void *)NULL != (void *)fwFindObjects->mdfo1->Final ) {
+      fwFindObjects->mdFindObjects = fwFindObjects->mdfo1;
+      fwFindObjects->mdfo1->Final(fwFindObjects->mdfo1, fwFindObjects,
+        fwFindObjects->mdSession, fwFindObjects->fwSession, 
+        fwFindObjects->mdToken, fwFindObjects->fwToken,
+        fwFindObjects->mdInstance, fwFindObjects->fwInstance);
+    }
+  }
+
+  if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo2 ) {
+    if( (void *)NULL != (void *)fwFindObjects->mdfo2->Final ) {
+      fwFindObjects->mdFindObjects = fwFindObjects->mdfo2;
+      fwFindObjects->mdfo2->Final(fwFindObjects->mdfo2, fwFindObjects,
+        fwFindObjects->mdSession, fwFindObjects->fwSession, 
+        fwFindObjects->mdToken, fwFindObjects->fwToken,
+        fwFindObjects->mdInstance, fwFindObjects->fwInstance);
+    }
+  }
+
+  nss_ZFreeIf(fwFindObjects);
+
+#ifdef DEBUG
+  (void)findObjects_remove_pointer(fwFindObjects);
+#endif /* DEBUG */
+
+  return;
+}
+
+/*
+ * nssCKFWFindObjects_GetMDFindObjects
+ *
+ */
+NSS_EXTERN NSSCKMDFindObjects *
+nssCKFWFindObjects_GetMDFindObjects
+(
+  NSSCKFWFindObjects *fwFindObjects
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWFindObjects_verifyPointer(fwFindObjects) ) {
+    return (NSSCKMDFindObjects *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwFindObjects->mdFindObjects;
+}
+
+/*
+ * nssCKFWFindObjects_Next
+ *
+ */
+NSS_EXTERN NSSCKFWObject *
+nssCKFWFindObjects_Next
+(
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSArena *arenaOpt,
+  CK_RV *pError
+)
+{
+  NSSCKMDObject *mdObject;
+  NSSCKFWObject *fwObject = (NSSCKFWObject *)NULL;
+  NSSArena *objArena;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  *pError = nssCKFWFindObjects_verifyPointer(fwFindObjects);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWObject *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  *pError = nssCKFWMutex_Lock(fwFindObjects->mutex);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo1 ) {
+    if( (void *)NULL != (void *)fwFindObjects->mdfo1->Next ) {
+      fwFindObjects->mdFindObjects = fwFindObjects->mdfo1;
+      mdObject = fwFindObjects->mdfo1->Next(fwFindObjects->mdfo1,
+        fwFindObjects, fwFindObjects->mdSession, fwFindObjects->fwSession,
+        fwFindObjects->mdToken, fwFindObjects->fwToken, 
+        fwFindObjects->mdInstance, fwFindObjects->fwInstance,
+        arenaOpt, pError);
+      if( (NSSCKMDObject *)NULL == mdObject ) {
+        if( CKR_OK != *pError ) {
+          goto done;
+        }
+
+        /* All done. */
+        fwFindObjects->mdfo1->Final(fwFindObjects->mdfo1, fwFindObjects,
+          fwFindObjects->mdSession, fwFindObjects->fwSession,
+          fwFindObjects->mdToken, fwFindObjects->fwToken, 
+          fwFindObjects->mdInstance, fwFindObjects->fwInstance);
+        fwFindObjects->mdfo1 = (NSSCKMDFindObjects *)NULL;
+      } else {
+        goto wrap;
+      }
+    }
+  }
+
+  if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo2 ) {
+    if( (void *)NULL != (void *)fwFindObjects->mdfo2->Next ) {
+      fwFindObjects->mdFindObjects = fwFindObjects->mdfo2;
+      mdObject = fwFindObjects->mdfo2->Next(fwFindObjects->mdfo2,
+        fwFindObjects, fwFindObjects->mdSession, fwFindObjects->fwSession,
+        fwFindObjects->mdToken, fwFindObjects->fwToken, 
+        fwFindObjects->mdInstance, fwFindObjects->fwInstance,
+        arenaOpt, pError);
+      if( (NSSCKMDObject *)NULL == mdObject ) {
+        if( CKR_OK != *pError ) {
+          goto done;
+        }
+
+        /* All done. */
+        fwFindObjects->mdfo2->Final(fwFindObjects->mdfo2, fwFindObjects,
+          fwFindObjects->mdSession, fwFindObjects->fwSession,
+          fwFindObjects->mdToken, fwFindObjects->fwToken, 
+          fwFindObjects->mdInstance, fwFindObjects->fwInstance);
+        fwFindObjects->mdfo2 = (NSSCKMDFindObjects *)NULL;
+      } else {
+        goto wrap;
+      }
+    }
+  }
+  
+  /* No more objects */
+  *pError = CKR_OK;
+  goto done;
+
+ wrap:
+  /*
+   * This is less than ideal-- we should determine if it's a token
+   * object or a session object, and use the appropriate arena.
+   * But that duplicates logic in nssCKFWObject_IsTokenObject.
+   * Worry about that later.  For now, be conservative, and use
+   * the token arena.
+   */
+  objArena = nssCKFWToken_GetArena(fwFindObjects->fwToken, pError);
+  if( (NSSArena *)NULL == objArena ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_HOST_MEMORY;
+    }
+    goto done;
+  }
+
+  fwObject = nssCKFWObject_Create(objArena, mdObject,
+               fwFindObjects->fwSession, fwFindObjects->fwToken, 
+               fwFindObjects->fwInstance, pError);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+  }
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwFindObjects->mutex);
+  return fwObject;
+}
+
+/*
+ * NSSCKFWFindObjects_GetMDFindObjects
+ *
+ */
+
+NSS_EXTERN NSSCKMDFindObjects *
+NSSCKFWFindObjects_GetMDFindObjects
+(
+  NSSCKFWFindObjects *fwFindObjects
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWFindObjects_verifyPointer(fwFindObjects) ) {
+    return (NSSCKMDFindObjects *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWFindObjects_GetMDFindObjects(fwFindObjects);
+}
diff --git a/security/nss/lib/ckfw/hash.c b/security/nss/lib/ckfw/hash.c
new file mode 100644
index 000000000..f9790493b
--- /dev/null
+++ b/security/nss/lib/ckfw/hash.c
@@ -0,0 +1,334 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * hash.c
+ *
+ * This is merely a couple wrappers around NSPR's PLHashTable, using
+ * the identity hash and arena-aware allocators.  The reason I did
+ * this is that hash tables are used in a few places throughout the
+ * NSS Cryptoki Framework in a fairly stereotyped way, and this allows
+ * me to pull the commonalities into one place.  Should we ever want
+ * to change the implementation, it's all right here.
+ */
+
+#ifndef CK_T
+#include "ck.h"
+#endif /* CK_T */
+
+/*
+ * nssCKFWHash
+ *
+ *  nssCKFWHash_Create
+ *  nssCKFWHash_Destroy
+ *  nssCKFWHash_Add
+ *  nssCKFWHash_Remove
+ *  nssCKFWHash_Count
+ *  nssCKFWHash_Exists
+ *  nssCKFWHash_Lookup
+ *  nssCKFWHash_Iterate
+ */
+
+struct nssCKFWHashStr {
+  NSSCKFWMutex *mutex;
+
+  /*
+   * The invariant that mutex protects is:
+   *   The count accurately reflects the hashtable state.
+   */
+
+  PLHashTable *plHashTable;
+  CK_ULONG count;
+};
+
+static PLHashNumber
+nss_ckfw_identity_hash
+(
+  const void *key
+)
+{
+  PRUint32 i = (PRUint32)key;
+  PR_ASSERT(sizeof(PLHashNumber) == sizeof(PRUint32));
+  return (PLHashNumber)i;
+}
+
+/*
+ * nssCKFWHash_Create
+ *
+ */
+NSS_IMPLEMENT nssCKFWHash *
+nssCKFWHash_Create
+(
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+)
+{
+  nssCKFWHash *rv;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (nssCKFWHash *)NULL;
+  }
+
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    *pError = CKR_ARGUMENTS_BAD;
+    return (nssCKFWHash *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  rv = nss_ZNEW(arena, nssCKFWHash);
+  if( (nssCKFWHash *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (nssCKFWHash *)NULL;
+  }
+
+  rv->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
+  if( (NSSCKFWMutex *)NULL == rv->mutex ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    return (nssCKFWHash *)NULL;
+  }
+
+  rv->plHashTable = PL_NewHashTable(0, nss_ckfw_identity_hash, 
+    PL_CompareValues, PL_CompareValues, &nssArenaHashAllocOps, arena);
+  if( (PLHashTable *)NULL == rv->plHashTable ) {
+    (void)nssCKFWMutex_Destroy(rv->mutex);
+    (void)nss_ZFreeIf(rv);
+    *pError = CKR_HOST_MEMORY;
+    return (nssCKFWHash *)NULL;
+  }
+
+  rv->count = 0;
+
+  return rv;
+}
+
+/*
+ * nssCKFWHash_Destroy
+ *
+ */
+NSS_IMPLEMENT void
+nssCKFWHash_Destroy
+(
+  nssCKFWHash *hash
+)
+{
+  (void)nssCKFWMutex_Destroy(hash->mutex);
+  PL_HashTableDestroy(hash->plHashTable);
+  (void)nss_ZFreeIf(hash);
+}
+
+/*
+ * nssCKFWHash_Add
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWHash_Add
+(
+  nssCKFWHash *hash,
+  const void *key,
+  const void *value
+)
+{
+  CK_RV error = CKR_OK;
+  PLHashEntry *he;
+
+  error = nssCKFWMutex_Lock(hash->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+  
+  he = PL_HashTableAdd(hash->plHashTable, key, (void *)value);
+  if( (PLHashEntry *)NULL == he ) {
+    error = CKR_HOST_MEMORY;
+  } else {
+    hash->count++;
+  }
+
+  (void)nssCKFWMutex_Unlock(hash->mutex);
+
+  return error;
+}
+
+/*
+ * nssCKFWHash_Remove
+ *
+ */
+NSS_IMPLEMENT void
+nssCKFWHash_Remove
+(
+  nssCKFWHash *hash,
+  const void *it
+)
+{
+  PRBool found;
+
+  if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
+    return;
+  }
+
+  found = PL_HashTableRemove(hash->plHashTable, it);
+  if( found ) {
+    hash->count--;
+  }
+
+  (void)nssCKFWMutex_Unlock(hash->mutex);
+  return;
+}
+
+/*
+ * nssCKFWHash_Count
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWHash_Count
+(
+  nssCKFWHash *hash
+)
+{
+  CK_ULONG count;
+
+  if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
+    return (CK_ULONG)0;
+  }
+
+  count = hash->count;
+
+  (void)nssCKFWMutex_Unlock(hash->mutex);
+
+  return count;
+}
+
+/*
+ * nssCKFWHash_Exists
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWHash_Exists
+(
+  nssCKFWHash *hash,
+  const void *it
+)
+{
+  void *value;
+
+  if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
+    return CK_FALSE;
+  }
+
+  value = PL_HashTableLookup(hash->plHashTable, it);
+
+  (void)nssCKFWMutex_Unlock(hash->mutex);
+
+  if( (void *)NULL == value ) {
+    return CK_FALSE;
+  } else {
+    return CK_TRUE;
+  }
+}
+
+/*
+ * nssCKFWHash_Lookup
+ *
+ */
+NSS_IMPLEMENT void *
+nssCKFWHash_Lookup
+(
+  nssCKFWHash *hash,
+  const void *it
+)
+{
+  void *rv;
+
+  if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
+    return (void *)NULL;
+  }
+
+  rv = PL_HashTableLookup(hash->plHashTable, it);
+
+  (void)nssCKFWMutex_Unlock(hash->mutex);
+
+  return rv;
+}
+
+struct arg_str {
+  nssCKFWHashIterator fcn;
+  void *closure;
+};
+
+static PRIntn
+nss_ckfwhash_enumerator
+(
+  PLHashEntry *he,
+  PRIntn index,
+  void *arg
+)
+{
+  struct arg_str *as = (struct arg_str *)arg;
+  as->fcn(he->key, he->value, as->closure);
+  return HT_ENUMERATE_NEXT;
+}
+
+/*
+ * nssCKFWHash_Iterate
+ *
+ * NOTE that the iteration function will be called with the hashtable locked.
+ */
+NSS_IMPLEMENT void
+nssCKFWHash_Iterate
+(
+  nssCKFWHash *hash,
+  nssCKFWHashIterator fcn,
+  void *closure
+)
+{
+  struct arg_str as;
+  as.fcn = fcn;
+  as.closure = closure;
+
+  if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
+    return;
+  }
+
+  PL_HashTableEnumerateEntries(hash->plHashTable, nss_ckfwhash_enumerator, &as);
+
+  (void)nssCKFWMutex_Unlock(hash->mutex);
+
+  return;
+}
diff --git a/security/nss/lib/ckfw/instance.c b/security/nss/lib/ckfw/instance.c
new file mode 100644
index 000000000..42b8b11ab
--- /dev/null
+++ b/security/nss/lib/ckfw/instance.c
@@ -0,0 +1,1347 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * instance.c
+ *
+ * This file implements the NSSCKFWInstance type and methods.
+ */
+
+#ifndef CK_T
+#include "ck.h"
+#endif /* CK_T */
+
+/*
+ * NSSCKFWInstance
+ *
+ *  -- create/destroy --
+ *  nssCKFWInstance_Create
+ *  nssCKFWInstance_Destroy
+ *
+ *  -- public accessors --
+ *  NSSCKFWInstance_GetMDInstance
+ *  NSSCKFWInstance_GetArena
+ *  NSSCKFWInstance_MayCreatePthreads
+ *  NSSCKFWInstance_CreateMutex
+ *  NSSCKFWInstance_GetConfigurationData
+ *  NSSCKFWInstance_GetInitArgs
+ *
+ *  -- implement public accessors --
+ *  nssCKFWInstance_GetMDInstance
+ *  nssCKFWInstance_GetArena
+ *  nssCKFWInstance_MayCreatePthreads
+ *  nssCKFWInstance_CreateMutex
+ *  nssCKFWInstance_GetConfigurationData
+ *  nssCKFWInstance_GetInitArgs 
+ *
+ *  -- private accessors --
+ *  nssCKFWInstance_CreateSessionHandle
+ *  nssCKFWInstance_ResolveSessionHandle
+ *  nssCKFWInstance_DestroySessionHandle
+ *  nssCKFWInstance_FindSessionHandle
+ *  nssCKFWInstance_CreateObjectHandle
+ *  nssCKFWInstance_ResolveObjectHandle
+ *  nssCKFWInstance_DestroyObjectHandle
+ *
+ *  -- module fronts --
+ *  nssCKFWInstance_GetNSlots
+ *  nssCKFWInstance_GetCryptokiVersion
+ *  nssCKFWInstance_GetManufacturerID
+ *  nssCKFWInstance_GetFlags
+ *  nssCKFWInstance_GetLibraryDescription
+ *  nssCKFWInstance_GetLibraryVersion
+ *  nssCKFWInstance_GetModuleHandlesSessionObjects
+ *  nssCKFWInstance_GetSlots
+ *  nssCKFWInstance_WaitForSlotEvent
+ *
+ *  -- debugging versions only --
+ *  nssCKFWInstance_verifyPointer
+ */
+
+struct NSSCKFWInstanceStr {
+  NSSCKFWMutex *mutex;
+  NSSArena *arena;
+  NSSCKMDInstance *mdInstance;
+  CK_C_INITIALIZE_ARGS_PTR pInitArgs;
+  CK_BBOOL mayCreatePthreads;
+  NSSUTF8 *configurationData;
+  CK_ULONG nSlots;
+  NSSCKFWSlot **fwSlotList;
+  NSSCKMDSlot **mdSlotList;
+  CK_BBOOL moduleHandlesSessionObjects;
+
+  /*
+   * Everything above is set at creation time, and then not modified.
+   * The invariants the mutex protects are:
+   *
+   *  1) Each of the cached descriptions (versions, etc.) are in an
+   *     internally consistant state.
+   *
+   *  2) The session handle hashes and count are consistant
+   *
+   *  3) The object handle hashes and count are consistant.
+   *
+   * I could use multiple locks, but let's wait to see if that's 
+   * really necessary.
+   *
+   * Note that the calls accessing the cached descriptions will 
+   * call the NSSCKMDInstance methods with the mutex locked.  Those
+   * methods may then call the public NSSCKFWInstance routines.
+   * Those public routines only access the constant data above, so
+   * there's no problem.  But be careful if you add to this object;
+   * mutexes are in general not reentrant, so don't create deadlock
+   * situations.
+   */
+
+  CK_VERSION cryptokiVersion;
+  NSSUTF8 *manufacturerID;
+  NSSUTF8 *libraryDescription;
+  CK_VERSION libraryVersion;
+
+  CK_ULONG lastSessionHandle;
+  nssCKFWHash *sessionHandleHash;
+
+  CK_ULONG lastObjectHandle;
+  nssCKFWHash *objectHandleHash;
+};
+
+#ifdef DEBUG
+/*
+ * But first, the pointer-tracking stuff.
+ *
+ * NOTE: the pointer-tracking support in NSS/base currently relies
+ * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
+ * locking, which is tied into the runtime.  We need a pointer-tracker
+ * implementation that uses the locks supplied through C_Initialize.
+ * That support, however, can be filled in later.  So for now, I'll
+ * just do this routines as no-ops.
+ */
+
+static CK_RV
+instance_add_pointer
+(
+  const NSSCKFWInstance *fwInstance
+)
+{
+  return CKR_OK;
+}
+
+static CK_RV
+instance_remove_pointer
+(
+  const NSSCKFWInstance *fwInstance
+)
+{
+  return CKR_OK;
+}
+
+NSS_IMPLEMENT CK_RV
+nssCKFWInstance_verifyPointer
+(
+  const NSSCKFWInstance *fwInstance
+)
+{
+  return CKR_OK;
+}
+
+#endif /* DEBUG */
+
+/*
+ * nssCKFWInstance_Create
+ *
+ */
+NSS_IMPLEMENT NSSCKFWInstance *
+nssCKFWInstance_Create
+(
+  CK_C_INITIALIZE_ARGS_PTR pInitArgs,
+  NSSCKMDInstance *mdInstance,
+  CK_RV *pError
+)
+{
+  NSSCKFWInstance *fwInstance;
+  NSSArena *arena = (NSSArena *)NULL;
+  CK_ULONG i;
+  CK_BBOOL called_Initialize = CK_FALSE;
+
+#ifdef NSSDEBUG
+  if( (CK_RV)NULL == pError ) {
+    return (NSSCKFWInstance *)NULL;
+  }
+
+  if( (NSSCKMDInstance *)NULL == mdInstance ) {
+    *pError = CKR_ARGUMENTS_BAD;
+    return (NSSCKFWInstance *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  arena = NSSArena_Create();
+  if( (NSSArena *)NULL == arena ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKFWInstance *)NULL;
+  }
+
+  fwInstance = nss_ZNEW(arena, NSSCKFWInstance);
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    goto nomem;
+  }
+
+  fwInstance->arena = arena;
+  fwInstance->mdInstance = mdInstance;
+  fwInstance->pInitArgs = pInitArgs;
+
+  if( (CK_C_INITIALIZE_ARGS_PTR)NULL != pInitArgs ) {
+    if( pInitArgs->flags & CKF_LIBRARY_CANT_CREATE_OS_THREADS ) {
+      fwInstance->mayCreatePthreads = CK_FALSE;
+    } else {
+      fwInstance->mayCreatePthreads = CK_TRUE;
+    }
+    fwInstance->configurationData = (NSSUTF8 *)(pInitArgs->pReserved);
+  } else {
+    fwInstance->mayCreatePthreads = CK_TRUE;
+  }
+
+  fwInstance->mutex = nssCKFWMutex_Create(pInitArgs, arena, pError);
+  if( (NSSCKFWMutex *)NULL == fwInstance->mutex ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    goto loser;
+  }
+
+  if( (void *)NULL != (void *)mdInstance->Initialize ) {
+    *pError = mdInstance->Initialize(mdInstance, fwInstance, fwInstance->configurationData);
+    if( CKR_OK != *pError ) {
+      goto loser;
+    }
+
+    called_Initialize = CK_TRUE;
+  }
+
+  if( (void *)NULL != (void *)mdInstance->ModuleHandlesSessionObjects ) {
+    fwInstance->moduleHandlesSessionObjects = 
+      mdInstance->ModuleHandlesSessionObjects(mdInstance, fwInstance);
+  } else {
+    fwInstance->moduleHandlesSessionObjects = CK_FALSE;
+  }
+
+  if( (void *)NULL == (void *)mdInstance->GetNSlots ) {
+    /* That routine is required */
+    *pError = CKR_GENERAL_ERROR;
+    goto loser;
+  }
+
+  fwInstance->nSlots = mdInstance->GetNSlots(mdInstance, fwInstance, pError);
+  if( (CK_ULONG)0 == fwInstance->nSlots ) {
+    if( CKR_OK == *pError ) {
+      /* Zero is not a legitimate answer */
+      *pError = CKR_GENERAL_ERROR;
+    }
+    goto loser;
+  }
+
+  fwInstance->fwSlotList = nss_ZNEWARRAY(arena, NSSCKFWSlot *, fwInstance->nSlots);
+  if( (NSSCKFWSlot **)NULL == fwInstance->fwSlotList ) {
+    goto nomem;
+  }
+
+  fwInstance->mdSlotList = nss_ZNEWARRAY(arena, NSSCKMDSlot *, fwInstance->nSlots);
+  if( (NSSCKMDSlot **)NULL == fwInstance->mdSlotList ) {
+    goto nomem;
+  }
+
+  fwInstance->sessionHandleHash = nssCKFWHash_Create(fwInstance, 
+    fwInstance->arena, pError);
+  if( (nssCKFWHash *)NULL == fwInstance->sessionHandleHash ) {
+    goto loser;
+  }
+
+  fwInstance->objectHandleHash = nssCKFWHash_Create(fwInstance,
+    fwInstance->arena, pError);
+  if( (nssCKFWHash *)NULL == fwInstance->objectHandleHash ) {
+    goto loser;
+  }
+
+  if( (void *)NULL == (void *)mdInstance->GetSlots ) {
+    /* That routine is required */
+    *pError = CKR_GENERAL_ERROR;
+    goto loser;
+  }
+
+  *pError = mdInstance->GetSlots(mdInstance, fwInstance, fwInstance->mdSlotList);
+  if( CKR_OK != *pError ) {
+    goto loser;
+  }
+
+  for( i = 0; i < fwInstance->nSlots; i++ ) {
+    NSSCKMDSlot *mdSlot = fwInstance->mdSlotList[i];
+
+    if( (NSSCKMDSlot *)NULL == mdSlot ) {
+      *pError = CKR_GENERAL_ERROR;
+      goto loser;
+    }
+
+    fwInstance->fwSlotList[i] = nssCKFWSlot_Create(fwInstance, mdSlot, i, pError);
+    if( CKR_OK != *pError ) {
+      CK_ULONG j;
+
+      for( j = 0; j < i; j++ ) {
+        (void)nssCKFWSlot_Destroy(fwInstance->fwSlotList[j]);
+      }
+
+      for( j = i; j < fwInstance->nSlots; j++ ) {
+        NSSCKMDSlot *mds = fwInstance->mdSlotList[j];
+        if( (void *)NULL != (void *)mds->Destroy ) {
+          mds->Destroy(mds, (NSSCKFWSlot *)NULL, mdInstance, fwInstance);
+        }
+      }
+
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  *pError = instance_add_pointer(fwInstance);
+  if( CKR_OK != *pError ) {
+    for( i = 0; i < fwInstance->nSlots; i++ ) {
+      (void)nssCKFWSlot_Destroy(fwInstance->fwSlotList[i]);
+    }
+    
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  *pError = CKR_OK;
+  return fwInstance;
+
+ nomem:
+  *pError = CKR_HOST_MEMORY;
+  /*FALLTHROUGH*/
+ loser:
+
+  if( CK_TRUE == called_Initialize ) {
+    if( (void *)NULL != (void *)mdInstance->Finalize ) {
+      mdInstance->Finalize(mdInstance, fwInstance);
+    }
+  }
+
+  (void)NSSArena_Destroy(arena);
+  return (NSSCKFWInstance *)NULL;
+}
+
+/*
+ * nssCKFWInstance_Destroy
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWInstance_Destroy
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef NSSDEBUG
+  CK_RV error = CKR_OK;
+#endif /* NSSDEBUG */
+  CK_ULONG i;
+
+#ifdef NSSDEBUG
+  error = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  nssCKFWMutex_Destroy(fwInstance->mutex);
+
+  for( i = 0; i < fwInstance->nSlots; i++ ) {
+    (void)nssCKFWSlot_Destroy(fwInstance->fwSlotList[i]);
+  }
+
+  if( (void *)NULL != (void *)fwInstance->mdInstance->Finalize ) {
+    fwInstance->mdInstance->Finalize(fwInstance->mdInstance, fwInstance);
+  }
+
+#ifdef DEBUG
+  (void)instance_remove_pointer(fwInstance);
+#endif /* DEBUG */
+
+  (void)NSSArena_Destroy(fwInstance->arena);
+  return CKR_OK;
+}
+
+/*
+ * nssCKFWInstance_GetMDInstance
+ *
+ */
+NSS_IMPLEMENT NSSCKMDInstance *
+nssCKFWInstance_GetMDInstance
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return (NSSCKMDInstance *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwInstance->mdInstance;
+}
+
+/*
+ * nssCKFWInstance_GetArena
+ *
+ */
+NSS_IMPLEMENT NSSArena *
+nssCKFWInstance_GetArena
+(
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSArena *)NULL;
+  }
+
+  *pError = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != *pError ) {
+    return (NSSArena *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  *pError = CKR_OK;
+  return fwInstance->arena;
+}
+
+/*
+ * nssCKFWInstance_MayCreatePthreads
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWInstance_MayCreatePthreads
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  return fwInstance->mayCreatePthreads;
+}
+
+/*
+ * nssCKFWInstance_CreateMutex
+ *
+ */
+NSS_IMPLEMENT NSSCKFWMutex *
+nssCKFWInstance_CreateMutex
+(
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+)
+{
+  NSSCKFWMutex *mutex;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWMutex *)NULL;
+  }
+
+  *pError = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWMutex *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  mutex = nssCKFWMutex_Create(fwInstance->pInitArgs, arena, pError);
+  if( (NSSCKFWMutex *)NULL == mutex ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+
+    return (NSSCKFWMutex *)NULL;
+  }
+
+  return mutex;
+}
+
+/*
+ * nssCKFWInstance_GetConfigurationData
+ *
+ */
+NSS_IMPLEMENT NSSUTF8 *
+nssCKFWInstance_GetConfigurationData
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwInstance->configurationData;
+}
+
+/*
+ * nssCKFWInstance_GetInitArgs
+ *
+ */
+CK_C_INITIALIZE_ARGS_PTR
+nssCKFWInstance_GetInitArgs
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return (CK_C_INITIALIZE_ARGS_PTR)NULL;
+  }
+#endif /* NSSDEBUG */
+
+    return fwInstance->pInitArgs;
+}
+
+/*
+ * nssCKFWInstance_CreateSessionHandle
+ *
+ */
+NSS_IMPLEMENT CK_SESSION_HANDLE
+nssCKFWInstance_CreateSessionHandle
+(
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+)
+{
+  CK_SESSION_HANDLE hSession;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (CK_SESSION_HANDLE)0;
+  }
+
+  *pError = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != *pError ) {
+    return (CK_SESSION_HANDLE)0;
+  }
+#endif /* NSSDEBUG */
+
+  *pError = nssCKFWMutex_Lock(fwInstance->mutex);
+  if( CKR_OK != *pError ) {
+    return (CK_SESSION_HANDLE)0;
+  }
+
+  hSession = ++(fwInstance->lastSessionHandle);
+
+  /* Alan would say I should unlock for this call. */
+  
+  *pError = nssCKFWSession_SetHandle(fwSession, hSession);
+  if( CKR_OK != *pError ) {
+    goto done;
+  }
+
+  *pError = nssCKFWHash_Add(fwInstance->sessionHandleHash, 
+              (const void *)hSession, (const void *)fwSession);
+  if( CKR_OK != *pError ) {
+    hSession = (CK_SESSION_HANDLE)0;
+    goto done;
+  }
+
+ done:
+  nssCKFWMutex_Unlock(fwInstance->mutex);
+  return hSession;
+}
+
+/*
+ * nssCKFWInstance_ResolveSessionHandle
+ *
+ */
+NSS_IMPLEMENT NSSCKFWSession *
+nssCKFWInstance_ResolveSessionHandle
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+)
+{
+  NSSCKFWSession *fwSession;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return (NSSCKFWSession *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
+    return (NSSCKFWSession *)NULL;
+  }
+
+  fwSession = (NSSCKFWSession *)nssCKFWHash_Lookup(
+                fwInstance->sessionHandleHash, (const void *)hSession);
+
+  /* Assert(hSession == nssCKFWSession_GetHandle(fwSession)) */
+
+  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
+
+  return fwSession;
+}
+
+/*
+ * nssCKFWInstance_DestroySessionHandle
+ *
+ */
+NSS_IMPLEMENT void
+nssCKFWInstance_DestroySessionHandle
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+)
+{
+  NSSCKFWSession *fwSession;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
+    return;
+  }
+
+  fwSession = (NSSCKFWSession *)nssCKFWHash_Lookup(
+                fwInstance->sessionHandleHash, (const void *)hSession);
+
+  nssCKFWHash_Remove(fwInstance->sessionHandleHash, (const void *)hSession);
+  nssCKFWSession_SetHandle(fwSession, (CK_SESSION_HANDLE)0);
+
+  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
+
+  return;
+}
+
+/*
+ * nssCKFWInstance_FindSessionHandle
+ *
+ */
+NSS_IMPLEMENT CK_SESSION_HANDLE
+nssCKFWInstance_FindSessionHandle
+(
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWSession *fwSession
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return (CK_SESSION_HANDLE)0;
+  }
+
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return (CK_SESSION_HANDLE)0;
+  }
+#endif /* NSSDEBUG */
+
+  return nssCKFWSession_GetHandle(fwSession);
+  /* look it up and assert? */
+}
+
+/*
+ * nssCKFWInstance_CreateObjectHandle
+ *
+ */
+NSS_IMPLEMENT CK_OBJECT_HANDLE
+nssCKFWInstance_CreateObjectHandle
+(
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+)
+{
+  CK_OBJECT_HANDLE hObject;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (CK_OBJECT_HANDLE)0;
+  }
+
+  *pError = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != *pError ) {
+    return (CK_OBJECT_HANDLE)0;
+  }
+#endif /* NSSDEBUG */
+
+  *pError = nssCKFWMutex_Lock(fwInstance->mutex);
+  if( CKR_OK != *pError ) {
+    return (CK_OBJECT_HANDLE)0;
+  }
+
+  hObject = ++(fwInstance->lastObjectHandle);
+
+  *pError = nssCKFWObject_SetHandle(fwObject, hObject);
+  if( CKR_OK != *pError ) {
+    hObject = (CK_OBJECT_HANDLE)0;
+    goto done;
+  }
+
+  *pError = nssCKFWHash_Add(fwInstance->objectHandleHash, 
+              (const void *)hObject, (const void *)fwObject);
+  if( CKR_OK != *pError ) {
+    hObject = (CK_OBJECT_HANDLE)0;
+    goto done;
+  }
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
+  return hObject;
+}
+
+/*
+ * nssCKFWInstance_ResolveObjectHandle
+ *
+ */
+NSS_IMPLEMENT NSSCKFWObject *
+nssCKFWInstance_ResolveObjectHandle
+(
+  NSSCKFWInstance *fwInstance,
+  CK_OBJECT_HANDLE hObject
+)
+{
+  NSSCKFWObject *fwObject;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return (NSSCKFWObject *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  fwObject = (NSSCKFWObject *)nssCKFWHash_Lookup(
+                fwInstance->objectHandleHash, (const void *)hObject);
+
+  /* Assert(hObject == nssCKFWObject_GetHandle(fwObject)) */
+
+  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
+  return fwObject;
+}
+
+/*
+ * nssCKFWInstance_ReassignObjectHandle
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWInstance_ReassignObjectHandle
+(
+  NSSCKFWInstance *fwInstance,
+  CK_OBJECT_HANDLE hObject,
+  NSSCKFWObject *fwObject
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWObject *oldObject;
+
+#ifdef NSSDEBUG
+  error = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwInstance->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  oldObject = (NSSCKFWObject *)nssCKFWHash_Lookup(
+                 fwInstance->objectHandleHash, (const void *)hObject);
+  /* Assert(hObject == nssCKFWObject_GetHandle(oldObject) */
+  (void)nssCKFWObject_SetHandle(oldObject, (CK_SESSION_HANDLE)0);
+  nssCKFWHash_Remove(fwInstance->objectHandleHash, (const void *)hObject);
+
+  error = nssCKFWObject_SetHandle(fwObject, hObject);
+  if( CKR_OK != error ) {
+    goto done;
+  }
+  error = nssCKFWHash_Add(fwInstance->objectHandleHash, 
+            (const void *)hObject, (const void *)fwObject);
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
+  return error;
+}
+
+/*
+ * nssCKFWInstance_DestroyObjectHandle
+ *
+ */
+NSS_IMPLEMENT void
+nssCKFWInstance_DestroyObjectHandle
+(
+  NSSCKFWInstance *fwInstance,
+  CK_OBJECT_HANDLE hObject
+)
+{
+  NSSCKFWObject *fwObject;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
+    return;
+  }
+
+  fwObject = (NSSCKFWObject *)nssCKFWHash_Lookup(
+                fwInstance->objectHandleHash, (const void *)hObject);
+  /* Assert(hObject = nssCKFWObject_GetHandle(fwObject)) */
+  nssCKFWHash_Remove(fwInstance->objectHandleHash, (const void *)hObject);
+  (void)nssCKFWObject_SetHandle(fwObject, (CK_SESSION_HANDLE)0);
+
+  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
+  return;
+}
+
+/*
+ * nssCKFWInstance_FindObjectHandle
+ *
+ */
+NSS_IMPLEMENT CK_OBJECT_HANDLE
+nssCKFWInstance_FindObjectHandle
+(
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWObject *fwObject
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return (CK_OBJECT_HANDLE)0;
+  }
+
+  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
+    return (CK_OBJECT_HANDLE)0;
+  }
+#endif /* NSSDEBUG */
+  
+  return nssCKFWObject_GetHandle(fwObject);
+}
+
+/*
+ * nssCKFWInstance_GetNSlots
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWInstance_GetNSlots
+(
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (CK_ULONG)0;
+  }
+
+  *pError = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != *pError ) {
+    return (CK_ULONG)0;
+  }
+#endif /* NSSDEBUG */
+
+  *pError = CKR_OK;
+  return fwInstance->nSlots;
+}  
+
+/*
+ * nssCKFWInstance_GetCryptokiVersion
+ *
+ */
+NSS_IMPLEMENT CK_VERSION
+nssCKFWInstance_GetCryptokiVersion
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+  CK_VERSION rv;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+
+  if( (0 != fwInstance->cryptokiVersion.major) ||
+      (0 != fwInstance->cryptokiVersion.minor) ) {
+    rv = fwInstance->cryptokiVersion;
+    goto done;
+  }
+
+  if( (void *)NULL != (void *)fwInstance->mdInstance->GetCryptokiVersion ) {
+    fwInstance->cryptokiVersion = fwInstance->mdInstance->GetCryptokiVersion(
+      fwInstance->mdInstance, fwInstance);
+  } else {
+    fwInstance->cryptokiVersion.major = 2;
+    fwInstance->cryptokiVersion.minor = 1;
+  }
+
+  rv = fwInstance->cryptokiVersion;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWInstance_GetManufacturerID
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWInstance_GetManufacturerID
+(
+  NSSCKFWInstance *fwInstance,
+  CK_CHAR manufacturerID[32]
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  if( (CK_CHAR_PTR)NULL == manufacturerID ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  error = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwInstance->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSUTF8 *)NULL == fwInstance->manufacturerID ) {
+    if( (void *)NULL != (void *)fwInstance->mdInstance->GetManufacturerID ) {
+      fwInstance->manufacturerID = fwInstance->mdInstance->GetManufacturerID(
+        fwInstance->mdInstance, fwInstance, &error);
+      if( ((NSSUTF8 *)NULL == fwInstance->manufacturerID) && (CKR_OK != error) ) {
+        goto done;
+      }
+    } else {
+      fwInstance->manufacturerID = (NSSUTF8 *) "";
+    }
+  }
+
+  (void)nssUTF8_CopyIntoFixedBuffer(fwInstance->manufacturerID, (char *)manufacturerID, 32, ' ');
+  error = CKR_OK;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
+  return error;
+}
+
+/*
+ * nssCKFWInstance_GetFlags
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWInstance_GetFlags
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return (CK_ULONG)0;
+  }
+#endif /* NSSDEBUG */
+
+  /* No "instance flags" are yet defined by Cryptoki. */
+  return (CK_ULONG)0;
+}
+
+/*
+ * nssCKFWInstance_GetLibraryDescription
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWInstance_GetLibraryDescription
+(
+  NSSCKFWInstance *fwInstance,
+  CK_CHAR libraryDescription[32]
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  if( (CK_CHAR_PTR)NULL == libraryDescription ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  error = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwInstance->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSUTF8 *)NULL == fwInstance->libraryDescription ) {
+    if( (void *)NULL != (void *)fwInstance->mdInstance->GetLibraryDescription ) {
+      fwInstance->libraryDescription = fwInstance->mdInstance->GetLibraryDescription(
+        fwInstance->mdInstance, fwInstance, &error);
+      if( ((NSSUTF8 *)NULL == fwInstance->libraryDescription) && (CKR_OK != error) ) {
+        goto done;
+      }
+    } else {
+      fwInstance->libraryDescription = (NSSUTF8 *) "";
+    }
+  }
+
+  (void)nssUTF8_CopyIntoFixedBuffer(fwInstance->libraryDescription, (char *)libraryDescription, 32, ' ');
+  error = CKR_OK;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
+  return error;
+}
+
+/*
+ * nssCKFWInstance_GetLibraryVersion
+ *
+ */
+NSS_IMPLEMENT CK_VERSION
+nssCKFWInstance_GetLibraryVersion
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+  CK_VERSION rv;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwInstance->mutex) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+
+  if( (0 != fwInstance->libraryVersion.major) ||
+      (0 != fwInstance->libraryVersion.minor) ) {
+    rv = fwInstance->libraryVersion;
+    goto done;
+  }
+
+  if( (void *)NULL != (void *)fwInstance->mdInstance->GetLibraryVersion ) {
+    fwInstance->libraryVersion = fwInstance->mdInstance->GetLibraryVersion(
+      fwInstance->mdInstance, fwInstance);
+  } else {
+    fwInstance->libraryVersion.major = 0;
+    fwInstance->libraryVersion.minor = 1;
+  }
+
+  rv = fwInstance->libraryVersion;
+ done:
+  (void)nssCKFWMutex_Unlock(fwInstance->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWInstance_GetModuleHandlesSessionObjects
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWInstance_GetModuleHandlesSessionObjects
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  return fwInstance->moduleHandlesSessionObjects;
+}
+
+/*
+ * nssCKFWInstance_GetSlots
+ *
+ */
+NSS_IMPLEMENT NSSCKFWSlot **
+nssCKFWInstance_GetSlots
+(
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWSlot **)NULL;
+  }
+
+  *pError = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWSlot **)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwInstance->fwSlotList;
+}
+
+/*
+ * nssCKFWInstance_WaitForSlotEvent
+ *
+ */
+NSS_IMPLEMENT NSSCKFWSlot *
+nssCKFWInstance_WaitForSlotEvent
+(
+  NSSCKFWInstance *fwInstance,
+  CK_BBOOL block,
+  CK_RV *pError
+)
+{
+  NSSCKFWSlot *fwSlot = (NSSCKFWSlot *)NULL;
+  NSSCKMDSlot *mdSlot;
+  CK_ULONG i, n;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWSlot *)NULL;
+  }
+
+  *pError = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWSlot *)NULL;
+  }
+
+  switch( block ) {
+  case CK_TRUE:
+  case CK_FALSE:
+    break;
+  default:
+    *pError = CKR_ARGUMENTS_BAD;
+    return (NSSCKFWSlot *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwInstance->mdInstance->WaitForSlotEvent ) {
+    *pError = CKR_NO_EVENT;
+    return (NSSCKFWSlot *)NULL;
+  }
+
+  mdSlot = fwInstance->mdInstance->WaitForSlotEvent(
+    fwInstance->mdInstance,
+    fwInstance,
+    block,
+    pError
+  );
+
+  if( (NSSCKMDSlot *)NULL == mdSlot ) {
+    return (NSSCKFWSlot *)NULL;
+  }
+
+  n = nssCKFWInstance_GetNSlots(fwInstance, pError);
+  if( ((CK_ULONG)0 == n) && (CKR_OK != *pError) ) {
+    return (NSSCKFWSlot *)NULL;
+  }
+
+  for( i = 0; i < n; i++ ) {
+    if( fwInstance->mdSlotList[i] == mdSlot ) {
+      fwSlot = fwInstance->fwSlotList[i];
+      break;
+    }
+  }
+
+  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+    /* Internal error */
+    *pError = CKR_GENERAL_ERROR;
+    return (NSSCKFWSlot *)NULL;
+  }
+
+  return fwSlot;
+}
+
+/*
+ * NSSCKFWInstance_GetMDInstance
+ *
+ */
+NSS_IMPLEMENT NSSCKMDInstance *
+NSSCKFWInstance_GetMDInstance
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return (NSSCKMDInstance *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWInstance_GetMDInstance(fwInstance);
+}
+
+/*
+ * NSSCKFWInstance_GetArena
+ *
+ */
+NSS_IMPLEMENT NSSArena *
+NSSCKFWInstance_GetArena
+(
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+#ifdef DEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSArena *)NULL;
+  }
+
+  *pError = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != *pError ) {
+    return (NSSArena *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWInstance_GetArena(fwInstance, pError);
+}
+
+/*
+ * NSSCKFWInstance_MayCreatePthreads
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+NSSCKFWInstance_MayCreatePthreads
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return CK_FALSE;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWInstance_MayCreatePthreads(fwInstance);
+}
+
+/*
+ * NSSCKFWInstance_CreateMutex
+ *
+ */
+NSS_IMPLEMENT NSSCKFWMutex *
+NSSCKFWInstance_CreateMutex
+(
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+)
+{
+#ifdef DEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWMutex *)NULL;
+  }
+
+  *pError = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWMutex *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
+}
+
+/*
+ * NSSCKFWInstance_GetConfigurationData
+ *
+ */
+NSS_IMPLEMENT NSSUTF8 *
+NSSCKFWInstance_GetConfigurationData
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWInstance_GetConfigurationData(fwInstance);
+}
+
+/*
+ * NSSCKFWInstance_GetInitArgs
+ *
+ */
+NSS_IMPLEMENT CK_C_INITIALIZE_ARGS_PTR
+NSSCKFWInstance_GetInitArgs
+(
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWInstance_verifyPointer(fwInstance) ) {
+    return (CK_C_INITIALIZE_ARGS_PTR)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWInstance_GetInitArgs(fwInstance);
+}
+
diff --git a/security/nss/lib/ckfw/manifest.mn b/security/nss/lib/ckfw/manifest.mn
new file mode 100644
index 000000000..8a4f15086
--- /dev/null
+++ b/security/nss/lib/ckfw/manifest.mn
@@ -0,0 +1,79 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+CORE_DEPTH = ../../..
+
+DIRS = builtins
+
+PRIVATE_EXPORTS = \
+	ck.h		  \
+	ckfw.h		  \
+	ckfwm.h		  \
+	ckfwtm.h	  \
+	ckmd.h		  \
+	ckt.h		  \
+	$(NULL)
+
+EXPORTS =	   \
+	nssck.api  \
+	nssckepv.h \
+	nssckft.h  \
+	nssckfw.h  \
+	nssckfwc.h \
+	nssckfwt.h \
+	nssckg.h   \
+	nssckmdt.h \
+	nssckt.h   \
+	$(NULL)
+
+MODULE = security
+
+CSRCS =		   \
+	find.c	   \
+	hash.c	   \
+	instance.c \
+	mutex.c	   \
+	nsprstub.c \
+	object.c   \
+	session.c  \
+	sessobj.c  \
+	slot.c	   \
+	token.c	   \
+	wrap.c	   \
+	mechanism.c \
+	$(NULL)
+
+REQUIRES = security nspr
+
+LIBRARY_NAME = nssckfw
diff --git a/security/nss/lib/ckfw/mechanism.c b/security/nss/lib/ckfw/mechanism.c
new file mode 100644
index 000000000..634c5ae8b
--- /dev/null
+++ b/security/nss/lib/ckfw/mechanism.c
@@ -0,0 +1,165 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * mechanism.c
+ *
+ * This file implements the NSSCKFWMechanism type and methods.
+ * These functions are currently stubs.
+ */
+
+#ifndef CK_T
+#include "ck.h"
+#endif /* CK_T */
+
+/*
+ * NSSCKFWMechanism
+ *
+ *  -- create/destroy --
+ *  nssCKFWMechanism_Create
+ *  nssCKFWMechanism_Destroy
+ *
+ *  -- implement public accessors --
+ *  nssCKFWMechanism_GetMDMechanism
+ *  nssCKFWMechanism_GetParameter
+ *
+ *  -- private accessors --
+ *
+ *  -- module fronts --
+ *  nssCKFWMechanism_GetMinKeySize
+ *  nssCKFWMechanism_GetMaxKeySize
+ *  nssCKFWMechanism_GetInHardware
+ */
+
+
+struct NSSCKFWMechanismStr {
+   void * dummy;
+};
+
+/*
+ * nssCKFWMechanism_Create
+ *
+ */
+NSS_IMPLEMENT NSSCKFWMechanism *
+nssCKFWMechanism_Create
+(
+  void /* XXX fgmr */
+)
+{
+  return (NSSCKFWMechanism *)NULL;
+}
+
+/*
+ * nssCKFWMechanism_Destroy
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWMechanism_Destroy
+(
+  NSSCKFWMechanism *fwMechanism
+)
+{
+   return CKR_OK;
+}
+
+/*
+ * nssCKFWMechanism_GetMDMechanism
+ *
+ */
+
+NSS_IMPLEMENT NSSCKMDMechanism *
+nssCKFWMechanism_GetMDMechanism
+(
+  NSSCKFWMechanism *fwMechanism
+)
+{
+    return NULL;
+}
+
+/*
+ * nssCKFWMechanism_GetParameter
+ *
+ * XXX fgmr-- or as an additional parameter to the crypto ops?
+ */
+NSS_IMPLEMENT NSSItem *
+nssCKFWMechanism_GetParameter
+(
+  NSSCKFWMechanism *fwMechanism
+)
+{
+	return NULL;
+}
+
+/*
+ * nssCKFWMechanism_GetMinKeySize
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWMechanism_GetMinKeySize
+(
+  NSSCKFWMechanism *fwMechanism
+)
+{
+    return 0;
+}
+
+/*
+ * nssCKFWMechanism_GetMaxKeySize
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWMechanism_GetMaxKeySize
+(
+  NSSCKFWMechanism *fwMechanism
+)
+{
+   return 0;
+}
+
+/*
+ * nssCKFWMechanism_GetInHardware
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWMechanism_GetInHardware
+(
+  NSSCKFWMechanism *fwMechanism
+)
+{
+    return PR_FALSE;
+}
+
diff --git a/security/nss/lib/ckfw/mutex.c b/security/nss/lib/ckfw/mutex.c
new file mode 100644
index 000000000..789616683
--- /dev/null
+++ b/security/nss/lib/ckfw/mutex.c
@@ -0,0 +1,345 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * mutex.c
+ *
+ * This file implements a mutual-exclusion locking facility for Modules
+ * using the NSS Cryptoki Framework.
+ */
+
+#ifndef CK_T
+#include "ck.h"
+#endif /* CK_T */
+
+/*
+ * NSSCKFWMutex
+ *
+ *  NSSCKFWMutex_Destroy
+ *  NSSCKFWMutex_Lock
+ *  NSSCKFWMutex_Unlock
+ *
+ *  nssCKFWMutex_Create
+ *  nssCKFWMutex_Destroy
+ *  nssCKFWMutex_Lock
+ *  nssCKFWMutex_Unlock
+ *
+ *  -- debugging versions only --
+ *  nssCKFWMutex_verifyPointer
+ *
+ */
+
+struct NSSCKFWMutexStr {
+  CK_VOID_PTR etc;
+
+  CK_DESTROYMUTEX Destroy;
+  CK_LOCKMUTEX Lock;
+  CK_UNLOCKMUTEX Unlock;
+};
+
+#ifdef DEBUG
+/*
+ * But first, the pointer-tracking stuff.
+ *
+ * NOTE: the pointer-tracking support in NSS/base currently relies
+ * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
+ * locking, which is tied into the runtime.  We need a pointer-tracker
+ * implementation that uses the locks supplied through C_Initialize.
+ * That support, however, can be filled in later.  So for now, I'll
+ * just do this routines as no-ops.
+ */
+
+static CK_RV
+mutex_add_pointer
+(
+  const NSSCKFWMutex *fwMutex
+)
+{
+  return CKR_OK;
+}
+
+static CK_RV
+mutex_remove_pointer
+(
+  const NSSCKFWMutex *fwMutex
+)
+{
+  return CKR_OK;
+}
+
+NSS_IMPLEMENT CK_RV
+nssCKFWMutex_verifyPointer
+(
+  const NSSCKFWMutex *fwMutex
+)
+{
+  return CKR_OK;
+}
+
+#endif /* DEBUG */
+
+static CK_RV
+mutex_noop
+(
+  CK_VOID_PTR pMutex
+)
+{
+  return CKR_OK;
+}
+
+/*
+ * nssCKFWMutex_Create
+ *
+ */
+NSS_EXTERN NSSCKFWMutex *
+nssCKFWMutex_Create
+(
+  CK_C_INITIALIZE_ARGS_PTR pInitArgs,
+  NSSArena *arena,
+  CK_RV *pError
+)
+{
+  NSSCKFWMutex *mutex;
+  CK_ULONG count = (CK_ULONG)0;
+  CK_BBOOL os_ok = CK_FALSE;
+
+  if( (CK_C_INITIALIZE_ARGS_PTR)NULL != pInitArgs ) {
+    if( (CK_CREATEMUTEX )NULL != pInitArgs->CreateMutex  ) count++;
+    if( (CK_DESTROYMUTEX)NULL != pInitArgs->DestroyMutex ) count++;
+    if( (CK_LOCKMUTEX   )NULL != pInitArgs->LockMutex    ) count++;
+    if( (CK_UNLOCKMUTEX )NULL != pInitArgs->UnlockMutex  ) count++;
+    os_ok = (pInitArgs->flags & CKF_OS_LOCKING_OK) ? CK_TRUE : CK_FALSE;
+
+    if( (0 != count) && (4 != count) ) {
+      *pError = CKR_ARGUMENTS_BAD;
+      return (NSSCKFWMutex *)NULL;
+    }
+  }
+
+  if( (0 == count) && (CK_TRUE == os_ok) ) {
+    /*
+     * This is case #2 in the description of C_Initialize:
+     * The library will be called in a multithreaded way, but
+     * no routines were specified: os locking calls should be
+     * used.  Unfortunately, this can be hard.. like, I think
+     * I may have to dynamically look up the entry points in
+     * the instance of NSPR already going in the application.
+     *
+     * I know that *we* always specify routines, so this only
+     * comes up if someone is using NSS to create their own
+     * PCKS#11 modules for other products.  Oh, heck, I'll 
+     * worry about this then.
+     */
+    *pError = CKR_CANT_LOCK;
+    return (NSSCKFWMutex *)NULL;
+  }
+
+  mutex = nss_ZNEW(arena, NSSCKFWMutex);
+  if( (NSSCKFWMutex *)NULL == mutex ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKFWMutex *)NULL;
+  }
+
+  if( 0 == count ) {
+    /*
+     * With the above test out of the way, we know this is case
+     * #1 in the description of C_Initialize: this library will
+     * not be called in a multithreaded way.  I'll just return
+     * an object with noop calls.
+     */
+
+    mutex->Destroy = (CK_DESTROYMUTEX)mutex_noop;
+    mutex->Lock    = (CK_LOCKMUTEX   )mutex_noop;
+    mutex->Unlock  = (CK_UNLOCKMUTEX )mutex_noop;
+  } else {
+    /*
+     * We know that we're in either case #3 or #4 in the description
+     * of C_Initialize.  Case #3 says we should use the specified
+     * functions, case #4 cays we can use either the specified ones
+     * or the OS ones.  I'll use the specified ones.
+     */
+
+    mutex->Destroy = pInitArgs->DestroyMutex;
+    mutex->Lock    = pInitArgs->LockMutex;
+    mutex->Unlock  = pInitArgs->UnlockMutex;
+    
+    *pError = pInitArgs->CreateMutex(&mutex->etc);
+    if( CKR_OK != *pError ) {
+      (void)nss_ZFreeIf(mutex);
+      return (NSSCKFWMutex *)NULL;
+    }
+  }
+
+#ifdef DEBUG
+  *pError = mutex_add_pointer(mutex);
+  if( CKR_OK != *pError ) {
+    (void)nss_ZFreeIf(mutex);
+    return (NSSCKFWMutex *)NULL;
+  }
+#endif /* DEBUG */
+
+  return mutex;
+}  
+
+/*
+ * nssCKFWMutex_Destroy
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWMutex_Destroy
+(
+  NSSCKFWMutex *mutex
+)
+{
+  CK_RV rv = CKR_OK;
+
+#ifdef NSSDEBUG
+  rv = nssCKFWMutex_verifyPointer(mutex);
+  if( CKR_OK != rv ) {
+    return rv;
+  }
+#endif /* NSSDEBUG */
+  
+  rv = mutex->Destroy(mutex->etc);
+
+#ifdef DEBUG
+  (void)mutex_remove_pointer(mutex);
+#endif /* DEBUG */
+
+  (void)nss_ZFreeIf(mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWMutex_Lock
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWMutex_Lock
+(
+  NSSCKFWMutex *mutex
+)
+{
+#ifdef NSSDEBUG
+  CK_RV rv = nssCKFWMutex_verifyPointer(mutex);
+  if( CKR_OK != rv ) {
+    return rv;
+  }
+#endif /* NSSDEBUG */
+  
+  return mutex->Lock(mutex->etc);
+}
+
+/*
+ * nssCKFWMutex_Unlock
+ *
+ */
+NSS_EXTERN CK_RV
+nssCKFWMutex_Unlock
+(
+  NSSCKFWMutex *mutex
+)
+{
+#ifdef NSSDEBUG
+  CK_RV rv = nssCKFWMutex_verifyPointer(mutex);
+  if( CKR_OK != rv ) {
+    return rv;
+  }
+#endif /* NSSDEBUG */
+
+  return mutex->Unlock(mutex->etc);
+}
+
+/*
+ * NSSCKFWMutex_Destroy
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWMutex_Destroy
+(
+  NSSCKFWMutex *mutex
+)
+{
+#ifdef DEBUG
+  CK_RV rv = nssCKFWMutex_verifyPointer(mutex);
+  if( CKR_OK != rv ) {
+    return rv;
+  }
+#endif /* DEBUG */
+  
+  return nssCKFWMutex_Destroy(mutex);
+}
+
+/*
+ * NSSCKFWMutex_Lock
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWMutex_Lock
+(
+  NSSCKFWMutex *mutex
+)
+{
+#ifdef DEBUG
+  CK_RV rv = nssCKFWMutex_verifyPointer(mutex);
+  if( CKR_OK != rv ) {
+    return rv;
+  }
+#endif /* DEBUG */
+  
+  return nssCKFWMutex_Lock(mutex);
+}
+
+/*
+ * NSSCKFWMutex_Unlock
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWMutex_Unlock
+(
+  NSSCKFWMutex *mutex
+)
+{
+#ifdef DEBUG
+  CK_RV rv = nssCKFWMutex_verifyPointer(mutex);
+  if( CKR_OK != rv ) {
+    return rv;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWMutex_Unlock(mutex);
+}
diff --git a/security/nss/lib/ckfw/nsprstub.c b/security/nss/lib/ckfw/nsprstub.c
new file mode 100644
index 000000000..e4c33cdbd
--- /dev/null
+++ b/security/nss/lib/ckfw/nsprstub.c
@@ -0,0 +1,442 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * secport.c - portability interfaces for security libraries
+ *
+ * This file abstracts out libc functionality that libsec depends on
+ * 
+ * NOTE - These are not public interfaces. These stubs are to allow the 
+ * SW FORTEZZA to link with some low level security functions without dragging
+ * in NSPR.
+ *
+ * $Id$
+ */
+
+#include "seccomon.h"
+#include "prmem.h"
+#include "prerror.h"
+#include "plarena.h"
+#include "secerr.h"
+#include "prmon.h"
+#include "prbit.h"
+#include "ck.h"
+
+#ifdef notdef
+unsigned long port_allocFailures;
+
+/* locations for registering Unicode conversion functions.  
+ *  Is this the appropriate location?  or should they be
+ *     moved to client/server specific locations?
+ */
+PORTCharConversionFunc ucs4Utf8ConvertFunc;
+PORTCharConversionFunc ucs2Utf8ConvertFunc;
+PORTCharConversionWSwapFunc  ucs2AsciiConvertFunc;
+
+void *
+PORT_Alloc(size_t bytes)
+{
+    void *rv;
+
+    /* Always allocate a non-zero amount of bytes */
+    rv = (void *)malloc(bytes ? bytes : 1);
+    if (!rv) {
+	++port_allocFailures;
+    }
+    return rv;
+}
+
+void *
+PORT_Realloc(void *oldptr, size_t bytes)
+{
+    void *rv;
+
+    rv = (void *)realloc(oldptr, bytes);
+    if (!rv) {
+	++port_allocFailures;
+    }
+    return rv;
+}
+
+void *
+PORT_ZAlloc(size_t bytes)
+{
+    void *rv;
+
+    /* Always allocate a non-zero amount of bytes */
+    rv = (void *)calloc(1, bytes ? bytes : 1);
+    if (!rv) {
+	++port_allocFailures;
+    }
+    return rv;
+}
+
+void
+PORT_Free(void *ptr)
+{
+    if (ptr) {
+	free(ptr);
+    }
+}
+
+void
+PORT_ZFree(void *ptr, size_t len)
+{
+    if (ptr) {
+	memset(ptr, 0, len);
+	free(ptr);
+    }
+}
+
+/********************* Arena code follows *****************************/
+
+
+PLArenaPool *
+PORT_NewArena(unsigned long chunksize)
+{
+    PLArenaPool *arena;
+    
+    arena = (PLArenaPool*)PORT_ZAlloc(sizeof(PLArenaPool));
+    if ( arena != NULL ) {
+	PR_InitArenaPool(arena, "security", chunksize, sizeof(double));
+    }
+    return(arena);
+}
+
+void *
+PORT_ArenaAlloc(PLArenaPool *arena, size_t size)
+{
+    void *p;
+
+    PL_ARENA_ALLOCATE(p, arena, size);
+    if (p == NULL) {
+	++port_allocFailures;
+    }
+
+    return(p);
+}
+
+void *
+PORT_ArenaZAlloc(PLArenaPool *arena, size_t size)
+{
+    void *p;
+
+    PL_ARENA_ALLOCATE(p, arena, size);
+    if (p == NULL) {
+	++port_allocFailures;
+    } else {
+	PORT_Memset(p, 0, size);
+    }
+
+    return(p);
+}
+
+/* need to zeroize!! */
+void
+PORT_FreeArena(PLArenaPool *arena, PRBool zero)
+{
+    PR_FinishArenaPool(arena);
+    PORT_Free(arena);
+}
+
+void *
+PORT_ArenaGrow(PLArenaPool *arena, void *ptr, size_t oldsize, size_t newsize)
+{
+    PORT_Assert(newsize >= oldsize);
+    
+    PL_ARENA_GROW(ptr, arena, oldsize, ( newsize - oldsize ) );
+    
+    return(ptr);
+}
+
+void *
+PORT_ArenaMark(PLArenaPool *arena)
+{
+    void * result;
+
+    result = PL_ARENA_MARK(arena);
+    return result;
+}
+
+void
+PORT_ArenaRelease(PLArenaPool *arena, void *mark)
+{
+    PL_ARENA_RELEASE(arena, mark);
+}
+
+void
+PORT_ArenaUnmark(PLArenaPool *arena, void *mark)
+{
+    /* do nothing */
+}
+
+char *
+PORT_ArenaStrdup(PLArenaPool *arena,char *str) {
+    int len = PORT_Strlen(str)+1;
+    char *newstr;
+
+    newstr = (char*)PORT_ArenaAlloc(arena,len);
+    if (newstr) {
+        PORT_Memcpy(newstr,str,len);
+    }
+    return newstr;
+}
+#endif
+
+/*
+ * replace the nice thread-safe Error stack code with something
+ * that will work without all the NSPR features.
+ */
+static PRInt32 stack[2] = {0, 0};
+
+PR_IMPLEMENT(void)
+nss_SetError(PRUint32 value)
+{	
+    stack[0] = value;
+    return;
+}
+
+PR_IMPLEMENT(PRInt32)
+NSS_GetError(void)
+{
+    return(stack[0]);
+}
+
+
+PR_IMPLEMENT(PRInt32 *)
+NSS_GetErrorStack(void)
+{
+    return(&stack[0]);
+}
+
+PR_IMPLEMENT(void)
+nss_ClearErrorStack(void)
+{
+    stack[0] = 0;
+    return;
+}
+
+#ifdef DEBUG
+/*
+ * replace the pointer tracking stuff for the same reasons.
+ *  If you want to turn pointer tracking on, simply ifdef out this code and 
+ *  link with real NSPR.
+ */
+PR_IMPLEMENT(PRStatus)
+nssPointerTracker_initialize(nssPointerTracker *tracker)
+{
+    return PR_SUCCESS;
+}
+
+
+PR_IMPLEMENT(PRStatus)
+nssPointerTracker_finalize(nssPointerTracker *tracker)
+{
+    return PR_SUCCESS;
+}
+
+PR_IMPLEMENT(PRStatus)
+nssPointerTracker_add(nssPointerTracker *tracker, const void *pointer)
+{
+     return PR_SUCCESS;
+}
+
+PR_IMPLEMENT(PRStatus)
+nssPointerTracker_remove(nssPointerTracker *tracker, const void *pointer)
+{
+     return PR_SUCCESS;
+}
+
+PR_IMPLEMENT(PRStatus)
+nssPointerTracker_verify(nssPointerTracker *tracker, const void *pointer)
+{
+     return PR_SUCCESS;
+}
+#endif
+
+PR_IMPLEMENT(PRThread *)
+PR_GetCurrentThread(void)
+{
+     return (PRThread *)1;
+}
+
+
+
+PR_IMPLEMENT(void)
+PR_Assert(const char *expr, const char *file, int line) {
+    return; 
+}
+
+PR_IMPLEMENT(void *)
+PR_Alloc(PRUint32 bytes) { return malloc(bytes); }
+
+PR_IMPLEMENT(void *)
+PR_Malloc(PRUint32 bytes) { return malloc(bytes); }
+
+PR_IMPLEMENT(void *)
+PR_Calloc(PRUint32 blocks, PRUint32 bytes) { return calloc(blocks,bytes); }
+
+PR_IMPLEMENT(void *)
+PR_Realloc(void * blocks, PRUint32 bytes) { return realloc(blocks,bytes); }
+
+PR_IMPLEMENT(void)
+PR_Free(void *ptr) { free(ptr); }
+
+#ifdef notdef
+/* Old template; want to expunge it eventually. */
+#include "secasn1.h"
+#include "secoid.h"
+
+const SEC_ASN1Template SECOID_AlgorithmIDTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SECAlgorithmID) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(SECAlgorithmID,algorithm), },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
+	  offsetof(SECAlgorithmID,parameters), },
+    { 0, }
+};
+
+PR_IMPLEMENT(PRStatus) PR_Sleep(PRIntervalTime ticks) { return PR_SUCCESS; }
+
+/* This is not atomic! */
+PR_IMPLEMENT(PRInt32) PR_AtomicDecrement(PRInt32 *val) { return --(*val); }
+
+PR_IMPLEMENT(PRInt32) PR_AtomicSet(PRInt32 *val) { return ++(*val); }
+
+#endif
+
+/* now make the RNG happy */ /* This is not atomic! */
+PR_IMPLEMENT(PRInt32) PR_AtomicIncrement(PRInt32 *val) { return ++(*val); }
+
+CK_C_INITIALIZE_ARGS_PTR nssstub_initArgs = NULL;
+NSSArena *nssstub_arena = NULL;
+PR_IMPLEMENT(void)
+nssSetLockArgs(CK_C_INITIALIZE_ARGS_PTR pInitArgs)
+{
+    if (nssstub_initArgs == NULL) {
+	nssstub_initArgs = pInitArgs;
+	/* nssstub_arena = NSSArena_Create(); */
+    }
+}
+
+#include "prlock.h"
+PR_IMPLEMENT(PRLock *)
+PR_NewLock(void) {
+	PRLock *lock = NULL;
+	NSSCKFWMutex *mlock = NULL;
+	CK_RV error;
+
+	mlock = nssCKFWMutex_Create(nssstub_initArgs,nssstub_arena,&error);
+	lock = (PRLock *)mlock;
+
+	/* if we don't have a lock, nssCKFWMutex can deal with things */
+	if (lock == NULL) lock=(PRLock *) 1;
+	return lock;
+}
+
+PR_IMPLEMENT(void) 
+PR_DestroyLock(PRLock *lock) {
+	NSSCKFWMutex *mlock = (NSSCKFWMutex *)lock;
+	if (lock == (PRLock *)1) return;
+	nssCKFWMutex_Destroy(mlock);
+}
+
+PR_IMPLEMENT(void) 
+PR_Lock(PRLock *lock) {
+	NSSCKFWMutex *mlock = (NSSCKFWMutex *)lock;
+	if (lock == (PRLock *)1) return;
+	nssCKFWMutex_Lock(mlock);
+}
+
+PR_IMPLEMENT(PRStatus) 
+PR_Unlock(PRLock *lock) {
+	NSSCKFWMutex *mlock = (NSSCKFWMutex *)lock;
+	if (lock == (PRLock *)1) return PR_SUCCESS;
+	nssCKFWMutex_Unlock(mlock);
+	return PR_SUCCESS;
+}
+
+#ifdef notdef
+#endif
+/* this implementation is here to satisfy the PRMonitor use in plarena.c.
+** It appears that it doesn't need re-entrant locks.  It could have used
+** PRLock instead of PRMonitor.  So, this implementation just uses 
+** PRLock for a PRMonitor.
+*/
+PR_IMPLEMENT(PRMonitor*) 
+PR_NewMonitor(void)
+{
+    return (PRMonitor *) PR_NewLock();
+}
+
+
+PR_IMPLEMENT(void) 
+PR_EnterMonitor(PRMonitor *mon)
+{
+    PR_Lock( (PRLock *)mon );
+}
+
+PR_IMPLEMENT(PRStatus) 
+PR_ExitMonitor(PRMonitor *mon)
+{
+    return PR_Unlock( (PRLock *)mon );
+}
+
+#include "prinit.h"
+
+/* This is NOT threadsafe.  It is merely a pseudo-functional stub.
+*/
+PR_IMPLEMENT(PRStatus) PR_CallOnce(
+    PRCallOnceType *once,
+    PRCallOnceFN    func)
+{
+    /* This is not really atomic! */
+    if (1 == PR_AtomicIncrement(&once->initialized)) {
+	once->status = (*func)();
+    }  else {
+    	/* Should wait to be sure that func has finished before returning. */
+    }
+    return once->status;
+}
+
+/*
+** Compute the log of the least power of 2 greater than or equal to n
+*/
+PRIntn PR_CeilingLog2(PRUint32 i) {
+	PRIntn log2;
+	PR_CEILING_LOG2(log2,i);
+	return log2;
+}
+
+/********************** end of arena functions ***********************/
+
diff --git a/security/nss/lib/ckfw/nssck.api b/security/nss/lib/ckfw/nssck.api
new file mode 100644
index 000000000..9abc795c1
--- /dev/null
+++ b/security/nss/lib/ckfw/nssck.api
@@ -0,0 +1,1889 @@
+/* THIS IS A GENERATED FILE */
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char NSSCKAPI_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$ ; @(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * nssck.api
+ *
+ * This automatically-generated file is used to generate a set of
+ * Cryptoki entry points within the object space of a Module using
+ * the NSS Cryptoki Framework.
+ *
+ * The Module should have a .c file with the following:
+ *
+ *  #define MODULE_NAME name
+ *  #define INSTANCE_NAME instance
+ *  #include "nssck.api"
+ *
+ * where "name" is some module-specific name that can be used to
+ * disambiguate various modules.  This included file will then
+ * define the actual Cryptoki routines which pass through to the
+ * Framework calls.  All routines, except C_GetFunctionList, will
+ * be prefixed with the name; C_GetFunctionList will be generated
+ * to return an entry-point vector with these routines.  The
+ * instance specified should be the basic instance of NSSCKMDInstance.
+ *
+ * If, prior to including nssck.api, the .c file also specifies
+ *
+ *  #define DECLARE_STRICT_CRYTPOKI_NAMES
+ *
+ * Then a set of "stub" routines not prefixed with the name will
+ * be included.  This would allow the combined module and framework
+ * to be used in applications which are hard-coded to use the
+ * PKCS#11 names (instead of going through the EPV).  Please note
+ * that such applications should be careful resolving symbols when
+ * more than one PKCS#11 module is loaded.
+ */
+
+#ifndef MODULE_NAME
+#error "Error: MODULE_NAME must be defined."
+#endif /* MODULE_NAME */
+
+#ifndef INSTANCE_NAME
+#error "Error: INSTANCE_NAME must be defined."
+#endif /* INSTANCE_NAME */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCKFWT_H
+#include "nssckfwt.h"
+#endif /* NSSCKFWT_H */
+
+#ifndef NSSCKFWC_H
+#include "nssckfwc.h"
+#endif /* NSSCKFWC_H */
+
+#ifndef NSSCKEPV_H
+#include "nssckepv.h"
+#endif /* NSSCKEPV_H */
+
+#define __ADJOIN(x,y) x##y
+
+/*
+ * The anchor.  This object is used to store an "anchor" pointer in
+ * the Module's object space, so the wrapper functions can relate
+ * back to this instance.
+ */
+
+static NSSCKFWInstance *fwInstance = (NSSCKFWInstance *)0;
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Initialize)
+(
+  CK_VOID_PTR pInitArgs
+)
+{
+  return NSSCKFWC_Initialize(&fwInstance, INSTANCE_NAME, pInitArgs);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY 
+C_Initialize
+(
+  CK_VOID_PTR pInitArgs
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Initialize)(pInitArgs);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Finalize)
+(
+  CK_VOID_PTR pReserved
+)
+{
+  return NSSCKFWC_Finalize(&fwInstance);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_Finalize
+(
+  CK_VOID_PTR pReserved
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Finalize)(pReserved);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetInfo)
+(
+  CK_INFO_PTR pInfo
+)
+{
+  return NSSCKFWC_GetInfo(fwInstance, pInfo);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetInfo
+(
+  CK_INFO_PTR pInfo
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetInfo)(pInfo);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+/*
+ * C_GetFunctionList is defined at the end.
+ */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetSlotList)
+(
+  CK_BBOOL tokenPresent,
+  CK_SLOT_ID_PTR pSlotList,
+  CK_ULONG_PTR pulCount
+)
+{
+  return NSSCKFWC_GetSlotList(fwInstance, tokenPresent, pSlotList, pulCount);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetSlotList
+(
+  CK_BBOOL tokenPresent,
+  CK_SLOT_ID_PTR pSlotList,
+  CK_ULONG_PTR pulCount
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetSlotList)(tokenPresent, pSlotList, pulCount);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetSlotInfo)
+(
+  CK_SLOT_ID slotID,
+  CK_SLOT_INFO_PTR pInfo
+)
+{
+  return NSSCKFWC_GetSlotInfo(fwInstance, slotID, pInfo);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetSlotInfo
+(
+  CK_SLOT_ID slotID,
+  CK_SLOT_INFO_PTR pInfo
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetSlotInfo)(slotID, pInfo);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetTokenInfo)
+(
+  CK_SLOT_ID slotID,
+  CK_TOKEN_INFO_PTR pInfo
+)
+{
+  return NSSCKFWC_GetTokenInfo(fwInstance, slotID, pInfo);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetTokenInfo
+(
+  CK_SLOT_ID slotID,
+  CK_TOKEN_INFO_PTR pInfo
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetTokenInfo)(slotID, pInfo);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetMechanismList)
+(
+  CK_SLOT_ID slotID,
+  CK_MECHANISM_TYPE_PTR pMechanismList,
+  CK_ULONG_PTR pulCount
+)
+{
+  return NSSCKFWC_GetMechanismList(fwInstance, slotID, pMechanismList, pulCount);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetMechanismList
+(
+  CK_SLOT_ID slotID,
+  CK_MECHANISM_TYPE_PTR pMechanismList,
+  CK_ULONG_PTR pulCount
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetMechanismList)(slotID, pMechanismList, pulCount);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetMechanismInfo)
+(
+  CK_SLOT_ID slotID,
+  CK_MECHANISM_TYPE type,
+  CK_MECHANISM_INFO_PTR pInfo
+)
+{
+  return NSSCKFWC_GetMechanismInfo(fwInstance, slotID, type, pInfo);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetMechanismInfo
+(
+  CK_SLOT_ID slotID,
+  CK_MECHANISM_TYPE type,
+  CK_MECHANISM_INFO_PTR pInfo
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetMechanismInfo)(slotID, type, pInfo);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_InitToken)
+(
+  CK_SLOT_ID slotID,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen,
+  CK_CHAR_PTR pLabel
+)
+{
+  return NSSCKFWC_InitToken(fwInstance, slotID, pPin, ulPinLen, pLabel);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_InitToken
+(
+  CK_SLOT_ID slotID,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen,
+  CK_CHAR_PTR pLabel
+)
+{
+  return __ADJOIN(MODULE_NAME,C_InitToken)(slotID, pPin, ulPinLen, pLabel);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_InitPIN)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen
+)
+{
+  return NSSCKFWC_InitPIN(fwInstance, hSession, pPin, ulPinLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_InitPIN
+(
+  CK_SESSION_HANDLE hSession,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_InitPIN)(hSession, pPin, ulPinLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_SetPIN)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_CHAR_PTR pOldPin,
+  CK_ULONG ulOldLen,
+  CK_CHAR_PTR pNewPin,
+  CK_ULONG ulNewLen
+)
+{
+  return NSSCKFWC_SetPIN(fwInstance, hSession, pOldPin, ulOldLen, pNewPin, ulNewLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_SetPIN
+(
+  CK_SESSION_HANDLE hSession,
+  CK_CHAR_PTR pOldPin,
+  CK_ULONG ulOldLen,
+  CK_CHAR_PTR pNewPin,
+  CK_ULONG ulNewLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_SetPIN)(hSession, pOldPin, ulOldLen, pNewPin, ulNewLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_OpenSession)
+(
+  CK_SLOT_ID slotID,
+  CK_FLAGS flags,
+  CK_VOID_PTR pApplication,
+  CK_NOTIFY Notify,
+  CK_SESSION_HANDLE_PTR phSession
+)
+{
+  return NSSCKFWC_OpenSession(fwInstance, slotID, flags, pApplication, Notify, phSession);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_OpenSession
+(
+  CK_SLOT_ID slotID,
+  CK_FLAGS flags,
+  CK_VOID_PTR pApplication,
+  CK_NOTIFY Notify,
+  CK_SESSION_HANDLE_PTR phSession
+)
+{
+  return __ADJOIN(MODULE_NAME,C_OpenSession)(slotID, flags, pApplication, Notify, phSession);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_CloseSession)
+(
+  CK_SESSION_HANDLE hSession
+)
+{
+  return NSSCKFWC_CloseSession(fwInstance, hSession);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_CloseSession
+(
+  CK_SESSION_HANDLE hSession
+)
+{
+  return __ADJOIN(MODULE_NAME,C_CloseSession)(hSession);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_CloseAllSessions)
+(
+  CK_SLOT_ID slotID
+)
+{
+  return NSSCKFWC_CloseAllSessions(fwInstance, slotID);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_CloseAllSessions
+(
+  CK_SLOT_ID slotID
+)
+{
+  return __ADJOIN(MODULE_NAME,C_CloseAllSessions)(slotID);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetSessionInfo)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_SESSION_INFO_PTR pInfo
+)
+{
+  return NSSCKFWC_GetSessionInfo(fwInstance, hSession, pInfo);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetSessionInfo
+(
+  CK_SESSION_HANDLE hSession,
+  CK_SESSION_INFO_PTR pInfo
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetSessionInfo)(hSession, pInfo);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetOperationState)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pOperationState,
+  CK_ULONG_PTR pulOperationStateLen
+)
+{
+  return NSSCKFWC_GetOperationState(fwInstance, hSession, pOperationState, pulOperationStateLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetOperationState
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pOperationState,
+  CK_ULONG_PTR pulOperationStateLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetOperationState)(hSession, pOperationState, pulOperationStateLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_SetOperationState)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pOperationState,
+  CK_ULONG ulOperationStateLen,
+  CK_OBJECT_HANDLE hEncryptionKey,
+  CK_OBJECT_HANDLE hAuthenticationKey
+)
+{
+  return NSSCKFWC_SetOperationState(fwInstance, hSession, pOperationState, ulOperationStateLen, hEncryptionKey, hAuthenticationKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_SetOperationState
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pOperationState,
+  CK_ULONG ulOperationStateLen,
+  CK_OBJECT_HANDLE hEncryptionKey,
+  CK_OBJECT_HANDLE hAuthenticationKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_SetOperationState)(hSession, pOperationState, ulOperationStateLen, hEncryptionKey, hAuthenticationKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Login)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_USER_TYPE userType,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen
+)
+{
+  return NSSCKFWC_Login(fwInstance, hSession, userType, pPin, ulPinLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_Login
+(
+  CK_SESSION_HANDLE hSession,
+  CK_USER_TYPE userType,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Login)(hSession, userType, pPin, ulPinLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Logout)
+(
+  CK_SESSION_HANDLE hSession
+)
+{
+  return NSSCKFWC_Logout(fwInstance, hSession);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_Logout
+(
+  CK_SESSION_HANDLE hSession
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Logout)(hSession);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_CreateObject)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phObject
+)
+{
+  return NSSCKFWC_CreateObject(fwInstance, hSession, pTemplate, ulCount, phObject);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_CreateObject
+(
+  CK_SESSION_HANDLE hSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phObject
+)
+{
+  return __ADJOIN(MODULE_NAME,C_CreateObject)(hSession, pTemplate, ulCount, phObject);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_CopyObject)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phNewObject
+)
+{
+  return NSSCKFWC_CopyObject(fwInstance, hSession, hObject, pTemplate, ulCount, phNewObject);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_CopyObject
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phNewObject
+)
+{
+  return __ADJOIN(MODULE_NAME,C_CopyObject)(hSession, hObject, pTemplate, ulCount, phNewObject);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DestroyObject)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject
+)
+{
+  return NSSCKFWC_DestroyObject(fwInstance, hSession, hObject);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DestroyObject
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DestroyObject)(hSession, hObject);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetObjectSize)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ULONG_PTR pulSize
+)
+{
+  return NSSCKFWC_GetObjectSize(fwInstance, hSession, hObject, pulSize);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetObjectSize
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ULONG_PTR pulSize
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetObjectSize)(hSession, hObject, pulSize);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetAttributeValue)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+)
+{
+  return NSSCKFWC_GetAttributeValue(fwInstance, hSession, hObject, pTemplate, ulCount);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetAttributeValue
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetAttributeValue)(hSession, hObject, pTemplate, ulCount);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_SetAttributeValue)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+)
+{
+  return NSSCKFWC_SetAttributeValue(fwInstance, hSession, hObject, pTemplate, ulCount);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_SetAttributeValue
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+)
+{
+  return __ADJOIN(MODULE_NAME,C_SetAttributeValue)(hSession, hObject, pTemplate, ulCount);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_FindObjectsInit)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+)
+{
+  return NSSCKFWC_FindObjectsInit(fwInstance, hSession, pTemplate, ulCount);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_FindObjectsInit
+(
+  CK_SESSION_HANDLE hSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+)
+{
+  return __ADJOIN(MODULE_NAME,C_FindObjectsInit)(hSession, pTemplate, ulCount);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_FindObjects)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE_PTR phObject,
+  CK_ULONG ulMaxObjectCount,
+  CK_ULONG_PTR pulObjectCount
+)
+{
+  return NSSCKFWC_FindObjects(fwInstance, hSession, phObject, ulMaxObjectCount, pulObjectCount);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_FindObjects
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE_PTR phObject,
+  CK_ULONG ulMaxObjectCount,
+  CK_ULONG_PTR pulObjectCount
+)
+{
+  return __ADJOIN(MODULE_NAME,C_FindObjects)(hSession, phObject, ulMaxObjectCount, pulObjectCount);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_FindObjectsFinal)
+(
+  CK_SESSION_HANDLE hSession
+)
+{
+  return NSSCKFWC_FindObjectsFinal(fwInstance, hSession);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_FindObjectsFinal
+(
+  CK_SESSION_HANDLE hSession
+)
+{
+  return __ADJOIN(MODULE_NAME,C_FindObjectsFinal)(hSession);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_EncryptInit)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return NSSCKFWC_EncryptInit(fwInstance, hSession, pMechanism, hKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_EncryptInit
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_EncryptInit)(hSession, pMechanism, hKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Encrypt)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pEncryptedData,
+  CK_ULONG_PTR pulEncryptedDataLen
+)
+{
+  return NSSCKFWC_Encrypt(fwInstance, hSession, pData, ulDataLen, pEncryptedData, pulEncryptedDataLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_Encrypt
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pEncryptedData,
+  CK_ULONG_PTR pulEncryptedDataLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Encrypt)(hSession, pData, ulDataLen, pEncryptedData, pulEncryptedDataLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_EncryptUpdate)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+)
+{
+  return NSSCKFWC_EncryptUpdate(fwInstance, hSession, pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_EncryptUpdate
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_EncryptUpdate)(hSession, pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_EncryptFinal)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pLastEncryptedPart,
+  CK_ULONG_PTR pulLastEncryptedPartLen
+)
+{
+  return NSSCKFWC_EncryptFinal(fwInstance, hSession, pLastEncryptedPart, pulLastEncryptedPartLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_EncryptFinal
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pLastEncryptedPart,
+  CK_ULONG_PTR pulLastEncryptedPartLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_EncryptFinal)(hSession, pLastEncryptedPart, pulLastEncryptedPartLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DecryptInit)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return NSSCKFWC_DecryptInit(fwInstance, hSession, pMechanism, hKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DecryptInit
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DecryptInit)(hSession, pMechanism, hKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Decrypt)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedData,
+  CK_ULONG ulEncryptedDataLen,
+  CK_BYTE_PTR pData,
+  CK_ULONG_PTR pulDataLen
+)
+{
+  return NSSCKFWC_Decrypt(fwInstance, hSession, pEncryptedData, ulEncryptedDataLen, pData, pulDataLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_Decrypt
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedData,
+  CK_ULONG ulEncryptedDataLen,
+  CK_BYTE_PTR pData,
+  CK_ULONG_PTR pulDataLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Decrypt)(hSession, pEncryptedData, ulEncryptedDataLen, pData, pulDataLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DecryptUpdate)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+)
+{
+  return NSSCKFWC_DecryptUpdate(fwInstance, hSession, pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DecryptUpdate
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DecryptUpdate)(hSession, pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DecryptFinal)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pLastPart,
+  CK_ULONG_PTR pulLastPartLen
+)
+{
+  return NSSCKFWC_DecryptFinal(fwInstance, hSession, pLastPart, pulLastPartLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DecryptFinal
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pLastPart,
+  CK_ULONG_PTR pulLastPartLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DecryptFinal)(hSession, pLastPart, pulLastPartLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DigestInit)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism
+)
+{
+  return NSSCKFWC_DigestInit(fwInstance, hSession, pMechanism);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DigestInit
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DigestInit)(hSession, pMechanism);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Digest)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pDigest,
+  CK_ULONG_PTR pulDigestLen
+)
+{
+  return NSSCKFWC_Digest(fwInstance, hSession, pData, ulDataLen, pDigest, pulDigestLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_Digest
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pDigest,
+  CK_ULONG_PTR pulDigestLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Digest)(hSession, pData, ulDataLen, pDigest, pulDigestLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DigestUpdate)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen
+)
+{
+  return NSSCKFWC_DigestUpdate(fwInstance, hSession, pPart, ulPartLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DigestUpdate
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DigestUpdate)(hSession, pPart, ulPartLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DigestKey)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return NSSCKFWC_DigestKey(fwInstance, hSession, hKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DigestKey
+(
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DigestKey)(hSession, hKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DigestFinal)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pDigest,
+  CK_ULONG_PTR pulDigestLen
+)
+{
+  return NSSCKFWC_DigestFinal(fwInstance, hSession, pDigest, pulDigestLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DigestFinal
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pDigest,
+  CK_ULONG_PTR pulDigestLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DigestFinal)(hSession, pDigest, pulDigestLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_SignInit)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return NSSCKFWC_SignInit(fwInstance, hSession, pMechanism, hKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_SignInit
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_SignInit)(hSession, pMechanism, hKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Sign)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+)
+{
+  return NSSCKFWC_Sign(fwInstance, hSession, pData, ulDataLen, pSignature, pulSignatureLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_Sign
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Sign)(hSession, pData, ulDataLen, pSignature, pulSignatureLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_SignUpdate)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen
+)
+{
+  return NSSCKFWC_SignUpdate(fwInstance, hSession, pPart, ulPartLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_SignUpdate
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_SignUpdate)(hSession, pPart, ulPartLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_SignFinal)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+)
+{
+  return NSSCKFWC_SignFinal(fwInstance, hSession, pSignature, pulSignatureLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_SignFinal
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_SignFinal)(hSession, pSignature, pulSignatureLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_SignRecoverInit)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return NSSCKFWC_SignRecoverInit(fwInstance, hSession, pMechanism, hKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_SignRecoverInit
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_SignRecoverInit)(hSession, pMechanism, hKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_SignRecover)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+)
+{
+  return NSSCKFWC_SignRecover(fwInstance, hSession, pData, ulDataLen, pSignature, pulSignatureLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_SignRecover
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_SignRecover)(hSession, pData, ulDataLen, pSignature, pulSignatureLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_VerifyInit)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return NSSCKFWC_VerifyInit(fwInstance, hSession, pMechanism, hKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_VerifyInit
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_VerifyInit)(hSession, pMechanism, hKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_Verify)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen
+)
+{
+  return NSSCKFWC_Verify(fwInstance, hSession, pData, ulDataLen, pSignature, ulSignatureLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_Verify
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_Verify)(hSession, pData, ulDataLen, pSignature, ulSignatureLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_VerifyUpdate)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen
+)
+{
+  return NSSCKFWC_VerifyUpdate(fwInstance, hSession, pPart, ulPartLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_VerifyUpdate
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_VerifyUpdate)(hSession, pPart, ulPartLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_VerifyFinal)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen
+)
+{
+  return NSSCKFWC_VerifyFinal(fwInstance, hSession, pSignature, ulSignatureLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_VerifyFinal
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_VerifyFinal)(hSession, pSignature, ulSignatureLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_VerifyRecoverInit)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return NSSCKFWC_VerifyRecoverInit(fwInstance, hSession, pMechanism, hKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_VerifyRecoverInit
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_VerifyRecoverInit)(hSession, pMechanism, hKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_VerifyRecover)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen,
+  CK_BYTE_PTR pData,
+  CK_ULONG_PTR pulDataLen
+)
+{
+  return NSSCKFWC_VerifyRecover(fwInstance, hSession, pSignature, ulSignatureLen, pData, pulDataLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_VerifyRecover
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen,
+  CK_BYTE_PTR pData,
+  CK_ULONG_PTR pulDataLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_VerifyRecover)(hSession, pSignature, ulSignatureLen, pData, pulDataLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DigestEncryptUpdate)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+)
+{
+  return NSSCKFWC_DigestEncryptUpdate(fwInstance, hSession, pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DigestEncryptUpdate
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DigestEncryptUpdate)(hSession, pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DecryptDigestUpdate)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+)
+{
+  return NSSCKFWC_DecryptDigestUpdate(fwInstance, hSession, pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DecryptDigestUpdate
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DecryptDigestUpdate)(hSession, pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_SignEncryptUpdate)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+)
+{
+  return NSSCKFWC_SignEncryptUpdate(fwInstance, hSession, pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_SignEncryptUpdate
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_SignEncryptUpdate)(hSession, pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DecryptVerifyUpdate)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+)
+{
+  return NSSCKFWC_DecryptVerifyUpdate(fwInstance, hSession, pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DecryptVerifyUpdate
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DecryptVerifyUpdate)(hSession, pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GenerateKey)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phKey
+)
+{
+  return NSSCKFWC_GenerateKey(fwInstance, hSession, pMechanism, pTemplate, ulCount, phKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GenerateKey
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GenerateKey)(hSession, pMechanism, pTemplate, ulCount, phKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GenerateKeyPair)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+  CK_ULONG ulPublicKeyAttributeCount,
+  CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+  CK_ULONG ulPrivateKeyAttributeCount,
+  CK_OBJECT_HANDLE_PTR phPublicKey,
+  CK_OBJECT_HANDLE_PTR phPrivateKey
+)
+{
+  return NSSCKFWC_GenerateKeyPair(fwInstance, hSession, pMechanism, pPublicKeyTemplate, ulPublicKeyAttributeCount, pPrivateKeyTemplate, ulPrivateKeyAttributeCount, phPublicKey, phPrivateKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GenerateKeyPair
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+  CK_ULONG ulPublicKeyAttributeCount,
+  CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+  CK_ULONG ulPrivateKeyAttributeCount,
+  CK_OBJECT_HANDLE_PTR phPublicKey,
+  CK_OBJECT_HANDLE_PTR phPrivateKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GenerateKeyPair)(hSession, pMechanism, pPublicKeyTemplate, ulPublicKeyAttributeCount, pPrivateKeyTemplate, ulPrivateKeyAttributeCount, phPublicKey, phPrivateKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_WrapKey)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hWrappingKey,
+  CK_OBJECT_HANDLE hKey,
+  CK_BYTE_PTR pWrappedKey,
+  CK_ULONG_PTR pulWrappedKeyLen
+)
+{
+  return NSSCKFWC_WrapKey(fwInstance, hSession, pMechanism, hWrappingKey, hKey, pWrappedKey, pulWrappedKeyLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_WrapKey
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hWrappingKey,
+  CK_OBJECT_HANDLE hKey,
+  CK_BYTE_PTR pWrappedKey,
+  CK_ULONG_PTR pulWrappedKeyLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_WrapKey)(hSession, pMechanism, hWrappingKey, hKey, pWrappedKey, pulWrappedKeyLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_UnwrapKey)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hUnwrappingKey,
+  CK_BYTE_PTR pWrappedKey,
+  CK_ULONG ulWrappedKeyLen,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_OBJECT_HANDLE_PTR phKey
+)
+{
+  return NSSCKFWC_UnwrapKey(fwInstance, hSession, pMechanism, hUnwrappingKey, pWrappedKey, ulWrappedKeyLen, pTemplate, ulAttributeCount, phKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_UnwrapKey
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hUnwrappingKey,
+  CK_BYTE_PTR pWrappedKey,
+  CK_ULONG ulWrappedKeyLen,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_OBJECT_HANDLE_PTR phKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_UnwrapKey)(hSession, pMechanism, hUnwrappingKey, pWrappedKey, ulWrappedKeyLen, pTemplate, ulAttributeCount, phKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_DeriveKey)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hBaseKey,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_OBJECT_HANDLE_PTR phKey
+)
+{
+  return NSSCKFWC_DeriveKey(fwInstance, hSession, pMechanism, hBaseKey, pTemplate, ulAttributeCount, phKey);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_DeriveKey
+(
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hBaseKey,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_OBJECT_HANDLE_PTR phKey
+)
+{
+  return __ADJOIN(MODULE_NAME,C_DeriveKey)(hSession, pMechanism, hBaseKey, pTemplate, ulAttributeCount, phKey);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_SeedRandom)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSeed,
+  CK_ULONG ulSeedLen
+)
+{
+  return NSSCKFWC_SeedRandom(fwInstance, hSession, pSeed, ulSeedLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_SeedRandom
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSeed,
+  CK_ULONG ulSeedLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_SeedRandom)(hSession, pSeed, ulSeedLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GenerateRandom)
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR RandomData,
+  CK_ULONG ulRandomLen
+)
+{
+  return NSSCKFWC_GenerateRandom(fwInstance, hSession, RandomData, ulRandomLen);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GenerateRandom
+(
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR RandomData,
+  CK_ULONG ulRandomLen
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GenerateRandom)(hSession, RandomData, ulRandomLen);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetFunctionStatus)
+(
+  CK_SESSION_HANDLE hSession
+)
+{
+  return NSSCKFWC_GetFunctionStatus(fwInstance, hSession);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_GetFunctionStatus
+(
+  CK_SESSION_HANDLE hSession
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetFunctionStatus)(hSession);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_CancelFunction)
+(
+  CK_SESSION_HANDLE hSession
+)
+{
+  return NSSCKFWC_CancelFunction(fwInstance, hSession);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_CancelFunction
+(
+  CK_SESSION_HANDLE hSession
+)
+{
+  return __ADJOIN(MODULE_NAME,C_CancelFunction)(hSession);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_WaitForSlotEvent)
+(
+  CK_FLAGS flags,
+  CK_SLOT_ID_PTR pSlot,
+  CK_VOID_PTR pRserved
+)
+{
+  return NSSCKFWC_WaitForSlotEvent(fwInstance, flags, pSlot, pRserved);
+}
+
+#ifdef DECLARE_STRICT_CRYPTOKI_NAMES
+CK_RV CK_ENTRY
+C_WaitForSlotEvent
+(
+  CK_FLAGS flags,
+  CK_SLOT_ID_PTR pSlot,
+  CK_VOID_PTR pRserved
+)
+{
+  return __ADJOIN(MODULE_NAME,C_WaitForSlotEvent)(flags, pSlot, pRserved);
+}
+#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetFunctionList)
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
+);
+
+static CK_FUNCTION_LIST FunctionList = {
+  { 2, 1 },
+__ADJOIN(MODULE_NAME,C_Initialize),
+__ADJOIN(MODULE_NAME,C_Finalize),
+__ADJOIN(MODULE_NAME,C_GetInfo),
+__ADJOIN(MODULE_NAME,C_GetFunctionList),
+__ADJOIN(MODULE_NAME,C_GetSlotList),
+__ADJOIN(MODULE_NAME,C_GetSlotInfo),
+__ADJOIN(MODULE_NAME,C_GetTokenInfo),
+__ADJOIN(MODULE_NAME,C_GetMechanismList),
+__ADJOIN(MODULE_NAME,C_GetMechanismInfo),
+__ADJOIN(MODULE_NAME,C_InitToken),
+__ADJOIN(MODULE_NAME,C_InitPIN),
+__ADJOIN(MODULE_NAME,C_SetPIN),
+__ADJOIN(MODULE_NAME,C_OpenSession),
+__ADJOIN(MODULE_NAME,C_CloseSession),
+__ADJOIN(MODULE_NAME,C_CloseAllSessions),
+__ADJOIN(MODULE_NAME,C_GetSessionInfo),
+__ADJOIN(MODULE_NAME,C_GetOperationState),
+__ADJOIN(MODULE_NAME,C_SetOperationState),
+__ADJOIN(MODULE_NAME,C_Login),
+__ADJOIN(MODULE_NAME,C_Logout),
+__ADJOIN(MODULE_NAME,C_CreateObject),
+__ADJOIN(MODULE_NAME,C_CopyObject),
+__ADJOIN(MODULE_NAME,C_DestroyObject),
+__ADJOIN(MODULE_NAME,C_GetObjectSize),
+__ADJOIN(MODULE_NAME,C_GetAttributeValue),
+__ADJOIN(MODULE_NAME,C_SetAttributeValue),
+__ADJOIN(MODULE_NAME,C_FindObjectsInit),
+__ADJOIN(MODULE_NAME,C_FindObjects),
+__ADJOIN(MODULE_NAME,C_FindObjectsFinal),
+__ADJOIN(MODULE_NAME,C_EncryptInit),
+__ADJOIN(MODULE_NAME,C_Encrypt),
+__ADJOIN(MODULE_NAME,C_EncryptUpdate),
+__ADJOIN(MODULE_NAME,C_EncryptFinal),
+__ADJOIN(MODULE_NAME,C_DecryptInit),
+__ADJOIN(MODULE_NAME,C_Decrypt),
+__ADJOIN(MODULE_NAME,C_DecryptUpdate),
+__ADJOIN(MODULE_NAME,C_DecryptFinal),
+__ADJOIN(MODULE_NAME,C_DigestInit),
+__ADJOIN(MODULE_NAME,C_Digest),
+__ADJOIN(MODULE_NAME,C_DigestUpdate),
+__ADJOIN(MODULE_NAME,C_DigestKey),
+__ADJOIN(MODULE_NAME,C_DigestFinal),
+__ADJOIN(MODULE_NAME,C_SignInit),
+__ADJOIN(MODULE_NAME,C_Sign),
+__ADJOIN(MODULE_NAME,C_SignUpdate),
+__ADJOIN(MODULE_NAME,C_SignFinal),
+__ADJOIN(MODULE_NAME,C_SignRecoverInit),
+__ADJOIN(MODULE_NAME,C_SignRecover),
+__ADJOIN(MODULE_NAME,C_VerifyInit),
+__ADJOIN(MODULE_NAME,C_Verify),
+__ADJOIN(MODULE_NAME,C_VerifyUpdate),
+__ADJOIN(MODULE_NAME,C_VerifyFinal),
+__ADJOIN(MODULE_NAME,C_VerifyRecoverInit),
+__ADJOIN(MODULE_NAME,C_VerifyRecover),
+__ADJOIN(MODULE_NAME,C_DigestEncryptUpdate),
+__ADJOIN(MODULE_NAME,C_DecryptDigestUpdate),
+__ADJOIN(MODULE_NAME,C_SignEncryptUpdate),
+__ADJOIN(MODULE_NAME,C_DecryptVerifyUpdate),
+__ADJOIN(MODULE_NAME,C_GenerateKey),
+__ADJOIN(MODULE_NAME,C_GenerateKeyPair),
+__ADJOIN(MODULE_NAME,C_WrapKey),
+__ADJOIN(MODULE_NAME,C_UnwrapKey),
+__ADJOIN(MODULE_NAME,C_DeriveKey),
+__ADJOIN(MODULE_NAME,C_SeedRandom),
+__ADJOIN(MODULE_NAME,C_GenerateRandom),
+__ADJOIN(MODULE_NAME,C_GetFunctionStatus),
+__ADJOIN(MODULE_NAME,C_CancelFunction),
+__ADJOIN(MODULE_NAME,C_WaitForSlotEvent)
+};
+
+CK_RV CK_ENTRY
+__ADJOIN(MODULE_NAME,C_GetFunctionList)
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
+)
+{
+  *ppFunctionList = &FunctionList;
+  return CKR_OK;
+}
+
+/* This one is always present */
+#ifdef WIN32
+CK_RV _declspec(dllexport)
+#else
+CK_RV CK_ENTRY
+#endif
+C_GetFunctionList
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList
+)
+{
+  return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList);
+}
+
+#undef __ADJOIN
+
diff --git a/security/nss/lib/ckfw/nssckepv.h b/security/nss/lib/ckfw/nssckepv.h
new file mode 100644
index 000000000..351765b70
--- /dev/null
+++ b/security/nss/lib/ckfw/nssckepv.h
@@ -0,0 +1,39 @@
+/* THIS IS A GENERATED FILE */
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#ifndef NSSCKEPV_H
+#define NSSCKEPV_H
+
+#include "pkcs11.h"
+
+#endif /* NSSCKEPV_H */
diff --git a/security/nss/lib/ckfw/nssckft.h b/security/nss/lib/ckfw/nssckft.h
new file mode 100644
index 000000000..a258144db
--- /dev/null
+++ b/security/nss/lib/ckfw/nssckft.h
@@ -0,0 +1,40 @@
+/* THIS IS A GENERATED FILE */
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _NSSCKFT_H_
+#define _NSSCKFT_H_ 1
+
+#include "pkcs11t.h"
+
+#endif /* _NSSCKFT_H_ */
diff --git a/security/nss/lib/ckfw/nssckfw.h b/security/nss/lib/ckfw/nssckfw.h
new file mode 100644
index 000000000..769427ab6
--- /dev/null
+++ b/security/nss/lib/ckfw/nssckfw.h
@@ -0,0 +1,510 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef NSSCKFW_H
+#define NSSCKFW_H
+
+#ifdef DEBUG
+static const char NSSCKFW_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * nssckfw.h
+ *
+ * This file prototypes the publicly available calls of the 
+ * NSS Cryptoki Framework.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCKFWT_H
+#include "nssckfwt.h"
+#endif /* NSSCKFWT_H */
+
+/*
+ * NSSCKFWInstance
+ *
+ *  NSSCKFWInstance_GetMDInstance
+ *  NSSCKFWInstance_GetArena
+ *  NSSCKFWInstance_MayCreatePthreads
+ *  NSSCKFWInstance_CreateMutex
+ *  NSSCKFWInstance_GetConfigurationData
+ */
+
+/*
+ * NSSCKFWInstance_GetMDInstance
+ *
+ */
+
+NSS_EXTERN NSSCKMDInstance *
+NSSCKFWInstance_GetMDInstance
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * NSSCKFWInstance_GetArena
+ *
+ */
+
+NSS_EXTERN NSSArena *
+NSSCKFWInstance_GetArena
+(
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+);
+
+/*
+ * NSSCKFWInstance_MayCreatePthreads
+ *
+ */
+
+NSS_EXTERN CK_BBOOL
+NSSCKFWInstance_MayCreatePthreads
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * NSSCKFWInstance_CreateMutex
+ *
+ */
+
+NSS_EXTERN NSSCKFWMutex *
+NSSCKFWInstance_CreateMutex
+(
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+);
+
+/*
+ * NSSCKFWInstance_GetConfigurationData
+ *
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSCKFWInstance_GetConfigurationData
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * NSSCKFWInstance_GetInitArgs
+ *
+ */
+
+NSS_EXTERN CK_C_INITIALIZE_ARGS_PTR
+NSSCKFWInstance_GetInitArgs
+(
+  NSSCKFWInstance *fwInstance
+);
+
+/*
+ * NSSCKFWSlot
+ *
+ *  NSSCKFWSlot_GetMDSlot
+ *  NSSCKFWSlot_GetFWInstance
+ *  NSSCKFWSlot_GetMDInstance
+ *
+ */
+
+/*
+ * NSSCKFWSlot_GetMDSlot
+ *
+ */
+
+NSS_EXTERN NSSCKMDSlot *
+NSSCKFWSlot_GetMDSlot
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * NSSCKFWSlot_GetFWInstance
+ *
+ */
+
+NSS_EXTERN NSSCKFWInstance *
+NSSCKFWSlot_GetFWInstance
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * NSSCKFWSlot_GetMDInstance
+ *
+ */
+
+NSS_EXTERN NSSCKMDInstance *
+NSSCKFWSlot_GetMDInstance
+(
+  NSSCKFWSlot *fwSlot
+);
+
+/*
+ * NSSCKFWToken
+ *
+ *  NSSCKFWToken_GetMDToken
+ *  NSSCKFWToken_GetFWSlot
+ *  NSSCKFWToken_GetMDSlot
+ *  NSSCKFWToken_GetSessionState
+ *
+ */
+
+/*
+ * NSSCKFWToken_GetMDToken
+ *
+ */
+
+NSS_EXTERN NSSCKMDToken *
+NSSCKFWToken_GetMDToken
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * NSSCKFWToken_GetArena
+ *
+ */
+
+NSS_EXTERN NSSArena *
+NSSCKFWToken_GetArena
+(
+  NSSCKFWToken *fwToken,
+  CK_RV *pError
+);
+
+/*
+ * NSSCKFWToken_GetFWSlot
+ *
+ */
+
+NSS_EXTERN NSSCKFWSlot *
+NSSCKFWToken_GetFWSlot
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * NSSCKFWToken_GetMDSlot
+ *
+ */
+
+NSS_EXTERN NSSCKMDSlot *
+NSSCKFWToken_GetMDSlot
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * NSSCKFWToken_GetSessionState
+ *
+ */
+
+NSS_EXTERN CK_STATE
+NSSCKFWSession_GetSessionState
+(
+  NSSCKFWToken *fwToken
+);
+
+/*
+ * NSSCKFWMechanism
+ *
+ *  NSSKCFWMechanism_GetMDMechanism
+ *  NSSCKFWMechanism_GetParameter
+ *
+ */
+
+/*
+ * NSSKCFWMechanism_GetMDMechanism
+ *
+ */
+
+NSS_EXTERN NSSCKMDMechanism *
+NSSCKFWMechanism_GetMDMechanism
+(
+  NSSCKFWMechanism *fwMechanism
+);
+
+/*
+ * NSSCKFWMechanism_GetParameter
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCKFWMechanism_GetParameter
+(
+  NSSCKFWMechanism *fwMechanism
+);
+
+/*
+ * NSSCKFWSession
+ *
+ *  NSSCKFWSession_GetMDSession
+ *  NSSCKFWSession_GetArena
+ *  NSSCKFWSession_CallNotification
+ *  NSSCKFWSession_IsRWSession
+ *  NSSCKFWSession_IsSO
+ *
+ */
+
+/*
+ * NSSCKFWSession_GetMDSession
+ *
+ */
+
+NSS_EXTERN NSSCKMDSession *
+NSSCKFWSession_GetMDSession
+(
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * NSSCKFWSession_GetArena
+ *
+ */
+
+NSS_EXTERN NSSArena *
+NSSCKFWSession_GetArena
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+);
+
+/*
+ * NSSCKFWSession_CallNotification
+ *
+ */
+
+NSS_EXTERN CK_RV
+NSSCKFWSession_CallNotification
+(
+  NSSCKFWSession *fwSession,
+  CK_NOTIFICATION event
+);
+
+/*
+ * NSSCKFWSession_IsRWSession
+ *
+ */
+
+NSS_EXTERN CK_BBOOL
+NSSCKFWSession_IsRWSession
+(
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * NSSCKFWSession_IsSO
+ *
+ */
+
+NSS_EXTERN CK_BBOOL
+NSSCKFWSession_IsSO
+(
+  NSSCKFWSession *fwSession
+);
+
+/*
+ * NSSCKFWObject
+ *
+ *  NSSCKFWObject_GetMDObject
+ *  NSSCKFWObject_GetArena
+ *  NSSCKFWObject_IsTokenObject
+ *  NSSCKFWObject_GetAttributeCount
+ *  NSSCKFWObject_GetAttributeTypes
+ *  NSSCKFWObject_GetAttributeSize
+ *  NSSCKFWObject_GetAttribute
+ *  NSSCKFWObject_GetObjectSize
+ */
+
+/*
+ * NSSCKFWObject_GetMDObject
+ *
+ */
+NSS_EXTERN NSSCKMDObject *
+NSSCKFWObject_GetMDObject
+(
+  NSSCKFWObject *fwObject
+);
+
+/*
+ * NSSCKFWObject_GetArena
+ *
+ */
+NSS_EXTERN NSSArena *
+NSSCKFWObject_GetArena
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+);
+
+/*
+ * NSSCKFWObject_IsTokenObject
+ *
+ */
+NSS_EXTERN CK_BBOOL
+NSSCKFWObject_IsTokenObject
+(
+  NSSCKFWObject *fwObject
+);
+
+/*
+ * NSSCKFWObject_GetAttributeCount
+ *
+ */
+NSS_EXTERN CK_ULONG
+NSSCKFWObject_GetAttributeCount
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+);
+
+/*
+ * NSSCKFWObject_GetAttributeTypes
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWObject_GetAttributeTypes
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount
+);
+
+/*
+ * NSSCKFWObject_GetAttributeSize
+ *
+ */
+NSS_EXTERN CK_ULONG
+NSSCKFWObject_GetAttributeSize
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+);
+
+/*
+ * NSSCKFWObject_GetAttribute
+ *
+ */
+NSS_EXTERN NSSItem *
+NSSCKFWObject_GetAttribute
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSItem *itemOpt,
+  NSSArena *arenaOpt,
+  CK_RV *pError
+);
+
+/*
+ * NSSCKFWObject_GetObjectSize
+ *
+ */
+NSS_EXTERN CK_ULONG
+NSSCKFWObject_GetObjectSize
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+);
+
+/*
+ * NSSCKFWFindObjects
+ *
+ *  NSSCKFWFindObjects_GetMDFindObjects
+ *
+ */
+
+/*
+ * NSSCKFWFindObjects_GetMDFindObjects
+ *
+ */
+
+NSS_EXTERN NSSCKMDFindObjects *
+NSSCKFWFindObjects_GetMDFindObjects
+(
+  NSSCKFWFindObjects *
+);
+
+/*
+ * NSSCKFWMutex
+ *
+ *  NSSCKFWMutex_Destroy
+ *  NSSCKFWMutex_Lock
+ *  NSSCKFWMutex_Unlock
+ *
+ */
+
+/*
+ * NSSCKFWMutex_Destroy
+ *
+ */
+
+NSS_EXTERN CK_RV
+NSSCKFWMutex_Destroy
+(
+  NSSCKFWMutex *mutex
+);
+
+/*
+ * NSSCKFWMutex_Lock
+ *
+ */
+
+NSS_EXTERN CK_RV
+NSSCKFWMutex_Lock
+(
+  NSSCKFWMutex *mutex
+);
+
+/*
+ * NSSCKFWMutex_Unlock
+ *
+ */
+
+NSS_EXTERN CK_RV
+NSSCKFWMutex_Unlock
+(
+  NSSCKFWMutex *mutex
+);
+
+#endif /* NSSCKFW_H */
+
diff --git a/security/nss/lib/ckfw/nssckfwc.h b/security/nss/lib/ckfw/nssckfwc.h
new file mode 100644
index 000000000..02b15ec35
--- /dev/null
+++ b/security/nss/lib/ckfw/nssckfwc.h
@@ -0,0 +1,1046 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef NSSCKFWC_H
+#define NSSCKFWC_H
+
+#ifdef DEBUG
+static const char NSSCKFWC_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * nssckfwc.h
+ *
+ * This file prototypes all of the NSS Cryptoki Framework "wrapper" 
+ * which implement the PKCS#11 API.  Technically, these are public
+ * routines (with capital "NSS" prefixes), since they are called
+ * from (generated) code within a Module using the Framework.
+ * However, they should not be called except from those generated
+ * calls.  Hence, the prototypes have been split out into this file.
+ */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCKFWT_H
+#include "nssckfwt.h"
+#endif /* NSSCKFWT_H */
+
+#ifndef NSSCKMDT_H
+#include "nssckmdt.h"
+#endif /* NSSCKMDT_H */
+
+/*
+ * NSSCKFWC_Initialize
+ * NSSCKFWC_Finalize
+ * NSSCKFWC_GetInfo
+ * -- NSSCKFWC_GetFunctionList -- see the API insert file
+ * NSSCKFWC_GetSlotList
+ * NSSCKFWC_GetSlotInfo
+ * NSSCKFWC_GetTokenInfo
+ * NSSCKFWC_WaitForSlotEvent
+ * NSSCKFWC_GetMechanismList
+ * NSSCKFWC_GetMechanismInfo
+ * NSSCKFWC_InitToken
+ * NSSCKFWC_InitPIN
+ * NSSCKFWC_SetPIN
+ * NSSCKFWC_OpenSession
+ * NSSCKFWC_CloseSession
+ * NSSCKFWC_CloseAllSessions
+ * NSSCKFWC_GetSessionInfo
+ * NSSCKFWC_GetOperationState
+ * NSSCKFWC_SetOperationState
+ * NSSCKFWC_Login
+ * NSSCKFWC_Logout
+ * NSSCKFWC_CreateObject
+ * NSSCKFWC_CopyObject
+ * NSSCKFWC_DestroyObject
+ * NSSCKFWC_GetObjectSize
+ * NSSCKFWC_GetAttributeValue
+ * NSSCKFWC_SetAttributeValue
+ * NSSCKFWC_FindObjectsInit
+ * NSSCKFWC_FindObjects
+ * NSSCKFWC_FindObjectsFinal
+ * NSSCKFWC_EncryptInit
+ * NSSCKFWC_Encrypt
+ * NSSCKFWC_EncryptUpdate
+ * NSSCKFWC_EncryptFinal
+ * NSSCKFWC_DecryptInit
+ * NSSCKFWC_Decrypt
+ * NSSCKFWC_DecryptUpdate
+ * NSSCKFWC_DecryptFinal
+ * NSSCKFWC_DigestInit
+ * NSSCKFWC_Digest
+ * NSSCKFWC_DigestUpdate
+ * NSSCKFWC_DigestKey
+ * NSSCKFWC_DigestFinal
+ * NSSCKFWC_SignInit
+ * NSSCKFWC_Sign
+ * NSSCKFWC_SignUpdate
+ * NSSCKFWC_SignFinal
+ * NSSCKFWC_SignRecoverInit
+ * NSSCKFWC_SignRecover
+ * NSSCKFWC_VerifyInit
+ * NSSCKFWC_Verify
+ * NSSCKFWC_VerifyUpdate
+ * NSSCKFWC_VerifyFinal
+ * NSSCKFWC_VerifyRecoverInit
+ * NSSCKFWC_VerifyRecover
+ * NSSCKFWC_DigestEncryptUpdate
+ * NSSCKFWC_DecryptDigestUpdate
+ * NSSCKFWC_SignEncryptUpdate
+ * NSSCKFWC_DecryptVerifyUpdate
+ * NSSCKFWC_GenerateKey
+ * NSSCKFWC_GenerateKeyPair
+ * NSSCKFWC_WrapKey
+ * NSSCKFWC_UnwrapKey
+ * NSSCKFWC_DeriveKey
+ * NSSCKFWC_SeedRandom
+ * NSSCKFWC_GenerateRandom
+ * NSSCKFWC_GetFunctionStatus
+ * NSSCKFWC_CancelFunction
+ */
+
+/*
+ * NSSCKFWC_Initialize
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_Initialize
+(
+  NSSCKFWInstance **pFwInstance,
+  NSSCKMDInstance *mdInstance,
+  CK_VOID_PTR pInitArgs
+);
+
+/*
+ * NSSCKFWC_Finalize
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_Finalize
+(
+  NSSCKFWInstance **pFwInstance
+);
+
+/*
+ * NSSCKFWC_GetInfo
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GetInfo
+(
+  NSSCKFWInstance *fwInstance,
+  CK_INFO_PTR pInfo
+);
+  
+/*
+ * C_GetFunctionList is implemented entirely in the Module's file which
+ * includes the Framework API insert file.  It requires no "actual"
+ * NSSCKFW routine.
+ */
+
+/*
+ * NSSCKFWC_GetSlotList
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GetSlotList
+(
+  NSSCKFWInstance *fwInstance,
+  CK_BBOOL tokenPresent,
+  CK_SLOT_ID_PTR pSlotList,
+  CK_ULONG_PTR pulCount
+);
+ 
+/*
+ * NSSCKFWC_GetSlotInfo
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GetSlotInfo
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_SLOT_INFO_PTR pInfo
+);
+
+/*
+ * NSSCKFWC_GetTokenInfo
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GetTokenInfo
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_TOKEN_INFO_PTR pInfo
+);
+
+/*
+ * NSSCKFWC_WaitForSlotEvent
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_WaitForSlotEvent
+(
+  NSSCKFWInstance *fwInstance,
+  CK_FLAGS flags,
+  CK_SLOT_ID_PTR pSlot,
+  CK_VOID_PTR pReserved
+);
+
+/*
+ * NSSCKFWC_GetMechanismList
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GetMechanismList
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_MECHANISM_TYPE_PTR pMechanismList,
+  CK_ULONG_PTR pulCount
+);
+
+/*
+ * NSSCKFWC_GetMechanismInfo
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GetMechanismInfo
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_MECHANISM_TYPE type,
+  CK_MECHANISM_INFO_PTR pInfo
+);
+
+/*
+ * NSSCKFWC_InitToken
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_InitToken
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen,
+  CK_CHAR_PTR pLabel
+);
+
+/*
+ * NSSCKFWC_InitPIN
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_InitPIN
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen
+);
+
+/*
+ * NSSCKFWC_SetPIN
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_SetPIN
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_CHAR_PTR pOldPin,
+  CK_ULONG ulOldLen,
+  CK_CHAR_PTR pNewPin,
+  CK_ULONG ulNewLen
+);
+
+/*
+ * NSSCKFWC_OpenSession
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_OpenSession
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_FLAGS flags,
+  CK_VOID_PTR pApplication,
+  CK_NOTIFY Notify,
+  CK_SESSION_HANDLE_PTR phSession
+);
+
+/*
+ * NSSCKFWC_CloseSession
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_CloseSession
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+);
+
+/*
+ * NSSCKFWC_CloseAllSessions
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_CloseAllSessions
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID
+);
+
+/*
+ * NSSCKFWC_GetSessionInfo
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GetSessionInfo
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_SESSION_INFO_PTR pInfo
+);
+
+/*
+ * NSSCKFWC_GetOperationState
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GetOperationState
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pOperationState,
+  CK_ULONG_PTR pulOperationStateLen
+);
+
+/*
+ * NSSCKFWC_SetOperationState
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_SetOperationState
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pOperationState,
+  CK_ULONG ulOperationStateLen,
+  CK_OBJECT_HANDLE hEncryptionKey,
+  CK_OBJECT_HANDLE hAuthenticationKey
+);
+
+/*
+ * NSSCKFWC_Login
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_Login
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_USER_TYPE userType,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen
+);
+
+/*
+ * NSSCKFWC_Logout
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_Logout
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+);
+
+/*
+ * NSSCKFWC_CreateObject
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_CreateObject
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phObject
+);
+
+/*
+ * NSSCKFWC_CopyObject
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_CopyObject
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phNewObject
+);
+
+/*
+ * NSSCKFWC_DestroyObject
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DestroyObject
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject
+);
+
+/*
+ * NSSCKFWC_GetObjectSize
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GetObjectSize
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ULONG_PTR pulSize
+);
+
+/*
+ * NSSCKFWC_GetAttributeValue
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GetAttributeValue
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+);
+  
+/*
+ * NSSCKFWC_SetAttributeValue
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_SetAttributeValue
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+);
+
+/*
+ * NSSCKFWC_FindObjectsInit
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_FindObjectsInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+);
+
+/*
+ * NSSCKFWC_FindObjects
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_FindObjects
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE_PTR phObject,
+  CK_ULONG ulMaxObjectCount,
+  CK_ULONG_PTR pulObjectCount
+);
+
+/*
+ * NSSCKFWC_FindObjectsFinal
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_FindObjectsFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+);
+
+/*
+ * NSSCKFWC_EncryptInit
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_EncryptInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+);
+
+/*
+ * NSSCKFWC_Encrypt
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_Encrypt
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pEncryptedData,
+  CK_ULONG_PTR pulEncryptedDataLen
+);
+
+/*
+ * NSSCKFWC_EncryptUpdate
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_EncryptUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+);
+
+/*
+ * NSSCKFWC_EncryptFinal
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_EncryptFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pLastEncryptedPart,
+  CK_ULONG_PTR pulLastEncryptedPartLen
+);
+
+/*
+ * NSSCKFWC_DecryptInit
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DecryptInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+);
+
+/*
+ * NSSCKFWC_Decrypt
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_Decrypt
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedData,
+  CK_ULONG ulEncryptedDataLen,
+  CK_BYTE_PTR pData,
+  CK_ULONG_PTR pulDataLen
+);
+
+/*
+ * NSSCKFWC_DecryptUpdate
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DecryptUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+);
+
+/*
+ * NSSCKFWC_DecryptFinal
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DecryptFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pLastPart,
+  CK_ULONG_PTR pulLastPartLen
+);
+
+/*
+ * NSSCKFWC_DigestInit
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DigestInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism
+);
+
+/*
+ * NSSCKFWC_Digest
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_Digest
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pDigest,
+  CK_ULONG_PTR pulDigestLen
+);
+
+/*
+ * NSSCKFWC_DigestUpdate
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DigestUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen
+);
+
+/*
+ * NSSCKFWC_DigestKey
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DigestKey
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hKey
+);
+
+/*
+ * NSSCKFWC_DigestFinal
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DigestFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pDigest,
+  CK_ULONG_PTR pulDigestLen
+);
+
+/*
+ * NSSCKFWC_SignInit
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_SignInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+);
+
+/*
+ * NSSCKFWC_Sign
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_Sign
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+);
+
+/*
+ * NSSCKFWC_SignUpdate
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_SignUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen
+);
+
+/*
+ * NSSCKFWC_SignFinal
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_SignFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+);
+
+/*
+ * NSSCKFWC_SignRecoverInit
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_SignRecoverInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+);
+
+/*
+ * NSSCKFWC_SignRecover
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_SignRecover
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+);
+
+/*
+ * NSSCKFWC_VerifyInit
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_VerifyInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+);
+
+/*
+ * NSSCKFWC_Verify
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_Verify
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen
+);
+
+/*
+ * NSSCKFWC_VerifyUpdate
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_VerifyUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen
+);
+
+/*
+ * NSSCKFWC_VerifyFinal
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_VerifyFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen
+);
+
+/*
+ * NSSCKFWC_VerifyRecoverInit
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_VerifyRecoverInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+);
+
+/*
+ * NSSCKFWC_VerifyRecover
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_VerifyRecover
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen,
+  CK_BYTE_PTR pData,
+  CK_ULONG_PTR pulDataLen
+);
+
+/*
+ * NSSCKFWC_DigestEncryptUpdate
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DigestEncryptUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+);
+
+/*
+ * NSSCKFWC_DecryptDigestUpdate
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DecryptDigestUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+);
+
+/*
+ * NSSCKFWC_SignEncryptUpdate
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_SignEncryptUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+);
+
+/*
+ * NSSCKFWC_DecryptVerifyUpdate
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DecryptVerifyUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+);
+
+/*
+ * NSSCKFWC_GenerateKey
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GenerateKey
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phKey
+);
+
+/*
+ * NSSCKFWC_GenerateKeyPair
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GenerateKeyPair
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+  CK_ULONG ulPublicKeyAttributeCount,
+  CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+  CK_ULONG ulPrivateKeyAttributeCount,
+  CK_OBJECT_HANDLE_PTR phPublicKey,
+  CK_OBJECT_HANDLE_PTR phPrivateKey
+);
+
+/*
+ * NSSCKFWC_WrapKey
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_WrapKey
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hWrappingKey,
+  CK_OBJECT_HANDLE hKey,
+  CK_BYTE_PTR pWrappedKey,
+  CK_ULONG_PTR pulWrappedKeyLen
+);
+
+/*
+ * NSSCKFWC_UnwrapKey
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_UnwrapKey
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hUnwrappingKey,
+  CK_BYTE_PTR pWrappedKey,
+  CK_ULONG ulWrappedKeyLen,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_OBJECT_HANDLE_PTR phKey
+);
+
+/*
+ * NSSCKFWC_DeriveKey
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_DeriveKey
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hBaseKey,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_OBJECT_HANDLE_PTR phKey
+);
+
+/*
+ * NSSCKFWC_SeedRandom
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_SeedRandom
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSeed,
+  CK_ULONG ulSeedLen
+);
+
+/*
+ * NSSCKFWC_GenerateRandom
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GenerateRandom
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pRandomData,
+  CK_ULONG ulRandomLen
+);
+
+/*
+ * NSSCKFWC_GetFunctionStatus
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_GetFunctionStatus
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+);
+
+/*
+ * NSSCKFWC_CancelFunction
+ *
+ */
+NSS_EXTERN CK_RV
+NSSCKFWC_CancelFunction
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+);
+
+#endif /* NSSCKFWC_H */
diff --git a/security/nss/lib/ckfw/nssckfwt.h b/security/nss/lib/ckfw/nssckfwt.h
new file mode 100644
index 000000000..13be0f325
--- /dev/null
+++ b/security/nss/lib/ckfw/nssckfwt.h
@@ -0,0 +1,111 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef NSSCKFWT_H
+#define NSSCKFWT_H
+
+#ifdef DEBUG
+static const char NSSCKFWT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * nssckfwt.h
+ *
+ * This file declares the public types used by the NSS Cryptoki Framework.
+ */
+
+/*
+ * NSSCKFWInstance
+ *
+ */
+
+struct NSSCKFWInstanceStr;
+typedef struct NSSCKFWInstanceStr NSSCKFWInstance;
+
+/*
+ * NSSCKFWSlot
+ *
+ */
+
+struct NSSCKFWSlotStr;
+typedef struct NSSCKFWSlotStr NSSCKFWSlot;
+
+/*
+ * NSSCKFWToken
+ *
+ */
+
+struct NSSCKFWTokenStr;
+typedef struct NSSCKFWTokenStr NSSCKFWToken;
+
+/*
+ * NSSCKFWMechanism
+ *
+ */
+
+struct NSSCKFWMechanismStr;
+typedef struct NSSCKFWMechanismStr NSSCKFWMechanism;
+
+/*
+ * NSSCKFWSession
+ *
+ */
+
+struct NSSCKFWSessionStr;
+typedef struct NSSCKFWSessionStr NSSCKFWSession;
+
+/*
+ * NSSCKFWObject
+ *
+ */
+
+struct NSSCKFWObjectStr;
+typedef struct NSSCKFWObjectStr NSSCKFWObject;
+
+/*
+ * NSSCKFWFindObjects
+ *
+ */
+
+struct NSSCKFWFindObjectsStr;
+typedef struct NSSCKFWFindObjectsStr NSSCKFWFindObjects;
+
+/*
+ * NSSCKFWMutex
+ *
+ */
+
+struct NSSCKFWMutexStr;
+typedef struct NSSCKFWMutexStr NSSCKFWMutex;
+
+#endif /* NSSCKFWT_H */
diff --git a/security/nss/lib/ckfw/nssckg.h b/security/nss/lib/ckfw/nssckg.h
new file mode 100644
index 000000000..ae7dbeb91
--- /dev/null
+++ b/security/nss/lib/ckfw/nssckg.h
@@ -0,0 +1,39 @@
+/* THIS IS A GENERATED FILE */
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#ifndef NSSCKG_H
+#define NSSCKG_H
+
+#include "pkcs11.h"
+
+#endif /* NSSCKG_H */
diff --git a/security/nss/lib/ckfw/nssckmdt.h b/security/nss/lib/ckfw/nssckmdt.h
new file mode 100644
index 000000000..30e4fc33b
--- /dev/null
+++ b/security/nss/lib/ckfw/nssckmdt.h
@@ -0,0 +1,2014 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef NSSCKMDT_H
+#define NSSCKMDT_H
+
+#ifdef DEBUG
+static const char NSSCKMDT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * nssckmdt.h
+ *
+ * This file specifies the basic types that must be implemented by
+ * any Module using the NSS Cryptoki Framework.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCKFWT_H
+#include "nssckfwt.h"
+#endif /* NSSCKFWT_H */
+
+typedef struct NSSCKMDInstanceStr NSSCKMDInstance;
+typedef struct NSSCKMDSlotStr NSSCKMDSlot;
+typedef struct NSSCKMDTokenStr NSSCKMDToken;
+typedef struct NSSCKMDSessionStr NSSCKMDSession;
+typedef struct NSSCKMDFindObjectsStr NSSCKMDFindObjects;
+typedef struct NSSCKMDMechanismStr NSSCKMDMechanism;
+typedef struct NSSCKMDObjectStr NSSCKMDObject;
+
+/*
+ * NSSCKMDInstance
+ *
+ * This is the basic handle for an instance of a PKCS#11 Module.
+ * It is returned by the Module's CreateInstance routine, and
+ * may be obtained from the corresponding NSSCKFWInstance object.
+ * It contains a pointer for use by the Module, to store any
+ * instance-related data, and it contains the EPV for a set of
+ * routines which the Module may implement for use by the Framework.
+ * Some of these routines are optional; others are mandatory.
+ */
+
+struct NSSCKMDInstanceStr {
+  /*
+   * The Module may use this pointer for its own purposes.
+   */
+  void *etc;
+
+  /*
+   * This routine is called by the Framework to initialize
+   * the Module.  This routine is optional; if unimplemented,
+   * it won't be called.  If this routine returns an error,
+   * then the initialization will fail.
+   */
+  CK_RV (PR_CALLBACK *Initialize)(
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance,
+    NSSUTF8 *configurationData
+  );
+
+  /*
+   * This routine is called when the Framework is finalizing
+   * the PKCS#11 Module.  It is the last thing called before
+   * the NSSCKFWInstance's NSSArena is destroyed.  This routine
+   * is optional; if unimplemented, it merely won't be called.
+   */
+  void (PR_CALLBACK *Finalize)(
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine gets the number of slots.  This value must
+   * never change, once the instance is initialized.  This 
+   * routine must be implemented.  It may return zero on error.
+   */
+  CK_ULONG (PR_CALLBACK *GetNSlots)(
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns the version of the Cryptoki standard
+   * to which this Module conforms.  This routine is optional;
+   * if unimplemented, the Framework uses the version to which
+   * ~it~ was implemented.
+   */
+  CK_VERSION (PR_CALLBACK *GetCryptokiVersion)(
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns a pointer to a UTF8-encoded string
+   * containing the manufacturer ID for this Module.  Only
+   * the characters completely encoded in the first thirty-
+   * two bytes are significant.  This routine is optional.
+   * The string returned is never freed; if dynamically generated,
+   * the space for it should be allocated from the NSSArena
+   * that may be obtained from the NSSCKFWInstance.  This
+   * routine may return NULL upon error; however if *pError
+   * is CKR_OK, the NULL will be considered the valid response.
+   */
+  NSSUTF8 *(PR_CALLBACK *GetManufacturerID)(
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns a pointer to a UTF8-encoded string
+   * containing a description of this Module library.  Only
+   * the characters completely encoded in the first thirty-
+   * two bytes are significant.  This routine is optional.
+   * The string returned is never freed; if dynamically generated,
+   * the space for it should be allocated from the NSSArena
+   * that may be obtained from the NSSCKFWInstance.  This
+   * routine may return NULL upon error; however if *pError
+   * is CKR_OK, the NULL will be considered the valid response.
+   */
+  NSSUTF8 *(PR_CALLBACK *GetLibraryDescription)(
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns the version of this Module library.
+   * This routine is optional; if unimplemented, the Framework
+   * will assume a Module library version of 0.1.
+   */
+  CK_VERSION (PR_CALLBACK *GetLibraryVersion)(
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns CK_TRUE if the Module wishes to
+   * handle session objects.  This routine is optional.
+   * If this routine is NULL, or if it exists but returns
+   * CK_FALSE, the Framework will assume responsibility
+   * for managing session objects.
+   */
+  CK_BBOOL (PR_CALLBACK *ModuleHandlesSessionObjects)(
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine stuffs pointers to NSSCKMDSlot objects into
+   * the specified array; one for each slot supported by this
+   * instance.  The Framework will determine the size needed
+   * for the array by calling GetNSlots.  This routine is
+   * required.
+   */
+  CK_RV (PR_CALLBACK *GetSlots)(
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDSlot *slots[]
+  );
+
+  /*
+   * This call returns a pointer to the slot in which an event
+   * has occurred.  If the block argument is CK_TRUE, the call 
+   * should block until a slot event occurs; if CK_FALSE, it 
+   * should check to see if an event has occurred, occurred, 
+   * but return NULL (and set *pError to CK_NO_EVENT) if one 
+   * hasn't.  This routine is optional; if unimplemented, the
+   * Framework will assume that no event has happened.  This
+   * routine may return NULL upon error.
+   */
+  NSSCKMDSlot *(PR_CALLBACK *WaitForSlotEvent)(
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance,
+    CK_BBOOL block,
+    CK_RV *pError
+  );
+
+  /*
+   * This object may be extended in future versions of the
+   * NSS Cryptoki Framework.  To allow for some flexibility
+   * in the area of binary compatibility, this field should
+   * be NULL.
+   */
+  void *null;
+};
+
+
+/*
+ * NSSCKMDSlot
+ *
+ * This is the basic handle for a PKCS#11 Module Slot.  It is
+ * created by the NSSCKMDInstance->GetSlots call, and may be
+ * obtained from the Framework's corresponding NSSCKFWSlot
+ * object.  It contains a pointer for use by the Module, to
+ * store any slot-related data, and it contains the EPV for
+ * a set of routines which the Module may implement for use
+ * by the Framework.  Some of these routines are optional.
+ */
+
+struct NSSCKMDSlotStr {
+  /*
+   * The Module may use this pointer for its own purposes.
+   */
+  void *etc;
+
+  /*
+   * This routine is called during the Framework initialization
+   * step, after the Framework Instance has obtained the list
+   * of slots (by calling NSSCKMDInstance->GetSlots).  Any slot-
+   * specific initialization can be done here.  This routine is
+   * optional; if unimplemented, it won't be called.  Note that
+   * if this routine returns an error, the entire Framework
+   * initialization for this Module will fail.
+   */
+  CK_RV (PR_CALLBACK *Initialize)(
+    NSSCKMDSlot *mdSlot,
+    NSSCKFWSlot *fwSlot,
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine is called when the Framework is finalizing
+   * the PKCS#11 Module.  This call (for each of the slots)
+   * is the last thing called before NSSCKMDInstance->Finalize.
+   * This routine is optional; if unimplemented, it merely 
+   * won't be called.  Note: In the rare circumstance that
+   * the Framework initialization cannot complete (due to,
+   * for example, memory limitations), this can be called with
+   * a NULL value for fwSlot.
+   */
+  void (PR_CALLBACK *Destroy)(
+    NSSCKMDSlot *mdSlot,
+    NSSCKFWSlot *fwSlot,
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns a pointer to a UTF8-encoded string
+   * containing a description of this slot.  Only the characters
+   * completely encoded in the first sixty-four bytes are
+   * significant.  This routine is optional.  The string 
+   * returned is never freed; if dynamically generated,
+   * the space for it should be allocated from the NSSArena
+   * that may be obtained from the NSSCKFWInstance.  This
+   * routine may return NULL upon error; however if *pError
+   * is CKR_OK, the NULL will be considered the valid response.
+   */
+  NSSUTF8 *(PR_CALLBACK *GetSlotDescription)(
+    NSSCKMDSlot *mdSlot,
+    NSSCKFWSlot *fwSlot,
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns a pointer to a UTF8-encoded string
+   * containing a description of the manufacturer of this slot.
+   * Only the characters completely encoded in the first thirty-
+   * two bytes are significant.  This routine is optional.  
+   * The string  returned is never freed; if dynamically generated,
+   * the space for it should be allocated from the NSSArena
+   * that may be obtained from the NSSCKFWInstance.  This
+   * routine may return NULL upon error; however if *pError
+   * is CKR_OK, the NULL will be considered the valid response.
+   */
+  NSSUTF8 *(PR_CALLBACK *GetManufacturerID)(
+    NSSCKMDSlot *mdSlot,
+    NSSCKFWSlot *fwSlot,
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns CK_TRUE if a token is present in this
+   * slot.  This routine is optional; if unimplemented, CK_TRUE
+   * is assumed.
+   */
+  CK_BBOOL (PR_CALLBACK *GetTokenPresent)(
+    NSSCKMDSlot *mdSlot,
+    NSSCKFWSlot *fwSlot,
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns CK_TRUE if the slot supports removable
+   * tokens.  This routine is optional; if unimplemented, CK_FALSE
+   * is assumed.
+   */
+  CK_BBOOL (PR_CALLBACK *GetRemovableDevice)(
+    NSSCKMDSlot *mdSlot,
+    NSSCKFWSlot *fwSlot,
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns CK_TRUE if this slot is a hardware
+   * device, or CK_FALSE if this slot is a software device.  This
+   * routine is optional; if unimplemented, CK_FALSE is assumed.
+   */
+  CK_BBOOL (PR_CALLBACK *GetHardwareSlot)(
+    NSSCKMDSlot *mdSlot,
+    NSSCKFWSlot *fwSlot,
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the version of this slot's hardware.
+   * This routine is optional; if unimplemented, the Framework
+   * will assume a hardware version of 0.1.
+   */
+  CK_VERSION (PR_CALLBACK *GetHardwareVersion)(
+    NSSCKMDSlot *mdSlot,
+    NSSCKFWSlot *fwSlot,
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the version of this slot's firmware.
+   * This routine is optional; if unimplemented, the Framework
+   * will assume a hardware version of 0.1.
+   */
+  CK_VERSION (PR_CALLBACK *GetFirmwareVersion)(
+    NSSCKMDSlot *mdSlot,
+    NSSCKFWSlot *fwSlot,
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine should return a pointer to an NSSCKMDToken
+   * object corresponding to the token in the specified slot.
+   * The NSSCKFWToken object passed in has an NSSArena
+   * available which is dedicated for this token.  This routine
+   * must be implemented.  This routine may return NULL upon
+   * error.
+   */
+  NSSCKMDToken *(PR_CALLBACK *GetToken)(
+    NSSCKMDSlot *mdSlot,
+    NSSCKFWSlot *fwSlot,
+    NSSCKMDInstance *mdInstance,                                    
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This object may be extended in future versions of the
+   * NSS Cryptoki Framework.  To allow for some flexibility
+   * in the area of binary compatibility, this field should
+   * be NULL.
+   */
+  void *null;
+};
+
+/*
+ * NSSCKMDToken
+ *
+ * This is the basic handle for a PKCS#11 Token.  It is created by
+ * the NSSCKMDSlot->GetToken call, and may be obtained from the
+ * Framework's corresponding NSSCKFWToken object.  It contains a
+ * pointer for use by the Module, to store any token-related
+ * data, and it contains the EPV for a set of routines which the
+ * Module may implement for use by the Framework.  Some of these
+ * routines are optional.
+ */
+
+struct NSSCKMDTokenStr {
+  /*
+   * The Module may use this pointer for its own purposes.
+   */
+  void *etc;
+
+  /*
+   * This routine is used to prepare a Module token object for
+   * use.  It is called after the NSSCKMDToken object is obtained
+   * from NSSCKMDSlot->GetToken.  It is named "Setup" here because
+   * Cryptoki already defines "InitToken" to do the process of
+   * wiping out any existing state on a token and preparing it for
+   * a new use.  This routine is optional; if unimplemented, it
+   * merely won't be called.
+   */
+  CK_RV (PR_CALLBACK *Setup)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine is called by the Framework whenever it notices
+   * that the token object is invalid.  (Typically this is when a 
+   * routine indicates an error such as CKR_DEVICE_REMOVED).  This
+   * call is the last thing called before the NSSArena in the
+   * corresponding NSSCKFWToken is destroyed.  This routine is
+   * optional; if unimplemented, it merely won't be called.
+   */
+  void (PR_CALLBACK *Invalidate)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine initialises the token in the specified slot.
+   * This routine is optional; if unimplemented, the Framework
+   * will fail this operation with an error of CKR_DEVICE_ERROR.
+   */
+
+  CK_RV (PR_CALLBACK *InitToken)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *pin,
+    NSSUTF8 *label
+  );
+
+  /*
+   * This routine returns a pointer to a UTF8-encoded string
+   * containing this token's label.  Only the characters
+   * completely encoded in the first thirty-two bytes are
+   * significant.  This routine is optional.  The string 
+   * returned is never freed; if dynamically generated,
+   * the space for it should be allocated from the NSSArena
+   * that may be obtained from the NSSCKFWInstance.  This
+   * routine may return NULL upon error; however if *pError
+   * is CKR_OK, the NULL will be considered the valid response.
+   */
+  NSSUTF8 *(PR_CALLBACK *GetLabel)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns a pointer to a UTF8-encoded string
+   * containing this token's manufacturer ID.  Only the characters
+   * completely encoded in the first thirty-two bytes are
+   * significant.  This routine is optional.  The string 
+   * returned is never freed; if dynamically generated,
+   * the space for it should be allocated from the NSSArena
+   * that may be obtained from the NSSCKFWInstance.  This
+   * routine may return NULL upon error; however if *pError
+   * is CKR_OK, the NULL will be considered the valid response.
+   */
+  NSSUTF8 *(PR_CALLBACK *GetManufacturerID)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns a pointer to a UTF8-encoded string
+   * containing this token's model name.  Only the characters
+   * completely encoded in the first thirty-two bytes are
+   * significant.  This routine is optional.  The string 
+   * returned is never freed; if dynamically generated,
+   * the space for it should be allocated from the NSSArena
+   * that may be obtained from the NSSCKFWInstance.  This
+   * routine may return NULL upon error; however if *pError
+   * is CKR_OK, the NULL will be considered the valid response.
+   */
+  NSSUTF8 *(PR_CALLBACK *GetModel)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns a pointer to a UTF8-encoded string
+   * containing this token's serial number.  Only the characters
+   * completely encoded in the first thirty-two bytes are
+   * significant.  This routine is optional.  The string 
+   * returned is never freed; if dynamically generated,
+   * the space for it should be allocated from the NSSArena
+   * that may be obtained from the NSSCKFWInstance.  This
+   * routine may return NULL upon error; however if *pError
+   * is CKR_OK, the NULL will be considered the valid response.
+   */
+  NSSUTF8 *(PR_CALLBACK *GetSerialNumber)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns CK_TRUE if the token has its own
+   * random number generator.  This routine is optional; if
+   * unimplemented, CK_FALSE is assumed.
+   */
+  CK_BBOOL (PR_CALLBACK *GetHasRNG)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns CK_TRUE if this token is write-protected.
+   * This routine is optional; if unimplemented, CK_FALSE is
+   * assumed.
+   */
+  CK_BBOOL (PR_CALLBACK *GetIsWriteProtected)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns CK_TRUE if this token requires a login.
+   * This routine is optional; if unimplemented, CK_FALSE is
+   * assumed.
+   */
+  CK_BBOOL (PR_CALLBACK *GetLoginRequired)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns CK_TRUE if the normal user's PIN on this
+   * token has been initialised.  This routine is optional; if
+   * unimplemented, CK_FALSE is assumed.
+   */
+  CK_BBOOL (PR_CALLBACK *GetUserPinInitialized)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns CK_TRUE if a successful save of a
+   * session's cryptographic operations state ~always~ contains
+   * all keys needed to restore the state of the session.  This
+   * routine is optional; if unimplemented, CK_FALSE is assumed.
+   */
+  CK_BBOOL (PR_CALLBACK *GetRestoreKeyNotNeeded)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns CK_TRUE if the token has its own
+   * hardware clock.  This routine is optional; if unimplemented,
+   * CK_FALSE is assumed.
+   */
+  CK_BBOOL (PR_CALLBACK *GetHasClockOnToken)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns CK_TRUE if the token has a protected
+   * authentication path.  This routine is optional; if
+   * unimplemented, CK_FALSE is assumed.
+   */
+  CK_BBOOL (PR_CALLBACK *GetHasProtectedAuthenticationPath)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns CK_TRUE if the token supports dual
+   * cryptographic operations within a single session.  This
+   * routine is optional; if unimplemented, CK_FALSE is assumed.
+   */
+  CK_BBOOL (PR_CALLBACK *GetSupportsDualCryptoOperations)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * XXX fgmr-- should we have a call to return all the flags
+   * at once, for folks who already know about Cryptoki?
+   */
+
+  /*
+   * This routine returns the maximum number of sessions that
+   * may be opened on this token.  This routine is optional;
+   * if unimplemented, the special value CK_UNAVAILABLE_INFORMATION
+   * is assumed.  XXX fgmr-- or CK_EFFECTIVELY_INFINITE?
+   */
+  CK_ULONG (PR_CALLBACK *GetMaxSessionCount)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the maximum number of read/write
+   * sesisons that may be opened on this token.  This routine
+   * is optional; if unimplemented, the special value
+   * CK_UNAVAILABLE_INFORMATION is assumed.  XXX fgmr-- or 
+   * CK_EFFECTIVELY_INFINITE?
+   */
+  CK_ULONG (PR_CALLBACK *GetMaxRwSessionCount)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the maximum PIN code length that is
+   * supported on this token.  This routine is optional;
+   * if unimplemented, the special value CK_UNAVAILABLE_INFORMATION
+   * is assumed.
+   */
+  CK_ULONG (PR_CALLBACK *GetMaxPinLen)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the minimum PIN code length that is
+   * supported on this token.  This routine is optional; if
+   * unimplemented, the special value CK_UNAVAILABLE_INFORMATION
+   *  is assumed.  XXX fgmr-- or 0?
+   */
+  CK_ULONG (PR_CALLBACK *GetMinPinLen)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the total amount of memory on the token
+   * in which public objects may be stored.  This routine is
+   * optional; if unimplemented, the special value
+   * CK_UNAVAILABLE_INFORMATION is assumed.
+   */
+  CK_ULONG (PR_CALLBACK *GetTotalPublicMemory)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the amount of unused memory on the
+   * token in which public objects may be stored.  This routine
+   * is optional; if unimplemented, the special value
+   * CK_UNAVAILABLE_INFORMATION is assumed.
+   */
+  CK_ULONG (PR_CALLBACK *GetFreePublicMemory)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the total amount of memory on the token
+   * in which private objects may be stored.  This routine is
+   * optional; if unimplemented, the special value
+   * CK_UNAVAILABLE_INFORMATION is assumed.
+   */
+  CK_ULONG (PR_CALLBACK *GetTotalPrivateMemory)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the amount of unused memory on the
+   * token in which private objects may be stored.  This routine
+   * is optional; if unimplemented, the special value
+   * CK_UNAVAILABLE_INFORMATION is assumed.
+   */
+  CK_ULONG (PR_CALLBACK *GetFreePrivateMemory)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the version number of this token's
+   * hardware.  This routine is optional; if unimplemented,
+   * the value 0.1 is assumed.
+   */
+  CK_VERSION (PR_CALLBACK *GetHardwareVersion)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the version number of this token's
+   * firmware.  This routine is optional; if unimplemented,
+   * the value 0.1 is assumed.
+   */
+  CK_VERSION (PR_CALLBACK *GetFirmwareVersion)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine stuffs the current UTC time, as obtained from
+   * the token, into the sixteen-byte buffer in the form
+   * YYYYMMDDhhmmss00.  This routine need only be implemented
+   * by token which indicate that they have a real-time clock.
+   * XXX fgmr-- think about time formats.
+   */
+  CK_RV (PR_CALLBACK *GetUTCTime)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_CHAR utcTime[16]
+  );
+
+  /*
+   * This routine creates a session on the token, and returns
+   * the corresponding NSSCKMDSession object.  The value of
+   * rw will be CK_TRUE if the session is to be a read/write 
+   * session, or CK_FALSE otherwise.  An NSSArena dedicated to
+   * the new session is available from the specified NSSCKFWSession.
+   * This routine may return NULL upon error.
+   */
+  NSSCKMDSession *(PR_CALLBACK *OpenSession)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKFWSession *fwSession,
+    CK_BBOOL rw,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns the number of PKCS#11 Mechanisms
+   * supported by this token.  This routine is optional; if
+   * unimplemented, zero is assumed.
+   */
+  CK_ULONG (PR_CALLBACK *GetMechanismCount)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine stuffs into the specified array the types
+   * of the mechanisms supported by this token.  The Framework
+   * determines the size of the array by calling GetMechanismCount.
+   */
+  CK_RV (PR_CALLBACK *GetMechanismTypes)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_MECHANISM_TYPE types[]
+  );
+
+  /*
+   * This routine returns a pointer to a Module mechanism
+   * object corresponding to a specified type.  This routine
+   * need only exist for tokens implementing at least one
+   * mechanism.
+   */
+  NSSCKMDMechanism *(PR_CALLBACK *GetMechanism)(
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKFWMechanism *fwMechanism,
+    CK_MECHANISM_TYPE which
+  );
+
+  /*
+   * This object may be extended in future versions of the
+   * NSS Cryptoki Framework.  To allow for some flexibility
+   * in the area of binary compatibility, this field should
+   * be NULL.
+   */
+  void *null;
+};
+
+/*
+ * NSSCKMDSession
+ *
+ * This is the basic handle for a session on a PKCS#11 Token.  It
+ * is created by NSSCKMDToken->OpenSession, and may be obtained
+ * from the Framework's corresponding NSSCKFWSession object.  It
+ * contains a pointer for use by the Module, to store any session-
+ * realted data, and it contains the EPV for a set of routines
+ * which the Module may implement for use by the Framework.  Some
+ * of these routines are optional.
+ */
+
+struct NSSCKMDSessionStr {
+  /*
+   * The Module may use this pointer for its own purposes.
+   */
+  void *etc;
+
+  /*
+   * This routine is called by the Framework when a session is
+   * closed.  This call is the last thing called before the
+   * NSSArena in the correspoinding NSSCKFWSession is destroyed.
+   * This routine is optional; if unimplemented, it merely won't
+   * be called.
+   */
+  void (PR_CALLBACK *Close)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine is used to get any device-specific error.
+   * This routine is optional.
+   */
+  CK_ULONG (PR_CALLBACK *GetDeviceError)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine is used to log in a user to the token.  This
+   * routine is optional, since the Framework's NSSCKFWSession
+   * object keeps track of the login state.
+   */
+  CK_RV (PR_CALLBACK *Login)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_USER_TYPE userType,
+    NSSItem *pin,
+    CK_STATE oldState,
+    CK_STATE newState
+  );
+
+  /*
+   * This routine is used to log out a user from the token.  This
+   * routine is optional, since the Framework's NSSCKFWSession
+   * object keeps track of the login state.
+   */
+  CK_RV (PR_CALLBACK *Logout)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_STATE oldState,
+    CK_STATE newState
+  );
+
+  /*
+   * This routine is used to initialize the normal user's PIN or
+   * password.  This will only be called in the "read/write
+   * security officer functions" state.  If this token has a
+   * protected authentication path, then the pin argument will
+   * be NULL.  This routine is optional; if unimplemented, the
+   * Framework will return the error CKR_TOKEN_WRITE_PROTECTED.
+   */
+  CK_RV (PR_CALLBACK *InitPIN)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *pin
+  );
+
+  /*
+   * This routine is used to modify a user's PIN or password.  This
+   * routine will only be called in the "read/write security officer
+   * functions" or "read/write user functions" state.  If this token
+   * has a protected authentication path, then the pin arguments
+   * will be NULL.  This routine is optional; if unimplemented, the
+   * Framework will return the error CKR_TOKEN_WRITE_PROTECTED.
+   */
+  CK_RV (PR_CALLBACK *SetPIN)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *oldPin,
+    NSSItem *newPin
+  );
+
+  /*
+   * This routine is used to find out how much space would be required
+   * to save the current operational state.  This routine is optional;
+   * if unimplemented, the Framework will reject any attempts to save
+   * the operational state with the error CKR_STATE_UNSAVEABLE.  This
+   * routine may return zero on error.
+   */
+  CK_ULONG (PR_CALLBACK *GetOperationStateLen)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine is used to store the current operational state.  This
+   * routine is only required if GetOperationStateLen is implemented 
+   * and can return a nonzero value.  The buffer in the specified item
+   * will be pre-allocated, and the length will specify the amount of
+   * space available (which may be more than GetOperationStateLen
+   * asked for, but which will not be smaller).
+   */
+  CK_RV (PR_CALLBACK *GetOperationState)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *buffer
+  );
+
+  /*
+   * This routine is used to restore an operational state previously
+   * obtained with GetOperationState.  The Framework will take pains
+   * to be sure that the state is (or was at one point) valid; if the
+   * Module notices that the state is invalid, it should return an
+   * error, but it is not required to be paranoid about the issue.
+   * [XXX fgmr-- should (can?) the framework verify the keys match up?]
+   * This routine is required only if GetOperationState is implemented.
+   */
+  CK_RV (PR_CALLBACK *SetOperationState)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *state,
+    NSSCKMDObject *mdEncryptionKey,
+    NSSCKFWObject *fwEncryptionKey,
+    NSSCKMDObject *mdAuthenticationKey,
+    NSSCKFWObject *fwAuthenticationKey
+  );
+
+  /*
+   * This routine is used to create an object.  The specified template
+   * will only specify a session object if the Module has indicated 
+   * that it wishes to handle its own session objects.  This routine
+   * is optional; if unimplemented, the Framework will reject the
+   * operation with the error CKR_TOKEN_WRITE_PROTECTED.  Space for
+   * token objects should come from the NSSArena available from the
+   * NSSCKFWToken object; space for session objects (if supported)
+   * should come from the NSSArena available from the NSSCKFWSession
+   * object.  The appropriate NSSArena pointer will, as a convenience,
+   * be passed as the handyArenaPointer argument.  This routine may
+   * return NULL upon error.
+   */
+  NSSCKMDObject *(PR_CALLBACK *CreateObject)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSArena *handyArenaPointer,
+    CK_ATTRIBUTE_PTR pTemplate,
+    CK_ULONG ulAttributeCount,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine is used to make a copy of an object.  It is entirely
+   * optional; if unimplemented, the Framework will try to use
+   * CreateObject instead.  If the Module has indicated that it does
+   * not wish to handle session objects, then this routine will only
+   * be called to copy a token object to another token object.
+   * Otherwise, either the original object or the new may be of
+   * either the token or session variety.  As with CreateObject, the
+   * handyArenaPointer will point to the appropriate arena for the
+   * new object.  This routine may return NULL upon error.
+   */
+  NSSCKMDObject *(PR_CALLBACK *CopyObject)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdOldObject,
+    NSSCKFWObject *fwOldObject,
+    NSSArena *handyArenaPointer,
+    CK_ATTRIBUTE_PTR pTemplate,
+    CK_ULONG ulAttributeCount,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine is used to begin an object search.  This routine may
+   * be unimplemented only if the Module does not handle session 
+   * objects, and if none of its tokens have token objects.  The
+   * NSSCKFWFindObjects pointer has an NSSArena that may be used for
+   * storage for the life of this "find" operation.  This routine may
+   * return NULL upon error.  If the Module can determine immediately
+   * that the search will not find any matching objects, it may return
+   * NULL, and specify CKR_OK as the error.
+   */
+  NSSCKMDFindObjects *(PR_CALLBACK *FindObjectsInit)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_ATTRIBUTE_PTR pTemplate,
+    CK_ULONG ulAttributeCount,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine seeds the random-number generator.  It is
+   * optional, even if GetRandom is implemented.  If unimplemented,
+   * the Framework will issue the error CKR_RANDOM_SEED_NOT_SUPPORTED.
+   */
+  CK_RV (PR_CALLBACK *SeedRandom)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *seed
+  );
+
+  /*
+   * This routine gets random data.  It is optional.  If unimplemented,
+   * the Framework will issue the error CKR_RANDOM_NO_RNG.
+   */
+  CK_RV (PR_CALLBACK *GetRandom)(
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *buffer
+  );
+
+  /*
+   * This object may be extended in future versions of the
+   * NSS Cryptoki Framework.  To allow for some flexibility
+   * in the area of binary compatibility, this field should
+   * be NULL.
+   */
+  void *null;
+};
+
+/*
+ * NSSCKMDFindObjects
+ *
+ * This is the basic handle for an object search.  It is
+ * created by NSSCKMDSession->FindObjectsInit, and may be
+ * obtained from the Framework's corresponding object.
+ * It contains a pointer for use by the Module, to store
+ * any search-related data, and it contains the EPV for a
+ * set of routines which the Module may implement for use
+ * by the Framework.  Some of these routines are optional.
+ */
+
+struct NSSCKMDFindObjectsStr {
+  /*
+   * The Module may use this pointer for its own purposes.
+   */
+  void *etc;
+
+  /*
+   * This routine is called by the Framework to finish a
+   * search operation.  Note that the Framework may finish
+   * a search before it has completed.  This routine is
+   * optional; if unimplemented, it merely won't be called.
+   */
+  void (PR_CALLBACK *Final)(
+    NSSCKMDFindObjects *mdFindObjects,
+    NSSCKFWFindObjects *fwFindObjects,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine is used to obtain another pointer to an
+   * object matching the search criteria.  This routine is
+   * required.  If no (more) objects match the search, it
+   * should return NULL and set the error to CKR_OK.
+   */
+  NSSCKMDObject *(PR_CALLBACK *Next)(
+    NSSCKMDFindObjects *mdFindObjects,
+    NSSCKFWFindObjects *fwFindObjects,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSArena *arena,
+    CK_RV *pError
+  );
+
+  /*
+   * This object may be extended in future versions of the
+   * NSS Cryptoki Framework.  To allow for some flexibility
+   * in the area of binary compatibility, this field should
+   * be NULL.
+   */
+  void *null;
+};
+
+/*
+ * NSSCKMDMechanism
+ *
+ */
+
+struct NSSCKMDMechanismStr {
+  /*
+   * The Module may use this pointer for its own purposes.
+   */
+  void *etc;
+
+  /*
+   * This routine returns the minimum key size allowed for
+   * this mechanism.  This routine is optional; if unimplemented,
+   * zero will be assumed.  This routine may return zero on
+   * error; if the error is CKR_OK, zero will be accepted as
+   * a valid response.
+   */
+  CK_ULONG (PR_CALLBACK *GetMinKeySize)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns the maximum key size allowed for
+   * this mechanism.  This routine is optional; if unimplemented,
+   * zero will be assumed.  This routine may return zero on
+   * error; if the error is CKR_OK, zero will be accepted as
+   * a valid response.
+   */
+  CK_ULONG (PR_CALLBACK *GetMaxKeySize)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine is called to determine if the mechanism is
+   * implemented in hardware or software.  It returns CK_TRUE
+   * if it is done in hardware.
+   */
+  CK_BBOOL (PR_CALLBACK *GetInHardware)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * The crypto routines themselves.  Most crypto operations may
+   * be performed in two ways, streaming and single-part.  The
+   * streaming operations involve the use of (typically) three
+   * calls-- an Init method to set up the operation, an Update
+   * method to feed data to the operation, and a Final method to
+   * obtain the final result.  Single-part operations involve
+   * one method, to perform the crypto operation all at once.
+   * The NSS Cryptoki Framework can implement the single-part
+   * operations in terms of the streaming operations on behalf
+   * of the Module.  There are a few variances.
+   * 
+   * For simplicity, the routines are listed in summary here:
+   *
+   *  EncryptInit, EncryptUpdate, EncryptFinal; Encrypt
+   *  DecryptInit, DecryptUpdate, DecryptFinal; Decrypt
+   *  DigestInit, DigestUpdate, DigestKey, DigestFinal; Digest
+   *  SignInit, SignUpdate, SignFinal; Sign
+   *  SignRecoverInit; SignRecover
+   *  VerifyInit, VerifyUpdate, VerifyFinal; Verify
+   *  VerifyRecoverInit; VerifyRecover
+   * 
+   * Also, there are some combined-operation calls:
+   * 
+   *  DigestEncryptUpdate
+   *  DecryptDigestUpdate
+   *  SignEncryptUpdate
+   *  DecryptVerifyUpdate
+   *
+   * The key-management routines are
+   *
+   *  GenerateKey
+   *  GenerateKeyPair
+   *  WrapKey
+   *  UnwrapKey
+   *  DeriveKey
+   *
+   * All of these routines based directly on the Cryptoki API; 
+   * see PKCS#11 for further information.
+   */
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *EncryptInit)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdKey,
+    NSSCKFWObject *fwKey
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *EncryptUpdate)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *data, 
+    NSSItem *buffer
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *EncryptFinal)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *buffer
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *Encrypt)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdKey,
+    NSSCKFWObject *fwKey,
+    NSSItem *data, 
+    NSSItem *buffer
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *DecryptInit)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdKey,
+    NSSCKFWObject *fwKey
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *DecryptUpdate)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *data, 
+    NSSItem *buffer
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *DecryptFinal)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *buffer
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *Decrypt)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdKey,
+    NSSCKFWObject *fwKey,
+    NSSItem *data, 
+    NSSItem *buffer
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *DigestInit)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *DigestUpdate)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *data
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *DigestKey)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdKey,
+    NSSCKFWObject *fwKey
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *DigestFinal)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *buffer
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *Digest)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *data, 
+    NSSItem *buffer
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *SignInit)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdKey,
+    NSSCKFWObject *fwKey
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *SignUpdate)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *data,
+    NSSItem *buffer
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *SignFinal)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *buffer
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *Sign)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdKey,
+    NSSCKFWObject *fwKey,
+    NSSItem *data,
+    NSSItem *buffer
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *VerifyInit)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKFWObject *key
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *VerifyUpdate)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *data
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *VerifyFinish)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *buffer
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *Verify)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKFWObject *key,
+    NSSItem *data,
+    NSSItem *buffer
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *SignRecover)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdKey,
+    NSSCKFWObject *fwKey,
+    NSSItem *data,
+    NSSItem *buffer
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *VerifyRecover)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdKey,
+    NSSCKFWObject *fwKey,
+    NSSItem *data,
+    NSSItem *buffer
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *DigestEncryptUpdate)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *data,
+    NSSItem *buffer
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *DecryptDigestUpdate)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *data,
+    NSSItem *buffer
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *SignEncryptUpdate)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *data,
+    NSSItem *buffer
+  );
+
+  /*
+   */
+  CK_RV (PR_CALLBACK *DecryptVerifyUpdate)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSItem *data,
+    NSSItem *buffer
+  );
+
+  /*
+   * Key management operations.
+   */
+
+  /*
+   * This routine generates a key.  This routine may return NULL
+   * upon error.
+   */
+  NSSCKMDObject *(PR_CALLBACK *GenerateKey)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_ATTRIBUTE_PTR pTemplate,
+    CK_ULONG ulAttributeCount,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine generates a key pair.
+   */
+  CK_RV (PR_CALLBACK *GenerateKeyPair)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+    CK_ULONG ulPublicKeyAttributeCount,
+    CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+    CK_ULONG ulPrivateKeyAttributeCount,
+    NSSCKMDObject **pPublicKey,
+    NSSCKMDObject **pPrivateKey
+  );
+
+  /*
+   * This routine wraps a key.
+   */
+  CK_RV (PR_CALLBACK *WrapKey)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdWrappingKey,
+    NSSCKFWObject *fwWrappingKey,
+    NSSCKMDObject *mdWrappedKey,
+    NSSCKFWObject *fwWrappedKey,
+    NSSItem *buffer
+  );
+
+  /*
+   * This routine unwraps a key.  This routine may return NULL
+   * upon error.
+   */
+  NSSCKMDObject *(PR_CALLBACK *UnwrapKey)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdWrappingKey,
+    NSSCKFWObject *fwWrappingKey,
+    NSSItem *wrappedKey,
+    CK_ATTRIBUTE_PTR pTemplate,
+    CK_ULONG ulAttributeCount,
+    CK_RV *pError
+  );    
+    
+  /*
+   * This routine derives a key.  This routine may return NULL
+   * upon error.
+   */
+  NSSCKMDObject *(PR_CALLBACK *DeriveKey)(
+    NSSCKMDMechanism *mdMechanism,
+    NSSCKFWMechanism *fwMechanism,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    NSSCKMDObject *mdBaseKey,
+    NSSCKFWObject *fwBaseKey,
+    CK_ATTRIBUTE_PTR pTemplate,
+    CK_ULONG ulAttributeCount,
+    CK_RV *pError
+  );    
+
+  /*
+   * This object may be extended in future versions of the
+   * NSS Cryptoki Framework.  To allow for some flexibility
+   * in the area of binary compatibility, this field should
+   * be NULL.
+   */
+  void *null;
+};
+
+/*
+ * NSSCKMDObject
+ *
+ * This is the basic handle for any object used by a PKCS#11 Module.
+ * Modules must implement it if they support their own objects, and
+ * the Framework supports it for Modules that do not handle session
+ * objects.  This type contains a pointer for use by the implementor,
+ * to store any object-specific data, and it contains an EPV for a
+ * set of routines used to access the object.
+ */
+
+struct NSSCKMDObjectStr {
+  /*
+   * The implementation my use this pointer for its own purposes.
+   */
+  void *etc;
+
+  /*
+   * This routine is called by the Framework when it is letting
+   * go of an object handle.  It can be used by the Module to
+   * free any resources tied up by an object "in use."  It is
+   * optional.
+   */
+  void (PR_CALLBACK *Finalize)(
+    NSSCKMDObject *mdObject,
+    NSSCKFWObject *fwObject,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine is used to completely destroy an object.
+   * It is optional.  The parameter fwObject might be NULL
+   * if the framework runs out of memory at the wrong moment.
+   */
+  CK_RV (PR_CALLBACK *Destroy)(
+    NSSCKMDObject *mdObject,
+    NSSCKFWObject *fwObject,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This helper routine is used by the Framework, and is especially
+   * useful when it is managing session objects on behalf of the
+   * Module.  This routine is optional; if unimplemented, the
+   * Framework will actually look up the CKA_TOKEN attribute.  In the
+   * event of an error, just make something up-- the Framework will
+   * find out soon enough anyway.
+   */
+  CK_BBOOL (PR_CALLBACK *IsTokenObject)(
+    NSSCKMDObject *mdObject,
+    NSSCKFWObject *fwObject,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance
+  );
+
+  /*
+   * This routine returns the number of attributes of which this
+   * object consists.  It is mandatory.  It can return zero on
+   * error.
+   */
+  CK_ULONG (PR_CALLBACK *GetAttributeCount)(
+    NSSCKMDObject *mdObject,
+    NSSCKFWObject *fwObject,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine stuffs the attribute types into the provided array.
+   * The array size (as obtained from GetAttributeCount) is passed in
+   * as a check; return CKR_BUFFER_TOO_SMALL if the count is wrong
+   * (either too big or too small).
+   */
+  CK_RV (PR_CALLBACK *GetAttributeTypes)(
+    NSSCKMDObject *mdObject,
+    NSSCKFWObject *fwObject,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_ATTRIBUTE_TYPE_PTR typeArray,
+    CK_ULONG ulCount
+  );
+
+  /*
+   * This routine returns the size (in bytes) of the specified
+   * attribute.  It can return zero on error.
+   */
+  CK_ULONG (PR_CALLBACK *GetAttributeSize)(
+    NSSCKMDObject *mdObject,
+    NSSCKFWObject *fwObject,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_ATTRIBUTE_TYPE attribute,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine returns the specified attribute.  It can return
+   * NULL upon error.  The pointer in the item will not be freed;
+   * any host memory required should come from the object's arena
+   * (which is likely the Framework's token or session arena).
+   * It may return NULL on error.
+   */
+  const NSSItem *(PR_CALLBACK *GetAttribute)(
+    NSSCKMDObject *mdObject,
+    NSSCKFWObject *fwObject,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_ATTRIBUTE_TYPE attribute,
+    CK_RV *pError
+  );
+
+  /*
+   * This routine changes the specified attribute.  If unimplemented,
+   * the object will be considered read-only.
+   */
+  CK_RV (PR_CALLBACK *SetAttribute)(
+    NSSCKMDObject *mdObject,
+    NSSCKFWObject *fwObject,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_ATTRIBUTE_TYPE attribute,
+    NSSItem *value
+  );
+
+  /*
+   * This routine returns the storage requirements of this object,
+   * in bytes.  Cryptoki doesn't strictly define the definition,
+   * but it should relate to the values returned by the "Get Memory"
+   * routines of the NSSCKMDToken.  This routine is optional; if
+   * unimplemented, the Framework will consider this information
+   * sensitive.  This routine may return zero on error.  If the
+   * specified error is CKR_OK, zero will be accepted as a valid
+   * response.
+   */
+  CK_ULONG (PR_CALLBACK *GetObjectSize)(
+    NSSCKMDObject *mdObject,
+    NSSCKFWObject *fwObject,
+    NSSCKMDSession *mdSession,
+    NSSCKFWSession *fwSession,
+    NSSCKMDToken *mdToken,
+    NSSCKFWToken *fwToken,
+    NSSCKMDInstance *mdInstance,
+    NSSCKFWInstance *fwInstance,
+    CK_RV *pError
+  );
+
+  /*
+   * This object may be extended in future versions of the
+   * NSS Cryptoki Framework.  To allow for some flexibility
+   * in the area of binary compatibility, this field should
+   * be NULL.
+   */
+  void *null;
+};
+
+
+#endif /* NSSCKMDT_H */
diff --git a/security/nss/lib/ckfw/nssckt.h b/security/nss/lib/ckfw/nssckt.h
new file mode 100644
index 000000000..f1b2ef1b5
--- /dev/null
+++ b/security/nss/lib/ckfw/nssckt.h
@@ -0,0 +1,42 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#ifndef _NSSCKT_H_
+#define _NSSCKT_H_ 1
+
+#include "pkcs11t.h"
+
+typedef CK_ATTRIBUTE_TYPE CK_PTR CK_ATTRIBUTE_TYPE_PTR;
+#define CK_ENTRY
+
+#endif /* _NSSCKT_H_ */
+
diff --git a/security/nss/lib/ckfw/object.c b/security/nss/lib/ckfw/object.c
new file mode 100644
index 000000000..de24fb633
--- /dev/null
+++ b/security/nss/lib/ckfw/object.c
@@ -0,0 +1,1039 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * object.c
+ *
+ * This file implements the NSSCKFWObject type and methods.
+ */
+
+#ifndef CK_T
+#include "ck.h"
+#endif /* CK_T */
+
+/*
+ * NSSCKFWObject
+ *
+ * -- create/destroy --
+ *  nssCKFWObject_Create
+ *  nssCKFWObject_Finalize
+ *  nssCKFWObject_Destroy
+ *
+ * -- public accessors --
+ *  NSSCKFWObject_GetMDObject
+ *  NSSCKFWObject_GetArena
+ *  NSSCKFWObject_IsTokenObject
+ *  NSSCKFWObject_GetAttributeCount
+ *  NSSCKFWObject_GetAttributeTypes
+ *  NSSCKFWObject_GetAttributeSize
+ *  NSSCKFWObject_GetAttribute
+ *  NSSCKFWObject_SetAttribute
+ *  NSSCKFWObject_GetObjectSize
+ *
+ * -- implement public accessors --
+ *  nssCKFWObject_GetMDObject
+ *  nssCKFWObject_GetArena
+ *
+ * -- private accessors --
+ *  nssCKFWObject_SetHandle
+ *  nssCKFWObject_GetHandle
+ *
+ * -- module fronts --
+ *  nssCKFWObject_IsTokenObject
+ *  nssCKFWObject_GetAttributeCount
+ *  nssCKFWObject_GetAttributeTypes
+ *  nssCKFWObject_GetAttributeSize
+ *  nssCKFWObject_GetAttribute
+ *  nssCKFWObject_SetAttribute
+ *  nssCKFWObject_GetObjectSize
+ */
+
+struct NSSCKFWObjectStr {
+  NSSCKFWMutex *mutex; /* merely to serialise the MDObject calls */
+  NSSArena *arena;
+  NSSCKMDObject *mdObject;
+  NSSCKMDSession *mdSession;
+  NSSCKFWSession *fwSession;
+  NSSCKMDToken *mdToken;
+  NSSCKFWToken *fwToken;
+  NSSCKMDInstance *mdInstance;
+  NSSCKFWInstance *fwInstance;
+  CK_OBJECT_HANDLE hObject;
+};
+
+#ifdef DEBUG
+/*
+ * But first, the pointer-tracking stuff.
+ *
+ * NOTE: the pointer-tracking support in NSS/base currently relies
+ * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
+ * locking, which is tied into the runtime.  We need a pointer-tracker
+ * implementation that uses the locks supplied through C_Initialize.
+ * That support, however, can be filled in later.  So for now, I'll
+ * just do this routines as no-ops.
+ */
+
+static CK_RV
+object_add_pointer
+(
+  const NSSCKFWObject *fwObject
+)
+{
+  return CKR_OK;
+}
+
+static CK_RV
+object_remove_pointer
+(
+  const NSSCKFWObject *fwObject
+)
+{
+  return CKR_OK;
+}
+
+NSS_IMPLEMENT CK_RV
+nssCKFWObject_verifyPointer
+(
+  const NSSCKFWObject *fwObject
+)
+{
+  return CKR_OK;
+}
+
+#endif /* DEBUG */
+
+
+/*
+ * nssCKFWObject_Create
+ *
+ */
+NSS_IMPLEMENT NSSCKFWObject *
+nssCKFWObject_Create
+(
+  NSSArena *arena,
+  NSSCKMDObject *mdObject,
+  NSSCKFWSession *fwSession,
+  NSSCKFWToken *fwToken,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  NSSCKFWObject *fwObject;
+  nssCKFWHash *mdObjectHash;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    *pError = CKR_ARGUMENTS_BAD;
+    return (NSSCKFWObject *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  mdObjectHash = nssCKFWToken_GetMDObjectHash(fwToken);
+  if( (nssCKFWHash *)NULL == mdObjectHash ) {
+    *pError = CKR_GENERAL_ERROR;
+    return (NSSCKFWObject *)NULL;
+  }
+
+  if( nssCKFWHash_Exists(mdObjectHash, mdObject) ) {
+    fwObject = nssCKFWHash_Lookup(mdObjectHash, mdObject);
+    return fwObject;
+  }
+
+  fwObject = nss_ZNEW(arena, NSSCKFWObject);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKFWObject *)NULL;
+  }
+
+  fwObject->arena = arena;
+  fwObject->mdObject = mdObject;
+  fwObject->fwSession = fwSession;
+
+  if( (NSSCKFWSession *)NULL != fwSession ) {
+    fwObject->mdSession = nssCKFWSession_GetMDSession(fwSession);
+  }
+
+  fwObject->fwToken = fwToken;
+
+  if( (NSSCKFWToken *)NULL != fwToken ) {
+    fwObject->mdToken = nssCKFWToken_GetMDToken(fwToken);
+  }
+
+  fwObject->fwInstance = fwInstance;
+  fwObject->mdInstance = nssCKFWInstance_GetMDInstance(fwInstance);
+  fwObject->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
+  if( (NSSCKFWMutex *)NULL == fwObject->mutex ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    return (NSSCKFWObject *)NULL;
+  }
+
+  *pError = nssCKFWHash_Add(mdObjectHash, mdObject, fwObject);
+  if( CKR_OK != *pError ) {
+    nss_ZFreeIf(fwObject);
+    return (NSSCKFWObject *)NULL;
+  }
+
+#ifdef DEBUG
+  *pError = object_add_pointer(fwObject);
+  if( CKR_OK != *pError ) {
+    nssCKFWHash_Remove(mdObjectHash, mdObject);
+    nss_ZFreeIf(fwObject);
+    return (NSSCKFWObject *)NULL;
+  }
+#endif /* DEBUG */
+
+  *pError = CKR_OK;
+  return fwObject;
+}
+
+/*
+ * nssCKFWObject_Finalize
+ *
+ */
+NSS_IMPLEMENT void
+nssCKFWObject_Finalize
+(
+  NSSCKFWObject *fwObject
+)
+{
+  nssCKFWHash *mdObjectHash;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
+    return;
+  }
+#endif /* NSSDEBUG */
+
+  (void)nssCKFWMutex_Destroy(fwObject->mutex);
+
+  if( (void *)NULL != (void *)fwObject->mdObject->Finalize ) {
+    fwObject->mdObject->Finalize(fwObject->mdObject, fwObject,
+      fwObject->mdSession, fwObject->fwSession, fwObject->mdToken,
+      fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance);
+  }
+
+  mdObjectHash = nssCKFWToken_GetMDObjectHash(fwObject->fwToken);
+  if( (nssCKFWHash *)NULL != mdObjectHash ) {
+    nssCKFWHash_Remove(mdObjectHash, fwObject->mdObject);
+  }
+
+  nssCKFWSession_DeregisterSessionObject(fwObject->fwSession, fwObject);
+  nss_ZFreeIf(fwObject);
+
+#ifdef DEBUG
+  (void)object_remove_pointer(fwObject);
+#endif /* DEBUG */
+
+  return;
+}
+
+/*
+ * nssCKFWObject_Destroy
+ *
+ */
+NSS_IMPLEMENT void
+nssCKFWObject_Destroy
+(
+  NSSCKFWObject *fwObject
+)
+{
+  nssCKFWHash *mdObjectHash;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
+    return;
+  }
+#endif /* NSSDEBUG */
+
+  (void)nssCKFWMutex_Destroy(fwObject->mutex);
+
+  if( (void *)NULL != (void *)fwObject->mdObject->Destroy ) {
+    fwObject->mdObject->Destroy(fwObject->mdObject, fwObject,
+      fwObject->mdSession, fwObject->fwSession, fwObject->mdToken,
+      fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance);
+  }
+
+  mdObjectHash = nssCKFWToken_GetMDObjectHash(fwObject->fwToken);
+  if( (nssCKFWHash *)NULL != mdObjectHash ) {
+    nssCKFWHash_Remove(mdObjectHash, fwObject->mdObject);
+  }
+
+  nssCKFWSession_DeregisterSessionObject(fwObject->fwSession, fwObject);
+  nss_ZFreeIf(fwObject);
+
+#ifdef DEBUG
+  (void)object_remove_pointer(fwObject);
+#endif /* DEBUG */
+
+  return;
+}
+
+/*
+ * nssCKFWObject_GetMDObject
+ *
+ */
+NSS_IMPLEMENT NSSCKMDObject *
+nssCKFWObject_GetMDObject
+(
+  NSSCKFWObject *fwObject
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
+    return (NSSCKMDObject *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwObject->mdObject;
+}
+
+/*
+ * nssCKFWObject_GetArena
+ *
+ */
+NSS_IMPLEMENT NSSArena *
+nssCKFWObject_GetArena
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+)
+{
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSArena *)NULL;
+  }
+
+  *pError = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != *pError ) {
+    return (NSSArena *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwObject->arena;
+}
+
+/*
+ * nssCKFWObject_SetHandle
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWObject_SetHandle
+(
+  NSSCKFWObject *fwObject,
+  CK_OBJECT_HANDLE hObject
+)
+{
+#ifdef NSSDEBUG
+  CK_RV error = CKR_OK;
+#endif /* NSSDEBUG */
+
+#ifdef NSSDEBUG
+  error = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  if( (CK_OBJECT_HANDLE)0 != fwObject->hObject ) {
+    return CKR_GENERAL_ERROR;
+  }
+
+  fwObject->hObject = hObject;
+
+  return CKR_OK;
+}
+
+/*
+ * nssCKFWObject_GetHandle
+ *
+ */
+NSS_IMPLEMENT CK_OBJECT_HANDLE
+nssCKFWObject_GetHandle
+(
+  NSSCKFWObject *fwObject
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
+    return (CK_OBJECT_HANDLE)0;
+  }
+#endif /* NSSDEBUG */
+
+  return fwObject->hObject;
+}
+
+/*
+ * nssCKFWObject_IsTokenObject
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWObject_IsTokenObject
+(
+  NSSCKFWObject *fwObject
+)
+{
+  CK_BBOOL b = CK_FALSE;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwObject->mdObject->IsTokenObject ) {
+    NSSItem item;
+    NSSItem *pItem;
+    CK_RV rv = CKR_OK;
+
+    item.data = (void *)&b;
+    item.size = sizeof(b);
+
+    pItem = nssCKFWObject_GetAttribute(fwObject, CKA_TOKEN, &item, 
+      (NSSArena *)NULL, &rv);
+    if( (NSSItem *)NULL == pItem ) {
+      /* Error of some type */
+      b = CK_FALSE;
+      goto done;
+    }
+
+    goto done;
+  }
+
+  b = fwObject->mdObject->IsTokenObject(fwObject->mdObject, fwObject, 
+    fwObject->mdSession, fwObject->fwSession, fwObject->mdToken,
+    fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance);
+
+ done:
+  return b;
+}
+
+/*
+ * nssCKFWObject_GetAttributeCount
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWObject_GetAttributeCount
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+)
+{
+  CK_ULONG rv;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (CK_ULONG)0;
+  }
+
+  *pError = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != *pError ) {
+    return (CK_ULONG)0;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwObject->mdObject->GetAttributeCount ) {
+    *pError = CKR_GENERAL_ERROR;
+    return (CK_ULONG)0;
+  }
+
+  *pError = nssCKFWMutex_Lock(fwObject->mutex);
+  if( CKR_OK != *pError ) {
+    return (CK_ULONG)0;
+  }
+
+  rv = fwObject->mdObject->GetAttributeCount(fwObject->mdObject, fwObject,
+    fwObject->mdSession, fwObject->fwSession, fwObject->mdToken, 
+    fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
+    pError);
+
+  (void)nssCKFWMutex_Unlock(fwObject->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWObject_GetAttributeTypes
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWObject_GetAttributeTypes
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (CK_ATTRIBUTE_TYPE_PTR)NULL == typeArray ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwObject->mdObject->GetAttributeTypes ) {
+    return CKR_GENERAL_ERROR;
+  }
+
+  error = nssCKFWMutex_Lock(fwObject->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  error = fwObject->mdObject->GetAttributeTypes(fwObject->mdObject, fwObject,
+    fwObject->mdSession, fwObject->fwSession, fwObject->mdToken, 
+    fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
+    typeArray, ulCount);
+
+  (void)nssCKFWMutex_Unlock(fwObject->mutex);
+  return error;
+}
+
+/*
+ * nssCKFWObject_GetAttributeSize
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWObject_GetAttributeSize
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+  CK_ULONG rv;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (CK_ULONG)0;
+  }
+
+  *pError = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != *pError ) {
+    return (CK_ULONG)0;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwObject->mdObject->GetAttributeSize ) {
+    *pError = CKR_GENERAL_ERROR;
+    return (CK_ULONG )0;
+  }
+
+  *pError = nssCKFWMutex_Lock(fwObject->mutex);
+  if( CKR_OK != *pError ) {
+    return (CK_ULONG)0;
+  }
+
+  rv = fwObject->mdObject->GetAttributeSize(fwObject->mdObject, fwObject,
+    fwObject->mdSession, fwObject->fwSession, fwObject->mdToken, 
+    fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
+    attribute, pError);
+
+  (void)nssCKFWMutex_Unlock(fwObject->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWObject_GetAttribute
+ *
+ * Usual NSS allocation rules:
+ * If itemOpt is not NULL, it will be returned; otherwise an NSSItem
+ * will be allocated.  If itemOpt is not NULL but itemOpt->data is,
+ * the buffer will be allocated; otherwise, the buffer will be used.
+ * Any allocations will come from the optional arena, if one is
+ * specified.
+ */
+NSS_IMPLEMENT NSSItem *
+nssCKFWObject_GetAttribute
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSItem *itemOpt,
+  NSSArena *arenaOpt,
+  CK_RV *pError
+)
+{
+  NSSItem *rv = (NSSItem *)NULL;
+  const NSSItem *mdItem;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSItem *)NULL;
+  }
+
+  *pError = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != *pError ) {
+    return (NSSItem *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwObject->mdObject->GetAttribute ) {
+    *pError = CKR_GENERAL_ERROR;
+    return (NSSItem *)NULL;
+  }
+
+  *pError = nssCKFWMutex_Lock(fwObject->mutex);
+  if( CKR_OK != *pError ) {
+    return (NSSItem *)NULL;
+  }
+
+  mdItem = fwObject->mdObject->GetAttribute(fwObject->mdObject, fwObject,
+    fwObject->mdSession, fwObject->fwSession, fwObject->mdToken, 
+    fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
+    attribute, pError);
+
+  if( (NSSItem *)NULL == mdItem ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+
+    goto done;
+  }
+
+  if( (NSSItem *)NULL == itemOpt ) {
+    rv = nss_ZNEW(arenaOpt, NSSItem);
+    if( (NSSItem *)NULL == rv ) {
+      *pError = CKR_HOST_MEMORY;
+      goto done;
+    }
+  } else {
+    rv = itemOpt;
+  }
+
+  if( (void *)NULL == rv->data ) {
+    rv->size = mdItem->size;
+    rv->data = nss_ZAlloc(arenaOpt, rv->size);
+    if( (void *)NULL == rv->data ) {
+      *pError = CKR_HOST_MEMORY;
+      if( (NSSItem *)NULL == itemOpt ) {
+        nss_ZFreeIf(rv);
+      }
+      rv = (NSSItem *)NULL;
+      goto done;
+    }
+  } else {
+    if( rv->size >= mdItem->size ) {
+      rv->size = mdItem->size;
+    } else {
+      *pError = CKR_BUFFER_TOO_SMALL;
+      /* Should we set rv->size to mdItem->size? */
+      /* rv can't have been allocated */
+      rv = (NSSItem *)NULL;
+      goto done;
+    }
+  }
+
+  (void)nsslibc_memcpy(rv->data, mdItem->data, rv->size);
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwObject->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWObject_SetAttribute
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWObject_SetAttribute
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSItem *value
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKA_TOKEN == attribute ) {
+    /*
+     * We're changing from a session object to a token object or 
+     * vice-versa.
+     */
+
+    CK_ATTRIBUTE a;
+    NSSCKFWObject *newFwObject;
+    NSSCKFWObject swab;
+
+    a.type = CKA_TOKEN;
+    a.pValue = value->data;
+    a.ulValueLen = value->size;
+
+    newFwObject = nssCKFWSession_CopyObject(fwObject->fwSession, fwObject,
+                    &a, 1, &error);
+    if( (NSSCKFWObject *)NULL == newFwObject ) {
+      if( CKR_OK == error ) {
+        error = CKR_GENERAL_ERROR;
+      }
+      return error;
+    }
+
+    /*
+     * Actually, I bet the locking is worse than this.. this part of
+     * the code could probably use some scrutiny and reworking.
+     */
+    error = nssCKFWMutex_Lock(fwObject->mutex);
+    if( CKR_OK != error ) {
+      nssCKFWObject_Destroy(newFwObject);
+      return error;
+    }
+
+    error = nssCKFWMutex_Lock(newFwObject->mutex);
+    if( CKR_OK != error ) {
+      nssCKFWMutex_Unlock(fwObject->mutex);
+      nssCKFWObject_Destroy(newFwObject);
+      return error;
+    }
+
+    /* 
+     * Now, we have our new object, but it has a new fwObject pointer,
+     * while we have to keep the existing one.  So quick swap the contents.
+     */
+    swab = *fwObject;
+    *fwObject = *newFwObject;
+    *newFwObject = swab;
+
+    /* But keep the mutexes the same */
+    swab.mutex = fwObject->mutex;
+    fwObject->mutex = newFwObject->mutex;
+    newFwObject->mutex = swab.mutex;
+
+    (void)nssCKFWMutex_Unlock(newFwObject->mutex);
+    (void)nssCKFWMutex_Unlock(fwObject->mutex);
+
+    /*
+     * Either remove or add this to the list of session objects
+     */
+
+    if( CK_FALSE == *(CK_BBOOL *)value->data ) {
+      /* 
+       * New one is a session object, except since we "stole" the fwObject, it's
+       * not in the list.  Add it.
+       */
+      nssCKFWSession_RegisterSessionObject(fwObject->fwSession, fwObject);
+    } else {
+      /*
+       * New one is a token object, except since we "stole" the fwObject, it's
+       * in the list.  Remove it.
+       */
+      nssCKFWSession_DeregisterSessionObject(fwObject->fwSession, fwObject);
+    }
+
+    /*
+     * Now delete the old object.  Remember the names have changed.
+     */
+    nssCKFWObject_Destroy(newFwObject);
+
+    return CKR_OK;
+  } else {
+    /*
+     * An "ordinary" change.
+     */
+    if( (void *)NULL == (void *)fwObject->mdObject->SetAttribute ) {
+      /* We could fake it with copying, like above.. later */
+      return CKR_ATTRIBUTE_READ_ONLY;
+    }
+
+    error = nssCKFWMutex_Lock(fwObject->mutex);
+    if( CKR_OK != error ) {
+      return error;
+    }
+
+    error = fwObject->mdObject->SetAttribute(fwObject->mdObject, fwObject,
+      fwObject->mdSession, fwObject->fwSession, fwObject->mdToken, 
+      fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
+      attribute, value);
+
+    (void)nssCKFWMutex_Unlock(fwObject->mutex);
+
+    return error;
+  }
+}
+
+/*
+ * nssCKFWObject_GetObjectSize
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWObject_GetObjectSize
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+)
+{
+  CK_ULONG rv;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (CK_ULONG)0;
+  }
+
+  *pError = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != *pError ) {
+    return (CK_ULONG)0;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwObject->mdObject->GetObjectSize ) {
+    *pError = CKR_INFORMATION_SENSITIVE;
+    return (CK_ULONG)0;
+  }
+
+  *pError = nssCKFWMutex_Lock(fwObject->mutex);
+  if( CKR_OK != *pError ) {
+    return (CK_ULONG)0;
+  }
+
+  rv = fwObject->mdObject->GetObjectSize(fwObject->mdObject, fwObject,
+    fwObject->mdSession, fwObject->fwSession, fwObject->mdToken, 
+    fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
+    pError);
+
+  (void)nssCKFWMutex_Unlock(fwObject->mutex);
+  return rv;
+}
+
+/*
+ * NSSCKFWObject_GetMDObject
+ *
+ */
+NSS_IMPLEMENT NSSCKMDObject *
+NSSCKFWObject_GetMDObject
+(
+  NSSCKFWObject *fwObject
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
+    return (NSSCKMDObject *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWObject_GetMDObject(fwObject);
+}
+
+/*
+ * NSSCKFWObject_GetArena
+ *
+ */
+NSS_IMPLEMENT NSSArena *
+NSSCKFWObject_GetArena
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+)
+{
+#ifdef DEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSArena *)NULL;
+  }
+
+  *pError = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != *pError ) {
+    return (NSSArena *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWObject_GetArena(fwObject, pError);
+}
+
+/*
+ * NSSCKFWObject_IsTokenObject
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+NSSCKFWObject_IsTokenObject
+(
+  NSSCKFWObject *fwObject
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
+    return CK_FALSE;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWObject_IsTokenObject(fwObject);
+}
+
+/*
+ * NSSCKFWObject_GetAttributeCount
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+NSSCKFWObject_GetAttributeCount
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+)
+{
+#ifdef DEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (CK_ULONG)0;
+  }
+
+  *pError = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != *pError ) {
+    return (CK_ULONG)0;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWObject_GetAttributeCount(fwObject, pError);
+}
+
+/*
+ * NSSCKFWObject_GetAttributeTypes
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWObject_GetAttributeTypes
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount
+)
+{
+#ifdef DEBUG
+  CK_RV error = CKR_OK;
+
+  error = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (CK_ATTRIBUTE_TYPE_PTR)NULL == typeArray ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWObject_GetAttributeTypes(fwObject, typeArray, ulCount);
+}
+
+/*
+ * NSSCKFWObject_GetAttributeSize
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+NSSCKFWObject_GetAttributeSize
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+#ifdef DEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (CK_ULONG)0;
+  }
+
+  *pError = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != *pError ) {
+    return (CK_ULONG)0;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWObject_GetAttributeSize(fwObject, attribute, pError);
+}
+
+/*
+ * NSSCKFWObject_GetAttribute
+ *
+ */
+NSS_IMPLEMENT NSSItem *
+NSSCKFWObject_GetAttribute
+(
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSItem *itemOpt,
+  NSSArena *arenaOpt,
+  CK_RV *pError
+)
+{
+#ifdef DEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSItem *)NULL;
+  }
+
+  *pError = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != *pError ) {
+    return (NSSItem *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWObject_GetAttribute(fwObject, attribute, itemOpt, arenaOpt, pError);
+}
+
+/*
+ * NSSCKFWObject_GetObjectSize
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+NSSCKFWObject_GetObjectSize
+(
+  NSSCKFWObject *fwObject,
+  CK_RV *pError
+)
+{
+#ifdef DEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (CK_ULONG)0;
+  }
+
+  *pError = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != *pError ) {
+    return (CK_ULONG)0;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWObject_GetObjectSize(fwObject, pError);
+}
diff --git a/security/nss/lib/ckfw/session.c b/security/nss/lib/ckfw/session.c
new file mode 100644
index 000000000..4e8fe2c18
--- /dev/null
+++ b/security/nss/lib/ckfw/session.c
@@ -0,0 +1,1962 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * session.c
+ *
+ * This file implements the NSSCKFWSession type and methods.
+ */
+
+#ifndef CK_T
+#include "ck.h"
+#endif /* CK_T */
+
+/*
+ * NSSCKFWSession
+ *
+ *  -- create/destroy --
+ *  nssCKFWSession_Create
+ *  nssCKFWSession_Destroy
+ *
+ *  -- public accessors --
+ *  NSSCKFWSession_GetMDSession
+ *  NSSCKFWSession_GetArena
+ *  NSSCKFWSession_CallNotification
+ *  NSSCKFWSession_IsRWSession
+ *  NSSCKFWSession_IsSO
+ *
+ *  -- implement public accessors --
+ *  nssCKFWSession_GetMDSession
+ *  nssCKFWSession_GetArena
+ *  nssCKFWSession_CallNotification
+ *  nssCKFWSession_IsRWSession
+ *  nssCKFWSession_IsSO
+ *
+ *  -- private accessors --
+ *  nssCKFWSession_GetSlot
+ *  nssCKFWSession_GetSessionState
+ *  nssCKFWSession_SetFWFindObjects
+ *  nssCKFWSession_GetFWFindObjects
+ *  nssCKFWSession_SetMDSession
+ *  nssCKFWSession_SetHandle
+ *  nssCKFWSession_GetHandle
+ *  nssCKFWSession_RegisterSessionObject
+ *  nssCKFWSession_DeegisterSessionObject
+ *
+ *  -- module fronts --
+ *  nssCKFWSession_GetDeviceError
+ *  nssCKFWSession_Login
+ *  nssCKFWSession_Logout
+ *  nssCKFWSession_InitPIN
+ *  nssCKFWSession_SetPIN
+ *  nssCKFWSession_GetOperationStateLen
+ *  nssCKFWSession_GetOperationState
+ *  nssCKFWSession_SetOperationState
+ *  nssCKFWSession_CreateObject
+ *  nssCKFWSession_CopyObject
+ *  nssCKFWSession_FindObjectsInit
+ *  nssCKFWSession_SeedRandom
+ *  nssCKFWSession_GetRandom
+ */
+
+struct NSSCKFWSessionStr {
+  NSSArena *arena;
+  NSSCKMDSession *mdSession;
+  NSSCKFWToken *fwToken;
+  NSSCKMDToken *mdToken;
+  NSSCKFWInstance *fwInstance;
+  NSSCKMDInstance *mdInstance;
+  CK_VOID_PTR pApplication;
+  CK_NOTIFY Notify;
+
+  /*
+   * Everything above is set at creation time, and then not modified.
+   * The items below are atomic.  No locking required.  If we fear
+   * about pointer-copies being nonatomic, we'll lock fwFindObjects.
+   */
+
+  CK_BBOOL rw;
+  NSSCKFWFindObjects *fwFindObjects;
+  nssCKFWHash *sessionObjectHash;
+  CK_SESSION_HANDLE hSession;
+};
+
+#ifdef DEBUG
+/*
+ * But first, the pointer-tracking stuff.
+ *
+ * NOTE: the pointer-tracking support in NSS/base currently relies
+ * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
+ * locking, which is tied into the runtime.  We need a pointer-tracker
+ * implementation that uses the locks supplied through C_Initialize.
+ * That support, however, can be filled in later.  So for now, I'll
+ * just do this routines as no-ops.
+ */
+
+static CK_RV
+session_add_pointer
+(
+  const NSSCKFWSession *fwSession
+)
+{
+  return CKR_OK;
+}
+
+static CK_RV
+session_remove_pointer
+(
+  const NSSCKFWSession *fwSession
+)
+{
+  return CKR_OK;
+}
+
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_verifyPointer
+(
+  const NSSCKFWSession *fwSession
+)
+{
+  return CKR_OK;
+}
+
+#endif /* DEBUG */
+
+/*
+ * nssCKFWSession_Create
+ *
+ */
+NSS_IMPLEMENT NSSCKFWSession *
+nssCKFWSession_Create
+(
+  NSSCKFWToken *fwToken,
+  CK_BBOOL rw,
+  CK_VOID_PTR pApplication,
+  CK_NOTIFY Notify,
+  CK_RV *pError
+)
+{
+  NSSArena *arena = (NSSArena *)NULL;
+  NSSCKFWSession *fwSession;
+  NSSCKFWSlot *fwSlot;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWSession *)NULL;
+  }
+
+  *pError = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWSession *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  arena = NSSArena_Create();
+  if( (NSSArena *)NULL == arena ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKFWSession *)NULL;
+  }
+
+  fwSession = nss_ZNEW(arena, NSSCKFWSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  fwSession->arena = arena;
+  fwSession->mdSession = (NSSCKMDSession *)NULL; /* set later */
+  fwSession->fwToken = fwToken;
+  fwSession->mdToken = nssCKFWToken_GetMDToken(fwToken);
+
+  fwSlot = nssCKFWToken_GetFWSlot(fwToken);
+  fwSession->fwInstance = nssCKFWSlot_GetFWInstance(fwSlot);
+  fwSession->mdInstance = nssCKFWSlot_GetMDInstance(fwSlot);
+
+  fwSession->rw = rw;
+  fwSession->pApplication = pApplication;
+  fwSession->Notify = Notify;
+
+  fwSession->fwFindObjects = (NSSCKFWFindObjects *)NULL;
+
+  fwSession->sessionObjectHash = nssCKFWHash_Create(fwSession->fwInstance, arena, pError);
+  if( (nssCKFWHash *)NULL == fwSession->sessionObjectHash ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    goto loser;
+  }
+
+#ifdef DEBUG
+  *pError = session_add_pointer(fwSession);
+  if( CKR_OK != *pError ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return fwSession;
+
+ loser:
+  if( (NSSArena *)NULL != arena ) {
+    if( (nssCKFWHash *)NULL != fwSession->sessionObjectHash ) {
+      (void)nssCKFWHash_Destroy(fwSession->sessionObjectHash);
+    }
+    NSSArena_Destroy(arena);
+  }
+
+  return (NSSCKFWSession *)NULL;
+}
+
+static void
+nss_ckfw_session_object_destroy_iterator
+(
+  const void *key,
+  void *value,
+  void *closure
+)
+{
+  NSSCKFWObject *fwObject = (NSSCKFWObject *)value;
+  nssCKFWObject_Finalize(fwObject);
+}
+
+/*
+ * nssCKFWSession_Destroy
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_Destroy
+(
+  NSSCKFWSession *fwSession,
+  CK_BBOOL removeFromTokenHash
+)
+{
+  CK_RV error = CKR_OK;
+  nssCKFWHash *sessionObjectHash;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  if( removeFromTokenHash ) {
+    error = nssCKFWToken_RemoveSession(fwSession->fwToken, fwSession);
+  }
+
+  /*
+   * Invalidate session objects
+   */
+
+  sessionObjectHash = fwSession->sessionObjectHash;
+  fwSession->sessionObjectHash = (nssCKFWHash *)NULL;
+
+  nssCKFWHash_Iterate(sessionObjectHash, 
+                      nss_ckfw_session_object_destroy_iterator, 
+                      (void *)NULL);
+
+#ifdef DEBUG
+  (void)session_remove_pointer(fwSession);
+#endif /* DEBUG */
+  (void)nssCKFWHash_Destroy(sessionObjectHash);
+  NSSArena_Destroy(fwSession->arena);
+
+  return error;
+}
+
+/*
+ * nssCKFWSession_GetMDSession
+ *
+ */
+NSS_IMPLEMENT NSSCKMDSession *
+nssCKFWSession_GetMDSession
+(
+  NSSCKFWSession *fwSession
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return (NSSCKMDSession *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwSession->mdSession;
+}
+
+/*
+ * nssCKFWSession_GetArena
+ *
+ */
+NSS_IMPLEMENT NSSArena *
+nssCKFWSession_GetArena
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+)
+{
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSArena *)NULL;
+  }
+
+  *pError = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != *pError ) {
+    return (NSSArena *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwSession->arena;
+}
+
+/*
+ * nssCKFWSession_CallNotification
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_CallNotification
+(
+  NSSCKFWSession *fwSession,
+  CK_NOTIFICATION event
+)
+{
+  CK_RV error = CKR_OK;
+  CK_SESSION_HANDLE handle;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  if( (CK_NOTIFY)NULL == fwSession->Notify ) {
+    return CKR_OK;
+  }
+
+  handle = nssCKFWInstance_FindSessionHandle(fwSession->fwInstance, fwSession);
+  if( (CK_SESSION_HANDLE)0 == handle ) {
+    return CKR_GENERAL_ERROR;
+  }
+
+  error = fwSession->Notify(handle, event, fwSession->pApplication);
+
+  return error;
+}
+
+/*
+ * nssCKFWSession_IsRWSession
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWSession_IsRWSession
+(
+  NSSCKFWSession *fwSession
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  return fwSession->rw;
+}
+
+/*
+ * nssCKFWSession_IsSO
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWSession_IsSO
+(
+  NSSCKFWSession *fwSession
+)
+{
+  CK_STATE state;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  state = nssCKFWToken_GetSessionState(fwSession->fwToken);
+  switch( state ) {
+  case CKS_RO_PUBLIC_SESSION:
+  case CKS_RO_USER_FUNCTIONS:
+  case CKS_RW_PUBLIC_SESSION:
+  case CKS_RW_USER_FUNCTIONS:
+    return CK_FALSE;
+  case CKS_RW_SO_FUNCTIONS:
+    return CK_TRUE;
+  default:
+    return CK_FALSE;
+  }
+}
+
+/*
+ * nssCKFWSession_GetFWSlot
+ *
+ */
+NSS_IMPLEMENT NSSCKFWSlot *
+nssCKFWSession_GetFWSlot
+(
+  NSSCKFWSession *fwSession
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return (NSSCKFWSlot *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return nssCKFWToken_GetFWSlot(fwSession->fwToken);
+}
+
+/*
+ * nssCFKWSession_GetSessionState
+ *
+ */
+NSS_IMPLEMENT CK_STATE
+nssCKFWSession_GetSessionState
+(
+  NSSCKFWSession *fwSession
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return CKS_RO_PUBLIC_SESSION; /* whatever */
+  }
+#endif /* NSSDEBUG */
+
+  return nssCKFWToken_GetSessionState(fwSession->fwToken);
+}
+
+/*
+ * nssCKFWSession_SetFWFindObjects
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_SetFWFindObjects
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWFindObjects *fwFindObjects
+)
+{
+#ifdef NSSDEBUG
+  CK_RV error = CKR_OK;
+#endif /* NSSDEBUG */
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  /* fwFindObjects may be null */
+#endif /* NSSDEBUG */
+
+  if( ((NSSCKFWFindObjects *)NULL != fwSession->fwFindObjects) &&
+      ((NSSCKFWFindObjects *)NULL != fwFindObjects) ) {
+    return CKR_OPERATION_ACTIVE;
+  }
+
+  fwSession->fwFindObjects = fwFindObjects;
+
+  return CKR_OK;
+}
+
+/*
+ * nssCKFWSession_GetFWFindObjects
+ *
+ */
+NSS_IMPLEMENT NSSCKFWFindObjects *
+nssCKFWSession_GetFWFindObjects
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+)
+{
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWFindObjects *)NULL;
+  }
+
+  *pError = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWFindObjects *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSCKFWFindObjects *)NULL == fwSession->fwFindObjects ) {
+    *pError = CKR_OPERATION_NOT_INITIALIZED;
+    return (NSSCKFWFindObjects *)NULL;
+  }
+
+  return fwSession->fwFindObjects;
+}
+
+/*
+ * nssCKFWSession_SetMDSession
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_SetMDSession
+(
+  NSSCKFWSession *fwSession,
+  NSSCKMDSession *mdSession
+)
+{
+#ifdef NSSDEBUG
+  CK_RV error = CKR_OK;
+#endif /* NSSDEBUG */
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSCKMDSession *)NULL == mdSession ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSCKMDSession *)NULL != fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+
+  fwSession->mdSession = mdSession;
+
+  return CKR_OK;
+}
+
+/*
+ * nssCKFWSession_SetHandle
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_SetHandle
+(
+  NSSCKFWSession *fwSession,
+  CK_SESSION_HANDLE hSession
+)
+{
+#ifdef NSSDEBUG
+  CK_RV error = CKR_OK;
+#endif /* NSSDEBUG */
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  if( (CK_SESSION_HANDLE)0 != fwSession->hSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+
+  fwSession->hSession = hSession;
+
+  return CKR_OK;
+}
+
+/*
+ * nssCKFWSession_GetHandle
+ *
+ */
+NSS_IMPLEMENT CK_SESSION_HANDLE
+nssCKFWSession_GetHandle
+(
+  NSSCKFWSession *fwSession
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwSession->hSession;
+}
+
+/*
+ * nssCKFWSession_RegisterSessionObject
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_RegisterSessionObject
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWObject *fwObject
+)
+{
+  CK_RV rv = CKR_OK;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  if( (nssCKFWHash *)NULL != fwSession->sessionObjectHash ) {
+    rv = nssCKFWHash_Add(fwSession->sessionObjectHash, fwObject, fwObject);
+  }
+
+  return rv;
+}
+
+/*
+ * nssCKFWSession_DeregisterSessionObject
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_DeregisterSessionObject
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWObject *fwObject
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  if( (nssCKFWHash *)NULL != fwSession->sessionObjectHash ) {
+    nssCKFWHash_Remove(fwSession->sessionObjectHash, fwObject);
+  }
+
+  return CKR_OK;
+}
+
+/*
+ * nssCKFWSession_GetDeviceError
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWSession_GetDeviceError
+(
+  NSSCKFWSession *fwSession
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return (CK_ULONG)0;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return (CK_ULONG)0;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwSession->mdSession->GetDeviceError ) {
+    return (CK_ULONG)0;
+  }
+
+  return fwSession->mdSession->GetDeviceError(fwSession->mdSession, 
+    fwSession, fwSession->mdToken, fwSession->fwToken, 
+    fwSession->mdInstance, fwSession->fwInstance);
+}
+
+/*
+ * nssCKFWSession_Login
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_Login
+(
+  NSSCKFWSession *fwSession,
+  CK_USER_TYPE userType,
+  NSSItem *pin
+)
+{
+  CK_RV error = CKR_OK;
+  CK_STATE oldState;
+  CK_STATE newState;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  switch( userType ) {
+  case CKU_SO:
+  case CKU_USER:
+    break;
+  default:
+    return CKR_USER_TYPE_INVALID;
+  }
+
+  if( (NSSItem *)NULL == pin ) {
+    if( CK_TRUE != nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken) ) {
+      return CKR_ARGUMENTS_BAD;
+    }
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  oldState = nssCKFWToken_GetSessionState(fwSession->fwToken);
+
+  /*
+   * It's not clear what happens when you're already logged in.
+   * I'll just fail; but if we decide to change, the logic is
+   * all right here.
+   */
+
+  if( CKU_SO == userType ) {
+    switch( oldState ) {
+    case CKS_RO_PUBLIC_SESSION:      
+      /*
+       * There's no such thing as a read-only security officer
+       * session, so fail.  The error should be CKR_SESSION_READ_ONLY,
+       * except that C_Login isn't defined to return that.  So we'll
+       * do CKR_SESSION_READ_ONLY_EXISTS, which is what is documented.
+       */
+      return CKR_SESSION_READ_ONLY_EXISTS;
+    case CKS_RO_USER_FUNCTIONS:
+      return CKR_USER_ANOTHER_ALREADY_LOGGED_IN;
+    case CKS_RW_PUBLIC_SESSION:
+      newState = CKS_RW_SO_FUNCTIONS;
+      break;
+    case CKS_RW_USER_FUNCTIONS:
+      return CKR_USER_ANOTHER_ALREADY_LOGGED_IN;
+    case CKS_RW_SO_FUNCTIONS:
+      return CKR_USER_ALREADY_LOGGED_IN;
+    default:
+      return CKR_GENERAL_ERROR;
+    }
+  } else /* CKU_USER == userType */ {
+    switch( oldState ) {
+    case CKS_RO_PUBLIC_SESSION:      
+      newState = CKS_RO_USER_FUNCTIONS;
+      break;
+    case CKS_RO_USER_FUNCTIONS:
+      return CKR_USER_ALREADY_LOGGED_IN;
+    case CKS_RW_PUBLIC_SESSION:
+      newState = CKS_RW_USER_FUNCTIONS;
+      break;
+    case CKS_RW_USER_FUNCTIONS:
+      return CKR_USER_ALREADY_LOGGED_IN;
+    case CKS_RW_SO_FUNCTIONS:
+      return CKR_USER_ANOTHER_ALREADY_LOGGED_IN;
+    default:
+      return CKR_GENERAL_ERROR;
+    }
+  }
+
+  /*
+   * So now we're in one of three cases:
+   *
+   * Old == CKS_RW_PUBLIC_SESSION, New == CKS_RW_SO_FUNCTIONS;
+   * Old == CKS_RW_PUBLIC_SESSION, New == CKS_RW_USER_FUNCTIONS;
+   * Old == CKS_RO_PUBLIC_SESSION, New == CKS_RO_USER_FUNCTIONS;
+   */
+
+  if( (void *)NULL == (void *)fwSession->mdSession->Login ) {
+    /*
+     * The Module doesn't want to be informed (or check the pin)
+     * it'll just rely on the Framework as needed.
+     */
+    ;
+  } else {
+    error = fwSession->mdSession->Login(fwSession->mdSession, fwSession,
+      fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
+      fwSession->fwInstance, userType, pin, oldState, newState);
+    if( CKR_OK != error ) {
+      return error;
+    }
+  }
+
+  (void)nssCKFWToken_SetSessionState(fwSession->fwToken, newState);
+  return CKR_OK;
+}
+
+/*
+ * nssCKFWSession_Logout
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_Logout
+(
+  NSSCKFWSession *fwSession
+)
+{
+  CK_RV error = CKR_OK;
+  CK_STATE oldState;
+  CK_STATE newState;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  oldState = nssCKFWToken_GetSessionState(fwSession->fwToken);
+
+  switch( oldState ) {
+  case CKS_RO_PUBLIC_SESSION:
+    return CKR_USER_NOT_LOGGED_IN;
+  case CKS_RO_USER_FUNCTIONS:
+    newState = CKS_RO_PUBLIC_SESSION;
+    break;
+  case CKS_RW_PUBLIC_SESSION:
+    return CKR_USER_NOT_LOGGED_IN;
+  case CKS_RW_USER_FUNCTIONS:
+    newState = CKS_RW_PUBLIC_SESSION;
+    break;
+  case CKS_RW_SO_FUNCTIONS:
+    newState = CKS_RW_PUBLIC_SESSION;
+    break;
+  default:
+    return CKR_GENERAL_ERROR;
+  }
+
+  /*
+   * So now we're in one of three cases:
+   *
+   * Old == CKS_RW_SO_FUNCTIONS,   New == CKS_RW_PUBLIC_SESSION;
+   * Old == CKS_RW_USER_FUNCTIONS, New == CKS_RW_PUBLIC_SESSION;
+   * Old == CKS_RO_USER_FUNCTIONS, New == CKS_RO_PUBLIC_SESSION;
+   */
+
+  if( (void *)NULL == (void *)fwSession->mdSession->Logout ) {
+    /*
+     * The Module doesn't want to be informed.  Okay.
+     */
+    ;
+  } else {
+    error = fwSession->mdSession->Logout(fwSession->mdSession, fwSession,
+      fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
+      fwSession->fwInstance, oldState, newState);
+    if( CKR_OK != error ) {
+      /*
+       * Now what?!  A failure really should end up with the Framework
+       * considering it logged out, right?
+       */
+      ;
+    }
+  }
+
+  (void)nssCKFWToken_SetSessionState(fwSession->fwToken, newState);
+  return error;
+}
+
+/*
+ * nssCKFWSession_InitPIN
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_InitPIN
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *pin
+)
+{
+  CK_RV error = CKR_OK;
+  CK_STATE state;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  state = nssCKFWToken_GetSessionState(fwSession->fwToken);
+  if( CKS_RW_SO_FUNCTIONS != state ) {
+    return CKR_USER_NOT_LOGGED_IN;
+  }
+
+  if( (NSSItem *)NULL == pin ) {
+    CK_BBOOL has = nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken);
+    if( CK_TRUE != has ) {
+      return CKR_ARGUMENTS_BAD;
+    }
+  }
+
+  if( (void *)NULL == (void *)fwSession->mdSession->InitPIN ) {
+    return CKR_TOKEN_WRITE_PROTECTED;
+  }
+
+  error = fwSession->mdSession->InitPIN(fwSession->mdSession, fwSession,
+    fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
+    fwSession->fwInstance, pin);
+
+  return error;
+}
+
+/*
+ * nssCKFWSession_SetPIN
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_SetPIN
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *newPin,
+  NSSItem *oldPin
+)
+{
+  CK_RV error = CKR_OK;
+  CK_STATE state;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  state = nssCKFWToken_GetSessionState(fwSession->fwToken);
+  if( (CKS_RW_SO_FUNCTIONS != state) &&
+      (CKS_RW_USER_FUNCTIONS != state) ) {
+    return CKR_USER_NOT_LOGGED_IN;
+  }
+
+  if( (NSSItem *)NULL == newPin ) {
+    CK_BBOOL has = nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken);
+    if( CK_TRUE != has ) {
+      return CKR_ARGUMENTS_BAD;
+    }
+  }
+
+  if( (NSSItem *)NULL == oldPin ) {
+    CK_BBOOL has = nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken);
+    if( CK_TRUE != has ) {
+      return CKR_ARGUMENTS_BAD;
+    }
+  }
+
+  if( (void *)NULL == (void *)fwSession->mdSession->SetPIN ) {
+    return CKR_TOKEN_WRITE_PROTECTED;
+  }
+
+  error = fwSession->mdSession->SetPIN(fwSession->mdSession, fwSession,
+    fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
+    fwSession->fwInstance, newPin, oldPin);
+
+  return error;
+}
+
+/*
+ * nssCKFWSession_GetOperationStateLen
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWSession_GetOperationStateLen
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+)
+{
+  CK_ULONG mdAmt;
+  CK_ULONG fwAmt;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (CK_ULONG)0;
+  }
+
+  *pError = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != *pError ) {
+    return (CK_ULONG)0;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    *pError = CKR_GENERAL_ERROR;
+    return (CK_ULONG)0;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwSession->mdSession->GetOperationStateLen ) {
+    *pError = CKR_STATE_UNSAVEABLE;
+  }
+
+  /*
+   * We could check that the session is actually in some state..
+   */
+
+  mdAmt = fwSession->mdSession->GetOperationStateLen(fwSession->mdSession,
+    fwSession, fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
+    fwSession->fwInstance, pError);
+
+  if( ((CK_ULONG)0 == mdAmt) && (CKR_OK != *pError) ) {
+    return (CK_ULONG)0;
+  }
+
+  /*
+   * Add a bit of sanity-checking
+   */
+  fwAmt = mdAmt + 2*sizeof(CK_ULONG);
+
+  return fwAmt;
+}
+
+/*
+ * nssCKFWSession_GetOperationState
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_GetOperationState
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *buffer
+)
+{
+  CK_RV error = CKR_OK;
+  CK_ULONG fwAmt;
+  CK_ULONG *ulBuffer;
+  NSSItem i2;
+  CK_ULONG n, i;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSItem *)NULL == buffer ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  if( (void *)NULL == buffer->data ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwSession->mdSession->GetOperationState ) {
+    return CKR_STATE_UNSAVEABLE;
+  }
+
+  /*
+   * Sanity-check the caller's buffer.
+   */
+
+  error = CKR_OK;
+  fwAmt = nssCKFWSession_GetOperationStateLen(fwSession, &error);
+  if( ((CK_ULONG)0 == fwAmt) && (CKR_OK != error) ) {
+    return error;
+  }
+
+  if( buffer->size < fwAmt ) {
+    return CKR_BUFFER_TOO_SMALL;
+  }
+
+  ulBuffer = (CK_ULONG *)buffer->data;
+
+  i2.size = buffer->size - 2*sizeof(CK_ULONG);
+  i2.data = (void *)&ulBuffer[2];
+
+  error = fwSession->mdSession->GetOperationState(fwSession->mdSession,
+    fwSession, fwSession->mdToken, fwSession->fwToken, 
+    fwSession->mdInstance, fwSession->fwInstance, &i2);
+
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  /*
+   * Add a little integrety/identity check.  
+   * NOTE: right now, it's pretty stupid.  
+   * A CRC or something would be better.
+   */
+
+  ulBuffer[0] = 0x434b4657; /* CKFW */
+  ulBuffer[1] = 0;
+  n = i2.size/sizeof(CK_ULONG);
+  for( i = 0; i < n; i++ ) {
+    ulBuffer[1] ^= ulBuffer[2+i];
+  }
+
+  return CKR_OK;
+}
+
+/*
+ * nssCKFWSession_SetOperationState
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_SetOperationState
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *state,
+  NSSCKFWObject *encryptionKey,
+  NSSCKFWObject *authenticationKey
+)
+{
+  CK_RV error = CKR_OK;
+  CK_ULONG *ulBuffer;
+  CK_ULONG n, i;
+  CK_ULONG x;
+  NSSItem s;
+  NSSCKMDObject *mdek;
+  NSSCKMDObject *mdak;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSItem *)NULL == state ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  if( (void *)NULL == state->data ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  if( (NSSCKFWObject *)NULL != encryptionKey ) {
+    error = nssCKFWObject_verifyPointer(encryptionKey);
+    if( CKR_OK != error ) {
+      return error;
+    }
+  }
+
+  if( (NSSCKFWObject *)NULL != authenticationKey ) {
+    error = nssCKFWObject_verifyPointer(authenticationKey);
+    if( CKR_OK != error ) {
+      return error;
+    }
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  ulBuffer = (CK_ULONG *)state->data;
+  if( 0x43b4657 != ulBuffer[0] ) {
+    return CKR_SAVED_STATE_INVALID;
+  }
+  n = (state->size / sizeof(CK_ULONG)) - 2;
+  x = (CK_ULONG)0;
+  for( i = 0; i < n; i++ ) {
+    x ^= ulBuffer[2+i];
+  }
+
+  if( x != ulBuffer[1] ) {
+    return CKR_SAVED_STATE_INVALID;
+  }
+
+  if( (void *)NULL == (void *)fwSession->mdSession->SetOperationState ) {
+    return CKR_GENERAL_ERROR;
+  }
+
+  s.size = state->size - 2*sizeof(CK_ULONG);
+  s.data = (void *)&ulBuffer[2];
+
+  if( (NSSCKFWObject *)NULL != encryptionKey ) {
+    mdek = nssCKFWObject_GetMDObject(encryptionKey);
+  } else {
+    mdek = (NSSCKMDObject *)NULL;
+  }
+
+  if( (NSSCKFWObject *)NULL != authenticationKey ) {
+    mdak = nssCKFWObject_GetMDObject(authenticationKey);
+  } else {
+    mdak = (NSSCKMDObject *)NULL;
+  }
+
+  error = fwSession->mdSession->SetOperationState(fwSession->mdSession, 
+    fwSession, fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
+    fwSession->fwInstance, &s, mdek, encryptionKey, mdak, authenticationKey);
+
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  /*
+   * Here'd we restore any session data
+   */
+  
+  return CKR_OK;
+}
+
+static CK_BBOOL
+nss_attributes_form_token_object
+(
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount
+)
+{
+  CK_ULONG i;
+  CK_BBOOL rv;
+
+  for( i = 0; i < ulAttributeCount; i++ ) {
+    if( CKA_TOKEN == pTemplate[i].type ) {
+      /* If we sanity-check, we can remove this sizeof check */
+      if( sizeof(CK_BBOOL) == pTemplate[i].ulValueLen ) {
+        (void)nsslibc_memcpy(&rv, pTemplate[i].pValue, sizeof(CK_BBOOL));
+        return rv;
+      } else {
+        return CK_FALSE;
+      }
+    }
+  }
+
+  return CK_FALSE;
+}
+
+/*
+ * nssCKFWSession_CreateObject
+ *
+ */
+NSS_IMPLEMENT NSSCKFWObject *
+nssCKFWSession_CreateObject
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  NSSArena *arena;
+  NSSCKMDObject *mdObject;
+  NSSCKFWObject *fwObject;
+  CK_BBOOL isTokenObject;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  *pError = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != pError ) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  if( (CK_ATTRIBUTE_PTR)NULL == pTemplate ) {
+    *pError = CKR_ARGUMENTS_BAD;
+    return (NSSCKFWObject *)NULL;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    *pError = CKR_GENERAL_ERROR;
+    return (NSSCKFWObject *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  /*
+   * Here would be an excellent place to sanity-check the object.
+   */
+
+  isTokenObject = nss_attributes_form_token_object(pTemplate, ulAttributeCount);
+  if( CK_TRUE == isTokenObject ) {
+    /* === TOKEN OBJECT === */
+
+    if( (void *)NULL == (void *)fwSession->mdSession->CreateObject ) {
+      *pError = CKR_TOKEN_WRITE_PROTECTED;
+      return (NSSCKFWObject *)NULL;
+    }
+
+    arena = nssCKFWToken_GetArena(fwSession->fwToken, pError);
+    if( (NSSArena *)NULL == arena ) {
+      if( CKR_OK == *pError ) {
+        *pError = CKR_GENERAL_ERROR;
+      }
+      return (NSSCKFWObject *)NULL;
+    }
+
+    goto callmdcreateobject;
+  } else {
+    /* === SESSION OBJECT === */
+
+    arena = nssCKFWSession_GetArena(fwSession, pError);
+    if( (NSSArena *)NULL == arena ) {
+      if( CKR_OK == *pError ) {
+        *pError = CKR_GENERAL_ERROR;
+      }
+      return (NSSCKFWObject *)NULL;
+    }
+
+    if( CK_TRUE == nssCKFWInstance_GetModuleHandlesSessionObjects(
+                     fwSession->fwInstance) ) {
+      /* --- module handles the session object -- */
+
+      if( (void *)NULL == (void *)fwSession->mdSession->CreateObject ) {
+        *pError = CKR_GENERAL_ERROR;
+        return (NSSCKFWObject *)NULL;
+      }
+      
+      goto callmdcreateobject;
+    } else {
+      /* --- framework handles the session object -- */
+      mdObject = nssCKMDSessionObject_Create(fwSession->fwToken, 
+        arena, pTemplate, ulAttributeCount, pError);
+      goto gotmdobject;
+    }
+  }
+
+ callmdcreateobject:
+  mdObject = fwSession->mdSession->CreateObject(fwSession->mdSession,
+    fwSession, fwSession->mdToken, fwSession->fwToken,
+    fwSession->mdInstance, fwSession->fwInstance, arena, pTemplate,
+    ulAttributeCount, pError);
+
+ gotmdobject:
+  if( (NSSCKMDObject *)NULL == mdObject ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    return (NSSCKFWObject *)NULL;
+  }
+
+  fwObject = nssCKFWObject_Create(arena, mdObject, fwSession, 
+    fwSession->fwToken, fwSession->fwInstance, pError);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    
+    if( (void *)NULL != (void *)mdObject->Destroy ) {
+      (void)mdObject->Destroy(mdObject, (NSSCKFWObject *)NULL,
+        fwSession->mdSession, fwSession, fwSession->mdToken,
+        fwSession->fwToken, fwSession->mdInstance, fwSession->fwInstance);
+    }
+    
+    return (NSSCKFWObject *)NULL;
+  }
+
+  if( CK_FALSE == isTokenObject ) {
+    if( CK_FALSE == nssCKFWHash_Exists(fwSession->sessionObjectHash, fwObject) ) {
+      *pError = nssCKFWHash_Add(fwSession->sessionObjectHash, fwObject, fwObject);
+      if( CKR_OK != *pError ) {
+        nssCKFWObject_Finalize(fwObject);
+        return (NSSCKFWObject *)NULL;
+      }
+    }
+  }
+  
+  return fwObject;
+}
+
+/*
+ * nssCKFWSession_CopyObject
+ *
+ */
+NSS_IMPLEMENT NSSCKFWObject *
+nssCKFWSession_CopyObject
+(
+  NSSCKFWSession *fwSession,
+  NSSCKFWObject *fwObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  CK_BBOOL oldIsToken;
+  CK_BBOOL newIsToken;
+  CK_ULONG i;
+  NSSCKFWObject *rv;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  *pError = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  *pError = nssCKFWObject_verifyPointer(fwObject);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWObject *)NULL;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    *pError = CKR_GENERAL_ERROR;
+    return (NSSCKFWObject *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  /*
+   * Sanity-check object
+   */
+
+  oldIsToken = nssCKFWObject_IsTokenObject(fwObject);
+
+  newIsToken = oldIsToken;
+  for( i = 0; i < ulAttributeCount; i++ ) {
+    if( CKA_TOKEN == pTemplate[i].type ) {
+      /* Since we sanity-checked the object, we know this is the right size. */
+      (void)nsslibc_memcpy(&newIsToken, pTemplate[i].pValue, sizeof(CK_BBOOL));
+      break;
+    }
+  }
+
+  /*
+   * If the Module handles its session objects, or if both the new
+   * and old object are token objects, use CopyObject if it exists.
+   */
+
+  if( ((void *)NULL != (void *)fwSession->mdSession->CopyObject) &&
+      (((CK_TRUE == oldIsToken) && (CK_TRUE == newIsToken)) ||
+       (CK_TRUE == nssCKFWInstance_GetModuleHandlesSessionObjects(
+                     fwSession->fwInstance))) ) {
+    /* use copy object */
+    NSSArena *arena;
+    NSSCKMDObject *mdOldObject;
+    NSSCKMDObject *mdObject;
+
+    mdOldObject = nssCKFWObject_GetMDObject(fwObject);
+
+    if( CK_TRUE == newIsToken ) {
+      arena = nssCKFWToken_GetArena(fwSession->fwToken, pError);
+    } else {
+      arena = nssCKFWSession_GetArena(fwSession, pError);
+    }
+    if( (NSSArena *)NULL == arena ) {
+      if( CKR_OK == *pError ) {
+        *pError = CKR_GENERAL_ERROR;
+      }
+      return (NSSCKFWObject *)NULL;
+    }
+
+    mdObject = fwSession->mdSession->CopyObject(fwSession->mdSession,
+      fwSession, fwSession->mdToken, fwSession->fwToken,
+      fwSession->mdInstance, fwSession->fwInstance, mdOldObject,
+      fwObject, arena, pTemplate, ulAttributeCount, pError);
+    if( (NSSCKMDObject *)NULL == mdObject ) {
+      if( CKR_OK == *pError ) {
+        *pError = CKR_GENERAL_ERROR;
+      }
+      return (NSSCKFWObject *)NULL;
+    }
+
+    rv = nssCKFWObject_Create(arena, mdObject, fwSession,
+      fwSession->fwToken, fwSession->fwInstance, pError);
+    if( (NSSCKFWObject *)NULL == fwObject ) {
+      if( CKR_OK == *pError ) {
+        *pError = CKR_GENERAL_ERROR;
+      }
+
+      if( (void *)NULL != (void *)mdObject->Destroy ) {
+        (void)mdObject->Destroy(mdObject, (NSSCKFWObject *)NULL,
+          fwSession->mdSession, fwSession, fwSession->mdToken,
+          fwSession->fwToken, fwSession->mdInstance, fwSession->fwInstance);
+      }
+    
+      return (NSSCKFWObject *)NULL;
+    }
+
+    if( CK_FALSE == newIsToken ) {
+      if( CK_FALSE == nssCKFWHash_Exists(fwSession->sessionObjectHash, rv) ) {
+        *pError = nssCKFWHash_Add(fwSession->sessionObjectHash, rv, rv);
+        if( CKR_OK != *pError ) {
+          nssCKFWObject_Finalize(rv);
+          return (NSSCKFWObject *)NULL;
+        }
+      }
+    }
+
+    return rv;
+  } else {
+    /* use create object */
+    NSSArena *tmpArena;
+    CK_ATTRIBUTE_PTR newTemplate;
+    CK_ULONG i, j, n, newLength, k;
+    CK_ATTRIBUTE_TYPE_PTR oldTypes;
+    NSSCKFWObject *rv;
+    
+    tmpArena = NSSArena_Create();
+    if( (NSSArena *)NULL == tmpArena ) {
+      *pError = CKR_HOST_MEMORY;
+      return (NSSCKFWObject *)NULL;
+    }
+
+    n = nssCKFWObject_GetAttributeCount(fwObject, pError);
+    if( (0 == n) && (CKR_OK != *pError) ) {
+      return (NSSCKFWObject *)NULL;
+    }
+
+    oldTypes = nss_ZNEWARRAY(tmpArena, CK_ATTRIBUTE_TYPE, n);
+    if( (CK_ATTRIBUTE_TYPE_PTR)NULL == oldTypes ) {
+      NSSArena_Destroy(tmpArena);
+      *pError = CKR_HOST_MEMORY;
+      return (NSSCKFWObject *)NULL;
+    }
+
+    *pError = nssCKFWObject_GetAttributeTypes(fwObject, oldTypes, n);
+    if( CKR_OK != *pError ) {
+      NSSArena_Destroy(tmpArena);
+      return (NSSCKFWObject *)NULL;
+    }
+
+    newLength = n;
+    for( i = 0; i < ulAttributeCount; i++ ) {
+      for( j = 0; j < n; j++ ) {
+        if( oldTypes[j] == pTemplate[i].type ) {
+          if( (CK_VOID_PTR)NULL == pTemplate[i].pValue ) {
+            /* Removing the attribute */
+            newLength--;
+          }
+          break;
+        }
+      }
+      if( j == n ) {
+        /* Not found */
+        newLength++;
+      }
+    }
+
+    newTemplate = nss_ZNEWARRAY(tmpArena, CK_ATTRIBUTE, newLength);
+    if( (CK_ATTRIBUTE_PTR)NULL == newTemplate ) {
+      NSSArena_Destroy(tmpArena);
+      *pError = CKR_HOST_MEMORY;
+      return (NSSCKFWObject *)NULL;
+    }
+
+    k = 0;
+    for( j = 0; j < n; j++ ) {
+      for( i = 0; i < ulAttributeCount; i++ ) {
+        if( oldTypes[j] == pTemplate[i].type ) {
+          if( (CK_VOID_PTR)NULL == pTemplate[i].pValue ) {
+            /* This attribute is being deleted */
+            ;
+          } else {
+            /* This attribute is being replaced */
+            newTemplate[k].type = pTemplate[i].type;
+            newTemplate[k].pValue = pTemplate[i].pValue;
+            newTemplate[k].ulValueLen = pTemplate[i].ulValueLen;
+            k++;
+          }
+          break;
+        }
+      }
+      if( i == ulAttributeCount ) {
+        /* This attribute is being copied over from the old object */
+        NSSItem item, *it;
+        item.size = 0;
+        item.data = (void *)NULL;
+        it = nssCKFWObject_GetAttribute(fwObject, oldTypes[j],
+          &item, tmpArena, pError);
+        if( (NSSItem *)NULL == it ) {
+          if( CKR_OK == *pError ) {
+            *pError = CKR_GENERAL_ERROR;
+          }
+          NSSArena_Destroy(tmpArena);
+          return (NSSCKFWObject *)NULL;
+        }
+        newTemplate[k].type = oldTypes[j];
+        newTemplate[k].pValue = it->data;
+        newTemplate[k].ulValueLen = it->size;
+        k++;
+      }
+    }
+    /* assert that k == newLength */
+
+    rv = nssCKFWSession_CreateObject(fwSession, newTemplate, newLength, pError);
+    if( (NSSCKFWObject *)NULL == rv ) {
+      if( CKR_OK == *pError ) {
+        *pError = CKR_GENERAL_ERROR;
+      }
+      NSSArena_Destroy(tmpArena);
+      return (NSSCKFWObject *)NULL;
+    }
+
+    NSSArena_Destroy(tmpArena);
+    return rv;
+  }
+}
+
+/*
+ * nssCKFWSession_FindObjectsInit
+ *
+ */
+NSS_IMPLEMENT NSSCKFWFindObjects *
+nssCKFWSession_FindObjectsInit
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  NSSCKMDFindObjects *mdfo1 = (NSSCKMDFindObjects *)NULL;
+  NSSCKMDFindObjects *mdfo2 = (NSSCKMDFindObjects *)NULL;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWFindObjects *)NULL;
+  }
+
+  *pError = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWFindObjects *)NULL;
+  }
+
+  if( ((CK_ATTRIBUTE_PTR)NULL == pTemplate) && (ulAttributeCount != 0) ) {
+    *pError = CKR_ARGUMENTS_BAD;
+    return (NSSCKFWFindObjects *)NULL;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    *pError = CKR_GENERAL_ERROR;
+    return (NSSCKFWFindObjects *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( CK_TRUE != nssCKFWInstance_GetModuleHandlesSessionObjects(
+                   fwSession->fwInstance) ) {
+    CK_ULONG i;
+
+    /*
+     * Does the search criteria restrict us to token or session
+     * objects?
+     */
+
+    for( i = 0; i < ulAttributeCount; i++ ) {
+      if( CKA_TOKEN == pTemplate[i].type ) {
+        /* Yes, it does. */
+        CK_BBOOL isToken;
+        if( sizeof(CK_BBOOL) != pTemplate[i].ulValueLen ) {
+          *pError = CKR_ATTRIBUTE_VALUE_INVALID;
+          return (NSSCKFWFindObjects *)NULL;
+        }
+        (void)nsslibc_memcpy(&isToken, pTemplate[i].pValue, sizeof(CK_BBOOL));
+
+        if( CK_TRUE == isToken ) {
+          /* Pass it on to the module's search routine */
+          if( (void *)NULL == (void *)fwSession->mdSession->FindObjectsInit ) {
+            goto wrap;
+          }
+
+          mdfo1 = fwSession->mdSession->FindObjectsInit(fwSession->mdSession,
+                    fwSession, fwSession->mdToken, fwSession->fwToken,
+                    fwSession->mdInstance, fwSession->fwInstance, 
+                    pTemplate, ulAttributeCount, pError);
+        } else {
+          /* Do the search ourselves */
+          mdfo1 = nssCKMDFindSessionObjects_Create(fwSession->fwToken, 
+                    pTemplate, ulAttributeCount, pError);
+        }
+
+        if( (NSSCKMDFindObjects *)NULL == mdfo1 ) {
+          if( CKR_OK == *pError ) {
+            *pError = CKR_GENERAL_ERROR;
+          }
+          return (NSSCKFWFindObjects *)NULL;
+        }
+        
+        goto wrap;
+      }
+    }
+
+    if( i == ulAttributeCount ) {
+      /* No, it doesn't.  Do a hybrid search. */
+      mdfo1 = fwSession->mdSession->FindObjectsInit(fwSession->mdSession,
+                fwSession, fwSession->mdToken, fwSession->fwToken,
+                fwSession->mdInstance, fwSession->fwInstance, 
+                pTemplate, ulAttributeCount, pError);
+
+      if( (NSSCKMDFindObjects *)NULL == mdfo1 ) {
+        if( CKR_OK == *pError ) {
+          *pError = CKR_GENERAL_ERROR;
+        }
+        return (NSSCKFWFindObjects *)NULL;
+      }
+
+      mdfo2 = nssCKMDFindSessionObjects_Create(fwSession->fwToken,
+                pTemplate, ulAttributeCount, pError);
+      if( (NSSCKMDFindObjects *)NULL == mdfo2 ) {
+        if( CKR_OK == *pError ) {
+          *pError = CKR_GENERAL_ERROR;
+        }
+        if( (void *)NULL != (void *)mdfo1->Final ) {
+          mdfo1->Final(mdfo1, (NSSCKFWFindObjects *)NULL, fwSession->mdSession,
+            fwSession, fwSession->mdToken, fwSession->fwToken, 
+            fwSession->mdInstance, fwSession->fwInstance);
+        }
+        return (NSSCKFWFindObjects *)NULL;
+      }
+
+      goto wrap;
+    }
+    /*NOTREACHED*/
+  } else {
+    /* Module handles all its own objects.  Pass on to module's search */
+    mdfo1 = fwSession->mdSession->FindObjectsInit(fwSession->mdSession,
+              fwSession, fwSession->mdToken, fwSession->fwToken,
+              fwSession->mdInstance, fwSession->fwInstance, 
+              pTemplate, ulAttributeCount, pError);
+
+    if( (NSSCKMDFindObjects *)NULL == mdfo1 ) {
+      if( CKR_OK == *pError ) {
+        *pError = CKR_GENERAL_ERROR;
+      }
+      return (NSSCKFWFindObjects *)NULL;
+    }
+
+    goto wrap;
+  }
+
+ wrap:
+  return nssCKFWFindObjects_Create(fwSession, fwSession->fwToken,
+           fwSession->fwInstance, mdfo1, mdfo2, pError);
+}
+
+/*
+ * nssCKFWSession_SeedRandom
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_SeedRandom
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *seed
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSItem *)NULL == seed ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  if( (void *)NULL == seed->data ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  if( 0 == seed->size ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwSession->mdSession->SeedRandom ) {
+    return CKR_RANDOM_SEED_NOT_SUPPORTED;
+  }
+
+  error = fwSession->mdSession->SeedRandom(fwSession->mdSession, fwSession,
+    fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
+    fwSession->fwInstance, seed);
+
+  return error;
+}
+
+/*
+ * nssCKFWSession_GetRandom
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSession_GetRandom
+(
+  NSSCKFWSession *fwSession,
+  NSSItem *buffer
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSItem *)NULL == buffer ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  if( (void *)NULL == buffer->data ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+    return CKR_GENERAL_ERROR;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwSession->mdSession->GetRandom ) {
+    if( CK_TRUE == nssCKFWToken_GetHasRNG(fwSession->fwToken) ) {
+      return CKR_GENERAL_ERROR;
+    } else {
+      return CKR_RANDOM_NO_RNG;
+    }
+  }
+
+  if( 0 == buffer->size ) {
+    return CKR_OK;
+  }
+
+  error = fwSession->mdSession->GetRandom(fwSession->mdSession, fwSession,
+    fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
+    fwSession->fwInstance, buffer);
+
+  return error;
+}
+
+/*
+ * NSSCKFWSession_GetMDSession
+ *
+ */
+
+NSS_IMPLEMENT NSSCKMDSession *
+NSSCKFWSession_GetMDSession
+(
+  NSSCKFWSession *fwSession
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return (NSSCKMDSession *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWSession_GetMDSession(fwSession);
+}
+
+/*
+ * NSSCKFWSession_GetArena
+ *
+ */
+
+NSS_IMPLEMENT NSSArena *
+NSSCKFWSession_GetArena
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+)
+{
+#ifdef DEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSArena *)NULL;
+  }
+
+  *pError = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != *pError ) {
+    return (NSSArena *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWSession_GetArena(fwSession, pError);
+}
+
+/*
+ * NSSCKFWSession_CallNotification
+ *
+ */
+
+NSS_IMPLEMENT CK_RV
+NSSCKFWSession_CallNotification
+(
+  NSSCKFWSession *fwSession,
+  CK_NOTIFICATION event
+)
+{
+#ifdef DEBUG
+  CK_RV error = CKR_OK;
+
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWSession_CallNotification(fwSession, event);
+}
+
+/*
+ * NSSCKFWSession_IsRWSession
+ *
+ */
+
+NSS_IMPLEMENT CK_BBOOL
+NSSCKFWSession_IsRWSession
+(
+  NSSCKFWSession *fwSession
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return CK_FALSE;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWSession_IsRWSession(fwSession);
+}
+
+/*
+ * NSSCKFWSession_IsSO
+ *
+ */
+
+NSS_IMPLEMENT CK_BBOOL
+NSSCKFWSession_IsSO
+(
+  NSSCKFWSession *fwSession
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
+    return CK_FALSE;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWSession_IsSO(fwSession);
+}
diff --git a/security/nss/lib/ckfw/sessobj.c b/security/nss/lib/ckfw/sessobj.c
new file mode 100644
index 000000000..11de006ba
--- /dev/null
+++ b/security/nss/lib/ckfw/sessobj.c
@@ -0,0 +1,1095 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * sessobj.c
+ *
+ * This file contains an NSSCKMDObject implementation for session 
+ * objects.  The framework uses this implementation to manage
+ * session objects when a Module doesn't wish to be bothered.
+ */
+
+#ifndef CK_T
+#include "ck.h"
+#endif /* CK_T */
+
+/*
+ * nssCKMDSessionObject
+ *
+ *  -- create --
+ *  nssCKMDSessionObject_Create
+ *
+ *  -- EPV calls --
+ *  nss_ckmdSessionObject_Finalize
+ *  nss_ckmdSessionObject_IsTokenObject
+ *  nss_ckmdSessionObject_GetAttributeCount
+ *  nss_ckmdSessionObject_GetAttributeTypes
+ *  nss_ckmdSessionObject_GetAttributeSize
+ *  nss_ckmdSessionObject_GetAttribute
+ *  nss_ckmdSessionObject_SetAttribute
+ *  nss_ckmdSessionObject_GetObjectSize
+ */
+
+struct nssCKMDSessionObjectStr {
+  CK_ULONG n;
+  NSSArena *arena;
+  NSSItem *attributes;
+  CK_ATTRIBUTE_TYPE_PTR types;
+  nssCKFWHash *hash;
+};
+typedef struct nssCKMDSessionObjectStr nssCKMDSessionObject;
+
+#ifdef DEBUG
+/*
+ * But first, the pointer-tracking stuff.
+ *
+ * NOTE: the pointer-tracking support in NSS/base currently relies
+ * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
+ * locking, which is tied into the runtime.  We need a pointer-tracker
+ * implementation that uses the locks supplied through C_Initialize.
+ * That support, however, can be filled in later.  So for now, I'll
+ * just do this routines as no-ops.
+ */
+
+static CK_RV
+nss_ckmdSessionObject_add_pointer
+(
+  const NSSCKMDObject *mdObject
+)
+{
+  return CKR_OK;
+}
+
+static CK_RV
+nss_ckmdSessionObject_remove_pointer
+(
+  const NSSCKMDObject *mdObject
+)
+{
+  return CKR_OK;
+}
+
+#ifdef NSS_DEBUG
+static CK_RV
+nss_ckmdSessionObject_verifyPointer
+(
+  const NSSCKMDObject *mdObject
+)
+{
+  return CKR_OK;
+}
+#endif
+
+#endif /* DEBUG */
+
+/*
+ * We must forward-declare these routines
+ */
+static void
+nss_ckmdSessionObject_Finalize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+);
+
+static CK_RV
+nss_ckmdSessionObject_Destroy
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+);
+
+static CK_BBOOL
+nss_ckmdSessionObject_IsTokenObject
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+);
+
+static CK_ULONG
+nss_ckmdSessionObject_GetAttributeCount
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+);
+
+static CK_RV
+nss_ckmdSessionObject_GetAttributeTypes
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount
+);
+
+static CK_ULONG
+nss_ckmdSessionObject_GetAttributeSize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+);
+
+static const NSSItem *
+nss_ckmdSessionObject_GetAttribute
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+);
+
+static CK_RV
+nss_ckmdSessionObject_SetAttribute
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSItem *value
+);
+
+static CK_ULONG
+nss_ckmdSessionObject_GetObjectSize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+);
+
+/*
+ * nssCKMDSessionObject_Create
+ *
+ */
+NSS_IMPLEMENT NSSCKMDObject *
+nssCKMDSessionObject_Create
+(
+  NSSCKFWToken *fwToken,
+  NSSArena *arena,
+  CK_ATTRIBUTE_PTR attributes,
+  CK_ULONG ulCount,
+  CK_RV *pError
+)
+{
+  NSSCKMDObject *mdObject = (NSSCKMDObject *)NULL;
+  nssCKMDSessionObject *mdso = (nssCKMDSessionObject *)NULL;
+  CK_ULONG i;
+  nssCKFWHash *hash;
+
+  mdso = nss_ZNEW(arena, nssCKMDSessionObject);
+  if( (nssCKMDSessionObject *)NULL == mdso ) {
+    goto loser;
+  }
+
+  mdso->arena = arena;
+  mdso->n = ulCount;
+  mdso->attributes = nss_ZNEWARRAY(arena, NSSItem, ulCount);
+  if( (NSSItem *)NULL == mdso->attributes ) {
+    goto loser;
+  }
+
+  mdso->types = nss_ZNEWARRAY(arena, CK_ATTRIBUTE_TYPE, ulCount);
+
+  for( i = 0; i < ulCount; i++ ) {
+    mdso->types[i] = attributes[i].type;
+    mdso->attributes[i].size = attributes[i].ulValueLen;
+    mdso->attributes[i].data = nss_ZAlloc(arena, attributes[i].ulValueLen);
+    if( (void *)NULL == mdso->attributes[i].data ) {
+      goto loser;
+    }
+    (void)nsslibc_memcpy(mdso->attributes[i].data, attributes[i].pValue,
+      attributes[i].ulValueLen);
+  }
+
+  mdObject = nss_ZNEW(arena, NSSCKMDObject);
+  if( (NSSCKMDObject *)NULL == mdObject ) {
+    goto loser;
+  }
+
+  mdObject->etc = (void *)mdso;
+  mdObject->Finalize = nss_ckmdSessionObject_Finalize;
+  mdObject->Destroy = nss_ckmdSessionObject_Destroy;
+  mdObject->IsTokenObject = nss_ckmdSessionObject_IsTokenObject;
+  mdObject->GetAttributeCount = nss_ckmdSessionObject_GetAttributeCount;
+  mdObject->GetAttributeTypes = nss_ckmdSessionObject_GetAttributeTypes;
+  mdObject->GetAttributeSize = nss_ckmdSessionObject_GetAttributeSize;
+  mdObject->GetAttribute = nss_ckmdSessionObject_GetAttribute;
+  mdObject->SetAttribute = nss_ckmdSessionObject_SetAttribute;
+  mdObject->GetObjectSize = nss_ckmdSessionObject_GetObjectSize;
+
+  hash = nssCKFWToken_GetSessionObjectHash(fwToken);
+  if( (nssCKFWHash *)NULL == hash ) {
+    *pError = CKR_GENERAL_ERROR;
+    goto loser;
+  }
+
+  mdso->hash = hash;
+
+  *pError = nssCKFWHash_Add(hash, mdObject, mdObject);
+  if( CKR_OK != *pError ) {
+    goto loser;
+  }
+
+#ifdef DEBUG
+  if( CKR_OK != nss_ckmdSessionObject_add_pointer(mdObject) ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  *pError = CKR_OK;
+  return mdObject;
+
+ loser:
+  if( (nssCKMDSessionObject *)NULL != mdso ) {
+    if( (NSSItem *)NULL != mdso->attributes ) {
+      for( i = 0; i < ulCount; i++ ) {
+        nss_ZFreeIf(mdso->attributes[i].data);
+      }
+
+      nss_ZFreeIf(mdso->attributes);
+    }
+
+    nss_ZFreeIf(mdso->types);
+    nss_ZFreeIf(mdso);
+  }
+
+  nss_ZFreeIf(mdObject);
+  *pError = CKR_HOST_MEMORY;
+  return (NSSCKMDObject *)NULL;
+}
+
+/*
+ * nss_ckmdSessionObject_Finalize
+ *
+ */
+static void
+nss_ckmdSessionObject_Finalize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  /* This shouldn't ever be called */
+  return;
+}
+
+/*
+ * nss_ckmdSessionObject_Destroy
+ *
+ */
+
+static CK_RV
+nss_ckmdSessionObject_Destroy
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef NSSDEBUG
+  CK_RV error = CKR_OK;
+#endif /* NSSDEBUG */
+  nssCKMDSessionObject *mdso;
+  CK_ULONG i;
+
+#ifdef NSSDEBUG
+  error = nss_ckmdSessionObject_verifyPointer(mdObject);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  mdso = (nssCKMDSessionObject *)mdObject->etc;
+
+  nssCKFWHash_Remove(mdso->hash, mdObject);
+
+  for( i = 0; i < mdso->n; i++ ) {
+    nss_ZFreeIf(mdso->attributes[i].data);
+  }
+  nss_ZFreeIf(mdso->attributes);
+  nss_ZFreeIf(mdso->types);
+  nss_ZFreeIf(mdso);
+  nss_ZFreeIf(mdObject);
+
+#ifdef DEBUG
+  (void)nss_ckmdSessionObject_remove_pointer(mdObject);
+#endif /* DEBUG */
+
+  return CKR_OK;
+}
+
+/*
+ * nss_ckmdSessionObject_IsTokenObject
+ *
+ */
+
+static CK_BBOOL
+nss_ckmdSessionObject_IsTokenObject
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nss_ckmdSessionObject_verifyPointer(mdObject) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  /*
+   * This implementation is only ever used for session objects.
+   */
+  return CK_FALSE;
+}
+
+/*
+ * nss_ckmdSessionObject_GetAttributeCount
+ *
+ */
+static CK_ULONG
+nss_ckmdSessionObject_GetAttributeCount
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  nssCKMDSessionObject *obj;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return 0;
+  }
+
+  *pError = nss_ckmdSessionObject_verifyPointer(mdObject);
+  if( CKR_OK != *pError ) {
+    return 0;
+  }
+
+  /* We could even check all the other arguments, for sanity. */
+#endif /* NSSDEBUG */
+
+  obj = (nssCKMDSessionObject *)mdObject->etc;
+
+  return obj->n;
+}
+
+/*
+ * nss_ckmdSessionObject_GetAttributeTypes
+ *
+ */
+static CK_RV
+nss_ckmdSessionObject_GetAttributeTypes
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount
+)
+{
+#ifdef NSSDEBUG
+  CK_RV error = CKR_OK;
+#endif /* NSSDEBUG */
+  nssCKMDSessionObject *obj;
+
+#ifdef NSSDEBUG
+  error = nss_ckmdSessionObject_verifyPointer(mdObject);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  /* We could even check all the other arguments, for sanity. */
+#endif /* NSSDEBUG */
+
+  obj = (nssCKMDSessionObject *)mdObject->etc;
+
+  if( ulCount < obj->n ) {
+    return CKR_BUFFER_TOO_SMALL;
+  }
+
+  (void)nsslibc_memcpy(typeArray, obj->types, 
+    sizeof(CK_ATTRIBUTE_TYPE) * obj->n);
+
+  return CKR_OK;
+}
+
+/*
+ * nss_ckmdSessionObject_GetAttributeSize
+ *
+ */
+static CK_ULONG
+nss_ckmdSessionObject_GetAttributeSize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+  nssCKMDSessionObject *obj;
+  CK_ULONG i;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return 0;
+  }
+
+  *pError = nss_ckmdSessionObject_verifyPointer(mdObject);
+  if( CKR_OK != *pError ) {
+    return 0;
+  }
+
+  /* We could even check all the other arguments, for sanity. */
+#endif /* NSSDEBUG */
+
+  obj = (nssCKMDSessionObject *)mdObject->etc;
+
+  for( i = 0; i < obj->n; i++ ) {
+    if( attribute == obj->types[i] ) {
+      return (CK_ULONG)(obj->attributes[i].size);
+    }
+  }
+
+  *pError = CKR_ATTRIBUTE_TYPE_INVALID;
+  return 0;
+}
+
+/*
+ * nss_ckmdSessionObject_GetAttribute
+ *
+ */
+static const NSSItem *
+nss_ckmdSessionObject_GetAttribute
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+  nssCKMDSessionObject *obj;
+  CK_ULONG i;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return 0;
+  }
+
+  *pError = nss_ckmdSessionObject_verifyPointer(mdObject);
+  if( CKR_OK != *pError ) {
+    return 0;
+  }
+
+  /* We could even check all the other arguments, for sanity. */
+#endif /* NSSDEBUG */
+
+  obj = (nssCKMDSessionObject *)mdObject->etc;
+
+  for( i = 0; i < obj->n; i++ ) {
+    if( attribute == obj->types[i] ) {
+      return &obj->attributes[i];
+    }
+  }
+
+  *pError = CKR_ATTRIBUTE_TYPE_INVALID;
+  return 0;
+}
+
+/*
+ * nss_ckmdSessionObject_SetAttribute
+ *
+ */
+
+/*
+ * Okay, so this implementation sucks.  It doesn't support removing
+ * an attribute (if value == NULL), and could be more graceful about
+ * memory.  It should allow "blank" slots in the arrays, with some
+ * invalid attribute type, and then it could support removal much
+ * more easily.  Do this later.
+ */
+static CK_RV
+nss_ckmdSessionObject_SetAttribute
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSItem *value
+)
+{
+  nssCKMDSessionObject *obj;
+  CK_ULONG i;
+  NSSItem n;
+  NSSItem *ra;
+  CK_ATTRIBUTE_TYPE_PTR rt;
+#ifdef NSSDEBUG
+  CK_RV error;
+#endif /* NSSDEBUG */
+
+#ifdef NSSDEBUG
+  error = nss_ckmdSessionObject_verifyPointer(mdObject);
+  if( CKR_OK != error ) {
+    return 0;
+  }
+
+  /* We could even check all the other arguments, for sanity. */
+#endif /* NSSDEBUG */
+
+  obj = (nssCKMDSessionObject *)mdObject->etc;
+
+  n.size = value->size;
+  n.data = nss_ZAlloc(obj->arena, n.size);
+  if( (void *)NULL == n.data ) {
+    return CKR_HOST_MEMORY;
+  }
+  (void)nsslibc_memcpy(n.data, value->data, n.size);
+
+  for( i = 0; i < obj->n; i++ ) {
+    if( attribute == obj->types[i] ) {
+      nss_ZFreeIf(obj->attributes[i].data);
+      obj->attributes[i] = n;
+      return CKR_OK;
+    }
+  }
+
+  /*
+   * It's new.
+   */
+
+  ra = (NSSItem *)nss_ZRealloc(obj->attributes, sizeof(NSSItem) * (obj->n + 1));
+  if( (NSSItem *)NULL == ra ) {
+    nss_ZFreeIf(n.data);
+    return CKR_HOST_MEMORY;
+  }
+
+  rt = (CK_ATTRIBUTE_TYPE_PTR)nss_ZRealloc(obj->types, (obj->n + 1));
+  if( (CK_ATTRIBUTE_TYPE_PTR)NULL == rt ) {
+    nss_ZFreeIf(n.data);
+    obj->attributes = (NSSItem *)nss_ZRealloc(ra, sizeof(NSSItem) * obj->n);
+    if( (NSSItem *)NULL == obj->attributes ) {
+      return CKR_GENERAL_ERROR;
+    }
+    return CKR_HOST_MEMORY;
+  }
+
+  obj->attributes = ra;
+  obj->types = rt;
+  obj->attributes[obj->n] = n;
+  obj->types[obj->n] = attribute;
+  obj->n++;
+
+  return CKR_OK;
+}
+
+/*
+ * nss_ckmdSessionObject_GetObjectSize
+ *
+ */
+static CK_ULONG
+nss_ckmdSessionObject_GetObjectSize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  nssCKMDSessionObject *obj;
+  CK_ULONG i;
+  CK_ULONG rv = (CK_ULONG)0;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return 0;
+  }
+
+  *pError = nss_ckmdSessionObject_verifyPointer(mdObject);
+  if( CKR_OK != *pError ) {
+    return 0;
+  }
+
+  /* We could even check all the other arguments, for sanity. */
+#endif /* NSSDEBUG */
+
+  obj = (nssCKMDSessionObject *)mdObject->etc;
+
+  for( i = 0; i < obj->n; i++ ) {
+    rv += obj->attributes[i].size;
+  }
+
+  rv += sizeof(NSSItem) * obj->n;
+  rv += sizeof(CK_ATTRIBUTE_TYPE) * obj->n;
+  rv += sizeof(nssCKMDSessionObject);
+
+  return rv;
+}
+
+/*
+ * nssCKMDFindSessionObjects
+ *
+ *  -- create --
+ *  nssCKMDFindSessionObjects_Create
+ *
+ *  -- EPV calls --
+ *  nss_ckmdFindSessionObjects_Final
+ *  nss_ckmdFindSessionObjects_Next
+ */
+
+struct nodeStr {
+  struct nodeStr *next;
+  NSSCKMDObject *mdObject;
+};
+
+struct nssCKMDFindSessionObjectsStr {
+  NSSArena *arena;
+  CK_RV error;
+  CK_ATTRIBUTE_PTR pTemplate;
+  CK_ULONG ulCount;
+  struct nodeStr *list;
+  nssCKFWHash *hash;
+
+};
+typedef struct nssCKMDFindSessionObjectsStr nssCKMDFindSessionObjects;
+
+#ifdef DEBUG
+/*
+ * But first, the pointer-tracking stuff.
+ *
+ * NOTE: the pointer-tracking support in NSS/base currently relies
+ * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
+ * locking, which is tied into the runtime.  We need a pointer-tracker
+ * implementation that uses the locks supplied through C_Initialize.
+ * That support, however, can be filled in later.  So for now, I'll
+ * just do this routines as no-ops.
+ */
+
+static CK_RV
+nss_ckmdFindSessionObjects_add_pointer
+(
+  const NSSCKMDFindObjects *mdFindObjects
+)
+{
+  return CKR_OK;
+}
+
+static CK_RV
+nss_ckmdFindSessionObjects_remove_pointer
+(
+  const NSSCKMDFindObjects *mdFindObjects
+)
+{
+  return CKR_OK;
+}
+
+#ifdef NSS_DEBUG
+static CK_RV
+nss_ckmdFindSessionObjects_verifyPointer
+(
+  const NSSCKMDFindObjects *mdFindObjects
+)
+{
+  return CKR_OK;
+}
+#endif
+
+#endif /* DEBUG */
+
+/*
+ * We must forward-declare these routines.
+ */
+static void
+nss_ckmdFindSessionObjects_Final
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+);
+
+static NSSCKMDObject *
+nss_ckmdFindSessionObjects_Next
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+);
+
+static CK_BBOOL
+items_match
+(
+  NSSItem *a,
+  CK_VOID_PTR pValue,
+  CK_ULONG ulValueLen
+)
+{
+  if( a->size != ulValueLen ) {
+    return CK_FALSE;
+  }
+
+  if( PR_TRUE == nsslibc_memequal(a->data, pValue, ulValueLen, (PRStatus *)NULL) ) {
+    return CK_TRUE;
+  } else {
+    return CK_FALSE;
+  }
+}
+
+/*
+ * Our hashtable iterator
+ */
+static void
+findfcn
+(
+  const void *key,
+  void *value,
+  void *closure
+)
+{
+  NSSCKMDObject *mdObject = (NSSCKMDObject *)value;
+  nssCKMDSessionObject *mdso = (nssCKMDSessionObject *)mdObject->etc;
+  nssCKMDFindSessionObjects *mdfso = (nssCKMDFindSessionObjects *)closure;
+  CK_ULONG i, j;
+  struct nodeStr *node;
+
+  if( CKR_OK != mdfso->error ) {
+    return;
+  }
+
+  for( i = 0; i < mdfso->ulCount; i++ ) {
+    CK_ATTRIBUTE_PTR p = &mdfso->pTemplate[i];
+
+    for( j = 0; j < mdso->n; j++ ) {
+      if( mdso->types[j] == p->type ) {
+        if( !items_match(&mdso->attributes[j], p->pValue, p->ulValueLen) ) {
+          return;
+        } else {
+          break;
+        }
+      }
+    }
+
+    if( j == mdso->n ) {
+      /* Attribute not found */
+      return;
+    }
+  }
+
+  /* Matches */
+  node = nss_ZNEW(mdfso->arena, struct nodeStr);
+  if( (struct nodeStr *)NULL == node ) {
+    mdfso->error = CKR_HOST_MEMORY;
+    return;
+  }
+
+  node->mdObject = mdObject;
+  node->next = mdfso->list;
+  mdfso->list = node;
+
+  return;
+}
+
+/*
+ * nssCKMDFindSessionObjects_Create
+ *
+ */
+NSS_IMPLEMENT NSSCKMDFindObjects *
+nssCKMDFindSessionObjects_Create
+(
+  NSSCKFWToken *fwToken,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_RV *pError
+)
+{
+  NSSArena *arena;
+  nssCKMDFindSessionObjects *mdfso;
+  nssCKFWHash *hash;
+  NSSCKMDFindObjects *rv;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKMDFindObjects *)NULL;
+  }
+
+  *pError = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != *pError ) {
+    return (NSSCKMDFindObjects *)NULL;
+  }
+
+  if( (CK_ATTRIBUTE_PTR)NULL == pTemplate ) {
+    *pError = CKR_ARGUMENTS_BAD;
+    return (NSSCKMDFindObjects *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  hash = nssCKFWToken_GetSessionObjectHash(fwToken);
+  if( (nssCKFWHash *)NULL == hash ) {
+    *pError= CKR_GENERAL_ERROR;
+    return (NSSCKMDFindObjects *)NULL;
+  }
+
+  arena = NSSArena_Create();
+  if( (NSSArena *)NULL == arena ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDFindObjects *)NULL;
+  }
+
+  mdfso = nss_ZNEW(arena, nssCKMDFindSessionObjects);
+  if( (nssCKMDFindSessionObjects *)NULL == mdfso ) {
+    NSSArena_Destroy(arena);
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDFindObjects *)NULL;
+  }
+
+  rv = nss_ZNEW(arena, NSSCKMDFindObjects);
+
+  mdfso->error = CKR_OK;
+  mdfso->pTemplate = pTemplate;
+  mdfso->ulCount = ulCount;
+  mdfso->hash = hash;
+
+  nssCKFWHash_Iterate(hash, findfcn, mdfso);
+
+  if( CKR_OK != mdfso->error ) {
+    NSSArena_Destroy(arena);
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDFindObjects *)NULL;
+  }
+
+  rv->etc = (void *)mdfso;
+  rv->Final = nss_ckmdFindSessionObjects_Final;
+  rv->Next = nss_ckmdFindSessionObjects_Next;
+
+#ifdef DEBUG
+  if( (*pError = nss_ckmdFindSessionObjects_add_pointer(rv)) != CKR_OK ) {
+    NSSArena_Destroy(arena);
+    return (NSSCKMDFindObjects *)NULL;
+  }
+#endif /* DEBUG */    
+  mdfso->arena = arena;
+
+  return rv;
+}
+
+static void
+nss_ckmdFindSessionObjects_Final
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nssCKMDFindSessionObjects *mdfso;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nss_ckmdFindSessionObjects_verifyPointer(mdFindObjects) ) {
+    return;
+  }
+#endif /* NSSDEBUG */
+
+  mdfso = (nssCKMDFindSessionObjects *)mdFindObjects->etc;
+  if (mdfso->arena) NSSArena_Destroy(mdfso->arena);
+
+#ifdef DEBUG
+  (void)nss_ckmdFindSessionObjects_remove_pointer(mdFindObjects);
+#endif /* DEBUG */
+
+  return;
+}
+
+static NSSCKMDObject *
+nss_ckmdFindSessionObjects_Next
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+)
+{
+  nssCKMDFindSessionObjects *mdfso;
+  NSSCKMDObject *rv = (NSSCKMDObject *)NULL;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nss_ckmdFindSessionObjects_verifyPointer(mdFindObjects) ) {
+    return (NSSCKMDObject *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  mdfso = (nssCKMDFindSessionObjects *)mdFindObjects->etc;
+
+  while( (NSSCKMDObject *)NULL == rv ) {
+    if( (struct nodeStr *)NULL == mdfso->list ) {
+      *pError = CKR_OK;
+      return (NSSCKMDObject *)NULL;
+    }
+
+    if( nssCKFWHash_Exists(mdfso->hash, mdfso->list->mdObject) ) {
+      rv = mdfso->list->mdObject;
+    }
+
+    mdfso->list = mdfso->list->next;
+  }
+
+  return rv;
+}
diff --git a/security/nss/lib/ckfw/slot.c b/security/nss/lib/ckfw/slot.c
new file mode 100644
index 000000000..4e2b0831c
--- /dev/null
+++ b/security/nss/lib/ckfw/slot.c
@@ -0,0 +1,753 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * slot.c
+ *
+ * This file implements the NSSCKFWSlot type and methods.
+ */
+
+#ifndef CK_T
+#include "ck.h"
+#endif /* CK_T */
+
+/*
+ * NSSCKFWSlot
+ *
+ *  -- create/destroy --
+ *  nssCKFWSlot_Create
+ *  nssCKFWSlot_Destroy
+ *
+ *  -- public accessors --
+ *  NSSCKFWSlot_GetMDSlot
+ *  NSSCKFWSlot_GetFWInstance
+ *  NSSCKFWSlot_GetMDInstance
+ *
+ *  -- implement public accessors --
+ *  nssCKFWSlot_GetMDSlot
+ *  nssCKFWSlot_GetFWInstance
+ *  nssCKFWSlot_GetMDInstance
+ *
+ *  -- private accessors --
+ *  nssCKFWSlot_GetSlotID
+ *  nssCKFWSlot_ClearToken
+ *
+ *  -- module fronts --
+ *  nssCKFWSlot_GetSlotDescription
+ *  nssCKFWSlot_GetManufacturerID
+ *  nssCKFWSlot_GetTokenPresent
+ *  nssCKFWSlot_GetRemovableDevice
+ *  nssCKFWSlot_GetHardwareSlot
+ *  nssCKFWSlot_GetHardwareVersion
+ *  nssCKFWSlot_GetFirmwareVersion
+ *  nssCKFWSlot_InitToken
+ *  nssCKFWSlot_GetToken
+ */
+
+struct NSSCKFWSlotStr {
+  NSSCKFWMutex *mutex;
+  NSSCKMDSlot *mdSlot;
+  NSSCKFWInstance *fwInstance;
+  NSSCKMDInstance *mdInstance;
+  CK_SLOT_ID slotID;
+
+  /*
+   * Everything above is set at creation time, and then not modified.
+   * The invariants the mutex protects are:
+   *
+   * 1) Each of the cached descriptions (versions, etc.) are in an
+   *    internally consistant state.
+   *
+   * 2) The fwToken points to the token currently in the slot, and
+   *    it is in a consistant state.
+   *
+   * Note that the calls accessing the cached descriptions will
+   * call the NSSCKMDSlot methods with the mutex locked.  Those
+   * methods may then call the public NSSCKFWSlot routines.  Those
+   * public routines only access the constant data above, so there's
+   * no problem.  But be careful if you add to this object; mutexes
+   * are in general not reentrant, so don't create deadlock situations.
+   */
+
+  NSSUTF8 *slotDescription;
+  NSSUTF8 *manufacturerID;
+  CK_VERSION hardwareVersion;
+  CK_VERSION firmwareVersion;
+  NSSCKFWToken *fwToken;
+};
+
+#ifdef DEBUG
+/*
+ * But first, the pointer-tracking stuff.
+ *
+ * NOTE: the pointer-tracking support in NSS/base currently relies
+ * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
+ * locking, which is tied into the runtime.  We need a pointer-tracker
+ * implementation that uses the locks supplied through C_Initialize.
+ * That support, however, can be filled in later.  So for now, I'll
+ * just do this routines as no-ops.
+ */
+
+static CK_RV
+slot_add_pointer
+(
+  const NSSCKFWSlot *fwSlot
+)
+{
+  return CKR_OK;
+}
+
+static CK_RV
+slot_remove_pointer
+(
+  const NSSCKFWSlot *fwSlot
+)
+{
+  return CKR_OK;
+}
+
+NSS_IMPLEMENT CK_RV
+nssCKFWSlot_verifyPointer
+(
+  const NSSCKFWSlot *fwSlot
+)
+{
+  return CKR_OK;
+}
+
+#endif /* DEBUG */
+
+/*
+ * nssCKFWSlot_Create
+ *
+ */
+NSS_IMPLEMENT NSSCKFWSlot *
+nssCKFWSlot_Create
+(
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDSlot *mdSlot,
+  CK_SLOT_ID slotID,
+  CK_RV *pError
+)
+{
+  NSSCKFWSlot *fwSlot;
+  NSSCKMDInstance *mdInstance;
+  NSSArena *arena;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWSlot *)NULL;
+  }
+
+  *pError = nssCKFWInstance_verifyPointer(fwInstance);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWSlot *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  mdInstance = nssCKFWInstance_GetMDInstance(fwInstance);
+  if( (NSSCKMDInstance *)NULL == mdInstance ) {
+    *pError = CKR_GENERAL_ERROR;
+    return (NSSCKFWSlot *)NULL;
+  }
+
+  arena = nssCKFWInstance_GetArena(fwInstance, pError);
+  if( (NSSArena *)NULL == arena ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+  }
+
+  fwSlot = nss_ZNEW(arena, NSSCKFWSlot);
+  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKFWSlot *)NULL;
+  }
+
+  fwSlot->mdSlot = mdSlot;
+  fwSlot->fwInstance = fwInstance;
+  fwSlot->mdInstance = mdInstance;
+  fwSlot->slotID = slotID;
+
+  fwSlot->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
+  if( (NSSCKFWMutex *)NULL == fwSlot->mutex ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    (void)nss_ZFreeIf(fwSlot);
+    return (NSSCKFWSlot *)NULL;
+  }
+
+  if( (void *)NULL != (void *)mdSlot->Initialize ) {
+    *pError = CKR_OK;
+    *pError = mdSlot->Initialize(mdSlot, fwSlot, mdInstance, fwInstance);
+    if( CKR_OK != *pError ) {
+      (void)nssCKFWMutex_Destroy(fwSlot->mutex);
+      (void)nss_ZFreeIf(fwSlot);
+      return (NSSCKFWSlot *)NULL;
+    }
+  }
+
+#ifdef DEBUG
+  *pError = slot_add_pointer(fwSlot);
+  if( CKR_OK != *pError ) {
+    if( (void *)NULL != (void *)mdSlot->Destroy ) {
+      mdSlot->Destroy(mdSlot, fwSlot, mdInstance, fwInstance);
+    }
+
+    (void)nssCKFWMutex_Destroy(fwSlot->mutex);
+    (void)nss_ZFreeIf(fwSlot);
+    return (NSSCKFWSlot *)NULL;
+  }
+#endif /* DEBUG */
+
+  return fwSlot;
+}
+
+/*
+ * nssCKFWSlot_Destroy
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSlot_Destroy
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWSlot_verifyPointer(fwSlot);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  (void)nssCKFWMutex_Destroy(fwSlot->mutex);
+
+  if( (void *)NULL != (void *)fwSlot->mdSlot->Destroy ) {
+    fwSlot->mdSlot->Destroy(fwSlot->mdSlot, fwSlot, 
+      fwSlot->mdInstance, fwSlot->fwInstance);
+  }
+
+#ifdef DEBUG
+  error = slot_remove_pointer(fwSlot);
+#endif /* DEBUG */
+  (void)nss_ZFreeIf(fwSlot);
+  return error;
+}
+
+/*
+ * nssCKFWSlot_GetMDSlot
+ *
+ */
+NSS_IMPLEMENT NSSCKMDSlot *
+nssCKFWSlot_GetMDSlot
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    return (NSSCKMDSlot *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwSlot->mdSlot;
+}
+
+/*
+ * nssCKFWSlot_GetFWInstance
+ *
+ */
+
+NSS_IMPLEMENT NSSCKFWInstance *
+nssCKFWSlot_GetFWInstance
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    return (NSSCKFWInstance *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwSlot->fwInstance;
+}
+
+/*
+ * nssCKFWSlot_GetMDInstance
+ *
+ */
+
+NSS_IMPLEMENT NSSCKMDInstance *
+nssCKFWSlot_GetMDInstance
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    return (NSSCKMDInstance *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwSlot->mdInstance;
+}
+
+/*
+ * nssCKFWSlot_GetSlotID
+ *
+ */
+NSS_IMPLEMENT CK_SLOT_ID
+nssCKFWSlot_GetSlotID
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    return (CK_SLOT_ID)0;
+  }
+#endif /* NSSDEBUG */
+
+  return fwSlot->slotID;
+}
+
+/*
+ * nssCKFWSlot_GetSlotDescription
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSlot_GetSlotDescription
+(
+  NSSCKFWSlot *fwSlot,
+  CK_CHAR slotDescription[64]
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  if( (CK_CHAR_PTR)NULL == slotDescription ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  error = nssCKFWSlot_verifyPointer(fwSlot);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwSlot->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSUTF8 *)NULL == fwSlot->slotDescription ) {
+    if( (void *)NULL != (void *)fwSlot->mdSlot->GetSlotDescription ) {
+      fwSlot->slotDescription = fwSlot->mdSlot->GetSlotDescription(
+        fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, 
+        fwSlot->fwInstance, &error);
+      if( ((NSSUTF8 *)NULL == fwSlot->slotDescription) && (CKR_OK != error) ) {
+        goto done;
+      }
+    } else {
+      fwSlot->slotDescription = (NSSUTF8 *) "";
+    }
+  }
+
+  (void)nssUTF8_CopyIntoFixedBuffer(fwSlot->slotDescription, (char *)slotDescription, 64, ' ');
+  error = CKR_OK;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwSlot->mutex);
+  return error;
+}
+
+/*
+ * nssCKFWSlot_GetManufacturerID
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWSlot_GetManufacturerID
+(
+  NSSCKFWSlot *fwSlot,
+  CK_CHAR manufacturerID[32]
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  if( (CK_CHAR_PTR)NULL == manufacturerID ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  error = nssCKFWSlot_verifyPointer(fwSlot);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwSlot->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSUTF8 *)NULL == fwSlot->manufacturerID ) {
+    if( (void *)NULL != (void *)fwSlot->mdSlot->GetManufacturerID ) {
+      fwSlot->manufacturerID = fwSlot->mdSlot->GetManufacturerID(
+        fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, 
+        fwSlot->fwInstance, &error);
+      if( ((NSSUTF8 *)NULL == fwSlot->manufacturerID) && (CKR_OK != error) ) {
+        goto done;
+      }
+    } else {
+      fwSlot->manufacturerID = (NSSUTF8 *) "";
+    }
+  }
+
+  (void)nssUTF8_CopyIntoFixedBuffer(fwSlot->manufacturerID, (char *)manufacturerID, 32, ' ');
+  error = CKR_OK;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwSlot->mutex);
+  return error;
+}
+
+/*
+ * nssCKFWSlot_GetTokenPresent
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWSlot_GetTokenPresent
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwSlot->mdSlot->GetTokenPresent ) {
+    return CK_TRUE;
+  }
+
+  return fwSlot->mdSlot->GetTokenPresent(fwSlot->mdSlot, fwSlot,
+    fwSlot->mdInstance, fwSlot->fwInstance);
+}
+
+/*
+ * nssCKFWSlot_GetRemovableDevice
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWSlot_GetRemovableDevice
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwSlot->mdSlot->GetRemovableDevice ) {
+    return CK_FALSE;
+  }
+
+  return fwSlot->mdSlot->GetRemovableDevice(fwSlot->mdSlot, fwSlot,
+    fwSlot->mdInstance, fwSlot->fwInstance);
+}
+
+/*
+ * nssCKFWSlot_GetHardwareSlot
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWSlot_GetHardwareSlot
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwSlot->mdSlot->GetHardwareSlot ) {
+    return CK_FALSE;
+  }
+
+  return fwSlot->mdSlot->GetHardwareSlot(fwSlot->mdSlot, fwSlot,
+    fwSlot->mdInstance, fwSlot->fwInstance);
+}
+
+/*
+ * nssCKFWSlot_GetHardwareVersion
+ *
+ */
+NSS_IMPLEMENT CK_VERSION
+nssCKFWSlot_GetHardwareVersion
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+  CK_VERSION rv;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwSlot->mutex) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+
+  if( (0 != fwSlot->hardwareVersion.major) ||
+      (0 != fwSlot->hardwareVersion.minor) ) {
+    rv = fwSlot->hardwareVersion;
+    goto done;
+  }
+
+  if( (void *)NULL != (void *)fwSlot->mdSlot->GetHardwareVersion ) {
+    fwSlot->hardwareVersion = fwSlot->mdSlot->GetHardwareVersion(
+      fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, fwSlot->fwInstance);
+  } else {
+    fwSlot->hardwareVersion.major = 0;
+    fwSlot->hardwareVersion.minor = 1;
+  }
+
+  rv = fwSlot->hardwareVersion;
+ done:
+  (void)nssCKFWMutex_Unlock(fwSlot->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWSlot_GetFirmwareVersion
+ *
+ */
+NSS_IMPLEMENT CK_VERSION
+nssCKFWSlot_GetFirmwareVersion
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+  CK_VERSION rv;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwSlot->mutex) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+
+  if( (0 != fwSlot->firmwareVersion.major) ||
+      (0 != fwSlot->firmwareVersion.minor) ) {
+    rv = fwSlot->firmwareVersion;
+    goto done;
+  }
+
+  if( (void *)NULL != (void *)fwSlot->mdSlot->GetFirmwareVersion ) {
+    fwSlot->firmwareVersion = fwSlot->mdSlot->GetFirmwareVersion(
+      fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, fwSlot->fwInstance);
+  } else {
+    fwSlot->firmwareVersion.major = 0;
+    fwSlot->firmwareVersion.minor = 1;
+  }
+
+  rv = fwSlot->firmwareVersion;
+ done:
+  (void)nssCKFWMutex_Unlock(fwSlot->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWSlot_GetToken
+ * 
+ */
+NSS_IMPLEMENT NSSCKFWToken *
+nssCKFWSlot_GetToken
+(
+  NSSCKFWSlot *fwSlot,
+  CK_RV *pError
+)
+{
+  NSSCKMDToken *mdToken;
+  NSSCKFWToken *fwToken;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWToken *)NULL;
+  }
+
+  *pError = nssCKFWSlot_verifyPointer(fwSlot);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWToken *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  *pError = nssCKFWMutex_Lock(fwSlot->mutex);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWToken *)NULL;
+  }
+
+  if( (NSSCKFWToken *)NULL == fwSlot->fwToken ) {
+    if( (void *)NULL == (void *)fwSlot->mdSlot->GetToken ) {
+      *pError = CKR_GENERAL_ERROR;
+      fwToken = (NSSCKFWToken *)NULL;
+      goto done;
+    }
+
+    mdToken = fwSlot->mdSlot->GetToken(fwSlot->mdSlot, fwSlot,
+      fwSlot->mdInstance, fwSlot->fwInstance, pError);
+    if( (NSSCKMDToken *)NULL == mdToken ) {
+      if( CKR_OK == *pError ) {
+        *pError = CKR_GENERAL_ERROR;
+      }
+      return (NSSCKFWToken *)NULL;
+    }
+
+    fwToken = nssCKFWToken_Create(fwSlot, mdToken, pError);
+    fwSlot->fwToken = fwToken;
+  } else {
+    fwToken = fwSlot->fwToken;
+  }
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwSlot->mutex);
+  return fwToken;
+}
+
+/*
+ * nssCKFWSlot_ClearToken
+ *
+ */
+NSS_IMPLEMENT void
+nssCKFWSlot_ClearToken
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    return;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwSlot->mutex) ) {
+    /* Now what? */
+    return;
+  }
+
+  fwSlot->fwToken = (NSSCKFWToken *)NULL;
+  (void)nssCKFWMutex_Unlock(fwSlot->mutex);
+  return;
+}
+
+/*
+ * NSSCKFWSlot_GetMDSlot
+ *
+ */
+
+NSS_IMPLEMENT NSSCKMDSlot *
+NSSCKFWSlot_GetMDSlot
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    return (NSSCKMDSlot *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWSlot_GetMDSlot(fwSlot);
+}
+
+/*
+ * NSSCKFWSlot_GetFWInstance
+ *
+ */
+
+NSS_IMPLEMENT NSSCKFWInstance *
+NSSCKFWSlot_GetFWInstance
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    return (NSSCKFWInstance *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWSlot_GetFWInstance(fwSlot);
+}
+
+/*
+ * NSSCKFWSlot_GetMDInstance
+ *
+ */
+
+NSS_IMPLEMENT NSSCKMDInstance *
+NSSCKFWSlot_GetMDInstance
+(
+  NSSCKFWSlot *fwSlot
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
+    return (NSSCKMDInstance *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWSlot_GetMDInstance(fwSlot);
+}
diff --git a/security/nss/lib/ckfw/token.c b/security/nss/lib/ckfw/token.c
new file mode 100644
index 000000000..6e4aa247b
--- /dev/null
+++ b/security/nss/lib/ckfw/token.c
@@ -0,0 +1,1855 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * token.c
+ *
+ * This file implements the NSSCKFWToken type and methods.
+ */
+
+#ifndef CK_T
+#include "ck.h"
+#endif /* CK_T */
+
+/*
+ * NSSCKFWToken
+ *
+ *  -- create/destroy --
+ *  nssCKFWToken_Create
+ *  nssCKFWToken_Destroy
+ *
+ *  -- public accessors --
+ *  NSSCKFWToken_GetMDToken
+ *  NSSCKFWToken_GetFWSlot
+ *  NSSCKFWToken_GetMDSlot
+ *  NSSCKFWToken_GetSessionState
+ *
+ *  -- implement public accessors --
+ *  nssCKFWToken_GetMDToken
+ *  nssCKFWToken_GetFWSlot
+ *  nssCKFWToken_GetMDSlot
+ *  nssCKFWToken_GetSessionState
+ *  nssCKFWToken_SetSessionState
+ *
+ *  -- private accessors --
+ *  nssCKFWToken_SetSessionState
+ *  nssCKFWToken_RemoveSession
+ *  nssCKFWToken_CloseAllSessions
+ *  nssCKFWToken_GetSessionCount
+ *  nssCKFWToken_GetRwSessionCount
+ *  nssCKFWToken_GetRoSessionCount
+ *  nssCKFWToken_GetSessionObjectHash
+ *  nssCKFWToken_GetMDObjectHash
+ *  nssCKFWToken_GetObjectHandleHash
+ *
+ *  -- module fronts --
+ *  nssCKFWToken_InitToken
+ *  nssCKFWToken_GetLabel
+ *  nssCKFWToken_GetManufacturerID
+ *  nssCKFWToken_GetModel
+ *  nssCKFWToken_GetSerialNumber
+ *  nssCKFWToken_GetHasRNG
+ *  nssCKFWToken_GetIsWriteProtected
+ *  nssCKFWToken_GetLoginRequired
+ *  nssCKFWToken_GetUserPinInitialized
+ *  nssCKFWToken_GetRestoreKeyNotNeeded
+ *  nssCKFWToken_GetHasClockOnToken
+ *  nssCKFWToken_GetHasProtectedAuthenticationPath
+ *  nssCKFWToken_GetSupportsDualCryptoOperations
+ *  nssCKFWToken_GetMaxSessionCount
+ *  nssCKFWToken_GetMaxRwSessionCount
+ *  nssCKFWToken_GetMaxPinLen
+ *  nssCKFWToken_GetMinPinLen
+ *  nssCKFWToken_GetTotalPublicMemory
+ *  nssCKFWToken_GetFreePublicMemory
+ *  nssCKFWToken_GetTotalPrivateMemory
+ *  nssCKFWToken_GetFreePrivateMemory
+ *  nssCKFWToken_GetHardwareVersion
+ *  nssCKFWToken_GetFirmwareVersion
+ *  nssCKFWToken_GetUTCTime
+ *  nssCKFWToken_OpenSession
+ *  nssCKFWToken_GetMechanismCount
+ *  nssCKFWToken_GetMechanismTypes
+ *  nssCKFWToken_GetMechanism
+ */
+
+struct NSSCKFWTokenStr {
+  NSSCKFWMutex *mutex;
+  NSSArena *arena;
+  NSSCKMDToken *mdToken;
+  NSSCKFWSlot *fwSlot;
+  NSSCKMDSlot *mdSlot;
+  NSSCKFWInstance *fwInstance;
+  NSSCKMDInstance *mdInstance;
+
+  /*
+   * Everything above is set at creation time, and then not modified.
+   * The invariants the mutex protects are:
+   *
+   * 1) Each of the cached descriptions (versions, etc.) are in an
+   *    internally consistant state.
+   *
+   * 2) The session counts and hashes are consistant.
+   *
+   * 3) The object hashes are consistant.
+   *
+   * Note that the calls accessing the cached descriptions will call
+   * the NSSCKMDToken methods with the mutex locked.  Those methods
+   * may then call the public NSSCKFWToken routines.  Those public
+   * routines only access the constant data above and the atomic
+   * CK_STATE session state variable below, so there's no problem.
+   * But be careful if you add to this object; mutexes are in
+   * general not reentrant, so don't create deadlock situations.
+   */
+
+  NSSUTF8 *label;
+  NSSUTF8 *manufacturerID;
+  NSSUTF8 *model;
+  NSSUTF8 *serialNumber;
+  CK_VERSION hardwareVersion;
+  CK_VERSION firmwareVersion;
+
+  CK_ULONG sessionCount;
+  CK_ULONG rwSessionCount;
+  nssCKFWHash *sessions;
+  nssCKFWHash *sessionObjectHash;
+  nssCKFWHash *mdObjectHash;
+
+  CK_STATE state;
+};
+
+#ifdef DEBUG
+/*
+ * But first, the pointer-tracking stuff.
+ *
+ * NOTE: the pointer-tracking support in NSS/base currently relies
+ * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
+ * locking, which is tied into the runtime.  We need a pointer-tracker
+ * implementation that uses the locks supplied through C_Initialize.
+ * That support, however, can be filled in later.  So for now, I'll
+ * just do this routines as no-ops.
+ */
+
+static CK_RV
+token_add_pointer
+(
+  const NSSCKFWToken *fwToken
+)
+{
+  return CKR_OK;
+}
+
+static CK_RV
+token_remove_pointer
+(
+  const NSSCKFWToken *fwToken
+)
+{
+  return CKR_OK;
+}
+
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_verifyPointer
+(
+  const NSSCKFWToken *fwToken
+)
+{
+  return CKR_OK;
+}
+
+#endif /* DEBUG */
+
+/*
+ * nssCKFWToken_Create
+ *
+ */
+NSS_IMPLEMENT NSSCKFWToken *
+nssCKFWToken_Create
+(
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDToken *mdToken,
+  CK_RV *pError
+)
+{
+  NSSArena *arena = (NSSArena *)NULL;
+  NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
+  CK_BBOOL called_setup = CK_FALSE;
+
+  /*
+   * We have already verified the arguments in nssCKFWSlot_GetToken.
+   */
+
+  arena = NSSArena_Create();
+  if( (NSSArena *)NULL == arena ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  fwToken = nss_ZNEW(arena, NSSCKFWToken);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }    
+
+  fwToken->arena = arena;
+  fwToken->mdToken = mdToken;
+  fwToken->fwSlot = fwSlot;
+  fwToken->fwInstance = nssCKFWSlot_GetFWInstance(fwSlot);
+  fwToken->mdInstance = nssCKFWSlot_GetMDInstance(fwSlot);
+  fwToken->state = CKS_RO_PUBLIC_SESSION; /* some default */
+  fwToken->sessionCount = 0;
+  fwToken->rwSessionCount = 0;
+
+  fwToken->mutex = nssCKFWInstance_CreateMutex(fwToken->fwInstance, arena, pError);
+  if( (NSSCKFWMutex *)NULL == fwToken->mutex ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    goto loser;
+  }
+
+  fwToken->sessions = nssCKFWHash_Create(fwToken->fwInstance, arena, pError);
+  if( (nssCKFWHash *)NULL == fwToken->sessions ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    goto loser;
+  }
+
+  if( CK_TRUE != nssCKFWInstance_GetModuleHandlesSessionObjects(
+                   fwToken->fwInstance) ) {
+    fwToken->sessionObjectHash = nssCKFWHash_Create(fwToken->fwInstance, 
+                                   arena, pError);
+    if( (nssCKFWHash *)NULL == fwToken->sessionObjectHash ) {
+      if( CKR_OK == *pError ) {
+        *pError = CKR_GENERAL_ERROR;
+      }
+      goto loser;
+    }
+  }
+
+  fwToken->mdObjectHash = nssCKFWHash_Create(fwToken->fwInstance, 
+                            arena, pError);
+  if( (nssCKFWHash *)NULL == fwToken->mdObjectHash ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    goto loser;
+  }
+
+  /* More here */
+
+  if( (void *)NULL != (void *)mdToken->Setup ) {
+    *pError = mdToken->Setup(mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
+    if( CKR_OK != *pError ) {
+      goto loser;
+    }
+  }
+
+  called_setup = CK_TRUE;
+
+#ifdef DEBUG
+  *pError = token_add_pointer(fwToken);
+  if( CKR_OK != *pError ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  *pError = CKR_OK;
+  return fwToken;
+
+ loser:
+
+  if( CK_TRUE == called_setup ) {
+    if( (void *)NULL != (void *)mdToken->Invalidate ) {
+      mdToken->Invalidate(mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
+    }
+  }
+
+  if( (NSSArena *)NULL != arena ) {
+    (void)NSSArena_Destroy(arena);
+  }
+
+  return (NSSCKFWToken *)NULL;
+}
+
+/*
+ * nssCKFWToken_Destroy
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_Destroy
+(
+  NSSCKFWToken *fwToken
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  (void)nssCKFWMutex_Destroy(fwToken->mutex);
+  
+  if( (void *)NULL != (void *)fwToken->mdToken->Invalidate ) {
+    fwToken->mdToken->Invalidate(fwToken->mdToken, fwToken,
+      fwToken->mdInstance, fwToken->fwInstance);
+  }
+
+  nssCKFWSlot_ClearToken(fwToken->fwSlot);
+  
+#ifdef DEBUG
+  error = token_remove_pointer(fwToken);
+#endif /* DEBUG */
+
+  (void)NSSArena_Destroy(fwToken->arena);
+  return error;
+}
+
+/*
+ * nssCKFWToken_GetMDToken
+ *
+ */
+NSS_IMPLEMENT NSSCKMDToken *
+nssCKFWToken_GetMDToken
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (NSSCKMDToken *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwToken->mdToken;
+}
+
+/*
+ * nssCKFWToken_GetArena
+ *
+ */
+NSS_IMPLEMENT NSSArena *
+nssCKFWToken_GetArena
+(
+  NSSCKFWToken *fwToken,
+  CK_RV *pError
+)
+{
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSArena *)NULL;
+  }
+
+  *pError = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != *pError ) {
+    return (NSSArena *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwToken->arena;
+}
+
+/*
+ * nssCKFWToken_GetFWSlot
+ *
+ */
+NSS_IMPLEMENT NSSCKFWSlot *
+nssCKFWToken_GetFWSlot
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (NSSCKFWSlot *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwToken->fwSlot;
+}
+
+/*
+ * nssCKFWToken_GetMDSlot
+ *
+ */
+NSS_IMPLEMENT NSSCKMDSlot *
+nssCKFWToken_GetMDSlot
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (NSSCKMDSlot *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwToken->mdSlot;
+}
+
+/*
+ * nssCKFWToken_GetSessionState
+ *
+ */
+NSS_IMPLEMENT CK_STATE
+nssCKFWToken_GetSessionState
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CKS_RO_PUBLIC_SESSION; /* whatever */
+  }
+#endif /* NSSDEBUG */
+
+  /*
+   * BTW, do not lock the token in this method.
+   */
+
+  /*
+   * Theoretically, there is no state if there aren't any
+   * sessions open.  But then we'd need to worry about
+   * reporting an error, etc.  What the heck-- let's just
+   * revert to CKR_RO_PUBLIC_SESSION as the "default."
+   */
+
+  return fwToken->state;
+}
+
+/*
+ * nssCKFWToken_InitToken
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_InitToken
+(
+  NSSCKFWToken *fwToken,
+  NSSItem *pin,
+  NSSUTF8 *label
+)
+{
+  CK_RV error;
+
+#ifdef NSSDEBUG
+  error = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != error ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwToken->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( fwToken->sessionCount > 0 ) {
+    error = CKR_SESSION_EXISTS;
+    goto done;
+  }
+
+  if( (void *)NULL == (void *)fwToken->mdToken->InitToken ) {
+    error = CKR_DEVICE_ERROR;
+    goto done;
+  }
+
+  if( (NSSItem *)NULL == pin ) {
+    if( nssCKFWToken_GetHasProtectedAuthenticationPath(fwToken) ) {
+      ; /* okay */
+    } else {
+      error = CKR_PIN_INCORRECT;
+      goto done;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL == label ) {
+    label = (NSSUTF8 *) "";
+  }
+
+  error = fwToken->mdToken->InitToken(fwToken->mdToken, fwToken,
+            fwToken->mdInstance, fwToken->fwInstance, pin, label);
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return error;
+}
+
+/*
+ * nssCKFWToken_GetLabel
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_GetLabel
+(
+  NSSCKFWToken *fwToken,
+  CK_CHAR label[32]
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  if( (CK_CHAR_PTR)NULL == label ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  error = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwToken->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSUTF8 *)NULL == fwToken->label ) {
+    if( (void *)NULL != (void *)fwToken->mdToken->GetLabel ) {
+      fwToken->label = fwToken->mdToken->GetLabel(fwToken->mdToken, fwToken,
+        fwToken->mdInstance, fwToken->fwInstance, &error);
+      if( ((NSSUTF8 *)NULL == fwToken->label) && (CKR_OK != error) ) {
+        goto done;
+      }
+    } else {
+      fwToken->label = (NSSUTF8 *) "";
+    }
+  }
+
+  (void)nssUTF8_CopyIntoFixedBuffer(fwToken->label, (char *)label, 32, ' ');
+  error = CKR_OK;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return error;
+}
+
+/*
+ * nssCKFWToken_GetManufacturerID
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_GetManufacturerID
+(
+  NSSCKFWToken *fwToken,
+  CK_CHAR manufacturerID[32]
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  if( (CK_CHAR_PTR)NULL == manufacturerID ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  error = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwToken->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSUTF8 *)NULL == fwToken->manufacturerID ) {
+    if( (void *)NULL != (void *)fwToken->mdToken->GetManufacturerID ) {
+      fwToken->manufacturerID = fwToken->mdToken->GetManufacturerID(fwToken->mdToken,
+        fwToken, fwToken->mdInstance, fwToken->fwInstance, &error);
+      if( ((NSSUTF8 *)NULL == fwToken->manufacturerID) && (CKR_OK != error) ) {
+        goto done;
+      }
+    } else {
+      fwToken->manufacturerID = (NSSUTF8 *)"";
+    }
+  }
+
+  (void)nssUTF8_CopyIntoFixedBuffer(fwToken->manufacturerID, (char *)manufacturerID, 32, ' ');
+  error = CKR_OK;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return error;
+}
+
+/*
+ * nssCKFWToken_GetModel
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_GetModel
+(
+  NSSCKFWToken *fwToken,
+  CK_CHAR model[16]
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  if( (CK_CHAR_PTR)NULL == model ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  error = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwToken->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSUTF8 *)NULL == fwToken->model ) {
+    if( (void *)NULL != (void *)fwToken->mdToken->GetModel ) {
+      fwToken->model = fwToken->mdToken->GetModel(fwToken->mdToken, fwToken,
+        fwToken->mdInstance, fwToken->fwInstance, &error);
+      if( ((NSSUTF8 *)NULL == fwToken->model) && (CKR_OK != error) ) {
+        goto done;
+      }
+    } else {
+      fwToken->model = (NSSUTF8 *)"";
+    }
+  }
+
+  (void)nssUTF8_CopyIntoFixedBuffer(fwToken->model, (char *)model, 16, ' ');
+  error = CKR_OK;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return error;
+}
+
+/*
+ * nssCKFWToken_GetSerialNumber
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_GetSerialNumber
+(
+  NSSCKFWToken *fwToken,
+  CK_CHAR serialNumber[16]
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  if( (CK_CHAR_PTR)NULL == serialNumber ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  error = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwToken->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (NSSUTF8 *)NULL == fwToken->serialNumber ) {
+    if( (void *)NULL != (void *)fwToken->mdToken->GetSerialNumber ) {
+      fwToken->serialNumber = fwToken->mdToken->GetSerialNumber(fwToken->mdToken, 
+        fwToken, fwToken->mdInstance, fwToken->fwInstance, &error);
+      if( ((NSSUTF8 *)NULL == fwToken->serialNumber) && (CKR_OK != error) ) {
+        goto done;
+      }
+    } else {
+      fwToken->serialNumber = (NSSUTF8 *)"";
+    }
+  }
+
+  (void)nssUTF8_CopyIntoFixedBuffer(fwToken->serialNumber, (char *)serialNumber, 16, ' ');
+  error = CKR_OK;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return error;
+}
+
+
+/*
+ * nssCKFWToken_GetHasRNG
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWToken_GetHasRNG
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetHasRNG ) {
+    return CK_FALSE;
+  }
+
+  return fwToken->mdToken->GetHasRNG(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetIsWriteProtected
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWToken_GetIsWriteProtected
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetIsWriteProtected ) {
+    return CK_FALSE;
+  }
+
+  return fwToken->mdToken->GetIsWriteProtected(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetLoginRequired
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWToken_GetLoginRequired
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetLoginRequired ) {
+    return CK_FALSE;
+  }
+
+  return fwToken->mdToken->GetLoginRequired(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetUserPinInitialized
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWToken_GetUserPinInitialized
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetUserPinInitialized ) {
+    return CK_FALSE;
+  }
+
+  return fwToken->mdToken->GetUserPinInitialized(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetRestoreKeyNotNeeded
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWToken_GetRestoreKeyNotNeeded
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetRestoreKeyNotNeeded ) {
+    return CK_FALSE;
+  }
+
+  return fwToken->mdToken->GetRestoreKeyNotNeeded(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetHasClockOnToken
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWToken_GetHasClockOnToken
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetHasClockOnToken ) {
+    return CK_FALSE;
+  }
+
+  return fwToken->mdToken->GetHasClockOnToken(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetHasProtectedAuthenticationPath
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWToken_GetHasProtectedAuthenticationPath
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetHasProtectedAuthenticationPath ) {
+    return CK_FALSE;
+  }
+
+  return fwToken->mdToken->GetHasProtectedAuthenticationPath(fwToken->mdToken, 
+    fwToken, fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetSupportsDualCryptoOperations
+ *
+ */
+NSS_IMPLEMENT CK_BBOOL
+nssCKFWToken_GetSupportsDualCryptoOperations
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetSupportsDualCryptoOperations ) {
+    return CK_FALSE;
+  }
+
+  return fwToken->mdToken->GetSupportsDualCryptoOperations(fwToken->mdToken, 
+    fwToken, fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetMaxSessionCount
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetMaxSessionCount
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetMaxSessionCount ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+
+  return fwToken->mdToken->GetMaxSessionCount(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetMaxRwSessionCount
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetMaxRwSessionCount
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetMaxRwSessionCount ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+
+  return fwToken->mdToken->GetMaxRwSessionCount(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetMaxPinLen
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetMaxPinLen
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetMaxPinLen ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+
+  return fwToken->mdToken->GetMaxPinLen(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetMinPinLen
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetMinPinLen
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetMinPinLen ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+
+  return fwToken->mdToken->GetMinPinLen(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetTotalPublicMemory
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetTotalPublicMemory
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetTotalPublicMemory ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+
+  return fwToken->mdToken->GetTotalPublicMemory(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetFreePublicMemory
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetFreePublicMemory
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetFreePublicMemory ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+
+  return fwToken->mdToken->GetFreePublicMemory(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetTotalPrivateMemory
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetTotalPrivateMemory
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetTotalPrivateMemory ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+
+  return fwToken->mdToken->GetTotalPrivateMemory(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetFreePrivateMemory
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetFreePrivateMemory
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetFreePrivateMemory ) {
+    return CK_UNAVAILABLE_INFORMATION;
+  }
+
+  return fwToken->mdToken->GetFreePrivateMemory(fwToken->mdToken, fwToken, 
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetHardwareVersion
+ *
+ */
+NSS_IMPLEMENT CK_VERSION
+nssCKFWToken_GetHardwareVersion
+(
+  NSSCKFWToken *fwToken
+)
+{
+  CK_VERSION rv;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwToken->mutex) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+
+  if( (0 != fwToken->hardwareVersion.major) ||
+      (0 != fwToken->hardwareVersion.minor) ) {
+    rv = fwToken->hardwareVersion;
+    goto done;
+  }
+
+  if( (void *)NULL != (void *)fwToken->mdToken->GetHardwareVersion ) {
+    fwToken->hardwareVersion = fwToken->mdToken->GetHardwareVersion(
+      fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
+  } else {
+    fwToken->hardwareVersion.major = 0;
+    fwToken->hardwareVersion.minor = 1;
+  }
+
+  rv = fwToken->hardwareVersion;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWToken_GetFirmwareVersion
+ *
+ */
+NSS_IMPLEMENT CK_VERSION
+nssCKFWToken_GetFirmwareVersion
+(
+  NSSCKFWToken *fwToken
+)
+{
+  CK_VERSION rv;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwToken->mutex) ) {
+    rv.major = rv.minor = 0;
+    return rv;
+  }
+
+  if( (0 != fwToken->firmwareVersion.major) ||
+      (0 != fwToken->firmwareVersion.minor) ) {
+    rv = fwToken->firmwareVersion;
+    goto done;
+  }
+
+  if( (void *)NULL != (void *)fwToken->mdToken->GetFirmwareVersion ) {
+    fwToken->firmwareVersion = fwToken->mdToken->GetFirmwareVersion(
+      fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
+  } else {
+    fwToken->firmwareVersion.major = 0;
+    fwToken->firmwareVersion.minor = 1;
+  }
+
+  rv = fwToken->firmwareVersion;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWToken_GetUTCTime
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_GetUTCTime
+(
+  NSSCKFWToken *fwToken,
+  CK_CHAR utcTime[16]
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( (CK_CHAR_PTR)NULL == utcTime ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+#endif /* DEBUG */
+
+  if( CK_TRUE != nssCKFWToken_GetHasClockOnToken(fwToken) ) {
+    /* return CKR_DEVICE_ERROR; */
+    (void)nssUTF8_CopyIntoFixedBuffer((NSSUTF8 *)NULL, (char *)utcTime, 16, ' ');
+    return CKR_OK;
+  }
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetUTCTime ) {
+    /* It said it had one! */
+    return CKR_GENERAL_ERROR;
+  }
+
+  error = fwToken->mdToken->GetUTCTime(fwToken->mdToken, fwToken, 
+            fwToken->mdInstance, fwToken->fwInstance, utcTime);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  /* Sanity-check the data */
+  {
+    /* Format is YYYYMMDDhhmmss00 */
+    int i;
+    int Y, M, D, h, m, s, z;
+    static int dims[] = { 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
+
+    for( i = 0; i < 16; i++ ) {
+      if( (utcTime[i] < '0') || (utcTime[i] > '9') ) {
+        goto badtime;
+      }
+    }
+
+    Y = ((utcTime[ 0] - '0') * 1000) + ((utcTime[1] - '0') * 100) +
+        ((utcTime[ 2] - '0') * 10) + (utcTime[ 3] - '0');
+    M = ((utcTime[ 4] - '0') * 10) + (utcTime[ 5] - '0');
+    D = ((utcTime[ 6] - '0') * 10) + (utcTime[ 7] - '0');
+    h = ((utcTime[ 8] - '0') * 10) + (utcTime[ 9] - '0');
+    m = ((utcTime[10] - '0') * 10) + (utcTime[11] - '0');
+    s = ((utcTime[12] - '0') * 10) + (utcTime[13] - '0');
+    z = ((utcTime[14] - '0') * 10) + (utcTime[15] - '0');
+
+    if( (Y < 1990) || (Y > 3000) ) goto badtime; /* Y3K problem.  heh heh heh */
+    if( (M < 1) || (M > 12) ) goto badtime;
+    if( (D < 1) || (D > 31) ) goto badtime;
+
+    if( D > dims[M-1] ) goto badtime; /* per-month check */
+    if( (2 == M) && (((Y%4)||!(Y%100))&&(Y%400)) && (D > 28) ) goto badtime; /* leap years */
+
+    if( (h < 0) || (h > 23) ) goto badtime;
+    if( (m < 0) || (m > 60) ) goto badtime;
+    if( (s < 0) || (s > 61) ) goto badtime;
+
+    /* 60m and 60 or 61s is only allowed for leap seconds. */
+    if( (60 == m) || (s >= 60) ) {
+      if( (23 != h) || (60 != m) || (s < 60) ) goto badtime;
+      /* leap seconds can only happen on June 30 or Dec 31.. I think */
+      /* if( ((6 != M) || (30 != D)) && ((12 != M) || (31 != D)) ) goto badtime; */
+    }
+  }
+
+  return CKR_OK;
+
+ badtime:
+  return CKR_GENERAL_ERROR;
+}
+
+/*
+ * nssCKFWToken_OpenSession
+ *
+ */
+NSS_IMPLEMENT NSSCKFWSession *
+nssCKFWToken_OpenSession
+(
+  NSSCKFWToken *fwToken,
+  CK_BBOOL rw,
+  CK_VOID_PTR pApplication,
+  CK_NOTIFY Notify,
+  CK_RV *pError
+)
+{
+  NSSCKFWSession *fwSession = (NSSCKFWSession *)NULL;
+  NSSCKMDSession *mdSession;
+
+#ifdef NSSDEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSCKFWSession *)NULL;
+  }
+
+  *pError = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWSession *)NULL;
+  }
+
+  switch( rw ) {
+  case CK_TRUE:
+  case CK_FALSE:
+    break;
+  default:
+    *pError = CKR_ARGUMENTS_BAD;
+    return (NSSCKFWSession *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  *pError = nssCKFWMutex_Lock(fwToken->mutex);
+  if( CKR_OK != *pError ) {
+    return (NSSCKFWSession *)NULL;
+  }
+
+  if( CK_TRUE == rw ) {
+    /* Read-write session desired */
+    if( CK_TRUE == nssCKFWToken_GetIsWriteProtected(fwToken) ) {
+      *pError = CKR_TOKEN_WRITE_PROTECTED;
+      goto done;
+    }
+  } else {
+    /* Read-only session desired */
+    if( CKS_RW_SO_FUNCTIONS == nssCKFWToken_GetSessionState(fwToken) ) {
+      *pError = CKR_SESSION_READ_WRITE_SO_EXISTS;
+      goto done;
+    }
+  }
+
+  /* We could compare sesion counts to any limits we know of, I guess.. */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->OpenSession ) {
+    /*
+     * I'm not sure that the Module actually needs to implement
+     * mdSessions -- the Framework can keep track of everything 
+     * needed, really.  But I'll sort out that detail later..
+     */
+    *pError = CKR_GENERAL_ERROR;
+    goto done;
+  }
+
+  fwSession = nssCKFWSession_Create(fwToken, rw, pApplication, Notify, pError);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    goto done;
+  }
+
+  mdSession = fwToken->mdToken->OpenSession(fwToken->mdToken, fwToken,
+                fwToken->mdInstance, fwToken->fwInstance, fwSession,
+                rw, pError);
+  if( (NSSCKMDSession *)NULL == mdSession ) {
+    (void)nssCKFWSession_Destroy(fwSession, CK_FALSE);
+    if( CKR_OK == *pError ) {
+      *pError = CKR_GENERAL_ERROR;
+    }
+    goto done;
+  }
+
+  *pError = nssCKFWSession_SetMDSession(fwSession, mdSession);
+  if( CKR_OK != *pError ) {
+    if( (void *)NULL != (void *)mdSession->Close ) {
+      mdSession->Close(mdSession, fwSession, fwToken->mdToken, fwToken,
+      fwToken->mdInstance, fwToken->fwInstance);
+    }
+    (void)nssCKFWSession_Destroy(fwSession, CK_FALSE);
+    goto done;
+  }
+
+  *pError = nssCKFWHash_Add(fwToken->sessions, fwSession, fwSession);
+  if( CKR_OK != *pError ) {
+    (void)nssCKFWSession_Destroy(fwSession, CK_FALSE);
+    fwSession = (NSSCKFWSession *)NULL;
+    goto done;
+  }
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return fwSession;
+}
+
+/*
+ * nssCKFWToken_GetMechanismCount
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetMechanismCount
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return 0;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetMechanismCount ) {
+    return 0;
+  }
+
+  return fwToken->mdToken->GetMechanismCount(fwToken->mdToken, fwToken,
+    fwToken->mdInstance, fwToken->fwInstance);
+}
+
+/*
+ * nssCKFWToken_GetMechanismTypes
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_GetMechanismTypes
+(
+  NSSCKFWToken *fwToken,
+  CK_MECHANISM_TYPE types[]
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+
+  if( (CK_MECHANISM_TYPE *)NULL == types ) {
+    return CKR_ARGUMENTS_BAD;
+  }
+#endif /* NSSDEBUG */
+
+  if( (void *)NULL == (void *)fwToken->mdToken->GetMechanismTypes ) {
+    /*
+     * This should only be called with a sufficiently-large
+     * "types" array, which can only be done if GetMechanismCount
+     * is implemented.  If that's implemented (and returns nonzero),
+     * then this should be too.  So return an error.
+     */
+    return CKR_GENERAL_ERROR;
+  }
+
+  return fwToken->mdToken->GetMechanismTypes(fwToken->mdToken, fwToken,
+    fwToken->mdInstance, fwToken->fwInstance, types);
+}
+
+
+/*
+ * nssCKFWToken_GetMechanism
+ *
+ */
+NSS_IMPLEMENT NSSCKFWMechanism *
+nssCKFWToken_GetMechanism
+(
+  NSSCKFWToken *fwToken,
+  CK_MECHANISM_TYPE which,
+  CK_RV *pError
+)
+{
+  /* XXX fgmr */
+  return (NSSCKFWMechanism *)NULL;
+}
+
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_SetSessionState
+(
+  NSSCKFWToken *fwToken,
+  CK_STATE newState
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  switch( newState ) {
+  case CKS_RO_PUBLIC_SESSION:
+  case CKS_RO_USER_FUNCTIONS:
+  case CKS_RW_PUBLIC_SESSION:
+  case CKS_RW_USER_FUNCTIONS:
+  case CKS_RW_SO_FUNCTIONS:
+    break;
+  default:
+    return CKR_ARGUMENTS_BAD;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwToken->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  fwToken->state = newState;
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return CKR_OK;
+}
+
+/*
+ * nssCKFWToken_RemoveSession
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_RemoveSession
+(
+  NSSCKFWToken *fwToken,
+  NSSCKFWSession *fwSession
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  error = nssCKFWSession_verifyPointer(fwSession);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwToken->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  if( CK_TRUE != nssCKFWHash_Exists(fwToken->sessions, fwSession) ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto done;
+  }
+
+  nssCKFWHash_Remove(fwToken->sessions, fwSession);
+  fwToken->sessionCount--;
+
+  if( nssCKFWSession_IsRWSession(fwSession) ) {
+    fwToken->rwSessionCount--;
+  }
+
+  if( 0 == fwToken->sessionCount ) {
+    fwToken->rwSessionCount = 0; /* sanity */
+    fwToken->state = CKS_RO_PUBLIC_SESSION; /* some default */
+  }
+
+  error = CKR_OK;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return error;
+}
+
+static void
+nss_ckfwtoken_session_iterator
+(
+  const void *key,
+  void *value,
+  void *closure
+)
+{
+  /*
+   * Remember that the fwToken->mutex is locked
+   */
+  NSSCKFWSession *fwSession = (NSSCKFWSession *)value;
+  (void)nssCKFWSession_Destroy(fwSession, CK_FALSE);
+  return;
+}
+
+/*
+ * nssCKFWToken_CloseAllSessions
+ *
+ */
+NSS_IMPLEMENT CK_RV
+nssCKFWToken_CloseAllSessions
+(
+  NSSCKFWToken *fwToken
+)
+{
+  CK_RV error = CKR_OK;
+
+#ifdef NSSDEBUG
+  error = nssCKFWToken_verifyPointer(fwToken);
+  if( CKR_OK != error ) {
+    return error;
+  }
+#endif /* NSSDEBUG */
+
+  error = nssCKFWMutex_Lock(fwToken->mutex);
+  if( CKR_OK != error ) {
+    return error;
+  }
+
+  nssCKFWHash_Iterate(fwToken->sessions, nss_ckfwtoken_session_iterator, (void *)NULL);
+
+  nssCKFWHash_Destroy(fwToken->sessions);
+
+  fwToken->sessions = nssCKFWHash_Create(fwToken->fwInstance, fwToken->arena, &error);
+  if( (nssCKFWHash *)NULL == fwToken->sessions ) {
+    if( CKR_OK == error ) {
+      error = CKR_GENERAL_ERROR;
+    }
+    goto done;
+  }
+
+  fwToken->state = CKS_RO_PUBLIC_SESSION; /* some default */
+  fwToken->sessionCount = 0;
+  fwToken->rwSessionCount = 0;
+
+  error = CKR_OK;
+
+ done:
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return error;
+}
+
+/*
+ * nssCKFWToken_GetSessionCount
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetSessionCount
+(
+  NSSCKFWToken *fwToken
+)
+{
+  CK_ULONG rv;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (CK_ULONG)0;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwToken->mutex) ) {
+    return (CK_ULONG)0;
+  }
+
+  rv = fwToken->sessionCount;
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWToken_GetRwSessionCount
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetRwSessionCount
+(
+  NSSCKFWToken *fwToken
+)
+{
+  CK_ULONG rv;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (CK_ULONG)0;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwToken->mutex) ) {
+    return (CK_ULONG)0;
+  }
+
+  rv = fwToken->rwSessionCount;
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWToken_GetRoSessionCount
+ *
+ */
+NSS_IMPLEMENT CK_ULONG
+nssCKFWToken_GetRoSessionCount
+(
+  NSSCKFWToken *fwToken
+)
+{
+  CK_ULONG rv;
+
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (CK_ULONG)0;
+  }
+#endif /* NSSDEBUG */
+
+  if( CKR_OK != nssCKFWMutex_Lock(fwToken->mutex) ) {
+    return (CK_ULONG)0;
+  }
+
+  rv = fwToken->sessionCount - fwToken->rwSessionCount;
+  (void)nssCKFWMutex_Unlock(fwToken->mutex);
+  return rv;
+}
+
+/*
+ * nssCKFWToken_GetSessionObjectHash
+ *
+ */
+NSS_IMPLEMENT nssCKFWHash *
+nssCKFWToken_GetSessionObjectHash
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (nssCKFWHash *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwToken->sessionObjectHash;
+}
+
+/*
+ * nssCKFWToken_GetMDObjectHash
+ *
+ */
+NSS_IMPLEMENT nssCKFWHash *
+nssCKFWToken_GetMDObjectHash
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (nssCKFWHash *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwToken->mdObjectHash;
+}
+
+/*
+ * nssCKFWToken_GetObjectHandleHash
+ *
+ */
+NSS_IMPLEMENT nssCKFWHash *
+nssCKFWToken_GetObjectHandleHash
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef NSSDEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (nssCKFWHash *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return fwToken->mdObjectHash;
+}
+
+/*
+ * NSSCKFWToken_GetMDToken
+ *
+ */
+
+NSS_IMPLEMENT NSSCKMDToken *
+NSSCKFWToken_GetMDToken
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (NSSCKMDToken *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWToken_GetMDToken(fwToken);
+}
+
+/*
+ * NSSCKFWToken_GetArena
+ *
+ */
+
+NSS_IMPLEMENT NSSArena *
+NSSCKFWToken_GetArena
+(
+  NSSCKFWToken *fwToken,
+  CK_RV *pError
+)
+{
+#ifdef DEBUG
+  if( (CK_RV *)NULL == pError ) {
+    return (NSSArena *)NULL;
+  }
+
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    *pError = CKR_ARGUMENTS_BAD;
+    return (NSSArena *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWToken_GetArena(fwToken, pError);
+}
+
+/*
+ * NSSCKFWToken_GetFWSlot
+ *
+ */
+
+NSS_IMPLEMENT NSSCKFWSlot *
+NSSCKFWToken_GetFWSlot
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (NSSCKFWSlot *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWToken_GetFWSlot(fwToken);
+}
+
+/*
+ * NSSCKFWToken_GetMDSlot
+ *
+ */
+
+NSS_IMPLEMENT NSSCKMDSlot *
+NSSCKFWToken_GetMDSlot
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return (NSSCKMDSlot *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWToken_GetMDSlot(fwToken);
+}
+
+/*
+ * NSSCKFWToken_GetSessionState
+ *
+ */
+
+NSS_IMPLEMENT CK_STATE
+NSSCKFWSession_GetSessionState
+(
+  NSSCKFWToken *fwToken
+)
+{
+#ifdef DEBUG
+  if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
+    return CKS_RO_PUBLIC_SESSION;
+  }
+#endif /* DEBUG */
+
+  return nssCKFWToken_GetSessionState(fwToken);
+}
diff --git a/security/nss/lib/ckfw/wrap.c b/security/nss/lib/ckfw/wrap.c
new file mode 100644
index 000000000..073df399c
--- /dev/null
+++ b/security/nss/lib/ckfw/wrap.c
@@ -0,0 +1,3420 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * wrap.c
+ *
+ * This file contains the routines that actually implement the cryptoki
+ * API, using the internal APIs of the NSS Cryptoki Framework.  There is
+ * one routine here for every cryptoki routine.  For linking reasons
+ * the actual entry points passed back with C_GetFunctionList have to
+ * exist in one of the Module's source files; however, those are merely
+ * simple wrappers that call these routines.  The intelligence of the
+ * implementations is here.
+ */
+
+#ifndef CK_T
+#include "ck.h"
+#endif /* CK_T */
+
+/*
+ * NSSCKFWC_Initialize
+ * NSSCKFWC_Finalize
+ * NSSCKFWC_GetInfo
+ * -- NSSCKFWC_GetFunctionList -- see the API insert file
+ * NSSCKFWC_GetSlotList
+ * NSSCKFWC_GetSlotInfo
+ * NSSCKFWC_GetTokenInfo
+ * NSSCKFWC_WaitForSlotEvent
+ * NSSCKFWC_GetMechanismList
+ * NSSCKFWC_GetMechanismInfo
+ * NSSCKFWC_InitToken
+ * NSSCKFWC_InitPIN
+ * NSSCKFWC_SetPIN
+ * NSSCKFWC_OpenSession
+ * NSSCKFWC_CloseSession
+ * NSSCKFWC_CloseAllSessions
+ * NSSCKFWC_GetSessionInfo
+ * NSSCKFWC_GetOperationState
+ * NSSCKFWC_SetOperationState
+ * NSSCKFWC_Login
+ * NSSCKFWC_Logout
+ * NSSCKFWC_CreateObject
+ * NSSCKFWC_CopyObject
+ * NSSCKFWC_DestroyObject
+ * NSSCKFWC_GetObjectSize
+ * NSSCKFWC_GetAttributeValue
+ * NSSCKFWC_SetAttributeValue
+ * NSSCKFWC_FindObjectsInit
+ * NSSCKFWC_FindObjects
+ * NSSCKFWC_FindObjectsFinal
+ * NSSCKFWC_EncryptInit
+ * NSSCKFWC_Encrypt
+ * NSSCKFWC_EncryptUpdate
+ * NSSCKFWC_EncryptFinal
+ * NSSCKFWC_DecryptInit
+ * NSSCKFWC_Decrypt
+ * NSSCKFWC_DecryptUpdate
+ * NSSCKFWC_DecryptFinal
+ * NSSCKFWC_DigestInit
+ * NSSCKFWC_Digest
+ * NSSCKFWC_DigestUpdate
+ * NSSCKFWC_DigestKey
+ * NSSCKFWC_DigestFinal
+ * NSSCKFWC_SignInit
+ * NSSCKFWC_Sign
+ * NSSCKFWC_SignUpdate
+ * NSSCKFWC_SignFinal
+ * NSSCKFWC_SignRecoverInit
+ * NSSCKFWC_SignRecover
+ * NSSCKFWC_VerifyInit
+ * NSSCKFWC_Verify
+ * NSSCKFWC_VerifyUpdate
+ * NSSCKFWC_VerifyFinal
+ * NSSCKFWC_VerifyRecoverInit
+ * NSSCKFWC_VerifyRecover
+ * NSSCKFWC_DigestEncryptUpdate
+ * NSSCKFWC_DecryptDigestUpdate
+ * NSSCKFWC_SignEncryptUpdate
+ * NSSCKFWC_DecryptVerifyUpdate
+ * NSSCKFWC_GenerateKey
+ * NSSCKFWC_GenerateKeyPair
+ * NSSCKFWC_WrapKey
+ * NSSCKFWC_UnwrapKey
+ * NSSCKFWC_DeriveKey
+ * NSSCKFWC_SeedRandom
+ * NSSCKFWC_GenerateRandom
+ * NSSCKFWC_GetFunctionStatus
+ * NSSCKFWC_CancelFunction
+ */
+
+/*
+ * NSSCKFWC_Initialize
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_Initialize
+(
+  NSSCKFWInstance **pFwInstance,
+  NSSCKMDInstance *mdInstance,
+  CK_VOID_PTR pInitArgs
+)
+{
+  CK_RV error = CKR_OK;
+
+  if( (NSSCKFWInstance **)NULL == pFwInstance ) {
+    error = CKR_GENERAL_ERROR;
+    goto loser;
+  }
+
+  if( (NSSCKFWInstance *)NULL != *pFwInstance ) {
+    error = CKR_CRYPTOKI_ALREADY_INITIALIZED;
+    goto loser;
+  }
+
+  if( (NSSCKMDInstance *)NULL == mdInstance ) {
+    error = CKR_GENERAL_ERROR;
+    goto loser;
+  }
+
+  /* remember the locking args for those times we need to get a lock in code
+   * outside the framework.
+   */
+  nssSetLockArgs(pInitArgs);
+
+  *pFwInstance = nssCKFWInstance_Create(pInitArgs, mdInstance, &error);
+  if( (NSSCKFWInstance *)NULL == *pFwInstance ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_ARGUMENTS_BAD:
+  case CKR_CANT_LOCK:
+  case CKR_CRYPTOKI_ALREADY_INITIALIZED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_NEED_TO_CREATE_THREADS:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_Finalize
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_Finalize
+(
+  NSSCKFWInstance **pFwInstance
+)
+{
+  CK_RV error = CKR_OK;
+
+  if( (NSSCKFWInstance **)NULL == pFwInstance ) {
+    error = CKR_GENERAL_ERROR;
+    goto loser;
+  }
+
+  if( (NSSCKFWInstance *)NULL == *pFwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  error = nssCKFWInstance_Destroy(*pFwInstance);
+
+  /* In any case */
+  *pFwInstance = (NSSCKFWInstance *)NULL;
+
+ loser:
+  switch( error ) {
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OK:
+    break;
+  default:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_GetInfo
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GetInfo
+(
+  NSSCKFWInstance *fwInstance,
+  CK_INFO_PTR pInfo
+)
+{
+  CK_RV error = CKR_OK;
+
+  if( (CK_INFO_PTR)CK_NULL_PTR == pInfo ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /*
+   * A purify error here means a caller error
+   */
+  (void)nsslibc_memset(pInfo, 0, sizeof(CK_INFO));
+
+  pInfo->cryptokiVersion = nssCKFWInstance_GetCryptokiVersion(fwInstance);
+
+  error = nssCKFWInstance_GetManufacturerID(fwInstance, pInfo->manufacturerID);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  pInfo->flags = nssCKFWInstance_GetFlags(fwInstance);
+
+  error = nssCKFWInstance_GetLibraryDescription(fwInstance, pInfo->libraryDescription);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  pInfo->libraryVersion = nssCKFWInstance_GetLibraryVersion(fwInstance);
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+    break;
+  default:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+  
+/*
+ * C_GetFunctionList is implemented entirely in the Module's file which
+ * includes the Framework API insert file.  It requires no "actual"
+ * NSSCKFW routine.
+ */
+
+/*
+ * NSSCKFWC_GetSlotList
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GetSlotList
+(
+  NSSCKFWInstance *fwInstance,
+  CK_BBOOL tokenPresent,
+  CK_SLOT_ID_PTR pSlotList,
+  CK_ULONG_PTR pulCount
+)
+{
+  CK_RV error = CKR_OK;
+  CK_ULONG nSlots;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  switch( tokenPresent ) {
+  case CK_TRUE:
+  case CK_FALSE:
+    break;
+  default:
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  if( (CK_ULONG_PTR)CK_NULL_PTR == pulCount ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
+  if( (CK_ULONG)0 == nSlots ) {
+    goto loser;
+  }
+
+  if( (CK_SLOT_ID_PTR)CK_NULL_PTR == pSlotList ) {
+    *pulCount = nSlots;
+    return CKR_OK;
+  } 
+    
+  /*
+   * A purify error here indicates caller error.
+   */
+  (void)nsslibc_memset(pSlotList, 0, *pulCount * sizeof(CK_SLOT_ID));
+
+  if( *pulCount < nSlots ) {
+    *pulCount = nSlots;
+    error = CKR_BUFFER_TOO_SMALL;
+    goto loser;
+  } else {
+    CK_ULONG i;
+    *pulCount = nSlots;
+    
+    /* 
+     * Our secret "mapping": CK_SLOT_IDs are integers [1,N], and we
+     * just index one when we need it.
+     */
+
+    for( i = 0; i < nSlots; i++ ) {
+      pSlotList[i] = i+1;
+    }
+
+    return CKR_OK;
+  }
+
+ loser:
+  switch( error ) {
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+ 
+/*
+ * NSSCKFWC_GetSlotInfo
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GetSlotInfo
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_SLOT_INFO_PTR pInfo
+)
+{
+  CK_RV error = CKR_OK;
+  CK_ULONG nSlots;
+  NSSCKFWSlot **slots;
+  NSSCKFWSlot *fwSlot;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
+  if( (CK_ULONG)0 == nSlots ) {
+    goto loser;
+  }
+
+  if( (slotID < 1) || (slotID > nSlots) ) {
+    error = CKR_SLOT_ID_INVALID;
+    goto loser;
+  }
+
+  if( (CK_SLOT_INFO_PTR)CK_NULL_PTR == pInfo ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /*
+   * A purify error here indicates caller error.
+   */
+  (void)nsslibc_memset(pInfo, 0, sizeof(CK_SLOT_INFO));
+
+  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
+  if( (NSSCKFWSlot **)NULL == slots ) {
+    goto loser;
+  }
+
+  fwSlot = slots[ slotID-1 ];
+
+  error = nssCKFWSlot_GetSlotDescription(fwSlot, pInfo->slotDescription);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  error = nssCKFWSlot_GetManufacturerID(fwSlot, pInfo->manufacturerID);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  if( nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    pInfo->flags |= CKF_TOKEN_PRESENT;
+  }
+
+  if( nssCKFWSlot_GetRemovableDevice(fwSlot) ) {
+    pInfo->flags |= CKF_REMOVABLE_DEVICE;
+  }
+
+  if( nssCKFWSlot_GetHardwareSlot(fwSlot) ) {
+    pInfo->flags |= CKF_HW_SLOT;
+  }
+
+  pInfo->hardwareVersion = nssCKFWSlot_GetHardwareVersion(fwSlot);
+  pInfo->firmwareVersion = nssCKFWSlot_GetFirmwareVersion(fwSlot);
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_SLOT_ID_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_GetTokenInfo
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GetTokenInfo
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_TOKEN_INFO_PTR pInfo
+)
+{
+  CK_RV error = CKR_OK;
+  CK_ULONG nSlots;
+  NSSCKFWSlot **slots;
+  NSSCKFWSlot *fwSlot;
+  NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
+  if( (CK_ULONG)0 == nSlots ) {
+    goto loser;
+  }
+
+  if( (slotID < 1) || (slotID > nSlots) ) {
+    error = CKR_SLOT_ID_INVALID;
+    goto loser;
+  }
+
+  if( (CK_TOKEN_INFO_PTR)CK_NULL_PTR == pInfo ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /*
+   * A purify error here indicates caller error.
+   */
+  (void)nsslibc_memset(pInfo, 0, sizeof(CK_TOKEN_INFO));
+
+  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
+  if( (NSSCKFWSlot **)NULL == slots ) {
+    goto loser;
+  }
+
+  fwSlot = slots[ slotID-1 ];
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  error = nssCKFWToken_GetLabel(fwToken, pInfo->label);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  error = nssCKFWToken_GetManufacturerID(fwToken, pInfo->manufacturerID);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  error = nssCKFWToken_GetModel(fwToken, pInfo->model);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  error = nssCKFWToken_GetSerialNumber(fwToken, pInfo->serialNumber);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  if( nssCKFWToken_GetHasRNG(fwToken) ) {
+    pInfo->flags |= CKF_RNG;
+  }
+
+  if( nssCKFWToken_GetIsWriteProtected(fwToken) ) {
+    pInfo->flags |= CKF_WRITE_PROTECTED;
+  }
+
+  if( nssCKFWToken_GetLoginRequired(fwToken) ) {
+    pInfo->flags |= CKF_LOGIN_REQUIRED;
+  }
+
+  if( nssCKFWToken_GetUserPinInitialized(fwToken) ) {
+    pInfo->flags |= CKF_USER_PIN_INITIALIZED;
+  }
+
+  if( nssCKFWToken_GetRestoreKeyNotNeeded(fwToken) ) {
+    pInfo->flags |= CKF_RESTORE_KEY_NOT_NEEDED;
+  }
+
+  if( nssCKFWToken_GetHasClockOnToken(fwToken) ) {
+    pInfo->flags |= CKF_CLOCK_ON_TOKEN;
+  }
+
+  if( nssCKFWToken_GetHasProtectedAuthenticationPath(fwToken) ) {
+    pInfo->flags |= CKF_PROTECTED_AUTHENTICATION_PATH;
+  }
+
+  if( nssCKFWToken_GetSupportsDualCryptoOperations(fwToken) ) {
+    pInfo->flags |= CKF_DUAL_CRYPTO_OPERATIONS;
+  }
+
+  pInfo->ulMaxSessionCount = nssCKFWToken_GetMaxSessionCount(fwToken);
+  pInfo->ulSessionCount = nssCKFWToken_GetSessionCount(fwToken);
+  pInfo->ulMaxRwSessionCount = nssCKFWToken_GetMaxRwSessionCount(fwToken);
+  pInfo->ulRwSessionCount= nssCKFWToken_GetRwSessionCount(fwToken);
+  pInfo->ulMaxPinLen = nssCKFWToken_GetMaxPinLen(fwToken);
+  pInfo->ulMinPinLen = nssCKFWToken_GetMinPinLen(fwToken);
+  pInfo->ulTotalPublicMemory = nssCKFWToken_GetTotalPublicMemory(fwToken);
+  pInfo->ulFreePublicMemory = nssCKFWToken_GetFreePublicMemory(fwToken);
+  pInfo->ulTotalPrivateMemory = nssCKFWToken_GetTotalPrivateMemory(fwToken);
+  pInfo->ulFreePrivateMemory = nssCKFWToken_GetFreePrivateMemory(fwToken);
+  pInfo->hardwareVersion = nssCKFWToken_GetHardwareVersion(fwToken);
+  pInfo->firmwareVersion = nssCKFWToken_GetFirmwareVersion(fwToken);
+  
+  error = nssCKFWToken_GetUTCTime(fwToken, pInfo->utcTime);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_DEVICE_REMOVED:
+  case CKR_TOKEN_NOT_PRESENT:
+    (void)nssCKFWToken_Destroy(fwToken);
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_SLOT_ID_INVALID:
+  case CKR_TOKEN_NOT_RECOGNIZED:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_WaitForSlotEvent
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_WaitForSlotEvent
+(
+  NSSCKFWInstance *fwInstance,
+  CK_FLAGS flags,
+  CK_SLOT_ID_PTR pSlot,
+  CK_VOID_PTR pReserved
+)
+{
+  CK_RV error = CKR_OK;
+  CK_ULONG nSlots;
+  CK_BBOOL block;
+  NSSCKFWSlot **slots;
+  NSSCKFWSlot *fwSlot;
+  CK_ULONG i;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  if( flags & ~CKF_DONT_BLOCK ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  block = (flags & CKF_DONT_BLOCK) ? CK_TRUE : CK_FALSE;
+
+  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
+  if( (CK_ULONG)0 == nSlots ) {
+    goto loser;
+  }
+
+  if( (CK_SLOT_ID_PTR)CK_NULL_PTR == pSlot ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  if( (CK_VOID_PTR)CK_NULL_PTR != pReserved ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
+  if( (NSSCKFWSlot **)NULL == slots ) {
+    goto loser;
+  }
+
+  fwSlot = nssCKFWInstance_WaitForSlotEvent(fwInstance, block, &error);
+  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+    goto loser;
+  }
+
+  for( i = 0; i < nSlots; i++ ) {
+    if( fwSlot == slots[i] ) {
+      *pSlot = (CK_SLOT_ID)(CK_ULONG)(i+1);
+      return CKR_OK;
+    }
+  }
+
+  error = CKR_GENERAL_ERROR; /* returned something not in the slot list */
+
+ loser:
+  switch( error ) {
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_NO_EVENT:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_GetMechanismList
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GetMechanismList
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_MECHANISM_TYPE_PTR pMechanismList,
+  CK_ULONG_PTR pulCount
+)
+{
+  CK_RV error = CKR_OK;
+  CK_ULONG nSlots;
+  NSSCKFWSlot **slots;
+  NSSCKFWSlot *fwSlot;
+  NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
+  CK_ULONG count;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
+  if( (CK_ULONG)0 == nSlots ) {
+    goto loser;
+  }
+
+  if( (slotID < 1) || (slotID > nSlots) ) {
+    error = CKR_SLOT_ID_INVALID;
+    goto loser;
+  }
+
+  if( (CK_ULONG_PTR)CK_NULL_PTR == pulCount ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
+  if( (NSSCKFWSlot **)NULL == slots ) {
+    goto loser;
+  }
+
+  fwSlot = slots[ slotID-1 ];
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  count = nssCKFWToken_GetMechanismCount(fwToken);
+
+  if( (CK_MECHANISM_TYPE_PTR)CK_NULL_PTR == pMechanismList ) {
+    *pulCount = count;
+    return CKR_OK;
+  }
+
+  if( *pulCount < count ) {
+    *pulCount = count;
+    error = CKR_BUFFER_TOO_SMALL;
+    goto loser;
+  }
+
+  /*
+   * A purify error here indicates caller error.
+   */
+  (void)nsslibc_memset(pMechanismList, 0, *pulCount * sizeof(CK_MECHANISM_TYPE));
+
+  *pulCount = count;
+
+  if( 0 != count ) {
+    error = nssCKFWToken_GetMechanismTypes(fwToken, pMechanismList);
+  } else {
+    error = CKR_OK;
+  }
+
+  if( CKR_OK == error ) {
+    return CKR_OK;
+  }
+
+ loser:
+  switch( error ) {
+  case CKR_DEVICE_REMOVED:
+  case CKR_TOKEN_NOT_PRESENT:
+    (void)nssCKFWToken_Destroy(fwToken);
+    break;
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_SLOT_ID_INVALID:
+  case CKR_TOKEN_NOT_RECOGNIZED:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_GetMechanismInfo
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GetMechanismInfo
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_MECHANISM_TYPE type,
+  CK_MECHANISM_INFO_PTR pInfo
+)
+{
+  CK_RV error = CKR_OK;
+  CK_ULONG nSlots;
+  NSSCKFWSlot **slots;
+  NSSCKFWSlot *fwSlot;
+  NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
+  NSSCKFWMechanism *fwMechanism;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
+  if( (CK_ULONG)0 == nSlots ) {
+    goto loser;
+  }
+
+  if( (slotID < 1) || (slotID > nSlots) ) {
+    error = CKR_SLOT_ID_INVALID;
+    goto loser;
+  }
+
+  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
+  if( (NSSCKFWSlot **)NULL == slots ) {
+    goto loser;
+  }
+
+  fwSlot = slots[ slotID-1 ];
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  if( (CK_MECHANISM_INFO_PTR)CK_NULL_PTR == pInfo ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /*
+   * A purify error here indicates caller error.
+   */
+  (void)nsslibc_memset(pInfo, 0, sizeof(CK_MECHANISM_INFO));
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  fwMechanism = nssCKFWToken_GetMechanism(fwToken, type, &error);
+  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+    goto loser;
+  }
+
+  pInfo->ulMinKeySize = nssCKFWMechanism_GetMinKeySize(fwMechanism);
+  pInfo->ulMaxKeySize = nssCKFWMechanism_GetMaxKeySize(fwMechanism);
+
+  if( nssCKFWMechanism_GetInHardware(fwMechanism) ) {
+    pInfo->flags |= CKF_HW;
+  }
+
+  /* More here... */
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_DEVICE_REMOVED:
+  case CKR_TOKEN_NOT_PRESENT:
+    (void)nssCKFWToken_Destroy(fwToken);
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_MECHANISM_INVALID:
+  case CKR_SLOT_ID_INVALID:
+  case CKR_TOKEN_NOT_RECOGNIZED:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_InitToken
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_InitToken
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen,
+  CK_CHAR_PTR pLabel
+)
+{
+  CK_RV error = CKR_OK;
+  CK_ULONG nSlots;
+  NSSCKFWSlot **slots;
+  NSSCKFWSlot *fwSlot;
+  NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
+  NSSItem pin;
+  NSSUTF8 *label;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
+  if( (CK_ULONG)0 == nSlots ) {
+    goto loser;
+  }
+
+  if( (slotID < 1) || (slotID > nSlots) ) {
+    error = CKR_SLOT_ID_INVALID;
+    goto loser;
+  }
+
+  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
+  if( (NSSCKFWSlot **)NULL == slots ) {
+    goto loser;
+  }
+
+  fwSlot = slots[ slotID-1 ];
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  pin.size = (PRUint32)ulPinLen;
+  pin.data = (void *)pPin;
+  label = (NSSUTF8 *)pLabel; /* identity conversion */
+
+  error = nssCKFWToken_InitToken(fwToken, &pin, label);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_DEVICE_REMOVED:
+  case CKR_TOKEN_NOT_PRESENT:
+    (void)nssCKFWToken_Destroy(fwToken);
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_PIN_INCORRECT:
+  case CKR_PIN_LOCKED:
+  case CKR_SESSION_EXISTS:
+  case CKR_SLOT_ID_INVALID:
+  case CKR_TOKEN_NOT_RECOGNIZED:
+  case CKR_TOKEN_WRITE_PROTECTED:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_InitPIN
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_InitPIN
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSItem pin, *arg;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_CHAR_PTR)CK_NULL_PTR == pPin ) {
+    arg = (NSSItem *)NULL;
+  } else {
+    arg = &pin;
+    pin.size = (PRUint32)ulPinLen;
+    pin.data = (void *)pPin;
+  }
+
+  error = nssCKFWSession_InitPIN(fwSession, arg);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_PIN_INVALID:
+  case CKR_PIN_LEN_RANGE:
+  case CKR_SESSION_READ_ONLY:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_TOKEN_WRITE_PROTECTED:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_SetPIN
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_SetPIN
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_CHAR_PTR pOldPin,
+  CK_ULONG ulOldLen,
+  CK_CHAR_PTR pNewPin,
+  CK_ULONG ulNewLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSItem oldPin, newPin, *oldArg, *newArg;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_CHAR_PTR)CK_NULL_PTR == pOldPin ) {
+    oldArg = (NSSItem *)NULL;
+  } else {
+    oldArg = &oldPin;
+    oldPin.size = (PRUint32)ulOldLen;
+    oldPin.data = (void *)pOldPin;
+  }
+
+  if( (CK_CHAR_PTR)CK_NULL_PTR == pNewPin ) {
+    newArg = (NSSItem *)NULL;
+  } else {
+    newArg = &newPin;
+    newPin.size = (PRUint32)ulNewLen;
+    newPin.data = (void *)pNewPin;
+  }
+
+  error = nssCKFWSession_SetPIN(fwSession, oldArg, newArg);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_PIN_INCORRECT:
+  case CKR_PIN_INVALID:
+  case CKR_PIN_LEN_RANGE:
+  case CKR_PIN_LOCKED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_SESSION_READ_ONLY:
+  case CKR_TOKEN_WRITE_PROTECTED:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_OpenSession
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_OpenSession
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID,
+  CK_FLAGS flags,
+  CK_VOID_PTR pApplication,
+  CK_NOTIFY Notify,
+  CK_SESSION_HANDLE_PTR phSession
+)
+{
+  CK_RV error = CKR_OK;
+  CK_ULONG nSlots;
+  NSSCKFWSlot **slots;
+  NSSCKFWSlot *fwSlot;
+  NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
+  NSSCKFWSession *fwSession;
+  CK_BBOOL rw;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
+  if( (CK_ULONG)0 == nSlots ) {
+    goto loser;
+  }
+
+  if( (slotID < 1) || (slotID > nSlots) ) {
+    error = CKR_SLOT_ID_INVALID;
+    goto loser;
+  }
+
+  if( flags & CKF_RW_SESSION ) {
+    rw = CK_TRUE;
+  } else {
+    rw = CK_FALSE;
+  }
+
+  if( flags & CKF_SERIAL_SESSION ) {
+    ;
+  } else {
+    error = CKR_SESSION_PARALLEL_NOT_SUPPORTED;
+    goto loser;
+  }
+
+  if( flags & ~(CKF_RW_SESSION|CKF_SERIAL_SESSION) ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  if( (CK_SESSION_HANDLE_PTR)CK_NULL_PTR == phSession ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /*
+   * A purify error here indicates caller error.
+   */
+  *phSession = (CK_SESSION_HANDLE)0;
+
+  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
+  if( (NSSCKFWSlot **)NULL == slots ) {
+    goto loser;
+  }
+
+  fwSlot = slots[ slotID-1 ];
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  fwSession = nssCKFWToken_OpenSession(fwToken, rw, pApplication,
+               Notify, &error);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    goto loser;
+  }
+
+  *phSession = nssCKFWInstance_CreateSessionHandle(fwInstance,
+                 fwSession, &error);
+  if( (CK_SESSION_HANDLE)0 == *phSession ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_SESSION_COUNT:
+  case CKR_SESSION_EXISTS:
+  case CKR_SESSION_PARALLEL_NOT_SUPPORTED:
+  case CKR_SESSION_READ_WRITE_SO_EXISTS:
+  case CKR_SLOT_ID_INVALID:
+  case CKR_TOKEN_NOT_PRESENT:
+  case CKR_TOKEN_NOT_RECOGNIZED:
+  case CKR_TOKEN_WRITE_PROTECTED:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_CloseSession
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_CloseSession
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  nssCKFWInstance_DestroySessionHandle(fwInstance, hSession);
+  error = nssCKFWSession_Destroy(fwSession, CK_TRUE);
+
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_CloseAllSessions
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_CloseAllSessions
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SLOT_ID slotID
+)
+{
+  CK_RV error = CKR_OK;
+  CK_ULONG nSlots;
+  NSSCKFWSlot **slots;
+  NSSCKFWSlot *fwSlot;
+  NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
+  if( (CK_ULONG)0 == nSlots ) {
+    goto loser;
+  }
+
+  if( (slotID < 1) || (slotID > nSlots) ) {
+    error = CKR_SLOT_ID_INVALID;
+    goto loser;
+  }
+
+  slots = nssCKFWInstance_GetSlots(fwInstance, &error);
+  if( (NSSCKFWSlot **)NULL == slots ) {
+    goto loser;
+  }
+
+  fwSlot = slots[ slotID-1 ];
+
+  if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
+    error = CKR_TOKEN_NOT_PRESENT;
+    goto loser;
+  }
+
+  fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
+  if( (NSSCKFWToken *)NULL == fwToken ) {
+    goto loser;
+  }
+
+  error = nssCKFWToken_CloseAllSessions(fwToken);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_SLOT_ID_INVALID:
+  case CKR_TOKEN_NOT_PRESENT:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_GetSessionInfo
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GetSessionInfo
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_SESSION_INFO_PTR pInfo
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWSlot *fwSlot;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_SESSION_INFO_PTR)CK_NULL_PTR == pInfo ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /*
+   * A purify error here indicates caller error.
+   */
+  (void)nsslibc_memset(pInfo, 0, sizeof(CK_SESSION_INFO));
+
+  fwSlot = nssCKFWSession_GetFWSlot(fwSession);
+  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+    error = CKR_GENERAL_ERROR;
+    goto loser;
+  }
+
+  pInfo->slotID = nssCKFWSlot_GetSlotID(fwSlot);
+  pInfo->state = nssCKFWSession_GetSessionState(fwSession);
+
+  if( CK_TRUE == nssCKFWSession_IsRWSession(fwSession) ) {
+    pInfo->flags |= CKF_RW_SESSION;
+  }
+
+  pInfo->flags |= CKF_SERIAL_SESSION; /* Always true */
+
+  pInfo->ulDeviceError = nssCKFWSession_GetDeviceError(fwSession);
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_GetOperationState
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GetOperationState
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pOperationState,
+  CK_ULONG_PTR pulOperationStateLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  CK_ULONG len;
+  NSSItem buf;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_ULONG_PTR)CK_NULL_PTR == pulOperationStateLen ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  len = nssCKFWSession_GetOperationStateLen(fwSession, &error);
+  if( ((CK_ULONG)0 == len) && (CKR_OK != error) ) {
+    goto loser;
+  }
+
+  if( (CK_BYTE_PTR)CK_NULL_PTR == pOperationState ) {
+    *pulOperationStateLen = len;
+    return CKR_OK;
+  }
+
+  if( *pulOperationStateLen < len ) {
+    *pulOperationStateLen = len;
+    error = CKR_BUFFER_TOO_SMALL;
+    goto loser;
+  }
+
+  buf.size = (PRUint32)*pulOperationStateLen;
+  buf.data = (void *)pOperationState;
+  *pulOperationStateLen = len;
+  error = nssCKFWSession_GetOperationState(fwSession, &buf);
+
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_STATE_UNSAVEABLE:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_SetOperationState
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_SetOperationState
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pOperationState,
+  CK_ULONG ulOperationStateLen,
+  CK_OBJECT_HANDLE hEncryptionKey,
+  CK_OBJECT_HANDLE hAuthenticationKey
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *eKey;
+  NSSCKFWObject *aKey;
+  NSSItem state;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  if( (CK_BYTE_PTR)CK_NULL_PTR == pOperationState ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /* 
+   * We could loop through the buffer, to catch any purify errors
+   * in a place with a "user error" note.
+   */
+
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_OBJECT_HANDLE)0 == hEncryptionKey ) {
+    eKey = (NSSCKFWObject *)NULL;
+  } else {
+    eKey = nssCKFWInstance_ResolveObjectHandle(fwInstance, hEncryptionKey);
+    if( (NSSCKFWObject *)NULL == eKey ) {
+      error = CKR_KEY_HANDLE_INVALID;
+      goto loser;
+    }
+  }
+
+  if( (CK_OBJECT_HANDLE)0 == hAuthenticationKey ) {
+    aKey = (NSSCKFWObject *)NULL;
+  } else {
+    aKey = nssCKFWInstance_ResolveObjectHandle(fwInstance, hAuthenticationKey);
+    if( (NSSCKFWObject *)NULL == aKey ) {
+      error = CKR_KEY_HANDLE_INVALID;
+      goto loser;
+    }
+  }
+
+  error = nssCKFWSession_SetOperationState(fwSession, &state, eKey, aKey);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_KEY_CHANGED:
+  case CKR_KEY_NEEDED:
+  case CKR_KEY_NOT_NEEDED:
+  case CKR_SAVED_STATE_INVALID:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_Login
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_Login
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_USER_TYPE userType,
+  CK_CHAR_PTR pPin,
+  CK_ULONG ulPinLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSItem pin, *arg;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_CHAR_PTR)CK_NULL_PTR == pPin ) {
+    arg = (NSSItem *)NULL;
+  } else {
+    arg = &pin;
+    pin.size = (PRUint32)ulPinLen;
+    pin.data = (void *)pPin;
+  }
+
+  error = nssCKFWSession_Login(fwSession, userType, arg);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_PIN_EXPIRED:
+  case CKR_PIN_INCORRECT:
+  case CKR_PIN_LOCKED:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_SESSION_READ_ONLY_EXISTS:
+  case CKR_USER_ALREADY_LOGGED_IN:
+  case CKR_USER_ANOTHER_ALREADY_LOGGED_IN:
+  case CKR_USER_PIN_NOT_INITIALIZED:
+  case CKR_USER_TOO_MANY_TYPES:
+  case CKR_USER_TYPE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_Logout
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_Logout
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  error = nssCKFWSession_Logout(fwSession);
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_CreateObject
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_CreateObject
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phObject
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwObject;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_OBJECT_HANDLE_PTR)CK_NULL_PTR == phObject ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /*
+   * A purify error here indicates caller error.
+   */
+  *phObject = (CK_OBJECT_HANDLE)0;
+
+  fwObject = nssCKFWSession_CreateObject(fwSession, pTemplate,
+               ulCount, &error);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    goto loser;
+  }
+
+  *phObject = nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error);
+  if( (CK_OBJECT_HANDLE)0 == *phObject ) {
+    nssCKFWObject_Destroy(fwObject);
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_ATTRIBUTE_READ_ONLY:
+  case CKR_ATTRIBUTE_TYPE_INVALID:
+  case CKR_ATTRIBUTE_VALUE_INVALID:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_SESSION_READ_ONLY:
+  case CKR_TEMPLATE_INCOMPLETE:
+  case CKR_TEMPLATE_INCONSISTENT:
+  case CKR_TOKEN_WRITE_PROTECTED:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_CopyObject
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_CopyObject
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phNewObject
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwObject;
+  NSSCKFWObject *fwNewObject;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_OBJECT_HANDLE_PTR)CK_NULL_PTR == phNewObject ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /*
+   * A purify error here indicates caller error.
+   */
+  *phNewObject = (CK_OBJECT_HANDLE)0;
+
+  fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    error = CKR_OBJECT_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwNewObject = nssCKFWSession_CopyObject(fwSession, fwObject,
+                  pTemplate, ulCount, &error);
+  if( (NSSCKFWObject *)NULL == fwNewObject ) {
+    goto loser;
+  }
+
+  *phNewObject = nssCKFWInstance_CreateObjectHandle(fwInstance, 
+                   fwNewObject, &error);
+  if( (CK_OBJECT_HANDLE)0 == *phNewObject ) {
+    nssCKFWObject_Destroy(fwNewObject);
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_ATTRIBUTE_READ_ONLY:
+  case CKR_ATTRIBUTE_TYPE_INVALID:
+  case CKR_ATTRIBUTE_VALUE_INVALID:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OBJECT_HANDLE_INVALID:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_SESSION_READ_ONLY:
+  case CKR_TEMPLATE_INCONSISTENT:
+  case CKR_TOKEN_WRITE_PROTECTED:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_DestroyObject
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DestroyObject
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwObject;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    error = CKR_OBJECT_HANDLE_INVALID;
+    goto loser;
+  }
+
+  nssCKFWObject_Destroy(fwObject);
+  nssCKFWInstance_DestroyObjectHandle(fwInstance, hObject);
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OBJECT_HANDLE_INVALID:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_SESSION_READ_ONLY:
+  case CKR_TOKEN_WRITE_PROTECTED:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_GetObjectSize
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GetObjectSize
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ULONG_PTR pulSize
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwObject;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    error = CKR_OBJECT_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_ULONG_PTR)CK_NULL_PTR == pulSize ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /*
+   * A purify error here indicates caller error.
+   */
+  *pulSize = (CK_ULONG)0;
+
+  *pulSize = nssCKFWObject_GetObjectSize(fwObject, &error);
+  if( ((CK_ULONG)0 == *pulSize) && (CKR_OK != error) ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_INFORMATION_SENSITIVE:
+  case CKR_OBJECT_HANDLE_INVALID:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_GetAttributeValue
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GetAttributeValue
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwObject;
+  CK_BBOOL sensitive = CK_FALSE;
+  CK_BBOOL invalid = CK_FALSE;
+  CK_BBOOL tooSmall = CK_FALSE;
+  CK_ULONG i;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    error = CKR_OBJECT_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_ATTRIBUTE_PTR)CK_NULL_PTR == pTemplate ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  for( i = 0; i < ulCount; i++ ) {
+    CK_ULONG size = nssCKFWObject_GetAttributeSize(fwObject, 
+                      pTemplate[i].type, &error);
+    if( (CK_ULONG)0 == size ) {
+      switch( error ) {
+      case CKR_ATTRIBUTE_SENSITIVE:
+      case CKR_INFORMATION_SENSITIVE:
+        sensitive = CK_TRUE;
+        pTemplate[i].ulValueLen = (CK_ULONG)(-1);
+        continue;
+      case CKR_ATTRIBUTE_TYPE_INVALID:
+        invalid = CK_TRUE;
+        pTemplate[i].ulValueLen = (CK_ULONG)(-1);
+        continue;
+      case CKR_OK:
+        break;
+      default:
+        goto loser;
+      }
+    }
+
+    if( (CK_VOID_PTR)CK_NULL_PTR == pTemplate[i].pValue ) {
+      pTemplate[i].ulValueLen = size;
+    } else {
+      NSSItem it, *p;
+
+      if( pTemplate[i].ulValueLen < size ) {
+        tooSmall = CK_TRUE;
+        continue;
+      }
+
+      it.size = (PRUint32)pTemplate[i].ulValueLen;
+      it.data = (void *)pTemplate[i].pValue;
+      p = nssCKFWObject_GetAttribute(fwObject, pTemplate[i].type, &it, 
+            (NSSArena *)NULL, &error);
+      if( (NSSItem *)NULL == p ) {
+        switch( error ) {
+        case CKR_ATTRIBUTE_SENSITIVE:
+        case CKR_INFORMATION_SENSITIVE:
+          sensitive = CK_TRUE;
+          pTemplate[i].ulValueLen = (CK_ULONG)(-1);
+          continue;
+        case CKR_ATTRIBUTE_TYPE_INVALID:
+          invalid = CK_TRUE;
+          pTemplate[i].ulValueLen = (CK_ULONG)(-1);
+          continue;
+        default:
+          goto loser;
+        }
+      }
+
+      pTemplate[i].ulValueLen = size;
+    }
+  }
+
+  if( sensitive ) {
+    error = CKR_ATTRIBUTE_SENSITIVE;
+    goto loser;
+  } else if( invalid ) {
+    error = CKR_ATTRIBUTE_TYPE_INVALID;
+    goto loser;
+  } else if( tooSmall ) {
+    error = CKR_BUFFER_TOO_SMALL;
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_ATTRIBUTE_SENSITIVE:
+  case CKR_ATTRIBUTE_TYPE_INVALID:
+  case CKR_BUFFER_TOO_SMALL:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OBJECT_HANDLE_INVALID:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+  
+/*
+ * NSSCKFWC_SetAttributeValue
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_SetAttributeValue
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hObject,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWObject *fwObject;
+  NSSCKFWObject *newFwObject;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
+  if( (NSSCKFWObject *)NULL == fwObject ) {
+    error = CKR_OBJECT_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_ATTRIBUTE_PTR)CK_NULL_PTR == pTemplate ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  newFwObject = nssCKFWSession_CopyObject(fwSession, fwObject, pTemplate, 
+                  ulCount, &error);
+  if( (NSSCKFWObject *)NULL == newFwObject ) {
+    goto loser;
+  }
+
+  error = nssCKFWInstance_ReassignObjectHandle(fwInstance, hObject, newFwObject);
+  nssCKFWObject_Destroy(fwObject);
+
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_ATTRIBUTE_READ_ONLY:
+  case CKR_ATTRIBUTE_TYPE_INVALID:
+  case CKR_ATTRIBUTE_VALUE_INVALID:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OBJECT_HANDLE_INVALID:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_SESSION_READ_ONLY:
+  case CKR_TEMPLATE_INCONSISTENT:
+  case CKR_TOKEN_WRITE_PROTECTED:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_FindObjectsInit
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_FindObjectsInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWFindObjects *fwFindObjects;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( ((CK_ATTRIBUTE_PTR)CK_NULL_PTR == pTemplate) && (ulCount != 0) ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  fwFindObjects = nssCKFWSession_GetFWFindObjects(fwSession, &error);
+  if( (NSSCKFWFindObjects *)NULL != fwFindObjects ) {
+    error = CKR_OPERATION_ACTIVE;
+    goto loser;
+  }
+
+  if( CKR_OPERATION_NOT_INITIALIZED != error ) {
+    goto loser;
+  }
+
+  fwFindObjects = nssCKFWSession_FindObjectsInit(fwSession,
+                    pTemplate, ulCount, &error);
+  if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) {
+    goto loser;
+  }
+
+  error = nssCKFWSession_SetFWFindObjects(fwSession, fwFindObjects);
+
+  if( CKR_OK != error ) {
+    nssCKFWFindObjects_Destroy(fwFindObjects);
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_ATTRIBUTE_TYPE_INVALID:
+  case CKR_ATTRIBUTE_VALUE_INVALID:
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_ACTIVE:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_FindObjects
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_FindObjects
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE_PTR phObject,
+  CK_ULONG ulMaxObjectCount,
+  CK_ULONG_PTR pulObjectCount
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWFindObjects *fwFindObjects;
+  CK_ULONG i;
+  NSSArena *arena;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+#ifdef notdef
+  arena = nssCKFWSession_GetArena(fwSession, &error);
+  if( (NSSArena *)NULL == arena ) {
+    goto loser;
+  }
+#endif
+
+  if( (CK_OBJECT_HANDLE_PTR)CK_NULL_PTR == phObject ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /*
+   * A purify error here indicates caller error.
+   */
+  (void)nsslibc_memset(phObject, 0, sizeof(CK_OBJECT_HANDLE) * ulMaxObjectCount);
+  *pulObjectCount = (CK_ULONG)0;
+
+  fwFindObjects = nssCKFWSession_GetFWFindObjects(fwSession, &error);
+  if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) {
+    goto loser;
+  }
+
+  for( i = 0; i < ulMaxObjectCount; i++ ) {
+    NSSCKFWObject *fwObject = nssCKFWFindObjects_Next(fwFindObjects,
+                                NULL, &error);
+    if( (NSSCKFWObject *)NULL == fwObject ) {
+      break;
+    }
+
+    phObject[i] = nssCKFWInstance_FindObjectHandle(fwInstance, fwObject);
+    if( (CK_OBJECT_HANDLE)0 == phObject[i] ) {
+      phObject[i] = nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error);
+    }
+    if( (CK_OBJECT_HANDLE)0 == phObject[i] ) {
+      /* This isn't right either, is it? */
+      nssCKFWObject_Destroy(fwObject);
+      goto loser;
+    }
+  }
+
+  *pulObjectCount = i;
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_FindObjectsFinal
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_FindObjectsFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSCKFWFindObjects *fwFindObjects;
+  
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+  
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  fwFindObjects = nssCKFWSession_GetFWFindObjects(fwSession, &error);
+  if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) {
+    error = CKR_OPERATION_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  nssCKFWFindObjects_Destroy(fwFindObjects);
+  error = nssCKFWSession_SetFWFindObjects(fwSession, (NSSCKFWFindObjects *)NULL);
+
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_NOT_INITIALIZED:
+  case CKR_SESSION_HANDLE_INVALID:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_EncryptInit
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_EncryptInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_Encrypt
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_Encrypt
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pEncryptedData,
+  CK_ULONG_PTR pulEncryptedDataLen
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_EncryptUpdate
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_EncryptUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_EncryptFinal
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_EncryptFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pLastEncryptedPart,
+  CK_ULONG_PTR pulLastEncryptedPartLen
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_DecryptInit
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DecryptInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_Decrypt
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_Decrypt
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedData,
+  CK_ULONG ulEncryptedDataLen,
+  CK_BYTE_PTR pData,
+  CK_ULONG_PTR pulDataLen
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_DecryptUpdate
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DecryptUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_DecryptFinal
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DecryptFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pLastPart,
+  CK_ULONG_PTR pulLastPartLen
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_DigestInit
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DigestInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_Digest
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_Digest
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pDigest,
+  CK_ULONG_PTR pulDigestLen
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_DigestUpdate
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DigestUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_DigestKey
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DigestKey
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_DigestFinal
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DigestFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pDigest,
+  CK_ULONG_PTR pulDigestLen
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_SignInit
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_SignInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_Sign
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_Sign
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_SignUpdate
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_SignUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_SignFinal
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_SignFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_SignRecoverInit
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_SignRecoverInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_SignRecover
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_SignRecover
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG_PTR pulSignatureLen
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_VerifyInit
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_VerifyInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_Verify
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_Verify
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_VerifyUpdate
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_VerifyUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_VerifyFinal
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_VerifyFinal
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_VerifyRecoverInit
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_VerifyRecoverInit
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hKey
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_VerifyRecover
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_VerifyRecover
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSignature,
+  CK_ULONG ulSignatureLen,
+  CK_BYTE_PTR pData,
+  CK_ULONG_PTR pulDataLen
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_DigestEncryptUpdate
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DigestEncryptUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_DecryptDigestUpdate
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DecryptDigestUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_SignEncryptUpdate
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_SignEncryptUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pPart,
+  CK_ULONG ulPartLen,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG_PTR pulEncryptedPartLen
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_DecryptVerifyUpdate
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DecryptVerifyUpdate
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pEncryptedPart,
+  CK_ULONG ulEncryptedPartLen,
+  CK_BYTE_PTR pPart,
+  CK_ULONG_PTR pulPartLen
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_GenerateKey
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GenerateKey
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulCount,
+  CK_OBJECT_HANDLE_PTR phKey
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_GenerateKeyPair
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GenerateKeyPair
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+  CK_ULONG ulPublicKeyAttributeCount,
+  CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+  CK_ULONG ulPrivateKeyAttributeCount,
+  CK_OBJECT_HANDLE_PTR phPublicKey,
+  CK_OBJECT_HANDLE_PTR phPrivateKey
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_WrapKey
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_WrapKey
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hWrappingKey,
+  CK_OBJECT_HANDLE hKey,
+  CK_BYTE_PTR pWrappedKey,
+  CK_ULONG_PTR pulWrappedKeyLen
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_UnwrapKey
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_UnwrapKey
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hUnwrappingKey,
+  CK_BYTE_PTR pWrappedKey,
+  CK_ULONG ulWrappedKeyLen,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_OBJECT_HANDLE_PTR phKey
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_DeriveKey
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_DeriveKey
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_MECHANISM_PTR pMechanism,
+  CK_OBJECT_HANDLE hBaseKey,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_OBJECT_HANDLE_PTR phKey
+)
+{
+  return CKR_FUNCTION_FAILED;
+}
+
+/*
+ * NSSCKFWC_SeedRandom
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_SeedRandom
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pSeed,
+  CK_ULONG ulSeedLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSItem seed;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_BYTE_PTR)CK_NULL_PTR == pSeed ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /* We could read through the buffer in a Purify trap */
+
+  seed.size = (PRUint32)ulSeedLen;
+  seed.data = (void *)pSeed;
+
+  error = nssCKFWSession_SeedRandom(fwSession, &seed);
+
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_ACTIVE:
+  case CKR_RANDOM_SEED_NOT_SUPPORTED:
+  case CKR_RANDOM_NO_RNG:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_GenerateRandom
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GenerateRandom
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession,
+  CK_BYTE_PTR pRandomData,
+  CK_ULONG ulRandomLen
+)
+{
+  CK_RV error = CKR_OK;
+  NSSCKFWSession *fwSession;
+  NSSItem buffer;
+
+  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+    error = CKR_CRYPTOKI_NOT_INITIALIZED;
+    goto loser;
+  }
+
+  fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
+  if( (NSSCKFWSession *)NULL == fwSession ) {
+    error = CKR_SESSION_HANDLE_INVALID;
+    goto loser;
+  }
+
+  if( (CK_BYTE_PTR)CK_NULL_PTR == pRandomData ) {
+    error = CKR_ARGUMENTS_BAD;
+    goto loser;
+  }
+
+  /*
+   * A purify error here indicates caller error.
+   */
+  (void)nsslibc_memset(pRandomData, 0, ulRandomLen);
+
+  buffer.size = (PRUint32)ulRandomLen;
+  buffer.data = (void *)pRandomData;
+
+  error = nssCKFWSession_GetRandom(fwSession, &buffer);
+
+  if( CKR_OK != error ) {
+    goto loser;
+  }
+
+  return CKR_OK;
+
+ loser:
+  switch( error ) {
+  case CKR_SESSION_CLOSED:
+    /* destroy session? */
+    break;
+  case CKR_DEVICE_REMOVED:
+    /* (void)nssCKFWToken_Destroy(fwToken); */
+    break;
+  case CKR_CRYPTOKI_NOT_INITIALIZED:
+  case CKR_DEVICE_ERROR:
+  case CKR_DEVICE_MEMORY:
+  case CKR_FUNCTION_CANCELED:
+  case CKR_FUNCTION_FAILED:
+  case CKR_GENERAL_ERROR:
+  case CKR_HOST_MEMORY:
+  case CKR_OPERATION_ACTIVE:
+  case CKR_RANDOM_NO_RNG:
+  case CKR_SESSION_HANDLE_INVALID:
+  case CKR_USER_NOT_LOGGED_IN:
+    break;
+  default:
+  case CKR_OK:
+    error = CKR_GENERAL_ERROR;
+    break;
+  }
+
+  return error;
+}
+
+/*
+ * NSSCKFWC_GetFunctionStatus
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_GetFunctionStatus
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+)
+{
+  return CKR_FUNCTION_NOT_PARALLEL;
+}
+
+/*
+ * NSSCKFWC_CancelFunction
+ *
+ */
+NSS_IMPLEMENT CK_RV
+NSSCKFWC_CancelFunction
+(
+  NSSCKFWInstance *fwInstance,
+  CK_SESSION_HANDLE hSession
+)
+{
+  return CKR_FUNCTION_NOT_PARALLEL;
+}
diff --git a/security/nss/lib/crmf/Makefile b/security/nss/lib/crmf/Makefile
new file mode 100644
index 000000000..a376529c7
--- /dev/null
+++ b/security/nss/lib/crmf/Makefile
@@ -0,0 +1,77 @@
+#! gmake
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+# 
+
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+export:: private_export
diff --git a/security/nss/lib/crmf/asn1cmn.c b/security/nss/lib/crmf/asn1cmn.c
new file mode 100644
index 000000000..59ce5b4a8
--- /dev/null
+++ b/security/nss/lib/crmf/asn1cmn.c
@@ -0,0 +1,247 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "nssrenam.h"
+#include "cmmf.h"
+#include "cmmfi.h"
+
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+SEC_ASN1_MKSUB(SEC_IntegerTemplate)
+SEC_ASN1_MKSUB(SEC_SignedCertificateTemplate)
+
+static const SEC_ASN1Template CMMFCertResponseTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFCertResponse)},
+    { SEC_ASN1_INTEGER, offsetof(CMMFCertResponse, certReqId)},
+    { SEC_ASN1_INLINE, offsetof(CMMFCertResponse, status), 
+      CMMFPKIStatusInfoTemplate},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_POINTER, 
+      offsetof(CMMFCertResponse, certifiedKeyPair),
+      CMMFCertifiedKeyPairTemplate},
+    { 0 }
+};
+
+static const SEC_ASN1Template CMMFCertOrEncCertTemplate[] = {
+    { SEC_ASN1_ANY, offsetof(CMMFCertOrEncCert, derValue), NULL, 
+      sizeof(CMMFCertOrEncCert)},
+    { 0 }
+};
+
+const SEC_ASN1Template CMMFCertifiedKeyPairTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFCertifiedKeyPair)},
+    { SEC_ASN1_INLINE, offsetof(CMMFCertifiedKeyPair, certOrEncCert),
+      CMMFCertOrEncCertTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 0,
+      offsetof(CMMFCertifiedKeyPair, privateKey),
+      CRMFEncryptedValueTemplate},
+    { SEC_ASN1_NO_STREAM | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 
+      SEC_ASN1_XTRN | 1,
+      offsetof (CMMFCertifiedKeyPair, derPublicationInfo),
+      SEC_ASN1_SUB(SEC_AnyTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template CMMFPKIStatusInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFPKIStatusInfo)},
+    { SEC_ASN1_INTEGER, offsetof(CMMFPKIStatusInfo, status)},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_UTF8_STRING, 
+      offsetof(CMMFPKIStatusInfo, statusString)},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_BIT_STRING, 
+      offsetof(CMMFPKIStatusInfo, failInfo)},
+    { 0 }
+};
+
+const SEC_ASN1Template CMMFSequenceOfCertsTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF| SEC_ASN1_XTRN, 0, 
+			SEC_ASN1_SUB(SEC_SignedCertificateTemplate)}
+};
+
+const SEC_ASN1Template CMMFRandTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFRand)},
+    { SEC_ASN1_INTEGER, offsetof(CMMFRand, integer)},
+    { SEC_ASN1_OCTET_STRING, offsetof(CMMFRand, senderHash)},
+    { 0 }
+};
+
+const SEC_ASN1Template CMMFPOPODecKeyRespContentTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, 
+      offsetof(CMMFPOPODecKeyRespContent, responses),
+      SEC_ASN1_SUB(SEC_IntegerTemplate), 
+      sizeof(CMMFPOPODecKeyRespContent)},
+    { 0 }
+};
+
+const SEC_ASN1Template CMMFCertOrEncCertEncryptedCertTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | 1,
+      0,
+      CRMFEncryptedValueTemplate},
+    { 0 }
+};
+
+const SEC_ASN1Template CMMFCertOrEncCertCertificateTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+      0,
+      SEC_ASN1_SUB(SEC_SignedCertificateTemplate)},
+    { 0 }
+};
+
+const SEC_ASN1Template CMMFCertRepContentTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFCertRepContent)},
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL |
+      SEC_ASN1_CONTEXT_SPECIFIC | 1,
+      offsetof(CMMFCertRepContent, caPubs),
+      CMMFSequenceOfCertsTemplate },
+    { SEC_ASN1_SEQUENCE_OF, offsetof(CMMFCertRepContent, response),
+      CMMFCertResponseTemplate},
+    { 0 }
+};
+
+static const SEC_ASN1Template CMMFChallengeTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFChallenge)},
+    { SEC_ASN1_POINTER | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN, 
+      offsetof(CMMFChallenge, owf),
+      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OCTET_STRING, offsetof(CMMFChallenge, witness) },
+    { SEC_ASN1_ANY, offsetof(CMMFChallenge, senderDER) },
+    { SEC_ASN1_OCTET_STRING, offsetof(CMMFChallenge, key) },
+    { SEC_ASN1_OCTET_STRING, offsetof(CMMFChallenge, challenge) },
+    { 0 }
+};
+
+const SEC_ASN1Template CMMFPOPODecKeyChallContentTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF,offsetof(CMMFPOPODecKeyChallContent, challenges),
+      CMMFChallengeTemplate, sizeof(CMMFPOPODecKeyChallContent) },
+    { 0 }
+};
+
+SECStatus
+cmmf_decode_process_cert_response(PRArenaPool      *poolp, 
+				  CERTCertDBHandle *db,
+				  CMMFCertResponse *inCertResp)
+{
+    SECStatus rv = SECSuccess;
+  
+    if (inCertResp->certifiedKeyPair != NULL) {
+        rv = cmmf_decode_process_certified_key_pair(poolp, 
+						    db,
+						inCertResp->certifiedKeyPair);
+    }
+    return rv;
+}
+
+static CERTCertificate*
+cmmf_DecodeDERCertificate(CERTCertDBHandle *db, SECItem *derCert)
+{
+    CERTCertificate *newCert;
+
+    newCert = CERT_DecodeDERCertificate(derCert, PR_TRUE, NULL);
+    if (newCert != NULL && newCert->dbhandle == NULL) {
+        newCert->dbhandle = db;
+    }
+    return newCert;
+}
+
+static CMMFCertOrEncCertChoice
+cmmf_get_certorenccertchoice_from_der(SECItem *der)
+{
+    CMMFCertOrEncCertChoice retChoice; 
+
+    switch(der->data[0] & 0x0f) {
+    case 0:
+        retChoice = cmmfCertificate;
+	break;
+    case 1:
+        retChoice = cmmfEncryptedCert;
+	break;
+    default:
+        retChoice = cmmfNoCertOrEncCert;
+	break;
+    }
+    return retChoice;
+}
+
+static SECStatus
+cmmf_decode_process_certorenccert(PRArenaPool       *poolp,
+				  CERTCertDBHandle  *db,
+				  CMMFCertOrEncCert *inCertOrEncCert)
+{
+    SECStatus rv = SECSuccess;
+
+    inCertOrEncCert->choice = 
+        cmmf_get_certorenccertchoice_from_der(&inCertOrEncCert->derValue);
+
+    switch (inCertOrEncCert->choice) {
+    case cmmfCertificate:
+        {
+	    /* The DER has implicit tagging, so we gotta switch it to 
+	     * un-tagged in order for the ASN1 parser to understand it.
+	     * Saving the bits that were changed.
+	     */ 
+	    inCertOrEncCert->derValue.data[0] = 0x30;
+	    inCertOrEncCert->cert.certificate = 
+	        cmmf_DecodeDERCertificate(db, &inCertOrEncCert->derValue);
+	    if (inCertOrEncCert->cert.certificate == NULL) {
+	        rv = SECFailure;
+	    }
+	
+	}
+	break;
+    case cmmfEncryptedCert:
+        inCertOrEncCert->cert.encryptedCert =
+	    PORT_ArenaZNew(poolp, CRMFEncryptedValue);
+	if (inCertOrEncCert->cert.encryptedCert == NULL) {
+	    rv = SECFailure;
+	    break;
+	}
+	rv = SEC_ASN1Decode(poolp, inCertOrEncCert->cert.encryptedCert, 
+			    CMMFCertOrEncCertEncryptedCertTemplate, 
+			    (const char*)inCertOrEncCert->derValue.data,
+			    inCertOrEncCert->derValue.len);
+	break;
+    default:
+        rv = SECFailure;
+    }
+    return rv;
+}
+
+SECStatus 
+cmmf_decode_process_certified_key_pair(PRArenaPool          *poolp,
+				       CERTCertDBHandle     *db,
+				       CMMFCertifiedKeyPair *inCertKeyPair)
+{
+    return cmmf_decode_process_certorenccert (poolp,
+					      db,
+					      &inCertKeyPair->certOrEncCert);
+}
+
+
diff --git a/security/nss/lib/crmf/challcli.c b/security/nss/lib/crmf/challcli.c
new file mode 100644
index 000000000..bf385609a
--- /dev/null
+++ b/security/nss/lib/crmf/challcli.c
@@ -0,0 +1,285 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "cmmf.h"
+#include "cmmfi.h"
+#include "secitem.h"
+#include "pk11func.h"
+#include "secder.h"
+
+CMMFPOPODecKeyChallContent*
+CMMF_CreatePOPODecKeyChallContentFromDER(const char *buf, long len)
+{
+    PRArenaPool                *poolp;
+    CMMFPOPODecKeyChallContent *challContent;
+    SECStatus                   rv;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        return NULL;
+    }
+    challContent = PORT_ArenaZNew(poolp, CMMFPOPODecKeyChallContent);
+    if (challContent == NULL) {
+        goto loser;
+    }
+    challContent->poolp = poolp;
+    rv = SEC_ASN1Decode(poolp, challContent, 
+			CMMFPOPODecKeyChallContentTemplate, buf, len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    if (challContent->challenges) {
+      while (challContent->challenges[challContent->numChallenges] != NULL) {
+	  challContent->numChallenges++;
+      }
+      challContent->numAllocated = challContent->numChallenges;
+    }
+    return challContent;
+ loser:
+    if (poolp != NULL) {
+        PORT_FreeArena(poolp, PR_FALSE);
+    }
+    return NULL;
+}
+
+int
+CMMF_POPODecKeyChallContentGetNumChallenges 
+                              (CMMFPOPODecKeyChallContent *inKeyChallCont)
+{
+    PORT_Assert(inKeyChallCont != NULL);
+    if (inKeyChallCont == NULL) {
+        return 0;
+    }
+    return inKeyChallCont->numChallenges;
+}
+
+SECItem* 
+CMMF_POPODecKeyChallContentGetPublicValue
+                                   (CMMFPOPODecKeyChallContent *inKeyChallCont,
+				    int                         inIndex)
+{
+    PORT_Assert(inKeyChallCont != NULL);
+    if (inKeyChallCont == NULL || (inIndex > inKeyChallCont->numChallenges-1)||
+	inIndex < 0) {
+        return NULL;
+    }
+    return SECITEM_DupItem(&inKeyChallCont->challenges[inIndex]->key);
+}
+
+static SECAlgorithmID*
+cmmf_get_owf(CMMFPOPODecKeyChallContent *inChalCont, 
+	     int                         inIndex)
+{
+   int i;
+   
+   for (i=inIndex; i >= 0; i--) {
+       if (inChalCont->challenges[i]->owf != NULL) {
+	   return inChalCont->challenges[i]->owf;
+       }
+   }
+   return NULL;
+}
+
+SECStatus 
+CMMF_POPODecKeyChallContDecryptChallenge(CMMFPOPODecKeyChallContent *inChalCont,
+					 int                         inIndex,
+					 SECKEYPrivateKey           *inPrivKey)
+{
+    CMMFChallenge  *challenge;
+    SECItem        *decryptedRand=NULL;
+    SECStatus       rv = SECFailure;
+    PK11SlotInfo   *slot;
+    PK11SymKey     *symKey = NULL;
+    CMMFRand        randStr;
+    SECAlgorithmID *owf;
+    unsigned char   hash[SHA1_LENGTH]; /*SHA1 is the longest, so we'll use
+					*it's length.
+					*/
+    SECItem         hashItem;
+    SECOidTag       tag;
+
+    PORT_Assert(inChalCont != NULL && inPrivKey != NULL);
+    if (inChalCont == NULL || inIndex <0 || inIndex > inChalCont->numChallenges
+	|| inPrivKey == NULL){
+        return SECFailure;
+    }
+    challenge = inChalCont->challenges[inIndex];
+    decryptedRand = PORT_ZNew(SECItem);
+    if (decryptedRand == NULL) {
+        goto loser;
+    }
+    decryptedRand->data = 
+        PORT_NewArray(unsigned char, challenge->challenge.len);
+    if (decryptedRand->data == NULL) {
+        goto loser;
+    }
+    slot = inPrivKey->pkcs11Slot;
+    symKey = PK11_PubUnwrapSymKey(inPrivKey, &challenge->challenge, 
+				  CKM_RSA_PKCS, CKA_VALUE, 0);
+    if (symKey == NULL) {
+      rv = SECFailure;
+      goto loser;
+    }
+    rv = PK11_ExtractKeyValue(symKey);
+    if (rv != SECSuccess) {
+      goto loser;
+    }
+    decryptedRand = PK11_GetKeyData(symKey);
+    rv = SEC_ASN1DecodeItem(NULL, &randStr, CMMFRandTemplate,
+			    decryptedRand); 
+    /* The decryptedRand returned points to a member within the symKey structure,
+     * so we don't want to free it. Let the symKey destruction function deal with
+     * freeing that memory.
+     */
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    rv = SECFailure; /* Just so that when we do go to loser,
+		      * I won't have to set it again.
+		      */
+    owf = cmmf_get_owf(inChalCont, inIndex);
+    if (owf == NULL) {
+        /* No hashing algorithm came with the challenges.  Can't verify */
+        goto loser;
+    }
+    /* Verify the hashes in the challenge */
+    tag = SECOID_FindOIDTag(&owf->algorithm);
+    switch (tag) {
+    case SEC_OID_MD2:
+        hashItem.len = MD2_LENGTH;
+	break;
+    case SEC_OID_MD5:
+        hashItem.len = MD5_LENGTH;
+	break;
+    case SEC_OID_SHA1:
+        hashItem.len = SHA1_LENGTH;
+	break;
+    default:
+        goto loser;
+    }
+    rv = PK11_HashBuf(tag, hash, randStr.integer.data, randStr.integer.len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    hashItem.data = hash;
+    if (SECITEM_CompareItem(&hashItem, &challenge->witness) != SECEqual) {
+        /* The hash for the data we decrypted doesn't match the hash provided
+	 * in the challenge.  Bail out.
+	 */
+        rv = SECFailure;
+	goto loser;
+    }
+    rv = PK11_HashBuf(tag, hash, challenge->senderDER.data, 
+		      challenge->senderDER.len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    if (SECITEM_CompareItem(&hashItem, &randStr.senderHash) != SECEqual) {
+        /* The hash for the data we decrypted doesn't match the hash provided
+	 * in the challenge.  Bail out.
+	 */
+        rv = SECFailure;
+	goto loser;
+    }
+    /* All of the hashes have verified, so we can now store the integer away.*/
+    rv = SECITEM_CopyItem(inChalCont->poolp, &challenge->randomNumber,
+			  &randStr.integer);
+ loser:
+    if (symKey != NULL) {
+        PK11_FreeSymKey(symKey);
+    }
+    return rv;
+}
+
+SECStatus
+CMMF_POPODecKeyChallContentGetRandomNumber
+                                   (CMMFPOPODecKeyChallContent *inKeyChallCont,
+				    int                          inIndex,
+				    long                        *inDest)
+{
+    CMMFChallenge *challenge;
+    
+    PORT_Assert(inKeyChallCont != NULL);
+    if (inKeyChallCont == NULL || inIndex > 0 || inIndex >= 
+	inKeyChallCont->numChallenges) {
+        return SECFailure;
+    }
+    challenge = inKeyChallCont->challenges[inIndex];
+    if (challenge->randomNumber.data == NULL) {
+        /* There is no random number here, nothing to see. */
+        return SECFailure;
+    }
+    *inDest = DER_GetInteger(&challenge->randomNumber);
+    return (*inDest == -1) ? SECFailure : SECSuccess;
+}
+
+SECStatus 
+CMMF_EncodePOPODecKeyRespContent(long                     *inDecodedRand,
+				 int                       inNumRand,
+				 CRMFEncoderOutputCallback inCallback,
+				 void                     *inArg)
+{
+    PRArenaPool *poolp;
+    CMMFPOPODecKeyRespContent *response;
+    SECItem *currItem;
+    SECStatus rv=SECFailure;
+    int i;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        return SECFailure;
+    }
+    response = PORT_ArenaZNew(poolp, CMMFPOPODecKeyRespContent);
+    if (response == NULL) {
+        goto loser;
+    }
+    response->responses = PORT_ArenaZNewArray(poolp, SECItem*, inNumRand+1);
+    if (response->responses == NULL) {
+        goto loser;
+    }
+    for (i=0; i<inNumRand; i++) {
+        currItem = response->responses[i] = PORT_ArenaZNew(poolp,SECItem);
+	if (currItem == NULL) {
+	    goto loser;
+	}
+	SEC_ASN1EncodeInteger(poolp, currItem,inDecodedRand[i]);
+    }
+    rv = cmmf_user_encode(response, inCallback, inArg,
+			  CMMFPOPODecKeyRespContentTemplate);
+ loser:
+    if (poolp != NULL) {
+        PORT_FreeArena(poolp, PR_FALSE);
+    }
+    return rv;
+}
diff --git a/security/nss/lib/crmf/cmmf.h b/security/nss/lib/crmf/cmmf.h
new file mode 100644
index 000000000..a10220429
--- /dev/null
+++ b/security/nss/lib/crmf/cmmf.h
@@ -0,0 +1,1119 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _CMMF_H_
+#define _CMMF_H_
+/*
+ * These are the functions exported by the security library for 
+ * implementing Certificate Management Message Formats (CMMF).
+ *
+ * This API is designed against July 1998 CMMF draft.  Please read this
+ * draft before trying to use this API in an application that use CMMF.
+ */
+#include "seccomon.h"
+#include "cmmft.h"
+#include "crmf.h"
+
+SEC_BEGIN_PROTOS
+
+/******************* Creation Functions *************************/
+
+/*
+ * FUNCTION: CMMF_CreateCertRepContent
+ * INPUTS:
+ *    NONE
+ * NOTES:
+ *    This function will create an empty CMMFCertRepContent Structure.  
+ *    The client of the library must set the CMMFCertResponses.
+ *    Call CMMF_CertRepContentSetCertResponse to accomplish this task.
+ *    If the client of the library also wants to include the chain of 
+ *    CA certs required to make the certificates in CMMFCertResponse valid, 
+ *    then the user must also set the caPubs field of CMMFCertRepContent.
+ *    Call CMMF_CertRepContentSetCAPubs to accomplish this.  After setting
+ *    the desired fields, the user can then call CMMF_EncodeCertRepContent 
+ *    to DER-encode the CertRepContent.
+ * RETURN:
+ *    A pointer to the CMMFCertRepContent.  A NULL return value indicates 
+ *    an error in allocating memory or failure to initialize the structure.
+ */
+extern CMMFCertRepContent* CMMF_CreateCertRepContent(void);
+
+/*
+ * FUNCTION: CMMF_CreateCertRepContentFromDER
+ * INPUTS
+ *    db
+ *        The certificate database where the certificates will be placed.
+ *        The certificates will be placed in the temporary database associated
+ *        with the handle. 
+ *    buf
+ *        A buffer to the DER-encoded CMMFCertRepContent
+ *    len
+ *        The length in bytes of the buffer 'buf'
+ * NOTES:
+ *    This function passes the buffer to the ASN1 decoder and creates a
+ *    CMMFCertRepContent structure.  The user must call 
+ *    CMMF_DestroyCertRepContent after the return value is no longer needed.
+ *
+ * RETURN:
+ *    A pointer to the CMMFCertRepContent structure.  A NULL return
+ *    value indicates the library was unable to parse the DER.
+ */
+extern CMMFCertRepContent* 
+       CMMF_CreateCertRepContentFromDER(CERTCertDBHandle *db, 
+					const char       *buf, 
+					long              len);
+
+/*
+ * FUNCTION: CMMF_CreateCertResponse
+ * INPUTS:
+ *    inCertReqId
+ *        The Certificate Request Id this response is for.
+ * NOTES:
+ *    This creates a CMMFCertResponse.  This response should correspond
+ *    to a request that was received via CRMF.  From the CRMF message you
+ *    can get the Request Id to pass in as inCertReqId, in essence binding 
+ *    a CMRFCertRequest message to the CMMFCertResponse created by this
+ *    function.  If no requuest id is associated with the response to create
+ *    then the user should pass in -1 for 'inCertReqId'.
+ *
+ * RETURN:
+ *    A pointer to the new CMMFCertResponse corresponding to the request id 
+ *    passed in.  A NULL return value indicates an error while trying to 
+ *    create the CMMFCertResponse.
+ */
+extern CMMFCertResponse* CMMF_CreateCertResponse(long inCertReqId);
+
+/*
+ * FUNCTION: CMMF_CreateKeyRecRepContent
+ * INPUTS:
+ *    NONE
+ * NOTES:
+ *    This function creates a new empty CMMFKeyRecRepContent structure.
+ *    At the very minimum, the user  must call 
+ *    CMMF_KeyRecRepContentSetPKIStatusInfoStatus field to have an
+ *    encodable structure.  Depending on what the response is, the user may
+ *    have to set other fields as well to properly build up the structure so
+ *    that it can be encoded.  Refer to the CMMF draft for how to properly
+ *    set up a CMMFKeyRecRepContent. This is the structure that an RA returns
+ *    to an end entity when doing key recovery.
+
+ *    The user must call CMMF_DestroyKeyRecRepContent when the return value
+ *    is no longer needed.
+ * RETURN:
+ *    A pointer to the empty CMMFKeyRecRepContent.  A return value of NULL
+ *    indicates an error in allocating memory or initializing the structure.
+ */
+extern CMMFKeyRecRepContent *CMMF_CreateKeyRecRepContent(void);
+
+/*
+ * FUNCTION: CMMF_CreateKeyRecRepContentFromDER
+ * INPUTS:
+ *    db
+ *        The handle for the certificate database where the decoded 
+ *        certificates will be placed.  The decoded certificates will
+ *        be placed in the temporary database associated with the 
+ *        handle.
+ *    buf
+ *        A buffer contatining the DER-encoded CMMFKeyRecRepContent
+ *    len
+ *        The length in bytes of the buffer 'buf'
+ * NOTES
+ *    This function passes the buffer to the ASN1 decoder and creates a 
+ *    CMMFKeyRecRepContent structure.
+ *
+ * RETURN:
+ *    A pointer to the CMMFKeyRecRepContent structure.  A NULL return
+ *    value indicates the library was unable to parse the DER.
+ */
+extern CMMFKeyRecRepContent* 
+       CMMF_CreateKeyRecRepContentFromDER(CERTCertDBHandle *db,
+					  const char       *buf,
+					  long              len);
+
+/*
+ * FUNCTION: CMMF_CreatePOPODecKeyChallContent
+ * INPUTS:
+ *    NONE
+ * NOTES:
+ *    This function creates an empty CMMFPOPODecKeyChallContent.  The user
+ *    must add the challenges individually specifying the random number to
+ *    be used and the public key to be used when creating each individual 
+ *    challenge.  User can accomplish this by calling the function 
+ *    CMMF_POPODecKeyChallContentSetNextChallenge.
+ * RETURN:
+ *    A pointer to a CMMFPOPODecKeyChallContent structure.  Ther user can
+ *    then call CMMF_EncodePOPODecKeyChallContent passing in the return
+ *    value from this function after setting all of the challenges.  A 
+ *    return value of NULL indicates an error while creating the 
+ *    CMMFPOPODecKeyChallContent structure.
+ */
+extern CMMFPOPODecKeyChallContent*
+       CMMF_CreatePOPODecKeyChallContent(void);
+
+/*
+ * FUNCTION: CMMF_CreatePOPODecKeyChallContentFromDER
+ * INPUTS
+ *    buf
+ *        A buffer containing the DER-encoded CMMFPOPODecKeyChallContent
+ *    len
+ *        The length in bytes of the buffer 'buf'
+ * NOTES:
+ *    This function passes the buffer to the ASN1 decoder and creates a
+ *    CMMFPOPODecKeyChallContent structure.  
+ *
+ * RETURN:
+ *    A pointer to the CMMFPOPODecKeyChallContent structure.  A NULL return
+ *    value indicates the library was unable to parse the DER.
+ */
+extern CMMFPOPODecKeyChallContent*
+       CMMF_CreatePOPODecKeyChallContentFromDER(const char *buf, long len);
+
+/*
+ * FUNCTION: CMMF_CreatePOPODecKeyRespContentFromDER
+ * INPUTS:
+ *    buf
+ *        A buffer contatining the DER-encoded CMMFPOPODecKeyRespContent
+ *    len
+ *        The length in bytes of the buffer 'buf'
+ * NOTES
+ *    This function passes the buffer to the ASN1 decoder and creates a 
+ *    CMMFPOPODecKeyRespContent structure.
+ *
+ * RETURN:
+ *    A pointer to the CMMFPOPODecKeyRespContent structure.  A NULL return
+ *    value indicates the library was unable to parse the DER.
+ */
+extern CMMFPOPODecKeyRespContent*
+       CMMF_CreatePOPODecKeyRespContentFromDER(const char *buf, long len);
+
+/************************** Set Functions *************************/
+
+/*
+ * FUNCTION: CMMF_CertRepContentSetCertResponses
+ * INPUTS:
+ *    inCertRepContent
+ *        The CMMFCertRepContent to operate on.
+ *    inCertResponses
+ *        An array of pointers to CMMFCertResponse structures to 
+ *        add to the CMMFCertRepContent structure.
+ *    inNumResponses
+ *        The length of the array 'inCertResponses'
+ * NOTES:
+ *    This function will add the CMMFCertResponse structure to the 
+ *    CMMFCertRepContent passed in.  The CMMFCertResponse field of 
+ *    CMMFCertRepContent is required, so the client must call this function
+ *    before calling CMMF_EncodeCertRepContent.  If the user calls 
+ *    CMMF_EncodeCertRepContent before calling this function, 
+ *    CMMF_EncodeCertRepContent will fail.
+ *
+ * RETURN:
+ *    SECSuccess if adding the CMMFCertResponses to the CMMFCertRepContent
+ *    structure was successful.  Any other return value indicates an error
+ *    while trying to add the CMMFCertResponses.
+ */
+extern SECStatus 
+      CMMF_CertRepContentSetCertResponses(CMMFCertRepContent *inCertRepContent,
+					  CMMFCertResponse  **inCertResponses,
+					  int                 inNumResponses);
+
+/*
+ * FUNCTION: CMMF_CertRepContentSetCAPubs
+ * INPUTS:
+ *    inCertRepContent
+ *        The CMMFCertRepContent to operate on.
+ *    inCAPubs
+ *        The certificate list which makes up the chain of CA certificates
+ *        required to make the issued cert valid.
+ * NOTES:
+ *    This function will set the the certificates in the CA chain as part
+ *    of the CMMFCertRepContent.  This field is an optional member of the 
+ *    CMMFCertRepContent structure, so the client is not required to call
+ *    this function before calling CMMF_EncodeCertRepContent.
+ *
+ * RETURN:
+ *    SECSuccess if adding the 'inCAPubs' to the CERTRepContent was successful.
+ *    Any other return value indicates an error while adding 'inCAPubs' to the 
+ *    CMMFCertRepContent structure.
+ * 
+ */
+extern SECStatus 
+       CMMF_CertRepContentSetCAPubs (CMMFCertRepContent  *inCertRepContent,
+				     CERTCertList        *inCAPubs);
+
+/*
+ * FUNCTION: CMMF_CertResponseSetPKIStatusInfoStatus
+ * INPUTS:
+ *    inCertResp
+ *        The CMMFCertResponse to operate on.
+ *     inPKIStatus
+ *        The value to set for the PKIStatusInfo.status field.
+ * NOTES:
+ *    This function will set the CertResponse.status.status field of 
+ *    the CMMFCertResponse structure.  (View the definition of CertResponse
+ *    in the CMMF draft to see exactly which value this talks about.)  This
+ *    field is a required member of the structure, so the user must call this
+ *    function in order to have a CMMFCertResponse that can be encoded.
+ *
+ * RETURN:
+ *    SECSuccess if setting the field with the passed in value was successful.
+ *    Any other return value indicates an error while trying to set the field.
+ */
+extern SECStatus 
+     CMMF_CertResponseSetPKIStatusInfoStatus (CMMFCertResponse *inCertResp,
+					      CMMFPKIStatus     inPKIStatus);
+
+/*
+ * FUNCTION: CMMF_CertResponseSetCertificate
+ * INPUTS:
+ *    inCertResp
+ *        The CMMFCertResponse to operate on.
+ *    inCertificate
+ *        The certificate to add to the 
+ *        CertResponse.CertifiedKeyPair.certOrEncCert.certificate field.
+ * NOTES:
+ *    This function will take the certificate and make it a member of the
+ *    CMMFCertResponse.  The certificate should be the actual certificate
+ *    being issued via the response.
+ *
+ * RETURN:
+ *    SECSuccess if adding the certificate to the response was successful.
+ *    Any other return value indicates an error in adding the certificate to
+ *    the CertResponse.
+ */
+extern SECStatus 
+       CMMF_CertResponseSetCertificate (CMMFCertResponse *inCertResp,
+					CERTCertificate  *inCertificate);
+
+/*
+ * FUNCTION: CMMF_KeyRecRepContentSetPKIStatusInfoStatus
+ * INPUTS: 
+ *    inKeyRecRep
+ *        The CMMFKeyRecRepContent to operate on.
+ *    inPKIStatus
+ *        The value to set the PKIStatusInfo.status field to.
+ * NOTES:
+ *    This function sets the only required field for the KeyRecRepContent.
+ *    In most cases, the user will set this field and other fields of the
+ *    structure to properly create the CMMFKeyRecRepContent structure.  
+ *    Refer to the CMMF draft to see which fields need to be set in order
+ *    to create the desired CMMFKeyRecRepContent.
+ * 
+ * RETURN:
+ *    SECSuccess if setting the PKIStatusInfo.status field was successful.
+ *    Any other return value indicates an error in setting the field.
+ */
+extern SECStatus 
+CMMF_KeyRecRepContentSetPKIStatusInfoStatus(CMMFKeyRecRepContent *inKeyRecRep,
+					    CMMFPKIStatus         inPKIStatus);
+
+/*
+ * FUNCTION: CMMF_KeyRecRepContentSetNewSignCert
+ * INPUTS:
+ *    inKeyRecRep
+ *        The CMMFKeyRecRepContent to operate on.
+ *    inNewSignCert
+ *        The new signing cert to add to the CMMFKeyRecRepContent structure.
+ * NOTES:
+ *    This function sets the new signeing cert in the CMMFKeyRecRepContent
+ *    structure.
+ *
+ * RETURN:
+ *    SECSuccess if setting the new signing cert was successful.  Any other 
+ *    return value indicates an error occurred while trying to add the
+ *    new signing certificate.
+ */
+extern SECStatus 
+       CMMF_KeyRecRepContentSetNewSignCert(CMMFKeyRecRepContent *inKeyRecRep,
+					   CERTCertificate     *inNewSignCert);
+
+/*
+ * FUNCTION: CMMF_KeyRecRepContentSetCACerts
+ * INPUTS:
+ *    inKeyRecRep
+ *        The CMMFKeyRecRepContent to operate on.
+ *    inCACerts
+ *        The list of CA certificates required to construct a valid 
+ *        certificate chain with the certificates that will be returned
+ *        to the end user via this KeyRecRepContent.
+ * NOTES:
+ *    This function sets the caCerts that are required to form a chain with the
+ *    end entity certificates that are being re-issued in this 
+ *    CMMFKeyRecRepContent structure.
+ *
+ * RETURN:
+ *    SECSuccess if adding the caCerts was successful.  Any other return value
+ *    indicates an error while tring to add the caCerts.
+ */
+extern SECStatus 
+       CMMF_KeyRecRepContentSetCACerts(CMMFKeyRecRepContent *inKeyRecRep,
+				       CERTCertList         *inCACerts);
+
+/*
+ * FUNCTION: CMMF_KeyRecRepContentSetCertifiedKeyPair
+ * INPUTS:
+ *    inKeyRecRep
+ *        The CMMFKeyRecRepContent to operate on.
+ *    inCert
+ *        The certificate to add to the CMMFKeyRecRepContent structure.
+ *    inPrivKey
+ *        The private key associated with the certificate above passed in.
+ *    inPubKey
+ *        The public key to use for wrapping the private key.
+ * NOTES:
+ *    This function adds another certificate-key pair to the 
+ *    CMMFKeyRecRepcontent structure.  There may be more than one 
+ *    certificate-key pair in the structure, so the user must call this 
+ *    function multiple times to add more than one cert-key pair.
+ *
+ * RETURN:
+ *    SECSuccess if adding the certified key pair was successful.  Any other
+ *    return value indicates an error in adding certified key pair to 
+ *    CMMFKeyRecRepContent structure.
+ */
+extern SECStatus 
+    CMMF_KeyRecRepContentSetCertifiedKeyPair(CMMFKeyRecRepContent *inKeyRecRep,
+					     CERTCertificate      *inCert,
+					     SECKEYPrivateKey     *inPrivKey,
+					     SECKEYPublicKey      *inPubKey);
+
+/*
+ * FUNCTION: CMMF_POPODecKeyChallContentSetNextChallenge
+ * INPUTS:
+ *    inDecKeyChall
+ *        The CMMFPOPODecKeyChallContent to operate on.
+ *    inRandom
+ *        The random number to use when generating the challenge,
+ *    inSender
+ *        The GeneralName representation of the sender of the challenge.
+ *    inPubKey
+ *        The public key to use when encrypting the challenge.
+ *    passwdArg
+ *        This value will be passed to the function used for getting a
+ *        password.  The password for getting a password should be registered
+ *        by calling PK11_SetPasswordFunc before this function is called. 
+ *        If no password callback is registered and the library needs to 
+ *        authenticate to the slot for any reason, this function will fail.
+ * NOTES:
+ *    This function adds a challenge to the end of the list of challenges
+ *    contained by 'inDecKeyChall'.  Refer to the CMMF draft on how the
+ *    the random number passed in and the sender's GeneralName are used
+ *    to generate the challenge and witness fields of the challenge.  This
+ *    library will use SHA1 as the one-way function for generating the 
+ *    witess field of the challenge.
+ *
+ * RETURN:
+ *    SECSuccess if generating the challenge and adding to the end of list
+ *    of challenges was successful.  Any other return value indicates an error
+ *    while trying to generate the challenge.
+ */
+extern SECStatus
+CMMF_POPODecKeyChallContentSetNextChallenge
+                                   (CMMFPOPODecKeyChallContent *inDecKeyChall,
+				    long                        inRandom,
+				    CERTGeneralName            *inSender,
+				    SECKEYPublicKey            *inPubKey,
+				    void                       *passwdArg);
+
+
+/************************** Encoding Functions *************************/
+
+/*
+ * FUNCTION: CMMF_EncodeCertRepContent
+ * INPUTS:
+ *    inCertRepContent
+ *        The CMMFCertRepContent to DER-encode.
+ *    inCallback
+ *        A callback function that the ASN1 encoder will call whenever it 
+ *        wants to write out DER-encoded bytes.  Look at the defintion of 
+ *        CRMFEncoderOutputCallback in crmft.h for a description of the
+ *        parameters to the function.
+ *    inArg
+ *        An opaque pointer to a user-supplied argument that will be passed
+ *        to the callback funtion whenever the function is called.
+ * NOTES:
+ *    The CMMF library will use the same DER-encoding scheme as the CRMF 
+ *    library.  In other words, when reading CRMF comments that pertain to
+ *    encoding, those comments apply to the CMMF libray as well.  
+ *    The callback function will be called multiple times, each time supplying
+ *    the next chunk of DER-encoded bytes.  The user must concatenate the 
+ *    output of each successive call to the callback in order to get the
+ *    entire DER-encoded CMMFCertRepContent structure.
+ *
+ * RETURN:
+ *    SECSuccess if encoding the CMMFCertRepContent was successful.  Any 
+ *    other return value indicates an error while decoding the structure.
+ */
+extern SECStatus 
+       CMMF_EncodeCertRepContent (CMMFCertRepContent        *inCertRepContent,
+				  CRMFEncoderOutputCallback  inCallback,
+				  void                      *inArg);
+
+/*
+ * FUNCTION: CMMF_EncodeKeyRecRepContent
+ * INPUTS:
+ *    inKeyRecRep
+ *        The CMMFKeyRepContent to DER-encode.
+ *    inCallback
+ *        A callback function that the ASN1 encoder will call whenever it 
+ *        wants to write out DER-encoded bytes.  Look at the defintion of 
+ *        CRMFEncoderOutputCallback in crmft.h for a description of the
+ *        parameters to the function.
+ *    inArg
+ *        An opaque pointer to a user-supplied argument that will be passed
+ *        to the callback funtion whenever the function is called.
+ * NOTES:
+ *    The CMMF library will use the same DER-encoding scheme as the CRMF 
+ *    library.  In other words, when reading CRMF comments that pertain to
+ *    encoding, those comments apply to the CMMF libray as well.  
+ *    The callback function will be called multiple times, each time supplying
+ *    the next chunk of DER-encoded bytes.  The user must concatenate the 
+ *    output of each successive call to the callback in order to get the
+ *    entire DER-encoded CMMFCertRepContent structure.
+ *
+ * RETURN:
+ *    SECSuccess if encoding the CMMFKeyRecRepContent was successful.  Any 
+ *    other return value indicates an error while decoding the structure.
+ */
+extern SECStatus
+       CMMF_EncodeKeyRecRepContent(CMMFKeyRecRepContent      *inKeyRecRep,
+				   CRMFEncoderOutputCallback  inCallback,
+				   void                      *inArg);
+
+/*
+ * FUNCTION: CMMF_EncodePOPODecKeyChallContent
+ * INPUTS:
+ *    inDecKeyChall
+ *        The CMMFDecKeyChallContent to operate on.
+ *    inCallback
+ *        A callback function that the ASN1 encoder will call whenever it 
+ *        wants to write out DER-encoded bytes.  Look at the defintion of 
+ *        CRMFEncoderOutputCallback in crmft.h for a description of the
+ *        parameters to the function.
+ *    inArg
+ *        An opaque pointer to a user-supplied argument that will be passed
+ *        to the callback function whenever the function is called.
+ * NOTES:
+ *    The CMMF library will use the same DER-encoding scheme as the CRMF 
+ *    library.  In other words, when reading CRMF comments that pertain to
+ *    encoding, those comments apply to the CMMF libray as well.  
+ *    The callback function will be called multiple times, each time supplying
+ *    the next chunk of DER-encoded bytes.  The user must concatenate the 
+ *    output of each successive call to the callback in order to get the
+ *    entire DER-encoded CMMFCertRepContent structure.
+ *    The DER will be an encoding of the type POPODecKeyChallContents, which
+ *    is just a sequence of challenges.
+ *
+ * RETURN:
+ *    SECSuccess if encoding was successful.  Any other return value indicates
+ *    an error in trying to encode the Challenges.
+ */
+extern SECStatus 
+CMMF_EncodePOPODecKeyChallContent(CMMFPOPODecKeyChallContent *inDecKeyChall,
+				  CRMFEncoderOutputCallback inCallback,
+				  void                     *inArg);
+
+/*
+ * FUNCTION: CMMF_EncodePOPODecKeyRespContent
+ * INPUTS:
+ *    inDecodedRand
+ *        An array of integers to encode as the responses to 
+ *        CMMFPOPODecKeyChallContent.  The integers must be in the same order
+ *        as the challenges extracted from CMMFPOPODecKeyChallContent.
+ *    inNumRand
+ *        The number of random integers contained in the array 'inDecodedRand'
+ *    inCallback
+ *        A callback function that the ASN1 encoder will call whenever it 
+ *        wants to write out DER-encoded bytes.  Look at the defintion of 
+ *        CRMFEncoderOutputCallback in crmft.h for a description of the
+ *        parameters to the function.
+ *    inArg
+ *        An opaque pointer to a user-supplied argument that will be passed
+ *        to the callback funtion whenever the function is called.
+ * NOTES:
+ *    The CMMF library will use the same DER-encoding scheme as the CRMF 
+ *    library.  In other words, when reading CRMF comments that pertain to
+ *    encoding, those comments apply to the CMMF libray as well.  
+ *    The callback function will be called multiple times, each time supplying
+ *    the next chunk of DER-encoded bytes.  The user must concatenate the 
+ *    output of each successive call to the callback in order to get the
+ *    entire DER-encoded  POPODecKeyRespContent.
+ *
+ * RETURN:
+ *    SECSuccess if encoding was successful.  Any other return value indicates
+ *    an error in trying to encode the Challenges.
+ */
+extern SECStatus 
+      CMMF_EncodePOPODecKeyRespContent(long                     *inDecodedRand,
+				       int                       inNumRand,
+				       CRMFEncoderOutputCallback inCallback,
+				       void                     *inArg); 
+
+/***************  Accessor function  ***********************************/
+
+/*
+ * FUNCTION: CMMF_CertRepContentGetCAPubs
+ * INPUTS:
+ *    inCertRepContent
+ *        The CMMFCertRepContent to extract the caPubs from.
+ * NOTES:
+ *    This function will return a copy of the list of certificates that
+ *    make up the chain of CA's required to make the cert issued valid.
+ *    The user must call CERT_DestroyCertList on the return value when 
+ *    done using the return value.  
+ *
+ *    Only call this function on a CertRepContent that has been decoded.
+ *    The client must call CERT_DestroyCertList when the certificate list
+ *    is no longer needed. 
+ *
+ *    The certs in the list will not be in the temporary database.  In order
+ *    to make these certificates a part of the permanent CA internal database,
+ *    the user must collect the der for all of these certs and call 
+ *    CERT_ImportCAChain.  Afterwards the certs will be part of the permanent
+ *    database.
+ *    
+ * RETURN:
+ *    A pointer to the CERTCertList representing the CA chain associated 
+ *    with the issued cert.  A NULL return value indicates  that no CA Pubs
+ *    were available in the CMMFCertRepContent structure. 
+ */
+extern CERTCertList* 
+       CMMF_CertRepContentGetCAPubs (CMMFCertRepContent *inCertRepContent);
+
+
+/*
+ * FUNCTION: CMMF_CertRepContentGetNumResponses
+ * INPUTS:
+ *    inCertRepContent
+ *        The CMMFCertRepContent to operate on.
+ * NOTES:
+ *    This function will return the number of CertResponses that are contained
+ *    by the CMMFCertRepContent passed in.
+ * 
+ * RETURN:
+ *    The number of CMMFCertResponses contained in the structure passed in.
+ */
+extern int 
+ CMMF_CertRepContentGetNumResponses (CMMFCertRepContent *inCertRepContent);
+
+/*
+ * FUNCTION: CMMF_CertRepContentGetResponseAtIndex
+ * INPUTS:
+ *    inCertRepContent
+ *        The CMMFCertRepContent to operate on.
+ *    inIndex
+ *        The index of the CMMFCertResponse the user wants a copy of.
+ * NOTES:
+ *    This funciton creates a copy of the CMMFCertResponse at the index 
+ *    corresponding to the parameter 'inIndex'.  Indexing is done like a
+ *    traditional C array, ie the valid indexes are (0...numResponses-1).
+ *    The user must call CMMF_DestroyCertResponse after the return value is 
+ *    no longer needed.
+ *
+ * RETURN:
+ *    A pointer to the CMMFCertResponse at the index corresponding to 
+ *    'inIndex'.  A return value of NULL indicates an error in copying 
+ *    the CMMFCertResponse.
+ */
+extern CMMFCertResponse*
+CMMF_CertRepContentGetResponseAtIndex (CMMFCertRepContent *inCertRepContent,
+				       int                 inIndex);
+
+/*
+ * FUNCTION: CMMF_CertResponseGetCertReqId
+ * INPUTS:
+ *    inCertResp
+ *        The CMMFCertResponse to operate on.
+ * NOTES:
+ *    This function returns the CertResponse.certReqId from the 
+ *    CMMFCertResponse structure passed in.  If the return value is -1, that
+ *    means there is no associated certificate request with the CertResponse.
+ * RETURN:
+ *    A long representing the id of the certificate request this 
+ *    CMMFCertResponse corresponds to.  A return value of -1 indicates an
+ *    error in extracting the value of the integer.
+ */
+extern long CMMF_CertResponseGetCertReqId(CMMFCertResponse *inCertResp);
+
+/*
+ * FUNCTION: CMMF_CertResponseGetPKIStatusInfoStatus
+ * INPUTS:
+ *    inCertResp
+ *        The CMMFCertResponse to operate on.
+ * NOTES:
+ *    This function returns the CertResponse.status.status field of the 
+ *    CMMFCertResponse structure.
+ *
+ * RETURN:
+ *    The enumerated value corresponding to the PKIStatus defined in the CMMF
+ *    draft.  See the CMMF draft for the definition of PKIStatus.  See crmft.h
+ *    for the definition of CMMFPKIStatus.
+ */
+extern CMMFPKIStatus 
+       CMMF_CertResponseGetPKIStatusInfoStatus(CMMFCertResponse *inCertResp);
+
+/*
+ * FUNCTION: CMMF_CertResponseGetCertificate
+ * INPUTS:
+ *    inCertResp
+ *        The Certificate Response to operate on.
+ *    inCertdb
+ *        This is the certificate database where the function will place the
+ *        newly issued certificate.
+ * NOTES:
+ *    This function retrieves the CertResponse.certifiedKeyPair.certificate
+ *    from the CMMFCertResponse.  The user will get a copy of that certificate
+ *    so  the user must call CERT_DestroyCertificate when the return value is 
+ *    no longer needed.  The certificate returned will be in the temporary 
+ *    certificate database.
+ *
+ * RETURN:
+ *    A pointer to a copy of the certificate contained within the 
+ *    CMMFCertResponse.  A return value of NULL indicates an error while trying
+ *    to make a copy of the certificate.
+ */
+extern CERTCertificate*
+       CMMF_CertResponseGetCertificate(CMMFCertResponse *inCertResp,
+                                       CERTCertDBHandle *inCertdb);
+
+/*
+ * FUNCTION: CMMF_KeyRecRepContentGetPKIStatusInfoStatus
+ * INPUTS:
+ *    inKeyRecRep
+ *        The CMMFKeyRecRepContent structure to operate on.
+ * NOTES:
+ *    This function retrieves the KeyRecRepContent.status.status field of 
+ *    the CMMFKeyRecRepContent structure.
+ * RETURN:
+ *    The CMMFPKIStatus corresponding to the value held in the 
+ *    CMMFKeyRecRepContent structure.
+ */
+extern CMMFPKIStatus 
+CMMF_KeyRecRepContentGetPKIStatusInfoStatus(CMMFKeyRecRepContent *inKeyRecRep);
+
+/*
+ * FUNCTION: CMMF_KeyRecRepContentGetNewSignCert
+ * INPUTS:
+ *    inKeyRecRep
+ *        The CMMFKeyRecRepContent to operate on.
+ * NOTES:
+ *    This function retrieves the KeyRecRepContent.newSignCert field of the
+ *    CMMFKeyRecRepContent structure.  The user must call 
+ *    CERT_DestroyCertificate when the return value is no longer needed. The
+ *    returned certificate will be in the temporary database.  The user 
+ *    must then place the certificate permanently in whatever token the
+ *    user determines is the proper destination.  A return value of NULL
+ *    indicates the newSigCert field was not present.
+ */
+extern CERTCertificate*
+       CMMF_KeyRecRepContentGetNewSignCert(CMMFKeyRecRepContent *inKeyRecRep);
+
+/*
+ * FUNCTION: CMMF_KeyRecRepContentGetCACerts
+ * INPUTS:
+ *    inKeyRecRep
+ *        The CMMFKeyRecRepContent to operate on.
+ * NOTES:
+ *    This function returns a CERTCertList which contains all of the 
+ *    certficates that are in the sequence KeyRecRepContent.caCerts
+ *    User must call CERT_DestroyCertList when the return value is no longer 
+ *    needed.  All of these certificates will be placed in the tempoaray
+ *    database.
+ *
+ * RETURN:
+ *    A pointer to the list of caCerts contained in the CMMFKeyRecRepContent
+ *    structure.  A return value of NULL indicates the library was not able to 
+ *    make a copy of the certifcates.  This may be because there are no caCerts
+ *    included in the CMMFKeyRecRepContent strucure or an internal error.  Call
+ *    CMMF_KeyRecRepContentHasCACerts to find out if there are any caCerts 
+ *    included in 'inKeyRecRep'.
+ */
+extern CERTCertList*
+       CMMF_KeyRecRepContentGetCACerts(CMMFKeyRecRepContent *inKeyRecRep);
+
+/*
+ * FUNCTION: CMMF_KeyRecRepContentGetNumKeyPairs
+ * INPUTS:
+ *    inKeyRecRep
+ *        The CMMFKeyRecRepContent to operate on.
+ * RETURN:
+ *    This function returns the number of CMMFCertifiedKeyPair structures that
+ *    that are stored in the KeyRecRepContent structure.
+ */
+extern int 
+       CMMF_KeyRecRepContentGetNumKeyPairs(CMMFKeyRecRepContent *inKeyRecRep);
+
+/*
+ * FUNCTION: CMMF_KeyRecRepContentGetCertKeyAtIndex
+ * INPUTS:
+ *    inKeyRecRepContent
+ *        The CMMFKeyRecRepContent to operate on.
+ *    inIndex
+ *        The index of the desired CMMFCertifiedKeyPair
+ * NOTES:
+ *    This function retrieves the CMMFCertifiedKeyPair structure at the index
+ *    'inIndex'.  Valid indexes are 0...(numKeyPairs-1)  The user must call 
+ *    CMMF_DestroyCertifiedKeyPair when the return value is no longer needed.
+ *
+ * RETURN:
+ *    A pointer to the Certified Key Pair at the desired index.  A return value
+ *    of NULL indicates an error in extracting the Certified Key Pair at the 
+ *    desired index.
+ */
+extern CMMFCertifiedKeyPair*
+      CMMF_KeyRecRepContentGetCertKeyAtIndex(CMMFKeyRecRepContent *inKeyRecRep,
+					     int                   inIndex);
+
+/*
+ * FUNCTION: CMMF_CertifiedKeyPairGetCertificate
+ * INPUTS:
+ *    inCertKeyPair
+ *        The CMMFCertifiedKeyPair to operate on.
+ *    inCertdb
+ *        The database handle for the database you want this certificate
+ *        to wind up in.
+ * NOTES:
+ *    This function retrieves the certificate at 
+ *    CertifiedKeyPair.certOrEncCert.certificate
+ *    The user must call CERT_DestroyCertificate when the return value is no
+ *    longer needed.  The user must import this certificate as a token object
+ *    onto PKCS#11 slot in order to make it a permanent object.  The returned
+ *    certificate will be in the temporary database.
+ * 
+ * RETURN:
+ *    A pointer to the certificate contained within the certified key pair.
+ *    A return value of NULL indicates an error in creating the copy of the 
+ *    certificate.
+ */
+extern CERTCertificate*
+      CMMF_CertifiedKeyPairGetCertificate(CMMFCertifiedKeyPair *inCertKeyPair,
+					  CERTCertDBHandle     *inCertdb);
+
+/*
+ * FUNCTION: CMMF_POPODecKeyChallContentGetNumChallenges
+ * INPUTS:
+ *    inKeyChallCont
+ *        The CMMFPOPODecKeyChallContent to operate on.
+ * RETURN:
+ *    This function returns the number of CMMFChallenges are contained in 
+ *    the CMMFPOPODecKeyChallContent structure.
+ */
+extern int CMMF_POPODecKeyChallContentGetNumChallenges
+                                  (CMMFPOPODecKeyChallContent *inKeyChallCont);
+
+/*
+ * FUNCTION: CMMF_POPODecKeyChallContentGetPublicValue
+ * ---------------------------------------------------
+ * INPUTS:
+ *    inKeyChallCont
+ *        The CMMFPOPODecKeyChallContent to operate on.
+ *    inIndex
+ *        The index of the Challenge within inKeyChallCont to operate on.
+ *        Indexes start from 0, ie the Nth Challenge corresponds to index
+ *        N-1.
+ * NOTES:
+ * This function retrieves the public value stored away in the Challenge at
+ * index inIndex of inKeyChallCont.
+ * RETURN:
+ * A pointer to a SECItem containing the public value.  User must call 
+ * SECITEM_FreeItem on the return value when the value is no longer necessary.
+ * A return value of NULL indicates an error while retrieving the public value.
+ */
+extern SECItem* CMMF_POPODecKeyChallContentGetPublicValue
+                                   (CMMFPOPODecKeyChallContent *inKeyChallCont,
+				    int                         inIndex);
+
+
+/*
+ * FUNCTION: CMMF_POPODecKeyChallContentGetRandomNumber
+ * INPUTS:
+ *    inChallContent
+ *        The CMMFPOPODecKeyChallContent to operate on.
+ *    inIndex
+ *        The index of the challenge to look at.  Valid indexes are 0 through
+ *        (CMMF_POPODecKeyChallContentGetNumChallenges(inChallContent) - 1).
+ *    inDest
+ *        A pointer to a user supplied buffer where the library
+ *        can place a copy of the random integer contatained in the
+ *        challenge.
+ * NOTES:
+ *    This function returns the value held in the decrypted Rand structure
+ *    corresponding to the random integer.  The user must call 
+ *    CMMF_POPODecKeyChallContentDecryptChallenge before calling this function.  Call 
+ *    CMMF_ChallengeIsDecrypted to find out if the challenge has been 
+ *    decrypted.
+ *
+ * RETURN:
+ *    SECSuccess indicates the witness field has been previously decrypted
+ *    and the value for the random integer was successfully placed at *inDest.
+ *    Any other return value indicates an error and that the value at *inDest
+ *    is not a valid value.
+ */
+extern SECStatus CMMF_POPODecKeyChallContentGetRandomNumber
+                                      (CMMFPOPODecKeyChallContent *inKeyChallCont,
+				       int                          inIndex,
+				       long                        *inDest);
+
+/*
+ * FUNCTION: CMMF_POPODecKeyRespContentGetNumResponses
+ * INPUTS:
+ *    inRespCont
+ *        The POPODecKeyRespContent to operate on.
+ * RETURN:
+ * This function returns the number of responses contained in inRespContent.
+ */
+extern int 
+ CMMF_POPODecKeyRespContentGetNumResponses(CMMFPOPODecKeyRespContent *inRespCont);
+
+/*
+ * FUNCTION: CMMF_POPODecKeyRespContentGetResponse
+ * INPUTS:
+ *    inRespCont
+ *        The POPODecKeyRespContent to operate on.
+ *    inIndex
+ *        The index of the response to retrieve.
+ *        The Nth response is at index N-1, ie the 1st response is at index 0,
+ *        the 2nd response is at index 1, and so on.
+ *    inDest
+ *        A pointer to a pre-allocated buffer where the library can put the 
+ *        value of the response located at inIndex.
+ * NOTES:
+ * The function returns the response contained at index inIndex.  
+ * CMMFPOPODecKeyRespContent is a structure that the server will generally 
+ * get in response to a CMMFPOPODecKeyChallContent.  The server will expect
+ * to see the responses in the same order as it constructed them in 
+ * the CMMFPOPODecKeyChallContent structure.
+ * RETURN:
+ * SECSuccess if getting the response at the desired index was successful.  Any
+ * other return value indicates an errror.
+ */
+extern SECStatus
+     CMMF_POPODecKeyRespContentGetResponse (CMMFPOPODecKeyRespContent *inRespCont,
+					    int                        inIndex,
+					    long                      *inDest);
+
+/************************* Destructor Functions ******************************/
+
+/*
+ * FUNCTION: CMMF_DestroyCertResponse
+ * INPUTS:
+ *    inCertResp
+ *        The CMMFCertResponse to destroy.
+ * NOTES:
+ *    This function frees all the memory associated with the CMMFCertResponse
+ *    passed in.
+ * RETURN:
+ *    SECSuccess if freeing the memory was successful.  Any other return value
+ *    indicates an error while freeing the memory.
+ */
+extern SECStatus CMMF_DestroyCertResponse(CMMFCertResponse *inCertResp);
+
+/*
+ * FUNCTION: CMMF_DestroyCertRepContent
+ * INPUTS:
+ *    inCertRepContent
+ *        The CMMFCertRepContent to destroy
+ * NOTES:
+ *    This function frees the memory associated with the CMMFCertRepContent
+ *    passed in.
+ * RETURN:
+ *    SECSuccess if freeing all the memory associated with the 
+ *    CMMFCertRepContent passed in is successful.  Any other return value 
+ *    indicates an error while freeing the memory.
+ */
+extern SECStatus 
+       CMMF_DestroyCertRepContent (CMMFCertRepContent *inCertRepContent);
+
+/*
+ * FUNCTION: CMMF_DestroyKeyRecRepContent
+ * INPUTS:
+ *    inKeyRecRep
+ *        The CMMFKeyRecRepContent to destroy.
+ * NOTES:
+ *    This function destroys all the memory associated with the 
+ *    CMMFKeyRecRepContent passed in.
+ *
+ * RETURN:
+ *    SECSuccess if freeing all the memory is successful.  Any other return 
+ *    value indicates an error in freeing the memory.
+ */
+extern SECStatus 
+       CMMF_DestroyKeyRecRepContent(CMMFKeyRecRepContent *inKeyRecRep);
+
+/*
+ * FUNCTION: CMMF_DestroyCertifiedKeyPair
+ * INPUTS:
+ *    inCertKeyPair
+ *        The CMMFCertifiedKeyPair to operate on.
+ * NOTES: 
+ *    This function frees up all the memory associated with 'inCertKeyPair'
+ *
+ * RETURN:
+ *    SECSuccess if freeing all the memory associated with 'inCertKeyPair'
+ *    is successful.  Any other return value indicates an error while trying
+ *    to free the memory.
+ */
+extern SECStatus 
+       CMMF_DestroyCertifiedKeyPair(CMMFCertifiedKeyPair *inCertKeyPair);
+
+/*
+ * FUNCTION: CMMF_DestroyPOPODecKeyRespContent
+ * INPUTS:
+ *    inDecKeyResp
+ *        The CMMFPOPODecKeyRespContent structure to free.
+ * NOTES:
+ *    This function frees up all the memory associate with the 
+ *    CMMFPOPODecKeyRespContent.
+ *
+ * RETURN:
+ *    SECSuccess if freeing up all the memory associated with the
+ *    CMMFPOPODecKeyRespContent structure is successful.  Any other
+ *    return value indicates an error while freeing the memory.
+ */
+extern SECStatus
+       CMMF_DestroyPOPODecKeyRespContent(CMMFPOPODecKeyRespContent *inDecKeyResp);
+
+
+/************************** Miscellaneous Functions *************************/
+ 
+/*
+ * FUNCTION: CMMF_CertifiedKeyPairUnwrapPrivKey
+ * INPUTS:
+ *    inCertKeyPair
+ *        The CMMFCertifiedKeyPair to operate on.
+ *    inPrivKey
+ *        The private key to use to un-wrap the private key
+ *    inNickName
+ *        This is the nickname that will be associated with the private key
+ *        to be unwrapped.
+ *    inSlot
+ *        The PKCS11 slot where the unwrapped private key should end up.
+ *    inCertdb
+ *        The Certificate database with which the new key will be associated.
+ *    destPrivKey
+ *        A pointer to memory where the library can place a pointer to the
+ *        private key after importing the key onto the specified slot.
+ *    wincx
+ *        An opaque pointer that the library will use in a callback function
+ *        to get the password if necessary.
+ *    
+ * NOTES:
+ *    This function uses the private key passed in to unwrap the private key
+ *    contained within the CMMFCertifiedKeyPair structure. After this 
+ *    function successfully returns, the private key has been unwrapped and
+ *    placed in the specified slot. 
+ *
+ * RETURN:
+ *    SECSuccess if unwrapping the private key was successful.  Any other 
+ *    return value indicates an error while trying to un-wrap the private key.
+ */
+extern SECStatus 
+       CMMF_CertifiedKeyPairUnwrapPrivKey(CMMFCertifiedKeyPair *inKeyPair,
+					  SECKEYPrivateKey     *inPrivKey,
+					  SECItem              *inNickName,
+					  PK11SlotInfo         *inSlot,
+                                          CERTCertDBHandle     *inCertdb,
+					  SECKEYPrivateKey    **destPrivKey,
+					  void                 *wincx);
+
+/*
+ * FUNCTION: CMMF_KeyRecRepContentHasCACerts
+ * INPUTS:
+ *    inKeyRecRecp
+ *        The CMMFKeyRecRepContent to operate on.
+ * RETURN:
+ *    This function returns PR_TRUE if there are one or more certificates in 
+ *    the sequence KeyRecRepContent.caCerts within the CMMFKeyRecRepContent
+ *    structure.  The function will return PR_FALSE if there are 0 certificate
+ *    in the above mentioned sequence.
+ */
+extern PRBool 
+       CMMF_KeyRecRepContentHasCACerts(CMMFKeyRecRepContent *inKeyRecRep);
+
+/*
+ * FUNCTION: CMMF_POPODecKeyChallContDecryptChallenge
+ * INPUTS:
+ *    inChalCont
+ *        The CMMFPOPODecKeyChallContent to operate on.
+ *    inIndex
+ *        The index of the Challenge to operate on.  The 1st Challenge is
+ *        at index 0, the second at index 1 and so forth.
+ *    inPrivKey
+ *        The private key to use to decrypt the witness field.
+ * NOTES:
+ *    This function uses the private key to decrypt the challenge field
+ *    contained in the appropriate challenge.  Make sure the private key matches 
+ *    the public key that was used to encrypt the witness.  Use 
+ *    CMMF_POPODecKeyChallContentGetPublicValue to get the public value of
+ *    the key used to encrypt the witness and then use that to determine the
+ *    appropriate private key.  This can be done by calling PK11_MakeIDFromPubKey
+ *    and then passing that return value to PK11_FindKeyByKeyID.  The creator of 
+ *    the challenge will most likely be an RA that has the public key
+ *    from a Cert request.  So the private key should be the private key
+ *    associated with public key in that request.  This function will also
+ *    verify the witness field of the challenge.  This function also verifies
+ *    that the sender and witness hashes match within the challenge.
+ *
+ * RETURN:
+ *    SECSuccess if decrypting the witness field was successful.  This does
+ *    not indicate that the decrypted data is valid, since the private key 
+ *    passed in may not be the actual key needed to properly decrypt the 
+ *    witness field.  Meaning that there is a decrypted structure now, but
+ *    may be garbage because the private key was incorrect.
+ *    Any other return value indicates the function could not complete the
+ *    decryption process.
+ */
+extern SECStatus 
+  CMMF_POPODecKeyChallContDecryptChallenge(CMMFPOPODecKeyChallContent *inChalCont,
+					   int                         inIndex,
+					   SECKEYPrivateKey           *inPrivKey);
+
+/*
+ * FUNCTION: CMMF_DestroyPOPODecKeyChallContent
+ * INPUTS:
+ *    inDecKeyCont
+ *        The CMMFPOPODecKeyChallContent to free
+ * NOTES:
+ *    This function frees up all the memory associated with the 
+ *    CMMFPOPODecKeyChallContent 
+ * RETURN:
+ *    SECSuccess if freeing up all the memory associatd with the 
+ *    CMMFPOPODecKeyChallContent is successful.  Any other return value
+ *    indicates an error while freeing the memory.
+ *
+ */
+extern SECStatus 
+ CMMF_DestroyPOPODecKeyChallContent (CMMFPOPODecKeyChallContent *inDecKeyCont);
+
+SEC_END_PROTOS
+#endif /* _CMMF_H_ */
diff --git a/security/nss/lib/crmf/cmmfasn1.c b/security/nss/lib/crmf/cmmfasn1.c
new file mode 100644
index 000000000..c9ab99a5a
--- /dev/null
+++ b/security/nss/lib/crmf/cmmfasn1.c
@@ -0,0 +1,161 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "cmmf.h"
+#include "cmmfi.h"
+#include "secasn1.h"
+#include "secitem.h"
+
+SEC_ASN1_MKSUB(SEC_SignedCertificateTemplate)
+
+static const SEC_ASN1Template CMMFSequenceOfCertifiedKeyPairsTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, CMMFCertifiedKeyPairTemplate}
+};
+
+static const SEC_ASN1Template CMMFKeyRecRepContentTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CMMFKeyRecRepContent)},
+    { SEC_ASN1_INLINE, offsetof(CMMFKeyRecRepContent, status), 
+      CMMFPKIStatusInfoTemplate},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 
+		SEC_ASN1_XTRN | 0,
+      offsetof(CMMFKeyRecRepContent, newSigCert),
+      SEC_ASN1_SUB(SEC_SignedCertificateTemplate)},
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+      offsetof(CMMFKeyRecRepContent, caCerts),
+      CMMFSequenceOfCertsTemplate},
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 2,
+      offsetof(CMMFKeyRecRepContent, keyPairHist),
+      CMMFSequenceOfCertifiedKeyPairsTemplate},
+    { 0 }
+};
+
+SECStatus
+CMMF_EncodeCertRepContent (CMMFCertRepContent        *inCertRepContent,
+			   CRMFEncoderOutputCallback  inCallback,
+			   void                      *inArg)
+{
+    return cmmf_user_encode(inCertRepContent, inCallback, inArg,
+			    CMMFCertRepContentTemplate);
+}
+
+SECStatus
+CMMF_EncodePOPODecKeyChallContent(CMMFPOPODecKeyChallContent *inDecKeyChall,
+				  CRMFEncoderOutputCallback inCallback,
+				  void                     *inArg)
+{
+    return cmmf_user_encode(inDecKeyChall, inCallback, inArg,
+			    CMMFPOPODecKeyChallContentTemplate);
+}
+
+CMMFPOPODecKeyRespContent*
+CMMF_CreatePOPODecKeyRespContentFromDER(const char *buf, long len)
+{
+    PRArenaPool               *poolp;
+    CMMFPOPODecKeyRespContent *decKeyResp;
+    SECStatus                  rv;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        return NULL;
+    }
+    decKeyResp = PORT_ArenaZNew(poolp, CMMFPOPODecKeyRespContent);
+    if (decKeyResp == NULL) {
+        goto loser;
+    }
+    decKeyResp->poolp = poolp;
+    rv = SEC_ASN1Decode(poolp, decKeyResp, CMMFPOPODecKeyRespContentTemplate,
+			buf, len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return decKeyResp;
+    
+ loser:
+    if (poolp != NULL) {
+        PORT_FreeArena(poolp, PR_FALSE);
+    }
+    return NULL;
+}
+
+SECStatus
+CMMF_EncodeKeyRecRepContent(CMMFKeyRecRepContent      *inKeyRecRep,
+			    CRMFEncoderOutputCallback  inCallback,
+			    void                      *inArg)
+{
+    return cmmf_user_encode(inKeyRecRep, inCallback, inArg,
+			    CMMFKeyRecRepContentTemplate);
+}
+
+CMMFKeyRecRepContent* 
+CMMF_CreateKeyRecRepContentFromDER(CERTCertDBHandle *db, const char *buf, 
+				   long len)
+{
+    PRArenaPool          *poolp;
+    CMMFKeyRecRepContent *keyRecContent;
+    SECStatus             rv;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        return NULL;
+    }
+    keyRecContent = PORT_ArenaZNew(poolp, CMMFKeyRecRepContent);
+    if (keyRecContent == NULL) {
+        goto loser;
+    }
+    keyRecContent->poolp = poolp;
+    rv = SEC_ASN1Decode(poolp, keyRecContent, CMMFKeyRecRepContentTemplate,
+			buf, len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    if (keyRecContent->keyPairHist != NULL) {
+        while(keyRecContent->keyPairHist[keyRecContent->numKeyPairs] != NULL) {
+	    rv = cmmf_decode_process_certified_key_pair(poolp, db,
+		       keyRecContent->keyPairHist[keyRecContent->numKeyPairs]);
+	    if (rv != SECSuccess) {
+	        goto loser;
+	    }
+	    keyRecContent->numKeyPairs++;
+	}
+	keyRecContent->allocKeyPairs = keyRecContent->numKeyPairs;
+    }
+    keyRecContent->isDecoded = PR_TRUE;
+    return keyRecContent;
+ loser:
+    if (poolp != NULL) {
+        PORT_FreeArena(poolp, PR_FALSE);
+    }
+    return NULL;
+}
+
diff --git a/security/nss/lib/crmf/cmmfchal.c b/security/nss/lib/crmf/cmmfchal.c
new file mode 100644
index 000000000..3d7ad2319
--- /dev/null
+++ b/security/nss/lib/crmf/cmmfchal.c
@@ -0,0 +1,319 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "cmmf.h"
+#include "cmmfi.h"
+#include "sechash.h"
+#include "genname.h"
+#include "pk11func.h"
+#include "cert.h"
+#include "secitem.h"
+#include "secmod.h"
+#include "keyhi.h"
+
+static int
+cmmf_create_witness_and_challenge(PRArenaPool     *poolp,
+				  CMMFChallenge   *challenge,
+				  long             inRandom,
+				  SECItem         *senderDER,
+				  SECKEYPublicKey *inPubKey,
+				  void            *passwdArg)
+{
+    SECItem       *encodedRandNum;
+    SECItem        encodedRandStr = {siBuffer, NULL, 0};
+    SECItem       *dummy;
+    unsigned char *randHash, *senderHash, *encChal=NULL;
+    unsigned       modulusLen = 0;
+    SECStatus      rv = SECFailure;
+    CMMFRand       randStr= { {siBuffer, NULL, 0}, {siBuffer, NULL, 0}};
+    PK11SlotInfo  *slot;
+    PK11SymKey    *symKey = NULL;
+    CK_OBJECT_HANDLE id;
+    CERTSubjectPublicKeyInfo *spki = NULL;
+
+    
+    encodedRandNum = SEC_ASN1EncodeInteger(poolp, &challenge->randomNumber,
+					   inRandom);
+    encodedRandNum = &challenge->randomNumber;
+    randHash   = PORT_ArenaNewArray(poolp, unsigned char, SHA1_LENGTH);
+    senderHash = PORT_ArenaNewArray(poolp, unsigned char, SHA1_LENGTH);
+    if (randHash == NULL) {
+        goto loser;
+    }
+    rv = PK11_HashBuf(SEC_OID_SHA1, randHash, encodedRandNum->data, 
+		      (uint32)encodedRandNum->len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    rv = PK11_HashBuf(SEC_OID_SHA1, senderHash, senderDER->data,
+		      (uint32)senderDER->len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    challenge->witness.data = randHash;
+    challenge->witness.len  = SHA1_LENGTH;
+
+    randStr.integer    = *encodedRandNum;
+    randStr.senderHash.data = senderHash;
+    randStr.senderHash.len  = SHA1_LENGTH;
+    dummy = SEC_ASN1EncodeItem(NULL, &encodedRandStr, &randStr, 
+			       CMMFRandTemplate);
+    if (dummy != &encodedRandStr) {
+        rv = SECFailure;
+        goto loser;
+    }
+    /* XXXX Now I have to encrypt encodedRandStr and stash it away. */
+    modulusLen = SECKEY_PublicKeyStrength(inPubKey);
+    encChal = PORT_ArenaNewArray(poolp, unsigned char, modulusLen);
+    if (encChal == NULL) {
+        rv = SECFailure;
+        goto loser;
+    }
+    slot =PK11_GetBestSlot(CKM_RSA_PKCS, passwdArg);
+    if (slot == NULL) {
+        rv = SECFailure;
+        goto loser;
+    }
+    id = PK11_ImportPublicKey(slot, inPubKey, PR_FALSE);
+    /* In order to properly encrypt the data, we import as a symmetric
+     * key, and then wrap that key.  That in essence encrypts the data.
+     * This is the method recommended in the PK11 world in order
+     * to prevent threading issues as well as breaking any other semantics
+     * the PK11 libraries depend on.
+     */
+    symKey = PK11_ImportSymKey(slot, CKM_RSA_PKCS, PK11_OriginGenerated,
+			       CKA_VALUE, &encodedRandStr, passwdArg);
+    if (symKey == NULL) {
+        rv = SECFailure;
+	goto loser;
+    }
+    challenge->challenge.data = encChal;
+    challenge->challenge.len  = modulusLen;
+    rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, inPubKey, symKey, 
+			    &challenge->challenge);
+    PK11_FreeSlot(slot);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    rv = SECITEM_CopyItem(poolp, &challenge->senderDER, senderDER);
+    crmf_get_public_value(inPubKey, &challenge->key);
+    /* Fall through */
+ loser:
+    if (spki != NULL) {
+        SECKEY_DestroySubjectPublicKeyInfo(spki);
+    }
+    if (encodedRandStr.data != NULL) {
+        PORT_Free(encodedRandStr.data);
+    }
+    if (encodedRandNum != NULL) {
+        SECITEM_FreeItem(encodedRandNum, PR_TRUE);
+    }
+    if (symKey != NULL) {
+        PK11_FreeSymKey(symKey);
+    }
+    return rv;
+}
+
+static SECStatus
+cmmf_create_first_challenge(CMMFPOPODecKeyChallContent *challContent, 
+			    long                        inRandom, 
+			    SECItem                    *senderDER, 
+			    SECKEYPublicKey            *inPubKey,
+			    void                       *passwdArg)
+{
+    SECOidData     *oidData;
+    CMMFChallenge  *challenge;
+    SECAlgorithmID *algId;
+    PRArenaPool    *poolp;
+    SECStatus       rv;
+
+    oidData = SECOID_FindOIDByTag(SEC_OID_SHA1);
+    if (oidData == NULL) {
+        return SECFailure;
+    }
+    poolp = challContent->poolp;
+    challenge = PORT_ArenaZNew(poolp, CMMFChallenge);
+    if (challenge == NULL) {
+        return SECFailure;
+    }
+    algId = challenge->owf = PORT_ArenaZNew(poolp, SECAlgorithmID);
+    if (algId == NULL) {
+        return SECFailure;
+    }
+    rv = SECITEM_CopyItem(poolp, &algId->algorithm, &oidData->oid);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+    rv = cmmf_create_witness_and_challenge(poolp, challenge, inRandom, 
+					   senderDER, inPubKey, passwdArg);
+    challContent->challenges[0] = (rv == SECSuccess) ? challenge : NULL;
+    challContent->numChallenges++;
+    return rv ;
+}
+
+CMMFPOPODecKeyChallContent*
+CMMF_CreatePOPODecKeyChallContent (void)
+{
+    PRArenaPool *poolp;
+    CMMFPOPODecKeyChallContent *challContent;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        return NULL;
+    }
+    challContent = PORT_ArenaZNew(poolp, CMMFPOPODecKeyChallContent);
+    if (challContent == NULL) {
+        PORT_FreeArena(poolp, PR_FALSE);
+	return NULL;
+    }
+    challContent->poolp = poolp;
+    return challContent;
+}
+
+SECStatus
+CMMF_POPODecKeyChallContentSetNextChallenge
+                                    (CMMFPOPODecKeyChallContent *inDecKeyChall,
+				     long                        inRandom,
+				     CERTGeneralName            *inSender,
+				     SECKEYPublicKey            *inPubKey,
+				     void                       *passwdArg)
+{
+    CMMFChallenge               *curChallenge;
+    PRArenaPool                 *genNamePool = NULL, *poolp;
+    SECStatus                    rv;
+    SECItem                     *genNameDER;
+    void                        *mark;
+
+    PORT_Assert (inDecKeyChall != NULL &&
+		 inSender      != NULL &&
+		 inPubKey      != NULL);
+
+    if (inDecKeyChall == NULL || 
+	inSender      == NULL || inPubKey == NULL) {
+        return SECFailure;
+    }
+    poolp = inDecKeyChall->poolp;
+    mark = PORT_ArenaMark(poolp);
+
+    genNamePool = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    genNameDER = CERT_EncodeGeneralName(inSender, NULL, genNamePool);
+    if (genNameDER == NULL) {
+        rv = SECFailure;
+        goto loser;
+    }
+    if (inDecKeyChall->challenges == NULL) {
+        inDecKeyChall->challenges =
+	    PORT_ArenaZNewArray(poolp, CMMFChallenge*,(CMMF_MAX_CHALLENGES+1));
+	inDecKeyChall->numAllocated = CMMF_MAX_CHALLENGES;
+    }
+
+    if (inDecKeyChall->numChallenges >= inDecKeyChall->numAllocated) {
+        rv = SECFailure;
+        goto loser;
+    }
+
+    if (inDecKeyChall->numChallenges == 0) {
+        rv = cmmf_create_first_challenge(inDecKeyChall, inRandom, 
+					 genNameDER, inPubKey, passwdArg);
+    } else {
+        curChallenge = PORT_ArenaZNew(poolp, CMMFChallenge);
+	if (curChallenge == NULL) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+	rv = cmmf_create_witness_and_challenge(poolp, curChallenge, inRandom, 
+					       genNameDER, inPubKey, 
+					       passwdArg);
+	if (rv == SECSuccess) {
+	    inDecKeyChall->challenges[inDecKeyChall->numChallenges] =
+	        curChallenge;
+	    inDecKeyChall->numChallenges++;
+	}
+    }
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    PORT_ArenaUnmark(poolp, mark);
+    PORT_FreeArena(genNamePool, PR_FALSE);
+    return SECSuccess;
+
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    if (genNamePool != NULL) {
+        PORT_FreeArena(genNamePool, PR_FALSE);
+    }
+    PORT_Assert(rv != SECSuccess);
+    return rv;
+}
+
+SECStatus
+CMMF_DestroyPOPODecKeyRespContent(CMMFPOPODecKeyRespContent *inDecKeyResp)
+{
+    PORT_Assert(inDecKeyResp != NULL);
+    if (inDecKeyResp != NULL && inDecKeyResp->poolp != NULL) {
+        PORT_FreeArena(inDecKeyResp->poolp, PR_FALSE);
+    }
+    return SECSuccess;
+}
+
+int 
+CMMF_POPODecKeyRespContentGetNumResponses(CMMFPOPODecKeyRespContent *inRespCont)
+{
+    int numResponses = 0;
+
+    PORT_Assert(inRespCont != NULL);
+    if (inRespCont == NULL) {
+        return 0;
+    }
+
+    while (inRespCont->responses[numResponses] != NULL) {
+        numResponses ++;
+    }
+    return numResponses;
+}
+
+SECStatus
+CMMF_POPODecKeyRespContentGetResponse (CMMFPOPODecKeyRespContent *inRespCont,
+				       int                        inIndex,
+				       long                      *inDest)
+{
+    PORT_Assert(inRespCont != NULL);
+    
+    if (inRespCont == NULL || inIndex < 0 || 
+	inIndex >= CMMF_POPODecKeyRespContentGetNumResponses(inRespCont)) {
+        return SECFailure;
+    }
+    *inDest = DER_GetInteger(inRespCont->responses[inIndex]);
+    return (*inDest == -1) ? SECFailure : SECSuccess;
+}
diff --git a/security/nss/lib/crmf/cmmfi.h b/security/nss/lib/crmf/cmmfi.h
new file mode 100644
index 000000000..0a476badd
--- /dev/null
+++ b/security/nss/lib/crmf/cmmfi.h
@@ -0,0 +1,127 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * These are the definitions needed by the library internally to implement
+ * CMMF.  Most of these will be helper utilities for manipulating internal
+ * data strucures.
+ */
+#ifndef _CMMFI_H_
+#define _CMMFI_H_
+#include "cmmfit.h"
+#include "crmfi.h"
+
+#define CMMF_MAX_CHALLENGES 10
+#define CMMF_MAX_KEY_PAIRS  50
+
+/*
+ * Some templates that the code will need to implement CMMF.
+ */
+extern const SEC_ASN1Template CMMFCertOrEncCertCertificateTemplate[];
+extern const SEC_ASN1Template CMMFCertOrEncCertEncryptedCertTemplate[];
+extern const SEC_ASN1Template CMMFPOPODecKeyRespContentTemplate[];
+extern const SEC_ASN1Template CMMFRandTemplate[];
+extern const SEC_ASN1Template CMMFSequenceOfCertsTemplate[];
+extern const SEC_ASN1Template CMMFPKIStatusInfoTemplate[];
+extern const SEC_ASN1Template CMMFCertifiedKeyPairTemplate[];
+
+
+/*
+ * Some utility functions that are shared by multiple files in this 
+ * implementation.
+ */
+
+extern SECStatus cmmf_CopyCertResponse (PRArenaPool      *poolp, 
+					CMMFCertResponse *dest, 
+					CMMFCertResponse *src);
+
+extern SECStatus cmmf_CopyPKIStatusInfo (PRArenaPool       *poolp, 
+					 CMMFPKIStatusInfo *dest,
+					 CMMFPKIStatusInfo *src);
+
+extern SECStatus cmmf_CopyCertifiedKeyPair(PRArenaPool          *poolp, 
+					   CMMFCertifiedKeyPair *dest,
+					   CMMFCertifiedKeyPair *src);
+
+extern SECStatus cmmf_DestroyPKIStatusInfo(CMMFPKIStatusInfo *info, 
+					   PRBool freeit);
+
+extern SECStatus cmmf_DestroyCertOrEncCert(CMMFCertOrEncCert *certOrEncCert, 
+					   PRBool freeit);
+
+extern SECStatus cmmf_PKIStatusInfoSetStatus(CMMFPKIStatusInfo    *statusInfo,
+					     PRArenaPool          *poolp,
+					     CMMFPKIStatus         inStatus);
+
+extern SECStatus cmmf_ExtractCertsFromList(CERTCertList      *inCertList,
+					   PRArenaPool       *poolp,
+					   CERTCertificate ***certArray);
+
+extern SECStatus 
+       cmmf_CertOrEncCertSetCertificate(CMMFCertOrEncCert *certOrEncCert,
+					PRArenaPool       *poolp,
+					CERTCertificate   *inCert);
+
+extern CMMFPKIStatus 
+       cmmf_PKIStatusInfoGetStatus(CMMFPKIStatusInfo *inStatus);
+
+extern CERTCertList*
+       cmmf_MakeCertList(CERTCertificate **inCerts);
+
+extern CERTCertificate*
+cmmf_CertOrEncCertGetCertificate(CMMFCertOrEncCert *certOrEncCert,
+                                 CERTCertDBHandle  *certdb);
+
+extern SECStatus
+cmmf_decode_process_cert_response(PRArenaPool      *poolp, 
+				  CERTCertDBHandle *db,
+				  CMMFCertResponse *inCertResp);
+
+extern SECStatus
+cmmf_decode_process_certified_key_pair(PRArenaPool          *poolp,
+				       CERTCertDBHandle     *db,
+				       CMMFCertifiedKeyPair *inCertKeyPair);
+
+extern SECStatus
+cmmf_user_encode(void *src, CRMFEncoderOutputCallback inCallback, void *inArg,
+		 const SEC_ASN1Template *inTemplate);
+
+extern SECStatus
+cmmf_copy_secitem (PRArenaPool *poolp, SECItem *dest, SECItem *src);
+#endif /*_CMMFI_H_*/
+
+
+
+
+
diff --git a/security/nss/lib/crmf/cmmfit.h b/security/nss/lib/crmf/cmmfit.h
new file mode 100644
index 000000000..e6ef02f96
--- /dev/null
+++ b/security/nss/lib/crmf/cmmfit.h
@@ -0,0 +1,145 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _CMMFIT_H_
+#define _CMMFIT_H_
+
+/*
+ * All fields marked by a PKIStausInfo in comments is an integer
+ * with the following possible values.
+ *
+ *  Integer Value          Meaning
+ *  -------------          -------
+ *         0               granted- got exactly what you asked for.
+ *
+ *         1               grantedWithMods-got something like what you asked 
+ *                          for;requester is responsible for ascertainging the
+ *                          differences.
+ *
+ *         2               rejection-you don't get what you asked for; more 
+ *                          information elsewhere in the message
+ *
+ *         3               waiting-the request body part has not yet been 
+ *                          processed, expect to hear more later.
+ *
+ *         4               revocationWarning-this message contains a warning 
+ *                          that a revocation is imminent.
+ *
+ *         5               revocationNotification-notification that a 
+ *                          revocation has occurred.
+ *
+ *         6               keyUpdateWarning-update already done for the 
+ *                          oldCertId specified in FullCertTemplate.
+ */
+
+struct CMMFPKIStatusInfoStr {
+    SECItem status;
+    SECItem statusString;
+    SECItem failInfo;
+};
+
+struct CMMFCertOrEncCertStr {
+    union { 
+        CERTCertificate    *certificate;
+        CRMFEncryptedValue *encryptedCert;
+    } cert;
+    CMMFCertOrEncCertChoice choice;
+    SECItem                 derValue;
+};
+
+struct CMMFCertifiedKeyPairStr {
+    CMMFCertOrEncCert   certOrEncCert;
+    CRMFEncryptedValue *privateKey;
+    SECItem             derPublicationInfo; /* We aren't creating 
+					     * PKIPublicationInfo's, so 
+					     * we'll store away the der 
+					     * here if we decode one that
+					     * does have pubInfo.
+					     */
+    SECItem unwrappedPrivKey;
+};
+
+struct CMMFCertResponseStr {
+    SECItem               certReqId;
+    CMMFPKIStatusInfo     status; /*PKIStatusInfo*/
+    CMMFCertifiedKeyPair *certifiedKeyPair;
+};
+
+struct CMMFCertRepContentStr {
+    CERTCertificate  **caPubs;
+    CMMFCertResponse **response;
+    PRArenaPool       *poolp;
+    PRBool             isDecoded;
+};
+
+struct CMMFChallengeStr {
+    SECAlgorithmID  *owf;
+    SECItem          witness;
+    SECItem          senderDER;
+    SECItem          key;
+    SECItem          challenge;
+    SECItem          randomNumber;
+};
+
+struct CMMFRandStr {
+    SECItem          integer;
+    SECItem          senderHash;
+    CERTGeneralName *sender;
+};
+
+struct CMMFPOPODecKeyChallContentStr {
+    CMMFChallenge **challenges;
+    PRArenaPool    *poolp;
+    int             numChallenges;
+    int             numAllocated;
+};
+
+struct CMMFPOPODecKeyRespContentStr {
+    SECItem     **responses;
+    PRArenaPool  *poolp;
+};
+
+struct CMMFKeyRecRepContentStr {
+    CMMFPKIStatusInfo      status; /* PKIStatusInfo */
+    CERTCertificate       *newSigCert;
+    CERTCertificate      **caCerts;
+    CMMFCertifiedKeyPair **keyPairHist;
+    PRArenaPool           *poolp;
+    int                    numKeyPairs;
+    int                    allocKeyPairs;
+    PRBool                 isDecoded;
+};
+
+#endif /* _CMMFIT_H_ */
+
diff --git a/security/nss/lib/crmf/cmmfrec.c b/security/nss/lib/crmf/cmmfrec.c
new file mode 100644
index 000000000..e58b86aad
--- /dev/null
+++ b/security/nss/lib/crmf/cmmfrec.c
@@ -0,0 +1,338 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * This file will implement the functions related to key recovery in 
+ * CMMF
+ */
+
+#include "nssrenam.h"
+#include "cmmf.h"
+#include "cmmfi.h"
+#include "secitem.h"
+#include "keyhi.h"
+
+CMMFKeyRecRepContent*
+CMMF_CreateKeyRecRepContent(void)
+{
+    PRArenaPool          *poolp;
+    CMMFKeyRecRepContent *keyRecContent;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        return NULL;
+    }
+    keyRecContent = PORT_ArenaZNew(poolp, CMMFKeyRecRepContent);
+    if (keyRecContent == NULL) {
+        PORT_FreeArena(poolp, PR_FALSE);
+	return NULL;
+    }
+    keyRecContent->poolp = poolp;
+    return keyRecContent;
+}
+
+SECStatus
+CMMF_DestroyKeyRecRepContent(CMMFKeyRecRepContent *inKeyRecRep)
+{
+    PORT_Assert(inKeyRecRep != NULL);
+    if (inKeyRecRep != NULL && inKeyRecRep->poolp != NULL) {
+        if (!inKeyRecRep->isDecoded) {
+	    int i;
+
+	    CERT_DestroyCertificate(inKeyRecRep->newSigCert);
+	    if (inKeyRecRep->caCerts != NULL) {
+	        for (i=0; inKeyRecRep->caCerts[i] != NULL; i++) {
+		    CERT_DestroyCertificate(inKeyRecRep->caCerts[i]);
+		}
+	    }
+	    if (inKeyRecRep->keyPairHist != NULL) {
+	        for (i=0; inKeyRecRep->keyPairHist[i] != NULL; i++) {
+		    if (inKeyRecRep->keyPairHist[i]->certOrEncCert.choice ==
+			cmmfCertificate) {
+		        CERT_DestroyCertificate(inKeyRecRep->keyPairHist[i]->
+					       certOrEncCert.cert.certificate);
+		    }
+		}
+	    }
+	}
+        PORT_FreeArena(inKeyRecRep->poolp, PR_TRUE);
+    }
+    return SECSuccess;
+}
+
+SECStatus
+CMMF_KeyRecRepContentSetPKIStatusInfoStatus(CMMFKeyRecRepContent *inKeyRecRep,
+					    CMMFPKIStatus         inPKIStatus)
+{
+    PORT_Assert(inKeyRecRep != NULL && inPKIStatus >= cmmfGranted &&
+		inPKIStatus < cmmfNumPKIStatus);
+    if (inKeyRecRep == NULL) {
+        return SECFailure;
+    }
+    
+    return cmmf_PKIStatusInfoSetStatus(&inKeyRecRep->status, 
+				       inKeyRecRep->poolp,
+				       inPKIStatus);
+}
+
+SECStatus
+CMMF_KeyRecRepContentSetNewSignCert(CMMFKeyRecRepContent *inKeyRecRep,
+				    CERTCertificate      *inNewSignCert)
+{
+    PORT_Assert (inKeyRecRep != NULL && inNewSignCert != NULL);
+    if (inKeyRecRep == NULL || inNewSignCert == NULL) {
+        return SECFailure;
+    }
+    inKeyRecRep->newSigCert = CERT_DupCertificate(inNewSignCert);
+    return (inKeyRecRep->newSigCert == NULL) ? SECFailure : SECSuccess;    
+}
+
+SECStatus
+CMMF_KeyRecRepContentSetCACerts(CMMFKeyRecRepContent *inKeyRecRep,
+				CERTCertList         *inCACerts)
+{
+    SECStatus rv;
+    void *mark;
+
+    PORT_Assert (inKeyRecRep != NULL && inCACerts != NULL);
+    if (inKeyRecRep == NULL || inCACerts == NULL) {
+        return SECFailure;
+    }
+    mark = PORT_ArenaMark(inKeyRecRep->poolp);
+    rv = cmmf_ExtractCertsFromList(inCACerts, inKeyRecRep->poolp,
+				   &inKeyRecRep->caCerts);
+    if (rv != SECSuccess) {
+        PORT_ArenaRelease(inKeyRecRep->poolp, mark);
+    } else {
+        PORT_ArenaUnmark(inKeyRecRep->poolp, mark);
+    }
+    return rv;
+}
+
+SECStatus
+CMMF_KeyRecRepContentSetCertifiedKeyPair(CMMFKeyRecRepContent *inKeyRecRep,
+					 CERTCertificate      *inCert,
+					 SECKEYPrivateKey     *inPrivKey,
+					 SECKEYPublicKey      *inPubKey)
+{
+    CMMFCertifiedKeyPair *keyPair;
+    CRMFEncryptedValue   *dummy;
+    PRArenaPool          *poolp;
+    void                 *mark;
+    SECStatus             rv;
+
+    PORT_Assert (inKeyRecRep != NULL &&
+		 inCert      != NULL &&
+		 inPrivKey   != NULL &&
+		 inPubKey    != NULL);
+    if (inKeyRecRep == NULL ||
+	inCert      == NULL ||
+	inPrivKey   == NULL ||
+	inPubKey    == NULL) {
+        return SECFailure;
+    }
+    poolp = inKeyRecRep->poolp;
+    mark = PORT_ArenaMark(poolp);
+    if (inKeyRecRep->keyPairHist == NULL) {
+        inKeyRecRep->keyPairHist = PORT_ArenaNewArray(poolp, 
+						      CMMFCertifiedKeyPair*,
+						      (CMMF_MAX_KEY_PAIRS+1));
+	if (inKeyRecRep->keyPairHist == NULL) {
+	    goto loser;
+	}
+	inKeyRecRep->allocKeyPairs = CMMF_MAX_KEY_PAIRS;
+	inKeyRecRep->numKeyPairs   = 0;
+    }
+
+    if (inKeyRecRep->allocKeyPairs == inKeyRecRep->numKeyPairs) {
+        goto loser;
+    }
+    
+    keyPair = PORT_ArenaZNew(poolp, CMMFCertifiedKeyPair);
+    if (keyPair == NULL) {
+        goto loser;
+    }
+    rv = cmmf_CertOrEncCertSetCertificate(&keyPair->certOrEncCert,
+					  poolp, inCert);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    keyPair->privateKey = PORT_ArenaZNew(poolp, CRMFEncryptedValue);
+    if (keyPair->privateKey == NULL) {
+        goto loser;
+    }
+    dummy = crmf_create_encrypted_value_wrapped_privkey(inPrivKey, inPubKey, 
+							keyPair->privateKey);
+    PORT_Assert(dummy = keyPair->privateKey);
+    if (dummy != keyPair->privateKey) {
+        crmf_destroy_encrypted_value(dummy, PR_TRUE);
+	goto loser;
+    }
+    inKeyRecRep->keyPairHist[inKeyRecRep->numKeyPairs] = keyPair;
+    inKeyRecRep->numKeyPairs++;
+    inKeyRecRep->keyPairHist[inKeyRecRep->numKeyPairs] = NULL;
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    return SECFailure;
+}
+
+CMMFPKIStatus
+CMMF_KeyRecRepContentGetPKIStatusInfoStatus(CMMFKeyRecRepContent *inKeyRecRep)
+{
+    PORT_Assert(inKeyRecRep != NULL);
+    if (inKeyRecRep == NULL) {
+        return cmmfNoPKIStatus;
+    }
+    return cmmf_PKIStatusInfoGetStatus(&inKeyRecRep->status);
+}
+
+CERTCertificate*
+CMMF_KeyRecRepContentGetNewSignCert(CMMFKeyRecRepContent *inKeyRecRep)
+{
+    PORT_Assert(inKeyRecRep != NULL);
+    if (inKeyRecRep             == NULL ||
+	inKeyRecRep->newSigCert == NULL) {
+        return NULL;
+    }
+    return CERT_NewTempCertificate(CERT_GetDefaultCertDB(), 
+			          &inKeyRecRep->newSigCert->signatureWrap.data,
+				   NULL, PR_FALSE, PR_TRUE);
+}
+
+CERTCertList*
+CMMF_KeyRecRepContentGetCACerts(CMMFKeyRecRepContent *inKeyRecRep)
+{
+    PORT_Assert(inKeyRecRep != NULL);
+    if (inKeyRecRep == NULL || inKeyRecRep->caCerts == NULL) {
+        return NULL;
+    }
+    return cmmf_MakeCertList(inKeyRecRep->caCerts);
+}
+
+int 
+CMMF_KeyRecRepContentGetNumKeyPairs(CMMFKeyRecRepContent *inKeyRecRep)
+{
+    PORT_Assert(inKeyRecRep != NULL);
+    return (inKeyRecRep == NULL) ? 0 : inKeyRecRep->numKeyPairs;
+}
+
+PRBool
+cmmf_KeyRecRepContentIsValidIndex(CMMFKeyRecRepContent *inKeyRecRep,
+				  int                   inIndex)
+{
+    int numKeyPairs = CMMF_KeyRecRepContentGetNumKeyPairs(inKeyRecRep);
+    
+    return (PRBool)(inIndex >= 0 && inIndex < numKeyPairs);
+}
+
+CMMFCertifiedKeyPair*
+CMMF_KeyRecRepContentGetCertKeyAtIndex(CMMFKeyRecRepContent *inKeyRecRep,
+				       int                   inIndex)
+{
+    CMMFCertifiedKeyPair *newKeyPair;
+    SECStatus             rv;
+
+    PORT_Assert(inKeyRecRep != NULL &&
+		cmmf_KeyRecRepContentIsValidIndex(inKeyRecRep, inIndex));
+    if (inKeyRecRep == NULL ||
+	!cmmf_KeyRecRepContentIsValidIndex(inKeyRecRep, inIndex)) {
+        return NULL;
+    }
+    newKeyPair = PORT_ZNew(CMMFCertifiedKeyPair);
+    if (newKeyPair == NULL) {
+        return NULL;
+    }
+    rv = cmmf_CopyCertifiedKeyPair(NULL, newKeyPair, 
+				   inKeyRecRep->keyPairHist[inIndex]);
+    if (rv != SECSuccess) {
+        CMMF_DestroyCertifiedKeyPair(newKeyPair);
+	newKeyPair = NULL;
+    }
+    return newKeyPair;
+}
+
+SECStatus 
+CMMF_CertifiedKeyPairUnwrapPrivKey(CMMFCertifiedKeyPair *inKeyPair,
+				   SECKEYPrivateKey     *inPrivKey,
+				   SECItem              *inNickName,
+				   PK11SlotInfo         *inSlot,
+				   CERTCertDBHandle     *inCertdb,
+				   SECKEYPrivateKey    **destPrivKey,
+				   void                 *wincx)
+{
+    CERTCertificate *cert;
+    SECItem keyUsageValue = {siBuffer, NULL, 0};
+    unsigned char keyUsage = 0x0;
+    SECKEYPublicKey *pubKey;
+    SECStatus rv;
+
+    PORT_Assert(inKeyPair != NULL &&
+		inPrivKey != NULL && inCertdb != NULL);
+    if (inKeyPair             == NULL ||
+	inPrivKey             == NULL ||
+	inKeyPair->privateKey == NULL ||
+	inCertdb              == NULL) {
+        return SECFailure;
+    }
+    
+    cert = CMMF_CertifiedKeyPairGetCertificate(inKeyPair, inCertdb);
+    CERT_FindKeyUsageExtension(cert, &keyUsageValue);
+    if (keyUsageValue.data != NULL) {
+        keyUsage = keyUsageValue.data[3];
+	PORT_Free(keyUsageValue.data);
+    }
+    pubKey = CERT_ExtractPublicKey(cert);
+    rv = crmf_encrypted_value_unwrap_priv_key(NULL, inKeyPair->privateKey,
+					      inPrivKey, pubKey, 
+					      inNickName, inSlot, keyUsage, 
+					      destPrivKey, wincx);
+    SECKEY_DestroyPublicKey(pubKey);
+    CERT_DestroyCertificate(cert);
+    return rv;
+}
+
+
+PRBool 
+CMMF_KeyRecRepContentHasCACerts(CMMFKeyRecRepContent *inKeyRecRep)
+{
+    PORT_Assert(inKeyRecRep != NULL);
+    if (inKeyRecRep == NULL) {
+        return PR_FALSE;
+    }
+    return (PRBool)(inKeyRecRep->caCerts    != NULL && 
+		    inKeyRecRep->caCerts[0] != NULL);
+}
diff --git a/security/nss/lib/crmf/cmmfresp.c b/security/nss/lib/crmf/cmmfresp.c
new file mode 100644
index 000000000..b26fb39fb
--- /dev/null
+++ b/security/nss/lib/crmf/cmmfresp.c
@@ -0,0 +1,312 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * This file will contain all routines dealing with creating a 
+ * CMMFCertRepContent structure through Create/Set functions.
+ */
+
+#include "cmmf.h"
+#include "cmmfi.h"
+#include "crmf.h"
+#include "crmfi.h"
+#include "secitem.h"
+#include "secder.h"
+
+CMMFCertRepContent*
+CMMF_CreateCertRepContent(void)
+{
+    CMMFCertRepContent *retCertRep;
+    PRArenaPool        *poolp;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        goto loser;
+    }
+    retCertRep = PORT_ArenaZNew(poolp, CMMFCertRepContent);
+    if (retCertRep == NULL) {
+        goto loser;
+    }
+    retCertRep->poolp = poolp;
+    return retCertRep;
+ loser:
+    if (poolp != NULL) {
+        PORT_FreeArena(poolp, PR_FALSE);
+    }
+    return NULL;
+}
+
+SECStatus 
+cmmf_CertOrEncCertSetCertificate(CMMFCertOrEncCert *certOrEncCert,
+				 PRArenaPool       *poolp,
+				 CERTCertificate   *inCert)
+{
+    SECItem               *derDest = NULL;
+    SECStatus             rv = SECFailure;
+
+    if (inCert->derCert.data == NULL) {
+        derDest = SEC_ASN1EncodeItem(NULL, NULL, inCert, 
+				     CMMFCertOrEncCertCertificateTemplate);
+	if (derDest == NULL) {
+	    goto loser;
+	}
+    } else {
+        derDest = SECITEM_DupItem(&inCert->derCert);
+	if (derDest == NULL) {
+	    goto loser;
+	}
+    }
+    PORT_Assert(certOrEncCert->cert.certificate == NULL);
+    certOrEncCert->cert.certificate = CERT_DupCertificate(inCert);
+    certOrEncCert->choice = cmmfCertificate;
+    if (poolp != NULL) {
+        rv = SECITEM_CopyItem(poolp, &certOrEncCert->derValue, derDest);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    } else {
+        certOrEncCert->derValue = *derDest;
+    }
+    PORT_Free(derDest);
+    return SECSuccess;
+ loser:
+    if (derDest != NULL) {
+        SECITEM_FreeItem(derDest, PR_TRUE);
+    }
+    return rv;
+}
+
+SECStatus
+cmmf_ExtractCertsFromList(CERTCertList      *inCertList,
+			  PRArenaPool       *poolp,
+			  CERTCertificate ***certArray)
+{
+    CERTCertificate  **arrayLocalCopy;
+    CERTCertListNode  *node;
+    int                numNodes = 0, i;
+
+    for (node = CERT_LIST_HEAD(inCertList); !CERT_LIST_END(node, inCertList);
+	 node = CERT_LIST_NEXT(node)) {
+        numNodes++;
+    }
+
+    arrayLocalCopy = *certArray = (poolp == NULL) ?
+                    PORT_NewArray(CERTCertificate*, (numNodes+1)) :
+                    PORT_ArenaNewArray(poolp, CERTCertificate*, (numNodes+1));
+    if (arrayLocalCopy == NULL) {
+        return SECFailure;
+    }
+    for (node = CERT_LIST_HEAD(inCertList), i=0; 
+	 !CERT_LIST_END(node, inCertList);
+	 node = CERT_LIST_NEXT(node), i++) {
+        arrayLocalCopy[i] = CERT_DupCertificate(node->cert);
+	if (arrayLocalCopy[i] == NULL) {
+	    int j;
+	    
+	    for (j=0; j<i; j++) {
+	        CERT_DestroyCertificate(arrayLocalCopy[j]);
+	    }
+	    if (poolp == NULL) {
+	        PORT_Free(arrayLocalCopy);
+	    }
+	    *certArray = NULL;
+	    return SECFailure;
+	}
+    }
+    arrayLocalCopy[numNodes] = NULL;
+    return SECSuccess;
+}
+
+SECStatus
+CMMF_CertRepContentSetCertResponses(CMMFCertRepContent *inCertRepContent,
+				    CMMFCertResponse  **inCertResponses,
+				    int                 inNumResponses)
+{
+    PRArenaPool       *poolp;
+    CMMFCertResponse **respArr, *newResp;
+    void              *mark;
+    SECStatus          rv;
+    int                i;
+
+    PORT_Assert (inCertRepContent != NULL &&
+		 inCertResponses  != NULL &&
+		 inNumResponses    > 0);
+    if (inCertRepContent == NULL ||
+	inCertResponses  == NULL ||
+	inCertRepContent->response != NULL) {
+        return SECFailure;
+    }
+    poolp = inCertRepContent->poolp;
+    mark = PORT_ArenaMark(poolp);
+    respArr = inCertRepContent->response = 
+        PORT_ArenaZNewArray(poolp, CMMFCertResponse*, (inNumResponses+1));
+    if (respArr == NULL) {
+        goto loser;
+    }
+    for (i=0; i<inNumResponses; i++) {
+        newResp = PORT_ArenaZNew(poolp, CMMFCertResponse);
+	if (newResp == NULL) {
+	    goto loser;
+	}
+        rv = cmmf_CopyCertResponse(poolp, newResp, inCertResponses[i]);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+	respArr[i] = newResp;
+    }
+    respArr[inNumResponses] = NULL;
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    return SECFailure;
+}
+
+CMMFCertResponse*
+CMMF_CreateCertResponse(long inCertReqId)
+{
+    SECItem          *dummy;
+    CMMFCertResponse *newResp;
+    
+    newResp = PORT_ZNew(CMMFCertResponse);
+    if (newResp == NULL) {
+        goto loser;
+    }
+    dummy = SEC_ASN1EncodeInteger(NULL, &newResp->certReqId, inCertReqId);
+    if (dummy != &newResp->certReqId) {
+        goto loser;
+    }
+    return newResp;
+
+ loser:
+    if (newResp != NULL) {
+        CMMF_DestroyCertResponse(newResp);
+    }
+    return NULL;
+}
+
+SECStatus
+CMMF_CertResponseSetPKIStatusInfoStatus(CMMFCertResponse *inCertResp,
+					CMMFPKIStatus     inPKIStatus)
+{
+    PORT_Assert (inCertResp != NULL && inPKIStatus >= cmmfGranted
+		 && inPKIStatus < cmmfNumPKIStatus);
+
+    if  (inCertResp == NULL) {
+        return SECFailure;
+    }
+    return cmmf_PKIStatusInfoSetStatus(&inCertResp->status, NULL,
+				       inPKIStatus);
+}
+
+SECStatus
+CMMF_CertResponseSetCertificate (CMMFCertResponse *inCertResp,
+				 CERTCertificate  *inCertificate)
+{
+    CMMFCertifiedKeyPair *keyPair = NULL;
+    SECStatus             rv = SECFailure;
+
+    PORT_Assert(inCertResp != NULL && inCertificate != NULL);
+    if (inCertResp == NULL || inCertificate == NULL) {
+        return SECFailure;
+    }
+    if (inCertResp->certifiedKeyPair == NULL) {
+        keyPair = inCertResp->certifiedKeyPair = 
+	    PORT_ZNew(CMMFCertifiedKeyPair);
+    } else {
+        keyPair = inCertResp->certifiedKeyPair;
+    }
+    if (keyPair == NULL) {
+        goto loser;
+    }
+    rv = cmmf_CertOrEncCertSetCertificate(&keyPair->certOrEncCert, NULL,
+					  inCertificate);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return SECSuccess;
+ loser:
+    if (keyPair) {
+        if (keyPair->certOrEncCert.derValue.data) {
+	    PORT_Free(keyPair->certOrEncCert.derValue.data);
+	}
+	PORT_Free(keyPair);
+    }
+    return rv;
+}
+
+
+SECStatus
+CMMF_CertRepContentSetCAPubs(CMMFCertRepContent *inCertRepContent,
+			     CERTCertList       *inCAPubs)
+{
+    PRArenaPool      *poolp;
+    void             *mark;
+    SECStatus         rv;
+
+    PORT_Assert(inCertRepContent != NULL &&
+		inCAPubs         != NULL &&
+		inCertRepContent->caPubs == NULL);
+    
+    if (inCertRepContent == NULL ||
+	inCAPubs == NULL || inCertRepContent == NULL) {
+        return SECFailure;
+    }
+
+    poolp = inCertRepContent->poolp;
+    mark = PORT_ArenaMark(poolp);
+
+    rv = cmmf_ExtractCertsFromList(inCAPubs, poolp,
+				   &inCertRepContent->caPubs);
+
+    if (rv != SECSuccess) {
+        PORT_ArenaRelease(poolp, mark);
+    } else {
+        PORT_ArenaUnmark(poolp, mark);
+    }
+    return rv;
+}
+
+CERTCertificate*
+CMMF_CertifiedKeyPairGetCertificate(CMMFCertifiedKeyPair *inCertKeyPair,
+				    CERTCertDBHandle     *inCertdb)
+{
+    PORT_Assert(inCertKeyPair != NULL);
+    if (inCertKeyPair == NULL) {
+        return NULL;
+    }
+    return cmmf_CertOrEncCertGetCertificate(&inCertKeyPair->certOrEncCert,
+					    inCertdb);
+}
diff --git a/security/nss/lib/crmf/cmmft.h b/security/nss/lib/crmf/cmmft.h
new file mode 100644
index 000000000..078253057
--- /dev/null
+++ b/security/nss/lib/crmf/cmmft.h
@@ -0,0 +1,102 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _CMMFT_H_
+#define _CMMFT_H_
+
+#include "secasn1.h"
+
+/*
+ * These are the enumerations used to distinguish between the different
+ * choices available for the CMMFCertOrEncCert structure.
+ */
+typedef enum {
+    cmmfNoCertOrEncCert = 0,
+    cmmfCertificate = 1,
+    cmmfEncryptedCert = 2
+} CMMFCertOrEncCertChoice;
+
+/*
+ * This is the enumeration and the corresponding values used to 
+ * represent the CMMF type PKIStatus
+ */
+typedef enum {
+    cmmfNoPKIStatus = -1,
+    cmmfGranted = 0,
+    cmmfGrantedWithMods = 1,
+    cmmfRejection = 2,
+    cmmfWaiting = 3,
+    cmmfRevocationWarning = 4,
+    cmmfRevocationNotification = 5,
+    cmmfKeyUpdateWarning = 6,
+    cmmfNumPKIStatus
+} CMMFPKIStatus;
+
+/*
+ * These enumerations are used to represent the corresponding values
+ * in PKIFailureInfo defined in CMMF.
+ */
+typedef enum {
+    cmmfBadAlg = 0,
+    cmmfBadMessageCheck = 1,
+    cmmfBadRequest = 2,
+    cmmfBadTime = 3,
+    cmmfBadCertId = 4,
+    cmmfBadDataFormat = 5,
+    cmmfWrongAuthority = 6,
+    cmmfIncorrectData = 7,
+    cmmfMissingTimeStamp = 8,
+    cmmfNoFailureInfo = 9
+} CMMFPKIFailureInfo;
+
+typedef struct CMMFPKIStatusInfoStr          CMMFPKIStatusInfo;
+typedef struct CMMFCertOrEncCertStr          CMMFCertOrEncCert;
+typedef struct CMMFCertifiedKeyPairStr       CMMFCertifiedKeyPair;
+typedef struct CMMFCertResponseStr           CMMFCertResponse;
+typedef struct CMMFCertResponseSeqStr        CMMFCertResponseSeq;
+typedef struct CMMFPOPODecKeyChallContentStr CMMFPOPODecKeyChallContent;
+typedef struct CMMFChallengeStr              CMMFChallenge;
+typedef struct CMMFRandStr                   CMMFRand;
+typedef struct CMMFPOPODecKeyRespContentStr  CMMFPOPODecKeyRespContent;
+typedef struct CMMFKeyRecRepContentStr       CMMFKeyRecRepContent;
+typedef struct CMMFCertRepContentStr         CMMFCertRepContent;
+
+/* Export this so people can call SEC_ASN1EncodeItem instead of having to 
+ * write callbacks that are passed in to the high level encode function
+ * for CMMFCertRepContent.
+ */
+extern const SEC_ASN1Template CMMFCertRepContentTemplate[];
+extern const SEC_ASN1Template CMMFPOPODecKeyChallContentTemplate[];
+
+#endif /*_CMMFT_H_*/
diff --git a/security/nss/lib/crmf/config.mk b/security/nss/lib/crmf/config.mk
new file mode 100644
index 000000000..3b647d954
--- /dev/null
+++ b/security/nss/lib/crmf/config.mk
@@ -0,0 +1,44 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+# 
+
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/crmf/crmf.h b/security/nss/lib/crmf/crmf.h
new file mode 100644
index 000000000..cf7b91095
--- /dev/null
+++ b/security/nss/lib/crmf/crmf.h
@@ -0,0 +1,1779 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+
+#ifndef _CRMF_H_
+#define _CRMF_H_
+
+#include "seccomon.h"
+#include "cert.h"
+#include "crmft.h"
+#include "secoid.h"
+#include "secpkcs7.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+ * FUNCTION: CRMF_EncodeCertReqMsg
+ * INPUTS:
+ *    inCertReqMsg
+ *        The Certificate Request Message to be encoded.
+ *    fn
+ *        A Callback function that the ASN1 encoder calls whenever
+ *        the encoder wants to write out some DER encoded bytes.
+ *    arg
+ *        An opaque pointer that gets passed to the function fn
+ * OUTPUT:
+ *    The function fn will be called multiple times.  Look at the
+ *    comments in crmft.h where the CRMFEncoderOutputCallback type is 
+ *    defined for information on proper behavior of the function fn.
+ * RETURN:
+ *    SECSuccess if encoding was successful.  Any other return value
+ *    indicates an error occurred during encoding.
+ */
+extern SECStatus 
+        CRMF_EncodeCertReqMsg (CRMFCertReqMsg            *inCertReqMsg, 
+			       CRMFEncoderOutputCallback  fn,
+			       void                      *arg);
+
+/*
+ * FUNCTION: CRMF_EncoderCertRequest
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate Request to be encoded.
+ *    fn
+ *        A Callback function that the ASN1 encoder calls whenever
+ *        the encoder wants to write out some DER encoded bytes.
+ *    arg
+ *        An opaque pointer that gets passed to the function fn.
+ * OUTPUT:
+ *    The function fn will be called, probably multiple times whenever 
+ *    the ASN1 encoder wants to write out DER-encoded bytes.  Look at the 
+ *    comments in crmft.h where the CRMFEncoderOuputCallback type is
+ *    defined for information on proper behavior of the funciton fn.
+ * RETURN:
+ *    SECSuccess if encoding was successful.  Any other return value 
+ *    indicates an error occured during encoding.
+ */
+extern SECStatus CRMF_EncodeCertRequest (CRMFCertRequest           *inCertReq,
+					 CRMFEncoderOutputCallback  fn,
+					 void                      *arg);
+/*
+ * FUNCTION: CRMF_EncodeCertReqMessages
+ * INPUTS:
+ *    inCertReqMsgs
+ *        An array of pointers to the Certificate Request Messages
+ *        to encode.  The user must place a NULL pointer in the index
+ *        after the last message to be encoded.  When the library runs
+ *        into the NULL pointer, the library assumes there are no more
+ *        messages to encode.
+ *    fn
+ *        A Callback function that the ASN1 encoder calls whenever
+ *        the encoder wants to write out some DER encoded byts.
+ *    arg
+ *        An opaque pointer that gets passed to the function fn.
+ *
+ * NOTES:
+ *    The parameter inCertReqMsgs needs to be an array with a NULL pointer
+ *    to signal the end of messages.  An array in the form of 
+ *    {m1, m2, m3, NULL, m4, ...} will only encode the messages m1, m2, and
+ *    m3.  All messages from m4 on will not be looked at by the library.
+ *
+ * OUTPUT:
+ *    The function fn will be called, probably multiple times.  Look at the 
+ *    comments in crmft.h where the CRMFEncoderOuputCallback type is
+ *    defined for information on proper behavior of the funciton fn.
+ *
+ * RETURN:
+ * SECSuccess if encoding the Certificate Request Messages was successful. 
+ * Any other return value indicates an error occurred while encoding the
+ * certificate request messages.
+ */
+extern SECStatus 
+       CRMF_EncodeCertReqMessages(CRMFCertReqMsg           **inCertReqMsgs,
+				  CRMFEncoderOutputCallback  fn,
+				  void                      *arg);
+
+
+/*
+ * FUNCTION: CRMF_CreateCertReqMsg
+ * INPUTS:
+ *    NONE
+ * OUTPUT:
+ *    An empty CRMF Certificate Request Message.
+ *    Before encoding this message, the user must set
+ *    the ProofOfPossession field and the certificate 
+ *    request which are necessary for the full message.
+ *    After the user no longer needs this CertReqMsg,
+ *    the user must call CRMF_DestroyCertReqMsg to free
+ *    all memory associated with the Certificate Request
+ *    Message.
+ * RETURN:
+ *    A pointer to a Certificate Request Message.  The user 
+ *    must pass the return value of this function to 
+ *    CRMF_DestroyCertReqMsg after the Certificate Request
+ *    Message is no longer necessary.
+ */
+extern CRMFCertReqMsg* CRMF_CreateCertReqMsg(void);
+
+/*
+ * FUNCTION: CRMF_DestroyCertReqMsg
+ * INPUTS:
+ *    inCertReqMsg
+ *        The Certificate Request Message to destroy.
+ *  NOTES:
+ *    This function frees all the memory used for the Certificate
+ *    Request Message and all the memory used in making copies of
+ *    fields of elelments of the message, eg. the Proof Of Possession
+ *    filed and the Cetificate Request.  
+ * RETURN:
+ *    SECSuccess if destruction was successful.  Any other return value
+ *    indicates an error while trying to free the memory associated
+ *    with inCertReqMsg.
+ *    
+ */
+extern SECStatus CRMF_DestroyCertReqMsg(CRMFCertReqMsg *inCertReqMsg);
+
+/*
+ * FUNCTION: CRMF_CertReqMsgSetCertRequest
+ * INPUTS:
+ *    inCertReqMsg
+ *        The Certificate Request Message that the function will set
+ *        the certificate request for.
+ *    inCertReq
+ *        The Certificate Request that will be added to the Certificate
+ *        Request Message.
+ * NOTES:
+ *    This function will make a copy of the Certificate Request passed in
+ *    and store it as part of the Certificate Request Message.  Therefore,
+ *    the user must not call this function until the Certificate Request
+ *    has been fully built and is ready to be encoded.
+ * RETURN:
+ *    SECSuccess 
+ *        If copying the Certificate as a member of the Certificate
+ *        request message was successful.
+ *    Any other return value indicates a failure to copy the Certificate
+ *    Request and make it a part of the Certificate Request Message.
+ */
+extern SECStatus CRMF_CertReqMsgSetCertRequest(CRMFCertReqMsg  *inCertReqMsg, 
+					       CRMFCertRequest *inCertReq);
+
+/*
+ * FUNCTION: CRMF_CreateCertRequest
+ * INPUTS:
+ *    inRequestID
+ *        The ID that will be associated with this certificate request.
+ * OUTPUTS:
+ *    A certificate request which only has the requestID set.
+ * NOTES:
+ *    The user must call the function CRMF_DestroyCertRequest when
+ *    the returned value is no longer needed.  This is usually the
+ *    case after fully constructing the Certificate Request and then
+ *    calling the function CRMF_CertReqMsgSetCertRequest.
+ * RETURN:
+ *    A pointer to the new Certificate Request.  A NULL return value
+ *    indicates an error in creating the Certificate Request.
+ */
+extern CRMFCertRequest *CRMF_CreateCertRequest (long inRequestID);
+
+/*
+ * FUNCTION: CRMF_DestroyCertRequest
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate Request that will be destroyed.
+ * RETURN:
+ *    SECSuccess
+ *        If freeing the memory associated with the certificate request 
+ *        was successful.
+ *    Any other return value indicates an error while trying to free the 
+ *    memory.
+ */
+extern SECStatus CRMF_DestroyCertRequest (CRMFCertRequest *inCertReq);
+
+/*
+ * FUNCTION: CRMF_CreateCertExtension
+ * INPUTS:
+ *    id
+ *        The SECOidTag to associate with this CertExtension.  This must
+ *        correspond to a valid Certificate Extension, if not the function
+ *        will fail.
+ *    isCritical
+ *        A boolean value stating if the extension value is crtical.  PR_TRUE
+ *        means the value is crtical.  PR_FALSE indicates the value is not 
+ *        critical.
+ *    data
+ *        This is the data associated with the extension.  The user of the
+ *        library is responsible for making sure the value passed in is a
+ *        valid interpretation of the certificate extension.
+ * NOTES:
+ * Use this function to create CRMFCertExtension Structures which will 
+ * then be passed to CRMF_AddFieldToCertTemplate as part of the 
+ * CRMFCertCreationInfo.extensions  The user must call 
+ * CRMF_DestroyCertExtension after the extension has been added to a certifcate
+ * and the extension is no longer needed.
+ *
+ * RETURN:
+ * A pointer to a newly created CertExtension.  A return value of NULL
+ * indicates the id passed in was an invalid certificate extension.
+ */
+extern CRMFCertExtension *CRMF_CreateCertExtension(SECOidTag      id, 
+						   PRBool         isCritical,
+						   SECItem       *data);
+
+/*
+ * FUNCTION: CMRF_DestroyCertExtension
+ * INPUTS:
+ *    inExtension
+ *        The Cert Extension to destroy
+ * NOTES:
+ * Destroy a structure allocated by CRMF_CreateCertExtension.
+ *
+ * RETURN:
+ * SECSuccess if freeing the memory associated with the certificate extension
+ * was successful.  Any other error indicates an error while freeing the 
+ * memory.
+ */
+extern SECStatus CRMF_DestroyCertExtension(CRMFCertExtension *inExtension);
+
+/* 
+ * FUNCTION: CRMF_CertRequestSetTemplateField
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate Request to operate on.
+ *    inTemplateField
+ *        An enumeration that indicates which field of the Certificate
+ *        template to add.
+ *    data
+ *        A generic pointer that will be type cast according to the
+ *        table under NOTES and used as the key for adding to the
+ *        certificate template;
+ * NOTES:
+ *
+ * Below is a table that tells what type to pass in as data
+ * depending on the template field one wants to set.
+ *
+ * Look in crmft.h for the definition of CRMFCertTemplateField.
+ * 
+ * In all cases, the library makes copies of the data passed in.
+ *
+ *   CRMFCertTemplateField    Type of data    What data means
+ *   ---------------------    ------------    ---------------
+ *   crmfVersion              long *          The version of
+ *                                            the certificate
+ *                                            to be created.
+ *
+ *   crmfSerialNumber         long *          The serial number
+ *                                            for the cert to be
+ *                                            created.
+ *   
+ *   crmfSigningAlg           SECAlgorithm *  The ASN.1 object ID for
+ *                                            the algorithm used in encoding
+ *                                            the certificate.
+ *
+ *   crmfIssuer               CERTName *      Certificate Library 
+ *                                            representation of the ASN1 type
+ *                                            Name from X.509
+ *
+ *   crmfValidity     CRMFValidityCreationInfo *  At least one of the two
+ *                                                fields in the structure must
+ *                                                be present.  A NULL pointer 
+ *                                                in the structure indicates
+ *                                                that member should not be 
+ *                                                added.
+ *
+ *   crmfSubject              CERTName *      Certificate Library 
+ *                                            representation of the ASN1 type
+ *                                            Name from X.509
+ *
+ *   crmfPublicKey    CERTSubjectPublicKeyInfo *  The public key info for the
+ *                                                certificate being requested.
+ *
+ *   crmfIssuerUID            SECItem *           A bit string representation
+ *                                                of the issuer UID. NOTE: The
+ *                                                length is the number of bits
+ *                                                and not the number of bytes.
+ *
+ *   crmfSubjectUID           SECItem*            A bit string representation
+ *                                                of the subject UID. NOTE: The
+ *                                                length is the number of bits
+ *                                                and not the number of bytes.
+ *
+ *   crmfExtension   CRMFCertExtCreationInfo *     A pointer to the structure
+ *                                                 populated with an array of 
+ *                                                 of certificate extensions
+ *                                                 and an integer that tells
+ *                                                 how many elements are in the
+ *                                                 array. Look in crmft.h for
+ *                                                 the definition of 
+ *                                                 CRMFCertExtCreationInfo
+ * RETURN:
+ *    SECSuccess if adding the desired field to the template was successful.
+ *    Any other return value indicates failure when trying to add the field 
+ *    to the template.
+ *                                                
+ */
+extern SECStatus
+  CRMF_CertRequestSetTemplateField(CRMFCertRequest       *inCertReq, 
+				   CRMFCertTemplateField  inTemplateField,
+				   void                  *data);
+
+/*
+ * FUNCTION: CRMF_CertRequestIsFieldPresent
+ * INPUTS:
+ *    inCertReq
+ *        The certificate request to operate on.
+ *    inTemplateField
+ *        The enumeration for the template field the user wants to query
+ *        about.
+ * NOTES:
+ * This function checks to see if the the field associated with inTemplateField
+ * enumeration is already present in the certificate request passed in.
+ *
+ * RETURN:
+ * The function returns PR_TRUE if the field associated with inTemplateField
+ * is already present in the certificate request.  If the field is not present
+ * the function returns PR_FALSE.
+ */
+extern PRBool
+  CRMF_CertRequestIsFieldPresent(CRMFCertRequest       *inCertReq,
+				 CRMFCertTemplateField  inTemplateField);
+
+/*
+ * FUNCTION: CRMF_CertRequestIsControlPresent
+ * INPUTS:
+ *    inCertReq
+ *        The certificate request to operate on.
+ *    inControlType
+ *        The type of control to look for.
+ * NOTES:
+ * This function looks at the control present in the certificate request
+ * and returns PR_TRUE iff a control of type inControlType already exists.
+ * The CRMF draft does not explicitly state that two controls of the same
+ * type can not exist within the same request.  So the library will not
+ * cause an error if you try to add a control and one of the same type
+ * already exists.  It is up to the application to ensure that multiple
+ * controls of the same type do not exist, if that is the desired behavior
+ * by the application.
+ *
+ * RETURN:
+ * The function returns PR_TRUE if a control of type inControlType already
+ * exists in the certificate request.  If a control of type inControlType
+ * does not exist, the function will return PR_FALSE.
+ */
+extern PRBool
+  CRMF_CertRequestIsControlPresent(CRMFCertRequest *inCertReq,
+				   CRMFControlType  inControlType);
+				   
+
+/*
+ * FUNCTION: CRMF_CertRequestSetRegTokenControl
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate Request to operate on.
+ *    value
+ *        The UTF8 value which will be the Registration Token Control
+ *        for this Certificate Request.
+ * NOTES:
+ *    The library does no verification that the value passed in is 
+ *    a valid UTF8 value.  The caller must make sure of this in order
+ *    to get an encoding that is valid.  The library will ultimately
+ *    encode this value as it was passed in.
+ * RETURN:
+ *    SECSucces on successful addition of the Registration Token Control.
+ *    Any other return value indicates an unsuccessful attempt to add the
+ *    control.
+ *
+ */
+extern SECStatus CRMF_CertRequestSetRegTokenControl(CRMFCertRequest *inCertReq,
+						    SECItem         *value);
+
+/*
+ * FUNCTION: CRMF_CertRequestSetAuthenticatorControl
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate Request to operate on.
+ *    value
+ *        The UTF8 value that will become the Authenticator Control
+ *        for the passed in Certificate Request.
+ * NOTES:
+ *    The library does no verification that the value passed in is 
+ *    a valid UTF8 value.  The caller must make sure of this in order
+ *    to get an encoding that is valid.  The library will ultimately
+ *    encode this value as it was passed in.
+ * RETURN:
+ *    SECSucces on successful addition of the Authenticator Control.
+ *    Any other return value indicates an unsuccessful attempt to add the
+ *    control.
+ */
+extern SECStatus 
+       CRMF_CertRequestSetAuthenticatorControl (CRMFCertRequest *inCertReq,
+						SECItem         *value);
+
+/*
+ * FUNCTION: CRMF_CreateEncryptedKeyWithencryptedValue
+ * INPUTS:
+ *    inPrivKey
+ *        This is the private key associated with a certificate that is
+ *        being requested.  This structure will eventually wind up as 
+ *        a part of the PKIArchiveOptions Control.  
+ *    inCACert
+ *        This is the certificate for the CA that will be receiving the 
+ *        certificate request for the private key passed in.
+ * OUTPUT:
+ *    A CRMFEncryptedKey that can ultimately be used as part of the 
+ *    PKIArchiveOptions Control.
+ *
+ * RETURN:
+ *    A pointer to a CRMFEncyptedKey.  A NULL return value indicates an erro
+ *    during the creation of the encrypted key.
+ */
+extern CRMFEncryptedKey* 
+       CRMF_CreateEncryptedKeyWithEncryptedValue(SECKEYPrivateKey *inPrivKey,
+						 CERTCertificate  *inCACert);
+
+/*
+ * FUNCTION: CRMF_DestroyEncryptedKey
+ * INPUTS:
+ *    inEncrKey
+ *        The CRMFEncryptedKey to be destroyed.
+ * NOTES:
+ *    Frees all memory associated with the CRMFEncryptedKey passed in.
+ * RETURN:
+ *    SECSuccess if freeing the memory was successful.  Any other return
+ *    value indicates an error while freeig the memroy.
+ */
+extern SECStatus CRMF_DestroyEncryptedKey(CRMFEncryptedKey *inEncrKey);
+						
+/*
+ * FUNCTION: CRMF_CreatePKIArchiveOptions
+ * INPUTS:
+ *    inType
+ *        An enumeration value indicating which option for 
+ *        PKIArchiveOptions to use.
+ *    data
+ *        A pointer that will be type-cast and de-referenced according
+ *        to the table under NOTES.
+ * NOTES:
+ * A table listing what should be passed in as data
+ * ------------------------------------------------
+ *
+ * inType                            data
+ * ------                            ----
+ * crmfEncryptedPrivateKey           CRMFEncryptedKey*
+ * crmfKeyGenParameters              SECItem*(This needs to be an octet string)
+ * crmfArchiveRemGenPrivKey          PRBool*
+ *
+ * RETURN:
+ *    A pointer the a CRMFPKIArchiveOptions that can be added to a Certificate
+ *    Request.  A NULL pointer indicates an error occurred while creating
+ *    the CRMFPKIArchiveOptions Structure.
+ */
+extern CRMFPKIArchiveOptions*
+       CRMF_CreatePKIArchiveOptions(CRMFPKIArchiveOptionsType  inType,
+				    void                      *data);
+/*
+ * FUNCTION: CRMF_DestroyPKIArchiveOptions
+ * INPUTS:
+ *    inArchOpt
+ *        A pointer to the CRMFPKIArchiveOptions structure to free.
+ * NOTES:
+ *    Will free all memory associated with 'inArchOpt'.
+ * RETURN:
+ *    SECSuccess if successful in freeing the memory used by 'inArchOpt'
+ *    Any other return value indicates an error while freeing the memory.
+ */
+extern SECStatus 
+       CRMF_DestroyPKIArchiveOptions(CRMFPKIArchiveOptions *inArchOpt);
+
+/*
+ * FUNCTION: CRMF_CertRequestSetPKIArchiveOptions
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate Request to add the the options to.
+ *    inOptions
+ *        The Archive Options to add to the Certificate Request.
+ * NOTES:
+ *    Adds the PKIArchiveOption to the Certificate Request.  This is what
+ *    enables Key Escrow to take place through CRMF.  The library makes
+ *    its own copy of the information.
+ * RETURN:
+ *    SECSuccess if successful in adding the ArchiveOptions to the Certificate
+ *    request.  Any other return value indicates an error when trying to add
+ *    the Archive Options  to the Certificate Request.
+ */
+extern SECStatus 
+       CRMF_CertRequestSetPKIArchiveOptions(CRMFCertRequest       *inCertReq,
+					    CRMFPKIArchiveOptions *inOptions);
+
+/*
+ * FUNCTION: CRMF_CertReqMsgGetPOPType
+ * INPUTS:
+ *    inCertReqMsg
+ *        The Certificate Request Message to operate on.
+ * NOTES:
+ *    Returns an enumeration value indicating the method of Proof
+ *    of Possession that was used for the passed in Certificate Request
+ *    Message.
+ * RETURN:
+ *    An enumeration indicating what method for Proof Of Possession is
+ *    being used in this Certificate Request Message.  Look in the file
+ *    crmft.h for the definition of CRMFPOPChoice for the possible return
+ *    values.
+ */
+extern CRMFPOPChoice CRMF_CertReqMsgGetPOPType(CRMFCertReqMsg *inCertReqMsg);
+
+/*
+ * FUNCTION: CRMF_CertReqMsgSetRAVerifiedPOP
+ * INPUT:
+ *    InCertReqMsg
+ *        The Certificate Request Message to operate on.
+ * NOTES:
+ *    This function will set the method of Proof Of Possession to 
+ *    crmfRAVerified which means the RA has already verified the 
+ *    requester does possess the private key.
+ * RETURN:
+ *    SECSuccess if adding RAVerified to the message is successful.  
+ *    Any other message indicates an error while trying to add RAVerified
+ *    as the Proof of Possession.
+ */
+extern SECStatus CRMF_CertReqMsgSetRAVerifiedPOP(CRMFCertReqMsg *inCertReqMsg);
+
+/*
+ * FUNCTION: CRMF_CertReqMsgSetSignaturePOP
+ * INPUT:
+ *    inCertReqMsg
+ *        The Certificate Request Message to add the SignaturePOP to.
+ *    inPrivKey
+ *        The Private Key which corresponds to the the Certificate Request
+ *        Message.
+ *    inPubKey
+ *        The Public Key which corresponds to the Private Key passed in.
+ *    inCertForInput
+ *        A Certificate that in the future may be used to create 
+ *        POPOSigningKeyInput.
+ *    fn
+ *        A callback for retrieving a password which may be used in the
+ *       future to generate POPOSigningKeyInput.
+ *    arg
+ *        An opaque pointer that would be passed to fn whenever it is
+ *        called.
+ * NOTES:
+ * Adds Proof Of Possession to the CertRequest using the signature field 
+ * of the ProofOfPossession field.  NOTE: In order to use this option, 
+ * the certificate template must contain the publicKey at the very minimum.
+ * 
+ * If you don't want the function to generate POPOSigningKeyInput, then
+ * make sure the cert template already contains the subject and public key
+ * values.  Currently creating POPOSigningKeyInput is not supported, so 
+ * a Message passed to this function must have the publicKey and the subject
+ * as part of the template
+ *
+ * This will take care of creating the entire POPOSigningKey structure
+ * that will become part of the message.
+ *
+ * inPrivKey is the key to be used in the signing operation when creating
+ * POPOSigningKey structure.  This should be the key corresponding to
+ * the certificate being requested.
+ *
+ * inCertForInput will be used if POPOSigningKeyInput needs to be generated.
+ * It will be used in generating the authInfo.sender field.  If the parameter
+ * is not passed in then authInfo.publicKeyMAC will be generated instead.
+ * If passed in, this certificate needs to be a valid certificate.
+ *
+ * The last 3 arguments are for future compatibility in case we ever want to
+ * support generating POPOSigningKeyInput.  Pass in NULL for all 3 if you 
+ * definitely don't want the funciton to even try to generate 
+ * POPOSigningKeyInput.  If you try to use POPOSigningKeyInput, the function
+ * will fail.
+ *
+ * RETURN:
+ *    SECSuccess if adding the Signature Proof Of Possession worked.
+ *    Any other return value indicates an error in trying to add
+ *    the Signature Proof Of Possession.
+ */
+extern SECStatus 
+       CRMF_CertReqMsgSetSignaturePOP(CRMFCertReqMsg   *inCertReqMsg,
+				      SECKEYPrivateKey *inPrivKey,
+				      SECKEYPublicKey  *inPubKey,
+				      CERTCertificate  *inCertForInput,
+				      CRMFMACPasswordCallback  fn,
+				      void                    *arg);
+
+/*
+ * FUNCTION: CRMF_CertReqMsgSetKeyEnciphermentPOP
+ * INPUTS:
+ *    inCertReqMsg
+ *        The Certificate Request Message to operate on.
+ *    inKeyChoice
+ *        An enumeration indicating which POPOPrivKey Choice to use
+ *        in constructing the KeyEnciphermentPOP.
+ *    subseqMess
+ *        This parameter must be provided iff inKeyChoice is 
+ *        crmfSubsequentMessage.  This details how the RA is to respond
+ *        in order to perform Proof Of Possession.  Look in crmft.h under
+ *        the definition of CRMFSubseqMessOptions for possible values.
+ *    encPrivKey
+ *        This parameter only needs to be provided if inKeyChoice is
+ *        crmfThisMessage.  The item should contain the encrypted private
+ *        key.
+ *        
+ * NOTES:
+ * Adds Proof Of Possession using the keyEncipherment field of
+ * ProofOfPossession.
+ *
+ * The funciton looks at the the inKeyChoice parameter and interprets it in
+ * in the following manner.
+ *
+ * If a parameter is not mentioned under interpretation, the funciton will not
+ * look at its value when implementing that case.
+ *
+ * inKeyChoice          Interpretation
+ * -----------          --------------
+ * crmfThisMessage      This options requires that the encrypted private key
+ *                      be included in the thisMessage field of POPOPrivKey.
+ *                      We don't support this yet, so any clients who want
+ *                      to use this feature have to implement a wrapping
+ *                      function and agree with the server on how to properly
+ *                      wrap the key.  That encrypted key must be passed in
+ *                      as the encPrivKey parameter.
+ *
+ * crmfSubequentMessage Must pass in a value for subseqMess.  The value must
+ *                      be either CRMFEncrCert or CRMFChallengeResp.  The
+ *                      parameter encPrivKey will not be looked at in this
+ *                      case.
+ *
+ * crmfDHMAC            This is not a valid option for this function.  Passing
+ *                      in this value will result in the function returning
+ *                      SECFailure.
+ * RETURN:
+ *    SECSuccess if adding KeyEnciphermentPOP was successful.  Any other return
+ *    value indicates an error in adding KeyEnciphermentPOP.
+ */
+extern SECStatus 
+      CRMF_CertReqMsgSetKeyEnciphermentPOP(CRMFCertReqMsg        *inCertReqMsg,
+					   CRMFPOPOPrivKeyChoice  inKeyChoice,
+					   CRMFSubseqMessOptions  subseqMess,
+					   SECItem               *encPrivKey);
+
+/*
+ * FUNCTION: CRMF_CertReqMsgSetKeyAgreementPOP
+ * INPUTS:
+ *    inCertReqMsg
+ *        The Certificate Request Message to operate on.
+ *    inKeyChoice
+ *        An enumeration indicating which POPOPrivKey Choice to use
+ *        in constructing the KeyAgreementPOP.
+ *    subseqMess
+ *        This parameter must be provided iff inKeyChoice is 
+ *        crmfSubsequentMessage.  This details how the RA is to respond
+ *        in order to perform Proof Of Possession.  Look in crmft.h under
+ *        the definition of CRMFSubseqMessOptions for possible values.
+ *    encPrivKey
+ *        This parameter only needs to be provided if inKeyChoice is
+ *        crmfThisMessage.  The item should contain the encrypted private
+ *        key.
+ * Adds Proof Of Possession using the keyAgreement field of
+ * ProofOfPossession.
+ *
+ * The funciton looks at the the inKeyChoice parameter and interprets it in
+ * in the following manner.
+ *
+ * If a parameter is not mentioned under interpretation, the funciton will not
+ * look at its value when implementing that case.
+ *
+ * inKeyChoice          Interpretation
+ * -----------          --------------
+ * crmfThisMessage      This options requires that the encrypted private key
+ *                      be included in the thisMessage field of POPOPrivKey.
+ *                      We don't support this yet, so any clients who want
+ *                      to use this feature have to implement a wrapping
+ *                      function and agree with the server on how to properly
+ *                      wrap the key.  That encrypted key must be passed in
+ *                      as the encPrivKey parameter.
+ *
+ * crmfSubequentMessage Must pass in a value for subseqMess.  The value must
+ *                      be either crmfEncrCert or crmfChallengeResp.  The
+ *                      parameter encPrivKey will not be looked at in this
+ *                      case.
+ *
+ * crmfDHMAC            This option is not supported.
+ */
+extern SECStatus 
+       CRMF_CertReqMsgSetKeyAgreementPOP(CRMFCertReqMsg        *inCertReqMsg,
+					 CRMFPOPOPrivKeyChoice  inKeyChoice,
+					 CRMFSubseqMessOptions  subseqMess,
+					 SECItem               *encPrivKey);
+
+/*
+ * FUNCTION: CRMF_CreateCertReqMsgFromDER
+ * INPUTS:
+ *    buf
+ *        A buffer to the DER-encoded Certificate Request Message.
+ *    len
+ *        The length in bytes of the buffer 'buf'
+ * NOTES:
+ * This function passes the buffer to the ASN1 decoder and creates a 
+ * CRMFCertReqMsg structure.  Do not try adding any fields to a message
+ * returned from this function.  Specifically adding more Controls or 
+ * Extensions may cause your program to crash.
+ *
+ * RETURN:
+ *    A pointer to the Certificate Request Message structure.  A NULL return
+ *    value indicates the library was unable to parse the DER.
+ */
+extern CRMFCertReqMsg* CRMF_CreateCertReqMsgFromDER(const char *buf, long len);
+
+/*
+ * FUNCTION: CRMF_CreateCertReqMessagesFromDER
+ * INPUTS:
+ *    buf
+ *        A buffer to the DER-encoded Certificate Request Messages.
+ *    len
+ *        The length in bytes of buf
+ * NOTES:
+ * This function passes the buffer to the ASN1 decoder and creates a 
+ * CRMFCertReqMessages structure.  Do not try adding any fields to a message
+ * derived from this function.  Specifically adding more Controls or 
+ * Extensions may cause your program to crash.
+ * The user must call CRMF_DestroyCertReqMessages after the return value is 
+ * no longer needed, ie when all individual messages have been extracted.
+ *  
+ * RETURN:
+ *    A pointer to the Certificate Request Messages structure.  A NULL return
+ *    value indicates the library was unable to parse the DER.
+ */ 
+extern CRMFCertReqMessages*
+       CRMF_CreateCertReqMessagesFromDER(const char *buf, long len);
+
+/*
+ * FUNCTION: CRMF_DestroyCertReqMessages
+ * INPUTS
+ *    inCertReqMsgs
+ *        The Messages to destroy.
+ * RETURN:
+ *    SECSuccess if freeing the memory was done successfully.  Any other
+ *    return value indicates an error in freeing up memory.
+ */ 
+extern SECStatus 
+       CRMF_DestroyCertReqMessages(CRMFCertReqMessages *inCertReqMsgs);
+
+/*
+ * FUNCTION: CRMF_CertReqMessagesGetNumMessages
+ * INPUTS:
+ *    inCertReqMsgs
+ *        The Request Messages to operate on.
+ * RETURN:
+ *    The number of messages contained in the in the Request Messages 
+ *    strucure.
+ */
+extern int 
+       CRMF_CertReqMessagesGetNumMessages(CRMFCertReqMessages *inCertReqMsgs);
+
+/*
+ * FUNCTION: CRMF_CertReqMessagesGetCertReqMsgAtIndex
+ * INPUTS:
+ *    inReqMsgs
+ *        The Certificate Request Messages to operate on.
+ *    index
+ *        The index of the single message the user wants a copy of.
+ * NOTES:
+ * This function returns a copy of the request messages stored at the 
+ * index corresponding to the parameter 'index'.  Indexing of the messages
+ * is done in the same manner as a C array.  Meaning the valid index are 
+ * 0...numMessages-1.  User must call CRMF_DestroyCertReqMsg when done using
+ * the return value of this function.
+ *
+ * RETURN:
+ * SECSuccess if copying the message at the requested index was successful.
+ * Any other return value indicates an invalid index or error while copying
+ * the single request message.
+ */
+extern CRMFCertReqMsg*
+       CRMF_CertReqMessagesGetCertReqMsgAtIndex(CRMFCertReqMessages *inReqMsgs,
+						int                  index);
+
+
+/*
+ * FUNCTION: CRMF_CertReqMsgGetID
+ * INPUTS:
+ *    inCertReqMsg
+ *        The Certificate Request Message to get the ID from.
+ *    destID
+ *        A pointer to where the library can place the ID of the Message.
+ * RETURN:
+ *    SECSuccess if the function was able to retrieve the ID and place it
+ *    at *destID.  Any other return value indicates an error meaning the value
+ *    in *destId is un-reliable and should not be used by the caller of this 
+ *    function.
+ *    
+ */
+extern SECStatus CRMF_CertReqMsgGetID(CRMFCertReqMsg *inCertReqMsg, 
+				      long           *destID);
+
+/*
+ * FUNCTION: CRMF_DoesRequestHaveField
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate Request to operate on.
+ *    inField
+ *        An enumeration indicating which filed of the certificate template
+ *        to look for.
+ * NOTES:
+ * All the fields in a certificate template are optional.  This function
+ * checks to see if the requested field is present.  Look in crmft.h at the
+ * definition of CRMFCertTemplateField for possible values for possible 
+ * querying.
+ *
+ * RETURN:
+ * PR_TRUE iff the field corresponding to 'inField' has been specified as part
+ *         of 'inCertReq'
+ * PR_FALSE iff the field corresponding to 'inField' has not been speicified
+ *          as part of 'inCertReq'
+ *        
+ */
+extern PRBool CRMF_DoesRequestHaveField(CRMFCertRequest       *inCertReq,
+					CRMFCertTemplateField  inField);
+
+/*
+ * FUNCTION: CRMF_CertReqMsgGetCertRequest
+ * INPUTS:
+ *    inCertReqMsg
+ *        The Certificate Request Message to operate on.
+ * NOTES:
+ *    This function returns a copy of the Certificate Request to the user.
+ *    The user can keep adding to this request and then making it a part
+ *    of another message.  After the user no longer wants to use the
+ *    returned request, the user must call CRMF_DestroyCertRequest and
+ *    pass it the request returned by this function.
+ * RETURN:
+ *    A pointer to a copy of the certificate request contained by the message.
+ *    A NULL return value indicates an error occurred while copying the 
+ *   certificate request.
+ */
+extern CRMFCertRequest *
+       CRMF_CertReqMsgGetCertRequest(CRMFCertReqMsg *inCertReqMsg);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetCertTemplateVersion
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate Request to operate on.
+ *    version
+ *        A pointer to where the library can store the version contatined
+ *        in the certificate template within the certifcate request.
+ * RETURN:
+ *    SECSuccess if the Certificate template contains the version field.  In 
+ *    this case, *version will hold the value of the certificate template 
+ *    version.
+ *    SECFailure indicates that version field was not present as part of
+ *    of the certificate template.
+ */
+extern SECStatus 
+       CRMF_CertRequestGetCertTemplateVersion(CRMFCertRequest *inCertReq, 
+					      long            *version);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetCertTemplateSerialNumber
+ * INPUTS:
+ *    inCertReq
+ *        The certificate request to operate on.
+ *    serialNumber
+ *        A pointer where the library can put the serial number contained
+ *        in the certificate request's certificate template.
+ * RETURN:
+ * If a serial number exists in the CertTemplate of the request, the function 
+ * returns SECSuccess and the value at *serialNumber contains the serial 
+ * number.
+ * If no serial number is present, then the function returns SECFailure and
+ * the value at *serialNumber is un-changed.
+ */
+extern SECStatus 
+       CRMF_CertRequestGetCertTemplateSerialNumber(CRMFCertRequest *inCertReq, 
+						   long         *serialNumber);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetCertTemplateSigningAlg
+ * INPUT:
+ *    inCertReq
+ *        The Certificate Request to operate on.
+ *    destAlg
+ *        A Pointer to where the library can place a copy of the signing alg
+ *        used in the cert request's cert template.
+ * RETURN:
+ * If the signingAlg is present in the CertRequest's CertTemplate, then
+ * the function returns SECSuccess and places a copy of sigingAlg in 
+ * *destAlg.
+ * If no signingAlg is present, then the function returns SECFailure and
+ * the value at *destAlg is un-changed
+ */
+extern SECStatus 
+       CRMF_CertRequestGetCertTemplateSigningAlg(CRMFCertRequest *inCertReq,
+						 SECAlgorithmID  *destAlg);
+/*
+ * FUNCTION: CRMF_CertRequestGetCertTemplateIssuer
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate Request to operate on.
+ *    destIssuer
+ *        A pointer to where the library can place a copy of the cert
+ *        request's cert template issuer field.
+ * RETURN:
+ * If the issuer is present in the cert request cert template, the function 
+ * returns SECSuccess and places a  copy of the issuer in *destIssuer.
+ * If there is no issuer present, the funciton returns SECFailure and the
+ * value at *destIssuer is unchanged.
+ */
+extern SECStatus 
+       CRMF_CertRequestGetCertTemplateIssuer(CRMFCertRequest *inCertReq,
+					     CERTName        *destIssuer);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetCertTemplateValidity
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate Request to operate on.
+ *    destValdity
+ *        A pointer to where the library can place a copy of the validity
+ *        info in the cert request cert template.
+ * NOTES:
+ * Pass the pointer to 
+ * RETURN: 
+ * If there is an OptionalValidity field, the function will return SECSuccess
+ * and place the appropriate values in *destValidity->notBefore and 
+ * *destValidity->notAfter. (Each field is optional, but at least one will
+ * be present if the function returns SECSuccess)
+ *
+ * If there is no OptionalValidity field, the function will return SECFailure
+ * and the values at *destValidity will be un-changed.
+ */
+extern SECStatus 
+       CRMF_CertRequestGetCertTemplateValidity(CRMFCertRequest *inCertReq,
+					       CRMFGetValidity *destValidity);
+/*
+ * FUNCTION: CRMF_DestroyGetValidity
+ * INPUTS:
+ *    inValidity
+ *        A pointer to the memroy to be freed.
+ * NOTES:
+ * The function will free the memory allocated by the function 
+ * CRMF_CertRequestGetCertTemplateValidity.  That means only memory pointed
+ * to within the CRMFGetValidity structure.  Since 
+ * CRMF_CertRequestGetCertTemplateValidity does not allocate memory for the
+ * structure passed into it, it will not free it.  Meaning this function will
+ * free the memory at inValidity->notBefore and inValidity->notAfter, but not
+ * the memory directly at inValdity.
+ *
+ * RETURN:
+ * SECSuccess if freeing the memory was successful.  Any other return value
+ * indicates an error while freeing the memory.
+ */
+extern SECStatus 
+       CRMF_DestroyGetValidity(CRMFGetValidity *inValidity);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetCertTemplateSubject
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate Request to operate on.
+ *    destSubject
+ *        A pointer to where the library can place a copy of the subject
+ *        contained in the request's cert template.
+ * RETURN:
+ * If there is a subject in the CertTemplate, then the function returns 
+ * SECSuccess and a copy of the subject is placed in *destSubject.
+ *
+ * If there is no subject, the function returns SECFailure and the values at
+ * *destSubject is unchanged.
+ */
+extern SECStatus 
+       CRMF_CertRequestGetCertTemplateSubject (CRMFCertRequest *inCertReq,
+					       CERTName        *destSubject);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetCertTemplatePublicKey
+ * INPUTS:
+ *    inCertReq
+ *        The Cert request to operate on.
+ *    destPublicKey
+ *        A pointer to where the library can place a copy of the request's
+ *        cert template public key.
+ * RETURN:
+ * If there is a publicKey parameter in the CertRequest, the function returns
+ * SECSuccess, and places a copy of the publicKey in *destPublicKey.
+ *
+ * If there is no publicKey, the function returns SECFailure and the value
+ * at *destPublicKey is un-changed.
+ */
+extern SECStatus 
+       CRMF_CertRequestGetCertTemplatePublicKey(CRMFCertRequest *inCertReq,
+				      CERTSubjectPublicKeyInfo *destPublicKey);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetCertTemplateIssuerUID
+ * INPUTS:
+ *    inCertReq
+ *        The Cert request to operate on.
+ *    destIssuerUID
+ *        A pointer to where the library can store a copy of the request's
+ *        cert template destIssuerUID.
+ *
+ * NOTES: 
+ * destIssuerUID is a bit string and will be returned in a SECItem as
+ * a bit string.  Meaning the len field contains the number of valid bits as
+ * opposed to the number of bytes allocated.
+ *
+ * RETURN:
+ * If the CertTemplate has an issuerUID, the function returns SECSuccess and
+ * places a copy of the issuerUID in *destIssuerUID.
+ *
+ * If there is no issuerUID, the function returns SECFailure and the value
+ * *destIssuerUID is unchanged.
+ */
+extern SECStatus 
+       CRMF_CertRequestGetCertTemplateIssuerUID(CRMFCertRequest *inCertReq,
+						SECItem        *destIssuerUID);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetCertTemplateSubjectUID
+ *    inCertReq
+ *        The Cert request to operate on.
+ *    destSubjectUID
+ *        A pointer to where the library can store a copy of the request's
+ *        cert template destIssuerUID.
+ *
+ * NOTES: 
+ * destSubjectUID is a bit string and will be returned in a SECItem as
+ * a bit string.  Meaning the len field contains the number of valid bits as
+ * opposed to the number of bytes allocated.
+ *
+ * RETURN:
+ * If the CertTemplate has an issuerUID, the function returns SECSuccess and
+ * places a copy of the issuerUID in *destIssuerUID.
+ *
+ * If there is no issuerUID, the function returns SECSuccess and the value
+ * *destIssuerUID is unchanged.
+ */
+extern SECStatus CRMF_GetCertTemplateSubjectUID(CRMFCertRequest *inCertReq,
+						SECItem       *destSubjectUID);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetNumberOfExtensions
+ * INPUTS:
+ *    inCertReq
+ *        The cert request to operate on.
+ * RETURN:
+ *    Returns the number of extensions contained by the Cert Request.
+ */
+extern int CRMF_CertRequestGetNumberOfExtensions(CRMFCertRequest *inCertReq);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetExtensionAtIndex
+ * INPUTS:
+ *    inCertReq
+ *        The Certificate request to operate on.
+ *    index
+ *        The index of the extension array whihc the user wants to access.
+ * NOTES:
+ * This function retrieves the extension at the index corresponding to the 
+ * parameter "index" indicates.  Indexing is done like a C array.  
+ * (0 ... numElements-1)
+ *
+ * Call CRMF_DestroyCertExtension when done using the return value.
+ *
+ * RETURN:
+ *    A pointer to a copy of the extension at the desired index.  A NULL 
+ *    return value indicates an invalid index or an error while copying 
+ *    the extension.
+ */
+extern CRMFCertExtension *
+       CRMF_CertRequestGetExtensionAtIndex(CRMFCertRequest *inCertReq,
+					   int              index);
+/*
+ * FUNCTION: CRMF_CertExtensionGetOidTag
+ * INPUTS:
+ *    inExtension
+
+ *        The extension to operate on.
+ * RETURN:
+ *    Returns the SECOidTag associated with the cert extension passed in.
+ */
+extern SECOidTag CRMF_CertExtensionGetOidTag(CRMFCertExtension *inExtension);
+
+/*
+ * FUNCTION: CRMF_CertExtensionGetIsCritical
+ * INPUT:
+ *    inExt
+ *        The cert extension to operate on.
+ *
+ * RETURN:
+ * PR_TRUE if the extension is critical.
+ * PR_FALSE if the extension is not critical.
+ */
+extern PRBool CRMF_CertExtensionGetIsCritical(CRMFCertExtension *inExt);
+             
+/*
+ * FUNCTION: CRMF_CertExtensionGetValue
+ * INPUT:
+ *    inExtension
+ *        The extension to operate on.
+ * NOTES:
+ * Caller is responsible for freeing the memory associated with the return
+ * value.  Call SECITEM_FreeItem(retVal, PR_TRUE) when done using the return
+ * value.
+ *
+ * RETURN:
+ * A pointer to an item containig the value for the certificate extension.
+ * A NULL return value indicates an error in copying the information.
+ */
+extern SECItem*  CRMF_CertExtensionGetValue(CRMFCertExtension *inExtension);
+
+/*
+ * FUNCTION: CRMF_CertReqMsgGetPOPOSigningKey
+ * INPUTS:
+ *    inCertReqMsg
+ *        The certificate request message to operate on.
+ *    destKey
+ *        A pointer to where the library can place a pointer to
+ *        a copy of the Proof Of Possession Signing Key used 
+ *        by the message.
+ *
+ * RETURN:
+ * Get the POPOSigningKey associated with this CRMFCertReqMsg.  
+ * If the CertReqMsg does not have a pop, the function returns
+ * SECFailure and the value at *destKey is un-changed..
+ *
+ * If the CertReqMsg does have a pop, then the CertReqMsg's 
+ * POPOSigningKey will be placed at *destKey.
+ */
+extern SECStatus 
+       CRMF_CertReqMsgGetPOPOSigningKey(CRMFCertReqMsg      *inCertReqMsg,
+					CRMFPOPOSigningKey **destKey);
+
+/*
+ * FUNCTION: CRMF_DestroyPOPOSigningKey
+ * INPUTS:
+ *    inKey
+ *        The signing key to free.
+ *
+ * RETURN:
+ * SECSuccess if freeing the memory was successful.  Any other return value
+ * indicates an error while freeing memory.
+ */
+extern SECStatus CRMF_DestroyPOPOSigningKey (CRMFPOPOSigningKey *inKey);
+
+/*
+ * FUNCTION: CRMF_POPOSigningKeyGetAlgID
+ * INPUTS:
+ *    inSignKey
+ *        The Signing Key to operate on.
+ * RETURN:
+ * Return the algorithmID used by the CRMFPOPOSigningKey.  User must
+ * call SECOID_DestroyAlgorithmID(destID, PR_TRUE) when done using the
+ * return value.
+ */
+extern SECAlgorithmID* 
+       CRMF_POPOSigningKeyGetAlgID(CRMFPOPOSigningKey *inSignKey);
+
+/*
+ * FUNCTION: CRMF_POPOSigningKeyGetSignature
+ * INPUTS:
+ *    inSignKey
+ *        The Signing Key to operate on.
+ *
+ * RETURN:        
+ * Get the actual signature stored away in the CRMFPOPOSigningKey.  SECItem
+ * returned is a BIT STRING, so the len field is the number of bits as opposed
+ * to the total number of bytes allocatd.  User must call 
+ * SECITEM_FreeItem(retVal,PR_TRUE) when done using the return value.
+ */
+extern SECItem* CRMF_POPOSigningKeyGetSignature(CRMFPOPOSigningKey *inSignKey);
+
+/*
+ * FUNCTION: CRMF_POPOSigningKeyGetInput
+ * INPUTS:
+ *    inSignKey
+ *        The Signing Key to operate on.
+ * NOTES:
+ * This function will return the der encoded input that was read in while 
+ * decoding.  The API does not support this option when creating, so you
+ * cannot add this field.
+ *
+ * RETURN:
+ * Get the poposkInput that is part of the of the POPOSigningKey. If the
+ * optional field is not part of the POPOSigningKey, the function returns
+ * NULL.
+ *
+ * If the optional field is part of the POPOSingingKey, the function will
+ * return a copy of the der encoded poposkInput.
+ */
+extern SECItem* CRMF_POPOSigningKeyGetInput(CRMFPOPOSigningKey *inSignKey);
+
+/*
+ * FUNCTION: CRMF_CertReqMsgGetPOPKeyEncipherment
+ * INPUTS:
+ *    inCertReqMsg
+ *        The certificate request message to operate on.
+ *    destKey
+ *        A pointer to where the library can place a pointer to a 
+ *        copy of the POPOPrivKey representing Key Encipherment 
+ *        Proof of Possession.
+ *NOTES:
+ * This function gets the POPOPrivKey associated with this CRMFCertReqMsg 
+ * for Key Encipherment.  
+ *
+ * RETURN:
+ * If the CertReqMsg did not use Key Encipherment for Proof Of Possession, the
+ * function returns SECFailure and the value at *destKey is un-changed.
+ *
+ * If the CertReqMsg did use Key Encipherment for ProofOfPossession, the
+ * function returns SECSuccess and places the POPOPrivKey representing the
+ * Key Encipherment Proof Of Possessin at *destKey.
+ */
+extern SECStatus 
+       CRMF_CertReqMsgGetPOPKeyEncipherment(CRMFCertReqMsg   *inCertReqMsg,
+					    CRMFPOPOPrivKey **destKey);
+
+/*
+ * FUNCTION: CRMF_CertReqMsgGetPOPKeyAgreement
+ * INPUTS:
+ *    inCertReqMsg
+ *        The certificate request message to operate on.
+ *    destKey
+ *        A pointer to where the library can place a pointer to a 
+ *        copy of the POPOPrivKey representing Key Agreement 
+ *        Proof of Possession.
+ * NOTES:
+ * This function gets the POPOPrivKey associated with this CRMFCertReqMsg for 
+ * Key Agreement.  
+ *
+ * RETURN:
+ * If the CertReqMsg used Key Agreement for Proof Of Possession, the
+ * function returns SECSuccess and the POPOPrivKey for Key Agreement
+ * is placed at *destKey.
+ *
+ * If the CertReqMsg did not use Key Agreement for Proof Of Possession, the
+ * function return SECFailure and the value at *destKey is unchanged.
+ */
+extern SECStatus 
+       CRMF_CertReqMsgGetPOPKeyAgreement(CRMFCertReqMsg   *inCertReqMsg,
+					 CRMFPOPOPrivKey **destKey);
+
+/* 
+ * FUNCTION: CRMF_DestroyPOPOPrivKey
+ * INPUTS:
+ *    inPrivKey
+ *        The POPOPrivKey to destroy.
+ * NOTES:
+ * Destroy a structure allocated by CRMF_GetPOPKeyEncipherment or
+ * CRMF_GetPOPKeyAgreement.
+ *
+ * RETURN:
+ * SECSuccess on successful destruction of the POPOPrivKey.
+ * Any other return value indicates an error in freeing the 
+ * memory.
+ */
+extern SECStatus CRMF_DestroyPOPOPrivKey(CRMFPOPOPrivKey *inPrivKey);
+
+/* 
+ * FUNCTION: CRMF_POPOPrivKeyGetChoice
+ * INPUT:
+ *    inKey
+ *        The POPOPrivKey to operate on.
+ * RETURN:
+ * Returns which choice was used in constructing the POPPOPrivKey. Look at
+ * the definition of CRMFPOPOPrivKeyChoice in crmft.h for the possible return
+ * values.
+ */
+extern CRMFPOPOPrivKeyChoice CRMF_POPOPrivKeyGetChoice(CRMFPOPOPrivKey *inKey);
+
+/*
+ * FUNCTION: CRMF_POPOPrivKeyGetThisMessage
+ * INPUTS:
+ *    inKey
+ *        The POPOPrivKey to operate on.
+ *    destString
+ *        A pointer to where the library can place a copy of the This Message
+ *        field stored in the POPOPrivKey
+ *
+ * RETURN:
+ * Returns the field thisMessage from the POPOPrivKey.  
+ * If the POPOPrivKey did not use the field thisMessage, the function
+ * returns SECFailure and the value at *destString is unchanged.
+ *
+ * If the POPOPrivKey did use the field thisMessage, the function returns
+ * SECSuccess and the BIT STRING representing thisMessage is placed
+ * at *destString. BIT STRING representation means the len field is the
+ * number of valid bits as opposed to the total number of bytes.
+ */
+extern SECStatus CRMF_POPOPrivKeyGetThisMessage(CRMFPOPOPrivKey  *inKey,
+						SECItem          *destString);
+
+/*
+ * FUNCTION: CRMF_POPOPrivKeyGetSubseqMess
+ * INPUTS:
+ *    inKey
+ *        The POPOPrivKey to operate on.
+ *    destOpt
+ *        A pointer to where the library can place the value of the 
+ *        Subsequent Message option used by POPOPrivKey.
+ *
+ * RETURN:
+ * Retrieves the field subsequentMessage from the POPOPrivKey.  
+ * If the POPOPrivKey used the subsequentMessage option, the function 
+ * returns SECSuccess and places the appropriate enumerated value at
+ * *destMessageOption.
+ *
+ * If the POPOPrivKey did not use the subsequenMessage option, the function
+ * returns SECFailure and the value at *destOpt is un-changed.
+ */
+extern SECStatus CRMF_POPOPrivKeyGetSubseqMess(CRMFPOPOPrivKey       *inKey,
+					       CRMFSubseqMessOptions *destOpt);
+
+/*
+ * FUNCTION: CRMF_POPOPrivKeyGetDHMAC
+ * INPUTS:
+ *    inKey
+ *        The POPOPrivKey to operate on.
+ *    destMAC
+ *        A pointer to where the library can place a copy of the dhMAC
+ *        field of the POPOPrivKey.
+ *        
+ * NOTES:
+ * Returns the field dhMAC from the POPOPrivKey.  The populated SECItem 
+ * is in BIT STRING format.
+ *
+ * RETURN:
+ * If the POPOPrivKey used the dhMAC option, the function returns SECSuccess
+ * and the BIT STRING for dhMAC will be placed at *destMAC.  The len field in
+ * destMAC (ie destMAC->len) will be the valid number of bits as opposed to
+ * the number of allocated bytes.
+ *
+ * If the POPOPrivKey did not use the dhMAC option, the function returns
+ * SECFailure and the value at *destMAC is unchanged.
+ * 
+ */
+extern SECStatus CRMF_POPOPrivKeyGetDHMAC(CRMFPOPOPrivKey *inKey,
+					  SECItem         *destMAC);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetNumControls
+ * INPUTS: 
+ *    inCertReq
+ *        The Certificate Request to operate on.
+ * RETURN:
+ * Returns the number of Controls registered with this CertRequest.
+ */
+extern int CRMF_CertRequestGetNumControls (CRMFCertRequest *inCertReq);
+
+/*
+ * FUNCTION: CRMF_CertRequestGetControlAtIndex
+ * INPUTS:
+ *    inCertReq
+ *        The certificate request to operate on.
+ *    index
+ *        The index of the control the user wants a copy of.
+ * NOTES:
+ * Function retrieves the Control at located at index.  The Controls 
+ * are numbered like a traditional C array (0 ... numElements-1)
+ *
+ * RETURN:
+ * Returns a copy of the control at the index specified.  This is a copy
+ * so the user must call CRMF_DestroyControl after the return value is no 
+ * longer needed.  A return value of NULL indicates an error while copying
+ * the control or that the index was invalid.
+ */
+extern CRMFControl* 
+       CRMF_CertRequestGetControlAtIndex(CRMFCertRequest *inCertReq, 
+					 int              index);
+
+/*
+ * FUNCTION: CRMF_DestroyControl
+ * INPUTS:
+ *    inControl
+ *        The Control to destroy.
+ * NOTES:
+ * Destroy a CRMFControl allocated by CRMF_GetControlAtIndex.
+ *
+ * RETURN:
+ * SECSuccess if freeing the memory was successful.  Any other return
+ * value indicates an error while freeing the memory.
+ */
+extern SECStatus CRMF_DestroyControl(CRMFControl *inControl);
+
+/*
+ * FUNCTION: CRMF_ControlGetControlType
+ * INPUTS:
+ *    inControl
+ *        The control to operate on.
+ * NOTES:
+ * The function returns an enumertion which indicates the type of control
+ * 'inControl'.
+ *
+ * RETURN:
+ * Look in crmft.h at the definition of the enumerated type CRMFControlType
+ * for the possible return values.
+ */
+extern CRMFControlType CRMF_ControlGetControlType(CRMFControl *inControl);
+
+/*
+ * FUNCTION: CRMF_ControlGetRegTokenControlValue
+ * INPUTS:
+ *    inControl
+ *        The Control to operate on.
+ * NOTES:
+ * The user must call SECITEM_FreeItem passing in the return value
+ * after the returnvalue is no longer needed.
+
+ * RETURN:
+ * Return the value for a Registration Token Control.
+ * The SECItem returned should be in UTF8 format.  A NULL
+ * return value indicates there was no Registration Control associated
+ * with the Control.
+ * (This library will not verify format.  It assumes the client properly 
+ * formatted the strings when adding it or the message decoded was properly 
+ * formatted.  The library will just give back the bytes it was given.)
+ */
+extern SECItem* CRMF_ControlGetRegTokenControlValue(CRMFControl *inControl);
+
+/*
+ * FUNCTION: CRMF_ControlGetAuthenticatorControlValue
+ * INPUTS:
+ *    inControl
+ *        The Control to operate on.
+ * NOTES:
+ * The user must call SECITEM_FreeItem passing in the return value
+ * after the returnvalue is no longer needed.
+ *
+ * RETURN:
+ * Return the value for the Authenticator Control.
+ * The SECItem returned should be in UTF8 format.  A NULL
+ * return value indicates there was no Authenticator Control associated
+ * with the CRMFControl..
+ * (This library will not verify format.  It assumes the client properly 
+ * formatted the strings when adding it or the message decoded was properly 
+ * formatted.  The library will just give back the bytes it was given.)
+ */
+extern SECItem* CRMF_ControlGetAuthicatorControlValue(CRMFControl *inControl);
+
+/*
+ * FUNCTION: CRMF_ControlGetPKIArchiveOptions
+ * INPUTS:inControl
+ *    The Control tooperate on.
+ * NOTES:
+ * This function returns a copy of the PKIArchiveOptions.  The user must call
+ * the function CRMF_DestroyPKIArchiveOptions when the return value is no
+ * longer needed.
+ *
+ * RETURN:
+ * Get the PKIArchiveOptions associated with the Control.  A return
+ * value of NULL indicates the Control was not a PKIArchiveOptions 
+ * Control.
+ */
+extern CRMFPKIArchiveOptions* 
+       CRMF_ControlGetPKIArchiveOptions(CRMFControl *inControl);
+  
+/*
+ * FUNCTION: CMRF_DestroyPKIArchiveOptions
+ * INPUTS:
+ *    inOptions
+ *        The ArchiveOptions to destroy.
+ * NOTE:
+ * Destroy the CRMFPKIArchiveOptions structure.
+ *
+ * RETURN:
+ * SECSuccess if successful in freeing all the memory associated with 
+ * the PKIArchiveOptions.  Any other return value indicates an error while
+ * freeing the PKIArchiveOptions.
+ */
+extern SECStatus 
+       CRMF_DestroyPKIArchiveOptions(CRMFPKIArchiveOptions *inOptions);
+
+/*
+ * FUNCTION: CRMF_PKIArchiveOptionsGetOptionType
+ * INPUTS:
+ *    inOptions
+ *        The PKIArchiveOptions to operate on.
+ * RETURN:
+ * Returns the choice used for the PKIArchiveOptions.  Look at the definition
+ * of CRMFPKIArchiveOptionsType in crmft.h for possible return values.
+ */
+extern CRMFPKIArchiveOptionsType
+       CRMF_PKIArchiveOptionsGetOptionType(CRMFPKIArchiveOptions *inOptions);
+
+/*
+ * FUNCTION: CRMF_PKIArchiveOptionsGetEncryptedPrivKey
+ * INPUTS:
+ *    inOpts
+ *        The PKIArchiveOptions to operate on.
+ * 
+ * NOTES:
+ * The user must call CRMF_DestroyEncryptedKey when done using this return
+ * value.
+ *
+ * RETURN:
+ * Get the encryptedPrivKey field of the PKIArchiveOptions structure.
+ * A return value of NULL indicates that encryptedPrivKey was not used as
+ * the choice for this PKIArchiveOptions.
+ */
+extern CRMFEncryptedKey*
+      CRMF_PKIArchiveOptionsGetEncryptedPrivKey(CRMFPKIArchiveOptions *inOpts);
+
+/*
+ * FUNCTION: CRMF_EncryptedKeyGetChoice
+ * INPUTS:
+ *    inEncrKey
+ *        The EncryptedKey to operate on.
+ *
+ * NOTES:
+ * Get the choice used for representing the EncryptedKey.
+ *
+ * RETURN:
+ * Returns the Choice used in representing the EncryptedKey.  Look in 
+ * crmft.h at the definition of CRMFEncryptedKeyChoice for possible return
+ * values.
+ */
+extern CRMFEncryptedKeyChoice 
+       CRMF_EncryptedKeyGetChoice(CRMFEncryptedKey *inEncrKey);
+
+
+/*
+ * FUNCTION: CRMF_EncryptedKeyGetEncryptedValue
+ * INPUTS:
+ *    inKey
+ *        The EncryptedKey to operate on.
+ *
+ * NOTES:
+ * The user must call CRMF_DestroyEncryptedValue passing in 
+ * CRMF_GetEncryptedValue's return value.
+ *
+ * RETURN:
+ * A pointer to a copy of the EncryptedValue contained as a member of
+ * the EncryptedKey.
+ */
+extern CRMFEncryptedValue* 
+       CRMF_EncryptedKeyGetEncryptedValue(CRMFEncryptedKey *inKey);
+
+/*
+ * FUNCTION: CRMF_DestroyEncryptedValue
+ * INPUTS:
+ *    inEncrValue
+ *        The EncryptedValue to destroy.
+ *
+ * NOTES:
+ * Free up all memory associated with 'inEncrValue'.
+ *
+ * RETURN:
+ * SECSuccess if freeing up the memory associated with the EncryptedValue
+ * is successful. Any other return value indicates an error while freeing the
+ * memory.
+ */
+extern SECStatus CRMF_DestroyEncryptedValue(CRMFEncryptedValue *inEncrValue);
+
+/*
+ * FUNCTION: CRMF_EncryptedValueGetEncValue
+ * INPUTS:
+ *    inEncValue
+ *        The EncryptedValue to operate on.
+ * NOTES:
+ * Function retrieves the encValue from an EncryptedValue structure.
+ *
+ * RETURN:
+ * A poiner to a SECItem containing the encValue of the EncryptedValue
+ * structure.  The return value is in BIT STRING format, meaning the
+ * len field of the return structure represents the number of valid bits
+ * as opposed to the allocated number of bytes.
+ * ANULL return value indicates an error in copying the encValue field.
+ */
+extern SECItem* CRMF_EncryptedValueGetEncValue(CRMFEncryptedValue *inEncValue);
+
+/*
+ * FUNCTION: CRMF_EncryptedValueGetIntendedAlg
+ * INPUTS
+ *    inEncValue
+ *        The EncryptedValue to operate on.
+ * NOTES:
+ * Retrieve the IntendedAlg field from the EncryptedValue structure.
+ * Call SECOID_DestroyAlgorithmID (destAlgID, PR_TRUE) after done using
+ * the return value.  When present, this alogorithm is the alogrithm for
+ * which the private key will be used.
+ *
+ * RETURN:
+ * A Copy of the intendedAlg field.  A NULL return value indicates the
+ * optional field was not present in the structure.
+ */
+extern SECAlgorithmID* 
+       CRMF_EncryptedValueGetIntendedAlg(CRMFEncryptedValue  *inEncValue);
+
+
+/*
+ * FUNCTION: CRMF_EncryptedValueGetSymmAlg
+ * INPUTS
+ *    inEncValue
+ *        The EncryptedValue to operate on.
+ * NOTES:
+ * Retrieve the symmAlg field from the EncryptedValue structure.
+ * Call SECOID_DestroyAlgorithmID (destAlgID, PR_TRUE) after done using
+ * the return value.  When present, this is algorithm used to
+ * encrypt the encValue of the EncryptedValue.
+ *
+ * RETURN:
+ * A Copy of the symmAlg field.  A NULL return value indicates the
+ * optional field was not present in the structure.
+ */
+extern SECAlgorithmID* 
+       CRMF_EncryptedValueGetSymmAlg(CRMFEncryptedValue  *inEncValue);
+
+
+/*
+ * FUNCTION: CRMF_EncryptedValueGetKeyAlg
+ * INPUTS
+ *    inEncValue
+ *        The EncryptedValue to operate on.
+ * NOTES:
+ * Retrieve the keyAlg field from the EncryptedValue structure.
+ * Call SECOID_DestroyAlgorithmID (destAlgID, PR_TRUE) after done using
+ * the return value.  When present, this is the algorithm used to encrypt
+ * the symmetric key in the encSymmKey field of the EncryptedValue structure.
+ *
+ * RETURN:
+ * A Copy of the keyAlg field.  A NULL return value indicates the
+ * optional field was not present in the structure.
+ */
+extern SECAlgorithmID* 
+       CRMF_EncryptedValueGetKeyAlg(CRMFEncryptedValue *inEncValue);
+
+/*
+ * FUNCTION: CRMF_EncryptedValueGetValueHint
+ * INPUTS:
+ *    inEncValue
+ *        The EncryptedValue to operate on.
+ *
+ * NOTES:
+ * Return a copy of the der-encoded value hint.
+ * User must call SECITEM_FreeItem(retVal, PR_TRUE) when done using the
+ * return value.  When, present, this is a value that the client which
+ * originally issued a certificate request can use to reproduce any data
+ * it wants.  The RA does not know how to interpret this data.
+ *
+ * RETURN:
+ * A copy of the valueHint field of the EncryptedValue.  A NULL return
+ * value indicates the optional valueHint field is not present in the
+ * EncryptedValue.
+ */
+extern SECItem* 
+       CRMF_EncryptedValueGetValueHint(CRMFEncryptedValue  *inEncValue);
+
+/*
+ * FUNCTION: CRMF_EncrypteValueGetEncSymmKey
+ * INPUTS: 
+ *    inEncValue
+ *        The EncryptedValue to operate on.
+ *
+ * NOTES:
+ * Return a copy of the encSymmKey field. This field is the encrypted
+ * symmetric key that the client uses in doing Public Key wrap of a private
+ * key.  When present, this is the symmetric key that was used to wrap the
+ * private key.  (The encrypted private key will be stored in encValue
+ * of the same EncryptedValue structure.)  The user must call 
+ * SECITEM_FreeItem(retVal, PR_TRUE) when the return value is no longer
+ * needed.
+ *
+ * RETURN:
+ * A copy of the optional encSymmKey field of the EncryptedValue structure.
+ * The return value will be in BIT STRING format, meaning the len field will
+ * be the number of valid bits as opposed to the number of bytes. A return 
+ * value of NULL means the optional encSymmKey field was not present in
+ * the EncryptedValue structure.
+ */
+extern SECItem* 
+       CRMF_EncryptedValueGetEncSymmKey(CRMFEncryptedValue *inEncValue);
+
+/*
+ * FUNCTION: CRMF_PKIArchiveOptionsGetKeyGenParameters
+ * INPUTS:
+ *    inOptions
+ *        The PKiArchiveOptions to operate on.
+ *
+ * NOTES:
+ * User must call SECITEM_FreeItem(retVal, PR_TRUE) after the return 
+ * value is no longer needed.
+ *
+ * RETURN:
+ * Get the keyGenParameters field of the PKIArchiveOptions.
+ * A NULL return value indicates that keyGenParameters was not 
+ * used as the choice for this PKIArchiveOptions.
+ *
+ * The SECItem returned is in BIT STRING format (ie, the len field indicates
+ * number of valid bits as opposed to allocated number of bytes.)
+ */
+extern SECItem* 
+   CRMF_PKIArchiveOptionsGetKeyGenParameters(CRMFPKIArchiveOptions *inOptions);
+
+/*
+ * FUNCTION: CRMF_PKIArchiveOptionsGetArchiveRemGenPrivKey
+ * INPUTS:
+ *    inOpt
+ *        The PKIArchiveOptions to operate on.
+ *    destVal
+ *        A pointer to where the library can place the value for 
+ *        arciveRemGenPrivKey
+ * RETURN:
+ * If the PKIArchiveOptions used the archiveRemGenPrivKey field, the
+ * function returns SECSuccess and fills the value at *destValue with either
+ * PR_TRUE or PR_FALSE, depending on what the PKIArchiveOptions has as a 
+ * value. 
+ *
+ * If the PKIArchiveOptions does not use the archiveRemGenPrivKey field, the
+ * function returns SECFailure and the value at *destValue is unchanged.
+ */
+extern SECStatus 
+    CRMF_PKIArchiveOptionsGetArchiveRemGenPrivKey(CRMFPKIArchiveOptions *inOpt,
+						  PRBool             *destVal);
+
+/* Helper functions that can be used by other libraries. */
+/*
+ * A quick helper funciton to get the best wrap mechanism.
+ */
+extern CK_MECHANISM_TYPE CRMF_GetBestWrapPadMechanism(PK11SlotInfo *slot); 
+
+/*
+ * A helper function to get a randomly generated IV from a mechanism 
+ * type.
+ */
+extern SECItem* CRMF_GetIVFromMechanism(CK_MECHANISM_TYPE mechType);
+ 
+SEC_END_PROTOS
+#endif /*_CRMF_H_*/
+
+
diff --git a/security/nss/lib/crmf/crmfcont.c b/security/nss/lib/crmf/crmfcont.c
new file mode 100644
index 000000000..3b4b9a98b
--- /dev/null
+++ b/security/nss/lib/crmf/crmfcont.c
@@ -0,0 +1,1166 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "crmf.h"
+#include "crmfi.h"
+#include "pk11func.h"
+#include "keyhi.h"
+#include "secoid.h"
+
+static SECStatus
+crmf_modify_control_array (CRMFCertRequest *inCertReq, int count)
+{
+    if (count > 0) {
+        void *dummy = PORT_Realloc(inCertReq->controls, 
+				   sizeof(CRMFControl*)*(count+2));
+	if (dummy == NULL) {
+	    return SECFailure;
+	}
+	inCertReq->controls = dummy;
+    } else {
+        inCertReq->controls = PORT_ZNewArray(CRMFControl*, 2);
+    }
+    return (inCertReq->controls == NULL) ? SECFailure : SECSuccess ;
+}
+
+static SECStatus
+crmf_add_new_control(CRMFCertRequest *inCertReq,SECOidTag inTag,
+		     CRMFControl **destControl)
+{
+    SECOidData  *oidData;
+    SECStatus    rv;
+    PRArenaPool *poolp;
+    int          numControls = 0;
+    CRMFControl *newControl;
+    CRMFControl **controls;
+    void        *mark;
+
+    poolp = inCertReq->poolp;
+    if (poolp == NULL) {
+        return SECFailure;
+    }
+    mark = PORT_ArenaMark(poolp);
+    if (inCertReq->controls != NULL) {
+        while (inCertReq->controls[numControls] != NULL)
+	    numControls++;
+    }
+    rv = crmf_modify_control_array(inCertReq, numControls);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    controls = inCertReq->controls;
+    oidData = SECOID_FindOIDByTag(inTag);
+    newControl = *destControl = PORT_ArenaZNew(poolp,CRMFControl);
+    if (newControl == NULL) {
+        goto loser;
+    }
+    rv = SECITEM_CopyItem(poolp, &newControl->derTag, &oidData->oid);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    newControl->tag = inTag;
+    controls[numControls] = newControl;
+    controls[numControls+1] = NULL;
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    *destControl = NULL;
+    return SECFailure;
+			  
+}
+
+SECStatus
+crmf_add_secitem_control(CRMFCertRequest *inCertReq, SECItem *value,
+			 SECOidTag inTag)
+{
+    SECStatus    rv;
+    CRMFControl *newControl;
+    void        *mark;
+
+    rv = crmf_add_new_control(inCertReq, inTag, &newControl);
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    mark = PORT_ArenaMark(inCertReq->poolp);
+    rv = SECITEM_CopyItem(inCertReq->poolp, &newControl->derValue, value);
+    if (rv != SECSuccess) {
+        PORT_ArenaRelease(inCertReq->poolp, mark);
+	return rv;
+    }
+    PORT_ArenaUnmark(inCertReq->poolp, mark);
+    return SECSuccess;
+}
+
+SECStatus
+CRMF_CertRequestSetRegTokenControl(CRMFCertRequest *inCertReq, SECItem *value)
+{
+    return crmf_add_secitem_control(inCertReq, value, 
+				    SEC_OID_PKIX_REGCTRL_REGTOKEN);
+}
+
+SECStatus
+CRMF_CertRequestSetAuthenticatorControl (CRMFCertRequest *inCertReq, 
+					 SECItem         *value)
+{
+    return crmf_add_secitem_control(inCertReq, value, 
+				    SEC_OID_PKIX_REGCTRL_AUTHENTICATOR);
+}
+
+SECStatus
+crmf_destroy_encrypted_value(CRMFEncryptedValue *inEncrValue, PRBool freeit)
+{
+    if (inEncrValue != NULL) {
+        if (inEncrValue->intendedAlg) {
+	    SECOID_DestroyAlgorithmID(inEncrValue->intendedAlg, PR_TRUE);
+	}
+	if (inEncrValue->symmAlg) {
+	    SECOID_DestroyAlgorithmID(inEncrValue->symmAlg, PR_TRUE);
+	}
+        if (inEncrValue->encSymmKey.data) {
+	    PORT_Free(inEncrValue->encSymmKey.data);
+	}
+	if (inEncrValue->keyAlg) {
+	    SECOID_DestroyAlgorithmID(inEncrValue->keyAlg, PR_TRUE);
+	}
+	if (inEncrValue->valueHint.data) {
+	    PORT_Free(inEncrValue->valueHint.data);
+	}
+        if (inEncrValue->encValue.data) {
+	    PORT_Free(inEncrValue->encValue.data);
+	}
+	if (freeit) {
+	    PORT_Free(inEncrValue);
+	}
+    }
+    return SECSuccess;
+}
+
+SECStatus
+CRMF_DestroyEncryptedValue(CRMFEncryptedValue *inEncrValue)
+{
+    return crmf_destroy_encrypted_value(inEncrValue, PR_TRUE);
+}
+
+SECStatus
+crmf_copy_encryptedvalue_secalg(PRArenaPool     *poolp,
+				SECAlgorithmID  *srcAlgId,
+				SECAlgorithmID **destAlgId)
+{
+    SECAlgorithmID *newAlgId;
+
+    *destAlgId = newAlgId = (poolp != NULL) ?
+                            PORT_ArenaZNew(poolp, SECAlgorithmID) :
+                            PORT_ZNew(SECAlgorithmID);
+    if (newAlgId == NULL) {
+        return SECFailure;
+    }
+    
+    return SECOID_CopyAlgorithmID(poolp, newAlgId, srcAlgId);
+}
+
+SECStatus
+crmf_copy_encryptedvalue(PRArenaPool        *poolp,
+			 CRMFEncryptedValue *srcValue,
+			 CRMFEncryptedValue *destValue)
+{
+    SECStatus           rv;
+
+    if (srcValue->intendedAlg != NULL) {
+        rv = crmf_copy_encryptedvalue_secalg(poolp,
+					     srcValue->intendedAlg,
+					     &destValue->intendedAlg);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcValue->symmAlg != NULL) {
+        rv = crmf_copy_encryptedvalue_secalg(poolp, 
+					     srcValue->symmAlg,
+					     &destValue->symmAlg);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcValue->encSymmKey.data != NULL) {
+        rv = crmf_make_bitstring_copy(poolp, 
+				      &destValue->encSymmKey,
+				      &srcValue->encSymmKey);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcValue->keyAlg != NULL) {
+        rv = crmf_copy_encryptedvalue_secalg(poolp,
+					     srcValue->keyAlg,
+					     &destValue->keyAlg);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcValue->valueHint.data != NULL) {
+        rv = SECITEM_CopyItem(poolp, 
+			      &destValue->valueHint,
+			      &srcValue->valueHint);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcValue->encValue.data != NULL) {
+        rv = crmf_make_bitstring_copy(poolp,
+				      &destValue->encValue,
+				      &srcValue->encValue);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    return SECSuccess;
+ loser:
+    if (poolp == NULL && destValue != NULL) {
+        crmf_destroy_encrypted_value(destValue, PR_TRUE);
+    }
+    return SECFailure;
+}
+
+SECStatus 
+crmf_copy_encryptedkey(PRArenaPool       *poolp,
+		       CRMFEncryptedKey  *srcEncrKey,
+		       CRMFEncryptedKey  *destEncrKey)
+{
+    SECStatus          rv;
+    void              *mark = NULL;
+
+    if (poolp != NULL) {
+        mark = PORT_ArenaMark(poolp);
+    }
+
+    switch (srcEncrKey->encKeyChoice) {
+    case crmfEncryptedValueChoice:
+        rv = crmf_copy_encryptedvalue(poolp, 
+				      &srcEncrKey->value.encryptedValue,
+				      &destEncrKey->value.encryptedValue);
+	break;
+    case crmfEnvelopedDataChoice:
+        destEncrKey->value.envelopedData = 
+	    SEC_PKCS7CopyContentInfo(srcEncrKey->value.envelopedData);
+        rv = (destEncrKey->value.envelopedData != NULL) ? SECSuccess:
+	                                                  SECFailure;
+        break;
+    default:
+        rv = SECFailure;
+    }
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    destEncrKey->encKeyChoice = srcEncrKey->encKeyChoice;
+    if (mark) {
+    	PORT_ArenaUnmark(poolp, mark);
+    }
+    return SECSuccess;
+
+ loser:
+    if (mark) {
+        PORT_ArenaRelease(poolp, mark);
+    }
+    return SECFailure;
+}
+
+CRMFPKIArchiveOptions*
+crmf_create_encr_pivkey_option(CRMFEncryptedKey *inEncryptedKey)
+{
+    CRMFPKIArchiveOptions *newArchOpt;
+    SECStatus              rv;
+
+    newArchOpt = PORT_ZNew(CRMFPKIArchiveOptions);
+    if (newArchOpt == NULL) {
+        goto loser;
+    }
+
+    rv = crmf_copy_encryptedkey(NULL, inEncryptedKey,
+				&newArchOpt->option.encryptedKey);
+    
+    if (rv != SECSuccess) {
+      goto loser;
+    }
+    newArchOpt->archOption = crmfEncryptedPrivateKey;
+    return newArchOpt;
+ loser:
+    if (newArchOpt != NULL) {
+        CRMF_DestroyPKIArchiveOptions(newArchOpt);
+    }
+    return NULL;
+}
+
+static CRMFPKIArchiveOptions*
+crmf_create_keygen_param_option(SECItem *inKeyGenParams)
+{
+    CRMFPKIArchiveOptions *newArchOptions;
+    SECStatus              rv;
+
+    newArchOptions = PORT_ZNew(CRMFPKIArchiveOptions);
+    if (newArchOptions == NULL) {
+        goto loser;
+    }
+    newArchOptions->archOption = crmfKeyGenParameters;
+    rv = SECITEM_CopyItem(NULL, &newArchOptions->option.keyGenParameters,
+			  inKeyGenParams);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return newArchOptions;
+ loser:
+    if (newArchOptions != NULL) {
+        CRMF_DestroyPKIArchiveOptions(newArchOptions);
+    }
+    return NULL;
+}
+
+static CRMFPKIArchiveOptions*
+crmf_create_arch_rem_gen_privkey(PRBool archiveRemGenPrivKey)
+{
+    unsigned char          value;
+    SECItem               *dummy;
+    CRMFPKIArchiveOptions *newArchOptions;
+
+    value = (archiveRemGenPrivKey) ? hexTrue : hexFalse;
+    newArchOptions = PORT_ZNew(CRMFPKIArchiveOptions);
+    if (newArchOptions == NULL) {
+        goto loser;
+    }
+    dummy = SEC_ASN1EncodeItem(NULL, 
+			       &newArchOptions->option.archiveRemGenPrivKey,
+			       &value, SEC_ASN1_GET(SEC_BooleanTemplate));
+    PORT_Assert (dummy == &newArchOptions->option.archiveRemGenPrivKey);
+    if (dummy != &newArchOptions->option.archiveRemGenPrivKey) {
+        SECITEM_FreeItem (dummy, PR_TRUE);
+	goto loser;
+    }
+    newArchOptions->archOption = crmfArchiveRemGenPrivKey;
+    return newArchOptions;
+ loser:
+    if (newArchOptions != NULL) {
+        CRMF_DestroyPKIArchiveOptions(newArchOptions);
+    }
+    return NULL;
+}
+
+CRMFPKIArchiveOptions*
+CRMF_CreatePKIArchiveOptions(CRMFPKIArchiveOptionsType inType, void *data)
+{
+    CRMFPKIArchiveOptions* retOptions;
+
+    PORT_Assert(data != NULL);
+    if (data == NULL) {
+        return NULL;
+    }
+    switch(inType) {
+    case crmfEncryptedPrivateKey:
+        retOptions = crmf_create_encr_pivkey_option((CRMFEncryptedKey*)data);
+	break;
+    case crmfKeyGenParameters:
+        retOptions = crmf_create_keygen_param_option((SECItem*)data);
+	break;
+    case crmfArchiveRemGenPrivKey:
+        retOptions = crmf_create_arch_rem_gen_privkey(*(PRBool*)data);
+	break;
+    default:
+        retOptions = NULL;
+    }
+    return retOptions;
+}
+
+static SECStatus
+crmf_destroy_encrypted_key(CRMFEncryptedKey *inEncrKey, PRBool freeit)
+{ 
+    PORT_Assert(inEncrKey != NULL);
+    if (inEncrKey != NULL) {
+        switch (inEncrKey->encKeyChoice){
+	case crmfEncryptedValueChoice:
+            crmf_destroy_encrypted_value(&inEncrKey->value.encryptedValue, 
+					 PR_FALSE);
+	    break;
+	case crmfEnvelopedDataChoice:
+	    SEC_PKCS7DestroyContentInfo(inEncrKey->value.envelopedData);
+            break;
+        default:
+            break;
+        }
+        if (freeit) {
+            PORT_Free(inEncrKey);
+        }
+    }
+    return SECSuccess;
+}
+
+SECStatus 
+crmf_destroy_pkiarchiveoptions(CRMFPKIArchiveOptions *inArchOptions, 
+			       PRBool                 freeit)
+{
+    PORT_Assert(inArchOptions != NULL);
+    if (inArchOptions != NULL) {
+        switch (inArchOptions->archOption) {
+	case crmfEncryptedPrivateKey:
+	    crmf_destroy_encrypted_key(&inArchOptions->option.encryptedKey,
+				       PR_FALSE);
+	    break;
+	case crmfKeyGenParameters:
+	case crmfArchiveRemGenPrivKey:
+	    /* This is a union, so having a pointer to one is like
+	     * having a pointer to both.  
+	     */
+	    SECITEM_FreeItem(&inArchOptions->option.keyGenParameters, 
+			     PR_FALSE);
+	    break;
+        case crmfNoArchiveOptions:
+            break;
+	}
+	if (freeit) {
+	    PORT_Free(inArchOptions);
+	}
+    }
+    return SECSuccess;
+}
+
+SECStatus
+CRMF_DestroyPKIArchiveOptions(CRMFPKIArchiveOptions *inArchOptions) 
+{
+    return crmf_destroy_pkiarchiveoptions(inArchOptions, PR_TRUE);
+}
+
+static CK_MECHANISM_TYPE
+crmf_get_non_pad_mechanism(CK_MECHANISM_TYPE type)
+{
+    switch (type) {
+    case CKM_DES3_CBC_PAD:
+        return CKM_DES3_CBC;
+    case CKM_CAST5_CBC_PAD:
+        return CKM_CAST5_CBC;
+    case CKM_DES_CBC_PAD:
+        return CKM_DES_CBC;
+    case CKM_IDEA_CBC_PAD:
+        return CKM_IDEA_CBC;
+    case CKM_CAST3_CBC_PAD:
+        return CKM_CAST3_CBC;
+    case CKM_CAST_CBC_PAD:
+        return CKM_CAST_CBC;
+    case CKM_RC5_CBC_PAD:
+        return CKM_RC5_CBC;
+    case CKM_RC2_CBC_PAD:
+        return CKM_RC2_CBC;
+    case CKM_CDMF_CBC_PAD:
+        return CKM_CDMF_CBC;
+    }
+    return type;
+}
+
+static CK_MECHANISM_TYPE
+crmf_get_pad_mech_from_tag(SECOidTag oidTag)
+{
+    CK_MECHANISM_TYPE  mechType;
+    SECOidData        *oidData;
+
+    oidData = SECOID_FindOIDByTag(oidTag);
+    mechType = (CK_MECHANISM_TYPE)oidData->mechanism;
+    return PK11_GetPadMechanism(mechType);
+}
+
+static CK_MECHANISM_TYPE
+crmf_get_best_privkey_wrap_mechanism(PK11SlotInfo *slot) 
+{
+    CK_MECHANISM_TYPE privKeyPadMechs[] = { CKM_DES3_CBC_PAD,
+					    CKM_CAST5_CBC_PAD,
+					    CKM_DES_CBC_PAD,
+					    CKM_IDEA_CBC_PAD,
+					    CKM_CAST3_CBC_PAD,
+					    CKM_CAST_CBC_PAD,
+					    CKM_RC5_CBC_PAD,
+					    CKM_RC2_CBC_PAD,
+					    CKM_CDMF_CBC_PAD };
+    int mechCount = sizeof(privKeyPadMechs)/sizeof(privKeyPadMechs[0]);
+    int i;
+
+    for (i=0; i < mechCount; i++) {
+        if (PK11_DoesMechanism(slot, privKeyPadMechs[i])) {
+	    return privKeyPadMechs[i];
+	}
+    }
+    return CKM_INVALID_MECHANISM;
+}
+
+CK_MECHANISM_TYPE
+CRMF_GetBestWrapPadMechanism(PK11SlotInfo *slot)
+{
+    return crmf_get_best_privkey_wrap_mechanism(slot);
+}
+
+static SECItem*
+crmf_get_iv(CK_MECHANISM_TYPE mechType)
+{
+    int        iv_size = PK11_GetIVLength(mechType);
+    SECItem   *iv;
+    SECStatus  rv; 
+
+    iv = PORT_ZNew(SECItem);
+    if (iv == NULL) {
+        return NULL;
+    }
+    if (iv_size == 0) {
+        iv->data = NULL;
+	iv->len  = 0;
+	return iv;
+    }
+    iv->data = PORT_NewArray(unsigned char, iv_size);
+    if (iv->data == NULL) {
+        iv->len = 0;
+	return iv;
+    }
+    iv->len = iv_size;
+    rv = PK11_GenerateRandom(iv->data, iv->len);
+    if (rv != SECSuccess) {
+        PORT_Free(iv->data);
+	iv->data = NULL;
+	iv->len  = 0;
+    }
+    return iv;
+}
+
+SECItem*
+CRMF_GetIVFromMechanism(CK_MECHANISM_TYPE mechType)
+{
+    return crmf_get_iv(mechType);
+}
+
+CK_MECHANISM_TYPE
+crmf_get_mechanism_from_public_key(SECKEYPublicKey *inPubKey)
+{
+    CERTSubjectPublicKeyInfo *spki = NULL;
+    SECOidTag                 tag;
+    
+
+    spki = SECKEY_CreateSubjectPublicKeyInfo(inPubKey);
+    if (spki == NULL) {
+        return CKM_INVALID_MECHANISM;
+    }
+    tag = SECOID_FindOIDTag(&spki->algorithm.algorithm);
+    SECKEY_DestroySubjectPublicKeyInfo(spki);
+    spki = NULL;
+    return PK11_AlgtagToMechanism(tag);
+}
+
+SECItem*
+crmf_get_public_value(SECKEYPublicKey *pubKey, SECItem *dest)
+{
+    SECItem *pubValue;
+
+    if (dest != NULL) {
+        pubValue = dest;
+    } else {
+        pubValue = PORT_ZNew(SECItem);
+    }
+    switch(pubKey->keyType) {
+        case dsaKey:
+	    SECITEM_CopyItem(NULL, pubValue, &pubKey->u.dsa.publicValue);
+            break;
+        case rsaKey:
+	    SECITEM_CopyItem(NULL, pubValue, &pubKey->u.rsa.modulus);
+            break;
+        case dhKey:
+	    SECITEM_CopyItem(NULL, pubValue, &pubKey->u.dh.publicValue);
+	    break;
+        default:
+	    if (dest == NULL) {
+	        PORT_Free(pubValue);
+	    }
+            pubValue = NULL;
+	    break;
+    }
+    return pubValue;
+}
+
+static SECItem*
+crmf_decode_params(SECItem *inParams)
+{
+    SECItem   *params;
+    SECStatus  rv;
+    
+    params = PORT_ZNew(SECItem);
+    rv = SEC_ASN1DecodeItem(NULL, params, 
+                            SEC_ASN1_GET(SEC_OctetStringTemplate),
+			    inParams);
+    if (rv != SECSuccess) {
+        SECITEM_FreeItem(params, PR_TRUE);
+	return NULL;
+    }
+    return params;
+}
+
+int
+crmf_get_key_size_from_mech(CK_MECHANISM_TYPE mechType)
+{
+    CK_MECHANISM_TYPE keyGen = PK11_GetKeyGen(mechType);
+
+    switch (keyGen) {
+    case CKM_CDMF_KEY_GEN:
+    case CKM_DES_KEY_GEN:
+        return 8;
+    case CKM_DES2_KEY_GEN:
+	return 16;
+    case CKM_DES3_KEY_GEN:
+	return 24;
+    }
+    return 0;
+}
+
+SECStatus
+crmf_encrypted_value_unwrap_priv_key(PRArenaPool        *poolp,
+				     CRMFEncryptedValue *encValue,
+				     SECKEYPrivateKey   *privKey,
+				     SECKEYPublicKey    *newPubKey,
+				     SECItem            *nickname,
+				     PK11SlotInfo       *slot,
+				     unsigned char       keyUsage,
+				     SECKEYPrivateKey  **unWrappedKey,
+				     void               *wincx)
+{
+    PK11SymKey        *wrappingKey = NULL;
+    CK_MECHANISM_TYPE  wrapMechType;
+    SECOidTag          oidTag;
+    SECItem           *params = NULL, *publicValue = NULL;
+    int                keySize, origLen;
+    CK_KEY_TYPE        keyType;
+    CK_ATTRIBUTE_TYPE *usage = NULL;
+    CK_ATTRIBUTE_TYPE rsaUsage[] = {
+      CKA_UNWRAP, CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER };
+    CK_ATTRIBUTE_TYPE dsaUsage[] = { CKA_SIGN };
+    CK_ATTRIBUTE_TYPE dhUsage[] = { CKA_DERIVE };
+    int usageCount = 0;
+
+    oidTag = SECOID_GetAlgorithmTag(encValue->symmAlg);
+    wrapMechType = crmf_get_pad_mech_from_tag(oidTag);
+    keySize = crmf_get_key_size_from_mech(wrapMechType);
+    wrappingKey = PK11_PubUnwrapSymKey(privKey, &encValue->encSymmKey, 
+				       wrapMechType, CKA_UNWRAP, keySize);
+    if (wrappingKey == NULL) {
+        goto loser;
+    }/* Make the length a byte length instead of bit length*/
+    params = (encValue->symmAlg != NULL) ? 
+              crmf_decode_params(&encValue->symmAlg->parameters) : NULL;
+    origLen = encValue->encValue.len;
+    encValue->encValue.len = CRMF_BITS_TO_BYTES(origLen);
+    publicValue = crmf_get_public_value(newPubKey, NULL);
+    switch(newPubKey->keyType) {
+    default:
+    case rsaKey:
+        keyType = CKK_RSA;
+        switch  (keyUsage & (KU_KEY_ENCIPHERMENT|KU_DIGITAL_SIGNATURE)) {
+        case KU_KEY_ENCIPHERMENT:
+            usage = rsaUsage;
+            usageCount = 2;
+            break;
+        case KU_DIGITAL_SIGNATURE:
+            usage = &rsaUsage[2];
+            usageCount = 2;
+            break;
+        case KU_KEY_ENCIPHERMENT|KU_DIGITAL_SIGNATURE:
+        case 0: /* default to everything */
+            usage = rsaUsage;
+            usageCount = 4;
+            break;
+        }
+	break;
+    case dhKey:
+        keyType = CKK_DH;
+        usage = dhUsage;
+        usageCount = sizeof(dhUsage)/sizeof(dhUsage[0]);
+        break;
+    case dsaKey:
+        keyType = CKK_DSA;
+        usage = dsaUsage;
+        usageCount = sizeof(dsaUsage)/sizeof(dsaUsage[0]);
+        break;
+    }
+    PORT_Assert(usage != NULL);
+    PORT_Assert(usageCount != 0);
+    *unWrappedKey = PK11_UnwrapPrivKey(slot, wrappingKey, wrapMechType, params,
+				       &encValue->encValue, nickname,
+				       publicValue, PR_TRUE,PR_TRUE, 
+				       keyType, usage, usageCount, wincx);
+    encValue->encValue.len = origLen;
+    if (*unWrappedKey == NULL) {
+        goto loser;
+    }
+    SECITEM_FreeItem (publicValue, PR_TRUE);
+    if (params!= NULL) {
+        SECITEM_FreeItem(params, PR_TRUE);
+    } 
+    PK11_FreeSymKey(wrappingKey);
+    return SECSuccess;
+ loser:
+    *unWrappedKey = NULL;
+    return SECFailure;
+}
+
+CRMFEncryptedValue *
+crmf_create_encrypted_value_wrapped_privkey(SECKEYPrivateKey   *inPrivKey,
+					    SECKEYPublicKey    *inCAKey,
+					    CRMFEncryptedValue *destValue)
+{
+    SECItem                   wrappedPrivKey, wrappedSymKey;
+    SECItem                   encodedParam, *dummy;
+    SECStatus                 rv;
+    CK_MECHANISM_TYPE         pubMechType, symKeyType;
+    unsigned char            *wrappedSymKeyBits;
+    unsigned char            *wrappedPrivKeyBits;
+    SECItem                  *iv = NULL;
+    SECOidTag                 tag;
+    PK11SymKey               *symKey;
+    PK11SlotInfo             *slot;
+    SECAlgorithmID           *symmAlg;
+    CRMFEncryptedValue       *myEncrValue = NULL;
+
+    encodedParam.data = NULL;
+    wrappedSymKeyBits  = PORT_NewArray(unsigned char, MAX_WRAPPED_KEY_LEN);
+    wrappedPrivKeyBits = PORT_NewArray(unsigned char, MAX_WRAPPED_KEY_LEN);
+    if (wrappedSymKeyBits == NULL || wrappedPrivKeyBits == NULL) {
+        goto loser;
+    }
+    if (destValue == NULL) {
+        myEncrValue = destValue = PORT_ZNew(CRMFEncryptedValue);
+	if (destValue == NULL) {
+	    goto loser;
+	}
+    }
+
+    pubMechType = crmf_get_mechanism_from_public_key(inCAKey);
+    if (pubMechType == CKM_INVALID_MECHANISM) {
+        /* XXX I should probably do something here for non-RSA 
+	 *     keys that are in certs. (ie DSA)
+	 */
+        goto loser;
+    }
+    slot = inPrivKey->pkcs11Slot; 
+    PORT_Assert(slot != NULL);
+    symKeyType = crmf_get_best_privkey_wrap_mechanism(slot);
+    symKey = PK11_KeyGen(slot, symKeyType, NULL, 0, NULL);
+    if (symKey == NULL) {
+        goto loser;
+    }
+
+    wrappedSymKey.data = wrappedSymKeyBits;
+    wrappedSymKey.len  = MAX_WRAPPED_KEY_LEN;
+    rv = PK11_PubWrapSymKey(pubMechType, inCAKey, symKey, &wrappedSymKey);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    /* Make the length of the result a Bit String length. */
+    wrappedSymKey.len <<= 3;
+
+    wrappedPrivKey.data = wrappedPrivKeyBits;
+    wrappedPrivKey.len  = MAX_WRAPPED_KEY_LEN;
+    iv = crmf_get_iv(symKeyType);
+    rv = PK11_WrapPrivKey(slot, symKey, inPrivKey, symKeyType, iv, 
+			  &wrappedPrivKey, NULL);
+    PK11_FreeSymKey(symKey);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    /* Make the length of the result a Bit String length. */
+    wrappedPrivKey.len <<= 3;
+    rv = crmf_make_bitstring_copy(NULL, 
+				  &destValue->encValue, 
+				  &wrappedPrivKey);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = crmf_make_bitstring_copy(NULL,
+				  &destValue->encSymmKey, 
+				  &wrappedSymKey);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    destValue->symmAlg = symmAlg = PORT_ZNew(SECAlgorithmID);
+    if (symmAlg == NULL) {
+        goto loser;
+    }
+
+    dummy = SEC_ASN1EncodeItem(NULL, &encodedParam, iv, 
+                               SEC_ASN1_GET(SEC_OctetStringTemplate));
+    if (dummy != &encodedParam) {
+        SECITEM_FreeItem(dummy, PR_TRUE);
+	goto loser;
+    }
+
+    symKeyType = crmf_get_non_pad_mechanism(symKeyType);
+    tag = PK11_MechanismToAlgtag(symKeyType);
+    rv = SECOID_SetAlgorithmID(NULL, symmAlg, tag, &encodedParam);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    PORT_Free(encodedParam.data);
+    PORT_Free(wrappedPrivKeyBits);
+    PORT_Free(wrappedSymKeyBits);
+    if (iv->data != NULL) {
+        PORT_Free(iv->data);
+    }
+    PORT_Free(iv);
+    return destValue;
+ loser:
+    if (iv != NULL) {
+        if (iv->data) {
+	    PORT_Free(iv->data);
+	}
+        PORT_Free(iv);
+    }
+    if (myEncrValue != NULL) {
+        crmf_destroy_encrypted_value(myEncrValue, PR_TRUE);
+    }
+    if (wrappedSymKeyBits != NULL) {
+        PORT_Free(wrappedSymKeyBits);
+    }
+    if (wrappedPrivKeyBits != NULL) {
+        PORT_Free(wrappedPrivKeyBits);
+    }
+    if (encodedParam.data != NULL) {
+        PORT_Free(encodedParam.data);
+    }
+    return NULL;
+}
+
+CRMFEncryptedKey*
+CRMF_CreateEncryptedKeyWithEncryptedValue (SECKEYPrivateKey *inPrivKey,
+					   CERTCertificate  *inCACert)
+{
+    SECKEYPublicKey          *caPubKey = NULL;
+    CRMFEncryptedKey         *encKey = NULL;
+    CRMFEncryptedValue       *dummy;
+
+    PORT_Assert(inPrivKey != NULL && inCACert != NULL);
+    if (inPrivKey == NULL || inCACert == NULL) {
+        return NULL;
+    }
+
+    caPubKey = CERT_ExtractPublicKey(inCACert);
+    if (caPubKey == NULL) {
+        goto loser;
+    }
+
+    encKey = PORT_ZNew(CRMFEncryptedKey);
+    if (encKey == NULL) {
+        goto loser;
+    }
+    dummy = crmf_create_encrypted_value_wrapped_privkey(inPrivKey,
+							caPubKey,
+					       &encKey->value.encryptedValue);
+    PORT_Assert(dummy == &encKey->value.encryptedValue);
+    /* We won't add the der value here, but rather when it 
+     * becomes part of a certificate request.
+     */
+    SECKEY_DestroyPublicKey(caPubKey);
+    encKey->encKeyChoice = crmfEncryptedValueChoice;
+    return encKey;
+ loser:
+    if (encKey != NULL) {
+        CRMF_DestroyEncryptedKey(encKey);
+    }
+    if (caPubKey != NULL) {
+        SECKEY_DestroyPublicKey(caPubKey);
+    }
+    return NULL;
+}
+
+SECStatus
+CRMF_DestroyEncryptedKey(CRMFEncryptedKey *inEncrKey)
+{
+    return crmf_destroy_encrypted_key(inEncrKey, PR_TRUE);
+}
+
+SECStatus
+crmf_copy_pkiarchiveoptions(PRArenaPool           *poolp,
+			    CRMFPKIArchiveOptions *destOpt,
+			    CRMFPKIArchiveOptions *srcOpt)
+{
+    SECStatus rv;
+    destOpt->archOption = srcOpt->archOption;
+    switch (srcOpt->archOption) {
+    case crmfEncryptedPrivateKey:
+        rv = crmf_copy_encryptedkey(poolp,
+				    &srcOpt->option.encryptedKey,
+				    &destOpt->option.encryptedKey);
+        break;
+    case crmfKeyGenParameters:
+    case crmfArchiveRemGenPrivKey:
+        /* We've got a union, so having a pointer to one is just
+	 * like having a pointer to the other one.
+	 */
+        rv = SECITEM_CopyItem(poolp, 
+			      &destOpt->option.keyGenParameters,
+			      &srcOpt->option.keyGenParameters);
+	break;
+    default:
+        rv = SECFailure;
+    }
+    return rv;
+}
+
+static SECStatus
+crmf_check_and_adjust_archoption(CRMFControl *inControl)
+{
+    CRMFPKIArchiveOptions *options;
+
+    options = &inControl->value.archiveOptions;
+    if (options->archOption == crmfNoArchiveOptions) {
+        /* It hasn't been set, so figure it out from the 
+	 * der.
+	 */
+        switch (inControl->derValue.data[0] & 0x0f) {
+	case 0:
+	    options->archOption = crmfEncryptedPrivateKey;
+	    break;
+	case 1:
+	    options->archOption = crmfKeyGenParameters;
+	    break;
+	case 2:
+	    options->archOption = crmfArchiveRemGenPrivKey;
+	    break;
+	default:
+	    /* We've got bad DER.  Return an error. */
+	    return SECFailure;
+	}
+    }
+    return SECSuccess;
+}
+
+static const SEC_ASN1Template *
+crmf_get_pkiarchive_subtemplate(CRMFControl *inControl)
+{
+    const SEC_ASN1Template *retTemplate;
+    SECStatus               rv;
+    /*
+     * We could be in the process of decoding, in which case the
+     * archOption field will not be set.  Let's check it and set 
+     * it accordingly.
+     */
+
+    rv = crmf_check_and_adjust_archoption(inControl);
+    if (rv != SECSuccess) {
+        return NULL;
+    }
+
+    switch (inControl->value.archiveOptions.archOption) {
+    case crmfEncryptedPrivateKey:
+        retTemplate = CRMFEncryptedKeyWithEncryptedValueTemplate;
+	inControl->value.archiveOptions.option.encryptedKey.encKeyChoice =
+	  crmfEncryptedValueChoice;
+	break;
+    default:
+        retTemplate = NULL;
+    }
+    return retTemplate;
+}
+
+const SEC_ASN1Template*
+crmf_get_pkiarchiveoptions_subtemplate(CRMFControl *inControl)
+{
+    const SEC_ASN1Template *retTemplate;
+
+    switch (inControl->tag) {
+    case SEC_OID_PKIX_REGCTRL_REGTOKEN:
+    case SEC_OID_PKIX_REGCTRL_AUTHENTICATOR:
+        retTemplate = SEC_ASN1_GET(SEC_UTF8StringTemplate);
+	break;
+    case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
+        retTemplate = crmf_get_pkiarchive_subtemplate(inControl);
+	break;
+    case SEC_OID_PKIX_REGCTRL_PKIPUBINFO:
+    case SEC_OID_PKIX_REGCTRL_OLD_CERT_ID:
+    case SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY:
+        /* We don't support these controls, so we fail for now.*/
+        retTemplate = NULL;
+	break;
+    default:
+        retTemplate = NULL;
+    }
+    return retTemplate;
+}
+
+static SECStatus
+crmf_encode_pkiarchiveoptions(PRArenaPool *poolp, CRMFControl *inControl)
+{
+    const SEC_ASN1Template *asn1Template;
+
+    asn1Template = crmf_get_pkiarchiveoptions_subtemplate(inControl);
+    /* We've got a union, so passing a pointer to one element of the 
+     * union, is the same as passing a pointer to any of the other
+     * members of the union.
+     */
+    SEC_ASN1EncodeItem(poolp, &inControl->derValue,
+                       &inControl->value.archiveOptions, asn1Template);
+
+    if (inControl->derValue.data == NULL) {
+        goto loser;
+    }
+    return SECSuccess;
+ loser:
+    return SECFailure;
+}
+
+SECStatus
+CRMF_CertRequestSetPKIArchiveOptions(CRMFCertRequest       *inCertReq,
+				     CRMFPKIArchiveOptions *inOptions)
+{
+    CRMFControl *newControl;
+    PRArenaPool *poolp;
+    SECStatus    rv;
+    void        *mark;
+    
+    PORT_Assert(inCertReq != NULL && inOptions != NULL);
+    if (inCertReq == NULL || inOptions == NULL) {
+        return SECFailure;
+    }
+    poolp = inCertReq->poolp;
+    mark = PORT_ArenaMark(poolp);
+    rv = crmf_add_new_control(inCertReq, 
+			      SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS,
+			      &newControl);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = crmf_copy_pkiarchiveoptions(poolp, 
+				     &newControl->value.archiveOptions,
+				     inOptions);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = crmf_encode_pkiarchiveoptions(poolp, newControl); 
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    return SECFailure;
+}
+
+SECStatus
+crmf_destroy_control(CRMFControl *inControl, PRBool freeit)
+{
+    PORT_Assert(inControl != NULL);
+    if (inControl != NULL) {
+        SECITEM_FreeItem(&inControl->derTag, PR_FALSE);
+        SECITEM_FreeItem(&inControl->derValue, PR_FALSE);
+	/* None of the other tags require special processing at 
+	 * the moment when freeing because they are not supported,
+	 * but if/when they are, add the necessary routines here.  
+	 * If all controls are supported, then every member of the 
+	 * union inControl->value will have a case that deals with 
+	 * it in the following switch statement.
+	 */
+	switch (inControl->tag) {
+	case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
+	    crmf_destroy_pkiarchiveoptions(&inControl->value.archiveOptions,
+					   PR_FALSE);
+	    break;
+        default:
+           /* Put this here to get rid of all those annoying warnings.*/
+           break;
+	}
+	if (freeit) {
+	    PORT_Free(inControl);
+	}
+    }
+    return SECSuccess;
+}
+
+SECStatus
+CRMF_DestroyControl(CRMFControl *inControl)
+{
+    return crmf_destroy_control(inControl, PR_TRUE);
+}
+
+static SECOidTag
+crmf_controltype_to_tag(CRMFControlType inControlType)
+{
+    SECOidTag retVal;
+
+    switch(inControlType) {
+    case crmfRegTokenControl:
+      retVal = SEC_OID_PKIX_REGCTRL_REGTOKEN; 
+      break;
+    case crmfAuthenticatorControl:
+      retVal = SEC_OID_PKIX_REGCTRL_AUTHENTICATOR;
+      break;
+    case crmfPKIPublicationInfoControl:
+      retVal = SEC_OID_PKIX_REGCTRL_PKIPUBINFO;
+      break;
+    case crmfPKIArchiveOptionsControl:
+      retVal = SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS;
+      break;
+    case crmfOldCertIDControl:
+      retVal = SEC_OID_PKIX_REGCTRL_OLD_CERT_ID;
+      break;
+    case crmfProtocolEncrKeyControl:
+      retVal = SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY;
+      break;
+    default:
+      retVal = SEC_OID_UNKNOWN;
+      break;
+    }
+    return retVal;
+}
+
+PRBool
+CRMF_CertRequestIsControlPresent(CRMFCertRequest *inCertReq,
+				 CRMFControlType  inControlType)
+{
+    SECOidTag controlTag;
+    int       i;
+
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq == NULL || inCertReq->controls == NULL) {
+        return PR_FALSE;
+    }
+    controlTag = crmf_controltype_to_tag(inControlType);
+    for (i=0; inCertReq->controls[i] != NULL; i++) {
+        if (inCertReq->controls[i]->tag == controlTag) {
+	    return PR_TRUE;
+	}
+    }
+    return PR_FALSE;
+}
+
diff --git a/security/nss/lib/crmf/crmfdec.c b/security/nss/lib/crmf/crmfdec.c
new file mode 100644
index 000000000..cce945e6d
--- /dev/null
+++ b/security/nss/lib/crmf/crmfdec.c
@@ -0,0 +1,380 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+
+#include "crmf.h"
+#include "crmfi.h"
+#include "secitem.h"
+
+static CRMFPOPChoice
+crmf_get_popchoice_from_der(SECItem *derPOP)
+{
+    CRMFPOPChoice retChoice;
+
+    switch (derPOP->data[0] & 0x0f) {
+    case 0:
+        retChoice = crmfRAVerified;
+	break;
+    case 1:
+        retChoice = crmfSignature;
+	break;
+    case 2:
+        retChoice = crmfKeyEncipherment;
+	break;
+    case 3:
+        retChoice = crmfKeyAgreement;
+	break;
+    default:
+        retChoice = crmfNoPOPChoice;
+	break;
+    }
+    return retChoice;
+}
+
+static SECStatus
+crmf_decode_process_raverified(CRMFCertReqMsg *inCertReqMsg)
+{   
+    CRMFProofOfPossession *pop;
+    /* Just set up the structure so that the message structure
+     * looks like one that was created using the API
+     */
+    pop = inCertReqMsg->pop;
+    pop->popChoice.raVerified.data = NULL;
+    pop->popChoice.raVerified.len  = 0;
+    return SECSuccess;
+}
+
+static SECStatus
+crmf_decode_process_signature(CRMFCertReqMsg *inCertReqMsg)
+{
+    return SEC_ASN1Decode(inCertReqMsg->poolp,
+			  &inCertReqMsg->pop->popChoice.signature,
+			  CRMFPOPOSigningKeyTemplate, 
+			  (const char*)inCertReqMsg->derPOP.data,
+			  inCertReqMsg->derPOP.len);
+}
+
+static CRMFPOPOPrivKeyChoice
+crmf_get_messagechoice_from_der(SECItem *derPOP)
+{
+    CRMFPOPOPrivKeyChoice retChoice;
+
+    switch (derPOP->data[2] & 0x0f) {
+    case 0:
+        retChoice = crmfThisMessage;
+	break;
+    case 1:
+        retChoice = crmfSubsequentMessage;
+	break;
+    case 2:
+        retChoice = crmfDHMAC;
+	break;
+    default:
+        retChoice = crmfNoMessage;
+    }
+    return retChoice;
+}
+
+static SECStatus
+crmf_decode_process_popoprivkey(CRMFCertReqMsg *inCertReqMsg)
+{
+    /* We've got a union, so a pointer to one POPOPrivKey
+     * struct is the same as having a pointer to the other 
+     * one.
+     */
+    CRMFPOPOPrivKey *popoPrivKey = 
+                    &inCertReqMsg->pop->popChoice.keyEncipherment;
+    SECItem         *derPOP, privKeyDer;
+    SECStatus        rv;
+
+    derPOP = &inCertReqMsg->derPOP;
+    popoPrivKey->messageChoice = crmf_get_messagechoice_from_der(derPOP);
+    if (popoPrivKey->messageChoice == crmfNoMessage) {
+        return SECFailure;
+    }
+    /* If we ever encounter BER encodings of this, we'll get in trouble*/
+    switch (popoPrivKey->messageChoice) {
+    case crmfThisMessage:
+    case crmfDHMAC:
+        privKeyDer.data = &derPOP->data[5];
+	privKeyDer.len  = derPOP->len - 5;
+	break;
+    case crmfSubsequentMessage:
+        privKeyDer.data = &derPOP->data[4];
+	privKeyDer.len  = derPOP->len - 4;
+	break;
+    default:
+        rv = SECFailure;
+    }
+
+    rv = SECITEM_CopyItem(inCertReqMsg->poolp, 
+			  &popoPrivKey->message.subsequentMessage,
+			  &privKeyDer);
+
+    if (rv != SECSuccess) {
+        return rv;
+    }
+
+    if (popoPrivKey->messageChoice == crmfThisMessage ||
+	popoPrivKey->messageChoice == crmfDHMAC) {
+
+        popoPrivKey->message.thisMessage.len = 
+	    CRMF_BYTES_TO_BITS(privKeyDer.len) - (int)derPOP->data[4];
+        
+    }
+    return SECSuccess;    
+}
+
+static SECStatus
+crmf_decode_process_keyagreement(CRMFCertReqMsg *inCertReqMsg)
+{
+    return crmf_decode_process_popoprivkey(inCertReqMsg);
+}
+
+static SECStatus
+crmf_decode_process_keyencipherment(CRMFCertReqMsg *inCertReqMsg)
+{
+    SECStatus rv;
+
+    rv = crmf_decode_process_popoprivkey(inCertReqMsg);
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    if (inCertReqMsg->pop->popChoice.keyEncipherment.messageChoice == 
+	crmfDHMAC) {
+        /* Key Encipherment can not use the dhMAC option for
+	 * POPOPrivKey. 
+	 */
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+crmf_decode_process_pop(CRMFCertReqMsg *inCertReqMsg)
+{
+     SECItem               *derPOP;
+     PRArenaPool           *poolp;
+     CRMFProofOfPossession *pop;
+     void                  *mark;
+     SECStatus              rv;
+
+     derPOP = &inCertReqMsg->derPOP;
+     poolp  = inCertReqMsg->poolp;
+     if (derPOP->data == NULL) {
+         /* There is no Proof of Possession field in this message. */
+         return SECSuccess;
+     }
+     mark = PORT_ArenaMark(poolp);
+     pop = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
+     if (pop == NULL) {
+         goto loser;
+     }
+     pop->popUsed = crmf_get_popchoice_from_der(derPOP);
+     if (pop->popUsed == crmfNoPOPChoice) {
+         /* A bad encoding of CRMF.  Not a valid tag was given to the
+	  * Proof Of Possession field.
+	  */
+         goto loser;
+     }
+     inCertReqMsg->pop = pop;
+     switch (pop->popUsed) {
+     case crmfRAVerified:
+         rv = crmf_decode_process_raverified(inCertReqMsg);
+	 break;
+     case crmfSignature:
+         rv = crmf_decode_process_signature(inCertReqMsg);
+	 break;
+     case crmfKeyEncipherment:
+         rv = crmf_decode_process_keyencipherment(inCertReqMsg);
+	 break;
+     case crmfKeyAgreement:
+         rv = crmf_decode_process_keyagreement(inCertReqMsg);
+	 break;
+     default:
+         rv = SECFailure;
+     }
+     if (rv != SECSuccess) {
+         goto loser;
+     }
+     PORT_ArenaUnmark(poolp, mark);
+     return SECSuccess;
+
+ loser:
+     PORT_ArenaRelease(poolp, mark);
+     inCertReqMsg->pop = NULL;
+     return SECFailure;
+     
+}
+
+static SECStatus
+crmf_decode_process_single_control(PRArenaPool *poolp, 
+				   CRMFControl *inControl)
+{
+    const SEC_ASN1Template *asn1Template = NULL;
+
+    inControl->tag = SECOID_FindOIDTag(&inControl->derTag);
+    asn1Template = crmf_get_pkiarchiveoptions_subtemplate(inControl);
+
+    PORT_Assert (asn1Template != NULL);
+    /* We've got a union, so passing a pointer to one element of the
+     * union is the same as passing a pointer to any of the other
+     * members of the union.
+     */
+    return SEC_ASN1Decode(poolp, &inControl->value.archiveOptions, 
+			  asn1Template, (const char*)inControl->derValue.data,
+			  inControl->derValue.len);
+}
+
+static SECStatus 
+crmf_decode_process_controls(CRMFCertReqMsg *inCertReqMsg)
+{
+    int           i, numControls;
+    SECStatus     rv;
+    PRArenaPool  *poolp;
+    CRMFControl **controls;
+    
+    numControls = CRMF_CertRequestGetNumControls(inCertReqMsg->certReq);
+    controls = inCertReqMsg->certReq->controls;
+    poolp    = inCertReqMsg->poolp;
+    for (i=0; i < numControls; i++) {
+        rv = crmf_decode_process_single_control(poolp, controls[i]);
+	if (rv != SECSuccess) {
+	    return SECFailure;
+	}
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+crmf_decode_process_single_reqmsg(CRMFCertReqMsg *inCertReqMsg)
+{
+    SECStatus rv;
+
+    rv = crmf_decode_process_pop(inCertReqMsg);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = crmf_decode_process_controls(inCertReqMsg);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    inCertReqMsg->certReq->certTemplate.numExtensions = 
+        CRMF_CertRequestGetNumberOfExtensions(inCertReqMsg->certReq);
+    inCertReqMsg->isDecoded = PR_TRUE;
+    rv = SECSuccess;
+ loser:
+    return rv;
+}
+
+CRMFCertReqMsg*
+CRMF_CreateCertReqMsgFromDER (const char * buf, long len)
+{
+    PRArenaPool    *poolp;
+    CRMFCertReqMsg *certReqMsg;
+    SECStatus       rv;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        goto loser;
+    }
+    certReqMsg = PORT_ArenaZNew (poolp, CRMFCertReqMsg);
+    if (certReqMsg == NULL) {
+        goto loser;
+    }
+    certReqMsg->poolp = poolp;
+    rv = SEC_ASN1Decode(poolp, certReqMsg, CRMFCertReqMsgTemplate, buf, len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = crmf_decode_process_single_reqmsg(certReqMsg);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    return certReqMsg;
+ loser:
+    if (poolp != NULL) {
+        PORT_FreeArena(poolp, PR_FALSE);
+    }
+    return NULL;
+}
+
+CRMFCertReqMessages*
+CRMF_CreateCertReqMessagesFromDER(const char *buf, long len)
+{
+    long                 arenaSize;
+    int                  i;
+    SECStatus            rv;
+    PRArenaPool         *poolp;
+    CRMFCertReqMessages *certReqMsgs;
+
+    PORT_Assert (buf != NULL);
+    /* Wanna make sure the arena is big enough to store all of the requests
+     * coming in.  We'll guestimate according to the length of the buffer.
+     */
+    arenaSize = len * 1.5;
+    poolp = PORT_NewArena(arenaSize);
+    if (poolp == NULL) {
+        return NULL;
+    }
+    certReqMsgs = PORT_ArenaZNew(poolp, CRMFCertReqMessages);
+    if (certReqMsgs == NULL) {
+        goto loser;
+    }
+    certReqMsgs->poolp = poolp;
+    rv = SEC_ASN1Decode(poolp, certReqMsgs, CRMFCertReqMessagesTemplate,
+			buf, len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    for (i=0; certReqMsgs->messages[i] != NULL; i++) {
+        /* The sub-routines expect the individual messages to have 
+	 * an arena.  We'll give them one temporarily.
+	 */
+        certReqMsgs->messages[i]->poolp = poolp;
+        rv = crmf_decode_process_single_reqmsg(certReqMsgs->messages[i]);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+        certReqMsgs->messages[i]->poolp = NULL;
+    }
+    return certReqMsgs;
+
+ loser:
+    PORT_FreeArena(poolp, PR_FALSE);
+    return NULL;
+}
diff --git a/security/nss/lib/crmf/crmfenc.c b/security/nss/lib/crmf/crmfenc.c
new file mode 100644
index 000000000..f96041c96
--- /dev/null
+++ b/security/nss/lib/crmf/crmfenc.c
@@ -0,0 +1,84 @@
+/* -*- Mode: C; tab-width: 8 -*- */
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+
+#include "crmf.h"
+#include "crmfi.h"
+
+SECStatus 
+CRMF_EncodeCertReqMsg(CRMFCertReqMsg            *inCertReqMsg,
+		      CRMFEncoderOutputCallback  fn,
+		      void                      *arg)
+{
+    struct crmfEncoderOutput output;
+
+    output.fn        = fn;
+    output.outputArg = arg;
+    return SEC_ASN1Encode(inCertReqMsg,CRMFCertReqMsgTemplate, 
+			  crmf_encoder_out, &output);
+    
+}
+
+
+SECStatus
+CRMF_EncodeCertRequest(CRMFCertRequest           *inCertReq,
+		       CRMFEncoderOutputCallback  fn,
+		       void                      *arg)
+{
+    struct crmfEncoderOutput output;
+
+    output.fn        = fn;
+    output.outputArg = arg;
+    return SEC_ASN1Encode(inCertReq, CRMFCertRequestTemplate, 
+			  crmf_encoder_out, &output);
+}
+
+SECStatus
+CRMF_EncodeCertReqMessages(CRMFCertReqMsg              **inCertReqMsgs,
+			   CRMFEncoderOutputCallback     fn,
+			   void                         *arg)
+{
+    struct crmfEncoderOutput output;
+    CRMFCertReqMessages msgs;
+    
+    output.fn        = fn;
+    output.outputArg = arg;
+    msgs.messages = inCertReqMsgs;
+    return SEC_ASN1Encode(&msgs, CRMFCertReqMessagesTemplate,
+			  crmf_encoder_out, &output);
+}
+
+
+
+
diff --git a/security/nss/lib/crmf/crmffut.h b/security/nss/lib/crmf/crmffut.h
new file mode 100644
index 000000000..e4244f3e6
--- /dev/null
+++ b/security/nss/lib/crmf/crmffut.h
@@ -0,0 +1,390 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * These functions to be implemented in the future if the features
+ * which these functions would implement wind up being needed.
+ */
+
+/*
+ * Use this functionto create the CRMFSinglePubInfo* variables that will 
+ * populate the inPubInfoArray paramter for the funciton
+ * CRMF_CreatePKIPublicationInfo.
+ *
+ * "inPubMethod" specifies which publication method will be used
+ * "pubLocation" is a representation of the location where 
+ */
+extern CRMFSinglePubInfo* 
+      CRMF_CreateSinglePubInfo(CRMFPublicationMethod  inPubMethod,
+			       CRMFGeneralName       *pubLocation);
+
+/*
+ * Create a PKIPublicationInfo that can later be passed to the function
+ * CRMFAddPubInfoControl.
+ */
+extern CRMFPKIPublicationInfo *
+     CRMF_CreatePKIPublicationInfo(CRMFPublicationAction  inAction,
+				   CRMFSinglePubInfo    **inPubInfoArray,
+				   int                    numPubInfo);
+
+/*
+ * Only call this function on a CRMFPublicationInfo that was created by
+ * CRMF_CreatePKIPublicationInfo that was passed in NULL for arena.
+ */
+
+extern SECStatus 
+       CRMF_DestroyPKIPublicationInfo(CRMFPKIPublicationInfo *inPubInfo);
+
+extern SECStatus CRMF_AddPubInfoControl(CRMFCertRequest        *inCertReq,
+					CRMFPKIPublicationInfo *inPubInfo);
+
+/*
+ * This is to create a Cert ID Control which can later be added to 
+ * a certificate request.
+ */
+extern CRMFCertID* CRMF_CreateCertID(CRMFGeneralName *issuer,
+				     long             serialNumber);
+
+extern SECStatus CRMF_DestroyCertID(CRMFCertID* certID);
+
+extern SECStatus CRMF_AddCertIDControl(CRMFCertRequest *inCertReq,
+				       CRMFCertID      *certID);
+
+extern SECStatus 
+       CRMF_AddProtocolEncryptioKeyControl(CRMFCertRequest          *inCertReq,
+					   CERTSubjectPublicKeyInfo *spki);
+
+/*
+ * Add the ASCII Pairs Registration Info to the Certificate Request.
+ * The SECItem must be an OCTET string representation.
+ */
+extern SECStatus
+       CRMF_AddUTF8PairsRegInfo(CRMFCertRequest *inCertReq,
+				 SECItem         *asciiPairs);
+
+/*
+ * This takes a CertRequest and adds it to another CertRequest.  
+ */
+extern SECStatus
+       CRMF_AddCertReqToRegInfo(CRMFCertRequest *certReqToAddTo,
+				CRMFCertRequest *certReqBeingAdded);
+
+/*
+ * Returns which option was used for the authInfo field of POPOSigningKeyInput
+ */
+extern CRMFPOPOSkiInputAuthChoice 
+       CRMF_GetSignKeyInputAuthChoice(CRMFPOPOSigningKeyInput *inKeyInput);
+
+/*
+ * Gets the PKMACValue associated with the POPOSigningKeyInput.
+ * If the POPOSigningKeyInput did not use authInfo.publicKeyMAC 
+ * the function returns SECFailure and the value at *destValue is unchanged.
+ *
+ * If the POPOSigningKeyInput did use authInfo.publicKeyMAC, the function
+ * returns SECSuccess and places the PKMACValue at *destValue.
+ */
+extern SECStatus 
+       CRMF_GetSignKeyInputPKMACValue(CRMFPOPOSigningKeyInput *inKeyInput,
+				      CRMFPKMACValue          **destValue);
+/*
+ * Gets the SubjectPublicKeyInfo from the POPOSigningKeyInput
+ */
+extern CERTSubjectPublicKeyInfo *
+       CRMF_GetSignKeyInputPublicKey(CRMFPOPOSigningKeyInput *inKeyInput);
+
+
+/*
+ * Return the value for the PKIPublicationInfo Control.
+ * A return value of NULL indicates that the Control was 
+ * not a PKIPublicationInfo Control.  Call 
+ * CRMF_DestroyPKIPublicationInfo on the return value when done
+ * using the pointer.
+ */
+extern CRMFPKIPublicationInfo* CRMF_GetPKIPubInfo(CRMFControl *inControl);
+
+/*
+ * Free up a CRMFPKIPublicationInfo structure.
+ */
+extern SECStatus 
+       CRMF_DestroyPKIPublicationInfo(CRMFPKIPublicationInfo *inPubInfo);
+
+/*
+ * Get the choice used for action in this PKIPublicationInfo.
+ */
+extern CRMFPublicationAction 
+       CRMF_GetPublicationAction(CRMFPKIPublicationInfo *inPubInfo);
+
+/*
+ * Get the number of pubInfos are stored in the PKIPubicationInfo.
+ */
+extern int CRMF_GetNumPubInfos(CRMFPKIPublicationInfo *inPubInfo);
+
+/*
+ * Get the pubInfo at index for the given PKIPubicationInfo.
+ * Indexing is done like a traditional C Array. (0 .. numElements-1)
+ */
+extern CRMFSinglePubInfo* 
+       CRMF_GetPubInfoAtIndex(CRMFPKIPublicationInfo *inPubInfo,
+			      int                     index);
+
+/*
+ * Destroy the CRMFSinglePubInfo.
+ */
+extern SECStatus CRMF_DestroySinglePubInfo(CRMFSinglePubInfo *inPubInfo);
+
+/*
+ * Get the pubMethod used by the SinglePubInfo.
+ */
+extern CRMFPublicationMethod 
+       CRMF_GetPublicationMethod(CRMFSinglePubInfo *inPubInfo);
+
+/*
+ * Get the pubLocation associated with the SinglePubInfo.
+ * A NULL return value indicates there was no pubLocation associated
+ * with the SinglePuInfo.
+ */
+extern CRMFGeneralName* CRMF_GetPubLocation(CRMFSinglePubInfo *inPubInfo);
+
+/*
+ * Get the authInfo.sender field out of the POPOSigningKeyInput.
+ * If the POPOSigningKeyInput did not use the authInfo the function
+ * returns SECFailure and the value at *destName is unchanged.
+ *
+ * If the POPOSigningKeyInput did use authInfo.sender, the function returns
+ * SECSuccess and puts the authInfo.sender at *destName/
+ */
+extern SECStatus CRMF_GetSignKeyInputSender(CRMFPOPOSigningKeyInput *keyInput,
+					    CRMFGeneralName        **destName);
+
+/**************** CMMF Functions that need to be added. **********************/
+
+/*
+ * FUNCTION: CMMF_POPODecKeyChallContentSetNextChallenge
+ * INPUTS:
+ *    inDecKeyChall
+ *        The CMMFPOPODecKeyChallContent to operate on.
+ *    inRandom
+ *        The random number to use when generating the challenge,
+ *    inSender
+ *        The GeneralName representation of the sender of the challenge.
+ *    inPubKey
+ *        The public key to use when encrypting the challenge.
+ * NOTES:
+ *    This function adds a challenge to the end of the list of challenges
+ *    contained by 'inDecKeyChall'.  Refer to the CMMF draft on how the
+ *    the random number passed in and the sender's GeneralName are used
+ *    to generate the challenge and witness fields of the challenge.  This
+ *    library will use SHA1 as the one-way function for generating the 
+ *    witess field of the challenge.
+ *
+ * RETURN:
+ *    SECSuccess if generating the challenge and adding to the end of list
+ *    of challenges was successful.  Any other return value indicates an error
+ *    while trying to generate the challenge.
+ */
+extern SECStatus
+CMMF_POPODecKeyChallContentSetNextChallenge
+                                   (CMMFPOPODecKeyChallContent *inDecKeyChall,
+				    long                        inRandom,
+				    CERTGeneralName            *inSender,
+				    SECKEYPublicKey            *inPubKey);
+
+/*
+ * FUNCTION: CMMF_POPODecKeyChallContentGetNumChallenges
+ * INPUTS:
+ *    inKeyChallCont
+ *        The CMMFPOPODecKeyChallContent to operate on.
+ * RETURN:
+ *    This function returns the number of CMMFChallenges are contained in 
+ *    the CMMFPOPODecKeyChallContent structure.
+ */
+extern int CMMF_POPODecKeyChallContentGetNumChallenges
+                                  (CMMFPOPODecKeyChallContent *inKeyChallCont);
+
+/*
+ * FUNCTION: CMMF_ChallengeGetRandomNumber
+ * INPUTS:
+ *    inChallenge
+ *        The CMMFChallenge to operate on.
+ *    inDest
+ *        A pointer to a user supplied buffer where the library
+ *        can place a copy of the random integer contatained in the
+ *        challenge.
+ * NOTES:
+ *    This function returns the value held in the decrypted Rand structure
+ *    corresponding to the random integer.  The user must call 
+ *    CMMF_ChallengeDecryptWitness before calling this function.  Call 
+ *    CMMF_ChallengeIsDecrypted to find out if the challenge has been 
+ *    decrypted.
+ *
+ * RETURN:
+ *    SECSuccess indicates the witness field has been previously decrypted
+ *    and the value for the random integer was successfully placed at *inDest.
+ *    Any other return value indicates an error and that the value at *inDest
+ *    is not a valid value.
+ */
+extern SECStatus CMMF_ChallengeGetRandomNumber(CMMFChallenge *inChallenge,
+					       long          *inDest);
+
+/*
+ * FUNCTION: CMMF_ChallengeGetSender
+ * INPUTS:
+ *    inChallenge
+ *        the CMMFChallenge to operate on.
+ * NOTES:
+ *    This function returns the value held in the decrypted Rand structure
+ *    corresponding to the sender.  The user must call 
+ *    CMMF_ChallengeDecryptWitness before calling this function.  Call 
+ *    CMMF_ChallengeIsDecrypted to find out if the witness field has been
+ *    decrypted.  The user must call CERT_DestroyGeneralName after the return
+ *    value is no longer needed.
+ *
+ * RETURN:
+ *    A pointer to a copy of the sender CERTGeneralName.  A return value of
+ *    NULL indicates an error in trying to copy the information or that the
+ *    witness field has not been decrypted.
+ */
+extern CERTGeneralName* CMMF_ChallengeGetSender(CMMFChallenge *inChallenge);
+
+/*
+ * FUNCTION: CMMF_ChallengeGetAlgId
+ * INPUTS:
+ *    inChallenge
+ *        The CMMFChallenge to operate on.
+ *    inDestAlgId
+ *        A pointer to memory where a pointer to a copy of the algorithm
+ *        id can be placed.
+ * NOTES:
+ *    This function retrieves the one way function algorithm identifier 
+ *    contained within the CMMFChallenge if the optional field is present.
+ *
+ * RETURN:
+ *    SECSucces indicates the function was able to place a pointer to a copy of
+ *    the alogrithm id at *inAlgId.  If the value at *inDestAlgId is NULL, 
+ *    that means there was no algorithm identifier present in the 
+ *    CMMFChallenge.  Any other return value indicates the function was not 
+ *    able to make a copy of the algorithm identifier.  In this case the value 
+ *    at *inDestAlgId is not valid.
+ */
+extern SECStatus CMMF_ChallengeGetAlgId(CMMFChallenge  *inChallenge,
+					SECAlgorithmID *inAlgId);
+
+/*
+ * FUNCTION: CMMF_DestroyChallenge
+ * INPUTS:
+ *    inChallenge
+ *        The CMMFChallenge to free up.
+ * NOTES:
+ *    This function frees up all the memory associated with the CMMFChallenge 
+ *    passed in.
+ * RETURN:
+ *    SECSuccess if freeing all the memory associated with the CMMFChallenge
+ *    passed in is successful.  Any other return value indicates an error 
+ *    while freeing the memory.
+ */
+extern SECStatus CMMF_DestroyChallenge (CMMFChallenge *inChallenge);
+
+/*
+ * FUNCTION: CMMF_DestroyPOPODecKeyRespContent
+ * INPUTS:
+ *    inDecKeyResp
+ *        The CMMFPOPODecKeyRespContent structure to free.
+ * NOTES:
+ *    This function frees up all the memory associate with the 
+ *    CMMFPOPODecKeyRespContent.
+ *
+ * RETURN:
+ *    SECSuccess if freeint up all the memory associated with the
+ *    CMMFPOPODecKeyRespContent structure is successful.  Any other
+ *    return value indicates an error while freeing the memory.
+ */
+extern SECStatus
+     CMMF_DestroyPOPODecKeyRespContent(CMMFPOPODecKeyRespContent *inDecKeyResp);
+
+/*
+ * FUNCTION: CMMF_ChallengeDecryptWitness
+ * INPUTS:
+ *    inChallenge
+ *        The CMMFChallenge to operate on.
+ *    inPrivKey
+ *        The private key to use to decrypt the witness field.
+ * NOTES:
+ *    This function uses the private key to decrypt the challenge field
+ *    contained in the CMMFChallenge.  Make sure the private key matches the
+ *    public key that was used to encrypt the witness.  The creator of 
+ *    the challenge will most likely be an RA that has the public key
+ *    from a Cert request.  So the private key should be the private key
+ *    associated with public key in that request.  This function will also
+ *    verify the witness field of the challenge.
+ *
+ * RETURN:
+ *    SECSuccess if decrypting the witness field was successful.  This does
+ *    not indicate that the decrypted data is valid, since the private key 
+ *    passed in may not be the actual key needed to properly decrypt the 
+ *    witness field.  Meaning that there is a decrypted structure now, but
+ *    may be garbage because the private key was incorrect.
+ *    Any other return value indicates the function could not complete the
+ *    decryption process.
+ */
+extern SECStatus CMMF_ChallengeDecryptWitness(CMMFChallenge    *inChallenge,
+					      SECKEYPrivateKey *inPrivKey);
+
+/*
+ * FUNCTION: CMMF_ChallengeIsDecrypted
+ * INPUTS:
+ *    inChallenge
+ *        The CMMFChallenge to operate on.
+ * RETURN:
+ *    This is a predicate function that returns PR_TRUE if the decryption 
+ *    process has already been performed.  The function return PR_FALSE if 
+ *    the decryption process has not been performed yet.
+ */
+extern PRBool CMMF_ChallengeIsDecrypted(CMMFChallenge *inChallenge);
+
+/*
+ * FUNCTION: CMMF_DestroyPOPODecKeyChallContent
+ * INPUTS:
+ *    inDecKeyCont
+ *        The CMMFPOPODecKeyChallContent to free
+ * NOTES:
+ *    This function frees up all the memory associated with the 
+ *    CMMFPOPODecKeyChallContent 
+ * RETURN:
+ *    SECSuccess if freeing up all the memory associatd with the 
+ *    CMMFPOPODecKeyChallContent is successful.  Any other return value
+ *    indicates an error while freeing the memory.
+ *
+ */
+extern SECStatus 
+ CMMF_DestroyPOPODecKeyChallContent (CMMFPOPODecKeyChallContent *inDecKeyCont);
+
diff --git a/security/nss/lib/crmf/crmfget.c b/security/nss/lib/crmf/crmfget.c
new file mode 100644
index 000000000..11f27a72d
--- /dev/null
+++ b/security/nss/lib/crmf/crmfget.c
@@ -0,0 +1,478 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "crmf.h"
+#include "crmfi.h"
+#include "keyhi.h"
+#include "secder.h"
+
+
+CRMFPOPChoice
+CRMF_CertReqMsgGetPOPType(CRMFCertReqMsg *inCertReqMsg)
+{
+    PORT_Assert(inCertReqMsg != NULL);
+    if (inCertReqMsg != NULL && inCertReqMsg->pop != NULL) {
+        return inCertReqMsg->pop->popUsed;
+    }
+    return crmfNoPOPChoice;
+}
+
+static SECStatus
+crmf_destroy_validity(CRMFOptionalValidity *inValidity, PRBool freeit)
+{
+    if (inValidity != NULL){
+        if (inValidity->notBefore.data != NULL) {
+	    PORT_Free(inValidity->notBefore.data);
+	}
+	if (inValidity->notAfter.data != NULL) {
+	    PORT_Free(inValidity->notAfter.data);
+	}
+	if (freeit) {
+	    PORT_Free(inValidity);
+	}
+    }
+    return SECSuccess;
+}
+
+static SECStatus 
+crmf_copy_cert_request_validity(PRArenaPool           *poolp,
+				CRMFOptionalValidity **destValidity,
+				CRMFOptionalValidity  *srcValidity)
+{
+    CRMFOptionalValidity *myValidity = NULL;
+    SECStatus             rv;
+
+    *destValidity = myValidity = (poolp == NULL) ?
+                                  PORT_ZNew(CRMFOptionalValidity) :
+                                  PORT_ArenaZNew(poolp, CRMFOptionalValidity);
+    if (myValidity == NULL) {
+        goto loser;
+    }
+    if (srcValidity->notBefore.data != NULL) {
+        rv = SECITEM_CopyItem(poolp, &myValidity->notBefore, 
+			      &srcValidity->notBefore);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcValidity->notAfter.data != NULL) {
+        rv = SECITEM_CopyItem(poolp, &myValidity->notAfter, 
+			      &srcValidity->notAfter);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    return SECSuccess;
+ loser:
+    if (myValidity != NULL && poolp == NULL) {
+        crmf_destroy_validity(myValidity, PR_TRUE);
+    }
+    return SECFailure;
+}
+
+static SECStatus
+crmf_copy_extensions(PRArenaPool        *poolp, 
+		     CRMFCertTemplate   *destTemplate,
+		     CRMFCertExtension **srcExt)
+{
+    int       numExt = 0, i;
+    CRMFCertExtension **myExtArray = NULL;
+
+    while (srcExt[numExt] != NULL) {
+        numExt++;
+    }
+    if (numExt == 0) {
+        /*No extensions to copy.*/
+        destTemplate->extensions = NULL;
+	destTemplate->numExtensions = 0;
+        return SECSuccess;
+    }
+    destTemplate->extensions = myExtArray = 
+                           PORT_NewArray(CRMFCertExtension*, numExt+1);
+    if (myExtArray == NULL) {
+        goto loser;
+    }
+     
+    for (i=0; i<numExt; i++) {
+        myExtArray[i] = crmf_copy_cert_extension(poolp, srcExt[i]);
+	if (myExtArray[i] == NULL) {
+	    goto loser;
+	}
+    }
+    destTemplate->numExtensions = numExt;
+    myExtArray[numExt] = NULL;
+    return SECSuccess;
+ loser:
+    if (myExtArray != NULL) {
+        if (poolp == NULL) {
+	    for (i=0; myExtArray[i] != NULL; i++) {
+	        CRMF_DestroyCertExtension(myExtArray[i]);
+	    }
+	}
+	PORT_Free(myExtArray);
+    }
+    destTemplate->extensions = NULL;
+    destTemplate->numExtensions = 0;
+    return SECFailure;
+}
+
+static SECStatus
+crmf_copy_cert_request_template(PRArenaPool      *poolp, 
+				CRMFCertTemplate *destTemplate,
+				CRMFCertTemplate *srcTemplate)
+{
+    SECStatus rv;
+
+    if (srcTemplate->version.data != NULL) {
+        rv = SECITEM_CopyItem(poolp, &destTemplate->version, 
+			      &srcTemplate->version);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcTemplate->serialNumber.data != NULL) {
+        rv = SECITEM_CopyItem(poolp, &destTemplate->serialNumber,
+			      &srcTemplate->serialNumber);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcTemplate->signingAlg != NULL) {
+        rv = crmf_template_copy_secalg(poolp, &destTemplate->signingAlg,
+				       srcTemplate->signingAlg);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcTemplate->issuer != NULL) {
+        rv = crmf_copy_cert_name(poolp, &destTemplate->issuer,
+				 srcTemplate->issuer);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcTemplate->validity != NULL) {
+        rv = crmf_copy_cert_request_validity(poolp, &destTemplate->validity,
+					     srcTemplate->validity);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcTemplate->subject != NULL) {
+        rv = crmf_copy_cert_name(poolp, &destTemplate->subject, 
+				 srcTemplate->subject);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcTemplate->publicKey != NULL) {
+        rv = crmf_template_add_public_key(poolp, &destTemplate->publicKey,
+					  srcTemplate->publicKey);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcTemplate->issuerUID.data != NULL) {
+        rv = crmf_make_bitstring_copy(poolp, &destTemplate->issuerUID,
+				      &srcTemplate->issuerUID);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcTemplate->subjectUID.data != NULL) {
+        rv = crmf_make_bitstring_copy(poolp, &destTemplate->subjectUID,
+				      &srcTemplate->subjectUID);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (srcTemplate->extensions != NULL) {
+        rv = crmf_copy_extensions(poolp, destTemplate,
+				  srcTemplate->extensions);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    return SECSuccess;
+ loser:
+    return SECFailure;
+}
+
+static CRMFControl*
+crmf_copy_control(PRArenaPool *poolp, CRMFControl *srcControl)
+{
+    CRMFControl *newControl;
+    SECStatus    rv;
+
+    newControl = (poolp == NULL) ? PORT_ZNew(CRMFControl) :
+                                   PORT_ArenaZNew(poolp, CRMFControl);
+    if (newControl == NULL) {
+        goto loser;
+    }
+    newControl->tag = srcControl->tag;
+    rv = SECITEM_CopyItem(poolp, &newControl->derTag, &srcControl->derTag);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    rv = SECITEM_CopyItem(poolp, &newControl->derValue, &srcControl->derValue);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    /* We only handle PKIArchiveOptions Control right now.  But if in
+     * the future, more controls that are part of the union are added,
+     * then they need to be handled here as well.
+     */
+    switch (newControl->tag) {
+    case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
+        rv = crmf_copy_pkiarchiveoptions(poolp, 
+					 &newControl->value.archiveOptions,
+					 &srcControl->value.archiveOptions);
+      break;
+    default:
+        rv = SECSuccess;
+    }
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return newControl;
+
+ loser:
+    if (poolp == NULL && newControl != NULL) {
+        CRMF_DestroyControl(newControl);
+    }
+    return NULL;
+}
+
+static SECStatus
+crmf_copy_cert_request_controls(PRArenaPool     *poolp, 
+				CRMFCertRequest *destReq, 
+				CRMFCertRequest *srcReq)
+{
+    int           numControls, i;
+    CRMFControl **myControls = NULL;
+
+    numControls = CRMF_CertRequestGetNumControls(srcReq);
+    if (numControls == 0) {
+        /* No Controls To Copy*/
+        return SECSuccess;
+    }
+    myControls = destReq->controls = PORT_NewArray(CRMFControl*, 
+						   numControls+1);
+    if (myControls == NULL) {
+        goto loser;
+    }
+    for (i=0; i<numControls; i++) {
+        myControls[i] = crmf_copy_control(poolp, srcReq->controls[i]);
+	if (myControls[i] == NULL) {
+	    goto loser;
+	}
+    }
+    myControls[numControls] = NULL;
+    return SECSuccess;
+ loser:
+    if (myControls != NULL) {
+        if (poolp == NULL) {
+	    for (i=0; myControls[i] != NULL; i++) {
+	        CRMF_DestroyControl(myControls[i]);
+	    }
+	}
+	PORT_Free(myControls);
+    }
+    return SECFailure;
+}
+
+
+CRMFCertRequest*
+crmf_copy_cert_request(PRArenaPool *poolp, CRMFCertRequest *srcReq)
+{
+    CRMFCertRequest *newReq = NULL;
+    SECStatus        rv;
+
+    if (srcReq == NULL) {
+        return NULL;
+    }
+    newReq = (poolp == NULL) ? PORT_ZNew(CRMFCertRequest) :
+                               PORT_ArenaZNew(poolp, CRMFCertRequest);
+    if (newReq == NULL) {
+        goto loser;
+    }
+    rv = SECITEM_CopyItem(poolp, &newReq->certReqId, &srcReq->certReqId);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    rv = crmf_copy_cert_request_template(poolp, &newReq->certTemplate, 
+					 &srcReq->certTemplate);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    rv = crmf_copy_cert_request_controls(poolp, newReq, srcReq);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return newReq;
+ loser:
+    if (newReq != NULL && poolp == NULL) {
+        CRMF_DestroyCertRequest(newReq);
+    }
+    return NULL;
+}
+
+SECStatus 
+CRMF_DestroyGetValidity(CRMFGetValidity *inValidity)
+{
+    PORT_Assert(inValidity != NULL);
+    if (inValidity != NULL) {
+        if (inValidity->notAfter) {
+	    PORT_Free(inValidity->notAfter);
+	    inValidity->notAfter = NULL;
+	}
+	if (inValidity->notBefore) {
+	    PORT_Free(inValidity->notBefore);
+	    inValidity->notBefore = NULL;
+	}
+    }
+    return SECSuccess;
+}
+
+SECStatus
+crmf_make_bitstring_copy(PRArenaPool *arena, SECItem *dest, SECItem *src)
+{
+    int origLenBits;
+    int bytesToCopy;
+    SECStatus rv;
+
+    origLenBits = src->len;
+    bytesToCopy = CRMF_BITS_TO_BYTES(origLenBits);
+    src->len = bytesToCopy;         
+    rv = SECITEM_CopyItem(arena, dest, src);
+    src->len = origLenBits;
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    dest->len = origLenBits;
+    return SECSuccess;
+}
+
+int
+CRMF_CertRequestGetNumberOfExtensions(CRMFCertRequest *inCertReq)
+{
+    CRMFCertTemplate *certTemplate;
+    int count = 0;
+    
+    certTemplate = &inCertReq->certTemplate;
+    if (certTemplate->extensions) {
+        while (certTemplate->extensions[count] != NULL)
+	    count++;
+    }
+    return count;
+}
+
+SECOidTag
+CRMF_CertExtensionGetOidTag(CRMFCertExtension *inExtension)
+{
+    PORT_Assert(inExtension != NULL);
+    if (inExtension == NULL) {
+        return SEC_OID_UNKNOWN;
+    }
+    return SECOID_FindOIDTag(&inExtension->id);
+}
+
+PRBool
+CRMF_CertExtensionGetIsCritical(CRMFCertExtension *inExt)
+{
+    PORT_Assert(inExt != NULL);
+    if (inExt == NULL) {
+        return PR_FALSE;
+    }
+    return inExt->critical.data != NULL;
+}
+
+SECItem*
+CRMF_CertExtensionGetValue(CRMFCertExtension *inExtension)
+{
+    PORT_Assert(inExtension != NULL);
+    if (inExtension == NULL) {
+        return NULL;
+    }
+    
+    return SECITEM_DupItem(&inExtension->value);
+}
+			  
+
+SECStatus
+CRMF_DestroyPOPOSigningKey(CRMFPOPOSigningKey *inKey)
+{
+    PORT_Assert(inKey != NULL);
+    if (inKey != NULL) {
+        if (inKey->derInput.data != NULL) {
+	    SECITEM_FreeItem(&inKey->derInput, PR_FALSE);
+	}
+	if (inKey->algorithmIdentifier != NULL) {
+	    SECOID_DestroyAlgorithmID(inKey->algorithmIdentifier, PR_TRUE);
+	}
+	if (inKey->signature.data != NULL) {
+	    SECITEM_FreeItem(&inKey->signature, PR_FALSE);
+	}
+	PORT_Free(inKey);
+    }
+    return SECSuccess;
+}
+
+SECStatus
+CRMF_DestroyPOPOPrivKey(CRMFPOPOPrivKey *inPrivKey)
+{
+    PORT_Assert(inPrivKey != NULL);
+    if (inPrivKey != NULL) {
+        SECITEM_FreeItem(&inPrivKey->message.thisMessage, PR_FALSE);
+	PORT_Free(inPrivKey);
+    }
+    return SECSuccess;
+}
+
+int
+CRMF_CertRequestGetNumControls(CRMFCertRequest *inCertReq)
+{
+    int              count = 0;
+
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq == NULL) {
+        return 0;
+    }
+    if (inCertReq->controls) {
+        while (inCertReq->controls[count] != NULL)
+	    count++;
+    }
+    return count;
+}
+
diff --git a/security/nss/lib/crmf/crmfi.h b/security/nss/lib/crmf/crmfi.h
new file mode 100644
index 000000000..2a950452d
--- /dev/null
+++ b/security/nss/lib/crmf/crmfi.h
@@ -0,0 +1,186 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+
+#ifndef _CRMFI_H_
+#define _CRMFI_H_
+/* This file will contain all declarations common to both 
+ * encoding and decoding of CRMF Cert Requests.  This header 
+ * file should only be included internally by CRMF implementation
+ * files.
+ */
+#include "secasn1.h"
+#include "crmfit.h"
+
+#define CRMF_DEFAULT_ARENA_SIZE   1024
+#define MAX_WRAPPED_KEY_LEN       2048
+
+
+#define CRMF_BITS_TO_BYTES(bits) (((bits)+7)/8)
+#define CRMF_BYTES_TO_BITS(bytes) ((bytes)*8)
+
+struct crmfEncoderArg {
+    SECItem *buffer;
+    long     allocatedLen;
+};
+
+struct crmfEncoderOutput {
+    CRMFEncoderOutputCallback fn;
+    void *outputArg;
+};
+
+/*
+ * This funciton is used by the API for encoding functions that are 
+ * exposed through the API, ie all of the CMMF_Encode* and CRMF_Encode*
+ * functions.
+ */
+extern void
+       crmf_encoder_out(void *arg, const char *buf, unsigned long len,
+                        int depth, SEC_ASN1EncodingPart data_kind);
+
+/*
+ * This function is used when we want to encode something locally within
+ * the library, ie the CertRequest so that we can produce its signature.
+ */
+extern SECStatus 
+       crmf_init_encoder_callback_arg (struct crmfEncoderArg *encoderArg,
+				       SECItem               *derDest);
+
+/*
+ * This is the callback function we feed to the ASN1 encoder when doing
+ * internal DER-encodings.  ie, encoding the cert request so we can 
+ * produce a signature.
+ */
+extern void
+crmf_generic_encoder_callback(void *arg, const char* buf, unsigned long len,
+			      int depth, SEC_ASN1EncodingPart data_kind);
+
+/* The ASN1 templates that need to be seen by internal files
+ * in order to implement CRMF.
+ */
+extern const SEC_ASN1Template CRMFCertReqMsgTemplate[];
+extern const SEC_ASN1Template CRMFRAVerifiedTemplate[];
+extern const SEC_ASN1Template CRMFPOPOSigningKeyTemplate[];
+extern const SEC_ASN1Template CRMFPOPOKeyEnciphermentTemplate[];
+extern const SEC_ASN1Template CRMFPOPOKeyAgreementTemplate[];
+extern const SEC_ASN1Template CRMFThisMessageTemplate[];
+extern const SEC_ASN1Template CRMFSubsequentMessageTemplate[];
+extern const SEC_ASN1Template CRMFDHMACTemplate[];
+extern const SEC_ASN1Template CRMFEncryptedKeyWithEncryptedValueTemplate[];
+extern const SEC_ASN1Template CRMFEncryptedValueTemplate[];
+
+/*
+ * Use these two values for encoding Boolean values.
+ */
+extern const unsigned char hexTrue;
+extern const unsigned char hexFalse;
+/*
+ * Prototypes for helper routines used internally by multiple files.
+ */
+extern SECStatus crmf_encode_integer(PRArenaPool *poolp, SECItem *dest, 
+				     long value);
+extern SECStatus crmf_make_bitstring_copy(PRArenaPool *arena, SECItem *dest, 
+					  SECItem *src);
+
+extern SECStatus crmf_copy_pkiarchiveoptions(PRArenaPool           *poolp, 
+					     CRMFPKIArchiveOptions *destOpt,
+					     CRMFPKIArchiveOptions *srcOpt);
+extern SECStatus  
+       crmf_destroy_pkiarchiveoptions(CRMFPKIArchiveOptions *inArchOptions,
+				      PRBool                 freeit);
+extern const SEC_ASN1Template*
+       crmf_get_pkiarchiveoptions_subtemplate(CRMFControl *inControl);
+
+extern SECStatus crmf_copy_encryptedkey(PRArenaPool       *poolp,
+					CRMFEncryptedKey  *srcEncrKey,
+					CRMFEncryptedKey  *destEncrKey);
+extern SECStatus
+crmf_copy_encryptedvalue(PRArenaPool        *poolp,
+			 CRMFEncryptedValue *srcValue,
+			 CRMFEncryptedValue *destValue);
+
+extern SECStatus
+crmf_copy_encryptedvalue_secalg(PRArenaPool     *poolp,
+				SECAlgorithmID  *srcAlgId,
+				SECAlgorithmID **destAlgId);
+
+extern SECStatus crmf_template_copy_secalg(PRArenaPool *poolp, 
+					   SECAlgorithmID **dest,
+					   SECAlgorithmID *src);
+
+extern SECStatus crmf_copy_cert_name(PRArenaPool *poolp, CERTName **dest, 
+				     CERTName *src);
+
+extern SECStatus crmf_template_add_public_key(PRArenaPool               *poolp,
+					      CERTSubjectPublicKeyInfo **dest,
+					      CERTSubjectPublicKeyInfo  *pubKey);
+
+extern CRMFCertExtension* crmf_create_cert_extension(PRArenaPool *poolp, 
+						     SECOidTag    tag, 
+						     PRBool       isCritical,
+						     SECItem     *data);
+extern CRMFCertRequest*
+crmf_copy_cert_request(PRArenaPool *poolp, CRMFCertRequest *srcReq);
+
+extern SECStatus crmf_destroy_encrypted_value(CRMFEncryptedValue *inEncrValue, 
+					      PRBool freeit);
+
+extern CRMFEncryptedValue *
+crmf_create_encrypted_value_wrapped_privkey(SECKEYPrivateKey   *inPrivKey,
+					    SECKEYPublicKey    *inPubKey,
+					    CRMFEncryptedValue *destValue);
+
+extern CK_MECHANISM_TYPE 
+       crmf_get_mechanism_from_public_key(SECKEYPublicKey *inPubKey);
+
+extern SECStatus
+crmf_encrypted_value_unwrap_priv_key(PRArenaPool        *poolp,
+				     CRMFEncryptedValue *encValue,
+				     SECKEYPrivateKey   *privKey,
+				     SECKEYPublicKey    *newPubKey,
+				     SECItem            *nickname,
+				     PK11SlotInfo       *slot,
+				     unsigned char       keyUsage,
+				     SECKEYPrivateKey  **unWrappedKey,
+				     void               *wincx);
+
+extern SECItem*
+crmf_get_public_value(SECKEYPublicKey *pubKey, SECItem *dest);
+
+extern CRMFCertExtension*
+crmf_copy_cert_extension(PRArenaPool *poolp, CRMFCertExtension *inExtension);
+
+extern SECStatus
+crmf_create_prtime(SECItem *src, PRTime **dest);
+#endif /*_CRMFI_H_*/
diff --git a/security/nss/lib/crmf/crmfit.h b/security/nss/lib/crmf/crmfit.h
new file mode 100644
index 000000000..4cc95319a
--- /dev/null
+++ b/security/nss/lib/crmf/crmfit.h
@@ -0,0 +1,216 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+
+#ifndef _CRMFIT_H_
+#define _CRMFIT_H_
+
+struct CRMFCertReqMessagesStr {
+    CRMFCertReqMsg **messages;
+    PRArenaPool     *poolp;
+};
+
+struct CRMFCertExtensionStr {
+    SECItem id;
+    SECItem critical;
+    SECItem value;
+};
+
+
+struct CRMFOptionalValidityStr {
+    SECItem notBefore; 
+    SECItem notAfter;
+};
+
+struct CRMFCertTemplateStr {
+    SECItem                   version;
+    SECItem                   serialNumber;
+    SECAlgorithmID           *signingAlg;
+    CERTName                 *issuer;
+    CRMFOptionalValidity     *validity;
+    CERTName                 *subject;
+    CERTSubjectPublicKeyInfo *publicKey;
+    SECItem                   issuerUID;
+    SECItem                   subjectUID; 
+    CRMFCertExtension       **extensions;
+    int                       numExtensions;
+};
+
+struct CRMFCertIDStr {
+    SECItem issuer; /* General Name */
+    SECItem serialNumber; /*INTEGER*/
+};
+
+struct CRMFEncryptedValueStr {
+    SECAlgorithmID *intendedAlg;
+    SECAlgorithmID *symmAlg;
+    SECItem         encSymmKey; /*BIT STRING   */
+    SECAlgorithmID *keyAlg;
+    SECItem         valueHint;  /*OCTET STRING */
+    SECItem         encValue;   /*BIT STRING   */
+};
+
+/*
+ * The field derValue will contain the actual der
+ * to include in the encoding or that was read in
+ * from a der blob. 
+ */
+struct CRMFEncryptedKeyStr {
+    union {
+        SEC_PKCS7ContentInfo   *envelopedData;
+        CRMFEncryptedValue      encryptedValue; 
+    } value;
+    CRMFEncryptedKeyChoice encKeyChoice;
+    SECItem derValue;
+};
+
+/* ASN1 must only have one of the following 3 options. */
+struct CRMFPKIArchiveOptionsStr {
+    union {
+        CRMFEncryptedKey  encryptedKey;
+        SECItem           keyGenParameters;
+        SECItem           archiveRemGenPrivKey; /* BOOLEAN */
+    } option;
+    CRMFPKIArchiveOptionsType archOption;
+};
+
+struct CRMFPKIPublicationInfoStr {
+    SECItem action; /* Possible values                    */
+                    /* dontPublish (0), pleasePublish (1) */
+    CRMFSinglePubInfo **pubInfos; 
+};
+
+struct CRMFControlStr {
+    SECOidTag  tag;
+    SECItem    derTag;
+    SECItem    derValue;
+    /* These will be C structures used to represent the various 
+     * options.  Values that can't be stored as der right away.
+     * After creating these structures, we'll place their der
+     * encoding in derValue so the encoder knows how to get to
+     * it.
+     */
+    union {
+        CRMFCertID              oldCertId;
+        CRMFPKIArchiveOptions   archiveOptions;
+        CRMFPKIPublicationInfo  pubInfo;
+        CRMFProtocolEncrKey     protEncrKey; 
+    } value;
+};
+
+struct CRMFCertRequestStr {
+    SECItem            certReqId;
+    CRMFCertTemplate   certTemplate;
+    CRMFControl      **controls;
+    /* The following members are used by the internal implementation, but
+     * are not part of the encoding.
+     */
+    PRArenaPool *poolp;
+    long         requestID; /* This is the value that will be encoded into
+			     * the certReqId field.
+			     */
+};                                   
+
+struct CRMFAttributeStr {
+    SECItem derTag;
+    SECItem derValue;
+};
+
+struct CRMFCertReqMsgStr {
+    CRMFCertRequest            *certReq;
+    CRMFProofOfPossession      *pop;
+    CRMFAttribute             **regInfo;
+    SECItem                     derPOP;
+    /* This arena will be used for allocating memory when decoding.
+     */
+    PRArenaPool *poolp;
+    PRBool       isDecoded;
+};
+
+struct CRMFPOPOSigningKeyInputStr {
+    /* ASN1 must have only one of the next 2 options */
+    union {
+        SECItem          sender; /*General Name*/
+        CRMFPKMACValue  *publicKeyMAC;
+    }authInfo;
+    CERTSubjectPublicKeyInfo publicKey;
+};
+
+struct CRMFPOPOSigningKeyStr {
+    SECItem                  derInput; /*If in the future we support 
+                                        *POPOSigningKeyInput, this will
+                                        *a C structure representation
+                                        *instead.
+                                        */
+    SECAlgorithmID          *algorithmIdentifier;
+    SECItem                  signature; /* This is a BIT STRING. Remember */
+};                                      /* that when interpreting.        */
+
+/* ASN1 must only choose one of these members */
+struct CRMFPOPOPrivKeyStr {
+    union {
+        SECItem thisMessage; /* BIT STRING */
+        SECItem subsequentMessage; /*INTEGER*/ 
+        SECItem dhMAC; /*BIT STRING*/
+    } message;
+    CRMFPOPOPrivKeyChoice messageChoice;
+};
+
+/* ASN1 must only have one of these options. */
+struct CRMFProofOfPossessionStr {
+    union {
+        SECItem             raVerified;
+        CRMFPOPOSigningKey  signature;
+        CRMFPOPOPrivKey     keyEncipherment;
+        CRMFPOPOPrivKey     keyAgreement;
+    } popChoice;
+    CRMFPOPChoice       popUsed; /*Not part of encoding*/
+};
+
+struct CRMFPKMACValueStr {
+    SECAlgorithmID algID;
+    SECItem        value; /*BIT STRING*/
+};
+
+struct CRMFSinglePubInfoStr {
+    SECItem pubMethod; /* Possible Values:
+			*   dontCare (0)
+			*   x500     (1)
+			*   web      (2)
+			*   ldap     (3)
+			*/
+    CERTGeneralName *pubLocation; /* General Name */
+};
+
+#endif /* _CRMFIT_H_ */
diff --git a/security/nss/lib/crmf/crmfpop.c b/security/nss/lib/crmf/crmfpop.c
new file mode 100644
index 000000000..d6ec26827
--- /dev/null
+++ b/security/nss/lib/crmf/crmfpop.c
@@ -0,0 +1,604 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+
+#include "crmf.h"
+#include "crmfi.h"
+#include "secasn1.h"
+#include "keyhi.h"
+#include "cryptohi.h"
+
+#define CRMF_DEFAULT_ALLOC_SIZE 1024
+
+SECStatus
+crmf_init_encoder_callback_arg (struct crmfEncoderArg *encoderArg, 
+				SECItem               *derDest) 
+{
+    derDest->data = PORT_ZNewArray(unsigned char, CRMF_DEFAULT_ALLOC_SIZE);
+    if (derDest->data == NULL) {
+        return SECFailure;
+    }
+    derDest->len = 0;
+    encoderArg->allocatedLen = CRMF_DEFAULT_ALLOC_SIZE;
+    encoderArg->buffer = derDest;
+    return SECSuccess;
+
+}
+
+/* Caller should release or unmark the pool, instead of doing it here.
+** But there are NO callers of this function at present...
+*/
+SECStatus 
+CRMF_CertReqMsgSetRAVerifiedPOP(CRMFCertReqMsg *inCertReqMsg)
+{
+    SECItem               *dummy;
+    CRMFProofOfPossession *pop;
+    PRArenaPool           *poolp;
+    void                  *mark;
+
+    PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->pop == NULL);
+    poolp = inCertReqMsg->poolp;
+    mark = PORT_ArenaMark(poolp);
+    if (CRMF_CertReqMsgGetPOPType(inCertReqMsg) != crmfNoPOPChoice) {
+        return SECFailure;
+    }
+    pop = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
+    if (pop == NULL) {
+        goto loser;
+    }
+    pop->popUsed = crmfRAVerified;
+    pop->popChoice.raVerified.data = NULL;
+    pop->popChoice.raVerified.len  = 0;
+    inCertReqMsg->pop = pop;
+    dummy = SEC_ASN1EncodeItem(poolp, &(inCertReqMsg->derPOP),
+			       &(pop->popChoice.raVerified),
+			       CRMFRAVerifiedTemplate);
+    return SECSuccess;
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    return SECFailure;
+}
+
+SECOidTag
+crmf_map_keytag_to_signtag(SECOidTag inTag)
+{
+    switch (inTag) {
+    case SEC_OID_PKCS1_RSA_ENCRYPTION:
+        return SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
+    case SEC_OID_ANSIX9_DSA_SIGNATURE:
+    case SEC_OID_MISSI_KEA_DSS:
+    case SEC_OID_MISSI_DSS:
+        return SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
+    default:
+        /* Put this in here to kill warnings. */
+        break;
+    }
+    return inTag;
+}
+
+SECOidTag
+crmf_get_key_sign_tag(SECKEYPublicKey *inPubKey)
+{
+    CERTSubjectPublicKeyInfo *spki;
+    SECOidTag                 tag;
+
+    spki = SECKEY_CreateSubjectPublicKeyInfo(inPubKey);
+    if (spki == NULL) {
+        return SEC_OID_UNKNOWN;
+    }
+    tag = SECOID_GetAlgorithmTag(&spki->algorithm);
+    SECKEY_DestroySubjectPublicKeyInfo(spki);
+    return crmf_map_keytag_to_signtag(tag);
+}
+
+SECAlgorithmID*
+crmf_create_poposignkey_algid(PRArenaPool      *poolp,
+			      SECKEYPublicKey  *inPubKey)
+{
+    SECAlgorithmID *algID;
+    SECOidTag       tag;
+    SECStatus       rv;
+    void           *mark;
+
+    mark = PORT_ArenaMark(poolp);
+    algID = PORT_ArenaZNew(poolp, SECAlgorithmID);
+    if (algID == NULL) {
+        goto loser;
+    }
+    tag = crmf_get_key_sign_tag(inPubKey);
+    if (tag == SEC_OID_UNKNOWN) {
+        goto loser;
+    }
+    rv = SECOID_SetAlgorithmID(poolp, algID, tag, NULL);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    PORT_ArenaUnmark(poolp, mark);
+    return algID;
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    return NULL;
+}
+
+static CRMFPOPOSigningKeyInput*
+crmf_create_poposigningkeyinput(PRArenaPool *poolp, CERTCertificate *inCert,
+				CRMFMACPasswordCallback fn, void *arg)
+{
+  /* PSM isn't going to do this, so we'll fail here for now.*/
+     return NULL;
+}
+
+void
+crmf_generic_encoder_callback(void *arg, const char* buf, unsigned long len,
+			      int depth, SEC_ASN1EncodingPart data_kind)
+{
+    struct crmfEncoderArg *encoderArg = (struct crmfEncoderArg*)arg;
+    unsigned char *cursor;
+    
+   if (encoderArg->buffer->len + len > encoderArg->allocatedLen) {
+        int newSize = encoderArg->buffer->len+CRMF_DEFAULT_ALLOC_SIZE;
+        void *dummy = PORT_Realloc(encoderArg->buffer->data, newSize);
+	if (dummy == NULL) {
+	    /* I really want to return an error code here */
+	    PORT_Assert(0);
+	    return;
+	}
+	encoderArg->buffer->data = dummy;
+	encoderArg->allocatedLen = newSize;
+    }
+    cursor = &(encoderArg->buffer->data[encoderArg->buffer->len]);
+    PORT_Memcpy (cursor, buf, len);
+    encoderArg->buffer->len += len;    
+}
+
+static SECStatus
+crmf_encode_certreq(CRMFCertRequest *inCertReq, SECItem *derDest)
+{
+    struct crmfEncoderArg encoderArg;
+    SECStatus             rv;
+  
+    rv = crmf_init_encoder_callback_arg (&encoderArg, derDest);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+    return SEC_ASN1Encode(inCertReq, CRMFCertRequestTemplate, 
+			  crmf_generic_encoder_callback, &encoderArg);
+}
+
+static SECStatus
+crmf_sign_certreq(PRArenaPool        *poolp, 
+		  CRMFPOPOSigningKey *crmfSignKey, 
+		  CRMFCertRequest    *certReq,
+		  SECKEYPrivateKey   *inKey,
+		  SECAlgorithmID     *inAlgId)
+{
+    SECItem                      derCertReq;
+    SECItem                      certReqSig;
+    SECStatus                    rv = SECSuccess;
+
+    rv = crmf_encode_certreq(certReq, &derCertReq);
+    if (rv != SECSuccess) {
+       goto loser;
+    }
+    rv = SEC_SignData(&certReqSig, derCertReq.data, derCertReq.len,
+		      inKey,SECOID_GetAlgorithmTag(inAlgId));
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+ 
+    /* Now make it a part of the POPOSigningKey */
+    rv = SECITEM_CopyItem(poolp, &(crmfSignKey->signature), &certReqSig);
+    /* Convert this length to number of bits */
+    crmfSignKey->signature.len <<= 3; 
+   
+ loser:
+    if (derCertReq.data != NULL) {
+        PORT_Free(derCertReq.data);
+    }
+    if (certReqSig.data != NULL) {
+        PORT_Free(certReqSig.data);
+    }
+    return rv;
+}
+
+static SECStatus
+crmf_create_poposignkey(PRArenaPool             *poolp, 
+			CRMFCertReqMsg          *inCertReqMsg, 
+			CRMFPOPOSigningKeyInput *signKeyInput, 
+			SECKEYPrivateKey        *inPrivKey,
+			SECAlgorithmID          *inAlgID,
+			CRMFPOPOSigningKey      *signKey) 
+{
+    CRMFCertRequest    *certReq;
+    void               *mark;
+    PRBool              useSignKeyInput;
+    SECStatus           rv;
+    
+    PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->certReq != NULL);
+    mark = PORT_ArenaMark(poolp);
+    if (signKey == NULL) {
+        goto loser;
+    }
+    certReq = inCertReqMsg->certReq;
+    useSignKeyInput = !(CRMF_DoesRequestHaveField(certReq,crmfSubject)  &&
+			CRMF_DoesRequestHaveField(certReq,crmfPublicKey));
+
+    if (useSignKeyInput) {
+        goto loser; 
+    } else {
+        rv = crmf_sign_certreq(poolp, signKey, certReq,inPrivKey, inAlgID);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    PORT_ArenaUnmark(poolp,mark);
+    return SECSuccess;
+ loser:
+    PORT_ArenaRelease(poolp,mark);
+    return SECFailure;
+}
+
+SECStatus
+CRMF_CertReqMsgSetSignaturePOP(CRMFCertReqMsg   *inCertReqMsg,
+			       SECKEYPrivateKey *inPrivKey,
+			       SECKEYPublicKey  *inPubKey,
+			       CERTCertificate  *inCertForInput,
+			       CRMFMACPasswordCallback  fn,
+			       void                    *arg)
+{
+    SECAlgorithmID  *algID;
+    PRArenaPool     *poolp;
+    SECItem          derDest = {siBuffer, NULL, 0};
+    void            *mark;
+    SECStatus        rv;
+    CRMFPOPOSigningKeyInput *signKeyInput = NULL;
+    CRMFCertRequest         *certReq;
+    CRMFProofOfPossession   *pop;
+    struct crmfEncoderArg    encoderArg;
+
+    PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->certReq != NULL &&
+		inCertReqMsg->pop == NULL);
+    certReq = inCertReqMsg->certReq;
+    if (CRMF_CertReqMsgGetPOPType(inCertReqMsg) != crmfNoPOPChoice || 
+	!CRMF_DoesRequestHaveField(certReq, crmfPublicKey)) {
+        return SECFailure;
+    } 
+    poolp = inCertReqMsg->poolp;
+    mark = PORT_ArenaMark(poolp);
+    algID = crmf_create_poposignkey_algid(poolp, inPubKey);
+
+    if(!CRMF_DoesRequestHaveField(certReq,crmfSubject)) {
+        signKeyInput = crmf_create_poposigningkeyinput(poolp, inCertForInput,
+						       fn, arg);
+	if (signKeyInput == NULL) {
+	    goto loser;
+	}
+    }
+
+    pop = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
+    if (pop == NULL) {
+        goto loser;
+    }
+    
+    rv = crmf_create_poposignkey(poolp, inCertReqMsg, 
+				 signKeyInput, inPrivKey, algID,
+				 &(pop->popChoice.signature));
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    pop->popUsed = crmfSignature;
+    pop->popChoice.signature.algorithmIdentifier = algID;
+    inCertReqMsg->pop = pop;
+  
+    rv = crmf_init_encoder_callback_arg (&encoderArg, &derDest);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    rv = SEC_ASN1Encode(&pop->popChoice.signature, 
+			CRMFPOPOSigningKeyTemplate,
+			crmf_generic_encoder_callback, &encoderArg);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    rv = SECITEM_CopyItem(poolp, &(inCertReqMsg->derPOP), &derDest);
+    PORT_Free (derDest.data);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    PORT_ArenaUnmark(poolp,mark);
+    return SECSuccess;
+
+ loser:
+    PORT_ArenaRelease(poolp,mark);
+    if (derDest.data != NULL) {
+        PORT_Free(derDest.data);
+    }
+    return SECFailure;
+}
+
+static const SEC_ASN1Template*
+crmf_get_popoprivkey_subtemplate(CRMFPOPOPrivKey *inPrivKey) 
+{
+    const SEC_ASN1Template *retTemplate = NULL;
+
+    switch (inPrivKey->messageChoice) {
+    case crmfThisMessage:
+        retTemplate = CRMFThisMessageTemplate;
+	break;
+    case crmfSubsequentMessage:
+        retTemplate = CRMFSubsequentMessageTemplate;
+	break;
+    case crmfDHMAC:
+        retTemplate = CRMFDHMACTemplate;
+	break;
+    default:
+        retTemplate = NULL;
+    }
+    return retTemplate;
+}
+
+static SECStatus
+crmf_encode_popoprivkey(PRArenaPool            *poolp, 
+			CRMFCertReqMsg         *inCertReqMsg,
+			CRMFPOPOPrivKey        *popoPrivKey,
+			const SEC_ASN1Template *privKeyTemplate)
+{
+    struct crmfEncoderArg   encoderArg;
+    SECItem                 derDest; 
+    SECStatus               rv;
+    void                   *mark;
+    const SEC_ASN1Template *subDerTemplate;
+
+    mark = PORT_ArenaMark(poolp);
+    rv = crmf_init_encoder_callback_arg(&encoderArg, &derDest);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    subDerTemplate = crmf_get_popoprivkey_subtemplate(popoPrivKey);
+    /* We've got a union, so a pointer to one item is a pointer to 
+     * all the items in the union.
+     */
+    rv = SEC_ASN1Encode(&popoPrivKey->message.thisMessage, 
+			subDerTemplate,
+			crmf_generic_encoder_callback, &encoderArg);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    if (encoderArg.allocatedLen > derDest.len+2) {
+        void *dummy = PORT_Realloc(derDest.data, derDest.len+2);
+	if (dummy == NULL) {
+	    goto loser;
+	}
+	derDest.data = dummy;
+    }
+    PORT_Memmove(&derDest.data[2], &derDest.data[0], derDest.len);
+    /* I couldn't figure out how to get the ASN1 encoder to implicitly
+     * tag an implicitly tagged der blob.  So I'm putting in the outter-
+     * most tag myself. -javi
+     */
+    derDest.data[0] = (unsigned char)privKeyTemplate->kind;
+    derDest.data[1] = (unsigned char)derDest.len;
+    derDest.len += 2;
+    rv = SECITEM_CopyItem(poolp, &inCertReqMsg->derPOP, &derDest);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    PORT_Free(derDest.data);
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    if (derDest.data) {
+        PORT_Free(derDest.data);
+    }
+    return SECFailure;
+}
+
+static const SEC_ASN1Template*
+crmf_get_template_for_privkey(CRMFPOPChoice inChoice) 
+{
+    switch (inChoice) {
+    case crmfKeyAgreement:
+        return CRMFPOPOKeyAgreementTemplate;
+    case crmfKeyEncipherment:
+        return CRMFPOPOKeyEnciphermentTemplate;
+    default:
+        break;
+    }
+    return NULL;
+}
+
+static SECStatus
+crmf_add_privkey_thismessage(CRMFCertReqMsg *inCertReqMsg, SECItem *encPrivKey,
+			     CRMFPOPChoice inChoice)
+{
+    PRArenaPool           *poolp;
+    void                  *mark;
+    CRMFPOPOPrivKey       *popoPrivKey;
+    CRMFProofOfPossession *pop;
+    SECStatus              rv;
+
+    PORT_Assert(inCertReqMsg != NULL && encPrivKey != NULL);
+    poolp = inCertReqMsg->poolp;
+    mark = PORT_ArenaMark(poolp);
+    pop = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
+    if (pop == NULL) {
+        goto loser;
+    }
+    pop->popUsed = inChoice;
+    /* popChoice is a union, so getting a pointer to one
+     * field gives me a pointer to the other fields as
+     * well.  This in essence points to both 
+     * pop->popChoice.keyEncipherment and
+     * pop->popChoice.keyAgreement
+     */
+    popoPrivKey = &pop->popChoice.keyEncipherment;
+
+    rv = SECITEM_CopyItem(poolp, &(popoPrivKey->message.thisMessage),
+			  encPrivKey);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    popoPrivKey->message.thisMessage.len <<= 3;
+    popoPrivKey->messageChoice = crmfThisMessage;
+    inCertReqMsg->pop = pop;
+    rv = crmf_encode_popoprivkey(poolp, inCertReqMsg, popoPrivKey,
+				 crmf_get_template_for_privkey(inChoice));
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+    
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    return SECFailure;
+}
+
+static SECStatus
+crmf_add_privkey_subseqmessage(CRMFCertReqMsg        *inCertReqMsg,
+			       CRMFSubseqMessOptions  subsequentMessage,
+			       CRMFPOPChoice          inChoice)
+{
+    void                  *mark;
+    PRArenaPool           *poolp;
+    CRMFProofOfPossession *pop;
+    CRMFPOPOPrivKey       *popoPrivKey;
+    SECStatus              rv;
+    const SEC_ASN1Template *privKeyTemplate;
+
+    if (subsequentMessage == crmfNoSubseqMess) {
+        return SECFailure;
+    }
+    poolp = inCertReqMsg->poolp;
+    mark = PORT_ArenaMark(poolp);
+    pop = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
+    if (pop == NULL) {
+        goto loser;
+    }
+
+    pop->popUsed = inChoice;
+    /* 
+     * We have a union, so a pointer to one member of the union
+     * is also a member to another member of that same union.
+     */
+    popoPrivKey = &pop->popChoice.keyEncipherment;
+
+    switch (subsequentMessage) {
+    case crmfEncrCert:
+        rv = crmf_encode_integer(poolp, 
+				 &(popoPrivKey->message.subsequentMessage),
+				 0);
+	break;
+    case crmfChallengeResp:
+        rv = crmf_encode_integer(poolp,
+				 &(popoPrivKey->message.subsequentMessage),
+				 1);
+	break;
+    default:
+        goto loser;
+    }
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    popoPrivKey->messageChoice = crmfSubsequentMessage;
+    privKeyTemplate = crmf_get_template_for_privkey(inChoice);
+    inCertReqMsg->pop = pop;
+    rv = crmf_encode_popoprivkey(poolp, inCertReqMsg, popoPrivKey,
+				 privKeyTemplate);
+
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    return SECFailure;
+}
+
+SECStatus 
+CRMF_CertReqMsgSetKeyEnciphermentPOP(CRMFCertReqMsg        *inCertReqMsg,
+				     CRMFPOPOPrivKeyChoice  inKeyChoice,
+				     CRMFSubseqMessOptions  subseqMess,
+				     SECItem               *encPrivKey)
+{
+    SECStatus rv;
+
+    PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->pop == NULL);
+    if (CRMF_CertReqMsgGetPOPType(inCertReqMsg) != crmfNoPOPChoice) {
+        return SECFailure;
+    }
+    switch (inKeyChoice) {    
+    case crmfThisMessage:
+        rv = crmf_add_privkey_thismessage(inCertReqMsg, encPrivKey,
+					  crmfKeyEncipherment);
+	break;
+    case crmfSubsequentMessage:
+        rv = crmf_add_privkey_subseqmessage(inCertReqMsg, subseqMess, 
+					    crmfKeyEncipherment);
+        break;
+    case crmfDHMAC:
+    default:
+        rv = SECFailure;
+    }
+    return rv;
+}
+
+SECStatus 
+CRMF_CertReqMsgSetKeyAgreementPOP (CRMFCertReqMsg        *inCertReqMsg,
+				   CRMFPOPOPrivKeyChoice  inKeyChoice,
+				   CRMFSubseqMessOptions  subseqMess,
+				   SECItem               *encPrivKey)
+{
+    SECStatus rv;
+
+    PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->pop == NULL);
+    switch (inKeyChoice) {    
+    case crmfThisMessage:
+        rv = crmf_add_privkey_thismessage(inCertReqMsg, encPrivKey,
+					  crmfKeyAgreement);
+	break;
+    case crmfSubsequentMessage:
+        rv = crmf_add_privkey_subseqmessage(inCertReqMsg, subseqMess, 
+					    crmfKeyAgreement);
+    case crmfDHMAC:
+        /* This case should be added in the future. */
+    default:
+        rv = SECFailure;
+    }
+    return rv;
+}
+
diff --git a/security/nss/lib/crmf/crmfreq.c b/security/nss/lib/crmf/crmfreq.c
new file mode 100644
index 000000000..7367f7d26
--- /dev/null
+++ b/security/nss/lib/crmf/crmfreq.c
@@ -0,0 +1,697 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "crmf.h"
+#include "crmfi.h"
+#include "keyhi.h"
+#include "secder.h"
+
+/*
+ * Macro that returns PR_TRUE if the pointer is not NULL.
+ * If the pointer is NULL, then the macro will return PR_FALSE.
+ */
+#define IS_NOT_NULL(ptr) ((ptr) == NULL) ? PR_FALSE : PR_TRUE
+
+const unsigned char hexTrue  = 0xff;
+const unsigned char hexFalse = 0x00;
+
+
+SECStatus
+crmf_encode_integer(PRArenaPool *poolp, SECItem *dest, long value) 
+{
+    SECItem *dummy;
+
+    dummy = SEC_ASN1EncodeInteger(poolp, dest, value);
+    PORT_Assert (dummy == dest);
+    if (dummy == NULL) {
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+crmf_copy_secitem (PRArenaPool *poolp, SECItem *dest, SECItem *src)
+{
+    return  SECITEM_CopyItem (poolp, dest, src); 
+}
+
+PRBool
+CRMF_DoesRequestHaveField (CRMFCertRequest       *inCertReq, 
+			   CRMFCertTemplateField  inField)
+{
+  
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq == NULL) {
+        return PR_FALSE;
+    }
+    switch (inField) {
+    case crmfVersion:
+        return inCertReq->certTemplate.version.data != NULL;
+    case crmfSerialNumber:
+        return inCertReq->certTemplate.serialNumber.data != NULL;
+    case crmfSigningAlg:
+        return inCertReq->certTemplate.signingAlg != NULL;
+    case crmfIssuer:
+        return inCertReq->certTemplate.issuer != NULL;
+    case crmfValidity:
+        return inCertReq->certTemplate.validity != NULL;
+    case crmfSubject:
+        return inCertReq->certTemplate.subject != NULL;
+    case crmfPublicKey:
+        return inCertReq->certTemplate.publicKey != NULL;
+    case crmfIssuerUID:
+        return inCertReq->certTemplate.issuerUID.data != NULL;
+    case crmfSubjectUID:
+        return inCertReq->certTemplate.subjectUID.data != NULL;
+    case crmfExtension:
+        return CRMF_CertRequestGetNumberOfExtensions(inCertReq) != 0;
+    }
+    return PR_FALSE;
+}
+
+CRMFCertRequest *
+CRMF_CreateCertRequest (long inRequestID) {
+    PRArenaPool     *poolp;
+    CRMFCertRequest *certReq;
+    SECStatus        rv;
+    
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        goto loser;
+    }
+    
+    certReq=PORT_ArenaZNew(poolp,CRMFCertRequest);
+    if (certReq == NULL) {
+        goto loser;
+    }
+
+    certReq->poolp = poolp;
+    certReq->requestID = inRequestID;
+    
+    rv = crmf_encode_integer(poolp, &(certReq->certReqId), inRequestID);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    return certReq;
+ loser:
+    if (poolp) {
+        PORT_FreeArena(poolp, PR_FALSE);
+    }
+    return NULL;
+}
+
+SECStatus
+CRMF_DestroyCertRequest(CRMFCertRequest *inCertReq)
+{
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq != NULL) {
+        if (inCertReq->certTemplate.extensions) {
+	    PORT_Free(inCertReq->certTemplate.extensions);
+	}
+	if (inCertReq->controls) {
+	    /* Right now we don't support EnveloppedData option,
+	     * so we won't go through and delete each occurrence of 
+	     * an EnveloppedData in the control.
+	     */
+	    PORT_Free(inCertReq->controls);
+	}
+	if (inCertReq->poolp) {
+	    PORT_FreeArena(inCertReq->poolp, PR_TRUE);
+	}
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+crmf_template_add_version(PRArenaPool *poolp, SECItem *dest, long version)
+{
+    return (crmf_encode_integer(poolp, dest, version));
+}
+
+static SECStatus
+crmf_template_add_serialnumber(PRArenaPool *poolp, SECItem *dest, long serial)
+{
+    return (crmf_encode_integer(poolp, dest, serial));
+}
+
+SECStatus
+crmf_template_copy_secalg (PRArenaPool *poolp, SECAlgorithmID **dest, 
+			   SECAlgorithmID* src)
+{
+    SECStatus         rv;
+    void             *mark = NULL;
+    SECAlgorithmID   *mySecAlg;
+
+    if (poolp != NULL) {
+        mark = PORT_ArenaMark(poolp);
+    }
+    *dest = mySecAlg = PORT_ArenaZNew(poolp, SECAlgorithmID);
+    if (mySecAlg == NULL) {
+        goto loser;
+    }
+    rv = SECOID_CopyAlgorithmID(poolp, mySecAlg, src);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    if (mark) {
+        PORT_ArenaUnmark(poolp, mark);
+    }
+    return SECSuccess;
+
+ loser:
+    *dest = NULL;
+    if (mark) {
+        PORT_ArenaRelease(poolp, mark);
+    }
+    return SECFailure;
+}
+
+SECStatus
+crmf_copy_cert_name(PRArenaPool *poolp, CERTName **dest, 
+		    CERTName *src)
+{
+    CERTName *newName;
+    SECStatus rv;
+    void     *mark;
+
+    mark = PORT_ArenaMark(poolp);
+    *dest = newName = PORT_ArenaZNew(poolp, CERTName);
+    if (newName == NULL) {
+        goto loser;
+    }
+
+    rv = CERT_CopyName(poolp, newName, src);
+    if (rv != SECSuccess) {
+      goto loser;
+    }
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    *dest = NULL;
+    return SECFailure;
+}
+
+static SECStatus
+crmf_template_add_issuer (PRArenaPool *poolp, CERTName **dest, 
+			  CERTName* issuerName)
+{
+    return crmf_copy_cert_name(poolp, dest, issuerName);
+}
+
+
+static SECStatus
+crmf_encode_utctime(PRArenaPool *poolp, SECItem *destTime, PRTime time)
+{
+    SECItem   tmpItem;
+    SECStatus rv;
+
+
+    rv = DER_TimeToUTCTime (&tmpItem, time);
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    rv = SECITEM_CopyItem(poolp, destTime, &tmpItem);
+    PORT_Free(tmpItem.data);
+    return rv;
+}
+
+static SECStatus
+crmf_template_add_validity (PRArenaPool *poolp, CRMFOptionalValidity **dest,
+			    CRMFValidityCreationInfo *info)
+{
+    SECStatus             rv;
+    void                 *mark; 
+    CRMFOptionalValidity *myValidity;
+
+    /*First off, let's make sure at least one of the two fields is present*/
+    if (!info  || (!info->notBefore && !info->notAfter)) {
+        return SECFailure;
+    }
+    mark = PORT_ArenaMark (poolp);
+    *dest = myValidity = PORT_ArenaZNew(poolp, CRMFOptionalValidity);
+    if (myValidity == NULL) {
+        goto loser;
+    }
+
+    if (info->notBefore) {
+        rv = crmf_encode_utctime (poolp, &myValidity->notBefore, 
+				  *info->notBefore);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    if (info->notAfter) {
+        rv = crmf_encode_utctime (poolp, &myValidity->notAfter,
+				  *info->notAfter);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    *dest = NULL;
+    return SECFailure;
+}
+
+static SECStatus
+crmf_template_add_subject (PRArenaPool *poolp, CERTName **dest,
+			   CERTName *subject)
+{
+    return crmf_copy_cert_name(poolp, dest, subject);
+}
+
+SECStatus
+crmf_template_add_public_key(PRArenaPool *poolp, 
+			     CERTSubjectPublicKeyInfo **dest,
+			     CERTSubjectPublicKeyInfo  *pubKey)
+{
+    CERTSubjectPublicKeyInfo *spki;
+    SECStatus rv;
+
+    *dest = spki = (poolp == NULL) ?
+                              PORT_ZNew(CERTSubjectPublicKeyInfo) :
+                              PORT_ArenaZNew (poolp, CERTSubjectPublicKeyInfo);
+    if (spki == NULL) {
+        goto loser;
+    }
+    rv = SECKEY_CopySubjectPublicKeyInfo (poolp, spki, pubKey);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return SECSuccess;
+ loser:
+    if (poolp == NULL && spki != NULL) {
+        SECKEY_DestroySubjectPublicKeyInfo(spki);
+    }
+    *dest = NULL;
+    return SECFailure;
+}
+
+static SECStatus
+crmf_copy_bitstring (PRArenaPool *poolp, SECItem *dest, SECItem *src)
+{
+    SECStatus rv;
+    int origLenBits, numBytesToCopy;
+    
+    origLenBits = src->len;
+    numBytesToCopy = CRMF_BITS_TO_BYTES(origLenBits);
+    rv = crmf_copy_secitem(poolp, dest, src);
+    src->len = origLenBits;
+    dest->len = origLenBits;
+    return rv;
+}
+
+static SECStatus
+crmf_template_add_issuer_uid(PRArenaPool *poolp, SECItem *dest,
+			     SECItem *issuerUID)
+{
+    return crmf_copy_bitstring (poolp, dest, issuerUID);
+}
+
+static SECStatus
+crmf_template_add_subject_uid(PRArenaPool *poolp, SECItem *dest, 
+			      SECItem *subjectUID)
+{
+    return crmf_copy_bitstring (poolp, dest, subjectUID);
+}
+
+static void
+crmf_zeroize_new_extensions (CRMFCertExtension **extensions,
+			     int numToZeroize) 
+{
+    PORT_Memset((void*)extensions, 0, sizeof(CERTCertExtension*)*numToZeroize);
+}
+
+/*
+ * The strategy for adding templates will differ from all the other
+ * attributes in the template.  First, we want to allow the client
+ * of this API to set extensions more than just once.  So we will
+ * need the ability grow the array of extensions.  Since arenas don't
+ * give us the realloc function, we'll use the generic PORT_* functions
+ * to allocate the array of pointers *ONLY*.  Then we will allocate each
+ * individual extension from the arena that comes along with the certReq
+ * structure that owns this template.
+ */
+static SECStatus
+crmf_template_add_extensions(PRArenaPool *poolp, CRMFCertTemplate *inTemplate,
+			     CRMFCertExtCreationInfo *extensions)
+{
+    void               *mark;
+    int                 newSize, oldSize, i;
+    SECStatus           rv;
+    CRMFCertExtension **extArray;
+    CRMFCertExtension  *newExt, *currExt;
+
+    mark = PORT_ArenaMark(poolp);
+    if (inTemplate->extensions == NULL) {
+        newSize = extensions->numExtensions;
+        extArray = PORT_ZNewArray(CRMFCertExtension*,newSize+1);
+    } else {
+        newSize = inTemplate->numExtensions + extensions->numExtensions;
+        extArray = PORT_Realloc(inTemplate->extensions, 
+				sizeof(CRMFCertExtension*)*(newSize+1));
+    }
+    if (extArray == NULL) {
+        goto loser;
+    }
+    oldSize                   = inTemplate->numExtensions;
+    inTemplate->extensions    = extArray;
+    inTemplate->numExtensions = newSize;
+    for (i=oldSize; i < newSize; i++) {
+        newExt = PORT_ArenaZNew(poolp, CRMFCertExtension);
+	if (newExt == NULL) {
+	    goto loser2;
+	}
+	currExt = extensions->extensions[i-oldSize];
+	rv = crmf_copy_secitem(poolp, &(newExt->id), &(currExt->id));
+	if (rv != SECSuccess) {
+	    goto loser2;
+	}
+	rv = crmf_copy_secitem(poolp, &(newExt->critical),
+			       &(currExt->critical));
+	if (rv != SECSuccess) {
+	    goto loser2;
+	}
+	rv = crmf_copy_secitem(poolp, &(newExt->value), &(currExt->value));
+	if (rv != SECSuccess) {
+	    goto loser2;
+	}
+	extArray[i] = newExt;
+    }
+    extArray[newSize] = NULL;
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+ loser2:
+    crmf_zeroize_new_extensions (&(inTemplate->extensions[oldSize]),
+				 extensions->numExtensions);
+    inTemplate->numExtensions = oldSize;
+ loser:
+    PORT_ArenaRelease(poolp, mark);
+    return SECFailure;
+}
+
+SECStatus
+CRMF_CertRequestSetTemplateField(CRMFCertRequest       *inCertReq, 
+				 CRMFCertTemplateField  inTemplateField,
+				 void                  *data)
+{
+    CRMFCertTemplate *certTemplate;
+    PRArenaPool      *poolp;
+    SECStatus         rv = SECFailure;
+    void             *mark;
+    
+
+    if (inCertReq == NULL) {
+        return SECFailure;
+    }
+
+    certTemplate = &(inCertReq->certTemplate);
+
+    poolp = inCertReq->poolp;
+    mark = PORT_ArenaMark(poolp);
+    switch (inTemplateField) {
+    case crmfVersion:
+      rv = crmf_template_add_version(poolp,&(certTemplate->version), 
+				     *(long*)data);
+      break;
+    case crmfSerialNumber:
+      rv = crmf_template_add_serialnumber(poolp, 
+					  &(certTemplate->serialNumber),
+					  *(long*)data);
+      break;
+    case crmfSigningAlg:
+      rv = crmf_template_copy_secalg (poolp, &(certTemplate->signingAlg),
+				      (SECAlgorithmID*)data);
+      break;
+    case crmfIssuer:
+      rv = crmf_template_add_issuer (poolp, &(certTemplate->issuer), 
+				     (CERTName*)data);
+      break;
+    case crmfValidity:
+      rv = crmf_template_add_validity (poolp, &(certTemplate->validity),
+				       (CRMFValidityCreationInfo*)data);
+      break;
+    case crmfSubject:
+      rv = crmf_template_add_subject (poolp, &(certTemplate->subject),
+				      (CERTName*)data);
+      break;
+    case crmfPublicKey:
+      rv = crmf_template_add_public_key(poolp, &(certTemplate->publicKey),
+					(CERTSubjectPublicKeyInfo*)data);
+      break;
+    case crmfIssuerUID:
+      rv = crmf_template_add_issuer_uid(poolp, &(certTemplate->issuerUID),
+					(SECItem*)data);
+      break;
+    case crmfSubjectUID:
+      rv = crmf_template_add_subject_uid(poolp, &(certTemplate->subjectUID),
+					 (SECItem*)data);
+      break;
+    case crmfExtension:
+      rv = crmf_template_add_extensions(poolp, certTemplate, 
+					(CRMFCertExtCreationInfo*)data);
+      break;
+    }
+    if (rv != SECSuccess) {
+        PORT_ArenaRelease(poolp, mark);
+    } else {
+        PORT_ArenaUnmark(poolp, mark);
+    }
+    return rv;
+}
+
+SECStatus
+CRMF_CertReqMsgSetCertRequest (CRMFCertReqMsg  *inCertReqMsg, 
+			       CRMFCertRequest *inCertReq)
+{
+    PORT_Assert (inCertReqMsg != NULL && inCertReq != NULL);
+    if (inCertReqMsg == NULL || inCertReq == NULL) {
+        return SECFailure;
+    }
+    inCertReqMsg->certReq = crmf_copy_cert_request(inCertReqMsg->poolp,
+						   inCertReq);
+    return (inCertReqMsg->certReq == NULL) ? SECFailure : SECSuccess;
+}
+
+CRMFCertReqMsg*
+CRMF_CreateCertReqMsg(void)
+{
+    PRArenaPool    *poolp;
+    CRMFCertReqMsg *reqMsg;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        goto loser;
+    }
+    reqMsg = PORT_ArenaZNew(poolp, CRMFCertReqMsg);
+    if (reqMsg == NULL) {
+        goto loser;
+    }
+    reqMsg->poolp = poolp;
+    return reqMsg;
+    
+ loser:
+    if (poolp) {
+        PORT_FreeArena(poolp, PR_FALSE);
+    }
+    return NULL;
+}
+
+SECStatus 
+CRMF_DestroyCertReqMsg(CRMFCertReqMsg *inCertReqMsg)
+{
+    PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->poolp != NULL);
+    if (!inCertReqMsg->isDecoded) {
+        if (inCertReqMsg->certReq->certTemplate.extensions != NULL) {
+	    PORT_Free(inCertReqMsg->certReq->certTemplate.extensions);
+	}
+	if (inCertReqMsg->certReq->controls != NULL) {
+	    PORT_Free(inCertReqMsg->certReq->controls);
+	}
+    }
+    PORT_FreeArena(inCertReqMsg->poolp, PR_TRUE);
+    return SECSuccess;
+}
+
+CRMFCertExtension*
+crmf_create_cert_extension(PRArenaPool *poolp, 
+			   SECOidTag    id,
+			   PRBool       isCritical,
+			   SECItem     *data)
+{
+    CRMFCertExtension *newExt;
+    SECOidData        *oidData;
+    SECStatus          rv;
+
+    newExt = (poolp == NULL) ? PORT_ZNew(CRMFCertExtension) :
+                               PORT_ArenaZNew(poolp, CRMFCertExtension);
+    if (newExt == NULL) {
+        goto loser;
+    }
+    oidData = SECOID_FindOIDByTag(id);
+    if (oidData == NULL || 
+	oidData->supportedExtension != SUPPORTED_CERT_EXTENSION) {
+       goto loser;
+    }
+
+    rv = SECITEM_CopyItem(poolp, &(newExt->id), &(oidData->oid));
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = SECITEM_CopyItem(poolp, &(newExt->value), data);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    if (isCritical) {
+        newExt->critical.data = (poolp == NULL) ? 
+	                                PORT_New(unsigned char) :
+	                                PORT_ArenaNew(poolp, unsigned char);
+	if (newExt->critical.data == NULL) {
+	    goto loser;
+	}
+	newExt->critical.data[0] = hexTrue;
+	newExt->critical.len = 1;
+    }
+    return newExt;
+ loser:
+    if (newExt != NULL && poolp == NULL) {
+        CRMF_DestroyCertExtension(newExt);
+    }
+    return NULL;
+}
+
+CRMFCertExtension *
+CRMF_CreateCertExtension(SECOidTag id,
+			 PRBool    isCritical,
+			 SECItem  *data) 
+{
+    return crmf_create_cert_extension(NULL, id, isCritical, data);
+}
+
+SECStatus
+crmf_destroy_cert_extension(CRMFCertExtension *inExtension, PRBool freeit)
+{
+    if (inExtension != NULL) {
+        SECITEM_FreeItem (&(inExtension->id), PR_FALSE);
+	SECITEM_FreeItem (&(inExtension->value), PR_FALSE);
+	SECITEM_FreeItem (&(inExtension->critical), PR_FALSE);
+	if (freeit) {
+	    PORT_Free(inExtension);
+	}
+    }
+    return SECSuccess;
+}
+
+SECStatus
+CRMF_DestroyCertExtension(CRMFCertExtension *inExtension)
+{
+    return crmf_destroy_cert_extension(inExtension, PR_TRUE);
+}
+
+SECStatus
+CRMF_DestroyCertReqMessages(CRMFCertReqMessages *inCertReqMsgs) 
+{
+    PORT_Assert (inCertReqMsgs != NULL);
+    if (inCertReqMsgs != NULL) {
+        PORT_FreeArena(inCertReqMsgs->poolp, PR_TRUE);
+    }
+    return SECSuccess;
+}
+
+static PRBool
+crmf_item_has_data(SECItem *item)
+{
+    if (item != NULL && item->data != NULL) {
+        return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+PRBool
+CRMF_CertRequestIsFieldPresent(CRMFCertRequest       *inCertReq,
+			       CRMFCertTemplateField  inTemplateField)
+{
+    PRBool             retVal;
+    CRMFCertTemplate *certTemplate;
+
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq == NULL) {
+        /* This is probably some kind of error, but this is 
+	 * the safest return value for this function.
+	 */
+        return PR_FALSE;
+    }
+    certTemplate = &inCertReq->certTemplate;
+    switch (inTemplateField) {
+    case crmfVersion:
+      retVal = crmf_item_has_data(&certTemplate->version);
+      break;
+    case crmfSerialNumber:
+      retVal = crmf_item_has_data(&certTemplate->serialNumber);
+      break;
+    case crmfSigningAlg:
+      retVal = IS_NOT_NULL(certTemplate->signingAlg);
+      break;
+    case crmfIssuer:
+      retVal = IS_NOT_NULL(certTemplate->issuer);
+      break;
+    case crmfValidity:
+      retVal = IS_NOT_NULL(certTemplate->validity);
+      break;
+    case crmfSubject:
+      retVal = IS_NOT_NULL(certTemplate->subject);
+      break;
+    case crmfPublicKey:
+      retVal = IS_NOT_NULL(certTemplate->publicKey);
+      break;
+    case crmfIssuerUID:
+      retVal = crmf_item_has_data(&certTemplate->issuerUID);
+      break;
+    case crmfSubjectUID:
+      retVal = crmf_item_has_data(&certTemplate->subjectUID);
+      break;
+    case crmfExtension:
+      retVal = IS_NOT_NULL(certTemplate->extensions);
+      break;
+    default:
+      retVal = PR_FALSE;
+    }
+    return retVal;
+}
diff --git a/security/nss/lib/crmf/crmft.h b/security/nss/lib/crmf/crmft.h
new file mode 100644
index 000000000..3bc4d3826
--- /dev/null
+++ b/security/nss/lib/crmf/crmft.h
@@ -0,0 +1,217 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+
+/* Header file with all of the structures and types that will be exported 
+ * by the security library for implementation of CRMF.
+ */
+
+#ifndef _CRMFT_H_
+#define _CRMFT_H_
+
+/* Use these enumerated values for adding fields to the certificate request */
+typedef enum {
+    crmfVersion = 0,
+    crmfSerialNumber = 1,
+    crmfSigningAlg = 2,
+    crmfIssuer = 3,
+    crmfValidity = 4,
+    crmfSubject = 5,
+    crmfPublicKey = 6,
+    crmfIssuerUID = 7,
+    crmfSubjectUID = 8,
+    crmfExtension = 9
+} CRMFCertTemplateField;
+
+/*
+ * An enumeration for the different types of controls.
+ */
+typedef enum {
+    crmfNoControl = 0,
+    crmfRegTokenControl = 1,
+    crmfAuthenticatorControl = 2,
+    crmfPKIPublicationInfoControl = 3,
+    crmfPKIArchiveOptionsControl = 4,
+    crmfOldCertIDControl = 5,
+    crmfProtocolEncrKeyControl = 6
+} CRMFControlType;
+
+/*
+ * The possible values that are passed into CRMF_CreatePKIPublicationInfo
+ */
+typedef enum {
+    crmfDontPublish = 0,
+    crmfPleasePublish = 1
+} CRMFPublicationAction;
+
+/*
+ * An enumeration for the possible for pubMethod which is a part of 
+ * the SinglePubInfo ASN1 type.
+ */
+typedef enum {
+    crmfDontCare = 0,
+    crmfX500 = 1,
+    crmfWeb = 2,
+    crmfLdap = 3
+} CRMFPublicationMethod;
+
+/*
+ * An enumeration for the different options for PKIArchiveOptions type.
+ */
+typedef enum {
+    crmfNoArchiveOptions = 0,
+    crmfEncryptedPrivateKey = 1,
+    crmfKeyGenParameters = 2,
+    crmfArchiveRemGenPrivKey = 3
+} CRMFPKIArchiveOptionsType;
+
+/*
+ * An enumeration for the different options for ProofOfPossession
+ */
+typedef enum {
+    crmfNoPOPChoice = 0,
+    crmfRAVerified = 1,
+    crmfSignature = 2,
+    crmfKeyEncipherment = 3,
+    crmfKeyAgreement = 4
+} CRMFPOPChoice;
+
+/*
+ * An enumertion type for options for the authInfo field of the 
+ * CRMFPOPOSigningKeyInput structure.
+ */
+typedef enum {
+    crmfSender = 0,
+    crmfPublicKeyMAC = 1
+} CRMFPOPOSkiInputAuthChoice;
+
+/*
+ * An enumeration for the SubsequentMessage Options.
+ */
+typedef enum {
+    crmfNoSubseqMess = 0,
+    crmfEncrCert = 1,
+    crmfChallengeResp = 2
+} CRMFSubseqMessOptions;
+
+/*
+ * An enumeration for the choice used by POPOPrivKey.
+ */
+typedef enum {
+    crmfNoMessage = 0,
+    crmfThisMessage = 1,
+    crmfSubsequentMessage = 2,
+    crmfDHMAC = 3
+} CRMFPOPOPrivKeyChoice;
+
+/*
+ * An enumeration for the choices for the EncryptedKey type.
+ */
+typedef enum {
+    crmfNoEncryptedKeyChoice = 0,
+    crmfEncryptedValueChoice = 1,
+    crmfEnvelopedDataChoice = 2
+} CRMFEncryptedKeyChoice;
+
+/*
+ * TYPE: CRMFEncoderOutputCallback
+ *     This function type defines a prototype for a function that the CRMF
+ *     library expects when encoding is performed.
+ *
+ * ARGUMENTS:
+ *     arg
+ *         This will be a pointer the user passed into an encoding function.
+ *         The user of the library is free to use this pointer in any way.
+ *         The most common use is to keep around a buffer for writing out
+ *         the DER encoded bytes.
+ *     buf
+ *         The DER encoded bytes that should be written out.
+ *     len
+ *         The number of DER encoded bytes to write out.
+ *
+ */
+typedef void (*CRMFEncoderOutputCallback) (void *arg,
+					   const char *buf,
+					   unsigned long len);
+
+/*
+ * Type for the function that gets a password.  Just in case we ever
+ * need to support publicKeyMAC for POPOSigningKeyInput
+ */
+typedef SECItem* (*CRMFMACPasswordCallback) (void *arg);
+
+typedef struct CRMFOptionalValidityStr      CRMFOptionalValidity;
+typedef struct CRMFValidityCreationInfoStr  CRMFGetValidity;
+typedef struct CRMFCertTemplateStr          CRMFCertTemplate;
+typedef struct CRMFCertRequestStr           CRMFCertRequest;
+typedef struct CRMFCertReqMsgStr            CRMFCertReqMsg;
+typedef struct CRMFCertReqMessagesStr       CRMFCertReqMessages;
+typedef struct CRMFProofOfPossessionStr     CRMFProofOfPossession;
+typedef struct CRMFPOPOSigningKeyStr        CRMFPOPOSigningKey;
+typedef struct CRMFPOPOSigningKeyInputStr   CRMFPOPOSigningKeyInput;
+typedef struct CRMFPOPOPrivKeyStr           CRMFPOPOPrivKey;
+typedef struct CRMFPKIPublicationInfoStr    CRMFPKIPublicationInfo;
+typedef struct CRMFSinglePubInfoStr         CRMFSinglePubInfo;
+typedef struct CRMFPKIArchiveOptionsStr     CRMFPKIArchiveOptions;
+typedef struct CRMFEncryptedKeyStr          CRMFEncryptedKey;
+typedef struct CRMFEncryptedValueStr        CRMFEncryptedValue;
+typedef struct CRMFCertIDStr                CRMFCertID;
+typedef struct CRMFCertIDStr                CRMFOldCertID;
+typedef CERTSubjectPublicKeyInfo            CRMFProtocolEncrKey;
+typedef struct CRMFValidityCreationInfoStr  CRMFValidityCreationInfo;
+typedef struct CRMFCertExtCreationInfoStr   CRMFCertExtCreationInfo;
+typedef struct CRMFPKMACValueStr            CRMFPKMACValue;
+typedef struct CRMFAttributeStr             CRMFAttribute;
+typedef struct CRMFControlStr               CRMFControl;
+typedef CERTGeneralName                     CRMFGeneralName;
+typedef struct CRMFCertExtensionStr         CRMFCertExtension;
+
+struct CRMFValidityCreationInfoStr {
+    PRTime *notBefore;
+    PRTime *notAfter;
+};
+
+struct CRMFCertExtCreationInfoStr {
+    CRMFCertExtension **extensions;
+    int numExtensions;
+};
+
+/*
+ * Some ASN1 Templates that may be needed.
+ */
+extern const SEC_ASN1Template CRMFCertReqMessagesTemplate[];
+extern const SEC_ASN1Template CRMFCertRequestTemplate[];
+
+
+#endif /*_CRMFT_H_*/
diff --git a/security/nss/lib/crmf/crmftmpl.c b/security/nss/lib/crmf/crmftmpl.c
new file mode 100644
index 000000000..a65a074a1
--- /dev/null
+++ b/security/nss/lib/crmf/crmftmpl.c
@@ -0,0 +1,299 @@
+/* -*- Mode: C; tab-width: 8 -*- */
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "crmf.h"
+#include "crmfi.h"
+#include "secoid.h"
+#include "secasn1.h"
+
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+SEC_ASN1_MKSUB(SEC_NullTemplate)
+SEC_ASN1_MKSUB(SEC_BitStringTemplate)
+SEC_ASN1_MKSUB(SEC_IntegerTemplate)
+SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
+SEC_ASN1_MKSUB(SEC_UTCTimeTemplate)
+SEC_ASN1_MKSUB(CERT_SubjectPublicKeyInfoTemplate)
+SEC_ASN1_MKSUB(CERT_NameTemplate)
+
+/* 
+ * It's all implicit tagging.
+ */
+
+const SEC_ASN1Template CRMFControlTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFControl)},
+    { SEC_ASN1_OBJECT_ID, offsetof(CRMFControl, derTag)},
+    { SEC_ASN1_ANY, offsetof(CRMFControl, derValue) },
+    { 0 }
+};
+
+static const SEC_ASN1Template CRMFCertExtensionTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CRMFCertExtension) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(CRMFCertExtension,id) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN,
+	  offsetof(CRMFCertExtension,critical) },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(CRMFCertExtension,value) },
+    { 0, }
+};
+
+static const SEC_ASN1Template CRMFSequenceOfCertExtensionTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, CRMFCertExtensionTemplate }
+};
+
+static const SEC_ASN1Template CRMFOptionalValidityTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (CRMFOptionalValidity) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_NO_STREAM |
+      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN | 0, 
+      offsetof (CRMFOptionalValidity, notBefore),
+      SEC_ASN1_SUB(SEC_UTCTimeTemplate) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_NO_STREAM |
+      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN | 1, 
+      offsetof (CRMFOptionalValidity, notAfter),
+      SEC_ASN1_SUB(SEC_UTCTimeTemplate) },
+    { 0 }
+};
+
+static const SEC_ASN1Template crmfPointerToNameTemplate[] = {
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN, 0, SEC_ASN1_SUB(CERT_NameTemplate)},
+    { 0 }
+};
+
+static const SEC_ASN1Template CRMFCertTemplateTemplate[] = {
+   { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFCertTemplate) },
+   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, 
+     offsetof(CRMFCertTemplate, version), 
+     SEC_ASN1_SUB(SEC_IntegerTemplate) },
+   { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | SEC_ASN1_XTRN | 1 ,
+     offsetof (CRMFCertTemplate, serialNumber), 
+     SEC_ASN1_SUB(SEC_IntegerTemplate) },
+   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 
+     SEC_ASN1_XTRN | 2, 
+     offsetof (CRMFCertTemplate, signingAlg), 
+     SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 
+     SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 3, 
+     offsetof (CRMFCertTemplate, issuer), crmfPointerToNameTemplate },
+   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 4, 
+     offsetof (CRMFCertTemplate, validity), 
+     CRMFOptionalValidityTemplate },
+   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 
+     SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 5, 
+     offsetof (CRMFCertTemplate, subject), crmfPointerToNameTemplate },
+   { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 
+     SEC_ASN1_XTRN | 6, 
+     offsetof (CRMFCertTemplate, publicKey), 
+     SEC_ASN1_SUB(CERT_SubjectPublicKeyInfoTemplate) }, 
+   { SEC_ASN1_NO_STREAM | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 
+     SEC_ASN1_XTRN | 7,
+     offsetof (CRMFCertTemplate, issuerUID), 
+     SEC_ASN1_SUB(SEC_BitStringTemplate) },
+   { SEC_ASN1_NO_STREAM | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL |
+     SEC_ASN1_XTRN | 8,
+     offsetof (CRMFCertTemplate, subjectUID), 
+     SEC_ASN1_SUB(SEC_BitStringTemplate) },
+   { SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL | 
+     SEC_ASN1_CONTEXT_SPECIFIC | 9, 
+     offsetof (CRMFCertTemplate, extensions), 
+     CRMFSequenceOfCertExtensionTemplate },
+   { 0 }
+};
+
+static const SEC_ASN1Template CRMFAttributeTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFAttribute)},
+    { SEC_ASN1_OBJECT_ID, offsetof(CRMFAttribute, derTag)},
+    { SEC_ASN1_ANY, offsetof(CRMFAttribute, derValue) },
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFCertRequestTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (CRMFCertRequest) },
+    { SEC_ASN1_INTEGER, offsetof(CRMFCertRequest, certReqId)},
+    { SEC_ASN1_INLINE, offsetof(CRMFCertRequest, certTemplate), 
+      CRMFCertTemplateTemplate},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
+      offsetof(CRMFCertRequest,controls), 
+      CRMFControlTemplate}, /* SEQUENCE SIZE (1...MAX)*/
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFCertReqMsgTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFCertReqMsg) },
+    { SEC_ASN1_POINTER, offsetof(CRMFCertReqMsg, certReq),
+      CRMFCertRequestTemplate },
+    { SEC_ASN1_ANY | SEC_ASN1_OPTIONAL,
+      offsetof(CRMFCertReqMsg, derPOP) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
+      offsetof(CRMFCertReqMsg, regInfo), 
+      CRMFAttributeTemplate}, /* SEQUENCE SIZE (1...MAX)*/
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFCertReqMessagesTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, offsetof(CRMFCertReqMessages, messages), 
+      CRMFCertReqMsgTemplate, sizeof (CRMFCertReqMessages)}
+};
+
+static const SEC_ASN1Template CRMFPOPOSigningKeyInputTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL,sizeof(CRMFPOPOSigningKeyInput) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
+      SEC_ASN1_CONTEXT_SPECIFIC | 0,
+      offsetof(CRMFPOPOSigningKeyInput, authInfo.sender) },
+    { SEC_ASN1_BIT_STRING | SEC_ASN1_OPTIONAL | 1,
+      offsetof (CRMFPOPOSigningKeyInput, authInfo.publicKeyMAC) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN, 
+      offsetof(CRMFPOPOSigningKeyInput, publicKey), 
+      SEC_ASN1_SUB(CERT_SubjectPublicKeyInfoTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFRAVerifiedTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | 0 | SEC_ASN1_XTRN, 
+      0,
+      SEC_ASN1_SUB(SEC_NullTemplate) },
+    { 0 }
+};
+
+
+/* This template will need to add POPOSigningKeyInput eventually, maybe*/
+static const SEC_ASN1Template crmfPOPOSigningKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFPOPOSigningKey) },
+    { SEC_ASN1_NO_STREAM | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 
+      SEC_ASN1_XTRN | 0,
+      offsetof(CRMFPOPOSigningKey, derInput), 
+      SEC_ASN1_SUB(SEC_AnyTemplate) },
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN, 
+      offsetof(CRMFPOPOSigningKey, algorithmIdentifier),
+      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_BIT_STRING | SEC_ASN1_XTRN, 
+      offsetof(CRMFPOPOSigningKey, signature),
+      SEC_ASN1_SUB(SEC_BitStringTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFPOPOSigningKeyTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | 1,
+      0,
+      crmfPOPOSigningKeyTemplate},
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFThisMessageTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+      0,
+      SEC_ASN1_SUB(SEC_BitStringTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFSubsequentMessageTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
+      0, 
+      SEC_ASN1_SUB(SEC_IntegerTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFDHMACTemplate[] = {
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+      0,
+      SEC_ASN1_SUB(SEC_BitStringTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFPOPOKeyEnciphermentTemplate[] = {
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 
+      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2,
+      0,
+      SEC_ASN1_SUB(SEC_AnyTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFPOPOKeyAgreementTemplate[] = {
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 
+      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 3,
+      0,
+      SEC_ASN1_SUB(SEC_AnyTemplate)},
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFEncryptedValueTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFEncryptedValue)},
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 
+      SEC_ASN1_XTRN | 0,
+      offsetof(CRMFEncryptedValue, intendedAlg), 
+      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 
+      SEC_ASN1_XTRN | 1,
+      offsetof (CRMFEncryptedValue, symmAlg), 
+      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_NO_STREAM | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 
+      SEC_ASN1_XTRN | 2, 
+      offsetof(CRMFEncryptedValue, encSymmKey), 
+      SEC_ASN1_SUB(SEC_BitStringTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_POINTER | 
+      SEC_ASN1_XTRN | 3,
+      offsetof(CRMFEncryptedValue, keyAlg), 
+      SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_NO_STREAM | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 
+      SEC_ASN1_XTRN | 4,
+      offsetof(CRMFEncryptedValue, valueHint),
+      SEC_ASN1_SUB(SEC_OctetStringTemplate) },
+    { SEC_ASN1_BIT_STRING, offsetof(CRMFEncryptedValue, encValue) },
+    { 0 }
+};
+
+const SEC_ASN1Template CRMFEncryptedKeyWithEncryptedValueTemplate [] = {
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 
+      SEC_ASN1_CONTEXT_SPECIFIC | 0,
+      0,
+      CRMFEncryptedValueTemplate},
+    { 0 }
+};
+
+static const SEC_ASN1Template CRMFSinglePubInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (CRMFSinglePubInfo)},
+    { SEC_ASN1_INTEGER, offsetof(CRMFSinglePubInfo, pubMethod) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC,
+      offsetof(CRMFSinglePubInfo, pubLocation) },
+    { 0 }
+};
+
+static const SEC_ASN1Template CRMFPublicationInfoTemplate[] ={ 
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFPKIPublicationInfo) },
+    { SEC_ASN1_INTEGER, offsetof(CRMFPKIPublicationInfo, action) },
+    { SEC_ASN1_POINTER, offsetof(CRMFPKIPublicationInfo, pubInfos),
+      CRMFSinglePubInfoTemplate},
+    { 0 }
+};
diff --git a/security/nss/lib/crmf/encutil.c b/security/nss/lib/crmf/encutil.c
new file mode 100644
index 000000000..7862e1482
--- /dev/null
+++ b/security/nss/lib/crmf/encutil.c
@@ -0,0 +1,63 @@
+/* -*- Mode: C; tab-width: 8 -*- */
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "secasn1.h"
+#include "crmf.h"
+#include "crmfi.h"
+
+void
+crmf_encoder_out(void *arg, const char *buf, unsigned long len,
+		 int depth, SEC_ASN1EncodingPart data_kind)
+{
+    struct crmfEncoderOutput *output;
+
+    output = (struct crmfEncoderOutput*) arg;
+    output->fn (output->outputArg, buf, len);
+}
+
+SECStatus
+cmmf_user_encode(void *src, CRMFEncoderOutputCallback inCallback, void *inArg,
+		 const SEC_ASN1Template *inTemplate)
+{
+    struct crmfEncoderOutput output;
+
+    PORT_Assert(src != NULL);
+    if (src == NULL) {
+        return SECFailure;
+    }
+    output.fn        = inCallback;
+    output.outputArg = inArg;
+    return SEC_ASN1Encode(src, inTemplate, crmf_encoder_out, &output);    
+}
+
diff --git a/security/nss/lib/crmf/manifest.mn b/security/nss/lib/crmf/manifest.mn
new file mode 100644
index 000000000..67e145d09
--- /dev/null
+++ b/security/nss/lib/crmf/manifest.mn
@@ -0,0 +1,73 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+# 
+
+CORE_DEPTH = ../../..
+
+MODULE = security
+
+EXPORTS = \
+	crmf.h	\
+	crmft.h	\
+	cmmf.h  \
+	cmmft.h \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	crmfi.h   \
+	crmfit.h  \
+	cmmfi.h   \
+	cmmfit.h  \
+	$(NULL)
+
+CSRCS = crmfenc.c	\
+	crmftmpl.c	\
+	crmfreq.c	\
+	crmfpop.c	\
+	crmfdec.c	\
+	crmfget.c	\
+	crmfcont.c	\
+	cmmfasn1.c	\
+	cmmfresp.c	\
+	cmmfrec.c	\
+	cmmfchal.c	\
+	servget.c	\
+	encutil.c	\
+	respcli.c	\
+	respcmn.c	\
+	challcli.c	\
+	asn1cmn.c	\
+	$(NULL)
+
+REQUIRES = dbm
+
+LIBRARY_NAME = crmf
diff --git a/security/nss/lib/crmf/respcli.c b/security/nss/lib/crmf/respcli.c
new file mode 100644
index 000000000..9dac74a5e
--- /dev/null
+++ b/security/nss/lib/crmf/respcli.c
@@ -0,0 +1,167 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+
+/*
+ * This file will contain all routines needed by a client that has 
+ * to parse a CMMFCertRepContent structure and retirieve the appropriate
+ * data.
+ */
+
+#include "cmmf.h"
+#include "cmmfi.h"
+#include "crmf.h"
+#include "crmfi.h"
+#include "secitem.h"
+#include "secder.h"
+#include "secasn1.h"
+
+CMMFCertRepContent*
+CMMF_CreateCertRepContentFromDER(CERTCertDBHandle *db, const char *buf, 
+				 long len)
+{
+    PRArenaPool        *poolp;
+    CMMFCertRepContent *certRepContent;
+    SECStatus           rv;
+    int                 i;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        return NULL;
+    }
+    certRepContent = PORT_ArenaZNew(poolp, CMMFCertRepContent);
+    if (certRepContent == NULL) {
+        goto loser;
+    }
+    certRepContent->poolp = poolp;
+    rv = SEC_ASN1Decode(poolp, certRepContent, CMMFCertRepContentTemplate,
+			buf, len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    if (certRepContent->response != NULL) {
+        for (i=0; certRepContent->response[i] != NULL; i++) {
+	    rv = cmmf_decode_process_cert_response(poolp, db,
+					       certRepContent->response[i]);
+	    if (rv != SECSuccess) {
+	        goto loser;
+	    }
+	}
+    }
+    certRepContent->isDecoded = PR_TRUE;
+    return certRepContent;
+ loser:
+    PORT_FreeArena(poolp, PR_FALSE);
+    return NULL;
+}
+
+long
+CMMF_CertResponseGetCertReqId(CMMFCertResponse *inCertResp)
+{
+    PORT_Assert(inCertResp != NULL);
+    if (inCertResp == NULL) {
+        return -1;
+    }
+    return DER_GetInteger(&inCertResp->certReqId);
+}
+
+PRBool
+cmmf_CertRepContentIsIndexValid(CMMFCertRepContent *inCertRepContent,
+                                int                 inIndex)
+{
+    int numResponses;
+
+    PORT_Assert(inCertRepContent != NULL);
+    numResponses = CMMF_CertRepContentGetNumResponses(inCertRepContent);
+    return (PRBool)(inIndex >= 0 && inIndex < numResponses);
+}
+
+CMMFCertResponse*
+CMMF_CertRepContentGetResponseAtIndex(CMMFCertRepContent *inCertRepContent,
+				      int                 inIndex)
+{
+    CMMFCertResponse *certResponse;
+    SECStatus         rv;
+
+    PORT_Assert(inCertRepContent != NULL &&
+		cmmf_CertRepContentIsIndexValid(inCertRepContent, inIndex));
+    if (inCertRepContent == NULL ||
+	!cmmf_CertRepContentIsIndexValid(inCertRepContent, inIndex)) {
+        return NULL;
+    }
+    certResponse = PORT_ZNew(CMMFCertResponse);
+    rv = cmmf_CopyCertResponse(NULL, certResponse, 
+			       inCertRepContent->response[inIndex]);
+    if (rv != SECSuccess) {
+        CMMF_DestroyCertResponse(certResponse);
+	certResponse = NULL;
+    }
+    return certResponse;
+}
+
+CMMFPKIStatus
+CMMF_CertResponseGetPKIStatusInfoStatus(CMMFCertResponse *inCertResp)
+{
+    PORT_Assert(inCertResp != NULL);
+    if (inCertResp == NULL) {
+        return cmmfNoPKIStatus;
+    }
+    return cmmf_PKIStatusInfoGetStatus(&inCertResp->status);
+}
+
+CERTCertificate*
+CMMF_CertResponseGetCertificate(CMMFCertResponse *inCertResp,
+				CERTCertDBHandle *inCertdb)
+{
+    PORT_Assert(inCertResp != NULL);
+    if (inCertResp == NULL || inCertResp->certifiedKeyPair == NULL) {
+        return NULL;
+    }
+    
+    return cmmf_CertOrEncCertGetCertificate
+                                (&inCertResp->certifiedKeyPair->certOrEncCert,
+				 inCertdb);
+				   
+}
+
+CERTCertList*
+CMMF_CertRepContentGetCAPubs (CMMFCertRepContent *inCertRepContent)
+{
+    PORT_Assert (inCertRepContent != NULL);
+    if (inCertRepContent == NULL || inCertRepContent->caPubs == NULL) {
+        return NULL;
+    }
+    return cmmf_MakeCertList(inCertRepContent->caPubs);
+}
+
diff --git a/security/nss/lib/crmf/respcmn.c b/security/nss/lib/crmf/respcmn.c
new file mode 100644
index 000000000..d7c703ec0
--- /dev/null
+++ b/security/nss/lib/crmf/respcmn.c
@@ -0,0 +1,415 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "nssrenam.h"
+#include "cmmf.h"
+#include "cmmfi.h"
+#include "secitem.h"
+#include "secder.h"
+
+SECStatus 
+cmmf_DestroyPKIStatusInfo (CMMFPKIStatusInfo *info, PRBool freeit)
+{
+    if (info->status.data != NULL) {
+        PORT_Free(info->status.data);
+    }
+    if (info->statusString.data != NULL) {
+        PORT_Free(info->statusString.data);
+    }
+    if (info->failInfo.data != NULL) {
+        PORT_Free(info->failInfo.data);
+    }
+    if (freeit) {
+        PORT_Free(info);
+    }
+    return SECSuccess;
+}
+
+SECStatus
+CMMF_DestroyCertResponse(CMMFCertResponse *inCertResp)
+{
+    PORT_Assert(inCertResp != NULL);
+    if (inCertResp != NULL) {
+        if (inCertResp->certReqId.data != NULL) {
+	    PORT_Free(inCertResp->certReqId.data);
+	}
+	cmmf_DestroyPKIStatusInfo(&inCertResp->status, PR_FALSE);
+	if (inCertResp->certifiedKeyPair != NULL) {
+	    CMMF_DestroyCertifiedKeyPair(inCertResp->certifiedKeyPair);
+	}
+	PORT_Free(inCertResp);
+    }
+    return SECSuccess;
+}
+
+SECStatus
+CMMF_DestroyCertRepContent(CMMFCertRepContent *inCertRepContent)
+{
+    CMMFCertifiedKeyPair *certKeyPair;
+    int i;
+
+    PORT_Assert(inCertRepContent != NULL);
+    if (inCertRepContent != NULL && inCertRepContent->poolp != NULL) {
+	if (!inCertRepContent->isDecoded) {
+	  if (inCertRepContent->response != NULL) {
+	    for (i=0; inCertRepContent->response[i] != NULL; i++) {
+	        certKeyPair = inCertRepContent->response[i]->certifiedKeyPair;
+		if (certKeyPair != NULL                    &&
+		    certKeyPair->certOrEncCert.choice == cmmfCertificate &&
+		    certKeyPair->certOrEncCert.cert.certificate != NULL) {
+		    CERT_DestroyCertificate
+		                 (certKeyPair->certOrEncCert.cert.certificate);
+		}
+	    }
+	  }
+	  if (inCertRepContent->caPubs != NULL) {
+	    for (i=0; inCertRepContent->caPubs[i] != NULL; i++) {
+	        CERT_DestroyCertificate(inCertRepContent->caPubs[i]);
+	    }
+	  }
+	}
+        PORT_FreeArena(inCertRepContent->poolp, PR_TRUE);
+    }
+    return SECSuccess;
+}
+
+SECStatus
+CMMF_DestroyPOPODecKeyChallContent(CMMFPOPODecKeyChallContent *inDecKeyCont)
+{
+    PORT_Assert(inDecKeyCont != NULL);
+    if (inDecKeyCont != NULL && inDecKeyCont->poolp) {
+        PORT_FreeArena(inDecKeyCont->poolp, PR_FALSE);
+    }
+    return SECSuccess;
+}
+
+SECStatus
+crmf_create_prtime(SECItem *src, PRTime **dest)
+{
+   *dest = PORT_ZNew(PRTime);
+    return DER_UTCTimeToTime(*dest, src);
+}
+
+CRMFCertExtension*
+crmf_copy_cert_extension(PRArenaPool *poolp, CRMFCertExtension *inExtension)
+{
+    PRBool             isCritical;
+    SECOidTag          id;
+    SECItem           *data;
+    CRMFCertExtension *newExt;
+
+    PORT_Assert(inExtension != NULL);
+    if (inExtension == NULL) {
+        return NULL;
+    }
+    id         = CRMF_CertExtensionGetOidTag(inExtension);
+    isCritical = CRMF_CertExtensionGetIsCritical(inExtension);
+    data       = CRMF_CertExtensionGetValue(inExtension);
+    newExt = crmf_create_cert_extension(poolp, id, 
+					isCritical,
+					data);
+    SECITEM_FreeItem(data, PR_TRUE);
+    return newExt;    
+}
+
+static SECItem*
+cmmf_encode_certificate(CERTCertificate *inCert)
+{
+    return SEC_ASN1EncodeItem(NULL, NULL, inCert, 
+			      SEC_ASN1_GET(SEC_SignedCertificateTemplate));
+}
+
+CERTCertList*
+cmmf_MakeCertList(CERTCertificate **inCerts)
+{
+    CERTCertList    *certList;
+    CERTCertificate *currCert;
+    SECItem         *derCert, *freeCert = NULL;
+    SECStatus        rv;
+    int              i;
+
+    certList = CERT_NewCertList();
+    if (certList == NULL) {
+        return NULL;
+    }
+    for (i=0; inCerts[i] != NULL; i++) {
+        derCert = &inCerts[i]->derCert;
+	if (derCert->data == NULL) {
+	    derCert = freeCert = cmmf_encode_certificate(inCerts[i]);
+	}
+	currCert=CERT_DecodeDERCertificate(derCert, PR_TRUE, NULL);
+	if (freeCert != NULL) {
+	    SECITEM_FreeItem(freeCert, PR_TRUE);
+	    freeCert = NULL;
+	}
+	if (currCert == NULL) {
+	    goto loser;
+	}
+	rv = CERT_AddCertToListTail(certList, currCert);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+    return certList;
+ loser:
+    CERT_DestroyCertList(certList);
+    return NULL;
+}
+
+CMMFPKIStatus
+cmmf_PKIStatusInfoGetStatus(CMMFPKIStatusInfo *inStatus)
+{
+    long derVal;
+
+    derVal = DER_GetInteger(&inStatus->status);
+    if (derVal == -1 || derVal < cmmfGranted || derVal >= cmmfNumPKIStatus) {
+        return cmmfNoPKIStatus;
+    }
+    return (CMMFPKIStatus)derVal;
+}
+
+int
+CMMF_CertRepContentGetNumResponses(CMMFCertRepContent *inCertRepContent)
+{
+    int numResponses = 0;
+    PORT_Assert (inCertRepContent != NULL);
+    if (inCertRepContent != NULL && inCertRepContent->response != NULL) {
+        while (inCertRepContent->response[numResponses] != NULL) {
+	    numResponses++;
+	}
+    }
+    return numResponses;
+}
+
+
+SECStatus
+cmmf_DestroyCertOrEncCert(CMMFCertOrEncCert *certOrEncCert, PRBool freeit)
+{
+    switch (certOrEncCert->choice) {
+    case cmmfCertificate:
+        CERT_DestroyCertificate(certOrEncCert->cert.certificate);
+	break;
+    case cmmfEncryptedCert:
+        crmf_destroy_encrypted_value(certOrEncCert->cert.encryptedCert,
+				     PR_TRUE);
+	break;
+    default:
+        break;
+    }
+    if (freeit) {
+        PORT_Free(certOrEncCert);
+    }
+    return SECSuccess;
+}
+
+SECStatus
+cmmf_copy_secitem (PRArenaPool *poolp, SECItem *dest, SECItem *src)
+{
+    SECStatus rv;
+
+    if (src->data != NULL) {
+        rv = SECITEM_CopyItem(poolp, dest, src);
+    } else {
+        dest->data = NULL;
+	dest->len  = 0;
+	rv = SECSuccess;
+    }
+    return rv;
+}
+
+SECStatus
+CMMF_DestroyCertifiedKeyPair(CMMFCertifiedKeyPair *inCertKeyPair)
+{
+    PORT_Assert(inCertKeyPair != NULL);
+    if (inCertKeyPair != NULL) {
+        cmmf_DestroyCertOrEncCert(&inCertKeyPair->certOrEncCert, PR_FALSE);
+    }
+    if (inCertKeyPair->privateKey) {
+        crmf_destroy_encrypted_value(inCertKeyPair->privateKey, PR_TRUE);
+    }
+    if (inCertKeyPair->derPublicationInfo.data) {
+        PORT_Free(inCertKeyPair->derPublicationInfo.data);
+    }
+    PORT_Free(inCertKeyPair);
+    return SECSuccess;
+}
+
+SECStatus
+cmmf_CopyCertResponse(PRArenaPool      *poolp, 
+		      CMMFCertResponse *dest,
+		      CMMFCertResponse *src)
+{
+    SECStatus rv;
+
+    if (src->certReqId.data != NULL) {
+        rv = SECITEM_CopyItem(poolp, &dest->certReqId, &src->certReqId);
+	if (rv != SECSuccess) {
+	    return rv;
+	}
+    }
+    rv = cmmf_CopyPKIStatusInfo(poolp, &dest->status, &src->status);
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    if (src->certifiedKeyPair != NULL) {
+        dest->certifiedKeyPair = (poolp == NULL) ?
+                                  PORT_ZNew(CMMFCertifiedKeyPair) :
+	                          PORT_ArenaZNew(poolp, CMMFCertifiedKeyPair);
+	if (dest->certifiedKeyPair == NULL) {
+	    return SECFailure;
+	}
+        rv = cmmf_CopyCertifiedKeyPair(poolp, dest->certifiedKeyPair,
+				       src->certifiedKeyPair);
+	if (rv != SECSuccess) {
+	    return rv;
+	}
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+cmmf_CopyCertOrEncCert(PRArenaPool *poolp, CMMFCertOrEncCert *dest,
+		       CMMFCertOrEncCert *src)
+{
+    SECStatus           rv = SECSuccess;
+    CRMFEncryptedValue *encVal;
+
+    dest->choice = src->choice;
+    rv = cmmf_copy_secitem(poolp, &dest->derValue, &src->derValue);
+    switch (src->choice) {
+    case cmmfCertificate:
+        dest->cert.certificate = CERT_DupCertificate(src->cert.certificate);
+	break;
+    case cmmfEncryptedCert:
+        dest->cert.encryptedCert = encVal = (poolp == NULL) ?
+	                             PORT_ZNew(CRMFEncryptedValue) :
+				     PORT_ArenaZNew(poolp, CRMFEncryptedValue);
+	if (encVal == NULL) {
+	    return SECFailure;
+	}
+        rv = crmf_copy_encryptedvalue(poolp, src->cert.encryptedCert, encVal);
+	if (rv != SECSuccess) {
+	    return rv;
+	}
+	break;
+    default:
+        rv = SECFailure;
+    }
+    return rv;
+}
+
+SECStatus
+cmmf_CopyCertifiedKeyPair(PRArenaPool *poolp, CMMFCertifiedKeyPair *dest,
+			  CMMFCertifiedKeyPair *src)
+{
+    SECStatus rv;
+
+    rv = cmmf_CopyCertOrEncCert(poolp, &dest->certOrEncCert, 
+				&src->certOrEncCert);
+    if (rv != SECSuccess) {
+        return rv;
+    }
+
+    if (src->privateKey != NULL) {
+        CRMFEncryptedValue *encVal;
+
+	encVal = dest->privateKey = (poolp == NULL) ?
+	                             PORT_ZNew(CRMFEncryptedValue) :
+                                     PORT_ArenaZNew(poolp, CRMFEncryptedValue);
+	if (encVal == NULL) {
+	    return SECFailure;
+	}
+        rv = crmf_copy_encryptedvalue(poolp, src->privateKey, 
+				      dest->privateKey);
+	if (rv != SECSuccess) {
+	    return rv;
+	}
+    }
+    rv = cmmf_copy_secitem(poolp, &dest->derPublicationInfo, 
+			   &src->derPublicationInfo);
+    return rv;
+}
+
+SECStatus
+cmmf_CopyPKIStatusInfo(PRArenaPool *poolp, CMMFPKIStatusInfo *dest,
+		       CMMFPKIStatusInfo *src)
+{
+    SECStatus rv;
+
+    rv = cmmf_copy_secitem (poolp, &dest->status, &src->status);
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    rv = cmmf_copy_secitem (poolp, &dest->statusString, &src->statusString);
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    rv = cmmf_copy_secitem (poolp, &dest->failInfo, &src->failInfo);
+    return rv;
+}
+
+CERTCertificate*
+cmmf_CertOrEncCertGetCertificate(CMMFCertOrEncCert *certOrEncCert,
+				 CERTCertDBHandle  *certdb)
+{
+    if (certOrEncCert->choice           != cmmfCertificate || 
+	certOrEncCert->cert.certificate == NULL) {
+        return NULL;
+    }
+    return CERT_NewTempCertificate(certdb,
+				   &certOrEncCert->cert.certificate->derCert,
+				   NULL, PR_FALSE, PR_TRUE);
+}
+
+SECStatus 
+cmmf_PKIStatusInfoSetStatus(CMMFPKIStatusInfo    *statusInfo,
+			    PRArenaPool          *poolp,
+			    CMMFPKIStatus         inStatus)
+{
+    SECItem *dummy;
+    
+    if (inStatus <cmmfGranted || inStatus >= cmmfNumPKIStatus) {
+        return SECFailure;
+    }
+
+    dummy = SEC_ASN1EncodeInteger(poolp, &statusInfo->status, inStatus); 
+    PORT_Assert(dummy == &statusInfo->status);
+    if (dummy != &statusInfo->status) {
+        SECITEM_FreeItem(dummy, PR_TRUE);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+
diff --git a/security/nss/lib/crmf/servget.c b/security/nss/lib/crmf/servget.c
new file mode 100644
index 000000000..7b863d337
--- /dev/null
+++ b/security/nss/lib/crmf/servget.c
@@ -0,0 +1,1008 @@
+/* -*- Mode: C; tab-width: 8 -*-*/
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+
+#include "cmmf.h"
+#include "cmmfi.h"
+#include "secitem.h"
+#include "keyhi.h"
+#include "secder.h"
+
+CRMFEncryptedKeyChoice
+CRMF_EncryptedKeyGetChoice(CRMFEncryptedKey *inEncrKey)
+{
+    PORT_Assert(inEncrKey != NULL);
+    if (inEncrKey == NULL) {
+        return crmfNoEncryptedKeyChoice;
+    }
+    return inEncrKey->encKeyChoice;
+}
+
+CRMFEncryptedValue*
+CRMF_EncryptedKeyGetEncryptedValue(CRMFEncryptedKey *inEncrKey)
+{
+    CRMFEncryptedValue *newEncrValue = NULL;
+    SECStatus           rv;
+
+    PORT_Assert(inEncrKey != NULL);
+    if (inEncrKey == NULL ||
+	CRMF_EncryptedKeyGetChoice(inEncrKey) != crmfEncryptedValueChoice) {
+        goto loser;
+    }
+    newEncrValue = PORT_ZNew(CRMFEncryptedValue);
+    if (newEncrValue == NULL) {
+        goto loser;
+    }
+    rv = crmf_copy_encryptedvalue(NULL, &inEncrKey->value.encryptedValue,
+				  newEncrValue);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return newEncrValue;
+ loser:
+    if (newEncrValue != NULL) {
+        CRMF_DestroyEncryptedValue(newEncrValue);
+    }
+    return NULL;
+}
+
+static SECItem*
+crmf_get_encvalue_bitstring(SECItem *srcItem)
+{
+    SECItem   *newItem = NULL;
+    SECStatus rv;
+    
+    if (srcItem->data == NULL) {
+        return NULL;
+    }
+    newItem = PORT_ZNew(SECItem);
+    if (newItem == NULL) {
+        goto loser;
+    }
+    rv = crmf_make_bitstring_copy(NULL, newItem, srcItem);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return newItem;
+ loser:
+    if (newItem != NULL) {
+        SECITEM_FreeItem(newItem, PR_TRUE);
+    }
+    return NULL;
+}
+
+SECItem*
+CRMF_EncryptedValueGetEncSymmKey(CRMFEncryptedValue *inEncValue)
+{
+    if (inEncValue == NULL) {
+        return NULL;
+    }
+    return crmf_get_encvalue_bitstring(&inEncValue->encSymmKey);
+}
+
+SECItem*
+CRMF_EncryptedValueGetEncValue(CRMFEncryptedValue *inEncrValue)
+{
+    if (inEncrValue == NULL || inEncrValue->encValue.data == NULL) {
+        return NULL;
+    }
+    return crmf_get_encvalue_bitstring(&inEncrValue->encValue);
+}
+
+static SECAlgorithmID*
+crmf_get_encvalue_algid(SECAlgorithmID *srcAlg)
+{
+    SECStatus       rv;
+    SECAlgorithmID *newAlgID;
+    
+    if (srcAlg == NULL) {
+        return NULL;
+    }
+    rv = crmf_copy_encryptedvalue_secalg(NULL, srcAlg, &newAlgID);
+    if (rv != SECSuccess) {
+        return NULL;
+    }
+    return newAlgID;
+}
+
+SECAlgorithmID*
+CRMF_EncryptedValueGetIntendedAlg(CRMFEncryptedValue *inEncValue)
+{
+    if (inEncValue == NULL) {
+        return NULL;
+    }
+    return crmf_get_encvalue_algid(inEncValue->intendedAlg);
+}
+
+SECAlgorithmID*
+CRMF_EncryptedValueGetKeyAlg(CRMFEncryptedValue *inEncValue)
+{
+    if (inEncValue == NULL) {
+        return NULL;
+    }
+    return crmf_get_encvalue_algid(inEncValue->keyAlg);
+}
+
+SECAlgorithmID*
+CRMF_EncryptedValueGetSymmAlg(CRMFEncryptedValue *inEncValue)
+{
+    if (inEncValue == NULL) {
+        return NULL;
+    }
+    return crmf_get_encvalue_algid(inEncValue->symmAlg);
+}
+
+SECItem*
+CRMF_EncryptedValueGetValueHint(CRMFEncryptedValue *inEncValue)
+{
+    if (inEncValue == NULL || inEncValue->valueHint.data == NULL) {
+        return NULL;
+    }
+    return SECITEM_DupItem(&inEncValue->valueHint);
+}
+
+SECStatus
+CRMF_PKIArchiveOptionsGetArchiveRemGenPrivKey(CRMFPKIArchiveOptions *inOpt, 
+					      PRBool                *destVal)
+{
+    if (inOpt == NULL || destVal == NULL ||
+	CRMF_PKIArchiveOptionsGetOptionType(inOpt) != crmfArchiveRemGenPrivKey){
+        return SECFailure;
+    }
+    *destVal = (inOpt->option.archiveRemGenPrivKey.data[0] == hexFalse) 
+                                                                 ? PR_FALSE:
+                                                                   PR_TRUE;
+    return SECSuccess;
+}
+			     
+CRMFEncryptedKey*
+CRMF_PKIArchiveOptionsGetEncryptedPrivKey(CRMFPKIArchiveOptions *inOpts)
+{
+    CRMFEncryptedKey *newEncrKey = NULL;
+    SECStatus         rv;
+
+    PORT_Assert(inOpts != NULL);
+    if (inOpts == NULL ||
+	CRMF_PKIArchiveOptionsGetOptionType(inOpts) != crmfEncryptedPrivateKey){
+        return NULL;
+    }
+    newEncrKey = PORT_ZNew(CRMFEncryptedKey);
+    if (newEncrKey == NULL) {
+        goto loser;
+    }
+    rv = crmf_copy_encryptedkey(NULL, &inOpts->option.encryptedKey,
+				newEncrKey);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return newEncrKey;
+ loser:
+    if (newEncrKey != NULL) {
+        CRMF_DestroyEncryptedKey(newEncrKey);
+    }
+    return NULL;
+}
+
+SECItem*
+CRMF_PKIArchiveOptionsGetKeyGenParameters(CRMFPKIArchiveOptions *inOptions)
+{
+    if (inOptions == NULL ||
+	CRMF_PKIArchiveOptionsGetOptionType(inOptions) != crmfKeyGenParameters ||
+	inOptions->option.keyGenParameters.data == NULL) {
+        return NULL;
+    }
+    return SECITEM_DupItem(&inOptions->option.keyGenParameters);
+}
+
+CRMFPKIArchiveOptionsType
+CRMF_PKIArchiveOptionsGetOptionType(CRMFPKIArchiveOptions *inOptions)
+{
+    PORT_Assert (inOptions != NULL);
+    if (inOptions == NULL) {
+        return crmfNoArchiveOptions;
+    }
+    return inOptions->archOption;
+}
+
+static SECStatus
+crmf_extract_long_from_item(SECItem *intItem, long *destLong)
+{
+    *destLong = DER_GetInteger(intItem);
+    return (*destLong == -1) ? SECFailure : SECSuccess;
+}
+
+SECStatus
+CRMF_POPOPrivGetKeySubseqMess(CRMFPOPOPrivKey       *inKey,
+			      CRMFSubseqMessOptions *destOpt)
+{
+    long      value;
+    SECStatus rv;
+
+    PORT_Assert(inKey != NULL);
+    if (inKey == NULL ||
+	inKey->messageChoice != crmfSubsequentMessage) {
+        return SECFailure;
+    }
+    rv = crmf_extract_long_from_item(&inKey->message.subsequentMessage,&value);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+    switch (value) {
+    case 0:
+        *destOpt = crmfEncrCert;
+	break;
+    case 1:
+        *destOpt = crmfChallengeResp;
+	break;
+    default:
+        rv = SECFailure;
+    }
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    return SECSuccess;
+}
+
+CRMFPOPOPrivKeyChoice
+CRMF_POPOPrivKeyGetChoice(CRMFPOPOPrivKey *inPrivKey)
+{
+    PORT_Assert(inPrivKey != NULL);
+    if (inPrivKey != NULL) {
+        return inPrivKey->messageChoice;
+    }
+    return crmfNoMessage;
+}
+
+SECStatus
+CRMF_POPOPrivKeyGetDHMAC(CRMFPOPOPrivKey *inKey, SECItem *destMAC)
+{
+    PORT_Assert(inKey != NULL);
+    if (inKey == NULL || inKey->message.dhMAC.data == NULL) {
+        return SECFailure;
+    }
+    return crmf_make_bitstring_copy(NULL, destMAC, &inKey->message.dhMAC);
+}
+
+SECStatus
+CRMF_POPOPrivKeyGetThisMessage(CRMFPOPOPrivKey  *inKey,
+			       SECItem          *destString)
+{
+    PORT_Assert(inKey != NULL);
+    if (inKey == NULL           ||
+	inKey->messageChoice != crmfThisMessage) {
+        return SECFailure;
+    }
+
+    return crmf_make_bitstring_copy(NULL, destString, 
+				    &inKey->message.thisMessage);
+}
+
+SECAlgorithmID*
+CRMF_POPOSigningKeyGetAlgID(CRMFPOPOSigningKey *inSignKey)
+{
+    SECAlgorithmID *newAlgId = NULL;
+    SECStatus       rv;
+
+    PORT_Assert(inSignKey != NULL);
+    if (inSignKey == NULL) {
+        return NULL;
+    }
+    newAlgId = PORT_ZNew(SECAlgorithmID);
+    if (newAlgId == NULL) {
+        goto loser;
+    }
+    rv = SECOID_CopyAlgorithmID(NULL, newAlgId, 
+				inSignKey->algorithmIdentifier);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return newAlgId;
+
+ loser:
+    if (newAlgId != NULL) {
+        SECOID_DestroyAlgorithmID(newAlgId, PR_TRUE);
+    }
+    return NULL;
+}
+
+SECItem*
+CRMF_POPOSigningKeyGetInput(CRMFPOPOSigningKey *inSignKey)
+{
+    PORT_Assert(inSignKey != NULL);
+    if (inSignKey == NULL || inSignKey->derInput.data == NULL) {
+        return NULL;
+    }
+    return SECITEM_DupItem(&inSignKey->derInput);
+}
+
+SECItem*
+CRMF_POPOSigningKeyGetSignature(CRMFPOPOSigningKey *inSignKey)
+{
+    SECItem   *newSig = NULL;
+    SECStatus  rv;
+
+    PORT_Assert(inSignKey != NULL);
+    if (inSignKey == NULL) {
+        return NULL;
+    }
+    newSig = PORT_ZNew(SECItem);
+    if (newSig == NULL) {
+        goto loser;
+    }
+    rv = crmf_make_bitstring_copy(NULL, newSig, &inSignKey->signature);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return newSig;
+ loser:
+    if (newSig != NULL) {
+        SECITEM_FreeItem(newSig, PR_TRUE);
+    }
+    return NULL;
+}
+
+static SECStatus 
+crmf_copy_poposigningkey(PRArenaPool        *poolp, 
+			 CRMFPOPOSigningKey *inPopoSignKey,
+			 CRMFPOPOSigningKey *destPopoSignKey)
+{
+    SECStatus rv;
+
+    /* We don't support use of the POPOSigningKeyInput, so we'll only 
+     * store away the DER encoding.
+     */
+    if (inPopoSignKey->derInput.data != NULL) {
+        rv = SECITEM_CopyItem(poolp, &destPopoSignKey->derInput, 
+			      &inPopoSignKey->derInput);
+    }
+    destPopoSignKey->algorithmIdentifier = (poolp == NULL) ? 
+                                         PORT_ZNew(SECAlgorithmID) :
+                                         PORT_ArenaZNew(poolp, SECAlgorithmID);
+
+    if (destPopoSignKey->algorithmIdentifier == NULL) {
+        goto loser;
+    }
+    rv = SECOID_CopyAlgorithmID(poolp, destPopoSignKey->algorithmIdentifier,
+				inPopoSignKey->algorithmIdentifier);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    
+    rv = crmf_make_bitstring_copy(poolp, &destPopoSignKey->signature, 
+				  &inPopoSignKey->signature);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return SECSuccess;
+ loser:
+    if (destPopoSignKey && poolp == NULL) {
+        CRMF_DestroyPOPOSigningKey(destPopoSignKey);
+    }
+    return SECFailure;
+}
+
+static SECStatus
+crmf_copy_popoprivkey(PRArenaPool     *poolp,
+		      CRMFPOPOPrivKey *srcPrivKey,
+		      CRMFPOPOPrivKey *destPrivKey)
+{
+    SECStatus        rv;
+
+    destPrivKey->messageChoice = srcPrivKey->messageChoice;
+    switch (destPrivKey->messageChoice) {
+    case crmfThisMessage:
+    case crmfDHMAC:
+        /* I've got a union, so taking the address of one, will also give
+	 * me a pointer to the other (eg, message.dhMAC)
+	 */
+        rv = crmf_make_bitstring_copy(poolp, &destPrivKey->message.thisMessage,
+				      &srcPrivKey->message.thisMessage);
+	break;
+    case crmfSubsequentMessage:
+        rv = SECITEM_CopyItem(poolp, &destPrivKey->message.subsequentMessage,
+			      &srcPrivKey->message.subsequentMessage);
+	break;
+    default:
+        rv = SECFailure;
+    }
+
+    if (rv != SECSuccess) {
+        if (destPrivKey && poolp == NULL) {
+	    CRMF_DestroyPOPOPrivKey(destPrivKey);
+	}
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+static CRMFProofOfPossession*
+crmf_copy_pop(PRArenaPool *poolp, CRMFProofOfPossession *srcPOP)
+{
+    CRMFProofOfPossession *newPOP;
+    SECStatus              rv;
+
+    /* 
+     * Proof Of Possession structures are always part of the Request
+     * message, so there will always be an arena for allocating memory.
+     */
+    if (poolp == NULL) {
+        return NULL;
+    }
+    newPOP = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
+    if (newPOP == NULL) {
+        return NULL;
+    }
+    switch (srcPOP->popUsed) {
+    case crmfRAVerified:
+        newPOP->popChoice.raVerified.data = NULL;
+	newPOP->popChoice.raVerified.len  = 0;
+	break;
+    case crmfSignature:
+        rv = crmf_copy_poposigningkey(poolp, &srcPOP->popChoice.signature,
+				      &newPOP->popChoice.signature);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+	break;
+    case crmfKeyEncipherment:
+    case crmfKeyAgreement:
+        /* We've got a union, so a pointer to one, is a pointer to the
+	 * other one.
+	 */
+        rv = crmf_copy_popoprivkey(poolp, &srcPOP->popChoice.keyEncipherment,
+				   &newPOP->popChoice.keyEncipherment);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+	break;
+    default:
+        goto loser;
+    }
+    newPOP->popUsed = srcPOP->popUsed;
+    return newPOP;
+
+ loser:
+    return NULL;
+}
+
+static CRMFCertReqMsg*
+crmf_copy_cert_req_msg(CRMFCertReqMsg *srcReqMsg)
+{
+    CRMFCertReqMsg *newReqMsg;
+    PRArenaPool    *poolp;
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        return NULL;
+    }
+    newReqMsg = PORT_ArenaZNew(poolp, CRMFCertReqMsg);
+    newReqMsg->poolp = poolp;
+    if (newReqMsg == NULL) {
+        goto loser;
+    }
+    newReqMsg->certReq = crmf_copy_cert_request(poolp, srcReqMsg->certReq);
+    if (newReqMsg->certReq == NULL) {
+        goto loser;
+    }
+    newReqMsg->pop = crmf_copy_pop(poolp, srcReqMsg->pop);
+    if (newReqMsg->pop == NULL) {
+        goto loser;
+    }
+    /* None of my set/get routines operate on the regInfo field, so
+     * for now, that won't get copied over.
+     */
+    return newReqMsg;
+
+ loser:
+    if (newReqMsg != NULL) {
+        CRMF_DestroyCertReqMsg(newReqMsg);
+    }
+    return NULL;
+}
+
+CRMFCertReqMsg*
+CRMF_CertReqMessagesGetCertReqMsgAtIndex(CRMFCertReqMessages *inReqMsgs,
+					 int                  index)
+{
+    int numMsgs;
+
+    PORT_Assert(inReqMsgs != NULL && index >= 0);
+    if (inReqMsgs == NULL) {
+        return NULL;
+    }
+    numMsgs = CRMF_CertReqMessagesGetNumMessages(inReqMsgs);
+    if (index < 0 || index >= numMsgs) {
+        return NULL;
+    }
+    return crmf_copy_cert_req_msg(inReqMsgs->messages[index]);
+}
+
+int
+CRMF_CertReqMessagesGetNumMessages(CRMFCertReqMessages *inCertReqMsgs)
+{
+    int numMessages = 0;
+
+    PORT_Assert(inCertReqMsgs != NULL);
+    if (inCertReqMsgs == NULL) {
+        return 0;
+    }
+    while (inCertReqMsgs->messages[numMessages] != NULL) {
+        numMessages++;
+    }
+    return numMessages;
+}
+
+CRMFCertRequest*
+CRMF_CertReqMsgGetCertRequest(CRMFCertReqMsg *inCertReqMsg)
+{
+    PRArenaPool     *poolp      = NULL;
+    CRMFCertRequest *newCertReq = NULL;
+
+    PORT_Assert(inCertReqMsg != NULL);
+
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+    if (poolp == NULL) {
+        goto loser;
+    }
+    newCertReq = crmf_copy_cert_request(poolp, inCertReqMsg->certReq);
+    if (newCertReq == NULL) {
+        goto loser;
+    }
+    newCertReq->poolp = poolp;
+    return newCertReq;
+ loser:
+    if (poolp != NULL) {
+        PORT_FreeArena(poolp, PR_FALSE);
+    }
+    return NULL;
+}
+
+SECStatus
+CRMF_CertReqMsgGetID(CRMFCertReqMsg *inCertReqMsg, long *destID)
+{
+    PORT_Assert(inCertReqMsg != NULL && destID != NULL);
+    if (inCertReqMsg == NULL || inCertReqMsg->certReq == NULL) {
+        return SECFailure;
+    }
+    return crmf_extract_long_from_item(&inCertReqMsg->certReq->certReqId, 
+				       destID);
+}
+
+SECStatus
+CRMF_CertReqMsgGetPOPKeyAgreement(CRMFCertReqMsg   *inCertReqMsg,
+				  CRMFPOPOPrivKey **destKey)
+{
+    PORT_Assert(inCertReqMsg != NULL && destKey != NULL);
+    if (inCertReqMsg == NULL || destKey == NULL ||
+	CRMF_CertReqMsgGetPOPType(inCertReqMsg) != crmfKeyAgreement) {
+        return SECFailure;
+    }
+    *destKey = PORT_ZNew(CRMFPOPOPrivKey);
+    if (*destKey == NULL) {
+        return SECFailure;
+    }
+    return crmf_copy_popoprivkey(NULL,
+				 &inCertReqMsg->pop->popChoice.keyAgreement,
+				 *destKey);
+}
+
+SECStatus
+CRMF_CertReqMsgGetPOPKeyEncipherment(CRMFCertReqMsg   *inCertReqMsg,
+				     CRMFPOPOPrivKey **destKey)
+{
+    PORT_Assert(inCertReqMsg != NULL && destKey != NULL);
+    if (inCertReqMsg == NULL || destKey == NULL ||
+	CRMF_CertReqMsgGetPOPType(inCertReqMsg) != crmfKeyEncipherment) {
+        return SECFailure;
+    }
+    *destKey = PORT_ZNew(CRMFPOPOPrivKey);
+    if (destKey == NULL) {
+       return SECFailure;
+    }
+    return crmf_copy_popoprivkey(NULL,
+				 &inCertReqMsg->pop->popChoice.keyEncipherment,
+				 *destKey);
+}
+
+SECStatus
+CRMF_CertReqMsgGetPOPOSigningKey(CRMFCertReqMsg      *inCertReqMsg,
+				 CRMFPOPOSigningKey **destKey)
+{
+    CRMFProofOfPossession *pop;
+    PORT_Assert(inCertReqMsg != NULL);
+    if (inCertReqMsg  == NULL) {
+        return SECFailure;
+    }
+    pop = inCertReqMsg->pop;;
+    if (pop->popUsed != crmfSignature) {
+        return SECFailure;
+    }
+    *destKey = PORT_ZNew(CRMFPOPOSigningKey);
+    if (*destKey == NULL) {
+        return SECFailure;
+    }
+    return crmf_copy_poposigningkey(NULL,&pop->popChoice.signature, *destKey);
+}
+
+static SECStatus
+crmf_copy_name(CERTName *destName, CERTName *srcName)
+{
+  PRArenaPool *poolp = NULL;
+  SECStatus rv;
+
+  if (destName->arena != NULL) {
+    poolp = destName->arena;
+  } else {
+    poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
+  }
+  if (poolp == NULL) {
+    return SECFailure;
+  }
+  /* Need to do this so that CERT_CopyName doesn't free out
+   * the arena from underneath us.
+   */
+  destName->arena = NULL;
+  rv = CERT_CopyName(poolp, destName, srcName); 
+  destName->arena = poolp;
+  return rv;
+}
+
+SECStatus
+CRMF_CertRequestGetCertTemplateIssuer(CRMFCertRequest *inCertReq,
+				      CERTName        *destIssuer)
+{
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq == NULL) {
+        return SECFailure;
+    }
+    if (CRMF_DoesRequestHaveField(inCertReq, crmfIssuer)) {
+        return crmf_copy_name(destIssuer, 
+			      inCertReq->certTemplate.issuer);
+    }
+    return SECFailure;
+}
+
+SECStatus 
+CRMF_CertRequestGetCertTemplateIssuerUID(CRMFCertRequest *inCertReq,
+					 SECItem         *destIssuerUID)
+{
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq == NULL) {
+        return SECFailure;
+    }
+    if (CRMF_DoesRequestHaveField(inCertReq, crmfIssuerUID)) {
+        return crmf_make_bitstring_copy(NULL, destIssuerUID,
+					&inCertReq->certTemplate.issuerUID);
+    }
+    return SECFailure;
+}
+
+SECStatus
+CRMF_CertRequestGetCertTemplatePublicKey(CRMFCertRequest          *inCertReq,
+				       CERTSubjectPublicKeyInfo *destPublicKey)
+{
+    PORT_Assert (inCertReq != NULL);
+    if (inCertReq == NULL) {
+        return SECFailure;
+    }
+    if (CRMF_DoesRequestHaveField(inCertReq, crmfPublicKey)) {
+        return SECKEY_CopySubjectPublicKeyInfo(NULL, destPublicKey,
+					inCertReq->certTemplate.publicKey);
+    }
+    return SECFailure;
+}
+
+SECStatus
+CRMF_CertRequestGetCertTemplateSerialNumber(CRMFCertRequest *inCertReq,
+					    long            *serialNumber)
+{
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq == NULL) {
+        return SECFailure;
+    }
+    if (CRMF_DoesRequestHaveField(inCertReq, crmfSerialNumber)) {
+        return 
+	  crmf_extract_long_from_item(&inCertReq->certTemplate.serialNumber,
+				      serialNumber);
+    }
+    return SECFailure;
+}
+
+SECStatus
+CRMF_CertRequestGetCertTemplateSigningAlg(CRMFCertRequest *inCertReq,
+					  SECAlgorithmID  *destAlg)
+{
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq == NULL) {
+        return SECFailure;
+    }
+    if (CRMF_DoesRequestHaveField(inCertReq, crmfSigningAlg)) {
+        return SECOID_CopyAlgorithmID(NULL, destAlg, 
+				      inCertReq->certTemplate.signingAlg);
+    }
+    return SECFailure;
+}
+
+SECStatus 
+CRMF_CertRequestGetCertTemplateSubject(CRMFCertRequest *inCertReq,
+				       CERTName        *destSubject)
+{
+  PORT_Assert(inCertReq != NULL);
+  if (inCertReq == NULL) {
+      return SECFailure;
+  }
+  if (CRMF_DoesRequestHaveField(inCertReq, crmfSubject)) {
+      return crmf_copy_name(destSubject, inCertReq->certTemplate.subject);
+  }
+  return SECFailure;
+}
+
+SECStatus
+CRMF_CertRequestGetCertTemplateSubjectUID(CRMFCertRequest *inCertReq,
+					  SECItem         *destSubjectUID)
+{
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq == NULL) {
+        return SECFailure;
+    }
+    if (CRMF_DoesRequestHaveField(inCertReq, crmfSubjectUID)) {
+        return crmf_make_bitstring_copy(NULL, destSubjectUID, 
+					&inCertReq->certTemplate.subjectUID);
+    }
+    return SECFailure;
+}
+
+SECStatus 
+CRMF_CertRequestGetCertTemplateVersion(CRMFCertRequest *inCertReq, 
+				       long            *version)
+{
+    PORT_Assert (inCertReq != NULL);
+    if (inCertReq == NULL) {
+        return SECFailure;
+    }
+    if (CRMF_DoesRequestHaveField(inCertReq, crmfVersion)) {
+        return crmf_extract_long_from_item(&inCertReq->certTemplate.version,
+					   version);
+    } 
+    return SECFailure;
+}
+
+static SECStatus
+crmf_copy_validity(CRMFGetValidity      *destValidity,
+		   CRMFOptionalValidity *src)
+{
+    SECStatus rv;
+    
+    destValidity->notBefore = destValidity->notAfter = NULL;
+    if (src->notBefore.data != NULL) {
+        rv = crmf_create_prtime(&src->notBefore, 
+				&destValidity->notBefore);
+	if (rv != SECSuccess) {
+	    return rv;
+	}
+    }
+    if (src->notAfter.data != NULL) {
+        rv = crmf_create_prtime(&src->notAfter,
+				&destValidity->notAfter);
+	if (rv != SECSuccess) {
+	    return rv;
+	}
+    }
+    return SECSuccess;
+}
+
+SECStatus 
+CRMF_CertRequestGetCertTemplateValidity(CRMFCertRequest *inCertReq,
+					CRMFGetValidity *destValidity)
+{
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq == NULL) {
+        return SECFailure;
+    }
+    if (CRMF_DoesRequestHaveField(inCertReq, crmfValidity)) {
+        return crmf_copy_validity(destValidity, 
+				  inCertReq->certTemplate.validity);
+    }
+    return SECFailure;
+}
+
+CRMFControl*
+CRMF_CertRequestGetControlAtIndex(CRMFCertRequest *inCertReq, int index)
+{
+    CRMFControl *newControl, *srcControl;
+    int          numControls;
+    SECStatus    rv;
+
+    PORT_Assert(inCertReq != NULL);
+    if (inCertReq == NULL) {
+        return NULL;
+    }
+    numControls = CRMF_CertRequestGetNumControls(inCertReq);
+    if (index >= numControls || index < 0) {
+        return NULL;
+    }
+    newControl = PORT_ZNew(CRMFControl);
+    if (newControl == NULL) {
+        return NULL;
+    }
+    srcControl = inCertReq->controls[index];
+    newControl->tag = srcControl->tag;
+    rv = SECITEM_CopyItem (NULL, &newControl->derTag, &srcControl->derTag);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = SECITEM_CopyItem(NULL, &newControl->derValue, 
+			  &srcControl->derValue);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    /* Copy over the PKIArchiveOptions stuff */
+    switch (srcControl->tag) {
+    case SEC_OID_PKIX_REGCTRL_REGTOKEN:
+    case SEC_OID_PKIX_REGCTRL_AUTHENTICATOR:
+        /* No further processing necessary for these types. */
+        rv = SECSuccess;
+	break;
+    case SEC_OID_PKIX_REGCTRL_OLD_CERT_ID:
+    case SEC_OID_PKIX_REGCTRL_PKIPUBINFO:
+    case SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY:
+        /* These aren't supported yet, so no post-processing will
+	 * be done at this time.  But we don't want to fail in case
+	 * we read in DER that has one of these options.
+	 */
+        rv = SECSuccess;
+	break;
+    case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
+        rv = crmf_copy_pkiarchiveoptions(NULL, 
+					 &newControl->value.archiveOptions,
+					 &srcControl->value.archiveOptions);
+	break;
+    default:
+        rv = SECFailure;
+    }
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    return newControl;
+ loser:
+    if (newControl != NULL) {
+        CRMF_DestroyControl(newControl);
+    }
+    return NULL;
+}
+
+static SECItem*
+crmf_copy_control_value(CRMFControl *inControl)
+{
+    return SECITEM_DupItem(&inControl->derValue);
+}
+
+SECItem*
+CRMF_ControlGetAuthenticatorControlValue(CRMFControl *inControl)
+{
+    PORT_Assert (inControl!= NULL);
+    if (inControl == NULL ||
+	CRMF_ControlGetControlType(inControl) != crmfAuthenticatorControl) {
+        return NULL;
+    }
+    return crmf_copy_control_value(inControl);
+}
+
+CRMFControlType
+CRMF_ControlGetControlType(CRMFControl *inControl)
+{
+    CRMFControlType retType;
+
+    PORT_Assert(inControl != NULL);
+    switch (inControl->tag) {
+    case SEC_OID_PKIX_REGCTRL_REGTOKEN:
+        retType = crmfRegTokenControl;
+	break;
+    case SEC_OID_PKIX_REGCTRL_AUTHENTICATOR:
+        retType = crmfAuthenticatorControl;
+	break;
+    case SEC_OID_PKIX_REGCTRL_PKIPUBINFO:
+        retType = crmfPKIPublicationInfoControl;
+	break;
+    case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS:
+        retType = crmfPKIArchiveOptionsControl;
+	break;
+    case SEC_OID_PKIX_REGCTRL_OLD_CERT_ID:
+        retType = crmfOldCertIDControl;
+	break;
+    case SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY:
+        retType = crmfProtocolEncrKeyControl;
+	break;
+    default:
+        retType = crmfNoControl;
+    }
+    return retType;
+}
+
+CRMFPKIArchiveOptions*
+CRMF_ControlGetPKIArchiveOptions(CRMFControl *inControl)
+{
+    CRMFPKIArchiveOptions *newOpt = NULL;
+    SECStatus rv;
+
+    PORT_Assert(inControl != NULL);
+    if (inControl == NULL ||
+	CRMF_ControlGetControlType(inControl) != crmfPKIArchiveOptionsControl){
+        goto loser;
+    }
+    newOpt = PORT_ZNew(CRMFPKIArchiveOptions);
+    if (newOpt == NULL) {
+        goto loser;
+    }
+    rv = crmf_copy_pkiarchiveoptions(NULL, newOpt, 
+				     &inControl->value.archiveOptions);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+ loser:
+    if (newOpt != NULL) {
+        CRMF_DestroyPKIArchiveOptions(newOpt);
+    }
+    return NULL;
+}
+
+SECItem*
+CRMF_ControlGetRegTokenControlValue(CRMFControl *inControl)
+{
+    PORT_Assert(inControl != NULL);
+    if (inControl == NULL ||
+	CRMF_ControlGetControlType(inControl) != crmfRegTokenControl) {
+        return NULL;
+    }
+    return crmf_copy_control_value(inControl);;
+}
+
+CRMFCertExtension*
+CRMF_CertRequestGetExtensionAtIndex(CRMFCertRequest *inCertReq,
+				    int              index)
+{
+    int numExtensions;
+
+    PORT_Assert(inCertReq != NULL);
+    numExtensions = CRMF_CertRequestGetNumberOfExtensions(inCertReq);
+    if (index >= numExtensions || index < 0) {
+        return NULL;
+    }
+    return 
+      crmf_copy_cert_extension(NULL, 
+			       inCertReq->certTemplate.extensions[index]);
+}
+
diff --git a/security/nss/lib/cryptohi/Makefile b/security/nss/lib/cryptohi/Makefile
new file mode 100644
index 000000000..ced902117
--- /dev/null
+++ b/security/nss/lib/cryptohi/Makefile
@@ -0,0 +1,77 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+-include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+export:: private_export
+
diff --git a/security/nss/lib/cryptohi/config.mk b/security/nss/lib/cryptohi/config.mk
new file mode 100644
index 000000000..0a00dc61e
--- /dev/null
+++ b/security/nss/lib/cryptohi/config.mk
@@ -0,0 +1,43 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/cryptohi/cryptohi.h b/security/nss/lib/cryptohi/cryptohi.h
new file mode 100644
index 000000000..28359cb65
--- /dev/null
+++ b/security/nss/lib/cryptohi/cryptohi.h
@@ -0,0 +1,249 @@
+/*
+ * crypto.h - public data structures and prototypes for the crypto library
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#ifndef _CRYPTOHI_H_
+#define _CRYPTOHI_H_
+
+#include "blapi.h"
+
+#include "seccomon.h"
+#include "secoidt.h"
+#include "secdert.h"
+#include "cryptoht.h"
+#include "keyt.h"
+#include "certt.h"
+
+
+SEC_BEGIN_PROTOS
+
+
+/****************************************/
+/*
+** DER encode/decode DSA signatures
+*/
+
+/* ANSI X9.57 defines DSA signatures as DER encoded data.  Our DSA code (and
+ * most of the rest of the world) just generates 40 bytes of raw data.  These
+ * functions convert between formats.
+ */
+extern SECStatus DSAU_EncodeDerSig(SECItem *dest, SECItem *src);
+extern SECItem *DSAU_DecodeDerSig(SECItem *item);
+
+
+
+/****************************************/
+/*
+** Signature creation operations
+*/
+
+/*
+** Create a new signature context used for signing a data stream.
+**	"alg" the signature algorithm to use (e.g. SEC_OID_RSA_WITH_MD5)
+**	"privKey" the private key to use
+*/
+extern SGNContext *SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *privKey);
+
+/*
+** Destroy a signature-context object
+**	"key" the object
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void SGN_DestroyContext(SGNContext *cx, PRBool freeit);
+
+/*
+** Reset the signing context "cx" to its initial state, preparing it for
+** another stream of data.
+*/
+extern SECStatus SGN_Begin(SGNContext *cx);
+
+/*
+** Update the signing context with more data to sign.
+**	"cx" the context
+**	"input" the input data to sign
+**	"inputLen" the length of the input data
+*/
+extern SECStatus SGN_Update(SGNContext *cx, unsigned char *input,
+			   unsigned int inputLen);
+
+/*
+** Finish the signature process. Use either k0 or k1 to sign the data
+** stream that was input using SGN_Update. The resulting signature is
+** formatted using PKCS#1 and then encrypted using RSA private or public
+** encryption.
+**	"cx" the context
+**	"result" the final signature data (memory is allocated)
+*/
+extern SECStatus SGN_End(SGNContext *cx, SECItem *result);
+
+/*
+** Sign a single block of data using private key encryption and given
+** signature/hash algorithm.
+**	"result" the final signature data (memory is allocated)
+**	"buf" the input data to sign
+**	"len" the amount of data to sign
+**	"pk" the private key to encrypt with
+**	"algid" the signature/hash algorithm to sign with 
+**		(must be compatible with the key type).
+*/
+extern SECStatus SEC_SignData(SECItem *result, unsigned char *buf, int len,
+			     SECKEYPrivateKey *pk, SECOidTag algid);
+
+/*
+** Sign a pre-digested block of data using private key encryption, encoding
+**  The given signature/hash algorithm.
+**	"result" the final signature data (memory is allocated)
+**	"digest" the digest to sign
+**	"pk" the private key to encrypt with
+**	"algtag" The algorithm tag to encode (need for RSA only)
+*/
+extern SECStatus SGN_Digest(SECKEYPrivateKey *privKey,
+                SECOidTag algtag, SECItem *result, SECItem *digest);
+
+/*
+** DER sign a single block of data using private key encryption and the
+** MD5 hashing algorithm. This routine first computes a digital signature
+** using SEC_SignData, then wraps it with an CERTSignedData and then der
+** encodes the result.
+**	"arena" is the memory arena to use to allocate data from
+** 	"result" the final der encoded data (memory is allocated)
+** 	"buf" the input data to sign
+** 	"len" the amount of data to sign
+** 	"pk" the private key to encrypt with
+*/
+extern SECStatus SEC_DerSignData(PRArenaPool *arena, SECItem *result,
+				unsigned char *buf, int len,
+				SECKEYPrivateKey *pk, SECOidTag algid);
+
+/*
+** Destroy a signed-data object.
+**	"sd" the object
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void SEC_DestroySignedData(CERTSignedData *sd, PRBool freeit);
+
+/****************************************/
+/*
+** Signature verification operations
+*/
+
+/*
+** Create a signature verification context.
+**	"key" the public key to verify with
+**	"sig" the encrypted signature data if sig is NULL then
+**	   VFY_EndWithSignature must be called with the correct signature at
+**	   the end of the processing.
+**	"algid" specifies the signing algorithm to use.  This must match
+**	    the key type.
+**	"wincx" void pointer to the window context
+*/
+extern VFYContext *VFY_CreateContext(SECKEYPublicKey *key, SECItem *sig,
+				     SECOidTag algid, void *wincx);
+
+/*
+** Destroy a verification-context object.
+**	"cx" the context to destroy
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void VFY_DestroyContext(VFYContext *cx, PRBool freeit);
+
+extern SECStatus VFY_Begin(VFYContext *cx);
+
+/*
+** Update a verification context with more input data. The input data
+** is fed to a secure hash function (depending on what was in the
+** encrypted signature data).
+**	"cx" the context
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+extern SECStatus VFY_Update(VFYContext *cx, unsigned char *input,
+			    unsigned int inputLen);
+
+/*
+** Finish the verification process. The return value is a status which
+** indicates success or failure. On success, the SECSuccess value is
+** returned. Otherwise, SECFailure is returned and the error code found
+** using PORT_GetError() indicates what failure occurred.
+** 	"cx" the context
+*/
+extern SECStatus VFY_End(VFYContext *cx);
+
+/*
+** Finish the verification process. The return value is a status which
+** indicates success or failure. On success, the SECSuccess value is
+** returned. Otherwise, SECFailure is returned and the error code found
+** using PORT_GetError() indicates what failure occurred. If signature is
+** supplied the verification uses this signature to verify, otherwise the
+** signature passed in VFY_CreateContext() is used. 
+** VFY_EndWithSignature(cx,NULL); is identical to VFY_End(cx);.
+** 	"cx" the context
+** 	"sig" the encrypted signature data
+*/
+extern SECStatus VFY_EndWithSignature(VFYContext *cx, SECItem *sig);
+
+
+/*
+** Verify the signature on a block of data for which we already have
+** the digest. The signature data is an RSA private key encrypted
+** block of data formatted according to PKCS#1.
+** 	"dig" the digest
+** 	"key" the public key to check the signature with
+** 	"sig" the encrypted signature data
+**	"algid" specifies the signing algorithm to use.  This must match
+**	    the key type.
+**/
+extern SECStatus VFY_VerifyDigest(SECItem *dig, SECKEYPublicKey *key,
+				  SECItem *sig, SECOidTag algid, void *wincx);
+
+/*
+** Verify the signature on a block of data. The signature data is an RSA
+** private key encrypted block of data formatted according to PKCS#1.
+** 	"buf" the input data
+** 	"len" the length of the input data
+** 	"key" the public key to check the signature with
+** 	"sig" the encrypted signature data
+**	"algid" specifies the signing algorithm to use.  This must match
+**	    the key type.
+*/
+extern SECStatus VFY_VerifyData(unsigned char *buf, int len,
+				SECKEYPublicKey *key, SECItem *sig,
+				SECOidTag algid, void *wincx);
+
+
+SEC_END_PROTOS
+
+#endif /* _CRYPTOHI_H_ */
diff --git a/security/nss/lib/cryptohi/cryptoht.h b/security/nss/lib/cryptohi/cryptoht.h
new file mode 100644
index 000000000..3116db279
--- /dev/null
+++ b/security/nss/lib/cryptohi/cryptoht.h
@@ -0,0 +1,45 @@
+/*
+ * cryptoht.h - public data structures for the crypto library
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#ifndef _CRYPTOHT_H_
+#define _CRYPTOHT_H_
+
+typedef struct SGNContextStr SGNContext;
+typedef struct VFYContextStr VFYContext;
+
+
+#endif /* _CRYPTOHT_H_ */
diff --git a/security/nss/lib/cryptohi/dsautil.c b/security/nss/lib/cryptohi/dsautil.c
new file mode 100644
index 000000000..c592ec7df
--- /dev/null
+++ b/security/nss/lib/cryptohi/dsautil.c
@@ -0,0 +1,232 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#include "secasn1.h"
+#include "secitem.h"
+#include "prerr.h"
+
+#ifndef DSA_SUBPRIME_LEN
+#define DSA_SUBPRIME_LEN 20	/* bytes */
+#endif
+
+typedef struct {
+    SECItem r;
+    SECItem s;
+} DSA_ASN1Signature;
+
+const SEC_ASN1Template DSA_SignatureTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(DSA_ASN1Signature) },
+    { SEC_ASN1_INTEGER, offsetof(DSA_ASN1Signature,r) },
+    { SEC_ASN1_INTEGER, offsetof(DSA_ASN1Signature,s) },
+    { 0, }
+};
+
+/* Input is variable length multi-byte integer, MSB first (big endian).
+** Most signficant bit of first byte is NOT treated as a sign bit. 
+** May be one or more leading bytes of zeros. 
+** Output is variable length multi-byte integer, MSB first (big endian).
+** Most significant bit of first byte will be zero (positive sign bit)
+** No more than one leading zero byte.
+** Caller supplies dest buffer, and assures that it is long enough,
+** e.g. at least one byte longer that src's buffer.
+*/
+void
+DSAU_ConvertUnsignedToSigned(SECItem *dest, SECItem *src)
+{
+    unsigned char *pSrc = src->data;
+    unsigned char *pDst = dest->data;
+    unsigned int   cntSrc = src->len;
+    unsigned char  c;
+
+    /* skip any leading zeros. */
+    while (cntSrc && !(c = *pSrc)) { 
+    	pSrc++; 
+	cntSrc--;
+    }
+    if (!cntSrc) {
+    	*pDst = 0; 
+	dest->len = 1; 
+	return; 
+    }
+
+    if (c & 0x80)
+    	*pDst++ = 0;
+
+    PORT_Memcpy(pDst, pSrc, cntSrc);
+    dest->len = (pDst - dest->data) + cntSrc;
+}
+
+/*
+** src is a buffer holding a signed variable length integer.
+** dest is a buffer which will be filled with an unsigned integer,
+** MSB first (big endian) with leading zeros, so that the last byte
+** of src will be the LSB of the integer.  The result will be exactly
+** the length specified by the caller in dest->len.
+** src can be shorter than dest.  src can be longer than dst, but only
+** if the extra leading bytes are zeros.
+*/
+SECStatus
+DSAU_ConvertSignedToFixedUnsigned(SECItem *dest, SECItem *src)
+{
+    unsigned char *pSrc = src->data;
+    unsigned char *pDst = dest->data;
+    unsigned int   cntSrc = src->len;
+    unsigned int   cntDst = dest->len;
+    int            zCount = cntDst - cntSrc;
+
+    if (zCount > 0) {
+    	PORT_Memset(pDst, 0, zCount);
+	PORT_Memcpy(pDst + zCount, pSrc, cntSrc);
+	return SECSuccess;
+    }
+    if (zCount <= 0) {
+	/* Source is longer than destination.  Check for leading zeros. */
+	while (zCount++ < 0) {
+	    if (*pSrc++ != 0)
+		goto loser;
+	}
+    }
+    PORT_Memcpy(pDst, pSrc, cntDst);
+    return SECSuccess;
+
+loser:
+    PORT_SetError( PR_INVALID_ARGUMENT_ERROR );
+    return SECFailure;
+}
+
+/* src is a "raw" DSA signature, 20 bytes of r followed by 20 bytes of s.
+** dest is the signature DER encoded. ?
+*/
+SECStatus
+DSAU_EncodeDerSig(SECItem *dest, SECItem *src)
+{
+    SECItem *         item;
+    SECItem           srcItem;
+    DSA_ASN1Signature sig;
+    unsigned char     signedR[DSA_SUBPRIME_LEN + 1];
+    unsigned char     signedS[DSA_SUBPRIME_LEN + 1];
+
+    PORT_Memset(&sig, 0, sizeof(sig));
+
+    PORT_Assert(src->len == 2 * DSA_SUBPRIME_LEN);
+    if (src->len != 2 * DSA_SUBPRIME_LEN) {
+    	PORT_SetError( PR_INVALID_ARGUMENT_ERROR );
+	return SECFailure;
+    }
+
+    /* Must convert r and s from "unsigned" integers to "signed" integers.
+    ** If the high order bit of the first byte (MSB) is 1, then must
+    ** prepend with leading zero.  
+    ** Must remove all but one leading zero byte from numbers.
+    */
+    sig.r.type = siUnsignedInteger;
+    sig.r.data = signedR;
+    sig.r.len  = sizeof signedR;
+    sig.s.type = siUnsignedInteger;
+    sig.s.data = signedS;
+    sig.s.len  = sizeof signedR;
+
+    srcItem.data = src->data;
+    srcItem.len  = DSA_SUBPRIME_LEN;
+
+    DSAU_ConvertUnsignedToSigned(&sig.r, &srcItem);
+    srcItem.data += DSA_SUBPRIME_LEN;
+    DSAU_ConvertUnsignedToSigned(&sig.s, &srcItem);
+
+    item = SEC_ASN1EncodeItem(NULL, dest, &sig, DSA_SignatureTemplate);
+    if (item == NULL)
+	return SECFailure;
+
+    /* XXX leak item? */
+    return SECSuccess;
+}
+
+/* src is a DER-encoded DSA signature.
+** Returns a newly-allocated SECItem structure, pointing at a newly allocated
+** buffer containing the "raw" DSA signature, which is 20 bytes of r,
+** followed by 20 bytes of s.
+*/
+SECItem *
+DSAU_DecodeDerSig(SECItem *item)
+{
+    SECItem *         result = NULL;
+    SECStatus         status;
+    DSA_ASN1Signature sig;
+    SECItem           dst;
+
+    PORT_Memset(&sig, 0, sizeof(sig));
+
+    result = PORT_ZNew(SECItem);
+    if (result == NULL)
+	goto loser;
+
+    result->len  = 2 * DSA_SUBPRIME_LEN;
+    result->data = (unsigned char*)PORT_Alloc(2 * DSA_SUBPRIME_LEN);
+    if (result->data == NULL)
+	goto loser;
+
+    sig.r.type = siUnsignedInteger;
+    sig.s.type = siUnsignedInteger;
+    status = SEC_ASN1DecodeItem(NULL, &sig, DSA_SignatureTemplate, item);
+    if (status != SECSuccess)
+	goto loser;
+
+    /* Convert sig.r and sig.s from variable  length signed integers to 
+    ** fixed length unsigned integers.
+    */
+    dst.data = result->data;
+    dst.len  = DSA_SUBPRIME_LEN;
+    status = DSAU_ConvertSignedToFixedUnsigned(&dst, &sig.r);
+    if (status != SECSuccess)
+    	goto loser;
+
+    dst.data += DSA_SUBPRIME_LEN;
+    status = DSAU_ConvertSignedToFixedUnsigned(&dst, &sig.s);
+    if (status != SECSuccess)
+    	goto loser;
+
+done:
+    if (sig.r.data != NULL)
+	PORT_Free(sig.r.data);
+    if (sig.s.data != NULL)
+	PORT_Free(sig.s.data);
+
+    return result;
+
+loser:
+    if (result != NULL) {
+	SECITEM_FreeItem(result, PR_TRUE);
+	result = NULL;
+    }
+    goto done;
+}
diff --git a/security/nss/lib/cryptohi/hasht.h b/security/nss/lib/cryptohi/hasht.h
new file mode 100644
index 000000000..143e37486
--- /dev/null
+++ b/security/nss/lib/cryptohi/hasht.h
@@ -0,0 +1,93 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * hasht.h - public data structures for the hashing library
+ *
+ * $Id$
+ */
+
+#ifndef _HASHT_H_
+#define _HASHT_H_
+
+/* Opaque objects */
+typedef struct SECHashObjectStr SECHashObject;
+typedef struct HASHContextStr HASHContext;
+
+/*
+ * The hash functions the security library supports
+ * NOTE the order must match the definition of SECHashObjects[]!
+ */
+typedef enum {
+    HASH_AlgNULL = 0,
+    HASH_AlgMD2 = 1,
+    HASH_AlgMD5 = 2,
+    HASH_AlgSHA1 = 3,
+    HASH_AlgTOTAL
+} HASH_HashType;
+
+/*
+ * Number of bytes each hash algorithm produces
+ */
+#define MD2_LENGTH	16
+#define MD5_LENGTH	16
+#define SHA1_LENGTH	20
+
+/*
+ * Structure to hold hash computation info and routines
+ */
+struct SECHashObjectStr {
+    unsigned int length;
+    void * (*create)(void);
+    void * (*clone)(void *);
+    void (*destroy)(void *, PRBool);
+    void (*begin)(void *);
+    void (*update)(void *, const unsigned char *, unsigned int);
+    void (*end)(void *, unsigned char *, unsigned int *, unsigned int);
+};
+
+struct HASHContextStr {
+    const struct SECHashObjectStr *hashobj;
+    void *hash_context;
+};
+
+/* This symbol is NOT exported from the NSS DLL.  Code that needs a 
+ * pointer to one of the SECHashObjects should call HASH_GetHashObject()
+ * instead. See "sechash.h".
+ */
+extern const SECHashObject SECHashObjects[];
+
+/* Only those functions below the PKCS #11 line should use SECRawHashObjects.
+ * This symbol is not exported from the NSS DLL.
+ */
+extern const SECHashObject SECRawHashObjects[];
+
+#endif /* _HASHT_H_ */
diff --git a/security/nss/lib/cryptohi/key.h b/security/nss/lib/cryptohi/key.h
new file mode 100644
index 000000000..678beafd8
--- /dev/null
+++ b/security/nss/lib/cryptohi/key.h
@@ -0,0 +1,43 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * key.h - public data structures and prototypes for the private key library
+ *
+ * $Id$
+ */
+
+#ifndef _KEY_H_
+#define _KEY_H_
+
+#include "keyhi.h"
+
+#endif /* _KEY_H_ */
diff --git a/security/nss/lib/cryptohi/keyhi.h b/security/nss/lib/cryptohi/keyhi.h
new file mode 100644
index 000000000..844a44877
--- /dev/null
+++ b/security/nss/lib/cryptohi/keyhi.h
@@ -0,0 +1,273 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s): 
+ *	Dr Stephen Henson <stephen.henson@gemplus.com>
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * key.h - public data structures and prototypes for the private key library
+ *
+ * $Id$
+ */
+
+#ifndef _KEYHI_H_
+#define _KEYHI_H_
+
+#include "plarena.h"
+
+#include "seccomon.h"
+#include "secoidt.h"
+#include "secdert.h"
+#include "keythi.h"
+#include "certt.h"
+/*#include "secpkcs5.h" */
+
+SEC_BEGIN_PROTOS
+
+
+/*
+** Destroy a subject-public-key-info object.
+*/
+extern void SECKEY_DestroySubjectPublicKeyInfo(CERTSubjectPublicKeyInfo *spki);
+
+/*
+** Copy subject-public-key-info "src" to "dst". "dst" is filled in
+** appropriately (memory is allocated for each of the sub objects).
+*/
+extern SECStatus SECKEY_CopySubjectPublicKeyInfo(PRArenaPool *arena,
+					     CERTSubjectPublicKeyInfo *dst,
+					     CERTSubjectPublicKeyInfo *src);
+
+/*
+** Update the PQG parameters for a cert's public key.
+** Only done for DSA and Fortezza certs
+*/
+extern SECStatus
+SECKEY_UpdateCertPQG(CERTCertificate * subjectCert);
+
+
+/* Compare the KEA parameters of two public keys.  
+ * Only used by fortezza.      */
+
+extern SECStatus
+SECKEY_KEAParamCompare(CERTCertificate *cert1,CERTCertificate *cert2);
+
+/*
+** Return the strength of the public key
+*/
+extern unsigned SECKEY_PublicKeyStrength(SECKEYPublicKey *pubk);
+
+
+/*
+** Make a copy of the private key "privKey"
+*/
+extern SECKEYPrivateKey *SECKEY_CopyPrivateKey(SECKEYPrivateKey *privKey);
+
+/*
+** Make a copy of the public key "pubKey"
+*/
+extern SECKEYPublicKey *SECKEY_CopyPublicKey(SECKEYPublicKey *pubKey);
+
+/*
+** Convert a private key "privateKey" into a public key
+*/
+extern SECKEYPublicKey *SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privateKey);
+
+/*
+ * create a new RSA key pair. The private Key is returned...
+ */
+SECKEYPrivateKey *SECKEY_CreateRSAPrivateKey(int keySizeInBits,
+					   SECKEYPublicKey **pubk, void *cx);
+	
+/*
+ * create a new DH key pair. The private Key is returned...
+ */
+SECKEYPrivateKey *SECKEY_CreateDHPrivateKey(SECKEYDHParams *param,
+					   SECKEYPublicKey **pubk, void *cx);
+/*
+** Create a subject-public-key-info based on a public key.
+*/
+extern CERTSubjectPublicKeyInfo *
+SECKEY_CreateSubjectPublicKeyInfo(SECKEYPublicKey *k);
+
+/*
+** Decode a DER encoded public key into an SECKEYPublicKey structure.
+*/
+extern SECKEYPublicKey *SECKEY_DecodeDERPublicKey(SECItem *pubkder);
+
+/*
+** Convert a base64 ascii encoded DER public key to our internal format.
+*/
+extern SECKEYPublicKey *SECKEY_ConvertAndDecodePublicKey(char *pubkstr);
+
+/*
+** Convert a base64 ascii encoded DER public key and challenge to spki,
+** and verify the signature and challenge data are correct
+*/
+extern CERTSubjectPublicKeyInfo *
+SECKEY_ConvertAndDecodePublicKeyAndChallenge(char *pkacstr, char *challenge,
+								void *cx);
+
+/*
+** Encode a  CERTSubjectPublicKeyInfo structure. into a
+** DER encoded subject public key info. 
+*/
+SECItem *
+SECKEY_EncodeDERSubjectPublicKeyInfo(SECKEYPublicKey *pubk);
+
+/*
+** Decode a DER encoded subject public key info into a
+** CERTSubjectPublicKeyInfo structure.
+*/
+extern CERTSubjectPublicKeyInfo *
+SECKEY_DecodeDERSubjectPublicKeyInfo(SECItem *spkider);
+
+/*
+** Convert a base64 ascii encoded DER subject public key info to our
+** internal format.
+*/
+extern CERTSubjectPublicKeyInfo *
+SECKEY_ConvertAndDecodeSubjectPublicKeyInfo(char *spkistr);
+
+/*
+ * extract the public key from a subject Public Key info structure.
+ * (used by JSS).
+ */
+extern SECKEYPublicKey *
+SECKEY_ExtractPublicKey(CERTSubjectPublicKeyInfo *);
+
+/*
+** Destroy a private key object.
+**	"key" the object
+*/
+extern void SECKEY_DestroyPrivateKey(SECKEYPrivateKey *key);
+
+
+/*
+** Destroy a public key object.
+**	"key" the object
+*/
+extern void SECKEY_DestroyPublicKey(SECKEYPublicKey *key);
+
+/* Destroy and zero out a private key info structure.  for now this
+ * function zero's out memory allocated in an arena for the key 
+ * since PORT_FreeArena does not currently do this.  
+ *
+ * NOTE -- If a private key info is allocated in an arena, one should 
+ * not call this function with freeit = PR_FALSE.  The function should 
+ * destroy the arena.  
+ */
+extern void
+SECKEY_DestroyPrivateKeyInfo(SECKEYPrivateKeyInfo *pvk, PRBool freeit);
+
+/* Destroy and zero out an encrypted private key info.
+ *
+ * NOTE -- If a encrypted private key info is allocated in an arena, one should 
+ * not call this function with freeit = PR_FALSE.  The function should 
+ * destroy the arena.  
+ */
+extern void
+SECKEY_DestroyEncryptedPrivateKeyInfo(SECKEYEncryptedPrivateKeyInfo *epki,
+				      PRBool freeit);
+
+/* Copy private key info structure.  
+ *  poolp is the arena into which the contents of from is to be copied.
+ *	NULL is a valid entry.
+ *  to is the destination private key info
+ *  from is the source private key info
+ * if either from or to is NULL or an error occurs, SECFailure is 
+ * returned.  otherwise, SECSuccess is returned.
+ */
+extern SECStatus
+SECKEY_CopyPrivateKeyInfo(PRArenaPool *poolp,
+			  SECKEYPrivateKeyInfo *to,
+			  SECKEYPrivateKeyInfo *from);
+
+/* Copy encrypted private key info structure.  
+ *  poolp is the arena into which the contents of from is to be copied.
+ *	NULL is a valid entry.
+ *  to is the destination encrypted private key info
+ *  from is the source encrypted private key info
+ * if either from or to is NULL or an error occurs, SECFailure is 
+ * returned.  otherwise, SECSuccess is returned.
+ */
+extern SECStatus
+SECKEY_CopyEncryptedPrivateKeyInfo(PRArenaPool *poolp,
+				   SECKEYEncryptedPrivateKeyInfo *to,
+				   SECKEYEncryptedPrivateKeyInfo *from);
+/*
+ * Accessor functions for key type of public and private keys.
+ */
+KeyType SECKEY_GetPrivateKeyType(SECKEYPrivateKey *privKey);
+KeyType SECKEY_GetPublicKeyType(SECKEYPublicKey *pubKey);
+
+/*
+ * Creates a PublicKey from its DER encoding.
+ * Currently only supports RSA and DSA keys.
+ */
+SECKEYPublicKey*
+SECKEY_ImportDERPublicKey(SECItem *derKey, CK_KEY_TYPE type);
+
+SECKEYPrivateKeyList*
+SECKEY_NewPrivateKeyList(void);
+
+void
+SECKEY_DestroyPrivateKeyList(SECKEYPrivateKeyList *keys);
+
+void
+SECKEY_RemovePrivateKeyListNode(SECKEYPrivateKeyListNode *node);
+
+SECStatus
+SECKEY_AddPrivateKeyToListTail( SECKEYPrivateKeyList *list,
+                                SECKEYPrivateKey *key);
+
+#define PRIVKEY_LIST_HEAD(l) ((SECKEYPrivateKeyListNode*)PR_LIST_HEAD(&l->list))
+#define PRIVKEY_LIST_NEXT(n) ((SECKEYPrivateKeyListNode *)n->links.next)
+#define PRIVKEY_LIST_END(n,l) (((void *)n) == ((void *)&l->list))
+
+SECKEYPublicKeyList*
+SECKEY_NewPublicKeyList(void);
+
+void
+SECKEY_DestroyPublicKeyList(SECKEYPublicKeyList *keys);
+
+void
+SECKEY_RemovePublicKeyListNode(SECKEYPublicKeyListNode *node);
+
+SECStatus
+SECKEY_AddPublicKeyToListTail( SECKEYPublicKeyList *list,
+                                SECKEYPublicKey *key);
+
+#define PUBKEY_LIST_HEAD(l) ((SECKEYPublicKeyListNode*)PR_LIST_HEAD(&l->list))
+#define PUBKEY_LIST_NEXT(n) ((SECKEYPublicKeyListNode *)n->links.next)
+#define PUBKEY_LIST_END(n,l) (((void *)n) == ((void *)&l->list))
+
+SEC_END_PROTOS
+
+#endif /* _KEYHI_H_ */
diff --git a/security/nss/lib/cryptohi/keyt.h b/security/nss/lib/cryptohi/keyt.h
new file mode 100644
index 000000000..1b104b96a
--- /dev/null
+++ b/security/nss/lib/cryptohi/keyt.h
@@ -0,0 +1,43 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * keyt.h - public data structures for the private key library
+ *
+ * $Id$
+ */
+
+#ifndef _KEYT_H_
+#define _KEYT_H_
+
+#include "keythi.h"
+
+#endif /* _KEYT_H_ */
diff --git a/security/nss/lib/cryptohi/keythi.h b/security/nss/lib/cryptohi/keythi.h
new file mode 100644
index 000000000..7b864b868
--- /dev/null
+++ b/security/nss/lib/cryptohi/keythi.h
@@ -0,0 +1,223 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#ifndef _KEYTHI_H_
+#define _KEYTHI_H_ 1
+
+#include "plarena.h"
+#include "pkcs11t.h"
+#include "secmodt.h"
+#include "prclist.h"
+
+typedef enum { 
+    nullKey = 0, 
+    rsaKey = 1, 
+    dsaKey = 2, 
+    fortezzaKey = 3,
+    dhKey = 4, 
+    keaKey = 5
+} KeyType;
+
+/*
+** Template Definitions
+**/
+
+SEC_BEGIN_PROTOS
+extern const SEC_ASN1Template SECKEY_RSAPublicKeyTemplate[];
+extern const SEC_ASN1Template SECKEY_DSAPublicKeyTemplate[];
+extern const SEC_ASN1Template SECKEY_DHPublicKeyTemplate[];
+extern const SEC_ASN1Template SECKEY_DHParamKeyTemplate[];
+extern const SEC_ASN1Template SECKEY_PQGParamsTemplate[];
+extern const SEC_ASN1Template SECKEY_DSAPrivateKeyExportTemplate[];
+
+/* Windows DLL accessor functions */
+extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_DSAPublicKeyTemplate;
+extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_RSAPublicKeyTemplate;
+SEC_END_PROTOS
+
+
+/*
+** RSA Public Key structures
+** member names from PKCS#1, section 7.1 
+*/
+
+struct SECKEYRSAPublicKeyStr {
+    PRArenaPool * arena;
+    SECItem modulus;
+    SECItem publicExponent;
+};
+typedef struct SECKEYRSAPublicKeyStr SECKEYRSAPublicKey;
+
+
+/*
+** DSA Public Key and related structures
+*/
+
+struct SECKEYPQGParamsStr {
+    PRArenaPool *arena;
+    SECItem prime;    /* p */
+    SECItem subPrime; /* q */
+    SECItem base;     /* g */
+    /* XXX chrisk: this needs to be expanded to hold j and validationParms (RFC2459 7.3.2) */
+};
+typedef struct SECKEYPQGParamsStr SECKEYPQGParams;
+
+struct SECKEYDSAPublicKeyStr {
+    SECKEYPQGParams params;
+    SECItem publicValue;
+};
+typedef struct SECKEYDSAPublicKeyStr SECKEYDSAPublicKey;
+
+
+/*
+** Diffie-Hellman Public Key structure
+** Structure member names suggested by PKCS#3.
+*/
+struct SECKEYDHParamsStr {
+    PRArenaPool * arena;
+    SECItem prime; /* p */
+    SECItem base; /* g */
+};
+typedef struct SECKEYDHParamsStr SECKEYDHParams;
+
+struct SECKEYDHPublicKeyStr {
+    PRArenaPool * arena;
+    SECItem prime;
+    SECItem base;
+    SECItem publicValue;
+};
+typedef struct SECKEYDHPublicKeyStr SECKEYDHPublicKey;
+
+
+/*
+** FORTEZZA Public Key structures
+*/
+struct SECKEYFortezzaPublicKeyStr {
+    int      KEAversion;
+    int      DSSversion;
+    unsigned char    KMID[8];
+    SECItem clearance;
+    SECItem KEApriviledge;
+    SECItem DSSpriviledge;
+    SECItem KEAKey;
+    SECItem DSSKey;
+    SECKEYPQGParams params;
+    SECKEYPQGParams keaParams;
+};
+typedef struct SECKEYFortezzaPublicKeyStr SECKEYFortezzaPublicKey;
+
+struct SECKEYDiffPQGParamsStr {
+    SECKEYPQGParams DiffKEAParams;
+    SECKEYPQGParams DiffDSAParams;
+};
+typedef struct SECKEYDiffPQGParamsStr SECKEYDiffPQGParams;
+
+struct SECKEYPQGDualParamsStr {
+    SECKEYPQGParams CommParams;
+    SECKEYDiffPQGParams DiffParams;
+};
+typedef struct SECKEYPQGDualParamsStr SECKEYPQGDualParams;
+
+struct SECKEYKEAParamsStr {
+    PLArenaPool *arena;
+    SECItem hash;
+};
+typedef struct SECKEYKEAParamsStr SECKEYKEAParams;
+ 
+struct SECKEYKEAPublicKeyStr {
+    SECKEYKEAParams params;
+    SECItem publicValue;
+};
+typedef struct SECKEYKEAPublicKeyStr SECKEYKEAPublicKey;
+
+/*
+** A Generic  public key object.
+*/
+struct SECKEYPublicKeyStr {
+    PLArenaPool *arena;
+    KeyType keyType;
+    PK11SlotInfo *pkcs11Slot;
+    CK_OBJECT_HANDLE pkcs11ID;
+    union {
+        SECKEYRSAPublicKey rsa;
+	SECKEYDSAPublicKey dsa;
+	SECKEYDHPublicKey  dh;
+        SECKEYKEAPublicKey kea;
+        SECKEYFortezzaPublicKey fortezza;
+    } u;
+};
+typedef struct SECKEYPublicKeyStr SECKEYPublicKey;
+
+/*
+** A generic key structure
+*/ 
+struct SECKEYPrivateKeyStr {
+    PLArenaPool *arena;
+    KeyType keyType;
+    PK11SlotInfo *pkcs11Slot;	/* pkcs11 slot this key lives in */
+    CK_OBJECT_HANDLE pkcs11ID;  /* ID of pkcs11 object */
+    PRBool pkcs11IsTemp;	/* temp pkcs11 object, delete it when done */
+    void *wincx;		/* context for errors and pw prompts */
+};
+typedef struct SECKEYPrivateKeyStr SECKEYPrivateKey;
+
+/* Despite the name, this struct isn't used by any pkcs5 code.
+** It's used by pkcs7 and pkcs12 code.
+*/
+typedef struct {
+    SECItem *pwitem;
+    PK11SymKey *key;
+    PK11SlotInfo *slot;
+    void *wincx;
+} SEC_PKCS5KeyAndPassword;
+
+typedef struct {
+    PRCList links;
+    SECKEYPrivateKey *key;
+} SECKEYPrivateKeyListNode;
+
+typedef struct {
+    PRCList list;
+    PRArenaPool *arena;
+} SECKEYPrivateKeyList;
+
+typedef struct {
+    PRCList links;
+    SECKEYPublicKey *key;
+} SECKEYPublicKeyListNode;
+
+typedef struct {
+    PRCList list;
+    PRArenaPool *arena;
+} SECKEYPublicKeyList;
+#endif /* _KEYTHI_H_ */
+
diff --git a/security/nss/lib/cryptohi/manifest.mn b/security/nss/lib/cryptohi/manifest.mn
new file mode 100644
index 000000000..a4a76a7df
--- /dev/null
+++ b/security/nss/lib/cryptohi/manifest.mn
@@ -0,0 +1,64 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CORE_DEPTH = ../../..
+
+MODULE = security
+
+REQUIRES = dbm
+
+LIBRARY_NAME = cryptohi
+
+EXPORTS = \
+	cryptohi.h \
+	cryptoht.h \
+	hasht.h   \
+	key.h     \
+	keyhi.h   \
+	keyt.h    \
+	keythi.h  \
+	sechash.h \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	$(NULL)
+
+LIBSRCS = \
+	sechash.c \
+	seckey.c  \
+	secsign.c \
+	secvfy.c  \
+	dsautil.c \
+	$(NULL)
+
+CSRCS = $(LIBSRCS)
+
diff --git a/security/nss/lib/cryptohi/sechash.c b/security/nss/lib/cryptohi/sechash.c
new file mode 100644
index 000000000..36ee1efd2
--- /dev/null
+++ b/security/nss/lib/cryptohi/sechash.c
@@ -0,0 +1,281 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#include "sechash.h"
+#include "secoidt.h"
+#include "blapi.h"
+#include "pk11func.h"	/* for the PK11_ calls below. */
+
+static void *
+null_hash_new_context(void)
+{
+    return NULL;
+}
+
+static void *
+null_hash_clone_context(void *v)
+{
+    PORT_Assert(v == NULL);
+    return NULL;
+}
+
+static void
+null_hash_begin(void *v)
+{
+}
+
+static void
+null_hash_update(void *v, const unsigned char *input, unsigned int length)
+{
+}
+
+static void
+null_hash_end(void *v, unsigned char *output, unsigned int *outLen,
+	      unsigned int maxOut)
+{
+    *outLen = 0;
+}
+
+static void
+null_hash_destroy_context(void *v, PRBool b)
+{
+    PORT_Assert(v == NULL);
+}
+
+
+static void *
+md2_NewContext(void) {
+	return (void *) PK11_CreateDigestContext(SEC_OID_MD2);
+}
+
+static void *
+md5_NewContext(void) {
+	return (void *) PK11_CreateDigestContext(SEC_OID_MD5);
+}
+
+static void *
+sha1_NewContext(void) {
+	return (void *) PK11_CreateDigestContext(SEC_OID_SHA1);
+}
+
+const SECHashObject SECHashObjects[] = {
+  { 0,
+    (void * (*)(void)) null_hash_new_context,
+    (void * (*)(void *)) null_hash_clone_context,
+    (void (*)(void *, PRBool)) null_hash_destroy_context,
+    (void (*)(void *)) null_hash_begin,
+    (void (*)(void *, const unsigned char *, unsigned int)) null_hash_update,
+    (void (*)(void *, unsigned char *, unsigned int *,
+	      unsigned int)) null_hash_end
+  },
+  { MD2_LENGTH,
+    (void * (*)(void)) md2_NewContext,
+    (void * (*)(void *)) PK11_CloneContext,
+    (void (*)(void *, PRBool)) PK11_DestroyContext,
+    (void (*)(void *)) PK11_DigestBegin,
+    (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp,
+    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) 
+							PK11_DigestFinal
+  },
+  { MD5_LENGTH,
+    (void * (*)(void)) md5_NewContext,
+    (void * (*)(void *)) PK11_CloneContext,
+    (void (*)(void *, PRBool)) PK11_DestroyContext,
+    (void (*)(void *)) PK11_DigestBegin,
+    (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp,
+    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) 
+							PK11_DigestFinal
+  },
+  { SHA1_LENGTH,
+    (void * (*)(void)) sha1_NewContext,
+    (void * (*)(void *)) PK11_CloneContext,
+    (void (*)(void *, PRBool)) PK11_DestroyContext,
+    (void (*)(void *)) PK11_DigestBegin,
+    (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp,
+    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) 
+							PK11_DigestFinal
+  },
+};
+
+const SECHashObject * 
+HASH_GetHashObject(HASH_HashType type)
+{
+    return &SECHashObjects[type];
+}
+
+
+unsigned int
+HASH_ResultLen(HASH_HashType type)
+{
+    if ( ( type < HASH_AlgNULL ) || ( type >= HASH_AlgTOTAL ) ) {
+	return(0);
+    }
+    
+    return(SECHashObjects[type].length);
+}
+
+unsigned int
+HASH_ResultLenContext(HASHContext *context)
+{
+    return(context->hashobj->length);
+}
+
+
+
+SECStatus
+HASH_HashBuf(HASH_HashType type,
+	     unsigned char *dest,
+	     unsigned char *src,
+	     uint32 src_len)
+{
+    HASHContext *cx;
+    unsigned int part;
+    
+    if ( ( type < HASH_AlgNULL ) || ( type >= HASH_AlgTOTAL ) ) {
+	return(SECFailure);
+    }
+    
+    cx = HASH_Create(type);
+    if ( cx == NULL ) {
+	return(SECFailure);
+    }
+    HASH_Begin(cx);
+    HASH_Update(cx, src, src_len);
+    HASH_End(cx, dest, &part, HASH_ResultLenContext(cx));
+    HASH_Destroy(cx);
+
+    return(SECSuccess);
+}
+
+HASHContext *
+HASH_Create(HASH_HashType type)
+{
+    void *hash_context = NULL;
+    HASHContext *ret = NULL;
+    
+    if ( ( type < HASH_AlgNULL ) || ( type >= HASH_AlgTOTAL ) ) {
+	return(NULL);
+    }
+    
+    hash_context = (* SECHashObjects[type].create)();
+    if ( hash_context == NULL ) {
+	goto loser;
+    }
+
+    ret = (HASHContext *)PORT_Alloc(sizeof(HASHContext));
+    if ( ret == NULL ) {
+	goto loser;
+    }
+
+    ret->hash_context = hash_context;
+    ret->hashobj = &SECHashObjects[type];
+    
+    return(ret);
+    
+loser:
+    if ( hash_context != NULL ) {
+	(* SECHashObjects[type].destroy)(hash_context, PR_TRUE);
+    }
+    
+    return(NULL);
+}
+
+
+HASHContext *
+HASH_Clone(HASHContext *context)
+{
+    void *hash_context = NULL;
+    HASHContext *ret = NULL;
+    
+    hash_context = (* context->hashobj->clone)(context->hash_context);
+    if ( hash_context == NULL ) {
+	goto loser;
+    }
+
+    ret = (HASHContext *)PORT_Alloc(sizeof(HASHContext));
+    if ( ret == NULL ) {
+	goto loser;
+    }
+
+    ret->hash_context = hash_context;
+    ret->hashobj = context->hashobj;
+    
+    return(ret);
+    
+loser:
+    if ( hash_context != NULL ) {
+	(* context->hashobj->destroy)(hash_context, PR_TRUE);
+    }
+    
+    return(NULL);
+
+}
+
+void
+HASH_Destroy(HASHContext *context)
+{
+    (* context->hashobj->destroy)(context->hash_context, PR_TRUE);
+    PORT_Free(context);
+    return;
+}
+
+
+void
+HASH_Begin(HASHContext *context)
+{
+    (* context->hashobj->begin)(context->hash_context);
+    return;
+}
+
+
+void
+HASH_Update(HASHContext *context,
+	    const unsigned char *src,
+	    unsigned int len)
+{
+    (* context->hashobj->update)(context->hash_context, src, len);
+    return;
+}
+
+void
+HASH_End(HASHContext *context,
+	 unsigned char *result,
+	 unsigned int *result_len,
+	 unsigned int max_result_len)
+{
+    (* context->hashobj->end)(context->hash_context, result, result_len,
+			      max_result_len);
+    return;
+}
+
+
+
diff --git a/security/nss/lib/cryptohi/sechash.h b/security/nss/lib/cryptohi/sechash.h
new file mode 100644
index 000000000..0e5a92e3b
--- /dev/null
+++ b/security/nss/lib/cryptohi/sechash.h
@@ -0,0 +1,79 @@
+#ifndef _HASH_H_
+#define _HASH_H_
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * hash.h - public data structures and prototypes for the hashing library
+ *
+ * $Id$
+ */
+
+#include "seccomon.h"
+#include "hasht.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+** Generic hash api.  
+*/
+
+extern unsigned int  HASH_ResultLen(HASH_HashType type);
+
+extern unsigned int  HASH_ResultLenContext(HASHContext *context);
+
+extern SECStatus     HASH_HashBuf(HASH_HashType type,
+				 unsigned char *dest,
+				 unsigned char *src,
+				 uint32 src_len);
+
+extern HASHContext * HASH_Create(HASH_HashType type);
+
+extern HASHContext * HASH_Clone(HASHContext *context);
+
+extern void          HASH_Destroy(HASHContext *context);
+
+extern void          HASH_Begin(HASHContext *context);
+
+extern void          HASH_Update(HASHContext *context,
+				const unsigned char *src,
+				unsigned int len);
+
+extern void          HASH_End(HASHContext *context,
+			     unsigned char *result,
+			     unsigned int *result_len,
+			     unsigned int max_result_len);
+
+extern const SECHashObject * HASH_GetHashObject(HASH_HashType type);
+
+SEC_END_PROTOS
+
+#endif /* _HASH_H_ */
diff --git a/security/nss/lib/cryptohi/seckey.c b/security/nss/lib/cryptohi/seckey.c
new file mode 100644
index 000000000..1c1bd24af
--- /dev/null
+++ b/security/nss/lib/cryptohi/seckey.c
@@ -0,0 +1,1965 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s): 
+ *	Dr Stephen Henson <stephen.henson@gemplus.com>
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#include "cryptohi.h"
+#include "keyhi.h"
+#include "secrng.h"
+#include "secoid.h"
+#include "secitem.h"
+#include "secder.h"
+#include "base64.h"
+#include "secasn1.h"
+#include "cert.h"
+#include "pk11func.h"
+#include "secerr.h"
+#include "secdig.h"
+#include "prtime.h"
+
+const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTSubjectPublicKeyInfo) },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTSubjectPublicKeyInfo,algorithm),
+	  SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_BIT_STRING,
+	  offsetof(CERTSubjectPublicKeyInfo,subjectPublicKey), },
+    { 0, }
+};
+
+const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTPublicKeyAndChallenge) },
+    { SEC_ASN1_ANY, offsetof(CERTPublicKeyAndChallenge,spki) },
+    { SEC_ASN1_IA5_STRING, offsetof(CERTPublicKeyAndChallenge,challenge) },
+    { 0 }
+};
+
+const SEC_ASN1Template SECKEY_RSAPublicKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPublicKey) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.rsa.modulus), },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.rsa.publicExponent), },
+    { 0, }
+};
+
+const SEC_ASN1Template SECKEY_DSAPublicKeyTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dsa.publicValue), },
+    { 0, }
+};
+
+const SEC_ASN1Template SECKEY_PQGParamsTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPQGParams) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,prime) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,subPrime) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,base) },
+    { 0, }
+};
+
+const SEC_ASN1Template SECKEY_DHPublicKeyTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dh.publicValue), },
+    { 0, }
+};
+
+const SEC_ASN1Template SECKEY_DHParamKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE,  0, NULL, sizeof(SECKEYPublicKey) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dh.prime), },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dh.base), },
+    /* XXX chrisk: this needs to be expanded for decoding of j and validationParms (RFC2459 7.3.2) */
+    { SEC_ASN1_SKIP_REST },
+    { 0, }
+};
+
+const SEC_ASN1Template SECKEY_FortezzaParameterTemplate[] = {
+    { SEC_ASN1_SEQUENCE,  0, NULL, sizeof(SECKEYPQGParams) },
+    { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPQGParams,prime), },
+    { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPQGParams,subPrime), },
+    { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPQGParams,base), },
+    { 0 },
+};
+ 
+const SEC_ASN1Template SECKEY_FortezzaDiffParameterTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYDiffPQGParams) },
+    { SEC_ASN1_INLINE, offsetof(SECKEYDiffPQGParams,DiffKEAParams), 
+                       SECKEY_FortezzaParameterTemplate},
+    { SEC_ASN1_INLINE, offsetof(SECKEYDiffPQGParams,DiffDSAParams), 
+                       SECKEY_FortezzaParameterTemplate},
+    { 0 },
+};
+
+const SEC_ASN1Template SECKEY_FortezzaPreParamTemplate[] = {
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
+      SEC_ASN1_CONTEXT_SPECIFIC | 1, offsetof(SECKEYPQGDualParams,CommParams),
+                SECKEY_FortezzaParameterTemplate},
+    { 0, }
+};
+
+const SEC_ASN1Template SECKEY_FortezzaAltPreParamTemplate[] = {
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
+      SEC_ASN1_CONTEXT_SPECIFIC | 0, offsetof(SECKEYPQGDualParams,DiffParams),
+                SECKEY_FortezzaDiffParameterTemplate},
+    { 0, }
+};
+
+const SEC_ASN1Template SECKEY_KEAPublicKeyTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.kea.publicValue), },
+    { 0, }
+};
+
+const SEC_ASN1Template SECKEY_KEAParamsTemplate[] = {
+    { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPublicKey,u.kea.params.hash), }, 
+    { 0, }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_DSAPublicKeyTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_RSAPublicKeyTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SubjectPublicKeyInfoTemplate)
+
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type.  This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+static void
+prepare_rsa_pub_key_for_asn1(SECKEYPublicKey *pubk)
+{
+    pubk->u.rsa.modulus.type = siUnsignedInteger;
+    pubk->u.rsa.publicExponent.type = siUnsignedInteger;
+}
+
+static void
+prepare_dsa_pub_key_for_asn1(SECKEYPublicKey *pubk)
+{
+    pubk->u.dsa.publicValue.type = siUnsignedInteger;
+}
+
+static void
+prepare_pqg_params_for_asn1(SECKEYPQGParams *params)
+{
+    params->prime.type = siUnsignedInteger;
+    params->subPrime.type = siUnsignedInteger;
+    params->base.type = siUnsignedInteger;
+}
+
+static void
+prepare_dh_pub_key_for_asn1(SECKEYPublicKey *pubk)
+{
+    pubk->u.dh.prime.type = siUnsignedInteger;
+    pubk->u.dh.base.type = siUnsignedInteger;
+    pubk->u.dh.publicValue.type = siUnsignedInteger;
+}
+
+static void
+prepare_kea_pub_key_for_asn1(SECKEYPublicKey *pubk)
+{
+    pubk->u.kea.publicValue.type = siUnsignedInteger;
+}
+
+/* Create an RSA key pair is any slot able to do so.
+** The created keys are "session" (temporary), not "token" (permanent), 
+** and they are "sensitive", which makes them costly to move to another token.
+*/
+SECKEYPrivateKey *
+SECKEY_CreateRSAPrivateKey(int keySizeInBits,SECKEYPublicKey **pubk, void *cx)
+{
+    SECKEYPrivateKey *privk;
+    PK11SlotInfo *slot = PK11_GetBestSlot(CKM_RSA_PKCS_KEY_PAIR_GEN,cx);
+    PK11RSAGenParams param;
+
+    param.keySizeInBits = keySizeInBits;
+    param.pe = 65537L;
+    
+    privk = PK11_GenerateKeyPair(slot,CKM_RSA_PKCS_KEY_PAIR_GEN,&param,pubk,
+					PR_FALSE, PR_TRUE, cx);
+    PK11_FreeSlot(slot);
+    return(privk);
+}
+
+/* Create a DH key pair in any slot able to do so, 
+** This is a "session" (temporary), not "token" (permanent) key. 
+** Because of the high probability that this key will need to be moved to
+** another token, and the high cost of moving "sensitive" keys, we attempt
+** to create this key pair without the "sensitive" attribute, but revert to 
+** creating a "sensitive" key if necessary.
+*/
+SECKEYPrivateKey *
+SECKEY_CreateDHPrivateKey(SECKEYDHParams *param, SECKEYPublicKey **pubk, void *cx)
+{
+    SECKEYPrivateKey *privk;
+    PK11SlotInfo *slot = PK11_GetBestSlot(CKM_DH_PKCS_KEY_PAIR_GEN,cx);
+
+    privk = PK11_GenerateKeyPair(slot, CKM_DH_PKCS_KEY_PAIR_GEN, param, 
+                                 pubk, PR_FALSE, PR_FALSE, cx);
+    if (!privk) 
+	privk = PK11_GenerateKeyPair(slot, CKM_DH_PKCS_KEY_PAIR_GEN, param, 
+	                             pubk, PR_FALSE, PR_TRUE, cx);
+
+    PK11_FreeSlot(slot);
+    return(privk);
+}
+
+void
+SECKEY_DestroyPrivateKey(SECKEYPrivateKey *privk)
+{
+    if (privk) {
+	if (privk->pkcs11Slot) {
+	    if (privk->pkcs11IsTemp) {
+	    	PK11_DestroyObject(privk->pkcs11Slot,privk->pkcs11ID);
+	    }
+	    PK11_FreeSlot(privk->pkcs11Slot);
+
+	}
+    	if (privk->arena) {
+	    PORT_FreeArena(privk->arena, PR_TRUE);
+	}
+    }
+}
+
+void
+SECKEY_DestroyPublicKey(SECKEYPublicKey *pubk)
+{
+    if (pubk) {
+	if (pubk->pkcs11Slot) {
+	    if (!PK11_IsPermObject(pubk->pkcs11Slot,pubk->pkcs11ID)) {
+		PK11_DestroyObject(pubk->pkcs11Slot,pubk->pkcs11ID);
+	    }
+	    PK11_FreeSlot(pubk->pkcs11Slot);
+	}
+    	if (pubk->arena) {
+	    PORT_FreeArena(pubk->arena, PR_FALSE);
+	}
+    }
+}
+
+SECStatus
+SECKEY_CopySubjectPublicKeyInfo(PRArenaPool *arena,
+			     CERTSubjectPublicKeyInfo *to,
+			     CERTSubjectPublicKeyInfo *from)
+{
+    SECStatus rv;
+
+    rv = SECOID_CopyAlgorithmID(arena, &to->algorithm, &from->algorithm);
+    if (rv == SECSuccess)
+	rv = SECITEM_CopyItem(arena, &to->subjectPublicKey, &from->subjectPublicKey);
+
+    return rv;
+}
+
+SECStatus
+SECKEY_KEASetParams(SECKEYKEAParams * params, SECKEYPublicKey * pubKey) {
+
+    if (pubKey->keyType == fortezzaKey) {
+        /* the key is a fortezza V1 public key  */
+
+	/* obtain hash of pubkey->u.fortezza.params.prime.data +
+		          pubkey->u.fortezza.params.subPrime.data +
+			  pubkey->u.fortezza.params.base.data  */
+
+	/* store hash in params->hash */
+
+    } else if (pubKey->keyType == keaKey) {
+
+        /* the key is a new fortezza KEA public key. */
+        SECITEM_CopyItem(pubKey->arena, &params->hash, 
+	                 &pubKey->u.kea.params.hash );
+
+    } else {
+
+	/* the key has no KEA parameters */
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+
+SECStatus
+SECKEY_KEAParamCompare(CERTCertificate *cert1,CERTCertificate *cert2) 
+{
+
+    SECStatus rv;
+
+    SECKEYPublicKey *pubKey1 = 0;
+    SECKEYPublicKey *pubKey2 = 0;
+
+    SECKEYKEAParams params1;
+    SECKEYKEAParams params2;
+
+
+    rv = SECFailure;
+
+    /* get cert1's public key */
+    pubKey1 = CERT_ExtractPublicKey(cert1);
+    if ( !pubKey1 ) {
+	return(SECFailure);
+    }
+    
+
+    /* get cert2's public key */
+    pubKey2 = CERT_ExtractPublicKey(cert2);
+    if ( !pubKey2 ) {
+	return(SECFailure);
+    }
+
+    /* handle the case when both public keys are new
+     * fortezza KEA public keys.    */
+
+    if ((pubKey1->keyType == keaKey) &&
+        (pubKey2->keyType == keaKey) ) {
+
+        rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.kea.params.hash,
+	                         &pubKey2->u.kea.params.hash);
+	goto done;
+    }
+
+    /* handle the case when both public keys are old fortezza
+     * public keys.              */
+
+    if ((pubKey1->keyType == fortezzaKey) &&
+        (pubKey2->keyType == fortezzaKey) ) {
+
+        rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.fortezza.keaParams.prime,
+	                         &pubKey2->u.fortezza.keaParams.prime);
+
+	if (rv == SECEqual) {
+	    rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.fortezza.keaParams.subPrime,
+	                             &pubKey2->u.fortezza.keaParams.subPrime);
+	}
+
+	if (rv == SECEqual) {
+	    rv = (SECStatus)SECITEM_CompareItem(&pubKey1->u.fortezza.keaParams.base,
+	                             &pubKey2->u.fortezza.keaParams.base);
+	}
+	
+	goto done;
+    }
+
+
+    /* handle the case when the public keys are a mixture of 
+     * old and new.                          */
+
+    rv = SECKEY_KEASetParams(&params1, pubKey1);
+    if (rv != SECSuccess) return rv;
+
+    rv = SECKEY_KEASetParams(&params2, pubKey2);
+    if (rv != SECSuccess) return rv;
+
+    rv = (SECStatus)SECITEM_CompareItem(&params1.hash, &params2.hash);
+
+done:
+    SECKEY_DestroyPublicKey(pubKey1);
+    SECKEY_DestroyPublicKey(pubKey2);
+
+    return rv;   /* returns SECEqual if parameters are equal */
+
+}
+
+
+/* Procedure to update the pqg parameters for a cert's public key.
+ * pqg parameters only need to be updated for DSA and fortezza certificates.
+ * The procedure uses calls to itself recursively to update a certificate
+ * issuer's pqg parameters.  Some important rules are:
+ *    - Do nothing if the cert already has PQG parameters.
+ *    - If the cert does not have PQG parameters, obtain them from the issuer.
+ *    - A valid cert chain cannot have a DSA or Fortezza cert without
+ *      pqg parameters that has a parent that is not a DSA or Fortezza cert.
+ *    - pqg paramters are stored in two different formats: the standard
+ *      DER encoded format and the fortezza-only wrapped format.  The params
+ *      should be copied from issuer to subject cert without modifying the
+ *      formats.  The public key extraction code will deal with the different
+ *      formats at the time of extraction.  */
+
+SECStatus
+seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count)
+{
+    SECStatus rv, rvCompare;
+    SECOidData *oid=NULL;
+    int tag;
+    CERTSubjectPublicKeyInfo * subjectSpki=NULL;
+    CERTSubjectPublicKeyInfo * issuerSpki=NULL;
+    CERTCertificate *issuerCert = NULL;
+
+    rv = SECSuccess;
+
+    /* increment cert chain length counter*/
+    count++;
+
+    /* check if cert chain length exceeds the maximum length*/
+    if (count > CERT_MAX_CERT_CHAIN) {
+	return SECFailure;
+    }
+
+    oid = SECOID_FindOID(&subjectCert->subjectPublicKeyInfo.algorithm.algorithm);            
+    if (oid != NULL) {  
+        tag = oid->offset;
+             
+        /* Check if cert has a DSA or Fortezza public key. If not, return
+         * success since no PQG params need to be updated.  */
+
+	if ( (tag != SEC_OID_MISSI_KEA_DSS_OLD) &&
+	     (tag != SEC_OID_MISSI_DSS_OLD) &&
+             (tag != SEC_OID_MISSI_KEA_DSS) &&
+             (tag != SEC_OID_MISSI_DSS) &&               
+             (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
+             (tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
+             (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
+             (tag != SEC_OID_SDN702_DSA_SIGNATURE) ) {
+            
+            return SECSuccess;
+        }
+    } else {
+        return SECFailure;  /* return failure if oid is NULL */  
+    }
+
+    /* if cert has PQG parameters, return success */
+
+    subjectSpki=&subjectCert->subjectPublicKeyInfo;
+
+    if (subjectSpki->algorithm.parameters.len != 0) {
+        return SECSuccess;
+    }
+
+    /* check if the cert is self-signed */
+    rvCompare = (SECStatus)SECITEM_CompareItem(&subjectCert->derSubject,
+				    &subjectCert->derIssuer);
+	if (rvCompare == SECEqual) {
+	  /* fail since cert is self-signed and has no pqg params. */
+            return SECFailure;     
+	}
+     
+    /* get issuer cert */
+    issuerCert = CERT_FindCertIssuer(subjectCert, PR_Now(), certUsageAnyCA);
+	if ( ! issuerCert ) {
+            return SECFailure;
+	}
+
+    /* if parent is not DSA or fortezza, return failure since
+       we don't allow this case. */
+
+    oid = SECOID_FindOID(&issuerCert->subjectPublicKeyInfo.algorithm.algorithm);
+    if (oid != NULL) {  
+        tag = oid->offset;
+             
+        /* Check if issuer cert has a DSA or Fortezza public key. If not,
+         * return failure.   */
+
+	if ( (tag != SEC_OID_MISSI_KEA_DSS_OLD) &&
+	     (tag != SEC_OID_MISSI_DSS_OLD) &&
+             (tag != SEC_OID_MISSI_KEA_DSS) &&
+             (tag != SEC_OID_MISSI_DSS) &&               
+             (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
+             (tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
+             (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
+             (tag != SEC_OID_SDN702_DSA_SIGNATURE) ) {
+            
+            return SECFailure;
+        }
+    } else {
+        return SECFailure;  /* return failure if oid is NULL */  
+    }
+
+
+    /* at this point the subject cert has no pqg parameters and the
+     * issuer cert has a DSA or fortezza public key.  Update the issuer's
+     * pqg parameters with a recursive call to this same function. */
+
+    rv = seckey_UpdateCertPQGChain(issuerCert, count);
+    if (rv != SECSuccess) return rv;
+
+    /* ensure issuer has pqg parameters */
+
+    issuerSpki=&issuerCert->subjectPublicKeyInfo;
+    if (issuerSpki->algorithm.parameters.len == 0) {
+        rv = SECFailure; 
+    }
+
+    /* if update was successful and pqg params present, then copy the
+     * parameters to the subject cert's key. */
+
+    if (rv == SECSuccess) {
+        rv = SECITEM_CopyItem(subjectCert->arena,
+                              &subjectSpki->algorithm.parameters, 
+	   		      &issuerSpki->algorithm.parameters);
+    }
+
+    return rv;
+
+}
+ 
+
+SECStatus
+SECKEY_UpdateCertPQG(CERTCertificate * subjectCert)
+{
+    return(seckey_UpdateCertPQGChain(subjectCert,0));
+}
+   
+
+/* Decode the PQG parameters.  The params could be stored in two
+ * possible formats, the old fortezza-only wrapped format or
+ * the standard DER encoded format.   Store the decoded parameters in an
+ * old fortezza cert data structure */
+ 
+SECStatus
+SECKEY_FortezzaDecodePQGtoOld(PRArenaPool *arena, SECKEYPublicKey *pubk,
+                              SECItem *params) {
+        SECStatus rv;
+	SECKEYPQGDualParams dual_params;
+
+    if (params == NULL) return SECFailure; 
+    
+    if (params->data == NULL) return SECFailure;
+
+    /* Check if params use the standard format.
+     * The value 0xa1 will appear in the first byte of the parameter data
+     * if the PQG parameters are not using the standard format. This
+     * code should be changed to use a better method to detect non-standard
+     * parameters.    */
+
+    if ((params->data[0] != 0xa1) &&
+        (params->data[0] != 0xa0)) {
+
+            /* PQG params are in the standard format */
+
+	    /* Store DSA PQG parameters */
+	    prepare_pqg_params_for_asn1(&pubk->u.fortezza.params);
+            rv = SEC_ASN1DecodeItem(arena, &pubk->u.fortezza.params,
+                              SECKEY_PQGParamsTemplate,
+                              params);
+
+	    if (rv == SECSuccess) {
+
+	        /* Copy the DSA PQG parameters to the KEA PQG parameters. */
+	        rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime,
+                                      &pubk->u.fortezza.params.prime);
+                if (rv != SECSuccess) return rv;
+                rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime,
+                                      &pubk->u.fortezza.params.subPrime);
+                if (rv != SECSuccess) return rv;
+                rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base,
+                                      &pubk->u.fortezza.params.base);
+                if (rv != SECSuccess) return rv;
+            }
+
+    } else {
+
+	dual_params.CommParams.prime.len = 0;
+        dual_params.CommParams.subPrime.len = 0;
+	dual_params.CommParams.base.len = 0;
+	dual_params.DiffParams.DiffDSAParams.prime.len = 0;
+        dual_params.DiffParams.DiffDSAParams.subPrime.len = 0;
+	dual_params.DiffParams.DiffDSAParams.base.len = 0;
+
+        /* else the old fortezza-only wrapped format is used. */
+
+	if (params->data[0] == 0xa1) {
+            rv = SEC_ASN1DecodeItem(arena, &dual_params, 
+				SECKEY_FortezzaPreParamTemplate, params);
+	} else {
+            rv = SEC_ASN1DecodeItem(arena, &dual_params, 
+	   			    SECKEY_FortezzaAltPreParamTemplate, params);
+        }
+
+        if (rv < 0) return rv;
+	
+        if ( (dual_params.CommParams.prime.len > 0) &&
+             (dual_params.CommParams.subPrime.len > 0) && 
+             (dual_params.CommParams.base.len > 0) ) {
+            /* copy in common params */
+	    
+	    rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.prime,
+                                  &dual_params.CommParams.prime);
+            if (rv != SECSuccess) return rv;
+            rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.subPrime,
+                                  &dual_params.CommParams.subPrime);
+            if (rv != SECSuccess) return rv;
+            rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.base,
+                                  &dual_params.CommParams.base);
+
+	    /* Copy the DSA PQG parameters to the KEA PQG parameters. */
+	    rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime,
+                                  &pubk->u.fortezza.params.prime);
+            if (rv != SECSuccess) return rv;
+            rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime,
+                                  &pubk->u.fortezza.params.subPrime);
+            if (rv != SECSuccess) return rv;
+            rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base,
+                                  &pubk->u.fortezza.params.base);
+            if (rv != SECSuccess) return rv;
+
+        } else {
+
+	    /* else copy in different params */
+
+	    /* copy DSA PQG parameters */
+	    rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.prime,
+                                  &dual_params.DiffParams.DiffDSAParams.prime);
+            if (rv != SECSuccess) return rv;
+            rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.subPrime,
+                                  &dual_params.DiffParams.DiffDSAParams.subPrime);
+            if (rv != SECSuccess) return rv;
+            rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.base,
+                                  &dual_params.DiffParams.DiffDSAParams.base);
+
+	    /* copy KEA PQG parameters */
+
+	    rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime,
+                                  &dual_params.DiffParams.DiffKEAParams.prime);
+            if (rv != SECSuccess) return rv;
+            rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime,
+                                  &dual_params.DiffParams.DiffKEAParams.subPrime);
+            if (rv != SECSuccess) return rv;
+            rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base,
+                                  &dual_params.DiffParams.DiffKEAParams.base);
+        }
+       
+    }
+    return rv;
+}
+
+
+/* Decode the DSA PQG parameters.  The params could be stored in two
+ * possible formats, the old fortezza-only wrapped format or
+ * the normal standard format.  Store the decoded parameters in
+ * a V3 certificate data structure.  */ 
+
+SECStatus
+SECKEY_DSADecodePQG(PRArenaPool *arena, SECKEYPublicKey *pubk, SECItem *params) {
+        SECStatus rv;
+	SECKEYPQGDualParams dual_params;
+
+    if (params == NULL) return SECFailure; 
+    
+    if (params->data == NULL) return SECFailure;
+
+    /* Check if params use the standard format.
+     * The value 0xa1 will appear in the first byte of the parameter data
+     * if the PQG parameters are not using the standard format.  This
+     * code should be changed to use a better method to detect non-standard
+     * parameters.    */
+
+    if ((params->data[0] != 0xa1) &&
+        (params->data[0] != 0xa0)) {
+    
+         /* PQG params are in the standard format */
+         prepare_pqg_params_for_asn1(&pubk->u.dsa.params);
+         rv = SEC_ASN1DecodeItem(arena, &pubk->u.dsa.params,
+                             SECKEY_PQGParamsTemplate,
+                             params);
+    } else {
+
+	dual_params.CommParams.prime.len = 0;
+        dual_params.CommParams.subPrime.len = 0;
+	dual_params.CommParams.base.len = 0;
+	dual_params.DiffParams.DiffDSAParams.prime.len = 0;
+        dual_params.DiffParams.DiffDSAParams.subPrime.len = 0;
+	dual_params.DiffParams.DiffDSAParams.base.len = 0;
+
+        /* else the old fortezza-only wrapped format is used. */
+        if (params->data[0] == 0xa1) {
+            rv = SEC_ASN1DecodeItem(arena, &dual_params, 
+				SECKEY_FortezzaPreParamTemplate, params);
+	} else {
+            rv = SEC_ASN1DecodeItem(arena, &dual_params, 
+	   			    SECKEY_FortezzaAltPreParamTemplate, params);
+        }
+
+        if (rv < 0) return rv;
+
+        if ( (dual_params.CommParams.prime.len > 0) &&
+             (dual_params.CommParams.subPrime.len > 0) && 
+             (dual_params.CommParams.base.len > 0) ) {
+            /* copy in common params */
+	    
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
+                                  &dual_params.CommParams.prime);
+            if (rv != SECSuccess) return rv;
+            rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime,
+                                  &dual_params.CommParams.subPrime);
+            if (rv != SECSuccess) return rv;
+            rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base,
+                                  &dual_params.CommParams.base);
+
+        } else {
+
+	    /* else copy in different params */
+
+	    /* copy DSA PQG parameters */
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
+                                  &dual_params.DiffParams.DiffDSAParams.prime);
+            if (rv != SECSuccess) return rv;
+            rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime,
+                                  &dual_params.DiffParams.DiffDSAParams.subPrime);
+            if (rv != SECSuccess) return rv;
+            rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base,
+                                  &dual_params.DiffParams.DiffDSAParams.base);
+
+        }
+    }
+    return rv;
+}
+
+
+
+/* Decodes the DER encoded fortezza public key and stores the results in a
+ * structure of type SECKEYPublicKey. */
+
+SECStatus
+SECKEY_FortezzaDecodeCertKey(PRArenaPool *arena, SECKEYPublicKey *pubk,
+                             SECItem *rawkey, SECItem *params) {
+
+	unsigned char *rawptr = rawkey->data;
+	unsigned char *end = rawkey->data + rawkey->len;
+	unsigned char *clearptr;
+
+	/* first march down and decode the raw key data */
+
+	/* version */	
+	pubk->u.fortezza.KEAversion = *rawptr++;
+	if (*rawptr++ != 0x01) {
+		return SECFailure;
+	}
+
+	/* KMID */
+	PORT_Memcpy(pubk->u.fortezza.KMID,rawptr,
+				sizeof(pubk->u.fortezza.KMID));
+	rawptr += sizeof(pubk->u.fortezza.KMID);
+
+	/* clearance (the string up to the first byte with the hi-bit on */
+	clearptr = rawptr;
+	while ((rawptr < end) && (*rawptr++ & 0x80));
+
+	if (rawptr >= end) { return SECFailure; }
+	pubk->u.fortezza.clearance.len = rawptr - clearptr;
+	pubk->u.fortezza.clearance.data = 
+		(unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.clearance.len);
+	if (pubk->u.fortezza.clearance.data == NULL) {
+		return SECFailure;
+	}
+	PORT_Memcpy(pubk->u.fortezza.clearance.data,clearptr,
+					pubk->u.fortezza.clearance.len);
+
+	/* KEAPrivilege (the string up to the first byte with the hi-bit on */
+	clearptr = rawptr;
+	while ((rawptr < end) && (*rawptr++ & 0x80));
+	if (rawptr >= end) { return SECFailure; }
+	pubk->u.fortezza.KEApriviledge.len = rawptr - clearptr;
+	pubk->u.fortezza.KEApriviledge.data = 
+		(unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.KEApriviledge.len);
+	if (pubk->u.fortezza.KEApriviledge.data == NULL) {
+		return SECFailure;
+	}
+	PORT_Memcpy(pubk->u.fortezza.KEApriviledge.data,clearptr,
+				pubk->u.fortezza.KEApriviledge.len);
+
+
+	/* now copy the key. The next to bytes are the key length, and the
+	 * key follows */
+	pubk->u.fortezza.KEAKey.len = (*rawptr << 8) | rawptr[1];
+
+	rawptr += 2;
+	if (rawptr+pubk->u.fortezza.KEAKey.len > end) { return SECFailure; }
+	pubk->u.fortezza.KEAKey.data = 
+			(unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.KEAKey.len);
+	if (pubk->u.fortezza.KEAKey.data == NULL) {
+		return SECFailure;
+	}
+	PORT_Memcpy(pubk->u.fortezza.KEAKey.data,rawptr,
+					pubk->u.fortezza.KEAKey.len);
+	rawptr += pubk->u.fortezza.KEAKey.len;
+
+	/* shared key */
+	if (rawptr >= end) {
+	    pubk->u.fortezza.DSSKey.len = pubk->u.fortezza.KEAKey.len;
+	    /* this depends on the fact that we are going to get freed with an
+	     * ArenaFree call. We cannot free DSSKey and KEAKey separately */
+	    pubk->u.fortezza.DSSKey.data=
+					pubk->u.fortezza.KEAKey.data;
+	    pubk->u.fortezza.DSSpriviledge.len = 
+				pubk->u.fortezza.KEApriviledge.len;
+	    pubk->u.fortezza.DSSpriviledge.data =
+			pubk->u.fortezza.DSSpriviledge.data;
+	    goto done;
+	}
+		
+
+	/* DSS Version is next */
+	pubk->u.fortezza.DSSversion = *rawptr++;
+
+	if (*rawptr++ != 2) {
+		return SECFailure;
+	}
+
+	/* DSSPrivilege (the string up to the first byte with the hi-bit on */
+	clearptr = rawptr;
+	while ((rawptr < end) && (*rawptr++ & 0x80));
+	if (rawptr >= end) { return SECFailure; }
+	pubk->u.fortezza.DSSpriviledge.len = rawptr - clearptr;
+	pubk->u.fortezza.DSSpriviledge.data = 
+		(unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.DSSpriviledge.len);
+	if (pubk->u.fortezza.DSSpriviledge.data == NULL) {
+		return SECFailure;
+	}
+	PORT_Memcpy(pubk->u.fortezza.DSSpriviledge.data,clearptr,
+				pubk->u.fortezza.DSSpriviledge.len);
+
+	/* finally copy the DSS key. The next to bytes are the key length,
+	 *  and the key follows */
+	pubk->u.fortezza.DSSKey.len = (*rawptr << 8) | rawptr[1];
+
+	rawptr += 2;
+	if (rawptr+pubk->u.fortezza.DSSKey.len > end){ return SECFailure; }
+	pubk->u.fortezza.DSSKey.data = 
+			(unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.DSSKey.len);
+	if (pubk->u.fortezza.DSSKey.data == NULL) {
+		return SECFailure;
+	}
+	PORT_Memcpy(pubk->u.fortezza.DSSKey.data,rawptr,
+					pubk->u.fortezza.DSSKey.len);
+
+	/* ok, now we decode the parameters */
+done:
+
+        return SECKEY_FortezzaDecodePQGtoOld(arena, pubk, params);
+}
+
+
+/* Function used to determine what kind of cert we are dealing with. */
+KeyType 
+CERT_GetCertKeyType (CERTSubjectPublicKeyInfo *spki) {
+    int tag;
+    KeyType keyType;
+
+    tag = SECOID_GetAlgorithmTag(&spki->algorithm);
+    switch (tag) {
+      case SEC_OID_X500_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_RSA_ENCRYPTION:
+	keyType = rsaKey;
+	break;
+      case SEC_OID_ANSIX9_DSA_SIGNATURE:
+	keyType = dsaKey;
+	break;
+      case SEC_OID_MISSI_KEA_DSS_OLD:
+      case SEC_OID_MISSI_KEA_DSS:
+      case SEC_OID_MISSI_DSS_OLD:
+      case SEC_OID_MISSI_DSS:  
+	keyType = fortezzaKey;
+	break;
+      case SEC_OID_MISSI_KEA:
+      case SEC_OID_MISSI_ALT_KEA:
+	keyType = keaKey;
+	break;
+      case SEC_OID_X942_DIFFIE_HELMAN_KEY:
+	keyType = dhKey;
+      default:
+	keyType = nullKey;
+    }
+    return keyType;
+}
+
+static SECKEYPublicKey *
+seckey_ExtractPublicKey(CERTSubjectPublicKeyInfo *spki)
+{
+    SECKEYPublicKey *pubk;
+    SECItem os;
+    SECStatus rv;
+    PRArenaPool *arena;
+    SECOidTag tag;
+
+    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL)
+	return NULL;
+
+    pubk = (SECKEYPublicKey *) PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey));
+    if (pubk == NULL) {
+	PORT_FreeArena (arena, PR_FALSE);
+	return NULL;
+    }
+
+    pubk->arena = arena;
+    pubk->pkcs11Slot = 0;
+    pubk->pkcs11ID = CK_INVALID_HANDLE;
+
+
+    /* Convert bit string length from bits to bytes */
+    os = spki->subjectPublicKey;
+    DER_ConvertBitString (&os);
+
+    tag = SECOID_GetAlgorithmTag(&spki->algorithm);
+    switch ( tag ) {
+      case SEC_OID_X500_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_RSA_ENCRYPTION:
+	pubk->keyType = rsaKey;
+	prepare_rsa_pub_key_for_asn1(pubk);
+	rv = SEC_ASN1DecodeItem(arena, pubk, SECKEY_RSAPublicKeyTemplate, &os);
+	if (rv == SECSuccess)
+	    return pubk;
+	break;
+      case SEC_OID_ANSIX9_DSA_SIGNATURE:
+      case SEC_OID_SDN702_DSA_SIGNATURE:
+	pubk->keyType = dsaKey;
+	prepare_dsa_pub_key_for_asn1(pubk);
+	rv = SEC_ASN1DecodeItem(arena, pubk, SECKEY_DSAPublicKeyTemplate, &os);
+	if (rv != SECSuccess) break;
+
+        rv = SECKEY_DSADecodePQG(arena, pubk,
+                                 &spki->algorithm.parameters); 
+
+	if (rv == SECSuccess) return pubk;
+	break;
+      case SEC_OID_X942_DIFFIE_HELMAN_KEY:
+	pubk->keyType = dhKey;
+	prepare_dh_pub_key_for_asn1(pubk);
+	rv = SEC_ASN1DecodeItem(arena, pubk, SECKEY_DHPublicKeyTemplate, &os);
+	if (rv != SECSuccess) break;
+
+        rv = SEC_ASN1DecodeItem(arena, pubk, SECKEY_DHParamKeyTemplate,
+                                 &spki->algorithm.parameters); 
+
+	if (rv == SECSuccess) return pubk;
+	break;
+      case SEC_OID_MISSI_KEA_DSS_OLD:
+      case SEC_OID_MISSI_KEA_DSS:
+      case SEC_OID_MISSI_DSS_OLD:
+      case SEC_OID_MISSI_DSS:
+	pubk->keyType = fortezzaKey;
+	rv = SECKEY_FortezzaDecodeCertKey(arena, pubk, &os,
+				          &spki->algorithm.parameters);
+	if (rv == SECSuccess)
+	    return pubk;
+	break;
+
+      case SEC_OID_MISSI_KEA:
+	pubk->keyType = keaKey;
+
+	prepare_kea_pub_key_for_asn1(pubk);
+        rv = SEC_ASN1DecodeItem(arena, pubk,
+                                SECKEY_KEAPublicKeyTemplate, &os);
+        if (rv != SECSuccess) break;
+
+
+        rv = SEC_ASN1DecodeItem(arena, pubk, SECKEY_KEAParamsTemplate,
+                        &spki->algorithm.parameters);
+
+	if (rv == SECSuccess)
+	    return pubk;
+
+        break;
+
+      case SEC_OID_MISSI_ALT_KEA:
+	pubk->keyType = keaKey;
+
+        rv = SECITEM_CopyItem(arena,&pubk->u.kea.publicValue,&os);
+        if (rv != SECSuccess) break;
+ 
+        rv = SEC_ASN1DecodeItem(arena, pubk, SECKEY_KEAParamsTemplate,
+                        &spki->algorithm.parameters);
+
+	if (rv == SECSuccess)
+	    return pubk;
+
+        break;
+
+
+      default:
+	rv = SECFailure;
+	break;
+    }
+
+    SECKEY_DestroyPublicKey (pubk);
+    return NULL;
+}
+
+
+/* required for JSS */
+SECKEYPublicKey *
+SECKEY_ExtractPublicKey(CERTSubjectPublicKeyInfo *spki)
+{
+    return seckey_ExtractPublicKey(spki);
+}
+
+SECKEYPublicKey *
+CERT_ExtractPublicKey(CERTCertificate *cert)
+{
+    SECStatus rv;
+
+    rv = SECKEY_UpdateCertPQG(cert);
+    if (rv != SECSuccess) return NULL;
+
+    return seckey_ExtractPublicKey(&cert->subjectPublicKeyInfo);
+}
+
+/*
+ * Get the public key for the fortezza KMID. NOTE this requires the
+ * PQG paramters to be set. We probably should have a fortezza call that 
+ * just extracts the kmid for us directly so this function can work
+ * without having the whole cert chain
+ */
+SECKEYPublicKey *
+CERT_KMIDPublicKey(CERTCertificate *cert)
+{
+    return seckey_ExtractPublicKey(&cert->subjectPublicKeyInfo);
+}
+
+/* returns key strength in bytes (not bits) */
+unsigned
+SECKEY_PublicKeyStrength(SECKEYPublicKey *pubk)
+{
+    unsigned char b0;
+
+    /* interpret modulus length as key strength... in
+     * fortezza that's the public key length */
+
+    switch (pubk->keyType) {
+    case rsaKey:
+    	b0 = pubk->u.rsa.modulus.data[0];
+    	return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
+    case dsaKey:
+    	b0 = pubk->u.dsa.publicValue.data[0];
+    	return b0 ? pubk->u.dsa.publicValue.len :
+	    pubk->u.dsa.publicValue.len - 1;
+    case dhKey:
+    	b0 = pubk->u.dh.publicValue.data[0];
+    	return b0 ? pubk->u.dh.publicValue.len :
+	    pubk->u.dh.publicValue.len - 1;
+    case fortezzaKey:
+	return PR_MAX(pubk->u.fortezza.KEAKey.len, pubk->u.fortezza.DSSKey.len);
+    default:
+	break;
+    }
+    return 0;
+}
+
+SECKEYPrivateKey *
+SECKEY_CopyPrivateKey(SECKEYPrivateKey *privk)
+{
+    SECKEYPrivateKey *copyk;
+    PRArenaPool *arena;
+    
+    if (privk == NULL) {
+	return NULL;
+    }
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	PORT_SetError (SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    copyk = (SECKEYPrivateKey *) PORT_ArenaZAlloc (arena, sizeof (SECKEYPrivateKey));
+    if (copyk) {
+	copyk->arena = arena;
+	copyk->keyType = privk->keyType;
+
+	/* copy the PKCS #11 parameters */
+	copyk->pkcs11Slot = PK11_ReferenceSlot(privk->pkcs11Slot);
+	/* if the key we're referencing was a temparary key we have just
+	 * created, that we want to go away when we're through, we need
+	 * to make a copy of it */
+	if (privk->pkcs11IsTemp) {
+	    copyk->pkcs11ID = 
+			PK11_CopyKey(privk->pkcs11Slot,privk->pkcs11ID);
+	    if (copyk->pkcs11ID == CK_INVALID_HANDLE) goto fail;
+	} else {
+	    copyk->pkcs11ID = privk->pkcs11ID;
+	}
+	copyk->pkcs11IsTemp = privk->pkcs11IsTemp;
+	copyk->wincx = privk->wincx;
+	return copyk;
+    } else {
+	PORT_SetError (SEC_ERROR_NO_MEMORY);
+    }
+
+fail:
+    PORT_FreeArena (arena, PR_FALSE);
+    return NULL;
+}
+
+SECKEYPublicKey *
+SECKEY_CopyPublicKey(SECKEYPublicKey *pubk)
+{
+    SECKEYPublicKey *copyk;
+    PRArenaPool *arena;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	PORT_SetError (SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    copyk = (SECKEYPublicKey *) PORT_ArenaZAlloc (arena, sizeof (SECKEYPublicKey));
+    if (copyk != NULL) {
+	SECStatus rv = SECSuccess;
+
+	copyk->arena = arena;
+	copyk->keyType = pubk->keyType;
+	if (pubk->pkcs11Slot && 
+			PK11_IsPermObject(pubk->pkcs11Slot,pubk->pkcs11ID)) {
+	    copyk->pkcs11Slot = PK11_ReferenceSlot(pubk->pkcs11Slot);
+	    copyk->pkcs11ID = pubk->pkcs11ID;
+	} else {
+	    copyk->pkcs11Slot = NULL;	/* go get own reference */
+	    copyk->pkcs11ID = CK_INVALID_HANDLE;
+	}
+	switch (pubk->keyType) {
+	  case rsaKey:
+	    rv = SECITEM_CopyItem(arena, &copyk->u.rsa.modulus,
+				  &pubk->u.rsa.modulus);
+	    if (rv == SECSuccess) {
+		rv = SECITEM_CopyItem (arena, &copyk->u.rsa.publicExponent,
+				       &pubk->u.rsa.publicExponent);
+		if (rv == SECSuccess)
+		    return copyk;
+	    }
+	    break;
+	  case dsaKey:
+	    rv = SECITEM_CopyItem(arena, &copyk->u.dsa.publicValue,
+				  &pubk->u.dsa.publicValue);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &copyk->u.dsa.params.prime,
+				  &pubk->u.dsa.params.prime);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &copyk->u.dsa.params.subPrime,
+				  &pubk->u.dsa.params.subPrime);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &copyk->u.dsa.params.base,
+				  &pubk->u.dsa.params.base);
+	    break;
+          case keaKey:
+            rv = SECITEM_CopyItem(arena, &copyk->u.kea.publicValue,
+                                  &pubk->u.kea.publicValue);
+            if (rv != SECSuccess) break;
+            rv = SECITEM_CopyItem(arena, &copyk->u.kea.params.hash,
+                                  &pubk->u.kea.params.hash);
+            break;
+	  case fortezzaKey:
+	    copyk->u.fortezza.KEAversion = pubk->u.fortezza.KEAversion;
+	    copyk->u.fortezza.DSSversion = pubk->u.fortezza.DSSversion;
+	    PORT_Memcpy(copyk->u.fortezza.KMID, pubk->u.fortezza.KMID,
+			sizeof(pubk->u.fortezza.KMID));
+	    rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.clearance, 
+				  &pubk->u.fortezza.clearance);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.KEApriviledge, 
+				&pubk->u.fortezza.KEApriviledge);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.DSSpriviledge, 
+				&pubk->u.fortezza.DSSpriviledge);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.KEAKey, 
+				&pubk->u.fortezza.KEAKey);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.DSSKey, 
+				&pubk->u.fortezza.DSSKey);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.params.prime, 
+				  &pubk->u.fortezza.params.prime);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.params.subPrime, 
+				&pubk->u.fortezza.params.subPrime);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.params.base, 
+				&pubk->u.fortezza.params.base);
+            if (rv != SECSuccess) break;
+            rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.keaParams.prime, 
+				  &pubk->u.fortezza.keaParams.prime);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.keaParams.subPrime, 
+				&pubk->u.fortezza.keaParams.subPrime);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &copyk->u.fortezza.keaParams.base, 
+				&pubk->u.fortezza.keaParams.base);
+	    break;
+	  case dhKey:
+            rv = SECITEM_CopyItem(arena,&copyk->u.dh.prime,&pubk->u.dh.prime);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena,&copyk->u.dh.base,&pubk->u.dh.base);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &copyk->u.dh.publicValue, 
+				&pubk->u.dh.publicValue);
+	    break;
+	  case nullKey:
+	    return copyk;
+	  default:
+	    rv = SECFailure;
+	    break;
+	}
+	if (rv == SECSuccess)
+	    return copyk;
+
+	SECKEY_DestroyPublicKey (copyk);
+    } else {
+	PORT_SetError (SEC_ERROR_NO_MEMORY);
+    }
+
+    PORT_FreeArena (arena, PR_FALSE);
+    return NULL;
+}
+
+
+SECKEYPublicKey *
+SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privk)
+{
+    SECKEYPublicKey *pubk;
+    PRArenaPool *arena;
+    CERTCertificate *cert;
+    SECStatus rv;
+
+    /*
+     * First try to look up the cert.
+     */
+    cert = PK11_GetCertFromPrivateKey(privk);
+    if (cert) {
+	pubk = CERT_ExtractPublicKey(cert);
+	CERT_DestroyCertificate(cert);
+	return pubk;
+    }
+
+    /* couldn't find the cert, build pub key by hand */
+    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	PORT_SetError (SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+    pubk = (SECKEYPublicKey *)PORT_ArenaZAlloc(arena,
+						   sizeof (SECKEYPublicKey));
+    if (pubk == NULL) {
+	PORT_FreeArena(arena,PR_FALSE);
+	return NULL;
+    }
+    pubk->keyType = privk->keyType;
+    pubk->pkcs11Slot = NULL;
+    pubk->pkcs11ID = CK_INVALID_HANDLE;
+    pubk->arena = arena;
+
+    /*
+     * fortezza is at the head of this switch, since we don't want to
+     * allocate an arena... CERT_ExtractPublicKey will to that for us.
+     */
+    switch(privk->keyType) {
+      case fortezzaKey:
+      case nullKey:
+      case dhKey:
+      case dsaKey:
+	/* Nothing to query, if the cert isn't there, we're done -- no way
+	 * to get the public key */
+	break;
+      case rsaKey:
+	rv = PK11_ReadAttribute(privk->pkcs11Slot,privk->pkcs11ID,
+				CKA_MODULUS,arena,&pubk->u.rsa.modulus);
+	if (rv != SECSuccess)  break;
+	rv = PK11_ReadAttribute(privk->pkcs11Slot,privk->pkcs11ID,
+			CKA_PUBLIC_EXPONENT,arena,&pubk->u.rsa.publicExponent);
+	if (rv != SECSuccess)  break;
+	return pubk;
+	break;
+    default:
+	break;
+    }
+
+    PORT_FreeArena (arena, PR_FALSE);
+    return NULL;
+}
+
+CERTSubjectPublicKeyInfo *
+SECKEY_CreateSubjectPublicKeyInfo(SECKEYPublicKey *pubk)
+{
+    CERTSubjectPublicKeyInfo *spki;
+    PRArenaPool *arena;
+    SECItem params = { siBuffer, NULL, 0 };
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    spki = (CERTSubjectPublicKeyInfo *) PORT_ArenaZAlloc(arena, sizeof (*spki));
+    if (spki != NULL) {
+	SECStatus rv;
+	SECItem *rv_item;
+	
+	spki->arena = arena;
+	switch(pubk->keyType) {
+	  case rsaKey:
+	    rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
+				     SEC_OID_PKCS1_RSA_ENCRYPTION, 0);
+	    if (rv == SECSuccess) {
+		/*
+		 * DER encode the public key into the subjectPublicKeyInfo.
+		 */
+		prepare_rsa_pub_key_for_asn1(pubk);
+		rv_item = SEC_ASN1EncodeItem(arena, &spki->subjectPublicKey,
+					     pubk, SECKEY_RSAPublicKeyTemplate);
+		if (rv_item != NULL) {
+		    /*
+		     * The stored value is supposed to be a BIT_STRING,
+		     * so convert the length.
+		     */
+		    spki->subjectPublicKey.len <<= 3;
+		    /*
+		     * We got a good one; return it.
+		     */
+		    return spki;
+		}
+	    }
+	    break;
+	  case dsaKey:
+	    /* DER encode the params. */
+	    prepare_pqg_params_for_asn1(&pubk->u.dsa.params);
+	    rv_item = SEC_ASN1EncodeItem(arena, &params, &pubk->u.dsa.params,
+					 SECKEY_PQGParamsTemplate);
+	    if (rv_item != NULL) {
+		rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
+					   SEC_OID_ANSIX9_DSA_SIGNATURE,
+					   &params);
+		if (rv == SECSuccess) {
+		    /*
+		     * DER encode the public key into the subjectPublicKeyInfo.
+		     */
+		    prepare_dsa_pub_key_for_asn1(pubk);
+		    rv_item = SEC_ASN1EncodeItem(arena, &spki->subjectPublicKey,
+						 pubk,
+						 SECKEY_DSAPublicKeyTemplate);
+		    if (rv_item != NULL) {
+			/*
+			 * The stored value is supposed to be a BIT_STRING,
+			 * so convert the length.
+			 */
+			spki->subjectPublicKey.len <<= 3;
+			/*
+			 * We got a good one; return it.
+			 */
+			return spki;
+		    }
+		}
+	    }
+	    SECITEM_FreeItem(&params, PR_FALSE);
+	    break;
+	  case keaKey:
+	  case dhKey: /* later... */
+
+	  break;  
+	  case fortezzaKey:
+#ifdef notdef
+	    /* encode the DSS parameters (PQG) */
+	    rv = FortezzaBuildParams(&params,pubk);
+	    if (rv != SECSuccess) break;
+
+	    /* set the algorithm */
+	    rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
+				       SEC_OID_MISSI_KEA_DSS, &params);
+	    PORT_Free(params.data);
+	    if (rv == SECSuccess) {
+		/*
+		 * Encode the public key into the subjectPublicKeyInfo.
+		 * Fortezza key material is not standard DER
+		 */
+		rv = FortezzaEncodeCertKey(arena,&spki->subjectPublicKey,pubk);
+		if (rv == SECSuccess) {
+		    /*
+		     * The stored value is supposed to be a BIT_STRING,
+		     * so convert the length.
+		     */
+		    spki->subjectPublicKey.len <<= 3;
+
+		    /*
+		     * We got a good one; return it.
+		     */
+		    return spki;
+		}
+	    }
+#endif
+	    break;
+	  default:
+	    break;
+	}
+    } else {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+    }
+
+    PORT_FreeArena(arena, PR_FALSE);
+    return NULL;
+}
+
+void
+SECKEY_DestroySubjectPublicKeyInfo(CERTSubjectPublicKeyInfo *spki)
+{
+    if (spki && spki->arena) {
+	PORT_FreeArena(spki->arena, PR_FALSE);
+    }
+}
+
+/*
+ * this only works for RSA keys... need to do something
+ * similiar to CERT_ExtractPublicKey for other key times.
+ */
+SECKEYPublicKey *
+SECKEY_DecodeDERPublicKey(SECItem *pubkder)
+{
+    PRArenaPool *arena;
+    SECKEYPublicKey *pubk;
+    SECStatus rv;
+
+    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	PORT_SetError (SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    pubk = (SECKEYPublicKey *) PORT_ArenaZAlloc (arena, sizeof (SECKEYPublicKey));
+    if (pubk != NULL) {
+	pubk->arena = arena;
+	pubk->pkcs11Slot = NULL;
+	pubk->pkcs11ID = 0;
+	prepare_rsa_pub_key_for_asn1(pubk);
+	rv = SEC_ASN1DecodeItem(arena, pubk, SECKEY_RSAPublicKeyTemplate,
+				pubkder);
+	if (rv == SECSuccess)
+	    return pubk;
+	SECKEY_DestroyPublicKey (pubk);
+    } else {
+	PORT_SetError (SEC_ERROR_NO_MEMORY);
+    }
+
+    PORT_FreeArena (arena, PR_FALSE);
+    return NULL;
+}
+
+/*
+ * Decode a base64 ascii encoded DER encoded public key.
+ */
+SECKEYPublicKey *
+SECKEY_ConvertAndDecodePublicKey(char *pubkstr)
+{
+    SECKEYPublicKey *pubk;
+    SECStatus rv;
+    SECItem der;
+
+    rv = ATOB_ConvertAsciiToItem (&der, pubkstr);
+    if (rv != SECSuccess)
+	return NULL;
+
+    pubk = SECKEY_DecodeDERPublicKey (&der);
+
+    PORT_Free (der.data);
+    return pubk;
+}
+
+SECItem *
+SECKEY_EncodeDERSubjectPublicKeyInfo(SECKEYPublicKey *pubk)
+{
+    CERTSubjectPublicKeyInfo *spki=NULL;
+    SECItem *spkiDER=NULL;
+
+    /* get the subjectpublickeyinfo */
+    spki = SECKEY_CreateSubjectPublicKeyInfo(pubk);
+    if( spki == NULL ) {
+	goto finish;
+    }
+
+    /* DER-encode the subjectpublickeyinfo */
+    spkiDER = SEC_ASN1EncodeItem(NULL /*arena*/, NULL/*dest*/, spki,
+					CERT_SubjectPublicKeyInfoTemplate);
+finish:
+    if (spki!=NULL) {
+	SECKEY_DestroySubjectPublicKeyInfo(spki);
+    }
+    return spkiDER;
+}
+
+
+CERTSubjectPublicKeyInfo *
+SECKEY_DecodeDERSubjectPublicKeyInfo(SECItem *spkider)
+{
+    PRArenaPool *arena;
+    CERTSubjectPublicKeyInfo *spki;
+    SECStatus rv;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    spki = (CERTSubjectPublicKeyInfo *)
+		PORT_ArenaZAlloc(arena, sizeof (CERTSubjectPublicKeyInfo));
+    if (spki != NULL) {
+	spki->arena = arena;
+	rv = SEC_ASN1DecodeItem(arena,spki,
+				CERT_SubjectPublicKeyInfoTemplate,spkider);
+	if (rv == SECSuccess)
+	    return spki;
+	SECKEY_DestroySubjectPublicKeyInfo(spki);
+    } else {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+    }
+
+    PORT_FreeArena(arena, PR_FALSE);
+    return NULL;
+}
+
+/*
+ * Decode a base64 ascii encoded DER encoded subject public key info.
+ */
+CERTSubjectPublicKeyInfo *
+SECKEY_ConvertAndDecodeSubjectPublicKeyInfo(char *spkistr)
+{
+    CERTSubjectPublicKeyInfo *spki;
+    SECStatus rv;
+    SECItem der;
+
+    rv = ATOB_ConvertAsciiToItem(&der, spkistr);
+    if (rv != SECSuccess)
+	return NULL;
+
+    spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&der);
+
+    PORT_Free(der.data);
+    return spki;
+}
+
+/*
+ * Decode a base64 ascii encoded DER encoded public key and challenge
+ * Verify digital signature and make sure challenge matches
+ */
+CERTSubjectPublicKeyInfo *
+SECKEY_ConvertAndDecodePublicKeyAndChallenge(char *pkacstr, char *challenge,
+								void *wincx)
+{
+    CERTSubjectPublicKeyInfo *spki = NULL;
+    CERTPublicKeyAndChallenge pkac;
+    SECStatus rv;
+    SECItem signedItem;
+    PRArenaPool *arena = NULL;
+    CERTSignedData sd;
+    SECItem sig;
+    SECKEYPublicKey *pubKey = NULL;
+    unsigned int len;
+    
+    signedItem.data = NULL;
+    
+    /* convert the base64 encoded data to binary */
+    rv = ATOB_ConvertAsciiToItem(&signedItem, pkacstr);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    /* create an arena */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	goto loser;
+    }
+
+    /* decode the outer wrapping of signed data */
+    PORT_Memset(&sd, 0, sizeof(CERTSignedData));
+    rv = SEC_ASN1DecodeItem(arena, &sd, CERT_SignedDataTemplate, &signedItem );
+    if ( rv ) {
+	goto loser;
+    }
+
+    /* decode the public key and challenge wrapper */
+    PORT_Memset(&pkac, 0, sizeof(CERTPublicKeyAndChallenge));
+    rv = SEC_ASN1DecodeItem(arena, &pkac, CERT_PublicKeyAndChallengeTemplate, 
+			    &sd.data);
+    if ( rv ) {
+	goto loser;
+    }
+
+    /* decode the subject public key info */
+    spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&pkac.spki);
+    if ( spki == NULL ) {
+	goto loser;
+    }
+    
+    /* get the public key */
+    pubKey = seckey_ExtractPublicKey(spki);
+    if ( pubKey == NULL ) {
+	goto loser;
+    }
+
+    /* check the signature */
+    sig = sd.signature;
+    DER_ConvertBitString(&sig);
+    rv = VFY_VerifyData(sd.data.data, sd.data.len, pubKey, &sig,
+			SECOID_GetAlgorithmTag(&(sd.signatureAlgorithm)), wincx);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    /* check the challenge */
+    if ( challenge ) {
+	len = PORT_Strlen(challenge);
+	/* length is right */
+	if ( len != pkac.challenge.len ) {
+	    goto loser;
+	}
+	/* actual data is right */
+	if ( PORT_Memcmp(challenge, pkac.challenge.data, len) != 0 ) {
+	    goto loser;
+	}
+    }
+    goto done;
+
+loser:
+    /* make sure that we return null if we got an error */
+    if ( spki ) {
+	SECKEY_DestroySubjectPublicKeyInfo(spki);
+    }
+    spki = NULL;
+    
+done:
+    if ( signedItem.data ) {
+	PORT_Free(signedItem.data);
+    }
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    if ( pubKey ) {
+	SECKEY_DestroyPublicKey(pubKey);
+    }
+    
+    return spki;
+}
+
+void
+SECKEY_DestroyPrivateKeyInfo(SECKEYPrivateKeyInfo *pvk,
+			     PRBool freeit)
+{
+    PRArenaPool *poolp;
+
+    if(pvk != NULL) {
+	if(pvk->arena) {
+	    poolp = pvk->arena;
+	    /* zero structure since PORT_FreeArena does not support
+	     * this yet.
+	     */
+	    PORT_Memset(pvk->privateKey.data, 0, pvk->privateKey.len);
+	    PORT_Memset((char *)pvk, 0, sizeof(*pvk));
+	    if(freeit == PR_TRUE) {
+		PORT_FreeArena(poolp, PR_TRUE);
+	    } else {
+		pvk->arena = poolp;
+	    }
+	} else {
+	    SECITEM_ZfreeItem(&pvk->version, PR_FALSE);
+	    SECITEM_ZfreeItem(&pvk->privateKey, PR_FALSE);
+	    SECOID_DestroyAlgorithmID(&pvk->algorithm, PR_FALSE);
+	    PORT_Memset((char *)pvk, 0, sizeof(pvk));
+	    if(freeit == PR_TRUE) {
+		PORT_Free(pvk);
+	    }
+	}
+    }
+}
+
+void
+SECKEY_DestroyEncryptedPrivateKeyInfo(SECKEYEncryptedPrivateKeyInfo *epki,
+				      PRBool freeit)
+{
+    PRArenaPool *poolp;
+
+    if(epki != NULL) {
+	if(epki->arena) {
+	    poolp = epki->arena;
+	    /* zero structure since PORT_FreeArena does not support
+	     * this yet.
+	     */
+	    PORT_Memset(epki->encryptedData.data, 0, epki->encryptedData.len);
+	    PORT_Memset((char *)epki, 0, sizeof(*epki));
+	    if(freeit == PR_TRUE) {
+		PORT_FreeArena(poolp, PR_TRUE);
+	    } else {
+		epki->arena = poolp;
+	    }
+	} else {
+	    SECITEM_ZfreeItem(&epki->encryptedData, PR_FALSE);
+	    SECOID_DestroyAlgorithmID(&epki->algorithm, PR_FALSE);
+	    PORT_Memset((char *)epki, 0, sizeof(epki));
+	    if(freeit == PR_TRUE) {
+		PORT_Free(epki);
+	    }
+	}
+    }
+}
+
+SECStatus
+SECKEY_CopyPrivateKeyInfo(PRArenaPool *poolp,
+			  SECKEYPrivateKeyInfo *to,
+			  SECKEYPrivateKeyInfo *from)
+{
+    SECStatus rv = SECFailure;
+
+    if((to == NULL) || (from == NULL)) {
+	return SECFailure;
+    }
+
+    rv = SECOID_CopyAlgorithmID(poolp, &to->algorithm, &from->algorithm);
+    if(rv != SECSuccess) {
+	return SECFailure;
+    }
+    rv = SECITEM_CopyItem(poolp, &to->privateKey, &from->privateKey);
+    if(rv != SECSuccess) {
+	return SECFailure;
+    }
+    rv = SECITEM_CopyItem(poolp, &to->version, &from->version);
+
+    return rv;
+}
+
+SECStatus
+SECKEY_CopyEncryptedPrivateKeyInfo(PRArenaPool *poolp, 
+				   SECKEYEncryptedPrivateKeyInfo *to,
+				   SECKEYEncryptedPrivateKeyInfo *from)
+{
+    SECStatus rv = SECFailure;
+
+    if((to == NULL) || (from == NULL)) {
+	return SECFailure;
+    }
+
+    rv = SECOID_CopyAlgorithmID(poolp, &to->algorithm, &from->algorithm);
+    if(rv != SECSuccess) {
+	return SECFailure;
+    }
+    rv = SECITEM_CopyItem(poolp, &to->encryptedData, &from->encryptedData);
+
+    return rv;
+}
+
+KeyType
+SECKEY_GetPrivateKeyType(SECKEYPrivateKey *privKey)
+{
+   return privKey->keyType;
+}
+
+KeyType
+SECKEY_GetPublicKeyType(SECKEYPublicKey *pubKey)
+{
+   return pubKey->keyType;
+}
+
+SECKEYPublicKey*
+SECKEY_ImportDERPublicKey(SECItem *derKey, CK_KEY_TYPE type)
+{
+    SECKEYPublicKey *pubk = NULL;
+    SECStatus rv = SECFailure;
+
+    pubk = PORT_ZNew(SECKEYPublicKey);
+    if(pubk == NULL) {
+        goto finish;
+    }
+    pubk->arena = NULL;
+    pubk->pkcs11Slot = NULL;
+    pubk->pkcs11ID = CK_INVALID_HANDLE;
+
+    switch( type ) {
+      case CKK_RSA:
+	prepare_rsa_pub_key_for_asn1(pubk);
+        rv = SEC_ASN1DecodeItem(NULL, pubk, SECKEY_RSAPublicKeyTemplate,derKey);
+        pubk->keyType = rsaKey;
+        break;
+      case CKK_DSA:
+	prepare_dsa_pub_key_for_asn1(pubk);
+        rv = SEC_ASN1DecodeItem(NULL, pubk, SECKEY_DSAPublicKeyTemplate,derKey);
+        pubk->keyType = dsaKey;
+        break;
+      case CKK_DH:
+	prepare_dh_pub_key_for_asn1(pubk);
+        rv = SEC_ASN1DecodeItem(NULL, pubk, SECKEY_DHPublicKeyTemplate, derKey);
+        pubk->keyType = dhKey;
+        break;
+      default:
+        rv = SECFailure;
+        break;
+    }
+
+finish:
+    if( rv != SECSuccess && pubk != NULL) {
+        PORT_Free(pubk);
+        pubk = NULL;
+    }
+    return pubk;
+}
+
+SECKEYPrivateKeyList*
+SECKEY_NewPrivateKeyList(void)
+{
+    PRArenaPool *arena = NULL;
+    SECKEYPrivateKeyList *ret = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+        goto loser;
+    }
+
+    ret = (SECKEYPrivateKeyList *)PORT_ArenaZAlloc(arena,
+                sizeof(SECKEYPrivateKeyList));
+    if ( ret == NULL ) {
+        goto loser;
+    }
+
+    ret->arena = arena;
+
+    PR_INIT_CLIST(&ret->list);
+
+    return(ret);
+
+loser:
+    if ( arena != NULL ) {
+        PORT_FreeArena(arena, PR_FALSE);
+    }
+
+    return(NULL);
+}
+
+void
+SECKEY_DestroyPrivateKeyList(SECKEYPrivateKeyList *keys)
+{
+    while( !PR_CLIST_IS_EMPTY(&keys->list) ) {
+        SECKEY_RemovePrivateKeyListNode(
+            (SECKEYPrivateKeyListNode*)(PR_LIST_HEAD(&keys->list)) );
+    }
+
+    PORT_FreeArena(keys->arena, PR_FALSE);
+
+    return;
+}
+
+
+void
+SECKEY_RemovePrivateKeyListNode(SECKEYPrivateKeyListNode *node)
+{
+    PR_ASSERT(node->key);
+    SECKEY_DestroyPrivateKey(node->key);
+    node->key = NULL;
+    PR_REMOVE_LINK(&node->links);
+    return;
+
+}
+
+SECStatus
+SECKEY_AddPrivateKeyToListTail( SECKEYPrivateKeyList *list,
+                                SECKEYPrivateKey *key)
+{
+    SECKEYPrivateKeyListNode *node;
+
+    node = (SECKEYPrivateKeyListNode *)PORT_ArenaZAlloc(list->arena,
+                sizeof(SECKEYPrivateKeyListNode));
+    if ( node == NULL ) {
+        goto loser;
+    }
+
+    PR_INSERT_BEFORE(&node->links, &list->list);
+    node->key = key;
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+
+SECKEYPublicKeyList*
+SECKEY_NewPublicKeyList(void)
+{
+    PRArenaPool *arena = NULL;
+    SECKEYPublicKeyList *ret = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+        goto loser;
+    }
+
+    ret = (SECKEYPublicKeyList *)PORT_ArenaZAlloc(arena,
+                sizeof(SECKEYPublicKeyList));
+    if ( ret == NULL ) {
+        goto loser;
+    }
+
+    ret->arena = arena;
+
+    PR_INIT_CLIST(&ret->list);
+
+    return(ret);
+
+loser:
+    if ( arena != NULL ) {
+        PORT_FreeArena(arena, PR_FALSE);
+    }
+
+    return(NULL);
+}
+
+void
+SECKEY_DestroyPublicKeyList(SECKEYPublicKeyList *keys)
+{
+    while( !PR_CLIST_IS_EMPTY(&keys->list) ) {
+        SECKEY_RemovePublicKeyListNode(
+            (SECKEYPublicKeyListNode*)(PR_LIST_HEAD(&keys->list)) );
+    }
+
+    PORT_FreeArena(keys->arena, PR_FALSE);
+
+    return;
+}
+
+
+void
+SECKEY_RemovePublicKeyListNode(SECKEYPublicKeyListNode *node)
+{
+    PR_ASSERT(node->key);
+    SECKEY_DestroyPublicKey(node->key);
+    node->key = NULL;
+    PR_REMOVE_LINK(&node->links);
+    return;
+
+}
+
+SECStatus
+SECKEY_AddPublicKeyToListTail( SECKEYPublicKeyList *list,
+                                SECKEYPublicKey *key)
+{
+    SECKEYPublicKeyListNode *node;
+
+    node = (SECKEYPublicKeyListNode *)PORT_ArenaZAlloc(list->arena,
+                sizeof(SECKEYPublicKeyListNode));
+    if ( node == NULL ) {
+        goto loser;
+    }
+
+    PR_INSERT_BEFORE(&node->links, &list->list);
+    node->key = key;
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
diff --git a/security/nss/lib/cryptohi/secsign.c b/security/nss/lib/cryptohi/secsign.c
new file mode 100644
index 000000000..98131c6eb
--- /dev/null
+++ b/security/nss/lib/cryptohi/secsign.c
@@ -0,0 +1,500 @@
+/*
+ * Signature stuff.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include <stdio.h>
+#include "cryptohi.h"
+#include "sechash.h"
+#include "secder.h"
+#include "keyhi.h"
+#include "secoid.h"
+#include "secdig.h"
+#include "pk11func.h"
+#include "secerr.h"
+
+struct SGNContextStr {
+    SECOidTag signalg;
+    SECOidTag hashalg;
+    void *hashcx;
+    const SECHashObject *hashobj;
+    SECKEYPrivateKey *key;
+};
+
+SGNContext *
+SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *key)
+{
+    SGNContext *cx;
+    SECOidTag hashalg, signalg;
+    KeyType keyType;
+
+    /* OK, map a PKCS #7 hash and encrypt algorithm into
+     * a standard hashing algorithm. Why did we pass in the whole
+     * PKCS #7 algTag if we were just going to change here you might
+     * ask. Well the answer is for some cards we may have to do the
+     * hashing on card. It may not support CKM_RSA_PKCS sign algorithm,
+     * it may just support CKM_RSA_PKCS_WITH_SHA1 and/or CKM_RSA_PKCS_WITH_MD5.
+     */
+    switch (alg) {
+      /* We probably shouldn't be generating MD2 signatures either */
+      case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
+	hashalg = SEC_OID_MD2;
+	signalg = SEC_OID_PKCS1_RSA_ENCRYPTION;
+	keyType = rsaKey;
+	break;
+      case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
+        hashalg = SEC_OID_MD5;
+	signalg = SEC_OID_PKCS1_RSA_ENCRYPTION;
+	keyType = rsaKey;
+	break;
+      case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
+      case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
+	hashalg = SEC_OID_SHA1;
+	signalg = SEC_OID_PKCS1_RSA_ENCRYPTION;
+	keyType = rsaKey;
+	break;
+      /* what about normal DSA? */
+      case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
+      case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
+	hashalg = SEC_OID_SHA1;
+	signalg = SEC_OID_ANSIX9_DSA_SIGNATURE;
+	keyType = dsaKey;
+	break;
+      case SEC_OID_MISSI_DSS:
+      case SEC_OID_MISSI_KEA_DSS:
+      case SEC_OID_MISSI_KEA_DSS_OLD:
+      case SEC_OID_MISSI_DSS_OLD:
+	hashalg = SEC_OID_SHA1;
+	signalg = SEC_OID_MISSI_DSS; /* XXX Is there a better algid? */
+	keyType = fortezzaKey;
+	break;
+      /* we don't implement MD4 hashes. 
+       * we *CERTAINLY* don't want to sign one! */
+      case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
+      default:
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return 0;
+    }
+
+    /* verify our key type */
+    if (key->keyType != keyType &&
+	!((key->keyType == dsaKey) && (keyType == fortezzaKey)) &&
+	!((key->keyType == fortezzaKey) && (keyType == dsaKey)) ) {
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return 0;
+    }
+
+    cx = (SGNContext*) PORT_ZAlloc(sizeof(SGNContext));
+    if (cx) {
+	cx->hashalg = hashalg;
+	cx->signalg = signalg;
+	cx->key = key;
+    }
+    return cx;
+}
+
+void
+SGN_DestroyContext(SGNContext *cx, PRBool freeit)
+{
+    if (cx) {
+	if (cx->hashcx != NULL) {
+	    (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE);
+	    cx->hashcx = NULL;
+	}
+	if (freeit) {
+	    PORT_ZFree(cx, sizeof(SGNContext));
+	}
+    }
+}
+
+SECStatus
+SGN_Begin(SGNContext *cx)
+{
+    if (cx->hashcx != NULL) {
+	(*cx->hashobj->destroy)(cx->hashcx, PR_TRUE);
+	cx->hashcx = NULL;
+    }
+
+    switch (cx->hashalg) {
+      case SEC_OID_MD2:
+	cx->hashobj = &SECHashObjects[HASH_AlgMD2];
+	break;
+      case SEC_OID_MD5:
+	cx->hashobj = &SECHashObjects[HASH_AlgMD5];
+	break;
+      case SEC_OID_SHA1:
+	cx->hashobj = &SECHashObjects[HASH_AlgSHA1];
+	break;
+      default:
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return SECFailure;
+    }
+
+    cx->hashcx = (*cx->hashobj->create)();
+    if (cx->hashcx == NULL)
+	return SECFailure;
+
+    (*cx->hashobj->begin)(cx->hashcx);
+    return SECSuccess;
+}
+
+SECStatus
+SGN_Update(SGNContext *cx, unsigned char *input, unsigned inputLen)
+{
+    if (cx->hashcx == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    (*cx->hashobj->update)(cx->hashcx, input, inputLen);
+    return SECSuccess;
+}
+
+SECStatus
+SGN_End(SGNContext *cx, SECItem *result)
+{
+    unsigned char digest[32];
+    unsigned part1, signatureLen;
+    SECStatus rv;
+    SECItem digder, sigitem;
+    PRArenaPool *arena = 0;
+    SECKEYPrivateKey *privKey = cx->key;
+    SGNDigestInfo *di = 0;
+
+
+    result->data = 0;
+    digder.data = 0;
+
+    /* Finish up digest function */
+    if (cx->hashcx == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    (*cx->hashobj->end)(cx->hashcx, digest, &part1, sizeof(digest));
+
+
+    if (privKey->keyType == rsaKey) {
+
+	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	if ( !arena ) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+    
+	/* Construct digest info */
+	di = SGN_CreateDigestInfo(cx->hashalg, digest, part1);
+	if (!di) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+
+	/* Der encode the digest as a DigestInfo */
+	rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate, di);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    } else {
+	digder.data = digest;
+	digder.len = part1;
+    }
+
+    /*
+    ** Encrypt signature after constructing appropriate PKCS#1 signature
+    ** block
+    */
+    signatureLen = PK11_SignatureLen(privKey);
+    sigitem.len = signatureLen;
+    sigitem.data = (unsigned char*) PORT_Alloc(signatureLen);
+
+    if (sigitem.data == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    rv = PK11_Sign(privKey, &sigitem, &digder);
+    if (rv != SECSuccess) {
+	PORT_Free(sigitem.data);
+	sigitem.data = NULL;
+    }
+
+    if (cx->signalg == SEC_OID_ANSIX9_DSA_SIGNATURE) {
+	rv = DSAU_EncodeDerSig(result, &sigitem);
+	PORT_Free(sigitem.data);
+	if (rv != SECSuccess)
+	    goto loser;
+    } else {
+	result->len = sigitem.len;
+	result->data = sigitem.data;
+    }
+
+  loser:
+    SGN_DestroyDigestInfo(di);
+    if (arena != NULL) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return rv;
+}
+
+/************************************************************************/
+
+/*
+** Sign a block of data returning in result a bunch of bytes that are the
+** signature. Returns zero on success, an error code on failure.
+*/
+SECStatus
+SEC_SignData(SECItem *res, unsigned char *buf, int len,
+	     SECKEYPrivateKey *pk, SECOidTag algid)
+{
+    SECStatus rv;
+    SGNContext *sgn;
+
+
+    sgn = SGN_NewContext(algid, pk);
+
+    if (sgn == NULL)
+	return SECFailure;
+
+    rv = SGN_Begin(sgn);
+    if (rv != SECSuccess)
+	goto loser;
+
+    rv = SGN_Update(sgn, buf, len);
+    if (rv != SECSuccess)
+	goto loser;
+
+    rv = SGN_End(sgn, res);
+
+  loser:
+    SGN_DestroyContext(sgn, PR_TRUE);
+    return rv;
+}
+
+/*
+** Sign the input file's contents returning in result a bunch of bytes
+** that are the signature. Returns zero on success, an error code on
+** failure.
+*/
+SECStatus
+SEC_SignFile(SECItem *result, FILE *input, 
+	     SECKEYPrivateKey *pk, SECOidTag algid)
+{
+    unsigned char buf[1024];
+    SECStatus rv;
+    int nb;
+    SGNContext *sgn;
+
+    sgn = SGN_NewContext(algid, pk);
+    if (sgn == NULL)
+	return SECFailure;
+    rv = SGN_Begin(sgn);
+    if (rv != SECSuccess)
+	goto loser;
+
+    /*
+    ** Now feed the contents of the input file into the digest
+    ** algorithm, one chunk at a time, until we have exhausted the
+    ** input
+    */
+    for (;;) {
+	if (feof(input)) break;
+	nb = fread(buf, 1, sizeof(buf), input);
+	if (nb == 0) {
+	    if (ferror(input)) {
+		PORT_SetError(SEC_ERROR_IO);
+		rv = SECFailure;
+		goto loser;
+	    }
+	    break;
+	}
+	rv = SGN_Update(sgn, buf, nb);
+	if (rv != SECSuccess)
+	    goto loser;
+    }
+
+    /* Sign the digest */
+    rv = SGN_End(sgn, result);
+    /* FALL THROUGH */
+
+  loser:
+    SGN_DestroyContext(sgn, PR_TRUE);
+    return rv;
+}
+
+/************************************************************************/
+    
+DERTemplate CERTSignedDataTemplate[] =
+{
+    { DER_SEQUENCE,
+	  0, NULL, sizeof(CERTSignedData) },
+    { DER_ANY,
+	  offsetof(CERTSignedData,data), },
+    { DER_INLINE,
+	  offsetof(CERTSignedData,signatureAlgorithm),
+	  SECAlgorithmIDTemplate, },
+    { DER_BIT_STRING,
+	  offsetof(CERTSignedData,signature), },
+    { 0, }
+};
+
+const SEC_ASN1Template CERT_SignedDataTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTSignedData) },
+    { SEC_ASN1_ANY,
+	  offsetof(CERTSignedData,data), },
+    { SEC_ASN1_INLINE,
+	  offsetof(CERTSignedData,signatureAlgorithm),
+	  SECOID_AlgorithmIDTemplate, },
+    { SEC_ASN1_BIT_STRING,
+	  offsetof(CERTSignedData,signature), },
+    { 0, }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SignedDataTemplate)
+
+
+SECStatus
+SEC_DerSignData(PRArenaPool *arena, SECItem *result, 
+	unsigned char *buf, int len, SECKEYPrivateKey *pk, SECOidTag algID)
+{
+    SECItem it;
+    CERTSignedData sd;
+    SECStatus rv;
+
+    it.data = 0;
+
+    /* XXX We should probably have some asserts here to make sure the key type
+     * and algID match
+     */
+
+    if (algID == SEC_OID_UNKNOWN) {
+	switch(pk->keyType) {
+	  case rsaKey:
+	    algID = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
+	    break;
+	  case dsaKey:
+	    algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
+	    break;
+	  default:
+	    return SECFailure;
+	    break;
+	}
+    }
+
+    /* Sign input buffer */
+    rv = SEC_SignData(&it, buf, len, pk, algID);
+    if (rv) goto loser;
+
+    /* Fill out SignedData object */
+    PORT_Memset(&sd, 0, sizeof(sd));
+    sd.data.data = buf;
+    sd.data.len = len;
+    sd.signature.data = it.data;
+    sd.signature.len = it.len << 3;		/* convert to bit string */
+    rv = SECOID_SetAlgorithmID(arena, &sd.signatureAlgorithm, algID, 0);
+    if (rv) goto loser;
+
+    /* DER encode the signed data object */
+    rv = DER_Encode(arena, result, CERTSignedDataTemplate, &sd);
+    /* FALL THROUGH */
+
+  loser:
+    PORT_Free(it.data);
+    return rv;
+}
+
+SECStatus
+SGN_Digest(SECKEYPrivateKey *privKey,
+		SECOidTag algtag, SECItem *result, SECItem *digest)
+{
+    unsigned modulusLen;
+    SECStatus rv;
+    SECItem digder;
+    PRArenaPool *arena = 0;
+    SGNDigestInfo *di = 0;
+
+
+    result->data = 0;
+
+    if (privKey->keyType == rsaKey) {
+
+	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	if ( !arena ) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+    
+	/* Construct digest info */
+	di = SGN_CreateDigestInfo(algtag, digest->data, digest->len);
+	if (!di) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+
+	/* Der encode the digest as a DigestInfo */
+	rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate, di);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    } else {
+	digder.data = digest->data;
+	digder.len = digest->len;
+    }
+
+    /*
+    ** Encrypt signature after constructing appropriate PKCS#1 signature
+    ** block
+    */
+    modulusLen = PK11_SignatureLen(privKey);
+    result->len = modulusLen;
+    result->data = (unsigned char*) PORT_Alloc(modulusLen);
+
+    if (result->data == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    rv = PK11_Sign(privKey, result, &digder);
+    if (rv != SECSuccess) {
+	PORT_Free(result->data);
+	result->data = NULL;
+    }
+
+  loser:
+    SGN_DestroyDigestInfo(di);
+    if (arena != NULL) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return rv;
+}
diff --git a/security/nss/lib/cryptohi/secvfy.c b/security/nss/lib/cryptohi/secvfy.c
new file mode 100644
index 000000000..bf63dd070
--- /dev/null
+++ b/security/nss/lib/cryptohi/secvfy.c
@@ -0,0 +1,494 @@
+/*
+ * Verification stuff.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include <stdio.h>
+#include "cryptohi.h"
+#include "sechash.h"
+#include "keyhi.h"
+#include "secasn1.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "secdig.h"
+#include "secerr.h"
+
+/*
+** Decrypt signature block using public key (in place)
+** XXX this is assuming that the signature algorithm has WITH_RSA_ENCRYPTION
+*/
+static SECStatus
+DecryptSigBlock(int *tagp, unsigned char *digest, SECKEYPublicKey *key,
+		SECItem *sig, char *wincx)
+{
+    SGNDigestInfo *di   = NULL;
+    unsigned char *dsig = NULL;
+    unsigned char *buf  = NULL;
+    SECStatus      rv;
+    SECOidTag      tag;
+    SECItem        it;
+
+    if (key == NULL) goto loser;
+
+    it.len  = SECKEY_PublicKeyStrength(key);
+    if (!it.len) goto loser;
+    it.data = buf = (unsigned char *)PORT_Alloc(it.len);
+    if (!buf) goto loser;
+
+    /* Decrypt signature block */
+    dsig = (unsigned char*) PORT_Alloc(sig->len);
+    if (dsig == NULL) goto loser;
+
+    /* decrypt the block */
+    rv = PK11_VerifyRecover(key, sig, &it, wincx);
+    if (rv != SECSuccess) goto loser;
+
+    di = SGN_DecodeDigestInfo(&it);
+    if (di == NULL) goto sigloser;
+
+    /*
+    ** Finally we have the digest info; now we can extract the algorithm
+    ** ID and the signature block
+    */
+    tag = SECOID_GetAlgorithmTag(&di->digestAlgorithm);
+    /* XXX Check that tag is an appropriate algorithm? */
+    if (di->digest.len > 32) {
+	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+	goto loser;
+    }
+    PORT_Memcpy(digest, di->digest.data, di->digest.len);
+    *tagp = tag;
+    goto done;
+
+  sigloser:
+    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+
+  loser:
+    rv = SECFailure;
+
+  done:
+    if (di   != NULL) SGN_DestroyDigestInfo(di);
+    if (dsig != NULL) PORT_Free(dsig);
+    if (buf  != NULL) PORT_Free(buf);
+    
+    return rv;
+}
+
+typedef enum { VFY_RSA, VFY_DSA} VerifyType;
+
+struct VFYContextStr {
+    SECOidTag alg;
+    VerifyType type;
+    SECKEYPublicKey *key;
+    /* digest holds the full dsa signature... 40 bytes */
+    unsigned char digest[DSA_SIGNATURE_LEN];
+    void * wincx;
+    void *hashcx;
+    const SECHashObject *hashobj;
+    SECOidTag sigAlg;
+    PRBool hasSignature;
+};
+
+/*
+ * decode the DSA signature from it's DER wrapping.
+ */
+static SECStatus
+decodeDSASignature(SECOidTag algid, SECItem *sig, unsigned char *digest) {
+    SECItem *dsasig = NULL;
+    SECStatus rv=SECSuccess;
+
+    /* if this is a DER encoded signature, decode it first */
+    if ((algid == SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) ||
+	(algid == SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) ||
+	(algid == SEC_OID_ANSIX9_DSA_SIGNATURE)) {
+	dsasig = DSAU_DecodeDerSig(sig);
+	if ((dsasig == NULL) || (dsasig->len != DSA_SIGNATURE_LEN)) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+	PORT_Memcpy(digest, dsasig->data, dsasig->len);
+    } else {
+	if (sig->len != DSA_SIGNATURE_LEN) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+	PORT_Memcpy(digest, sig->data, sig->len);
+    }
+
+loser:
+    if (dsasig != NULL)
+	SECITEM_FreeItem(dsasig, PR_TRUE);
+    return rv;
+     
+}
+/*
+ * Pulls the hash algorithm, signing algorithm, and key type out of a
+ * composite algorithm.
+ *
+ * alg: the composite algorithm to dissect.
+ * hashalg: address of a SECOidTag which will be set with the hash algorithm.
+ * signalg: address of a SECOidTag which will be set with the signing alg.
+ * keyType: address of a KeyType which will be set with the key type.
+ * Returns: SECSuccess if the algorithm was acceptable, SECFailure if the
+ *	algorithm was not found or was not a signing algorithm.
+ */
+static SECStatus
+decodeSigAlg(SECOidTag alg, SECOidTag *hashalg)
+{
+    PR_ASSERT(hashalg!=NULL);
+
+    switch (alg) {
+      /* We probably shouldn't be generating MD2 signatures either */
+      case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
+        *hashalg = SEC_OID_MD2;
+	return SECSuccess;
+      case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
+        *hashalg = SEC_OID_MD5;
+	return SECSuccess;
+      case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
+      case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
+        *hashalg = SEC_OID_SHA1;
+	return SECSuccess;
+      /* what about normal DSA? */
+      case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
+      case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
+        *hashalg = SEC_OID_SHA1;
+	return SECSuccess;
+      case SEC_OID_MISSI_DSS:
+      case SEC_OID_MISSI_KEA_DSS:
+      case SEC_OID_MISSI_KEA_DSS_OLD:
+      case SEC_OID_MISSI_DSS_OLD:
+        *hashalg = SEC_OID_SHA1;
+	return SECSuccess;
+      /* we don't implement MD4 hashes */
+      case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
+      default:
+        break;
+    }
+    return SECFailure;
+}
+
+VFYContext *
+VFY_CreateContext(SECKEYPublicKey *key, SECItem *sig, SECOidTag algid,
+		  void *wincx)
+{
+    VFYContext *cx;
+    SECStatus rv;
+
+    cx = (VFYContext*) PORT_ZAlloc(sizeof(VFYContext));
+    if (cx) {
+        cx->wincx = wincx;
+	cx->hasSignature = (sig != NULL);
+	cx->sigAlg = algid;
+	rv = SECSuccess;
+	switch (key->keyType) {
+	  case rsaKey:
+	    cx->type = VFY_RSA;
+	    cx->key = SECKEY_CopyPublicKey(key); /* extra safety precautions */
+	    if (sig) {
+		int hashid;
+	    	rv = DecryptSigBlock(&hashid, &cx->digest[0], 
+						key, sig, (char*)wincx);
+		cx->alg = hashid;
+	    } else {
+		rv = decodeSigAlg(algid,&cx->alg);
+	    }
+	    break;
+	  case fortezzaKey:
+	  case dsaKey:
+	    cx->type = VFY_DSA;
+	    cx->alg = SEC_OID_SHA1;
+	    cx->key = SECKEY_CopyPublicKey(key);
+	    if (sig) {
+	    	rv = decodeDSASignature(algid,sig,&cx->digest[0]);
+	    }
+	    break;
+	  default:
+	    rv = SECFailure;
+	    break;
+	}
+	if (rv) goto loser;
+	switch (cx->alg) {
+	  case SEC_OID_MD2:
+	  case SEC_OID_MD5:
+	  case SEC_OID_SHA1:
+	    break;
+	  default:
+	    PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	    goto loser;
+	}
+    }
+    return cx;
+
+  loser:
+    VFY_DestroyContext(cx, PR_TRUE);
+    return 0;
+}
+
+void
+VFY_DestroyContext(VFYContext *cx, PRBool freeit)
+{
+    if (cx) {
+	if (cx->hashcx != NULL) {
+	    (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE);
+	    cx->hashcx = NULL;
+	}
+	if (cx->key) {
+	    SECKEY_DestroyPublicKey(cx->key);
+	}
+	if (freeit) {
+	    PORT_ZFree(cx, sizeof(VFYContext));
+	}
+    }
+}
+
+SECStatus
+VFY_Begin(VFYContext *cx)
+{
+    if (cx->hashcx != NULL) {
+	(*cx->hashobj->destroy)(cx->hashcx, PR_TRUE);
+	cx->hashcx = NULL;
+    }
+
+    switch (cx->alg) {
+      case SEC_OID_MD2:
+	cx->hashobj = &SECHashObjects[HASH_AlgMD2];
+	break;
+      case SEC_OID_MD5:
+	cx->hashobj = &SECHashObjects[HASH_AlgMD5];
+	break;
+      case SEC_OID_SHA1:
+	cx->hashobj = &SECHashObjects[HASH_AlgSHA1];
+	break;
+      default:
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return SECFailure;
+    }
+
+    cx->hashcx = (*cx->hashobj->create)();
+    if (cx->hashcx == NULL)
+	return SECFailure;
+
+    (*cx->hashobj->begin)(cx->hashcx);
+    return SECSuccess;
+}
+
+SECStatus
+VFY_Update(VFYContext *cx, unsigned char *input, unsigned inputLen)
+{
+    if (cx->hashcx == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    (*cx->hashobj->update)(cx->hashcx, input, inputLen);
+    return SECSuccess;
+}
+
+SECStatus
+VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
+{
+    unsigned char final[32];
+    unsigned part;
+    SECItem hash,dsasig;
+    SECStatus rv;
+
+    if ((cx->hasSignature == PR_FALSE) && (sig == NULL)) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if (cx->hashcx == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    (*cx->hashobj->end)(cx->hashcx, final, &part, sizeof(final));
+    switch (cx->type) {
+      case VFY_DSA:
+	if (sig) {
+	    rv = decodeDSASignature(cx->sigAlg,sig,&cx->digest[0]);
+	    if (rv != SECSuccess) {
+		PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+		return SECFailure;
+	    }
+	} 
+	dsasig.data = cx->digest;
+	dsasig.len = DSA_SIGNATURE_LEN; /* magic size of dsa signature */
+	hash.data = final;
+	hash.len = part;
+	if (PK11_Verify(cx->key,&dsasig,&hash,cx->wincx) != SECSuccess) {
+		PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+		return SECFailure;
+	}
+	break;
+      case VFY_RSA:
+	if (sig) {
+	    int hashid;
+	    rv = DecryptSigBlock(&hashid, &cx->digest[0], 
+					    cx->key, sig, (char*)cx->wincx);
+	    if ((rv != SECSuccess) || (hashid != cx->alg)) {
+		PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+		return SECFailure;
+	    }
+	}
+	if (PORT_Memcmp(final, cx->digest, part)) {
+	    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+	    return SECFailure;
+	}
+	break;
+      default:
+	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+	return SECFailure; /* shouldn't happen */
+    }
+    return SECSuccess;
+}
+
+SECStatus
+VFY_End(VFYContext *cx)
+{
+    return VFY_EndWithSignature(cx,NULL);
+}
+
+/************************************************************************/
+/*
+ * Verify that a previously-computed digest matches a signature.
+ * XXX This should take a parameter that specifies the digest algorithm,
+ * and we should compare that the algorithm found in the DigestInfo
+ * matches it!
+ */
+SECStatus
+VFY_VerifyDigest(SECItem *digest, SECKEYPublicKey *key, SECItem *sig,
+		 SECOidTag algid, void *wincx)
+{
+    SECStatus rv;
+    VFYContext *cx;
+    SECItem dsasig;
+
+    rv = SECFailure;
+
+    cx = VFY_CreateContext(key, sig, algid, wincx);
+    if (cx != NULL) {
+	switch (key->keyType) {
+	case rsaKey:
+	    if (PORT_Memcmp(digest->data, cx->digest, digest->len)) {
+		PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+	    } else {
+		rv = SECSuccess;
+	    }
+	    break;
+	case fortezzaKey:
+	case dsaKey:
+	    dsasig.data = &cx->digest[0];
+	    dsasig.len = DSA_SIGNATURE_LEN; /* magic size of dsa signature */
+	    if (PK11_Verify(cx->key, &dsasig, digest, cx->wincx) != SECSuccess) {
+		PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+	    } else {
+		rv = SECSuccess;
+	    }
+	    break;
+	default:
+	    break;
+	}
+	VFY_DestroyContext(cx, PR_TRUE);
+    }
+    return rv;
+}
+
+SECStatus
+VFY_VerifyData(unsigned char *buf, int len, SECKEYPublicKey *key,
+	       SECItem *sig, SECOidTag algid, void *wincx)
+{
+    SECStatus rv;
+    VFYContext *cx;
+
+    cx = VFY_CreateContext(key, sig, algid, wincx);
+    if (cx == NULL)
+	return SECFailure;
+
+    rv = VFY_Begin(cx);
+    if (rv == SECSuccess) {
+	rv = VFY_Update(cx, buf, len);
+	if (rv == SECSuccess)
+	    rv = VFY_End(cx);
+    }
+
+    VFY_DestroyContext(cx, PR_TRUE);
+    return rv;
+}
+
+SECStatus
+SEC_VerifyFile(FILE *input, SECKEYPublicKey *key, SECItem *sig,
+	       SECOidTag algid, void *wincx)
+{
+    unsigned char buf[1024];
+    SECStatus rv;
+    int nb;
+    VFYContext *cx;
+
+    cx = VFY_CreateContext(key, sig, algid, wincx);
+    if (cx == NULL)
+	rv = SECFailure;
+
+    rv = VFY_Begin(cx);
+    if (rv == SECSuccess) {
+	/*
+	 * Now feed the contents of the input file into the digest algorithm,
+	 * one chunk at a time, until we have exhausted the input.
+	 */
+	for (;;) {
+	    if (feof(input))
+		break;
+	    nb = fread(buf, 1, sizeof(buf), input);
+	    if (nb == 0) {
+		if (ferror(input)) {
+		    PORT_SetError(SEC_ERROR_IO);
+		    VFY_DestroyContext(cx, PR_TRUE);
+		    return SECFailure;
+		}
+		break;
+	    }
+	    rv = VFY_Update(cx, buf, nb);
+	    if (rv != SECSuccess)
+		goto loser;
+	}
+    }
+
+    /* Verify the digest */
+    rv = VFY_End(cx);
+    /* FALL THROUGH */
+
+  loser:
+    VFY_DestroyContext(cx, PR_TRUE);
+    return rv;
+}
diff --git a/security/nss/lib/dev/Makefile b/security/nss/lib/dev/Makefile
new file mode 100644
index 000000000..4cbbfed70
--- /dev/null
+++ b/security/nss/lib/dev/Makefile
@@ -0,0 +1,40 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+export:: private_export
diff --git a/security/nss/lib/dev/ckhelper.c b/security/nss/lib/dev/ckhelper.c
new file mode 100644
index 000000000..85283ff1f
--- /dev/null
+++ b/security/nss/lib/dev/ckhelper.c
@@ -0,0 +1,292 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef DEV_H
+#include "dev.h"
+#endif /* DEV_H */
+
+#ifdef NSS_3_4_CODE
+#include "pkcs11.h"
+#else
+#ifndef NSSCKEPV_H
+#include "nssckepv.h"
+#endif /* NSSCKEPV_H */
+#endif /* NSS_3_4_CODE */
+
+#ifndef CKHELPER_H
+#include "ckhelper.h"
+#endif /* CKHELPER_H */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+static const CK_BBOOL s_true = CK_TRUE;
+NSS_IMPLEMENT_DATA const NSSItem
+g_ck_true = { (CK_VOID_PTR)&s_true, sizeof(s_true) };
+
+static const CK_BBOOL s_false = CK_FALSE;
+NSS_IMPLEMENT_DATA const NSSItem
+g_ck_false = { (CK_VOID_PTR)&s_false, sizeof(s_false) };
+
+static const CK_OBJECT_CLASS s_class_cert = CKO_CERTIFICATE;
+NSS_IMPLEMENT_DATA const NSSItem
+g_ck_class_cert = { (CK_VOID_PTR)&s_class_cert, sizeof(s_class_cert) };
+
+static const CK_OBJECT_CLASS s_class_pubkey = CKO_PUBLIC_KEY;
+NSS_IMPLEMENT_DATA const NSSItem
+g_ck_class_pubkey = { (CK_VOID_PTR)&s_class_pubkey, sizeof(s_class_pubkey) };
+
+static const CK_OBJECT_CLASS s_class_privkey = CKO_PRIVATE_KEY;
+NSS_IMPLEMENT_DATA const NSSItem
+g_ck_class_privkey = { (CK_VOID_PTR)&s_class_privkey, sizeof(s_class_privkey) };
+
+static PRBool
+is_string_attribute
+(
+  CK_ATTRIBUTE_TYPE aType
+)
+{
+    PRBool isString;
+    switch (aType) {
+    case CKA_LABEL:
+    case CKA_NETSCAPE_EMAIL:
+	isString = PR_TRUE;
+	break;
+    default:
+	isString = PR_FALSE;
+	break;
+    }
+    return isString;
+}
+
+NSS_IMPLEMENT PRStatus 
+nssCKObject_GetAttributes
+(
+  CK_OBJECT_HANDLE object,
+  CK_ATTRIBUTE_PTR obj_template,
+  CK_ULONG count,
+  NSSArena *arenaOpt,
+  nssSession *session,
+  NSSSlot *slot
+)
+{
+    nssArenaMark *mark = NULL;
+    CK_SESSION_HANDLE hSession;
+    CK_ULONG i = 0;
+    CK_RV ckrv;
+    PRStatus nssrv;
+    PRBool alloced = PR_FALSE;
+    hSession = session->handle; 
+    if (arenaOpt) {
+	mark = nssArena_Mark(arenaOpt);
+	if (!mark) {
+	    goto loser;
+	}
+    }
+    nssSession_EnterMonitor(session);
+    /* XXX kinda hacky, if the storage size is already in the first template
+     * item, then skip the alloc portion
+     */
+    if (obj_template[0].ulValueLen == 0) {
+	/* Get the storage size needed for each attribute */
+	ckrv = CKAPI(slot)->C_GetAttributeValue(hSession,
+	                                        object, obj_template, count);
+	if (ckrv != CKR_OK && 
+	    ckrv != CKR_ATTRIBUTE_TYPE_INVALID &&
+	    ckrv != CKR_ATTRIBUTE_SENSITIVE) 
+	{
+	    nssSession_ExitMonitor(session);
+	    /* set an error here */
+	    goto loser;
+	}
+	/* Allocate memory for each attribute. */
+	for (i=0; i<count; i++) {
+	    CK_ULONG ulValueLen = obj_template[i].ulValueLen;
+	    if (ulValueLen == 0) continue;
+	    if (ulValueLen == (CK_ULONG) -1) {
+		obj_template[i].ulValueLen = 0;
+		continue;
+	    }
+	    if (is_string_attribute(obj_template[i].type)) {
+		ulValueLen++;
+	    }
+	    obj_template[i].pValue = nss_ZAlloc(arenaOpt, ulValueLen);
+	    if (!obj_template[i].pValue) {
+		nssSession_ExitMonitor(session);
+		goto loser;
+	    }
+	}
+	alloced = PR_TRUE;
+    }
+    /* Obtain the actual attribute values. */
+    ckrv = CKAPI(slot)->C_GetAttributeValue(hSession,
+                                            object, obj_template, count);
+    nssSession_ExitMonitor(session);
+    if (ckrv != CKR_OK && 
+        ckrv != CKR_ATTRIBUTE_TYPE_INVALID &&
+        ckrv != CKR_ATTRIBUTE_SENSITIVE) 
+    {
+	/* set an error here */
+	goto loser;
+    }
+    if (alloced && arenaOpt) {
+	nssrv = nssArena_Unmark(arenaOpt, mark);
+	if (nssrv != PR_SUCCESS) {
+	    goto loser;
+	}
+    }
+
+    if (count > 1 && ((ckrv == CKR_ATTRIBUTE_TYPE_INVALID) || 
+					(ckrv == CKR_ATTRIBUTE_SENSITIVE))) {
+	/* old tokens would keep the length of '0' and not deal with any
+	 * of the attributes we passed. For those tokens read them one at
+	 * a time */
+	for (i=0; i < count; i++) {
+	    if (obj_template[i].ulValueLen == 0) {
+		(void) nssCKObject_GetAttributes(object,&obj_template[i], 1,
+			arenaOpt, session, slot);
+	    }
+	}
+    }
+    return PR_SUCCESS;
+loser:
+    if (alloced) {
+	if (arenaOpt) {
+	    /* release all arena memory allocated before the failure. */
+	    (void)nssArena_Release(arenaOpt, mark);
+	} else {
+	    CK_ULONG j;
+	    /* free each heap object that was allocated before the failure. */
+	    for (j=0; j<i; j++) {
+		nss_ZFreeIf(obj_template[j].pValue);
+	    }
+	}
+    }
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+nssCKObject_GetAttributeItem
+(
+  CK_OBJECT_HANDLE object,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSArena *arenaOpt,
+  nssSession *session,
+  NSSSlot *slot,
+  NSSItem *rvItem
+)
+{
+    CK_ATTRIBUTE attr = { 0, NULL, 0 };
+    PRStatus nssrv;
+    attr.type = attribute;
+    nssrv = nssCKObject_GetAttributes(object, &attr, 1, 
+                                      arenaOpt, session, slot);
+    if (nssrv != PR_SUCCESS) {
+	return nssrv;
+    }
+    rvItem->data = (void *)attr.pValue;
+    rvItem->size = (PRUint32)attr.ulValueLen;
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRBool
+nssCKObject_IsAttributeTrue
+(
+  CK_OBJECT_HANDLE object,
+  CK_ATTRIBUTE_TYPE attribute,
+  nssSession *session,
+  NSSSlot *slot,
+  PRStatus *rvStatus
+)
+{
+    CK_BBOOL bool;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE atemplate = { 0, NULL, 0 };
+    CK_RV ckrv;
+    attr = &atemplate;
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, attribute, bool);
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(slot)->C_GetAttributeValue(session->handle, object, 
+                                            &atemplate, 1);
+    nssSession_ExitMonitor(session);
+    if (ckrv != CKR_OK) {
+	*rvStatus = PR_FAILURE;
+	return PR_FALSE;
+    }
+    *rvStatus = PR_SUCCESS;
+    return (PRBool)(bool == CK_TRUE);
+}
+
+NSS_IMPLEMENT PRStatus 
+nssCKObject_SetAttributes
+(
+  CK_OBJECT_HANDLE object,
+  CK_ATTRIBUTE_PTR obj_template,
+  CK_ULONG count,
+  nssSession *session,
+  NSSSlot  *slot
+)
+{
+    CK_RV ckrv;
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(slot)->C_SetAttributeValue(session->handle, object, 
+                                            obj_template, count);
+    nssSession_ExitMonitor(session);
+    if (ckrv == CKR_OK) {
+	return PR_SUCCESS;
+    } else {
+	return PR_FAILURE;
+    }
+}
+
+NSS_IMPLEMENT PRBool
+nssCKObject_IsTokenObjectTemplate
+(
+  CK_ATTRIBUTE_PTR objectTemplate, 
+  CK_ULONG otsize
+)
+{
+    CK_ULONG ul;
+    for (ul=0; ul<otsize; ul++) {
+	if (objectTemplate[ul].type == CKA_TOKEN) {
+	    return (*((CK_BBOOL*)objectTemplate[ul].pValue) == CK_TRUE);
+	}
+    }
+    return PR_FALSE;
+}
+
diff --git a/security/nss/lib/dev/ckhelper.h b/security/nss/lib/dev/ckhelper.h
new file mode 100644
index 000000000..1d92eec0e
--- /dev/null
+++ b/security/nss/lib/dev/ckhelper.h
@@ -0,0 +1,178 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * ckhelper.h
+ *
+ * This file contains some helper utilities for interaction with cryptoki.
+ */
+
+#ifndef CKHELPER_H
+#define CKHELPER_H
+
+#ifdef DEBUG
+static const char CKHELPER_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+PR_BEGIN_EXTERN_C
+
+/* Shortcut to cryptoki API functions. */
+#define CKAPI(x) \
+    ((CK_FUNCTION_LIST_PTR)((x)->epv))
+
+/* Some globals to keep from constantly redeclaring common cryptoki
+ * attribute types on the stack.
+ */
+
+/* Boolean values */
+NSS_EXTERN_DATA const NSSItem g_ck_true;
+NSS_EXTERN_DATA const NSSItem g_ck_false;
+
+/* Object classes */
+NSS_EXTERN_DATA const NSSItem g_ck_class_cert;
+NSS_EXTERN_DATA const NSSItem g_ck_class_pubkey;
+NSS_EXTERN_DATA const NSSItem g_ck_class_privkey;
+
+#define NSS_CK_TEMPLATE_START(_template, attr, size)   \
+    attr = _template;                                  \
+    size = 0;
+
+#define NSS_CK_SET_ATTRIBUTE_ITEM(pattr, kind, item)  \
+    (pattr)->type = kind;                             \
+    (pattr)->pValue = (CK_VOID_PTR)(item)->data;      \
+    (pattr)->ulValueLen = (CK_ULONG)(item)->size;     \
+    (pattr)++;
+
+#define NSS_CK_SET_ATTRIBUTE_UTF8(pattr, kind, utf8)  \
+    (pattr)->type = kind;                             \
+    (pattr)->pValue = (CK_VOID_PTR)utf8;              \
+    (pattr)->ulValueLen = (CK_ULONG)nssUTF8_Size(utf8, NULL); \
+    if ((pattr)->ulValueLen) ((pattr)->ulValueLen)--; \
+    (pattr)++;
+
+#define NSS_CK_SET_ATTRIBUTE_VAR(pattr, kind, var)    \
+    (pattr)->type = kind;                             \
+    (pattr)->pValue = (CK_VOID_PTR)&var;              \
+    (pattr)->ulValueLen = (CK_ULONG)sizeof(var);      \
+    (pattr)++;
+
+#define NSS_CK_TEMPLATE_FINISH(_template, attr, size) \
+    size = (attr) - (_template);                      \
+    PR_ASSERT(size <= sizeof(_template)/sizeof(_template[0]));
+
+/* NSS_CK_ATTRIBUTE_TO_ITEM(attrib, item)
+ *
+ * Convert a CK_ATTRIBUTE to an NSSItem.
+ */
+#define NSS_CK_ATTRIBUTE_TO_ITEM(attrib, item)         \
+    if ((CK_LONG)(attrib)->ulValueLen > 0) {           \
+	(item)->data = (void *)(attrib)->pValue;       \
+	(item)->size = (PRUint32)(attrib)->ulValueLen; \
+    } else {                                           \
+	(item)->data = 0;                              \
+	(item)->size = 0;                              \
+    }
+
+/* NSS_CK_ATTRIBUTE_TO_UTF8(attrib, str)
+ *
+ * Convert a CK_ATTRIBUTE to a string.
+ */
+#define NSS_CK_ATTRIBUTE_TO_UTF8(attrib, str)      \
+    str = (NSSUTF8 *)((attrib)->pValue);
+
+/* NSS_CK_ITEM_TO_ATTRIBUTE(item, attrib)
+ *
+ * Convert an NSSItem to a  CK_ATTRIBUTE.
+ */
+#define NSS_CK_ITEM_TO_ATTRIBUTE(item, attrib)     \
+    (attrib)->pValue = (CK_VOID_PTR)(item)->data;  \
+    (attrib)->ulValueLen = (CK_ULONG)(item)->size; \
+
+/* Get an array of attributes from an object. */
+NSS_EXTERN PRStatus 
+nssCKObject_GetAttributes
+(
+  CK_OBJECT_HANDLE object,
+  CK_ATTRIBUTE_PTR obj_template,
+  CK_ULONG count,
+  NSSArena *arenaOpt,
+  nssSession *session,
+  NSSSlot  *slot
+);
+
+/* Get a single attribute as an item. */
+NSS_EXTERN PRStatus
+nssCKObject_GetAttributeItem
+(
+  CK_OBJECT_HANDLE object,
+  CK_ATTRIBUTE_TYPE attribute,
+  NSSArena *arenaOpt,
+  nssSession *session,
+  NSSSlot *slot,
+  NSSItem *rvItem
+);
+
+NSS_EXTERN PRBool
+nssCKObject_IsAttributeTrue
+(
+  CK_OBJECT_HANDLE object,
+  CK_ATTRIBUTE_TYPE attribute,
+  nssSession *session,
+  NSSSlot *slot,
+  PRStatus *rvStatus
+);
+
+NSS_EXTERN PRStatus 
+nssCKObject_SetAttributes
+(
+  CK_OBJECT_HANDLE object,
+  CK_ATTRIBUTE_PTR obj_template,
+  CK_ULONG count,
+  nssSession *session,
+  NSSSlot  *slot
+);
+
+NSS_EXTERN PRBool
+nssCKObject_IsTokenObjectTemplate
+(
+  CK_ATTRIBUTE_PTR objectTemplate, 
+  CK_ULONG otsize
+);
+
+PR_END_EXTERN_C
+
+#endif /* CKHELPER_H */
diff --git a/security/nss/lib/dev/config.mk b/security/nss/lib/dev/config.mk
new file mode 100644
index 000000000..4a9ed7dda
--- /dev/null
+++ b/security/nss/lib/dev/config.mk
@@ -0,0 +1,48 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+ifdef BUILD_IDG
+DEFINES += -DNSSDEBUG
+endif
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/dev/dev.h b/security/nss/lib/dev/dev.h
new file mode 100644
index 000000000..65dee8d63
--- /dev/null
+++ b/security/nss/lib/dev/dev.h
@@ -0,0 +1,492 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef DEV_H
+#define DEV_H
+
+#ifdef DEBUG
+static const char DEV_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef DEVT_H
+#include "devt.h"
+#endif /* DEVT_H */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSPKIT_H
+#include "nsspkit.h"
+#endif /* NSSPKIT_H */
+
+#ifndef BASET_H
+#include "baset.h"
+#endif /* BASET_H */
+
+/*
+ * nssdev.h
+ *
+ * This file prototypes the methods of the low-level cryptoki devices.
+ *
+ *  |-----------|---> NSSSlot <--> NSSToken
+ *  | NSSModule |---> NSSSlot <--> NSSToken
+ *  |-----------|---> NSSSlot <--> NSSToken
+ */
+
+PR_BEGIN_EXTERN_C
+
+NSS_EXTERN NSSModule *
+nssModule_Create
+(
+  NSSUTF8 *moduleOpt,
+  NSSUTF8 *uriOpt,
+  NSSUTF8 *opaqueOpt, /* XXX is this where the mech flags go??? */
+  void    *reserved
+  /* XXX more?  */
+);
+
+/* This is to use the new loading mechanism. */
+NSS_EXTERN NSSModule *
+nssModule_CreateFromSpec
+(
+  NSSUTF8 *moduleSpec
+);
+
+NSS_EXTERN PRStatus
+nssModule_Destroy
+(
+  NSSModule *mod
+);
+
+NSS_EXTERN NSSModule *
+nssModule_AddRef
+(
+  NSSModule *mod
+);
+
+NSS_EXTERN PRStatus
+nssModule_Load
+(
+  NSSModule *mod
+);
+
+NSS_EXTERN PRStatus
+nssModule_Unload
+(
+  NSSModule *mod
+);
+
+NSS_EXTERN PRStatus
+nssModule_LogoutAllSlots
+(
+  NSSModule *mod
+);
+
+NSS_EXTERN NSSSlot **
+nssModule_GetSlots
+(
+  NSSModule *mod
+);
+
+NSS_EXTERN NSSSlot *
+nssModule_FindSlotByName
+(
+  NSSModule *mod,
+  NSSUTF8 *slotName
+);
+
+NSS_EXTERN NSSToken *
+nssModule_FindTokenByName
+(
+  NSSModule *mod,
+  NSSUTF8 *tokenName
+);
+
+/* This descends from NSSTrustDomain_TraverseCertificates, a questionable
+ * function.  Do we want NSS to have access to this at the module level?
+ */
+NSS_EXTERN PRStatus *
+nssModule_TraverseCertificates
+(
+  NSSModule *mod,
+  PRStatus (*callback)(NSSCertificate *c, void *arg),
+  void *arg
+);
+
+NSS_EXTERN NSSSlot *
+nssSlot_Create
+(
+  NSSArena *arenaOpt,
+  CK_SLOT_ID slotId,
+  NSSModule *parent
+);
+
+NSS_EXTERN PRStatus
+nssSlot_Destroy
+(
+  NSSSlot *slot
+);
+
+NSS_EXTERN PRBool
+nssSlot_IsPermanent
+(
+  NSSSlot *slot
+);
+
+NSS_EXTERN PRStatus
+nssSlot_Refresh
+(
+  NSSSlot *slot
+);
+
+NSS_EXTERN NSSSlot *
+nssSlot_AddRef
+(
+  NSSSlot *slot
+);
+
+NSS_EXTERN NSSUTF8 *
+nssSlot_GetName
+(
+  NSSSlot *slot,
+  NSSArena *arenaOpt
+);
+
+NSS_EXTERN PRStatus
+nssSlot_Login
+(
+  NSSSlot *slot,
+  PRBool asSO,
+  NSSCallback *pwcb
+);
+extern const NSSError NSS_ERROR_INVALID_PASSWORD;
+extern const NSSError NSS_ERROR_USER_CANCELED;
+
+NSS_EXTERN PRStatus
+nssSlot_Logout
+(
+  NSSSlot *slot,
+  nssSession *sessionOpt
+);
+
+#define NSSSLOT_ASK_PASSWORD_FIRST_TIME -1
+#define NSSSLOT_ASK_PASSWORD_EVERY_TIME  0
+NSS_EXTERN void
+nssSlot_SetPasswordDefaults
+(
+  NSSSlot *slot,
+  PRInt32 askPasswordTimeout
+);
+
+NSS_EXTERN PRStatus
+nssSlot_SetPassword
+(
+  NSSSlot *slot,
+  NSSCallback *pwcb
+);
+extern const NSSError NSS_ERROR_INVALID_PASSWORD;
+extern const NSSError NSS_ERROR_USER_CANCELED;
+
+/*
+ * nssSlot_IsLoggedIn
+ */
+
+NSS_EXTERN nssSession *
+nssSlot_CreateSession
+(
+  NSSSlot *slot,
+  NSSArena *arenaOpt,
+  PRBool readWrite /* so far, this is the only flag used */
+);
+
+NSS_EXTERN NSSToken *
+nssToken_Create
+(
+  NSSArena *arenaOpt,
+  CK_SLOT_ID slotID,
+  NSSSlot *parent
+);
+
+NSS_EXTERN PRStatus
+nssToken_Destroy
+(
+  NSSToken *tok
+);
+
+NSS_EXTERN PRBool
+nssToken_IsPresent
+(
+  NSSToken *token
+);
+
+NSS_EXTERN NSSToken *
+nssToken_AddRef
+(
+  NSSToken *tok
+);
+
+NSS_EXTERN NSSUTF8 *
+nssToken_GetName
+(
+  NSSToken *tok
+);
+
+NSS_EXTERN PRStatus
+nssToken_ImportCertificate
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSCertificate *cert,
+  NSSUTF8 *nickname,
+  PRBool asTokenObject
+);
+ 
+NSS_EXTERN PRStatus
+nssToken_ImportTrust
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSTrust *trust,
+  PRBool asTokenObject
+);
+
+NSS_EXTERN PRStatus
+nssToken_SetTrustCache
+(
+  NSSToken *tok
+);
+
+NSS_EXTERN PRStatus
+nssToken_SetCrlCache
+(
+  NSSToken *tok
+);
+
+NSS_EXTERN PRBool
+nssToken_HasCrls
+(
+  NSSToken *tok
+);
+
+NSS_EXTERN PRStatus
+nssToken_SetHasCrls
+(
+  NSSToken *tok
+);
+
+NSS_EXTERN NSSPublicKey *
+nssToken_GenerateKeyPair
+(
+  NSSToken *tok,
+  nssSession *sessionOpt
+  /* algorithm and parameters */
+);
+
+NSS_EXTERN NSSSymmetricKey *
+nssToken_GenerateSymmetricKey
+(
+  NSSToken *tok,
+  nssSession *sessionOpt
+  /* algorithm and parameters */
+);
+
+/* Permanently remove an object from the token. */
+NSS_EXTERN PRStatus
+nssToken_DeleteStoredObject
+(
+  nssCryptokiInstance *instance
+);
+
+NSS_EXTERN NSSTrust *
+nssToken_FindTrustForCert
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSCertificate *c,
+  nssTokenSearchType searchType
+);
+
+NSS_EXTERN PRStatus
+nssToken_TraverseCertificates
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  nssTokenCertSearch *search
+);
+
+NSS_EXTERN PRStatus
+nssToken_TraverseCertificatesBySubject
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSDER *subject,
+  nssTokenCertSearch *search
+);
+
+NSS_EXTERN PRStatus
+nssToken_TraverseCertificatesByNickname
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSUTF8 *name,
+  nssTokenCertSearch *search
+);
+
+NSS_EXTERN PRStatus
+nssToken_TraverseCertificatesByEmail
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSASCII7 *email,
+  nssTokenCertSearch *search
+);
+
+NSS_EXTERN NSSCertificate *
+nssToken_FindCertificateByIssuerAndSerialNumber
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSDER *issuer,
+  NSSDER *serial,
+  nssTokenSearchType searchType
+);
+
+NSS_EXTERN NSSCertificate *
+nssToken_FindCertificateByEncodedCertificate
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSBER *encodedCertificate,
+  nssTokenSearchType searchType
+);
+
+NSS_EXTERN NSSTrust *
+nssToken_FindTrustForCert
+(
+  NSSToken *token,
+  nssSession *session,
+  NSSCertificate *c,
+  nssTokenSearchType searchType
+);
+
+NSS_EXTERN NSSItem *
+nssToken_Digest
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSAlgorithmAndParameters *ap,
+  NSSItem *data,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+NSS_EXTERN PRStatus
+nssToken_BeginDigest
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSAlgorithmAndParameters *ap
+);
+
+NSS_EXTERN PRStatus
+nssToken_ContinueDigest
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSItem *item
+);
+
+NSS_EXTERN NSSItem *
+nssToken_FinishDigest
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+NSS_EXTERN PRStatus
+nssSession_Destroy
+(
+  nssSession *s
+);
+
+/* would like to inline */
+NSS_EXTERN PRStatus
+nssSession_EnterMonitor
+(
+  nssSession *s
+);
+
+/* would like to inline */
+NSS_EXTERN PRStatus
+nssSession_ExitMonitor
+(
+  nssSession *s
+);
+
+/* would like to inline */
+NSS_EXTERN PRBool
+nssSession_IsReadWrite
+(
+  nssSession *s
+);
+
+NSS_EXTERN NSSAlgorithmAndParameters *
+NSSAlgorithmAndParameters_CreateSHA1Digest
+(
+  NSSArena *arenaOpt
+);
+
+NSS_EXTERN NSSAlgorithmAndParameters *
+NSSAlgorithmAndParameters_CreateMD5Digest
+(
+  NSSArena *arenaOpt
+);
+
+#ifdef NSS_3_4_CODE
+/* exposing this for the smart card cache code */
+NSS_EXTERN nssCryptokiInstance *
+nssCryptokiInstance_Create
+(
+  NSSArena *arena,
+  NSSToken *t, 
+  CK_OBJECT_HANDLE h,
+  PRBool isTokenObject
+);
+#endif
+
+PR_END_EXTERN_C
+
+#endif /* DEV_H */
diff --git a/security/nss/lib/dev/devm.h b/security/nss/lib/dev/devm.h
new file mode 100644
index 000000000..d226069c9
--- /dev/null
+++ b/security/nss/lib/dev/devm.h
@@ -0,0 +1,66 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef DEVM_H
+#define DEVM_H
+
+#ifdef DEBUG
+static const char DEVM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef DEVT_H
+#include "devt.h"
+#endif /* DEVT_H */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+PR_BEGIN_EXTERN_C
+
+/* PKCS#11 stores strings in a fixed-length buffer padded with spaces.  This
+ * function gets the length of the actual string.
+ */
+NSS_EXTERN PRUint32
+nssPKCS11StringLength(
+  CK_CHAR *pkcs11str, 
+  PRUint32 bufLen
+);
+
+PR_END_EXTERN_C
+
+#endif /* DEV_H */
diff --git a/security/nss/lib/dev/devmod.c b/security/nss/lib/dev/devmod.c
new file mode 100644
index 000000000..455d063e8
--- /dev/null
+++ b/security/nss/lib/dev/devmod.c
@@ -0,0 +1,396 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#include "nspr.h"
+
+#ifndef DEV_H
+#include "dev.h"
+#endif /* DEV_H */
+
+#ifndef DEVM_H
+#include "devm.h"
+#endif /* DEVM_H */
+
+#ifndef NSSCKEPV_H
+#include "nssckepv.h"
+#endif /* NSSCKEPV_H */
+
+#ifndef CKHELPER_H
+#include "ckhelper.h"
+#endif /* CKHELPER_H */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+/* Threading callbacks for C_Initialize.  Use NSPR threads. */
+
+CK_RV PR_CALLBACK 
+nss_ck_CreateMutex(CK_VOID_PTR_PTR pMutex)
+{
+    CK_VOID_PTR mutex = (CK_VOID_PTR)PZ_NewLock(nssILockOther);
+    if (mutex != NULL) {
+	*pMutex = (CK_VOID_PTR)mutex;
+	return CKR_OK;
+    }
+    return CKR_HOST_MEMORY;
+}
+
+CK_RV PR_CALLBACK
+nss_ck_DestroyMutex(CK_VOID_PTR mutex)
+{
+    PZ_DestroyLock((PZLock *)mutex);
+    return CKR_OK;
+}
+
+CK_RV PR_CALLBACK
+nss_ck_LockMutex(CK_VOID_PTR mutex)
+{
+    PZ_Lock((PZLock *)mutex);
+    return CKR_OK;
+}
+
+CK_RV PR_CALLBACK
+nss_ck_UnlockMutex(CK_VOID_PTR mutex)
+{
+    return (PZ_Unlock((PZLock *)mutex) == PR_SUCCESS) ? 
+	CKR_OK : CKR_MUTEX_NOT_LOCKED;
+}
+
+/* Default callback args to C_Initialize */
+static CK_C_INITIALIZE_ARGS 
+s_ck_initialize_args = {
+    nss_ck_CreateMutex,         /* CreateMutex  */
+    nss_ck_DestroyMutex,        /* DestroyMutex */
+    nss_ck_LockMutex,           /* LockMutex    */
+    nss_ck_UnlockMutex,         /* UnlockMutex  */
+    CKF_LIBRARY_CANT_CREATE_OS_THREADS |
+    CKF_OS_LOCKING_OK,          /* flags        */
+    NULL                        /* pReserved    */
+};
+
+/* Alloc memory for a module.  Copy in the module name and library path
+ *  if provided.  XXX use the opaque arg also, right? 
+ */
+NSS_IMPLEMENT NSSModule *
+nssModule_Create
+(
+  NSSUTF8 *moduleOpt,
+  NSSUTF8 *uriOpt,
+  NSSUTF8 *opaqueOpt,
+  void    *reserved
+)
+{
+    NSSArena *arena;
+    NSSModule *rvMod;
+    arena = NSSArena_Create();
+    if(!arena) {
+	return (NSSModule *)NULL;
+    }
+    rvMod = nss_ZNEW(arena, NSSModule);
+    if (!rvMod) {
+	goto loser;
+    }
+    if (moduleOpt) {
+	/* XXX making the gross assumption this is just the module name */
+	/* if the name is a duplicate, should that be tested here?  or
+	 *  wait for Load? 
+	 */
+	rvMod->name = nssUTF8_Duplicate(moduleOpt, arena);
+	if (!rvMod->name) {
+	    goto loser;
+	}
+    }
+    if (uriOpt) {
+	/* Load the module from a URI. */
+	/* XXX at this time - only file URI (even worse, no file:// for now) */
+	rvMod->libraryPath = nssUTF8_Duplicate(uriOpt, arena);
+	if (!rvMod->libraryPath) {
+	    goto loser;
+	}
+    }
+    rvMod->arena = arena;
+    rvMod->refCount = 1;
+    /* everything else is 0/NULL at this point. */
+    return rvMod;
+loser:
+    nssArena_Destroy(arena);
+    return (NSSModule *)NULL;
+}
+
+/* load all slots in a module. */
+static PRStatus
+module_load_slots(NSSModule *mod)
+{
+    CK_ULONG i, ulNumSlots;
+    CK_SLOT_ID *slotIDs;
+    nssArenaMark *mark = NULL;
+    NSSSlot **slots;
+    PRStatus nssrv;
+    CK_RV ckrv;
+    /* Get the number of slots */
+    ckrv = CKAPI(mod)->C_GetSlotList(CK_FALSE, NULL, &ulNumSlots);
+    if (ckrv != CKR_OK) {
+	/* what is the error? */
+	return PR_FAILURE;
+    }
+    /* Alloc memory for the array of slot ID's */
+    slotIDs = nss_ZNEWARRAY(NULL, CK_SLOT_ID, ulNumSlots);
+    if (!slotIDs) {
+	goto loser;
+    }
+    /* Get the actual slot list */
+    ckrv = CKAPI(mod)->C_GetSlotList(CK_FALSE, slotIDs, &ulNumSlots);
+    if (ckrv != CKR_OK) {
+	/* what is the error? */
+	goto loser;
+    }
+    /* Alloc memory for the array of slots, in the module's arena */
+    mark = nssArena_Mark(mod->arena);
+    if (!mark) {
+	return PR_FAILURE;
+    }
+    slots = nss_ZNEWARRAY(mod->arena, NSSSlot *, ulNumSlots);
+    if (!slots) {
+	goto loser;
+    }
+    /* Initialize each slot */
+    for (i=0; i<ulNumSlots; i++) {
+	slots[i] = nssSlot_Create(mod->arena, slotIDs[i], mod);
+    }
+    nss_ZFreeIf(slotIDs);
+    nssrv = nssArena_Unmark(mod->arena, mark);
+    if (nssrv != PR_SUCCESS) {
+	goto loser;
+    }
+    mod->slots = slots;
+    mod->numSlots = ulNumSlots;
+    return PR_SUCCESS;
+loser:
+    if (mark) {
+	nssArena_Release(mod->arena, mark);
+    }
+    nss_ZFreeIf(slotIDs);
+    return PR_FAILURE;
+}
+
+/* This is going to take much more thought.  The module has a list of slots,
+ * each of which points to a token.  Presumably, all are ref counted.  Some
+ * kind of consistency check is needed here, or perhaps at a higher level.
+ */
+NSS_IMPLEMENT PRStatus
+nssModule_Destroy
+(
+  NSSModule *mod
+)
+{
+    PRUint32 i;
+    if (--mod->refCount == 0) {
+	/* Ignore any failure here.  */
+	for (i=0; i<mod->numSlots; i++) {
+	    nssSlot_Destroy(mod->slots[i]);
+	}
+	(void)nssModule_Unload(mod);
+	return NSSArena_Destroy(mod->arena);
+    }
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT NSSModule *
+nssModule_AddRef
+(
+  NSSModule *mod
+)
+{
+    ++mod->refCount;
+    return mod;
+}
+
+NSS_IMPLEMENT PRStatus
+nssModule_Load
+(
+  NSSModule *mod
+)
+{
+    PRLibrary *library = NULL;
+    CK_C_GetFunctionList ep;
+    CK_RV ckrv;
+    /* Use NSPR to load the library */
+    library = PR_LoadLibrary((char *)mod->libraryPath);
+    if (!library) {
+	/* what's the error to set? */
+	return PR_FAILURE;
+    }
+    mod->library = library;
+    /* TODO: semantics here in SECMOD_LoadModule about module db */
+    /* Load the cryptoki entry point function */
+    ep = (CK_C_GetFunctionList)PR_FindSymbol(library, "C_GetFunctionList");
+    if (ep == NULL) {
+	goto loser;
+    }
+    /* Load the cryptoki entry point vector (function list) */
+    ckrv = (*ep)((CK_FUNCTION_LIST_PTR *)&mod->epv);
+    if (ckrv != CKR_OK) {
+	goto loser;
+    }
+    /* Initialize the module */
+    /* XXX This is where some additional parameters may need to come in,
+     *     SECMOD_LoadModule has LibraryParameters
+     */
+    ckrv = CKAPI(mod)->C_Initialize(&s_ck_initialize_args);
+    if (ckrv != CKR_OK) {
+	/* Apparently the token is not thread safe.  Retry without 
+	 * threading parameters. 
+	 */
+        mod->flags |= NSSMODULE_FLAGS_NOT_THREADSAFE;
+	ckrv = CKAPI(mod)->C_Initialize((CK_VOID_PTR)NULL);
+	if (ckrv != CKR_OK) {
+	    goto loser;
+	}
+    }
+    /* TODO: check the version # using C_GetInfo */
+    /* TODO: if the name is not set, get it from info.libraryDescription */
+    /* Now load the slots */
+    if (module_load_slots(mod) != PR_SUCCESS) {
+	goto loser;
+    }
+    /* Module has successfully loaded */
+    return PR_SUCCESS;
+loser:
+    if (library) {
+	PR_UnloadLibrary(library);
+    }
+    /* clear all values set above, they are invalid now */
+    mod->library = NULL;
+    mod->epv = NULL;
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+nssModule_Unload
+(
+  NSSModule *mod
+)
+{
+    PRStatus nssrv = PR_SUCCESS;
+    if (mod->library) {
+	(void)CKAPI(mod)->C_Finalize(NULL);
+	nssrv = PR_UnloadLibrary(mod->library);
+    }
+    /* Free the slots, yes? */
+    mod->library = NULL;
+    mod->epv = NULL;
+    return nssrv;
+}
+
+NSS_IMPLEMENT NSSSlot *
+nssModule_FindSlotByName
+(
+  NSSModule *mod,
+  NSSUTF8 *slotName
+)
+{
+    PRUint32 i;
+    PRStatus nssrv;
+    for (i=0; i<mod->numSlots; i++) {
+	if (nssUTF8_Equal(mod->slots[i]->name, slotName, &nssrv)) {
+	    return nssSlot_AddRef(mod->slots[i]);
+	}
+	if (nssrv != PR_SUCCESS) {
+	    break;
+	}
+    }
+    return (NSSSlot *)NULL;
+}
+
+NSS_EXTERN NSSToken *
+nssModule_FindTokenByName
+(
+  NSSModule *mod,
+  NSSUTF8 *tokenName
+)
+{
+    PRUint32 i;
+    PRStatus nssrv;
+    NSSToken *tok;
+    for (i=0; i<mod->numSlots; i++) {
+	tok = mod->slots[i]->token;
+	if (nssUTF8_Equal(tok->name, tokenName, &nssrv)) {
+	    return nssToken_AddRef(tok);
+	}
+	if (nssrv != PR_SUCCESS) {
+	    break;
+	}
+    }
+    return (NSSToken *)NULL;
+}
+
+NSS_IMPLEMENT PRStatus *
+nssModule_TraverseCertificates
+(
+  NSSModule *mod,
+  PRStatus (*callback)(NSSCertificate *c, void *arg),
+  void *arg
+)
+{
+    return NULL;
+}
+
+#ifdef DEBUG
+void
+nssModule_Debug(NSSModule *m)
+{
+    PRUint32 i;
+    printf("\n");
+    printf("Module Name: %s\n", m->name);
+    printf("Module Path: %s\n", m->libraryPath);
+    printf("Number of Slots in Module: %d\n\n", m->numSlots);
+    for (i=0; i<m->numSlots; i++) {
+	printf("\tSlot #%d\n", i);
+	if (m->slots[i]->name) {
+	    printf("\tSlot Name: %s\n", m->slots[i]->name);
+	} else {
+	    printf("\tSlot Name: <NULL>\n");
+	}
+	if (m->slots[i]->token) {
+	    printf("\tToken Name: %s\n", m->slots[i]->token->name);
+	} else {
+	    printf("\tToken: <NULL>\n");
+	}
+    }
+}
+#endif
diff --git a/security/nss/lib/dev/devobject.c b/security/nss/lib/dev/devobject.c
new file mode 100644
index 000000000..06150df50
--- /dev/null
+++ b/security/nss/lib/dev/devobject.c
@@ -0,0 +1,1093 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef DEV_H
+#include "dev.h"
+#endif /* DEV_H */
+
+#ifndef DEVM_H
+#include "devm.h"
+#endif /* DEVM_H */
+
+#ifndef NSSCKEPV_H
+#include "nssckepv.h"
+#endif /* NSSCKEPV_H */
+
+#ifndef CKHELPER_H
+#include "ckhelper.h"
+#endif /* CKHELPER_H */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+/* XXX */
+#ifndef PKI_H
+#include "pki.h"
+#endif /* PKI_H */
+
+/* XXX */
+#ifndef NSSPKI_H
+#include "nsspki.h"
+#endif /* NSSPKI_H */
+
+#ifdef NSS_3_4_CODE
+#include "pkim.h" /* for cert decoding */
+#include "pk11func.h" /* for PK11_HasRootCerts */
+#endif
+
+/* The number of object handles to grab during each call to C_FindObjects */
+#define OBJECT_STACK_SIZE 16
+
+NSS_IMPLEMENT PRStatus
+nssToken_DeleteStoredObject
+(
+  nssCryptokiInstance *instance
+)
+{
+    CK_RV ckrv;
+    PRStatus nssrv;
+    PRBool createdSession = PR_FALSE;
+    NSSToken *token = instance->token;
+    nssSession *session = NULL;
+    if (nssCKObject_IsAttributeTrue(instance->handle, CKA_TOKEN, 
+                                    token->defaultSession,
+	                            token->slot, &nssrv)) {
+       if (nssSession_IsReadWrite(token->defaultSession)) {
+	   session = token->defaultSession;
+       } else {
+	   session = nssSlot_CreateSession(token->slot, NULL, PR_TRUE);
+	   createdSession = PR_TRUE;
+       }
+    }
+    if (session == NULL) {
+	return PR_FAILURE;
+    }
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(token)->C_DestroyObject(session->handle, instance->handle);
+    nssSession_ExitMonitor(session);
+    if (createdSession) {
+	nssSession_Destroy(session);
+    }
+    if (ckrv != CKR_OK) {
+	return PR_FAILURE;
+    }
+    return PR_SUCCESS;
+}
+
+static CK_OBJECT_HANDLE
+import_object
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  CK_ATTRIBUTE_PTR objectTemplate,
+  CK_ULONG otsize
+)
+{
+    nssSession *session = NULL;
+    PRBool createdSession = PR_FALSE;
+    CK_OBJECT_HANDLE object;
+    CK_RV ckrv;
+    if (nssCKObject_IsTokenObjectTemplate(objectTemplate, otsize)) {
+	if (sessionOpt) {
+	    if (!nssSession_IsReadWrite(sessionOpt)) {
+		return CK_INVALID_HANDLE;
+	    } else {
+		session = sessionOpt;
+	    }
+	} else if (nssSession_IsReadWrite(tok->defaultSession)) {
+	    session = tok->defaultSession;
+	} else {
+	    session = nssSlot_CreateSession(tok->slot, NULL, PR_TRUE);
+	    createdSession = PR_TRUE;
+	}
+    } else {
+	session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+    }
+    if (session == NULL) {
+	return CK_INVALID_HANDLE;
+    }
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(tok->slot)->C_CreateObject(session->handle, 
+                                            objectTemplate, otsize,
+                                            &object);
+    nssSession_ExitMonitor(session);
+    if (createdSession) {
+	nssSession_Destroy(session);
+    }
+    if (ckrv != CKR_OK) {
+	return CK_INVALID_HANDLE;
+    }
+    return object;
+}
+
+static CK_OBJECT_HANDLE
+find_object_by_template
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  CK_ATTRIBUTE_PTR cktemplate,
+  CK_ULONG ctsize
+)
+{
+    CK_SESSION_HANDLE hSession;
+    CK_OBJECT_HANDLE rvObject = CK_INVALID_HANDLE;
+    CK_ULONG count = 0;
+    CK_RV ckrv;
+    nssSession *session;
+    session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+    hSession = session->handle;
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(tok)->C_FindObjectsInit(hSession, cktemplate, ctsize);
+    if (ckrv != CKR_OK) {
+	nssSession_ExitMonitor(session);
+	return CK_INVALID_HANDLE;
+    }
+    ckrv = CKAPI(tok)->C_FindObjects(hSession, &rvObject, 1, &count);
+    if (ckrv != CKR_OK) {
+	nssSession_ExitMonitor(session);
+	return CK_INVALID_HANDLE;
+    }
+    ckrv = CKAPI(tok)->C_FindObjectsFinal(hSession);
+    nssSession_ExitMonitor(session);
+    if (ckrv != CKR_OK) {
+	return CK_INVALID_HANDLE;
+    }
+    return rvObject;
+}
+
+static PRStatus 
+traverse_objects_by_template
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  CK_ATTRIBUTE_PTR obj_template,
+  CK_ULONG otsize,
+  PRStatus (*callback)(NSSToken *t, nssSession *session,
+                       CK_OBJECT_HANDLE h, void *arg),
+  void *arg
+)
+{
+    NSSSlot *slot;
+    PRStatus cbrv;
+    PRUint32 i;
+    CK_RV ckrv;
+    CK_ULONG count;
+    CK_OBJECT_HANDLE *objectStack;
+    CK_OBJECT_HANDLE startOS[OBJECT_STACK_SIZE];
+    CK_SESSION_HANDLE hSession;
+    NSSArena *objectArena = NULL;
+    nssSession *session;
+    nssList *objectList = NULL;
+    int objectStackSize = OBJECT_STACK_SIZE;
+    slot = tok->slot;
+    objectStack = startOS;
+    session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+    hSession = session->handle;
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(slot)->C_FindObjectsInit(hSession, obj_template, otsize);
+    if (ckrv != CKR_OK) {
+	nssSession_ExitMonitor(session);
+	goto loser;
+    }
+    while (PR_TRUE) {
+	ckrv = CKAPI(slot)->C_FindObjects(hSession, objectStack, 
+	                                  objectStackSize, &count);
+	if (ckrv != CKR_OK) {
+	    nssSession_ExitMonitor(session);
+	    goto loser;
+	}
+	if (count == objectStackSize) {
+	    if (!objectList) {
+		objectArena = NSSArena_Create();
+		objectList = nssList_Create(objectArena, PR_FALSE);
+	    }
+	    nssList_Add(objectList, objectStack);
+	    objectStackSize = objectStackSize * 2;
+	    objectStack = nss_ZNEWARRAY(objectArena, CK_OBJECT_HANDLE, 
+	                                objectStackSize);
+	    if (objectStack == NULL) {
+		count =0;
+		break;
+		/* return what we can */
+	    }
+	} else {
+	    break;
+	}
+    }
+    ckrv = CKAPI(slot)->C_FindObjectsFinal(hSession);
+    nssSession_ExitMonitor(session);
+    if (ckrv != CKR_OK) {
+	goto loser;
+    }
+    if (objectList) {
+	nssListIterator *objects;
+	CK_OBJECT_HANDLE *localStack;
+	objects = nssList_CreateIterator(objectList);
+	objectStackSize = OBJECT_STACK_SIZE;
+	for (localStack = (CK_OBJECT_HANDLE *)nssListIterator_Start(objects);
+	     localStack != NULL;
+	     localStack = (CK_OBJECT_HANDLE *)nssListIterator_Next(objects)) {
+	    for (i=0; i< objectStackSize; i++) {
+		cbrv = (*callback)(tok, session, localStack[i], arg);
+	    }
+	    objectStackSize = objectStackSize * 2;
+	}
+	nssListIterator_Finish(objects);
+	nssListIterator_Destroy(objects);
+    }
+    for (i=0; i<count; i++) {
+	cbrv = (*callback)(tok, session, objectStack[i], arg);
+    }
+    if (objectArena)
+	NSSArena_Destroy(objectArena);
+    return PR_SUCCESS;
+loser:
+    if (objectArena)
+	NSSArena_Destroy(objectArena);
+    return PR_FAILURE;
+}
+
+static nssCryptokiInstance *
+create_cryptoki_instance
+(
+  NSSArena *arena,
+  NSSToken *t, 
+  CK_OBJECT_HANDLE h,
+  PRBool isTokenObject
+)
+{
+    PRStatus nssrv;
+    nssCryptokiInstance *instance;
+    CK_ATTRIBUTE cert_template = { CKA_LABEL, NULL, 0 };
+    nssrv = nssCKObject_GetAttributes(h, &cert_template, 1,
+                                      arena, t->defaultSession, t->slot);
+    if (nssrv != PR_SUCCESS) {
+	/* a failure here indicates a device error */
+	return NULL;
+    }
+    instance = nss_ZNEW(arena, nssCryptokiInstance);
+    if (!instance) {
+	return NULL;
+    }
+    instance->handle = h;
+    instance->token = t;
+    instance->isTokenObject = isTokenObject;
+    NSS_CK_ATTRIBUTE_TO_UTF8(&cert_template, instance->label);
+    return instance;
+}
+
+#ifdef NSS_3_4_CODE
+/* exposing this for the smart card cache code */
+NSS_IMPLEMENT nssCryptokiInstance *
+nssCryptokiInstance_Create
+(
+  NSSArena *arena,
+  NSSToken *t, 
+  CK_OBJECT_HANDLE h,
+  PRBool isTokenObject
+)
+{
+    return create_cryptoki_instance(arena, t, h, isTokenObject);
+}
+#endif
+
+static NSSCertificateType
+nss_cert_type_from_ck_attrib(CK_ATTRIBUTE_PTR attrib)
+{
+    CK_CERTIFICATE_TYPE ckCertType;
+    if (!attrib->pValue) {
+	/* default to PKIX */
+	return NSSCertificateType_PKIX;
+    }
+    ckCertType = *((CK_ULONG *)attrib->pValue);
+    switch (ckCertType) {
+    case CKC_X_509:
+	return NSSCertificateType_PKIX;
+    default:
+	break;
+    }
+    return NSSCertificateType_Unknown;
+}
+
+/* Create a certificate from an object handle. */
+static NSSCertificate *
+get_token_cert
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  CK_OBJECT_HANDLE handle
+)
+{
+    NSSCertificate *rvCert;
+    NSSArena *arena;
+    nssSession *session;
+    PRStatus nssrv;
+    CK_ULONG template_size;
+    CK_ATTRIBUTE cert_template[] = {
+	{ CKA_CERTIFICATE_TYPE, NULL, 0 },
+	{ CKA_ID,               NULL, 0 },
+	{ CKA_VALUE,            NULL, 0 },
+	{ CKA_ISSUER,           NULL, 0 },
+	{ CKA_SERIAL_NUMBER,    NULL, 0 },
+	{ CKA_SUBJECT,          NULL, 0 },
+	{ CKA_NETSCAPE_EMAIL,   NULL, 0 }
+    };
+    template_size = sizeof(cert_template) / sizeof(cert_template[0]);
+    session = (sessionOpt) ? sessionOpt : token->defaultSession;
+    arena = nssArena_Create();
+    if (!arena) {
+	return NULL;
+    }
+    rvCert = nss_ZNEW(arena, NSSCertificate);
+    if (!rvCert) {
+	NSSArena_Destroy(arena);
+	return NULL;
+    }
+    nssrv = nssPKIObject_Initialize(&rvCert->object, arena, 
+                                    token->trustDomain, NULL);
+    if (nssrv != PR_SUCCESS) {
+	goto loser;
+    }
+    nssrv = nssCKObject_GetAttributes(handle, 
+                                      cert_template, template_size,
+                                      arena, session, token->slot);
+    if (nssrv != PR_SUCCESS) {
+	goto loser;
+    }
+    rvCert->type = nss_cert_type_from_ck_attrib(&cert_template[0]);
+    NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[1], &rvCert->id);
+    NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[2], &rvCert->encoding);
+    NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[3], &rvCert->issuer);
+    NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[4], &rvCert->serial);
+    NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[5], &rvCert->subject);
+    NSS_CK_ATTRIBUTE_TO_UTF8(&cert_template[6],  rvCert->email);
+    /* XXX this would be better accomplished by dividing attributes to
+     * retrieve into "required" and "optional"
+     */
+    if (rvCert->encoding.size == 0 ||
+        rvCert->issuer.size == 0 ||
+        rvCert->serial.size == 0 ||
+        rvCert->subject.size == 0) 
+    {
+	/* received a bum object from the token */
+	goto loser;
+    }
+#ifdef NSS_3_4_CODE
+    /* nss 3.4 database doesn't associate email address with cert */
+    if (!rvCert->email) {
+	nssDecodedCert *dc;
+	NSSASCII7 *email;
+	dc = nssCertificate_GetDecoding(rvCert);
+	if (dc) {
+	    email = dc->getEmailAddress(dc);
+	    if (email) 
+	    	rvCert->email = nssUTF8_Duplicate(email, arena);
+	} else {
+	    goto loser;
+	}
+    }
+    /* nss 3.4 must deal with tokens that do not follow the PKCS#11
+     * standard and return decoded serial numbers.  The easiest way to
+     * work around this is just to grab the serial # from the full encoding
+     */
+    if (PR_TRUE) {
+	nssDecodedCert *dc;
+	dc = nssCertificate_GetDecoding(rvCert);
+	if (dc) {
+	    PRStatus sn_stat;
+	    sn_stat = dc->getDERSerialNumber(dc, &rvCert->serial, arena);
+	    if (sn_stat != PR_SUCCESS) {
+		goto loser;
+	    }
+	} else {
+	    goto loser;
+	}
+    }
+#endif
+    return rvCert;
+loser:
+    nssPKIObject_Destroy(&rvCert->object);
+    return (NSSCertificate *)NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_ImportCertificate
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSCertificate *cert,
+  NSSUTF8 *nickname,
+  PRBool asTokenObject
+)
+{
+    nssCryptokiInstance *instance;
+    CK_CERTIFICATE_TYPE cert_type = CKC_X_509;
+    CK_OBJECT_HANDLE handle;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE cert_tmpl[9];
+    CK_ULONG ctsize;
+    NSS_CK_TEMPLATE_START(cert_tmpl, attr, ctsize);
+    if (asTokenObject) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    } else {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    }
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS,            &g_ck_class_cert);
+    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CERTIFICATE_TYPE,  cert_type);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID,               &cert->id);
+    NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL,             nickname);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_VALUE,            &cert->encoding);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER,           &cert->issuer);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT,          &cert->subject);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER,    &cert->serial);
+    NSS_CK_TEMPLATE_FINISH(cert_tmpl, attr, ctsize);
+    /* Import the certificate onto the token */
+    handle = import_object(tok, sessionOpt, cert_tmpl, ctsize);
+    if (handle == CK_INVALID_HANDLE) {
+	return PR_FAILURE;
+    }
+    instance = create_cryptoki_instance(cert->object.arena, 
+                                        tok, handle, asTokenObject);
+    if (!instance) {
+	/* XXX destroy object */
+	return PR_FAILURE;
+    }
+    nssList_Add(cert->object.instanceList, instance);
+    /* XXX Fix this! */
+    nssListIterator_Destroy(cert->object.instances);
+    cert->object.instances = nssList_CreateIterator(cert->object.instanceList);
+    return PR_SUCCESS;
+}
+
+static PRBool 
+compare_cert_by_encoding(void *a, void *b)
+{
+    NSSCertificate *c1 = (NSSCertificate *)a;
+    NSSCertificate *c2 = (NSSCertificate *)b;
+    return  (nssItem_Equal(&c1->encoding, &c2->encoding, NULL));
+}
+
+static PRStatus
+retrieve_cert(NSSToken *t, nssSession *session, CK_OBJECT_HANDLE h, void *arg)
+{
+    PRStatus nssrv;
+    PRBool found, inCache;
+    nssTokenCertSearch *search = (nssTokenCertSearch *)arg;
+    NSSCertificate *cert = NULL;
+    nssListIterator *instances;
+    nssCryptokiInstance *ci;
+    CK_ATTRIBUTE derValue = { CKA_VALUE, NULL, 0 };
+    inCache = PR_FALSE;
+    if (search->cached) {
+	NSSCertificate csi; /* a fake cert for indexing */
+	nssrv = nssCKObject_GetAttributes(h, &derValue, 1,
+	                                  NULL, session, t->slot);
+	NSS_CK_ATTRIBUTE_TO_ITEM(&derValue, &csi.encoding);
+	cert = (NSSCertificate *)nssList_Get(search->cached, &csi);
+	nss_ZFreeIf(csi.encoding.data);
+    }
+    found = PR_FALSE;
+    if (cert) {
+	inCache = PR_TRUE;
+	nssCertificate_AddRef(cert);
+	instances = cert->object.instances;
+	for (ci  = (nssCryptokiInstance *)nssListIterator_Start(instances);
+	     ci != (nssCryptokiInstance *)NULL;
+	     ci  = (nssCryptokiInstance *)nssListIterator_Next(instances))
+	{
+	    /* The builtins token will not return the same handle for objects
+	     * during the lifetime of the token.  Thus, assuming the found
+	     * object is the same as the cached object if there is already an
+	     * instance for the token.
+	     */
+	    if (ci->token == t) {
+		found = PR_TRUE;
+		break;
+	    }
+	}
+	nssListIterator_Finish(instances);
+    } else {
+	cert = get_token_cert(t, session, h);
+	if (!cert) return PR_FAILURE;
+    }
+    if (!found) {
+	PRBool isTokenObject;
+	/* XXX this is incorrect if the search is over both types */
+	isTokenObject = (search->searchType == nssTokenSearchType_TokenOnly) ?
+	                PR_TRUE : PR_FALSE;
+	ci = create_cryptoki_instance(cert->object.arena, t, h, isTokenObject);
+	if (!ci) {
+	    NSSCertificate_Destroy(cert);
+	    return PR_FAILURE;
+	}
+	nssList_Add(cert->object.instanceList, ci);
+	/* XXX Fix this! */
+	nssListIterator_Destroy(cert->object.instances);
+	cert->object.instances = nssList_CreateIterator(cert->object.instanceList);
+    }
+    if (!inCache) {
+	nssrv = (*search->callback)(cert, search->cbarg);
+    } else {
+	nssrv = PR_SUCCESS; /* cached entries already handled */
+    }
+    NSSCertificate_Destroy(cert);
+    return nssrv;
+}
+
+/* traverse all certificates - this should only happen if the token
+ * has been marked as "traversable"
+ */
+NSS_IMPLEMENT PRStatus 
+nssToken_TraverseCertificates
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  nssTokenCertSearch *search
+)
+{
+    PRStatus nssrv;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE cert_template[2];
+    CK_ULONG ctsize;
+    NSS_CK_TEMPLATE_START(cert_template, attr, ctsize);
+    /* Set the search to token/session only if provided */
+    if (search->searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (search->searchType == nssTokenSearchType_TokenOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
+    NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize);
+    if (search->cached) {
+	nssList_SetCompareFunction(search->cached, compare_cert_by_encoding);
+    }
+    nssrv = traverse_objects_by_template(token, sessionOpt,
+                                         cert_template, ctsize,
+                                         retrieve_cert, search);
+    return nssrv;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_TraverseCertificatesBySubject
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSDER *subject,
+  nssTokenCertSearch *search
+)
+{
+    PRStatus nssrv;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE subj_template[3];
+    CK_ULONG stsize;
+    NSS_CK_TEMPLATE_START(subj_template, attr, stsize);
+    /* Set the search to token/session only if provided */
+    if (search->searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (search->searchType == nssTokenSearchType_TokenOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject);
+    NSS_CK_TEMPLATE_FINISH(subj_template, attr, stsize);
+    if (search->cached) {
+	nssList_SetCompareFunction(search->cached, compare_cert_by_encoding);
+    }
+    /* now traverse the token certs matching this template */
+    nssrv = traverse_objects_by_template(token, sessionOpt,
+	                                 subj_template, stsize,
+                                         retrieve_cert, search);
+    return nssrv;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_TraverseCertificatesByNickname
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSUTF8 *name,
+  nssTokenCertSearch *search
+)
+{
+    PRStatus nssrv;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE nick_template[3];
+    CK_ULONG ntsize;
+    NSS_CK_TEMPLATE_START(nick_template, attr, ntsize);
+    NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL, name);
+    /* Set the search to token/session only if provided */
+    if (search->searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (search->searchType == nssTokenSearchType_TokenOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
+    NSS_CK_TEMPLATE_FINISH(nick_template, attr, ntsize);
+    if (search->cached) {
+	nssList_SetCompareFunction(search->cached, compare_cert_by_encoding);
+    }
+    /* now traverse the token certs matching this template */
+    nssrv = traverse_objects_by_template(token, sessionOpt,
+	                                 nick_template, ntsize, 
+                                         retrieve_cert, search);
+    if (nssrv != PR_SUCCESS) {
+	return nssrv;
+    }
+    /* This is to workaround the fact that PKCS#11 doesn't specify
+     * whether the '\0' should be included.  XXX Is that still true?
+     * im - this is not needed by the current softoken.  However, I'm 
+     * leaving it in until I have surveyed more tokens to see if it needed.
+     * well, its needed by the builtin token...
+     */
+    nick_template[0].ulValueLen++;
+    nssrv = traverse_objects_by_template(token, sessionOpt,
+	                                 nick_template, ntsize,
+                                         retrieve_cert, search);
+    return nssrv;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_TraverseCertificatesByEmail
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSASCII7 *email,
+  nssTokenCertSearch *search
+)
+{
+    PRStatus nssrv;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE email_template[3];
+    CK_ULONG etsize;
+    NSS_CK_TEMPLATE_START(email_template, attr, etsize);
+    NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NETSCAPE_EMAIL, email);
+    /* Set the search to token/session only if provided */
+    if (search->searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (search->searchType == nssTokenSearchType_TokenOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
+    NSS_CK_TEMPLATE_FINISH(email_template, attr, etsize);
+    if (search->cached) {
+	nssList_SetCompareFunction(search->cached, compare_cert_by_encoding);
+    }
+    /* now traverse the token certs matching this template */
+    nssrv = traverse_objects_by_template(token, sessionOpt,
+	                                 email_template, etsize,
+                                         retrieve_cert, search);
+    if (nssrv != PR_SUCCESS) {
+	return nssrv;
+    }
+#if 0
+    /* This is to workaround the fact that PKCS#11 doesn't specify
+     * whether the '\0' should be included.  XXX Is that still true?
+     */
+    email_tmpl[0].ulValueLen--;
+    nssrv = traverse_objects_by_template(token, sessionOpt,
+	                                 email_tmpl, etsize,
+                                         retrieve_cert, search);
+#endif
+    return nssrv;
+}
+
+/* XXX these next two need to create instances as needed */
+
+NSS_IMPLEMENT NSSCertificate *
+nssToken_FindCertificateByIssuerAndSerialNumber
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSDER *issuer,
+  NSSDER *serial,
+  nssTokenSearchType searchType
+)
+{
+    NSSCertificate *rvCert = NULL;
+    nssSession *session;
+    PRStatus nssrv;
+    CK_OBJECT_HANDLE object;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE cert_template[4];
+    CK_ULONG ctsize;
+    NSS_CK_TEMPLATE_START(cert_template, attr, ctsize);
+    /* Set the search to token/session only if provided */
+    if (searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (searchType == nssTokenSearchType_TokenOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    /* Set the unique id */
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS,         &g_ck_class_cert);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER,         issuer);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER,  serial);
+    NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize);
+    /* get the object handle */
+    object = find_object_by_template(token, sessionOpt, cert_template, ctsize);
+    if (object == CK_INVALID_HANDLE) {
+	return NULL;
+    }
+    session = (sessionOpt) ? sessionOpt : token->defaultSession;
+    rvCert = get_token_cert(token, sessionOpt, object);
+    if (rvCert) {
+	PRBool isTokenObject;
+	nssCryptokiInstance *instance;
+	isTokenObject = nssCKObject_IsAttributeTrue(object, CKA_TOKEN,
+	                                            session, token->slot, 
+	                                            &nssrv);
+	instance = create_cryptoki_instance(rvCert->object.arena,
+	                                    token, object, isTokenObject);
+	if (!instance) {
+	    NSSCertificate_Destroy(rvCert);
+	    return NULL;
+	}
+	nssList_Add(rvCert->object.instanceList, instance);
+	/* XXX Fix this! */
+	nssListIterator_Destroy(rvCert->object.instances);
+	rvCert->object.instances = nssList_CreateIterator(rvCert->object.instanceList);
+    }
+    return rvCert;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+nssToken_FindCertificateByEncodedCertificate
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSBER *encodedCertificate,
+  nssTokenSearchType searchType
+)
+{
+    NSSCertificate *rvCert = NULL;
+    nssSession *session;
+    PRStatus nssrv;
+    CK_OBJECT_HANDLE object;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE cert_template[3];
+    CK_ULONG ctsize;
+    NSS_CK_TEMPLATE_START(cert_template, attr, ctsize);
+    /* Set the search to token/session only if provided */
+    if (searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (searchType == nssTokenSearchType_TokenOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_VALUE, encodedCertificate);
+    NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize);
+    /* get the object handle */
+    object = find_object_by_template(token, sessionOpt, cert_template, ctsize);
+    if (object == CK_INVALID_HANDLE) {
+	return NULL;
+    }
+    session = (sessionOpt) ? sessionOpt : token->defaultSession;
+    rvCert = get_token_cert(token, sessionOpt, object);
+    if (rvCert) {
+	PRBool isTokenObject;
+	nssCryptokiInstance *instance;
+	isTokenObject = nssCKObject_IsAttributeTrue(object, CKA_TOKEN,
+	                                            session, token->slot, 
+	                                            &nssrv);
+	instance = create_cryptoki_instance(rvCert->object.arena,
+	                                    token, object, isTokenObject);
+	if (!instance) {
+	    NSSCertificate_Destroy(rvCert);
+	    return NULL;
+	}
+	nssList_Add(rvCert->object.instanceList, instance);
+	/* XXX Fix this! */
+	nssListIterator_Destroy(rvCert->object.instances);
+	rvCert->object.instances = nssList_CreateIterator(rvCert->object.instanceList);
+    }
+    return rvCert;
+}
+
+static void
+sha1_hash(NSSItem *input, NSSItem *output)
+{
+    NSSAlgorithmAndParameters *ap;
+    NSSToken *token = STAN_GetDefaultCryptoToken();
+    ap = NSSAlgorithmAndParameters_CreateSHA1Digest(NULL);
+    (void)nssToken_Digest(token, NULL, ap, input, output, NULL);
+#ifdef NSS_3_4_CODE
+    PK11_FreeSlot(token->pk11slot);
+#endif
+    nss_ZFreeIf(ap);
+}
+
+static void
+md5_hash(NSSItem *input, NSSItem *output)
+{
+    NSSAlgorithmAndParameters *ap;
+    NSSToken *token = STAN_GetDefaultCryptoToken();
+    ap = NSSAlgorithmAndParameters_CreateMD5Digest(NULL);
+    (void)nssToken_Digest(token, NULL, ap, input, output, NULL);
+#ifdef NSS_3_4_CODE
+    PK11_FreeSlot(token->pk11slot);
+#endif
+    nss_ZFreeIf(ap);
+}
+ 
+NSS_IMPLEMENT PRStatus
+nssToken_ImportTrust
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSTrust *trust,
+  PRBool asTokenObject
+)
+{
+    CK_OBJECT_HANDLE handle;
+    CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE trust_tmpl[10];
+    CK_ULONG tsize;
+    PRUint8 sha1[20]; /* this is cheating... */
+    PRUint8 md5[16];
+    NSSItem sha1_result, md5_result;
+    NSSCertificate *c = trust->certificate;
+    sha1_result.data = sha1; sha1_result.size = sizeof sha1;
+    md5_result.data = md5; md5_result.size = sizeof md5;
+    sha1_hash(&c->encoding, &sha1_result);
+    md5_hash(&c->encoding, &md5_result);
+    NSS_CK_TEMPLATE_START(trust_tmpl, attr, tsize);
+    if (asTokenObject) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    } else {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    }
+    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS,           tobjc);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER,         &c->issuer);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER,  &c->serial);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CERT_SHA1_HASH, &sha1_result);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CERT_MD5_HASH,  &md5_result);
+    /* now set the trust values */
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_SERVER_AUTH,  trust->serverAuth);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CLIENT_AUTH,  trust->clientAuth);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CODE_SIGNING, trust->codeSigning);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_EMAIL_PROTECTION, 
+                                                       trust->emailProtection);
+    NSS_CK_TEMPLATE_FINISH(trust_tmpl, attr, tsize);
+    /* import the trust object onto the token */
+    handle = import_object(tok, NULL, trust_tmpl, tsize);
+    if (handle != CK_INVALID_HANDLE) {
+	nssCryptokiInstance *instance;
+	instance = create_cryptoki_instance(trust->object.arena,
+	                                    tok, handle, asTokenObject);
+	if (!instance) {
+	    return PR_FAILURE;
+	}
+	nssList_Add(trust->object.instanceList, instance);
+	/* XXX Fix this! */
+	nssListIterator_Destroy(trust->object.instances);
+	trust->object.instances = nssList_CreateIterator(trust->object.instanceList);
+	tok->hasNoTrust = PR_FALSE;
+	return PR_SUCCESS;
+    } 
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_SetTrustCache
+(
+  NSSToken *token
+)
+{
+    CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE tobj_template[2];
+    CK_ULONG tobj_size;
+    CK_OBJECT_HANDLE obj;
+    nssSession *session = token->defaultSession;
+
+    NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size);
+    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, tobjc);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    NSS_CK_TEMPLATE_FINISH(tobj_template, attr, tobj_size);
+
+    obj = find_object_by_template(token, session,
+                                   tobj_template, tobj_size);
+    token->hasNoTrust = PR_FALSE;
+    if (obj == CK_INVALID_HANDLE) {
+	token->hasNoTrust = PR_TRUE;
+    } 
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_SetCrlCache
+(
+  NSSToken *token
+)
+{
+    CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_CRL;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE tobj_template[2];
+    CK_ULONG tobj_size;
+    CK_OBJECT_HANDLE obj;
+    nssSession *session = token->defaultSession;
+
+    NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size);
+    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS, tobjc);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    NSS_CK_TEMPLATE_FINISH(tobj_template, attr, tobj_size);
+
+    obj = find_object_by_template(token, session,
+                                   tobj_template, tobj_size);
+    token->hasNoCrls = PR_TRUE;
+    if (obj == CK_INVALID_HANDLE) {
+	token->hasNoCrls = PR_TRUE;
+    }
+    return PR_SUCCESS;
+}
+
+static CK_OBJECT_HANDLE
+get_cert_trust_handle
+(
+  NSSToken *token,
+  nssSession *session,
+  NSSCertificate *c,
+  nssTokenSearchType searchType
+)
+{
+    CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE tobj_template[5];
+    CK_ULONG tobj_size;
+    PRUint8 sha1[20]; /* this is cheating... */
+    NSSItem sha1_result;
+
+    if (token->hasNoTrust) {
+	return CK_INVALID_HANDLE;
+    }
+    sha1_result.data = sha1; sha1_result.size = sizeof sha1;
+    sha1_hash(&c->encoding, &sha1_result);
+    NSS_CK_TEMPLATE_START(tobj_template, attr, tobj_size);
+    if (searchType == nssTokenSearchType_SessionOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+    } else if (searchType == nssTokenSearchType_TokenOnly) {
+	NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+    }
+    NSS_CK_SET_ATTRIBUTE_VAR( attr, CKA_CLASS,          tobjc);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CERT_SHA1_HASH, &sha1_result);
+#ifdef NSS_3_4_CODE
+    if (!PK11_HasRootCerts(token->pk11slot)) {
+#endif
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER,         &c->issuer);
+    NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER , &c->serial);
+#ifdef NSS_3_4_CODE
+    }
+    /*
+     * we need to arrange for the built-in token to lose the bottom 2 
+     * attributes so that old built-in tokens will continue to work.
+     */
+#endif
+    NSS_CK_TEMPLATE_FINISH(tobj_template, attr, tobj_size);
+    return find_object_by_template(token, session,
+                                   tobj_template, tobj_size);
+}
+
+NSS_IMPLEMENT NSSTrust *
+nssToken_FindTrustForCert
+(
+  NSSToken *token,
+  nssSession *sessionOpt,
+  NSSCertificate *c,
+  nssTokenSearchType searchType
+)
+{
+    PRStatus nssrv;
+    NSSTrust *rvTrust;
+    nssSession *session;
+    NSSArena *arena;
+    nssCryptokiInstance *instance;
+    PRBool isTokenObject;
+    CK_BBOOL isToken;
+    CK_TRUST saTrust, caTrust, epTrust, csTrust;
+    CK_OBJECT_HANDLE tobjID;
+    CK_ATTRIBUTE_PTR attr;
+    CK_ATTRIBUTE trust_template[5];
+    CK_ULONG trust_size;
+    session = (sessionOpt) ? sessionOpt : token->defaultSession;
+    tobjID = get_cert_trust_handle(token, session, c, searchType);
+    if (tobjID == CK_INVALID_HANDLE) {
+	return NULL;
+    }
+    /* Then use the trust object to find the trust settings */
+    NSS_CK_TEMPLATE_START(trust_template, attr, trust_size);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TOKEN,                  isToken);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_SERVER_AUTH,      saTrust);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CLIENT_AUTH,      caTrust);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_EMAIL_PROTECTION, epTrust);
+    NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CODE_SIGNING,     csTrust);
+    NSS_CK_TEMPLATE_FINISH(trust_template, attr, trust_size);
+    nssrv = nssCKObject_GetAttributes(tobjID,
+                                      trust_template, trust_size,
+                                      NULL, session, token->slot);
+    if (nssrv != PR_SUCCESS) {
+	return NULL;
+    }
+    arena = nssArena_Create();
+    if (!arena) {
+	return NULL;
+    }
+    rvTrust = nss_ZNEW(arena, NSSTrust);
+    if (!rvTrust) {
+	nssArena_Destroy(arena);
+	return NULL;
+    }
+    nssrv = nssPKIObject_Initialize(&rvTrust->object, arena, 
+                                    token->trustDomain, NULL);
+    if (nssrv != PR_SUCCESS) {
+	goto loser;
+    }
+    isTokenObject = (isToken == CK_TRUE) ? PR_TRUE : PR_FALSE;
+    instance = create_cryptoki_instance(arena, token, tobjID, isTokenObject);
+    if (!instance) {
+	goto loser;
+    }
+    rvTrust->serverAuth = saTrust;
+    rvTrust->clientAuth = caTrust;
+    rvTrust->emailProtection = epTrust;
+    rvTrust->codeSigning = csTrust;
+    return rvTrust;
+loser:
+    nssPKIObject_Destroy(&rvTrust->object);
+    return (NSSTrust *)NULL;
+}
+
diff --git a/security/nss/lib/dev/devslot.c b/security/nss/lib/dev/devslot.c
new file mode 100644
index 000000000..a113b46f5
--- /dev/null
+++ b/security/nss/lib/dev/devslot.c
@@ -0,0 +1,541 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef DEV_H
+#include "dev.h"
+#endif /* DEV_H */
+
+#ifndef DEVM_H
+#include "devm.h"
+#endif /* DEVM_H */
+
+#ifdef NSS_3_4_CODE
+#include "pkcs11.h"
+#else
+#ifndef NSSCKEPV_H
+#include "nssckepv.h"
+#endif /* NSSCKEPV_H */
+#endif /* NSS_3_4_CODE */
+
+#ifndef CKHELPER_H
+#include "ckhelper.h"
+#endif /* CKHELPER_H */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+/* The flags needed to open a read-only session. */
+static const CK_FLAGS s_ck_readonly_flags = CKF_SERIAL_SESSION;
+
+#ifdef PURE_STAN
+/* In pk11slot.c, this was a no-op.  So it is here also. */
+static CK_RV PR_CALLBACK
+nss_ck_slot_notify
+(
+  CK_SESSION_HANDLE session,
+  CK_NOTIFICATION event,
+  CK_VOID_PTR pData
+)
+{
+    return CKR_OK;
+}
+#endif
+
+/* maybe this should really inherit completely from the module...  I dunno,
+ * any uses of slots where independence is needed?
+ */
+NSS_IMPLEMENT NSSSlot *
+nssSlot_Create
+(
+  NSSArena *arenaOpt,
+  CK_SLOT_ID slotID,
+  NSSModule *parent
+)
+{
+    NSSArena *arena = NULL;
+    nssArenaMark *mark = NULL;
+    NSSSlot *rvSlot;
+    NSSToken *token = NULL;
+    NSSUTF8 *slotName = NULL;
+    PRUint32 length;
+    PRBool newArena;
+    PRStatus nssrv;
+    CK_SLOT_INFO slotInfo;
+    CK_RV ckrv;
+    if (arenaOpt) {
+	arena = arenaOpt;
+	mark = nssArena_Mark(arena);
+	if (!mark) {
+	    return (NSSSlot *)NULL;
+	}
+	newArena = PR_FALSE;
+    } else {
+	arena = NSSArena_Create();
+	if(!arena) {
+	    return (NSSSlot *)NULL;
+	}
+	newArena = PR_TRUE;
+    }
+    rvSlot = nss_ZNEW(arena, NSSSlot);
+    if (!rvSlot) {
+	goto loser;
+    }
+    /* Get slot information */
+    ckrv = CKAPI(parent)->C_GetSlotInfo(slotID, &slotInfo);
+    if (ckrv != CKR_OK) {
+	/* set an error here, eh? */
+	goto loser;
+    }
+    /* Grab the slot description from the PKCS#11 fixed-length buffer */
+    length = nssPKCS11StringLength(slotInfo.slotDescription, 
+                                   sizeof(slotInfo.slotDescription));
+    if (length > 0) {
+	slotName = nssUTF8_Create(arena, nssStringType_UTF8String, 
+	                          (void *)slotInfo.slotDescription, length);
+	if (!slotName) {
+	    goto loser;
+	}
+    }
+    if (!arenaOpt) {
+	/* Avoid confusion now - only set the slot's arena to a non-NULL value
+	 * if a new arena is created.  Otherwise, depend on the caller (having
+	 * passed arenaOpt) to free the arena.
+	 */
+	rvSlot->arena = arena;
+    }
+    rvSlot->refCount = 1;
+    rvSlot->epv = parent->epv;
+    rvSlot->module = parent;
+    rvSlot->name = slotName;
+    rvSlot->slotID = slotID;
+    rvSlot->ckFlags = slotInfo.flags;
+    /* Initialize the token if present. */
+    if (slotInfo.flags & CKF_TOKEN_PRESENT) {
+	token = nssToken_Create(arena, slotID, rvSlot);
+	if (!token) {
+	    goto loser;
+	}
+    }
+    rvSlot->token = token;
+    if (mark) {
+	nssrv = nssArena_Unmark(arena, mark);
+	if (nssrv != PR_SUCCESS) {
+	    goto loser;
+	}
+    }
+    return rvSlot;
+loser:
+    if (newArena) {
+	nssArena_Destroy(arena);
+    } else {
+	if (mark) {
+	    nssArena_Release(arena, mark);
+	}
+    }
+    /* everything was created in the arena, nothing to see here, move along */
+    return (NSSSlot *)NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+nssSlot_Destroy
+(
+  NSSSlot *slot
+)
+{
+    if (--slot->refCount == 0) {
+#ifndef NSS_3_4_CODE
+	/* Not going to do this in 3.4, maybe never */
+	nssToken_Destroy(slot->token);
+#endif
+	if (slot->arena) {
+	    return NSSArena_Destroy(slot->arena);
+	} else {
+	    nss_ZFreeIf(slot);
+	}
+    }
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT NSSSlot *
+nssSlot_AddRef
+(
+  NSSSlot *slot
+)
+{
+    ++slot->refCount;
+    return slot;
+}
+
+NSS_IMPLEMENT NSSUTF8 *
+nssSlot_GetName
+(
+  NSSSlot *slot,
+  NSSArena *arenaOpt
+)
+{
+    if (slot->name) {
+	return nssUTF8_Duplicate(slot->name, arenaOpt);
+    }
+    return (NSSUTF8 *)NULL;
+}
+
+static PRStatus
+nssslot_login(NSSSlot *slot, nssSession *session, 
+              CK_USER_TYPE userType, NSSCallback *pwcb)
+{
+    PRStatus nssrv;
+    PRUint32 attempts;
+    PRBool keepTrying;
+    NSSUTF8 *password = NULL;
+    CK_ULONG pwLen;
+    CK_RV ckrv;
+    if (!pwcb->getPW) {
+	/* set error INVALID_ARG */
+	return PR_FAILURE;
+    }
+    keepTrying = PR_TRUE;
+    nssrv = PR_FAILURE;
+    attempts = 0;
+    while (keepTrying) {
+	nssrv = pwcb->getPW(slot->name, &attempts, pwcb->arg, &password);
+	if (nssrv != PR_SUCCESS) {
+	    nss_SetError(NSS_ERROR_USER_CANCELED);
+	    break;
+	}
+	pwLen = (CK_ULONG)nssUTF8_Length(password, &nssrv); 
+	if (nssrv != PR_SUCCESS) {
+	    break;
+	}
+	nssSession_EnterMonitor(session);
+	ckrv = CKAPI(slot)->C_Login(session->handle, userType, 
+                                    (CK_CHAR_PTR)password, pwLen);
+	nssSession_ExitMonitor(session);
+	switch (ckrv) {
+	case CKR_OK:
+	case CKR_USER_ALREADY_LOGGED_IN:
+	    slot->authInfo.lastLogin = PR_Now();
+	    nssrv = PR_SUCCESS;
+	    keepTrying = PR_FALSE;
+	    break;
+	case CKR_PIN_INCORRECT:
+	    nss_SetError(NSS_ERROR_INVALID_PASSWORD);
+	    keepTrying = PR_TRUE; /* received bad pw, keep going */
+	    break;
+	default:
+	    nssrv = PR_FAILURE;
+	    keepTrying = PR_FALSE;
+	    break;
+	}
+	nss_ZFreeIf(password);
+	password = NULL;
+	++attempts;
+    }
+    nss_ZFreeIf(password);
+    return nssrv;
+}
+
+static PRStatus
+nssslot_init_password(NSSSlot *slot, nssSession *rwSession, NSSCallback *pwcb)
+{
+    NSSUTF8 *userPW = NULL;
+    NSSUTF8 *ssoPW = NULL;
+    PRStatus nssrv;
+    CK_ULONG userPWLen, ssoPWLen;
+    CK_RV ckrv;
+    if (!pwcb->getInitPW) {
+	/* set error INVALID_ARG */
+	return PR_FAILURE;
+    }
+    /* Get the SO and user passwords */
+    nssrv = pwcb->getInitPW(slot->name, pwcb->arg, &ssoPW, &userPW);
+    if (nssrv != PR_SUCCESS) goto loser;
+    userPWLen = (CK_ULONG)nssUTF8_Length(userPW, &nssrv); 
+    if (nssrv != PR_SUCCESS) goto loser;
+    ssoPWLen = (CK_ULONG)nssUTF8_Length(ssoPW, &nssrv); 
+    if (nssrv != PR_SUCCESS) goto loser;
+    /* First log in as SO */
+    ckrv = CKAPI(slot)->C_Login(rwSession->handle, CKU_SO, 
+                                (CK_CHAR_PTR)ssoPW, ssoPWLen);
+    if (ckrv != CKR_OK) {
+	/* set error ...SO_LOGIN_FAILED */
+	goto loser;
+    }
+	/* Now change the user PIN */
+    ckrv = CKAPI(slot)->C_InitPIN(rwSession->handle, 
+                                  (CK_CHAR_PTR)userPW, userPWLen);
+    if (ckrv != CKR_OK) {
+	/* set error */
+	goto loser;
+    }
+    nss_ZFreeIf(ssoPW);
+    nss_ZFreeIf(userPW);
+    return PR_SUCCESS;
+loser:
+    nss_ZFreeIf(ssoPW);
+    nss_ZFreeIf(userPW);
+    return PR_FAILURE;
+}
+
+static PRStatus
+nssslot_change_password(NSSSlot *slot, nssSession *rwSession, NSSCallback *pwcb)
+{
+    NSSUTF8 *userPW = NULL;
+    NSSUTF8 *newPW = NULL;
+    PRUint32 attempts;
+    PRStatus nssrv;
+    PRBool keepTrying = PR_TRUE;
+    CK_ULONG userPWLen, newPWLen;
+    CK_RV ckrv;
+    if (!pwcb->getNewPW) {
+	/* set error INVALID_ARG */
+	return PR_FAILURE;
+    }
+    attempts = 0;
+    while (keepTrying) {
+	nssrv = pwcb->getNewPW(slot->name, &attempts, pwcb->arg, 
+	                       &userPW, &newPW);
+	if (nssrv != PR_SUCCESS) {
+	    nss_SetError(NSS_ERROR_USER_CANCELED);
+	    break;
+	}
+	userPWLen = (CK_ULONG)nssUTF8_Length(userPW, &nssrv); 
+	if (nssrv != PR_SUCCESS) return nssrv;
+	newPWLen = (CK_ULONG)nssUTF8_Length(newPW, &nssrv); 
+	if (nssrv != PR_SUCCESS) return nssrv;
+	nssSession_EnterMonitor(rwSession);
+	ckrv = CKAPI(slot)->C_SetPIN(rwSession->handle,
+	                             (CK_CHAR_PTR)userPW, userPWLen,
+	                             (CK_CHAR_PTR)newPW, newPWLen);
+	nssSession_ExitMonitor(rwSession);
+	switch (ckrv) {
+	case CKR_OK:
+	    slot->authInfo.lastLogin = PR_Now();
+	    nssrv = PR_SUCCESS;
+	    keepTrying = PR_FALSE;
+	    break;
+	case CKR_PIN_INCORRECT:
+	    nss_SetError(NSS_ERROR_INVALID_PASSWORD);
+	    keepTrying = PR_TRUE; /* received bad pw, keep going */
+	    break;
+	default:
+	    nssrv = PR_FAILURE;
+	    keepTrying = PR_FALSE;
+	    break;
+	}
+	nss_ZFreeIf(userPW);
+	nss_ZFreeIf(newPW);
+	userPW = NULL;
+	newPW = NULL;
+	++attempts;
+    }
+    nss_ZFreeIf(userPW);
+    nss_ZFreeIf(newPW);
+    return nssrv;
+}
+
+NSS_IMPLEMENT PRStatus
+nssSlot_Login
+(
+  NSSSlot *slot,
+  PRBool asSO,
+  NSSCallback *pwcb
+)
+{
+    PRBool needsLogin, needsInit;
+    CK_USER_TYPE userType;
+    userType = (asSO) ? CKU_SO : CKU_USER;
+    needsInit = PR_FALSE; /* XXX */
+    needsLogin = PR_TRUE; /* XXX */
+    if (needsInit) {
+	return nssSlot_SetPassword(slot, pwcb);
+    } else if (needsLogin) {
+	return nssslot_login(slot, slot->token->defaultSession, 
+	                     userType, pwcb);
+    }
+    return PR_SUCCESS; /* login not required */
+}
+
+NSS_IMPLEMENT PRStatus
+nssSlot_Logout
+(
+  NSSSlot *slot,
+  nssSession *sessionOpt
+)
+{
+    nssSession *session;
+    PRStatus nssrv = PR_SUCCESS;
+    CK_RV ckrv;
+    session = (sessionOpt) ? sessionOpt : slot->token->defaultSession;
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(slot)->C_Logout(session->handle);
+    nssSession_ExitMonitor(session);
+    if (ckrv != CKR_OK) {
+	/* translate the error */
+	nssrv = PR_FAILURE;
+    }
+    return nssrv;
+}
+
+NSS_IMPLEMENT void
+nssSlot_SetPasswordDefaults
+(
+  NSSSlot *slot,
+  PRInt32 askPasswordTimeout
+)
+{
+    slot->authInfo.askPasswordTimeout = askPasswordTimeout;
+}
+
+NSS_IMPLEMENT PRStatus
+nssSlot_SetPassword
+(
+  NSSSlot *slot,
+  NSSCallback *pwcb
+)
+{
+    PRStatus nssrv;
+    nssSession *rwSession;
+    PRBool needsInit;
+    needsInit = PR_FALSE; /* XXX */
+    rwSession = nssSlot_CreateSession(slot, NULL, PR_TRUE);
+    if (needsInit) {
+	nssrv = nssslot_init_password(slot, rwSession, pwcb);
+    } else {
+	nssrv = nssslot_change_password(slot, rwSession, pwcb);
+    }
+    nssSession_Destroy(rwSession);
+    return nssrv;
+}
+
+#ifdef PURE_STAN
+NSS_IMPLEMENT nssSession *
+nssSlot_CreateSession
+(
+  NSSSlot *slot,
+  NSSArena *arenaOpt,
+  PRBool readWrite /* so far, this is the only flag used */
+)
+{
+    CK_RV ckrv;
+    CK_FLAGS ckflags;
+    CK_SESSION_HANDLE session;
+    nssSession *rvSession;
+    ckflags = s_ck_readonly_flags;
+    if (readWrite) {
+	ckflags |= CKF_RW_SESSION;
+    }
+    /* does the opening and closing of sessions need to be done in a
+     * threadsafe manner?  should there be a "meta-lock" controlling
+     * calls like this?
+     */
+    ckrv = CKAPI(slot)->C_OpenSession(slot->slotID, ckflags,
+                                      slot, nss_ck_slot_notify, &session);
+    if (ckrv != CKR_OK) {
+	/* set an error here, eh? */
+	return (nssSession *)NULL;
+    }
+    rvSession = nss_ZNEW(arenaOpt, nssSession);
+    if (!rvSession) {
+	return (nssSession *)NULL;
+    }
+    if (slot->module->flags & NSSMODULE_FLAGS_NOT_THREADSAFE) {
+	/* If the parent module is not threadsafe, create lock to manage 
+	 * session within threads.
+	 */
+	rvSession->lock = PZ_NewLock(nssILockOther);
+	if (!rvSession->lock) {
+	    /* need to translate NSPR error? */
+	    if (arenaOpt) {
+	    } else {
+		nss_ZFreeIf(rvSession);
+	    }
+	    return (nssSession *)NULL;
+	}
+    }
+    rvSession->handle = session;
+    rvSession->slot = slot;
+    rvSession->isRW = readWrite;
+    return rvSession;
+}
+
+NSS_IMPLEMENT PRStatus
+nssSession_Destroy
+(
+  nssSession *s
+)
+{
+    CK_RV ckrv = CKR_OK;
+    if (s) {
+	ckrv = CKAPI(s->slot)->C_CloseSession(s->handle);
+	if (s->lock) {
+	    PZ_DestroyLock(s->lock);
+	}
+	nss_ZFreeIf(s);
+    }
+    return (ckrv == CKR_OK) ? PR_SUCCESS : PR_FAILURE;
+}
+#endif
+
+NSS_IMPLEMENT PRStatus
+nssSession_EnterMonitor
+(
+  nssSession *s
+)
+{
+    if (s->lock) PZ_Lock(s->lock);
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+nssSession_ExitMonitor
+(
+  nssSession *s
+)
+{
+    return (s->lock) ? PZ_Unlock(s->lock) : PR_SUCCESS;
+}
+
+NSS_EXTERN PRBool
+nssSession_IsReadWrite
+(
+  nssSession *s
+)
+{
+    return s->isRW;
+}
+
diff --git a/security/nss/lib/dev/devt.h b/security/nss/lib/dev/devt.h
new file mode 100644
index 000000000..ef031524b
--- /dev/null
+++ b/security/nss/lib/dev/devt.h
@@ -0,0 +1,205 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef DEVT_H
+#define DEVT_H
+
+#ifdef DEBUG
+static const char DEVT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * devt.h
+ *
+ * This file contains definitions for the low-level cryptoki devices.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSPKIT_H
+#include "nsspkit.h"
+#endif /* NSSPKIT_H */
+
+#ifndef NSSDEVT_H
+#include "nssdevt.h"
+#endif /* NSSDEVT_H */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef BASET_H
+#include "baset.h"
+#endif /* BASET_H */
+
+#ifdef NSS_3_4_CODE
+#include "secmodt.h"
+#endif /* NSS_3_4_CODE */
+
+PR_BEGIN_EXTERN_C
+
+typedef struct nssSessionStr nssSession;
+
+/* The list of boolean flags used to describe properties of a
+ * module.
+ */
+#define NSSMODULE_FLAGS_NOT_THREADSAFE 0x0001 /* isThreadSafe */
+
+struct NSSModuleStr {
+    NSSArena    *arena;
+    PRInt32      refCount;
+    NSSUTF8     *name;
+    NSSUTF8     *libraryPath;
+    PRLibrary   *library;
+    void        *epv;
+    NSSSlot    **slots;
+    PRUint32     numSlots;
+    PRUint32     flags;
+};
+
+/* The list of boolean flags used to describe properties of a
+ * slot.
+ */
+#define NSSSLOT_FLAGS_LOGIN_REQUIRED  0x0001 /* needLogin */
+/*#define NSSSLOT_FLAGS_READONLY        0x0002*/ /* readOnly */
+
+/* this should track global and per-transaction login information */
+struct nssSlotAuthInfoStr
+{
+    PRTime  lastLogin;
+    PRInt32 askPasswordTimeout;
+};
+
+struct NSSSlotStr
+{
+    NSSArena *arena;
+    PRInt32 refCount;
+    NSSModule *module; /* Parent */
+    NSSToken *token;  /* Child (or peer, if you will) */
+    NSSUTF8 *name;
+    CK_SLOT_ID slotID;
+    void *epv;
+    CK_FLAGS ckFlags; /* from CK_SLOT_INFO.flags */
+    PRUint32 flags;
+    struct nssSlotAuthInfoStr authInfo;
+    NSSTrustDomain *trustDomain;
+#ifdef NSS_3_4_CODE
+    PK11SlotInfo *pk11slot;
+#endif
+};
+
+struct NSSTokenStr
+{
+    NSSArena *arena;
+    PRInt32 refCount;
+    NSSSlot *slot;  /* Parent (or peer, if you will) */
+    NSSUTF8 *name;
+    CK_FLAGS ckFlags; /* from CK_TOKEN_INFO.flags */
+    PRUint32 flags;
+    void *epv;
+    nssSession *defaultSession;
+    NSSTrustDomain *trustDomain;
+    PRIntervalTime lastTime;
+    PRBool hasNoTrust;
+    PRBool hasNoCrls;
+#ifdef NSS_3_4_CODE
+    PK11SlotInfo *pk11slot;
+    nssList *certList; /* local cache of certs for slow tokens */
+    PRBool loggedIn;
+#endif
+};
+
+struct nssSessionStr
+{
+    PZLock *lock;
+    CK_SESSION_HANDLE handle;
+    NSSSlot *slot;
+    PRBool isRW;
+};
+
+typedef enum {
+    NSSCertificateType_Unknown = 0,
+    NSSCertificateType_PKIX = 1
+} NSSCertificateType;
+
+#ifdef nodef
+typedef enum {
+    nssTrustLevel_Unknown = 0,
+    nssTrustLevel_NotTrusted = 1,
+    nssTrustLevel_Trusted = 2,
+    nssTrustLevel_TrustedDelegator = 3,
+    nssTrustLevel_Valid = 4
+} nssTrustLevel;
+#else
+typedef CK_ULONG nssTrustLevel; /* for now */
+#endif
+
+typedef struct nssCryptokiInstanceStr nssCryptokiInstance;
+
+struct nssCryptokiInstanceStr
+{
+    CK_OBJECT_HANDLE handle;
+    NSSToken *token;
+    PRBool isTokenObject;
+    NSSUTF8 *label;
+};
+
+typedef struct nssTokenCertSearchStr nssTokenCertSearch;
+
+typedef enum {
+    nssTokenSearchType_AllObjects = 0,
+    nssTokenSearchType_SessionOnly = 1,
+    nssTokenSearchType_TokenOnly = 2
+} nssTokenSearchType;
+
+struct nssTokenCertSearchStr
+{
+    nssTokenSearchType searchType;
+    PRStatus (* callback)(NSSCertificate *c, void *arg);
+    void *cbarg;
+    nssList *cached;
+    /* TODO: add a cache query callback if the list would be large 
+     *       (traversal) 
+     */
+};
+
+struct NSSAlgorithmAndParametersStr
+{
+    CK_MECHANISM mechanism;
+};
+
+PR_END_EXTERN_C
+
+#endif /* DEVT_H */
diff --git a/security/nss/lib/dev/devtoken.c b/security/nss/lib/dev/devtoken.c
new file mode 100644
index 000000000..b3b168a5f
--- /dev/null
+++ b/security/nss/lib/dev/devtoken.c
@@ -0,0 +1,490 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef DEV_H
+#include "dev.h"
+#endif /* DEV_H */
+
+#ifndef DEVM_H
+#include "devm.h"
+#endif /* DEVM_H */
+
+#ifndef NSSCKEPV_H
+#include "nssckepv.h"
+#endif /* NSSCKEPV_H */
+
+#ifndef CKHELPER_H
+#include "ckhelper.h"
+#endif /* CKHELPER_H */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+/* maybe this should really inherit completely from the module...  I dunno,
+ * any uses of slots where independence is needed?
+ */
+NSS_IMPLEMENT NSSToken *
+nssToken_Create
+(
+  NSSArena *arenaOpt,
+  CK_SLOT_ID slotID,
+  NSSSlot *parent
+)
+{
+    NSSArena *arena;
+    nssArenaMark *mark = NULL;
+    NSSToken *rvToken;
+    nssSession *session = NULL;
+    NSSUTF8 *tokenName = NULL;
+    PRUint32 length;
+    PRBool newArena;
+    PRBool readWrite;
+    PRStatus nssrv;
+    CK_TOKEN_INFO tokenInfo;
+    CK_RV ckrv;
+    if (arenaOpt) {
+	arena = arenaOpt;
+	mark = nssArena_Mark(arena);
+	if (!mark) {
+	    return (NSSToken *)NULL;
+	}
+	newArena = PR_FALSE;
+    } else {
+	arena = NSSArena_Create();
+	if(!arena) {
+	    return (NSSToken *)NULL;
+	}
+	newArena = PR_TRUE;
+    }
+    rvToken = nss_ZNEW(arena, NSSToken);
+    if (!rvToken) {
+	goto loser;
+    }
+    /* Get token information */
+    ckrv = CKAPI(parent)->C_GetTokenInfo(slotID, &tokenInfo);
+    if (ckrv != CKR_OK) {
+	/* set an error here, eh? */
+	goto loser;
+    }
+    /* Grab the slot description from the PKCS#11 fixed-length buffer */
+    length = nssPKCS11StringLength(tokenInfo.label, sizeof(tokenInfo.label));
+    if (length > 0) {
+	tokenName = nssUTF8_Create(arena, nssStringType_UTF8String, 
+	                           (void *)tokenInfo.label, length);
+	if (!tokenName) {
+	    goto loser;
+	}
+    }
+    /* Open a default session handle for the token. */
+    if (tokenInfo.ulMaxSessionCount == 1) {
+	/* if the token can only handle one session, it must be RW. */
+	readWrite = PR_TRUE;
+    } else {
+	readWrite = PR_FALSE;
+    }
+    session = nssSlot_CreateSession(parent, arena, readWrite);
+    if (session == NULL) {
+	goto loser;
+    }
+    /* TODO: seed the RNG here */
+    if (!arenaOpt) {
+	/* Avoid confusion now - only set the token's arena to a non-NULL value
+	 * if a new arena is created.  Otherwise, depend on the caller (having
+	 * passed arenaOpt) to free the arena.
+	 */
+	rvToken->arena = arena;
+    }
+    rvToken->refCount = 1;
+    rvToken->slot = parent;
+    rvToken->name = tokenName;
+    rvToken->ckFlags = tokenInfo.flags;
+    rvToken->defaultSession = session;
+    rvToken->hasNoTrust = PR_FALSE;
+    rvToken->hasNoCrls = PR_FALSE;
+    if (mark) {
+	nssrv = nssArena_Unmark(arena, mark);
+	if (nssrv != PR_SUCCESS) {
+	    goto loser;
+	}
+    }
+    return rvToken;
+loser:
+    if (session) {
+	nssSession_Destroy(session);
+    }
+    if (newArena) {
+	nssArena_Destroy(arena);
+    } else {
+	if (mark) {
+	    nssArena_Release(arena, mark);
+	}
+    }
+    return (NSSToken *)NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_Destroy
+(
+  NSSToken *tok
+)
+{
+    if (--tok->refCount == 0) {
+#ifndef NSS_3_4_CODE
+	/* don't do this in 3.4 -- let PK11SlotInfo handle it */
+	if (tok->defaultSession) {
+	    nssSession_Destroy(tok->defaultSession);
+	}
+	if (tok->arena) {
+	    return NSSArena_Destroy(tok->arena);
+	} else {
+	    nss_ZFreeIf(tok);
+	}
+#else
+	    nss_ZFreeIf(tok);
+#endif
+    }
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT NSSToken *
+nssToken_AddRef
+(
+  NSSToken *tok
+)
+{
+    ++tok->refCount;
+    return tok;
+}
+
+NSS_IMPLEMENT NSSUTF8 *
+nssToken_GetName
+(
+  NSSToken *tok
+)
+{
+    if (tok->name[0] == 0) {
+	(void) nssToken_IsPresent(tok);
+    } 
+    return tok->name;
+}
+
+NSS_IMPLEMENT PRBool
+nssToken_IsPresent
+(
+  NSSToken *token
+)
+{
+    CK_RV ckrv;
+    PRStatus nssrv;
+    nssSession *session;
+    CK_SLOT_INFO slotInfo;
+    NSSSlot *slot = token->slot;
+    PRIntervalTime time,lastTime;
+    static PRIntervalTime delayTime = 0;
+    
+    session = token->defaultSession;
+    /* permanent slots are always present */
+    if (nssSlot_IsPermanent(slot) && session != CK_INVALID_SESSION) {
+	return PR_TRUE;
+    }
+
+    if (delayTime == 0) {
+	delayTime = PR_SecondsToInterval(10);
+    }
+    
+    time = PR_IntervalNow();
+    lastTime = token->lastTime;
+    if ((time > lastTime) && ((time - lastTime) < delayTime)) {
+	return (PRBool) ((slot->ckFlags & CKF_TOKEN_PRESENT) != 0);
+    }
+    token->lastTime = time;
+    nssSession_EnterMonitor(session);
+    /* First obtain the slot info */
+    ckrv = CKAPI(slot)->C_GetSlotInfo(slot->slotID, &slotInfo);
+    if (ckrv != CKR_OK) {
+	nssSession_ExitMonitor(session);
+	token->name[0] = 0;
+	return PR_FALSE;
+    }
+    slot->ckFlags = slotInfo.flags;
+    /* check for the presence of the token */
+    if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) {
+	/* token is not present */
+	if (session->handle != CK_INVALID_SESSION) {
+	    /* session is valid, close and invalidate it */
+	    CKAPI(slot)->C_CloseSession(session->handle);
+	    session->handle = CK_INVALID_SESSION;
+	}
+	nssSession_ExitMonitor(session);
+	token->name[0] = 0;
+	return PR_FALSE;
+    }
+    /* token is present, use the session info to determine if the card
+     * has been removed and reinserted.
+     */
+    if (session != CK_INVALID_SESSION) {
+	CK_SESSION_INFO sessionInfo;
+	ckrv = CKAPI(slot)->C_GetSessionInfo(session->handle, &sessionInfo);
+	if (ckrv != CKR_OK) {
+	    /* session is screwy, close and invalidate it */
+	    CKAPI(slot)->C_CloseSession(session->handle);
+	    session->handle = CK_INVALID_SESSION;
+	}
+    }
+    nssSession_ExitMonitor(session);
+    /* token not removed, finished */
+    if (session->handle != CK_INVALID_SESSION) {
+	return PR_TRUE;
+    } else {
+	/* token has been removed, need to refresh with new session */
+	nssrv = nssSlot_Refresh(slot);
+	if (nssrv != PR_SUCCESS) {
+	    token->name[0] = 0;
+	    return PR_FALSE;
+	}
+	return PR_TRUE;
+    }
+}
+
+NSS_IMPLEMENT PRBool
+nssToken_HasCrls
+(
+    NSSToken *tok
+)
+{
+    return !tok->hasNoCrls;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_SetHasCrls
+(
+    NSSToken *tok
+)
+{
+    tok->hasNoCrls = PR_FALSE;
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT NSSItem *
+nssToken_Digest
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSAlgorithmAndParameters *ap,
+  NSSItem *data,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    CK_RV ckrv;
+    CK_ULONG digestLen;
+    CK_BYTE_PTR digest;
+    NSSItem *rvItem = NULL;
+    nssSession *session;
+    session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(tok)->C_DigestInit(session->handle, &ap->mechanism);
+    if (ckrv != CKR_OK) {
+	nssSession_ExitMonitor(session);
+	return NULL;
+    }
+#if 0
+    /* XXX the standard says this should work, but it doesn't */
+    ckrv = CKAPI(tok)->C_Digest(session->handle, NULL, 0, NULL, &digestLen);
+    if (ckrv != CKR_OK) {
+	nssSession_ExitMonitor(session);
+	return NULL;
+    }
+#endif
+    digestLen = 0; /* XXX for now */
+    digest = NULL;
+    if (rvOpt) {
+	if (rvOpt->size > 0 && rvOpt->size < digestLen) {
+	    nssSession_ExitMonitor(session);
+	    /* the error should be bad args */
+	    return NULL;
+	}
+	if (rvOpt->data) {
+	    digest = rvOpt->data;
+	}
+	digestLen = rvOpt->size;
+    }
+    if (!digest) {
+	digest = (CK_BYTE_PTR)nss_ZAlloc(arenaOpt, digestLen);
+	if (!digest) {
+	    nssSession_ExitMonitor(session);
+	    return NULL;
+	}
+    }
+    ckrv = CKAPI(tok)->C_Digest(session->handle, 
+                                (CK_BYTE_PTR)data->data, 
+                                (CK_ULONG)data->size,
+                                (CK_BYTE_PTR)digest,
+                                &digestLen);
+    nssSession_ExitMonitor(session);
+    if (ckrv != CKR_OK) {
+	nss_ZFreeIf(digest);
+	return NULL;
+    }
+    if (!rvOpt) {
+	rvItem = nssItem_Create(arenaOpt, NULL, digestLen, (void *)digest);
+    }
+    return rvItem;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_BeginDigest
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSAlgorithmAndParameters *ap
+)
+{
+    CK_RV ckrv;
+    nssSession *session;
+    session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(tok)->C_DigestInit(session->handle, &ap->mechanism);
+    nssSession_ExitMonitor(session);
+    return (ckrv == CKR_OK) ? PR_SUCCESS : PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_ContinueDigest
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSItem *item
+)
+{
+    CK_RV ckrv;
+    nssSession *session;
+    session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(tok)->C_DigestUpdate(session->handle, 
+                                      (CK_BYTE_PTR)item->data, 
+                                      (CK_ULONG)item->size);
+    nssSession_ExitMonitor(session);
+    return (ckrv == CKR_OK) ? PR_SUCCESS : PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSItem *
+nssToken_FinishDigest
+(
+  NSSToken *tok,
+  nssSession *sessionOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    CK_RV ckrv;
+    CK_ULONG digestLen;
+    CK_BYTE_PTR digest;
+    NSSItem *rvItem = NULL;
+    nssSession *session;
+    session = (sessionOpt) ? sessionOpt : tok->defaultSession;
+    nssSession_EnterMonitor(session);
+    ckrv = CKAPI(tok)->C_DigestFinal(session->handle, NULL, &digestLen);
+    if (ckrv != CKR_OK || digestLen == 0) {
+	nssSession_ExitMonitor(session);
+	return NULL;
+    }
+    digest = NULL;
+    if (rvOpt) {
+	if (rvOpt->size > 0 && rvOpt->size < digestLen) {
+	    nssSession_ExitMonitor(session);
+	    /* the error should be bad args */
+	    return NULL;
+	}
+	if (rvOpt->data) {
+	    digest = rvOpt->data;
+	}
+	digestLen = rvOpt->size;
+    }
+    if (!digest) {
+	digest = (CK_BYTE_PTR)nss_ZAlloc(arenaOpt, digestLen);
+	if (!digest) {
+	    nssSession_ExitMonitor(session);
+	    return NULL;
+	}
+    }
+    ckrv = CKAPI(tok)->C_DigestFinal(session->handle, digest, &digestLen);
+    nssSession_ExitMonitor(session);
+    if (ckrv != CKR_OK) {
+	nss_ZFreeIf(digest);
+	return NULL;
+    }
+    if (!rvOpt) {
+	rvItem = nssItem_Create(arenaOpt, NULL, digestLen, (void *)digest);
+    }
+    return rvItem;
+}
+
+/* XXX of course this doesn't belong here */
+NSS_IMPLEMENT NSSAlgorithmAndParameters *
+NSSAlgorithmAndParameters_CreateSHA1Digest
+(
+  NSSArena *arenaOpt
+)
+{
+    NSSAlgorithmAndParameters *rvAP = NULL;
+    rvAP = nss_ZNEW(arenaOpt, NSSAlgorithmAndParameters);
+    if (rvAP) {
+	rvAP->mechanism.mechanism = CKM_SHA_1;
+	rvAP->mechanism.pParameter = NULL;
+	rvAP->mechanism.ulParameterLen = 0;
+    }
+    return rvAP;
+}
+
+NSS_IMPLEMENT NSSAlgorithmAndParameters *
+NSSAlgorithmAndParameters_CreateMD5Digest
+(
+  NSSArena *arenaOpt
+)
+{
+    NSSAlgorithmAndParameters *rvAP = NULL;
+    rvAP = nss_ZNEW(arenaOpt, NSSAlgorithmAndParameters);
+    if (rvAP) {
+	rvAP->mechanism.mechanism = CKM_MD5;
+	rvAP->mechanism.pParameter = NULL;
+	rvAP->mechanism.ulParameterLen = 0;
+    }
+    return rvAP;
+}
+
diff --git a/security/nss/lib/dev/devutil.c b/security/nss/lib/dev/devutil.c
new file mode 100644
index 000000000..02db7831b
--- /dev/null
+++ b/security/nss/lib/dev/devutil.c
@@ -0,0 +1,52 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef DEVM_H
+#include "devm.h"
+#endif /* DEVM_H */
+
+NSS_IMPLEMENT PRUint32
+nssPKCS11StringLength(CK_CHAR *pkcs11Str, PRUint32 bufLen)
+{
+    PRInt32 i;
+    for (i = bufLen - 1; i>=0; ) {
+	if (pkcs11Str[i] != ' ') break;
+	--i;
+    }
+    return (PRUint32)(i + 1);
+}
+
diff --git a/security/nss/lib/dev/manifest.mn b/security/nss/lib/dev/manifest.mn
new file mode 100644
index 000000000..46013ab5e
--- /dev/null
+++ b/security/nss/lib/dev/manifest.mn
@@ -0,0 +1,65 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+CORE_DEPTH = ../../..
+
+PRIVATE_EXPORTS = \
+	ckhelper.h \
+	devt.h     \
+	dev.h      \
+	nssdevt.h  \
+	$(NULL)
+
+EXPORTS =	   \
+	$(NULL)
+
+MODULE = security
+
+CSRCS =		        \
+	devmod.c        \
+	devslot.c       \
+	devobject.c     \
+	devtoken.c      \
+	devutil.c       \
+	ckhelper.c      \
+	$(NULL)
+
+# here is where the 3.4 glue code is added
+ifndef PURE_STAN_BUILD
+DEFINES = -DNSS_3_4_CODE
+endif
+
+REQUIRES = security nspr
+
+LIBRARY_NAME = nssdev
diff --git a/security/nss/lib/dev/nssdevt.h b/security/nss/lib/dev/nssdevt.h
new file mode 100644
index 000000000..a603ce545
--- /dev/null
+++ b/security/nss/lib/dev/nssdevt.h
@@ -0,0 +1,69 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef NSSDEVT_H
+#define NSSDEVT_H
+
+#ifdef DEBUG
+static const char NSSDEVT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * nssdevt.h
+ *
+ * This file contains definitions for the low-level cryptoki devices.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSPKIT_H
+#include "nsspkit.h"
+#endif /* NSSPKIT_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * NSSModule and NSSSlot -- placeholders for the PKCS#11 types
+ */
+
+typedef struct NSSModuleStr NSSModule;
+
+typedef struct NSSSlotStr NSSSlot;
+
+typedef struct NSSTokenStr NSSToken;
+
+PR_END_EXTERN_C
+
+#endif /* NSSDEVT_H */
diff --git a/security/nss/lib/fortcrypt/Makefile b/security/nss/lib/fortcrypt/Makefile
new file mode 100644
index 000000000..40609cb98
--- /dev/null
+++ b/security/nss/lib/fortcrypt/Makefile
@@ -0,0 +1,168 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+# 
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+
+CILIB                   = $(OBJDIR)/cilib.$(LIB_SUFFIX)
+ORIG_CILIB              = libci/$(OS_TARGET)$(OS_RELEASE).$(LIB_SUFFIX)
+
+ifeq (,$(filter-out WINNT WINCE,$(OS_TARGET)))  # omits WIN16 WIN95
+ORIG_CILIB              = libci/tssp32.lib
+endif
+
+ifeq ($(OS_TARGET), WIN16)
+ORIG_CILIB              = libci/tssp.lib
+endif
+
+ifeq ($(OS_TARGET), WIN95)
+ORIG_CILIB              = libci/tssp32.lib
+endif
+
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+STUBDLL                 = $(OBJDIR)/stub.$(DLL_SUFFIX)
+endif
+
+STUBLIB                 = $(OBJDIR)/stub.$(LIB_SUFFIX)
+
+ifeq ($(OS_TARGET), WIN16)
+W16LIBS         += $(CILIB)
+else
+EXTRA_LIBS      += $(CILIB)
+endif
+
+INST_JS                 = inst.js
+LIBCI_JAR               = $(OBJDIR)/libfort.jar
+LIBCI_JAR_SRC           = $(INST_JS) $(SHARED_LIBRARY)
+
+ifneq ($(OS_TARGET), WIN16)
+TARGETS : $(LIBCI_JAR) 
+endif
+
+ifeq ($(OS_TARGET), WIN16)
+# note that rules.mk is not included below for WIN16
+all:
+	@echo Skipping fortcrypt directory for 16-bit windows builds
+
+all_platforms alltags clean clobber clobber_all realclean: all
+
+boot export install libs program release: all
+
+endif
+
+$(SHARED_LIBRARY): $(CILIB) $(DIRS)
+
+cilib_name:
+	@echo $(CILIB)
+
+$(CILIB):
+	@$(MAKE_OBJDIR)
+	@if test -f $(ORIG_CILIB); then \
+		echo "Copying $(ORIG_CILIB) to $@"; \
+		cp $(ORIG_CILIB) $@; \
+	else \
+		echo "Making empty stub $@"; \
+		$(MAKE) $(STUBLIB); \
+	fi
+	@$(RANLIB) $@
+
+$(STUBLIB): $(OBJDIR)/maci$(OBJ_SUFFIX)
+	@$(MAKE_OBJDIR)
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+	$(MAKE) $(STUBDLL)
+else
+	$(AR) $<
+endif
+	cp $@ $(CILIB)
+
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+$(STUBDLL): $(OBJDIR)/maci.o
+	$(LINK_DLL) -MAP $(DLLBASE) $(subst /,\\,$(OBJDIR)/maci.o $(OS_LIBS))
+
+$(OBJDIR)/maci.o: maci.c
+	$(CC) -Fo$@ -c $(CFLAGS) $<
+endif
+
+#
+# The following rules packages the shared library into a JAR,
+# ready to be signed
+#
+$(OBJDIR)/replace: replace.c
+	$(CC) -o $@ $<
+
+# ZIP options:
+# -5 means medium compression
+# -q means quiet
+# -j means do not store tree structure, all files go into one dir
+#
+$(LIBCI_JAR): $(DIRS) $(LIBCI_JAR_SRC)
+	@echo +++ building $@ from $(LIBCI_JAR_SRC)
+	@rm -f $@
+	zip -5qj $@ $(LIBCI_JAR_SRC) 
+
+force:
+	(cd swfort ; $(MAKE))
+
+
+MD_FILES += $(LIBCI_JAR)
+
+# coreconf doesn't build the AIX shared library for FORTEZZA,
+# so I'm going to override their shared library command and build the shared
+# library the way config used to.
+#
+ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.1)
+DSO_LDOPTS              = -bM:SRE -bh:4 -bnoentry
+EXTRA_DSO_LDOPTS        = -lc
+MKSHLIB                 = svld $(DSO_LDOPTS)
+
+$(SHARED_LIBRARY): $(OBJS)
+	@$(MAKE_OBJDIR)
+	rm -f $@
+	$(MKSHLIB) -o $@ $(OBJS) $(EXTRA_LIBS) $(EXTRA_DSO_LDOPTS)
+	chmod +x $@
+endif
+
+ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.2)
+LD      += -G
+endif 
+
+
+ifneq ($(OS_TARGET), WIN16)
+include $(CORE_DEPTH)/coreconf/rules.mk
+endif
+
+export:: private_export
+
+
diff --git a/security/nss/lib/fortcrypt/config.mk b/security/nss/lib/fortcrypt/config.mk
new file mode 100644
index 000000000..d54a9dfc0
--- /dev/null
+++ b/security/nss/lib/fortcrypt/config.mk
@@ -0,0 +1,43 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#
+#  Override TARGETS variable so that only shared libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(SHARED_LIBRARY)
+LIBRARY        =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/fortcrypt/cryptint.h b/security/nss/lib/fortcrypt/cryptint.h
new file mode 100644
index 000000000..c4de00ff2
--- /dev/null
+++ b/security/nss/lib/fortcrypt/cryptint.h
@@ -0,0 +1,703 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/* @(#)cryptint.h	1.26\t10 Nov 1995 */
+/*****************************************************************************
+  Definitive Fortezza header file.
+  Application Level Interface to Fortezza CI Library.
+
+  Version for CI Library 1.52
+    November 8, 1995
+
+
+  NOTICE: Fortezza Export Policy
+
+    The Fortezza Cryptologic Interface (CI) Library (both source and 
+    object) and Fortezza CI Library based applications are defense 
+    articles, as defined in the International Traffic In Arms 
+    Regulations (ITAR), and are subject to export controls under the 
+    ITAR and the Arms Export Control Act. Any export to any country 
+    of (a) the Fortezza CI Library, related documentation, and 
+    technical data, or (b) your cryptographic application, process, 
+    or service that is the direct product of, or contains the 
+    Fortezza CI Library must comply with the requirements of the ITAR. 
+    If you or your customer intends to engage in such export, contact 
+    the United States Department of State, Office of Defense Trade 
+    Controls for specific guidance.
+
+
+ ****************************************************************************/
+#ifndef __CRYPTINT_H
+#define __CRYPTINT_H
+
+#if __cplusplus__ || __cplusplus
+extern "C"
+{
+#endif /* C++ */
+
+#ifndef PROTO_LIST
+#ifdef _K_AND_R_
+#define PROTO_LIST(list)  ()
+#else
+#define PROTO_LIST(list)  list
+#endif /*_K_AND_R_ */
+#endif /* PROTO_LIST */
+
+
+#ifndef RETURN_TYPE
+#if defined( _WIN32 ) || defined( __WIN32__ )
+#define RETURN_TYPE  __declspec(dllimport) int
+#elif defined( _WINDOWS ) || defined( _Windows )
+#define RETURN_TYPE  extern int _far _pascal
+#else
+#define RETURN_TYPE  extern int
+#endif /* Windows */
+#endif /* RETURN_TYPE */
+
+/* MS Visual C++ defines _MSDOS and _WINDOWS    */
+/* Borland C/C++ defines __MSDOS__ and _Windows */
+#if defined( _WIN32 ) ||  defined ( __WIN32__ )
+#define CI_FAR
+#elif defined( _WINDOWS ) || defined( _Windows )
+#define CI_FAR  _far
+#else
+#define CI_FAR
+#endif /* MS DOS or Windows */
+
+
+/*****************************************************************************
+  Constants
+ ****************************************************************************/
+#define CI_LIB_VERSION_VAL        0x0152    /* Version 1.52 */
+
+#define CI_CERT_SIZE              2048
+#define CI_CERT_FLAGS_SIZE        16
+#define CI_CERT_NAME_SIZE         32
+#define CI_CHALLENGE_SIZE         20
+
+#define CI_G_SIZE                 128
+
+#define CI_HASHVALUE_SIZE         20
+
+#define CI_IV_SIZE                24
+
+#define CI_KEY_SIZE               12
+#define CI_KS_SIZE                10
+
+#define CI_NAME_SIZE              32
+
+#define CI_PASSWORD_SIZE          24
+#define CI_PIN_SIZE               12
+#define CI_P_SIZE                 128
+
+#define CI_Q_SIZE                 20
+
+#define CI_R_SIZE                 40
+#define CI_RANDOM_NO_SIZE         20
+#define CI_RANDOM_SEED_SIZE       8
+#define CI_RA_SIZE                128
+#define CI_RB_SIZE                128
+#define CI_REG_FLAGS_SIZE         4
+
+#define CI_S_SIZE                 40
+#define CI_SAVE_DATA_SIZE         28
+#define CI_SERIAL_NUMBER_SIZE     8
+#define CI_SIGNATURE_SIZE         40
+#define CI_STATUS_FLAGS_SIZE      4
+
+#define CI_TIME_SIZE              16
+#define CI_TIMESTAMP_SIZE         16
+
+#define CI_WRAPPED_X_SIZE         24
+
+#define CI_Y_SIZE                 128
+
+#define CI_X_SIZE                 20
+
+
+/* Miscellaneous */
+#define CI_NULL_FLAG              0 
+#define CI_POWER_DOWN_FLAG        2
+#define CI_NO_LOG_OFF_FLAG        4
+#define CI_INITIATOR_FLAG         0
+#define CI_RECIPIENT_FLAG         1
+
+#define CI_BLOCK_LOCK_FLAG        1
+#define CI_SSO_LOGGED_ON          0x40
+#define CI_USER_LOGGED_ON         0x00
+#define CI_FAST_MODE              0x10
+#define CI_SLOW_MODE              0x00
+#define CI_WORST_CASE_MODE        0x40
+#define CI_TYPICAL_CASE_MODE      0x00
+
+/* Card Public Key Algorithms Types */
+#define CI_DSA_TYPE               0xA
+#define CI_KEA_TYPE               0x5
+#define CI_DSA_KEA_TYPE           0xF
+
+/* Fortezza Pin Types */
+#define CI_SSO_PIN                0x25
+#define CI_USER_PIN               0x2A
+
+/* Crypto Types */
+#define CI_ENCRYPT_TYPE           0
+#define CI_DECRYPT_TYPE           1
+#define CI_HASH_TYPE              2
+
+/* Save and Restore Types */
+#define CI_ENCRYPT_INT_TYPE       0x00      /* Internal Encryption */
+#define CI_ENCRYPT_EXT_TYPE       0x10      /* External Encryption */
+#define CI_DECRYPT_INT_TYPE       0x01      /* Internal Decryption */
+#define CI_DECRYPT_EXT_TYPE       0x11      /* External Decryption */
+#define CI_HASH_INT_TYPE          0x02      /* Internal Hash */
+#define CI_HASH_EXT_TYPE          0x12      /* External Hash */
+#define CI_TYPE_EXT_FLAG          0x10      /* Used to differentiate */
+
+/* Configuration types */
+#define CI_SET_SPEED_TYPE         1
+#define CI_SET_TIMING_TYPE        2
+
+/* Lock States */
+#define CI_SOCKET_UNLOCKED        0
+#define CI_HOLD_LOCK              1
+#define CI_SOCKET_LOCKED          2
+
+/* Fortezza Crypto Types Modes */
+#define CI_ECB64_MODE             0
+#define CI_CBC64_MODE             1
+#define CI_OFB64_MODE             2
+#define CI_CFB64_MODE             3
+#define CI_CFB32_MODE             4
+#define CI_CFB16_MODE             5
+#define CI_CFB8_MODE              6
+
+/* Card States */
+#define CI_POWER_UP               0
+#define CI_UNINITIALIZED          1
+#define CI_INITIALIZED            2
+#define CI_SSO_INITIALIZED        3
+#define CI_LAW_INITIALIZED        4
+#define CI_USER_INITIALIZED       5
+#define CI_STANDBY                6
+#define CI_READY                  7
+#define CI_ZEROIZE                8
+#define CI_INTERNAL_FAILURE       (-1)
+
+/* Flags for Firmware Update. */
+#define CI_NOT_LAST_BLOCK_FLAG    0x00000000UL
+#define CI_LAST_BLOCK_FLAG        0x80000000UL
+#define CI_DESTRUCTIVE_FLAG       0x000000FFUL
+#define CI_NONDESTRUCTIVE_FLAG    0x0000FF00UL
+
+
+/****************************************************************************
+  Fortezza Library Return Codes
+ ***************************************************************************/
+
+/* Card Responses */
+#define CI_OK                     0
+#define CI_FAIL                   1
+#define CI_CHECKWORD_FAIL         2
+#define CI_INV_TYPE               3
+#define CI_INV_MODE               4
+#define CI_INV_KEY_INDEX          5
+#define CI_INV_CERT_INDEX         6
+#define CI_INV_SIZE               7
+#define CI_INV_HEADER             8
+#define CI_INV_STATE              9
+#define CI_EXEC_FAIL              10
+#define CI_NO_KEY                 11
+#define CI_NO_IV                  12
+#define CI_NO_X                   13
+
+#define CI_NO_SAVE                15
+#define CI_REG_IN_USE             16
+#define CI_INV_COMMAND            17
+#define CI_INV_POINTER            18
+#define CI_BAD_CLOCK              19
+#define CI_NO_DSA_PARMS           20
+
+/* Library Errors */
+#define CI_ERROR                  (-1)
+#define CI_LIB_NOT_INIT           (-2)
+#define CI_CARD_NOT_READY         (-3)
+#define CI_CARD_IN_USE            (-4)
+#define CI_TIME_OUT               (-5)
+#define CI_OUT_OF_MEMORY          (-6)
+#define CI_NULL_PTR               (-7)
+#define CI_BAD_SIZE               (-8)
+#define CI_NO_DECRYPT             (-9)
+#define CI_NO_ENCRYPT             (-10)
+#define CI_NO_EXECUTE             (-11)
+#define CI_BAD_PARAMETER          (-12)
+#define CI_OUT_OF_RESOURCES       (-13)
+
+#define CI_NO_CARD                (-20)
+#define CI_NO_DRIVER              (-21)
+#define CI_NO_CRDSRV              (-22)
+#define CI_NO_SCTSRV              (-23)
+
+#define CI_BAD_CARD               (-30)
+#define CI_BAD_IOCTL              (-31)
+#define CI_BAD_READ               (-32)
+#define CI_BAD_SEEK               (-33)
+#define CI_BAD_WRITE              (-34)
+#define CI_BAD_FLUSH              (-35)
+#define CI_BAD_IOSEEK             (-36)
+#define CI_BAD_ADDR               (-37)
+
+#define CI_INV_SOCKET_INDEX       (-40)
+#define CI_SOCKET_IN_USE          (-41)
+#define CI_NO_SOCKET              (-42)
+#define CI_SOCKET_NOT_OPENED      (-43)
+#define CI_BAD_TUPLES             (-44)
+#define CI_NOT_A_CRYPTO_CARD      (-45)
+
+#define CI_INVALID_FUNCTION       (-50)
+#define CI_LIB_ALRDY_INIT         (-51)
+#define CI_SRVR_ERROR             (-52)
+
+
+/*****************************************************************************
+  Data Structures
+ ****************************************************************************/
+
+typedef unsigned char   CI_CERTIFICATE[CI_CERT_SIZE];
+
+typedef unsigned char   CI_CERT_FLAGS[CI_CERT_FLAGS_SIZE];
+
+typedef unsigned char   CI_CERT_STR[CI_CERT_NAME_SIZE+4];
+
+typedef unsigned char   CI_FAR *CI_DATA;
+
+typedef unsigned char   CI_G[CI_G_SIZE];
+
+typedef unsigned char   CI_HASHVALUE[CI_HASHVALUE_SIZE];
+
+typedef unsigned char   CI_IV[CI_IV_SIZE];
+
+typedef unsigned char   CI_KEY[CI_KEY_SIZE];
+
+typedef unsigned char   CI_KS[CI_KS_SIZE];
+
+typedef unsigned char   CI_P[CI_P_SIZE];
+
+typedef unsigned char   CI_PASSWORD[CI_PASSWORD_SIZE + 4];
+
+typedef unsigned char   CI_PIN[CI_PIN_SIZE + 4];
+
+typedef unsigned char   CI_Q[CI_Q_SIZE];
+
+typedef unsigned char   CI_RA[CI_RA_SIZE];
+
+typedef unsigned char   CI_RB[CI_RB_SIZE];
+
+typedef unsigned char   CI_RANDOM[CI_RANDOM_NO_SIZE];
+
+typedef unsigned char   CI_RANDSEED[CI_RANDOM_SEED_SIZE];
+
+typedef unsigned char   CI_REG_FLAGS[CI_REG_FLAGS_SIZE];
+
+typedef unsigned char   CI_SIGNATURE[CI_SIGNATURE_SIZE];
+
+typedef unsigned char   CI_SAVE_DATA[CI_SAVE_DATA_SIZE];
+
+typedef unsigned char   CI_SERIAL_NUMBER[CI_SERIAL_NUMBER_SIZE];
+
+typedef unsigned int    CI_STATE, CI_FAR *CI_STATE_PTR;
+
+typedef unsigned char   CI_TIME[CI_TIME_SIZE];
+
+typedef unsigned char   CI_TIMESTAMP[CI_TIMESTAMP_SIZE];
+
+typedef unsigned char   CI_WRAPPED_X[CI_WRAPPED_X_SIZE];
+
+typedef unsigned char   CI_Y[CI_Y_SIZE];
+
+typedef unsigned char   CI_X[CI_X_SIZE];
+
+typedef struct {
+    int     LibraryVersion;                 /* CI Library version */
+    int     ManufacturerVersion;            /* Card's hardware version */
+    char    ManufacturerName[CI_NAME_SIZE+4]; /* Card manufacturer's name*/
+    char    ProductName[CI_NAME_SIZE+4];    /* Card's product name */
+    char    ProcessorType[CI_NAME_SIZE+4];  /* Card's processor type */
+    unsigned long  UserRAMSize;             /* Amount of User RAM in bytes */
+    unsigned long  LargestBlockSize;        /* Largest block of data to pass in */
+    int     KeyRegisterCount;               /* Number of key registers */
+    int     CertificateCount;               /* Maximum number of personalities (# certs-1) */
+    int     CryptoCardFlag;                 /* A flag that if non-zero indicates that there is
+                                               a Crypto-Card in the socket. If this value is
+                                               zero then there is NOT a Crypto-Card in the
+                                               sockets. */
+    int     ICDVersion;                     /* The ICD compliance level */
+    int     ManufacturerSWVer;              /* The Manufacturer's Software Version */
+    int     DriverVersion;                  /* Driver Version */
+} CI_CONFIG, CI_FAR *CI_CONFIG_PTR;
+
+typedef struct {
+    int          CertificateIndex;          /* Index from 1 to CertificateCount */
+    CI_CERT_STR  CertLabel;                 /* The certificate label */
+} CI_PERSON, CI_FAR *CI_PERSON_PTR;
+
+typedef struct {
+     int    CurrentSocket;                  /* The currently selected socket */
+     int    LockState;                      /* Lock status of the current socket */
+     CI_SERIAL_NUMBER  SerialNumber;        /* Serial number of the Crypto Engine chip */
+     CI_STATE  CurrentState;                /* State of The Card */
+     int    DecryptionMode;                 /* Decryption mode of The Card */
+     int    EncryptionMode;                 /* Encryption mode of The Card */
+     int    CurrentPersonality;             /* Index of the current personality */
+     int    KeyRegisterCount;               /* No. of Key Register on The Card */
+     CI_REG_FLAGS   KeyRegisterFlags;       /* Bit Masks indicating Key Register use */
+     int    CertificateCount;               /* No. of Certificates on The Card */
+     CI_CERT_FLAGS  CertificateFlags;       /* Bit Mask indicating certificate use */
+     unsigned char  Flags[CI_STATUS_FLAGS_SIZE];  
+                                            /* Flag[0] : bit 6 for Condition mode */
+                                            /*           bit 4 for Clock mode */
+} CI_STATUS, CI_FAR *CI_STATUS_PTR;
+
+
+/*****************************************************************************
+  Function Call Prototypes
+ ****************************************************************************/
+
+RETURN_TYPE
+CI_ChangePIN PROTO_LIST( (
+    int            PINType,
+    CI_PIN CI_FAR  pOldPIN,
+    CI_PIN CI_FAR  pNewPIN ) );
+
+RETURN_TYPE
+CI_CheckPIN PROTO_LIST( (
+    int            PINType,
+    CI_PIN CI_FAR  pPIN ) );
+
+RETURN_TYPE
+CI_Close PROTO_LIST( (
+    unsigned int  Flags,
+    int           SocketIndex ) );
+
+RETURN_TYPE
+CI_Decrypt PROTO_LIST( (
+    unsigned int  CipherSize,
+    CI_DATA       pCipher,
+    CI_DATA       pPlain ) );
+
+RETURN_TYPE
+CI_DeleteCertificate PROTO_LIST( (
+    int  CertificateIndex ) );
+
+RETURN_TYPE
+CI_DeleteKey PROTO_LIST( (
+    int  RegisterIndex ) );
+
+RETURN_TYPE
+CI_Encrypt PROTO_LIST( (
+    unsigned int  PlainSize,
+    CI_DATA       pPlain,
+    CI_DATA       pCipher ) );
+
+RETURN_TYPE
+CI_ExtractX PROTO_LIST( (
+    int                  CertificateIndex,
+    int                  AlgorithmType,
+    CI_PASSWORD CI_FAR   pPassword,
+    unsigned int         YSize,
+    CI_Y CI_FAR          pY,
+    CI_WRAPPED_X CI_FAR  pX,
+    CI_RA CI_FAR         pRa,
+    unsigned int         PandGSize,
+    unsigned int         QSize,
+    CI_P CI_FAR          pP,
+    CI_Q CI_FAR          pQ,
+    CI_G CI_FAR          pG ) );
+
+RETURN_TYPE
+CI_FirmwareUpdate PROTO_LIST( (
+    unsigned long  Flags,
+    long           Cksum,
+    unsigned int   CksumLength,
+    unsigned int   DataSize,
+    CI_DATA        pData ) );
+
+RETURN_TYPE
+CI_GenerateIV PROTO_LIST( (
+    CI_IV CI_FAR  pIV ) );
+
+RETURN_TYPE
+CI_GenerateMEK PROTO_LIST( (
+    int  RegisterIndex,
+    int  Reserved ) );
+
+RETURN_TYPE
+CI_GenerateRa PROTO_LIST( (
+    CI_RA CI_FAR  pRa ) );
+
+RETURN_TYPE
+CI_GenerateRandom PROTO_LIST( (
+    CI_RANDOM CI_FAR  pRandom ) );
+
+RETURN_TYPE
+CI_GenerateTEK PROTO_LIST( (
+    int           Flags,
+    int           RegisterIndex,
+    CI_RA CI_FAR  pRa,
+    CI_RB CI_FAR  pRb,
+    unsigned int  YSize,
+    CI_Y CI_FAR   pY ) );
+
+RETURN_TYPE
+CI_GenerateX PROTO_LIST( (
+    int           CertificateIndex,
+    int           AlgorithmType,
+    unsigned int  PandGSize,
+    unsigned int  QSize,
+    CI_P CI_FAR   pP,
+    CI_Q CI_FAR   pQ,
+    CI_G CI_FAR   pG,
+    unsigned int  YSize,
+    CI_Y CI_FAR   pY ) );
+
+RETURN_TYPE
+CI_GetCertificate PROTO_LIST( (
+    int                    CertificateIndex,
+    CI_CERTIFICATE CI_FAR  pCertificate ) );
+
+RETURN_TYPE
+CI_GetConfiguration PROTO_LIST( (
+    CI_CONFIG_PTR  pConfiguration ) );
+
+RETURN_TYPE
+CI_GetHash PROTO_LIST( (
+    unsigned int         DataSize,
+    CI_DATA              pData,
+    CI_HASHVALUE CI_FAR  pHashValue ) );
+
+RETURN_TYPE
+CI_GetPersonalityList PROTO_LIST( (
+    int               EntryCount,
+    CI_PERSON CI_FAR  pPersonalityList[] ) );
+
+RETURN_TYPE
+CI_GetState PROTO_LIST( (
+    CI_STATE_PTR  pState ) );
+
+RETURN_TYPE
+CI_GetStatus PROTO_LIST( (
+    CI_STATUS_PTR  pStatus ) );
+
+RETURN_TYPE
+CI_GetTime PROTO_LIST( (
+    CI_TIME CI_FAR  pTime ) );
+
+RETURN_TYPE
+CI_Hash PROTO_LIST( (
+    unsigned int  DataSize,
+    CI_DATA       pData ) );
+
+RETURN_TYPE
+CI_Initialize PROTO_LIST( (
+    int CI_FAR  *SocketCount ) );
+
+RETURN_TYPE
+CI_InitializeHash PROTO_LIST( (
+    void ) );
+
+RETURN_TYPE
+CI_InstallX PROTO_LIST( (
+    int                  CertificateIndex,
+    int                  AlgorithmType,
+    CI_PASSWORD CI_FAR   pPassword,
+    unsigned int         YSize,
+    CI_Y CI_FAR          pY,
+    CI_WRAPPED_X CI_FAR  pWrappedX,
+    CI_RA CI_FAR         pRa,
+    unsigned int         PandGSize,
+    unsigned int         QSize,
+    CI_P CI_FAR          pP,
+    CI_Q CI_FAR          pQ,
+    CI_G CI_FAR          pG ) );
+
+RETURN_TYPE
+CI_LoadCertificate PROTO_LIST( (
+    int                    CertificateIndex,
+    CI_CERT_STR CI_FAR     pCertLabel,
+    CI_CERTIFICATE CI_FAR  pCertificate,
+    long                   Reserved ) );
+
+RETURN_TYPE
+CI_LoadDSAParameters PROTO_LIST( (
+    unsigned int  PandGSize,
+    unsigned int  QSize,
+    CI_P CI_FAR   pP,
+    CI_Q CI_FAR   pQ,
+    CI_G CI_FAR   pG ) );
+
+RETURN_TYPE
+CI_LoadInitValues PROTO_LIST( (
+    CI_RANDSEED CI_FAR  pRandSeed,
+    CI_KS CI_FAR        pKs ) );
+
+RETURN_TYPE
+CI_LoadIV PROTO_LIST( (
+    CI_IV CI_FAR  pIV ) );
+
+RETURN_TYPE
+CI_LoadX PROTO_LIST( (
+    int           CertificateIndex,
+    int           AlgorithmType,
+    unsigned int  PandGSize,
+    unsigned int  QSize,
+    CI_P CI_FAR   pP,
+    CI_Q CI_FAR   pQ,
+    CI_G CI_FAR   pG,
+    CI_X CI_FAR   pX,
+    unsigned int  YSize,
+    CI_Y CI_FAR   pY ) );
+
+RETURN_TYPE
+CI_Lock PROTO_LIST( (
+    int  Flags ) );
+
+RETURN_TYPE
+CI_Open PROTO_LIST( (
+    unsigned int  Flags,
+    int           SocketIndex ) );
+
+RETURN_TYPE
+CI_RelayX PROTO_LIST( (
+    CI_PASSWORD CI_FAR   pOldPassword,
+    unsigned int         OldYSize,
+    CI_Y CI_FAR          pOldY,
+    CI_RA CI_FAR         pOldRa,
+    CI_WRAPPED_X CI_FAR  pOldWrappedX,
+    CI_PASSWORD CI_FAR   pNewPassword,
+    unsigned int         NewYSize,
+    CI_Y CI_FAR          pNewY,
+    CI_RA CI_FAR         pNewRa,
+    CI_WRAPPED_X CI_FAR  pNewWrappedX ) );
+
+RETURN_TYPE
+CI_Reset PROTO_LIST( (
+    void ) );
+
+RETURN_TYPE
+CI_Restore PROTO_LIST( (
+    int                  CryptoType,
+    CI_SAVE_DATA CI_FAR  pData ) );
+
+RETURN_TYPE
+CI_Save PROTO_LIST( (
+    int                  CryptoType,
+    CI_SAVE_DATA CI_FAR  pData ) );
+
+RETURN_TYPE
+CI_Select PROTO_LIST( (
+    int  SocketIndex ) );
+
+RETURN_TYPE
+CI_SetConfiguration PROTO_LIST( (
+    int           Type,
+    unsigned int  DataSize,
+    CI_DATA       pData ) );
+
+RETURN_TYPE
+CI_SetKey PROTO_LIST( (
+    int  RegisterIndex ) );
+
+RETURN_TYPE
+CI_SetMode PROTO_LIST( (
+    int  CryptoType,
+    int  CryptoMode ) );
+
+RETURN_TYPE
+CI_SetPersonality PROTO_LIST( (
+    int  CertificateIndex ) );
+
+RETURN_TYPE
+CI_SetTime PROTO_LIST( (
+    CI_TIME CI_FAR  pTime ) );
+
+RETURN_TYPE
+CI_Sign PROTO_LIST( (
+    CI_HASHVALUE CI_FAR  pHashValue,
+    CI_SIGNATURE CI_FAR  pSignature ) );
+
+RETURN_TYPE
+CI_Terminate PROTO_LIST( (
+    void ) );
+
+RETURN_TYPE
+CI_TimeStamp PROTO_LIST( (
+    CI_HASHVALUE CI_FAR  pHashValue,
+    CI_SIGNATURE CI_FAR  pSignature,
+    CI_TIMESTAMP CI_FAR  pTimeStamp ) );
+
+RETURN_TYPE
+CI_Unlock PROTO_LIST( (
+    void ) );
+
+RETURN_TYPE
+CI_UnwrapKey PROTO_LIST( (
+    int            UnwrapIndex,
+    int            KeyIndex,
+    CI_KEY CI_FAR  pKey ) );
+
+RETURN_TYPE
+CI_VerifySignature PROTO_LIST( (
+    CI_HASHVALUE CI_FAR  pHashValue,
+    unsigned int         YSize,
+    CI_Y CI_FAR          pY,
+    CI_SIGNATURE CI_FAR  pSignature ) );
+
+RETURN_TYPE
+CI_VerifyTimeStamp PROTO_LIST( (
+    CI_HASHVALUE CI_FAR  pHashValue,
+    CI_SIGNATURE CI_FAR  pSignature,
+    CI_TIMESTAMP CI_FAR  pTimeStamp ) );
+
+RETURN_TYPE
+CI_WrapKey PROTO_LIST( (
+    int            WrapIndex,
+    int            KeyIndex,
+    CI_KEY CI_FAR  pKey ) );
+
+RETURN_TYPE
+CI_Zeroize PROTO_LIST( (
+    void ) );
+
+#if __cplusplus__ || __cplusplus
+}
+#endif /* C++ */
+
+#endif /* CRYPTINT_H */
diff --git a/security/nss/lib/fortcrypt/fmutex.c b/security/nss/lib/fortcrypt/fmutex.c
new file mode 100644
index 000000000..ad98c04b6
--- /dev/null
+++ b/security/nss/lib/fortcrypt/fmutex.c
@@ -0,0 +1,113 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#include "fmutex.h"
+#include "fpkmem.h"
+#include <stdio.h>
+
+typedef struct PKMutexFunctions {
+  CK_CREATEMUTEX  CreateMutex;
+  CK_DESTROYMUTEX DestroyMutex;
+  CK_LOCKMUTEX    LockMutex;
+  CK_UNLOCKMUTEX  UnlockMutex;
+  int  useMutex;
+} PKMutexFunctions;
+
+static PKMutexFunctions   gMutex = {NULL, NULL, NULL, NULL, 0};
+static int gInit = 0;
+
+#define FMUTEX_CHECKS()                            \
+    if (gInit == 0) {                              \
+        return CKR_GENERAL_ERROR;                  \
+    }                                              \
+    if (!gMutex.useMutex) {                        \
+        return CKR_GENERAL_ERROR;                  \
+    }			 
+
+CK_RV FMUTEX_Init(CK_C_INITIALIZE_ARGS_PTR pArgs) {
+    if (gInit != 0) {
+        return CKR_GENERAL_ERROR;
+    }
+
+    if (pArgs && pArgs->CreateMutex && pArgs->DestroyMutex &&
+	pArgs->LockMutex   && pArgs->UnlockMutex) {
+
+        gMutex.CreateMutex    = pArgs->CreateMutex;
+	gMutex.DestroyMutex   = pArgs->DestroyMutex;
+	gMutex.LockMutex      = pArgs->LockMutex;
+	gMutex.UnlockMutex    = pArgs->UnlockMutex;
+	gMutex.useMutex       = 1;
+	gInit                 = 1;
+    } else {
+        gInit = 0;
+	return CKR_GENERAL_ERROR;
+    }
+    
+    return CKR_OK;
+}
+
+
+CK_RV FMUTEX_Create(CK_VOID_PTR_PTR pMutex) {
+    CK_RV rv;
+    FMUTEX_CHECKS()
+
+    rv = gMutex.CreateMutex(pMutex);
+    return rv;
+}
+
+CK_RV FMUTEX_Destroy(CK_VOID_PTR pMutex) {
+    CK_RV rv;
+    FMUTEX_CHECKS()
+
+    rv = gMutex.DestroyMutex(pMutex);
+    return rv;
+}
+
+CK_RV FMUTEX_Lock(CK_VOID_PTR pMutex) {
+    CK_RV rv;
+    FMUTEX_CHECKS()
+
+    rv = gMutex.LockMutex(pMutex);
+    return rv;
+}
+
+CK_RV FMUTEX_Unlock(CK_VOID_PTR pMutex) {
+    CK_RV rv;
+    FMUTEX_CHECKS()
+
+    rv = gMutex.UnlockMutex(pMutex);
+    return rv;
+}
+
+int FMUTEX_MutexEnabled (void) {
+    return gMutex.useMutex;
+}
diff --git a/security/nss/lib/fortcrypt/fmutex.h b/security/nss/lib/fortcrypt/fmutex.h
new file mode 100644
index 000000000..589eea786
--- /dev/null
+++ b/security/nss/lib/fortcrypt/fmutex.h
@@ -0,0 +1,57 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#ifndef _FMUTEX_H_
+#define _FMUTEX_H_ 1
+
+#include "fpkcs11t.h"
+
+/*
+ * All of these functions will return CK_RV  values.
+ */
+extern CK_RV FMUTEX_Init(CK_C_INITIALIZE_ARGS_PTR pArgs);
+
+
+extern CK_RV FMUTEX_Create(CK_VOID_PTR_PTR pMutex);
+
+extern CK_RV FMUTEX_Destroy(CK_VOID_PTR pMutex);
+
+extern CK_RV FMUTEX_Lock(CK_VOID_PTR pMutex);
+
+extern CK_RV FMUTEX_Unlock(CK_VOID_PTR pMutex);
+
+/* Returns 0 if mutexes have not been enabled.
+ * Returns 1 if mutexes have been enabled.
+ */
+extern int FMUTEX_MutexEnabled(void);
+
+#endif /*_FMUTEX_H_*/
diff --git a/security/nss/lib/fortcrypt/forsock.c b/security/nss/lib/fortcrypt/forsock.c
new file mode 100644
index 000000000..eb4d5ef87
--- /dev/null
+++ b/security/nss/lib/fortcrypt/forsock.c
@@ -0,0 +1,816 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#include "fortsock.h"
+#include "fpkmem.h"
+#include "fmutex.h"
+#include <string.h>
+#include <stdlib.h>
+
+#define DEF_ENCRYPT_SIZE 0x8000
+
+static unsigned char Fortezza_mail_Rb[128] = { 
+0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
+0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
+0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
+0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,1,
+};
+
+int InitSocket (FortezzaSocket *inSocket, int inSlotID) {
+    int        ci_rv;
+    CK_RV      mrv;
+
+    if (inSocket == NULL)
+        return SOCKET_FAILURE;
+
+    inSocket->isLoggedIn          = PR_FALSE;
+    inSocket->personalitiesLoaded = PR_FALSE;
+    inSocket->isOpen              = PR_FALSE;
+    inSocket->personalityList     = NULL;
+    inSocket->keyRegisters        = NULL;
+    inSocket->keys                = NULL;
+    inSocket->numPersonalities    = 0;
+    inSocket->numKeyRegisters     = 0;
+    inSocket->hitCount            = 0;
+
+    inSocket->slotID = inSlotID;
+    ci_rv = MACI_GetSessionID(&(inSocket->maciSession));
+    if (ci_rv != CI_OK)
+      return SOCKET_FAILURE;
+
+    ci_rv = MACI_Open (inSocket->maciSession, 0, inSlotID);
+    if (ci_rv == CI_OK) { 
+        inSocket->isOpen = PR_TRUE;
+    }  else {
+        MACI_Close (inSocket->maciSession, CI_NULL_FLAG, inSlotID);
+    }
+
+    if (FMUTEX_MutexEnabled()) {
+        mrv = FMUTEX_Create(&inSocket->registersLock);
+	if (mrv != CKR_OK) {
+	    inSocket->registersLock = NULL;
+	}
+    } else {
+        inSocket->registersLock = NULL;
+    }
+
+    return SOCKET_SUCCESS;
+}
+
+int FreeSocket (FortezzaSocket *inSocket) {
+    if (inSocket->registersLock) {
+        FMUTEX_Destroy(inSocket->registersLock);
+    }
+    MACI_Close(inSocket->maciSession, CI_NULL_FLAG, inSocket->slotID);
+    return SOCKET_SUCCESS;
+}
+
+int LoginToSocket (FortezzaSocket *inSocket, int inUserType, CI_PIN inPin) {
+    int ci_rv, i;
+    CI_STATUS ciStatus;
+    CI_CONFIG ciConfig;
+    FortezzaKey **oldRegisters, **newRegisters;
+    int oldCount;
+    HSESSION hs;
+
+    if (inSocket == NULL || inSocket->isLoggedIn)
+        return SOCKET_FAILURE;
+
+    hs = inSocket->maciSession;
+    ci_rv = MACI_Select (hs, inSocket->slotID);
+    if (ci_rv != CI_OK)
+        return ci_rv;
+    
+    ci_rv = MACI_CheckPIN(hs, inUserType, inPin);
+
+    if (ci_rv != CI_OK) {
+        return ci_rv;
+    }
+
+    ci_rv = MACI_GetStatus(hs, &ciStatus);
+
+    if (ci_rv != CI_OK) {
+        if (ci_rv == CI_FAIL) {
+	    ci_rv = CI_EXEC_FAIL;
+	}
+	return ci_rv;
+    }
+
+    ci_rv = MACI_GetConfiguration(hs, &ciConfig);
+    if (ci_rv != CI_OK) {
+      return ci_rv;
+    }
+
+    inSocket->isLoggedIn  = PR_TRUE;
+    inSocket->hasLoggedIn = PR_TRUE;
+    PORT_Memcpy (inSocket->openCardSerial, ciStatus.SerialNumber, 
+		 sizeof (CI_SERIAL_NUMBER));
+    inSocket->openCardState = ciStatus.CurrentState;
+    inSocket->numPersonalities = ciStatus.CertificateCount;
+    inSocket->numKeyRegisters  = ciConfig.KeyRegisterCount;
+    newRegisters     = 
+     (FortezzaKey**)PORT_Alloc (sizeof(FortezzaKey)*ciConfig.KeyRegisterCount);
+
+    FMUTEX_Lock(inSocket->registersLock);
+    oldRegisters = inSocket->keyRegisters;
+    oldCount = inSocket->numKeyRegisters;
+    inSocket->keyRegisters = newRegisters;
+    if (oldRegisters) {
+	for (i=0; i<oldCount; i++) {
+	    if (oldRegisters[i]) {
+		oldRegisters[i]->keyRegister = KeyNotLoaded;
+	    }
+            oldRegisters[i] = NULL;
+	}
+	PORT_Free(oldRegisters);
+    }
+
+    if (inSocket->keyRegisters == NULL) {
+        FMUTEX_Unlock(inSocket->registersLock);
+        return SOCKET_FAILURE;
+    }
+
+    for (i=0; i<ciConfig.KeyRegisterCount; i++) {
+        inSocket->keyRegisters[i] = NULL;
+    }
+    FMUTEX_Unlock(inSocket->registersLock);
+
+    return SOCKET_SUCCESS;
+}
+
+int LogoutFromSocket (FortezzaSocket *inSocket) {
+    if (inSocket == NULL)
+        return SOCKET_FAILURE;
+
+    inSocket->isLoggedIn  = PR_FALSE;
+    inSocket->hasLoggedIn = PR_FALSE;
+    if (UnloadPersonalityList(inSocket) != SOCKET_SUCCESS)
+        return SOCKET_FAILURE;
+    
+
+    return SOCKET_SUCCESS;
+}
+
+
+int FetchPersonalityList(FortezzaSocket *inSocket) {
+    int rv;
+
+    if (inSocket == NULL || inSocket->numPersonalities == 0) {
+        return SOCKET_FAILURE;
+    }
+
+    rv = MACI_Select (inSocket->maciSession, inSocket->slotID);
+
+    inSocket->personalityList = 
+        (CI_PERSON*)PORT_Alloc (sizeof(CI_PERSON)*inSocket->numPersonalities);
+
+    if (inSocket->personalityList == NULL) {
+        return SOCKET_FAILURE;
+    }
+
+    rv = MACI_GetPersonalityList(inSocket->maciSession, 
+				 inSocket->numPersonalities, 
+				 inSocket->personalityList);
+
+    if (rv != CI_OK) {
+        return SOCKET_FAILURE;
+    }
+
+    inSocket->personalitiesLoaded = PR_TRUE;
+    return SOCKET_SUCCESS;
+}
+
+int UnloadPersonalityList(FortezzaSocket *inSocket) {
+    if (inSocket == NULL)
+        return SOCKET_FAILURE;
+
+    inSocket->personalitiesLoaded = PR_FALSE;
+    if (inSocket->personalityList) {
+        PORT_Free(inSocket->personalityList);
+    }
+    inSocket->numPersonalities = 0;
+    inSocket->personalityList = NULL;
+
+    return SOCKET_SUCCESS;
+}
+
+PRBool SocketIsLoggedIn(CI_STATE status) {
+	
+    return (PRBool)((status == CI_READY) || (status == CI_STANDBY));
+}
+
+PRBool SocketStateUnchanged(FortezzaSocket* inSocket) {
+    CI_STATUS ciStatus;
+    int       ciRV;
+
+    ciRV = MACI_Select (inSocket->maciSession, inSocket->slotID);
+    if (ciRV != CI_OK)
+        return PR_FALSE;
+
+    if (inSocket->hasLoggedIn && !inSocket->isLoggedIn) 
+        return PR_FALSE;  /* User Logged out from the socket */
+
+    /*
+     * Some vendor cards are slow. so if we think we are logged in, 
+     * and the card still thinks we're logged in, we must have the same
+     * card.
+     */
+    if (inSocket->isLoggedIn) {
+	CI_STATE state;
+	ciRV = MACI_GetState(inSocket->maciSession, &state);
+	if (ciRV != CI_OK) return PR_FALSE;
+
+	return SocketIsLoggedIn(state);
+    }
+	
+    ciRV = MACI_GetStatus(inSocket->maciSession, &ciStatus);
+    if(ciRV != CI_OK) {
+        return PR_FALSE;
+    }
+    if (inSocket->isLoggedIn) {
+ 	if (PORT_Memcmp(ciStatus.SerialNumber, inSocket->openCardSerial, 
+			sizeof (CI_SERIAL_NUMBER)) != 0)
+	  return PR_FALSE;  /* Serial Number of card in slot has changed */
+	                    /* Probably means there is a new card        */
+    }
+    
+    if (inSocket->isLoggedIn  && !SocketIsLoggedIn(ciStatus.CurrentState))
+        return PR_FALSE;  /* State of card changed.         */
+                         /* Probably re-inserted same card */ 
+
+    return PR_TRUE;  /* No change in the state of the socket */
+}
+
+/*
+ * can we regenerate this key on the fly?
+ */
+static PRBool
+FortezzaIsRegenerating(FortezzaKey *key) {
+    /* TEK's are the only type of key that can't be regenerated */
+    if (key->keyType != TEK) return PR_TRUE;
+    /* Client TEK's can never be regenerated */
+    if (key->keyData.tek.flags == CI_INITIATOR_FLAG) return PR_FALSE; 
+    /* Only Server TEK's that use the Mail protocol can be regenerated */
+    return ((PRBool)(memcmp(key->keyData.tek.Rb,Fortezza_mail_Rb,
+			sizeof(key->keyData.tek.Rb)) == 0));
+}
+
+int GetBestKeyRegister(FortezzaSocket *inSocket) {
+    int i, candidate = -1, candidate2 = 1;
+    CK_ULONG minHitCount = 0xffffffff;
+    CK_ULONG minRegHitCount = 0xffffffff;  
+    FortezzaKey **registers;
+
+    registers = inSocket->keyRegisters;
+    for (i=1; i< inSocket->numKeyRegisters; i++) {
+        if (registers[i] == NULL)
+	    return i;
+    }
+
+    for (i=1; i < inSocket->numKeyRegisters; i++) {
+        if (registers[i]->hitCount < minHitCount) {
+	    minHitCount = registers[i]->hitCount;
+	    candidate2 = i;
+	}
+
+	if (FortezzaIsRegenerating(registers[i]) &&
+	    (registers[i]->hitCount < minRegHitCount)) {
+	    minRegHitCount = registers[i]->hitCount;
+	    candidate = i;
+	}
+    }
+
+    if (candidate == -1)
+        candidate = candidate2;
+
+    return candidate;
+}
+
+int  SetFortezzaKeyHandle (FortezzaKey *inKey, CK_OBJECT_HANDLE inHandle) {
+    inKey->keyHandle = inHandle;
+    return SOCKET_SUCCESS;
+}
+
+void
+RemoveKey (FortezzaKey *inKey) {
+    if (inKey != NULL && inKey->keySocket->keyRegisters != NULL) {
+	if (inKey->keyRegister != KeyNotLoaded) {
+	    FortezzaKey **registers = inKey->keySocket->keyRegisters;
+	    registers[inKey->keyRegister] = NULL;
+	    MACI_DeleteKey(inKey->keySocket->maciSession, inKey->keyRegister);
+	}
+	
+	PORT_Free(inKey);
+    }
+}
+
+FortezzaKey *NewFortezzaKey(FortezzaSocket  *inSocket, 
+			    FortezzaKeyType  inKeyType,
+			    CreateTEKInfo   *TEKinfo,
+			    int              inKeyRegister) {
+    FortezzaKey  *newKey, *oldKey;
+    FortezzaKey **registers;
+    HSESSION      hs = inSocket->maciSession;
+    int ciRV;
+
+    newKey = (FortezzaKey*)PORT_Alloc (sizeof(FortezzaKey));
+    if (newKey == NULL) {
+        return NULL;
+    }
+
+    newKey->keyHandle    = 0;
+    newKey->keyRegister  = KeyNotLoaded;
+    newKey->keyType      = inKeyType;
+    newKey->keySocket    = inSocket;
+    newKey->hitCount     = 0;
+    newKey->id           = TEKinfo ? TEKinfo->personality : 0;
+
+    if (inKeyType != Ks && inSocket->keyRegisters) {
+	registers = inSocket->keyRegisters;
+	oldKey    = registers[inKeyRegister];
+	if (oldKey != NULL) {
+	    oldKey->keyRegister = KeyNotLoaded;
+	}
+
+	registers[inKeyRegister] = newKey;
+	newKey->hitCount = inSocket->hitCount++;
+
+	MACI_DeleteKey (hs, inKeyRegister);
+    }
+    newKey->keyRegister = inKeyRegister;
+
+    MACI_Lock(hs, CI_BLOCK_LOCK_FLAG);
+    switch (inKeyType) {
+    case MEK:
+        ciRV = MACI_GenerateMEK (hs, inKeyRegister, 0);
+	if (ciRV != CI_OK) {
+	    RemoveKey(newKey);
+	    MACI_Unlock(hs);
+	    return NULL;
+        }
+	MACI_WrapKey(hs, 0, inKeyRegister, newKey->keyData.mek);
+	break;
+    case TEK:
+        PORT_Memcpy (newKey->keyData.tek.Rb, TEKinfo->Rb, TEKinfo->randomLen);
+	PORT_Memcpy (newKey->keyData.tek.Ra, TEKinfo->Ra, TEKinfo->randomLen);
+	PORT_Memcpy (newKey->keyData.tek.pY, TEKinfo->pY, TEKinfo->YSize);
+	newKey->keyData.tek.ySize = TEKinfo->YSize;
+	newKey->keyData.tek.randomLen = TEKinfo->randomLen;
+	newKey->keyData.tek.registerIndex = TEKinfo->personality;
+	newKey->keyData.tek.flags = TEKinfo->flag;
+
+	ciRV = MACI_SetPersonality(hs,TEKinfo->personality);
+	if (ciRV != CI_OK) {
+	    RemoveKey(newKey);
+	    MACI_Unlock(hs);
+	    return NULL;
+	}
+	ciRV = MACI_GenerateTEK(hs, TEKinfo->flag, inKeyRegister,
+			 newKey->keyData.tek.Ra, TEKinfo->Rb, 
+			 TEKinfo->YSize, TEKinfo->pY);
+	if (ciRV != CI_OK) {
+	    RemoveKey(newKey);
+	    MACI_Unlock(hs);
+	    return NULL;
+	}
+
+	
+        break;
+    case Ks:
+	break;
+    default:
+        RemoveKey(newKey);
+	MACI_Unlock(hs);
+	return NULL;
+    }
+    MACI_Unlock(hs);
+    return newKey;
+}
+
+FortezzaKey *NewUnwrappedKey(int inKeyRegister, int id,
+			     FortezzaSocket *inSocket) {
+    FortezzaKey *newKey;
+
+    newKey = (FortezzaKey*)PORT_Alloc (sizeof(FortezzaKey));
+    if (newKey == NULL) {
+        return NULL;
+    }
+ 
+    newKey->keyRegister = inKeyRegister;
+    newKey->keyType     = UNWRAP;
+    newKey->keySocket   = inSocket;
+    newKey->id          = id;
+    newKey->hitCount    = inSocket->hitCount++; 
+    MACI_WrapKey(inSocket->maciSession,0 , inKeyRegister, newKey->keyData.mek);
+    inSocket->keyRegisters[inKeyRegister] = newKey;
+
+    return newKey;
+}
+
+int LoadKeyIntoRegister (FortezzaKey *inKey) {
+    int              registerIndex = GetBestKeyRegister(inKey->keySocket);
+    FortezzaSocket  *socket        = inKey->keySocket;
+    FortezzaKey    **registers     = socket->keyRegisters;
+    HSESSION         hs            = socket->maciSession;
+    FortezzaTEK     *tek           = &inKey->keyData.tek;
+    FortezzaKey     *oldKey;
+    int              rv = CI_FAIL;
+
+    if (inKey->keyRegister != KeyNotLoaded) {
+        return inKey->keyRegister;
+    }
+
+    oldKey = registers[registerIndex];
+
+    MACI_Select(hs, socket->slotID);
+    if (oldKey) {
+        oldKey->keyRegister = KeyNotLoaded;
+    }
+    MACI_DeleteKey (hs, registerIndex);
+
+    switch (inKey->keyType) {
+    case TEK:
+        if (!FortezzaIsRegenerating(inKey)) {
+	  return KeyNotLoaded;
+	}
+        if (MACI_SetPersonality(hs, tek->registerIndex) == CI_OK) {
+	    rv = MACI_GenerateTEK (hs, tek->flags, registerIndex, 
+				   tek->Ra, tek->Rb, tek->ySize, 
+				   tek->pY);   
+	} 
+	if (rv != CI_OK)
+	    return KeyNotLoaded;
+	break;
+    case MEK:
+    case UNWRAP:
+        rv = MACI_UnwrapKey (hs, 0, registerIndex, inKey->keyData.mek);
+	if (rv != CI_OK) 
+	    return KeyNotLoaded;
+	break;
+    default:
+        return KeyNotLoaded;
+    }
+    inKey->keyRegister = registerIndex;
+    registers[registerIndex] = inKey;
+ 
+    return registerIndex;
+}
+
+int InitCryptoOperation (FortezzaContext *inContext, 
+			 CryptoType inCryptoOperation) {
+    inContext->cryptoOperation = inCryptoOperation;
+    return SOCKET_SUCCESS;
+}
+
+int EndCryptoOperation (FortezzaContext *inContext, 
+			CryptoType inCryptoOperation) {
+    if (inCryptoOperation != inContext->cryptoOperation) {
+      return SOCKET_FAILURE;
+    }
+    inContext->cryptoOperation = None;
+    return SOCKET_SUCCESS;
+}
+
+CryptoType GetCryptoOperation (FortezzaContext *inContext) {
+    return inContext->cryptoOperation;
+}
+
+void InitContext(FortezzaContext *inContext, FortezzaSocket *inSocket,
+		 CK_OBJECT_HANDLE hKey) {
+    inContext->fortezzaKey     = NULL;
+    inContext->fortezzaSocket  = inSocket;
+    inContext->session         = NULL;
+    inContext->mechanism       = NO_MECHANISM;
+    inContext->userRamSize     = 0;
+    inContext->cryptoOperation = None;
+    inContext->hKey            = hKey;
+}
+
+extern PRBool fort11_FortezzaIsUserCert(unsigned char *label);
+
+static int
+GetValidPersonality (FortezzaSocket *inSocket) {
+    int index = -1; /* return an invalid personalidyt if one isn't found */
+    int i;
+    PRBool unLoadList = PR_FALSE;
+    int numPersonalities = 0;
+
+    if (!inSocket->personalitiesLoaded) {
+        numPersonalities = inSocket->numPersonalities;
+        FetchPersonalityList (inSocket);
+	unLoadList = PR_TRUE;
+    }
+
+    for (i=0; i<inSocket->numPersonalities; i++) {
+        if (fort11_FortezzaIsUserCert(inSocket->personalityList[i].CertLabel)) {
+	    index = inSocket->personalityList[i].CertificateIndex;
+	    break;
+	}
+    }
+
+    if (unLoadList) {
+        UnloadPersonalityList(inSocket);
+	/* UnloadPersonality sets numPersonalities to zero,
+	 * so we set it back to what it was when this function
+	 * was called.
+	 */
+	inSocket->numPersonalities = numPersonalities;
+    }
+    return index;
+}
+
+int RestoreState (FortezzaContext *inContext, CryptoType inType) {
+    FortezzaKey    *key    = inContext->fortezzaKey;
+    FortezzaSocket *socket = inContext->fortezzaSocket;
+    HSESSION        hs     = socket->maciSession; 
+    CI_IV           bogus_iv;
+    int             rv, cryptoType = -1;
+    int             personality = inContext->fortezzaKey->id;
+
+    if (key == NULL)
+        return SOCKET_FAILURE;
+
+    if (personality == 0) {
+        personality = GetValidPersonality (socket);
+    }
+    rv = MACI_SetPersonality(hs, personality);
+    if (rv != CI_OK) {
+        return SOCKET_FAILURE;
+    }
+    /*
+     * The cards need to have some state bits set because
+     * save and restore don't necessarily save all the state.
+     * Instead of fixing the cards, they decided to change the
+     * protocol :(.
+     */
+    switch (inType) {
+    case Encrypt:
+        rv = MACI_SetKey(hs, key->keyRegister);
+	if (rv != CI_OK)
+	    break;
+	rv = MACI_GenerateIV (hs, bogus_iv);
+	cryptoType = CI_ENCRYPT_EXT_TYPE;
+	break;
+    case Decrypt:
+	rv = MACI_SetKey(hs, key->keyRegister);
+        rv = MACI_LoadIV (hs, inContext->cardIV);
+	cryptoType = CI_DECRYPT_EXT_TYPE;
+	break;
+    default:
+      rv = CI_INV_POINTER;
+      break;
+    }
+
+    if (rv != CI_OK) {
+        return SOCKET_FAILURE;
+    }
+    /*PORT_Assert(cryptoType != -1); */
+
+    rv = MACI_Restore(hs, cryptoType, inContext->cardState);
+    if (rv != CI_OK) {
+        return SOCKET_FAILURE;
+    }
+
+    return SOCKET_SUCCESS;
+}
+
+int SaveState (FortezzaContext *inContext, CI_IV inIV, 
+	       PK11Session *inSession, FortezzaKey *inKey,
+	       int inCryptoType, CK_MECHANISM_TYPE inMechanism){
+    int             ciRV;
+    FortezzaSocket *socket = inContext->fortezzaSocket;
+    HSESSION        hs     = socket->maciSession;
+    CI_CONFIG       ciConfig;
+
+    ciRV = MACI_Select (hs, socket->slotID);
+    if (ciRV != CI_OK) {
+        return SOCKET_FAILURE;
+    }
+    inContext->session     = inSession;
+    inContext->fortezzaKey = inKey;
+    inContext->mechanism   = inMechanism;
+    PORT_Memcpy (inContext->cardIV, inIV, sizeof (CI_IV));
+    ciRV = MACI_Save(hs, inCryptoType, inContext->cardState);
+    if (ciRV != CI_OK) {
+        return SOCKET_FAILURE;
+    }
+    ciRV = MACI_GetConfiguration (hs, &ciConfig);
+    if (ciRV == CI_OK) {
+      inContext->userRamSize = ciConfig.LargestBlockSize;
+    }
+
+    if (inContext->userRamSize == 0) inContext->userRamSize = 0x4000;
+    
+    return SOCKET_SUCCESS;
+}
+
+int SocketSaveState (FortezzaContext *inContext, int inCryptoType) {
+    int ciRV;
+
+    ciRV = MACI_Save (inContext->fortezzaSocket->maciSession, inCryptoType, 
+		      inContext->cardState);
+    if (ciRV != CI_OK) {
+        return SOCKET_FAILURE;
+    }
+    return SOCKET_SUCCESS;
+}
+
+int DecryptData (FortezzaContext *inContext, 
+		 CK_BYTE_PTR inData,
+		 CK_ULONG inDataLen, 
+		 CK_BYTE_PTR inDest, 
+		 CK_ULONG inDestLen) {
+    FortezzaSocket *socket = inContext->fortezzaSocket;
+    FortezzaKey    *key    = inContext->fortezzaKey;
+    HSESSION        hs     = socket->maciSession;
+    CK_ULONG        defaultEncryptSize;
+    CK_ULONG        left = inDataLen;
+    CK_BYTE_PTR    loopin, loopout;
+    int             rv = CI_OK;    
+    
+    MACI_Select (hs, socket->slotID);
+
+    defaultEncryptSize = (inContext->userRamSize > DEF_ENCRYPT_SIZE) 
+                          ? DEF_ENCRYPT_SIZE : inContext->userRamSize;
+
+    if (key->keyRegister == KeyNotLoaded) {
+        rv = LoadKeyIntoRegister(key);
+	if (rv == KeyNotLoaded) {
+	    return SOCKET_FAILURE;
+	}
+    }
+
+    key->hitCount = socket->hitCount++;
+    loopin  = inData; 
+    loopout = inDest;
+    left    = inDataLen;
+    rv = CI_OK;
+
+    MACI_Lock(hs, CI_BLOCK_LOCK_FLAG);
+    RestoreState (inContext, Decrypt);
+
+    while ((left > 0) && (rv  == CI_OK)) {
+        CK_ULONG current = (left > defaultEncryptSize) 
+	                         ? defaultEncryptSize : left;
+	rv = MACI_Decrypt(hs, current, loopin, loopout);
+	loopin  += current;
+	loopout += current;
+	left    -= current;
+    }
+
+    MACI_Unlock(hs);
+
+    if (rv != CI_OK) {
+        return SOCKET_FAILURE;
+    }
+
+
+    rv = SocketSaveState (inContext, CI_DECRYPT_EXT_TYPE);
+    if (rv != SOCKET_SUCCESS) {
+      return rv;
+    }
+
+
+    return SOCKET_SUCCESS;
+}
+
+int EncryptData (FortezzaContext *inContext, 
+		 CK_BYTE_PTR inData,
+		 CK_ULONG inDataLen, 
+		 CK_BYTE_PTR inDest, 
+		 CK_ULONG inDestLen) {
+    FortezzaSocket *socket = inContext->fortezzaSocket;
+    FortezzaKey    *key    = inContext->fortezzaKey;
+    HSESSION        hs     = socket->maciSession;
+    CK_ULONG        defaultEncryptSize;
+    CK_ULONG        left = inDataLen;
+    CK_BYTE_PTR    loopin, loopout;
+    int             rv = CI_OK;
+    
+    MACI_Select (hs, socket->slotID);
+
+    defaultEncryptSize = (inContext->userRamSize > DEF_ENCRYPT_SIZE) 
+                          ? DEF_ENCRYPT_SIZE : inContext->userRamSize;
+    if (key->keyRegister == KeyNotLoaded) {
+        rv = LoadKeyIntoRegister(key);
+	if (rv == KeyNotLoaded) {
+	    return rv;
+	}
+    }
+
+    key->hitCount = socket->hitCount++;
+    loopin  = inData;
+    loopout = inDest;
+
+    RestoreState (inContext,Encrypt);
+
+    rv = CI_OK;
+    while ((left > 0) && (rv == CI_OK)) {
+      CK_ULONG current = (left > defaultEncryptSize) ? defaultEncryptSize : 
+	                                               left;
+      rv = MACI_Encrypt(hs, current, loopin, loopout);
+      loopin  += current;
+      loopout += current; 
+      left    -= current;
+    }
+
+    if (rv != CI_OK) {
+        return SOCKET_FAILURE;
+    }
+
+    rv = SocketSaveState (inContext, CI_ENCRYPT_EXT_TYPE);
+    if (rv != SOCKET_SUCCESS) {
+      return rv;
+    }
+
+    return SOCKET_SUCCESS;
+}
+
+int WrapKey (FortezzaKey *wrappingKey, FortezzaKey *srcKey,
+	     CK_BYTE_PTR pDest, CK_ULONG ulDestLen) {
+    int ciRV;
+    HSESSION hs = wrappingKey->keySocket->maciSession;
+
+    if (wrappingKey->keyRegister == KeyNotLoaded) {
+      if (LoadKeyIntoRegister(wrappingKey) == KeyNotLoaded) {
+	  return SOCKET_FAILURE;
+      }
+    }
+
+    if (srcKey->id == 0) srcKey->id = wrappingKey->id;
+
+    ciRV = MACI_WrapKey (hs, wrappingKey->keyRegister, 
+			 srcKey->keyRegister, pDest);
+    if (ciRV != CI_OK) {
+        return SOCKET_FAILURE;
+    }
+
+    return SOCKET_SUCCESS;
+}
+
+int UnwrapKey (CK_BYTE_PTR inWrappedKey, FortezzaKey *inUnwrapKey) {
+    int newIndex;
+    int ciRV;
+    FortezzaSocket *socket = inUnwrapKey->keySocket;
+    HSESSION        hs     = socket->maciSession;
+    FortezzaKey    *oldKey;
+
+    if (inUnwrapKey->keyRegister == KeyNotLoaded) {
+        if (LoadKeyIntoRegister(inUnwrapKey) == KeyNotLoaded) {
+	    return KeyNotLoaded;
+	}
+    }
+
+    ciRV = MACI_Select(hs, socket->slotID);
+    if (ciRV != CI_OK) {
+        return KeyNotLoaded;
+    }
+
+    newIndex = GetBestKeyRegister(inUnwrapKey->keySocket);
+    oldKey = socket->keyRegisters[newIndex];
+
+    MACI_Select(hs, socket->slotID);
+    if (oldKey) {
+        oldKey->keyRegister = KeyNotLoaded;
+        socket->keyRegisters[newIndex] = NULL;
+    }
+    MACI_DeleteKey (hs, newIndex);
+    ciRV = MACI_UnwrapKey(hs,inUnwrapKey->keyRegister, newIndex, inWrappedKey);
+    if (ciRV != CI_OK) {
+        inUnwrapKey->keyRegister = KeyNotLoaded;
+	socket->keyRegisters[newIndex] = NULL;
+        return KeyNotLoaded;
+    }
+    
+    return newIndex;
+}
+
diff --git a/security/nss/lib/fortcrypt/fortinst.htm b/security/nss/lib/fortcrypt/fortinst.htm
new file mode 100644
index 000000000..649012c82
--- /dev/null
+++ b/security/nss/lib/fortcrypt/fortinst.htm
@@ -0,0 +1,161 @@
+<HTML>
+<TITLE>Generic PKCS #11 Installer</TITLE>
+<--
+   - The contents of this file are subject to the Mozilla Public
+   - License Version 1.1 (the "License"); you may not use this file
+   - except in compliance with the License. You may obtain a copy of
+   - the License at http://www.mozilla.org/MPL/
+   - 
+   - Software distributed under the License is distributed on an "AS
+   - IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+   - implied. See the License for the specific language governing
+   - rights and limitations under the License.
+   - 
+   - The Original Code is the Netscape security libraries.
+   - 
+   - The Initial Developer of the Original Code is Netscape
+   - Communications Corporation.  Portions created by Netscape are 
+   - Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+   - Rights Reserved.
+   - 
+   - Contributor(s):
+   - 
+   - Alternatively, the contents of this file may be used under the
+   - terms of the GNU General Public License Version 2 or later (the
+   - "GPL"), in which case the provisions of the GPL are applicable 
+   - instead of those above.  If you wish to allow use of your 
+   - version of this file only under the terms of the GPL and not to
+   - allow others to use your version of this file under the MPL,
+   - indicate your decision by deleting the provisions above and
+   - replace them with the notice and other provisions required by
+   - the GPL.  If you do not delete the provisions above, a recipient
+   - may use your version of this file under either the MPL or the
+   - GPL.
+-->
+
+<SCRIPT>
+// Crypto Mechanism Flags 
+PKCS11_MECH_RSA_FLAG           =  0x1<<0; 
+PKCS11_MECH_DSA_FLAG           =  0x1<<1; 
+PKCS11_MECH_RC2_FLAG           =  0x1<<2; 
+PKCS11_MECH_RC4_FLAG           =  0x1<<3; 
+PKCS11_MECH_DES_FLAG           =  0x1<<4; 
+PKCS11_MECH_DH_FLAG            =  0x1<<5; //Diffie-Hellman 
+PKCS11_MECH_SKIPJACK_FLAG      =  0x1<<6; //SKIPJACK algorithm as in Fortezza cards 
+PKCS11_MECH_RC5_FLAG           =  0x1<<7; 
+PKCS11_MECH_SHA1_FLAG          =  0x1<<8; 
+PKCS11_MECH_MD5_FLAG           =  0x1<<9; 
+PKCS11_MECH_MD2_FLAG           =  0x1<<10; 
+PKCS11_MECH_RANDOM_FLAG        =  0x1<<27; //Random number generator 
+PKCS11_PUB_READABLE_CERT_FLAG  =  0x1<<28; //Stored certs can be read off the token w/o logging in 
+PKCS11_DISABLE_FLAG            =  0x1<<30; //tell Navigator to disable this slot by default 
+
+// Important: 
+// 0x1<<11, 0x1<<12, ... , 0x1<<26, 0x1<<29, and 0x1<<31 are reserved 
+// for internal use in Navigator. 
+// Therefore, these bits should always be set to 0; otherwise, 
+// Navigator might exhibit unpredictable behavior. 
+
+// These flags indicate which mechanisms should be turned on by 
+pkcs11MechanismFlags = 0;
+  
+
+// Ciphers that support SSL or S/MIME 
+PKCS11_CIPHER_FORTEZZA_FLAG    = 0x1<<0; 
+
+// Important: 
+// 0x1<<1, 0x1<<2, ... , 0x1<<31 are reserved 
+// for internal use in Navigator. 
+// Therefore, these bits should ALWAYS be set to 0; otherwise, 
+// Navigator might exhibit unpredictable behavior. 
+
+// These flags indicate which SSL ciphers are supported 
+pkcs11CipherFlags = PKCS11_CIPHER_FORTEZZA_FLAG; 
+  
+
+// Return values of pkcs11.addmodule() & pkcs11.delmodule() 
+// success codes 
+JS_OK_ADD_MODULE                 = 3 // Successfully added a module 
+JS_OK_DEL_EXTERNAL_MODULE        = 2 // Successfully deleted ext. module 
+JS_OK_DEL_INTERNAL_MODULE        = 1 // Successfully deleted int. module 
+
+// failure codes 
+JS_ERR_OTHER                     = -1 // Other errors than the followings 
+JS_ERR_USER_CANCEL_ACTION        = -2 // User abort an action 
+JS_ERR_INCORRECT_NUM_OF_ARGUMENTS= -3 // Calling a method w/ incorrect # of arguments 
+JS_ERR_DEL_MODULE                = -4 // Error deleting a module 
+JS_ERR_ADD_MODULE                = -5 // Error adding a module 
+JS_ERR_BAD_MODULE_NAME           = -6 // The module name is invalid 
+JS_ERR_BAD_DLL_NAME              = -7 // The DLL name is bad 
+JS_ERR_BAD_MECHANISM_FLAGS       = -8 // The mechanism flags are invalid 
+JS_ERR_BAD_CIPHER_ENABLE_FLAGS   = -9 // The SSL, S/MIME cipher flags are invalid 
+
+var new_window;
+var has_new_window = 0;
+
+function HandleCipher(checkBox) {
+	if (checkBox.checked) {
+		pkcs11MechanismFlags |= checkBox.value;
+	} else {
+		pkcs11MechanismFlags &= ~checkBox.value;
+	}
+}
+
+function HandleSSL(checkBox) {
+	if (checkBox.checked) {
+		pkcs11CipherFlags |= checkBox.value;
+	} else {
+		pkcs11CipherFlags &= ~checkBox.value;
+	}
+}
+
+function colonize(string) {
+	len = string.length;
+	end = len -1;
+
+	if (len == 0) return string;
+
+
+	for (i=0; i < len; i++) {
+	   if (string.charAt(i) == "/") {
+		if (i == 0) {
+		    new_string = ":" + string.substring(1,len);
+		} else if (i == end) {
+		    new_string = string.substring(0,i)+':';
+		} else {
+		    new_string = string.substring(0,i)+':'+
+						string.substring(i+1,len);
+		}
+		string = new_string;
+	   }
+	}
+
+	if (string.charAt(0) == ":") string = string.substring(1,len);
+	return string;
+}
+
+function DoInstall(name,module) {
+	if ((navigator.platform == "MacPPC") 
+			|| (navigator.platform == "Mac68K")) {
+	    module = colonize(module);
+	}
+	result = pkcs11.addmodule(name, module, 
+			pkcs11MechanismFlags, pkcs11CipherFlags); 
+	if ( result < 0) { 
+	  window.alert("New module setup failed.  Error code: " + result); 
+	}
+	if (has_new_window) new_window.close();
+}
+
+default_name = "Netscape FORTEZZA Module"
+
+default_module = "D:/dogbert/ns/dist/WIN32_D.OBJ/bin/fort32.dll"
+document.writeln("<FORM name=instform target=_self> <H2>FORTEZZA PKCS #11 Installer version 1.5</H2>");
+document.writeln(" Module name: <Input Type=Text Name=modName value=\""+default_name+"\" size=50 required><br>");
+document.writeln(" Module Library: <Input Type=FILE required Name=module><br>");
+document.writeln("<i>Note: If you use the browse button, be sure to change the filter to show all the files (*), not just the HTML files (*.html).</i><p>");
+document.writeln("<hr>");
+document.write("<Input type=submit Name=Install Value=Install onclick=DoInstall(");
+document.writeln(  "document.instform.modName.value,document.instform.module.value) >");
+document.writeln("</FORM>");
+</SCRIPT>
diff --git a/security/nss/lib/fortcrypt/fortpk11.c b/security/nss/lib/fortcrypt/fortpk11.c
new file mode 100644
index 000000000..e28fd7909
--- /dev/null
+++ b/security/nss/lib/fortcrypt/fortpk11.c
@@ -0,0 +1,4553 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * This file implements PKCS 11 for FORTEZZA using MACI
+ *   drivers.  Except for the Mac.  They only have CI libraries, so
+ *   that's what we use there.
+ *
+ *   For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
+ *
+ *   This implementations queries the MACI to figure out how 
+ *    many slots exist on a given system.  There is an artificial boundary
+ *    of 32 slots, because allocating slots dynamically caused memory
+ *    problems in the client when first this module was first developed.
+ *    Some how the heap was being corrupted and we couldn't find out where.
+ *    Subsequent attempts to allocate dynamic memory caused no problem.
+ *
+ *   In this implementation, session objects are only visible to the session
+ *   that created or generated them.
+ */
+
+#include "fpkmem.h"
+#include "seccomon.h"
+#include "fpkcs11.h"
+#include "fpkcs11i.h"
+#include "cryptint.h"
+#include "pk11func.h"
+#include "fortsock.h"
+#include "fmutex.h"
+#ifdef notdef
+#include <ctype.h>
+#include <stdio.h>
+#endif
+
+/* sigh */
+#ifndef EOF
+/* stdio was not included */
+extern int sprintf(char *out, char *fmt, ...);
+#endif
+
+#ifdef XP_MAC 
+#ifndef __POWERPC__
+#include <A4Stuff.h>
+#endif
+
+
+/* This is not a 4.0 project, so I can't depend on
+ * 4.0 defines, so instead I depend on CodeWarrior 
+ * defines.  I define XP_MAC in fpkmem.h
+ */
+#if __POWERPC__
+#elif __CFM68K__
+#else
+/* These include are taken fromn npmac.cpp which are used
+ * by the plugin group to properly set-up a plug-in for 
+ * dynamic loading on 68K.
+ */
+
+#include <Quickdraw.h>
+
+/*
+** The Mixed Mode procInfos defined in npupp.h assume Think C-
+** style calling conventions.  These conventions are used by
+** Metrowerks with the exception of pointer return types, which
+** in Metrowerks 68K are returned in A0, instead of the standard
+** D0. Thus, since NPN_MemAlloc and NPN_UserAgent return pointers,
+** Mixed Mode will return the values to a 68K plugin in D0, but 
+** a 68K plugin compiled by Metrowerks will expect the result in
+** A0.  The following pragma forces Metrowerks to use D0 instead.
+*/
+#ifdef __MWERKS__
+#ifndef powerc
+#pragma pointers_in_D0
+#endif
+#endif
+
+#ifdef __MWERKS__
+#ifndef powerc
+#pragma pointers_in_A0
+#endif
+#endif
+
+/* The following fix for static initializers fixes a previous
+** incompatibility with some parts of PowerPlant.
+*/
+#ifdef __MWERKS__
+#ifdef __cplusplus
+    extern "C" {
+#endif
+#ifndef powerc
+    extern void	__InitCode__(void);
+#else
+    extern void __sinit(void);
+#endif
+    extern void	__destroy_global_chain(void);
+#ifdef __cplusplus
+    }
+#endif /* __cplusplus */
+#endif /* __MWERKS__ */
+
+#endif
+#endif
+
+
+typedef struct {
+   unsigned char *data;
+   int len;
+} CertItem;
+
+
+/*
+ * ******************** Static data *******************************
+ */
+
+/* The next three strings must be exactly 32 characters long */
+static char *manufacturerID      = "Netscape Communications Corp    ";
+static char *libraryDescription  = "Communicator Fortezza Crypto Svc";
+
+typedef enum {DSA_KEY, KEA_KEY, V1_KEY, INVALID_KEY } PrivKeyType;
+
+static PK11Slot           fort11_slot[NUM_SLOTS];
+static FortezzaSocket     fortezzaSockets[NUM_SLOTS];
+static PRBool             init = PR_FALSE;
+static CK_ULONG           kNumSockets    = 0;
+
+#define __PASTE(x,y)    x##y
+ 
+ 
+#undef CK_FUNC
+#undef CK_EXTERN
+#undef CK_NEED_ARG_LIST
+#undef _CK_RV
+
+#define fort11_attr_expand(ap) (ap)->type,(ap)->pValue,(ap)->ulValueLen
+#define fort11_SlotFromSession  pk11_SlotFromSession
+#define fort11_isToken          pk11_isToken
+
+static CK_FUNCTION_LIST fort11_funcList = {
+    { 2, 1 },
+ 
+#undef CK_FUNC
+#undef CK_EXTERN
+#undef CK_NEED_ARG_LIST
+#undef _CK_RV
+ 
+#define CK_EXTERN
+#define CK_FUNC(name) name,
+#define _CK_RV
+ 
+#include "fpkcs11f.h"
+ 
+};
+ 
+#undef CK_FUNC
+#undef CK_EXTERN
+#undef _CK_RV
+ 
+ 
+#undef __PASTE
+#undef pk11_SlotFromSessionHandle
+#undef pk11_SlotFromID
+
+#define MAJOR_VERSION_MASK 0xFF00
+#define MINOR_VERSION_MASK 0x00FF
+
+/* Mechanisms */
+struct mechanismList {
+    CK_MECHANISM_TYPE	type;
+    CK_MECHANISM_INFO	domestic;
+    PRBool              privkey; 
+};
+
+static struct mechanismList mechanisms[] = {
+     {CKM_DSA,              {512,1024,CKF_SIGN},                 PR_TRUE},
+     {CKM_SKIPJACK_KEY_GEN, {92, 92, CKF_GENERATE},              PR_TRUE},
+     {CKM_SKIPJACK_CBC64,   {92, 92, CKF_ENCRYPT | CKF_DECRYPT}, PR_TRUE},
+     {CKM_SKIPJACK_WRAP,    {92, 92, CKF_WRAP},                  PR_TRUE},
+     {CKM_KEA_KEY_DERIVE,   {128, 128, CKF_DERIVE},              PR_TRUE},
+};
+static CK_ULONG mechanismCount = sizeof(mechanisms)/sizeof(mechanisms[0]);
+
+/*************Static function prototypes********************************/
+static PRBool          fort11_isTrue(PK11Object *object,CK_ATTRIBUTE_TYPE type);
+static void            fort11_FreeAttribute(PK11Attribute *attribute);
+static void            fort11_DestroyAttribute(PK11Attribute *attribute);
+static PK11Object*     fort11_NewObject(PK11Slot *slot);
+static PK11FreeStatus  fort11_FreeObject(PK11Object *object);
+static CK_RV           fort11_AddAttributeType(PK11Object *object,
+					     CK_ATTRIBUTE_TYPE type,
+					     void *valPtr,
+					     CK_ULONG length);
+static void            fort11_AddSlotObject(PK11Slot *slot, PK11Object *object);
+static PK11Attribute*  fort11_FindAttribute(PK11Object *object,
+					  CK_ATTRIBUTE_TYPE type);
+static PK11Attribute*  fort11_NewAttribute(CK_ATTRIBUTE_TYPE type, 
+					 CK_VOID_PTR value, CK_ULONG len);
+static void            fort11_DeleteAttributeType(PK11Object *object,
+						CK_ATTRIBUTE_TYPE type);
+static void            fort11_AddAttribute(PK11Object *object,
+					 PK11Attribute *attribute);
+static void            fort11_AddObject(PK11Session *session, 
+				      PK11Object *object);
+static PK11Object *    fort11_ObjectFromHandle(CK_OBJECT_HANDLE handle, 
+					     PK11Session *session);
+static void            fort11_DeleteObject(PK11Session *session,PK11Object *object);
+static CK_RV           fort11_DestroyObject(PK11Object *object);
+void   fort11_FreeSession(PK11Session *session);
+
+#define FIRST_SLOT_SESS_ID   0x00000100L
+#define ADD_NEXT_SESS_ID     0x00000100L
+#define SLOT_MASK            0x000000FFL
+
+#define FAILED CKR_FUNCTION_FAILED
+
+static void
+fort11_FreeFortezzaKey (void *inFortezzaKey) {
+    RemoveKey ((FortezzaKey*) inFortezzaKey);
+}
+
+static void
+fort11_DestroySlotObjects (PK11Slot *slot, PK11Session *session) {
+    PK11Object *currObject, *nextObject = NULL, *oldObject;
+    int i;
+
+    for (i=0; i<HASH_SIZE; i++) {
+      currObject = slot->tokObjects[i];
+      slot->tokObjects[i] = NULL;
+      do {
+	  FMUTEX_Lock(slot->sessionLock);
+
+	  if (currObject) {
+	      nextObject = currObject->next;
+	      FMUTEX_Lock(currObject->refLock);
+	      currObject->refCount++;
+	      FMUTEX_Unlock(currObject->refLock);
+	      fort11_DeleteObject(session, currObject);
+	  }
+	  FMUTEX_Unlock(slot->sessionLock);
+	  if (currObject) {
+	      oldObject = currObject;
+	      currObject = nextObject;
+	      fort11_FreeObject(oldObject);
+	  }
+      } while (currObject != NULL);
+    }
+}
+
+static void
+fort11_TokenRemoved(PK11Slot *slot, PK11Session *session) {
+    FortezzaSocket *socket = &fortezzaSockets[slot->slotID-1];
+
+    LogoutFromSocket (socket);
+    slot->isLoggedIn = PR_FALSE;
+    if (session && session->notify) { 
+        /*If no session pointer exists, lots of leaked memory*/
+        session->notify (session->handle, CKN_SURRENDER,
+			 session->appData);
+	fort11_FreeSession(session); /* Release the reference held
+				      * by the slot with the session
+				      */
+    }
+
+    fort11_DestroySlotObjects(slot, session);
+    fort11_FreeSession(session); /* Release the reference held
+				  * by the slot with the session
+				  */
+
+    /* All keys will have been freed at this point so we can
+     * NULL out this pointer
+     */
+    socket->keys = NULL;
+
+}
+
+PRBool
+fort11_FortezzaIsUserCert(unsigned char * label) {
+
+    if ( (!PORT_Memcmp(label, "KEAK", 4)) ||   /* v3 user certs */
+         (!PORT_Memcmp(label, "DSA1", 4)) ||
+	 (!PORT_Memcmp(label, "DSAI", 4)) ||
+         (!PORT_Memcmp(label, "DSAO", 4)) ||
+         (!PORT_Memcmp(label, "INKS", 4)) ||   /* v1 user certs */ 
+         (!PORT_Memcmp(label, "INKX", 4)) ||
+         (!PORT_Memcmp(label, "ONKS", 4)) ||
+         (!PORT_Memcmp(label, "ONKX", 4)) ||
+         (!PORT_Memcmp(label, "3IXS", 4)) ||   /* old v3 user certs */
+         (!PORT_Memcmp(label, "3OXS", 4)) ||
+         (!PORT_Memcmp(label, "3IKX", 4)) ) {  
+
+         return PR_TRUE;
+
+    } else { return PR_FALSE; }
+    
+}
+
+static PRBool
+fort11_FortezzaIsACert(unsigned char * label) {
+    if (label == NULL) return PR_FALSE;
+
+    if ( (!PORT_Memcmp(label, "DSA1", 4)) ||   /* v3 certs */
+         (!PORT_Memcmp(label, "DSAI", 4)) ||
+	 (!PORT_Memcmp(label, "DSAO", 4)) || 
+         (!PORT_Memcmp(label, "DSAX", 4)) ||
+         (!PORT_Memcmp(label, "KEAK", 4)) ||
+         (!PORT_Memcmp(label, "KEAX", 4)) ||
+         (!PORT_Memcmp(label, "CAX1", 4)) ||
+         (!PORT_Memcmp(label, "PCA1", 4)) ||
+         (!PORT_Memcmp(label, "PAA1", 4)) ||
+         (!PORT_Memcmp(label, "ICA1", 4)) ||
+
+         (!PORT_Memcmp(label, "3IXS", 4)) ||   /* old v3 certs */    
+         (!PORT_Memcmp(label, "3OXS", 4)) ||    
+         (!PORT_Memcmp(label, "3CAX", 4)) ||
+         (!PORT_Memcmp(label, "3IKX", 4)) ||
+         (!PORT_Memcmp(label, "3PCA", 4)) ||
+         (!PORT_Memcmp(label, "3PAA", 4)) ||
+         (!PORT_Memcmp(label, "3ICA", 4)) ||
+
+         (!PORT_Memcmp(label, "INKS", 4)) ||   /* v1 certs */    
+         (!PORT_Memcmp(label, "INKX", 4)) ||
+         (!PORT_Memcmp(label, "ONKS", 4)) ||
+         (!PORT_Memcmp(label, "ONKX", 4)) ||
+         (!PORT_Memcmp(label, "RRXX", 4)) ||
+         (!PORT_Memcmp(label, "RTXX", 4)) ||
+         (!PORT_Memcmp(label, "LAXX", 4)) ) {  
+
+         return PR_TRUE;
+
+    } 
+
+    return PR_FALSE; 
+}
+ 
+static 
+int fort11_cert_length(unsigned char *buf, int length) {
+    unsigned char tag;
+    int used_length= 0;
+    int data_length;
+
+    tag = buf[used_length++];
+
+    /* blow out when we come to the end */
+    if (tag == 0) {
+	return 0;
+    }
+
+    data_length = buf[used_length++];
+
+    if (data_length&0x80) {
+	int  len_count = data_length & 0x7f;
+
+	data_length = 0;
+
+	while (len_count-- > 0) {
+	    data_length = (data_length << 8) | buf[used_length++];
+	} 
+    }
+
+    if (data_length > (length-used_length) ) {
+	return length;
+    }
+
+    return (data_length + used_length);	
+}
+
+unsigned char *fort11_data_start(unsigned char *buf, int length, 
+				 int *data_length, PRBool includeTag) {
+    unsigned char tag;
+    int used_length= 0;
+
+    tag = buf[used_length++];
+
+    /* blow out when we come to the end */
+    if (tag == 0) {
+	return NULL;
+    }
+
+    *data_length = buf[used_length++];
+
+    if (*data_length&0x80) {
+	int  len_count = *data_length & 0x7f;
+
+	*data_length = 0;
+
+	while (len_count-- > 0) {
+	    *data_length = (*data_length << 8) | buf[used_length++];
+	} 
+    }
+
+    if (*data_length > (length-used_length) ) {
+	*data_length = length-used_length;
+	return NULL;
+    }
+    if (includeTag) *data_length += used_length;
+
+    return (buf + (includeTag ? 0 : used_length));	
+}
+
+int
+fort11_GetCertFields(unsigned char *cert,int cert_length,CertItem *issuer,
+		     CertItem *serial,CertItem *subject)
+{
+	unsigned char *buf;
+	int buf_length;
+	unsigned char *date;
+	int datelen;
+
+	/* get past the signature wrap */
+	buf = fort11_data_start(cert,cert_length,&buf_length,PR_FALSE);
+	if (buf == NULL) return FAILED;
+	/* get into the raw cert data */
+	buf = fort11_data_start(buf,buf_length,&buf_length,PR_FALSE);
+	if (buf == NULL) return FAILED;
+	/* skip past any optional version number */
+        if ((buf[0] & 0xa0) == 0xa0) {
+            date = fort11_data_start(buf,buf_length,&datelen,PR_FALSE);
+            if (date == NULL) return FAILED;
+            buf_length -= (date-buf) + datelen;
+            buf = date + datelen;
+        }
+        /* serial number */
+	serial->data = fort11_data_start(buf,buf_length,&serial->len,PR_FALSE);
+	if (serial->data == NULL) return FAILED;
+	buf_length -= (serial->data-buf) + serial->len;
+	buf = serial->data + serial->len;
+	/* skip the OID */
+	date = fort11_data_start(buf,buf_length,&datelen,PR_FALSE);
+	if (date == NULL) return FAILED;
+	buf_length -= (date-buf) + datelen;
+	buf = date + datelen;
+	/* issuer */
+	issuer->data = fort11_data_start(buf,buf_length,&issuer->len,PR_TRUE);
+	if (issuer->data == NULL) return FAILED;
+	buf_length -= (issuer->data-buf) + issuer->len;
+	buf = issuer->data + issuer->len;
+	/* skip the date */
+	date = fort11_data_start(buf,buf_length,&datelen,PR_FALSE);
+	if (date == NULL) return FAILED;
+	buf_length -= (date-buf) + datelen;
+	buf = date + datelen;
+	/*subject */
+	subject->data=fort11_data_start(buf,buf_length,&subject->len,PR_TRUE);
+	if (subject->data == NULL) return FAILED;
+	buf_length -= (subject->data-buf) + subject->len;
+	buf = subject->data +subject->len;
+	/*subject */
+	return CKR_OK;
+}
+
+/* quick tohex function to get rid of scanf */
+static
+int fort11_tohex(char *s) {
+    int val = 0;
+
+    for(;*s;s++) {
+	if ((*s >= '0') && (*s <= '9')) {
+	    val = (val << 4) + (*s - '0');
+	    continue;
+	} else if ((*s >= 'a') && (*s <= 'f')) {
+	    val = (val << 4) + (*s - 'a') + 10;
+	    continue;
+	} else if ((*s >= 'A') && (*s <= 'F')) {
+	    val = (val << 4) + (*s - 'A') + 10;
+	    continue;
+	}
+	break;
+    }
+    return val;
+}
+
+/* only should be called for V3 KEA cert labels. */
+
+static int
+fort11_GetSibling(CI_CERT_STR label)  {
+
+	int value = 0;
+        char s[3];
+
+        label +=4;
+
+        strcpy(s,"00");
+        memcpy(s, label, 2);
+	value = fort11_tohex(s);
+        
+	/*  sibling of 255 means no sibling */
+        if (value == 255) {
+	    value = -1;
+	}
+
+	return value;
+}
+
+
+static PrivKeyType
+fort11_GetKeyType(CI_CERT_STR label) { 
+    if (label == NULL) return INVALID_KEY;
+
+    if ( (!PORT_Memcmp(label, "DSA1", 4)) ||   /* v3 certs */ 
+         (!PORT_Memcmp(label, "DSAI", 4)) ||
+	 (!PORT_Memcmp(label, "DSAO", 4)) ||
+         (!PORT_Memcmp(label, "3IXS", 4)) ||   /* old v3 certs */ 
+         (!PORT_Memcmp(label, "3OXS", 4)) ) {
+
+        return DSA_KEY;
+    }
+
+
+    if ( (!PORT_Memcmp(label, "KEAK", 4)) || 
+         (!PORT_Memcmp(label, "3IKX", 4)) ) {
+        return KEA_KEY;
+    }
+ 
+    if ( (!PORT_Memcmp(label, "INKS", 4)) ||  /* V1 Certs*/
+         (!PORT_Memcmp(label, "INKX", 4)) ||
+         (!PORT_Memcmp(label, "ONKS", 4)) ||
+         (!PORT_Memcmp(label, "ONKX", 4)) ||  
+         (!PORT_Memcmp(label, "RRXX", 4)) ||
+         (!PORT_Memcmp(label, "RTXX", 4)) ||
+         (!PORT_Memcmp(label, "LAXX", 4)) ) { 
+
+         return V1_KEY;
+    }
+
+    return INVALID_KEY;
+} 
+
+static CK_RV
+fort11_ConvertToDSAKey(PK11Object *privateKey, PK11Slot *slot) {
+    CK_KEY_TYPE     key_type  = CKK_DSA;
+    CK_BBOOL        cktrue    = TRUE;
+    CK_BBOOL        ckfalse   = FALSE;
+    CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY;
+    CK_CHAR         label[]   = "A DSA Private Key";
+
+
+    /* Fill in the common Default values */
+    if (fort11_AddAttributeType(privateKey,CKA_START_DATE, NULL, 0) != CKR_OK) {
+	return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey,CKA_END_DATE, NULL, 0) != CKR_OK) {
+	return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey,CKA_SUBJECT, NULL, 0) != CKR_OK) {
+	return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey, CKA_CLASS, &privClass, 
+			      sizeof (CK_OBJECT_CLASS)) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey, CKA_KEY_TYPE, &key_type, 
+			      sizeof(CK_KEY_TYPE)) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType (privateKey, CKA_TOKEN, &cktrue, 
+			      sizeof (CK_BBOOL)) != CKR_OK) {
+       return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType (privateKey, CKA_LABEL, label,
+			       PORT_Strlen((char*)label)) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey, CKA_SENSITIVE, &cktrue, 
+			      sizeof (CK_BBOOL)) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey, CKA_SIGN, &cktrue, 
+			      sizeof (CK_BBOOL)) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+
+    if (fort11_AddAttributeType(privateKey, CKA_DERIVE, &cktrue,
+			      sizeof(cktrue)) != CKR_OK) {
+	return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey, CKA_LOCAL, &ckfalse,
+			      sizeof(ckfalse)) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey, CKA_DECRYPT, &ckfalse,
+			      sizeof(ckfalse)) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey, CKA_SIGN_RECOVER, &ckfalse,
+			      sizeof(ckfalse)) != CKR_OK) {
+ 	return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey, CKA_UNWRAP, &ckfalse,
+			      sizeof(ckfalse)) != CKR_OK) {
+ 	return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey, CKA_EXTRACTABLE, &ckfalse,
+			      sizeof(ckfalse))  != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey, CKA_ALWAYS_SENSITIVE, &cktrue,
+			      sizeof(cktrue)) != CKR_OK) {
+       return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey, CKA_NEVER_EXTRACTABLE, &cktrue,
+			      sizeof(ckfalse)) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey, CKA_PRIME, NULL, 0) != CKR_OK){
+        return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey, CKA_SUBPRIME, NULL, 0) != CKR_OK){
+        return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey, CKA_BASE, NULL, 0) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey, CKA_VALUE, NULL, 0) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey, CKA_PRIVATE, &cktrue,
+			      sizeof(cktrue)) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey, CKA_MODIFIABLE,&ckfalse,
+			      sizeof(ckfalse)) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+
+    FMUTEX_Lock(slot->objectLock);
+    privateKey->handle = slot->tokenIDCount++;
+    privateKey->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_PRIV);
+    FMUTEX_Unlock(slot->objectLock);
+    privateKey->objclass = privClass;
+    privateKey->slot = slot;
+    privateKey->inDB = PR_TRUE;
+
+
+    return CKR_OK;
+}
+
+static int
+fort11_LoadRootPAAKey(PK11Slot *slot, PK11Session *session) {
+    CK_OBJECT_CLASS theClass   = CKO_SECRET_KEY;
+    int              id      = 0;
+    CK_BBOOL         True    = TRUE;
+    CK_BBOOL          False   = FALSE;
+    CK_CHAR          label[] = "Trusted Root PAA Key";
+    PK11Object      *rootKey;
+    FortezzaKey     *newKey;
+    FortezzaSocket *socket  = &fortezzaSockets[slot->slotID-1];
+    
+    /*Don't know the key type.  Does is matter?*/
+
+    rootKey = fort11_NewObject(slot);
+
+    if (rootKey == NULL) {
+        return CKR_HOST_MEMORY;
+    }
+
+    if (fort11_AddAttributeType(rootKey, CKA_CLASS, &theClass,
+			      sizeof(theClass)) != CKR_OK) {
+	return CKR_GENERAL_ERROR;
+    }
+
+    if (fort11_AddAttributeType(rootKey, CKA_TOKEN, &True,
+			      sizeof(True)) != CKR_OK) {        
+	return CKR_GENERAL_ERROR;
+    }
+
+    if (fort11_AddAttributeType(rootKey, CKA_LABEL, label,
+			      sizeof(label)) != CKR_OK) {
+	return CKR_GENERAL_ERROR;
+    }
+
+    if (fort11_AddAttributeType(rootKey, CKA_PRIVATE, &True,
+			      sizeof (True)) != CKR_OK) {
+	return CKR_GENERAL_ERROR;
+    }
+
+    if (fort11_AddAttributeType(rootKey,CKA_MODIFIABLE, &False, 
+			      sizeof(False)) != CKR_OK) {
+	return CKR_GENERAL_ERROR;
+    }
+    
+    if (fort11_AddAttributeType(rootKey, CKA_ID, &id,
+			      sizeof(int)) != CKR_OK) {
+	return CKR_GENERAL_ERROR;
+    }
+
+    if (fort11_AddAttributeType(rootKey, CKA_DERIVE, &True,
+			      sizeof(True)) != CKR_OK) {
+	return CKR_GENERAL_ERROR;
+    }
+
+    if (fort11_AddAttributeType(rootKey, CKA_SENSITIVE, &True,
+			      sizeof(True)) != CKR_OK) {
+	return CKR_GENERAL_ERROR;
+    }
+
+    FMUTEX_Lock(slot->objectLock);
+    rootKey->handle = slot->tokenIDCount++;
+    rootKey->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_PRIV);
+    FMUTEX_Unlock(slot->objectLock);
+
+    rootKey->objclass = theClass;
+    rootKey->slot = slot;
+    rootKey->inDB = PR_TRUE;
+
+    newKey = NewFortezzaKey(socket, Ks, NULL, 0);
+    if (newKey == NULL) {
+        fort11_FreeObject(rootKey);
+        return CKR_HOST_MEMORY;
+    }
+
+    rootKey->objectInfo = (void*)newKey;
+    rootKey->infoFree   = fort11_FreeFortezzaKey;
+    fort11_AddObject(session, rootKey);
+
+    return CKR_OK;
+}
+
+static CK_RV
+fort11_ConvertToKEAKey (PK11Object *privateKey, PK11Slot *slot) {
+    CK_OBJECT_CLASS theClass   = CKO_PRIVATE_KEY;
+    CK_KEY_TYPE     keyType = CKK_KEA;
+    CK_CHAR         label[] = "A KEA private key Object";
+    CK_BBOOL        True    = TRUE;
+    CK_BBOOL        False   = FALSE;
+
+    if (fort11_AddAttributeType(privateKey, CKA_CLASS, &theClass,
+			      sizeof (CK_OBJECT_CLASS)) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey, CKA_KEY_TYPE, &keyType,
+			      sizeof (CK_KEY_TYPE)) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey, CKA_TOKEN, &True, 
+			      sizeof(CK_BBOOL)) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType (privateKey, CKA_LABEL, label,
+			       PORT_Strlen((char*)label)) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType (privateKey, CKA_SENSITIVE, 
+			       &True, sizeof(CK_BBOOL)) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }    
+    if (fort11_AddAttributeType (privateKey, CKA_DERIVE, 
+			       &True, sizeof(CK_BBOOL)) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey, CKA_PRIVATE, &True,
+			      sizeof(True)) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey, CKA_START_DATE, NULL, 0) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    } 
+    if (fort11_AddAttributeType(privateKey, CKA_END_DATE, NULL, 0) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+    if (fort11_AddAttributeType(privateKey, CKA_LOCAL, &False,
+			      sizeof(False)) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+
+    FMUTEX_Lock(slot->objectLock);
+    privateKey->handle = slot->tokenIDCount++;
+    privateKey->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_PRIV);
+    FMUTEX_Unlock(slot->objectLock);
+    privateKey->objclass = theClass;
+    privateKey->slot = slot;
+    privateKey->inDB = PR_TRUE;
+
+    return CKR_OK;
+}
+
+static CK_RV
+fort11_ConvertToV1Key (PK11Object* privateKey, PK11Slot *slot) {
+    CK_RV    rv;
+    CK_BBOOL True = TRUE;
+
+    rv = fort11_ConvertToDSAKey(privateKey, slot);
+    if (rv != CKR_OK) {
+        return rv;
+    }
+
+    if (fort11_AddAttributeType(privateKey, CKA_DERIVE, &True, 
+			      sizeof (CK_BBOOL)) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+
+    return CKR_OK;
+}
+
+static CK_RV
+fort11_NewPrivateKey(PK11Object *privKeyObject, PK11Slot *slot,CI_PERSON currPerson) {
+  PrivKeyType keyType = fort11_GetKeyType(currPerson.CertLabel);
+  CK_RV       rv;
+
+  switch (keyType) {
+  case DSA_KEY:
+    rv = fort11_ConvertToDSAKey(privKeyObject, slot);
+    break;
+  case KEA_KEY:
+    rv = fort11_ConvertToKEAKey(privKeyObject, slot);
+    break;
+  case V1_KEY:
+    rv = fort11_ConvertToV1Key(privKeyObject, slot);
+    break;
+  default:
+    rv = CKR_GENERAL_ERROR;
+    break;
+  }
+  return rv;
+}
+
+
+PRBool
+fort11_LoadCertObjectForSearch(CI_PERSON currPerson, PK11Slot *slot, 
+			PK11Session *session, CI_PERSON *pers_array) {
+    PK11Object          *certObject, *privKeyObject;
+    PK11Attribute       *attribute, *newAttribute;
+    int                  ci_rv;
+    CI_CERTIFICATE       cert;
+    CK_OBJECT_CLASS      certClass = CKO_CERTIFICATE;
+    CK_CERTIFICATE_TYPE  certType  = CKC_X_509;
+    CK_BBOOL             cktrue    = TRUE;
+    CK_BBOOL             ckfalse   = FALSE;
+    CertItem             issuer, serial, subject;
+    int			 certSize;
+    char                 nickname[50];
+    char                *cursor; 
+    PrivKeyType		 priv_key;
+    int			 sibling;
+  
+
+    certObject = fort11_NewObject(slot);
+    if (certObject == NULL)
+        return PR_FALSE;
+
+    ci_rv = MACI_GetCertificate (fortezzaSockets[slot->slotID-1].maciSession,
+				 currPerson.CertificateIndex, cert);
+    if (ci_rv != CI_OK){
+        fort11_FreeObject(certObject);
+	return PR_FALSE;
+    }
+
+    ci_rv = fort11_GetCertFields(cert,CI_CERT_SIZE,&issuer,&serial,&subject);
+
+    if (ci_rv != CKR_OK) {
+        fort11_FreeObject(certObject);
+	return PR_FALSE;
+    }
+
+    if (fort11_AddAttributeType(certObject, CKA_CLASS, &certClass,
+			      sizeof (CK_OBJECT_CLASS)) != CKR_OK) {
+        fort11_FreeObject (certObject);
+	return PR_FALSE;
+    }
+    if (fort11_AddAttributeType(certObject, CKA_TOKEN, &cktrue,
+			      sizeof (CK_BBOOL)) != CKR_OK) {
+        fort11_FreeObject(certObject);
+	return PR_FALSE;
+    }
+    if (fort11_AddAttributeType(certObject, CKA_PRIVATE, &ckfalse,
+			      sizeof (CK_BBOOL)) != CKR_OK) {
+        fort11_FreeObject(certObject);
+	return PR_FALSE;
+    }
+
+    
+    /* check if the label represents a KEA key. if so, the
+       nickname should be made the same as the corresponding DSA
+       sibling cert. */
+        
+    priv_key = fort11_GetKeyType(currPerson.CertLabel);
+
+    if (priv_key == KEA_KEY) {
+	sibling = fort11_GetSibling(currPerson.CertLabel);
+
+	/* check for failure of fort11_GetSibling.  also check that
+	   the sibling is not zero.  */
+
+	if (sibling > 0) {
+	    /* assign the KEA cert label to be the same as the
+	       sibling DSA label */
+
+	    sprintf (nickname, "%s", &pers_array[sibling-1].CertLabel[8] );
+	} else {
+	    sprintf (nickname, "%s", &currPerson.CertLabel[8]);
+	}
+    } else {
+        sprintf (nickname, "%s", &currPerson.CertLabel[8]);
+    }
+
+    cursor = nickname+PORT_Strlen(nickname)-1;
+    while ((*cursor) == ' ') {
+        cursor--;
+    }
+    cursor[1] = '\0';
+    if (fort11_AddAttributeType(certObject, CKA_LABEL, nickname,
+			      PORT_Strlen(nickname)) != CKR_OK) {
+        fort11_FreeObject(certObject);
+	return PR_FALSE;
+    }
+
+ 
+
+    if (fort11_AddAttributeType(certObject, CKA_CERTIFICATE_TYPE, &certType,
+			      sizeof(CK_CERTIFICATE_TYPE)) != CKR_OK) {
+        fort11_FreeObject(certObject);
+	return PR_FALSE;
+    }
+    certSize = fort11_cert_length(cert,CI_CERT_SIZE);
+    if (fort11_AddAttributeType (certObject, CKA_VALUE, cert, certSize)
+	                                                        != CI_OK) {
+        fort11_FreeObject(certObject);
+	return PR_FALSE;
+    }
+    if (fort11_AddAttributeType(certObject, CKA_ISSUER, issuer.data,
+			  issuer.len) != CKR_OK) {
+        fort11_FreeObject (certObject);
+	return PR_FALSE;
+    }
+    if (fort11_AddAttributeType(certObject, CKA_SUBJECT, subject.data,
+			      subject.len) != CKR_OK) {
+        fort11_FreeObject (certObject);
+	return PR_FALSE;
+    }
+    if (fort11_AddAttributeType(certObject, CKA_SERIAL_NUMBER,
+			      serial.data, serial.len) != CKR_OK) {
+        fort11_FreeObject(certObject);
+	return PR_FALSE;
+    }
+    /*Change this to a byte array later*/
+    if (fort11_AddAttributeType(certObject, CKA_ID, 
+				&currPerson.CertificateIndex,
+				sizeof(int)) != CKR_OK) {
+        fort11_FreeObject(certObject);
+	return PR_FALSE;
+    }
+    certObject->objectInfo = NULL;
+    certObject->infoFree   = NULL;
+
+    certObject->objclass = certClass;
+    certObject->slot  = slot;
+    certObject->inDB  = PR_TRUE;
+
+    FMUTEX_Lock(slot->objectLock);
+      
+    certObject->handle  = slot->tokenIDCount++;
+    certObject->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_CERT);
+
+    FMUTEX_Unlock(slot->objectLock);
+
+    if (fort11_FortezzaIsUserCert (currPerson.CertLabel)) {
+        privKeyObject = fort11_NewObject(slot);
+        if (fort11_NewPrivateKey(privKeyObject, slot, currPerson) != CKR_OK) {
+	    fort11_FreeObject(privKeyObject);
+	    fort11_FreeObject(certObject);
+	    return PR_FALSE;
+	}
+	if(fort11_AddAttributeType(privKeyObject,CKA_ID,
+				 &currPerson.CertificateIndex,
+				 sizeof(int)) != CKR_OK) {
+	    fort11_FreeObject(privKeyObject);
+	    fort11_FreeObject(certObject);
+	    return PR_FALSE;
+	}	    
+	attribute = fort11_FindAttribute(certObject,CKA_SUBJECT);
+	newAttribute=
+	  fort11_NewAttribute(pk11_attr_expand(&attribute->attrib));
+	fort11_FreeAttribute(attribute);
+	if (newAttribute != NULL) {
+	    fort11_DeleteAttributeType(privKeyObject,
+				     CKA_SUBJECT);
+	    fort11_AddAttribute(privKeyObject,
+			      newAttribute);
+	}
+	fort11_AddObject (session, privKeyObject);
+    }
+
+
+    fort11_AddObject (session, certObject);
+
+    
+    return PR_TRUE;
+}
+
+#define TRUSTED_PAA "00000000Trusted Root PAA"
+
+static int
+fort11_BuildCertObjects(FortezzaSocket *currSocket, PK11Slot *slot, 
+		       PK11Session *session) {
+		       
+    int i;
+    CI_PERSON rootPAA;
+
+    PORT_Memcpy (rootPAA.CertLabel, TRUSTED_PAA, 1+PORT_Strlen (TRUSTED_PAA));
+    rootPAA.CertificateIndex = 0;
+
+    if (!fort11_LoadCertObjectForSearch(rootPAA, slot, session, 
+				 currSocket->personalityList)) {
+        return CKR_GENERAL_ERROR;
+    }
+
+    if (fort11_LoadRootPAAKey(slot, session) != CKR_OK) {
+        return CKR_GENERAL_ERROR;
+    }
+
+    for (i=0 ; i < currSocket->numPersonalities; i++) {
+        if (fort11_FortezzaIsACert (currSocket->personalityList[i].CertLabel)){
+	    if (!fort11_LoadCertObjectForSearch(currSocket->personalityList[i],
+						slot, session, 
+						currSocket->personalityList)){
+	        return CKR_GENERAL_ERROR;
+	}
+      }
+    }
+
+    return CKR_OK;
+}
+
+PK11Slot*
+fort11_SlotFromSessionHandle(CK_SESSION_HANDLE inHandle) {
+ CK_SESSION_HANDLE whichSlot = inHandle & SLOT_MASK;
+
+ if (whichSlot >= kNumSockets) return NULL_PTR;
+
+ return &fort11_slot[whichSlot];
+}
+
+PK11Slot* 
+fort11_SlotFromID (CK_SLOT_ID inSlotID) {
+  if (inSlotID == 0 || inSlotID > kNumSockets)
+    return NULL;
+
+  return &fort11_slot[inSlotID-1];
+}
+
+CK_ULONG fort11_firstSessionID (int inSlotNum) {
+        return (CK_ULONG)(inSlotNum);
+}
+
+/*
+ * Utility to convert passed in PIN to a CI_PIN
+ */
+void fort11_convertToCIPin (CI_PIN ciPin,CK_CHAR_PTR pPin, CK_ULONG ulLen) {
+  unsigned long i;
+
+  for (i=0; i<ulLen; i++) {
+    ciPin[i] = pPin[i];
+  }
+  ciPin[ulLen] = '\0';
+}
+
+
+/*
+ * return true if object has attribute
+ */
+static PRBool
+fort11_hasAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type) {
+    PK11Attribute *attribute;
+
+    FMUTEX_Lock(object->attributeLock);
+    pk11queue_find(attribute,type,object->head,HASH_SIZE);
+    FMUTEX_Unlock(object->attributeLock);
+
+    return (PRBool)(attribute != NULL);
+}
+
+/*
+ * create a new attribute with type, value, and length. Space is allocated
+ * to hold value.
+ */
+static PK11Attribute *
+fort11_NewAttribute(CK_ATTRIBUTE_TYPE type, CK_VOID_PTR value, CK_ULONG len) {
+    PK11Attribute *attribute;
+    CK_RV mrv;
+
+    attribute = (PK11Attribute*)PORT_Alloc(sizeof(PK11Attribute));
+    if (attribute == NULL) return NULL;
+
+    attribute->attrib.type = type;
+    if (value) {
+	attribute->attrib.pValue = (CK_VOID_PTR)PORT_Alloc(len);
+	if (attribute->attrib.pValue == NULL) {
+	    PORT_Free(attribute);
+	    return NULL;
+	}
+	PORT_Memcpy(attribute->attrib.pValue,value,len);
+	attribute->attrib.ulValueLen = len;
+    } else {
+	attribute->attrib.pValue = NULL;
+	attribute->attrib.ulValueLen = 0;
+    }
+    attribute->handle = type;
+    attribute->next = attribute->prev = NULL;
+    attribute->refCount = 1;
+    if (FMUTEX_MutexEnabled()) {
+        mrv = FMUTEX_Create (&attribute->refLock);
+	if (mrv != CKR_OK) {
+	    if (attribute->attrib.pValue) PORT_Free(attribute->attrib.pValue);
+	    PORT_Free(attribute);
+	    return NULL;
+	}
+    } else {
+        attribute->refLock = NULL;
+    }
+
+    return attribute;
+}
+
+/*
+ * add an attribute to an object
+ */
+static
+void fort11_AddAttribute(PK11Object *object,PK11Attribute *attribute) {
+    FMUTEX_Lock (object->attributeLock);
+    pk11queue_add(attribute,attribute->handle,object->head,HASH_SIZE);
+    FMUTEX_Unlock(object->attributeLock);
+}
+
+static CK_RV
+fort11_AddAttributeType(PK11Object *object,CK_ATTRIBUTE_TYPE type,void *valPtr,
+							CK_ULONG length) {
+    PK11Attribute *attribute;
+    attribute = fort11_NewAttribute(type,valPtr,length);
+    if (attribute == NULL) { return CKR_HOST_MEMORY; }
+    fort11_AddAttribute(object,attribute);
+    return CKR_OK;
+}
+
+
+
+/* Make sure a given attribute exists. If it doesn't, initialize it to
+ * value and len
+ */
+static CK_RV
+fort11_forceAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type,void *value,
+							unsigned int len) {
+    if ( !fort11_hasAttribute(object, type)) {
+	return fort11_AddAttributeType(object,type,value,len);
+    }
+    return CKR_OK;
+}
+
+/*
+ * look up and attribute structure from a type and Object structure.
+ * The returned attribute is referenced and needs to be freed when 
+ * it is no longer needed.
+ */
+static PK11Attribute *
+fort11_FindAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type) {
+    PK11Attribute *attribute;
+
+    FMUTEX_Lock(object->attributeLock);
+    pk11queue_find(attribute,type,object->head,HASH_SIZE);
+    if (attribute) {
+	/* atomic increment would be nice here */
+        FMUTEX_Lock(attribute->refLock);
+	attribute->refCount++;
+	FMUTEX_Unlock(attribute->refLock);
+    }
+    FMUTEX_Unlock(object->attributeLock);
+
+    return(attribute);
+}
+
+/*
+ * this is only valid for CK_BBOOL type attributes. Return the state
+ * of that attribute.
+ */
+static PRBool
+fort11_isTrue(PK11Object *object,CK_ATTRIBUTE_TYPE type) {
+    PK11Attribute *attribute;
+    PRBool tok = PR_FALSE;
+
+    attribute=fort11_FindAttribute(object,type);
+    if (attribute == NULL) { return PR_FALSE; }
+    tok = (PRBool)(*(CK_BBOOL *)attribute->attrib.pValue);
+    fort11_FreeAttribute(attribute);
+
+    return tok;
+}
+
+/*
+ * add an object to a slot and session queue
+ */
+static
+void fort11_AddSlotObject(PK11Slot *slot, PK11Object *object) {
+    FMUTEX_Lock(slot->objectLock);
+    pk11queue_add(object,object->handle,slot->tokObjects,HASH_SIZE);
+    FMUTEX_Unlock(slot->objectLock);
+}
+
+static
+void fort11_AddObject(PK11Session *session, PK11Object *object) {
+    PK11Slot *slot = fort11_SlotFromSession(session);
+
+    if (!fort11_isToken(object->handle)) {
+        FMUTEX_Lock(session->objectLock);
+	pk11queue_add(&object->sessionList,0,session->objects,0);
+	FMUTEX_Unlock(session->objectLock);
+    }
+    fort11_AddSlotObject(slot,object);
+} 
+
+/*
+ * free all the data associated with an object. Object reference count must
+ * be 'zero'.
+ */
+static CK_RV
+fort11_DestroyObject(PK11Object *object) {
+    int i;
+    CK_RV crv = CKR_OK;
+/*    PORT_Assert(object->refCount == 0);*/
+
+    if (object->label) PORT_Free(object->label);
+
+    /* clean out the attributes */
+    /* since no one is referencing us, it's safe to walk the chain
+     * without a lock */
+    for (i=0; i < HASH_SIZE; i++) {
+	PK11Attribute *ap,*next;
+	for (ap = object->head[i]; ap != NULL; ap = next) {
+	    next = ap->next;
+	    /* paranoia */
+	    ap->next = ap->prev = NULL;
+	    fort11_FreeAttribute(ap);
+	}
+	object->head[i] = NULL;
+    }
+    FMUTEX_Destroy(object->attributeLock);
+    FMUTEX_Destroy(object->refLock);
+    if (object->objectInfo) {
+	(*object->infoFree)(object->objectInfo);
+    }
+    PORT_Free(object);
+    return crv;
+}
+
+
+/*
+ * release a reference to an attribute structure
+ */
+static void
+fort11_FreeAttribute(PK11Attribute *attribute) {
+    PRBool destroy = PR_FALSE;
+
+    FMUTEX_Lock(attribute->refLock);
+    if (attribute->refCount == 1) destroy = PR_TRUE;
+    attribute->refCount--;
+    FMUTEX_Unlock(attribute->refLock);
+
+    if (destroy) fort11_DestroyAttribute(attribute);
+}
+
+
+/*
+ * release a reference to an object handle
+ */
+static PK11FreeStatus
+fort11_FreeObject(PK11Object *object) {
+    PRBool destroy = PR_FALSE;
+    CK_RV crv;
+
+    FMUTEX_Lock(object->refLock);
+    if (object->refCount == 1) destroy = PR_TRUE;
+    object->refCount--;
+    FMUTEX_Unlock(object->refLock);
+      
+    if (destroy) {
+      crv = fort11_DestroyObject(object);
+      if (crv != CKR_OK) {
+	return PK11_DestroyFailure;
+      } 
+      return PK11_Destroyed;
+    }
+    return PK11_Busy;
+}
+
+static void
+fort11_update_state(PK11Slot *slot,PK11Session *session) {
+    if (slot->isLoggedIn) {
+	if (slot->ssoLoggedIn) {
+    	    session->info.state = CKS_RW_SO_FUNCTIONS;
+	} else if (session->info.flags & CKF_RW_SESSION) {
+    	    session->info.state = CKS_RW_USER_FUNCTIONS;
+	} else {
+    	    session->info.state = CKS_RO_USER_FUNCTIONS;
+	}
+    } else {
+	if (session->info.flags & CKF_RW_SESSION) {
+    	    session->info.state = CKS_RW_PUBLIC_SESSION;
+	} else {
+    	    session->info.state = CKS_RO_PUBLIC_SESSION;
+	}
+    }
+}
+
+/* update the state of all the sessions on a slot */
+static void
+fort11_update_all_states(PK11Slot *slot) {
+    int i;
+    PK11Session *session;
+
+    for (i=0; i < SESSION_HASH_SIZE; i++) {
+        FMUTEX_Lock(slot->sessionLock);
+	for (session = slot->head[i]; session; session = session->next) {
+	    fort11_update_state(slot,session);
+	}
+	FMUTEX_Unlock(slot->sessionLock);
+    }
+}
+
+
+/*
+ * Create a new object
+ */
+static PK11Object *
+fort11_NewObject(PK11Slot *slot) {
+    PK11Object *object;
+    CK_RV mrv;
+    int i;
+
+    object = (PK11Object*)PORT_Alloc(sizeof(PK11Object));
+    if (object == NULL) return NULL;
+
+    object->handle = 0;
+    object->next = object->prev = NULL;
+    object->sessionList.next = NULL;
+    object->sessionList.prev = NULL;
+    object->sessionList.parent = object;
+    object->inDB = PR_FALSE;
+    object->label = NULL;
+    object->refCount = 1;
+    object->session = NULL;
+    object->slot = slot;
+    object->objclass = 0xffff;
+    if (FMUTEX_MutexEnabled()) {
+        mrv = FMUTEX_Create(&object->refLock);
+	if (mrv != CKR_OK) {
+	    PORT_Free(object);
+	    return NULL;
+	}
+	mrv = FMUTEX_Create(&object->attributeLock);
+	if (mrv != CKR_OK) {
+	    FMUTEX_Destroy(object->refLock);
+	    PORT_Free(object);
+	    return NULL;
+	}
+    } else {
+        object->attributeLock = NULL;
+	object->refLock       = NULL;
+    }   
+    for (i=0; i < HASH_SIZE; i++) {
+	object->head[i] = NULL;
+    }
+    object->objectInfo = NULL;
+    object->infoFree = NULL;
+    return object;
+}
+
+/*
+ * look up and object structure from a handle. OBJECT_Handles only make
+ * sense in terms of a given session.  make a reference to that object
+ * structure returned.
+ */
+static PK11Object * fort11_ObjectFromHandle(CK_OBJECT_HANDLE handle, 
+					    PK11Session *session) {
+    PK11Object **head;
+    void *lock;
+    PK11Slot *slot = fort11_SlotFromSession(session);
+    PK11Object *object;
+
+    /*
+     * Token objects are stored in the slot. Session objects are stored
+     * with the session.
+     */
+    head = slot->tokObjects;
+    lock = slot->objectLock;
+
+    FMUTEX_Lock(lock);
+    pk11queue_find(object,handle,head,HASH_SIZE);
+    if (object) {
+        FMUTEX_Lock(object->refLock);
+	object->refCount++;
+	FMUTEX_Unlock(object->refLock);
+    }
+    FMUTEX_Unlock(lock);
+
+    return(object);
+}
+
+/*
+ * add an object to a slot andsession queue
+ */
+static
+void fort11_DeleteObject(PK11Session *session, PK11Object *object) {
+    PK11Slot *slot;
+    
+    if (session == NULL) 
+        return;
+    slot = fort11_SlotFromSession(session);
+    if (!fort11_isToken(object->handle)) {
+        FMUTEX_Lock(session->objectLock);
+	pk11queue_delete(&object->sessionList,0,session->objects,0);
+	FMUTEX_Unlock(session->objectLock);
+    }
+    FMUTEX_Lock(slot->objectLock);
+    pk11queue_delete(object,object->handle,slot->tokObjects,HASH_SIZE);
+    FMUTEX_Unlock(slot->objectLock);
+    fort11_FreeObject(object);
+}
+
+
+
+/*
+ * ******************** Search Utilities *******************************
+ */
+
+/* add an object to a search list */
+CK_RV
+fort11_AddToList(PK11ObjectListElement **list,PK11Object *object) {
+     PK11ObjectListElement *newelem = 
+	(PK11ObjectListElement *)PORT_Alloc(sizeof(PK11ObjectListElement));
+
+     if (newelem == NULL) return CKR_HOST_MEMORY;
+
+     newelem->next = *list;
+     newelem->object = object;
+     FMUTEX_Lock(object->refLock);
+     object->refCount++;
+     FMUTEX_Unlock(object->refLock);
+
+    *list = newelem;
+    return CKR_OK;
+}
+
+
+/*
+ * free a single list element. Return the Next object in the list.
+ */
+PK11ObjectListElement *
+fort11_FreeObjectListElement(PK11ObjectListElement *objectList) {
+    PK11ObjectListElement *ol = objectList->next;
+
+    fort11_FreeObject(objectList->object);
+    PORT_Free(objectList);
+    return ol;
+}
+
+/* free an entire object list */
+void
+fort11_FreeObjectList(PK11ObjectListElement *objectList) {
+    PK11ObjectListElement *ol;
+
+    for (ol= objectList; ol != NULL; ol = fort11_FreeObjectListElement(ol)) {}
+}
+
+/*
+ * free a search structure
+ */
+void
+fort11_FreeSearch(PK11SearchResults *search) {
+    if (search->handles) {
+	PORT_Free(search->handles);
+    }
+    PORT_Free(search);
+}
+
+
+/*
+ * Free up all the memory associated with an attribute. Reference count
+ * must be zero to call this.
+ */
+static void
+fort11_DestroyAttribute(PK11Attribute *attribute) {
+    /*PORT_Assert(attribute->refCount == 0);*/
+    FMUTEX_Destroy(attribute->refLock);
+    if (attribute->attrib.pValue) {
+	 /* clear out the data in the attribute value... it may have been
+	  * sensitive data */
+	 PORT_Memset(attribute->attrib.pValue,0,attribute->attrib.ulValueLen);
+	 PORT_Free(attribute->attrib.pValue);
+    }
+    PORT_Free(attribute);
+}
+        
+/*
+ * delete an attribute from an object
+ */
+static void
+fort11_DeleteAttribute(PK11Object *object, PK11Attribute *attribute) {
+    FMUTEX_Lock(object->attributeLock);
+    if (attribute->next || attribute->prev) {
+	pk11queue_delete(attribute,attribute->handle,
+						object->head,HASH_SIZE);
+    }
+    FMUTEX_Unlock(object->attributeLock);
+    fort11_FreeAttribute(attribute);
+}
+
+/*
+ * decode when a particular attribute may be modified
+ * 	PK11_NEVER: This attribute must be set at object creation time and
+ *  can never be modified.
+ *	PK11_ONCOPY: This attribute may be modified only when you copy the
+ *  object.
+ *	PK11_SENSITIVE: The CKA_SENSITIVE attribute can only be changed from
+ *  FALSE to TRUE.
+ *	PK11_ALWAYS: This attribute can always be modified.
+ * Some attributes vary their modification type based on the class of the 
+ *   object.
+ */
+PK11ModifyType
+fort11_modifyType(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass) {
+    /* if we don't know about it, user user defined, always allow modify */
+    PK11ModifyType mtype = PK11_ALWAYS; 
+
+    switch(type) {
+    /* NEVER */
+    case CKA_CLASS:
+    case CKA_CERTIFICATE_TYPE:
+    case CKA_KEY_TYPE:
+    case CKA_MODULUS:
+    case CKA_MODULUS_BITS:
+    case CKA_PUBLIC_EXPONENT:
+    case CKA_PRIVATE_EXPONENT:
+    case CKA_PRIME:
+    case CKA_SUBPRIME:
+    case CKA_BASE:
+    case CKA_PRIME_1:
+    case CKA_PRIME_2:
+    case CKA_EXPONENT_1:
+    case CKA_EXPONENT_2:
+    case CKA_COEFFICIENT:
+    case CKA_VALUE_LEN:
+	mtype = PK11_NEVER;
+	break;
+
+    /* ONCOPY */
+    case CKA_TOKEN:
+    case CKA_PRIVATE:
+	mtype = PK11_ONCOPY;
+	break;
+
+    /* SENSITIVE */
+    case CKA_SENSITIVE:
+	mtype = PK11_SENSITIVE;
+	break;
+
+    /* ALWAYS */
+    case CKA_LABEL:
+    case CKA_APPLICATION:
+    case CKA_ID:
+    case CKA_SERIAL_NUMBER:
+    case CKA_START_DATE:
+    case CKA_END_DATE:
+    case CKA_DERIVE:
+    case CKA_ENCRYPT:
+    case CKA_DECRYPT:
+    case CKA_SIGN:
+    case CKA_VERIFY:
+    case CKA_SIGN_RECOVER:
+    case CKA_VERIFY_RECOVER:
+    case CKA_WRAP:
+    case CKA_UNWRAP:
+	mtype = PK11_ALWAYS;
+	break;
+
+    /* DEPENDS ON CLASS */
+    case CKA_VALUE:
+	mtype = (inClass == CKO_DATA) ? PK11_ALWAYS : PK11_NEVER;
+	break;
+
+    case CKA_SUBJECT:
+	mtype = (inClass == CKO_CERTIFICATE) ? PK11_NEVER : PK11_ALWAYS;
+	break;
+    default:
+	break;
+    }
+    return mtype;
+}
+
+/* decode if a particular attribute is sensitive (cannot be read
+ * back to the user of if the object is set to SENSITIVE) */
+PRBool
+fort11_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass) {
+    switch(type) {
+    /* ALWAYS */
+    case CKA_PRIVATE_EXPONENT:
+    case CKA_PRIME_1:
+    case CKA_PRIME_2:
+    case CKA_EXPONENT_1:
+    case CKA_EXPONENT_2:
+    case CKA_COEFFICIENT:
+	return PR_TRUE;
+
+    /* DEPENDS ON CLASS */
+    case CKA_VALUE:
+	/* PRIVATE and SECRET KEYS have SENSITIVE values */
+	return (PRBool)((inClass == CKO_PRIVATE_KEY) || 
+			(inClass == CKO_SECRET_KEY));
+
+    default:
+	break;
+    }
+    return PR_FALSE;
+}
+
+static void
+fort11_DeleteAttributeType(PK11Object *object,CK_ATTRIBUTE_TYPE type) {
+    PK11Attribute *attribute;
+    attribute = fort11_FindAttribute(object, type);
+    if (attribute == NULL) return ;
+    fort11_DeleteAttribute(object,attribute);
+}
+
+
+/*
+ * create a new nession. NOTE: The session handle is not set, and the
+ * session is not added to the slot's session queue.
+ */
+static PK11Session *
+fort11_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify, 
+		  CK_VOID_PTR pApplication,
+		  CK_FLAGS flags) {
+    PK11Session *session;
+    PK11Slot *slot = &fort11_slot[slotID-1];
+    CK_RV mrv;
+
+    if (slot == NULL) return NULL;
+
+    session = (PK11Session*)PORT_Alloc(sizeof(PK11Session));
+    if (session == NULL) return NULL;
+
+    session->next = session->prev = NULL;
+    session->refCount = 1;
+    session->context = NULL;
+    session->search = NULL;
+    session->objectIDCount = 1;
+    session->fortezzaContext.fortezzaKey = NULL;
+    session->fortezzaContext.fortezzaSocket = NULL;
+
+    if (FMUTEX_MutexEnabled()) {
+        mrv = FMUTEX_Create(&session->refLock);
+	if (mrv != CKR_OK) {
+	    PORT_Free(session);
+	    return NULL;
+	}
+	mrv = FMUTEX_Create(&session->objectLock);
+	if (mrv != CKR_OK) {
+	    FMUTEX_Destroy(session->refLock);
+	    PORT_Free(session);
+	    return NULL;
+	}
+    } else {
+        session->refLock    = NULL;
+	session->objectLock = NULL;
+    }
+
+    session->objects[0] = NULL;
+
+    session->slot = slot;
+    session->notify = notify;
+    session->appData = pApplication;
+    session->info.flags = flags;
+    session->info.slotID = slotID;
+    fort11_update_state(slot,session);
+    return session;
+}
+
+
+/*
+ * look up a session structure from a session handle
+ * generate a reference to it.
+ */
+PK11Session *
+fort11_SessionFromHandle(CK_SESSION_HANDLE handle, PRBool isCloseSession) {
+    PK11Slot	*slot = fort11_SlotFromSessionHandle(handle);
+    PK11Session *session;
+
+    if (!isCloseSession && 
+	!SocketStateUnchanged(&fortezzaSockets[slot->slotID-1]))
+        return NULL;
+
+    FMUTEX_Lock(slot->sessionLock);
+    pk11queue_find(session,handle,slot->head,SESSION_HASH_SIZE);
+    if (session) session->refCount++;
+    FMUTEX_Unlock(slot->sessionLock);
+
+    return (session);
+}
+
+/* free all the data associated with a session. */
+static void
+fort11_DestroySession(PK11Session *session)
+{
+    PK11ObjectList *op,*next;
+/*    PORT_Assert(session->refCount == 0);*/
+
+    /* clean out the attributes */
+    FMUTEX_Lock(session->objectLock);
+    for (op = session->objects[0]; op != NULL; op = next) {
+        next = op->next;
+        /* paranoia */
+	op->next = op->prev = NULL;
+	fort11_DeleteObject(session,op->parent);
+    }
+    FMUTEX_Unlock(session->objectLock);
+
+    FMUTEX_Destroy(session->objectLock);
+    FMUTEX_Destroy(session->refLock);
+
+    if (session->search) {
+	fort11_FreeSearch(session->search);
+    }
+
+    pk11queue_delete(session, session->handle, session->slot->head,
+		     SESSION_HASH_SIZE);
+
+    PORT_Free(session);
+}
+
+
+/*
+ * release a reference to a session handle
+ */
+void
+fort11_FreeSession(PK11Session *session) {
+    PRBool destroy = PR_FALSE;
+    PK11Slot *slot = NULL;
+
+    if (!session) return;  /*Quick fix to elminate crash*/
+                           /*Fix in later version       */
+
+    if (FMUTEX_MutexEnabled()) {
+        slot = fort11_SlotFromSession(session);
+	FMUTEX_Lock(slot->sessionLock);
+    }
+    if (session->refCount == 1) destroy = PR_TRUE;
+    session->refCount--;
+    if (FMUTEX_MutexEnabled()) {
+        FMUTEX_Unlock(slot->sessionLock);
+    }
+
+    if (destroy) {
+      fort11_DestroySession(session);
+    }
+}
+
+
+/* return true if the object matches the template */
+PRBool
+fort11_objectMatch(PK11Object *object,CK_ATTRIBUTE_PTR theTemplate,int count) {
+    int i;
+
+    for (i=0; i < count; i++) {
+	PK11Attribute *attribute = 
+	    fort11_FindAttribute(object,theTemplate[i].type);
+	if (attribute == NULL) {
+	    return PR_FALSE;
+	}
+	if (attribute->attrib.ulValueLen == theTemplate[i].ulValueLen) {
+	    if (PORT_Memcmp(attribute->attrib.pValue,theTemplate[i].pValue,
+					theTemplate[i].ulValueLen) == 0) {
+                fort11_FreeAttribute(attribute);
+		continue;
+	    }
+	}
+        fort11_FreeAttribute(attribute);
+	return PR_FALSE;
+    }
+    return PR_TRUE;
+}
+
+/* search through all the objects in the queue and return the template matches
+ * in the object list.
+ */
+CK_RV
+fort11_searchObjectList(PK11ObjectListElement **objectList,PK11Object **head,
+			void *lock, CK_ATTRIBUTE_PTR theTemplate, int count) {
+    int i;
+    PK11Object *object;
+    CK_RV rv;
+
+    for(i=0; i < HASH_SIZE; i++) {
+        /* We need to hold the lock to copy a consistant version of
+         * the linked list. */
+        FMUTEX_Lock(lock);
+	for (object = head[i]; object != NULL; object= object->next) {
+	    if (fort11_objectMatch(object,theTemplate,count)) {
+	        rv = fort11_AddToList(objectList,object);
+		if (rv != CKR_OK) {
+		    return rv;
+		}
+	    }
+	}
+	FMUTEX_Unlock(lock);
+    }
+    return CKR_OK;
+}
+
+static PRBool
+fort11_NotAllFuncsNULL (CK_C_INITIALIZE_ARGS_PTR pArgs) {
+    return (PRBool)(pArgs && pArgs->CreateMutex && pArgs->DestroyMutex &&
+		    pArgs->LockMutex   && pArgs->UnlockMutex);
+}
+
+static PRBool
+fort11_InArgCheck(CK_C_INITIALIZE_ARGS_PTR pArgs) {
+    PRBool rv;
+    /* The only check for now, is to make sure that all of the
+     * function pointers are either all NULL or all Non-NULL.
+     * We also need to make sure the pReserved field in pArgs is
+     * set to NULL.
+     */
+    if (pArgs == NULL) {
+        return  PR_TRUE; /* If the argument is NULL, no
+			  * inconsistencies can exist.
+			  */
+    }
+
+    if (pArgs->pReserved != NULL) {
+        return PR_FALSE;
+    }
+
+    if (pArgs->CreateMutex != NULL) {
+        rv = (PRBool) (pArgs->DestroyMutex != NULL &&
+		       pArgs->LockMutex    != NULL &&
+		       pArgs->UnlockMutex  != NULL);
+    } else { /*pArgs->CreateMutex == NULL*/
+        rv = (PRBool) (pArgs->DestroyMutex == NULL &&
+		       pArgs->LockMutex    == NULL &&
+		       pArgs->UnlockMutex  == NULL);
+    }
+    return rv;
+}
+
+
+
+/**********************************************************************
+ *
+ *     Start of PKCS 11 functions 
+ *
+ **********************************************************************/
+ 
+ 
+/**********************************************************************
+ *
+ * In order to get this to work on 68K, we have to do some special tricks,
+ * First trick is that we need to make the module a Code Resource, and
+ * all Code Resources on 68K have to have a main function.  So we 
+ * define main to be a wrapper for C_GetFunctionList which will be the
+ * first funnction called by any software that uses the PKCS11 module.
+ *
+ * The second trick is that whenever you access a global variable from
+ * the Code Resource, it does funny things to the stack on 68K, so we 
+ * need to call some macros that handle the stack for us.  First thing
+ * you do is call EnterCodeResource() first thing in a function that 
+ * accesses a global, right before you leave that function, you call 
+ * ExitCodeResource.  This will take care of stack management.
+ *
+ * Third trick is to call __InitCode__() when we first enter the module
+ * so that all of the global variables get initialized properly.
+ *
+ **********************************************************************/ 
+ 
+#if defined(XP_MAC) && !defined(__POWERPC__)
+
+#define FORT11_RETURN(exp)  {ExitCodeResource(); return (exp);}
+#define FORT11_ENTER() EnterCodeResource();
+
+#else /*XP_MAC*/
+
+#define FORT11_RETURN(exp)  return (exp);
+#define FORT11_ENTER() 
+
+#endif /*XP_MAC*/
+
+#define CARD_OK(rv)   if ((rv) != CI_OK) FORT11_RETURN (CKR_DEVICE_ERROR); 
+#define SLOT_OK(slot) if ((slot) > kNumSockets) FORT11_RETURN (CKR_SLOT_ID_INVALID);
+ 
+#ifdef XP_MAC 
+/* This is not a 4.0 project, so I can't depend on
+ * 4.0 defines, so instead I depend on CodeWarrior 
+ * defines.
+ */
+#if __POWERPC__
+#elif __CFM68K__
+#else
+/* To get this to work on 68K, we need to have
+ * the symbol main.  So we just make it a wrapper for C_GetFunctionList.
+ */
+PR_PUBLIC_API(CK_RV) main(CK_FUNCTION_LIST_PTR *pFunctionList) {
+    FORT11_ENTER()
+    CK_RV rv;
+  
+    __InitCode__();
+  
+    rv = C_GetFunctionList(pFunctionList);
+    FORT11_RETURN (rv);
+}
+#endif
+
+#endif /*XP_MAC*/
+
+/* Return the function list */
+PR_PUBLIC_API(CK_RV) C_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList) {
+    /* No need to do a FORT11_RETURN as this function will never be directly
+     * called in the case where we need to do stack management.  
+     * The main function will call this after taking care of stack stuff.
+     */
+    *pFunctionList = &fort11_funcList;
+    return CKR_OK;
+}
+
+
+/* C_Initialize initializes the Cryptoki library. */
+PR_PUBLIC_API(CK_RV) C_Initialize(CK_VOID_PTR pReserved) {
+    FORT11_ENTER()
+    int i,j, tempNumSockets;
+    int rv = 1;
+    CK_C_INITIALIZE_ARGS_PTR pArgs = (CK_C_INITIALIZE_ARGS_PTR)pReserved;
+    CK_RV mrv;
+
+    /* intialize all the slots */
+    if (!init) {
+      init = PR_TRUE;
+
+      /* need to initialize locks before MACI_Initialize is called in
+       * software fortezza. */
+      if (pArgs) {
+	  if (!fort11_InArgCheck(pArgs)) {
+	      FORT11_RETURN (CKR_ARGUMENTS_BAD);
+	  }
+	  if (pArgs->flags & CKF_OS_LOCKING_OK){
+	      if (!fort11_NotAllFuncsNULL(pArgs)) {
+		  FORT11_RETURN (CKR_CANT_LOCK);
+	      }
+	  }
+	  if (fort11_NotAllFuncsNULL(pArgs)) {
+	      mrv = FMUTEX_Init(pArgs);
+	      if (mrv != CKR_OK) {
+		  return CKR_GENERAL_ERROR;
+	      }
+	  }
+      }
+      rv = MACI_Initialize (&tempNumSockets);
+      kNumSockets = (CK_ULONG)tempNumSockets;
+      
+      CARD_OK (rv);
+      for (i=0; i < (int) kNumSockets; i++) {
+	if (FMUTEX_MutexEnabled()) {
+	    mrv = FMUTEX_Create(&fort11_slot[i].sessionLock);
+	    if (mrv != CKR_OK) {
+	        FORT11_RETURN (CKR_GENERAL_ERROR);
+	    }
+	    mrv = FMUTEX_Create(&fort11_slot[i].objectLock);
+	    if (mrv != CKR_OK) {
+	        FMUTEX_Destroy(fort11_slot[i].sessionLock);
+	        FORT11_RETURN (CKR_GENERAL_ERROR);
+	    }
+	} else {
+	    fort11_slot[i].sessionLock = NULL;
+	    fort11_slot[i].objectLock  = NULL;
+	}
+	for(j=0; j < SESSION_HASH_SIZE; j++) {
+	  fort11_slot[i].head[j] = NULL;
+	}
+	for(j=0; j < HASH_SIZE; j++) {
+	  fort11_slot[i].tokObjects[j] = NULL;
+	}
+	fort11_slot[i].password = NULL;
+	fort11_slot[i].hasTokens = PR_FALSE;
+	fort11_slot[i].sessionIDCount = fort11_firstSessionID (i);
+	fort11_slot[i].sessionCount = 0;
+	fort11_slot[i].rwSessionCount = 0;
+	fort11_slot[i].tokenIDCount = 1;
+	fort11_slot[i].needLogin = PR_TRUE;
+	fort11_slot[i].isLoggedIn = PR_FALSE;
+	fort11_slot[i].ssoLoggedIn = PR_FALSE;
+	fort11_slot[i].DB_loaded = PR_FALSE;
+	fort11_slot[i].slotID= i+1;
+	InitSocket(&fortezzaSockets[i], i+1);
+      }
+    }
+    FORT11_RETURN (CKR_OK);
+}
+
+/*C_Finalize indicates that an application is done with the Cryptoki library.*/
+PR_PUBLIC_API(CK_RV) C_Finalize (CK_VOID_PTR pReserved) {
+    FORT11_ENTER()
+    int i;
+
+    for (i=0; i< (int) kNumSockets; i++) {
+        FreeSocket(&fortezzaSockets[i]);
+    }
+    MACI_Terminate(fortezzaSockets[0].maciSession);
+    init = PR_FALSE;
+    FORT11_RETURN (CKR_OK);
+}
+
+
+
+
+/* C_GetInfo returns general information about Cryptoki. */
+PR_PUBLIC_API(CK_RV)  C_GetInfo(CK_INFO_PTR pInfo) {
+    FORT11_ENTER()
+    pInfo->cryptokiVersion = fort11_funcList.version;
+    PORT_Memcpy(pInfo->manufacturerID,manufacturerID,32);
+    pInfo->libraryVersion.major = 1;
+    pInfo->libraryVersion.minor = 7;
+    PORT_Memcpy(pInfo->libraryDescription,libraryDescription,32);
+    pInfo->flags = 0;
+    FORT11_RETURN (CKR_OK);
+}
+
+/* C_GetSlotList obtains a list of slots in the system. */
+PR_PUBLIC_API(CK_RV) C_GetSlotList(CK_BBOOL	   tokenPresent,
+				   CK_SLOT_ID_PTR pSlotList, 
+				   CK_ULONG_PTR   pulCount) {
+    FORT11_ENTER()
+    int i;
+
+    if (pSlotList != NULL) {
+      if (*pulCount >= kNumSockets) {
+	for (i=0; i < (int) kNumSockets; i++) {
+	  pSlotList[i] = i+1; 
+	}
+      } else {
+	FORT11_RETURN (CKR_BUFFER_TOO_SMALL); 
+      }
+    } else {
+      *pulCount = kNumSockets;
+    }
+    FORT11_RETURN (CKR_OK);
+}
+	
+/* C_GetSlotInfo obtains information about a particular slot in the system. */
+PR_PUBLIC_API(CK_RV) C_GetSlotInfo(CK_SLOT_ID       slotID, 
+				   CK_SLOT_INFO_PTR pInfo) {
+  FORT11_ENTER()
+    int        rv;
+    CI_CONFIG  ciConfig;
+    CI_STATE   ciState;
+    HSESSION   maciSession;
+    char       slotDescription[65];
+    FortezzaSocket *socket;
+    
+
+    SLOT_OK(slotID);
+    
+    socket = &fortezzaSockets[slotID-1];
+    if (!socket->isOpen) {
+        InitSocket(socket, slotID);
+    }
+    maciSession = socket->maciSession;
+
+    rv = MACI_Select(maciSession, slotID);
+
+    CARD_OK (rv)
+
+    rv = MACI_GetConfiguration (maciSession, &ciConfig);
+
+
+    pInfo->firmwareVersion.major = 0;
+    pInfo->firmwareVersion.minor = 0;
+#ifdef SWFORT
+    PORT_Memcpy (pInfo->manufacturerID,"Netscape Communications Corp    ",32);
+    PORT_Memcpy (slotDescription,"Netscape Software Slot #        ",32);
+#define _local_BASE 24
+#else
+    PORT_Memcpy (pInfo->manufacturerID,"LITRONIC                        ",32);
+    PORT_Memcpy (slotDescription,"Litronic MACI Slot #            ",32);
+#define _local_BASE 20
+#endif
+    slotDescription[_local_BASE] = (char )((slotID < 10) ? slotID : 
+							slotID/10) + '0';
+    if (slotID >= 10) slotDescription[_local_BASE+1] = 
+						(char)(slotID % 10) + '0';
+    PORT_Memcpy (&slotDescription[32],"                                ",32);
+    PORT_Memcpy (pInfo->slotDescription, slotDescription          , 64);
+    if (rv == CI_OK) {
+        pInfo->hardwareVersion.major = 
+	    (ciConfig.ManufacturerVersion & MAJOR_VERSION_MASK) >> 8;
+	pInfo->hardwareVersion.minor = 
+	    ciConfig.ManufacturerVersion & MINOR_VERSION_MASK;
+	pInfo->flags = CKF_TOKEN_PRESENT;
+    } else {
+       pInfo->hardwareVersion.major = 0;
+       pInfo->hardwareVersion.minor = 0;
+       pInfo->flags = 0;
+    }
+#ifdef SWFORT
+    /* do we need to make it a removable device as well?? */
+    pInfo->flags |= CKF_REMOVABLE_DEVICE;
+#else
+    pInfo->flags |= (CKF_REMOVABLE_DEVICE | CKF_HW_SLOT);
+#endif
+    
+    rv = MACI_GetState(maciSession, &ciState);
+ 
+    if (rv == CI_OK) {
+        switch (ciState) {
+	case CI_ZEROIZE:
+	case CI_INTERNAL_FAILURE:
+	    pInfo->flags &= (~CKF_TOKEN_PRESENT);
+	default:
+	    break;
+	}
+    } else {
+        pInfo->flags &= (~CKF_TOKEN_PRESENT);
+    }
+
+    FORT11_RETURN (CKR_OK);
+}
+
+#define CKF_THREAD_SAFE 0x8000 
+
+/* C_GetTokenInfo obtains information about a particular token
+   in the system. */
+PR_PUBLIC_API(CK_RV) C_GetTokenInfo(CK_SLOT_ID        slotID,
+				    CK_TOKEN_INFO_PTR pInfo) {
+	FORT11_ENTER()
+    CI_STATUS cardStatus;
+    CI_CONFIG ciConfig;
+    PK11Slot *slot;
+    int rv, i;
+    char tmp[33];
+    FortezzaSocket *socket;
+
+    SLOT_OK (slotID);
+    
+    slot = &fort11_slot[slotID-1];
+    
+    socket = &fortezzaSockets[slotID-1];
+    if (!socket->isOpen) {
+        InitSocket(socket, slotID);
+    }
+
+    rv = MACI_Select (socket->maciSession, slotID);
+    rv = MACI_GetStatus (socket->maciSession, &cardStatus);
+    if (rv != CI_OK) {
+        FORT11_RETURN (CKR_DEVICE_ERROR);
+    }
+
+#ifdef SWFORT
+    sprintf (tmp, "Software FORTEZZA Slot #%d", (int) slotID);
+#else
+    sprintf (tmp, "FORTEZZA Slot #%d", (int) slotID);
+#endif
+    
+    PORT_Memcpy (pInfo->label, tmp, PORT_Strlen(tmp)+1);
+
+    for (i=0; i<8; i++) {
+        int serNum;
+
+	serNum = (int)cardStatus.SerialNumber[i];
+	sprintf ((char*)&pInfo->serialNumber[2*i], "%.2x", serNum);
+    }
+
+    rv = MACI_GetTime (fortezzaSockets[slotID-1].maciSession, pInfo->utcTime);
+    if (rv == CI_OK) {
+      pInfo->flags = CKF_CLOCK_ON_TOKEN;  
+    } else {
+      switch (rv) {
+      case CI_LIB_NOT_INIT:
+      case CI_INV_POINTER:
+      case CI_NO_CARD:
+      case CI_NO_SOCKET:
+	FORT11_RETURN (CKR_DEVICE_ERROR);
+      default:
+	pInfo->flags = 0;
+	break;
+      }
+    }
+    
+    rv = MACI_GetConfiguration (fortezzaSockets[slotID-1].maciSession, 
+				&ciConfig);
+
+    if (rv == CI_OK) {
+        PORT_Memcpy(pInfo->manufacturerID,ciConfig.ManufacturerName,
+		    PORT_Strlen(ciConfig.ManufacturerName));
+	for (i=PORT_Strlen(ciConfig.ManufacturerName); i<32; i++) {
+	    pInfo->manufacturerID[i] = ' ';
+	}
+	PORT_Memcpy(pInfo->model,ciConfig.ProcessorType,16);    
+    }
+    pInfo->ulMaxPinLen = CI_PIN_SIZE;
+    pInfo->ulMinPinLen = 0;
+    pInfo->ulTotalPublicMemory = 0;
+    pInfo->ulFreePublicMemory  = 0;
+    pInfo->flags |= CKF_RNG | CKF_LOGIN_REQUIRED| CKF_USER_PIN_INITIALIZED | 
+                    CKF_THREAD_SAFE | CKF_WRITE_PROTECTED;
+
+    pInfo->ulMaxSessionCount = 0; 
+    pInfo->ulSessionCount = slot->sessionCount; 
+    pInfo->ulMaxRwSessionCount = 0; 
+    pInfo->ulRwSessionCount = slot->rwSessionCount; 
+
+    if (rv == CI_OK) {    
+        pInfo->firmwareVersion.major = 
+	    (ciConfig.ManufacturerSWVer & MAJOR_VERSION_MASK) >> 8; 
+	pInfo->firmwareVersion.minor = 
+	    ciConfig.ManufacturerSWVer & MINOR_VERSION_MASK;
+	pInfo->hardwareVersion.major = 
+	    (ciConfig.ManufacturerVersion & MAJOR_VERSION_MASK) >> 8;
+	pInfo->hardwareVersion.minor = 
+	    ciConfig.ManufacturerVersion & MINOR_VERSION_MASK;
+    }
+    FORT11_RETURN (CKR_OK);
+}
+
+
+
+/* C_GetMechanismList obtains a list of mechanism types supported by a 
+   token. */
+PR_PUBLIC_API(CK_RV) C_GetMechanismList(CK_SLOT_ID            slotID,
+					CK_MECHANISM_TYPE_PTR pMechanismList, 
+					CK_ULONG_PTR          pulCount) {
+  FORT11_ENTER()
+  CK_RV rv = CKR_OK;
+  int i;
+  
+  SLOT_OK (slotID);
+
+  if (pMechanismList == NULL) {
+    *pulCount = mechanismCount;
+  } else {
+    if (*pulCount >= mechanismCount) {
+      *pulCount = mechanismCount;
+      for (i=0; i< (int)mechanismCount; i++) {
+	pMechanismList[i] = mechanisms[i].type;
+      }
+    } else {
+      rv = CKR_BUFFER_TOO_SMALL;
+    }
+  }
+  FORT11_RETURN (rv);
+}
+
+
+/* C_GetMechanismInfo obtains information about a particular mechanism 
+ * possibly supported by a token. */
+PR_PUBLIC_API(CK_RV) C_GetMechanismInfo(CK_SLOT_ID            slotID, 
+					CK_MECHANISM_TYPE     type,
+					CK_MECHANISM_INFO_PTR pInfo) {
+  int i;
+  FORT11_ENTER()
+  SLOT_OK (slotID);
+
+  for (i=0; i< (int)mechanismCount; i++) {
+    if (type == mechanisms[i].type) {
+      PORT_Memcpy (pInfo, &mechanisms[i].domestic, sizeof (CK_MECHANISM_INFO));
+      FORT11_RETURN (CKR_OK);
+    }
+  }
+  FORT11_RETURN (CKR_MECHANISM_INVALID);
+}
+
+
+/* C_InitToken initializes a token. */
+PR_PUBLIC_API(CK_RV) C_InitToken(CK_SLOT_ID  slotID,
+				 CK_CHAR_PTR pPin,
+				 CK_ULONG    ulPinLen,
+				 CK_CHAR_PTR pLabel) {
+  /* For functions that don't access globals, we don't have to worry about the
+   * stack.
+   */	
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+
+/* C_InitPIN initializes the normal user's PIN. */
+PR_PUBLIC_API(CK_RV) C_InitPIN(CK_SESSION_HANDLE hSession,
+			       CK_CHAR_PTR       pPin, 
+			       CK_ULONG          ulPinLen) {
+  /* For functions that don't access globals, we don't have to worry about the
+   * stack.
+   */	
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+
+/* C_SetPIN modifies the PIN of user that is currently logged in. */
+/* NOTE: This is only valid for the PRIVATE_KEY_SLOT */
+PR_PUBLIC_API(CK_RV) C_SetPIN(CK_SESSION_HANDLE hSession, 
+			      CK_CHAR_PTR       pOldPin,
+			      CK_ULONG          ulOldLen, 
+			      CK_CHAR_PTR       pNewPin, 
+			      CK_ULONG          ulNewLen) {
+  FORT11_ENTER()
+#ifndef SWFORT
+  CI_PIN       ciOldPin, ciNewPin;
+#endif
+  PK11Session *session;
+  PK11Slot    *slot;
+  int          rv;
+
+  session = fort11_SessionFromHandle (hSession, PR_FALSE);
+
+  slot = fort11_SlotFromSession (session);
+  SLOT_OK(slot->slotID)
+
+  if (session == NULL) {
+      session = fort11_SessionFromHandle (hSession, PR_TRUE);
+      fort11_TokenRemoved(slot, session);
+      FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+  }
+
+  rv = MACI_Select (fortezzaSockets[slot->slotID-1].maciSession, slot->slotID);
+  CARD_OK (rv)
+  
+  if (slot->needLogin && session->info.state != CKS_RW_USER_FUNCTIONS) {
+    fort11_FreeSession (session);
+    FORT11_RETURN (CKR_USER_NOT_LOGGED_IN);
+  }
+
+  fort11_FreeSession (session);
+
+  if (ulNewLen > CI_PIN_SIZE || ulOldLen > CI_PIN_SIZE) 
+    FORT11_RETURN (CKR_PIN_LEN_RANGE);
+
+#ifndef SWFORT
+  fort11_convertToCIPin (ciOldPin,pOldPin, ulOldLen);
+  fort11_convertToCIPin (ciNewPin,pNewPin, ulNewLen);
+
+  rv = MACI_ChangePIN (fortezzaSockets[slot->slotID-1].maciSession, 
+		       CI_USER_PIN, ciOldPin, ciNewPin);
+#else
+  rv = MACI_ChangePIN (fortezzaSockets[slot->slotID-1].maciSession, 
+		       CI_USER_PIN,  pOldPin, pNewPin);
+#endif
+
+  if (rv != CI_OK) {
+    switch (rv) {
+    case CI_FAIL:
+      FORT11_RETURN (CKR_PIN_INCORRECT);
+    default:
+      FORT11_RETURN (CKR_DEVICE_ERROR);
+    }
+  } 
+  FORT11_RETURN (CKR_OK);
+}
+
+/* C_OpenSession opens a session between an application and a token. */
+PR_PUBLIC_API(CK_RV) C_OpenSession(CK_SLOT_ID            slotID, 
+				   CK_FLAGS              flags,
+				   CK_VOID_PTR           pApplication,
+				   CK_NOTIFY             Notify,
+				   CK_SESSION_HANDLE_PTR phSession) {
+  FORT11_ENTER()
+  PK11Slot          *slot;
+  CK_SESSION_HANDLE  sessionID;
+  PK11Session       *session;
+  FortezzaSocket    *socket;
+
+  SLOT_OK (slotID)
+  slot = &fort11_slot[slotID-1];
+  socket = &fortezzaSockets[slotID-1];
+
+  if (!socket->isOpen) {
+      if (InitSocket(socket, slotID) != SOCKET_SUCCESS) {
+	  FORT11_RETURN (CKR_TOKEN_NOT_PRESENT);
+      }
+  }
+
+  session = fort11_NewSession (slotID, Notify, pApplication, 
+			       flags | CKF_SERIAL_SESSION);
+
+  if (session == NULL) FORT11_RETURN (CKR_HOST_MEMORY);
+
+  FMUTEX_Lock(slot->sessionLock);
+
+  slot->sessionIDCount += ADD_NEXT_SESS_ID;
+  sessionID = slot->sessionIDCount;
+  fort11_update_state (slot, session);
+  pk11queue_add (session, sessionID, slot->head, SESSION_HASH_SIZE);
+  slot->sessionCount++;
+  if (session->info.flags & CKF_RW_SESSION) {
+    slot->rwSessionCount++;
+  }
+  session->handle = sessionID;
+  session->info.ulDeviceError = 0;
+
+  FMUTEX_Unlock(slot->sessionLock);
+  
+  *phSession = sessionID;
+  FORT11_RETURN (CKR_OK);
+}
+
+
+/* C_CloseSession closes a session between an application and a token. */
+PR_PUBLIC_API(CK_RV) C_CloseSession(CK_SESSION_HANDLE hSession) {
+  FORT11_ENTER()
+  PK11Slot    *slot;
+  PK11Session *session;
+  
+  session = fort11_SessionFromHandle  (hSession, PR_TRUE);
+  slot = fort11_SlotFromSessionHandle (hSession);
+
+  if (session == NULL) {
+      FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+  }
+  
+  FMUTEX_Lock(slot->sessionLock);
+  if (session->next || session->prev) {
+    session->refCount--;
+    if (session->info.flags & CKF_RW_SESSION) {
+      slot->rwSessionCount--;
+    }
+    if (slot->sessionCount == 0) {
+      slot->isLoggedIn = PR_FALSE;
+      slot->password = NULL;
+    }
+  }
+
+  FMUTEX_Unlock(slot->sessionLock);
+  
+  fort11_FreeSession (session);
+  FORT11_RETURN (CKR_OK);
+}
+
+
+/* C_CloseAllSessions closes all sessions with a token. */
+PR_PUBLIC_API(CK_RV) C_CloseAllSessions (CK_SLOT_ID slotID) {
+  FORT11_ENTER()
+  PK11Slot *slot;
+  PK11Session *session;
+  int i;
+  
+  
+  slot = fort11_SlotFromID(slotID);
+  if (slot == NULL) FORT11_RETURN (CKR_SLOT_ID_INVALID);
+  
+  /* first log out the card */
+  FMUTEX_Lock(slot->sessionLock);
+  slot->isLoggedIn = PR_FALSE;
+  slot->password = NULL;
+  FMUTEX_Unlock(slot->sessionLock);
+  
+  /* now close all the current sessions */
+  /* NOTE: If you try to open new sessions before C_CloseAllSessions
+   * completes, some of those new sessions may or may not be closed by
+   * C_CloseAllSessions... but any session running when this code starts
+   * will guarrenteed be close, and no session will be partially closed */
+  for (i=0; i < SESSION_HASH_SIZE; i++) {
+    do {
+      FMUTEX_Lock(slot->sessionLock);
+      session = slot->head[i];
+      /* hand deque */
+      /* this duplicates much of C_close session functionality, but because
+       * we know that we are freeing all the sessions, we and do some
+       * more efficient processing */
+      if (session) {
+	slot->head[i] = session->next;
+	if (session->next) session->next->prev = NULL;
+	session->next = session->prev = NULL;
+	slot->sessionCount--;
+	if (session->info.flags & CKF_RW_SESSION) {
+	  slot->rwSessionCount--;
+	}
+      }
+      FMUTEX_Unlock(slot->sessionLock);
+      if (session) fort11_FreeSession(session);
+    } while (session != NULL);
+  }
+  FORT11_RETURN (CKR_OK);
+}
+
+
+/* C_GetSessionInfo obtains information about the session. */
+PR_PUBLIC_API(CK_RV) C_GetSessionInfo(CK_SESSION_HANDLE   hSession,
+				      CK_SESSION_INFO_PTR pInfo) {
+    FORT11_ENTER()
+    PK11Session    *session;
+    PK11Slot       *slot;
+    CI_STATE        cardState;
+    FortezzaSocket *socket;
+    int             ciRV;
+    
+    session = fort11_SessionFromHandle (hSession, PR_FALSE);
+    slot    = fort11_SlotFromSessionHandle(hSession);
+    socket  = &fortezzaSockets[slot->slotID-1];
+    if (session == NULL) {
+        session = fort11_SessionFromHandle (hSession, PR_TRUE);
+	fort11_TokenRemoved(slot, session);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+    PORT_Memcpy (pInfo, &session->info, sizeof (CK_SESSION_INFO));
+    fort11_FreeSession(session);
+
+    ciRV = MACI_Select(socket->maciSession, slot->slotID);
+    CARD_OK(ciRV)
+
+    ciRV = MACI_GetState(socket->maciSession, &cardState);
+    CARD_OK(ciRV)
+
+    if (socket->isLoggedIn) { 
+        switch (cardState) {
+	case CI_POWER_UP:
+	case CI_UNINITIALIZED:
+	case CI_INITIALIZED:
+	case CI_SSO_INITIALIZED:
+	case CI_LAW_INITIALIZED:
+	case CI_USER_INITIALIZED:
+	  pInfo->state = CKS_RO_PUBLIC_SESSION;
+	  break;
+	case CI_STANDBY:
+	case CI_READY:
+	  pInfo->state = CKS_RO_USER_FUNCTIONS;
+	  break;
+	default:
+	  pInfo->state = CKS_RO_PUBLIC_SESSION;
+	  break;
+	}
+    } else {
+        pInfo->state = CKS_RO_PUBLIC_SESSION;
+    }
+
+    FORT11_RETURN (CKR_OK);
+}
+
+/* C_Login logs a user into a token. */
+PR_PUBLIC_API(CK_RV) C_Login(CK_SESSION_HANDLE hSession,
+			     CK_USER_TYPE      userType,
+			     CK_CHAR_PTR       pPin, 
+			     CK_ULONG          ulPinLen) {
+  FORT11_ENTER()
+  PK11Slot    *slot;
+  PK11Session *session;
+#ifndef SWFORT
+  CI_PIN       ciPin;
+#endif
+  int          rv, ciUserType;
+
+  slot = fort11_SlotFromSessionHandle (hSession);
+  session = fort11_SessionFromHandle(hSession, PR_FALSE);
+
+  if (session == NULL) {
+        session = fort11_SessionFromHandle (hSession, PR_TRUE);
+	fort11_TokenRemoved(slot, session);
+	FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+  }
+
+  fort11_FreeSession(session);
+
+  if (slot->isLoggedIn) FORT11_RETURN (CKR_USER_ALREADY_LOGGED_IN);
+  slot->ssoLoggedIn = PR_FALSE;
+
+#ifndef SWFORT
+  if (ulPinLen > CI_PIN_SIZE) FORT11_RETURN (CKR_PIN_LEN_RANGE);
+
+  fort11_convertToCIPin (ciPin, pPin, ulPinLen);
+#endif
+  switch (userType) {
+  case CKU_SO:
+    ciUserType = CI_SSO_PIN;
+    break;
+  case CKU_USER:
+    ciUserType = CI_USER_PIN;
+    break;
+  default:
+    FORT11_RETURN (CKR_USER_TYPE_INVALID);
+  }
+  
+#ifndef SWFORT
+  rv = LoginToSocket(&fortezzaSockets[slot->slotID-1], ciUserType, ciPin);
+#else
+  rv = LoginToSocket(&fortezzaSockets[slot->slotID-1], ciUserType, pPin);
+#endif
+
+  switch (rv) {
+  case SOCKET_SUCCESS:
+    break;
+  case CI_FAIL:
+    FORT11_RETURN (CKR_PIN_INCORRECT);
+  default:
+    FORT11_RETURN (CKR_DEVICE_ERROR);
+  }
+
+  FMUTEX_Lock(slot->sessionLock);
+  slot->isLoggedIn = PR_TRUE;
+  if (userType == CKU_SO) {
+    slot->ssoLoggedIn = PR_TRUE;
+  }
+  FMUTEX_Unlock(slot->sessionLock);
+  
+  fort11_update_all_states(slot);
+  FORT11_RETURN (CKR_OK);
+}
+
+/* C_Logout logs a user out from a token. */
+PR_PUBLIC_API(CK_RV) C_Logout(CK_SESSION_HANDLE hSession) {
+    FORT11_ENTER()
+    PK11Slot    *slot    = fort11_SlotFromSessionHandle(hSession);
+    PK11Session *session = fort11_SessionFromHandle(hSession, PR_FALSE);
+    
+    if (session == NULL) {
+        session = fort11_SessionFromHandle (hSession, PR_TRUE);
+	fort11_TokenRemoved(slot, session);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+
+    if (!slot->isLoggedIn)
+      FORT11_RETURN (CKR_USER_NOT_LOGGED_IN);
+    
+    FMUTEX_Lock(slot->sessionLock);
+
+    slot->isLoggedIn  = PR_FALSE;
+    slot->ssoLoggedIn = PR_FALSE;
+    slot->password    = NULL;
+    LogoutFromSocket  (&fortezzaSockets[slot->slotID-1]);
+
+    FMUTEX_Unlock(slot->sessionLock);
+      
+    fort11_update_all_states(slot);
+    FORT11_RETURN (CKR_OK);
+}
+
+/* C_CreateObject creates a new object. */
+PR_PUBLIC_API(CK_RV) C_CreateObject(CK_SESSION_HANDLE    hSession,
+				    CK_ATTRIBUTE_PTR     pTemplate, 
+				    CK_ULONG             ulCount, 
+				    CK_OBJECT_HANDLE_PTR phObject) {
+  /* For functions that don't access globals, we don't have to worry about the
+   * stack.
+   */	
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+
+/* C_CopyObject copies an object, creating a new object for the copy. */
+PR_PUBLIC_API(CK_RV) C_CopyObject(CK_SESSION_HANDLE    hSession,
+				  CK_OBJECT_HANDLE     hObject, 
+				  CK_ATTRIBUTE_PTR     pTemplate, 
+				  CK_ULONG             ulCount,
+				  CK_OBJECT_HANDLE_PTR phNewObject) {
+  /* For functions that don't access globals, we don't have to worry about the
+   * stack.
+   */	
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+
+/* C_DestroyObject destroys an object. */
+PR_PUBLIC_API(CK_RV) C_DestroyObject(CK_SESSION_HANDLE hSession,
+				     CK_OBJECT_HANDLE  hObject) {
+    FORT11_ENTER()
+    PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
+    PK11Session *session;
+    PK11Object *object;
+    PK11FreeStatus status;
+
+    /*
+     * This whole block just makes sure we really can destroy the
+     * requested object.
+     */
+    session = fort11_SessionFromHandle(hSession, PR_FALSE);
+    if (session == NULL) {
+        session = fort11_SessionFromHandle(hSession, PR_TRUE);
+	fort11_TokenRemoved(slot, session);
+	fort11_FreeSession(session);
+        FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+
+    object = fort11_ObjectFromHandle(hObject,session);
+    if (object == NULL) {
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_OBJECT_HANDLE_INVALID);
+    }
+
+    /* don't destroy a private object if we aren't logged in */
+    if ((!slot->isLoggedIn) && (slot->needLogin) &&
+				(fort11_isTrue(object,CKA_PRIVATE))) {
+	fort11_FreeSession(session);
+	fort11_FreeObject(object);
+	FORT11_RETURN (CKR_USER_NOT_LOGGED_IN);
+    }
+
+    /* don't destroy a token object if we aren't in a rw session */
+
+    if (((session->info.flags & CKF_RW_SESSION) == 0) &&
+				(fort11_isTrue(object,CKA_TOKEN))) {
+	fort11_FreeSession(session);
+	fort11_FreeObject(object);
+	FORT11_RETURN (CKR_SESSION_READ_ONLY);
+    }
+
+    /* ACTUALLY WE NEED TO DEAL WITH TOKEN OBJECTS AS WELL */
+    FMUTEX_Lock(session->objectLock);
+    fort11_DeleteObject(session,object);
+    FMUTEX_Unlock(session->objectLock);
+
+    fort11_FreeSession(session);
+
+    /*
+     * get some indication if the object is destroyed. Note: this is not
+     * 100%. Someone may have an object reference outstanding (though that
+     * should not be the case by here. Also now that the object is "half"
+     * destroyed. Our internal representation is destroyed, but it is still
+     * in the data base.
+     */
+    status = fort11_FreeObject(object);
+
+    FORT11_RETURN ((status != PK11_DestroyFailure) ? CKR_OK : CKR_DEVICE_ERROR);
+}
+
+
+/* C_GetObjectSize gets the size of an object in bytes. */
+PR_PUBLIC_API(CK_RV) C_GetObjectSize(CK_SESSION_HANDLE hSession,
+				     CK_OBJECT_HANDLE  hObject, 
+				     CK_ULONG_PTR      pulSize) {
+	/* For functions that don't access globals, we don't have to worry about the
+     * stack.
+     */	
+    *pulSize = 0;
+    return CKR_OK;
+}
+
+
+/* C_GetAttributeValue obtains the value of one or more object attributes. */
+PR_PUBLIC_API(CK_RV) C_GetAttributeValue(CK_SESSION_HANDLE hSession,
+					 CK_OBJECT_HANDLE  hObject,
+					 CK_ATTRIBUTE_PTR  pTemplate,
+					 CK_ULONG          ulCount) {
+    FORT11_ENTER()
+    PK11Slot *slot = fort11_SlotFromSessionHandle(hSession);
+    PK11Session *session;
+    PK11Object *object;
+    PK11Attribute *attribute;
+    PRBool sensitive;
+    int i;
+
+    /*
+     * make sure we're allowed
+     */
+    session = fort11_SessionFromHandle(hSession, PR_FALSE);
+    if (session == NULL) {
+        session = fort11_SessionFromHandle (hSession, PR_TRUE);
+	fort11_TokenRemoved(slot, session);
+	fort11_FreeSession(session);
+        FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+
+    object = fort11_ObjectFromHandle(hObject,session);
+    fort11_FreeSession(session);
+    if (object == NULL) {
+	FORT11_RETURN (CKR_OBJECT_HANDLE_INVALID);
+    }
+
+    /* don't read a private object if we aren't logged in */
+    if ((!slot->isLoggedIn) && (slot->needLogin) &&
+				(fort11_isTrue(object,CKA_PRIVATE))) {
+	fort11_FreeObject(object);
+	FORT11_RETURN (CKR_USER_NOT_LOGGED_IN);
+    }
+
+    sensitive = fort11_isTrue(object,CKA_SENSITIVE);
+    for (i=0; i <  (int)ulCount; i++) {
+	/* Make sure that this attribute is retrievable */
+	if (sensitive && fort11_isSensitive(pTemplate[i].type,object->objclass)) {
+	    fort11_FreeObject(object);
+	    FORT11_RETURN (CKR_ATTRIBUTE_SENSITIVE);
+	}
+	attribute = fort11_FindAttribute(object,pTemplate[i].type);
+	if (attribute == NULL) {
+	    fort11_FreeObject(object);
+	    FORT11_RETURN (CKR_ATTRIBUTE_TYPE_INVALID);
+	}
+	if (pTemplate[i].pValue != NULL) {
+	    PORT_Memcpy(pTemplate[i].pValue,attribute->attrib.pValue,
+			attribute->attrib.ulValueLen);
+	}
+	pTemplate[i].ulValueLen = attribute->attrib.ulValueLen;
+	fort11_FreeAttribute(attribute);
+    }
+
+    fort11_FreeObject(object);
+    FORT11_RETURN (CKR_OK);
+}
+
+/* C_SetAttributeValue modifies the value of one or more object attributes */
+PR_PUBLIC_API(CK_RV) C_SetAttributeValue (CK_SESSION_HANDLE hSession,
+					  CK_OBJECT_HANDLE  hObject,
+					  CK_ATTRIBUTE_PTR  pTemplate,
+					  CK_ULONG          ulCount) {
+  /* For functions that don't access globals, we don't have to worry about the
+   * stack.
+   */	
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+/* C_FindObjectsInit initializes a search for token and session objects 
+ * that match a template. */
+PR_PUBLIC_API(CK_RV) C_FindObjectsInit(CK_SESSION_HANDLE hSession,
+				       CK_ATTRIBUTE_PTR  pTemplate,
+				       CK_ULONG          ulCount) {
+    FORT11_ENTER()
+    PK11Slot              *slot = fort11_SlotFromSessionHandle(hSession);
+    PK11Session           *session;
+    PK11ObjectListElement *objectList = NULL;
+    PK11ObjectListElement *olp;
+    PK11SearchResults     *search, *freeSearch;
+    FortezzaSocket        *currSocket;
+    int                    rv, count, i;
+
+    if (slot == NULL) {
+	FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+
+    
+    if ((!slot->isLoggedIn) && (slot->needLogin)) 
+        FORT11_RETURN (CKR_USER_NOT_LOGGED_IN);
+
+    session = fort11_SessionFromHandle(hSession, PR_FALSE);
+    if (session == NULL) {
+        session = fort11_SessionFromHandle (hSession, PR_TRUE);
+	fort11_TokenRemoved(slot, session);
+	fort11_FreeSession(session);
+        FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+    currSocket = &fortezzaSockets[slot->slotID-1];
+    if (currSocket->personalityList == NULL) {
+        rv = FetchPersonalityList(currSocket);
+	if (rv != SOCKET_SUCCESS) {
+	    fort11_FreeSession(session);
+	    FORT11_RETURN (CKR_DEVICE_ERROR);
+	}
+
+	rv = fort11_BuildCertObjects(currSocket, slot, session);
+
+	if (rv != CKR_OK) {
+	    fort11_FreeSession(session);
+	    FORT11_RETURN (rv);
+	}
+
+	
+    }
+    rv = fort11_searchObjectList(&objectList, slot->tokObjects, 
+				slot->objectLock, pTemplate, ulCount);
+    if (rv != CKR_OK) {
+      fort11_FreeObjectList(objectList);
+      fort11_FreeSession(session);
+      FORT11_RETURN (rv);
+    }
+
+    /*copy list to session*/
+
+    count = 0;
+    for(olp = objectList; olp != NULL; olp = olp->next) {
+      count++;
+    } 
+
+    search = (PK11SearchResults *)PORT_Alloc(sizeof(PK11SearchResults));
+    if (search != NULL) {
+	search->handles = (CK_OBJECT_HANDLE *)
+				PORT_Alloc(sizeof(CK_OBJECT_HANDLE) * count);
+	if (search->handles != NULL) {
+	    for (i=0; i < count; i++) {
+		search->handles[i] = objectList->object->handle;
+		objectList = fort11_FreeObjectListElement(objectList);
+	    }
+	} else {
+	    PORT_Free(search);
+	    search = NULL;
+	}
+    }
+    if (search == NULL) {
+	fort11_FreeObjectList(objectList);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_OK);
+    }
+
+    /* store the search info */
+    search->index = 0;
+    search->size = count;
+    if ((freeSearch = session->search) != NULL) {
+	session->search = NULL;
+	fort11_FreeSearch(freeSearch);
+    }
+    session->search = search;
+    fort11_FreeSession(session);
+    FORT11_RETURN (CKR_OK);
+}
+
+
+/* C_FindObjects continues a search for token and session objects 
+ * that match a template, obtaining additional object handles. */
+PR_PUBLIC_API(CK_RV) C_FindObjects(CK_SESSION_HANDLE    hSession,
+				   CK_OBJECT_HANDLE_PTR phObject,
+				   CK_ULONG             ulMaxObjectCount,
+				   CK_ULONG_PTR         pulObjectCount) {
+    FORT11_ENTER()
+    PK11Session       *session;
+    PK11SearchResults *search;
+    PK11Slot          *slot;
+    int	transfer;
+    unsigned long left;
+
+    *pulObjectCount = 0;
+    session = fort11_SessionFromHandle(hSession,PR_FALSE);
+    slot    = fort11_SlotFromSessionHandle(hSession);
+    if (session == NULL) {
+        session = fort11_SessionFromHandle (hSession, PR_TRUE);
+	fort11_TokenRemoved(slot, session);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+    if (session->search == NULL) {
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_OK);
+    }
+    search = session->search;
+    left = session->search->size - session->search->index;
+    transfer = (ulMaxObjectCount > left) ? left : ulMaxObjectCount;
+    PORT_Memcpy(phObject,&search->handles[search->index],
+					transfer*sizeof(CK_OBJECT_HANDLE_PTR));
+    search->index += transfer;
+    if (search->index == search->size) {
+	session->search = NULL;
+	fort11_FreeSearch(search);
+    }
+    fort11_FreeSession(session);
+    *pulObjectCount = transfer;
+    FORT11_RETURN (CKR_OK);
+}
+
+/* C_FindObjectsFinal finishes a search for token and session objects. */
+PR_PUBLIC_API(CK_RV) C_FindObjectsFinal(CK_SESSION_HANDLE hSession) {
+    FORT11_ENTER()
+    PK11Session       *session;
+    PK11SearchResults *search;
+    PK11Slot          *slot;
+
+    session = fort11_SessionFromHandle(hSession, PR_FALSE);
+    slot    = fort11_SlotFromSessionHandle(hSession);
+    if (session == NULL) {
+        session = fort11_SessionFromHandle (hSession, PR_TRUE);
+	fort11_TokenRemoved(slot, session);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+    search = session->search;
+    session->search = NULL;
+    if (search == NULL) {
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_OK);
+    }
+    fort11_FreeSearch(search);
+
+    /* UnloadPersonalityList(&fortezzaSockets[session->slot->slotID-1]); */
+    fort11_FreeSession(session);
+    FORT11_RETURN (CKR_OK);
+}
+
+
+/* C_EncryptInit initializes an encryption operation. */
+PR_PUBLIC_API(CK_RV) C_EncryptInit(CK_SESSION_HANDLE hSession,
+				   CK_MECHANISM_PTR  pMechanism, 
+				   CK_OBJECT_HANDLE  hKey) {
+    FORT11_ENTER()
+    PK11Session     *session   = fort11_SessionFromHandle(hSession, PR_FALSE);
+    PK11Slot        *slot      = fort11_SlotFromSessionHandle(hSession);
+    PK11Object      *keyObject;
+    FortezzaSocket  *socket    = &fortezzaSockets[slot->slotID-1];
+    FortezzaContext *context;
+    HSESSION         hs        = socket->maciSession;
+    FortezzaKey     *fortezzaKey;
+    CI_IV            fortezzaIV;
+    int              ciRV, registerIndex;
+    
+
+    if (pMechanism->mechanism != CKM_SKIPJACK_CBC64) {
+        if (session) {
+	    fort11_FreeSession(session);
+	}
+        FORT11_RETURN (CKR_MECHANISM_INVALID);
+    }
+
+    if (session == NULL) {
+        session = fort11_SessionFromHandle (hSession, PR_TRUE);
+	fort11_TokenRemoved(slot, session);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+    
+    keyObject = fort11_ObjectFromHandle (hKey, session);
+
+    if (keyObject == NULL) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_KEY_HANDLE_INVALID);
+    }
+
+    ciRV = MACI_Select (hs, slot->slotID);
+    if (ciRV != CI_OK) {
+        fort11_FreeSession(session);
+	FORT11_RETURN (CKR_DEVICE_ERROR);
+    }
+
+    ciRV = MACI_SetMode(hs, CI_ENCRYPT_TYPE, CI_CBC64_MODE);
+    if (ciRV != CI_OK) {
+        fort11_FreeSession(session);
+	FORT11_RETURN (CKR_DEVICE_ERROR);
+    }
+
+    /*Load the correct key into a key register*/
+    fortezzaKey = (FortezzaKey*)keyObject->objectInfo;
+    fort11_FreeObject (keyObject);
+    if (fortezzaKey == NULL) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_GENERAL_ERROR);
+    }
+
+    if (fortezzaKey->keyRegister == KeyNotLoaded) {
+        registerIndex = LoadKeyIntoRegister (fortezzaKey);
+    } else {
+        registerIndex = fortezzaKey->keyRegister;
+    }
+
+    if (registerIndex == KeyNotLoaded) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_DEVICE_ERROR);
+    }
+
+    ciRV = MACI_SetKey (hs,registerIndex);
+    if (ciRV != CI_OK) {
+        fort11_FreeSession(session);
+	FORT11_RETURN (CKR_DEVICE_ERROR);
+    }
+
+    ciRV = MACI_GenerateIV(hs, fortezzaIV);
+    if (ciRV != CI_OK) {
+        fort11_FreeSession(session);
+	FORT11_RETURN (CKR_DEVICE_ERROR);
+    }
+    context = &session->fortezzaContext;
+    InitContext(context, socket, hKey);
+    ciRV = SaveState(context, fortezzaIV, session, fortezzaKey, 
+		     CI_ENCRYPT_EXT_TYPE, pMechanism->mechanism);
+    if (ciRV != SOCKET_SUCCESS) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_GENERAL_ERROR);
+    }
+
+    if (pMechanism->pParameter != NULL && 
+	pMechanism->ulParameterLen >= sizeof(CI_IV)) {
+        PORT_Memcpy (pMechanism->pParameter, fortezzaIV, sizeof(CI_IV));
+    }
+
+    InitCryptoOperation(context, Encrypt);
+    fort11_FreeSession(session);
+
+    FORT11_RETURN (CKR_OK);
+}
+
+/* C_Encrypt encrypts single-part data. */
+PR_PUBLIC_API(CK_RV) C_Encrypt (CK_SESSION_HANDLE hSession, 
+				CK_BYTE_PTR       pData,
+				CK_ULONG          ulDataLen, 
+				CK_BYTE_PTR       pEncryptedData,
+				CK_ULONG_PTR      pulEncryptedDataLen) {
+    FORT11_ENTER()
+    PK11Session     *session = fort11_SessionFromHandle (hSession, PR_FALSE);
+    PK11Slot        *slot    = fort11_SlotFromSessionHandle(hSession);
+    FortezzaSocket  *socket  = &fortezzaSockets[slot->slotID-1];
+    FortezzaContext *context;
+    HSESSION         hs;
+    CK_RV            rv;
+
+    
+    if (session == NULL) {
+        session = fort11_SessionFromHandle (hSession , PR_TRUE);
+	fort11_TokenRemoved(slot, session);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+
+    context = &session->fortezzaContext;
+    if (GetCryptoOperation(context) != Encrypt) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_OPERATION_NOT_INITIALIZED);
+    }
+
+    *pulEncryptedDataLen = ulDataLen;
+    if (pEncryptedData == NULL) {
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_OK);
+    }
+
+    hs = socket->maciSession;
+    FMUTEX_Lock(socket->registersLock);
+    MACI_Lock(hs, CI_BLOCK_LOCK_FLAG);
+    rv = EncryptData (context, pData, ulDataLen, 
+		      pEncryptedData, *pulEncryptedDataLen);
+    MACI_Unlock(hs);
+    FMUTEX_Unlock(socket->registersLock);
+
+    if (rv != SOCKET_SUCCESS) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_GENERAL_ERROR);
+    }
+
+    EndCryptoOperation(context, Encrypt);
+    fort11_FreeSession(session);	      
+
+    FORT11_RETURN (CKR_OK);
+}
+
+
+/* C_EncryptUpdate continues a multiple-part encryption operation. */
+PR_PUBLIC_API(CK_RV) C_EncryptUpdate(CK_SESSION_HANDLE hSession,
+				     CK_BYTE_PTR       pPart, 
+				     CK_ULONG          ulPartLen, 
+				     CK_BYTE_PTR       pEncryptedPart,	
+				     CK_ULONG_PTR      pulEncryptedPartLen) {
+    FORT11_ENTER()
+    PK11Session     *session = fort11_SessionFromHandle(hSession,PR_FALSE);
+    PK11Slot        *slot    = fort11_SlotFromSessionHandle(hSession);
+    FortezzaSocket  *socket  = &fortezzaSockets[slot->slotID-1];
+    FortezzaContext *context;
+    int              rv;
+
+    if (session == NULL) {
+        session = fort11_SessionFromHandle(hSession, PR_TRUE);
+	fort11_TokenRemoved (slot, session);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+
+    context = &session->fortezzaContext;
+    
+    if (GetCryptoOperation(context) != Encrypt) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_OPERATION_NOT_INITIALIZED);
+    }
+    
+    if (pEncryptedPart == NULL) {
+        *pulEncryptedPartLen = ulPartLen;
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_OK);
+    }
+
+    if (*pulEncryptedPartLen < ulPartLen) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_BUFFER_TOO_SMALL);
+    }
+
+    *pulEncryptedPartLen = ulPartLen;
+    
+    FMUTEX_Lock(socket->registersLock);
+    MACI_Lock(socket->maciSession, CI_BLOCK_LOCK_FLAG);
+    rv = EncryptData(context,pPart, ulPartLen, pEncryptedPart, 
+		     *pulEncryptedPartLen);
+    MACI_Unlock(socket->maciSession);
+    FMUTEX_Unlock(socket->registersLock);
+
+    fort11_FreeSession(session);
+    if (rv != SOCKET_SUCCESS) {
+        FORT11_RETURN (CKR_GENERAL_ERROR);
+    }
+    FORT11_RETURN (CKR_OK);
+}
+
+
+/* C_EncryptFinal finishes a multiple-part encryption operation. */
+PR_PUBLIC_API(CK_RV) C_EncryptFinal(CK_SESSION_HANDLE hSession,
+				    CK_BYTE_PTR       pLastEncryptedPart, 
+				    CK_ULONG_PTR      pulLastEncryptedPartLen){
+    FORT11_ENTER()
+    PK11Session     *session = fort11_SessionFromHandle(hSession, PR_FALSE);
+    PK11Slot        *slot    = fort11_SlotFromSessionHandle(hSession);
+    FortezzaContext *context;
+    int              rv;
+
+    if (session == NULL) {
+        session = fort11_SessionFromHandle(hSession, PR_TRUE);
+	fort11_TokenRemoved(slot, session);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+  
+    context = &session->fortezzaContext;
+
+    rv = EndCryptoOperation(context, Encrypt);
+    fort11_FreeSession(session);
+
+    FORT11_RETURN (CKR_OK);
+}
+/* C_DecryptInit initializes a decryption operation. */
+PR_PUBLIC_API(CK_RV) C_DecryptInit( CK_SESSION_HANDLE hSession,
+				    CK_MECHANISM_PTR  pMechanism, 
+				    CK_OBJECT_HANDLE  hKey) {
+    FORT11_ENTER()
+    PK11Session     *session   = fort11_SessionFromHandle(hSession, PR_FALSE);
+    PK11Slot        *slot      = fort11_SlotFromSessionHandle(hSession);
+    PK11Object      *keyObject;
+    FortezzaSocket  *socket    = &fortezzaSockets[slot->slotID-1];
+    FortezzaContext *context;
+    HSESSION         hs        = socket->maciSession;
+    FortezzaKey     *fortezzaKey;
+    CI_IV            fortezzaIV;
+    int              ciRV, registerIndex;
+
+    if (pMechanism->mechanism != CKM_SKIPJACK_CBC64) {
+        if (session) fort11_FreeSession(session);
+        FORT11_RETURN (CKR_MECHANISM_INVALID);
+    }
+
+    if (session == NULL) {
+        session = fort11_SessionFromHandle (hSession, PR_TRUE);
+	fort11_TokenRemoved(slot, session);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);        
+    }
+
+    keyObject = fort11_ObjectFromHandle (hKey, session);
+
+    if (keyObject == NULL) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_KEY_HANDLE_INVALID);
+    }
+
+    fortezzaKey = (FortezzaKey*)keyObject->objectInfo;
+    fort11_FreeObject(keyObject);
+
+    if (fortezzaKey == NULL) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_GENERAL_ERROR);
+    }
+
+    ciRV = MACI_Select (hs, slot->slotID);
+    if (ciRV != CI_OK) {
+        fort11_FreeSession(session);
+	FORT11_RETURN (CKR_DEVICE_ERROR);
+    }
+
+    ciRV = MACI_SetMode(hs, CI_DECRYPT_TYPE, CI_CBC64_MODE);
+    if (ciRV != CI_OK) {
+        fort11_FreeSession(session);
+	FORT11_RETURN (CKR_DEVICE_ERROR);
+    }
+
+    FMUTEX_Lock(socket->registersLock);
+    if (fortezzaKey->keyRegister == KeyNotLoaded) {
+        registerIndex = LoadKeyIntoRegister(fortezzaKey);
+    } else {
+        registerIndex = fortezzaKey->keyRegister;
+    }
+
+    if (registerIndex == KeyNotLoaded) {
+        FMUTEX_Unlock(socket->registersLock);
+	FORT11_RETURN (CKR_DEVICE_ERROR);
+    }
+
+    if (pMechanism->pParameter == NULL ||
+	pMechanism->ulParameterLen < sizeof (CI_IV)) {
+        FORT11_RETURN (CKR_MECHANISM_PARAM_INVALID);
+    }
+
+    PORT_Memcpy (fortezzaIV, pMechanism->pParameter, sizeof(CI_IV));
+
+    ciRV = MACI_SetKey (hs, registerIndex);
+    if (ciRV != CI_OK) {
+        FMUTEX_Unlock(socket->registersLock);
+        fort11_FreeSession(session);
+	FORT11_RETURN (CKR_DEVICE_ERROR);
+    }
+
+    ciRV = MACI_LoadIV (hs, fortezzaIV);
+    if (ciRV != CI_OK) {
+        FMUTEX_Unlock(socket->registersLock);
+        fort11_FreeSession(session);
+	FORT11_RETURN (CKR_DEVICE_ERROR);
+    }
+
+    context = &session->fortezzaContext;
+    InitContext(context, socket, hKey);
+    ciRV = SaveState (context, fortezzaIV, session, fortezzaKey, 
+		      CI_DECRYPT_EXT_TYPE, pMechanism->mechanism);
+
+    FMUTEX_Unlock(socket->registersLock);
+
+    if (ciRV != SOCKET_SUCCESS) {
+        FORT11_RETURN (CKR_GENERAL_ERROR);
+    }
+
+    InitCryptoOperation (context, Decrypt);
+    fort11_FreeSession (session);
+
+    FORT11_RETURN (CKR_OK);
+}
+
+/* C_Decrypt decrypts encrypted data in a single part. */
+PR_PUBLIC_API(CK_RV) C_Decrypt(CK_SESSION_HANDLE hSession,
+			       CK_BYTE_PTR       pEncryptedData,
+			       CK_ULONG          ulEncryptedDataLen,
+			       CK_BYTE_PTR       pData, 
+			       CK_ULONG_PTR      pulDataLen) {
+    FORT11_ENTER()
+    PK11Session     *session = fort11_SessionFromHandle (hSession, PR_FALSE);
+    PK11Slot        *slot    = fort11_SlotFromSessionHandle(hSession);
+    FortezzaSocket  *socket  = &fortezzaSockets[slot->slotID-1];
+    FortezzaContext *context;
+    HSESSION         hs;
+    CK_RV            rv;
+
+    if (session == NULL) {
+        session = fort11_SessionFromHandle(hSession, PR_TRUE);
+	fort11_TokenRemoved(slot, session);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+
+    context = &session->fortezzaContext;
+
+    if (GetCryptoOperation(context) != Decrypt) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_OPERATION_NOT_INITIALIZED);
+    }
+
+    *pulDataLen = ulEncryptedDataLen;
+    if (pData == NULL) {
+        fort11_FreeSession(session);
+	FORT11_RETURN (CKR_OK);
+    }
+
+    hs = socket->maciSession;
+    FMUTEX_Lock(socket->registersLock);
+    MACI_Lock(hs, CI_NULL_FLAG);
+    rv = DecryptData (context, pEncryptedData, ulEncryptedDataLen, 
+		      pData, *pulDataLen);
+    MACI_Unlock(hs);
+    FMUTEX_Unlock(socket->registersLock);
+    if (rv != SOCKET_SUCCESS) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_GENERAL_ERROR);
+    }
+
+    EndCryptoOperation (context, Decrypt);
+    fort11_FreeSession(session);
+
+    FORT11_RETURN (CKR_OK);
+}
+
+
+/* C_DecryptUpdate continues a multiple-part decryption operation. */
+PR_PUBLIC_API(CK_RV) C_DecryptUpdate(CK_SESSION_HANDLE hSession, 
+				     CK_BYTE_PTR       pEncryptedPart, 
+				     CK_ULONG          ulEncryptedPartLen,
+				     CK_BYTE_PTR       pPart, 
+				     CK_ULONG_PTR      pulPartLen) {
+    FORT11_ENTER()
+    PK11Session     *session = fort11_SessionFromHandle(hSession,PR_FALSE);
+    PK11Slot        *slot    = fort11_SlotFromSessionHandle(hSession);
+    FortezzaSocket  *socket  = &fortezzaSockets[slot->slotID-1];
+    FortezzaContext *context;
+    HSESSION         hs;
+    int              rv;
+
+    if (session == NULL) {
+        session = fort11_SessionFromHandle(hSession, PR_TRUE);
+	fort11_TokenRemoved (slot, session);
+	fort11_FreeSession (session);
+        FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+
+    context = &session->fortezzaContext;
+    hs = socket->maciSession;
+
+    if (GetCryptoOperation(context) != Decrypt) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_OPERATION_NOT_INITIALIZED);
+    }
+
+    if (pPart == NULL) {
+        *pulPartLen = ulEncryptedPartLen;
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_OK);
+    }
+
+    *pulPartLen = ulEncryptedPartLen;
+    
+    FMUTEX_Lock(socket->registersLock);
+    MACI_Lock (hs, CI_NULL_FLAG);
+    rv = DecryptData (context, pEncryptedPart, ulEncryptedPartLen, pPart, 
+		      *pulPartLen);
+    MACI_Unlock(hs);
+    FMUTEX_Unlock(socket->registersLock);
+
+    fort11_FreeSession(session);
+
+    if (rv != SOCKET_SUCCESS) {
+        FORT11_RETURN (CKR_GENERAL_ERROR);
+    }
+
+    FORT11_RETURN (CKR_OK);
+}
+
+
+/* C_DecryptFinal finishes a multiple-part decryption operation. */
+PR_PUBLIC_API(CK_RV) C_DecryptFinal(CK_SESSION_HANDLE hSession, 
+				    CK_BYTE_PTR       pLastPart, 
+				    CK_ULONG_PTR      pulLastPartLen) {
+    FORT11_ENTER()
+    PK11Session     *session = fort11_SessionFromHandle(hSession, PR_FALSE);
+    PK11Slot        *slot    = fort11_SlotFromSessionHandle(hSession);
+    FortezzaContext *context;
+
+    if (session == NULL) {
+        session = fort11_SessionFromHandle (hSession, PR_TRUE);
+	fort11_TokenRemoved (slot, session);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+
+    context = &session->fortezzaContext;
+    EndCryptoOperation (context, Decrypt);
+
+    fort11_FreeSession(session);
+
+    FORT11_RETURN (CKR_OK);
+}
+
+
+/*
+ ************** Crypto Functions:     Digest (HASH)  ************************
+ */
+
+/* C_DigestInit initializes a message-digesting operation. */
+PR_PUBLIC_API(CK_RV) C_DigestInit(CK_SESSION_HANDLE hSession,
+				  CK_MECHANISM_PTR  pMechanism) {
+  /* For functions that don't access globals, we don't have to worry about the
+   * stack.
+   */	
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+
+/* C_Digest digests data in a single part. */
+PR_PUBLIC_API(CK_RV) C_Digest(CK_SESSION_HANDLE hSession, 
+			      CK_BYTE_PTR       pData, 
+			      CK_ULONG          ulDataLen, 
+			      CK_BYTE_PTR       pDigest,
+			      CK_ULONG_PTR      pulDigestLen) {
+  /* For functions that don't access globals, we don't have to worry about the
+   * stack.
+   */	
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+
+/* C_DigestUpdate continues a multiple-part message-digesting operation. */
+PR_PUBLIC_API(CK_RV) C_DigestUpdate(CK_SESSION_HANDLE hSession,
+				    CK_BYTE_PTR       pPart,
+				    CK_ULONG          ulPartLen) {
+  /* For functions that don't access globals, we don't have to worry about the
+   * stack.
+   */	
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+
+/* C_DigestFinal finishes a multiple-part message-digesting operation. */
+PR_PUBLIC_API(CK_RV) C_DigestFinal(CK_SESSION_HANDLE hSession,
+				   CK_BYTE_PTR       pDigest,
+				   CK_ULONG_PTR      pulDigestLen) {
+  /* For functions that don't access globals, we don't have to worry about the
+   * stack.
+   */	
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+
+/*
+ ************** Crypto Functions:     Sign  ************************
+ */
+
+/* C_SignInit initializes a signature (private key encryption) operation,
+ * where the signature is (will be) an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+PR_PUBLIC_API(CK_RV) C_SignInit(CK_SESSION_HANDLE hSession,
+				CK_MECHANISM_PTR  pMechanism, 
+				CK_OBJECT_HANDLE  hKey) {
+    FORT11_ENTER()
+    PK11Session     *session   = fort11_SessionFromHandle (hSession, PR_FALSE);
+    PK11Slot        *slot      = fort11_SlotFromSessionHandle(hSession);
+    PK11Object      *keyObject;
+    FortezzaSocket  *socket    = &fortezzaSockets[slot->slotID-1]; 
+    FortezzaContext *context;
+    PK11Attribute   *idAttribute;
+    int              personalityIndex;
+    HSESSION         hs = socket->maciSession;
+
+    if (session == NULL) {
+        session = fort11_SessionFromHandle(hSession, PR_TRUE);
+	fort11_TokenRemoved(slot, session);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+
+    if (pMechanism->mechanism != CKM_DSA) {
+        FORT11_RETURN (CKR_MECHANISM_INVALID);
+    }
+
+    keyObject = fort11_ObjectFromHandle (hKey, session);
+
+    if (keyObject == NULL) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_KEY_HANDLE_INVALID);
+    }
+
+    context = &session->fortezzaContext;
+    InitContext(context, socket, hKey);
+    InitCryptoOperation (context, Sign);
+    fort11_FreeSession(session);
+
+    idAttribute = fort11_FindAttribute(keyObject, CKA_ID);
+    fort11_FreeObject(keyObject);
+
+    if (idAttribute == NULL) {
+        FORT11_RETURN (CKR_KEY_HANDLE_INVALID);
+    }
+
+    personalityIndex = *(int*)(idAttribute->attrib.pValue);
+    fort11_FreeAttribute(idAttribute);
+    
+    MACI_Select (hs, slot->slotID);
+    if (MACI_SetPersonality (hs,personalityIndex) != CI_OK) {
+        FORT11_RETURN (CKR_GENERAL_ERROR);
+    }
+
+    FORT11_RETURN (CKR_OK);
+}
+
+
+/* C_Sign signs (encrypts with private key) data in a single part,
+ * where the signature is (will be) an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+PR_PUBLIC_API(CK_RV) C_Sign(CK_SESSION_HANDLE hSession, 
+			    CK_BYTE_PTR       pData,
+			    CK_ULONG          ulDataLen,
+			    CK_BYTE_PTR       pSignature,
+			    CK_ULONG_PTR      pulSignatureLen) {
+
+    FORT11_ENTER()
+    PK11Session     *session   = fort11_SessionFromHandle(hSession, PR_FALSE);
+    PK11Slot        *slot      = fort11_SlotFromSessionHandle(hSession);
+    FortezzaContext *context;
+    FortezzaSocket  *socket    = &fortezzaSockets[slot->slotID-1];
+    HSESSION         hs        = socket->maciSession;
+    PK11Object      *keyObject;
+    PK11Attribute   *idAttribute;
+    int              ciRV, personalityIndex;
+
+    if (session == NULL) {
+        session = fort11_SessionFromHandle(hSession, PR_TRUE);
+	fort11_TokenRemoved (slot, session);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+
+	
+    context = &session->fortezzaContext;
+    if (GetCryptoOperation(context) != Sign) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_OPERATION_NOT_INITIALIZED);
+    }
+
+    if (pSignature == NULL) {
+        *pulSignatureLen = 40;
+        fort11_FreeSession(session);
+	FORT11_RETURN (CKR_OK);
+    }
+
+    if (ulDataLen > 20) {
+        FORT11_RETURN (CKR_DATA_LEN_RANGE);
+    }
+
+    if (*pulSignatureLen < 40) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_BUFFER_TOO_SMALL);
+    }
+    *pulSignatureLen = 40;
+
+    keyObject = fort11_ObjectFromHandle(context->hKey, session);
+    if (keyObject == NULL) {
+        fort11_FreeSession(session);
+	FORT11_RETURN(CKR_GENERAL_ERROR);
+    }
+
+    idAttribute = fort11_FindAttribute(keyObject, CKA_ID);
+    fort11_FreeObject(keyObject);
+
+    personalityIndex = *(int*)(idAttribute->attrib.pValue);
+    fort11_FreeAttribute(idAttribute);
+
+    MACI_Select(hs, slot->slotID);
+
+    MACI_Lock(hs, CI_BLOCK_LOCK_FLAG);
+    ciRV = MACI_SetPersonality(hs, personalityIndex);
+    if (ciRV != CI_OK) {
+        MACI_Unlock(hs);
+        fort11_FreeSession(session);
+	FORT11_RETURN(CKR_DEVICE_ERROR);
+    }
+
+    ciRV = MACI_Sign (hs, pData, pSignature);
+    if (ciRV != CI_OK) {
+        MACI_Unlock(hs);
+        fort11_FreeSession(session);
+	FORT11_RETURN (CKR_DEVICE_ERROR);
+    }
+
+    MACI_Unlock(hs);
+    EndCryptoOperation (context, Sign);
+    fort11_FreeSession(session);
+
+    FORT11_RETURN (CKR_OK);
+}
+
+
+/* C_SignUpdate continues a multiple-part signature operation,
+ * where the signature is (will be) an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+PR_PUBLIC_API(CK_RV) C_SignUpdate(CK_SESSION_HANDLE hSession,
+				  CK_BYTE_PTR       pPart,
+				  CK_ULONG          ulPartLen) {
+  /* For functions that don't access globals, we don't have to worry about the
+   * stack.
+   */	
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+
+/* C_SignFinal finishes a multiple-part signature operation, 
+ * FORT11_RETURNing the signature. */
+PR_PUBLIC_API(CK_RV) C_SignFinal(CK_SESSION_HANDLE hSession,
+				 CK_BYTE_PTR       pSignature,
+				 CK_ULONG_PTR      pulSignatureLen) {
+  /* For functions that don't access globals, we don't have to worry about the
+   * stack.
+   */	
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+/*
+ ************** Crypto Functions:     Sign Recover  ************************
+ */
+/* C_SignRecoverInit initializes a signature operation,
+ * where the (digest) data can be recovered from the signature. 
+ * E.g. encryption with the user's private key */
+PR_PUBLIC_API(CK_RV) C_SignRecoverInit(CK_SESSION_HANDLE hSession,
+				       CK_MECHANISM_PTR  pMechanism,
+				       CK_OBJECT_HANDLE  hKey) {
+  /* For functions that don't access globals, we don't have to worry about the
+   * stack.
+   */	
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+
+/* C_SignRecover signs data in a single operation
+ * where the (digest) data can be recovered from the signature. 
+ * E.g. encryption with the user's private key */
+PR_PUBLIC_API(CK_RV) C_SignRecover(CK_SESSION_HANDLE hSession,
+				   CK_BYTE_PTR       pData,
+				   CK_ULONG          ulDataLen, 
+				   CK_BYTE_PTR       pSignature, 
+				   CK_ULONG_PTR      pulSignatureLen) {
+  /* For functions that don't access globals, we don't have to worry about the
+   * stack.
+   */	
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+/*
+ ************** Crypto Functions:     verify  ************************
+ */
+
+/* C_VerifyInit initializes a verification operation, 
+ * where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature (e.g. DSA) */
+PR_PUBLIC_API(CK_RV) C_VerifyInit(CK_SESSION_HANDLE hSession,
+				  CK_MECHANISM_PTR  pMechanism,
+				  CK_OBJECT_HANDLE  hKey) {
+  /* For functions that don't access globals, we don't have to worry about the
+   * stack.
+   */	
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+
+/* C_Verify verifies a signature in a single-part operation, 
+ * where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+PR_PUBLIC_API(CK_RV) C_Verify(CK_SESSION_HANDLE hSession, 
+			      CK_BYTE_PTR       pData,
+			      CK_ULONG          ulDataLen, 
+			      CK_BYTE_PTR       pSignature, 
+			      CK_ULONG          ulSignatureLen) {
+  /* For functions that don't access globals, we don't have to worry about the
+   * stack.
+   */	
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+
+/* C_VerifyUpdate continues a multiple-part verification operation, 
+ * where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+PR_PUBLIC_API(CK_RV) C_VerifyUpdate( CK_SESSION_HANDLE hSession, 
+				     CK_BYTE_PTR       pPart,
+				     CK_ULONG          ulPartLen) {
+   return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+
+/* C_VerifyFinal finishes a multiple-part verification operation, 
+ * checking the signature. */
+PR_PUBLIC_API(CK_RV) C_VerifyFinal(CK_SESSION_HANDLE hSession,
+				   CK_BYTE_PTR       pSignature,
+				   CK_ULONG          ulSignatureLen) {
+  /* For functions that don't access globals, we don't have to worry about the
+   * stack.
+   */	
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+/*
+ ************** Crypto Functions:     Verify  Recover ************************
+ */
+
+/* C_VerifyRecoverInit initializes a signature verification operation, 
+ * where the data is recovered from the signature. 
+ * E.g. Decryption with the user's public key */
+PR_PUBLIC_API(CK_RV) C_VerifyRecoverInit(CK_SESSION_HANDLE hSession,
+					 CK_MECHANISM_PTR  pMechanism,
+					 CK_OBJECT_HANDLE  hKey) {
+  /* For functions that don't access globals, we don't have to worry about the
+   * stack.
+   */	
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+
+/* C_VerifyRecover verifies a signature in a single-part operation, 
+ * where the data is recovered from the signature. 
+ * E.g. Decryption with the user's public key */
+PR_PUBLIC_API(CK_RV) C_VerifyRecover(CK_SESSION_HANDLE hSession,
+				     CK_BYTE_PTR       pSignature,
+				     CK_ULONG          ulSignatureLen,
+				     CK_BYTE_PTR       pData,
+				     CK_ULONG_PTR      pulDataLen) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+/*
+ **************************** Key Functions:  ************************
+ */
+
+#define MAX_KEY_LEN 256
+/* C_GenerateKey generates a secret key, creating a new key object. */
+PR_PUBLIC_API(CK_RV) C_GenerateKey(CK_SESSION_HANDLE    hSession, 
+				   CK_MECHANISM_PTR     pMechanism,
+				   CK_ATTRIBUTE_PTR     pTemplate,
+				   CK_ULONG             ulCount,
+				   CK_OBJECT_HANDLE_PTR phKey) {
+    FORT11_ENTER()
+    PK11Session    *session = fort11_SessionFromHandle(hSession, PR_FALSE);
+    PK11Slot       *slot    = fort11_SlotFromSessionHandle(hSession);
+    FortezzaSocket *socket  = &fortezzaSockets[slot->slotID-1];
+    PK11Object     *key;
+    FortezzaKey    *newKey;
+    int             i, keyRegister;
+    CK_ULONG        key_length = 0;
+    CK_RV           crv        = CKR_OK;
+    CK_OBJECT_CLASS secretKey  = CKO_SECRET_KEY;
+    CK_BBOOL        False      = FALSE;
+    CK_BBOOL        cktrue     = TRUE;
+
+    if (session == NULL) {
+        session = fort11_SessionFromHandle (hSession, PR_TRUE);
+        fort11_TokenRemoved (slot, session);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+    if (pMechanism->mechanism != CKM_SKIPJACK_KEY_GEN) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_MECHANISM_INVALID);
+    }
+
+    key = fort11_NewObject(slot);
+
+    if (key == NULL) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_HOST_MEMORY);
+    }
+
+    for (i=0; i < (int) ulCount; i++) {
+        if (pTemplate[i].type == CKA_VALUE_LEN) {
+	    key_length = *(CK_ULONG *)pTemplate[i].pValue;
+	    continue;
+	}
+	crv = fort11_AddAttributeType (key, pk11_attr_expand (&pTemplate[i]));
+	if (crv != CKR_OK) 
+	  break;
+    } 
+
+    if (crv != CKR_OK) {
+        fort11_FreeObject(key);
+	fort11_FreeSession(session);
+	FORT11_RETURN (crv);
+    }
+
+    /* make sure we don't have any class, key_type, or value fields */
+    fort11_DeleteAttributeType(key,CKA_CLASS);
+    fort11_DeleteAttributeType(key,CKA_KEY_TYPE);
+    fort11_DeleteAttributeType(key,CKA_VALUE);
+
+    if (MAX_KEY_LEN < key_length) {
+        crv = CKR_TEMPLATE_INCONSISTENT;
+    }
+
+    if (crv != CKR_OK) {
+        fort11_FreeObject(key);
+	fort11_FreeSession(session);
+	FORT11_RETURN (crv);
+    }
+    
+    if (fort11_AddAttributeType(key, CKA_CLASS,&secretKey,
+			      sizeof(CK_OBJECT_CLASS)) != CKR_OK) {
+        fort11_FreeObject(key);
+	fort11_FreeSession(session);
+        FORT11_RETURN (CKR_GENERAL_ERROR);
+    }
+
+    if (fort11_AddAttributeType(key, CKA_TOKEN, &False,
+			      sizeof(CK_BBOOL)) != CKR_OK) {
+        fort11_FreeObject(key);
+	fort11_FreeSession(session);
+        FORT11_RETURN (CKR_GENERAL_ERROR);
+    }
+ 
+    if (fort11_isTrue(key,CKA_SENSITIVE)) {
+	fort11_forceAttribute(key,CKA_ALWAYS_SENSITIVE,&cktrue,
+			      sizeof(CK_BBOOL));
+    }
+    if (!fort11_isTrue(key,CKA_EXTRACTABLE)) {
+	fort11_forceAttribute(key,CKA_NEVER_EXTRACTABLE,&cktrue,
+			    sizeof(CK_BBOOL));
+    }
+
+    FMUTEX_Lock(socket->registersLock);
+
+    keyRegister = GetBestKeyRegister(socket);
+    newKey = NewFortezzaKey(socket, MEK, NULL, keyRegister);
+
+    FMUTEX_Unlock(socket->registersLock);
+
+    if (newKey == NULL) {
+        fort11_FreeObject(key);
+	fort11_FreeSession(session);
+        FORT11_RETURN (CKR_HOST_MEMORY);
+    }
+
+    key->objectInfo = (void*)newKey;
+    key->infoFree   = fort11_FreeFortezzaKey;
+
+    FMUTEX_Lock(slot->objectLock);
+    key->handle = slot->tokenIDCount++;
+    key->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_PRIV);
+    FMUTEX_Unlock(slot->objectLock);
+
+    key->objclass = secretKey;
+    key->slot = slot;
+    key->inDB = PR_TRUE;
+
+    fort11_AddObject(session, key);
+    fort11_FreeSession(session);
+    SetFortezzaKeyHandle(newKey, key->handle);
+    *phKey = key->handle;
+
+    FORT11_RETURN (CKR_OK);
+    
+}
+
+
+/* C_GenerateKeyPair generates a public-key/private-key pair, 
+ * creating new key objects. */
+PR_PUBLIC_API(CK_RV) C_GenerateKeyPair 
+                     (CK_SESSION_HANDLE    hSession,
+		      CK_MECHANISM_PTR     pMechanism, 
+		      CK_ATTRIBUTE_PTR     pPublicKeyTemplate,
+		      CK_ULONG             ulPublicKeyAttributeCount, 
+		      CK_ATTRIBUTE_PTR     pPrivateKeyTemplate,
+		      CK_ULONG             ulPrivateKeyAttributeCount, 
+		      CK_OBJECT_HANDLE_PTR phPrivateKey,
+		      CK_OBJECT_HANDLE_PTR phPublicKey) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+/* C_WrapKey wraps (i.e., encrypts) a key. */
+PR_PUBLIC_API(CK_RV) C_WrapKey(CK_SESSION_HANDLE hSession,
+			       CK_MECHANISM_PTR  pMechanism, 
+			       CK_OBJECT_HANDLE  hWrappingKey,
+			       CK_OBJECT_HANDLE  hKey, 
+			       CK_BYTE_PTR       pWrappedKey,
+			       CK_ULONG_PTR      pulWrappedKeyLen) {
+    FORT11_ENTER()
+    PK11Session    *session = fort11_SessionFromHandle (hSession, PR_FALSE);
+    PK11Slot       *slot    = fort11_SlotFromSessionHandle(hSession);
+    FortezzaSocket *socket  = &fortezzaSockets[slot->slotID-1];
+    PK11Object     *wrapKey;
+    PK11Object     *srcKey;
+    FortezzaKey    *wrapFortKey;
+    FortezzaKey    *srcFortKey;
+    int             rv;
+
+    if (session == NULL) {
+        session = fort11_SessionFromHandle (hSession, PR_TRUE);
+	fort11_TokenRemoved(slot, session);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+
+    if (!socket->isLoggedIn) {
+        fort11_FreeSession(session);
+	FORT11_RETURN (CKR_USER_NOT_LOGGED_IN);
+    }
+
+    if (pMechanism->mechanism != CKM_SKIPJACK_WRAP) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_MECHANISM_INVALID);
+    }
+
+    wrapKey = fort11_ObjectFromHandle (hWrappingKey, session);
+    if ((wrapKey == NULL) || (wrapKey->objectInfo == NULL)) {
+        if (wrapKey) 
+	    fort11_FreeObject(wrapKey);
+	fort11_FreeSession(session);
+        FORT11_RETURN (CKR_KEY_HANDLE_INVALID);
+    }
+
+    srcKey = fort11_ObjectFromHandle (hKey, session);
+    fort11_FreeSession(session);
+    if ((srcKey == NULL) || (srcKey->objectInfo == NULL)) {
+        FORT11_RETURN (CKR_KEY_HANDLE_INVALID);
+    }
+
+    wrapFortKey = (FortezzaKey*)wrapKey->objectInfo;
+    fort11_FreeObject(wrapKey);
+
+    srcFortKey = (FortezzaKey*)srcKey->objectInfo;
+    fort11_FreeObject(srcKey);
+
+    FMUTEX_Lock(socket->registersLock);
+    if (wrapFortKey->keyRegister == KeyNotLoaded) {
+      if (LoadKeyIntoRegister(wrapFortKey) == KeyNotLoaded) {
+	  FORT11_RETURN (CKR_DEVICE_ERROR);
+      }
+    }
+
+    if (srcFortKey->keyRegister == KeyNotLoaded) {
+      if (LoadKeyIntoRegister(srcFortKey) == KeyNotLoaded) {
+	  FMUTEX_Unlock(socket->registersLock);
+	  FORT11_RETURN (CKR_DEVICE_ERROR);
+      }
+    }
+
+    MACI_Lock(socket->maciSession, CI_BLOCK_LOCK_FLAG);
+    rv = WrapKey (wrapFortKey, srcFortKey, pWrappedKey, *pulWrappedKeyLen);
+    MACI_Unlock(socket->maciSession);
+    FMUTEX_Unlock(socket->registersLock);
+
+    if (rv != SOCKET_SUCCESS) {
+        FORT11_RETURN (CKR_GENERAL_ERROR);
+    }
+
+    FORT11_RETURN (CKR_OK);
+}
+
+
+/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new key object. */
+PR_PUBLIC_API(CK_RV) C_UnwrapKey(CK_SESSION_HANDLE    hSession,
+				 CK_MECHANISM_PTR     pMechanism, 
+				 CK_OBJECT_HANDLE     hUnwrappingKey,
+				 CK_BYTE_PTR          pWrappedKey, 
+				 CK_ULONG             ulWrappedKeyLen,
+				 CK_ATTRIBUTE_PTR     pTemplate, 
+				 CK_ULONG             ulAttributeCount,
+				 CK_OBJECT_HANDLE_PTR phKey) {
+    FORT11_ENTER()
+    PK11Session    *session = fort11_SessionFromHandle(hSession, PR_FALSE);
+    PK11Slot       *slot    = fort11_SlotFromSessionHandle(hSession);
+    FortezzaSocket *socket  = &fortezzaSockets[slot->slotID-1];
+    PK11Object     *wrapKey;
+    PK11Object     *newKey;
+    FortezzaKey    *fortKey;
+    FortezzaKey    *unwrapFort;
+    CK_ULONG        key_length;
+    int             i, newKeyRegister;
+    CK_RV           crv = CKR_OK;
+
+    if (session == NULL) {
+        session = fort11_SessionFromHandle(hSession, PR_TRUE);
+	fort11_TokenRemoved(slot, session);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+
+    if (pMechanism->mechanism != CKM_SKIPJACK_WRAP){
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_MECHANISM_INVALID);
+    }
+
+    if (!socket->isLoggedIn) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_USER_NOT_LOGGED_IN);
+    }    
+
+    wrapKey = fort11_ObjectFromHandle(hUnwrappingKey, session);
+    if (wrapKey == NULL || wrapKey->objectInfo == NULL) {
+        if (wrapKey)
+	    fort11_FreeObject(wrapKey);
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_UNWRAPPING_KEY_HANDLE_INVALID);
+    }
+
+    fortKey = (FortezzaKey*)wrapKey->objectInfo;
+    fort11_FreeObject(wrapKey);
+
+    newKey = fort11_NewObject(slot);
+    if (newKey == NULL) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_HOST_MEMORY);
+    }
+
+    for (i=0; i< (int)ulAttributeCount; i++) {
+        if (pTemplate[i].type == CKA_VALUE_LEN) {
+	    key_length = *(CK_ULONG*)pTemplate[i].pValue;
+	    continue;
+	}
+	crv=fort11_AddAttributeType(newKey,fort11_attr_expand(&pTemplate[i]));
+	if (crv != CKR_OK) {
+	    break;
+	}
+    }
+
+    if (crv != CKR_OK) {
+        fort11_FreeSession(session);
+        fort11_FreeObject(newKey);
+	FORT11_RETURN (crv);
+    }
+
+    /* make sure we don't have any class, key_type, or value fields */
+    if (!fort11_hasAttribute(newKey,CKA_CLASS)) {
+	fort11_FreeObject(newKey);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_TEMPLATE_INCOMPLETE);
+    }
+    if (!fort11_hasAttribute(newKey,CKA_KEY_TYPE)) {
+	fort11_FreeObject(newKey);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_TEMPLATE_INCOMPLETE);
+    }
+
+    FMUTEX_Lock(socket->registersLock);
+    newKeyRegister = UnwrapKey (pWrappedKey, fortKey);
+    if (newKeyRegister == KeyNotLoaded) {
+        /*Couldn't Unwrap the key*/
+        fort11_FreeObject(newKey);
+        fort11_FreeSession(session);
+	FMUTEX_Unlock(socket->registersLock);
+        FORT11_RETURN (CKR_GENERAL_ERROR);
+    }
+
+    unwrapFort = NewUnwrappedKey(newKeyRegister, fortKey->id, socket);
+    FMUTEX_Unlock(socket->registersLock);
+
+    if (unwrapFort == NULL) {
+        fort11_FreeObject(newKey);
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_HOST_MEMORY);
+    }
+    newKey->objectInfo = unwrapFort;
+    newKey->infoFree   = fort11_FreeFortezzaKey;
+
+    FMUTEX_Lock(slot->objectLock);
+    newKey->handle = slot->tokenIDCount++;
+    newKey->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_PRIV);
+    FMUTEX_Unlock(slot->objectLock);
+    newKey->objclass = CKO_SECRET_KEY;
+    newKey->slot  = slot;
+    newKey->inDB  = PR_TRUE;
+
+    fort11_AddObject (session, newKey);
+    fort11_FreeSession(session);
+    
+    SetFortezzaKeyHandle(unwrapFort, newKey->handle);
+    *phKey = newKey->handle;
+
+    FORT11_RETURN (CKR_OK);
+}
+
+
+/* C_DeriveKey derives a key from a base key, creating a new key object. */
+PR_PUBLIC_API(CK_RV) C_DeriveKey( CK_SESSION_HANDLE    hSession,
+				  CK_MECHANISM_PTR     pMechanism, 
+				  CK_OBJECT_HANDLE     hBaseKey,
+				  CK_ATTRIBUTE_PTR     pTemplate, 
+				  CK_ULONG             ulAttributeCount, 
+				  CK_OBJECT_HANDLE_PTR phKey) {
+    FORT11_ENTER()
+    PK11Session     *session = fort11_SessionFromHandle(hSession, PR_FALSE);
+    PK11Slot        *slot    = fort11_SlotFromSessionHandle(hSession);
+    FortezzaSocket  *socket  = &fortezzaSockets[slot->slotID-1];
+    PK11Object      *key, *sourceKey;
+    CK_ULONG         i;
+    CK_ULONG         key_length = 0;
+    CK_RV            crv        = 0;
+    CK_KEY_TYPE      keyType    = CKK_SKIPJACK;
+    CK_OBJECT_CLASS  classType  = CKO_SECRET_KEY;  
+    CK_BBOOL	     ckTrue     = TRUE;
+    CK_BBOOL         ckFalse    = FALSE;
+    int              ciRV;
+    int              personality;
+    PK11Attribute   *att;
+
+    CK_KEA_DERIVE_PARAMS_PTR  params;
+    FortezzaKey              *derivedKey;
+    CreateTEKInfo             tekInfo;
+
+    if (session == NULL) {
+        session = fort11_SessionFromHandle(hSession, PR_TRUE);
+	fort11_TokenRemoved (slot, session);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+
+    if (pMechanism->mechanism != CKM_KEA_KEY_DERIVE) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_MECHANISM_INVALID);
+    }
+
+    key = fort11_NewObject (slot);
+
+    if (key == NULL) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_HOST_MEMORY);
+    }
+
+    for (i = 0; i < ulAttributeCount; i++) {
+        crv = fort11_AddAttributeType (key, fort11_attr_expand(&pTemplate[i]));
+	if (crv != CKR_OK) {
+	    break;
+	}
+	if (pTemplate[i].type == CKA_KEY_TYPE) {
+	    keyType = *(CK_KEY_TYPE*)pTemplate[i].pValue;
+	} else if (pTemplate[i].type == CKA_VALUE_LEN) {
+	    key_length = *(CK_ULONG*)pTemplate[i].pValue;
+	}	  
+    }
+
+    if (crv != CKR_OK) {
+        fort11_FreeObject(key);
+	fort11_FreeSession(session);
+	FORT11_RETURN (crv);
+    }
+
+    if (key_length == 0) {
+        key_length = 12;
+    }
+
+    classType = CKO_SECRET_KEY;
+    crv = fort11_forceAttribute (key, CKA_CLASS, &classType, 
+				 sizeof(classType));
+    if (crv != CKR_OK) {
+        fort11_FreeObject(key);
+	fort11_FreeSession(session);
+	FORT11_RETURN (crv);
+    }
+    crv = fort11_forceAttribute (key, CKA_SENSITIVE, &ckTrue, 
+				 sizeof(CK_BBOOL));
+    if (crv != CKR_OK) {
+        fort11_FreeObject(key);
+	fort11_FreeSession(session);
+	FORT11_RETURN (crv);
+    }
+    crv = fort11_forceAttribute (key, CKA_EXTRACTABLE, &ckFalse, 
+			       sizeof(CK_BBOOL));
+    if (crv != CKR_OK) {
+        fort11_FreeSession(session);
+	fort11_FreeObject(key);
+	FORT11_RETURN (crv);
+    }
+
+    sourceKey = fort11_ObjectFromHandle (hBaseKey, session);
+
+    if (sourceKey == NULL) {
+        fort11_FreeObject(key);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_KEY_HANDLE_INVALID);
+    }
+
+    att = fort11_FindAttribute(sourceKey,CKA_ID);
+    fort11_FreeObject(sourceKey);
+    if (att == NULL) {
+	fort11_FreeObject(key);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_KEY_TYPE_INCONSISTENT);
+    }
+    personality = *(int *) att->attrib.pValue;
+    fort11_FreeAttribute(att);
+
+    params = (CK_KEA_DERIVE_PARAMS_PTR)pMechanism->pParameter;
+
+    if (params == NULL) {
+	fort11_FreeObject(key);
+	fort11_FreeSession(session);
+        FORT11_RETURN (CKR_MECHANISM_PARAM_INVALID);
+    }
+    
+    ciRV = MACI_SetPersonality(socket->maciSession,personality);
+    if (ciRV != CI_OK) {
+	fort11_FreeObject(key);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_DEVICE_ERROR);
+    }
+    /*
+     * If we're sending, generate our own RA.
+     */
+    if (params->isSender) {
+	ciRV = MACI_GenerateRa(socket->maciSession,params->pRandomA);
+	if (ciRV != CI_OK) {
+	    fort11_FreeObject(key);
+	    fort11_FreeSession(session);
+	    FORT11_RETURN (CKR_DEVICE_ERROR);
+	}
+    }
+    PORT_Memcpy (tekInfo.Ra, params->pRandomA, params->ulRandomLen);
+    PORT_Memcpy (tekInfo.Rb, params->pRandomB, params->ulRandomLen);
+    tekInfo.randomLen = params->ulRandomLen;
+    tekInfo.personality = personality;
+    tekInfo.flag = (params->isSender) ? CI_INITIATOR_FLAG : CI_RECIPIENT_FLAG;
+    
+    PORT_Memcpy (tekInfo.pY, params->pPublicData, params->ulPublicDataLen);
+    tekInfo.YSize = params->ulPublicDataLen;
+
+    FMUTEX_Lock(socket->registersLock);
+    derivedKey = NewFortezzaKey(socket, TEK, &tekInfo, 
+				GetBestKeyRegister(socket));
+    FMUTEX_Unlock(socket->registersLock);
+
+    if (derivedKey == NULL) {
+	fort11_FreeObject(key);
+	fort11_FreeSession(session);
+        FORT11_RETURN (CKR_GENERAL_ERROR);
+    }
+
+    key->objectInfo = derivedKey;
+    key->infoFree   = fort11_FreeFortezzaKey;
+
+    FMUTEX_Lock(slot->objectLock);
+    key->handle = slot->tokenIDCount++;
+    key->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_PRIV);
+    FMUTEX_Unlock(slot->objectLock);
+    key->objclass = classType;
+    key->slot = slot;
+    key->inDB = PR_TRUE;
+
+    fort11_AddObject (session, key);
+    fort11_FreeSession(session);
+    
+    SetFortezzaKeyHandle(derivedKey, key->handle);
+    *phKey = key->handle;
+
+    FORT11_RETURN (CKR_OK);
+}
+
+/*
+ **************************** Random Functions:  ************************
+ */
+
+/* C_SeedRandom mixes additional seed material into the token's random number 
+ * generator. */
+PR_PUBLIC_API(CK_RV) C_SeedRandom(CK_SESSION_HANDLE hSession, 
+				  CK_BYTE_PTR       pSeed,
+				  CK_ULONG          ulSeedLen) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+
+/* C_GenerateRandom generates random data. */
+PR_PUBLIC_API(CK_RV) C_GenerateRandom(CK_SESSION_HANDLE hSession,
+				      CK_BYTE_PTR	pRandomData, 
+				      CK_ULONG          ulRandomLen) {
+    FORT11_ENTER()
+    PK11Slot    *slot    = fort11_SlotFromSessionHandle(hSession);
+    PK11Session *session = fort11_SessionFromHandle(hSession,PR_FALSE);
+    CI_RANDOM    randomNum;
+    CK_ULONG     randomSize = sizeof (CI_RANDOM);
+    int          ciRV;
+    CK_ULONG     bytesCopied = 0, bytesToCopy;
+    CK_ULONG     bufferSize  = 0, bytesRemaining;
+
+    if (session == NULL) {
+        session = fort11_SessionFromHandle (hSession, PR_TRUE);
+	fort11_TokenRemoved(slot, session);
+	fort11_FreeSession(session);
+        FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+
+    fort11_FreeSession(session);
+    ciRV = MACI_Select(fortezzaSockets[slot->slotID-1].maciSession, 
+		       slot->slotID);
+    if (ciRV != CI_OK) {
+        FORT11_RETURN (CKR_DEVICE_ERROR);
+    }
+    
+    while (bytesCopied < ulRandomLen) {
+      bytesRemaining = ulRandomLen - bytesCopied;
+      if (bufferSize < bytesRemaining) {
+	  ciRV = 
+	    MACI_GenerateRandom(fortezzaSockets[slot->slotID-1].maciSession, 
+				randomNum);
+	  if (ciRV != CI_OK)
+	      FORT11_RETURN (CKR_DEVICE_ERROR);
+	  bufferSize = randomSize;
+      }
+      bytesToCopy = (bytesRemaining > randomSize) ? randomSize : 
+	                                            bytesRemaining;
+
+      PORT_Memcpy (&pRandomData[bytesCopied], 
+		   &randomNum[randomSize-bufferSize], bytesToCopy);
+
+      bytesCopied += bytesToCopy;
+      bufferSize  -= bytesToCopy; 
+    }
+
+    FORT11_RETURN (CKR_OK);
+}
+
+
+/* C_GetFunctionStatus obtains an updated status of a function running 
+ * in parallel with an application. */
+PR_PUBLIC_API(CK_RV) C_GetFunctionStatus(CK_SESSION_HANDLE hSession) {
+    return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+
+/* C_CancelFunction cancels a function running in parallel */
+PR_PUBLIC_API(CK_RV) C_CancelFunction(CK_SESSION_HANDLE hSession) {
+    return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+/* C_GetOperationState saves the state of the cryptographic 
+ *operation in a session. */
+PR_PUBLIC_API(CK_RV) C_GetOperationState(CK_SESSION_HANDLE hSession, 
+					 CK_BYTE_PTR       pOperationState, 
+					 CK_ULONG_PTR      pulOperationStateLen) {
+    FORT11_ENTER()
+    PK11Session     *session   = fort11_SessionFromHandle(hSession, PR_FALSE);
+    PK11Slot        *slot      = fort11_SlotFromSessionHandle(hSession);
+    FortezzaContext *context;
+
+    if (session  == NULL) {
+        session = fort11_SessionFromHandle(hSession, PR_TRUE);
+	fort11_TokenRemoved (slot, session);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+
+    if (pOperationState == NULL) {
+        *pulOperationStateLen = sizeof (FortezzaContext);
+        fort11_FreeSession(session);
+	FORT11_RETURN (CKR_OK);
+    }
+
+    if (*pulOperationStateLen < sizeof (FortezzaContext)) {
+        fort11_FreeSession(session);
+	FORT11_RETURN (CKR_BUFFER_TOO_SMALL);
+    }
+
+    context = &session->fortezzaContext;
+    fort11_FreeSession(session);
+    PORT_Memcpy (pOperationState, context, sizeof(FortezzaContext));
+    ((FortezzaContext *)pOperationState)->session = NULL;
+    ((FortezzaContext *)pOperationState)->fortezzaKey = NULL;
+    *pulOperationStateLen = sizeof(FortezzaContext);
+    FORT11_RETURN (CKR_OK);
+}
+
+
+
+/* C_SetOperationState restores the state of the cryptographic operation in a session. */
+PR_PUBLIC_API(CK_RV) C_SetOperationState(CK_SESSION_HANDLE hSession, 
+					 CK_BYTE_PTR       pOperationState, 
+					 CK_ULONG          ulOperationStateLen,
+					 CK_OBJECT_HANDLE  hEncryptionKey, 
+					 CK_OBJECT_HANDLE  hAuthenticationKey){
+    FORT11_ENTER()
+    PK11Session     *session   = fort11_SessionFromHandle(hSession, PR_FALSE);
+    PK11Slot        *slot      = fort11_SlotFromSessionHandle(hSession);
+    FortezzaContext *context;
+    FortezzaContext  passedInCxt;
+    PK11Object      *keyObject;
+    FortezzaKey     *fortKey;
+
+    if (session  == NULL) {
+        session = fort11_SessionFromHandle(hSession, PR_TRUE);
+	fort11_TokenRemoved (slot, session);
+	fort11_FreeSession(session);
+	FORT11_RETURN (CKR_SESSION_HANDLE_INVALID);
+    }
+
+    if (ulOperationStateLen != sizeof(FortezzaContext)) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_SAVED_STATE_INVALID);
+    }
+
+    PORT_Memcpy(&passedInCxt, pOperationState, sizeof(FortezzaContext));
+    if (passedInCxt.fortezzaSocket->slotID != slot->slotID) {
+        fort11_FreeSession(session);
+        FORT11_RETURN (CKR_SAVED_STATE_INVALID);
+    }
+    passedInCxt.session = NULL;
+    passedInCxt.fortezzaKey = NULL;
+    
+    if (hEncryptionKey != 0) {
+        keyObject = fort11_ObjectFromHandle(hEncryptionKey, session);
+	if (keyObject == NULL) {
+	    fort11_FreeSession(session);
+	    FORT11_RETURN (CKR_KEY_HANDLE_INVALID);
+	}
+	fortKey = (FortezzaKey*)keyObject->objectInfo;
+	fort11_FreeObject(keyObject);
+	if (fortKey == NULL) {
+	    fort11_FreeSession(session);
+	    FORT11_RETURN (CKR_SAVED_STATE_INVALID);
+	}
+	if (fortKey->keyRegister == KeyNotLoaded) {
+	    if (LoadKeyIntoRegister (fortKey) == KeyNotLoaded) {
+	        fort11_FreeSession(session);
+		FORT11_RETURN (CKR_DEVICE_ERROR);
+	    }
+	}
+	passedInCxt.fortezzaKey = fortKey;
+
+    } 
+    if (hAuthenticationKey != 0) {
+        fort11_FreeSession(session);
+	FORT11_RETURN (CKR_DEVICE_ERROR);
+    }
+
+    passedInCxt.session = session;
+    context = &session->fortezzaContext;
+    fort11_FreeSession (session);    
+    PORT_Memcpy (context, &passedInCxt, sizeof(passedInCxt));
+
+    FORT11_RETURN (CKR_OK);
+}
+
+/* Dual-function cryptographic operations */
+
+/* C_DigestEncryptUpdate continues a multiple-part digesting and 
+   encryption operation. */
+PR_PUBLIC_API(CK_RV) C_DigestEncryptUpdate(CK_SESSION_HANDLE hSession, 
+					   CK_BYTE_PTR       pPart,
+					   CK_ULONG          ulPartLen, 
+					   CK_BYTE_PTR       pEncryptedPart,
+					   CK_ULONG_PTR      pulEncryptedPartLen){
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+
+/* C_DecryptDigestUpdate continues a multiple-part decryption and digesting 
+   operation. */
+PR_PUBLIC_API(CK_RV) C_DecryptDigestUpdate(CK_SESSION_HANDLE hSession,
+					   CK_BYTE_PTR       pEncryptedPart, 
+					   CK_ULONG          ulEncryptedPartLen,
+					   CK_BYTE_PTR       pPart, 
+			    CK_ULONG_PTR      pulPartLen){
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+
+/* C_SignEncryptUpdate continues a multiple-part signing and encryption
+   operation. */
+PR_PUBLIC_API(CK_RV) C_SignEncryptUpdate(CK_SESSION_HANDLE hSession, 
+					 CK_BYTE_PTR       pPart,
+					 CK_ULONG          ulPartLen, 
+					 CK_BYTE_PTR       pEncryptedPart,
+					 CK_ULONG_PTR      pulEncryptedPartLen){
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+
+/* C_DecryptVerifyUpdate continues a multiple-part decryption and verify 
+   operation. */
+PR_PUBLIC_API(CK_RV) C_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession, 
+					   CK_BYTE_PTR       pEncryptedData, 
+					   CK_ULONG          ulEncryptedDataLen, 
+					   CK_BYTE_PTR       pData, 
+					   CK_ULONG_PTR      pulDataLen){
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+/* C_DigestKey continues a multi-part message-digesting operation,
+ * by digesting the value of a secret key as part of the data already digested.
+ */
+PR_PUBLIC_API(CK_RV) C_DigestKey(CK_SESSION_HANDLE hSession, 
+				 CK_OBJECT_HANDLE  hKey) {
+  return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+PR_PUBLIC_API(CK_RV) C_WaitForSlotEvent(CK_FLAGS flags,
+					CK_SLOT_ID_PTR pSlot,
+					CK_VOID_PTR pRserved) {
+  return CKR_FUNCTION_FAILED;
+}
+
diff --git a/security/nss/lib/fortcrypt/fortsock.h b/security/nss/lib/fortcrypt/fortsock.h
new file mode 100644
index 000000000..f74fc80b8
--- /dev/null
+++ b/security/nss/lib/fortcrypt/fortsock.h
@@ -0,0 +1,105 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#ifndef FORSOCK_H_
+#define FORSOCK_H_
+
+#include "seccomon.h"
+#include "fpkcs11.h"
+#include "fpkcs11i.h"
+#include "fpkstrs.h"
+
+
+#ifndef prtypes_h___
+typedef enum { PR_FALSE, PR_TRUE }PRBool;
+#endif
+
+
+#define SOCKET_SUCCESS  0
+#define SOCKET_FAILURE  1
+
+#define KeyNotLoaded    -1
+#define NoCryptoType    -1
+#define NoCryptoMode    -1
+#define NO_MECHANISM    0xFFFFFFFFL
+
+
+/*Get the Fortezza context in here*/
+
+int InitSocket (FortezzaSocket *inSocket, int inSlotID);
+int FreeSocket (FortezzaSocket *inSocket);
+
+int FetchPersonalityList (FortezzaSocket *inSocket);
+int UnloadPersonalityList(FortezzaSocket *inSocket);
+
+int LoginToSocket (FortezzaSocket *inSocket, int inUserType, CI_PIN inPin); 
+
+int LogoutFromSocket (FortezzaSocket *inSocket);
+
+PRBool SocketStateUnchanged(FortezzaSocket* inSocket);
+
+int GetBestKeyRegister(FortezzaSocket *inSocket);
+
+FortezzaKey *NewFortezzaKey(FortezzaSocket  *inSocket, 
+			    FortezzaKeyType  inKeyType,
+			    CreateTEKInfo   *TEKinfo,
+			    int              inKeyRegister);
+FortezzaKey *NewUnwrappedKey(int inKeyRegister, int i, 
+			     FortezzaSocket *inSocket);
+
+int  LoadKeyIntoRegister (FortezzaKey *inKey);
+int  SetFortezzaKeyHandle (FortezzaKey *inKey, CK_OBJECT_HANDLE inHandle);
+void RemoveKey (FortezzaKey *inKey);
+
+void InitContext(FortezzaContext *inContext, FortezzaSocket *inSocket,
+		 CK_OBJECT_HANDLE hKey);
+int InitCryptoOperation (FortezzaContext *inContext, 
+			 CryptoType inCryptoOperation);
+int EndCryptoOperation  (FortezzaContext *inContext, 
+			 CryptoType inCryptoOperation);
+CryptoType GetCryptoOperation (FortezzaContext *inContext);
+int EncryptData (FortezzaContext *inContext, CK_BYTE_PTR inData,
+		 CK_ULONG inDataLen, CK_BYTE_PTR inDest, 
+		 CK_ULONG inDestLen);
+int DecryptData (FortezzaContext *inContext, CK_BYTE_PTR inData,
+		 CK_ULONG inDataLen, CK_BYTE_PTR inDest, 
+		 CK_ULONG inDestLen);
+
+int SaveState (FortezzaContext *inContext, CI_IV inIV, 
+	       PK11Session *inSession, FortezzaKey *inKey,
+	       int inCryptoType, CK_MECHANISM_TYPE inMechanism);
+
+int WrapKey (FortezzaKey *wrappingKey, FortezzaKey *srcKey,
+	     CK_BYTE_PTR pDest, CK_ULONG ulDestLen);
+int UnwrapKey (CK_BYTE_PTR inWrappedKey, FortezzaKey *inKey);
+
+#endif /*SOCKET_H_*/
diff --git a/security/nss/lib/fortcrypt/fpkcs11.h b/security/nss/lib/fortcrypt/fpkcs11.h
new file mode 100644
index 000000000..09f3dfe29
--- /dev/null
+++ b/security/nss/lib/fortcrypt/fpkcs11.h
@@ -0,0 +1,170 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
+ * is granted provided that it is identified as "RSA Security In.c Public-Key
+ * Cryptography Standards (PKCS)" in all material mentioning or referencing
+ * this document.
+ */
+/* Define API */
+#ifndef _FPKCS11_H_
+#define _FPKCS11_H_ 1
+
+#include "seccomon.h"
+
+#ifndef FALSE
+#define FALSE 0
+#endif
+
+#ifndef TRUE
+#define TRUE (!FALSE)
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* All the various pkcs11 types and #define'd values are in the file */
+/* pkcs11t.h.  CK_PTR should be defined there, too; it's the recipe for */
+/* making pointers. */
+#include "fpkcs11t.h"
+
+#define __PASTE(x,y)	x##y
+
+/* ================================================================= */
+/* Define the "extern" form of all the entry points */
+
+#define CK_EXTERN	extern
+#define CK_FUNC(name)	CK_ENTRY name
+#define CK_NEED_ARG_LIST	1
+#define _CK_RV		PR_PUBLIC_API(CK_RV)
+
+/* pkcs11f.h has all the information about the PKCS #11 functions. */
+#include "fpkcs11f.h"
+
+#undef CK_FUNC
+#undef CK_EXTERN
+#undef CK_NEED_ARG_LIST
+#undef _CK_RV
+
+/* ================================================================= */
+/* Define the typedef form of all the entry points. */
+/* That is, for each Cryptoki function C_XXX, define a type CK_C_XXX */
+/* which is a pointer to that kind of function. */
+
+#define CK_EXTERN               typedef
+#define CK_FUNC(name)           CK_ENTRY (CK_PTR __PASTE(CK_,name))
+#define CK_NEED_ARG_LIST	1
+#define _CK_RV		        CK_RV
+
+#include "fpkcs11f.h"
+
+#undef CK_FUNC
+#undef CK_EXTERN
+#undef CK_NEED_ARG_LIST
+#undef _CK_RV
+
+/* =================================================================
+ * Define structed vector of entry points.
+ * The CK_FUNCTION_LIST contains a CK_VERSION indicating the PKCS #11
+ * version, and then a whole slew of function pointers to the routines
+ * in the library.  This type was declared, but not defined, in
+ * pkcs11t.h. */
+
+
+/* These data types are platform/implementation dependent. */
+#if defined(XP_WIN) 
+#if defined(_WIN32)
+#define CK_ENTRY	
+#define CK_PTR		*	/* definition for Win32 */ 
+#define NULL_PTR 	0	/* NULL pointer */
+#pragma pack(push, cryptoki, 1)
+#else /* win16 */
+#if defined(__WATCOMC__)
+#define CK_ENTRY	
+#define CK_PTR		*	/* definition for Win16 */ 
+#define NULL_PTR 	0	/* NULL pointer */
+#pragma pack(push, 1)
+#else /* not Watcom 16-bit */
+#define CK_ENTRY	
+#define CK_PTR		*	/* definition for Win16 */ 
+#define NULL_PTR 	0	/* NULL pointer */
+#pragma pack(1)
+#endif
+#endif
+#else /* not windows */
+#define CK_ENTRY
+#define CK_PTR		*	/* definition for UNIX */ 
+#define NULL_PTR 	0	/* NULL pointer */
+#endif
+
+
+#define CK_EXTERN 
+#define CK_FUNC(name) __PASTE(CK_,name) name;
+#define _CK_RV
+
+struct CK_FUNCTION_LIST {
+
+    CK_VERSION		version;	/* PKCS #11 version */
+
+/* Pile all the function pointers into it. */
+#include "fpkcs11f.h"
+
+};
+
+#undef CK_FUNC
+#undef CK_EXTERN
+#undef _CK_RV
+
+
+#if defined(XP_WIN)
+#if defined(_WIN32)
+#pragma pack(pop, cryptoki)
+#else /* win16 */
+#if defined(__WATCOMC__)
+#pragma pack(pop)
+#else /* not Watcom 16-bit */
+#pragma pack()
+#endif
+#endif
+#endif
+
+
+#undef __PASTE
+/* ================================================================= */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/security/nss/lib/fortcrypt/fpkcs11f.h b/security/nss/lib/fortcrypt/fpkcs11f.h
new file mode 100644
index 000000000..6fa7e755d
--- /dev/null
+++ b/security/nss/lib/fortcrypt/fpkcs11f.h
@@ -0,0 +1,953 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
+ * is granted provided that it is identified as "RSA Security In.c Public-Key
+ * Cryptography Standards (PKCS)" in all material mentioning or referencing
+ * this document.
+ */
+/* This function contains pretty much everything about all */
+/* the PKCS #11 function prototypes. */
+
+/* General-purpose */
+
+/* C_Initialize initializes the PKCS #11 library. */
+CK_EXTERN _CK_RV CK_FUNC(C_Initialize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_VOID_PTR   pReserved  /* reserved.  Should be NULL_PTR */
+);
+#endif
+
+
+/* C_Finalize indicates that an application is done with the PKCS #11
+ * library. */
+CK_EXTERN _CK_RV CK_FUNC(C_Finalize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_VOID_PTR   pReserved  /* reserved.  Should be NULL_PTR */
+);
+#endif
+
+
+/* C_GetInfo returns general information about PKCS #11. */
+CK_EXTERN _CK_RV CK_FUNC(C_GetInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_INFO_PTR   pInfo  /* location that receives the information */
+);
+#endif
+
+
+/* C_GetFunctionList returns the function list. */
+CK_EXTERN _CK_RV CK_FUNC(C_GetFunctionList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList  /* receives ptr to function
+list */
+);
+#endif
+
+
+
+/* Slot and token management */
+
+/* C_GetSlotList obtains a list of slots in the system. */
+CK_EXTERN _CK_RV CK_FUNC(C_GetSlotList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_BBOOL       tokenPresent,  /* only slots with token present */
+  CK_SLOT_ID_PTR pSlotList,     /* receives the array of slot IDs */
+  CK_ULONG_PTR   pulCount       /* receives the number of slots */
+);
+#endif
+
+
+/* C_GetSlotInfo obtains information about a particular slot in the
+system. */
+CK_EXTERN _CK_RV CK_FUNC(C_GetSlotInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID       slotID,  /* the ID of the slot */
+  CK_SLOT_INFO_PTR pInfo    /* receives the slot information */
+);
+#endif
+
+
+/* C_GetTokenInfo obtains information about a particular token in the
+ * system. */
+CK_EXTERN _CK_RV CK_FUNC(C_GetTokenInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID        slotID,  /* ID of the token's slot */
+  CK_TOKEN_INFO_PTR pInfo    /* receives the token information */
+);
+#endif
+
+
+/* C_GetMechanismList obtains a list of mechanism types supported by
+ * a token. */
+CK_EXTERN _CK_RV CK_FUNC(C_GetMechanismList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,          /* ID of the token's slot */
+  CK_MECHANISM_TYPE_PTR pMechanismList,  /* receives mech. types array
+*/
+  CK_ULONG_PTR          pulCount         /* receives number of mechs. */
+);
+#endif
+
+
+/* C_GetMechanismInfo obtains information about a particular mechanism 
+ * possibly supported by a token. */
+CK_EXTERN _CK_RV CK_FUNC(C_GetMechanismInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,  /* ID of the token's slot */
+  CK_MECHANISM_TYPE     type,    /* type of mechanism */
+  CK_MECHANISM_INFO_PTR pInfo    /* receives mechanism information */
+);
+#endif
+
+
+/* C_InitToken initializes a token. */
+CK_EXTERN _CK_RV CK_FUNC(C_InitToken)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID     slotID,    /* ID of the token's slot */
+  CK_CHAR_PTR    pPin,      /* the SO's initial PIN */
+  CK_ULONG       ulPinLen,  /* length in bytes of the PIN */
+  CK_CHAR_PTR    pLabel     /* 32-byte token label (blank padded) */
+);
+#endif
+
+
+/* C_InitPIN initializes the normal user's PIN. */
+CK_EXTERN _CK_RV CK_FUNC(C_InitPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_CHAR_PTR       pPin,      /* the normal user's PIN */
+  CK_ULONG          ulPinLen   /* length in bytes of the PIN */
+);
+#endif
+
+
+/* C_SetPIN modifies the PIN of user that is currently logged in. */
+CK_EXTERN _CK_RV CK_FUNC(C_SetPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_CHAR_PTR       pOldPin,   /* the old PIN */
+  CK_ULONG          ulOldLen,  /* length of the old PIN */
+  CK_CHAR_PTR       pNewPin,   /* the new PIN */
+  CK_ULONG          ulNewLen   /* length of the new PIN */
+);
+#endif
+
+
+
+/* Session management */
+
+/* C_OpenSession opens a session between an application and a token. */
+CK_EXTERN _CK_RV CK_FUNC(C_OpenSession)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,        /* the slot's ID */
+  CK_FLAGS              flags,         /* defined in CK_SESSION_INFO */
+  CK_VOID_PTR           pApplication,  /* pointer passed to callback */
+  CK_NOTIFY             Notify,        /* notification callback function
+*/
+  CK_SESSION_HANDLE_PTR phSession      /* receives new session handle */
+);
+#endif
+
+
+/* C_CloseSession closes a session between an application and a token.
+*/
+CK_EXTERN _CK_RV CK_FUNC(C_CloseSession)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+/* C_CloseAllSessions closes all sessions with a token. */
+CK_EXTERN _CK_RV CK_FUNC(C_CloseAllSessions)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID     slotID  /* the token's slot */
+);
+#endif
+
+
+/* C_GetSessionInfo obtains information about the session. */
+CK_EXTERN _CK_RV CK_FUNC(C_GetSessionInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE   hSession,  /* the session's handle */
+  CK_SESSION_INFO_PTR pInfo      /* receives session information */
+);
+#endif
+
+
+/* C_GetOperationState obtains the state of the cryptographic operation
+ * in a session. */
+CK_EXTERN _CK_RV CK_FUNC(C_GetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,             /* the session's handle */
+  CK_BYTE_PTR       pOperationState,      /* location receiving state */
+  CK_ULONG_PTR      pulOperationStateLen  /* location receiving state
+length */
+);
+#endif
+
+
+/* C_SetOperationState restores the state of the cryptographic operation
+ * in a session. */
+CK_EXTERN _CK_RV CK_FUNC(C_SetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* the session's handle */
+  CK_BYTE_PTR      pOperationState,      /* the location holding the
+state */
+  CK_ULONG         ulOperationStateLen,  /* location holding state
+length */
+  CK_OBJECT_HANDLE hEncryptionKey,       /* handle of en/decryption key
+*/
+  CK_OBJECT_HANDLE hAuthenticationKey    /* handle of sign/verify key */
+);
+#endif
+
+
+/* C_Login logs a user into a token. */
+CK_EXTERN _CK_RV CK_FUNC(C_Login)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_USER_TYPE      userType,  /* the user type */
+  CK_CHAR_PTR       pPin,      /* the user's PIN */
+  CK_ULONG          ulPinLen   /* the length of the PIN */
+);
+#endif
+
+
+/* C_Logout logs a user out from a token. */
+CK_EXTERN _CK_RV CK_FUNC(C_Logout)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Object management */
+
+/* C_CreateObject creates a new object. */
+CK_EXTERN _CK_RV CK_FUNC(C_CreateObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,   /* the object's template */
+  CK_ULONG          ulCount,     /* attributes in template */
+  CK_OBJECT_HANDLE_PTR phObject  /* receives new object's handle. */
+);
+#endif
+
+
+/* C_CopyObject copies an object, creating a new object for the copy. */
+CK_EXTERN _CK_RV CK_FUNC(C_CopyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,    /* the session's handle */
+  CK_OBJECT_HANDLE     hObject,     /* the object's handle */
+  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new object */
+  CK_ULONG             ulCount,     /* attributes in template */
+  CK_OBJECT_HANDLE_PTR phNewObject  /* receives handle of copy */
+);
+#endif
+
+
+/* C_DestroyObject destroys an object. */
+CK_EXTERN _CK_RV CK_FUNC(C_DestroyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hObject    /* the object's handle */
+);
+#endif
+
+
+/* C_GetObjectSize gets the size of an object in bytes. */
+CK_EXTERN _CK_RV CK_FUNC(C_GetObjectSize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,   /* the object's handle */
+  CK_ULONG_PTR      pulSize    /* receives size of object */
+);
+#endif
+
+
+/* C_GetAttributeValue obtains the value of one or more object
+attributes. */
+CK_EXTERN _CK_RV CK_FUNC(C_GetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attributes, gets values */
+  CK_ULONG          ulCount     /* attributes in template */
+);
+#endif
+
+
+/* C_SetAttributeValue modifies the value of one or more object
+attributes */
+CK_EXTERN _CK_RV CK_FUNC(C_SetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attributes and values */
+  CK_ULONG          ulCount     /* attributes in template */
+);
+#endif
+
+
+/* C_FindObjectsInit initializes a search for token and session objects 
+ * that match a template. */
+CK_EXTERN _CK_RV CK_FUNC(C_FindObjectsInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* attribute values to match */
+  CK_ULONG          ulCount     /* attributes in search template */
+);
+#endif
+
+
+/* C_FindObjects continues a search for token and session objects 
+ * that match a template, obtaining additional object handles. */
+CK_EXTERN _CK_RV CK_FUNC(C_FindObjects)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE    hSession,          /* the session's handle */
+ CK_OBJECT_HANDLE_PTR phObject,          /* receives object handle array
+*/
+ CK_ULONG             ulMaxObjectCount,  /* max handles to be returned
+*/
+ CK_ULONG_PTR         pulObjectCount     /* actual number returned */
+);
+#endif
+
+
+/* C_FindObjectsFinal finishes a search for token and session objects.
+*/
+CK_EXTERN _CK_RV CK_FUNC(C_FindObjectsFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Encryption and decryption */
+
+/* C_EncryptInit initializes an encryption operation. */
+CK_EXTERN _CK_RV CK_FUNC(C_EncryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the encryption mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of encryption key */
+);
+#endif
+
+
+/* C_Encrypt encrypts single-part data. */
+CK_EXTERN _CK_RV CK_FUNC(C_Encrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* the session's handle */
+  CK_BYTE_PTR       pData,               /* the plaintext data */
+  CK_ULONG          ulDataLen,           /* bytes of plaintext data */
+  CK_BYTE_PTR       pEncryptedData,      /* receives encrypted data */
+  CK_ULONG_PTR      pulEncryptedDataLen  /* receives encrypted byte
+count */
+);
+#endif
+
+
+/* C_EncryptUpdate continues a multiple-part encryption operation. */
+CK_EXTERN _CK_RV CK_FUNC(C_EncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,           /* the session's handle */
+  CK_BYTE_PTR       pPart,              /* the plaintext data */
+  CK_ULONG          ulPartLen,          /* bytes of plaintext data */
+  CK_BYTE_PTR       pEncryptedPart,     /* receives encrypted data */
+  CK_ULONG_PTR      pulEncryptedPartLen /* receives encrypted byte count
+*/
+);
+#endif
+
+
+/* C_EncryptFinal finishes a multiple-part encryption operation. */
+CK_EXTERN _CK_RV CK_FUNC(C_EncryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,                /* the session's handle */
+  CK_BYTE_PTR       pLastEncryptedPart,      /* receives encrypted last
+part */
+  CK_ULONG_PTR      pulLastEncryptedPartLen  /* receives byte count */
+);
+#endif
+
+
+/* C_DecryptInit initializes a decryption operation. */
+CK_EXTERN _CK_RV CK_FUNC(C_DecryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the decryption mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of the decryption key */
+);
+#endif
+
+
+/* C_Decrypt decrypts encrypted data in a single part. */
+CK_EXTERN _CK_RV CK_FUNC(C_Decrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,           /* the session's handle */
+  CK_BYTE_PTR       pEncryptedData,     /* input encrypted data */
+  CK_ULONG          ulEncryptedDataLen, /* count of bytes of input */
+  CK_BYTE_PTR       pData,              /* receives decrypted output */
+  CK_ULONG_PTR      pulDataLen          /* receives decrypted byte count
+*/
+);
+#endif
+
+
+/* C_DecryptUpdate continues a multiple-part decryption operation. */
+CK_EXTERN _CK_RV CK_FUNC(C_DecryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* the session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* input encrypted data */
+  CK_ULONG          ulEncryptedPartLen,  /* count of bytes of input */
+  CK_BYTE_PTR       pPart,               /* receives decrypted output */
+  CK_ULONG_PTR      pulPartLen           /* receives decrypted byte
+count */
+);
+#endif
+
+
+/* C_DecryptFinal finishes a multiple-part decryption operation. */
+CK_EXTERN _CK_RV CK_FUNC(C_DecryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pLastPart,      /* receives decrypted output */
+  CK_ULONG_PTR      pulLastPartLen  /* receives decrypted byte count */
+);
+#endif
+
+
+
+/* Message digesting */
+
+/* C_DigestInit initializes a message-digesting operation. */
+CK_EXTERN _CK_RV CK_FUNC(C_DigestInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism  /* the digesting mechanism */
+);
+#endif
+
+
+/* C_Digest digests data in a single part. */
+CK_EXTERN _CK_RV CK_FUNC(C_Digest)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_BYTE_PTR       pData,        /* data to be digested */
+  CK_ULONG          ulDataLen,    /* bytes of data to be digested */
+  CK_BYTE_PTR       pDigest,      /* receives the message digest */
+  CK_ULONG_PTR      pulDigestLen  /* receives byte length of digest */
+);
+#endif
+
+
+/* C_DigestUpdate continues a multiple-part message-digesting operation.
+*/
+CK_EXTERN _CK_RV CK_FUNC(C_DigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* data to be digested */
+  CK_ULONG          ulPartLen  /* bytes of data to be digested */
+);
+#endif
+
+
+/* C_DigestKey continues a multi-part message-digesting operation, by
+ * digesting the value of a secret key as part of the data already
+digested.
+ */
+CK_EXTERN _CK_RV CK_FUNC(C_DigestKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hKey       /* handle of secret key to digest */
+);
+#endif
+
+
+/* C_DigestFinal finishes a multiple-part message-digesting operation.
+*/
+CK_EXTERN _CK_RV CK_FUNC(C_DigestFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_BYTE_PTR       pDigest,      /* receives the message digest */
+  CK_ULONG_PTR      pulDigestLen  /* receives byte count of digest */
+);
+#endif
+
+
+
+/* Signing and MACing */
+
+/* C_SignInit initializes a signature (private key encryption)
+operation,
+ * where the signature is (will be) an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+CK_EXTERN _CK_RV CK_FUNC(C_SignInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the signature mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of the signature key */
+);
+#endif
+
+
+/* C_Sign signs (encrypts with private key) data in a single part,
+ * where the signature is (will be) an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+CK_EXTERN _CK_RV CK_FUNC(C_Sign)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pData,           /* the data (digest) to be signed
+*/
+  CK_ULONG          ulDataLen,       /* count of bytes to be signed */
+  CK_BYTE_PTR       pSignature,      /* receives the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* receives byte count of signature
+*/
+);
+#endif
+
+
+/* C_SignUpdate continues a multiple-part signature operation,
+ * where the signature is (will be) an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+CK_EXTERN _CK_RV CK_FUNC(C_SignUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* the data (digest) to be signed */
+  CK_ULONG          ulPartLen  /* count of bytes to be signed */
+);
+#endif
+
+
+/* C_SignFinal finishes a multiple-part signature operation, 
+ * returning the signature. */
+CK_EXTERN _CK_RV CK_FUNC(C_SignFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pSignature,      /* receives the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* receives byte count of signature
+*/
+);
+#endif
+
+
+/* C_SignRecoverInit initializes a signature operation,
+ * where the (digest) data can be recovered from the signature. 
+ * E.g. encryption with the user's private key */
+CK_EXTERN _CK_RV CK_FUNC(C_SignRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism, /* the signature mechanism */
+  CK_OBJECT_HANDLE  hKey        /* handle of the signature key */
+);
+#endif
+
+
+/* C_SignRecover signs data in a single operation
+ * where the (digest) data can be recovered from the signature. 
+ * E.g. encryption with the user's private key */
+CK_EXTERN _CK_RV CK_FUNC(C_SignRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pData,           /* the data (digest) to be signed
+*/
+  CK_ULONG          ulDataLen,       /* count of bytes to be signed */
+  CK_BYTE_PTR       pSignature,      /* receives the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* receives byte count of signature
+*/
+);
+#endif
+
+
+
+/* Verifying signatures and MACs */
+
+/* C_VerifyInit initializes a verification operation, 
+ * where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature (e.g. DSA) */
+CK_EXTERN _CK_RV CK_FUNC(C_VerifyInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of the verification key */ 
+);
+#endif
+
+
+/* C_Verify verifies a signature in a single-part operation, 
+ * where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+CK_EXTERN _CK_RV CK_FUNC(C_Verify)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pData,          /* plaintext data (digest) to
+compare */
+  CK_ULONG          ulDataLen,      /* length of data (digest) in bytes
+*/
+  CK_BYTE_PTR       pSignature,     /* the signature to be verified */
+  CK_ULONG          ulSignatureLen  /* count of bytes of signature */
+);
+#endif
+
+
+/* C_VerifyUpdate continues a multiple-part verification operation, 
+ * where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+CK_EXTERN _CK_RV CK_FUNC(C_VerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* plaintext data (digest) to compare */
+  CK_ULONG          ulPartLen  /* length of data (digest) in bytes */
+);
+#endif
+
+
+/* C_VerifyFinal finishes a multiple-part verification operation, 
+ * checking the signature. */
+CK_EXTERN _CK_RV CK_FUNC(C_VerifyFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pSignature,     /* the signature to be verified */
+  CK_ULONG          ulSignatureLen  /* count of bytes of signature */
+);
+#endif
+
+
+/* C_VerifyRecoverInit initializes a signature verification operation, 
+ * where the data is recovered from the signature. 
+ * E.g. Decryption with the user's public key */
+CK_EXTERN _CK_RV CK_FUNC(C_VerifyRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of the verification key */
+);
+#endif
+
+
+/* C_VerifyRecover verifies a signature in a single-part operation, 
+ * where the data is recovered from the signature. 
+ * E.g. Decryption with the user's public key */
+CK_EXTERN _CK_RV CK_FUNC(C_VerifyRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pSignature,      /* the signature to be verified */
+  CK_ULONG          ulSignatureLen,  /* count of bytes of signature */
+  CK_BYTE_PTR       pData,           /* receives decrypted data (digest)
+*/
+  CK_ULONG_PTR      pulDataLen       /* receives byte count of data */
+);
+#endif
+
+
+
+/* Dual-function cryptographic operations */
+
+/* C_DigestEncryptUpdate continues a multiple-part digesting and
+encryption operation. */
+CK_EXTERN _CK_RV CK_FUNC(C_DigestEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* the session's handle */
+  CK_BYTE_PTR       pPart,               /* the plaintext data */
+  CK_ULONG          ulPartLen,           /* bytes of plaintext data */
+  CK_BYTE_PTR       pEncryptedPart,      /* receives encrypted data */
+  CK_ULONG_PTR      pulEncryptedPartLen  /* receives encrypted byte
+count */
+);
+#endif
+
+
+/* C_DecryptDigestUpdate continues a multiple-part decryption and
+ * digesting operation. */
+CK_EXTERN _CK_RV CK_FUNC(C_DecryptDigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* the session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* input encrypted data */
+  CK_ULONG          ulEncryptedPartLen,  /* count of bytes of input */
+  CK_BYTE_PTR       pPart,               /* receives decrypted output */
+  CK_ULONG_PTR      pulPartLen           /* receives decrypted byte
+count */
+);
+#endif
+
+
+/* C_SignEncryptUpdate continues a multiple-part signing and
+ * encryption operation. */
+CK_EXTERN _CK_RV CK_FUNC(C_SignEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* the session's handle */
+  CK_BYTE_PTR       pPart,               /* the plaintext data */
+  CK_ULONG          ulPartLen,           /* bytes of plaintext data */
+  CK_BYTE_PTR       pEncryptedPart,      /* receives encrypted data */
+  CK_ULONG_PTR      pulEncryptedPartLen  /* receives encrypted byte
+count */
+);
+#endif
+
+
+/* C_DecryptVerifyUpdate continues a multiple-part decryption and
+ * verify operation. */
+CK_EXTERN _CK_RV CK_FUNC(C_DecryptVerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* the session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* input encrypted data */
+  CK_ULONG          ulEncryptedPartLen,  /* count of byes of input */
+  CK_BYTE_PTR       pPart,               /* receives decrypted output */
+  CK_ULONG_PTR      pulPartLen           /* receives decrypted byte
+count */
+);
+#endif
+
+
+
+/* Key management */
+
+/* C_GenerateKey generates a secret key, creating a new key object. */
+CK_EXTERN _CK_RV CK_FUNC(C_GenerateKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,    /* the session's handle */
+  CK_MECHANISM_PTR     pMechanism,  /* the key generation mechanism */
+  CK_ATTRIBUTE_PTR     pTemplate,   /* template for the new key */
+  CK_ULONG             ulCount,     /* number of attributes in template
+*/
+  CK_OBJECT_HANDLE_PTR phKey        /* receives handle of new key */
+);
+#endif
+
+
+/* C_GenerateKeyPair generates a public-key/private-key pair, 
+ * creating new key objects. */
+CK_EXTERN _CK_RV CK_FUNC(C_GenerateKeyPair)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,                    /* the session's
+handle */
+  CK_MECHANISM_PTR     pMechanism,                  /* the key gen.
+mech. */
+  CK_ATTRIBUTE_PTR     pPublicKeyTemplate,          /* pub. attr.
+template */
+  CK_ULONG             ulPublicKeyAttributeCount,   /* # of pub. attrs.
+*/
+  CK_ATTRIBUTE_PTR     pPrivateKeyTemplate,         /* priv. attr.
+template */
+  CK_ULONG             ulPrivateKeyAttributeCount,  /* # of priv. attrs.
+*/
+  CK_OBJECT_HANDLE_PTR phPublicKey,                 /* gets pub. key
+handle */
+  CK_OBJECT_HANDLE_PTR phPrivateKey                 /* gets priv. key
+handle */
+);
+#endif
+
+
+/* C_WrapKey wraps (i.e., encrypts) a key. */
+CK_EXTERN _CK_RV CK_FUNC(C_WrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,      /* the wrapping mechanism */
+  CK_OBJECT_HANDLE  hWrappingKey,    /* handle of the wrapping key */
+  CK_OBJECT_HANDLE  hKey,            /* handle of the key to be wrapped
+*/
+  CK_BYTE_PTR       pWrappedKey,     /* receives the wrapped key */
+  CK_ULONG_PTR      pulWrappedKeyLen /* receives byte size of wrapped
+key */
+);
+#endif
+
+
+/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new key
+object. */
+CK_EXTERN _CK_RV CK_FUNC(C_UnwrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,          /* the session's handle */
+  CK_MECHANISM_PTR     pMechanism,        /* the unwrapping mechanism */
+  CK_OBJECT_HANDLE     hUnwrappingKey,    /* handle of the unwrapping
+key */
+  CK_BYTE_PTR          pWrappedKey,       /* the wrapped key */
+  CK_ULONG             ulWrappedKeyLen,   /* bytes length of wrapped key
+*/
+  CK_ATTRIBUTE_PTR     pTemplate,         /* template for the new key */
+  CK_ULONG             ulAttributeCount,  /* # of attributes in template
+*/
+  CK_OBJECT_HANDLE_PTR phKey              /* gets handle of recovered
+key */
+);
+#endif
+
+
+/* C_DeriveKey derives a key from a base key, creating a new key object.
+*/
+CK_EXTERN _CK_RV CK_FUNC(C_DeriveKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,          /* the session's handle */
+  CK_MECHANISM_PTR     pMechanism,        /* the key derivation
+mechanism */
+  CK_OBJECT_HANDLE     hBaseKey,          /* handle of the base key */
+  CK_ATTRIBUTE_PTR     pTemplate,         /* template for the new key */
+  CK_ULONG             ulAttributeCount,  /* # of attributes in template
+*/
+  CK_OBJECT_HANDLE_PTR phKey              /* gets handle of derived key
+*/
+);
+#endif
+
+
+
+/* Random number generation */
+
+/* C_SeedRandom mixes additional seed material into the token's random
+number 
+ * generator. */
+CK_EXTERN _CK_RV CK_FUNC(C_SeedRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pSeed,     /* the seed material */
+  CK_ULONG          ulSeedLen  /* count of bytes of seed material */
+);
+#endif
+
+
+/* C_GenerateRandom generates random data. */
+CK_EXTERN _CK_RV CK_FUNC(C_GenerateRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_BYTE_PTR       RandomData,  /* receives the random data */
+  CK_ULONG          ulRandomLen  /* number of bytes to be generated */
+);
+#endif
+
+
+
+/* Parallel function management */
+
+/* C_GetFunctionStatus obtains an updated status of a function running 
+ * in parallel with an application. */
+CK_EXTERN _CK_RV CK_FUNC(C_GetFunctionStatus)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+/* C_CancelFunction cancels a function running in parallel. */
+CK_EXTERN _CK_RV CK_FUNC(C_CancelFunction)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Functions added in for PKCS #11 Version 2.01 or later */
+
+/* C_WaitForSlotEvent waits for a slot event (token insertion,
+ * removal, etc.) to occur. */
+CK_EXTERN _CK_RV CK_FUNC(C_WaitForSlotEvent)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_FLAGS flags,        /* blocking/nonblocking flag */
+  CK_SLOT_ID_PTR pSlot,  /* location that receives the slot ID */
+  CK_VOID_PTR pRserved   /* reserved.  Should be NULL_PTR */
+);
+#endif
diff --git a/security/nss/lib/fortcrypt/fpkcs11i.h b/security/nss/lib/fortcrypt/fpkcs11i.h
new file mode 100644
index 000000000..9359bb8d6
--- /dev/null
+++ b/security/nss/lib/fortcrypt/fpkcs11i.h
@@ -0,0 +1,269 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * Internal data structures used by pkcs11.c
+ */
+#ifndef _FPKCS11I_H_
+#define _FPKCS11I_H_ 1
+
+#include "fpkstrs.h"
+#ifdef SWFORT
+#ifndef RETURN_TYPE
+#define RETURN_TYPE int
+#endif
+#endif
+#include "genci.h"
+
+typedef struct PK11AttributeStr PK11Attribute;
+typedef struct PK11ObjectListStr PK11ObjectList;
+typedef struct PK11ObjectListElementStr PK11ObjectListElement;
+typedef struct PK11ObjectStr PK11Object;
+typedef struct PK11SessionStr PK11Session;
+typedef struct PK11SlotStr PK11Slot;
+typedef struct PK11SessionContextStr PK11SessionContext;
+typedef struct PK11SearchResultsStr PK11SearchResults;
+
+typedef void (*PK11Destroy)(void *, PRBool);
+typedef SECStatus (*PK11Cipher)(void *,void *,unsigned int *,unsigned int,
+					void *, unsigned int);
+typedef SECStatus (*PK11Verify)(void *,void *,unsigned int,void *,unsigned int);
+typedef void (*PK11Hash)(void *,void *,unsigned int);
+typedef void (*PK11End)(void *,void *,unsigned int *,unsigned int);
+typedef void (*PK11Free)(void *);
+
+#define HASH_SIZE 32
+#define SESSION_HASH_SIZE 64
+
+/* Value to tell if an attribute is modifiable or not.
+ *    NEVER: attribute is only set on creation.
+ *    ONCOPY: attribute is set on creation and can only be changed on copy.
+ *    SENSITIVE: attribute can only be changed to TRUE.
+ *    ALWAYS: attribute can always be changed.
+ */
+typedef enum {
+	PK11_NEVER = 0,
+	PK11_ONCOPY = 1,
+	PK11_SENSITIVE = 2,
+	PK11_ALWAYS = 3
+} PK11ModifyType;
+
+/*
+ * Free Status Enum... tell us more information when we think we're
+ * deleting an object.
+ */
+typedef enum {
+	PK11_DestroyFailure,
+	PK11_Destroyed,
+	PK11_Busy
+} PK11FreeStatus;
+
+/*
+ * attribute values of an object.
+ */
+struct PK11AttributeStr {
+    PK11Attribute  	*next;
+    PK11Attribute  	*prev;
+    int 		refCount;
+    void 		*refLock; 
+    /*must be called handle to make pk11queue_find work */
+    CK_ATTRIBUTE_TYPE	handle;
+    CK_ATTRIBUTE 	attrib;
+};
+
+struct PK11ObjectListStr {
+    PK11ObjectList *next;
+    PK11ObjectList *prev;
+    PK11Object	   *parent;
+};
+
+/*
+ * PKCS 11 crypto object structure
+ */
+struct PK11ObjectStr {
+    PK11Object *next;
+    PK11Object *prev;
+    PK11ObjectList sessionList;
+    CK_OBJECT_HANDLE handle;
+    int refCount;
+    void 		*refLock;
+    void		*attributeLock;
+    PK11Session   	*session;
+    PK11Slot	   	*slot;
+    CK_OBJECT_CLASS 	objclass;
+    void 		*objectInfo;
+    PK11Free 		infoFree;
+    char		*label;
+    PRBool		inDB;
+    PK11Attribute 	*head[HASH_SIZE];
+};
+
+/*
+ * struct to deal with a temparary list of objects
+ */
+struct PK11ObjectListElementStr {
+    PK11ObjectListElement	*next;
+    PK11Object 			*object;
+};
+
+/*
+ * Area to hold Search results
+ */
+struct PK11SearchResultsStr {
+    CK_OBJECT_HANDLE	*handles;
+    int			size;
+    int			index;
+};
+
+
+/* 
+ * the universal crypto/hash/sign/verify context structure
+ */
+typedef enum {
+    PK11_ENCRYPT,
+    PK11_DECRYPT,
+    PK11_HASH,
+    PK11_SIGN,
+    PK11_SIGN_RECOVER,
+    PK11_VERIFY,
+    PK11_VERIFY_RECOVER
+} PK11ContextType;
+
+
+struct PK11SessionContextStr {
+    PK11ContextType	type;
+    PRBool		multi; /* is multipart */
+    void		*cipherInfo;
+    unsigned int	cipherInfoLen;
+    CK_MECHANISM_TYPE	currentMech;
+    PK11Cipher		update;
+    PK11Hash		hashUpdate;
+    PK11End		end;
+    PK11Destroy		destroy;
+    PK11Verify		verify;
+    unsigned int	maxLen;
+};
+
+/*
+ * Sessions (have objects)
+ */
+struct PK11SessionStr {
+    PK11Session        *next;
+    PK11Session        *prev;
+    CK_SESSION_HANDLE	handle;
+    int			refCount;
+    void 		*refLock;
+    void		*objectLock;
+    int			objectIDCount;
+    CK_SESSION_INFO	info;
+    CK_NOTIFY		notify;
+    CK_VOID_PTR		appData;
+    PK11Slot		*slot;
+    PK11SearchResults	*search;
+    PK11SessionContext	*context;
+    PK11ObjectList	*objects[1];
+    FortezzaContext     fortezzaContext;
+};
+
+/*
+ * slots (have sessions and objects)
+ */
+struct PK11SlotStr {
+    CK_SLOT_ID		slotID;
+    void		*sessionLock;
+    void		*objectLock;
+    SECItem      	*password;
+    PRBool		hasTokens;
+    PRBool		isLoggedIn;
+    PRBool		ssoLoggedIn;
+    PRBool		needLogin;
+    PRBool		DB_loaded;
+    int			sessionIDCount;
+    int			sessionCount;
+    int			rwSessionCount;
+    int			tokenIDCount;
+    PK11Object		*tokObjects[HASH_SIZE];
+    PK11Session		*head[SESSION_HASH_SIZE];
+};
+
+/*
+ * session handle modifiers
+ */
+#define PK11_PRIVATE_KEY_FLAG	0x80000000L
+
+/*
+ * object handle modifiers
+ */
+#define PK11_TOKEN_MASK		0x80000000L
+#define PK11_TOKEN_MAGIC	0x80000000L
+#define PK11_TOKEN_TYPE_MASK	0x70000000L
+#define PK11_TOKEN_TYPE_CERT	0x00000000L
+#define PK11_TOKEN_TYPE_PRIV	0x10000000L
+
+/* how big a password/pin we can deal with */
+#define PK11_MAX_PIN	255
+
+/* slot helper macros */
+#define pk11_SlotFromSessionHandle(handle) (((handle) & PK11_PRIVATE_KEY_FLAG)\
+			 ? &pk11_slot[1] : &pk11_slot[0])
+#define PK11_TOSLOT1(handle) handle &= ~PK11_PRIVATE_KEY_FLAG
+#define PK11_TOSLOT2(handle) handle |= PK11_PRIVATE_KEY_FLAG
+#define pk11_SlotFromSession(sp) ((sp)->slot)
+#define pk11_SlotFromID(id) ((id) == NETSCAPE_SLOT_ID ? \
+	&pk11_slot[0] : (((id) == PRIVATE_KEY_SLOT_ID) ? &pk11_slot[1] : NULL))
+#define pk11_isToken(id) (((id) & PK11_TOKEN_MASK) == PK11_TOKEN_MAGIC)
+
+/* queueing helper macros */
+#define pk11_hash(value,size) ((value) & (size-1))/*size must be a power of 2*/
+#define pk11queue_add(element,id,head,hash_size) \
+	{ int tmp = pk11_hash(id,hash_size); \
+	(element)->next = (head)[tmp]; \
+	(element)->prev = NULL; \
+	if ((head)[tmp]) (head)[tmp]->prev = (element); \
+	(head)[tmp] = (element); }
+#define pk11queue_find(element,id,head,hash_size) \
+	for( (element) = (head)[pk11_hash(id,hash_size)]; (element) != NULL; \
+					 (element) = (element)->next) { \
+	    if ((element)->handle == (id)) { break; } }
+#define pk11queue_delete(element,id,head,hash_size) \
+	if ((element)->next) (element)->next->prev = (element)->prev; \
+	if ((element)->prev) (element)->prev->next = (element)->next; \
+	   else (head)[pk11_hash(id,hash_size)] = ((element)->next); \
+	(element)->next = NULL; \
+	(element)->prev = NULL; \
+
+/* expand an attribute & secitem structures out */
+#define pk11_attr_expand(ap) (ap)->type,(ap)->pValue,(ap)->ulValueLen
+#define pk11_item_expand(ip) (ip)->data,(ip)->len
+
+#endif
+	
diff --git a/security/nss/lib/fortcrypt/fpkcs11t.h b/security/nss/lib/fortcrypt/fpkcs11t.h
new file mode 100644
index 000000000..f3c6b0470
--- /dev/null
+++ b/security/nss/lib/fortcrypt/fpkcs11t.h
@@ -0,0 +1,1098 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
+ * is granted provided that it is identified as "RSA Security In.c Public-Key
+ * Cryptography Standards (PKCS)" in all material mentioning or referencing
+ * this document.
+ */
+#ifndef _PKCS11T_H_
+#define _PKCS11T_H_ 1
+
+/* an unsigned 8-bit value */
+typedef unsigned char 	CK_BYTE;
+
+/* an unsigned 8-bit character */
+typedef CK_BYTE 	CK_CHAR;
+
+/* a BYTE-sized Boolean flag */
+typedef CK_BYTE		CK_BBOOL;
+
+/* an unsigned value, at least 32 bits long */
+typedef unsigned long int CK_ULONG;
+
+/* a signed value, the same size as a CK_ULONG */
+/* CK_LONG is new for v2.0 */
+typedef long int	CK_LONG;
+
+/* at least 32 bits, each bit is a Boolean flag */
+typedef CK_ULONG 	CK_FLAGS;
+
+/* some special values for certain CK_ULONG variables */
+#define CK_UNAVAILABLE_INFORMATION (~0UL)
+#define CK_EFFECTIVELY_INFINITE    0
+
+/* these data types are platform/implementation dependent. */
+#if defined(XP_WIN) 
+#if defined(_WIN32)
+#define CK_ENTRY	
+#define CK_PTR		*	/* definition for Win32 */ 
+#define NULL_PTR 	0	/* NULL pointer */
+#pragma pack(push, cryptoki, 1)
+#else /* win16 */
+#if defined(__WATCOMC__)
+#define CK_ENTRY
+#define CK_PTR		*	/* definition for Win16 */ 
+#define NULL_PTR 	0	/* NULL pointer */
+#pragma pack(push, 1)
+#else /* not Watcom 16-bit */
+#define CK_ENTRY
+#define CK_PTR		*	/* definition for Win16 */ 
+#define NULL_PTR 	0	/* NULL pointer */
+#pragma pack(1)
+#endif
+#endif
+#else /* not windows */
+#define CK_ENTRY
+#define CK_PTR		*	/* definition for UNIX */ 
+#define NULL_PTR 	0	/* NULL pointer */
+#endif
+
+
+typedef CK_BYTE     CK_PTR	CK_BYTE_PTR;     /* Pointer to a CK_BYTE */
+typedef CK_CHAR     CK_PTR	CK_CHAR_PTR;     /* Pointer to a CK_CHAR */
+typedef CK_ULONG    CK_PTR	CK_ULONG_PTR;    /* Pointer to a CK_ULONG */
+typedef void        CK_PTR	CK_VOID_PTR;     /* Pointer to a void */
+typedef CK_VOID_PTR CK_PTR      CK_VOID_PTR_PTR; /* Pointer to a CK_VOID_PTR */
+
+/* The following value is always invalid if used as a session */
+/* handle or object handle */
+#define CK_INVALID_HANDLE 0
+
+typedef struct CK_VERSION {
+    CK_BYTE	major;	/* integer    portion of the version number */
+    CK_BYTE	minor;  /* hundredths portion of the version number */
+} CK_VERSION;
+
+typedef CK_VERSION CK_PTR CK_VERSION_PTR; /* points to a CK_VERSION */
+
+
+typedef struct CK_INFO {
+    CK_VERSION	cryptokiVersion;	/* PKCS #11 interface version number */
+    CK_CHAR	manufacturerID[32];	/* blank padded */
+    CK_FLAGS	flags;			/* must be zero */
+
+    /* libraryDescription and libraryVersion are new for v2.0 */
+    CK_CHAR	libraryDescription[32];	/* blank padded */
+    CK_VERSION	libraryVersion;		/* version of library */
+} CK_INFO;
+
+typedef CK_INFO CK_PTR	CK_INFO_PTR;	/* points to a CK_INFO structure */
+
+
+/* CK_NOTIFICATION enumerates the types of notifications 
+ * that PKCS #11 provides to an application.  */
+/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG for v2.0 */
+typedef CK_ULONG CK_NOTIFICATION;
+#define CKN_SURRENDER		0
+
+
+typedef CK_ULONG	CK_SLOT_ID;
+
+/* CK_SLOT_ID_PTR points to a CK_SLOT_ID.  */
+typedef CK_SLOT_ID CK_PTR	CK_SLOT_ID_PTR;
+
+
+/* CK_SLOT_INFO provides information about a slot. */
+typedef struct CK_SLOT_INFO {
+    CK_CHAR	slotDescription[64];	/* blank padded */
+    CK_CHAR	manufacturerID[32];	/* blank padded */
+    CK_FLAGS	flags;
+
+    /* hardwareVersion and firmwareVersion are new for v2.0 */
+    CK_VERSION	hardwareVersion;	/* version of hardware */
+    CK_VERSION  firmwareVersion;	/* version of firmware */
+} CK_SLOT_INFO;
+
+/* flags:	bits flags that provide capabilities of the slot.
+ *	Bit Flag		Mask		Meaning
+ */
+#define CKF_TOKEN_PRESENT	0x00000001	/* a token is present in the slot */
+#define CKF_REMOVABLE_DEVICE	0x00000002	/* reader supports removable devices*/
+#define CKF_HW_SLOT		0x00000004	/* a hardware slot, not a "soft token"*/
+
+/* CK_SLOT_INFO_PTR points to a CK_SLOT_INFO. */
+typedef CK_SLOT_INFO CK_PTR	CK_SLOT_INFO_PTR;
+
+
+/* CK_TOKEN_INFO provides information about a token. */
+typedef struct CK_TOKEN_INFO {
+    CK_CHAR	label[32];		/* blank padded */
+    CK_CHAR	manufacturerID[32];	/* blank padded */
+    CK_CHAR	model[16];		/* blank padded */
+    CK_CHAR	serialNumber[16];	/* blank padded */
+    CK_FLAGS	flags;			/* see below */
+
+    /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
+     * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
+     * changed from CK_USHORT to CK_ULONG for v2.0 */
+    CK_ULONG	ulMaxSessionCount;	/* max open sessions */
+    CK_ULONG	ulSessionCount;		/* sessions currently open */
+    CK_ULONG	ulMaxRwSessionCount;	/* max R/W sessions */
+    CK_ULONG	ulRwSessionCount;	/* R/W sessions currently open */
+    CK_ULONG	ulMaxPinLen;		/* in bytes */
+    CK_ULONG	ulMinPinLen;		/* in bytes */
+    CK_ULONG	ulTotalPublicMemory;	/* in bytes */
+    CK_ULONG	ulFreePublicMemory;	/* in bytes */
+    CK_ULONG	ulTotalPrivateMemory;	/* in bytes */
+    CK_ULONG	ulFreePrivateMemory;	/* in bytes */
+
+    /* hardwareVersion, firmwareVersion, and time are new for v2.0 */
+    CK_VERSION	hardwareVersion;	/* version of hardware */
+    CK_VERSION	firmwareVersion;	/* version of firmware */
+    CK_CHAR	utcTime[16];		/* time */
+} CK_TOKEN_INFO;
+
+/* The flags parameter is defined as follows:
+ * Table 7-2, Token Information Flags
+ *	Bit Flag		Mask		Meaning 
+ */
+#define CKF_RNG			       0x00000001  /* has random number generator */
+#define CKF_WRITE_PROTECTED	       0x00000002  /* token is write-protected */
+#define CKF_LOGIN_REQUIRED	       0x00000004  /* a user must be logged in  */
+#define CKF_USER_PIN_INITIALIZED       0x00000008  /* normal user's PIN is initialized */
+
+
+/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0.  If it is set, then that means */
+/* that *every* time the state of cryptographic operations of a session is */
+/* successfully saved, all keys needed to continue those operations are */
+/* stored in the state. */
+#define CKF_RESTORE_KEY_NOT_NEEDED   0x00000020  /* key always saved in saved sessions */
+
+/* CKF_CLOCK_ON_TOKEN is new for v2.0.  If it is set, then that means that */
+/* the token has some sort of clock.  The time on that clock is returned in */
+/* the token info structure. */
+#define CKF_CLOCK_ON_TOKEN           0x00000040  /* token has a clock */
+
+/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0.  If it is true, that means */
+/* that there is some way for the user to login without sending a PIN through */
+/* the PKCS #11 library itself. */
+#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100  /* token has protected path */
+/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0.  If it is true, that
+ * means that a single session with the token can perform dual
+ * simultaneous cryptographic operations (digest and encrypt;
+ * decrypt and digest; sign and encrypt; and decrypt and sign) */
+#define CKF_DUAL_CRYPTO_OPERATIONS  0x00000200  /* dual crypto operations */
+
+/* CK_TOKEN_INFO_PTR points to a CK_TOKEN_INFO. */
+typedef CK_TOKEN_INFO CK_PTR	CK_TOKEN_INFO_PTR;
+
+
+/* CK_SESSION_HANDLE is a PKCS #11-assigned value that identifies a session. */
+typedef CK_ULONG 	CK_SESSION_HANDLE;
+
+/* CK_SESSION_HANDLE_PTR points to a CK_SESSION_HANDLE. */
+typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR; 
+
+
+/* CK_USER_TYPE enumerates the types of PKCS #11 users */
+/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for v2.0 */
+typedef CK_ULONG	CK_USER_TYPE;
+/* Security Officer */
+#define CKU_SO		0
+/* Normal user */
+#define CKU_USER	1
+
+
+/* CK_STATE enumerates the session states */
+/* CK_STATE has been changed from an enum to a CK_ULONG for v2.0 */
+typedef CK_ULONG	CK_STATE;
+#define CKS_RO_PUBLIC_SESSION	0
+#define CKS_RO_USER_FUNCTIONS	1
+#define CKS_RW_PUBLIC_SESSION	2
+#define CKS_RW_SO_FUNCTIONS	3
+#define CKS_RW_USER_FUNCTIONS	4
+
+
+/* CK_SESSION_INFO provides information about a session. */
+typedef struct CK_SESSION_INFO {
+    CK_SLOT_ID	slotID;
+    CK_STATE	state;
+    CK_FLAGS	flags;		/* see below */
+
+    /* ulDeviceError was changed from CK_USHORT to CK_ULONG for v2.0 */
+    CK_ULONG	ulDeviceError;	/* device-dependent error code */
+} CK_SESSION_INFO;
+
+/* The flags are defined in the following table. */
+/* Table 7-3, Session Information Flags */
+/* 	Bit Flag		Mask	   Meaning
+ */
+#define CKF_RW_SESSION		0x00000002 /* session is read/write; not R/O */
+#define CKF_SERIAL_SESSION	0x00000004 /* session doesn't support parallel */
+
+/* CK_SESSION_INFO_PTR points to a CK_SESSION_INFO. */
+typedef CK_SESSION_INFO CK_PTR	CK_SESSION_INFO_PTR;
+
+
+/* CK_OBJECT_HANDLE is a token-specific identifier for an object.  */
+typedef CK_ULONG 	CK_OBJECT_HANDLE;
+
+/* CK_OBJECT_HANDLE_PTR points to a CK_OBJECT_HANDLE. */
+typedef CK_OBJECT_HANDLE CK_PTR	CK_OBJECT_HANDLE_PTR;
+
+
+/* CK_OBJECT_CLASS is a value that identifies the classes (or types) 
+ * of objects that PKCS #11 recognizes.  It is defined as follows: */
+/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG	CK_OBJECT_CLASS;
+
+/* The following classes of objects are defined: */
+#define CKO_DATA            0x00000000
+#define CKO_CERTIFICATE     0x00000001
+#define CKO_PUBLIC_KEY      0x00000002
+#define CKO_PRIVATE_KEY     0x00000003
+#define CKO_SECRET_KEY      0x00000004
+#define CKO_VENDOR_DEFINED  0x80000000L
+
+/* CK_OBJECT_CLASS_PTR points to a CK_OBJECT_CLASS structure. */
+typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
+
+
+/* CK_KEY_TYPE is a value that identifies a key type. */
+/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG 	CK_KEY_TYPE;
+
+/* the following key types are defined: */
+#define CKK_RSA			0x00000000
+#define CKK_DSA			0x00000001
+#define CKK_DH			0x00000002
+
+/* CKK_ECDSA, and CKK_KEA are new for v2.0 */
+#define CKK_ECDSA		0x00000003
+#define CKK_KEA			0x00000005
+
+#define CKK_GENERIC_SECRET	0x00000010
+#define CKK_RC2			0x00000011
+#define CKK_RC4			0x00000012
+#define CKK_DES			0x00000013
+#define CKK_DES2		0x00000014
+#define CKK_DES3		0x00000015
+
+/* all these key types are new for v2.0 */
+#define CKK_CAST		0x00000016
+#define CKK_CAST3		0x00000017
+#define CKK_CAST5		0x00000018
+#define CKK_RC5			0x00000019
+#define CKK_IDEA		0x0000001A
+#define CKK_SKIPJACK		0x0000001B
+#define CKK_BATON		0x0000001C
+#define CKK_JUNIPER		0x0000001D
+#define CKK_CDMF		0x0000001E
+
+#define CKK_VENDOR_DEFINED	0x80000000L
+
+/* CK_CERTIFICATE_TYPE is a value that identifies a certificate type. */
+/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG 	CK_CERTIFICATE_TYPE;
+
+/* The following certificate types are defined: */
+#define CKC_X_509           0x00000000
+#define CKC_VENDOR_DEFINED  0x80000000L
+
+
+/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute type. */
+/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG	CK_ATTRIBUTE_TYPE;
+
+/* The following attribute types are defined: */
+#define CKA_CLASS              0x00000000
+#define CKA_TOKEN              0x00000001
+#define CKA_PRIVATE            0x00000002
+#define CKA_LABEL              0x00000003
+#define CKA_APPLICATION        0x00000010
+#define CKA_VALUE              0x00000011
+#define CKA_CERTIFICATE_TYPE   0x00000080
+#define CKA_ISSUER             0x00000081
+#define CKA_SERIAL_NUMBER      0x00000082
+#define CKA_KEY_TYPE           0x00000100
+#define CKA_SUBJECT            0x00000101
+#define CKA_ID                 0x00000102
+#define CKA_SENSITIVE          0x00000103
+#define CKA_ENCRYPT            0x00000104
+#define CKA_DECRYPT            0x00000105
+#define CKA_WRAP               0x00000106
+#define CKA_UNWRAP             0x00000107
+#define CKA_SIGN               0x00000108
+#define CKA_SIGN_RECOVER       0x00000109
+#define CKA_VERIFY             0x0000010A
+#define CKA_VERIFY_RECOVER     0x0000010B
+#define CKA_DERIVE             0x0000010C
+#define CKA_START_DATE         0x00000110
+#define CKA_END_DATE           0x00000111
+#define CKA_MODULUS            0x00000120
+#define CKA_MODULUS_BITS       0x00000121
+#define CKA_PUBLIC_EXPONENT    0x00000122
+#define CKA_PRIVATE_EXPONENT   0x00000123
+#define CKA_PRIME_1            0x00000124
+#define CKA_PRIME_2            0x00000125
+#define CKA_EXPONENT_1         0x00000126
+#define CKA_EXPONENT_2         0x00000127
+#define CKA_COEFFICIENT        0x00000128
+#define CKA_PRIME              0x00000130
+#define CKA_SUBPRIME           0x00000131
+#define CKA_BASE               0x00000132
+#define CKA_VALUE_BITS         0x00000160
+#define CKA_VALUE_LEN          0x00000161
+
+/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE, CKA_ALWAYS_SENSITIVE, */
+/* and CKA_MODIFIABLE are new for v2.0 */
+#define CKA_EXTRACTABLE        0x00000162
+#define CKA_LOCAL              0x00000163
+#define CKA_NEVER_EXTRACTABLE  0x00000164
+#define CKA_ALWAYS_SENSITIVE   0x00000165
+#define CKA_MODIFIABLE         0x00000170
+
+#define CKA_VENDOR_DEFINED     0x80000000L
+
+/* CK_ATTRIBUTE is a structure that includes the type, length and value 
+ * of an attribute.  */
+typedef struct CK_ATTRIBUTE {
+    CK_ATTRIBUTE_TYPE	type;
+    CK_VOID_PTR		pValue;
+
+    /* ulValueLen was changed from CK_USHORT to CK_ULONG for v2.0 */
+    CK_ULONG		ulValueLen;	/* in bytes */
+} CK_ATTRIBUTE;
+
+/* CK_ATTRIBUTE_PTR points to a CK_ATTRIBUTE. */
+typedef CK_ATTRIBUTE CK_PTR	CK_ATTRIBUTE_PTR;
+
+
+/* CK_DATE is a structure that defines a date. */
+typedef struct CK_DATE{
+    CK_CHAR		year[4];	/* the year ("1900" - "9999")	*/
+    CK_CHAR		month[2];	/* the month ("01" - "12")	*/
+    CK_CHAR		day[2];		/* the day   ("01" - "31")	*/
+} CK_DATE;
+
+
+/* CK_MECHANISM_TYPE is a value that identifies a mechanism type. */
+/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG	CK_MECHANISM_TYPE;
+
+/* the following mechanism types are defined: */
+#define CKM_RSA_PKCS_KEY_PAIR_GEN      0x00000000
+#define CKM_RSA_PKCS                   0x00000001
+#define CKM_RSA_9796                   0x00000002
+#define CKM_RSA_X_509                  0x00000003
+
+/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS are */
+/* new for v2.0.  They are mechanisms which hash and sign */
+#define CKM_MD2_RSA_PKCS               0x00000004
+#define CKM_MD5_RSA_PKCS               0x00000005
+#define CKM_SHA1_RSA_PKCS              0x00000006
+
+#define CKM_DSA_KEY_PAIR_GEN           0x00000010
+#define CKM_DSA                        0x00000011
+#define CKM_DSA_SHA1                   0x00000012
+#define CKM_DH_PKCS_KEY_PAIR_GEN       0x00000020
+#define CKM_DH_PKCS_DERIVE             0x00000021
+#define CKM_RC2_KEY_GEN                0x00000100
+#define CKM_RC2_ECB                    0x00000101
+#define CKM_RC2_CBC                    0x00000102
+#define CKM_RC2_MAC                    0x00000103
+
+/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new to v2.0 */
+#define CKM_RC2_MAC_GENERAL            0x00000104
+#define CKM_RC2_CBC_PAD                0x00000105
+
+#define CKM_RC4_KEY_GEN                0x00000110
+#define CKM_RC4                        0x00000111
+#define CKM_DES_KEY_GEN                0x00000120
+#define CKM_DES_ECB                    0x00000121
+#define CKM_DES_CBC                    0x00000122
+#define CKM_DES_MAC                    0x00000123
+
+/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new to v2.0 */
+#define CKM_DES_MAC_GENERAL            0x00000124
+#define CKM_DES_CBC_PAD                0x00000125
+
+#define CKM_DES2_KEY_GEN               0x00000130
+#define CKM_DES3_KEY_GEN               0x00000131
+#define CKM_DES3_ECB                   0x00000132
+#define CKM_DES3_CBC                   0x00000133
+#define CKM_DES3_MAC                   0x00000134
+
+/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN, */
+/* CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC, CKM_CDMF_MAC_GENERAL, */
+/* and CKM_CDMF_CBC_PAD are new to v2.0 */
+#define CKM_DES3_MAC_GENERAL           0x00000135
+#define CKM_DES3_CBC_PAD               0x00000136
+#define CKM_CDMF_KEY_GEN               0x00000140
+#define CKM_CDMF_ECB                   0x00000141
+#define CKM_CDMF_CBC                   0x00000142
+#define CKM_CDMF_MAC                   0x00000143
+#define CKM_CDMF_MAC_GENERAL           0x00000144
+#define CKM_CDMF_CBC_PAD               0x00000145
+
+#define CKM_MD2                        0x00000200
+
+/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new to v2.0 */
+#define CKM_MD2_HMAC                   0x00000201
+#define CKM_MD2_HMAC_GENERAL           0x00000202
+
+#define CKM_MD5                        0x00000210
+
+/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new to v2.0 */
+#define CKM_MD5_HMAC                   0x00000211
+#define CKM_MD5_HMAC_GENERAL           0x00000212
+
+#define CKM_SHA_1                      0x00000220
+
+/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new to v2.0 */
+#define CKM_SHA_1_HMAC                 0x00000221
+#define CKM_SHA_1_HMAC_GENERAL         0x00000222
+
+/* All the following mechanisms are new to v2.0 */
+#define CKM_CAST_KEY_GEN               0x00000300
+#define CKM_CAST_ECB                   0x00000301
+#define CKM_CAST_CBC                   0x00000302
+#define CKM_CAST_MAC                   0x00000303
+#define CKM_CAST_MAC_GENERAL           0x00000304
+#define CKM_CAST_CBC_PAD               0x00000305
+#define CKM_CAST3_KEY_GEN              0x00000310
+#define CKM_CAST3_ECB                  0x00000311
+#define CKM_CAST3_CBC                  0x00000312
+#define CKM_CAST3_MAC                  0x00000313
+#define CKM_CAST3_MAC_GENERAL          0x00000314
+#define CKM_CAST3_CBC_PAD              0x00000315
+#define CKM_CAST5_KEY_GEN              0x00000320
+#define CKM_CAST5_ECB                  0x00000321
+#define CKM_CAST5_CBC                  0x00000322
+#define CKM_CAST5_MAC                  0x00000323
+#define CKM_CAST5_MAC_GENERAL          0x00000324
+#define CKM_CAST5_CBC_PAD              0x00000325
+#define CKM_RC5_KEY_GEN                0x00000330
+#define CKM_RC5_ECB                    0x00000331
+#define CKM_RC5_CBC                    0x00000332
+#define CKM_RC5_MAC                    0x00000333
+#define CKM_RC5_MAC_GENERAL            0x00000334
+#define CKM_RC5_CBC_PAD                0x00000335
+#define CKM_IDEA_KEY_GEN               0x00000340
+#define CKM_IDEA_ECB                   0x00000341
+#define CKM_IDEA_CBC                   0x00000342
+#define CKM_IDEA_MAC                   0x00000343
+#define CKM_IDEA_MAC_GENERAL           0x00000344
+#define CKM_IDEA_CBC_PAD               0x00000345
+#define CKM_GENERIC_SECRET_KEY_GEN     0x00000350
+#define CKM_CONCATENATE_BASE_AND_KEY   0x00000360
+#define CKM_CONCATENATE_BASE_AND_DATA  0x00000362
+#define CKM_CONCATENATE_DATA_AND_BASE  0x00000363
+#define CKM_XOR_BASE_AND_DATA          0x00000364
+#define CKM_EXTRACT_KEY_FROM_KEY       0x00000365
+#define CKM_SSL3_PRE_MASTER_KEY_GEN    0x00000370
+#define CKM_SSL3_MASTER_KEY_DERIVE     0x00000371
+#define CKM_SSL3_KEY_AND_MAC_DERIVE    0x00000372
+#define CKM_SSL3_MD5_MAC               0x00000380
+#define CKM_SSL3_SHA1_MAC              0x00000381
+#define CKM_MD5_KEY_DERIVATION         0x00000390
+#define CKM_MD2_KEY_DERIVATION         0x00000391
+#define CKM_SHA1_KEY_DERIVATION        0x00000392
+#define CKM_PBE_MD2_DES_CBC            0x000003A0
+#define CKM_PBE_MD5_DES_CBC            0x000003A1
+#define CKM_PBE_MD5_CAST_CBC           0x000003A2
+#define CKM_PBE_MD5_CAST3_CBC          0x000003A3
+#define CKM_PBE_MD5_CAST5_CBC          0x000003A4
+#define CKM_PBE_SHA1_CAST5_CBC         0x000003A5
+#define CKM_PBE_SHA1_RC4_128           0x000003A6
+#define CKM_PBE_SHA1_RC4_40            0x000003A7
+#define CKM_PBE_SHA1_DES3_EDE_CBC      0x000003A8
+#define CKM_PBE_SHA1_DES2_EDE_CBC      0x000003A9
+#define CKM_PBE_SHA1_RC2_128_CBC       0x000003AA
+#define CKM_PBE_SHA1_RC2_40_CBC        0x000003AB
+#define CKM_KEY_WRAP_LYNKS             0x00000400
+#define CKM_KEY_WRAP_SET_OAEP          0x00000401
+
+/* Fortezza mechanisms */
+#define CKM_SKIPJACK_KEY_GEN           0x00001000
+#define CKM_SKIPJACK_ECB64             0x00001001
+#define CKM_SKIPJACK_CBC64             0x00001002
+#define CKM_SKIPJACK_OFB64             0x00001003
+#define CKM_SKIPJACK_CFB64             0x00001004
+#define CKM_SKIPJACK_CFB32             0x00001005
+#define CKM_SKIPJACK_CFB16             0x00001006
+#define CKM_SKIPJACK_CFB8              0x00001007
+#define CKM_SKIPJACK_WRAP              0x00001008
+#define CKM_SKIPJACK_PRIVATE_WRAP      0x00001009
+#define CKM_SKIPJACK_RELAYX            0x0000100a
+#define CKM_KEA_KEY_PAIR_GEN           0x00001010
+#define CKM_KEA_KEY_DERIVE             0x00001011
+#define CKM_FORTEZZA_TIMESTAMP         0x00001020
+#define CKM_BATON_KEY_GEN              0x00001030
+#define CKM_BATON_ECB128               0x00001031
+#define CKM_BATON_ECB96                0x00001032
+#define CKM_BATON_CBC128               0x00001033
+#define CKM_BATON_COUNTER              0x00001034
+#define CKM_BATON_SHUFFLE              0x00001035
+#define CKM_BATON_WRAP                 0x00001036
+#define CKM_ECDSA_KEY_PAIR_GEN         0x00001040
+#define CKM_ECDSA                      0x00001041
+#define CKM_ECDSA_SHA1                 0x00001042
+#define CKM_JUNIPER_KEY_GEN            0x00001060
+#define CKM_JUNIPER_ECB128             0x00001061
+#define CKM_JUNIPER_CBC128             0x00001062
+#define CKM_JUNIPER_COUNTER            0x00001063
+#define CKM_JUNIPER_SHUFFLE            0x00001064
+#define CKM_JUNIPER_WRAP               0x00001065
+#define CKM_FASTHASH                   0x00001070
+
+#define CKM_VENDOR_DEFINED	       0x80000000L
+
+
+/* CK_MECHANISM_TYPE_PTR points to a CK_MECHANISM_TYPE structure. */
+typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
+
+
+/* CK_MECHANISM is a structure that specifies a particular mechanism.  */
+typedef struct CK_MECHANISM {
+    CK_MECHANISM_TYPE	mechanism;
+    CK_VOID_PTR		pParameter;
+
+    /* ulParameterLen was changed from CK_USHORT to CK_ULONG for v2.0 */
+    CK_ULONG		ulParameterLen;	/* in bytes */
+} CK_MECHANISM;
+
+/* CK_MECHANISM_PTR points to a CK_MECHANISM structure. */
+typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
+
+
+/* CK_MECHANISM_INFO provides information about a particular mechanism. */
+typedef struct CK_MECHANISM_INFO {
+    CK_ULONG		ulMinKeySize;
+    CK_ULONG		ulMaxKeySize;
+    CK_FLAGS		flags;
+} CK_MECHANISM_INFO;
+
+/* The flags are defined as follows.
+ *	Table 7-4, Mechanism Information FLags
+ *	Bit Flag	Mask	Meaning */
+#define CKF_HW			0x00000001 /* performed by HW device; not SW */
+
+/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN, CKG_SIGN_RECOVER, */
+/* CKF_VERIFY, CKF_VERIFY_RECOVER, CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, */
+/* CKF_UNWRAP, and CKF_DERIVE are new for v2.0 */
+#define CKF_ENCRYPT		0x00000100 /* can be used with C_EncryptInit */
+#define CKF_DECRYPT		0x00000200 /* can be used with C_DecryptInit */
+#define CKF_DIGEST		0x00000400 /* can be used with C_DigestInit */
+#define CKF_SIGN 		0x00000800 /* can be used with C_SignInit */
+#define CKF_SIGN_RECOVER	0x00001000 /* can use with C_SignRecoverInit */
+#define CKF_VERIFY		0x00002000 /* can be used with C_VerifyInit */
+#define CKF_VERIFY_RECOVER	0x00004000 /* can use w/ C_VerifyRecoverInit */
+#define CKF_GENERATE		0x00008000L /* can be used with C_GenerateKey */
+#define CKF_GENERATE_KEY_PAIR	0x00010000L /* can use with C_GenerateKeyPair */
+#define CKF_WRAP		0x00020000L /* can be used with C_WrapKey */
+#define CKF_UNWRAP		0x00040000L /* can be used with C_UnwrapKey */
+#define CKF_DERIVE		0x00080000L /* can be used with C_DeriveKey */
+
+#define CKF_EXTENSION		0x80000000L /* Must be FALSE for this version */
+
+/* CK_MECHANISM_INFO_PTR points to a CK_MECHANISM_INFO structure. */
+typedef CK_MECHANISM_INFO CK_PTR	CK_MECHANISM_INFO_PTR;
+
+
+/* CK_RV is a value that identifies the return value of a PKCS #11 function. */
+/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG          CK_RV;
+
+#define CKR_OK                                0x00000000
+#define CKR_CANCEL                            0x00000001
+#define CKR_HOST_MEMORY                       0x00000002
+#define CKR_SLOT_ID_INVALID                   0x00000003
+
+/* CKR_FLAGS_INVALID was removed for v2.0 */
+
+/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
+#define CKR_GENERAL_ERROR                     0x00000005
+#define CKR_FUNCTION_FAILED                   0x00000006
+
+/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
+ * and CKR_CANT_LOCK are new for v2.01 */
+#define CKR_ARGUMENTS_BAD                     0x00000007
+#define CKR_NO_EVENT                          0x00000008
+#define CKR_NEED_TO_CREATE_THREADS            0x00000009
+#define CKR_CANT_LOCK                         0x0000000A
+
+#define CKR_ATTRIBUTE_READ_ONLY               0x00000010
+#define CKR_ATTRIBUTE_SENSITIVE               0x00000011
+#define CKR_ATTRIBUTE_TYPE_INVALID            0x00000012
+#define CKR_ATTRIBUTE_VALUE_INVALID           0x00000013
+#define CKR_DATA_INVALID                      0x00000020
+#define CKR_DATA_LEN_RANGE                    0x00000021
+#define CKR_DEVICE_ERROR                      0x00000030
+#define CKR_DEVICE_MEMORY                     0x00000031
+#define CKR_DEVICE_REMOVED                    0x00000032
+#define CKR_ENCRYPTED_DATA_INVALID            0x00000040
+#define CKR_ENCRYPTED_DATA_LEN_RANGE          0x00000041
+#define CKR_FUNCTION_CANCELED                 0x00000050
+#define CKR_FUNCTION_NOT_PARALLEL             0x00000051
+
+/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
+#define CKR_FUNCTION_NOT_SUPPORTED            0x00000054
+
+#define CKR_KEY_HANDLE_INVALID                0x00000060
+
+/* CKR_KEY_SENSITIVE was removed for v2.0 */
+
+#define CKR_KEY_SIZE_RANGE                    0x00000062
+#define CKR_KEY_TYPE_INCONSISTENT             0x00000063
+
+/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
+ * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
+ * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are
+ * new for v2.0 */
+#define CKR_KEY_NOT_NEEDED                    0x00000064
+#define CKR_KEY_CHANGED                       0x00000065
+#define CKR_KEY_NEEDED                        0x00000066
+#define CKR_KEY_INDIGESTIBLE                  0x00000067
+#define CKR_KEY_FUNCTION_NOT_PERMITTED        0x00000068
+#define CKR_KEY_NOT_WRAPPABLE                 0x00000069
+#define CKR_KEY_UNEXTRACTABLE                 0x0000006A
+
+#define CKR_MECHANISM_INVALID                 0x00000070
+#define CKR_MECHANISM_PARAM_INVALID           0x00000071
+
+/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
+ * were removed for v2.0 */
+#define CKR_OBJECT_HANDLE_INVALID             0x00000082
+#define CKR_OPERATION_ACTIVE                  0x00000090
+#define CKR_OPERATION_NOT_INITIALIZED         0x00000091
+#define CKR_PIN_INCORRECT                     0x000000A0
+#define CKR_PIN_INVALID                       0x000000A1
+#define CKR_PIN_LEN_RANGE                     0x000000A2
+
+/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
+#define CKR_PIN_EXPIRED                       0x000000A3
+#define CKR_PIN_LOCKED                        0x000000A4
+
+#define CKR_SESSION_CLOSED                    0x000000B0
+#define CKR_SESSION_COUNT                     0x000000B1
+#define CKR_SESSION_HANDLE_INVALID            0x000000B3
+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED    0x000000B4
+#define CKR_SESSION_READ_ONLY                 0x000000B5
+#define CKR_SESSION_EXISTS                    0x000000B6
+
+/* CKR_SESSION_READ_ONLY_EXISTS and CKR_SESSION_READ_WRITE_SO_EXISTS
+ * are new for v2.0 */
+#define CKR_SESSION_READ_ONLY_EXISTS          0x000000B7
+#define CKR_SESSION_READ_WRITE_SO_EXISTS      0x000000B8
+
+#define CKR_SIGNATURE_INVALID                 0x000000C0
+#define CKR_SIGNATURE_LEN_RANGE               0x000000C1
+#define CKR_TEMPLATE_INCOMPLETE               0x000000D0
+#define CKR_TEMPLATE_INCONSISTENT             0x000000D1
+#define CKR_TOKEN_NOT_PRESENT                 0x000000E0
+#define CKR_TOKEN_NOT_RECOGNIZED              0x000000E1
+#define CKR_TOKEN_WRITE_PROTECTED             0x000000E2
+#define CKR_UNWRAPPING_KEY_HANDLE_INVALID     0x000000F0
+#define CKR_UNWRAPPING_KEY_SIZE_RANGE         0x000000F1
+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT  0x000000F2
+#define CKR_USER_ALREADY_LOGGED_IN            0x00000100
+#define CKR_USER_NOT_LOGGED_IN                0x00000101
+#define CKR_USER_PIN_NOT_INITIALIZED          0x00000102
+#define CKR_USER_TYPE_INVALID                 0x00000103
+
+/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
+ * are new to v2.01 */
+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN    0x00000104
+#define CKR_USER_TOO_MANY_TYPES               0x00000105
+
+#define CKR_WRAPPED_KEY_INVALID               0x00000110
+#define CKR_WRAPPED_KEY_LEN_RANGE             0x00000112
+#define CKR_WRAPPING_KEY_HANDLE_INVALID       0x00000113
+#define CKR_WRAPPING_KEY_SIZE_RANGE           0x00000114
+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT    0x00000115
+#define CKR_RANDOM_SEED_NOT_SUPPORTED         0x00000120
+
+/* These are new to v2.0 */
+#define CKR_RANDOM_NO_RNG                     0x00000121
+#define CKR_INSERTION_CALLBACK_SET            0x00000140
+#define CKR_INSERTION_CALLBACK_NOT_SUPPORTED  0x00000141
+#define CKR_BUFFER_TOO_SMALL                  0x00000150
+#define CKR_SAVED_STATE_INVALID               0x00000160
+#define CKR_INFORMATION_SENSITIVE             0x00000170
+#define CKR_STATE_UNSAVEABLE                  0x00000180
+
+/* These are new to v2.01 */
+#define CKR_CRYPTOKI_NOT_INITIALIZED          0x00000190
+#define CKR_CRYPTOKI_ALREADY_INITIALIZED      0x00000191
+#define CKR_MUTEX_BAD                         0x000001A0
+#define CKR_MUTEX_NOT_LOCKED                  0x000001A1
+
+#define CKR_VENDOR_DEFINED                    0x80000000L
+
+
+/* CK_NOTIFY is an application callback that processes events. */
+typedef CK_RV (CK_ENTRY CK_PTR CK_NOTIFY)(
+    CK_SESSION_HANDLE	hSession,	/* the session's handle */
+    CK_NOTIFICATION	event,
+    CK_VOID_PTR		pApplication	/* same as passed to C_OpenSession. */
+);
+
+/* CK_FUNCTION_LIST is going to be a structure holding a PKCS #11 spec */
+/* version and pointers of appropriate types to all the PKCS #11 functions. */
+/* CK_FUNCTION_LIST is new for v2.0 */
+typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
+
+typedef CK_FUNCTION_LIST CK_PTR	CK_FUNCTION_LIST_PTR;
+
+typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
+
+/* CK_CREATEMUTEX is an application callback for creating a mutex */
+typedef CK_RV CK_ENTRY (CK_PTR CK_CREATEMUTEX)(
+  CK_VOID_PTR_PTR ppMutex  /* location to receive pointer to mutex */
+);
+
+
+/* CK_DESTROYMUTEX is an application callback for destroying a mutex */
+typedef CK_RV CK_ENTRY (CK_PTR CK_DESTROYMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_LOCKMUTEX is an application callback for locking a mutex */
+typedef CK_RV CK_ENTRY (CK_PTR CK_LOCKMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_UNLOCKMUTEX is an application callback for unlocking a mutex */
+typedef CK_RV CK_ENTRY (CK_PTR CK_UNLOCKMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_C_INITIALIZE_ARGS provides the optional arguments to C_Initialize
+*/
+typedef struct CK_C_INITIALIZE_ARGS {
+  CK_CREATEMUTEX CreateMutex;
+  CK_DESTROYMUTEX DestroyMutex;
+  CK_LOCKMUTEX LockMutex;
+  CK_UNLOCKMUTEX UnlockMutex;
+  CK_FLAGS flags;
+  CK_VOID_PTR pReserved;
+} CK_C_INITIALIZE_ARGS;
+
+/* flags: bit flags that provide capabilities of the slot
+ *      Bit Flag                           Mask       Meaning
+ */
+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001 /* library may not
+                                                       * spawn its own
+                                                       * threads */
+#define CKF_OS_LOCKING_OK                  0x00000002 /* library can use
+                                                       * native operating
+                                                       * system thread
+                                                       * synchronization */
+
+/* CK_C_INITIALIZE_ARGS_PTR is a pointer to a CK_C_INITIALIZE_ARGS */
+typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
+
+
+/* additional flags for parameters to functions */
+
+/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
+#define CKF_DONT_BLOCK     1
+
+/* CK_KEA_DERIVE_PARAMS provides the parameters to the CKM_KEA_DERIVE 
+ * mechanism. */
+/* CK_KEA_DERIVE_PARAMS is new for v2.0 */
+typedef struct CK_KEA_DERIVE_PARAMS {
+    CK_BBOOL	isSender;
+    CK_ULONG	ulRandomLen;
+    CK_BYTE_PTR	pRandomA;
+    CK_BYTE_PTR	pRandomB;
+    CK_ULONG	ulPublicDataLen;
+    CK_BYTE_PTR	pPublicData;
+} CK_KEA_DERIVE_PARAMS;
+
+/* CK_KEA_DERIVE_PARAMS_PTR points to a CK_KEA_DERIVE_PARAMS. */
+typedef CK_KEA_DERIVE_PARAMS CK_PTR	CK_KEA_DERIVE_PARAMS_PTR;
+
+
+/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and CKM_RC2_MAC */
+/* mechanisms.  An instance of CK_RC2_PARAMS just holds the effective keysize. */
+typedef CK_ULONG	CK_RC2_PARAMS;
+
+
+/* CK_RC2_PARAMS_PTR points to a CK_RC2_PARAMS. */
+typedef CK_RC2_PARAMS CK_PTR	CK_RC2_PARAMS_PTR;
+
+
+/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC mechanism. */
+typedef struct CK_RC2_CBC_PARAMS {
+    /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for v2.0 */
+    CK_ULONG	ulEffectiveBits;	/* effective bits (1-1024) */
+
+    CK_BYTE	iv[8];			/* IV for CBC mode */
+} CK_RC2_CBC_PARAMS;
+
+/* CK_RC2_CBC_PARAMS_PTR points to a CK_RC2_CBC_PARAMS. */
+typedef CK_RC2_CBC_PARAMS CK_PTR	CK_RC2_CBC_PARAMS_PTR;
+
+/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the */
+/* CKM_RC2_MAC_GENERAL mechanism. */
+/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef struct CK_RC2_MAC_GENERAL_PARAMS {
+    CK_ULONG	ulEffectiveBits;	/* effective bits (1-1024) */
+    CK_ULONG	ulMacLength;	/* Length of MAC in bytes */
+} CK_RC2_MAC_GENERAL_PARAMS;
+
+typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR	CK_RC2_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and CKM_RC5_MAC */
+/* mechanisms. */
+/* CK_RC5_PARAMS is new for v2.0 */
+typedef struct CK_RC5_PARAMS {
+    CK_ULONG	ulWordsize;		/* wordsize in bits */
+    CK_ULONG	ulRounds;		/* number of rounds */
+} CK_RC5_PARAMS;
+
+/* CK_RC5_PARAMS_PTR points to a CK_RC5_PARAMS. */
+typedef CK_RC5_PARAMS CK_PTR	CK_RC5_PARAMS_PTR;
+
+
+/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC mechanism. */
+/* CK_RC5_CBC_PARAMS is new for v2.0 */
+typedef struct CK_RC5_CBC_PARAMS {
+    CK_ULONG	ulWordsize;		/* wordsize in bits */
+    CK_ULONG	ulRounds;		/* number of rounds */
+    CK_BYTE_PTR	pIv;			/* pointer to IV */
+    CK_ULONG	ulIvLen;		/* length of IV in bytes */
+} CK_RC5_CBC_PARAMS;
+
+/* CK_RC5_CBC_PARAMS_PTR points to a CK_RC5_CBC_PARAMS. */
+typedef CK_RC5_CBC_PARAMS CK_PTR	CK_RC5_CBC_PARAMS_PTR;
+
+
+/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the */
+/* CKM_RC5_MAC_GENERAL mechanism. */
+/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef struct CK_RC5_MAC_GENERAL_PARAMS {
+    CK_ULONG	ulWordsize;		/* wordsize in bits */
+    CK_ULONG	ulRounds;		/* number of rounds */
+    CK_ULONG	ulMacLength;	        /* Length of MAC in bytes */
+} CK_RC5_MAC_GENERAL_PARAMS;
+
+typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR	CK_RC5_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_MAC_GENERAL_PARAMS provides the parameters to most block ciphers' */
+/* MAC_GENERAL mechanisms.  Its value is the length of the MAC. */
+/* CK_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef CK_ULONG		CK_MAC_GENERAL_PARAMS;
+
+typedef CK_MAC_GENERAL_PARAMS CK_PTR	CK_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_PRIVATE_WRAP mechanism */
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */
+typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
+  CK_ULONG      ulPasswordLen;
+  CK_BYTE_PTR   pPassword;
+  CK_ULONG      ulPublicDataLen;
+  CK_BYTE_PTR   pPublicData;
+  CK_ULONG      ulPAndGLen;
+  CK_ULONG      ulQLen;
+  CK_ULONG      ulRandomLen;
+  CK_BYTE_PTR   pRandomA;
+  CK_BYTE_PTR   pPrimeP;
+  CK_BYTE_PTR   pBaseG;
+  CK_BYTE_PTR   pSubprimeQ;
+} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
+
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS_PTR points to a 
+ * CK_SKIPJACK_PRIVATE_WRAP_PARAMS */
+typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
+  CK_SKIPJACK_PRIVATE_WRAP_PTR;
+
+
+/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_RELAYX mechanism */
+/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */
+typedef struct CK_SKIPJACK_RELAYX_PARAMS {
+  CK_ULONG      ulOldWrappedXLen;
+  CK_BYTE_PTR   pOldWrappedX;
+  CK_ULONG      ulOldPasswordLen;
+  CK_BYTE_PTR   pOldPassword;
+  CK_ULONG      ulOldPublicDataLen;
+  CK_BYTE_PTR   pOldPublicData;
+  CK_ULONG      ulOldRandomLen;
+  CK_BYTE_PTR   pOldRandomA;
+  CK_ULONG      ulNewPasswordLen;
+  CK_BYTE_PTR   pNewPassword;
+  CK_ULONG      ulNewPublicDataLen;
+  CK_BYTE_PTR   pNewPublicData;
+  CK_ULONG      ulNewRandomLen;
+  CK_BYTE_PTR   pNewRandomA;
+} CK_SKIPJACK_RELAYX_PARAMS;
+
+/* CK_SKIPJACK_RELAYX_PARAMS_PTR points to a CK_SKIPJACK_RELAYX_PARAMS
+*/
+typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR CK_SKIPJACK_RELAYX_PARAMS_PTR;
+
+typedef struct CK_PBE_PARAMS {
+    CK_CHAR_PTR		pInitVector;
+    CK_CHAR_PTR		pPassword;
+    CK_ULONG		ulPasswordLen;
+    CK_CHAR_PTR		pSalt;
+    CK_ULONG		ulSaltLen;
+    CK_ULONG		ulIteration;
+} CK_PBE_PARAMS;
+
+typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
+
+
+/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the */
+/* CKM_KEY_WRAP_SET_OAEP mechanism. */
+/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */
+typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
+    CK_BYTE		bBC;			/* block contents byte */
+    CK_BYTE_PTR	pX;			/* extra data */
+    CK_ULONG	ulXLen;		/* length of extra data in bytes */
+} CK_KEY_WRAP_SET_OAEP_PARAMS;
+
+/* CK_KEY_WRAP_SET_OAEP_PARAMS_PTR points to a CK_KEY_WRAP_SET_OAEP_PARAMS. */
+typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR	CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
+
+/* CK_BATON_PARAMS provides the parameters to the CKM_BATON_ECB128, */
+/* CKM_BATON_ECB96, CKM_BATON_CBC128, CKM_BATON_COUNTER, and */
+/* CKM_BATON_SHUFFLE mechanisms. */
+/* CK_BATON_PARAMS is new for v2.0 */
+typedef struct CK_BATON_PARAMS {
+    CK_BYTE	iv[24];
+} CK_BATON_PARAMS;
+
+/* CK_BATON_PARAMS_PTR points to a CK_BATON_PARAMS. */
+typedef CK_BATON_PARAMS CK_PTR		CK_BATON_PARAMS_PTR;
+
+
+typedef struct CK_SSL3_RANDOM_DATA {
+  CK_BYTE_PTR  pClientRandom;
+  CK_ULONG     ulClientRandomLen;
+  CK_BYTE_PTR  pServerRandom;
+  CK_ULONG     ulServerRandomLen;
+} CK_SSL3_RANDOM_DATA;
+
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
+  CK_SSL3_RANDOM_DATA RandomInfo;
+  CK_VERSION_PTR pVersion;
+} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+  CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_OUT {
+  CK_OBJECT_HANDLE hClientMacSecret;
+  CK_OBJECT_HANDLE hServerMacSecret;
+  CK_OBJECT_HANDLE hClientKey;
+  CK_OBJECT_HANDLE hServerKey;
+  CK_BYTE_PTR      pIVClient;
+  CK_BYTE_PTR      pIVServer;
+} CK_SSL3_KEY_MAT_OUT;
+
+typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_PARAMS {
+  CK_ULONG                ulMacSizeInBits;
+  CK_ULONG                ulKeySizeInBits;
+  CK_ULONG                ulIVSizeInBits;
+  CK_BBOOL                bIsExport;
+  CK_SSL3_RANDOM_DATA     RandomInfo;
+  CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_SSL3_KEY_MAT_PARAMS;
+
+typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
+
+/* The CK_DERIVATION_STRING_DATA is used for bunches of Deriviation 
+ * Mechanisms. */
+typedef struct CK_KEY_DERIVATION_STRING_DATA {
+    CK_BYTE_PTR pData;
+    CK_ULONG ulLen;
+} CK_KEY_DERIVATION_STRING_DATA;
+typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR CK_KEY_DERIVATION_STRING_DATA_PTR;
+
+/* The CK_EXTRACT_PARAMS is used for the CKM_EXTRACT_KEY_FROM_KEY mechanism. */
+/* CK_EXTRACT_PARAMS is new for v2.0 */
+typedef CK_ULONG CK_EXTRACT_PARAMS;
+
+/* CK_EXTRACT_PARAMS_PTR points to a CK_EXTRACT_PARAMS. */
+typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
+
+
+/* Do not attempt to use these. They are only used by NETSCAPE's internal
+ * PKCS #11 interface. Most of these are place holders for other mechanism
+ * and will change in the future.
+ */
+#define CKM_NETSCAPE_PBE_KEY_GEN		0x80000001L
+#define CKM_NETSCAPE_PBE_SHA1_DES_CBC		0x80000002L
+#define CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC	0x80000003L
+#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC	0x80000004L
+#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC	0x80000005L
+#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4	0x80000006L
+#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4	0x80000007L
+#define CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC	0x80000008L
+#define CKM_TLS_MASTER_KEY_DERIVE		0x80000371L
+#define CKM_TLS_KEY_AND_MAC_DERIVE		0x80000372L
+
+/* define used to pass in the database key for DSA private keys */
+#define CKA_NETSCAPE_DB				0xD5A0DB00L
+#define CKA_NETSCAPE_TRUST			0x80000001L
+
+#if defined(XP_WIN)
+#if defined(_WIN32)
+#pragma pack(pop, cryptoki)
+#else /* win16 */
+#if defined(__WATCOMC__)
+#pragma pack(pop)
+#else /* not Watcom 16-bit */
+#pragma pack()
+#endif
+#endif
+#endif
+
+#endif
diff --git a/security/nss/lib/fortcrypt/fpkmem.h b/security/nss/lib/fortcrypt/fpkmem.h
new file mode 100644
index 000000000..5097828c6
--- /dev/null
+++ b/security/nss/lib/fortcrypt/fpkmem.h
@@ -0,0 +1,48 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#ifndef _FPKMEM_H_
+#define _FPKMEM_H_
+
+#define PORT_Free   free
+#define PORT_Alloc  malloc
+
+#define PORT_Memcmp memcmp
+#define PORT_Memcpy memcpy
+
+#define NUM_SLOTS   32
+
+#if !defined (XP_UNIX) && !defined (_WINDOWS) && !defined (XP_OS2) && !defined (XP_BEOS)
+#define XP_MAC 1 /*Make sure we get this define in for Mac builds*/
+#endif
+
+#endif /*_FPKMEM_H_*/
diff --git a/security/nss/lib/fortcrypt/fpkstrs.h b/security/nss/lib/fortcrypt/fpkstrs.h
new file mode 100644
index 000000000..144ea1ee7
--- /dev/null
+++ b/security/nss/lib/fortcrypt/fpkstrs.h
@@ -0,0 +1,122 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#ifndef _context_h_
+#define _context_h_
+
+#ifdef SWFORT
+#ifndef RETURN_TYPE
+#define RETURN_TYPE int
+#endif
+#endif
+#include "cryptint.h"
+#include "genci.h"
+#include "maci.h"
+
+typedef enum {NOKEY, TEK, MEK, UNWRAP, Ks} FortezzaKeyType;
+typedef enum {Encrypt, Decrypt, Sign, None} CryptoType;
+
+typedef struct FortezzaKeyStr *FortezzaKeyPtr;
+typedef struct FortezzaSocketStr *FortezzaSocketPtr;
+typedef struct FortezzaKeyStr FortezzaKey;
+typedef unsigned char FortezzaMEK[12]; 
+
+
+typedef struct CreateTEKInfoStr {
+    CI_RA         Ra;
+    CI_RB         Rb;
+    unsigned long randomLen;
+    int		  personality;
+    int           flag; /*Either CI_INITIATOR_FLAG or CI_RECIPIENT_FLAG*/ 
+    CI_Y          pY;
+    unsigned int  YSize; 
+} CreateTEKInfo;
+
+typedef struct FortezzaTEKStr {
+    CI_RA  Ra;  /*All the parameters necessary to create a TEK */
+    CI_RB  Rb;
+    unsigned long randomLen;
+    CI_Y   pY;
+    int    flags;
+    int    registerIndex;
+    unsigned int  ySize;
+} FortezzaTEK;
+
+struct FortezzaKeyStr {
+    FortezzaKeyPtr    next, prev;
+    CK_OBJECT_HANDLE  keyHandle;
+    int               keyRegister;
+    FortezzaKeyType   keyType;
+    FortezzaSocketPtr keySocket;
+    unsigned long     id;
+    unsigned long     hitCount;
+    union {
+        FortezzaTEK tek;
+        FortezzaMEK mek;
+    } keyData;
+};
+
+typedef struct FortezzaSocketStr {
+    PRBool            isOpen;
+    PRBool            isLoggedIn;
+    PRBool            hasLoggedIn;
+    PRBool            personalitiesLoaded;
+    unsigned long     slotID;
+    unsigned long     hitCount;
+    HSESSION          maciSession;
+    CI_SERIAL_NUMBER  openCardSerial;
+    CI_STATE          openCardState;
+    CI_PERSON        *personalityList;
+    int               numPersonalities;
+    int               numKeyRegisters;
+    FortezzaKey     **keyRegisters; /*Array of pointers to keys in registers*/
+    FortezzaKey      *keys;         /*Linked list of all the keys*/
+    void             *registersLock;
+} FortezzaSocket;
+
+typedef struct PK11SessionStr *PK11SessionPtr;
+
+typedef struct FortezzaConstextStr {
+    FortezzaKey         *fortezzaKey;
+    FortezzaSocket      *fortezzaSocket;
+    PK11SessionPtr       session;
+    CryptoType           cryptoOperation;
+    CK_MECHANISM_TYPE    mechanism;
+    CI_SAVE_DATA         cardState;
+    CI_IV                cardIV;
+    unsigned long        userRamSize;
+    CK_OBJECT_HANDLE     hKey;
+} FortezzaContext;
+
+
+
+#endif /*_context_h_*/
diff --git a/security/nss/lib/fortcrypt/genci.h b/security/nss/lib/fortcrypt/genci.h
new file mode 100644
index 000000000..6a44cd7a7
--- /dev/null
+++ b/security/nss/lib/fortcrypt/genci.h
@@ -0,0 +1,145 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * the following header file switches between MACI and CI based on
+ * compile options. That lest the rest of the source code operate
+ * without change, even if it only suports CI_ calls, not MACI_ calls
+ */
+#ifndef _GENCI_H_
+#define _GENCI_H_ 1
+#include "seccomon.h"
+
+#if defined (XP_UNIX) || defined (XP_WIN32) || defined (XP_OS2) || defined (XP_BEOS)
+
+/*
+ * On unix, NT, Windows '95, and OS/2 we use full maci
+ */
+#include "maci.h"
+
+#define MACI_SEL(x) 
+
+/*
+ * for sec-for.c
+ */
+#define CI_Initialize	MACI_Initialize
+#define CI_Terminate()  { HSESSION hs;\
+			  MACI_GetSessionID(&hs);\
+			  MACI_Terminate(hs); }
+
+#else
+
+/*
+ * On Mac we use the original CI_LIB
+ */
+#include "cryptint.h"
+
+/*
+ * MACI specific values not defined for CI lib
+ */
+#define MACI_SESSION_EXCEEDED     (-53)
+
+#ifndef HSESSION_DEFINE
+typedef unsigned int HSESSION;
+#define HSESSION_DEFINE
+#endif
+
+/*
+ * Map MACI_ calls to CI_ calls. NOTE: this assumes the proper CI_Select
+ * calls are issued in the CI_ case
+ */
+#define MACI_ChangePIN(s,pin,old,new)		CI_ChangePIN(pin,old,new)
+#define MACI_CheckPIN(s,type,pin)   		CI_CheckPIN(type,pin)
+#define MACI_Close(s,flag,socket)		CI_Close(flag,socket)
+#define MACI_Decrypt(s,size,in,out)		CI_Decrypt(size,in,out)
+#define MACI_DeleteCertificate(s,cert)		CI_DeleteCertificate(cert)
+#define MACI_DeleteKey(s,index)			CI_DeleteKey(index)
+#define MACI_Encrypt(s,size,in,out)		CI_Encrypt(size,in,out)
+#define MACI_ExtractX(s,cert,type,pass,ySize,y,x,Ra,pgSize,qSize,p,q,g) \
+		CI_ExtractX(cert,type,pass,ySize,y,x,Ra,pgSize,qSize,p,q,g)
+#define MACI_FirmwareUpdate(s,flags,Cksum,len,size,data) \
+			CI_FirmwareUpdate(flags,Cksum,len,size,data)
+#define MACI_GenerateIV(s,iv)			CI_GenerateIV(iv)
+#define MACI_GenerateMEK(s,index,res)		CI_GenerateMEK(index,res)
+#define MACI_GenerateRa(s,Ra)			CI_GenerateRa(Ra)
+#define MACI_GenerateRandom(s,ran)		CI_GenerateRandom(ran)
+#define MACI_GenerateTEK(s,flag,index,Ra,Rb,size,Y) \
+				CI_GenerateTEK(flag,index,Ra,Rb,size,Y)
+#define MACI_GenerateX(s,cert,type,pgSize,qSize,p,q,g,ySize,y) \
+			CI_GenerateX(cert,type,pgSize,qSize,p,q,g,ySize,y)
+#define MACI_GetCertificate(s,cert,val)		CI_GetCertificate(cert,val)
+#define MACI_GetConfiguration(s,config)		CI_GetConfiguration(config)
+#define MACI_GetHash(s,size,data,val)		CI_GetHash(size,data,val)
+#define MACI_GetPersonalityList(s,cnt,list)	CI_GetPersonalityList(cnt,list)
+#define MACI_GetSessionID(s)			CI_OK
+#define MACI_GetState(s,state)			CI_GetState(state)
+#define MACI_GetStatus(s,status)		CI_GetStatus(status)
+#define MACI_GetTime(s,time)			CI_GetTime(time)
+#define MACI_Hash(s,size,data)			CI_Hash(size,data)
+#define MACI_Initialize(count)			CI_Initialize(count)
+#define MACI_InitializeHash(s)			CI_InitializeHash()
+#define MACI_InstallX(s,cert,type,pass,ySize,y,x,Ra,pgSize,qSize,p,q,g) \
+		CI_InstallX(cert,type,pass,ySize,y,x,Ra,pgSize,qSize,p,q,g)
+#define MACI_LoadCertificate(s,cert,label,data,res) \
+					CI_LoadCertificate(cert,label,data,res)
+#define MACI_LoadDSAParameters(s,pgSize,qSize,p,q,g) \
+				CI_LoadDSAParameters(pgSize,qSize,p,q,g)
+#define MACI_LoadInitValues(s,seed,Ks)		CI_LoadInitValues(seed,Ks)
+#define MACI_LoadIV(s,iv)			CI_LoadIV(iv)
+#define MACI_LoadX(s,cert,type,pgSize,qSize,p,q,g,x,ySize,y) \
+			CI_LoadX(cert,type,pgSize,qSize,p,q,g,x,ySize,y)
+#define MACI_Lock(s,flags)			CI_Lock(flags)
+#define MACI_Open(s,flags,index)		CI_Open(flags,index)
+#define MACI_RelayX(s,oPass,oSize,oY,oRa,oX,nPass,nSize,nY,nRa,nX) \
+			CI_RelayX(oPass,oSize,oY,oRa,oX,nPass,nSize,nY,nRa,nX)
+#define MACI_Reset(s)				CI_Reset()
+#define MACI_Restore(s,type,data)		CI_Restore(type,data)
+#define MACI_Save(s,type,data)			CI_Save(type,data)
+#define MACI_Select(s,socket)			CI_Select(socket)
+#define MACI_SetConfiguration(s,typ,sz,d)	CI_SetConfiguration(typ,sz,d)
+#define MACI_SetKey(s,key)			CI_SetKey(key)
+#define MACI_SetMode(s,type,mode)		CI_SetMode(type,mode)
+#define MACI_SetPersonality(s,index)		CI_SetPersonality(index)
+#define MACI_SetTime(s,time)			CI_SetTime(time)
+#define MACI_Sign(s,hash,sig)			CI_Sign(hash,sig)
+#define MACI_Terminate(s)			CI_Terminate()
+#define MACI_TimeStamp(s,val,sig,time)		CI_TimeStamp(val,sig,time)
+#define MACI_Unlock(s)				CI_Unlock()
+#define MACI_UnwrapKey(s,targ,wrap,key)		CI_UnwrapKey(targ,wrap,key)
+#define MACI_VerifySignature(s,h,siz,y,sig)	CI_VerifySignature(h,siz,y,sig)
+#define MACI_VerifyTimeStamp(s,hash,sig,tim)	CI_VerityTimeStap(hash,sig,tim)
+#define MACI_WrapKey(s,src,wrap,key)		CI_WrapKey(src,wrap,key)
+#define MACI_Zeroize(s)				CI_Zeroize()
+
+#define MACI_SEL(x)	CI_Select(x)
+#endif /* ! XP_UNIX */
+#endif /* _GENCI_H_ */
diff --git a/security/nss/lib/fortcrypt/globinst.htm b/security/nss/lib/fortcrypt/globinst.htm
new file mode 100644
index 000000000..cd0a194d4
--- /dev/null
+++ b/security/nss/lib/fortcrypt/globinst.htm
@@ -0,0 +1,139 @@
+<HTML>
+<--
+   - The contents of this file are subject to the Mozilla Public
+   - License Version 1.1 (the "License"); you may not use this file
+   - except in compliance with the License. You may obtain a copy of
+   - the License at http://www.mozilla.org/MPL/
+   - 
+   - Software distributed under the License is distributed on an "AS
+   - IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+   - implied. See the License for the specific language governing
+   - rights and limitations under the License.
+   - 
+   - The Original Code is the Netscape security libraries.
+   - 
+   - The Initial Developer of the Original Code is Netscape
+   - Communications Corporation.  Portions created by Netscape are 
+   - Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+   - Rights Reserved.
+   - 
+   - Contributor(s):
+   - 
+   - Alternatively, the contents of this file may be used under the
+   - terms of the GNU General Public License Version 2 or later (the
+   - "GPL"), in which case the provisions of the GPL are applicable 
+   - instead of those above.  If you wish to allow use of your 
+   - version of this file only under the terms of the GPL and not to
+   - allow others to use your version of this file under the MPL,
+   - indicate your decision by deleting the provisions above and
+   - replace them with the notice and other provisions required by
+   - the GPL.  If you do not delete the provisions above, a recipient
+   - may use your version of this file under either the MPL or the
+   - GPL.
+-->
+<SCRIPT>
+
+
+// ---------------------- Configuration variables ----------------
+var pkcs11jar="fortpk11.jar";
+//var pkcs11base="file://d|/dogbert/ns/dist/";
+pkcs11base="";
+
+var comm_platforms = pk_init_array (
+	"Win32", "Win16", "Mac68k", "MacPPC", 
+	"AIX4.1", "HP-UXA.09", "HP-UXB.10", 
+	"SunOS4.1.3_U1", "SunOS5.4", "SunOS5.5.1" );
+var directories = pk_init_array (
+	"win32", "win16", "none", "macppc",
+	"aix", "hpux", "hpux",
+	"sunos", "sol24", 
+	"sol251" );
+
+function mapPlatform(InPlat)
+{
+	for (i=0; i < comm_platforms.length; i++) {
+	    if (InPlat == comm_platforms[i]) {
+		return directories[i];
+	    }
+	}
+	return InPlat;
+}
+
+
+function pk_init_array()
+{
+	var numArgs = pk_init_array.arguments.length;
+	var a = new Array(numArgs);
+
+	for (var i = 0; i < numArgs; i++) {
+	    a[i] = pk_init_array.arguments[i];
+	}
+	return a;
+}
+
+function getPlatform() {
+	return navigator.platform;
+//	var string = navigator.appVersion;
+//	start = string.indexOf("(",0);
+//	if (start == -1) {
+//	    return "unknown";
+//	}
+//	end = string.indexOf(";",start);
+//	if (end == -1) {
+//	    end = string.indexOf(")",start);
+//	}
+//	if (end == -1) {
+//	   end = string.length;
+//	}
+//	platform = string.substring(start+1,end);
+//	return platform;
+}
+
+function getURLPath() {
+	var string = window.location.href;
+	end = string.lastIndexOf("/");
+	if (end == -1) {
+	   end = string.length-1;
+	}
+	return string.substring(0,end+1);
+}
+
+
+
+plat=getPlatform();
+platDir = mapPlatform(plat);
+if (pkcs11base == "") pkcs11base=getURLPath();
+
+if (plat == "MacPPC") {
+   pkcs11jar= "macinst.htm"
+}
+
+function DoInstall(url) {
+	window.location.href = url;
+}
+
+function DoCancel() {
+	// set window.location.href to your home page if you wish
+	//alert('Cancel Installation?');
+	history.back();
+}
+
+// ------  Change the following for your own Message --------
+document.write("<CENTER><H1>Netscape Fortezza PKCS #11 Module Installer</H1>");
+document.write("</CENTER>");
+document.write("<Table><TR><TD>");
+document.write("<DD><p><IMG SRC=about:logo WIDTH=90 Height=77 NAME=LITRONIC></TD>");
+document.write("<TD VAlign=Center><i> Netscape Fortezza PKCS #11 Modules require Litronic's MACI drivers to be installed on your platform.");
+document.write(" If you haven't already installed theLitronic MACI drivers, please to do so now.</I>");
+document.write("</TD></TR></Table>");
+// ----- end of generic message section --------
+document.write("<p>Netscape has detected you are installing on <b>"+plat+"</b>.<br>");
+document.write("Installing: <b>"+pkcs11base+platDir+"/"+pkcs11jar+"</b><br>");
+document.write("<FORM>");
+document.write("<CENTER><Table><TR><TD><Input Type=Button name=install value='Install Now' onclick=DoInstall("+ "\"" +pkcs11base+platDir+"/"+pkcs11jar+"\""+")>");
+document.write("</TD><TD><Input type=Button name=cancel value=Cancel Onclick=DoCancel()>");
+document.write("</TD></TR></Table></CENTER>");
+document.write("</FORM>");
+document.close();
+</SCRIPT>
+</HTML>
diff --git a/security/nss/lib/fortcrypt/handinst.htm b/security/nss/lib/fortcrypt/handinst.htm
new file mode 100644
index 000000000..f816432e1
--- /dev/null
+++ b/security/nss/lib/fortcrypt/handinst.htm
@@ -0,0 +1,180 @@
+<HTML>
+<TITLE>Generic PKCS #11 Installer</TITLE>
+<--
+   - The contents of this file are subject to the Mozilla Public
+   - License Version 1.1 (the "License"); you may not use this file
+   - except in compliance with the License. You may obtain a copy of
+   - the License at http://www.mozilla.org/MPL/
+   - 
+   - Software distributed under the License is distributed on an "AS
+   - IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+   - implied. See the License for the specific language governing
+   - rights and limitations under the License.
+   - 
+   - The Original Code is the Netscape security libraries.
+   - 
+   - The Initial Developer of the Original Code is Netscape
+   - Communications Corporation.  Portions created by Netscape are 
+   - Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+   - Rights Reserved.
+   - 
+   - Contributor(s):
+   - 
+   - Alternatively, the contents of this file may be used under the
+   - terms of the GNU General Public License Version 2 or later (the
+   - "GPL"), in which case the provisions of the GPL are applicable 
+   - instead of those above.  If you wish to allow use of your 
+   - version of this file only under the terms of the GPL and not to
+   - allow others to use your version of this file under the MPL,
+   - indicate your decision by deleting the provisions above and
+   - replace them with the notice and other provisions required by
+   - the GPL.  If you do not delete the provisions above, a recipient
+   - may use your version of this file under either the MPL or the
+   - GPL.
+-->
+<SCRIPT>
+// Crypto Mechanism Flags 
+PKCS11_MECH_RSA_FLAG           =  0x1<<0; 
+PKCS11_MECH_DSA_FLAG           =  0x1<<1; 
+PKCS11_MECH_RC2_FLAG           =  0x1<<2; 
+PKCS11_MECH_RC4_FLAG           =  0x1<<3; 
+PKCS11_MECH_DES_FLAG           =  0x1<<4; 
+PKCS11_MECH_DH_FLAG            =  0x1<<5; //Diffie-Hellman 
+PKCS11_MECH_SKIPJACK_FLAG      =  0x1<<6; //SKIPJACK algorithm as in Fortezza cards 
+PKCS11_MECH_RC5_FLAG           =  0x1<<7; 
+PKCS11_MECH_SHA1_FLAG          =  0x1<<8; 
+PKCS11_MECH_MD5_FLAG           =  0x1<<9; 
+PKCS11_MECH_MD2_FLAG           =  0x1<<10; 
+PKCS11_MECH_RANDOM_FLAG        =  0x1<<27; //Random number generator 
+PKCS11_PUB_READABLE_CERT_FLAG  =  0x1<<28; //Stored certs can be read off the token w/o logging in 
+PKCS11_DISABLE_FLAG            =  0x1<<30; //tell Navigator to disable this slot by default 
+
+// Important: 
+// 0x1<<11, 0x1<<12, ... , 0x1<<26, 0x1<<29, and 0x1<<31 are reserved 
+// for internal use in Navigator. 
+// Therefore, these bits should always be set to 0; otherwise, 
+// Navigator might exhibit unpredictable behavior. 
+
+// These flags indicate which mechanisms should be turned on by 
+pkcs11MechanismFlags = PKCS11_MECH_RANDOM_FLAG; 
+  
+
+// Ciphers that support SSL or S/MIME 
+PKCS11_CIPHER_FORTEZZA_FLAG    = 0x1<<0; 
+
+// Important: 
+// 0x1<<1, 0x1<<2, ... , 0x1<<31 are reserved 
+// for internal use in Navigator. 
+// Therefore, these bits should ALWAYS be set to 0; otherwise, 
+// Navigator might exhibit unpredictable behavior. 
+
+// These flags indicate which SSL ciphers are supported 
+pkcs11CipherFlags = PKCS11_CIPHER_FORTEZZA_FLAG; 
+  
+
+// Return values of pkcs11.addmodule() & pkcs11.delmodule() 
+// success codes 
+JS_OK_ADD_MODULE                 = 3 // Successfully added a module 
+JS_OK_DEL_EXTERNAL_MODULE        = 2 // Successfully deleted ext. module 
+JS_OK_DEL_INTERNAL_MODULE        = 1 // Successfully deleted int. module 
+
+// failure codes 
+JS_ERR_OTHER                     = -1 // Other errors than the followings 
+JS_ERR_USER_CANCEL_ACTION        = -2 // User abort an action 
+JS_ERR_INCORRECT_NUM_OF_ARGUMENTS= -3 // Calling a method w/ incorrect # of arguments 
+JS_ERR_DEL_MODULE                = -4 // Error deleting a module 
+JS_ERR_ADD_MODULE                = -5 // Error adding a module 
+JS_ERR_BAD_MODULE_NAME           = -6 // The module name is invalid 
+JS_ERR_BAD_DLL_NAME              = -7 // The DLL name is bad 
+JS_ERR_BAD_MECHANISM_FLAGS       = -8 // The mechanism flags are invalid 
+JS_ERR_BAD_CIPHER_ENABLE_FLAGS   = -9 // The SSL, S/MIME cipher flags are invalid 
+
+var new_window;
+var has_new_window = 0;
+
+function HandleCipher(checkBox) {
+	if (checkBox.checked) {
+		pkcs11MechanismFlags |= checkBox.value;
+	} else {
+		pkcs11MechanismFlags &= ~checkBox.value;
+	}
+}
+
+function HandleSSL(checkBox) {
+	if (checkBox.checked) {
+		pkcs11CipherFlags |= checkBox.value;
+	} else {
+		pkcs11CipherFlags &= ~checkBox.value;
+	}
+}
+
+function colonize(string) {
+	len = string.length;
+	end = len -1;
+
+	if (len == 0) return string;
+
+
+	for (i=0; i < len; i++) {
+	   if (string.charAt(i) == "/") {
+		if (i == 0) {
+		    new_string = ":" + string.substring(1,len);
+		} else if (i == end) {
+		    new_string = string.substring(0,i)+':';
+		} else {
+		    new_string = string.substring(0,i)+':'+
+						string.substring(i+1,len);
+		}
+		string = new_string;
+	   }
+	}
+
+	if (string.charAt(0) == ":") string = string.substring(1,len);
+	return string;
+}
+
+function DoInstall(name,module) {
+	if ((navigator.platform == "MacPPC") 
+			|| (navigator.platform == "Mac68K")) {
+	    module = colonize(module);
+	}
+	result = pkcs11.addmodule(name, module, 
+			pkcs11MechanismFlags, pkcs11CipherFlags); 
+	if ( result < 0) { 
+	  window.alert("New module setup failed.  Error code: " + result); 
+	}
+	if (has_new_window) new_window.close();
+}
+
+default_name = "Netscape FORTEZZA Module"
+
+default_module = "D:/dogbert/ns/dist/WIN32_D.OBJ/bin/fort32.dll"
+document.writeln("<FORM name=instform target=_self> <H2>PKCS #11 Installer</H2>");
+document.writeln(" Module name: <Input Type=Text Name=modName value=\""+default_name+"\" size=50 required><br>");
+document.writeln(" Module Library: <Input Type=FILE required Name=module><p>");
+document.writeln("<hr><TABLE><TR><TD>");
+document.writeln("<Input type=Checkbox name=RSA value="+PKCS11_MECH_RSA_FLAG+" onclick=HandleCipher(document.instform.RSA)> RSA<br>");
+document.writeln("<Input type=Checkbox name=DSA value="+PKCS11_MECH_DSA_FLAG+" onclick=HandleCipher(document.instform.DSA)> DSA<br>");
+document.writeln("<Input type=Checkbox name=RC2 value="+PKCS11_MECH_RC2_FLAG+" onclick=HandleCipher(document.instform.RC2)> RC2<br>");
+document.writeln("<Input type=Checkbox name=RC4 value="+PKCS11_MECH_RC4_FLAG+" onclick=HandleCipher(document.instform.RC4)> RC4<br>");
+document.writeln("</TD><TD>");
+document.writeln("<Input type=Checkbox name=DES value="+PKCS11_MECH_DES_FLAG+" onclick=HandleCipher(document.instform.DES)> DES<br>");
+document.writeln("<Input type=Checkbox name=DH value="+PKCS11_MECH_DH_FLAG+" onclick=HandleCipher(document.instform.DH)> DH<br>");
+document.writeln("<Input type=Checkbox name=SKIPJACK value="+PKCS11_MECH_SKIPJACK_FLAG+" onclick=HandleCipher(document.instform.SKIPJACK)> SKIPJACK<br>");
+document.writeln("<Input type=Checkbox name=RC5 value="+PKCS11_MECH_RC5_FLAG+" onclick=HandleCipher(document.instform.RC5)> RC5<br>");
+document.writeln("</TD><TD>");
+document.writeln("<Input type=Checkbox name=SHA1 value="+PKCS11_MECH_SHA1_FLAG+" onclick=HandleCipher(document.instform.SHA1)> SHA1<br>");
+document.writeln("<Input type=Checkbox name=MD5 value="+PKCS11_MECH_MD5_FLAG+" onclick=HandleCipher(document.instform.MD5)> MD5<br>");
+document.writeln("<Input type=Checkbox name=MD2 value="+PKCS11_MECH_MD2_FLAG+" onclick=HandleCipher(document.instform.MD2)> MD2<br>");
+document.writeln("</TD><TD>");
+document.writeln("<Input type=Checkbox name=Random value="+PKCS11_MECH_RANDOM_FLAG+" CHECKED onclick=HandleCipher(document.instform.Random)> Random Number Generation<br>");
+document.writeln("<Input type=Checkbox name=readCert value="+PKCS11_PUB_READABLE_CERT_FLAG+" onclick=HandleCipher(document.instform.ReadCert)> Public Readable Certificates<br>");
+document.writeln("<Input type=Checkbox name=Disable value="+PKCS11_DISABLE_FLAG+" onclick=HandleCipher(document.instform.Disable)> Disable<br>");
+document.writeln("</TD></TR></TABLE>");
+document.writeln("<hr>");
+document.writeln("<Input type=Checkbox name=fortssl value="+ PKCS11_CIPHER_FORTEZZA_FLAG +" checked onclick=HandleSSL(document.instform.fortssl)> Enable FORTEZZA menus<br>");
+document.writeln("<hr>");
+document.write("<Input type=submit Name=Install Value=Install onclick=DoInstall(");
+document.writeln(  "document.instform.modName.value,document.instform.module.value) >");
+document.writeln("</FORM>");
+</SCRIPT>
diff --git a/security/nss/lib/fortcrypt/homeinst.htm b/security/nss/lib/fortcrypt/homeinst.htm
new file mode 100644
index 000000000..a0583fbc7
--- /dev/null
+++ b/security/nss/lib/fortcrypt/homeinst.htm
@@ -0,0 +1,211 @@
+<HTML>
+<--
+   - The contents of this file are subject to the Mozilla Public
+   - License Version 1.1 (the "License"); you may not use this file
+   - except in compliance with the License. You may obtain a copy of
+   - the License at http://www.mozilla.org/MPL/
+   - 
+   - Software distributed under the License is distributed on an "AS
+   - IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+   - implied. See the License for the specific language governing
+   - rights and limitations under the License.
+   - 
+   - The Original Code is the Netscape security libraries.
+   - 
+   - The Initial Developer of the Original Code is Netscape
+   - Communications Corporation.  Portions created by Netscape are 
+   - Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+   - Rights Reserved.
+   - 
+   - Contributor(s):
+   - 
+   - Alternatively, the contents of this file may be used under the
+   - terms of the GNU General Public License Version 2 or later (the
+   - "GPL"), in which case the provisions of the GPL are applicable 
+   - instead of those above.  If you wish to allow use of your 
+   - version of this file only under the terms of the GPL and not to
+   - allow others to use your version of this file under the MPL,
+   - indicate your decision by deleting the provisions above and
+   - replace them with the notice and other provisions required by
+   - the GPL.  If you do not delete the provisions above, a recipient
+   - may use your version of this file under either the MPL or the
+   - GPL.
+-->
+<SCRIPT>
+
+
+// ---------------------- Configuration variables ----------------
+var pkcs11jar="bin/fortWIN32.jar";
+var pkcs11base="ftp://sweetlou/products/client/dogbert/new";
+//pkcs11base="";
+win_file = "libfort.jar"
+unix = "libfort-v404b9."
+mac_file = "macinst.htm"
+
+
+var winDates = pk_init_array (
+	"oct_02a_404", "oct_01a_404" );
+
+var unixDates = pk_init_array (
+	"current", "Oct_02", "Oct_O1");
+	
+
+var comm_platforms = pk_init_array (
+	"Win32", "Win16", "Mac68k", "MacPPC", 
+	"AIX4.1", "HP-UXA.09", "HP-UXB.10", 
+	"SunOS4.1.3_U1", "SunOS5.4", "SunOS5.5.1", 
+	"BSD_3861.1","BSD_3862.1", "FreeBSD2", "IRIX5.3", "IRIX6.2",
+	"LinuxELF1.2","LinusELF2.0","NCR4.0","NEC4.2","OSF1V3","SCOOS5.0",
+	"SINIX-N5.42","SunOS5.4_i86pc","UNIXWARE2.1",
+	"OS23.0","OS24.0");
+var isSupport = pk_init_array ( 1, 1, 0, 1,
+	1, 1, 1,
+	1, 1, 1, 1,
+	0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0,
+	0, 0, 0,
+	0, 0 );
+var directories = pk_init_array (
+	"32bit/fortezza", "16bit/fortezza", "", "404-fortezza-items",
+	"aix4", "hpux", "hpux10",
+	"sunos4", "sol24", "sol251",
+	// not really supported
+	"bsdi", "bsdi2", "freebsd", "irix53", "irix62",
+	"linux12","linux20","ncr","nec","osf132","sco",
+	"sinix","solx86","unixware",
+	"" ,"" );
+var files = pk_init_array (
+	win_file, win_file, mac_file, mac_file,
+	unix+"rs6000-ibm-aix4.jar",unix+"hppa1.1-hp-hpux9.jar",
+	unix+"hppa1.1-hp-hpux10.jar",
+	unix+"sparc-sun-sunos4.1.3_U1.jar",unix+"sparc-sun-solaris2.4.jar",
+	unix+"sparc-sun-solaris2.5.1.jar",
+	unix+"x86-bsdi-bsd.jar",unix+"x86-bsdi-bsd2.jar",
+	unix+"x86-unknown-freebsd.jar",
+	unix+"mips-sgi-irix5.3.jar",unix+"mips-sgi-irix6.2.jar",
+	unix+"x86-unknown-linix1.2.jar",unix+"x86-unknown-linix2.0.jar",
+	unix+"x86-ncr-sysv5.jar",unix+"mips-nec-uxv4.2.jar",
+	unix+"alpha-dec-osf3.2.jar",unix+"x86-sco-opensv5.0.2",
+	unix+"mips-sni-reliantunix.jar",unix+"x86-sun-solaris2.4.jar",
+	unix+"x86-sco-unixware2.1.jar",
+	win_file, win_file );
+
+function isSupported(InPlat)
+{
+	for (i=0; i < comm_platforms.length; i++) {
+	    if (InPlat == comm_platforms[i]) {
+		return isSupport[i];
+	    }
+	}
+	return 0;
+}
+
+function mapPlatform(InPlat)
+{
+	for (i=0; i < comm_platforms.length; i++) {
+	    if (InPlat == comm_platforms[i]) {
+		return directories[i];
+	    }
+	}
+	return InPlat;
+}
+
+function mapFile(InPlat)
+{
+	for (i=0; i < comm_platforms.length; i++) {
+	    if (InPlat == comm_platforms[i]) {
+		return files[i];
+	    }
+	}
+	return unix+"unknown-unknown-unknown.jar";
+}
+
+function mapDate(platform) {
+	if ((platform == "MacPPC") || (platform == "Mac68K")) {
+	    return "";
+	} else if ((platform == "Win32") || (platform == "Win16")) {
+	    return "/oct_2a_404";
+	} else if ((platform == "OS23.0") || (platform == "OS24.0")) {
+	    return "";
+	}
+	return "/current/signed";
+}
+function mapBaseDir(platform) {
+	if ((platform == "MacPPC") || (platform == "Mac68K")) {
+	    return "mac";
+	} else if ((platform == "Win32") || (platform == "Win16")) {
+	    return "windows"
+	} else if ((platform == "OS23.0") || (platform == "OS24.0")) {
+	    return "os2";
+	}
+	return "unix/Fortezza";
+}
+
+function pk_init_array()
+{
+	var numArgs = pk_init_array.arguments.length;
+	var a = new Array(numArgs);
+
+	for (var i = 0; i < numArgs; i++) {
+	    a[i] = pk_init_array.arguments[i];
+	}
+	return a;
+}
+
+function getPlatform() {
+	return navigator.platform;
+}
+
+function getURLPath() {
+	var string = window.location.href;
+	end = string.lastIndexOf("/");
+	if (end == -1) {
+	   end = string.length-1;
+	}
+	return string.substring(0,end+1);
+}
+
+
+
+plat=getPlatform();
+platDir = mapPlatform(plat);
+platFile = mapFile(plat);
+platBase = mapBaseDir(plat);
+platDate = mapDate(plat);
+if (pkcs11base == "") pkcs11base=getURLPath();
+pkcs11loc=pkcs11base+"/"+platBase+"/"+platDir + platDate + "/" + platFile;
+
+
+
+function DoInstall(url) {
+	window.location.href = url;
+}
+
+function DoCancel() {
+	// set window.location.href to your home page if you wish
+	//alert('Cancel Installation?');
+	history.back();
+}
+
+// ------  Change the following for your own Message --------
+document.write("<CENTER><H1>Netscape Fortezza PKCS #11 Module Installer</H1>");
+document.write("</CENTER>");
+document.write("<Table><TR><TD>");
+document.write("<DD><p><IMG SRC=litronic.gif WIDTH=110 Height=63 NAME=LITRONIC></TD>");
+document.write("<TD VAlign=Center><i> Netscape Fortezza PKCS #11 Modules require Litronic's MACI drivers to be installed on your platform.");
+document.write(" If you haven't already installed theLitronic MACI drivers, please to do so now.</I>");
+document.write("</TD></TR></Table>");
+// ----- end of generic message section --------
+document.write("<p>Netscape has detected you are installing on <b>"+plat+"</b>.<br>");
+if (!isSupported(plat)) {
+	document.write("<b>This platform is currently not suppported for FORTEZZA</b><br>");
+}
+document.write("Installing: <b>"+pkcs11loc+"</b><br>");
+document.write("<FORM>");
+document.write("<CENTER><Table><TR><TD><Input Type=Button name=install value='Install Now' onclick=DoInstall("+ "\"" +pkcs11loc+"\""+")>");
+document.write("</TD><TD><Input type=Button name=cancel value=Cancel Onclick=DoCancel()>");
+document.write("</TD></TR></Table></CENTER>");
+document.write("</FORM>");
+document.close();
+</SCRIPT>
+</HTML>
diff --git a/security/nss/lib/fortcrypt/inst.js b/security/nss/lib/fortcrypt/inst.js
new file mode 100644
index 000000000..2c2b1ab64
--- /dev/null
+++ b/security/nss/lib/fortcrypt/inst.js
@@ -0,0 +1,268 @@
+//
+// The contents of this file are subject to the Mozilla Public
+// License Version 1.1 (the "License"); you may not use this file
+// except in compliance with the License. You may obtain a copy of
+// the License at http://www.mozilla.org/MPL/
+// 
+// Software distributed under the License is distributed on an "AS
+// IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+// implied. See the License for the specific language governing
+// rights and limitations under the License.
+// 
+// The Original Code is the Netscape security libraries.
+// 
+// The Initial Developer of the Original Code is Netscape
+// Communications Corporation.  Portions created by Netscape are 
+// Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+// Rights Reserved.
+// 
+// Contributor(s):
+// 
+// Alternatively, the contents of this file may be used under the
+// terms of the GNU General Public License Version 2 or later (the
+// "GPL"), in which case the provisions of the GPL are applicable 
+// instead of those above.  If you wish to allow use of your 
+// version of this file only under the terms of the GPL and not to
+// allow others to use your version of this file under the MPL,
+// indicate your decision by deleting the provisions above and
+// replace them with the notice and other provisions required by
+// the GPL.  If you do not delete the provisions above, a recipient
+// may use your version of this file under either the MPL or the
+// GPL.
+//
+////////////////////////////////////////////////////////////////////////////////////////
+// Crypto Mechanism Flags
+PKCS11_MECH_RSA_FLAG           =  0x1<<0; 
+PKCS11_MECH_DSA_FLAG           =  0x1<<1; 
+PKCS11_MECH_RC2_FLAG           =  0x1<<2; 
+PKCS11_MECH_RC4_FLAG           =  0x1<<3; 
+PKCS11_MECH_DES_FLAG           =  0x1<<4; 
+PKCS11_MECH_DH_FLAG            =  0x1<<5; //Diffie-Hellman 
+PKCS11_MECH_SKIPJACK_FLAG      =  0x1<<6; //SKIPJACK algorithm as in Fortezza cards 
+PKCS11_MECH_RC5_FLAG           =  0x1<<7; 
+PKCS11_MECH_SHA1_FLAG          =  0x1<<8; 
+PKCS11_MECH_MD5_FLAG           =  0x1<<9; 
+PKCS11_MECH_MD2_FLAG           =  0x1<<10; 
+PKCS11_MECH_RANDOM_FLAG        =  0x1<<27; //Random number generator 
+PKCS11_PUB_READABLE_CERT_FLAG  =  0x1<<28; //Stored certs can be read off the token w/o logging in 
+PKCS11_DISABLE_FLAG            =  0x1<<30; //tell Navigator to disable this slot by default 
+
+// Important: 
+// 0x1<<11, 0x1<<12, ... , 0x1<<26, 0x1<<29, and 0x1<<31 are reserved 
+// for internal use in Navigator. 
+// Therefore, these bits should always be set to 0; otherwise,
+// Navigator might exhibit unpredictable behavior. 
+
+// These flags indicate which mechanisms should be turned on by 
+var pkcs11MechanismFlags = PKCS11_MECH_RANDOM_FLAG; 
+  
+////////////////////////////////////////////////////////////////////////////////////////
+// Ciphers that support SSL or S/MIME 
+PKCS11_CIPHER_FORTEZZA_FLAG    = 0x1<<0; 
+
+// Important: 
+// 0x1<<1, 0x1<<2, ... , 0x1<<31 are reserved 
+// for internal use in Navigator. 
+// Therefore, these bits should ALWAYS be set to 0; otherwise, 
+// Navigator might exhibit unpredictable behavior. 
+
+// These flags indicate which SSL ciphers are supported 
+var pkcs11CipherFlags = PKCS11_CIPHER_FORTEZZA_FLAG; 
+  
+////////////////////////////////////////////////////////////////////////////////////////
+// Return values of pkcs11.addmodule() & pkcs11.delmodule() 
+// success codes 
+JS_OK_ADD_MODULE                 = 3; // Successfully added a module 
+JS_OK_DEL_EXTERNAL_MODULE        = 2; // Successfully deleted ext. module 
+JS_OK_DEL_INTERNAL_MODULE        = 1; // Successfully deleted int. module 
+
+// failure codes 
+JS_ERR_OTHER                     = -1; // Other errors than the followings 
+JS_ERR_USER_CANCEL_ACTION        = -2; // User abort an action 
+JS_ERR_INCORRECT_NUM_OF_ARGUMENTS= -3; // Calling a method w/ incorrect # of arguments 
+JS_ERR_DEL_MODULE                = -4; // Error deleting a module 
+JS_ERR_ADD_MODULE                = -5; // Error adding a module 
+JS_ERR_BAD_MODULE_NAME           = -6; // The module name is invalid 
+JS_ERR_BAD_DLL_NAME              = -7; // The DLL name is bad 
+JS_ERR_BAD_MECHANISM_FLAGS       = -8; // The mechanism flags are invalid 
+JS_ERR_BAD_CIPHER_ENABLE_FLAGS   = -9; // The SSL, S/MIME cipher flags are invalid 
+JS_ERR_ADD_MODULE_DULICATE       =-10; // Module with the same name already installed
+
+////////////////////////////////////////////////////////////////////////////////////////
+// Find out which library is to be installed depending on the platform
+
+// pathname seperator is platform specific
+var sep = "/";
+var vendor = "netscape";
+var moduleName = "not_supported";
+var plat = navigator.platform;
+ 
+var dir = "pkcs11/" + vendor + "/" + plat + "/";
+if (plat == "Win16") {
+    dir = "pkcs11/";
+}
+
+bAbort = false;
+if (plat == "Win32") {
+    moduleName = "fort32.dll";
+    sep = "\\";
+} else if (plat == "Win16") {
+    moduleName = "FORT16.DLL";
+    sep = "\\";
+} else if (plat == "MacPPC") {
+    moduleName = "FortPK11Lib";
+    sep = ":";
+} else if (plat == "AIX4.1") {
+    moduleName = "libfort_shr.a";
+} else if (plat == "SunOS4.1.3_U1") {
+    moduleName = "libfort.so.1.0";        
+} else if ((plat == "SunOS5.4") || (plat == "SunOS5.5.1")){
+    moduleName = "libfort.so";
+} else if ((plat == "HP-UXA.09") || (plat == "HP-UXB.10")){
+    moduleName = "libfort.sl";
+} else if (plat == "IRIX6.2"){
+    // The module only works on 6.3, but Communicator returns 6.2 even when
+    // running 6.3.  So in order to prevent the user from thinking
+    // the module actually works on 6.2, we will force the name to 
+    // say 6.3 instead of 6.2.  In the even the user tries to install
+    // on 6.2, the user will see 6.3 instead.  If they don't get it that
+    // it's not going to work at this point in time, then the entire install
+    // process wil just fail miserably, and that is OK.
+    plat = "IRIX6.3";
+    moduleName = "libfort.so";
+} else {
+    window.alert("Sorry, platform "+plat+" is not supported.");
+    bAbort = true;
+}
+
+////////////////////////////////////////////////////////////////////////////////////////
+// Installation Begins...
+if (!bAbort) {
+if (confirm("This script will install a security module. \nIt may over-write older files having the same name. \nDo you want to continue?")) { 
+ // Step 1. Create a version object and a software update object 
+ vi = new netscape.softupdate.VersionInfo(1, 6, 0, 0); 
+ su = new netscape.softupdate.SoftwareUpdate(this, "Fortezza Card PKCS#11 Module"); 
+                 // "Fortezza ... Module" is the logical name of the bundle 
+
+ ////////////////////////////////////////
+ // Step 2. Start the install process 
+ bAbort = false; 
+ err = su.StartInstall("NSfortezza", // NSfortezza is the component folder (logical) 
+                       vi, 
+                       netscape.softupdate.SoftwareUpdate.FULL_INSTALL); 
+                            
+ bAbort = (err!=0); 
+
+ if (err == 0) { 
+     ////////////////////////////////////////
+    // Step 3. Find out the physical location of the Program dir 
+    Folder = su.GetFolder("Program"); 
+
+     ////////////////////////////////////////
+    // Step 4. Install the files. Unpack them and list where they go 
+
+    err = su.AddSubcomponent("FortezzaLibrary_"+plat, //component name (logical) 
+                                    vi, // version info 
+                                    moduleName, // source file in JAR (physical) 
+                                    Folder, // target folder (physical) 
+                                    dir + moduleName, // target path & filename (physical) 
+                                    true); // forces update 
+    if (err != 0) {
+        if (err == -200) {
+             errmsg = "Bad Package Name.";
+        } else if (err == -201) {
+             errmsg = "Unexpected error.";
+        } else if (err == -203) {
+             errmsg = "Installation script was signed by more than one certificate.";
+        } else if (err == -204) {
+             errmsg = "Installation script was not signed."
+        } else if (err == -205) {
+             errmsg = "The file to be installed is not signed."
+        } else if (err == -206) {
+             errmsg = "The file to be installed is not present, or it was signed with a different certificate than the one used to sign the install script.";
+        } else if (err == -207) {
+             errmsg = "JAR archive has not been opened."
+        } else if (err == -208) {
+             errmsg = "Bad arguments to AddSubcomponent( )."
+        } else if (err == -209) {
+             errmsg = "Illegal relative path( )."
+        } else if (err == -210) {
+             errmsg = "User cancelled installation."
+        } else if (err == -211) {
+             errmsg = "A problem occurred with the StartInstall( )."
+        } else {
+             errmsg = "Unknown error";
+        }
+        window.alert("Error adding sub-component: "+"("+err+")"+errmsg); 
+        //window.alert("Aborting, Folder="+Folder+" module="+dir+moduleName);
+        bAbort = true;
+    }
+ } 
+
+ ////////////////////////////////////////
+ // Step 5. Unless there was a problem, move files to final location 
+ // and update the Client Version Registry 
+ if (bAbort) { 
+    su.AbortInstall(); 
+ } else { 
+    err = su.FinalizeInstall(); 
+
+    if (err != 0) {
+
+        if (err == -900) {
+             errmsg = "Restart the computer, and install again.";
+        } else if (err == -201) {
+             errmsg = "Unexpected error.";
+        } else if (err == -202) {
+             errmsg = "Access denied. Make sure you have the permissions to write to the disk.";    
+        } else if (err == -203) {
+             errmsg = "Installation script was signed by more than one certificate.";
+        } else if (err == -204) {
+             errmsg = "Installation script was not signed."
+        } else if (err == -205) {
+             errmsg = "The file to be installed is not signed."
+        } else if (err == -206) {
+             errmsg = "The file to be installed is not present, or it was signed with a different certificate than the one used to sign the install script." 
+        } else if (err == -207) {
+             errmsg = "JAR archive has not been opened."
+        } else if (err == -208) {
+             errmsg = "Bad arguments to AddSubcomponent( )."
+        } else if (err == -209) {
+             errmsg = "Illegal relative path( )."
+        } else if (err == -210) {
+             errmsg = "User cancelled installation."
+        } else if (err == -211) {
+             errmsg = "A problem occurred with the StartInstall( )."
+        } else {
+             errmsg = "\nIf you have FORTEZZA module already installed, try deleting it first.";
+        }
+        window.alert("Error Finalizing Install: "+"("+err+")"+errmsg); 
+        //window.alert("Aborting, Folder="+Folder+" module="+dir+moduleName);
+
+    } else {
+
+        // Platform specific full path 
+        if (plat=="Win16") { 
+            fullpath = Folder +  "pkcs11" + sep + moduleName; 
+        } else { 
+            fullpath = Folder +  "pkcs11" + sep + vendor + sep + plat + sep + moduleName; 
+        } 
+ 
+         ////////////////////////////////////////
+        // Step 6: Call pkcs11.addmodule() to register the newly downloaded module
+        moduleCommonName = "Netscape FORTEZZA Module " + plat;
+        result = pkcs11.addmodule(moduleCommonName, 
+                              fullpath, 
+                              pkcs11MechanismFlags, 
+                              pkcs11CipherFlags); 
+       if (result == -10) {
+           window.alert("New module was copied to destination, \nbut setup failed because a module "
+                   +"with the same name has been installed. \nTry deleting the module "
+                   + moduleCommonName +" first.")
+       } else if (result < 0) {
+           window.alert("New module was copied to destination, but setup failed.  Error code: " + result); 
+       }           
+    } 
+ } 
+}
+}
diff --git a/security/nss/lib/fortcrypt/inst_PPC.js b/security/nss/lib/fortcrypt/inst_PPC.js
new file mode 100644
index 000000000..490910fff
--- /dev/null
+++ b/security/nss/lib/fortcrypt/inst_PPC.js
@@ -0,0 +1,134 @@
+//
+// The contents of this file are subject to the Mozilla Public
+// License Version 1.1 (the "License"); you may not use this file
+// except in compliance with the License. You may obtain a copy of
+// the License at http://www.mozilla.org/MPL/
+// 
+// Software distributed under the License is distributed on an "AS
+// IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+// implied. See the License for the specific language governing
+// rights and limitations under the License.
+// 
+// The Original Code is the Netscape security libraries.
+// 
+// The Initial Developer of the Original Code is Netscape
+// Communications Corporation.  Portions created by Netscape are 
+// Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+// Rights Reserved.
+// 
+// Contributor(s):
+// 
+// Alternatively, the contents of this file may be used under the
+// terms of the GNU General Public License Version 2 or later (the
+// "GPL"), in which case the provisions of the GPL are applicable 
+// instead of those above.  If you wish to allow use of your 
+// version of this file only under the terms of the GPL and not to
+// allow others to use your version of this file under the MPL,
+// indicate your decision by deleting the provisions above and
+// replace them with the notice and other provisions required by
+// the GPL.  If you do not delete the provisions above, a recipient
+// may use your version of this file under either the MPL or the
+// GPL.
+//
+// Crypto Mechanism Flags 
+PKCS11_MECH_RSA_FLAG           =  0x1<<0; 
+PKCS11_MECH_DSA_FLAG           =  0x1<<1; 
+PKCS11_MECH_RC2_FLAG           =  0x1<<2; 
+PKCS11_MECH_RC4_FLAG           =  0x1<<3; 
+PKCS11_MECH_DES_FLAG           =  0x1<<4; 
+PKCS11_MECH_DH_FLAG            =  0x1<<5; //Diffie-Hellman 
+PKCS11_MECH_SKIPJACK_FLAG      =  0x1<<6; //SKIPJACK algorithm as in Fortezza cards 
+PKCS11_MECH_RC5_FLAG           =  0x1<<7; 
+PKCS11_MECH_SHA1_FLAG          =  0x1<<8; 
+PKCS11_MECH_MD5_FLAG           =  0x1<<9; 
+PKCS11_MECH_MD2_FLAG           =  0x1<<10; 
+PKCS11_MECH_RANDOM_FLAG        =  0x1<<27; //Random number generator 
+PKCS11_PUB_READABLE_CERT_FLAG  =  0x1<<28; //Stored certs can be read off the token w/o logging in 
+PKCS11_DISABLE_FLAG            =  0x1<<30; //tell Navigator to disable this slot by default 
+
+// Important: 
+// 0x1<<11, 0x1<<12, ... , 0x1<<26, 0x1<<29, and 0x1<<31 are reserved 
+// for internal use in Navigator. 
+// Therefore, these bits should always be set to 0; otherwise, 
+// Navigator might exhibit unpredictable behavior. 
+
+// These flags indicate which mechanisms should be turned on by 
+pkcs11MechanismFlags = PKCS11_MECH_RANDOM_FLAG; 
+  
+
+// Ciphers that support SSL or S/MIME 
+PKCS11_CIPHER_FORTEZZA_FLAG    = 0x1<<0; 
+
+// Important: 
+// 0x1<<1, 0x1<<2, ... , 0x1<<31 are reserved 
+// for internal use in Navigator. 
+// Therefore, these bits should ALWAYS be set to 0; otherwise, 
+// Navigator might exhibit unpredictable behavior. 
+
+// These flags indicate which SSL ciphers are supported 
+pkcs11CipherFlags = PKCS11_CIPHER_FORTEZZA_FLAG; 
+  
+
+// Return values of pkcs11.addmodule() & pkcs11.delmodule() 
+// success codes 
+JS_OK_ADD_MODULE                 = 3 // Successfully added a module 
+JS_OK_DEL_EXTERNAL_MODULE        = 2 // Successfully deleted ext. module 
+JS_OK_DEL_INTERNAL_MODULE        = 1 // Successfully deleted int. module 
+
+// failure codes 
+JS_ERR_OTHER                     = -1 // Other errors than the followings 
+JS_ERR_USER_CANCEL_ACTION        = -2 // User abort an action 
+JS_ERR_INCORRECT_NUM_OF_ARGUMENTS= -3 // Calling a method w/ incorrect # of arguments 
+JS_ERR_DEL_MODULE                = -4 // Error deleting a module 
+JS_ERR_ADD_MODULE                = -5 // Error adding a module 
+JS_ERR_BAD_MODULE_NAME           = -6 // The module name is invalid 
+JS_ERR_BAD_DLL_NAME              = -7 // The DLL name is bad 
+JS_ERR_BAD_MECHANISM_FLAGS       = -8 // The mechanism flags are invalid 
+JS_ERR_BAD_CIPHER_ENABLE_FLAGS   = -9 // The SSL, S/MIME cipher flags are invalid 
+  
+
+if (confirm("This script will install and configure a security module, do you want to continue?")) { 
+ // Step 1. Create a version object and a software update object 
+ vi = new netscape.softupdate.VersionInfo(1, 6, 0, 0); 
+ su = new netscape.softupdate.SoftwareUpdate(this, "Fortezza Card PKCS#11 Module"); 
+                 // "Fortezza ... Module" is the logical name of the bundle 
+
+ // Step 2. Start the install process 
+ bAbort = false; 
+ err = su.StartInstall("NSfortezza", vi, netscape.softupdate.SoftwareUpdate.FULL_INSTALL); 
+                            // nsfortezza is the component folder (logical) 
+        bAbort = bAbort || (err !=0); 
+
+ if (err == 0) { 
+
+    // Step 3. Find out the physical location of the Program dir 
+    Folder = su.GetFolder("Program"); 
+
+    // Step 4. Install the files. Unpack them and list where they go 
+    err = su.AddSubcomponent("FortezzaCardDLL", //component name (logical) 
+                                    vi, // version info 
+                                    "FortPK11Lib", // source file in JAR (physical) 
+                                    Folder, // target folder (physical) 
+                                    "FortPK11Lib", // target path & filename (physical) 
+                                    this.force); // forces update 
+    bAbort = bAbort || (err !=0); 
+ } 
+
+ // Step 5. Unless there was a problem, move files to final location 
+ // and update the Client Version Registry 
+ if (bAbort) { 
+    window.alert("Installation Aborted"); 
+    su.AbortInstall(); 
+ } else { 
+    err = su.FinalizeInstall(); 
+    window.alert("Files have been installed.\nContinue to setup the newly isntalled module..."); 
+    // Add Module 
+    compFolder = su.GetComponentFolder("NSfortezza/FortezzaCardDLL") + "/FortPK11Lib"; 
+    result = pkcs11.addmodule("Netscape FORTEZZA Module", compFolder, pkcs11MechanismFlags, pkcs11CipherFlags); 
+           if ( result < 0) { 
+               window.alert("New module setup failed.  Error code: " + result); 
+           } else { 
+               window.alert("New module setup completed."); 
+           } 
+ } 
+} 
diff --git a/security/nss/lib/fortcrypt/install.js b/security/nss/lib/fortcrypt/install.js
new file mode 100644
index 000000000..e823e213b
--- /dev/null
+++ b/security/nss/lib/fortcrypt/install.js
@@ -0,0 +1,134 @@
+//
+// The contents of this file are subject to the Mozilla Public
+// License Version 1.1 (the "License"); you may not use this file
+// except in compliance with the License. You may obtain a copy of
+// the License at http://www.mozilla.org/MPL/
+// 
+// Software distributed under the License is distributed on an "AS
+// IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+// implied. See the License for the specific language governing
+// rights and limitations under the License.
+// 
+// The Original Code is the Netscape security libraries.
+// 
+// The Initial Developer of the Original Code is Netscape
+// Communications Corporation.  Portions created by Netscape are 
+// Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+// Rights Reserved.
+// 
+// Contributor(s):
+// 
+// Alternatively, the contents of this file may be used under the
+// terms of the GNU General Public License Version 2 or later (the
+// "GPL"), in which case the provisions of the GPL are applicable 
+// instead of those above.  If you wish to allow use of your 
+// version of this file only under the terms of the GPL and not to
+// allow others to use your version of this file under the MPL,
+// indicate your decision by deleting the provisions above and
+// replace them with the notice and other provisions required by
+// the GPL.  If you do not delete the provisions above, a recipient
+// may use your version of this file under either the MPL or the
+// GPL.
+//
+// Crypto Mechanism Flags 
+PKCS11_MECH_RSA_FLAG           =  0x1<<0; 
+PKCS11_MECH_DSA_FLAG           =  0x1<<1; 
+PKCS11_MECH_RC2_FLAG           =  0x1<<2; 
+PKCS11_MECH_RC4_FLAG           =  0x1<<3; 
+PKCS11_MECH_DES_FLAG           =  0x1<<4; 
+PKCS11_MECH_DH_FLAG            =  0x1<<5; //Diffie-Hellman 
+PKCS11_MECH_SKIPJACK_FLAG      =  0x1<<6; //SKIPJACK algorithm as in Fortezza cards 
+PKCS11_MECH_RC5_FLAG           =  0x1<<7; 
+PKCS11_MECH_SHA1_FLAG          =  0x1<<8; 
+PKCS11_MECH_MD5_FLAG           =  0x1<<9; 
+PKCS11_MECH_MD2_FLAG           =  0x1<<10; 
+PKCS11_MECH_RANDOM_FLAG        =  0x1<<27; //Random number generator 
+PKCS11_PUB_READABLE_CERT_FLAG  =  0x1<<28; //Stored certs can be read off the token w/o logging in 
+PKCS11_DISABLE_FLAG            =  0x1<<30; //tell Navigator to disable this slot by default 
+
+// Important: 
+// 0x1<<11, 0x1<<12, ... , 0x1<<26, 0x1<<29, and 0x1<<31 are reserved 
+// for internal use in Navigator. 
+// Therefore, these bits should always be set to 0; otherwise, 
+// Navigator might exhibit unpredictable behavior. 
+
+// These flags indicate which mechanisms should be turned on by 
+pkcs11MechanismFlags = PKCS11_MECH_RANDOM_FLAG; 
+  
+
+// Ciphers that support SSL or S/MIME 
+PKCS11_CIPHER_FORTEZZA_FLAG    = 0x1<<0; 
+
+// Important: 
+// 0x1<<1, 0x1<<2, ... , 0x1<<31 are reserved 
+// for internal use in Navigator. 
+// Therefore, these bits should ALWAYS be set to 0; otherwise, 
+// Navigator might exhibit unpredictable behavior. 
+
+// These flags indicate which SSL ciphers are supported 
+pkcs11CipherFlags = PKCS11_CIPHER_FORTEZZA_FLAG; 
+  
+
+// Return values of pkcs11.addmodule() & pkcs11.delmodule() 
+// success codes 
+JS_OK_ADD_MODULE                 = 3 // Successfully added a module 
+JS_OK_DEL_EXTERNAL_MODULE        = 2 // Successfully deleted ext. module 
+JS_OK_DEL_INTERNAL_MODULE        = 1 // Successfully deleted int. module 
+
+// failure codes 
+JS_ERR_OTHER                     = -1 // Other errors than the followings 
+JS_ERR_USER_CANCEL_ACTION        = -2 // User abort an action 
+JS_ERR_INCORRECT_NUM_OF_ARGUMENTS= -3 // Calling a method w/ incorrect # of arguments 
+JS_ERR_DEL_MODULE                = -4 // Error deleting a module 
+JS_ERR_ADD_MODULE                = -5 // Error adding a module 
+JS_ERR_BAD_MODULE_NAME           = -6 // The module name is invalid 
+JS_ERR_BAD_DLL_NAME              = -7 // The DLL name is bad 
+JS_ERR_BAD_MECHANISM_FLAGS       = -8 // The mechanism flags are invalid 
+JS_ERR_BAD_CIPHER_ENABLE_FLAGS   = -9 // The SSL, S/MIME cipher flags are invalid 
+  
+
+if (confirm("This script will install and configure a security module, do you want to continue?")) { 
+ // Step 1. Create a version object and a software update object 
+ vi = new netscape.softupdate.VersionInfo(1, 6, 0, 0); 
+ su = new netscape.softupdate.SoftwareUpdate(this, "Fortezza Card PKCS#11 Module"); 
+                 // "Fortezza ... Module" is the logical name of the bundle 
+
+ // Step 2. Start the install process 
+ bAbort = false; 
+ err = su.StartInstall("NSfortezza", vi, netscape.softupdate.SoftwareUpdate.FULL_INSTALL); 
+                            // nsfortezza is the component folder (logical) 
+        bAbort = bAbort || (err !=0); 
+
+ if (err == 0) { 
+
+    // Step 3. Find out the physical location of the Program dir 
+    Folder = su.GetFolder("Program"); 
+
+    // Step 4. Install the files. Unpack them and list where they go 
+    err = su.AddSubcomponent("FortezzaCardDLL", //component name (logical) 
+                                    vi, // version info 
+                                    "DUMMY_DLL", // source file in JAR (physical) 
+                                    Folder, // target folder (physical) 
+                                    "DUMMY_DLL", // target path & filename (physical) 
+                                    this.force); // forces update 
+    bAbort = bAbort || (err !=0); 
+ } 
+
+ // Step 5. Unless there was a problem, move files to final location 
+ // and update the Client Version Registry 
+ if (bAbort) { 
+    window.alert("Installation Aborted"); 
+    su.AbortInstall(); 
+ } else { 
+    err = su.FinalizeInstall(); 
+    window.alert("Files have been installed.\nContinue to setup the newly isntalled module..."); 
+    // Add Module 
+    compFolder = su.GetComponentFolder("NSfortezza/FortezzaCardDLL") + "/DUMMY_DLL"; 
+    result = pkcs11.addmodule("Netscape FORTEZZA Module", compFolder, pkcs11MechanismFlags, pkcs11CipherFlags); 
+           if ( result < 0) { 
+               window.alert("New module setup failed.  Error code: " + result); 
+           } else { 
+               window.alert("New module setup completed."); 
+           } 
+ } 
+} 
diff --git a/security/nss/lib/fortcrypt/maci.c b/security/nss/lib/fortcrypt/maci.c
new file mode 100644
index 000000000..a0120b771
--- /dev/null
+++ b/security/nss/lib/fortcrypt/maci.c
@@ -0,0 +1,901 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#include "seccomon.h"
+
+#if defined( _WIN32 ) || defined( __WIN32__ )
+#define RETURN_TYPE  extern _declspec( dllexport ) int _cdecl
+#endif /* Windows */
+#include "maci.h"
+
+
+RETURN_TYPE
+MACI_ChangePIN PROTO_LIST( (
+    HSESSION       hSession,
+    int            PINType,
+    CI_PIN CI_FAR  pOldPIN,
+    CI_PIN CI_FAR  pNewPIN ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_CheckPIN PROTO_LIST( (
+    HSESSION       hSession,
+    int            PINType,
+    CI_PIN CI_FAR  pPIN ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_Close PROTO_LIST( (
+    HSESSION       hSession,
+    unsigned int   Flags,
+    int            SocketIndex ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_Decrypt PROTO_LIST( (
+    HSESSION       hSession,
+    unsigned int   CipherSize,
+    CI_DATA        pCipher,
+    CI_DATA        pPlain ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_DeleteCertificate PROTO_LIST( (
+    HSESSION       hSession,
+    int            CertificateIndex ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_DeleteKey PROTO_LIST( (
+    HSESSION       hSession,
+    int            RegisterIndex ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_Encrypt PROTO_LIST( (
+    HSESSION       hSession,
+    unsigned int   PlainSize,
+    CI_DATA        pPlain,
+    CI_DATA        pCipher ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_ExtractX PROTO_LIST( (
+    HSESSION             hSession,
+    int                  CertificateIndex,
+    int                  AlgorithmType,
+    CI_PASSWORD CI_FAR   pPassword,
+    unsigned int         YSize,
+    CI_Y CI_FAR          pY,
+    CI_WRAPPED_X CI_FAR  pX,
+    CI_RA CI_FAR         pRa,
+    unsigned int         PandGSize,
+    unsigned int         QSize,
+    CI_P CI_FAR          pP,
+    CI_Q CI_FAR          pQ,
+    CI_G CI_FAR          pG ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_FirmwareUpdate PROTO_LIST( (
+    HSESSION       hSession,
+    unsigned long  Flags,
+    long           Cksum,
+    unsigned int   CksumLength,
+    unsigned int   DataSize,
+    CI_DATA        pData ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_GenerateIV PROTO_LIST( (
+    HSESSION       hSession,
+    CI_IV CI_FAR  pIV ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_GenerateMEK PROTO_LIST( (
+    HSESSION       hSession,
+    int  RegisterIndex,
+    int  Reserved ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_GenerateRa PROTO_LIST( (
+    HSESSION       hSession,
+    CI_RA CI_FAR   pRa ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_GenerateRandom PROTO_LIST( (
+    HSESSION          hSession,
+    CI_RANDOM CI_FAR  pRandom ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_GenerateTEK PROTO_LIST( (
+    HSESSION      hSession,
+    int           Flags,
+    int           RegisterIndex,
+    CI_RA CI_FAR  pRa,
+    CI_RB CI_FAR  pRb,
+    unsigned int  YSize,
+    CI_Y CI_FAR   pY ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_GenerateX PROTO_LIST( (
+    HSESSION      hSession,
+    int           CertificateIndex,
+    int           AlgorithmType,
+    unsigned int  PandGSize,
+    unsigned int  QSize,
+    CI_P CI_FAR   pP,
+    CI_Q CI_FAR   pQ,
+    CI_G CI_FAR   pG,
+    unsigned int  YSize,
+    CI_Y CI_FAR   pY ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_GetCertificate PROTO_LIST( (
+    HSESSION               hSession,
+    int                    CertificateIndex,
+    CI_CERTIFICATE CI_FAR  pCertificate ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_GetConfiguration PROTO_LIST( (
+    HSESSION       hSession,
+    CI_CONFIG_PTR  pConfiguration ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_GetHash PROTO_LIST( (
+    HSESSION             hSession,
+    unsigned int         DataSize,
+    CI_DATA              pData,
+    CI_HASHVALUE CI_FAR  pHashValue ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_GetPersonalityList PROTO_LIST( (
+    HSESSION          hSession,
+    int               EntryCount,
+    CI_PERSON CI_FAR  pPersonalityList[] ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_GetSessionID PROTO_LIST( (
+    HSESSION     *hSession ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_GetState PROTO_LIST( (
+    HSESSION       hSession,
+    CI_STATE_PTR   pState ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_GetStatus PROTO_LIST( (
+    HSESSION       hSession,
+    CI_STATUS_PTR  pStatus ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_GetTime PROTO_LIST( (
+    HSESSION        hSession,
+    CI_TIME CI_FAR  pTime ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_Hash PROTO_LIST( (
+    HSESSION      hSession,
+    unsigned int  DataSize,
+    CI_DATA       pData ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_Initialize PROTO_LIST( (
+    int CI_FAR  *SocketCount ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_InitializeHash PROTO_LIST( (
+    HSESSION          hSession ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_InstallX PROTO_LIST( (
+    HSESSION             hSession,
+    int                  CertificateIndex,
+    int                  AlgorithmType,
+    CI_PASSWORD CI_FAR   pPassword,
+    unsigned int         YSize,
+    CI_Y CI_FAR          pY,
+    CI_WRAPPED_X CI_FAR  pWrappedX,
+    CI_RA CI_FAR         pRa,
+    unsigned int         PandGSize,
+    unsigned int         QSize,
+    CI_P CI_FAR          pP,
+    CI_Q CI_FAR          pQ,
+    CI_G CI_FAR          pG ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_LoadCertificate PROTO_LIST( (
+    HSESSION               hSession,
+    int                    CertificateIndex,
+    CI_CERT_STR CI_FAR     pCertLabel,
+    CI_CERTIFICATE CI_FAR  pCertificate,
+    long                   Reserved ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_LoadDSAParameters PROTO_LIST( (
+    HSESSION      hSession,
+    unsigned int  PandGSize,
+    unsigned int  QSize,
+    CI_P CI_FAR   pP,
+    CI_Q CI_FAR   pQ,
+    CI_G CI_FAR   pG ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_LoadInitValues PROTO_LIST( (
+    HSESSION            hSession,
+    CI_RANDSEED CI_FAR  pRandSeed,
+    CI_KS CI_FAR        pKs ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_LoadIV PROTO_LIST( (
+    HSESSION      hSession,
+    CI_IV CI_FAR  pIV ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_LoadX PROTO_LIST( (
+    HSESSION      hSession,
+    int           CertificateIndex,
+    int           AlgorithmType,
+    unsigned int  PandGSize,
+    unsigned int  QSize,
+    CI_P CI_FAR   pP,
+    CI_Q CI_FAR   pQ,
+    CI_G CI_FAR   pG,
+    CI_X CI_FAR   pX,
+    unsigned int  YSize,
+    CI_Y CI_FAR   pY ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_Lock PROTO_LIST( (
+    HSESSION  hSession,
+    int       Flags ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_Open PROTO_LIST( (
+    HSESSION      hSession,
+    unsigned int  Flags,
+    int           SocketIndex ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_RelayX PROTO_LIST( (
+    HSESSION             hSession,
+    CI_PASSWORD CI_FAR   pOldPassword,
+    unsigned int         OldYSize,
+    CI_Y CI_FAR          pOldY,
+    CI_RA CI_FAR         pOldRa,
+    CI_WRAPPED_X CI_FAR  pOldWrappedX,
+    CI_PASSWORD CI_FAR   pNewPassword,
+    unsigned int         NewYSize,
+    CI_Y CI_FAR          pNewY,
+    CI_RA CI_FAR         pNewRa,
+    CI_WRAPPED_X CI_FAR  pNewWrappedX ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_Reset PROTO_LIST( (
+    HSESSION          hSession ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_Restore PROTO_LIST( (
+    HSESSION             hSession,
+    int                  CryptoType,
+    CI_SAVE_DATA CI_FAR  pData ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_Save PROTO_LIST( (
+    HSESSION             hSession,
+    int                  CryptoType,
+    CI_SAVE_DATA CI_FAR  pData ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_Select PROTO_LIST( (
+    HSESSION  hSession,
+    int       SocketIndex ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_SetConfiguration PROTO_LIST( (
+    HSESSION      hSession,
+    int           Type,
+    unsigned int  DataSize,
+    CI_DATA       pData ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_SetKey PROTO_LIST( (
+    HSESSION     hSession,
+    int  RegisterIndex ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_SetMode PROTO_LIST( (
+    HSESSION hSession,
+    int      CryptoType,
+    int      CryptoMode ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_SetPersonality PROTO_LIST( (
+    HSESSION hSession,
+    int      CertificateIndex ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_SetTime PROTO_LIST( (
+    HSESSION        hSession,
+    CI_TIME CI_FAR  pTime ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_Sign PROTO_LIST( (
+    HSESSION             hSession,
+    CI_HASHVALUE CI_FAR  pHashValue,
+    CI_SIGNATURE CI_FAR  pSignature ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_Terminate PROTO_LIST( (
+    HSESSION          hSession ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_TimeStamp PROTO_LIST( (
+    HSESSION             hSession,
+    CI_HASHVALUE CI_FAR  pHashValue,
+    CI_SIGNATURE CI_FAR  pSignature,
+    CI_TIMESTAMP CI_FAR  pTimeStamp ) ) {
+    return CI_ERROR;
+}
+  
+RETURN_TYPE
+MACI_Unlock PROTO_LIST( (
+    HSESSION          hSession)  ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_UnwrapKey PROTO_LIST( (
+    HSESSION       hSession,
+    int            UnwrapIndex,
+    int            KeyIndex,
+    CI_KEY CI_FAR  pKey ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_VerifySignature PROTO_LIST( (
+    HSESSION             hSession,
+    CI_HASHVALUE CI_FAR  pHashValue,
+    unsigned int         YSize,
+    CI_Y CI_FAR          pY,
+    CI_SIGNATURE CI_FAR  pSignature ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_VerifyTimeStamp PROTO_LIST( (
+    HSESSION             hSession,
+    CI_HASHVALUE CI_FAR  pHashValue,
+    CI_SIGNATURE CI_FAR  pSignature,
+    CI_TIMESTAMP CI_FAR  pTimeStamp ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_WrapKey PROTO_LIST( (
+    HSESSION       hSession,
+    int            WrapIndex,
+    int            KeyIndex,
+    CI_KEY CI_FAR  pKey ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+MACI_Zeroize PROTO_LIST( (
+    HSESSION          hSession ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_ChangePIN PROTO_LIST( (
+    int            PINType,
+    CI_PIN CI_FAR  pOldPIN,
+    CI_PIN CI_FAR  pNewPIN ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_CheckPIN PROTO_LIST( (
+    int            PINType,
+    CI_PIN CI_FAR  pPIN ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_Close PROTO_LIST( (
+    unsigned int   Flags,
+    int            SocketIndex ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_Decrypt PROTO_LIST( (
+    unsigned int   CipherSize,
+    CI_DATA        pCipher,
+    CI_DATA        pPlain ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_DeleteCertificate PROTO_LIST( (
+    int            CertificateIndex ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_DeleteKey PROTO_LIST( (
+    int            RegisterIndex ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_Encrypt PROTO_LIST( (
+    unsigned int   PlainSize,
+    CI_DATA        pPlain,
+    CI_DATA        pCipher ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_ExtractX PROTO_LIST( (
+    int                  CertificateIndex,
+    int                  AlgorithmType,
+    CI_PASSWORD CI_FAR   pPassword,
+    unsigned int         YSize,
+    CI_Y CI_FAR          pY,
+    CI_WRAPPED_X CI_FAR  pX,
+    CI_RA CI_FAR         pRa,
+    unsigned int         PandGSize,
+    unsigned int         QSize,
+    CI_P CI_FAR          pP,
+    CI_Q CI_FAR          pQ,
+    CI_G CI_FAR          pG ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_FirmwareUpdate PROTO_LIST( (
+    unsigned long  Flags,
+    long           Cksum,
+    unsigned int   CksumLength,
+    unsigned int   DataSize,
+    CI_DATA        pData ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_GenerateIV PROTO_LIST( (
+    CI_IV CI_FAR  pIV ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_GenerateMEK PROTO_LIST( (
+    int  RegisterIndex,
+    int  Reserved ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_GenerateRa PROTO_LIST( (
+    CI_RA CI_FAR   pRa ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_GenerateRandom PROTO_LIST( (
+    CI_RANDOM CI_FAR  pRandom ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_GenerateTEK PROTO_LIST( (
+    int           Flags,
+    int           RegisterIndex,
+    CI_RA CI_FAR  pRa,
+    CI_RB CI_FAR  pRb,
+    unsigned int  YSize,
+    CI_Y CI_FAR   pY ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_GenerateX PROTO_LIST( (
+    int           CertificateIndex,
+    int           AlgorithmType,
+    unsigned int  PandGSize,
+    unsigned int  QSize,
+    CI_P CI_FAR   pP,
+    CI_Q CI_FAR   pQ,
+    CI_G CI_FAR   pG,
+    unsigned int  YSize,
+    CI_Y CI_FAR   pY ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_GetCertificate PROTO_LIST( (
+    int                    CertificateIndex,
+    CI_CERTIFICATE CI_FAR  pCertificate ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_GetConfiguration PROTO_LIST( (
+    CI_CONFIG_PTR  pConfiguration ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_GetHash PROTO_LIST( (
+    unsigned int         DataSize,
+    CI_DATA              pData,
+    CI_HASHVALUE CI_FAR  pHashValue ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_GetPersonalityList PROTO_LIST( (
+    int               EntryCount,
+    CI_PERSON CI_FAR  pPersonalityList[] ) ) {
+    return CI_ERROR;
+}
+
+
+RETURN_TYPE
+CI_GetState PROTO_LIST( (
+    CI_STATE_PTR   pState ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_GetStatus PROTO_LIST( (
+    CI_STATUS_PTR  pStatus ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_GetTime PROTO_LIST( (
+    CI_TIME CI_FAR  pTime ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_Hash PROTO_LIST( (
+    unsigned int  DataSize,
+    CI_DATA       pData ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_Initialize PROTO_LIST( (
+    int CI_FAR  *SocketCount ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_InitializeHash PROTO_LIST( () ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_InstallX PROTO_LIST( (
+    int                  CertificateIndex,
+    int                  AlgorithmType,
+    CI_PASSWORD CI_FAR   pPassword,
+    unsigned int         YSize,
+    CI_Y CI_FAR          pY,
+    CI_WRAPPED_X CI_FAR  pWrappedX,
+    CI_RA CI_FAR         pRa,
+    unsigned int         PandGSize,
+    unsigned int         QSize,
+    CI_P CI_FAR          pP,
+    CI_Q CI_FAR          pQ,
+    CI_G CI_FAR          pG ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_LoadCertificate PROTO_LIST( (
+    int                    CertificateIndex,
+    CI_CERT_STR CI_FAR     pCertLabel,
+    CI_CERTIFICATE CI_FAR  pCertificate,
+    long                   Reserved ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_LoadDSAParameters PROTO_LIST( (
+    unsigned int  PandGSize,
+    unsigned int  QSize,
+    CI_P CI_FAR   pP,
+    CI_Q CI_FAR   pQ,
+    CI_G CI_FAR   pG ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_LoadInitValues PROTO_LIST( (
+    CI_RANDSEED CI_FAR  pRandSeed,
+    CI_KS CI_FAR        pKs ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_LoadIV PROTO_LIST( (
+    CI_IV CI_FAR  pIV ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_LoadX PROTO_LIST( (
+    int           CertificateIndex,
+    int           AlgorithmType,
+    unsigned int  PandGSize,
+    unsigned int  QSize,
+    CI_P CI_FAR   pP,
+    CI_Q CI_FAR   pQ,
+    CI_G CI_FAR   pG,
+    CI_X CI_FAR   pX,
+    unsigned int  YSize,
+    CI_Y CI_FAR   pY ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_Lock PROTO_LIST( (
+    int       Flags ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_Open PROTO_LIST( (
+    unsigned int  Flags,
+    int           SocketIndex ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_RelayX PROTO_LIST( (
+    CI_PASSWORD CI_FAR   pOldPassword,
+    unsigned int         OldYSize,
+    CI_Y CI_FAR          pOldY,
+    CI_RA CI_FAR         pOldRa,
+    CI_WRAPPED_X CI_FAR  pOldWrappedX,
+    CI_PASSWORD CI_FAR   pNewPassword,
+    unsigned int         NewYSize,
+    CI_Y CI_FAR          pNewY,
+    CI_RA CI_FAR         pNewRa,
+    CI_WRAPPED_X CI_FAR  pNewWrappedX ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_Reset PROTO_LIST( ( ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_Restore PROTO_LIST( (
+    int                  CryptoType,
+    CI_SAVE_DATA CI_FAR  pData ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_Save PROTO_LIST( (
+    int                  CryptoType,
+    CI_SAVE_DATA CI_FAR  pData ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_Select PROTO_LIST( (
+    int       SocketIndex ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_SetConfiguration PROTO_LIST( (
+    int           Type,
+    unsigned int  DataSize,
+    CI_DATA       pData ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_SetKey PROTO_LIST( (
+    int  RegisterIndex ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_SetMode PROTO_LIST( (
+    int      CryptoType,
+    int      CryptoMode ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_SetPersonality PROTO_LIST( (
+    int      CertificateIndex ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_SetTime PROTO_LIST( (
+    CI_TIME CI_FAR  pTime ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_Sign PROTO_LIST( (
+    CI_HASHVALUE CI_FAR  pHashValue,
+    CI_SIGNATURE CI_FAR  pSignature ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_Terminate PROTO_LIST( ( ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_TimeStamp PROTO_LIST( (
+    CI_HASHVALUE CI_FAR  pHashValue,
+    CI_SIGNATURE CI_FAR  pSignature,
+    CI_TIMESTAMP CI_FAR  pTimeStamp ) ) {
+    return CI_ERROR;
+}
+  
+RETURN_TYPE
+CI_Unlock PROTO_LIST( ()  ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_UnwrapKey PROTO_LIST( (
+    int            UnwrapIndex,
+    int            KeyIndex,
+    CI_KEY CI_FAR  pKey ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_VerifySignature PROTO_LIST( (
+    CI_HASHVALUE CI_FAR  pHashValue,
+    unsigned int         YSize,
+    CI_Y CI_FAR          pY,
+    CI_SIGNATURE CI_FAR  pSignature ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_VerifyTimeStamp PROTO_LIST( (
+    CI_HASHVALUE CI_FAR  pHashValue,
+    CI_SIGNATURE CI_FAR  pSignature,
+    CI_TIMESTAMP CI_FAR  pTimeStamp ) ) {
+    return CI_ERROR;
+}
+
+RETURN_TYPE
+CI_WrapKey PROTO_LIST( (
+    int            WrapIndex,
+    int            KeyIndex,
+    CI_KEY CI_FAR  pKey ) ) {
+    return CI_ERROR;
+}
+
diff --git a/security/nss/lib/fortcrypt/maci.h b/security/nss/lib/fortcrypt/maci.h
new file mode 100644
index 000000000..eb38ff81c
--- /dev/null
+++ b/security/nss/lib/fortcrypt/maci.h
@@ -0,0 +1,776 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/* @(#)maci.h	1.27\t05 Jan 1996 */
+/*****************************************************************************
+  Definitive Fortezza header file.
+  Application Level Interface to Fortezza MACI Library.
+ 
+  Version for CI Library 1.52
+    January 5, 1996
+
+
+  NOTICE: Fortezza Export Policy
+
+    The Fortezza Cryptologic Interface (CI) Library (both source and 
+    object) and Fortezza CI Library based applications are defense 
+    articles, as defined in the International Traffic In Arms 
+    Regulations (ITAR), and are subject to export controls under the 
+    ITAR and the Arms Export Control Act. Any export to any country 
+    of (a) the Fortezza CI Library, related documentation, and 
+    technical data, or (b) your cryptographic application, process, 
+    or service that is the direct product of, or contains the 
+    Fortezza CI Library must comply with the requirements of the ITAR. 
+    If you or your customer intends to engage in such export, contact 
+    the United States Department of State, Office of Defense Trade 
+    Controls for specific guidance.
+
+
+ ****************************************************************************/
+#ifndef __MACI_H
+#define __MACI_H
+
+#if __cplusplus__ || __cplusplus
+extern "C"
+{
+#endif /* C++ */
+
+
+#ifndef __CRYPTINT_H
+
+#ifndef PROTO_LIST
+#ifdef _K_AND_R_
+#define PROTO_LIST(list)  ()
+#else
+#define PROTO_LIST(list)  list
+#endif /*_K_AND_R_ */
+#endif /* PROTO_LIST */
+
+
+#ifndef RETURN_TYPE
+#if defined( _WIN32 ) || defined( __WIN32__ )
+#define RETURN_TYPE  extern _declspec( dllimport ) int _cdecl
+#elif defined( _WINDOWS ) || defined( _Windows )
+#define RETURN_TYPE  extern int _far _pascal
+#else
+#define RETURN_TYPE  extern int
+#endif /* Windows */
+#endif /* RETURN_TYPE */
+
+/* MS Visual C++ defines _MSDOS and _WINDOWS    */
+/* Borland C/C++ defines __MSDOS__ and _Windows */
+#if (defined( _WINDOWS ) || defined( _Windows )) && \
+    !(defined( _WIN32 ) || defined( __WIN32__ ))
+#define CI_FAR  _far
+#else
+#define CI_FAR
+#endif /* MS DOS or Windows */
+
+
+/*****************************************************************************
+  Constants
+ ****************************************************************************/
+#define CI_LIB_VERSION_VAL        0x0152    /* Version 1.52 */
+
+#define CI_CERT_SIZE              2048
+#define CI_CERT_FLAGS_SIZE        16
+#define CI_CERT_NAME_SIZE         32
+#define CI_CHALLENGE_SIZE         20
+
+#define CI_G_SIZE                 128
+
+#define CI_HASHVALUE_SIZE         20
+
+#define CI_IV_SIZE                24
+
+#define CI_KEY_SIZE               12
+#define CI_KS_SIZE                10
+
+#define CI_NAME_SIZE              32
+
+#define CI_PASSWORD_SIZE          24
+#define CI_PIN_SIZE               12
+#define CI_P_SIZE                 128
+
+#define CI_Q_SIZE                 20
+
+#define CI_R_SIZE                 40
+#define CI_RANDOM_NO_SIZE         20
+#define CI_RANDOM_SEED_SIZE       8
+#define CI_RA_SIZE                128
+#define CI_RB_SIZE                128
+#define CI_REG_FLAGS_SIZE         4
+
+#define CI_S_SIZE                 40
+#define CI_SAVE_DATA_SIZE         28
+#define CI_SERIAL_NUMBER_SIZE     8
+#define CI_SIGNATURE_SIZE         40
+#define CI_STATUS_FLAGS_SIZE      4
+
+#define CI_TIME_SIZE              16
+#define CI_TIMESTAMP_SIZE         16
+
+#define CI_WRAPPED_X_SIZE         24
+
+#define CI_Y_SIZE                 128
+
+#define CI_X_SIZE                 20
+
+
+/* Miscellaneous */
+#define CI_NULL_FLAG              0 
+#define CI_POWER_DOWN_FLAG        2
+#define CI_NO_LOG_OFF_FLAG        4
+#define CI_INITIATOR_FLAG         0
+#define CI_RECIPIENT_FLAG         1
+
+#define CI_BLOCK_LOCK_FLAG        1
+#define CI_SSO_LOGGED_ON          0x40
+#define CI_USER_LOGGED_ON         0x00
+#define CI_FAST_MODE              0x10
+#define CI_SLOW_MODE              0x00
+#define CI_WORST_CASE_MODE        0x40
+#define CI_TYPICAL_CASE_MODE      0x00
+
+/* Card Public Key Algorithms Types */
+#define CI_DSA_TYPE               0xA
+#define CI_KEA_TYPE               0x5
+#define CI_DSA_KEA_TYPE           0xF
+
+/* Fortezza Pin Types */
+#define CI_SSO_PIN                0x25
+#define CI_USER_PIN               0x2A
+
+/* Crypto Types */
+#define CI_ENCRYPT_TYPE           0
+#define CI_DECRYPT_TYPE           1
+#define CI_HASH_TYPE              2
+
+/* Save and Restore Types */
+#define CI_ENCRYPT_INT_TYPE       0x00      /* Internal Encryption */
+#define CI_ENCRYPT_EXT_TYPE       0x10      /* External Encryption */
+#define CI_DECRYPT_INT_TYPE       0x01      /* Internal Decryption */
+#define CI_DECRYPT_EXT_TYPE       0x11      /* External Decryption */
+#define CI_HASH_INT_TYPE          0x02      /* Internal Hash */
+#define CI_HASH_EXT_TYPE          0x12      /* External Hash */
+#define CI_TYPE_EXT_FLAG          0x10      /* Used to differentiate */
+
+/* Configuration types */
+#define CI_SET_SPEED_TYPE         1
+#define CI_SET_TIMING_TYPE        2
+
+/* Lock States */
+#define CI_SOCKET_UNLOCKED        0
+#define CI_HOLD_LOCK              1
+#define CI_SOCKET_LOCKED          2
+   
+/* Fortezza Crypto Types Modes */
+#define CI_ECB64_MODE             0
+#define CI_CBC64_MODE             1
+#define CI_OFB64_MODE             2
+#define CI_CFB64_MODE             3
+#define CI_CFB32_MODE             4
+#define CI_CFB16_MODE             5
+#define CI_CFB8_MODE              6
+
+/* Card States */
+#define CI_POWER_UP               0
+#define CI_UNINITIALIZED          1
+#define CI_INITIALIZED            2
+#define CI_SSO_INITIALIZED        3
+#define CI_LAW_INITIALIZED        4
+#define CI_USER_INITIALIZED       5
+#define CI_STANDBY                6
+#define CI_READY                  7
+#define CI_ZEROIZE                8
+#define CI_INTERNAL_FAILURE       (-1)
+
+/* Flags for Firmware Update. */
+#if !defined( _K_AND_R_ )
+
+#define CI_NOT_LAST_BLOCK_FLAG    0x00000000UL
+#define CI_LAST_BLOCK_FLAG        0x80000000UL
+#define CI_DESTRUCTIVE_FLAG       0x000000FFUL
+#define CI_NONDESTRUCTIVE_FLAG    0x0000FF00UL
+
+#else
+
+#define CI_NOT_LAST_BLOCK_FLAG    0x00000000L
+#define CI_LAST_BLOCK_FLAG        0x80000000L
+#define CI_DESTRUCTIVE_FLAG       0x000000FFL
+#define CI_NONDESTRUCTIVE_FLAG    0x0000FF00L
+
+#endif /* _K_AND_R_ */
+
+/****************************************************************************
+  Fortezza Library Return Codes
+ ***************************************************************************/
+
+/* Card Responses */
+#define CI_OK                     0
+#define CI_FAIL                   1
+#define CI_CHECKWORD_FAIL         2
+#define CI_INV_TYPE               3
+#define CI_INV_MODE               4
+#define CI_INV_KEY_INDEX          5
+#define CI_INV_CERT_INDEX         6
+#define CI_INV_SIZE               7
+#define CI_INV_HEADER             8
+#define CI_INV_STATE              9
+#define CI_EXEC_FAIL              10
+#define CI_NO_KEY                 11
+#define CI_NO_IV                  12
+#define CI_NO_X                   13
+
+#define CI_NO_SAVE                15
+#define CI_REG_IN_USE             16
+#define CI_INV_COMMAND            17
+#define CI_INV_POINTER            18
+#define CI_BAD_CLOCK              19
+#define CI_NO_DSA_PARMS           20
+
+/* Library Errors */
+#define CI_ERROR                  (-1)
+#define CI_LIB_NOT_INIT           (-2)
+#define CI_CARD_NOT_READY         (-3)
+#define CI_CARD_IN_USE            (-4)
+#define CI_TIME_OUT               (-5)
+#define CI_OUT_OF_MEMORY          (-6)
+#define CI_NULL_PTR               (-7)
+#define CI_BAD_SIZE               (-8)
+#define CI_NO_DECRYPT             (-9)
+#define CI_NO_ENCRYPT             (-10)
+#define CI_NO_EXECUTE             (-11)
+#define CI_BAD_PARAMETER          (-12)
+#define CI_OUT_OF_RESOURCES       (-13)
+
+#define CI_NO_CARD                (-20)
+#define CI_NO_DRIVER              (-21)
+#define CI_NO_CRDSRV              (-22)
+#define CI_NO_SCTSRV              (-23)
+
+#define CI_BAD_CARD               (-30)
+#define CI_BAD_IOCTL              (-31)
+#define CI_BAD_READ               (-32)
+#define CI_BAD_SEEK               (-33)
+#define CI_BAD_WRITE              (-34)
+#define CI_BAD_FLUSH              (-35)
+#define CI_BAD_IOSEEK             (-36)
+#define CI_BAD_ADDR               (-37)
+
+#define CI_INV_SOCKET_INDEX       (-40)
+#define CI_SOCKET_IN_USE          (-41)
+#define CI_NO_SOCKET              (-42)
+#define CI_SOCKET_NOT_OPENED      (-43)
+#define CI_BAD_TUPLES             (-44)
+#define CI_NOT_A_CRYPTO_CARD      (-45)
+
+#define CI_INVALID_FUNCTION       (-50)
+#define CI_LIB_ALRDY_INIT         (-51)
+#define CI_SRVR_ERROR             (-52)
+#define MACI_SESSION_EXCEEDED     (-53)
+
+
+/*****************************************************************************
+  Data Structures
+ ****************************************************************************/
+
+
+typedef unsigned char   CI_CERTIFICATE[CI_CERT_SIZE];
+
+typedef unsigned char   CI_CERT_FLAGS[CI_CERT_FLAGS_SIZE];
+
+typedef unsigned char   CI_CERT_STR[CI_CERT_NAME_SIZE+4];
+
+typedef unsigned char   CI_FAR *CI_DATA;
+
+typedef unsigned char   CI_G[CI_G_SIZE];
+
+typedef unsigned char   CI_HASHVALUE[CI_HASHVALUE_SIZE];
+
+typedef unsigned char   CI_IV[CI_IV_SIZE];
+
+typedef unsigned char   CI_KEY[CI_KEY_SIZE];
+
+typedef unsigned char   CI_KS[CI_KS_SIZE];
+
+typedef unsigned char   CI_P[CI_P_SIZE];
+
+typedef unsigned char   CI_PASSWORD[CI_PASSWORD_SIZE + 4];
+
+typedef unsigned char   CI_PIN[CI_PIN_SIZE + 4];
+
+typedef unsigned char   CI_Q[CI_Q_SIZE];
+
+typedef unsigned char   CI_RA[CI_RA_SIZE];
+
+typedef unsigned char   CI_RB[CI_RB_SIZE];
+
+typedef unsigned char   CI_RANDOM[CI_RANDOM_NO_SIZE];
+
+typedef unsigned char   CI_RANDSEED[CI_RANDOM_SEED_SIZE];
+
+typedef unsigned char   CI_REG_FLAGS[CI_REG_FLAGS_SIZE];
+
+typedef unsigned char   CI_SIGNATURE[CI_SIGNATURE_SIZE];
+
+typedef unsigned char   CI_SAVE_DATA[CI_SAVE_DATA_SIZE];
+
+typedef unsigned char   CI_SERIAL_NUMBER[CI_SERIAL_NUMBER_SIZE];
+
+typedef unsigned int    CI_STATE, CI_FAR *CI_STATE_PTR;
+
+typedef unsigned char   CI_TIME[CI_TIME_SIZE];
+
+typedef unsigned char   CI_TIMESTAMP[CI_TIMESTAMP_SIZE];
+
+typedef unsigned char   CI_WRAPPED_X[CI_WRAPPED_X_SIZE];
+
+typedef unsigned char   CI_Y[CI_Y_SIZE];
+
+typedef unsigned char   CI_X[CI_X_SIZE];
+
+typedef struct {
+    int     LibraryVersion;                 /* CI Library version */
+    int     ManufacturerVersion;            /* Card's hardware version */
+    char    ManufacturerName[CI_NAME_SIZE+4]; /* Card manufacturer's name*/
+    char    ProductName[CI_NAME_SIZE+4];    /* Card's product name */
+    char    ProcessorType[CI_NAME_SIZE+4];  /* Card's processor type */
+    unsigned long  UserRAMSize;             /* Amount of User RAM in bytes */
+    unsigned long  LargestBlockSize;        /* Largest block of data to pass in */
+    int     KeyRegisterCount;               /* Number of key registers */
+    int     CertificateCount;               /* Maximum number of personalities (# certs-1) */
+    int     CryptoCardFlag;                 /* A flag that if non-zero indicates that there is
+                                               a Crypto-Card in the socket. If this value is
+                                               zero then there is NOT a Crypto-Card in the
+                                               sockets. */
+    int     ICDVersion;                     /* The ICD compliance level */
+    int     ManufacturerSWVer;              /* The Manufacturer's Software Version */
+    int     DriverVersion;                  /* Driver Version */
+} CI_CONFIG, CI_FAR *CI_CONFIG_PTR;
+
+typedef struct {
+    int          CertificateIndex;          /* Index from 1 to CertificateCount */
+    CI_CERT_STR  CertLabel;                 /* The certificate label */
+} CI_PERSON, CI_FAR *CI_PERSON_PTR;
+
+typedef struct {
+     int    CurrentSocket;                  /* The currently selected socket */
+     int    LockState;                      /* Lock status of the current socket */
+     CI_SERIAL_NUMBER  SerialNumber;        /* Serial number of the Crypto Engine chip */
+     CI_STATE  CurrentState;                /* State of The Card */
+     int    DecryptionMode;                 /* Decryption mode of The Card */
+     int    EncryptionMode;                 /* Encryption mode of The Card */
+     int    CurrentPersonality;             /* Index of the current personality */
+     int    KeyRegisterCount;               /* No. of Key Register on The Card */
+     CI_REG_FLAGS   KeyRegisterFlags;       /* Bit Masks indicating Key Register use */
+     int    CertificateCount;               /* No. of Certificates on The Card */
+     CI_CERT_FLAGS  CertificateFlags;       /* Bit Mask indicating certificate use */
+     unsigned char  Flags[CI_STATUS_FLAGS_SIZE];  
+                                            /* Flag[0] : bit 6 for Condition mode */
+                                            /*           bit 4 for Clock mode */
+} CI_STATUS, CI_FAR *CI_STATUS_PTR;
+
+#endif
+
+/*  Session constants */
+#ifndef HSESSION_DEFINE
+typedef unsigned int    HSESSION;
+#define HSESSION_DEFINE
+#endif
+#define MAXSESSION 100
+
+/*****************************************************************************
+  Function Call Prototypes
+ ****************************************************************************/
+
+RETURN_TYPE
+MACI_ChangePIN PROTO_LIST( (
+    HSESSION       hSession,
+    int            PINType,
+    CI_PIN CI_FAR  pOldPIN,
+    CI_PIN CI_FAR  pNewPIN ) );
+
+RETURN_TYPE
+MACI_CheckPIN PROTO_LIST( (
+    HSESSION       hSession,
+    int            PINType,
+    CI_PIN CI_FAR  pPIN ) );
+
+RETURN_TYPE
+MACI_Close PROTO_LIST( (
+    HSESSION       hSession,
+    unsigned int   Flags,
+    int            SocketIndex ) );
+
+RETURN_TYPE
+MACI_Decrypt PROTO_LIST( (
+    HSESSION       hSession,
+    unsigned int   CipherSize,
+    CI_DATA        pCipher,
+    CI_DATA        pPlain ) );
+
+RETURN_TYPE
+MACI_DeleteCertificate PROTO_LIST( (
+    HSESSION       hSession,
+    int            CertificateIndex ) );
+
+RETURN_TYPE
+MACI_DeleteKey PROTO_LIST( (
+    HSESSION       hSession,
+    int            RegisterIndex ) );
+
+RETURN_TYPE
+MACI_Encrypt PROTO_LIST( (
+    HSESSION       hSession,
+    unsigned int   PlainSize,
+    CI_DATA        pPlain,
+    CI_DATA        pCipher ) );
+
+RETURN_TYPE
+MACI_ExtractX PROTO_LIST( (
+    HSESSION             hSession,
+    int                  CertificateIndex,
+    int                  AlgorithmType,
+    CI_PASSWORD CI_FAR   pPassword,
+    unsigned int         YSize,
+    CI_Y CI_FAR          pY,
+    CI_WRAPPED_X CI_FAR  pX,
+    CI_RA CI_FAR         pRa,
+    unsigned int         PandGSize,
+    unsigned int         QSize,
+    CI_P CI_FAR          pP,
+    CI_Q CI_FAR          pQ,
+    CI_G CI_FAR          pG ) );
+
+RETURN_TYPE
+MACI_FirmwareUpdate PROTO_LIST( (
+    HSESSION       hSession,
+    unsigned long  Flags,
+    long           Cksum,
+    unsigned int   CksumLength,
+    unsigned int   DataSize,
+    CI_DATA        pData ) );
+
+RETURN_TYPE
+MACI_GenerateIV PROTO_LIST( (
+    HSESSION       hSession,
+    CI_IV CI_FAR  pIV ) );
+
+RETURN_TYPE
+MACI_GenerateMEK PROTO_LIST( (
+    HSESSION       hSession,
+    int  RegisterIndex,
+    int  Reserved ) );
+
+RETURN_TYPE
+MACI_GenerateRa PROTO_LIST( (
+    HSESSION       hSession,
+    CI_RA CI_FAR   pRa ) );
+
+RETURN_TYPE
+MACI_GenerateRandom PROTO_LIST( (
+    HSESSION          hSession,
+    CI_RANDOM CI_FAR  pRandom ) );
+
+RETURN_TYPE
+MACI_GenerateTEK PROTO_LIST( (
+    HSESSION      hSession,
+    int           Flags,
+    int           RegisterIndex,
+    CI_RA CI_FAR  pRa,
+    CI_RB CI_FAR  pRb,
+    unsigned int  YSize,
+    CI_Y CI_FAR   pY ) );
+
+RETURN_TYPE
+MACI_GenerateX PROTO_LIST( (
+    HSESSION      hSession,
+    int           CertificateIndex,
+    int           AlgorithmType,
+    unsigned int  PandGSize,
+    unsigned int  QSize,
+    CI_P CI_FAR   pP,
+    CI_Q CI_FAR   pQ,
+    CI_G CI_FAR   pG,
+    unsigned int  YSize,
+    CI_Y CI_FAR   pY ) );
+
+RETURN_TYPE
+MACI_GetCertificate PROTO_LIST( (
+    HSESSION               hSession,
+    int                    CertificateIndex,
+    CI_CERTIFICATE CI_FAR  pCertificate ) );
+
+RETURN_TYPE
+MACI_GetConfiguration PROTO_LIST( (
+    HSESSION       hSession,
+    CI_CONFIG_PTR  pConfiguration ) );
+
+RETURN_TYPE
+MACI_GetHash PROTO_LIST( (
+    HSESSION             hSession,
+    unsigned int         DataSize,
+    CI_DATA              pData,
+    CI_HASHVALUE CI_FAR  pHashValue ) );
+
+RETURN_TYPE
+MACI_GetPersonalityList PROTO_LIST( (
+    HSESSION          hSession,
+    int               EntryCount,
+    CI_PERSON CI_FAR  pPersonalityList[] ) );
+
+RETURN_TYPE
+MACI_GetSessionID PROTO_LIST( (
+    HSESSION     *hSession ) );
+
+RETURN_TYPE
+MACI_GetState PROTO_LIST( (
+    HSESSION       hSession,
+    CI_STATE_PTR   pState ) );
+
+RETURN_TYPE
+MACI_GetStatus PROTO_LIST( (
+    HSESSION       hSession,
+    CI_STATUS_PTR  pStatus ) );
+
+RETURN_TYPE
+MACI_GetTime PROTO_LIST( (
+    HSESSION        hSession,
+    CI_TIME CI_FAR  pTime ) );
+
+RETURN_TYPE
+MACI_Hash PROTO_LIST( (
+    HSESSION      hSession,
+    unsigned int  DataSize,
+    CI_DATA       pData ) );
+
+RETURN_TYPE
+MACI_Initialize PROTO_LIST( (
+    int CI_FAR  *SocketCount ) );
+
+RETURN_TYPE
+MACI_InitializeHash PROTO_LIST( (
+    HSESSION          hSession ) );
+
+RETURN_TYPE
+MACI_InstallX PROTO_LIST( (
+    HSESSION             hSession,
+    int                  CertificateIndex,
+    int                  AlgorithmType,
+    CI_PASSWORD CI_FAR   pPassword,
+    unsigned int         YSize,
+    CI_Y CI_FAR          pY,
+    CI_WRAPPED_X CI_FAR  pWrappedX,
+    CI_RA CI_FAR         pRa,
+    unsigned int         PandGSize,
+    unsigned int         QSize,
+    CI_P CI_FAR          pP,
+    CI_Q CI_FAR          pQ,
+    CI_G CI_FAR          pG ) );
+
+RETURN_TYPE
+MACI_LoadCertificate PROTO_LIST( (
+    HSESSION               hSession,
+    int                    CertificateIndex,
+    CI_CERT_STR CI_FAR     pCertLabel,
+    CI_CERTIFICATE CI_FAR  pCertificate,
+    long                   Reserved ) );
+
+RETURN_TYPE
+MACI_LoadDSAParameters PROTO_LIST( (
+    HSESSION      hSession,
+    unsigned int  PandGSize,
+    unsigned int  QSize,
+    CI_P CI_FAR   pP,
+    CI_Q CI_FAR   pQ,
+    CI_G CI_FAR   pG ) );
+
+RETURN_TYPE
+MACI_LoadInitValues PROTO_LIST( (
+    HSESSION            hSession,
+    CI_RANDSEED CI_FAR  pRandSeed,
+    CI_KS CI_FAR        pKs ) );
+
+RETURN_TYPE
+MACI_LoadIV PROTO_LIST( (
+    HSESSION      hSession,
+    CI_IV CI_FAR  pIV ) );
+
+RETURN_TYPE
+MACI_LoadX PROTO_LIST( (
+    HSESSION      hSession,
+    int           CertificateIndex,
+    int           AlgorithmType,
+    unsigned int  PandGSize,
+    unsigned int  QSize,
+    CI_P CI_FAR   pP,
+    CI_Q CI_FAR   pQ,
+    CI_G CI_FAR   pG,
+    CI_X CI_FAR   pX,
+    unsigned int  YSize,
+    CI_Y CI_FAR   pY ) );
+
+RETURN_TYPE
+MACI_Lock PROTO_LIST( (
+    HSESSION  hSession,
+    int       Flags ) );
+
+RETURN_TYPE
+MACI_Open PROTO_LIST( (
+    HSESSION      hSession,
+    unsigned int  Flags,
+    int           SocketIndex ) );
+
+RETURN_TYPE
+MACI_RelayX PROTO_LIST( (
+    HSESSION             hSession,
+    CI_PASSWORD CI_FAR   pOldPassword,
+    unsigned int         OldYSize,
+    CI_Y CI_FAR          pOldY,
+    CI_RA CI_FAR         pOldRa,
+    CI_WRAPPED_X CI_FAR  pOldWrappedX,
+    CI_PASSWORD CI_FAR   pNewPassword,
+    unsigned int         NewYSize,
+    CI_Y CI_FAR          pNewY,
+    CI_RA CI_FAR         pNewRa,
+    CI_WRAPPED_X CI_FAR  pNewWrappedX ) );
+
+RETURN_TYPE
+MACI_Reset PROTO_LIST( (
+    HSESSION          hSession ) );
+
+RETURN_TYPE
+MACI_Restore PROTO_LIST( (
+    HSESSION             hSession,
+    int                  CryptoType,
+    CI_SAVE_DATA CI_FAR  pData ) );
+
+RETURN_TYPE
+MACI_Save PROTO_LIST( (
+    HSESSION             hSession,
+    int                  CryptoType,
+    CI_SAVE_DATA CI_FAR  pData ) );
+
+RETURN_TYPE
+MACI_Select PROTO_LIST( (
+    HSESSION  hSession,
+    int       SocketIndex ) );
+
+RETURN_TYPE
+MACI_SetConfiguration PROTO_LIST( (
+    HSESSION      hSession,
+    int           Type,
+    unsigned int  DataSize,
+    CI_DATA       pData ) );
+
+RETURN_TYPE
+MACI_SetKey PROTO_LIST( (
+    HSESSION     hSession,
+    int  RegisterIndex ) );
+
+RETURN_TYPE
+MACI_SetMode PROTO_LIST( (
+    HSESSION hSession,
+    int      CryptoType,
+    int      CryptoMode ) );
+
+RETURN_TYPE
+MACI_SetPersonality PROTO_LIST( (
+    HSESSION hSession,
+    int      CertificateIndex ) );
+
+RETURN_TYPE
+MACI_SetTime PROTO_LIST( (
+    HSESSION        hSession,
+    CI_TIME CI_FAR  pTime ) );
+
+RETURN_TYPE
+MACI_Sign PROTO_LIST( (
+    HSESSION             hSession,
+    CI_HASHVALUE CI_FAR  pHashValue,
+    CI_SIGNATURE CI_FAR  pSignature ) );
+
+RETURN_TYPE
+MACI_Terminate PROTO_LIST( (
+    HSESSION          hSession ) );
+
+RETURN_TYPE
+MACI_TimeStamp PROTO_LIST( (
+    HSESSION             hSession,
+    CI_HASHVALUE CI_FAR  pHashValue,
+    CI_SIGNATURE CI_FAR  pSignature,
+    CI_TIMESTAMP CI_FAR  pTimeStamp ) );
+  
+RETURN_TYPE
+MACI_Unlock PROTO_LIST( (
+    HSESSION          hSession)  );
+
+RETURN_TYPE
+MACI_UnwrapKey PROTO_LIST( (
+    HSESSION       hSession,
+    int            UnwrapIndex,
+    int            KeyIndex,
+    CI_KEY CI_FAR  pKey ) );
+
+RETURN_TYPE
+MACI_VerifySignature PROTO_LIST( (
+    HSESSION             hSession,
+    CI_HASHVALUE CI_FAR  pHashValue,
+    unsigned int         YSize,
+    CI_Y CI_FAR          pY,
+    CI_SIGNATURE CI_FAR  pSignature ) );
+
+RETURN_TYPE
+MACI_VerifyTimeStamp PROTO_LIST( (
+    HSESSION             hSession,
+    CI_HASHVALUE CI_FAR  pHashValue,
+    CI_SIGNATURE CI_FAR  pSignature,
+    CI_TIMESTAMP CI_FAR  pTimeStamp ) );
+
+RETURN_TYPE
+MACI_WrapKey PROTO_LIST( (
+    HSESSION       hSession,
+    int            WrapIndex,
+    int            KeyIndex,
+    CI_KEY CI_FAR  pKey ) );
+
+RETURN_TYPE
+MACI_Zeroize PROTO_LIST( (
+    HSESSION          hSession ) );
+
+#if __cplusplus__ || __cplusplus
+}
+#endif /* C++ */
+
+#endif /* CRYPTINT_H */
+
diff --git a/security/nss/lib/fortcrypt/macinst.htm b/security/nss/lib/fortcrypt/macinst.htm
new file mode 100644
index 000000000..cf3988157
--- /dev/null
+++ b/security/nss/lib/fortcrypt/macinst.htm
@@ -0,0 +1,148 @@
+<HTML>
+<--
+   - The contents of this file are subject to the Mozilla Public
+   - License Version 1.1 (the "License"); you may not use this file
+   - except in compliance with the License. You may obtain a copy of
+   - the License at http://www.mozilla.org/MPL/
+   - 
+   - Software distributed under the License is distributed on an "AS
+   - IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+   - implied. See the License for the specific language governing
+   - rights and limitations under the License.
+   - 
+   - The Original Code is the Netscape security libraries.
+   - 
+   - The Initial Developer of the Original Code is Netscape
+   - Communications Corporation.  Portions created by Netscape are 
+   - Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+   - Rights Reserved.
+   - 
+   - Contributor(s):
+   - 
+   - Alternatively, the contents of this file may be used under the
+   - terms of the GNU General Public License Version 2 or later (the
+   - "GPL"), in which case the provisions of the GPL are applicable 
+   - instead of those above.  If you wish to allow use of your 
+   - version of this file only under the terms of the GPL and not to
+   - allow others to use your version of this file under the MPL,
+   - indicate your decision by deleting the provisions above and
+   - replace them with the notice and other provisions required by
+   - the GPL.  If you do not delete the provisions above, a recipient
+   - may use your version of this file under either the MPL or the
+   - GPL.
+-->
+<TITLE>MAC Installer</TITLE>
+
+<SCRIPT>
+// Crypto Mechanism Flags 
+PKCS11_MECH_RSA_FLAG           =  0x1<<0; 
+PKCS11_MECH_DSA_FLAG           =  0x1<<1; 
+PKCS11_MECH_RC2_FLAG           =  0x1<<2; 
+PKCS11_MECH_RC4_FLAG           =  0x1<<3; 
+PKCS11_MECH_DES_FLAG           =  0x1<<4; 
+PKCS11_MECH_DH_FLAG            =  0x1<<5; //Diffie-Hellman 
+PKCS11_MECH_SKIPJACK_FLAG      =  0x1<<6; //SKIPJACK algorithm as in Fortezza cards 
+PKCS11_MECH_RC5_FLAG           =  0x1<<7; 
+PKCS11_MECH_SHA1_FLAG          =  0x1<<8; 
+PKCS11_MECH_MD5_FLAG           =  0x1<<9; 
+PKCS11_MECH_MD2_FLAG           =  0x1<<10; 
+PKCS11_MECH_RANDOM_FLAG        =  0x1<<27; //Random number generator 
+PKCS11_PUB_READABLE_CERT_FLAG  =  0x1<<28; //Stored certs can be read off the token w/o logging in 
+PKCS11_DISABLE_FLAG            =  0x1<<30; //tell Navigator to disable this slot by default 
+
+// Important: 
+// 0x1<<11, 0x1<<12, ... , 0x1<<26, 0x1<<29, and 0x1<<31 are reserved 
+// for internal use in Navigator. 
+// Therefore, these bits should always be set to 0; otherwise, 
+// Navigator might exhibit unpredictable behavior. 
+
+// These flags indicate which mechanisms should be turned on by 
+pkcs11MechanismFlags = PKCS11_MECH_RANDOM_FLAG; 
+  
+
+// Ciphers that support SSL or S/MIME 
+PKCS11_CIPHER_FORTEZZA_FLAG    = 0x1<<0; 
+
+// Important: 
+// 0x1<<1, 0x1<<2, ... , 0x1<<31 are reserved 
+// for internal use in Navigator. 
+// Therefore, these bits should ALWAYS be set to 0; otherwise, 
+// Navigator might exhibit unpredictable behavior. 
+
+// These flags indicate which SSL ciphers are supported 
+pkcs11CipherFlags = PKCS11_CIPHER_FORTEZZA_FLAG; 
+  
+
+// Return values of pkcs11.addmodule() & pkcs11.delmodule() 
+// success codes 
+JS_OK_ADD_MODULE                 = 3 // Successfully added a module 
+JS_OK_DEL_EXTERNAL_MODULE        = 2 // Successfully deleted ext. module 
+JS_OK_DEL_INTERNAL_MODULE        = 1 // Successfully deleted int. module 
+
+// failure codes 
+JS_ERR_OTHER                     = -1 // Other errors than the followings 
+JS_ERR_USER_CANCEL_ACTION        = -2 // User abort an action 
+JS_ERR_INCORRECT_NUM_OF_ARGUMENTS= -3 // Calling a method w/ incorrect # of arguments 
+JS_ERR_DEL_MODULE                = -4 // Error deleting a module 
+JS_ERR_ADD_MODULE                = -5 // Error adding a module 
+JS_ERR_BAD_MODULE_NAME           = -6 // The module name is invalid 
+JS_ERR_BAD_DLL_NAME              = -7 // The DLL name is bad 
+JS_ERR_BAD_MECHANISM_FLAGS       = -8 // The mechanism flags are invalid 
+JS_ERR_BAD_CIPHER_ENABLE_FLAGS   = -9 // The SSL, S/MIME cipher flags are invalid 
+
+var new_window;
+var has_new_window = 0;
+
+function colonize(string) {
+	len = string.length;
+	end = len -1;
+
+	if (len == 0) return string;
+
+
+	for (i=0; i < len; i++) {
+	   if (string.charAt(i) == "/") {
+		if (i == 0) {
+		    new_string = ":" + string.substring(1,len);
+		} else if (i == end) {
+		    new_string = string.substring(0,i)+':';
+		} else {
+		    new_string = string.substring(0,i)+':'+
+						string.substring(i+1,len);
+		}
+		string = new_string;
+	   }
+	}
+
+	if (string.charAt(0) == ":") string = string.substring(1,len);
+	return string;
+}
+
+function DoInstall(module) {
+	    module = colonize(module);
+	result = pkcs11.addmodule("Netscape FORTEZZA Module", module, pkcs11MechanismFlags, pkcs11CipherFlags); 
+	if ( result < 0) { 
+	  window.alert("New module setup failed.  Error code: " + result); 
+	}
+	if (has_new_window) new_window.close();
+}
+
+function DoUnpack(name) {
+	new_window = open(name,"unpacking","toolbar=no,location=no,status=yes,scrollbar=no,width=50,height=50");
+	has_new_window = 1;
+}
+
+filename=navigator.platform+".hqx"
+
+default_module = "D:/dogbert/ns/dist/WIN32_D.OBJ/bin/fort32.dll"
+document.writeln("<FORM name=instform target=_self> <H2>Mac Fortezza Installer</H2>");
+document.writeln("<I>You must first unpack the <b>"+filename+"</b> file.");
+document.writeln(" Do that by clicking on button below.</i><p>");
+document.writeln("<Input type=button value=Unpack name=unpack onclick=DoUnpack(\""+filename+"\"); ><p>");
+document.writeln("<I>Then move <b>FortPK11Lib</b> to an appropriate directory ");
+document.writeln(" enter that directory below, then click the Install button.</i><p>");
+document.writeln(" Module Name: <Input Type=FILE Name=module><p>");
+document.write("<Input type=submit Name=Install Value=Install onclick=DoInstall(");
+document.writeln(  "document.instform.module.value) >");
+document.writeln("</FORM>");
+</SCRIPT>
diff --git a/security/nss/lib/fortcrypt/manifest.mn b/security/nss/lib/fortcrypt/manifest.mn
new file mode 100644
index 000000000..6dc9019c4
--- /dev/null
+++ b/security/nss/lib/fortcrypt/manifest.mn
@@ -0,0 +1,50 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CORE_DEPTH		= ../../..
+
+MODULE		= security
+LIBRARY_NAME	= fort
+#LIBRARY_VERSION	= 32
+
+DIRS = swfort
+
+CSRCS		= forsock.c  \
+		  fortpk11.c \
+		  fmutex.c   \
+		  $(NULL)
+
+EXPORTS		= 
+PRIVATE_EXPORTS = maci.h cryptint.h
+
+REQUIRES	= security dbm
+
diff --git a/security/nss/lib/fortcrypt/replace.c b/security/nss/lib/fortcrypt/replace.c
new file mode 100644
index 000000000..b4c5edd18
--- /dev/null
+++ b/security/nss/lib/fortcrypt/replace.c
@@ -0,0 +1,101 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+# include <stdio.h>
+# include <string.h>
+
+int main(int argc, char* argv[]) {
+    FILE *templ;
+    FILE *target;
+    unsigned char buffer[81];
+    unsigned char *find, *replace;
+    int matchcount = 0;
+    int ch;
+    int len;
+
+    buffer[0] = '\0';
+
+    if (argc != 5) {
+        fprintf(stderr, "usuage: replace template.js searchstring replacestring target.js \n");
+        return 1;
+    }
+
+    templ = fopen(argv[1], "r");
+    if (!templ) {
+        fprintf(stderr, "Cannot open template script %s\n", argv[1]);
+        return 2;
+    }
+
+    find = (unsigned char*) argv[2];
+    replace = (unsigned char*) argv[3];
+
+    target = fopen(argv[4], "w");
+    if (!target) {
+        fclose(templ);
+        fprintf(stderr, "Cannot write to target script %s\n", argv[4]);
+        return 3;
+    }
+
+    for (len = 0; find[len]!='\0'; len++);
+
+    if (len > 80) {
+        fprintf(stderr, "length of searchstring exceeds 80 chars");
+        return 4;
+    }
+
+    /* get a char from templ */
+    while ((int)(ch=fgetc(templ)) != EOF) {
+        if ((unsigned char)ch == find[matchcount]) {
+            /* if it matches find[matchcount], 
+             * then store one more char in buffer,
+             * increase match count, and checks if 
+             * the whole word has been found */
+            buffer[matchcount] = (unsigned char) ch;
+            buffer[++matchcount] = '\0';
+            
+            if (matchcount == len) {
+                matchcount = 0;
+                fprintf(target, "%s", replace);
+            } 
+        } else {
+            /* reset matchcount, flush buffer */
+            if (matchcount > 0) {
+                fprintf(target, "%s", buffer);
+                matchcount = 0;
+            }
+            fputc(ch, target);
+        }
+    }
+    fclose(templ);
+    fclose(target);
+    return 0;
+}
diff --git a/security/nss/lib/fortcrypt/secmodjar.html b/security/nss/lib/fortcrypt/secmodjar.html
new file mode 100644
index 000000000..f093a5965
--- /dev/null
+++ b/security/nss/lib/fortcrypt/secmodjar.html
@@ -0,0 +1,441 @@
+<HTML>
+<--
+   - The contents of this file are subject to the Mozilla Public
+   - License Version 1.1 (the "License"); you may not use this file
+   - except in compliance with the License. You may obtain a copy of
+   - the License at http://www.mozilla.org/MPL/
+   - 
+   - Software distributed under the License is distributed on an "AS
+   - IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+   - implied. See the License for the specific language governing
+   - rights and limitations under the License.
+   - 
+   - The Original Code is the Netscape security libraries.
+   - 
+   - The Initial Developer of the Original Code is Netscape
+   - Communications Corporation.  Portions created by Netscape are 
+   - Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+   - Rights Reserved.
+   - 
+   - Contributor(s):
+   - 
+   - Alternatively, the contents of this file may be used under the
+   - terms of the GNU General Public License Version 2 or later (the
+   - "GPL"), in which case the provisions of the GPL are applicable 
+   - instead of those above.  If you wish to allow use of your 
+   - version of this file only under the terms of the GPL and not to
+   - allow others to use your version of this file under the MPL,
+   - indicate your decision by deleting the provisions above and
+   - replace them with the notice and other provisions required by
+   - the GPL.  If you do not delete the provisions above, a recipient
+   - may use your version of this file under either the MPL or the
+   - GPL.
+-->
+<HEAD>
+   <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
+   <META NAME="Author" CONTENT="Hoi-Sheung Wilson So">
+   <META NAME="GENERATOR" CONTENT="Mozilla/4.02 [en] (WinNT; I) [Netscape]">
+   <TITLE>How to Package Your Security Module for use with SmartUpdate</TITLE>
+</HEAD>
+<BODY>
+<FONT SIZE=+2>Using
+JAR Installation Manager Technology to Install Your PKCS11 Security Module</FONT>
+
+<P>Table of contents
+<BR><A HREF="#intro">I. Introduction</A>
+<BR><A HREF="#procedure">II. How to Create a Security Module JAR</A>
+<BR><A HREF="#samplescript">III. Sample Installer Script</A>
+<BR><A HREF="#reference">IV. Programmers' Reference</A>
+<BR><A HREF="#copyright">VI. Copyright Notice</A>
+<BR><A NAME="intro"></A><FONT SIZE=+1>I. Introduction</FONT>
+<BR>This docuemnt describes how to prepare your security module so that
+users can download it from the Internet, verify its integrity, and install
+by only pointing and clicking mouses.&nbsp; The packaged module is a signed
+JAR archive. This JAR archive contains a dynamically-linked library which
+implements the Security Module and a pice of installer script (.js) that
+registers and configures the newly installed module.&nbsp; SmartUpdate
+allows users to download JAR archinve that has been signed digitally by
+the software vendor.&nbsp; SmartUpdate then decompresses the JAR file,
+verify the signature and validity of the files packaged into the archive.&nbsp;
+If the signature is valid, SmartUpdate will run the installer script found
+in the archive.&nbsp; The installer script will instruct SmartUpdate to
+move the downloaded security module library to a specified location.&nbsp;
+Next, the script will register the module with Navigator, and configure
+it.
+
+<P>This document does not describe how SmartUpdate works.&nbsp; For more
+information about SmartUpdate, check out <A HREF="http://developer.netscape.com/library/documentation/communicator/jarman/index.htm">JAR
+Installation Manager</A>.
+
+<P><A NAME="procedure"></A><FONT SIZE=+1>II. How to Create a Security Module
+JAR</FONT>
+<OL>
+<LI>
+Obtain a copy of PKCS#11: Cryptographic Token Interface Standard Version
+2.00, published by <A HREF="http://www.rsa.com">RSA Laboratories</A>, Redwood
+City, California.</LI>
+
+<LI>
+Implement a PKCS#11 library according to PKCS#11 standards.</LI>
+
+<LI>
+Write a installer script that will register the module with Navigator.</LI>
+
+<LI>
+Use either JAR Packager or command line tool to package the library and
+the script in a signed JAR archive.</LI>
+
+<LI>
+Publish the JAR file on the web, and notify users to install/upgrade their
+library.</LI>
+</OL>
+<A NAME="samplescript"></A><FONT SIZE=+1>III. Sample Installer Script</FONT>
+
+<P>Functions of the following installer script:
+<BR>1. Start SmartUpdate and declares the version and the name of the module
+to be installed.
+<BR>2. Extract a library called DUMMY_DLL from the JAR archive and install
+it under the Netscape Program folder.
+<BR>3. Register the installed module by calling pkcs11.addmodule( ) method
+with information about the capabilities of the module.
+<BR>4. Check to see if pkcs11.addmodule( ) has been successful, and display
+appropriate messages.
+
+<P><TT>// Crypto Mechanism Flags</TT>
+<BR><TT>PKCS11_MECH_RSA_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;0;</TT>
+<BR><TT>PKCS11_MECH_DSA_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;1;</TT>
+<BR><TT>PKCS11_MECH_RC2_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;2;</TT>
+<BR><TT>PKCS11_MECH_RC4_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;3;</TT>
+<BR><TT>PKCS11_MECH_DES_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;4;</TT>
+<BR><TT>PKCS11_MECH_DH_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;5; //Diffie-Hellman</TT>
+<BR><TT>PKCS11_MECH_SKIPJACK_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =&nbsp;
+0x1&lt;&lt;6; //SKIPJACK algorithm as in Fortezza cards</TT>
+<BR><TT>PKCS11_MECH_RC5_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;7;</TT>
+<BR><TT>PKCS11_MECH_SHA1_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;8;</TT>
+<BR><TT>PKCS11_MECH_MD5_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;9;</TT>
+<BR><TT>PKCS11_MECH_MD2_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;10;</TT>
+<BR><TT>PKCS11_MECH_RANDOM_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;27; //Random number generator</TT>
+<BR><TT>PKCS11_PUB_READABLE_CERT_FLAG&nbsp; =&nbsp; 0x1&lt;&lt;28; //Stored
+certs can be read off the token w/o logging in</TT>
+<BR><TT>PKCS11_DISABLE_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;30; //tell Navigator to disable this slot by default</TT>
+
+<P><TT>// Important:</TT>
+<BR><TT>// 0x1&lt;&lt;11, 0x1&lt;&lt;12, ... , 0x1&lt;&lt;26, and 0x1&lt;&lt;31
+are reserved</TT>
+<BR><TT>// for internal use in Navigator.</TT>
+<BR><TT>// Therefore, these bits should always be set to 0; otherwise,</TT>
+<BR><TT>// Navigator might exhibit unpredictable behavior.</TT>
+
+<P><TT>// These flags indicate which mechanisms should be turned on by</TT>
+<BR><TT>pkcs11MechanismFlags = PKCS11_MECH_DSA_FLAG | PKCS11_MECH_SKIPJACK_FLAG
+| PKCS11_MECH_RANDOM_FLAG;</TT>
+<BR><TT>&nbsp;</TT>
+
+<P><TT>// Ciphers that support SSL or S/MIME</TT>
+<BR><TT>PKCS11_CIPHER_FORTEZZA_FLAG&nbsp;&nbsp;&nbsp; = 0x1&lt;&lt;0;</TT>
+
+<P><TT>// Important:</TT>
+<BR><TT>// 0x1&lt;&lt;11, 0x1&lt;&lt;12, ... , 0x1&lt;&lt;26, 0x1&lt;&lt;29,
+and 0x1&lt;&lt;31 are reserved</TT>
+<BR><TT>// for internal use in Navigator.</TT>
+<BR><TT>// Therefore, these bits should ALWAYS be set to 0; otherwise,</TT>
+<BR><TT>// Navigator might exhibit unpredictable behavior.</TT>
+
+<P><TT>// These flags indicate which SSL ciphers are supported</TT>
+<BR><TT>pkcs11CipherFlags = PKCS11_CIPHER_FORTEZZA_FLAG;</TT>
+<BR><TT>&nbsp;</TT>
+
+<P><TT>// Return values of pkcs11.addmodule() &amp; pkcs11.delmodule()</TT>
+<BR><TT>// success codes</TT>
+<BR><TT>JS_OK_ADD_MODULE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= 3 // Successfully added a module</TT>
+<BR><TT>JS_OK_DEL_EXTERNAL_MODULE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= 2 // Successfully deleted ext. module</TT>
+<BR><TT>JS_OK_DEL_INTERNAL_MODULE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= 1 // Successfully deleted int. module</TT>
+
+<P><TT>// failure codes</TT>
+<BR><TT>JS_ERR_OTHER&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= -1 // Other errors than the followings</TT>
+<BR><TT>JS_ERR_USER_CANCEL_ACTION&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= -2 // User abort an action</TT>
+<BR><TT>JS_ERR_INCORRECT_NUM_OF_ARGUMENTS= -3 // Calling a method w/ incorrect
+# of arguments</TT>
+<BR><TT>JS_ERR_DEL_MODULE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= -4 // Error deleting a module</TT>
+<BR><TT>JS_ERR_ADD_MODULE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= -5 // Error adding a module</TT>
+<BR><TT>JS_ERR_BAD_MODULE_NAME&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= -6 // The module name is invalid</TT>
+<BR><TT>JS_ERR_BAD_DLL_NAME&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= -7 // The DLL name is bad</TT>
+<BR><TT>JS_ERR_BAD_MECHANISM_FLAGS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= -8 // The mechanism flags are invalid</TT>
+<BR><TT>JS_ERR_BAD_CIPHER_ENABLE_FLAGS&nbsp;&nbsp; = -9 // The SSL, S/MIME
+cipher flags are invalid</TT>
+<BR>&nbsp;
+
+<P><TT>if (confirm("This script will install and configure a security module,
+do you want to continue?")) {</TT>
+<BR><TT>&nbsp;// Step 1. Create a version object and a software update
+object</TT>
+<BR><TT>&nbsp;vi = new netscape.softupdate.VersionInfo(1, 6, 0, 0);</TT>
+<BR><TT>&nbsp;su = new netscape.softupdate.SoftwareUpdate(this, "Fortezza
+Card PKCS#11 Module");</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+// "Fortezza ... Module" is the logical name of the bundle</TT>
+
+<P><TT>&nbsp;// Step 2. Start the install process</TT>
+<BR><TT>&nbsp;bAbort = false;</TT>
+<BR><TT>&nbsp;err = su.StartInstall("litronic", vi, netscape.softupdate.SoftwareUpdate.FULL_INSTALL);</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+// litronic is the component folder (logical)</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; bAbort = bAbort || (err
+!=0);</TT>
+
+<P><TT>&nbsp;if (err == 0) {</TT>
+
+<P><TT>&nbsp;&nbsp;&nbsp; // Step 3. Find out the physical location of
+the Program dir</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp; Folder = su.GetFolder("Program");</TT>
+
+<P><TT>&nbsp;&nbsp;&nbsp; // Step 4. Install the files. Unpack them and
+list where they go</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp; err = su.AddSubcomponent("FortezzaCardDLL",
+//component name (logical)</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+vi, // version info</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+"DUMMY_DLL", // source file in JAR (physical)</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+Folder, // target folder (physical)</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+"DUMMY_DLL", // target path &amp; filename (physical)</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+this.force); // forces update</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp; bAbort = bAbort || (err !=0);</TT>
+<BR><TT>&nbsp;}</TT>
+
+<P><TT>&nbsp;// Step 5. Unless there was a problem, move files to final
+location</TT>
+<BR><TT>&nbsp;// and update the Client Version Registry</TT>
+<BR><TT>&nbsp;if (bAbort) {</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp; window.alert("Installation Aborted");</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp; su.AbortInstall();</TT>
+<BR><TT>&nbsp;} else {</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp; err = su.FinalizeInstall();</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp; window.alert("Files have been installed.\nContinue
+to setup the newly isntalled module...");</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp; // Add Module</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp; compFolder = su.GetComponentFolder("litronic/FortezzaCardDLL")
++ "/DUMMY_DLL";</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp; result = pkcs11.addmodule("Fortezza", compFolder,
+pkcs11MechanismFlags, pkcs11CipherFlags);</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if
+( result &lt; 0) {</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+window.alert("New module setup failed.&nbsp; Error code: " + result);</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }
+else {</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+window.alert("New module setup completed.");</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</TT>
+<BR><TT>&nbsp;}</TT>
+<BR><TT>}</TT>
+
+<P><A NAME="reference"></A><FONT SIZE=+1>IV. Appendix A: Programmers' Refernce</FONT>
+<UL>
+<LI>
+<A HREF="#delmodule">pkcs11.addmodule( )</A></LI>
+
+<LI>
+<A HREF="#delmodule">pkcs11.delmodule( )</A></LI>
+</UL>
+
+<HR ALIGN=LEFT WIDTH="70%">
+<BR><A NAME="addmodule"></A>Name
+<BR><TT>addmodule</TT>
+<BR>Adds a PKCS#11 security module to the security module database, and
+notifies Communicator which cryptographic mechanisms should be turned on
+by default, and which SSL or S/MIME ciphers are supported.&nbsp; For security
+reasons, it will pop up a dialog box to ask the user to confirm this action.&nbsp;
+It might pop up other dialog boxes if necessary.
+
+<P>Method of
+<BR><TT>pkcs11</TT>
+
+<P>Syntax
+<BR><TT>int pkcs11.addmodule( string ModuleName,</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+string LibraryFullPath,</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+int CryptoMechanismFlags,</TT>
+<BR><TT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+int CipherFlags);</TT>
+<BR>&nbsp;
+<BR>Parameters
+<TABLE BORDER WIDTH="90%" >
+<TR>
+<TD><TT>ModuleName</TT></TD>
+
+<TD>Name of the module</TD>
+</TR>
+
+<TR>
+<TD><TT>LibraryFullPath</TT></TD>
+
+<TD>The filename of the library prepended with its full path</TD>
+</TR>
+
+<TR>
+<TD><TT>CryptoMechanismFlags</TT></TD>
+
+<TD>A bit vector indicating all cryptographic mechanisms should be turned
+on by default&nbsp; (See below)</TD>
+</TR>
+
+<TR>
+<TD><TT>CipherFlags</TT></TD>
+
+<TD>A bit vector indicating all SSL or S/MIME cipher functions supported
+by the module (Seel below)</TD>
+</TR>
+</TABLE>
+Cryptographic Mechanism Flags
+<BR><TT>PKCS11_MECH_RSA_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;0;</TT>
+<BR><TT>PKCS11_MECH_DSA_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;1;</TT>
+<BR><TT>PKCS11_MECH_RC2_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;2;</TT>
+<BR><TT>PKCS11_MECH_RC4_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;3;</TT>
+<BR><TT>PKCS11_MECH_DES_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;4;</TT>
+<BR><TT>PKCS11_MECH_DH_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;5; //Diffie-Hellman</TT>
+<BR><TT>PKCS11_MECH_SKIPJACK_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =&nbsp;
+0x1&lt;&lt;6; //SKIPJACK algorithm as in Fortezza cards</TT>
+<BR><TT>PKCS11_MECH_RC5_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;7;</TT>
+<BR><TT>PKCS11_MECH_SHA1_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;8;</TT>
+<BR><TT>PKCS11_MECH_MD5_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;9;</TT>
+<BR><TT>PKCS11_MECH_MD2_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;10;</TT>
+<BR><TT>PKCS11_MECH_RANDOM_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;27; //Random number generator</TT>
+<BR><TT>PKCS11_PUB_READABLE_CERT_FLAG&nbsp; =&nbsp; 0x1&lt;&lt;28; //Stored
+certs can be read off the token w/o logging in</TT>
+<BR><TT>PKCS11_DISABLE_FLAG&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+=&nbsp; 0x1&lt;&lt;30; //tell Navigator to disable this slot by default</TT>
+
+<P>Supported SSL or S/MIME Ciphers
+<BR><TT>PKCS11_CIPHER_FORTEZZA_FLAG&nbsp;&nbsp;&nbsp; = 0x1&lt;&lt;0;</TT>
+
+<P>Important for CryptoMechanismFlags:
+<BR><TT>0x1&lt;&lt;11</TT>, <TT>0x1&lt;&lt;12</TT>, ... , <TT>0x1&lt;&lt;26</TT>,
+<TT>0x1&lt;&lt;29, </TT>and <TT>0x1&lt;&lt;31</TT> are reserved for internal
+use in Navigator.
+<BR>Therefore, these bits should always be set to 0; otherwise, Navigator
+might exhibit unpredictable behavior.
+
+<P>Important for CipherFlags:
+<BR><TT>0x1&lt;&lt;1</TT>, <TT>0x1&lt;&lt;2</TT>, ... , <TT>0x1&lt;&lt;31</TT>
+are reserved for internal use in Navigator.
+<BR>Therefore, these bits should ALWAYS be set to 0; otherwise, Navigator
+might exhibit unpredictable behavior.
+
+<P>Example of CryptoMechanismFlags and CipherFlags:
+<BR><TT>pkcs11MechanismFlags = PKCS11_MECH_DSA_FLAG | PKCS11_MECH_SKIPJACK_FLAG
+| PKCS11_MECH_RANDOM_FLAG;</TT>
+<BR><TT>pkcs11CipherFlags = PKCS11_CIPHER_FORTEZZA_FLAG;</TT>
+<BR><TT>&nbsp;</TT>
+<BR>Return Values:
+<BR><TT>// Return values of pkcs11.addmod()</TT>
+<BR><TT>// success codes</TT>
+<BR><TT>JS_OK_ADD_MODULE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= 3 // Successfully added a module</TT>
+
+<P><TT>// failure codes</TT>
+<BR><TT>JS_ERR_OTHER&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= -1 // Other errors than the followings</TT>
+<BR><TT>JS_ERR_USER_CANCEL_ACTION&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= -2 // User abort an action</TT>
+<BR><TT>JS_ERR_INCORRECT_NUM_OF_ARGUMENTS= -3 // Calling a method w/ incorrect
+# of arguments</TT>
+<BR><TT>JS_ERR_ADD_MODULE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= -5 // Error adding a module</TT>
+<BR><TT>JS_ERR_BAD_MODULE_NAME&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= -6 // The module name is invalid</TT>
+<BR><TT>JS_ERR_BAD_DLL_NAME&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= -7 // The DLL name is bad</TT>
+<BR><TT>JS_ERR_BAD_MECHANISM_FLAGS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= -8 // The mechanism flags are invalid</TT>
+<BR><TT>JS_ERR_BAD_CIPHER_ENABLE_FLAGS&nbsp;&nbsp; = -9 // The SSL, S/MIME
+cipher flags are invalid</TT>
+<BR>&nbsp;
+<HR ALIGN=LEFT WIDTH="70%">
+<BR><A NAME="delmodule"></A>Name
+<BR><TT>delmodule</TT>
+<BR>Deletes a PKCS#11 security module from the module database, but does
+not physically remove the file.&nbsp; For security reasons, it will pop
+up a dialog box to ask the user to confirm this action.&nbsp; It might
+pop up other dialog boxes if necessary.
+
+<P>Method of
+<BR><TT>pkcs11</TT>
+
+<P>Syntax
+<BR><TT>int pkcs11.delmodule( string ModuleName);</TT>
+<BR>&nbsp;
+<BR>Parameters
+<TABLE BORDER WIDTH="90%" >
+<TR>
+<TD><TT>ModuleName</TT></TD>
+
+<TD>Name of the module</TD>
+</TR>
+</TABLE>
+<TT>&nbsp;</TT>
+<BR>Return Values:
+<BR><TT>// Return values of pkcs11.addmod() &amp; pkcs11.delmod()</TT>
+<BR><TT>// success codes</TT>
+<BR><TT>JS_OK_DEL_EXTERNAL_MODULE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= 2 // Successfully deleted ext. module</TT>
+<BR><TT>JS_OK_DEL_INTERNAL_MODULE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= 1 // Successfully deleted int. module</TT>
+
+<P><TT>// failure codes</TT>
+<BR><TT>JS_ERR_OTHER&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= -1 // Other errors than the followings</TT>
+<BR><TT>JS_ERR_USER_CANCEL_ACTION&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= -2 // User abort an action</TT>
+<BR><TT>JS_ERR_INCORRECT_NUM_OF_ARGUMENTS= -3 // Calling a method w/ incorrect
+# of arguments</TT>
+<BR><TT>JS_ERR_DEL_MODULE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= -4 // Error deleting a module</TT>
+<BR><TT>JS_ERR_BAD_MODULE_NAME&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+= -6 // The module name is invalid</TT>
+
+<P><A NAME="copyright"></A><FONT SIZE=+1>VI. Copyright Notice</FONT>
+<BR>&nbsp;
+
+<P><FONT SIZE=+4>XXX Don't know what to put here!!!</FONT>
+
+<P>Last modified 9/26/97
+</BODY>
+</HTML>
diff --git a/security/nss/lib/fortcrypt/swfort/Makefile b/security/nss/lib/fortcrypt/swfort/Makefile
new file mode 100644
index 000000000..9c5e39de2
--- /dev/null
+++ b/security/nss/lib/fortcrypt/swfort/Makefile
@@ -0,0 +1,83 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+$(OBJDIR)/nslib.c: nsmap.h swflib.c
+	@$(MAKE_OBJDIR)
+	rm -f $@
+	cat $+ > $@
+
+export:: private_export
+
+
diff --git a/security/nss/lib/fortcrypt/swfort/config.mk b/security/nss/lib/fortcrypt/swfort/config.mk
new file mode 100644
index 000000000..0a00dc61e
--- /dev/null
+++ b/security/nss/lib/fortcrypt/swfort/config.mk
@@ -0,0 +1,43 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/fortcrypt/swfort/manifest.mn b/security/nss/lib/fortcrypt/swfort/manifest.mn
new file mode 100644
index 000000000..6320cdd62
--- /dev/null
+++ b/security/nss/lib/fortcrypt/swfort/manifest.mn
@@ -0,0 +1,52 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CORE_DEPTH		= ../../../..
+
+MODULE		= security
+LIBRARY_NAME	= swfci
+#LIBRARY_VERSION	= 12
+
+BUILT_CSRCS	= nslib.c    \
+		  $(NULL)
+
+CSRCS		= swfalg.c  \
+		  swfparse.c \
+		  swflib.c   \
+		  swfutl.c   \
+		  $(NULL)
+DIRS = pkcs11
+
+EXPORTS		= swfort.h swfortt.h
+PRIVATE_EXPORTS = swforti.h swfortti.h
+
+REQUIRES	= security dbm nspr
diff --git a/security/nss/lib/fortcrypt/swfort/nsmap.h b/security/nss/lib/fortcrypt/swfort/nsmap.h
new file mode 100644
index 000000000..b5e1c2cda
--- /dev/null
+++ b/security/nss/lib/fortcrypt/swfort/nsmap.h
@@ -0,0 +1,86 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#define MACI_ChangePIN			NSCI_ChangePIN
+#define MACI_CheckPIN			NSCI_CheckPIN
+#define MACI_Close			NSCI_Close
+#define MACI_Decrypt			NSCI_Decrypt
+#define MACI_DeleteCertificate		NSCI_DeleteCertificate
+#define MACI_DeleteKey			NSCI_DeleteKey
+#define MACI_Encrypt			NSCI_Encrypt
+#define MACI_ExtractX 			NSCI_ExtractX
+#define MACI_FirmwareUpdate 		NSCI_FirmwareUpdate
+#define MACI_GenerateIV			NSCI_GenerateIV
+#define MACI_GenerateMEK		NSCI_GenerateMEK
+#define MACI_GenerateRa			NSCI_GenerateRa
+#define MACI_GenerateRandom		NSCI_GenerateRandom
+#define MACI_GenerateTEK 		NSCI_GenerateTEK
+#define MACI_GenerateX 			NSCI_GenerateX
+#define MACI_GetCertificate		NSCI_GetCertificate
+#define MACI_GetConfiguration		NSCI_GetConfiguration
+#define MACI_GetHash			NSCI_GetHash
+#define MACI_GetPersonalityList		NSCI_GetPersonalityList
+#define MACI_GetSessionID		NSCI_GetSessionID
+#define MACI_GetState			NSCI_GetState
+#define MACI_GetStatus			NSCI_GetStatus
+#define MACI_GetTime			NSCI_GetTime
+#define MACI_Hash			NSCI_Hash
+#define MACI_Initialize			NSCI_Initialize
+#define MACI_InitializeHash		NSCI_InitializeHash
+#define MACI_InstallX 			NSCI_InstallX
+#define MACI_LoadCertificate 		NSCI_LoadCertificate
+#define MACI_LoadDSAParameters	 	NSCI_LoadDSAParameters
+#define MACI_LoadInitValues		NSCI_LoadInitValues
+#define MACI_LoadIV			NSCI_LoadIV
+#define MACI_LoadX 			NSCI_LoadX
+#define MACI_Lock			NSCI_Lock
+#define MACI_Open			NSCI_Open
+#define MACI_RelayX 			NSCI_RelayX
+#define MACI_Reset			NSCI_Reset
+#define MACI_Restore			NSCI_Restore
+#define MACI_Save			NSCI_Save
+#define MACI_Select			NSCI_Select
+#define MACI_SetConfiguration		NSCI_SetConfiguration
+#define MACI_SetKey			NSCI_SetKey
+#define MACI_SetMode			NSCI_SetMode
+#define MACI_SetPersonality		NSCI_SetPersonality
+#define MACI_SetTime			NSCI_SetTime
+#define MACI_Sign			NSCI_Sign
+#define MACI_Terminate			NSCI_Terminate
+#define MACI_TimeStamp			NSCI_TimeStamp
+#define MACI_Unlock			NSCI_Unlock
+#define MACI_UnwrapKey			NSCI_UnwrapKey
+#define MACI_VerifySignature		NSCI_VerifySignature
+#define MACI_VerifyTimeStamp		NSCI_VerityTimeStap
+#define MACI_WrapKey			NSCI_WrapKey
+#define MACI_Zeroize			NSCI_Zeroize
+
diff --git a/security/nss/lib/fortcrypt/swfort/pkcs11/.cvsignore b/security/nss/lib/fortcrypt/swfort/pkcs11/.cvsignore
new file mode 100644
index 000000000..6532d294d
--- /dev/null
+++ b/security/nss/lib/fortcrypt/swfort/pkcs11/.cvsignore
@@ -0,0 +1,15 @@
+forsock.c
+cryptint.h
+fmutex.h
+fortsock.h
+fpkcs11.h
+fpkcs11f.h
+fpkcs11i.h
+fpkcs11t.h
+fpkmem.h
+fpkstrs.h
+genci.h
+maci.h
+fortpk11.c
+fmutex.c
+
diff --git a/security/nss/lib/fortcrypt/swfort/pkcs11/Makefile b/security/nss/lib/fortcrypt/swfort/pkcs11/Makefile
new file mode 100644
index 000000000..c148b325c
--- /dev/null
+++ b/security/nss/lib/fortcrypt/swfort/pkcs11/Makefile
@@ -0,0 +1,157 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+# 
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+
+CRYPTO_LIB = $(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) 
+#SWCILI    = ../$(OBJDIR)/$(LIB_PREFIX)swfci.$(LIB_SUFFIX)
+
+# can't do this in manifest.mn because OS_TARGET isn't defined there.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+ifdef MOZILLA_SECURITY_BUILD
+CRYPTO_LIB = $(DIST)/lib/crypto.lib
+endif
+ifdef MOZILLA_BSAFE_BUILD
+CRYPTO_LIB += $(DIST)/lib/bsafe$(BSAFEVER).lib
+CRYPTO_LIB += $(DIST)/lib/freebl.lib 
+endif
+
+EXTRA_LIBS = \
+	$(DIST)/lib/swfci.lib \
+	$(DIST)/lib/softokn.lib \
+	$(CRYPTO_LIB) \
+	$(DIST)/lib/secutil.lib \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plc4_s.lib \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plds4_s.lib \
+	wsock32.lib \
+	winmm.lib \
+	$(NULL)
+
+else
+
+ifdef MOZILLA_SECURITY_BUILD
+CRYPTO_LIB = $(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
+endif
+ifdef MOZILLA_BSAFE_BUILD
+CRYPTO_LIB += $(DIST)/lib/$(LIB_PREFIX)bsafe.$(LIB_SUFFIX)
+CRYPTO_LIB += $(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
+endif
+
+EXTRA_LIBS += \
+	$(DIST)/lib/$(LIB_PREFIX)swfci.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX) \
+	$(CRYPTO_LIB) \
+	$(DIST)/lib/$(LIB_PREFIX)secutil.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)plc4.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)plds4.$(LIB_SUFFIX) \
+	$(NULL)
+
+endif
+
+INST_JS                 = inst.js
+LIBCI_JAR               = $(OBJDIR)/lib$(LIBRARY_NAME).jar
+LIBCI_JAR_SRC           = $(INST_JS) pk11inst $(SHARED_LIBRARY)
+
+ifneq ($(OS_TARGET), WIN16)
+TARGETS : $(LIBCI_JAR)
+endif
+
+ifeq ($(OS_TARGET), WIN16)
+# note that rules.mk is not included below for WIN16
+all:
+	@echo Skipping fortcrypt directory for 16-bit windows builds
+
+all_platforms alltags clean clobber clobber_all realclean: all
+
+boot export install libs program release: all
+
+endif
+
+#$(SHARED_LIBRARY): $(SWCILIB)
+
+#
+# The following rules packages the shared library into a JAR,
+# ready to be signed
+#
+$(OBJDIR)/replace: replace.c
+	$(CC) -o $@ $<
+
+# ZIP options:
+# -5 means medium compression
+# -q means quiet
+# -j means do not store tree structure, all files go into one dir
+#
+$(LIBCI_JAR): $(LIBCI_JAR_SRC)
+	@echo +++ building $@ from $(LIBCI_JAR_SRC)
+	@rm -f $@
+	zip -5qj $@ $(LIBCI_JAR_SRC) 
+
+$(LIBSWCI_JAR): $(LIBSWCI_JAR_SRC)
+	@echo +++ building $@ from $(LIBSWCI_JAR_SRC)
+	@rm -f $@
+	zip -5qj $@ $(LIBSWCI_JAR_SRC) 
+
+
+MD_FILES += $(LIBCI_JAR) $(LIBSWCI_JAR)
+
+# coreconf doesn't build the AIX shared library for FORTEZZA,
+# so I'm going to override their shared library command and build the shared
+# library the way config used to.
+#
+
+
+ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.1)
+DSO_LDOPTS              = -bM:SRE -bh:4 -bnoentry
+EXTRA_DSO_LDOPTS        = -lc
+MKSHLIB                 = xlC $(DSO_LDOPTS)
+
+$(SHARED_LIBRARY): $(OBJS)
+	@$(MAKE_OBJDIR)
+	rm -f $@
+	$(MKSHLIB) -o $@ $(OBJS) $(EXTRA_LIBS) $(EXTRA_DSO_LDOPTS)
+	chmod +x $@
+
+endif
+
+ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.2)
+LD      += -G
+endif 
+
+ifneq ($(OS_TARGET), WIN16)
+include $(CORE_DEPTH)/coreconf/rules.mk
+endif
+
diff --git a/security/nss/lib/fortcrypt/swfort/pkcs11/config.mk b/security/nss/lib/fortcrypt/swfort/pkcs11/config.mk
new file mode 100644
index 000000000..960774691
--- /dev/null
+++ b/security/nss/lib/fortcrypt/swfort/pkcs11/config.mk
@@ -0,0 +1,43 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#
+#  Override TARGETS variable so that only shared libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(SHARED_LIBRARY) $(SHARED_SW_LIBRARY) $(LIBCI_JAR) $(LIBCI_SW_JAR)
+LIBRARY        =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/fortcrypt/swfort/pkcs11/inst.js b/security/nss/lib/fortcrypt/swfort/pkcs11/inst.js
new file mode 100644
index 000000000..2f7574717
--- /dev/null
+++ b/security/nss/lib/fortcrypt/swfort/pkcs11/inst.js
@@ -0,0 +1,189 @@
+//
+// The contents of this file are subject to the Mozilla Public
+// License Version 1.1 (the "License"); you may not use this file
+// except in compliance with the License. You may obtain a copy of
+// the License at http://www.mozilla.org/MPL/
+// 
+// Software distributed under the License is distributed on an "AS
+// IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+// implied. See the License for the specific language governing
+// rights and limitations under the License.
+// 
+// The Original Code is the Netscape security libraries.
+// 
+// The Initial Developer of the Original Code is Netscape
+// Communications Corporation.  Portions created by Netscape are 
+// Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+// Rights Reserved.
+// 
+// Contributor(s):
+// 
+// Alternatively, the contents of this file may be used under the
+// terms of the GNU General Public License Version 2 or later (the
+// "GPL"), in which case the provisions of the GPL are applicable 
+// instead of those above.  If you wish to allow use of your 
+// version of this file only under the terms of the GPL and not to
+// allow others to use your version of this file under the MPL,
+// indicate your decision by deleting the provisions above and
+// replace them with the notice and other provisions required by
+// the GPL.  If you do not delete the provisions above, a recipient
+// may use your version of this file under either the MPL or the
+// GPL.
+//
+////////////////////////////////////////////////////////////////////////////////////////
+// Crypto Mechanism Flags
+PKCS11_MECH_RSA_FLAG           =  0x1<<0; 
+PKCS11_MECH_DSA_FLAG           =  0x1<<1; 
+PKCS11_MECH_RC2_FLAG           =  0x1<<2; 
+PKCS11_MECH_RC4_FLAG           =  0x1<<3; 
+PKCS11_MECH_DES_FLAG           =  0x1<<4; 
+PKCS11_MECH_DH_FLAG            =  0x1<<5; //Diffie-Hellman 
+PKCS11_MECH_SKIPJACK_FLAG      =  0x1<<6; //SKIPJACK algorithm as in Fortezza cards 
+PKCS11_MECH_RC5_FLAG           =  0x1<<7; 
+PKCS11_MECH_SHA1_FLAG          =  0x1<<8; 
+PKCS11_MECH_MD5_FLAG           =  0x1<<9; 
+PKCS11_MECH_MD2_FLAG           =  0x1<<10; 
+PKCS11_MECH_RANDOM_FLAG        =  0x1<<27; //Random number generator 
+PKCS11_PUB_READABLE_CERT_FLAG  =  0x1<<28; //Stored certs can be read off the token w/o logging in 
+PKCS11_DISABLE_FLAG            =  0x1<<30; //tell Navigator to disable this slot by default 
+
+// Important: 
+// 0x1<<11, 0x1<<12, ... , 0x1<<26, 0x1<<29, and 0x1<<31 are reserved 
+// for internal use in Navigator. 
+// Therefore, these bits should always be set to 0; otherwise,
+// Navigator might exhibit unpredictable behavior. 
+
+// These flags indicate which mechanisms should be turned on by 
+var pkcs11MechanismFlags = 0;
+  
+////////////////////////////////////////////////////////////////////////////////////////
+// Ciphers that support SSL or S/MIME 
+PKCS11_CIPHER_FORTEZZA_FLAG    = 0x1<<0; 
+
+// Important: 
+// 0x1<<1, 0x1<<2, ... , 0x1<<31 are reserved 
+// for internal use in Navigator. 
+// Therefore, these bits should ALWAYS be set to 0; otherwise, 
+// Navigator might exhibit unpredictable behavior. 
+
+// These flags indicate which SSL ciphers are supported 
+var pkcs11CipherFlags = PKCS11_CIPHER_FORTEZZA_FLAG; 
+  
+////////////////////////////////////////////////////////////////////////////////////////
+// Return values of pkcs11.addmodule() & pkcs11.delmodule() 
+// success codes 
+JS_OK_ADD_MODULE                 = 3; // Successfully added a module 
+JS_OK_DEL_EXTERNAL_MODULE        = 2; // Successfully deleted ext. module 
+JS_OK_DEL_INTERNAL_MODULE        = 1; // Successfully deleted int. module 
+
+// failure codes 
+JS_ERR_OTHER                     = -1; // Other errors than the followings 
+JS_ERR_USER_CANCEL_ACTION        = -2; // User abort an action 
+JS_ERR_INCORRECT_NUM_OF_ARGUMENTS= -3; // Calling a method w/ incorrect # of arguments 
+JS_ERR_DEL_MODULE                = -4; // Error deleting a module 
+JS_ERR_ADD_MODULE                = -5; // Error adding a module 
+JS_ERR_BAD_MODULE_NAME           = -6; // The module name is invalid 
+JS_ERR_BAD_DLL_NAME              = -7; // The DLL name is bad 
+JS_ERR_BAD_MECHANISM_FLAGS       = -8; // The mechanism flags are invalid 
+JS_ERR_BAD_CIPHER_ENABLE_FLAGS   = -9; // The SSL, S/MIME cipher flags are invalid 
+
+
+////////////////////////////////////////////////////////////////////////////////////////
+// Find out which library is to be installed depending on the platform
+
+// pathname seperator is platform specific
+var sep = "/";
+var vendor = "netscape";
+var moduleName = "not_supported";
+
+// platform-independent relative path
+var dir = "pkcs11/" + vendor + "/";
+
+var plat = navigator.platform;
+
+bAbort = false;
+progName = "instinit";
+if (plat == "Win32") {
+    moduleName = "swft32.dll";
+    // progName = "instinit.exe";
+    sep = "\\";
+} else if (plat == "AIX4.1") {
+    moduleName = "libswft.so";
+} else if (plat == "SunOS4.1.3_U1") {
+    moduleName = "libswft.so.1.0";        
+} else if ((plat == "SunOS5.4") || (plat == "SunOS5.5.1")){
+    moduleName = "libswft.so";
+} else if ((plat == "HP-UXA.09") || (plat == "HP-UXB.10")){
+    moduleName = "libswft.sl";
+} else {
+    window.alert("Sorry, platform "+plat+" is not supported.");
+    bAbort = true;
+}
+
+////////////////////////////////////////////////////////////////////////////////////////
+// Installation Begins...
+if (!bAbort) {
+if (confirm("This script will install and configure a security module, do you want to continue?")) { 
+ // Step 1. Create a version object and a software update object 
+ vi = new netscape.softupdate.VersionInfo(1, 5, 0, 0); 
+ su = new netscape.softupdate.SoftwareUpdate(this, "Fortezza Card PKCS#11 Module"); 
+                 // "Fortezza ... Module" is the logical name of the bundle 
+
+ ////////////////////////////////////////
+ // Step 2. Start the install process 
+ bAbort = false; 
+ err = su.StartInstall("NSfortezza", // NSfortezza is the component folder (logical) 
+                       vi, 
+                       netscape.softupdate.SoftwareUpdate.FULL_INSTALL); 
+                            
+ bAbort = bAbort || (err !=0); 
+
+ if (err == 0) { 
+     ////////////////////////////////////////
+    // Step 3. Find out the physical location of the Program dir 
+    Folder = su.GetFolder("Program"); 
+
+     ////////////////////////////////////////
+    // Step 4. Install the files. Unpack them and list where they go 
+    err = su.AddSubcomponent("FortezzaLibrary", //component name (logical) 
+                                    vi, // version info 
+                                    moduleName, // source file in JAR (physical) 
+                                    Folder, // target folder (physical) 
+                                    dir + moduleName, // target path & filename (physical) 
+                                    this.force); // forces update 
+    bAbort = bAbort || (err !=0); 
+    if (err != 0) window.alert("Add sub err= "+ err);
+ } 
+
+ if (err == 0) {
+    /// Try installing the init program 
+    err = su.AddSubcomponent("FortezzaInitProg", vi, progName, Folder, progName,		this.force);
+    // don't fail because it didn't install, may just not be part of the package
+}
+
+ ////////////////////////////////////////
+ // Step 5. Unless there was a problem, move files to final location 
+ // and update the Client Version Registry 
+ if (bAbort) { 
+    window.alert("Aborting, Folder="+Folder+" module="+dir+moduleName);
+    su.AbortInstall(); 
+ } else { 
+    err = su.FinalizeInstall(); 
+    // Platform specific full path 
+    fullpath = Folder +  "pkcs11" + sep + vendor + sep + moduleName;
+
+     ////////////////////////////////////////
+    // Step 6: Call pkcs11.addmodule() to register the newly downloaded module
+    result = pkcs11.addmodule("Netscape Software FORTEZZA Module", 
+                              fullpath, 
+                              pkcs11MechanismFlags, 
+                              pkcs11CipherFlags); 
+
+    if ( result < 0) { 
+       window.alert("New module setup failed.  Error code: " + result); 
+   } else { 
+       window.alert("New module setup completed."); 
+   } 
+ } 
+} 
+}
diff --git a/security/nss/lib/fortcrypt/swfort/pkcs11/manifest.mn b/security/nss/lib/fortcrypt/swfort/pkcs11/manifest.mn
new file mode 100644
index 000000000..7ef8c2009
--- /dev/null
+++ b/security/nss/lib/fortcrypt/swfort/pkcs11/manifest.mn
@@ -0,0 +1,63 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+CORE_DEPTH		= ../../../../..
+
+MODULE		= security
+LIBRARY_NAME	= swft
+#LIBRARY_VERSION	= 32
+
+COPIED_CSRCS	= forsock.c  \
+		  fortpk11.c \
+		  fmutex.c   \
+		  $(NULL)
+
+CSRCS		= \
+		  $(COPIED_CSRCS) \
+		  stub.c \
+		  $(NULL)
+
+vpath %.c ../../
+INCLUDES	= -I../..
+
+EXPORTS		= 
+
+REQUIRES	= security dbm
+
+
+DEFINES		= -DSWFORT
+
+GARBAGE		= $(COPIED_CSRCS) cryptint.h fmutex.h fortsock.h fpkcs11.h \
+	fpkcs11f.h fpkcs11i.h fpkcs11t.h fpkmem.h fpkstrs.h genci.h maci.h 
+
+
diff --git a/security/nss/lib/fortcrypt/swfort/pkcs11/pk11inst b/security/nss/lib/fortcrypt/swfort/pkcs11/pk11inst
new file mode 100755
index 000000000..31d73eb4a
--- /dev/null
+++ b/security/nss/lib/fortcrypt/swfort/pkcs11/pk11inst
@@ -0,0 +1,49 @@
+ForwardCompatible { HPUX:10:hppa1.1 Solaris:5.5.1:sparc AIX:4.1:rs6000 }
+    Platforms {
+	WINNT::x86 {
+	    ModuleName { "Netscape Software FORTEZZA Module" }
+	    ModuleFile { %root%/pkcs11/netscape/swft32.dll }
+	    DefaultMechanismFlags{0x0000}
+	    DefaultCipherFlags{0x0001}
+	    Files {
+		swft32.dll {
+                     RelativePath { %root%/pkcs11/netscape/swft32.dll }
+		}
+	    }
+	WIN95::x86 {
+	    EquivalentPlatform {WINNT::x86}
+	}
+	Solaris:5.5.1:sparc {
+	    ModuleName { "Netscape Software FORTEZZA Module" }
+	    ModuleFile { %root%/pkcs11/netscape/libswft.so }
+	    DefaultMechanismFlags{0x0000}
+	    DefaultCipherFlags{0x0001}
+	    Files {
+		libswft.so {
+                     RelativePath { %root%/pkcs11/netscape/libswft.so }
+		}
+	    }
+	}
+	AIX:4.1:rs6000 {
+	    ModuleName { "Netscape Software FORTEZZA Module" }
+	    ModuleFile { %root%/pkcs11/netscape/libswft.so }
+	    DefaultMechanismFlags{0x0000}
+	    DefaultCipherFlags{0x0001}
+	    Files {
+		libswft.so {
+                     RelativePath { %root%/pkcs11/netscape/libswft.so }
+		}
+	    }
+	}
+	HPUX:10:hppa1.1 {
+	    ModuleName { "Netscape Software FORTEZZA Module" }
+	    ModuleFile { %root%/pkcs11/netscape/libswft.sl }
+	    DefaultMechanismFlags{0x0000}
+	    DefaultCipherFlags{0x0001}
+	    Files {
+		libswft.so {
+                     RelativePath { %root%/pkcs11/netscape/libswft.sl }
+		}
+	    }
+	}
+    }
diff --git a/security/nss/lib/fortcrypt/swfort/pkcs11/stub.c b/security/nss/lib/fortcrypt/swfort/pkcs11/stub.c
new file mode 100644
index 000000000..e3b854f3d
--- /dev/null
+++ b/security/nss/lib/fortcrypt/swfort/pkcs11/stub.c
@@ -0,0 +1,350 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * secport.c - portability interfaces for security libraries
+ *
+ * This file abstracts out libc functionality that libsec depends on
+ * 
+ * NOTE - These are not public interfaces. These stubs are to allow the 
+ * SW FORTEZZA to link with some low level security functions without dragging
+ * in NSPR.
+ *
+ * $Id$
+ */
+
+#include "seccomon.h"
+#include "prmem.h"
+#include "prerror.h"
+#include "plarena.h"
+#include "secerr.h"
+#include "prmon.h"
+#include "prbit.h"
+
+unsigned long port_allocFailures;
+
+/* locations for registering Unicode conversion functions.  
+ *  Is this the appropriate location?  or should they be
+ *     moved to client/server specific locations?
+ */
+PORTCharConversionFunc ucs4Utf8ConvertFunc;
+PORTCharConversionFunc ucs2Utf8ConvertFunc;
+PORTCharConversionWSwapFunc  ucs2AsciiConvertFunc;
+
+void *
+PORT_Alloc(size_t bytes)
+{
+    void *rv;
+
+    /* Always allocate a non-zero amount of bytes */
+    rv = (void *)malloc(bytes ? bytes : 1);
+    if (!rv) {
+	++port_allocFailures;
+    }
+    return rv;
+}
+
+void *
+PORT_Realloc(void *oldptr, size_t bytes)
+{
+    void *rv;
+
+    rv = (void *)realloc(oldptr, bytes);
+    if (!rv) {
+	++port_allocFailures;
+    }
+    return rv;
+}
+
+void *
+PORT_ZAlloc(size_t bytes)
+{
+    void *rv;
+
+    /* Always allocate a non-zero amount of bytes */
+    rv = (void *)calloc(1, bytes ? bytes : 1);
+    if (!rv) {
+	++port_allocFailures;
+    }
+    return rv;
+}
+
+void
+PORT_Free(void *ptr)
+{
+    if (ptr) {
+	free(ptr);
+    }
+}
+
+void
+PORT_ZFree(void *ptr, size_t len)
+{
+    if (ptr) {
+	memset(ptr, 0, len);
+	free(ptr);
+    }
+}
+
+void
+PORT_SetError(int value)
+{	
+    return;
+}
+
+int
+PORT_GetError(void)
+{
+    return(1);
+}
+
+/********************* Arena code follows *****************************/
+
+
+PLArenaPool *
+PORT_NewArena(unsigned long chunksize)
+{
+    PLArenaPool *arena;
+    
+    arena = (PLArenaPool*)PORT_ZAlloc(sizeof(PLArenaPool));
+    if ( arena != NULL ) {
+	PR_InitArenaPool(arena, "security", chunksize, sizeof(double));
+    }
+    return(arena);
+}
+
+void *
+PORT_ArenaAlloc(PLArenaPool *arena, size_t size)
+{
+    void *p;
+
+    PL_ARENA_ALLOCATE(p, arena, size);
+    if (p == NULL) {
+	++port_allocFailures;
+    }
+
+    return(p);
+}
+
+void *
+PORT_ArenaZAlloc(PLArenaPool *arena, size_t size)
+{
+    void *p;
+
+    PL_ARENA_ALLOCATE(p, arena, size);
+    if (p == NULL) {
+	++port_allocFailures;
+    } else {
+	PORT_Memset(p, 0, size);
+    }
+
+    return(p);
+}
+
+/* need to zeroize!! */
+void
+PORT_FreeArena(PLArenaPool *arena, PRBool zero)
+{
+    PR_FinishArenaPool(arena);
+    PORT_Free(arena);
+}
+
+void *
+PORT_ArenaGrow(PLArenaPool *arena, void *ptr, size_t oldsize, size_t newsize)
+{
+    PORT_Assert(newsize >= oldsize);
+    
+    PL_ARENA_GROW(ptr, arena, oldsize, ( newsize - oldsize ) );
+    
+    return(ptr);
+}
+
+void *
+PORT_ArenaMark(PLArenaPool *arena)
+{
+    void * result;
+
+    result = PL_ARENA_MARK(arena);
+    return result;
+}
+
+void
+PORT_ArenaRelease(PLArenaPool *arena, void *mark)
+{
+    PL_ARENA_RELEASE(arena, mark);
+}
+
+void
+PORT_ArenaUnmark(PLArenaPool *arena, void *mark)
+{
+    /* do nothing */
+}
+
+char *
+PORT_ArenaStrdup(PLArenaPool *arena,char *str) {
+    int len = PORT_Strlen(str)+1;
+    char *newstr;
+
+    newstr = (char*)PORT_ArenaAlloc(arena,len);
+    if (newstr) {
+        PORT_Memcpy(newstr,str,len);
+    }
+    return newstr;
+}
+
+PR_IMPLEMENT(void)
+PR_Assert(const char *expr, const char *file, int line) {
+    return; 
+}
+
+PR_IMPLEMENT(void *)
+PR_Alloc(PRUint32 bytes) { return malloc(bytes); }
+
+PR_IMPLEMENT(void *)
+PR_Malloc(PRUint32 bytes) { return malloc(bytes); }
+
+PR_IMPLEMENT(void *)
+PR_Calloc(PRUint32 blocks, PRUint32 bytes) { return calloc(blocks,bytes); }
+
+PR_IMPLEMENT(void)
+PR_Free(void *ptr) { free(ptr); }
+
+PR_IMPLEMENT(void)
+PR_SetError(PRErrorCode errorCode, PRInt32 oserr) { return; }
+
+PR_IMPLEMENT(void)
+PR_SetErrorText(PRIntn textLength, const char *text) { return; }
+
+
+/* Old template; want to expunge it eventually. */
+#include "secasn1.h"
+#include "secoid.h"
+
+const SEC_ASN1Template SECOID_AlgorithmIDTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SECAlgorithmID) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(SECAlgorithmID,algorithm), },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
+	  offsetof(SECAlgorithmID,parameters), },
+    { 0, }
+};
+
+/* now make the RNG happy */ /* This is not atomic! */
+PR_IMPLEMENT(PRInt32) PR_AtomicIncrement(PRInt32 *val) { return ++(*val); }
+/* This is not atomic! */
+PR_IMPLEMENT(PRInt32) PR_AtomicDecrement(PRInt32 *val) { return --(*val); }
+
+PR_IMPLEMENT(PRStatus) PR_Sleep(PRIntervalTime ticks) { return PR_SUCCESS; }
+
+#include "nssilock.h"
+#include "fmutex.h"
+PR_IMPLEMENT(PRLock *)
+PR_NewLock(void) {
+	PRLock *lock = NULL;
+
+	FMUTEX_Create((void **)&lock);
+
+	/* if we don't have a lock, FMUTEX can deal with things */
+	if (lock == NULL) lock=(PRLock *) 1;
+	return lock;
+}
+
+PR_IMPLEMENT(void) 
+PR_DestroyLock(PRLock *lock) {
+	FMUTEX_Destroy(lock);
+}
+
+PR_IMPLEMENT(void) 
+PR_Lock(PRLock *lock) {
+	FMUTEX_Lock(lock);
+}
+
+PR_IMPLEMENT(PRStatus) 
+PR_Unlock(PRLock *lock) {
+	FMUTEX_Unlock(lock);
+	return PR_SUCCESS;
+}
+
+/* this implementation is here to satisfy the PRMonitor use in plarena.c.
+** It appears that it doesn't need re-entrant locks.  It could have used
+** PRLock instead of PRMonitor.  So, this implementation just uses 
+** PRLock for a PRMonitor.
+*/
+PR_IMPLEMENT(PRMonitor*) 
+PR_NewMonitor(void)
+{
+    return (PRMonitor *) PR_NewLock();
+}
+
+
+PR_IMPLEMENT(void) 
+PR_EnterMonitor(PRMonitor *mon)
+{
+    PR_Lock( (PRLock *)mon );
+}
+
+PR_IMPLEMENT(PRStatus) 
+PR_ExitMonitor(PRMonitor *mon)
+{
+    return PR_Unlock( (PRLock *)mon );
+}
+
+#include "prinit.h"
+
+/* This is NOT threadsafe.  It is merely a pseudo-functional stub.
+*/
+PR_IMPLEMENT(PRStatus) PR_CallOnce(
+    PRCallOnceType *once,
+    PRCallOnceFN    func)
+{
+    /* This is not really atomic! */
+    if (1 == PR_AtomicIncrement(&once->initialized)) {
+	once->status = (*func)();
+    }  else {
+    	/* Should wait to be sure that func has finished before returning. */
+    }
+    return once->status;
+}
+
+
+/*
+** Compute the log of the least power of 2 greater than or equal to n
+*/
+PRIntn PR_CeilingLog2(PRUint32 i) {
+	PRIntn log2;
+	PR_CEILING_LOG2(log2,i);
+	return log2;
+}
+
+/********************** end of arena functions ***********************/
+
diff --git a/security/nss/lib/fortcrypt/swfort/swfalg.c b/security/nss/lib/fortcrypt/swfort/swfalg.c
new file mode 100644
index 000000000..6f8ab9f6c
--- /dev/null
+++ b/security/nss/lib/fortcrypt/swfort/swfalg.c
@@ -0,0 +1,506 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * Software implementation of FORTEZZA skipjack primatives
+ */
+#include "maci.h"
+#include "seccomon.h"
+#include "swforti.h" 
+
+/*
+ * Xor the IV into the plaintext buffer either just before encryption, or
+ * just after decryption.
+ */
+static void
+fort_XorIV(unsigned char *obuffer, unsigned char *buffer, unsigned char *iv) {
+    int i;
+#ifdef USE_INT32
+    if ((buffer & 0x3) == 0) && ((iv & 0x3) == 0)) {
+	int32 *ibuffer = (int32 *)buffer;
+	int32 *iobuffer = (int32 *)obuffer;
+	int32 *iiv = (int32 *)iv;
+
+	iobuffer[0] = ibuffer[0] ^ iiv[0];
+	iobuffer[1] = ibuffer[1] ^ iiv[1];
+	return;
+    }
+#endif
+
+    for (i=0; i < SKIPJACK_BLOCK_SIZE; i++) {
+	obuffer[i] = buffer[i] ^ iv[i];
+    }
+}
+
+
+/* the F-table for Skipjack */
+unsigned char F[256] = { 
+    0xa3, 0xd7, 0x09, 0x83, 0xf8, 0x48, 0xf6, 0xf4,
+    0xb3, 0x21, 0x15, 0x78, 0x99, 0xb1, 0xaf, 0xf9,
+    0xe7, 0x2d, 0x4d, 0x8a, 0xce, 0x4c, 0xca, 0x2e,
+    0x52, 0x95, 0xd9, 0x1e, 0x4e, 0x38, 0x44, 0x28,
+    0x0a, 0xdf, 0x02, 0xa0, 0x17, 0xf1, 0x60, 0x68,
+    0x12, 0xb7, 0x7a, 0xc3, 0xe9, 0xfa, 0x3d, 0x53,
+    0x96, 0x84, 0x6b, 0xba, 0xf2, 0x63, 0x9a, 0x19,
+    0x7c, 0xae, 0xe5, 0xf5, 0xf7, 0x16, 0x6a, 0xa2,
+    0x39, 0xb6, 0x7b, 0x0f, 0xc1, 0x93, 0x81, 0x1b,
+    0xee, 0xb4, 0x1a, 0xea, 0xd0, 0x91, 0x2f, 0xb8,
+    0x55, 0xb9, 0xda, 0x85, 0x3f, 0x41, 0xbf, 0xe0,
+    0x5a, 0x58, 0x80, 0x5f, 0x66, 0x0b, 0xd8, 0x90,
+    0x35, 0xd5, 0xc0, 0xa7, 0x33, 0x06, 0x65, 0x69,
+    0x45, 0x00, 0x94, 0x56, 0x6d, 0x98, 0x9b, 0x76,
+    0x97, 0xfc, 0xb2, 0xc2, 0xb0, 0xfe, 0xdb, 0x20,
+    0xe1, 0xeb, 0xd6, 0xe4, 0xdd, 0x47, 0x4a, 0x1d,
+    0x42, 0xed, 0x9e, 0x6e, 0x49, 0x3c, 0xcd, 0x43,
+    0x27, 0xd2, 0x07, 0xd4, 0xde, 0xc7, 0x67, 0x18,
+    0x89, 0xcb, 0x30, 0x1f, 0x8d, 0xc6, 0x8f, 0xaa,
+    0xc8, 0x74, 0xdc, 0xc9, 0x5d, 0x5c, 0x31, 0xa4,
+    0x70, 0x88, 0x61, 0x2c, 0x9f, 0x0d, 0x2b, 0x87,
+    0x50, 0x82, 0x54, 0x64, 0x26, 0x7d, 0x03, 0x40,
+    0x34, 0x4b, 0x1c, 0x73, 0xd1, 0xc4, 0xfd, 0x3b,
+    0xcc, 0xfb, 0x7f, 0xab, 0xe6, 0x3e, 0x5b, 0xa5,
+    0xad, 0x04, 0x23, 0x9c, 0x14, 0x51, 0x22, 0xf0,
+    0x29, 0x79, 0x71, 0x7e, 0xff, 0x8c, 0x0e, 0xe2,
+    0x0c, 0xef, 0xbc, 0x72, 0x75, 0x6f, 0x37, 0xa1,
+    0xec, 0xd3, 0x8e, 0x62, 0x8b, 0x86, 0x10, 0xe8,
+    0x08, 0x77, 0x11, 0xbe, 0x92, 0x4f, 0x24, 0xc5,
+    0x32, 0x36, 0x9d, 0xcf, 0xf3, 0xa6, 0xbb, 0xac,
+    0x5e, 0x6c, 0xa9, 0x13, 0x57, 0x25, 0xb5, 0xe3,
+    0xbd, 0xa8, 0x3a, 0x01, 0x05, 0x59, 0x2a, 0x46
+};
+
+typedef unsigned char fort_keysched[32*4];
+
+/* do the key schedule work once for efficency */
+static void
+fort_skipKeySchedule(FORTSkipjackKeyPtr key,fort_keysched keysched)
+{
+    unsigned char *keyptr = key;
+    unsigned char *first = keyptr +sizeof(FORTSkipjackKey)-1;
+    int i;
+
+    keyptr = first;
+
+    for (i=0; i < (32*4); i++) {
+	keysched[i] = *keyptr--;
+	if (keyptr < key) keyptr = first;
+    }
+    return;
+}
+
+static void
+fort_clearShedule(fort_keysched keysched)
+{
+    PORT_Memset(keysched, 0, sizeof(keysched));
+}
+
+
+static unsigned int 
+G(fort_keysched cv, int k, unsigned int wordIn)
+{
+    unsigned char g1, g2, g3, g4, g5, g6;
+
+    g1 = (unsigned char) (wordIn >> 8) & 0xff;
+    g2 = (unsigned char) wordIn & 0xff;
+
+    g3 = F[g2^cv[4*k]]^g1;
+    g4 = F[g3^cv[4*k+1]]^g2;
+    g5 = F[g4^cv[4*k+2]]^g3;
+    g6 = F[g5^cv[4*k+3]]^g4;
+
+    return ((g5<<8)+g6);
+}
+
+static unsigned int 
+G1(fort_keysched cv, int k, unsigned int wordIn)
+{
+    unsigned char g1, g2, g3, g4, g5, g6;
+
+    g5 = (unsigned char) (wordIn >> 8) & 0xff;
+    g6 = (unsigned char) wordIn & 0xff;
+
+    g4 = F[g5^cv[4*k+3]]^g6;
+    g3 = F[g4^cv[4*k+2]]^g5;
+    g2 = F[g3^cv[4*k+1]]^g4;
+    g1 = F[g2^cv[4*k]]^g3;
+
+    return ((g1<<8)+g2);
+}
+
+static void 
+ruleA(fort_keysched cv,int round,unsigned int *w)
+{
+    unsigned int w4;
+    int i;
+
+    for(i=0; i<8; i++) {
+	int k = round*16+i;
+	int counter = k+1;
+
+	w4 = w[4];
+	w[4] = w[3];
+	w[3] = w[2];
+	w[2] = G(cv,k,w[1]);
+	w[1] = G(cv,k,w[1]) ^ w4 ^ counter;
+    }
+    return;
+}
+
+static void 
+ruleB(fort_keysched cv,int round,unsigned int *w)
+{
+    unsigned int w4;
+    int i;
+
+    for(i=0; i<8; i++) {
+	int k = round*16+i+8;
+	int counter = k+1;
+
+	w4 = w[4];
+	w[4] = w[3];
+	w[3] = w[1] ^ w[2] ^ counter; 
+	w[2] = G(cv,k,w[1]);
+	w[1] = w4;
+    }
+    return;
+}
+
+static void 
+ruleA1(fort_keysched cv,int round,unsigned int *w)
+{
+    unsigned int w4;
+    int i;
+
+    for(i=7; i>=0; i--) {
+	int k = round*16+i;
+	int counter = k+1;
+
+	w4 = w[4];
+	w[4] = w[1] ^ w[2] ^ counter;
+	w[1] = G1(cv,k,w[2]);
+	w[2] = w[3];
+	w[3] = w4;
+    }
+    return;
+}
+
+static void 
+ruleB1(fort_keysched cv,int round,unsigned int *w)
+{
+    unsigned int w4;
+    int i;
+
+    for(i=7; i>=0; i--) {
+	int k = round*16+i+8;
+	int counter = k+1;
+
+	w4 = w[4];
+	w[4] = w[1];
+	w[1] = G1(cv,k,w[2]);
+	w[2] = G1(cv,k,w[2]) ^ w[3] ^ counter; 
+	w[3] = w4;
+    }
+    return;
+}
+
+
+static void 
+fort_doskipD(fort_keysched cv,unsigned char *cipherIn,
+						 unsigned char *plainOut) {
+  unsigned int w[5]; /* ignore w[0] so the code matches the doc */
+
+  /* initial byte swap */
+  w[1]=(cipherIn[7]<<8)+cipherIn[6];
+  w[2]=(cipherIn[5]<<8)+cipherIn[4];
+  w[3]=(cipherIn[3]<<8)+cipherIn[2];
+  w[4]=(cipherIn[1]<<8)+cipherIn[0];
+
+  ruleB1(cv,1,w);
+  ruleA1(cv,1,w);
+  ruleB1(cv,0,w);
+  ruleA1(cv,0,w);
+
+  /* final byte swap */
+  plainOut[0] = w[4] & 0xff;
+  plainOut[1] = (w[4] >> 8) & 0xff;
+  plainOut[2] = w[3] & 0xff;
+  plainOut[3] = (w[3] >> 8) & 0xff;
+  plainOut[4] = w[2] & 0xff;
+  plainOut[5] = (w[2] >> 8) & 0xff;
+  plainOut[6] = w[1] & 0xff;
+  plainOut[7] = (w[1] >> 8) & 0xff;
+  return;
+}
+
+static void 
+fort_doskipE(fort_keysched cv,unsigned char *cipherIn,
+						 unsigned char *plainOut) {
+  unsigned int w[5]; /* ignore w[0] so the code matches the doc */
+
+  /* initial byte swap */
+  w[1]=(cipherIn[7]<<8)+cipherIn[6];
+  w[2]=(cipherIn[5]<<8)+cipherIn[4];
+  w[3]=(cipherIn[3]<<8)+cipherIn[2];
+  w[4]=(cipherIn[1]<<8)+cipherIn[0];
+
+  ruleA(cv,0,w);
+  ruleB(cv,0,w);
+  ruleA(cv,1,w);
+  ruleB(cv,1,w);
+
+  /* final byte swap */
+  plainOut[0] = w[4] & 0xff;
+  plainOut[1] = (w[4] >> 8) & 0xff;
+  plainOut[2] = w[3] & 0xff;
+  plainOut[3] = (w[3] >> 8) & 0xff;
+  plainOut[4] = w[2] & 0xff;
+  plainOut[5] = (w[2] >> 8) & 0xff;
+  plainOut[6] = w[1] & 0xff;
+  plainOut[7] = (w[1] >> 8) & 0xff;
+  return;
+}
+
+/* Checksums are calculated by encrypted a fixed string with the key, then
+ * taking 16 bytes of the result from the block */
+static int
+fort_CalcKeyChecksum(FORTSkipjackKeyPtr key, unsigned char *sum) {
+    unsigned char ckdata[8] = {
+		 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55 };
+    unsigned char ckres[8];
+    fort_keysched keysched;
+
+
+    fort_skipKeySchedule(key,keysched);
+
+    fort_doskipE(keysched,ckdata,ckres);
+    fort_clearShedule(keysched);
+    PORT_Memcpy(sum,&ckres[1],2);
+    return CI_OK;
+}
+
+/* These function actually implements skipjack CBC Decrypt */
+int
+fort_skipjackDecrypt(FORTSkipjackKeyPtr key, unsigned char *iv, 
+		unsigned long size, unsigned char *cipherIn, 
+						unsigned char *plainOut) {
+    unsigned char ivdata1[SKIPJACK_BLOCK_SIZE];
+    unsigned char ivdata2[SKIPJACK_BLOCK_SIZE];
+    unsigned char *lastiv, *nextiv, *tmpiv;
+    fort_keysched keysched;
+
+    /* do the key schedule work once for efficency */
+    fort_skipKeySchedule(key,keysched);
+
+    /* As we decrypt, we need to save the last block so that we can
+     * Xor it out of decrypted text to get the real plain text. We actually
+     * have to save it because cipherIn and plainOut may point to the same
+     * buffer. */
+    lastiv =ivdata1;
+    nextiv = ivdata2;
+    PORT_Memcpy(lastiv,iv,SKIPJACK_BLOCK_SIZE);
+    while (size >= SKIPJACK_BLOCK_SIZE) {
+	/* save the IV for the next block */
+	PORT_Memcpy(nextiv,cipherIn,SKIPJACK_BLOCK_SIZE);
+   	fort_doskipD(keysched,cipherIn,plainOut);
+	/* xor out the last IV */
+	fort_XorIV(plainOut,plainOut,lastiv);
+
+	/* swap the IV buffers */
+	tmpiv = lastiv;
+	lastiv = nextiv;
+	nextiv =tmpiv;
+
+	/* increment the loop pointers... be sure to get the input, output,
+	 * and size (decrement) each fortdoskipD operates on an entire block*/
+	cipherIn += SKIPJACK_BLOCK_SIZE;
+	plainOut += SKIPJACK_BLOCK_SIZE;
+	size -= SKIPJACK_BLOCK_SIZE;
+    }
+    fort_clearShedule(keysched); /* don't leave the key lying around the stack*/
+    if (size != 0) return CI_INV_SIZE;
+    return CI_OK;
+}
+
+/* These function actually implements skipjack CBC Encrypt */
+int
+fort_skipjackEncrypt(FORTSkipjackKeyPtr key, unsigned char *iv, 
+		unsigned long size, unsigned char *plainIn, 
+						unsigned char *cipherOut) {
+    unsigned char *tmpiv;
+    fort_keysched keysched;
+    unsigned char plain[SKIPJACK_BLOCK_SIZE];
+
+    fort_skipKeySchedule(key,keysched);
+    tmpiv = iv;
+    while (size >= SKIPJACK_BLOCK_SIZE) {
+	/* We Xor into a temp buffer because we don't want to modify plainIn,
+	 * doing so may make the caller very unhappy:). */
+	fort_XorIV(plain,plainIn,tmpiv);
+   	fort_doskipE(keysched,plain,cipherOut);
+	tmpiv = cipherOut;
+	cipherOut += SKIPJACK_BLOCK_SIZE;
+	plainIn += SKIPJACK_BLOCK_SIZE;
+	size -= SKIPJACK_BLOCK_SIZE;
+    }
+    fort_clearShedule(keysched); /* don't leave the key lying around the stack*/
+    if (size != 0) return CI_INV_SIZE;
+    return CI_OK;
+}
+
+   
+
+/*
+ * unwrap is used for key generation and mixing
+ */
+int
+fort_skipjackUnwrap(FORTSkipjackKeyPtr key,unsigned long len, 
+			unsigned char *cipherIn, unsigned char *plainOut) {
+    unsigned char low[10];
+    fort_keysched keysched;
+    int i,ret;
+
+    /* unwrap can only unwrap 80 bit symetric keys and 160 private keys 
+     * sometimes these values have checksums. When they do, we should verify
+     * those checksums. */
+    switch (len) {
+    case 20:	/* private key */
+    case 24:   /* private key with checksum */
+	ret = fort_skipjackUnwrap(key,len/2,cipherIn,plainOut);
+	if (ret != CI_OK) return ret;
+	ret = fort_skipjackUnwrap(key,len/2,&cipherIn[len/2],low);
+
+	/* unmunge the low word */
+	for (i=0; i < 10; i++) {
+	    low[i] = low[i] ^ plainOut[i];
+	}
+
+	/* the unwrap will fail above because the checkword is on
+	 * low, not low ^ high.
+	 */
+	if (ret == CI_CHECKWORD_FAIL) {
+	    unsigned char checksum[2];
+
+            ret = fort_CalcKeyChecksum(low,checksum);
+	    if (ret != CI_OK) return ret;
+	    if (PORT_Memcmp(checksum,&cipherIn[len-2],2) != 0) {
+		return CI_CHECKWORD_FAIL;
+	    }
+	}
+	if (ret != CI_OK) return ret;
+
+	/* re-order the low word */
+	PORT_Memcpy(&plainOut[10],&low[8],2);
+	PORT_Memcpy(&plainOut[12],&low[0],8);
+	return CI_OK;
+    case 10: /* 80 bit skipjack key */
+    case 12: /* 80 bit skipjack key with checksum */
+	fort_skipKeySchedule(key,keysched);
+	fort_doskipD(keysched,cipherIn,plainOut);
+	plainOut[8] = cipherIn[8] ^ plainOut[0];
+	plainOut[9] = cipherIn[9] ^ plainOut[1];
+	fort_doskipD(keysched,plainOut,plainOut);
+	fort_clearShedule(keysched); 
+	/* if we have a checkum, verify it */
+	if (len == 12) {
+	    unsigned char checksum[2];
+
+            ret = fort_CalcKeyChecksum(plainOut,checksum);
+	    if (ret != CI_OK) return ret;
+	    if (PORT_Memcmp(checksum,&cipherIn[10],2) != 0) {
+		return CI_CHECKWORD_FAIL;
+	    }
+        }
+	return CI_OK;
+    default:
+	break;
+    }
+    return CI_INV_SIZE;
+}
+
+/*
+ * unwrap is used for key generation and mixing
+ */
+int
+fort_skipjackWrap(FORTSkipjackKeyPtr key,unsigned long len, 
+			unsigned char *plainIn, unsigned char *cipherOut) {
+    unsigned char low[10];
+    unsigned char checksum[2];
+    fort_keysched keysched;
+    int i,ret;
+
+
+    /* NOTE: length refers to the target in the case of wrap */
+    /* Wrap can only Wrap 80 bit symetric keys and 160 private keys 
+     * sometimes these values have checksums. When they do, we should verify
+     * those checksums. */
+    switch (len) {
+    case 20:	/* private key */
+    case 24:   /* private key with checksum */
+	/* re-order the low word */
+	PORT_Memcpy(&low[8],&plainIn[10],2);
+	PORT_Memcpy(&low[0],&plainIn[12],8);
+	if (len == 24) {
+            ret = fort_CalcKeyChecksum(low,checksum);
+	    if (ret != CI_OK) return ret;
+	}
+	/* munge the low word */
+	for (i=0; i < 10; i++) {
+	    low[i] = low[i] ^ plainIn[i];
+	}
+	ret = fort_skipjackWrap(key,len/2,plainIn,cipherOut);
+	ret = fort_skipjackWrap(key,len/2,low,&cipherOut[len/2]);
+	if (len == 24) {
+	    PORT_Memcpy(&cipherOut[len - 2], checksum, sizeof(checksum));
+	}
+
+	return CI_OK;
+    case 10: /* 80 bit skipjack key */
+    case 12: /* 80 bit skipjack key with checksum */
+
+	fort_skipKeySchedule(key,keysched);
+	fort_doskipE(keysched,plainIn,cipherOut);
+	cipherOut[8] = plainIn[8] ^ cipherOut[0];
+	cipherOut[9] = plainIn[9] ^ cipherOut[1];
+	fort_doskipE(keysched,cipherOut,cipherOut);
+	fort_clearShedule(keysched); 
+	/* if we need a checkum, get it */
+	if (len == 12) {
+            ret = fort_CalcKeyChecksum(plainIn,&cipherOut[10]);
+	    if (ret != CI_OK) return ret;
+        }
+	return CI_OK;
+    default:
+	break;
+    }
+    return CI_INV_SIZE;
+}
+
diff --git a/security/nss/lib/fortcrypt/swfort/swflib.c b/security/nss/lib/fortcrypt/swfort/swflib.c
new file mode 100644
index 000000000..c41a878fb
--- /dev/null
+++ b/security/nss/lib/fortcrypt/swfort/swflib.c
@@ -0,0 +1,1028 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * implement the MACI calls as Software Fortezza Calls.
+ * only do the ones Nescape Needs. This provides a single software slot,
+ * with 100 key registers, and 50 backup Ra private registers. Since we only
+ * create one session per slot, this implementation only uses one session.
+ * One future enhancement may be to try to improve on this for better threading
+ * support.
+ */
+
+#include "prtypes.h"
+#include "prio.h"
+
+#include "swforti.h"
+/*#include "keytlow.h"*/
+/* #include "dh.h" */
+#include "blapi.h"
+#include "maci.h"
+/* #include "dsa.h" */
+/* #include "hasht.h" */
+#include "secitem.h"
+#include "secrng.h"
+/*#include "keylow.h" */
+#include "secder.h"
+
+#if defined(XP_UNIX) || defined(XP_BEOS)
+#include <unistd.h>
+#endif
+
+#ifndef O_BINARY
+#define O_BINARY 0
+#endif
+
+
+/* currently we only support one software token. In the future we can use the
+ * session to determin which of many possible tokens we are talking about.
+ * all the calls which need tokens take a pointer to the software token as a
+ * target.
+ */
+static FORTSWToken *swtoken = NULL;
+
+#define SOCKET_ID 1
+
+
+/* can't change the pin on SW fortezza for now */
+int
+MACI_ChangePIN(HSESSION session, int PINType, CI_PIN CI_FAR pOldPIN,
+						 CI_PIN CI_FAR pNewPin)
+{
+    return CI_INV_STATE;
+}
+
+
+/*
+ * Check pin checks the pin, then logs the user in or out depending on if
+ * the pin succedes. The General implementation would support both SSO and 
+ * User mode our's only needs User mode. Pins are checked by whether or not
+ * they can produce our valid Ks for this 'card'.
+ */
+int
+MACI_CheckPIN(HSESSION session, int PINType, CI_PIN CI_FAR pin)
+{
+    FORTSkipjackKeyPtr Ks;
+    FORTSWFile *config_file = NULL;
+    FORTSkipjackKey seed;
+    unsigned char pinArea[13];
+    unsigned char *padPin = NULL;
+
+    /* This SW module can only log in as USER */
+    if (PINType != CI_USER_PIN) return CI_INV_TYPE;
+
+    if (swtoken == NULL) return CI_NO_CARD;
+    /* we can't check a pin if we haven't been initialized yet */
+    if (swtoken->config_file == NULL) return CI_NO_CARD;
+    config_file = swtoken->config_file;
+
+    /* Make sure the pin value meets minimum lengths */
+    if (PORT_Strlen((char *)pin) < 12) {
+	PORT_Memset(pinArea, ' ', sizeof(pinArea));
+	PORT_Memcpy(pinArea,pin,PORT_Strlen((char *)pin));
+	pinArea[12] = 0;
+	padPin = pinArea;
+    }
+
+    /* get the Ks by unwrapping it from the memphrase with the pbe generated
+     * from the pin */
+    Ks = fort_CalculateKMemPhrase(config_file, 
+			&config_file->fortezzaPhrase, (char *)pin, NULL);
+
+    if (Ks == 0) {
+	Ks = fort_CalculateKMemPhrase(config_file, 
+		&config_file->fortezzaPhrase, (char *)padPin, NULL);
+	if (Ks == 0) {
+	    PORT_Memset(pinArea, 0, sizeof(pinArea));
+	    fort_Logout(swtoken);
+	    return CI_FAIL;
+	}
+    }
+
+    /* use Ks and hash to verify that pin is correct */
+    if (! fort_CheckMemPhrase(config_file, &config_file->fortezzaPhrase, 
+						(char *)pin, Ks) ) {
+	if ((padPin == NULL) ||
+    	   ! fort_CheckMemPhrase(config_file, &config_file->fortezzaPhrase, 
+						(char *)padPin, Ks) )  {
+	    PORT_Memset(pinArea, 0, sizeof(pinArea));
+	    fort_Logout(swtoken);
+	    return CI_FAIL;
+	}
+    }
+
+    PORT_Memset(pinArea, 0, sizeof(pinArea));
+
+
+    /* OK, add the random Seed value into the random number generator */
+    fort_skipjackUnwrap(Ks,config_file->wrappedRandomSeed.len,
+	config_file->wrappedRandomSeed.data,seed);
+    RNG_RandomUpdate(seed,sizeof(seed));
+
+    /* it is, go ahead and log in */
+    swtoken->login = PR_TRUE;
+    /* Ks is always stored in keyReg[0] when we log in */
+    PORT_Memcpy(swtoken->keyReg[0].data, Ks, sizeof (FORTSkipjackKey));
+    swtoken->keyReg[0].present = PR_TRUE;
+    PORT_Memset(Ks, 0, sizeof(FORTSkipjackKey));
+    PORT_Free(Ks);
+
+
+    return CI_OK;
+}
+
+/*
+ * close an open socket. Power_Down flag is set when we want to reset the
+ * cards complete state.
+ */
+int
+MACI_Close(HSESSION session, unsigned int flags, int socket)
+{
+    if (socket != SOCKET_ID) return CI_BAD_CARD;
+    if (swtoken == NULL) return CI_BAD_CARD;
+
+    if (flags == CI_POWER_DOWN_FLAG) {
+	fort_Logout(swtoken);
+    }
+    return CI_OK;
+}
+
+/*
+ * Decrypt keeps track of it's own IV.
+ */
+int
+MACI_Decrypt(HSESSION session, unsigned int size, CI_DATA cipherIn,
+				 			CI_DATA plainOut)
+{
+    int ret;
+    unsigned char IV[SKIPJACK_BLOCK_SIZE];
+
+    if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
+    if ((ret = fort_KeyOK(swtoken,swtoken->key,PR_TRUE)) != CI_OK)  return ret;
+
+    /*fort_AddNoise();*/
+
+    /* save the IV, before we potentially trash the new one when we decrypt.
+     * (it's permissible to decrypt into the cipher text buffer by passing the
+     * same buffers for both cipherIn and plainOut.
+     */
+    PORT_Memcpy(IV,swtoken->IV, sizeof(IV));
+    fort_UpdateIV(cipherIn,size,swtoken->IV);
+    return fort_skipjackDecrypt(swtoken->keyReg[swtoken->key].data,
+						IV,size,cipherIn,plainOut);
+}
+
+/*
+ * Clear a key from one of the key registers (indicated by index).
+ * return an error if no key exists.
+ */
+int
+MACI_DeleteKey(HSESSION session, int index)
+{
+    int ret;
+    if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
+
+    /* can't delete Ks */
+    if (index == 0) return CI_INV_KEY_INDEX;
+
+    if ((ret = fort_KeyOK(swtoken,index,PR_TRUE)) != CI_OK)  return ret;
+    fort_ClearKey(&swtoken->keyReg[index]);
+    return CI_OK;
+}
+
+
+/*
+ * encrypt  some blocks of data and update the IV.
+ */ 
+int
+MACI_Encrypt(HSESSION session, unsigned int size, CI_DATA plainIn,
+				 			CI_DATA cipherOut)
+{
+    int ret;
+    if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
+    if ((ret = fort_KeyOK(swtoken,swtoken->key,PR_TRUE)) != CI_OK)  return ret;
+
+    /*fort_AddNoise();*/
+
+    ret = fort_skipjackEncrypt(swtoken->keyReg[swtoken->key].data,
+				swtoken->IV,size,plainIn,cipherOut);
+    fort_UpdateIV(cipherOut,size,swtoken->IV);
+
+    return ret;
+
+}
+
+/*
+ * create a new IV and encode it.
+ */
+
+static char *leafbits="THIS IS NOT LEAF";
+
+int
+MACI_GenerateIV(HSESSION Session, CI_IV CI_FAR pIV)
+{
+    int ret;
+
+    if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
+    if ((ret = fort_KeyOK(swtoken,swtoken->key,PR_TRUE)) != CI_OK)  return ret;
+
+    ret = fort_GenerateRandom(swtoken->IV,SKIPJACK_BLOCK_SIZE);
+    if (ret != CI_OK) return ret;
+
+    PORT_Memcpy(pIV,leafbits,SKIPJACK_LEAF_SIZE);
+    PORT_Memcpy(&pIV[SKIPJACK_LEAF_SIZE],swtoken->IV,SKIPJACK_BLOCK_SIZE);
+   
+    return CI_OK;
+}
+
+
+/*
+ * create a new Key
+ */
+int
+MACI_GenerateMEK(HSESSION session, int index, int reserved)
+{
+    int ret;
+    if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
+    if ((ret = fort_KeyOK(swtoken,index,PR_FALSE)) != CI_OK)  return ret;
+
+    ret = fort_GenerateRandom(swtoken->keyReg[index].data,
+					sizeof (swtoken->keyReg[index].data));
+    if (ret == CI_OK) swtoken->keyReg[index].present = PR_TRUE;
+
+    return ret;
+}
+
+/*
+ * build a new Ra/ra pair for a KEA exchange.
+ */
+int
+MACI_GenerateRa(HSESSION session, CI_RA CI_FAR pRa)
+{
+    int ret;
+    int counter;
+    int RaLen,raLen;
+    DSAPrivateKey *privKey = NULL;
+    PQGParams params;
+    SECStatus rv;
+    int crv = CI_EXEC_FAIL;
+    fortSlotEntry *certEntry = NULL;
+    unsigned char *unsignedRa = NULL;
+    unsigned char *unsignedra = NULL;
+    fortKeyInformation *key_info = NULL;
+	
+
+    if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
+    /* make sure the personality is set */
+    if (swtoken->certIndex == 0) return CI_INV_STATE;
+
+    /* pick next Ra circular buffer */
+    counter = swtoken->nextRa;
+    swtoken->nextRa++;
+    if (swtoken->nextRa >= MAX_RA_SLOTS) swtoken->nextRa = 0;
+
+    /* now get the params for diffie -helman key gen */
+    certEntry = fort_GetCertEntry(swtoken->config_file,swtoken->certIndex);
+    if (certEntry == NULL) return CI_INV_CERT_INDEX;
+    if (certEntry->exchangeKeyInformation) {
+	key_info = certEntry->exchangeKeyInformation;
+    } else {
+	key_info = certEntry->signatureKeyInformation;
+    }
+    if (key_info == NULL) return CI_NO_X;
+   
+    /* Generate Diffie Helman key Pair -- but we use DSA key gen to do it */
+    rv = SECITEM_CopyItem(NULL,&params.prime,&key_info->p);
+    if (rv != SECSuccess) return CI_EXEC_FAIL;
+    rv = SECITEM_CopyItem(NULL,&params.subPrime,&key_info->q);
+    if (rv != SECSuccess) return CI_EXEC_FAIL;
+    rv = SECITEM_CopyItem(NULL,&params.base,&key_info->g);
+    if (rv != SECSuccess) return CI_EXEC_FAIL;
+
+    /* KEA uses DSA like key generation with short DSA keys that have to
+     * maintain a relationship to q */
+    rv = DSA_NewKey(&params, &privKey);
+    SECITEM_FreeItem(&params.prime,PR_FALSE);
+    SECITEM_FreeItem(&params.subPrime,PR_FALSE);
+    SECITEM_FreeItem(&params.base,PR_FALSE);
+    if (rv != SECSuccess) return CI_EXEC_FAIL;
+    
+    /* save private key, public key, and param in Ra Circular buffer */
+    unsignedRa = privKey->publicValue.data;
+    RaLen      = privKey->publicValue.len;
+    while ((unsignedRa[0] == 0) && (RaLen > CI_RA_SIZE)) {
+	unsignedRa++;
+	RaLen--;
+    }
+    if (RaLen > CI_RA_SIZE) goto loser;
+
+    unsignedra = privKey->privateValue.data;
+    raLen      = privKey->privateValue.len;
+    while ((unsignedra[0] == 0) && (raLen > sizeof(fortRaPrivate))) {
+	unsignedra++;
+	raLen--;
+    }
+
+    if (raLen > sizeof(fortRaPrivate)) goto loser;
+
+    PORT_Memset(swtoken->RaValues[counter].private, 0, sizeof(fortRaPrivate));
+    PORT_Memcpy(
+	&swtoken->RaValues[counter].private[sizeof(fortRaPrivate) - raLen],
+							unsignedra, raLen);
+    PORT_Memset(pRa, 0, CI_RA_SIZE);
+    PORT_Memcpy(&pRa[CI_RA_SIZE-RaLen], unsignedRa, RaLen);
+    PORT_Memcpy(swtoken->RaValues[counter].public, pRa, CI_RA_SIZE);
+    crv = CI_OK;
+
+loser:
+    PORT_FreeArena(privKey->params.arena, PR_TRUE);
+
+    return crv;
+}
+
+
+/*
+ * return some random data.
+ */
+int
+MACI_GenerateRandom(HSESSION session, CI_RANDOM CI_FAR random)
+{
+    int ret;
+    if ((ret = fort_CardExists(swtoken,PR_FALSE)) != CI_OK) return ret;
+    return fort_GenerateRandom(random,sizeof (CI_RANDOM));
+}
+
+
+static CI_RA Remail = {
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1
+};
+
+/*
+ * build a new Token exchange key using KEA.
+ */
+int
+MACI_GenerateTEK(HSESSION hSession, int flags, int target, 
+     CI_RA CI_FAR Ra, CI_RA CI_FAR Rb, unsigned int YSize, CI_Y CI_FAR pY )
+{
+    FORTEZZAPrivateKey *key 		= NULL;
+    fortSlotEntry *      certEntry;
+    unsigned char *      w		= NULL;
+    SECItem              *q;
+    SECStatus            rv;
+    int                  ret,i;
+    PRBool               email 		= PR_TRUE;
+    SECItem              R;		/* public */
+    SECItem              Y;		/* public */
+    SECItem              r;		/* private */
+    SECItem              x;		/* private */
+    SECItem              wItem;		/* derived secret */
+    fortRaPrivatePtr     ra;
+    FORTSkipjackKey      cover_key;
+
+    unsigned char pad[10] = { 0x72, 0xf1, 0xa8, 0x7e, 0x92,
+			      0x82, 0x41, 0x98, 0xab, 0x0b };
+
+    /* verify that everything is ok with the token, keys and certs */
+    if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
+    /* make sure the personality is set */
+    if (swtoken->certIndex == 0) return CI_INV_STATE;
+    if ((ret = fort_KeyOK(swtoken,target,PR_FALSE)) != CI_OK)  return ret;
+
+    /* get the cert from the entry, then look up the key from that cert */
+    certEntry = fort_GetCertEntry(swtoken->config_file,swtoken->certIndex);
+    if (certEntry == NULL) return CI_INV_CERT_INDEX;
+    key = fort_GetPrivKey(swtoken,fortezzaDHKey,certEntry);
+    if (key == NULL) return CI_NO_X; 
+
+    if (certEntry->exchangeKeyInformation) {
+	q = &certEntry->exchangeKeyInformation->q;
+    } else {
+	q = &certEntry->signatureKeyInformation->q;
+    }
+
+    email = (PORT_Memcmp(Rb,Remail,sizeof(Rb)) == 0) ? PR_TRUE: PR_FALSE;
+
+
+    /* load the common elements */
+    Y.data = pY;
+    Y.len = YSize;
+    x.data = key->u.dh.privateValue.data;
+    x.len = key->u.dh.privateValue.len;
+
+    /* now initialize the rest of the values */
+    if (flags == CI_INITIATOR_FLAG) {
+	if (email) { 
+	    R.data = Y.data;
+	    R.len = Y.len;
+	} else {
+	    R.data = Rb;
+	    R.len = sizeof(CI_RA);
+	}
+        ra = fort_LookupPrivR(swtoken,Ra);
+	if (ra == NULL) {
+	    ret = CI_EXEC_FAIL;
+	    goto loser;
+	}
+	r.data = ra;
+	r.len = sizeof(fortRaPrivate);
+    } else {
+	R.data = Ra;
+	R.len = sizeof(CI_RA);
+	if (email) {
+	    r.data = x.data;
+	    r.len = x.len;
+	} else {
+            ra = fort_LookupPrivR(swtoken,Rb);
+	    if (ra == NULL) {
+		ret = CI_EXEC_FAIL;
+		goto loser;
+	    }
+	    r.data = ra;
+	    r.len = sizeof(fortRaPrivate);
+	}
+    }
+
+
+    if (!KEA_Verify(&Y,&key->u.dh.prime,q)) {
+	ret = CI_EXEC_FAIL;
+	goto loser;
+    }
+    if (!KEA_Verify(&R,&key->u.dh.prime,q)) {
+	ret = CI_EXEC_FAIL;
+	goto loser;
+    }
+
+    /* calculate the base key */
+    rv = KEA_Derive(&key->u.dh.prime, &Y, &R, &r, &x, &wItem);
+    if (rv != SECSuccess) {
+	ret = CI_EXEC_FAIL;
+	goto loser;
+    }
+
+    w = wItem.data;
+    /* use the skipjack wrapping function to 'mix' the key up */
+    for (i=0; i < sizeof(FORTSkipjackKey); i++) 
+    	cover_key[i] = pad[i] ^ w[i];
+
+    ret = fort_skipjackWrap(cover_key,sizeof(FORTSkipjackKey),
+		&w[sizeof(FORTSkipjackKey)],swtoken->keyReg[target].data);
+    if (ret != CI_OK) goto loser;
+
+    swtoken->keyReg[target].present = PR_TRUE;
+
+    ret = CI_OK;
+loser:
+    if (w) PORT_Free(w);
+    if (key) fort_DestroyPrivateKey(key);
+    
+    return ret;
+}
+
+
+/*
+ * return the bytes of a certificate.
+ */
+int
+MACI_GetCertificate(HSESSION hSession, int certIndex,
+						 CI_CERTIFICATE CI_FAR cert)
+{
+    int len;
+    int ret;
+    fortSlotEntry *certEntry = NULL;
+
+    if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
+
+    certEntry = fort_GetCertEntry(swtoken->config_file,certIndex);
+    if (certEntry == NULL) return CI_INV_CERT_INDEX;
+
+    len = certEntry->certificateData.dataEncryptedWithKs.len;
+    PORT_Memset(cert,0,sizeof(CI_CERTIFICATE));
+    PORT_Memcpy(cert, certEntry->certificateData.dataEncryptedWithKs.data,len);
+
+    /* Ks is always stored in keyReg[0] when we log in */
+    return fort_skipjackDecrypt(swtoken->keyReg[0].data,
+	&certEntry->certificateData.dataIV.data[SKIPJACK_LEAF_SIZE],
+						len,cert,cert);
+}
+
+
+/*
+ * return out sofware configuration bytes. Those field not used by the PKCS #11
+ * module may not be filled in exactly.
+ */
+#define NETSCAPE "Netscape Communications Corp    "
+#define PRODUCT  "Netscape Software FORTEZZA Lib  "
+#define SOFTWARE "Software FORTEZZA Implementation"
+
+int
+MACI_GetConfiguration(HSESSION hSession, CI_CONFIG_PTR config)
+{
+    config->LibraryVersion = 0x0100;
+    config->ManufacturerVersion = 0x0100;
+    PORT_Memcpy(config->ManufacturerName,NETSCAPE,sizeof(NETSCAPE));
+    PORT_Memcpy(config->ProductName,PRODUCT,sizeof(PRODUCT));
+    PORT_Memcpy(config->ProcessorType,SOFTWARE,sizeof(SOFTWARE));
+    config->UserRAMSize = 0;
+    config->LargestBlockSize = 0x10000;
+    config->KeyRegisterCount = KEY_REGISTERS;
+    config->CertificateCount = 
+		swtoken ? fort_GetCertCount(swtoken->config_file): 0;
+    config->CryptoCardFlag = 0;
+    config->ICDVersion = 0;
+    config->ManufacturerSWVer = 0x0100;
+    config->DriverVersion = 0x0100;
+    return CI_OK;
+}
+
+/*
+ * return a list of all the personalities (up to the value 'EntryCount')
+ */
+int
+MACI_GetPersonalityList(HSESSION hSession, int EntryCount, 
+						CI_PERSON CI_FAR personList[])
+{
+    int count;
+    int i,ret;
+    FORTSWFile *config_file = NULL;
+    unsigned char tmp[32];
+
+    if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
+    config_file = swtoken->config_file;
+
+    /* search for the index */
+    count= fort_GetCertCount(config_file);
+
+    /* don't return more than the user asked for */
+    if (count > EntryCount) count = EntryCount;
+    for (i=0; i < count ;i ++) {
+	int len, dataLen;
+	personList[i].CertificateIndex =
+				config_file->slotEntries[i]->certIndex;
+	len = config_file->slotEntries[i]->certificateLabel.
+						dataEncryptedWithKs.len;
+	if (len > sizeof(tmp)) len = sizeof(tmp);
+        PORT_Memset(personList[i].CertLabel, ' ',
+					sizeof(personList[i].CertLabel));
+        PORT_Memcpy(tmp, 
+	     config_file->slotEntries[i]->
+			certificateLabel.dataEncryptedWithKs.data,
+								len);
+	/* Ks is always stored in keyReg[0] when we log in */
+	ret = fort_skipjackDecrypt(swtoken->keyReg[0].data,
+	 &config_file->slotEntries[i]->
+			certificateLabel.dataIV.data[SKIPJACK_LEAF_SIZE],len,
+			tmp,tmp);
+	if (ret != CI_OK) return ret;
+	dataLen = DER_GetInteger(&config_file->slotEntries[i]->
+			certificateLabel.length);
+	if (dataLen > sizeof(tmp)) dataLen = sizeof(tmp);
+        PORT_Memcpy(personList[i].CertLabel, tmp, dataLen);
+        personList[i].CertLabel[32] = 0;
+        personList[i].CertLabel[33] = 0;
+        personList[i].CertLabel[34] = 0;
+        personList[i].CertLabel[35] = 0;
+    }
+    return CI_OK;
+}
+
+
+/*
+ * get a new session ID. This function is only to make the interface happy,
+ * the PKCS #11 module only uses one session per token.
+ */
+int
+MACI_GetSessionID(HSESSION *session)
+{
+    *session = 1;
+    return CI_OK;
+}
+
+/*
+ * return the current card state.
+ */
+int
+MACI_GetState(HSESSION hSession, CI_STATE_PTR state)
+{
+    int ret;
+    if ((ret = fort_CardExists(swtoken,PR_FALSE)) != CI_OK) return ret;
+    *state = fort_GetState(swtoken);
+    return CI_OK;
+}
+
+/*
+ * return the status. NOTE that KeyRegisterFlags and CertificateFlags are never
+ * really used by the PKCS #11 module, so they are not implemented.
+ */
+int
+MACI_GetStatus(HSESSION hSession, CI_STATUS_PTR status)
+{
+    int ret;
+    FORTSWFile *config_file = NULL;
+
+    if ((ret = fort_CardExists(swtoken,PR_FALSE)) != CI_OK) return ret;
+    config_file = swtoken->config_file;
+    status->CurrentSocket = 1;
+    status->LockState = swtoken->lock;
+    PORT_Memcpy(status->SerialNumber,
+		config_file->serialID.data, config_file->serialID.len);
+    status->CurrentState = fort_GetState(swtoken);
+    status->DecryptionMode = CI_CBC64_MODE;
+    status->EncryptionMode = CI_CBC64_MODE;
+    status->CurrentPersonality = swtoken->certIndex;
+    status->KeyRegisterCount = KEY_REGISTERS;
+    /* our code doesn't use KeyRegisters, which is good, because there's not
+     * enough of them .... */
+    PORT_Memset(status->KeyRegisterFlags,0,sizeof(status->KeyRegisterFlags));
+    status->CertificateCount = fort_GetCertCount(config_file);
+    PORT_Memset(status->CertificateFlags,0,sizeof(status->CertificateFlags));
+    PORT_Memset(status->Flags,0,sizeof(status->Flags));
+
+    return CI_OK;
+}
+
+/*
+ * add the time call because the PKCS #11 module calls it, but always pretend
+ * the clock is bad, so it never uses the returned time.
+ */
+int
+MACI_GetTime(HSESSION hSession, CI_TIME CI_FAR time)
+{
+   return CI_BAD_CLOCK;
+}
+
+
+/* This function is copied from NSPR so that the PKCS #11 module can be
+ * independent of NSPR */
+PRInt32 local_getFileInfo(const char *fn, PRFileInfo *info);
+
+/*
+ * initialize the SW module, and return the number of slots we support (1).
+ */
+int
+MACI_Initialize(int CI_FAR *count)
+{
+    char *filename = NULL;
+    SECItem file;
+    FORTSignedSWFile *decode_file = NULL;
+    PRFileInfo info;
+    /*PRFileDesc *fd = NULL;*/
+    int fd = -1;
+    PRStatus err;
+    int ret = CI_OK;
+    int fcount;
+
+    file.data = NULL;
+    file.len = 0;
+
+    *count = 1;
+
+    /* allocate swtoken structure */
+    swtoken = PORT_ZNew(FORTSWToken);
+    if (swtoken == NULL) return CI_OUT_OF_MEMORY;
+
+    filename = (char *)fort_LookupFORTEZZAInitFile();
+    if (filename == NULL) {
+	ret = CI_BAD_READ;
+	goto failed;
+    }
+    
+    fd = open(filename,O_RDONLY|O_BINARY,0);
+    if (fd < 0) {
+	ret = CI_BAD_READ;
+	goto failed;
+    }
+
+    err = local_getFileInfo(filename,&info);
+    if ((err != 0) || (info.size == 0)) {
+	ret = CI_BAD_READ;
+	goto failed;
+    }
+
+    file.data = PORT_ZAlloc(info.size);
+    if (file.data == NULL) {
+	ret = CI_OUT_OF_MEMORY;
+	goto failed;
+    }
+
+    fcount = read(fd,file.data,info.size);
+    close(fd);  fd = -1;
+    if (fcount != (int)info.size) {
+	ret = CI_BAD_READ;
+	goto failed;
+    }
+
+    file.len = fcount;
+
+    decode_file = FORT_GetSWFile(&file);
+    if (decode_file == NULL) {
+	ret = CI_BAD_READ;
+	goto failed;
+    }
+    swtoken->config_file = &decode_file->file;
+
+    RNG_SystemInfoForRNG();
+    RNG_FileForRNG(filename);
+
+
+failed:
+    if (filename) PORT_Free(filename);
+    if (fd != -1) close(fd);
+    if (file.data) PORT_Free(file.data);
+    if (ret != CI_OK) {
+	if (decode_file) FORT_DestroySignedSWFile(decode_file);
+	if (swtoken) PORT_Free(swtoken);
+	swtoken = NULL;
+    }
+
+    return CI_OK;
+}
+
+/*
+ * load an IV from an external source. We technically should check it with the
+ * key we received.
+ */
+int
+MACI_LoadIV(HSESSION session, CI_IV CI_FAR iv)
+{
+    int ret;
+
+    if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
+    PORT_Memcpy(swtoken->IV,&iv[SKIPJACK_LEAF_SIZE],SKIPJACK_BLOCK_SIZE);
+    return CI_OK;
+}
+
+/* implement token lock (should call PR_Monitor here) */
+int
+MACI_Lock(HSESSION session, int flags)
+{
+    int ret;
+    if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
+    swtoken->lock = 1;
+
+    return CI_OK;
+}
+
+/* open a token. For software there isn't much to do that hasn't already been
+ * done by initialize. */
+int
+MACI_Open(HSESSION session, unsigned int flags, int socket)
+{
+    if (socket != SOCKET_ID) return CI_NO_CARD;
+    if (swtoken == NULL) return CI_NO_CARD;
+    return CI_OK;
+}
+
+/*
+ * Reset logs out the token...
+ */
+int
+MACI_Reset(HSESSION session)
+{
+    if (swtoken) fort_Logout(swtoken);
+    return CI_OK;
+}
+
+/*
+ * restore and encrypt/decrypt state. NOTE: there is no error checking in this
+ * or the save function.
+ */
+int
+MACI_Restore(HSESSION session, int type, CI_SAVE_DATA CI_FAR data)
+{
+    int ret;
+    if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
+    PORT_Memcpy(swtoken->IV,data, sizeof (swtoken->IV));
+    return CI_OK;
+}
+
+/*
+ * save and encrypt/decrypt state. NOTE: there is no error checking in this
+ * or the restore function.
+ */
+int
+MACI_Save(HSESSION session, int type,CI_SAVE_DATA CI_FAR data)
+{
+    int ret;
+    if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
+    PORT_Memcpy(data,swtoken->IV, sizeof (swtoken->IV));
+    return CI_OK;
+}
+
+/*
+ * picks a token to operate against. In our case there can be only one.
+ */
+int
+MACI_Select(HSESSION session, int socket)
+{
+    if (socket == SOCKET_ID) return CKR_OK;
+    return CI_NO_CARD;
+}
+
+/*
+ * set a register as the key to use for encrypt/decrypt operations.
+ */
+int
+MACI_SetKey(HSESSION session, int index)
+{
+    int ret;
+    if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
+    if ((ret = fort_KeyOK(swtoken,index,PR_TRUE)) != CI_OK)  return ret;
+
+    swtoken->key = index;
+    return CI_OK;
+}
+
+/*
+ * only CBC64 is supported. Keep setmode for compatibility */
+int
+MACI_SetMode(HSESSION session, int type, int mode)
+{
+    if (mode != CI_CBC64_MODE) return CI_INV_MODE;
+    return CI_OK;
+}
+
+/* set the personality to use for sign/verify */
+int
+MACI_SetPersonality(HSESSION session, int cert)
+{
+    int ret;
+    fortSlotEntry *certEntry = NULL;
+
+    if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
+
+    certEntry = fort_GetCertEntry(swtoken->config_file,cert);
+    if ((certEntry == NULL) ||
+	   ((certEntry->exchangeKeyInformation == NULL) &&
+			(certEntry->signatureKeyInformation == NULL)) )
+						 return CI_INV_CERT_INDEX;
+    swtoken->certIndex = cert;
+    return CI_OK;
+}
+
+
+/* DSA sign some data */
+int
+MACI_Sign(HSESSION session, CI_HASHVALUE CI_FAR hash, CI_SIGNATURE CI_FAR sig)
+{
+    FORTEZZAPrivateKey *key 		= NULL;
+    fortSlotEntry *      certEntry	= NULL;
+    int                  ret 		= CI_OK;
+    SECStatus            rv;
+    SECItem              signItem;
+    SECItem              hashItem;
+    unsigned char        random[DSA_SUBPRIME_LEN];
+
+    /* standard checks */
+    if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
+    /* make sure the personality is set */
+    if (swtoken->certIndex == 0) return CI_INV_STATE;
+
+    /* get the current personality */
+    certEntry = fort_GetCertEntry(swtoken->config_file,swtoken->certIndex);
+    if (certEntry == NULL) return CI_INV_CERT_INDEX;
+
+    /* extract the private key from the personality */
+    ret = CI_OK;
+    key = fort_GetPrivKey(swtoken,fortezzaDSAKey,certEntry);
+    if (key == NULL) {
+	ret = CI_NO_X;
+	goto loser;
+    }
+
+    /* create a random value for the signature */
+    ret = fort_GenerateRandom(random, sizeof(random));
+    if (ret != CI_OK) goto loser;
+
+    /* Sign with that private key */
+    signItem.data = sig;
+    signItem.len  = DSA_SIGNATURE_LEN;
+
+    hashItem.data = hash;
+    hashItem.len  = SHA1_LENGTH;
+
+    rv = DSA_SignDigestWithSeed(&key->u.dsa, &signItem, &hashItem, random);
+    if (rv != SECSuccess) {
+	ret = CI_EXEC_FAIL;
+    }
+
+    /* clean up */
+loser:
+    if (key != NULL) fort_DestroyPrivateKey(key);
+
+    return ret;
+}
+
+/*
+ * clean up after ourselves.
+ */
+int
+MACI_Terminate(HSESSION session)
+{
+    if (swtoken == NULL) return CI_OUT_OF_MEMORY;
+
+    /* clear all the keys */
+    fort_Logout(swtoken);
+    
+    FORT_DestroySWFile(swtoken->config_file);
+    PORT_Free(swtoken);
+    swtoken = NULL;
+    return CI_OK;
+}
+
+
+
+/* implement token unlock (should call PR_Monitor here) */
+int
+MACI_Unlock(HSESSION session)
+{
+    int ret;
+    if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
+    swtoken->lock = 0;
+    return CI_OK;
+}
+
+/*
+ * unwrap a key into our software token. NOTE: this function does not
+ * verify that the wrapping key is Ks or a TEK. This is because our higher
+ * level software doesn't try to wrap MEKs with MEKs. If this API was exposed
+ * generically, then we would have to worry about things like this.
+ */
+int
+MACI_UnwrapKey(HSESSION session, int wrapKey, int target, 
+						CI_KEY CI_FAR keyData)
+{
+    int ret = CI_OK;
+
+    if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
+    if ((ret = fort_KeyOK(swtoken,target,PR_FALSE)) != CI_OK)  return ret;
+    if ((ret = fort_KeyOK(swtoken,wrapKey,PR_TRUE)) != CI_OK)  return ret;
+    ret = fort_skipjackUnwrap(swtoken->keyReg[wrapKey].data,
+	sizeof(CI_KEY), keyData, swtoken->keyReg[target].data);
+    if (ret != CI_OK) goto loser;
+
+    swtoken->keyReg[target].present = PR_TRUE;
+
+loser:
+    return ret;
+}
+
+/*
+ * Wrap a key out of our software token. NOTE: this function does not
+ * verify that the wrapping key is Ks or a TEK, or that the source key is
+ * a MEK. This is because our higher level software doesn't try to wrap MEKs 
+ * with MEKs, or wrap out TEKS and Ks. If this API was exposed
+ * generically, then we would have to worry about things like this.
+ */
+int
+MACI_WrapKey(HSESSION session, int wrapKey, int source, CI_KEY CI_FAR keyData)
+{
+    int ret;
+
+    if ((ret = fort_CardExists(swtoken,PR_TRUE)) != CI_OK) return ret;
+    if ((ret = fort_KeyOK(swtoken,source,PR_TRUE)) != CI_OK)  return ret;
+    if ((ret = fort_KeyOK(swtoken,wrapKey,PR_TRUE)) != CI_OK)  return ret;
+    ret = fort_skipjackWrap(swtoken->keyReg[wrapKey].data,
+	sizeof(CI_KEY), swtoken->keyReg[source].data,keyData);
+
+    return ret;
+}
+
diff --git a/security/nss/lib/fortcrypt/swfort/swfort.h b/security/nss/lib/fortcrypt/swfort/swfort.h
new file mode 100644
index 000000000..d0cefb098
--- /dev/null
+++ b/security/nss/lib/fortcrypt/swfort/swfort.h
@@ -0,0 +1,70 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * Software implementation of FORTEZZA skipjack primatives
+ */
+#ifndef _SWFORT_H_
+#define _SWFORT_H_
+
+#include "seccomon.h"
+#include "swfortt.h" 
+/*#include "genci.h"*/
+
+
+SEC_BEGIN_PROTOS
+
+FORTSignedSWFile *
+FORT_GetSWFile(SECItem *initBits);
+
+SECStatus
+FORT_CheckInitPhrase(FORTSignedSWFile *sw_init_file, char *initMemPhrase);
+
+SECStatus
+FORT_CheckUserPhrase(FORTSignedSWFile *sw_init_file, char *userMemPhrase);
+
+void
+FORT_DestroySWFile(FORTSWFile *file);
+
+void
+FORT_DestroySignedSWFile(FORTSignedSWFile *swfile);
+
+SECItem *
+FORT_GetDERCert(FORTSignedSWFile *swfile, int index);
+
+SECItem *
+FORT_PutSWFile(FORTSignedSWFile *sw_init_file);
+
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/fortcrypt/swfort/swforti.h b/security/nss/lib/fortcrypt/swfort/swforti.h
new file mode 100644
index 000000000..bcc07ee62
--- /dev/null
+++ b/security/nss/lib/fortcrypt/swfort/swforti.h
@@ -0,0 +1,177 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * Software implementation of FORTEZZA Skipjack primatives and helper functions.
+ */
+#ifndef _SWFORTI_H_
+#define _SWFORTI_H_
+
+#ifndef RETURN_TYPE
+#define RETURN_TYPE int
+#endif
+
+#include "seccomon.h"
+#include "swfort.h"
+#include "swfortti.h"
+#include "maci.h"
+
+
+SEC_BEGIN_PROTOS
+/*
+ * Check to see if the index is ok, and that key is appropriately present or
+ * absent.
+ */
+int fort_KeyOK(FORTSWToken *token, int index, PRBool isPresent);
+
+/*
+ * clear out a key register
+ */
+void fort_ClearKey(FORTKeySlot *key);
+
+/*
+ * clear out an Ra register
+ */
+void fort_ClearRaSlot(FORTRaRegisters *ra);
+
+/*
+ * provide a helper function to do all the loggin out functions.
+ * NOTE: Logging in only happens in MACI_CheckPIN
+ */
+void fort_Logout(FORTSWToken *token);
+
+/*
+ * update the new IV value based on the current cipherText (should be the last 
+ * block of the cipher text).
+ */
+int fort_UpdateIV(unsigned char *cipherText, unsigned int size,unsigned char *IV);
+
+
+/*
+ * verify that we have a card initialized, and if necessary, logged in.
+ */
+int fort_CardExists(FORTSWToken *token,PRBool needLogin);
+
+/*
+ * walk down the cert slot entries, counting them.
+ * return that count.
+ */
+int fort_GetCertCount(FORTSWFile *file);
+
+/*
+ * copy an unsigned SECItem to a signed SecItem. (if the high bit is on,
+ * pad with a leading 0.
+ */
+SECStatus fort_CopyUnsigned(PRArenaPool *arena, SECItem *to, const SECItem *from);
+
+/*
+ * return the private key based on the token and entry.
+ */
+FORTEZZAPrivateKey *fort_GetPrivKey(FORTSWToken *token,FORTEZZAKeyType keyType,fortSlotEntry *certEntry);
+
+/*
+ * Free the key acquired above.
+ */
+void fort_DestroyPrivateKey(FORTEZZAPrivateKey *key);
+
+/*
+ * find a particulare certificate entry from the config
+ * file.
+ */
+fortSlotEntry * fort_GetCertEntry(FORTSWFile *file,int index);
+
+/*
+ * use the token to termine it's CI_State.
+ */
+CI_STATE fort_GetState(FORTSWToken *token);
+
+/*
+ * find the private ra value for a given public Ra value.
+ */
+fortRaPrivatePtr fort_LookupPrivR(FORTSWToken *token,CI_RA Ra);
+
+/*
+ * go add more noise to the random number generator
+ */
+void fort_AddNoise(void);
+
+/*
+ * Get a random number
+ */
+int fort_GenerateRandom(unsigned char *buf, int bytes);
+
+
+/*
+ * We're deep in the bottom of MACI and PKCS #11... We need to
+ * find our fortezza key file. This function lets us search manual paths to 
+ * find our key file.
+ */
+char *fort_FindFileInPath(char *path, char *fn);
+
+
+char *fort_LookupFORTEZZAInitFile(void);
+
+
+FORTSkipjackKeyPtr fort_CalculateKMemPhrase(FORTSWFile *file, 
+  fortProtectedPhrase * prot_phrase, char *phrase, FORTSkipjackKeyPtr wrapKey);
+
+
+PRBool fort_CheckMemPhrase(FORTSWFile *file, 
+  fortProtectedPhrase * prot_phrase, char *phrase, FORTSkipjackKeyPtr wrapKey);
+
+
+/* These function actually implements skipjack CBC64 Decrypt */
+int fort_skipjackDecrypt(FORTSkipjackKeyPtr key, unsigned char *iv, 
+		unsigned long size, unsigned char *cipherIn, 
+						unsigned char *plainOut);
+
+/* These function actually implements skipjack CBC64 Encrypt */
+int fort_skipjackEncrypt(FORTSkipjackKeyPtr key, unsigned char *iv, 
+		unsigned long size, unsigned char *plainIn, 
+						unsigned char *cipherOut);
+
+/*
+ * unwrap is used for key generation and mixing
+ */
+int fort_skipjackUnwrap(FORTSkipjackKeyPtr key,unsigned long len, 
+			unsigned char *cipherIn, unsigned char *plainOut);
+
+/*
+ * unwrap is used for key generation and mixing
+ */
+int
+fort_skipjackWrap(FORTSkipjackKeyPtr key,unsigned long len, 
+			unsigned char *plainIn, unsigned char *cipherOut);
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/fortcrypt/swfort/swfortt.h b/security/nss/lib/fortcrypt/swfort/swfortt.h
new file mode 100644
index 000000000..a5ee7b2b5
--- /dev/null
+++ b/security/nss/lib/fortcrypt/swfort/swfortt.h
@@ -0,0 +1,56 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * All the data structures for Software fortezza are internal only.
+ * The external API for Software fortezza is MACI (which is only used by
+ * the PKCS #11 module.
+ */
+
+#ifndef _SWFORTT_H_
+#define _SWFORTT_H_
+
+/* structure typedefs */
+typedef struct FORTKeySlotStr FORTKeySlot;
+typedef struct FORTRaRegistersStr  FORTRaRegisters;
+typedef struct FORTSWTokenStr  FORTSWToken;
+
+/* Der parsing typedefs */
+typedef struct fortKeyInformationStr fortKeyInformation;
+typedef struct fortProtectedDataStr fortProtectedData;
+typedef struct fortSlotEntryStr fortSlotEntry;
+typedef struct fortProtectedPhraseStr fortProtectedPhrase;
+typedef struct FORTSWFileStr FORTSWFile;
+typedef struct FORTSignedSWFileStr FORTSignedSWFile;
+
+
+#endif
diff --git a/security/nss/lib/fortcrypt/swfort/swfortti.h b/security/nss/lib/fortcrypt/swfort/swfortti.h
new file mode 100644
index 000000000..0fd2d0e34
--- /dev/null
+++ b/security/nss/lib/fortcrypt/swfort/swfortti.h
@@ -0,0 +1,176 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * All the data structures for Software fortezza are internal only.
+ * The external API for Software fortezza is MACI (which is only used by
+ * the PKCS #11 module.
+ */
+
+#ifndef _SWFORTTI_H_
+#define _SWFORTTI_H_
+
+#include "maci.h"
+#include "seccomon.h"
+#include "mcom_db.h"  /* really should be included by certt.h */
+#include "certt.h"
+/*#include "keyt.h"*/
+#include "blapit.h"
+#include "swfortt.h"
+
+
+typedef enum { 
+    fortezzaDSAKey = 0, 
+    fortezzaDHKey = 1
+} FORTEZZAKeyType;
+
+/*
+** Low Level private key object
+** This is only used by the raw Crypto engines (crypto), keydb (keydb),
+** and PKCS #11. Everyone else uses the high level key structure.
+*/
+struct FORTEZZAPrivateKeyStr {
+    PLArenaPool *arena;
+    FORTEZZAKeyType keyType;
+    union {
+	DSAPrivateKey dsa;
+	DHPrivateKey  dh;
+    } u;
+};
+typedef struct FORTEZZAPrivateKeyStr FORTEZZAPrivateKey;
+
+
+/* the following parameters are tunable. The bigger the key registers are,
+ * the less likely the PKCS #11 module will thrash. */
+#define KEY_REGISTERS	100
+#define MAX_RA_SLOTS	20
+
+/* SKIPJACK algorithm constants */
+#define SKIPJACK_KEY_SIZE 10
+#define SKIPJACK_BLOCK_SIZE 8
+#define SKIPJACK_LEAF_SIZE 16
+
+/* private typedefs */
+typedef unsigned char FORTSkipjackKey[SKIPJACK_KEY_SIZE];
+typedef unsigned char *FORTSkipjackKeyPtr;
+typedef unsigned char fortRaPrivate[20];
+typedef unsigned char *fortRaPrivatePtr;
+
+/* save a public/private key pair */
+struct FORTRaRegistersStr {
+    CI_RA	public;
+    fortRaPrivate private;
+};
+
+/* FORTEZZA Key Register */
+struct FORTKeySlotStr {
+    FORTSkipjackKey data;
+    PRBool   present;
+};
+
+/* structure to hole private key information */
+struct fortKeyInformationStr {
+    SECItem	keyFlags;
+    SECItem	privateKeyWrappedWithKs;
+    SECItem     derPublicKey;
+    SECItem	p;
+    SECItem	g;
+    SECItem	q;
+};
+
+/* struture to hole Ks wrapped data */
+struct fortProtectedDataStr {
+    SECItem	length;
+    SECItem	dataIV;
+    SECItem	dataEncryptedWithKs;
+};
+
+/* This structure represents a fortezza personality */
+struct fortSlotEntryStr {
+    SECItem	trusted;
+    SECItem	certificateIndex;
+    int 	certIndex;
+    fortProtectedData certificateLabel;
+    fortProtectedData certificateData;
+    fortKeyInformation *exchangeKeyInformation;
+    fortKeyInformation *signatureKeyInformation;
+};
+
+/* this structure represents a K value wrapped by a protected pin */
+struct fortProtectedPhraseStr {
+    SECItem	kValueIV;
+    SECItem	wrappedKValue;
+    SECItem	memPhraseIV;
+    SECItem	hashedEncryptedMemPhrase;
+};
+
+
+/* This structure represents all the relevant data stored in a der encoded
+ * fortezza slot file. */
+struct FORTSWFileStr {
+    PRArenaPool *arena;
+    SECItem	version;
+    SECItem	derIssuer;
+    SECItem	serialID;
+    fortProtectedPhrase initMemPhrase;
+#define fortezzaPhrase initMemPhrase 
+    fortProtectedPhrase ssoMemPhrase;
+    fortProtectedPhrase userMemPhrase;
+    fortProtectedPhrase ssoPinPhrase;
+    fortProtectedPhrase userPinPhrase;
+    SECItem	wrappedRandomSeed;
+    fortSlotEntry **slotEntries;
+};
+
+/* This data structed represents a signed data structure */
+struct FORTSignedSWFileStr {
+    FORTSWFile  file;
+    CERTSignedData signatureWrap;
+    FORTSkipjackKeyPtr Kinit;
+    FORTSkipjackKeyPtr Ks;
+};
+
+
+/* collect all the data that makes up a token */
+struct FORTSWTokenStr {
+    PRBool	login;		       /* has this token been logged in? */
+    int		lock;		       /* the current lock state */
+    int		certIndex;	       /* index of the current personality */
+    int		key;		       /* currently selected key */
+    int		nextRa;		       /* where the next Ra/ra pair will go */
+    FORTSWFile *config_file;           /* parsed Fortezza Config file */
+    unsigned char IV[SKIPJACK_BLOCK_SIZE];
+    FORTKeySlot keyReg[KEY_REGISTERS]; /* sw fortezza key slots */
+    FORTRaRegisters RaValues[MAX_RA_SLOTS];  /* Ra/ra values */
+};
+
+#endif
diff --git a/security/nss/lib/fortcrypt/swfort/swfparse.c b/security/nss/lib/fortcrypt/swfort/swfparse.c
new file mode 100644
index 000000000..4422cb18a
--- /dev/null
+++ b/security/nss/lib/fortcrypt/swfort/swfparse.c
@@ -0,0 +1,531 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * The following program decodes the FORTEZZA Init File, and stores the result
+ * into the fortezza directory.
+ */
+#include "secasn1.h"
+#include "swforti.h"
+#include "blapi.h"
+#include "secoid.h"
+#include "secitem.h"
+#include "secder.h"
+
+
+/*
+ * templates for parsing the FORTEZZA Init File. These were taken from DER
+ * definitions on SWF Initialization File Format Version 1.0 pp1-3.
+ */
+
+/* Key info structure... There are up to two of these per slot entry  */
+static const SEC_ASN1Template fortKeyInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+          0, NULL, sizeof(fortKeyInformation) },
+    { SEC_ASN1_INTEGER,
+          offsetof(fortKeyInformation,keyFlags) },
+    { SEC_ASN1_OCTET_STRING,
+          offsetof(fortKeyInformation,privateKeyWrappedWithKs) },
+    { SEC_ASN1_ANY ,
+          offsetof(fortKeyInformation, derPublicKey) },
+    { SEC_ASN1_OCTET_STRING, offsetof(fortKeyInformation,p) },
+    { SEC_ASN1_OCTET_STRING, offsetof(fortKeyInformation,g) },
+    { SEC_ASN1_OCTET_STRING, offsetof(fortKeyInformation,q) },
+    { 0 }
+}; 
+
+/* This is data that has been wrapped by Ks */
+static const SEC_ASN1Template fortProtDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+          0, NULL, sizeof(fortProtectedData) },
+    { SEC_ASN1_INTEGER,
+          offsetof(fortProtectedData,length) },
+    { SEC_ASN1_OCTET_STRING,
+          offsetof(fortProtectedData,dataIV) },
+    { SEC_ASN1_OCTET_STRING,
+          offsetof(fortProtectedData,dataEncryptedWithKs) },
+    { 0 }
+};
+
+/* DER to describe each Certificate Slot ... there are an arbitrary number */
+static const SEC_ASN1Template fortSlotEntryTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+          0, NULL, sizeof(fortSlotEntry) },
+    { SEC_ASN1_BOOLEAN,
+          offsetof(fortSlotEntry,trusted) },
+    { SEC_ASN1_INTEGER,
+          offsetof(fortSlotEntry,certificateIndex) },
+    { SEC_ASN1_INLINE,
+          offsetof(fortSlotEntry,certificateLabel), fortProtDataTemplate },
+    { SEC_ASN1_INLINE,
+          offsetof(fortSlotEntry,certificateData), fortProtDataTemplate },
+    { SEC_ASN1_POINTER | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC |  
+				SEC_ASN1_CONSTRUCTED | 0,
+          offsetof(fortSlotEntry, exchangeKeyInformation),
+						 fortKeyInfoTemplate },
+    { SEC_ASN1_POINTER | SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 
+				SEC_ASN1_CONSTRUCTED | 1,
+          offsetof(fortSlotEntry, signatureKeyInformation), 
+						 fortKeyInfoTemplate },
+    { 0 }
+};
+
+/* This data is used to check MemPhrases, and to generate Ks
+ * each file has two mem phrases, one for SSO, one for User */
+static const SEC_ASN1Template fortProtectedMemPhrase[]  = {
+    { SEC_ASN1_SEQUENCE,
+          0, NULL, sizeof(fortProtectedPhrase) },
+    { SEC_ASN1_OCTET_STRING,
+          offsetof(fortProtectedPhrase,kValueIV) },
+    { SEC_ASN1_OCTET_STRING,
+          offsetof(fortProtectedPhrase,wrappedKValue) },
+    { SEC_ASN1_OCTET_STRING,
+          offsetof(fortProtectedPhrase,memPhraseIV) },
+    { SEC_ASN1_OCTET_STRING,
+          offsetof(fortProtectedPhrase,hashedEncryptedMemPhrase) },
+    { 0 }
+};
+
+/* This data is used to check the Mem Init Phrases, and to generate Kinit
+ * each file has one mem init phrase, which is used only in transport of
+ * this file */
+static const SEC_ASN1Template fortMemInitPhrase[]  = {
+    { SEC_ASN1_SEQUENCE,
+          0, NULL, sizeof(fortProtectedPhrase) },
+    { SEC_ASN1_OCTET_STRING,
+          offsetof(fortProtectedPhrase,wrappedKValue) },
+    { SEC_ASN1_OCTET_STRING,
+          offsetof(fortProtectedPhrase,memPhraseIV) },
+    { SEC_ASN1_OCTET_STRING,
+          offsetof(fortProtectedPhrase,hashedEncryptedMemPhrase) },
+    { 0 }
+};
+
+static const SEC_ASN1Template fortSlotEntriesTemplate[]  = {
+    { SEC_ASN1_SEQUENCE_OF, 0, fortSlotEntryTemplate }
+};
+
+/* This is the complete file with all it's data, but has not been signed
+ * yet. */
+static const SEC_ASN1Template fortSwFortezzaInitFileToSign[]  = {
+    { SEC_ASN1_SEQUENCE,
+          0, NULL, sizeof(FORTSWFile) },
+    { SEC_ASN1_INTEGER,
+          offsetof(FORTSWFile,version) },
+    { SEC_ASN1_ANY,
+          offsetof(FORTSWFile,derIssuer) },
+    { SEC_ASN1_OCTET_STRING,
+          offsetof(FORTSWFile,serialID) },
+    { SEC_ASN1_INLINE,
+          offsetof(FORTSWFile,initMemPhrase), fortMemInitPhrase },
+    { SEC_ASN1_INLINE,
+          offsetof(FORTSWFile,ssoMemPhrase), fortProtectedMemPhrase },
+    { SEC_ASN1_INLINE,
+          offsetof(FORTSWFile,userMemPhrase), fortProtectedMemPhrase },
+    { SEC_ASN1_INLINE,
+          offsetof(FORTSWFile,ssoPinPhrase), fortProtectedMemPhrase },
+    { SEC_ASN1_INLINE,
+          offsetof(FORTSWFile,userPinPhrase), fortProtectedMemPhrase },
+    { SEC_ASN1_OCTET_STRING,
+          offsetof(FORTSWFile,wrappedRandomSeed) },
+    { SEC_ASN1_SEQUENCE_OF, offsetof(FORTSWFile,slotEntries),
+						 fortSlotEntryTemplate },
+    /* optional extentions to ignore here... */
+    { 0 }
+};
+
+/* The complete, signed init file */
+static const SEC_ASN1Template fortSwFortezzaInitFile[]  = {
+    { SEC_ASN1_SEQUENCE,
+          0, NULL, sizeof(FORTSignedSWFile) },
+    { SEC_ASN1_SAVE,
+          offsetof(FORTSignedSWFile,signatureWrap.data) },
+    { SEC_ASN1_INLINE,
+          offsetof(FORTSignedSWFile,file),
+          fortSwFortezzaInitFileToSign },
+    { SEC_ASN1_INLINE,
+          offsetof(FORTSignedSWFile,signatureWrap.signatureAlgorithm),
+          SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_BIT_STRING,
+          offsetof(FORTSignedSWFile,signatureWrap.signature) },
+    { 0 }
+};
+
+FORTSkipjackKeyPtr
+fort_CalculateKMemPhrase(FORTSWFile *file, 
+  fortProtectedPhrase * prot_phrase, char *phrase, FORTSkipjackKeyPtr wrapKey)
+{
+    unsigned char *data = NULL;
+    unsigned char hashout[SHA1_LENGTH];
+    int data_len = prot_phrase->wrappedKValue.len;
+    int ret;
+    unsigned int len;
+    unsigned int version;
+    unsigned char enc_version[2];
+    FORTSkipjackKeyPtr Kout = NULL;
+    FORTSkipjackKey Kfek;
+    SHA1Context *sha;
+
+    data = (unsigned char *) PORT_ZAlloc(data_len);
+    if (data == NULL) goto fail;
+    
+    PORT_Memcpy(data,prot_phrase->wrappedKValue.data,data_len);
+
+    /* if it's a real protected mem phrase, it's been wrapped by kinit, which
+     * was passed to us. */
+    if (wrapKey) {
+	fort_skipjackDecrypt(wrapKey,
+		&prot_phrase->kValueIV.data[SKIPJACK_LEAF_SIZE],data_len,
+								data,data);
+	data_len = sizeof(CI_KEY);
+    }
+
+    /* now calculate the PBE key for fortezza */
+    sha = SHA1_NewContext();
+    if (sha == NULL) goto fail;
+    SHA1_Begin(sha);
+    version = DER_GetUInteger(&file->version);
+    enc_version[0] = (version >> 8) & 0xff;
+    enc_version[1] = version & 0xff;
+    SHA1_Update(sha,enc_version,sizeof(enc_version));
+    SHA1_Update(sha,file->derIssuer.data, file->derIssuer.len);
+    SHA1_Update(sha,file->serialID.data, file->serialID.len);
+    SHA1_Update(sha,(unsigned char *)phrase,strlen(phrase));
+    SHA1_End(sha,hashout,&len,SHA1_LENGTH);
+    SHA1_DestroyContext(sha, PR_TRUE);
+    PORT_Memcpy(Kfek,hashout,sizeof(FORTSkipjackKey));
+
+    /* now use that key to unwrap */
+    Kout = (FORTSkipjackKeyPtr) PORT_Alloc(sizeof(FORTSkipjackKey));
+    ret = fort_skipjackUnwrap(Kfek,data_len,data,Kout);
+    if (ret != CI_OK) {
+	PORT_Free(Kout);
+	Kout = NULL;
+    }
+
+fail:
+    PORT_Memset(&Kfek, 0, sizeof(FORTSkipjackKey));
+    if (data) PORT_ZFree(data,data_len);
+    return Kout;
+}
+
+
+PRBool
+fort_CheckMemPhrase(FORTSWFile *file, 
+  fortProtectedPhrase * prot_phrase, char *phrase, FORTSkipjackKeyPtr wrapKey) 
+{
+    unsigned char *data = NULL;
+    unsigned char hashout[SHA1_LENGTH];
+    int data_len = prot_phrase->hashedEncryptedMemPhrase.len;
+    unsigned int len;
+    SHA1Context *sha;
+    PRBool pinOK = PR_FALSE;
+    unsigned char cw[4];
+    int i;
+
+
+    /* first, decrypt the hashed/Encrypted Memphrase */
+    data = (unsigned char *) PORT_ZAlloc(data_len);
+    if (data == NULL) goto failed;
+
+    PORT_Memcpy(data,prot_phrase->hashedEncryptedMemPhrase.data,data_len);
+    fort_skipjackDecrypt(wrapKey,
+		&prot_phrase->memPhraseIV.data[SKIPJACK_LEAF_SIZE],data_len,
+								data,data);
+
+    /* now build the hash for comparisons */
+    sha = SHA1_NewContext();
+    if (sha == NULL) goto failed;
+    SHA1_Begin(sha);
+    SHA1_Update(sha,(unsigned char *)phrase,strlen(phrase));
+    SHA1_End(sha,hashout,&len,SHA1_LENGTH);
+    SHA1_DestroyContext(sha, PR_TRUE);
+
+    /* hashes don't match... must not be the right pass mem */
+    if (PORT_Memcmp(data,hashout,len) != 0) goto failed;
+
+    /* now calcuate the checkword and compare it */
+    cw[0] = cw[1] = cw[2] = cw[3] = 0;
+    for (i=0; i <5 ; i++) {
+	cw[0] = cw[0] ^ hashout[i*4];
+	cw[1] = cw[1] ^ hashout[i*4+1];
+	cw[2] = cw[2] ^ hashout[i*4+2];
+	cw[3] = cw[3] ^ hashout[i*4+3];
+    }
+
+    /* checkword doesn't match, must not be the right pass mem */
+    if (PORT_Memcmp(data+len,cw,4) != 0) goto failed;
+
+    /* pased all our test, its OK */
+    pinOK = PR_TRUE;
+
+failed:
+    PORT_Free(data);
+
+    return pinOK;
+}
+
+/*
+ * walk through the list of memphrases. This function allows us to use a
+ * for loop to walk down them.
+ */
+fortProtectedPhrase *
+fort_getNextPhrase( FORTSWFile *file, fortProtectedPhrase *last)
+{
+    if (last == &file->userMemPhrase) {
+	return &file->userPinPhrase;
+    }
+    /* we can add more test here if we want to support SSO mode someday. */
+
+    return NULL;
+}
+
+/*
+ * decode the DER file data into our nice data structures, including turning
+ * cert indexes into integers.
+ */
+FORTSignedSWFile *
+FORT_GetSWFile(SECItem *initBits)
+{
+    FORTSignedSWFile *sw_init_file;
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    int i, count;
+
+    /* get the local arena... be sure to free this at the end */
+
+    /* get the local arena... be sure to free this at the end */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) goto fail;
+
+    sw_init_file = (FORTSignedSWFile *)
+		PORT_ArenaZAlloc(arena,sizeof(FORTSignedSWFile));
+    if (sw_init_file == NULL) goto fail;
+
+    /* ANS1 decode the complete init file */
+    rv = SEC_ASN1DecodeItem(arena,sw_init_file,fortSwFortezzaInitFile,initBits);
+    if (rv != SECSuccess) {
+	goto fail;
+    }
+
+    /* count the certs */
+    count = 0;
+    while (sw_init_file->file.slotEntries[count]) count++;
+
+    for (i=0; i < count; i++) {
+	/* update the cert Index Pointers */
+	sw_init_file->file.slotEntries[i]->certIndex =
+		DER_GetInteger(&sw_init_file->
+				file.slotEntries[i]->certificateIndex );
+    }
+
+    /* now start checking the mem phrases and pins, as well as calculating the
+     * file's 'K' values. First we start with K(init). */
+    sw_init_file->file.arena = arena; 
+
+    return sw_init_file;
+    /* OK now that we've read in the init file, and now have Kinit, Ks, and the
+     * appropriate Pin Phrase, we need to build our database file. */
+   
+fail: 
+    if (arena) PORT_FreeArena(arena,PR_TRUE);
+    return NULL;
+}
+
+/*
+ * Check the init memphrases and the user mem phrases. Remove all the init
+ * memphrase wrappings. Save the Kinit and Ks values for use.
+ */
+SECStatus
+FORT_CheckInitPhrase(FORTSignedSWFile *sw_init_file, char *initMemPhrase)
+{
+    SECStatus rv = SECFailure;
+
+    sw_init_file->Kinit = fort_CalculateKMemPhrase(&sw_init_file->file,
+		 &sw_init_file->file.initMemPhrase, initMemPhrase, NULL);
+    if (sw_init_file->Kinit == NULL)  goto fail;
+
+    /* now check the init Mem phrase */
+    if (!fort_CheckMemPhrase(&sw_init_file->file,
+			&sw_init_file->file.initMemPhrase, 
+				initMemPhrase, sw_init_file->Kinit)) {
+	goto fail;
+    }
+    rv = SECSuccess;
+
+fail:
+    return rv;
+}
+
+    /* now check user user mem phrase and calculate Ks */
+SECStatus
+FORT_CheckUserPhrase(FORTSignedSWFile *sw_init_file, char *userMemPhrase)
+{
+    SECStatus rv = SECFailure;
+    char tmp_data[13];
+    char *padMemPhrase = NULL;
+    fortProtectedPhrase *phrase_store;
+
+    if (strlen(userMemPhrase) < 12) {
+	PORT_Memset(tmp_data, ' ', sizeof(tmp_data));
+	PORT_Memcpy(tmp_data,userMemPhrase,strlen(userMemPhrase));
+	tmp_data[12] = 0;
+	padMemPhrase = tmp_data;
+    }
+
+    for (phrase_store = &sw_init_file->file.userMemPhrase; phrase_store;
+     phrase_store = fort_getNextPhrase(&sw_init_file->file,phrase_store)) {
+	sw_init_file->Ks = fort_CalculateKMemPhrase(&sw_init_file->file,
+		 phrase_store, userMemPhrase, sw_init_file->Kinit);
+ 
+	if ((sw_init_file->Ks == NULL) && (padMemPhrase != NULL)) {
+		sw_init_file->Ks = fort_CalculateKMemPhrase(&sw_init_file->file,
+		     phrase_store, padMemPhrase, sw_init_file->Kinit);
+		userMemPhrase = padMemPhrase;
+	}
+	if (sw_init_file->Ks == NULL) {
+	    continue;
+	}
+
+	/* now check the User Mem phrase */
+	if (fort_CheckMemPhrase(&sw_init_file->file, phrase_store, 
+				userMemPhrase, sw_init_file->Ks)) {
+	    break;
+	}
+	PORT_Free(sw_init_file->Ks);
+	sw_init_file->Ks = NULL;
+    }
+
+
+    if (phrase_store == NULL) goto fail;
+
+    /* strip the Kinit wrapping */
+    fort_skipjackDecrypt(sw_init_file->Kinit,
+		&phrase_store->kValueIV.data[SKIPJACK_LEAF_SIZE],
+	phrase_store->wrappedKValue.len, phrase_store->wrappedKValue.data,
+	phrase_store->wrappedKValue.data);
+    phrase_store->wrappedKValue.len = 12;
+
+    PORT_Memset(phrase_store->kValueIV.data,0,phrase_store->kValueIV.len);
+
+    sw_init_file->file.initMemPhrase = *phrase_store;
+    sw_init_file->file.ssoMemPhrase = *phrase_store;
+    sw_init_file->file.ssoPinPhrase = *phrase_store;
+    sw_init_file->file.userMemPhrase = *phrase_store;
+    sw_init_file->file.userPinPhrase = *phrase_store;
+
+
+    rv = SECSuccess;
+   
+fail: 
+    /* don't keep the pin around */
+    PORT_Memset(tmp_data, 0, sizeof(tmp_data));
+    return rv;
+}
+
+void
+FORT_DestroySWFile(FORTSWFile *file)
+{
+    PORT_FreeArena(file->arena,PR_FALSE);
+}
+
+void
+FORT_DestroySignedSWFile(FORTSignedSWFile *swfile)
+{
+    FORT_DestroySWFile(&swfile->file);
+}
+
+
+SECItem *
+FORT_GetDERCert(FORTSignedSWFile *swfile,int index)
+{
+    SECItem *newItem = NULL;
+    unsigned char *cert = NULL;
+    int len,ret;
+    fortSlotEntry *certEntry = NULL;
+   
+
+    newItem = PORT_ZNew(SECItem);
+    if (newItem == NULL) return NULL;
+
+    certEntry = fort_GetCertEntry(&swfile->file,index);
+    if (certEntry == NULL) {
+	PORT_Free(newItem);
+	return NULL;
+    }
+
+    newItem->len = len = certEntry->certificateData.dataEncryptedWithKs.len;
+    newItem->data = cert = PORT_ZAlloc(len);
+    if (cert == NULL) {
+	PORT_Free(newItem);
+	return NULL;
+    }
+    newItem->len = DER_GetUInteger(&certEntry->certificateData.length);
+    
+
+    PORT_Memcpy(cert, certEntry->certificateData.dataEncryptedWithKs.data,len);
+
+    /* Ks is always stored in keyReg[0] when we log in */
+    ret = fort_skipjackDecrypt(swfile->Ks,
+	&certEntry->certificateData.dataIV.data[SKIPJACK_LEAF_SIZE],
+						len,cert,cert);
+    if (ret != CI_OK) {
+	SECITEM_FreeItem(newItem,PR_TRUE);
+	return NULL;
+    }
+    return newItem;
+}
+
+/*
+ * decode the DER file data into our nice data structures, including turning
+ * cert indexes into integers.
+ */
+SECItem *
+FORT_PutSWFile(FORTSignedSWFile *sw_init_file)
+{
+    SECItem *outBits, *tmpBits;
+
+    outBits = PORT_ZNew(SECItem);
+    if (outBits == NULL) goto fail;
+
+    /* ANS1 encode the complete init file */
+    tmpBits = SEC_ASN1EncodeItem(NULL,outBits,sw_init_file,fortSwFortezzaInitFile);
+    if (tmpBits == NULL) {
+	goto fail;
+    }
+
+    return outBits;
+   
+fail: 
+    if (outBits) SECITEM_FreeItem(outBits,PR_TRUE);
+    return NULL;
+}
diff --git a/security/nss/lib/fortcrypt/swfort/swfutl.c b/security/nss/lib/fortcrypt/swfort/swfutl.c
new file mode 100644
index 000000000..eee677f65
--- /dev/null
+++ b/security/nss/lib/fortcrypt/swfort/swfutl.c
@@ -0,0 +1,750 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * This File includes utility functions used by cilib. and swfparse.c
+ */
+
+#include "prtypes.h"
+#include "prsystem.h"
+#include "prio.h"
+
+#include "swforti.h"
+#include "keyt.h"
+/* #include "dh.h" */
+#include "maci.h"
+#include "secport.h"
+#include "secrng.h"
+#ifdef XP_OS2
+#include <sys/stat.h>
+#endif
+
+#ifdef XP_WIN
+#include <windows.h>
+#include <winsock.h>
+#include <direct.h>
+#endif
+
+/* no platform seem to agree on where this function is defined */
+static char *local_index(char *source, char target) {
+   while ((*source != target) && (*source != 0)) {
+	source++;
+   }
+   return (*source != 0) ? source : NULL;
+}
+
+/*
+ * Check to see if the index is ok, and that key is appropriately present or
+ * absent.
+ */
+int
+fort_KeyOK(FORTSWToken *token, int index, PRBool isPresent)
+{
+    if (index < 0) return CI_INV_KEY_INDEX;
+    if (index >= KEY_REGISTERS) return CI_INV_KEY_INDEX;
+
+    return (token->keyReg[index].present == isPresent) ? CI_OK : 
+			(isPresent ? CI_NO_KEY : CI_REG_IN_USE);
+}
+
+/*
+ * clear out a key register
+ */
+void
+fort_ClearKey(FORTKeySlot *key)
+{
+    key->present = PR_FALSE;
+    PORT_Memset(key->data, 0, sizeof (key->data));
+    return;
+}
+
+/*
+ * clear out an Ra register
+ */
+void
+fort_ClearRaSlot(FORTRaRegisters *ra)
+{
+    PORT_Memset(ra->public, 0, sizeof(ra->public));
+    PORT_Memset(ra->private, 0, sizeof(ra->private));
+    return;
+}
+
+/*
+ * provide a helper function to do all the loggin out functions.
+ * NOTE: Logining in only happens in MACI_CheckPIN
+ */
+void
+fort_Logout(FORTSWToken *token)
+{
+    int i;
+
+    /* ditch all the stored keys */
+    for (i=0; i < KEY_REGISTERS; i++) {
+	fort_ClearKey(&token->keyReg[i]);
+    }
+    for (i=0; i < MAX_RA_SLOTS; i++) {
+	fort_ClearRaSlot(&token->RaValues[i]);
+    }
+
+    /* mark as logged out */
+    token->login = PR_FALSE;
+    token->certIndex = 0;
+    token->key = 0;
+    return;
+}
+
+/*
+ * update the new IV value based on the current cipherText (should be the last 
+ * block of the cipher text).
+ */
+int
+fort_UpdateIV(unsigned char *cipherText, unsigned int size,unsigned char *IV)
+{
+    if (size == 0) return CI_INV_SIZE;
+    if ((size & (SKIPJACK_BLOCK_SIZE-1)) != 0) return CI_INV_SIZE;
+    size -= SKIPJACK_BLOCK_SIZE;
+    PORT_Memcpy(IV,&cipherText[size],SKIPJACK_BLOCK_SIZE);
+    return CI_OK;
+}
+
+
+/*
+ * verify that we have a card initialized, and if necessary, logged in.
+ */
+int
+fort_CardExists(FORTSWToken *token,PRBool needLogin)
+{
+    if (token == NULL ) return CI_LIB_NOT_INIT; 
+    if (token->config_file == NULL) return CI_NO_CARD;
+    if (needLogin && !token->login) return CI_INV_STATE;
+    return CI_OK;
+}
+
+/*
+ * walk down the cert slot entries, counting them.
+ * return that count.
+ */
+int
+fort_GetCertCount(FORTSWFile *file)
+{
+    int i;
+
+    if (file->slotEntries == NULL) return 0;
+
+    for (i=0; file->slotEntries[i]; i++) 
+	/* no body */ ;
+
+    return i;
+}
+
+/*
+ * copy an unsigned SECItem to a signed SecItem. (if the high bit is on,
+ * pad with a leading 0.
+ */
+SECStatus
+fort_CopyUnsigned(PRArenaPool *arena, SECItem *to, const SECItem *from)
+{
+    int offset = 0;
+
+    if (from->data && from->len) {
+	if (from->data[0] & 0x80) offset = 1;
+	if ( arena ) {
+	    to->data = (unsigned char*) PORT_ArenaZAlloc(arena,
+							 from->len+offset);
+	} else {
+	    to->data = (unsigned char*) PORT_ZAlloc(from->len+offset);
+	}
+	
+	if (!to->data) {
+	    return SECFailure;
+	}
+	PORT_Memcpy(to->data+offset, from->data, from->len);
+	to->len = from->len+offset;
+    } else {
+	to->data = 0;
+	to->len = 0;
+    }
+    return SECSuccess;
+}
+
+/*
+ * NOTE: these keys do not have the public values, and cannot be used to
+ * extract the public key from the private key. Since we never do this in
+ * this code, and this function is static, we're reasonably safe (as long as
+ * any of your callees do not try to extract the public value as well).
+ * Also -- the token must be logged in before this function is called.
+ */
+FORTEZZAPrivateKey *
+fort_GetPrivKey(FORTSWToken *token,FORTEZZAKeyType keyType,
+						fortSlotEntry *certEntry)
+{
+    FORTEZZAPrivateKey *returnKey = NULL;
+    SECStatus rv = SECFailure;
+    PRArenaPool *poolp;
+    fortKeyInformation *keyInfo = NULL;
+    unsigned char *keyData;
+    int len, ret;
+
+
+    /* select the right keyinfo */
+    switch (keyType) {
+    case fortezzaDSAKey:
+	keyInfo = certEntry->signatureKeyInformation;
+	if (keyInfo ==  NULL) keyInfo = certEntry->exchangeKeyInformation;
+	break;
+    case fortezzaDHKey:
+	keyInfo = certEntry->exchangeKeyInformation;
+	if (keyInfo == NULL) keyInfo = certEntry->signatureKeyInformation;
+	break;
+    }
+
+    /* if we don't have any key information, blow out of here */
+    if (keyInfo == NULL) return NULL;
+
+    poolp = PORT_NewArena(2048);
+    if(!poolp) {
+	return NULL;
+    }
+
+    returnKey = (FORTEZZAPrivateKey*)PORT_ArenaZAlloc(poolp, sizeof(FORTEZZAPrivateKey));
+    if(!returnKey) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    returnKey->keyType = keyType;
+    returnKey->arena = poolp;
+
+    /*
+     * decrypt the private key
+     */
+    len = keyInfo->privateKeyWrappedWithKs.len;
+    keyData = PORT_ArenaZAlloc(poolp,len);
+    if (keyData == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+    /* keys must be 160 bits (20 bytes) if that's not the case the Unwrap will
+     * fail.. */
+    ret = fort_skipjackUnwrap(token->keyReg[0].data, len, 
+			keyInfo->privateKeyWrappedWithKs.data, keyData);
+    if (ret != CI_OK) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    switch(keyType) {
+	case dsaKey:
+	    returnKey->u.dsa.privateValue.data = keyData;
+	    returnKey->u.dsa.privateValue.len = 20;
+	    returnKey->u.dsa.params.arena = poolp;
+	    rv = fort_CopyUnsigned(poolp, &(returnKey->u.dsa.params.prime),
+					&(keyInfo->p));
+	    if(rv != SECSuccess) break;
+	    rv = fort_CopyUnsigned(poolp, &(returnKey->u.dsa.params.subPrime),
+					&(keyInfo->q));
+	    if(rv != SECSuccess) break;
+	    rv = fort_CopyUnsigned(poolp, &(returnKey->u.dsa.params.base),
+					&(keyInfo->g));
+	    if(rv != SECSuccess) break;
+	    break;
+	case dhKey:
+	    returnKey->u.dh.arena = poolp;
+	    returnKey->u.dh.privateValue.data = keyData;
+	    returnKey->u.dh.privateValue.len = 20;
+	    rv = fort_CopyUnsigned(poolp, &(returnKey->u.dh.prime),
+					&(keyInfo->p));
+	    if(rv != SECSuccess) break;
+	    rv = fort_CopyUnsigned(poolp, &(returnKey->u.dh.base),
+					&(keyInfo->g));
+	    if(rv != SECSuccess) break;
+	    rv = SECSuccess;
+	    break;
+	default:
+	    rv = SECFailure;
+    }
+
+loser:
+
+    if(rv != SECSuccess) {
+	PORT_FreeArena(poolp, PR_TRUE);
+	returnKey = NULL;
+    }
+
+    return returnKey;
+}
+
+
+void
+fort_DestroyPrivateKey(FORTEZZAPrivateKey *key)
+{
+    if (key && key->arena) {
+	PORT_FreeArena(key->arena, PR_TRUE);
+    }
+}
+
+/*
+ * find a particulare certificate entry from the config
+ * file.
+ */
+fortSlotEntry *
+fort_GetCertEntry(FORTSWFile *file,int index)
+{
+    /* search for the index */
+    int i,count= fort_GetCertCount(file);
+
+    /* make sure the given index exists & has key material */
+    for (i=0; i < count ;i ++) {
+	if (file->slotEntries[i]->certIndex == index) {
+	    return file->slotEntries[i];
+	}
+    }
+    return NULL;
+}
+
+/*
+ * use the token to determine it's CI_State.
+ */
+CI_STATE
+fort_GetState(FORTSWToken *token)
+{
+    /* no file? then the token has not been initialized */
+    if (!token->config_file) {
+	return CI_UNINITIALIZED;
+    }
+    /* we're initialized, are we logged in (CI_USER_INITIALIZED is not logged
+     * in) */
+    if (!token->login) {
+	return CI_USER_INITIALIZED;
+    }
+    /* We're logged in, do we have a personality set */
+    if (token->certIndex) {
+	return CI_READY;
+    }
+    /* We're logged in, with no personality set */
+    return CI_STANDBY;
+}
+
+/*
+ * find the private ra value for a given public Ra value.
+ */
+fortRaPrivatePtr
+fort_LookupPrivR(FORTSWToken *token,CI_RA Ra)
+{
+    int i;
+
+    /* probably a more efficient way of doing this would be to search first
+     * several entries before nextRa (or search backwards from next Ra)
+     */
+    for (i=0; i < MAX_RA_SLOTS; i++) {
+	if (PORT_Memcmp(token->RaValues[i].public,Ra,CI_RA_SIZE) == 0) {
+	    return token->RaValues[i].private;
+	}
+    }
+    return NULL;
+}
+
+/*
+ * go add more noise to the random number generator
+ */
+void
+fort_AddNoise(void)
+{
+    unsigned char seed[20];
+
+    /* note: GetNoise doesn't always get 20 bytes, but adding more
+     * random data from the stack doesn't subtract entropy from the
+     * Random number generator, so just send it all.
+     */
+    RNG_GetNoise(seed,sizeof(seed));
+    RNG_RandomUpdate(seed,sizeof(seed));
+}
+
+/*
+ * Get a random number
+ */
+int
+fort_GenerateRandom(unsigned char *buf, int bytes)
+{
+    SECStatus rv;
+
+    fort_AddNoise();
+    rv = RNG_GenerateGlobalRandomBytes(buf,bytes);
+    if (rv != SECSuccess) return CI_EXEC_FAIL;
+    return CI_OK;
+}
+
+/*
+ * NOTE: that MAC is missing below.
+ */
+#if defined (XP_UNIX) || defined (XP_OS2) || defined (XP_BEOS)
+#if defined (XP_UNIX) || defined (XP_BEOS)
+#define NS_PATH_SEP ':'
+#define NS_DIR_SEP '/'
+#define NS_DEFAULT_PATH ".:/bin/netscape:/etc/netscape/:/etc"
+#endif
+
+#ifdef XP_OS2		/* for OS/2 */
+#define NS_PATH_SEP ';'
+#define NS_DIR_SEP '\\'
+#define NS_DEFAULT_PATH ".:\\bin\\netscape:\\etc\\netscape\\:\\etc"
+#endif
+
+PRInt32
+local_getFileInfo(const char *fn, PRFileInfo *info)
+{
+    PRInt32 rv;
+    struct stat sb;
+
+    rv = stat(fn, &sb);
+    if (rv < 0)
+	return -1;
+    else if (NULL != info)
+    {
+        if (S_IFREG & sb.st_mode)
+            info->type = PR_FILE_FILE;
+        else if (S_IFDIR & sb.st_mode)
+            info->type = PR_FILE_DIRECTORY;
+        else
+            info->type = PR_FILE_OTHER;
+
+#if defined(OSF1)
+        if (0x7fffffffLL < sb.st_size)
+        {
+            return -1;
+        }
+#endif /* defined(OSF1) */
+        info->size = sb.st_size;
+
+    }
+    return rv;
+}
+#endif /* UNIX, OS/2, and BEOS */
+
+#ifdef XP_WIN
+#define NS_PATH_SEP ';'
+#define NS_DIR_SEP '\\'
+#define NS_DEFAULT_PATH ".;c:\\program files\\netscape\\communicator\\program\\pkcs11\\netscape;c:\\netscape\\communicator\\program\\pkcs11\\netscape;c:\\windows\\system"
+
+
+/*
+ * Since we're a pkcs #11 module, we may get 
+ * loaded into lots of different binaries, each with different or no versions
+ * of NSPR running... so we copy the one function we need.
+ */
+
+#define _PR_IS_SLASH(ch) ((ch) == '/' || (ch) == '\\')
+
+/*
+ * IsRootDirectory --
+ *
+ * Return PR_TRUE if the pathname 'fn' is a valid root directory,
+ * else return PR_FALSE.  The char buffer pointed to by 'fn' must
+ * be writable.  During the execution of this function, the contents
+ * of the buffer pointed to by 'fn' may be modified, but on return
+ * the original contents will be restored.  'buflen' is the size of
+ * the buffer pointed to by 'fn'.
+ *
+ * Root directories come in three formats:
+ * 1. / or \, meaning the root directory of the current drive.
+ * 2. C:/ or C:\, where C is a drive letter.
+ * 3. \\<server name>\<share point name>\ or
+ *    \\<server name>\<share point name>, meaning the root directory
+ *    of a UNC (Universal Naming Convention) name.
+ */
+
+static PRBool
+IsRootDirectory(char *fn, size_t buflen)
+{
+    char *p;
+    PRBool slashAdded = PR_FALSE;
+    PRBool rv = PR_FALSE;
+
+    if (_PR_IS_SLASH(fn[0]) && fn[1] == '\0') {
+        return PR_TRUE;
+    }
+
+    if (isalpha(fn[0]) && fn[1] == ':' && _PR_IS_SLASH(fn[2])
+            && fn[3] == '\0') {
+        rv = GetDriveType(fn) > 1 ? PR_TRUE : PR_FALSE;
+        return rv;
+    }
+
+    /* The UNC root directory */
+
+    if (_PR_IS_SLASH(fn[0]) && _PR_IS_SLASH(fn[1])) {
+        /* The 'server' part should have at least one character. */
+        p = &fn[2];
+        if (*p == '\0' || _PR_IS_SLASH(*p)) {
+            return PR_FALSE;
+        }
+
+        /* look for the next slash */
+        do {
+            p++;
+        } while (*p != '\0' && !_PR_IS_SLASH(*p));
+        if (*p == '\0') {
+            return PR_FALSE;
+        }
+
+        /* The 'share' part should have at least one character. */
+        p++;
+        if (*p == '\0' || _PR_IS_SLASH(*p)) {
+            return PR_FALSE;
+        }
+
+        /* look for the final slash */
+        do {
+            p++;
+        } while (*p != '\0' && !_PR_IS_SLASH(*p));
+        if (_PR_IS_SLASH(*p) && p[1] != '\0') {
+            return PR_FALSE;
+        }
+        if (*p == '\0') {
+            /*
+             * GetDriveType() doesn't work correctly if the
+             * path is of the form \\server\share, so we add
+             * a final slash temporarily.
+             */
+            if ((p + 1) < (fn + buflen)) {
+                *p++ = '\\';
+                *p = '\0';
+                slashAdded = PR_TRUE;
+            } else {
+                return PR_FALSE; /* name too long */
+            }
+        }
+        rv = GetDriveType(fn) > 1 ? PR_TRUE : PR_FALSE;
+        /* restore the 'fn' buffer */
+        if (slashAdded) {
+            *--p = '\0';
+        }
+    }
+    return rv;
+}
+
+PRInt32
+local_getFileInfo(const char *fn, PRFileInfo *info)
+{
+    HANDLE hFindFile;
+    WIN32_FIND_DATA findFileData;
+    char pathbuf[MAX_PATH + 1];
+    
+    if (NULL == fn || '\0' == *fn) {
+        return -1;
+    }
+
+    /*
+     * FindFirstFile() expands wildcard characters.  So
+     * we make sure the pathname contains no wildcard.
+     */
+    if (NULL != strpbrk(fn, "?*")) {
+        return -1;
+    }
+
+    hFindFile = FindFirstFile(fn, &findFileData);
+    if (INVALID_HANDLE_VALUE == hFindFile) {
+        DWORD len;
+        char *filePart;
+
+        /*
+         * FindFirstFile() does not work correctly on root directories.
+         * It also doesn't work correctly on a pathname that ends in a
+         * slash.  So we first check to see if the pathname specifies a
+         * root directory.  If not, and if the pathname ends in a slash,
+         * we remove the final slash and try again.
+         */
+
+        /*
+         * If the pathname does not contain ., \, and /, it cannot be
+         * a root directory or a pathname that ends in a slash.
+         */
+        if (NULL == strpbrk(fn, ".\\/")) {
+            return -1;
+        } 
+        len = GetFullPathName(fn, sizeof(pathbuf), pathbuf,
+                &filePart);
+        if (len > sizeof(pathbuf)) {
+            return -1;
+        }
+        if (IsRootDirectory(pathbuf, sizeof(pathbuf))) {
+            info->type = PR_FILE_DIRECTORY;
+            info->size = 0;
+            /*
+             * These timestamps don't make sense for root directories.
+             */
+            info->modifyTime = 0;
+            info->creationTime = 0;
+            return 0;
+        }
+        if (!((pathbuf[len - 1] == '/') || (pathbuf[len-1] == '\\'))) {
+            return -1;
+        } else {
+            pathbuf[len - 1] = '\0';
+            hFindFile = FindFirstFile(pathbuf, &findFileData);
+            if (INVALID_HANDLE_VALUE == hFindFile) {
+                return -1;
+            }
+        }
+    }
+
+    FindClose(hFindFile);
+
+    if (findFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
+        info->type = PR_FILE_DIRECTORY;
+    } else {
+        info->type = PR_FILE_FILE;
+    }
+
+    info->size = findFileData.nFileSizeLow;
+
+    return 0;
+}
+
+#endif /* XP_WIN */
+
+#ifdef XP_MAC
+#error Need to write fort_FindFileInPath for Mac
+#define NS_PATH_SEP ','
+#define NS_DIR_SEP ':'
+#define NS_DEFAULT_PATH ",System Folder,System Folder:Netscape f:pkcs11:netscape"
+#endif
+
+#define NETSCAPE_INIT_FILE "nsswft.swf"
+
+/*
+ * OK, We're deep in the bottom of MACI and PKCS #11... We need to
+ * find our fortezza key file. We have no clue of where the our binary lives
+ * or where our key file lives. This function lets us search manual paths 
+ * to find our key file.
+ */
+char *fort_FindFileInPath(char *path, char *fn)
+{
+    char *next;
+    char *holdData;
+    char *ret = NULL;
+    int len = 0;
+    int fn_len = PORT_Strlen(fn)+1; /* include the NULL */
+    PRFileInfo info;
+    char dirSep = NS_DIR_SEP;
+
+    holdData = PORT_Alloc(strlen(path)+1+fn_len);
+
+    while ((next = local_index(path,NS_PATH_SEP)) != NULL) {
+	len = next - path;
+
+	PORT_Memcpy(holdData,path,len);
+	if ((len != 0) && (holdData[len-1] != dirSep)) {
+	  PORT_Memcpy(&holdData[len],&dirSep,1);
+	  len++;
+	}
+	PORT_Memcpy(&holdData[len],fn,fn_len);
+	
+	if ((local_getFileInfo(holdData,&info) == 0) &&
+		(info.type == PR_FILE_FILE) && (info.size != 0)) {
+	    ret = PORT_Strdup(holdData);
+	    PORT_Free(holdData);
+	    return ret;
+	}
+	path = next+1;
+    }
+
+    len = strlen(path);
+    PORT_Memcpy(holdData,path,len);
+    if ((len != 0) && (holdData[len-1] != dirSep)) {
+	  PORT_Memcpy(&holdData[len],&dirSep,1);
+	  len++;
+    }
+    PORT_Memcpy(&holdData[len],fn,fn_len);
+	
+    if ((local_getFileInfo(holdData,&info) == 0) &&
+		(info.type == PR_FILE_FILE) && (info.size != 0)) {
+	    ret = PORT_Strdup(holdData);
+    }
+    PORT_Free(holdData);
+    return ret;
+}
+
+static char *path_table[] = {
+   "PATH","LD_LIBRARY_PATH","LIBPATH"
+};
+
+static int path_table_size = sizeof(path_table)/sizeof(path_table[0]);
+
+char *fort_LookupFORTEZZAInitFile(void)
+{
+    char *fname = NULL;
+    char *home = NULL;
+#ifdef XP_UNIX
+    char unix_home[512];
+#endif
+    int i;
+
+    /* first try to get it from the environment */
+    fname = getenv("SW_FORTEZZA_FILE");
+    if (fname != NULL) {
+	return PORT_Strdup(fname);
+    }
+
+#ifdef XP_UNIX
+    home = getenv("HOME");
+    if (home) {
+	strncpy(unix_home,home, sizeof(unix_home)-sizeof("/.netscape"));
+	strcat(unix_home,"/.netscape");
+	fname = fort_FindFileInPath(unix_home,NETSCAPE_INIT_FILE);
+	if (fname) return fname;
+    }
+#endif
+#ifdef XP_WIN
+    home = getenv("windir");
+    if (home) {
+	fname = fort_FindFileInPath(home,NETSCAPE_INIT_FILE);
+	if (fname) return fname;
+    }
+#endif
+	
+    fname = fort_FindFileInPath(NS_DEFAULT_PATH,NETSCAPE_INIT_FILE);
+    if (fname) return fname;
+
+    /* now search the system paths */
+    for (i=0; i < path_table_size; i++) {
+    	char *path = getenv(path_table[i]);
+
+	if (path != NULL) {
+	    fname = fort_FindFileInPath(path,NETSCAPE_INIT_FILE);
+	    if (fname) return fname;
+	}
+    }
+
+
+    return NULL;
+}
diff --git a/security/nss/lib/freebl/Makefile b/security/nss/lib/freebl/Makefile
new file mode 100644
index 000000000..eaaff9658
--- /dev/null
+++ b/security/nss/lib/freebl/Makefile
@@ -0,0 +1,313 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+-include config.mk
+
+ifdef USE_64
+	DEFINES += -DNSS_USE_64
+endif
+
+ifdef USE_HYBRID
+	DEFINES += -DNSS_USE_HYBRID
+endif
+
+# des.c wants _X86_ defined for intel CPUs.  
+# coreconf does this for windows, but not for Linux, FreeBSD, etc.
+ifeq ($(CPU_ARCH),x86)
+ifneq (,$(filter-out WIN%,$(OS_TARGET)))
+	OS_REL_CFLAGS += -D_X86_
+endif
+endif
+
+ifeq ($(OS_TARGET),OSF1)
+    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_NO_MP_WORD
+    MPI_SRCS += mpvalpha.c
+endif
+
+ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))  #omits WIN16 and WINCE
+    ASFILES  = mpi_x86.asm
+    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -DMP_ASSEMBLY_DIV_2DX1D
+endif
+
+ifeq ($(OS_TARGET),WINCE)
+    DEFINES += -DMP_ARGCHK=0	# no assert in WinCE
+endif
+
+ifdef XP_OS2_VACPP
+    ASFILES  = mpi_x86.asm
+    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -DMP_ASSEMBLY_DIV_2DX1D -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD
+endif
+
+ifeq ($(OS_TARGET),IRIX)
+ifeq ($(USE_N32),1)
+    ASFILES  = mpi_mips.s
+ifeq ($(NS_USE_GCC),1)
+    ASFLAGS = -Wp,-P -Wp,-traditional -O -mips3
+else
+    ASFLAGS = -O -OPT:Olimit=4000 -dollar -fullwarn -xansi -n32 -mips3 
+endif
+    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
+    DEFINES += -DMP_USE_UINT_DIGIT
+else
+endif
+endif
+
+ifeq ($(OS_TARGET),Linux)
+ifeq ($(CPU_ARCH),x86)
+    ASFILES  = mpi_x86.s
+    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -DMP_ASSEMBLY_DIV_2DX1D
+endif
+endif
+
+ifeq ($(OS_TARGET),AIX)
+DEFINES += -DMP_USE_UINT_DIGIT
+ifndef USE_64
+DEFINES += -DMP_NO_DIV_WORD -DMP_NO_ADD_WORD -DMP_NO_SUB_WORD
+endif
+endif
+
+ifeq ($(OS_TARGET), HP-UX)
+MKSHLIB += +k +vshlibunsats -u FREEBL_GetVector +e FREEBL_GetVector
+ifndef FREEBL_EXTENDED_BUILD
+ifdef USE_PURE_32
+# build for DA1.1 (HP PA 1.1) pure 32 bit model
+    DEFINES  += -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD
+else
+ifdef USE_64
+# this builds for DA2.0W (HP PA 2.0 Wide), the LP64 ABI, using 32-bit digits 
+    MPI_SRCS += mpi_hp.c 
+    ASFILES  += hpma512.s hppa20.s 
+    DEFINES  += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
+else
+# this builds for DA2.0 (HP PA 2.0 Narrow) hybrid model 
+# (the 32-bit ABI with 64-bit registers) using 32-bit digits
+    MPI_SRCS += mpi_hp.c 
+    ASFILES  += hpma512.s hppa20.s 
+    DEFINES  += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
+# This is done in coreconf by defining USE_LONG_LONGS
+#   OS_CFLAGS += -Aa +e +DA2.0 +DS2.0
+endif
+endif
+endif
+endif
+
+# Note: -xarch=v8 or v9 is now done in coreconf
+ifeq ($(OS_TARGET),SunOS)
+ifeq ($(CPU_ARCH),sparc)
+ifndef NS_USE_GCC
+ifdef USE_HYBRID
+    OS_CFLAGS += -xchip=ultra2
+endif
+endif
+ifeq (5.5.1,$(firstword $(sort 5.5.1 $(OS_RELEASE))))
+    SYSV_SPARC = 1
+endif
+ifeq ($(SYSV_SPARC),1)
+SOLARIS_AS = /usr/ccs/bin/as
+ifdef NS_USE_GCC
+LD = gcc
+DSO_LDOPTS += -shared -Wl,-B,symbolic,-z,defs,-z,now,-z,text,-M,mapfile.Solaris
+else
+MKSHLIB += -B symbolic -z defs -z now -z text -M mapfile.Solaris
+endif
+ifdef USE_PURE_32
+# this builds for Sparc v8 pure 32-bit architecture
+    DEFINES += -DMP_USE_LONG_LONG_MULTIPLY -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD
+else
+ifdef USE_64
+# this builds for Sparc v9a pure 64-bit architecture
+    MPI_SRCS += mpi_sparc.c
+    ASFILES   = mpv_sparcv9.s montmulfv9.s
+    DEFINES  += -DMP_ASSEMBLY_MULTIPLY -DMP_USING_MONT_MULF
+    DEFINES  += -DMP_USE_UINT_DIGIT 
+#   MPI_SRCS += mpv_sparc.c
+# removed -xdepend from the following line
+    SOLARIS_FLAGS = -fast -xO5 -xrestrict=%all -xchip=ultra -xarch=v9a -KPIC -mt
+    SOLARIS_AS_FLAGS = -xarch=v9a -K PIC
+else
+# this builds for Sparc v8+a hybrid architecture, 64-bit registers, 32-bit ABI
+    MPI_SRCS += mpi_sparc.c
+    ASFILES  = mpv_sparcv8.s montmulfv8.s
+    DEFINES  += -DMP_NO_MP_WORD -DMP_ASSEMBLY_MULTIPLY -DMP_USING_MONT_MULF
+    DEFINES  += -DMP_USE_UINT_DIGIT 
+    SOLARIS_AS_FLAGS = -xarch=v8plusa -K PIC
+#   ASM_SUFFIX = .S
+endif
+endif
+endif
+else
+# Solaris x86
+    DEFINES += -DMP_USE_UINT_DIGIT
+    DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -DMP_ASSEMBLY_DIV_2DX1D
+    ASFILES  = mpi_i86pc.s
+ifdef NS_USE_GCC
+    LD = gcc
+    AS = gcc
+    ASFLAGS =
+endif
+
+endif
+endif
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
+rijndael_tables:
+	$(CC) -o $(OBJDIR)/make_rijndael_tab rijndael_tables.c \
+	         $(DEFINES) $(INCLUDES) $(OBJDIR)/libfreebl.a
+	$(OBJDIR)/make_rijndael_tab
+
+ifdef MOZILLA_BSAFE_BUILD
+
+private_export::
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+	rm -f $(DIST)/lib/bsafe$(BSAFEVER).lib
+endif
+	$(NSINSTALL) -R $(BSAFEPATH) $(DIST)/lib
+endif
+
+ifdef USE_PURE_32 
+vpath %.h $(FREEBL_PARENT)/mpi:$(FREEBL_PARENT)
+vpath %.c $(FREEBL_PARENT)/mpi:$(FREEBL_PARENT)
+vpath %.S $(FREEBL_PARENT)/mpi:$(FREEBL_PARENT)
+vpath %.s $(FREEBL_PARENT)/mpi:$(FREEBL_PARENT)
+vpath %.asm $(FREEBL_PARENT)/mpi:$(FREEBL_PARENT)
+INCLUDES += -I$(FREEBL_PARENT) -I$(FREEBL_PARENT)/mpi
+else
+vpath %.h mpi
+vpath %.c mpi
+vpath %.S mpi
+vpath %.s mpi
+vpath %.asm mpi
+INCLUDES += -Impi
+endif
+
+
+DEFINES += -DMP_API_COMPATIBLE
+
+MPI_USERS = dh.c pqg.c dsa.c rsa.c 
+
+MPI_OBJS = $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(MPI_SRCS:.c=$(OBJ_SUFFIX)))
+MPI_OBJS += $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(MPI_USERS:.c=$(OBJ_SUFFIX)))
+
+$(MPI_OBJS): $(MPI_HDRS)
+
+$(OBJDIR)/$(PROG_PREFIX)mpprime$(OBJ_SUFFIX): primes.c
+
+$(OBJDIR)/ldvector$(OBJ_SUFFIX) $(OBJDIR)/loader$(OBJ_SUFFIX) : loader.h
+
+ifeq ($(SYSV_SPARC),1)
+
+$(OBJDIR)/mpv_sparcv8.o $(OBJDIR)/montmulfv8.o : $(OBJDIR)/%.o : %.s 
+	@$(MAKE_OBJDIR)
+	$(SOLARIS_AS) -o $@ $(SOLARIS_AS_FLAGS) $<
+
+$(OBJDIR)/mpv_sparcv9.o $(OBJDIR)/montmulfv9.o : $(OBJDIR)/%.o : %.s
+	@$(MAKE_OBJDIR)
+	$(SOLARIS_AS) -o $@ $(SOLARIS_AS_FLAGS) $<
+
+$(OBJDIR)/mpmontg.o: mpmontg.c montmulf.h
+
+endif
+
+ifdef FREEBL_EXTENDED_BUILD
+
+PURE32DIR = $(OBJDIR)/$(OS_TARGET)pure32
+ALL_TRASH += $(PURE32DIR)
+
+FILES2LN = \
+ $(wildcard *.tab) \
+ $(wildcard mapfile.*) \
+ Makefile manifest.mn config.mk 
+
+LINKEDFILES = $(addprefix $(PURE32DIR)/, $(FILES2LN))
+
+CDDIR := $(shell pwd)
+
+$(PURE32DIR):
+	-mkdir $(PURE32DIR)
+	-ln -s $(CDDIR)/mpi $(PURE32DIR)
+
+$(LINKEDFILES) : $(PURE32DIR)/% : % 
+	ln -s $(CDDIR)/$* $(PURE32DIR)
+
+libs:: 
+	$(MAKE) FREEBL_RECURSIVE_BUILD=1 USE_HYBRID=1 libs
+
+libs:: $(PURE32DIR) $(LINKEDFILES)
+	cd $(PURE32DIR) && $(MAKE) FREEBL_RECURSIVE_BUILD=1 USE_PURE_32=1 FREEBL_PARENT=$(CDDIR) CORE_DEPTH=$(CDDIR)/$(CORE_DEPTH) libs
+
+release_md::
+	$(MAKE) FREEBL_RECURSIVE_BUILD=1 USE_HYBRID=1 $@
+	cd $(PURE32DIR) && $(MAKE) FREEBL_RECURSIVE_BUILD=1 USE_PURE_32=1 FREEBL_PARENT=$(CDDIR) CORE_DEPTH=$(CDDIR)/$(CORE_DEPTH) $@
+
+endif
diff --git a/security/nss/lib/freebl/alg2268.c b/security/nss/lib/freebl/alg2268.c
new file mode 100644
index 000000000..af720f733
--- /dev/null
+++ b/security/nss/lib/freebl/alg2268.c
@@ -0,0 +1,493 @@
+/*
+ * alg2268.c - implementation of the algorithm in RFC 2268
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+
+#include "blapi.h"
+#include "secerr.h"
+#ifdef XP_UNIX_XXX
+#include <stddef.h>	/* for ptrdiff_t */
+#endif
+
+/*
+** RC2 symmetric block cypher
+*/
+
+typedef SECStatus (rc2Func)(RC2Context *cx, unsigned char *output,
+		           const unsigned char *input, unsigned int inputLen);
+
+/* forward declarations */
+static rc2Func rc2_EncryptECB;
+static rc2Func rc2_DecryptECB;
+static rc2Func rc2_EncryptCBC;
+static rc2Func rc2_DecryptCBC;
+
+typedef union {
+    PRUint32	l[2];
+    PRUint16	s[4];
+    PRUint8	b[8];
+} RC2Block;
+
+struct RC2ContextStr {
+    union {
+    	PRUint8  Kb[128];
+	PRUint16 Kw[64];
+    } u;
+    RC2Block     iv;
+    rc2Func      *enc;
+    rc2Func      *dec;
+};
+
+#define B u.Kb
+#define K u.Kw
+#define BYTESWAP(x) ((x) << 8 | (x) >> 8)
+#define SWAPK(i)  cx->K[i] = (tmpS = cx->K[i], BYTESWAP(tmpS))
+#define RC2_BLOCK_SIZE 8
+
+#define LOAD_HARD(R) \
+    R[0] = (PRUint16)input[1] << 8 | input[0]; \
+    R[1] = (PRUint16)input[3] << 8 | input[2]; \
+    R[2] = (PRUint16)input[5] << 8 | input[4]; \
+    R[3] = (PRUint16)input[7] << 8 | input[6];
+#define LOAD_EASY(R) \
+    R[0] = ((PRUint16 *)input)[0]; \
+    R[1] = ((PRUint16 *)input)[1]; \
+    R[2] = ((PRUint16 *)input)[2]; \
+    R[3] = ((PRUint16 *)input)[3];
+#define STORE_HARD(R) \
+    output[0] =  (PRUint8)(R[0]);   output[1] = (PRUint8)(R[0] >> 8); \
+    output[2] =  (PRUint8)(R[1]);   output[3] = (PRUint8)(R[1] >> 8); \
+    output[4] =  (PRUint8)(R[2]);   output[5] = (PRUint8)(R[2] >> 8); \
+    output[6] =  (PRUint8)(R[3]);   output[7] = (PRUint8)(R[3] >> 8);
+#define STORE_EASY(R) \
+    ((PRUint16 *)output)[0] =  R[0]; \
+    ((PRUint16 *)output)[1] =  R[1]; \
+    ((PRUint16 *)output)[2] =  R[2]; \
+    ((PRUint16 *)output)[3] =  R[3];   
+
+#if defined (_X86_)
+#define LOAD(R)  LOAD_EASY(R)
+#define STORE(R) STORE_EASY(R)
+#elif !defined(IS_LITTLE_ENDIAN)
+#define LOAD(R)  LOAD_HARD(R)
+#define STORE(R) STORE_HARD(R)
+#else
+#define LOAD(R) if ((ptrdiff_t)input & 1) { LOAD_HARD(R) } else { LOAD_EASY(R) }
+#define STORE(R) if ((ptrdiff_t)input & 1) { STORE_HARD(R) } else { STORE_EASY(R) }
+#endif
+
+static const PRUint8 S[256] = {
+0331,0170,0371,0304,0031,0335,0265,0355,0050,0351,0375,0171,0112,0240,0330,0235,
+0306,0176,0067,0203,0053,0166,0123,0216,0142,0114,0144,0210,0104,0213,0373,0242,
+0027,0232,0131,0365,0207,0263,0117,0023,0141,0105,0155,0215,0011,0201,0175,0062,
+0275,0217,0100,0353,0206,0267,0173,0013,0360,0225,0041,0042,0134,0153,0116,0202,
+0124,0326,0145,0223,0316,0140,0262,0034,0163,0126,0300,0024,0247,0214,0361,0334,
+0022,0165,0312,0037,0073,0276,0344,0321,0102,0075,0324,0060,0243,0074,0266,0046,
+0157,0277,0016,0332,0106,0151,0007,0127,0047,0362,0035,0233,0274,0224,0103,0003,
+0370,0021,0307,0366,0220,0357,0076,0347,0006,0303,0325,0057,0310,0146,0036,0327,
+0010,0350,0352,0336,0200,0122,0356,0367,0204,0252,0162,0254,0065,0115,0152,0052,
+0226,0032,0322,0161,0132,0025,0111,0164,0113,0237,0320,0136,0004,0030,0244,0354,
+0302,0340,0101,0156,0017,0121,0313,0314,0044,0221,0257,0120,0241,0364,0160,0071,
+0231,0174,0072,0205,0043,0270,0264,0172,0374,0002,0066,0133,0045,0125,0227,0061,
+0055,0135,0372,0230,0343,0212,0222,0256,0005,0337,0051,0020,0147,0154,0272,0311,
+0323,0000,0346,0317,0341,0236,0250,0054,0143,0026,0001,0077,0130,0342,0211,0251,
+0015,0070,0064,0033,0253,0063,0377,0260,0273,0110,0014,0137,0271,0261,0315,0056,
+0305,0363,0333,0107,0345,0245,0234,0167,0012,0246,0040,0150,0376,0177,0301,0255
+};
+
+/*
+** Create a new RC2 context suitable for RC2 encryption/decryption.
+** 	"key" raw key data
+** 	"len" the number of bytes of key data
+** 	"iv" is the CBC initialization vector (if mode is NSS_RC2_CBC)
+** 	"mode" one of NSS_RC2 or NSS_RC2_CBC
+**	"effectiveKeyLen" in bytes, not bits.
+**
+** When mode is set to NSS_RC2_CBC the RC2 cipher is run in "cipher block
+** chaining" mode.
+*/
+RC2Context *
+RC2_CreateContext(unsigned char *key, unsigned int len,
+		  unsigned char *input, int mode, unsigned efLen8)
+{
+    RC2Context *cx;
+    PRUint8    *L,*L2;
+    int         i;
+#if !defined(IS_LITTLE_ENDIAN)
+    PRUint16    tmpS;
+#endif
+    PRUint8     tmpB;
+
+    if (!key || len == 0 || len > (sizeof cx->B) || efLen8 > (sizeof cx->B)) {
+    	return NULL;
+    }
+    if (mode == NSS_RC2) {
+    	/* groovy */
+    } else if (mode == NSS_RC2_CBC) {
+    	if (!input) {
+	    return NULL;	/* not groovy */
+	}
+    } else {
+    	return NULL;
+    }
+
+    cx = PORT_ZNew(RC2Context);
+    if (!cx)
+    	return cx;
+
+    if (mode == NSS_RC2_CBC) {
+    	cx->enc = & rc2_EncryptCBC;
+	cx->dec = & rc2_DecryptCBC;
+	LOAD(cx->iv.s);
+    } else {
+    	cx->enc = & rc2_EncryptECB;
+	cx->dec = & rc2_DecryptECB;
+    }
+
+    /* Step 0. Copy key into table. */
+    memcpy(cx->B, key, len);
+
+    /* Step 1. Compute all values to the right of the key. */
+    L2 = cx->B;
+    L = L2 + len;
+    tmpB = L[-1];
+    for (i = (sizeof cx->B) - len; i > 0; --i) {
+	*L++ = tmpB = S[ (PRUint8)(tmpB + *L2++) ];
+    }
+
+    /* step 2. Adjust left most byte of effective key. */
+    i = (sizeof cx->B) - efLen8;
+    L = cx->B + i;
+    *L = tmpB = S[*L];				/* mask is always 0xff */
+
+    /* step 3. Recompute all values to the left of effective key. */
+    L2 = --L + efLen8;
+    while(L >= cx->B) {
+	*L-- = tmpB = S[ tmpB ^ *L2-- ];
+    }
+
+#if !defined(IS_LITTLE_ENDIAN)
+    for (i = 63; i >= 0; --i) {
+        SWAPK(i);		/* candidate for unrolling */
+    }
+#endif
+    return cx;
+}
+
+/*
+** Destroy an RC2 encryption/decryption context.
+**	"cx" the context
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+void 
+RC2_DestroyContext(RC2Context *cx, PRBool freeit)
+{
+    if (cx) {
+	memset(cx, 0, sizeof *cx);
+	if (freeit) {
+	    PORT_Free(cx);
+	}
+    }
+}
+
+#define ROL(x,k) (x << k | x >> (16-k))
+#define MIX(j) \
+    R0 = R0 + cx->K[ 4*j+0] + (R3 & R2) + (~R3 & R1);  R0 = ROL(R0,1);\
+    R1 = R1 + cx->K[ 4*j+1] + (R0 & R3) + (~R0 & R2);  R1 = ROL(R1,2);\
+    R2 = R2 + cx->K[ 4*j+2] + (R1 & R0) + (~R1 & R3);  R2 = ROL(R2,3);\
+    R3 = R3 + cx->K[ 4*j+3] + (R2 & R1) + (~R2 & R0);  R3 = ROL(R3,5)
+#define MASH \
+    R0 = R0 + cx->K[R3 & 63];\
+    R1 = R1 + cx->K[R0 & 63];\
+    R2 = R2 + cx->K[R1 & 63];\
+    R3 = R3 + cx->K[R2 & 63]
+
+/* Encrypt one block */
+static void 
+rc2_Encrypt1Block(RC2Context *cx, RC2Block *output, RC2Block *input)
+{
+    register PRUint16 R0, R1, R2, R3;
+
+    /* step 1. Initialize input. */
+    R0 = input->s[0];
+    R1 = input->s[1];
+    R2 = input->s[2];
+    R3 = input->s[3];
+
+    /* step 2.  Expand Key (already done, in context) */
+    /* step 3.  j = 0 */
+    /* step 4.  Perform 5 mixing rounds. */
+
+    MIX(0);
+    MIX(1);
+    MIX(2);
+    MIX(3);
+    MIX(4);
+
+    /* step 5. Perform 1 mashing round. */
+    MASH;
+
+    /* step 6. Perform 6 mixing rounds. */
+
+    MIX(5);
+    MIX(6);
+    MIX(7);
+    MIX(8);
+    MIX(9);
+    MIX(10);
+
+    /* step 7. Perform 1 mashing round. */
+    MASH;
+
+    /* step 8. Perform 5 mixing rounds. */
+
+    MIX(11);
+    MIX(12);
+    MIX(13);
+    MIX(14);
+    MIX(15);
+
+    /* output results */
+    output->s[0] = R0;
+    output->s[1] = R1;
+    output->s[2] = R2;
+    output->s[3] = R3;
+}
+
+#define ROR(x,k) (x >> k | x << (16-k))
+#define R_MIX(j) \
+    R3 = ROR(R3,5); R3 = R3 - cx->K[ 4*j+3] - (R2 & R1) - (~R2 & R0);  \
+    R2 = ROR(R2,3); R2 = R2 - cx->K[ 4*j+2] - (R1 & R0) - (~R1 & R3);  \
+    R1 = ROR(R1,2); R1 = R1 - cx->K[ 4*j+1] - (R0 & R3) - (~R0 & R2);  \
+    R0 = ROR(R0,1); R0 = R0 - cx->K[ 4*j+0] - (R3 & R2) - (~R3 & R1)
+#define R_MASH \
+    R3 = R3 - cx->K[R2 & 63];\
+    R2 = R2 - cx->K[R1 & 63];\
+    R1 = R1 - cx->K[R0 & 63];\
+    R0 = R0 - cx->K[R3 & 63]
+
+/* Encrypt one block */
+static void 
+rc2_Decrypt1Block(RC2Context *cx, RC2Block *output, RC2Block *input)
+{
+    register PRUint16 R0, R1, R2, R3;
+
+    /* step 1. Initialize input. */
+    R0 = input->s[0];
+    R1 = input->s[1];
+    R2 = input->s[2];
+    R3 = input->s[3];
+
+    /* step 2.  Expand Key (already done, in context) */
+    /* step 3.  j = 63 */
+    /* step 4.  Perform 5 r_mixing rounds. */
+    R_MIX(15);
+    R_MIX(14);
+    R_MIX(13);
+    R_MIX(12);
+    R_MIX(11);
+
+    /* step 5.  Perform 1 r_mashing round. */
+    R_MASH;
+
+    /* step 6.  Perform 6 r_mixing rounds. */
+    R_MIX(10);
+    R_MIX(9);
+    R_MIX(8);
+    R_MIX(7);
+    R_MIX(6);
+    R_MIX(5);
+
+    /* step 7.  Perform 1 r_mashing round. */
+    R_MASH;
+
+    /* step 8.  Perform 5 r_mixing rounds. */
+    R_MIX(4);
+    R_MIX(3);
+    R_MIX(2);
+    R_MIX(1);
+    R_MIX(0);
+
+    /* output results */
+    output->s[0] = R0;
+    output->s[1] = R1;
+    output->s[2] = R2;
+    output->s[3] = R3;
+}
+
+static SECStatus
+rc2_EncryptECB(RC2Context *cx, unsigned char *output,
+	       const unsigned char *input, unsigned int inputLen)
+{
+    RC2Block  iBlock;
+
+    while (inputLen > 0) {
+    	LOAD(iBlock.s)
+	rc2_Encrypt1Block(cx, &iBlock, &iBlock);
+	STORE(iBlock.s)
+	output   += RC2_BLOCK_SIZE;
+	input    += RC2_BLOCK_SIZE;
+	inputLen -= RC2_BLOCK_SIZE;
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+rc2_DecryptECB(RC2Context *cx, unsigned char *output,
+	       const unsigned char *input, unsigned int inputLen)
+{
+    RC2Block  iBlock;
+
+    while (inputLen > 0) {
+    	LOAD(iBlock.s)
+	rc2_Decrypt1Block(cx, &iBlock, &iBlock);
+	STORE(iBlock.s)
+	output   += RC2_BLOCK_SIZE;
+	input    += RC2_BLOCK_SIZE;
+	inputLen -= RC2_BLOCK_SIZE;
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+rc2_EncryptCBC(RC2Context *cx, unsigned char *output,
+	       const unsigned char *input, unsigned int inputLen)
+{
+    RC2Block  iBlock;
+
+    while (inputLen > 0) {
+
+	LOAD(iBlock.s)
+	iBlock.l[0] ^= cx->iv.l[0];
+	iBlock.l[1] ^= cx->iv.l[1];
+	rc2_Encrypt1Block(cx, &iBlock, &iBlock);
+	cx->iv = iBlock;
+	STORE(iBlock.s)
+	output   += RC2_BLOCK_SIZE;
+	input    += RC2_BLOCK_SIZE;
+	inputLen -= RC2_BLOCK_SIZE;
+    }
+    return SECSuccess;
+}
+
+static SECStatus
+rc2_DecryptCBC(RC2Context *cx, unsigned char *output,
+	       const unsigned char *input, unsigned int inputLen)
+{
+    RC2Block  iBlock;
+    RC2Block  oBlock;
+
+    while (inputLen > 0) {
+	LOAD(iBlock.s)
+	rc2_Decrypt1Block(cx, &oBlock, &iBlock);
+	oBlock.l[0] ^= cx->iv.l[0];
+	oBlock.l[1] ^= cx->iv.l[1];
+	cx->iv = iBlock;
+	STORE(oBlock.s)
+	output   += RC2_BLOCK_SIZE;
+	input    += RC2_BLOCK_SIZE;
+	inputLen -= RC2_BLOCK_SIZE;
+    }
+    return SECSuccess;
+}
+
+
+/*
+** Perform RC2 encryption.
+**	"cx" the context
+**	"output" the output buffer to store the encrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+SECStatus RC2_Encrypt(RC2Context *cx, unsigned char *output,
+		      unsigned int *outputLen, unsigned int maxOutputLen,
+		      const unsigned char *input, unsigned int inputLen)
+{
+    SECStatus rv = SECSuccess;
+    if (inputLen) {
+	if (inputLen % RC2_BLOCK_SIZE) {
+	    PORT_SetError(SEC_ERROR_INPUT_LEN);
+	    return SECFailure;
+	}
+	if (maxOutputLen < inputLen) {
+	    PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+	    return SECFailure;
+	}
+	rv = (*cx->enc)(cx, output, input, inputLen);
+    }
+    if (rv == SECSuccess) {
+    	*outputLen = inputLen;
+    }
+    return rv;
+}
+
+/*
+** Perform RC2 decryption.
+**	"cx" the context
+**	"output" the output buffer to store the decrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+SECStatus RC2_Decrypt(RC2Context *cx, unsigned char *output,
+		      unsigned int *outputLen, unsigned int maxOutputLen,
+		      const unsigned char *input, unsigned int inputLen)
+{
+    SECStatus rv = SECSuccess;
+    if (inputLen) {
+	if (inputLen % RC2_BLOCK_SIZE) {
+	    PORT_SetError(SEC_ERROR_INPUT_LEN);
+	    return SECFailure;
+	}
+	if (maxOutputLen < inputLen) {
+	    PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+	    return SECFailure;
+	}
+	rv = (*cx->dec)(cx, output, input, inputLen);
+    }
+    if (rv == SECSuccess) {
+	*outputLen = inputLen;
+    }
+    return rv;
+}
+
diff --git a/security/nss/lib/freebl/arcfive.c b/security/nss/lib/freebl/arcfive.c
new file mode 100644
index 000000000..2ee3f5447
--- /dev/null
+++ b/security/nss/lib/freebl/arcfive.c
@@ -0,0 +1,114 @@
+/*
+ * arcfive.c - stubs for RC5 - NOT a working implementation!
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "blapi.h"
+#include "prerror.h"
+
+/******************************************/
+/*
+** RC5 symmetric block cypher -- 64-bit block size
+*/
+
+/*
+** Create a new RC5 context suitable for RC5 encryption/decryption.
+**      "key" raw key data
+**      "len" the number of bytes of key data
+**      "iv" is the CBC initialization vector (if mode is NSS_RC5_CBC)
+**      "mode" one of NSS_RC5 or NSS_RC5_CBC
+**
+** When mode is set to NSS_RC5_CBC the RC5 cipher is run in "cipher block
+** chaining" mode.
+*/
+RC5Context *
+RC5_CreateContext(SECItem *key, unsigned int rounds,
+                  unsigned int wordSize, unsigned char *iv, int mode)
+{
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return NULL;
+}
+
+/*
+** Destroy an RC5 encryption/decryption context.
+**      "cx" the context
+**      "freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+void 
+RC5_DestroyContext(RC5Context *cx, PRBool freeit) 
+{
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+}
+
+/*
+** Perform RC5 encryption.
+**      "cx" the context
+**      "output" the output buffer to store the encrypted data.
+**      "outputLen" how much data is stored in "output". Set by the routine
+**         after some data is stored in output.
+**      "maxOutputLen" the maximum amount of data that can ever be
+**         stored in "output"
+**      "input" the input data
+**      "inputLen" the amount of input data
+*/
+SECStatus 
+RC5_Encrypt(RC5Context *cx, unsigned char *output, unsigned int *outputLen, 
+	    unsigned int maxOutputLen, 
+	    const unsigned char *input, unsigned int inputLen)
+{
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return SECFailure;
+}
+
+/*
+** Perform RC5 decryption.
+**      "cx" the context
+**      "output" the output buffer to store the decrypted data.
+**      "outputLen" how much data is stored in "output". Set by the routine
+**         after some data is stored in output.
+**      "maxOutputLen" the maximum amount of data that can ever be
+**         stored in "output"
+**      "input" the input data
+**      "inputLen" the amount of input data
+*/
+SECStatus 
+RC5_Decrypt(RC5Context *cx, unsigned char *output, unsigned int *outputLen, 
+	    unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen)
+{
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return SECFailure;
+}
+
diff --git a/security/nss/lib/freebl/arcfour.c b/security/nss/lib/freebl/arcfour.c
new file mode 100644
index 000000000..71de64b2d
--- /dev/null
+++ b/security/nss/lib/freebl/arcfour.c
@@ -0,0 +1,562 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.	Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.	If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "prerr.h"
+#include "secerr.h"
+
+#include "prtypes.h"
+#include "blapi.h"
+
+/* Architecture-dependent defines */
+
+#if defined(SOLARIS) || defined(HPUX) || defined(i386) || defined(IRIX)
+/* Convert the byte-stream to a word-stream */
+#define CONVERT_TO_WORDS
+#endif
+
+#if defined(AIX) || defined(OSF1)
+/* Treat array variables as longs, not bytes */
+#define USE_LONG
+#endif
+
+#if defined(NSS_USE_HYBRID) && !defined(SOLARIS) && !defined(NSS_USE_64) 
+typedef unsigned long long WORD;
+#else
+typedef unsigned long WORD;
+#endif
+#define WORDSIZE sizeof(WORD)
+
+#ifdef USE_LONG
+typedef unsigned long Stype;
+#else
+typedef PRUint8 Stype;
+#endif
+
+#define ARCFOUR_STATE_SIZE 256
+
+#define MASK1BYTE (WORD)(0xff)
+
+#define SWAP(a, b) \
+	tmp = a; \
+	a = b; \
+	b = tmp;
+
+/*
+ * State information for stream cipher.
+ */
+struct RC4ContextStr
+{
+	Stype S[ARCFOUR_STATE_SIZE];
+	PRUint8 i;
+	PRUint8 j;
+};
+
+/*
+ * array indices [0..255] to initialize cx->S array (faster than loop).
+ */
+static const Stype Kinit[256] = {
+	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+	0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+	0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+	0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
+	0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+	0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+	0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
+	0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+	0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
+	0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
+	0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
+	0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
+	0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+	0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
+	0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
+	0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
+	0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+	0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
+	0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
+	0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
+	0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
+	0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
+	0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
+	0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
+	0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
+	0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
+	0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
+	0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
+	0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
+	0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
+	0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
+};
+
+/*
+ * Initialize a new generator.
+ */
+RC4Context *
+RC4_CreateContext(unsigned char *key, int len)
+{
+	int i;
+	PRUint8 j, tmp;
+	RC4Context *cx;
+	PRUint8 K[256];
+	PRUint8 *L;
+	/* verify the key length. */
+	PORT_Assert(len > 0 && len < ARCFOUR_STATE_SIZE);
+	if (len < 0 || len >= ARCFOUR_STATE_SIZE) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return NULL;
+	}
+	/* Create space for the context. */
+	cx = (RC4Context *)PORT_ZAlloc(sizeof(RC4Context));
+	if (cx == NULL) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		return NULL;
+	}
+	/* Initialize the state using array indices. */
+	memcpy(cx->S, Kinit, sizeof cx->S);
+	/* Fill in K repeatedly with values from key. */
+	L = K;
+	for (i = sizeof K; i > len; i-= len) {
+		memcpy(L, key, len);
+		L += len;
+	}
+	memcpy(L, key, i);
+	/* Stir the state of the generator.  At this point it is assumed
+	 * that the key is the size of the state buffer.  If this is not
+	 * the case, the key bytes are repeated to fill the buffer.
+	 */
+	j = 0;
+#define ARCFOUR_STATE_STIR(ii) \
+	j = j + cx->S[ii] + K[ii]; \
+	SWAP(cx->S[ii], cx->S[j]);
+	for (i=0; i<ARCFOUR_STATE_SIZE; i++) {
+		ARCFOUR_STATE_STIR(i);
+	}
+	cx->i = 0;
+	cx->j = 0;
+	return cx;
+}
+
+void 
+RC4_DestroyContext(RC4Context *cx, PRBool freeit)
+{
+	if (freeit)
+		PORT_ZFree(cx, sizeof(*cx));
+}
+
+/*
+ * Generate the next byte in the stream.
+ */
+#define ARCFOUR_NEXT_BYTE() \
+	tmpSi = cx->S[++tmpi]; \
+	tmpj += tmpSi; \
+	tmpSj = cx->S[tmpj]; \
+	cx->S[tmpi] = tmpSj; \
+	cx->S[tmpj] = tmpSi; \
+	t = tmpSi + tmpSj;
+
+#ifdef CONVERT_TO_WORDS
+/*
+ * Straight RC4 op.  No optimization.
+ */
+static SECStatus 
+rc4_no_opt(RC4Context *cx, unsigned char *output,
+           unsigned int *outputLen, unsigned int maxOutputLen,
+           const unsigned char *input, unsigned int inputLen)
+{
+    PRUint8 t;
+	Stype tmpSi, tmpSj;
+	register PRUint8 tmpi = cx->i;
+	register PRUint8 tmpj = cx->j;
+	unsigned int index;
+	PORT_Assert(maxOutputLen >= inputLen);
+	if (maxOutputLen < inputLen) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	for (index=0; index < inputLen; index++) {
+		/* Generate next byte from stream. */
+		ARCFOUR_NEXT_BYTE();
+		/* output = next stream byte XOR next input byte */
+		output[index] = cx->S[t] ^ input[index];
+	}
+	*outputLen = inputLen;
+	cx->i = tmpi;
+	cx->j = tmpj;
+	return SECSuccess;
+}
+#endif
+
+#ifndef CONVERT_TO_WORDS
+/*
+ * Byte-at-a-time RC4, unrolling the loop into 8 pieces.
+ */
+static SECStatus 
+rc4_unrolled(RC4Context *cx, unsigned char *output,
+             unsigned int *outputLen, unsigned int maxOutputLen,
+             const unsigned char *input, unsigned int inputLen)
+{
+	PRUint8 t;
+	Stype tmpSi, tmpSj;
+	register PRUint8 tmpi = cx->i;
+	register PRUint8 tmpj = cx->j;
+	int index;
+	PORT_Assert(maxOutputLen >= inputLen);
+	if (maxOutputLen < inputLen) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	for (index = inputLen / 8; index-- > 0; input += 8, output += 8) {
+		ARCFOUR_NEXT_BYTE();
+		output[0] = cx->S[t] ^ input[0];
+		ARCFOUR_NEXT_BYTE();
+		output[1] = cx->S[t] ^ input[1];
+		ARCFOUR_NEXT_BYTE();
+		output[2] = cx->S[t] ^ input[2];
+		ARCFOUR_NEXT_BYTE();
+		output[3] = cx->S[t] ^ input[3];
+		ARCFOUR_NEXT_BYTE();
+		output[4] = cx->S[t] ^ input[4];
+		ARCFOUR_NEXT_BYTE();
+		output[5] = cx->S[t] ^ input[5];
+		ARCFOUR_NEXT_BYTE();
+		output[6] = cx->S[t] ^ input[6];
+		ARCFOUR_NEXT_BYTE();
+		output[7] = cx->S[t] ^ input[7];
+	}
+	index = inputLen % 8;
+	if (index) {
+		input += index;
+		output += index;
+		switch (index) {
+		case 7:
+			ARCFOUR_NEXT_BYTE();
+			output[-7] = cx->S[t] ^ input[-7]; /* FALLTHRU */
+		case 6:
+			ARCFOUR_NEXT_BYTE();
+			output[-6] = cx->S[t] ^ input[-6]; /* FALLTHRU */
+		case 5:
+			ARCFOUR_NEXT_BYTE();
+			output[-5] = cx->S[t] ^ input[-5]; /* FALLTHRU */
+		case 4:
+			ARCFOUR_NEXT_BYTE();
+			output[-4] = cx->S[t] ^ input[-4]; /* FALLTHRU */
+		case 3:
+			ARCFOUR_NEXT_BYTE();
+			output[-3] = cx->S[t] ^ input[-3]; /* FALLTHRU */
+		case 2:
+			ARCFOUR_NEXT_BYTE();
+			output[-2] = cx->S[t] ^ input[-2]; /* FALLTHRU */
+		case 1:
+			ARCFOUR_NEXT_BYTE();
+			output[-1] = cx->S[t] ^ input[-1]; /* FALLTHRU */
+		default:
+			/* FALLTHRU */
+			; /* hp-ux build breaks without this */
+		}
+	}
+	cx->i = tmpi;
+	cx->j = tmpj;
+	*outputLen = inputLen;
+	return SECSuccess;
+}
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+#define ARCFOUR_NEXT4BYTES_L(n) \
+	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n     ); \
+	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n +  8); \
+	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n + 16); \
+	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n + 24);
+#else
+#define ARCFOUR_NEXT4BYTES_B(n) \
+	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n + 24); \
+	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n + 16); \
+	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n +  8); \
+	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n     );
+#endif
+
+#if (defined(NSS_USE_HYBRID) && !defined(SOLARIS)) || defined(NSS_USE_64)
+/* 64-bit wordsize */
+#ifdef IS_LITTLE_ENDIAN
+#define ARCFOUR_NEXT_WORD() \
+	{ streamWord = 0; ARCFOUR_NEXT4BYTES_L(0); ARCFOUR_NEXT4BYTES_L(32); }
+#else
+#define ARCFOUR_NEXT_WORD() \
+	{ streamWord = 0; ARCFOUR_NEXT4BYTES_B(32); ARCFOUR_NEXT4BYTES_B(0); }
+#endif
+#else
+/* 32-bit wordsize */
+#ifdef IS_LITTLE_ENDIAN
+#define ARCFOUR_NEXT_WORD() \
+	{ streamWord = 0; ARCFOUR_NEXT4BYTES_L(0); }
+#else
+#define ARCFOUR_NEXT_WORD() \
+	{ streamWord = 0; ARCFOUR_NEXT4BYTES_B(0); }
+#endif
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+#define RSH <<
+#define LSH >>
+#else
+#define RSH >>
+#define LSH <<
+#endif
+
+#ifdef CONVERT_TO_WORDS
+/*
+ * Convert input and output buffers to words before performing
+ * RC4 operations.
+ */
+static SECStatus 
+rc4_wordconv(RC4Context *cx, unsigned char *output,
+             unsigned int *outputLen, unsigned int maxOutputLen,
+             const unsigned char *input, unsigned int inputLen)
+{
+	ptrdiff_t inOffset = (ptrdiff_t)input % WORDSIZE;
+	ptrdiff_t outOffset = (ptrdiff_t)output % WORDSIZE;
+	register WORD streamWord, mask;
+	register WORD *pInWord, *pOutWord;
+	register WORD inWord, nextInWord;
+	PRUint8 t;
+	register Stype tmpSi, tmpSj;
+	register PRUint8 tmpi = cx->i;
+	register PRUint8 tmpj = cx->j;
+	unsigned int byteCount;
+	unsigned int bufShift, invBufShift;
+	int i;
+
+	PORT_Assert(maxOutputLen >= inputLen);
+	if (maxOutputLen < inputLen) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	if (inputLen < 2*WORDSIZE) {
+		/* Ignore word conversion, do byte-at-a-time */
+		return rc4_no_opt(cx, output, outputLen, maxOutputLen, input, inputLen);
+	}
+	*outputLen = inputLen;
+	pInWord = (WORD *)(input - inOffset);
+	if (inOffset < outOffset) {
+		bufShift = 8*(outOffset - inOffset);
+		invBufShift = 8*WORDSIZE - bufShift;
+	} else {
+		invBufShift = 8*(inOffset - outOffset);
+		bufShift = 8*WORDSIZE - invBufShift;
+	}
+	/*****************************************************************/
+	/* Step 1:                                                       */
+	/* If the first output word is partial, consume the bytes in the */
+	/* first partial output word by loading one or two words of      */
+	/* input and shifting them accordingly.  Otherwise, just load    */
+	/* in the first word of input.  At the end of this block, at     */
+	/* least one partial word of input should ALWAYS be loaded.      */
+	/*****************************************************************/
+	if (outOffset) {
+		/* Generate input and stream words aligned relative to the
+		 * partial output buffer.
+		 */
+		byteCount = WORDSIZE - outOffset; 
+		pOutWord = (WORD *)(output - outOffset);
+		mask = streamWord = 0;
+#ifdef IS_LITTLE_ENDIAN
+		for (i = WORDSIZE - byteCount; i < WORDSIZE; i++) {
+#else
+		for (i = byteCount - 1; i >= 0; --i) {
+#endif
+			ARCFOUR_NEXT_BYTE();
+			streamWord |= (WORD)(cx->S[t]) << 8*i;
+			mask |= MASK1BYTE << 8*i;
+		} /* } */
+		inWord = *pInWord++;
+		/* If buffers are relatively misaligned, shift the bytes in inWord
+		 * to be aligned to the output buffer.
+		 */
+		nextInWord = 0;
+		if (inOffset < outOffset) {
+			/* Have more bytes than needed, shift remainder into nextInWord */
+			nextInWord = inWord LSH 8*(inOffset + byteCount);
+			inWord = inWord RSH bufShift;
+		} else if (inOffset > outOffset) {
+			/* Didn't get enough bytes from current input word, load another
+			 * word and then shift remainder into nextInWord.
+			 */
+			nextInWord = *pInWord++;
+			inWord = (inWord LSH invBufShift) | 
+			         (nextInWord RSH bufShift);
+			nextInWord = nextInWord LSH invBufShift;
+		}
+		/* Store output of first partial word */
+		*pOutWord = (*pOutWord & ~mask) | ((inWord ^ streamWord) & mask);
+		/* Consumed byteCount bytes of input */
+		inputLen -= byteCount;
+		/* move to next word of output */
+		pOutWord++;
+		/* inWord has been consumed, but there may be bytes in nextInWord */
+		inWord = nextInWord;
+	} else {
+		/* output is word-aligned */
+		pOutWord = (WORD *)output;
+		if (inOffset) {
+			/* Input is not word-aligned.  The first word load of input 
+			 * will not produce a full word of input bytes, so one word
+			 * must be pre-loaded.  The main loop below will load in the
+			 * next input word and shift some of its bytes into inWord
+			 * in order to create a full input word.  Note that the main
+			 * loop must execute at least once because the input must
+			 * be at least two words.
+			 */
+			inWord = *pInWord++;
+			inWord = inWord LSH invBufShift;
+		} else {
+			/* Input is word-aligned.  The first word load of input 
+			 * will produce a full word of input bytes, so nothing
+			 * needs to be loaded here.
+			 */
+			inWord = 0;
+		}
+	}
+	/* Output buffer is aligned, inOffset is now measured relative to
+	 * outOffset (and not a word boundary).
+	 */
+	inOffset = (inOffset + WORDSIZE - outOffset) % WORDSIZE;
+	/*****************************************************************/
+	/* Step 2: main loop                                             */
+	/* At this point the output buffer is word-aligned.  Any unused  */
+	/* bytes from above will be in inWord (shifted correctly).  If   */
+	/* the input buffer is unaligned relative to the output buffer,  */
+	/* shifting has to be done.                                      */
+	/*****************************************************************/
+	if (inOffset) {
+		for (; inputLen >= WORDSIZE; inputLen -= WORDSIZE) {
+			nextInWord = *pInWord++;
+			inWord |= nextInWord RSH bufShift;
+			nextInWord = nextInWord LSH invBufShift;
+			ARCFOUR_NEXT_WORD();
+			*pOutWord++ = inWord ^ streamWord;
+			inWord = nextInWord;
+		}
+		if (inputLen == 0) {
+			/* Nothing left to do. */
+			cx->i = tmpi;
+			cx->j = tmpj;
+			return SECSuccess;
+		}
+		/* If the amount of remaining input is greater than the amount
+		 * bytes pulled from the current input word, need to do another
+		 * word load.  What's left in inWord will be consumed in step 3.
+		 */
+		if (inputLen > WORDSIZE - inOffset)
+			inWord |= *pInWord RSH bufShift;
+	} else {
+		for (; inputLen >= WORDSIZE; inputLen -= WORDSIZE) {
+			inWord = *pInWord++;
+			ARCFOUR_NEXT_WORD();
+			*pOutWord++ = inWord ^ streamWord;
+		}
+		if (inputLen == 0) {
+			/* Nothing left to do. */
+			cx->i = tmpi;
+			cx->j = tmpj;
+			return SECSuccess;
+		} else {
+			/* A partial input word remains at the tail.  Load it.  The
+			 * relevant bytes will be consumed in step 3.
+			 */
+			inWord = *pInWord;
+		}
+	}
+	/*****************************************************************/
+	/* Step 3:                                                       */
+	/* A partial word of input remains, and it is already loaded     */
+	/* into nextInWord.  Shift appropriately and consume the bytes   */
+	/* used in the partial word.                                     */
+	/*****************************************************************/
+	mask = streamWord = 0;
+#ifdef IS_LITTLE_ENDIAN
+	for (i = 0; i < inputLen; ++i) {
+#else
+	for (i = WORDSIZE - 1; i >= WORDSIZE - inputLen; --i) {
+#endif
+		ARCFOUR_NEXT_BYTE();
+		streamWord |= (WORD)(cx->S[t]) << 8*i;
+		mask |= MASK1BYTE << 8*i;
+	} /* } */
+	*pOutWord = (*pOutWord & ~mask) | ((inWord ^ streamWord) & mask);
+	cx->i = tmpi;
+	cx->j = tmpj;
+	return SECSuccess;
+}
+#endif
+
+SECStatus 
+RC4_Encrypt(RC4Context *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen)
+{
+	PORT_Assert(maxOutputLen >= inputLen);
+	if (maxOutputLen < inputLen) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+#ifdef CONVERT_TO_WORDS
+	/* Convert the byte-stream to a word-stream */
+	return rc4_wordconv(cx, output, outputLen, maxOutputLen, input, inputLen);
+#else
+	/* Operate on bytes, but unroll the main loop */
+	return rc4_unrolled(cx, output, outputLen, maxOutputLen, input, inputLen);
+#endif
+}
+
+SECStatus RC4_Decrypt(RC4Context *cx, unsigned char *output,
+                      unsigned int *outputLen, unsigned int maxOutputLen,
+                      const unsigned char *input, unsigned int inputLen)
+{
+	PORT_Assert(maxOutputLen >= inputLen);
+	if (maxOutputLen < inputLen) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	/* decrypt and encrypt are same operation. */
+#ifdef CONVERT_TO_WORDS
+	/* Convert the byte-stream to a word-stream */
+	return rc4_wordconv(cx, output, outputLen, maxOutputLen, input, inputLen);
+#else
+	/* Operate on bytes, but unroll the main loop */
+	return rc4_unrolled(cx, output, outputLen, maxOutputLen, input, inputLen);
+#endif
+}
+
+#undef CONVERT_TO_WORDS
+#undef USE_LONG
diff --git a/security/nss/lib/freebl/blapi.h b/security/nss/lib/freebl/blapi.h
new file mode 100644
index 000000000..c41691e5b
--- /dev/null
+++ b/security/nss/lib/freebl/blapi.h
@@ -0,0 +1,814 @@
+/*
+ * crypto.h - public data structures and prototypes for the crypto library
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#ifndef _BLAPI_H_
+#define _BLAPI_H_
+
+#include "blapit.h"
+
+
+SEC_BEGIN_PROTOS
+
+/*
+** RSA encryption/decryption. When encrypting/decrypting the output
+** buffer must be at least the size of the public key modulus.
+*/
+
+/*
+** Generate and return a new RSA public and private key.
+**	Both keys are encoded in a single RSAPrivateKey structure.
+**	"cx" is the random number generator context
+**	"keySizeInBits" is the size of the key to be generated, in bits.
+**	   512, 1024, etc.
+**	"publicExponent" when not NULL is a pointer to some data that
+**	   represents the public exponent to use. The data is a byte
+**	   encoded integer, in "big endian" order.
+*/
+extern RSAPrivateKey *RSA_NewKey(int         keySizeInBits,
+				 SECItem *   publicExponent);
+
+/*
+** Perform a raw public-key operation 
+**	Length of input and output buffers are equal to key's modulus len.
+*/
+extern SECStatus RSA_PublicKeyOp(RSAPublicKey *   key,
+				 unsigned char *  output,
+				 const unsigned char *  input);
+
+/*
+** Perform a raw private-key operation 
+**	Length of input and output buffers are equal to key's modulus len.
+*/
+extern SECStatus RSA_PrivateKeyOp(RSAPrivateKey *  key,
+				  unsigned char *  output,
+				  const unsigned char *  input);
+
+/*
+** Perform a raw private-key operation, and check the parameters used in
+** the operation for validity by performing a test operation first.
+**	Length of input and output buffers are equal to key's modulus len.
+*/
+extern SECStatus RSA_PrivateKeyOpDoubleChecked(RSAPrivateKey *  key,
+				               unsigned char *  output,
+				               const unsigned char *  input);
+
+/*
+** Perform a check of private key parameters for consistency.
+*/
+extern SECStatus RSA_PrivateKeyCheck(RSAPrivateKey *key);
+
+
+/********************************************************************
+** DSA signing algorithm
+*/
+
+/*
+** Generate and return a new DSA public and private key pair,
+**	both of which are encoded into a single DSAPrivateKey struct.
+**	"params" is a pointer to the PQG parameters for the domain
+**	Uses a random seed.
+*/
+extern SECStatus DSA_NewKey(const PQGParams *     params, 
+		            DSAPrivateKey **      privKey);
+
+/* signature is caller-supplied buffer of at least 20 bytes.
+** On input,  signature->len == size of buffer to hold signature.
+**            digest->len    == size of digest.
+** On output, signature->len == size of signature in buffer.
+** Uses a random seed.
+*/
+extern SECStatus DSA_SignDigest(DSAPrivateKey *   key,
+				SECItem *         signature,
+				const SECItem *   digest);
+
+/* signature is caller-supplied buffer of at least 20 bytes.
+** On input,  signature->len == size of buffer to hold signature.
+**            digest->len    == size of digest.
+*/
+extern SECStatus DSA_VerifyDigest(DSAPublicKey *  key,
+				  const SECItem * signature,
+				  const SECItem * digest);
+
+/* For FIPS compliance testing. Seed must be exactly 20 bytes long */
+extern SECStatus DSA_NewKeyFromSeed(const PQGParams *params, 
+                                    const unsigned char * seed,
+                                    DSAPrivateKey **privKey);
+
+/* For FIPS compliance testing. Seed must be exactly 20 bytes. */
+extern SECStatus DSA_SignDigestWithSeed(DSAPrivateKey * key,
+                                        SECItem *       signature,
+                                        const SECItem * digest,
+                                        const unsigned char * seed);
+
+/******************************************************
+** Diffie Helman key exchange algorithm 
+*/
+
+/* Generates parameters for Diffie-Helman key generation.
+**	primeLen is the length in bytes of prime P to be generated.
+*/
+extern SECStatus DH_GenParam(int primeLen, DHParams ** params);
+
+/* Generates a public and private key, both of which are encoded in a single
+**	DHPrivateKey struct. Params is input, privKey are output.  
+**	This is Phase 1 of Diffie Hellman.
+*/
+extern SECStatus DH_NewKey(DHParams *           params, 
+                           DHPrivateKey **	privKey);
+
+/* 
+** DH_Derive does the Diffie-Hellman phase 2 calculation, using the 
+** other party's publicValue, and the prime and our privateValue.
+** maxOutBytes is the requested length of the generated secret in bytes.  
+** A zero value means produce a value of any length up to the size of 
+** the prime.   If successful, derivedSecret->data is set 
+** to the address of the newly allocated buffer containing the derived 
+** secret, and derivedSecret->len is the size of the secret produced.
+** The size of the secret produced will never be larger than the length
+** of the prime, and it may be smaller than maxOutBytes.
+** It is the caller's responsibility to free the allocated buffer 
+** containing the derived secret.
+*/
+extern SECStatus DH_Derive(SECItem *    publicValue, 
+		           SECItem *    prime, 
+			   SECItem *    privateValue, 
+			   SECItem *    derivedSecret,
+			   unsigned int maxOutBytes);
+
+/* 
+** KEA_CalcKey returns octet string with the private key for a dual
+** Diffie-Helman  key generation as specified for government key exchange.
+*/
+extern SECStatus KEA_Derive(SECItem *prime, 
+                            SECItem *public1, 
+                            SECItem *public2, 
+			    SECItem *private1, 
+			    SECItem *private2,
+			    SECItem *derivedSecret);
+
+/*
+ * verify that a KEA or DSA public key is a valid key for this prime and
+ * subprime domain.
+ */
+extern PRBool KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime);
+
+
+/******************************************/
+/*
+** RC4 symmetric stream cypher
+*/
+
+/*
+** Create a new RC4 context suitable for RC4 encryption/decryption.
+**	"key" raw key data
+**	"len" the number of bytes of key data
+*/
+extern RC4Context *RC4_CreateContext(unsigned char *key, int len);
+
+/*
+** Destroy an RC4 encryption/decryption context.
+**	"cx" the context
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void RC4_DestroyContext(RC4Context *cx, PRBool freeit);
+
+/*
+** Perform RC4 encryption.
+**	"cx" the context
+**	"output" the output buffer to store the encrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+extern SECStatus RC4_Encrypt(RC4Context *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+/*
+** Perform RC4 decryption.
+**	"cx" the context
+**	"output" the output buffer to store the decrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+extern SECStatus RC4_Decrypt(RC4Context *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+/******************************************/
+/*
+** RC2 symmetric block cypher
+*/
+
+/*
+** Create a new RC2 context suitable for RC2 encryption/decryption.
+** 	"key" raw key data
+** 	"len" the number of bytes of key data
+** 	"iv" is the CBC initialization vector (if mode is NSS_RC2_CBC)
+** 	"mode" one of NSS_RC2 or NSS_RC2_CBC
+**	"effectiveKeyLen" is the effective key length (as specified in 
+**	    RFC 2268) in bytes (not bits).
+**
+** When mode is set to NSS_RC2_CBC the RC2 cipher is run in "cipher block
+** chaining" mode.
+*/
+extern RC2Context *RC2_CreateContext(unsigned char *key, unsigned int len,
+		     unsigned char *iv, int mode, unsigned effectiveKeyLen);
+
+/*
+** Destroy an RC2 encryption/decryption context.
+**	"cx" the context
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void RC2_DestroyContext(RC2Context *cx, PRBool freeit);
+
+/*
+** Perform RC2 encryption.
+**	"cx" the context
+**	"output" the output buffer to store the encrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+extern SECStatus RC2_Encrypt(RC2Context *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+/*
+** Perform RC2 decryption.
+**	"cx" the context
+**	"output" the output buffer to store the decrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+extern SECStatus RC2_Decrypt(RC2Context *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+/******************************************/
+/*
+** RC5 symmetric block cypher -- 64-bit block size
+*/
+
+/*
+** Create a new RC5 context suitable for RC5 encryption/decryption.
+**      "key" raw key data
+**      "len" the number of bytes of key data
+**      "iv" is the CBC initialization vector (if mode is NSS_RC5_CBC)
+**      "mode" one of NSS_RC5 or NSS_RC5_CBC
+**
+** When mode is set to NSS_RC5_CBC the RC5 cipher is run in "cipher block
+** chaining" mode.
+*/
+extern RC5Context *RC5_CreateContext(SECItem *key, unsigned int rounds,
+                     unsigned int wordSize, unsigned char *iv, int mode);
+
+/*
+** Destroy an RC5 encryption/decryption context.
+**      "cx" the context
+**      "freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void RC5_DestroyContext(RC5Context *cx, PRBool freeit);
+
+/*
+** Perform RC5 encryption.
+**      "cx" the context
+**      "output" the output buffer to store the encrypted data.
+**      "outputLen" how much data is stored in "output". Set by the routine
+**         after some data is stored in output.
+**      "maxOutputLen" the maximum amount of data that can ever be
+**         stored in "output"
+**      "input" the input data
+**      "inputLen" the amount of input data
+*/
+extern SECStatus RC5_Encrypt(RC5Context *cx, unsigned char *output,
+                            unsigned int *outputLen, unsigned int maxOutputLen,
+                            const unsigned char *input, unsigned int inputLen);
+
+/*
+** Perform RC5 decryption.
+**      "cx" the context
+**      "output" the output buffer to store the decrypted data.
+**      "outputLen" how much data is stored in "output". Set by the routine
+**         after some data is stored in output.
+**      "maxOutputLen" the maximum amount of data that can ever be
+**         stored in "output"
+**      "input" the input data
+**      "inputLen" the amount of input data
+*/
+
+extern SECStatus RC5_Decrypt(RC5Context *cx, unsigned char *output,
+                            unsigned int *outputLen, unsigned int maxOutputLen,
+                            const unsigned char *input, unsigned int inputLen);
+
+
+
+/******************************************/
+/*
+** DES symmetric block cypher
+*/
+
+/*
+** Create a new DES context suitable for DES encryption/decryption.
+** 	"key" raw key data
+** 	"len" the number of bytes of key data
+** 	"iv" is the CBC initialization vector (if mode is NSS_DES_CBC or
+** 	   mode is DES_EDE3_CBC)
+** 	"mode" one of NSS_DES, NSS_DES_CBC, NSS_DES_EDE3 or NSS_DES_EDE3_CBC
+**	"encrypt" is PR_TRUE if the context will be used for encryption
+**
+** When mode is set to NSS_DES_CBC or NSS_DES_EDE3_CBC then the DES
+** cipher is run in "cipher block chaining" mode.
+*/
+extern DESContext *DES_CreateContext(unsigned char *key, unsigned char *iv,
+				     int mode, PRBool encrypt);
+
+/*
+** Destroy an DES encryption/decryption context.
+**	"cx" the context
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void DES_DestroyContext(DESContext *cx, PRBool freeit);
+
+/*
+** Perform DES encryption.
+**	"cx" the context
+**	"output" the output buffer to store the encrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+**
+** NOTE: the inputLen must be a multiple of DES_KEY_LENGTH
+*/
+extern SECStatus DES_Encrypt(DESContext *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+/*
+** Perform DES decryption.
+**	"cx" the context
+**	"output" the output buffer to store the decrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+**
+** NOTE: the inputLen must be a multiple of DES_KEY_LENGTH
+*/
+extern SECStatus DES_Decrypt(DESContext *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+/******************************************/
+/*
+** AES symmetric block cypher (Rijndael)
+*/
+
+/*
+** Create a new AES context suitable for AES encryption/decryption.
+** 	"key" raw key data
+** 	"keylen" the number of bytes of key data (16, 24, or 32)
+**      "blocklen" is the blocksize to use (16, 24, or 32)
+**                        XXX currently only blocksize==16 has been tested!
+*/
+extern AESContext *
+AES_CreateContext(unsigned char *key, unsigned char *iv, int mode, int encrypt,
+                  unsigned int keylen, unsigned int blocklen);
+
+/*
+** Destroy a AES encryption/decryption context.
+**	"cx" the context
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void 
+AES_DestroyContext(AESContext *cx, PRBool freeit);
+
+/*
+** Perform AES encryption.
+**	"cx" the context
+**	"output" the output buffer to store the encrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+extern SECStatus 
+AES_Encrypt(AESContext *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen);
+
+/*
+** Perform AES decryption.
+**	"cx" the context
+**	"output" the output buffer to store the decrypted data.
+**	"outputLen" how much data is stored in "output". Set by the routine
+**	   after some data is stored in output.
+**	"maxOutputLen" the maximum amount of data that can ever be
+**	   stored in "output"
+**	"input" the input data
+**	"inputLen" the amount of input data
+*/
+extern SECStatus 
+AES_Decrypt(AESContext *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen);
+
+
+/******************************************/
+/*
+** MD5 secure hash function
+*/
+
+/*
+** Hash a null terminated string "src" into "dest" using MD5
+*/
+extern SECStatus MD5_Hash(unsigned char *dest, const char *src);
+
+/*
+** Hash a non-null terminated string "src" into "dest" using MD5
+*/
+extern SECStatus MD5_HashBuf(unsigned char *dest, const unsigned char *src,
+			     uint32 src_length);
+
+/*
+** Create a new MD5 context
+*/
+extern MD5Context *MD5_NewContext(void);
+
+
+/*
+** Destroy an MD5 secure hash context.
+**	"cx" the context
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void MD5_DestroyContext(MD5Context *cx, PRBool freeit);
+
+/*
+** Reset an MD5 context, preparing it for a fresh round of hashing
+*/
+extern void MD5_Begin(MD5Context *cx);
+
+/*
+** Update the MD5 hash function with more data.
+**	"cx" the context
+**	"input" the data to hash
+**	"inputLen" the amount of data to hash
+*/
+extern void MD5_Update(MD5Context *cx,
+		       const unsigned char *input, unsigned int inputLen);
+
+/*
+** Finish the MD5 hash function. Produce the digested results in "digest"
+**	"cx" the context
+**	"digest" where the 16 bytes of digest data are stored
+**	"digestLen" where the digest length (16) is stored
+**	"maxDigestLen" the maximum amount of data that can ever be
+**	   stored in "digest"
+*/
+extern void MD5_End(MD5Context *cx, unsigned char *digest,
+		    unsigned int *digestLen, unsigned int maxDigestLen);
+/*
+ * Return the the size of a buffer needed to flatten the MD5 Context into
+ *    "cx" the context
+ *  returns size;
+ */
+extern unsigned int MD5_FlattenSize(MD5Context *cx);
+
+/*
+ * Flatten the MD5 Context into a buffer:
+ *    "cx" the context
+ *    "space" the buffer to flatten to
+ *  returns status;
+ */
+extern SECStatus MD5_Flatten(MD5Context *cx,unsigned char *space);
+
+/*
+ * Resurrect a flattened context into a MD5 Context
+ *    "space" the buffer of the flattend buffer
+ *    "arg" ptr to void used by cryptographic resurrect
+ *  returns resurected context;
+ */
+extern MD5Context * MD5_Resurrect(unsigned char *space, void *arg);
+
+/*
+** trace the intermediate state info of the MD5 hash.
+*/
+extern void MD5_TraceState(MD5Context *cx);
+
+
+/******************************************/
+/*
+** MD2 secure hash function
+*/
+
+/*
+** Hash a null terminated string "src" into "dest" using MD2
+*/
+extern SECStatus MD2_Hash(unsigned char *dest, const char *src);
+
+/*
+** Create a new MD2 context
+*/
+extern MD2Context *MD2_NewContext(void);
+
+
+/*
+** Destroy an MD2 secure hash context.
+**	"cx" the context
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void MD2_DestroyContext(MD2Context *cx, PRBool freeit);
+
+/*
+** Reset an MD2 context, preparing it for a fresh round of hashing
+*/
+extern void MD2_Begin(MD2Context *cx);
+
+/*
+** Update the MD2 hash function with more data.
+**	"cx" the context
+**	"input" the data to hash
+**	"inputLen" the amount of data to hash
+*/
+extern void MD2_Update(MD2Context *cx,
+		       const unsigned char *input, unsigned int inputLen);
+
+/*
+** Finish the MD2 hash function. Produce the digested results in "digest"
+**	"cx" the context
+**	"digest" where the 16 bytes of digest data are stored
+**	"digestLen" where the digest length (16) is stored
+**	"maxDigestLen" the maximum amount of data that can ever be
+**	   stored in "digest"
+*/
+extern void MD2_End(MD2Context *cx, unsigned char *digest,
+		    unsigned int *digestLen, unsigned int maxDigestLen);
+
+/*
+ * Return the the size of a buffer needed to flatten the MD2 Context into
+ *    "cx" the context
+ *  returns size;
+ */
+extern unsigned int MD2_FlattenSize(MD2Context *cx);
+
+/*
+ * Flatten the MD2 Context into a buffer:
+ *    "cx" the context
+ *    "space" the buffer to flatten to
+ *  returns status;
+ */
+extern SECStatus MD2_Flatten(MD2Context *cx,unsigned char *space);
+
+/*
+ * Resurrect a flattened context into a MD2 Context
+ *    "space" the buffer of the flattend buffer
+ *    "arg" ptr to void used by cryptographic resurrect
+ *  returns resurected context;
+ */
+extern MD2Context * MD2_Resurrect(unsigned char *space, void *arg);
+
+/******************************************/
+/*
+** SHA-1 secure hash function
+*/
+
+/*
+** Hash a null terminated string "src" into "dest" using SHA-1
+*/
+extern SECStatus SHA1_Hash(unsigned char *dest, const char *src);
+
+/*
+** Hash a non-null terminated string "src" into "dest" using SHA-1
+*/
+extern SECStatus SHA1_HashBuf(unsigned char *dest, const unsigned char *src,
+			      uint32 src_length);
+
+/*
+** Create a new SHA-1 context
+*/
+extern SHA1Context *SHA1_NewContext(void);
+
+
+/*
+** Destroy a SHA-1 secure hash context.
+**	"cx" the context
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void SHA1_DestroyContext(SHA1Context *cx, PRBool freeit);
+
+/*
+** Reset a SHA-1 context, preparing it for a fresh round of hashing
+*/
+extern void SHA1_Begin(SHA1Context *cx);
+
+/*
+** Update the SHA-1 hash function with more data.
+**	"cx" the context
+**	"input" the data to hash
+**	"inputLen" the amount of data to hash
+*/
+extern void SHA1_Update(SHA1Context *cx, const unsigned char *input,
+			unsigned int inputLen);
+
+/*
+** Finish the SHA-1 hash function. Produce the digested results in "digest"
+**	"cx" the context
+**	"digest" where the 16 bytes of digest data are stored
+**	"digestLen" where the digest length (20) is stored
+**	"maxDigestLen" the maximum amount of data that can ever be
+**	   stored in "digest"
+*/
+extern void SHA1_End(SHA1Context *cx, unsigned char *digest,
+		     unsigned int *digestLen, unsigned int maxDigestLen);
+
+/*
+** trace the intermediate state info of the SHA1 hash.
+*/
+extern void SHA1_TraceState(SHA1Context *cx);
+
+/*
+ * Return the the size of a buffer needed to flatten the SHA-1 Context into
+ *    "cx" the context
+ *  returns size;
+ */
+extern unsigned int SHA1_FlattenSize(SHA1Context *cx);
+
+/*
+ * Flatten the SHA-1 Context into a buffer:
+ *    "cx" the context
+ *    "space" the buffer to flatten to
+ *  returns status;
+ */
+extern SECStatus SHA1_Flatten(SHA1Context *cx,unsigned char *space);
+
+/*
+ * Resurrect a flattened context into a SHA-1 Context
+ *    "space" the buffer of the flattend buffer
+ *    "arg" ptr to void used by cryptographic resurrect
+ *  returns resurected context;
+ */
+extern SHA1Context * SHA1_Resurrect(unsigned char *space, void *arg);
+
+
+/******************************************/
+/*
+** Pseudo Random Number Generation.  FIPS compliance desirable.
+*/
+
+/*
+** Initialize the global RNG context and give it some seed input taken
+** from the system.  This function is thread-safe and will only allow
+** the global context to be initialized once.  The seed input is likely
+** small, so it is imperative that RNG_RandomUpdate() be called with
+** additional seed data before the generator is used.  A good way to
+** provide the generator with additional entropy is to call
+** RNG_SystemInfoForRNG().  Note that NSS_Init() does exactly that.
+*/
+extern SECStatus RNG_RNGInit(void);
+
+/*
+** Update the global random number generator with more seeding
+** material
+*/
+extern SECStatus RNG_RandomUpdate(const void *data, size_t bytes);
+
+/*
+** Generate some random bytes, using the global random number generator
+** object.
+*/
+extern SECStatus RNG_GenerateGlobalRandomBytes(void *dest, size_t len);
+
+/* Destroy the global RNG context.  After a call to RNG_RNGShutdown()
+** a call to RNG_RNGInit() is required in order to use the generator again,
+** along with seed data (see the comment above RNG_RNGInit()).
+*/
+extern void  RNG_RNGShutdown(void);
+
+
+/* Generate PQGParams and PQGVerify structs.
+ * Length of seed and length of h both equal length of P. 
+ * All lengths are specified by "j", according to the table above.
+ */
+extern SECStatus
+PQG_ParamGen(unsigned int j, 	   /* input : determines length of P. */
+             PQGParams **pParams,  /* output: P Q and G returned here */
+	     PQGVerify **pVfy);    /* output: counter and seed. */
+
+/* Generate PQGParams and PQGVerify structs.
+ * Length of P specified by j.  Length of h will match length of P.
+ * Length of SEED in bytes specified in seedBytes.
+ * seedBbytes must be in the range [20..255] or an error will result.
+ */
+extern SECStatus
+PQG_ParamGenSeedLen(
+             unsigned int j, 	     /* input : determines length of P. */
+	     unsigned int seedBytes, /* input : length of seed in bytes.*/
+             PQGParams **pParams,    /* output: P Q and G returned here */
+	     PQGVerify **pVfy);      /* output: counter and seed. */
+
+
+/*  Test PQGParams for validity as DSS PQG values.
+ *  If vfy is non-NULL, test PQGParams to make sure they were generated
+ *       using the specified seed, counter, and h values.
+ *
+ *  Return value indicates whether Verification operation ran succesfully
+ *  to completion, but does not indicate if PQGParams are valid or not.
+ *  If return value is SECSuccess, then *pResult has these meanings:
+ *       SECSuccess: PQGParams are valid.
+ *       SECFailure: PQGParams are invalid.
+ *
+ * Verify the following 12 facts about PQG counter SEED g and h
+ * 1.  Q is 160 bits long.
+ * 2.  P is one of the 9 valid lengths.
+ * 3.  G < P
+ * 4.  P % Q == 1
+ * 5.  Q is prime
+ * 6.  P is prime
+ * Steps 7-12 are done only if the optional PQGVerify is supplied.
+ * 7.  counter < 4096
+ * 8.  g >= 160 and g < 2048   (g is length of seed in bits)
+ * 9.  Q generated from SEED matches Q in PQGParams.
+ * 10. P generated from (L, counter, g, SEED, Q) matches P in PQGParams.
+ * 11. 1 < h < P-1
+ * 12. G generated from h matches G in PQGParams.
+ */
+
+extern SECStatus   PQG_VerifyParams(const PQGParams *params, 
+                                    const PQGVerify *vfy, SECStatus *result);
+
+
+/*
+ * clean-up any global tables freebl may have allocated after it starts up.
+ * This function is not thread safe and should be called only after the
+ * library has been quiessed.
+ */
+extern void BL_Cleanup(void);
+
+/**************************************************************************
+ *  Free the PQGParams struct and the things it points to.                *
+ **************************************************************************/
+extern void PQG_DestroyParams(PQGParams *params);
+
+/**************************************************************************
+ *  Free the PQGVerify struct and the things it points to.                *
+ **************************************************************************/
+extern void PQG_DestroyVerify(PQGVerify *vfy);
+
+SEC_END_PROTOS
+
+#endif /* _BLAPI_H_ */
diff --git a/security/nss/lib/freebl/blapi_bsf.c b/security/nss/lib/freebl/blapi_bsf.c
new file mode 100644
index 000000000..1204306d9
--- /dev/null
+++ b/security/nss/lib/freebl/blapi_bsf.c
@@ -0,0 +1,2114 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.	Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.	If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*****************************************************************************
+**
+**	Implementation of BLAPI using RSA BSAFE Crypto-C 4.1
+**
+******************************************************************************/
+
+/*
+**  Notes:
+**
+**  1.  SHA1, MD2, and MD5 are not implemented here.  This is because 
+**      BSAFE Crypto-C 4.1 does not provide a mechanism for saving and 
+**      restoring intermediate hash values.  BLAPI uses the functions 
+**      <hash>_Flatten and <hash>_Resurrect to accomplish this, so the 
+**      hashes are implemented elsewhere.
+**
+**  2.  The DSA and PQG functions which use seeds are not consistent across
+**      implementations.  In this BSAFE-dependent implementation of BLAPI, 
+**      the seed is understood to be an initial value sent to a random number 
+**      generator used during the key/param generation.  In the implementation
+**      used by Netscape-branded products, the seed is understood to be actual 
+**      bytes used for the creation of a key or parameters.  This means that 
+**      while the BSAFE-dependent implementation may be self-consistent (using 
+**      the same seed will produce the same key/parameters), it is not 
+**      consistent with the Netscape-branded implementation.  
+**      Also, according to the BSAFE Crypto-C 4.0 Library Reference Manual, the
+**      SHA1 Random Number Generator is implemented according to the X9.62
+**      Draft Standard.  Random number generation in the Netscape-branded
+**      implementation of BLAPI is compliant with FIPS-186, thus random
+**      numbers generated using the same seed will differ across 
+**      implementations.
+**
+**  3.  PQG_VerifyParams is not implemented here.  BSAFE Crypto-C 4.1 
+**      allows access to the seed and counter values used in generating
+**      p and q, but does not provide a mechanism for verifying that
+**      p, q, and g were generated from that seed and counter.  At this
+**      time, this implementation will set a PR_NOT_IMPLEMENTED_ERROR 
+**      in a call to PQG_VerifyParams.
+**
+*/
+
+#include "prerr.h"
+#include "secerr.h"
+
+/* BSAFE headers */
+#include "aglobal.h"
+#include "bsafe.h"
+
+/* BLAPI definition */
+#include "blapi.h"
+
+/* default block sizes for algorithms */
+#define DES_BLOCK_SIZE       8
+#define RC2_BLOCK_SIZE       8
+#define RC5_BLOCK_SIZE       8
+
+#define MAX_RC5_KEY_BYTES 255
+#define MAX_RC5_ROUNDS    255
+#define RC5_VERSION_NUMBER   0x10
+
+#define SECITEMFROMITEM(arena, to, from) \
+	tmp.data = from.data; tmp.len = from.len; to.type = siBuffer; \
+	if (SECITEM_CopyItem(arena, &to, &tmp) != SECSuccess) goto loser;
+
+#define ITEMFROMSECITEM(to, from) \
+	to.data = from.data; to.len = from.len;
+
+static const B_ALGORITHM_METHOD *rand_chooser[] = {
+	&AM_SHA_RANDOM,
+	(B_ALGORITHM_METHOD *)NULL_PTR
+};
+
+static B_ALGORITHM_OBJ 
+generateRandomAlgorithm(int numBytes, unsigned char *seedData)
+{
+	SECItem seed = { siBuffer, 0, 0 };
+	B_ALGORITHM_OBJ randomAlgorithm = NULL_PTR;
+	int status;
+
+	/*  Allocate space for random seed.  */
+	if (seedData) {
+		seed.len = numBytes;
+		seed.data = seedData;
+	} else {
+		if (SECITEM_AllocItem(NULL, &seed, numBytes) == NULL) {
+			PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+			goto loser;
+		}
+		if ((status = RNG_GenerateGlobalRandomBytes(seed.data, seed.len)) 
+		     != 0) {
+			PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+			goto loser;
+		}
+	}
+
+	/*  Generate the random seed.  */
+	if ((status = B_CreateAlgorithmObject(&randomAlgorithm)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	if ((status = B_SetAlgorithmInfo(randomAlgorithm, AI_SHA1Random, 
+	                                 NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+		goto loser;
+	}
+
+	if ((status = B_RandomInit(randomAlgorithm, rand_chooser,
+	                           (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+		goto loser;
+	}
+
+	if ((status = B_RandomUpdate(randomAlgorithm, seed.data, seed.len,
+	                             (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		goto loser;
+	}
+
+	if (seedData == NULL)
+		SECITEM_FreeItem(&seed, PR_FALSE);
+
+	return randomAlgorithm;
+
+loser:
+	if (randomAlgorithm != NULL_PTR)
+		B_DestroyAlgorithmObject(&randomAlgorithm);
+	if (seedData == NULL)
+		SECITEM_FreeItem(&seed, PR_FALSE);
+	return NULL_PTR;
+}
+
+/*****************************************************************************
+** BLAPI implementation of DES
+******************************************************************************/
+
+struct DESContextStr {
+    B_ALGORITHM_OBJ     algobj;
+	B_ALGORITHM_METHOD *alg_chooser[3];
+	B_KEY_OBJ           keyobj;
+};
+
+DESContext *
+DES_CreateContext(unsigned char *key, unsigned char *iv,
+                  int mode, PRBool encrypt)
+{
+    /* BLAPI */
+	DESContext *cx;
+	/* BSAFE */
+	B_BLK_CIPHER_W_FEEDBACK_PARAMS fbParams;
+	ITEM                           ivItem;
+	unsigned int                   blockLength = DES_BLOCK_SIZE;
+	int status;
+
+	cx = (DESContext *)PORT_ZAlloc(sizeof(DESContext));
+	if (cx == NULL) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		return NULL;
+	}
+
+	/* Create an encryption object. */
+	cx->algobj = (B_ALGORITHM_OBJ)NULL_PTR;
+	if ((status = B_CreateAlgorithmObject(&cx->algobj)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	/* Set the IV. */
+	ivItem.data = iv;
+	ivItem.len = DES_BLOCK_SIZE;
+
+	/* Create the key. */
+	cx->keyobj = (B_KEY_OBJ)NULL_PTR;
+	if ((status = B_CreateKeyObject(&cx->keyobj)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	/* Set fields common to all DES modes. */
+	fbParams.encryptionParams     = NULL_PTR;
+	fbParams.paddingMethodName    = (unsigned char *)"nopad";
+	fbParams.paddingParams        = NULL_PTR;
+
+	/* Set mode-specific fields. */
+	switch (mode) {
+	case NSS_DES:
+		fbParams.encryptionMethodName = (unsigned char *)"des";
+		fbParams.feedbackMethodName   = (unsigned char *)"ecb";
+		fbParams.feedbackParams       = (POINTER)&blockLength;
+		if ((status = B_SetKeyInfo(cx->keyobj, KI_DES8Strong, (POINTER)key)) 
+		     != 0) {
+			PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+			goto loser;
+		}
+		if (encrypt) {
+			cx->alg_chooser[0] = &AM_DES_ENCRYPT;
+			cx->alg_chooser[1] = &AM_ECB_ENCRYPT;
+		} else {
+			cx->alg_chooser[0] = &AM_DES_DECRYPT;
+			cx->alg_chooser[1] = &AM_ECB_DECRYPT;
+		}
+		cx->alg_chooser[2] = (B_ALGORITHM_METHOD *)NULL_PTR;
+		break;
+
+	case NSS_DES_CBC:
+		fbParams.encryptionMethodName = (unsigned char *)"des";
+		fbParams.feedbackMethodName   = (unsigned char *)"cbc";
+		fbParams.feedbackParams       = (POINTER)&ivItem;
+		if ((status = B_SetKeyInfo(cx->keyobj, KI_DES8Strong, (POINTER)key)) 
+		     != 0) {
+			PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+			goto loser;
+		}
+		if (encrypt) {
+			cx->alg_chooser[0] = &AM_DES_ENCRYPT;
+			cx->alg_chooser[1] = &AM_CBC_ENCRYPT;
+		} else {
+			cx->alg_chooser[0] = &AM_DES_DECRYPT;
+			cx->alg_chooser[1] = &AM_CBC_DECRYPT;
+		}
+		cx->alg_chooser[2] = (B_ALGORITHM_METHOD *)NULL_PTR;
+		break;
+
+	case NSS_DES_EDE3:
+		fbParams.encryptionMethodName = (unsigned char *)"des_ede";
+		fbParams.feedbackMethodName   = (unsigned char *)"ecb";
+		fbParams.feedbackParams       = (POINTER)&blockLength;
+		if ((status = B_SetKeyInfo(cx->keyobj, KI_DES24Strong, (POINTER)key)) 
+		     != 0) {
+			PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+			goto loser;
+		}
+		if (encrypt) {
+			cx->alg_chooser[0] = &AM_DES_EDE_ENCRYPT;
+			cx->alg_chooser[1] = &AM_ECB_ENCRYPT;
+		} else {
+			cx->alg_chooser[0] = &AM_DES_EDE_DECRYPT;
+			cx->alg_chooser[1] = &AM_ECB_DECRYPT;
+		}
+		cx->alg_chooser[2] = (B_ALGORITHM_METHOD *)NULL_PTR;
+		break;
+
+	case NSS_DES_EDE3_CBC:
+		fbParams.encryptionMethodName = (unsigned char *)"des_ede";
+		fbParams.feedbackMethodName   = (unsigned char *)"cbc";
+		fbParams.feedbackParams       = (POINTER)&ivItem;
+		if ((status = B_SetKeyInfo(cx->keyobj, KI_DES24Strong, (POINTER)key)) 
+		     != 0) {
+			PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+			goto loser;
+		}
+		if (encrypt) {
+			cx->alg_chooser[0] = &AM_DES_EDE_ENCRYPT;
+			cx->alg_chooser[1] = &AM_CBC_ENCRYPT;
+		} else {
+			cx->alg_chooser[0] = &AM_DES_EDE_DECRYPT;
+			cx->alg_chooser[1] = &AM_CBC_DECRYPT;
+		}
+		cx->alg_chooser[2] = (B_ALGORITHM_METHOD *)NULL_PTR;
+		break;
+
+	default:
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	if ((status = B_SetAlgorithmInfo(cx->algobj, AI_FeedbackCipher,
+	                                 (POINTER)&fbParams)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	return cx;
+
+loser:
+	DES_DestroyContext(cx, PR_TRUE);
+	return NULL;
+}
+
+void 
+DES_DestroyContext(DESContext *cx, PRBool freeit)
+{
+	if (freeit) {
+		PORT_Assert(cx != NULL);
+		if (cx == NULL) {
+			PORT_SetError(SEC_ERROR_INVALID_ARGS);
+			return;
+		}
+		if (cx->keyobj != NULL_PTR)
+			B_DestroyKeyObject(&cx->keyobj);
+		if (cx->algobj != NULL_PTR)
+			B_DestroyAlgorithmObject(&cx->algobj);
+		PORT_ZFree(cx, sizeof(DESContext));
+	}
+}
+
+SECStatus 
+DES_Encrypt(DESContext *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            unsigned char *input, unsigned int inputLen)
+{
+	unsigned int outputLenUpdate, outputLenFinal;
+	int status;
+
+	PORT_Assert(cx != NULL);
+	if (cx == NULL) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	PORT_Assert((inputLen & (DES_BLOCK_SIZE -1 )) == 0);
+	if (inputLen & (DES_BLOCK_SIZE -1 )) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	PORT_Assert(maxOutputLen >= inputLen); /* check for enough room */
+	if (maxOutputLen < inputLen) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+
+	if ((status = B_EncryptInit(cx->algobj, cx->keyobj, cx->alg_chooser,
+	                            (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	if ((status = B_EncryptUpdate(cx->algobj, 
+	                              output, 
+	                              &outputLenUpdate,
+	                              maxOutputLen, 
+	                              input, 
+	                              inputLen,
+	                              (B_ALGORITHM_OBJ)NULL_PTR,
+	                              (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		return SECFailure;
+	}
+	if ((status = B_EncryptFinal(cx->algobj, 
+	                             output + outputLenUpdate, 
+	                             &outputLenFinal, 
+	                             maxOutputLen - outputLenUpdate,
+	                             (B_ALGORITHM_OBJ)NULL_PTR,
+	                             (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		return SECFailure;
+	}
+	*outputLen = outputLenUpdate + outputLenFinal;
+	return SECSuccess;
+}
+
+SECStatus 
+DES_Decrypt(DESContext *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            unsigned char *input, unsigned int inputLen)
+{
+	unsigned int outputLenUpdate, outputLenFinal;
+	int status;
+	ptrdiff_t inpptr;
+	unsigned char *inp = NULL;
+	PRBool cpybuffer = PR_FALSE;
+
+	/*  The BSAFE Crypto-C 4.1 library with which we tested on a Sun 
+	 *  UltraSparc crashed when the input to an DES CBC decryption operation
+	 *  was not 4-byte aligned.
+	 *  So, we work around this problem by aligning unaligned input in a
+	 *  temporary buffer.
+	 */
+	inpptr = (ptrdiff_t)input;
+	if (inpptr & 0x03) {
+		inp = PORT_ZAlloc(inputLen);
+		if (inp == NULL) {
+			PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+			return SECFailure;
+		}
+		PORT_Memcpy(inp, input, inputLen);
+		cpybuffer = PR_TRUE;
+	} else {
+		inp = input;
+	}
+
+	PORT_Assert(cx != NULL);
+	if (cx == NULL) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+	PORT_Assert((inputLen & (DES_BLOCK_SIZE - 1)) == 0);
+	if (inputLen & (DES_BLOCK_SIZE - 1)) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+	PORT_Assert(maxOutputLen >= inputLen);  /* check for enough room */
+	if (maxOutputLen < inputLen) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	if ((status = B_DecryptInit(cx->algobj, cx->keyobj, cx->alg_chooser,
+	                            (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+	if ((status = B_DecryptUpdate(cx->algobj, 
+	                              output, 
+	                              &outputLenUpdate,
+	                              maxOutputLen, 
+	                              input, 
+	                              inputLen,
+	                              (B_ALGORITHM_OBJ)NULL_PTR,
+	                              (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		goto loser;
+	}
+	if ((status = B_DecryptFinal(cx->algobj, 
+	                             output + outputLenUpdate, 
+	                             &outputLenFinal, 
+	                             maxOutputLen - outputLenUpdate,
+	                             (B_ALGORITHM_OBJ)NULL_PTR,
+	                             (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		goto loser;
+	}
+	*outputLen = outputLenUpdate + outputLenFinal;
+
+	if (cpybuffer)
+		PORT_ZFree(inp, inputLen);
+	return SECSuccess;
+
+loser:
+	if (cpybuffer)
+		PORT_ZFree(inp, inputLen);
+	return SECFailure;
+}
+}
+
+/*****************************************************************************
+** BLAPI implementation of RC2
+******************************************************************************/
+
+struct RC2ContextStr
+{
+	B_ALGORITHM_OBJ     algobj;
+	B_ALGORITHM_METHOD *alg_chooser[6];
+	B_KEY_OBJ           keyobj;
+};
+
+RC2Context *
+RC2_CreateContext(unsigned char *key, unsigned int len,
+                  unsigned char *iv, int mode, unsigned effectiveKeyLen)
+{
+	/* BLAPI */
+	RC2Context *cx;
+	/* BSAFE */
+	B_BLK_CIPHER_W_FEEDBACK_PARAMS fbParams;
+	A_RC2_PARAMS                   rc2Params;
+	ITEM                           ivItem;
+	ITEM                           keyItem;
+	unsigned int                   blockLength = RC2_BLOCK_SIZE;
+	int status;
+
+	if (mode == NSS_RC2_CBC && iv == NULL) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return NULL;
+	}
+
+	cx = (RC2Context *)PORT_ZAlloc(sizeof(RC2Context));
+	if (cx == NULL) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		return NULL;
+	}
+	cx->algobj = (B_ALGORITHM_OBJ)NULL_PTR;
+	if ((status = B_CreateAlgorithmObject(&cx->algobj)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	cx->keyobj = (B_KEY_OBJ)NULL_PTR;
+	if ((status = B_CreateKeyObject(&cx->keyobj)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	rc2Params.effectiveKeyBits = effectiveKeyLen * BITS_PER_BYTE;
+	ivItem.data = iv;
+	ivItem.len = RC2_BLOCK_SIZE;
+
+	fbParams.encryptionMethodName = (unsigned char *)"rc2";
+	fbParams.encryptionParams = (POINTER)&rc2Params;
+	fbParams.paddingMethodName = (unsigned char *)"nopad";
+	fbParams.paddingParams = NULL_PTR;
+	cx->alg_chooser[0] = &AM_RC2_ENCRYPT;
+	cx->alg_chooser[1] = &AM_RC2_DECRYPT;
+	cx->alg_chooser[4] = &AM_SHA_RANDOM;
+	cx->alg_chooser[5] = (B_ALGORITHM_METHOD *)NULL;
+
+	switch (mode) {
+	case NSS_RC2:
+		fbParams.feedbackMethodName = (unsigned char *)"ecb";
+		fbParams.feedbackParams = (POINTER)&blockLength;
+		cx->alg_chooser[2] = &AM_ECB_ENCRYPT;
+		cx->alg_chooser[3] = &AM_ECB_DECRYPT;
+		break;
+	case NSS_RC2_CBC:
+		fbParams.feedbackMethodName = (unsigned char *)"cbc";
+		fbParams.feedbackParams = (POINTER)&ivItem;
+		cx->alg_chooser[2] = &AM_CBC_ENCRYPT;
+		cx->alg_chooser[3] = &AM_CBC_DECRYPT;
+		break;
+	default:
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	if ((status = B_SetAlgorithmInfo(cx->algobj, AI_FeedbackCipher,
+	                                 (POINTER)&fbParams)) != 0) {
+		PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+		goto loser;
+	}
+
+	keyItem.len = len;
+	keyItem.data = key;
+	if ((status = B_SetKeyInfo(cx->keyobj, KI_Item, (POINTER)&keyItem)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	return cx;
+
+loser:
+	RC2_DestroyContext(cx, PR_TRUE);
+	return NULL;
+}
+
+void 
+RC2_DestroyContext(RC2Context *cx, PRBool freeit)
+{
+	if (freeit) {
+		PORT_Assert(cx != NULL);
+		if (cx == NULL) {
+			PORT_SetError(SEC_ERROR_INVALID_ARGS);
+			return;
+		}
+		if (cx->keyobj != NULL_PTR)
+			B_DestroyKeyObject(&cx->keyobj);
+		if (cx->algobj != NULL_PTR)
+			B_DestroyAlgorithmObject(&cx->algobj);
+		PORT_ZFree(cx, sizeof(RC2Context));
+	}
+}
+
+SECStatus 
+RC2_Encrypt(RC2Context *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            unsigned char *input, unsigned int inputLen)
+{
+	int status;
+	unsigned int outputLenUpdate, outputLenFinal;
+
+	PORT_Assert(cx != NULL);
+	if (cx == NULL) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	PORT_Assert((inputLen & (RC2_BLOCK_SIZE - 1)) == 0);
+	if (inputLen & (RC2_BLOCK_SIZE - 1)) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	PORT_Assert(maxOutputLen >= inputLen);  /* check for enough room */
+	if (maxOutputLen < inputLen) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+
+	if ((status = B_EncryptInit(cx->algobj, cx->keyobj, cx->alg_chooser,
+	                            (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	if ((status = B_EncryptUpdate(cx->algobj, 
+	                              output, 
+	                              &outputLenUpdate,
+	                              maxOutputLen, 
+	                              input, 
+	                              inputLen,
+	                              (B_ALGORITHM_OBJ)NULL_PTR,
+	                              (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		return SECFailure;
+	}
+	if ((status = B_EncryptFinal(cx->algobj, 
+	                             output + outputLenUpdate,
+	                             &outputLenFinal, 
+	                             maxOutputLen - outputLenUpdate,
+	                             (B_ALGORITHM_OBJ)NULL_PTR,
+	                             (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		return SECFailure;
+	}
+	*outputLen = outputLenUpdate + outputLenFinal;
+	return SECSuccess;
+}
+
+SECStatus 
+RC2_Decrypt(RC2Context *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            unsigned char *input, unsigned int inputLen)
+{
+	int status;
+	unsigned int outputLenUpdate, outputLenFinal;
+	ptrdiff_t inpptr;
+	unsigned char *inp = NULL;
+	PRBool cpybuffer = PR_FALSE;
+
+	/*  The BSAFE Crypto-C 4.1 library with which we tested on a Sun 
+	 *  UltraSparc crashed when the input to an RC2 CBC decryption operation
+	 *  was not 4-byte aligned.
+	 *  So, we work around this problem by aligning unaligned input in a
+	 *  temporary buffer.
+	 */
+	inpptr = (ptrdiff_t)input;
+	if (inpptr & 0x03) {
+		inp = PORT_ZAlloc(inputLen);
+		if (inp == NULL) {
+			PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+			return SECFailure;
+		}
+		PORT_Memcpy(inp, input, inputLen);
+		cpybuffer = PR_TRUE;
+	} else {
+		inp = input;
+	}
+
+	PORT_Assert(cx != NULL);
+	if (cx == NULL) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+	PORT_Assert((inputLen & (RC2_BLOCK_SIZE - 1)) == 0);
+	if (inputLen & (RC2_BLOCK_SIZE - 1)) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+	PORT_Assert(maxOutputLen >= inputLen);  /* check for enough room */
+	if (maxOutputLen < inputLen) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	if ((status = B_DecryptInit(cx->algobj, cx->keyobj, cx->alg_chooser,
+	                            (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+	if ((status = B_DecryptUpdate(cx->algobj, 
+	                              output, 
+	                              &outputLenUpdate,
+	                              maxOutputLen, 
+	                              inp,
+	                              inputLen,
+	                              (B_ALGORITHM_OBJ)NULL_PTR,
+	                              (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		goto loser;
+	}
+	if ((status = B_DecryptFinal(cx->algobj, 
+	                             output + outputLenUpdate,
+	                             &outputLenFinal, 
+	                             maxOutputLen - outputLenUpdate,
+	                             (B_ALGORITHM_OBJ)NULL_PTR,
+	                             (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		goto loser;
+	}
+	*outputLen = outputLenUpdate + outputLenFinal;
+
+	if (cpybuffer)
+		PORT_ZFree(inp, inputLen);
+	return SECSuccess;
+
+loser:
+	if (cpybuffer)
+		PORT_ZFree(inp, inputLen);
+	return SECFailure;
+}
+
+/*****************************************************************************
+** BLAPI implementation of RC4
+******************************************************************************/
+
+struct RC4ContextStr
+{
+	B_ALGORITHM_OBJ     algobj;
+	B_ALGORITHM_METHOD *alg_chooser[3];
+	B_KEY_OBJ           keyobj;
+};
+
+RC4Context *
+RC4_CreateContext(unsigned char *key, int len)
+{
+	/* BLAPI */
+	RC4Context *cx;
+	/* BSAFE */
+	ITEM keyItem;
+	int status;
+
+	cx = (RC4Context *)PORT_ZAlloc(sizeof(RC4Context));
+	if (cx == NULL) {
+		/* set out of memory error */
+		return NULL;
+	}
+
+	cx->algobj = (B_ALGORITHM_OBJ)NULL_PTR;
+	if ((status = B_CreateAlgorithmObject(&cx->algobj)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	cx->keyobj = (B_KEY_OBJ)NULL_PTR;
+	if ((status = B_CreateKeyObject(&cx->keyobj)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	if ((status = B_SetAlgorithmInfo(cx->algobj, AI_RC4, NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+		goto loser;
+	}
+
+	cx->alg_chooser[0] = &AM_RC4_ENCRYPT;
+	cx->alg_chooser[1] = &AM_RC4_DECRYPT;
+	cx->alg_chooser[2] = (B_ALGORITHM_METHOD *)NULL;
+
+	keyItem.len = len;
+	keyItem.data = key;
+	if ((status = B_SetKeyInfo(cx->keyobj, KI_Item, (POINTER)&keyItem)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	return cx;
+
+loser:
+	RC4_DestroyContext(cx, PR_TRUE);
+	return NULL;
+}
+
+void 
+RC4_DestroyContext(RC4Context *cx, PRBool freeit)
+{
+	if (freeit) {
+		PORT_Assert(cx != NULL);
+		if (cx == NULL) {
+			PORT_SetError(SEC_ERROR_INVALID_ARGS);
+			return;
+		}
+		if (cx->keyobj != NULL_PTR)
+			B_DestroyKeyObject(&cx->keyobj);
+		if (cx->algobj != NULL_PTR)
+			B_DestroyAlgorithmObject(&cx->algobj);
+		PORT_ZFree(cx, sizeof(RC4Context));
+	}
+}
+
+SECStatus 
+RC4_Encrypt(RC4Context *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen)
+{
+	int status;
+	unsigned int outputLenUpdate, outputLenFinal;
+
+	PORT_Assert(cx != NULL);
+	if (cx == NULL) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	PORT_Assert(maxOutputLen >= inputLen);  /* check for enough room */
+	if (maxOutputLen < inputLen) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+
+	if ((status = B_EncryptInit(cx->algobj, cx->keyobj, cx->alg_chooser,
+	                            (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	if ((status = B_EncryptUpdate(cx->algobj, 
+	                              output, 
+	                              &outputLenUpdate,
+	                              maxOutputLen, 
+	                              input, 
+	                              inputLen,
+	                              (B_ALGORITHM_OBJ)NULL_PTR,
+	                              (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		return SECFailure;
+	}
+	if ((status = B_EncryptFinal(cx->algobj, 
+	                             output + outputLenUpdate,
+	                             &outputLenFinal, 
+	                             maxOutputLen - outputLenUpdate,
+	                             (B_ALGORITHM_OBJ)NULL_PTR,
+	                             (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		return SECFailure;
+	}
+	*outputLen = outputLenUpdate + outputLenFinal;
+	return SECSuccess;
+}
+
+SECStatus 
+RC4_Decrypt(RC4Context *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen)
+{
+	int status;
+	unsigned int outputLenUpdate, outputLenFinal;
+
+	PORT_Assert(cx != NULL);
+	if (cx == NULL) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	PORT_Assert(maxOutputLen >= inputLen);  /* check for enough room */
+	if (maxOutputLen < inputLen) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+
+	if ((status = B_DecryptInit(cx->algobj, cx->keyobj, cx->alg_chooser,
+	                            (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	if ((status = B_DecryptUpdate(cx->algobj, 
+	                              output, 
+	                              &outputLenUpdate,
+	                              maxOutputLen, 
+	                              input, 
+	                              inputLen,
+	                              (B_ALGORITHM_OBJ)NULL_PTR,
+	                              (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		return SECFailure;
+	}
+	if ((status = B_DecryptFinal(cx->algobj, 
+	                             output + outputLenUpdate,
+	                             &outputLenFinal, 
+	                             maxOutputLen - outputLenUpdate,
+	                             (B_ALGORITHM_OBJ)NULL_PTR,
+	                             (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		return SECFailure;
+	}
+	*outputLen = outputLenUpdate + outputLenFinal;
+	return SECSuccess;
+}
+
+
+/*****************************************************************************
+** BLAPI implementation of RC5
+******************************************************************************/
+
+struct RC5ContextStr
+{
+	B_ALGORITHM_OBJ     algobj;
+	B_ALGORITHM_METHOD *alg_chooser[6];
+	B_KEY_OBJ           keyobj;
+	unsigned int        blocksize;
+};
+
+RC5Context *
+RC5_CreateContext(SECItem *key, unsigned int rounds,
+                  unsigned int wordSize, unsigned char *iv, int mode)
+{
+	/* BLAPI */
+	RC5Context *cx;
+	/* BSAFE */
+	B_BLK_CIPHER_W_FEEDBACK_PARAMS fbParams;
+	A_RC5_PARAMS                   rc5Params;
+	ITEM                           keyItem;
+	ITEM                           ivItem;
+	unsigned int                   blocksize;
+	int status;
+
+	if (rounds > MAX_RC5_ROUNDS) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return NULL;
+	}
+	if (key->len > MAX_RC5_KEY_BYTES) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return NULL;
+	}
+	if (mode == NSS_RC5_CBC && (iv == NULL)) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return NULL;
+	}
+
+	cx = (RC5Context *)PORT_ZAlloc(sizeof(RC5Context));
+	if (cx == NULL) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		return NULL;
+	}
+	cx->algobj = (B_ALGORITHM_OBJ)NULL_PTR;
+	if ((status = B_CreateAlgorithmObject(&cx->algobj)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	cx->keyobj = (B_KEY_OBJ)NULL_PTR;
+	if ((status = B_CreateKeyObject(&cx->keyobj)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	rc5Params.version = RC5_VERSION_NUMBER;
+	rc5Params.rounds = rounds;
+	rc5Params.wordSizeInBits = wordSize * BITS_PER_BYTE;
+	if (rc5Params.wordSizeInBits == 64) {
+		fbParams.encryptionMethodName = (unsigned char *)"rc5_64";
+		cx->alg_chooser[0] = &AM_RC5_64ENCRYPT;
+		cx->alg_chooser[1] = &AM_RC5_64DECRYPT;
+	} else {
+		fbParams.encryptionMethodName = (unsigned char *)"rc5";
+		cx->alg_chooser[0] = &AM_RC5_ENCRYPT;
+		cx->alg_chooser[1] = &AM_RC5_DECRYPT;
+	}
+	fbParams.encryptionParams = (POINTER)&rc5Params;
+	fbParams.paddingMethodName = (unsigned char *)"nopad";
+	fbParams.paddingParams = NULL_PTR;
+	cx->alg_chooser[4] = &AM_SHA_RANDOM;
+	cx->alg_chooser[5] = (B_ALGORITHM_METHOD *)NULL;
+	switch (mode) {
+	case NSS_RC5:  
+		blocksize = 2 * wordSize;
+		cx->blocksize = blocksize;
+		fbParams.feedbackMethodName = (unsigned char *)"ecb";
+		fbParams.feedbackParams = (POINTER)&blocksize;
+		cx->alg_chooser[2] = &AM_ECB_ENCRYPT;
+		cx->alg_chooser[3] = &AM_ECB_DECRYPT;
+		break;
+	case NSS_RC5_CBC: 
+		ivItem.len = 2 * wordSize;
+		ivItem.data = iv;
+		cx->blocksize = RC5_BLOCK_SIZE;
+		fbParams.feedbackMethodName = (unsigned char *)"cbc";
+		fbParams.feedbackParams = (POINTER)&ivItem;
+		cx->alg_chooser[2] = &AM_CBC_ENCRYPT;
+		cx->alg_chooser[3] = &AM_CBC_DECRYPT;
+		break;
+	default:
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+	if ((status = B_SetAlgorithmInfo(cx->algobj, AI_FeedbackCipher,
+	                                 (POINTER)&fbParams)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	keyItem.len = key->len;
+	keyItem.data = key->data;
+	if ((status = B_SetKeyInfo(cx->keyobj, KI_Item, (POINTER)&keyItem)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	return cx;
+
+loser:
+	RC5_DestroyContext(cx, PR_TRUE);
+	return NULL;
+}
+
+void RC5_DestroyContext(RC5Context *cx, PRBool freeit)
+{
+	if (freeit) {
+		PORT_Assert(cx != NULL);
+		if (cx == NULL) {
+			PORT_SetError(SEC_ERROR_INVALID_ARGS);
+			return;
+		}
+		if (cx->keyobj != NULL_PTR)
+			B_DestroyKeyObject(&cx->keyobj);
+		if (cx->algobj != NULL_PTR)
+			B_DestroyAlgorithmObject(&cx->algobj);
+		PORT_ZFree(cx, sizeof(RC5Context));
+	}
+}
+
+SECStatus 
+RC5_Encrypt(RC5Context *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            unsigned char *input, unsigned int inputLen)
+{
+	int status;
+	unsigned int outputLenUpdate, outputLenFinal;
+
+	PORT_Assert(cx != NULL);
+	if (cx == NULL) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	PORT_Assert((inputLen & (RC5_BLOCK_SIZE - 1)) == 0);
+	if (inputLen & (RC5_BLOCK_SIZE - 1)) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	PORT_Assert(maxOutputLen >= inputLen);  /* check for enough room */
+	if (maxOutputLen < inputLen) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+
+	if ((status = B_EncryptInit(cx->algobj, cx->keyobj, cx->alg_chooser,
+	                            (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	if ((status = B_EncryptUpdate(cx->algobj, 
+	                              output, 
+	                              &outputLenUpdate,
+	                              maxOutputLen, 
+	                              input, 
+	                              inputLen,
+	                              (B_ALGORITHM_OBJ)NULL_PTR,
+	                              (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		return SECFailure;
+	}
+	if ((status = B_EncryptFinal(cx->algobj, 
+	                             output + outputLenUpdate,
+	                             &outputLenFinal, 
+	                             maxOutputLen - outputLenUpdate,
+	                             (B_ALGORITHM_OBJ)NULL_PTR,
+	                             (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		return SECFailure;
+	}
+	*outputLen = outputLenUpdate + outputLenFinal;
+	return SECSuccess;
+}
+
+SECStatus 
+RC5_Decrypt(RC5Context *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            unsigned char *input, unsigned int inputLen)
+{
+	int status;
+	unsigned int outputLenUpdate, outputLenFinal;
+	ptrdiff_t inpptr;
+	unsigned char *inp = NULL;
+	PRBool cpybuffer = PR_FALSE;
+
+	/*  The BSAFE Crypto-C 4.1 library with which we tested on a Sun 
+	 *  UltraSparc crashed when the input to an RC5 CBC decryption operation
+	 *  was not 4-byte aligned.
+	 *  So, we work around this problem by aligning unaligned input in a
+	 *  temporary buffer.
+	 */
+	inpptr = (ptrdiff_t)input;
+	if (inpptr & 0x03) {
+		inp = PORT_ZAlloc(inputLen);
+		if (inp == NULL) {
+			PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+			return SECFailure;
+		}
+		PORT_Memcpy(inp, input, inputLen);
+		cpybuffer = PR_TRUE;
+	} else {
+		inp = input;
+	}
+
+	PORT_Assert(cx != NULL);
+	if (cx == NULL) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	PORT_Assert((inputLen & (cx->blocksize - 1)) == 0);
+	if (inputLen & (cx->blocksize - 1)) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	PORT_Assert(maxOutputLen >= inputLen);  /* check for enough room */
+	if (maxOutputLen < inputLen) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+
+	if ((status = B_DecryptInit(cx->algobj, cx->keyobj, cx->alg_chooser,
+	                            (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	if ((status = B_DecryptUpdate(cx->algobj, 
+	                              output, 
+	                              &outputLenUpdate,
+	                              maxOutputLen, 
+	                              input, 
+	                              inputLen,
+	                              (B_ALGORITHM_OBJ)NULL_PTR,
+	                              (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		return SECFailure;
+	}
+	if ((status = B_DecryptFinal(cx->algobj, 
+	                             output + outputLenUpdate,
+	                             &outputLenFinal, 
+	                             maxOutputLen - outputLenUpdate,
+	                             (B_ALGORITHM_OBJ)NULL_PTR,
+	                             (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		return SECFailure;
+	}
+	*outputLen = outputLenUpdate + outputLenFinal;
+	return SECSuccess;
+}
+
+/*****************************************************************************
+** BLAPI implementation of RSA
+******************************************************************************/
+
+static const SECItem defaultPublicExponent = 
+{
+	siBuffer,
+	(unsigned char *)"\001\000\001",
+	3
+};
+
+static const B_ALGORITHM_METHOD *rsa_alg_chooser[] = {
+	&AM_SHA_RANDOM,
+	&AM_RSA_KEY_GEN,
+	&AM_RSA_ENCRYPT,
+	&AM_RSA_DECRYPT,
+	&AM_RSA_CRT_ENCRYPT,
+	&AM_RSA_CRT_DECRYPT,
+	(B_ALGORITHM_METHOD *)NULL_PTR
+};
+
+static SECStatus
+rsaZFreePrivateKeyInfo(A_PKCS_RSA_PRIVATE_KEY *privateKeyInfo)
+{
+	PORT_ZFree(privateKeyInfo->modulus.data, privateKeyInfo->modulus.len);
+	PORT_ZFree(privateKeyInfo->publicExponent.data, 
+	           privateKeyInfo->publicExponent.len);
+	PORT_ZFree(privateKeyInfo->privateExponent.data, 
+	           privateKeyInfo->privateExponent.len);
+	PORT_ZFree(privateKeyInfo->prime[0].data, privateKeyInfo->prime[0].len);
+	PORT_ZFree(privateKeyInfo->prime[1].data, privateKeyInfo->prime[1].len);
+	PORT_ZFree(privateKeyInfo->primeExponent[0].data, 
+	           privateKeyInfo->primeExponent[0].len);
+	PORT_ZFree(privateKeyInfo->primeExponent[1].data, 
+	           privateKeyInfo->primeExponent[1].len);
+	PORT_ZFree(privateKeyInfo->coefficient.data, 
+	           privateKeyInfo->coefficient.len);
+	return SECSuccess;
+}
+
+static SECStatus
+rsaConvertKeyInfoToBLKey(A_PKCS_RSA_PRIVATE_KEY *keyInfo, RSAPrivateKey *key)
+{
+	PRArenaPool *arena = key->arena;
+	SECItem tmp;
+
+	SECITEMFROMITEM(arena, key->modulus,         keyInfo->modulus);
+	SECITEMFROMITEM(arena, key->publicExponent,  keyInfo->publicExponent);
+	SECITEMFROMITEM(arena, key->privateExponent, keyInfo->privateExponent);
+	SECITEMFROMITEM(arena, key->prime1,          keyInfo->prime[0]);
+	SECITEMFROMITEM(arena, key->prime2,          keyInfo->prime[1]);
+	SECITEMFROMITEM(arena, key->exponent1,       keyInfo->primeExponent[0]);
+	SECITEMFROMITEM(arena, key->exponent2,       keyInfo->primeExponent[1]);
+	SECITEMFROMITEM(arena, key->coefficient,     keyInfo->coefficient);
+	/* Version field is to be handled at a higher level. */
+	key->version.data = NULL;
+	key->version.len = 0;
+	return SECSuccess;
+
+loser:
+	PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+	return SECFailure;
+}
+
+static SECStatus
+rsaConvertBLKeyToKeyInfo(RSAPrivateKey *key, A_PKCS_RSA_PRIVATE_KEY *keyInfo)
+{
+	ITEMFROMSECITEM(keyInfo->modulus,          key->modulus);
+	ITEMFROMSECITEM(keyInfo->publicExponent,   key->publicExponent);
+	ITEMFROMSECITEM(keyInfo->privateExponent,  key->privateExponent);
+	ITEMFROMSECITEM(keyInfo->prime[0],         key->prime1);
+	ITEMFROMSECITEM(keyInfo->prime[1],         key->prime2);
+	ITEMFROMSECITEM(keyInfo->primeExponent[0], key->exponent1);
+	ITEMFROMSECITEM(keyInfo->primeExponent[1], key->exponent2);
+	ITEMFROMSECITEM(keyInfo->coefficient,      key->coefficient);
+	return SECSuccess;
+}
+
+RSAPrivateKey *
+RSA_NewKey(int         keySizeInBits,
+           SECItem *   publicExponent)
+{
+	/* BLAPI */
+	RSAPrivateKey *privateKey;
+	/* BSAFE */
+	A_RSA_KEY_GEN_PARAMS    keygenParams;
+	A_PKCS_RSA_PRIVATE_KEY *privateKeyInfo = (A_PKCS_RSA_PRIVATE_KEY *)NULL_PTR;
+	B_ALGORITHM_OBJ         keypairGenerator = (B_ALGORITHM_OBJ)NULL_PTR;
+	B_ALGORITHM_OBJ         randomAlgorithm = NULL;
+	B_KEY_OBJ               publicKeyObj = (B_KEY_OBJ)NULL_PTR;
+	B_KEY_OBJ               privateKeyObj = (B_KEY_OBJ)NULL_PTR;
+	PRArenaPool *arena;
+	int status;
+
+	/*  Allocate space for key structure. */
+	arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
+	if (arena == NULL) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+	privateKey = (RSAPrivateKey *)PORT_ArenaZAlloc(arena, 
+	                                               sizeof(RSAPrivateKey));
+	if (privateKey == NULL) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+	privateKey->arena = arena;
+
+	randomAlgorithm = generateRandomAlgorithm(keySizeInBits / BITS_PER_BYTE, 0);
+	if (randomAlgorithm == NULL_PTR) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	if ((status = B_CreateAlgorithmObject(&keypairGenerator)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	if ((status = B_CreateKeyObject(&publicKeyObj)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	if ((status = B_CreateKeyObject(&privateKeyObj)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	if (publicExponent == NULL) publicExponent = &defaultPublicExponent;
+	keygenParams.modulusBits = keySizeInBits;
+	keygenParams.publicExponent.data = publicExponent->data;
+	keygenParams.publicExponent.len = publicExponent->len;
+
+	if ((status = B_SetAlgorithmInfo(keypairGenerator, AI_RSAKeyGen,
+	                                 (POINTER)&keygenParams)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	if ((status = B_GenerateInit(keypairGenerator, rsa_alg_chooser,
+	                             (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+		goto loser;
+	}
+
+	if ((status = B_GenerateKeypair(keypairGenerator, publicKeyObj,
+	                                privateKeyObj, randomAlgorithm,
+	                                (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	if ((status = B_GetKeyInfo((POINTER *)&privateKeyInfo, privateKeyObj,
+	                           KI_PKCS_RSAPrivate)) != 0) {
+		PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+		goto loser;
+	}
+
+	/*  Convert the BSAFE key info to an RSAPrivateKey.  */
+	if ((status = rsaConvertKeyInfoToBLKey(privateKeyInfo, privateKey)) != 0) {
+		goto loser;
+	}
+
+	B_DestroyAlgorithmObject(&publicKeyObj);
+	B_DestroyKeyObject(&publicKeyObj);
+	B_DestroyKeyObject(&privateKeyObj);
+	rsaZFreePrivateKeyInfo(privateKeyInfo);
+	B_DestroyAlgorithmObject(&randomAlgorithm);
+	return privateKey;
+
+loser:
+	if (keypairGenerator != NULL_PTR)
+		B_DestroyAlgorithmObject(&keypairGenerator);
+	if (publicKeyObj != NULL_PTR)
+		B_DestroyKeyObject(&publicKeyObj);
+	if (privateKeyObj != NULL_PTR)
+		B_DestroyKeyObject(&privateKeyObj);
+	if (privateKeyInfo != (A_PKCS_RSA_PRIVATE_KEY *)NULL_PTR)
+		rsaZFreePrivateKeyInfo(privateKeyInfo);
+	if (randomAlgorithm != NULL_PTR)
+		B_DestroyAlgorithmObject(&randomAlgorithm);
+	PORT_FreeArena(arena, PR_TRUE);
+	return NULL;
+}
+
+static unsigned int
+rsa_modulusLen(SECItem *modulus)
+{
+	unsigned char byteZero = modulus->data[0];
+	unsigned int modLen = modulus->len - !byteZero;
+	return modLen;
+}
+
+SECStatus 
+RSA_PublicKeyOp(RSAPublicKey *   key,
+                unsigned char *  output,
+                unsigned char *  input)
+{
+	B_ALGORITHM_OBJ rsaPubKeyAlg = (B_ALGORITHM_OBJ)NULL_PTR;
+	B_KEY_OBJ       publicKeyObj = (B_KEY_OBJ)NULL_PTR;
+	A_RSA_KEY       pubKeyInfo;
+	unsigned int outputLenUpdate;
+	unsigned int modulusLen;
+	int status;
+
+	PORT_Assert(key != NULL);
+	if (key == NULL) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+
+	if ((status = B_CreateAlgorithmObject(&rsaPubKeyAlg)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	if ((status = B_CreateKeyObject(&publicKeyObj)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	if ((status = B_SetAlgorithmInfo(rsaPubKeyAlg, AI_RSAPublic,
+	                                 NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+		goto loser;
+	}
+
+	modulusLen = rsa_modulusLen(&key->modulus);
+	pubKeyInfo.modulus.len = key->modulus.len;
+	pubKeyInfo.modulus.data = key->modulus.data;
+	pubKeyInfo.exponent.len = key->publicExponent.len;
+	pubKeyInfo.exponent.data = key->publicExponent.data;
+
+	if ((status = B_SetKeyInfo(publicKeyObj, KI_RSAPublic, 
+	                           (POINTER)&pubKeyInfo)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	if ((status = B_EncryptInit(rsaPubKeyAlg, publicKeyObj, rsa_alg_chooser,
+	                            (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+		goto loser;
+	}
+	if ((status = B_EncryptUpdate(rsaPubKeyAlg,
+	                              output, 
+	                              &outputLenUpdate,
+	                              modulusLen, 
+	                              input, 
+	                              modulusLen,
+	                              (B_ALGORITHM_OBJ)NULL_PTR,
+	                              (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		goto loser;
+	}
+	if ((status = B_EncryptFinal(rsaPubKeyAlg,
+	                             output + outputLenUpdate,
+	                             &outputLenUpdate, 
+	                             modulusLen - outputLenUpdate,
+	                             (B_ALGORITHM_OBJ)NULL_PTR,
+	                             (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		goto loser;
+	}
+
+	B_DestroyAlgorithmObject(&rsaPubKeyAlg);
+	B_DestroyAlgorithmObject(&publicKeyObj);
+	/*  Don't delete pubKeyInfo data -- it was a shallow copy.  */
+	return SECSuccess;
+
+loser:
+	if (rsaPubKeyAlg != NULL_PTR)
+		B_DestroyAlgorithmObject(&rsaPubKeyAlg);
+	if (publicKeyObj != NULL_PTR)
+		B_DestroyAlgorithmObject(&publicKeyObj);
+	return SECFailure;
+}
+
+SECStatus 
+RSA_PrivateKeyOp(RSAPrivateKey *  key,
+                 unsigned char *  output,
+                 unsigned char *  input)
+{
+	A_PKCS_RSA_PRIVATE_KEY privKeyInfo;
+	B_ALGORITHM_OBJ        rsaPrivKeyAlg = (B_ALGORITHM_OBJ)NULL_PTR;
+	B_KEY_OBJ              privateKeyObj = (B_KEY_OBJ)NULL_PTR;
+	unsigned int outputLenUpdate;
+	unsigned int modulusLen;
+	int status;
+
+	if ((status = B_CreateAlgorithmObject(&rsaPrivKeyAlg)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	if ((status = B_CreateKeyObject(&privateKeyObj)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	if ((status = B_SetAlgorithmInfo(rsaPrivKeyAlg, AI_RSAPrivate,
+	                                 NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+		goto loser;
+	}
+
+	if ((status = rsaConvertBLKeyToKeyInfo(key, &privKeyInfo)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	if ((status = B_SetKeyInfo(privateKeyObj, KI_PKCS_RSAPrivate,
+	                           (POINTER)&privKeyInfo)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	modulusLen = rsa_modulusLen(&key->modulus);
+
+	if ((status = B_DecryptInit(rsaPrivKeyAlg, privateKeyObj, rsa_alg_chooser,
+	                            (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+		goto loser;
+	}
+	if ((status = B_DecryptUpdate(rsaPrivKeyAlg,
+	                              output, 
+	                              &outputLenUpdate,
+	                              modulusLen, 
+	                              input, 
+	                              modulusLen,
+	                              (B_ALGORITHM_OBJ)NULL_PTR,
+	                              (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		goto loser;
+	}
+	if ((status = B_DecryptFinal(rsaPrivKeyAlg,
+	                             output + outputLenUpdate,
+	                             &outputLenUpdate, 
+	                             modulusLen - outputLenUpdate,
+	                             (B_ALGORITHM_OBJ)NULL_PTR,
+	                             (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		goto loser;
+	}
+
+	B_DestroyAlgorithmObject(&rsaPrivKeyAlg);
+	B_DestroyAlgorithmObject(&privateKeyObj);
+	/*  Don't delete privKeyInfo data -- it was a shallow copy.  */
+	return SECSuccess;
+
+loser:
+	if (rsaPrivKeyAlg != NULL_PTR)
+		B_DestroyAlgorithmObject(&rsaPrivKeyAlg);
+	if (privateKeyObj != NULL_PTR)
+		B_DestroyAlgorithmObject(&privateKeyObj);
+	return SECFailure;
+}
+
+/*
+ * this should check the operation!!!!
+ */
+SECStatus
+RSA_PrivateKeyOpDoubleChecked(RSAPrivateKey *key,
+                              unsigned char *output,
+                              const unsigned char *input)
+{
+    return RSA_PrivateKeyOp(key, output, input);
+}
+
+/*
+ * this should check the key!!!
+ */
+SECStatus
+RSA_PrivateKeyCheck(RSAPrivateKey *key)
+{
+    return SECSuccess;
+}
+
+/*****************************************************************************
+** BLAPI implementation of DSA
+******************************************************************************/
+
+static const B_ALGORITHM_METHOD *dsa_pk_gen_chooser[] = {
+	&AM_SHA_RANDOM,
+	&AM_DSA_PARAM_GEN,
+	&AM_DSA_KEY_GEN,
+	(B_ALGORITHM_METHOD *)NULL_PTR
+};
+
+static SECStatus
+dsaConvertKeyInfoToBLKey(A_DSA_PRIVATE_KEY *privateKeyInfo, 
+                         A_DSA_PUBLIC_KEY *publicKeyInfo, 
+                         DSAPrivateKey *privateKey)
+{
+	PRArenaPool *arena;
+	SECItem tmp;
+
+	arena = privateKey->params.arena;
+	SECITEMFROMITEM(arena, privateKey->params.prime, 
+	                       privateKeyInfo->params.prime);
+	SECITEMFROMITEM(arena, privateKey->params.subPrime, 
+	                       privateKeyInfo->params.subPrime);
+	SECITEMFROMITEM(arena, privateKey->params.base, 
+	                       privateKeyInfo->params.base);
+	SECITEMFROMITEM(arena, privateKey->privateValue,
+	                       privateKeyInfo->x);
+	SECITEMFROMITEM(arena, privateKey->publicValue,
+	                       publicKeyInfo->y);
+
+	return SECSuccess;
+
+loser:
+	PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+	return SECFailure;
+}
+
+static SECStatus
+dsaConvertBLKeyToPrKeyInfo(DSAPrivateKey *privateKey,
+                           A_DSA_PRIVATE_KEY *privateKeyInfo)
+{
+	ITEMFROMSECITEM(privateKeyInfo->params.prime, privateKey->params.prime)
+	ITEMFROMSECITEM(privateKeyInfo->params.subPrime,
+	                privateKey->params.subPrime);
+	ITEMFROMSECITEM(privateKeyInfo->params.base, privateKey->params.base);
+	ITEMFROMSECITEM(privateKeyInfo->x, privateKey->privateValue);
+	return SECSuccess;
+}
+
+static SECStatus
+dsaConvertBLKeyToPubKeyInfo(DSAPublicKey *publicKey,
+                            A_DSA_PUBLIC_KEY *publicKeyInfo)
+{
+	ITEMFROMSECITEM(publicKeyInfo->params.prime, publicKey->params.prime)
+	ITEMFROMSECITEM(publicKeyInfo->params.subPrime,
+	                publicKey->params.subPrime);
+	ITEMFROMSECITEM(publicKeyInfo->params.base, publicKey->params.base);
+	ITEMFROMSECITEM(publicKeyInfo->y, publicKey->publicValue);
+	return SECSuccess;
+}
+
+static SECStatus
+dsaZFreeKeyInfoParams(A_DSA_PARAMS *params)
+{
+	PORT_ZFree(params->prime.data, 
+	           params->prime.len);
+	PORT_ZFree(params->subPrime.data, 
+	           params->subPrime.len);
+	PORT_ZFree(params->base.data, 
+	           params->base.len);
+	return SECSuccess;
+}
+
+static SECStatus
+dsaZFreePrivateKeyInfo(A_DSA_PRIVATE_KEY *privateKeyInfo)
+{
+	dsaZFreeKeyInfoParams(&privateKeyInfo->params);
+	PORT_ZFree(privateKeyInfo->x.data,
+	           privateKeyInfo->x.len);
+	return SECSuccess;
+}
+
+static SECStatus
+dsaZFreePublicKeyInfo(A_DSA_PUBLIC_KEY *publicKeyInfo)
+{
+	dsaZFreeKeyInfoParams(&publicKeyInfo->params);
+	PORT_ZFree(publicKeyInfo->y.data,
+	           publicKeyInfo->y.len);
+	return SECSuccess;
+}
+
+SECStatus 
+DSA_NewKey(PQGParams *           params, 
+           DSAPrivateKey **      privKey)
+{
+	return DSA_NewKeyFromSeed(params, NULL, privKey);
+}
+
+SECStatus 
+DSA_SignDigest(DSAPrivateKey *   key,
+               SECItem *         signature,
+               SECItem *         digest)
+{
+	return DSA_SignDigestWithSeed(key, signature, digest, NULL);
+}
+
+SECStatus 
+DSA_VerifyDigest(DSAPublicKey *  key,
+                 SECItem *       signature,
+                 SECItem *       digest)
+{
+	B_ALGORITHM_OBJ           dsaVerifier = (B_ALGORITHM_OBJ)NULL_PTR;
+	B_KEY_OBJ                 publicKeyObj = (B_KEY_OBJ)NULL_PTR;
+	A_DSA_PUBLIC_KEY          publicKeyInfo;
+	const B_ALGORITHM_METHOD *dsa_verify_chooser[] = {
+	                            &AM_DSA_VERIFY,
+	                            (B_ALGORITHM_METHOD *)NULL_PTR
+	};
+	int status;
+
+	if ((status = B_CreateAlgorithmObject(&dsaVerifier)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	if ((status = B_CreateKeyObject(&publicKeyObj)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	if ((status = dsaConvertBLKeyToPubKeyInfo(key, &publicKeyInfo)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	if ((status = B_SetKeyInfo(publicKeyObj, KI_DSAPublic, 
+	                           (POINTER)&publicKeyInfo)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	if ((status = B_SetAlgorithmInfo(dsaVerifier, AI_DSA, NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+		goto loser;
+	}
+
+	if ((status = B_VerifyInit(dsaVerifier, publicKeyObj, dsa_verify_chooser,
+	                           (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+		goto loser;
+	}
+
+	if ((status = B_VerifyUpdate(dsaVerifier, digest->data, digest->len,
+	                             (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		goto loser;
+	}
+
+	if ((status = B_VerifyFinal(dsaVerifier, signature->data, signature->len,
+	                            (B_ALGORITHM_OBJ)NULL_PTR,
+	                            (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		if (status == BE_SIGNATURE) {
+			PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+		} else {
+			PORT_SetError(SEC_ERROR_BAD_DATA);
+			goto loser;
+		}
+	}
+
+	B_DestroyAlgorithmObject(&dsaVerifier);
+	B_DestroyKeyObject(&publicKeyObj);
+	/*  publicKeyInfo data is shallow copy */
+	return (status == BE_SIGNATURE) ? SECFailure : SECSuccess;
+
+loser:
+	if (dsaVerifier != NULL_PTR)
+		B_DestroyAlgorithmObject(&dsaVerifier);
+	if (publicKeyObj != NULL_PTR)
+		B_DestroyKeyObject(&publicKeyObj);
+	return SECFailure;
+}
+
+SECStatus 
+DSA_NewKeyFromSeed(PQGParams *params, unsigned char * seed,
+                   DSAPrivateKey **privKey)
+{
+	PRArenaPool *arena;
+	DSAPrivateKey *privateKey;
+	/* BSAFE */
+	B_ALGORITHM_OBJ           dsaKeyGenObj = (B_ALGORITHM_OBJ)NULL_PTR;
+	B_ALGORITHM_OBJ           randomAlgorithm = NULL_PTR;
+	A_DSA_PRIVATE_KEY        *privateKeyInfo = (A_DSA_PRIVATE_KEY *)NULL_PTR;
+	A_DSA_PUBLIC_KEY         *publicKeyInfo = (A_DSA_PUBLIC_KEY *)NULL_PTR;
+	A_DSA_PARAMS              dsaParamInfo;
+	B_KEY_OBJ                 publicKeyObj = (B_KEY_OBJ)NULL_PTR;
+	B_KEY_OBJ                 privateKeyObj = (B_KEY_OBJ)NULL_PTR;
+	int status;
+
+	/*  Allocate space for key structure. */
+	arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
+	if (arena == NULL) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+	privateKey = (DSAPrivateKey *)
+	              PORT_ArenaZAlloc(arena, sizeof(DSAPrivateKey));
+	if (privateKey == NULL) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+	privateKey->params.arena = arena;
+
+	if ((status = B_CreateAlgorithmObject(&dsaKeyGenObj)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	if ((status = B_CreateKeyObject(&publicKeyObj)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	if ((status = B_CreateKeyObject(&privateKeyObj)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	randomAlgorithm = generateRandomAlgorithm(DSA_SUBPRIME_LEN, seed);
+	if (randomAlgorithm == NULL_PTR) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	ITEMFROMSECITEM(dsaParamInfo.prime,    params->prime);
+	ITEMFROMSECITEM(dsaParamInfo.subPrime, params->subPrime);
+	ITEMFROMSECITEM(dsaParamInfo.base,     params->base);
+
+	if ((status = B_SetAlgorithmInfo(dsaKeyGenObj, AI_DSAKeyGen, 
+	                                 (POINTER)&dsaParamInfo)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	if ((status = B_GenerateInit(dsaKeyGenObj, dsa_pk_gen_chooser,
+	                             (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+		goto loser;
+	}
+
+	if ((status = B_GenerateKeypair(dsaKeyGenObj, publicKeyObj, privateKeyObj,
+	                                randomAlgorithm,
+	                                (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+		goto loser;
+	}
+
+	if ((status = B_GetKeyInfo((POINTER *)&privateKeyInfo, privateKeyObj,
+	                           KI_DSAPrivate)) != 0) {
+		PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+		goto loser;
+	}
+
+	if ((status = B_GetKeyInfo((POINTER *)&publicKeyInfo, publicKeyObj,
+	                           KI_DSAPublic)) != 0) {
+		PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+		goto loser;
+	}
+
+	if ((status = dsaConvertKeyInfoToBLKey(privateKeyInfo, publicKeyInfo,
+	                                       privateKey)) != 0) {
+		goto loser;
+	}
+
+	B_DestroyAlgorithmObject(&dsaKeyGenObj);
+	B_DestroyAlgorithmObject(&randomAlgorithm);
+	B_DestroyKeyObject(&publicKeyObj);
+	B_DestroyKeyObject(&privateKeyObj);
+	dsaZFreePrivateKeyInfo(privateKeyInfo);
+	dsaZFreePublicKeyInfo(publicKeyInfo);
+	/* dsaParamInfo contains only public info, no need to ZFree */
+
+	*privKey = privateKey;
+	return SECSuccess;
+
+loser:
+	if (dsaKeyGenObj != NULL_PTR)
+		B_DestroyAlgorithmObject(&dsaKeyGenObj);
+	if (randomAlgorithm != NULL_PTR)
+		B_DestroyAlgorithmObject(&randomAlgorithm);
+	if (privateKeyObj != NULL_PTR)
+		B_DestroyKeyObject(&privateKeyObj);
+	if (publicKeyObj != NULL_PTR)
+		B_DestroyKeyObject(&publicKeyObj);
+	if (privateKeyInfo != (A_DSA_PRIVATE_KEY *)NULL_PTR)
+		dsaZFreePrivateKeyInfo(privateKeyInfo);
+	if (publicKeyInfo != (A_DSA_PUBLIC_KEY *)NULL_PTR)
+		dsaZFreePublicKeyInfo(publicKeyInfo);
+	if (arena != NULL)
+		PORT_FreeArena(arena, PR_TRUE);
+	*privKey = NULL;
+	return SECFailure;
+}
+
+SECStatus 
+DSA_SignDigestWithSeed(DSAPrivateKey * key,
+                       SECItem *       signature,
+                       SECItem *       digest,
+                       unsigned char * seed)
+{
+	B_ALGORITHM_OBJ           dsaSigner = (B_ALGORITHM_OBJ)NULL_PTR;
+	B_ALGORITHM_OBJ           randomAlgorithm = NULL_PTR;
+	B_KEY_OBJ                 privateKeyObj = (B_KEY_OBJ)NULL_PTR;
+	A_DSA_PRIVATE_KEY         privateKeyInfo;
+	const B_ALGORITHM_METHOD *dsa_sign_chooser[] = {
+	                            &AM_DSA_SIGN,
+	                            (B_ALGORITHM_METHOD *)NULL_PTR
+	};
+	int status;
+	unsigned int siglen;
+
+	randomAlgorithm = generateRandomAlgorithm(DSA_SUBPRIME_LEN, seed);
+
+	if ((status = B_CreateAlgorithmObject(&dsaSigner)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	if ((status = B_CreateKeyObject(&privateKeyObj)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	if ((status = dsaConvertBLKeyToPrKeyInfo(key, &privateKeyInfo)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	if ((status = B_SetKeyInfo(privateKeyObj, KI_DSAPrivate, 
+	                           (POINTER)&privateKeyInfo)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	if ((status = B_SetAlgorithmInfo(dsaSigner, AI_DSA, NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	if ((status = B_SignInit(dsaSigner, privateKeyObj, dsa_sign_chooser,
+	                         (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	if ((status = B_SignUpdate(dsaSigner, digest->data, digest->len,
+	                           (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	if ((status = B_SignFinal(dsaSigner, signature->data, &siglen,
+	                          signature->len, randomAlgorithm,
+	                          (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	SECITEM_ReallocItem(NULL, signature, signature->len, siglen);
+	signature->len = siglen; /* shouldn't realloc do this? */
+
+	B_DestroyAlgorithmObject(&dsaSigner);
+	B_DestroyKeyObject(&privateKeyObj);
+	B_DestroyAlgorithmObject(&randomAlgorithm);
+	/*  privateKeyInfo is shallow copy */
+	return SECSuccess;
+
+loser:
+	if (dsaSigner != NULL_PTR)
+		B_DestroyAlgorithmObject(&dsaSigner);
+	if (privateKeyObj != NULL_PTR)
+		B_DestroyKeyObject(&privateKeyObj);
+	if (randomAlgorithm != NULL_PTR)
+		B_DestroyAlgorithmObject(&randomAlgorithm);
+	return SECFailure;
+}
+
+SECStatus
+PQG_ParamGen(unsigned int j, 	   /* input : determines length of P. */
+             PQGParams **pParams,  /* output: P Q and G returned here */
+             PQGVerify **pVfy)     /* output: counter and seed. */
+{
+	return PQG_ParamGenSeedLen(j, DSA_SUBPRIME_LEN, pParams, pVfy);
+}
+
+SECStatus
+PQG_ParamGenSeedLen(
+                  unsigned int j,         /* input : determines length of P. */
+                  unsigned int seedBytes, /* input : length of seed in bytes.*/
+                  PQGParams **pParams,    /* output: P Q and G returned here */
+                  PQGVerify **pVfy)       /* output: counter and seed. */
+{
+	B_DSA_PARAM_GEN_PARAMS    dsaParams;
+	B_ALGORITHM_OBJ           dsaKeyGenObj = (B_ALGORITHM_OBJ)NULL_PTR;
+	B_ALGORITHM_OBJ           dsaParamGenerator = (B_ALGORITHM_OBJ)NULL_PTR;
+	B_ALGORITHM_OBJ           randomAlgorithm = NULL_PTR;
+	A_DSA_PARAMS             *dsaParamInfo;
+	SECItem tmp;
+	PQGParams *params;
+	PRArenaPool *arena;
+	int status;
+
+	if (!pParams || j > 8) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+
+	/*  Allocate space for key structure. */
+	arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
+	if (arena == NULL) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+	params = (PQGParams *)PORT_ArenaZAlloc(arena, sizeof(PQGParams));
+	if (params == NULL) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+	params->arena = arena;
+
+	if ((status = B_CreateAlgorithmObject(&dsaParamGenerator)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	if ((status = B_CreateAlgorithmObject(&dsaKeyGenObj)) != 0) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		goto loser;
+	}
+
+	randomAlgorithm = generateRandomAlgorithm(seedBytes, NULL);
+
+	dsaParams.primeBits = 512 + (j * 64);
+	if ((status = B_SetAlgorithmInfo(dsaParamGenerator, AI_DSAParamGen,
+	                                 (POINTER)&dsaParams)) != 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		goto loser;
+	}
+
+	if ((status = B_GenerateInit(dsaParamGenerator, dsa_pk_gen_chooser,
+	                             (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+		goto loser;
+	}
+
+	if ((status = B_GenerateParameters(dsaParamGenerator, dsaKeyGenObj,
+	                                   randomAlgorithm,
+	                                   (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+		goto loser;
+	}
+
+	if ((status = B_GetAlgorithmInfo((POINTER *)&dsaParamInfo, dsaKeyGenObj,
+	                                 AI_DSAKeyGen)) != 0) {
+		PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+		goto loser;
+	}
+
+	SECITEMFROMITEM(arena, params->prime,    dsaParamInfo->prime);
+	SECITEMFROMITEM(arena, params->subPrime, dsaParamInfo->subPrime);
+	SECITEMFROMITEM(arena, params->base,     dsaParamInfo->base);
+
+	B_DestroyAlgorithmObject(&dsaKeyGenObj);
+	B_DestroyAlgorithmObject(&dsaParamGenerator);
+	B_DestroyAlgorithmObject(&randomAlgorithm);
+	dsaZFreeKeyInfoParams(dsaParamInfo);
+
+	*pParams = params;
+	return SECSuccess;
+
+loser:
+	if (dsaParamGenerator != NULL_PTR)
+		B_DestroyAlgorithmObject(&dsaParamGenerator);
+	if (dsaKeyGenObj != NULL_PTR)
+		B_DestroyAlgorithmObject(&dsaKeyGenObj);
+	if (randomAlgorithm != NULL_PTR)
+		B_DestroyAlgorithmObject(&randomAlgorithm);
+	if (dsaParamInfo != NULL)
+		dsaZFreeKeyInfoParams(dsaParamInfo);
+	if (arena != NULL)
+		PORT_FreeArena(arena, PR_TRUE);
+	*pParams = NULL;
+	return SECFailure;
+}
+
+SECStatus
+PQG_VerifyParams(const PQGParams *params, 
+                 const PQGVerify *vfy, SECStatus *result)
+{
+	/*  BSAFE does not provide access to h.
+	 *  Verification is thus skipped.
+	 */
+	PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+	return SECFailure;
+}
+
+/*  Destroy functions are implemented in util/pqgutil.c */
+
+/*****************************************************************************
+** BLAPI implementation of RNG
+******************************************************************************/
+
+static SECItem globalseed;
+static B_ALGORITHM_OBJ globalrng = NULL_PTR;
+
+SECStatus 
+RNG_RNGInit(void)
+{
+	int status;
+	PRInt32 nBytes;
+	if (globalrng == NULL) {
+		globalseed.len = 20;
+		globalseed.data = (unsigned char *)PORT_Alloc(globalseed.len);
+	} else {
+		B_DestroyAlgorithmObject(&globalrng);
+	}
+	nBytes = RNG_GetNoise(globalseed.data, globalseed.len);
+	globalrng = generateRandomAlgorithm(globalseed.len, globalseed.data);
+	if (globalrng == NULL_PTR) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		return SECFailure;
+	}
+	return SECSuccess;
+}
+
+SECStatus 
+RNG_RandomUpdate(const void *data, size_t bytes)
+{
+	int status;
+	if (data == NULL || bytes <= 0) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	if (globalrng == NULL_PTR) {
+		PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+		return SECFailure;
+	}
+	if ((status = B_RandomUpdate(globalrng, data, bytes,
+	                             (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		return SECFailure;
+	}
+	return SECSuccess;
+}
+
+SECStatus 
+RNG_GenerateGlobalRandomBytes(void *dest, size_t len)
+{
+	int status;
+	if (dest == NULL) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return SECFailure;
+	}
+	if (globalrng == NULL_PTR) {
+		PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+		return SECFailure;
+	}
+	if ((status = B_GenerateRandomBytes(globalrng, dest, len,
+	                                    (A_SURRENDER_CTX *)NULL_PTR)) != 0) {
+		PORT_SetError(SEC_ERROR_BAD_DATA);
+		return SECFailure;
+	}
+	return SECSuccess;
+}
+
+void 
+RNG_RNGShutdown(void)
+{
+	if (globalrng == NULL_PTR)
+		/* no-op */
+		return;
+	B_DestroyAlgorithmObject(&globalrng);
+	SECITEM_ZfreeItem(&globalseed, PR_FALSE);
+	globalrng = NULL_PTR;
+}
diff --git a/security/nss/lib/freebl/blapit.h b/security/nss/lib/freebl/blapit.h
new file mode 100644
index 000000000..0e1b2b0e2
--- /dev/null
+++ b/security/nss/lib/freebl/blapit.h
@@ -0,0 +1,230 @@
+/*
+ * blapit.h - public data structures for the crypto library
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#ifndef _BLAPIT_H_
+#define _BLAPIT_H_
+
+#include "seccomon.h"
+#include "plarena.h"
+
+/* RC2 operation modes */
+#define NSS_RC2			0
+#define NSS_RC2_CBC		1
+
+/* RC5 operation modes */
+#define NSS_RC5                 0
+#define NSS_RC5_CBC             1
+
+/* DES operation modes */
+#define NSS_DES			0
+#define NSS_DES_CBC		1
+#define NSS_DES_EDE3		2
+#define NSS_DES_EDE3_CBC	3
+
+#define DES_KEY_LENGTH		8	/* Bytes */
+
+/* AES operation modes */
+#define NSS_AES                 0
+#define NSS_AES_CBC             1
+
+#define DSA_SIGNATURE_LEN 	40	/* Bytes */
+#define DSA_SUBPRIME_LEN	20	/* Bytes */
+
+/*
+ * Number of bytes each hash algorithm produces
+ */
+#define MD2_LENGTH		16	/* Bytes */
+#define MD5_LENGTH		16	/* Bytes */
+#define SHA1_LENGTH		20	/* Bytes */
+
+#define NSS_FREEBL_DEFAULT_CHUNKSIZE 2048
+
+/*
+ * The FIPS 186 algorithm for generating primes P and Q allows only 9
+ * distinct values for the length of P, and only one value for the
+ * length of Q.
+ * The algorithm uses a variable j to indicate which of the 9 lengths
+ * of P is to be used.
+ * The following table relates j to the lengths of P and Q in bits.
+ *
+ *	j	bits in P	bits in Q
+ *	_	_________	_________
+ *	0	 512		160
+ *	1	 576		160
+ *	2	 640		160
+ *	3	 704		160
+ *	4	 768		160
+ *	5	 832		160
+ *	6	 896		160
+ *	7	 960		160
+ *	8	1024		160
+ *
+ * The FIPS-186 compliant PQG generator takes j as an input parameter.
+ */
+
+#define DSA_Q_BITS       160
+#define DSA_MAX_P_BITS	1024
+#define DSA_MIN_P_BITS	 512
+
+/*
+ * function takes desired number of bits in P,
+ * returns index (0..8) or -1 if number of bits is invalid.
+ */
+#define PQG_PBITS_TO_INDEX(bits) ((((bits)-512) % 64) ? -1 : (int)((bits)-512)/64)
+
+/*
+ * function takes index (0-8)
+ * returns number of bits in P for that index, or -1 if index is invalid.
+ */
+#define PQG_INDEX_TO_PBITS(j) (((unsigned)(j) > 8) ? -1 : (512 + 64 * (j)))
+
+
+/***************************************************************************
+** Opaque objects 
+*/
+
+struct DESContextStr        ;
+struct RC2ContextStr        ;
+struct RC4ContextStr        ;
+struct RC5ContextStr        ;
+struct AESContextStr        ;
+struct MD2ContextStr        ;
+struct MD5ContextStr        ;
+struct SHA1ContextStr       ;
+
+typedef struct DESContextStr        DESContext;
+typedef struct RC2ContextStr        RC2Context;
+typedef struct RC4ContextStr        RC4Context;
+typedef struct RC5ContextStr        RC5Context;
+typedef struct AESContextStr        AESContext;
+typedef struct MD2ContextStr        MD2Context;
+typedef struct MD5ContextStr        MD5Context;
+typedef struct SHA1ContextStr       SHA1Context;
+
+/***************************************************************************
+** RSA Public and Private Key structures
+*/
+
+/* member names from PKCS#1, section 7.1 */
+struct RSAPublicKeyStr {
+    PRArenaPool * arena;
+    SECItem modulus;
+    SECItem publicExponent;
+};
+typedef struct RSAPublicKeyStr RSAPublicKey;
+
+/* member names from PKCS#1, section 7.2 */
+struct RSAPrivateKeyStr {
+    PRArenaPool * arena;
+    SECItem version;
+    SECItem modulus;
+    SECItem publicExponent;
+    SECItem privateExponent;
+    SECItem prime1;
+    SECItem prime2;
+    SECItem exponent1;
+    SECItem exponent2;
+    SECItem coefficient;
+};
+typedef struct RSAPrivateKeyStr RSAPrivateKey;
+
+
+/***************************************************************************
+** DSA Public and Private Key and related structures
+*/
+
+struct PQGParamsStr {
+    PRArenaPool *arena;
+    SECItem prime;    /* p */
+    SECItem subPrime; /* q */
+    SECItem base;     /* g */
+    /* XXX chrisk: this needs to be expanded to hold j and validationParms (RFC2459 7.3.2) */
+};
+typedef struct PQGParamsStr PQGParams;
+
+struct PQGVerifyStr {
+    PRArenaPool * arena;	/* includes this struct, seed, & h. */
+    unsigned int  counter;
+    SECItem       seed;
+    SECItem       h;
+};
+typedef struct PQGVerifyStr PQGVerify;
+
+struct DSAPublicKeyStr {
+    PQGParams params;
+    SECItem publicValue;
+};
+typedef struct DSAPublicKeyStr DSAPublicKey;
+
+struct DSAPrivateKeyStr {
+    PQGParams params;
+    SECItem publicValue;
+    SECItem privateValue;
+};
+typedef struct DSAPrivateKeyStr DSAPrivateKey;
+
+/***************************************************************************
+** Diffie-Hellman Public and Private Key and related structures
+** Structure member names suggested by PKCS#3.
+*/
+
+struct DHParamsStr {
+    PRArenaPool * arena;
+    SECItem prime; /* p */
+    SECItem base; /* g */
+};
+typedef struct DHParamsStr DHParams;
+
+struct DHPublicKeyStr {
+    PRArenaPool * arena;
+    SECItem prime;
+    SECItem base;
+    SECItem publicValue;
+};
+typedef struct DHPublicKeyStr DHPublicKey;
+
+struct DHPrivateKeyStr {
+    PRArenaPool * arena;
+    SECItem prime;
+    SECItem base;
+    SECItem publicValue;
+    SECItem privateValue;
+};
+typedef struct DHPrivateKeyStr DHPrivateKey;
+
+
+#endif /* _BLAPIT_H_ */
diff --git a/security/nss/lib/freebl/config.mk b/security/nss/lib/freebl/config.mk
new file mode 100644
index 000000000..476e7743f
--- /dev/null
+++ b/security/nss/lib/freebl/config.mk
@@ -0,0 +1,101 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+# only do this in the outermost freebl build.
+ifndef FREEBL_RECURSIVE_BUILD
+# we only do this stuff for some of the 32-bit builds, no 64-bit builds
+ifndef USE_64
+
+ifeq ($(OS_TARGET), HP-UX)
+  FREEBL_EXTENDED_BUILD = 1
+endif
+
+ifeq ($(OS_TARGET),SunOS)
+  ifeq ($(CPU_ARCH),sparc)
+    FREEBL_EXTENDED_BUILD = 1
+  endif
+endif
+
+ifdef FREEBL_EXTENDED_BUILD
+# We're going to change this build so that it builds libfreebl.a with
+# just loader.c.  Then we have to build this directory twice again to 
+# build the two DSOs.
+# To build libfreebl.a with just loader.c, we must now override many
+# of the make variables setup by the prior inclusion of CORECONF's config.mk
+
+CSRCS		= loader.c sysrand.c
+SIMPLE_OBJS 	= $(CSRCS:.c=$(OBJ_SUFFIX))
+OBJS 		= $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(SIMPLE_OBJS))
+ALL_TRASH :=    $(TARGETS) $(OBJS) $(OBJDIR) LOGS TAGS $(GARBAGE) \
+                $(NOSUCHFILE) so_locations 
+endif
+
+#end of 32-bit only stuff.
+endif
+
+# Override the values defined in coreconf's ruleset.mk.
+#
+# - (1) LIBRARY: a static (archival) library
+# - (2) SHARED_LIBRARY: a shared (dynamic link) library
+# - (3) IMPORT_LIBRARY: an import library, used only on Windows
+# - (4) PROGRAM: an executable binary
+#
+# override these variables to prevent building a DSO/DLL.
+  TARGETS        = $(LIBRARY)
+  SHARED_LIBRARY =
+  IMPORT_LIBRARY =
+  PROGRAM        =
+
+else
+# This is a recursive build.  
+
+TARGETS	     = $(SHARED_LIBRARY)
+LIBRARY      =
+PROGRAM      =
+
+#ifeq ($(OS_TARGET), HP-UX)
+  EXTRA_LIBS        += \
+	$(DIST)/lib/libsecutil.$(LIB_SUFFIX) \
+	$(NULL)
+
+# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
+# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
+  EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib/ \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	-lc
+#endif
+
+endif
diff --git a/security/nss/lib/freebl/des.c b/security/nss/lib/freebl/des.c
new file mode 100644
index 000000000..9b44f8c35
--- /dev/null
+++ b/security/nss/lib/freebl/des.c
@@ -0,0 +1,683 @@
+/*
+ *  des.c
+ *
+ *  core source file for DES-150 library
+ *  Make key schedule from DES key.
+ *  Encrypt/Decrypt one 8-byte block.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the DES-150 library.
+ *
+ * The Initial Developer of the Original Code is Nelson B. Bolyard,
+ * nelsonb@iname.com.  Portions created by Nelson B. Bolyard are 
+ * Copyright (C) 1990, 2000  Nelson B. Bolyard, All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ */
+
+#include "des.h"
+#include <stddef.h>	/* for ptrdiff_t */
+/* #define USE_INDEXING 1 */
+
+/*
+ * The tables below are the 8 sbox functions, with the 6-bit input permutation 
+ * and the 32-bit output permutation pre-computed.
+ * They are shifted circularly to the left 3 bits, which removes 2 shifts
+ * and an or from each round by reducing the number of sboxes whose
+ * indices cross word broundaries from 2 to 1.  
+ */
+
+static const HALF SP[8][64] = {
+/* Box S1 */ { 
+	0x04041000, 0x00000000, 0x00040000, 0x04041010, 
+	0x04040010, 0x00041010, 0x00000010, 0x00040000, 
+	0x00001000, 0x04041000, 0x04041010, 0x00001000, 
+	0x04001010, 0x04040010, 0x04000000, 0x00000010, 
+	0x00001010, 0x04001000, 0x04001000, 0x00041000, 
+	0x00041000, 0x04040000, 0x04040000, 0x04001010, 
+	0x00040010, 0x04000010, 0x04000010, 0x00040010, 
+	0x00000000, 0x00001010, 0x00041010, 0x04000000, 
+	0x00040000, 0x04041010, 0x00000010, 0x04040000, 
+	0x04041000, 0x04000000, 0x04000000, 0x00001000, 
+	0x04040010, 0x00040000, 0x00041000, 0x04000010, 
+	0x00001000, 0x00000010, 0x04001010, 0x00041010, 
+	0x04041010, 0x00040010, 0x04040000, 0x04001010, 
+	0x04000010, 0x00001010, 0x00041010, 0x04041000, 
+	0x00001010, 0x04001000, 0x04001000, 0x00000000, 
+	0x00040010, 0x00041000, 0x00000000, 0x04040010
+    },
+/* Box S2 */ { 
+	0x00420082, 0x00020002, 0x00020000, 0x00420080, 
+	0x00400000, 0x00000080, 0x00400082, 0x00020082, 
+	0x00000082, 0x00420082, 0x00420002, 0x00000002, 
+	0x00020002, 0x00400000, 0x00000080, 0x00400082, 
+	0x00420000, 0x00400080, 0x00020082, 0x00000000, 
+	0x00000002, 0x00020000, 0x00420080, 0x00400002, 
+	0x00400080, 0x00000082, 0x00000000, 0x00420000, 
+	0x00020080, 0x00420002, 0x00400002, 0x00020080, 
+	0x00000000, 0x00420080, 0x00400082, 0x00400000, 
+	0x00020082, 0x00400002, 0x00420002, 0x00020000, 
+	0x00400002, 0x00020002, 0x00000080, 0x00420082, 
+	0x00420080, 0x00000080, 0x00020000, 0x00000002, 
+	0x00020080, 0x00420002, 0x00400000, 0x00000082, 
+	0x00400080, 0x00020082, 0x00000082, 0x00400080, 
+	0x00420000, 0x00000000, 0x00020002, 0x00020080, 
+	0x00000002, 0x00400082, 0x00420082, 0x00420000 
+    },
+/* Box S3 */ { 
+	0x00000820, 0x20080800, 0x00000000, 0x20080020, 
+	0x20000800, 0x00000000, 0x00080820, 0x20000800, 
+	0x00080020, 0x20000020, 0x20000020, 0x00080000, 
+	0x20080820, 0x00080020, 0x20080000, 0x00000820, 
+	0x20000000, 0x00000020, 0x20080800, 0x00000800, 
+	0x00080800, 0x20080000, 0x20080020, 0x00080820, 
+	0x20000820, 0x00080800, 0x00080000, 0x20000820, 
+	0x00000020, 0x20080820, 0x00000800, 0x20000000, 
+	0x20080800, 0x20000000, 0x00080020, 0x00000820, 
+	0x00080000, 0x20080800, 0x20000800, 0x00000000, 
+	0x00000800, 0x00080020, 0x20080820, 0x20000800, 
+	0x20000020, 0x00000800, 0x00000000, 0x20080020, 
+	0x20000820, 0x00080000, 0x20000000, 0x20080820, 
+	0x00000020, 0x00080820, 0x00080800, 0x20000020, 
+	0x20080000, 0x20000820, 0x00000820, 0x20080000, 
+	0x00080820, 0x00000020, 0x20080020, 0x00080800 
+    },
+/* Box S4 */ { 
+	0x02008004, 0x00008204, 0x00008204, 0x00000200, 
+	0x02008200, 0x02000204, 0x02000004, 0x00008004, 
+	0x00000000, 0x02008000, 0x02008000, 0x02008204, 
+	0x00000204, 0x00000000, 0x02000200, 0x02000004, 
+	0x00000004, 0x00008000, 0x02000000, 0x02008004, 
+	0x00000200, 0x02000000, 0x00008004, 0x00008200, 
+	0x02000204, 0x00000004, 0x00008200, 0x02000200, 
+	0x00008000, 0x02008200, 0x02008204, 0x00000204, 
+	0x02000200, 0x02000004, 0x02008000, 0x02008204, 
+	0x00000204, 0x00000000, 0x00000000, 0x02008000, 
+	0x00008200, 0x02000200, 0x02000204, 0x00000004, 
+	0x02008004, 0x00008204, 0x00008204, 0x00000200, 
+	0x02008204, 0x00000204, 0x00000004, 0x00008000, 
+	0x02000004, 0x00008004, 0x02008200, 0x02000204, 
+	0x00008004, 0x00008200, 0x02000000, 0x02008004, 
+	0x00000200, 0x02000000, 0x00008000, 0x02008200 
+    },
+/* Box S5 */ { 
+	0x00000400, 0x08200400, 0x08200000, 0x08000401, 
+	0x00200000, 0x00000400, 0x00000001, 0x08200000, 
+	0x00200401, 0x00200000, 0x08000400, 0x00200401, 
+	0x08000401, 0x08200001, 0x00200400, 0x00000001, 
+	0x08000000, 0x00200001, 0x00200001, 0x00000000, 
+	0x00000401, 0x08200401, 0x08200401, 0x08000400, 
+	0x08200001, 0x00000401, 0x00000000, 0x08000001, 
+	0x08200400, 0x08000000, 0x08000001, 0x00200400, 
+	0x00200000, 0x08000401, 0x00000400, 0x08000000, 
+	0x00000001, 0x08200000, 0x08000401, 0x00200401, 
+	0x08000400, 0x00000001, 0x08200001, 0x08200400, 
+	0x00200401, 0x00000400, 0x08000000, 0x08200001, 
+	0x08200401, 0x00200400, 0x08000001, 0x08200401, 
+	0x08200000, 0x00000000, 0x00200001, 0x08000001, 
+	0x00200400, 0x08000400, 0x00000401, 0x00200000, 
+	0x00000000, 0x00200001, 0x08200400, 0x00000401
+    },
+/* Box S6 */ { 
+	0x80000040, 0x81000000, 0x00010000, 0x81010040, 
+	0x81000000, 0x00000040, 0x81010040, 0x01000000, 
+	0x80010000, 0x01010040, 0x01000000, 0x80000040, 
+	0x01000040, 0x80010000, 0x80000000, 0x00010040, 
+	0x00000000, 0x01000040, 0x80010040, 0x00010000, 
+	0x01010000, 0x80010040, 0x00000040, 0x81000040, 
+	0x81000040, 0x00000000, 0x01010040, 0x81010000, 
+	0x00010040, 0x01010000, 0x81010000, 0x80000000, 
+	0x80010000, 0x00000040, 0x81000040, 0x01010000, 
+	0x81010040, 0x01000000, 0x00010040, 0x80000040, 
+	0x01000000, 0x80010000, 0x80000000, 0x00010040, 
+	0x80000040, 0x81010040, 0x01010000, 0x81000000, 
+	0x01010040, 0x81010000, 0x00000000, 0x81000040, 
+	0x00000040, 0x00010000, 0x81000000, 0x01010040, 
+	0x00010000, 0x01000040, 0x80010040, 0x00000000, 
+	0x81010000, 0x80000000, 0x01000040, 0x80010040 
+    },
+/* Box S7 */ { 
+	0x00800000, 0x10800008, 0x10002008, 0x00000000, 
+	0x00002000, 0x10002008, 0x00802008, 0x10802000, 
+	0x10802008, 0x00800000, 0x00000000, 0x10000008, 
+	0x00000008, 0x10000000, 0x10800008, 0x00002008, 
+	0x10002000, 0x00802008, 0x00800008, 0x10002000, 
+	0x10000008, 0x10800000, 0x10802000, 0x00800008, 
+	0x10800000, 0x00002000, 0x00002008, 0x10802008, 
+	0x00802000, 0x00000008, 0x10000000, 0x00802000, 
+	0x10000000, 0x00802000, 0x00800000, 0x10002008, 
+	0x10002008, 0x10800008, 0x10800008, 0x00000008, 
+	0x00800008, 0x10000000, 0x10002000, 0x00800000, 
+	0x10802000, 0x00002008, 0x00802008, 0x10802000, 
+	0x00002008, 0x10000008, 0x10802008, 0x10800000, 
+	0x00802000, 0x00000000, 0x00000008, 0x10802008, 
+	0x00000000, 0x00802008, 0x10800000, 0x00002000, 
+	0x10000008, 0x10002000, 0x00002000, 0x00800008 
+    },
+/* Box S8 */ { 
+	0x40004100, 0x00004000, 0x00100000, 0x40104100, 
+	0x40000000, 0x40004100, 0x00000100, 0x40000000, 
+	0x00100100, 0x40100000, 0x40104100, 0x00104000, 
+	0x40104000, 0x00104100, 0x00004000, 0x00000100, 
+	0x40100000, 0x40000100, 0x40004000, 0x00004100, 
+	0x00104000, 0x00100100, 0x40100100, 0x40104000, 
+	0x00004100, 0x00000000, 0x00000000, 0x40100100, 
+	0x40000100, 0x40004000, 0x00104100, 0x00100000, 
+	0x00104100, 0x00100000, 0x40104000, 0x00004000, 
+	0x00000100, 0x40100100, 0x00004000, 0x00104100, 
+	0x40004000, 0x00000100, 0x40000100, 0x40100000, 
+	0x40100100, 0x40000000, 0x00100000, 0x40004100, 
+	0x00000000, 0x40104100, 0x00100100, 0x40000100, 
+	0x40100000, 0x40004000, 0x40004100, 0x00000000, 
+	0x40104100, 0x00104000, 0x00104000, 0x00004100, 
+	0x00004100, 0x00100100, 0x40000000, 0x40104000 
+    }
+};
+
+static const HALF PC2[8][64] = {
+/* table 0 */ {
+    0x00000000, 0x00001000, 0x04000000, 0x04001000, 
+    0x00100000, 0x00101000, 0x04100000, 0x04101000, 
+    0x00008000, 0x00009000, 0x04008000, 0x04009000, 
+    0x00108000, 0x00109000, 0x04108000, 0x04109000, 
+    0x00000004, 0x00001004, 0x04000004, 0x04001004, 
+    0x00100004, 0x00101004, 0x04100004, 0x04101004, 
+    0x00008004, 0x00009004, 0x04008004, 0x04009004, 
+    0x00108004, 0x00109004, 0x04108004, 0x04109004, 
+    0x08000000, 0x08001000, 0x0c000000, 0x0c001000, 
+    0x08100000, 0x08101000, 0x0c100000, 0x0c101000, 
+    0x08008000, 0x08009000, 0x0c008000, 0x0c009000, 
+    0x08108000, 0x08109000, 0x0c108000, 0x0c109000, 
+    0x08000004, 0x08001004, 0x0c000004, 0x0c001004, 
+    0x08100004, 0x08101004, 0x0c100004, 0x0c101004, 
+    0x08008004, 0x08009004, 0x0c008004, 0x0c009004, 
+    0x08108004, 0x08109004, 0x0c108004, 0x0c109004
+  },
+/* table 1 */ {
+    0x00000000, 0x00002000, 0x80000000, 0x80002000, 
+    0x00000008, 0x00002008, 0x80000008, 0x80002008, 
+    0x00200000, 0x00202000, 0x80200000, 0x80202000, 
+    0x00200008, 0x00202008, 0x80200008, 0x80202008, 
+    0x20000000, 0x20002000, 0xa0000000, 0xa0002000, 
+    0x20000008, 0x20002008, 0xa0000008, 0xa0002008, 
+    0x20200000, 0x20202000, 0xa0200000, 0xa0202000, 
+    0x20200008, 0x20202008, 0xa0200008, 0xa0202008, 
+    0x00000400, 0x00002400, 0x80000400, 0x80002400, 
+    0x00000408, 0x00002408, 0x80000408, 0x80002408, 
+    0x00200400, 0x00202400, 0x80200400, 0x80202400, 
+    0x00200408, 0x00202408, 0x80200408, 0x80202408, 
+    0x20000400, 0x20002400, 0xa0000400, 0xa0002400, 
+    0x20000408, 0x20002408, 0xa0000408, 0xa0002408, 
+    0x20200400, 0x20202400, 0xa0200400, 0xa0202400, 
+    0x20200408, 0x20202408, 0xa0200408, 0xa0202408
+  },
+/* table 2 */ {
+    0x00000000, 0x00004000, 0x00000020, 0x00004020, 
+    0x00080000, 0x00084000, 0x00080020, 0x00084020, 
+    0x00000800, 0x00004800, 0x00000820, 0x00004820, 
+    0x00080800, 0x00084800, 0x00080820, 0x00084820, 
+    0x00000010, 0x00004010, 0x00000030, 0x00004030, 
+    0x00080010, 0x00084010, 0x00080030, 0x00084030, 
+    0x00000810, 0x00004810, 0x00000830, 0x00004830, 
+    0x00080810, 0x00084810, 0x00080830, 0x00084830, 
+    0x00400000, 0x00404000, 0x00400020, 0x00404020, 
+    0x00480000, 0x00484000, 0x00480020, 0x00484020, 
+    0x00400800, 0x00404800, 0x00400820, 0x00404820, 
+    0x00480800, 0x00484800, 0x00480820, 0x00484820, 
+    0x00400010, 0x00404010, 0x00400030, 0x00404030, 
+    0x00480010, 0x00484010, 0x00480030, 0x00484030, 
+    0x00400810, 0x00404810, 0x00400830, 0x00404830, 
+    0x00480810, 0x00484810, 0x00480830, 0x00484830 
+  },
+/* table 3 */ {
+    0x00000000, 0x40000000, 0x00000080, 0x40000080, 
+    0x00040000, 0x40040000, 0x00040080, 0x40040080, 
+    0x00000040, 0x40000040, 0x000000c0, 0x400000c0, 
+    0x00040040, 0x40040040, 0x000400c0, 0x400400c0, 
+    0x10000000, 0x50000000, 0x10000080, 0x50000080, 
+    0x10040000, 0x50040000, 0x10040080, 0x50040080, 
+    0x10000040, 0x50000040, 0x100000c0, 0x500000c0, 
+    0x10040040, 0x50040040, 0x100400c0, 0x500400c0, 
+    0x00800000, 0x40800000, 0x00800080, 0x40800080, 
+    0x00840000, 0x40840000, 0x00840080, 0x40840080, 
+    0x00800040, 0x40800040, 0x008000c0, 0x408000c0, 
+    0x00840040, 0x40840040, 0x008400c0, 0x408400c0, 
+    0x10800000, 0x50800000, 0x10800080, 0x50800080, 
+    0x10840000, 0x50840000, 0x10840080, 0x50840080, 
+    0x10800040, 0x50800040, 0x108000c0, 0x508000c0, 
+    0x10840040, 0x50840040, 0x108400c0, 0x508400c0 
+  },
+/* table 4 */ {
+    0x00000000, 0x00000008, 0x08000000, 0x08000008, 
+    0x00040000, 0x00040008, 0x08040000, 0x08040008, 
+    0x00002000, 0x00002008, 0x08002000, 0x08002008, 
+    0x00042000, 0x00042008, 0x08042000, 0x08042008, 
+    0x80000000, 0x80000008, 0x88000000, 0x88000008, 
+    0x80040000, 0x80040008, 0x88040000, 0x88040008, 
+    0x80002000, 0x80002008, 0x88002000, 0x88002008, 
+    0x80042000, 0x80042008, 0x88042000, 0x88042008, 
+    0x00080000, 0x00080008, 0x08080000, 0x08080008, 
+    0x000c0000, 0x000c0008, 0x080c0000, 0x080c0008, 
+    0x00082000, 0x00082008, 0x08082000, 0x08082008, 
+    0x000c2000, 0x000c2008, 0x080c2000, 0x080c2008, 
+    0x80080000, 0x80080008, 0x88080000, 0x88080008, 
+    0x800c0000, 0x800c0008, 0x880c0000, 0x880c0008, 
+    0x80082000, 0x80082008, 0x88082000, 0x88082008, 
+    0x800c2000, 0x800c2008, 0x880c2000, 0x880c2008 
+  },
+/* table 5 */ {
+    0x00000000, 0x00400000, 0x00008000, 0x00408000, 
+    0x40000000, 0x40400000, 0x40008000, 0x40408000, 
+    0x00000020, 0x00400020, 0x00008020, 0x00408020, 
+    0x40000020, 0x40400020, 0x40008020, 0x40408020, 
+    0x00001000, 0x00401000, 0x00009000, 0x00409000, 
+    0x40001000, 0x40401000, 0x40009000, 0x40409000, 
+    0x00001020, 0x00401020, 0x00009020, 0x00409020, 
+    0x40001020, 0x40401020, 0x40009020, 0x40409020, 
+    0x00100000, 0x00500000, 0x00108000, 0x00508000, 
+    0x40100000, 0x40500000, 0x40108000, 0x40508000, 
+    0x00100020, 0x00500020, 0x00108020, 0x00508020, 
+    0x40100020, 0x40500020, 0x40108020, 0x40508020, 
+    0x00101000, 0x00501000, 0x00109000, 0x00509000, 
+    0x40101000, 0x40501000, 0x40109000, 0x40509000, 
+    0x00101020, 0x00501020, 0x00109020, 0x00509020, 
+    0x40101020, 0x40501020, 0x40109020, 0x40509020 
+  },
+/* table 6 */ {
+    0x00000000, 0x00000040, 0x04000000, 0x04000040, 
+    0x00000800, 0x00000840, 0x04000800, 0x04000840, 
+    0x00800000, 0x00800040, 0x04800000, 0x04800040, 
+    0x00800800, 0x00800840, 0x04800800, 0x04800840, 
+    0x10000000, 0x10000040, 0x14000000, 0x14000040, 
+    0x10000800, 0x10000840, 0x14000800, 0x14000840, 
+    0x10800000, 0x10800040, 0x14800000, 0x14800040, 
+    0x10800800, 0x10800840, 0x14800800, 0x14800840, 
+    0x00000080, 0x000000c0, 0x04000080, 0x040000c0, 
+    0x00000880, 0x000008c0, 0x04000880, 0x040008c0, 
+    0x00800080, 0x008000c0, 0x04800080, 0x048000c0, 
+    0x00800880, 0x008008c0, 0x04800880, 0x048008c0, 
+    0x10000080, 0x100000c0, 0x14000080, 0x140000c0, 
+    0x10000880, 0x100008c0, 0x14000880, 0x140008c0, 
+    0x10800080, 0x108000c0, 0x14800080, 0x148000c0, 
+    0x10800880, 0x108008c0, 0x14800880, 0x148008c0 
+  },
+/* table 7 */ {
+    0x00000000, 0x00000010, 0x00000400, 0x00000410, 
+    0x00000004, 0x00000014, 0x00000404, 0x00000414, 
+    0x00004000, 0x00004010, 0x00004400, 0x00004410, 
+    0x00004004, 0x00004014, 0x00004404, 0x00004414, 
+    0x20000000, 0x20000010, 0x20000400, 0x20000410, 
+    0x20000004, 0x20000014, 0x20000404, 0x20000414, 
+    0x20004000, 0x20004010, 0x20004400, 0x20004410, 
+    0x20004004, 0x20004014, 0x20004404, 0x20004414, 
+    0x00200000, 0x00200010, 0x00200400, 0x00200410, 
+    0x00200004, 0x00200014, 0x00200404, 0x00200414, 
+    0x00204000, 0x00204010, 0x00204400, 0x00204410, 
+    0x00204004, 0x00204014, 0x00204404, 0x00204414, 
+    0x20200000, 0x20200010, 0x20200400, 0x20200410, 
+    0x20200004, 0x20200014, 0x20200404, 0x20200414, 
+    0x20204000, 0x20204010, 0x20204400, 0x20204410, 
+    0x20204004, 0x20204014, 0x20204404, 0x20204414 
+  }
+};
+
+/*
+ * The PC-1 Permutation
+ * If we number the bits of the 8 bytes of key input like this (in octal):
+ *     00 01 02 03 04 05 06 07 
+ *     10 11 12 13 14 15 16 17 
+ *     20 21 22 23 24 25 26 27 
+ *     30 31 32 33 34 35 36 37 
+ *     40 41 42 43 44 45 46 47 
+ *     50 51 52 53 54 55 56 57 
+ *     60 61 62 63 64 65 66 67 
+ *     70 71 72 73 74 75 76 77 
+ * then after the PC-1 permutation, 
+ * C0 is
+ *     70 60 50 40 30 20 10 00 
+ *     71 61 51 41 31 21 11 01 
+ *     72 62 52 42 32 22 12 02 
+ *     73 63 53 43 
+ * D0 is
+ *     76 66 56 46 36 26 16 06 
+ *     75 65 55 45 35 25 15 05 
+ *     74 64 54 44 34 24 14 04 
+ *                 33 23 13 03 
+ * and these parity bits have been discarded:
+ *     77 67 57 47 37 27 17 07 
+ * 
+ * We achieve this by flipping the input matrix about the diagonal from 70-07,
+ * getting left = 
+ *     77 67 57 47 37 27 17 07 	(these are the parity bits)
+ *     76 66 56 46 36 26 16 06 
+ *     75 65 55 45 35 25 15 05 
+ *     74 64 54 44 34 24 14 04 
+ * right = 
+ *     73 63 53 43 33 23 13 03 
+ *     72 62 52 42 32 22 12 02 
+ *     71 61 51 41 31 21 11 01 
+ *     70 60 50 40 30 20 10 00 
+ * then byte swap right, ala htonl() on a little endian machine.
+ * right = 
+ *     70 60 50 40 30 20 10 00 
+ *     71 67 57 47 37 27 11 07 
+ *     72 62 52 42 32 22 12 02 
+ *     73 63 53 43 33 23 13 03 
+ * then
+ *     c0 = right >> 4;
+ *     d0 = ((left & 0x00ffffff) << 4) | (right & 0xf);
+*/
+
+#define FLIP_RIGHT_DIAGONAL(word, temp) \
+    temp  = (word ^ (word >> 18)) & 0x00003333; \
+    word ^=  temp | (temp << 18); \
+    temp  = (word ^ (word >> 9)) & 0x00550055; \
+    word ^=  temp | (temp << 9);
+
+#define BYTESWAP(word, temp) \
+    word = (word >> 16) | (word << 16); \
+    temp = 0x00ff00ff; \
+    word = ((word & temp) << 8) | ((word >> 8) & temp); 
+
+#define PC1(left, right, c0, d0, temp) \
+    right ^= temp = ((left >> 4) ^ right) & 0x0f0f0f0f; \
+    left  ^= temp << 4; \
+    FLIP_RIGHT_DIAGONAL(left, temp); \
+    FLIP_RIGHT_DIAGONAL(right, temp); \
+    BYTESWAP(right, temp); \
+    c0 = right >> 4; \
+    d0 = ((left & 0x00ffffff) << 4) | (right & 0xf); 
+
+#define LEFT_SHIFT_1( reg ) (((reg << 1) | (reg >> 27)) & 0x0FFFFFFF)
+#define LEFT_SHIFT_2( reg ) (((reg << 2) | (reg >> 26)) & 0x0FFFFFFF)
+
+/*
+ *   setup key schedules from key
+ */
+
+void 
+DES_MakeSchedule( HALF * ks, BYTE * key,   DESDirection direction)
+{
+    register HALF left, right;
+    register HALF c0, d0;
+    register HALF temp;
+    int           delta;
+    unsigned int  ls;
+
+#if defined(_X86_)
+    left  = HALFPTR(key)[0]; 
+    right = HALFPTR(key)[1]; 
+    BYTESWAP(left, temp);
+    BYTESWAP(right, temp);
+#else
+    if (((ptrdiff_t)key & 0x03) == 0) {
+	left  = HALFPTR(key)[0]; 
+	right = HALFPTR(key)[1]; 
+#if defined(IS_LITTLE_ENDIAN)
+	BYTESWAP(left, temp);
+	BYTESWAP(right, temp);
+#endif
+    } else {
+	left    = ((HALF)key[0] << 24) | ((HALF)key[1] << 16) | 
+		  ((HALF)key[2] << 8)  | key[3];
+	right   = ((HALF)key[4] << 24) | ((HALF)key[5] << 16) | 
+		  ((HALF)key[6] << 8)  | key[7];
+    }
+#endif
+
+    PC1(left, right, c0, d0, temp);
+
+    if (direction == DES_ENCRYPT) {
+	delta = 2 * (int)sizeof(HALF);
+    } else {
+	ks += 30;
+	delta = (-2) * (int)sizeof(HALF);
+    }
+
+    for (ls = 0x8103; ls; ls >>= 1) {
+	if ( ls & 1 ) {
+	    c0 = LEFT_SHIFT_1( c0 );
+	    d0 = LEFT_SHIFT_1( d0 );
+	} else {
+	    c0 = LEFT_SHIFT_2( c0 );
+	    d0 = LEFT_SHIFT_2( d0 );
+	}
+
+#ifdef USE_INDEXING
+#define PC2LOOKUP(b,c) PC2[b][c]
+
+	left   = PC2LOOKUP(0, ((c0 >> 22) & 0x3F) );
+	left  |= PC2LOOKUP(1, ((c0 >> 13) & 0x3F) );
+	left  |= PC2LOOKUP(2, ((c0 >>  4) & 0x38) | (c0 & 0x7) );
+	left  |= PC2LOOKUP(3, ((c0>>18)&0xC) | ((c0>>11)&0x3) | (c0&0x30));
+
+	right  = PC2LOOKUP(4, ((d0 >> 22) & 0x3F) );
+	right |= PC2LOOKUP(5, ((d0 >> 15) & 0x30) | ((d0 >> 14) & 0xf) );
+	right |= PC2LOOKUP(6, ((d0 >>  7) & 0x3F) );
+	right |= PC2LOOKUP(7, ((d0 >>  1) & 0x3C) | (d0 & 0x3));
+#else
+#define PC2LOOKUP(b,c) *(HALF *)((BYTE *)&PC2[b][0]+(c))
+
+	left   = PC2LOOKUP(0, ((c0 >> 20) & 0xFC) );
+	left  |= PC2LOOKUP(1, ((c0 >> 11) & 0xFC) );
+	left  |= PC2LOOKUP(2, ((c0 >>  2) & 0xE0) | ((c0 <<  2) & 0x1C) );
+	left  |= PC2LOOKUP(3, ((c0>>16)&0x30)|((c0>>9)&0xC)|((c0<<2)&0xC0));
+
+	right  = PC2LOOKUP(4, ((d0 >> 20) & 0xFC) );
+	right |= PC2LOOKUP(5, ((d0 >> 13) & 0xC0) | ((d0 >> 12) & 0x3C) );
+	right |= PC2LOOKUP(6, ((d0 >>  5) & 0xFC) );
+	right |= PC2LOOKUP(7, ((d0 <<  1) & 0xF0) | ((d0 << 2) & 0x0C));
+#endif
+	/* left  contains key bits for S1 S3 S2 S4 */
+	/* right contains key bits for S6 S8 S5 S7 */
+	temp = (left  << 16)        /* S2 S4 XX XX */
+	     | (right >> 16);       /* XX XX S6 S8 */
+	ks[0] = temp;
+
+	temp = (left  & 0xffff0000) /* S1 S3 XX XX */
+	     | (right & 0x0000ffff);/* XX XX S5 S7 */
+	ks[1] = temp;
+
+	ks = (HALF*)((BYTE *)ks + delta);
+    }
+}
+
+/*
+ * The DES Initial Permutation
+ * if we number the bits of the 8 bytes of input like this (in octal):
+ *     00 01 02 03 04 05 06 07 
+ *     10 11 12 13 14 15 16 17 
+ *     20 21 22 23 24 25 26 27 
+ *     30 31 32 33 34 35 36 37 
+ *     40 41 42 43 44 45 46 47 
+ *     50 51 52 53 54 55 56 57 
+ *     60 61 62 63 64 65 66 67 
+ *     70 71 72 73 74 75 76 77 
+ * then after the initial permutation, they will be in this order. 
+ *     71 61 51 41 31 21 11 01 
+ *     73 63 53 43 33 23 13 03 
+ *     75 65 55 45 35 25 15 05 
+ *     77 67 57 47 37 27 17 07 
+ *     70 60 50 40 30 20 10 00 
+ *     72 62 52 42 32 22 12 02 
+ *     74 64 54 44 34 24 14 04 
+ *     76 66 56 46 36 26 16 06 
+ *
+ * One way to do this is in two steps:
+ * 1. Flip this matrix about the diagonal from 70-07 as done for PC1.
+ * 2. Rearrange the bytes (rows in the matrix above) with the following code.
+ *
+ * #define swapHiLo(word, temp) \
+ *   temp  = (word ^ (word >> 24)) & 0x000000ff; \
+ *   word ^=  temp | (temp << 24); 
+ *
+ *   right ^= temp = ((left << 8) ^ right) & 0xff00ff00; 
+ *   left  ^= temp >> 8; 
+ *   swapHiLo(left, temp);
+ *   swapHiLo(right,temp);
+ *
+ * However, the two steps can be combined, so that the rows are rearranged
+ * while the matrix is being flipped, reducing the number of bit exchange
+ * operations from 8 ot 5.  
+ *
+ * Initial Permutation */
+#define IP(left, right, temp) \
+    right ^= temp = ((left >> 4) ^  right) & 0x0f0f0f0f; \
+    left  ^= temp << 4; \
+    right ^= temp = ((left >> 16) ^ right) & 0x0000ffff; \
+    left  ^= temp << 16; \
+    right ^= temp = ((left << 2) ^ right) & 0xcccccccc; \
+    left  ^= temp >> 2; \
+    right ^= temp = ((left << 8) ^ right) & 0xff00ff00; \
+    left  ^= temp >> 8; \
+    right ^= temp = ((left >> 1) ^ right) & 0x55555555; \
+    left  ^= temp << 1; 
+
+/* The Final (Inverse Initial) permutation is done by reversing the 
+** steps of the Initital Permutation 
+*/
+
+#define FP(left, right, temp) \
+    right ^= temp = ((left >> 1) ^ right) & 0x55555555; \
+    left  ^= temp << 1; \
+    right ^= temp = ((left << 8) ^ right) & 0xff00ff00; \
+    left  ^= temp >> 8; \
+    right ^= temp = ((left << 2) ^ right) & 0xcccccccc; \
+    left  ^= temp >> 2; \
+    right ^= temp = ((left >> 16) ^ right) & 0x0000ffff; \
+    left  ^= temp << 16; \
+    right ^= temp = ((left >> 4) ^  right) & 0x0f0f0f0f; \
+    left  ^= temp << 4; 
+
+void 
+DES_Do1Block(HALF * ks, const BYTE * inbuf, BYTE * outbuf)
+{
+    register HALF left, right;
+    register HALF temp;
+
+#if defined(_X86_)
+    left  = HALFPTR(inbuf)[0]; 
+    right = HALFPTR(inbuf)[1]; 
+    BYTESWAP(left, temp);
+    BYTESWAP(right, temp);
+#else
+    if (((ptrdiff_t)inbuf & 0x03) == 0) {
+	left  = HALFPTR(inbuf)[0]; 
+	right = HALFPTR(inbuf)[1]; 
+#if defined(IS_LITTLE_ENDIAN)
+	BYTESWAP(left, temp);
+	BYTESWAP(right, temp);
+#endif
+    } else {
+	left    = ((HALF)inbuf[0] << 24) | ((HALF)inbuf[1] << 16) | 
+		  ((HALF)inbuf[2] << 8)  | inbuf[3];
+	right   = ((HALF)inbuf[4] << 24) | ((HALF)inbuf[5] << 16) | 
+		  ((HALF)inbuf[6] << 8)  | inbuf[7];
+    }
+#endif
+
+    IP(left, right, temp);
+
+    /* shift the values left circularly 3 bits. */
+    left  = (left  << 3) | (left  >> 29);
+    right = (right << 3) | (right >> 29);
+
+#ifdef USE_INDEXING
+#define KSLOOKUP(s,b) SP[s][((temp >> (b+2)) & 0x3f)]
+#else
+#define KSLOOKUP(s,b) *(HALF*)((BYTE*)&SP[s][0]+((temp >> b) & 0xFC))
+#endif
+#define ROUND(out, in, r) \
+    temp  = in ^ ks[2*r]; \
+    out ^= KSLOOKUP( 1,  24 ); \
+    out ^= KSLOOKUP( 3,  16 ); \
+    out ^= KSLOOKUP( 5,   8 ); \
+    out ^= KSLOOKUP( 7,   0 ); \
+    temp  = ((in >> 4) | (in << 28)) ^ ks[2*r+1]; \
+    out ^= KSLOOKUP( 0,  24 ); \
+    out ^= KSLOOKUP( 2,  16 ); \
+    out ^= KSLOOKUP( 4,   8 ); \
+    out ^= KSLOOKUP( 6,   0 ); 
+
+    /* Do the 16 Feistel rounds */
+    ROUND(left, right, 0)
+    ROUND(right, left, 1)
+    ROUND(left, right, 2)
+    ROUND(right, left, 3)
+    ROUND(left, right, 4)
+    ROUND(right, left, 5)
+    ROUND(left, right, 6)
+    ROUND(right, left, 7)
+    ROUND(left, right, 8)
+    ROUND(right, left, 9)
+    ROUND(left, right, 10)
+    ROUND(right, left, 11)
+    ROUND(left, right, 12)
+    ROUND(right, left, 13)
+    ROUND(left, right, 14)
+    ROUND(right, left, 15)
+
+    /* now shift circularly right 3 bits to undo the shifting done 
+    ** above.  switch left and right here. 
+    */
+    temp  = (left >> 3) | (left << 29); 
+    left  = (right >> 3) | (right << 29); 
+    right = temp;
+
+    FP(left, right, temp);
+
+#if defined(_X86_)
+    BYTESWAP(left, temp);
+    BYTESWAP(right, temp);
+    HALFPTR(outbuf)[0]  = left; 
+    HALFPTR(outbuf)[1]  = right; 
+#else
+    if (((ptrdiff_t)inbuf & 0x03) == 0) {
+#if defined(IS_LITTLE_ENDIAN)
+	BYTESWAP(left, temp);
+	BYTESWAP(right, temp);
+#endif
+	HALFPTR(outbuf)[0]  = left; 
+	HALFPTR(outbuf)[1]  = right; 
+    } else {
+	outbuf[0] = (BYTE)(left >> 24);
+	outbuf[1] = (BYTE)(left >> 16);
+	outbuf[2] = (BYTE)(left >>  8);
+	outbuf[3] = (BYTE)(left      );
+
+	outbuf[4] = (BYTE)(right >> 24);
+	outbuf[5] = (BYTE)(right >> 16);
+	outbuf[6] = (BYTE)(right >>  8);
+	outbuf[7] = (BYTE)(right      );
+    }
+#endif
+
+}
+
+/* Ackowledgements:
+** Two ideas used in this implementation were shown to me by Dennis Ferguson 
+** in 1990.  He credits them to Richard Outerbridge and Dan Hoey.  They were:
+** 1. The method of computing the Initial and Final permutations.
+** 2. Circularly rotating the SP tables and the initial values of left and 
+**	right to reduce the number of shifts required during the 16 rounds.
+*/
diff --git a/security/nss/lib/freebl/des.h b/security/nss/lib/freebl/des.h
new file mode 100644
index 000000000..472896ef1
--- /dev/null
+++ b/security/nss/lib/freebl/des.h
@@ -0,0 +1,69 @@
+/*
+ *  des.h
+ *
+ *  header file for DES-150 library
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the DES-150 library.
+ *
+ * The Initial Developer of the Original Code is Nelson B. Bolyard,
+ * nelsonb@iname.com.  Portions created by Nelson B. Bolyard are 
+ * Copyright (C) 1990, 2000  Nelson B. Bolyard, All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ */
+
+#ifndef _DES_H_
+#define _DES_H_ 1
+
+#include "blapi.h"
+
+typedef unsigned char BYTE;
+typedef unsigned int  HALF;
+
+#define HALFPTR(x) ((HALF *)(x))
+#define SHORTPTR(x) ((unsigned short *)(x))
+#define BYTEPTR(x) ((BYTE *)(x))
+
+typedef enum {
+    DES_ENCRYPT = 0x5555,
+    DES_DECRYPT = 0xAAAA
+} DESDirection;
+
+typedef void DESFunc(struct DESContextStr *cx, BYTE *out, const BYTE *in, 
+                     unsigned int len);
+
+struct DESContextStr {
+    /* key schedule, 16 internal keys, each with 8 6-bit parts */
+    HALF ks0 [32];
+    HALF ks1 [32];
+    HALF ks2 [32];
+    HALF iv  [2];
+    DESDirection direction;
+    DESFunc  *worker;
+};
+
+void DES_MakeSchedule( HALF * ks, BYTE * key,   DESDirection direction);
+void DES_Do1Block(     HALF * ks, const BYTE * inbuf, BYTE * outbuf);
+
+#endif
diff --git a/security/nss/lib/freebl/desblapi.c b/security/nss/lib/freebl/desblapi.c
new file mode 100644
index 000000000..af7e9ca2d
--- /dev/null
+++ b/security/nss/lib/freebl/desblapi.c
@@ -0,0 +1,275 @@
+/*
+ *  desblapi.c
+ *
+ *  core source file for DES-150 library
+ *  Implement DES Modes of Operation and Triple-DES.
+ *  Adapt DES-150 to blapi API.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the DES-150 library.
+ *
+ * The Initial Developer of the Original Code is Nelson B. Bolyard,
+ * nelsonb@iname.com.  Portions created by Nelson B. Bolyard are 
+ * Copyright (C) 1990, 2000  Nelson B. Bolyard, All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ */
+
+#include "des.h"
+#include <stddef.h>
+#include "secerr.h"
+
+#if defined(_X86_)
+/* Intel X86 CPUs do unaligned loads and stores without complaint. */
+#define COPY8B(to, from, ptr) \
+    	HALFPTR(to)[0] = HALFPTR(from)[0]; \
+    	HALFPTR(to)[1] = HALFPTR(from)[1]; 
+#elif defined(USE_MEMCPY)
+#define COPY8B(to, from, ptr) memcpy(to, from, 8)
+#else
+#define COPY8B(to, from, ptr) \
+    if (((ptrdiff_t)(ptr) & 0x3) == 0) { \
+    	HALFPTR(to)[0] = HALFPTR(from)[0]; \
+    	HALFPTR(to)[1] = HALFPTR(from)[1]; \
+    } else if (((ptrdiff_t)(ptr) & 0x1) == 0) { \
+    	SHORTPTR(to)[0] = SHORTPTR(from)[0]; \
+    	SHORTPTR(to)[1] = SHORTPTR(from)[1]; \
+    	SHORTPTR(to)[2] = SHORTPTR(from)[2]; \
+    	SHORTPTR(to)[3] = SHORTPTR(from)[3]; \
+    } else { \
+    	BYTEPTR(to)[0] = BYTEPTR(from)[0]; \
+    	BYTEPTR(to)[1] = BYTEPTR(from)[1]; \
+    	BYTEPTR(to)[2] = BYTEPTR(from)[2]; \
+    	BYTEPTR(to)[3] = BYTEPTR(from)[3]; \
+    	BYTEPTR(to)[4] = BYTEPTR(from)[4]; \
+    	BYTEPTR(to)[5] = BYTEPTR(from)[5]; \
+    	BYTEPTR(to)[6] = BYTEPTR(from)[6]; \
+    	BYTEPTR(to)[7] = BYTEPTR(from)[7]; \
+    } 
+#endif
+#define COPY8BTOHALF(to, from) COPY8B(to, from, from)
+#define COPY8BFROMHALF(to, from) COPY8B(to, from, to)
+
+static void 
+DES_ECB(DESContext *cx, BYTE *out, const BYTE *in, unsigned int len)
+{
+    while (len) {
+	DES_Do1Block(cx->ks0, in, out);
+	len -= 8;
+	in  += 8;
+	out += 8;
+    }
+}
+
+static void 
+DES_EDE3_ECB(DESContext *cx, BYTE *out, const BYTE *in, unsigned int len)
+{
+    while (len) {
+	DES_Do1Block(cx->ks0,  in, out);
+	len -= 8;
+	in  += 8;
+	DES_Do1Block(cx->ks1, out, out);
+	DES_Do1Block(cx->ks2, out, out);
+	out += 8;
+    }
+}
+
+static void 
+DES_CBCEn(DESContext *cx, BYTE *out, const BYTE *in, unsigned int len)
+{
+    const BYTE * bufend = in + len;
+    HALF  vec[2];
+
+    while (in != bufend) {
+	COPY8BTOHALF(vec, in);
+	in += 8;
+	vec[0] ^= cx->iv[0];
+	vec[1] ^= cx->iv[1];
+	DES_Do1Block( cx->ks0, (BYTE *)vec, (BYTE *)cx->iv);
+	COPY8BFROMHALF(out, cx->iv);
+	out += 8;
+    }
+}
+
+static void 
+DES_CBCDe(DESContext *cx, BYTE *out, const BYTE *in, unsigned int len)
+{
+    const BYTE * bufend;
+    HALF oldciphertext[2];
+    HALF plaintext    [2];
+
+    for (bufend = in + len; in != bufend; ) {
+	oldciphertext[0] = cx->iv[0];
+	oldciphertext[1] = cx->iv[1];
+	COPY8BTOHALF(cx->iv, in);
+	in += 8;
+	DES_Do1Block(cx->ks0, (BYTE *)cx->iv, (BYTE *)plaintext);
+	plaintext[0] ^= oldciphertext[0];
+	plaintext[1] ^= oldciphertext[1];
+	COPY8BFROMHALF(out, plaintext);
+	out += 8;
+    }
+}
+
+static void 
+DES_EDE3CBCEn(DESContext *cx, BYTE *out, const BYTE *in, unsigned int len)
+{
+    const BYTE * bufend = in + len;
+    HALF  vec[2];
+
+    while (in != bufend) {
+	COPY8BTOHALF(vec, in);
+	in += 8;
+	vec[0] ^= cx->iv[0];
+	vec[1] ^= cx->iv[1];
+	DES_Do1Block( cx->ks0, (BYTE *)vec,    (BYTE *)cx->iv);
+	DES_Do1Block( cx->ks1, (BYTE *)cx->iv, (BYTE *)cx->iv);
+	DES_Do1Block( cx->ks2, (BYTE *)cx->iv, (BYTE *)cx->iv);
+	COPY8BFROMHALF(out, cx->iv);
+	out += 8;
+    }
+}
+
+static void 
+DES_EDE3CBCDe(DESContext *cx, BYTE *out, const BYTE *in, unsigned int len)
+{
+    const BYTE * bufend;
+    HALF oldciphertext[2];
+    HALF plaintext    [2];
+
+    for (bufend = in + len; in != bufend; ) {
+	oldciphertext[0] = cx->iv[0];
+	oldciphertext[1] = cx->iv[1];
+	COPY8BTOHALF(cx->iv, in);
+	in += 8;
+	DES_Do1Block(cx->ks0, (BYTE *)cx->iv,    (BYTE *)plaintext);
+	DES_Do1Block(cx->ks1, (BYTE *)plaintext, (BYTE *)plaintext);
+	DES_Do1Block(cx->ks2, (BYTE *)plaintext, (BYTE *)plaintext);
+	plaintext[0] ^= oldciphertext[0];
+	plaintext[1] ^= oldciphertext[1];
+	COPY8BFROMHALF(out, plaintext);
+	out += 8;
+    }
+}
+
+DESContext *
+DES_CreateContext(BYTE * key, BYTE *iv, int mode, PRBool encrypt)
+{
+    DESContext *cx = PORT_ZNew(DESContext);
+    DESDirection opposite;
+    if (!cx) 
+    	return 0;
+    cx->direction = encrypt ? DES_ENCRYPT : DES_DECRYPT;
+    opposite      = encrypt ? DES_DECRYPT : DES_ENCRYPT;
+    switch (mode) {
+    case NSS_DES:	/* DES ECB */
+	DES_MakeSchedule( cx->ks0, key, cx->direction);
+	cx->worker = &DES_ECB;
+	break;
+
+    case NSS_DES_EDE3:	/* DES EDE ECB */
+	cx->worker = &DES_EDE3_ECB;
+	if (encrypt) {
+	    DES_MakeSchedule(cx->ks0, key,      cx->direction);
+	    DES_MakeSchedule(cx->ks1, key +  8, opposite);
+	    DES_MakeSchedule(cx->ks2, key + 16, cx->direction);
+	} else {
+	    DES_MakeSchedule(cx->ks2, key,      cx->direction);
+	    DES_MakeSchedule(cx->ks1, key +  8, opposite);
+	    DES_MakeSchedule(cx->ks0, key + 16, cx->direction);
+	}
+	break;
+
+    case NSS_DES_CBC:	/* DES CBC */
+	COPY8BTOHALF(cx->iv, iv);
+	cx->worker = encrypt ? &DES_CBCEn : &DES_CBCDe;
+	DES_MakeSchedule(cx->ks0, key, cx->direction);
+	break;
+
+    case NSS_DES_EDE3_CBC:	/* DES EDE CBC */
+	COPY8BTOHALF(cx->iv, iv);
+	if (encrypt) {
+	    cx->worker = &DES_EDE3CBCEn;
+	    DES_MakeSchedule(cx->ks0, key,      cx->direction);
+	    DES_MakeSchedule(cx->ks1, key +  8, opposite);
+	    DES_MakeSchedule(cx->ks2, key + 16, cx->direction);
+	} else {
+	    cx->worker = &DES_EDE3CBCDe;
+	    DES_MakeSchedule(cx->ks2, key,      cx->direction);
+	    DES_MakeSchedule(cx->ks1, key +  8, opposite);
+	    DES_MakeSchedule(cx->ks0, key + 16, cx->direction);
+	}
+	break;
+
+    default:
+    	PORT_Free(cx);
+	cx = 0;
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	break;
+    }
+    return cx;
+}
+
+void
+DES_DestroyContext(DESContext *cx, PRBool freeit)
+{
+    if (cx) {
+    	memset(cx, 0, sizeof *cx);
+	if (freeit)
+	    PORT_Free(cx);
+    }
+}
+
+SECStatus
+DES_Encrypt(DESContext *cx, BYTE *out, unsigned int *outLen,
+            unsigned int maxOutLen, const BYTE *in, unsigned int inLen)
+{
+
+    if (inLen < 0 || (inLen % 8) != 0 || maxOutLen < inLen || !cx || 
+        cx->direction != DES_ENCRYPT) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    cx->worker(cx, out, in, inLen);
+    if (outLen)
+	*outLen = inLen;
+    return SECSuccess;
+}
+
+SECStatus
+DES_Decrypt(DESContext *cx, BYTE *out, unsigned int *outLen,
+            unsigned int maxOutLen, const BYTE *in, unsigned int inLen)
+{
+
+    if (inLen < 0 || (inLen % 8) != 0 || maxOutLen < inLen || !cx || 
+        cx->direction != DES_DECRYPT) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    cx->worker(cx, out, in, inLen);
+    if (outLen)
+	*outLen = inLen;
+    return SECSuccess;
+}
diff --git a/security/nss/lib/freebl/dh.c b/security/nss/lib/freebl/dh.c
new file mode 100644
index 000000000..6c369b6dd
--- /dev/null
+++ b/security/nss/lib/freebl/dh.c
@@ -0,0 +1,385 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.	Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.	If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Diffie-Hellman parameter generation, key generation, and secret derivation.
+ * KEA secret generation and verification.
+ *
+ * $Id$
+ */
+
+#include "prerr.h"
+#include "secerr.h"
+
+#include "blapi.h"
+#include "secitem.h"
+#include "mpi.h"
+#include "mpprime.h"
+#include "secmpi.h"
+
+#define DH_SECRET_KEY_LEN      20
+#define KEA_DERIVED_SECRET_LEN 128
+
+SECStatus 
+DH_GenParam(int primeLen, DHParams **params)
+{
+    PRArenaPool *arena;
+    DHParams *dhparams;
+    unsigned char *pb = NULL;
+    unsigned char *ab = NULL;
+    unsigned long counter = 0;
+    mp_int p, q, a, h, psub1, test;
+    mp_err err = MP_OKAY;
+    SECStatus rv = SECSuccess;
+    if (!params || primeLen < 0) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
+    if (!arena) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    dhparams = (DHParams *)PORT_ArenaZAlloc(arena, sizeof(DHParams));
+    if (!dhparams) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_FreeArena(arena, PR_TRUE);
+	return SECFailure;
+    }
+    dhparams->arena = arena;
+    MP_DIGITS(&p) = 0;
+    MP_DIGITS(&q) = 0;
+    MP_DIGITS(&a) = 0;
+    MP_DIGITS(&h) = 0;
+    MP_DIGITS(&psub1) = 0;
+    MP_DIGITS(&test) = 0;
+    CHECK_MPI_OK( mp_init(&p) );
+    CHECK_MPI_OK( mp_init(&q) );
+    CHECK_MPI_OK( mp_init(&a) );
+    CHECK_MPI_OK( mp_init(&h) );
+    CHECK_MPI_OK( mp_init(&psub1) );
+    CHECK_MPI_OK( mp_init(&test) );
+    /* generate prime with MPI, uses Miller-Rabin to generate strong prime. */
+    pb = PORT_Alloc(primeLen);
+    CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(pb, primeLen) );
+    pb[0]          |= 0x80; /* set high-order bit */
+    pb[primeLen-1] |= 0x01; /* set low-order bit  */
+    CHECK_MPI_OK( mp_read_unsigned_octets(&p, pb, primeLen) );
+    CHECK_MPI_OK( mpp_make_prime(&p, primeLen * 8, PR_TRUE, &counter) );
+    /* construct Sophie-Germain prime q = (p-1)/2. */
+    CHECK_MPI_OK( mp_sub_d(&p, 1, &psub1) );
+    CHECK_MPI_OK( mp_div_2(&psub1, &q)    );
+    /* construct a generator from the prime. */
+    ab = PORT_Alloc(primeLen);
+    /* generate a candidate number a in p's field */
+    CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(ab, primeLen) );
+    CHECK_MPI_OK( mp_read_unsigned_octets(&a, ab, primeLen) );
+    /* force a < p (note that quot(a/p) <= 1) */
+    if ( mp_cmp(&a, &p) > 0 )
+	CHECK_MPI_OK( mp_sub(&a, &p, &a) );
+    do {
+	/* check that a is in the range [2..p-1] */
+	if ( mp_cmp_d(&a, 2) < 0 || mp_cmp(&a, &psub1) >= 0) {
+	    /* a is outside of the allowed range.  Set a=3 and keep going. */
+            mp_set(&a, 3);
+	}
+	/* if a**q mod p != 1 then a is a generator */
+	CHECK_MPI_OK( mp_exptmod(&a, &q, &p, &test) );
+	if ( mp_cmp_d(&test, 1) != 0 )
+	    break;
+	/* increment the candidate and try again. */
+	CHECK_MPI_OK( mp_add_d(&a, 1, &a) );
+    } while (PR_TRUE);
+    MPINT_TO_SECITEM(&p, &dhparams->prime, arena);
+    MPINT_TO_SECITEM(&a, &dhparams->base, arena);
+    *params = dhparams;
+cleanup:
+    mp_clear(&p);
+    mp_clear(&q);
+    mp_clear(&a);
+    mp_clear(&h);
+    mp_clear(&psub1);
+    mp_clear(&test);
+    if (pb) PORT_ZFree(pb, primeLen);
+    if (ab) PORT_ZFree(ab, primeLen);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    if (rv)
+	PORT_FreeArena(arena, PR_TRUE);
+    return rv;
+}
+
+SECStatus 
+DH_NewKey(DHParams *params, DHPrivateKey **privKey)
+{
+    PRArenaPool *arena;
+    DHPrivateKey *key;
+    mp_int g, xa, p, Ya;
+    mp_err   err = MP_OKAY;
+    SECStatus rv = SECSuccess;
+    if (!params || !privKey) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
+    if (!arena) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    key = (DHPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(DHPrivateKey));
+    if (!key) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_FreeArena(arena, PR_TRUE);
+	return SECFailure;
+    }
+    key->arena = arena;
+    MP_DIGITS(&g)  = 0;
+    MP_DIGITS(&xa) = 0;
+    MP_DIGITS(&p)  = 0;
+    MP_DIGITS(&Ya) = 0;
+    CHECK_MPI_OK( mp_init(&g)  );
+    CHECK_MPI_OK( mp_init(&xa) );
+    CHECK_MPI_OK( mp_init(&p)  );
+    CHECK_MPI_OK( mp_init(&Ya) );
+    /* Set private key's p */
+    CHECK_SEC_OK( SECITEM_CopyItem(arena, &key->prime, &params->prime) );
+    SECITEM_TO_MPINT(key->prime, &p);
+    /* Set private key's g */
+    CHECK_SEC_OK( SECITEM_CopyItem(arena, &key->base, &params->base) );
+    SECITEM_TO_MPINT(key->base, &g);
+    /* Generate private key xa */
+    SECITEM_AllocItem(arena, &key->privateValue, DH_SECRET_KEY_LEN);
+    RNG_GenerateGlobalRandomBytes(key->privateValue.data, 
+                                  key->privateValue.len);
+    SECITEM_TO_MPINT( key->privateValue, &xa );
+    /* xa < p */
+    CHECK_MPI_OK( mp_mod(&xa, &p, &xa) );
+    /* Compute public key Ya = g ** xa mod p */
+    CHECK_MPI_OK( mp_exptmod(&g, &xa, &p, &Ya) );
+    MPINT_TO_SECITEM(&Ya, &key->publicValue, key->arena);
+    *privKey = key;
+cleanup:
+    mp_clear(&g);
+    mp_clear(&xa);
+    mp_clear(&p);
+    mp_clear(&Ya);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    if (rv)
+	PORT_FreeArena(arena, PR_TRUE);
+    return rv;
+}
+
+SECStatus 
+DH_Derive(SECItem *publicValue, 
+          SECItem *prime, 
+          SECItem *privateValue, 
+          SECItem *derivedSecret, 
+          unsigned int maxOutBytes)
+{
+    mp_int p, Xa, Yb, ZZ;
+    mp_err err = MP_OKAY;
+    unsigned int len = 0, nb;
+    unsigned char *secret = NULL;
+    if (!publicValue || !prime || !privateValue || !derivedSecret) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    memset(derivedSecret, 0, sizeof *derivedSecret);
+    MP_DIGITS(&p)  = 0;
+    MP_DIGITS(&Xa) = 0;
+    MP_DIGITS(&Yb) = 0;
+    MP_DIGITS(&ZZ) = 0;
+    CHECK_MPI_OK( mp_init(&p)  );
+    CHECK_MPI_OK( mp_init(&Xa) );
+    CHECK_MPI_OK( mp_init(&Yb) );
+    CHECK_MPI_OK( mp_init(&ZZ) );
+    SECITEM_TO_MPINT(*publicValue,  &Yb);
+    SECITEM_TO_MPINT(*privateValue, &Xa);
+    SECITEM_TO_MPINT(*prime,        &p);
+    /* ZZ = (Yb)**Xa mod p */
+    CHECK_MPI_OK( mp_exptmod(&Yb, &Xa, &p, &ZZ) );
+    /* number of bytes in the derived secret */
+    len = mp_unsigned_octet_size(&ZZ);
+    /* allocate a buffer which can hold the entire derived secret. */
+    secret = PORT_Alloc(len);
+    /* grab the derived secret */
+    err = mp_to_unsigned_octets(&ZZ, secret, len);
+    if (err >= 0) err = MP_OKAY;
+    /* Take minimum of bytes requested and bytes in derived secret,
+    ** if maxOutBytes is 0 take all of the bytes from the derived secret.
+    */
+    if (maxOutBytes > 0)
+	nb = PR_MIN(len, maxOutBytes);
+    else
+	nb = len;
+    SECITEM_AllocItem(NULL, derivedSecret, nb);
+    memcpy(derivedSecret->data, secret, nb);
+cleanup:
+    mp_clear(&p);
+    mp_clear(&Xa);
+    mp_clear(&Yb);
+    mp_clear(&ZZ);
+    if (secret) {
+	/* free the buffer allocated for the full secret. */
+	PORT_ZFree(secret, len);
+    }
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	if (derivedSecret->data) 
+	    PORT_ZFree(derivedSecret->data, derivedSecret->len);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus 
+KEA_Derive(SECItem *prime, 
+           SECItem *public1, 
+           SECItem *public2, 
+           SECItem *private1, 
+           SECItem *private2,
+           SECItem *derivedSecret)
+{
+    mp_int p, Y, R, r, x, t, u, w;
+    mp_err err;
+    unsigned char *secret = NULL;
+    unsigned int len = 0, offset;
+    if (!prime || !public1 || !public2 || !private1 || !private2 ||
+        !derivedSecret) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    memset(derivedSecret, 0, sizeof *derivedSecret);
+    MP_DIGITS(&p) = 0;
+    MP_DIGITS(&Y) = 0;
+    MP_DIGITS(&R) = 0;
+    MP_DIGITS(&r) = 0;
+    MP_DIGITS(&x) = 0;
+    MP_DIGITS(&t) = 0;
+    MP_DIGITS(&u) = 0;
+    MP_DIGITS(&w) = 0;
+    CHECK_MPI_OK( mp_init(&p) );
+    CHECK_MPI_OK( mp_init(&Y) );
+    CHECK_MPI_OK( mp_init(&R) );
+    CHECK_MPI_OK( mp_init(&r) );
+    CHECK_MPI_OK( mp_init(&x) );
+    CHECK_MPI_OK( mp_init(&t) );
+    CHECK_MPI_OK( mp_init(&u) );
+    CHECK_MPI_OK( mp_init(&w) );
+    SECITEM_TO_MPINT(*prime,    &p);
+    SECITEM_TO_MPINT(*public1,  &Y);
+    SECITEM_TO_MPINT(*public2,  &R);
+    SECITEM_TO_MPINT(*private1, &r);
+    SECITEM_TO_MPINT(*private2, &x);
+    /* t = DH(Y, r, p) = Y ** r mod p */
+    CHECK_MPI_OK( mp_exptmod(&Y, &r, &p, &t) );
+    /* u = DH(R, x, p) = R ** x mod p */
+    CHECK_MPI_OK( mp_exptmod(&R, &x, &p, &u) );
+    /* w = (t + u) mod p */
+    CHECK_MPI_OK( mp_addmod(&t, &u, &p, &w) );
+    /* allocate a buffer for the full derived secret */
+    len = mp_unsigned_octet_size(&w);
+    secret = PORT_Alloc(len);
+    /* grab the secret */
+    err = mp_to_unsigned_octets(&w, secret, len);
+    if (err > 0) err = MP_OKAY;
+    /* allocate output buffer */
+    SECITEM_AllocItem(NULL, derivedSecret, KEA_DERIVED_SECRET_LEN);
+    memset(derivedSecret->data, 0, derivedSecret->len);
+    /* copy in the 128 lsb of the secret */
+    if (len >= KEA_DERIVED_SECRET_LEN) {
+	memcpy(derivedSecret->data, secret + (len - KEA_DERIVED_SECRET_LEN),
+	       KEA_DERIVED_SECRET_LEN);
+    } else {
+	offset = KEA_DERIVED_SECRET_LEN - len;
+	memcpy(derivedSecret->data + offset, secret, len);
+    }
+cleanup:
+    mp_clear(&p);
+    mp_clear(&Y);
+    mp_clear(&R);
+    mp_clear(&r);
+    mp_clear(&x);
+    mp_clear(&t);
+    mp_clear(&u);
+    mp_clear(&w);
+    if (secret)
+	PORT_ZFree(secret, len);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+PRBool 
+KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
+{
+    mp_int p, q, y, r;
+    mp_err err;
+    int cmp = 1;  /* default is false */
+    if (!Y || !prime || !subPrime) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    MP_DIGITS(&p) = 0;
+    MP_DIGITS(&q) = 0;
+    MP_DIGITS(&y) = 0;
+    MP_DIGITS(&r) = 0;
+    CHECK_MPI_OK( mp_init(&p) );
+    CHECK_MPI_OK( mp_init(&q) );
+    CHECK_MPI_OK( mp_init(&y) );
+    CHECK_MPI_OK( mp_init(&r) );
+    SECITEM_TO_MPINT(*prime,    &p);
+    SECITEM_TO_MPINT(*subPrime, &q);
+    SECITEM_TO_MPINT(*Y,        &y);
+    /* compute r = y**q mod p */
+    CHECK_MPI_OK( mp_exptmod(&y, &q, &p, &r) );
+    /* compare to 1 */
+    cmp = mp_cmp_d(&r, 1);
+cleanup:
+    mp_clear(&p);
+    mp_clear(&q);
+    mp_clear(&y);
+    mp_clear(&r);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	return PR_FALSE;
+    }
+    return (cmp == 0) ? PR_TRUE : PR_FALSE;
+}
diff --git a/security/nss/lib/freebl/dh_bsf.c b/security/nss/lib/freebl/dh_bsf.c
new file mode 100644
index 000000000..f366363bf
--- /dev/null
+++ b/security/nss/lib/freebl/dh_bsf.c
@@ -0,0 +1,82 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.	Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.	If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "prerr.h"
+#include "secerr.h"
+
+#include "blapi.h"
+
+SECStatus 
+DH_GenParam(int primeLen, DHParams ** params)
+{
+	PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+	return SECFailure;
+}
+
+SECStatus 
+DH_NewKey(DHParams *           params, 
+          DHPrivateKey **      privKey)
+{
+	PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+	return SECFailure;
+}
+
+SECStatus 
+DH_Derive(SECItem *    publicValue, 
+          SECItem *    prime, 
+          SECItem *    privateValue, 
+          SECItem *    derivedSecret,
+          unsigned int maxOutBytes)
+{
+	PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+	return SECFailure;
+}
+
+SECStatus 
+KEA_Derive(SECItem *prime, 
+           SECItem *public1, 
+           SECItem *public2, 
+           SECItem *private1, 
+           SECItem *private2,
+           SECItem *derivedSecret)
+{
+	PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+	return SECFailure;
+}
+
+PRBool 
+KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
+{
+	PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+	return PR_FALSE;
+}
diff --git a/security/nss/lib/freebl/dsa.c b/security/nss/lib/freebl/dsa.c
new file mode 100644
index 000000000..63a5e08b3
--- /dev/null
+++ b/security/nss/lib/freebl/dsa.c
@@ -0,0 +1,415 @@
+/*
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "secerr.h"
+
+#include "prtypes.h"
+#include "prinit.h"
+#include "blapi.h"
+#include "nssilock.h"
+#include "secitem.h"
+#include "blapi.h"
+#include "mpi.h"
+
+ /* XXX to be replaced by define in blapit.h */
+#define NSS_FREEBL_DSA_DEFAULT_CHUNKSIZE 2048
+
+#define CHECKOK(func) if (MP_OKAY > (err = func)) goto cleanup
+
+#define SECITEM_TO_MPINT(it, mp) \
+    CHECKOK(mp_read_unsigned_octets((mp), (it).data, (it).len))
+
+/* DSA-specific random number functions defined in prng_fips1861.c. */
+extern SECStatus 
+DSA_RandomUpdate(void *data, size_t bytes, unsigned char *q);
+
+extern SECStatus 
+DSA_GenerateGlobalRandomBytes(void *dest, size_t len, unsigned char *q);
+
+static void translate_mpi_error(mp_err err)
+{
+    switch (err) {
+    case MP_MEM:    PORT_SetError(SEC_ERROR_NO_MEMORY);       break;
+    case MP_RANGE:  PORT_SetError(SEC_ERROR_BAD_DATA);        break;
+    case MP_BADARG: PORT_SetError(SEC_ERROR_INVALID_ARGS);    break;
+    default:        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); break;
+    }
+}
+
+SECStatus 
+dsa_NewKey(const PQGParams *params, DSAPrivateKey **privKey, 
+           const unsigned char *xb)
+{
+    unsigned int y_len;
+    mp_int p, g;
+    mp_int x, y;
+    mp_err err;
+    PRArenaPool *arena;
+    DSAPrivateKey *key;
+    /* Check args. */
+    if (!params || !privKey) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    /* Initialize an arena for the DSA key. */
+    arena = PORT_NewArena(NSS_FREEBL_DSA_DEFAULT_CHUNKSIZE);
+    if (!arena) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    key = (DSAPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(DSAPrivateKey));
+    if (!key) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_FreeArena(arena, PR_TRUE);
+	return SECFailure;
+    }
+    key->params.arena = arena;
+    /* Initialize MPI integers. */
+    MP_DIGITS(&p) = 0;
+    MP_DIGITS(&g) = 0;
+    MP_DIGITS(&x) = 0;
+    MP_DIGITS(&y) = 0;
+    CHECKOK( mp_init(&p) );
+    CHECKOK( mp_init(&g) );
+    CHECKOK( mp_init(&x) );
+    CHECKOK( mp_init(&y) );
+    /* Copy over the PQG params */
+    CHECKOK( SECITEM_CopyItem(arena, &key->params.prime, &params->prime) );
+    CHECKOK( SECITEM_CopyItem(arena, &key->params.subPrime, &params->subPrime));
+    CHECKOK( SECITEM_CopyItem(arena, &key->params.base, &params->base) );
+    /* Convert stored p, g, and received x into MPI integers. */
+    SECITEM_TO_MPINT(params->prime, &p);
+    SECITEM_TO_MPINT(params->base,  &g);
+    CHECKOK( mp_read_unsigned_octets(&x, xb, DSA_SUBPRIME_LEN) );
+    /* Store x in private key */
+    SECITEM_AllocItem(arena, &key->privateValue, DSA_SUBPRIME_LEN);
+    memcpy(key->privateValue.data, xb, DSA_SUBPRIME_LEN);
+    /* Compute public key y = g**x mod p */
+    CHECKOK( mp_exptmod(&g, &x, &p, &y) );
+    /* Store y in public key */
+    y_len = mp_unsigned_octet_size(&y);
+    SECITEM_AllocItem(arena, &key->publicValue, y_len);
+    err = mp_to_unsigned_octets(&y, key->publicValue.data, y_len);
+    /*   mp_to_unsigned_octets returns bytes written (y_len) if okay */
+    if (err < 0) goto cleanup; else err = MP_OKAY;
+    *privKey = key;
+    key = NULL;
+cleanup:
+    mp_clear(&p);
+    mp_clear(&g);
+    mp_clear(&x);
+    mp_clear(&y);
+    if (key)
+	PORT_FreeArena(key->params.arena, PR_TRUE);
+    if (err) {
+	translate_mpi_error(err);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+** Generate and return a new DSA public and private key pair,
+**	both of which are encoded into a single DSAPrivateKey struct.
+**	"params" is a pointer to the PQG parameters for the domain
+**	Uses a random seed.
+*/
+SECStatus 
+DSA_NewKey(const PQGParams *params, DSAPrivateKey **privKey)
+{
+    SECStatus rv;
+    unsigned char seed[DSA_SUBPRIME_LEN];
+    /* Generate seed bytes for x according to FIPS 186-1 appendix 3 */
+    if (DSA_GenerateGlobalRandomBytes(seed, DSA_SUBPRIME_LEN, 
+                                      params->subPrime.data))
+	return SECFailure;
+    /* Generate a new DSA key using random seed. */
+    rv = dsa_NewKey(params, privKey, seed);
+    return rv;
+}
+
+/* For FIPS compliance testing. Seed must be exactly 20 bytes long */
+SECStatus 
+DSA_NewKeyFromSeed(const PQGParams *params, 
+                   const unsigned char *seed,
+                   DSAPrivateKey **privKey)
+{
+    SECStatus rv;
+    rv = dsa_NewKey(params, privKey, seed);
+    return rv;
+}
+
+SECStatus 
+dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
+               const unsigned char *kb)
+{
+    mp_int p, q, g;  /* PQG parameters */
+    mp_int x, k;     /* private key & pseudo-random integer */
+    mp_int r, s;     /* tuple (r, s) is signature) */
+    mp_err err;
+
+    /* FIPS-compliance dictates that digest is a SHA1 hash. */
+    /* Check args. */
+    if (!key || !signature || !digest ||
+        (signature->len != DSA_SIGNATURE_LEN) ||
+	(digest->len != SHA1_LENGTH)) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    /* Initialize MPI integers. */
+    MP_DIGITS(&p) = 0;
+    MP_DIGITS(&q) = 0;
+    MP_DIGITS(&g) = 0;
+    MP_DIGITS(&x) = 0;
+    MP_DIGITS(&k) = 0;
+    MP_DIGITS(&r) = 0;
+    MP_DIGITS(&s) = 0;
+    CHECKOK( mp_init(&p) );
+    CHECKOK( mp_init(&q) );
+    CHECKOK( mp_init(&g) );
+    CHECKOK( mp_init(&x) );
+    CHECKOK( mp_init(&k) );
+    CHECKOK( mp_init(&r) );
+    CHECKOK( mp_init(&s) );
+    /*
+    ** Convert stored PQG and private key into MPI integers.
+    */
+    SECITEM_TO_MPINT(key->params.prime,    &p);
+    SECITEM_TO_MPINT(key->params.subPrime, &q);
+    SECITEM_TO_MPINT(key->params.base,     &g);
+    SECITEM_TO_MPINT(key->privateValue,    &x);
+    CHECKOK( mp_read_unsigned_octets(&k, kb, DSA_SUBPRIME_LEN) );
+    /*
+    ** FIPS 186-1, Section 5, Step 1
+    **
+    ** r = (g**k mod p) mod q
+    */
+    CHECKOK( mp_exptmod(&g, &k, &p, &r) ); /* r = g**k mod p */
+    CHECKOK(     mp_mod(&r, &q, &r) );     /* r = r mod q    */
+    /*                                  
+    ** FIPS 186-1, Section 5, Step 2
+    **
+    ** s = (k**-1 * (SHA1(M) + x*r)) mod q
+    */
+    SECITEM_TO_MPINT(*digest, &s);         /* s = SHA1(M)     */
+    CHECKOK( mp_invmod(&k, &q, &k) );      /* k = k**-1 mod q */
+    CHECKOK( mp_mulmod(&x, &r, &q, &x) );  /* x = x * r mod q */
+    CHECKOK( mp_addmod(&s, &x, &q, &s) );  /* s = s + x mod q */
+    CHECKOK( mp_mulmod(&s, &k, &q, &s) );  /* s = s * k mod q */
+    /*
+    ** verify r != 0 and s != 0
+    ** mentioned as optional in FIPS 186-1.
+    */
+    if (mp_cmp_z(&r) == 0 || mp_cmp_z(&s) == 0) {
+	PORT_SetError(SEC_ERROR_NEED_RANDOM);
+	err = MP_UNDEF;
+	goto cleanup;
+    }
+    /*
+    ** Step 4
+    **
+    ** Signature is tuple (r, s)
+    */
+    err = mp_to_fixlen_octets(&r, signature->data, DSA_SUBPRIME_LEN);
+    if (err < 0) goto cleanup; else err = MP_OKAY;
+    err = mp_to_fixlen_octets(&s, signature->data + DSA_SUBPRIME_LEN, 
+                                  DSA_SUBPRIME_LEN);
+    if (err < 0) goto cleanup; else err = MP_OKAY;
+cleanup:
+    mp_clear(&p);
+    mp_clear(&q);
+    mp_clear(&g);
+    mp_clear(&x);
+    mp_clear(&k);
+    mp_clear(&r);
+    mp_clear(&s);
+    if (err) {
+	translate_mpi_error(err);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/* signature is caller-supplied buffer of at least 20 bytes.
+** On input,  signature->len == size of buffer to hold signature.
+**            digest->len    == size of digest.
+** On output, signature->len == size of signature in buffer.
+** Uses a random seed.
+*/
+SECStatus 
+DSA_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest)
+{
+    SECStatus rv;
+    int prerr = 0;
+    unsigned char KSEED[DSA_SUBPRIME_LEN];
+    rv = DSA_GenerateGlobalRandomBytes(KSEED, DSA_SUBPRIME_LEN, 
+                                       key->params.subPrime.data);
+    if (rv) return rv;
+    do {
+	rv = dsa_SignDigest(key, signature, digest, KSEED);
+	if (rv) prerr = PORT_GetError();
+    } while (prerr == SEC_ERROR_NEED_RANDOM);
+    return rv;
+}
+
+/* For FIPS compliance testing. Seed must be exactly 20 bytes. */
+SECStatus 
+DSA_SignDigestWithSeed(DSAPrivateKey * key,
+                       SECItem *       signature,
+                       const SECItem * digest,
+                       const unsigned char * seed)
+{
+    SECStatus rv;
+    rv = dsa_SignDigest(key, signature, digest, seed);
+    return rv;
+}
+
+/* signature is caller-supplied buffer of at least 20 bytes.
+** On input,  signature->len == size of buffer to hold signature.
+**            digest->len    == size of digest.
+*/
+SECStatus 
+DSA_VerifyDigest(DSAPublicKey *key, const SECItem *signature, 
+                 const SECItem *digest)
+{
+    /* FIPS-compliance dictates that digest is a SHA1 hash. */
+    mp_int p, q, g;      /* PQG parameters */
+    mp_int r_, s_;       /* tuple (r', s') is received signature) */
+    mp_int u1, u2, v, w; /* intermediate values used in verification */
+    mp_int y;            /* public key */
+    mp_err err;
+    SECStatus verified = SECFailure;
+
+    /* Check args. */
+    if (!key || !signature || !digest ||
+        (signature->len != DSA_SIGNATURE_LEN) ||
+	(digest->len != SHA1_LENGTH)) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    /* Initialize MPI integers. */
+    MP_DIGITS(&p)  = 0;
+    MP_DIGITS(&q)  = 0;
+    MP_DIGITS(&g)  = 0;
+    MP_DIGITS(&y)  = 0;
+    MP_DIGITS(&r_) = 0;
+    MP_DIGITS(&s_) = 0;
+    MP_DIGITS(&u1) = 0;
+    MP_DIGITS(&u2) = 0;
+    MP_DIGITS(&v)  = 0;
+    MP_DIGITS(&w)  = 0;
+    CHECKOK( mp_init(&p)  );
+    CHECKOK( mp_init(&q)  );
+    CHECKOK( mp_init(&g)  );
+    CHECKOK( mp_init(&y)  );
+    CHECKOK( mp_init(&r_) );
+    CHECKOK( mp_init(&s_) );
+    CHECKOK( mp_init(&u1) );
+    CHECKOK( mp_init(&u2) );
+    CHECKOK( mp_init(&v)  );
+    CHECKOK( mp_init(&w)  );
+    /*
+    ** Convert stored PQG and public key into MPI integers.
+    */
+    SECITEM_TO_MPINT(key->params.prime,    &p);
+    SECITEM_TO_MPINT(key->params.subPrime, &q);
+    SECITEM_TO_MPINT(key->params.base,     &g);
+    SECITEM_TO_MPINT(key->publicValue,     &y);
+    /*
+    ** Convert received signature (r', s') into MPI integers.
+    */
+    CHECKOK( mp_read_unsigned_octets(&r_, signature->data, DSA_SUBPRIME_LEN) );
+    CHECKOK( mp_read_unsigned_octets(&s_, signature->data + DSA_SUBPRIME_LEN, 
+                                          DSA_SUBPRIME_LEN) );
+    /*
+    ** Verify that 0 < r' < q and 0 < s' < q
+    */
+    if (mp_cmp_z(&r_) <= 0 || mp_cmp_z(&s_) <= 0 ||
+        mp_cmp(&r_, &q) >= 0 || mp_cmp(&s_, &q) >= 0)
+	goto cleanup; /* will return verified == SECFailure */
+    /*
+    ** FIPS 186-1, Section 6, Step 1
+    **
+    ** w = (s')**-1 mod q
+    */
+    CHECKOK( mp_invmod(&s_, &q, &w) );      /* w = (s')**-1 mod q */
+    /*
+    ** FIPS 186-1, Section 6, Step 2
+    **
+    ** u1 = ((SHA1(M')) * w) mod q
+    */
+    SECITEM_TO_MPINT(*digest, &u1);         /* u1 = SHA1(M')     */
+    CHECKOK( mp_mulmod(&u1, &w, &q, &u1) ); /* u1 = u1 * w mod q */
+    /*
+    ** FIPS 186-1, Section 6, Step 3
+    **
+    ** u2 = ((r') * w) mod q
+    */
+    CHECKOK( mp_mulmod(&r_, &w, &q, &u2) );
+    /*
+    ** FIPS 186-1, Section 6, Step 4
+    **
+    ** v = ((g**u1 * y**u2) mod p) mod q
+    */
+    CHECKOK( mp_exptmod(&g, &u1, &p, &g) ); /* g = g**u1 mod p */
+    CHECKOK( mp_exptmod(&y, &u2, &p, &y) ); /* y = y**u2 mod p */
+    CHECKOK(  mp_mulmod(&g, &y, &p, &v)  ); /* v = g * y mod p */
+    CHECKOK(     mp_mod(&v, &q, &v)      ); /* v = v mod q     */
+    /*
+    ** Verification:  v == r'
+    */
+    if (mp_cmp(&v, &r_)) {
+	PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+	verified = SECFailure; /* Signature failed to verify. */
+    } else {
+	verified = SECSuccess; /* Signature verified. */
+    }
+cleanup:
+    mp_clear(&p);
+    mp_clear(&q);
+    mp_clear(&g);
+    mp_clear(&y);
+    mp_clear(&r_);
+    mp_clear(&s_);
+    mp_clear(&u1);
+    mp_clear(&u2);
+    mp_clear(&v);
+    mp_clear(&w);
+    if (err) {
+	translate_mpi_error(err);
+    }
+    return verified;
+}
diff --git a/security/nss/lib/freebl/fblstdlib.c b/security/nss/lib/freebl/fblstdlib.c
new file mode 100755
index 000000000..7aeb8efef
--- /dev/null
+++ b/security/nss/lib/freebl/fblstdlib.c
@@ -0,0 +1,120 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.	Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.	If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <plstr.h>
+#include "aglobal.h"
+#include "bsafe.h"
+#include "secport.h"
+
+void CALL_CONV T_memset (p, c, count)
+POINTER p;
+int c;
+unsigned int count;
+{
+	if (count >= 0)
+		memset(p, c, count);
+}
+
+void CALL_CONV T_memcpy (d, s, count)
+POINTER d, s;
+unsigned int count;
+{
+	if (count >= 0)
+		memcpy(d, s, count);
+}
+
+void CALL_CONV T_memmove (d, s, count)
+POINTER d, s;
+unsigned int count;
+{
+	if (count >= 0)
+		PORT_Memmove(d, s, count);
+}
+
+int CALL_CONV T_memcmp (s1, s2, count)
+POINTER s1, s2;
+unsigned int count;
+{
+	if (count == 0)
+		return (0);
+	else
+		return(memcmp(s1, s2, count));
+}
+
+POINTER CALL_CONV T_malloc (size)
+unsigned int size;
+{
+	return((POINTER)PORT_Alloc(size == 0 ? 1 : size));
+}
+
+POINTER CALL_CONV T_realloc (p, size)
+POINTER p;
+unsigned int size;
+{
+	POINTER result;
+  
+	if (p == NULL_PTR)
+		return (T_malloc(size));
+
+	if ((result = (POINTER)PORT_Realloc(p, size == 0 ? 1 : size)) == NULL_PTR)
+		PORT_Free(p);
+  return (result);
+}
+
+void CALL_CONV T_free (p)
+POINTER p;
+{
+	if (p != NULL_PTR)
+		PORT_Free(p);
+}
+
+unsigned int CALL_CONV T_strlen(p)
+char *p;
+{
+    return PL_strlen(p);
+}
+
+void CALL_CONV T_strcpy(dest, src)
+char *dest;
+char *src;
+{
+    PL_strcpy(dest, src);
+}
+
+int CALL_CONV T_strcmp (a, b)
+char *a, *b;
+{
+  return (PL_strcmp (a, b));
+}
diff --git a/security/nss/lib/freebl/ldvector.c b/security/nss/lib/freebl/ldvector.c
new file mode 100644
index 000000000..ef97116e3
--- /dev/null
+++ b/security/nss/lib/freebl/ldvector.c
@@ -0,0 +1,127 @@
+/*
+ * ldvector.c - platform dependent DSO containing freebl implementation.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "loader.h"
+
+static const struct FREEBLVectorStr vector = {
+
+    sizeof vector,
+    FREEBL_VERSION,
+
+    RSA_NewKey,
+    RSA_PublicKeyOp,
+    RSA_PrivateKeyOp,
+    DSA_NewKey,
+    DSA_SignDigest,
+    DSA_VerifyDigest,
+    DSA_NewKeyFromSeed,
+    DSA_SignDigestWithSeed,
+    DH_GenParam,
+    DH_NewKey,
+    DH_Derive,
+    KEA_Derive,
+    KEA_Verify,
+    RC4_CreateContext,
+    RC4_DestroyContext,
+    RC4_Encrypt,
+    RC4_Decrypt,
+    RC2_CreateContext,
+    RC2_DestroyContext,
+    RC2_Encrypt,
+    RC2_Decrypt,
+    RC5_CreateContext,
+    RC5_DestroyContext,
+    RC5_Encrypt,
+    RC5_Decrypt,
+    DES_CreateContext,
+    DES_DestroyContext,
+    DES_Encrypt,
+    DES_Decrypt,
+    AES_CreateContext,
+    AES_DestroyContext,
+    AES_Encrypt,
+    AES_Decrypt,
+    MD5_Hash,
+    MD5_HashBuf,
+    MD5_NewContext,
+    MD5_DestroyContext,
+    MD5_Begin,
+    MD5_Update,
+    MD5_End,
+    MD5_FlattenSize,
+    MD5_Flatten,
+    MD5_Resurrect,
+    MD5_TraceState,
+    MD2_Hash,
+    MD2_NewContext,
+    MD2_DestroyContext,
+    MD2_Begin,
+    MD2_Update,
+    MD2_End,
+    MD2_FlattenSize,
+    MD2_Flatten,
+    MD2_Resurrect,
+    SHA1_Hash,
+    SHA1_HashBuf,
+    SHA1_NewContext,
+    SHA1_DestroyContext,
+    SHA1_Begin,
+    SHA1_Update,
+    SHA1_End,
+    SHA1_TraceState,
+    SHA1_FlattenSize,
+    SHA1_Flatten,
+    SHA1_Resurrect,
+    RNG_RNGInit,
+    RNG_RandomUpdate,
+    RNG_GenerateGlobalRandomBytes,
+    RNG_RNGShutdown,
+    PQG_ParamGen,
+    PQG_ParamGenSeedLen,
+    PQG_VerifyParams,
+    RSA_PrivateKeyOpDoubleChecked,
+    RSA_PrivateKeyCheck,
+    BL_Cleanup,
+};
+
+
+const FREEBLVector * 
+FREEBL_GetVector(void)
+{
+  return &vector;
+}
+
diff --git a/security/nss/lib/freebl/loader.c b/security/nss/lib/freebl/loader.c
new file mode 100644
index 000000000..c1045faef
--- /dev/null
+++ b/security/nss/lib/freebl/loader.c
@@ -0,0 +1,959 @@
+/*
+ * loader.c - load platform dependent DSO containing freebl implementation.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "loader.h"
+#include "prmem.h"
+#include "prerror.h"
+#include "prinit.h"
+
+#if defined(SOLARIS)
+#include <stddef.h>
+#include <strings.h>
+#include <sys/systeminfo.h>
+#if defined(SOLARIS2_5)
+static int
+isHybrid(void)
+{
+    long buflen;
+    int  rv             = 0;    /* false */
+    char buf[256];
+    buflen = sysinfo(SI_MACHINE, buf, sizeof buf);
+    if (buflen > 0) {
+        rv = (!strcmp(buf, "sun4u") || !strcmp(buf, "sun4u1"));
+    }
+    return rv;
+}
+#else   /* SunOS2.6or higher has SI_ISALIST */
+
+static int
+isHybrid(void)
+{
+    long buflen;
+    int  rv             = 0;    /* false */
+    char buf[256];
+    buflen = sysinfo(SI_ISALIST, buf, sizeof buf);
+    if (buflen > 0) {
+#if defined(NSS_USE_64)
+        char * found = strstr(buf, "sparcv9+vis");
+#else
+        char * found = strstr(buf, "sparcv8plus+vis");
+#endif
+        rv = (found != 0);
+    }
+    return rv;
+}
+#endif
+#elif defined(HPUX)
+/* This code tests to see if we're running on a PA2.x CPU.
+** It returns true (1) if so, and false (0) otherwise.
+*/
+static int 
+isHybrid(void)
+{
+    long cpu = sysconf(_SC_CPU_VERSION);
+    return (cpu == CPU_PA_RISC2_0);
+}
+
+#else
+#error "code for this platform is missing."
+#endif
+
+/*
+ * On Solaris, if an application using libnss3.so is linked
+ * with the -R linker option, the -R search patch is only used
+ * to search for the direct dependencies of the application
+ * (such as libnss3.so) and is not used to search for the
+ * dependencies of libnss3.so.  So we build libnss3.so with
+ * the -R '$ORIGIN' linker option to instruct it to search for
+ * its dependencies (libfreebl_*.so) in the same directory
+ * where it resides.  This requires that libnss3.so, not
+ * libnspr4.so, be the shared library that calls dlopen().
+ * Therefore we have to duplicate the relevant code in the PR
+ * load library functions here.
+ */
+
+#if defined(SOLARIS)
+
+#include <dlfcn.h>
+
+typedef struct {
+    void *dlh;
+} BLLibrary;
+
+static BLLibrary *
+bl_LoadLibrary(const char *name)
+{
+    BLLibrary *lib;
+    const char *error;
+
+    lib = PR_NEWZAP(BLLibrary);
+    if (NULL == lib) {
+        PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);
+        return NULL;
+    }
+    lib->dlh = dlopen(name, RTLD_NOW | RTLD_LOCAL);
+    if (NULL == lib->dlh) {
+        PR_SetError(PR_LOAD_LIBRARY_ERROR, 0);
+        error = dlerror();
+        if (NULL != error)
+            PR_SetErrorText(strlen(error), error);
+        PR_Free(lib);
+        return NULL;
+    }
+    return lib;
+}
+
+static void *
+bl_FindSymbol(BLLibrary *lib, const char *name)
+{
+    void *f;
+    const char *error;
+
+    f = dlsym(lib->dlh, name);
+    if (NULL == f) {
+        PR_SetError(PR_FIND_SYMBOL_ERROR, 0);
+        error = dlerror();
+        if (NULL != error)
+            PR_SetErrorText(strlen(error), error);
+    }
+    return f;
+}
+
+static PRStatus
+bl_UnloadLibrary(BLLibrary *lib)
+{
+    const char *error;
+
+    if (dlclose(lib->dlh) == -1) {
+        PR_SetError(PR_UNLOAD_LIBRARY_ERROR, 0);
+        error = dlerror();
+        if (NULL != error)
+            PR_SetErrorText(strlen(error), error);
+        return PR_FAILURE;
+    }
+    PR_Free(lib);
+    return PR_SUCCESS;
+}
+
+#elif defined(HPUX)
+
+#include <dl.h>
+#include <string.h>
+#include <errno.h>
+
+typedef struct {
+    shl_t dlh;
+} BLLibrary;
+
+static BLLibrary *
+bl_LoadLibrary(const char *name)
+{
+    BLLibrary *lib;
+    const char *error;
+
+    lib = PR_NEWZAP(BLLibrary);
+    if (NULL == lib) {
+        PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);
+        return NULL;
+    }
+    lib->dlh = shl_load(name, DYNAMIC_PATH | BIND_IMMEDIATE, 0L);
+    if (NULL == lib->dlh) {
+        PR_SetError(PR_LOAD_LIBRARY_ERROR, errno);
+        error = strerror(errno);
+        if (NULL != error)
+            PR_SetErrorText(strlen(error), error);
+        PR_Free(lib);
+        return NULL;
+    }
+    return lib;
+}
+
+static void *
+bl_FindSymbol(BLLibrary *lib, const char *name)
+{
+    void *f;
+    const char *error;
+
+    if (shl_findsym(&lib->dlh, name, TYPE_PROCEDURE, &f) == -1) {
+        f = NULL;
+        PR_SetError(PR_FIND_SYMBOL_ERROR, errno);
+        error = strerror(errno);
+        if (NULL != error)
+            PR_SetErrorText(strlen(error), error);
+    }
+    return f;
+}
+
+static PRStatus
+bl_UnloadLibrary(BLLibrary *lib)
+{
+    const char *error;
+
+    if (shl_unload(lib->dlh) == -1) {
+        PR_SetError(PR_UNLOAD_LIBRARY_ERROR, errno);
+        error = strerror(errno);
+        if (NULL != error)
+            PR_SetErrorText(strlen(error), error);
+        return PR_FAILURE;
+    }
+    PR_Free(lib);
+    return PR_SUCCESS;
+}
+
+#else
+#error "code for this platform is missing."
+#endif
+
+#define LSB(x) ((x)&0xff)
+#define MSB(x) ((x)>>8)
+
+static const FREEBLVector *vector;
+
+/* This function must be run only once. */
+/*  determine if hybrid platform, then actually load the DSO. */
+static PRStatus
+freebl_LoadDSO( void ) 
+{
+  int          hybrid   = isHybrid();
+  BLLibrary *  handle;
+  const char * name;
+
+  name = hybrid ?
+#if defined( AIX )
+	       "libfreebl_hybrid_3_shr.a" : "libfreebl_pure32_3_shr.a";
+#elif defined( HPUX )
+               "libfreebl_hybrid_3.sl"    : "libfreebl_pure32_3.sl";
+#else
+               "libfreebl_hybrid_3.so"    : "libfreebl_pure32_3.so";
+#endif
+
+  handle = bl_LoadLibrary(name);
+  if (handle) {
+    void * address = bl_FindSymbol(handle, "FREEBL_GetVector");
+    if (address) {
+      FREEBLGetVectorFn  * getVector = (FREEBLGetVectorFn *)address;
+      const FREEBLVector * dsoVector = getVector();
+      if (dsoVector) {
+	unsigned short dsoVersion = dsoVector->version;
+	unsigned short  myVersion = FREEBL_VERSION;
+	if (MSB(dsoVersion) == MSB(myVersion) && 
+	    LSB(dsoVersion) >= LSB(myVersion) &&
+	    dsoVector->length >= sizeof(FREEBLVector)) {
+	  vector = dsoVector;
+	  return PR_SUCCESS;
+	}
+      }
+    }
+    bl_UnloadLibrary(handle);
+  }
+  return PR_FAILURE;
+}
+
+static PRStatus
+freebl_RunLoaderOnce( void )
+{
+  PRStatus status;
+  static PRCallOnceType once;
+
+  status = PR_CallOnce(&once, &freebl_LoadDSO);
+  return status;
+}
+
+
+RSAPrivateKey * 
+RSA_NewKey(int keySizeInBits, SECItem * publicExponent)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_RSA_NewKey)(keySizeInBits, publicExponent);
+}
+
+SECStatus 
+RSA_PublicKeyOp(RSAPublicKey *   key,
+				 unsigned char *  output,
+				 const unsigned char *  input)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RSA_PublicKeyOp)(key, output, input);
+}
+
+SECStatus 
+RSA_PrivateKeyOp(RSAPrivateKey *  key,
+				  unsigned char *  output,
+				  const unsigned char *  input)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RSA_PrivateKeyOp)(key, output, input);
+}
+
+SECStatus
+RSA_PrivateKeyOpDoubleChecked(RSAPrivateKey *key,
+                              unsigned char *output,
+                              const unsigned char *input)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RSA_PrivateKeyOpDoubleChecked)(key, output, input);
+}
+
+SECStatus
+RSA_PrivateKeyCheck(RSAPrivateKey *key)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RSA_PrivateKeyCheck)(key);
+}
+
+SECStatus 
+DSA_NewKey(const PQGParams * params, DSAPrivateKey ** privKey)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_DSA_NewKey)(params, privKey);
+}
+
+SECStatus 
+DSA_SignDigest(DSAPrivateKey * key, SECItem * signature, const SECItem * digest)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_DSA_SignDigest)( key,  signature,  digest);
+}
+
+SECStatus 
+DSA_VerifyDigest(DSAPublicKey * key, const SECItem * signature, 
+                 const SECItem * digest)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_DSA_VerifyDigest)( key,  signature,  digest);
+}
+
+SECStatus 
+DSA_NewKeyFromSeed(const PQGParams *params, const unsigned char * seed,
+                   DSAPrivateKey **privKey)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_DSA_NewKeyFromSeed)(params,  seed, privKey);
+}
+
+SECStatus 
+DSA_SignDigestWithSeed(DSAPrivateKey * key, SECItem * signature,
+		       const SECItem * digest, const unsigned char * seed)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_DSA_SignDigestWithSeed)( key, signature, digest, seed);
+}
+
+SECStatus 
+DH_GenParam(int primeLen, DHParams ** params)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_DH_GenParam)(primeLen, params);
+}
+
+SECStatus 
+DH_NewKey(DHParams * params, DHPrivateKey ** privKey)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_DH_NewKey)( params, privKey);
+}
+
+SECStatus 
+DH_Derive(SECItem * publicValue, SECItem * prime, SECItem * privateValue, 
+			 SECItem * derivedSecret, unsigned int maxOutBytes)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_DH_Derive)( publicValue, prime, privateValue, 
+				derivedSecret, maxOutBytes);
+}
+
+SECStatus 
+KEA_Derive(SECItem *prime, SECItem *public1, SECItem *public2, 
+	   SECItem *private1, SECItem *private2, SECItem *derivedSecret)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_KEA_Derive)(prime, public1, public2, 
+	                        private1, private2, derivedSecret);
+}
+
+PRBool 
+KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return PR_FALSE;
+  return (vector->p_KEA_Verify)(Y, prime, subPrime);
+}
+
+RC4Context *
+RC4_CreateContext(unsigned char *key, int len)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_RC4_CreateContext)(key, len);
+}
+
+void 
+RC4_DestroyContext(RC4Context *cx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_RC4_DestroyContext)(cx, freeit);
+}
+
+SECStatus 
+RC4_Encrypt(RC4Context *cx, unsigned char *output, unsigned int *outputLen, 
+	    unsigned int maxOutputLen, const unsigned char *input, 
+	    unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RC4_Encrypt)(cx, output, outputLen, maxOutputLen, input, 
+	                         inputLen);
+}
+
+SECStatus 
+RC4_Decrypt(RC4Context *cx, unsigned char *output, unsigned int *outputLen, 
+	    unsigned int maxOutputLen, const unsigned char *input, 
+	    unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RC4_Decrypt)(cx, output, outputLen, maxOutputLen, input, 
+	                         inputLen);
+}
+
+RC2Context *
+RC2_CreateContext(unsigned char *key, unsigned int len,
+		  unsigned char *iv, int mode, unsigned effectiveKeyLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_RC2_CreateContext)(key, len, iv, mode, effectiveKeyLen);
+}
+
+void 
+RC2_DestroyContext(RC2Context *cx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_RC2_DestroyContext)(cx, freeit);
+}
+
+SECStatus 
+RC2_Encrypt(RC2Context *cx, unsigned char *output, unsigned int *outputLen, 
+	    unsigned int maxOutputLen, const unsigned char *input, 
+	    unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RC2_Encrypt)(cx, output, outputLen, maxOutputLen, input, 
+	                         inputLen);
+}
+
+SECStatus 
+RC2_Decrypt(RC2Context *cx, unsigned char *output, unsigned int *outputLen, 
+	    unsigned int maxOutputLen, const unsigned char *input, 
+	    unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RC2_Decrypt)(cx, output, outputLen, maxOutputLen, input, 
+	                         inputLen);
+}
+
+RC5Context *
+RC5_CreateContext(SECItem *key, unsigned int rounds,
+                     unsigned int wordSize, unsigned char *iv, int mode)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_RC5_CreateContext)(key, rounds, wordSize, iv, mode);
+}
+
+void 
+RC5_DestroyContext(RC5Context *cx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_RC5_DestroyContext)(cx, freeit);
+}
+
+SECStatus 
+RC5_Encrypt(RC5Context *cx, unsigned char *output, unsigned int *outputLen, 
+	    unsigned int maxOutputLen, const unsigned char *input, 
+	    unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RC5_Encrypt)(cx, output, outputLen, maxOutputLen, input, 
+				 inputLen);
+}
+
+SECStatus 
+RC5_Decrypt(RC5Context *cx, unsigned char *output, unsigned int *outputLen, 
+	    unsigned int maxOutputLen, const unsigned char *input, 
+	    unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RC5_Decrypt)(cx, output, outputLen, maxOutputLen, input, 
+	                         inputLen);
+}
+
+DESContext *
+DES_CreateContext(unsigned char *key, unsigned char *iv,
+				     int mode, PRBool encrypt)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_DES_CreateContext)(key, iv, mode, encrypt);
+}
+
+void 
+DES_DestroyContext(DESContext *cx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_DES_DestroyContext)(cx, freeit);
+}
+
+SECStatus 
+DES_Encrypt(DESContext *cx, unsigned char *output, unsigned int *outputLen, 
+	    unsigned int maxOutputLen, const unsigned char *input, 
+	    unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_DES_Encrypt)(cx, output, outputLen, maxOutputLen, input, 
+	                         inputLen);
+}
+
+SECStatus 
+DES_Decrypt(DESContext *cx, unsigned char *output, unsigned int *outputLen, 
+	    unsigned int maxOutputLen, const unsigned char *input, 
+	    unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_DES_Decrypt)(cx, output, outputLen, maxOutputLen, input, 
+	                         inputLen);
+}
+
+AESContext *
+AES_CreateContext(unsigned char *key, unsigned char *iv, int mode, int encrypt,
+                  unsigned int keylen, unsigned int blocklen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_AES_CreateContext)(key, iv, mode, encrypt, keylen, 
+				       blocklen);
+}
+
+void 
+AES_DestroyContext(AESContext *cx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_AES_DestroyContext)(cx, freeit);
+}
+
+SECStatus 
+AES_Encrypt(AESContext *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_AES_Encrypt)(cx, output, outputLen, maxOutputLen, 
+				 input, inputLen);
+}
+
+SECStatus 
+AES_Decrypt(AESContext *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_AES_Decrypt)(cx, output, outputLen, maxOutputLen, 
+				 input, inputLen);
+}
+
+SECStatus 
+MD5_Hash(unsigned char *dest, const char *src)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_MD5_Hash)(dest, src);
+}
+
+SECStatus 
+MD5_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_MD5_HashBuf)(dest, src, src_length);
+}
+
+MD5Context *
+MD5_NewContext(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_MD5_NewContext)();
+}
+
+void 
+MD5_DestroyContext(MD5Context *cx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_MD5_DestroyContext)(cx, freeit);
+}
+
+void 
+MD5_Begin(MD5Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_MD5_Begin)(cx);
+}
+
+void 
+MD5_Update(MD5Context *cx, const unsigned char *input, unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_MD5_Update)(cx, input, inputLen);
+}
+
+void 
+MD5_End(MD5Context *cx, unsigned char *digest,
+		    unsigned int *digestLen, unsigned int maxDigestLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_MD5_End)(cx, digest, digestLen, maxDigestLen);
+}
+
+unsigned int 
+MD5_FlattenSize(MD5Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return 0;
+  return (vector->p_MD5_FlattenSize)(cx);
+}
+
+SECStatus 
+MD5_Flatten(MD5Context *cx,unsigned char *space)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_MD5_Flatten)(cx, space);
+}
+
+MD5Context * 
+MD5_Resurrect(unsigned char *space, void *arg)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_MD5_Resurrect)(space, arg);
+}
+
+void 
+MD5_TraceState(MD5Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_MD5_TraceState)(cx);
+}
+
+SECStatus 
+MD2_Hash(unsigned char *dest, const char *src)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_MD2_Hash)(dest, src);
+}
+
+MD2Context *
+MD2_NewContext(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_MD2_NewContext)();
+}
+
+void 
+MD2_DestroyContext(MD2Context *cx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_MD2_DestroyContext)(cx, freeit);
+}
+
+void 
+MD2_Begin(MD2Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_MD2_Begin)(cx);
+}
+
+void 
+MD2_Update(MD2Context *cx, const unsigned char *input, unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_MD2_Update)(cx, input, inputLen);
+}
+
+void 
+MD2_End(MD2Context *cx, unsigned char *digest,
+		    unsigned int *digestLen, unsigned int maxDigestLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_MD2_End)(cx, digest, digestLen, maxDigestLen);
+}
+
+unsigned int 
+MD2_FlattenSize(MD2Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return 0;
+  return (vector->p_MD2_FlattenSize)(cx);
+}
+
+SECStatus 
+MD2_Flatten(MD2Context *cx,unsigned char *space)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_MD2_Flatten)(cx, space);
+}
+
+MD2Context * 
+MD2_Resurrect(unsigned char *space, void *arg)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_MD2_Resurrect)(space, arg);
+}
+
+
+SECStatus 
+SHA1_Hash(unsigned char *dest, const char *src)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_SHA1_Hash)(dest, src);
+}
+
+SECStatus 
+SHA1_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_SHA1_HashBuf)(dest, src, src_length);
+}
+
+SHA1Context *
+SHA1_NewContext(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_SHA1_NewContext)();
+}
+
+void 
+SHA1_DestroyContext(SHA1Context *cx, PRBool freeit)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA1_DestroyContext)(cx, freeit);
+}
+
+void 
+SHA1_Begin(SHA1Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA1_Begin)(cx);
+}
+
+void 
+SHA1_Update(SHA1Context *cx, const unsigned char *input,
+			unsigned int inputLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA1_Update)(cx, input, inputLen);
+}
+
+void 
+SHA1_End(SHA1Context *cx, unsigned char *digest,
+		     unsigned int *digestLen, unsigned int maxDigestLen)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA1_End)(cx, digest, digestLen, maxDigestLen);
+}
+
+void 
+SHA1_TraceState(SHA1Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_SHA1_TraceState)(cx);
+}
+
+unsigned int 
+SHA1_FlattenSize(SHA1Context *cx)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return 0;
+  return (vector->p_SHA1_FlattenSize)(cx);
+}
+
+SECStatus 
+SHA1_Flatten(SHA1Context *cx,unsigned char *space)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_SHA1_Flatten)(cx, space);
+}
+
+SHA1Context * 
+SHA1_Resurrect(unsigned char *space, void *arg)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return NULL;
+  return (vector->p_SHA1_Resurrect)(space, arg);
+}
+
+SECStatus 
+RNG_RNGInit(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RNG_RNGInit)();
+}
+
+SECStatus 
+RNG_RandomUpdate(const void *data, size_t bytes)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RNG_RandomUpdate)(data, bytes);
+}
+
+SECStatus 
+RNG_GenerateGlobalRandomBytes(void *dest, size_t len)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_RNG_GenerateGlobalRandomBytes)(dest, len);
+}
+
+void  
+RNG_RNGShutdown(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return ;
+  (vector->p_RNG_RNGShutdown)();
+}
+
+SECStatus
+PQG_ParamGen(unsigned int j, PQGParams **pParams, PQGVerify **pVfy)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_PQG_ParamGen)(j, pParams, pVfy); 
+}
+
+SECStatus
+PQG_ParamGenSeedLen( unsigned int j, unsigned int seedBytes, 
+                     PQGParams **pParams, PQGVerify **pVfy)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_PQG_ParamGenSeedLen)(j, seedBytes, pParams, pVfy);
+}
+
+SECStatus   
+PQG_VerifyParams(const PQGParams *params, const PQGVerify *vfy, 
+		 SECStatus *result)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_PQG_VerifyParams)(params, vfy, result);
+}
+#if 0
+void 
+PQG_DestroyParams(PQGParams *params)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_PQG_DestroyParams)( params);
+}
+
+void 
+PQG_DestroyVerify(PQGVerify *vfy)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_PQG_DestroyVerify)( vfy);
+}
+#endif
+
+void 
+BL_Cleanup(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return;
+  (vector->p_BL_Cleanup)();
+}
diff --git a/security/nss/lib/freebl/loader.h b/security/nss/lib/freebl/loader.h
new file mode 100644
index 000000000..33a4d1bdf
--- /dev/null
+++ b/security/nss/lib/freebl/loader.h
@@ -0,0 +1,273 @@
+/*
+ * loader.h - load platform dependent DSO containing freebl implementation.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#ifndef _LOADER_H_
+#define _LOADER_H_ 1
+
+#include "blapi.h"
+
+#define FREEBL_VERSION 0x0302
+
+struct FREEBLVectorStr {
+
+  unsigned short length;  /* of this struct in bytes */
+  unsigned short version; /* of this struct. */
+
+  RSAPrivateKey * (* p_RSA_NewKey)(int         keySizeInBits,
+				 SECItem *   publicExponent);
+
+  SECStatus (* p_RSA_PublicKeyOp) (RSAPublicKey *   key,
+				 unsigned char *  output,
+				 const unsigned char *  input);
+
+  SECStatus (* p_RSA_PrivateKeyOp)(RSAPrivateKey *  key,
+				  unsigned char *  output,
+				  const unsigned char *  input);
+
+  SECStatus (* p_DSA_NewKey)(const PQGParams *    params, 
+		            DSAPrivateKey **      privKey);
+
+  SECStatus (* p_DSA_SignDigest)(DSAPrivateKey *   key,
+				SECItem *         signature,
+				const SECItem *   digest);
+
+  SECStatus (* p_DSA_VerifyDigest)(DSAPublicKey *  key,
+				  const SECItem *  signature,
+				  const SECItem *  digest);
+
+  SECStatus (* p_DSA_NewKeyFromSeed)(const PQGParams *params, 
+				     const unsigned char * seed,
+                                     DSAPrivateKey **privKey);
+
+  SECStatus (* p_DSA_SignDigestWithSeed)(DSAPrivateKey * key,
+				        SECItem *             signature,
+				        const SECItem *       digest,
+				        const unsigned char * seed);
+
+ SECStatus (* p_DH_GenParam)(int primeLen, DHParams ** params);
+
+ SECStatus (* p_DH_NewKey)(DHParams *           params, 
+                           DHPrivateKey **	privKey);
+
+ SECStatus (* p_DH_Derive)(SECItem *    publicValue, 
+		           SECItem *    prime, 
+			   SECItem *    privateValue, 
+			   SECItem *    derivedSecret,
+			   unsigned int maxOutBytes);
+
+ SECStatus (* p_KEA_Derive)(SECItem *prime, 
+                            SECItem *public1, 
+                            SECItem *public2, 
+			    SECItem *private1, 
+			    SECItem *private2,
+			    SECItem *derivedSecret);
+
+ PRBool (* p_KEA_Verify)(SECItem *Y, SECItem *prime, SECItem *subPrime);
+
+ RC4Context * (* p_RC4_CreateContext)(unsigned char *key, int len);
+
+ void (* p_RC4_DestroyContext)(RC4Context *cx, PRBool freeit);
+
+ SECStatus (* p_RC4_Encrypt)(RC4Context *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+ SECStatus (* p_RC4_Decrypt)(RC4Context *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+ RC2Context * (* p_RC2_CreateContext)(unsigned char *key, unsigned int len,
+		     unsigned char *iv, int mode, unsigned effectiveKeyLen);
+
+ void (* p_RC2_DestroyContext)(RC2Context *cx, PRBool freeit);
+
+ SECStatus (* p_RC2_Encrypt)(RC2Context *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+ SECStatus (* p_RC2_Decrypt)(RC2Context *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+ RC5Context *(* p_RC5_CreateContext)(SECItem *key, unsigned int rounds,
+                     unsigned int wordSize, unsigned char *iv, int mode);
+
+ void (* p_RC5_DestroyContext)(RC5Context *cx, PRBool freeit);
+
+ SECStatus (* p_RC5_Encrypt)(RC5Context *cx, unsigned char *output,
+                            unsigned int *outputLen, unsigned int maxOutputLen,
+                            const unsigned char *input, unsigned int inputLen);
+
+ SECStatus (* p_RC5_Decrypt)(RC5Context *cx, unsigned char *output,
+                            unsigned int *outputLen, unsigned int maxOutputLen,
+                            const unsigned char *input, unsigned int inputLen);
+
+ DESContext *(* p_DES_CreateContext)(unsigned char *key, unsigned char *iv,
+				     int mode, PRBool encrypt);
+
+ void (* p_DES_DestroyContext)(DESContext *cx, PRBool freeit);
+
+ SECStatus (* p_DES_Encrypt)(DESContext *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+ SECStatus (* p_DES_Decrypt)(DESContext *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+ AESContext * (* p_AES_CreateContext)(unsigned char *key, unsigned char *iv, 
+			    int mode, int encrypt, unsigned int keylen, 
+			    unsigned int blocklen);
+
+ void (* p_AES_DestroyContext)(AESContext *cx, PRBool freeit);
+
+ SECStatus (* p_AES_Encrypt)(AESContext *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+ SECStatus (* p_AES_Decrypt)(AESContext *cx, unsigned char *output,
+			    unsigned int *outputLen, unsigned int maxOutputLen,
+			    const unsigned char *input, unsigned int inputLen);
+
+ SECStatus (* p_MD5_Hash)(unsigned char *dest, const char *src);
+
+ SECStatus (* p_MD5_HashBuf)(unsigned char *dest, const unsigned char *src,
+			     uint32 src_length);
+
+ MD5Context *(* p_MD5_NewContext)(void);
+
+ void (* p_MD5_DestroyContext)(MD5Context *cx, PRBool freeit);
+
+ void (* p_MD5_Begin)(MD5Context *cx);
+
+ void (* p_MD5_Update)(MD5Context *cx,
+		       const unsigned char *input, unsigned int inputLen);
+
+ void (* p_MD5_End)(MD5Context *cx, unsigned char *digest,
+		    unsigned int *digestLen, unsigned int maxDigestLen);
+
+ unsigned int (* p_MD5_FlattenSize)(MD5Context *cx);
+
+ SECStatus (* p_MD5_Flatten)(MD5Context *cx,unsigned char *space);
+
+ MD5Context * (* p_MD5_Resurrect)(unsigned char *space, void *arg);
+
+ void (* p_MD5_TraceState)(MD5Context *cx);
+
+ SECStatus (* p_MD2_Hash)(unsigned char *dest, const char *src);
+
+ MD2Context *(* p_MD2_NewContext)(void);
+
+ void (* p_MD2_DestroyContext)(MD2Context *cx, PRBool freeit);
+
+ void (* p_MD2_Begin)(MD2Context *cx);
+
+ void (* p_MD2_Update)(MD2Context *cx,
+		       const unsigned char *input, unsigned int inputLen);
+
+ void (* p_MD2_End)(MD2Context *cx, unsigned char *digest,
+		    unsigned int *digestLen, unsigned int maxDigestLen);
+
+ unsigned int (* p_MD2_FlattenSize)(MD2Context *cx);
+
+ SECStatus (* p_MD2_Flatten)(MD2Context *cx,unsigned char *space);
+
+ MD2Context * (* p_MD2_Resurrect)(unsigned char *space, void *arg);
+
+ SECStatus (* p_SHA1_Hash)(unsigned char *dest, const char *src);
+
+ SECStatus (* p_SHA1_HashBuf)(unsigned char *dest, const unsigned char *src,
+			      uint32 src_length);
+
+ SHA1Context *(* p_SHA1_NewContext)(void);
+
+ void (* p_SHA1_DestroyContext)(SHA1Context *cx, PRBool freeit);
+
+ void (* p_SHA1_Begin)(SHA1Context *cx);
+
+ void (* p_SHA1_Update)(SHA1Context *cx, const unsigned char *input,
+			unsigned int inputLen);
+
+ void (* p_SHA1_End)(SHA1Context *cx, unsigned char *digest,
+		     unsigned int *digestLen, unsigned int maxDigestLen);
+
+ void (* p_SHA1_TraceState)(SHA1Context *cx);
+
+ unsigned int (* p_SHA1_FlattenSize)(SHA1Context *cx);
+
+ SECStatus (* p_SHA1_Flatten)(SHA1Context *cx,unsigned char *space);
+
+ SHA1Context * (* p_SHA1_Resurrect)(unsigned char *space, void *arg);
+
+ SECStatus (* p_RNG_RNGInit)(void);
+
+ SECStatus (* p_RNG_RandomUpdate)(const void *data, size_t bytes);
+
+ SECStatus (* p_RNG_GenerateGlobalRandomBytes)(void *dest, size_t len);
+
+ void  (* p_RNG_RNGShutdown)(void);
+
+ SECStatus (* p_PQG_ParamGen)(unsigned int j, PQGParams **pParams,  
+	                      PQGVerify **pVfy);    
+
+ SECStatus (* p_PQG_ParamGenSeedLen)( unsigned int j, unsigned int seedBytes, 
+                                     PQGParams **pParams, PQGVerify **pVfy); 
+
+ SECStatus (* p_PQG_VerifyParams)(const PQGParams *params, 
+                                  const PQGVerify *vfy, SECStatus *result);
+
+  SECStatus (* p_RSA_PrivateKeyOpDoubleChecked)(RSAPrivateKey *key,
+                              unsigned char *output,
+                              const unsigned char *input);
+
+  SECStatus (* p_RSA_PrivateKeyCheck)(RSAPrivateKey *key);
+
+  void (* p_BL_Cleanup)(void);
+
+};
+
+typedef struct FREEBLVectorStr FREEBLVector;
+
+SEC_BEGIN_PROTOS
+
+typedef const FREEBLVector * FREEBLGetVectorFn(void);
+
+extern FREEBLGetVectorFn FREEBL_GetVector;
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/freebl/mac_rand.c b/security/nss/lib/freebl/mac_rand.c
new file mode 100644
index 000000000..8578dfa08
--- /dev/null
+++ b/security/nss/lib/freebl/mac_rand.c
@@ -0,0 +1,315 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef notdef
+#include "xp_core.h"
+#include "xp_file.h"
+#endif
+#include "secrng.h"
+#include "mcom_db.h"
+#ifdef XP_MAC
+#include <Events.h>
+#include <OSUtils.h>
+#include <QDOffscreen.h>
+#include <PPCToolbox.h>
+#include <Processes.h>
+#include <LowMem.h>
+#include <Scrap.h>
+
+/* Static prototypes */
+static size_t CopyLowBits(void *dst, size_t dstlen, void *src, size_t srclen);
+void FE_ReadScreen();
+
+static size_t CopyLowBits(void *dst, size_t dstlen, void *src, size_t srclen)
+{
+    union endianness {
+        int32 i;
+        char c[4];
+    } u;
+
+    if (srclen <= dstlen) {
+        memcpy(dst, src, srclen);
+        return srclen;
+    }
+    u.i = 0x01020304;
+    if (u.c[0] == 0x01) {
+        /* big-endian case */
+        memcpy(dst, (char*)src + (srclen - dstlen), dstlen);
+    } else {
+        /* little-endian case */
+        memcpy(dst, src, dstlen);
+    }
+    return dstlen;
+}
+
+size_t RNG_GetNoise(void *buf, size_t maxbytes)
+{
+    UnsignedWide microTickCount;
+    Microseconds(&microTickCount);
+    return CopyLowBits(buf, maxbytes,  &microTickCount, sizeof(microTickCount));
+}
+
+void RNG_FileForRNG(const char *filename)
+{   
+    unsigned char buffer[BUFSIZ];
+    size_t bytes;
+#ifdef notdef /*sigh*/
+    XP_File file;
+	unsigned long totalFileBytes = 0;
+
+	if (filename == NULL)	/* For now, read in global history if filename is null */
+		file = XP_FileOpen(NULL, xpGlobalHistory,XP_FILE_READ_BIN);
+	else
+		file = XP_FileOpen(NULL, xpURL,XP_FILE_READ_BIN);
+    if (file != NULL) {
+        for (;;) {
+            bytes = XP_FileRead(buffer, sizeof(buffer), file);
+            if (bytes == 0) break;
+            RNG_RandomUpdate( buffer, bytes);
+            totalFileBytes += bytes;
+            if (totalFileBytes > 100*1024) break;	/* No more than 100 K */
+        }
+		XP_FileClose(file);
+    }
+#endif
+    /*
+     * Pass yet another snapshot of our highest resolution clock into
+     * the hash function.
+     */
+    bytes = RNG_GetNoise(buffer, sizeof(buffer));
+    RNG_RandomUpdate(buffer, sizeof(buffer));
+}
+
+void RNG_SystemInfoForRNG()
+{
+/* Time */
+	{
+		unsigned long sec;
+		size_t bytes;
+		GetDateTime(&sec);	/* Current time since 1970 */
+		RNG_RandomUpdate( &sec, sizeof(sec));
+	    bytes = RNG_GetNoise(&sec, sizeof(sec));
+	    RNG_RandomUpdate(&sec, bytes);
+    }
+/* User specific variables */
+	{
+		MachineLocation loc;
+		ReadLocation(&loc);
+		RNG_RandomUpdate( &loc, sizeof(loc));
+	}
+#if !TARGET_CARBON
+/* User name */
+	{
+		unsigned long userRef;
+		Str32 userName;
+		GetDefaultUser(&userRef, userName);
+		RNG_RandomUpdate( &userRef, sizeof(userRef));
+		RNG_RandomUpdate( userName, sizeof(userName));
+	}
+#endif
+/* Mouse location */
+	{
+		Point mouseLoc;
+		GetMouse(&mouseLoc);
+		RNG_RandomUpdate( &mouseLoc, sizeof(mouseLoc));
+	}
+/* Keyboard time threshold */
+	{
+		SInt16 keyTresh = LMGetKeyThresh();
+		RNG_RandomUpdate( &keyTresh, sizeof(keyTresh));
+	}
+/* Last key pressed */
+	{
+		SInt8 keyLast;
+		keyLast = LMGetKbdLast();
+		RNG_RandomUpdate( &keyLast, sizeof(keyLast));
+	}
+/* Volume */
+	{
+		UInt8 volume = LMGetSdVolume();
+		RNG_RandomUpdate( &volume, sizeof(volume));
+	}
+#if !TARGET_CARBON
+/* Current directory */
+	{
+		SInt32 dir = LMGetCurDirStore();
+		RNG_RandomUpdate( &dir, sizeof(dir));
+	}
+#endif
+/* Process information about all the processes in the machine */
+	{
+		ProcessSerialNumber 	process;
+		ProcessInfoRec pi;
+	
+		process.highLongOfPSN = process.lowLongOfPSN  = kNoProcess;
+		
+		while (GetNextProcess(&process) == noErr)
+		{
+			FSSpec fileSpec;
+			pi.processInfoLength = sizeof(ProcessInfoRec);
+			pi.processName = NULL;
+			pi.processAppSpec = &fileSpec;
+			GetProcessInformation(&process, &pi);
+			RNG_RandomUpdate( &pi, sizeof(pi));
+			RNG_RandomUpdate( &fileSpec, sizeof(fileSpec));
+		}
+	}
+	
+#if !TARGET_CARBON
+/* Heap */
+	{
+		THz zone = LMGetTheZone();
+		RNG_RandomUpdate( &zone, sizeof(zone));
+	}
+#endif
+	
+/* Screen */
+	{
+		GDHandle h = GetMainDevice();		/* GDHandle is **GDevice */
+		RNG_RandomUpdate( *h, sizeof(GDevice));
+	}
+
+#if !TARGET_CARBON
+/* Scrap size */
+	{
+		SInt32 scrapSize = LMGetScrapSize();
+		RNG_RandomUpdate( &scrapSize, sizeof(scrapSize));
+	}
+/* Scrap count */
+	{
+		SInt16 scrapCount = LMGetScrapCount();
+		RNG_RandomUpdate( &scrapCount, sizeof(scrapCount));
+	}
+#else
+	{
+	    ScrapRef scrap;
+        if (GetCurrentScrap(&scrap) == noErr) {
+            UInt32 flavorCount;
+            if (GetScrapFlavorCount(scrap, &flavorCount) == noErr) {
+                ScrapFlavorInfo* flavorInfo = (ScrapFlavorInfo*) malloc(flavorCount * sizeof(ScrapFlavorInfo));
+                if (flavorInfo != NULL) {
+                    if (GetScrapFlavorInfoList(scrap, &flavorCount, flavorInfo) == noErr) {
+                        UInt32 i;
+                        RNG_RandomUpdate(&flavorCount, sizeof(flavorCount));
+                        for (i = 0; i < flavorCount; ++i) {
+                            Size flavorSize;
+                            if (GetScrapFlavorSize(scrap, flavorInfo[i].flavorType, &flavorSize) == noErr)
+                                RNG_RandomUpdate(&flavorSize, sizeof(flavorSize));
+                        }
+                    }
+                    free(flavorInfo);
+                }
+            }
+        }
+    }
+#endif
+/*  File stuff, last modified, etc. */
+	{
+		HParamBlockRec			pb;
+		GetVolParmsInfoBuffer	volInfo;
+		pb.ioParam.ioVRefNum = 0;
+		pb.ioParam.ioNamePtr = nil;
+		pb.ioParam.ioBuffer = (Ptr) &volInfo;
+		pb.ioParam.ioReqCount = sizeof(volInfo);
+		PBHGetVolParmsSync(&pb);
+		RNG_RandomUpdate( &volInfo, sizeof(volInfo));
+	}
+#if !TARGET_CARBON
+/* Event queue */
+	{
+		EvQElPtr		eventQ;
+		for (eventQ = (EvQElPtr) LMGetEventQueue()->qHead; 
+				eventQ; 
+				eventQ = (EvQElPtr)eventQ->qLink)
+			RNG_RandomUpdate( &eventQ->evtQWhat, sizeof(EventRecord));
+	}
+#endif
+	FE_ReadScreen();
+	RNG_FileForRNG(NULL);
+}
+
+void FE_ReadScreen()
+{
+	UInt16				coords[4];
+	PixMapHandle 		pmap;
+	GDHandle			gh;	
+	UInt16				screenHeight;
+	UInt16				screenWidth;			/* just what they say */
+	UInt32				bytesToRead;			/* number of bytes we're giving */
+	UInt32				offset;					/* offset into the graphics buffer */
+	UInt16				rowBytes;
+	UInt32				rowsToRead;
+	float				bytesPerPixel;			/* dependent on buffer depth */
+	Ptr					p;						/* temporary */
+	UInt16				x, y, w, h;
+
+	gh = LMGetMainDevice();
+	if ( !gh )
+		return;
+	pmap = (**gh).gdPMap;
+	if ( !pmap )
+		return;
+		
+	RNG_GenerateGlobalRandomBytes( coords, sizeof( coords ) );
+	
+	/* make x and y inside the screen rect */	
+	screenHeight = (**pmap).bounds.bottom - (**pmap).bounds.top;
+	screenWidth = (**pmap).bounds.right - (**pmap).bounds.left;
+	x = coords[0] % screenWidth;
+	y = coords[1] % screenHeight;
+	w = ( coords[2] & 0x7F ) | 0x40;		/* Make sure that w is in the range 64..128 */
+	h = ( coords[3] & 0x7F ) | 0x40;		/* same for h */
+
+	bytesPerPixel = (**pmap).pixelSize / 8;
+	rowBytes = (**pmap).rowBytes & 0x7FFF;
+
+	/* starting address */
+	offset = ( rowBytes * y ) + (UInt32)( (float)x * bytesPerPixel );
+	
+	/* don't read past the end of the pixmap's rowbytes */
+	bytesToRead = MIN(	(UInt32)( w * bytesPerPixel ),
+						(UInt32)( rowBytes - ( x * bytesPerPixel ) ) );
+
+	/* don't read past the end of the graphics device pixmap */
+	rowsToRead = MIN(	h, 
+						( screenHeight - y ) );
+	
+	p = GetPixBaseAddr( pmap ) + offset;
+	
+	while ( rowsToRead-- )
+	{
+		RNG_RandomUpdate( p, bytesToRead );
+		p += rowBytes;
+	}
+}
+#endif
diff --git a/security/nss/lib/freebl/manifest.mn b/security/nss/lib/freebl/manifest.mn
new file mode 100644
index 000000000..0a102e6ed
--- /dev/null
+++ b/security/nss/lib/freebl/manifest.mn
@@ -0,0 +1,128 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CORE_DEPTH = ../../..
+
+MODULE = security
+
+ifndef FREEBL_RECURSIVE_BUILD
+  LIBRARY_NAME = freebl
+else
+  ifdef USE_PURE_32
+    CORE_DEPTH = ../../../..
+    LIBRARY_NAME = freebl_pure32
+  else
+    LIBRARY_NAME = freebl_hybrid
+  endif
+endif
+
+# same version as rest of freebl
+LIBRARY_VERSION = _3
+
+REQUIRES = 
+
+EXPORTS = \
+	blapi.h \
+	blapit.h \
+	secrng.h \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	secmpi.h \
+	$(NULL)
+
+MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h
+MPI_SRCS = mpprime.c mpmontg.c mplogic.c mpi.c 
+
+ifdef MOZILLA_BSAFE_BUILD
+CSRCS = \
+	fblstdlib.c \
+	sha_fast.c \
+	md2.c \
+	md5.c \
+	blapi_bsf.c \
+	$(MPI_SRCS) \
+	dh.c \
+	$(NULL)
+else
+CSRCS = \
+	ldvector.c \
+	prng_fips1861.c \
+	sysrand.c \
+	sha_fast.c \
+	md2.c \
+	md5.c \
+	alg2268.c \
+	arcfour.c \
+	arcfive.c \
+	desblapi.c \
+	des.c \
+	rijndael.c \
+	dh.c \
+	pqg.c \
+	dsa.c \
+	rsa.c \
+	$(MPI_SRCS) \
+	$(NULL)
+endif
+
+ALL_CSRCS := $(CSRCS)
+
+ALL_HDRS =  \
+	blapi.h \
+	blapit.h \
+	des.h \
+	loader.h \
+	rijndael.h \
+	secmpi.h \
+	sha.h \
+	sha_fast.h \
+	vis_proto.h \
+	$(NULL)
+
+ifdef AES_GEN_TBL
+DEFINES += -DRIJNDAEL_GENERATE_TABLES
+else 
+ifdef AES_GEN_TBL_M
+DEFINES += -DRIJNDAEL_GENERATE_TABLES_MACRO
+else
+ifdef AES_GEN_VAL
+DEFINES += -DRIJNDAEL_GENERATE_VALUES
+else
+ifdef AES_GEN_VAL_M
+DEFINES += -DRIJNDAEL_GENERATE_VALUES_MACRO
+else
+DEFINES += -DRIJNDAEL_INCLUDE_TABLES
+endif
+endif
+endif
+endif
diff --git a/security/nss/lib/freebl/mapfile.Solaris b/security/nss/lib/freebl/mapfile.Solaris
new file mode 100644
index 000000000..8a39ceceb
--- /dev/null
+++ b/security/nss/lib/freebl/mapfile.Solaris
@@ -0,0 +1,39 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+libfreebl_3.so {
+	global:
+		FREEBL_GetVector;
+	local:
+		*;
+};
diff --git a/security/nss/lib/freebl/md2.c b/security/nss/lib/freebl/md2.c
new file mode 100644
index 000000000..3f7427c14
--- /dev/null
+++ b/security/nss/lib/freebl/md2.c
@@ -0,0 +1,288 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.	Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.	If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "prerr.h"
+#include "secerr.h"
+
+#include "prtypes.h"
+
+#include "blapi.h"
+
+#define MD2_DIGEST_LEN    16
+#define MD2_BUFSIZE       16
+#define MD2_X_SIZE        48  /* The X array, [CV | INPUT | TMP VARS] */
+#define MD2_CV             0  /* index into X for chaining variables */
+#define MD2_INPUT         16  /* index into X for input */
+#define MD2_TMPVARS       32  /* index into X for temporary variables */
+#define MD2_CHECKSUM_SIZE 16
+
+struct MD2ContextStr {
+	unsigned char checksum[MD2_BUFSIZE];
+	unsigned char X[MD2_X_SIZE];
+	PRUint8 unusedBuffer;
+};
+
+static const PRUint8 MD2S[256] = {
+ 0051, 0056, 0103, 0311, 0242, 0330, 0174, 0001,
+ 0075, 0066, 0124, 0241, 0354, 0360, 0006, 0023,
+ 0142, 0247, 0005, 0363, 0300, 0307, 0163, 0214,
+ 0230, 0223, 0053, 0331, 0274, 0114, 0202, 0312,
+ 0036, 0233, 0127, 0074, 0375, 0324, 0340, 0026,
+ 0147, 0102, 0157, 0030, 0212, 0027, 0345, 0022,
+ 0276, 0116, 0304, 0326, 0332, 0236, 0336, 0111,
+ 0240, 0373, 0365, 0216, 0273, 0057, 0356, 0172,
+ 0251, 0150, 0171, 0221, 0025, 0262, 0007, 0077,
+ 0224, 0302, 0020, 0211, 0013, 0042, 0137, 0041,
+ 0200, 0177, 0135, 0232, 0132, 0220, 0062, 0047,
+ 0065, 0076, 0314, 0347, 0277, 0367, 0227, 0003,
+ 0377, 0031, 0060, 0263, 0110, 0245, 0265, 0321,
+ 0327, 0136, 0222, 0052, 0254, 0126, 0252, 0306,
+ 0117, 0270, 0070, 0322, 0226, 0244, 0175, 0266,
+ 0166, 0374, 0153, 0342, 0234, 0164, 0004, 0361,
+ 0105, 0235, 0160, 0131, 0144, 0161, 0207, 0040,
+ 0206, 0133, 0317, 0145, 0346, 0055, 0250, 0002,
+ 0033, 0140, 0045, 0255, 0256, 0260, 0271, 0366,
+ 0034, 0106, 0141, 0151, 0064, 0100, 0176, 0017,
+ 0125, 0107, 0243, 0043, 0335, 0121, 0257, 0072,
+ 0303, 0134, 0371, 0316, 0272, 0305, 0352, 0046,
+ 0054, 0123, 0015, 0156, 0205, 0050, 0204, 0011,
+ 0323, 0337, 0315, 0364, 0101, 0201, 0115, 0122,
+ 0152, 0334, 0067, 0310, 0154, 0301, 0253, 0372,
+ 0044, 0341, 0173, 0010, 0014, 0275, 0261, 0112,
+ 0170, 0210, 0225, 0213, 0343, 0143, 0350, 0155,
+ 0351, 0313, 0325, 0376, 0073, 0000, 0035, 0071,
+ 0362, 0357, 0267, 0016, 0146, 0130, 0320, 0344,
+ 0246, 0167, 0162, 0370, 0353, 0165, 0113, 0012,
+ 0061, 0104, 0120, 0264, 0217, 0355, 0037, 0032,
+ 0333, 0231, 0215, 0063, 0237, 0021, 0203, 0024
+};
+
+SECStatus 
+MD2_Hash(unsigned char *dest, const char *src)
+{
+	unsigned int len;
+	MD2Context *cx = MD2_NewContext();
+	if (!cx) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		return SECFailure;
+	}
+	MD2_Begin(cx);
+	MD2_Update(cx, (unsigned char *)src, PL_strlen(src));
+	MD2_End(cx, dest, &len, MD2_DIGEST_LEN);
+	MD2_DestroyContext(cx, PR_TRUE);
+	return SECSuccess;
+}
+
+MD2Context *
+MD2_NewContext(void)
+{
+	MD2Context *cx = (MD2Context *)PORT_ZAlloc(sizeof(MD2Context));
+	if (cx == NULL) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		return NULL;
+	}
+	return cx;
+}
+
+void 
+MD2_DestroyContext(MD2Context *cx, PRBool freeit)
+{
+	if (freeit)
+		PORT_ZFree(cx, sizeof(*cx));
+}
+
+void 
+MD2_Begin(MD2Context *cx)
+{
+	memset(cx, 0, sizeof(*cx));
+	cx->unusedBuffer = MD2_BUFSIZE;
+}
+
+static void
+md2_compress(MD2Context *cx)
+{
+	int j;
+	unsigned char P;
+	P = cx->checksum[MD2_CHECKSUM_SIZE-1];
+	/* Compute the running checksum, and set the tmp variables to be 
+	 * CV[i] XOR input[i] 
+	 */
+#define CKSUMFN(n) \
+	P = cx->checksum[n] ^ MD2S[cx->X[MD2_INPUT+n] ^ P]; \
+	cx->checksum[n] = P; \
+	cx->X[MD2_TMPVARS+n] = cx->X[n] ^ cx->X[MD2_INPUT+n];
+	CKSUMFN(0);
+	CKSUMFN(1);
+	CKSUMFN(2);
+	CKSUMFN(3);
+	CKSUMFN(4);
+	CKSUMFN(5);
+	CKSUMFN(6);
+	CKSUMFN(7);
+	CKSUMFN(8);
+	CKSUMFN(9);
+	CKSUMFN(10);
+	CKSUMFN(11);
+	CKSUMFN(12);
+	CKSUMFN(13);
+	CKSUMFN(14);
+	CKSUMFN(15);
+	/* The compression function. */
+#define COMPRESS(n) \
+	P = cx->X[n] ^ MD2S[P]; \
+	cx->X[n] = P;
+	P = 0x00;
+	for (j=0; j<18; j++) {
+		COMPRESS(0);
+		COMPRESS(1);
+		COMPRESS(2);
+		COMPRESS(3);
+		COMPRESS(4);
+		COMPRESS(5);
+		COMPRESS(6);
+		COMPRESS(7);
+		COMPRESS(8);
+		COMPRESS(9);
+		COMPRESS(10);
+		COMPRESS(11);
+		COMPRESS(12);
+		COMPRESS(13);
+		COMPRESS(14);
+		COMPRESS(15);
+		COMPRESS(16);
+		COMPRESS(17);
+		COMPRESS(18);
+		COMPRESS(19);
+		COMPRESS(20);
+		COMPRESS(21);
+		COMPRESS(22);
+		COMPRESS(23);
+		COMPRESS(24);
+		COMPRESS(25);
+		COMPRESS(26);
+		COMPRESS(27);
+		COMPRESS(28);
+		COMPRESS(29);
+		COMPRESS(30);
+		COMPRESS(31);
+		COMPRESS(32);
+		COMPRESS(33);
+		COMPRESS(34);
+		COMPRESS(35);
+		COMPRESS(36);
+		COMPRESS(37);
+		COMPRESS(38);
+		COMPRESS(39);
+		COMPRESS(40);
+		COMPRESS(41);
+		COMPRESS(42);
+		COMPRESS(43);
+		COMPRESS(44);
+		COMPRESS(45);
+		COMPRESS(46);
+		COMPRESS(47);
+		P = (P + j) % 256;
+	}
+	cx->unusedBuffer = MD2_BUFSIZE;
+}
+
+void 
+MD2_Update(MD2Context *cx, const unsigned char *input, unsigned int inputLen)
+{
+	PRUint32 bytesToConsume;
+	
+	/* Fill the remaining input buffer. */
+	if (cx->unusedBuffer != MD2_BUFSIZE) {
+		bytesToConsume = PR_MIN(inputLen, cx->unusedBuffer);
+		memcpy(&cx->X[MD2_INPUT + (MD2_BUFSIZE - cx->unusedBuffer)],
+		            input, bytesToConsume);
+		if (cx->unusedBuffer + bytesToConsume >= MD2_BUFSIZE)
+			md2_compress(cx);
+		inputLen -= bytesToConsume;
+		input += bytesToConsume;
+	}
+
+	/* Iterate over 16-byte chunks of the input. */
+	while (inputLen >= MD2_BUFSIZE) {
+		memcpy(&cx->X[MD2_INPUT], input, MD2_BUFSIZE);
+		md2_compress(cx);
+		inputLen -= MD2_BUFSIZE;
+		input += MD2_BUFSIZE;
+	}
+
+	/* Copy any input that remains into the buffer. */
+	if (inputLen)
+		memcpy(&cx->X[MD2_INPUT], input, inputLen);
+	cx->unusedBuffer = MD2_BUFSIZE - inputLen;
+}
+
+void 
+MD2_End(MD2Context *cx, unsigned char *digest,
+        unsigned int *digestLen, unsigned int maxDigestLen)
+{
+	PRUint8 padStart;
+	if (maxDigestLen < MD2_BUFSIZE) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return;
+	}
+	padStart = MD2_BUFSIZE - cx->unusedBuffer;
+	memset(&cx->X[MD2_INPUT + padStart], cx->unusedBuffer, 
+	            cx->unusedBuffer);
+	md2_compress(cx);
+	memcpy(&cx->X[MD2_INPUT], cx->checksum, MD2_BUFSIZE);
+	md2_compress(cx);
+	*digestLen = MD2_DIGEST_LEN;
+	memcpy(digest, &cx->X[MD2_CV], MD2_DIGEST_LEN);
+}
+
+unsigned int 
+MD2_FlattenSize(MD2Context *cx)
+{
+	return sizeof(*cx);
+}
+
+SECStatus 
+MD2_Flatten(MD2Context *cx, unsigned char *space)
+{
+	memcpy(space, cx, sizeof(*cx));
+	return SECSuccess;
+}
+
+MD2Context * 
+MD2_Resurrect(unsigned char *space, void *arg)
+{
+	MD2Context *cx = MD2_NewContext();
+	if (cx)
+		memcpy(cx, space, sizeof(*cx));
+	return cx;
+}
diff --git a/security/nss/lib/freebl/md5.c b/security/nss/lib/freebl/md5.c
new file mode 100644
index 000000000..c1e55902c
--- /dev/null
+++ b/security/nss/lib/freebl/md5.c
@@ -0,0 +1,531 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.	Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.	If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "prerr.h"
+#include "secerr.h"
+
+#include "prtypes.h"
+#include "prlong.h"
+
+#include "blapi.h"
+
+#define MD5_HASH_LEN 16
+#define MD5_BUFFER_SIZE 64
+#define MD5_END_BUFFER (MD5_BUFFER_SIZE - 8)
+
+#define CV0_1 0x67452301
+#define CV0_2 0xefcdab89
+#define CV0_3 0x98badcfe
+#define CV0_4 0x10325476
+
+#define T1_0  0xd76aa478
+#define T1_1  0xe8c7b756
+#define T1_2  0x242070db
+#define T1_3  0xc1bdceee
+#define T1_4  0xf57c0faf
+#define T1_5  0x4787c62a
+#define T1_6  0xa8304613
+#define T1_7  0xfd469501
+#define T1_8  0x698098d8
+#define T1_9  0x8b44f7af
+#define T1_10 0xffff5bb1
+#define T1_11 0x895cd7be
+#define T1_12 0x6b901122
+#define T1_13 0xfd987193
+#define T1_14 0xa679438e
+#define T1_15 0x49b40821
+
+#define T2_0  0xf61e2562
+#define T2_1  0xc040b340
+#define T2_2  0x265e5a51
+#define T2_3  0xe9b6c7aa
+#define T2_4  0xd62f105d
+#define T2_5  0x02441453
+#define T2_6  0xd8a1e681
+#define T2_7  0xe7d3fbc8
+#define T2_8  0x21e1cde6
+#define T2_9  0xc33707d6
+#define T2_10 0xf4d50d87
+#define T2_11 0x455a14ed
+#define T2_12 0xa9e3e905
+#define T2_13 0xfcefa3f8
+#define T2_14 0x676f02d9
+#define T2_15 0x8d2a4c8a
+
+#define T3_0  0xfffa3942
+#define T3_1  0x8771f681
+#define T3_2  0x6d9d6122
+#define T3_3  0xfde5380c
+#define T3_4  0xa4beea44
+#define T3_5  0x4bdecfa9
+#define T3_6  0xf6bb4b60
+#define T3_7  0xbebfbc70
+#define T3_8  0x289b7ec6
+#define T3_9  0xeaa127fa
+#define T3_10 0xd4ef3085
+#define T3_11 0x04881d05
+#define T3_12 0xd9d4d039
+#define T3_13 0xe6db99e5
+#define T3_14 0x1fa27cf8
+#define T3_15 0xc4ac5665
+
+#define T4_0  0xf4292244
+#define T4_1  0x432aff97
+#define T4_2  0xab9423a7
+#define T4_3  0xfc93a039
+#define T4_4  0x655b59c3
+#define T4_5  0x8f0ccc92
+#define T4_6  0xffeff47d
+#define T4_7  0x85845dd1
+#define T4_8  0x6fa87e4f
+#define T4_9  0xfe2ce6e0
+#define T4_10 0xa3014314
+#define T4_11 0x4e0811a1
+#define T4_12 0xf7537e82
+#define T4_13 0xbd3af235
+#define T4_14 0x2ad7d2bb
+#define T4_15 0xeb86d391
+
+#define R1B0  0
+#define R1B1  1
+#define R1B2  2
+#define R1B3  3
+#define R1B4  4
+#define R1B5  5
+#define R1B6  6
+#define R1B7  7
+#define R1B8  8
+#define R1B9  9
+#define R1B10 10
+#define R1B11 11
+#define R1B12 12
+#define R1B13 13
+#define R1B14 14
+#define R1B15 15
+
+#define R2B0  1
+#define R2B1  6
+#define R2B2  11
+#define R2B3  0
+#define R2B4  5
+#define R2B5  10
+#define R2B6  15
+#define R2B7  4
+#define R2B8  9
+#define R2B9  14
+#define R2B10 3 
+#define R2B11 8 
+#define R2B12 13
+#define R2B13 2 
+#define R2B14 7 
+#define R2B15 12
+
+#define R3B0  5
+#define R3B1  8
+#define R3B2  11
+#define R3B3  14
+#define R3B4  1
+#define R3B5  4
+#define R3B6  7
+#define R3B7  10
+#define R3B8  13
+#define R3B9  0
+#define R3B10 3 
+#define R3B11 6 
+#define R3B12 9 
+#define R3B13 12
+#define R3B14 15
+#define R3B15 2 
+
+#define R4B0  0
+#define R4B1  7
+#define R4B2  14
+#define R4B3  5
+#define R4B4  12
+#define R4B5  3
+#define R4B6  10
+#define R4B7  1
+#define R4B8  8
+#define R4B9  15
+#define R4B10 6 
+#define R4B11 13
+#define R4B12 4 
+#define R4B13 11
+#define R4B14 2 
+#define R4B15 9 
+
+#define S1_0 7
+#define S1_1 12
+#define S1_2 17
+#define S1_3 22
+
+#define S2_0 5
+#define S2_1 9
+#define S2_2 14
+#define S2_3 20
+
+#define S3_0 4
+#define S3_1 11
+#define S3_2 16
+#define S3_3 23
+
+#define S4_0 6
+#define S4_1 10
+#define S4_2 15
+#define S4_3 21
+
+struct MD5ContextStr {
+	PRUint32      lsbInput;
+	PRUint32      msbInput;
+	PRUint32      cv[4];
+	union {
+		PRUint8 b[64];
+		PRUint32 w[16];
+	} u;
+};
+
+#define inBuf u.b
+
+SECStatus 
+MD5_Hash(unsigned char *dest, const char *src)
+{
+	return MD5_HashBuf(dest, (unsigned char *)src, PL_strlen(src));
+}
+
+SECStatus 
+MD5_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
+{
+	unsigned int len;
+	MD5Context *cx = MD5_NewContext();
+	if (cx == NULL) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		return SECFailure;
+	}
+	MD5_Begin(cx);
+	MD5_Update(cx, src, src_length);
+	MD5_End(cx, dest, &len, MD5_HASH_LEN);
+	MD5_DestroyContext(cx, PR_TRUE);
+	return SECSuccess;
+}
+
+MD5Context *
+MD5_NewContext(void)
+{
+	MD5Context *cx = (MD5Context *)PORT_ZAlloc(sizeof(MD5Context));
+	if (cx == NULL) {
+		PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+		return NULL;
+	}
+	return cx;
+}
+
+void 
+MD5_DestroyContext(MD5Context *cx, PRBool freeit)
+{
+	if (freeit) {
+		PORT_ZFree(cx, sizeof(MD5Context));
+	}
+}
+
+void 
+MD5_Begin(MD5Context *cx)
+{
+	cx->lsbInput = 0;
+	cx->msbInput = 0;
+	memset(cx->inBuf, 0, sizeof(cx->inBuf));
+	cx->cv[0] = CV0_1;
+	cx->cv[1] = CV0_2;
+	cx->cv[2] = CV0_3;
+	cx->cv[3] = CV0_4;
+}
+
+#define cls(i32, s) (tmp = i32, tmp << s | tmp >> (32 - s))
+
+#define MASK 0x00ff00ff
+#ifdef IS_LITTLE_ENDIAN
+#define lendian(i32) \
+	(i32)
+#else
+#define lendian(i32) \
+	(tmp = i32 >> 16 | i32 << 16, (tmp & MASK) << 8 | tmp >> 8 & MASK)
+#endif
+
+#if defined(SOLARIS) || defined(HPUX)
+#define addto64(sumhigh, sumlow, addend) \
+	sumlow += addend; sumhigh += (sumlow < addend);
+#else
+#define addto64(sumhigh, sumlow, addend) \
+	sumlow += addend; if (sumlow < addend) ++sumhigh;
+#endif
+
+#define F(X, Y, Z) \
+	((X & Y) | ((~X) & Z))
+
+#define G(X, Y, Z) \
+	((X & Z) | (Y & (~Z)))
+
+#define H(X, Y, Z) \
+	(X ^ Y ^ Z)
+
+#define I(X, Y, Z) \
+	(Y ^ (X | (~Z)))
+
+#define FF(a, b, c, d, bufint, s, ti) \
+	a = b + cls(a + F(b, c, d) + bufint + ti, s)
+
+#define GG(a, b, c, d, bufint, s, ti) \
+	a = b + cls(a + G(b, c, d) + bufint + ti, s)
+
+#define HH(a, b, c, d, bufint, s, ti) \
+	a = b + cls(a + H(b, c, d) + bufint + ti, s)
+
+#define II(a, b, c, d, bufint, s, ti) \
+	a = b + cls(a + I(b, c, d) + bufint + ti, s)
+
+static void
+md5_compress(MD5Context *cx)
+{
+	PRUint32 a, b, c, d;
+	PRUint32 tmp;
+	a = cx->cv[0];
+	b = cx->cv[1];
+	c = cx->cv[2];
+	d = cx->cv[3];
+#ifndef IS_LITTLE_ENDIAN
+	cx->u.w[0] = lendian(cx->u.w[0]);
+	cx->u.w[1] = lendian(cx->u.w[1]);
+	cx->u.w[2] = lendian(cx->u.w[2]);
+	cx->u.w[3] = lendian(cx->u.w[3]);
+	cx->u.w[4] = lendian(cx->u.w[4]);
+	cx->u.w[5] = lendian(cx->u.w[5]);
+	cx->u.w[6] = lendian(cx->u.w[6]);
+	cx->u.w[7] = lendian(cx->u.w[7]);
+	cx->u.w[8] = lendian(cx->u.w[8]);
+	cx->u.w[9] = lendian(cx->u.w[9]);
+	cx->u.w[10] = lendian(cx->u.w[10]);
+	cx->u.w[11] = lendian(cx->u.w[11]);
+	cx->u.w[12] = lendian(cx->u.w[12]);
+	cx->u.w[13] = lendian(cx->u.w[13]);
+	cx->u.w[14] = lendian(cx->u.w[14]);
+	cx->u.w[15] = lendian(cx->u.w[15]);
+#endif
+	FF(a, b, c, d, cx->u.w[R1B0 ], S1_0, T1_0);
+	FF(d, a, b, c, cx->u.w[R1B1 ], S1_1, T1_1);
+	FF(c, d, a, b, cx->u.w[R1B2 ], S1_2, T1_2);
+	FF(b, c, d, a, cx->u.w[R1B3 ], S1_3, T1_3);
+	FF(a, b, c, d, cx->u.w[R1B4 ], S1_0, T1_4);
+	FF(d, a, b, c, cx->u.w[R1B5 ], S1_1, T1_5);
+	FF(c, d, a, b, cx->u.w[R1B6 ], S1_2, T1_6);
+	FF(b, c, d, a, cx->u.w[R1B7 ], S1_3, T1_7);
+	FF(a, b, c, d, cx->u.w[R1B8 ], S1_0, T1_8);
+	FF(d, a, b, c, cx->u.w[R1B9 ], S1_1, T1_9);
+	FF(c, d, a, b, cx->u.w[R1B10], S1_2, T1_10);
+	FF(b, c, d, a, cx->u.w[R1B11], S1_3, T1_11);
+	FF(a, b, c, d, cx->u.w[R1B12], S1_0, T1_12);
+	FF(d, a, b, c, cx->u.w[R1B13], S1_1, T1_13);
+	FF(c, d, a, b, cx->u.w[R1B14], S1_2, T1_14);
+	FF(b, c, d, a, cx->u.w[R1B15], S1_3, T1_15);
+	GG(a, b, c, d, cx->u.w[R2B0 ], S2_0, T2_0);
+	GG(d, a, b, c, cx->u.w[R2B1 ], S2_1, T2_1);
+	GG(c, d, a, b, cx->u.w[R2B2 ], S2_2, T2_2);
+	GG(b, c, d, a, cx->u.w[R2B3 ], S2_3, T2_3);
+	GG(a, b, c, d, cx->u.w[R2B4 ], S2_0, T2_4);
+	GG(d, a, b, c, cx->u.w[R2B5 ], S2_1, T2_5);
+	GG(c, d, a, b, cx->u.w[R2B6 ], S2_2, T2_6);
+	GG(b, c, d, a, cx->u.w[R2B7 ], S2_3, T2_7);
+	GG(a, b, c, d, cx->u.w[R2B8 ], S2_0, T2_8);
+	GG(d, a, b, c, cx->u.w[R2B9 ], S2_1, T2_9);
+	GG(c, d, a, b, cx->u.w[R2B10], S2_2, T2_10);
+	GG(b, c, d, a, cx->u.w[R2B11], S2_3, T2_11);
+	GG(a, b, c, d, cx->u.w[R2B12], S2_0, T2_12);
+	GG(d, a, b, c, cx->u.w[R2B13], S2_1, T2_13);
+	GG(c, d, a, b, cx->u.w[R2B14], S2_2, T2_14);
+	GG(b, c, d, a, cx->u.w[R2B15], S2_3, T2_15);
+	HH(a, b, c, d, cx->u.w[R3B0 ], S3_0, T3_0);
+	HH(d, a, b, c, cx->u.w[R3B1 ], S3_1, T3_1);
+	HH(c, d, a, b, cx->u.w[R3B2 ], S3_2, T3_2);
+	HH(b, c, d, a, cx->u.w[R3B3 ], S3_3, T3_3);
+	HH(a, b, c, d, cx->u.w[R3B4 ], S3_0, T3_4);
+	HH(d, a, b, c, cx->u.w[R3B5 ], S3_1, T3_5);
+	HH(c, d, a, b, cx->u.w[R3B6 ], S3_2, T3_6);
+	HH(b, c, d, a, cx->u.w[R3B7 ], S3_3, T3_7);
+	HH(a, b, c, d, cx->u.w[R3B8 ], S3_0, T3_8);
+	HH(d, a, b, c, cx->u.w[R3B9 ], S3_1, T3_9);
+	HH(c, d, a, b, cx->u.w[R3B10], S3_2, T3_10);
+	HH(b, c, d, a, cx->u.w[R3B11], S3_3, T3_11);
+	HH(a, b, c, d, cx->u.w[R3B12], S3_0, T3_12);
+	HH(d, a, b, c, cx->u.w[R3B13], S3_1, T3_13);
+	HH(c, d, a, b, cx->u.w[R3B14], S3_2, T3_14);
+	HH(b, c, d, a, cx->u.w[R3B15], S3_3, T3_15);
+	II(a, b, c, d, cx->u.w[R4B0 ], S4_0, T4_0);
+	II(d, a, b, c, cx->u.w[R4B1 ], S4_1, T4_1);
+	II(c, d, a, b, cx->u.w[R4B2 ], S4_2, T4_2);
+	II(b, c, d, a, cx->u.w[R4B3 ], S4_3, T4_3);
+	II(a, b, c, d, cx->u.w[R4B4 ], S4_0, T4_4);
+	II(d, a, b, c, cx->u.w[R4B5 ], S4_1, T4_5);
+	II(c, d, a, b, cx->u.w[R4B6 ], S4_2, T4_6);
+	II(b, c, d, a, cx->u.w[R4B7 ], S4_3, T4_7);
+	II(a, b, c, d, cx->u.w[R4B8 ], S4_0, T4_8);
+	II(d, a, b, c, cx->u.w[R4B9 ], S4_1, T4_9);
+	II(c, d, a, b, cx->u.w[R4B10], S4_2, T4_10);
+	II(b, c, d, a, cx->u.w[R4B11], S4_3, T4_11);
+	II(a, b, c, d, cx->u.w[R4B12], S4_0, T4_12);
+	II(d, a, b, c, cx->u.w[R4B13], S4_1, T4_13);
+	II(c, d, a, b, cx->u.w[R4B14], S4_2, T4_14);
+	II(b, c, d, a, cx->u.w[R4B15], S4_3, T4_15);
+	cx->cv[0] += a;
+	cx->cv[1] += b;
+	cx->cv[2] += c;
+	cx->cv[3] += d;
+}
+
+void 
+MD5_Update(MD5Context *cx, const unsigned char *input, unsigned int inputLen)
+{
+	PRUint32 bytesToConsume;
+	PRUint32 inBufIndex = cx->lsbInput & 63;
+
+	/* Add the number of input bytes to the 64-bit input counter. */
+	addto64(cx->msbInput, cx->lsbInput, inputLen);
+	if (inBufIndex) {
+		/* There is already data in the buffer.  Fill with input. */
+		bytesToConsume = PR_MIN(inputLen, MD5_BUFFER_SIZE - inBufIndex);
+		memcpy(&cx->inBuf[inBufIndex], input, bytesToConsume);
+		if (inBufIndex + bytesToConsume >= MD5_BUFFER_SIZE)
+			/* The buffer is filled.  Run the compression function. */
+			md5_compress(cx);
+		/* Remaining input. */
+		inputLen -= bytesToConsume;
+		input += bytesToConsume;
+	}
+
+	/* Iterate over 64-byte chunks of the message. */
+	while (inputLen >= MD5_BUFFER_SIZE) {
+		memcpy(cx->inBuf, input, MD5_BUFFER_SIZE);
+		md5_compress(cx);
+		inputLen -= MD5_BUFFER_SIZE;
+		input += MD5_BUFFER_SIZE;
+	}
+
+	/* Tail of message (message bytes mod 64). */
+	if (inputLen)
+		memcpy(cx->inBuf, input, inputLen);
+}
+
+static const unsigned char padbytes[] = {
+	0x80, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
+	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
+	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
+	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
+	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
+	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
+	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
+	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
+	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
+	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
+	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,
+	0x00, 0x00, 0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00
+};
+
+void 
+MD5_End(MD5Context *cx, unsigned char *digest,
+        unsigned int *digestLen, unsigned int maxDigestLen)
+{
+#ifndef IS_LITTLE_ENDIAN
+	PRUint32 tmp;
+#endif
+	PRUint32 lowInput, highInput;
+	PRUint32 inBufIndex = cx->lsbInput & 63;
+
+	if (maxDigestLen < MD5_HASH_LEN) {
+		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+		return;
+	}
+
+	/* Copy out the length of bits input before padding. */
+	lowInput = cx->lsbInput; 
+	highInput = (cx->msbInput << 3) | (lowInput >> 29);
+	lowInput <<= 3;
+
+	if (inBufIndex < MD5_END_BUFFER) {
+		MD5_Update(cx, padbytes, MD5_END_BUFFER - inBufIndex);
+	} else {
+		MD5_Update(cx, padbytes, 
+		           MD5_END_BUFFER + MD5_BUFFER_SIZE - inBufIndex);
+	}
+
+	/* Store the number of bytes input (before padding) in final 64 bits. */
+	cx->u.w[14] = lendian(lowInput);
+	cx->u.w[15] = lendian(highInput);
+
+	/* Final call to compress. */
+	md5_compress(cx);
+
+	/* Copy the resulting values out of the chain variables into return buf. */
+	*digestLen = MD5_HASH_LEN;
+#ifndef IS_LITTLE_ENDIAN
+	cx->cv[0] = lendian(cx->cv[0]);
+	cx->cv[1] = lendian(cx->cv[1]);
+	cx->cv[2] = lendian(cx->cv[2]);
+	cx->cv[3] = lendian(cx->cv[3]);
+#endif
+	memcpy(digest, cx->cv, MD5_HASH_LEN);
+}
+
+unsigned int 
+MD5_FlattenSize(MD5Context *cx)
+{
+	return sizeof(*cx);
+}
+
+SECStatus 
+MD5_Flatten(MD5Context *cx, unsigned char *space)
+{
+	memcpy(space, cx, sizeof(*cx));
+	return SECSuccess;
+}
+
+MD5Context * 
+MD5_Resurrect(unsigned char *space, void *arg)
+{
+	MD5Context *cx = MD5_NewContext();
+	if (cx)
+		memcpy(cx, space, sizeof(*cx));
+	return cx;
+}
+
+void 
+MD5_TraceState(MD5Context *cx)
+{
+	PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+}
diff --git a/security/nss/lib/freebl/mknewpc2.c b/security/nss/lib/freebl/mknewpc2.c
new file mode 100644
index 000000000..3bd3f0cf0
--- /dev/null
+++ b/security/nss/lib/freebl/mknewpc2.c
@@ -0,0 +1,236 @@
+/*
+ *  mknewpc2.c
+ *
+ *  Generate PC-2 tables for DES-150 library
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the DES-150 library.
+ *
+ * The Initial Developer of the Original Code is Nelson B. Bolyard,
+ * nelsonb@iname.com.  Portions created by Nelson B. Bolyard are 
+ * Copyright (C) 1990, 2000  Nelson B. Bolyard, All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ */
+
+typedef unsigned char BYTE;
+typedef unsigned int  HALF;
+
+#define DES_ENCRYPT 0
+#define DES_DECRYPT 1
+
+/* two 28-bit registers defined in key schedule production process */
+static HALF C0, D0;
+
+static HALF L0, R0;
+
+/* key schedule, 16 internal keys, each with 8 6-bit parts */
+static BYTE KS [8] [16];
+
+
+/*
+ * This table takes the 56 bits in C0 and D0 and shows show they are 
+ * permuted into the 8 6-bit parts of the key in the key schedule.
+ * The bits of C0 are numbered left to right, 1-28.
+ * The bits of D0 are numbered left to right, 29-56.
+ * Zeros in this table represent bits that are always zero.
+ * Note that all the bits in the first  4 rows come from C0, 
+ *       and all the bits in the second 4 rows come from D0.
+ */
+static const BYTE PC2[64] = {
+    14, 17, 11, 24,  1,  5,  0,  0,	/* S1 */
+     3, 28, 15,  6, 21, 10,  0,  0,	/* S2 */
+    23, 19, 12,  4, 26,  8,  0,  0,	/* S3 */
+    16,  7, 27, 20, 13,  2,  0,  0,	/* S4 */
+
+    41, 52, 31, 37, 47, 55,  0,  0,	/* S5 */
+    30, 40, 51, 45, 33, 48,  0,  0,	/* S6 */
+    44, 49, 39, 56, 34, 53,  0,  0,	/* S7 */
+    46, 42, 50, 36, 29, 32,  0,  0	/* S8 */
+};
+
+/* This table represents the same info as PC2, except that 
+ * The bits of C0 and D0 are each numbered right to left, 0-27.
+ * -1 values indicate bits that are always zero.
+ * As before all the bits in the first  4 rows come from C0, 
+ *       and all the bits in the second 4 rows come from D0.
+ */
+static       signed char PC2a[64] = {
+/* bits of C0 */
+    14, 11, 17,  4, 27, 23, -1, -1,	/* S1 */
+    25,  0, 13, 22,  7, 18, -1, -1,	/* S2 */
+     5,  9, 16, 24,  2, 20, -1, -1,	/* S3 */
+    12, 21,  1,  8, 15, 26, -1, -1,	/* S4 */
+/* bits of D0 */
+    15,  4, 25, 19,  9,  1, -1, -1,	/* S5 */
+    26, 16,  5, 11, 23,  8, -1, -1,	/* S6 */
+    12,  7, 17,  0, 22,  3, -1, -1,	/* S7 */
+    10, 14,  6, 20, 27, 24, -1, -1 	/* S8 */
+};
+
+/* This table represents the same info as PC2a, except that 
+ * The order of of the rows has been changed to increase the efficiency
+ * with which the key sechedule is created.
+ * Fewer shifts and ANDs are required to make the KS from these.
+ */
+static const signed char PC2b[64] = {
+/* bits of C0 */
+    14, 11, 17,  4, 27, 23, -1, -1,	/* S1 */
+     5,  9, 16, 24,  2, 20, -1, -1,	/* S3 */
+    25,  0, 13, 22,  7, 18, -1, -1,	/* S2 */
+    12, 21,  1,  8, 15, 26, -1, -1,	/* S4 */
+/* bits of D0 */
+    26, 16,  5, 11, 23,  8, -1, -1,	/* S6 */
+    10, 14,  6, 20, 27, 24, -1, -1,	/* S8 */
+    15,  4, 25, 19,  9,  1, -1, -1,	/* S5 */
+    12,  7, 17,  0, 22,  3, -1, -1 	/* S7 */
+};
+
+/* Only 24 of the 28 bits in C0 and D0 are used in PC2.
+ * The used bits of C0 and D0 are grouped into 4 groups of 6,
+ * so that the PC2 permutation can be accomplished with 4 lookups
+ * in tables of 64 entries.
+ * The following table shows how the bits of C0 and D0 are grouped
+ * into indexes for the respective table lookups.  
+ * Bits are numbered right-to-left, 0-27, as in PC2b.
+ */
+static BYTE NDX[48] = {
+/* Bits of C0 */
+    27, 26, 25, 24, 23, 22,	/* C0 table 0 */
+    18, 17, 16, 15, 14, 13,	/* C0 table 1 */
+     9,  8,  7,  2,  1,  0,	/* C0 table 2 */
+     5,  4, 21, 20, 12, 11,	/* C0 table 3 */
+/* bits of D0 */
+    27, 26, 25, 24, 23, 22,	/* D0 table 0 */
+    20, 19, 17, 16, 15, 14,	/* D0 table 1 */
+    12, 11, 10,  9,  8,  7,	/* D0 table 2 */
+     6,  5,  4,  3,  1,  0	/* D0 table 3 */
+};
+
+/* Here's the code that does that grouping. 
+	left   = PC2LOOKUP(0, 0, ((c0 >> 22) & 0x3F) );
+	left  |= PC2LOOKUP(0, 1, ((c0 >> 13) & 0x3F) );
+	left  |= PC2LOOKUP(0, 2, ((c0 >>  4) & 0x38) | (c0 & 0x7) );
+	left  |= PC2LOOKUP(0, 3, ((c0>>18)&0xC) | ((c0>>11)&0x3) | (c0&0x30));
+
+	right  = PC2LOOKUP(1, 0, ((d0 >> 22) & 0x3F) );
+	right |= PC2LOOKUP(1, 1, ((d0 >> 15) & 0x30) | ((d0 >> 14) & 0xf) );
+	right |= PC2LOOKUP(1, 2, ((d0 >>  7) & 0x3F) );
+	right |= PC2LOOKUP(1, 3, ((d0 >>  1) & 0x3C) | (d0 & 0x3));
+*/
+
+void
+make_pc2a( void )
+{
+
+    int i, j;
+
+    for ( i = 0; i < 64; ++i ) {
+	j = PC2[i];
+	if (j == 0)
+	    j = -1;
+	else if ( j < 29 )
+	    j = 28 - j ;
+	else
+	    j = 56 - j;
+	PC2a[i] = j;
+    }
+    for ( i = 0; i < 64; i += 8 ) {
+	printf("%3d,%3d,%3d,%3d,%3d,%3d,%3d,%3d,\n",
+		PC2a[i+0],PC2a[i+1],PC2a[i+2],PC2a[i+3],
+		PC2a[i+4],PC2a[i+5],PC2a[i+6],PC2a[i+7] );
+    }
+}
+
+HALF PC2cd0[64];
+
+HALF PC_2H[8][64];
+
+void
+mktable( )
+{
+    int i;
+    int table;
+    const BYTE * ndx   = NDX;
+    HALF         mask;
+
+    mask  = 0x80000000;
+    for (i = 0; i < 32; ++i, mask >>= 1) {
+	int bit = PC2b[i];
+	if (bit < 0)
+	    continue;
+	PC2cd0[bit + 32] = mask;
+    }
+
+    mask  = 0x80000000;
+    for (i = 32; i < 64; ++i, mask >>= 1) {
+	int bit = PC2b[i];
+	if (bit < 0)
+	    continue;
+	PC2cd0[bit] = mask;
+    }
+
+#if DEBUG
+    for (i = 0; i < 64; ++i) {
+    	printf("0x%08x,\n", PC2cd0[i]);
+    }
+#endif
+    for (i = 0; i < 24; ++i) {
+    	NDX[i] += 32;	/* because c0 is the upper half */
+    }
+
+    for (table = 0; table < 8; ++table) {
+	HALF bitvals[6];
+    	for (i = 0; i < 6; ++i) {
+	    bitvals[5-i] = PC2cd0[*ndx++];
+	}
+	for (i = 0; i < 64; ++i) {
+	    int  j;
+	    int  k     = 0;
+	    HALF value = 0;
+
+	    for (j = i; j; j >>= 1, ++k) {
+	    	if (j & 1) {
+		    value |= bitvals[k];
+		}
+	    }
+	    PC_2H[table][i] = value;
+	}
+	printf("/* table %d */ {\n", table );
+	for (i = 0; i < 64; i += 4) {
+	    printf("    0x%08x, 0x%08x, 0x%08x, 0x%08x, \n",
+		    PC_2H[table][i],   PC_2H[table][i+1],
+		    PC_2H[table][i+2], PC_2H[table][i+3]);
+	}
+	printf("  },\n");
+    }
+}
+
+
+int
+main(void)
+{
+/*   make_pc2a(); */
+   mktable();
+   return 0;
+}
diff --git a/security/nss/lib/freebl/mksp.c b/security/nss/lib/freebl/mksp.c
new file mode 100644
index 000000000..17ce7bc2a
--- /dev/null
+++ b/security/nss/lib/freebl/mksp.c
@@ -0,0 +1,153 @@
+/*
+ *  mksp.c
+ *
+ *  Generate SP tables for DES-150 library
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the DES-150 library.
+ *
+ * The Initial Developer of the Original Code is Nelson B. Bolyard,
+ * nelsonb@iname.com.  Portions created by Nelson B. Bolyard are 
+ * Copyright (C) 1990, 2000  Nelson B. Bolyard, All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ */
+
+#include <stdio.h>
+
+/*
+ * sboxes - the tables for the s-box functions
+ *        from FIPS 46, pages 15-16.
+ */
+unsigned char S[8][64] = {
+/* Func S1 = */ {
+	14,  0,  4, 15, 13,  7,  1,  4,  2, 14, 15,  2, 11, 13,  8,  1,
+	 3, 10, 10,  6,  6, 12, 12, 11,  5,  9,  9,  5,  0,  3,  7,  8,
+	 4, 15,  1, 12, 14,  8,  8,  2, 13,  4,  6,  9,  2,  1, 11,  7,
+	15,  5, 12, 11,  9,  3,  7, 14,  3, 10, 10,  0,  5,  6,  0, 13
+    },
+/* Func S2 = */ {
+	15,  3,  1, 13,  8,  4, 14,  7,  6, 15, 11,  2,  3,  8,  4, 14,
+	 9, 12,  7,  0,  2,  1, 13, 10, 12,  6,  0,  9,  5, 11, 10,  5,
+	 0, 13, 14,  8,  7, 10, 11,  1, 10,  3,  4, 15, 13,  4,  1,  2,
+	 5, 11,  8,  6, 12,  7,  6, 12,  9,  0,  3,  5,  2, 14, 15,  9
+    },
+/* Func S3 = */ {
+	10, 13,  0,  7,  9,  0, 14,  9,  6,  3,  3,  4, 15,  6,  5, 10,
+	 1,  2, 13,  8, 12,  5,  7, 14, 11, 12,  4, 11,  2, 15,  8,  1,
+	13,  1,  6, 10,  4, 13,  9,  0,  8,  6, 15,  9,  3,  8,  0,  7,
+	11,  4,  1, 15,  2, 14, 12,  3,  5, 11, 10,  5, 14,  2,  7, 12
+    },
+/* Func S4 = */ {
+	 7, 13, 13,  8, 14, 11,  3,  5,  0,  6,  6, 15,  9,  0, 10,  3,
+	 1,  4,  2,  7,  8,  2,  5, 12, 11,  1, 12, 10,  4, 14, 15,  9,
+	10,  3,  6, 15,  9,  0,  0,  6, 12, 10, 11,  1,  7, 13, 13,  8,
+	15,  9,  1,  4,  3,  5, 14, 11,  5, 12,  2,  7,  8,  2,  4, 14
+    },
+/* Func S5 = */ {
+	 2, 14, 12, 11,  4,  2,  1, 12,  7,  4, 10,  7, 11, 13,  6,  1,
+	 8,  5,  5,  0,  3, 15, 15, 10, 13,  3,  0,  9, 14,  8,  9,  6,
+	 4, 11,  2,  8,  1, 12, 11,  7, 10,  1, 13, 14,  7,  2,  8, 13,
+	15,  6,  9, 15, 12,  0,  5,  9,  6, 10,  3,  4,  0,  5, 14,  3
+    },
+/* Func S6 = */ {
+	12, 10,  1, 15, 10,  4, 15,  2,  9,  7,  2, 12,  6,  9,  8,  5,
+	 0,  6, 13,  1,  3, 13,  4, 14, 14,  0,  7, 11,  5,  3, 11,  8,
+	 9,  4, 14,  3, 15,  2,  5, 12,  2,  9,  8,  5, 12, 15,  3, 10,
+	 7, 11,  0, 14,  4,  1, 10,  7,  1,  6, 13,  0, 11,  8,  6, 13
+    },
+/* Func S7 = */ {
+	 4, 13, 11,  0,  2, 11, 14,  7, 15,  4,  0,  9,  8,  1, 13, 10,
+	 3, 14, 12,  3,  9,  5,  7, 12,  5,  2, 10, 15,  6,  8,  1,  6,
+	 1,  6,  4, 11, 11, 13, 13,  8, 12,  1,  3,  4,  7, 10, 14,  7,
+	10,  9, 15,  5,  6,  0,  8, 15,  0, 14,  5,  2,  9,  3,  2, 12
+    },
+/* Func S8 = */ {
+	13,  1,  2, 15,  8, 13,  4,  8,  6, 10, 15,  3, 11,  7,  1,  4,
+	10, 12,  9,  5,  3,  6, 14, 11,  5,  0,  0, 14, 12,  9,  7,  2,
+	 7,  2, 11,  1,  4, 14,  1,  7,  9,  4, 12, 10, 14,  8,  2, 13,
+	 0, 15,  6, 12, 10,  9, 13,  0, 15,  3,  3,  5,  5,  6,  8, 11
+    }
+};
+
+/*
+ * Permutation function for results from s-boxes
+ *   from FIPS 46 pages 12 and 16.
+ * P = 
+ */
+unsigned char P[32] = {
+	16,   7,  20,  21,  29,  12,  28,  17,
+	 1,  15,  23,  26,   5,  18,  31,  10,
+	 2,   8,  24,  14,  32,  27,   3,   9,
+	19,  13,  30,   6,  22,  11,   4,  25
+};
+
+unsigned int Pinv[32];
+unsigned int SP[8][64];
+
+void
+makePinv(void)
+{
+    int i;
+    unsigned int Pi = 0x80000000;
+    for (i = 0; i < 32; ++i) {
+    	int j = 32 - P[i];
+	Pinv[j] = Pi;
+	Pi >>= 1;
+    }
+}
+
+void
+makeSP(void)
+{
+    int box;
+    for (box = 0; box < 8; ++box) {
+	int item;
+	printf("/* box S%d */ {\n", box + 1);
+    	for (item = 0; item < 64; ++item ) {
+	    unsigned int s = S[box][item];
+	    unsigned int val = 0;
+	    unsigned int bitnum = (7-box) * 4;
+	    for (; s; s >>= 1, ++bitnum) {
+		if (s & 1) {
+		    val |= Pinv[bitnum];
+		}
+	    }
+	    val = (val << 3) | (val >> 29);
+	    SP[box][item] = val;
+	}
+	for (item = 0; item < 64; item += 4) {
+	    printf("\t0x%08x, 0x%08x, 0x%08x, 0x%08x,\n",
+	    SP[box][item], SP[box][item+1], SP[box][item+2], SP[box][item+3]);
+	}
+	printf("    },\n");
+    }
+}
+
+int
+main()
+{
+    makePinv();
+    makeSP();
+    return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/Makefile b/security/nss/lib/freebl/mpi/Makefile
new file mode 100644
index 000000000..a4724af90
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/Makefile
@@ -0,0 +1,424 @@
+##
+## Makefile for MPI library
+##
+## The contents of this file are subject to the Mozilla Public
+## License Version 1.1 (the "License"); you may not use this file
+## except in compliance with the License. You may obtain a copy of
+## the License at http://www.mozilla.org/MPL/
+##
+## Software distributed under the License is distributed on an "AS
+## IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+## implied. See the License for the specific language governing
+## rights and limitations under the License.
+##
+## The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+## library.
+##
+## The Initial Developer of the Original Code is 
+## Michael J. Fromberger <sting@linguist.dartmouth.edu>
+##
+## Portions created by Michael J. Fromberger are 
+## Copyright (C) 1998, 2000 Michael J. Fromberger. All Rights Reserved.
+##
+## Contributor(s):
+##	Netscape Communications Corporation
+## 	Richard C. Swift	(swift@netscape.com)
+##
+## Alternatively, the contents of this file may be used under the
+## terms of the GNU General Public License Version 2 or later (the
+## "GPL"), in which case the provisions of the GPL are applicable
+## instead of those above.  If you wish to allow use of your
+## version of this file only under the terms of the GPL and not to
+## allow others to use your version of this file under the MPL,
+## indicate your decision by deleting the provisions above and
+## replace them with the notice and other provisions required by
+## the GPL.  If you do not delete the provisions above, a recipient
+## may use your version of this file under either the MPL or the
+## GPL.
+## 
+##
+## $Id$
+##
+
+## Define CC to be the C compiler you wish to use.  The GNU cc
+## compiler (gcc) should work, at the very least
+#CC=cc
+#CC=gcc
+
+## 
+## Define PERL to point to your local Perl interpreter.  It
+## should be Perl 5.x, although it's conceivable that Perl 4
+## might work ... I haven't tested it.
+##
+#PERL=/usr/bin/perl
+PERL=perl
+
+##
+## Define CFLAGS to contain any local options your compiler
+## setup requires.
+##
+## Conditional compilation options are no longer here; see
+## the file 'mpi-config.h' instead.
+##
+MPICMN = -I. -DMP_API_COMPATIBLE -DMP_IOFUNC
+CFLAGS= -O $(MPICMN)
+#CFLAGS=-ansi -fullwarn -woff 1521 -O3 $(MPICMN)
+#CFLAGS=-ansi -pedantic -Wall -O3 $(MPICMN)
+#CFLAGS=-ansi -pedantic -Wall -g -O2 -DMP_DEBUG=1 $(MPICMN)
+
+ifeq ($(TARGET),mipsIRIX)
+#IRIX
+#MPICMN += -DMP_MONT_USE_MP_MUL 
+MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
+MPICMN += -DMP_USE_UINT_DIGIT
+#MPICMN += -DMP_NO_MP_WORD
+AS_OBJS = mpi_mips.o
+#ASFLAGS = -O -OPT:Olimit=4000 -dollar -fullwarn -xansi -n32 -mips3 -exceptions
+ASFLAGS = -O -OPT:Olimit=4000 -dollar -fullwarn -xansi -n32 -mips3 
+#CFLAGS=-ansi -n32 -O3 -fullwarn -woff 1429 -D_SGI_SOURCE $(MPICMN)
+CFLAGS=-ansi -n32 -O2 -fullwarn -woff 1429 -D_SGI_SOURCE $(MPICMN)
+#CFLAGS=-ansi -n32 -g -fullwarn -woff 1429 -D_SGI_SOURCE $(MPICMN)
+#CFLAGS=-ansi -64 -O2 -fullwarn -woff 1429 -D_SGI_SOURCE -DMP_NO_MP_WORD \
+ $(MPICMN)
+endif
+
+ifeq ($(TARGET),alphaOSF1)
+#Alpha/OSF1
+MPICMN += -DMP_ASSEMBLY_MULTIPLY
+AS_OBJS+= mpvalpha.o
+#CFLAGS= -O -Olimit 4000 -ieee_with_inexact -std1 -DOSF1 -D_REENTRANT $(MPICMN)
+CFLAGS= -O -Olimit 4000 -ieee_with_inexact -std1 -DOSF1 -D_REENTRANT \
+ -DMP_NO_MP_WORD $(MPICMN)
+endif
+
+ifeq ($(TARGET),v9SOLARIS)
+#Solaris 64
+SOLARIS_FPU_FLAGS = -fast -xO5 -xrestrict=%all -xchip=ultra -xarch=v9a -KPIC -mt
+#SOLARIS_FPU_FLAGS = -fast -xO5 -xrestrict=%all -xdepend -xchip=ultra -xarch=v9a -KPIC -mt
+SOLARIS_ASM_FLAGS = -xchip=ultra -xarch=v9a -KPIC -mt 
+AS_OBJS += montmulfv9.o 
+AS_OBJS += mpi_sparc.o mpv_sparcv9.o
+MPICMN += -DMP_USE_UINT_DIGIT 
+#MPICMN += -DMP_NO_MP_WORD 
+MPICMN += -DMP_ASSEMBLY_MULTIPLY 
+MPICMN += -DMP_USING_MONT_MULF
+CFLAGS= -O -KPIC -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT \
+ -DSOLARIS2_8 -D_SVID_GETTOD -xarch=v9 -DXP_UNIX $(MPICMN)
+#CFLAGS= -g -KPIC -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT \
+ -DSOLARIS2_8 -D_SVID_GETTOD -xarch=v9 -DXP_UNIX $(MPICMN)
+endif
+
+ifeq ($(TARGET),v8plusSOLARIS)
+#Solaris 32
+SOLARIS_FPU_FLAGS = -fast -xO5 -xrestrict=%all -xdepend -xchip=ultra -xarch=v8plusa -KPIC -mt
+SOLARIS_ASM_FLAGS = -xchip=ultra -xarch=v8plusa -KPIC -mt 
+AS_OBJS = montmulfv8.o mpi_sparc.o mpv_sparcv8.o
+#AS_OBJS = montmulf.o
+MPICMN += -DMP_ASSEMBLY_MULTIPLY 
+MPICMN += -DMP_USING_MONT_MULF -DMP_USE_UINT_DIGIT
+MPICMN += -DMP_NO_MP_WORD
+CFLAGS=-O -KPIC -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT \
+ -DSOLARIS2_6 -D_SVID_GETTOD -xarch=v8plus -DXP_UNIX $(MPICMN)
+endif
+
+ifeq ($(TARGET),v8SOLARIS)
+#Solaris 32
+#SOLARIS_FPU_FLAGS = -fast -xO5 -xrestrict=%all -xdepend -xchip=ultra -xarch=v8 -KPIC -mt
+#SOLARIS_ASM_FLAGS = -xchip=ultra -xarch=v8plusa -KPIC -mt 
+#AS_OBJS = montmulfv8.o mpi_sparc.o mpv_sparcv8.o
+#AS_OBJS = montmulf.o
+#MPICMN += -DMP_USING_MONT_MULF
+#MPICMN += -DMP_ASSEMBLY_MULTIPLY 
+MPICMN += -DMP_USE_LONG_LONG_MULTIPLY -DMP_USE_UINT_DIGIT
+MPICMN += -DMP_NO_MP_WORD
+CFLAGS=-O -KPIC -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT \
+ -DSOLARIS2_6 -D_SVID_GETTOD -xarch=v8 -DXP_UNIX $(MPICMN)
+endif
+
+ifeq ($(TARGET),PA2.0WHPUX)
+#HPUX64 (HP PA 2.0 Wide) using MAXPY and 64-bit digits
+MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
+AS_OBJS = mpi_hp.o hpma512.o hppa20.o 
+CFLAGS= -O -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \
+ -D_HPUX_SOURCE -Aa +e -z +DA2.0W +DS2.0 +O3 +DChpux -DHPUX11  -DXP_UNIX \
+ $(MPICMN)
+AS = $(CC) $(CFLAGS) -c
+endif
+
+ifeq ($(TARGET),PA2.0NHPUX)
+#HPUX32 (HP PA 2.0 Narrow) hybrid model, using 32-bit digits
+# This one is for DA2.0 (N) which is the 32-bit ABI with 64-bit registers.
+MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
+AS_OBJS = mpi_hp.o hpma512.o hppa20.o 
+CFLAGS= -O -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \
+ -D_HPUX_SOURCE -Aa +e -z +DA2.0 +DS2.0 +O3 +DChpux -DHPUX11  -DXP_UNIX \
+ -Wl,+k $(MPICMN)
+#CFLAGS= -g -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \
+ -D_HPUX_SOURCE -Aa +e -z +DA2.0 +DS2.0 +DChpux -DHPUX11  -DXP_UNIX \
+ -Wl,+k $(MPICMN)
+AS = $(CC) $(CFLAGS) -c
+endif
+
+ifeq ($(TARGET),PA1.1HPUX)
+#HPUX32 (HP PA 1.1) Pure 32 bit
+MPICMN += -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD
+#MPICMN += -DMP_USE_LONG_LONG_MULTIPLY
+CFLAGS= -O -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \
+ -D_HPUX_SOURCE +DAportable +DS1.1 -DHPUX11 -DXP_UNIX $(MPICMN)
+##CFLAGS= -g -DHPUX10 -D_POSIX_C_SOURCE=199506L -Ae +Z -DHPUX -Dhppa \
+# -D_HPUX_SOURCE +DAportable +DS1.1 -DHPUX11 -DXP_UNIX $(MPICMN)
+endif
+
+ifeq ($(TARGET),32AIX)
+#
+CC = xlC_r
+MPICMN += -DMP_USE_UINT_DIGIT
+MPICMN += -DMP_NO_DIV_WORD
+#MPICMN += -DMP_NO_MUL_WORD
+MPICMN += -DMP_NO_ADD_WORD
+MPICMN += -DMP_NO_SUB_WORD
+#MPICMN += -DMP_NO_MP_WORD
+#MPICMN += -DMP_USE_LONG_LONG_MULTIPLY
+CFLAGS = -O -DAIX -DSYSV -qarch=com -DAIX4_3 -DXP_UNIX -UDEBUG -DNDEBUG  $(MPICMN)
+#CFLAGS = -g -DAIX -DSYSV -qarch=com -DAIX4_3 -DXP_UNIX -UDEBUG -DNDEBUG  $(MPICMN)
+#CFLAGS += -pg
+endif
+
+ifeq ($(TARGET),64AIX)
+#
+CC = xlC_r
+MPICMN += -DMP_USE_UINT_DIGIT
+CFLAGS = -O -O2 -DAIX -DSYSV -qarch=com -DAIX_64BIT -DAIX4_3 -DXP_UNIX -UDEBUG -DNDEBUG $(MPICMN)
+OBJECT_MODE=64
+export OBJECT_MODE
+endif
+
+ifeq ($(TARGET),x86LINUX)
+#Linux
+AS_OBJS = mpi_x86.o
+MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -DMP_ASSEMBLY_DIV_2DX1D
+MPICMN += -DMP_MONT_USE_MP_MUL
+CFLAGS= -O2 -fPIC -DLINUX1_2 -Di386 -D_XOPEN_SOURCE -DLINUX2_1 -ansi -Wall \
+ -pipe -DLINUX -Dlinux -D_POSIX_SOURCE -D_BSD_SOURCE -DHAVE_STRERROR \
+ -DXP_UNIX -UDEBUG -DNDEBUG -D_REENTRANT $(MPICMN)
+#CFLAGS= -g -fPIC -DLINUX1_2 -Di386 -D_XOPEN_SOURCE -DLINUX2_1 -ansi -Wall \
+ -pipe -DLINUX -Dlinux -D_POSIX_SOURCE -D_BSD_SOURCE -DHAVE_STRERROR \
+ -DXP_UNIX -DDEBUG -UNDEBUG -D_REENTRANT $(MPICMN)
+#CFLAGS= -g -fPIC -DLINUX1_2 -Di386 -D_XOPEN_SOURCE -DLINUX2_1 -ansi -Wall \
+ -pipe -DLINUX -Dlinux -D_POSIX_SOURCE -D_BSD_SOURCE -DHAVE_STRERROR \
+ -DXP_UNIX -UDEBUG -DNDEBUG -D_REENTRANT $(MPICMN)
+endif
+
+##
+## Define LIBS to include any libraries you need to link against.
+## If NO_TABLE is define, LIBS should include '-lm' or whatever is
+## necessary to bring in the math library.  Otherwise, it can be
+## left alone, unless your system has other peculiar requirements.
+##
+LIBS=#-lmalloc#-lefence#-lm
+
+## 
+## Define RANLIB to be the library header randomizer; you might not
+## need this on some systems (just set it to 'echo' on these systems,
+## such as IRIX)
+##
+RANLIB=echo
+
+##
+## This is the version string used for the documentation and 
+## building the distribution tarball.  Don't mess with it unless
+## you are releasing a new version
+VERS=1.7p6
+
+## ----------------------------------------------------------------------
+## You probably don't need to change anything below this line...
+##
+
+##
+## This is the list of source files that need to be packed into
+## the distribution file
+SRCS=   mpi.c mpprime.c mplogic.c mpmontg.c mpi-test.c primes.c tests/ \
+	utils/gcd.c utils/invmod.c utils/lap.c \
+	utils/ptab.pl utils/sieve.c utils/isprime.c\
+	utils/dec2hex.c utils/hex2dec.c utils/bbs_rand.c \
+	utils/bbsrand.c utils/prng.c utils/primegen.c \
+	utils/basecvt.c utils/makeprime.c\
+	utils/fact.c utils/exptmod.c utils/pi.c utils/metime.c \
+	utils/mpi.h utils/mpprime.h mulsqr.c \
+	make-test-arrays test-arrays.txt all-tests make-logtab \
+	types.pl stats timetest multest
+
+## These are the header files that go into the distribution file
+HDRS=mpi.h mpi-config.h utils/mpi.h utils/mpi-config.h mpprime.h mplogic.h \
+     utils/bbs_rand.h tests/mpi.h tests/mpprime.h
+
+## These are the documentation files that go into the distribution file
+DOCS=README doc utils/README utils/PRIMES 
+
+## This is the list of tools built by 'make tools'
+TOOLS=gcd invmod isprime lap dec2hex hex2dec primegen prng \
+	basecvt fact exptmod pi makeprime identest
+
+LIBOBJS = mpprime.o mpmontg.o mplogic.o mpi.o $(AS_OBJS)
+LIBHDRS = mpi-config.h mpi-priv.h mpi.h
+APPHDRS = mpi-config.h mpi.h mplogic.h mpprime.h
+
+help:
+	@ echo ""
+	@ echo "The following targets can be built with this Makefile:"
+	@ echo ""
+	@ echo "libmpi.a     - arithmetic and prime testing library"
+	@ echo "mpi-test     - test driver (requires MP_IOFUNC)"
+	@ echo "tools        - command line tools"
+	@ echo "doc          - manual pages for tools"
+	@ echo "clean        - clean up objects and such"
+	@ echo "distclean    - get ready for distribution"
+	@ echo "dist         - distribution tarball"
+	@ echo ""
+
+.SUFFIXES: .c .o .i
+
+.c.i:
+	$(CC) $(CFLAGS) -E $< > $@
+
+#.c.o: $*.h $*.c
+#	$(CC) $(CFLAGS) -c $<
+
+#---------------------------------------
+
+$(LIBOBJS): $(LIBHDRS)
+
+logtab.h: make-logtab
+	$(PERL) make-logtab > logtab.h
+
+mpi.o: mpi.c logtab.h $(LIBHDRS)
+
+mplogic.o: mplogic.c mpi-priv.h mplogic.h $(LIBHDRS)
+
+mpmontg.o: mpmontg.c mpi-priv.h mplogic.h mpprime.h $(LIBHDRS)
+
+mpprime.o: mpprime.c mpi-priv.h mpprime.h mplogic.h primes.c $(LIBHDRS)
+
+mpi_mips.o: mpi_mips.s
+	$(CC) -o $@ $(ASFLAGS) -c mpi_mips.s
+
+mpi_sparc.o : montmulf.h
+
+mpv_sparcv9.s: vis_64.il mpv_sparc.c
+	$(CC) -o $@ $(SOLARIS_FPU_FLAGS) -S vis_64.il mpv_sparc.c
+
+mpv_sparcv8.s: vis_64.il mpv_sparc.c
+	$(CC) -o $@ $(SOLARIS_FPU_FLAGS) -S vis_32.il mpv_sparc.c
+
+montmulfv8.o montmulfv9.o mpv_sparcv8.o mpv_sparcv9.o : %.o : %.s 
+	$(CC) -o $@ $(SOLARIS_ASM_FLAGS) -c $<
+
+# This rule is used to build the .s sources, which are then hand optimized.
+#montmulfv8.s montmulfv9.s : montmulf%.s : montmulf%.il montmulf.c montmulf.h 
+#	$(CC) -o $@ $(SOLARIS_ASM_FLAGS) -S montmulf$*.il montmulf.c
+
+
+libmpi.a: $(LIBOBJS)
+	ar -cvr libmpi.a $(LIBOBJS)
+	$(RANLIB) libmpi.a
+
+lib libs: libmpi.a
+
+mpi.i: mpi.h
+
+#---------------------------------------
+
+MPTESTOBJS = mptest1.o mptest2.o mptest3.o mptest3a.o mptest4.o mptest4a.o \
+	mptest4b.o mptest6.o mptest7.o mptest8.o mptest9.o
+MPTESTS = $(MPTESTOBJS:.o=)
+
+$(MPTESTOBJS): mptest%.o: tests/mptest-%.c $(LIBHDRS)
+	$(CC) $(CFLAGS) -o $@ -c $<
+
+$(MPTESTS): mptest%: mptest%.o libmpi.a
+	$(CC) $(CFLAGS) -o $@ $^  $(LIBS)
+
+tests: mptest1 mptest2 mptest3 mptest3a mptest4 mptest4a mptest4b mptest6 \
+	bbsrand
+
+utests: mptest7 mptest8 mptest9
+
+#---------------------------------------
+
+EXTRAOBJS = bbsrand.o bbs_rand.o prng.o
+UTILOBJS = primegen.o metime.o identest.o basecvt.o fact.o exptmod.o pi.o \
+	makeprime.o gcd.o invmod.o lap.o isprime.o \
+	dec2hex.o hex2dec.o
+UTILS = $(UTILOBJS:.o=) 
+
+$(UTILS): % : %.o libmpi.a
+	$(CC) $(CFLAGS) -o $@ $^ $(LIBS)
+
+$(UTILOBJS) $(EXTRAOBJS): %.o : utils/%.c $(LIBHDRS)
+	$(CC) $(CFLAGS) -o $@ -c $<
+
+prng: prng.o bbs_rand.o libmpi.a
+	$(CC) $(CFLAGS) -o $@ $^ $(LIBS)
+
+bbsrand: bbsrand.o bbs_rand.o libmpi.a
+	$(CC) $(CFLAGS) -o $@ $^ $(LIBS)
+
+utils: $(UTILS) prng bbsrand
+
+#---------------------------------------
+
+test-info.c: test-arrays.txt
+	$(PERL) make-test-arrays test-arrays.txt > test-info.c
+
+mpi-test.o: mpi-test.c test-info.c $(LIBHDRS)
+	$(CC) $(CFLAGS) -o $@ -c $<
+
+mpi-test: mpi-test.o libmpi.a
+	$(CC) $(CFLAGS) -o $@ $^ $(LIBS)
+
+mdxptest.o: mdxptest.c $(LIBHDRS) mpi-priv.h
+
+mdxptest: mdxptest.o libmpi.a
+	$(CC) $(CFLAGS) -o $@ $^ $(LIBS)
+
+mulsqr.o: mulsqr.c logtab.h mpi.h mpi-config.h mpprime.h 
+	$(CC) $(CFLAGS) -DMP_SQUARE=1 -o $@ -c mulsqr.c 
+
+mulsqr: mulsqr.o libmpi.a
+	$(CC) $(CFLAGS) -o $@ $^ $(LIBS)
+
+#---------------------------------------
+
+alltests: tests utests mpi-test
+
+tools: $(TOOLS)
+
+doc:
+	(cd doc; ./build)
+
+clean:
+	rm -f *.o *.a *.i
+	rm -f core
+	rm -f *~ .*~
+	rm -f utils/*.o
+	rm -f utils/core
+	rm -f utils/*~ utils/.*~
+
+clobber: clean
+	rm -f $(TOOLS) $(UTILS)
+
+distclean: clean
+	rm -f mptest? mpi-test metime mulsqr karatsuba
+	rm -f mptest?a mptest?b
+	rm -f utils/mptest?
+	rm -f test-info.c logtab.h
+	rm -f libmpi.a
+	rm -f $(TOOLS)
+
+dist: Makefile $(HDRS) $(SRCS) $(DOCS)
+	tar -cvf mpi-$(VERS).tar Makefile $(HDRS) $(SRCS) $(DOCS)
+	pgps -ab mpi-$(VERS).tar
+	chmod +r mpi-$(VERS).tar.asc
+	gzip -9 mpi-$(VERS).tar
+
+# END
diff --git a/security/nss/lib/freebl/mpi/Makefile.os2 b/security/nss/lib/freebl/mpi/Makefile.os2
new file mode 100644
index 000000000..e81b64649
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/Makefile.os2
@@ -0,0 +1,277 @@
+##
+## Makefile.win - gmake Makefile for building MPI with VACPP on OS/2
+##
+## The contents of this file are subject to the Mozilla Public
+## License Version 1.1 (the "License"); you may not use this file
+## except in compliance with the License. You may obtain a copy of
+## the License at http://www.mozilla.org/MPL/
+##
+## Software distributed under the License is distributed on an "AS
+## IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+## implied. See the License for the specific language governing
+## rights and limitations under the License.
+##
+## The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+## library.
+##
+## The Initial Developer of the Original Code is 
+## Michael J. Fromberger <sting@linguist.dartmouth.edu>
+##
+## Portions created by Michael J. Fromberger are 
+## Copyright (C) 1998, 2000 Michael J. Fromberger. All Rights Reserved.
+##
+## Contributor(s):
+##	Netscape Communications Corporation
+##
+## Alternatively, the contents of this file may be used under the
+## terms of the GNU General Public License Version 2 or later (the
+## "GPL"), in which case the provisions of the GPL are applicable
+## instead of those above.  If you wish to allow use of your
+## version of this file only under the terms of the GPL and not to
+## allow others to use your version of this file under the MPL,
+## indicate your decision by deleting the provisions above and
+## replace them with the notice and other provisions required by
+## the GPL.  If you do not delete the provisions above, a recipient
+## may use your version of this file under either the MPL or the
+## GPL.
+## 
+##
+## $Id$
+##
+
+## Define CC to be the C compiler you wish to use.  The GNU cc
+## compiler (gcc) should work, at the very least
+#CC=cc
+#CC=gcc
+CC=icc.exe
+AS=alp.exe
+
+## 
+## Define PERL to point to your local Perl interpreter.  It
+## should be Perl 5.x, although it's conceivable that Perl 4
+## might work ... I haven't tested it.
+##
+#PERL=/usr/bin/perl
+PERL=perl
+
+##
+## Define CFLAGS to contain any local options your compiler
+## setup requires.
+##
+## Conditional compilation options are no longer here; see
+## the file 'mpi-config.h' instead.
+##
+MPICMN = -I. -DMP_API_COMPATIBLE -DMP_IOFUNC -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD
+
+#OS/2
+AS_SRCS = mpi_x86.asm
+MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -DMP_ASSEMBLY_DIV_2DX1D
+#CFLAGS= -Od -Z7 -MD -W3 -nologo -D_X86_ -DXP_PC \
+ -DDEBUG -D_DEBUG -UNDEBUG -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN)
+#CFLAGS = -O2 -MD -W3 -nologo -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \
+ -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN)
+#CFLAGS = -Od -Z7 -MD -W3 -nologo -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \
+ -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN)
+CFLAGS = /Ti+ -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \
+ $(MPICMN)
+ASFLAGS =
+
+##
+## Define LIBS to include any libraries you need to link against.
+## If NO_TABLE is define, LIBS should include '-lm' or whatever is
+## necessary to bring in the math library.  Otherwise, it can be
+## left alone, unless your system has other peculiar requirements.
+##
+LIBS=#-lmalloc#-lefence#-lm
+
+## 
+## Define RANLIB to be the library header randomizer; you might not
+## need this on some systems (just set it to 'echo' on these systems,
+## such as IRIX)
+##
+RANLIB=echo
+
+##
+## This is the version string used for the documentation and 
+## building the distribution tarball.  Don't mess with it unless
+## you are releasing a new version
+VERS=1.7p6
+
+## ----------------------------------------------------------------------
+## You probably don't need to change anything below this line...
+##
+
+##
+## This is the list of source files that need to be packed into
+## the distribution file
+SRCS=   mpi.c mpprime.c mplogic.c mpmontg.c mpi-test.c primes.c tests/ \
+	utils/gcd.c utils/invmod.c utils/lap.c \
+	utils/ptab.pl utils/sieve.c utils/isprime.c\
+	utils/dec2hex.c utils/hex2dec.c utils/bbs_rand.c \
+	utils/bbsrand.c utils/prng.c utils/primegen.c \
+	utils/basecvt.c utils/makeprime.c\
+	utils/fact.c utils/exptmod.c utils/pi.c utils/metime.c \
+	utils/mpi.h utils/mpprime.h mulsqr.c \
+	make-test-arrays test-arrays.txt all-tests make-logtab \
+	types.pl stats timetest multest
+
+## These are the header files that go into the distribution file
+HDRS=mpi.h mpi-config.h utils/mpi.h utils/mpi-config.h mpprime.h mplogic.h \
+     utils/bbs_rand.h tests/mpi.h tests/mpprime.h
+
+## These are the documentation files that go into the distribution file
+DOCS=README doc utils/README utils/PRIMES 
+
+## This is the list of tools built by 'make tools'
+TOOLS=gcd.exe invmod.exe isprime.exe lap.exe dec2hex.exe hex2dec.exe \
+ primegen.exe prng.exe basecvt.exe fact.exe exptmod.exe pi.exe makeprime.exe
+
+AS_OBJS = $(AS_SRCS:.asm=.obj)
+LIBOBJS = mpprime.obj mpmontg.obj mplogic.obj mpi.obj $(AS_OBJS)
+LIBHDRS = mpi-config.h mpi-priv.h mpi.h
+APPHDRS = mpi-config.h mpi.h mplogic.h mpprime.h
+
+
+help:
+	@ echo ""
+	@ echo "The following targets can be built with this Makefile:"
+	@ echo ""
+	@ echo "mpi.lib      - arithmetic and prime testing library"
+	@ echo "mpi-test.exe - test driver (requires MP_IOFUNC)"
+	@ echo "tools        - command line tools"
+	@ echo "doc          - manual pages for tools"
+	@ echo "clean        - clean up objects and such"
+	@ echo "distclean    - get ready for distribution"
+	@ echo "dist         - distribution tarball"
+	@ echo ""
+
+.SUFFIXES: .c .obj .i .lib .exe .asm
+
+.c.i:
+	$(CC) $(CFLAGS) -E $< > $@
+
+.c.obj: 
+	$(CC) $(CFLAGS) -c $<
+
+.asm.obj:
+	$(AS) $(ASFLAGS) $<
+
+.obj.exe:
+	$(CC) $(CFLAGS) -Fo$@ $<
+
+#---------------------------------------
+
+$(LIBOBJS): $(LIBHDRS)
+
+logtab.h: make-logtab
+	$(PERL) make-logtab > logtab.h
+
+mpi.obj: mpi.c logtab.h $(LIBHDRS)
+
+mplogic.obj: mplogic.c mpi-priv.h mplogic.h $(LIBHDRS)
+
+mpmontg.obj: mpmontg.c mpi-priv.h mplogic.h mpprime.h $(LIBHDRS)
+
+mpprime.obj: mpprime.c mpi-priv.h mpprime.h mplogic.h primes.c $(LIBHDRS)
+
+mpi_mips.obj: mpi_mips.s
+	$(CC) -Fo$@ $(ASFLAGS) -c mpi_mips.s
+
+mpi.lib: $(LIBOBJS)
+	ilib /out:mpi.lib $(LIBOBJS)
+	$(RANLIB) mpi.lib
+
+lib libs: mpi.lib
+
+#---------------------------------------
+
+MPTESTOBJS = mptest1.obj mptest2.obj mptest3.obj mptest3a.obj mptest4.obj \
+ mptest4a.obj mptest4b.obj mptest6.obj mptest7.obj mptest8.obj mptest9.obj
+MPTESTS = $(MPTESTOBJS:.obj=.exe)
+
+$(MPTESTOBJS): mptest%.obj: tests/mptest-%.c $(LIBHDRS)
+	$(CC) $(CFLAGS) -Fo$@ -c $<
+
+$(MPTESTS): mptest%.exe: mptest%.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^ 
+
+tests: mptest1.exe mptest2.exe mptest3.exe mptest3a.exe mptest4.exe \
+ mptest4a.exe mptest4b.exe mptest6.exe bbsrand.exe
+
+utests: mptest7.exe mptest8.exe mptest9.exe
+
+#---------------------------------------
+
+EXTRAOBJS = bbsrand.obj bbs_rand.obj prng.obj
+UTILOBJS = primegen.obj metime.obj identest.obj basecvt.obj fact.obj \
+ exptmod.obj pi.obj makeprime.obj karatsuba.obj gcd.obj invmod.obj lap.obj \
+ isprime.obj dec2hex.obj hex2dec.obj
+UTILS = $(UTILOBJS:.obj=.exe) 
+
+$(UTILS): %.exe : %.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^ 
+
+$(UTILOBJS) $(EXTRAOBJS): %.obj : utils/%.c $(LIBHDRS)
+	$(CC) $(CFLAGS) -Fo$@ -c $<
+
+prng.exe: prng.obj bbs_rand.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^
+
+bbsrand.exe: bbsrand.obj bbs_rand.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^
+
+utils: $(UTILS) prng.exe bbsrand.exe
+
+#---------------------------------------
+
+test-info.c: test-arrays.txt
+	$(PERL) make-test-arrays test-arrays.txt > test-info.c
+
+mpi-test.obj: mpi-test.c test-info.c $(LIBHDRS)
+	$(CC) $(CFLAGS) -Fo$@ -c $<
+
+mpi-test.exe: mpi-test.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^
+
+mdxptest.obj: mdxptest.c $(LIBHDRS) mpi-priv.h
+
+mdxptest.exe: mdxptest.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^
+
+mulsqr.obj: mulsqr.c logtab.h mpi.h mpi-config.h mpprime.h 
+	$(CC) $(CFLAGS) -DMP_SQUARE=1 -Fo$@ -c mulsqr.c 
+
+mulsqr.exe: mulsqr.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^
+
+#---------------------------------------
+
+alltests: tests utests mpi-test.exe
+
+tools: $(TOOLS)
+
+doc:
+	(cd doc; ./build)
+
+clean:
+	rm -f *.obj *.lib *.pdb *.ilk
+	cd utils; rm -f *.obj *.lib *.pdb *.ilk
+
+distclean: clean
+	rm -f mptest? mpi-test metime mulsqr karatsuba
+	rm -f mptest?a mptest?b
+	rm -f utils/mptest?
+	rm -f test-info.c logtab.h
+	rm -f mpi.lib
+	rm -f $(TOOLS)
+
+dist: Makefile $(HDRS) $(SRCS) $(DOCS)
+	tar -cvf mpi-$(VERS).tar Makefile $(HDRS) $(SRCS) $(DOCS)
+	pgps -ab mpi-$(VERS).tar
+	chmod +r mpi-$(VERS).tar.asc
+	gzip -9 mpi-$(VERS).tar
+
+
+print: 
+	@echo LIBOBJS = $(LIBOBJS)
+# END
diff --git a/security/nss/lib/freebl/mpi/Makefile.win b/security/nss/lib/freebl/mpi/Makefile.win
new file mode 100644
index 000000000..1c403f4d3
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/Makefile.win
@@ -0,0 +1,277 @@
+##
+## Makefile.win - gmake Makefile for building MPI with MSVC on NT
+##
+## The contents of this file are subject to the Mozilla Public
+## License Version 1.1 (the "License"); you may not use this file
+## except in compliance with the License. You may obtain a copy of
+## the License at http://www.mozilla.org/MPL/
+##
+## Software distributed under the License is distributed on an "AS
+## IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+## implied. See the License for the specific language governing
+## rights and limitations under the License.
+##
+## The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+## library.
+##
+## The Initial Developer of the Original Code is 
+## Michael J. Fromberger <sting@linguist.dartmouth.edu>
+##
+## Portions created by Michael J. Fromberger are 
+## Copyright (C) 1998, 2000 Michael J. Fromberger. All Rights Reserved.
+##
+## Contributor(s):
+##	Netscape Communications Corporation
+##
+## Alternatively, the contents of this file may be used under the
+## terms of the GNU General Public License Version 2 or later (the
+## "GPL"), in which case the provisions of the GPL are applicable
+## instead of those above.  If you wish to allow use of your
+## version of this file only under the terms of the GPL and not to
+## allow others to use your version of this file under the MPL,
+## indicate your decision by deleting the provisions above and
+## replace them with the notice and other provisions required by
+## the GPL.  If you do not delete the provisions above, a recipient
+## may use your version of this file under either the MPL or the
+## GPL.
+## 
+##
+## $Id$
+##
+
+## Define CC to be the C compiler you wish to use.  The GNU cc
+## compiler (gcc) should work, at the very least
+#CC=cc
+#CC=gcc
+CC=cl.exe
+AS=ml.exe
+
+## 
+## Define PERL to point to your local Perl interpreter.  It
+## should be Perl 5.x, although it's conceivable that Perl 4
+## might work ... I haven't tested it.
+##
+#PERL=/usr/bin/perl
+PERL=perl
+
+##
+## Define CFLAGS to contain any local options your compiler
+## setup requires.
+##
+## Conditional compilation options are no longer here; see
+## the file 'mpi-config.h' instead.
+##
+MPICMN = -I. -DMP_API_COMPATIBLE -DMP_IOFUNC
+
+#NT
+AS_SRCS = mpi_x86.asm
+MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -DMP_ASSEMBLY_DIV_2DX1D
+#CFLAGS= -Od -Z7 -MD -W3 -nologo -D_X86_ -DXP_PC \
+ -DDEBUG -D_DEBUG -UNDEBUG -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN)
+#CFLAGS = -O2 -MD -W3 -nologo -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \
+ -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN)
+#CFLAGS = -Od -Z7 -MD -W3 -nologo -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \
+ -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN)
+CFLAGS = -O2 -Z7 -MD -W3 -nologo -D_X86_ -DXP_PC -UDEBUG -U_DEBUG -DNDEBUG \
+ -DWIN32 -D_WINDOWS -DWIN95 $(MPICMN)
+ASFLAGS = -Cp -Sn -Zi -coff -I. 
+
+##
+## Define LIBS to include any libraries you need to link against.
+## If NO_TABLE is define, LIBS should include '-lm' or whatever is
+## necessary to bring in the math library.  Otherwise, it can be
+## left alone, unless your system has other peculiar requirements.
+##
+LIBS=#-lmalloc#-lefence#-lm
+
+## 
+## Define RANLIB to be the library header randomizer; you might not
+## need this on some systems (just set it to 'echo' on these systems,
+## such as IRIX)
+##
+RANLIB=echo
+
+##
+## This is the version string used for the documentation and 
+## building the distribution tarball.  Don't mess with it unless
+## you are releasing a new version
+VERS=1.7p6
+
+## ----------------------------------------------------------------------
+## You probably don't need to change anything below this line...
+##
+
+##
+## This is the list of source files that need to be packed into
+## the distribution file
+SRCS=   mpi.c mpprime.c mplogic.c mpmontg.c mpi-test.c primes.c tests/ \
+	utils/gcd.c utils/invmod.c utils/lap.c \
+	utils/ptab.pl utils/sieve.c utils/isprime.c\
+	utils/dec2hex.c utils/hex2dec.c utils/bbs_rand.c \
+	utils/bbsrand.c utils/prng.c utils/primegen.c \
+	utils/basecvt.c utils/makeprime.c\
+	utils/fact.c utils/exptmod.c utils/pi.c utils/metime.c \
+	utils/mpi.h utils/mpprime.h mulsqr.c \
+	make-test-arrays test-arrays.txt all-tests make-logtab \
+	types.pl stats timetest multest
+
+## These are the header files that go into the distribution file
+HDRS=mpi.h mpi-config.h utils/mpi.h utils/mpi-config.h mpprime.h mplogic.h \
+     utils/bbs_rand.h tests/mpi.h tests/mpprime.h
+
+## These are the documentation files that go into the distribution file
+DOCS=README doc utils/README utils/PRIMES 
+
+## This is the list of tools built by 'make tools'
+TOOLS=gcd.exe invmod.exe isprime.exe lap.exe dec2hex.exe hex2dec.exe \
+ primegen.exe prng.exe basecvt.exe fact.exe exptmod.exe pi.exe makeprime.exe
+
+AS_OBJS = $(AS_SRCS:.asm=.obj)
+LIBOBJS = mpprime.obj mpmontg.obj mplogic.obj mpi.obj $(AS_OBJS)
+LIBHDRS = mpi-config.h mpi-priv.h mpi.h
+APPHDRS = mpi-config.h mpi.h mplogic.h mpprime.h
+
+
+help:
+	@ echo ""
+	@ echo "The following targets can be built with this Makefile:"
+	@ echo ""
+	@ echo "mpi.lib     - arithmetic and prime testing library"
+	@ echo "mpi-test     - test driver (requires MP_IOFUNC)"
+	@ echo "tools        - command line tools"
+	@ echo "doc          - manual pages for tools"
+	@ echo "clean        - clean up objects and such"
+	@ echo "distclean    - get ready for distribution"
+	@ echo "dist         - distribution tarball"
+	@ echo ""
+
+.SUFFIXES: .c .obj .i .lib .exe .asm
+
+.c.i:
+	$(CC) $(CFLAGS) -E $< > $@
+
+.c.obj: 
+	$(CC) $(CFLAGS) -c $<
+
+.asm.obj:
+	$(AS) $(ASFLAGS) -c $<
+
+.obj.exe:
+	$(CC) $(CFLAGS) -Fo$@ $<
+
+#---------------------------------------
+
+$(LIBOBJS): $(LIBHDRS)
+
+logtab.h: make-logtab
+	$(PERL) make-logtab > logtab.h
+
+mpi.obj: mpi.c logtab.h $(LIBHDRS)
+
+mplogic.obj: mplogic.c mpi-priv.h mplogic.h $(LIBHDRS)
+
+mpmontg.obj: mpmontg.c mpi-priv.h mplogic.h mpprime.h $(LIBHDRS)
+
+mpprime.obj: mpprime.c mpi-priv.h mpprime.h mplogic.h primes.c $(LIBHDRS)
+
+mpi_mips.obj: mpi_mips.s
+	$(CC) -Fo$@ $(ASFLAGS) -c mpi_mips.s
+
+mpi.lib: $(LIBOBJS)
+	ar -cvr mpi.lib $(LIBOBJS)
+	$(RANLIB) mpi.lib
+
+lib libs: mpi.lib
+
+#---------------------------------------
+
+MPTESTOBJS = mptest1.obj mptest2.obj mptest3.obj mptest3a.obj mptest4.obj \
+ mptest4a.obj mptest4b.obj mptest6.obj mptest7.obj mptest8.obj mptest9.obj
+MPTESTS = $(MPTESTOBJS:.obj=.exe)
+
+$(MPTESTOBJS): mptest%.obj: tests/mptest-%.c $(LIBHDRS)
+	$(CC) $(CFLAGS) -Fo$@ -c $<
+
+$(MPTESTS): mptest%.exe: mptest%.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^ 
+
+tests: mptest1.exe mptest2.exe mptest3.exe mptest3a.exe mptest4.exe \
+ mptest4a.exe mptest4b.exe mptest6.exe bbsrand.exe
+
+utests: mptest7.exe mptest8.exe mptest9.exe
+
+#---------------------------------------
+
+EXTRAOBJS = bbsrand.obj bbs_rand.obj prng.obj
+UTILOBJS = primegen.obj metime.obj identest.obj basecvt.obj fact.obj \
+ exptmod.obj pi.obj makeprime.obj karatsuba.obj gcd.obj invmod.obj lap.obj \
+ isprime.obj dec2hex.obj hex2dec.obj
+UTILS = $(UTILOBJS:.obj=.exe) 
+
+$(UTILS): %.exe : %.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^ 
+
+$(UTILOBJS) $(EXTRAOBJS): %.obj : utils/%.c $(LIBHDRS)
+	$(CC) $(CFLAGS) -Fo$@ -c $<
+
+prng.exe: prng.obj bbs_rand.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^
+
+bbsrand.exe: bbsrand.obj bbs_rand.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^
+
+utils: $(UTILS) prng.exe bbsrand.exe
+
+#---------------------------------------
+
+test-info.c: test-arrays.txt
+	$(PERL) make-test-arrays test-arrays.txt > test-info.c
+
+mpi-test.obj: mpi-test.c test-info.c $(LIBHDRS)
+	$(CC) $(CFLAGS) -Fo$@ -c $<
+
+mpi-test.exe: mpi-test.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^
+
+mdxptest.obj: mdxptest.c $(LIBHDRS) mpi-priv.h
+
+mdxptest.exe: mdxptest.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^
+
+mulsqr.obj: mulsqr.c logtab.h mpi.h mpi-config.h mpprime.h 
+	$(CC) $(CFLAGS) -DMP_SQUARE=1 -Fo$@ -c mulsqr.c 
+
+mulsqr.exe: mulsqr.obj mpi.lib $(LIBS)
+	$(CC) $(CFLAGS) -Fo$@ $^
+
+#---------------------------------------
+
+alltests: tests utests mpi-test.exe
+
+tools: $(TOOLS)
+
+doc:
+	(cd doc; ./build)
+
+clean:
+	rm -f *.obj *.lib *.pdb *.ilk
+	cd utils; rm -f *.obj *.lib *.pdb *.ilk
+
+distclean: clean
+	rm -f mptest? mpi-test metime mulsqr karatsuba
+	rm -f mptest?a mptest?b
+	rm -f utils/mptest?
+	rm -f test-info.c logtab.h
+	rm -f mpi.lib
+	rm -f $(TOOLS)
+
+dist: Makefile $(HDRS) $(SRCS) $(DOCS)
+	tar -cvf mpi-$(VERS).tar Makefile $(HDRS) $(SRCS) $(DOCS)
+	pgps -ab mpi-$(VERS).tar
+	chmod +r mpi-$(VERS).tar.asc
+	gzip -9 mpi-$(VERS).tar
+
+
+print: 
+	@echo LIBOBJS = $(LIBOBJS)
+# END
diff --git a/security/nss/lib/freebl/mpi/README b/security/nss/lib/freebl/mpi/README
new file mode 100644
index 000000000..3c5cbdaa6
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/README
@@ -0,0 +1,795 @@
+The contents of this file are subject to the Mozilla Public
+License Version 1.1 (the "License"); you may not use this file
+except in compliance with the License. You may obtain a copy of
+the License at http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS
+IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+implied. See the License for the specific language governing
+rights and limitations under the License.
+
+The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+library.
+
+The Initial Developer of the Original Code is 
+Michael J. Fromberger <sting@linguist.dartmouth.edu>
+
+Portions created by Michael J. Fromberger are 
+Copyright (C) 1997, 1998, 1999, 2000 Michael J. Fromberger. 
+All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the
+terms of the GNU General Public License Version 2 or later (the
+"GPL"), in which case the provisions of the GPL are applicable
+instead of those above.  If you wish to allow use of your
+version of this file only under the terms of the GPL and not to
+allow others to use your version of this file under the MPL,
+indicate your decision by deleting the provisions above and
+replace them with the notice and other provisions required by
+the GPL.  If you do not delete the provisions above, a recipient
+may use your version of this file under either the MPL or the GPL.
+
+About the MPI Library
+---------------------
+
+The files 'mpi.h' and 'mpi.c' define a simple, arbitrary precision
+signed integer arithmetic package.  The implementation is not the most
+efficient possible, but the code is small and should be fairly easily
+portable to just about any machine that supports an ANSI C compiler,
+as long as it is capable of at least 16-bit arithmetic (but also see
+below for more on this).
+
+This library was written with an eye to cryptographic applications;
+thus, some care is taken to make sure that temporary values are not
+left lying around in memory when they are no longer in use.  This adds
+some overhead for zeroing buffers before they are released back into
+the free pool; however, it gives you the assurance that there is only
+one copy of your important values residing in your process's address
+space at a time.  Obviously, it is difficult to guarantee anything, in
+a pre-emptive multitasking environment, but this at least helps you
+keep a lid on the more obvious ways your data can get spread around in
+memory.
+
+
+Using the Library
+-----------------
+
+To use the MPI library in your program, you must include the header:
+
+#include "mpi.h"
+
+This header provides all the type and function declarations you'll
+need to use the library.  Almost all the names defined by the library
+begin with the prefix 'mp_', so it should be easy to keep them from
+clashing with your program's namespace (he says, glibly, knowing full
+well there are always pathological cases).
+
+There are a few things you may want to configure about the library.
+By default, the MPI library uses an unsigned short for its digit type,
+and an unsigned int for its word type.  The word type must be big
+enough to contain at least two digits, for the primitive arithmetic to
+work out.  On my machine, a short is 2 bytes and an int is 4 bytes --
+but if you have 64-bit ints, you might want to use a 4-byte digit and
+an 8-byte word.  I have tested the library using 1-byte digits and
+2-byte words, as well.  Whatever you choose to do, the things you need
+to change are:
+
+(1) The type definitions for mp_digit and mp_word.
+
+(2) The macro DIGIT_FMT which tells mp_print() how to display a
+    single digit.  This is just a printf() format string, so you
+    can adjust it appropriately.
+
+(3) The macros DIGIT_MAX and MP_WORD_MAX, which specify the 
+    largest value expressible in an mp_digit and an mp_word,
+    respectively.
+
+Both the mp_digit and mp_word should be UNSIGNED integer types.  The
+code relies on having the full positive precision of the type used for
+digits and words.
+
+The remaining type definitions should be left alone, for the most
+part.  The code in the library does not make any significant
+assumptions about the sizes of things, but there is little if any
+reason to change the other parameters, so I would recommend you leave
+them as you found them.
+
+The library comes with a Perl script, 'types.pl', which will scan your
+current Makefile settings, and attempt to find good definitions for
+these types.  It relies on a Unix sort of build environment, so it
+probably won't work under MacOS or Windows, but it can be convenient
+if you're porting to a new flavour of Unix.  Just run 'types.pl' at
+the command line, and it will spit out its results to the standard
+output.
+
+
+Conventions
+-----------
+
+Most functions in the library return a value of type mp_err.  This
+permits the library to communicate success or various kinds of failure
+to the calling program.  The return values currently defined are:
+
+        MP_OKAY         - okay, operation succeeded, all's well
+        MP_YES          - okay, the answer is yes (same as MP_OKAY)
+        MP_NO           - okay, but answer is no (not MP_OKAY)
+        MP_MEM          - operation ran out of memory
+        MP_RANGE        - input parameter was out of range
+        MP_BADARG       - an invalid input parameter was provided
+        MP_UNDEF        - no output value is defined for this input
+
+The only function which currently uses MP_UNDEF is mp_invmod().
+Division by zero is undefined, but the division functions will return
+MP_RANGE for a zero divisor.  MP_BADARG usually means you passed a
+bogus mp_int structure to the function.  MP_YES and MP_NO are not used
+by the library itself; they're defined so you can use them in your own
+extensions.
+
+If you need a readable interpretation of these error codes in your
+program, you may also use the mp_strerror() function.  This function
+takes an mp_err as input, and returns a pointer to a human-readable
+string describing the meaning of the error.  These strings are stored
+as constants within the library, so the caller should not attempt to
+modify or free the memory associated with these strings.
+
+The library represents values in signed-magnitude format.  Values
+strictly less than zero are negative, all others are considered
+positive (zero is positive by fiat).  You can access the 'sign' member
+of the mp_int structure directly, but better is to use the mp_cmp_z()
+function, to find out which side of zero the value lies on.
+
+Most arithmetic functions have a single-digit variant, as well as the
+full arbitrary-precision.  An mp_digit is an unsigned value between 0
+and DIGIT_MAX inclusive.  The radix is available as RADIX.  The number
+of bits in a given digit is given as DIGIT_BIT.
+
+Generally, input parameters are given before output parameters.
+Unless otherwise specified, any input parameter can be re-used as an
+output parameter, without confusing anything.
+
+The basic numeric type defined by the library is an mp_int.  Virtually
+all the functions in the library take a pointer to an mp_int as one of
+their parameters.  An explanation of how to create and use these
+<HR>
+<A NAME="p23">
+<H3>Problem 23:</H3>
+
+structures follows.  And so, without further ado...
+
+
+Initialization and Cleanup
+--------------------------
+
+The basic numeric type defined by the library is an 'mp_int'.
+However, it is not sufficient to simply declare a variable of type
+mp_int in your program.  These variables also need to be initialized
+before they can be used, to allocate the internal storage they require
+for computation.
+
+This is done using one of the following functions:
+
+        mp_init(mp_int *mp);
+        mp_init_copy(mp_int *mp, mp_int *from);
+        mp_init_size(mp_int *mp, mp_size p);
+
+Each of these requires a pointer to a structure of type mp_int.  The
+basic mp_init() simply initializes the mp_int to a default size, and
+sets its value to zero.  If you would like to initialize a copy of an
+existing mp_int, use mp_init_copy(), where the 'from' parameter is the
+mp_int you'd like to make a copy of.  The third function,
+mp_init_size(), permits you to specify how many digits of precision
+should be preallocated for your mp_int.  This can help the library
+avoid unnecessary re-allocations later on.
+
+The default precision used by mp_init() can be retrieved using:
+
+        precision = mp_get_prec();
+
+This returns the number of digits that will be allocated.  You can
+change this value by using:
+
+        mp_set_prec(unsigned int prec);
+
+Any positive value is acceptable -- if you pass zero, the default
+precision will be re-set to the compiled-in library default (this is
+specified in the header file 'mpi-config.h', and typically defaults to
+8 or 16).
+
+Just as you must allocate an mp_int before you can use it, you must
+clean up the structure when you are done with it.  This is performed
+using the mp_clear() function.  Remember that any mp_int that you
+create as a local variable in a function must be mp_clear()'d before
+that function exits, or else the memory allocated to that mp_int will
+be orphaned and unrecoverable.
+
+To set an mp_int to a given value, the following functions are given:
+
+        mp_set(mp_int *mp, mp_digit d);
+        mp_set_int(mp_int *mp, long z);
+
+The mp_set() function sets the mp_int to a single digit value, while
+mp_set_int() sets the mp_int to a signed long integer value.
+
+To set an mp_int to zero, use:
+
+        mp_zero(mp_int *mp);
+
+
+Copying and Moving
+------------------
+
+If you have two initialized mp_int's, and you want to copy the value
+of one into the other, use:
+
+        mp_copy(from, to)
+
+This takes care of clearing the old value of 'to', and copies the new
+value into it.  If 'to' is not yet initialized, use mp_init_copy()
+instead (see above).
+
+Note:   The library tries, whenever possible, to avoid allocating
+----    new memory.  Thus, mp_copy() tries first to satisfy the needs
+        of the copy by re-using the memory already allocated to 'to'.
+        Only if this proves insufficient will mp_copy() actually
+        allocate new memory.
+
+        For this reason, if you know a priori that 'to' has enough
+        available space to hold 'from', you don't need to check the
+        return value of mp_copy() for memory failure.  The USED()
+        macro tells you how many digits are used by an mp_int, and
+        the ALLOC() macro tells you how many are allocated.
+
+If you have two initialized mp_int's, and you want to exchange their
+values, use:
+
+        mp_exch(a, b)
+
+This is better than using mp_copy() with a temporary, since it will
+not (ever) touch the memory allocator -- it just swaps the exact
+contents of the two structures.  The mp_exch() function cannot fail;
+if you pass it an invalid structure, it just ignores it, and does
+nothing.
+
+
+Basic Arithmetic
+----------------
+
+Once you have initialized your integers, you can operate on them.  The
+basic arithmetic functions on full mp_int values are:
+
+mp_add(a, b, c)         - computes c = a + b
+mp_sub(a, b, c)         - computes c = a - b
+mp_mul(a, b, c)         - computes c = a * b
+mp_sqr(a, b)            - computes b = a * a
+mp_div(a, b, q, r)      - computes q, r such that a = bq + r
+mp_div_2d(a, d, q, r)   - computes q = a / 2^d, r = a % 2^d
+mp_expt(a, b, c)        - computes c = a ** b
+mp_2expt(a, k)          - computes a = 2^k
+mp_sqrt(a, c)           - computes c = floor(sqrt(a))
+
+The mp_div_2d() function efficiently computes division by powers of
+two.  Either the q or r parameter may be NULL, in which case that
+portion of the computation will be discarded.
+
+The algorithms used for some of the computations here are described in
+the following files which are included with this distribution:
+
+mul.txt         Describes the multiplication algorithm
+div.txt         Describes the division algorithm
+expt.txt        Describes the exponentiation algorithm
+sqrt.txt        Describes the square-root algorithm
+square.txt      Describes the squaring algorithm
+
+There are single-digit versions of most of these routines, as well.
+In the following prototypes, 'd' is a single mp_digit:
+
+mp_add_d(a, d, c)       - computes c = a + d
+mp_sub_d(a, d, c)       - computes c = a - d
+mp_mul_d(a, d, c)       - computes c = a * d
+mp_mul_2(a, c)          - computes c = a * 2
+mp_div_d(a, d, q, r)    - computes q, r such that a = bq + r
+mp_div_2(a, c)          - computes c = a / 2
+mp_expt_d(a, d, c)      - computes c = a ** d
+
+The mp_mul_2() and mp_div_2() functions take advantage of the internal
+representation of an mp_int to do multiplication by two more quickly
+than mp_mul_d() would.  Other basic functions of an arithmetic variety
+include:
+
+mp_zero(a)              - assign 0 to a
+mp_neg(a, c)            - negate a: c = -a
+mp_abs(a, c)            - absolute value: c = |a|
+
+
+Comparisons
+-----------
+
+Several comparison functions are provided.  Each of these, unless
+otherwise specified, returns zero if the comparands are equal, < 0 if
+the first is less than the second, and > 0 if the first is greater
+than the second:
+
+mp_cmp_z(a)             - compare a <=> 0
+mp_cmp_d(a, d)          - compare a <=> d, d is a single digit
+mp_cmp(a, b)            - compare a <=> b
+mp_cmp_mag(a, b)        - compare |a| <=> |b|
+mp_cmp_int(a, z)        - compare a <=> z, z is a signed long integer
+mp_isodd(a)             - return nonzero if odd, zero otherwise
+mp_iseven(a)            - return nonzero if even, zero otherwise
+
+
+Modular Arithmetic
+------------------
+
+Modular variations of the basic arithmetic functions are also
+supported.  These are available if the MP_MODARITH parameter in
+mpi-config.h is turned on (it is by default).  The modular arithmetic
+functions are:
+
+mp_mod(a, m, c)         - compute c = a (mod m), 0 <= c < m
+mp_mod_d(a, d, c)       - compute c = a (mod d), 0 <= c < d (see below)
+mp_addmod(a, b, m, c)   - compute c = (a + b) mod m
+mp_submod(a, b, m, c)   - compute c = (a - b) mod m
+mp_mulmod(a, b, m, c)   - compute c = (a * b) mod m
+mp_sqrmod(a, m, c)      - compute c = (a * a) mod m
+mp_exptmod(a, b, m, c)  - compute c = (a ** b) mod m
+mp_exptmod_d(a, d, m, c)- compute c = (a ** d) mod m
+
+The mp_sqr() function squares its input argument.  A call to mp_sqr(a,
+c) is identical in meaning to mp_mul(a, a, c); however, if the
+MP_SQUARE variable is set true in mpi-config.h (see below), then it
+will be implemented with a different algorithm, that is supposed to
+take advantage of the redundant computation that takes place during
+squaring.  Unfortunately, some compilers result in worse performance
+on this code, so you can change the behaviour at will.  There is a
+utility program "mulsqr.c" that lets you test which does better on
+your system.
+
+The mp_sqrmod() function is analogous to the mp_sqr() function; it
+uses the mp_sqr() function rather than mp_mul(), and then performs the
+modular reduction.  This probably won't help much unless you are doing
+a lot of them.
+
+See the file 'square.txt' for a synopsis of the algorithm used.
+
+Note:   The mp_mod_d() function computes a modular reduction around
+----    a single digit d.  The result is a single digit c.
+
+Because an inverse is defined for a (mod m) if and only if (a, m) = 1
+(that is, if a and m are relatively prime), mp_invmod() may not be
+able to compute an inverse for the arguments.  In this case, it
+returns the value MP_UNDEF, and does not modify c.  If an inverse is
+defined, however, it returns MP_OKAY, and sets c to the value of the
+inverse (mod m).
+
+See the file 'redux.txt' for a description of the modular reduction
+algorithm used by mp_exptmod().
+
+
+Greatest Common Divisor
+-----------------------
+
+If The greates common divisor of two values can be found using one of the
+following functions:
+
+mp_gcd(a, b, c)         - compute c = (a, b) using binary algorithm
+mp_lcm(a, b, c)         - compute c = [a, b] = ab / (a, b)
+mp_xgcd(a, b, g, x, y)  - compute g, x, y so that ax + by = g = (a, b)
+
+Also provided is a function to compute modular inverses, if they
+exist:
+
+mp_invmod(a, m, c)      - compute c = a^-1 (mod m), if it exists
+
+The function mp_xgcd() computes the greatest common divisor, and also
+returns values of x and y satisfying Bezout's identity.  This is used
+by mp_invmod() to find modular inverses.  However, if you do not need
+these values, you will find that mp_gcd() is MUCH more efficient,
+since it doesn't need all the intermediate values that mp_xgcd()
+requires in order to compute x and y. 
+
+The mp_gcd() (and mp_xgcd()) functions use the binary (extended) GCD
+algorithm due to Josef Stein.
+
+
+Input & Output Functions
+------------------------
+
+The following basic I/O routines are provided.  These are present at
+all times:
+
+mp_read_radix(mp, str, r)  - convert a string in radix r to an mp_int
+mp_read_raw(mp, s, len)    - convert a string of bytes to an mp_int
+mp_radix_size(mp, r)       - return length of buffer needed by mp_toradix()
+mp_raw_size(mp)            - return length of buffer needed by mp_toraw()
+mp_toradix(mp, str, r)     - convert an mp_int to a string of radix r 
+                             digits
+mp_toraw(mp, str)          - convert an mp_int to a string of bytes
+mp_tovalue(ch, r)          - convert ch to its value when taken as
+                             a radix r digit, or -1 if invalid
+mp_strerror(err)           - get a string describing mp_err value 'err'
+
+If you compile the MPI library with MP_IOFUNC defined, you will also
+have access to the following additional I/O function:
+
+mp_print(mp, ofp)       - print an mp_int as text to output stream ofp
+
+Note that mp_radix_size() returns a size in bytes guaranteed to be AT
+LEAST big enough for the digits output by mp_toradix().  Because it
+uses an approximation technique to figure out how many digits will be
+needed, it may return a figure which is larger than necessary.  Thus,
+the caller should not rely on the value to determine how many bytes
+will actually be written by mp_toradix().  The string mp_toradix()
+creates will be NUL terminated, so the standard C library function
+strlen() should be able to ascertain this for you, if you need it.
+
+The mp_read_radix() and mp_toradix() functions support bases from 2 to
+64 inclusive.  If you require more general radix conversion facilities
+than this, you will need to write them yourself (that's why mp_div_d()
+is provided, after all).
+
+Note:   mp_read_radix() will accept as digits either capital or 
+----    lower-case letters.  However, the current implementation of
+        mp_toradix() only outputs upper-case letters, when writing
+        bases betwee 10 and 36.  The underlying code supports using
+        lower-case letters, but the interface stub does not have a
+        selector for it.  You can add one yourself if you think it
+        is worthwhile -- I do not.  Bases from 36 to 64 use lower-
+        case letters as distinct from upper-case.  Bases 63 and
+        64 use the characters '+' and '/' as digits.
+
+        Note also that compiling with MP_IOFUNC defined will cause
+        inclusion of <stdio.h>, so if you are trying to write code
+        which does not depend on the standard C library, you will
+        probably want to avoid this option.  This is needed because
+        the mp_print() function takes a standard library FILE * as
+        one of its parameters, and uses the fprintf() function.
+
+The mp_toraw() function converts the integer to a sequence of bytes,
+in big-endian ordering (most-significant byte first).  Assuming your
+bytes are 8 bits wide, this corresponds to base 256.  The sign is
+encoded as a single leading byte, whose value is 0 for zero or
+positive values, or 1 for negative values.  The mp_read_raw() function
+reverses this process -- it takes a buffer of bytes, interprets the
+first as a sign indicator (0 = zero/positive, nonzero = negative), and
+the rest as a sequence of 1-byte digits in big-endian ordering.
+
+The mp_raw_size() function returns the exact number of bytes required
+to store the given integer in "raw" format (as described in the
+previous paragraph).  Zero is returned in case of error; a valid
+integer will require at least three bytes of storage.
+
+In previous versions of the MPI library, an "external representation
+format" was supported.  This was removed, however, because I found I
+was never using it, it was not as portable as I would have liked, and
+I decided it was a waste of space.
+
+
+Other Functions
+---------------
+
+The files 'mpprime.h' and 'mpprime.c' define some routines which are
+useful for divisibility testing and probabilistic primality testing.
+The routines defined are:
+
+mpp_divis(a, b)          - is a divisible by b?
+mpp_divis_d(a, d)        - is a divisible by digit d?
+mpp_random(a)            - set a to random value at current precision
+mpp_random_size(a, prec) - set a to random value at given precision
+
+Note:  The mpp_random() and mpp_random_size() functions use the C
+----   library's rand() function to generate random values.  It is
+       up to the caller to seed this generator before it is called.
+       These functions are not suitable for generating quantities
+       requiring cryptographic-quality randomness; they are intended
+       primarily for use in primality testing.
+
+       Note too that the MPI library does not call srand(), so your
+       application should do this, if you ever want the sequence
+       to change.
+
+mpp_divis_vector(a, v, s, w)  - is a divisible by any of the s digits
+                                in v?  If so, let w be the index of 
+                                that digit
+
+mpp_divis_primes(a, np)       - is a divisible by any of the first np
+                                primes?  If so, set np to the prime 
+                                which divided a.
+
+mpp_fermat(a, d)              - test if w^a = w (mod a).  If so, 
+                                returns MP_YES, otherwise MP_NO.
+
+mpp_pprime(a, nt)             - perform nt iterations of the Rabin-
+                                Miller probabilistic primality test
+                                on a.  Returns MP_YES if all tests
+                                passed, or MP_NO if any test fails.
+
+The mpp_fermat() function works based on Fermat's little theorem, a
+consequence of which is that if p is a prime, and (w, p) = 1, then:
+
+        w^p = w (mod p)
+
+Put another way, if w^p != w (mod p), then p is not prime.  The test
+is expensive to compute, but it helps to quickly eliminate an enormous
+class of composite numbers prior to Rabin-Miller testing.
+
+Building the Library
+--------------------
+
+The MPI library is designed to be as self-contained as possible.  You
+should be able to compile it with your favourite ANSI C compiler, and
+link it into your program directly.  If you are on a Unix system using
+the GNU C compiler (gcc), the following should work:
+
+% gcc -ansi -pedantic -Wall -O2 -c mpi.c
+
+The file 'mpi-config.h' defines several configurable parameters for
+the library, which you can adjust to suit your application.  At the
+time of this writing, the available options are:
+
+MP_IOFUNC       - Define true to include the mp_print() function, 
+                  which is moderately useful for debugging.  This
+                  implicitly includes <stdio.h>.
+
+MP_MODARITH     - Define true to include the modular arithmetic
+                  functions.  If you don't need modular arithmetic
+                  in your application, you can set this to zero to
+                  leave out all the modular routines.
+
+MP_NUMTH        - Define true to include number theoretic functions
+                  such as mp_gcd(), mp_lcm(), and mp_invmod().
+
+MP_LOGTAB       - If true, the file "logtab.h" is included, which
+                  is basically a static table of base 2 logarithms.
+                  These are used to compute how big the buffers for
+                  radix conversion need to be.  If you set this false,
+                  the library includes <math.h> and uses log().  This
+                  typically forces you to link against math libraries.
+
+MP_MEMSET       - If true, use memset() to zero buffers.  If you run
+                  into weird alignment related bugs, set this to zero
+                  and an explicit loop will be used.
+
+MP_MEMCPY       - If true, use memcpy() to copy buffers.  If you run
+                  into weird alignment bugs, set this to zero and an
+                  explicit loop will be used.
+
+MP_CRYPTO       - If true, whenever arrays of digits are free'd, they
+                  are zeroed first.  This is useful if you're using
+                  the library in a cryptographic environment; however,
+                  it does add overhead to each free operation.  For
+                  performance, if you don't care about zeroing your
+                  buffers, set this to false.
+
+MP_ARGCHK       - Set to 0, 1, or 2.  This defines how the argument
+                  checking macro, ARGCHK(), gets expanded.  If this 
+                  is set to zero, ARGCHK() expands to nothing; no 
+                  argument checks are performed.  If this is 1, the
+                  ARGCHK() macro expands to code that returns MP_BADARG
+                  or similar at runtime.  If it is 2, ARGCHK() expands 
+                  to an assert() call that aborts the program on a 
+                  bad input.
+
+MP_DEBUG        - Turns on debugging output.  This is probably not at
+                  all useful unless you are debugging the library.  It
+                  tends to spit out a LOT of output.
+
+MP_DEFPREC      - The default precision of a newly-created mp_int, in
+                  digits.  The precision can be changed at runtime by
+                  the mp_set_prec() function, but this is its initial
+                  value.
+
+MP_SQUARE       - If this is set to a nonzero value, the mp_sqr() 
+                  function will use an alternate algorithm that takes
+                  advantage of the redundant inner product computation
+                  when both multiplicands are identical.  Unfortunately,
+                  with some compilers this is actually SLOWER than just
+                  calling mp_mul() with the same argument twice.  So
+                  if you set MP_SQUARE to zero, mp_sqr() will be expan-
+                  ded into a call to mp_mul().  This applies to all 
+                  the uses of mp_sqr(), including mp_sqrmod() and the
+                  internal calls to s_mp_sqr() inside mpi.c
+
+                  The program 'mulsqr' (mulsqr.c) can be used to test
+                  which works best for your configuration.  Set up the
+                  CC and CFLAGS variables in the Makefile, then type:
+
+                        make mulsqr
+
+                  Invoke it with arguments similar to the following:
+
+                        mulsqr 25000 1024
+
+                  That is, 25000 products computed on 1024-bit values.
+                  The output will compare the two timings, and recommend
+                  a setting for MP_SQUARE.  It is off by default.
+
+If you would like to use the mp_print() function (see above), be sure
+to define MP_IOFUNC in mpi-config.h.  Many of the test drivers in the
+'tests' subdirectory expect this to be defined (although the test
+driver 'mpi-test' doesn't need it)
+
+The Makefile which comes with the library should take care of building
+the library for you, if you have set the CC and CFLAGS variables at
+the top of the file appropriately.  By default, they are set up to
+use the GNU C compiler:
+
+CC=gcc
+CFLAGS=-ansi -pedantic -Wall -O2
+
+If all goes well, the library should compile without warnings using
+this combination.  You should, of course, make whatever adjustments
+you find necessary.  
+
+The MPI library distribution comes with several additional programs
+which are intended to demonstrate the use of the library, and provide
+a framework for testing it.  There are a handful of test driver
+programs, in the files named 'mptest-X.c', where X is a digit.  Also,
+there are some simple command-line utilities (in the 'utils'
+directory) for manipulating large numbers.  These include:
+
+basecvt.c       A radix-conversion program, supporting bases from
+                2 to 64 inclusive.
+
+bbsrand.c       A BBS (quadratic residue) pseudo-random number 
+                generator.  The file 'bbsrand.c' is just the driver
+                for the program; the real code lives in the files
+                'bbs_rand.h' and 'bbs_rand.c'
+
+dec2hex.c       Converts decimal to hexadecimal
+
+gcd.c           Computes the greatest common divisor of two values.
+                If invoked as 'xgcd', also computes constants x and
+                y such that (a, b) = ax + by, in accordance with
+                Bezout's identity.
+
+hex2dec.c       Converts hexadecimal to decimal
+
+invmod.c        Computes modular inverses
+
+isprime.c       Performs the Rabin-Miller probabilistic primality
+                test on a number.  Values which fail this test are
+                definitely composite, and those which pass are very
+                likely to be prime (although there are no guarantees)
+
+lap.c           Computes the order (least annihilating power) of
+                a value v modulo m.  Very dumb algorithm.
+
+primegen.c      Generates large (probable) primes.
+
+prng.c          A pseudo-random number generator based on the
+                BBS generator code in 'bbs_rand.c'
+
+sieve.c         Implements the Sieve of Eratosthenes, using a big
+                bitmap, to generate a list of prime numbers.
+
+fact.c          Computes the factorial of an arbitrary precision
+                integer (iterative).
+
+exptmod.c       Computes arbitrary precision modular exponentiation
+                from the command line (exptmod a b m -> a^b (mod m))
+
+Most of these can be built from the Makefile that comes with the
+library.  Try 'make tools', if your environment supports it.  (If you
+are compiling on a Macintosh, I'm afraid you'll have to build them by
+hand -- fortunately, this is not difficult -- the library itself
+should compile just fine under Metrowerks CodeWarrior).
+
+
+Testing the Library
+-------------------
+
+Automatic test vectors are included, in the form of a program called
+'mpi-test'.  To build this program and run all the tests, simply
+invoke the shell script 'all-tests'.  If all the tests pass, you
+should see a message:
+
+        All tests passed
+
+If something went wrong, you'll get:
+
+        One or more tests failed.
+
+If this happens, scan back through the preceding lines, to see which
+test failed.  Any failure indicates a bug in the library, which needs
+to be fixed before it will give accurate results.  If you get any such
+thing, please let me know, and I'll try to fix it.  Please let me know
+what platform and compiler you were using, as well as which test
+failed.  If a reason for failure was given, please send me that text
+as well.
+
+If you're on a system such as the Macintosh, where the standard Unix
+build tools don't work, you can build the 'mpi-test' program manually,
+and run it by hand.  This is tedious and obnoxious, sorry.
+
+Further manual testing can be performed by building the manual testing
+programs, whose source is found in the 'tests' subdirectory.  Each
+test is in a source file called 'mptest-X.c'.  The Makefile contains a
+target to build all of them at once:
+
+        make tests
+
+Read the comments at the top of each source file to see what the
+driver is supposed to test.  You probably don't need to do this; these
+programs were only written to help me as I was developing the library.
+
+The relevant files are:
+
+mpi-test.c              The source for the test driver
+
+make-test-arrays        A Perl script to generate some of the internal
+                        data structures used by mpi-test.c
+
+test-arrays.txt         The source file for make-test-arrays
+
+all-tests               A Bourne shell script which runs all the
+                        tests in the mpi-test suite
+
+Running 'make mpi-test' should build the mpi-test program.  If you
+cannot use make, here is what needs to be done:
+
+(1) Use 'make-test-arrays' to generate the file 'test-info.c' from
+    the 'test-arrays.txt' file.  Since Perl can be found everywhere,
+    even on the Macintosh, this should be no trouble.  Under Unix, 
+    this looks like:
+
+        make-test-arrays test-arrays.txt > test-info.c
+
+(2) Build the MPI library:
+
+        gcc -ansi -pedantic -Wall -c mpi.c
+
+(3) Build the mpi-test program:
+
+        gcc -ansi -pedantic -Wall -o mpi-test mpi.o mpi-test.c
+
+When you've got mpi-test, you can use 'all-tests' to run all the tests
+made available by mpi-test.  If any of them fail, there should be a
+diagnostic indicating what went wrong.  These are fairly high-level
+diagnostics, and won't really help you debug the problem; they're
+simply intended to help you isolate which function caused the problem.
+If you encounter a problem of this sort, feel free to e-mail me, and I
+will certainly attempt to help you debug it.
+
+Note:   Several of the tests hard-wired into 'mpi-test' operate under
+----    the assumption that you are using at least a 16-bit mp_digit 
+        type.  If that is not true, several tests might fail, because 
+        of range problems with the maximum digit value.
+
+        If you are using an 8-bit digit, you will also need to 
+        modify the code for mp_read_raw(), which assumes that
+        multiplication by 256 can be done with mp_mul_d(), a
+        fact that fails when DIGIT_MAX is 255.  You can replace
+        the call with s_mp_lshd(), which will give you the same
+        effect, and without doing as much work. :)
+
+Acknowledgements:
+----------------
+
+The algorithms used in this library were drawn primarily from Volume
+2 of Donald Knuth's magnum opus, _The Art of Computer Programming_, 
+"Semi-Numerical Methods".  Barrett's algorithm for modular reduction
+came from Menezes, Oorschot, and Vanstone's _Handbook of Applied
+Cryptography_, Chapter 14.
+
+Thanks are due to Tom St. Denis, for finding an obnoxious sign-related
+bug in mp_read_raw() that made things break on platforms which use
+signed chars.
+
+About the Author
+----------------
+
+This software was written by Michael J. Fromberger.  You can contact
+the author as follows:
+
+E-mail:   <sting@linguist.dartmouth.edu>
+
+Postal:   8000 Cummings Hall, Thayer School of Engineering
+          Dartmouth College, Hanover, New Hampshire, USA
+
+PGP key:  http://linguist.dartmouth.edu/~sting/keys/mjf.html
+          9736 188B 5AFA 23D6 D6AA  BE0D 5856 4525 289D 9907
+
+Last updated:  16-Jan-2000
diff --git a/security/nss/lib/freebl/mpi/all-tests b/security/nss/lib/freebl/mpi/all-tests
new file mode 100755
index 000000000..fa60e95ed
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/all-tests
@@ -0,0 +1,112 @@
+#!/bin/sh
+## The contents of this file are subject to the Mozilla Public
+## License Version 1.1 (the "License"); you may not use this file
+## except in compliance with the License. You may obtain a copy of
+## the License at http://www.mozilla.org/MPL/
+##
+## Software distributed under the License is distributed on an "AS
+## IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+## implied. See the License for the specific language governing
+## rights and limitations under the License.
+##
+## The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+## library.
+##
+## The Initial Developer of the Original Code is 
+## Michael J. Fromberger <sting@linguist.dartmouth.edu>
+##
+## Portions created by Michael J. Fromberger are 
+## Copyright (C) 1997, 1998, 1999, 2000 Michael J. Fromberger. 
+## All Rights Reserved.
+##
+## Contributor(s):
+##
+## Alternatively, the contents of this file may be used under the
+## terms of the GNU General Public License Version 2 or later (the
+## "GPL"), in which case the provisions of the GPL are applicable
+## instead of those above.  If you wish to allow use of your
+## version of this file only under the terms of the GPL and not to
+## allow others to use your version of this file under the MPL,
+## indicate your decision by deleting the provisions above and
+## replace them with the notice and other provisions required by
+## the GPL.  If you do not delete the provisions above, a recipient
+## may use your version of this file under either the MPL or the GPL.
+
+ECHO=/bin/echo
+MAKE=gmake
+
+$ECHO "\n** Running unit tests for MPI library\n"
+
+# Build the mpi-test program, which comprises all the unit tests for
+# the MPI library...
+
+$ECHO "Bringing mpi-test up to date ... "
+if $MAKE mpi-test ; then
+  :
+else
+  $ECHO " "
+  $ECHO "Make failed to build mpi-test."
+  $ECHO " "
+  exit 1
+fi
+
+if [ ! -x mpi-test ] ; then
+  $ECHO " "
+  $ECHO "Cannot find 'mpi-test' program, testing cannot continue."
+  $ECHO " "
+  exit 1
+fi
+
+# Get the list of available test suites...
+tests=`mpi-test list | awk '{print $1}'`
+errs=0
+
+# Run each test suite and check the result code of mpi-test
+for test in $tests ; do
+  $ECHO "$test ... \c"
+  if mpi-test $test ; then
+    $ECHO "passed"
+  else
+    $ECHO "FAILED"
+    errs=1
+  fi
+done
+
+# If any tests failed, we'll stop at this point
+if [ "$errs" = "0" ] ; then
+  $ECHO "All unit tests passed"
+else
+  $ECHO "One or more tests failed"
+  exit 1
+fi
+
+# Now try to build the 'pi' program, and see if it can compute the
+# first thousand digits of pi correctly
+$ECHO "\n** Running other tests\n"
+
+$ECHO "Bringing 'pi' up to date ... "
+if $MAKE pi ; then
+    :
+else
+    $ECHO "\nMake failed to build pi.\n"
+    exit 1
+fi
+
+if [ ! -x pi ] ; then
+    $ECHO "\nCannot find 'pi' program; testing cannot continue.\n"
+    exit 1
+fi
+
+./pi 2000 > /tmp/pi.tmp.$$
+if cmp tests/pi2k.txt /tmp/pi.tmp.$$ ; then
+    $ECHO "Okay!  The pi test passes."
+else
+    $ECHO "Oops!  The pi test failed. :("
+    exit 1
+fi
+
+rm -f /tmp/pi.tmp.$$
+
+exit 0
+
+# Here there be dragons
diff --git a/security/nss/lib/freebl/mpi/doc/LICENSE b/security/nss/lib/freebl/mpi/doc/LICENSE
new file mode 100644
index 000000000..35cca68ce
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/LICENSE
@@ -0,0 +1,11 @@
+Within this directory, each of the file listed below is licensed under 
+the terms given in the file LICENSE-MPL, also in this directory.
+
+basecvt.pod
+gcd.pod
+invmod.pod
+isprime.pod
+lap.pod
+mpi-test.pod
+prime.txt
+prng.pod
diff --git a/security/nss/lib/freebl/mpi/doc/LICENSE-MPL b/security/nss/lib/freebl/mpi/doc/LICENSE-MPL
new file mode 100644
index 000000000..9ff410e4b
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/LICENSE-MPL
@@ -0,0 +1,32 @@
+The contents of this file are subject to the Mozilla Public
+License Version 1.1 (the "License"); you may not use this file
+except in compliance with the License. You may obtain a copy of
+the License at http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS
+IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+implied. See the License for the specific language governing
+rights and limitations under the License.
+
+The Original Code is the Netscape security libraries.
+
+The Initial Developer of the Original Code is Netscape
+Communications Corporation.  Portions created by Netscape are 
+Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the
+terms of the GNU General Public License Version 2 or later (the
+"GPL"), in which case the provisions of the GPL are applicable 
+instead of those above.  If you wish to allow use of your 
+version of this file only under the terms of the GPL and not to
+allow others to use your version of this file under the MPL,
+indicate your decision by deleting the provisions above and
+replace them with the notice and other provisions required by
+the GPL.  If you do not delete the provisions above, a recipient
+may use your version of this file under either the MPL or the
+GPL.
+
+
diff --git a/security/nss/lib/freebl/mpi/doc/basecvt.pod b/security/nss/lib/freebl/mpi/doc/basecvt.pod
new file mode 100644
index 000000000..5c072ccd6
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/basecvt.pod
@@ -0,0 +1,63 @@
+=head1 NAME
+
+ basecvt - radix conversion for arbitrary precision integers
+
+=head1 SYNOPSIS
+
+ basecvt <ibase> <obase> [values]
+
+=head1 DESCRIPTION
+
+The B<basecvt> program is a command-line tool for converting integers
+of arbitrary precision from one radix to another.  The current version
+supports radix values from 2 (binary) to 64, inclusive.  The first two
+command line arguments specify the input and output radix, in base 10.
+Any further arguments are taken to be integers notated in the input
+radix, and these are converted to the output radix.  The output is
+written, one integer per line, to standard output.
+
+When reading integers, only digits considered "valid" for the input
+radix are considered.  Processing of an integer terminates when an
+invalid input digit is encountered.  So, for example, if you set the
+input radix to 10 and enter '10ACF', B<basecvt> would assume that you
+had entered '10' and ignore the rest of the string.
+
+If no values are provided, no output is written, but the program
+simply terminates with a zero exit status.  Error diagnostics are
+written to standard error in the event of out-of-range radix
+specifications.  Regardless of the actual values of the input and
+output radix, the radix arguments are taken to be in base 10 (decimal)
+notation.
+
+=head1 DIGITS
+
+For radices from 2-10, standard ASCII decimal digits 0-9 are used for
+both input and output.  For radices from 11-36, the ASCII letters A-Z
+are also included, following the convention used in hexadecimal.  In
+this range, input is accepted in either upper or lower case, although
+on output only lower-case letters are used.
+
+For radices from 37-62, the output includes both upper- and lower-case
+ASCII letters, and case matters.  In this range, case is distinguished
+both for input and for output values.
+
+For radices 63 and 64, the characters '+' (plus) and '/' (forward
+solidus) are also used.  These are derived from the MIME base64
+encoding scheme.  The overall encoding is not the same as base64,
+because the ASCII digits are used for the bottom of the range, and the
+letters are shifted upward; however, the output will consist of the
+same character set.
+
+This input and output behaviour is inherited from the MPI library used
+by B<basecvt>, and so is not configurable at runtime.
+
+=head1 SEE ALSO
+
+ dec2hex(1), hex2dec(1)
+
+=head1 AUTHOR
+
+ Michael J. Fromberger <sting@linguist.dartmouth.edu>
+ Thayer School of Engineering, Hanover, New Hampshire, USA
+
+ $Date$
diff --git a/security/nss/lib/freebl/mpi/doc/build b/security/nss/lib/freebl/mpi/doc/build
new file mode 100755
index 000000000..5b6f921fc
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/build
@@ -0,0 +1,63 @@
+#!/bin/sh
+## The contents of this file are subject to the Mozilla Public
+## License Version 1.1 (the "License"); you may not use this file
+## except in compliance with the License. You may obtain a copy of
+## the License at http://www.mozilla.org/MPL/
+##
+## Software distributed under the License is distributed on an "AS
+## IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+## implied. See the License for the specific language governing
+## rights and limitations under the License.
+##
+## The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+## library.
+##
+## The Initial Developer of the Original Code is 
+## Michael J. Fromberger <sting@linguist.dartmouth.edu>
+##
+## Portions created by Michael J. Fromberger are 
+## Copyright (C) 1998, 2000 Michael J. Fromberger. All Rights Reserved.
+##
+## Contributor(s):
+##	Netscape Communications Corporation
+##
+## Alternatively, the contents of this file may be used under the
+## terms of the GNU General Public License Version 2 or later (the
+## "GPL"), in which case the provisions of the GPL are applicable
+## instead of those above.  If you wish to allow use of your
+## version of this file only under the terms of the GPL and not to
+## allow others to use your version of this file under the MPL,
+## indicate your decision by deleting the provisions above and
+## replace them with the notice and other provisions required by
+## the GPL.  If you do not delete the provisions above, a recipient
+## may use your version of this file under either the MPL or the
+## GPL.
+## 
+## $Id$
+##
+
+VERS="1.7p6"
+SECT="1"
+NAME="MPI Tools"
+
+echo "Building manual pages ..."
+case $# in
+  0)
+    files=`ls *.pod`
+    ;;
+  *)
+    files=$*
+    ;;
+esac
+
+for name in $files
+do
+   echo -n "$name ... "
+#  sname=`noext $name`
+   sname=`basename $name .pod`
+   pod2man --section="$SECT" --center="$NAME" --release="$VERS" $name > $sname.$SECT
+   echo "(done)"
+done
+
+echo "Finished building."
+
diff --git a/security/nss/lib/freebl/mpi/doc/div.txt b/security/nss/lib/freebl/mpi/doc/div.txt
new file mode 100644
index 000000000..b1ca744e1
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/div.txt
@@ -0,0 +1,96 @@
+Division
+
+This describes the division algorithm used by the MPI library.
+
+Input:    a, b; a > b
+Compute:  Q, R; a = Qb + R
+
+The input numbers are normalized so that the high-order digit of b is
+at least half the radix.  This guarantees that we have a reasonable
+way to guess at the digits of the quotient (this method was taken from
+Knuth, vol. 2, with adaptations).
+
+To normalize, test the high-order digit of b.  If it is less than half
+the radix, multiply both a and b by d, where:
+
+             radix - 1
+	d = -----------
+              bmax + 1
+
+...where bmax is the high-order digit of b.  Otherwise, set d = 1.
+
+Given normalize values for a and b, let the notation a[n] denote the
+nth digit of a.  Let #a be the number of significant figures of a (not
+including any leading zeroes).
+
+	Let R = 0
+	Let p = #a - 1
+
+	while(p >= 0)
+	  do
+	    R = (R * radix) + a[p]
+	    p = p - 1
+	  while(R < b and p >= 0)
+
+	  if(R < b)
+	    break
+
+	  q = (R[#R - 1] * radix) + R[#R - 2]
+	  q = q / b[#b - 1]
+
+	  T = b * q
+
+	  while(T > L)
+	    q = q - 1
+	    T = T - b
+	  endwhile
+
+	  L = L - T
+
+	  Q = (Q * radix) + q
+
+	endwhile
+
+At this point, Q is the quotient, and R is the normalized remainder.
+To denormalize R, compute:
+
+	R = (R / d)
+
+At this point, you are finished.
+
+------------------------------------------------------------------
+The contents of this file are subject to the Mozilla Public
+License Version 1.1 (the "License"); you may not use this file
+except in compliance with the License. You may obtain a copy of
+the License at http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS
+IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+implied. See the License for the specific language governing
+rights and limitations under the License.
+
+The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+library.
+
+The Initial Developer of the Original Code is 
+Michael J. Fromberger <sting@linguist.dartmouth.edu>
+
+Portions created by Michael J. Fromberger are 
+Copyright (C) 1998, 2000 Michael J. Fromberger. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the
+terms of the GNU General Public License Version 2 or later (the
+"GPL"), in which case the provisions of the GPL are applicable
+instead of those above.  If you wish to allow use of your
+version of this file only under the terms of the GPL and not to
+allow others to use your version of this file under the MPL,
+indicate your decision by deleting the provisions above and
+replace them with the notice and other provisions required by
+the GPL.  If you do not delete the provisions above, a recipient
+may use your version of this file under either the MPL or the GPL.
+
+$Id$
+
+
diff --git a/security/nss/lib/freebl/mpi/doc/expt.txt b/security/nss/lib/freebl/mpi/doc/expt.txt
new file mode 100644
index 000000000..4c12eb2af
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/expt.txt
@@ -0,0 +1,127 @@
+Exponentiation
+
+For exponentiation, the MPI library uses a simple and fairly standard
+square-and-multiply method.  The algorithm is this:
+
+Input:	a, b
+Output: a ** b
+
+	s = 1
+
+	while(b != 0)
+	  if(b is odd)
+	    s = s * a
+	  endif
+
+	  b = b / 2
+
+	  x = x * x
+	endwhile
+
+	return s
+
+The modular exponentiation is done the same way, except replacing:
+
+	s = s * a
+
+with
+	s = (s * a) mod m
+
+and replacing
+
+	x = x * x
+
+with
+
+	x = (x * x) mod m
+
+Here is a sample exponentiation using the MPI library, as compared to
+the same problem solved by the Unix 'bc' program on my system:
+
+Computation of 2,381,283 ** 235
+
+'bc' says:
+
+4385CA4A804D199FBEAD95FAD0796FAD0D0B51FC9C16743C45568C789666985DB719\
+4D90E393522F74C9601262C0514145A49F3B53D00983F95FDFCEA3D0043ECEF6227E\
+6FB59C924C3EE74447B359B5BF12A555D46CB819809EF423F004B55C587D6F0E8A55\
+4988036A42ACEF9F71459F97CEF6E574BD7373657111648626B1FF8EE15F663B2C0E\
+6BBE5082D4CDE8E14F263635AE8F35DB2C280819517BE388B5573B84C5A19C871685\
+FD408A6471F9D6AFAF5129A7548EAE926B40874B340285F44765BF5468CE20A13267\
+CD88CE6BC786ACED36EC7EA50F67FF27622575319068A332C3C0CB23E26FB55E26F4\
+5F732753A52B8E2FB4D4F42D894242613CA912A25486C3DEC9C66E5DB6182F6C1761\
+CF8CD0D255BE64B93836B27D452AE38F950EB98B517D4CF50D48F0165EF0CCCE1F5C\
+49BF18219FDBA0EEDD1A7E8B187B70C2BAED5EC5C6821EF27FAFB1CFF70111C52235\
+5E948B93A015AA1AE152B110BB5658CB14D3E45A48BFE7F082C1182672A455A695CD\
+A1855E8781E625F25B41B516E77F589FA420C3B058861EA138CF7A2C58DB3C7504FD\
+D29554D78237834CC5AE710D403CC4F6973D5012B7E117A8976B14A0B5AFA889BD47\
+92C461F0F96116F00A97AE9E83DC5203680CAF9A18A062566C145650AB86BE4F907F\
+A9F7AB4A700B29E1E5BACCD6DCBFA513E10832815F710807EED2E279081FEC61D619\
+AB270BEB3D3A1787B35A9DD41A8766CF21F3B5C693B3BAB1C2FA14A4ED202BC35743\
+E5CBE2391624D4F8C9BFBBC78D69764E7C6C5B11BF005677BFAD17D9278FFC1F158F\
+1B3683FF7960FA0608103792C4163DC0AF3E06287BB8624F8FE3A0FFBDF82ACECA2F\
+CFFF2E1AC93F3CA264A1B
+
+MPI says:
+
+4385CA4A804D199FBEAD95FAD0796FAD0D0B51FC9C16743C45568C789666985DB719\
+4D90E393522F74C9601262C0514145A49F3B53D00983F95FDFCEA3D0043ECEF6227E\
+6FB59C924C3EE74447B359B5BF12A555D46CB819809EF423F004B55C587D6F0E8A55\
+4988036A42ACEF9F71459F97CEF6E574BD7373657111648626B1FF8EE15F663B2C0E\
+6BBE5082D4CDE8E14F263635AE8F35DB2C280819517BE388B5573B84C5A19C871685\
+FD408A6471F9D6AFAF5129A7548EAE926B40874B340285F44765BF5468CE20A13267\
+CD88CE6BC786ACED36EC7EA50F67FF27622575319068A332C3C0CB23E26FB55E26F4\
+5F732753A52B8E2FB4D4F42D894242613CA912A25486C3DEC9C66E5DB6182F6C1761\
+CF8CD0D255BE64B93836B27D452AE38F950EB98B517D4CF50D48F0165EF0CCCE1F5C\
+49BF18219FDBA0EEDD1A7E8B187B70C2BAED5EC5C6821EF27FAFB1CFF70111C52235\
+5E948B93A015AA1AE152B110BB5658CB14D3E45A48BFE7F082C1182672A455A695CD\
+A1855E8781E625F25B41B516E77F589FA420C3B058861EA138CF7A2C58DB3C7504FD\
+D29554D78237834CC5AE710D403CC4F6973D5012B7E117A8976B14A0B5AFA889BD47\
+92C461F0F96116F00A97AE9E83DC5203680CAF9A18A062566C145650AB86BE4F907F\
+A9F7AB4A700B29E1E5BACCD6DCBFA513E10832815F710807EED2E279081FEC61D619\
+AB270BEB3D3A1787B35A9DD41A8766CF21F3B5C693B3BAB1C2FA14A4ED202BC35743\
+E5CBE2391624D4F8C9BFBBC78D69764E7C6C5B11BF005677BFAD17D9278FFC1F158F\
+1B3683FF7960FA0608103792C4163DC0AF3E06287BB8624F8FE3A0FFBDF82ACECA2F\
+CFFF2E1AC93F3CA264A1B
+
+Diff says:
+% diff bc.txt mp.txt
+%
+
+------------------------------------------------------------------
+The contents of this file are subject to the Mozilla Public
+License Version 1.1 (the "License"); you may not use this file
+except in compliance with the License. You may obtain a copy of
+the License at http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS
+IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+implied. See the License for the specific language governing
+rights and limitations under the License.
+
+The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+library.
+
+The Initial Developer of the Original Code is 
+Michael J. Fromberger <sting@linguist.dartmouth.edu>
+
+Portions created by Michael J. Fromberger are 
+Copyright (C) 1998, 2000 Michael J. Fromberger. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the
+terms of the GNU General Public License Version 2 or later (the
+"GPL"), in which case the provisions of the GPL are applicable
+instead of those above.  If you wish to allow use of your
+version of this file only under the terms of the GPL and not to
+allow others to use your version of this file under the MPL,
+indicate your decision by deleting the provisions above and
+replace them with the notice and other provisions required by
+the GPL.  If you do not delete the provisions above, a recipient
+may use your version of this file under either the MPL or the GPL.
+
+$Id$
+
+
+
diff --git a/security/nss/lib/freebl/mpi/doc/gcd.pod b/security/nss/lib/freebl/mpi/doc/gcd.pod
new file mode 100644
index 000000000..53b955f7e
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/gcd.pod
@@ -0,0 +1,27 @@
+=head1 NAME
+
+ gcd - compute greatest common divisor of two integers
+
+=head1 SYNOPSIS
+
+ gcd <a> <b>
+
+=head1 DESCRIPTION
+
+The B<gcd> program computes the greatest common divisor of two
+arbitrary-precision integers I<a> and I<b>.  The result is written in
+standard decimal notation to the standard output.
+
+If I<b> is zero, B<gcd> will print an error message and exit.
+
+=head1 SEE ALSO
+
+invmod(1), isprime(1), lap(1)
+
+=head1 AUTHOR
+
+ Michael J. Fromberger <sting@linguist.dartmouth.edu>
+ Thayer School of Engineering, Hanover, New Hampshire, USA
+ 
+ $Date$
+
diff --git a/security/nss/lib/freebl/mpi/doc/invmod.pod b/security/nss/lib/freebl/mpi/doc/invmod.pod
new file mode 100644
index 000000000..faa8f9d0c
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/invmod.pod
@@ -0,0 +1,33 @@
+=head1 NAME
+
+ invmod - compute modular inverse of an integer
+
+=head1 SYNOPSIS
+
+ invmod <a> <m>
+
+=head1 DESCRIPTION
+
+The B<invmod> program computes the inverse of I<a>, modulo I<m>, if
+that inverse exists.  Both I<a> and I<m> are arbitrary-precision
+integers in decimal notation.  The result is written in standard
+decimal notation to the standard output.
+
+If there is no inverse, the message:
+
+ No inverse
+
+...will be printed to the standard output (an inverse exists if and
+only if the greatest common divisor of I<a> and I<m> is 1).
+
+=head1 SEE ALSO
+
+gcd(1), isprime(1), lap(1)
+
+=head1 AUTHOR
+
+ Michael J. Fromberger <sting@linguist.dartmouth.edu>
+ Thayer School of Engineering, Hanover, New Hampshire, USA
+ 
+ $Date$
+
diff --git a/security/nss/lib/freebl/mpi/doc/isprime.pod b/security/nss/lib/freebl/mpi/doc/isprime.pod
new file mode 100644
index 000000000..a17c1c1bd
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/isprime.pod
@@ -0,0 +1,62 @@
+=head1 NAME
+
+ isprime - probabilistic primality testing
+
+=head1 SYNOPSIS
+
+ isprime <a>
+
+=head1 DESCRIPTION
+
+The B<isprime> program attempts to determine whether the arbitrary
+precision integer I<a> is prime.  It first tests I<a> for divisibility
+by the first 170 or so small primes, and assuming I<a> is not
+divisible by any of these, applies 15 iterations of the Rabin-Miller
+probabilistic primality test.
+
+If the program discovers that the number is composite, it will print:
+
+ Not prime (reason)
+
+Where I<reason> is either:
+
+	divisible by small prime x
+
+Or:
+
+	failed nth pseudoprime test
+
+In the first case, I<x> indicates the first small prime factor that
+was found.  In the second case, I<n> indicates which of the
+pseudoprime tests failed (numbered from 1)
+
+If this happens, the number is definitely not prime.  However, if the
+number succeeds, this message results:
+
+ Probably prime, 1 in 4^15 chance of false positive
+
+If this happens, the number is prime with very high probability, but
+its primality has not been absolutely proven, only demonstrated to a
+very convincing degree.
+
+The value I<a> can be input in standard decimal notation, or, if it is
+prefixed with I<Ox>, it will be read as hexadecimal.
+
+=head1 ENVIRONMENT
+
+You can control how many iterations of Rabin-Miller are performed on
+the candidate number by setting the I<RM_TESTS> environment variable
+to an integer value before starting up B<isprime>.  This will change
+the output slightly if the number passes all the tests.
+
+=head1 SEE ALSO
+
+gcd(1), invmod(1), lap(1)
+
+=head1 AUTHOR
+
+ Michael J. Fromberger <sting@linguist.dartmouth.edu>
+ Thayer School of Engineering, Hanover, New Hampshire, USA
+ 
+ $Date$
+
diff --git a/security/nss/lib/freebl/mpi/doc/lap.pod b/security/nss/lib/freebl/mpi/doc/lap.pod
new file mode 100644
index 000000000..ac100639b
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/lap.pod
@@ -0,0 +1,35 @@
+=head1 NAME
+
+ lap - compute least annihilating power of a number
+
+=head1 SYNOPSIS
+
+ lap <a> <m>
+
+=head1 DESCRIPTION
+
+The B<lap> program computes the order of I<a> modulo I<m>, for
+arbitrary precision integers I<a> and I<m>.  The B<order> of I<a>
+modulo I<m> is defined as the smallest positive value I<n> for which
+I<a> raised to the I<n>th power, modulo I<m>, is equal to 1.  The
+order may not exist, if I<m> is composite.
+
+=head1 RESTRICTIONS
+
+This program is very slow, especially for large moduli.  It is
+intended as a way to help find primitive elements in a modular field,
+but it does not do so in a particularly inefficient manner.  It was
+written simply to help verify that a particular candidate does not
+have an obviously short cycle mod I<m>.
+
+=head1 SEE ALSO
+
+gcd(1), invmod(1), isprime(1)
+
+=head1 AUTHOR
+
+ Michael J. Fromberger <sting@linguist.dartmouth.edu>
+ Thayer School of Engineering, Hanover, New Hampshire, USA
+ 
+ $Date$
+
diff --git a/security/nss/lib/freebl/mpi/doc/mpi-test.pod b/security/nss/lib/freebl/mpi/doc/mpi-test.pod
new file mode 100644
index 000000000..16050f09f
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/mpi-test.pod
@@ -0,0 +1,49 @@
+=head1 NAME
+
+ mpi-test - automated test program for MPI library
+
+=head1 SYNOPSIS
+
+ mpi-test <suite-name> [quiet]
+ mpi-test list
+ mpi-test help
+
+=head1 DESCRIPTION
+
+The B<mpi-test> program is a general unit test driver for the MPI
+library.  It is used to verify that the library works as it is
+supposed to on your architecture.  As with most such things, passing
+all the tests in B<mpi-test> does not guarantee the code is correct,
+but if any of them fail, there are certainly problems.
+
+Each major function of the library can be tested individually.  For a
+list of the test suites understood by B<mpi-test>, run it with the
+I<list> command line option:
+
+ mpi-test list
+
+This will display a list of the available test suites and a brief
+synopsis of what each one does.  For a brief overview of this
+document, run B<mpi-test> I<help>.
+
+B<mpi-test> exits with a zero status if the selected test succeeds, or
+a nonzero status if it fails.  If a I<suite-name> which is not
+understood by B<mpi-test> is given, a diagnostic is printed to the
+standard error, and the program exits with a result code of 2.  If a
+test fails, the result code will be 1, and a diagnostic is ordinarily
+printed to the standard error.  However, if the I<quiet> option is
+provided, these diagnostics will be suppressed.
+
+=head1 RESTRICTIONS
+
+Only a few canned test cases are provided.  The solutions have been
+verified using the GNU bc(1) program, so bugs there may cause problems
+here; however, this is very unlikely, so if a test fails, it is almost
+certainly my fault, not bc(1)'s.
+
+=head1 AUTHOR
+
+ Michael J. Fromberger <sting@linguist.dartmouth.edu>
+ Thayer School of Engineering, Hanover, New Hampshire, USA
+ 
+ $Date$
diff --git a/security/nss/lib/freebl/mpi/doc/mul.txt b/security/nss/lib/freebl/mpi/doc/mul.txt
new file mode 100644
index 000000000..436d01bf7
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/mul.txt
@@ -0,0 +1,109 @@
+Multiplication
+
+This describes the multiplication algorithm used by the MPI library.
+
+This is basically a standard "schoolbook" algorithm.  It is slow --
+O(mn) for m = #a, n = #b -- but easy to implement and verify.
+Basically, we run two nested loops, as illustrated here (R is the
+radix):
+
+k = 0
+for j <- 0 to (#b - 1)
+  for i <- 0 to (#a - 1)
+    w = (a[j] * b[i]) + k + c[i+j]
+    c[i+j] = w mod R
+    k = w div R
+  endfor
+  c[i+j] = k;
+  k = 0;
+endfor
+
+It is necessary that 'w' have room for at least two radix R digits.
+The product of any two digits in radix R is at most:
+
+	(R - 1)(R - 1) = R^2 - 2R + 1
+
+Since a two-digit radix-R number can hold R^2 - 1 distinct values,
+this insures that the product will fit into the two-digit register.
+
+To insure that two digits is enough for w, we must also show that
+there is room for the carry-in from the previous multiplication, and
+the current value of the product digit that is being recomputed.
+Assuming each of these may be as big as R - 1 (and no larger,
+certainly), two digits will be enough if and only if:
+
+	(R^2 - 2R + 1) + 2(R - 1) <= R^2 - 1
+
+Solving this equation shows that, indeed, this is the case:
+
+	R^2 - 2R + 1 + 2R - 2 <= R^2 - 1
+
+	R^2 - 1 <= R^2 - 1
+
+This suggests that a good radix would be one more than the largest
+value that can be held in half a machine word -- so, for example, as
+in this implementation, where we used a radix of 65536 on a machine
+with 4-byte words.  Another advantage of a radix of this sort is that
+binary-level operations are easy on numbers in this representation.
+
+Here's an example multiplication worked out longhand in radix-10,
+using the above algorithm:
+
+   a =     999
+   b =   x 999
+  -------------
+   p =   98001
+
+w = (a[jx] * b[ix]) + kin + c[ix + jx]
+c[ix+jx] = w % RADIX
+k = w / RADIX
+                                                               product
+ix	jx	a[jx]	b[ix]	kin	w	c[i+j]	kout	000000
+0	0	9	9	0	81+0+0	1	8	000001
+0	1	9	9	8	81+8+0	9	8	000091
+0	2	9	9	8	81+8+0	9	8	000991
+				8			0	008991
+1	0	9	9	0	81+0+9	0	9	008901
+1	1	9	9	9	81+9+9	9	9	008901
+1	2	9	9	9	81+9+8	8	9	008901
+				9			0	098901
+2	0	9	9	0	81+0+9	0	9	098001
+2	1	9	9	9	81+9+8	8	9	098001
+2	2	9	9	9	81+9+9	9	9	098001
+
+------------------------------------------------------------------
+The contents of this file are subject to the Mozilla Public
+License Version 1.1 (the "License"); you may not use this file
+except in compliance with the License. You may obtain a copy of
+the License at http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS
+IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+implied. See the License for the specific language governing
+rights and limitations under the License.
+
+The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+library.
+
+The Initial Developer of the Original Code is 
+Michael J. Fromberger <sting@linguist.dartmouth.edu>
+
+Portions created by Michael J. Fromberger are 
+Copyright (C) 1998, 2000 Michael J. Fromberger. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the
+terms of the GNU General Public License Version 2 or later (the
+"GPL"), in which case the provisions of the GPL are applicable
+instead of those above.  If you wish to allow use of your
+version of this file only under the terms of the GPL and not to
+allow others to use your version of this file under the MPL,
+indicate your decision by deleting the provisions above and
+replace them with the notice and other provisions required by
+the GPL.  If you do not delete the provisions above, a recipient
+may use your version of this file under either the MPL or the GPL.
+
+$Id$
+
+
diff --git a/security/nss/lib/freebl/mpi/doc/pi.txt b/security/nss/lib/freebl/mpi/doc/pi.txt
new file mode 100644
index 000000000..5edfdb4cb
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/pi.txt
@@ -0,0 +1,85 @@
+This file describes how pi is computed by the program in 'pi.c' (see
+the utils subdirectory).
+
+Basically, we use Machin's formula, which is what everyone in the
+world uses as a simple method for computing approximations to pi.
+This works for up to a few thousand digits without too much effort.
+Beyond that, though, it gets too slow.
+
+Machin's formula states:
+
+	 pi := 16 * arctan(1/5) - 4 * arctan(1/239)
+
+We compute this in integer arithmetic by first multiplying everything
+through by 10^d, where 'd' is the number of digits of pi we wanted to
+compute.  It turns out, the last few digits will be wrong, but the
+number that are wrong is usually very small (ordinarly only 2-3).
+Having done this, we compute the arctan() function using the formula:
+
+                       1      1       1       1       1     
+       arctan(1/x) := --- - ----- + ----- - ----- + ----- - ...
+                       x    3 x^3   5 x^5   7 x^7   9 x^9
+
+This is done iteratively by computing the first term manually, and
+then iteratively dividing x^2 and k, where k = 3, 5, 7, ... out of the
+current figure.  This is then added to (or subtracted from) a running
+sum, as appropriate.  The iteration continues until we overflow our
+available precision and the current figure goes to zero under integer
+division.  At that point, we're finished.
+
+Actually, we get a couple extra bits of precision out of the fact that
+we know we're computing y * arctan(1/x), by setting up the multiplier
+as:
+
+      y * 10^d
+
+... instead of just 10^d.  There is also a bit of cleverness in how
+the loop is constructed, to avoid special-casing the first term.
+Check out the code for arctan() in 'pi.c', if you are interested in
+seeing how it is set up.
+
+Thanks to Jason P. for this algorithm, which I assembled from notes
+and programs found on his cool "Pile of Pi Programs" page, at:
+
+      http://www.isr.umd.edu/~jasonp/pipage.html
+
+Thanks also to Henrik Johansson <Henrik.Johansson@Nexus.Comm.SE>, from
+whose pi program I borrowed the clever idea of pre-multiplying by x in
+order to avoid a special case on the loop iteration.
+
+------------------------------------------------------------------
+The contents of this file are subject to the Mozilla Public
+License Version 1.1 (the "License"); you may not use this file
+except in compliance with the License. You may obtain a copy of
+the License at http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS
+IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+implied. See the License for the specific language governing
+rights and limitations under the License.
+
+The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+library.
+
+The Initial Developer of the Original Code is 
+Michael J. Fromberger <sting@linguist.dartmouth.edu>
+
+Portions created by Michael J. Fromberger are 
+Copyright (C) 1998, 2000 Michael J. Fromberger. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the
+terms of the GNU General Public License Version 2 or later (the
+"GPL"), in which case the provisions of the GPL are applicable
+instead of those above.  If you wish to allow use of your
+version of this file only under the terms of the GPL and not to
+allow others to use your version of this file under the MPL,
+indicate your decision by deleting the provisions above and
+replace them with the notice and other provisions required by
+the GPL.  If you do not delete the provisions above, a recipient
+may use your version of this file under either the MPL or the GPL.
+
+$Id$
+
+
diff --git a/security/nss/lib/freebl/mpi/doc/prime.txt b/security/nss/lib/freebl/mpi/doc/prime.txt
new file mode 100644
index 000000000..694797d5f
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/prime.txt
@@ -0,0 +1,6542 @@
+2
+3
+5
+7
+11
+13
+17
+19
+23
+29
+31
+37
+41
+43
+47
+53
+59
+61
+67
+71
+73
+79
+83
+89
+97
+101
+103
+107
+109
+113
+127
+131
+137
+139
+149
+151
+157
+163
+167
+173
+179
+181
+191
+193
+197
+199
+211
+223
+227
+229
+233
+239
+241
+251
+257
+263
+269
+271
+277
+281
+283
+293
+307
+311
+313
+317
+331
+337
+347
+349
+353
+359
+367
+373
+379
+383
+389
+397
+401
+409
+419
+421
+431
+433
+439
+443
+449
+457
+461
+463
+467
+479
+487
+491
+499
+503
+509
+521
+523
+541
+547
+557
+563
+569
+571
+577
+587
+593
+599
+601
+607
+613
+617
+619
+631
+641
+643
+647
+653
+659
+661
+673
+677
+683
+691
+701
+709
+719
+727
+733
+739
+743
+751
+757
+761
+769
+773
+787
+797
+809
+811
+821
+823
+827
+829
+839
+853
+857
+859
+863
+877
+881
+883
+887
+907
+911
+919
+929
+937
+941
+947
+953
+967
+971
+977
+983
+991
+997
+1009
+1013
+1019
+1021
+1031
+1033
+1039
+1049
+1051
+1061
+1063
+1069
+1087
+1091
+1093
+1097
+1103
+1109
+1117
+1123
+1129
+1151
+1153
+1163
+1171
+1181
+1187
+1193
+1201
+1213
+1217
+1223
+1229
+1231
+1237
+1249
+1259
+1277
+1279
+1283
+1289
+1291
+1297
+1301
+1303
+1307
+1319
+1321
+1327
+1361
+1367
+1373
+1381
+1399
+1409
+1423
+1427
+1429
+1433
+1439
+1447
+1451
+1453
+1459
+1471
+1481
+1483
+1487
+1489
+1493
+1499
+1511
+1523
+1531
+1543
+1549
+1553
+1559
+1567
+1571
+1579
+1583
+1597
+1601
+1607
+1609
+1613
+1619
+1621
+1627
+1637
+1657
+1663
+1667
+1669
+1693
+1697
+1699
+1709
+1721
+1723
+1733
+1741
+1747
+1753
+1759
+1777
+1783
+1787
+1789
+1801
+1811
+1823
+1831
+1847
+1861
+1867
+1871
+1873
+1877
+1879
+1889
+1901
+1907
+1913
+1931
+1933
+1949
+1951
+1973
+1979
+1987
+1993
+1997
+1999
+2003
+2011
+2017
+2027
+2029
+2039
+2053
+2063
+2069
+2081
+2083
+2087
+2089
+2099
+2111
+2113
+2129
+2131
+2137
+2141
+2143
+2153
+2161
+2179
+2203
+2207
+2213
+2221
+2237
+2239
+2243
+2251
+2267
+2269
+2273
+2281
+2287
+2293
+2297
+2309
+2311
+2333
+2339
+2341
+2347
+2351
+2357
+2371
+2377
+2381
+2383
+2389
+2393
+2399
+2411
+2417
+2423
+2437
+2441
+2447
+2459
+2467
+2473
+2477
+2503
+2521
+2531
+2539
+2543
+2549
+2551
+2557
+2579
+2591
+2593
+2609
+2617
+2621
+2633
+2647
+2657
+2659
+2663
+2671
+2677
+2683
+2687
+2689
+2693
+2699
+2707
+2711
+2713
+2719
+2729
+2731
+2741
+2749
+2753
+2767
+2777
+2789
+2791
+2797
+2801
+2803
+2819
+2833
+2837
+2843
+2851
+2857
+2861
+2879
+2887
+2897
+2903
+2909
+2917
+2927
+2939
+2953
+2957
+2963
+2969
+2971
+2999
+3001
+3011
+3019
+3023
+3037
+3041
+3049
+3061
+3067
+3079
+3083
+3089
+3109
+3119
+3121
+3137
+3163
+3167
+3169
+3181
+3187
+3191
+3203
+3209
+3217
+3221
+3229
+3251
+3253
+3257
+3259
+3271
+3299
+3301
+3307
+3313
+3319
+3323
+3329
+3331
+3343
+3347
+3359
+3361
+3371
+3373
+3389
+3391
+3407
+3413
+3433
+3449
+3457
+3461
+3463
+3467
+3469
+3491
+3499
+3511
+3517
+3527
+3529
+3533
+3539
+3541
+3547
+3557
+3559
+3571
+3581
+3583
+3593
+3607
+3613
+3617
+3623
+3631
+3637
+3643
+3659
+3671
+3673
+3677
+3691
+3697
+3701
+3709
+3719
+3727
+3733
+3739
+3761
+3767
+3769
+3779
+3793
+3797
+3803
+3821
+3823
+3833
+3847
+3851
+3853
+3863
+3877
+3881
+3889
+3907
+3911
+3917
+3919
+3923
+3929
+3931
+3943
+3947
+3967
+3989
+4001
+4003
+4007
+4013
+4019
+4021
+4027
+4049
+4051
+4057
+4073
+4079
+4091
+4093
+4099
+4111
+4127
+4129
+4133
+4139
+4153
+4157
+4159
+4177
+4201
+4211
+4217
+4219
+4229
+4231
+4241
+4243
+4253
+4259
+4261
+4271
+4273
+4283
+4289
+4297
+4327
+4337
+4339
+4349
+4357
+4363
+4373
+4391
+4397
+4409
+4421
+4423
+4441
+4447
+4451
+4457
+4463
+4481
+4483
+4493
+4507
+4513
+4517
+4519
+4523
+4547
+4549
+4561
+4567
+4583
+4591
+4597
+4603
+4621
+4637
+4639
+4643
+4649
+4651
+4657
+4663
+4673
+4679
+4691
+4703
+4721
+4723
+4729
+4733
+4751
+4759
+4783
+4787
+4789
+4793
+4799
+4801
+4813
+4817
+4831
+4861
+4871
+4877
+4889
+4903
+4909
+4919
+4931
+4933
+4937
+4943
+4951
+4957
+4967
+4969
+4973
+4987
+4993
+4999
+5003
+5009
+5011
+5021
+5023
+5039
+5051
+5059
+5077
+5081
+5087
+5099
+5101
+5107
+5113
+5119
+5147
+5153
+5167
+5171
+5179
+5189
+5197
+5209
+5227
+5231
+5233
+5237
+5261
+5273
+5279
+5281
+5297
+5303
+5309
+5323
+5333
+5347
+5351
+5381
+5387
+5393
+5399
+5407
+5413
+5417
+5419
+5431
+5437
+5441
+5443
+5449
+5471
+5477
+5479
+5483
+5501
+5503
+5507
+5519
+5521
+5527
+5531
+5557
+5563
+5569
+5573
+5581
+5591
+5623
+5639
+5641
+5647
+5651
+5653
+5657
+5659
+5669
+5683
+5689
+5693
+5701
+5711
+5717
+5737
+5741
+5743
+5749
+5779
+5783
+5791
+5801
+5807
+5813
+5821
+5827
+5839
+5843
+5849
+5851
+5857
+5861
+5867
+5869
+5879
+5881
+5897
+5903
+5923
+5927
+5939
+5953
+5981
+5987
+6007
+6011
+6029
+6037
+6043
+6047
+6053
+6067
+6073
+6079
+6089
+6091
+6101
+6113
+6121
+6131
+6133
+6143
+6151
+6163
+6173
+6197
+6199
+6203
+6211
+6217
+6221
+6229
+6247
+6257
+6263
+6269
+6271
+6277
+6287
+6299
+6301
+6311
+6317
+6323
+6329
+6337
+6343
+6353
+6359
+6361
+6367
+6373
+6379
+6389
+6397
+6421
+6427
+6449
+6451
+6469
+6473
+6481
+6491
+6521
+6529
+6547
+6551
+6553
+6563
+6569
+6571
+6577
+6581
+6599
+6607
+6619
+6637
+6653
+6659
+6661
+6673
+6679
+6689
+6691
+6701
+6703
+6709
+6719
+6733
+6737
+6761
+6763
+6779
+6781
+6791
+6793
+6803
+6823
+6827
+6829
+6833
+6841
+6857
+6863
+6869
+6871
+6883
+6899
+6907
+6911
+6917
+6947
+6949
+6959
+6961
+6967
+6971
+6977
+6983
+6991
+6997
+7001
+7013
+7019
+7027
+7039
+7043
+7057
+7069
+7079
+7103
+7109
+7121
+7127
+7129
+7151
+7159
+7177
+7187
+7193
+7207
+7211
+7213
+7219
+7229
+7237
+7243
+7247
+7253
+7283
+7297
+7307
+7309
+7321
+7331
+7333
+7349
+7351
+7369
+7393
+7411
+7417
+7433
+7451
+7457
+7459
+7477
+7481
+7487
+7489
+7499
+7507
+7517
+7523
+7529
+7537
+7541
+7547
+7549
+7559
+7561
+7573
+7577
+7583
+7589
+7591
+7603
+7607
+7621
+7639
+7643
+7649
+7669
+7673
+7681
+7687
+7691
+7699
+7703
+7717
+7723
+7727
+7741
+7753
+7757
+7759
+7789
+7793
+7817
+7823
+7829
+7841
+7853
+7867
+7873
+7877
+7879
+7883
+7901
+7907
+7919
+7927
+7933
+7937
+7949
+7951
+7963
+7993
+8009
+8011
+8017
+8039
+8053
+8059
+8069
+8081
+8087
+8089
+8093
+8101
+8111
+8117
+8123
+8147
+8161
+8167
+8171
+8179
+8191
+8209
+8219
+8221
+8231
+8233
+8237
+8243
+8263
+8269
+8273
+8287
+8291
+8293
+8297
+8311
+8317
+8329
+8353
+8363
+8369
+8377
+8387
+8389
+8419
+8423
+8429
+8431
+8443
+8447
+8461
+8467
+8501
+8513
+8521
+8527
+8537
+8539
+8543
+8563
+8573
+8581
+8597
+8599
+8609
+8623
+8627
+8629
+8641
+8647
+8663
+8669
+8677
+8681
+8689
+8693
+8699
+8707
+8713
+8719
+8731
+8737
+8741
+8747
+8753
+8761
+8779
+8783
+8803
+8807
+8819
+8821
+8831
+8837
+8839
+8849
+8861
+8863
+8867
+8887
+8893
+8923
+8929
+8933
+8941
+8951
+8963
+8969
+8971
+8999
+9001
+9007
+9011
+9013
+9029
+9041
+9043
+9049
+9059
+9067
+9091
+9103
+9109
+9127
+9133
+9137
+9151
+9157
+9161
+9173
+9181
+9187
+9199
+9203
+9209
+9221
+9227
+9239
+9241
+9257
+9277
+9281
+9283
+9293
+9311
+9319
+9323
+9337
+9341
+9343
+9349
+9371
+9377
+9391
+9397
+9403
+9413
+9419
+9421
+9431
+9433
+9437
+9439
+9461
+9463
+9467
+9473
+9479
+9491
+9497
+9511
+9521
+9533
+9539
+9547
+9551
+9587
+9601
+9613
+9619
+9623
+9629
+9631
+9643
+9649
+9661
+9677
+9679
+9689
+9697
+9719
+9721
+9733
+9739
+9743
+9749
+9767
+9769
+9781
+9787
+9791
+9803
+9811
+9817
+9829
+9833
+9839
+9851
+9857
+9859
+9871
+9883
+9887
+9901
+9907
+9923
+9929
+9931
+9941
+9949
+9967
+9973
+10007
+10009
+10037
+10039
+10061
+10067
+10069
+10079
+10091
+10093
+10099
+10103
+10111
+10133
+10139
+10141
+10151
+10159
+10163
+10169
+10177
+10181
+10193
+10211
+10223
+10243
+10247
+10253
+10259
+10267
+10271
+10273
+10289
+10301
+10303
+10313
+10321
+10331
+10333
+10337
+10343
+10357
+10369
+10391
+10399
+10427
+10429
+10433
+10453
+10457
+10459
+10463
+10477
+10487
+10499
+10501
+10513
+10529
+10531
+10559
+10567
+10589
+10597
+10601
+10607
+10613
+10627
+10631
+10639
+10651
+10657
+10663
+10667
+10687
+10691
+10709
+10711
+10723
+10729
+10733
+10739
+10753
+10771
+10781
+10789
+10799
+10831
+10837
+10847
+10853
+10859
+10861
+10867
+10883
+10889
+10891
+10903
+10909
+10937
+10939
+10949
+10957
+10973
+10979
+10987
+10993
+11003
+11027
+11047
+11057
+11059
+11069
+11071
+11083
+11087
+11093
+11113
+11117
+11119
+11131
+11149
+11159
+11161
+11171
+11173
+11177
+11197
+11213
+11239
+11243
+11251
+11257
+11261
+11273
+11279
+11287
+11299
+11311
+11317
+11321
+11329
+11351
+11353
+11369
+11383
+11393
+11399
+11411
+11423
+11437
+11443
+11447
+11467
+11471
+11483
+11489
+11491
+11497
+11503
+11519
+11527
+11549
+11551
+11579
+11587
+11593
+11597
+11617
+11621
+11633
+11657
+11677
+11681
+11689
+11699
+11701
+11717
+11719
+11731
+11743
+11777
+11779
+11783
+11789
+11801
+11807
+11813
+11821
+11827
+11831
+11833
+11839
+11863
+11867
+11887
+11897
+11903
+11909
+11923
+11927
+11933
+11939
+11941
+11953
+11959
+11969
+11971
+11981
+11987
+12007
+12011
+12037
+12041
+12043
+12049
+12071
+12073
+12097
+12101
+12107
+12109
+12113
+12119
+12143
+12149
+12157
+12161
+12163
+12197
+12203
+12211
+12227
+12239
+12241
+12251
+12253
+12263
+12269
+12277
+12281
+12289
+12301
+12323
+12329
+12343
+12347
+12373
+12377
+12379
+12391
+12401
+12409
+12413
+12421
+12433
+12437
+12451
+12457
+12473
+12479
+12487
+12491
+12497
+12503
+12511
+12517
+12527
+12539
+12541
+12547
+12553
+12569
+12577
+12583
+12589
+12601
+12611
+12613
+12619
+12637
+12641
+12647
+12653
+12659
+12671
+12689
+12697
+12703
+12713
+12721
+12739
+12743
+12757
+12763
+12781
+12791
+12799
+12809
+12821
+12823
+12829
+12841
+12853
+12889
+12893
+12899
+12907
+12911
+12917
+12919
+12923
+12941
+12953
+12959
+12967
+12973
+12979
+12983
+13001
+13003
+13007
+13009
+13033
+13037
+13043
+13049
+13063
+13093
+13099
+13103
+13109
+13121
+13127
+13147
+13151
+13159
+13163
+13171
+13177
+13183
+13187
+13217
+13219
+13229
+13241
+13249
+13259
+13267
+13291
+13297
+13309
+13313
+13327
+13331
+13337
+13339
+13367
+13381
+13397
+13399
+13411
+13417
+13421
+13441
+13451
+13457
+13463
+13469
+13477
+13487
+13499
+13513
+13523
+13537
+13553
+13567
+13577
+13591
+13597
+13613
+13619
+13627
+13633
+13649
+13669
+13679
+13681
+13687
+13691
+13693
+13697
+13709
+13711
+13721
+13723
+13729
+13751
+13757
+13759
+13763
+13781
+13789
+13799
+13807
+13829
+13831
+13841
+13859
+13873
+13877
+13879
+13883
+13901
+13903
+13907
+13913
+13921
+13931
+13933
+13963
+13967
+13997
+13999
+14009
+14011
+14029
+14033
+14051
+14057
+14071
+14081
+14083
+14087
+14107
+14143
+14149
+14153
+14159
+14173
+14177
+14197
+14207
+14221
+14243
+14249
+14251
+14281
+14293
+14303
+14321
+14323
+14327
+14341
+14347
+14369
+14387
+14389
+14401
+14407
+14411
+14419
+14423
+14431
+14437
+14447
+14449
+14461
+14479
+14489
+14503
+14519
+14533
+14537
+14543
+14549
+14551
+14557
+14561
+14563
+14591
+14593
+14621
+14627
+14629
+14633
+14639
+14653
+14657
+14669
+14683
+14699
+14713
+14717
+14723
+14731
+14737
+14741
+14747
+14753
+14759
+14767
+14771
+14779
+14783
+14797
+14813
+14821
+14827
+14831
+14843
+14851
+14867
+14869
+14879
+14887
+14891
+14897
+14923
+14929
+14939
+14947
+14951
+14957
+14969
+14983
+15013
+15017
+15031
+15053
+15061
+15073
+15077
+15083
+15091
+15101
+15107
+15121
+15131
+15137
+15139
+15149
+15161
+15173
+15187
+15193
+15199
+15217
+15227
+15233
+15241
+15259
+15263
+15269
+15271
+15277
+15287
+15289
+15299
+15307
+15313
+15319
+15329
+15331
+15349
+15359
+15361
+15373
+15377
+15383
+15391
+15401
+15413
+15427
+15439
+15443
+15451
+15461
+15467
+15473
+15493
+15497
+15511
+15527
+15541
+15551
+15559
+15569
+15581
+15583
+15601
+15607
+15619
+15629
+15641
+15643
+15647
+15649
+15661
+15667
+15671
+15679
+15683
+15727
+15731
+15733
+15737
+15739
+15749
+15761
+15767
+15773
+15787
+15791
+15797
+15803
+15809
+15817
+15823
+15859
+15877
+15881
+15887
+15889
+15901
+15907
+15913
+15919
+15923
+15937
+15959
+15971
+15973
+15991
+16001
+16007
+16033
+16057
+16061
+16063
+16067
+16069
+16073
+16087
+16091
+16097
+16103
+16111
+16127
+16139
+16141
+16183
+16187
+16189
+16193
+16217
+16223
+16229
+16231
+16249
+16253
+16267
+16273
+16301
+16319
+16333
+16339
+16349
+16361
+16363
+16369
+16381
+16411
+16417
+16421
+16427
+16433
+16447
+16451
+16453
+16477
+16481
+16487
+16493
+16519
+16529
+16547
+16553
+16561
+16567
+16573
+16603
+16607
+16619
+16631
+16633
+16649
+16651
+16657
+16661
+16673
+16691
+16693
+16699
+16703
+16729
+16741
+16747
+16759
+16763
+16787
+16811
+16823
+16829
+16831
+16843
+16871
+16879
+16883
+16889
+16901
+16903
+16921
+16927
+16931
+16937
+16943
+16963
+16979
+16981
+16987
+16993
+17011
+17021
+17027
+17029
+17033
+17041
+17047
+17053
+17077
+17093
+17099
+17107
+17117
+17123
+17137
+17159
+17167
+17183
+17189
+17191
+17203
+17207
+17209
+17231
+17239
+17257
+17291
+17293
+17299
+17317
+17321
+17327
+17333
+17341
+17351
+17359
+17377
+17383
+17387
+17389
+17393
+17401
+17417
+17419
+17431
+17443
+17449
+17467
+17471
+17477
+17483
+17489
+17491
+17497
+17509
+17519
+17539
+17551
+17569
+17573
+17579
+17581
+17597
+17599
+17609
+17623
+17627
+17657
+17659
+17669
+17681
+17683
+17707
+17713
+17729
+17737
+17747
+17749
+17761
+17783
+17789
+17791
+17807
+17827
+17837
+17839
+17851
+17863
+17881
+17891
+17903
+17909
+17911
+17921
+17923
+17929
+17939
+17957
+17959
+17971
+17977
+17981
+17987
+17989
+18013
+18041
+18043
+18047
+18049
+18059
+18061
+18077
+18089
+18097
+18119
+18121
+18127
+18131
+18133
+18143
+18149
+18169
+18181
+18191
+18199
+18211
+18217
+18223
+18229
+18233
+18251
+18253
+18257
+18269
+18287
+18289
+18301
+18307
+18311
+18313
+18329
+18341
+18353
+18367
+18371
+18379
+18397
+18401
+18413
+18427
+18433
+18439
+18443
+18451
+18457
+18461
+18481
+18493
+18503
+18517
+18521
+18523
+18539
+18541
+18553
+18583
+18587
+18593
+18617
+18637
+18661
+18671
+18679
+18691
+18701
+18713
+18719
+18731
+18743
+18749
+18757
+18773
+18787
+18793
+18797
+18803
+18839
+18859
+18869
+18899
+18911
+18913
+18917
+18919
+18947
+18959
+18973
+18979
+19001
+19009
+19013
+19031
+19037
+19051
+19069
+19073
+19079
+19081
+19087
+19121
+19139
+19141
+19157
+19163
+19181
+19183
+19207
+19211
+19213
+19219
+19231
+19237
+19249
+19259
+19267
+19273
+19289
+19301
+19309
+19319
+19333
+19373
+19379
+19381
+19387
+19391
+19403
+19417
+19421
+19423
+19427
+19429
+19433
+19441
+19447
+19457
+19463
+19469
+19471
+19477
+19483
+19489
+19501
+19507
+19531
+19541
+19543
+19553
+19559
+19571
+19577
+19583
+19597
+19603
+19609
+19661
+19681
+19687
+19697
+19699
+19709
+19717
+19727
+19739
+19751
+19753
+19759
+19763
+19777
+19793
+19801
+19813
+19819
+19841
+19843
+19853
+19861
+19867
+19889
+19891
+19913
+19919
+19927
+19937
+19949
+19961
+19963
+19973
+19979
+19991
+19993
+19997
+20011
+20021
+20023
+20029
+20047
+20051
+20063
+20071
+20089
+20101
+20107
+20113
+20117
+20123
+20129
+20143
+20147
+20149
+20161
+20173
+20177
+20183
+20201
+20219
+20231
+20233
+20249
+20261
+20269
+20287
+20297
+20323
+20327
+20333
+20341
+20347
+20353
+20357
+20359
+20369
+20389
+20393
+20399
+20407
+20411
+20431
+20441
+20443
+20477
+20479
+20483
+20507
+20509
+20521
+20533
+20543
+20549
+20551
+20563
+20593
+20599
+20611
+20627
+20639
+20641
+20663
+20681
+20693
+20707
+20717
+20719
+20731
+20743
+20747
+20749
+20753
+20759
+20771
+20773
+20789
+20807
+20809
+20849
+20857
+20873
+20879
+20887
+20897
+20899
+20903
+20921
+20929
+20939
+20947
+20959
+20963
+20981
+20983
+21001
+21011
+21013
+21017
+21019
+21023
+21031
+21059
+21061
+21067
+21089
+21101
+21107
+21121
+21139
+21143
+21149
+21157
+21163
+21169
+21179
+21187
+21191
+21193
+21211
+21221
+21227
+21247
+21269
+21277
+21283
+21313
+21317
+21319
+21323
+21341
+21347
+21377
+21379
+21383
+21391
+21397
+21401
+21407
+21419
+21433
+21467
+21481
+21487
+21491
+21493
+21499
+21503
+21517
+21521
+21523
+21529
+21557
+21559
+21563
+21569
+21577
+21587
+21589
+21599
+21601
+21611
+21613
+21617
+21647
+21649
+21661
+21673
+21683
+21701
+21713
+21727
+21737
+21739
+21751
+21757
+21767
+21773
+21787
+21799
+21803
+21817
+21821
+21839
+21841
+21851
+21859
+21863
+21871
+21881
+21893
+21911
+21929
+21937
+21943
+21961
+21977
+21991
+21997
+22003
+22013
+22027
+22031
+22037
+22039
+22051
+22063
+22067
+22073
+22079
+22091
+22093
+22109
+22111
+22123
+22129
+22133
+22147
+22153
+22157
+22159
+22171
+22189
+22193
+22229
+22247
+22259
+22271
+22273
+22277
+22279
+22283
+22291
+22303
+22307
+22343
+22349
+22367
+22369
+22381
+22391
+22397
+22409
+22433
+22441
+22447
+22453
+22469
+22481
+22483
+22501
+22511
+22531
+22541
+22543
+22549
+22567
+22571
+22573
+22613
+22619
+22621
+22637
+22639
+22643
+22651
+22669
+22679
+22691
+22697
+22699
+22709
+22717
+22721
+22727
+22739
+22741
+22751
+22769
+22777
+22783
+22787
+22807
+22811
+22817
+22853
+22859
+22861
+22871
+22877
+22901
+22907
+22921
+22937
+22943
+22961
+22963
+22973
+22993
+23003
+23011
+23017
+23021
+23027
+23029
+23039
+23041
+23053
+23057
+23059
+23063
+23071
+23081
+23087
+23099
+23117
+23131
+23143
+23159
+23167
+23173
+23189
+23197
+23201
+23203
+23209
+23227
+23251
+23269
+23279
+23291
+23293
+23297
+23311
+23321
+23327
+23333
+23339
+23357
+23369
+23371
+23399
+23417
+23431
+23447
+23459
+23473
+23497
+23509
+23531
+23537
+23539
+23549
+23557
+23561
+23563
+23567
+23581
+23593
+23599
+23603
+23609
+23623
+23627
+23629
+23633
+23663
+23669
+23671
+23677
+23687
+23689
+23719
+23741
+23743
+23747
+23753
+23761
+23767
+23773
+23789
+23801
+23813
+23819
+23827
+23831
+23833
+23857
+23869
+23873
+23879
+23887
+23893
+23899
+23909
+23911
+23917
+23929
+23957
+23971
+23977
+23981
+23993
+24001
+24007
+24019
+24023
+24029
+24043
+24049
+24061
+24071
+24077
+24083
+24091
+24097
+24103
+24107
+24109
+24113
+24121
+24133
+24137
+24151
+24169
+24179
+24181
+24197
+24203
+24223
+24229
+24239
+24247
+24251
+24281
+24317
+24329
+24337
+24359
+24371
+24373
+24379
+24391
+24407
+24413
+24419
+24421
+24439
+24443
+24469
+24473
+24481
+24499
+24509
+24517
+24527
+24533
+24547
+24551
+24571
+24593
+24611
+24623
+24631
+24659
+24671
+24677
+24683
+24691
+24697
+24709
+24733
+24749
+24763
+24767
+24781
+24793
+24799
+24809
+24821
+24841
+24847
+24851
+24859
+24877
+24889
+24907
+24917
+24919
+24923
+24943
+24953
+24967
+24971
+24977
+24979
+24989
+25013
+25031
+25033
+25037
+25057
+25073
+25087
+25097
+25111
+25117
+25121
+25127
+25147
+25153
+25163
+25169
+25171
+25183
+25189
+25219
+25229
+25237
+25243
+25247
+25253
+25261
+25301
+25303
+25307
+25309
+25321
+25339
+25343
+25349
+25357
+25367
+25373
+25391
+25409
+25411
+25423
+25439
+25447
+25453
+25457
+25463
+25469
+25471
+25523
+25537
+25541
+25561
+25577
+25579
+25583
+25589
+25601
+25603
+25609
+25621
+25633
+25639
+25643
+25657
+25667
+25673
+25679
+25693
+25703
+25717
+25733
+25741
+25747
+25759
+25763
+25771
+25793
+25799
+25801
+25819
+25841
+25847
+25849
+25867
+25873
+25889
+25903
+25913
+25919
+25931
+25933
+25939
+25943
+25951
+25969
+25981
+25997
+25999
+26003
+26017
+26021
+26029
+26041
+26053
+26083
+26099
+26107
+26111
+26113
+26119
+26141
+26153
+26161
+26171
+26177
+26183
+26189
+26203
+26209
+26227
+26237
+26249
+26251
+26261
+26263
+26267
+26293
+26297
+26309
+26317
+26321
+26339
+26347
+26357
+26371
+26387
+26393
+26399
+26407
+26417
+26423
+26431
+26437
+26449
+26459
+26479
+26489
+26497
+26501
+26513
+26539
+26557
+26561
+26573
+26591
+26597
+26627
+26633
+26641
+26647
+26669
+26681
+26683
+26687
+26693
+26699
+26701
+26711
+26713
+26717
+26723
+26729
+26731
+26737
+26759
+26777
+26783
+26801
+26813
+26821
+26833
+26839
+26849
+26861
+26863
+26879
+26881
+26891
+26893
+26903
+26921
+26927
+26947
+26951
+26953
+26959
+26981
+26987
+26993
+27011
+27017
+27031
+27043
+27059
+27061
+27067
+27073
+27077
+27091
+27103
+27107
+27109
+27127
+27143
+27179
+27191
+27197
+27211
+27239
+27241
+27253
+27259
+27271
+27277
+27281
+27283
+27299
+27329
+27337
+27361
+27367
+27397
+27407
+27409
+27427
+27431
+27437
+27449
+27457
+27479
+27481
+27487
+27509
+27527
+27529
+27539
+27541
+27551
+27581
+27583
+27611
+27617
+27631
+27647
+27653
+27673
+27689
+27691
+27697
+27701
+27733
+27737
+27739
+27743
+27749
+27751
+27763
+27767
+27773
+27779
+27791
+27793
+27799
+27803
+27809
+27817
+27823
+27827
+27847
+27851
+27883
+27893
+27901
+27917
+27919
+27941
+27943
+27947
+27953
+27961
+27967
+27983
+27997
+28001
+28019
+28027
+28031
+28051
+28057
+28069
+28081
+28087
+28097
+28099
+28109
+28111
+28123
+28151
+28163
+28181
+28183
+28201
+28211
+28219
+28229
+28277
+28279
+28283
+28289
+28297
+28307
+28309
+28319
+28349
+28351
+28387
+28393
+28403
+28409
+28411
+28429
+28433
+28439
+28447
+28463
+28477
+28493
+28499
+28513
+28517
+28537
+28541
+28547
+28549
+28559
+28571
+28573
+28579
+28591
+28597
+28603
+28607
+28619
+28621
+28627
+28631
+28643
+28649
+28657
+28661
+28663
+28669
+28687
+28697
+28703
+28711
+28723
+28729
+28751
+28753
+28759
+28771
+28789
+28793
+28807
+28813
+28817
+28837
+28843
+28859
+28867
+28871
+28879
+28901
+28909
+28921
+28927
+28933
+28949
+28961
+28979
+29009
+29017
+29021
+29023
+29027
+29033
+29059
+29063
+29077
+29101
+29123
+29129
+29131
+29137
+29147
+29153
+29167
+29173
+29179
+29191
+29201
+29207
+29209
+29221
+29231
+29243
+29251
+29269
+29287
+29297
+29303
+29311
+29327
+29333
+29339
+29347
+29363
+29383
+29387
+29389
+29399
+29401
+29411
+29423
+29429
+29437
+29443
+29453
+29473
+29483
+29501
+29527
+29531
+29537
+29567
+29569
+29573
+29581
+29587
+29599
+29611
+29629
+29633
+29641
+29663
+29669
+29671
+29683
+29717
+29723
+29741
+29753
+29759
+29761
+29789
+29803
+29819
+29833
+29837
+29851
+29863
+29867
+29873
+29879
+29881
+29917
+29921
+29927
+29947
+29959
+29983
+29989
+30011
+30013
+30029
+30047
+30059
+30071
+30089
+30091
+30097
+30103
+30109
+30113
+30119
+30133
+30137
+30139
+30161
+30169
+30181
+30187
+30197
+30203
+30211
+30223
+30241
+30253
+30259
+30269
+30271
+30293
+30307
+30313
+30319
+30323
+30341
+30347
+30367
+30389
+30391
+30403
+30427
+30431
+30449
+30467
+30469
+30491
+30493
+30497
+30509
+30517
+30529
+30539
+30553
+30557
+30559
+30577
+30593
+30631
+30637
+30643
+30649
+30661
+30671
+30677
+30689
+30697
+30703
+30707
+30713
+30727
+30757
+30763
+30773
+30781
+30803
+30809
+30817
+30829
+30839
+30841
+30851
+30853
+30859
+30869
+30871
+30881
+30893
+30911
+30931
+30937
+30941
+30949
+30971
+30977
+30983
+31013
+31019
+31033
+31039
+31051
+31063
+31069
+31079
+31081
+31091
+31121
+31123
+31139
+31147
+31151
+31153
+31159
+31177
+31181
+31183
+31189
+31193
+31219
+31223
+31231
+31237
+31247
+31249
+31253
+31259
+31267
+31271
+31277
+31307
+31319
+31321
+31327
+31333
+31337
+31357
+31379
+31387
+31391
+31393
+31397
+31469
+31477
+31481
+31489
+31511
+31513
+31517
+31531
+31541
+31543
+31547
+31567
+31573
+31583
+31601
+31607
+31627
+31643
+31649
+31657
+31663
+31667
+31687
+31699
+31721
+31723
+31727
+31729
+31741
+31751
+31769
+31771
+31793
+31799
+31817
+31847
+31849
+31859
+31873
+31883
+31891
+31907
+31957
+31963
+31973
+31981
+31991
+32003
+32009
+32027
+32029
+32051
+32057
+32059
+32063
+32069
+32077
+32083
+32089
+32099
+32117
+32119
+32141
+32143
+32159
+32173
+32183
+32189
+32191
+32203
+32213
+32233
+32237
+32251
+32257
+32261
+32297
+32299
+32303
+32309
+32321
+32323
+32327
+32341
+32353
+32359
+32363
+32369
+32371
+32377
+32381
+32401
+32411
+32413
+32423
+32429
+32441
+32443
+32467
+32479
+32491
+32497
+32503
+32507
+32531
+32533
+32537
+32561
+32563
+32569
+32573
+32579
+32587
+32603
+32609
+32611
+32621
+32633
+32647
+32653
+32687
+32693
+32707
+32713
+32717
+32719
+32749
+32771
+32779
+32783
+32789
+32797
+32801
+32803
+32831
+32833
+32839
+32843
+32869
+32887
+32909
+32911
+32917
+32933
+32939
+32941
+32957
+32969
+32971
+32983
+32987
+32993
+32999
+33013
+33023
+33029
+33037
+33049
+33053
+33071
+33073
+33083
+33091
+33107
+33113
+33119
+33149
+33151
+33161
+33179
+33181
+33191
+33199
+33203
+33211
+33223
+33247
+33287
+33289
+33301
+33311
+33317
+33329
+33331
+33343
+33347
+33349
+33353
+33359
+33377
+33391
+33403
+33409
+33413
+33427
+33457
+33461
+33469
+33479
+33487
+33493
+33503
+33521
+33529
+33533
+33547
+33563
+33569
+33577
+33581
+33587
+33589
+33599
+33601
+33613
+33617
+33619
+33623
+33629
+33637
+33641
+33647
+33679
+33703
+33713
+33721
+33739
+33749
+33751
+33757
+33767
+33769
+33773
+33791
+33797
+33809
+33811
+33827
+33829
+33851
+33857
+33863
+33871
+33889
+33893
+33911
+33923
+33931
+33937
+33941
+33961
+33967
+33997
+34019
+34031
+34033
+34039
+34057
+34061
+34123
+34127
+34129
+34141
+34147
+34157
+34159
+34171
+34183
+34211
+34213
+34217
+34231
+34253
+34259
+34261
+34267
+34273
+34283
+34297
+34301
+34303
+34313
+34319
+34327
+34337
+34351
+34361
+34367
+34369
+34381
+34403
+34421
+34429
+34439
+34457
+34469
+34471
+34483
+34487
+34499
+34501
+34511
+34513
+34519
+34537
+34543
+34549
+34583
+34589
+34591
+34603
+34607
+34613
+34631
+34649
+34651
+34667
+34673
+34679
+34687
+34693
+34703
+34721
+34729
+34739
+34747
+34757
+34759
+34763
+34781
+34807
+34819
+34841
+34843
+34847
+34849
+34871
+34877
+34883
+34897
+34913
+34919
+34939
+34949
+34961
+34963
+34981
+35023
+35027
+35051
+35053
+35059
+35069
+35081
+35083
+35089
+35099
+35107
+35111
+35117
+35129
+35141
+35149
+35153
+35159
+35171
+35201
+35221
+35227
+35251
+35257
+35267
+35279
+35281
+35291
+35311
+35317
+35323
+35327
+35339
+35353
+35363
+35381
+35393
+35401
+35407
+35419
+35423
+35437
+35447
+35449
+35461
+35491
+35507
+35509
+35521
+35527
+35531
+35533
+35537
+35543
+35569
+35573
+35591
+35593
+35597
+35603
+35617
+35671
+35677
+35729
+35731
+35747
+35753
+35759
+35771
+35797
+35801
+35803
+35809
+35831
+35837
+35839
+35851
+35863
+35869
+35879
+35897
+35899
+35911
+35923
+35933
+35951
+35963
+35969
+35977
+35983
+35993
+35999
+36007
+36011
+36013
+36017
+36037
+36061
+36067
+36073
+36083
+36097
+36107
+36109
+36131
+36137
+36151
+36161
+36187
+36191
+36209
+36217
+36229
+36241
+36251
+36263
+36269
+36277
+36293
+36299
+36307
+36313
+36319
+36341
+36343
+36353
+36373
+36383
+36389
+36433
+36451
+36457
+36467
+36469
+36473
+36479
+36493
+36497
+36523
+36527
+36529
+36541
+36551
+36559
+36563
+36571
+36583
+36587
+36599
+36607
+36629
+36637
+36643
+36653
+36671
+36677
+36683
+36691
+36697
+36709
+36713
+36721
+36739
+36749
+36761
+36767
+36779
+36781
+36787
+36791
+36793
+36809
+36821
+36833
+36847
+36857
+36871
+36877
+36887
+36899
+36901
+36913
+36919
+36923
+36929
+36931
+36943
+36947
+36973
+36979
+36997
+37003
+37013
+37019
+37021
+37039
+37049
+37057
+37061
+37087
+37097
+37117
+37123
+37139
+37159
+37171
+37181
+37189
+37199
+37201
+37217
+37223
+37243
+37253
+37273
+37277
+37307
+37309
+37313
+37321
+37337
+37339
+37357
+37361
+37363
+37369
+37379
+37397
+37409
+37423
+37441
+37447
+37463
+37483
+37489
+37493
+37501
+37507
+37511
+37517
+37529
+37537
+37547
+37549
+37561
+37567
+37571
+37573
+37579
+37589
+37591
+37607
+37619
+37633
+37643
+37649
+37657
+37663
+37691
+37693
+37699
+37717
+37747
+37781
+37783
+37799
+37811
+37813
+37831
+37847
+37853
+37861
+37871
+37879
+37889
+37897
+37907
+37951
+37957
+37963
+37967
+37987
+37991
+37993
+37997
+38011
+38039
+38047
+38053
+38069
+38083
+38113
+38119
+38149
+38153
+38167
+38177
+38183
+38189
+38197
+38201
+38219
+38231
+38237
+38239
+38261
+38273
+38281
+38287
+38299
+38303
+38317
+38321
+38327
+38329
+38333
+38351
+38371
+38377
+38393
+38431
+38447
+38449
+38453
+38459
+38461
+38501
+38543
+38557
+38561
+38567
+38569
+38593
+38603
+38609
+38611
+38629
+38639
+38651
+38653
+38669
+38671
+38677
+38693
+38699
+38707
+38711
+38713
+38723
+38729
+38737
+38747
+38749
+38767
+38783
+38791
+38803
+38821
+38833
+38839
+38851
+38861
+38867
+38873
+38891
+38903
+38917
+38921
+38923
+38933
+38953
+38959
+38971
+38977
+38993
+39019
+39023
+39041
+39043
+39047
+39079
+39089
+39097
+39103
+39107
+39113
+39119
+39133
+39139
+39157
+39161
+39163
+39181
+39191
+39199
+39209
+39217
+39227
+39229
+39233
+39239
+39241
+39251
+39293
+39301
+39313
+39317
+39323
+39341
+39343
+39359
+39367
+39371
+39373
+39383
+39397
+39409
+39419
+39439
+39443
+39451
+39461
+39499
+39503
+39509
+39511
+39521
+39541
+39551
+39563
+39569
+39581
+39607
+39619
+39623
+39631
+39659
+39667
+39671
+39679
+39703
+39709
+39719
+39727
+39733
+39749
+39761
+39769
+39779
+39791
+39799
+39821
+39827
+39829
+39839
+39841
+39847
+39857
+39863
+39869
+39877
+39883
+39887
+39901
+39929
+39937
+39953
+39971
+39979
+39983
+39989
+40009
+40013
+40031
+40037
+40039
+40063
+40087
+40093
+40099
+40111
+40123
+40127
+40129
+40151
+40153
+40163
+40169
+40177
+40189
+40193
+40213
+40231
+40237
+40241
+40253
+40277
+40283
+40289
+40343
+40351
+40357
+40361
+40387
+40423
+40427
+40429
+40433
+40459
+40471
+40483
+40487
+40493
+40499
+40507
+40519
+40529
+40531
+40543
+40559
+40577
+40583
+40591
+40597
+40609
+40627
+40637
+40639
+40693
+40697
+40699
+40709
+40739
+40751
+40759
+40763
+40771
+40787
+40801
+40813
+40819
+40823
+40829
+40841
+40847
+40849
+40853
+40867
+40879
+40883
+40897
+40903
+40927
+40933
+40939
+40949
+40961
+40973
+40993
+41011
+41017
+41023
+41039
+41047
+41051
+41057
+41077
+41081
+41113
+41117
+41131
+41141
+41143
+41149
+41161
+41177
+41179
+41183
+41189
+41201
+41203
+41213
+41221
+41227
+41231
+41233
+41243
+41257
+41263
+41269
+41281
+41299
+41333
+41341
+41351
+41357
+41381
+41387
+41389
+41399
+41411
+41413
+41443
+41453
+41467
+41479
+41491
+41507
+41513
+41519
+41521
+41539
+41543
+41549
+41579
+41593
+41597
+41603
+41609
+41611
+41617
+41621
+41627
+41641
+41647
+41651
+41659
+41669
+41681
+41687
+41719
+41729
+41737
+41759
+41761
+41771
+41777
+41801
+41809
+41813
+41843
+41849
+41851
+41863
+41879
+41887
+41893
+41897
+41903
+41911
+41927
+41941
+41947
+41953
+41957
+41959
+41969
+41981
+41983
+41999
+42013
+42017
+42019
+42023
+42043
+42061
+42071
+42073
+42083
+42089
+42101
+42131
+42139
+42157
+42169
+42179
+42181
+42187
+42193
+42197
+42209
+42221
+42223
+42227
+42239
+42257
+42281
+42283
+42293
+42299
+42307
+42323
+42331
+42337
+42349
+42359
+42373
+42379
+42391
+42397
+42403
+42407
+42409
+42433
+42437
+42443
+42451
+42457
+42461
+42463
+42467
+42473
+42487
+42491
+42499
+42509
+42533
+42557
+42569
+42571
+42577
+42589
+42611
+42641
+42643
+42649
+42667
+42677
+42683
+42689
+42697
+42701
+42703
+42709
+42719
+42727
+42737
+42743
+42751
+42767
+42773
+42787
+42793
+42797
+42821
+42829
+42839
+42841
+42853
+42859
+42863
+42899
+42901
+42923
+42929
+42937
+42943
+42953
+42961
+42967
+42979
+42989
+43003
+43013
+43019
+43037
+43049
+43051
+43063
+43067
+43093
+43103
+43117
+43133
+43151
+43159
+43177
+43189
+43201
+43207
+43223
+43237
+43261
+43271
+43283
+43291
+43313
+43319
+43321
+43331
+43391
+43397
+43399
+43403
+43411
+43427
+43441
+43451
+43457
+43481
+43487
+43499
+43517
+43541
+43543
+43573
+43577
+43579
+43591
+43597
+43607
+43609
+43613
+43627
+43633
+43649
+43651
+43661
+43669
+43691
+43711
+43717
+43721
+43753
+43759
+43777
+43781
+43783
+43787
+43789
+43793
+43801
+43853
+43867
+43889
+43891
+43913
+43933
+43943
+43951
+43961
+43963
+43969
+43973
+43987
+43991
+43997
+44017
+44021
+44027
+44029
+44041
+44053
+44059
+44071
+44087
+44089
+44101
+44111
+44119
+44123
+44129
+44131
+44159
+44171
+44179
+44189
+44201
+44203
+44207
+44221
+44249
+44257
+44263
+44267
+44269
+44273
+44279
+44281
+44293
+44351
+44357
+44371
+44381
+44383
+44389
+44417
+44449
+44453
+44483
+44491
+44497
+44501
+44507
+44519
+44531
+44533
+44537
+44543
+44549
+44563
+44579
+44587
+44617
+44621
+44623
+44633
+44641
+44647
+44651
+44657
+44683
+44687
+44699
+44701
+44711
+44729
+44741
+44753
+44771
+44773
+44777
+44789
+44797
+44809
+44819
+44839
+44843
+44851
+44867
+44879
+44887
+44893
+44909
+44917
+44927
+44939
+44953
+44959
+44963
+44971
+44983
+44987
+45007
+45013
+45053
+45061
+45077
+45083
+45119
+45121
+45127
+45131
+45137
+45139
+45161
+45179
+45181
+45191
+45197
+45233
+45247
+45259
+45263
+45281
+45289
+45293
+45307
+45317
+45319
+45329
+45337
+45341
+45343
+45361
+45377
+45389
+45403
+45413
+45427
+45433
+45439
+45481
+45491
+45497
+45503
+45523
+45533
+45541
+45553
+45557
+45569
+45587
+45589
+45599
+45613
+45631
+45641
+45659
+45667
+45673
+45677
+45691
+45697
+45707
+45737
+45751
+45757
+45763
+45767
+45779
+45817
+45821
+45823
+45827
+45833
+45841
+45853
+45863
+45869
+45887
+45893
+45943
+45949
+45953
+45959
+45971
+45979
+45989
+46021
+46027
+46049
+46051
+46061
+46073
+46091
+46093
+46099
+46103
+46133
+46141
+46147
+46153
+46171
+46181
+46183
+46187
+46199
+46219
+46229
+46237
+46261
+46271
+46273
+46279
+46301
+46307
+46309
+46327
+46337
+46349
+46351
+46381
+46399
+46411
+46439
+46441
+46447
+46451
+46457
+46471
+46477
+46489
+46499
+46507
+46511
+46523
+46549
+46559
+46567
+46573
+46589
+46591
+46601
+46619
+46633
+46639
+46643
+46649
+46663
+46679
+46681
+46687
+46691
+46703
+46723
+46727
+46747
+46751
+46757
+46769
+46771
+46807
+46811
+46817
+46819
+46829
+46831
+46853
+46861
+46867
+46877
+46889
+46901
+46919
+46933
+46957
+46993
+46997
+47017
+47041
+47051
+47057
+47059
+47087
+47093
+47111
+47119
+47123
+47129
+47137
+47143
+47147
+47149
+47161
+47189
+47207
+47221
+47237
+47251
+47269
+47279
+47287
+47293
+47297
+47303
+47309
+47317
+47339
+47351
+47353
+47363
+47381
+47387
+47389
+47407
+47417
+47419
+47431
+47441
+47459
+47491
+47497
+47501
+47507
+47513
+47521
+47527
+47533
+47543
+47563
+47569
+47581
+47591
+47599
+47609
+47623
+47629
+47639
+47653
+47657
+47659
+47681
+47699
+47701
+47711
+47713
+47717
+47737
+47741
+47743
+47777
+47779
+47791
+47797
+47807
+47809
+47819
+47837
+47843
+47857
+47869
+47881
+47903
+47911
+47917
+47933
+47939
+47947
+47951
+47963
+47969
+47977
+47981
+48017
+48023
+48029
+48049
+48073
+48079
+48091
+48109
+48119
+48121
+48131
+48157
+48163
+48179
+48187
+48193
+48197
+48221
+48239
+48247
+48259
+48271
+48281
+48299
+48311
+48313
+48337
+48341
+48353
+48371
+48383
+48397
+48407
+48409
+48413
+48437
+48449
+48463
+48473
+48479
+48481
+48487
+48491
+48497
+48523
+48527
+48533
+48539
+48541
+48563
+48571
+48589
+48593
+48611
+48619
+48623
+48647
+48649
+48661
+48673
+48677
+48679
+48731
+48733
+48751
+48757
+48761
+48767
+48779
+48781
+48787
+48799
+48809
+48817
+48821
+48823
+48847
+48857
+48859
+48869
+48871
+48883
+48889
+48907
+48947
+48953
+48973
+48989
+48991
+49003
+49009
+49019
+49031
+49033
+49037
+49043
+49057
+49069
+49081
+49103
+49109
+49117
+49121
+49123
+49139
+49157
+49169
+49171
+49177
+49193
+49199
+49201
+49207
+49211
+49223
+49253
+49261
+49277
+49279
+49297
+49307
+49331
+49333
+49339
+49363
+49367
+49369
+49391
+49393
+49409
+49411
+49417
+49429
+49433
+49451
+49459
+49463
+49477
+49481
+49499
+49523
+49529
+49531
+49537
+49547
+49549
+49559
+49597
+49603
+49613
+49627
+49633
+49639
+49663
+49667
+49669
+49681
+49697
+49711
+49727
+49739
+49741
+49747
+49757
+49783
+49787
+49789
+49801
+49807
+49811
+49823
+49831
+49843
+49853
+49871
+49877
+49891
+49919
+49921
+49927
+49937
+49939
+49943
+49957
+49991
+49993
+49999
+50021
+50023
+50033
+50047
+50051
+50053
+50069
+50077
+50087
+50093
+50101
+50111
+50119
+50123
+50129
+50131
+50147
+50153
+50159
+50177
+50207
+50221
+50227
+50231
+50261
+50263
+50273
+50287
+50291
+50311
+50321
+50329
+50333
+50341
+50359
+50363
+50377
+50383
+50387
+50411
+50417
+50423
+50441
+50459
+50461
+50497
+50503
+50513
+50527
+50539
+50543
+50549
+50551
+50581
+50587
+50591
+50593
+50599
+50627
+50647
+50651
+50671
+50683
+50707
+50723
+50741
+50753
+50767
+50773
+50777
+50789
+50821
+50833
+50839
+50849
+50857
+50867
+50873
+50891
+50893
+50909
+50923
+50929
+50951
+50957
+50969
+50971
+50989
+50993
+51001
+51031
+51043
+51047
+51059
+51061
+51071
+51109
+51131
+51133
+51137
+51151
+51157
+51169
+51193
+51197
+51199
+51203
+51217
+51229
+51239
+51241
+51257
+51263
+51283
+51287
+51307
+51329
+51341
+51343
+51347
+51349
+51361
+51383
+51407
+51413
+51419
+51421
+51427
+51431
+51437
+51439
+51449
+51461
+51473
+51479
+51481
+51487
+51503
+51511
+51517
+51521
+51539
+51551
+51563
+51577
+51581
+51593
+51599
+51607
+51613
+51631
+51637
+51647
+51659
+51673
+51679
+51683
+51691
+51713
+51719
+51721
+51749
+51767
+51769
+51787
+51797
+51803
+51817
+51827
+51829
+51839
+51853
+51859
+51869
+51871
+51893
+51899
+51907
+51913
+51929
+51941
+51949
+51971
+51973
+51977
+51991
+52009
+52021
+52027
+52051
+52057
+52067
+52069
+52081
+52103
+52121
+52127
+52147
+52153
+52163
+52177
+52181
+52183
+52189
+52201
+52223
+52237
+52249
+52253
+52259
+52267
+52289
+52291
+52301
+52313
+52321
+52361
+52363
+52369
+52379
+52387
+52391
+52433
+52453
+52457
+52489
+52501
+52511
+52517
+52529
+52541
+52543
+52553
+52561
+52567
+52571
+52579
+52583
+52609
+52627
+52631
+52639
+52667
+52673
+52691
+52697
+52709
+52711
+52721
+52727
+52733
+52747
+52757
+52769
+52783
+52807
+52813
+52817
+52837
+52859
+52861
+52879
+52883
+52889
+52901
+52903
+52919
+52937
+52951
+52957
+52963
+52967
+52973
+52981
+52999
+53003
+53017
+53047
+53051
+53069
+53077
+53087
+53089
+53093
+53101
+53113
+53117
+53129
+53147
+53149
+53161
+53171
+53173
+53189
+53197
+53201
+53231
+53233
+53239
+53267
+53269
+53279
+53281
+53299
+53309
+53323
+53327
+53353
+53359
+53377
+53381
+53401
+53407
+53411
+53419
+53437
+53441
+53453
+53479
+53503
+53507
+53527
+53549
+53551
+53569
+53591
+53593
+53597
+53609
+53611
+53617
+53623
+53629
+53633
+53639
+53653
+53657
+53681
+53693
+53699
+53717
+53719
+53731
+53759
+53773
+53777
+53783
+53791
+53813
+53819
+53831
+53849
+53857
+53861
+53881
+53887
+53891
+53897
+53899
+53917
+53923
+53927
+53939
+53951
+53959
+53987
+53993
+54001
+54011
+54013
+54037
+54049
+54059
+54083
+54091
+54101
+54121
+54133
+54139
+54151
+54163
+54167
+54181
+54193
+54217
+54251
+54269
+54277
+54287
+54293
+54311
+54319
+54323
+54331
+54347
+54361
+54367
+54371
+54377
+54401
+54403
+54409
+54413
+54419
+54421
+54437
+54443
+54449
+54469
+54493
+54497
+54499
+54503
+54517
+54521
+54539
+54541
+54547
+54559
+54563
+54577
+54581
+54583
+54601
+54617
+54623
+54629
+54631
+54647
+54667
+54673
+54679
+54709
+54713
+54721
+54727
+54751
+54767
+54773
+54779
+54787
+54799
+54829
+54833
+54851
+54869
+54877
+54881
+54907
+54917
+54919
+54941
+54949
+54959
+54973
+54979
+54983
+55001
+55009
+55021
+55049
+55051
+55057
+55061
+55073
+55079
+55103
+55109
+55117
+55127
+55147
+55163
+55171
+55201
+55207
+55213
+55217
+55219
+55229
+55243
+55249
+55259
+55291
+55313
+55331
+55333
+55337
+55339
+55343
+55351
+55373
+55381
+55399
+55411
+55439
+55441
+55457
+55469
+55487
+55501
+55511
+55529
+55541
+55547
+55579
+55589
+55603
+55609
+55619
+55621
+55631
+55633
+55639
+55661
+55663
+55667
+55673
+55681
+55691
+55697
+55711
+55717
+55721
+55733
+55763
+55787
+55793
+55799
+55807
+55813
+55817
+55819
+55823
+55829
+55837
+55843
+55849
+55871
+55889
+55897
+55901
+55903
+55921
+55927
+55931
+55933
+55949
+55967
+55987
+55997
+56003
+56009
+56039
+56041
+56053
+56081
+56087
+56093
+56099
+56101
+56113
+56123
+56131
+56149
+56167
+56171
+56179
+56197
+56207
+56209
+56237
+56239
+56249
+56263
+56267
+56269
+56299
+56311
+56333
+56359
+56369
+56377
+56383
+56393
+56401
+56417
+56431
+56437
+56443
+56453
+56467
+56473
+56477
+56479
+56489
+56501
+56503
+56509
+56519
+56527
+56531
+56533
+56543
+56569
+56591
+56597
+56599
+56611
+56629
+56633
+56659
+56663
+56671
+56681
+56687
+56701
+56711
+56713
+56731
+56737
+56747
+56767
+56773
+56779
+56783
+56807
+56809
+56813
+56821
+56827
+56843
+56857
+56873
+56891
+56893
+56897
+56909
+56911
+56921
+56923
+56929
+56941
+56951
+56957
+56963
+56983
+56989
+56993
+56999
+57037
+57041
+57047
+57059
+57073
+57077
+57089
+57097
+57107
+57119
+57131
+57139
+57143
+57149
+57163
+57173
+57179
+57191
+57193
+57203
+57221
+57223
+57241
+57251
+57259
+57269
+57271
+57283
+57287
+57301
+57329
+57331
+57347
+57349
+57367
+57373
+57383
+57389
+57397
+57413
+57427
+57457
+57467
+57487
+57493
+57503
+57527
+57529
+57557
+57559
+57571
+57587
+57593
+57601
+57637
+57641
+57649
+57653
+57667
+57679
+57689
+57697
+57709
+57713
+57719
+57727
+57731
+57737
+57751
+57773
+57781
+57787
+57791
+57793
+57803
+57809
+57829
+57839
+57847
+57853
+57859
+57881
+57899
+57901
+57917
+57923
+57943
+57947
+57973
+57977
+57991
+58013
+58027
+58031
+58043
+58049
+58057
+58061
+58067
+58073
+58099
+58109
+58111
+58129
+58147
+58151
+58153
+58169
+58171
+58189
+58193
+58199
+58207
+58211
+58217
+58229
+58231
+58237
+58243
+58271
+58309
+58313
+58321
+58337
+58363
+58367
+58369
+58379
+58391
+58393
+58403
+58411
+58417
+58427
+58439
+58441
+58451
+58453
+58477
+58481
+58511
+58537
+58543
+58549
+58567
+58573
+58579
+58601
+58603
+58613
+58631
+58657
+58661
+58679
+58687
+58693
+58699
+58711
+58727
+58733
+58741
+58757
+58763
+58771
+58787
+58789
+58831
+58889
+58897
+58901
+58907
+58909
+58913
+58921
+58937
+58943
+58963
+58967
+58979
+58991
+58997
+59009
+59011
+59021
+59023
+59029
+59051
+59053
+59063
+59069
+59077
+59083
+59093
+59107
+59113
+59119
+59123
+59141
+59149
+59159
+59167
+59183
+59197
+59207
+59209
+59219
+59221
+59233
+59239
+59243
+59263
+59273
+59281
+59333
+59341
+59351
+59357
+59359
+59369
+59377
+59387
+59393
+59399
+59407
+59417
+59419
+59441
+59443
+59447
+59453
+59467
+59471
+59473
+59497
+59509
+59513
+59539
+59557
+59561
+59567
+59581
+59611
+59617
+59621
+59627
+59629
+59651
+59659
+59663
+59669
+59671
+59693
+59699
+59707
+59723
+59729
+59743
+59747
+59753
+59771
+59779
+59791
+59797
+59809
+59833
+59863
+59879
+59887
+59921
+59929
+59951
+59957
+59971
+59981
+59999
+60013
+60017
+60029
+60037
+60041
+60077
+60083
+60089
+60091
+60101
+60103
+60107
+60127
+60133
+60139
+60149
+60161
+60167
+60169
+60209
+60217
+60223
+60251
+60257
+60259
+60271
+60289
+60293
+60317
+60331
+60337
+60343
+60353
+60373
+60383
+60397
+60413
+60427
+60443
+60449
+60457
+60493
+60497
+60509
+60521
+60527
+60539
+60589
+60601
+60607
+60611
+60617
+60623
+60631
+60637
+60647
+60649
+60659
+60661
+60679
+60689
+60703
+60719
+60727
+60733
+60737
+60757
+60761
+60763
+60773
+60779
+60793
+60811
+60821
+60859
+60869
+60887
+60889
+60899
+60901
+60913
+60917
+60919
+60923
+60937
+60943
+60953
+60961
+61001
+61007
+61027
+61031
+61043
+61051
+61057
+61091
+61099
+61121
+61129
+61141
+61151
+61153
+61169
+61211
+61223
+61231
+61253
+61261
+61283
+61291
+61297
+61331
+61333
+61339
+61343
+61357
+61363
+61379
+61381
+61403
+61409
+61417
+61441
+61463
+61469
+61471
+61483
+61487
+61493
+61507
+61511
+61519
+61543
+61547
+61553
+61559
+61561
+61583
+61603
+61609
+61613
+61627
+61631
+61637
+61643
+61651
+61657
+61667
+61673
+61681
+61687
+61703
+61717
+61723
+61729
+61751
+61757
+61781
+61813
+61819
+61837
+61843
+61861
+61871
+61879
+61909
+61927
+61933
+61949
+61961
+61967
+61979
+61981
+61987
+61991
+62003
+62011
+62017
+62039
+62047
+62053
+62057
+62071
+62081
+62099
+62119
+62129
+62131
+62137
+62141
+62143
+62171
+62189
+62191
+62201
+62207
+62213
+62219
+62233
+62273
+62297
+62299
+62303
+62311
+62323
+62327
+62347
+62351
+62383
+62401
+62417
+62423
+62459
+62467
+62473
+62477
+62483
+62497
+62501
+62507
+62533
+62539
+62549
+62563
+62581
+62591
+62597
+62603
+62617
+62627
+62633
+62639
+62653
+62659
+62683
+62687
+62701
+62723
+62731
+62743
+62753
+62761
+62773
+62791
+62801
+62819
+62827
+62851
+62861
+62869
+62873
+62897
+62903
+62921
+62927
+62929
+62939
+62969
+62971
+62981
+62983
+62987
+62989
+63029
+63031
+63059
+63067
+63073
+63079
+63097
+63103
+63113
+63127
+63131
+63149
+63179
+63197
+63199
+63211
+63241
+63247
+63277
+63281
+63299
+63311
+63313
+63317
+63331
+63337
+63347
+63353
+63361
+63367
+63377
+63389
+63391
+63397
+63409
+63419
+63421
+63439
+63443
+63463
+63467
+63473
+63487
+63493
+63499
+63521
+63527
+63533
+63541
+63559
+63577
+63587
+63589
+63599
+63601
+63607
+63611
+63617
+63629
+63647
+63649
+63659
+63667
+63671
+63689
+63691
+63697
+63703
+63709
+63719
+63727
+63737
+63743
+63761
+63773
+63781
+63793
+63799
+63803
+63809
+63823
+63839
+63841
+63853
+63857
+63863
+63901
+63907
+63913
+63929
+63949
+63977
+63997
+64007
+64013
+64019
+64033
+64037
+64063
+64067
+64081
+64091
+64109
+64123
+64151
+64153
+64157
+64171
+64187
+64189
+64217
+64223
+64231
+64237
+64271
+64279
+64283
+64301
+64303
+64319
+64327
+64333
+64373
+64381
+64399
+64403
+64433
+64439
+64451
+64453
+64483
+64489
+64499
+64513
+64553
+64567
+64577
+64579
+64591
+64601
+64609
+64613
+64621
+64627
+64633
+64661
+64663
+64667
+64679
+64693
+64709
+64717
+64747
+64763
+64781
+64783
+64793
+64811
+64817
+64849
+64853
+64871
+64877
+64879
+64891
+64901
+64919
+64921
+64927
+64937
+64951
+64969
+64997
+65003
+65011
+65027
+65029
+65033
+65053
+65063
+65071
+65089
+65099
+65101
+65111
+65119
+65123
+65129
+65141
+65147
+65167
+65171
+65173
+65179
+65183
+65203
+65213
+65239
+65257
+65267
+65269
+65287
+65293
+65309
+65323
+65327
+65353
+65357
+65371
+65381
+65393
+65407
+65413
+65419
+65423
+65437
+65447
+65449
+65479
+65497
+65519
+65521
diff --git a/security/nss/lib/freebl/mpi/doc/prng.pod b/security/nss/lib/freebl/mpi/doc/prng.pod
new file mode 100644
index 000000000..1ae75da82
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/prng.pod
@@ -0,0 +1,41 @@
+=head1 NAME
+
+ prng - pseudo-random number generator
+
+=head1 SYNOPSIS
+
+ prng [count]
+
+=head1 DESCRIPTION
+
+B<Prng> generates 32-bit pseudo-random integers using the
+Blum-Blum-Shub (BBS) quadratic residue generator.  It is seeded using
+the standard C library's rand() function, which itself seeded from the
+system clock and the process ID number.  Thus, the values generated
+are not particularly useful for cryptographic applications, but they
+are in general much better than the typical output of the usual
+multiplicative congruency generator used by most runtime libraries.
+
+You may optionally specify how many random values should be generated
+by giving a I<count> argument on the command line.  If you do not
+specify a count, only one random value will be generated.  The results
+are output to the standard output in decimal notation, one value per
+line.
+
+=head1 RESTRICTIONS
+
+As stated above, B<prng> uses the C library's rand() function to seed
+the generator, so it is not terribly suitable for cryptographic
+applications.  Also note that each time you run the program, a new
+seed is generated, so it is better to run it once with a I<count>
+parameter than it is to run it multiple times to generate several
+values.
+
+=head1 AUTHOR
+
+ Michael J. Fromberger <sting@linguist.dartmouth.edu>
+ Copyright (C) 1998 Michael J. Fromberger, All Rights Reserved
+ Thayer School of Engineering, Dartmouth College, Hanover, NH  USA
+
+ $Date$
+
diff --git a/security/nss/lib/freebl/mpi/doc/redux.txt b/security/nss/lib/freebl/mpi/doc/redux.txt
new file mode 100644
index 000000000..f6f8b6ad4
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/redux.txt
@@ -0,0 +1,118 @@
+Modular Reduction
+
+Usually, modular reduction is accomplished by long division, using the
+mp_div() or mp_mod() functions.  However, when performing modular
+exponentiation, you spend a lot of time reducing by the same modulus
+again and again.  For this purpose, doing a full division for each
+multiplication is quite inefficient.
+
+For this reason, the mp_exptmod() function does not perform modular
+reductions in the usual way, but instead takes advantage of an
+algorithm due to Barrett, as described by Menezes, Oorschot and
+VanStone in their book _Handbook of Applied Cryptography_, published
+by the CRC Press (see Chapter 14 for details).  This method reduces
+most of the computation of reduction to efficient shifting and masking
+operations, and avoids the multiple-precision division entirely.
+
+Here is a brief synopsis of Barrett reduction, as it is implemented in
+this library.
+
+Let b denote the radix of the computation (one more than the maximum
+value that can be denoted by an mp_digit).  Let m be the modulus, and
+let k be the number of significant digits of m.  Let x be the value to
+be reduced modulo m.  By the Division Theorem, there exist unique
+integers Q and R such that:
+
+	 x = Qm + R, 0 <= R < m
+
+Barrett reduction takes advantage of the fact that you can easily
+approximate Q to within two, given a value M such that:
+
+	                  2k
+	                 b
+	    M = floor( ----- )
+	                 m
+
+Computation of M requires a full-precision division step, so if you
+are only doing a single reduction by m, you gain no advantage.
+However, when multiple reductions by the same m are required, this
+division need only be done once, beforehand.  Using this, we can use
+the following equation to compute Q', an approximation of Q:
+
+                     x
+            floor( ------ ) M
+                      k-1
+                     b
+Q' = floor( ----------------- )
+                    k+1
+                   b
+
+The divisions by b^(k-1) and b^(k+1) and the floor() functions can be
+efficiently implemented with shifts and masks, leaving only a single
+multiplication to be performed to get this approximation.  It can be
+shown that Q - 2 <= Q' <= Q, so in the worst case, we can get out with
+two additional subtractions to bring the value into line with the
+actual value of Q.
+
+Once we've got Q', we basically multiply that by m and subtract from
+x, yielding:
+
+   x - Q'm = Qm + R - Q'm
+
+Since we know the constraint on Q', this is one of:
+
+      R
+      m + R
+      2m + R
+
+Since R < m by the Division Theorem, we can simply subtract off m
+until we get a value in the correct range, which will happen with no
+more than 2 subtractions:
+
+     v = x - Q'm
+
+     while(v >= m)
+       v = v - m
+     endwhile
+
+
+In random performance trials, modular exponentiation using this method
+of reduction gave around a 40% speedup over using the division for
+reduction.
+
+------------------------------------------------------------------
+The contents of this file are subject to the Mozilla Public
+License Version 1.1 (the "License"); you may not use this file
+except in compliance with the License. You may obtain a copy of
+the License at http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS
+IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+implied. See the License for the specific language governing
+rights and limitations under the License.
+
+The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+library.
+
+The Initial Developer of the Original Code is 
+Michael J. Fromberger <sting@linguist.dartmouth.edu>
+
+Portions created by Michael J. Fromberger are 
+Copyright (C) 1998, 2000 Michael J. Fromberger. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the
+terms of the GNU General Public License Version 2 or later (the
+"GPL"), in which case the provisions of the GPL are applicable
+instead of those above.  If you wish to allow use of your
+version of this file only under the terms of the GPL and not to
+allow others to use your version of this file under the MPL,
+indicate your decision by deleting the provisions above and
+replace them with the notice and other provisions required by
+the GPL.  If you do not delete the provisions above, a recipient
+may use your version of this file under either the MPL or the GPL.
+
+$Id$
+
+
diff --git a/security/nss/lib/freebl/mpi/doc/sqrt.txt b/security/nss/lib/freebl/mpi/doc/sqrt.txt
new file mode 100644
index 000000000..e14157caa
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/sqrt.txt
@@ -0,0 +1,82 @@
+Square Root
+
+A simple iterative algorithm is used to compute the greatest integer
+less than or equal to the square root.  Essentially, this is Newton's
+linear approximation, computed by finding successive values of the
+equation:
+
+		    x[k]^2 - V
+x[k+1]	 =  x[k] - ------------
+	             2 x[k]
+
+...where V is the value for which the square root is being sought.  In
+essence, what is happening here is that we guess a value for the
+square root, then figure out how far off we were by squaring our guess
+and subtracting the target.  Using this value, we compute a linear
+approximation for the error, and adjust the "guess".  We keep doing
+this until the precision gets low enough that the above equation
+yields a quotient of zero.  At this point, our last guess is one
+greater than the square root we're seeking.
+
+The initial guess is computed by dividing V by 4, which is a heuristic
+I have found to be fairly good on average.  This also has the
+advantage of being very easy to compute efficiently, even for large
+values.
+
+So, the resulting algorithm works as follows:
+
+    x = V / 4   /* compute initial guess */
+    
+    loop
+	t = (x * x) - V   /* Compute absolute error  */
+	u = 2 * x         /* Adjust by tangent slope */
+	t = t / u
+
+	/* Loop is done if error is zero */
+	if(t == 0)
+	    break
+
+	/* Adjust guess by error term    */
+	x = x - t
+    end
+
+    x = x - 1
+
+The result of the computation is the value of x.
+
+------------------------------------------------------------------
+The contents of this file are subject to the Mozilla Public
+License Version 1.1 (the "License"); you may not use this file
+except in compliance with the License. You may obtain a copy of
+the License at http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS
+IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+implied. See the License for the specific language governing
+rights and limitations under the License.
+
+The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+library.
+
+The Initial Developer of the Original Code is 
+Michael J. Fromberger <sting@linguist.dartmouth.edu>
+
+Portions created by Michael J. Fromberger are 
+Copyright (C) 1998, 2000 Michael J. Fromberger. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the
+terms of the GNU General Public License Version 2 or later (the
+"GPL"), in which case the provisions of the GPL are applicable
+instead of those above.  If you wish to allow use of your
+version of this file only under the terms of the GPL and not to
+allow others to use your version of this file under the MPL,
+indicate your decision by deleting the provisions above and
+replace them with the notice and other provisions required by
+the GPL.  If you do not delete the provisions above, a recipient
+may use your version of this file under either the MPL or the GPL.
+
+$Id$
+
+
diff --git a/security/nss/lib/freebl/mpi/doc/square.txt b/security/nss/lib/freebl/mpi/doc/square.txt
new file mode 100644
index 000000000..e0d28798a
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/square.txt
@@ -0,0 +1,104 @@
+Squaring Algorithm
+
+When you are squaring a value, you can take advantage of the fact that
+half the multiplications performed by the more general multiplication
+algorithm (see 'mul.txt' for a description) are redundant when the
+multiplicand equals the multiplier.
+
+In particular, the modified algorithm is:
+
+k = 0
+for j <- 0 to (#a - 1)
+  w = c[2*j] + (a[j] ^ 2);
+  k = w div R
+
+  for i <- j+1 to (#a - 1)
+    w = (2 * a[j] * a[i]) + k + c[i+j]
+    c[i+j] = w mod R
+    k = w div R
+  endfor
+  c[i+j] = k;
+  k = 0;
+endfor
+
+On the surface, this looks identical to the multiplication algorithm;
+however, note the following differences:
+
+  - precomputation of the leading term in the outer loop
+
+  - i runs from j+1 instead of from zero
+
+  - doubling of a[i] * a[j] in the inner product
+
+Unfortunately, the construction of the inner product is such that we
+need more than two digits to represent the inner product, in some
+cases.  In a C implementation, this means that some gymnastics must be
+performed in order to handle overflow, for which C has no direct
+abstraction.  We do this by observing the following:
+
+If we have multiplied a[i] and a[j], and the product is more than half
+the maximum value expressible in two digits, then doubling this result
+will overflow into a third digit.  If this occurs, we take note of the
+overflow, and double it anyway -- C integer arithmetic ignores
+overflow, so the two digits we get back should still be valid, modulo
+the overflow.
+
+Having doubled this value, we now have to add in the remainders and
+the digits already computed by earlier steps.  If we did not overflow
+in the previous step, we might still cause an overflow here.  That
+will happen whenever the maximum value expressible in two digits, less
+the amount we have to add, is greater than the result of the previous
+step.  Thus, the overflow computation is:
+
+
+  u = 0
+  w = a[i] * a[j]
+
+  if(w > (R - 1)/ 2)
+    u = 1;
+
+  w = w * 2
+  v = c[i + j] + k
+
+  if(u == 0 && (R - 1 - v) < w)
+    u = 1
+
+If there is an overflow, u will be 1, otherwise u will be 0.  The rest
+of the parameters are the same as they are in the above description.
+
+------------------------------------------------------------------
+The contents of this file are subject to the Mozilla Public
+License Version 1.1 (the "License"); you may not use this file
+except in compliance with the License. You may obtain a copy of
+the License at http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS
+IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+implied. See the License for the specific language governing
+rights and limitations under the License.
+
+The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+library.
+
+The Initial Developer of the Original Code is 
+Michael J. Fromberger <sting@linguist.dartmouth.edu>
+
+Portions created by Michael J. Fromberger are 
+Copyright (C) 1998, 2000 Michael J. Fromberger. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the
+terms of the GNU General Public License Version 2 or later (the
+"GPL"), in which case the provisions of the GPL are applicable
+instead of those above.  If you wish to allow use of your
+version of this file only under the terms of the GPL and not to
+allow others to use your version of this file under the MPL,
+indicate your decision by deleting the provisions above and
+replace them with the notice and other provisions required by
+the GPL.  If you do not delete the provisions above, a recipient
+may use your version of this file under either the MPL or the GPL.
+
+$Id$
+
+
diff --git a/security/nss/lib/freebl/mpi/doc/timing.txt b/security/nss/lib/freebl/mpi/doc/timing.txt
new file mode 100644
index 000000000..c1701063a
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/doc/timing.txt
@@ -0,0 +1,245 @@
+MPI Library Timing Tests
+
+Hardware/OS
+(A) SGI O2 1 x MIPS R10000 250MHz IRIX 6.5.3
+(B) IBM RS/6000 43P-240 1 x PowerPC 603e 223MHz AIX 4.3
+(C) Dell GX1/L+ 1 x Pentium III 550MHz Linux 2.2.12-20
+(D) PowerBook G3 1 x PowerPC 750 266MHz LinuxPPC 2.2.6-15apmac
+(E) PowerBook G3 1 x PowerPC 750 266MHz MacOS 8.5.1
+(F) PowerBook G3 1 x PowerPC 750 400MHz MacOS 9.0.2
+
+Compiler
+(1) MIPSpro C 7.2.1 -O3 optimizations
+(2) GCC 2.95.1 -O3 optimizations
+(3) IBM AIX xlc -O3 optimizations (version unknown)
+(4) EGCS 2.91.66 -O3 optimizations
+(5) Metrowerks CodeWarrior 5.0 C, all optimizations
+(6) MIPSpro C 7.30 -O3 optimizations
+(7) same as (6), with optimized libmalloc.so
+
+Timings are given in seconds, computed using the C library's clock()
+function.  The first column gives the hardware and compiler
+configuration used for the test. The second column indicates the
+number of tests that were aggregated to get the statistics for that
+size.  These were compiled using 16 bit digits.
+
+Source data were generated randomly using a fixed seed, so they should
+be internally consistent, but may vary on different systems depending
+on the C library.  Also, since the resolution of the timer accessed by
+clock() varies, there may be some variance in the precision of these
+measurements.
+
+Prime Generation (primegen)
+
+128 bits:
+A1      200     min=0.03, avg=0.19, max=0.72, sum=38.46
+A2      200     min=0.02, avg=0.16, max=0.62, sum=32.55
+B3      200     min=0.01, avg=0.07, max=0.22, sum=13.29
+C4      200     min=0.00, avg=0.03, max=0.20, sum=6.14
+D4      200     min=0.00, avg=0.05, max=0.33, sum=9.70
+A6      200     min=0.01, avg=0.09, max=0.36, sum=17.48
+A7      200     min=0.00, avg=0.05, max=0.24, sum=10.07
+
+192 bits:
+A1      200     min=0.05, avg=0.45, max=3.13, sum=89.96
+A2      200     min=0.04, avg=0.39, max=2.61, sum=77.55
+B3      200     min=0.02, avg=0.18, max=1.25, sum=36.97
+C4      200     min=0.01, avg=0.09, max=0.33, sum=18.24
+D4      200     min=0.02, avg=0.15, max=0.54, sum=29.63
+A6      200     min=0.02, avg=0.24, max=1.70, sum=47.84
+A7      200     min=0.01, avg=0.15, max=1.05, sum=30.88
+
+256 bits:
+A1      200     min=0.08, avg=0.92, max=6.13, sum=184.79
+A2      200     min=0.06, avg=0.76, max=5.03, sum=151.11
+B3      200     min=0.04, avg=0.41, max=2.68, sum=82.35
+C4      200     min=0.02, avg=0.19, max=0.69, sum=37.91
+D4      200     min=0.03, avg=0.31, max=1.15, sum=63.00
+A6      200     min=0.04, avg=0.48, max=3.13, sum=95.46
+A7      200     min=0.03, avg=0.37, max=2.36, sum=73.60
+
+320 bits:
+A1      200     min=0.11, avg=1.59, max=6.14, sum=318.81
+A2      200     min=0.09, avg=1.27, max=4.93, sum=254.03
+B3      200     min=0.07, avg=0.82, max=3.13, sum=163.80
+C4      200     min=0.04, avg=0.44, max=1.91, sum=87.59
+D4      200     min=0.06, avg=0.73, max=3.22, sum=146.73
+A6      200     min=0.07, avg=0.93, max=3.50, sum=185.01
+A7      200     min=0.05, avg=0.76, max=2.94, sum=151.78
+
+384 bits:
+A1      200     min=0.16, avg=2.69, max=11.41, sum=537.89
+A2      200     min=0.13, avg=2.15, max=9.03, sum=429.14
+B3      200     min=0.11, avg=1.54, max=6.49, sum=307.78
+C4      200     min=0.06, avg=0.81, max=4.84, sum=161.13
+D4      200     min=0.10, avg=1.38, max=8.31, sum=276.81
+A6      200     min=0.11, avg=1.73, max=7.36, sum=345.55
+A7      200     min=0.09, avg=1.46, max=6.12, sum=292.02
+
+448 bits:
+A1      200     min=0.23, avg=3.36, max=15.92, sum=672.63
+A2      200     min=0.17, avg=2.61, max=12.25, sum=522.86
+B3      200     min=0.16, avg=2.10, max=9.83, sum=420.86
+C4      200     min=0.09, avg=1.44, max=7.64, sum=288.36
+D4      200     min=0.16, avg=2.50, max=13.29, sum=500.17
+A6      200     min=0.15, avg=2.31, max=10.81, sum=461.58
+A7      200     min=0.14, avg=2.03, max=9.53, sum=405.16
+
+512 bits:
+A1      200     min=0.30, avg=6.12, max=22.18, sum=1223.35
+A2      200     min=0.25, avg=4.67, max=16.90, sum=933.18
+B3      200     min=0.23, avg=4.13, max=14.94, sum=825.45
+C4      200     min=0.13, avg=2.08, max=9.75, sum=415.22
+D4      200     min=0.24, avg=4.04, max=20.18, sum=808.11
+A6      200     min=0.22, avg=4.47, max=16.19, sum=893.83
+A7      200     min=0.20, avg=4.03, max=14.65, sum=806.02
+
+Modular Exponentation (metime)
+
+The following results are aggregated from 200 pseudo-randomly
+generated tests, based on a fixed seed. 
+
+                      base, exponent, and modulus size (bits)
+P/C       128   192   256   320   384   448   512   640   768   896  1024
+------- -----------------------------------------------------------------
+A1      0.015 0.027 0.047 0.069 0.098 0.133 0.176 0.294 0.458 0.680 1.040
+A2      0.013 0.024 0.037 0.053 0.077 0.102 0.133 0.214 0.326 0.476 0.668
+B3      0.005 0.011 0.021 0.036 0.056 0.084 0.121 0.222 0.370 0.573 0.840
+C4      0.002 0.006 0.011 0.020 0.032 0.048 0.069 0.129 0.223 0.344 0.507
+D4      0.004 0.010 0.019 0.034 0.056 0.085 0.123 0.232 0.390 0.609 0.899
+E5      0.007 0.015 0.031 0.055 0.088 0.133 0.183 0.342 0.574 0.893 1.317
+A6      0.008 0.016 0.038 0.042 0.064 0.093 0.133 0.239 0.393 0.604 0.880
+A7      0.005 0.011 0.020 0.036 0.056 0.083 0.121 0.223 0.374 0.583 0.855
+
+Multiplication and Squaring tests, (mulsqr)
+
+The following results are aggregated from 500000 pseudo-randomly
+generated tests, based on a per-run wall-clock seed.  Times are given
+in seconds, except where indicated in microseconds (us).
+
+(A1)
+
+bits    multiply    square  ad  percent time/mult   time/square
+64      9.33        9.15    >   1.9     18.7us      18.3us
+128     10.88       10.44   >   4.0     21.8us      20.9us
+192     13.30       11.89   >   10.6    26.7us      23.8us
+256     14.88       12.64   >   15.1    29.8us      25.3us
+320     18.64       15.01   >   19.5    37.3us      30.0us
+384     23.11       17.70   >   23.4    46.2us      35.4us
+448     28.28       20.88   >   26.2    56.6us      41.8us
+512     34.09       24.51   >   28.1    68.2us      49.0us
+640     47.86       33.25   >   30.5    95.7us      66.5us
+768     64.91       43.54   >   32.9    129.8us     87.1us
+896     84.49       55.48   >   34.3    169.0us     111.0us
+1024    107.25      69.21   >   35.5    214.5us     138.4us
+1536    227.97      141.91  >   37.8    456.0us     283.8us
+2048    394.05      242.15  >   38.5    788.1us     484.3us
+
+(A2)
+
+bits    multiply    square  ad  percent time/mult   time/square
+64      7.87        7.95    <   1.0     15.7us      15.9us
+128     9.40        9.19    >   2.2     18.8us      18.4us
+192     11.15       10.59   >   5.0     22.3us      21.2us
+256     12.02       11.16   >   7.2     24.0us      22.3us
+320     14.62       13.43   >   8.1     29.2us      26.9us
+384     17.72       15.80   >   10.8    35.4us      31.6us
+448     21.24       18.51   >   12.9    42.5us      37.0us
+512     25.36       21.78   >   14.1    50.7us      43.6us
+640     34.57       29.00   >   16.1    69.1us      58.0us
+768     46.10       37.60   >   18.4    92.2us      75.2us
+896     58.94       47.72   >   19.0    117.9us     95.4us
+1024    73.76       59.12   >   19.8    147.5us     118.2us
+1536    152.00      118.80  >   21.8    304.0us     237.6us
+2048    259.41      199.57  >   23.1    518.8us     399.1us
+
+(B3)
+
+bits    multiply    square  ad  percent time/mult   time/square
+64      2.60        2.47    >   5.0     5.20us      4.94us
+128     4.43        4.06    >   8.4     8.86us      8.12us
+192     7.03        6.10    >   13.2    14.1us      12.2us
+256     10.44       8.59    >   17.7    20.9us      17.2us
+320     14.44       11.64   >   19.4    28.9us      23.3us
+384     19.12       15.08   >   21.1    38.2us      30.2us
+448     24.55       19.09   >   22.2    49.1us      38.2us
+512     31.03       23.53   >   24.2    62.1us      47.1us
+640     45.05       33.80   >   25.0    90.1us      67.6us
+768     63.02       46.05   >   26.9    126.0us     92.1us
+896     83.74       60.29   >   28.0    167.5us     120.6us
+1024    106.73      76.65   >   28.2    213.5us     153.3us
+1536    228.94      160.98  >   29.7    457.9us     322.0us
+2048    398.08      275.93  >   30.7    796.2us     551.9us
+
+(C4)
+
+bits    multiply    square  ad  percent time/mult   time/square
+64      1.34        1.28    >   4.5     2.68us      2.56us
+128     2.76        2.59    >   6.2     5.52us      5.18us
+192     4.52        4.16    >   8.0     9.04us      8.32us
+256     6.64        5.99    >   9.8     13.3us      12.0us
+320     9.20        8.13    >   11.6    18.4us      16.3us
+384     12.01       10.58   >   11.9    24.0us      21.2us
+448     15.24       13.33   >   12.5    30.5us      26.7us
+512     19.02       16.46   >   13.5    38.0us      32.9us
+640     27.56       23.54   >   14.6    55.1us      47.1us
+768     37.89       31.78   >   16.1    75.8us      63.6us
+896     49.24       41.42   >   15.9    98.5us      82.8us
+1024    62.59       52.18   >   16.6    125.2us     104.3us
+1536    131.66      107.72  >   18.2    263.3us     215.4us
+2048    226.45      182.95  >   19.2    453.0us     365.9us
+
+(A7)
+
+bits    multiply    square  ad  percent time/mult   time/square
+64      1.74        1.71    >   1.7     3.48us      3.42us
+128     3.48        2.96    >   14.9    6.96us      5.92us
+192     5.74        4.60    >   19.9    11.5us      9.20us
+256     8.75        6.61    >   24.5    17.5us      13.2us
+320     12.5        8.99    >   28.1    25.0us      18.0us
+384     16.9        11.9    >   29.6    33.8us      23.8us
+448     22.2        15.2    >   31.7    44.4us      30.4us
+512     28.3        19.0    >   32.7    56.6us      38.0us
+640     42.4        28.0    >   34.0    84.8us      56.0us
+768     59.4        38.5    >   35.2    118.8us     77.0us
+896     79.5        51.2    >   35.6    159.0us     102.4us
+1024    102.6	    65.5    >	36.2	205.2us	    131.0us
+1536    224.3	    140.6   >	37.3	448.6us	    281.2us
+2048    393.4	    244.3   >	37.9	786.8us	    488.6us
+
+------------------------------------------------------------------
+The contents of this file are subject to the Mozilla Public
+License Version 1.1 (the "License"); you may not use this file
+except in compliance with the License. You may obtain a copy of
+the License at http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS
+IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+implied. See the License for the specific language governing
+rights and limitations under the License.
+
+The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+library.
+
+The Initial Developer of the Original Code is 
+Michael J. Fromberger <sting@linguist.dartmouth.edu>
+
+Portions created by Michael J. Fromberger are 
+Copyright (C) 1998, 2000 Michael J. Fromberger. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the
+terms of the GNU General Public License Version 2 or later (the
+"GPL"), in which case the provisions of the GPL are applicable
+instead of those above.  If you wish to allow use of your
+version of this file only under the terms of the GPL and not to
+allow others to use your version of this file under the MPL,
+indicate your decision by deleting the provisions above and
+replace them with the notice and other provisions required by
+the GPL.  If you do not delete the provisions above, a recipient
+may use your version of this file under either the MPL or the GPL.
+
+$Id$
+
+
diff --git a/security/nss/lib/freebl/mpi/hpma512.s b/security/nss/lib/freebl/mpi/hpma512.s
new file mode 100644
index 000000000..f8241ac3e
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/hpma512.s
@@ -0,0 +1,640 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is multacc512 multiple-precision integer arithmetic.
+ * 
+ * The Initial Developer of the Original Code is Hewlett-Packard Company.
+ * Portions created by Hewlett-Packard Company are 
+ * Copyright (C) March 1999, Hewlett-Packard Company. All Rights Reserved.
+ * 
+ * Contributor(s):
+ *  coded by:   Bill Worley, Hewlett-Packard labs
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ *  This PA-RISC 2.0 function computes the product of two unsigned integers,
+ *  and adds the result to a previously computed integer.  The multiplicand
+ *  is a 512-bit (64-byte, eight doubleword) unsigned integer, stored in
+ *  memory in little-double-wordian order.  The multiplier is an unsigned
+ *  64-bit integer.  The previously computed integer to which the product is
+ *  added is located in the result ("res") area, and is assumed to be a
+ *  576-bit (72-byte, nine doubleword) unsigned integer, stored in memory
+ *  in little-double-wordian order.  This value normally will be the result
+ *  of a previously computed nine doubleword result.  It is not necessary
+ *  to pad the multiplicand with an additional 64-bit zero doubleword.
+ *
+ *  Multiplicand, multiplier, and addend ideally should be aligned at
+ *  16-byte boundaries for best performance.  The code will function
+ *  correctly for alignment at eight-byte boundaries which are not 16-byte
+ *  boundaries, but the execution may be slightly slower due to even/odd
+ *  bank conflicts on PA-RISC 8000 processors.
+ *
+ *  This function is designed to accept the same calling sequence as Bill
+ *  Ackerman's "maxpy_little" function.  The carry from the ninth doubleword
+ *  of the result is written to the tenth word of the result, as is done by
+ *  Bill Ackerman's function.  The final carry also is returned as an
+ *  integer, which may be ignored.  The function prototype may be either
+ *  of the following:
+ *
+ *      void multacc512( int l, chunk* m, const chunk* a, chunk* res );
+ *          or
+ *      int multacc512( int l, chunk* m, const chunk* a, chunk* res );
+ *
+ *  where:  "l" originally denoted vector lengths.  This parameter is
+ *      ignored.  This function always assumes a multiplicand length of
+ *      512 bits (eight doublewords), and addend and result lengths of
+ *      576 bits (nine doublewords).
+ *
+ *      "m" is a pointer to the doubleword multiplier, ideally aligned
+ *      on a 16-byte boundary.
+ *
+ *      "a" is a pointer to the eight-doubleword multiplicand, stored
+ *      in little-double-wordian order, and ideally aligned on a 16-byte
+ *      boundary.
+ *
+ *      "res" is a pointer to the nine doubleword addend, and to the
+ *      nine-doubleword product computed by this function.  The result
+ *      also is stored in little-double-wordian order, and ideally is
+ *      aligned on a 16-byte boundary. It is expected that the alignment
+ *      of the "res" area may alternate between even/odd doubleword
+ *      boundaries for successive calls for 512-bit x 512-bit
+ *      multiplications.
+ *
+ *  The code for this function has been scheduled to use the parallelism
+ *  of the PA-RISC 8000 series microprocessors as well as the author was
+ *  able.  Comments and/or suggestions for improvement are welcomed.
+ *
+ *  The code is "64-bit safe".  This means it may be called in either
+ *  the 32ILP context or the 64LP context.  All 64-bits of registers are
+ *  saved and restored.
+ *
+ *  This code is self-contained.  It requires no other header files in order
+ *  to compile and to be linkable on a PA-RISC 2.0 machine.  Symbolic
+ *  definitions for registers and stack offsets are included within this
+ *  one source file.
+ *
+ *  This is a leaf routine.  As such, minimal use is made of the stack area.
+ *  Of the 192 bytes allocated, 64 bytes are used for saving/restoring eight
+ *  general registers, and 128 bytes are used to move intermediate products
+ *  from the floating-point registers to the general registers.  Stack
+ *  protocols assure proper alignment of these areas.
+ *
+ */
+
+
+/*  ====================================================================*/
+/*      symbolic definitions for PA-RISC registers      */
+/*      in the MIPS style, avoids lots of case shifts       */
+/*      assigments (except t4) preserve register number parity  */
+/*  ====================================================================*/
+
+#define zero    %r0         /* permanent zero */
+#define t5      %r1         /* temp register, altered by addil */
+
+#define rp      %r2         /* return pointer */
+
+#define s1      %r3         /* callee saves register*/
+#define s0      %r4         /* callee saves register*/
+#define s3      %r5         /* callee saves register*/
+#define s2      %r6         /* callee saves register*/
+#define s5      %r7         /* callee saves register*/
+#define s4      %r8         /* callee saves register*/
+#define s7      %r9         /* callee saves register*/
+#define s6      %r10        /* callee saves register*/
+
+#define t1      %r19        /* caller saves register*/
+#define t0      %r20        /* caller saves register*/
+#define t3      %r21        /* caller saves register*/
+#define t2      %r22        /* caller saves register*/
+
+#define a3      %r23        /* fourth argument register, high word */
+#define a2      %r24        /* third argument register, low word*/
+#define a1      %r25        /* second argument register, high word*/
+#define a0      %r26        /* first argument register, low word*/
+
+#define v0      %r28        /* high order return value*/
+#define v1      %r29        /* low order return value*/
+
+#define sp      %r30        /* stack pointer*/
+#define t4      %r31        /* temporary register   */
+
+#define fa0     %fr4        /* first argument register*/
+#define fa1     %fr5        /* second argument register*/
+#define fa2     %fr6        /* third argument register*/
+#define fa3     %fr7        /* fourth argument register*/
+
+#define fa0r    %fr4R       /* first argument register*/
+#define fa1r    %fr5R       /* second argument register*/
+#define fa2r    %fr6R       /* third argument register*/
+#define fa3r    %fr7R       /* fourth argument register*/
+
+#define ft0     %fr8        /* caller saves register*/
+#define ft1     %fr9        /* caller saves register*/
+#define ft2     %fr10       /* caller saves register*/
+#define ft3     %fr11       /* caller saves register*/
+
+#define ft0r    %fr8R       /* caller saves register*/
+#define ft1r    %fr9R       /* caller saves register*/
+#define ft2r    %fr10R      /* caller saves register*/
+#define ft3r    %fr11R      /* caller saves register*/
+
+#define ft4     %fr22       /* caller saves register*/
+#define ft5     %fr23       /* caller saves register*/
+#define ft6     %fr24       /* caller saves register*/
+#define ft7     %fr25       /* caller saves register*/
+#define ft8     %fr26       /* caller saves register*/
+#define ft9     %fr27       /* caller saves register*/
+#define ft10    %fr28       /* caller saves register*/
+#define ft11    %fr29       /* caller saves register*/
+#define ft12    %fr30       /* caller saves register*/
+#define ft13    %fr31       /* caller saves register*/
+
+#define ft4r    %fr22R      /* caller saves register*/
+#define ft5r    %fr23R      /* caller saves register*/
+#define ft6r    %fr24R      /* caller saves register*/
+#define ft7r    %fr25R      /* caller saves register*/
+#define ft8r    %fr26R      /* caller saves register*/
+#define ft9r    %fr27R      /* caller saves register*/
+#define ft10r   %fr28R      /* caller saves register*/
+#define ft11r   %fr29R      /* caller saves register*/
+#define ft12r   %fr30R      /* caller saves register*/
+#define ft13r   %fr31R      /* caller saves register*/
+
+
+
+/*  ================================================================== */
+/*      functional definitions for PA-RISC registers           */
+/*  ================================================================== */
+
+/*              general registers           */
+
+#define T1      a0          /* temp, (length parameter ignored)             */
+
+#define pM      a1          /* -> 64-bit multiplier                         */
+#define T2      a1          /* temp, (after fetching multiplier)            */
+
+#define pA      a2          /* -> multiplicand vector (8 64-bit words)      */
+#define T3      a2          /* temp, (after fetching multiplicand)          */
+
+#define pR      a3          /* -> addend vector (8 64-bit doublewords,
+                                  result vector (9 64-bit words)            */
+
+#define S0      s0          /* callee saves summand registers               */
+#define S1      s1
+#define S2      s2
+#define S3      s3
+#define S4      s4
+#define S5      s5
+#define S6      s6
+#define S7      s7
+
+#define S8      v0          /* caller saves summand registers               */
+#define S9      v1
+#define S10     t0
+#define S11     t1
+#define S12     t2
+#define S13     t3
+#define S14     t4
+#define S15     t5
+
+
+
+/*              floating-point registers                                    */
+
+#define M       fa0         /* multiplier double word                       */
+#define MR      fa0r        /* low order half of multiplier double word     */
+#define ML      fa0         /* high order half of multiplier double word    */
+
+#define A0      fa2         /* multiplicand double word 0                   */
+#define A0R     fa2r        /* low order half of multiplicand double word   */
+#define A0L     fa2         /* high order half of multiplicand double word  */
+
+#define A1      fa3         /* multiplicand double word 1                   */
+#define A1R     fa3r        /* low order half of multiplicand double word   */
+#define A1L     fa3         /* high order half of multiplicand double word  */
+
+#define A2      ft0         /* multiplicand double word 2                   */
+#define A2R     ft0r        /* low order half of multiplicand double word   */
+#define A2L     ft0         /* high order half of multiplicand double word  */
+
+#define A3      ft1         /* multiplicand double word 3                   */
+#define A3R     ft1r        /* low order half of multiplicand double word   */
+#define A3L     ft1         /* high order half of multiplicand double word  */
+
+#define A4      ft2         /* multiplicand double word 4                   */
+#define A4R     ft2r        /* low order half of multiplicand double word   */
+#define A4L     ft2         /* high order half of multiplicand double word  */
+
+#define A5      ft3         /* multiplicand double word 5                   */
+#define A5R     ft3r        /* low order half of multiplicand double word   */
+#define A5L     ft3         /* high order half of multiplicand double word  */
+
+#define A6      ft4         /* multiplicand double word 6                   */
+#define A6R     ft4r        /* low order half of multiplicand double word   */
+#define A6L     ft4         /* high order half of multiplicand double word  */
+
+#define A7      ft5         /* multiplicand double word 7                   */
+#define A7R     ft5r        /* low order half of multiplicand double word   */
+#define A7L     ft5         /* high order half of multiplicand double word  */
+
+#define P0      ft6         /* product word 0                               */
+#define P1      ft7         /* product word 0                               */
+#define P2      ft8         /* product word 0                               */
+#define P3      ft9         /* product word 0                               */
+#define P4      ft10        /* product word 0                               */
+#define P5      ft11        /* product word 0                               */
+#define P6      ft12        /* product word 0                               */
+#define P7      ft13        /* product word 0                               */
+
+
+
+
+/*  ======================================================================  */
+/*      symbolic definitions for HP-UX stack offsets                        */
+/*      symbolic definitions for memory NOPs                                */
+/*  ======================================================================  */
+
+#define ST_SZ       192         /* stack area total size                    */
+
+#define SV0         -192(sp)    /* general register save area               */
+#define SV1         -184(sp)
+#define SV2         -176(sp)
+#define SV3         -168(sp)
+#define SV4         -160(sp)
+#define SV5         -152(sp)
+#define SV6         -144(sp)
+#define SV7         -136(sp)
+
+#define XF0         -128(sp)    /* data transfer area                       */
+#define XF1         -120(sp)    /* for floating-pt to integer regs          */
+#define XF2         -112(sp)
+#define XF3         -104(sp)
+#define XF4         -96(sp)
+#define XF5         -88(sp)
+#define XF6         -80(sp)
+#define XF7         -72(sp)
+#define XF8         -64(sp)
+#define XF9         -56(sp)
+#define XF10        -48(sp)
+#define XF11        -40(sp)
+#define XF12        -32(sp)
+#define XF13        -24(sp)
+#define XF14        -16(sp)
+#define XF15        -8(sp)
+
+#define mnop    proberi (sp),3,zero     /* memory NOP                       */
+
+
+
+
+/*  ======================================================================  */
+/*      assembler formalities                                               */
+/*  ======================================================================  */
+
+#ifdef __LP64__
+                .level  2.0W
+#else
+                .level  2.0
+#endif
+                .space    $TEXT$
+                .subspa   $CODE$
+                .align    16
+
+/*  ======================================================================  */
+/*      here to compute 64-bit x 512-bit product + 512-bit addend           */
+/*  ======================================================================  */
+
+multacc512
+        .PROC
+        .CALLINFO
+        .ENTER
+    fldd    0(pM),M                 ; multiplier double word
+    ldo     ST_SZ(sp),sp            ; push stack
+
+    fldd    0(pA),A0                ; multiplicand double word 0
+    std     S1,SV1                  ; save s1
+
+    fldd    16(pA),A2               ; multiplicand double word 2
+    std     S3,SV3                  ; save s3
+
+    fldd    32(pA),A4               ; multiplicand double word 4
+    std     S5,SV5                  ; save s5
+
+    fldd    48(pA),A6               ; multiplicand double word 6
+    std     S7,SV7                  ; save s7
+
+
+    std     S0,SV0                  ; save s0
+    fldd    8(pA),A1                ; multiplicand double word 1
+    xmpyu   MR,A0L,P0               ; A0 cross 32-bit word products
+    xmpyu   ML,A0R,P2
+
+    std     S2,SV2                  ; save s2
+    fldd    24(pA),A3               ; multiplicand double word 3
+    xmpyu   MR,A2L,P4               ; A2 cross 32-bit word products
+    xmpyu   ML,A2R,P6
+
+    std     S4,SV4                  ; save s4
+    fldd    40(pA),A5               ; multiplicand double word 5
+
+    std     S6,SV6                  ; save s6
+    fldd    56(pA),A7               ; multiplicand double word 7
+
+
+    fstd    P0,XF0                  ; MR * A0L
+    xmpyu   MR,A0R,P0               ; A0 right 32-bit word product
+    xmpyu   MR,A1L,P1               ; A1 cross 32-bit word product
+
+    fstd    P2,XF2                  ; ML * A0R
+    xmpyu   ML,A0L,P2               ; A0 left 32-bit word product
+    xmpyu   ML,A1R,P3               ; A1 cross 32-bit word product
+
+    fstd    P4,XF4                  ; MR * A2L
+    xmpyu   MR,A2R,P4               ; A2 right 32-bit word product
+    xmpyu   MR,A3L,P5               ; A3 cross 32-bit word product
+
+    fstd    P6,XF6                  ; ML * A2R
+    xmpyu   ML,A2L,P6               ; A2 parallel 32-bit word product
+    xmpyu   ML,A3R,P7               ; A3 cross 32-bit word product
+
+
+    ldd     XF0,S0                  ; MR * A0L
+    fstd    P1,XF1                  ; MR * A1L
+
+    ldd     XF2,S2                  ; ML * A0R
+    fstd    P3,XF3                  ; ML * A1R
+
+    ldd     XF4,S4                  ; MR * A2L
+    fstd    P5,XF5                  ; MR * A3L
+    xmpyu   MR,A1R,P1               ; A1 parallel 32-bit word products
+    xmpyu   ML,A1L,P3
+
+    ldd     XF6,S6                  ; ML * A2R
+    fstd    P7,XF7                  ; ML * A3R
+    xmpyu   MR,A3R,P5               ; A3 parallel 32-bit word products
+    xmpyu   ML,A3L,P7
+
+
+    fstd    P0,XF0                  ; MR * A0R
+    ldd     XF1,S1                  ; MR * A1L
+    nop
+    add     S0,S2,T1                ; A0 cross product sum
+
+    fstd    P2,XF2                  ; ML * A0L
+    ldd     XF3,S3                  ; ML * A1R
+    add,dc  zero,zero,S0            ; A0 cross product sum carry
+    depd,z  T1,31,32,S2             ; A0 cross product sum << 32
+
+    fstd    P4,XF4                  ; MR * A2R
+    ldd     XF5,S5                  ; MR * A3L
+    shrpd   S0,T1,32,S0             ; A0 carry | cross product sum >> 32
+    add     S4,S6,T3                ; A2 cross product sum
+
+    fstd    P6,XF6                  ; ML * A2L
+    ldd     XF7,S7                  ; ML * A3R
+    add,dc  zero,zero,S4            ; A2 cross product sum carry
+    depd,z  T3,31,32,S6             ; A2 cross product sum << 32
+
+
+    ldd     XF0,S8                  ; MR * A0R
+    fstd    P1,XF1                  ; MR * A1R
+    xmpyu   MR,A4L,P0               ; A4 cross 32-bit word product
+    xmpyu   MR,A5L,P1               ; A5 cross 32-bit word product
+
+    ldd     XF2,S10                 ; ML * A0L
+    fstd    P3,XF3                  ; ML * A1L
+    xmpyu   ML,A4R,P2               ; A4 cross 32-bit word product
+    xmpyu   ML,A5R,P3               ; A5 cross 32-bit word product
+
+    ldd     XF4,S12                 ; MR * A2R
+    fstd    P5,XF5                  ; MR * A3L
+    xmpyu   MR,A6L,P4               ; A6 cross 32-bit word product
+    xmpyu   MR,A7L,P5               ; A7 cross 32-bit word product
+
+    ldd     XF6,S14                 ; ML * A2L
+    fstd    P7,XF7                  ; ML * A3L
+    xmpyu   ML,A6R,P6               ; A6 cross 32-bit word product
+    xmpyu   ML,A7R,P7               ; A7 cross 32-bit word product
+
+
+    fstd    P0,XF0                  ; MR * A4L
+    ldd     XF1,S9                  ; MR * A1R
+    shrpd   S4,T3,32,S4             ; A2 carry | cross product sum >> 32
+    add     S1,S3,T1                ; A1 cross product sum
+
+    fstd    P2,XF2                  ; ML * A4R
+    ldd     XF3,S11                 ; ML * A1L
+    add,dc  zero,zero,S1            ; A1 cross product sum carry
+    depd,z  T1,31,32,S3             ; A1 cross product sum << 32
+
+    fstd    P4,XF4                  ; MR * A6L
+    ldd     XF5,S13                 ; MR * A3R
+    shrpd   S1,T1,32,S1             ; A1 carry | cross product sum >> 32
+    add     S5,S7,T3                ; A3 cross product sum
+
+    fstd    P6,XF6                  ; ML * A6R
+    ldd     XF7,S15                 ; ML * A3L
+    add,dc  zero,zero,S5            ; A3 cross product sum carry
+    depd,z  T3,31,32,S7             ; A3 cross product sum << 32
+
+
+    shrpd   S5,T3,32,S5             ; A3 carry | cross product sum >> 32
+    add     S2,S8,S8                ; M * A0 right doubleword, P0 doubleword
+
+    add,dc  S0,S10,S10              ; M * A0 left doubleword
+    add     S3,S9,S9                ; M * A1 right doubleword
+
+    add,dc  S1,S11,S11              ; M * A1 left doubleword
+    add     S6,S12,S12              ; M * A2 right doubleword
+
+
+    ldd     24(pR),S3               ; Addend word 3
+    fstd    P1,XF1                  ; MR * A5L
+    add,dc  S4,S14,S14              ; M * A2 left doubleword
+    xmpyu   MR,A5R,P1               ; A5 right 32-bit word product
+
+    ldd     8(pR),S1                ; Addend word 1
+    fstd    P3,XF3                  ; ML * A5R
+    add     S7,S13,S13              ; M * A3 right doubleword
+    xmpyu   ML,A5L,P3               ; A5 left 32-bit word product
+
+    ldd     0(pR),S7                ; Addend word 0
+    fstd    P5,XF5                  ; MR * A7L
+    add,dc  S5,S15,S15              ; M * A3 left doubleword
+    xmpyu   MR,A7R,P5               ; A7 right 32-bit word product
+
+    ldd     16(pR),S5               ; Addend word 2
+    fstd    P7,XF7                  ; ML * A7R
+    add     S10,S9,S9               ; P1 doubleword
+    xmpyu   ML,A7L,P7               ; A7 left 32-bit word products
+
+
+    ldd     XF0,S0                  ; MR * A4L
+    fstd    P1,XF9                  ; MR * A5R
+    add,dc  S11,S12,S12             ; P2 doubleword
+    xmpyu   MR,A4R,P0               ; A4 right 32-bit word product
+
+    ldd     XF2,S2                  ; ML * A4R
+    fstd    P3,XF11                 ; ML * A5L
+    add,dc  S14,S13,S13             ; P3 doubleword
+    xmpyu   ML,A4L,P2               ; A4 left 32-bit word product
+
+    ldd     XF6,S6                  ; ML * A6R
+    fstd    P5,XF13                 ; MR * A7R
+    add,dc  zero,S15,T2             ; P4 partial doubleword
+    xmpyu   MR,A6R,P4               ; A6 right 32-bit word product
+
+    ldd     XF4,S4                  ; MR * A6L
+    fstd    P7,XF15                 ; ML * A7L
+    add     S7,S8,S8                ; R0 + P0, new R0 doubleword
+    xmpyu   ML,A6L,P6               ; A6 left 32-bit word product
+
+
+    fstd    P0,XF0                  ; MR * A4R
+    ldd     XF7,S7                  ; ML * A7R
+    add,dc  S1,S9,S9                ; c + R1 + P1, new R1 doubleword
+
+    fstd    P2,XF2                  ; ML * A4L
+    ldd     XF1,S1                  ; MR * A5L
+    add,dc  S5,S12,S12              ; c + R2 + P2, new R2 doubleword
+
+    fstd    P4,XF4                  ; MR * A6R
+    ldd     XF5,S5                  ; MR * A7L
+    add,dc  S3,S13,S13              ; c + R3 + P3, new R3 doubleword
+
+    fstd    P6,XF6                  ; ML * A6L
+    ldd     XF3,S3                  ; ML * A5R
+    add,dc  zero,T2,T2              ; c + partial P4
+    add     S0,S2,T1                ; A4 cross product sum
+
+
+    std     S8,0(pR)                ; save R0
+    add,dc  zero,zero,S0            ; A4 cross product sum carry
+    depd,z  T1,31,32,S2             ; A4 cross product sum << 32
+
+    std     S9,8(pR)                ; save R1
+    shrpd   S0,T1,32,S0             ; A4 carry | cross product sum >> 32
+    add     S4,S6,T3                ; A6 cross product sum
+
+    std     S12,16(pR)              ; save R2
+    add,dc  zero,zero,S4            ; A6 cross product sum carry
+    depd,z  T3,31,32,S6             ; A6 cross product sum << 32
+
+
+    std     S13,24(pR)              ; save R3
+    shrpd   S4,T3,32,S4             ; A6 carry | cross product sum >> 32
+    add     S1,S3,T1                ; A5 cross product sum
+
+    ldd     XF0,S8                  ; MR * A4R
+    add,dc  zero,zero,S1            ; A5 cross product sum carry
+    depd,z  T1,31,32,S3             ; A5 cross product sum << 32
+
+    ldd     XF2,S10                 ; ML * A4L
+    ldd     XF9,S9                  ; MR * A5R
+    shrpd   S1,T1,32,S1             ; A5 carry | cross product sum >> 32
+    add     S5,S7,T3                ; A7 cross product sum
+
+    ldd     XF4,S12                 ; MR * A6R
+    ldd     XF11,S11                ; ML * A5L
+    add,dc  zero,zero,S5            ; A7 cross product sum carry
+    depd,z  T3,31,32,S7             ; A7 cross product sum << 32
+
+    ldd     XF6,S14                 ; ML * A6L
+    ldd     XF13,S13                ; MR * A7R
+    shrpd   S5,T3,32,S5             ; A7 carry | cross product sum >> 32
+    add     S2,S8,S8                ; M * A4 right doubleword
+
+
+    ldd     XF15,S15                ; ML * A7L
+    add,dc  S0,S10,S10              ; M * A4 left doubleword
+    add     S3,S9,S9                ; M * A5 right doubleword
+
+    add,dc  S1,S11,S11              ; M * A5 left doubleword
+    add     S6,S12,S12              ; M * A6 right doubleword
+
+    ldd     32(pR),S0               ; Addend word 4
+    ldd     40(pR),S1               ; Addend word 5
+    add,dc  S4,S14,S14              ; M * A6 left doubleword
+    add     S7,S13,S13              ; M * A7 right doubleword
+
+    ldd     48(pR),S2               ; Addend word 6
+    ldd     56(pR),S3               ; Addend word 7
+    add,dc  S5,S15,S15              ; M * A7 left doubleword
+    add     S8,T2,S8                ; P4 doubleword
+
+    ldd     64(pR),S4               ; Addend word 8
+    ldd     SV5,s5                  ; restore s5
+    add,dc  S10,S9,S9               ; P5 doubleword
+    add,dc  S11,S12,S12             ; P6 doubleword
+
+
+    ldd     SV6,s6                  ; restore s6
+    ldd     SV7,s7                  ; restore s7
+    add,dc  S14,S13,S13             ; P7 doubleword
+    add,dc  zero,S15,S15            ; P8 doubleword
+
+    add     S0,S8,S8                ; new R4 doubleword
+
+    ldd     SV0,s0                  ; restore s0
+    std     S8,32(pR)               ; save R4
+    add,dc  S1,S9,S9                ; new R5 doubleword
+
+    ldd     SV1,s1                  ; restore s1
+    std     S9,40(pR)               ; save R5
+    add,dc  S2,S12,S12              ; new R6 doubleword
+
+    ldd     SV2,s2                  ; restore s2
+    std     S12,48(pR)              ; save R6
+    add,dc  S3,S13,S13              ; new R7 doubleword
+
+    ldd     SV3,s3                  ; restore s3
+    std     S13,56(pR)              ; save R7
+    add,dc  S4,S15,S15              ; new R8 doubleword
+
+    ldd     SV4,s4                  ; restore s4
+    std     S15,64(pR)              ; save result[8]
+    add,dc  zero,zero,v0            ; return carry from R8
+
+    CMPIB,*= 0,v0,$L0               ; if no overflow, exit
+    LDO     8(pR),pR
+
+$FINAL1                             ; Final carry propagation
+    LDD     64(pR),v0
+    LDO     8(pR),pR
+    ADDI    1,v0,v0
+    CMPIB,*= 0,v0,$FINAL1           ; Keep looping if there is a carry.
+    STD     v0,56(pR)
+$L0
+    bv      zero(rp)                ; -> caller
+    ldo     -ST_SZ(sp),sp           ; pop stack
+
+/*  ======================================================================  */
+/*      end of module                                                       */
+/*  ======================================================================  */
+
+                .LEAVE
+
+                .PROCEND
+                .SPACE         $TEXT$
+                .SUBSPA        $CODE$
+                .EXPORT        multacc512,ENTRY
+
+        .end
diff --git a/security/nss/lib/freebl/mpi/hppa20.s b/security/nss/lib/freebl/mpi/hppa20.s
new file mode 100644
index 000000000..f7579b805
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/hppa20.s
@@ -0,0 +1,929 @@
+; The contents of this file are subject to the Mozilla Public
+; License Version 1.1 (the "License"); you may not use this file
+; except in compliance with the License. You may obtain a copy of
+; the License at http://www.mozilla.org/MPL/
+; 
+; Software distributed under the License is distributed on an "AS
+; IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+; implied. See the License for the specific language governing
+; rights and limitations under the License.
+; 
+; The Original Code is MAXPY multiple-precision integer arithmetic.
+; 
+; The Initial Developer of the Original Code is the Hewlett-Packard Company.
+; Portions created by Hewlett-Packard Company are 
+; Copyright (C) 1997 Hewlett-Packard Company.  All Rights Reserved.
+; 
+; Contributor(s):
+;  coded by:   William B. Ackerman
+; 
+; Alternatively, the contents of this file may be used under the
+; terms of the GNU General Public License Version 2 or later (the
+; "GPL"), in which case the provisions of the GPL are applicable 
+; instead of those above.  If you wish to allow use of your 
+; version of this file only under the terms of the GPL and not to
+; allow others to use your version of this file under the MPL,
+; indicate your decision by deleting the provisions above and
+; replace them with the notice and other provisions required by
+; the GPL.  If you do not delete the provisions above, a recipient
+; may use your version of this file under either the MPL or the
+; GPL.
+
+#ifdef __LP64__
+        .LEVEL   2.0W
+#else
+;       .LEVEL   1.1
+;       .ALLOW   2.0N
+        .LEVEL   2.0N
+#endif
+        .SPACE   $TEXT$,SORT=8
+        .SUBSPA  $CODE$,QUAD=0,ALIGN=4,ACCESS=0x2c,CODE_ONLY,SORT=24
+
+; ***************************************************************
+;
+;                 maxpy_[little/big]
+;
+; ***************************************************************
+
+; There is no default -- you must specify one or the other.
+#define LITTLE_WORDIAN 1
+
+#ifdef LITTLE_WORDIAN
+#define EIGHT 8
+#define SIXTEEN 16
+#define THIRTY_TWO 32
+#define UN_EIGHT -8
+#define UN_SIXTEEN -16
+#define UN_TWENTY_FOUR -24
+#endif
+
+#ifdef BIG_WORDIAN
+#define EIGHT -8
+#define SIXTEEN -16
+#define THIRTY_TWO -32
+#define UN_EIGHT 8
+#define UN_SIXTEEN 16
+#define UN_TWENTY_FOUR 24
+#endif
+
+; This performs a multiple-precision integer version of "daxpy",
+; Using the selected addressing direction.  "Little-wordian" means that
+; the least significant word of a number is stored at the lowest address.
+; "Big-wordian" means that the most significant word is at the lowest
+; address.  Either way, the incoming address of the vector is that
+; of the least significant word.  That means that, for little-wordian
+; addressing, we move the address upward as we propagate carries
+; from the least significant word to the most significant.  For
+; big-wordian we move the address downward.
+
+; We use the following registers:
+;
+;     r2   return PC, of course
+;     r26 = arg1 =  length
+;     r25 = arg2 =  address of scalar
+;     r24 = arg3 =  multiplicand vector
+;     r23 = arg4 =  result vector
+;
+;     fr9 = scalar loaded once only from r25
+
+; The cycle counts shown in the bodies below are simply the result of a
+; scheduling by hand.  The actual PCX-U hardware does it differently.
+; The intention is that the overall speed is the same.
+
+; The pipeline startup and shutdown code is constructed in the usual way,
+; by taking the loop bodies and removing unnecessary instructions.
+; We have left the comments describing cycle numbers in the code.
+; These are intended for reference when comparing with the main loop,
+; and have no particular relationship to actual cycle numbers.
+
+#ifdef LITTLE_WORDIAN
+maxpy_little
+#else
+maxpy_big
+#endif
+        .PROC
+        .CALLINFO FRAME=120,ENTRY_GR=%r4
+        .ENTER
+
+; Of course, real men don't use the sissy "enter" and "leave" commands.
+; They write their own stack manipulation stuff.  Unfortunately,
+; that doesn't generate complete unwind info, whereas "enter" and
+; "leave" (if the documentation is to be believed) do so.  Therefore,
+; we use the sissy commands.  We have verified (by real-man methods)
+; that the above command generates what we want:
+;       STW,MA  %r3,128(%sp)
+;       STW     %r4,-124(%sp)
+
+        ADDIB,< -1,%r26,$L0         ; If N = 0, exit immediately.
+        FLDD    0(%r25),%fr9        ; fr9 = scalar
+
+; First startup
+
+        FLDD    0(%r24),%fr24       ; Cycle 1
+        XMPYU   %fr9R,%fr24R,%fr27  ; Cycle 3
+        XMPYU   %fr9R,%fr24L,%fr25  ; Cycle 4
+        XMPYU   %fr9L,%fr24L,%fr26  ; Cycle 5
+        CMPIB,> 3,%r26,$N_IS_SMALL  ; Pick out cases N = 1, 2, or 3
+        XMPYU   %fr9L,%fr24R,%fr24  ; Cycle 6
+        FLDD    EIGHT(%r24),%fr28   ; Cycle 8
+        XMPYU   %fr9L,%fr28R,%fr31  ; Cycle 10
+        FSTD    %fr24,-96(%sp)
+        XMPYU   %fr9R,%fr28L,%fr30  ; Cycle 11
+        FSTD    %fr25,-80(%sp)
+        LDO     SIXTEEN(%r24),%r24  ; Cycle 12
+        FSTD    %fr31,-64(%sp)
+        XMPYU   %fr9R,%fr28R,%fr29  ; Cycle 13
+        FSTD    %fr27,-48(%sp)
+
+; Second startup
+
+        XMPYU   %fr9L,%fr28L,%fr28  ; Cycle 1
+        FSTD    %fr30,-56(%sp)
+        FLDD    0(%r24),%fr24
+
+        FSTD    %fr26,-88(%sp)      ; Cycle 2
+
+        XMPYU   %fr9R,%fr24R,%fr27  ; Cycle 3
+        FSTD    %fr28,-104(%sp)
+
+        XMPYU   %fr9R,%fr24L,%fr25  ; Cycle 4
+        LDD     -96(%sp),%r3
+        FSTD    %fr29,-72(%sp)
+
+        XMPYU   %fr9L,%fr24L,%fr26  ; Cycle 5
+        LDD     -64(%sp),%r19
+        LDD     -80(%sp),%r21
+
+        XMPYU   %fr9L,%fr24R,%fr24  ; Cycle 6
+        LDD     -56(%sp),%r20
+        ADD     %r21,%r3,%r3
+
+        ADD,DC  %r20,%r19,%r19      ; Cycle 7
+        LDD     -88(%sp),%r4
+        SHRPD   %r3,%r0,32,%r21
+        LDD     -48(%sp),%r1
+
+        FLDD    EIGHT(%r24),%fr28   ; Cycle 8
+        LDD     -104(%sp),%r31
+        ADD,DC  %r0,%r0,%r20
+        SHRPD   %r19,%r3,32,%r3
+
+        LDD     -72(%sp),%r29       ; Cycle 9
+        SHRPD   %r20,%r19,32,%r20
+        ADD     %r21,%r1,%r1
+
+        XMPYU   %fr9L,%fr28R,%fr31  ; Cycle 10
+        ADD,DC  %r3,%r4,%r4
+        FSTD    %fr24,-96(%sp)
+
+        XMPYU   %fr9R,%fr28L,%fr30  ; Cycle 11
+        ADD,DC  %r0,%r20,%r20
+        LDD     0(%r23),%r3
+        FSTD    %fr25,-80(%sp)
+
+        LDO     SIXTEEN(%r24),%r24  ; Cycle 12
+        FSTD    %fr31,-64(%sp)
+
+        XMPYU   %fr9R,%fr28R,%fr29  ; Cycle 13
+        ADD     %r0,%r0,%r0         ; clear the carry bit
+        ADDIB,<= -4,%r26,$ENDLOOP   ; actually happens in cycle 12
+        FSTD    %fr27,-48(%sp)
+;        MFCTL   %cr16,%r21         ; for timing
+;        STD     %r21,-112(%sp)
+
+; Here is the loop.
+
+$LOOP   XMPYU   %fr9L,%fr28L,%fr28  ; Cycle 1
+        ADD,DC  %r29,%r4,%r4
+        FSTD    %fr30,-56(%sp)
+        FLDD    0(%r24),%fr24
+
+        LDO     SIXTEEN(%r23),%r23  ; Cycle 2
+        ADD,DC  %r0,%r20,%r20
+        FSTD    %fr26,-88(%sp)
+
+        XMPYU   %fr9R,%fr24R,%fr27  ; Cycle 3
+        ADD     %r3,%r1,%r1
+        FSTD    %fr28,-104(%sp)
+        LDD     UN_EIGHT(%r23),%r21
+
+        XMPYU   %fr9R,%fr24L,%fr25  ; Cycle 4
+        ADD,DC  %r21,%r4,%r28
+        FSTD    %fr29,-72(%sp)    
+        LDD     -96(%sp),%r3
+
+        XMPYU   %fr9L,%fr24L,%fr26  ; Cycle 5
+        ADD,DC  %r20,%r31,%r22
+        LDD     -64(%sp),%r19
+        LDD     -80(%sp),%r21
+
+        XMPYU   %fr9L,%fr24R,%fr24  ; Cycle 6
+        ADD     %r21,%r3,%r3
+        LDD     -56(%sp),%r20
+        STD     %r1,UN_SIXTEEN(%r23)
+
+        ADD,DC  %r20,%r19,%r19      ; Cycle 7
+        SHRPD   %r3,%r0,32,%r21
+        LDD     -88(%sp),%r4
+        LDD     -48(%sp),%r1
+
+        ADD,DC  %r0,%r0,%r20        ; Cycle 8
+        SHRPD   %r19,%r3,32,%r3
+        FLDD    EIGHT(%r24),%fr28
+        LDD     -104(%sp),%r31
+
+        SHRPD   %r20,%r19,32,%r20   ; Cycle 9
+        ADD     %r21,%r1,%r1
+        STD     %r28,UN_EIGHT(%r23)
+        LDD     -72(%sp),%r29
+
+        XMPYU   %fr9L,%fr28R,%fr31  ; Cycle 10
+        ADD,DC  %r3,%r4,%r4
+        FSTD    %fr24,-96(%sp)
+
+        XMPYU   %fr9R,%fr28L,%fr30  ; Cycle 11
+        ADD,DC  %r0,%r20,%r20
+        FSTD    %fr25,-80(%sp)
+        LDD     0(%r23),%r3
+
+        LDO     SIXTEEN(%r24),%r24  ; Cycle 12
+        FSTD    %fr31,-64(%sp)
+
+        XMPYU   %fr9R,%fr28R,%fr29  ; Cycle 13
+        ADD     %r22,%r1,%r1
+        ADDIB,> -2,%r26,$LOOP       ; actually happens in cycle 12
+        FSTD    %fr27,-48(%sp)
+
+$ENDLOOP
+
+; Shutdown code, first stage.
+
+;        MFCTL   %cr16,%r21         ; for timing
+;        STD     %r21,UN_SIXTEEN(%r23)
+;        LDD     -112(%sp),%r21
+;        STD     %r21,UN_EIGHT(%r23)
+
+        XMPYU   %fr9L,%fr28L,%fr28  ; Cycle 1
+        ADD,DC  %r29,%r4,%r4
+        CMPIB,= 0,%r26,$ONEMORE
+        FSTD    %fr30,-56(%sp)
+
+        LDO     SIXTEEN(%r23),%r23  ; Cycle 2
+        ADD,DC  %r0,%r20,%r20
+        FSTD    %fr26,-88(%sp)
+
+        ADD     %r3,%r1,%r1         ; Cycle 3
+        FSTD    %fr28,-104(%sp)
+        LDD     UN_EIGHT(%r23),%r21
+
+        ADD,DC  %r21,%r4,%r28       ; Cycle 4
+        FSTD    %fr29,-72(%sp)    
+        STD     %r28,UN_EIGHT(%r23) ; moved up from cycle 9
+        LDD     -96(%sp),%r3
+
+        ADD,DC  %r20,%r31,%r22      ; Cycle 5
+        STD     %r1,UN_SIXTEEN(%r23)
+$JOIN4
+        LDD     -64(%sp),%r19
+        LDD     -80(%sp),%r21
+
+        ADD     %r21,%r3,%r3        ; Cycle 6
+        LDD     -56(%sp),%r20
+
+        ADD,DC  %r20,%r19,%r19      ; Cycle 7
+        SHRPD   %r3,%r0,32,%r21
+        LDD     -88(%sp),%r4
+        LDD     -48(%sp),%r1
+
+        ADD,DC  %r0,%r0,%r20        ; Cycle 8
+        SHRPD   %r19,%r3,32,%r3
+        LDD     -104(%sp),%r31
+
+        SHRPD   %r20,%r19,32,%r20   ; Cycle 9
+        ADD     %r21,%r1,%r1
+        LDD     -72(%sp),%r29
+
+        ADD,DC  %r3,%r4,%r4         ; Cycle 10
+
+        ADD,DC  %r0,%r20,%r20       ; Cycle 11
+        LDD     0(%r23),%r3
+
+        ADD     %r22,%r1,%r1        ; Cycle 13
+
+; Shutdown code, second stage.
+
+        ADD,DC  %r29,%r4,%r4        ; Cycle 1
+
+        LDO     SIXTEEN(%r23),%r23  ; Cycle 2
+        ADD,DC  %r0,%r20,%r20
+
+        LDD     UN_EIGHT(%r23),%r21 ; Cycle 3
+        ADD     %r3,%r1,%r1
+
+        ADD,DC  %r21,%r4,%r28       ; Cycle 4
+
+        ADD,DC  %r20,%r31,%r22      ; Cycle 5
+
+        STD     %r1,UN_SIXTEEN(%r23); Cycle 6
+
+        STD     %r28,UN_EIGHT(%r23) ; Cycle 9
+
+        LDD     0(%r23),%r3         ; Cycle 11
+
+; Shutdown code, third stage.
+
+        LDO     SIXTEEN(%r23),%r23
+        ADD     %r3,%r22,%r1
+$JOIN1  ADD,DC  %r0,%r0,%r21
+        CMPIB,*= 0,%r21,$L0         ; if no overflow, exit
+        STD     %r1,UN_SIXTEEN(%r23)
+
+; Final carry propagation
+
+$FINAL1 LDO     EIGHT(%r23),%r23
+        LDD     UN_SIXTEEN(%r23),%r21
+        ADDI    1,%r21,%r21
+        CMPIB,*= 0,%r21,$FINAL1     ; Keep looping if there is a carry.
+        STD     %r21,UN_SIXTEEN(%r23)
+        B       $L0
+        NOP
+
+; Here is the code that handles the difficult cases N=1, N=2, and N=3.
+; We do the usual trick -- branch out of the startup code at appropriate
+; points, and branch into the shutdown code.
+
+$N_IS_SMALL
+        CMPIB,= 0,%r26,$N_IS_ONE
+        FSTD    %fr24,-96(%sp)      ; Cycle 10
+        FLDD    EIGHT(%r24),%fr28   ; Cycle 8
+        XMPYU   %fr9L,%fr28R,%fr31  ; Cycle 10
+        XMPYU   %fr9R,%fr28L,%fr30  ; Cycle 11
+        FSTD    %fr25,-80(%sp)
+        FSTD    %fr31,-64(%sp)      ; Cycle 12
+        XMPYU   %fr9R,%fr28R,%fr29  ; Cycle 13
+        FSTD    %fr27,-48(%sp)
+        XMPYU   %fr9L,%fr28L,%fr28  ; Cycle 1
+        CMPIB,= 2,%r26,$N_IS_THREE
+        FSTD    %fr30,-56(%sp)
+
+; N = 2
+        FSTD    %fr26,-88(%sp)      ; Cycle 2
+        FSTD    %fr28,-104(%sp)     ; Cycle 3
+        LDD     -96(%sp),%r3        ; Cycle 4
+        FSTD    %fr29,-72(%sp)
+        B       $JOIN4
+        ADD     %r0,%r0,%r22
+
+$N_IS_THREE
+        FLDD    SIXTEEN(%r24),%fr24
+        FSTD    %fr26,-88(%sp)      ; Cycle 2
+        XMPYU   %fr9R,%fr24R,%fr27  ; Cycle 3
+        FSTD    %fr28,-104(%sp)
+        XMPYU   %fr9R,%fr24L,%fr25  ; Cycle 4
+        LDD     -96(%sp),%r3
+        FSTD    %fr29,-72(%sp)
+        XMPYU   %fr9L,%fr24L,%fr26  ; Cycle 5
+        LDD     -64(%sp),%r19
+        LDD     -80(%sp),%r21
+        B       $JOIN3
+        ADD     %r0,%r0,%r22
+
+$N_IS_ONE
+        FSTD    %fr25,-80(%sp)
+        FSTD    %fr27,-48(%sp)
+        FSTD    %fr26,-88(%sp)      ; Cycle 2
+        B       $JOIN5
+        ADD     %r0,%r0,%r22
+
+; We came out of the unrolled loop with wrong parity.  Do one more
+; single cycle.  This is quite tricky, because of the way the
+; carry chains and SHRPD chains have been chopped up.
+
+$ONEMORE
+
+        FLDD    0(%r24),%fr24
+
+        LDO     SIXTEEN(%r23),%r23  ; Cycle 2
+        ADD,DC  %r0,%r20,%r20
+        FSTD    %fr26,-88(%sp)
+
+        XMPYU   %fr9R,%fr24R,%fr27  ; Cycle 3
+        FSTD    %fr28,-104(%sp)
+        LDD     UN_EIGHT(%r23),%r21
+        ADD     %r3,%r1,%r1
+
+        XMPYU   %fr9R,%fr24L,%fr25  ; Cycle 4
+        ADD,DC  %r21,%r4,%r28
+        STD     %r28,UN_EIGHT(%r23) ; moved from cycle 9
+        LDD     -96(%sp),%r3
+        FSTD    %fr29,-72(%sp)    
+
+        XMPYU   %fr9L,%fr24L,%fr26  ; Cycle 5
+        ADD,DC  %r20,%r31,%r22
+        LDD     -64(%sp),%r19
+        LDD     -80(%sp),%r21
+
+        STD     %r1,UN_SIXTEEN(%r23); Cycle 6
+$JOIN3
+        XMPYU   %fr9L,%fr24R,%fr24
+        LDD     -56(%sp),%r20
+        ADD     %r21,%r3,%r3
+
+        ADD,DC  %r20,%r19,%r19      ; Cycle 7
+        LDD     -88(%sp),%r4
+        SHRPD   %r3,%r0,32,%r21
+        LDD     -48(%sp),%r1
+
+        LDD     -104(%sp),%r31      ; Cycle 8
+        ADD,DC  %r0,%r0,%r20
+        SHRPD   %r19,%r3,32,%r3
+
+        LDD     -72(%sp),%r29       ; Cycle 9
+        SHRPD   %r20,%r19,32,%r20
+        ADD     %r21,%r1,%r1
+
+        ADD,DC  %r3,%r4,%r4         ; Cycle 10
+        FSTD    %fr24,-96(%sp)
+
+        ADD,DC  %r0,%r20,%r20       ; Cycle 11
+        LDD     0(%r23),%r3
+        FSTD    %fr25,-80(%sp)
+
+        ADD     %r22,%r1,%r1        ; Cycle 13
+        FSTD    %fr27,-48(%sp)
+
+; Shutdown code, stage 1-1/2.
+
+        ADD,DC  %r29,%r4,%r4        ; Cycle 1
+
+        LDO     SIXTEEN(%r23),%r23  ; Cycle 2
+        ADD,DC  %r0,%r20,%r20     
+        FSTD    %fr26,-88(%sp)
+
+        LDD     UN_EIGHT(%r23),%r21 ; Cycle 3
+        ADD     %r3,%r1,%r1
+
+        ADD,DC  %r21,%r4,%r28       ; Cycle 4
+        STD     %r28,UN_EIGHT(%r23) ; moved from cycle 9
+
+        ADD,DC  %r20,%r31,%r22      ; Cycle 5
+        STD     %r1,UN_SIXTEEN(%r23)
+$JOIN5
+        LDD     -96(%sp),%r3        ; moved from cycle 4
+        LDD     -80(%sp),%r21
+        ADD     %r21,%r3,%r3        ; Cycle 6
+        ADD,DC  %r0,%r0,%r19        ; Cycle 7
+        LDD     -88(%sp),%r4
+        SHRPD   %r3,%r0,32,%r21
+        LDD     -48(%sp),%r1
+        SHRPD   %r19,%r3,32,%r3     ; Cycle 8
+        ADD     %r21,%r1,%r1        ; Cycle 9
+        ADD,DC  %r3,%r4,%r4         ; Cycle 10
+        LDD     0(%r23),%r3         ; Cycle 11
+        ADD     %r22,%r1,%r1        ; Cycle 13
+
+; Shutdown code, stage 2-1/2.
+
+        ADD,DC  %r0,%r4,%r4         ; Cycle 1
+        LDO     SIXTEEN(%r23),%r23  ; Cycle 2
+        LDD     UN_EIGHT(%r23),%r21 ; Cycle 3
+        ADD     %r3,%r1,%r1
+        STD     %r1,UN_SIXTEEN(%r23)
+        ADD,DC  %r21,%r4,%r1
+        B       $JOIN1
+        LDO     EIGHT(%r23),%r23
+
+; exit
+
+$L0
+        .LEAVE
+
+; We have verified that the above command generates what we want:
+;       LDW     -124(%sp),%r4
+;       BVE     (%r2)
+;       LDW,MB  -128(%sp),%r3
+
+        .PROCEND
+
+; ***************************************************************
+;
+;                 add_diag_[little/big]
+;
+; ***************************************************************
+
+; The arguments are as follows:
+;     r2   return PC, of course
+;     r26 = arg1 =  length
+;     r25 = arg2 =  vector to square
+;     r24 = arg3 =  result vector
+
+#ifdef LITTLE_WORDIAN
+add_diag_little
+#else
+add_diag_big
+#endif
+        .PROC
+        .CALLINFO FRAME=120,ENTRY_GR=%r4
+        .ENTER
+
+        ADDIB,< -1,%r26,$Z0         ; If N=0, exit immediately.
+        NOP
+
+; Startup code
+
+        FLDD    0(%r25),%fr7        ; Cycle 2 (alternate body)
+        XMPYU   %fr7R,%fr7R,%fr29   ; Cycle 4
+        XMPYU   %fr7L,%fr7R,%fr27   ; Cycle 5
+        XMPYU   %fr7L,%fr7L,%fr30
+        LDO     SIXTEEN(%r25),%r25  ; Cycle 6
+        FSTD    %fr29,-88(%sp)
+        FSTD    %fr27,-72(%sp)      ; Cycle 7
+        CMPIB,= 0,%r26,$DIAG_N_IS_ONE ; Cycle 1 (main body)
+        FSTD    %fr30,-96(%sp)
+        FLDD    UN_EIGHT(%r25),%fr7 ; Cycle 2
+        LDD     -88(%sp),%r22       ; Cycle 3
+        LDD     -72(%sp),%r31       ; Cycle 4
+        XMPYU   %fr7R,%fr7R,%fr28
+        XMPYU   %fr7L,%fr7R,%fr24   ; Cycle 5
+        XMPYU   %fr7L,%fr7L,%fr31
+        LDD     -96(%sp),%r20       ; Cycle 6
+        FSTD    %fr28,-80(%sp)
+        ADD     %r0,%r0,%r0         ; clear the carry bit
+        ADDIB,<= -2,%r26,$ENDDIAGLOOP ; Cycle 7
+        FSTD    %fr24,-64(%sp)
+
+; Here is the loop.  It is unrolled twice, modelled after the "alternate body" and then the "main body".
+
+$DIAGLOOP
+        SHRPD   %r31,%r0,31,%r3     ; Cycle 1 (alternate body)
+        LDO     SIXTEEN(%r25),%r25
+        LDD     0(%r24),%r1
+        FSTD    %fr31,-104(%sp)
+        SHRPD   %r0,%r31,31,%r4     ; Cycle 2
+        ADD,DC  %r22,%r3,%r3
+        FLDD    UN_SIXTEEN(%r25),%fr7   
+        ADD,DC  %r0,%r20,%r20       ; Cycle 3
+        ADD     %r1,%r3,%r3
+        XMPYU   %fr7R,%fr7R,%fr29   ; Cycle 4
+        LDD     -80(%sp),%r21
+        STD     %r3,0(%r24)
+        XMPYU   %fr7L,%fr7R,%fr27   ; Cycle 5
+        XMPYU   %fr7L,%fr7L,%fr30
+        LDD     -64(%sp),%r29       
+        LDD     EIGHT(%r24),%r1  
+        ADD,DC  %r4,%r20,%r20       ; Cycle 6
+        LDD     -104(%sp),%r19
+        FSTD    %fr29,-88(%sp)
+        ADD     %r20,%r1,%r1        ; Cycle 7
+        FSTD    %fr27,-72(%sp)
+        SHRPD   %r29,%r0,31,%r4     ; Cycle 1 (main body)
+        LDO     THIRTY_TWO(%r24),%r24
+        LDD     UN_SIXTEEN(%r24),%r28
+        FSTD    %fr30,-96(%sp)
+        SHRPD   %r0,%r29,31,%r3     ; Cycle 2
+        ADD,DC  %r21,%r4,%r4
+        FLDD    UN_EIGHT(%r25),%fr7
+        STD     %r1,UN_TWENTY_FOUR(%r24)
+        ADD,DC  %r0,%r19,%r19       ; Cycle 3
+        ADD     %r28,%r4,%r4
+        XMPYU   %fr7R,%fr7R,%fr28   ; Cycle 4
+        LDD     -88(%sp),%r22
+        STD     %r4,UN_SIXTEEN(%r24)
+        XMPYU   %fr7L,%fr7R,%fr24   ; Cycle 5
+        XMPYU   %fr7L,%fr7L,%fr31
+        LDD     -72(%sp),%r31
+        LDD     UN_EIGHT(%r24),%r28
+        ADD,DC  %r3,%r19,%r19       ; Cycle 6
+        LDD     -96(%sp),%r20
+        FSTD    %fr28,-80(%sp)
+        ADD     %r19,%r28,%r28      ; Cycle 7
+        FSTD    %fr24,-64(%sp)
+        ADDIB,> -2,%r26,$DIAGLOOP   ; Cycle 8
+        STD     %r28,UN_EIGHT(%r24)
+
+$ENDDIAGLOOP
+
+        ADD,DC  %r0,%r22,%r22    
+        CMPIB,= 0,%r26,$ONEMOREDIAG
+        SHRPD   %r31,%r0,31,%r3
+
+; Shutdown code, first stage.
+
+        FSTD    %fr31,-104(%sp)     ; Cycle 1 (alternate body)
+        LDD     0(%r24),%r28
+        SHRPD   %r0,%r31,31,%r4     ; Cycle 2
+        ADD     %r3,%r22,%r3
+        ADD,DC  %r0,%r20,%r20       ; Cycle 3
+        LDD     -80(%sp),%r21
+        ADD     %r3,%r28,%r3
+        LDD     -64(%sp),%r29       ; Cycle 4
+        STD     %r3,0(%r24)
+        LDD     EIGHT(%r24),%r1     ; Cycle 5
+        LDO     SIXTEEN(%r25),%r25  ; Cycle 6
+        LDD     -104(%sp),%r19
+        ADD,DC  %r4,%r20,%r20
+        ADD     %r20,%r1,%r1        ; Cycle 7
+        ADD,DC  %r0,%r21,%r21       ; Cycle 8
+        STD     %r1,EIGHT(%r24)
+
+; Shutdown code, second stage.
+
+        SHRPD   %r29,%r0,31,%r4     ; Cycle 1 (main body)
+        LDO     THIRTY_TWO(%r24),%r24
+        LDD     UN_SIXTEEN(%r24),%r1
+        SHRPD   %r0,%r29,31,%r3      ; Cycle 2
+        ADD     %r4,%r21,%r4
+        ADD,DC  %r0,%r19,%r19       ; Cycle 3
+        ADD     %r4,%r1,%r4
+        STD     %r4,UN_SIXTEEN(%r24); Cycle 4
+        LDD     UN_EIGHT(%r24),%r28 ; Cycle 5
+        ADD,DC  %r3,%r19,%r19       ; Cycle 6       
+        ADD     %r19,%r28,%r28      ; Cycle 7
+        ADD,DC  %r0,%r0,%r22        ; Cycle 8
+        CMPIB,*= 0,%r22,$Z0         ; if no overflow, exit
+        STD     %r28,UN_EIGHT(%r24)
+
+; Final carry propagation
+
+$FDIAG2
+        LDO     EIGHT(%r24),%r24
+        LDD     UN_EIGHT(%r24),%r26
+        ADDI    1,%r26,%r26
+        CMPIB,*= 0,%r26,$FDIAG2     ; Keep looping if there is a carry.
+        STD     %r26,UN_EIGHT(%r24)
+
+        B   $Z0
+        NOP
+
+; Here is the code that handles the difficult case N=1.
+; We do the usual trick -- branch out of the startup code at appropriate
+; points, and branch into the shutdown code.
+
+$DIAG_N_IS_ONE
+
+        LDD     -88(%sp),%r22
+        LDD     -72(%sp),%r31
+        B       $JOINDIAG
+        LDD     -96(%sp),%r20
+
+; We came out of the unrolled loop with wrong parity.  Do one more
+; single cycle.  This is the "alternate body".  It will, of course,
+; give us opposite registers from the other case, so we need
+; completely different shutdown code.
+
+$ONEMOREDIAG
+        FSTD    %fr31,-104(%sp)     ; Cycle 1 (alternate body)
+        LDD     0(%r24),%r28
+        FLDD    0(%r25),%fr7        ; Cycle 2
+        SHRPD   %r0,%r31,31,%r4
+        ADD     %r3,%r22,%r3
+        ADD,DC  %r0,%r20,%r20       ; Cycle 3
+        LDD     -80(%sp),%r21
+        ADD     %r3,%r28,%r3
+        LDD     -64(%sp),%r29       ; Cycle 4
+        STD     %r3,0(%r24)
+        XMPYU   %fr7R,%fr7R,%fr29
+        LDD     EIGHT(%r24),%r1     ; Cycle 5
+        XMPYU   %fr7L,%fr7R,%fr27
+        XMPYU   %fr7L,%fr7L,%fr30
+        LDD     -104(%sp),%r19      ; Cycle 6
+        FSTD    %fr29,-88(%sp)
+        ADD,DC  %r4,%r20,%r20
+        FSTD    %fr27,-72(%sp)      ; Cycle 7
+        ADD     %r20,%r1,%r1
+        ADD,DC  %r0,%r21,%r21       ; Cycle 8
+        STD     %r1,EIGHT(%r24)
+
+; Shutdown code, first stage.
+
+        SHRPD   %r29,%r0,31,%r4     ; Cycle 1 (main body)
+        LDO     THIRTY_TWO(%r24),%r24
+        FSTD    %fr30,-96(%sp)
+        LDD     UN_SIXTEEN(%r24),%r1
+        SHRPD   %r0,%r29,31,%r3     ; Cycle 2
+        ADD     %r4,%r21,%r4
+        ADD,DC  %r0,%r19,%r19       ; Cycle 3
+        LDD     -88(%sp),%r22
+        ADD     %r4,%r1,%r4
+        LDD     -72(%sp),%r31       ; Cycle 4
+        STD     %r4,UN_SIXTEEN(%r24)
+        LDD     UN_EIGHT(%r24),%r28 ; Cycle 5
+        LDD     -96(%sp),%r20       ; Cycle 6
+        ADD,DC  %r3,%r19,%r19
+        ADD     %r19,%r28,%r28      ; Cycle 7
+        ADD,DC  %r0,%r22,%r22       ; Cycle 8
+        STD     %r28,UN_EIGHT(%r24)
+
+; Shutdown code, second stage.
+
+$JOINDIAG
+        SHRPD   %r31,%r0,31,%r3     ; Cycle 1 (alternate body)
+        LDD     0(%r24),%r28        
+        SHRPD   %r0,%r31,31,%r4     ; Cycle 2
+        ADD     %r3,%r22,%r3
+        ADD,DC  %r0,%r20,%r20       ; Cycle 3
+        ADD     %r3,%r28,%r3
+        STD     %r3,0(%r24)         ; Cycle 4
+        LDD     EIGHT(%r24),%r1     ; Cycle 5
+        ADD,DC  %r4,%r20,%r20
+        ADD     %r20,%r1,%r1        ; Cycle 7
+        ADD,DC  %r0,%r0,%r21        ; Cycle 8
+        CMPIB,*= 0,%r21,$Z0         ; if no overflow, exit
+        STD     %r1,EIGHT(%r24)
+
+; Final carry propagation
+
+$FDIAG1
+        LDO     EIGHT(%r24),%r24
+        LDD     EIGHT(%r24),%r26
+        ADDI    1,%r26,%r26
+        CMPIB,*= 0,%r26,$FDIAG1    ; Keep looping if there is a carry.
+        STD     %r26,EIGHT(%r24)
+
+$Z0
+        .LEAVE
+        .PROCEND
+;	.ALLOW
+
+        .SPACE         $TEXT$
+        .SUBSPA        $CODE$
+#ifdef LITTLE_WORDIAN
+        .EXPORT        maxpy_little,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,ARGW3=GR,LONG_RETURN
+        .EXPORT        add_diag_little,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,LONG_RETURN
+#else
+        .EXPORT        maxpy_big,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,ARGW3=GR,LONG_RETURN
+        .EXPORT        add_diag_big,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,ARGW2=GR,LONG_RETURN
+#endif
+        .END
+
+
+; How to use "maxpy_PA20_little" and "maxpy_PA20_big"
+; 
+; The routine "maxpy_PA20_little" or "maxpy_PA20_big"
+; performs a 64-bit x any-size multiply, and adds the
+; result to an area of memory.  That is, it performs
+; something like
+; 
+;      A B C D
+;    *       Z
+;   __________
+;    P Q R S T
+; 
+; and then adds the "PQRST" vector into an area of memory,
+; handling all carries.
+; 
+; Digression on nomenclature and endian-ness:
+; 
+; Each of the capital letters in the above represents a 64-bit
+; quantity.  That is, you could think of the discussion as
+; being in terms of radix-16-quintillion arithmetic.  The data
+; type being manipulated is "unsigned long long int".  This
+; requires the 64-bit extension of the HP-UX C compiler,
+; available at release 10.  You need these compiler flags to
+; enable these extensions:
+; 
+;       -Aa +e +DA2.0 +DS2.0
+; 
+; (The first specifies ANSI C, the second enables the
+; extensions, which are beyond ANSI C, and the third and
+; fourth tell the compiler to use whatever features of the
+; PA2.0 architecture it wishes, in order to made the code more
+; efficient.  Since the presence of the assembly code will
+; make the program unable to run on anything less than PA2.0,
+; you might as well gain the performance enhancements in the C
+; code as well.)
+; 
+; Questions of "endian-ness" often come up, usually in the
+; context of byte ordering in a word.  These routines have a
+; similar issue, that could be called "wordian-ness".
+; Independent of byte ordering (PA is always big-endian), one
+; can make two choices when representing extremely large
+; numbers as arrays of 64-bit doublewords in memory.
+; 
+; "Little-wordian" layout means that the least significant
+; word of a number is stored at the lowest address.
+; 
+;   MSW     LSW
+;    |       |
+;    V       V
+; 
+;    A B C D E
+; 
+;    ^     ^ ^
+;    |     | |____ address 0
+;    |     |
+;    |     |_______address 8
+;    |
+;    address 32
+; 
+; "Big-wordian" means that the most significant word is at the
+; lowest address.
+; 
+;   MSW     LSW
+;    |       |
+;    V       V
+; 
+;    A B C D E
+; 
+;    ^     ^ ^
+;    |     | |____ address 32
+;    |     |
+;    |     |_______address 24
+;    |
+;    address 0
+; 
+; When you compile the file, you must specify one or the other, with
+; a switch "-DLITTLE_WORDIAN" or "-DBIG_WORDIAN".
+; 
+;     Incidentally, you assemble this file as part of your
+;     project with the same C compiler as the rest of the program.
+;     My "makefile" for a superprecision arithmetic package has
+;     the following stuff:
+; 
+;     # definitions:
+;     CC = cc -Aa +e -z +DA2.0 +DS2.0 +w1
+;     CFLAGS = +O3
+;     LDFLAGS = -L /usr/lib -Wl,-aarchive
+; 
+;     # general build rule for ".s" files:
+;     .s.o:
+;             $(CC) $(CFLAGS) -c $< -DBIG_WORDIAN
+; 
+;     # Now any bind step that calls for pa20.o will assemble pa20.s
+; 
+; End of digression, back to arithmetic:
+; 
+; The way we multiply two huge numbers is, of course, to multiply
+; the "ABCD" vector by each of the "WXYZ" doublewords, adding
+; the result vectors with increasing offsets, the way we learned
+; in school, back before we all used calculators:
+; 
+;            A B C D
+;          * W X Y Z
+;         __________
+;          P Q R S T
+;        E F G H I
+;      M N O P Q
+;  + R S T U V
+;    _______________
+;    F I N A L S U M
+; 
+; So we call maxpy_PA20_big (in my case; my package is
+; big-wordian) repeatedly, giving the W, X, Y, and Z arguments
+; in turn as the "scalar", and giving the "ABCD" vector each
+; time.  We direct it to add its result into an area of memory
+; that we have cleared at the start.  We skew the exact
+; location into that area with each call.
+; 
+; The prototype for the function is
+; 
+; extern void maxpy_PA20_big(
+;    int length,        /* Number of doublewords in the multiplicand vector. */
+;    const long long int *scalaraddr,    /* Address to fetch the scalar. */
+;    const long long int *multiplicand,  /* The multiplicand vector. */
+;    long long int *result);             /* Where to accumulate the result. */
+; 
+; (You should place a copy of this prototype in an include file
+; or in your C file.)
+; 
+; Now, IN ALL CASES, the given address for the multiplicand or
+; the result is that of the LEAST SIGNIFICANT DOUBLEWORD.
+; That word is, of course, the word at which the routine
+; starts processing.  "maxpy_PA20_little" then increases the
+; addresses as it computes.  "maxpy_PA20_big" decreases them.
+; 
+; In our example above, "length" would be 4 in each case.
+; "multiplicand" would be the "ABCD" vector.  Specifically,
+; the address of the element "D".  "scalaraddr" would be the
+; address of "W", "X", "Y", or "Z" on the four calls that we
+; would make.  (The order doesn't matter, of course.)
+; "result" would be the appropriate address in the result
+; area.  When multiplying by "Z", that would be the least
+; significant word.  When multiplying by "Y", it would be the
+; next higher word (8 bytes higher if little-wordian; 8 bytes
+; lower if big-wordian), and so on.  The size of the result
+; area must be the the sum of the sizes of the multiplicand
+; and multiplier vectors, and must be initialized to zero
+; before we start.
+; 
+; Whenever the routine adds its partial product into the result
+; vector, it follows carry chains as far as they need to go.
+; 
+; Here is the super-precision multiply routine that I use for
+; my package.  The package is big-wordian.  I have taken out
+; handling of exponents (it's a floating point package):
+; 
+; static void mul_PA20(
+;   int size,
+;   const long long int *arg1,
+;   const long long int *arg2,
+;   long long int *result)
+; {
+;    int i;
+; 
+;    for (i=0 ; i<2*size ; i++) result[i] = 0ULL;
+; 
+;    for (i=0 ; i<size ; i++) {
+;       maxpy_PA20_big(size, &arg2[i], &arg1[size-1], &result[size+i]);
+;    }
+; }
diff --git a/security/nss/lib/freebl/mpi/hppatch.adb b/security/nss/lib/freebl/mpi/hppatch.adb
new file mode 100644
index 000000000..7b7aaef76
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/hppatch.adb
@@ -0,0 +1,49 @@
+#/bin/sh
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+#
+# The Original Code is script to change the system id in an object file 
+# from PA-RISC 2.0 to 1.1.
+#
+# The Initial Developer of the Original Code is Hewlett-Packard Company.
+# Portions created by Hewlett-Packard Company are
+# Copyright (C) March 1999, Hewlett-Packard Company. All Rights Reserved.
+#
+# Contributor(s):
+#   wrapped by Dennis Handly on Tue Mar 23 15:23:43 1999
+#
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable
+# instead of those above.  If you wish to allow use of your
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+
+# script to change the system id in an object file from PA-RISC 2.0 to 1.1
+
+adb -w $1 << EOF
+?m 0 -1 0
+0x0?X
+0x0?W (@0x0&~0x40000)|(~@0x0&0x40000)
+
+0?"change checksum"
+0x7c?X
+0x7c?W (@0x7c&~0x40000)|(~@0x7c&0x40000)
+$q
+EOF
+
+exit 0
+
diff --git a/security/nss/lib/freebl/mpi/logtab.h b/security/nss/lib/freebl/mpi/logtab.h
new file mode 100644
index 000000000..6f28be96f
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/logtab.h
@@ -0,0 +1,59 @@
+/*
+ *  logtab.h
+ *
+ *  Arbitrary precision integer arithmetic library
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+const float s_logv_2[] = {
+   0.000000000f, 0.000000000f, 1.000000000f, 0.630929754f,  /*  0  1  2  3 */
+   0.500000000f, 0.430676558f, 0.386852807f, 0.356207187f,  /*  4  5  6  7 */
+   0.333333333f, 0.315464877f, 0.301029996f, 0.289064826f,  /*  8  9 10 11 */
+   0.278942946f, 0.270238154f, 0.262649535f, 0.255958025f,  /* 12 13 14 15 */
+   0.250000000f, 0.244650542f, 0.239812467f, 0.235408913f,  /* 16 17 18 19 */
+   0.231378213f, 0.227670249f, 0.224243824f, 0.221064729f,  /* 20 21 22 23 */
+   0.218104292f, 0.215338279f, 0.212746054f, 0.210309918f,  /* 24 25 26 27 */
+   0.208014598f, 0.205846832f, 0.203795047f, 0.201849087f,  /* 28 29 30 31 */
+   0.200000000f, 0.198239863f, 0.196561632f, 0.194959022f,  /* 32 33 34 35 */
+   0.193426404f, 0.191958720f, 0.190551412f, 0.189200360f,  /* 36 37 38 39 */
+   0.187901825f, 0.186652411f, 0.185449023f, 0.184288833f,  /* 40 41 42 43 */
+   0.183169251f, 0.182087900f, 0.181042597f, 0.180031327f,  /* 44 45 46 47 */
+   0.179052232f, 0.178103594f, 0.177183820f, 0.176291434f,  /* 48 49 50 51 */
+   0.175425064f, 0.174583430f, 0.173765343f, 0.172969690f,  /* 52 53 54 55 */
+   0.172195434f, 0.171441601f, 0.170707280f, 0.169991616f,  /* 56 57 58 59 */
+   0.169293808f, 0.168613099f, 0.167948779f, 0.167300179f,  /* 60 61 62 63 */
+   0.166666667f
+};
+
diff --git a/security/nss/lib/freebl/mpi/make-logtab b/security/nss/lib/freebl/mpi/make-logtab
new file mode 100755
index 000000000..0ed950c70
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/make-logtab
@@ -0,0 +1,60 @@
+#!/usr/linguist/bin/perl
+
+#
+# make-logtab
+#
+# Generate a table of logarithms of 2 in various bases, for use in
+# estimating the output sizes of various bases.
+#
+## The contents of this file are subject to the Mozilla Public
+## License Version 1.1 (the "License"); you may not use this file
+## except in compliance with the License. You may obtain a copy of
+## the License at http://www.mozilla.org/MPL/
+##
+## Software distributed under the License is distributed on an "AS
+## IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+## implied. See the License for the specific language governing
+## rights and limitations under the License.
+##
+## The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+## library.
+##
+## The Initial Developer of the Original Code is 
+## Michael J. Fromberger <sting@linguist.dartmouth.edu>
+##
+## Portions created by Michael J. Fromberger are 
+## Copyright (C) 1998, 2000 Michael J. Fromberger. All Rights Reserved
+##
+## Contributor(s):
+##
+## Alternatively, the contents of this file may be used under the
+## terms of the GNU General Public License Version 2 or later (the
+## "GPL"), in which case the provisions of the GPL are applicable
+## instead of those above.  If you wish to allow use of your
+## version of this file only under the terms of the GPL and not to
+## allow others to use your version of this file under the MPL,
+## indicate your decision by deleting the provisions above and
+## replace them with the notice and other provisions required by
+## the GPL.  If you do not delete the provisions above, a recipient
+## may use your version of this file under either the MPL or the
+## GPL.
+#
+# $Id$
+
+$ARRAYNAME = $ENV{'ARRAYNAME'} || "s_logv_2";
+$ARRAYTYPE = $ENV{'ARRAYTYPE'} || "float";
+
+printf("const %s %s[] = {\n   %0.9ff, %0.9ff, ", 
+       $ARRAYTYPE, $ARRAYNAME, 0, 0);
+$brk = 2;
+for($ix = 2; $ix < 64; $ix++) {
+    printf("%0.9ff, ", (log(2)/log($ix)));
+    $brk = ($brk + 1) & 3;
+    if(!$brk) {
+	printf(" /* %2d %2d %2d %2d */\n   ",
+	       $ix - 3, $ix - 2, $ix - 1, $ix);
+    }
+}
+printf("%0.9ff\n};\n\n", (log(2)/log($ix)));
+
+exit 0;
diff --git a/security/nss/lib/freebl/mpi/make-test-arrays b/security/nss/lib/freebl/mpi/make-test-arrays
new file mode 100755
index 000000000..a55bf3a1e
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/make-test-arrays
@@ -0,0 +1,129 @@
+#!/usr/linguist/bin/perl
+
+#
+# make-test-arrays
+#
+# Given a test-arrays file, which specifies the test suite names, the
+# names of the functions which perform those test suites, and
+# descriptive comments, this script generates C structures for the
+# mpi-test program.  The input consists of lines of the form:
+#
+# suite-name:function-name:comment
+#
+# The output is written to the standard output.  Blank lines are
+# ignored, and comments beginning with '#' are stripped.
+#
+## The contents of this file are subject to the Mozilla Public
+## License Version 1.1 (the "License"); you may not use this file
+## except in compliance with the License. You may obtain a copy of
+## the License at http://www.mozilla.org/MPL/
+##
+## Software distributed under the License is distributed on an "AS
+## IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+## implied. See the License for the specific language governing
+## rights and limitations under the License.
+##
+## The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+## library.
+##
+## The Initial Developer of the Original Code is 
+## Michael J. Fromberger <sting@linguist.dartmouth.edu>
+##
+## Portions created by Michael J. Fromberger are 
+## Copyright (C) 1998, 2000 Michael J. Fromberger. All Rights Reserved
+##
+## Contributor(s):
+##
+## Alternatively, the contents of this file may be used under the
+## terms of the GNU General Public License Version 2 or later (the
+## "GPL"), in which case the provisions of the GPL are applicable
+## instead of those above.  If you wish to allow use of your
+## version of this file only under the terms of the GPL and not to
+## allow others to use your version of this file under the MPL,
+## indicate your decision by deleting the provisions above and
+## replace them with the notice and other provisions required by
+## the GPL.  If you do not delete the provisions above, a recipient
+## may use your version of this file under either the MPL or the GPL.
+## 
+# $Id$
+#
+
+# Read parameters from the environment, if available
+$NAMEVAR = $ENV{'NAMEVAR'} || "g_names";
+$COUNTVAR = $ENV{'COUNTVAR'} || "g_count";
+$FUNCVAR = $ENV{'FUNCVAR'} || "g_tests";
+$DESCVAR = $ENV{'DESCVAR'} || "g_descs";
+$FUNCLEN = 13;
+$NAMELEN = 18;
+$DESCLEN = 45;
+
+#------------------------------------------------------------------------
+# Suck in input from the files on the command line, or standard input
+while(<>) {
+    chomp;
+    s/\#.*$//;
+    next if /^\s*$/;
+
+    ($suite, $func, $desc) = split(/:/, $_);
+
+    $tmp = { "suite" => $suite,
+	     "func"  => $func,
+	     "desc"  => $desc };
+
+    push(@item, $tmp);
+}
+$count = scalar(@item);
+$last = pop(@item);
+
+#------------------------------------------------------------------------
+# Output the table of names
+print "/* Table mapping test suite names to index numbers */\n";
+printf("const int   %s = %d;\n", $COUNTVAR, $count);
+printf("const char *%s[] = {\n", $NAMEVAR);
+
+foreach $elt (@item) {
+    printf("   \"%s\",%s/* %s%s */\n", $elt->{"suite"},
+	   " " x ($NAMELEN - length($elt->{"suite"})),
+	   $elt->{"desc"},
+	   " " x ($DESCLEN - length($elt->{"desc"})));
+}
+printf("   \"%s\" %s/* %s%s */\n", $last->{"suite"},
+       " " x ($NAMELEN - length($last->{"suite"})),
+       $last->{"desc"},
+       " " x ($DESCLEN - length($last->{"desc"})));
+print "};\n\n";
+
+#------------------------------------------------------------------------
+# Output the driver function prototypes
+print "/* Test function prototypes */\n";
+foreach $elt (@item, $last) {
+    printf("int  %s(void);\n", $elt->{"func"});
+}
+print "\n";
+
+#------------------------------------------------------------------------
+# Output the table of functions
+print "/* Table mapping index numbers to functions */\n";
+printf("int (*%s[])(void)  = {\n   ", $FUNCVAR);
+$brk = 0;
+
+foreach $elt (@item) {
+    print($elt->{"func"}, ", ", 
+	  " " x ($FUNCLEN - length($elt->{"func"})));
+    $brk = ($brk + 1) & 3;
+    print "\n   " unless($brk);
+}
+print $last->{"func"}, "\n};\n\n";
+
+#------------------------------------------------------------------------
+# Output the table of descriptions
+print "/* Table mapping index numbers to descriptions */\n";
+printf("const char *%s[] = {\n", $DESCVAR);
+
+foreach $elt (@item) {
+    printf("   \"%s\",\n", $elt->{"desc"});
+}
+printf("   \"%s\"\n};\n\n", $last->{"desc"});
+
+exit 0;
+
diff --git a/security/nss/lib/freebl/mpi/mdxptest.c b/security/nss/lib/freebl/mpi/mdxptest.c
new file mode 100644
index 000000000..61d02e9a9
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mdxptest.c
@@ -0,0 +1,339 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <malloc.h>
+#include <time.h>
+#include "mpi.h"
+#include "mpi-priv.h"
+
+/* #define OLD_WAY 1  */
+
+/* This key is the 1024-bit test key used for speed testing of RSA private 
+** key ops.
+*/
+
+#define CONST const
+
+static CONST unsigned char default_n[128] = {
+0xc2,0xae,0x96,0x89,0xaf,0xce,0xd0,0x7b,0x3b,0x35,0xfd,0x0f,0xb1,0xf4,0x7a,0xd1,
+0x3c,0x7d,0xb5,0x86,0xf2,0x68,0x36,0xc9,0x97,0xe6,0x82,0x94,0x86,0xaa,0x05,0x39,
+0xec,0x11,0x51,0xcc,0x5c,0xa1,0x59,0xba,0x29,0x18,0xf3,0x28,0xf1,0x9d,0xe3,0xae,
+0x96,0x5d,0x6d,0x87,0x73,0xf6,0xf6,0x1f,0xd0,0x2d,0xfb,0x2f,0x7a,0x13,0x7f,0xc8,
+0x0c,0x7a,0xe9,0x85,0xfb,0xce,0x74,0x86,0xf8,0xef,0x2f,0x85,0x37,0x73,0x0f,0x62,
+0x4e,0x93,0x17,0xb7,0x7e,0x84,0x9a,0x94,0x11,0x05,0xca,0x0d,0x31,0x4b,0x2a,0xc8,
+0xdf,0xfe,0xe9,0x0c,0x13,0xc7,0xf2,0xad,0x19,0x64,0x28,0x3c,0xb5,0x6a,0xc8,0x4b,
+0x79,0xea,0x7c,0xce,0x75,0x92,0x45,0x3e,0xa3,0x9d,0x64,0x6f,0x04,0x69,0x19,0x17
+};
+
+static CONST unsigned char default_d[128] = {
+0x13,0xcb,0xbc,0xf2,0xf3,0x35,0x8c,0x6d,0x7b,0x6f,0xd9,0xf3,0xa6,0x9c,0xbd,0x80,
+0x59,0x2e,0x4f,0x2f,0x11,0xa7,0x17,0x2b,0x18,0x8f,0x0f,0xe8,0x1a,0x69,0x5f,0x6e,
+0xac,0x5a,0x76,0x7e,0xd9,0x4c,0x6e,0xdb,0x47,0x22,0x8a,0x57,0x37,0x7a,0x5e,0x94,
+0x7a,0x25,0xb5,0xe5,0x78,0x1d,0x3c,0x99,0xaf,0x89,0x7d,0x69,0x2e,0x78,0x9d,0x1d,
+0x84,0xc8,0xc1,0xd7,0x1a,0xb2,0x6d,0x2d,0x8a,0xd9,0xab,0x6b,0xce,0xae,0xb0,0xa0,
+0x58,0x55,0xad,0x5c,0x40,0x8a,0xd6,0x96,0x08,0x8a,0xe8,0x63,0xe6,0x3d,0x6c,0x20,
+0x49,0xc7,0xaf,0x0f,0x25,0x73,0xd3,0x69,0x43,0x3b,0xf2,0x32,0xf8,0x3d,0x5e,0xee,
+0x7a,0xca,0xd6,0x94,0x55,0xe5,0xbd,0x25,0x34,0x8d,0x63,0x40,0xb5,0x8a,0xc3,0x01
+};
+
+
+#define DEFAULT_ITERS 50
+
+typedef clock_t timetype;
+#define gettime(x) *(x) = clock()
+#define subtime(a, b) a -= b
+#define msec(x) ((clock_t)((double)x * 1000.0 / CLOCKS_PER_SEC))
+#define sec(x) (x / CLOCKS_PER_SEC)
+
+struct TimingContextStr {
+    timetype start;
+    timetype end;
+    timetype interval;
+
+    int   minutes;  
+    int   seconds;  
+    int   millisecs;
+};
+
+typedef struct TimingContextStr TimingContext;
+
+TimingContext *CreateTimingContext(void) 
+{
+    return (TimingContext *)malloc(sizeof(TimingContext));
+}
+
+void DestroyTimingContext(TimingContext *ctx) 
+{
+    free(ctx);
+}
+
+void TimingBegin(TimingContext *ctx) 
+{
+    gettime(&ctx->start);
+}
+
+static void timingUpdate(TimingContext *ctx) 
+{
+
+    ctx->millisecs = msec(ctx->interval) % 1000;
+    ctx->seconds   = sec(ctx->interval);
+    ctx->minutes   = ctx->seconds / 60;
+    ctx->seconds  %= 60;
+
+}
+
+void TimingEnd(TimingContext *ctx) 
+{
+    gettime(&ctx->end);
+    ctx->interval = ctx->end;
+    subtime(ctx->interval, ctx->start);
+    timingUpdate(ctx);
+}
+
+char *TimingGenerateString(TimingContext *ctx) 
+{
+    static char sBuf[4096];
+
+    sprintf(sBuf, "%d minutes, %d.%03d seconds", ctx->minutes,
+				ctx->seconds, ctx->millisecs);
+    return sBuf;
+}
+
+static void
+dumpBytes( unsigned char * b, int l)
+{
+    int i;
+    if (l <= 0)
+        return;
+    for (i = 0; i < l; ++i) {
+        if (i % 16 == 0)
+            printf("\t");
+        printf(" %02x", b[i]);
+        if (i % 16 == 15)
+            printf("\n");
+    }
+    if ((i % 16) != 0)
+        printf("\n");
+    printf("\n");
+}
+
+static mp_err
+testNewFuncs(const unsigned char * modulusBytes, int modulus_len)
+{
+    mp_err mperr	= MP_OKAY;
+    mp_int modulus;
+    unsigned char buf[512];
+
+    mperr = mp_init(&modulus);
+    mperr = mp_read_unsigned_octets(&modulus,  modulusBytes,  modulus_len );
+    mperr = mp_to_fixlen_octets(&modulus, buf, modulus_len);
+    mperr = mp_to_fixlen_octets(&modulus, buf, modulus_len+1);
+    mperr = mp_to_fixlen_octets(&modulus, buf, modulus_len+4);
+    mperr = mp_to_unsigned_octets(&modulus, buf, modulus_len);
+    mperr = mp_to_signed_octets(&modulus, buf, modulus_len + 1);
+    mp_clear(&modulus);
+    return mperr;
+}
+
+int
+testModExp( const unsigned char *      modulusBytes, 
+	    const unsigned int         expo,
+	    const unsigned char *      input, 
+	          unsigned char *      output,
+	          int                  modulus_len)
+{
+    mp_err mperr	= MP_OKAY;
+    mp_int modulus;
+    mp_int base;
+    mp_int exponent;
+    mp_int result;
+
+    mperr  = mp_init(&modulus);
+    mperr += mp_init(&base);
+    mperr += mp_init(&exponent);
+    mperr += mp_init(&result);
+    /* we initialize all mp_ints unconditionally, even if some fail.
+    ** This guarantees that the DIGITS pointer is valid (even if null).
+    ** So, mp_clear will do the right thing below. 
+    */
+    if (mperr == MP_OKAY) {
+      mperr  = mp_read_unsigned_octets(&modulus,  
+		modulusBytes + (sizeof default_n - modulus_len),  modulus_len );
+      mperr += mp_read_unsigned_octets(&base,     input,         modulus_len );
+      mp_set(&exponent, expo);
+      if (mperr == MP_OKAY) {
+#if OLD_WAY
+	mperr = s_mp_exptmod(&base, &exponent, &modulus, &result);
+#else
+	mperr = mp_exptmod(&base, &exponent, &modulus, &result);
+#endif
+	if (mperr == MP_OKAY) {
+	  mperr = mp_to_fixlen_octets(&result, output, modulus_len);
+	}
+      }
+    }
+    mp_clear(&base);
+    mp_clear(&result);
+
+    mp_clear(&modulus);
+    mp_clear(&exponent);
+
+    return (int)mperr;
+}
+
+int
+doModExp(   const unsigned char *      modulusBytes, 
+	    const unsigned char *      exponentBytes, 
+	    const unsigned char *      input, 
+	          unsigned char *      output,
+	          int                  modulus_len)
+{
+    mp_err mperr	= MP_OKAY;
+    mp_int modulus;
+    mp_int base;
+    mp_int exponent;
+    mp_int result;
+
+    mperr  = mp_init(&modulus);
+    mperr += mp_init(&base);
+    mperr += mp_init(&exponent);
+    mperr += mp_init(&result);
+    /* we initialize all mp_ints unconditionally, even if some fail.
+    ** This guarantees that the DIGITS pointer is valid (even if null).
+    ** So, mp_clear will do the right thing below. 
+    */
+    if (mperr == MP_OKAY) {
+      mperr  = mp_read_unsigned_octets(&modulus,  
+		modulusBytes + (sizeof default_n - modulus_len),  modulus_len );
+      mperr += mp_read_unsigned_octets(&exponent, exponentBytes, modulus_len );
+      mperr += mp_read_unsigned_octets(&base,     input,         modulus_len );
+      if (mperr == MP_OKAY) {
+#if OLD_WAY
+	mperr = s_mp_exptmod(&base, &exponent, &modulus, &result);
+#else
+	mperr = mp_exptmod(&base, &exponent, &modulus, &result);
+#endif
+	if (mperr == MP_OKAY) {
+	  mperr = mp_to_fixlen_octets(&result, output, modulus_len);
+	}
+      }
+    }
+    mp_clear(&base);
+    mp_clear(&result);
+
+    mp_clear(&modulus);
+    mp_clear(&exponent);
+
+    return (int)mperr;
+}
+
+int
+main(int argc, char **argv)
+{
+    TimingContext *	  timeCtx;
+    char *		  progName;
+    long 		  iters 	= DEFAULT_ITERS;
+    unsigned int 	  modulus_len;
+    int		 	  i;
+    int 		  rv;
+    unsigned char 	  buf [1024];
+    unsigned char 	  buf2[1024];
+
+    progName = strrchr(argv[0], '/');
+    if (!progName)
+	progName = strrchr(argv[0], '\\');
+    progName = progName ? progName+1 : argv[0];
+
+    if (argc >= 2) {
+	iters = atol(argv[1]);
+    }
+
+    if (argc >= 3) {
+	modulus_len = atol(argv[2]);
+    } else 
+	modulus_len = sizeof default_n;
+
+    /* no library init function !? */
+
+    memset(buf, 0x41, sizeof buf);
+
+  if (iters < 2) {
+    testNewFuncs( default_n, modulus_len);
+    testNewFuncs( default_n+1, modulus_len - 1);
+    testNewFuncs( default_n+2, modulus_len - 2);
+    testNewFuncs( default_n+3, modulus_len - 3);
+
+    printf("%lu allocations, %lu frees, %lu copies\n", mp_allocs, mp_frees, mp_copies);
+    rv = testModExp(default_n, 0, buf, buf2, modulus_len);
+    dumpBytes((unsigned char *)buf2, modulus_len);
+
+    printf("%lu allocations, %lu frees, %lu copies\n", mp_allocs, mp_frees, mp_copies);
+    rv = testModExp(default_n, 1, buf, buf2, modulus_len);
+    dumpBytes((unsigned char *)buf2, modulus_len);
+
+    printf("%lu allocations, %lu frees, %lu copies\n", mp_allocs, mp_frees, mp_copies);
+    rv = testModExp(default_n, 2, buf, buf2, modulus_len);
+    dumpBytes((unsigned char *)buf2, modulus_len);
+
+    printf("%lu allocations, %lu frees, %lu copies\n", mp_allocs, mp_frees, mp_copies);
+    rv = testModExp(default_n, 3, buf, buf2, modulus_len);
+    dumpBytes((unsigned char *)buf2, modulus_len);
+  }
+    printf("%lu allocations, %lu frees, %lu copies\n", mp_allocs, mp_frees, mp_copies);
+    rv = doModExp(default_n, default_d, buf, buf2, modulus_len);
+    if (rv != 0) {
+	fprintf(stderr, "Error in modexp operation:\n");
+	exit(1);
+    }
+    dumpBytes((unsigned char *)buf2, modulus_len);
+    printf("%lu allocations, %lu frees, %lu copies\n", mp_allocs, mp_frees, mp_copies);
+
+    timeCtx = CreateTimingContext();
+    TimingBegin(timeCtx);
+    i = iters;
+    while (i--) {
+	rv = doModExp(default_n, default_d, buf, buf2, modulus_len);
+	if (rv != 0) {
+	    fprintf(stderr, "Error in modexp operation\n");
+	    exit(1);
+	}
+    }
+    TimingEnd(timeCtx);
+    printf("%ld iterations in %s\n", iters, TimingGenerateString(timeCtx));
+    printf("%lu allocations, %lu frees, %lu copies\n", mp_allocs, mp_frees, mp_copies);
+
+    return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/montmulf.c b/security/nss/lib/freebl/mpi/montmulf.c
new file mode 100644
index 000000000..2cf0825f8
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/montmulf.c
@@ -0,0 +1,326 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is SPARC optimized Montgomery multiply functions.
+ *
+ * The Initial Developer of the Original Code is Sun Microsystems Inc.
+ * Portions created by Sun Microsystems Inc. are 
+ * Copyright (C) 1999-2000 Sun Microsystems Inc.  All Rights Reserved.
+ * 
+ * Contributor(s):
+ *	Netscape Communications Corporation
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.	If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ *  $Id$
+ */
+
+#ifdef SOLARIS
+#define RF_INLINE_MACROS 1
+#endif
+
+static const double TwoTo16=65536.0;
+static const double TwoToMinus16=1.0/65536.0;
+static const double Zero=0.0;
+static const double TwoTo32=65536.0*65536.0;
+static const double TwoToMinus32=1.0/(65536.0*65536.0);
+
+#ifdef RF_INLINE_MACROS
+
+double upper32(double);
+double lower32(double, double);
+double mod(double, double, double);
+
+void i16_to_d16_and_d32x4(const double * /*1/(2^16)*/, 
+			  const double * /* 2^16*/,
+			  const double * /* 0 */,
+			  double *       /*result16*/, 
+			  double *       /* result32 */,
+			  float *  /*source - should be unsigned int*
+		          	       converted to float* */);
+
+#else
+#ifdef MP_USE_FLOOR
+#include <math.h>
+#else
+#define floor(d) ((double)((unsigned long long)(d)))
+#endif
+
+static double upper32(double x)
+{
+  return floor(x*TwoToMinus32);
+}
+
+static double lower32(double x, double y)
+{
+  return x-TwoTo32*floor(x*TwoToMinus32);
+}
+
+static double mod(double x, double oneoverm, double m)
+{
+  return x-m*floor(x*oneoverm);
+}
+
+#endif
+
+
+static void cleanup(double *dt, int from, int tlen)
+{
+ int i;
+ double tmp,tmp1,x,x1;
+
+ tmp=tmp1=Zero;
+ /* original code **
+ for(i=2*from;i<2*tlen-2;i++)
+   {
+     x=dt[i];
+     dt[i]=lower32(x,Zero)+tmp1;
+     tmp1=tmp;
+     tmp=upper32(x);
+   }
+ dt[tlen-2]+=tmp1;
+ dt[tlen-1]+=tmp;
+ **end original code ***/
+ /* new code ***/
+ for(i=2*from;i<2*tlen;i+=2)
+   {
+     x=dt[i];
+     x1=dt[i+1];
+     dt[i]=lower32(x,Zero)+tmp;
+     dt[i+1]=lower32(x1,Zero)+tmp1;
+     tmp=upper32(x);
+     tmp1=upper32(x1);
+   }
+  /** end new code **/
+}
+
+
+void conv_d16_to_i32(unsigned int *i32, double *d16, long long *tmp, int ilen)
+{
+int i;
+long long t, t1, a, b, c, d;
+
+ t1=0;
+ a=(long long)d16[0];
+ b=(long long)d16[1];
+ for(i=0; i<ilen-1; i++)
+   {
+     c=(long long)d16[2*i+2];
+     t1+=(unsigned int)a;
+     t=(a>>32);
+     d=(long long)d16[2*i+3];
+     t1+=(b&0xffff)<<16;
+     t+=(b>>16)+(t1>>32);
+     i32[i]=(unsigned int)t1;
+     t1=t;
+     a=c;
+     b=d;
+   }
+ t1+=(unsigned int)a;
+ t=(a>>32);
+ t1+=(b&0xffff)<<16;
+ i32[i]=(unsigned int)t1;
+}
+
+void conv_i32_to_d32(double *d32, unsigned int *i32, int len)
+{
+int i;
+
+#pragma pipeloop(0)
+ for(i=0;i<len;i++) d32[i]=(double)(i32[i]);
+}
+
+
+void conv_i32_to_d16(double *d16, unsigned int *i32, int len)
+{
+int i;
+unsigned int a;
+
+#pragma pipeloop(0)
+ for(i=0;i<len;i++)
+   {
+     a=i32[i];
+     d16[2*i]=(double)(a&0xffff);
+     d16[2*i+1]=(double)(a>>16);
+   }
+}
+
+
+void conv_i32_to_d32_and_d16(double *d32, double *d16, 
+			     unsigned int *i32, int len)
+{
+int i = 0;
+unsigned int a;
+
+#pragma pipeloop(0)
+#ifdef RF_INLINE_MACROS
+ for(;i<len-3;i+=4)
+   {
+     i16_to_d16_and_d32x4(&TwoToMinus16, &TwoTo16, &Zero,
+			  &(d16[2*i]), &(d32[i]), (float *)(&(i32[i])));
+   }
+#endif
+ for(;i<len;i++)
+   {
+     a=i32[i];
+     d32[i]=(double)(i32[i]);
+     d16[2*i]=(double)(a&0xffff);
+     d16[2*i+1]=(double)(a>>16);
+   }
+}
+
+
+void adjust_montf_result(unsigned int *i32, unsigned int *nint, int len)
+{
+long long acc;
+int i;
+
+ if(i32[len]>0) i=-1;
+ else
+   {
+     for(i=len-1; i>=0; i--)
+       {
+	 if(i32[i]!=nint[i]) break;
+       }
+   }
+ if((i<0)||(i32[i]>nint[i]))
+   {
+     acc=0;
+     for(i=0;i<len;i++)
+       {
+	 acc=acc+(unsigned long long)(i32[i])-(unsigned long long)(nint[i]);
+	 i32[i]=(unsigned int)acc;
+	 acc=acc>>32;
+       }
+   }
+}
+
+
+
+
+/*
+** the lengths of the input arrays should be at least the following:
+** result[nlen+1], dm1[nlen], dm2[2*nlen+1], dt[4*nlen+2], dn[nlen], nint[nlen]
+** all of them should be different from one another
+**
+*/
+void mont_mulf_noconv(unsigned int *result,
+		     double *dm1, double *dm2, double *dt,
+		     double *dn, unsigned int *nint,
+		     int nlen, double dn0)
+{
+ int i, j, jj;
+ int tmp;
+ double digit, m2j, nextm2j, a, b;
+ double *dptmp, *pdm1, *pdm2, *pdn, *pdtj, pdn_0, pdm1_0;
+
+ pdm1=&(dm1[0]);
+ pdm2=&(dm2[0]);
+ pdn=&(dn[0]);
+ pdm2[2*nlen]=Zero;
+
+ if (nlen!=16)
+   {
+     for(i=0;i<4*nlen+2;i++) dt[i]=Zero;
+
+     a=dt[0]=pdm1[0]*pdm2[0];
+     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
+
+     pdtj=&(dt[0]);
+     for(j=jj=0;j<2*nlen;j++,jj++,pdtj++)
+       {
+	 m2j=pdm2[j];
+	 a=pdtj[0]+pdn[0]*digit;
+	 b=pdtj[1]+pdm1[0]*pdm2[j+1]+a*TwoToMinus16;
+	 pdtj[1]=b;
+
+#pragma pipeloop(0)
+	 for(i=1;i<nlen;i++)
+	   {
+	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
+	   }
+ 	 if((jj==30)) {cleanup(dt,j/2+1,2*nlen+1); jj=0;}
+	 
+	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
+       }
+   }
+ else
+   {
+     a=dt[0]=pdm1[0]*pdm2[0];
+
+     dt[65]=     dt[64]=     dt[63]=     dt[62]=     dt[61]=     dt[60]=
+     dt[59]=     dt[58]=     dt[57]=     dt[56]=     dt[55]=     dt[54]=
+     dt[53]=     dt[52]=     dt[51]=     dt[50]=     dt[49]=     dt[48]=
+     dt[47]=     dt[46]=     dt[45]=     dt[44]=     dt[43]=     dt[42]=
+     dt[41]=     dt[40]=     dt[39]=     dt[38]=     dt[37]=     dt[36]=
+     dt[35]=     dt[34]=     dt[33]=     dt[32]=     dt[31]=     dt[30]=
+     dt[29]=     dt[28]=     dt[27]=     dt[26]=     dt[25]=     dt[24]=
+     dt[23]=     dt[22]=     dt[21]=     dt[20]=     dt[19]=     dt[18]=
+     dt[17]=     dt[16]=     dt[15]=     dt[14]=     dt[13]=     dt[12]=
+     dt[11]=     dt[10]=     dt[ 9]=     dt[ 8]=     dt[ 7]=     dt[ 6]=
+     dt[ 5]=     dt[ 4]=     dt[ 3]=     dt[ 2]=     dt[ 1]=Zero;
+
+     pdn_0=pdn[0];
+     pdm1_0=pdm1[0];
+
+     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
+     pdtj=&(dt[0]);
+
+     for(j=0;j<32;j++,pdtj++)
+       {
+
+	 m2j=pdm2[j];
+	 a=pdtj[0]+pdn_0*digit;
+	 b=pdtj[1]+pdm1_0*pdm2[j+1]+a*TwoToMinus16;
+	 pdtj[1]=b;
+
+	 /**** this loop will be fully unrolled:
+	 for(i=1;i<16;i++)
+	   {
+	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
+	   }
+	 *************************************/
+	     pdtj[2]+=pdm1[1]*m2j+pdn[1]*digit;
+	     pdtj[4]+=pdm1[2]*m2j+pdn[2]*digit;
+	     pdtj[6]+=pdm1[3]*m2j+pdn[3]*digit;
+	     pdtj[8]+=pdm1[4]*m2j+pdn[4]*digit;
+	     pdtj[10]+=pdm1[5]*m2j+pdn[5]*digit;
+	     pdtj[12]+=pdm1[6]*m2j+pdn[6]*digit;
+	     pdtj[14]+=pdm1[7]*m2j+pdn[7]*digit;
+	     pdtj[16]+=pdm1[8]*m2j+pdn[8]*digit;
+	     pdtj[18]+=pdm1[9]*m2j+pdn[9]*digit;
+	     pdtj[20]+=pdm1[10]*m2j+pdn[10]*digit;
+	     pdtj[22]+=pdm1[11]*m2j+pdn[11]*digit;
+	     pdtj[24]+=pdm1[12]*m2j+pdn[12]*digit;
+	     pdtj[26]+=pdm1[13]*m2j+pdn[13]*digit;
+	     pdtj[28]+=pdm1[14]*m2j+pdn[14]*digit;
+	     pdtj[30]+=pdm1[15]*m2j+pdn[15]*digit;
+	 /* no need for cleenup, cannot overflow */
+	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
+       }
+   }
+
+ conv_d16_to_i32(result,dt+2*nlen,(long long *)dt,nlen+1);
+
+ adjust_montf_result(result,nint,nlen); 
+ 
+}
+
diff --git a/security/nss/lib/freebl/mpi/montmulf.h b/security/nss/lib/freebl/mpi/montmulf.h
new file mode 100644
index 000000000..5fd5dd4e3
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/montmulf.h
@@ -0,0 +1,100 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is interface file for SPARC Montgomery multiply functions.
+ *
+ * The Initial Developer of the Original Code is Sun Microsystems Inc.
+ * Portions created by Sun Microsystems Inc. are 
+ * Copyright (C) 1999-2000 Sun Microsystems Inc.  All Rights Reserved.
+ * 
+ * Contributor(s):
+ *	Netscape Communications Corporation
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.	If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ *  $Id$
+ */
+
+/*  The functions that are to be called from outside of the .s file have the
+ *  following interfaces and array size requirements:
+ */
+
+
+void conv_i32_to_d32(double *d32, unsigned int *i32, int len);
+
+/*  Converts an array of int's to an array of doubles, so that each double
+ *  corresponds to an int.  len is the number of items converted.
+ *  Does not allocate the output array.
+ *  The pointers d32 and i32 should point to arrays of size at least  len
+ *  (doubles and unsigned ints, respectively)
+ */
+
+
+void conv_i32_to_d16(double *d16, unsigned int *i32, int len);
+
+/*  Converts an array of int's to an array of doubles so that each element
+ *  of the int array is converted to a pair of doubles, the first one
+ *  corresponding to the lower (least significant) 16 bits of the int and
+ *  the second one corresponding to the upper (most significant) 16 bits of
+ *  the 32-bit int. len is the number of ints converted.
+ *  Does not allocate the output array.
+ *  The pointer d16 should point to an array of doubles of size at least
+ *  2*len and i32 should point an array of ints of size at least  len
+ */
+
+
+void conv_i32_to_d32_and_d16(double *d32, double *d16, 
+			     unsigned int *i32, int len);
+
+/*  Does the above two conversions together, it is much faster than doing
+ *  both of those in succession
+ */
+
+
+void mont_mulf_noconv(unsigned int *result,
+		     double *dm1, double *dm2, double *dt,
+		     double *dn, unsigned int *nint,
+		     int nlen, double dn0);
+
+/*  Does the Montgomery multiplication of the numbers stored in the arrays
+ *  pointed to by dm1 and dm2, writing the result to the array pointed to by
+ *  result. It uses the array pointed to by dt as a temporary work area.
+ *  nint should point to the modulus in the array-of-integers representation, 
+ *  dn should point to its array-of-doubles as obtained as a result of the
+ *  function call   conv_i32_to_d32(dn, nint, nlen);
+ *  nlen is the length of the array containing the modulus.
+ *  The representation used for dm1 is the one that is a result of the function
+ *  call   conv_i32_to_d32(dm1, m1, nlen), the representation for dm2 is the
+ *  result of the function call   conv_i32_to_d16(dm2, m2, nlen).
+ *  Note that m1 and m2 should both be of length nlen, so they should be
+ *  padded with 0's if necessary before the conversion. The result comes in 
+ *  this form (int representation, padded with 0's).
+ *  dn0 is the value of the 16 least significant bits of n0'.
+ *  The function does not allocate memory for any of the arrays, so the 
+ *  pointers should point to arrays with the following minimal sizes:
+ *  result - nlen+1
+ *  dm1    - nlen
+ *  dm2    - 2*nlen+1  ( the +1 is necessary for technical reasons )
+ *  dt     - 4*nlen+2
+ *  dn     - nlen
+ *  nint   - nlen
+ *  No two arrays should point to overlapping areas of memory.
+ */  
diff --git a/security/nss/lib/freebl/mpi/montmulf.il b/security/nss/lib/freebl/mpi/montmulf.il
new file mode 100644
index 000000000..b3dd734b6
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/montmulf.il
@@ -0,0 +1,137 @@
+!  
+!  The contents of this file are subject to the Mozilla Public
+!  License Version 1.1 (the "License"); you may not use this file
+!  except in compliance with the License. You may obtain a copy of
+!  the License at http://www.mozilla.org/MPL/
+!  
+!  Software distributed under the License is distributed on an "AS
+!  IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+!  implied. See the License for the specific language governing
+!  rights and limitations under the License.
+!  
+!  The Original Code is inline macros for SPARC Montgomery multiply functions.
+!  
+!  The Initial Developer of the Original Code is Sun Microsystems Inc.
+!  Portions created by Sun Microsystems Inc. are 
+!  Copyright (C) 1999-2000 Sun Microsystems Inc.  All Rights Reserved.
+!  
+!  Contributor(s):
+!  
+!  Alternatively, the contents of this file may be used under the
+!  terms of the GNU General Public License Version 2 or later (the
+!  "GPL"), in which case the provisions of the GPL are applicable 
+!  instead of those above.	If you wish to allow use of your 
+!  version of this file only under the terms of the GPL and not to
+!  allow others to use your version of this file under the MPL,
+!  indicate your decision by deleting the provisions above and
+!  replace them with the notice and other provisions required by
+!  the GPL.  If you do not delete the provisions above, a recipient
+!  may use your version of this file under either the MPL or the
+!  GPL.
+!  
+!   $Id$
+!  
+
+!
+! double upper32(double /*frs1*/);
+!
+        .inline upper32,8
+        std     %o0,[%sp+0x48]
+        ldd     [%sp+0x48],%f10
+
+	fdtox	%f10,%f10
+	fitod	%f10,%f0
+        .end
+
+!
+! double lower32(double /*frs1*/, double /* Zero */);
+!
+        .inline lower32,8
+        std     %o0,[%sp+0x48]
+        ldd     [%sp+0x48],%f10
+        std     %o2,[%sp+0x48]
+        ldd     [%sp+0x48],%f12
+
+	fdtox	%f10,%f10
+	fmovs	%f12,%f10
+	fxtod	%f10,%f0
+        .end
+
+!
+! double mod(double /*x*/, double /*1/m*/, double /*m*/);
+!
+        .inline mod,12
+        std     %o0,[%sp+0x48]
+        ldd     [%sp+0x48],%f2
+        std     %o2,[%sp+0x48]
+        ldd     [%sp+0x48],%f4
+        std     %o4,[%sp+0x48]
+        ldd     [%sp+0x48],%f6
+
+	fmuld	%f2,%f4,%f4
+	fdtox	%f4,%f4
+	fxtod	%f4,%f4
+	fmuld	%f4,%f6,%f4
+	fsubd	%f2,%f4,%f0
+        .end
+
+
+!
+! void i16_to_d16_and_d32x4(double * /*1/(2^16)*/, double * /* 2^16*/,
+!			    double * /* 0 */,
+!			    double * /*result16*/, double * /* result32 */
+!			    float *  /*source - should be unsigned int*
+!		            	       converted to float* */);
+!
+        .inline i16_to_d16_and_d32x4,24
+        ldd     [%o0],%f2  ! 1/(2^16)
+        ldd     [%o1],%f4  ! 2^16
+	ldd	[%o2],%f22
+
+	fmovd	%f22,%f6
+	ld	[%o5],%f7
+	fmovd	%f22,%f10
+	ld	[%o5+4],%f11
+	fmovd	%f22,%f14
+	ld	[%o5+8],%f15
+	fmovd	%f22,%f18
+	ld	[%o5+12],%f19
+	fxtod	%f6,%f6
+	std	%f6,[%o4]
+	fxtod	%f10,%f10
+	std	%f10,[%o4+8]
+	fxtod	%f14,%f14
+	std	%f14,[%o4+16]
+	fxtod	%f18,%f18
+	std	%f18,[%o4+24]
+	fmuld	%f2,%f6,%f8
+	fmuld	%f2,%f10,%f12
+	fmuld	%f2,%f14,%f16
+	fmuld	%f2,%f18,%f20
+	fdtox	%f8,%f8
+	fdtox	%f12,%f12
+	fdtox	%f16,%f16
+	fdtox	%f20,%f20
+	fxtod	%f8,%f8
+	std	%f8,[%o3+8]
+	fxtod	%f12,%f12
+	std	%f12,[%o3+24]
+	fxtod	%f16,%f16
+	std	%f16,[%o3+40]
+	fxtod	%f20,%f20
+	std	%f20,[%o3+56]
+	fmuld	%f8,%f4,%f8
+	fmuld	%f12,%f4,%f12
+	fmuld	%f16,%f4,%f16
+	fmuld	%f20,%f4,%f20
+	fsubd	%f6,%f8,%f8
+	std	%f8,[%o3]
+	fsubd	%f10,%f12,%f12
+	std	%f12,[%o3+16]
+	fsubd	%f14,%f16,%f16
+	std	%f16,[%o3+32]
+	fsubd	%f18,%f20,%f20
+	std	%f20,[%o3+48]
+        .end
+
+
diff --git a/security/nss/lib/freebl/mpi/montmulf.s b/security/nss/lib/freebl/mpi/montmulf.s
new file mode 100644
index 000000000..cdb5d376e
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/montmulf.s
@@ -0,0 +1,1967 @@
+!  
+!  The contents of this file are subject to the Mozilla Public
+!  License Version 1.1 (the "License"); you may not use this file
+!  except in compliance with the License. You may obtain a copy of
+!  the License at http://www.mozilla.org/MPL/
+!  
+!  Software distributed under the License is distributed on an "AS
+!  IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+!  implied. See the License for the specific language governing
+!  rights and limitations under the License.
+!  
+!  The Original Code is SPARC hand-optimized Montgomery multiply functions.
+!   
+!  The Initial Developer of the Original Code is Sun Microsystems Inc.
+!  Portions created by Sun Microsystems Inc. are 
+!  Copyright (C) 1999-2000 Sun Microsystems Inc.  All Rights Reserved.
+!  
+!  Contributor(s):
+!  
+!  Alternatively, the contents of this file may be used under the
+!  terms of the GNU General Public License Version 2 or later (the
+!  "GPL"), in which case the provisions of the GPL are applicable 
+!  instead of those above.	If you wish to allow use of your 
+!  version of this file only under the terms of the GPL and not to
+!  allow others to use your version of this file under the MPL,
+!  indicate your decision by deleting the provisions above and
+!  replace them with the notice and other provisions required by
+!  the GPL.  If you do not delete the provisions above, a recipient
+!  may use your version of this file under either the MPL or the
+!  GPL.
+!  
+!   $Id$
+!  
+
+	.section	".text",#alloc,#execinstr
+	.file	"montmulf.c"
+
+	.section	".data",#alloc,#write
+	.align	8
+TwoTo16:		/* frequency 1.0 confidence 0.0 */
+	.word	1089470464
+	.word	0
+	.type	TwoTo16,#object
+	.size	TwoTo16,8
+TwoToMinus16:		/* frequency 1.0 confidence 0.0 */
+	.word	1055916032
+	.word	0
+	.type	TwoToMinus16,#object
+	.size	TwoToMinus16,8
+Zero:		/* frequency 1.0 confidence 0.0 */
+	.word	0
+	.word	0
+	.type	Zero,#object
+	.size	Zero,8
+TwoTo32:		/* frequency 1.0 confidence 0.0 */
+	.word	1106247680
+	.word	0
+	.type	TwoTo32,#object
+	.size	TwoTo32,8
+TwoToMinus32:		/* frequency 1.0 confidence 0.0 */
+	.word	1039138816
+	.word	0
+	.type	TwoToMinus32,#object
+	.size	TwoToMinus32,8
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 ( 0  0) */		.align	4
+!
+! SUBROUTINE cleanup
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
+
+                                   	.global cleanup
+                                   cleanup:		/* frequency 1.0 confidence 0.0 */
+! FILE montmulf.c
+
+!    1		                    !#define RF_INLINE_MACROS
+!    3		                    !static double TwoTo16=65536.0;
+!    4		                    !static double TwoToMinus16=1.0/65536.0;
+!    5		                    !static double Zero=0.0;
+!    6		                    !static double TwoTo32=65536.0*65536.0;
+!    7		                    !static double TwoToMinus32=1.0/(65536.0*65536.0);
+!    9		                    !#ifdef RF_INLINE_MACROS
+!   11		                    !double upper32(double);
+!   12		                    !double lower32(double, double);
+!   13		                    !double mod(double, double, double);
+!   15		                    !#else
+!   17		                    !static double upper32(double x)
+!   18		                    !{
+!   19		                    !  return floor(x*TwoToMinus32);
+!   20		                    !}
+!   22		                    !static double lower32(double x, double y)
+!   23		                    !{
+!   24		                    !  return x-TwoTo32*floor(x*TwoToMinus32);
+!   25		                    !}
+!   27		                    !static double mod(double x, double oneoverm, double m)
+!   28		                    !{
+!   29		                    !  return x-m*floor(x*oneoverm);
+!   30		                    !}
+!   32		                    !#endif
+!   35		                    !void cleanup(double *dt, int from, int tlen)
+!   36		                    !{
+!   37		                    ! int i;
+!   38		                    ! double tmp,tmp1,x,x1;
+!   40		                    ! tmp=tmp1=Zero;
+
+/* 000000	  40 ( 0  1) */		sethi	%hi(Zero),%g2
+
+!   41		                    ! /* original code **
+!   42		                    ! for(i=2*from;i<2*tlen-2;i++)
+!   43		                    !   {
+!   44		                    !     x=dt[i];
+!   45		                    !     dt[i]=lower32(x,Zero)+tmp1;
+!   46		                    !     tmp1=tmp;
+!   47		                    !     tmp=upper32(x);
+!   48		                    !   }
+!   49		                    ! dt[tlen-2]+=tmp1;
+!   50		                    ! dt[tlen-1]+=tmp;
+!   51		                    ! **end original code ***/
+!   52		                    ! /* new code ***/
+!   53		                    ! for(i=2*from;i<2*tlen;i+=2)
+
+/* 0x0004	  53 ( 1  2) */		sll	%o2,1,%g3
+/* 0x0008	  40 ( 1  4) */		ldd	[%g2+%lo(Zero)],%f0
+/* 0x000c	     ( 1  2) */		add	%g2,%lo(Zero),%g2
+/* 0x0010	  53 ( 2  3) */		sll	%o1,1,%g4
+/* 0x0014	  36 ( 3  4) */		sll	%o1,4,%g1
+/* 0x0018	  40 ( 3  4) */		fmovd	%f0,%f4
+/* 0x001c	  53 ( 3  4) */		cmp	%g4,%g3
+/* 0x0020	     ( 3  4) */		bge,pt	%icc,.L77000116	! tprob=0.56
+/* 0x0024	     ( 4  5) */		fmovd	%f0,%f2
+/* 0x0028	  36 ( 4  5) */		add	%o0,%g1,%g1
+/* 0x002c	     ( 4  5) */		sub	%g3,1,%g3
+
+!   54		                    !   {
+!   55		                    !     x=dt[i];
+
+/* 0x0030	  55 ( 5  8) */		ldd	[%g1],%f8
+                                   .L900000114:		/* frequency 6.4 confidence 0.0 */
+/* 0x0034	     ( 0  3) */		fdtox	%f8,%f6
+
+!   56		                    !     x1=dt[i+1];
+
+/* 0x0038	  56 ( 0  3) */		ldd	[%g1+8],%f10
+
+!   57		                    !     dt[i]=lower32(x,Zero)+tmp;
+!   58		                    !     dt[i+1]=lower32(x1,Zero)+tmp1;
+!   59		                    !     tmp=upper32(x);
+!   60		                    !     tmp1=upper32(x1);
+
+/* 0x003c	  60 ( 0  1) */		add	%g4,2,%g4
+/* 0x0040	     ( 1  4) */		fdtox	%f8,%f8
+/* 0x0044	     ( 1  2) */		cmp	%g4,%g3
+/* 0x0048	     ( 5  6) */		fmovs	%f0,%f6
+/* 0x004c	     ( 7 10) */		fxtod	%f6,%f6
+/* 0x0050	     ( 8 11) */		fdtox	%f10,%f0
+/* 0x0054	  57 (10 13) */		faddd	%f6,%f2,%f2
+/* 0x0058	     (10 11) */		std	%f2,[%g1]
+/* 0x005c	     (12 15) */		ldd	[%g2],%f2
+/* 0x0060	     (14 15) */		fmovs	%f2,%f0
+/* 0x0064	     (16 19) */		fxtod	%f0,%f6
+/* 0x0068	     (17 20) */		fdtox	%f10,%f0
+/* 0x006c	     (18 21) */		fitod	%f8,%f2
+/* 0x0070	  58 (19 22) */		faddd	%f6,%f4,%f4
+/* 0x0074	     (19 20) */		std	%f4,[%g1+8]
+/* 0x0078	  60 (19 20) */		add	%g1,16,%g1
+/* 0x007c	     (20 23) */		fitod	%f0,%f4
+/* 0x0080	     (20 23) */		ldd	[%g2],%f0
+/* 0x0084	     (20 21) */		ble,a,pt	%icc,.L900000114	! tprob=0.86
+/* 0x0088	     (21 24) */		ldd	[%g1],%f8
+                                   .L77000116:		/* frequency 1.0 confidence 0.0 */
+/* 0x008c	     ( 0  2) */		retl	! Result = 
+/* 0x0090	     ( 1  2) */		nop
+/* 0x0094	   0 ( 0  0) */		.type	cleanup,2
+/* 0x0094	     ( 0  0) */		.size	cleanup,(.-cleanup)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 ( 0  0) */		.align	4
+!
+! SUBROUTINE conv_d16_to_i32
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
+
+                                   	.global conv_d16_to_i32
+                                   conv_d16_to_i32:		/* frequency 1.0 confidence 0.0 */
+/* 000000	     ( 0  1) */		save	%sp,-136,%sp
+
+!   61		                    !   }
+!   62		                    !  /** end new code **/
+!   63		                    !}
+!   66		                    !void conv_d16_to_i32(unsigned int *i32, double *d16, long long *tmp, int ilen)
+!   67		                    !{
+!   68		                    !int i;
+!   69		                    !long long t, t1, a, b, c, d;
+!   71		                    ! t1=0;
+!   72		                    ! a=(long long)d16[0];
+
+/* 0x0004	  72 ( 1  4) */		ldd	[%i1],%f0
+
+!   73		                    ! b=(long long)d16[1];
+!   74		                    ! for(i=0; i<ilen-1; i++)
+
+/* 0x0008	  74 ( 1  2) */		sub	%i3,1,%g2
+/* 0x000c	  67 ( 1  2) */		or	%g0,%i0,%g5
+/* 0x0010	  74 ( 2  3) */		cmp	%g2,0
+/* 0x0014	  71 ( 2  3) */		or	%g0,0,%o4
+/* 0x0018	  72 ( 3  6) */		fdtox	%f0,%f0
+/* 0x001c	     ( 3  4) */		std	%f0,[%sp+120]
+/* 0x0020	  74 ( 3  4) */		or	%g0,0,%o7
+/* 0x0024	  67 ( 4  5) */		or	%g0,%i3,%o0
+/* 0x0028	     ( 4  5) */		sub	%i3,2,%o2
+/* 0x002c	  73 ( 5  8) */		ldd	[%i1+8],%f0
+/* 0x0030	  67 ( 5  6) */		sethi	%hi(0xfc00),%o0
+/* 0x0034	     ( 5  6) */		add	%o2,1,%g3
+/* 0x0038	     ( 6  7) */		add	%o0,1023,%o1
+/* 0x003c	     ( 6  7) */		or	%g0,%g5,%o5
+/* 0x0040	  73 ( 7 10) */		fdtox	%f0,%f0
+/* 0x0044	     ( 7  8) */		std	%f0,[%sp+112]
+/* 0x0048	  72 (11 13) */		ldx	[%sp+120],%g4
+/* 0x004c	  73 (12 14) */		ldx	[%sp+112],%g1
+/* 0x0050	  74 (12 13) */		ble,pt	%icc,.L900000214	! tprob=0.56
+/* 0x0054	     (12 13) */		sethi	%hi(0xfc00),%g2
+/* 0x0058	  67 (13 14) */		or	%g0,-1,%g2
+/* 0x005c	  74 (13 14) */		cmp	%g3,3
+/* 0x0060	  67 (14 15) */		srl	%g2,0,%o3
+/* 0x0064	     (14 15) */		or	%g0,%i1,%g2
+/* 0x0068	  74 (14 15) */		bl,pn	%icc,.L77000134	! tprob=0.44
+/* 0x006c	     (15 18) */		ldd	[%g2+16],%f0
+
+!   75		                    !   {
+!   76		                    !     c=(long long)d16[2*i+2];
+!   77		                    !     t1+=a&0xffffffff;
+!   78		                    !     t=(a>>32);
+!   79		                    !     d=(long long)d16[2*i+3];
+!   80		                    !     t1+=(b&0xffff)<<16;
+
+/* 0x0070	  80 (15 16) */		and	%g1,%o1,%o0
+
+!   81		                    !     t+=(b>>16)+(t1>>32);
+!   82		                    !     i32[i]=t1&0xffffffff;
+!   83		                    !     t1=t;
+!   84		                    !     a=c;
+!   85		                    !     b=d;
+
+/* 0x0074	  85 (15 16) */		add	%g2,16,%g2
+/* 0x0078	  80 (16 17) */		sllx	%o0,16,%g3
+/* 0x007c	  77 (16 17) */		and	%g4,%o3,%o0
+/* 0x0080	  76 (17 20) */		fdtox	%f0,%f0
+/* 0x0084	     (17 18) */		std	%f0,[%sp+104]
+/* 0x0088	  74 (17 18) */		add	%o0,%g3,%o4
+/* 0x008c	  79 (18 21) */		ldd	[%g2+8],%f2
+/* 0x0090	  81 (18 19) */		srax	%g1,16,%o0
+/* 0x0094	  82 (18 19) */		and	%o4,%o3,%o7
+/* 0x0098	  81 (19 20) */		stx	%o0,[%sp+112]
+/* 0x009c	     (19 20) */		srax	%o4,32,%o0
+/* 0x00a0	  85 (19 20) */		add	%g5,4,%o5
+/* 0x00a4	  81 (20 21) */		stx	%o0,[%sp+120]
+/* 0x00a8	  78 (20 21) */		srax	%g4,32,%o4
+/* 0x00ac	  79 (20 23) */		fdtox	%f2,%f0
+/* 0x00b0	     (21 22) */		std	%f0,[%sp+96]
+/* 0x00b4	  81 (22 24) */		ldx	[%sp+112],%o0
+/* 0x00b8	     (23 25) */		ldx	[%sp+120],%g4
+/* 0x00bc	  76 (25 27) */		ldx	[%sp+104],%g3
+/* 0x00c0	  81 (25 26) */		add	%o0,%g4,%g4
+/* 0x00c4	  79 (26 28) */		ldx	[%sp+96],%g1
+/* 0x00c8	  81 (26 27) */		add	%o4,%g4,%o4
+/* 0x00cc	  82 (27 28) */		st	%o7,[%g5]
+/* 0x00d0	     (27 28) */		or	%g0,1,%o7
+/* 0x00d4	  84 (27 28) */		or	%g0,%g3,%g4
+                                   .L900000209:		/* frequency 64.0 confidence 0.0 */
+/* 0x00d8	  76 (17 19) */		ldd	[%g2+16],%f0
+/* 0x00dc	  85 (17 18) */		add	%o7,1,%o7
+/* 0x00e0	     (17 18) */		add	%o5,4,%o5
+/* 0x00e4	     (18 18) */		cmp	%o7,%o2
+/* 0x00e8	     (18 19) */		add	%g2,16,%g2
+/* 0x00ec	  76 (19 22) */		fdtox	%f0,%f0
+/* 0x00f0	     (20 21) */		std	%f0,[%sp+104]
+/* 0x00f4	  79 (21 23) */		ldd	[%g2+8],%f0
+/* 0x00f8	     (23 26) */		fdtox	%f0,%f0
+/* 0x00fc	     (24 25) */		std	%f0,[%sp+96]
+/* 0x0100	  80 (25 26) */		and	%g1,%o1,%g3
+/* 0x0104	     (26 27) */		sllx	%g3,16,%g3
+/* 0x0108	     ( 0  0) */		stx	%g3,[%sp+120]
+/* 0x010c	  77 (26 27) */		and	%g4,%o3,%g3
+/* 0x0110	  74 ( 0  0) */		stx	%o7,[%sp+128]
+/* 0x0114	     ( 0  0) */		ldx	[%sp+120],%o7
+/* 0x0118	     (27 27) */		add	%g3,%o7,%g3
+/* 0x011c	     ( 0  0) */		ldx	[%sp+128],%o7
+/* 0x0120	  81 (28 29) */		srax	%g1,16,%g1
+/* 0x0124	  74 (28 28) */		add	%g3,%o4,%g3
+/* 0x0128	  81 (29 30) */		srax	%g3,32,%o4
+/* 0x012c	     ( 0  0) */		stx	%o4,[%sp+112]
+/* 0x0130	  78 (30 31) */		srax	%g4,32,%o4
+/* 0x0134	  81 ( 0  0) */		ldx	[%sp+112],%g4
+/* 0x0138	     (30 31) */		add	%g1,%g4,%g4
+/* 0x013c	  79 (31 33) */		ldx	[%sp+96],%g1
+/* 0x0140	  81 (31 32) */		add	%o4,%g4,%o4
+/* 0x0144	  82 (32 33) */		and	%g3,%o3,%g3
+/* 0x0148	  84 ( 0  0) */		ldx	[%sp+104],%g4
+/* 0x014c	  85 (33 34) */		ble,pt	%icc,.L900000209	! tprob=0.50
+/* 0x0150	     (33 34) */		st	%g3,[%o5-4]
+                                   .L900000212:		/* frequency 8.0 confidence 0.0 */
+/* 0x0154	  85 ( 0  1) */		ba	.L900000214	! tprob=1.00
+/* 0x0158	     ( 0  1) */		sethi	%hi(0xfc00),%g2
+                                   .L77000134:		/* frequency 0.7 confidence 0.0 */
+                                   .L900000213:		/* frequency 6.4 confidence 0.0 */
+/* 0x015c	  77 ( 0  1) */		and	%g4,%o3,%o0
+/* 0x0160	  80 ( 0  1) */		and	%g1,%o1,%g3
+/* 0x0164	  76 ( 0  3) */		fdtox	%f0,%f0
+/* 0x0168	  77 ( 1  2) */		add	%o4,%o0,%o0
+/* 0x016c	  76 ( 1  2) */		std	%f0,[%sp+104]
+/* 0x0170	  85 ( 1  2) */		add	%o7,1,%o7
+/* 0x0174	  80 ( 2  3) */		sllx	%g3,16,%o4
+/* 0x0178	  79 ( 2  5) */		ldd	[%g2+24],%f2
+/* 0x017c	  85 ( 2  3) */		add	%g2,16,%g2
+/* 0x0180	  80 ( 3  4) */		add	%o0,%o4,%o4
+/* 0x0184	  81 ( 3  4) */		stx	%o7,[%sp+128]
+/* 0x0188	     ( 4  5) */		srax	%g1,16,%o0
+/* 0x018c	     ( 4  5) */		stx	%o0,[%sp+112]
+/* 0x0190	  82 ( 4  5) */		and	%o4,%o3,%g3
+/* 0x0194	  81 ( 5  6) */		srax	%o4,32,%o0
+/* 0x0198	     ( 5  6) */		stx	%o0,[%sp+120]
+/* 0x019c	  79 ( 5  8) */		fdtox	%f2,%f0
+/* 0x01a0	     ( 6  7) */		std	%f0,[%sp+96]
+/* 0x01a4	  78 ( 6  7) */		srax	%g4,32,%o4
+/* 0x01a8	  81 ( 7  9) */		ldx	[%sp+120],%o7
+/* 0x01ac	     ( 8 10) */		ldx	[%sp+112],%g4
+/* 0x01b0	  76 (10 12) */		ldx	[%sp+104],%g1
+/* 0x01b4	  81 (10 11) */		add	%g4,%o7,%g4
+/* 0x01b8	     (11 13) */		ldx	[%sp+128],%o7
+/* 0x01bc	     (11 12) */		add	%o4,%g4,%o4
+/* 0x01c0	  79 (12 14) */		ldx	[%sp+96],%o0
+/* 0x01c4	  84 (12 13) */		or	%g0,%g1,%g4
+/* 0x01c8	  82 (13 14) */		st	%g3,[%o5]
+/* 0x01cc	  85 (13 14) */		add	%o5,4,%o5
+/* 0x01d0	     (13 14) */		cmp	%o7,%o2
+/* 0x01d4	     (14 15) */		or	%g0,%o0,%g1
+/* 0x01d8	     (14 15) */		ble,a,pt	%icc,.L900000213	! tprob=0.86
+/* 0x01dc	     (14 17) */		ldd	[%g2+16],%f0
+                                   .L77000127:		/* frequency 1.0 confidence 0.0 */
+
+!   86		                    !   }
+!   87		                    !     t1+=a&0xffffffff;
+!   88		                    !     t=(a>>32);
+!   89		                    !     t1+=(b&0xffff)<<16;
+!   90		                    !     i32[i]=t1&0xffffffff;
+
+/* 0x01e0	  90 ( 0  1) */		sethi	%hi(0xfc00),%g2
+                                   .L900000214:		/* frequency 1.0 confidence 0.0 */
+/* 0x01e4	  90 ( 0  1) */		or	%g0,-1,%g3
+/* 0x01e8	     ( 0  1) */		add	%g2,1023,%g2
+/* 0x01ec	     ( 1  2) */		srl	%g3,0,%g3
+/* 0x01f0	     ( 1  2) */		and	%g1,%g2,%g2
+/* 0x01f4	     ( 2  3) */		and	%g4,%g3,%g4
+/* 0x01f8	     ( 3  4) */		sllx	%g2,16,%g2
+/* 0x01fc	     ( 3  4) */		add	%o4,%g4,%g4
+/* 0x0200	     ( 4  5) */		add	%g4,%g2,%g2
+/* 0x0204	     ( 5  6) */		sll	%o7,2,%g4
+/* 0x0208	     ( 5  6) */		and	%g2,%g3,%g2
+/* 0x020c	     ( 6  7) */		st	%g2,[%g5+%g4]
+/* 0x0210	     ( 7  9) */		ret	! Result = 
+/* 0x0214	     ( 9 10) */		restore	%g0,%g0,%g0
+/* 0x0218	   0 ( 0  0) */		.type	conv_d16_to_i32,2
+/* 0x0218	     ( 0  0) */		.size	conv_d16_to_i32,(.-conv_d16_to_i32)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 ( 0  0) */		.align	8
+!
+! CONSTANT POOL
+!
+                                   .L_const_seg_900000301:		/* frequency 1.0 confidence 0.0 */
+/* 000000	   0 ( 0  0) */		.word	1127219200,0
+/* 0x0008	   0 ( 0  0) */		.align	4
+!
+! SUBROUTINE conv_i32_to_d32
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
+
+                                   	.global conv_i32_to_d32
+                                   conv_i32_to_d32:		/* frequency 1.0 confidence 0.0 */
+/* 000000	     ( 0  1) */		orcc	%g0,%o2,%g1
+
+!   92		                    !}
+!   94		                    !void conv_i32_to_d32(double *d32, unsigned int *i32, int len)
+!   95		                    !{
+!   96		                    !int i;
+!   98		                    !#pragma pipeloop(0)
+!   99		                    ! for(i=0;i<len;i++) d32[i]=(double)(i32[i]);
+
+/* 0x0004	  99 ( 0  1) */		ble,pt	%icc,.L77000140	! tprob=0.56
+/* 0x0008	     ( 0  1) */		nop
+/* 0x000c	     ( 1  2) */		sethi	%hi(.L_const_seg_900000301),%g2
+/* 0x0010	  95 ( 1  2) */		or	%g0,%o1,%g4
+/* 0x0014	  99 ( 2  3) */		add	%g2,%lo(.L_const_seg_900000301),%g2
+/* 0x0018	     ( 2  3) */		or	%g0,0,%o5
+/* 0x001c	  95 ( 3  4) */		or	%g0,%o0,%g5
+/* 0x0020	  99 ( 3  4) */		sub	%o2,1,%g3
+/* 0x0024	     ( 4  5) */		cmp	%o2,9
+/* 0x0028	     ( 4  5) */		bl,pn	%icc,.L77000144	! tprob=0.44
+/* 0x002c	     ( 4  7) */		ldd	[%g2],%f8
+/* 0x0030	     ( 5  8) */		ld	[%o1],%f7
+/* 0x0034	     ( 5  6) */		add	%o1,16,%g4
+/* 0x0038	     ( 5  6) */		sub	%o2,5,%g1
+/* 0x003c	     ( 6  9) */		ld	[%o1+4],%f5
+/* 0x0040	     ( 6  7) */		or	%g0,4,%o5
+/* 0x0044	     ( 7 10) */		ld	[%o1+8],%f3
+/* 0x0048	     ( 7  8) */		fmovs	%f8,%f6
+/* 0x004c	     ( 8 11) */		ld	[%o1+12],%f1
+                                   .L900000305:		/* frequency 64.0 confidence 0.0 */
+/* 0x0050	     ( 8 16) */		ld	[%g4],%f11
+/* 0x0054	     ( 8  9) */		add	%o5,5,%o5
+/* 0x0058	     ( 8  9) */		add	%g4,20,%g4
+/* 0x005c	     ( 8 11) */		fsubd	%f6,%f8,%f6
+/* 0x0060	     ( 9 10) */		std	%f6,[%g5]
+/* 0x0064	     ( 9  9) */		cmp	%o5,%g1
+/* 0x0068	     ( 9 10) */		add	%g5,40,%g5
+/* 0x006c	     ( 0  0) */		fmovs	%f8,%f4
+/* 0x0070	     (10 18) */		ld	[%g4-16],%f7
+/* 0x0074	     (10 13) */		fsubd	%f4,%f8,%f12
+/* 0x0078	     ( 0  0) */		fmovs	%f8,%f2
+/* 0x007c	     (11 12) */		std	%f12,[%g5-32]
+/* 0x0080	     (12 20) */		ld	[%g4-12],%f5
+/* 0x0084	     (12 15) */		fsubd	%f2,%f8,%f12
+/* 0x0088	     ( 0  0) */		fmovs	%f8,%f0
+/* 0x008c	     (13 14) */		std	%f12,[%g5-24]
+/* 0x0090	     (14 22) */		ld	[%g4-8],%f3
+/* 0x0094	     (14 17) */		fsubd	%f0,%f8,%f12
+/* 0x0098	     ( 0  0) */		fmovs	%f8,%f10
+/* 0x009c	     (15 16) */		std	%f12,[%g5-16]
+/* 0x00a0	     (16 24) */		ld	[%g4-4],%f1
+/* 0x00a4	     (16 19) */		fsubd	%f10,%f8,%f10
+/* 0x00a8	     ( 0  0) */		fmovs	%f8,%f6
+/* 0x00ac	     (17 18) */		ble,pt	%icc,.L900000305	! tprob=0.50
+/* 0x00b0	     (17 18) */		std	%f10,[%g5-8]
+                                   .L900000308:		/* frequency 8.0 confidence 0.0 */
+/* 0x00b4	     ( 0  1) */		fmovs	%f8,%f4
+/* 0x00b8	     ( 0  1) */		add	%g5,32,%g5
+/* 0x00bc	     ( 0  1) */		cmp	%o5,%g3
+/* 0x00c0	     ( 1  2) */		fmovs	%f8,%f2
+/* 0x00c4	     ( 2  3) */		fmovs	%f8,%f0
+/* 0x00c8	     ( 4  7) */		fsubd	%f6,%f8,%f6
+/* 0x00cc	     ( 4  5) */		std	%f6,[%g5-32]
+/* 0x00d0	     ( 5  8) */		fsubd	%f4,%f8,%f4
+/* 0x00d4	     ( 5  6) */		std	%f4,[%g5-24]
+/* 0x00d8	     ( 6  9) */		fsubd	%f2,%f8,%f2
+/* 0x00dc	     ( 6  7) */		std	%f2,[%g5-16]
+/* 0x00e0	     ( 7 10) */		fsubd	%f0,%f8,%f0
+/* 0x00e4	     ( 7  8) */		bg,pn	%icc,.L77000140	! tprob=0.14
+/* 0x00e8	     ( 7  8) */		std	%f0,[%g5-8]
+                                   .L77000144:		/* frequency 0.7 confidence 0.0 */
+/* 0x00ec	     ( 0  3) */		ld	[%g4],%f1
+                                   .L900000309:		/* frequency 6.4 confidence 0.0 */
+/* 0x00f0	     ( 0  3) */		ldd	[%g2],%f8
+/* 0x00f4	     ( 0  1) */		add	%o5,1,%o5
+/* 0x00f8	     ( 0  1) */		add	%g4,4,%g4
+/* 0x00fc	     ( 1  2) */		cmp	%o5,%g3
+/* 0x0100	     ( 2  3) */		fmovs	%f8,%f0
+/* 0x0104	     ( 4  7) */		fsubd	%f0,%f8,%f0
+/* 0x0108	     ( 4  5) */		std	%f0,[%g5]
+/* 0x010c	     ( 4  5) */		add	%g5,8,%g5
+/* 0x0110	     ( 4  5) */		ble,a,pt	%icc,.L900000309	! tprob=0.86
+/* 0x0114	     ( 6  9) */		ld	[%g4],%f1
+                                   .L77000140:		/* frequency 1.0 confidence 0.0 */
+/* 0x0118	     ( 0  2) */		retl	! Result = 
+/* 0x011c	     ( 1  2) */		nop
+/* 0x0120	   0 ( 0  0) */		.type	conv_i32_to_d32,2
+/* 0x0120	     ( 0  0) */		.size	conv_i32_to_d32,(.-conv_i32_to_d32)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 ( 0  0) */		.align	8
+!
+! CONSTANT POOL
+!
+                                   .L_const_seg_900000401:		/* frequency 1.0 confidence 0.0 */
+/* 000000	   0 ( 0  0) */		.word	1127219200,0
+/* 0x0008	   0 ( 0  0) */		.align	4
+!
+! SUBROUTINE conv_i32_to_d16
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
+
+                                   	.global conv_i32_to_d16
+                                   conv_i32_to_d16:		/* frequency 1.0 confidence 0.0 */
+/* 000000	     ( 0  1) */		save	%sp,-104,%sp
+/* 0x0004	     ( 1  2) */		orcc	%g0,%i2,%o0
+
+!  100		                    !}
+!  103		                    !void conv_i32_to_d16(double *d16, unsigned int *i32, int len)
+!  104		                    !{
+!  105		                    !int i;
+!  106		                    !unsigned int a;
+!  108		                    !#pragma pipeloop(0)
+!  109		                    ! for(i=0;i<len;i++)
+
+/* 0x0008	 109 ( 1  2) */		ble,pt	%icc,.L77000150	! tprob=0.56
+/* 0x000c	     ( 1  2) */		nop
+/* 0x0010	     ( 2  3) */		sub	%o0,1,%o5
+/* 0x0014	     ( 2  3) */		sethi	%hi(0xfc00),%g2
+
+!  110		                    !   {
+!  111		                    !     a=i32[i];
+!  112		                    !     d16[2*i]=(double)(a&0xffff);
+!  113		                    !     d16[2*i+1]=(double)(a>>16);
+
+/* 0x0018	 113 ( 3  4) */		sethi	%hi(.L_const_seg_900000401),%o0
+/* 0x001c	     ( 3  4) */		add	%o5,1,%g3
+/* 0x0020	     ( 4  5) */		add	%g2,1023,%o4
+/* 0x0024	 109 ( 4  5) */		or	%g0,0,%g1
+/* 0x0028	     ( 5  6) */		cmp	%g3,3
+/* 0x002c	     ( 5  6) */		or	%g0,%i1,%o7
+/* 0x0030	     ( 6  7) */		add	%o0,%lo(.L_const_seg_900000401),%o3
+/* 0x0034	     ( 6  7) */		or	%g0,%i0,%g2
+/* 0x0038	     ( 6  7) */		bl,pn	%icc,.L77000154	! tprob=0.44
+/* 0x003c	     ( 7  8) */		add	%o7,4,%o0
+/* 0x0040	 112 ( 7 10) */		ldd	[%o3],%f0
+/* 0x0044	 113 ( 7  8) */		or	%g0,1,%g1
+/* 0x0048	 111 ( 8 11) */		ld	[%o0-4],%o1
+/* 0x004c	   0 ( 8  9) */		or	%g0,%o0,%o7
+/* 0x0050	 112 (10 11) */		and	%o1,%o4,%o0
+                                   .L900000406:		/* frequency 64.0 confidence 0.0 */
+/* 0x0054	 112 (22 23) */		st	%o0,[%sp+96]
+/* 0x0058	 113 (22 23) */		add	%g1,1,%g1
+/* 0x005c	     (22 23) */		add	%g2,16,%g2
+/* 0x0060	     (23 23) */		cmp	%g1,%o5
+/* 0x0064	     (23 24) */		add	%o7,4,%o7
+/* 0x0068	 112 (29 31) */		ld	[%sp+96],%f3
+/* 0x006c	     ( 0  0) */		fmovs	%f0,%f2
+/* 0x0070	     (31 34) */		fsubd	%f2,%f0,%f2
+/* 0x0074	 113 (32 33) */		srl	%o1,16,%o0
+/* 0x0078	 112 (32 33) */		std	%f2,[%g2-16]
+/* 0x007c	 113 (33 34) */		st	%o0,[%sp+92]
+/* 0x0080	     (40 42) */		ld	[%sp+92],%f3
+/* 0x0084	 111 (41 43) */		ld	[%o7-4],%o1
+/* 0x0088	 113 ( 0  0) */		fmovs	%f0,%f2
+/* 0x008c	     (42 45) */		fsubd	%f2,%f0,%f2
+/* 0x0090	 112 (43 44) */		and	%o1,%o4,%o0
+/* 0x0094	 113 (43 44) */		ble,pt	%icc,.L900000406	! tprob=0.50
+/* 0x0098	     (43 44) */		std	%f2,[%g2-8]
+                                   .L900000409:		/* frequency 8.0 confidence 0.0 */
+/* 0x009c	 112 ( 0  1) */		st	%o0,[%sp+96]
+/* 0x00a0	     ( 0  1) */		fmovs	%f0,%f2
+/* 0x00a4	 113 ( 0  1) */		add	%g2,16,%g2
+/* 0x00a8	     ( 1  2) */		srl	%o1,16,%o0
+/* 0x00ac	 112 ( 4  7) */		ld	[%sp+96],%f3
+/* 0x00b0	     ( 6  9) */		fsubd	%f2,%f0,%f2
+/* 0x00b4	     ( 6  7) */		std	%f2,[%g2-16]
+/* 0x00b8	 113 ( 7  8) */		st	%o0,[%sp+92]
+/* 0x00bc	     (10 11) */		fmovs	%f0,%f2
+/* 0x00c0	     (11 14) */		ld	[%sp+92],%f3
+/* 0x00c4	     (13 16) */		fsubd	%f2,%f0,%f0
+/* 0x00c8	     (13 14) */		std	%f0,[%g2-8]
+/* 0x00cc	     (14 16) */		ret	! Result = 
+/* 0x00d0	     (16 17) */		restore	%g0,%g0,%g0
+                                   .L77000154:		/* frequency 0.7 confidence 0.0 */
+/* 0x00d4	 111 ( 0  3) */		ld	[%o7],%o0
+                                   .L900000410:		/* frequency 6.4 confidence 0.0 */
+/* 0x00d8	 112 ( 0  1) */		and	%o0,%o4,%o1
+/* 0x00dc	     ( 0  1) */		st	%o1,[%sp+96]
+/* 0x00e0	 113 ( 0  1) */		add	%g1,1,%g1
+/* 0x00e4	 112 ( 1  4) */		ldd	[%o3],%f0
+/* 0x00e8	 113 ( 1  2) */		srl	%o0,16,%o0
+/* 0x00ec	     ( 1  2) */		add	%o7,4,%o7
+/* 0x00f0	     ( 2  3) */		cmp	%g1,%o5
+/* 0x00f4	 112 ( 3  4) */		fmovs	%f0,%f2
+/* 0x00f8	     ( 4  7) */		ld	[%sp+96],%f3
+/* 0x00fc	     ( 6  9) */		fsubd	%f2,%f0,%f2
+/* 0x0100	     ( 6  7) */		std	%f2,[%g2]
+/* 0x0104	 113 ( 7  8) */		st	%o0,[%sp+92]
+/* 0x0108	     (10 11) */		fmovs	%f0,%f2
+/* 0x010c	     (11 14) */		ld	[%sp+92],%f3
+/* 0x0110	     (13 16) */		fsubd	%f2,%f0,%f0
+/* 0x0114	     (13 14) */		std	%f0,[%g2+8]
+/* 0x0118	     (13 14) */		add	%g2,16,%g2
+/* 0x011c	     (13 14) */		ble,a,pt	%icc,.L900000410	! tprob=0.86
+/* 0x0120	     (14 17) */		ld	[%o7],%o0
+                                   .L77000150:		/* frequency 1.0 confidence 0.0 */
+/* 0x0124	     ( 0  2) */		ret	! Result = 
+/* 0x0128	     ( 2  3) */		restore	%g0,%g0,%g0
+/* 0x012c	   0 ( 0  0) */		.type	conv_i32_to_d16,2
+/* 0x012c	     ( 0  0) */		.size	conv_i32_to_d16,(.-conv_i32_to_d16)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 ( 0  0) */		.align	8
+!
+! CONSTANT POOL
+!
+                                   .L_const_seg_900000501:		/* frequency 1.0 confidence 0.0 */
+/* 000000	   0 ( 0  0) */		.word	1127219200,0
+/* 0x0008	   0 ( 0  0) */		.align	4
+!
+! SUBROUTINE conv_i32_to_d32_and_d16
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
+
+                                   	.global conv_i32_to_d32_and_d16
+                                   conv_i32_to_d32_and_d16:		/* frequency 1.0 confidence 0.0 */
+/* 000000	     ( 0  1) */		save	%sp,-104,%sp
+/* 0x0004	     ( 1  2) */		or	%g0,%i3,%i4
+/* 0x0008	     ( 1  2) */		or	%g0,%i2,%g1
+
+!  114		                    !   }
+!  115		                    !}
+!  118		                    !void i16_to_d16_and_d32x4(double * /*1/(2^16)*/, double * /* 2^16*/,
+!  119		                    !			  double * /* 0 */,
+!  120		                    !			  double * /*result16*/, double * /* result32 */,
+!  121		                    !			  float *  /*source - should be unsigned int*
+!  122		                    !		          	       converted to float* */);
+!  126		                    !void conv_i32_to_d32_and_d16(double *d32, double *d16, 
+!  127		                    !			     unsigned int *i32, int len)
+!  128		                    !{
+!  129		                    !int i;
+!  130		                    !unsigned int a;
+!  132		                    !#pragma pipeloop(0)
+!  133		                    ! for(i=0;i<len-3;i+=4)
+
+/* 0x000c	 133 ( 2  3) */		sub	%i4,3,%g2
+/* 0x0010	     ( 2  3) */		or	%g0,0,%o7
+/* 0x0014	     ( 3  4) */		cmp	%g2,0
+/* 0x0018	 128 ( 3  4) */		or	%g0,%i0,%i3
+/* 0x001c	 133 ( 3  4) */		ble,pt	%icc,.L900000515	! tprob=0.56
+/* 0x0020	     ( 4  5) */		cmp	%o7,%i4
+
+!  134		                    !   {
+!  135		                    !     i16_to_d16_and_d32x4(&TwoToMinus16, &TwoTo16, &Zero,
+!  136		                    !			  &(d16[2*i]), &(d32[i]), (float *)(&(i32[i])));
+
+/* 0x0024	 136 ( 4  5) */		sethi	%hi(Zero),%g2
+/* 0x0028	 133 ( 5  6) */		or	%g0,%g1,%o3
+/* 0x002c	     ( 5  6) */		sub	%i4,4,%o2
+/* 0x0030	 136 ( 6  7) */		add	%g2,%lo(Zero),%o1
+/* 0x0034	 133 ( 6  7) */		or	%g0,0,%o5
+/* 0x0038	     ( 7  8) */		or	%g0,0,%o4
+/* 0x003c	 136 ( 7  8) */		or	%g0,%o3,%g4
+                                   .L900000514:		/* frequency 6.4 confidence 0.0 */
+/* 0x0040	     ( 0  3) */		ldd	[%o1],%f2
+/* 0x0044	 136 ( 0  1) */		add	%i3,%o5,%g2
+/* 0x0048	     ( 0  1) */		add	%i1,%o4,%g3
+/* 0x004c	     ( 1  4) */		ldd	[%o1-8],%f0
+/* 0x0050	     ( 1  2) */		add	%o7,4,%o7
+/* 0x0054	     ( 1  2) */		add	%o3,16,%o3
+/* 0x0058	     ( 2  3) */		fmovd	%f2,%f14
+/* 0x005c	     ( 2  5) */		ld	[%g4],%f15
+/* 0x0060	     ( 2  3) */		cmp	%o7,%o2
+/* 0x0064	     ( 3  4) */		fmovd	%f2,%f10
+/* 0x0068	     ( 3  6) */		ld	[%g4+4],%f11
+/* 0x006c	     ( 4  5) */		fmovd	%f2,%f6
+/* 0x0070	     ( 4  7) */		ld	[%g4+8],%f7
+/* 0x0074	     ( 5  8) */		ld	[%g4+12],%f3
+/* 0x0078	     ( 5  8) */		fxtod	%f14,%f14
+/* 0x007c	     ( 6  9) */		fxtod	%f10,%f10
+/* 0x0080	     ( 6  9) */		ldd	[%o1-16],%f16
+/* 0x0084	     ( 7 10) */		fxtod	%f6,%f6
+/* 0x0088	     ( 7  8) */		std	%f14,[%i3+%o5]
+/* 0x008c	     ( 7  8) */		add	%o5,32,%o5
+/* 0x0090	     ( 8 11) */		fxtod	%f2,%f2
+/* 0x0094	     ( 8 11) */		fmuld	%f0,%f14,%f12
+/* 0x0098	     ( 8  9) */		std	%f10,[%g2+8]
+/* 0x009c	     ( 9 12) */		fmuld	%f0,%f10,%f8
+/* 0x00a0	     ( 9 10) */		std	%f6,[%g2+16]
+/* 0x00a4	     (10 13) */		fmuld	%f0,%f6,%f4
+/* 0x00a8	     (10 11) */		std	%f2,[%g2+24]
+/* 0x00ac	     (11 14) */		fmuld	%f0,%f2,%f0
+/* 0x00b0	     (11 14) */		fdtox	%f12,%f12
+/* 0x00b4	     (12 15) */		fdtox	%f8,%f8
+/* 0x00b8	     (13 16) */		fdtox	%f4,%f4
+/* 0x00bc	     (14 17) */		fdtox	%f0,%f0
+/* 0x00c0	     (15 18) */		fxtod	%f12,%f12
+/* 0x00c4	     (15 16) */		std	%f12,[%g3+8]
+/* 0x00c8	     (16 19) */		fxtod	%f8,%f8
+/* 0x00cc	     (16 17) */		std	%f8,[%g3+24]
+/* 0x00d0	     (17 20) */		fxtod	%f4,%f4
+/* 0x00d4	     (17 18) */		std	%f4,[%g3+40]
+/* 0x00d8	     (18 21) */		fxtod	%f0,%f0
+/* 0x00dc	     (18 21) */		fmuld	%f12,%f16,%f12
+/* 0x00e0	     (18 19) */		std	%f0,[%g3+56]
+/* 0x00e4	     (19 22) */		fmuld	%f8,%f16,%f8
+/* 0x00e8	     (20 23) */		fmuld	%f4,%f16,%f4
+/* 0x00ec	     (21 24) */		fmuld	%f0,%f16,%f0
+/* 0x00f0	     (21 24) */		fsubd	%f14,%f12,%f12
+/* 0x00f4	     (21 22) */		std	%f12,[%i1+%o4]
+/* 0x00f8	     (22 25) */		fsubd	%f10,%f8,%f8
+/* 0x00fc	     (22 23) */		std	%f8,[%g3+16]
+/* 0x0100	     (22 23) */		add	%o4,64,%o4
+/* 0x0104	     (23 26) */		fsubd	%f6,%f4,%f4
+/* 0x0108	     (23 24) */		std	%f4,[%g3+32]
+/* 0x010c	     (24 27) */		fsubd	%f2,%f0,%f0
+/* 0x0110	     (24 25) */		std	%f0,[%g3+48]
+/* 0x0114	     (24 25) */		ble,pt	%icc,.L900000514	! tprob=0.86
+/* 0x0118	     (25 26) */		or	%g0,%o3,%g4
+                                   .L77000159:		/* frequency 1.0 confidence 0.0 */
+
+!  137		                    !   }
+!  138		                    ! for(;i<len;i++)
+
+/* 0x011c	 138 ( 0  1) */		cmp	%o7,%i4
+                                   .L900000515:		/* frequency 1.0 confidence 0.0 */
+/* 0x0120	 138 ( 0  1) */		bge,pt	%icc,.L77000164	! tprob=0.56
+/* 0x0124	     ( 0  1) */		nop
+
+!  139		                    !   {
+!  140		                    !     a=i32[i];
+!  141		                    !     d32[i]=(double)(i32[i]);
+!  142		                    !     d16[2*i]=(double)(a&0xffff);
+!  143		                    !     d16[2*i+1]=(double)(a>>16);
+
+/* 0x0128	 143 ( 0  1) */		sethi	%hi(.L_const_seg_900000501),%o1
+/* 0x012c	 138 ( 1  2) */		sethi	%hi(0xfc00),%o0
+/* 0x0130	 141 ( 1  4) */		ldd	[%o1+%lo(.L_const_seg_900000501)],%f0
+/* 0x0134	 138 ( 1  2) */		sub	%i4,%o7,%g3
+/* 0x0138	     ( 2  3) */		sll	%o7,2,%g2
+/* 0x013c	     ( 2  3) */		add	%o0,1023,%o3
+/* 0x0140	     ( 3  4) */		sll	%o7,3,%g4
+/* 0x0144	     ( 3  4) */		cmp	%g3,3
+/* 0x0148	     ( 4  5) */		add	%g1,%g2,%o0
+/* 0x014c	     ( 4  5) */		add	%o1,%lo(.L_const_seg_900000501),%o2
+/* 0x0150	     ( 5  6) */		add	%i3,%g4,%o4
+/* 0x0154	     ( 5  6) */		sub	%i4,1,%o1
+/* 0x0158	     ( 6  7) */		sll	%o7,4,%g5
+/* 0x015c	     ( 6  7) */		bl,pn	%icc,.L77000161	! tprob=0.44
+/* 0x0160	     ( 7  8) */		add	%i1,%g5,%o5
+/* 0x0164	 141 ( 7 10) */		ld	[%g1+%g2],%f3
+/* 0x0168	 143 ( 7  8) */		add	%o4,8,%o4
+/* 0x016c	 140 ( 8 11) */		ld	[%g1+%g2],%g1
+/* 0x0170	 143 ( 8  9) */		add	%o5,16,%o5
+/* 0x0174	     ( 8  9) */		add	%o7,1,%o7
+/* 0x0178	 141 ( 9 10) */		fmovs	%f0,%f2
+/* 0x017c	 143 ( 9 10) */		add	%o0,4,%o0
+/* 0x0180	 142 (10 11) */		and	%g1,%o3,%g2
+/* 0x0184	 141 (11 14) */		fsubd	%f2,%f0,%f2
+/* 0x0188	     (11 12) */		std	%f2,[%o4-8]
+/* 0x018c	 143 (11 12) */		srl	%g1,16,%g1
+/* 0x0190	 142 (12 13) */		st	%g2,[%sp+96]
+/* 0x0194	     (15 16) */		fmovs	%f0,%f2
+/* 0x0198	     (16 19) */		ld	[%sp+96],%f3
+/* 0x019c	     (18 21) */		fsubd	%f2,%f0,%f2
+/* 0x01a0	     (18 19) */		std	%f2,[%o5-16]
+/* 0x01a4	 143 (19 20) */		st	%g1,[%sp+92]
+/* 0x01a8	     (22 23) */		fmovs	%f0,%f2
+/* 0x01ac	     (23 26) */		ld	[%sp+92],%f3
+/* 0x01b0	     (25 28) */		fsubd	%f2,%f0,%f2
+/* 0x01b4	     (25 26) */		std	%f2,[%o5-8]
+                                   .L900000509:		/* frequency 64.0 confidence 0.0 */
+/* 0x01b8	 141 (26 28) */		ld	[%o0],%f3
+/* 0x01bc	 143 (26 27) */		add	%o7,2,%o7
+/* 0x01c0	     (26 27) */		add	%o5,32,%o5
+/* 0x01c4	 140 (27 29) */		ld	[%o0],%g1
+/* 0x01c8	 143 (27 27) */		cmp	%o7,%o1
+/* 0x01cc	     (27 28) */		add	%o4,16,%o4
+/* 0x01d0	 141 ( 0  0) */		fmovs	%f0,%f2
+/* 0x01d4	     (28 31) */		fsubd	%f2,%f0,%f2
+/* 0x01d8	     (29 30) */		std	%f2,[%o4-16]
+/* 0x01dc	 142 (29 30) */		and	%g1,%o3,%g2
+/* 0x01e0	     (30 31) */		st	%g2,[%sp+96]
+/* 0x01e4	     (37 39) */		ld	[%sp+96],%f3
+/* 0x01e8	     ( 0  0) */		fmovs	%f0,%f2
+/* 0x01ec	     (39 42) */		fsubd	%f2,%f0,%f2
+/* 0x01f0	 143 (40 41) */		srl	%g1,16,%g1
+/* 0x01f4	 142 (40 41) */		std	%f2,[%o5-32]
+/* 0x01f8	 143 (41 42) */		st	%g1,[%sp+92]
+/* 0x01fc	     (48 50) */		ld	[%sp+92],%f3
+/* 0x0200	     ( 0  0) */		fmovs	%f0,%f2
+/* 0x0204	     (50 53) */		fsubd	%f2,%f0,%f2
+/* 0x0208	     (51 52) */		std	%f2,[%o5-24]
+/* 0x020c	     (51 52) */		add	%o0,4,%o0
+/* 0x0210	 141 (52 54) */		ld	[%o0],%f3
+/* 0x0214	 140 (53 55) */		ld	[%o0],%g1
+/* 0x0218	 141 ( 0  0) */		fmovs	%f0,%f2
+/* 0x021c	     (54 57) */		fsubd	%f2,%f0,%f2
+/* 0x0220	     (55 56) */		std	%f2,[%o4-8]
+/* 0x0224	 142 (55 56) */		and	%g1,%o3,%g2
+/* 0x0228	     (56 57) */		st	%g2,[%sp+96]
+/* 0x022c	     (63 65) */		ld	[%sp+96],%f3
+/* 0x0230	     ( 0  0) */		fmovs	%f0,%f2
+/* 0x0234	     (65 68) */		fsubd	%f2,%f0,%f2
+/* 0x0238	 143 (66 67) */		srl	%g1,16,%g1
+/* 0x023c	 142 (66 67) */		std	%f2,[%o5-16]
+/* 0x0240	 143 (67 68) */		st	%g1,[%sp+92]
+/* 0x0244	     (74 76) */		ld	[%sp+92],%f3
+/* 0x0248	     ( 0  0) */		fmovs	%f0,%f2
+/* 0x024c	     (76 79) */		fsubd	%f2,%f0,%f2
+/* 0x0250	     (77 78) */		std	%f2,[%o5-8]
+/* 0x0254	     (77 78) */		bl,pt	%icc,.L900000509	! tprob=0.50
+/* 0x0258	     (77 78) */		add	%o0,4,%o0
+                                   .L900000512:		/* frequency 8.0 confidence 0.0 */
+/* 0x025c	 143 ( 0  1) */		cmp	%o7,%i4
+/* 0x0260	     ( 0  1) */		bge,pn	%icc,.L77000164	! tprob=0.14
+/* 0x0264	     ( 0  1) */		nop
+                                   .L77000161:		/* frequency 0.7 confidence 0.0 */
+/* 0x0268	 141 ( 0  3) */		ld	[%o0],%f3
+                                   .L900000513:		/* frequency 6.4 confidence 0.0 */
+/* 0x026c	 141 ( 0  3) */		ldd	[%o2],%f0
+/* 0x0270	 143 ( 0  1) */		add	%o7,1,%o7
+/* 0x0274	 140 ( 1  4) */		ld	[%o0],%o1
+/* 0x0278	 143 ( 1  2) */		add	%o0,4,%o0
+/* 0x027c	     ( 1  2) */		cmp	%o7,%i4
+/* 0x0280	 141 ( 2  3) */		fmovs	%f0,%f2
+/* 0x0284	 142 ( 3  4) */		and	%o1,%o3,%g1
+/* 0x0288	 141 ( 4  7) */		fsubd	%f2,%f0,%f2
+/* 0x028c	     ( 4  5) */		std	%f2,[%o4]
+/* 0x0290	 143 ( 4  5) */		srl	%o1,16,%o1
+/* 0x0294	 142 ( 5  6) */		st	%g1,[%sp+96]
+/* 0x0298	 143 ( 5  6) */		add	%o4,8,%o4
+/* 0x029c	 142 ( 8  9) */		fmovs	%f0,%f2
+/* 0x02a0	     ( 9 12) */		ld	[%sp+96],%f3
+/* 0x02a4	     (11 14) */		fsubd	%f2,%f0,%f2
+/* 0x02a8	     (11 12) */		std	%f2,[%o5]
+/* 0x02ac	 143 (12 13) */		st	%o1,[%sp+92]
+/* 0x02b0	     (15 16) */		fmovs	%f0,%f2
+/* 0x02b4	     (16 19) */		ld	[%sp+92],%f3
+/* 0x02b8	     (18 21) */		fsubd	%f2,%f0,%f0
+/* 0x02bc	     (18 19) */		std	%f0,[%o5+8]
+/* 0x02c0	     (18 19) */		add	%o5,16,%o5
+/* 0x02c4	     (18 19) */		bl,a,pt	%icc,.L900000513	! tprob=0.86
+/* 0x02c8	     (19 22) */		ld	[%o0],%f3
+                                   .L77000164:		/* frequency 1.0 confidence 0.0 */
+/* 0x02cc	     ( 0  2) */		ret	! Result = 
+/* 0x02d0	     ( 2  3) */		restore	%g0,%g0,%g0
+/* 0x02d4	   0 ( 0  0) */		.type	conv_i32_to_d32_and_d16,2
+/* 0x02d4	     ( 0  0) */		.size	conv_i32_to_d32_and_d16,(.-conv_i32_to_d32_and_d16)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 ( 0  0) */		.align	4
+!
+! SUBROUTINE adjust_montf_result
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
+
+                                   	.global adjust_montf_result
+                                   adjust_montf_result:		/* frequency 1.0 confidence 0.0 */
+
+!  144		                    !   }
+!  145		                    !}
+!  148		                    !void adjust_montf_result(unsigned int *i32, unsigned int *nint, int len)
+!  149		                    !{
+!  150		                    !long long acc;
+!  151		                    !int i;
+!  153		                    ! if(i32[len]>0) i=-1;
+
+/* 000000	 153 ( 0  1) */		sll	%o2,2,%g1
+/* 0x0004	     ( 0  1) */		or	%g0,-1,%g3
+/* 0x0008	     ( 1  4) */		ld	[%o0+%g1],%g1
+/* 0x000c	     ( 3  4) */		cmp	%g1,0
+/* 0x0010	     ( 3  4) */		bleu,pn	%icc,.L77000175	! tprob=0.50
+/* 0x0014	     ( 3  4) */		or	%g0,%o1,%o3
+/* 0x0018	     ( 4  5) */		ba	.L900000611	! tprob=1.00
+/* 0x001c	     ( 4  5) */		cmp	%g3,0
+                                   .L77000175:		/* frequency 0.8 confidence 0.0 */
+
+!  154		                    ! else
+!  155		                    !   {
+!  156		                    !     for(i=len-1; i>=0; i++)
+
+/* 0x0020	 156 ( 0  1) */		subcc	%o2,1,%g3
+/* 0x0024	     ( 0  1) */		bneg,pt	%icc,.L900000611	! tprob=0.60
+/* 0x0028	     ( 1  2) */		cmp	%g3,0
+/* 0x002c	     ( 1  2) */		sll	%g3,2,%g1
+/* 0x0030	     ( 2  3) */		add	%o0,%g1,%g2
+/* 0x0034	     ( 2  3) */		add	%o1,%g1,%g1
+
+!  157		                    !       {
+!  158		                    !	 if(i32[i]!=nint[i]) break;
+
+/* 0x0038	 158 ( 3  6) */		ld	[%g1],%g5
+                                   .L900000610:		/* frequency 5.3 confidence 0.0 */
+/* 0x003c	 158 ( 0  3) */		ld	[%g2],%o5
+/* 0x0040	     ( 0  1) */		add	%g1,4,%g1
+/* 0x0044	     ( 0  1) */		add	%g2,4,%g2
+/* 0x0048	     ( 2  3) */		cmp	%o5,%g5
+/* 0x004c	     ( 2  3) */		bne,pn	%icc,.L77000182	! tprob=0.16
+/* 0x0050	     ( 2  3) */		nop
+/* 0x0054	     ( 3  4) */		addcc	%g3,1,%g3
+/* 0x0058	     ( 3  4) */		bpos,a,pt	%icc,.L900000610	! tprob=0.84
+/* 0x005c	     ( 3  6) */		ld	[%g1],%g5
+                                   .L77000182:		/* frequency 1.0 confidence 0.0 */
+
+!  159		                    !       }
+!  160		                    !   }
+!  161		                    ! if((i<0)||(i32[i]>nint[i]))
+
+/* 0x0060	 161 ( 0  1) */		cmp	%g3,0
+                                   .L900000611:		/* frequency 1.0 confidence 0.0 */
+/* 0x0064	 161 ( 0  1) */		bl,pn	%icc,.L77000198	! tprob=0.50
+/* 0x0068	     ( 0  1) */		sll	%g3,2,%g2
+/* 0x006c	     ( 1  4) */		ld	[%o1+%g2],%g1
+/* 0x0070	     ( 2  5) */		ld	[%o0+%g2],%g2
+/* 0x0074	     ( 4  5) */		cmp	%g2,%g1
+/* 0x0078	     ( 4  5) */		bleu,pt	%icc,.L77000191	! tprob=0.56
+/* 0x007c	     ( 4  5) */		nop
+                                   .L77000198:		/* frequency 0.8 confidence 0.0 */
+
+!  162		                    !   {
+!  163		                    !     acc=0;
+!  164		                    !     for(i=0;i<len;i++)
+
+/* 0x0080	 164 ( 0  1) */		cmp	%o2,0
+/* 0x0084	     ( 0  1) */		ble,pt	%icc,.L77000191	! tprob=0.60
+/* 0x0088	     ( 0  1) */		nop
+/* 0x008c	 161 ( 1  2) */		or	%g0,-1,%g2
+/* 0x0090	     ( 1  2) */		sub	%o2,1,%g4
+/* 0x0094	     ( 2  3) */		srl	%g2,0,%g3
+/* 0x0098	 163 ( 2  3) */		or	%g0,0,%g5
+/* 0x009c	 164 ( 3  4) */		or	%g0,0,%o5
+/* 0x00a0	 161 ( 3  4) */		or	%g0,%o0,%o4
+/* 0x00a4	     ( 4  5) */		cmp	%o2,3
+/* 0x00a8	     ( 4  5) */		add	%o1,4,%g2
+/* 0x00ac	 164 ( 4  5) */		bl,pn	%icc,.L77000199	! tprob=0.40
+/* 0x00b0	     ( 5  6) */		add	%o0,8,%g1
+
+!  165		                    !       {
+!  166		                    !	 acc=acc+(unsigned long long)(i32[i])-(unsigned long long)(nint[i]);
+
+/* 0x00b4	 166 ( 5  8) */		ld	[%o0],%o2
+/* 0x00b8	   0 ( 5  6) */		or	%g0,%g2,%o3
+/* 0x00bc	 166 ( 6  9) */		ld	[%o1],%o1
+/* 0x00c0	   0 ( 6  7) */		or	%g0,%g1,%o4
+
+!  167		                    !	 i32[i]=acc&0xffffffff;
+!  168		                    !	 acc=acc>>32;
+
+/* 0x00c4	 168 ( 6  7) */		or	%g0,2,%o5
+/* 0x00c8	 166 ( 7 10) */		ld	[%o0+4],%g1
+/* 0x00cc	 164 ( 8  9) */		sub	%o2,%o1,%o2
+/* 0x00d0	     ( 9 10) */		or	%g0,%o2,%g5
+/* 0x00d4	 167 ( 9 10) */		and	%o2,%g3,%o2
+/* 0x00d8	     ( 9 10) */		st	%o2,[%o0]
+/* 0x00dc	 168 (10 11) */		srax	%g5,32,%g5
+                                   .L900000605:		/* frequency 64.0 confidence 0.0 */
+/* 0x00e0	 166 (12 20) */		ld	[%o3],%o2
+/* 0x00e4	 168 (12 13) */		add	%o5,1,%o5
+/* 0x00e8	     (12 13) */		add	%o3,4,%o3
+/* 0x00ec	     (13 13) */		cmp	%o5,%g4
+/* 0x00f0	     (13 14) */		add	%o4,4,%o4
+/* 0x00f4	 164 (14 14) */		sub	%g1,%o2,%g1
+/* 0x00f8	     (15 15) */		add	%g1,%g5,%g5
+/* 0x00fc	 167 (16 17) */		and	%g5,%g3,%o2
+/* 0x0100	 166 (16 24) */		ld	[%o4-4],%g1
+/* 0x0104	 167 (17 18) */		st	%o2,[%o4-8]
+/* 0x0108	 168 (17 18) */		ble,pt	%icc,.L900000605	! tprob=0.50
+/* 0x010c	     (17 18) */		srax	%g5,32,%g5
+                                   .L900000608:		/* frequency 8.0 confidence 0.0 */
+/* 0x0110	 166 ( 0  3) */		ld	[%o3],%g2
+/* 0x0114	 164 ( 2  3) */		sub	%g1,%g2,%g1
+/* 0x0118	     ( 3  4) */		add	%g1,%g5,%g1
+/* 0x011c	 167 ( 4  5) */		and	%g1,%g3,%g2
+/* 0x0120	     ( 5  7) */		retl	! Result = 
+/* 0x0124	     ( 6  7) */		st	%g2,[%o4-4]
+                                   .L77000199:		/* frequency 0.6 confidence 0.0 */
+/* 0x0128	 166 ( 0  3) */		ld	[%o4],%g1
+                                   .L900000609:		/* frequency 5.3 confidence 0.0 */
+/* 0x012c	 166 ( 0  3) */		ld	[%o3],%g2
+/* 0x0130	     ( 0  1) */		add	%g5,%g1,%g1
+/* 0x0134	 168 ( 0  1) */		add	%o5,1,%o5
+/* 0x0138	     ( 1  2) */		add	%o3,4,%o3
+/* 0x013c	     ( 1  2) */		cmp	%o5,%g4
+/* 0x0140	 166 ( 2  3) */		sub	%g1,%g2,%g1
+/* 0x0144	 167 ( 3  4) */		and	%g1,%g3,%g2
+/* 0x0148	     ( 3  4) */		st	%g2,[%o4]
+/* 0x014c	 168 ( 3  4) */		add	%o4,4,%o4
+/* 0x0150	     ( 4  5) */		srax	%g1,32,%g5
+/* 0x0154	     ( 4  5) */		ble,a,pt	%icc,.L900000609	! tprob=0.84
+/* 0x0158	     ( 4  7) */		ld	[%o4],%g1
+                                   .L77000191:		/* frequency 1.0 confidence 0.0 */
+/* 0x015c	     ( 0  2) */		retl	! Result = 
+/* 0x0160	     ( 1  2) */		nop
+/* 0x0164	   0 ( 0  0) */		.type	adjust_montf_result,2
+/* 0x0164	     ( 0  0) */		.size	adjust_montf_result,(.-adjust_montf_result)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 ( 0  0) */		.align	32
+!
+! SUBROUTINE mont_mulf_noconv
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
+
+                                   	.global mont_mulf_noconv
+                                   mont_mulf_noconv:		/* frequency 1.0 confidence 0.0 */
+/* 000000	     ( 0  1) */		save	%sp,-144,%sp
+/* 0x0004	     ( 1  2) */		st	%i0,[%fp+68]
+
+!  169		                    !       }
+!  170		                    !   }
+!  171		                    !}
+!  175		                    !void cleanup(double *dt, int from, int tlen);
+!  177		                    !/*
+!  178		                    !** the lengths of the input arrays should be at least the following:
+!  179		                    !** result[nlen+1], dm1[nlen], dm2[2*nlen+1], dt[4*nlen+2], dn[nlen], nint[nlen]
+!  180		                    !** all of them should be different from one another
+!  181		                    !**
+!  182		                    !*/
+!  183		                    !void mont_mulf_noconv(unsigned int *result,
+!  184		                    !		     double *dm1, double *dm2, double *dt,
+!  185		                    !		     double *dn, unsigned int *nint,
+!  186		                    !		     int nlen, double dn0)
+!  187		                    !{
+!  188		                    ! int i, j, jj;
+!  189		                    ! int tmp;
+!  190		                    ! double digit, m2j, nextm2j, a, b;
+!  191		                    ! double *dptmp, *pdm1, *pdm2, *pdn, *pdtj, pdn_0, pdm1_0;
+!  193		                    ! pdm1=&(dm1[0]);
+!  194		                    ! pdm2=&(dm2[0]);
+!  195		                    ! pdn=&(dn[0]);
+!  196		                    ! pdm2[2*nlen]=Zero;
+
+/* 0x0008	 196 ( 1  2) */		sethi	%hi(Zero),%g2
+/* 0x000c	 187 ( 1  2) */		or	%g0,%i2,%o1
+/* 0x0010	     ( 2  3) */		st	%i5,[%fp+88]
+/* 0x0014	     ( 2  3) */		or	%g0,%i3,%o2
+/* 0x0018	 196 ( 2  3) */		add	%g2,%lo(Zero),%g4
+/* 0x001c	     ( 3  6) */		ldd	[%g2+%lo(Zero)],%f2
+/* 0x0020	 187 ( 3  4) */		or	%g0,%o2,%g5
+/* 0x0024	 196 ( 3  4) */		or	%g0,%o1,%i0
+/* 0x0028	 187 ( 4  5) */		or	%g0,%i4,%i2
+
+!  198		                    ! if (nlen!=16)
+!  199		                    !   {
+!  200		                    !     for(i=0;i<4*nlen+2;i++) dt[i]=Zero;
+!  202		                    !     a=dt[0]=pdm1[0]*pdm2[0];
+!  203		                    !     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
+!  205		                    !     pdtj=&(dt[0]);
+!  206		                    !     for(j=jj=0;j<2*nlen;j++,jj++,pdtj++)
+!  207		                    !       {
+!  208		                    !	 m2j=pdm2[j];
+!  209		                    !	 a=pdtj[0]+pdn[0]*digit;
+!  210		                    !	 b=pdtj[1]+pdm1[0]*pdm2[j+1]+a*TwoToMinus16;
+!  211		                    !	 pdtj[1]=b;
+!  213		                    !#pragma pipeloop(0)
+!  214		                    !	 for(i=1;i<nlen;i++)
+!  215		                    !	   {
+!  216		                    !	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
+!  217		                    !	   }
+!  218		                    ! 	 if((jj==30)) {cleanup(dt,j/2+1,2*nlen+1); jj=0;}
+!  219		                    !	 
+!  220		                    !	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
+!  221		                    !       }
+!  222		                    !   }
+!  223		                    ! else
+!  224		                    !   {
+!  225		                    !     a=dt[0]=pdm1[0]*pdm2[0];
+!  227		                    !     dt[65]=     dt[64]=     dt[63]=     dt[62]=     dt[61]=     dt[60]=
+!  228		                    !     dt[59]=     dt[58]=     dt[57]=     dt[56]=     dt[55]=     dt[54]=
+!  229		                    !     dt[53]=     dt[52]=     dt[51]=     dt[50]=     dt[49]=     dt[48]=
+!  230		                    !     dt[47]=     dt[46]=     dt[45]=     dt[44]=     dt[43]=     dt[42]=
+!  231		                    !     dt[41]=     dt[40]=     dt[39]=     dt[38]=     dt[37]=     dt[36]=
+!  232		                    !     dt[35]=     dt[34]=     dt[33]=     dt[32]=     dt[31]=     dt[30]=
+!  233		                    !     dt[29]=     dt[28]=     dt[27]=     dt[26]=     dt[25]=     dt[24]=
+!  234		                    !     dt[23]=     dt[22]=     dt[21]=     dt[20]=     dt[19]=     dt[18]=
+!  235		                    !     dt[17]=     dt[16]=     dt[15]=     dt[14]=     dt[13]=     dt[12]=
+!  236		                    !     dt[11]=     dt[10]=     dt[ 9]=     dt[ 8]=     dt[ 7]=     dt[ 6]=
+!  237		                    !     dt[ 5]=     dt[ 4]=     dt[ 3]=     dt[ 2]=     dt[ 1]=Zero;
+!  239		                    !     pdn_0=pdn[0];
+!  240		                    !     pdm1_0=pdm1[0];
+!  242		                    !     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
+!  243		                    !     pdtj=&(dt[0]);
+!  245		                    !     for(j=0;j<32;j++,pdtj++)
+!  246		                    !       {
+!  248		                    !	 m2j=pdm2[j];
+!  249		                    !	 a=pdtj[0]+pdn_0*digit;
+!  250		                    !	 b=pdtj[1]+pdm1_0*pdm2[j+1]+a*TwoToMinus16;
+!  251		                    !	 pdtj[1]=b;
+!  253		                    !	 /**** this loop will be fully unrolled:
+!  254		                    !	 for(i=1;i<16;i++)
+!  255		                    !	   {
+!  256		                    !	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
+!  257		                    !	   }
+!  258		                    !	 *************************************/
+!  259		                    !	     pdtj[2]+=pdm1[1]*m2j+pdn[1]*digit;
+!  260		                    !	     pdtj[4]+=pdm1[2]*m2j+pdn[2]*digit;
+!  261		                    !	     pdtj[6]+=pdm1[3]*m2j+pdn[3]*digit;
+!  262		                    !	     pdtj[8]+=pdm1[4]*m2j+pdn[4]*digit;
+!  263		                    !	     pdtj[10]+=pdm1[5]*m2j+pdn[5]*digit;
+!  264		                    !	     pdtj[12]+=pdm1[6]*m2j+pdn[6]*digit;
+!  265		                    !	     pdtj[14]+=pdm1[7]*m2j+pdn[7]*digit;
+!  266		                    !	     pdtj[16]+=pdm1[8]*m2j+pdn[8]*digit;
+!  267		                    !	     pdtj[18]+=pdm1[9]*m2j+pdn[9]*digit;
+!  268		                    !	     pdtj[20]+=pdm1[10]*m2j+pdn[10]*digit;
+!  269		                    !	     pdtj[22]+=pdm1[11]*m2j+pdn[11]*digit;
+!  270		                    !	     pdtj[24]+=pdm1[12]*m2j+pdn[12]*digit;
+!  271		                    !	     pdtj[26]+=pdm1[13]*m2j+pdn[13]*digit;
+!  272		                    !	     pdtj[28]+=pdm1[14]*m2j+pdn[14]*digit;
+!  273		                    !	     pdtj[30]+=pdm1[15]*m2j+pdn[15]*digit;
+!  274		                    !	 /* no need for cleenup, cannot overflow */
+!  275		                    !	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
+!  276		                    !       }
+!  277		                    !   }
+!  279		                    ! conv_d16_to_i32(result,dt+2*nlen,(long long *)dt,nlen+1);
+!  281		                    ! adjust_montf_result(result,nint,nlen); 
+
+/* 0x002c	 281 ( 4  5) */		or	%g0,1,%o4
+/* 0x0030	 187 ( 6  9) */		ldd	[%fp+96],%f0
+/* 0x0034	 196 ( 7 10) */		ld	[%fp+92],%o0
+/* 0x0038	 187 ( 8  9) */		fmovd	%f0,%f16
+/* 0x003c	 196 ( 9 10) */		sll	%o0,4,%g2
+/* 0x0040	     ( 9 10) */		or	%g0,%o0,%g1
+/* 0x0044	 198 (10 11) */		cmp	%o0,16
+/* 0x0048	     (10 11) */		be,pn	%icc,.L77000289	! tprob=0.50
+/* 0x004c	     (10 11) */		std	%f2,[%o1+%g2]
+/* 0x0050	 200 (11 12) */		sll	%o0,2,%g2
+/* 0x0054	     (11 14) */		ldd	[%g4],%f2
+/* 0x0058	     (12 13) */		add	%g2,2,%o1
+/* 0x005c	     (12 13) */		add	%g2,1,%o3
+/* 0x0060	 196 (13 14) */		sll	%o0,1,%o7
+/* 0x0064	 200 (13 14) */		cmp	%o1,0
+/* 0x0068	     (13 14) */		ble,a,pt	%icc,.L900000755	! tprob=0.55
+/* 0x006c	     (14 17) */		ldd	[%i1],%f0
+/* 0x0070	     (14 15) */		cmp	%o1,3
+/* 0x0074	 281 (14 15) */		or	%g0,1,%o1
+/* 0x0078	     (14 15) */		bl,pn	%icc,.L77000279	! tprob=0.40
+/* 0x007c	     (15 16) */		add	%o2,8,%o0
+/* 0x0080	     (15 16) */		std	%f2,[%g5]
+/* 0x0084	   0 (16 17) */		or	%g0,%o0,%o2
+                                   .L900000726:		/* frequency 64.0 confidence 0.0 */
+/* 0x0088	     ( 3  5) */		ldd	[%g4],%f0
+/* 0x008c	     ( 3  4) */		add	%o4,1,%o4
+/* 0x0090	     ( 3  4) */		add	%o2,8,%o2
+/* 0x0094	     ( 4  4) */		cmp	%o4,%o3
+/* 0x0098	     ( 5  6) */		ble,pt	%icc,.L900000726	! tprob=0.50
+/* 0x009c	     ( 5  6) */		std	%f0,[%o2-8]
+                                   .L900000729:		/* frequency 8.0 confidence 0.0 */
+/* 0x00a0	     ( 0  1) */		ba	.L900000755	! tprob=1.00
+/* 0x00a4	     ( 0  3) */		ldd	[%i1],%f0
+                                   .L77000279:		/* frequency 0.6 confidence 0.0 */
+/* 0x00a8	     ( 0  1) */		std	%f2,[%o2]
+                                   .L900000754:		/* frequency 5.3 confidence 0.0 */
+/* 0x00ac	     ( 0  3) */		ldd	[%g4],%f2
+/* 0x00b0	     ( 0  1) */		cmp	%o1,%o3
+/* 0x00b4	     ( 0  1) */		add	%o2,8,%o2
+/* 0x00b8	     ( 1  2) */		add	%o1,1,%o1
+/* 0x00bc	     ( 1  2) */		ble,a,pt	%icc,.L900000754	! tprob=0.87
+/* 0x00c0	     ( 3  4) */		std	%f2,[%o2]
+                                   .L77000284:		/* frequency 0.8 confidence 0.0 */
+/* 0x00c4	 202 ( 0  3) */		ldd	[%i1],%f0
+                                   .L900000755:		/* frequency 0.8 confidence 0.0 */
+/* 0x00c8	 202 ( 0  3) */		ldd	[%i0],%f2
+/* 0x00cc	     ( 0  1) */		add	%o7,1,%o2
+/* 0x00d0	 206 ( 0  1) */		cmp	%o7,0
+/* 0x00d4	     ( 1  2) */		sll	%o2,1,%o0
+/* 0x00d8	     ( 1  2) */		sub	%o7,1,%o1
+/* 0x00dc	 202 ( 2  5) */		fmuld	%f0,%f2,%f0
+/* 0x00e0	     ( 2  3) */		std	%f0,[%g5]
+/* 0x00e4	     ( 2  3) */		sub	%g1,1,%o7
+/* 0x00e8	     ( 3  6) */		ldd	[%g4],%f6
+/* 0x00ec	   0 ( 3  4) */		or	%g0,%o7,%g3
+/* 0x00f0	     ( 3  4) */		or	%g0,0,%l0
+/* 0x00f4	     ( 4  7) */		ldd	[%g4-8],%f2
+/* 0x00f8	     ( 4  5) */		or	%g0,0,%i5
+/* 0x00fc	     ( 4  5) */		or	%g0,%o1,%o5
+/* 0x0100	     ( 5  8) */		fdtox	%f0,%f0
+/* 0x0104	     ( 5  8) */		ldd	[%g4-16],%f4
+/* 0x0108	     ( 5  6) */		or	%g0,%o0,%o3
+/* 0x010c	 210 ( 6  7) */		add	%i0,8,%o4
+/* 0x0110	     ( 6  7) */		or	%g0,0,%i4
+/* 0x0114	     ( 9 10) */		fmovs	%f6,%f0
+/* 0x0118	     (11 14) */		fxtod	%f0,%f0
+/* 0x011c	 203 (14 17) */		fmuld	%f0,%f16,%f0
+/* 0x0120	     (17 20) */		fmuld	%f0,%f2,%f2
+/* 0x0124	     (20 23) */		fdtox	%f2,%f2
+/* 0x0128	     (23 26) */		fxtod	%f2,%f2
+/* 0x012c	     (26 29) */		fmuld	%f2,%f4,%f2
+/* 0x0130	     (29 32) */		fsubd	%f0,%f2,%f22
+/* 0x0134	 206 (29 30) */		ble,pt	%icc,.L900000748	! tprob=0.60
+/* 0x0138	     (29 30) */		sll	%g1,4,%g2
+/* 0x013c	 210 (30 33) */		ldd	[%i2],%f0
+                                   .L900000749:		/* frequency 5.3 confidence 0.0 */
+/* 0x0140	 210 ( 0  3) */		fmuld	%f0,%f22,%f8
+/* 0x0144	     ( 0  3) */		ldd	[%i1],%f0
+/* 0x0148	 214 ( 0  1) */		cmp	%g1,1
+/* 0x014c	 210 ( 1  4) */		ldd	[%o4+%i4],%f6
+/* 0x0150	     ( 1  2) */		add	%i1,8,%o0
+/* 0x0154	 214 ( 1  2) */		or	%g0,1,%o1
+/* 0x0158	 210 ( 2  5) */		ldd	[%i3],%f2
+/* 0x015c	     ( 2  3) */		add	%i3,16,%l1
+/* 0x0160	     ( 3  6) */		fmuld	%f0,%f6,%f6
+/* 0x0164	     ( 3  6) */		ldd	[%g4-8],%f4
+/* 0x0168	     ( 4  7) */		faddd	%f2,%f8,%f2
+/* 0x016c	     ( 4  7) */		ldd	[%i3+8],%f0
+/* 0x0170	 208 ( 5  8) */		ldd	[%i0+%i4],%f20
+/* 0x0174	 210 ( 6  9) */		faddd	%f0,%f6,%f0
+/* 0x0178	     ( 7 10) */		fmuld	%f2,%f4,%f2
+/* 0x017c	     (10 13) */		faddd	%f0,%f2,%f18
+/* 0x0180	 211 (10 11) */		std	%f18,[%i3+8]
+/* 0x0184	 214 (10 11) */		ble,pt	%icc,.L900000753	! tprob=0.54
+/* 0x0188	     (11 12) */		srl	%i5,31,%g2
+/* 0x018c	     (11 12) */		cmp	%g3,7
+/* 0x0190	 210 (12 13) */		add	%i2,8,%g2
+/* 0x0194	 214 (12 13) */		bl,pn	%icc,.L77000281	! tprob=0.36
+/* 0x0198	     (13 14) */		add	%g2,24,%o2
+/* 0x019c	 216 (13 16) */		ldd	[%o0+16],%f14
+/* 0x01a0	     (13 14) */		add	%i3,48,%l1
+/* 0x01a4	     (14 17) */		ldd	[%o0+24],%f12
+/* 0x01a8	   0 (14 15) */		or	%g0,%o2,%g2
+/* 0x01ac	 214 (14 15) */		sub	%g1,3,%o2
+/* 0x01b0	 216 (15 18) */		ldd	[%o0],%f2
+/* 0x01b4	     (15 16) */		or	%g0,5,%o1
+/* 0x01b8	     (16 19) */		ldd	[%g2-24],%f0
+/* 0x01bc	     (17 20) */		ldd	[%o0+8],%f6
+/* 0x01c0	     (17 20) */		fmuld	%f2,%f20,%f2
+/* 0x01c4	     (17 18) */		add	%o0,32,%o0
+/* 0x01c8	     (18 21) */		ldd	[%g2-16],%f8
+/* 0x01cc	     (18 21) */		fmuld	%f0,%f22,%f4
+/* 0x01d0	     (19 22) */		ldd	[%i3+16],%f0
+/* 0x01d4	     (19 22) */		fmuld	%f6,%f20,%f10
+/* 0x01d8	     (20 23) */		ldd	[%g2-8],%f6
+/* 0x01dc	     (21 24) */		faddd	%f2,%f4,%f4
+/* 0x01e0	     (21 24) */		ldd	[%i3+32],%f2
+                                   .L900000738:		/* frequency 512.0 confidence 0.0 */
+/* 0x01e4	 216 (16 24) */		ldd	[%g2],%f24
+/* 0x01e8	     (16 17) */		add	%o1,3,%o1
+/* 0x01ec	     (16 17) */		add	%g2,24,%g2
+/* 0x01f0	     (16 19) */		fmuld	%f8,%f22,%f8
+/* 0x01f4	     (17 25) */		ldd	[%l1],%f28
+/* 0x01f8	     (17 17) */		cmp	%o1,%o2
+/* 0x01fc	     (17 18) */		add	%o0,24,%o0
+/* 0x0200	     (18 26) */		ldd	[%o0-24],%f26
+/* 0x0204	     (18 21) */		faddd	%f0,%f4,%f0
+/* 0x0208	     (18 19) */		add	%l1,48,%l1
+/* 0x020c	     (19 22) */		faddd	%f10,%f8,%f10
+/* 0x0210	     (19 22) */		fmuld	%f14,%f20,%f4
+/* 0x0214	     (19 20) */		std	%f0,[%l1-80]
+/* 0x0218	     (20 28) */		ldd	[%g2-16],%f8
+/* 0x021c	     (20 23) */		fmuld	%f6,%f22,%f6
+/* 0x0220	     (21 29) */		ldd	[%l1-32],%f0
+/* 0x0224	     (22 30) */		ldd	[%o0-16],%f14
+/* 0x0228	     (22 25) */		faddd	%f2,%f10,%f2
+/* 0x022c	     (23 26) */		faddd	%f4,%f6,%f10
+/* 0x0230	     (23 26) */		fmuld	%f12,%f20,%f4
+/* 0x0234	     (23 24) */		std	%f2,[%l1-64]
+/* 0x0238	     (24 32) */		ldd	[%g2-8],%f6
+/* 0x023c	     (24 27) */		fmuld	%f24,%f22,%f24
+/* 0x0240	     (25 33) */		ldd	[%l1-16],%f2
+/* 0x0244	     (26 34) */		ldd	[%o0-8],%f12
+/* 0x0248	     (26 29) */		faddd	%f28,%f10,%f10
+/* 0x024c	     (27 28) */		std	%f10,[%l1-48]
+/* 0x0250	     (27 30) */		fmuld	%f26,%f20,%f10
+/* 0x0254	     (27 28) */		ble,pt	%icc,.L900000738	! tprob=0.50
+/* 0x0258	     (27 30) */		faddd	%f4,%f24,%f4
+                                   .L900000741:		/* frequency 64.0 confidence 0.0 */
+/* 0x025c	 216 ( 0  3) */		fmuld	%f8,%f22,%f28
+/* 0x0260	     ( 0  3) */		ldd	[%g2],%f24
+/* 0x0264	     ( 0  3) */		faddd	%f0,%f4,%f26
+/* 0x0268	     ( 1  4) */		fmuld	%f12,%f20,%f8
+/* 0x026c	     ( 1  2) */		add	%l1,32,%l1
+/* 0x0270	     ( 1  2) */		cmp	%o1,%g3
+/* 0x0274	     ( 2  5) */		fmuld	%f14,%f20,%f14
+/* 0x0278	     ( 2  5) */		ldd	[%l1-32],%f4
+/* 0x027c	     ( 2  3) */		add	%g2,8,%g2
+/* 0x0280	     ( 3  6) */		faddd	%f10,%f28,%f12
+/* 0x0284	     ( 3  6) */		fmuld	%f6,%f22,%f6
+/* 0x0288	     ( 3  6) */		ldd	[%l1-16],%f0
+/* 0x028c	     ( 4  7) */		fmuld	%f24,%f22,%f10
+/* 0x0290	     ( 4  5) */		std	%f26,[%l1-64]
+/* 0x0294	     ( 6  9) */		faddd	%f2,%f12,%f2
+/* 0x0298	     ( 6  7) */		std	%f2,[%l1-48]
+/* 0x029c	     ( 7 10) */		faddd	%f14,%f6,%f6
+/* 0x02a0	     ( 8 11) */		faddd	%f8,%f10,%f2
+/* 0x02a4	     (10 13) */		faddd	%f4,%f6,%f4
+/* 0x02a8	     (10 11) */		std	%f4,[%l1-32]
+/* 0x02ac	     (11 14) */		faddd	%f0,%f2,%f0
+/* 0x02b0	     (11 12) */		bg,pn	%icc,.L77000213	! tprob=0.13
+/* 0x02b4	     (11 12) */		std	%f0,[%l1-16]
+                                   .L77000281:		/* frequency 4.0 confidence 0.0 */
+/* 0x02b8	 216 ( 0  3) */		ldd	[%o0],%f0
+                                   .L900000752:		/* frequency 36.6 confidence 0.0 */
+/* 0x02bc	 216 ( 0  3) */		ldd	[%g2],%f4
+/* 0x02c0	     ( 0  3) */		fmuld	%f0,%f20,%f2
+/* 0x02c4	     ( 0  1) */		add	%o1,1,%o1
+/* 0x02c8	     ( 1  4) */		ldd	[%l1],%f0
+/* 0x02cc	     ( 1  2) */		add	%o0,8,%o0
+/* 0x02d0	     ( 1  2) */		add	%g2,8,%g2
+/* 0x02d4	     ( 2  5) */		fmuld	%f4,%f22,%f4
+/* 0x02d8	     ( 2  3) */		cmp	%o1,%g3
+/* 0x02dc	     ( 5  8) */		faddd	%f2,%f4,%f2
+/* 0x02e0	     ( 8 11) */		faddd	%f0,%f2,%f0
+/* 0x02e4	     ( 8  9) */		std	%f0,[%l1]
+/* 0x02e8	     ( 8  9) */		add	%l1,16,%l1
+/* 0x02ec	     ( 8  9) */		ble,a,pt	%icc,.L900000752	! tprob=0.87
+/* 0x02f0	     (10 13) */		ldd	[%o0],%f0
+                                   .L77000213:		/* frequency 5.3 confidence 0.0 */
+/* 0x02f4	     ( 0  1) */		srl	%i5,31,%g2
+                                   .L900000753:		/* frequency 5.3 confidence 0.0 */
+/* 0x02f8	 218 ( 0  1) */		cmp	%l0,30
+/* 0x02fc	     ( 0  1) */		bne,a,pt	%icc,.L900000751	! tprob=0.54
+/* 0x0300	     ( 0  3) */		fdtox	%f18,%f0
+/* 0x0304	     ( 1  2) */		add	%i5,%g2,%g2
+/* 0x0308	     ( 1  2) */		sub	%o3,1,%o2
+/* 0x030c	     ( 2  3) */		sra	%g2,1,%o0
+/* 0x0310	 216 ( 2  5) */		ldd	[%g4],%f0
+/* 0x0314	     ( 3  4) */		add	%o0,1,%g2
+/* 0x0318	     ( 4  5) */		sll	%g2,1,%o0
+/* 0x031c	     ( 4  5) */		fmovd	%f0,%f2
+/* 0x0320	     ( 5  6) */		sll	%g2,4,%o1
+/* 0x0324	     ( 5  6) */		cmp	%o0,%o3
+/* 0x0328	     ( 5  6) */		bge,pt	%icc,.L77000215	! tprob=0.53
+/* 0x032c	     ( 6  7) */		or	%g0,0,%l0
+/* 0x0330	 218 ( 6  7) */		add	%g5,%o1,%o1
+/* 0x0334	 216 ( 7 10) */		ldd	[%o1],%f8
+                                   .L900000750:		/* frequency 32.0 confidence 0.0 */
+/* 0x0338	     ( 0  3) */		fdtox	%f8,%f6
+/* 0x033c	     ( 0  3) */		ldd	[%g4],%f10
+/* 0x0340	     ( 0  1) */		add	%o0,2,%o0
+/* 0x0344	     ( 1  4) */		ldd	[%o1+8],%f4
+/* 0x0348	     ( 1  4) */		fdtox	%f8,%f8
+/* 0x034c	     ( 1  2) */		cmp	%o0,%o2
+/* 0x0350	     ( 5  6) */		fmovs	%f10,%f6
+/* 0x0354	     ( 7 10) */		fxtod	%f6,%f10
+/* 0x0358	     ( 8 11) */		fdtox	%f4,%f6
+/* 0x035c	     ( 9 12) */		fdtox	%f4,%f4
+/* 0x0360	     (10 13) */		faddd	%f10,%f2,%f2
+/* 0x0364	     (10 11) */		std	%f2,[%o1]
+/* 0x0368	     (12 15) */		ldd	[%g4],%f2
+/* 0x036c	     (14 15) */		fmovs	%f2,%f6
+/* 0x0370	     (16 19) */		fxtod	%f6,%f6
+/* 0x0374	     (17 20) */		fitod	%f8,%f2
+/* 0x0378	     (19 22) */		faddd	%f6,%f0,%f0
+/* 0x037c	     (19 20) */		std	%f0,[%o1+8]
+/* 0x0380	     (19 20) */		add	%o1,16,%o1
+/* 0x0384	     (20 23) */		fitod	%f4,%f0
+/* 0x0388	     (20 21) */		ble,a,pt	%icc,.L900000750	! tprob=0.87
+/* 0x038c	     (20 23) */		ldd	[%o1],%f8
+                                   .L77000233:		/* frequency 4.6 confidence 0.0 */
+/* 0x0390	     ( 0  0) */		or	%g0,0,%l0
+                                   .L77000215:		/* frequency 5.3 confidence 0.0 */
+/* 0x0394	     ( 0  3) */		fdtox	%f18,%f0
+                                   .L900000751:		/* frequency 5.3 confidence 0.0 */
+/* 0x0398	     ( 0  3) */		ldd	[%g4],%f6
+/* 0x039c	 220 ( 0  1) */		add	%i5,1,%i5
+/* 0x03a0	     ( 0  1) */		add	%i4,8,%i4
+/* 0x03a4	     ( 1  4) */		ldd	[%g4-8],%f2
+/* 0x03a8	     ( 1  2) */		add	%l0,1,%l0
+/* 0x03ac	     ( 1  2) */		add	%i3,8,%i3
+/* 0x03b0	     ( 2  3) */		fmovs	%f6,%f0
+/* 0x03b4	     ( 2  5) */		ldd	[%g4-16],%f4
+/* 0x03b8	     ( 2  3) */		cmp	%i5,%o5
+/* 0x03bc	     ( 4  7) */		fxtod	%f0,%f0
+/* 0x03c0	     ( 7 10) */		fmuld	%f0,%f16,%f0
+/* 0x03c4	     (10 13) */		fmuld	%f0,%f2,%f2
+/* 0x03c8	     (13 16) */		fdtox	%f2,%f2
+/* 0x03cc	     (16 19) */		fxtod	%f2,%f2
+/* 0x03d0	     (19 22) */		fmuld	%f2,%f4,%f2
+/* 0x03d4	     (22 25) */		fsubd	%f0,%f2,%f22
+/* 0x03d8	     (22 23) */		ble,a,pt	%icc,.L900000749	! tprob=0.89
+/* 0x03dc	     (22 25) */		ldd	[%i2],%f0
+                                   .L900000725:		/* frequency 0.7 confidence 0.0 */
+/* 0x03e0	 220 ( 0  1) */		ba	.L900000748	! tprob=1.00
+/* 0x03e4	     ( 0  1) */		sll	%g1,4,%g2
+
+	
+                                   .L77000289:		/* frequency 0.8 confidence 0.0 */
+/* 0x03e8	 225 ( 0  3) */		ldd	[%o1],%f6
+/* 0x03ec	 242 ( 0  1) */		add	%g4,-8,%g2
+/* 0x03f0	     ( 0  1) */		add	%g4,-16,%g3
+/* 0x03f4	 225 ( 1  4) */		ldd	[%i1],%f2
+/* 0x03f8	 245 ( 1  2) */		or	%g0,0,%o3
+/* 0x03fc	     ( 1  2) */		or	%g0,0,%o0
+/* 0x0400	 225 ( 3  6) */		fmuld	%f2,%f6,%f2
+/* 0x0404	     ( 3  4) */		std	%f2,[%o2]
+/* 0x0408	     ( 4  7) */		ldd	[%g4],%f6
+/* 0x040c	 237 ( 7  8) */		std	%f6,[%o2+8]
+/* 0x0410	     ( 8  9) */		std	%f6,[%o2+16]
+/* 0x0414	     ( 9 10) */		std	%f6,[%o2+24]
+/* 0x0418	     (10 11) */		std	%f6,[%o2+32]
+/* 0x041c	     (11 12) */		std	%f6,[%o2+40]
+/* 0x0420	     (12 13) */		std	%f6,[%o2+48]
+/* 0x0424	     (13 14) */		std	%f6,[%o2+56]
+/* 0x0428	     (14 15) */		std	%f6,[%o2+64]
+/* 0x042c	     (15 16) */		std	%f6,[%o2+72]
+!	prefetch	[%i4],0
+!	prefetch	[%i4+32],0
+!	prefetch	[%i4+64],0
+!	prefetch	[%i4+96],0
+!	prefetch	[%i4+120],0
+!	prefetch	[%i1],0
+!	prefetch	[%i1+32],0
+!	prefetch	[%i1+64],0
+!	prefetch	[%i1+96],0
+!	prefetch	[%i1+120],0
+/* 0x0430	     (16 17) */		std	%f6,[%o2+80]
+/* 0x0434	     (17 18) */		std	%f6,[%o2+88]
+/* 0x0438	     (18 19) */		std	%f6,[%o2+96]
+/* 0x043c	     (19 20) */		std	%f6,[%o2+104]
+/* 0x0440	     (20 21) */		std	%f6,[%o2+112]
+/* 0x0444	     (21 22) */		std	%f6,[%o2+120]
+/* 0x0448	     (22 23) */		std	%f6,[%o2+128]
+/* 0x044c	     (23 24) */		std	%f6,[%o2+136]
+/* 0x0450	     (24 25) */		std	%f6,[%o2+144]
+/* 0x0454	     (25 26) */		std	%f6,[%o2+152]
+/* 0x0458	     (26 27) */		std	%f6,[%o2+160]
+/* 0x045c	     (27 28) */		std	%f6,[%o2+168]
+/* 0x0460	     (27 30) */		fdtox	%f2,%f2
+/* 0x0464	     (28 29) */		std	%f6,[%o2+176]
+/* 0x0468	     (29 30) */		std	%f6,[%o2+184]
+/* 0x046c	     (30 31) */		std	%f6,[%o2+192]
+/* 0x0470	     (31 32) */		std	%f6,[%o2+200]
+/* 0x0474	     (32 33) */		std	%f6,[%o2+208]
+/* 0x0478	     (33 34) */		std	%f6,[%o2+216]
+/* 0x047c	     (34 35) */		std	%f6,[%o2+224]
+/* 0x0480	     (35 36) */		std	%f6,[%o2+232]
+/* 0x0484	     (36 37) */		std	%f6,[%o2+240]
+/* 0x0488	     (37 38) */		std	%f6,[%o2+248]
+/* 0x048c	     (38 39) */		std	%f6,[%o2+256]
+/* 0x0490	     (39 40) */		std	%f6,[%o2+264]
+/* 0x0494	     (40 41) */		std	%f6,[%o2+272]
+/* 0x0498	     (41 42) */		std	%f6,[%o2+280]
+/* 0x049c	     (42 43) */		std	%f6,[%o2+288]
+/* 0x04a0	     (43 44) */		std	%f6,[%o2+296]
+/* 0x04a4	     (44 45) */		std	%f6,[%o2+304]
+/* 0x04a8	     (45 46) */		std	%f6,[%o2+312]
+/* 0x04ac	     (46 47) */		std	%f6,[%o2+320]
+/* 0x04b0	     (47 48) */		std	%f6,[%o2+328]
+/* 0x04b4	     (48 49) */		std	%f6,[%o2+336]
+/* 0x04b8	     (49 50) */		std	%f6,[%o2+344]
+/* 0x04bc	     (50 51) */		std	%f6,[%o2+352]
+/* 0x04c0	     (51 52) */		std	%f6,[%o2+360]
+/* 0x04c4	     (52 53) */		std	%f6,[%o2+368]
+/* 0x04c8	     (53 54) */		std	%f6,[%o2+376]
+/* 0x04cc	     (54 55) */		std	%f6,[%o2+384]
+/* 0x04d0	     (55 56) */		std	%f6,[%o2+392]
+/* 0x04d4	     (56 57) */		std	%f6,[%o2+400]
+/* 0x04d8	     (57 58) */		std	%f6,[%o2+408]
+/* 0x04dc	     (58 59) */		std	%f6,[%o2+416]
+/* 0x04e0	     (59 60) */		std	%f6,[%o2+424]
+/* 0x04e4	     (60 61) */		std	%f6,[%o2+432]
+/* 0x04e8	     (61 62) */		std	%f6,[%o2+440]
+/* 0x04ec	     (62 63) */		std	%f6,[%o2+448]
+/* 0x04f0	     (63 64) */		std	%f6,[%o2+456]
+/* 0x04f4	     (64 65) */		std	%f6,[%o2+464]
+/* 0x04f8	     (65 66) */		std	%f6,[%o2+472]
+/* 0x04fc	     (66 67) */		std	%f6,[%o2+480]
+/* 0x0500	     (67 68) */		std	%f6,[%o2+488]
+/* 0x0504	     (68 69) */		std	%f6,[%o2+496]
+/* 0x0508	     (69 70) */		std	%f6,[%o2+504]
+/* 0x050c	     (70 71) */		std	%f6,[%o2+512]
+/* 0x0510	     (71 72) */		std	%f6,[%o2+520]
+/* 0x0514	 242 (72 75) */		ld	[%g4],%f2 ! dalign
+/* 0x0518	     (73 76) */		ld	[%g2],%f6 ! dalign
+/* 0x051c	     (74 77) */		fxtod	%f2,%f10
+/* 0x0520	     (74 77) */		ld	[%g2+4],%f7
+/* 0x0524	     (75 78) */		ld	[%g3],%f8 ! dalign
+/* 0x0528	     (76 79) */		ld	[%g3+4],%f9
+/* 0x052c	     (77 80) */		fmuld	%f10,%f0,%f0
+/* 0x0530	 239 (77 80) */		ldd	[%i4],%f4
+/* 0x0534	 240 (78 81) */		ldd	[%i1],%f2
+/* 0x0538	     (80 83) */		fmuld	%f0,%f6,%f6
+/* 0x053c	     (83 86) */		fdtox	%f6,%f6
+/* 0x0540	     (86 89) */		fxtod	%f6,%f6
+/* 0x0544	     (89 92) */		fmuld	%f6,%f8,%f6
+/* 0x0548	     (92 95) */		fsubd	%f0,%f6,%f0
+/* 0x054c	 250 (95 98) */		fmuld	%f4,%f0,%f10
+                                   .L900000747:		/* frequency 6.4 confidence 0.0 */
+
+
+	fmovd %f0,%f0
+	fmovd %f16,%f18
+	ldd [%i4],%f2
+	ldd [%o2],%f8
+	ldd [%i1],%f10
+	ldd [%g4-8],%f14
+	ldd [%g4-16],%f16
+	ldd [%o1],%f24
+
+	ldd [%i1+8],%f26
+	ldd [%i1+16],%f40
+	ldd [%i1+48],%f46
+	ldd [%i1+56],%f30
+	ldd [%i1+64],%f54
+	ldd [%i1+104],%f34
+	ldd [%i1+112],%f58
+
+	ldd [%i4+112],%f60
+	ldd [%i4+8],%f28	
+	ldd [%i4+104],%f38
+
+	nop
+	nop
+!
+	.L99999999:
+!1
+!!!
+	ldd	[%i1+24],%f32
+	fmuld	%f0,%f2,%f4
+!2
+!!!
+	ldd	[%i4+24],%f36
+	fmuld	%f26,%f24,%f20
+!3
+!!!
+	ldd	[%i1+40],%f42
+	fmuld	%f28,%f0,%f22
+!4
+!!!
+	ldd	[%i4+40],%f44
+	fmuld	%f32,%f24,%f32
+!5
+!!!
+	ldd	[%o1+8],%f6
+	faddd	%f4,%f8,%f4
+	fmuld	%f36,%f0,%f36
+!6
+!!!
+	add	%o1,8,%o1
+	ldd	[%i4+56],%f50
+	fmuld	%f42,%f24,%f42
+!7
+!!!
+	ldd	[%i1+72],%f52
+	faddd	%f20,%f22,%f20
+	fmuld	%f44,%f0,%f44
+!8
+!!!
+	ldd	[%o2+16],%f22
+	fmuld	%f10,%f6,%f12
+!9
+!!!
+	ldd	[%i4+72],%f56
+	faddd	%f32,%f36,%f32
+	fmuld	%f14,%f4,%f4
+!10
+!!!
+	ldd	[%o2+48],%f36
+	fmuld	%f30,%f24,%f48
+!11
+!!!
+	ldd	[%o2+8],%f8
+	faddd	%f20,%f22,%f20
+	fmuld	%f50,%f0,%f50	
+!12
+!!!
+	std	%f20,[%o2+16]
+	faddd	%f42,%f44,%f42
+	fmuld	%f52,%f24,%f52
+!13
+!!!
+	ldd	[%o2+80],%f44
+	faddd	%f4,%f12,%f4
+	fmuld	%f56,%f0,%f56
+!14
+!!!
+	ldd	[%i1+88],%f20
+	faddd	%f32,%f36,%f32
+!15
+!!!
+	ldd	[%i4+88],%f22
+	faddd	%f48,%f50,%f48
+!16
+!!!
+	ldd	[%o2+112],%f50
+	faddd	%f52,%f56,%f52
+!17
+!!!
+	ldd	[%o2+144],%f56
+	faddd	%f4,%f8,%f8
+	fmuld	%f20,%f24,%f20
+!18
+!!!
+	std	%f32,[%o2+48]
+	faddd	%f42,%f44,%f42
+	fmuld	%f22,%f0,%f22
+!19
+!!!
+	std	%f42,[%o2+80]
+	faddd	%f48,%f50,%f48
+	fmuld	%f34,%f24,%f32
+!20
+!!!
+	std	%f48,[%o2+112]
+	faddd	%f52,%f56,%f52
+	fmuld	%f38,%f0,%f36
+!21
+!!!
+	ldd	[%i1+120],%f42
+	fdtox	%f8,%f4
+!22
+!!!
+	std	%f52,[%o2+144]
+	faddd	%f20,%f22,%f20
+!23
+!!!
+	ldd	[%i4+120],%f44
+!24
+!!!
+	ldd	[%o2+176],%f22
+	faddd	%f32,%f36,%f32
+	fmuld	%f42,%f24,%f42
+!25
+!!!
+	ldd	[%i4+16],%f50
+	fmovs	%f17,%f4
+!26
+!!!
+	ldd	[%i1+32],%f52
+	fmuld	%f44,%f0,%f44
+!27
+!!!
+	ldd	[%i4+32],%f56
+	fmuld	%f40,%f24,%f48
+!28
+!!!
+	ldd	[%o2+208],%f36
+	faddd	%f20,%f22,%f20
+	fmuld	%f50,%f0,%f50
+!29
+!!!
+	std	%f20,[%o2+176]
+	fxtod	%f4,%f4
+	fmuld	%f52,%f24,%f52
+!30
+!!!
+	ldd	[%i4+48],%f22
+	faddd	%f42,%f44,%f42
+	fmuld	%f56,%f0,%f56
+!31
+!!!
+	ldd	[%o2+240],%f44
+	faddd	%f32,%f36,%f32
+!32
+!!!
+	std	%f32,[%o2+208]
+	faddd	%f48,%f50,%f48
+	fmuld	%f46,%f24,%f20
+!33
+!!!
+	ldd	[%o2+32],%f50
+	fmuld	%f4,%f18,%f12
+!34
+!!!
+	ldd	[%i4+64],%f36
+	faddd	%f52,%f56,%f52
+	fmuld	%f22,%f0,%f22
+!35
+!!!
+	ldd	[%o2+64],%f56
+	faddd	%f42,%f44,%f42
+!36
+!!!
+	std	%f42,[%o2+240]
+	faddd	%f48,%f50,%f48
+	fmuld	%f54,%f24,%f32
+!37
+!!!
+	std	%f48,[%o2+32]
+	fmuld	%f12,%f14,%f4
+!38
+!!!
+	ldd	[%i1+80],%f42
+	faddd	%f52,%f56,%f56	! yes, tmp52!
+	fmuld	%f36,%f0,%f36
+!39
+!!!
+	ldd	[%i4+80],%f44
+	faddd	%f20,%f22,%f20
+!40
+!!!
+	ldd	[%i1+96],%f48
+	fmuld	%f58,%f24,%f52
+!41
+!!!
+	ldd	[%i4+96],%f50
+	fdtox	%f4,%f4
+	fmuld	%f42,%f24,%f42
+!42
+!!!
+	std	%f56,[%o2+64]	! yes, tmp52!
+	faddd	%f32,%f36,%f32
+	fmuld	%f44,%f0,%f44
+!43
+!!!
+	ldd	[%o2+96],%f22
+	fmuld	%f48,%f24,%f48
+!44
+!!!
+	ldd	[%o2+128],%f36
+	fmovd	%f6,%f24
+	fmuld	%f50,%f0,%f50
+!45
+!!!
+	fxtod	%f4,%f4
+	fmuld	%f60,%f0,%f56
+!46
+!!!
+	add	%o2,8,%o2
+	faddd	%f42,%f44,%f42
+!47
+!!!
+	ldd	[%o2+160-8],%f44
+	faddd	%f20,%f22,%f20
+!48
+!!!
+	std	%f20,[%o2+96-8]
+	faddd	%f48,%f50,%f48
+!49
+!!!
+	ldd	[%o2+192-8],%f50
+	faddd	%f52,%f56,%f52
+	fmuld	%f4,%f16,%f4
+!50
+!!!
+	ldd	[%o2+224-8],%f56
+	faddd	%f32,%f36,%f32
+!51
+!!!
+	std	%f32,[%o2+128-8]
+	faddd	%f42,%f44,%f42
+!52
+	add	%o3,1,%o3
+	std	%f42,[%o2+160-8]
+	faddd	%f48,%f50,%f48
+!53
+!!!
+	cmp	%o3,31
+	std	%f48,[%o2+192-8]
+	faddd	%f52,%f56,%f52
+!54
+	std	%f52,[%o2+224-8]
+	ble,pt	%icc,.L99999999
+	fsubd	%f12,%f4,%f0
+
+
+
+!55
+	std %f8,[%o2]
+
+	
+	
+	
+	
+	
+	                                   .L77000285:		/* frequency 1.0 confidence 0.0 */
+/* 0x07a8	 279 ( 0  1) */		sll	%g1,4,%g2
+                                   .L900000748:		/* frequency 1.0 confidence 0.0 */
+/* 0x07ac	 279 ( 0  3) */		ldd	[%g5+%g2],%f0
+/* 0x07b0	     ( 0  1) */		add	%g5,%g2,%i1
+/* 0x07b4	     ( 0  1) */		or	%g0,0,%o4
+/* 0x07b8	 206 ( 1  4) */		ld	[%fp+68],%o0
+/* 0x07bc	 279 ( 1  2) */		or	%g0,0,%i0
+/* 0x07c0	     ( 1  2) */		cmp	%g1,0
+/* 0x07c4	     ( 2  5) */		fdtox	%f0,%f0
+/* 0x07c8	     ( 2  3) */		std	%f0,[%sp+120]
+/* 0x07cc	 275 ( 2  3) */		sethi	%hi(0xfc00),%o1
+/* 0x07d0	 206 ( 3  4) */		or	%g0,%o0,%o3
+/* 0x07d4	 275 ( 3  4) */		sub	%g1,1,%g4
+/* 0x07d8	 279 ( 4  7) */		ldd	[%i1+8],%f0
+/* 0x07dc	     ( 4  5) */		or	%g0,%o0,%g5
+/* 0x07e0	     ( 4  5) */		add	%o1,1023,%o1
+/* 0x07e4	     ( 6  9) */		fdtox	%f0,%f0
+/* 0x07e8	     ( 6  7) */		std	%f0,[%sp+112]
+/* 0x07ec	     (10 12) */		ldx	[%sp+112],%o5
+/* 0x07f0	     (11 13) */		ldx	[%sp+120],%o7
+/* 0x07f4	     (11 12) */		ble,pt	%icc,.L900000746	! tprob=0.56
+/* 0x07f8	     (11 12) */		sethi	%hi(0xfc00),%g2
+/* 0x07fc	 275 (12 13) */		or	%g0,-1,%g2
+/* 0x0800	 279 (12 13) */		cmp	%g1,3
+/* 0x0804	 275 (13 14) */		srl	%g2,0,%o2
+/* 0x0808	 279 (13 14) */		bl,pn	%icc,.L77000286	! tprob=0.44
+/* 0x080c	     (13 14) */		or	%g0,%i1,%g2
+/* 0x0810	     (14 17) */		ldd	[%i1+16],%f0
+/* 0x0814	     (14 15) */		and	%o5,%o1,%o0
+/* 0x0818	     (14 15) */		add	%i1,16,%g2
+/* 0x081c	     (15 16) */		sllx	%o0,16,%g3
+/* 0x0820	     (15 16) */		and	%o7,%o2,%o0
+/* 0x0824	     (16 19) */		fdtox	%f0,%f0
+/* 0x0828	     (16 17) */		std	%f0,[%sp+104]
+/* 0x082c	     (16 17) */		add	%o0,%g3,%o4
+/* 0x0830	     (17 20) */		ldd	[%i1+24],%f2
+/* 0x0834	     (17 18) */		srax	%o5,16,%o0
+/* 0x0838	     (17 18) */		add	%o3,4,%g5
+/* 0x083c	     (18 19) */		stx	%o0,[%sp+128]
+/* 0x0840	     (18 19) */		and	%o4,%o2,%o0
+/* 0x0844	     (18 19) */		or	%g0,1,%i0
+/* 0x0848	     (19 20) */		stx	%o0,[%sp+112]
+/* 0x084c	     (19 20) */		srax	%o4,32,%o0
+/* 0x0850	     (19 22) */		fdtox	%f2,%f0
+/* 0x0854	     (20 21) */		stx	%o0,[%sp+136]
+/* 0x0858	     (20 21) */		srax	%o7,32,%o4
+/* 0x085c	     (21 22) */		std	%f0,[%sp+96]
+/* 0x0860	     (22 24) */		ldx	[%sp+136],%o7
+/* 0x0864	     (23 25) */		ldx	[%sp+128],%o0
+/* 0x0868	     (25 27) */		ldx	[%sp+104],%g3
+/* 0x086c	     (25 26) */		add	%o0,%o7,%o0
+/* 0x0870	     (26 28) */		ldx	[%sp+112],%o7
+/* 0x0874	     (26 27) */		add	%o4,%o0,%o4
+/* 0x0878	     (27 29) */		ldx	[%sp+96],%o5
+/* 0x087c	     (28 29) */		st	%o7,[%o3]
+/* 0x0880	     (28 29) */		or	%g0,%g3,%o7
+                                   .L900000730:		/* frequency 64.0 confidence 0.0 */
+/* 0x0884	     (17 19) */		ldd	[%g2+16],%f0
+/* 0x0888	     (17 18) */		add	%i0,1,%i0
+/* 0x088c	     (17 18) */		add	%g5,4,%g5
+/* 0x0890	     (18 18) */		cmp	%i0,%g4
+/* 0x0894	     (18 19) */		add	%g2,16,%g2
+/* 0x0898	     (19 22) */		fdtox	%f0,%f0
+/* 0x089c	     (20 21) */		std	%f0,[%sp+104]
+/* 0x08a0	     (21 23) */		ldd	[%g2+8],%f0
+/* 0x08a4	     (23 26) */		fdtox	%f0,%f0
+/* 0x08a8	     (24 25) */		std	%f0,[%sp+96]
+/* 0x08ac	     (25 26) */		and	%o5,%o1,%g3
+/* 0x08b0	     (26 27) */		sllx	%g3,16,%g3
+/* 0x08b4	     ( 0  0) */		stx	%g3,[%sp+120]
+/* 0x08b8	     (26 27) */		and	%o7,%o2,%g3
+/* 0x08bc	     ( 0  0) */		stx	%o7,[%sp+128]
+/* 0x08c0	     ( 0  0) */		ldx	[%sp+120],%o7
+/* 0x08c4	     (27 27) */		add	%g3,%o7,%g3
+/* 0x08c8	     ( 0  0) */		ldx	[%sp+128],%o7
+/* 0x08cc	     (28 29) */		srax	%o5,16,%o5
+/* 0x08d0	     (28 28) */		add	%g3,%o4,%g3
+/* 0x08d4	     (29 30) */		srax	%g3,32,%o4
+/* 0x08d8	     ( 0  0) */		stx	%o4,[%sp+112]
+/* 0x08dc	     (30 31) */		srax	%o7,32,%o4
+/* 0x08e0	     ( 0  0) */		ldx	[%sp+112],%o7
+/* 0x08e4	     (30 31) */		add	%o5,%o7,%o7
+/* 0x08e8	     (31 33) */		ldx	[%sp+96],%o5
+/* 0x08ec	     (31 32) */		add	%o4,%o7,%o4
+/* 0x08f0	     (32 33) */		and	%g3,%o2,%g3
+/* 0x08f4	     ( 0  0) */		ldx	[%sp+104],%o7
+/* 0x08f8	     (33 34) */		ble,pt	%icc,.L900000730	! tprob=0.50
+/* 0x08fc	     (33 34) */		st	%g3,[%g5-4]
+                                   .L900000733:		/* frequency 8.0 confidence 0.0 */
+/* 0x0900	     ( 0  1) */		ba	.L900000746	! tprob=1.00
+/* 0x0904	     ( 0  1) */		sethi	%hi(0xfc00),%g2
+                                   .L77000286:		/* frequency 0.7 confidence 0.0 */
+/* 0x0908	     ( 0  3) */		ldd	[%g2+16],%f0
+                                   .L900000745:		/* frequency 6.4 confidence 0.0 */
+/* 0x090c	     ( 0  1) */		and	%o7,%o2,%o0
+/* 0x0910	     ( 0  1) */		and	%o5,%o1,%g3
+/* 0x0914	     ( 0  3) */		fdtox	%f0,%f0
+/* 0x0918	     ( 1  2) */		add	%o4,%o0,%o0
+/* 0x091c	     ( 1  2) */		std	%f0,[%sp+104]
+/* 0x0920	     ( 1  2) */		add	%i0,1,%i0
+/* 0x0924	     ( 2  3) */		sllx	%g3,16,%o4
+/* 0x0928	     ( 2  5) */		ldd	[%g2+24],%f2
+/* 0x092c	     ( 2  3) */		add	%g2,16,%g2
+/* 0x0930	     ( 3  4) */		add	%o0,%o4,%o4
+/* 0x0934	     ( 3  4) */		cmp	%i0,%g4
+/* 0x0938	     ( 4  5) */		srax	%o5,16,%o0
+/* 0x093c	     ( 4  5) */		stx	%o0,[%sp+112]
+/* 0x0940	     ( 4  5) */		and	%o4,%o2,%g3
+/* 0x0944	     ( 5  6) */		srax	%o4,32,%o5
+/* 0x0948	     ( 5  8) */		fdtox	%f2,%f0
+/* 0x094c	     ( 5  6) */		std	%f0,[%sp+96]
+/* 0x0950	     ( 6  7) */		srax	%o7,32,%o4
+/* 0x0954	     ( 6  8) */		ldx	[%sp+112],%o7
+/* 0x0958	     ( 8  9) */		add	%o7,%o5,%o7
+/* 0x095c	     ( 9 11) */		ldx	[%sp+104],%o5
+/* 0x0960	     ( 9 10) */		add	%o4,%o7,%o4
+/* 0x0964	     (10 12) */		ldx	[%sp+96],%o0
+/* 0x0968	     (11 12) */		st	%g3,[%g5]
+/* 0x096c	     (11 12) */		or	%g0,%o5,%o7
+/* 0x0970	     (11 12) */		add	%g5,4,%g5
+/* 0x0974	     (12 13) */		or	%g0,%o0,%o5
+/* 0x0978	     (12 13) */		ble,a,pt	%icc,.L900000745	! tprob=0.86
+/* 0x097c	     (12 15) */		ldd	[%g2+16],%f0
+                                   .L77000236:		/* frequency 1.0 confidence 0.0 */
+/* 0x0980	     ( 0  1) */		sethi	%hi(0xfc00),%g2
+                                   .L900000746:		/* frequency 1.0 confidence 0.0 */
+/* 0x0984	     ( 0  1) */		or	%g0,-1,%o0
+/* 0x0988	     ( 0  1) */		add	%g2,1023,%g2
+/* 0x098c	     ( 0  3) */		ld	[%fp+88],%o1
+/* 0x0990	     ( 1  2) */		srl	%o0,0,%g3
+/* 0x0994	     ( 1  2) */		and	%o5,%g2,%g2
+/* 0x0998	     ( 2  3) */		and	%o7,%g3,%g4
+/* 0x099c	 281 ( 2  3) */		or	%g0,-1,%o5
+/* 0x09a0	 275 ( 3  4) */		sllx	%g2,16,%g2
+/* 0x09a4	     ( 3  4) */		add	%o4,%g4,%g4
+/* 0x09a8	     ( 4  5) */		add	%g4,%g2,%g2
+/* 0x09ac	     ( 5  6) */		sll	%i0,2,%g4
+/* 0x09b0	     ( 5  6) */		and	%g2,%g3,%g2
+/* 0x09b4	     ( 6  7) */		st	%g2,[%o3+%g4]
+/* 0x09b8	 281 ( 6  7) */		sll	%g1,2,%g2
+/* 0x09bc	     ( 7 10) */		ld	[%o3+%g2],%g2
+/* 0x09c0	     ( 9 10) */		cmp	%g2,0
+/* 0x09c4	     ( 9 10) */		bleu,pn	%icc,.L77000241	! tprob=0.50
+/* 0x09c8	     ( 9 10) */		or	%g0,%o1,%o2
+/* 0x09cc	     (10 11) */		ba	.L900000744	! tprob=1.00
+/* 0x09d0	     (10 11) */		cmp	%o5,0
+                                   .L77000241:		/* frequency 0.8 confidence 0.0 */
+/* 0x09d4	     ( 0  1) */		subcc	%g1,1,%o5
+/* 0x09d8	     ( 0  1) */		bneg,pt	%icc,.L900000744	! tprob=0.60
+/* 0x09dc	     ( 1  2) */		cmp	%o5,0
+/* 0x09e0	     ( 1  2) */		sll	%o5,2,%g2
+/* 0x09e4	     ( 2  3) */		add	%o1,%g2,%o0
+/* 0x09e8	     ( 2  3) */		add	%o3,%g2,%o4
+/* 0x09ec	     ( 3  6) */		ld	[%o0],%g2
+                                   .L900000743:		/* frequency 5.3 confidence 0.0 */
+/* 0x09f0	     ( 0  3) */		ld	[%o4],%g3
+/* 0x09f4	     ( 0  1) */		add	%o0,4,%o0
+/* 0x09f8	     ( 0  1) */		add	%o4,4,%o4
+/* 0x09fc	     ( 2  3) */		cmp	%g3,%g2
+/* 0x0a00	     ( 2  3) */		bne,pn	%icc,.L77000244	! tprob=0.16
+/* 0x0a04	     ( 2  3) */		nop
+/* 0x0a08	     ( 3  4) */		addcc	%o5,1,%o5
+/* 0x0a0c	     ( 3  4) */		bpos,a,pt	%icc,.L900000743	! tprob=0.84
+/* 0x0a10	     ( 3  6) */		ld	[%o0],%g2
+                                   .L77000244:		/* frequency 1.0 confidence 0.0 */
+/* 0x0a14	     ( 0  1) */		cmp	%o5,0
+                                   .L900000744:		/* frequency 1.0 confidence 0.0 */
+/* 0x0a18	     ( 0  1) */		bl,pn	%icc,.L77000287	! tprob=0.50
+/* 0x0a1c	     ( 0  1) */		sll	%o5,2,%g2
+/* 0x0a20	     ( 1  4) */		ld	[%o2+%g2],%g3
+/* 0x0a24	     ( 2  5) */		ld	[%o3+%g2],%g2
+/* 0x0a28	     ( 4  5) */		cmp	%g2,%g3
+/* 0x0a2c	     ( 4  5) */		bleu,pt	%icc,.L77000224	! tprob=0.56
+/* 0x0a30	     ( 4  5) */		nop
+                                   .L77000287:		/* frequency 0.8 confidence 0.0 */
+/* 0x0a34	     ( 0  1) */		cmp	%g1,0
+/* 0x0a38	     ( 0  1) */		ble,pt	%icc,.L77000224	! tprob=0.60
+/* 0x0a3c	     ( 0  1) */		nop
+/* 0x0a40	 281 ( 1  2) */		sub	%g1,1,%o7
+/* 0x0a44	     ( 1  2) */		or	%g0,-1,%g2
+/* 0x0a48	     ( 2  3) */		srl	%g2,0,%o4
+/* 0x0a4c	     ( 2  3) */		add	%o7,1,%o0
+/* 0x0a50	 279 ( 3  4) */		or	%g0,0,%o5
+/* 0x0a54	     ( 3  4) */		or	%g0,0,%g1
+/* 0x0a58	     ( 4  5) */		cmp	%o0,3
+/* 0x0a5c	     ( 4  5) */		bl,pn	%icc,.L77000288	! tprob=0.40
+/* 0x0a60	     ( 4  5) */		add	%o3,8,%o1
+/* 0x0a64	     ( 5  6) */		add	%o2,4,%o0
+/* 0x0a68	     ( 5  8) */		ld	[%o1-8],%g2
+/* 0x0a6c	   0 ( 5  6) */		or	%g0,%o1,%o3
+/* 0x0a70	 279 ( 6  9) */		ld	[%o0-4],%g3
+/* 0x0a74	   0 ( 6  7) */		or	%g0,%o0,%o2
+/* 0x0a78	 279 ( 6  7) */		or	%g0,2,%g1
+/* 0x0a7c	     ( 7 10) */		ld	[%o3-4],%o0
+/* 0x0a80	     ( 8  9) */		sub	%g2,%g3,%g2
+/* 0x0a84	     ( 9 10) */		or	%g0,%g2,%o5
+/* 0x0a88	     ( 9 10) */		and	%g2,%o4,%g2
+/* 0x0a8c	     ( 9 10) */		st	%g2,[%o3-8]
+/* 0x0a90	     (10 11) */		srax	%o5,32,%o5
+                                   .L900000734:		/* frequency 64.0 confidence 0.0 */
+/* 0x0a94	     (12 20) */		ld	[%o2],%g2
+/* 0x0a98	     (12 13) */		add	%g1,1,%g1
+/* 0x0a9c	     (12 13) */		add	%o2,4,%o2
+/* 0x0aa0	     (13 13) */		cmp	%g1,%o7
+/* 0x0aa4	     (13 14) */		add	%o3,4,%o3
+/* 0x0aa8	     (14 14) */		sub	%o0,%g2,%o0
+/* 0x0aac	     (15 15) */		add	%o0,%o5,%o5
+/* 0x0ab0	     (16 17) */		and	%o5,%o4,%g2
+/* 0x0ab4	     (16 24) */		ld	[%o3-4],%o0
+/* 0x0ab8	     (17 18) */		st	%g2,[%o3-8]
+/* 0x0abc	     (17 18) */		ble,pt	%icc,.L900000734	! tprob=0.50
+/* 0x0ac0	     (17 18) */		srax	%o5,32,%o5
+                                   .L900000737:		/* frequency 8.0 confidence 0.0 */
+/* 0x0ac4	     ( 0  3) */		ld	[%o2],%o1
+/* 0x0ac8	     ( 2  3) */		sub	%o0,%o1,%o0
+/* 0x0acc	     ( 3  4) */		add	%o0,%o5,%o0
+/* 0x0ad0	     ( 4  5) */		and	%o0,%o4,%o1
+/* 0x0ad4	     ( 4  5) */		st	%o1,[%o3-4]
+/* 0x0ad8	     ( 5  7) */		ret	! Result = 
+/* 0x0adc	     ( 7  8) */		restore	%g0,%g0,%g0
+                                   .L77000288:		/* frequency 0.6 confidence 0.0 */
+/* 0x0ae0	     ( 0  3) */		ld	[%o3],%o0
+                                   .L900000742:		/* frequency 5.3 confidence 0.0 */
+/* 0x0ae4	     ( 0  3) */		ld	[%o2],%o1
+/* 0x0ae8	     ( 0  1) */		add	%o5,%o0,%o0
+/* 0x0aec	     ( 0  1) */		add	%g1,1,%g1
+/* 0x0af0	     ( 1  2) */		add	%o2,4,%o2
+/* 0x0af4	     ( 1  2) */		cmp	%g1,%o7
+/* 0x0af8	     ( 2  3) */		sub	%o0,%o1,%o0
+/* 0x0afc	     ( 3  4) */		and	%o0,%o4,%o1
+/* 0x0b00	     ( 3  4) */		st	%o1,[%o3]
+/* 0x0b04	     ( 3  4) */		add	%o3,4,%o3
+/* 0x0b08	     ( 4  5) */		srax	%o0,32,%o5
+/* 0x0b0c	     ( 4  5) */		ble,a,pt	%icc,.L900000742	! tprob=0.84
+/* 0x0b10	     ( 4  7) */		ld	[%o3],%o0
+                                   .L77000224:		/* frequency 1.0 confidence 0.0 */
+/* 0x0b14	     ( 0  2) */		ret	! Result = 
+/* 0x0b18	     ( 2  3) */		restore	%g0,%g0,%g0
+/* 0x0b1c	   0 ( 0  0) */		.type	mont_mulf_noconv,2
+/* 0x0b1c	     ( 0  0) */		.size	mont_mulf_noconv,(.-mont_mulf_noconv)
+
diff --git a/security/nss/lib/freebl/mpi/montmulfv8.il b/security/nss/lib/freebl/mpi/montmulfv8.il
new file mode 100644
index 000000000..b3dd734b6
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/montmulfv8.il
@@ -0,0 +1,137 @@
+!  
+!  The contents of this file are subject to the Mozilla Public
+!  License Version 1.1 (the "License"); you may not use this file
+!  except in compliance with the License. You may obtain a copy of
+!  the License at http://www.mozilla.org/MPL/
+!  
+!  Software distributed under the License is distributed on an "AS
+!  IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+!  implied. See the License for the specific language governing
+!  rights and limitations under the License.
+!  
+!  The Original Code is inline macros for SPARC Montgomery multiply functions.
+!  
+!  The Initial Developer of the Original Code is Sun Microsystems Inc.
+!  Portions created by Sun Microsystems Inc. are 
+!  Copyright (C) 1999-2000 Sun Microsystems Inc.  All Rights Reserved.
+!  
+!  Contributor(s):
+!  
+!  Alternatively, the contents of this file may be used under the
+!  terms of the GNU General Public License Version 2 or later (the
+!  "GPL"), in which case the provisions of the GPL are applicable 
+!  instead of those above.	If you wish to allow use of your 
+!  version of this file only under the terms of the GPL and not to
+!  allow others to use your version of this file under the MPL,
+!  indicate your decision by deleting the provisions above and
+!  replace them with the notice and other provisions required by
+!  the GPL.  If you do not delete the provisions above, a recipient
+!  may use your version of this file under either the MPL or the
+!  GPL.
+!  
+!   $Id$
+!  
+
+!
+! double upper32(double /*frs1*/);
+!
+        .inline upper32,8
+        std     %o0,[%sp+0x48]
+        ldd     [%sp+0x48],%f10
+
+	fdtox	%f10,%f10
+	fitod	%f10,%f0
+        .end
+
+!
+! double lower32(double /*frs1*/, double /* Zero */);
+!
+        .inline lower32,8
+        std     %o0,[%sp+0x48]
+        ldd     [%sp+0x48],%f10
+        std     %o2,[%sp+0x48]
+        ldd     [%sp+0x48],%f12
+
+	fdtox	%f10,%f10
+	fmovs	%f12,%f10
+	fxtod	%f10,%f0
+        .end
+
+!
+! double mod(double /*x*/, double /*1/m*/, double /*m*/);
+!
+        .inline mod,12
+        std     %o0,[%sp+0x48]
+        ldd     [%sp+0x48],%f2
+        std     %o2,[%sp+0x48]
+        ldd     [%sp+0x48],%f4
+        std     %o4,[%sp+0x48]
+        ldd     [%sp+0x48],%f6
+
+	fmuld	%f2,%f4,%f4
+	fdtox	%f4,%f4
+	fxtod	%f4,%f4
+	fmuld	%f4,%f6,%f4
+	fsubd	%f2,%f4,%f0
+        .end
+
+
+!
+! void i16_to_d16_and_d32x4(double * /*1/(2^16)*/, double * /* 2^16*/,
+!			    double * /* 0 */,
+!			    double * /*result16*/, double * /* result32 */
+!			    float *  /*source - should be unsigned int*
+!		            	       converted to float* */);
+!
+        .inline i16_to_d16_and_d32x4,24
+        ldd     [%o0],%f2  ! 1/(2^16)
+        ldd     [%o1],%f4  ! 2^16
+	ldd	[%o2],%f22
+
+	fmovd	%f22,%f6
+	ld	[%o5],%f7
+	fmovd	%f22,%f10
+	ld	[%o5+4],%f11
+	fmovd	%f22,%f14
+	ld	[%o5+8],%f15
+	fmovd	%f22,%f18
+	ld	[%o5+12],%f19
+	fxtod	%f6,%f6
+	std	%f6,[%o4]
+	fxtod	%f10,%f10
+	std	%f10,[%o4+8]
+	fxtod	%f14,%f14
+	std	%f14,[%o4+16]
+	fxtod	%f18,%f18
+	std	%f18,[%o4+24]
+	fmuld	%f2,%f6,%f8
+	fmuld	%f2,%f10,%f12
+	fmuld	%f2,%f14,%f16
+	fmuld	%f2,%f18,%f20
+	fdtox	%f8,%f8
+	fdtox	%f12,%f12
+	fdtox	%f16,%f16
+	fdtox	%f20,%f20
+	fxtod	%f8,%f8
+	std	%f8,[%o3+8]
+	fxtod	%f12,%f12
+	std	%f12,[%o3+24]
+	fxtod	%f16,%f16
+	std	%f16,[%o3+40]
+	fxtod	%f20,%f20
+	std	%f20,[%o3+56]
+	fmuld	%f8,%f4,%f8
+	fmuld	%f12,%f4,%f12
+	fmuld	%f16,%f4,%f16
+	fmuld	%f20,%f4,%f20
+	fsubd	%f6,%f8,%f8
+	std	%f8,[%o3]
+	fsubd	%f10,%f12,%f12
+	std	%f12,[%o3+16]
+	fsubd	%f14,%f16,%f16
+	std	%f16,[%o3+32]
+	fsubd	%f18,%f20,%f20
+	std	%f20,[%o3+48]
+        .end
+
+
diff --git a/security/nss/lib/freebl/mpi/montmulfv8.s b/security/nss/lib/freebl/mpi/montmulfv8.s
new file mode 100644
index 000000000..ac74a530d
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/montmulfv8.s
@@ -0,0 +1,1847 @@
+!  
+!  The contents of this file are subject to the Mozilla Public
+!  License Version 1.1 (the "License"); you may not use this file
+!  except in compliance with the License. You may obtain a copy of
+!  the License at http://www.mozilla.org/MPL/
+!  
+!  Software distributed under the License is distributed on an "AS
+!  IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+!  implied. See the License for the specific language governing
+!  rights and limitations under the License.
+!  
+!  The Original Code is SPARC hand-optimized Montgomery multiply functions.
+!   
+!  The Initial Developer of the Original Code is Sun Microsystems Inc.
+!  Portions created by Sun Microsystems Inc. are 
+!  Copyright (C) 1999-2000 Sun Microsystems Inc.  All Rights Reserved.
+!  
+!  Contributor(s):
+!  
+!  Alternatively, the contents of this file may be used under the
+!  terms of the GNU General Public License Version 2 or later (the
+!  "GPL"), in which case the provisions of the GPL are applicable 
+!  instead of those above.	If you wish to allow use of your 
+!  version of this file only under the terms of the GPL and not to
+!  allow others to use your version of this file under the MPL,
+!  indicate your decision by deleting the provisions above and
+!  replace them with the notice and other provisions required by
+!  the GPL.  If you do not delete the provisions above, a recipient
+!  may use your version of this file under either the MPL or the
+!  GPL.
+!  
+!   $Id$
+!  
+
+	.section	".text",#alloc,#execinstr
+	.file	"montmulf.c"
+
+	.section	".rodata",#alloc
+	.global	TwoTo16
+	.align	8
+!
+! CONSTANT POOL
+!
+	.global TwoTo16
+TwoTo16:
+	.word	1089470464
+	.word	0
+	.type	TwoTo16,#object
+	.size	TwoTo16,8
+	.global	TwoToMinus16
+!
+! CONSTANT POOL
+!
+	.global TwoToMinus16
+TwoToMinus16:
+	.word	1055916032
+	.word	0
+	.type	TwoToMinus16,#object
+	.size	TwoToMinus16,8
+	.global	Zero
+!
+! CONSTANT POOL
+!
+	.global Zero
+Zero:
+	.word	0
+	.word	0
+	.type	Zero,#object
+	.size	Zero,8
+	.global	TwoTo32
+!
+! CONSTANT POOL
+!
+	.global TwoTo32
+TwoTo32:
+	.word	1106247680
+	.word	0
+	.type	TwoTo32,#object
+	.size	TwoTo32,8
+	.global	TwoToMinus32
+!
+! CONSTANT POOL
+!
+	.global TwoToMinus32
+TwoToMinus32:
+	.word	1039138816
+	.word	0
+	.type	TwoToMinus32,#object
+	.size	TwoToMinus32,8
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.align	4
+!
+! SUBROUTINE conv_d16_to_i32
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global conv_d16_to_i32
+                       conv_d16_to_i32:
+/* 000000	     */		save	%sp,-128,%sp
+! FILE montmulf.c
+
+!   36		      !#define RF_INLINE_MACROS
+!   38		      !static const double TwoTo16=65536.0;
+!   39		      !static const double TwoToMinus16=1.0/65536.0;
+!   40		      !static const double Zero=0.0;
+!   41		      !static const double TwoTo32=65536.0*65536.0;
+!   42		      !static const double TwoToMinus32=1.0/(65536.0*65536.0);
+!   44		      !#ifdef RF_INLINE_MACROS
+!   46		      !double upper32(double);
+!   47		      !double lower32(double, double);
+!   48		      !double mod(double, double, double);
+!   50		      !void i16_to_d16_and_d32x4(const double * /*1/(2^16)*/, 
+!   51		      !			  const double * /* 2^16*/,
+!   52		      !			  const double * /* 0 */,
+!   53		      !			  double *       /*result16*/, 
+!   54		      !			  double *       /* result32 */,
+!   55		      !			  float *  /*source - should be unsigned int*
+!   56		      !		          	       converted to float* */);
+!   58		      !#else
+!   60		      !static double upper32(double x)
+!   61		      !{
+!   62		      !  return floor(x*TwoToMinus32);
+!   63		      !}
+!   65		      !static double lower32(double x, double y)
+!   66		      !{
+!   67		      !  return x-TwoTo32*floor(x*TwoToMinus32);
+!   68		      !}
+!   70		      !static double mod(double x, double oneoverm, double m)
+!   71		      !{
+!   72		      !  return x-m*floor(x*oneoverm);
+!   73		      !}
+!   75		      !#endif
+!   78		      !static void cleanup(double *dt, int from, int tlen)
+!   79		      !{
+!   80		      ! int i;
+!   81		      ! double tmp,tmp1,x,x1;
+!   83		      ! tmp=tmp1=Zero;
+!   84		      ! /* original code **
+!   85		      ! for(i=2*from;i<2*tlen-2;i++)
+!   86		      !   {
+!   87		      !     x=dt[i];
+!   88		      !     dt[i]=lower32(x,Zero)+tmp1;
+!   89		      !     tmp1=tmp;
+!   90		      !     tmp=upper32(x);
+!   91		      !   }
+!   92		      ! dt[tlen-2]+=tmp1;
+!   93		      ! dt[tlen-1]+=tmp;
+!   94		      ! **end original code ***/
+!   95		      ! /* new code ***/
+!   96		      ! for(i=2*from;i<2*tlen;i+=2)
+!   97		      !   {
+!   98		      !     x=dt[i];
+!   99		      !     x1=dt[i+1];
+!  100		      !     dt[i]=lower32(x,Zero)+tmp;
+!  101		      !     dt[i+1]=lower32(x1,Zero)+tmp1;
+!  102		      !     tmp=upper32(x);
+!  103		      !     tmp1=upper32(x1);
+!  104		      !   }
+!  105		      !  /** end new code **/
+!  106		      !}
+!  109		      !void conv_d16_to_i32(unsigned int *i32, double *d16, long long *tmp, int ilen)
+!  110		      !{
+!  111		      !int i;
+!  112		      !long long t, t1, a, b, c, d;
+!  114		      ! t1=0;
+!  115		      ! a=(long long)d16[0];
+
+/* 0x0004	 115 */		ldd	[%i1],%f0
+/* 0x0008	 110 */		or	%g0,%i1,%o0
+
+!  116		      ! b=(long long)d16[1];
+!  117		      ! for(i=0; i<ilen-1; i++)
+
+/* 0x000c	 117 */		sub	%i3,1,%g2
+/* 0x0010	     */		cmp	%g2,0
+/* 0x0014	 114 */		or	%g0,0,%o4
+/* 0x0018	 115 */		fdtox	%f0,%f0
+/* 0x001c	     */		std	%f0,[%sp+120]
+/* 0x0020	 117 */		or	%g0,0,%o7
+/* 0x0024	 110 */		or	%g0,%i3,%o1
+/* 0x0028	     */		sub	%i3,2,%o2
+/* 0x002c	 116 */		ldd	[%o0+8],%f0
+/* 0x0030	 110 */		sethi	%hi(0xfc00),%o1
+/* 0x0034	     */		add	%o2,1,%g3
+/* 0x0038	     */		add	%o1,1023,%o1
+/* 0x003c	     */		or	%g0,%i0,%o5
+/* 0x0040	 116 */		fdtox	%f0,%f0
+/* 0x0044	     */		std	%f0,[%sp+112]
+/* 0x0048	     */		ldx	[%sp+112],%g1
+/* 0x004c	 115 */		ldx	[%sp+120],%g4
+/* 0x0050	 117 */		ble,pt	%icc,.L900000117
+/* 0x0054	     */		sethi	%hi(0xfc00),%g2
+/* 0x0058	 110 */		or	%g0,-1,%g2
+/* 0x005c	 117 */		cmp	%g3,3
+/* 0x0060	 110 */		srl	%g2,0,%o3
+/* 0x0064	 117 */		bl,pn	%icc,.L77000134
+/* 0x0068	     */		or	%g0,%o0,%g2
+
+!  118		      !   {
+!  119		      !     c=(long long)d16[2*i+2];
+
+/* 0x006c	 119 */		ldd	[%o0+16],%f0
+
+!  120		      !     t1+=a&0xffffffff;
+!  121		      !     t=(a>>32);
+!  122		      !     d=(long long)d16[2*i+3];
+!  123		      !     t1+=(b&0xffff)<<16;
+!  124		      !     t+=(b>>16)+(t1>>32);
+!  125		      !     i32[i]=t1&0xffffffff;
+!  126		      !     t1=t;
+!  127		      !     a=c;
+!  128		      !     b=d;
+
+/* 0x0070	 128 */		add	%o0,16,%g2
+/* 0x0074	 123 */		and	%g1,%o1,%o0
+/* 0x0078	     */		sllx	%o0,16,%g3
+/* 0x007c	 120 */		and	%g4,%o3,%o0
+/* 0x0080	 117 */		add	%o0,%g3,%o4
+/* 0x0084	 119 */		fdtox	%f0,%f0
+/* 0x0088	     */		std	%f0,[%sp+104]
+/* 0x008c	 125 */		and	%o4,%o3,%g5
+/* 0x0090	 122 */		ldd	[%g2+8],%f2
+/* 0x0094	 128 */		add	%o5,4,%o5
+/* 0x0098	 124 */		srax	%o4,32,%o4
+/* 0x009c	     */		stx	%o4,[%sp+112]
+/* 0x00a0	 122 */		fdtox	%f2,%f0
+/* 0x00a4	     */		std	%f0,[%sp+96]
+/* 0x00a8	 124 */		srax	%g1,16,%o0
+/* 0x00ac	     */		ldx	[%sp+112],%o7
+/* 0x00b0	 121 */		srax	%g4,32,%o4
+/* 0x00b4	 124 */		add	%o0,%o7,%g4
+/* 0x00b8	 128 */		or	%g0,1,%o7
+/* 0x00bc	 119 */		ldx	[%sp+104],%g3
+/* 0x00c0	 124 */		add	%o4,%g4,%o4
+/* 0x00c4	 122 */		ldx	[%sp+96],%g1
+/* 0x00c8	 125 */		st	%g5,[%o5-4]
+/* 0x00cc	 127 */		or	%g0,%g3,%g4
+                       .L900000112:
+/* 0x00d0	 119 */		ldd	[%g2+16],%f0
+/* 0x00d4	 128 */		add	%o7,1,%o7
+/* 0x00d8	     */		add	%o5,4,%o5
+/* 0x00dc	     */		cmp	%o7,%o2
+/* 0x00e0	     */		add	%g2,16,%g2
+/* 0x00e4	 119 */		fdtox	%f0,%f0
+/* 0x00e8	     */		std	%f0,[%sp+104]
+/* 0x00ec	 122 */		ldd	[%g2+8],%f0
+/* 0x00f0	     */		fdtox	%f0,%f0
+/* 0x00f4	     */		std	%f0,[%sp+96]
+/* 0x00f8	 123 */		and	%g1,%o1,%g3
+/* 0x00fc	     */		sllx	%g3,16,%g5
+/* 0x0100	 120 */		and	%g4,%o3,%g3
+/* 0x0104	 117 */		add	%g3,%g5,%g3
+/* 0x0108	 124 */		srax	%g1,16,%g1
+/* 0x010c	 117 */		add	%g3,%o4,%g3
+/* 0x0110	 124 */		srax	%g3,32,%o4
+/* 0x0114	     */		stx	%o4,[%sp+112]
+/* 0x0118	 119 */		ldx	[%sp+104],%g5
+/* 0x011c	 121 */		srax	%g4,32,%o4
+/* 0x0120	 124 */		ldx	[%sp+112],%g4
+/* 0x0124	     */		add	%g1,%g4,%g4
+/* 0x0128	 122 */		ldx	[%sp+96],%g1
+/* 0x012c	 124 */		add	%o4,%g4,%o4
+/* 0x0130	 125 */		and	%g3,%o3,%g3
+/* 0x0134	 127 */		or	%g0,%g5,%g4
+/* 0x0138	 128 */		ble,pt	%icc,.L900000112
+/* 0x013c	     */		st	%g3,[%o5-4]
+                       .L900000115:
+/* 0x0140	 128 */		ba	.L900000117
+/* 0x0144	     */		sethi	%hi(0xfc00),%g2
+                       .L77000134:
+/* 0x0148	 119 */		ldd	[%g2+16],%f0
+                       .L900000116:
+/* 0x014c	 120 */		and	%g4,%o3,%o0
+/* 0x0150	 123 */		and	%g1,%o1,%g3
+/* 0x0154	 119 */		fdtox	%f0,%f0
+/* 0x0158	 120 */		add	%o4,%o0,%o0
+/* 0x015c	 119 */		std	%f0,[%sp+104]
+/* 0x0160	 128 */		add	%o7,1,%o7
+/* 0x0164	 123 */		sllx	%g3,16,%o4
+/* 0x0168	 122 */		ldd	[%g2+24],%f2
+/* 0x016c	 128 */		add	%g2,16,%g2
+/* 0x0170	 123 */		add	%o0,%o4,%o0
+/* 0x0174	 128 */		cmp	%o7,%o2
+/* 0x0178	 125 */		and	%o0,%o3,%g3
+/* 0x017c	 122 */		fdtox	%f2,%f0
+/* 0x0180	     */		std	%f0,[%sp+96]
+/* 0x0184	 124 */		srax	%o0,32,%o0
+/* 0x0188	     */		stx	%o0,[%sp+112]
+/* 0x018c	 121 */		srax	%g4,32,%o4
+/* 0x0190	 122 */		ldx	[%sp+96],%o0
+/* 0x0194	 124 */		srax	%g1,16,%g5
+/* 0x0198	     */		ldx	[%sp+112],%g4
+/* 0x019c	 119 */		ldx	[%sp+104],%g1
+/* 0x01a0	 125 */		st	%g3,[%o5]
+/* 0x01a4	 124 */		add	%g5,%g4,%g4
+/* 0x01a8	 128 */		add	%o5,4,%o5
+/* 0x01ac	 124 */		add	%o4,%g4,%o4
+/* 0x01b0	 127 */		or	%g0,%g1,%g4
+/* 0x01b4	 128 */		or	%g0,%o0,%g1
+/* 0x01b8	     */		ble,a,pt	%icc,.L900000116
+/* 0x01bc	     */		ldd	[%g2+16],%f0
+                       .L77000127:
+
+!  129		      !   }
+!  130		      !     t1+=a&0xffffffff;
+!  131		      !     t=(a>>32);
+!  132		      !     t1+=(b&0xffff)<<16;
+!  133		      !     i32[i]=t1&0xffffffff;
+
+/* 0x01c0	 133 */		sethi	%hi(0xfc00),%g2
+                       .L900000117:
+/* 0x01c4	 133 */		or	%g0,-1,%g3
+/* 0x01c8	     */		add	%g2,1023,%g2
+/* 0x01cc	     */		srl	%g3,0,%g3
+/* 0x01d0	     */		and	%g1,%g2,%g2
+/* 0x01d4	     */		and	%g4,%g3,%g4
+/* 0x01d8	     */		sllx	%g2,16,%g2
+/* 0x01dc	     */		add	%o4,%g4,%g4
+/* 0x01e0	     */		add	%g4,%g2,%g2
+/* 0x01e4	     */		sll	%o7,2,%g4
+/* 0x01e8	     */		and	%g2,%g3,%g2
+/* 0x01ec	     */		st	%g2,[%i0+%g4]
+/* 0x01f0	     */		ret	! Result = 
+/* 0x01f4	     */		restore	%g0,%g0,%g0
+/* 0x01f8	   0 */		.type	conv_d16_to_i32,2
+/* 0x01f8	     */		.size	conv_d16_to_i32,(.-conv_d16_to_i32)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.align	8
+!
+! CONSTANT POOL
+!
+                       .L_const_seg_900000201:
+/* 000000	   0 */		.word	1127219200,0
+/* 0x0008	   0 */		.align	4
+/* 0x0008	     */		.skip	16
+!
+! SUBROUTINE conv_i32_to_d32
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global conv_i32_to_d32
+                       conv_i32_to_d32:
+/* 000000	     */		or	%g0,%o7,%g2
+
+!  135		      !}
+!  137		      !void conv_i32_to_d32(double *d32, unsigned int *i32, int len)
+!  138		      !{
+!  139		      !int i;
+!  141		      !#pragma pipeloop(0)
+!  142		      ! for(i=0;i<len;i++) d32[i]=(double)(i32[i]);
+
+/* 0x0004	 142 */		cmp	%o2,0
+                       .L900000210:
+/* 0x0008	     */		call	.+8
+/* 0x000c	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000210-.)),%g4
+/* 0x0010	 142 */		or	%g0,0,%o5
+/* 0x0014	 138 */		add	%g4,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000210-.)),%g4
+/* 0x0018	     */		or	%g0,%o0,%g5
+/* 0x001c	     */		add	%g4,%o7,%g1
+/* 0x0020	 142 */		ble,pt	%icc,.L77000140
+/* 0x0024	     */		or	%g0,%g2,%o7
+/* 0x0028	     */		sethi	%hi(.L_const_seg_900000201),%g2
+/* 0x002c	 138 */		or	%g0,%o1,%g4
+/* 0x0030	 142 */		add	%g2,%lo(.L_const_seg_900000201),%g2
+/* 0x0034	     */		sub	%o2,1,%g3
+/* 0x0038	     */		ld	[%g1+%g2],%g2
+/* 0x003c	     */		cmp	%o2,9
+/* 0x0040	     */		bl,pn	%icc,.L77000144
+/* 0x0044	     */		ldd	[%g2],%f8
+/* 0x0048	     */		add	%o1,16,%g4
+/* 0x004c	     */		sub	%o2,5,%g1
+/* 0x0050	     */		ld	[%o1],%f7
+/* 0x0054	     */		or	%g0,4,%o5
+/* 0x0058	     */		ld	[%o1+4],%f5
+/* 0x005c	     */		ld	[%o1+8],%f3
+/* 0x0060	     */		fmovs	%f8,%f6
+/* 0x0064	     */		ld	[%o1+12],%f1
+                       .L900000205:
+/* 0x0068	     */		ld	[%g4],%f11
+/* 0x006c	     */		add	%o5,5,%o5
+/* 0x0070	     */		add	%g4,20,%g4
+/* 0x0074	     */		fsubd	%f6,%f8,%f6
+/* 0x0078	     */		std	%f6,[%g5]
+/* 0x007c	     */		cmp	%o5,%g1
+/* 0x0080	     */		add	%g5,40,%g5
+/* 0x0084	     */		fmovs	%f8,%f4
+/* 0x0088	     */		ld	[%g4-16],%f7
+/* 0x008c	     */		fsubd	%f4,%f8,%f12
+/* 0x0090	     */		fmovs	%f8,%f2
+/* 0x0094	     */		std	%f12,[%g5-32]
+/* 0x0098	     */		ld	[%g4-12],%f5
+/* 0x009c	     */		fsubd	%f2,%f8,%f12
+/* 0x00a0	     */		fmovs	%f8,%f0
+/* 0x00a4	     */		std	%f12,[%g5-24]
+/* 0x00a8	     */		ld	[%g4-8],%f3
+/* 0x00ac	     */		fsubd	%f0,%f8,%f12
+/* 0x00b0	     */		fmovs	%f8,%f10
+/* 0x00b4	     */		std	%f12,[%g5-16]
+/* 0x00b8	     */		ld	[%g4-4],%f1
+/* 0x00bc	     */		fsubd	%f10,%f8,%f10
+/* 0x00c0	     */		fmovs	%f8,%f6
+/* 0x00c4	     */		ble,pt	%icc,.L900000205
+/* 0x00c8	     */		std	%f10,[%g5-8]
+                       .L900000208:
+/* 0x00cc	     */		fmovs	%f8,%f4
+/* 0x00d0	     */		add	%g5,32,%g5
+/* 0x00d4	     */		cmp	%o5,%g3
+/* 0x00d8	     */		fmovs	%f8,%f2
+/* 0x00dc	     */		fmovs	%f8,%f0
+/* 0x00e0	     */		fsubd	%f6,%f8,%f6
+/* 0x00e4	     */		std	%f6,[%g5-32]
+/* 0x00e8	     */		fsubd	%f4,%f8,%f4
+/* 0x00ec	     */		std	%f4,[%g5-24]
+/* 0x00f0	     */		fsubd	%f2,%f8,%f2
+/* 0x00f4	     */		std	%f2,[%g5-16]
+/* 0x00f8	     */		fsubd	%f0,%f8,%f0
+/* 0x00fc	     */		bg,pn	%icc,.L77000140
+/* 0x0100	     */		std	%f0,[%g5-8]
+                       .L77000144:
+/* 0x0104	     */		ld	[%g4],%f1
+                       .L900000211:
+/* 0x0108	     */		ldd	[%g2],%f8
+/* 0x010c	     */		add	%o5,1,%o5
+/* 0x0110	     */		add	%g4,4,%g4
+/* 0x0114	     */		cmp	%o5,%g3
+/* 0x0118	     */		fmovs	%f8,%f0
+/* 0x011c	     */		fsubd	%f0,%f8,%f0
+/* 0x0120	     */		std	%f0,[%g5]
+/* 0x0124	     */		add	%g5,8,%g5
+/* 0x0128	     */		ble,a,pt	%icc,.L900000211
+/* 0x012c	     */		ld	[%g4],%f1
+                       .L77000140:
+/* 0x0130	     */		retl	! Result = 
+/* 0x0134	     */		nop
+/* 0x0138	   0 */		.type	conv_i32_to_d32,2
+/* 0x0138	     */		.size	conv_i32_to_d32,(.-conv_i32_to_d32)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.align	8
+!
+! CONSTANT POOL
+!
+                       .L_const_seg_900000301:
+/* 000000	   0 */		.word	1127219200,0
+/* 0x0008	   0 */		.align	4
+!
+! SUBROUTINE conv_i32_to_d16
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global conv_i32_to_d16
+                       conv_i32_to_d16:
+/* 000000	     */		save	%sp,-104,%sp
+/* 0x0004	     */		or	%g0,%i2,%o0
+
+!  143		      !}
+!  146		      !void conv_i32_to_d16(double *d16, unsigned int *i32, int len)
+!  147		      !{
+!  148		      !int i;
+!  149		      !unsigned int a;
+!  151		      !#pragma pipeloop(0)
+!  152		      ! for(i=0;i<len;i++)
+!  153		      !   {
+!  154		      !     a=i32[i];
+!  155		      !     d16[2*i]=(double)(a&0xffff);
+!  156		      !     d16[2*i+1]=(double)(a>>16);
+
+/* 0x0008	 156 */		sethi	%hi(.L_const_seg_900000301),%g2
+                       .L900000310:
+/* 0x000c	     */		call	.+8
+/* 0x0010	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000310-.)),%g3
+/* 0x0014	 152 */		cmp	%o0,0
+/* 0x0018	 147 */		add	%g3,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000310-.)),%g3
+/* 0x001c	 152 */		ble,pt	%icc,.L77000150
+/* 0x0020	     */		add	%g3,%o7,%o2
+/* 0x0024	     */		sub	%i2,1,%o5
+/* 0x0028	 156 */		add	%g2,%lo(.L_const_seg_900000301),%o1
+/* 0x002c	 152 */		sethi	%hi(0xfc00),%o0
+/* 0x0030	     */		ld	[%o2+%o1],%o3
+/* 0x0034	     */		add	%o5,1,%g2
+/* 0x0038	     */		or	%g0,0,%g1
+/* 0x003c	     */		cmp	%g2,3
+/* 0x0040	     */		or	%g0,%i1,%o7
+/* 0x0044	     */		add	%o0,1023,%o4
+/* 0x0048	     */		or	%g0,%i0,%g3
+/* 0x004c	     */		bl,pn	%icc,.L77000154
+/* 0x0050	     */		add	%o7,4,%o0
+/* 0x0054	 155 */		ldd	[%o3],%f0
+/* 0x0058	 156 */		or	%g0,1,%g1
+/* 0x005c	 154 */		ld	[%o0-4],%o1
+/* 0x0060	   0 */		or	%g0,%o0,%o7
+/* 0x0064	 155 */		and	%o1,%o4,%o0
+                       .L900000306:
+/* 0x0068	 155 */		st	%o0,[%sp+96]
+/* 0x006c	 156 */		add	%g1,1,%g1
+/* 0x0070	     */		add	%g3,16,%g3
+/* 0x0074	     */		cmp	%g1,%o5
+/* 0x0078	     */		add	%o7,4,%o7
+/* 0x007c	 155 */		ld	[%sp+96],%f3
+/* 0x0080	     */		fmovs	%f0,%f2
+/* 0x0084	     */		fsubd	%f2,%f0,%f2
+/* 0x0088	 156 */		srl	%o1,16,%o0
+/* 0x008c	 155 */		std	%f2,[%g3-16]
+/* 0x0090	 156 */		st	%o0,[%sp+92]
+/* 0x0094	     */		ld	[%sp+92],%f3
+/* 0x0098	 154 */		ld	[%o7-4],%o1
+/* 0x009c	 156 */		fmovs	%f0,%f2
+/* 0x00a0	     */		fsubd	%f2,%f0,%f2
+/* 0x00a4	 155 */		and	%o1,%o4,%o0
+/* 0x00a8	 156 */		ble,pt	%icc,.L900000306
+/* 0x00ac	     */		std	%f2,[%g3-8]
+                       .L900000309:
+/* 0x00b0	 155 */		st	%o0,[%sp+96]
+/* 0x00b4	     */		fmovs	%f0,%f2
+/* 0x00b8	 156 */		add	%g3,16,%g3
+/* 0x00bc	     */		srl	%o1,16,%o0
+/* 0x00c0	 155 */		ld	[%sp+96],%f3
+/* 0x00c4	     */		fsubd	%f2,%f0,%f2
+/* 0x00c8	     */		std	%f2,[%g3-16]
+/* 0x00cc	 156 */		st	%o0,[%sp+92]
+/* 0x00d0	     */		fmovs	%f0,%f2
+/* 0x00d4	     */		ld	[%sp+92],%f3
+/* 0x00d8	     */		fsubd	%f2,%f0,%f0
+/* 0x00dc	     */		std	%f0,[%g3-8]
+/* 0x00e0	     */		ret	! Result = 
+/* 0x00e4	     */		restore	%g0,%g0,%g0
+                       .L77000154:
+/* 0x00e8	 154 */		ld	[%o7],%o0
+                       .L900000311:
+/* 0x00ec	 155 */		and	%o0,%o4,%o1
+/* 0x00f0	     */		st	%o1,[%sp+96]
+/* 0x00f4	 156 */		add	%g1,1,%g1
+/* 0x00f8	 155 */		ldd	[%o3],%f0
+/* 0x00fc	 156 */		srl	%o0,16,%o0
+/* 0x0100	     */		add	%o7,4,%o7
+/* 0x0104	     */		cmp	%g1,%o5
+/* 0x0108	 155 */		fmovs	%f0,%f2
+/* 0x010c	     */		ld	[%sp+96],%f3
+/* 0x0110	     */		fsubd	%f2,%f0,%f2
+/* 0x0114	     */		std	%f2,[%g3]
+/* 0x0118	 156 */		st	%o0,[%sp+92]
+/* 0x011c	     */		fmovs	%f0,%f2
+/* 0x0120	     */		ld	[%sp+92],%f3
+/* 0x0124	     */		fsubd	%f2,%f0,%f0
+/* 0x0128	     */		std	%f0,[%g3+8]
+/* 0x012c	     */		add	%g3,16,%g3
+/* 0x0130	     */		ble,a,pt	%icc,.L900000311
+/* 0x0134	     */		ld	[%o7],%o0
+                       .L77000150:
+/* 0x0138	     */		ret	! Result = 
+/* 0x013c	     */		restore	%g0,%g0,%g0
+/* 0x0140	   0 */		.type	conv_i32_to_d16,2
+/* 0x0140	     */		.size	conv_i32_to_d16,(.-conv_i32_to_d16)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.align	8
+!
+! CONSTANT POOL
+!
+                       .L_const_seg_900000401:
+/* 000000	   0 */		.word	1127219200,0
+/* 0x0008	   0 */		.align	4
+/* 0x0008	     */		.skip	16
+!
+! SUBROUTINE conv_i32_to_d32_and_d16
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global conv_i32_to_d32_and_d16
+                       conv_i32_to_d32_and_d16:
+/* 000000	     */		save	%sp,-120,%sp
+                       .L900000415:
+/* 0x0004	     */		call	.+8
+/* 0x0008	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000415-.)),%g4
+
+!  157		      !   }
+!  158		      !}
+!  161		      !void conv_i32_to_d32_and_d16(double *d32, double *d16, 
+!  162		      !			     unsigned int *i32, int len)
+!  163		      !{
+!  164		      !int i = 0;
+!  165		      !unsigned int a;
+!  167		      !#pragma pipeloop(0)
+!  168		      !#ifdef RF_INLINE_MACROS
+!  169		      ! for(;i<len-3;i+=4)
+
+/* 0x000c	 169 */		sub	%i3,3,%g2
+/* 0x0010	     */		cmp	%g2,0
+/* 0x0014	 163 */		add	%g4,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000415-.)),%g4
+
+!  170		      !   {
+!  171		      !     i16_to_d16_and_d32x4(&TwoToMinus16, &TwoTo16, &Zero,
+!  172		      !			  &(d16[2*i]), &(d32[i]), (float *)(&(i32[i])));
+
+/* 0x0018	 172 */		sethi	%hi(Zero),%g2
+/* 0x001c	 163 */		add	%g4,%o7,%o4
+/* 0x0020	 172 */		add	%g2,%lo(Zero),%g2
+/* 0x0024	     */		sethi	%hi(TwoToMinus16),%g3
+/* 0x0028	     */		ld	[%o4+%g2],%o1
+/* 0x002c	     */		sethi	%hi(TwoTo16),%g4
+/* 0x0030	     */		add	%g3,%lo(TwoToMinus16),%g2
+/* 0x0034	     */		ld	[%o4+%g2],%o3
+/* 0x0038	 164 */		or	%g0,0,%g5
+/* 0x003c	 172 */		add	%g4,%lo(TwoTo16),%g3
+/* 0x0040	     */		ld	[%o4+%g3],%o2
+/* 0x0044	 163 */		or	%g0,%i0,%i4
+/* 0x0048	 169 */		or	%g0,%i2,%o7
+/* 0x004c	     */		ble,pt	%icc,.L900000418
+/* 0x0050	     */		cmp	%g5,%i3
+/* 0x0054	 172 */		stx	%o7,[%sp+104]
+/* 0x0058	 169 */		sub	%i3,4,%o5
+/* 0x005c	     */		or	%g0,0,%g4
+/* 0x0060	     */		or	%g0,0,%g1
+                       .L900000417:
+/* 0x0064	     */		ldd	[%o1],%f2
+/* 0x0068	 172 */		add	%i4,%g4,%g2
+/* 0x006c	     */		add	%i1,%g1,%g3
+/* 0x0070	     */		ldd	[%o3],%f0
+/* 0x0074	     */		add	%g5,4,%g5
+/* 0x0078	     */		fmovd	%f2,%f14
+/* 0x007c	     */		ld	[%o7],%f15
+/* 0x0080	     */		cmp	%g5,%o5
+/* 0x0084	     */		fmovd	%f2,%f10
+/* 0x0088	     */		ld	[%o7+4],%f11
+/* 0x008c	     */		add	%o7,16,%o7
+/* 0x0090	     */		ldx	[%sp+104],%o0
+/* 0x0094	     */		fmovd	%f2,%f6
+/* 0x0098	     */		stx	%o7,[%sp+112]
+/* 0x009c	     */		fxtod	%f14,%f14
+/* 0x00a0	     */		ld	[%o0+8],%f7
+/* 0x00a4	     */		fxtod	%f10,%f10
+/* 0x00a8	     */		ld	[%o0+12],%f3
+/* 0x00ac	     */		fxtod	%f6,%f6
+/* 0x00b0	     */		ldd	[%o2],%f16
+/* 0x00b4	     */		fmuld	%f0,%f14,%f12
+/* 0x00b8	     */		fxtod	%f2,%f2
+/* 0x00bc	     */		fmuld	%f0,%f10,%f8
+/* 0x00c0	     */		std	%f14,[%i4+%g4]
+/* 0x00c4	     */		ldx	[%sp+112],%o7
+/* 0x00c8	     */		add	%g4,32,%g4
+/* 0x00cc	     */		fmuld	%f0,%f6,%f4
+/* 0x00d0	     */		fdtox	%f12,%f12
+/* 0x00d4	     */		std	%f10,[%g2+8]
+/* 0x00d8	     */		fmuld	%f0,%f2,%f0
+/* 0x00dc	     */		fdtox	%f8,%f8
+/* 0x00e0	     */		std	%f6,[%g2+16]
+/* 0x00e4	     */		std	%f2,[%g2+24]
+/* 0x00e8	     */		fdtox	%f4,%f4
+/* 0x00ec	     */		fdtox	%f0,%f0
+/* 0x00f0	     */		fxtod	%f12,%f12
+/* 0x00f4	     */		std	%f12,[%g3+8]
+/* 0x00f8	     */		fxtod	%f8,%f8
+/* 0x00fc	     */		std	%f8,[%g3+24]
+/* 0x0100	     */		fxtod	%f4,%f4
+/* 0x0104	     */		std	%f4,[%g3+40]
+/* 0x0108	     */		fxtod	%f0,%f0
+/* 0x010c	     */		std	%f0,[%g3+56]
+/* 0x0110	     */		fmuld	%f12,%f16,%f12
+/* 0x0114	     */		fmuld	%f8,%f16,%f8
+/* 0x0118	     */		fmuld	%f4,%f16,%f4
+/* 0x011c	     */		fsubd	%f14,%f12,%f12
+/* 0x0120	     */		std	%f12,[%i1+%g1]
+/* 0x0124	     */		fmuld	%f0,%f16,%f0
+/* 0x0128	     */		fsubd	%f10,%f8,%f8
+/* 0x012c	     */		std	%f8,[%g3+16]
+/* 0x0130	     */		add	%g1,64,%g1
+/* 0x0134	     */		fsubd	%f6,%f4,%f4
+/* 0x0138	     */		std	%f4,[%g3+32]
+/* 0x013c	     */		fsubd	%f2,%f0,%f0
+/* 0x0140	     */		std	%f0,[%g3+48]
+/* 0x0144	     */		ble,a,pt	%icc,.L900000417
+/* 0x0148	     */		stx	%o7,[%sp+104]
+                       .L77000159:
+
+!  173		      !   }
+!  174		      !#endif
+!  175		      ! for(;i<len;i++)
+
+/* 0x014c	 175 */		cmp	%g5,%i3
+                       .L900000418:
+/* 0x0150	 175 */		bge,pt	%icc,.L77000164
+/* 0x0154	     */		nop
+
+!  176		      !   {
+!  177		      !     a=i32[i];
+!  178		      !     d32[i]=(double)(i32[i]);
+!  179		      !     d16[2*i]=(double)(a&0xffff);
+!  180		      !     d16[2*i+1]=(double)(a>>16);
+
+/* 0x0158	 180 */		sethi	%hi(.L_const_seg_900000401),%g2
+/* 0x015c	     */		add	%g2,%lo(.L_const_seg_900000401),%o1
+/* 0x0160	 175 */		sethi	%hi(0xfc00),%o0
+/* 0x0164	     */		ld	[%o4+%o1],%o2
+/* 0x0168	     */		sll	%g5,2,%o3
+/* 0x016c	     */		sub	%i3,%g5,%g3
+/* 0x0170	     */		sll	%g5,3,%g2
+/* 0x0174	     */		add	%o0,1023,%o4
+/* 0x0178	 178 */		ldd	[%o2],%f0
+/* 0x017c	     */		add	%i2,%o3,%o0
+/* 0x0180	 175 */		cmp	%g3,3
+/* 0x0184	     */		add	%i4,%g2,%o3
+/* 0x0188	     */		sub	%i3,1,%o1
+/* 0x018c	     */		sll	%g5,4,%g4
+/* 0x0190	     */		bl,pn	%icc,.L77000161
+/* 0x0194	     */		add	%i1,%g4,%o5
+/* 0x0198	 178 */		ld	[%o0],%f3
+/* 0x019c	 180 */		add	%o3,8,%o3
+/* 0x01a0	 177 */		ld	[%o0],%o7
+/* 0x01a4	 180 */		add	%o5,16,%o5
+/* 0x01a8	     */		add	%g5,1,%g5
+/* 0x01ac	 178 */		fmovs	%f0,%f2
+/* 0x01b0	 180 */		add	%o0,4,%o0
+/* 0x01b4	 179 */		and	%o7,%o4,%g1
+/* 0x01b8	 178 */		fsubd	%f2,%f0,%f2
+/* 0x01bc	     */		std	%f2,[%o3-8]
+/* 0x01c0	 180 */		srl	%o7,16,%o7
+/* 0x01c4	 179 */		st	%g1,[%sp+96]
+/* 0x01c8	     */		fmovs	%f0,%f2
+/* 0x01cc	     */		ld	[%sp+96],%f3
+/* 0x01d0	     */		fsubd	%f2,%f0,%f2
+/* 0x01d4	     */		std	%f2,[%o5-16]
+/* 0x01d8	 180 */		st	%o7,[%sp+92]
+/* 0x01dc	     */		fmovs	%f0,%f2
+/* 0x01e0	     */		ld	[%sp+92],%f3
+/* 0x01e4	     */		fsubd	%f2,%f0,%f2
+/* 0x01e8	     */		std	%f2,[%o5-8]
+                       .L900000411:
+/* 0x01ec	 178 */		ld	[%o0],%f3
+/* 0x01f0	 180 */		add	%g5,2,%g5
+/* 0x01f4	     */		add	%o5,32,%o5
+/* 0x01f8	 177 */		ld	[%o0],%o7
+/* 0x01fc	 180 */		cmp	%g5,%o1
+/* 0x0200	     */		add	%o3,16,%o3
+/* 0x0204	 178 */		fmovs	%f0,%f2
+/* 0x0208	     */		fsubd	%f2,%f0,%f2
+/* 0x020c	     */		std	%f2,[%o3-16]
+/* 0x0210	 179 */		and	%o7,%o4,%g1
+/* 0x0214	     */		st	%g1,[%sp+96]
+/* 0x0218	     */		ld	[%sp+96],%f3
+/* 0x021c	     */		fmovs	%f0,%f2
+/* 0x0220	     */		fsubd	%f2,%f0,%f2
+/* 0x0224	 180 */		srl	%o7,16,%o7
+/* 0x0228	 179 */		std	%f2,[%o5-32]
+/* 0x022c	 180 */		st	%o7,[%sp+92]
+/* 0x0230	     */		ld	[%sp+92],%f3
+/* 0x0234	     */		fmovs	%f0,%f2
+/* 0x0238	     */		fsubd	%f2,%f0,%f2
+/* 0x023c	     */		std	%f2,[%o5-24]
+/* 0x0240	     */		add	%o0,4,%o0
+/* 0x0244	 178 */		ld	[%o0],%f3
+/* 0x0248	 177 */		ld	[%o0],%o7
+/* 0x024c	 178 */		fmovs	%f0,%f2
+/* 0x0250	     */		fsubd	%f2,%f0,%f2
+/* 0x0254	     */		std	%f2,[%o3-8]
+/* 0x0258	 179 */		and	%o7,%o4,%g1
+/* 0x025c	     */		st	%g1,[%sp+96]
+/* 0x0260	     */		ld	[%sp+96],%f3
+/* 0x0264	     */		fmovs	%f0,%f2
+/* 0x0268	     */		fsubd	%f2,%f0,%f2
+/* 0x026c	 180 */		srl	%o7,16,%o7
+/* 0x0270	 179 */		std	%f2,[%o5-16]
+/* 0x0274	 180 */		st	%o7,[%sp+92]
+/* 0x0278	     */		ld	[%sp+92],%f3
+/* 0x027c	     */		fmovs	%f0,%f2
+/* 0x0280	     */		fsubd	%f2,%f0,%f2
+/* 0x0284	     */		std	%f2,[%o5-8]
+/* 0x0288	     */		bl,pt	%icc,.L900000411
+/* 0x028c	     */		add	%o0,4,%o0
+                       .L900000414:
+/* 0x0290	 180 */		cmp	%g5,%i3
+/* 0x0294	     */		bge,pn	%icc,.L77000164
+/* 0x0298	     */		nop
+                       .L77000161:
+/* 0x029c	 178 */		ld	[%o0],%f3
+                       .L900000416:
+/* 0x02a0	 178 */		ldd	[%o2],%f0
+/* 0x02a4	 180 */		add	%g5,1,%g5
+/* 0x02a8	 177 */		ld	[%o0],%o1
+/* 0x02ac	 180 */		add	%o0,4,%o0
+/* 0x02b0	     */		cmp	%g5,%i3
+/* 0x02b4	 178 */		fmovs	%f0,%f2
+/* 0x02b8	 179 */		and	%o1,%o4,%o7
+/* 0x02bc	 178 */		fsubd	%f2,%f0,%f2
+/* 0x02c0	     */		std	%f2,[%o3]
+/* 0x02c4	 180 */		srl	%o1,16,%o1
+/* 0x02c8	 179 */		st	%o7,[%sp+96]
+/* 0x02cc	 180 */		add	%o3,8,%o3
+/* 0x02d0	 179 */		fmovs	%f0,%f2
+/* 0x02d4	     */		ld	[%sp+96],%f3
+/* 0x02d8	     */		fsubd	%f2,%f0,%f2
+/* 0x02dc	     */		std	%f2,[%o5]
+/* 0x02e0	 180 */		st	%o1,[%sp+92]
+/* 0x02e4	     */		fmovs	%f0,%f2
+/* 0x02e8	     */		ld	[%sp+92],%f3
+/* 0x02ec	     */		fsubd	%f2,%f0,%f0
+/* 0x02f0	     */		std	%f0,[%o5+8]
+/* 0x02f4	     */		add	%o5,16,%o5
+/* 0x02f8	     */		bl,a,pt	%icc,.L900000416
+/* 0x02fc	     */		ld	[%o0],%f3
+                       .L77000164:
+/* 0x0300	     */		ret	! Result = 
+/* 0x0304	     */		restore	%g0,%g0,%g0
+/* 0x0308	   0 */		.type	conv_i32_to_d32_and_d16,2
+/* 0x0308	     */		.size	conv_i32_to_d32_and_d16,(.-conv_i32_to_d32_and_d16)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.align	4
+!
+! SUBROUTINE adjust_montf_result
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global adjust_montf_result
+                       adjust_montf_result:
+/* 000000	     */		or	%g0,%o2,%g5
+
+!  181		      !   }
+!  182		      !}
+!  185		      !void adjust_montf_result(unsigned int *i32, unsigned int *nint, int len)
+!  186		      !{
+!  187		      !long long acc;
+!  188		      !int i;
+!  190		      ! if(i32[len]>0) i=-1;
+
+/* 0x0004	 190 */		or	%g0,-1,%g4
+/* 0x0008	     */		sll	%o2,2,%g1
+/* 0x000c	     */		ld	[%o0+%g1],%g1
+/* 0x0010	     */		cmp	%g1,0
+/* 0x0014	     */		bleu,pn	%icc,.L77000175
+/* 0x0018	     */		or	%g0,%o1,%o3
+/* 0x001c	     */		ba	.L900000511
+/* 0x0020	     */		cmp	%g4,0
+                       .L77000175:
+
+!  191		      ! else
+!  192		      !   {
+!  193		      !     for(i=len-1; i>=0; i--)
+
+/* 0x0024	 193 */		sub	%o2,1,%g4
+/* 0x0028	     */		sll	%g4,2,%g1
+/* 0x002c	     */		cmp	%g4,0
+/* 0x0030	     */		bl,pt	%icc,.L900000511
+/* 0x0034	     */		cmp	%g4,0
+/* 0x0038	     */		add	%o1,%g1,%g2
+
+!  194		      !       {
+!  195		      !	 if(i32[i]!=nint[i]) break;
+
+/* 0x003c	 195 */		ld	[%g2],%o5
+/* 0x0040	 193 */		add	%o0,%g1,%g3
+                       .L900000510:
+/* 0x0044	 195 */		ld	[%g3],%o2
+/* 0x0048	     */		sub	%g4,1,%g1
+/* 0x004c	     */		sub	%g2,4,%g2
+/* 0x0050	     */		sub	%g3,4,%g3
+/* 0x0054	     */		cmp	%o2,%o5
+/* 0x0058	     */		bne,pn	%icc,.L77000182
+/* 0x005c	     */		nop
+/* 0x0060	   0 */		or	%g0,%g1,%g4
+/* 0x0064	 195 */		cmp	%g1,0
+/* 0x0068	     */		bge,a,pt	%icc,.L900000510
+/* 0x006c	     */		ld	[%g2],%o5
+                       .L77000182:
+
+!  196		      !       }
+!  197		      !   }
+!  198		      ! if((i<0)||(i32[i]>nint[i]))
+
+/* 0x0070	 198 */		cmp	%g4,0
+                       .L900000511:
+/* 0x0074	 198 */		bl,pn	%icc,.L77000198
+/* 0x0078	     */		sll	%g4,2,%g2
+/* 0x007c	     */		ld	[%o1+%g2],%g1
+/* 0x0080	     */		ld	[%o0+%g2],%g2
+/* 0x0084	     */		cmp	%g2,%g1
+/* 0x0088	     */		bleu,pt	%icc,.L77000191
+/* 0x008c	     */		nop
+                       .L77000198:
+
+!  199		      !   {
+!  200		      !     acc=0;
+!  201		      !     for(i=0;i<len;i++)
+
+/* 0x0090	 201 */		cmp	%g5,0
+/* 0x0094	     */		ble,pt	%icc,.L77000191
+/* 0x0098	     */		nop
+/* 0x009c	     */		or	%g0,%g5,%g1
+/* 0x00a0	 198 */		or	%g0,-1,%g2
+/* 0x00a4	     */		srl	%g2,0,%g3
+/* 0x00a8	     */		sub	%g5,1,%g4
+/* 0x00ac	 200 */		or	%g0,0,%g5
+/* 0x00b0	 201 */		or	%g0,0,%o5
+/* 0x00b4	 198 */		or	%g0,%o0,%o4
+/* 0x00b8	     */		cmp	%g1,3
+/* 0x00bc	 201 */		bl,pn	%icc,.L77000199
+/* 0x00c0	     */		add	%o0,8,%g1
+/* 0x00c4	     */		add	%o1,4,%g2
+
+!  202		      !       {
+!  203		      !	 acc=acc+(unsigned long long)(i32[i])-(unsigned long long)(nint[i]);
+
+/* 0x00c8	 203 */		ld	[%o0],%o2
+/* 0x00cc	     */		ld	[%o1],%o1
+/* 0x00d0	   0 */		or	%g0,%g1,%o4
+/* 0x00d4	     */		or	%g0,%g2,%o3
+/* 0x00d8	 203 */		ld	[%o0+4],%g1
+
+!  204		      !	 i32[i]=acc&0xffffffff;
+!  205		      !	 acc=acc>>32;
+
+/* 0x00dc	 205 */		or	%g0,2,%o5
+/* 0x00e0	 201 */		sub	%o2,%o1,%o2
+/* 0x00e4	     */		or	%g0,%o2,%g5
+/* 0x00e8	 204 */		and	%o2,%g3,%o2
+/* 0x00ec	     */		st	%o2,[%o0]
+/* 0x00f0	 205 */		srax	%g5,32,%g5
+                       .L900000505:
+/* 0x00f4	 203 */		ld	[%o3],%o2
+/* 0x00f8	 205 */		add	%o5,1,%o5
+/* 0x00fc	     */		add	%o3,4,%o3
+/* 0x0100	     */		cmp	%o5,%g4
+/* 0x0104	     */		add	%o4,4,%o4
+/* 0x0108	 201 */		sub	%g1,%o2,%g1
+/* 0x010c	     */		add	%g1,%g5,%g5
+/* 0x0110	 204 */		and	%g5,%g3,%o2
+/* 0x0114	 203 */		ld	[%o4-4],%g1
+/* 0x0118	 204 */		st	%o2,[%o4-8]
+/* 0x011c	 205 */		ble,pt	%icc,.L900000505
+/* 0x0120	     */		srax	%g5,32,%g5
+                       .L900000508:
+/* 0x0124	 203 */		ld	[%o3],%g2
+/* 0x0128	 201 */		sub	%g1,%g2,%g1
+/* 0x012c	     */		add	%g1,%g5,%g1
+/* 0x0130	 204 */		and	%g1,%g3,%g2
+/* 0x0134	     */		retl	! Result = 
+/* 0x0138	     */		st	%g2,[%o4-4]
+                       .L77000199:
+/* 0x013c	 203 */		ld	[%o4],%g1
+                       .L900000509:
+/* 0x0140	 203 */		ld	[%o3],%g2
+/* 0x0144	     */		add	%g5,%g1,%g1
+/* 0x0148	 205 */		add	%o5,1,%o5
+/* 0x014c	     */		add	%o3,4,%o3
+/* 0x0150	     */		cmp	%o5,%g4
+/* 0x0154	 203 */		sub	%g1,%g2,%g1
+/* 0x0158	 204 */		and	%g1,%g3,%g2
+/* 0x015c	     */		st	%g2,[%o4]
+/* 0x0160	 205 */		add	%o4,4,%o4
+/* 0x0164	     */		srax	%g1,32,%g5
+/* 0x0168	     */		ble,a,pt	%icc,.L900000509
+/* 0x016c	     */		ld	[%o4],%g1
+                       .L77000191:
+/* 0x0170	     */		retl	! Result = 
+/* 0x0174	     */		nop
+/* 0x0178	   0 */		.type	adjust_montf_result,2
+/* 0x0178	     */		.size	adjust_montf_result,(.-adjust_montf_result)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.align	4
+/* 000000	     */		.skip	16
+!
+! SUBROUTINE mont_mulf_noconv
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global mont_mulf_noconv
+                       mont_mulf_noconv:
+/* 000000	     */		save	%sp,-144,%sp
+                       .L900000646:
+/* 0x0004	     */		call	.+8
+/* 0x0008	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000646-.)),%g5
+
+!  206		      !       }
+!  207		      !   }
+!  208		      !}
+!  213		      !/*
+!  214		      !** the lengths of the input arrays should be at least the following:
+!  215		      !** result[nlen+1], dm1[nlen], dm2[2*nlen+1], dt[4*nlen+2], dn[nlen], nint[nlen]
+!  216		      !** all of them should be different from one another
+!  217		      !**
+!  218		      !*/
+!  219		      !void mont_mulf_noconv(unsigned int *result,
+!  220		      !		     double *dm1, double *dm2, double *dt,
+!  221		      !		     double *dn, unsigned int *nint,
+!  222		      !		     int nlen, double dn0)
+!  223		      !{
+!  224		      ! int i, j, jj;
+!  225		      ! int tmp;
+!  226		      ! double digit, m2j, nextm2j, a, b;
+!  227		      ! double *dptmp, *pdm1, *pdm2, *pdn, *pdtj, pdn_0, pdm1_0;
+!  229		      ! pdm1=&(dm1[0]);
+!  230		      ! pdm2=&(dm2[0]);
+!  231		      ! pdn=&(dn[0]);
+!  232		      ! pdm2[2*nlen]=Zero;
+
+/* 0x000c	 232 */		ld	[%fp+92],%o1
+/* 0x0010	     */		sethi	%hi(Zero),%g2
+/* 0x0014	 223 */		ldd	[%fp+96],%f2
+/* 0x0018	     */		add	%g5,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000646-.)),%g5
+/* 0x001c	 232 */		add	%g2,%lo(Zero),%g2
+/* 0x0020	 223 */		st	%i0,[%fp+68]
+/* 0x0024	     */		add	%g5,%o7,%o3
+
+!  234		      ! if (nlen!=16)
+!  235		      !   {
+!  236		      !     for(i=0;i<4*nlen+2;i++) dt[i]=Zero;
+!  238		      !     a=dt[0]=pdm1[0]*pdm2[0];
+!  239		      !     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
+
+/* 0x0028	 239 */		sethi	%hi(TwoToMinus16),%g3
+/* 0x002c	 232 */		ld	[%o3+%g2],%l0
+/* 0x0030	 239 */		sethi	%hi(TwoTo16),%g4
+/* 0x0034	 223 */		or	%g0,%i2,%o2
+/* 0x0038	     */		fmovd	%f2,%f16
+/* 0x003c	     */		st	%i5,[%fp+88]
+/* 0x0040	 239 */		add	%g3,%lo(TwoToMinus16),%g2
+/* 0x0044	 223 */		or	%g0,%i1,%i2
+/* 0x0048	 232 */		ldd	[%l0],%f0
+/* 0x004c	 239 */		add	%g4,%lo(TwoTo16),%g3
+/* 0x0050	 223 */		or	%g0,%i3,%o0
+/* 0x0054	 232 */		sll	%o1,4,%g4
+/* 0x0058	 239 */		ld	[%o3+%g2],%g5
+/* 0x005c	 223 */		or	%g0,%i3,%i1
+/* 0x0060	 239 */		ld	[%o3+%g3],%g1
+/* 0x0064	 232 */		or	%g0,%o1,%i0
+/* 0x0068	     */		or	%g0,%o2,%i3
+/* 0x006c	 234 */		cmp	%o1,16
+/* 0x0070	     */		be,pn	%icc,.L77000279
+/* 0x0074	     */		std	%f0,[%o2+%g4]
+/* 0x0078	 236 */		sll	%o1,2,%g2
+/* 0x007c	     */		or	%g0,%o0,%o3
+/* 0x0080	 232 */		sll	%o1,1,%o1
+/* 0x0084	 236 */		add	%g2,2,%o2
+/* 0x0088	     */		cmp	%o2,0
+/* 0x008c	     */		ble,a,pt	%icc,.L900000660
+/* 0x0090	     */		ldd	[%i2],%f0
+
+!  241		      !     pdtj=&(dt[0]);
+!  242		      !     for(j=jj=0;j<2*nlen;j++,jj++,pdtj++)
+!  243		      !       {
+!  244		      !	 m2j=pdm2[j];
+!  245		      !	 a=pdtj[0]+pdn[0]*digit;
+!  246		      !	 b=pdtj[1]+pdm1[0]*pdm2[j+1]+a*TwoToMinus16;
+!  247		      !	 pdtj[1]=b;
+!  249		      !#pragma pipeloop(0)
+!  250		      !	 for(i=1;i<nlen;i++)
+!  251		      !	   {
+!  252		      !	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
+!  253		      !	   }
+!  254		      ! 	 if((jj==30)) {cleanup(dt,j/2+1,2*nlen+1); jj=0;}
+!  255		      !	 
+!  256		      !	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
+!  257		      !       }
+!  258		      !   }
+!  259		      ! else
+!  260		      !   {
+!  261		      !     a=dt[0]=pdm1[0]*pdm2[0];
+!  263		      !     dt[65]=     dt[64]=     dt[63]=     dt[62]=     dt[61]=     dt[60]=
+!  264		      !     dt[59]=     dt[58]=     dt[57]=     dt[56]=     dt[55]=     dt[54]=
+!  265		      !     dt[53]=     dt[52]=     dt[51]=     dt[50]=     dt[49]=     dt[48]=
+!  266		      !     dt[47]=     dt[46]=     dt[45]=     dt[44]=     dt[43]=     dt[42]=
+!  267		      !     dt[41]=     dt[40]=     dt[39]=     dt[38]=     dt[37]=     dt[36]=
+!  268		      !     dt[35]=     dt[34]=     dt[33]=     dt[32]=     dt[31]=     dt[30]=
+!  269		      !     dt[29]=     dt[28]=     dt[27]=     dt[26]=     dt[25]=     dt[24]=
+!  270		      !     dt[23]=     dt[22]=     dt[21]=     dt[20]=     dt[19]=     dt[18]=
+!  271		      !     dt[17]=     dt[16]=     dt[15]=     dt[14]=     dt[13]=     dt[12]=
+!  272		      !     dt[11]=     dt[10]=     dt[ 9]=     dt[ 8]=     dt[ 7]=     dt[ 6]=
+!  273		      !     dt[ 5]=     dt[ 4]=     dt[ 3]=     dt[ 2]=     dt[ 1]=Zero;
+!  275		      !     pdn_0=pdn[0];
+!  276		      !     pdm1_0=pdm1[0];
+!  278		      !     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
+!  279		      !     pdtj=&(dt[0]);
+!  281		      !     for(j=0;j<32;j++,pdtj++)
+
+/* 0x0094	 281 */		add	%g2,2,%o0
+/* 0x0098	 236 */		add	%g2,1,%o2
+/* 0x009c	 281 */		cmp	%o0,3
+/* 0x00a0	     */		bl,pn	%icc,.L77000280
+/* 0x00a4	     */		or	%g0,1,%o0
+/* 0x00a8	     */		add	%o3,8,%o3
+/* 0x00ac	     */		or	%g0,1,%o4
+/* 0x00b0	     */		std	%f0,[%o3-8]
+                       .L900000630:
+/* 0x00b4	     */		std	%f0,[%o3]
+/* 0x00b8	     */		add	%o4,2,%o4
+/* 0x00bc	     */		add	%o3,16,%o3
+/* 0x00c0	     */		cmp	%o4,%g2
+/* 0x00c4	     */		ble,pt	%icc,.L900000630
+/* 0x00c8	     */		std	%f0,[%o3-8]
+                       .L900000633:
+/* 0x00cc	     */		cmp	%o4,%o2
+/* 0x00d0	     */		bg,pn	%icc,.L77000285
+/* 0x00d4	     */		add	%o4,1,%o0
+                       .L77000280:
+/* 0x00d8	     */		std	%f0,[%o3]
+                       .L900000659:
+/* 0x00dc	     */		ldd	[%l0],%f0
+/* 0x00e0	     */		cmp	%o0,%o2
+/* 0x00e4	     */		add	%o3,8,%o3
+/* 0x00e8	     */		add	%o0,1,%o0
+/* 0x00ec	     */		ble,a,pt	%icc,.L900000659
+/* 0x00f0	     */		std	%f0,[%o3]
+                       .L77000285:
+/* 0x00f4	 238 */		ldd	[%i2],%f0
+                       .L900000660:
+/* 0x00f8	 238 */		ldd	[%i3],%f2
+/* 0x00fc	     */		add	%o1,1,%o2
+/* 0x0100	 242 */		cmp	%o1,0
+/* 0x0104	     */		sll	%o2,1,%o0
+/* 0x0108	     */		sub	%o1,1,%o1
+/* 0x010c	 238 */		fmuld	%f0,%f2,%f0
+/* 0x0110	     */		std	%f0,[%i1]
+/* 0x0114	   0 */		or	%g0,0,%l1
+/* 0x0118	     */		ldd	[%l0],%f6
+/* 0x011c	     */		or	%g0,0,%g4
+/* 0x0120	     */		or	%g0,%o2,%i5
+/* 0x0124	     */		ldd	[%g5],%f2
+/* 0x0128	     */		or	%g0,%o1,%g3
+/* 0x012c	     */		or	%g0,%o0,%o3
+/* 0x0130	     */		fdtox	%f0,%f0
+/* 0x0134	     */		ldd	[%g1],%f4
+/* 0x0138	 246 */		add	%i3,8,%o4
+/* 0x013c	     */		or	%g0,0,%l2
+/* 0x0140	     */		or	%g0,%i1,%o5
+/* 0x0144	     */		sub	%i0,1,%o7
+/* 0x0148	     */		fmovs	%f6,%f0
+/* 0x014c	     */		fxtod	%f0,%f0
+/* 0x0150	 239 */		fmuld	%f0,%f16,%f0
+/* 0x0154	     */		fmuld	%f0,%f2,%f2
+/* 0x0158	     */		fdtox	%f2,%f2
+/* 0x015c	     */		fxtod	%f2,%f2
+/* 0x0160	     */		fmuld	%f2,%f4,%f2
+/* 0x0164	     */		fsubd	%f0,%f2,%f22
+/* 0x0168	 242 */		ble,pt	%icc,.L900000653
+/* 0x016c	     */		sll	%i0,4,%g2
+/* 0x0170	 246 */		ldd	[%i4],%f0
+                       .L900000654:
+/* 0x0174	 246 */		fmuld	%f0,%f22,%f8
+/* 0x0178	     */		ldd	[%i2],%f0
+/* 0x017c	 250 */		cmp	%i0,1
+/* 0x0180	 246 */		ldd	[%o4+%l2],%f6
+/* 0x0184	     */		add	%i2,8,%o0
+/* 0x0188	 250 */		or	%g0,1,%o1
+/* 0x018c	 246 */		ldd	[%o5],%f2
+/* 0x0190	     */		add	%o5,16,%l3
+/* 0x0194	     */		fmuld	%f0,%f6,%f6
+/* 0x0198	     */		ldd	[%g5],%f4
+/* 0x019c	     */		faddd	%f2,%f8,%f2
+/* 0x01a0	     */		ldd	[%o5+8],%f0
+/* 0x01a4	 244 */		ldd	[%i3+%l2],%f20
+/* 0x01a8	 246 */		faddd	%f0,%f6,%f0
+/* 0x01ac	     */		fmuld	%f2,%f4,%f2
+/* 0x01b0	     */		faddd	%f0,%f2,%f18
+/* 0x01b4	 247 */		std	%f18,[%o5+8]
+/* 0x01b8	 250 */		ble,pt	%icc,.L900000658
+/* 0x01bc	     */		srl	%g4,31,%g2
+/* 0x01c0	     */		cmp	%o7,7
+/* 0x01c4	 246 */		add	%i4,8,%g2
+/* 0x01c8	 250 */		bl,pn	%icc,.L77000284
+/* 0x01cc	     */		add	%g2,24,%o2
+/* 0x01d0	 252 */		ldd	[%o0+24],%f12
+/* 0x01d4	     */		add	%o5,48,%l3
+/* 0x01d8	     */		ldd	[%o0],%f2
+/* 0x01dc	   0 */		or	%g0,%o2,%g2
+/* 0x01e0	 250 */		sub	%o7,2,%o2
+/* 0x01e4	 252 */		ldd	[%g2-24],%f0
+/* 0x01e8	     */		or	%g0,5,%o1
+/* 0x01ec	     */		ldd	[%o0+8],%f6
+/* 0x01f0	     */		fmuld	%f2,%f20,%f2
+/* 0x01f4	     */		ldd	[%o0+16],%f14
+/* 0x01f8	     */		fmuld	%f0,%f22,%f4
+/* 0x01fc	     */		add	%o0,32,%o0
+/* 0x0200	     */		ldd	[%g2-16],%f8
+/* 0x0204	     */		fmuld	%f6,%f20,%f10
+/* 0x0208	     */		ldd	[%o5+16],%f0
+/* 0x020c	     */		ldd	[%g2-8],%f6
+/* 0x0210	     */		faddd	%f2,%f4,%f4
+/* 0x0214	     */		ldd	[%o5+32],%f2
+                       .L900000642:
+/* 0x0218	 252 */		ldd	[%g2],%f24
+/* 0x021c	     */		add	%o1,3,%o1
+/* 0x0220	     */		add	%g2,24,%g2
+/* 0x0224	     */		fmuld	%f8,%f22,%f8
+/* 0x0228	     */		ldd	[%l3],%f28
+/* 0x022c	     */		cmp	%o1,%o2
+/* 0x0230	     */		add	%o0,24,%o0
+/* 0x0234	     */		ldd	[%o0-24],%f26
+/* 0x0238	     */		faddd	%f0,%f4,%f0
+/* 0x023c	     */		add	%l3,48,%l3
+/* 0x0240	     */		faddd	%f10,%f8,%f10
+/* 0x0244	     */		fmuld	%f14,%f20,%f4
+/* 0x0248	     */		std	%f0,[%l3-80]
+/* 0x024c	     */		ldd	[%g2-16],%f8
+/* 0x0250	     */		fmuld	%f6,%f22,%f6
+/* 0x0254	     */		ldd	[%l3-32],%f0
+/* 0x0258	     */		ldd	[%o0-16],%f14
+/* 0x025c	     */		faddd	%f2,%f10,%f2
+/* 0x0260	     */		faddd	%f4,%f6,%f10
+/* 0x0264	     */		fmuld	%f12,%f20,%f4
+/* 0x0268	     */		std	%f2,[%l3-64]
+/* 0x026c	     */		ldd	[%g2-8],%f6
+/* 0x0270	     */		fmuld	%f24,%f22,%f24
+/* 0x0274	     */		ldd	[%l3-16],%f2
+/* 0x0278	     */		ldd	[%o0-8],%f12
+/* 0x027c	     */		faddd	%f28,%f10,%f10
+/* 0x0280	     */		std	%f10,[%l3-48]
+/* 0x0284	     */		fmuld	%f26,%f20,%f10
+/* 0x0288	     */		ble,pt	%icc,.L900000642
+/* 0x028c	     */		faddd	%f4,%f24,%f4
+                       .L900000645:
+/* 0x0290	 252 */		fmuld	%f8,%f22,%f28
+/* 0x0294	     */		ldd	[%g2],%f24
+/* 0x0298	     */		faddd	%f0,%f4,%f26
+/* 0x029c	     */		fmuld	%f12,%f20,%f8
+/* 0x02a0	     */		add	%l3,32,%l3
+/* 0x02a4	     */		cmp	%o1,%o7
+/* 0x02a8	     */		fmuld	%f14,%f20,%f14
+/* 0x02ac	     */		ldd	[%l3-32],%f4
+/* 0x02b0	     */		add	%g2,8,%g2
+/* 0x02b4	     */		faddd	%f10,%f28,%f12
+/* 0x02b8	     */		fmuld	%f6,%f22,%f6
+/* 0x02bc	     */		ldd	[%l3-16],%f0
+/* 0x02c0	     */		fmuld	%f24,%f22,%f10
+/* 0x02c4	     */		std	%f26,[%l3-64]
+/* 0x02c8	     */		faddd	%f2,%f12,%f2
+/* 0x02cc	     */		std	%f2,[%l3-48]
+/* 0x02d0	     */		faddd	%f14,%f6,%f6
+/* 0x02d4	     */		faddd	%f8,%f10,%f2
+/* 0x02d8	     */		faddd	%f4,%f6,%f4
+/* 0x02dc	     */		std	%f4,[%l3-32]
+/* 0x02e0	     */		faddd	%f0,%f2,%f0
+/* 0x02e4	     */		bg,pn	%icc,.L77000213
+/* 0x02e8	     */		std	%f0,[%l3-16]
+                       .L77000284:
+/* 0x02ec	 252 */		ldd	[%o0],%f0
+                       .L900000657:
+/* 0x02f0	 252 */		ldd	[%g2],%f4
+/* 0x02f4	     */		fmuld	%f0,%f20,%f2
+/* 0x02f8	     */		add	%o1,1,%o1
+/* 0x02fc	     */		ldd	[%l3],%f0
+/* 0x0300	     */		add	%o0,8,%o0
+/* 0x0304	     */		add	%g2,8,%g2
+/* 0x0308	     */		fmuld	%f4,%f22,%f4
+/* 0x030c	     */		cmp	%o1,%o7
+/* 0x0310	     */		faddd	%f2,%f4,%f2
+/* 0x0314	     */		faddd	%f0,%f2,%f0
+/* 0x0318	     */		std	%f0,[%l3]
+/* 0x031c	     */		add	%l3,16,%l3
+/* 0x0320	     */		ble,a,pt	%icc,.L900000657
+/* 0x0324	     */		ldd	[%o0],%f0
+                       .L77000213:
+/* 0x0328	     */		srl	%g4,31,%g2
+                       .L900000658:
+/* 0x032c	 254 */		cmp	%l1,30
+/* 0x0330	     */		bne,a,pt	%icc,.L900000656
+/* 0x0334	     */		fdtox	%f18,%f0
+/* 0x0338	     */		add	%g4,%g2,%g2
+/* 0x033c	     */		sra	%g2,1,%o0
+/* 0x0340	 281 */		ldd	[%l0],%f0
+/* 0x0344	     */		sll	%i5,1,%o2
+/* 0x0348	     */		add	%o0,1,%g2
+/* 0x034c	     */		sll	%g2,1,%o0
+/* 0x0350	 254 */		sub	%o2,1,%o2
+/* 0x0354	 281 */		fmovd	%f0,%f2
+/* 0x0358	     */		sll	%g2,4,%o1
+/* 0x035c	     */		cmp	%o0,%o3
+/* 0x0360	     */		bge,pt	%icc,.L77000215
+/* 0x0364	     */		or	%g0,0,%l1
+/* 0x0368	 254 */		add	%i1,%o1,%o1
+/* 0x036c	 281 */		ldd	[%o1],%f6
+                       .L900000655:
+/* 0x0370	     */		fdtox	%f6,%f10
+/* 0x0374	     */		ldd	[%o1+8],%f4
+/* 0x0378	     */		add	%o0,2,%o0
+/* 0x037c	     */		ldd	[%l0],%f12
+/* 0x0380	     */		fdtox	%f6,%f6
+/* 0x0384	     */		cmp	%o0,%o2
+/* 0x0388	     */		fdtox	%f4,%f8
+/* 0x038c	     */		fdtox	%f4,%f4
+/* 0x0390	     */		fmovs	%f12,%f10
+/* 0x0394	     */		fmovs	%f12,%f8
+/* 0x0398	     */		fxtod	%f10,%f10
+/* 0x039c	     */		fxtod	%f8,%f8
+/* 0x03a0	     */		faddd	%f10,%f2,%f2
+/* 0x03a4	     */		std	%f2,[%o1]
+/* 0x03a8	     */		faddd	%f8,%f0,%f0
+/* 0x03ac	     */		std	%f0,[%o1+8]
+/* 0x03b0	     */		add	%o1,16,%o1
+/* 0x03b4	     */		fitod	%f6,%f2
+/* 0x03b8	     */		fitod	%f4,%f0
+/* 0x03bc	     */		ble,a,pt	%icc,.L900000655
+/* 0x03c0	     */		ldd	[%o1],%f6
+                       .L77000233:
+/* 0x03c4	     */		or	%g0,0,%l1
+                       .L77000215:
+/* 0x03c8	     */		fdtox	%f18,%f0
+                       .L900000656:
+/* 0x03cc	     */		ldd	[%l0],%f6
+/* 0x03d0	 256 */		add	%g4,1,%g4
+/* 0x03d4	     */		add	%l2,8,%l2
+/* 0x03d8	     */		ldd	[%g5],%f2
+/* 0x03dc	     */		add	%l1,1,%l1
+/* 0x03e0	     */		add	%o5,8,%o5
+/* 0x03e4	     */		fmovs	%f6,%f0
+/* 0x03e8	     */		ldd	[%g1],%f4
+/* 0x03ec	     */		cmp	%g4,%g3
+/* 0x03f0	     */		fxtod	%f0,%f0
+/* 0x03f4	     */		fmuld	%f0,%f16,%f0
+/* 0x03f8	     */		fmuld	%f0,%f2,%f2
+/* 0x03fc	     */		fdtox	%f2,%f2
+/* 0x0400	     */		fxtod	%f2,%f2
+/* 0x0404	     */		fmuld	%f2,%f4,%f2
+/* 0x0408	     */		fsubd	%f0,%f2,%f22
+/* 0x040c	     */		ble,a,pt	%icc,.L900000654
+/* 0x0410	     */		ldd	[%i4],%f0
+                       .L900000629:
+/* 0x0414	 256 */		ba	.L900000653
+/* 0x0418	     */		sll	%i0,4,%g2
+                       .L77000279:
+/* 0x041c	 261 */		ldd	[%o2],%f6
+/* 0x0420	 279 */		or	%g0,%o0,%o4
+/* 0x0424	 281 */		or	%g0,0,%o3
+/* 0x0428	 261 */		ldd	[%i2],%f4
+/* 0x042c	 273 */		std	%f0,[%o0+8]
+/* 0x0430	     */		std	%f0,[%o0+16]
+/* 0x0434	 261 */		fmuld	%f4,%f6,%f4
+/* 0x0438	     */		std	%f4,[%o0]
+/* 0x043c	 273 */		std	%f0,[%o0+24]
+/* 0x0440	     */		std	%f0,[%o0+32]
+/* 0x0444	     */		fdtox	%f4,%f4
+/* 0x0448	     */		std	%f0,[%o0+40]
+/* 0x044c	     */		std	%f0,[%o0+48]
+/* 0x0450	     */		std	%f0,[%o0+56]
+/* 0x0454	     */		std	%f0,[%o0+64]
+/* 0x0458	     */		std	%f0,[%o0+72]
+/* 0x045c	     */		std	%f0,[%o0+80]
+/* 0x0460	     */		std	%f0,[%o0+88]
+/* 0x0464	     */		std	%f0,[%o0+96]
+/* 0x0468	     */		std	%f0,[%o0+104]
+/* 0x046c	     */		std	%f0,[%o0+112]
+/* 0x0470	     */		std	%f0,[%o0+120]
+/* 0x0474	     */		std	%f0,[%o0+128]
+/* 0x0478	     */		std	%f0,[%o0+136]
+/* 0x047c	     */		std	%f0,[%o0+144]
+/* 0x0480	     */		std	%f0,[%o0+152]
+/* 0x0484	     */		std	%f0,[%o0+160]
+/* 0x0488	     */		std	%f0,[%o0+168]
+/* 0x048c	     */		fmovs	%f0,%f4
+/* 0x0490	     */		std	%f0,[%o0+176]
+/* 0x0494	 281 */		or	%g0,0,%o1
+/* 0x0498	 273 */		std	%f0,[%o0+184]
+/* 0x049c	     */		fxtod	%f4,%f4
+/* 0x04a0	     */		std	%f0,[%o0+192]
+/* 0x04a4	     */		std	%f0,[%o0+200]
+/* 0x04a8	     */		std	%f0,[%o0+208]
+/* 0x04ac	 278 */		fmuld	%f4,%f2,%f2
+/* 0x04b0	 273 */		std	%f0,[%o0+216]
+/* 0x04b4	     */		std	%f0,[%o0+224]
+/* 0x04b8	     */		std	%f0,[%o0+232]
+/* 0x04bc	     */		std	%f0,[%o0+240]
+/* 0x04c0	     */		std	%f0,[%o0+248]
+/* 0x04c4	     */		std	%f0,[%o0+256]
+/* 0x04c8	     */		std	%f0,[%o0+264]
+/* 0x04cc	     */		std	%f0,[%o0+272]
+/* 0x04d0	     */		std	%f0,[%o0+280]
+/* 0x04d4	     */		std	%f0,[%o0+288]
+/* 0x04d8	     */		std	%f0,[%o0+296]
+/* 0x04dc	     */		std	%f0,[%o0+304]
+/* 0x04e0	     */		std	%f0,[%o0+312]
+/* 0x04e4	     */		std	%f0,[%o0+320]
+/* 0x04e8	     */		std	%f0,[%o0+328]
+/* 0x04ec	     */		std	%f0,[%o0+336]
+/* 0x04f0	     */		std	%f0,[%o0+344]
+/* 0x04f4	     */		std	%f0,[%o0+352]
+/* 0x04f8	     */		std	%f0,[%o0+360]
+/* 0x04fc	     */		std	%f0,[%o0+368]
+/* 0x0500	     */		std	%f0,[%o0+376]
+/* 0x0504	     */		std	%f0,[%o0+384]
+/* 0x0508	     */		std	%f0,[%o0+392]
+/* 0x050c	     */		std	%f0,[%o0+400]
+/* 0x0510	     */		std	%f0,[%o0+408]
+/* 0x0514	     */		std	%f0,[%o0+416]
+/* 0x0518	     */		std	%f0,[%o0+424]
+/* 0x051c	     */		std	%f0,[%o0+432]
+/* 0x0520	     */		std	%f0,[%o0+440]
+/* 0x0524	     */		std	%f0,[%o0+448]
+/* 0x0528	     */		std	%f0,[%o0+456]
+/* 0x052c	     */		std	%f0,[%o0+464]
+/* 0x0530	     */		std	%f0,[%o0+472]
+/* 0x0534	     */		std	%f0,[%o0+480]
+/* 0x0538	     */		std	%f0,[%o0+488]
+/* 0x053c	     */		std	%f0,[%o0+496]
+/* 0x0540	     */		std	%f0,[%o0+504]
+/* 0x0544	     */		std	%f0,[%o0+512]
+/* 0x0548	     */		std	%f0,[%o0+520]
+/* 0x054c	     */		ldd	[%g5],%f0
+/* 0x0550	     */		ldd	[%g1],%f8
+/* 0x0554	     */		fmuld	%f2,%f0,%f6
+/* 0x0558	 275 */		ldd	[%i4],%f4
+/* 0x055c	 276 */		ldd	[%i2],%f0
+/* 0x0560	     */		fdtox	%f6,%f6
+/* 0x0564	     */		fxtod	%f6,%f6
+/* 0x0568	     */		fmuld	%f6,%f8,%f6
+/* 0x056c	     */		fsubd	%f2,%f6,%f2
+/* 0x0570	 286 */		fmuld	%f4,%f2,%f12
+
+!  282		      !       {
+!  284		      !	 m2j=pdm2[j];
+!  285		      !	 a=pdtj[0]+pdn_0*digit;
+!  286		      !	 b=pdtj[1]+pdm1_0*pdm2[j+1]+a*TwoToMinus16;
+
+!  287		      !	 pdtj[1]=b;
+!  289		      !	 /**** this loop will be fully unrolled:
+!  290		      !	 for(i=1;i<16;i++)
+!  291		      !	   {
+!  292		      !	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
+!  293		      !	   }
+!  294		      !	 *************************************/
+!  295		      !	     pdtj[2]+=pdm1[1]*m2j+pdn[1]*digit;
+!  296		      !	     pdtj[4]+=pdm1[2]*m2j+pdn[2]*digit;
+!  297		      !	     pdtj[6]+=pdm1[3]*m2j+pdn[3]*digit;
+!  298		      !	     pdtj[8]+=pdm1[4]*m2j+pdn[4]*digit;
+!  299		      !	     pdtj[10]+=pdm1[5]*m2j+pdn[5]*digit;
+!  300		      !	     pdtj[12]+=pdm1[6]*m2j+pdn[6]*digit;
+!  301		      !	     pdtj[14]+=pdm1[7]*m2j+pdn[7]*digit;
+!  302		      !	     pdtj[16]+=pdm1[8]*m2j+pdn[8]*digit;
+!  303		      !	     pdtj[18]+=pdm1[9]*m2j+pdn[9]*digit;
+!  304		      !	     pdtj[20]+=pdm1[10]*m2j+pdn[10]*digit;
+!  305		      !	     pdtj[22]+=pdm1[11]*m2j+pdn[11]*digit;
+!  306		      !	     pdtj[24]+=pdm1[12]*m2j+pdn[12]*digit;
+!  307		      !	     pdtj[26]+=pdm1[13]*m2j+pdn[13]*digit;
+!  308		      !	     pdtj[28]+=pdm1[14]*m2j+pdn[14]*digit;
+!  309		      !	     pdtj[30]+=pdm1[15]*m2j+pdn[15]*digit;
+!  310		      !	 /* no need for cleenup, cannot overflow */
+!  311		      !	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
+
+	fmovd %f2,%f0		! hand modified
+	fmovd %f16,%f18			! hand modified
+	ldd [%i4],%f2
+	ldd [%o4],%f8
+	ldd [%i2],%f10
+	ldd [%g5],%f14		! hand modified
+	ldd [%g1],%f16		! hand modified
+	ldd [%i3],%f24
+
+	ldd [%i2+8],%f26
+	ldd [%i2+16],%f40
+	ldd [%i2+48],%f46
+	ldd [%i2+56],%f30
+	ldd [%i2+64],%f54
+	ldd [%i2+104],%f34
+	ldd [%i2+112],%f58
+
+	ldd [%i4+8],%f28	
+	ldd [%i4+104],%f38
+	ldd [%i4+112],%f60
+
+	.L99999999: 			!1
+	ldd	[%i2+24],%f32
+	fmuld	%f0,%f2,%f4 	!2
+	ldd	[%i4+24],%f36
+	fmuld	%f26,%f24,%f20 	!3
+	ldd	[%i2+40],%f42
+	fmuld	%f28,%f0,%f22 	!4
+	ldd	[%i4+40],%f44
+	fmuld	%f32,%f24,%f32 	!5
+	ldd	[%i3+8],%f6
+	faddd	%f4,%f8,%f4
+	fmuld	%f36,%f0,%f36 	!6
+	add	%i3,8,%i3
+	ldd	[%i4+56],%f50
+	fmuld	%f42,%f24,%f42 	!7
+	ldd	[%i2+72],%f52
+	faddd	%f20,%f22,%f20
+	fmuld	%f44,%f0,%f44 	!8
+	ldd	[%o4+16],%f22
+	fmuld	%f10,%f6,%f12 	!9
+	ldd	[%i4+72],%f56
+	faddd	%f32,%f36,%f32
+	fmuld	%f14,%f4,%f4 !10
+	ldd	[%o4+48],%f36
+	fmuld	%f30,%f24,%f48 	!11
+	ldd	[%o4+8],%f8
+	faddd	%f20,%f22,%f20
+	fmuld	%f50,%f0,%f50	!12
+	std	%f20,[%o4+16]
+	faddd	%f42,%f44,%f42
+	fmuld	%f52,%f24,%f52 	!13
+	ldd	[%o4+80],%f44
+	faddd	%f4,%f12,%f4
+	fmuld	%f56,%f0,%f56 	!14
+	ldd	[%i2+88],%f20
+	faddd	%f32,%f36,%f32 	!15
+	ldd	[%i4+88],%f22
+	faddd	%f48,%f50,%f48 	!16
+	ldd	[%o4+112],%f50
+	faddd	%f52,%f56,%f52 	!17
+	ldd	[%o4+144],%f56
+	faddd	%f4,%f8,%f8
+	fmuld	%f20,%f24,%f20 	!18
+	std	%f32,[%o4+48]
+	faddd	%f42,%f44,%f42
+	fmuld	%f22,%f0,%f22 	!19
+	std	%f42,[%o4+80]
+	faddd	%f48,%f50,%f48
+	fmuld	%f34,%f24,%f32 	!20
+	std	%f48,[%o4+112]
+	faddd	%f52,%f56,%f52
+	fmuld	%f38,%f0,%f36 	!21
+	ldd	[%i2+120],%f42
+	fdtox	%f8,%f4 		!22
+	std	%f52,[%o4+144]
+	faddd	%f20,%f22,%f20 	!23
+	ldd	[%i4+120],%f44 	!24
+	ldd	[%o4+176],%f22
+	faddd	%f32,%f36,%f32
+	fmuld	%f42,%f24,%f42 	!25
+	ldd	[%i4+16],%f50
+	fmovs	%f17,%f4 	!26
+	ldd	[%i2+32],%f52
+	fmuld	%f44,%f0,%f44 	!27
+	ldd	[%i4+32],%f56
+	fmuld	%f40,%f24,%f48 	!28
+	ldd	[%o4+208],%f36
+	faddd	%f20,%f22,%f20
+	fmuld	%f50,%f0,%f50 	!29
+	std	%f20,[%o4+176]
+	fxtod	%f4,%f4
+	fmuld	%f52,%f24,%f52 	!30
+	ldd	[%i4+48],%f22
+	faddd	%f42,%f44,%f42
+	fmuld	%f56,%f0,%f56 	!31
+	ldd	[%o4+240],%f44
+	faddd	%f32,%f36,%f32 	!32
+	std	%f32,[%o4+208]
+	faddd	%f48,%f50,%f48
+	fmuld	%f46,%f24,%f20 	!33
+	ldd	[%o4+32],%f50
+	fmuld	%f4,%f18,%f12 	!34
+	ldd	[%i4+64],%f36
+	faddd	%f52,%f56,%f52
+	fmuld	%f22,%f0,%f22 	!35
+	ldd	[%o4+64],%f56
+	faddd	%f42,%f44,%f42 	!36
+	std	%f42,[%o4+240]
+	faddd	%f48,%f50,%f48
+	fmuld	%f54,%f24,%f32 	!37
+	std	%f48,[%o4+32]
+	fmuld	%f12,%f14,%f4 !38
+	ldd	[%i2+80],%f42
+	faddd	%f52,%f56,%f56	! yes, tmp52!
+	fmuld	%f36,%f0,%f36 	!39
+	ldd	[%i4+80],%f44
+	faddd	%f20,%f22,%f20 	!40
+	ldd	[%i2+96],%f48
+	fmuld	%f58,%f24,%f52 	!41
+	ldd	[%i4+96],%f50
+	fdtox	%f4,%f4
+	fmuld	%f42,%f24,%f42 	!42
+	std	%f56,[%o4+64]	! yes, tmp52!
+	faddd	%f32,%f36,%f32
+	fmuld	%f44,%f0,%f44 	!43
+	ldd	[%o4+96],%f22
+	fmuld	%f48,%f24,%f48 	!44
+	ldd	[%o4+128],%f36
+	fmovd	%f6,%f24
+	fmuld	%f50,%f0,%f50 	!45
+	fxtod	%f4,%f4
+	fmuld	%f60,%f0,%f56 	!46
+	add	%o4,8,%o4
+	faddd	%f42,%f44,%f42 	!47
+	ldd	[%o4+160-8],%f44
+	faddd	%f20,%f22,%f20 	!48
+	std	%f20,[%o4+96-8]
+	faddd	%f48,%f50,%f48 	!49
+	ldd	[%o4+192-8],%f50
+	faddd	%f52,%f56,%f52
+	fmuld	%f4,%f16,%f4 	!50
+	ldd	[%o4+224-8],%f56
+	faddd	%f32,%f36,%f32 	!51
+	std	%f32,[%o4+128-8]
+	faddd	%f42,%f44,%f42 	!52
+	add	%o3,1,%o3
+	std	%f42,[%o4+160-8]
+	faddd	%f48,%f50,%f48 	!53
+	cmp	%o3,31
+	std	%f48,[%o4+192-8]
+	fsubd	%f12,%f4,%f0 	!54
+	faddd	%f52,%f56,%f52
+	ble,pt	%icc,.L99999999
+	std	%f52,[%o4+224-8] 	!55
+	std %f8,[%o4]
+
+!  312		      !       }
+!  313		      !   }
+!  315		      ! conv_d16_to_i32(result,dt+2*nlen,(long long *)dt,nlen+1);
+
+/* 0x07c8	 315 */		sll	%i0,4,%g2
+                       .L900000653:
+/* 0x07cc	 315 */		add	%i1,%g2,%i1
+/* 0x07d0	 242 */		ld	[%fp+68],%o0
+/* 0x07d4	 315 */		or	%g0,0,%o4
+/* 0x07d8	     */		ldd	[%i1],%f0
+/* 0x07dc	     */		or	%g0,0,%g5
+/* 0x07e0	     */		cmp	%i0,0
+/* 0x07e4	 242 */		or	%g0,%o0,%o3
+/* 0x07e8	 311 */		sub	%i0,1,%g1
+/* 0x07ec	 315 */		fdtox	%f0,%f0
+/* 0x07f0	     */		std	%f0,[%sp+120]
+/* 0x07f4	 311 */		sethi	%hi(0xfc00),%o1
+/* 0x07f8	     */		add	%g1,1,%g3
+/* 0x07fc	     */		or	%g0,%o0,%g4
+/* 0x0800	 315 */		ldd	[%i1+8],%f0
+/* 0x0804	     */		add	%o1,1023,%o1
+/* 0x0808	     */		fdtox	%f0,%f0
+/* 0x080c	     */		std	%f0,[%sp+112]
+/* 0x0810	     */		ldx	[%sp+112],%o5
+/* 0x0814	     */		ldx	[%sp+120],%o7
+/* 0x0818	     */		ble,pt	%icc,.L900000651
+/* 0x081c	     */		sethi	%hi(0xfc00),%g2
+/* 0x0820	 311 */		or	%g0,-1,%g2
+/* 0x0824	 315 */		cmp	%g3,3
+/* 0x0828	 311 */		srl	%g2,0,%o2
+/* 0x082c	 315 */		bl,pn	%icc,.L77000287
+/* 0x0830	     */		or	%g0,%i1,%g2
+/* 0x0834	     */		ldd	[%i1+16],%f0
+/* 0x0838	     */		and	%o5,%o1,%o0
+/* 0x083c	     */		add	%i1,16,%g2
+/* 0x0840	     */		sllx	%o0,16,%g3
+/* 0x0844	     */		and	%o7,%o2,%o0
+/* 0x0848	     */		fdtox	%f0,%f0
+/* 0x084c	     */		std	%f0,[%sp+104]
+/* 0x0850	     */		add	%o0,%g3,%o4
+/* 0x0854	     */		ldd	[%i1+24],%f2
+/* 0x0858	     */		srax	%o5,16,%o0
+/* 0x085c	     */		add	%o3,4,%g4
+/* 0x0860	     */		stx	%o0,[%sp+128]
+/* 0x0864	     */		and	%o4,%o2,%o0
+/* 0x0868	     */		stx	%o0,[%sp+112]
+/* 0x086c	     */		srax	%o4,32,%o0
+/* 0x0870	     */		fdtox	%f2,%f0
+/* 0x0874	     */		stx	%o0,[%sp+136]
+/* 0x0878	     */		srax	%o7,32,%o4
+/* 0x087c	     */		std	%f0,[%sp+96]
+/* 0x0880	     */		ldx	[%sp+128],%g5
+/* 0x0884	     */		ldx	[%sp+136],%o7
+/* 0x0888	     */		ldx	[%sp+104],%g3
+/* 0x088c	     */		add	%g5,%o7,%o0
+/* 0x0890	     */		or	%g0,1,%g5
+/* 0x0894	     */		ldx	[%sp+112],%o7
+/* 0x0898	     */		add	%o4,%o0,%o4
+/* 0x089c	     */		ldx	[%sp+96],%o5
+/* 0x08a0	     */		st	%o7,[%o3]
+/* 0x08a4	     */		or	%g0,%g3,%o7
+                       .L900000634:
+/* 0x08a8	     */		ldd	[%g2+16],%f0
+/* 0x08ac	     */		add	%g5,1,%g5
+/* 0x08b0	     */		add	%g4,4,%g4
+/* 0x08b4	     */		cmp	%g5,%g1
+/* 0x08b8	     */		add	%g2,16,%g2
+/* 0x08bc	     */		fdtox	%f0,%f0
+/* 0x08c0	     */		std	%f0,[%sp+104]
+/* 0x08c4	     */		ldd	[%g2+8],%f0
+/* 0x08c8	     */		fdtox	%f0,%f0
+/* 0x08cc	     */		std	%f0,[%sp+96]
+/* 0x08d0	     */		and	%o5,%o1,%g3
+/* 0x08d4	     */		sllx	%g3,16,%g3
+/* 0x08d8	     */		stx	%g3,[%sp+120]
+/* 0x08dc	     */		and	%o7,%o2,%g3
+/* 0x08e0	     */		stx	%o7,[%sp+128]
+/* 0x08e4	     */		ldx	[%sp+120],%o7
+/* 0x08e8	     */		add	%g3,%o7,%g3
+/* 0x08ec	     */		ldx	[%sp+128],%o7
+/* 0x08f0	     */		srax	%o5,16,%o5
+/* 0x08f4	     */		add	%g3,%o4,%g3
+/* 0x08f8	     */		srax	%g3,32,%o4
+/* 0x08fc	     */		stx	%o4,[%sp+112]
+/* 0x0900	     */		srax	%o7,32,%o4
+/* 0x0904	     */		ldx	[%sp+112],%o7
+/* 0x0908	     */		add	%o5,%o7,%o7
+/* 0x090c	     */		ldx	[%sp+96],%o5
+/* 0x0910	     */		add	%o4,%o7,%o4
+/* 0x0914	     */		and	%g3,%o2,%g3
+/* 0x0918	     */		ldx	[%sp+104],%o7
+/* 0x091c	     */		ble,pt	%icc,.L900000634
+/* 0x0920	     */		st	%g3,[%g4-4]
+                       .L900000637:
+/* 0x0924	     */		ba	.L900000651
+/* 0x0928	     */		sethi	%hi(0xfc00),%g2
+                       .L77000287:
+/* 0x092c	     */		ldd	[%g2+16],%f0
+                       .L900000650:
+/* 0x0930	     */		and	%o7,%o2,%o0
+/* 0x0934	     */		and	%o5,%o1,%g3
+/* 0x0938	     */		fdtox	%f0,%f0
+/* 0x093c	     */		add	%o4,%o0,%o0
+/* 0x0940	     */		std	%f0,[%sp+104]
+/* 0x0944	     */		add	%g5,1,%g5
+/* 0x0948	     */		sllx	%g3,16,%o4
+/* 0x094c	     */		ldd	[%g2+24],%f2
+/* 0x0950	     */		add	%g2,16,%g2
+/* 0x0954	     */		add	%o0,%o4,%o4
+/* 0x0958	     */		cmp	%g5,%g1
+/* 0x095c	     */		srax	%o5,16,%o0
+/* 0x0960	     */		stx	%o0,[%sp+112]
+/* 0x0964	     */		and	%o4,%o2,%g3
+/* 0x0968	     */		srax	%o4,32,%o5
+/* 0x096c	     */		fdtox	%f2,%f0
+/* 0x0970	     */		std	%f0,[%sp+96]
+/* 0x0974	     */		srax	%o7,32,%o4
+/* 0x0978	     */		ldx	[%sp+112],%o7
+/* 0x097c	     */		add	%o7,%o5,%o7
+/* 0x0980	     */		ldx	[%sp+104],%o5
+/* 0x0984	     */		add	%o4,%o7,%o4
+/* 0x0988	     */		ldx	[%sp+96],%o0
+/* 0x098c	     */		st	%g3,[%g4]
+/* 0x0990	     */		or	%g0,%o5,%o7
+/* 0x0994	     */		add	%g4,4,%g4
+/* 0x0998	     */		or	%g0,%o0,%o5
+/* 0x099c	     */		ble,a,pt	%icc,.L900000650
+/* 0x09a0	     */		ldd	[%g2+16],%f0
+                       .L77000236:
+/* 0x09a4	     */		sethi	%hi(0xfc00),%g2
+                       .L900000651:
+/* 0x09a8	     */		or	%g0,-1,%o0
+/* 0x09ac	     */		add	%g2,1023,%g2
+/* 0x09b0	     */		ld	[%fp+88],%o1
+/* 0x09b4	     */		srl	%o0,0,%g3
+/* 0x09b8	     */		and	%o5,%g2,%g2
+/* 0x09bc	     */		and	%o7,%g3,%g4
+
+!  317		      ! adjust_montf_result(result,nint,nlen); 
+
+/* 0x09c0	 317 */		or	%g0,-1,%o5
+/* 0x09c4	 311 */		sllx	%g2,16,%g2
+/* 0x09c8	     */		add	%o4,%g4,%g4
+/* 0x09cc	     */		add	%g4,%g2,%g2
+/* 0x09d0	     */		sll	%g5,2,%g4
+/* 0x09d4	     */		and	%g2,%g3,%g2
+/* 0x09d8	     */		st	%g2,[%o3+%g4]
+/* 0x09dc	 317 */		sll	%i0,2,%g2
+/* 0x09e0	     */		ld	[%o3+%g2],%g2
+/* 0x09e4	     */		cmp	%g2,0
+/* 0x09e8	     */		bleu,pn	%icc,.L77000241
+/* 0x09ec	     */		or	%g0,%o1,%o2
+/* 0x09f0	     */		ba	.L900000649
+/* 0x09f4	     */		cmp	%o5,0
+                       .L77000241:
+/* 0x09f8	     */		sub	%i0,1,%o5
+/* 0x09fc	     */		sll	%o5,2,%g2
+/* 0x0a00	     */		cmp	%o5,0
+/* 0x0a04	     */		bl,pt	%icc,.L900000649
+/* 0x0a08	     */		cmp	%o5,0
+/* 0x0a0c	     */		add	%o1,%g2,%o1
+/* 0x0a10	     */		add	%o3,%g2,%o4
+/* 0x0a14	     */		ld	[%o1],%g2
+                       .L900000648:
+/* 0x0a18	     */		ld	[%o4],%g3
+/* 0x0a1c	     */		sub	%o5,1,%o0
+/* 0x0a20	     */		sub	%o1,4,%o1
+/* 0x0a24	     */		sub	%o4,4,%o4
+/* 0x0a28	     */		cmp	%g3,%g2
+/* 0x0a2c	     */		bne,pn	%icc,.L77000244
+/* 0x0a30	     */		nop
+/* 0x0a34	   0 */		or	%g0,%o0,%o5
+/* 0x0a38	 317 */		cmp	%o0,0
+/* 0x0a3c	     */		bge,a,pt	%icc,.L900000648
+/* 0x0a40	     */		ld	[%o1],%g2
+                       .L77000244:
+/* 0x0a44	     */		cmp	%o5,0
+                       .L900000649:
+/* 0x0a48	     */		bl,pn	%icc,.L77000288
+/* 0x0a4c	     */		sll	%o5,2,%g2
+/* 0x0a50	     */		ld	[%o2+%g2],%g3
+/* 0x0a54	     */		ld	[%o3+%g2],%g2
+/* 0x0a58	     */		cmp	%g2,%g3
+/* 0x0a5c	     */		bleu,pt	%icc,.L77000224
+/* 0x0a60	     */		nop
+                       .L77000288:
+/* 0x0a64	     */		cmp	%i0,0
+/* 0x0a68	     */		ble,pt	%icc,.L77000224
+/* 0x0a6c	     */		nop
+/* 0x0a70	 317 */		sub	%i0,1,%o7
+/* 0x0a74	     */		or	%g0,-1,%g2
+/* 0x0a78	     */		srl	%g2,0,%o4
+/* 0x0a7c	     */		add	%o7,1,%o0
+/* 0x0a80	 315 */		or	%g0,0,%o5
+/* 0x0a84	     */		or	%g0,0,%g1
+/* 0x0a88	     */		cmp	%o0,3
+/* 0x0a8c	     */		bl,pn	%icc,.L77000289
+/* 0x0a90	     */		add	%o3,8,%o1
+/* 0x0a94	     */		add	%o2,4,%o0
+/* 0x0a98	     */		ld	[%o1-8],%g2
+/* 0x0a9c	   0 */		or	%g0,%o1,%o3
+/* 0x0aa0	 315 */		ld	[%o0-4],%g3
+/* 0x0aa4	   0 */		or	%g0,%o0,%o2
+/* 0x0aa8	 315 */		or	%g0,2,%g1
+/* 0x0aac	     */		ld	[%o3-4],%o0
+/* 0x0ab0	     */		sub	%g2,%g3,%g2
+/* 0x0ab4	     */		or	%g0,%g2,%o5
+/* 0x0ab8	     */		and	%g2,%o4,%g2
+/* 0x0abc	     */		st	%g2,[%o3-8]
+/* 0x0ac0	     */		srax	%o5,32,%o5
+                       .L900000638:
+/* 0x0ac4	     */		ld	[%o2],%g2
+/* 0x0ac8	     */		add	%g1,1,%g1
+/* 0x0acc	     */		add	%o2,4,%o2
+/* 0x0ad0	     */		cmp	%g1,%o7
+/* 0x0ad4	     */		add	%o3,4,%o3
+/* 0x0ad8	     */		sub	%o0,%g2,%o0
+/* 0x0adc	     */		add	%o0,%o5,%o5
+/* 0x0ae0	     */		and	%o5,%o4,%g2
+/* 0x0ae4	     */		ld	[%o3-4],%o0
+/* 0x0ae8	     */		st	%g2,[%o3-8]
+/* 0x0aec	     */		ble,pt	%icc,.L900000638
+/* 0x0af0	     */		srax	%o5,32,%o5
+                       .L900000641:
+/* 0x0af4	     */		ld	[%o2],%o1
+/* 0x0af8	     */		sub	%o0,%o1,%o0
+/* 0x0afc	     */		add	%o0,%o5,%o0
+/* 0x0b00	     */		and	%o0,%o4,%o1
+/* 0x0b04	     */		st	%o1,[%o3-4]
+/* 0x0b08	     */		ret	! Result = 
+/* 0x0b0c	     */		restore	%g0,%g0,%g0
+                       .L77000289:
+/* 0x0b10	     */		ld	[%o3],%o0
+                       .L900000647:
+/* 0x0b14	     */		ld	[%o2],%o1
+/* 0x0b18	     */		add	%o5,%o0,%o0
+/* 0x0b1c	     */		add	%g1,1,%g1
+/* 0x0b20	     */		add	%o2,4,%o2
+/* 0x0b24	     */		cmp	%g1,%o7
+/* 0x0b28	     */		sub	%o0,%o1,%o0
+/* 0x0b2c	     */		and	%o0,%o4,%o1
+/* 0x0b30	     */		st	%o1,[%o3]
+/* 0x0b34	     */		add	%o3,4,%o3
+/* 0x0b38	     */		srax	%o0,32,%o5
+/* 0x0b3c	     */		ble,a,pt	%icc,.L900000647
+/* 0x0b40	     */		ld	[%o3],%o0
+                       .L77000224:
+/* 0x0b44	     */		ret	! Result = 
+/* 0x0b48	     */		restore	%g0,%g0,%g0
+/* 0x0b4c	   0 */		.type	mont_mulf_noconv,2
+/* 0x0b4c	     */		.size	mont_mulf_noconv,(.-mont_mulf_noconv)
+
diff --git a/security/nss/lib/freebl/mpi/montmulfv9.il b/security/nss/lib/freebl/mpi/montmulfv9.il
new file mode 100644
index 000000000..047785161
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/montmulfv9.il
@@ -0,0 +1,122 @@
+!  
+!  The contents of this file are subject to the Mozilla Public
+!  License Version 1.1 (the "License"); you may not use this file
+!  except in compliance with the License. You may obtain a copy of
+!  the License at http://www.mozilla.org/MPL/
+!  
+!  Software distributed under the License is distributed on an "AS
+!  IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+!  implied. See the License for the specific language governing
+!  rights and limitations under the License.
+!  
+!  The Original Code is inline macros for SPARC Montgomery multiply functions.
+!  
+!  The Initial Developer of the Original Code is Sun Microsystems Inc.
+!  Portions created by Sun Microsystems Inc. are 
+!  Copyright (C) 1999-2000 Sun Microsystems Inc.  All Rights Reserved.
+!  
+!  Contributor(s):
+!  
+!  Alternatively, the contents of this file may be used under the
+!  terms of the GNU General Public License Version 2 or later (the
+!  "GPL"), in which case the provisions of the GPL are applicable 
+!  instead of those above.	If you wish to allow use of your 
+!  version of this file only under the terms of the GPL and not to
+!  allow others to use your version of this file under the MPL,
+!  indicate your decision by deleting the provisions above and
+!  replace them with the notice and other provisions required by
+!  the GPL.  If you do not delete the provisions above, a recipient
+!  may use your version of this file under either the MPL or the
+!  GPL.
+!  
+!   $Id$
+!  
+
+!
+! double upper32(double /*frs1*/);
+!
+        .inline upper32,8
+	fdtox	%f0,%f10
+	fitod	%f10,%f0
+        .end
+
+!
+! double lower32(double /*frs1*/, double /* Zero */);
+!
+        .inline lower32,8
+	fdtox	%f0,%f10
+	fmovs	%f2,%f10
+	fxtod	%f10,%f0
+        .end
+
+!
+! double mod(double /*x*/, double /*1/m*/, double /*m*/);
+!
+        .inline mod,12
+	fmuld	%f0,%f2,%f2
+	fdtox	%f2,%f2
+	fxtod	%f2,%f2
+	fmuld	%f2,%f4,%f2
+	fsubd	%f0,%f2,%f0
+        .end
+
+
+!
+! void i16_to_d16_and_d32x4(double * /*1/(2^16)*/, double * /* 2^16*/,
+!			    double * /* 0 */,
+!			    double * /*result16*/, double * /* result32 */
+!			    float *  /*source - should be unsigned int*
+!		            	       converted to float* */);
+!
+        .inline i16_to_d16_and_d32x4,24
+        ldd     [%o0],%f2  ! 1/(2^16)
+        ldd     [%o1],%f4  ! 2^16
+	ldd	[%o2],%f22
+
+	fmovd	%f22,%f6
+	ld	[%o5],%f7
+	fmovd	%f22,%f10
+	ld	[%o5+4],%f11
+	fmovd	%f22,%f14
+	ld	[%o5+8],%f15
+	fmovd	%f22,%f18
+	ld	[%o5+12],%f19
+	fxtod	%f6,%f6
+	std	%f6,[%o4]
+	fxtod	%f10,%f10
+	std	%f10,[%o4+8]
+	fxtod	%f14,%f14
+	std	%f14,[%o4+16]
+	fxtod	%f18,%f18
+	std	%f18,[%o4+24]
+	fmuld	%f2,%f6,%f8
+	fmuld	%f2,%f10,%f12
+	fmuld	%f2,%f14,%f16
+	fmuld	%f2,%f18,%f20
+	fdtox	%f8,%f8
+	fdtox	%f12,%f12
+	fdtox	%f16,%f16
+	fdtox	%f20,%f20
+	fxtod	%f8,%f8
+	std	%f8,[%o3+8]
+	fxtod	%f12,%f12
+	std	%f12,[%o3+24]
+	fxtod	%f16,%f16
+	std	%f16,[%o3+40]
+	fxtod	%f20,%f20
+	std	%f20,[%o3+56]
+	fmuld	%f8,%f4,%f8
+	fmuld	%f12,%f4,%f12
+	fmuld	%f16,%f4,%f16
+	fmuld	%f20,%f4,%f20
+	fsubd	%f6,%f8,%f8
+	std	%f8,[%o3]
+	fsubd	%f10,%f12,%f12
+	std	%f12,[%o3+16]
+	fsubd	%f14,%f16,%f16
+	std	%f16,[%o3+32]
+	fsubd	%f18,%f20,%f20
+	std	%f20,[%o3+48]
+        .end
+
+
diff --git a/security/nss/lib/freebl/mpi/montmulfv9.s b/security/nss/lib/freebl/mpi/montmulfv9.s
new file mode 100644
index 000000000..30fc4f645
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/montmulfv9.s
@@ -0,0 +1,2377 @@
+!  
+!  The contents of this file are subject to the Mozilla Public
+!  License Version 1.1 (the "License"); you may not use this file
+!  except in compliance with the License. You may obtain a copy of
+!  the License at http://www.mozilla.org/MPL/
+!  
+!  Software distributed under the License is distributed on an "AS
+!  IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+!  implied. See the License for the specific language governing
+!  rights and limitations under the License.
+!  
+!  The Original Code is SPARC hand-optimized Montgomery multiply functions.
+!   
+!  The Initial Developer of the Original Code is Sun Microsystems Inc.
+!  Portions created by Sun Microsystems Inc. are 
+!  Copyright (C) 1999-2000 Sun Microsystems Inc.  All Rights Reserved.
+!  
+!  Contributor(s):
+!  
+!  Alternatively, the contents of this file may be used under the
+!  terms of the GNU General Public License Version 2 or later (the
+!  "GPL"), in which case the provisions of the GPL are applicable 
+!  instead of those above.	If you wish to allow use of your 
+!  version of this file only under the terms of the GPL and not to
+!  allow others to use your version of this file under the MPL,
+!  indicate your decision by deleting the provisions above and
+!  replace them with the notice and other provisions required by
+!  the GPL.  If you do not delete the provisions above, a recipient
+!  may use your version of this file under either the MPL or the
+!  GPL.
+!  
+!   $Id$
+!  
+
+	.section	".text",#alloc,#execinstr
+	.file	"montmulf.c"
+
+	.section	".rodata",#alloc
+	.global	TwoTo16
+	.align	8
+!
+! CONSTANT POOL
+!
+	.global TwoTo16
+TwoTo16:
+	.word	1089470464
+	.word	0
+	.type	TwoTo16,#object
+	.size	TwoTo16,8
+	.global	TwoToMinus16
+!
+! CONSTANT POOL
+!
+	.global TwoToMinus16
+TwoToMinus16:
+	.word	1055916032
+	.word	0
+	.type	TwoToMinus16,#object
+	.size	TwoToMinus16,8
+	.global	Zero
+!
+! CONSTANT POOL
+!
+	.global Zero
+Zero:
+	.word	0
+	.word	0
+	.type	Zero,#object
+	.size	Zero,8
+	.global	TwoTo32
+!
+! CONSTANT POOL
+!
+	.global TwoTo32
+TwoTo32:
+	.word	1106247680
+	.word	0
+	.type	TwoTo32,#object
+	.size	TwoTo32,8
+	.global	TwoToMinus32
+!
+! CONSTANT POOL
+!
+	.global TwoToMinus32
+TwoToMinus32:
+	.word	1039138816
+	.word	0
+	.type	TwoToMinus32,#object
+	.size	TwoToMinus32,8
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.register	%g3,#scratch
+/* 000000	     */		.register	%g2,#scratch
+/* 000000	   0 */		.align	8
+!
+! SUBROUTINE conv_d16_to_i32
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global conv_d16_to_i32
+                       conv_d16_to_i32:
+/* 000000	     */		save	%sp,-208,%sp
+! FILE montmulf.c
+
+!    1		      !/*
+!    2		      ! * The contents of this file are subject to the Mozilla Public
+!    3		      ! * License Version 1.1 (the "License"); you may not use this file
+!    4		      ! * except in compliance with the License. You may obtain a copy of
+!    5		      ! * the License at http://www.mozilla.org/MPL/
+!    6		      ! * 
+!    7		      ! * Software distributed under the License is distributed on an "AS
+!    8		      ! * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+!    9		      ! * implied. See the License for the specific language governing
+!   10		      ! * rights and limitations under the License.
+!   11		      ! * 
+!   12		      ! * The Original Code is SPARC optimized Montgomery multiply functions.
+!   13		      ! *
+!   14		      ! * The Initial Developer of the Original Code is Sun Microsystems Inc.
+!   15		      ! * Portions created by Sun Microsystems Inc. are 
+!   16		      ! * Copyright (C) 1999-2000 Sun Microsystems Inc.  All Rights Reserved.
+!   17		      ! * 
+!   18		      ! * Contributor(s):
+!   19		      ! *	Netscape Communications Corporation
+!   20		      ! * 
+!   21		      ! * Alternatively, the contents of this file may be used under the
+!   22		      ! * terms of the GNU General Public License Version 2 or later (the
+!   23		      ! * "GPL"), in which case the provisions of the GPL are applicable 
+!   24		      ! * instead of those above.	If you wish to allow use of your 
+!   25		      ! * version of this file only under the terms of the GPL and not to
+!   26		      ! * allow others to use your version of this file under the MPL,
+!   27		      ! * indicate your decision by deleting the provisions above and
+!   28		      ! * replace them with the notice and other provisions required by
+!   29		      ! * the GPL.  If you do not delete the provisions above, a recipient
+!   30		      ! * may use your version of this file under either the MPL or the
+!   31		      ! * GPL.
+!   32		      ! *
+!   33		      ! *  $Id$
+!   34		      ! */
+!   36		      !#define RF_INLINE_MACROS
+!   38		      !static const double TwoTo16=65536.0;
+!   39		      !static const double TwoToMinus16=1.0/65536.0;
+!   40		      !static const double Zero=0.0;
+!   41		      !static const double TwoTo32=65536.0*65536.0;
+!   42		      !static const double TwoToMinus32=1.0/(65536.0*65536.0);
+!   44		      !#ifdef RF_INLINE_MACROS
+!   46		      !double upper32(double);
+!   47		      !double lower32(double, double);
+!   48		      !double mod(double, double, double);
+!   50		      !void i16_to_d16_and_d32x4(const double * /*1/(2^16)*/, 
+!   51		      !			  const double * /* 2^16*/,
+!   52		      !			  const double * /* 0 */,
+!   53		      !			  double *       /*result16*/, 
+!   54		      !			  double *       /* result32 */,
+!   55		      !			  float *  /*source - should be unsigned int*
+!   56		      !		          	       converted to float* */);
+!   58		      !#else
+!   60		      !static double upper32(double x)
+!   61		      !{
+!   62		      !  return floor(x*TwoToMinus32);
+!   63		      !}
+!   65		      !static double lower32(double x, double y)
+!   66		      !{
+!   67		      !  return x-TwoTo32*floor(x*TwoToMinus32);
+!   68		      !}
+!   70		      !static double mod(double x, double oneoverm, double m)
+!   71		      !{
+!   72		      !  return x-m*floor(x*oneoverm);
+!   73		      !}
+!   75		      !#endif
+!   78		      !static void cleanup(double *dt, int from, int tlen)
+!   79		      !{
+!   80		      ! int i;
+!   81		      ! double tmp,tmp1,x,x1;
+!   83		      ! tmp=tmp1=Zero;
+!   84		      ! /* original code **
+!   85		      ! for(i=2*from;i<2*tlen-2;i++)
+!   86		      !   {
+!   87		      !     x=dt[i];
+!   88		      !     dt[i]=lower32(x,Zero)+tmp1;
+!   89		      !     tmp1=tmp;
+!   90		      !     tmp=upper32(x);
+!   91		      !   }
+!   92		      ! dt[tlen-2]+=tmp1;
+!   93		      ! dt[tlen-1]+=tmp;
+!   94		      ! **end original code ***/
+!   95		      ! /* new code ***/
+!   96		      ! for(i=2*from;i<2*tlen;i+=2)
+!   97		      !   {
+!   98		      !     x=dt[i];
+!   99		      !     x1=dt[i+1];
+!  100		      !     dt[i]=lower32(x,Zero)+tmp;
+!  101		      !     dt[i+1]=lower32(x1,Zero)+tmp1;
+!  102		      !     tmp=upper32(x);
+!  103		      !     tmp1=upper32(x1);
+!  104		      !   }
+!  105		      !  /** end new code **/
+!  106		      !}
+!  109		      !void conv_d16_to_i32(unsigned int *i32, double *d16, long long *tmp, int ilen)
+!  110		      !{
+!  111		      !int i;
+!  112		      !long long t, t1, a, b, c, d;
+!  114		      ! t1=0;
+!  115		      ! a=(long long)d16[0];
+
+/* 0x0004	 115 */		ldd	[%i1],%f2
+
+!  116		      ! b=(long long)d16[1];
+!  117		      ! for(i=0; i<ilen-1; i++)
+
+/* 0x0008	 117 */		sub	%i3,1,%o1
+/* 0x000c	 110 */		or	%g0,%i0,%g1
+/* 0x0010	 116 */		ldd	[%i1+8],%f4
+/* 0x0014	 117 */		cmp	%o1,0
+/* 0x0018	 114 */		or	%g0,0,%g5
+/* 0x001c	 115 */		fdtox	%f2,%f2
+/* 0x0020	     */		std	%f2,[%sp+2247]
+/* 0x0024	 117 */		or	%g0,0,%o0
+/* 0x0028	 116 */		fdtox	%f4,%f2
+/* 0x002c	     */		std	%f2,[%sp+2239]
+/* 0x0030	 110 */		sub	%o1,1,%o7
+/* 0x0034	     */		or	%g0,%i1,%o4
+/* 0x0038	     */		sethi	%hi(0xfc00),%o3
+/* 0x003c	     */		or	%g0,-1,%o1
+/* 0x0040	     */		or	%g0,2,%i1
+/* 0x0044	     */		srl	%o1,0,%g3
+/* 0x0048	     */		or	%g0,%o4,%g4
+/* 0x004c	 116 */		ldx	[%sp+2239],%i2
+/* 0x0050	     */		add	%o3,1023,%o5
+/* 0x0054	 117 */		sub	%o7,1,%o2
+/* 0x0058	 115 */		ldx	[%sp+2247],%i3
+/* 0x005c	 117 */		ble,pt	%icc,.L900000113
+/* 0x0060	     */		sethi	%hi(0xfc00),%g2
+/* 0x0064	     */		add	%o7,1,%g2
+
+!  118		      !   {
+!  119		      !     c=(long long)d16[2*i+2];
+!  120		      !     t1+=a&0xffffffff;
+!  121		      !     t=(a>>32);
+!  122		      !     d=(long long)d16[2*i+3];
+!  123		      !     t1+=(b&0xffff)<<16;
+
+/* 0x0068	 123 */		and	%i2,%o5,%i4
+/* 0x006c	     */		sllx	%i4,16,%o1
+/* 0x0070	 117 */		cmp	%g2,6
+/* 0x0074	     */		bl,pn	%icc,.L77000134
+/* 0x0078	     */		or	%g0,3,%i0
+/* 0x007c	 119 */		ldd	[%o4+16],%f0
+/* 0x0080	 120 */		and	%i3,%g3,%o3
+
+!  124		      !     t+=(b>>16)+(t1>>32);
+
+/* 0x0084	 124 */		srax	%i2,16,%i5
+/* 0x0088	 117 */		add	%o3,%o1,%i4
+/* 0x008c	 121 */		srax	%i3,32,%i3
+/* 0x0090	 119 */		fdtox	%f0,%f0
+/* 0x0094	     */		std	%f0,[%sp+2231]
+
+!  125		      !     i32[i]=t1&0xffffffff;
+
+/* 0x0098	 125 */		and	%i4,%g3,%l0
+/* 0x009c	 117 */		or	%g0,72,%o3
+/* 0x00a0	 122 */		ldd	[%g4+24],%f0
+/* 0x00a4	 117 */		or	%g0,64,%o4
+/* 0x00a8	     */		or	%g0,4,%o1
+
+!  126		      !     t1=t;
+!  127		      !     a=c;
+!  128		      !     b=d;
+
+/* 0x00ac	 128 */		or	%g0,5,%i0
+/* 0x00b0	     */		or	%g0,4,%i1
+/* 0x00b4	 119 */		ldx	[%sp+2231],%g2
+/* 0x00b8	 122 */		fdtox	%f0,%f0
+/* 0x00bc	 128 */		or	%g0,4,%o0
+/* 0x00c0	 122 */		std	%f0,[%sp+2223]
+/* 0x00c4	     */		ldd	[%g4+40],%f2
+/* 0x00c8	 120 */		and	%g2,%g3,%i2
+/* 0x00cc	 119 */		ldd	[%g4+32],%f0
+/* 0x00d0	 121 */		srax	%g2,32,%g2
+/* 0x00d4	 122 */		ldd	[%g4+56],%f4
+/* 0x00d8	     */		fdtox	%f2,%f2
+/* 0x00dc	     */		ldx	[%sp+2223],%g5
+/* 0x00e0	 119 */		fdtox	%f0,%f0
+/* 0x00e4	 125 */		st	%l0,[%g1]
+/* 0x00e8	 124 */		srax	%i4,32,%l0
+/* 0x00ec	 122 */		fdtox	%f4,%f4
+/* 0x00f0	     */		std	%f2,[%sp+2223]
+/* 0x00f4	 123 */		and	%g5,%o5,%i4
+/* 0x00f8	 124 */		add	%i5,%l0,%i5
+/* 0x00fc	 119 */		std	%f0,[%sp+2231]
+/* 0x0100	 123 */		sllx	%i4,16,%i4
+/* 0x0104	 124 */		add	%i3,%i5,%i3
+/* 0x0108	 119 */		ldd	[%g4+48],%f2
+/* 0x010c	 124 */		srax	%g5,16,%g5
+/* 0x0110	 117 */		add	%i2,%i4,%i2
+/* 0x0114	 122 */		ldd	[%g4+72],%f0
+/* 0x0118	 117 */		add	%i2,%i3,%i4
+/* 0x011c	 124 */		srax	%i4,32,%i5
+/* 0x0120	 119 */		fdtox	%f2,%f2
+/* 0x0124	 125 */		and	%i4,%g3,%i4
+/* 0x0128	 122 */		ldx	[%sp+2223],%i2
+/* 0x012c	 124 */		add	%g5,%i5,%g5
+/* 0x0130	 119 */		ldx	[%sp+2231],%i3
+/* 0x0134	 124 */		add	%g2,%g5,%g5
+/* 0x0138	 119 */		std	%f2,[%sp+2231]
+/* 0x013c	 122 */		std	%f4,[%sp+2223]
+/* 0x0140	 119 */		ldd	[%g4+64],%f2
+/* 0x0144	 125 */		st	%i4,[%g1+4]
+                       .L900000108:
+/* 0x0148	 122 */		ldx	[%sp+2223],%i4
+/* 0x014c	 128 */		add	%o0,2,%o0
+/* 0x0150	     */		add	%i0,4,%i0
+/* 0x0154	 119 */		ldx	[%sp+2231],%l0
+/* 0x0158	 117 */		add	%o3,16,%o3
+/* 0x015c	 123 */		and	%i2,%o5,%g2
+/* 0x0160	     */		sllx	%g2,16,%i5
+/* 0x0164	 120 */		and	%i3,%g3,%g2
+/* 0x0168	 122 */		ldd	[%g4+%o3],%f4
+/* 0x016c	     */		fdtox	%f0,%f0
+/* 0x0170	     */		std	%f0,[%sp+2223]
+/* 0x0174	 124 */		srax	%i2,16,%i2
+/* 0x0178	 117 */		add	%g2,%i5,%g2
+/* 0x017c	 119 */		fdtox	%f2,%f0
+/* 0x0180	 117 */		add	%o4,16,%o4
+/* 0x0184	 119 */		std	%f0,[%sp+2231]
+/* 0x0188	 117 */		add	%g2,%g5,%g2
+/* 0x018c	 119 */		ldd	[%g4+%o4],%f2
+/* 0x0190	 124 */		srax	%g2,32,%i5
+/* 0x0194	 128 */		cmp	%o0,%o2
+/* 0x0198	 121 */		srax	%i3,32,%g5
+/* 0x019c	 124 */		add	%i2,%i5,%i2
+/* 0x01a0	     */		add	%g5,%i2,%i5
+/* 0x01a4	 117 */		add	%o1,4,%o1
+/* 0x01a8	 125 */		and	%g2,%g3,%g2
+/* 0x01ac	 127 */		or	%g0,%l0,%g5
+/* 0x01b0	 125 */		st	%g2,[%g1+%o1]
+/* 0x01b4	 128 */		add	%i1,4,%i1
+/* 0x01b8	 122 */		ldx	[%sp+2223],%i2
+/* 0x01bc	 119 */		ldx	[%sp+2231],%i3
+/* 0x01c0	 117 */		add	%o3,16,%o3
+/* 0x01c4	 123 */		and	%i4,%o5,%g2
+/* 0x01c8	     */		sllx	%g2,16,%l0
+/* 0x01cc	 120 */		and	%g5,%g3,%g2
+/* 0x01d0	 122 */		ldd	[%g4+%o3],%f0
+/* 0x01d4	     */		fdtox	%f4,%f4
+/* 0x01d8	     */		std	%f4,[%sp+2223]
+/* 0x01dc	 124 */		srax	%i4,16,%i4
+/* 0x01e0	 117 */		add	%g2,%l0,%g2
+/* 0x01e4	 119 */		fdtox	%f2,%f2
+/* 0x01e8	 117 */		add	%o4,16,%o4
+/* 0x01ec	 119 */		std	%f2,[%sp+2231]
+/* 0x01f0	 117 */		add	%g2,%i5,%g2
+/* 0x01f4	 119 */		ldd	[%g4+%o4],%f2
+/* 0x01f8	 124 */		srax	%g2,32,%i5
+/* 0x01fc	 121 */		srax	%g5,32,%g5
+/* 0x0200	 124 */		add	%i4,%i5,%i4
+/* 0x0204	     */		add	%g5,%i4,%g5
+/* 0x0208	 117 */		add	%o1,4,%o1
+/* 0x020c	 125 */		and	%g2,%g3,%g2
+/* 0x0210	 128 */		ble,pt	%icc,.L900000108
+/* 0x0214	     */		st	%g2,[%g1+%o1]
+                       .L900000111:
+/* 0x0218	 122 */		ldx	[%sp+2223],%o2
+/* 0x021c	 123 */		and	%i2,%o5,%i4
+/* 0x0220	 120 */		and	%i3,%g3,%g2
+/* 0x0224	 123 */		sllx	%i4,16,%i4
+/* 0x0228	 119 */		ldx	[%sp+2231],%i5
+/* 0x022c	 128 */		cmp	%o0,%o7
+/* 0x0230	 124 */		srax	%i2,16,%i2
+/* 0x0234	 117 */		add	%g2,%i4,%g2
+/* 0x0238	 122 */		fdtox	%f0,%f4
+/* 0x023c	     */		std	%f4,[%sp+2223]
+/* 0x0240	 117 */		add	%g2,%g5,%g5
+/* 0x0244	 123 */		and	%o2,%o5,%l0
+/* 0x0248	 124 */		srax	%g5,32,%l1
+/* 0x024c	 120 */		and	%i5,%g3,%i4
+/* 0x0250	 119 */		fdtox	%f2,%f0
+/* 0x0254	 121 */		srax	%i3,32,%g2
+/* 0x0258	 119 */		std	%f0,[%sp+2231]
+/* 0x025c	 124 */		add	%i2,%l1,%i2
+/* 0x0260	 123 */		sllx	%l0,16,%i3
+/* 0x0264	 124 */		add	%g2,%i2,%i2
+/* 0x0268	     */		srax	%o2,16,%o2
+/* 0x026c	 117 */		add	%o1,4,%g2
+/* 0x0270	     */		add	%i4,%i3,%o1
+/* 0x0274	 125 */		and	%g5,%g3,%g5
+/* 0x0278	     */		st	%g5,[%g1+%g2]
+/* 0x027c	 119 */		ldx	[%sp+2231],%i3
+/* 0x0280	 117 */		add	%o1,%i2,%o1
+/* 0x0284	     */		add	%g2,4,%g2
+/* 0x0288	 124 */		srax	%o1,32,%i4
+/* 0x028c	 122 */		ldx	[%sp+2223],%i2
+/* 0x0290	 125 */		and	%o1,%g3,%g5
+/* 0x0294	 121 */		srax	%i5,32,%o1
+/* 0x0298	 124 */		add	%o2,%i4,%o2
+/* 0x029c	 125 */		st	%g5,[%g1+%g2]
+/* 0x02a0	 128 */		bg,pn	%icc,.L77000127
+/* 0x02a4	     */		add	%o1,%o2,%g5
+/* 0x02a8	     */		add	%i0,6,%i0
+/* 0x02ac	     */		add	%i1,6,%i1
+                       .L77000134:
+/* 0x02b0	 119 */		sra	%i1,0,%o2
+                       .L900000112:
+/* 0x02b4	 119 */		sllx	%o2,3,%o3
+/* 0x02b8	 120 */		and	%i3,%g3,%o1
+/* 0x02bc	 119 */		ldd	[%g4+%o3],%f0
+/* 0x02c0	 122 */		sra	%i0,0,%o3
+/* 0x02c4	 123 */		and	%i2,%o5,%o2
+/* 0x02c8	 122 */		sllx	%o3,3,%o3
+/* 0x02cc	 120 */		add	%g5,%o1,%o1
+/* 0x02d0	 119 */		fdtox	%f0,%f0
+/* 0x02d4	     */		std	%f0,[%sp+2231]
+/* 0x02d8	 123 */		sllx	%o2,16,%o2
+/* 0x02dc	     */		add	%o1,%o2,%o2
+/* 0x02e0	 128 */		add	%i1,2,%i1
+/* 0x02e4	 122 */		ldd	[%g4+%o3],%f0
+/* 0x02e8	 124 */		srax	%o2,32,%g2
+/* 0x02ec	 125 */		and	%o2,%g3,%o3
+/* 0x02f0	 124 */		srax	%i2,16,%o1
+/* 0x02f4	 128 */		add	%i0,2,%i0
+/* 0x02f8	 122 */		fdtox	%f0,%f0
+/* 0x02fc	     */		std	%f0,[%sp+2223]
+/* 0x0300	 125 */		sra	%o0,0,%o2
+/* 0x0304	     */		sllx	%o2,2,%o2
+/* 0x0308	 124 */		add	%o1,%g2,%g5
+/* 0x030c	 121 */		srax	%i3,32,%g2
+/* 0x0310	 128 */		add	%o0,1,%o0
+/* 0x0314	 124 */		add	%g2,%g5,%g5
+/* 0x0318	 128 */		cmp	%o0,%o7
+/* 0x031c	 119 */		ldx	[%sp+2231],%o4
+/* 0x0320	 122 */		ldx	[%sp+2223],%i2
+/* 0x0324	 125 */		st	%o3,[%g1+%o2]
+/* 0x0328	 127 */		or	%g0,%o4,%i3
+/* 0x032c	 128 */		ble,pt	%icc,.L900000112
+/* 0x0330	     */		sra	%i1,0,%o2
+                       .L77000127:
+
+!  129		      !   }
+!  130		      !     t1+=a&0xffffffff;
+!  131		      !     t=(a>>32);
+!  132		      !     t1+=(b&0xffff)<<16;
+!  133		      !     i32[i]=t1&0xffffffff;
+
+/* 0x0334	 133 */		sethi	%hi(0xfc00),%g2
+                       .L900000113:
+/* 0x0338	 133 */		or	%g0,-1,%g3
+/* 0x033c	     */		add	%g2,1023,%g2
+/* 0x0340	     */		srl	%g3,0,%g3
+/* 0x0344	     */		and	%i2,%g2,%g2
+/* 0x0348	     */		and	%i3,%g3,%g4
+/* 0x034c	     */		sllx	%g2,16,%g2
+/* 0x0350	     */		add	%g5,%g4,%g4
+/* 0x0354	     */		sra	%o0,0,%g5
+/* 0x0358	     */		add	%g4,%g2,%g4
+/* 0x035c	     */		sllx	%g5,2,%g2
+/* 0x0360	     */		and	%g4,%g3,%g3
+/* 0x0364	     */		st	%g3,[%g1+%g2]
+/* 0x0368	     */		ret	! Result = 
+/* 0x036c	     */		restore	%g0,%g0,%g0
+/* 0x0370	   0 */		.type	conv_d16_to_i32,2
+/* 0x0370	     */		.size	conv_d16_to_i32,(.-conv_d16_to_i32)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.align	8
+!
+! CONSTANT POOL
+!
+                       .L_const_seg_900000201:
+/* 000000	   0 */		.word	1127219200,0
+/* 0x0008	   0 */		.align	8
+/* 0x0008	     */		.skip	24
+!
+! SUBROUTINE conv_i32_to_d32
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global conv_i32_to_d32
+                       conv_i32_to_d32:
+/* 000000	     */		or	%g0,%o7,%g3
+
+!  135		      !}
+!  137		      !void conv_i32_to_d32(double *d32, unsigned int *i32, int len)
+!  138		      !{
+!  139		      !int i;
+!  141		      !#pragma pipeloop(0)
+!  142		      ! for(i=0;i<len;i++) d32[i]=(double)(i32[i]);
+
+/* 0x0004	 142 */		cmp	%o2,0
+                       .L900000210:
+/* 0x0008	     */		call	.+8
+/* 0x000c	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000210-.)),%g4
+/* 0x0010	 142 */		or	%g0,0,%o3
+/* 0x0014	 138 */		add	%g4,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000210-.)),%g4
+/* 0x0018	 142 */		sub	%o2,1,%o4
+/* 0x001c	 138 */		add	%g4,%o7,%g1
+/* 0x0020	 142 */		ble,pt	%icc,.L77000140
+/* 0x0024	     */		or	%g0,%g3,%o7
+/* 0x0028	     */		sethi	%hi(.L_const_seg_900000201),%g3
+/* 0x002c	     */		cmp	%o2,12
+/* 0x0030	     */		add	%g3,%lo(.L_const_seg_900000201),%g2
+/* 0x0034	     */		or	%g0,%o1,%g5
+/* 0x0038	     */		ldx	[%g1+%g2],%g4
+/* 0x003c	     */		or	%g0,0,%g1
+/* 0x0040	     */		or	%g0,24,%g2
+/* 0x0044	     */		bl,pn	%icc,.L77000144
+/* 0x0048	     */		or	%g0,0,%g3
+/* 0x004c	     */		ld	[%o1],%f13
+/* 0x0050	     */		or	%g0,7,%o3
+/* 0x0054	     */		ldd	[%g4],%f8
+/* 0x0058	     */		sub	%o2,5,%g3
+/* 0x005c	     */		or	%g0,8,%g1
+/* 0x0060	     */		ld	[%o1+4],%f11
+/* 0x0064	     */		ld	[%o1+8],%f7
+/* 0x0068	     */		fmovs	%f8,%f12
+/* 0x006c	     */		ld	[%o1+12],%f5
+/* 0x0070	     */		fmovs	%f8,%f10
+/* 0x0074	     */		ld	[%o1+16],%f3
+/* 0x0078	     */		fmovs	%f8,%f6
+/* 0x007c	     */		ld	[%o1+20],%f1
+/* 0x0080	     */		fsubd	%f12,%f8,%f12
+/* 0x0084	     */		std	%f12,[%o0]
+/* 0x0088	     */		fsubd	%f10,%f8,%f10
+/* 0x008c	     */		std	%f10,[%o0+8]
+                       .L900000205:
+/* 0x0090	     */		ld	[%o1+%g2],%f11
+/* 0x0094	     */		add	%g1,8,%g1
+/* 0x0098	     */		add	%o3,5,%o3
+/* 0x009c	     */		fsubd	%f6,%f8,%f6
+/* 0x00a0	     */		add	%g2,4,%g2
+/* 0x00a4	     */		std	%f6,[%o0+%g1]
+/* 0x00a8	     */		cmp	%o3,%g3
+/* 0x00ac	     */		fmovs	%f8,%f4
+/* 0x00b0	     */		ld	[%o1+%g2],%f7
+/* 0x00b4	     */		fsubd	%f4,%f8,%f12
+/* 0x00b8	     */		add	%g1,8,%g1
+/* 0x00bc	     */		add	%g2,4,%g2
+/* 0x00c0	     */		fmovs	%f8,%f2
+/* 0x00c4	     */		std	%f12,[%o0+%g1]
+/* 0x00c8	     */		ld	[%o1+%g2],%f5
+/* 0x00cc	     */		fsubd	%f2,%f8,%f12
+/* 0x00d0	     */		add	%g1,8,%g1
+/* 0x00d4	     */		add	%g2,4,%g2
+/* 0x00d8	     */		fmovs	%f8,%f0
+/* 0x00dc	     */		std	%f12,[%o0+%g1]
+/* 0x00e0	     */		ld	[%o1+%g2],%f3
+/* 0x00e4	     */		fsubd	%f0,%f8,%f12
+/* 0x00e8	     */		add	%g1,8,%g1
+/* 0x00ec	     */		add	%g2,4,%g2
+/* 0x00f0	     */		fmovs	%f8,%f10
+/* 0x00f4	     */		std	%f12,[%o0+%g1]
+/* 0x00f8	     */		ld	[%o1+%g2],%f1
+/* 0x00fc	     */		fsubd	%f10,%f8,%f10
+/* 0x0100	     */		add	%g1,8,%g1
+/* 0x0104	     */		add	%g2,4,%g2
+/* 0x0108	     */		std	%f10,[%o0+%g1]
+/* 0x010c	     */		ble,pt	%icc,.L900000205
+/* 0x0110	     */		fmovs	%f8,%f6
+                       .L900000208:
+/* 0x0114	     */		fmovs	%f8,%f4
+/* 0x0118	     */		ld	[%o1+%g2],%f11
+/* 0x011c	     */		add	%g1,8,%g3
+/* 0x0120	     */		fmovs	%f8,%f2
+/* 0x0124	     */		add	%g1,16,%g1
+/* 0x0128	     */		cmp	%o3,%o4
+/* 0x012c	     */		fmovs	%f8,%f0
+/* 0x0130	     */		add	%g1,8,%o1
+/* 0x0134	     */		add	%g1,16,%o2
+/* 0x0138	     */		fmovs	%f8,%f10
+/* 0x013c	     */		add	%g1,24,%g2
+/* 0x0140	     */		fsubd	%f6,%f8,%f6
+/* 0x0144	     */		std	%f6,[%o0+%g3]
+/* 0x0148	     */		fsubd	%f4,%f8,%f4
+/* 0x014c	     */		std	%f4,[%o0+%g1]
+/* 0x0150	     */		sra	%o3,0,%g1
+/* 0x0154	     */		fsubd	%f2,%f8,%f2
+/* 0x0158	     */		std	%f2,[%o0+%o1]
+/* 0x015c	     */		sllx	%g1,2,%g3
+/* 0x0160	     */		fsubd	%f0,%f8,%f0
+/* 0x0164	     */		std	%f0,[%o0+%o2]
+/* 0x0168	     */		fsubd	%f10,%f8,%f0
+/* 0x016c	     */		bg,pn	%icc,.L77000140
+/* 0x0170	     */		std	%f0,[%o0+%g2]
+                       .L77000144:
+/* 0x0174	     */		ldd	[%g4],%f8
+                       .L900000211:
+/* 0x0178	     */		ld	[%g5+%g3],%f13
+/* 0x017c	     */		sllx	%g1,3,%g2
+/* 0x0180	     */		add	%o3,1,%o3
+/* 0x0184	     */		sra	%o3,0,%g1
+/* 0x0188	     */		cmp	%o3,%o4
+/* 0x018c	     */		fmovs	%f8,%f12
+/* 0x0190	     */		sllx	%g1,2,%g3
+/* 0x0194	     */		fsubd	%f12,%f8,%f0
+/* 0x0198	     */		std	%f0,[%o0+%g2]
+/* 0x019c	     */		ble,a,pt	%icc,.L900000211
+/* 0x01a0	     */		ldd	[%g4],%f8
+                       .L77000140:
+/* 0x01a4	     */		retl	! Result = 
+/* 0x01a8	     */		nop
+/* 0x01ac	   0 */		.type	conv_i32_to_d32,2
+/* 0x01ac	     */		.size	conv_i32_to_d32,(.-conv_i32_to_d32)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.align	8
+!
+! CONSTANT POOL
+!
+                       .L_const_seg_900000301:
+/* 000000	   0 */		.word	1127219200,0
+/* 0x0008	   0 */		.align	8
+/* 0x0008	     */		.skip	24
+!
+! SUBROUTINE conv_i32_to_d16
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global conv_i32_to_d16
+                       conv_i32_to_d16:
+/* 000000	     */		save	%sp,-192,%sp
+                       .L900000310:
+/* 0x0004	     */		call	.+8
+/* 0x0008	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000310-.)),%g3
+
+!  143		      !}
+!  146		      !void conv_i32_to_d16(double *d16, unsigned int *i32, int len)
+!  147		      !{
+!  148		      !int i;
+!  149		      !unsigned int a;
+!  151		      !#pragma pipeloop(0)
+!  152		      ! for(i=0;i<len;i++)
+
+/* 0x000c	 152 */		cmp	%i2,0
+/* 0x0010	 147 */		add	%g3,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000310-.)),%g3
+/* 0x0014	 152 */		ble,pt	%icc,.L77000150
+/* 0x0018	     */		add	%g3,%o7,%o0
+
+!  153		      !   {
+!  154		      !     a=i32[i];
+!  155		      !     d16[2*i]=(double)(a&0xffff);
+!  156		      !     d16[2*i+1]=(double)(a>>16);
+
+/* 0x001c	 156 */		sethi	%hi(.L_const_seg_900000301),%g2
+/* 0x0020	 147 */		or	%g0,%i2,%o1
+/* 0x0024	 152 */		sethi	%hi(0xfc00),%g3
+/* 0x0028	 156 */		add	%g2,%lo(.L_const_seg_900000301),%g2
+/* 0x002c	 152 */		or	%g0,%o1,%g4
+/* 0x0030	 156 */		ldx	[%o0+%g2],%o5
+/* 0x0034	 152 */		add	%g3,1023,%g1
+/* 0x0038	 147 */		or	%g0,%i1,%o7
+/* 0x003c	 152 */		or	%g0,0,%i2
+/* 0x0040	     */		sub	%o1,1,%g5
+/* 0x0044	     */		or	%g0,0,%g3
+/* 0x0048	     */		or	%g0,1,%g2
+/* 0x004c	 154 */		or	%g0,0,%o2
+/* 0x0050	     */		cmp	%g4,6
+/* 0x0054	 152 */		bl,pn	%icc,.L77000154
+/* 0x0058	     */		ldd	[%o5],%f0
+/* 0x005c	     */		sub	%o1,2,%o3
+/* 0x0060	     */		or	%g0,16,%o2
+/* 0x0064	 154 */		ld	[%i1],%o4
+/* 0x0068	 156 */		or	%g0,3,%g2
+/* 0x006c	     */		or	%g0,2,%g3
+/* 0x0070	 155 */		fmovs	%f0,%f2
+/* 0x0074	 156 */		or	%g0,4,%i2
+/* 0x0078	 155 */		and	%o4,%g1,%o0
+/* 0x007c	     */		st	%o0,[%sp+2227]
+/* 0x0080	     */		fmovs	%f0,%f4
+/* 0x0084	 156 */		srl	%o4,16,%i4
+/* 0x0088	 152 */		or	%g0,12,%o4
+/* 0x008c	     */		or	%g0,24,%o0
+/* 0x0090	 155 */		ld	[%sp+2227],%f3
+/* 0x0094	     */		fsubd	%f2,%f0,%f2
+/* 0x0098	     */		std	%f2,[%i0]
+/* 0x009c	 156 */		st	%i4,[%sp+2223]
+/* 0x00a0	 154 */		ld	[%o7+4],%o1
+/* 0x00a4	 156 */		fmovs	%f0,%f2
+/* 0x00a8	 155 */		and	%o1,%g1,%i1
+/* 0x00ac	 156 */		ld	[%sp+2223],%f3
+/* 0x00b0	     */		srl	%o1,16,%o1
+/* 0x00b4	     */		fsubd	%f2,%f0,%f2
+/* 0x00b8	     */		std	%f2,[%i0+8]
+/* 0x00bc	     */		st	%o1,[%sp+2223]
+/* 0x00c0	 155 */		st	%i1,[%sp+2227]
+/* 0x00c4	 154 */		ld	[%o7+8],%o1
+/* 0x00c8	 156 */		fmovs	%f0,%f2
+/* 0x00cc	 155 */		and	%o1,%g1,%g4
+/* 0x00d0	     */		ld	[%sp+2227],%f5
+/* 0x00d4	 156 */		srl	%o1,16,%o1
+/* 0x00d8	     */		ld	[%sp+2223],%f3
+/* 0x00dc	     */		st	%o1,[%sp+2223]
+/* 0x00e0	 155 */		fsubd	%f4,%f0,%f4
+/* 0x00e4	     */		st	%g4,[%sp+2227]
+/* 0x00e8	 156 */		fsubd	%f2,%f0,%f2
+/* 0x00ec	 154 */		ld	[%o7+12],%o1
+/* 0x00f0	 155 */		std	%f4,[%i0+16]
+/* 0x00f4	 156 */		std	%f2,[%i0+24]
+                       .L900000306:
+/* 0x00f8	 155 */		ld	[%sp+2227],%f5
+/* 0x00fc	 156 */		add	%i2,2,%i2
+/* 0x0100	     */		add	%g2,4,%g2
+/* 0x0104	     */		ld	[%sp+2223],%f3
+/* 0x0108	     */		cmp	%i2,%o3
+/* 0x010c	     */		add	%g3,4,%g3
+/* 0x0110	 155 */		and	%o1,%g1,%g4
+/* 0x0114	 156 */		srl	%o1,16,%o1
+/* 0x0118	 155 */		st	%g4,[%sp+2227]
+/* 0x011c	 156 */		st	%o1,[%sp+2223]
+/* 0x0120	 152 */		add	%o4,4,%o1
+/* 0x0124	 154 */		ld	[%o7+%o1],%o4
+/* 0x0128	 156 */		fmovs	%f0,%f2
+/* 0x012c	 155 */		fmovs	%f0,%f4
+/* 0x0130	     */		fsubd	%f4,%f0,%f4
+/* 0x0134	 152 */		add	%o2,16,%o2
+/* 0x0138	 156 */		fsubd	%f2,%f0,%f2
+/* 0x013c	 155 */		std	%f4,[%i0+%o2]
+/* 0x0140	 152 */		add	%o0,16,%o0
+/* 0x0144	 156 */		std	%f2,[%i0+%o0]
+/* 0x0148	 155 */		ld	[%sp+2227],%f5
+/* 0x014c	 156 */		ld	[%sp+2223],%f3
+/* 0x0150	 155 */		and	%o4,%g1,%g4
+/* 0x0154	 156 */		srl	%o4,16,%o4
+/* 0x0158	 155 */		st	%g4,[%sp+2227]
+/* 0x015c	 156 */		st	%o4,[%sp+2223]
+/* 0x0160	 152 */		add	%o1,4,%o4
+/* 0x0164	 154 */		ld	[%o7+%o4],%o1
+/* 0x0168	 156 */		fmovs	%f0,%f2
+/* 0x016c	 155 */		fmovs	%f0,%f4
+/* 0x0170	     */		fsubd	%f4,%f0,%f4
+/* 0x0174	 152 */		add	%o2,16,%o2
+/* 0x0178	 156 */		fsubd	%f2,%f0,%f2
+/* 0x017c	 155 */		std	%f4,[%i0+%o2]
+/* 0x0180	 152 */		add	%o0,16,%o0
+/* 0x0184	 156 */		ble,pt	%icc,.L900000306
+/* 0x0188	     */		std	%f2,[%i0+%o0]
+                       .L900000309:
+/* 0x018c	 155 */		ld	[%sp+2227],%f5
+/* 0x0190	 156 */		fmovs	%f0,%f2
+/* 0x0194	     */		srl	%o1,16,%o3
+/* 0x0198	     */		ld	[%sp+2223],%f3
+/* 0x019c	 155 */		and	%o1,%g1,%i1
+/* 0x01a0	 152 */		add	%o2,16,%g4
+/* 0x01a4	 155 */		fmovs	%f0,%f4
+/* 0x01a8	     */		st	%i1,[%sp+2227]
+/* 0x01ac	 152 */		add	%o0,16,%o2
+/* 0x01b0	 156 */		st	%o3,[%sp+2223]
+/* 0x01b4	 154 */		sra	%i2,0,%o3
+/* 0x01b8	 152 */		add	%g4,16,%o1
+/* 0x01bc	 155 */		fsubd	%f4,%f0,%f4
+/* 0x01c0	     */		std	%f4,[%i0+%g4]
+/* 0x01c4	 152 */		add	%o0,32,%o0
+/* 0x01c8	 156 */		fsubd	%f2,%f0,%f2
+/* 0x01cc	     */		std	%f2,[%i0+%o2]
+/* 0x01d0	     */		sllx	%o3,2,%o2
+/* 0x01d4	 155 */		ld	[%sp+2227],%f5
+/* 0x01d8	 156 */		cmp	%i2,%g5
+/* 0x01dc	     */		add	%g2,6,%g2
+/* 0x01e0	     */		ld	[%sp+2223],%f3
+/* 0x01e4	     */		add	%g3,6,%g3
+/* 0x01e8	 155 */		fmovs	%f0,%f4
+/* 0x01ec	 156 */		fmovs	%f0,%f2
+/* 0x01f0	 155 */		fsubd	%f4,%f0,%f4
+/* 0x01f4	     */		std	%f4,[%i0+%o1]
+/* 0x01f8	 156 */		fsubd	%f2,%f0,%f0
+/* 0x01fc	     */		bg,pn	%icc,.L77000150
+/* 0x0200	     */		std	%f0,[%i0+%o0]
+                       .L77000154:
+/* 0x0204	 155 */		ldd	[%o5],%f0
+                       .L900000311:
+/* 0x0208	 154 */		ld	[%o7+%o2],%o0
+/* 0x020c	 155 */		sra	%g3,0,%o1
+/* 0x0210	     */		fmovs	%f0,%f2
+/* 0x0214	     */		sllx	%o1,3,%o2
+/* 0x0218	 156 */		add	%i2,1,%i2
+/* 0x021c	 155 */		and	%o0,%g1,%o1
+/* 0x0220	     */		st	%o1,[%sp+2227]
+/* 0x0224	 156 */		add	%g3,2,%g3
+/* 0x0228	     */		srl	%o0,16,%o1
+/* 0x022c	     */		cmp	%i2,%g5
+/* 0x0230	     */		sra	%g2,0,%o0
+/* 0x0234	     */		add	%g2,2,%g2
+/* 0x0238	     */		sllx	%o0,3,%o0
+/* 0x023c	 155 */		ld	[%sp+2227],%f3
+/* 0x0240	 154 */		sra	%i2,0,%o3
+/* 0x0244	 155 */		fsubd	%f2,%f0,%f2
+/* 0x0248	     */		std	%f2,[%i0+%o2]
+/* 0x024c	     */		sllx	%o3,2,%o2
+/* 0x0250	 156 */		st	%o1,[%sp+2223]
+/* 0x0254	     */		fmovs	%f0,%f2
+/* 0x0258	     */		ld	[%sp+2223],%f3
+/* 0x025c	     */		fsubd	%f2,%f0,%f0
+/* 0x0260	     */		std	%f0,[%i0+%o0]
+/* 0x0264	     */		ble,a,pt	%icc,.L900000311
+/* 0x0268	     */		ldd	[%o5],%f0
+                       .L77000150:
+/* 0x026c	     */		ret	! Result = 
+/* 0x0270	     */		restore	%g0,%g0,%g0
+/* 0x0274	   0 */		.type	conv_i32_to_d16,2
+/* 0x0274	     */		.size	conv_i32_to_d16,(.-conv_i32_to_d16)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.align	8
+!
+! CONSTANT POOL
+!
+                       .L_const_seg_900000401:
+/* 000000	   0 */		.word	1127219200,0
+/* 0x0008	   0 */		.align	8
+/* 0x0008	     */		.skip	24
+!
+! SUBROUTINE conv_i32_to_d32_and_d16
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global conv_i32_to_d32_and_d16
+                       conv_i32_to_d32_and_d16:
+/* 000000	     */		save	%sp,-192,%sp
+                       .L900000415:
+/* 0x0004	     */		call	.+8
+/* 0x0008	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000415-.)),%g3
+
+!  157		      !   }
+!  158		      !}
+!  161		      !void conv_i32_to_d32_and_d16(double *d32, double *d16, 
+!  162		      !			     unsigned int *i32, int len)
+!  163		      !{
+!  164		      !int i = 0;
+!  165		      !unsigned int a;
+!  167		      !#pragma pipeloop(0)
+!  168		      !#ifdef RF_INLINE_MACROS
+!  169		      ! for(;i<len-3;i+=4)
+!  170		      !   {
+!  171		      !     i16_to_d16_and_d32x4(&TwoToMinus16, &TwoTo16, &Zero,
+!  172		      !			  &(d16[2*i]), &(d32[i]), (float *)(&(i32[i])));
+
+/* 0x000c	 172 */		sethi	%hi(Zero),%g2
+/* 0x0010	 163 */		add	%g3,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000415-.)),%g3
+/* 0x0014	     */		or	%g0,%i3,%g5
+/* 0x0018	     */		add	%g3,%o7,%o3
+/* 0x001c	 172 */		add	%g2,%lo(Zero),%g2
+/* 0x0020	     */		ldx	[%o3+%g2],%o0
+/* 0x0024	     */		sethi	%hi(TwoToMinus16),%g3
+/* 0x0028	 163 */		or	%g0,%i0,%i3
+/* 0x002c	 169 */		sub	%g5,3,%o1
+/* 0x0030	 172 */		sethi	%hi(TwoTo16),%g4
+/* 0x0034	 163 */		or	%g0,%i2,%i0
+/* 0x0038	 172 */		add	%g3,%lo(TwoToMinus16),%g2
+/* 0x003c	     */		ldx	[%o3+%g2],%o2
+/* 0x0040	 169 */		cmp	%o1,0
+/* 0x0044	 164 */		or	%g0,0,%i2
+/* 0x0048	 169 */		ble,pt	%icc,.L900000418
+/* 0x004c	     */		cmp	%i2,%g5
+/* 0x0050	     */		ldd	[%o0],%f2
+/* 0x0054	 172 */		add	%g4,%lo(TwoTo16),%g3
+/* 0x0058	     */		ldx	[%o3+%g3],%o1
+/* 0x005c	 169 */		sub	%g5,4,%o4
+/* 0x0060	     */		or	%g0,0,%o5
+                       .L900000417:
+/* 0x0064	 172 */		sra	%i2,0,%g2
+/* 0x0068	     */		fmovd	%f2,%f14
+/* 0x006c	     */		ldd	[%o2],%f0
+/* 0x0070	     */		sllx	%g2,2,%g3
+/* 0x0074	     */		fmovd	%f2,%f10
+/* 0x0078	     */		ldd	[%o1],%f16
+/* 0x007c	     */		ld	[%g3+%i0],%f15
+/* 0x0080	     */		add	%i0,%g3,%g3
+/* 0x0084	     */		fmovd	%f2,%f6
+/* 0x0088	     */		ld	[%g3+4],%f11
+/* 0x008c	     */		sra	%o5,0,%g4
+/* 0x0090	     */		add	%i2,4,%i2
+/* 0x0094	     */		ld	[%g3+8],%f7
+/* 0x0098	     */		fxtod	%f14,%f14
+/* 0x009c	     */		sllx	%g2,3,%g2
+/* 0x00a0	     */		ld	[%g3+12],%f3
+/* 0x00a4	     */		fxtod	%f10,%f10
+/* 0x00a8	     */		sllx	%g4,3,%g3
+/* 0x00ac	     */		fxtod	%f6,%f6
+/* 0x00b0	     */		std	%f14,[%g2+%i3]
+/* 0x00b4	     */		add	%i3,%g2,%g4
+/* 0x00b8	     */		fxtod	%f2,%f2
+/* 0x00bc	     */		fmuld	%f0,%f14,%f12
+/* 0x00c0	     */		std	%f2,[%g4+24]
+/* 0x00c4	     */		fmuld	%f0,%f10,%f8
+/* 0x00c8	     */		std	%f10,[%g4+8]
+/* 0x00cc	     */		add	%i1,%g3,%g2
+/* 0x00d0	     */		fmuld	%f0,%f6,%f4
+/* 0x00d4	     */		std	%f6,[%g4+16]
+/* 0x00d8	     */		cmp	%i2,%o4
+/* 0x00dc	     */		fmuld	%f0,%f2,%f0
+/* 0x00e0	     */		fdtox	%f12,%f12
+/* 0x00e4	     */		add	%o5,8,%o5
+/* 0x00e8	     */		fdtox	%f8,%f8
+/* 0x00ec	     */		fdtox	%f4,%f4
+/* 0x00f0	     */		fdtox	%f0,%f0
+/* 0x00f4	     */		fxtod	%f12,%f12
+/* 0x00f8	     */		std	%f12,[%g2+8]
+/* 0x00fc	     */		fxtod	%f8,%f8
+/* 0x0100	     */		std	%f8,[%g2+24]
+/* 0x0104	     */		fxtod	%f4,%f4
+/* 0x0108	     */		std	%f4,[%g2+40]
+/* 0x010c	     */		fxtod	%f0,%f0
+/* 0x0110	     */		std	%f0,[%g2+56]
+/* 0x0114	     */		fmuld	%f12,%f16,%f12
+/* 0x0118	     */		fmuld	%f8,%f16,%f8
+/* 0x011c	     */		fmuld	%f4,%f16,%f4
+/* 0x0120	     */		fsubd	%f14,%f12,%f12
+/* 0x0124	     */		std	%f12,[%g3+%i1]
+/* 0x0128	     */		fmuld	%f0,%f16,%f0
+/* 0x012c	     */		fsubd	%f10,%f8,%f8
+/* 0x0130	     */		std	%f8,[%g2+16]
+/* 0x0134	     */		fsubd	%f6,%f4,%f4
+/* 0x0138	     */		std	%f4,[%g2+32]
+/* 0x013c	     */		fsubd	%f2,%f0,%f0
+/* 0x0140	     */		std	%f0,[%g2+48]
+/* 0x0144	     */		ble,a,pt	%icc,.L900000417
+/* 0x0148	     */		ldd	[%o0],%f2
+                       .L77000159:
+
+!  173		      !   }
+!  174		      !#endif
+!  175		      ! for(;i<len;i++)
+
+/* 0x014c	 175 */		cmp	%i2,%g5
+                       .L900000418:
+/* 0x0150	 175 */		bge,pt	%icc,.L77000164
+/* 0x0154	     */		nop
+
+!  176		      !   {
+!  177		      !     a=i32[i];
+!  178		      !     d32[i]=(double)(i32[i]);
+!  179		      !     d16[2*i]=(double)(a&0xffff);
+!  180		      !     d16[2*i+1]=(double)(a>>16);
+
+/* 0x0158	 180 */		sethi	%hi(.L_const_seg_900000401),%g2
+/* 0x015c	     */		add	%g2,%lo(.L_const_seg_900000401),%g2
+/* 0x0160	 175 */		sethi	%hi(0xfc00),%g3
+/* 0x0164	 180 */		ldx	[%o3+%g2],%g1
+/* 0x0168	 175 */		sll	%i2,1,%i4
+/* 0x016c	     */		sub	%g5,%i2,%g4
+/* 0x0170	 177 */		sra	%i2,0,%o3
+/* 0x0174	 175 */		add	%g3,1023,%g3
+/* 0x0178	 178 */		ldd	[%g1],%f2
+/* 0x017c	     */		sllx	%o3,2,%o2
+/* 0x0180	 175 */		add	%i4,1,%g2
+/* 0x0184	 177 */		or	%g0,%o3,%o1
+/* 0x0188	     */		cmp	%g4,6
+/* 0x018c	 175 */		bl,pn	%icc,.L77000161
+/* 0x0190	     */		sra	%i2,0,%o3
+/* 0x0194	 177 */		or	%g0,%o2,%o0
+/* 0x0198	 178 */		ld	[%i0+%o2],%f5
+/* 0x019c	 179 */		fmovs	%f2,%f8
+/* 0x01a0	 175 */		add	%o0,4,%o3
+/* 0x01a4	 177 */		ld	[%i0+%o0],%o7
+/* 0x01a8	 180 */		fmovs	%f2,%f6
+/* 0x01ac	 178 */		fmovs	%f2,%f4
+/* 0x01b0	     */		sllx	%o1,3,%o2
+/* 0x01b4	 175 */		add	%o3,4,%o5
+/* 0x01b8	 179 */		sra	%i4,0,%o0
+/* 0x01bc	 175 */		add	%o3,8,%o4
+/* 0x01c0	 178 */		fsubd	%f4,%f2,%f4
+/* 0x01c4	     */		std	%f4,[%i3+%o2]
+/* 0x01c8	 179 */		sllx	%o0,3,%i5
+/* 0x01cc	     */		and	%o7,%g3,%o0
+/* 0x01d0	     */		st	%o0,[%sp+2227]
+/* 0x01d4	 175 */		add	%i5,16,%o1
+/* 0x01d8	 180 */		srl	%o7,16,%g4
+/* 0x01dc	     */		add	%i2,1,%i2
+/* 0x01e0	     */		sra	%g2,0,%o0
+/* 0x01e4	 175 */		add	%o2,8,%o2
+/* 0x01e8	 179 */		fmovs	%f2,%f4
+/* 0x01ec	 180 */		sllx	%o0,3,%l0
+/* 0x01f0	     */		add	%i4,3,%g2
+/* 0x01f4	 179 */		ld	[%sp+2227],%f5
+/* 0x01f8	 175 */		add	%l0,16,%o0
+/* 0x01fc	 180 */		add	%i4,2,%i4
+/* 0x0200	 175 */		sub	%g5,1,%o7
+/* 0x0204	 180 */		add	%i2,3,%i2
+/* 0x0208	 179 */		fsubd	%f4,%f2,%f4
+/* 0x020c	     */		std	%f4,[%i1+%i5]
+/* 0x0210	 180 */		st	%g4,[%sp+2223]
+/* 0x0214	 177 */		ld	[%i0+%o3],%i5
+/* 0x0218	 180 */		fmovs	%f2,%f4
+/* 0x021c	     */		srl	%i5,16,%g4
+/* 0x0220	 179 */		and	%i5,%g3,%i5
+/* 0x0224	 180 */		ld	[%sp+2223],%f5
+/* 0x0228	     */		fsubd	%f4,%f2,%f4
+/* 0x022c	     */		std	%f4,[%i1+%l0]
+/* 0x0230	     */		st	%g4,[%sp+2223]
+/* 0x0234	 177 */		ld	[%i0+%o5],%g4
+/* 0x0238	 179 */		st	%i5,[%sp+2227]
+/* 0x023c	 178 */		fmovs	%f2,%f4
+/* 0x0240	 180 */		srl	%g4,16,%i5
+/* 0x0244	 179 */		and	%g4,%g3,%g4
+/* 0x0248	 180 */		ld	[%sp+2223],%f7
+/* 0x024c	     */		st	%i5,[%sp+2223]
+/* 0x0250	 178 */		ld	[%i0+%o3],%f5
+/* 0x0254	 180 */		fsubd	%f6,%f2,%f6
+/* 0x0258	 177 */		ld	[%i0+%o4],%o3
+/* 0x025c	 178 */		fsubd	%f4,%f2,%f4
+/* 0x0260	 179 */		ld	[%sp+2227],%f9
+/* 0x0264	 180 */		ld	[%sp+2223],%f1
+/* 0x0268	 179 */		st	%g4,[%sp+2227]
+/* 0x026c	     */		fsubd	%f8,%f2,%f8
+/* 0x0270	     */		std	%f8,[%i1+%o1]
+/* 0x0274	 180 */		std	%f6,[%i1+%o0]
+/* 0x0278	 178 */		std	%f4,[%i3+%o2]
+                       .L900000411:
+/* 0x027c	 179 */		ld	[%sp+2227],%f13
+/* 0x0280	 180 */		srl	%o3,16,%g4
+/* 0x0284	     */		add	%i2,2,%i2
+/* 0x0288	     */		st	%g4,[%sp+2223]
+/* 0x028c	     */		cmp	%i2,%o7
+/* 0x0290	     */		add	%g2,4,%g2
+/* 0x0294	 178 */		ld	[%i0+%o5],%f11
+/* 0x0298	 180 */		add	%i4,4,%i4
+/* 0x029c	 175 */		add	%o4,4,%o5
+/* 0x02a0	 177 */		ld	[%i0+%o5],%g4
+/* 0x02a4	 179 */		and	%o3,%g3,%o3
+/* 0x02a8	     */		st	%o3,[%sp+2227]
+/* 0x02ac	 180 */		fmovs	%f2,%f0
+/* 0x02b0	 179 */		fmovs	%f2,%f12
+/* 0x02b4	 180 */		fsubd	%f0,%f2,%f8
+/* 0x02b8	 179 */		fsubd	%f12,%f2,%f4
+/* 0x02bc	 175 */		add	%o1,16,%o1
+/* 0x02c0	 180 */		ld	[%sp+2223],%f7
+/* 0x02c4	 178 */		fmovs	%f2,%f10
+/* 0x02c8	 179 */		std	%f4,[%i1+%o1]
+/* 0x02cc	 175 */		add	%o0,16,%o0
+/* 0x02d0	 178 */		fsubd	%f10,%f2,%f4
+/* 0x02d4	 175 */		add	%o2,8,%o2
+/* 0x02d8	 180 */		std	%f8,[%i1+%o0]
+/* 0x02dc	 178 */		std	%f4,[%i3+%o2]
+/* 0x02e0	 179 */		ld	[%sp+2227],%f9
+/* 0x02e4	 180 */		srl	%g4,16,%o3
+/* 0x02e8	     */		st	%o3,[%sp+2223]
+/* 0x02ec	 178 */		ld	[%i0+%o4],%f5
+/* 0x02f0	 175 */		add	%o4,8,%o4
+/* 0x02f4	 177 */		ld	[%i0+%o4],%o3
+/* 0x02f8	 179 */		and	%g4,%g3,%g4
+/* 0x02fc	     */		st	%g4,[%sp+2227]
+/* 0x0300	 180 */		fmovs	%f2,%f6
+/* 0x0304	 179 */		fmovs	%f2,%f8
+/* 0x0308	 180 */		fsubd	%f6,%f2,%f6
+/* 0x030c	 179 */		fsubd	%f8,%f2,%f8
+/* 0x0310	 175 */		add	%o1,16,%o1
+/* 0x0314	 180 */		ld	[%sp+2223],%f1
+/* 0x0318	 178 */		fmovs	%f2,%f4
+/* 0x031c	 179 */		std	%f8,[%i1+%o1]
+/* 0x0320	 175 */		add	%o0,16,%o0
+/* 0x0324	 178 */		fsubd	%f4,%f2,%f4
+/* 0x0328	 175 */		add	%o2,8,%o2
+/* 0x032c	 180 */		std	%f6,[%i1+%o0]
+/* 0x0330	     */		bl,pt	%icc,.L900000411
+/* 0x0334	     */		std	%f4,[%i3+%o2]
+                       .L900000414:
+/* 0x0338	 180 */		srl	%o3,16,%o7
+/* 0x033c	     */		st	%o7,[%sp+2223]
+/* 0x0340	 179 */		fmovs	%f2,%f12
+/* 0x0344	 178 */		ld	[%i0+%o5],%f11
+/* 0x0348	 180 */		fmovs	%f2,%f0
+/* 0x034c	 179 */		and	%o3,%g3,%g4
+/* 0x0350	 180 */		fmovs	%f2,%f6
+/* 0x0354	 175 */		add	%o1,16,%o3
+/* 0x0358	     */		add	%o0,16,%o7
+/* 0x035c	 178 */		fmovs	%f2,%f10
+/* 0x0360	 175 */		add	%o2,8,%o2
+/* 0x0364	     */		add	%o1,32,%o5
+/* 0x0368	 179 */		ld	[%sp+2227],%f13
+/* 0x036c	 178 */		fmovs	%f2,%f4
+/* 0x0370	 175 */		add	%o0,32,%o1
+/* 0x0374	 180 */		ld	[%sp+2223],%f7
+/* 0x0378	 175 */		add	%o2,8,%o0
+/* 0x037c	 180 */		cmp	%i2,%g5
+/* 0x0380	 179 */		st	%g4,[%sp+2227]
+/* 0x0384	     */		fsubd	%f12,%f2,%f8
+/* 0x0388	 180 */		add	%g2,6,%g2
+/* 0x038c	 179 */		std	%f8,[%i1+%o3]
+/* 0x0390	 180 */		fsubd	%f0,%f2,%f0
+/* 0x0394	 177 */		sra	%i2,0,%o3
+/* 0x0398	 180 */		std	%f0,[%i1+%o7]
+/* 0x039c	 178 */		fsubd	%f10,%f2,%f0
+/* 0x03a0	 180 */		add	%i4,6,%i4
+/* 0x03a4	 178 */		std	%f0,[%i3+%o2]
+/* 0x03a8	     */		sllx	%o3,2,%o2
+/* 0x03ac	 179 */		ld	[%sp+2227],%f9
+/* 0x03b0	 178 */		ld	[%i0+%o4],%f5
+/* 0x03b4	 179 */		fmovs	%f2,%f8
+/* 0x03b8	     */		fsubd	%f8,%f2,%f0
+/* 0x03bc	     */		std	%f0,[%i1+%o5]
+/* 0x03c0	 180 */		fsubd	%f6,%f2,%f0
+/* 0x03c4	     */		std	%f0,[%i1+%o1]
+/* 0x03c8	 178 */		fsubd	%f4,%f2,%f0
+/* 0x03cc	 180 */		bge,pn	%icc,.L77000164
+/* 0x03d0	     */		std	%f0,[%i3+%o0]
+                       .L77000161:
+/* 0x03d4	 178 */		ldd	[%g1],%f2
+                       .L900000416:
+/* 0x03d8	 178 */		ld	[%i0+%o2],%f5
+/* 0x03dc	 179 */		sra	%i4,0,%o0
+/* 0x03e0	 180 */		add	%i2,1,%i2
+/* 0x03e4	 177 */		ld	[%i0+%o2],%o1
+/* 0x03e8	 178 */		sllx	%o3,3,%o3
+/* 0x03ec	 180 */		add	%i4,2,%i4
+/* 0x03f0	 178 */		fmovs	%f2,%f4
+/* 0x03f4	 179 */		sllx	%o0,3,%o4
+/* 0x03f8	 180 */		cmp	%i2,%g5
+/* 0x03fc	 179 */		and	%o1,%g3,%o0
+/* 0x0400	 178 */		fsubd	%f4,%f2,%f0
+/* 0x0404	     */		std	%f0,[%i3+%o3]
+/* 0x0408	 180 */		srl	%o1,16,%o1
+/* 0x040c	 179 */		st	%o0,[%sp+2227]
+/* 0x0410	 180 */		sra	%g2,0,%o0
+/* 0x0414	     */		add	%g2,2,%g2
+/* 0x0418	 177 */		sra	%i2,0,%o3
+/* 0x041c	 180 */		sllx	%o0,3,%o0
+/* 0x0420	 179 */		fmovs	%f2,%f4
+/* 0x0424	     */		sllx	%o3,2,%o2
+/* 0x0428	     */		ld	[%sp+2227],%f5
+/* 0x042c	     */		fsubd	%f4,%f2,%f0
+/* 0x0430	     */		std	%f0,[%i1+%o4]
+/* 0x0434	 180 */		st	%o1,[%sp+2223]
+/* 0x0438	     */		fmovs	%f2,%f4
+/* 0x043c	     */		ld	[%sp+2223],%f5
+/* 0x0440	     */		fsubd	%f4,%f2,%f0
+/* 0x0444	     */		std	%f0,[%i1+%o0]
+/* 0x0448	     */		bl,a,pt	%icc,.L900000416
+/* 0x044c	     */		ldd	[%g1],%f2
+                       .L77000164:
+/* 0x0450	     */		ret	! Result = 
+/* 0x0454	     */		restore	%g0,%g0,%g0
+/* 0x0458	   0 */		.type	conv_i32_to_d32_and_d16,2
+/* 0x0458	     */		.size	conv_i32_to_d32_and_d16,(.-conv_i32_to_d32_and_d16)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.align	8
+!
+! SUBROUTINE adjust_montf_result
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global adjust_montf_result
+                       adjust_montf_result:
+/* 000000	     */		save	%sp,-176,%sp
+/* 0x0004	     */		or	%g0,%i2,%o1
+/* 0x0008	     */		or	%g0,%i0,%i2
+
+!  181		      !   }
+!  182		      !}
+!  185		      !void adjust_montf_result(unsigned int *i32, unsigned int *nint, int len)
+!  186		      !{
+!  187		      !long long acc;
+!  188		      !int i;
+!  190		      ! if(i32[len]>0) i=-1;
+
+/* 0x000c	 190 */		sra	%o1,0,%g2
+/* 0x0010	     */		or	%g0,-1,%o2
+/* 0x0014	     */		sllx	%g2,2,%g2
+/* 0x0018	     */		ld	[%i2+%g2],%g2
+/* 0x001c	     */		cmp	%g2,0
+/* 0x0020	     */		bleu,pn	%icc,.L77000175
+/* 0x0024	     */		or	%g0,%i1,%i0
+/* 0x0028	     */		ba	.L900000511
+/* 0x002c	     */		cmp	%o2,0
+                       .L77000175:
+
+!  191		      ! else
+!  192		      !   {
+!  193		      !     for(i=len-1; i>=0; i--)
+
+/* 0x0030	 193 */		sub	%o1,1,%o2
+/* 0x0034	     */		cmp	%o2,0
+/* 0x0038	     */		bl,pn	%icc,.L77000182
+/* 0x003c	     */		sra	%o2,0,%g2
+                       .L900000510:
+
+!  194		      !       {
+!  195		      !	 if(i32[i]!=nint[i]) break;
+
+/* 0x0040	 195 */		sllx	%g2,2,%g2
+/* 0x0044	     */		sub	%o2,1,%o0
+/* 0x0048	     */		ld	[%i1+%g2],%g3
+/* 0x004c	     */		ld	[%i2+%g2],%g2
+/* 0x0050	     */		cmp	%g2,%g3
+/* 0x0054	     */		bne,pn	%icc,.L77000182
+/* 0x0058	     */		nop
+/* 0x005c	   0 */		or	%g0,%o0,%o2
+/* 0x0060	 195 */		cmp	%o0,0
+/* 0x0064	     */		bge,pt	%icc,.L900000510
+/* 0x0068	     */		sra	%o2,0,%g2
+                       .L77000182:
+
+!  196		      !       }
+!  197		      !   }
+!  198		      ! if((i<0)||(i32[i]>nint[i]))
+
+/* 0x006c	 198 */		cmp	%o2,0
+                       .L900000511:
+/* 0x0070	 198 */		bl,pn	%icc,.L77000198
+/* 0x0074	     */		sra	%o2,0,%g2
+/* 0x0078	     */		sllx	%g2,2,%g2
+/* 0x007c	     */		ld	[%i1+%g2],%g3
+/* 0x0080	     */		ld	[%i2+%g2],%g2
+/* 0x0084	     */		cmp	%g2,%g3
+/* 0x0088	     */		bleu,pt	%icc,.L77000191
+/* 0x008c	     */		nop
+                       .L77000198:
+
+!  199		      !   {
+!  200		      !     acc=0;
+!  201		      !     for(i=0;i<len;i++)
+
+/* 0x0090	 201 */		cmp	%o1,0
+/* 0x0094	     */		ble,pt	%icc,.L77000191
+/* 0x0098	     */		nop
+/* 0x009c	 198 */		or	%g0,-1,%g2
+/* 0x00a0	 201 */		or	%g0,%o1,%g3
+/* 0x00a4	 198 */		srl	%g2,0,%g2
+/* 0x00a8	     */		sub	%o1,1,%g4
+/* 0x00ac	     */		cmp	%o1,9
+/* 0x00b0	 201 */		or	%g0,0,%i1
+/* 0x00b4	 200 */		or	%g0,0,%g5
+
+!  202		      !       {
+!  203		      !	 acc=acc+(unsigned long long)(i32[i])-(unsigned long long)(nint[i]);
+
+/* 0x00b8	 203 */		or	%g0,0,%o1
+/* 0x00bc	 201 */		bl,pn	%icc,.L77000199
+/* 0x00c0	     */		sub	%g3,4,%o7
+/* 0x00c4	 203 */		ld	[%i2],%o1
+
+!  204		      !	 i32[i]=acc&0xffffffff;
+!  205		      !	 acc=acc>>32;
+
+/* 0x00c8	 205 */		or	%g0,5,%i1
+/* 0x00cc	 203 */		ld	[%i0],%o2
+/* 0x00d0	 201 */		or	%g0,8,%o5
+/* 0x00d4	     */		or	%g0,12,%o4
+/* 0x00d8	 203 */		ld	[%i0+4],%o3
+/* 0x00dc	 201 */		or	%g0,16,%g1
+/* 0x00e0	 203 */		ld	[%i2+4],%o0
+/* 0x00e4	 201 */		sub	%o1,%o2,%o1
+/* 0x00e8	 203 */		ld	[%i0+8],%i3
+/* 0x00ec	 204 */		and	%o1,%g2,%g5
+/* 0x00f0	     */		st	%g5,[%i2]
+/* 0x00f4	 205 */		srax	%o1,32,%g5
+/* 0x00f8	 201 */		sub	%o0,%o3,%o0
+/* 0x00fc	 203 */		ld	[%i0+12],%o2
+/* 0x0100	 201 */		add	%o0,%g5,%o0
+/* 0x0104	 204 */		and	%o0,%g2,%g5
+/* 0x0108	     */		st	%g5,[%i2+4]
+/* 0x010c	 205 */		srax	%o0,32,%o0
+/* 0x0110	 203 */		ld	[%i2+8],%o1
+/* 0x0114	     */		ld	[%i2+12],%o3
+/* 0x0118	 201 */		sub	%o1,%i3,%o1
+                       .L900000505:
+/* 0x011c	     */		add	%g1,4,%g3
+/* 0x0120	 203 */		ld	[%g1+%i2],%g5
+/* 0x0124	 201 */		add	%o1,%o0,%o0
+/* 0x0128	 203 */		ld	[%i0+%g1],%i3
+/* 0x012c	 201 */		sub	%o3,%o2,%o1
+/* 0x0130	 204 */		and	%o0,%g2,%o2
+/* 0x0134	     */		st	%o2,[%o5+%i2]
+/* 0x0138	 205 */		srax	%o0,32,%o2
+/* 0x013c	     */		add	%i1,4,%i1
+/* 0x0140	 201 */		add	%g1,8,%o5
+/* 0x0144	 203 */		ld	[%g3+%i2],%o0
+/* 0x0148	 201 */		add	%o1,%o2,%o1
+/* 0x014c	 203 */		ld	[%i0+%g3],%o3
+/* 0x0150	 201 */		sub	%g5,%i3,%o2
+/* 0x0154	 204 */		and	%o1,%g2,%g5
+/* 0x0158	     */		st	%g5,[%o4+%i2]
+/* 0x015c	 205 */		srax	%o1,32,%g5
+/* 0x0160	     */		cmp	%i1,%o7
+/* 0x0164	 201 */		add	%g1,12,%o4
+/* 0x0168	 203 */		ld	[%o5+%i2],%o1
+/* 0x016c	 201 */		add	%o2,%g5,%o2
+/* 0x0170	 203 */		ld	[%i0+%o5],%i3
+/* 0x0174	 201 */		sub	%o0,%o3,%o0
+/* 0x0178	 204 */		and	%o2,%g2,%o3
+/* 0x017c	     */		st	%o3,[%g1+%i2]
+/* 0x0180	 205 */		srax	%o2,32,%g5
+/* 0x0184	 203 */		ld	[%o4+%i2],%o3
+/* 0x0188	 201 */		add	%g1,16,%g1
+/* 0x018c	     */		add	%o0,%g5,%o0
+/* 0x0190	 203 */		ld	[%i0+%o4],%o2
+/* 0x0194	 201 */		sub	%o1,%i3,%o1
+/* 0x0198	 204 */		and	%o0,%g2,%g5
+/* 0x019c	     */		st	%g5,[%g3+%i2]
+/* 0x01a0	 205 */		ble,pt	%icc,.L900000505
+/* 0x01a4	     */		srax	%o0,32,%o0
+                       .L900000508:
+/* 0x01a8	     */		add	%o1,%o0,%g3
+/* 0x01ac	     */		sub	%o3,%o2,%o1
+/* 0x01b0	 203 */		ld	[%g1+%i2],%o0
+/* 0x01b4	     */		ld	[%i0+%g1],%o2
+/* 0x01b8	 205 */		srax	%g3,32,%o7
+/* 0x01bc	 204 */		and	%g3,%g2,%o3
+/* 0x01c0	 201 */		add	%o1,%o7,%o1
+/* 0x01c4	 204 */		st	%o3,[%o5+%i2]
+/* 0x01c8	 205 */		cmp	%i1,%g4
+/* 0x01cc	 201 */		sub	%o0,%o2,%o0
+/* 0x01d0	 204 */		and	%o1,%g2,%o2
+/* 0x01d4	     */		st	%o2,[%o4+%i2]
+/* 0x01d8	 205 */		srax	%o1,32,%o1
+/* 0x01dc	 203 */		sra	%i1,0,%o2
+/* 0x01e0	 201 */		add	%o0,%o1,%o0
+/* 0x01e4	 205 */		srax	%o0,32,%g5
+/* 0x01e8	 204 */		and	%o0,%g2,%o1
+/* 0x01ec	     */		st	%o1,[%g1+%i2]
+/* 0x01f0	 205 */		bg,pn	%icc,.L77000191
+/* 0x01f4	     */		sllx	%o2,2,%o1
+                       .L77000199:
+/* 0x01f8	   0 */		or	%g0,%o1,%g1
+                       .L900000509:
+/* 0x01fc	 203 */		ld	[%o1+%i2],%o0
+/* 0x0200	 205 */		add	%i1,1,%i1
+/* 0x0204	 203 */		ld	[%i0+%o1],%o1
+/* 0x0208	     */		sra	%i1,0,%o2
+/* 0x020c	 205 */		cmp	%i1,%g4
+/* 0x0210	 203 */		add	%g5,%o0,%o0
+/* 0x0214	     */		sub	%o0,%o1,%o0
+/* 0x0218	 205 */		srax	%o0,32,%g5
+/* 0x021c	 204 */		and	%o0,%g2,%o1
+/* 0x0220	     */		st	%o1,[%g1+%i2]
+/* 0x0224	     */		sllx	%o2,2,%o1
+/* 0x0228	 205 */		ble,pt	%icc,.L900000509
+/* 0x022c	     */		or	%g0,%o1,%g1
+                       .L77000191:
+/* 0x0230	     */		ret	! Result = 
+/* 0x0234	     */		restore	%g0,%g0,%g0
+/* 0x0238	   0 */		.type	adjust_montf_result,2
+/* 0x0238	     */		.size	adjust_montf_result,(.-adjust_montf_result)
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 */		.align	8
+/* 000000	     */		.skip	24
+!
+! SUBROUTINE mont_mulf_noconv
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION
+
+                       	.global mont_mulf_noconv
+                       mont_mulf_noconv:
+/* 000000	     */		save	%sp,-224,%sp
+                       .L900000643:
+/* 0x0004	     */		call	.+8
+/* 0x0008	     */		sethi	/*X*/%hi(_GLOBAL_OFFSET_TABLE_-(.L900000643-.)),%g5
+/* 0x000c	     */		ldx	[%fp+2223],%l0
+
+!  206		      !       }
+!  207		      !   }
+!  208		      !}
+!  213		      !/*
+!  214		      !** the lengths of the input arrays should be at least the following:
+!  215		      !** result[nlen+1], dm1[nlen], dm2[2*nlen+1], dt[4*nlen+2], dn[nlen], nint[nlen]
+!  216		      !** all of them should be different from one another
+!  217		      !**
+!  218		      !*/
+!  219		      !void mont_mulf_noconv(unsigned int *result,
+!  220		      !		     double *dm1, double *dm2, double *dt,
+!  221		      !		     double *dn, unsigned int *nint,
+!  222		      !		     int nlen, double dn0)
+!  223		      !{
+!  224		      ! int i, j, jj;
+!  225		      ! int tmp;
+!  226		      ! double digit, m2j, nextm2j, a, b;
+!  227		      ! double *dptmp, *pdm1, *pdm2, *pdn, *pdtj, pdn_0, pdm1_0;
+!  229		      ! pdm1=&(dm1[0]);
+!  230		      ! pdm2=&(dm2[0]);
+!  231		      ! pdn=&(dn[0]);
+!  232		      ! pdm2[2*nlen]=Zero;
+
+/* 0x0010	 232 */		sethi	%hi(Zero),%g2
+/* 0x0014	 223 */		fmovd	%f14,%f30
+/* 0x0018	     */		add	%g5,/*X*/%lo(_GLOBAL_OFFSET_TABLE_-(.L900000643-.)),%g5
+/* 0x001c	 232 */		add	%g2,%lo(Zero),%g2
+/* 0x0020	     */		sll	%l0,1,%o3
+/* 0x0024	 223 */		add	%g5,%o7,%o4
+/* 0x0028	 232 */		sra	%o3,0,%g5
+/* 0x002c	     */		ldx	[%o4+%g2],%o7
+
+!  234		      ! if (nlen!=16)
+!  235		      !   {
+!  236		      !     for(i=0;i<4*nlen+2;i++) dt[i]=Zero;
+!  238		      !     a=dt[0]=pdm1[0]*pdm2[0];
+!  239		      !     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
+
+/* 0x0030	 239 */		sethi	%hi(TwoToMinus16),%g3
+/* 0x0034	     */		sethi	%hi(TwoTo16),%g4
+/* 0x0038	     */		add	%g3,%lo(TwoToMinus16),%g2
+/* 0x003c	 232 */		ldd	[%o7],%f0
+/* 0x0040	 239 */		add	%g4,%lo(TwoTo16),%g3
+/* 0x0044	 223 */		or	%g0,%i4,%o0
+/* 0x0048	 232 */		sllx	%g5,3,%g4
+/* 0x004c	 239 */		ldx	[%o4+%g2],%o5
+/* 0x0050	 223 */		or	%g0,%i5,%l3
+/* 0x0054	     */		or	%g0,%i0,%l2
+/* 0x0058	 239 */		ldx	[%o4+%g3],%o4
+/* 0x005c	 234 */		cmp	%l0,16
+/* 0x0060	 232 */		std	%f0,[%i2+%g4]
+/* 0x0064	 234 */		be,pn	%icc,.L77000279
+/* 0x0068	     */		or	%g0,%i3,%l4
+/* 0x006c	 236 */		sll	%l0,2,%g2
+/* 0x0070	 223 */		or	%g0,%o0,%i5
+/* 0x0074	 236 */		add	%g2,2,%o0
+/* 0x0078	 223 */		or	%g0,%i1,%i4
+/* 0x007c	 236 */		cmp	%o0,0
+/* 0x0080	 223 */		or	%g0,%i2,%l1
+/* 0x0084	 236 */		ble,a,pt	%icc,.L900000657
+/* 0x0088	     */		ldd	[%i1],%f6
+
+!  241		      !     pdtj=&(dt[0]);
+!  242		      !     for(j=jj=0;j<2*nlen;j++,jj++,pdtj++)
+!  243		      !       {
+!  244		      !	 m2j=pdm2[j];
+!  245		      !	 a=pdtj[0]+pdn[0]*digit;
+!  246		      !	 b=pdtj[1]+pdm1[0]*pdm2[j+1]+a*TwoToMinus16;
+!  247		      !	 pdtj[1]=b;
+!  249		      !#pragma pipeloop(0)
+!  250		      !	 for(i=1;i<nlen;i++)
+!  251		      !	   {
+!  252		      !	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
+!  253		      !	   }
+!  254		      ! 	 if((jj==30)) {cleanup(dt,j/2+1,2*nlen+1); jj=0;}
+!  255		      !	 
+!  256		      !	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
+!  257		      !       }
+!  258		      !   }
+!  259		      ! else
+!  260		      !   {
+!  261		      !     a=dt[0]=pdm1[0]*pdm2[0];
+!  263		      !     dt[65]=     dt[64]=     dt[63]=     dt[62]=     dt[61]=     dt[60]=
+!  264		      !     dt[59]=     dt[58]=     dt[57]=     dt[56]=     dt[55]=     dt[54]=
+!  265		      !     dt[53]=     dt[52]=     dt[51]=     dt[50]=     dt[49]=     dt[48]=
+!  266		      !     dt[47]=     dt[46]=     dt[45]=     dt[44]=     dt[43]=     dt[42]=
+!  267		      !     dt[41]=     dt[40]=     dt[39]=     dt[38]=     dt[37]=     dt[36]=
+!  268		      !     dt[35]=     dt[34]=     dt[33]=     dt[32]=     dt[31]=     dt[30]=
+!  269		      !     dt[29]=     dt[28]=     dt[27]=     dt[26]=     dt[25]=     dt[24]=
+!  270		      !     dt[23]=     dt[22]=     dt[21]=     dt[20]=     dt[19]=     dt[18]=
+!  271		      !     dt[17]=     dt[16]=     dt[15]=     dt[14]=     dt[13]=     dt[12]=
+!  272		      !     dt[11]=     dt[10]=     dt[ 9]=     dt[ 8]=     dt[ 7]=     dt[ 6]=
+!  273		      !     dt[ 5]=     dt[ 4]=     dt[ 3]=     dt[ 2]=     dt[ 1]=Zero;
+!  275		      !     pdn_0=pdn[0];
+!  276		      !     pdm1_0=pdm1[0];
+!  278		      !     digit=mod(lower32(a,Zero)*dn0,TwoToMinus16,TwoTo16);
+!  279		      !     pdtj=&(dt[0]);
+!  281		      !     for(j=0;j<32;j++,pdtj++)
+
+/* 0x008c	 281 */		or	%g0,%o0,%o1
+/* 0x0090	 236 */		sub	%o0,1,%g1
+/* 0x0094	     */		or	%g0,0,%g2
+/* 0x0098	 281 */		cmp	%o1,5
+/* 0x009c	     */		bl,pn	%icc,.L77000280
+/* 0x00a0	     */		or	%g0,8,%o0
+/* 0x00a4	     */		std	%f0,[%i3]
+/* 0x00a8	     */		or	%g0,2,%g2
+/* 0x00ac	     */		sub	%g1,2,%o1
+                       .L900000627:
+/* 0x00b0	     */		add	%o0,8,%g3
+/* 0x00b4	     */		std	%f0,[%i3+%o0]
+/* 0x00b8	     */		add	%g2,3,%g2
+/* 0x00bc	     */		add	%o0,16,%o2
+/* 0x00c0	     */		std	%f0,[%i3+%g3]
+/* 0x00c4	     */		cmp	%g2,%o1
+/* 0x00c8	     */		add	%o0,24,%o0
+/* 0x00cc	     */		ble,pt	%icc,.L900000627
+/* 0x00d0	     */		std	%f0,[%i3+%o2]
+                       .L900000630:
+/* 0x00d4	     */		cmp	%g2,%g1
+/* 0x00d8	     */		bg,pn	%icc,.L77000285
+/* 0x00dc	     */		std	%f0,[%i3+%o0]
+                       .L77000280:
+/* 0x00e0	     */		ldd	[%o7],%f0
+                       .L900000656:
+/* 0x00e4	     */		sra	%g2,0,%o0
+/* 0x00e8	     */		add	%g2,1,%g2
+/* 0x00ec	     */		sllx	%o0,3,%o0
+/* 0x00f0	     */		cmp	%g2,%g1
+/* 0x00f4	     */		std	%f0,[%i3+%o0]
+/* 0x00f8	     */		ble,a,pt	%icc,.L900000656
+/* 0x00fc	     */		ldd	[%o7],%f0
+                       .L77000285:
+/* 0x0100	 238 */		ldd	[%i1],%f6
+                       .L900000657:
+/* 0x0104	 238 */		ldd	[%i2],%f8
+/* 0x0108	 242 */		cmp	%o3,0
+/* 0x010c	     */		sub	%o3,1,%o1
+/* 0x0110	 239 */		ldd	[%o7],%f10
+/* 0x0114	     */		add	%o3,1,%o2
+/* 0x0118	   0 */		or	%g0,0,%i2
+/* 0x011c	 238 */		fmuld	%f6,%f8,%f6
+/* 0x0120	     */		std	%f6,[%i3]
+/* 0x0124	   0 */		or	%g0,0,%g3
+/* 0x0128	 239 */		ldd	[%o5],%f8
+/* 0x012c	   0 */		or	%g0,%o2,%g1
+/* 0x0130	 236 */		sub	%l0,1,%i1
+/* 0x0134	 239 */		ldd	[%o4],%f12
+/* 0x0138	 236 */		or	%g0,1,%g4
+/* 0x013c	     */		fdtox	%f6,%f0
+/* 0x0140	     */		fmovs	%f10,%f0
+/* 0x0144	     */		fxtod	%f0,%f6
+/* 0x0148	 239 */		fmuld	%f6,%f14,%f6
+/* 0x014c	     */		fmuld	%f6,%f8,%f8
+/* 0x0150	     */		fdtox	%f8,%f8
+/* 0x0154	     */		fxtod	%f8,%f8
+/* 0x0158	     */		fmuld	%f8,%f12,%f8
+/* 0x015c	     */		fsubd	%f6,%f8,%f20
+/* 0x0160	 242 */		ble,pt	%icc,.L900000650
+/* 0x0164	     */		sllx	%g5,3,%g2
+/* 0x0168	   0 */		st	%o1,[%sp+2223]
+/* 0x016c	 246 */		ldd	[%i5],%f6
+                       .L900000651:
+/* 0x0170	 246 */		sra	%g4,0,%g2
+/* 0x0174	     */		fmuld	%f6,%f20,%f6
+/* 0x0178	     */		ldd	[%i3],%f12
+/* 0x017c	     */		sllx	%g2,3,%g2
+/* 0x0180	     */		ldd	[%i4],%f8
+/* 0x0184	 250 */		cmp	%l0,1
+/* 0x0188	 246 */		ldd	[%l1+%g2],%f10
+/* 0x018c	 244 */		sra	%i2,0,%g2
+/* 0x0190	     */		add	%i2,1,%i0
+/* 0x0194	 246 */		faddd	%f12,%f6,%f6
+/* 0x0198	     */		ldd	[%o5],%f12
+/* 0x019c	 244 */		sllx	%g2,3,%g2
+/* 0x01a0	 246 */		fmuld	%f8,%f10,%f8
+/* 0x01a4	     */		ldd	[%i3+8],%f10
+/* 0x01a8	     */		srl	%i2,31,%o3
+/* 0x01ac	 244 */		ldd	[%l1+%g2],%f18
+/* 0x01b0	   0 */		or	%g0,1,%l5
+/* 0x01b4	 236 */		or	%g0,2,%g2
+/* 0x01b8	 246 */		fmuld	%f6,%f12,%f6
+/* 0x01bc	 250 */		or	%g0,32,%o1
+/* 0x01c0	     */		or	%g0,48,%o2
+/* 0x01c4	 246 */		faddd	%f10,%f8,%f8
+/* 0x01c8	     */		faddd	%f8,%f6,%f16
+/* 0x01cc	 250 */		ble,pn	%icc,.L77000213
+/* 0x01d0	     */		std	%f16,[%i3+8]
+/* 0x01d4	     */		cmp	%i1,8
+/* 0x01d8	     */		sub	%l0,3,%o3
+/* 0x01dc	     */		bl,pn	%icc,.L77000284
+/* 0x01e0	     */		or	%g0,8,%o0
+/* 0x01e4	 252 */		ldd	[%i5+8],%f0
+/* 0x01e8	     */		or	%g0,6,%l5
+/* 0x01ec	     */		ldd	[%i4+8],%f2
+/* 0x01f0	     */		or	%g0,4,%g2
+/* 0x01f4	 250 */		or	%g0,40,%o0
+/* 0x01f8	 252 */		ldd	[%i5+16],%f8
+/* 0x01fc	     */		fmuld	%f0,%f20,%f10
+/* 0x0200	     */		ldd	[%i4+16],%f4
+/* 0x0204	     */		fmuld	%f2,%f18,%f2
+/* 0x0208	     */		ldd	[%i3+16],%f0
+/* 0x020c	     */		fmuld	%f8,%f20,%f12
+/* 0x0210	     */		ldd	[%i4+24],%f6
+/* 0x0214	     */		fmuld	%f4,%f18,%f4
+/* 0x0218	     */		ldd	[%i5+24],%f8
+/* 0x021c	     */		faddd	%f2,%f10,%f2
+/* 0x0220	     */		ldd	[%i4+32],%f14
+/* 0x0224	     */		fmuld	%f6,%f18,%f10
+/* 0x0228	     */		ldd	[%i5+32],%f6
+/* 0x022c	     */		faddd	%f4,%f12,%f4
+/* 0x0230	     */		ldd	[%i4+40],%f12
+/* 0x0234	     */		faddd	%f0,%f2,%f0
+/* 0x0238	     */		std	%f0,[%i3+16]
+/* 0x023c	     */		ldd	[%i3+32],%f0
+/* 0x0240	     */		ldd	[%i3+48],%f2
+                       .L900000639:
+/* 0x0244	     */		add	%o2,16,%l6
+/* 0x0248	 252 */		ldd	[%i5+%o0],%f22
+/* 0x024c	     */		add	%l5,3,%l5
+/* 0x0250	     */		fmuld	%f8,%f20,%f8
+/* 0x0254	 250 */		add	%o0,8,%o0
+/* 0x0258	 252 */		ldd	[%l6+%i3],%f26
+/* 0x025c	     */		cmp	%l5,%o3
+/* 0x0260	     */		ldd	[%i4+%o0],%f24
+/* 0x0264	     */		faddd	%f0,%f4,%f0
+/* 0x0268	     */		add	%g2,6,%g2
+/* 0x026c	     */		faddd	%f10,%f8,%f10
+/* 0x0270	     */		fmuld	%f14,%f18,%f4
+/* 0x0274	     */		std	%f0,[%o1+%i3]
+/* 0x0278	 250 */		add	%o2,32,%o1
+/* 0x027c	 252 */		ldd	[%i5+%o0],%f8
+/* 0x0280	     */		fmuld	%f6,%f20,%f6
+/* 0x0284	 250 */		add	%o0,8,%o0
+/* 0x0288	 252 */		ldd	[%o1+%i3],%f0
+/* 0x028c	     */		ldd	[%i4+%o0],%f14
+/* 0x0290	     */		faddd	%f2,%f10,%f2
+/* 0x0294	     */		faddd	%f4,%f6,%f10
+/* 0x0298	     */		fmuld	%f12,%f18,%f4
+/* 0x029c	     */		std	%f2,[%o2+%i3]
+/* 0x02a0	 250 */		add	%o2,48,%o2
+/* 0x02a4	 252 */		ldd	[%i5+%o0],%f6
+/* 0x02a8	     */		fmuld	%f22,%f20,%f22
+/* 0x02ac	 250 */		add	%o0,8,%o0
+/* 0x02b0	 252 */		ldd	[%o2+%i3],%f2
+/* 0x02b4	     */		ldd	[%i4+%o0],%f12
+/* 0x02b8	     */		faddd	%f26,%f10,%f10
+/* 0x02bc	     */		std	%f10,[%l6+%i3]
+/* 0x02c0	     */		fmuld	%f24,%f18,%f10
+/* 0x02c4	     */		ble,pt	%icc,.L900000639
+/* 0x02c8	     */		faddd	%f4,%f22,%f4
+                       .L900000642:
+/* 0x02cc	 252 */		fmuld	%f8,%f20,%f24
+/* 0x02d0	     */		faddd	%f0,%f4,%f8
+/* 0x02d4	 250 */		add	%o2,16,%o3
+/* 0x02d8	 252 */		ldd	[%o3+%i3],%f4
+/* 0x02dc	     */		fmuld	%f14,%f18,%f0
+/* 0x02e0	     */		cmp	%l5,%i1
+/* 0x02e4	     */		std	%f8,[%o1+%i3]
+/* 0x02e8	     */		fmuld	%f12,%f18,%f8
+/* 0x02ec	 250 */		add	%o2,32,%o1
+/* 0x02f0	 252 */		faddd	%f10,%f24,%f12
+/* 0x02f4	     */		ldd	[%i5+%o0],%f22
+/* 0x02f8	     */		fmuld	%f6,%f20,%f6
+/* 0x02fc	     */		add	%g2,8,%g2
+/* 0x0300	     */		fmuld	%f22,%f20,%f10
+/* 0x0304	     */		faddd	%f2,%f12,%f2
+/* 0x0308	     */		faddd	%f0,%f6,%f6
+/* 0x030c	     */		ldd	[%o1+%i3],%f0
+/* 0x0310	     */		std	%f2,[%o2+%i3]
+/* 0x0314	     */		faddd	%f8,%f10,%f2
+/* 0x0318	     */		sra	%l5,0,%o2
+/* 0x031c	     */		sllx	%o2,3,%o0
+/* 0x0320	     */		faddd	%f4,%f6,%f4
+/* 0x0324	     */		std	%f4,[%o3+%i3]
+/* 0x0328	     */		faddd	%f0,%f2,%f0
+/* 0x032c	     */		std	%f0,[%o1+%i3]
+/* 0x0330	     */		bg,a,pn	%icc,.L77000213
+/* 0x0334	     */		srl	%i2,31,%o3
+                       .L77000284:
+/* 0x0338	 252 */		ldd	[%i4+%o0],%f2
+                       .L900000655:
+/* 0x033c	 252 */		ldd	[%i5+%o0],%f0
+/* 0x0340	     */		fmuld	%f2,%f18,%f2
+/* 0x0344	     */		sra	%g2,0,%o0
+/* 0x0348	     */		sllx	%o0,3,%o1
+/* 0x034c	     */		add	%l5,1,%l5
+/* 0x0350	     */		fmuld	%f0,%f20,%f4
+/* 0x0354	     */		ldd	[%o1+%i3],%f0
+/* 0x0358	     */		sra	%l5,0,%o2
+/* 0x035c	     */		sllx	%o2,3,%o0
+/* 0x0360	     */		add	%g2,2,%g2
+/* 0x0364	     */		cmp	%l5,%i1
+/* 0x0368	     */		faddd	%f2,%f4,%f2
+/* 0x036c	     */		faddd	%f0,%f2,%f0
+/* 0x0370	     */		std	%f0,[%o1+%i3]
+/* 0x0374	     */		ble,a,pt	%icc,.L900000655
+/* 0x0378	     */		ldd	[%i4+%o0],%f2
+                       .L900000626:
+/* 0x037c	     */		srl	%i2,31,%o3
+/* 0x0380	 252 */		ba	.L900000654
+/* 0x0384	     */		cmp	%g3,30
+                       .L77000213:
+/* 0x0388	 254 */		cmp	%g3,30
+                       .L900000654:
+/* 0x038c	     */		add	%i2,%o3,%o0
+/* 0x0390	 254 */		bne,a,pt	%icc,.L900000653
+/* 0x0394	     */		fdtox	%f16,%f0
+/* 0x0398	 281 */		sra	%o0,1,%g2
+/* 0x039c	     */		add	%g2,1,%g2
+/* 0x03a0	     */		ldd	[%o7],%f0
+/* 0x03a4	     */		sll	%g2,1,%o1
+/* 0x03a8	     */		sll	%g1,1,%g2
+/* 0x03ac	     */		or	%g0,%o1,%o2
+/* 0x03b0	     */		fmovd	%f0,%f2
+/* 0x03b4	     */		or	%g0,%g2,%o0
+/* 0x03b8	     */		cmp	%o1,%o0
+/* 0x03bc	     */		sub	%g2,1,%o0
+/* 0x03c0	     */		bge,pt	%icc,.L77000215
+/* 0x03c4	     */		or	%g0,0,%g3
+/* 0x03c8	 254 */		add	%o1,1,%o1
+/* 0x03cc	 281 */		sra	%o2,0,%g2
+                       .L900000652:
+/* 0x03d0	     */		sllx	%g2,3,%g2
+/* 0x03d4	     */		ldd	[%o7],%f6
+/* 0x03d8	     */		add	%o2,2,%o2
+/* 0x03dc	     */		sra	%o1,0,%g3
+/* 0x03e0	     */		ldd	[%g2+%l4],%f8
+/* 0x03e4	     */		cmp	%o2,%o0
+/* 0x03e8	     */		sllx	%g3,3,%g3
+/* 0x03ec	     */		add	%o1,2,%o1
+/* 0x03f0	     */		ldd	[%l4+%g3],%f10
+/* 0x03f4	     */		fdtox	%f8,%f12
+/* 0x03f8	     */		fdtox	%f10,%f4
+/* 0x03fc	     */		fmovd	%f12,%f8
+/* 0x0400	     */		fmovs	%f6,%f12
+/* 0x0404	     */		fmovs	%f6,%f4
+/* 0x0408	     */		fxtod	%f12,%f6
+/* 0x040c	     */		fxtod	%f4,%f12
+/* 0x0410	     */		fdtox	%f10,%f4
+/* 0x0414	     */		faddd	%f6,%f2,%f6
+/* 0x0418	     */		std	%f6,[%g2+%l4]
+/* 0x041c	     */		faddd	%f12,%f0,%f6
+/* 0x0420	     */		std	%f6,[%l4+%g3]
+/* 0x0424	     */		fitod	%f8,%f2
+/* 0x0428	     */		fitod	%f4,%f0
+/* 0x042c	     */		ble,pt	%icc,.L900000652
+/* 0x0430	     */		sra	%o2,0,%g2
+                       .L77000233:
+/* 0x0434	     */		or	%g0,0,%g3
+                       .L77000215:
+/* 0x0438	     */		fdtox	%f16,%f0
+                       .L900000653:
+/* 0x043c	 256 */		ldd	[%o7],%f6
+/* 0x0440	     */		add	%g4,1,%g4
+/* 0x0444	     */		or	%g0,%i0,%i2
+/* 0x0448	     */		ldd	[%o5],%f8
+/* 0x044c	     */		add	%g3,1,%g3
+/* 0x0450	     */		add	%i3,8,%i3
+/* 0x0454	     */		fmovs	%f6,%f0
+/* 0x0458	     */		ldd	[%o4],%f10
+/* 0x045c	     */		ld	[%sp+2223],%o0
+/* 0x0460	     */		fxtod	%f0,%f6
+/* 0x0464	     */		cmp	%i0,%o0
+/* 0x0468	     */		fmuld	%f6,%f30,%f6
+/* 0x046c	     */		fmuld	%f6,%f8,%f8
+/* 0x0470	     */		fdtox	%f8,%f8
+/* 0x0474	     */		fxtod	%f8,%f8
+/* 0x0478	     */		fmuld	%f8,%f10,%f8
+/* 0x047c	     */		fsubd	%f6,%f8,%f20
+/* 0x0480	     */		ble,a,pt	%icc,.L900000651
+/* 0x0484	     */		ldd	[%i5],%f6
+                       .L900000625:
+/* 0x0488	 256 */		ba	.L900000650
+/* 0x048c	     */		sllx	%g5,3,%g2
+                       .L77000279:
+/* 0x0490	 261 */		ldd	[%i1],%f4
+/* 0x0494	     */		ldd	[%i2],%f6
+/* 0x0498	 273 */		std	%f0,[%i3+8]
+/* 0x049c	     */		std	%f0,[%i3+16]
+/* 0x04a0	 261 */		fmuld	%f4,%f6,%f6
+/* 0x04a4	     */		std	%f6,[%i3]
+/* 0x04a8	 273 */		std	%f0,[%i3+24]
+/* 0x04ac	     */		std	%f0,[%i3+32]
+/* 0x04b0	     */		fdtox	%f6,%f2
+/* 0x04b4	     */		std	%f0,[%i3+40]
+/* 0x04b8	     */		std	%f0,[%i3+48]
+/* 0x04bc	     */		std	%f0,[%i3+56]
+/* 0x04c0	     */		std	%f0,[%i3+64]
+/* 0x04c4	     */		fmovs	%f0,%f2
+/* 0x04c8	     */		std	%f0,[%i3+72]
+/* 0x04cc	     */		std	%f0,[%i3+80]
+/* 0x04d0	     */		std	%f0,[%i3+88]
+/* 0x04d4	     */		std	%f0,[%i3+96]
+/* 0x04d8	     */		std	%f0,[%i3+104]
+/* 0x04dc	     */		std	%f0,[%i3+112]
+/* 0x04e0	     */		std	%f0,[%i3+120]
+/* 0x04e4	     */		std	%f0,[%i3+128]
+/* 0x04e8	     */		std	%f0,[%i3+136]
+/* 0x04ec	     */		std	%f0,[%i3+144]
+/* 0x04f0	     */		std	%f0,[%i3+152]
+/* 0x04f4	     */		std	%f0,[%i3+160]
+/* 0x04f8	     */		std	%f0,[%i3+168]
+/* 0x04fc	     */		fxtod	%f2,%f6
+/* 0x0500	     */		std	%f0,[%i3+176]
+/* 0x0504	 281 */		or	%g0,1,%o2
+/* 0x0508	 273 */		std	%f0,[%i3+184]
+
+!  282		      !       {
+!  284		      !	 m2j=pdm2[j];
+!  285		      !	 a=pdtj[0]+pdn_0*digit;
+!  286		      !	 b=pdtj[1]+pdm1_0*pdm2[j+1]+a*TwoToMinus16;
+
+/* 0x050c	 286 */		sra	%o2,0,%g2
+/* 0x0510	 279 */		or	%g0,%i3,%o3
+/* 0x0514	 273 */		std	%f0,[%i3+192]
+/* 0x0518	 278 */		fmuld	%f6,%f14,%f6
+/* 0x051c	 281 */		or	%g0,0,%g1
+/* 0x0520	 273 */		std	%f0,[%i3+200]
+/* 0x0524	     */		std	%f0,[%i3+208]
+/* 0x0528	     */		std	%f0,[%i3+216]
+/* 0x052c	     */		std	%f0,[%i3+224]
+/* 0x0530	     */		std	%f0,[%i3+232]
+/* 0x0534	     */		std	%f0,[%i3+240]
+/* 0x0538	     */		std	%f0,[%i3+248]
+/* 0x053c	     */		std	%f0,[%i3+256]
+/* 0x0540	     */		std	%f0,[%i3+264]
+/* 0x0544	     */		std	%f0,[%i3+272]
+/* 0x0548	     */		std	%f0,[%i3+280]
+/* 0x054c	     */		std	%f0,[%i3+288]
+/* 0x0550	     */		std	%f0,[%i3+296]
+/* 0x0554	     */		std	%f0,[%i3+304]
+/* 0x0558	     */		std	%f0,[%i3+312]
+/* 0x055c	     */		std	%f0,[%i3+320]
+/* 0x0560	     */		std	%f0,[%i3+328]
+/* 0x0564	     */		std	%f0,[%i3+336]
+/* 0x0568	     */		std	%f0,[%i3+344]
+/* 0x056c	     */		std	%f0,[%i3+352]
+/* 0x0570	     */		std	%f0,[%i3+360]
+/* 0x0574	     */		std	%f0,[%i3+368]
+/* 0x0578	     */		std	%f0,[%i3+376]
+/* 0x057c	     */		std	%f0,[%i3+384]
+/* 0x0580	     */		std	%f0,[%i3+392]
+/* 0x0584	     */		std	%f0,[%i3+400]
+/* 0x0588	     */		std	%f0,[%i3+408]
+/* 0x058c	     */		std	%f0,[%i3+416]
+/* 0x0590	     */		std	%f0,[%i3+424]
+/* 0x0594	     */		std	%f0,[%i3+432]
+/* 0x0598	     */		std	%f0,[%i3+440]
+/* 0x059c	     */		std	%f0,[%i3+448]
+/* 0x05a0	     */		std	%f0,[%i3+456]
+/* 0x05a4	     */		std	%f0,[%i3+464]
+/* 0x05a8	     */		std	%f0,[%i3+472]
+/* 0x05ac	     */		std	%f0,[%i3+480]
+/* 0x05b0	     */		std	%f0,[%i3+488]
+/* 0x05b4	     */		std	%f0,[%i3+496]
+/* 0x05b8	 278 */		ldd	[%o5],%f8
+/* 0x05bc	     */		ldd	[%o4],%f10
+/* 0x05c0	     */		fmuld	%f6,%f8,%f8
+/* 0x05c4	 273 */		std	%f0,[%i3+504]
+/* 0x05c8	     */		std	%f0,[%i3+512]
+/* 0x05cc	     */		std	%f0,[%i3+520]
+/* 0x05d0	     */		fdtox	%f8,%f8
+/* 0x05d4	 275 */		ldd	[%o0],%f0
+/* 0x05d8	     */		fxtod	%f8,%f8
+/* 0x05dc	     */		fmuld	%f8,%f10,%f8
+/* 0x05e0	     */		fsubd	%f6,%f8,%f2
+
+!  287		      !	 pdtj[1]=b;
+!  289		      !	 /**** this loop will be fully unrolled:
+!  290		      !	 for(i=1;i<16;i++)
+!  291		      !	   {
+!  292		      !	     pdtj[2*i]+=pdm1[i]*m2j+pdn[i]*digit;
+!  293		      !	   }
+!  294		      !	 *************************************/
+!  295		      !	     pdtj[2]+=pdm1[1]*m2j+pdn[1]*digit;
+!  296		      !	     pdtj[4]+=pdm1[2]*m2j+pdn[2]*digit;
+!  297		      !	     pdtj[6]+=pdm1[3]*m2j+pdn[3]*digit;
+!  298		      !	     pdtj[8]+=pdm1[4]*m2j+pdn[4]*digit;
+!  299		      !	     pdtj[10]+=pdm1[5]*m2j+pdn[5]*digit;
+!  300		      !	     pdtj[12]+=pdm1[6]*m2j+pdn[6]*digit;
+!  301		      !	     pdtj[14]+=pdm1[7]*m2j+pdn[7]*digit;
+!  302		      !	     pdtj[16]+=pdm1[8]*m2j+pdn[8]*digit;
+!  303		      !	     pdtj[18]+=pdm1[9]*m2j+pdn[9]*digit;
+!  304		      !	     pdtj[20]+=pdm1[10]*m2j+pdn[10]*digit;
+!  305		      !	     pdtj[22]+=pdm1[11]*m2j+pdn[11]*digit;
+!  306		      !	     pdtj[24]+=pdm1[12]*m2j+pdn[12]*digit;
+!  307		      !	     pdtj[26]+=pdm1[13]*m2j+pdn[13]*digit;
+!  308		      !	     pdtj[28]+=pdm1[14]*m2j+pdn[14]*digit;
+!  309		      !	     pdtj[30]+=pdm1[15]*m2j+pdn[15]*digit;
+!  310		      !	 /* no need for cleenup, cannot overflow */
+!  311		      !	 digit=mod(lower32(b,Zero)*dn0,TwoToMinus16,TwoTo16);
+
+
+	fmovd %f2,%f0		! hand modified
+	fmovd %f30,%f18		! hand modified
+	ldd [%o0],%f2
+	ldd [%o3],%f8
+	ldd [%i1],%f10
+	ldd [%o5],%f14		! hand modified
+	ldd [%o4],%f16		! hand modified
+	ldd [%i2],%f24
+
+	ldd [%i1+8],%f26
+	ldd [%i1+16],%f40
+	ldd [%i1+48],%f46
+	ldd [%i1+56],%f30
+	ldd [%i1+64],%f54
+	ldd [%i1+104],%f34
+	ldd [%i1+112],%f58
+
+	ldd [%o0+8],%f28	
+	ldd [%o0+104],%f38
+	ldd [%o0+112],%f60
+
+	.L99999999: 			!1
+	ldd	[%i1+24],%f32
+	fmuld	%f0,%f2,%f4 	!2
+	ldd	[%o0+24],%f36
+	fmuld	%f26,%f24,%f20 	!3
+	ldd	[%i1+40],%f42
+	fmuld	%f28,%f0,%f22 	!4
+	ldd	[%o0+40],%f44
+	fmuld	%f32,%f24,%f32 	!5
+	ldd	[%i2+8],%f6
+	faddd	%f4,%f8,%f4
+	fmuld	%f36,%f0,%f36 	!6
+	add	%i2,8,%i2
+	ldd	[%o0+56],%f50
+	fmuld	%f42,%f24,%f42 	!7
+	ldd	[%i1+72],%f52
+	faddd	%f20,%f22,%f20
+	fmuld	%f44,%f0,%f44 	!8
+	ldd	[%o3+16],%f22
+	fmuld	%f10,%f6,%f12 	!9
+	ldd	[%o0+72],%f56
+	faddd	%f32,%f36,%f32
+	fmuld	%f14,%f4,%f4 !10
+	ldd	[%o3+48],%f36
+	fmuld	%f30,%f24,%f48 	!11
+	ldd	[%o3+8],%f8
+	faddd	%f20,%f22,%f20
+	fmuld	%f50,%f0,%f50	!12
+	std	%f20,[%o3+16]
+	faddd	%f42,%f44,%f42
+	fmuld	%f52,%f24,%f52 	!13
+	ldd	[%o3+80],%f44
+	faddd	%f4,%f12,%f4
+	fmuld	%f56,%f0,%f56 	!14
+	ldd	[%i1+88],%f20
+	faddd	%f32,%f36,%f32 	!15
+	ldd	[%o0+88],%f22
+	faddd	%f48,%f50,%f48 	!16
+	ldd	[%o3+112],%f50
+	faddd	%f52,%f56,%f52 	!17
+	ldd	[%o3+144],%f56
+	faddd	%f4,%f8,%f8
+	fmuld	%f20,%f24,%f20 	!18
+	std	%f32,[%o3+48]
+	faddd	%f42,%f44,%f42
+	fmuld	%f22,%f0,%f22 	!19
+	std	%f42,[%o3+80]
+	faddd	%f48,%f50,%f48
+	fmuld	%f34,%f24,%f32 	!20
+	std	%f48,[%o3+112]
+	faddd	%f52,%f56,%f52
+	fmuld	%f38,%f0,%f36 	!21
+	ldd	[%i1+120],%f42
+	fdtox	%f8,%f4 		!22
+	std	%f52,[%o3+144]
+	faddd	%f20,%f22,%f20 	!23
+	ldd	[%o0+120],%f44 	!24
+	ldd	[%o3+176],%f22
+	faddd	%f32,%f36,%f32
+	fmuld	%f42,%f24,%f42 	!25
+	ldd	[%o0+16],%f50
+	fmovs	%f17,%f4 	!26
+	ldd	[%i1+32],%f52
+	fmuld	%f44,%f0,%f44 	!27
+	ldd	[%o0+32],%f56
+	fmuld	%f40,%f24,%f48 	!28
+	ldd	[%o3+208],%f36
+	faddd	%f20,%f22,%f20
+	fmuld	%f50,%f0,%f50 	!29
+	std	%f20,[%o3+176]
+	fxtod	%f4,%f4
+	fmuld	%f52,%f24,%f52 	!30
+	ldd	[%o0+48],%f22
+	faddd	%f42,%f44,%f42
+	fmuld	%f56,%f0,%f56 	!31
+	ldd	[%o3+240],%f44
+	faddd	%f32,%f36,%f32 	!32
+	std	%f32,[%o3+208]
+	faddd	%f48,%f50,%f48
+	fmuld	%f46,%f24,%f20 	!33
+	ldd	[%o3+32],%f50
+	fmuld	%f4,%f18,%f12 	!34
+	ldd	[%o0+64],%f36
+	faddd	%f52,%f56,%f52
+	fmuld	%f22,%f0,%f22 	!35
+	ldd	[%o3+64],%f56
+	faddd	%f42,%f44,%f42 	!36
+	std	%f42,[%o3+240]
+	faddd	%f48,%f50,%f48
+	fmuld	%f54,%f24,%f32 	!37
+	std	%f48,[%o3+32]
+	fmuld	%f12,%f14,%f4 !38
+	ldd	[%i1+80],%f42
+	faddd	%f52,%f56,%f56	! yes, tmp52!
+	fmuld	%f36,%f0,%f36 	!39
+	ldd	[%o0+80],%f44
+	faddd	%f20,%f22,%f20 	!40
+	ldd	[%i1+96],%f48
+	fmuld	%f58,%f24,%f52 	!41
+	ldd	[%o0+96],%f50
+	fdtox	%f4,%f4
+	fmuld	%f42,%f24,%f42 	!42
+	std	%f56,[%o3+64]	! yes, tmp52!
+	faddd	%f32,%f36,%f32
+	fmuld	%f44,%f0,%f44 	!43
+	ldd	[%o3+96],%f22
+	fmuld	%f48,%f24,%f48 	!44
+	ldd	[%o3+128],%f36
+	fmovd	%f6,%f24
+	fmuld	%f50,%f0,%f50 	!45
+	fxtod	%f4,%f4
+	fmuld	%f60,%f0,%f56 	!46
+	add	%o3,8,%o3
+	faddd	%f42,%f44,%f42 	!47
+	ldd	[%o3+160-8],%f44
+	faddd	%f20,%f22,%f20 	!48
+	std	%f20,[%o3+96-8]
+	faddd	%f48,%f50,%f48 	!49
+	ldd	[%o3+192-8],%f50
+	faddd	%f52,%f56,%f52
+	fmuld	%f4,%f16,%f4 	!50
+	ldd	[%o3+224-8],%f56
+	faddd	%f32,%f36,%f32 	!51
+	std	%f32,[%o3+128-8]
+	faddd	%f42,%f44,%f42 	!52
+	add	%g1,1,%g1
+	std	%f42,[%o3+160-8]
+	faddd	%f48,%f50,%f48 	!53
+	cmp	%g1,31
+	std	%f48,[%o3+192-8]
+	fsubd	%f12,%f4,%f0 	!54
+	faddd	%f52,%f56,%f52
+	ble,pt	%icc,.L99999999
+	std	%f52,[%o3+224-8] 	!55
+	std %f8,[%o3]
+!  312		      !       }
+!  313		      !   }
+!  315		      ! conv_d16_to_i32(result,dt+2*nlen,(long long *)dt,nlen+1);
+
+/* 0x0844	 315 */		sllx	%g5,3,%g2
+                       .L900000650:
+/* 0x0848	 315 */		ldd	[%g2+%l4],%f2
+/* 0x084c	     */		add	%l4,%g2,%o0
+/* 0x0850	     */		or	%g0,0,%g1
+/* 0x0854	     */		ldd	[%o0+8],%f4
+/* 0x0858	     */		or	%g0,0,%i2
+/* 0x085c	     */		cmp	%l0,0
+/* 0x0860	     */		fdtox	%f2,%f2
+/* 0x0864	     */		std	%f2,[%sp+2255]
+/* 0x0868	 311 */		sethi	%hi(0xfc00),%o3
+/* 0x086c	 315 */		fdtox	%f4,%f2
+/* 0x0870	     */		std	%f2,[%sp+2247]
+/* 0x0874	 311 */		or	%g0,-1,%o2
+/* 0x0878	     */		srl	%o2,0,%o5
+/* 0x087c	     */		or	%g0,2,%g5
+/* 0x0880	     */		sub	%l0,1,%g3
+/* 0x0884	     */		or	%g0,%o0,%o7
+/* 0x0888	     */		add	%o3,1023,%o4
+/* 0x088c	 315 */		or	%g0,64,%o3
+/* 0x0890	     */		ldx	[%sp+2255],%i0
+/* 0x0894	     */		sub	%l0,2,%o1
+/* 0x0898	     */		ldx	[%sp+2247],%i1
+/* 0x089c	     */		ble,pt	%icc,.L900000648
+/* 0x08a0	     */		sethi	%hi(0xfc00),%g2
+/* 0x08a4	     */		cmp	%l0,6
+/* 0x08a8	     */		and	%i0,%o5,%o2
+/* 0x08ac	     */		bl,pn	%icc,.L77000287
+/* 0x08b0	     */		or	%g0,3,%g4
+/* 0x08b4	     */		ldd	[%o7+16],%f0
+/* 0x08b8	     */		and	%i1,%o4,%i3
+/* 0x08bc	     */		sllx	%i3,16,%o0
+/* 0x08c0	     */		or	%g0,5,%g4
+/* 0x08c4	     */		srax	%i1,16,%i4
+/* 0x08c8	     */		fdtox	%f0,%f0
+/* 0x08cc	     */		std	%f0,[%sp+2239]
+/* 0x08d0	     */		srax	%i0,32,%i1
+/* 0x08d4	     */		add	%o2,%o0,%i5
+/* 0x08d8	     */		ldd	[%o7+24],%f0
+/* 0x08dc	     */		and	%i5,%o5,%l1
+/* 0x08e0	     */		or	%g0,72,%o2
+/* 0x08e4	     */		or	%g0,4,%o0
+/* 0x08e8	     */		or	%g0,4,%g5
+/* 0x08ec	     */		ldx	[%sp+2239],%g1
+/* 0x08f0	     */		fdtox	%f0,%f0
+/* 0x08f4	     */		or	%g0,4,%i2
+/* 0x08f8	     */		std	%f0,[%sp+2231]
+/* 0x08fc	     */		ldd	[%o7+40],%f2
+/* 0x0900	     */		and	%g1,%o5,%i3
+/* 0x0904	     */		ldd	[%o7+32],%f0
+/* 0x0908	     */		srax	%g1,32,%g1
+/* 0x090c	     */		ldd	[%o7+56],%f4
+/* 0x0910	     */		fdtox	%f2,%f2
+/* 0x0914	     */		ldx	[%sp+2231],%g2
+/* 0x0918	     */		fdtox	%f0,%f0
+/* 0x091c	     */		st	%l1,[%l2]
+/* 0x0920	     */		srax	%i5,32,%l1
+/* 0x0924	     */		fdtox	%f4,%f4
+/* 0x0928	     */		std	%f2,[%sp+2231]
+/* 0x092c	     */		and	%g2,%o4,%i5
+/* 0x0930	     */		add	%i4,%l1,%i4
+/* 0x0934	     */		std	%f0,[%sp+2239]
+/* 0x0938	     */		sllx	%i5,16,%i0
+/* 0x093c	     */		add	%i1,%i4,%i1
+/* 0x0940	     */		ldd	[%o7+48],%f2
+/* 0x0944	     */		srax	%g2,16,%g2
+/* 0x0948	     */		add	%i3,%i0,%i0
+/* 0x094c	     */		ldd	[%o7+72],%f0
+/* 0x0950	     */		add	%i0,%i1,%i3
+/* 0x0954	     */		srax	%i3,32,%i4
+/* 0x0958	     */		fdtox	%f2,%f2
+/* 0x095c	     */		and	%i3,%o5,%i3
+/* 0x0960	     */		ldx	[%sp+2231],%i1
+/* 0x0964	     */		add	%g2,%i4,%g2
+/* 0x0968	     */		ldx	[%sp+2239],%i0
+/* 0x096c	     */		add	%g1,%g2,%g1
+/* 0x0970	     */		std	%f2,[%sp+2239]
+/* 0x0974	     */		std	%f4,[%sp+2231]
+/* 0x0978	     */		ldd	[%o7+64],%f2
+/* 0x097c	     */		st	%i3,[%l2+4]
+                       .L900000631:
+/* 0x0980	     */		ldx	[%sp+2231],%i3
+/* 0x0984	     */		add	%i2,2,%i2
+/* 0x0988	     */		add	%g4,4,%g4
+/* 0x098c	     */		ldx	[%sp+2239],%i5
+/* 0x0990	     */		add	%o2,16,%o2
+/* 0x0994	     */		and	%i1,%o4,%g2
+/* 0x0998	     */		sllx	%g2,16,%i4
+/* 0x099c	     */		and	%i0,%o5,%g2
+/* 0x09a0	     */		ldd	[%o7+%o2],%f4
+/* 0x09a4	     */		fdtox	%f0,%f0
+/* 0x09a8	     */		std	%f0,[%sp+2231]
+/* 0x09ac	     */		srax	%i1,16,%i1
+/* 0x09b0	     */		add	%g2,%i4,%g2
+/* 0x09b4	     */		fdtox	%f2,%f0
+/* 0x09b8	     */		add	%o3,16,%o3
+/* 0x09bc	     */		std	%f0,[%sp+2239]
+/* 0x09c0	     */		add	%g2,%g1,%g1
+/* 0x09c4	     */		ldd	[%o7+%o3],%f2
+/* 0x09c8	     */		srax	%g1,32,%i4
+/* 0x09cc	     */		cmp	%i2,%o1
+/* 0x09d0	     */		srax	%i0,32,%g2
+/* 0x09d4	     */		add	%i1,%i4,%i0
+/* 0x09d8	     */		add	%g2,%i0,%i4
+/* 0x09dc	     */		add	%o0,4,%o0
+/* 0x09e0	     */		and	%g1,%o5,%g2
+/* 0x09e4	     */		or	%g0,%i5,%g1
+/* 0x09e8	     */		st	%g2,[%l2+%o0]
+/* 0x09ec	     */		add	%g5,4,%g5
+/* 0x09f0	     */		ldx	[%sp+2231],%i1
+/* 0x09f4	     */		ldx	[%sp+2239],%i0
+/* 0x09f8	     */		add	%o2,16,%o2
+/* 0x09fc	     */		and	%i3,%o4,%g2
+/* 0x0a00	     */		sllx	%g2,16,%i5
+/* 0x0a04	     */		and	%g1,%o5,%g2
+/* 0x0a08	     */		ldd	[%o7+%o2],%f0
+/* 0x0a0c	     */		fdtox	%f4,%f4
+/* 0x0a10	     */		std	%f4,[%sp+2231]
+/* 0x0a14	     */		srax	%i3,16,%i3
+/* 0x0a18	     */		add	%g2,%i5,%g2
+/* 0x0a1c	     */		fdtox	%f2,%f2
+/* 0x0a20	     */		add	%o3,16,%o3
+/* 0x0a24	     */		std	%f2,[%sp+2239]
+/* 0x0a28	     */		add	%g2,%i4,%g2
+/* 0x0a2c	     */		ldd	[%o7+%o3],%f2
+/* 0x0a30	     */		srax	%g2,32,%i4
+/* 0x0a34	     */		srax	%g1,32,%g1
+/* 0x0a38	     */		add	%i3,%i4,%i3
+/* 0x0a3c	     */		add	%g1,%i3,%g1
+/* 0x0a40	     */		add	%o0,4,%o0
+/* 0x0a44	     */		and	%g2,%o5,%g2
+/* 0x0a48	     */		ble,pt	%icc,.L900000631
+/* 0x0a4c	     */		st	%g2,[%l2+%o0]
+                       .L900000634:
+/* 0x0a50	     */		srax	%i1,16,%i5
+/* 0x0a54	     */		ldx	[%sp+2231],%o1
+/* 0x0a58	     */		and	%i1,%o4,%i3
+/* 0x0a5c	     */		sllx	%i3,16,%i3
+/* 0x0a60	     */		ldx	[%sp+2239],%i4
+/* 0x0a64	     */		and	%i0,%o5,%g2
+/* 0x0a68	     */		add	%g2,%i3,%g2
+/* 0x0a6c	     */		and	%o1,%o4,%i3
+/* 0x0a70	     */		fdtox	%f0,%f4
+/* 0x0a74	     */		sllx	%i3,16,%i3
+/* 0x0a78	     */		std	%f4,[%sp+2231]
+/* 0x0a7c	     */		add	%g2,%g1,%g2
+/* 0x0a80	     */		srax	%g2,32,%l1
+/* 0x0a84	     */		and	%i4,%o5,%i1
+/* 0x0a88	     */		fdtox	%f2,%f0
+/* 0x0a8c	     */		srax	%i0,32,%g1
+/* 0x0a90	     */		std	%f0,[%sp+2239]
+/* 0x0a94	     */		add	%i5,%l1,%i0
+/* 0x0a98	     */		srax	%o1,16,%o1
+/* 0x0a9c	     */		add	%g1,%i0,%i0
+/* 0x0aa0	     */		add	%o0,4,%g1
+/* 0x0aa4	     */		add	%i1,%i3,%o0
+/* 0x0aa8	     */		and	%g2,%o5,%g2
+/* 0x0aac	     */		st	%g2,[%l2+%g1]
+/* 0x0ab0	     */		add	%o0,%i0,%o0
+/* 0x0ab4	     */		srax	%o0,32,%i3
+/* 0x0ab8	     */		ldx	[%sp+2231],%i1
+/* 0x0abc	     */		add	%g1,4,%g1
+/* 0x0ac0	     */		ldx	[%sp+2239],%i0
+/* 0x0ac4	     */		and	%o0,%o5,%g2
+/* 0x0ac8	     */		add	%o1,%i3,%o1
+/* 0x0acc	     */		srax	%i4,32,%o0
+/* 0x0ad0	     */		cmp	%i2,%g3
+/* 0x0ad4	     */		st	%g2,[%l2+%g1]
+/* 0x0ad8	     */		bg,pn	%icc,.L77000236
+/* 0x0adc	     */		add	%o0,%o1,%g1
+/* 0x0ae0	     */		add	%g4,6,%g4
+/* 0x0ae4	     */		add	%g5,6,%g5
+                       .L77000287:
+/* 0x0ae8	     */		sra	%g5,0,%o1
+                       .L900000647:
+/* 0x0aec	     */		sllx	%o1,3,%o2
+/* 0x0af0	     */		and	%i0,%o5,%o0
+/* 0x0af4	     */		ldd	[%o7+%o2],%f0
+/* 0x0af8	     */		sra	%g4,0,%o2
+/* 0x0afc	     */		and	%i1,%o4,%o1
+/* 0x0b00	     */		sllx	%o2,3,%o2
+/* 0x0b04	     */		add	%g1,%o0,%o0
+/* 0x0b08	     */		fdtox	%f0,%f0
+/* 0x0b0c	     */		std	%f0,[%sp+2239]
+/* 0x0b10	     */		sllx	%o1,16,%o1
+/* 0x0b14	     */		add	%o0,%o1,%o1
+/* 0x0b18	     */		add	%g5,2,%g5
+/* 0x0b1c	     */		ldd	[%o7+%o2],%f0
+/* 0x0b20	     */		srax	%o1,32,%g1
+/* 0x0b24	     */		and	%o1,%o5,%o2
+/* 0x0b28	     */		srax	%i1,16,%o0
+/* 0x0b2c	     */		add	%g4,2,%g4
+/* 0x0b30	     */		fdtox	%f0,%f0
+/* 0x0b34	     */		std	%f0,[%sp+2231]
+/* 0x0b38	     */		sra	%i2,0,%o1
+/* 0x0b3c	     */		sllx	%o1,2,%o1
+/* 0x0b40	     */		add	%o0,%g1,%g2
+/* 0x0b44	     */		srax	%i0,32,%g1
+/* 0x0b48	     */		add	%i2,1,%i2
+/* 0x0b4c	     */		add	%g1,%g2,%g1
+/* 0x0b50	     */		cmp	%i2,%g3
+/* 0x0b54	     */		ldx	[%sp+2239],%o3
+/* 0x0b58	     */		ldx	[%sp+2231],%i1
+/* 0x0b5c	     */		st	%o2,[%l2+%o1]
+/* 0x0b60	     */		or	%g0,%o3,%i0
+/* 0x0b64	     */		ble,pt	%icc,.L900000647
+/* 0x0b68	     */		sra	%g5,0,%o1
+                       .L77000236:
+/* 0x0b6c	     */		sethi	%hi(0xfc00),%g2
+                       .L900000648:
+/* 0x0b70	     */		or	%g0,-1,%o0
+/* 0x0b74	     */		add	%g2,1023,%g2
+/* 0x0b78	     */		srl	%o0,0,%g3
+/* 0x0b7c	     */		and	%i1,%g2,%g2
+/* 0x0b80	     */		and	%i0,%g3,%g4
+/* 0x0b84	     */		sllx	%g2,16,%g2
+/* 0x0b88	     */		add	%g1,%g4,%g4
+/* 0x0b8c	     */		sra	%i2,0,%g5
+/* 0x0b90	     */		add	%g4,%g2,%g4
+/* 0x0b94	     */		sllx	%g5,2,%g2
+/* 0x0b98	     */		and	%g4,%g3,%g3
+/* 0x0b9c	     */		st	%g3,[%l2+%g2]
+
+!  317		      ! adjust_montf_result(result,nint,nlen); 
+
+/* 0x0ba0	 317 */		sra	%l0,0,%g4
+/* 0x0ba4	     */		sllx	%g4,2,%g2
+/* 0x0ba8	     */		ld	[%l2+%g2],%g2
+/* 0x0bac	     */		cmp	%g2,0
+/* 0x0bb0	     */		bleu,pn	%icc,.L77000241
+/* 0x0bb4	     */		or	%g0,-1,%o1
+/* 0x0bb8	     */		ba	.L900000646
+/* 0x0bbc	     */		cmp	%o1,0
+                       .L77000241:
+/* 0x0bc0	     */		sub	%l0,1,%o1
+/* 0x0bc4	     */		cmp	%o1,0
+/* 0x0bc8	     */		bl,pn	%icc,.L77000244
+/* 0x0bcc	     */		sra	%o1,0,%g2
+                       .L900000645:
+/* 0x0bd0	     */		sllx	%g2,2,%g2
+/* 0x0bd4	     */		sub	%o1,1,%o0
+/* 0x0bd8	     */		ld	[%l3+%g2],%g3
+/* 0x0bdc	     */		ld	[%l2+%g2],%g2
+/* 0x0be0	     */		cmp	%g2,%g3
+/* 0x0be4	     */		bne,pn	%icc,.L77000244
+/* 0x0be8	     */		nop
+/* 0x0bec	   0 */		or	%g0,%o0,%o1
+/* 0x0bf0	 317 */		cmp	%o0,0
+/* 0x0bf4	     */		bge,pt	%icc,.L900000645
+/* 0x0bf8	     */		sra	%o1,0,%g2
+                       .L77000244:
+/* 0x0bfc	     */		cmp	%o1,0
+                       .L900000646:
+/* 0x0c00	     */		bl,pn	%icc,.L77000288
+/* 0x0c04	     */		sra	%o1,0,%g2
+/* 0x0c08	     */		sllx	%g2,2,%g2
+/* 0x0c0c	     */		ld	[%l3+%g2],%g3
+/* 0x0c10	     */		ld	[%l2+%g2],%g2
+/* 0x0c14	     */		cmp	%g2,%g3
+/* 0x0c18	     */		bleu,pt	%icc,.L77000224
+/* 0x0c1c	     */		nop
+                       .L77000288:
+/* 0x0c20	     */		cmp	%l0,0
+/* 0x0c24	     */		ble,pt	%icc,.L77000224
+/* 0x0c28	     */		nop
+/* 0x0c2c	 317 */		or	%g0,-1,%g2
+/* 0x0c30	 315 */		or	%g0,0,%i0
+/* 0x0c34	 317 */		srl	%g2,0,%g2
+/* 0x0c38	 315 */		or	%g0,0,%g4
+/* 0x0c3c	     */		or	%g0,0,%o1
+/* 0x0c40	 317 */		sub	%l0,1,%g5
+/* 0x0c44	     */		cmp	%l0,9
+/* 0x0c48	 315 */		or	%g0,8,%o5
+/* 0x0c4c	     */		bl,pn	%icc,.L77000289
+/* 0x0c50	     */		sub	%l0,4,%o7
+/* 0x0c54	     */		ld	[%l2],%o1
+/* 0x0c58	     */		or	%g0,5,%i0
+/* 0x0c5c	     */		ld	[%l3],%o2
+/* 0x0c60	     */		or	%g0,12,%o4
+/* 0x0c64	     */		or	%g0,16,%g1
+/* 0x0c68	     */		ld	[%l3+4],%o3
+/* 0x0c6c	     */		ld	[%l2+4],%o0
+/* 0x0c70	     */		sub	%o1,%o2,%o1
+/* 0x0c74	     */		ld	[%l3+8],%i1
+/* 0x0c78	     */		and	%o1,%g2,%g4
+/* 0x0c7c	     */		st	%g4,[%l2]
+/* 0x0c80	     */		srax	%o1,32,%g4
+/* 0x0c84	     */		sub	%o0,%o3,%o0
+/* 0x0c88	     */		ld	[%l3+12],%o2
+/* 0x0c8c	     */		add	%o0,%g4,%o0
+/* 0x0c90	     */		and	%o0,%g2,%g4
+/* 0x0c94	     */		st	%g4,[%l2+4]
+/* 0x0c98	     */		srax	%o0,32,%o0
+/* 0x0c9c	     */		ld	[%l2+8],%o1
+/* 0x0ca0	     */		ld	[%l2+12],%o3
+/* 0x0ca4	     */		sub	%o1,%i1,%o1
+                       .L900000635:
+/* 0x0ca8	     */		add	%g1,4,%g3
+/* 0x0cac	     */		ld	[%g1+%l2],%g4
+/* 0x0cb0	     */		add	%o1,%o0,%o0
+/* 0x0cb4	     */		ld	[%l3+%g1],%i1
+/* 0x0cb8	     */		sub	%o3,%o2,%o1
+/* 0x0cbc	     */		and	%o0,%g2,%o2
+/* 0x0cc0	     */		st	%o2,[%o5+%l2]
+/* 0x0cc4	     */		srax	%o0,32,%o2
+/* 0x0cc8	     */		add	%i0,4,%i0
+/* 0x0ccc	     */		add	%g1,8,%o5
+/* 0x0cd0	     */		ld	[%g3+%l2],%o0
+/* 0x0cd4	     */		add	%o1,%o2,%o1
+/* 0x0cd8	     */		ld	[%l3+%g3],%o3
+/* 0x0cdc	     */		sub	%g4,%i1,%o2
+/* 0x0ce0	     */		and	%o1,%g2,%g4
+/* 0x0ce4	     */		st	%g4,[%o4+%l2]
+/* 0x0ce8	     */		srax	%o1,32,%g4
+/* 0x0cec	     */		cmp	%i0,%o7
+/* 0x0cf0	     */		add	%g1,12,%o4
+/* 0x0cf4	     */		ld	[%o5+%l2],%o1
+/* 0x0cf8	     */		add	%o2,%g4,%o2
+/* 0x0cfc	     */		ld	[%l3+%o5],%i1
+/* 0x0d00	     */		sub	%o0,%o3,%o0
+/* 0x0d04	     */		and	%o2,%g2,%o3
+/* 0x0d08	     */		st	%o3,[%g1+%l2]
+/* 0x0d0c	     */		srax	%o2,32,%g4
+/* 0x0d10	     */		ld	[%o4+%l2],%o3
+/* 0x0d14	     */		add	%g1,16,%g1
+/* 0x0d18	     */		add	%o0,%g4,%o0
+/* 0x0d1c	     */		ld	[%l3+%o4],%o2
+/* 0x0d20	     */		sub	%o1,%i1,%o1
+/* 0x0d24	     */		and	%o0,%g2,%g4
+/* 0x0d28	     */		st	%g4,[%g3+%l2]
+/* 0x0d2c	     */		ble,pt	%icc,.L900000635
+/* 0x0d30	     */		srax	%o0,32,%o0
+                       .L900000638:
+/* 0x0d34	     */		add	%o1,%o0,%g3
+/* 0x0d38	     */		sub	%o3,%o2,%o1
+/* 0x0d3c	     */		ld	[%g1+%l2],%o0
+/* 0x0d40	     */		ld	[%l3+%g1],%o2
+/* 0x0d44	     */		srax	%g3,32,%o7
+/* 0x0d48	     */		and	%g3,%g2,%o3
+/* 0x0d4c	     */		add	%o1,%o7,%o1
+/* 0x0d50	     */		st	%o3,[%o5+%l2]
+/* 0x0d54	     */		cmp	%i0,%g5
+/* 0x0d58	     */		sub	%o0,%o2,%o0
+/* 0x0d5c	     */		and	%o1,%g2,%o2
+/* 0x0d60	     */		st	%o2,[%o4+%l2]
+/* 0x0d64	     */		srax	%o1,32,%o1
+/* 0x0d68	     */		sra	%i0,0,%o2
+/* 0x0d6c	     */		add	%o0,%o1,%o0
+/* 0x0d70	     */		srax	%o0,32,%g4
+/* 0x0d74	     */		and	%o0,%g2,%o1
+/* 0x0d78	     */		st	%o1,[%g1+%l2]
+/* 0x0d7c	     */		bg,pn	%icc,.L77000224
+/* 0x0d80	     */		sllx	%o2,2,%o1
+                       .L77000289:
+/* 0x0d84	   0 */		or	%g0,%o1,%g1
+                       .L900000644:
+/* 0x0d88	     */		ld	[%o1+%l2],%o0
+/* 0x0d8c	     */		add	%i0,1,%i0
+/* 0x0d90	     */		ld	[%l3+%o1],%o1
+/* 0x0d94	     */		sra	%i0,0,%o2
+/* 0x0d98	     */		cmp	%i0,%g5
+/* 0x0d9c	     */		add	%g4,%o0,%o0
+/* 0x0da0	     */		sub	%o0,%o1,%o0
+/* 0x0da4	     */		srax	%o0,32,%g4
+/* 0x0da8	     */		and	%o0,%g2,%o1
+/* 0x0dac	     */		st	%o1,[%g1+%l2]
+/* 0x0db0	     */		sllx	%o2,2,%o1
+/* 0x0db4	     */		ble,pt	%icc,.L900000644
+/* 0x0db8	     */		or	%g0,%o1,%g1
+                       .L77000224:
+/* 0x0dbc	     */		ret	! Result = 
+/* 0x0dc0	     */		restore	%g0,%g0,%g0
+/* 0x0dc4	   0 */		.type	mont_mulf_noconv,2
+/* 0x0dc4	     */		.size	mont_mulf_noconv,(.-mont_mulf_noconv)
+
diff --git a/security/nss/lib/freebl/mpi/mpi-config.h b/security/nss/lib/freebl/mpi/mpi-config.h
new file mode 100644
index 000000000..bf573e254
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi-config.h
@@ -0,0 +1,109 @@
+/* Default configuration for MPI library 
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1997, 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *	Netscape Communications Corporation
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/* $Id$ */
+
+#ifndef MPI_CONFIG_H_
+#define MPI_CONFIG_H_
+
+/*
+  For boolean options, 
+  0 = no
+  1 = yes
+
+  Other options are documented individually.
+
+ */
+
+#ifndef MP_IOFUNC
+#define MP_IOFUNC     0  /* include mp_print() ?                */
+#endif
+
+#ifndef MP_MODARITH
+#define MP_MODARITH   1  /* include modular arithmetic ?        */
+#endif
+
+#ifndef MP_NUMTH
+#define MP_NUMTH      1  /* include number theoretic functions? */
+#endif
+
+#ifndef MP_LOGTAB
+#define MP_LOGTAB     1  /* use table of logs instead of log()? */
+#endif
+
+#ifndef MP_MEMSET
+#define MP_MEMSET     1  /* use memset() to zero buffers?       */
+#endif
+
+#ifndef MP_MEMCPY
+#define MP_MEMCPY     1  /* use memcpy() to copy buffers?       */
+#endif
+
+#ifndef MP_CRYPTO
+#define MP_CRYPTO     1  /* erase memory on free?               */
+#endif
+
+#ifndef MP_ARGCHK
+/*
+  0 = no parameter checks
+  1 = runtime checks, continue execution and return an error to caller
+  2 = assertions; dump core on parameter errors
+ */
+#ifdef DEBUG
+#define MP_ARGCHK     2  /* how to check input arguments        */
+#else
+#define MP_ARGCHK     1  /* how to check input arguments        */
+#endif
+#endif
+
+#ifndef MP_DEBUG
+#define MP_DEBUG      0  /* print diagnostic output?            */
+#endif
+
+#ifndef MP_DEFPREC
+#define MP_DEFPREC    64 /* default precision, in digits        */
+#endif
+
+#ifndef MP_MACRO
+#define MP_MACRO      0  /* use macros for frequent calls?      */
+#endif
+
+#ifndef MP_SQUARE
+#define MP_SQUARE     1  /* use separate squaring code?         */
+#endif
+
+#endif /* ifndef MPI_CONFIG_H_ */
+
+
diff --git a/security/nss/lib/freebl/mpi/mpi-priv.h b/security/nss/lib/freebl/mpi/mpi-priv.h
new file mode 100644
index 000000000..eaa683a77
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi-priv.h
@@ -0,0 +1,258 @@
+/*
+ *  mpi-priv.h	- Private header file for MPI 
+ *  Arbitrary precision integer arithmetic library
+ *
+ *  NOTE WELL: the content of this header file is NOT part of the "public"
+ *  API for the MPI library, and may change at any time.  
+ *  Application programs that use libmpi should NOT include this header file.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *	Netscape Communications Corporation 
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+#ifndef _MPI_PRIV_H_
+#define _MPI_PRIV_H_ 1
+
+#include "mpi.h"
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+
+#if MP_DEBUG
+#include <stdio.h>
+
+#define DIAG(T,V) {fprintf(stderr,T);mp_print(V,stderr);fputc('\n',stderr);}
+#else
+#define DIAG(T,V)
+#endif
+
+/* If we aren't using a wired-in logarithm table, we need to include
+   the math library to get the log() function
+ */
+
+/* {{{ s_logv_2[] - log table for 2 in various bases */
+
+#if MP_LOGTAB
+/*
+  A table of the logs of 2 for various bases (the 0 and 1 entries of
+  this table are meaningless and should not be referenced).  
+
+  This table is used to compute output lengths for the mp_toradix()
+  function.  Since a number n in radix r takes up about log_r(n)
+  digits, we estimate the output size by taking the least integer
+  greater than log_r(n), where:
+
+  log_r(n) = log_2(n) * log_r(2)
+
+  This table, therefore, is a table of log_r(2) for 2 <= r <= 36,
+  which are the output bases supported.  
+ */
+
+extern const float s_logv_2[];
+#define LOG_V_2(R)  s_logv_2[(R)]
+
+#else
+
+/* 
+   If MP_LOGTAB is not defined, use the math library to compute the
+   logarithms on the fly.  Otherwise, use the table.
+   Pick which works best for your system.
+ */
+
+#include <math.h>
+#define LOG_V_2(R)  (log(2.0)/log(R))
+
+#endif /* if MP_LOGTAB */
+
+/* }}} */
+
+/* {{{ Digit arithmetic macros */
+
+/*
+  When adding and multiplying digits, the results can be larger than
+  can be contained in an mp_digit.  Thus, an mp_word is used.  These
+  macros mask off the upper and lower digits of the mp_word (the
+  mp_word may be more than 2 mp_digits wide, but we only concern
+  ourselves with the low-order 2 mp_digits)
+ */
+
+#define  CARRYOUT(W)  (mp_digit)((W)>>DIGIT_BIT)
+#define  ACCUM(W)     (mp_digit)(W)
+
+#define MP_MIN(a,b)   (((a) < (b)) ? (a) : (b))
+#define MP_MAX(a,b)   (((a) > (b)) ? (a) : (b))
+#define MP_HOWMANY(a,b) (((a) + (b) - 1)/(b))
+#define MP_ROUNDUP(a,b) (MP_HOWMANY(a,b) * (b))
+
+/* }}} */
+
+/* {{{ Comparison constants */
+
+#define  MP_LT       -1
+#define  MP_EQ        0
+#define  MP_GT        1
+
+/* }}} */
+
+/* {{{ private function declarations */
+
+/* 
+   If MP_MACRO is false, these will be defined as actual functions;
+   otherwise, suitable macro definitions will be used.  This works
+   around the fact that ANSI C89 doesn't support an 'inline' keyword
+   (although I hear C9x will ... about bloody time).  At present, the
+   macro definitions are identical to the function bodies, but they'll
+   expand in place, instead of generating a function call.
+
+   I chose these particular functions to be made into macros because
+   some profiling showed they are called a lot on a typical workload,
+   and yet they are primarily housekeeping.
+ */
+#if MP_MACRO == 0
+ void     s_mp_setz(mp_digit *dp, mp_size count); /* zero digits           */
+ void     s_mp_copy(const mp_digit *sp, mp_digit *dp, mp_size count); /* copy */
+ void    *s_mp_alloc(size_t nb, size_t ni);       /* general allocator     */
+ void     s_mp_free(void *ptr);                   /* general free function */
+extern unsigned long mp_allocs;
+extern unsigned long mp_frees;
+extern unsigned long mp_copies;
+#else
+
+ /* Even if these are defined as macros, we need to respect the settings
+    of the MP_MEMSET and MP_MEMCPY configuration options...
+  */
+ #if MP_MEMSET == 0
+  #define  s_mp_setz(dp, count) \
+       {int ix;for(ix=0;ix<(count);ix++)(dp)[ix]=0;}
+ #else
+  #define  s_mp_setz(dp, count) memset(dp, 0, (count) * sizeof(mp_digit))
+ #endif /* MP_MEMSET */
+
+ #if MP_MEMCPY == 0
+  #define  s_mp_copy(sp, dp, count) \
+       {int ix;for(ix=0;ix<(count);ix++)(dp)[ix]=(sp)[ix];}
+ #else
+  #define  s_mp_copy(sp, dp, count) memcpy(dp, sp, (count) * sizeof(mp_digit))
+ #endif /* MP_MEMCPY */
+
+ #define  s_mp_alloc(nb, ni)  calloc(nb, ni)
+ #define  s_mp_free(ptr) {if(ptr) free(ptr);}
+#endif /* MP_MACRO */
+
+mp_err   s_mp_grow(mp_int *mp, mp_size min);   /* increase allocated size */
+mp_err   s_mp_pad(mp_int *mp, mp_size min);    /* left pad with zeroes    */
+
+#if MP_MACRO == 0
+ void     s_mp_clamp(mp_int *mp);               /* clip leading zeroes     */
+#else
+ #define  s_mp_clamp(mp)\
+  { mp_size used = MP_USED(mp); \
+    while (used > 1 && DIGIT(mp, used - 1) == 0) --used; \
+    MP_USED(mp) = used; \
+  } 
+#endif /* MP_MACRO */
+
+void     s_mp_exch(mp_int *a, mp_int *b);      /* swap a and b in place   */
+
+mp_err   s_mp_lshd(mp_int *mp, mp_size p);     /* left-shift by p digits  */
+void     s_mp_rshd(mp_int *mp, mp_size p);     /* right-shift by p digits */
+mp_err   s_mp_mul_2d(mp_int *mp, mp_digit d);  /* multiply by 2^d in place */
+void     s_mp_div_2d(mp_int *mp, mp_digit d);  /* divide by 2^d in place  */
+void     s_mp_mod_2d(mp_int *mp, mp_digit d);  /* modulo 2^d in place     */
+void     s_mp_div_2(mp_int *mp);               /* divide by 2 in place    */
+mp_err   s_mp_mul_2(mp_int *mp);               /* multiply by 2 in place  */
+mp_err   s_mp_norm(mp_int *a, mp_int *b, mp_digit *pd); 
+                                               /* normalize for division  */
+mp_err   s_mp_add_d(mp_int *mp, mp_digit d);   /* unsigned digit addition */
+mp_err   s_mp_sub_d(mp_int *mp, mp_digit d);   /* unsigned digit subtract */
+mp_err   s_mp_mul_d(mp_int *mp, mp_digit d);   /* unsigned digit multiply */
+mp_err   s_mp_div_d(mp_int *mp, mp_digit d, mp_digit *r);
+		                               /* unsigned digit divide   */
+mp_err   s_mp_reduce(mp_int *x, const mp_int *m, const mp_int *mu);
+                                               /* Barrett reduction       */
+mp_err   s_mp_add(mp_int *a, const mp_int *b); /* magnitude addition      */
+mp_err   s_mp_add_3arg(const mp_int *a, const mp_int *b, mp_int *c);
+mp_err   s_mp_sub(mp_int *a, const mp_int *b); /* magnitude subtract      */
+mp_err   s_mp_sub_3arg(const mp_int *a, const mp_int *b, mp_int *c);
+mp_err   s_mp_add_offset(mp_int *a, mp_int *b, mp_size offset);
+                                               /* a += b * RADIX^offset   */
+mp_err   s_mp_mul(mp_int *a, const mp_int *b); /* magnitude multiply      */
+#if MP_SQUARE
+mp_err   s_mp_sqr(mp_int *a);                  /* magnitude square        */
+#else
+#define  s_mp_sqr(a) s_mp_mul(a, a)
+#endif
+mp_err   s_mp_div(mp_int *rem, mp_int *div, mp_int *quot); /* magnitude div */
+mp_err   s_mp_exptmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
+mp_err   s_mp_2expt(mp_int *a, mp_digit k);    /* a = 2^k                 */
+int      s_mp_cmp(const mp_int *a, const mp_int *b); /* magnitude comparison */
+int      s_mp_cmp_d(const mp_int *a, mp_digit d); /* magnitude digit compare */
+int      s_mp_ispow2(const mp_int *v);         /* is v a power of 2?      */
+int      s_mp_ispow2d(mp_digit d);             /* is d a power of 2?      */
+
+int      s_mp_tovalue(char ch, int r);          /* convert ch to value    */
+char     s_mp_todigit(mp_digit val, int r, int low); /* convert val to digit */
+int      s_mp_outlen(int bits, int r);          /* output length in bytes */
+mp_digit s_mp_invmod_radix(mp_digit P);   /* returns (P ** -1) mod RADIX */
+mp_err   s_mp_invmod_odd_m( const mp_int *a, const mp_int *m, mp_int *c);
+mp_err   s_mp_invmod_2d(    const mp_int *a, mp_size k,       mp_int *c);
+mp_err   s_mp_invmod_even_m(const mp_int *a, const mp_int *m, mp_int *c);
+
+/* ------ mpv functions, operate on arrays of digits, not on mp_int's ------ */
+#if defined (__OS2__) && defined (__IBMC__)
+#define MPI_ASM_DECL __cdecl
+#else
+#define MPI_ASM_DECL
+#endif
+
+void     MPI_ASM_DECL s_mpv_mul_d(const mp_digit *a, mp_size a_len,
+                                        mp_digit b, mp_digit *c);
+void     MPI_ASM_DECL s_mpv_mul_d_add(const mp_digit *a, mp_size a_len,
+                                            mp_digit b, mp_digit *c);
+void     MPI_ASM_DECL s_mpv_mul_d_add_prop(const mp_digit *a,
+                                                mp_size a_len, mp_digit b, 
+			                        mp_digit *c);
+void     MPI_ASM_DECL s_mpv_sqr_add_prop(const mp_digit *a,
+                                                mp_size a_len,
+                                                mp_digit *sqrs);
+
+mp_err   MPI_ASM_DECL s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo,
+                            mp_digit divisor, mp_digit *quot, mp_digit *rem);
+
+/* c += a * b * (MP_RADIX ** offset);  */
+#define s_mp_mul_d_add_offset(a, b, c, off) \
+(s_mpv_mul_d_add_prop(MP_DIGITS(a), MP_USED(a), b, MP_DIGITS(c) + off), MP_OKAY)
+
+/* }}} */
+#endif
+
diff --git a/security/nss/lib/freebl/mpi/mpi-test.c b/security/nss/lib/freebl/mpi/mpi-test.c
new file mode 100644
index 000000000..ed3880631
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi-test.c
@@ -0,0 +1,1973 @@
+/*
+ * mpi-test.c
+ *
+ * This is a general test suite for the MPI library, which tests
+ * all the functions in the library with known values.  The program
+ * exits with a zero (successful) status if the tests pass, or a 
+ * nonzero status if the tests fail.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *	Netscape Communications Corporation
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ * $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include <limits.h>
+#include <time.h>
+
+#include "mpi.h"
+#include "mpprime.h"
+
+#include "test-info.c"
+
+/* ZS means Zero Suppressed (no leading zeros) */
+#if MP_USE_LONG_DIGIT 
+#define ZS_DIGIT_FMT         "%lX"
+#elif MP_USE_LONG_LONG_DIGIT
+#define ZS_DIGIT_FMT         "%llX"
+#elif MP_USE_UINT_DIGIT 
+#define ZS_DIGIT_FMT         "%X"
+#else
+#error "unknown type of digit"
+#endif
+
+/*
+  Test vectors
+
+  If you intend to change any of these values, you must also recompute
+  the corresponding solutions below.  Basically, these are just hex
+  strings (for the big integers) or integer values (for the digits).
+
+  The comparison tests think they know what relationships hold between
+  these values.  If you change that, you may have to adjust the code
+  for the comparison tests accordingly.  Most of the other tests
+  should be fine as long as you re-compute the solutions, though.
+ */
+const char   *mp1  = "639A868CDA0C569861B";
+const char   *mp2  = "AAFC0A3FE45E5E09DBE2C29";
+const char   *mp3  = "B55AA8DF8A7E83241F38AC7A9E479CAEF2E4D7C5";
+const char   *mp4  = "-63DBC2265B88268DC801C10EA68476B7BDE0090F";
+const char   *mp5  = "F595CB42";
+const char   *mp5a = "-4B597E";
+const char   *mp6  = "0";
+const char   *mp7  = "EBFA7121CD838CE6439CC59DDB4CBEF3";
+const char   *mp8  = "5";
+const char   *mp9  = "F74A2876A1432698923B0767DA19DCF3D71795EE";
+const char   *mp10 = "9184E72A000";
+const char   *mp11 = "54D79A3557E8";
+const char   *mp12 = "10000000000000000";
+const char   *mp13 = 
+"34584F700C15A341E40BF7BFDD88A6630C8FF2B2067469372D391342BDAB6163963C"
+"D5A5C79F708BDE26E0CCF2DB66CD6D6089E29A877C45F2B050D226E6DA88";
+const char   *mp14 =
+"AC3FA0EABAAC45724814D798942A1E28E14C81E0DE8055CED630E7689DA648683645DB6E"
+"458D9F5338CC3D4E33A5D1C9BF42780133599E60DEE0049AFA8F9489501AE5C9AA2B8C13"
+"FD21285A538B2CA87A626BB56E0A654C8707535E637FF4E39174157402BDE3AA30C9F134"
+"0C1307BAA864B075A9CC828B6A5E2B2BF1AE406D920CC5E7657D7C0E697DEE5375773AF9"
+"E200A1B8FAD7CD141F9EE47ABB55511FEB9A4D99EBA22F3A3FF6792FA7EE9E5DC0EE94F7"
+"7A631EDF3D7DD7C2DAAAFDF234D60302AB63D5234CEAE941B9AF0ADDD9E6E3A940A94EE5"
+"5DB45A7C66E61EDD0477419BBEFA44C325129601C4F45671C6A0E64665DF341D17FBC71F"
+"77418BD9F4375DDB3B9D56126526D8E5E0F35A121FD4F347013DA880020A752324F31DDD"
+"9BCDB13A3B86E207A2DE086825E6EEB87B3A64232CFD8205B799BC018634AAE193F19531"
+"D6EBC19A75F27CFFAA03EB5974898F53FD569AA5CE60F431B53B0CDE715A5F382405C9C4"
+"761A8E24888328F09F7BCE4E8D80C957DF177629C8421ACCD0C268C63C0DD47C3C0D954F"
+"D79F7D7297C6788DF4B3E51381759864D880ACA246DF09533739B8BB6085EAF7AE8DC2D9"
+"F224E6874926C8D24D34B457FD2C9A586C6B99582DC24F787A39E3942786CF1D494B6EB4"
+"A513498CDA0B217C4E80BCE7DA1C704C35E071AC21E0DA9F57C27C3533F46A8D20B04137"
+"C1B1384BE4B2EB46";
+const char   *mp15 = 
+"39849CF7FD65AF2E3C4D87FE5526221103D90BA26A6642FFE3C3ECC0887BBBC57E011BF1"
+"05D822A841653509C68F79EBE51C0099B8CBB04DEF31F36F5954208A3209AC122F0E11D8"
+"4AE67A494D78336A2066D394D42E27EF6B03DDAF6D69F5112C93E714D27C94F82FC7EF77"
+"445768C68EAE1C4A1407BE1B303243391D325090449764AE469CC53EC8012C4C02A72F37"
+"07ED7275D2CC8D0A14B5BCC6BF264941520EBA97E3E6BAE4EE8BC87EE0DDA1F5611A6ECB"
+"65F8AEF4F184E10CADBDFA5A2FEF828901D18C20785E5CC63473D638762DA80625003711"
+"9E984AC43E707915B133543AF9D5522C3E7180DC58E1E5381C1FB7DC6A5F4198F3E88FA6"
+"CBB6DFA8B2D1C763226B253E18BCCB79A29EE82D2DE735078C8AE3C3C86D476AAA08434C"
+"09C274BDD40A1D8FDE38D6536C22F44E807EB73DE4FB36C9F51E0BC835DDBE3A8EFCF2FE"
+"672B525769DC39230EE624D5EEDBD837C82A52E153F37378C3AD68A81A7ADBDF3345DBCE"
+"8FA18CA1DE618EF94DF72EAD928D4F45B9E51632ACF158CF8332C51891D1D12C2A7E6684"
+"360C4BF177C952579A9F442CFFEC8DAE4821A8E7A31C4861D8464CA9116C60866C5E72F7"
+"434ADBED36D54ACDFDFF70A4EFB46E285131FE725F1C637D1C62115EDAD01C4189716327"
+"BFAA79618B1656CBFA22C2C965687D0381CC2FE0245913C4D8D96108213680BD8E93E821"
+"822AD9DDBFE4BD04";
+const char   *mp16 = "4A724340668DB150339A70";
+const char   *mp17 = "8ADB90F58";
+const char   *mp18 = "C64C230AB20E5";
+const char *mp19 = 
+"F1C9DACDA287F2E3C88DCE2393B8F53DAAAC1196DC36510962B6B59454CFE64B";
+const char *mp20 = 
+"D445662C8B6FE394107B867797750C326E0F4A967E135FC430F6CD7207913AC7";
+
+const mp_digit md1 = 0;
+const mp_digit md2 = 0x1;
+const mp_digit md3 = 0x80;
+const mp_digit md4 = 0x9C97;
+const mp_digit md5 = 0xF5BF;
+const mp_digit md6 = 0x14A0;
+const mp_digit md7 = 0x03E8;
+const mp_digit md8 = 0x0101;
+const mp_digit md9 = 0xA;
+
+/* 
+   Solutions of the form x_mpABC, where:
+
+   x = (p)roduct, (s)um, (d)ifference, (q)uotient, (r)emainder, (g)cd,
+       (i)nverse, (e)xponent, square roo(t), (g)cd, (l)cm.  A
+       leading 'm' indicates a modular operation, e.g. ms_mp12 is the
+       modular sum of operands 1 and 2
+
+   ABC are the operand numbers involved in the computation.  If a 'd'
+   precedes the number, it is a digit operand; if a 'c' precedes it,
+   it is a constant; otherwise, it is a full integer.  
+ */
+
+const char *p_mp12   = "4286AD72E095C9FE009938750743174ADDD7FD1E53";
+const char *p_mp34   = "-46BDBD66CA108C94A8CF46C325F7B6E2F2BA82D35"
+                       "A1BFD6934C441EE369B60CA29BADC26845E918B";
+const char *p_mp57   = "E260C265A0A27C17AD5F4E59D6E0360217A2EBA6";
+const char *p_mp22   = "7233B5C1097FFC77CCF55928FDC3A5D31B712FDE7A1E91";
+const char *p_mp1d4  = "3CECEA2331F4220BEF68DED";
+const char *p_mp8d6  = "6720";
+const char *p_mp1113 =
+"11590FC3831C8C3C51813142C88E566408DB04F9E27642F6471A1822E0100B12F7F1"
+"5699A127C0FA9D26DCBFF458522661F30C6ADA4A07C8C90F9116893F6DBFBF24C3A2"
+"4340";
+const char *p_mp1415 = 
+"26B36540DE8B3586699CCEAE218A2842C7D5A01590E70C4A26E789107FBCDB06AA2C"
+"6DDC39E6FA18B16FCB2E934C9A5F844DAD60EE3B1EA82199EC5E9608F67F860FB965"
+"736055DF0E8F2540EB28D07F47E309B5F5D7C94FF190AB9C83A6970160CA700B1081"
+"F60518132AF28C6CEE6B7C473E461ABAC52C39CED50A08DD4E7EA8BA18DAD545126D"
+"A388F6983C29B6BE3F9DCBC15766E8E6D626A92C5296A9C4653CAE5788350C0E2107"
+"F57E5E8B6994C4847D727FF1A63A66A6CEF42B9C9E6BD04C92550B85D5527DE8A132"
+"E6BE89341A9285C7CE7FB929D871BBCBD0ED2863B6B078B0DBB30FCA66D6C64284D6"
+"57F394A0271E15B6EC7A9D530EBAC6CA262EF6F97E1A29FCE7749240E4AECA591ECF"
+"272122BC587370F9371B67BB696B3CDC1BC8C5B64B6280994EBA00CDEB8EB0F5D06E"
+"18F401D65FDCECF23DD7B9BB5B4C5458AEF2CCC09BA7F70EACB844750ACFD027521E"
+"2E047DE8388B35F8512D3DA46FF1A12D4260213602BF7BFFDB6059439B1BD0676449"
+"8D98C74F48FB3F548948D5BA0C8ECFCD054465132DC43466D6BBD59FBAF8D6D4E157"
+"2D612B40A956C7D3E140F3B8562EF18568B24D335707D5BAC7495014DF2444172426"
+"FD099DED560D30D1F945386604AFC85C64BD1E5F531F5C7840475FC0CF0F79810012"
+"4572BAF5A9910CDBD02B27FFCC3C7E5E88EF59F3AE152476E33EDA696A4F751E0AE4"
+"A3D2792DEA78E25B9110E12A19EFD09EA47FF9D6594DA445478BEB6901EAF8A35B2D"
+"FD59BEE9BF7AA8535B7D326EFA5AA2121B5EBE04DD85827A3D43BD04F4AA6D7B62A2"
+"B6D7A3077286A511A431E1EF75FCEBA3FAE9D5843A8ED17AA02BBB1B571F904699C5"
+"A6073F87DDD012E2322AB3F41F2A61F428636FE86914148E19B8EF8314ED83332F2F"
+"8C2ADE95071E792C0A68B903E060DD322A75FD0C2B992059FCCBB58AFA06B50D1634"
+"BBD93F187FCE0566609FCC2BABB269C66CEB097598AA17957BB4FDA3E64A1B30402E"
+"851CF9208E33D52E459A92C63FBB66435BB018E155E2C7F055E0B7AB82CD58FC4889"
+"372ED9EEAC2A07E8E654AB445B9298D2830D6D4DFD117B9C8ABE3968927DC24B3633"
+"BAD6E6466DB45DDAE87A0AB00336AC2CCCE176704F7214FCAB55743AB76C2B6CA231"
+"7984610B27B5786DE55C184DDF556EDFEA79A3652831940DAD941E243F482DC17E50"
+"284BC2FB1AD712A92542C573E55678878F02DFD9E3A863C7DF863227AEDE14B47AD3"
+"957190124820ADC19F5353878EDB6BF7D0C77352A6E3BDB53EEB88F5AEF6226D6E68"
+"756776A8FB49B77564147A641664C2A54F7E5B680CCC6A4D22D894E464DF20537094"
+"548F1732452F9E7F810C0B4B430C073C0FBCE03F0D03F82630654BCE166AA772E1EE"
+"DD0C08D3E3EBDF0AF54203B43AFDFC40D8FC79C97A4B0A4E1BEB14D8FCEFDDED8758"
+"6ED65B18";
+
+const char *mp_mp345 = "B9B6D3A3";
+const char *mp_mp335 = "16609C2D";
+
+const char *s_mp13   = "B55AA8DF8A7E83241F38B2B446B06A4FB84E5DE0";
+const char *s_mp34   = "517EE6B92EF65C965736EB6BF7C325F73504CEB6";
+const char *s_mp46   = "-63DBC2265B88268DC801C10EA68476B7BDE0090F";
+const char *s_mp5d4  = "F59667D9";
+const char *s_mp2d5  = "AAFC0A3FE45E5E09DBF21E8";
+const char *s_mp1415 = 
+"E5C43DE2B811F4A084625F96E9504039E5258D8348E698CEB9F4D4292622042DB446"
+"F75F4B65C1FB7A317257FA354BB5A45E789AEC254EAECE11F80A53E3B513822491DB"
+"D9399DEC4807A2A3A10360129AC93F4A42388D3BF20B310DD0E9E9F4BE07FC88D53A"
+"78A26091E0AB506A70813712CCBFBDD440A69A906E650EE090FDD6A42A95AC1A414D"
+"317F1A9F781E6A30E9EE142ECDA45A1E3454A1417A7B9A613DA90831CF88EA1F2E82"
+"41AE88CC4053220903C2E05BCDD42F02B8CF8868F84C64C5858BAD356143C5494607"
+"EE22E11650148BAF65A985F6FC4CA540A55697F2B5AA95D6B8CF96EF638416DE1DD6"
+"3BA9E2C09E22D03E75B60BE456C642F86B82A709253E5E087B507DE3A45F8392423F"
+"4DBC284E8DC88C43CA77BC8DCEFB6129A59025F80F90FF978116DEBB9209E306FBB9"
+"1B6111F8B8CFACB7C7C9BC12691C22EE88303E1713F1DFCEB622B8EA102F6365678B"
+"C580ED87225467AA78E875868BD53B17574BA59305BC1AC666E4B7E9ED72FCFC200E"
+"189D98FC8C5C7533739C53F52DDECDDFA5A8668BFBD40DABC9640F8FCAE58F532940"
+"8162261320A25589E9FB51B50F80056471F24B7E1AEC35D1356FC2747FFC13A04B34"
+"24FCECE10880BD9D97CA8CDEB2F5969BF4F30256EB5ED2BCD1DC64BDC2EE65217848"
+"48A37FB13F84ED4FB7ACA18C4639EE64309BDD3D552AEB4AAF44295943DC1229A497"
+"A84A";
+
+const char *ms_mp345 = "1E71E292";
+
+const char *d_mp12   = "-AAFBA6A55DD183FD854A60E";
+const char *d_mp34   = "119366B05E606A9B1E73A6D8944CC1366B0C4E0D4";
+const char *d_mp5d4  = "F5952EAB";
+const char *d_mp6d2  = "-1";
+const char *md_mp345 = "26596B86";
+
+const char *q_mp42   = "-95825A1FFA1A155D5";
+const char *r_mp42   = "-6312E99D7700A3DCB32ADF2";
+const char *q_mp45a  = "15344CDA3D841F661D2B61B6EDF7828CE36";
+const char *r_mp45a  = "-47C47B";
+const char *q_mp7c2  = "75FD3890E6C1C67321CE62CEEDA65F79";
+const char *q_mp3d6  = "8CAFD53C272BD6FE8B0847BDC3B539EFAB5C3";
+const char *r_mp3d6  = "1E5";
+const char *r_mp5d5  = "1257";
+const char *r_mp47   = "B3A9018D970281A90FB729A181D95CB8";
+const char *q_mp1404 = 
+"-1B994D869142D3EF6123A3CBBC3C0114FA071CFCEEF4B7D231D65591D32501AD80F"
+"FF49AE4EC80514CC071EF6B42521C2508F4CB2FEAD69A2D2EF3934087DCAF88CC4C4"
+"659F1CA8A7F4D36817D802F778F1392337FE36302D6865BF0D4645625DF8BB044E19"
+"930635BE2609FAC8D99357D3A9F81F2578DE15A300964188292107DAC980E0A08CD7"
+"E938A2135FAD45D50CB1D8C2D4C4E60C27AB98B9FBD7E4DBF752C57D2674520E4BB2"
+"7E42324C0EFE84FB3E38CF6950E699E86FD45FE40D428400F2F94EDF7E94FAE10B45"
+"89329E1BF61E5A378C7B31C9C6A234F8254D4C24823B84D0BF8D671D8BC9154DFAC9"
+"49BD8ACABD6BD32DD4DC587F22C86153CB3954BDF7C2A890D623642492C482CF3E2C"
+"776FC019C3BBC61688B485E6FD35D6376089C1E33F880E84C4E51E8ABEACE1B3FB70"
+"3EAD0E28D2D44E7F1C0A859C840775E94F8C1369D985A3C5E8114B21D68B3CBB75D2"
+"791C586153C85B90CAA483E57A40E2D97950AAB84920A4396C950C87C7FFFE748358"
+"42A0BF65445B26D40F05BE164B822CA96321F41D85A289C5F5CD5F438A78704C9683"
+"422299D21899A22F853B0C93081CC9925E350132A0717A611DD932A68A0ACC6E4C7F"
+"7F685EF8C1F4910AEA5DC00BB5A36FCA07FFEAA490C547F6E14A08FE87041AB803E1"
+"BD9E23E4D367A2C35762F209073DFF48F3";
+const char *r_mp1404 = "12FF98621ABF63144BFFC3207AC8FC10D8D1A09";
+
+const char *q_mp13c  = 
+		"34584F700C15A341E40BF7BFDD88A6630C8FF2B2067469372D391342"
+		"BDAB6163963CD5A5C79F708BDE26E0CCF2DB66CD6D6089E29A877C45";
+const char *r_mp13c  = "F2B050D226E6DA88";
+const char *q_mp9c16 = "F74A2876A1432698923B0767DA19DCF3D71795E";
+const char *r_mp9c16 = "E";
+
+const char *e_mp5d9 = "A8FD7145E727A20E52E73D22990D35D158090307A"
+		      "13A5215AAC4E9AB1E96BD34E531209E03310400";
+const char *e_mp78  = "AA5F72C737DFFD8CCD108008BFE7C79ADC01A819B"
+		      "32B75FB82EC0FB8CA83311DA36D4063F1E57857A2"
+		      "1AB226563D84A15BB63CE975FF1453BD6750C58D9"
+		      "D113175764F5D0B3C89B262D4702F4D9640A3";
+const char *me_mp817 = "E504493ACB02F7F802B327AB13BF25";
+const char *me_mp5d47 = "1D45ED0D78F2778157992C951DD2734C";
+const char *me_mp1512 = "FB5B2A28D902B9D9";
+const char *me_mp161718 = "423C6AC6DBD74";
+const char *me_mp5114 =
+"64F0F72807993578BBA3C7C36FFB184028F9EB9A810C92079E1498D8A80FC848E1F0"
+"25F1DE43B7F6AC063F5CC29D8A7C2D7A66269D72BF5CDC327AF88AF8EF9E601DCB0A"
+"3F35BFF3525FB1B61CE3A25182F17C0A0633B4089EA15BDC47664A43FEF639748AAC"
+"19CF58E83D8FA32CD10661D2D4210CC84792937E6F36CB601851356622E63ADD4BD5"
+"542412C2E0C4958E51FD2524AABDC7D60CFB5DB332EEC9DC84210F10FAE0BA2018F2"
+"14C9D6867C9D6E49CF28C18D06CE009FD4D04BFC8837C3FAAA773F5CCF6DED1C22DE"
+"181786AFE188540586F2D74BF312E595244E6936AE52E45742109BAA76C36F2692F5"
+"CEF97AD462B138BE92721194B163254CBAAEE9B9864B21CCDD5375BCAD0D24132724"
+"113D3374B4BCF9AA49BA5ACBC12288C0BCF46DCE6CB4A241A91BD559B130B6E9CD3D"
+"D7A2C8B280C2A278BA9BF5D93244D563015C9484B86D9FEB602501DC16EEBC3EFF19"
+"53D7999682BF1A1E3B2E7B21F4BDCA3C355039FEF55B9C0885F98DC355CA7A6D8ECF"
+"5F7F1A6E11A764F2343C823B879B44616B56BF6AE3FA2ACF5483660E618882018E3F"
+"C8459313BACFE1F93CECC37B2576A5C0B2714BD3EEDEEC22F0E7E3E77B11396B9B99"
+"D683F2447A4004BBD4A57F6A616CDDFEC595C4FC19884CC2FC21CF5BF5B0B81E0F83"
+"B9DDA0CF4DFF35BB8D31245912BF4497FD0BD95F0C604E26EA5A8EA4F5EAE870A5BD"
+"FE8C";
+
+const char *e_mpc2d3 = "100000000000000000000000000000000";
+
+const char *t_mp9    = "FB9B6E32FF0452A34746";
+const char *i_mp27   = "B6AD8DCCDAF92B6FE57D062FFEE3A99";
+const char *i_mp2019 = 
+"BDF3D88DC373A63EED92903115B03FC8501910AF68297B4C41870AED3EA9F839";
+/* "15E3FE09E8AE5523AABA197BD2D16318D3CA148EDF4AE1C1C52FC96AFAF5680B"; */
+
+
+const char *t_mp15 =
+"795853094E59B0008093BCA8DECF68587C64BDCA2F3F7F8963DABC12F1CFFFA9B8C4"
+"365232FD4751870A0EF6CA619287C5D8B7F1747D95076AB19645EF309773E9EACEA0"
+"975FA4AE16251A8DA5865349C3A903E3B8A2C0DEA3C0720B6020C7FED69AFF62BB72"
+"10FAC443F9FFA2950776F949E819260C2AF8D94E8A1431A40F8C23C1973DE5D49AA2"
+"0B3FF5DA5C1D5324E712A78FF33A9B1748F83FA529905924A31DF38643B3F693EF9B"
+"58D846BB1AEAE4523ECC843FF551C1B300A130B65C1677402778F98C51C10813250E"
+"2496882877B069E877B59740DC1226F18A5C0F66F64A5F59A9FAFC5E9FC45AEC0E7A"
+"BEE244F7DD3AC268CF512A0E52E4F5BE5B94";
+
+const char *g_mp71   = "1";
+const char *g_mp25   = "7";
+const char *l_mp1011 = "C589E3D7D64A6942A000";
+
+/* mp9 in radices from 5 to 64 inclusive */
+#define LOW_RADIX   5
+#define HIGH_RADIX  64
+const char *v_mp9[] = {
+  "404041130042310320100141302000203430214122130002340212132414134210033",
+  "44515230120451152500101352430105520150025145320010504454125502",
+  "644641136612541136016610100564613624243140151310023515322",
+  "173512120732412062323044435407317550316717172705712756",
+  "265785018434285762514442046172754680368422060744852",
+  "1411774500397290569709059837552310354075408897518",
+  "184064268501499311A17746095910428222A241708032A",
+  "47706011B225950B02BB45602AA039893118A85950892",
+  "1A188C826B982353CB58422563AC602B783101671A86",
+  "105957B358B89B018958908A9114BC3DDC410B77982",
+  "CB7B3387E23452178846C55DD9D70C7CA9AEA78E8",
+  "F74A2876A1432698923B0767DA19DCF3D71795EE",
+  "17BF7C3673B76D7G7A5GA836277296F806E7453A",
+  "2EBG8HH3HFA6185D6H0596AH96G24C966DD3HG2",
+  "6G3HGBFEG8I3F25EAF61B904EIA40CFDH2124F",
+  "10AHC3D29EBHDF3HD97905CG0JA8061855C3FI",
+  "3BA5A55J5K699B2D09C38A4B237CH51IHA132",
+  "EDEA90DJ0B5CB3FGG1C8587FEB99D3C143CA",
+  "31M26JI1BBD56K3I028MML4EEDMAJK60LGLE",
+  "GGG5M3142FKKG82EJ28111D70EMHC241E4E",
+  "4446F4D5H10982023N297BF0DKBBHLLJB0I",
+  "12E9DEEOBMKAKEP0IM284MIP7FO1O521M46",
+  "85NN0HD48NN2FDDB1F5BMMKIB8CK20MDPK",
+  "2D882A7A0O0JPCJ4APDRIB77IABAKDGJP2",
+  "MFMCI0R7S27AAA3O3L2S8K44HKA7O02CN",
+  "7IGQS73FFSHC50NNH44B6PTTNLC3M6H78",
+  "2KLUB3U9850CSN6ANIDNIF1LB29MJ43LH",
+  "UT52GTL18CJ9H4HR0TJTK6ESUFBHF5FE",
+  "BTVL87QQBMUGF8PFWU4W3VU7U922QTMW",
+  "4OG10HW0MSWJBIDEE2PDH24GA7RIHIAA",
+  "1W8W9AX2DRUX48GXOLMK0PE42H0FEUWN",
+  "SVWI84VBH069WR15W1U2VTK06USY8Z2",
+  "CPTPNPDa5TYCPPNLALENT9IMX2GL0W2",
+  "5QU21UJMRaUYYYYYN6GHSMPOYOXEEUY",
+  "2O2Q7C6RPPB1SXJ9bR4035SPaQQ3H2W",
+  "18d994IbT4PHbD7cGIPCRP00bbQO0bc",
+  "NcDUEEWRO7XT76260WGeBHPVa72RdA",
+  "BbX2WCF9VfSB5LPdJAdeXKV1fd6LC2",
+  "60QDKW67P4JSQaTdQg7JE9ISafLaVU",
+  "33ba9XbDbRdNF4BeDB2XYMhAVDaBdA",
+  "1RIPZJA8gT5L5H7fTcaRhQ39geMMTc",
+  "d65j70fBATjcDiidPYXUGcaBVVLME",
+  "LKA9jhPabDG612TXWkhfT2gMXNIP2",
+  "BgNaYhjfT0G8PBcYRP8khJCR3C9QE",
+  "6Wk8RhJTAgDh10fYAiUVB1aM0HacG",
+  "3dOCjaf78kd5EQNViUZWj3AfFL90I",
+  "290VWkL3aiJoW4MBbHk0Z0bDo22Ni",
+  "1DbDZ1hpPZNUDBUp6UigcJllEdC26",
+  "dFSOLBUM7UZX8Vnc6qokGIOiFo1h",
+  "NcoUYJOg0HVmKI9fR2ag0S8R2hrK",
+  "EOpiJ5Te7oDe2pn8ZhAUKkhFHlZh",
+  "8nXK8rp8neV8LWta1WDgd1QnlWsU",
+  "5T3d6bcSBtHgrH9bCbu84tblaa7r",
+  "3PlUDIYUvMqOVCir7AtquK5dWanq",
+  "2A70gDPX2AtiicvIGGk9poiMtgvu",
+  "1MjiRxjk10J6SVAxFguv9kZiUnIc",
+  "rpre2vIDeb4h3sp50r1YBbtEx9L",
+  "ZHcoip0AglDAfibrsUcJ9M1C8fm",
+  "NHP18+eoe6uU54W49Kc6ZK7+bT2",
+  "FTAA7QXGoQOaZi7PzePtFFN5vNk"
+};
+
+const unsigned char b_mp4[] = {
+  0x01, 
+#if MP_DIGIT_MAX > MP_32BIT_MAX
+  0x00, 0x00, 0x00, 0x00,
+#endif
+  0x63, 0xDB, 0xC2, 0x26, 
+  0x5B, 0x88, 0x26, 0x8D, 
+  0xC8, 0x01, 0xC1, 0x0E, 
+  0xA6, 0x84, 0x76, 0xB7, 
+  0xBD, 0xE0, 0x09, 0x0F
+};
+
+/* Search for a test suite name in the names table  */
+int  find_name(char *name);
+void reason(char *fmt, ...);
+
+/*------------------------------------------------------------------------*/
+/*------------------------------------------------------------------------*/
+
+char g_intbuf[4096];  /* buffer for integer comparison   */
+char a_intbuf[4096];  /* buffer for integer comparison   */
+int  g_verbose = 1;   /* print out reasons for failure?  */
+int  res;
+
+#define IFOK(x) { if (MP_OKAY > (res = (x))) { \
+  reason("test %s failed: error %d\n", #x, res); return 1; }}
+
+int main(int argc, char *argv[])
+{
+  int which, res;
+
+  srand((unsigned int)time(NULL));
+
+  if (argc < 2) {
+    fprintf(stderr, "Usage: %s <test-suite> | list\n"
+	    "Type '%s help' for assistance\n", argv[0], argv[0]);
+    return 2;
+  } else if(argc > 2) {
+    if(strcmp(argv[2], "quiet") == 0)
+      g_verbose = 0;
+  }
+
+  if(strcmp(argv[1], "help") == 0) {
+    fprintf(stderr, "Help for mpi-test\n\n"
+	    "This program is a test driver for the MPI library, which\n"
+	    "tests all the various functions in the library to make sure\n"
+	    "they are working correctly.  The syntax is:\n"
+	    "    %s <suite-name>\n"
+	    "...where <suite-name> is the name of the test you wish to\n"
+	    "run.  To get a list of the tests, use '%s list'.\n\n"
+	    "The program exits with a status of zero if the test passes,\n"
+	    "or non-zero if it fails.  Ordinarily, failure is accompanied\n"
+	    "by a diagnostic message to standard error.  To suppress this\n"
+	    "add the keyword 'quiet' after the suite-name on the command\n"
+	    "line.\n\n", argv[0], argv[0]);
+    return 0;
+  }
+
+  if ((which = find_name(argv[1])) < 0) {
+    fprintf(stderr, "%s: test suite '%s' is not known\n", argv[0], argv[1]);
+    return 2;
+  }
+
+  if((res = (g_tests[which])()) < 0) {
+    fprintf(stderr, "%s: test suite not implemented yet\n", argv[0]);
+    return 2;
+  } else {
+    return res; 
+  }
+
+}
+
+/*------------------------------------------------------------------------*/
+
+int find_name(char *name)
+{
+  int ix = 0;
+  
+  while(ix < g_count) {
+    if (strcmp(name, g_names[ix]) == 0)
+      return ix;
+    
+    ++ix;
+  }
+  
+  return -1;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_list(void)
+{
+  int ix;
+  
+  fprintf(stderr, "There are currently %d test suites available\n",
+	  g_count);
+  
+  for(ix = 1; ix < g_count; ix++)
+    fprintf(stdout, "%-20s %s\n", g_names[ix], g_descs[ix]);
+  
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_copy(void)
+{
+  mp_int  a, b;
+  int     ix;
+
+  mp_init(&a); mp_init(&b);
+
+  mp_read_radix(&a, mp3, 16);
+  mp_copy(&a, &b);
+
+  if(SIGN(&a) != SIGN(&b) || USED(&a) != USED(&b)) {
+    if(SIGN(&a) != SIGN(&b)) {
+      reason("error: sign of original is %d, sign of copy is %d\n", 
+	     SIGN(&a), SIGN(&b));
+    } else {
+      reason("error: original precision is %d, copy precision is %d\n",
+	     USED(&a), USED(&b));
+    }
+    mp_clear(&a); mp_clear(&b);
+    return 1;
+  }
+
+  for(ix = 0; ix < USED(&b); ix++) {
+    if(DIGIT(&a, ix) != DIGIT(&b, ix)) {
+      reason("error: digit %d " DIGIT_FMT " != " DIGIT_FMT "\n",
+	     ix, DIGIT(&a, ix), DIGIT(&b, ix));
+      mp_clear(&a); mp_clear(&b);
+      return 1;
+    }
+  }
+     
+  mp_clear(&a); mp_clear(&b);
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_exch(void)
+{
+  mp_int  a, b;
+
+  mp_init(&a); mp_init(&b);
+  mp_read_radix(&a, mp7, 16); mp_read_radix(&b, mp1, 16);
+
+  mp_exch(&a, &b);
+  mp_toradix(&a, g_intbuf, 16);
+
+  mp_clear(&a);
+  if(strcmp(g_intbuf, mp1) != 0) {
+    mp_clear(&b);
+    reason("error: exchange failed\n");
+    return 1;
+  }
+
+  mp_toradix(&b, g_intbuf, 16);
+
+  mp_clear(&b);
+  if(strcmp(g_intbuf, mp7) != 0) {
+    reason("error: exchange failed\n");
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_zero(void)
+{
+  mp_int   a;
+
+  mp_init(&a); mp_read_radix(&a, mp7, 16);
+  mp_zero(&a);
+
+  if(USED(&a) != 1 || DIGIT(&a, 1) != 0) {
+    mp_toradix(&a, g_intbuf, 16);
+    reason("error: result is %s\n", g_intbuf);
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_clear(&a);
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_set(void)
+{
+  mp_int   a;
+
+  /* Test single digit set */
+  mp_init(&a); mp_set(&a, 5);
+  if(DIGIT(&a, 0) != 5) {
+    mp_toradix(&a, g_intbuf, 16);
+    reason("error: result is %s, expected 5\n", g_intbuf);
+    mp_clear(&a);
+    return 1;
+  }
+
+  /* Test integer set */
+  mp_set_int(&a, -4938110);
+  mp_toradix(&a, g_intbuf, 16);
+  mp_clear(&a);
+  if(strcmp(g_intbuf, mp5a) != 0) {
+    reason("error: result is %s, expected %s\n", g_intbuf, mp5a);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_abs(void)
+{
+  mp_int  a;
+
+  mp_init(&a); mp_read_radix(&a, mp4, 16);
+  mp_abs(&a, &a);
+  
+  if(SIGN(&a) != ZPOS) {
+    reason("error: sign of result is negative\n");
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_clear(&a);
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_neg(void)
+{
+  mp_int  a;
+  mp_sign s;
+
+  mp_init(&a); mp_read_radix(&a, mp4, 16);
+
+  s = SIGN(&a);
+  mp_neg(&a, &a);
+  if(SIGN(&a) == s) {
+    reason("error: sign of result is same as sign of nonzero input\n");
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_clear(&a);
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_add_d(void)
+{
+  mp_int  a;
+
+  mp_init(&a);
+  
+  mp_read_radix(&a, mp5, 16);
+  mp_add_d(&a, md4, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, s_mp5d4) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, s_mp5d4);
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp2, 16);
+  mp_add_d(&a, md5, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, s_mp2d5) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, s_mp2d5);
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_clear(&a);
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_add(void)
+{
+  mp_int  a, b;
+  int     res = 0;
+
+  mp_init(&a); mp_init(&b);
+
+  mp_read_radix(&a, mp1, 16); mp_read_radix(&b, mp3, 16);
+  mp_add(&a, &b, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, s_mp13) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, s_mp13);
+    res = 1; goto CLEANUP;
+  }
+
+  mp_read_radix(&a, mp4, 16);
+  mp_add(&a, &b, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, s_mp34) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, s_mp34);
+    res = 1; goto CLEANUP;
+  }
+
+  mp_read_radix(&a, mp4, 16); mp_read_radix(&b, mp6, 16);
+  mp_add(&a, &b, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, s_mp46) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, s_mp46);
+    res = 1; goto CLEANUP;
+  }
+
+  mp_read_radix(&a, mp14, 16); mp_read_radix(&b, mp15, 16);
+  mp_add(&a, &b, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, s_mp1415) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, s_mp1415);
+    res = 1;
+  }
+
+ CLEANUP:
+  mp_clear(&a); mp_clear(&b);
+  return res;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_sub_d(void)
+{
+  mp_int   a;
+
+  mp_init(&a);
+  mp_read_radix(&a, mp5, 16);
+
+  mp_sub_d(&a, md4, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, d_mp5d4) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, d_mp5d4);
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp6, 16);
+  
+  mp_sub_d(&a, md2, &a);
+  mp_toradix(&a, g_intbuf, 16);
+  
+  mp_clear(&a);
+  if(strcmp(g_intbuf, d_mp6d2) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, d_mp6d2);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_sub(void)
+{
+  mp_int  a, b;
+
+  mp_init(&a); mp_init(&b);
+
+  mp_read_radix(&a, mp1, 16); mp_read_radix(&b, mp2, 16);
+  mp_sub(&a, &b, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, d_mp12) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, d_mp12);
+    mp_clear(&a); mp_clear(&b);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp3, 16); mp_read_radix(&b, mp4, 16);
+  mp_sub(&a, &b, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, d_mp34) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, d_mp34);
+    mp_clear(&a); mp_clear(&b);
+    return 1;
+  }
+
+  mp_clear(&a); mp_clear(&b);
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_mul_d(void)
+{
+  mp_int   a;
+
+  mp_init(&a);
+  mp_read_radix(&a, mp1, 16);
+
+  IFOK( mp_mul_d(&a, md4, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+  
+  if(strcmp(g_intbuf, p_mp1d4) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, p_mp1d4);    
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp8, 16);
+  IFOK( mp_mul_d(&a, md6, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  mp_clear(&a);
+  if(strcmp(g_intbuf, p_mp8d6) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, p_mp8d6); 
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_mul(void)
+{
+  mp_int   a, b;
+  int      res = 0;
+
+  mp_init(&a); mp_init(&b);
+  mp_read_radix(&a, mp1, 16); mp_read_radix(&b, mp2, 16);
+
+  IFOK( mp_mul(&a, &b, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, p_mp12) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, p_mp12);
+    res = 1; goto CLEANUP;
+  }
+
+  mp_read_radix(&a, mp3, 16); mp_read_radix(&b, mp4, 16);
+  IFOK( mp_mul(&a, &b, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, p_mp34) !=0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, p_mp34);
+    res = 1; goto CLEANUP;
+  }
+
+  mp_read_radix(&a, mp5, 16); mp_read_radix(&b, mp7, 16);
+  IFOK( mp_mul(&a, &b, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, p_mp57) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, p_mp57);
+    res = 1; goto CLEANUP;
+  }
+
+  mp_read_radix(&a, mp11, 16); mp_read_radix(&b, mp13, 16);
+  IFOK( mp_mul(&a, &b, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, p_mp1113) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, p_mp1113);
+    res = 1; goto CLEANUP;
+  }
+
+  mp_read_radix(&a, mp14, 16); mp_read_radix(&b, mp15, 16);
+  IFOK( mp_mul(&a, &b, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, p_mp1415) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, p_mp1415);
+    res = 1;
+  }
+
+ CLEANUP:
+  mp_clear(&a); mp_clear(&b);
+  return res;
+
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_sqr(void)
+{
+  mp_int  a;
+
+  mp_init(&a); mp_read_radix(&a, mp2, 16);
+
+  mp_sqr(&a, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  mp_clear(&a);
+  if(strcmp(g_intbuf, p_mp22) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, p_mp22);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_div_d(void)
+{
+  mp_int    a, q;
+  mp_digit  r;
+  int       err = 0;
+
+  mp_init(&a); mp_init(&q);
+  mp_read_radix(&a, mp3, 16);
+
+  IFOK( mp_div_d(&a, md6, &q, &r) );
+  mp_toradix(&q, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, q_mp3d6) != 0) {
+    reason("error: computed q = %s, expected %s\n", g_intbuf, q_mp3d6);
+    ++err;
+  }
+
+  sprintf(g_intbuf, ZS_DIGIT_FMT, r);
+
+  if(strcmp(g_intbuf, r_mp3d6) != 0) {
+    reason("error: computed r = %s, expected %s\n", g_intbuf, r_mp3d6);
+    ++err;
+  }
+
+  mp_read_radix(&a, mp9, 16);
+  IFOK( mp_div_d(&a, 16, &q, &r) );
+  mp_toradix(&q, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, q_mp9c16) != 0) {
+    reason("error: computed q = %s, expected %s\n", g_intbuf, q_mp9c16);
+    ++err;
+  }
+
+  sprintf(g_intbuf, ZS_DIGIT_FMT, r);
+
+  if(strcmp(g_intbuf, r_mp9c16) != 0) {
+    reason("error: computed r = %s, expected %s\n", g_intbuf, r_mp9c16);
+    ++err;
+  }
+
+  mp_clear(&a); mp_clear(&q);
+  return err;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_div_2(void)
+{
+  mp_int  a;
+
+  mp_init(&a); mp_read_radix(&a, mp7, 16);
+  IFOK( mp_div_2(&a, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  mp_clear(&a);
+  if(strcmp(g_intbuf, q_mp7c2) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, q_mp7c2);
+    return 1;
+  }
+    
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_div_2d(void)
+{
+  mp_int  a, q, r;
+
+  mp_init(&q); mp_init(&r);
+  mp_init(&a); mp_read_radix(&a, mp13, 16);
+
+  IFOK( mp_div_2d(&a, 64, &q, &r) );
+  mp_clear(&a);
+
+  mp_toradix(&q, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, q_mp13c) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, q_mp13c);
+    mp_clear(&q); mp_clear(&r);
+    return 1;
+  }
+
+  mp_clear(&q);
+
+  mp_toradix(&r, g_intbuf, 16);
+  if(strcmp(g_intbuf, r_mp13c) != 0) {
+    reason("error, computed %s, expected %s\n", g_intbuf, r_mp13c);
+    mp_clear(&r);
+    return 1;
+  }
+
+  mp_clear(&r);
+  
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_div(void)
+{
+  mp_int  a, b, r;
+  int     err = 0;
+
+  mp_init(&a); mp_init(&b); mp_init(&r);
+
+  mp_read_radix(&a, mp4, 16); mp_read_radix(&b, mp2, 16);
+  IFOK( mp_div(&a, &b, &a, &r) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, q_mp42) != 0) {
+    reason("error: test 1 computed quot %s, expected %s\n", g_intbuf, q_mp42);
+    ++err;
+  }
+
+  mp_toradix(&r, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, r_mp42) != 0) {
+    reason("error: test 1 computed rem %s, expected %s\n", g_intbuf, r_mp42);
+    ++err;
+  }
+
+  mp_read_radix(&a, mp4, 16); mp_read_radix(&b, mp5a, 16);
+  IFOK( mp_div(&a, &b, &a, &r) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, q_mp45a) != 0) {
+    reason("error: test 2 computed quot %s, expected %s\n", g_intbuf, q_mp45a);
+    ++err;
+  }
+
+  mp_toradix(&r, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, r_mp45a) != 0) {
+    reason("error: test 2 computed rem %s, expected %s\n", g_intbuf, r_mp45a);
+    ++err;
+  }
+
+  mp_read_radix(&a, mp14, 16); mp_read_radix(&b, mp4, 16);
+  IFOK( mp_div(&a, &b, &a, &r) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, q_mp1404) != 0) {
+    reason("error: test 3 computed quot %s, expected %s\n", g_intbuf, q_mp1404);
+    ++err;
+  }
+
+  mp_toradix(&r, g_intbuf, 16);
+  
+  if(strcmp(g_intbuf, r_mp1404) != 0) {
+    reason("error: test 3 computed rem %s, expected %s\n", g_intbuf, r_mp1404);
+    ++err;
+  }
+
+  mp_clear(&a); mp_clear(&b); mp_clear(&r);
+
+  return err;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_expt_d(void)
+{
+  mp_int   a;
+
+  mp_init(&a); mp_read_radix(&a, mp5, 16);
+  mp_expt_d(&a, md9, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  mp_clear(&a);
+  if(strcmp(g_intbuf, e_mp5d9) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, e_mp5d9);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_expt(void)
+{
+  mp_int   a, b;
+
+  mp_init(&a); mp_init(&b);
+  mp_read_radix(&a, mp7, 16); mp_read_radix(&b, mp8, 16);
+
+  mp_expt(&a, &b, &a);
+  mp_toradix(&a, g_intbuf, 16);
+  mp_clear(&a); mp_clear(&b);
+
+  if(strcmp(g_intbuf, e_mp78) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, e_mp78);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_2expt(void)
+{
+  mp_int   a;
+
+  mp_init(&a);
+  mp_2expt(&a, md3);
+  mp_toradix(&a, g_intbuf, 16);
+  mp_clear(&a);
+
+  if(strcmp(g_intbuf, e_mpc2d3) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, e_mpc2d3);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_sqrt(void)
+{
+  mp_int  a;
+  int     res = 0;
+
+  mp_init(&a); mp_read_radix(&a, mp9, 16);
+  mp_sqrt(&a, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, t_mp9) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, t_mp9);
+    res = 1; goto CLEANUP;
+  }
+
+  mp_read_radix(&a, mp15, 16);
+  mp_sqrt(&a, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, t_mp15) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, t_mp15);
+    res = 1;
+  }
+
+ CLEANUP:
+  mp_clear(&a);
+  return res;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_mod_d(void)
+{
+  mp_int     a;
+  mp_digit   r;
+
+  mp_init(&a); mp_read_radix(&a, mp5, 16);
+  IFOK( mp_mod_d(&a, md5, &r) );
+  sprintf(g_intbuf, ZS_DIGIT_FMT, r);
+  mp_clear(&a);
+
+  if(strcmp(g_intbuf, r_mp5d5) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, r_mp5d5);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_mod(void)
+{
+  mp_int  a, m;
+
+  mp_init(&a); mp_init(&m);
+  mp_read_radix(&a, mp4, 16); mp_read_radix(&m, mp7, 16);
+  IFOK( mp_mod(&a, &m, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+  mp_clear(&a); mp_clear(&m);
+
+  if(strcmp(g_intbuf, r_mp47) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, r_mp47);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_addmod(void)
+{
+  mp_int a, b, m;
+
+  mp_init(&a); mp_init(&b); mp_init(&m);
+  mp_read_radix(&a, mp3, 16); mp_read_radix(&b, mp4, 16);
+  mp_read_radix(&m, mp5, 16);
+
+  IFOK( mp_addmod(&a, &b, &m, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+  mp_clear(&a); mp_clear(&b); mp_clear(&m);
+
+  if(strcmp(g_intbuf, ms_mp345) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, ms_mp345);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_submod(void)
+{
+  mp_int a, b, m;
+
+  mp_init(&a); mp_init(&b); mp_init(&m);
+  mp_read_radix(&a, mp3, 16); mp_read_radix(&b, mp4, 16);
+  mp_read_radix(&m, mp5, 16);
+
+  IFOK( mp_submod(&a, &b, &m, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+  mp_clear(&a); mp_clear(&b); mp_clear(&m);
+
+  if(strcmp(g_intbuf, md_mp345) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, md_mp345);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_mulmod(void)
+{
+  mp_int a, b, m;
+
+  mp_init(&a); mp_init(&b); mp_init(&m);
+  mp_read_radix(&a, mp3, 16); mp_read_radix(&b, mp4, 16);
+  mp_read_radix(&m, mp5, 16);
+
+  IFOK( mp_mulmod(&a, &b, &m, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+  mp_clear(&a); mp_clear(&b); mp_clear(&m);
+
+  if(strcmp(g_intbuf, mp_mp345) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, mp_mp345);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_sqrmod(void)
+{
+  mp_int a, m;
+
+  mp_init(&a); mp_init(&m);
+  mp_read_radix(&a, mp3, 16); mp_read_radix(&m, mp5, 16);
+
+  IFOK( mp_sqrmod(&a, &m, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+  mp_clear(&a); mp_clear(&m);
+
+  if(strcmp(g_intbuf, mp_mp335) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, mp_mp335);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_exptmod(void)
+{
+  mp_int  a, b, m;
+  int     res = 0;
+
+  mp_init(&a); mp_init(&b); mp_init(&m);
+  mp_read_radix(&a, mp8, 16); mp_read_radix(&b, mp1, 16);
+  mp_read_radix(&m, mp7, 16);
+
+  IFOK( mp_exptmod(&a, &b, &m, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, me_mp817) != 0) {
+    reason("case 1: error: computed %s, expected %s\n", g_intbuf, me_mp817);
+    res = 1; goto CLEANUP;
+  }
+
+  mp_read_radix(&a, mp1, 16); mp_read_radix(&b, mp5, 16);
+  mp_read_radix(&m, mp12, 16);
+
+  IFOK( mp_exptmod(&a, &b, &m, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, me_mp1512) != 0) {
+    reason("case 2: error: computed %s, expected %s\n", g_intbuf, me_mp1512);
+    res = 1; goto CLEANUP;
+  }
+
+  mp_read_radix(&a, mp5, 16); mp_read_radix(&b, mp1, 16);
+  mp_read_radix(&m, mp14, 16);
+
+  IFOK( mp_exptmod(&a, &b, &m, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, me_mp5114) != 0) {
+    reason("case 3: error: computed %s, expected %s\n", g_intbuf, me_mp5114);
+    res = 1;
+  }
+
+  mp_read_radix(&a, mp16, 16); mp_read_radix(&b, mp17, 16);
+  mp_read_radix(&m, mp18, 16);
+
+  IFOK( mp_exptmod(&a, &b, &m, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, me_mp161718) != 0) {
+    reason("case 4: error: computed %s, expected %s\n", g_intbuf, me_mp161718);
+    res = 1;
+  }
+
+ CLEANUP:
+  mp_clear(&a); mp_clear(&b); mp_clear(&m);
+  return res;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_exptmod_d(void)
+{
+  mp_int  a, m;
+
+  mp_init(&a); mp_init(&m);
+  mp_read_radix(&a, mp5, 16); mp_read_radix(&m, mp7, 16);
+
+  IFOK( mp_exptmod_d(&a, md4, &m, &a) );
+  mp_toradix(&a, g_intbuf, 16);
+  mp_clear(&a); mp_clear(&m);
+
+  if(strcmp(g_intbuf, me_mp5d47) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, me_mp5d47);
+    return 1;
+  }
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_invmod(void)
+{
+  mp_int  a, m, c;
+  mp_int  p1, p2, p3, p4, p5;
+  mp_int  t1, t2, t3, t4;
+  mp_err  res;
+
+  /* 5 128-bit primes. */
+  static const char ivp1[] = { "AAD8A5A2A2BEF644BAEE7DB0CA643719" };
+  static const char ivp2[] = { "CB371AD2B79A90BCC88D0430663E40B9" };
+  static const char ivp3[] = { "C6C818D4DF2618406CA09280C0400099" };
+  static const char ivp4[] = { "CE949C04512E68918006B1F0D7E93F27" };
+  static const char ivp5[] = { "F8EE999B6416645040687440E0B89F51" };
+
+  mp_init(&a); mp_init(&m);
+  mp_read_radix(&a, mp2, 16); mp_read_radix(&m, mp7, 16);
+
+  IFOK( mp_invmod(&a, &m, &a) );
+
+  mp_toradix(&a, g_intbuf, 16);
+  mp_clear(&a); mp_clear(&m);
+
+  if(strcmp(g_intbuf, i_mp27) != 0) {
+    reason("error: invmod test 1 computed %s, expected %s\n", g_intbuf, i_mp27);
+    return 1;
+  }
+
+  mp_init(&a); mp_init(&m);
+  mp_read_radix(&a, mp20, 16); mp_read_radix(&m, mp19, 16);
+
+  IFOK( mp_invmod(&a, &m, &a) );
+
+  mp_toradix(&a, g_intbuf, 16);
+  mp_clear(&a); mp_clear(&m);
+
+  if(strcmp(g_intbuf, i_mp2019) != 0) {
+    reason("error: invmod test 2 computed %s, expected %s\n", g_intbuf, i_mp2019);
+    return 1;
+  }
+
+/* Need the following test cases:
+  Odd modulus
+    - a is odd,      relatively prime to m
+    - a is odd,  not relatively prime to m
+    - a is even,     relatively prime to m
+    - a is even, not relatively prime to m
+  Even modulus
+    - a is even  (should fail)
+    - a is odd,  not relatively prime to m
+    - a is odd,      relatively prime to m,
+      m is not a power of 2
+	- m has factor 2**k, k < 32
+	- m has factor 2**k, k > 32
+      m is a power of 2, 2**k
+	- k < 32
+	- k > 32
+*/
+
+  mp_init(&a);  mp_init(&m);  mp_init(&c);  
+  mp_init(&p1); mp_init(&p2); mp_init(&p3); mp_init(&p4); mp_init(&p5); 
+  mp_init(&t1); mp_init(&t2); mp_init(&t3); mp_init(&t4); 
+
+  mp_read_radix(&p1, ivp1, 16);
+  mp_read_radix(&p2, ivp2, 16);
+  mp_read_radix(&p3, ivp3, 16);
+  mp_read_radix(&p4, ivp4, 16);
+  mp_read_radix(&p5, ivp5, 16);
+
+  IFOK( mp_2expt(&t2, 68) );	/* t2 = 2**68 */
+  IFOK( mp_2expt(&t3, 128) );	/* t3 = 2**128 */
+  IFOK( mp_2expt(&t4, 31) );	/* t4 = 2**31 */
+
+/* test 3: Odd modulus - a is odd, relatively prime to m */
+
+  IFOK( mp_mul(&p1, &p2, &a) );
+  IFOK( mp_mul(&p3, &p4, &m) );
+  IFOK( mp_invmod(&a, &m, &t1) );
+  IFOK( mp_invmod_xgcd(&a, &m, &c) );
+
+  if (mp_cmp(&t1, &c) != 0) {
+    mp_toradix(&t1, g_intbuf, 16);
+    mp_toradix(&c,  a_intbuf, 16);
+    reason("error: invmod test 3 computed %s, expected %s\n", 
+           g_intbuf, a_intbuf);
+    return 1;
+  }
+  mp_clear(&a);  mp_clear(&t1); mp_clear(&c);  
+  mp_init(&a);   mp_init(&t1);  mp_init(&c);   
+
+/* test 4: Odd modulus - a is odd, NOT relatively prime to m */
+
+  IFOK( mp_mul(&p1, &p3, &a) );
+  /* reuse same m as before */
+
+  res = mp_invmod_xgcd(&a, &m, &c);
+  if (res != MP_UNDEF) 
+    goto CLEANUP4;
+
+  res = mp_invmod(&a, &m, &t1); /* we expect this to fail. */
+  if (res != MP_UNDEF) {
+CLEANUP4:
+    reason("error: invmod test 4 succeeded, should have failed.\n");
+    return 1;
+  }
+  mp_clear(&a);  mp_clear(&t1); mp_clear(&c);  
+  mp_init(&a);   mp_init(&t1);  mp_init(&c);   
+
+/* test 5: Odd modulus - a is even, relatively prime to m */
+
+  IFOK( mp_mul(&p1, &t2, &a) );
+  /* reuse m */
+  IFOK( mp_invmod(&a, &m, &t1) );
+  IFOK( mp_invmod_xgcd(&a, &m, &c) );
+
+  if (mp_cmp(&t1, &c) != 0) {
+    mp_toradix(&t1, g_intbuf, 16);
+    mp_toradix(&c,  a_intbuf, 16);
+    reason("error: invmod test 5 computed %s, expected %s\n", 
+           g_intbuf, a_intbuf);
+    return 1;
+  }
+  mp_clear(&a);  mp_clear(&t1); mp_clear(&c);  
+  mp_init(&a);   mp_init(&t1);  mp_init(&c);   
+
+/* test 6: Odd modulus - a is odd, NOT relatively prime to m */
+
+  /* reuse t2 */
+  IFOK( mp_mul(&t2, &p3, &a) );
+  /* reuse same m as before */
+
+  res = mp_invmod_xgcd(&a, &m, &c);
+  if (res != MP_UNDEF) 
+    goto CLEANUP6;
+
+  res = mp_invmod(&a, &m, &t1); /* we expect this to fail. */
+  if (res != MP_UNDEF) {
+CLEANUP6:
+    reason("error: invmod test 6 succeeded, should have failed.\n");
+    return 1;
+  }
+  mp_clear(&a);  mp_clear(&m); mp_clear(&c);  mp_clear(&t1); 
+  mp_init(&a);   mp_init(&m);  mp_init(&c);   mp_init(&t1); 
+
+/* test 7: Even modulus, even a, should fail */
+
+  IFOK( mp_mul(&p3, &t3, &m) ); /* even m */
+  /* reuse t2 */
+  IFOK( mp_mul(&p1, &t2, &a) ); /* even a */
+
+  res = mp_invmod_xgcd(&a, &m, &c);
+  if (res != MP_UNDEF) 
+    goto CLEANUP7;
+
+  res = mp_invmod(&a, &m, &t1); /* we expect this to fail. */
+  if (res != MP_UNDEF) {
+CLEANUP7:
+    reason("error: invmod test 7 succeeded, should have failed.\n");
+    return 1;
+  }
+  mp_clear(&a);  mp_clear(&c);  mp_clear(&t1); 
+  mp_init(&a);   mp_init(&c);   mp_init(&t1); 
+
+/* test 8: Even modulus    - a is odd,  not relatively prime to m */
+
+  /* reuse m */
+  IFOK( mp_mul(&p3, &p1, &a) ); /* even a */
+
+  res = mp_invmod_xgcd(&a, &m, &c);
+  if (res != MP_UNDEF) 
+    goto CLEANUP8;
+
+  res = mp_invmod(&a, &m, &t1); /* we expect this to fail. */
+  if (res != MP_UNDEF) {
+CLEANUP8:
+    reason("error: invmod test 8 succeeded, should have failed.\n");
+    return 1;
+  }
+  mp_clear(&a);  mp_clear(&m); mp_clear(&c);  mp_clear(&t1); 
+  mp_init(&a);   mp_init(&m);  mp_init(&c);   mp_init(&t1); 
+
+/* test 9: Even modulus    - m has factor 2**k, k < 32
+ *	                   - a is odd, relatively prime to m,
+ */
+  IFOK( mp_mul(&p3, &t4, &m) ); /* even m */
+  IFOK( mp_mul(&p1, &p2, &a) );
+  IFOK( mp_invmod(&a, &m, &t1) );
+  IFOK( mp_invmod_xgcd(&a, &m, &c) );
+
+  if (mp_cmp(&t1, &c) != 0) {
+    mp_toradix(&t1, g_intbuf, 16);
+    mp_toradix(&c,  a_intbuf, 16);
+    reason("error: invmod test 9 computed %s, expected %s\n", 
+           g_intbuf, a_intbuf);
+    return 1;
+  }
+  mp_clear(&m);  mp_clear(&t1); mp_clear(&c);  
+  mp_init(&m);   mp_init(&t1);  mp_init(&c);   
+
+/* test 10: Even modulus    - m has factor 2**k, k > 32
+ *	                    - a is odd, relatively prime to m,
+ */
+  IFOK( mp_mul(&p3, &t3, &m) ); /* even m */
+  /* reuse a */
+  IFOK( mp_invmod(&a, &m, &t1) );
+  IFOK( mp_invmod_xgcd(&a, &m, &c) );
+
+  if (mp_cmp(&t1, &c) != 0) {
+    mp_toradix(&t1, g_intbuf, 16);
+    mp_toradix(&c,  a_intbuf, 16);
+    reason("error: invmod test 10 computed %s, expected %s\n", 
+           g_intbuf, a_intbuf);
+    return 1;
+  }
+  mp_clear(&t1); mp_clear(&c);  
+  mp_init(&t1);  mp_init(&c);   
+
+/* test 11: Even modulus    - m is a power of 2, 2**k | k < 32
+ *                          - a is odd, relatively prime to m,
+ */
+  IFOK( mp_invmod(&a, &t4, &t1) );
+  IFOK( mp_invmod_xgcd(&a, &t4, &c) );
+
+  if (mp_cmp(&t1, &c) != 0) {
+    mp_toradix(&t1, g_intbuf, 16);
+    mp_toradix(&c,  a_intbuf, 16);
+    reason("error: invmod test 11 computed %s, expected %s\n", 
+           g_intbuf, a_intbuf);
+    return 1;
+  }
+  mp_clear(&t1); mp_clear(&c);  
+  mp_init(&t1);  mp_init(&c);   
+
+/* test 12: Even modulus    - m is a power of 2, 2**k | k > 32
+ *                          - a is odd, relatively prime to m,
+ */
+  IFOK( mp_invmod(&a, &t3, &t1) );
+  IFOK( mp_invmod_xgcd(&a, &t3, &c) );
+
+  if (mp_cmp(&t1, &c) != 0) {
+    mp_toradix(&t1, g_intbuf, 16);
+    mp_toradix(&c,  a_intbuf, 16);
+    reason("error: invmod test 12 computed %s, expected %s\n", 
+           g_intbuf, a_intbuf);
+    return 1;
+  }
+
+  mp_clear(&a);  mp_clear(&m);  mp_clear(&c);  
+  mp_clear(&t1); mp_clear(&t2); mp_clear(&t3); mp_clear(&t4); 
+  mp_clear(&p1); mp_clear(&p2); mp_clear(&p3); mp_clear(&p4); mp_clear(&p5); 
+
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_cmp_d(void)
+{
+  mp_int  a;
+
+  mp_init(&a); mp_read_radix(&a, mp8, 16);
+
+  if(mp_cmp_d(&a, md8) >= 0) {
+    reason("error: %s >= " DIGIT_FMT "\n", mp8, md8);
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp5, 16);
+
+  if(mp_cmp_d(&a, md8) <= 0) {
+    reason("error: %s <= " DIGIT_FMT "\n", mp5, md8);
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp6, 16);
+
+  if(mp_cmp_d(&a, md1) != 0) {
+    reason("error: %s != " DIGIT_FMT "\n", mp6, md1);
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_clear(&a);
+  return 0;
+
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_cmp_z(void)
+{
+  mp_int  a;
+
+  mp_init(&a); mp_read_radix(&a, mp6, 16);
+
+  if(mp_cmp_z(&a) != 0) {
+    reason("error: someone thinks a zero value is non-zero\n");
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp1, 16);
+  
+  if(mp_cmp_z(&a) <= 0) {
+    reason("error: someone thinks a positive value is non-positive\n");
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp4, 16);
+
+  if(mp_cmp_z(&a) >= 0) {
+    reason("error: someone thinks a negative value is non-negative\n");
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_clear(&a);
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_cmp(void)
+{
+  mp_int  a, b;
+
+  mp_init(&a); mp_init(&b);
+  mp_read_radix(&a, mp3, 16); mp_read_radix(&b, mp4, 16);
+
+  if(mp_cmp(&a, &b) <= 0) {
+    reason("error: %s <= %s\n", mp3, mp4);
+    mp_clear(&a); mp_clear(&b);
+    return 1;
+  }
+
+  mp_read_radix(&b, mp3, 16);
+  if(mp_cmp(&a, &b) != 0) {
+    reason("error: %s != %s\n", mp3, mp3);
+    mp_clear(&a); mp_clear(&b);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp5, 16);
+  if(mp_cmp(&a, &b) >= 0) {
+    reason("error: %s >= %s\n", mp5, mp3);
+    mp_clear(&a); mp_clear(&b);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp5a, 16);
+  if(mp_cmp_int(&a, 1000000) >= 0 ||
+     (mp_cmp_int(&a, -5000000) <= 0) ||
+     (mp_cmp_int(&a, -4938110) != 0)) {
+    reason("error: long integer comparison failed (%s)", mp5a);
+    mp_clear(&a); mp_clear(&b);
+    return 1;
+  }
+
+  mp_clear(&a); mp_clear(&b);
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_cmp_mag(void)
+{
+  mp_int  a, b;
+
+  mp_init(&a); mp_init(&b);
+  mp_read_radix(&a, mp5, 16); mp_read_radix(&b, mp4, 16);
+
+  if(mp_cmp_mag(&a, &b) >= 0) {
+    reason("error: %s >= %s\n", mp5, mp4);
+    mp_clear(&a); mp_clear(&b);
+    return 1;
+  }
+
+  mp_read_radix(&b, mp5, 16);
+  if(mp_cmp_mag(&a, &b) != 0) {
+    reason("error: %s != %s\n", mp5, mp5);
+    mp_clear(&a); mp_clear(&b);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp1, 16);
+  if(mp_cmp_mag(&b, &a) >= 0) {
+    reason("error: %s >= %s\n", mp5, mp1);
+    mp_clear(&a); mp_clear(&b);
+    return 1;
+  }
+
+  mp_clear(&a); mp_clear(&b);
+  return 0;
+
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_parity(void)
+{
+  mp_int  a;
+
+  mp_init(&a); mp_read_radix(&a, mp1, 16);
+
+  if(!mp_isodd(&a)) {
+    reason("error: expected operand to be odd, but it isn't\n");
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_read_radix(&a, mp6, 16);
+  
+  if(!mp_iseven(&a)) {
+    reason("error: expected operand to be even, but it isn't\n");
+    mp_clear(&a);
+    return 1;
+  }
+
+  mp_clear(&a);
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_gcd(void)
+{
+  mp_int  a, b;
+  int     out = 0;
+
+  mp_init(&a); mp_init(&b);
+  mp_read_radix(&a, mp7, 16); mp_read_radix(&b, mp1, 16);
+
+  mp_gcd(&a, &b, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, g_mp71) != 0) {
+    reason("error: computed %s, expected %s\n", g_intbuf, g_mp71);
+    out = 1;
+  }
+
+  mp_clear(&a); mp_clear(&b);
+  return out;
+
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_lcm(void)
+{
+  mp_int  a, b;
+  int     out = 0;
+
+  mp_init(&a); mp_init(&b);
+  mp_read_radix(&a, mp10, 16); mp_read_radix(&b, mp11, 16);
+
+  mp_lcm(&a, &b, &a);
+  mp_toradix(&a, g_intbuf, 16);
+
+  if(strcmp(g_intbuf, l_mp1011) != 0) {
+    reason("error: computed %s, expected%s\n", g_intbuf, l_mp1011);
+    out = 1;
+  }
+
+  mp_clear(&a); mp_clear(&b);
+
+  return out;
+
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_convert(void)
+{
+  int    ix;
+  mp_int a;
+
+  mp_init(&a); mp_read_radix(&a, mp9, 16);
+
+  for(ix = LOW_RADIX; ix <= HIGH_RADIX; ix++) {
+    mp_toradix(&a, g_intbuf, ix);
+
+    if(strcmp(g_intbuf, v_mp9[ix - LOW_RADIX]) != 0) {
+      reason("error: radix %d, computed %s, expected %s\n",
+	     ix, g_intbuf, v_mp9[ix - LOW_RADIX]);
+      mp_clear(&a);
+      return 1;
+    }
+  }
+
+  mp_clear(&a);
+  return 0;
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_raw(void)
+{
+  int    len, out = 0;
+  mp_int a;
+  char   *buf;
+
+  mp_init(&a); mp_read_radix(&a, mp4, 16);
+
+  len = mp_raw_size(&a);
+  if(len != sizeof(b_mp4)) {
+    reason("error: test_raw: expected length %d, computed %d\n", sizeof(b_mp4),
+	   len);
+    mp_clear(&a);
+    return 1;
+  }
+
+  buf = calloc(len, sizeof(char));
+  mp_toraw(&a, buf);
+
+  if(memcmp(buf, b_mp4, sizeof(b_mp4)) != 0) {
+    reason("error: test_raw: binary output does not match test vector\n");
+    out = 1;
+  }
+
+  free(buf);
+  mp_clear(&a);
+
+  return out;
+
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_pprime(void)
+{
+  mp_int   p;
+  int      err = 0;
+  mp_err   res;
+
+  mp_init(&p);
+  mp_read_radix(&p, mp7, 16);
+
+  if(mpp_pprime(&p, 5) != MP_YES) {
+    reason("error: %s failed Rabin-Miller test, but is prime\n", mp7);
+    err = 1;
+  }
+
+  IFOK( mp_set_int(&p, 9) );
+  res = mpp_pprime(&p, 50);
+  if (res == MP_YES) {
+    reason("error: 9 is composite but passed Rabin-Miller test\n");
+    err = 1;
+  } else if (res != MP_NO) {
+    reason("test mpp_pprime(9, 50) failed: error %d\n", res); 
+    err = 1;
+  }
+
+  IFOK( mp_set_int(&p, 15) );
+  res = mpp_pprime(&p, 50);
+  if (res == MP_YES) {
+    reason("error: 15 is composite but passed Rabin-Miller test\n");
+    err = 1;
+  } else if (res != MP_NO) {
+    reason("test mpp_pprime(15, 50) failed: error %d\n", res); 
+    err = 1;
+  }
+
+  mp_clear(&p);
+
+  return err;
+
+}
+
+/*------------------------------------------------------------------------*/
+
+int test_fermat(void)
+{
+  mp_int p;
+  mp_err res;
+  int    err = 0;
+
+  mp_init(&p);
+  mp_read_radix(&p, mp7, 16);
+  
+  if((res = mpp_fermat(&p, 2)) != MP_YES) {
+    reason("error: %s failed Fermat test on 2: %s\n", mp7, 
+	   mp_strerror(res));
+    ++err;
+  }
+
+  if((res = mpp_fermat(&p, 3)) != MP_YES) {
+    reason("error: %s failed Fermat test on 3: %s\n", mp7, 
+	   mp_strerror(res));
+    ++err;
+  }
+
+  mp_clear(&p);
+
+  return err;
+
+}
+
+/*------------------------------------------------------------------------*/
+/* Like fprintf(), but only if we are behaving in a verbose manner        */
+
+void reason(char *fmt, ...)
+{
+  va_list    ap;
+
+  if(!g_verbose)
+    return;
+
+  va_start(ap, fmt);
+  vfprintf(stderr, fmt, ap);
+  va_end(ap);
+}
+
+/*------------------------------------------------------------------------*/
+/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/mpi.c b/security/nss/lib/freebl/mpi/mpi.c
new file mode 100644
index 000000000..83bd86764
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi.c
@@ -0,0 +1,4795 @@
+/*
+ *  mpi.c
+ *
+ *  Arbitrary precision integer arithmetic library
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *	Netscape Communications Corporation 
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include "mpi-priv.h"
+#if defined(OSF1)
+#include <c_asm.h>
+#endif
+
+#if MP_LOGTAB
+/*
+  A table of the logs of 2 for various bases (the 0 and 1 entries of
+  this table are meaningless and should not be referenced).  
+
+  This table is used to compute output lengths for the mp_toradix()
+  function.  Since a number n in radix r takes up about log_r(n)
+  digits, we estimate the output size by taking the least integer
+  greater than log_r(n), where:
+
+  log_r(n) = log_2(n) * log_r(2)
+
+  This table, therefore, is a table of log_r(2) for 2 <= r <= 36,
+  which are the output bases supported.  
+ */
+#include "logtab.h"
+#endif
+
+/* {{{ Constant strings */
+
+/* Constant strings returned by mp_strerror() */
+static const char *mp_err_string[] = {
+  "unknown result code",     /* say what?            */
+  "boolean true",            /* MP_OKAY, MP_YES      */
+  "boolean false",           /* MP_NO                */
+  "out of memory",           /* MP_MEM               */
+  "argument out of range",   /* MP_RANGE             */
+  "invalid input parameter", /* MP_BADARG            */
+  "result is undefined"      /* MP_UNDEF             */
+};
+
+/* Value to digit maps for radix conversion   */
+
+/* s_dmap_1 - standard digits and letters */
+static const char *s_dmap_1 = 
+  "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/";
+
+/* }}} */
+
+unsigned long mp_allocs;
+unsigned long mp_frees;
+unsigned long mp_copies;
+
+/* {{{ Default precision manipulation */
+
+/* Default precision for newly created mp_int's      */
+static mp_size s_mp_defprec = MP_DEFPREC;
+
+mp_size mp_get_prec(void)
+{
+  return s_mp_defprec;
+
+} /* end mp_get_prec() */
+
+void         mp_set_prec(mp_size prec)
+{
+  if(prec == 0)
+    s_mp_defprec = MP_DEFPREC;
+  else
+    s_mp_defprec = prec;
+
+} /* end mp_set_prec() */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/* {{{ mp_init(mp) */
+
+/*
+  mp_init(mp)
+
+  Initialize a new zero-valued mp_int.  Returns MP_OKAY if successful,
+  MP_MEM if memory could not be allocated for the structure.
+ */
+
+mp_err mp_init(mp_int *mp)
+{
+  return mp_init_size(mp, s_mp_defprec);
+
+} /* end mp_init() */
+
+/* }}} */
+
+/* {{{ mp_init_size(mp, prec) */
+
+/*
+  mp_init_size(mp, prec)
+
+  Initialize a new zero-valued mp_int with at least the given
+  precision; returns MP_OKAY if successful, or MP_MEM if memory could
+  not be allocated for the structure.
+ */
+
+mp_err mp_init_size(mp_int *mp, mp_size prec)
+{
+  ARGCHK(mp != NULL && prec > 0, MP_BADARG);
+
+  prec = MP_ROUNDUP(prec, s_mp_defprec);
+  if((DIGITS(mp) = s_mp_alloc(prec, sizeof(mp_digit))) == NULL)
+    return MP_MEM;
+
+  SIGN(mp) = ZPOS;
+  USED(mp) = 1;
+  ALLOC(mp) = prec;
+
+  return MP_OKAY;
+
+} /* end mp_init_size() */
+
+/* }}} */
+
+/* {{{ mp_init_copy(mp, from) */
+
+/*
+  mp_init_copy(mp, from)
+
+  Initialize mp as an exact copy of from.  Returns MP_OKAY if
+  successful, MP_MEM if memory could not be allocated for the new
+  structure.
+ */
+
+mp_err mp_init_copy(mp_int *mp, const mp_int *from)
+{
+  ARGCHK(mp != NULL && from != NULL, MP_BADARG);
+
+  if(mp == from)
+    return MP_OKAY;
+
+  if((DIGITS(mp) = s_mp_alloc(ALLOC(from), sizeof(mp_digit))) == NULL)
+    return MP_MEM;
+
+  s_mp_copy(DIGITS(from), DIGITS(mp), USED(from));
+  USED(mp) = USED(from);
+  ALLOC(mp) = ALLOC(from);
+  SIGN(mp) = SIGN(from);
+
+  return MP_OKAY;
+
+} /* end mp_init_copy() */
+
+/* }}} */
+
+/* {{{ mp_copy(from, to) */
+
+/*
+  mp_copy(from, to)
+
+  Copies the mp_int 'from' to the mp_int 'to'.  It is presumed that
+  'to' has already been initialized (if not, use mp_init_copy()
+  instead). If 'from' and 'to' are identical, nothing happens.
+ */
+
+mp_err mp_copy(const mp_int *from, mp_int *to)
+{
+  ARGCHK(from != NULL && to != NULL, MP_BADARG);
+
+  if(from == to)
+    return MP_OKAY;
+
+  ++mp_copies;
+  { /* copy */
+    mp_digit   *tmp;
+
+    /*
+      If the allocated buffer in 'to' already has enough space to hold
+      all the used digits of 'from', we'll re-use it to avoid hitting
+      the memory allocater more than necessary; otherwise, we'd have
+      to grow anyway, so we just allocate a hunk and make the copy as
+      usual
+     */
+    if(ALLOC(to) >= USED(from)) {
+      s_mp_setz(DIGITS(to) + USED(from), ALLOC(to) - USED(from));
+      s_mp_copy(DIGITS(from), DIGITS(to), USED(from));
+      
+    } else {
+      if((tmp = s_mp_alloc(ALLOC(from), sizeof(mp_digit))) == NULL)
+	return MP_MEM;
+
+      s_mp_copy(DIGITS(from), tmp, USED(from));
+
+      if(DIGITS(to) != NULL) {
+#if MP_CRYPTO
+	s_mp_setz(DIGITS(to), ALLOC(to));
+#endif
+	s_mp_free(DIGITS(to));
+      }
+
+      DIGITS(to) = tmp;
+      ALLOC(to) = ALLOC(from);
+    }
+
+    /* Copy the precision and sign from the original */
+    USED(to) = USED(from);
+    SIGN(to) = SIGN(from);
+  } /* end copy */
+
+  return MP_OKAY;
+
+} /* end mp_copy() */
+
+/* }}} */
+
+/* {{{ mp_exch(mp1, mp2) */
+
+/*
+  mp_exch(mp1, mp2)
+
+  Exchange mp1 and mp2 without allocating any intermediate memory
+  (well, unless you count the stack space needed for this call and the
+  locals it creates...).  This cannot fail.
+ */
+
+void mp_exch(mp_int *mp1, mp_int *mp2)
+{
+#if MP_ARGCHK == 2
+  assert(mp1 != NULL && mp2 != NULL);
+#else
+  if(mp1 == NULL || mp2 == NULL)
+    return;
+#endif
+
+  s_mp_exch(mp1, mp2);
+
+} /* end mp_exch() */
+
+/* }}} */
+
+/* {{{ mp_clear(mp) */
+
+/*
+  mp_clear(mp)
+
+  Release the storage used by an mp_int, and void its fields so that
+  if someone calls mp_clear() again for the same int later, we won't
+  get tollchocked.
+ */
+
+void   mp_clear(mp_int *mp)
+{
+  if(mp == NULL)
+    return;
+
+  if(DIGITS(mp) != NULL) {
+#if MP_CRYPTO
+    s_mp_setz(DIGITS(mp), ALLOC(mp));
+#endif
+    s_mp_free(DIGITS(mp));
+    DIGITS(mp) = NULL;
+  }
+
+  USED(mp) = 0;
+  ALLOC(mp) = 0;
+
+} /* end mp_clear() */
+
+/* }}} */
+
+/* {{{ mp_zero(mp) */
+
+/*
+  mp_zero(mp) 
+
+  Set mp to zero.  Does not change the allocated size of the structure,
+  and therefore cannot fail (except on a bad argument, which we ignore)
+ */
+void   mp_zero(mp_int *mp)
+{
+  if(mp == NULL)
+    return;
+
+  s_mp_setz(DIGITS(mp), ALLOC(mp));
+  USED(mp) = 1;
+  SIGN(mp) = ZPOS;
+
+} /* end mp_zero() */
+
+/* }}} */
+
+/* {{{ mp_set(mp, d) */
+
+void   mp_set(mp_int *mp, mp_digit d)
+{
+  if(mp == NULL)
+    return;
+
+  mp_zero(mp);
+  DIGIT(mp, 0) = d;
+
+} /* end mp_set() */
+
+/* }}} */
+
+/* {{{ mp_set_int(mp, z) */
+
+mp_err mp_set_int(mp_int *mp, long z)
+{
+  int            ix;
+  unsigned long  v = labs(z);
+  mp_err         res;
+
+  ARGCHK(mp != NULL, MP_BADARG);
+
+  mp_zero(mp);
+  if(z == 0)
+    return MP_OKAY;  /* shortcut for zero */
+
+  if (sizeof v <= sizeof(mp_digit)) {
+    DIGIT(mp,0) = v;
+  } else {
+    for (ix = sizeof(long) - 1; ix >= 0; ix--) {
+      if ((res = s_mp_mul_d(mp, (UCHAR_MAX + 1))) != MP_OKAY)
+	return res;
+
+      res = s_mp_add_d(mp, (mp_digit)((v >> (ix * CHAR_BIT)) & UCHAR_MAX));
+      if (res != MP_OKAY)
+	return res;
+    }
+  }
+  if(z < 0)
+    SIGN(mp) = NEG;
+
+  return MP_OKAY;
+
+} /* end mp_set_int() */
+
+/* }}} */
+
+/* {{{ mp_set_ulong(mp, z) */
+
+mp_err mp_set_ulong(mp_int *mp, unsigned long z)
+{
+  int            ix;
+  mp_err         res;
+
+  ARGCHK(mp != NULL, MP_BADARG);
+
+  mp_zero(mp);
+  if(z == 0)
+    return MP_OKAY;  /* shortcut for zero */
+
+  if (sizeof z <= sizeof(mp_digit)) {
+    DIGIT(mp,0) = z;
+  } else {
+    for (ix = sizeof(long) - 1; ix >= 0; ix--) {
+      if ((res = s_mp_mul_d(mp, (UCHAR_MAX + 1))) != MP_OKAY)
+	return res;
+
+      res = s_mp_add_d(mp, (mp_digit)((z >> (ix * CHAR_BIT)) & UCHAR_MAX));
+      if (res != MP_OKAY)
+	return res;
+    }
+  }
+  return MP_OKAY;
+} /* end mp_set_ulong() */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/* {{{ Digit arithmetic */
+
+/* {{{ mp_add_d(a, d, b) */
+
+/*
+  mp_add_d(a, d, b)
+
+  Compute the sum b = a + d, for a single digit d.  Respects the sign of
+  its primary addend (single digits are unsigned anyway).
+ */
+
+mp_err mp_add_d(const mp_int *a, mp_digit d, mp_int *b)
+{
+  mp_int   tmp;
+  mp_err   res;
+
+  ARGCHK(a != NULL && b != NULL, MP_BADARG);
+
+  if((res = mp_init_copy(&tmp, a)) != MP_OKAY)
+    return res;
+
+  if(SIGN(&tmp) == ZPOS) {
+    if((res = s_mp_add_d(&tmp, d)) != MP_OKAY)
+      goto CLEANUP;
+  } else if(s_mp_cmp_d(&tmp, d) >= 0) {
+    if((res = s_mp_sub_d(&tmp, d)) != MP_OKAY)
+      goto CLEANUP;
+  } else {
+    mp_neg(&tmp, &tmp);
+
+    DIGIT(&tmp, 0) = d - DIGIT(&tmp, 0);
+  }
+
+  if(s_mp_cmp_d(&tmp, 0) == 0)
+    SIGN(&tmp) = ZPOS;
+
+  s_mp_exch(&tmp, b);
+
+CLEANUP:
+  mp_clear(&tmp);
+  return res;
+
+} /* end mp_add_d() */
+
+/* }}} */
+
+/* {{{ mp_sub_d(a, d, b) */
+
+/*
+  mp_sub_d(a, d, b)
+
+  Compute the difference b = a - d, for a single digit d.  Respects the
+  sign of its subtrahend (single digits are unsigned anyway).
+ */
+
+mp_err mp_sub_d(const mp_int *a, mp_digit d, mp_int *b)
+{
+  mp_int   tmp;
+  mp_err   res;
+
+  ARGCHK(a != NULL && b != NULL, MP_BADARG);
+
+  if((res = mp_init_copy(&tmp, a)) != MP_OKAY)
+    return res;
+
+  if(SIGN(&tmp) == NEG) {
+    if((res = s_mp_add_d(&tmp, d)) != MP_OKAY)
+      goto CLEANUP;
+  } else if(s_mp_cmp_d(&tmp, d) >= 0) {
+    if((res = s_mp_sub_d(&tmp, d)) != MP_OKAY)
+      goto CLEANUP;
+  } else {
+    mp_neg(&tmp, &tmp);
+
+    DIGIT(&tmp, 0) = d - DIGIT(&tmp, 0);
+    SIGN(&tmp) = NEG;
+  }
+
+  if(s_mp_cmp_d(&tmp, 0) == 0)
+    SIGN(&tmp) = ZPOS;
+
+  s_mp_exch(&tmp, b);
+
+CLEANUP:
+  mp_clear(&tmp);
+  return res;
+
+} /* end mp_sub_d() */
+
+/* }}} */
+
+/* {{{ mp_mul_d(a, d, b) */
+
+/*
+  mp_mul_d(a, d, b)
+
+  Compute the product b = a * d, for a single digit d.  Respects the sign
+  of its multiplicand (single digits are unsigned anyway)
+ */
+
+mp_err mp_mul_d(const mp_int *a, mp_digit d, mp_int *b)
+{
+  mp_err  res;
+
+  ARGCHK(a != NULL && b != NULL, MP_BADARG);
+
+  if(d == 0) {
+    mp_zero(b);
+    return MP_OKAY;
+  }
+
+  if((res = mp_copy(a, b)) != MP_OKAY)
+    return res;
+
+  res = s_mp_mul_d(b, d);
+
+  return res;
+
+} /* end mp_mul_d() */
+
+/* }}} */
+
+/* {{{ mp_mul_2(a, c) */
+
+mp_err mp_mul_2(const mp_int *a, mp_int *c)
+{
+  mp_err  res;
+
+  ARGCHK(a != NULL && c != NULL, MP_BADARG);
+
+  if((res = mp_copy(a, c)) != MP_OKAY)
+    return res;
+
+  return s_mp_mul_2(c);
+
+} /* end mp_mul_2() */
+
+/* }}} */
+
+/* {{{ mp_div_d(a, d, q, r) */
+
+/*
+  mp_div_d(a, d, q, r)
+
+  Compute the quotient q = a / d and remainder r = a mod d, for a
+  single digit d.  Respects the sign of its divisor (single digits are
+  unsigned anyway).
+ */
+
+mp_err mp_div_d(const mp_int *a, mp_digit d, mp_int *q, mp_digit *r)
+{
+  mp_err   res;
+  mp_int   qp;
+  mp_digit rem;
+  int      pow;
+
+  ARGCHK(a != NULL, MP_BADARG);
+
+  if(d == 0)
+    return MP_RANGE;
+
+  /* Shortcut for powers of two ... */
+  if((pow = s_mp_ispow2d(d)) >= 0) {
+    mp_digit  mask;
+
+    mask = ((mp_digit)1 << pow) - 1;
+    rem = DIGIT(a, 0) & mask;
+
+    if(q) {
+      mp_copy(a, q);
+      s_mp_div_2d(q, pow);
+    }
+
+    if(r)
+      *r = rem;
+
+    return MP_OKAY;
+  }
+
+  if((res = mp_init_copy(&qp, a)) != MP_OKAY)
+    return res;
+
+  res = s_mp_div_d(&qp, d, &rem);
+
+  if(s_mp_cmp_d(&qp, 0) == 0)
+    SIGN(q) = ZPOS;
+
+  if(r)
+    *r = rem;
+
+  if(q)
+    s_mp_exch(&qp, q);
+
+  mp_clear(&qp);
+  return res;
+
+} /* end mp_div_d() */
+
+/* }}} */
+
+/* {{{ mp_div_2(a, c) */
+
+/*
+  mp_div_2(a, c)
+
+  Compute c = a / 2, disregarding the remainder.
+ */
+
+mp_err mp_div_2(const mp_int *a, mp_int *c)
+{
+  mp_err  res;
+
+  ARGCHK(a != NULL && c != NULL, MP_BADARG);
+
+  if((res = mp_copy(a, c)) != MP_OKAY)
+    return res;
+
+  s_mp_div_2(c);
+
+  return MP_OKAY;
+
+} /* end mp_div_2() */
+
+/* }}} */
+
+/* {{{ mp_expt_d(a, d, b) */
+
+mp_err mp_expt_d(const mp_int *a, mp_digit d, mp_int *c)
+{
+  mp_int   s, x;
+  mp_err   res;
+
+  ARGCHK(a != NULL && c != NULL, MP_BADARG);
+
+  if((res = mp_init(&s)) != MP_OKAY)
+    return res;
+  if((res = mp_init_copy(&x, a)) != MP_OKAY)
+    goto X;
+
+  DIGIT(&s, 0) = 1;
+
+  while(d != 0) {
+    if(d & 1) {
+      if((res = s_mp_mul(&s, &x)) != MP_OKAY)
+	goto CLEANUP;
+    }
+
+    d /= 2;
+
+    if((res = s_mp_sqr(&x)) != MP_OKAY)
+      goto CLEANUP;
+  }
+
+  s_mp_exch(&s, c);
+
+CLEANUP:
+  mp_clear(&x);
+X:
+  mp_clear(&s);
+
+  return res;
+
+} /* end mp_expt_d() */
+
+/* }}} */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/* {{{ Full arithmetic */
+
+/* {{{ mp_abs(a, b) */
+
+/*
+  mp_abs(a, b)
+
+  Compute b = |a|.  'a' and 'b' may be identical.
+ */
+
+mp_err mp_abs(const mp_int *a, mp_int *b)
+{
+  mp_err   res;
+
+  ARGCHK(a != NULL && b != NULL, MP_BADARG);
+
+  if((res = mp_copy(a, b)) != MP_OKAY)
+    return res;
+
+  SIGN(b) = ZPOS;
+
+  return MP_OKAY;
+
+} /* end mp_abs() */
+
+/* }}} */
+
+/* {{{ mp_neg(a, b) */
+
+/*
+  mp_neg(a, b)
+
+  Compute b = -a.  'a' and 'b' may be identical.
+ */
+
+mp_err mp_neg(const mp_int *a, mp_int *b)
+{
+  mp_err   res;
+
+  ARGCHK(a != NULL && b != NULL, MP_BADARG);
+
+  if((res = mp_copy(a, b)) != MP_OKAY)
+    return res;
+
+  if(s_mp_cmp_d(b, 0) == MP_EQ) 
+    SIGN(b) = ZPOS;
+  else 
+    SIGN(b) = (SIGN(b) == NEG) ? ZPOS : NEG;
+
+  return MP_OKAY;
+
+} /* end mp_neg() */
+
+/* }}} */
+
+/* {{{ mp_add(a, b, c) */
+
+/*
+  mp_add(a, b, c)
+
+  Compute c = a + b.  All parameters may be identical.
+ */
+
+mp_err mp_add(const mp_int *a, const mp_int *b, mp_int *c)
+{
+  mp_err  res;
+
+  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+  if(SIGN(a) == SIGN(b)) { /* same sign:  add values, keep sign */
+    MP_CHECKOK( s_mp_add_3arg(a, b, c) );
+  } else if(s_mp_cmp(a, b) >= 0) {  /* different sign: |a| >= |b|   */
+    MP_CHECKOK( s_mp_sub_3arg(a, b, c) );
+  } else {                          /* different sign: |a|  < |b|   */
+    MP_CHECKOK( s_mp_sub_3arg(b, a, c) );
+  }
+
+  if (s_mp_cmp_d(c, 0) == MP_EQ)
+    SIGN(c) = ZPOS;
+
+CLEANUP:
+  return res;
+
+} /* end mp_add() */
+
+/* }}} */
+
+/* {{{ mp_sub(a, b, c) */
+
+/*
+  mp_sub(a, b, c)
+
+  Compute c = a - b.  All parameters may be identical.
+ */
+
+mp_err mp_sub(const mp_int *a, const mp_int *b, mp_int *c)
+{
+  mp_err  res;
+  int     magDiff;
+
+  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+  if (a == b) {
+    mp_zero(c);
+    return MP_OKAY;
+  }
+
+  if (MP_SIGN(a) != MP_SIGN(b)) {
+    MP_CHECKOK( s_mp_add_3arg(a, b, c) );
+  } else if (!(magDiff = s_mp_cmp(a, b))) {
+    mp_zero(c);
+    res = MP_OKAY;
+  } else if (magDiff > 0) {
+    MP_CHECKOK( s_mp_sub_3arg(a, b, c) );
+  } else {
+    MP_CHECKOK( s_mp_sub_3arg(b, a, c) );
+    MP_SIGN(c) = !MP_SIGN(a);
+  }
+
+  if (s_mp_cmp_d(c, 0) == MP_EQ)
+    MP_SIGN(c) = MP_ZPOS;
+
+CLEANUP:
+  return res;
+
+} /* end mp_sub() */
+
+/* }}} */
+
+/* {{{ mp_mul(a, b, c) */
+
+/*
+  mp_mul(a, b, c)
+
+  Compute c = a * b.  All parameters may be identical.
+ */
+mp_err   mp_mul(const mp_int *a, const mp_int *b, mp_int * c)
+{
+  mp_digit *pb;
+  mp_int   tmp;
+  mp_err   res;
+  mp_size  ib;
+  mp_size  useda, usedb;
+
+  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+  if (a == c) {
+    if ((res = mp_init_copy(&tmp, a)) != MP_OKAY)
+      return res;
+    if (a == b) 
+      b = &tmp;
+    a = &tmp;
+  } else if (b == c) {
+    if ((res = mp_init_copy(&tmp, b)) != MP_OKAY)
+      return res;
+    b = &tmp;
+  } else {
+    MP_DIGITS(&tmp) = 0;
+  }
+
+  if (MP_USED(a) < MP_USED(b)) {
+    const mp_int *xch = b;	/* switch a and b, to do fewer outer loops */
+    b = a;
+    a = xch;
+  }
+
+  MP_USED(c) = 1; MP_DIGIT(c, 0) = 0;
+  if((res = s_mp_pad(c, USED(a) + USED(b))) != MP_OKAY)
+    goto CLEANUP;
+
+  pb = MP_DIGITS(b);
+  s_mpv_mul_d(MP_DIGITS(a), MP_USED(a), *pb++, MP_DIGITS(c));
+
+  /* Outer loop:  Digits of b */
+  useda = MP_USED(a);
+  usedb = MP_USED(b);
+  for (ib = 1; ib < usedb; ib++) {
+    mp_digit b_i    = *pb++;
+
+    /* Inner product:  Digits of a */
+    if (b_i)
+      s_mpv_mul_d_add(MP_DIGITS(a), useda, b_i, MP_DIGITS(c) + ib);
+    else
+      MP_DIGIT(c, ib + useda) = b_i;
+  }
+
+  s_mp_clamp(c);
+
+  if(SIGN(a) == SIGN(b) || s_mp_cmp_d(c, 0) == MP_EQ)
+    SIGN(c) = ZPOS;
+  else
+    SIGN(c) = NEG;
+
+CLEANUP:
+  mp_clear(&tmp);
+  return res;
+} /* end mp_mul() */
+
+/* }}} */
+
+/* {{{ mp_sqr(a, sqr) */
+
+#if MP_SQUARE
+/*
+  Computes the square of a.  This can be done more
+  efficiently than a general multiplication, because many of the
+  computation steps are redundant when squaring.  The inner product
+  step is a bit more complicated, but we save a fair number of
+  iterations of the multiplication loop.
+ */
+
+/* sqr = a^2;   Caller provides both a and tmp; */
+mp_err   mp_sqr(const mp_int *a, mp_int *sqr)
+{
+  mp_digit *pa;
+  mp_digit d;
+  mp_err   res;
+  mp_size  ix;
+  mp_int   tmp;
+  int      count;
+
+  ARGCHK(a != NULL && sqr != NULL, MP_BADARG);
+
+  if (a == sqr) {
+    if((res = mp_init_copy(&tmp, a)) != MP_OKAY)
+      return res;
+    a = &tmp;
+  } else {
+    DIGITS(&tmp) = 0;
+    res = MP_OKAY;
+  }
+
+  ix = 2 * MP_USED(a);
+  if (ix > MP_ALLOC(sqr)) {
+    MP_USED(sqr) = 1; 
+    MP_CHECKOK( s_mp_grow(sqr, ix) );
+  } 
+  MP_USED(sqr) = ix;
+  MP_DIGIT(sqr, 0) = 0;
+
+  pa = MP_DIGITS(a);
+  count = MP_USED(a) - 1;
+  if (count > 0) {
+    d = *pa++;
+    s_mpv_mul_d(pa, count, d, MP_DIGITS(sqr) + 1);
+    for (ix = 3; --count > 0; ix += 2) {
+      d = *pa++;
+      s_mpv_mul_d_add(pa, count, d, MP_DIGITS(sqr) + ix);
+    } /* for(ix ...) */
+    MP_DIGIT(sqr, MP_USED(sqr)-1) = 0; /* above loop stopped short of this. */
+
+    /* now sqr *= 2 */
+    s_mp_mul_2(sqr);
+  } else {
+    MP_DIGIT(sqr, 1) = 0;
+  }
+
+  /* now add the squares of the digits of a to sqr. */
+  s_mpv_sqr_add_prop(MP_DIGITS(a), MP_USED(a), MP_DIGITS(sqr));
+
+  SIGN(sqr) = ZPOS;
+  s_mp_clamp(sqr);
+
+CLEANUP:
+  mp_clear(&tmp);
+  return res;
+
+} /* end mp_sqr() */
+#endif
+
+/* }}} */
+
+/* {{{ mp_div(a, b, q, r) */
+
+/*
+  mp_div(a, b, q, r)
+
+  Compute q = a / b and r = a mod b.  Input parameters may be re-used
+  as output parameters.  If q or r is NULL, that portion of the
+  computation will be discarded (although it will still be computed)
+ */
+mp_err mp_div(const mp_int *a, const mp_int *b, mp_int *q, mp_int *r)
+{
+  mp_err   res;
+  mp_int   *pQ, *pR;
+  mp_int   qtmp, rtmp, btmp;
+  int      cmp;
+  mp_sign  signA = MP_SIGN(a);
+  mp_sign  signB = MP_SIGN(b);
+
+  ARGCHK(a != NULL && b != NULL, MP_BADARG);
+
+  if(mp_cmp_z(b) == MP_EQ)
+    return MP_RANGE;
+
+  DIGITS(&qtmp) = 0;
+  DIGITS(&rtmp) = 0;
+  DIGITS(&btmp) = 0;
+
+  /* Set up some temporaries... */
+  if (!r || r == a || r == b) {
+    MP_CHECKOK( mp_init_copy(&rtmp, a) );
+    pR = &rtmp;
+  } else {
+    MP_CHECKOK( mp_copy(a, r) );
+    pR = r;
+  }
+
+  if (!q || q == a || q == b) {
+    MP_CHECKOK( mp_init_size(&qtmp, MP_USED(a)) );
+    pQ = &qtmp;
+  } else {
+    MP_CHECKOK( s_mp_pad(q, MP_USED(a)) );
+    pQ = q;
+    mp_zero(pQ);
+  }
+
+  /*
+    If |a| <= |b|, we can compute the solution without division;
+    otherwise, we actually do the work required.
+   */
+  if ((cmp = s_mp_cmp(a, b)) <= 0) {
+    if (cmp) {
+      /* r was set to a above. */
+      mp_zero(pQ);
+    } else {
+      mp_set(pQ, 1);
+      mp_zero(pR);
+    }
+  } else {
+    MP_CHECKOK( mp_init_copy(&btmp, b) );
+    MP_CHECKOK( s_mp_div(pR, &btmp, pQ) );
+  }
+
+  /* Compute the signs for the output  */
+  MP_SIGN(pR) = signA;   /* Sr = Sa              */
+  /* Sq = ZPOS if Sa == Sb */ /* Sq = NEG if Sa != Sb */
+  MP_SIGN(pQ) = (signA == signB) ? ZPOS : NEG;
+
+  if(s_mp_cmp_d(pQ, 0) == MP_EQ)
+    SIGN(pQ) = ZPOS;
+  if(s_mp_cmp_d(pR, 0) == MP_EQ)
+    SIGN(pR) = ZPOS;
+
+  /* Copy output, if it is needed      */
+  if(q && q != pQ) 
+    s_mp_exch(pQ, q);
+
+  if(r && r != pR) 
+    s_mp_exch(pR, r);
+
+CLEANUP:
+  mp_clear(&btmp);
+  mp_clear(&rtmp);
+  mp_clear(&qtmp);
+
+  return res;
+
+} /* end mp_div() */
+
+/* }}} */
+
+/* {{{ mp_div_2d(a, d, q, r) */
+
+mp_err mp_div_2d(const mp_int *a, mp_digit d, mp_int *q, mp_int *r)
+{
+  mp_err  res;
+
+  ARGCHK(a != NULL, MP_BADARG);
+
+  if(q) {
+    if((res = mp_copy(a, q)) != MP_OKAY)
+      return res;
+  }
+  if(r) {
+    if((res = mp_copy(a, r)) != MP_OKAY)
+      return res;
+  }
+  if(q) {
+    s_mp_div_2d(q, d);
+  }
+  if(r) {
+    s_mp_mod_2d(r, d);
+  }
+
+  return MP_OKAY;
+
+} /* end mp_div_2d() */
+
+/* }}} */
+
+/* {{{ mp_expt(a, b, c) */
+
+/*
+  mp_expt(a, b, c)
+
+  Compute c = a ** b, that is, raise a to the b power.  Uses a
+  standard iterative square-and-multiply technique.
+ */
+
+mp_err mp_expt(mp_int *a, mp_int *b, mp_int *c)
+{
+  mp_int   s, x;
+  mp_err   res;
+  mp_digit d;
+  int      dig, bit;
+
+  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+  if(mp_cmp_z(b) < 0)
+    return MP_RANGE;
+
+  if((res = mp_init(&s)) != MP_OKAY)
+    return res;
+
+  mp_set(&s, 1);
+
+  if((res = mp_init_copy(&x, a)) != MP_OKAY)
+    goto X;
+
+  /* Loop over low-order digits in ascending order */
+  for(dig = 0; dig < (USED(b) - 1); dig++) {
+    d = DIGIT(b, dig);
+
+    /* Loop over bits of each non-maximal digit */
+    for(bit = 0; bit < DIGIT_BIT; bit++) {
+      if(d & 1) {
+	if((res = s_mp_mul(&s, &x)) != MP_OKAY) 
+	  goto CLEANUP;
+      }
+
+      d >>= 1;
+      
+      if((res = s_mp_sqr(&x)) != MP_OKAY)
+	goto CLEANUP;
+    }
+  }
+
+  /* Consider now the last digit... */
+  d = DIGIT(b, dig);
+
+  while(d) {
+    if(d & 1) {
+      if((res = s_mp_mul(&s, &x)) != MP_OKAY)
+	goto CLEANUP;
+    }
+
+    d >>= 1;
+
+    if((res = s_mp_sqr(&x)) != MP_OKAY)
+      goto CLEANUP;
+  }
+  
+  if(mp_iseven(b))
+    SIGN(&s) = SIGN(a);
+
+  res = mp_copy(&s, c);
+
+CLEANUP:
+  mp_clear(&x);
+X:
+  mp_clear(&s);
+
+  return res;
+
+} /* end mp_expt() */
+
+/* }}} */
+
+/* {{{ mp_2expt(a, k) */
+
+/* Compute a = 2^k */
+
+mp_err mp_2expt(mp_int *a, mp_digit k)
+{
+  ARGCHK(a != NULL, MP_BADARG);
+
+  return s_mp_2expt(a, k);
+
+} /* end mp_2expt() */
+
+/* }}} */
+
+/* {{{ mp_mod(a, m, c) */
+
+/*
+  mp_mod(a, m, c)
+
+  Compute c = a (mod m).  Result will always be 0 <= c < m.
+ */
+
+mp_err mp_mod(const mp_int *a, const mp_int *m, mp_int *c)
+{
+  mp_err  res;
+  int     mag;
+
+  ARGCHK(a != NULL && m != NULL && c != NULL, MP_BADARG);
+
+  if(SIGN(m) == NEG)
+    return MP_RANGE;
+
+  /*
+     If |a| > m, we need to divide to get the remainder and take the
+     absolute value.  
+
+     If |a| < m, we don't need to do any division, just copy and adjust
+     the sign (if a is negative).
+
+     If |a| == m, we can simply set the result to zero.
+
+     This order is intended to minimize the average path length of the
+     comparison chain on common workloads -- the most frequent cases are
+     that |a| != m, so we do those first.
+   */
+  if((mag = s_mp_cmp(a, m)) > 0) {
+    if((res = mp_div(a, m, NULL, c)) != MP_OKAY)
+      return res;
+    
+    if(SIGN(c) == NEG) {
+      if((res = mp_add(c, m, c)) != MP_OKAY)
+	return res;
+    }
+
+  } else if(mag < 0) {
+    if((res = mp_copy(a, c)) != MP_OKAY)
+      return res;
+
+    if(mp_cmp_z(a) < 0) {
+      if((res = mp_add(c, m, c)) != MP_OKAY)
+	return res;
+
+    }
+    
+  } else {
+    mp_zero(c);
+
+  }
+
+  return MP_OKAY;
+
+} /* end mp_mod() */
+
+/* }}} */
+
+/* {{{ mp_mod_d(a, d, c) */
+
+/*
+  mp_mod_d(a, d, c)
+
+  Compute c = a (mod d).  Result will always be 0 <= c < d
+ */
+mp_err mp_mod_d(const mp_int *a, mp_digit d, mp_digit *c)
+{
+  mp_err   res;
+  mp_digit rem;
+
+  ARGCHK(a != NULL && c != NULL, MP_BADARG);
+
+  if(s_mp_cmp_d(a, d) > 0) {
+    if((res = mp_div_d(a, d, NULL, &rem)) != MP_OKAY)
+      return res;
+
+  } else {
+    if(SIGN(a) == NEG)
+      rem = d - DIGIT(a, 0);
+    else
+      rem = DIGIT(a, 0);
+  }
+
+  if(c)
+    *c = rem;
+
+  return MP_OKAY;
+
+} /* end mp_mod_d() */
+
+/* }}} */
+
+/* {{{ mp_sqrt(a, b) */
+
+/*
+  mp_sqrt(a, b)
+
+  Compute the integer square root of a, and store the result in b.
+  Uses an integer-arithmetic version of Newton's iterative linear
+  approximation technique to determine this value; the result has the
+  following two properties:
+
+     b^2 <= a
+     (b+1)^2 >= a
+
+  It is a range error to pass a negative value.
+ */
+mp_err mp_sqrt(const mp_int *a, mp_int *b)
+{
+  mp_int   x, t;
+  mp_err   res;
+  mp_size  used;
+
+  ARGCHK(a != NULL && b != NULL, MP_BADARG);
+
+  /* Cannot take square root of a negative value */
+  if(SIGN(a) == NEG)
+    return MP_RANGE;
+
+  /* Special cases for zero and one, trivial     */
+  if(mp_cmp_d(a, 1) <= 0)
+    return mp_copy(a, b);
+    
+  /* Initialize the temporaries we'll use below  */
+  if((res = mp_init_size(&t, USED(a))) != MP_OKAY)
+    return res;
+
+  /* Compute an initial guess for the iteration as a itself */
+  if((res = mp_init_copy(&x, a)) != MP_OKAY)
+    goto X;
+
+  used = MP_USED(&x);
+  if (used > 1) {
+    s_mp_rshd(&x, used / 2);
+  }
+
+  for(;;) {
+    /* t = (x * x) - a */
+    mp_copy(&x, &t);      /* can't fail, t is big enough for original x */
+    if((res = mp_sqr(&t, &t)) != MP_OKAY ||
+       (res = mp_sub(&t, a, &t)) != MP_OKAY)
+      goto CLEANUP;
+
+    /* t = t / 2x       */
+    s_mp_mul_2(&x);
+    if((res = mp_div(&t, &x, &t, NULL)) != MP_OKAY)
+      goto CLEANUP;
+    s_mp_div_2(&x);
+
+    /* Terminate the loop, if the quotient is zero */
+    if(mp_cmp_z(&t) == MP_EQ)
+      break;
+
+    /* x = x - t       */
+    if((res = mp_sub(&x, &t, &x)) != MP_OKAY)
+      goto CLEANUP;
+
+  }
+
+  /* Copy result to output parameter */
+  mp_sub_d(&x, 1, &x);
+  s_mp_exch(&x, b);
+
+ CLEANUP:
+  mp_clear(&x);
+ X:
+  mp_clear(&t); 
+
+  return res;
+
+} /* end mp_sqrt() */
+
+/* }}} */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/* {{{ Modular arithmetic */
+
+#if MP_MODARITH
+/* {{{ mp_addmod(a, b, m, c) */
+
+/*
+  mp_addmod(a, b, m, c)
+
+  Compute c = (a + b) mod m
+ */
+
+mp_err mp_addmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c)
+{
+  mp_err  res;
+
+  ARGCHK(a != NULL && b != NULL && m != NULL && c != NULL, MP_BADARG);
+
+  if((res = mp_add(a, b, c)) != MP_OKAY)
+    return res;
+  if((res = mp_mod(c, m, c)) != MP_OKAY)
+    return res;
+
+  return MP_OKAY;
+
+}
+
+/* }}} */
+
+/* {{{ mp_submod(a, b, m, c) */
+
+/*
+  mp_submod(a, b, m, c)
+
+  Compute c = (a - b) mod m
+ */
+
+mp_err mp_submod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c)
+{
+  mp_err  res;
+
+  ARGCHK(a != NULL && b != NULL && m != NULL && c != NULL, MP_BADARG);
+
+  if((res = mp_sub(a, b, c)) != MP_OKAY)
+    return res;
+  if((res = mp_mod(c, m, c)) != MP_OKAY)
+    return res;
+
+  return MP_OKAY;
+
+}
+
+/* }}} */
+
+/* {{{ mp_mulmod(a, b, m, c) */
+
+/*
+  mp_mulmod(a, b, m, c)
+
+  Compute c = (a * b) mod m
+ */
+
+mp_err mp_mulmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c)
+{
+  mp_err  res;
+
+  ARGCHK(a != NULL && b != NULL && m != NULL && c != NULL, MP_BADARG);
+
+  if((res = mp_mul(a, b, c)) != MP_OKAY)
+    return res;
+  if((res = mp_mod(c, m, c)) != MP_OKAY)
+    return res;
+
+  return MP_OKAY;
+
+}
+
+/* }}} */
+
+/* {{{ mp_sqrmod(a, m, c) */
+
+#if MP_SQUARE
+mp_err mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c)
+{
+  mp_err  res;
+
+  ARGCHK(a != NULL && m != NULL && c != NULL, MP_BADARG);
+
+  if((res = mp_sqr(a, c)) != MP_OKAY)
+    return res;
+  if((res = mp_mod(c, m, c)) != MP_OKAY)
+    return res;
+
+  return MP_OKAY;
+
+} /* end mp_sqrmod() */
+#endif
+
+/* }}} */
+
+/* {{{ s_mp_exptmod(a, b, m, c) */
+
+/*
+  s_mp_exptmod(a, b, m, c)
+
+  Compute c = (a ** b) mod m.  Uses a standard square-and-multiply
+  method with modular reductions at each step. (This is basically the
+  same code as mp_expt(), except for the addition of the reductions)
+  
+  The modular reductions are done using Barrett's algorithm (see
+  s_mp_reduce() below for details)
+ */
+
+mp_err s_mp_exptmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c)
+{
+  mp_int   s, x, mu;
+  mp_err   res;
+  mp_digit d;
+  int      dig, bit;
+
+  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+  if(mp_cmp_z(b) < 0 || mp_cmp_z(m) <= 0)
+    return MP_RANGE;
+
+  if((res = mp_init(&s)) != MP_OKAY)
+    return res;
+  if((res = mp_init_copy(&x, a)) != MP_OKAY ||
+     (res = mp_mod(&x, m, &x)) != MP_OKAY)
+    goto X;
+  if((res = mp_init(&mu)) != MP_OKAY)
+    goto MU;
+
+  mp_set(&s, 1);
+
+  /* mu = b^2k / m */
+  s_mp_add_d(&mu, 1); 
+  s_mp_lshd(&mu, 2 * USED(m));
+  if((res = mp_div(&mu, m, &mu, NULL)) != MP_OKAY)
+    goto CLEANUP;
+
+  /* Loop over digits of b in ascending order, except highest order */
+  for(dig = 0; dig < (USED(b) - 1); dig++) {
+    d = DIGIT(b, dig);
+
+    /* Loop over the bits of the lower-order digits */
+    for(bit = 0; bit < DIGIT_BIT; bit++) {
+      if(d & 1) {
+	if((res = s_mp_mul(&s, &x)) != MP_OKAY)
+	  goto CLEANUP;
+	if((res = s_mp_reduce(&s, m, &mu)) != MP_OKAY)
+	  goto CLEANUP;
+      }
+
+      d >>= 1;
+
+      if((res = s_mp_sqr(&x)) != MP_OKAY)
+	goto CLEANUP;
+      if((res = s_mp_reduce(&x, m, &mu)) != MP_OKAY)
+	goto CLEANUP;
+    }
+  }
+
+  /* Now do the last digit... */
+  d = DIGIT(b, dig);
+
+  while(d) {
+    if(d & 1) {
+      if((res = s_mp_mul(&s, &x)) != MP_OKAY)
+	goto CLEANUP;
+      if((res = s_mp_reduce(&s, m, &mu)) != MP_OKAY)
+	goto CLEANUP;
+    }
+
+    d >>= 1;
+
+    if((res = s_mp_sqr(&x)) != MP_OKAY)
+      goto CLEANUP;
+    if((res = s_mp_reduce(&x, m, &mu)) != MP_OKAY)
+      goto CLEANUP;
+  }
+
+  s_mp_exch(&s, c);
+
+ CLEANUP:
+  mp_clear(&mu);
+ MU:
+  mp_clear(&x);
+ X:
+  mp_clear(&s);
+
+  return res;
+
+} /* end s_mp_exptmod() */
+
+/* }}} */
+
+/* {{{ mp_exptmod_d(a, d, m, c) */
+
+mp_err mp_exptmod_d(const mp_int *a, mp_digit d, const mp_int *m, mp_int *c)
+{
+  mp_int   s, x;
+  mp_err   res;
+
+  ARGCHK(a != NULL && c != NULL, MP_BADARG);
+
+  if((res = mp_init(&s)) != MP_OKAY)
+    return res;
+  if((res = mp_init_copy(&x, a)) != MP_OKAY)
+    goto X;
+
+  mp_set(&s, 1);
+
+  while(d != 0) {
+    if(d & 1) {
+      if((res = s_mp_mul(&s, &x)) != MP_OKAY ||
+	 (res = mp_mod(&s, m, &s)) != MP_OKAY)
+	goto CLEANUP;
+    }
+
+    d /= 2;
+
+    if((res = s_mp_sqr(&x)) != MP_OKAY ||
+       (res = mp_mod(&x, m, &x)) != MP_OKAY)
+      goto CLEANUP;
+  }
+
+  s_mp_exch(&s, c);
+
+CLEANUP:
+  mp_clear(&x);
+X:
+  mp_clear(&s);
+
+  return res;
+
+} /* end mp_exptmod_d() */
+
+/* }}} */
+#endif /* if MP_MODARITH */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/* {{{ Comparison functions */
+
+/* {{{ mp_cmp_z(a) */
+
+/*
+  mp_cmp_z(a)
+
+  Compare a <=> 0.  Returns <0 if a<0, 0 if a=0, >0 if a>0.
+ */
+
+int    mp_cmp_z(const mp_int *a)
+{
+  if(SIGN(a) == NEG)
+    return MP_LT;
+  else if(USED(a) == 1 && DIGIT(a, 0) == 0)
+    return MP_EQ;
+  else
+    return MP_GT;
+
+} /* end mp_cmp_z() */
+
+/* }}} */
+
+/* {{{ mp_cmp_d(a, d) */
+
+/*
+  mp_cmp_d(a, d)
+
+  Compare a <=> d.  Returns <0 if a<d, 0 if a=d, >0 if a>d
+ */
+
+int    mp_cmp_d(const mp_int *a, mp_digit d)
+{
+  ARGCHK(a != NULL, MP_EQ);
+
+  if(SIGN(a) == NEG)
+    return MP_LT;
+
+  return s_mp_cmp_d(a, d);
+
+} /* end mp_cmp_d() */
+
+/* }}} */
+
+/* {{{ mp_cmp(a, b) */
+
+int    mp_cmp(const mp_int *a, const mp_int *b)
+{
+  ARGCHK(a != NULL && b != NULL, MP_EQ);
+
+  if(SIGN(a) == SIGN(b)) {
+    int  mag;
+
+    if((mag = s_mp_cmp(a, b)) == MP_EQ)
+      return MP_EQ;
+
+    if(SIGN(a) == ZPOS)
+      return mag;
+    else
+      return -mag;
+
+  } else if(SIGN(a) == ZPOS) {
+    return MP_GT;
+  } else {
+    return MP_LT;
+  }
+
+} /* end mp_cmp() */
+
+/* }}} */
+
+/* {{{ mp_cmp_mag(a, b) */
+
+/*
+  mp_cmp_mag(a, b)
+
+  Compares |a| <=> |b|, and returns an appropriate comparison result
+ */
+
+int    mp_cmp_mag(mp_int *a, mp_int *b)
+{
+  ARGCHK(a != NULL && b != NULL, MP_EQ);
+
+  return s_mp_cmp(a, b);
+
+} /* end mp_cmp_mag() */
+
+/* }}} */
+
+/* {{{ mp_cmp_int(a, z) */
+
+/*
+  This just converts z to an mp_int, and uses the existing comparison
+  routines.  This is sort of inefficient, but it's not clear to me how
+  frequently this wil get used anyway.  For small positive constants,
+  you can always use mp_cmp_d(), and for zero, there is mp_cmp_z().
+ */
+int    mp_cmp_int(const mp_int *a, long z)
+{
+  mp_int  tmp;
+  int     out;
+
+  ARGCHK(a != NULL, MP_EQ);
+  
+  mp_init(&tmp); mp_set_int(&tmp, z);
+  out = mp_cmp(a, &tmp);
+  mp_clear(&tmp);
+
+  return out;
+
+} /* end mp_cmp_int() */
+
+/* }}} */
+
+/* {{{ mp_isodd(a) */
+
+/*
+  mp_isodd(a)
+
+  Returns a true (non-zero) value if a is odd, false (zero) otherwise.
+ */
+int    mp_isodd(const mp_int *a)
+{
+  ARGCHK(a != NULL, 0);
+
+  return (int)(DIGIT(a, 0) & 1);
+
+} /* end mp_isodd() */
+
+/* }}} */
+
+/* {{{ mp_iseven(a) */
+
+int    mp_iseven(const mp_int *a)
+{
+  return !mp_isodd(a);
+
+} /* end mp_iseven() */
+
+/* }}} */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/* {{{ Number theoretic functions */
+
+#if MP_NUMTH
+/* {{{ mp_gcd(a, b, c) */
+
+/*
+  Like the old mp_gcd() function, except computes the GCD using the
+  binary algorithm due to Josef Stein in 1961 (via Knuth).
+ */
+mp_err mp_gcd(mp_int *a, mp_int *b, mp_int *c)
+{
+  mp_err   res;
+  mp_int   u, v, t;
+  mp_size  k = 0;
+
+  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+  if(mp_cmp_z(a) == MP_EQ && mp_cmp_z(b) == MP_EQ)
+      return MP_RANGE;
+  if(mp_cmp_z(a) == MP_EQ) {
+    return mp_copy(b, c);
+  } else if(mp_cmp_z(b) == MP_EQ) {
+    return mp_copy(a, c);
+  }
+
+  if((res = mp_init(&t)) != MP_OKAY)
+    return res;
+  if((res = mp_init_copy(&u, a)) != MP_OKAY)
+    goto U;
+  if((res = mp_init_copy(&v, b)) != MP_OKAY)
+    goto V;
+
+  SIGN(&u) = ZPOS;
+  SIGN(&v) = ZPOS;
+
+  /* Divide out common factors of 2 until at least 1 of a, b is even */
+  while(mp_iseven(&u) && mp_iseven(&v)) {
+    s_mp_div_2(&u);
+    s_mp_div_2(&v);
+    ++k;
+  }
+
+  /* Initialize t */
+  if(mp_isodd(&u)) {
+    if((res = mp_copy(&v, &t)) != MP_OKAY)
+      goto CLEANUP;
+    
+    /* t = -v */
+    if(SIGN(&v) == ZPOS)
+      SIGN(&t) = NEG;
+    else
+      SIGN(&t) = ZPOS;
+    
+  } else {
+    if((res = mp_copy(&u, &t)) != MP_OKAY)
+      goto CLEANUP;
+
+  }
+
+  for(;;) {
+    while(mp_iseven(&t)) {
+      s_mp_div_2(&t);
+    }
+
+    if(mp_cmp_z(&t) == MP_GT) {
+      if((res = mp_copy(&t, &u)) != MP_OKAY)
+	goto CLEANUP;
+
+    } else {
+      if((res = mp_copy(&t, &v)) != MP_OKAY)
+	goto CLEANUP;
+
+      /* v = -t */
+      if(SIGN(&t) == ZPOS)
+	SIGN(&v) = NEG;
+      else
+	SIGN(&v) = ZPOS;
+    }
+
+    if((res = mp_sub(&u, &v, &t)) != MP_OKAY)
+      goto CLEANUP;
+
+    if(s_mp_cmp_d(&t, 0) == MP_EQ)
+      break;
+  }
+
+  s_mp_2expt(&v, k);       /* v = 2^k   */
+  res = mp_mul(&u, &v, c); /* c = u * v */
+
+ CLEANUP:
+  mp_clear(&v);
+ V:
+  mp_clear(&u);
+ U:
+  mp_clear(&t);
+
+  return res;
+
+} /* end mp_gcd() */
+
+/* }}} */
+
+/* {{{ mp_lcm(a, b, c) */
+
+/* We compute the least common multiple using the rule:
+
+   ab = [a, b](a, b)
+
+   ... by computing the product, and dividing out the gcd.
+ */
+
+mp_err mp_lcm(mp_int *a, mp_int *b, mp_int *c)
+{
+  mp_int  gcd, prod;
+  mp_err  res;
+
+  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+  /* Set up temporaries */
+  if((res = mp_init(&gcd)) != MP_OKAY)
+    return res;
+  if((res = mp_init(&prod)) != MP_OKAY)
+    goto GCD;
+
+  if((res = mp_mul(a, b, &prod)) != MP_OKAY)
+    goto CLEANUP;
+  if((res = mp_gcd(a, b, &gcd)) != MP_OKAY)
+    goto CLEANUP;
+
+  res = mp_div(&prod, &gcd, c, NULL);
+
+ CLEANUP:
+  mp_clear(&prod);
+ GCD:
+  mp_clear(&gcd);
+
+  return res;
+
+} /* end mp_lcm() */
+
+/* }}} */
+
+/* {{{ mp_xgcd(a, b, g, x, y) */
+
+/*
+  mp_xgcd(a, b, g, x, y)
+
+  Compute g = (a, b) and values x and y satisfying Bezout's identity
+  (that is, ax + by = g).  This uses the binary extended GCD algorithm
+  based on the Stein algorithm used for mp_gcd()
+  See algorithm 14.61 in Handbook of Applied Cryptogrpahy.
+ */
+
+mp_err mp_xgcd(const mp_int *a, const mp_int *b, mp_int *g, mp_int *x, mp_int *y)
+{
+  mp_int   gx, xc, yc, u, v, A, B, C, D;
+  mp_int  *clean[9];
+  mp_err   res;
+  int      last = -1;
+
+  if(mp_cmp_z(b) == 0)
+    return MP_RANGE;
+
+  /* Initialize all these variables we need */
+  MP_CHECKOK( mp_init(&u) );
+  clean[++last] = &u;
+  MP_CHECKOK( mp_init(&v) );
+  clean[++last] = &v;
+  MP_CHECKOK( mp_init(&gx) );
+  clean[++last] = &gx;
+  MP_CHECKOK( mp_init(&A) );
+  clean[++last] = &A;
+  MP_CHECKOK( mp_init(&B) );
+  clean[++last] = &B;
+  MP_CHECKOK( mp_init(&C) );
+  clean[++last] = &C;
+  MP_CHECKOK( mp_init(&D) );
+  clean[++last] = &D;
+  MP_CHECKOK( mp_init_copy(&xc, a) );
+  clean[++last] = &xc;
+  mp_abs(&xc, &xc);
+  MP_CHECKOK( mp_init_copy(&yc, b) );
+  clean[++last] = &yc;
+  mp_abs(&yc, &yc);
+
+  mp_set(&gx, 1);
+
+  /* Divide by two until at least one of them is odd */
+  while(mp_iseven(&xc) && mp_iseven(&yc)) {
+    mp_size nx = mp_trailing_zeros(&xc);
+    mp_size ny = mp_trailing_zeros(&yc);
+    mp_size n  = MP_MIN(nx, ny);
+    s_mp_div_2d(&xc,n);
+    s_mp_div_2d(&yc,n);
+    MP_CHECKOK( s_mp_mul_2d(&gx,n) );
+  }
+
+  mp_copy(&xc, &u);
+  mp_copy(&yc, &v);
+  mp_set(&A, 1); mp_set(&D, 1);
+
+  /* Loop through binary GCD algorithm */
+  do {
+    while(mp_iseven(&u)) {
+      s_mp_div_2(&u);
+
+      if(mp_iseven(&A) && mp_iseven(&B)) {
+	s_mp_div_2(&A); s_mp_div_2(&B);
+      } else {
+	MP_CHECKOK( mp_add(&A, &yc, &A) );
+	s_mp_div_2(&A);
+	MP_CHECKOK( mp_sub(&B, &xc, &B) );
+	s_mp_div_2(&B);
+      }
+    }
+
+    while(mp_iseven(&v)) {
+      s_mp_div_2(&v);
+
+      if(mp_iseven(&C) && mp_iseven(&D)) {
+	s_mp_div_2(&C); s_mp_div_2(&D);
+      } else {
+	MP_CHECKOK( mp_add(&C, &yc, &C) );
+	s_mp_div_2(&C);
+	MP_CHECKOK( mp_sub(&D, &xc, &D) );
+	s_mp_div_2(&D);
+      }
+    }
+
+    if(mp_cmp(&u, &v) >= 0) {
+      MP_CHECKOK( mp_sub(&u, &v, &u) );
+      MP_CHECKOK( mp_sub(&A, &C, &A) );
+      MP_CHECKOK( mp_sub(&B, &D, &B) );
+    } else {
+      MP_CHECKOK( mp_sub(&v, &u, &v) );
+      MP_CHECKOK( mp_sub(&C, &A, &C) );
+      MP_CHECKOK( mp_sub(&D, &B, &D) );
+    }
+  } while (mp_cmp_z(&u) != 0);
+
+  /* copy results to output */
+  if(x)
+    MP_CHECKOK( mp_copy(&C, x) );
+
+  if(y)
+    MP_CHECKOK( mp_copy(&D, y) );
+      
+  if(g)
+    MP_CHECKOK( mp_mul(&gx, &v, g) );
+
+ CLEANUP:
+  while(last >= 0)
+    mp_clear(clean[last--]);
+
+  return res;
+
+} /* end mp_xgcd() */
+
+/* }}} */
+
+mp_size mp_trailing_zeros(const mp_int *mp)
+{
+  mp_digit d;
+  mp_size  n = 0;
+  int      ix;
+
+  if (!mp || !MP_DIGITS(mp) || !mp_cmp_z(mp))
+    return n;
+
+  for (ix = 0; !(d = MP_DIGIT(mp,ix)) && (ix < MP_USED(mp)); ++ix)
+    n += MP_DIGIT_BIT;
+  if (!d)
+    return 0;	/* shouldn't happen, but ... */
+#if !defined(MP_USE_UINT_DIGIT)
+  if (!(d & 0xffffffffU)) {
+    d >>= 32;
+    n  += 32;
+  }
+#endif
+  if (!(d & 0xffffU)) {
+    d >>= 16;
+    n  += 16;
+  }
+  if (!(d & 0xffU)) {
+    d >>= 8;
+    n  += 8;
+  }
+  if (!(d & 0xfU)) {
+    d >>= 4;
+    n  += 4;
+  }
+  if (!(d & 0x3U)) {
+    d >>= 2;
+    n  += 2;
+  }
+  if (!(d & 0x1U)) {
+    d >>= 1;
+    n  += 1;
+  }
+#if MP_ARGCHK == 2
+  assert(0 != (d & 1));
+#endif
+  return n;
+}
+
+/* Given a and prime p, computes c and k such that a*c == 2**k (mod p).
+** Returns k (positive) or error (negative).
+** This technique from the paper "Fast Modular Reciprocals" (unpublished)
+** by Richard Schroeppel (a.k.a. Captain Nemo).
+*/
+mp_err s_mp_almost_inverse(const mp_int *a, const mp_int *p, mp_int *c)
+{
+  mp_err res;
+  mp_err k    = 0;
+  mp_int d, f, g;
+
+  ARGCHK(a && p && c, MP_BADARG);
+
+  MP_DIGITS(&d) = 0;
+  MP_DIGITS(&f) = 0;
+  MP_DIGITS(&g) = 0;
+  MP_CHECKOK( mp_init(&d) );
+  MP_CHECKOK( mp_init_copy(&f, a) );	/* f = a */
+  MP_CHECKOK( mp_init_copy(&g, p) );	/* g = p */
+
+  mp_set(c, 1);
+  mp_zero(&d);
+
+  if (mp_cmp_z(&f) == 0) {
+    res = MP_UNDEF;
+  } else 
+  for (;;) {
+    int diff_sign;
+    while (mp_iseven(&f)) {
+      mp_size n = mp_trailing_zeros(&f);
+      if (!n) {
+	res = MP_UNDEF;
+	goto CLEANUP;
+      }
+      s_mp_div_2d(&f, n);
+      MP_CHECKOK( s_mp_mul_2d(&d, n) );
+      k += n;
+    }
+    if (mp_cmp_d(&f, 1) == MP_EQ) {	/* f == 1 */
+      res = k;
+      break;
+    }
+    diff_sign = mp_cmp(&f, &g);
+    if (diff_sign < 0) {		/* f < g */
+      s_mp_exch(&f, &g);
+      s_mp_exch(c, &d);
+    } else if (diff_sign == 0) {		/* f == g */
+      res = MP_UNDEF;		/* a and p are not relatively prime */
+      break;
+    }
+    if ((MP_DIGIT(&f,0) % 4) == (MP_DIGIT(&g,0) % 4)) {
+      MP_CHECKOK( mp_sub(&f, &g, &f) );	/* f = f - g */
+      MP_CHECKOK( mp_sub(c,  &d,  c) );	/* c = c - d */
+    } else {
+      MP_CHECKOK( mp_add(&f, &g, &f) );	/* f = f + g */
+      MP_CHECKOK( mp_add(c,  &d,  c) );	/* c = c + d */
+    }
+  }
+  if (res >= 0) {
+    while (MP_SIGN(c) != MP_ZPOS) {
+      MP_CHECKOK( mp_add(c, p, c) );
+    }
+    res = k;
+  }
+
+CLEANUP:
+  mp_clear(&d);
+  mp_clear(&f);
+  mp_clear(&g);
+  return res;
+}
+
+/* Compute T = (P ** -1) mod MP_RADIX.  Also works for 16-bit mp_digits.
+** This technique from the paper "Fast Modular Reciprocals" (unpublished)
+** by Richard Schroeppel (a.k.a. Captain Nemo).
+*/
+mp_digit  s_mp_invmod_radix(mp_digit P)
+{
+  mp_digit T = P;
+  T *= 2 - (P * T);
+  T *= 2 - (P * T);
+  T *= 2 - (P * T);
+  T *= 2 - (P * T);
+#if !defined(MP_USE_UINT_DIGIT)
+  T *= 2 - (P * T);
+  T *= 2 - (P * T);
+#endif
+  return T;
+}
+
+/* Given c, k, and prime p, where a*c == 2**k (mod p), 
+** Compute x = (a ** -1) mod p.  This is similar to Montgomery reduction.
+** This technique from the paper "Fast Modular Reciprocals" (unpublished)
+** by Richard Schroeppel (a.k.a. Captain Nemo).
+*/
+mp_err  s_mp_fixup_reciprocal(const mp_int *c, const mp_int *p, int k, mp_int *x)
+{
+  int      k_orig = k;
+  mp_digit r;
+  mp_size  ix;
+  mp_err   res;
+
+  if (mp_cmp_z(c) < 0) {		/* c < 0 */
+    MP_CHECKOK( mp_add(c, p, x) );	/* x = c + p */
+  } else {
+    MP_CHECKOK( mp_copy(c, x) );	/* x = c */
+  }
+
+  /* make sure x is large enough */
+  ix = MP_HOWMANY(k, MP_DIGIT_BIT) + MP_USED(p) + 1;
+  ix = MP_MAX(ix, MP_USED(x));
+  MP_CHECKOK( s_mp_pad(x, ix) );
+
+  r = 0 - s_mp_invmod_radix(MP_DIGIT(p,0));
+
+  for (ix = 0; k > 0; ix++) {
+    int      j = MP_MIN(k, MP_DIGIT_BIT);
+    mp_digit v = r * MP_DIGIT(x, ix);
+    if (j < MP_DIGIT_BIT) {
+      v &= ((mp_digit)1 << j) - 1;	/* v = v mod (2 ** j) */
+    }
+    s_mp_mul_d_add_offset(p, v, x, ix); /* x += p * v * (RADIX ** ix) */
+    k -= j;
+  }
+  s_mp_clamp(x);
+  s_mp_div_2d(x, k_orig);
+  res = MP_OKAY;
+
+CLEANUP:
+  return res;
+}
+
+/* compute mod inverse using Schroeppel's method, only if m is odd */
+mp_err s_mp_invmod_odd_m(const mp_int *a, const mp_int *m, mp_int *c)
+{
+  int k;
+  mp_err  res;
+  mp_int  x;
+
+  ARGCHK(a && m && c, MP_BADARG);
+
+  if(mp_cmp_z(a) == 0 || mp_cmp_z(m) == 0)
+    return MP_RANGE;
+  if (mp_iseven(m))
+    return MP_UNDEF;
+
+  MP_DIGITS(&x) = 0;
+
+  if (a == c) {
+    if ((res = mp_init_copy(&x, a)) != MP_OKAY)
+      return res;
+    if (a == m) 
+      m = &x;
+    a = &x;
+  } else if (m == c) {
+    if ((res = mp_init_copy(&x, m)) != MP_OKAY)
+      return res;
+    m = &x;
+  } else {
+    MP_DIGITS(&x) = 0;
+  }
+
+  MP_CHECKOK( s_mp_almost_inverse(a, m, c) );
+  k = res;
+  MP_CHECKOK( s_mp_fixup_reciprocal(c, m, k, c) );
+CLEANUP:
+  mp_clear(&x);
+  return res;
+}
+
+/* Known good algorithm for computing modular inverse.  But slow. */
+mp_err mp_invmod_xgcd(const mp_int *a, const mp_int *m, mp_int *c)
+{
+  mp_int  g, x;
+  mp_err  res;
+
+  ARGCHK(a && m && c, MP_BADARG);
+
+  if(mp_cmp_z(a) == 0 || mp_cmp_z(m) == 0)
+    return MP_RANGE;
+
+  MP_DIGITS(&g) = 0;
+  MP_DIGITS(&x) = 0;
+  MP_CHECKOK( mp_init(&x) );
+  MP_CHECKOK( mp_init(&g) );
+
+  MP_CHECKOK( mp_xgcd(a, m, &g, &x, NULL) );
+
+  if (mp_cmp_d(&g, 1) != MP_EQ) {
+    res = MP_UNDEF;
+    goto CLEANUP;
+  }
+
+  res = mp_mod(&x, m, c);
+  SIGN(c) = SIGN(a);
+
+CLEANUP:
+  mp_clear(&x);
+  mp_clear(&g);
+
+  return res;
+}
+
+/* modular inverse where modulus is 2**k. */
+/* c = a**-1 mod 2**k */
+mp_err s_mp_invmod_2d(const mp_int *a, mp_size k, mp_int *c)
+{
+  mp_err res;
+  mp_size ix = k + 4;
+  mp_int t0, t1, val, tmp, two2k;
+
+  static const mp_digit d2 = 2;
+  static const mp_int two = { MP_ZPOS, 1, 1, (mp_digit *)&d2 };
+
+  if (mp_iseven(a))
+    return MP_UNDEF;
+  if (k <= MP_DIGIT_BIT) {
+    mp_digit i = s_mp_invmod_radix(MP_DIGIT(a,0));
+    if (k < MP_DIGIT_BIT)
+      i &= ((mp_digit)1 << k) - (mp_digit)1;
+    mp_set(c, i);
+    return MP_OKAY;
+  }
+  MP_DIGITS(&t0) = 0;
+  MP_DIGITS(&t1) = 0;
+  MP_DIGITS(&val) = 0;
+  MP_DIGITS(&tmp) = 0;
+  MP_DIGITS(&two2k) = 0;
+  MP_CHECKOK( mp_init_copy(&val, a) );
+  s_mp_mod_2d(&val, k);
+  MP_CHECKOK( mp_init_copy(&t0, &val) );
+  MP_CHECKOK( mp_init_copy(&t1, &t0)  );
+  MP_CHECKOK( mp_init(&tmp) );
+  MP_CHECKOK( mp_init(&two2k) );
+  MP_CHECKOK( s_mp_2expt(&two2k, k) );
+  do {
+    MP_CHECKOK( mp_mul(&val, &t1, &tmp)  );
+    MP_CHECKOK( mp_sub(&two, &tmp, &tmp) );
+    MP_CHECKOK( mp_mul(&t1, &tmp, &t1)   );
+    s_mp_mod_2d(&t1, k);
+    while (MP_SIGN(&t1) != MP_ZPOS) {
+      MP_CHECKOK( mp_add(&t1, &two2k, &t1) );
+    }
+    if (mp_cmp(&t1, &t0) == MP_EQ) 
+      break;
+    MP_CHECKOK( mp_copy(&t1, &t0) );
+  } while (--ix > 0);
+  if (!ix) {
+    res = MP_UNDEF;
+  } else {
+    mp_exch(c, &t1);
+  }
+
+CLEANUP:
+  mp_clear(&t0);
+  mp_clear(&t1);
+  mp_clear(&val);
+  mp_clear(&tmp);
+  mp_clear(&two2k);
+  return res;
+}
+
+mp_err s_mp_invmod_even_m(const mp_int *a, const mp_int *m, mp_int *c)
+{
+  mp_err res;
+  mp_size k;
+  mp_int oddFactor, evenFactor;	/* factors of the modulus */
+  mp_int oddPart, evenPart;	/* parts to combine via CRT. */
+  mp_int C2, tmp1, tmp2;
+
+  /*static const mp_digit d1 = 1; */
+  /*static const mp_int one = { MP_ZPOS, 1, 1, (mp_digit *)&d1 }; */
+
+  if ((res = s_mp_ispow2(m)) >= 0) {
+    k = res;
+    return s_mp_invmod_2d(a, k, c);
+  }
+  MP_DIGITS(&oddFactor) = 0;
+  MP_DIGITS(&evenFactor) = 0;
+  MP_DIGITS(&oddPart) = 0;
+  MP_DIGITS(&evenPart) = 0;
+  MP_DIGITS(&C2)     = 0;
+  MP_DIGITS(&tmp1)   = 0;
+  MP_DIGITS(&tmp2)   = 0;
+
+  MP_CHECKOK( mp_init_copy(&oddFactor, m) );    /* oddFactor = m */
+  MP_CHECKOK( mp_init(&evenFactor) );
+  MP_CHECKOK( mp_init(&oddPart) );
+  MP_CHECKOK( mp_init(&evenPart) );
+  MP_CHECKOK( mp_init(&C2)     );
+  MP_CHECKOK( mp_init(&tmp1)   );
+  MP_CHECKOK( mp_init(&tmp2)   );
+
+  k = mp_trailing_zeros(m);
+  s_mp_div_2d(&oddFactor, k);
+  MP_CHECKOK( s_mp_2expt(&evenFactor, k) );
+
+  /* compute a**-1 mod oddFactor. */
+  MP_CHECKOK( s_mp_invmod_odd_m(a, &oddFactor, &oddPart) );
+  /* compute a**-1 mod evenFactor, where evenFactor == 2**k. */
+  MP_CHECKOK( s_mp_invmod_2d(   a,       k,    &evenPart) );
+
+  /* Use Chinese Remainer theorem to compute a**-1 mod m. */
+  /* let m1 = oddFactor,  v1 = oddPart, 
+   * let m2 = evenFactor, v2 = evenPart.
+   */
+
+  /* Compute C2 = m1**-1 mod m2. */
+  MP_CHECKOK( s_mp_invmod_2d(&oddFactor, k,    &C2) );
+
+  /* compute u = (v2 - v1)*C2 mod m2 */
+  MP_CHECKOK( mp_sub(&evenPart, &oddPart,   &tmp1) );
+  MP_CHECKOK( mp_mul(&tmp1,     &C2,        &tmp2) );
+  s_mp_mod_2d(&tmp2, k);
+  while (MP_SIGN(&tmp2) != MP_ZPOS) {
+    MP_CHECKOK( mp_add(&tmp2, &evenFactor, &tmp2) );
+  }
+
+  /* compute answer = v1 + u*m1 */
+  MP_CHECKOK( mp_mul(&tmp2,     &oddFactor, c) );
+  MP_CHECKOK( mp_add(&oddPart,  c,          c) );
+  /* not sure this is necessary, but it's low cost if not. */
+  MP_CHECKOK( mp_mod(c,         m,          c) );
+
+CLEANUP:
+  mp_clear(&oddFactor);
+  mp_clear(&evenFactor);
+  mp_clear(&oddPart);
+  mp_clear(&evenPart);
+  mp_clear(&C2);
+  mp_clear(&tmp1);
+  mp_clear(&tmp2);
+  return res;
+}
+
+
+/* {{{ mp_invmod(a, m, c) */
+
+/*
+  mp_invmod(a, m, c)
+
+  Compute c = a^-1 (mod m), if there is an inverse for a (mod m).
+  This is equivalent to the question of whether (a, m) = 1.  If not,
+  MP_UNDEF is returned, and there is no inverse.
+ */
+
+mp_err mp_invmod(const mp_int *a, const mp_int *m, mp_int *c)
+{
+
+  ARGCHK(a && m && c, MP_BADARG);
+
+  if(mp_cmp_z(a) == 0 || mp_cmp_z(m) == 0)
+    return MP_RANGE;
+
+  if (mp_isodd(m)) {
+    return s_mp_invmod_odd_m(a, m, c);
+  }
+  if (mp_iseven(a))
+    return MP_UNDEF;	/* not invertable */
+
+  return s_mp_invmod_even_m(a, m, c);
+
+} /* end mp_invmod() */
+
+/* }}} */
+#endif /* if MP_NUMTH */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/* {{{ mp_print(mp, ofp) */
+
+#if MP_IOFUNC
+/*
+  mp_print(mp, ofp)
+
+  Print a textual representation of the given mp_int on the output
+  stream 'ofp'.  Output is generated using the internal radix.
+ */
+
+void   mp_print(mp_int *mp, FILE *ofp)
+{
+  int   ix;
+
+  if(mp == NULL || ofp == NULL)
+    return;
+
+  fputc((SIGN(mp) == NEG) ? '-' : '+', ofp);
+
+  for(ix = USED(mp) - 1; ix >= 0; ix--) {
+    fprintf(ofp, DIGIT_FMT, DIGIT(mp, ix));
+  }
+
+} /* end mp_print() */
+
+#endif /* if MP_IOFUNC */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/* {{{ More I/O Functions */
+
+/* {{{ mp_read_raw(mp, str, len) */
+
+/* 
+   mp_read_raw(mp, str, len)
+
+   Read in a raw value (base 256) into the given mp_int
+ */
+
+mp_err  mp_read_raw(mp_int *mp, char *str, int len)
+{
+  int            ix;
+  mp_err         res;
+  unsigned char *ustr = (unsigned char *)str;
+
+  ARGCHK(mp != NULL && str != NULL && len > 0, MP_BADARG);
+
+  mp_zero(mp);
+
+  /* Get sign from first byte */
+  if(ustr[0])
+    SIGN(mp) = NEG;
+  else
+    SIGN(mp) = ZPOS;
+
+  /* Read the rest of the digits */
+  for(ix = 1; ix < len; ix++) {
+    if((res = mp_mul_d(mp, 256, mp)) != MP_OKAY)
+      return res;
+    if((res = mp_add_d(mp, ustr[ix], mp)) != MP_OKAY)
+      return res;
+  }
+
+  return MP_OKAY;
+
+} /* end mp_read_raw() */
+
+/* }}} */
+
+/* {{{ mp_raw_size(mp) */
+
+int    mp_raw_size(mp_int *mp)
+{
+  ARGCHK(mp != NULL, 0);
+
+  return (USED(mp) * sizeof(mp_digit)) + 1;
+
+} /* end mp_raw_size() */
+
+/* }}} */
+
+/* {{{ mp_toraw(mp, str) */
+
+mp_err mp_toraw(mp_int *mp, char *str)
+{
+  int  ix, jx, pos = 1;
+
+  ARGCHK(mp != NULL && str != NULL, MP_BADARG);
+
+  str[0] = (char)SIGN(mp);
+
+  /* Iterate over each digit... */
+  for(ix = USED(mp) - 1; ix >= 0; ix--) {
+    mp_digit  d = DIGIT(mp, ix);
+
+    /* Unpack digit bytes, high order first */
+    for(jx = sizeof(mp_digit) - 1; jx >= 0; jx--) {
+      str[pos++] = (char)(d >> (jx * CHAR_BIT));
+    }
+  }
+
+  return MP_OKAY;
+
+} /* end mp_toraw() */
+
+/* }}} */
+
+/* {{{ mp_read_radix(mp, str, radix) */
+
+/*
+  mp_read_radix(mp, str, radix)
+
+  Read an integer from the given string, and set mp to the resulting
+  value.  The input is presumed to be in base 10.  Leading non-digit
+  characters are ignored, and the function reads until a non-digit
+  character or the end of the string.
+ */
+
+mp_err  mp_read_radix(mp_int *mp, const char *str, int radix)
+{
+  int     ix = 0, val = 0;
+  mp_err  res;
+  mp_sign sig = ZPOS;
+
+  ARGCHK(mp != NULL && str != NULL && radix >= 2 && radix <= MAX_RADIX, 
+	 MP_BADARG);
+
+  mp_zero(mp);
+
+  /* Skip leading non-digit characters until a digit or '-' or '+' */
+  while(str[ix] && 
+	(s_mp_tovalue(str[ix], radix) < 0) && 
+	str[ix] != '-' &&
+	str[ix] != '+') {
+    ++ix;
+  }
+
+  if(str[ix] == '-') {
+    sig = NEG;
+    ++ix;
+  } else if(str[ix] == '+') {
+    sig = ZPOS; /* this is the default anyway... */
+    ++ix;
+  }
+
+  while((val = s_mp_tovalue(str[ix], radix)) >= 0) {
+    if((res = s_mp_mul_d(mp, radix)) != MP_OKAY)
+      return res;
+    if((res = s_mp_add_d(mp, val)) != MP_OKAY)
+      return res;
+    ++ix;
+  }
+
+  if(s_mp_cmp_d(mp, 0) == MP_EQ)
+    SIGN(mp) = ZPOS;
+  else
+    SIGN(mp) = sig;
+
+  return MP_OKAY;
+
+} /* end mp_read_radix() */
+
+mp_err mp_read_variable_radix(mp_int *a, const char * str, int default_radix)
+{
+  int     radix = default_radix;
+  int     cx;
+  mp_sign sig   = ZPOS;
+  mp_err  res;
+
+  /* Skip leading non-digit characters until a digit or '-' or '+' */
+  while ((cx = *str) != 0 && 
+	(s_mp_tovalue(cx, radix) < 0) && 
+	cx != '-' &&
+	cx != '+') {
+    ++str;
+  }
+
+  if (cx == '-') {
+    sig = NEG;
+    ++str;
+  } else if (cx == '+') {
+    sig = ZPOS; /* this is the default anyway... */
+    ++str;
+  }
+
+  if (str[0] == '0') {
+    if ((str[1] | 0x20) == 'x') {
+      radix = 16;
+      str += 2;
+    } else {
+      radix = 8;
+      str++;
+    }
+  }
+  res = mp_read_radix(a, str, radix);
+  if (res == MP_OKAY) {
+    MP_SIGN(a) = (s_mp_cmp_d(a, 0) == MP_EQ) ? ZPOS : sig;
+  }
+  return res;
+}
+
+/* }}} */
+
+/* {{{ mp_radix_size(mp, radix) */
+
+int    mp_radix_size(mp_int *mp, int radix)
+{
+  int  bits;
+
+  if(!mp || radix < 2 || radix > MAX_RADIX)
+    return 0;
+
+  bits = USED(mp) * DIGIT_BIT - 1;
+ 
+  return s_mp_outlen(bits, radix);
+
+} /* end mp_radix_size() */
+
+/* }}} */
+
+/* {{{ mp_toradix(mp, str, radix) */
+
+mp_err mp_toradix(mp_int *mp, char *str, int radix)
+{
+  int  ix, pos = 0;
+
+  ARGCHK(mp != NULL && str != NULL, MP_BADARG);
+  ARGCHK(radix > 1 && radix <= MAX_RADIX, MP_RANGE);
+
+  if(mp_cmp_z(mp) == MP_EQ) {
+    str[0] = '0';
+    str[1] = '\0';
+  } else {
+    mp_err   res;
+    mp_int   tmp;
+    mp_sign  sgn;
+    mp_digit rem, rdx = (mp_digit)radix;
+    char     ch;
+
+    if((res = mp_init_copy(&tmp, mp)) != MP_OKAY)
+      return res;
+
+    /* Save sign for later, and take absolute value */
+    sgn = SIGN(&tmp); SIGN(&tmp) = ZPOS;
+
+    /* Generate output digits in reverse order      */
+    while(mp_cmp_z(&tmp) != 0) {
+      if((res = mp_div_d(&tmp, rdx, &tmp, &rem)) != MP_OKAY) {
+	mp_clear(&tmp);
+	return res;
+      }
+
+      /* Generate digits, use capital letters */
+      ch = s_mp_todigit(rem, radix, 0);
+
+      str[pos++] = ch;
+    }
+
+    /* Add - sign if original value was negative */
+    if(sgn == NEG)
+      str[pos++] = '-';
+
+    /* Add trailing NUL to end the string        */
+    str[pos--] = '\0';
+
+    /* Reverse the digits and sign indicator     */
+    ix = 0;
+    while(ix < pos) {
+      char tmp = str[ix];
+
+      str[ix] = str[pos];
+      str[pos] = tmp;
+      ++ix;
+      --pos;
+    }
+    
+    mp_clear(&tmp);
+  }
+
+  return MP_OKAY;
+
+} /* end mp_toradix() */
+
+/* }}} */
+
+/* {{{ mp_tovalue(ch, r) */
+
+int    mp_tovalue(char ch, int r)
+{
+  return s_mp_tovalue(ch, r);
+
+} /* end mp_tovalue() */
+
+/* }}} */
+
+/* }}} */
+
+/* {{{ mp_strerror(ec) */
+
+/*
+  mp_strerror(ec)
+
+  Return a string describing the meaning of error code 'ec'.  The
+  string returned is allocated in static memory, so the caller should
+  not attempt to modify or free the memory associated with this
+  string.
+ */
+const char  *mp_strerror(mp_err ec)
+{
+  int   aec = (ec < 0) ? -ec : ec;
+
+  /* Code values are negative, so the senses of these comparisons
+     are accurate */
+  if(ec < MP_LAST_CODE || ec > MP_OKAY) {
+    return mp_err_string[0];  /* unknown error code */
+  } else {
+    return mp_err_string[aec + 1];
+  }
+
+} /* end mp_strerror() */
+
+/* }}} */
+
+/*========================================================================*/
+/*------------------------------------------------------------------------*/
+/* Static function definitions (internal use only)                        */
+
+/* {{{ Memory management */
+
+/* {{{ s_mp_grow(mp, min) */
+
+/* Make sure there are at least 'min' digits allocated to mp              */
+mp_err   s_mp_grow(mp_int *mp, mp_size min)
+{
+  if(min > ALLOC(mp)) {
+    mp_digit   *tmp;
+
+    /* Set min to next nearest default precision block size */
+    min = MP_ROUNDUP(min, s_mp_defprec);
+
+    if((tmp = s_mp_alloc(min, sizeof(mp_digit))) == NULL)
+      return MP_MEM;
+
+    s_mp_copy(DIGITS(mp), tmp, USED(mp));
+
+#if MP_CRYPTO
+    s_mp_setz(DIGITS(mp), ALLOC(mp));
+#endif
+    s_mp_free(DIGITS(mp));
+    DIGITS(mp) = tmp;
+    ALLOC(mp) = min;
+  }
+
+  return MP_OKAY;
+
+} /* end s_mp_grow() */
+
+/* }}} */
+
+/* {{{ s_mp_pad(mp, min) */
+
+/* Make sure the used size of mp is at least 'min', growing if needed     */
+mp_err   s_mp_pad(mp_int *mp, mp_size min)
+{
+  if(min > USED(mp)) {
+    mp_err  res;
+
+    /* Make sure there is room to increase precision  */
+    if (min > ALLOC(mp)) {
+      if ((res = s_mp_grow(mp, min)) != MP_OKAY)
+	return res;
+    } else {
+/*    s_mp_setz(DIGITS(mp) + USED(mp), min - USED(mp)); */
+    }
+
+    /* Increase precision; should already be 0-filled */
+    USED(mp) = min;
+  }
+
+  return MP_OKAY;
+
+} /* end s_mp_pad() */
+
+/* }}} */
+
+/* {{{ s_mp_setz(dp, count) */
+
+#if MP_MACRO == 0
+/* Set 'count' digits pointed to by dp to be zeroes                       */
+void s_mp_setz(mp_digit *dp, mp_size count)
+{
+#if MP_MEMSET == 0
+  int  ix;
+
+  for(ix = 0; ix < count; ix++)
+    dp[ix] = 0;
+#else
+  memset(dp, 0, count * sizeof(mp_digit));
+#endif
+
+} /* end s_mp_setz() */
+#endif
+
+/* }}} */
+
+/* {{{ s_mp_copy(sp, dp, count) */
+
+#if MP_MACRO == 0
+/* Copy 'count' digits from sp to dp                                      */
+void s_mp_copy(const mp_digit *sp, mp_digit *dp, mp_size count)
+{
+#if MP_MEMCPY == 0
+  int  ix;
+
+  for(ix = 0; ix < count; ix++)
+    dp[ix] = sp[ix];
+#else
+  memcpy(dp, sp, count * sizeof(mp_digit));
+#endif
+
+} /* end s_mp_copy() */
+#endif
+
+/* }}} */
+
+/* {{{ s_mp_alloc(nb, ni) */
+
+#if MP_MACRO == 0
+/* Allocate ni records of nb bytes each, and return a pointer to that     */
+void    *s_mp_alloc(size_t nb, size_t ni)
+{
+  ++mp_allocs;
+  return calloc(nb, ni);
+
+} /* end s_mp_alloc() */
+#endif
+
+/* }}} */
+
+/* {{{ s_mp_free(ptr) */
+
+#if MP_MACRO == 0
+/* Free the memory pointed to by ptr                                      */
+void     s_mp_free(void *ptr)
+{
+  if(ptr) {
+    ++mp_frees;
+    free(ptr);
+  }
+} /* end s_mp_free() */
+#endif
+
+/* }}} */
+
+/* {{{ s_mp_clamp(mp) */
+
+#if MP_MACRO == 0
+/* Remove leading zeroes from the given value                             */
+void     s_mp_clamp(mp_int *mp)
+{
+  mp_size used = MP_USED(mp);
+  while (used > 1 && DIGIT(mp, used - 1) == 0)
+    --used;
+  MP_USED(mp) = used;
+} /* end s_mp_clamp() */
+#endif
+
+/* }}} */
+
+/* {{{ s_mp_exch(a, b) */
+
+/* Exchange the data for a and b; (b, a) = (a, b)                         */
+void     s_mp_exch(mp_int *a, mp_int *b)
+{
+  mp_int   tmp;
+
+  tmp = *a;
+  *a = *b;
+  *b = tmp;
+
+} /* end s_mp_exch() */
+
+/* }}} */
+
+/* }}} */
+
+/* {{{ Arithmetic helpers */
+
+/* {{{ s_mp_lshd(mp, p) */
+
+/* 
+   Shift mp leftward by p digits, growing if needed, and zero-filling
+   the in-shifted digits at the right end.  This is a convenient
+   alternative to multiplication by powers of the radix
+   The value of USED(mp) must already have been set to the value for
+   the shifted result.
+ */   
+
+mp_err   s_mp_lshd(mp_int *mp, mp_size p)
+{
+  mp_err  res;
+  mp_size pos;
+  int     ix;
+
+  if(p == 0)
+    return MP_OKAY;
+
+  if (MP_USED(mp) == 1 && MP_DIGIT(mp, 0) == 0)
+    return MP_OKAY;
+
+  if((res = s_mp_pad(mp, USED(mp) + p)) != MP_OKAY)
+    return res;
+
+  pos = USED(mp) - 1;
+
+  /* Shift all the significant figures over as needed */
+  for(ix = pos - p; ix >= 0; ix--) 
+    DIGIT(mp, ix + p) = DIGIT(mp, ix);
+
+  /* Fill the bottom digits with zeroes */
+  for(ix = 0; ix < p; ix++)
+    DIGIT(mp, ix) = 0;
+
+  return MP_OKAY;
+
+} /* end s_mp_lshd() */
+
+/* }}} */
+
+/* {{{ s_mp_mul_2d(mp, d) */
+
+/*
+  Multiply the integer by 2^d, where d is a number of bits.  This
+  amounts to a bitwise shift of the value.
+ */
+mp_err   s_mp_mul_2d(mp_int *mp, mp_digit d)
+{
+  mp_err   res;
+  mp_digit dshift, bshift;
+  mp_digit mask;
+
+  ARGCHK(mp != NULL,  MP_BADARG);
+
+  dshift = d / MP_DIGIT_BIT;
+  bshift = d % MP_DIGIT_BIT;
+  /* bits to be shifted out of the top word */
+  mask   = ((mp_digit)~0 << (MP_DIGIT_BIT - bshift)); 
+  mask  &= MP_DIGIT(mp, MP_USED(mp) - 1);
+
+  if (MP_OKAY != (res = s_mp_pad(mp, MP_USED(mp) + dshift + (mask != 0) )))
+    return res;
+
+  if (dshift && MP_OKAY != (res = s_mp_lshd(mp, dshift)))
+    return res;
+
+  if (bshift) { 
+    mp_digit *pa = MP_DIGITS(mp);
+    mp_digit *alim = pa + MP_USED(mp);
+    mp_digit  prev = 0;
+
+    for (pa += dshift; pa < alim; ) {
+      mp_digit x = *pa;
+      *pa++ = (x << bshift) | prev;
+      prev = x >> (DIGIT_BIT - bshift);
+    }
+  }
+
+  s_mp_clamp(mp);
+  return MP_OKAY;
+} /* end s_mp_mul_2d() */
+
+/* {{{ s_mp_rshd(mp, p) */
+
+/* 
+   Shift mp rightward by p digits.  Maintains the invariant that
+   digits above the precision are all zero.  Digits shifted off the
+   end are lost.  Cannot fail.
+ */
+
+void     s_mp_rshd(mp_int *mp, mp_size p)
+{
+  mp_size  ix;
+  mp_digit *src, *dst;
+
+  if(p == 0)
+    return;
+
+  /* Shortcut when all digits are to be shifted off */
+  if(p >= USED(mp)) {
+    s_mp_setz(DIGITS(mp), ALLOC(mp));
+    USED(mp) = 1;
+    SIGN(mp) = ZPOS;
+    return;
+  }
+
+  /* Shift all the significant figures over as needed */
+  dst = MP_DIGITS(mp);
+  src = dst + p;
+  for (ix = USED(mp) - p; ix > 0; ix--)
+    *dst++ = *src++;
+
+  MP_USED(mp) -= p;
+  /* Fill the top digits with zeroes */
+  while (p-- > 0)
+    *dst++ = 0;
+
+#if 0
+  /* Strip off any leading zeroes    */
+  s_mp_clamp(mp);
+#endif
+
+} /* end s_mp_rshd() */
+
+/* }}} */
+
+/* {{{ s_mp_div_2(mp) */
+
+/* Divide by two -- take advantage of radix properties to do it fast      */
+void     s_mp_div_2(mp_int *mp)
+{
+  s_mp_div_2d(mp, 1);
+
+} /* end s_mp_div_2() */
+
+/* }}} */
+
+/* {{{ s_mp_mul_2(mp) */
+
+mp_err s_mp_mul_2(mp_int *mp)
+{
+  mp_digit *pd;
+  int      ix, used;
+  mp_digit kin = 0;
+
+  /* Shift digits leftward by 1 bit */
+  used = MP_USED(mp);
+  pd = MP_DIGITS(mp);
+  for (ix = 0; ix < used; ix++) {
+    mp_digit d = *pd;
+    *pd++ = (d << 1) | kin;
+    kin = (d >> (DIGIT_BIT - 1));
+  }
+
+  /* Deal with rollover from last digit */
+  if (kin) {
+    if (ix >= ALLOC(mp)) {
+      mp_err res;
+      if((res = s_mp_grow(mp, ALLOC(mp) + 1)) != MP_OKAY)
+	return res;
+    }
+
+    DIGIT(mp, ix) = kin;
+    USED(mp) += 1;
+  }
+
+  return MP_OKAY;
+
+} /* end s_mp_mul_2() */
+
+/* }}} */
+
+/* {{{ s_mp_mod_2d(mp, d) */
+
+/*
+  Remainder the integer by 2^d, where d is a number of bits.  This
+  amounts to a bitwise AND of the value, and does not require the full
+  division code
+ */
+void     s_mp_mod_2d(mp_int *mp, mp_digit d)
+{
+  mp_size  ndig = (d / DIGIT_BIT), nbit = (d % DIGIT_BIT);
+  mp_size  ix;
+  mp_digit dmask;
+
+  if(ndig >= USED(mp))
+    return;
+
+  /* Flush all the bits above 2^d in its digit */
+  dmask = ((mp_digit)1 << nbit) - 1;
+  DIGIT(mp, ndig) &= dmask;
+
+  /* Flush all digits above the one with 2^d in it */
+  for(ix = ndig + 1; ix < USED(mp); ix++)
+    DIGIT(mp, ix) = 0;
+
+  s_mp_clamp(mp);
+
+} /* end s_mp_mod_2d() */
+
+/* }}} */
+
+/* {{{ s_mp_div_2d(mp, d) */
+
+/*
+  Divide the integer by 2^d, where d is a number of bits.  This
+  amounts to a bitwise shift of the value, and does not require the
+  full division code (used in Barrett reduction, see below)
+ */
+void     s_mp_div_2d(mp_int *mp, mp_digit d)
+{
+  int       ix;
+  mp_digit  save, next, mask;
+
+  s_mp_rshd(mp, d / DIGIT_BIT);
+  d %= DIGIT_BIT;
+  if (d) {
+    mask = ((mp_digit)1 << d) - 1;
+    save = 0;
+    for(ix = USED(mp) - 1; ix >= 0; ix--) {
+      next = DIGIT(mp, ix) & mask;
+      DIGIT(mp, ix) = (DIGIT(mp, ix) >> d) | (save << (DIGIT_BIT - d));
+      save = next;
+    }
+  }
+  s_mp_clamp(mp);
+
+} /* end s_mp_div_2d() */
+
+/* }}} */
+
+/* {{{ s_mp_norm(a, b, *d) */
+
+/*
+  s_mp_norm(a, b, *d)
+
+  Normalize a and b for division, where b is the divisor.  In order
+  that we might make good guesses for quotient digits, we want the
+  leading digit of b to be at least half the radix, which we
+  accomplish by multiplying a and b by a power of 2.  The exponent 
+  (shift count) is placed in *pd, so that the remainder can be shifted 
+  back at the end of the division process.
+ */
+
+mp_err   s_mp_norm(mp_int *a, mp_int *b, mp_digit *pd)
+{
+  mp_digit  d;
+  mp_digit  mask;
+  mp_digit  b_msd;
+  mp_err    res    = MP_OKAY;
+
+  d = 0;
+  mask  = DIGIT_MAX & ~(DIGIT_MAX >> 1);	/* mask is msb of digit */
+  b_msd = DIGIT(b, USED(b) - 1);
+  while (!(b_msd & mask)) {
+    b_msd <<= 1;
+    ++d;
+  }
+
+  if (d) {
+    MP_CHECKOK( s_mp_mul_2d(a, d) );
+    MP_CHECKOK( s_mp_mul_2d(b, d) );
+  }
+
+  *pd = d;
+CLEANUP:
+  return res;
+
+} /* end s_mp_norm() */
+
+/* }}} */
+
+/* }}} */
+
+/* {{{ Primitive digit arithmetic */
+
+/* {{{ s_mp_add_d(mp, d) */
+
+/* Add d to |mp| in place                                                 */
+mp_err   s_mp_add_d(mp_int *mp, mp_digit d)    /* unsigned digit addition */
+{
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+  mp_word   w, k = 0;
+  mp_size   ix = 1;
+
+  w = (mp_word)DIGIT(mp, 0) + d;
+  DIGIT(mp, 0) = ACCUM(w);
+  k = CARRYOUT(w);
+
+  while(ix < USED(mp) && k) {
+    w = (mp_word)DIGIT(mp, ix) + k;
+    DIGIT(mp, ix) = ACCUM(w);
+    k = CARRYOUT(w);
+    ++ix;
+  }
+
+  if(k != 0) {
+    mp_err  res;
+
+    if((res = s_mp_pad(mp, USED(mp) + 1)) != MP_OKAY)
+      return res;
+
+    DIGIT(mp, ix) = (mp_digit)k;
+  }
+
+  return MP_OKAY;
+#else
+  mp_digit * pmp = MP_DIGITS(mp);
+  mp_digit sum, mp_i, carry = 0;
+  mp_err   res = MP_OKAY;
+  int used = (int)MP_USED(mp);
+
+  mp_i = *pmp;
+  *pmp++ = sum = d + mp_i;
+  carry = (sum < d);
+  while (carry && --used > 0) {
+    mp_i = *pmp;
+    *pmp++ = sum = carry + mp_i;
+    carry = !sum;
+  }
+  if (carry && !used) {
+    /* mp is growing */
+    used = MP_USED(mp);
+    MP_CHECKOK( s_mp_pad(mp, used + 1) );
+    MP_DIGIT(mp, used) = carry;
+  }
+CLEANUP:
+  return res;
+#endif
+} /* end s_mp_add_d() */
+
+/* }}} */
+
+/* {{{ s_mp_sub_d(mp, d) */
+
+/* Subtract d from |mp| in place, assumes |mp| > d                        */
+mp_err   s_mp_sub_d(mp_int *mp, mp_digit d)    /* unsigned digit subtract */
+{
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
+  mp_word   w, b = 0;
+  mp_size   ix = 1;
+
+  /* Compute initial subtraction    */
+  w = (RADIX + (mp_word)DIGIT(mp, 0)) - d;
+  b = CARRYOUT(w) ? 0 : 1;
+  DIGIT(mp, 0) = ACCUM(w);
+
+  /* Propagate borrows leftward     */
+  while(b && ix < USED(mp)) {
+    w = (RADIX + (mp_word)DIGIT(mp, ix)) - b;
+    b = CARRYOUT(w) ? 0 : 1;
+    DIGIT(mp, ix) = ACCUM(w);
+    ++ix;
+  }
+
+  /* Remove leading zeroes          */
+  s_mp_clamp(mp);
+
+  /* If we have a borrow out, it's a violation of the input invariant */
+  if(b)
+    return MP_RANGE;
+  else
+    return MP_OKAY;
+#else
+  mp_digit *pmp = MP_DIGITS(mp);
+  mp_digit mp_i, diff, borrow;
+  mp_size  used = MP_USED(mp);
+
+  mp_i = *pmp;
+  *pmp++ = diff = mp_i - d;
+  borrow = (diff > mp_i);
+  while (borrow && --used) {
+    mp_i = *pmp;
+    *pmp++ = diff = mp_i - borrow;
+    borrow = (diff > mp_i);
+  }
+  s_mp_clamp(mp);
+  return (borrow && !used) ? MP_RANGE : MP_OKAY;
+#endif
+} /* end s_mp_sub_d() */
+
+/* }}} */
+
+/* {{{ s_mp_mul_d(a, d) */
+
+/* Compute a = a * d, single digit multiplication                         */
+mp_err   s_mp_mul_d(mp_int *a, mp_digit d)
+{
+  mp_err  res;
+  mp_size used;
+  int     pow;
+
+  if (!d) {
+    mp_zero(a);
+    return MP_OKAY;
+  }
+  if (d == 1)
+    return MP_OKAY;
+  if (0 <= (pow = s_mp_ispow2d(d))) {
+    return s_mp_mul_2d(a, (mp_digit)pow);
+  }
+
+  used = MP_USED(a);
+  MP_CHECKOK( s_mp_pad(a, used + 1) );
+
+  s_mpv_mul_d(MP_DIGITS(a), used, d, MP_DIGITS(a));
+
+  s_mp_clamp(a);
+
+CLEANUP:
+  return res;
+  
+} /* end s_mp_mul_d() */
+
+/* }}} */
+
+/* {{{ s_mp_div_d(mp, d, r) */
+
+/*
+  s_mp_div_d(mp, d, r)
+
+  Compute the quotient mp = mp / d and remainder r = mp mod d, for a
+  single digit d.  If r is null, the remainder will be discarded.
+ */
+
+mp_err   s_mp_div_d(mp_int *mp, mp_digit d, mp_digit *r)
+{
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_DIV_WORD)
+  mp_word   w = 0, q;
+#else
+  mp_digit  w, q;
+#endif
+  int       ix;
+  mp_err    res;
+  mp_int    quot;
+  mp_int    rem;
+
+  if(d == 0)
+    return MP_RANGE;
+  if (d == 1) {
+    if (r)
+      *r = 0;
+    return MP_OKAY;
+  }
+  /* could check for power of 2 here, but mp_div_d does that. */
+  if (MP_USED(mp) == 1) {
+    mp_digit n   = MP_DIGIT(mp,0);
+    mp_digit rem;
+
+    q   = n / d;
+    rem = n % d;
+    MP_DIGIT(mp,0) = q;
+    if (r)
+      *r = rem;
+    return MP_OKAY;
+  }
+
+  MP_DIGITS(&rem)  = 0;
+  MP_DIGITS(&quot) = 0;
+  /* Make room for the quotient */
+  MP_CHECKOK( mp_init_size(&quot, USED(mp)) );
+
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_DIV_WORD)
+  for(ix = USED(mp) - 1; ix >= 0; ix--) {
+    w = (w << DIGIT_BIT) | DIGIT(mp, ix);
+
+    if(w >= d) {
+      q = w / d;
+      w = w % d;
+    } else {
+      q = 0;
+    }
+
+    s_mp_lshd(&quot, 1);
+    DIGIT(&quot, 0) = (mp_digit)q;
+  }
+#else
+  {
+    mp_digit p;
+#if !defined(MP_ASSEMBLY_DIV_2DX1D)
+    mp_digit norm;
+#endif
+
+    MP_CHECKOK( mp_init_copy(&rem, mp) );
+
+#if !defined(MP_ASSEMBLY_DIV_2DX1D)
+    MP_DIGIT(&quot, 0) = d;
+    MP_CHECKOK( s_mp_norm(&rem, &quot, &norm) );
+    if (norm)
+      d <<= norm;
+    MP_DIGIT(&quot, 0) = 0;
+#endif
+
+    p = 0;
+    for (ix = USED(&rem) - 1; ix >= 0; ix--) {
+      w = DIGIT(&rem, ix);
+
+      if (p) {
+        MP_CHECKOK( s_mpv_div_2dx1d(p, w, d, &q, &w) );
+      } else if (w >= d) {
+	q = w / d;
+	w = w % d;
+      } else {
+	q = 0;
+      }
+
+      MP_CHECKOK( s_mp_lshd(&quot, 1) );
+      DIGIT(&quot, 0) = q;
+      p = w;
+    }
+#if !defined(MP_ASSEMBLY_DIV_2DX1D)
+    if (norm)
+      w >>= norm;
+#endif
+  }
+#endif
+
+  /* Deliver the remainder, if desired */
+  if(r)
+    *r = (mp_digit)w;
+
+  s_mp_clamp(&quot);
+  mp_exch(&quot, mp);
+CLEANUP:
+  mp_clear(&quot);
+  mp_clear(&rem);
+
+  return res;
+} /* end s_mp_div_d() */
+
+/* }}} */
+
+
+/* }}} */
+
+/* {{{ Primitive full arithmetic */
+
+/* {{{ s_mp_add(a, b) */
+
+/* Compute a = |a| + |b|                                                  */
+mp_err   s_mp_add(mp_int *a, const mp_int *b)  /* magnitude addition      */
+{
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+  mp_word   w = 0;
+#else
+  mp_digit  d, sum, carry = 0;
+#endif
+  mp_digit *pa, *pb;
+  mp_size   ix;
+  mp_size   used;
+  mp_err    res;
+
+  /* Make sure a has enough precision for the output value */
+  if((USED(b) > USED(a)) && (res = s_mp_pad(a, USED(b))) != MP_OKAY)
+    return res;
+
+  /*
+    Add up all digits up to the precision of b.  If b had initially
+    the same precision as a, or greater, we took care of it by the
+    padding step above, so there is no problem.  If b had initially
+    less precision, we'll have to make sure the carry out is duly
+    propagated upward among the higher-order digits of the sum.
+   */
+  pa = MP_DIGITS(a);
+  pb = MP_DIGITS(b);
+  used = MP_USED(b);
+  for(ix = 0; ix < used; ix++) {
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+    w = w + *pa + *pb++;
+    *pa++ = ACCUM(w);
+    w = CARRYOUT(w);
+#else
+    d = *pa;
+    sum = d + *pb++;
+    d = (sum < d);			/* detect overflow */
+    *pa++ = sum += carry;
+    carry = d + (sum < carry);		/* detect overflow */
+#endif
+  }
+
+  /* If we run out of 'b' digits before we're actually done, make
+     sure the carries get propagated upward...  
+   */
+  used = MP_USED(a);
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+  while (w && ix < used) {
+    w = w + *pa;
+    *pa++ = ACCUM(w);
+    w = CARRYOUT(w);
+    ++ix;
+  }
+#else
+  while (carry && ix < used) {
+    sum = carry + *pa;
+    *pa++ = sum;
+    carry = !sum;
+    ++ix;
+  }
+#endif
+
+  /* If there's an overall carry out, increase precision and include
+     it.  We could have done this initially, but why touch the memory
+     allocator unless we're sure we have to?
+   */
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+  if (w) {
+    if((res = s_mp_pad(a, used + 1)) != MP_OKAY)
+      return res;
+
+    DIGIT(a, ix) = (mp_digit)w;
+  }
+#else
+  if (carry) {
+    if((res = s_mp_pad(a, used + 1)) != MP_OKAY)
+      return res;
+
+    DIGIT(a, used) = carry;
+  }
+#endif
+
+  return MP_OKAY;
+} /* end s_mp_add() */
+
+/* }}} */
+
+/* Compute c = |a| + |b|         */ /* magnitude addition      */
+mp_err   s_mp_add_3arg(const mp_int *a, const mp_int *b, mp_int *c)  
+{
+  mp_digit *pa, *pb, *pc;
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+  mp_word   w = 0;
+#else
+  mp_digit  sum, carry = 0, d;
+#endif
+  mp_size   ix;
+  mp_size   used;
+  mp_err    res;
+
+  MP_SIGN(c) = MP_SIGN(a);
+  if (MP_USED(a) < MP_USED(b)) {
+    const mp_int *xch = a;
+    a = b;
+    b = xch;
+  }
+
+  /* Make sure a has enough precision for the output value */
+  if (MP_OKAY != (res = s_mp_pad(c, MP_USED(a))))
+    return res;
+
+  /*
+    Add up all digits up to the precision of b.  If b had initially
+    the same precision as a, or greater, we took care of it by the
+    exchange step above, so there is no problem.  If b had initially
+    less precision, we'll have to make sure the carry out is duly
+    propagated upward among the higher-order digits of the sum.
+   */
+  pa = MP_DIGITS(a);
+  pb = MP_DIGITS(b);
+  pc = MP_DIGITS(c);
+  used = MP_USED(b);
+  for (ix = 0; ix < used; ix++) {
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+    w = w + *pa++ + *pb++;
+    *pc++ = ACCUM(w);
+    w = CARRYOUT(w);
+#else
+    d = *pa++;
+    sum = d + *pb++;
+    d = (sum < d);			/* detect overflow */
+    *pc++ = sum += carry;
+    carry = d + (sum < carry);		/* detect overflow */
+#endif
+  }
+
+  /* If we run out of 'b' digits before we're actually done, make
+     sure the carries get propagated upward...  
+   */
+  for (used = MP_USED(a); ix < used; ++ix) {
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+    w = w + *pa++;
+    *pc++ = ACCUM(w);
+    w = CARRYOUT(w);
+#else
+    *pc++ = sum = carry + *pa++;
+    carry = (sum < carry);
+#endif
+  }
+
+  /* If there's an overall carry out, increase precision and include
+     it.  We could have done this initially, but why touch the memory
+     allocator unless we're sure we have to?
+   */
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+  if (w) {
+    if((res = s_mp_pad(c, used + 1)) != MP_OKAY)
+      return res;
+
+    DIGIT(c, used) = (mp_digit)w;
+    ++used;
+  }
+#else
+  if (carry) {
+    if((res = s_mp_pad(c, used + 1)) != MP_OKAY)
+      return res;
+
+    DIGIT(c, used) = carry;
+    ++used;
+  }
+#endif
+  MP_USED(c) = used;
+  return MP_OKAY;
+}
+/* {{{ s_mp_add_offset(a, b, offset) */
+
+/* Compute a = |a| + ( |b| * (RADIX ** offset) )             */
+mp_err   s_mp_add_offset(mp_int *a, mp_int *b, mp_size offset)   
+{
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+  mp_word   w, k = 0;
+#else
+  mp_digit  d, sum, carry = 0;
+#endif
+  mp_size   ib;
+  mp_size   ia;
+  mp_size   lim;
+  mp_err    res;
+
+  /* Make sure a has enough precision for the output value */
+  lim = MP_USED(b) + offset;
+  if((lim > USED(a)) && (res = s_mp_pad(a, lim)) != MP_OKAY)
+    return res;
+
+  /*
+    Add up all digits up to the precision of b.  If b had initially
+    the same precision as a, or greater, we took care of it by the
+    padding step above, so there is no problem.  If b had initially
+    less precision, we'll have to make sure the carry out is duly
+    propagated upward among the higher-order digits of the sum.
+   */
+  lim = USED(b);
+  for(ib = 0, ia = offset; ib < lim; ib++, ia++) {
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+    w = (mp_word)DIGIT(a, ia) + DIGIT(b, ib) + k;
+    DIGIT(a, ia) = ACCUM(w);
+    k = CARRYOUT(w);
+#else
+    d = MP_DIGIT(a, ia);
+    sum = d + MP_DIGIT(b, ib);
+    d = (sum < d);
+    MP_DIGIT(a,ia) = sum += carry;
+    carry = d + (sum < carry);
+#endif
+  }
+
+  /* If we run out of 'b' digits before we're actually done, make
+     sure the carries get propagated upward...  
+   */
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+  for (lim = MP_USED(a); k && (ia < lim); ++ia) {
+    w = (mp_word)DIGIT(a, ia) + k;
+    DIGIT(a, ia) = ACCUM(w);
+    k = CARRYOUT(w);
+  }
+#else
+  for (lim = MP_USED(a); carry && (ia < lim); ++ia) {
+    d = MP_DIGIT(a, ia);
+    MP_DIGIT(a,ia) = sum = d + carry;
+    carry = (sum < d);
+  }
+#endif
+
+  /* If there's an overall carry out, increase precision and include
+     it.  We could have done this initially, but why touch the memory
+     allocator unless we're sure we have to?
+   */
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
+  if(k) {
+    if((res = s_mp_pad(a, USED(a) + 1)) != MP_OKAY)
+      return res;
+
+    DIGIT(a, ia) = (mp_digit)k;
+  }
+#else
+  if (carry) {
+    if((res = s_mp_pad(a, lim + 1)) != MP_OKAY)
+      return res;
+
+    DIGIT(a, lim) = carry;
+  }
+#endif
+  s_mp_clamp(a);
+
+  return MP_OKAY;
+
+} /* end s_mp_add_offset() */
+
+/* }}} */
+
+/* {{{ s_mp_sub(a, b) */
+
+/* Compute a = |a| - |b|, assumes |a| >= |b|                              */
+mp_err   s_mp_sub(mp_int *a, const mp_int *b)  /* magnitude subtract      */
+{
+  mp_digit *pa, *pb, *limit;
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
+  mp_sword  w = 0;
+#else
+  mp_digit  d, diff, borrow = 0;
+#endif
+
+  /*
+    Subtract and propagate borrow.  Up to the precision of b, this
+    accounts for the digits of b; after that, we just make sure the
+    carries get to the right place.  This saves having to pad b out to
+    the precision of a just to make the loops work right...
+   */
+  pa = MP_DIGITS(a);
+  pb = MP_DIGITS(b);
+  limit = pb + MP_USED(b);
+  while (pb < limit) {
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
+    w = w + *pa - *pb++;
+    *pa++ = ACCUM(w);
+    w >>= MP_DIGIT_BIT;
+#else
+    d = *pa;
+    diff = d - *pb++;
+    d = (diff > d);				/* detect borrow */
+    if (borrow && --diff == MP_DIGIT_MAX)
+      ++d;
+    *pa++ = diff;
+    borrow = d;	
+#endif
+  }
+  limit = MP_DIGITS(a) + MP_USED(a);
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
+  while (w && pa < limit) {
+    w = w + *pa;
+    *pa++ = ACCUM(w);
+    w >>= MP_DIGIT_BIT;
+  }
+#else
+  while (borrow && pa < limit) {
+    d = *pa;
+    *pa++ = diff = d - borrow;
+    borrow = (diff > d);
+  }
+#endif
+
+  /* Clobber any leading zeroes we created    */
+  s_mp_clamp(a);
+
+  /* 
+     If there was a borrow out, then |b| > |a| in violation
+     of our input invariant.  We've already done the work,
+     but we'll at least complain about it...
+   */
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
+  return w ? MP_RANGE : MP_OKAY;
+#else
+  return borrow ? MP_RANGE : MP_OKAY;
+#endif
+} /* end s_mp_sub() */
+
+/* }}} */
+
+/* Compute c = |a| - |b|, assumes |a| >= |b| */ /* magnitude subtract      */
+mp_err   s_mp_sub_3arg(const mp_int *a, const mp_int *b, mp_int *c)  
+{
+  mp_digit *pa, *pb, *pc;
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
+  mp_sword  w = 0;
+#else
+  mp_digit  d, diff, borrow = 0;
+#endif
+  int       ix, limit;
+  mp_err    res;
+
+  MP_SIGN(c) = MP_SIGN(a);
+
+  /* Make sure a has enough precision for the output value */
+  if (MP_OKAY != (res = s_mp_pad(c, MP_USED(a))))
+    return res;
+
+  /*
+    Subtract and propagate borrow.  Up to the precision of b, this
+    accounts for the digits of b; after that, we just make sure the
+    carries get to the right place.  This saves having to pad b out to
+    the precision of a just to make the loops work right...
+   */
+  pa = MP_DIGITS(a);
+  pb = MP_DIGITS(b);
+  pc = MP_DIGITS(c);
+  limit = MP_USED(b);
+  for (ix = 0; ix < limit; ++ix) {
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
+    w = w + *pa++ - *pb++;
+    *pc++ = ACCUM(w);
+    w >>= MP_DIGIT_BIT;
+#else
+    d = *pa++;
+    diff = d - *pb++;
+    d = (diff > d);
+    if (borrow && --diff == MP_DIGIT_MAX)
+      ++d;
+    *pc++ = diff;
+    borrow = d;
+#endif
+  }
+  for (limit = MP_USED(a); ix < limit; ++ix) {
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
+    w = w + *pa++;
+    *pc++ = ACCUM(w);
+    w >>= MP_DIGIT_BIT;
+#else
+    d = *pa++;
+    *pc++ = diff = d - borrow;
+    borrow = (diff > d);
+#endif
+  }
+
+  /* Clobber any leading zeroes we created    */
+  MP_USED(c) = ix;
+  s_mp_clamp(c);
+
+  /* 
+     If there was a borrow out, then |b| > |a| in violation
+     of our input invariant.  We've already done the work,
+     but we'll at least complain about it...
+   */
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_SUB_WORD)
+  return w ? MP_RANGE : MP_OKAY;
+#else
+  return borrow ? MP_RANGE : MP_OKAY;
+#endif
+}
+/* {{{ s_mp_mul(a, b) */
+
+/* Compute a = |a| * |b|                                                  */
+mp_err   s_mp_mul(mp_int *a, const mp_int *b)
+{
+  return mp_mul(a, b, a);
+} /* end s_mp_mul() */
+
+/* }}} */
+
+#if defined(MP_USE_UINT_DIGIT) && defined(MP_USE_LONG_LONG_MULTIPLY)
+/* This trick works on Sparc V8 CPUs with the Workshop compilers. */
+#define MP_MUL_DxD(a, b, Phi, Plo) \
+  { unsigned long long product = (unsigned long long)a * b; \
+    Plo = (mp_digit)product; \
+    Phi = (mp_digit)(product >> MP_DIGIT_BIT); }
+#elif defined(OSF1)
+#define MP_MUL_DxD(a, b, Phi, Plo) \
+  { Plo = asm ("mulq %a0, %a1, %v0", a, b);\
+    Phi = asm ("umulh %a0, %a1, %v0", a, b); }
+#else
+#define MP_MUL_DxD(a, b, Phi, Plo) \
+  { mp_digit a0b1, a1b0; \
+    Plo = (a & MP_HALF_DIGIT_MAX) * (b & MP_HALF_DIGIT_MAX); \
+    Phi = (a >> MP_HALF_DIGIT_BIT) * (b >> MP_HALF_DIGIT_BIT); \
+    a0b1 = (a & MP_HALF_DIGIT_MAX) * (b >> MP_HALF_DIGIT_BIT); \
+    a1b0 = (a >> MP_HALF_DIGIT_BIT) * (b & MP_HALF_DIGIT_MAX); \
+    a1b0 += a0b1; \
+    Phi += a1b0 >> MP_HALF_DIGIT_BIT; \
+    if (a1b0 < a0b1)  \
+      Phi += MP_HALF_RADIX; \
+    a1b0 <<= MP_HALF_DIGIT_BIT; \
+    Plo += a1b0; \
+    if (Plo < a1b0) \
+      ++Phi; \
+  }
+#endif
+
+#if !defined(MP_ASSEMBLY_MULTIPLY)
+/* c = a * b */
+void s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
+  mp_digit   d = 0;
+
+  /* Inner product:  Digits of a */
+  while (a_len--) {
+    mp_word w = ((mp_word)b * *a++) + d;
+    *c++ = ACCUM(w);
+    d = CARRYOUT(w);
+  }
+  *c = d;
+#else
+  mp_digit carry = 0;
+  while (a_len--) {
+    mp_digit a_i = *a++;
+    mp_digit a0b0, a1b1;
+
+    MP_MUL_DxD(a_i, b, a1b1, a0b0);
+
+    a0b0 += carry;
+    if (a0b0 < carry)
+      ++a1b1;
+    *c++ = a0b0;
+    carry = a1b1;
+  }
+  *c = carry;
+#endif
+}
+
+/* c += a * b */
+void s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, 
+			      mp_digit *c)
+{
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
+  mp_digit   d = 0;
+
+  /* Inner product:  Digits of a */
+  while (a_len--) {
+    mp_word w = ((mp_word)b * *a++) + *c + d;
+    *c++ = ACCUM(w);
+    d = CARRYOUT(w);
+  }
+  *c = d;
+#else
+  mp_digit carry = 0;
+  while (a_len--) {
+    mp_digit a_i = *a++;
+    mp_digit a0b0, a1b1;
+
+    MP_MUL_DxD(a_i, b, a1b1, a0b0);
+
+    a0b0 += carry;
+    if (a0b0 < carry)
+      ++a1b1;
+    a0b0 += a_i = *c;
+    if (a0b0 < a_i)
+      ++a1b1;
+    *c++ = a0b0;
+    carry = a1b1;
+  }
+  *c = carry;
+#endif
+}
+
+/* Presently, this is only used by the Montgomery arithmetic code. */
+/* c += a * b */
+void s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
+  mp_digit   d = 0;
+
+  /* Inner product:  Digits of a */
+  while (a_len--) {
+    mp_word w = ((mp_word)b * *a++) + *c + d;
+    *c++ = ACCUM(w);
+    d = CARRYOUT(w);
+  }
+
+  while (d) {
+    mp_word w = (mp_word)*c + d;
+    *c++ = ACCUM(w);
+    d = CARRYOUT(w);
+  }
+#else
+  mp_digit carry = 0;
+  while (a_len--) {
+    mp_digit a_i = *a++;
+    mp_digit a0b0, a1b1;
+
+    MP_MUL_DxD(a_i, b, a1b1, a0b0);
+
+    a0b0 += carry;
+    if (a0b0 < carry)
+      ++a1b1;
+
+    a0b0 += a_i = *c;
+    if (a0b0 < a_i)
+      ++a1b1;
+
+    *c++ = a0b0;
+    carry = a1b1;
+  }
+  while (carry) {
+    mp_digit c_i = *c;
+    carry += c_i;
+    *c++ = carry;
+    carry = carry < c_i;
+  }
+#endif
+}
+#endif
+
+#if defined(MP_USE_UINT_DIGIT) && defined(MP_USE_LONG_LONG_MULTIPLY)
+/* This trick works on Sparc V8 CPUs with the Workshop compilers. */
+#define MP_SQR_D(a, Phi, Plo) \
+  { unsigned long long square = (unsigned long long)a * a; \
+    Plo = (mp_digit)square; \
+    Phi = (mp_digit)(square >> MP_DIGIT_BIT); }
+#elif defined(OSF1)
+#define MP_SQR_D(a, Phi, Plo) \
+  { Plo = asm ("mulq  %a0, %a0, %v0", a);\
+    Phi = asm ("umulh %a0, %a0, %v0", a); }
+#else
+#define MP_SQR_D(a, Phi, Plo) \
+  { mp_digit Pmid; \
+    Plo  = (a  & MP_HALF_DIGIT_MAX) * (a  & MP_HALF_DIGIT_MAX); \
+    Phi  = (a >> MP_HALF_DIGIT_BIT) * (a >> MP_HALF_DIGIT_BIT); \
+    Pmid = (a  & MP_HALF_DIGIT_MAX) * (a >> MP_HALF_DIGIT_BIT); \
+    Phi += Pmid >> (MP_HALF_DIGIT_BIT - 1);  \
+    Pmid <<= (MP_HALF_DIGIT_BIT + 1);  \
+    Plo += Pmid;  \
+    if (Plo < Pmid)  \
+      ++Phi;  \
+  }
+#endif
+
+#if !defined(MP_ASSEMBLY_SQUARE)
+/* Add the squares of the digits of a to the digits of b. */
+void s_mpv_sqr_add_prop(const mp_digit *pa, mp_size a_len, mp_digit *ps)
+{
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
+  mp_word  w;
+  mp_digit d;
+  mp_size  ix;
+
+  w  = 0;
+#define ADD_SQUARE(n) \
+    d = pa[n]; \
+    w += (d * (mp_word)d) + ps[2*n]; \
+    ps[2*n] = ACCUM(w); \
+    w = (w >> DIGIT_BIT) + ps[2*n+1]; \
+    ps[2*n+1] = ACCUM(w); \
+    w = (w >> DIGIT_BIT)
+
+  for (ix = a_len; ix >= 4; ix -= 4) {
+    ADD_SQUARE(0);
+    ADD_SQUARE(1);
+    ADD_SQUARE(2);
+    ADD_SQUARE(3);
+    pa += 4;
+    ps += 8;
+  }
+  if (ix) {
+    ps += 2*ix;
+    pa += ix;
+    switch (ix) {
+    case 3: ADD_SQUARE(-3); /* FALLTHRU */
+    case 2: ADD_SQUARE(-2); /* FALLTHRU */
+    case 1: ADD_SQUARE(-1); /* FALLTHRU */
+    case 0: break;
+    }
+  }
+  while (w) {
+    w += *ps;
+    *ps++ = ACCUM(w);
+    w = (w >> DIGIT_BIT);
+  }
+#else
+  mp_digit carry = 0;
+  while (a_len--) {
+    mp_digit a_i = *pa++;
+    mp_digit a0a0, a1a1;
+
+    MP_SQR_D(a_i, a1a1, a0a0);
+
+    /* here a1a1 and a0a0 constitute a_i ** 2 */
+    a0a0 += carry;
+    if (a0a0 < carry)
+      ++a1a1;
+
+    /* now add to ps */
+    a0a0 += a_i = *ps;
+    if (a0a0 < a_i)
+      ++a1a1;
+    *ps++ = a0a0;
+    a1a1 += a_i = *ps;
+    carry = (a1a1 < a_i);
+    *ps++ = a1a1;
+  }
+  while (carry) {
+    mp_digit s_i = *ps;
+    carry += s_i;
+    *ps++ = carry;
+    carry = carry < s_i;
+  }
+#endif
+}
+#endif
+
+#if (defined(MP_NO_MP_WORD) || defined(MP_NO_DIV_WORD)) \
+&& !defined(MP_ASSEMBLY_DIV_2DX1D)
+/*
+** Divide 64-bit (Nhi,Nlo) by 32-bit divisor, which must be normalized 
+** so its high bit is 1.   This code is from NSPR.
+*/
+mp_err s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo, mp_digit divisor, 
+		       mp_digit *qp, mp_digit *rp)
+{
+    mp_digit d1, d0, q1, q0;
+    mp_digit r1, r0, m;
+
+    d1 = divisor >> MP_HALF_DIGIT_BIT;
+    d0 = divisor & MP_HALF_DIGIT_MAX;
+    r1 = Nhi % d1;
+    q1 = Nhi / d1;
+    m = q1 * d0;
+    r1 = (r1 << MP_HALF_DIGIT_BIT) | (Nlo >> MP_HALF_DIGIT_BIT);
+    if (r1 < m) {
+        q1--, r1 += divisor;
+        if (r1 >= divisor && r1 < m) {
+	    q1--, r1 += divisor;
+	}
+    }
+    r1 -= m;
+    r0 = r1 % d1;
+    q0 = r1 / d1;
+    m = q0 * d0;
+    r0 = (r0 << MP_HALF_DIGIT_BIT) | (Nlo & MP_HALF_DIGIT_MAX);
+    if (r0 < m) {
+        q0--, r0 += divisor;
+        if (r0 >= divisor && r0 < m) {
+	    q0--, r0 += divisor;
+	}
+    }
+    if (qp)
+	*qp = (q1 << MP_HALF_DIGIT_BIT) | q0;
+    if (rp)
+	*rp = r0 - m;
+    return MP_OKAY;
+}
+#endif
+
+#if MP_SQUARE
+/* {{{ s_mp_sqr(a) */
+
+mp_err   s_mp_sqr(mp_int *a)
+{
+  mp_err   res;
+  mp_int   tmp;
+
+  if((res = mp_init_size(&tmp, 2 * USED(a))) != MP_OKAY)
+    return res;
+  res = mp_sqr(a, &tmp);
+  if (res == MP_OKAY) {
+    s_mp_exch(&tmp, a);
+  }
+  mp_clear(&tmp);
+  return res;
+}
+
+/* }}} */
+#endif
+
+/* {{{ s_mp_div(a, b) */
+
+/*
+  s_mp_div(a, b)
+
+  Compute a = a / b and b = a mod b.  Assumes b > a.
+ */
+
+mp_err   s_mp_div(mp_int *rem, 	/* i: dividend, o: remainder */
+                  mp_int *div, 	/* i: divisor                */
+		  mp_int *quot)	/* i: 0;        o: quotient  */
+{
+  mp_int   part, t;
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_DIV_WORD)
+  mp_word  q_msd;
+#else
+  mp_digit q_msd;
+#endif
+  mp_err   res;
+  mp_digit d;
+  mp_digit div_msd;
+  int      ix;
+
+  if(mp_cmp_z(div) == 0)
+    return MP_RANGE;
+
+  /* Shortcut if divisor is power of two */
+  if((ix = s_mp_ispow2(div)) >= 0) {
+    MP_CHECKOK( mp_copy(rem, quot) );
+    s_mp_div_2d(quot, (mp_digit)ix);
+    s_mp_mod_2d(rem,  (mp_digit)ix);
+
+    return MP_OKAY;
+  }
+
+  DIGITS(&t) = 0;
+  MP_SIGN(rem) = ZPOS;
+  MP_SIGN(div) = ZPOS;
+
+  /* A working temporary for division     */
+  MP_CHECKOK( mp_init_size(&t, MP_ALLOC(rem)));
+
+  /* Normalize to optimize guessing       */
+  MP_CHECKOK( s_mp_norm(rem, div, &d) );
+
+  part = *rem;
+
+  /* Perform the division itself...woo!   */
+  MP_USED(quot) = MP_ALLOC(quot);
+
+  /* Find a partial substring of rem which is at least div */
+  /* If we didn't find one, we're finished dividing    */
+  while (MP_USED(rem) > MP_USED(div) || s_mp_cmp(rem, div) >= 0) {
+    int i;
+    int unusedRem;
+
+    unusedRem = MP_USED(rem) - MP_USED(div);
+    MP_DIGITS(&part) = MP_DIGITS(rem) + unusedRem;
+    MP_ALLOC(&part)  = MP_ALLOC(rem)  - unusedRem;
+    MP_USED(&part)   = MP_USED(div);
+    if (s_mp_cmp(&part, div) < 0) {
+      -- unusedRem;
+#if MP_ARGCHK == 2
+      assert(unusedRem >= 0);
+#endif
+      -- MP_DIGITS(&part);
+      ++ MP_USED(&part);
+      ++ MP_ALLOC(&part);
+    }
+
+    /* Compute a guess for the next quotient digit       */
+    q_msd = MP_DIGIT(&part, MP_USED(&part) - 1);
+    div_msd = MP_DIGIT(div, MP_USED(div) - 1);
+    if (q_msd >= div_msd) {
+      q_msd = 1;
+    } else if (MP_USED(&part) > 1) {
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_DIV_WORD)
+      q_msd = (q_msd << MP_DIGIT_BIT) | MP_DIGIT(&part, MP_USED(&part) - 2);
+      q_msd /= div_msd;
+      if (q_msd == RADIX)
+        --q_msd;
+#else
+      mp_digit r;
+      MP_CHECKOK( s_mpv_div_2dx1d(q_msd, MP_DIGIT(&part, MP_USED(&part) - 2), 
+				  div_msd, &q_msd, &r) );
+#endif
+    } else {
+      q_msd = 0;
+    }
+#if MP_ARGCHK == 2
+    assert(q_msd > 0); /* This case should never occur any more. */
+#endif
+    if (q_msd <= 0)
+      break;
+
+    /* See what that multiplies out to                   */
+    mp_copy(div, &t);
+    MP_CHECKOK( s_mp_mul_d(&t, (mp_digit)q_msd) );
+
+    /* 
+       If it's too big, back it off.  We should not have to do this
+       more than once, or, in rare cases, twice.  Knuth describes a
+       method by which this could be reduced to a maximum of once, but
+       I didn't implement that here.
+     * When using s_mpv_div_2dx1d, we may have to do this 3 times.
+     */
+    for (i = 4; s_mp_cmp(&t, &part) > 0 && i > 0; --i) {
+      --q_msd;
+      s_mp_sub(&t, div);	/* t -= div */
+    }
+    if (i < 0) {
+      res = MP_RANGE;
+      goto CLEANUP;
+    }
+
+    /* At this point, q_msd should be the right next digit   */
+    MP_CHECKOK( s_mp_sub(&part, &t) );	/* part -= t */
+    s_mp_clamp(rem);
+
+    /*
+      Include the digit in the quotient.  We allocated enough memory
+      for any quotient we could ever possibly get, so we should not
+      have to check for failures here
+     */
+    MP_DIGIT(quot, unusedRem) = (mp_digit)q_msd;
+  }
+
+  /* Denormalize remainder                */
+  if (d) {
+    s_mp_div_2d(rem, d);
+  }
+
+  s_mp_clamp(quot);
+
+CLEANUP:
+  mp_clear(&t);
+
+  return res;
+
+} /* end s_mp_div() */
+
+
+/* }}} */
+
+/* {{{ s_mp_2expt(a, k) */
+
+mp_err   s_mp_2expt(mp_int *a, mp_digit k)
+{
+  mp_err    res;
+  mp_size   dig, bit;
+
+  dig = k / DIGIT_BIT;
+  bit = k % DIGIT_BIT;
+
+  mp_zero(a);
+  if((res = s_mp_pad(a, dig + 1)) != MP_OKAY)
+    return res;
+  
+  DIGIT(a, dig) |= ((mp_digit)1 << bit);
+
+  return MP_OKAY;
+
+} /* end s_mp_2expt() */
+
+/* }}} */
+
+/* {{{ s_mp_reduce(x, m, mu) */
+
+/*
+  Compute Barrett reduction, x (mod m), given a precomputed value for
+  mu = b^2k / m, where b = RADIX and k = #digits(m).  This should be
+  faster than straight division, when many reductions by the same
+  value of m are required (such as in modular exponentiation).  This
+  can nearly halve the time required to do modular exponentiation,
+  as compared to using the full integer divide to reduce.
+
+  This algorithm was derived from the _Handbook of Applied
+  Cryptography_ by Menezes, Oorschot and VanStone, Ch. 14,
+  pp. 603-604.  
+ */
+
+mp_err   s_mp_reduce(mp_int *x, const mp_int *m, const mp_int *mu)
+{
+  mp_int   q;
+  mp_err   res;
+
+  if((res = mp_init_copy(&q, x)) != MP_OKAY)
+    return res;
+
+  s_mp_rshd(&q, USED(m) - 1);  /* q1 = x / b^(k-1)  */
+  s_mp_mul(&q, mu);            /* q2 = q1 * mu      */
+  s_mp_rshd(&q, USED(m) + 1);  /* q3 = q2 / b^(k+1) */
+
+  /* x = x mod b^(k+1), quick (no division) */
+  s_mp_mod_2d(x, DIGIT_BIT * (USED(m) + 1));
+
+  /* q = q * m mod b^(k+1), quick (no division) */
+  s_mp_mul(&q, m);
+  s_mp_mod_2d(&q, DIGIT_BIT * (USED(m) + 1));
+
+  /* x = x - q */
+  if((res = mp_sub(x, &q, x)) != MP_OKAY)
+    goto CLEANUP;
+
+  /* If x < 0, add b^(k+1) to it */
+  if(mp_cmp_z(x) < 0) {
+    mp_set(&q, 1);
+    if((res = s_mp_lshd(&q, USED(m) + 1)) != MP_OKAY)
+      goto CLEANUP;
+    if((res = mp_add(x, &q, x)) != MP_OKAY)
+      goto CLEANUP;
+  }
+
+  /* Back off if it's too big */
+  while(mp_cmp(x, m) >= 0) {
+    if((res = s_mp_sub(x, m)) != MP_OKAY)
+      break;
+  }
+
+ CLEANUP:
+  mp_clear(&q);
+
+  return res;
+
+} /* end s_mp_reduce() */
+
+/* }}} */
+
+/* }}} */
+
+/* {{{ Primitive comparisons */
+
+/* {{{ s_mp_cmp(a, b) */
+
+/* Compare |a| <=> |b|, return 0 if equal, <0 if a<b, >0 if a>b           */
+int      s_mp_cmp(const mp_int *a, const mp_int *b)
+{
+  mp_size used_a = MP_USED(a);
+  {
+    mp_size used_b = MP_USED(b);
+
+    if (used_a > used_b)
+      goto IS_GT;
+    if (used_a < used_b)
+      goto IS_LT;
+  }
+  {
+    mp_digit *pa, *pb;
+    mp_digit da = 0, db = 0;
+
+#define CMP_AB(n) if ((da = pa[n]) != (db = pb[n])) goto done
+
+    pa = MP_DIGITS(a) + used_a;
+    pb = MP_DIGITS(b) + used_a;
+    while (used_a >= 4) {
+      pa     -= 4;
+      pb     -= 4;
+      used_a -= 4;
+      CMP_AB(3);
+      CMP_AB(2);
+      CMP_AB(1);
+      CMP_AB(0);
+    }
+    while (used_a-- > 0 && ((da = *--pa) == (db = *--pb))) 
+      /* do nothing */;
+done:
+    if (da > db)
+      goto IS_GT;
+    if (da < db) 
+      goto IS_LT;
+  }
+  return MP_EQ;
+IS_LT:
+  return MP_LT;
+IS_GT:
+  return MP_GT;
+} /* end s_mp_cmp() */
+
+/* }}} */
+
+/* {{{ s_mp_cmp_d(a, d) */
+
+/* Compare |a| <=> d, return 0 if equal, <0 if a<d, >0 if a>d             */
+int      s_mp_cmp_d(const mp_int *a, mp_digit d)
+{
+  if(USED(a) > 1)
+    return MP_GT;
+
+  if(DIGIT(a, 0) < d)
+    return MP_LT;
+  else if(DIGIT(a, 0) > d)
+    return MP_GT;
+  else
+    return MP_EQ;
+
+} /* end s_mp_cmp_d() */
+
+/* }}} */
+
+/* {{{ s_mp_ispow2(v) */
+
+/*
+  Returns -1 if the value is not a power of two; otherwise, it returns
+  k such that v = 2^k, i.e. lg(v).
+ */
+int      s_mp_ispow2(const mp_int *v)
+{
+  mp_digit d;
+  int      extra = 0, ix;
+
+  ix = MP_USED(v) - 1;
+  d = MP_DIGIT(v, ix); /* most significant digit of v */
+
+  extra = s_mp_ispow2d(d);
+  if (extra < 0 || ix == 0)
+    return extra;
+
+  while (--ix >= 0) {
+    if (DIGIT(v, ix) != 0)
+      return -1; /* not a power of two */
+    extra += MP_DIGIT_BIT;
+  }
+
+  return extra;
+
+} /* end s_mp_ispow2() */
+
+/* }}} */
+
+/* {{{ s_mp_ispow2d(d) */
+
+int      s_mp_ispow2d(mp_digit d)
+{
+  if ((d != 0) && ((d & (d-1)) == 0)) { /* d is a power of 2 */
+    int pow = 0;
+#if defined (MP_USE_UINT_DIGIT)
+    if (d & 0xffff0000U)
+      pow += 16;
+    if (d & 0xff00ff00U)
+      pow += 8;
+    if (d & 0xf0f0f0f0U)
+      pow += 4;
+    if (d & 0xccccccccU)
+      pow += 2;
+    if (d & 0xaaaaaaaaU)
+      pow += 1;
+#elif defined(MP_USE_LONG_LONG_DIGIT)
+    if (d & 0xffffffff00000000ULL)
+      pow += 32;
+    if (d & 0xffff0000ffff0000ULL)
+      pow += 16;
+    if (d & 0xff00ff00ff00ff00ULL)
+      pow += 8;
+    if (d & 0xf0f0f0f0f0f0f0f0ULL)
+      pow += 4;
+    if (d & 0xccccccccccccccccULL)
+      pow += 2;
+    if (d & 0xaaaaaaaaaaaaaaaaULL)
+      pow += 1;
+#elif defined(MP_USE_LONG_DIGIT)
+    if (d & 0xffffffff00000000UL)
+      pow += 32;
+    if (d & 0xffff0000ffff0000UL)
+      pow += 16;
+    if (d & 0xff00ff00ff00ff00UL)
+      pow += 8;
+    if (d & 0xf0f0f0f0f0f0f0f0UL)
+      pow += 4;
+    if (d & 0xccccccccccccccccUL)
+      pow += 2;
+    if (d & 0xaaaaaaaaaaaaaaaaUL)
+      pow += 1;
+#else
+#error "unknown type for mp_digit"
+#endif
+    return pow;
+  }
+  return -1;
+
+} /* end s_mp_ispow2d() */
+
+/* }}} */
+
+/* }}} */
+
+/* {{{ Primitive I/O helpers */
+
+/* {{{ s_mp_tovalue(ch, r) */
+
+/*
+  Convert the given character to its digit value, in the given radix.
+  If the given character is not understood in the given radix, -1 is
+  returned.  Otherwise the digit's numeric value is returned.
+
+  The results will be odd if you use a radix < 2 or > 62, you are
+  expected to know what you're up to.
+ */
+int      s_mp_tovalue(char ch, int r)
+{
+  int    val, xch;
+  
+  if(r > 36)
+    xch = ch;
+  else
+    xch = toupper(ch);
+
+  if(isdigit(xch))
+    val = xch - '0';
+  else if(isupper(xch))
+    val = xch - 'A' + 10;
+  else if(islower(xch))
+    val = xch - 'a' + 36;
+  else if(xch == '+')
+    val = 62;
+  else if(xch == '/')
+    val = 63;
+  else 
+    return -1;
+
+  if(val < 0 || val >= r)
+    return -1;
+
+  return val;
+
+} /* end s_mp_tovalue() */
+
+/* }}} */
+
+/* {{{ s_mp_todigit(val, r, low) */
+
+/*
+  Convert val to a radix-r digit, if possible.  If val is out of range
+  for r, returns zero.  Otherwise, returns an ASCII character denoting
+  the value in the given radix.
+
+  The results may be odd if you use a radix < 2 or > 64, you are
+  expected to know what you're doing.
+ */
+  
+char     s_mp_todigit(mp_digit val, int r, int low)
+{
+  char   ch;
+
+  if(val >= r)
+    return 0;
+
+  ch = s_dmap_1[val];
+
+  if(r <= 36 && low)
+    ch = tolower(ch);
+
+  return ch;
+
+} /* end s_mp_todigit() */
+
+/* }}} */
+
+/* {{{ s_mp_outlen(bits, radix) */
+
+/* 
+   Return an estimate for how long a string is needed to hold a radix
+   r representation of a number with 'bits' significant bits, plus an
+   extra for a zero terminator (assuming C style strings here)
+ */
+int      s_mp_outlen(int bits, int r)
+{
+  return (int)((double)bits * LOG_V_2(r) + 1.5) + 1;
+
+} /* end s_mp_outlen() */
+
+/* }}} */
+
+/* }}} */
+
+/* {{{ mp_read_unsigned_octets(mp, str, len) */
+/* mp_read_unsigned_octets(mp, str, len)
+   Read in a raw value (base 256) into the given mp_int
+   No sign bit, number is positive.  Leading zeros ignored.
+ */
+
+mp_err  
+mp_read_unsigned_octets(mp_int *mp, const unsigned char *str, mp_size len)
+{
+  int            count;
+  mp_err         res;
+  mp_digit       d;
+
+  ARGCHK(mp != NULL && str != NULL && len > 0, MP_BADARG);
+
+  mp_zero(mp);
+
+  count = len % sizeof(mp_digit);
+  if (count) {
+    for (d = 0; count-- > 0; --len) {
+      d = (d << 8) | *str++;
+    }
+    MP_DIGIT(mp, 0) = d;
+  }
+
+  /* Read the rest of the digits */
+  for(; len > 0; len -= sizeof(mp_digit)) {
+    for (d = 0, count = sizeof(mp_digit); count > 0; --count) {
+      d = (d << 8) | *str++;
+    }
+    if (MP_EQ == mp_cmp_z(mp)) {
+      if (!d)
+	continue;
+    } else {
+      if((res = s_mp_lshd(mp, 1)) != MP_OKAY)
+	return res;
+    }
+    MP_DIGIT(mp, 0) = d;
+  }
+  return MP_OKAY;
+} /* end mp_read_unsigned_octets() */
+/* }}} */
+
+/* {{{ mp_unsigned_octet_size(mp) */
+int    
+mp_unsigned_octet_size(const mp_int *mp)
+{
+  int  bytes;
+  int  ix;
+  mp_digit  d = 0;
+
+  ARGCHK(mp != NULL, MP_BADARG);
+  ARGCHK(MP_ZPOS == SIGN(mp), MP_BADARG);
+
+  bytes = (USED(mp) * sizeof(mp_digit));
+
+  /* subtract leading zeros. */
+  /* Iterate over each digit... */
+  for(ix = USED(mp) - 1; ix >= 0; ix--) {
+    d = DIGIT(mp, ix);
+    if (d) 
+	break;
+    bytes -= sizeof(d);
+  }
+  if (!bytes)
+    return 1;
+
+  /* Have MSD, check digit bytes, high order first */
+  for(ix = sizeof(mp_digit) - 1; ix >= 0; ix--) {
+    unsigned char x = (unsigned char)(d >> (ix * CHAR_BIT));
+    if (x) 
+	break;
+    --bytes;
+  }
+  return bytes;
+} /* end mp_unsigned_octet_size() */
+/* }}} */
+
+/* {{{ mp_to_unsigned_octets(mp, str) */
+/* output a buffer of big endian octets no longer than specified. */
+mp_err 
+mp_to_unsigned_octets(const mp_int *mp, unsigned char *str, mp_size maxlen)
+{
+  int  ix, pos = 0;
+  int  bytes;
+
+  ARGCHK(mp != NULL && str != NULL && !SIGN(mp), MP_BADARG);
+
+  bytes = mp_unsigned_octet_size(mp);
+  ARGCHK(bytes <= maxlen, MP_BADARG);
+
+  /* Iterate over each digit... */
+  for(ix = USED(mp) - 1; ix >= 0; ix--) {
+    mp_digit  d = DIGIT(mp, ix);
+    int       jx;
+
+    /* Unpack digit bytes, high order first */
+    for(jx = sizeof(mp_digit) - 1; jx >= 0; jx--) {
+      unsigned char x = (unsigned char)(d >> (jx * CHAR_BIT));
+      if (!pos && !x)	/* suppress leading zeros */
+	continue;
+      str[pos++] = x;
+    }
+  }
+  return pos;
+} /* end mp_to_unsigned_octets() */
+/* }}} */
+
+/* {{{ mp_to_signed_octets(mp, str) */
+/* output a buffer of big endian octets no longer than specified. */
+mp_err 
+mp_to_signed_octets(const mp_int *mp, unsigned char *str, mp_size maxlen)
+{
+  int  ix, pos = 0;
+  int  bytes;
+
+  ARGCHK(mp != NULL && str != NULL && !SIGN(mp), MP_BADARG);
+
+  bytes = mp_unsigned_octet_size(mp);
+  ARGCHK(bytes <= maxlen, MP_BADARG);
+
+  /* Iterate over each digit... */
+  for(ix = USED(mp) - 1; ix >= 0; ix--) {
+    mp_digit  d = DIGIT(mp, ix);
+    int       jx;
+
+    /* Unpack digit bytes, high order first */
+    for(jx = sizeof(mp_digit) - 1; jx >= 0; jx--) {
+      unsigned char x = (unsigned char)(d >> (jx * CHAR_BIT));
+      if (!pos) {
+	if (!x)		/* suppress leading zeros */
+	  continue;
+	if (x & 0x80) { /* add one leading zero to make output positive.  */
+	  ARGCHK(bytes + 1 <= maxlen, MP_BADARG);
+	  if (bytes + 1 > maxlen)
+	    return MP_BADARG;
+	  str[pos++] = 0;
+	}
+      }
+      str[pos++] = x;
+    }
+  }
+  return pos;
+} /* end mp_to_signed_octets() */
+/* }}} */
+
+/* {{{ mp_to_fixlen_octets(mp, str) */
+/* output a buffer of big endian octets exactly as long as requested. */
+mp_err 
+mp_to_fixlen_octets(const mp_int *mp, unsigned char *str, mp_size length)
+{
+  int  ix, pos = 0;
+  int  bytes;
+
+  ARGCHK(mp != NULL && str != NULL && !SIGN(mp), MP_BADARG);
+
+  bytes = mp_unsigned_octet_size(mp);
+  ARGCHK(bytes <= length, MP_BADARG);
+
+  /* place any needed leading zeros */
+  for (;length > bytes; --length) {
+	*str++ = 0;
+  }
+
+  /* Iterate over each digit... */
+  for(ix = USED(mp) - 1; ix >= 0; ix--) {
+    mp_digit  d = DIGIT(mp, ix);
+    int       jx;
+
+    /* Unpack digit bytes, high order first */
+    for(jx = sizeof(mp_digit) - 1; jx >= 0; jx--) {
+      unsigned char x = (unsigned char)(d >> (jx * CHAR_BIT));
+      if (!pos && !x)	/* suppress leading zeros */
+	continue;
+      str[pos++] = x;
+    }
+  }
+  return MP_OKAY;
+} /* end mp_to_fixlen_octets() */
+/* }}} */
+
+
+/*------------------------------------------------------------------------*/
+/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/mpi.h b/security/nss/lib/freebl/mpi/mpi.h
new file mode 100644
index 000000000..c44099bdd
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi.h
@@ -0,0 +1,332 @@
+/*
+ *  mpi.h
+ *
+ *  Arbitrary precision integer arithmetic library
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *	Netscape Communications Corporation
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ *  $Id$
+ */
+
+#ifndef _H_MPI_
+#define _H_MPI_
+
+#include "mpi-config.h"
+
+#if MP_DEBUG
+#undef MP_IOFUNC
+#define MP_IOFUNC 1
+#endif
+
+#if MP_IOFUNC
+#include <stdio.h>
+#include <ctype.h>
+#endif
+
+#include <limits.h>
+
+#if defined(BSDI)
+#undef ULLONG_MAX
+#endif
+
+#ifdef macintosh
+#include <Types.h>
+#else
+#include <sys/types.h>
+#endif
+
+#define  MP_NEG    1
+#define  MP_ZPOS   0
+
+#define  MP_OKAY          0 /* no error, all is well */
+#define  MP_YES           0 /* yes (boolean result)  */
+#define  MP_NO           -1 /* no (boolean result)   */
+#define  MP_MEM          -2 /* out of memory         */
+#define  MP_RANGE        -3 /* argument out of range */
+#define  MP_BADARG       -4 /* invalid parameter     */
+#define  MP_UNDEF        -5 /* answer is undefined   */
+#define  MP_LAST_CODE    MP_UNDEF
+
+typedef unsigned int      mp_sign;
+typedef unsigned int      mp_size;
+typedef int               mp_err;
+
+#define MP_32BIT_MAX 4294967295U
+
+#if !defined(ULONG_MAX) 
+#error "ULONG_MAX not defined"
+#elif !defined(UINT_MAX)
+#error "UINT_MAX not defined"
+#elif !defined(USHRT_MAX)
+#error "USHRT_MAX not defined"
+#endif
+
+#if defined(ULONG_LONG_MAX)			/* GCC, HPUX */
+#define MP_ULONG_LONG_MAX ULONG_LONG_MAX
+#elif defined(ULLONG_MAX)			/* Solaris */
+#define MP_ULONG_LONG_MAX ULLONG_MAX
+/* MP_ULONG_LONG_MAX was defined to be ULLONG_MAX */
+#elif defined(ULONGLONG_MAX)			/* IRIX, AIX */
+#define MP_ULONG_LONG_MAX ULONGLONG_MAX
+#endif
+
+/* We only use unsigned long for mp_digit iff long is more than 32 bits. */
+#if !defined(MP_USE_UINT_DIGIT) && ULONG_MAX > MP_32BIT_MAX
+typedef unsigned long     mp_digit;
+#define MP_DIGIT_MAX      ULONG_MAX
+#define MP_DIGIT_FMT      "%016lX"   /* printf() format for 1 digit */
+#define MP_HALF_DIGIT_MAX UINT_MAX
+#undef  MP_NO_MP_WORD
+#define MP_NO_MP_WORD 1
+#undef  MP_USE_LONG_DIGIT
+#define MP_USE_LONG_DIGIT 1
+#undef  MP_USE_LONG_LONG_DIGIT
+
+#elif !defined(MP_USE_UINT_DIGIT) && defined(MP_ULONG_LONG_MAX) 
+typedef unsigned long long mp_digit;
+#define MP_DIGIT_MAX       MP_ULONG_LONG_MAX
+#define MP_DIGIT_FMT      "%016llX"  /* printf() format for 1 digit */
+#define MP_HALF_DIGIT_MAX  UINT_MAX
+#undef  MP_NO_MP_WORD
+#define MP_NO_MP_WORD 1
+#undef  MP_USE_LONG_LONG_DIGIT
+#define MP_USE_LONG_LONG_DIGIT 1
+#undef  MP_USE_LONG_DIGIT
+
+#else
+typedef unsigned int      mp_digit;
+#define MP_DIGIT_MAX      UINT_MAX
+#define MP_DIGIT_FMT      "%08X"     /* printf() format for 1 digit */
+#define MP_HALF_DIGIT_MAX USHRT_MAX
+#undef  MP_USE_UINT_DIGIT
+#define MP_USE_UINT_DIGIT 1
+#undef  MP_USE_LONG_LONG_DIGIT
+#undef  MP_USE_LONG_DIGIT
+#endif
+
+#if !defined(MP_NO_MP_WORD) 
+#if  defined(MP_USE_UINT_DIGIT) && \
+    (defined(MP_ULONG_LONG_MAX) || (ULONG_MAX > UINT_MAX))
+
+#if (ULONG_MAX > UINT_MAX)
+typedef unsigned long     mp_word;
+typedef          long     mp_sword;
+#define MP_WORD_MAX       ULONG_MAX
+
+#else
+typedef unsigned long long mp_word;
+typedef          long long mp_sword;
+#define MP_WORD_MAX       MP_ULONG_LONG_MAX
+#endif
+
+#else 
+#define MP_NO_MP_WORD 1
+#endif
+#endif /* !defined(MP_NO_MP_WORD) */
+
+#if !defined(MP_WORD_MAX) && defined(MP_DEFINE_SMALL_WORD)
+typedef unsigned int      mp_word;
+typedef          int      mp_sword;
+#define MP_WORD_MAX       UINT_MAX
+#endif
+
+#define MP_DIGIT_BIT      (CHAR_BIT*sizeof(mp_digit))
+#define MP_WORD_BIT       (CHAR_BIT*sizeof(mp_word))
+#define MP_RADIX          (1+(mp_word)MP_DIGIT_MAX)
+
+#define MP_HALF_DIGIT_BIT (MP_DIGIT_BIT/2)
+#define MP_HALF_RADIX     (1+(mp_digit)MP_HALF_DIGIT_MAX)
+/* MP_HALF_RADIX really ought to be called MP_SQRT_RADIX, but it's named 
+** MP_HALF_RADIX because it's the radix for MP_HALF_DIGITs, and it's 
+** consistent with the other _HALF_ names.
+*/
+
+
+/* Macros for accessing the mp_int internals           */
+#define  MP_SIGN(MP)     ((MP)->sign)
+#define  MP_USED(MP)     ((MP)->used)
+#define  MP_ALLOC(MP)    ((MP)->alloc)
+#define  MP_DIGITS(MP)   ((MP)->dp)
+#define  MP_DIGIT(MP,N)  (MP)->dp[(N)]
+
+/* This defines the maximum I/O base (minimum is 2)   */
+#define MP_MAX_RADIX         64
+
+typedef struct {
+  mp_sign       sign;    /* sign of this quantity      */
+  mp_size       alloc;   /* how many digits allocated  */
+  mp_size       used;    /* how many digits used       */
+  mp_digit     *dp;      /* the digits themselves      */
+} mp_int;
+
+/* Default precision       */
+mp_size mp_get_prec(void);
+void    mp_set_prec(mp_size prec);
+
+/* Memory management       */
+mp_err mp_init(mp_int *mp);
+mp_err mp_init_size(mp_int *mp, mp_size prec);
+mp_err mp_init_copy(mp_int *mp, const mp_int *from);
+mp_err mp_copy(const mp_int *from, mp_int *to);
+void   mp_exch(mp_int *mp1, mp_int *mp2);
+void   mp_clear(mp_int *mp);
+void   mp_zero(mp_int *mp);
+void   mp_set(mp_int *mp, mp_digit d);
+mp_err mp_set_int(mp_int *mp, long z);
+#define mp_set_long(mp,z) mp_set_int(mp,z)
+mp_err mp_set_ulong(mp_int *mp, unsigned long z);
+
+/* Single digit arithmetic */
+mp_err mp_add_d(const mp_int *a, mp_digit d, mp_int *b);
+mp_err mp_sub_d(const mp_int *a, mp_digit d, mp_int *b);
+mp_err mp_mul_d(const mp_int *a, mp_digit d, mp_int *b);
+mp_err mp_mul_2(const mp_int *a, mp_int *c);
+mp_err mp_div_d(const mp_int *a, mp_digit d, mp_int *q, mp_digit *r);
+mp_err mp_div_2(const mp_int *a, mp_int *c);
+mp_err mp_expt_d(const mp_int *a, mp_digit d, mp_int *c);
+
+/* Sign manipulations      */
+mp_err mp_abs(const mp_int *a, mp_int *b);
+mp_err mp_neg(const mp_int *a, mp_int *b);
+
+/* Full arithmetic         */
+mp_err mp_add(const mp_int *a, const mp_int *b, mp_int *c);
+mp_err mp_sub(const mp_int *a, const mp_int *b, mp_int *c);
+mp_err mp_mul(const mp_int *a, const mp_int *b, mp_int *c);
+#if MP_SQUARE
+mp_err mp_sqr(const mp_int *a, mp_int *b);
+#else
+#define mp_sqr(a, b) mp_mul(a, a, b)
+#endif
+mp_err mp_div(const mp_int *a, const mp_int *b, mp_int *q, mp_int *r);
+mp_err mp_div_2d(const mp_int *a, mp_digit d, mp_int *q, mp_int *r);
+mp_err mp_expt(mp_int *a, mp_int *b, mp_int *c);
+mp_err mp_2expt(mp_int *a, mp_digit k);
+mp_err mp_sqrt(const mp_int *a, mp_int *b);
+
+/* Modular arithmetic      */
+#if MP_MODARITH
+mp_err mp_mod(const mp_int *a, const mp_int *m, mp_int *c);
+mp_err mp_mod_d(const mp_int *a, mp_digit d, mp_digit *c);
+mp_err mp_addmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
+mp_err mp_submod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
+mp_err mp_mulmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
+#if MP_SQUARE
+mp_err mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c);
+#else
+#define mp_sqrmod(a, m, c) mp_mulmod(a, a, m, c)
+#endif
+mp_err mp_exptmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
+mp_err mp_exptmod_d(const mp_int *a, mp_digit d, const mp_int *m, mp_int *c);
+#endif /* MP_MODARITH */
+
+/* Comparisons             */
+int    mp_cmp_z(const mp_int *a);
+int    mp_cmp_d(const mp_int *a, mp_digit d);
+int    mp_cmp(const mp_int *a, const mp_int *b);
+int    mp_cmp_mag(mp_int *a, mp_int *b);
+int    mp_cmp_int(const mp_int *a, long z);
+int    mp_isodd(const mp_int *a);
+int    mp_iseven(const mp_int *a);
+
+/* Number theoretic        */
+#if MP_NUMTH
+mp_err mp_gcd(mp_int *a, mp_int *b, mp_int *c);
+mp_err mp_lcm(mp_int *a, mp_int *b, mp_int *c);
+mp_err mp_xgcd(const mp_int *a, const mp_int *b, mp_int *g, mp_int *x, mp_int *y);
+mp_err mp_invmod(const mp_int *a, const mp_int *m, mp_int *c);
+mp_err mp_invmod_xgcd(const mp_int *a, const mp_int *m, mp_int *c);
+#endif /* end MP_NUMTH */
+
+/* Input and output        */
+#if MP_IOFUNC
+void   mp_print(mp_int *mp, FILE *ofp);
+#endif /* end MP_IOFUNC */
+
+/* Base conversion         */
+mp_err mp_read_raw(mp_int *mp, char *str, int len);
+int    mp_raw_size(mp_int *mp);
+mp_err mp_toraw(mp_int *mp, char *str);
+mp_err mp_read_radix(mp_int *mp, const char *str, int radix);
+mp_err mp_read_variable_radix(mp_int *a, const char * str, int default_radix);
+int    mp_radix_size(mp_int *mp, int radix);
+mp_err mp_toradix(mp_int *mp, char *str, int radix);
+int    mp_tovalue(char ch, int r);
+
+#define mp_tobinary(M, S)  mp_toradix((M), (S), 2)
+#define mp_tooctal(M, S)   mp_toradix((M), (S), 8)
+#define mp_todecimal(M, S) mp_toradix((M), (S), 10)
+#define mp_tohex(M, S)     mp_toradix((M), (S), 16)
+
+/* Error strings           */
+const  char  *mp_strerror(mp_err ec);
+
+/* Octet string conversion functions */
+mp_err mp_read_unsigned_octets(mp_int *mp, const unsigned char *str, mp_size len);
+int    mp_unsigned_octet_size(const mp_int *mp);
+mp_err mp_to_unsigned_octets(const mp_int *mp, unsigned char *str, mp_size maxlen);
+mp_err mp_to_signed_octets(const mp_int *mp, unsigned char *str, mp_size maxlen);
+mp_err mp_to_fixlen_octets(const mp_int *mp, unsigned char *str, mp_size len);
+
+/* Miscellaneous */
+mp_size mp_trailing_zeros(const mp_int *mp);
+
+#define MP_CHECKOK(x)  if (MP_OKAY > (res = (x))) goto CLEANUP
+#define MP_CHECKERR(x) if (MP_OKAY > (res = (x))) goto CLEANUP
+
+#if defined(MP_API_COMPATIBLE)
+#define NEG             MP_NEG
+#define ZPOS            MP_ZPOS
+#define DIGIT_MAX       MP_DIGIT_MAX
+#define DIGIT_BIT       MP_DIGIT_BIT
+#define DIGIT_FMT       MP_DIGIT_FMT
+#define RADIX           MP_RADIX
+#define MAX_RADIX       MP_MAX_RADIX
+#define SIGN(MP)        MP_SIGN(MP)
+#define USED(MP)        MP_USED(MP)
+#define ALLOC(MP)       MP_ALLOC(MP)
+#define DIGITS(MP)      MP_DIGITS(MP)
+#define DIGIT(MP,N)     MP_DIGIT(MP,N)
+
+#if MP_ARGCHK == 1
+#define  ARGCHK(X,Y)  {if(!(X)){return (Y);}}
+#elif MP_ARGCHK == 2
+#include <assert.h>
+#define  ARGCHK(X,Y)  assert(X)
+#else
+#define  ARGCHK(X,Y)  /*  */
+#endif
+#endif /* defined MP_API_COMPATIBLE */
+
+#endif /* end _H_MPI_ */
diff --git a/security/nss/lib/freebl/mpi/mpi_hp.c b/security/nss/lib/freebl/mpi/mpi_hp.c
new file mode 100644
index 000000000..e30630c19
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi_hp.c
@@ -0,0 +1,112 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.	Portions created by Netscape are 
+ * Copyright (C) 2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.	If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *  $Id$
+ */
+
+/* This file contains routines that perform vector multiplication.  */
+
+#include "mpi-priv.h"
+#include <unistd.h>
+
+#include <stddef.h>
+/* #include <sys/systeminfo.h> */
+#include <strings.h>
+
+extern void multacc512( 
+   int             length,        /* doublewords in multiplicand vector. */
+   const mp_digit *scalaraddr,    /* Address of scalar. */
+   const mp_digit *multiplicand,  /* The multiplicand vector. */
+   mp_digit *      result);       /* Where to accumulate the result. */
+
+extern void maxpy_little(
+   int             length,        /* doublewords in multiplicand vector. */
+   const mp_digit *scalaraddr,    /* Address of scalar. */
+   const mp_digit *multiplicand,  /* The multiplicand vector. */
+   mp_digit *      result);       /* Where to accumulate the result. */
+
+extern void add_diag_little(
+   int            length,       /* doublewords in input vector. */
+   const mp_digit *root,         /* The vector to square. */
+   mp_digit *      result);      /* Where to accumulate the result. */
+
+void 
+s_mpv_sqr_add_prop(const mp_digit *pa, mp_size a_len, mp_digit *ps)
+{
+    add_diag_little(a_len, pa, ps);
+}
+
+#define MAX_STACK_DIGITS 258
+#define MULTACC512_LEN   (512 / MP_DIGIT_BIT)
+#define HP_MPY_ADD_FN    (a_len == MULTACC512_LEN ? multacc512 : maxpy_little)
+
+/* c = a * b */
+void 
+s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+    mp_digit x[MAX_STACK_DIGITS];
+    mp_digit *px = x;
+    size_t   xSize = 0;
+
+    if (a == c) {
+	if (a_len > MAX_STACK_DIGITS) {
+	    xSize = sizeof(mp_digit) * (a_len + 2);
+	    px = malloc(xSize);
+	    if (!px)
+		return;
+	}
+	memcpy(px, a, a_len * sizeof(*a));
+	a = px;
+    }
+    s_mp_setz(c, a_len + 1);
+    HP_MPY_ADD_FN(a_len, &b, a, c);
+    if (px != x && px) {
+	memset(px, 0, xSize);
+	free(px);
+    }
+}
+
+/* c += a * b, where a is a_len words long. */
+void     
+s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+    c[a_len] = 0;	/* so carry propagation stops here. */
+    HP_MPY_ADD_FN(a_len, &b, a, c);
+}
+
+/* c += a * b, where a is y words long. */
+void     
+s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, 
+			 mp_digit *c)
+{
+    HP_MPY_ADD_FN(a_len, &b, a, c);
+}
+
diff --git a/security/nss/lib/freebl/mpi/mpi_i86pc.s b/security/nss/lib/freebl/mpi/mpi_i86pc.s
new file mode 100644
index 000000000..f6c167b1a
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi_i86pc.s
@@ -0,0 +1,342 @@
+ /
+ / The contents of this file are subject to the Mozilla Public
+ / License Version 1.1 (the "License"); you may not use this file
+ / except in compliance with the License. You may obtain a copy of
+ / the License at http://www.mozilla.org/MPL/
+ / 
+ / Software distributed under the License is distributed on an "AS
+ / IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ / implied. See the License for the specific language governing
+ / rights and limitations under the License.
+ / 
+ / The Original Code is the Netscape security libraries.
+ / 
+ / The Initial Developer of the Original Code is Netscape
+ / Communications Corporation.	Portions created by Netscape are 
+ / Copyright (C) 2001 Netscape Communications Corporation.  All
+ / Rights Reserved.
+ / 
+ / Contributor(s):
+ / 
+ / Alternatively, the contents of this file may be used under the
+ / terms of the GNU General Public License Version 2 or later (the
+ / "GPL"), in which case the provisions of the GPL are applicable 
+ / instead of those above. If you wish to allow use of your 
+ / version of this file only under the terms of the GPL and not to
+ / allow others to use your version of this file under the MPL,
+ / indicate your decision by deleting the provisions above and
+ / replace them with the notice and other provisions required by
+ / the GPL.  If you do not delete the provisions above, a recipient
+ / may use your version of this file under either the MPL or the
+ / GPL.
+ /  $Id$
+ /
+
+.text
+
+ /  ebp - 36:	caller's esi
+ /  ebp - 32:	caller's edi
+ /  ebp - 28:	
+ /  ebp - 24:	
+ /  ebp - 20:	
+ /  ebp - 16:	
+ /  ebp - 12:	
+ /  ebp - 8:	
+ /  ebp - 4:	
+ /  ebp + 0:	caller's ebp
+ /  ebp + 4:	return address
+ /  ebp + 8:	a	argument
+ /  ebp + 12:	a_len	argument
+ /  ebp + 16:	b	argument
+ /  ebp + 20:	c	argument
+ /  registers:
+ / 	eax:
+ /	ebx:	carry
+ /	ecx:	a_len
+ /	edx:
+ /	esi:	a ptr
+ /	edi:	c ptr
+.globl	s_mpv_mul_d
+.type	s_mpv_mul_d,@function
+s_mpv_mul_d:
+    push   %ebp
+    mov    %esp,%ebp
+    sub    $28,%esp
+    push   %edi
+    push   %esi
+    push   %ebx
+    movl   $0,%ebx		/ carry = 0
+    mov    12(%ebp),%ecx	/ ecx = a_len
+    mov    20(%ebp),%edi
+    cmp    $0,%ecx
+    je     L2			/ jmp if a_len == 0
+    mov    8(%ebp),%esi		/ esi = a
+    cld
+L1:
+    lodsl			/ eax = [ds:esi]; esi += 4
+    mov    16(%ebp),%edx	/ edx = b
+    mull   %edx			/ edx:eax = Phi:Plo = a_i * b
+
+    add    %ebx,%eax		/ add carry (%ebx) to edx:eax
+    adc    $0,%edx
+    mov    %edx,%ebx		/ high half of product becomes next carry
+
+    stosl			/ [es:edi] = ax; edi += 4;
+    dec    %ecx			/ --a_len
+    jnz    L1			/ jmp if a_len != 0
+L2:
+    mov    %ebx,0(%edi)		/ *c = carry
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+
+ /  ebp - 36:	caller's esi
+ /  ebp - 32:	caller's edi
+ /  ebp - 28:	
+ /  ebp - 24:	
+ /  ebp - 20:	
+ /  ebp - 16:	
+ /  ebp - 12:	
+ /  ebp - 8:	
+ /  ebp - 4:	
+ /  ebp + 0:	caller's ebp
+ /  ebp + 4:	return address
+ /  ebp + 8:	a	argument
+ /  ebp + 12:	a_len	argument
+ /  ebp + 16:	b	argument
+ /  ebp + 20:	c	argument
+ /  registers:
+ / 	eax:
+ /	ebx:	carry
+ /	ecx:	a_len
+ /	edx:
+ /	esi:	a ptr
+ /	edi:	c ptr
+.globl	s_mpv_mul_d_add
+.type	s_mpv_mul_d_add,@function
+s_mpv_mul_d_add:
+    push   %ebp
+    mov    %esp,%ebp
+    sub    $28,%esp
+    push   %edi
+    push   %esi
+    push   %ebx
+    movl   $0,%ebx		/ carry = 0
+    mov    12(%ebp),%ecx	/ ecx = a_len
+    mov    20(%ebp),%edi
+    cmp    $0,%ecx
+    je     L4			/ jmp if a_len == 0
+    mov    8(%ebp),%esi		/ esi = a
+    cld
+L3:
+    lodsl			/ eax = [ds:esi]; esi += 4
+    mov    16(%ebp),%edx	/ edx = b
+    mull   %edx			/ edx:eax = Phi:Plo = a_i * b
+
+    add    %ebx,%eax		/ add carry (%ebx) to edx:eax
+    adc    $0,%edx
+    mov    0(%edi),%ebx		/ add in current word from *c
+    add    %ebx,%eax		
+    adc    $0,%edx
+    mov    %edx,%ebx		/ high half of product becomes next carry
+
+    stosl			/ [es:edi] = ax; edi += 4;
+    dec    %ecx			/ --a_len
+    jnz    L3			/ jmp if a_len != 0
+L4:
+    mov    %ebx,0(%edi)		/ *c = carry
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+
+ /  ebp - 36:	caller's esi
+ /  ebp - 32:	caller's edi
+ /  ebp - 28:	
+ /  ebp - 24:	
+ /  ebp - 20:	
+ /  ebp - 16:	
+ /  ebp - 12:	
+ /  ebp - 8:	
+ /  ebp - 4:	
+ /  ebp + 0:	caller's ebp
+ /  ebp + 4:	return address
+ /  ebp + 8:	a	argument
+ /  ebp + 12:	a_len	argument
+ /  ebp + 16:	b	argument
+ /  ebp + 20:	c	argument
+ /  registers:
+ / 	eax:
+ /	ebx:	carry
+ /	ecx:	a_len
+ /	edx:
+ /	esi:	a ptr
+ /	edi:	c ptr
+.globl	s_mpv_mul_d_add_prop
+.type	s_mpv_mul_d_add_prop,@function
+s_mpv_mul_d_add_prop:
+    push   %ebp
+    mov    %esp,%ebp
+    sub    $28,%esp
+    push   %edi
+    push   %esi
+    push   %ebx
+    movl   $0,%ebx		/ carry = 0
+    mov    12(%ebp),%ecx	/ ecx = a_len
+    mov    20(%ebp),%edi
+    cmp    $0,%ecx
+    je     L6			/ jmp if a_len == 0
+    cld
+    mov    8(%ebp),%esi		/ esi = a
+L5:
+    lodsl			/ eax = [ds:esi]; esi += 4
+    mov    16(%ebp),%edx	/ edx = b
+    mull   %edx			/ edx:eax = Phi:Plo = a_i * b
+
+    add    %ebx,%eax		/ add carry (%ebx) to edx:eax
+    adc    $0,%edx
+    mov    0(%edi),%ebx		/ add in current word from *c
+    add    %ebx,%eax		
+    adc    $0,%edx
+    mov    %edx,%ebx		/ high half of product becomes next carry
+
+    stosl			/ [es:edi] = ax; edi += 4;
+    dec    %ecx			/ --a_len
+    jnz    L5			/ jmp if a_len != 0
+L6:
+    cmp    $0,%ebx		/ is carry zero?
+    jz     L8
+    mov    0(%edi),%eax		/ add in current word from *c
+    add	   %ebx,%eax
+    stosl			/ [es:edi] = ax; edi += 4;
+    jnc    L8
+L7:
+    mov    0(%edi),%eax		/ add in current word from *c
+    adc	   $0,%eax
+    stosl			/ [es:edi] = ax; edi += 4;
+    jc     L7
+L8:
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+
+ /  ebp - 20:	caller's esi
+ /  ebp - 16:	caller's edi
+ /  ebp - 12:	
+ /  ebp - 8:	carry
+ /  ebp - 4:	a_len	local
+ /  ebp + 0:	caller's ebp
+ /  ebp + 4:	return address
+ /  ebp + 8:	pa	argument
+ /  ebp + 12:	a_len	argument
+ /  ebp + 16:	ps	argument
+ /  ebp + 20:	
+ /  registers:
+ / 	eax:
+ /	ebx:	carry
+ /	ecx:	a_len
+ /	edx:
+ /	esi:	a ptr
+ /	edi:	c ptr
+
+.globl	s_mpv_sqr_add_prop
+.type	s_mpv_sqr_add_prop,@function
+s_mpv_sqr_add_prop:
+     push   %ebp
+     mov    %esp,%ebp
+     sub    $12,%esp
+     push   %edi
+     push   %esi
+     push   %ebx
+     movl   $0,%ebx		/ carry = 0
+     mov    12(%ebp),%ecx	/ a_len
+     mov    16(%ebp),%edi	/ edi = ps
+     cmp    $0,%ecx
+     je     L11			/ jump if a_len == 0
+     cld
+     mov    8(%ebp),%esi	/ esi = pa
+L10:
+     lodsl			/ %eax = [ds:si]; si += 4;
+     mull   %eax
+
+     add    %ebx,%eax		/ add "carry"
+     adc    $0,%edx
+     mov    0(%edi),%ebx
+     add    %ebx,%eax		/ add low word from result
+     mov    4(%edi),%ebx
+     stosl			/ [es:di] = %eax; di += 4;
+     adc    %ebx,%edx		/ add high word from result
+     movl   $0,%ebx
+     mov    %edx,%eax
+     adc    $0,%ebx
+     stosl			/ [es:di] = %eax; di += 4;
+     dec    %ecx		/ --a_len
+     jnz    L10			/ jmp if a_len != 0
+L11:
+    cmp    $0,%ebx		/ is carry zero?
+    jz     L14
+    mov    0(%edi),%eax		/ add in current word from *c
+    add	   %ebx,%eax
+    stosl			/ [es:edi] = ax; edi += 4;
+    jnc    L14
+L12:
+    mov    0(%edi),%eax		/ add in current word from *c
+    adc	   $0,%eax
+    stosl			/ [es:edi] = ax; edi += 4;
+    jc     L12
+L14:
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+
+ /
+ / Divide 64-bit (Nhi,Nlo) by 32-bit divisor, which must be normalized
+ / so its high bit is 1.   This code is from NSPR.
+ /
+ / mp_err s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo, mp_digit divisor,
+ / 		          mp_digit *qp, mp_digit *rp)
+
+ /  esp +  0:   Caller's ebx
+ /  esp +  4:	return address
+ /  esp +  8:	Nhi	argument
+ /  esp + 12:	Nlo	argument
+ /  esp + 16:	divisor	argument
+ /  esp + 20:	qp	argument
+ /  esp + 24:   rp	argument
+ /  registers:
+ / 	eax:
+ /	ebx:	carry
+ /	ecx:	a_len
+ /	edx:
+ /	esi:	a ptr
+ /	edi:	c ptr
+ / 
+
+.globl	s_mpv_div_2dx1d
+.type	s_mpv_div_2dx1d,@function
+s_mpv_div_2dx1d:
+       push   %ebx
+       mov    8(%esp),%edx
+       mov    12(%esp),%eax
+       mov    16(%esp),%ebx
+       div    %ebx
+       mov    20(%esp),%ebx
+       mov    %eax,0(%ebx)
+       mov    24(%esp),%ebx
+       mov    %edx,0(%ebx)
+       xor    %eax,%eax		/ return zero
+       pop    %ebx
+       ret    
+       nop
+  
diff --git a/security/nss/lib/freebl/mpi/mpi_mips.s b/security/nss/lib/freebl/mpi/mpi_mips.s
new file mode 100644
index 000000000..bb846ee57
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi_mips.s
@@ -0,0 +1,502 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.	Portions created by Netscape are 
+ * Copyright (C) 2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.	If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *  $Id$
+ */
+#include <regdef.h>
+        .set    noreorder
+        .set    noat
+
+        .section        .text, 1, 0x00000006, 4, 4
+.text:
+        .section        .text
+
+        .ent    s_mpv_mul_d_add
+        .globl  s_mpv_mul_d_add
+
+s_mpv_mul_d_add: 
+ #/* c += a * b */
+ #void s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, 
+ #			      mp_digit *c)
+ #{
+ #  mp_digit   a0, a1;	regs a4, a5
+ #  mp_digit   c0, c1;  regs a6, a7
+ #  mp_digit   cy = 0;  reg t2
+ #  mp_word    w0, w1;  regs t0, t1
+ #
+ #  if (a_len) {
+	beq	a1,zero,.L.1
+	move	t2,zero		# cy = 0
+	dsll32	a2,a2,0		# "b" is sometimes negative (?!?!)
+	dsrl32	a2,a2,0		# This clears the upper 32 bits.
+ #    a0 = a[0];
+	lwu	a4,0(a0)
+ #    w0 = ((mp_word)b * a0);
+	dmultu	a2,a4
+ #    if (--a_len) {
+	addiu	a1,a1,-1
+	beq	a1,zero,.L.2
+ #      while (a_len >= 2) {
+	sltiu	t3,a1,2
+	bne	t3,zero,.L.3
+ #	  a1     = a[1];
+	lwu	a5,4(a0)
+.L.4:
+ #	  a_len -= 2;
+        addiu	a1,a1,-2
+ #	  c0     = c[0];
+	lwu	a6,0(a3)
+ #	  w0    += cy;
+	mflo	t0
+	daddu	t0,t0,t2
+ #	  w0    += c0;
+	daddu	t0,t0,a6
+ #	  w1     = (mp_word)b * a1; 
+	dmultu	a2,a5			#
+ #	  cy     = CARRYOUT(w0);
+	dsrl32	t2,t0,0
+ #	  c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #	  a0     = a[2];
+	lwu	a4,8(a0)
+ #	  a     += 2;
+	addiu	a0,a0,8
+ #	  c1     = c[1];
+	lwu	a7,4(a3)
+ #	  w1    += cy;
+	mflo	t1
+	daddu	t1,t1,t2
+ #	  w1    += c1;
+	daddu	t1,t1,a7
+ #	  w0     = (mp_word)b * a0;
+	dmultu	a2,a4			#
+ #	  cy     = CARRYOUT(w1);
+	dsrl32	t2,t1,0
+ #	  c[1]   = ACCUM(w1);
+	sw	t1,4(a3)
+ #	  c     += 2;
+	addiu	a3,a3,8
+	sltiu	t3,a1,2
+	beq	t3,zero,.L.4
+ #	  a1     = a[1];
+	lwu	a5,4(a0)
+ #      }
+.L.3:
+ #      c0       = c[0];
+	lwu	a6,0(a3)
+ #      w0      += cy;
+ #      if (a_len) {
+	mflo	t0
+	beq	a1,zero,.L.5
+	daddu	t0,t0,t2
+ #	  w1     = (mp_word)b * a1; 
+	dmultu	a2,a5
+ #	  w0    += c0;
+	daddu	t0,t0,a6		#
+ #	  cy     = CARRYOUT(w0);
+	dsrl32	t2,t0,0
+ #	  c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #	  c1     = c[1];
+	lwu	a7,4(a3)
+ #	  w1    += cy;
+	mflo	t1
+	daddu	t1,t1,t2
+ #	  w1    += c1;
+	daddu	t1,t1,a7
+ #	  c[1]   = ACCUM(w1);
+	sw	t1,4(a3)
+ #	  cy     = CARRYOUT(w1);
+	dsrl32	t2,t1,0
+ #	  c     += 1;
+	b	.L.6
+	addiu	a3,a3,4
+ #      } else {
+.L.5:
+ #	  w0    += c0;
+	daddu	t0,t0,a6
+ #	  c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #	  cy     = CARRYOUT(w0);
+	b	.L.6
+	dsrl32	t2,t0,0
+ #      }
+ #    } else {
+.L.2:
+ #      c0     = c[0];
+	lwu	a6,0(a3)
+ #      w0    += c0;
+	mflo	t0
+	daddu	t0,t0,a6
+ #      c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #      cy     = CARRYOUT(w0);
+	dsrl32	t2,t0,0
+ #    }
+.L.6:
+ #    c[1] = cy;
+	jr	ra
+	sw	t2,4(a3)
+ #  }
+.L.1:
+	jr	ra
+	nop
+ #}
+ #
+        .end    s_mpv_mul_d_add
+
+        .ent    s_mpv_mul_d_add_prop
+        .globl  s_mpv_mul_d_add_prop
+
+s_mpv_mul_d_add_prop: 
+ #/* c += a * b */
+ #void s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, 
+ #			      mp_digit *c)
+ #{
+ #  mp_digit   a0, a1;	regs a4, a5
+ #  mp_digit   c0, c1;  regs a6, a7
+ #  mp_digit   cy = 0;  reg t2
+ #  mp_word    w0, w1;  regs t0, t1
+ #
+ #  if (a_len) {
+	beq	a1,zero,.M.1
+	move	t2,zero		# cy = 0
+	dsll32	a2,a2,0		# "b" is sometimes negative (?!?!)
+	dsrl32	a2,a2,0		# This clears the upper 32 bits.
+ #    a0 = a[0];
+	lwu	a4,0(a0)
+ #    w0 = ((mp_word)b * a0);
+	dmultu	a2,a4
+ #    if (--a_len) {
+	addiu	a1,a1,-1
+	beq	a1,zero,.M.2
+ #      while (a_len >= 2) {
+	sltiu	t3,a1,2
+	bne	t3,zero,.M.3
+ #	  a1     = a[1];
+	lwu	a5,4(a0)
+.M.4:
+ #	  a_len -= 2;
+        addiu	a1,a1,-2
+ #	  c0     = c[0];
+	lwu	a6,0(a3)
+ #	  w0    += cy;
+	mflo	t0
+	daddu	t0,t0,t2
+ #	  w0    += c0;
+	daddu	t0,t0,a6
+ #	  w1     = (mp_word)b * a1; 
+	dmultu	a2,a5			#
+ #	  cy     = CARRYOUT(w0);
+	dsrl32	t2,t0,0
+ #	  c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #	  a0     = a[2];
+	lwu	a4,8(a0)
+ #	  a     += 2;
+	addiu	a0,a0,8
+ #	  c1     = c[1];
+	lwu	a7,4(a3)
+ #	  w1    += cy;
+	mflo	t1
+	daddu	t1,t1,t2
+ #	  w1    += c1;
+	daddu	t1,t1,a7
+ #	  w0     = (mp_word)b * a0;
+	dmultu	a2,a4			#
+ #	  cy     = CARRYOUT(w1);
+	dsrl32	t2,t1,0
+ #	  c[1]   = ACCUM(w1);
+	sw	t1,4(a3)
+ #	  c     += 2;
+	addiu	a3,a3,8
+	sltiu	t3,a1,2
+	beq	t3,zero,.M.4
+ #	  a1     = a[1];
+	lwu	a5,4(a0)
+ #      }
+.M.3:
+ #      c0       = c[0];
+	lwu	a6,0(a3)
+ #      w0      += cy;
+ #      if (a_len) {
+	mflo	t0
+	beq	a1,zero,.M.5
+	daddu	t0,t0,t2
+ #	  w1     = (mp_word)b * a1; 
+	dmultu	a2,a5
+ #	  w0    += c0;
+	daddu	t0,t0,a6		#
+ #	  cy     = CARRYOUT(w0);
+	dsrl32	t2,t0,0
+ #	  c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #	  c1     = c[1];
+	lwu	a7,4(a3)
+ #	  w1    += cy;
+	mflo	t1
+	daddu	t1,t1,t2
+ #	  w1    += c1;
+	daddu	t1,t1,a7
+ #	  c[1]   = ACCUM(w1);
+	sw	t1,4(a3)
+ #	  cy     = CARRYOUT(w1);
+	dsrl32	t2,t1,0
+ #	  c     += 1;
+	b	.M.6
+	addiu	a3,a3,8
+ #      } else {
+.M.5:
+ #	  w0    += c0;
+	daddu	t0,t0,a6
+ #	  c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #	  cy     = CARRYOUT(w0);
+	dsrl32	t2,t0,0
+	b	.M.6
+	addiu	a3,a3,4
+ #      }
+ #    } else {
+.M.2:
+ #      c0     = c[0];
+	lwu	a6,0(a3)
+ #      w0    += c0;
+	mflo	t0
+	daddu	t0,t0,a6
+ #      c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #      cy     = CARRYOUT(w0);
+	dsrl32	t2,t0,0
+	addiu	a3,a3,4
+ #    }
+.M.6:
+
+ #    while (cy) {
+	beq	t2,zero,.M.1
+	nop
+.M.7:
+ #      mp_word w = (mp_word)*c + cy;
+	lwu	a6,0(a3)
+	daddu	t2,t2,a6
+ #      *c++ = ACCUM(w);
+	sw	t2,0(a3)
+ #      cy = CARRYOUT(w);
+	dsrl32	t2,t2,0
+	bne	t2,zero,.M.7
+	addiu	a3,a3,4
+
+ #  }
+.M.1:
+	jr	ra
+	nop
+ #}
+ #
+        .end    s_mpv_mul_d_add_prop
+
+        .ent    s_mpv_mul_d
+        .globl  s_mpv_mul_d
+
+s_mpv_mul_d: 
+ #/* c = a * b */
+ #void s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, 
+ #			      mp_digit *c)
+ #{
+ #  mp_digit   a0, a1;	regs a4, a5
+ #  mp_digit   cy = 0;  reg t2
+ #  mp_word    w0, w1;  regs t0, t1
+ #
+ #  if (a_len) {
+	beq	a1,zero,.N.1
+	move	t2,zero		# cy = 0
+	dsll32	a2,a2,0		# "b" is sometimes negative (?!?!)
+	dsrl32	a2,a2,0		# This clears the upper 32 bits.
+ #    a0 = a[0];
+	lwu	a4,0(a0)
+ #    w0 = ((mp_word)b * a0);
+	dmultu	a2,a4
+ #    if (--a_len) {
+	addiu	a1,a1,-1
+	beq	a1,zero,.N.2
+ #      while (a_len >= 2) {
+	sltiu	t3,a1,2
+	bne	t3,zero,.N.3
+ #	  a1     = a[1];
+	lwu	a5,4(a0)
+.N.4:
+ #	  a_len -= 2;
+        addiu	a1,a1,-2
+ #	  w0    += cy;
+	mflo	t0
+	daddu	t0,t0,t2
+ #	  cy     = CARRYOUT(w0);
+	dsrl32	t2,t0,0
+ #	  w1     = (mp_word)b * a1; 
+	dmultu	a2,a5	
+ #	  c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #	  a0     = a[2];
+	lwu	a4,8(a0)
+ #	  a     += 2;
+	addiu	a0,a0,8
+ #	  w1    += cy;
+	mflo	t1
+	daddu	t1,t1,t2
+ #	  cy     = CARRYOUT(w1);
+	dsrl32	t2,t1,0
+ #	  w0     = (mp_word)b * a0;
+	dmultu	a2,a4	
+ #	  c[1]   = ACCUM(w1);
+	sw	t1,4(a3)
+ #	  c     += 2;
+	addiu	a3,a3,8
+	sltiu	t3,a1,2
+	beq	t3,zero,.N.4
+ #	  a1     = a[1];
+	lwu	a5,4(a0)
+ #      }
+.N.3:
+ #      w0      += cy;
+ #      if (a_len) {
+	mflo	t0
+	beq	a1,zero,.N.5
+	daddu	t0,t0,t2
+ #	  w1     = (mp_word)b * a1; 
+	dmultu	a2,a5			#
+ #	  cy     = CARRYOUT(w0);
+	dsrl32	t2,t0,0
+ #	  c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #	  w1    += cy;
+	mflo	t1
+	daddu	t1,t1,t2
+ #	  c[1]   = ACCUM(w1);
+	sw	t1,4(a3)
+ #	  cy     = CARRYOUT(w1);
+	dsrl32	t2,t1,0
+ #	  c     += 1;
+	b	.N.6
+	addiu	a3,a3,4
+ #      } else {
+.N.5:
+ #	  c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #	  cy     = CARRYOUT(w0);
+	b	.N.6
+	dsrl32	t2,t0,0
+ #      }
+ #    } else {
+.N.2:
+	mflo	t0
+ #      c[0]   = ACCUM(w0);
+	sw	t0,0(a3)
+ #      cy     = CARRYOUT(w0);
+	dsrl32	t2,t0,0
+ #    }
+.N.6:
+ #    c[1] = cy;
+	jr	ra
+	sw	t2,4(a3)
+ #  }
+.N.1:
+	jr	ra
+	nop
+ #}
+ #
+        .end    s_mpv_mul_d
+
+
+        .ent    s_mpv_sqr_add_prop
+        .globl  s_mpv_sqr_add_prop
+ #void   s_mpv_sqr_add_prop(const mp_digit *a, mp_size a_len, mp_digit *sqrs);
+ #	registers
+ #	a0		*a
+ #	a1		a_len
+ #	a2		*sqr
+ #	a3		digit from *a, a_i
+ #	a4		square of digit from a
+ #	a5,a6		next 2 digits in sqr
+ #	a7,t0		carry 
+s_mpv_sqr_add_prop:
+	move	a7,zero
+	move	t0,zero
+	lwu	a3,0(a0)
+	addiu	a1,a1,-1	# --a_len
+	dmultu	a3,a3
+	beq	a1,zero,.P.3	# jump if we've already done the only sqr
+	addiu	a0,a0,4		# ++a
+.P.2:
+        lwu	a5,0(a2)
+        lwu	a6,4(a2)
+	addiu	a2,a2,8		# sqrs += 2;
+	dsll32	a6,a6,0
+	daddu	a5,a5,a6
+	lwu	a3,0(a0)
+	addiu	a0,a0,4		# ++a
+	mflo	a4
+	daddu	a6,a5,a4
+	sltu	a7,a6,a5	# a7 = a6 < a5	detect overflow
+	dmultu	a3,a3
+	daddu	a4,a6,t0
+	sltu	t0,a4,a6
+	add	t0,t0,a7
+	sw	a4,-8(a2)
+	addiu	a1,a1,-1	# --a_len
+	dsrl32	a4,a4,0
+	bne	a1,zero,.P.2	# loop if a_len > 0
+	sw	a4,-4(a2)
+.P.3:
+        lwu	a5,0(a2)
+        lwu	a6,4(a2)
+	addiu	a2,a2,8		# sqrs += 2;
+	dsll32	a6,a6,0
+	daddu	a5,a5,a6
+	mflo	a4
+	daddu	a6,a5,a4
+	sltu	a7,a6,a5	# a7 = a6 < a5	detect overflow
+	daddu	a4,a6,t0
+	sltu	t0,a4,a6
+	add	t0,t0,a7
+	sw	a4,-8(a2)
+	beq	t0,zero,.P.9	# jump if no carry
+	dsrl32	a4,a4,0
+.P.8:
+	sw	a4,-4(a2)
+	/* propagate final carry */
+	lwu	a5,0(a2)
+	daddu	a6,a5,t0
+	sltu	t0,a6,a5
+	bne	t0,zero,.P.8	# loop if carry persists
+	addiu	a2,a2,4		# sqrs++
+.P.9:
+	jr	ra
+	sw	a4,-4(a2)
+
+        .end    s_mpv_sqr_add_prop
diff --git a/security/nss/lib/freebl/mpi/mpi_sparc.c b/security/nss/lib/freebl/mpi/mpi_sparc.c
new file mode 100644
index 000000000..a7bf863fd
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi_sparc.c
@@ -0,0 +1,358 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.	Portions created by Netscape are 
+ * Copyright (C) 2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.	If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *  $Id$
+ */
+
+/* Multiplication performance enhancements for sparc v8+vis CPUs. */
+
+#include "mpi-priv.h"
+#include <stddef.h>
+#include <sys/systeminfo.h>
+#include <strings.h>
+
+/* In the functions below, */
+/* vector y must be 8-byte aligned, and n must be even */
+/* returns carry out of high order word of result */
+/* maximum n is 256 */
+
+/* vector x += vector y * scaler a; where y is of length n words. */
+extern mp_digit mul_add_inp(mp_digit *x, const mp_digit *y, int n, mp_digit a);
+
+/* vector z = vector x + vector y * scaler a; where y is of length n words. */
+extern mp_digit mul_add(mp_digit *z, const mp_digit *x, const mp_digit *y, 
+			int n, mp_digit a);
+
+/* v8 versions of these functions run on any Sparc v8 CPU. */
+
+/* This trick works on Sparc V8 CPUs with the Workshop compilers. */
+#define MP_MUL_DxD(a, b, Phi, Plo) \
+  { unsigned long long product = (unsigned long long)a * b; \
+    Plo = (mp_digit)product; \
+    Phi = (mp_digit)(product >> MP_DIGIT_BIT); }
+
+/* c = a * b */
+static void 
+v8_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+#if !defined(MP_NO_MP_WORD)
+  mp_digit   d = 0;
+
+  /* Inner product:  Digits of a */
+  while (a_len--) {
+    mp_word w = ((mp_word)b * *a++) + d;
+    *c++ = ACCUM(w);
+    d = CARRYOUT(w);
+  }
+  *c = d;
+#else
+  mp_digit carry = 0;
+  while (a_len--) {
+    mp_digit a_i = *a++;
+    mp_digit a0b0, a1b1;
+
+    MP_MUL_DxD(a_i, b, a1b1, a0b0);
+
+    a0b0 += carry;
+    if (a0b0 < carry)
+      ++a1b1;
+    *c++ = a0b0;
+    carry = a1b1;
+  }
+  *c = carry;
+#endif
+}
+
+/* c += a * b */
+static void 
+v8_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+#if !defined(MP_NO_MP_WORD)
+  mp_digit   d = 0;
+
+  /* Inner product:  Digits of a */
+  while (a_len--) {
+    mp_word w = ((mp_word)b * *a++) + *c + d;
+    *c++ = ACCUM(w);
+    d = CARRYOUT(w);
+  }
+  *c = d;
+#else
+  mp_digit carry = 0;
+  while (a_len--) {
+    mp_digit a_i = *a++;
+    mp_digit a0b0, a1b1;
+
+    MP_MUL_DxD(a_i, b, a1b1, a0b0);
+
+    a0b0 += carry;
+    if (a0b0 < carry)
+      ++a1b1;
+    a0b0 += a_i = *c;
+    if (a0b0 < a_i)
+      ++a1b1;
+    *c++ = a0b0;
+    carry = a1b1;
+  }
+  *c = carry;
+#endif
+}
+
+/* Presently, this is only used by the Montgomery arithmetic code. */
+/* c += a * b */
+static void 
+v8_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+#if !defined(MP_NO_MP_WORD)
+  mp_digit   d = 0;
+
+  /* Inner product:  Digits of a */
+  while (a_len--) {
+    mp_word w = ((mp_word)b * *a++) + *c + d;
+    *c++ = ACCUM(w);
+    d = CARRYOUT(w);
+  }
+
+  while (d) {
+    mp_word w = (mp_word)*c + d;
+    *c++ = ACCUM(w);
+    d = CARRYOUT(w);
+  }
+#else
+  mp_digit carry = 0;
+  while (a_len--) {
+    mp_digit a_i = *a++;
+    mp_digit a0b0, a1b1;
+
+    MP_MUL_DxD(a_i, b, a1b1, a0b0);
+
+    a0b0 += carry;
+    if (a0b0 < carry)
+      ++a1b1;
+
+    a0b0 += a_i = *c;
+    if (a0b0 < a_i)
+      ++a1b1;
+
+    *c++ = a0b0;
+    carry = a1b1;
+  }
+  while (carry) {
+    mp_digit c_i = *c;
+    carry += c_i;
+    *c++ = carry;
+    carry = carry < c_i;
+  }
+#endif
+}
+
+/* vis versions of these functions run only on v8+vis or v9+vis CPUs. */
+
+/* c = a * b */
+static void 
+vis_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+    mp_digit d;
+    mp_digit x[258];
+    if (a_len <= 256) {
+	if (a == c || ((ptrdiff_t)a & 0x7) != 0 || (a_len & 1) != 0) {
+	    mp_digit * px;
+	    px = (((ptrdiff_t)x & 0x7) != 0) ? x + 1 : x;
+	    memcpy(px, a, a_len * sizeof(*a));
+	    a = px;
+	    if (a_len & 1) {
+		px[a_len] = 0;
+	    }
+	}
+	s_mp_setz(c, a_len + 1);
+	d = mul_add_inp(c, a, a_len, b);
+	c[a_len] = d;
+    } else {
+	v8_mpv_mul_d(a, a_len, b, c);
+    }
+}
+
+/* c += a * b, where a is a_len words long. */
+static void     
+vis_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+    mp_digit d;
+    mp_digit x[258];
+    if (a_len <= 256) {
+	if (((ptrdiff_t)a & 0x7) != 0 || (a_len & 1) != 0) {
+	    mp_digit * px;
+	    px = (((ptrdiff_t)x & 0x7) != 0) ? x + 1 : x;
+	    memcpy(px, a, a_len * sizeof(*a));
+	    a = px;
+	    if (a_len & 1) {
+		px[a_len] = 0;
+	    }
+	}
+	d = mul_add_inp(c, a, a_len, b);
+	c[a_len] = d;
+    } else {
+	v8_mpv_mul_d_add(a, a_len, b, c);
+    }
+}
+
+/* c += a * b, where a is y words long. */
+static void     
+vis_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, 
+			 mp_digit *c)
+{
+    mp_digit d;
+    mp_digit x[258];
+    if (a_len <= 256) {
+	if (((ptrdiff_t)a & 0x7) != 0 || (a_len & 1) != 0) {
+	    mp_digit * px;
+	    px = (((ptrdiff_t)x & 0x7) != 0) ? x + 1 : x;
+	    memcpy(px, a, a_len * sizeof(*a));
+	    a = px;
+	    if (a_len & 1) {
+		px[a_len] = 0;
+	    }
+	}
+	d = mul_add_inp(c, a, a_len, b);
+	if (d) {
+	    c += a_len;
+	    do {
+		mp_digit sum = d + *c;
+		*c++ = sum;
+		d = sum < d;
+	    } while (d);
+	}
+    } else {
+	v8_mpv_mul_d_add_prop(a, a_len, b, c);
+    }
+}
+
+#if defined(SOLARIS2_5)
+static int
+isSparcV8PlusVis(void)
+{
+    long buflen;
+    int  rv             = 0;    /* false */
+    char buf[256];
+    buflen = sysinfo(SI_MACHINE, buf, sizeof buf);
+    if (buflen > 0) {
+        rv = (!strcmp(buf, "sun4u") || !strcmp(buf, "sun4u1"));
+    }
+    return rv;
+}
+#else   /* SunOS2.6or higher has SI_ISALIST */
+
+static int
+isSparcV8PlusVis(void)
+{
+    long buflen;
+    int  rv             = 0;    /* false */
+    char buf[256];
+    buflen = sysinfo(SI_ISALIST, buf, sizeof buf);
+    if (buflen > 0) {
+#if defined(MP_USE_LONG_DIGIT)
+        char * found = strstr(buf, "sparcv9+vis");
+#else
+        char * found = strstr(buf, "sparcv8plus+vis");
+#endif
+        rv = (found != 0);
+    }
+    return rv;
+}
+#endif
+
+typedef void MPVmpy(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c);
+
+/* forward static function declarations */
+static MPVmpy sp_mpv_mul_d;
+static MPVmpy sp_mpv_mul_d_add;
+static MPVmpy sp_mpv_mul_d_add_prop;
+
+static MPVmpy *p_mpv_mul_d		= &sp_mpv_mul_d;
+static MPVmpy *p_mpv_mul_d_add		= &sp_mpv_mul_d_add;
+static MPVmpy *p_mpv_mul_d_add_prop	= &sp_mpv_mul_d_add_prop;
+
+static void
+initPtrs(void)
+{
+    if (isSparcV8PlusVis()) {
+	p_mpv_mul_d = 		&vis_mpv_mul_d;
+	p_mpv_mul_d_add = 	&vis_mpv_mul_d_add;
+	p_mpv_mul_d_add_prop = 	&vis_mpv_mul_d_add_prop;
+    } else {
+	p_mpv_mul_d = 		&v8_mpv_mul_d;
+	p_mpv_mul_d_add = 	&v8_mpv_mul_d_add;
+	p_mpv_mul_d_add_prop = 	&v8_mpv_mul_d_add_prop;
+    }
+}
+
+static void 
+sp_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+    initPtrs();
+    (* p_mpv_mul_d)(a, a_len, b, c);
+}
+
+static void 
+sp_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+    initPtrs();
+    (* p_mpv_mul_d_add)(a, a_len, b, c);
+}
+
+static void 
+sp_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+    initPtrs();
+    (* p_mpv_mul_d_add_prop)(a, a_len, b, c);
+}
+
+
+/* This is the external interface */
+
+void 
+s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+    (* p_mpv_mul_d)(a, a_len, b, c);
+}
+
+void 
+s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+    (* p_mpv_mul_d_add)(a, a_len, b, c);
+}
+
+void 
+s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+{
+    (* p_mpv_mul_d_add_prop)(a, a_len, b, c);
+}
+
+
diff --git a/security/nss/lib/freebl/mpi/mpi_x86.asm b/security/nss/lib/freebl/mpi/mpi_x86.asm
new file mode 100644
index 000000000..ed2fc5e58
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi_x86.asm
@@ -0,0 +1,351 @@
+;
+;  mpi_x86.asm - assembly language implementation of s_mpv_ functions.
+; 
+;  The contents of this file are subject to the Mozilla Public
+;  License Version 1.1 (the "License"); you may not use this file
+;  except in compliance with the License. You may obtain a copy of
+;  the License at http://www.mozilla.org/MPL/
+;  
+;  Software distributed under the License is distributed on an "AS
+;  IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+;  implied. See the License for the specific language governing
+;  rights and limitations under the License.
+;  
+;  The Original Code is the Netscape security libraries.
+;  
+;  The Initial Developer of the Original Code is Netscape
+;  Communications Corporation.	Portions created by Netscape are 
+;  Copyright (C) 2000 Netscape Communications Corporation.  All
+;  Rights Reserved.
+;  
+;  Contributor(s):
+;  
+;  Alternatively, the contents of this file may be used under the
+;  terms of the GNU General Public License Version 2 or later (the
+;  "GPL"), in which case the provisions of the GPL are applicable 
+;  instead of those above.	If you wish to allow use of your 
+;  version of this file only under the terms of the GPL and not to
+;  allow others to use your version of this file under the MPL,
+;  indicate your decision by deleting the provisions above and
+;  replace them with the notice and other provisions required by
+;  the GPL.  If you do not delete the provisions above, a recipient
+;  may use your version of this file under either the MPL or the
+;  GPL.
+;   $Id$
+; 
+
+	.386p
+	.MODEL	FLAT
+	ASSUME  CS: FLAT, DS: FLAT, SS: FLAT
+_TEXT   SEGMENT
+
+;   ebp - 36:	caller's esi
+;   ebp - 32:	caller's edi
+;   ebp - 28:	
+;   ebp - 24:	
+;   ebp - 20:	
+;   ebp - 16:	
+;   ebp - 12:	
+;   ebp - 8:	
+;   ebp - 4:	
+;   ebp + 0:	caller's ebp
+;   ebp + 4:	return address
+;   ebp + 8:	a	argument
+;   ebp + 12:	a_len	argument
+;   ebp + 16:	b	argument
+;   ebp + 20:	c	argument
+;   registers:
+;  	eax:
+; 	ebx:	carry
+; 	ecx:	a_len
+; 	edx:
+; 	esi:	a ptr
+; 	edi:	c ptr
+
+public	_s_mpv_mul_d
+_s_mpv_mul_d PROC NEAR
+    push   ebp
+    mov    ebp,esp
+    sub    esp,28
+    push   edi
+    push   esi
+    push   ebx
+    mov    ebx,0		; carry = 0
+    mov    ecx,[ebp+12]		; ecx = a_len
+    mov    edi,[ebp+20]
+    cmp    ecx,0
+    je     L_2			; jmp if a_len == 0
+    mov    esi,[ebp+8]		; esi = a
+    cld
+L_1:
+    lodsd			; eax = [ds:esi]; esi += 4
+    mov    edx,[ebp+16]		; edx = b
+    mul    edx			; edx:eax = Phi:Plo = a_i * b
+
+    add    eax,ebx		; add carry (ebx) to edx:eax
+    adc    edx,0
+    mov    ebx,edx		; high half of product becomes next carry
+
+    stosd			; [es:edi] = ax; edi += 4;
+    dec    ecx			; --a_len
+    jnz    L_1			; jmp if a_len != 0
+L_2:
+    mov    [edi],ebx		; *c = carry
+    pop    ebx
+    pop    esi
+    pop    edi
+    leave  
+    ret    
+    nop
+_s_mpv_mul_d ENDP
+
+;   ebp - 36:	caller's esi
+;   ebp - 32:	caller's edi
+;   ebp - 28:	
+;   ebp - 24:	
+;   ebp - 20:	
+;   ebp - 16:	
+;   ebp - 12:	
+;   ebp - 8:	
+;   ebp - 4:	
+;   ebp + 0:	caller's ebp
+;   ebp + 4:	return address
+;   ebp + 8:	a	argument
+;   ebp + 12:	a_len	argument
+;   ebp + 16:	b	argument
+;   ebp + 20:	c	argument
+;   registers:
+;  	eax:
+; 	ebx:	carry
+; 	ecx:	a_len
+; 	edx:
+; 	esi:	a ptr
+; 	edi:	c ptr
+public	_s_mpv_mul_d_add
+_s_mpv_mul_d_add PROC NEAR
+    push   ebp
+    mov    ebp,esp
+    sub    esp,28
+    push   edi
+    push   esi
+    push   ebx
+    mov    ebx,0		; carry = 0
+    mov    ecx,[ebp+12]		; ecx = a_len
+    mov    edi,[ebp+20]
+    cmp    ecx,0
+    je     L_4			; jmp if a_len == 0
+    mov    esi,[ebp+8]		; esi = a
+    cld
+L_3:
+    lodsd			; eax = [ds:esi]; esi += 4
+    mov    edx,[ebp+16]		; edx = b
+    mul    edx			; edx:eax = Phi:Plo = a_i * b
+
+    add    eax,ebx		; add carry (ebx) to edx:eax
+    adc    edx,0
+    mov    ebx,[edi]		; add in current word from *c
+    add    eax,ebx		
+    adc    edx,0
+    mov    ebx,edx		; high half of product becomes next carry
+
+    stosd			; [es:edi] = ax; edi += 4;
+    dec    ecx			; --a_len
+    jnz    L_3			; jmp if a_len != 0
+L_4:
+    mov    [edi],ebx		; *c = carry
+    pop    ebx
+    pop    esi
+    pop    edi
+    leave  
+    ret    
+    nop
+_s_mpv_mul_d_add ENDP
+
+;   ebp - 36:	caller's esi
+;   ebp - 32:	caller's edi
+;   ebp - 28:	
+;   ebp - 24:	
+;   ebp - 20:	
+;   ebp - 16:	
+;   ebp - 12:	
+;   ebp - 8:	
+;   ebp - 4:	
+;   ebp + 0:	caller's ebp
+;   ebp + 4:	return address
+;   ebp + 8:	a	argument
+;   ebp + 12:	a_len	argument
+;   ebp + 16:	b	argument
+;   ebp + 20:	c	argument
+;   registers:
+;  	eax:
+; 	ebx:	carry
+; 	ecx:	a_len
+; 	edx:
+; 	esi:	a ptr
+; 	edi:	c ptr
+public	_s_mpv_mul_d_add_prop
+_s_mpv_mul_d_add_prop PROC NEAR
+    push   ebp
+    mov    ebp,esp
+    sub    esp,28
+    push   edi
+    push   esi
+    push   ebx
+    mov    ebx,0		; carry = 0
+    mov    ecx,[ebp+12]		; ecx = a_len
+    mov    edi,[ebp+20]
+    cmp    ecx,0
+    je     L_6			; jmp if a_len == 0
+    cld
+    mov    esi,[ebp+8]		; esi = a
+L_5:
+    lodsd			; eax = [ds:esi]; esi += 4
+    mov    edx,[ebp+16]		; edx = b
+    mul    edx			; edx:eax = Phi:Plo = a_i * b
+
+    add    eax,ebx		; add carry (ebx) to edx:eax
+    adc    edx,0
+    mov    ebx,[edi]		; add in current word from *c
+    add    eax,ebx		
+    adc    edx,0
+    mov    ebx,edx		; high half of product becomes next carry
+
+    stosd			; [es:edi] = ax; edi += 4;
+    dec    ecx			; --a_len
+    jnz    L_5			; jmp if a_len != 0
+L_6:
+    cmp    ebx,0		; is carry zero?
+    jz     L_8
+    mov    eax,[edi]		; add in current word from *c
+    add    eax,ebx
+    stosd			; [es:edi] = ax; edi += 4;
+    jnc    L_8
+L_7:
+    mov    eax,[edi]		; add in current word from *c
+    adc    eax,0
+    stosd			; [es:edi] = ax; edi += 4;
+    jc     L_7
+L_8:
+    pop    ebx
+    pop    esi
+    pop    edi
+    leave  
+    ret    
+    nop
+_s_mpv_mul_d_add_prop ENDP
+
+;   ebp - 20:	caller's esi
+;   ebp - 16:	caller's edi
+;   ebp - 12:	
+;   ebp - 8:	carry
+;   ebp - 4:	a_len	local
+;   ebp + 0:	caller's ebp
+;   ebp + 4:	return address
+;   ebp + 8:	pa	argument
+;   ebp + 12:	a_len	argument
+;   ebp + 16:	ps	argument
+;   ebp + 20:	
+;   registers:
+;  	eax:
+; 	ebx:	carry
+; 	ecx:	a_len
+; 	edx:
+; 	esi:	a ptr
+; 	edi:	c ptr
+
+public	_s_mpv_sqr_add_prop
+_s_mpv_sqr_add_prop PROC NEAR
+     push   ebp
+     mov    ebp,esp
+     sub    esp,12
+     push   edi
+     push   esi
+     push   ebx
+     mov    ebx,0		; carry = 0
+     mov    ecx,[ebp+12]	; a_len
+     mov    edi,[ebp+16]	; edi = ps
+     cmp    ecx,0
+     je     L_11		; jump if a_len == 0
+     cld
+     mov    esi,[ebp+8]		; esi = pa
+L_10:
+     lodsd			; eax = [ds:si]; si += 4;
+     mul    eax
+
+     add    eax,ebx		; add "carry"
+     adc    edx,0
+     mov    ebx,[edi]
+     add    eax,ebx		; add low word from result
+     mov    ebx,[edi+4]
+     stosd			; [es:di] = eax; di += 4;
+     adc    edx,ebx		; add high word from result
+     mov    ebx,0
+     mov    eax,edx
+     adc    ebx,0
+     stosd			; [es:di] = eax; di += 4;
+     dec    ecx			; --a_len
+     jnz    L_10		; jmp if a_len != 0
+L_11:
+    cmp    ebx,0		; is carry zero?
+    jz     L_14
+    mov    eax,[edi]		; add in current word from *c
+    add    eax,ebx
+    stosd			; [es:edi] = ax; edi += 4;
+    jnc    L_14
+L_12:
+    mov    eax,[edi]		; add in current word from *c
+    adc    eax,0
+    stosd			; [es:edi] = ax; edi += 4;
+    jc     L_12
+L_14:
+    pop    ebx
+    pop    esi
+    pop    edi
+    leave  
+    ret    
+    nop
+_s_mpv_sqr_add_prop ENDP
+
+; 
+;  Divide 64-bit (Nhi,Nlo) by 32-bit divisor, which must be normalized
+;  so its high bit is 1.   This code is from NSPR.
+; 
+;  mp_err s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo, mp_digit divisor,
+;  		          mp_digit *qp, mp_digit *rp)
+
+;  Dump of assembler code for function s_mpv_div_2dx1d:
+;  
+;   esp +  0:   Caller's ebx
+;   esp +  4:	return address
+;   esp +  8:	Nhi	argument
+;   esp + 12:	Nlo	argument
+;   esp + 16:	divisor	argument
+;   esp + 20:	qp	argument
+;   esp + 24:   rp	argument
+;   registers:
+;  	eax:
+; 	ebx:	carry
+; 	ecx:	a_len
+; 	edx:
+; 	esi:	a ptr
+; 	edi:	c ptr
+;  
+public	_s_mpv_div_2dx1d
+_s_mpv_div_2dx1d PROC NEAR
+       push   ebx
+       mov    edx,[esp+8]
+       mov    eax,[esp+12]
+       mov    ebx,[esp+16]
+       div    ebx
+       mov    ebx,[esp+20]
+       mov    [ebx],eax
+       mov    ebx,[esp+24]
+       mov    [ebx],edx
+       xor    eax,eax		; return zero
+       pop    ebx
+       ret    
+       nop
+_s_mpv_div_2dx1d ENDP
+
+_TEXT	ENDS
+END
diff --git a/security/nss/lib/freebl/mpi/mpi_x86.s b/security/nss/lib/freebl/mpi/mpi_x86.s
new file mode 100644
index 000000000..427b7e61e
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpi_x86.s
@@ -0,0 +1,342 @@
+ #
+ # The contents of this file are subject to the Mozilla Public
+ # License Version 1.1 (the "License"); you may not use this file
+ # except in compliance with the License. You may obtain a copy of
+ # the License at http://www.mozilla.org/MPL/
+ # 
+ # Software distributed under the License is distributed on an "AS
+ # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ # implied. See the License for the specific language governing
+ # rights and limitations under the License.
+ # 
+ # The Original Code is the Netscape security libraries.
+ # 
+ # The Initial Developer of the Original Code is Netscape
+ # Communications Corporation.	Portions created by Netscape are 
+ # Copyright (C) 2000 Netscape Communications Corporation.  All
+ # Rights Reserved.
+ # 
+ # Contributor(s):
+ # 
+ # Alternatively, the contents of this file may be used under the
+ # terms of the GNU General Public License Version 2 or later (the
+ # "GPL"), in which case the provisions of the GPL are applicable 
+ # instead of those above.	If you wish to allow use of your 
+ # version of this file only under the terms of the GPL and not to
+ # allow others to use your version of this file under the MPL,
+ # indicate your decision by deleting the provisions above and
+ # replace them with the notice and other provisions required by
+ # the GPL.  If you do not delete the provisions above, a recipient
+ # may use your version of this file under either the MPL or the
+ # GPL.
+ #  $Id$
+ #
+
+.text
+
+ #  ebp - 36:	caller's esi
+ #  ebp - 32:	caller's edi
+ #  ebp - 28:	
+ #  ebp - 24:	
+ #  ebp - 20:	
+ #  ebp - 16:	
+ #  ebp - 12:	
+ #  ebp - 8:	
+ #  ebp - 4:	
+ #  ebp + 0:	caller's ebp
+ #  ebp + 4:	return address
+ #  ebp + 8:	a	argument
+ #  ebp + 12:	a_len	argument
+ #  ebp + 16:	b	argument
+ #  ebp + 20:	c	argument
+ #  registers:
+ # 	eax:
+ #	ebx:	carry
+ #	ecx:	a_len
+ #	edx:
+ #	esi:	a ptr
+ #	edi:	c ptr
+.globl	s_mpv_mul_d
+.type	s_mpv_mul_d,@function
+s_mpv_mul_d:
+    push   %ebp
+    mov    %esp,%ebp
+    sub    $28,%esp
+    push   %edi
+    push   %esi
+    push   %ebx
+    movl   $0,%ebx		# carry = 0
+    mov    12(%ebp),%ecx	# ecx = a_len
+    mov    20(%ebp),%edi
+    cmp    $0,%ecx
+    je     2f			# jmp if a_len == 0
+    mov    8(%ebp),%esi		# esi = a
+    cld
+1:
+    lodsl			# eax = [ds:esi]; esi += 4
+    mov    16(%ebp),%edx	# edx = b
+    mull   %edx			# edx:eax = Phi:Plo = a_i * b
+
+    add    %ebx,%eax		# add carry (%ebx) to edx:eax
+    adc    $0,%edx
+    mov    %edx,%ebx		# high half of product becomes next carry
+
+    stosl			# [es:edi] = ax; edi += 4;
+    dec    %ecx			# --a_len
+    jnz    1b			# jmp if a_len != 0
+2:
+    mov    %ebx,0(%edi)		# *c = carry
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+
+ #  ebp - 36:	caller's esi
+ #  ebp - 32:	caller's edi
+ #  ebp - 28:	
+ #  ebp - 24:	
+ #  ebp - 20:	
+ #  ebp - 16:	
+ #  ebp - 12:	
+ #  ebp - 8:	
+ #  ebp - 4:	
+ #  ebp + 0:	caller's ebp
+ #  ebp + 4:	return address
+ #  ebp + 8:	a	argument
+ #  ebp + 12:	a_len	argument
+ #  ebp + 16:	b	argument
+ #  ebp + 20:	c	argument
+ #  registers:
+ # 	eax:
+ #	ebx:	carry
+ #	ecx:	a_len
+ #	edx:
+ #	esi:	a ptr
+ #	edi:	c ptr
+.globl	s_mpv_mul_d_add
+.type	s_mpv_mul_d_add,@function
+s_mpv_mul_d_add:
+    push   %ebp
+    mov    %esp,%ebp
+    sub    $28,%esp
+    push   %edi
+    push   %esi
+    push   %ebx
+    movl   $0,%ebx		# carry = 0
+    mov    12(%ebp),%ecx	# ecx = a_len
+    mov    20(%ebp),%edi
+    cmp    $0,%ecx
+    je     4f			# jmp if a_len == 0
+    mov    8(%ebp),%esi		# esi = a
+    cld
+3:
+    lodsl			# eax = [ds:esi]; esi += 4
+    mov    16(%ebp),%edx	# edx = b
+    mull   %edx			# edx:eax = Phi:Plo = a_i * b
+
+    add    %ebx,%eax		# add carry (%ebx) to edx:eax
+    adc    $0,%edx
+    mov    0(%edi),%ebx		# add in current word from *c
+    add    %ebx,%eax		
+    adc    $0,%edx
+    mov    %edx,%ebx		# high half of product becomes next carry
+
+    stosl			# [es:edi] = ax; edi += 4;
+    dec    %ecx			# --a_len
+    jnz    3b			# jmp if a_len != 0
+4:
+    mov    %ebx,0(%edi)		# *c = carry
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+
+ #  ebp - 36:	caller's esi
+ #  ebp - 32:	caller's edi
+ #  ebp - 28:	
+ #  ebp - 24:	
+ #  ebp - 20:	
+ #  ebp - 16:	
+ #  ebp - 12:	
+ #  ebp - 8:	
+ #  ebp - 4:	
+ #  ebp + 0:	caller's ebp
+ #  ebp + 4:	return address
+ #  ebp + 8:	a	argument
+ #  ebp + 12:	a_len	argument
+ #  ebp + 16:	b	argument
+ #  ebp + 20:	c	argument
+ #  registers:
+ # 	eax:
+ #	ebx:	carry
+ #	ecx:	a_len
+ #	edx:
+ #	esi:	a ptr
+ #	edi:	c ptr
+.globl	s_mpv_mul_d_add_prop
+.type	s_mpv_mul_d_add_prop,@function
+s_mpv_mul_d_add_prop:
+    push   %ebp
+    mov    %esp,%ebp
+    sub    $28,%esp
+    push   %edi
+    push   %esi
+    push   %ebx
+    movl   $0,%ebx		# carry = 0
+    mov    12(%ebp),%ecx	# ecx = a_len
+    mov    20(%ebp),%edi
+    cmp    $0,%ecx
+    je     6f			# jmp if a_len == 0
+    cld
+    mov    8(%ebp),%esi		# esi = a
+5:
+    lodsl			# eax = [ds:esi]; esi += 4
+    mov    16(%ebp),%edx	# edx = b
+    mull   %edx			# edx:eax = Phi:Plo = a_i * b
+
+    add    %ebx,%eax		# add carry (%ebx) to edx:eax
+    adc    $0,%edx
+    mov    0(%edi),%ebx		# add in current word from *c
+    add    %ebx,%eax		
+    adc    $0,%edx
+    mov    %edx,%ebx		# high half of product becomes next carry
+
+    stosl			# [es:edi] = ax; edi += 4;
+    dec    %ecx			# --a_len
+    jnz    5b			# jmp if a_len != 0
+6:
+    cmp    $0,%ebx		# is carry zero?
+    jz     8f
+    mov    0(%edi),%eax		# add in current word from *c
+    add	   %ebx,%eax
+    stosl			# [es:edi] = ax; edi += 4;
+    jnc    8f
+7:
+    mov    0(%edi),%eax		# add in current word from *c
+    adc	   $0,%eax
+    stosl			# [es:edi] = ax; edi += 4;
+    jc     7b
+8:
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+
+ #  ebp - 20:	caller's esi
+ #  ebp - 16:	caller's edi
+ #  ebp - 12:	
+ #  ebp - 8:	carry
+ #  ebp - 4:	a_len	local
+ #  ebp + 0:	caller's ebp
+ #  ebp + 4:	return address
+ #  ebp + 8:	pa	argument
+ #  ebp + 12:	a_len	argument
+ #  ebp + 16:	ps	argument
+ #  ebp + 20:	
+ #  registers:
+ # 	eax:
+ #	ebx:	carry
+ #	ecx:	a_len
+ #	edx:
+ #	esi:	a ptr
+ #	edi:	c ptr
+
+.globl	s_mpv_sqr_add_prop
+.type	s_mpv_sqr_add_prop,@function
+s_mpv_sqr_add_prop:
+     push   %ebp
+     mov    %esp,%ebp
+     sub    $12,%esp
+     push   %edi
+     push   %esi
+     push   %ebx
+     movl   $0,%ebx		# carry = 0
+     mov    12(%ebp),%ecx	# a_len
+     mov    16(%ebp),%edi	# edi = ps
+     cmp    $0,%ecx
+     je     11f			# jump if a_len == 0
+     cld
+     mov    8(%ebp),%esi	# esi = pa
+10:
+     lodsl			# %eax = [ds:si]; si += 4;
+     mull   %eax
+
+     add    %ebx,%eax		# add "carry"
+     adc    $0,%edx
+     mov    0(%edi),%ebx
+     add    %ebx,%eax		# add low word from result
+     mov    4(%edi),%ebx
+     stosl			# [es:di] = %eax; di += 4;
+     adc    %ebx,%edx		# add high word from result
+     movl   $0,%ebx
+     mov    %edx,%eax
+     adc    $0,%ebx
+     stosl			# [es:di] = %eax; di += 4;
+     dec    %ecx		# --a_len
+     jnz    10b			# jmp if a_len != 0
+11:
+    cmp    $0,%ebx		# is carry zero?
+    jz     14f
+    mov    0(%edi),%eax		# add in current word from *c
+    add	   %ebx,%eax
+    stosl			# [es:edi] = ax; edi += 4;
+    jnc    14f
+12:
+    mov    0(%edi),%eax		# add in current word from *c
+    adc	   $0,%eax
+    stosl			# [es:edi] = ax; edi += 4;
+    jc     12b
+14:
+    pop    %ebx
+    pop    %esi
+    pop    %edi
+    leave  
+    ret    
+    nop
+
+ #
+ # Divide 64-bit (Nhi,Nlo) by 32-bit divisor, which must be normalized
+ # so its high bit is 1.   This code is from NSPR.
+ #
+ # mp_err s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo, mp_digit divisor,
+ # 		          mp_digit *qp, mp_digit *rp)
+
+ #  esp +  0:   Caller's ebx
+ #  esp +  4:	return address
+ #  esp +  8:	Nhi	argument
+ #  esp + 12:	Nlo	argument
+ #  esp + 16:	divisor	argument
+ #  esp + 20:	qp	argument
+ #  esp + 24:   rp	argument
+ #  registers:
+ # 	eax:
+ #	ebx:	carry
+ #	ecx:	a_len
+ #	edx:
+ #	esi:	a ptr
+ #	edi:	c ptr
+ # 
+
+.globl	s_mpv_div_2dx1d
+.type	s_mpv_div_2dx1d,@function
+s_mpv_div_2dx1d:
+       push   %ebx
+       mov    8(%esp),%edx
+       mov    12(%esp),%eax
+       mov    16(%esp),%ebx
+       div    %ebx
+       mov    20(%esp),%ebx
+       mov    %eax,0(%ebx)
+       mov    24(%esp),%ebx
+       mov    %edx,0(%ebx)
+       xor    %eax,%eax		# return zero
+       pop    %ebx
+       ret    
+       nop
+  
diff --git a/security/nss/lib/freebl/mpi/mplogic.c b/security/nss/lib/freebl/mpi/mplogic.c
new file mode 100644
index 000000000..e1b6e5048
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mplogic.c
@@ -0,0 +1,459 @@
+/*
+ *  mplogic.c
+ *
+ *  Bitwise logical operations on MPI values
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include "mpi-priv.h"
+#include "mplogic.h"
+
+/* {{{ Lookup table for population count */
+
+static unsigned char bitc[] = {
+   0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4, 
+   1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, 
+   1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, 
+   2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
+   1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, 
+   2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
+   2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
+   3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 
+   1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, 
+   2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
+   2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
+   3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 
+   2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 
+   3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 
+   3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 
+   4, 5, 5, 6, 5, 6, 6, 7, 5, 6, 6, 7, 6, 7, 7, 8
+};
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/*
+  mpl_not(a, b)    - compute b = ~a
+  mpl_and(a, b, c) - compute c = a & b
+  mpl_or(a, b, c)  - compute c = a | b
+  mpl_xor(a, b, c) - compute c = a ^ b
+ */
+
+/* {{{ mpl_not(a, b) */
+
+mp_err mpl_not(mp_int *a, mp_int *b)
+{
+  mp_err   res;
+  int      ix;
+
+  ARGCHK(a != NULL && b != NULL, MP_BADARG);
+
+  if((res = mp_copy(a, b)) != MP_OKAY)
+    return res;
+
+  /* This relies on the fact that the digit type is unsigned */
+  for(ix = 0; ix < USED(b); ix++) 
+    DIGIT(b, ix) = ~DIGIT(b, ix);
+
+  s_mp_clamp(b);
+
+  return MP_OKAY;
+
+} /* end mpl_not() */
+
+/* }}} */
+
+/* {{{ mpl_and(a, b, c) */
+
+mp_err mpl_and(mp_int *a, mp_int *b, mp_int *c)
+{
+  mp_int  *which, *other;
+  mp_err   res;
+  int      ix;
+
+  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+  if(USED(a) <= USED(b)) {
+    which = a;
+    other = b;
+  } else {
+    which = b;
+    other = a;
+  }
+
+  if((res = mp_copy(which, c)) != MP_OKAY)
+    return res;
+
+  for(ix = 0; ix < USED(which); ix++)
+    DIGIT(c, ix) &= DIGIT(other, ix);
+
+  s_mp_clamp(c);
+
+  return MP_OKAY;
+
+} /* end mpl_and() */
+
+/* }}} */
+
+/* {{{ mpl_or(a, b, c) */
+
+mp_err mpl_or(mp_int *a, mp_int *b, mp_int *c)
+{
+  mp_int  *which, *other;
+  mp_err   res;
+  int      ix;
+
+  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+  if(USED(a) >= USED(b)) {
+    which = a;
+    other = b;
+  } else {
+    which = b;
+    other = a;
+  }
+
+  if((res = mp_copy(which, c)) != MP_OKAY)
+    return res;
+
+  for(ix = 0; ix < USED(which); ix++)
+    DIGIT(c, ix) |= DIGIT(other, ix);
+
+  return MP_OKAY;
+
+} /* end mpl_or() */
+
+/* }}} */
+
+/* {{{ mpl_xor(a, b, c) */
+
+mp_err mpl_xor(mp_int *a, mp_int *b, mp_int *c)
+{
+  mp_int  *which, *other;
+  mp_err   res;
+  int      ix;
+
+  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+  if(USED(a) >= USED(b)) {
+    which = a;
+    other = b;
+  } else {
+    which = b;
+    other = a;
+  }
+
+  if((res = mp_copy(which, c)) != MP_OKAY)
+    return res;
+
+  for(ix = 0; ix < USED(which); ix++)
+    DIGIT(c, ix) ^= DIGIT(other, ix);
+
+  s_mp_clamp(c);
+
+  return MP_OKAY;
+
+} /* end mpl_xor() */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/*
+  mpl_rsh(a, b, d)     - b = a >> d
+  mpl_lsh(a, b, d)     - b = a << d
+ */
+
+/* {{{ mpl_rsh(a, b, d) */
+
+mp_err mpl_rsh(const mp_int *a, mp_int *b, mp_digit d)
+{
+  mp_err   res;
+
+  ARGCHK(a != NULL && b != NULL, MP_BADARG);
+
+  if((res = mp_copy(a, b)) != MP_OKAY)
+    return res;
+
+  s_mp_div_2d(b, d);
+
+  return MP_OKAY;
+
+} /* end mpl_rsh() */
+
+/* }}} */
+
+/* {{{ mpl_lsh(a, b, d) */
+
+mp_err mpl_lsh(const mp_int *a, mp_int *b, mp_digit d)
+{
+  mp_err   res;
+
+  ARGCHK(a != NULL && b != NULL, MP_BADARG);
+
+  if((res = mp_copy(a, b)) != MP_OKAY)
+    return res;
+
+  return s_mp_mul_2d(b, d);
+
+} /* end mpl_lsh() */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/*
+  mpl_num_set(a, num)
+
+  Count the number of set bits in the binary representation of a.
+  Returns MP_OKAY and sets 'num' to be the number of such bits, if
+  possible.  If num is NULL, the result is thrown away, but it is
+  not considered an error.
+
+  mpl_num_clear() does basically the same thing for clear bits.
+ */
+
+/* {{{ mpl_num_set(a, num) */
+
+mp_err mpl_num_set(mp_int *a, int *num)
+{
+  int            ix, db, nset = 0;
+  mp_digit       cur;
+  unsigned char  reg;
+
+  ARGCHK(a != NULL, MP_BADARG);
+
+  for(ix = 0; ix < USED(a); ix++) {
+    cur = DIGIT(a, ix);
+    
+    for(db = 0; db < sizeof(mp_digit); db++) {
+      reg = (unsigned char)(cur >> (CHAR_BIT * db));
+
+      nset += bitc[reg];
+    }
+  }
+
+  if(num)
+    *num = nset;
+
+  return MP_OKAY;
+
+} /* end mpl_num_set() */
+
+/* }}} */
+
+/* {{{ mpl_num_clear(a, num) */
+
+mp_err mpl_num_clear(mp_int *a, int *num)
+{
+  int            ix, db, nset = 0;
+  mp_digit       cur;
+  unsigned char  reg;
+
+  ARGCHK(a != NULL, MP_BADARG);
+
+  for(ix = 0; ix < USED(a); ix++) {
+    cur = DIGIT(a, ix);
+    
+    for(db = 0; db < sizeof(mp_digit); db++) {
+      reg = (unsigned char)(cur >> (CHAR_BIT * db));
+
+      nset += bitc[UCHAR_MAX - reg];
+    }
+  }
+
+  if(num)
+    *num = nset;
+
+  return MP_OKAY;
+
+
+} /* end mpl_num_clear() */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/*
+  mpl_parity(a)
+
+  Determines the bitwise parity of the value given.  Returns MP_EVEN
+  if an even number of digits are set, MP_ODD if an odd number are
+  set.
+ */
+
+/* {{{ mpl_parity(a) */
+
+mp_err mpl_parity(mp_int *a)
+{
+  int      ix, par = 0;
+  mp_digit cur;
+
+  ARGCHK(a != NULL, MP_BADARG);
+
+  for(ix = 0; ix < USED(a); ix++) {
+    int   shft = (sizeof(mp_digit) * CHAR_BIT) / 2;
+
+    cur = DIGIT(a, ix);
+
+    /* Compute parity for current digit */
+    while(shft != 0) {
+      cur ^= (cur >> shft);
+      shft >>= 1;
+    }
+    cur &= 1;
+
+    /* XOR with running parity so far   */
+    par ^= cur;
+  }
+
+  if(par)
+    return MP_ODD;
+  else
+    return MP_EVEN;
+
+} /* end mpl_parity() */
+
+/* }}} */
+
+/*
+  mpl_set_bit
+
+  Returns MP_OKAY or some error code.
+  Grows a if needed to set a bit to 1.
+ */
+mp_err mpl_set_bit(mp_int *a, mp_size bitNum, mp_size value)
+{
+  mp_size      ix;
+  mp_err       rv;
+  mp_digit     mask;
+
+  ARGCHK(a != NULL, MP_BADARG);
+
+  ix = bitNum / MP_DIGIT_BIT;
+  if (ix + 1 > MP_USED(a)) {
+    rv = s_mp_pad(a, ix + 1);
+    if (rv != MP_OKAY)
+      return rv;
+  }
+
+  bitNum = bitNum % MP_DIGIT_BIT;
+  mask = (mp_digit)1 << bitNum;
+  if (value)
+    MP_DIGIT(a,ix) |= mask;
+  else
+    MP_DIGIT(a,ix) &= ~mask;
+  s_mp_clamp(a);
+  return MP_OKAY;
+}
+
+/*
+  mpl_get_bit
+
+  returns 0 or 1 or some (negative) error code.
+ */
+mp_err mpl_get_bit(const mp_int *a, mp_size bitNum)
+{
+  mp_size      bit, ix;
+  mp_err       rv;
+
+  ARGCHK(a != NULL, MP_BADARG);
+
+  ix = bitNum / MP_DIGIT_BIT;
+  ARGCHK(ix <= MP_USED(a) - 1, MP_RANGE);
+
+  bit   = bitNum % MP_DIGIT_BIT;
+  rv = (mp_err)(MP_DIGIT(a, ix) >> bit) & 1;
+  return rv;
+}
+
+/*
+  mpl_get_bits
+  - Extracts numBits bits from a, where the least significant extracted bit
+  is bit lsbNum.  Returns a negative value if error occurs.
+  - Because sign bit is used to indicate error, maximum number of bits to 
+  be returned is the lesser of (a) the number of bits in an mp_digit, or
+  (b) one less than the number of bits in an mp_err.
+  - lsbNum + numbits can be greater than the number of significant bits in
+  integer a, as long as bit lsbNum is in the high order digit of a.
+ */
+mp_err mpl_get_bits(const mp_int *a, mp_size lsbNum, mp_size numBits) 
+{
+  mp_size    rshift = (lsbNum % MP_DIGIT_BIT);
+  mp_size    lsWndx = (lsbNum / MP_DIGIT_BIT);
+  mp_digit * digit  = MP_DIGITS(a) + lsWndx;
+  mp_digit   mask   = ((1 << numBits) - 1);
+
+  ARGCHK(numBits < CHAR_BIT * sizeof mask, MP_BADARG);
+  ARGCHK(MP_HOWMANY(lsbNum, MP_DIGIT_BIT) <= MP_USED(a), MP_RANGE);
+
+  if ((numBits + lsbNum % MP_DIGIT_BIT <= MP_DIGIT_BIT) ||
+      (lsWndx + 1 >= MP_USED(a))) {
+    mask &= (digit[0] >> rshift);
+  } else {
+    mask &= ((digit[0] >> rshift) | (digit[1] << (MP_DIGIT_BIT - rshift)));
+  }
+  return (mp_err)mask;
+}
+
+/*
+  mpl_significant_bits
+  returns number of significnant bits in abs(a).
+  returns 1 if value is zero.
+ */
+mp_err mpl_significant_bits(const mp_int *a)
+{
+  mp_err bits 	= 0;
+  int    ix;
+
+  ARGCHK(a != NULL, MP_BADARG);
+
+  ix = MP_USED(a);
+  for (ix = MP_USED(a); ix > 0; ) {
+    mp_digit d;
+    d = MP_DIGIT(a, --ix);
+    if (d) {
+      while (d) {
+	++bits;
+	d >>= 1;
+      }
+      break;
+    }
+  }
+  bits += ix * MP_DIGIT_BIT;
+  if (!bits)
+    bits = 1;
+  return bits;
+}
+
+/*------------------------------------------------------------------------*/
+/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/mplogic.h b/security/nss/lib/freebl/mpi/mplogic.h
new file mode 100644
index 000000000..8efa4327c
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mplogic.h
@@ -0,0 +1,82 @@
+/*
+ *  mplogic.h
+ *
+ *  Bitwise logical operations on MPI values
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#ifndef _H_MPLOGIC_
+#define _H_MPLOGIC_
+
+#include "mpi.h"
+
+/*
+  The logical operations treat an mp_int as if it were a bit vector,
+  without regard to its sign (an mp_int is represented in a signed
+  magnitude format).  Values are treated as if they had an infinite
+  string of zeros left of the most-significant bit.
+ */
+
+/* Parity results                    */
+
+#define MP_EVEN       MP_YES
+#define MP_ODD        MP_NO
+
+/* Bitwise functions                 */
+
+mp_err mpl_not(mp_int *a, mp_int *b);            /* one's complement  */
+mp_err mpl_and(mp_int *a, mp_int *b, mp_int *c); /* bitwise AND       */
+mp_err mpl_or(mp_int *a, mp_int *b, mp_int *c);  /* bitwise OR        */
+mp_err mpl_xor(mp_int *a, mp_int *b, mp_int *c); /* bitwise XOR       */
+
+/* Shift functions                   */
+
+mp_err mpl_rsh(const mp_int *a, mp_int *b, mp_digit d);   /* right shift    */
+mp_err mpl_lsh(const mp_int *a, mp_int *b, mp_digit d);   /* left shift     */
+
+/* Bit count and parity              */
+
+mp_err mpl_num_set(mp_int *a, int *num);         /* count set bits    */
+mp_err mpl_num_clear(mp_int *a, int *num);       /* count clear bits  */
+mp_err mpl_parity(mp_int *a);                    /* determine parity  */
+
+/* Get & Set the value of a bit */
+
+mp_err mpl_set_bit(mp_int *a, mp_size bitNum, mp_size value);
+mp_err mpl_get_bit(const mp_int *a, mp_size bitNum);
+mp_err mpl_get_bits(const mp_int *a, mp_size lsbNum, mp_size numBits);
+mp_err mpl_significant_bits(const mp_int *a);
+
+#endif /* end _H_MPLOGIC_ */
diff --git a/security/nss/lib/freebl/mpi/mpmontg.c b/security/nss/lib/freebl/mpi/mpmontg.c
new file mode 100644
index 000000000..146c8c625
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpmontg.c
@@ -0,0 +1,561 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.	Portions created by Netscape are 
+ * Copyright (C) 2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.	If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *  $Id$
+ */
+
+/* This file implements moduluar exponentiation using Montgomery's
+ * method for modular reduction.  This file implements the method
+ * described as "Improvement 1" in the paper "A Cryptogrpahic Library for
+ * the Motorola DSP56000" by Stephen R. Dusse' and Burton S. Kaliski Jr.
+ * published in "Advances in Cryptology: Proceedings of EUROCRYPT '90"
+ * "Lecture Notes in Computer Science" volume 473, 1991, pg 230-244,
+ * published by Springer Verlag.
+ */
+
+/* #define MP_USING_MONT_MULF 1 */
+#include <string.h>
+#include "mpi-priv.h"
+#include "mplogic.h"
+#include "mpprime.h"
+#ifdef MP_USING_MONT_MULF
+#include "montmulf.h"
+#endif
+
+#define STATIC
+/* #define DEBUG 1  */
+
+#define MAX_WINDOW_BITS 6
+#define MAX_ODD_INTS    32   /* 2 ** (WINDOW_BITS - 1) */
+
+typedef struct {
+  mp_int       N;	/* modulus N */
+  mp_digit     n0prime; /* n0' = - (n0 ** -1) mod MP_RADIX */
+  mp_size      b;	/* R == 2 ** b,  also b = # significant bits in N */
+} mp_mont_modulus;
+
+mp_err   s_mp_mul_mont(const mp_int *a, const mp_int *b, mp_int *c, 
+	               mp_mont_modulus *mmm);
+
+/* computes T = REDC(T), 2^b == R */
+STATIC
+mp_err s_mp_redc(mp_int *T, mp_mont_modulus *mmm)
+{
+  mp_err res;
+  mp_size i;
+
+  i = MP_USED(T) + MP_USED(&mmm->N) + 2;
+  MP_CHECKOK( s_mp_pad(T, i) );
+  for (i = 0; i < MP_USED(&mmm->N); ++i ) {
+    mp_digit m_i = MP_DIGIT(T, i) * mmm->n0prime;
+    /* T += N * m_i * (MP_RADIX ** i); */
+    MP_CHECKOK( s_mp_mul_d_add_offset(&mmm->N, m_i, T, i) );
+  }
+  s_mp_clamp(T);
+
+  /* T /= R */
+  s_mp_div_2d(T, mmm->b); 
+
+  if ((res = s_mp_cmp(T, &mmm->N)) >= 0) {
+    /* T = T - N */
+    MP_CHECKOK( s_mp_sub(T, &mmm->N) );
+#ifdef DEBUG
+    if ((res = mp_cmp(T, &mmm->N)) >= 0) {
+      res = MP_UNDEF;
+      goto CLEANUP;
+    }
+#endif
+  }
+  res = MP_OKAY;
+CLEANUP:
+  return res;
+}
+
+#if !defined(MP_ASSEMBLY_MUL_MONT) && !defined(MP_MONT_USE_MP_MUL)
+mp_err s_mp_mul_mont(const mp_int *a, const mp_int *b, mp_int *c, 
+	           mp_mont_modulus *mmm)
+{
+  mp_digit *pb;
+  mp_digit m_i;
+  mp_err   res;
+  mp_size  ib;
+  mp_size  useda, usedb;
+
+  ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+
+  if (MP_USED(a) < MP_USED(b)) {
+    const mp_int *xch = b;	/* switch a and b, to do fewer outer loops */
+    b = a;
+    a = xch;
+  }
+
+  MP_USED(c) = 1; MP_DIGIT(c, 0) = 0;
+  ib = MP_USED(a) + MP_MAX(MP_USED(b), MP_USED(&mmm->N)) + 2;
+  if((res = s_mp_pad(c, ib)) != MP_OKAY)
+    goto CLEANUP;
+
+  useda = MP_USED(a);
+  pb = MP_DIGITS(b);
+  s_mpv_mul_d(MP_DIGITS(a), useda, *pb++, MP_DIGITS(c));
+  s_mp_setz(MP_DIGITS(c) + useda + 1, ib - (useda + 1));
+  m_i = MP_DIGIT(c, 0) * mmm->n0prime;
+  s_mp_mul_d_add_offset(&mmm->N, m_i, c, 0);
+
+  /* Outer loop:  Digits of b */
+  usedb = MP_USED(b);
+  for (ib = 1; ib < usedb; ib++) {
+    mp_digit b_i    = *pb++;
+
+    /* Inner product:  Digits of a */
+    if (b_i)
+      s_mpv_mul_d_add_prop(MP_DIGITS(a), useda, b_i, MP_DIGITS(c) + ib);
+    m_i = MP_DIGIT(c, ib) * mmm->n0prime;
+    s_mp_mul_d_add_offset(&mmm->N, m_i, c, ib);
+  }
+  if (usedb < MP_USED(&mmm->N)) {
+    for (usedb = MP_USED(&mmm->N); ib < usedb; ++ib ) {
+      m_i = MP_DIGIT(c, ib) * mmm->n0prime;
+      s_mp_mul_d_add_offset(&mmm->N, m_i, c, ib);
+    }
+  }
+  s_mp_clamp(c);
+  s_mp_div_2d(c, mmm->b); 
+  if (s_mp_cmp(c, &mmm->N) >= 0) {
+    MP_CHECKOK( s_mp_sub(c, &mmm->N) );
+  }
+  res = MP_OKAY;
+
+CLEANUP:
+  return res;
+}
+#endif
+
+STATIC
+mp_err s_mp_to_mont(const mp_int *x, mp_mont_modulus *mmm, mp_int *xMont)
+{
+  mp_err res;
+
+  /* xMont = x * R mod N   where  N is modulus */
+  MP_CHECKOK( mpl_lsh(x, xMont, mmm->b) );  		/* xMont = x << b */
+  MP_CHECKOK( mp_div(xMont, &mmm->N, 0, xMont) );	/*         mod N */
+CLEANUP:
+  return res;
+}
+
+#ifdef MP_USING_MONT_MULF
+
+unsigned int mp_using_mont_mulf = 1;
+
+/* computes montgomery square of the integer in mResult */
+#define SQR \
+  conv_i32_to_d32_and_d16(dm1, d16Tmp, mResult, nLen); \
+  mont_mulf_noconv(mResult, dm1, d16Tmp, \
+		   dTmp, dn, MP_DIGITS(modulus), nLen, dn0)
+
+/* computes montgomery product of x and the integer in mResult */
+#define MUL(x) \
+  conv_i32_to_d32(dm1, mResult, nLen); \
+  mont_mulf_noconv(mResult, dm1, oddPowers[x], \
+		   dTmp, dn, MP_DIGITS(modulus), nLen, dn0)
+
+/* Do modular exponentiation using floating point multiply code. */
+mp_err mp_exptmod_f(const mp_int *   montBase, 
+                    const mp_int *   exponent, 
+		    const mp_int *   modulus, 
+		    mp_int *         result, 
+		    mp_mont_modulus *mmm, 
+		    int              nLen, 
+		    mp_size          bits_in_exponent, 
+		    mp_size          window_bits,
+		    mp_size          odd_ints)
+{
+  mp_digit *mResult;
+  double   *dBuf = 0, *dm1, *dn, *dSqr, *d16Tmp, *dTmp;
+  double    dn0;
+  mp_size   i;
+  mp_err    res;
+  int       expOff;
+  int       dSize = 0, oddPowSize, dTmpSize;
+  mp_int    accum1;
+  double   *oddPowers[MAX_ODD_INTS];
+
+  /* function for computing n0prime only works if n0 is odd */
+
+  MP_DIGITS(&accum1) = 0;
+
+  for (i = 0; i < MAX_ODD_INTS; ++i)
+    oddPowers[i] = 0;
+
+  MP_CHECKOK( mp_init_size(&accum1, 3 * nLen + 2) );
+
+  mp_set(&accum1, 1);
+  MP_CHECKOK( s_mp_to_mont(&accum1, mmm, &accum1) );
+  MP_CHECKOK( s_mp_pad(&accum1, nLen) );
+
+  oddPowSize = 2 * nLen + 1;
+  dTmpSize   = 2 * oddPowSize;
+  dSize = sizeof(double) * (nLen * 4 + 1 + 
+			    ((odd_ints + 1) * oddPowSize) + dTmpSize);
+  dBuf   = (double *)malloc(dSize);
+  dm1    = dBuf;		/* array of d32 */
+  dn     = dBuf   + nLen;	/* array of d32 */
+  dSqr   = dn     + nLen;    	/* array of d32 */
+  d16Tmp = dSqr   + nLen;	/* array of d16 */
+  dTmp   = d16Tmp + oddPowSize;
+
+  for (i = 0; i < odd_ints; ++i) {
+      oddPowers[i] = dTmp;
+      dTmp += oddPowSize;
+  }
+  mResult = (mp_digit *)(dTmp + dTmpSize);	/* size is nLen + 1 */
+
+  /* Make dn and dn0 */
+  conv_i32_to_d32(dn, MP_DIGITS(modulus), nLen);
+  dn0 = (double)(mmm->n0prime & 0xffff);
+
+  /* Make dSqr */
+  conv_i32_to_d32_and_d16(dm1, oddPowers[0], MP_DIGITS(montBase), nLen);
+  mont_mulf_noconv(mResult, dm1, oddPowers[0], 
+		   dTmp, dn, MP_DIGITS(modulus), nLen, dn0);
+  conv_i32_to_d32(dSqr, mResult, nLen);
+
+  for (i = 1; i < odd_ints; ++i) {
+    mont_mulf_noconv(mResult, dSqr, oddPowers[i - 1], 
+		     dTmp, dn, MP_DIGITS(modulus), nLen, dn0);
+    conv_i32_to_d16(oddPowers[i], mResult, nLen);
+  }
+
+  s_mp_copy(MP_DIGITS(&accum1), mResult, nLen); /* from, to, len */
+
+  for (expOff = bits_in_exponent - window_bits; expOff >= 0; expOff -= window_bits) {
+    mp_size smallExp;
+    MP_CHECKOK( mpl_get_bits(exponent, expOff, window_bits) );
+    smallExp = (mp_size)res;
+
+    if (window_bits == 4) {
+      if (!smallExp) {
+	SQR; SQR; SQR; SQR;
+      } else if (smallExp & 1) {
+	SQR; SQR; SQR; SQR; MUL(smallExp/2); 
+      } else if (smallExp & 2) {
+	SQR; SQR; SQR; MUL(smallExp/4); SQR; 
+      } else if (smallExp & 4) {
+	SQR; SQR; MUL(smallExp/8); SQR; SQR; 
+      } else if (smallExp & 8) {
+	SQR; MUL(smallExp/16); SQR; SQR; SQR; 
+      } else {
+	abort();
+      }
+    } else if (window_bits == 5) {
+      if (!smallExp) {
+	SQR; SQR; SQR; SQR; SQR; 
+      } else if (smallExp & 1) {
+	SQR; SQR; SQR; SQR; SQR; MUL(smallExp/2);
+      } else if (smallExp & 2) {
+	SQR; SQR; SQR; SQR; MUL(smallExp/4); SQR;
+      } else if (smallExp & 4) {
+	SQR; SQR; SQR; MUL(smallExp/8); SQR; SQR;
+      } else if (smallExp & 8) {
+	SQR; SQR; MUL(smallExp/16); SQR; SQR; SQR;
+      } else if (smallExp & 0x10) {
+	SQR; MUL(smallExp/32); SQR; SQR; SQR; SQR;
+      } else {
+	  abort();
+      }
+    } else if (window_bits == 6) {
+      if (!smallExp) {
+	SQR; SQR; SQR; SQR; SQR; SQR;
+      } else if (smallExp & 1) {
+	SQR; SQR; SQR; SQR; SQR; SQR; MUL(smallExp/2); 
+      } else if (smallExp & 2) {
+	SQR; SQR; SQR; SQR; SQR; MUL(smallExp/4); SQR; 
+      } else if (smallExp & 4) {
+	SQR; SQR; SQR; SQR; MUL(smallExp/8); SQR; SQR; 
+      } else if (smallExp & 8) {
+	SQR; SQR; SQR; MUL(smallExp/16); SQR; SQR; SQR; 
+      } else if (smallExp & 0x10) {
+	SQR; SQR; MUL(smallExp/32); SQR; SQR; SQR; SQR; 
+      } else if (smallExp & 0x20) {
+	SQR; MUL(smallExp/64); SQR; SQR; SQR; SQR; SQR; 
+      } else {
+	abort();
+      }
+    } else {
+      abort();
+    }
+  }
+
+  s_mp_copy(mResult, MP_DIGITS(&accum1), nLen); /* from, to, len */
+
+  res = s_mp_redc(&accum1, mmm);
+  mp_exch(&accum1, result);
+
+CLEANUP:
+  mp_clear(&accum1);
+  if (dBuf) {
+    if (dSize)
+      memset(dBuf, 0, dSize);
+    free(dBuf);
+  }
+
+  return res;
+}
+#undef SQR
+#undef MUL
+#endif
+
+#define SQR(a,b) \
+  MP_CHECKOK( mp_sqr(a, b) );\
+  MP_CHECKOK( s_mp_redc(b, mmm) )
+
+#if defined(MP_MONT_USE_MP_MUL)
+#define MUL(x,a,b) \
+  MP_CHECKOK( mp_mul(a, oddPowers + (x), b) ); \
+  MP_CHECKOK( s_mp_redc(b, mmm) ) 
+#else
+#define MUL(x,a,b) \
+  MP_CHECKOK( s_mp_mul_mont(a, oddPowers + (x), b, mmm) )
+#endif
+
+#define SWAPPA ptmp = pa1; pa1 = pa2; pa2 = ptmp
+
+/* Do modular exponentiation using integer multiply code. */
+mp_err mp_exptmod_i(const mp_int *   montBase, 
+                    const mp_int *   exponent, 
+		    const mp_int *   modulus, 
+		    mp_int *         result, 
+		    mp_mont_modulus *mmm, 
+		    int              nLen, 
+		    mp_size          bits_in_exponent, 
+		    mp_size          window_bits,
+		    mp_size          odd_ints)
+{
+  mp_int *pa1, *pa2, *ptmp;
+  mp_size i;
+  mp_err  res;
+  int     expOff;
+  mp_int  accum1, accum2, power2, oddPowers[MAX_ODD_INTS];
+
+  /* power2 = base ** 2; oddPowers[i] = base ** (2*i + 1); */
+  /* oddPowers[i] = base ** (2*i + 1); */
+
+  MP_DIGITS(&accum1) = 0;
+  MP_DIGITS(&accum2) = 0;
+  MP_DIGITS(&power2) = 0;
+  for (i = 0; i < MAX_ODD_INTS; ++i) {
+    MP_DIGITS(oddPowers + i) = 0;
+  }
+
+  MP_CHECKOK( mp_init_size(&accum1, 3 * nLen + 2) );
+  MP_CHECKOK( mp_init_size(&accum2, 3 * nLen + 2) );
+
+  MP_CHECKOK( mp_init_copy(&oddPowers[0], montBase) );
+
+  mp_init_size(&power2, nLen + 2 * MP_USED(montBase) + 2);
+  MP_CHECKOK( mp_sqr(montBase, &power2) );	/* power2 = montBase ** 2 */
+  MP_CHECKOK( s_mp_redc(&power2, mmm) );
+
+  for (i = 1; i < odd_ints; ++i) {
+    mp_init_size(oddPowers + i, nLen + 2 * MP_USED(&power2) + 2);
+    MP_CHECKOK( mp_mul(oddPowers + (i - 1), &power2, oddPowers + i) );
+    MP_CHECKOK( s_mp_redc(oddPowers + i, mmm) );
+  }
+
+  /* set accumulator to montgomery residue of 1 */
+  mp_set(&accum1, 1);
+  MP_CHECKOK( s_mp_to_mont(&accum1, mmm, &accum1) );
+  pa1 = &accum1;
+  pa2 = &accum2;
+
+  for (expOff = bits_in_exponent - window_bits; expOff >= 0; expOff -= window_bits) {
+    mp_size smallExp;
+    MP_CHECKOK( mpl_get_bits(exponent, expOff, window_bits) );
+    smallExp = (mp_size)res;
+
+    if (window_bits == 4) {
+      if (!smallExp) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1);
+      } else if (smallExp & 1) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
+	MUL(smallExp/2, pa1,pa2); SWAPPA;
+      } else if (smallExp & 2) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); 
+	MUL(smallExp/4,pa2,pa1); SQR(pa1,pa2); SWAPPA;
+      } else if (smallExp & 4) {
+	SQR(pa1,pa2); SQR(pa2,pa1); MUL(smallExp/8,pa1,pa2); 
+	SQR(pa2,pa1); SQR(pa1,pa2); SWAPPA;
+      } else if (smallExp & 8) {
+	SQR(pa1,pa2); MUL(smallExp/16,pa2,pa1); SQR(pa1,pa2); 
+	SQR(pa2,pa1); SQR(pa1,pa2); SWAPPA;
+      } else {
+	abort();
+      }
+    } else if (window_bits == 5) {
+      if (!smallExp) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
+	SQR(pa1,pa2); SWAPPA;
+      } else if (smallExp & 1) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
+	SQR(pa1,pa2); MUL(smallExp/2,pa2,pa1);
+      } else if (smallExp & 2) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
+	MUL(smallExp/4,pa1,pa2); SQR(pa2,pa1);
+      } else if (smallExp & 4) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); 
+	MUL(smallExp/8,pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1);
+      } else if (smallExp & 8) {
+	SQR(pa1,pa2); SQR(pa2,pa1); MUL(smallExp/16,pa1,pa2); 
+	SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1);
+      } else if (smallExp & 0x10) {
+	SQR(pa1,pa2); MUL(smallExp/32,pa2,pa1); SQR(pa1,pa2); 
+	SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1);
+      } else {
+	  abort();
+      }
+    } else if (window_bits == 6) {
+      if (!smallExp) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
+	SQR(pa1,pa2); SQR(pa2,pa1);
+      } else if (smallExp & 1) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
+	SQR(pa1,pa2); SQR(pa2,pa1); MUL(smallExp/2,pa1,pa2); SWAPPA;
+      } else if (smallExp & 2) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
+	SQR(pa1,pa2); MUL(smallExp/4,pa2,pa1); SQR(pa1,pa2); SWAPPA;
+      } else if (smallExp & 4) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
+	MUL(smallExp/8,pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SWAPPA;
+      } else if (smallExp & 8) {
+	SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); 
+	MUL(smallExp/16,pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); 
+	SQR(pa1,pa2); SWAPPA;
+      } else if (smallExp & 0x10) {
+	SQR(pa1,pa2); SQR(pa2,pa1); MUL(smallExp/32,pa1,pa2); 
+	SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SWAPPA;
+      } else if (smallExp & 0x20) {
+	SQR(pa1,pa2); MUL(smallExp/64,pa2,pa1); SQR(pa1,pa2); 
+	SQR(pa2,pa1); SQR(pa1,pa2); SQR(pa2,pa1); SQR(pa1,pa2); SWAPPA;
+      } else {
+	abort();
+      }
+    } else {
+      abort();
+    }
+  }
+
+  res = s_mp_redc(pa1, mmm);
+  mp_exch(pa1, result);
+
+CLEANUP:
+  mp_clear(&accum1);
+  mp_clear(&accum2);
+  mp_clear(&power2);
+  for (i = 0; i < odd_ints; ++i) {
+    mp_clear(oddPowers + i);
+  }
+  return res;
+}
+#undef SQR
+#undef MUL
+
+
+mp_err mp_exptmod(const mp_int *inBase, const mp_int *exponent, 
+		  const mp_int *modulus, mp_int *result)
+{
+  const mp_int *base;
+  mp_size bits_in_exponent, i, window_bits, odd_ints;
+  mp_err  res;
+  int     nLen;
+  mp_int  montBase, goodBase;
+  mp_mont_modulus mmm;
+
+  /* function for computing n0prime only works if n0 is odd */
+  if (!mp_isodd(modulus))
+    return s_mp_exptmod(inBase, exponent, modulus, result);
+
+  MP_DIGITS(&montBase) = 0;
+  MP_DIGITS(&goodBase) = 0;
+
+  if (mp_cmp(inBase, modulus) < 0) {
+    base = inBase;
+  } else {
+    MP_CHECKOK( mp_init(&goodBase) );
+    base = &goodBase;
+    MP_CHECKOK( mp_mod(inBase, modulus, &goodBase) );
+  }
+
+  nLen  = MP_USED(modulus);
+  MP_CHECKOK( mp_init_size(&montBase, 2 * nLen + 2) );
+
+  mmm.N = *modulus;			/* a copy of the mp_int struct */
+  i = mpl_significant_bits(modulus);
+  i += MP_DIGIT_BIT - 1;
+  mmm.b = i - i % MP_DIGIT_BIT;
+
+  /* compute n0', given n0, n0' = -(n0 ** -1) mod MP_RADIX
+  **		where n0 = least significant mp_digit of N, the modulus.
+  */
+  mmm.n0prime = 0 - s_mp_invmod_radix( MP_DIGIT(modulus, 0) );
+
+  MP_CHECKOK( s_mp_to_mont(base, &mmm, &montBase) );
+
+  bits_in_exponent = mpl_significant_bits(exponent);
+  if (bits_in_exponent > 480)
+    window_bits = 6;
+  else if (bits_in_exponent > 160)
+    window_bits = 5;
+  else
+    window_bits = 4;
+  odd_ints = 1 << (window_bits - 1);
+  i = bits_in_exponent % window_bits;
+  if (i != 0) {
+    bits_in_exponent += window_bits - i;
+  } 
+
+#ifdef MP_USING_MONT_MULF
+  if (mp_using_mont_mulf) {
+    MP_CHECKOK( s_mp_pad(&montBase, nLen) );
+    res = mp_exptmod_f(&montBase, exponent, modulus, result, &mmm, nLen, 
+		     bits_in_exponent, window_bits, odd_ints);
+  } else
+#endif
+  res = mp_exptmod_i(&montBase, exponent, modulus, result, &mmm, nLen, 
+		     bits_in_exponent, window_bits, odd_ints);
+
+CLEANUP:
+  mp_clear(&montBase);
+  mp_clear(&goodBase);
+  /* Don't mp_clear mmm.N because it is merely a copy of modulus.
+  ** Just zap it.
+  */
+  memset(&mmm, 0, sizeof mmm);
+  return res;
+}
diff --git a/security/nss/lib/freebl/mpi/mpprime.c b/security/nss/lib/freebl/mpi/mpprime.c
new file mode 100644
index 000000000..7317eeab1
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpprime.c
@@ -0,0 +1,619 @@
+/*
+ *  mpprime.c
+ *
+ *  Utilities for finding and working with prime and pseudo-prime
+ *  integers
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1997, 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *	Netscape Communications Corporation
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ */
+
+#include "mpi-priv.h"
+#include "mpprime.h"
+#include "mplogic.h"
+#include <stdlib.h>
+#include <string.h>
+
+#define SMALL_TABLE 0 /* determines size of hard-wired prime table */
+
+#define RANDOM() rand()
+
+#include "primes.c"  /* pull in the prime digit table */
+
+/* 
+   Test if any of a given vector of digits divides a.  If not, MP_NO
+   is returned; otherwise, MP_YES is returned and 'which' is set to
+   the index of the integer in the vector which divided a.
+ */
+mp_err    s_mpp_divp(mp_int *a, const mp_digit *vec, int size, int *which);
+
+/* {{{ mpp_divis(a, b) */
+
+/*
+  mpp_divis(a, b)
+
+  Returns MP_YES if a is divisible by b, or MP_NO if it is not.
+ */
+
+mp_err  mpp_divis(mp_int *a, mp_int *b)
+{
+  mp_err  res;
+  mp_int  rem;
+
+  if((res = mp_init(&rem)) != MP_OKAY)
+    return res;
+
+  if((res = mp_mod(a, b, &rem)) != MP_OKAY)
+    goto CLEANUP;
+
+  if(mp_cmp_z(&rem) == 0)
+    res = MP_YES;
+  else
+    res = MP_NO;
+
+CLEANUP:
+  mp_clear(&rem);
+  return res;
+
+} /* end mpp_divis() */
+
+/* }}} */
+
+/* {{{ mpp_divis_d(a, d) */
+
+/*
+  mpp_divis_d(a, d)
+
+  Return MP_YES if a is divisible by d, or MP_NO if it is not.
+ */
+
+mp_err  mpp_divis_d(mp_int *a, mp_digit d)
+{
+  mp_err     res;
+  mp_digit   rem;
+
+  ARGCHK(a != NULL, MP_BADARG);
+
+  if(d == 0)
+    return MP_NO;
+
+  if((res = mp_mod_d(a, d, &rem)) != MP_OKAY)
+    return res;
+
+  if(rem == 0)
+    return MP_YES;
+  else
+    return MP_NO;
+
+} /* end mpp_divis_d() */
+
+/* }}} */
+
+/* {{{ mpp_random(a) */
+
+/*
+  mpp_random(a)
+
+  Assigns a random value to a.  This value is generated using the
+  standard C library's rand() function, so it should not be used for
+  cryptographic purposes, but it should be fine for primality testing,
+  since all we really care about there is good statistical properties.
+
+  As many digits as a currently has are filled with random digits.
+ */
+
+mp_err  mpp_random(mp_int *a)
+
+{
+  mp_digit  next = 0;
+  int       ix, jx;
+
+  ARGCHK(a != NULL, MP_BADARG);
+
+  for(ix = 0; ix < USED(a); ix++) {
+    for(jx = 0; jx < sizeof(mp_digit); jx++) {
+      next = (next << CHAR_BIT) | (RANDOM() & UCHAR_MAX);
+    }
+    DIGIT(a, ix) = next;
+  }
+
+  return MP_OKAY;
+
+} /* end mpp_random() */
+
+/* }}} */
+
+/* {{{ mpp_random_size(a, prec) */
+
+mp_err  mpp_random_size(mp_int *a, mp_size prec)
+{
+  mp_err   res;
+
+  ARGCHK(a != NULL && prec > 0, MP_BADARG);
+  
+  if((res = s_mp_pad(a, prec)) != MP_OKAY)
+    return res;
+
+  return mpp_random(a);
+
+} /* end mpp_random_size() */
+
+/* }}} */
+
+/* {{{ mpp_divis_vector(a, vec, size, which) */
+
+/*
+  mpp_divis_vector(a, vec, size, which)
+
+  Determines if a is divisible by any of the 'size' digits in vec.
+  Returns MP_YES and sets 'which' to the index of the offending digit,
+  if it is; returns MP_NO if it is not.
+ */
+
+mp_err  mpp_divis_vector(mp_int *a, const mp_digit *vec, int size, int *which)
+{
+  ARGCHK(a != NULL && vec != NULL && size > 0, MP_BADARG);
+  
+  return s_mpp_divp(a, vec, size, which);
+
+} /* end mpp_divis_vector() */
+
+/* }}} */
+
+/* {{{ mpp_divis_primes(a, np) */
+
+/*
+  mpp_divis_primes(a, np)
+
+  Test whether a is divisible by any of the first 'np' primes.  If it
+  is, returns MP_YES and sets *np to the value of the digit that did
+  it.  If not, returns MP_NO.
+ */
+mp_err  mpp_divis_primes(mp_int *a, mp_digit *np)
+{
+  int     size, which;
+  mp_err  res;
+
+  ARGCHK(a != NULL && np != NULL, MP_BADARG);
+
+  size = (int)*np;
+  if(size > prime_tab_size)
+    size = prime_tab_size;
+
+  res = mpp_divis_vector(a, prime_tab, size, &which);
+  if(res == MP_YES) 
+    *np = prime_tab[which];
+
+  return res;
+
+} /* end mpp_divis_primes() */
+
+/* }}} */
+
+/* {{{ mpp_fermat(a, w) */
+
+/*
+  Using w as a witness, try pseudo-primality testing based on Fermat's
+  little theorem.  If a is prime, and (w, a) = 1, then w^a == w (mod
+  a).  So, we compute z = w^a (mod a) and compare z to w; if they are
+  equal, the test passes and we return MP_YES.  Otherwise, we return
+  MP_NO.
+ */
+mp_err  mpp_fermat(mp_int *a, mp_digit w)
+{
+  mp_int  base, test;
+  mp_err  res;
+  
+  if((res = mp_init(&base)) != MP_OKAY)
+    return res;
+
+  mp_set(&base, w);
+
+  if((res = mp_init(&test)) != MP_OKAY)
+    goto TEST;
+
+  /* Compute test = base^a (mod a) */
+  if((res = mp_exptmod(&base, a, a, &test)) != MP_OKAY)
+    goto CLEANUP;
+
+  
+  if(mp_cmp(&base, &test) == 0)
+    res = MP_YES;
+  else
+    res = MP_NO;
+
+ CLEANUP:
+  mp_clear(&test);
+ TEST:
+  mp_clear(&base);
+
+  return res;
+
+} /* end mpp_fermat() */
+
+/* }}} */
+
+/*
+  Perform the fermat test on each of the primes in a list until
+  a) one of them shows a is not prime, or 
+  b) the list is exhausted.
+  Returns:  MP_YES if it passes tests.
+	    MP_NO  if fermat test reveals it is composite
+	    Some MP error code if some other error occurs.
+ */
+mp_err mpp_fermat_list(mp_int *a, const mp_digit *primes, mp_size nPrimes)
+{
+  mp_err rv = MP_YES;
+
+  while (nPrimes-- > 0 && rv == MP_YES) {
+    rv = mpp_fermat(a, *primes++);
+  }
+  return rv;
+}
+
+/* {{{ mpp_pprime(a, nt) */
+
+/*
+  mpp_pprime(a, nt)
+
+  Performs nt iteration of the Miller-Rabin probabilistic primality
+  test on a.  Returns MP_YES if the tests pass, MP_NO if one fails.
+  If MP_NO is returned, the number is definitely composite.  If MP_YES
+  is returned, it is probably prime (but that is not guaranteed).
+ */
+
+mp_err  mpp_pprime(mp_int *a, int nt)
+{
+  mp_err   res;
+  mp_int   x, amo, m, z;	/* "amo" = "a minus one" */
+  int      iter, jx;
+  mp_size  b;
+
+  ARGCHK(a != NULL, MP_BADARG);
+
+  MP_DIGITS(&x) = 0;
+  MP_DIGITS(&amo) = 0;
+  MP_DIGITS(&m) = 0;
+  MP_DIGITS(&z) = 0;
+
+  /* Initialize temporaries... */
+  MP_CHECKOK( mp_init(&amo));
+  /* Compute amo = a - 1 for what follows...    */
+  MP_CHECKOK( mp_sub_d(a, 1, &amo) );
+
+  b = mp_trailing_zeros(&amo);
+  if (!b) { /* a was even ? */
+    res = MP_NO;
+    goto CLEANUP;
+  }
+
+  MP_CHECKOK( mp_init_size(&x, MP_USED(a)) );
+  MP_CHECKOK( mp_init(&z) );
+  MP_CHECKOK( mp_init(&m) );
+  MP_CHECKOK( mp_div_2d(&amo, b, &m, 0) );
+
+  /* Do the test nt times... */
+  for(iter = 0; iter < nt; iter++) {
+
+    /* Choose a random value for x < a          */
+    s_mp_pad(&x, USED(a));
+    mpp_random(&x);
+    MP_CHECKOK( mp_mod(&x, a, &x) );
+
+    /* Compute z = (x ** m) mod a               */
+    MP_CHECKOK( mp_exptmod(&x, &m, a, &z) );
+    
+    if(mp_cmp_d(&z, 1) == 0 || mp_cmp(&z, &amo) == 0) {
+      res = MP_YES;
+      continue;
+    }
+    
+    res = MP_NO;  /* just in case the following for loop never executes. */
+    for (jx = 1; jx < b; jx++) {
+      /* z = z^2 (mod a) */
+      MP_CHECKOK( mp_sqrmod(&z, a, &z) );
+      res = MP_NO;	/* previous line set res to MP_YES */
+
+      if(mp_cmp_d(&z, 1) == 0) {
+	break;
+      }
+      if(mp_cmp(&z, &amo) == 0) {
+	res = MP_YES;
+	break;
+      } 
+    } /* end testing loop */
+
+    /* If the test passes, we will continue iterating, but a failed
+       test means the candidate is definitely NOT prime, so we will
+       immediately break out of this loop
+     */
+    if(res == MP_NO)
+      break;
+
+  } /* end iterations loop */
+  
+CLEANUP:
+  mp_clear(&m);
+  mp_clear(&z);
+  mp_clear(&x);
+  mp_clear(&amo);
+  return res;
+
+} /* end mpp_pprime() */
+
+/* }}} */
+
+/* Produce table of composites from list of primes and trial value.  
+** trial must be odd. List of primes must not include 2.
+** sieve should have dimension >= MAXPRIME/2, where MAXPRIME is largest 
+** prime in list of primes.  After this function is finished,
+** if sieve[i] is non-zero, then (trial + 2*i) is composite.
+** Each prime used in the sieve costs one division of trial, and eliminates
+** one or more values from the search space. (3 eliminates 1/3 of the values
+** alone!)  Each value left in the search space costs 1 or more modular 
+** exponentations.  So, these divisions are a bargain!
+*/
+mp_err mpp_sieve(mp_int *trial, const mp_digit *primes, mp_size nPrimes, 
+		 unsigned char *sieve, mp_size nSieve)
+{
+  mp_err       res;
+  mp_digit     rem;
+  mp_size      ix;
+  unsigned long offset;
+
+  memset(sieve, 0, nSieve);
+
+  for(ix = 0; ix < nPrimes; ix++) {
+    mp_digit prime = primes[ix];
+    mp_size  i;
+    if((res = mp_mod_d(trial, prime, &rem)) != MP_OKAY) 
+      return res;
+
+    if (rem == 0) {
+      offset = 0;
+    } else {
+      offset = prime - (rem / 2);
+    }
+    for (i = offset; i < nSieve ; i += prime) {
+      sieve[i] = 1;
+    }
+  }
+
+  return MP_OKAY;
+}
+
+#define SIEVE_SIZE 32*1024
+
+mp_err mpp_make_prime(mp_int *start, mp_size nBits, mp_size strong,
+		      unsigned long * nTries)
+{
+  mp_digit      np;
+  mp_err        res;
+  int           i	= 0;
+  mp_int        trial;
+  mp_int        q;
+  mp_size       num_tests;
+  /*
+   * Always make sieve the last variabale allocated so that 
+   * Mac builds don't break by adding an extra variable
+   * on the stack. -javi
+   */
+#if defined(macintosh) || defined (XP_OS2)
+  unsigned char *sieve;
+  
+  sieve = malloc(SIEVE_SIZE);
+  ARGCHK(sieve != NULL, MP_MEM);
+#else
+  unsigned char sieve[SIEVE_SIZE];
+#endif  
+
+  ARGCHK(start != 0, MP_BADARG);
+  ARGCHK(nBits > 16, MP_RANGE);
+
+  MP_DIGITS(&trial) = 0;
+  MP_DIGITS(&q) = 0;
+  MP_CHECKOK( mp_init(&trial) );
+  MP_CHECKOK( mp_init(&q)     );
+  /* values taken from table 4.4, HandBook of Applied Cryptography */
+  if (nBits >= 1300) {
+    num_tests = 2;
+  } else if (nBits >= 850) {
+    num_tests = 3;
+  } else if (nBits >= 650) {
+    num_tests = 4;
+  } else if (nBits >= 550) {
+    num_tests = 5;
+  } else if (nBits >= 450) {
+    num_tests = 6;
+  } else if (nBits >= 400) {
+    num_tests = 7;
+  } else if (nBits >= 350) {
+    num_tests = 8;
+  } else if (nBits >= 300) {
+    num_tests = 9;
+  } else if (nBits >= 250) {
+    num_tests = 12;
+  } else if (nBits >= 200) {
+    num_tests = 15;
+  } else if (nBits >= 150) {
+    num_tests = 18;
+  } else if (nBits >= 100) {
+    num_tests = 27;
+  } else
+    num_tests = 50;
+
+  if (strong) 
+    --nBits;
+  MP_CHECKOK( mpl_set_bit(start, nBits - 1, 1) );
+  MP_CHECKOK( mpl_set_bit(start,         0, 1) );
+  for (i = mpl_significant_bits(start) - 1; i >= nBits; --i) {
+    MP_CHECKOK( mpl_set_bit(start, i, 0) );
+  }
+  /* start sieveing with prime value of 3. */
+  MP_CHECKOK(mpp_sieve(start, prime_tab + 1, prime_tab_size - 1, 
+		       sieve, SIEVE_SIZE) );
+
+#ifdef DEBUG_SIEVE
+  res = 0;
+  for (i = 0; i < SIEVE_SIZE; ++i) {
+    if (!sieve[i])
+      ++res;
+  }
+  fprintf(stderr,"sieve found %d potential primes.\n", res);
+#define FPUTC(x,y) fputc(x,y)
+#else
+#define FPUTC(x,y) 
+#endif
+
+  res = MP_NO;
+  for(i = 0; i < SIEVE_SIZE; ++i) {
+    if (sieve[i])	/* this number is composite */
+      continue;
+    MP_CHECKOK( mp_add_d(start, 2 * i, &trial) );
+    FPUTC('.', stderr);
+    /* run a Fermat test */
+    res = mpp_fermat(&trial, 2);
+    if (res != MP_OKAY) {
+      if (res == MP_NO)
+	continue;	/* was composite */
+      goto CLEANUP;
+    }
+      
+    FPUTC('+', stderr);
+    /* If that passed, run some Miller-Rabin tests	*/
+    res = mpp_pprime(&trial, num_tests);
+    if (res != MP_OKAY) {
+      if (res == MP_NO)
+	continue;	/* was composite */
+      goto CLEANUP;
+    }
+    FPUTC('!', stderr);
+
+    if (!strong) 
+      break;	/* success !! */
+
+    /* At this point, we have strong evidence that our candidate
+       is itself prime.  If we want a strong prime, we need now
+       to test q = 2p + 1 for primality...
+     */
+    MP_CHECKOK( mp_mul_2(&trial, &q) );
+    MP_CHECKOK( mp_add_d(&q, 1, &q)  );
+
+    /* Test q for small prime divisors ... */
+    np = prime_tab_size;
+    res = mpp_divis_primes(&q, &np);
+    if (res == MP_YES) { /* is composite */
+      mp_clear(&q);
+      continue;
+    }
+    if (res != MP_NO) 
+      goto CLEANUP;
+
+    /* And test with Fermat, as with its parent ... */
+    res = mpp_fermat(&q, 2);
+    if (res != MP_YES) {
+      mp_clear(&q);
+      if (res == MP_NO)
+	continue;	/* was composite */
+      goto CLEANUP;
+    }
+
+    /* And test with Miller-Rabin, as with its parent ... */
+    res = mpp_pprime(&q, num_tests);
+    if (res != MP_YES) {
+      mp_clear(&q);
+      if (res == MP_NO)
+	continue;	/* was composite */
+      goto CLEANUP;
+    }
+
+    /* If it passed, we've got a winner */
+    mp_exch(&q, &trial);
+    mp_clear(&q);
+    break;
+
+  } /* end of loop through sieved values */
+  if (res == MP_YES) 
+    mp_exch(&trial, start);
+CLEANUP:
+  mp_clear(&trial);
+  mp_clear(&q);
+  if (nTries)
+    *nTries += i;
+#if defined(macintosh) || defined(XP_OS2)
+  if (sieve != NULL) {
+  	memset(sieve, 0, SIEVE_SIZE);
+  	free (sieve);
+  }
+#endif    
+  return res;
+}
+
+/*========================================================================*/
+/*------------------------------------------------------------------------*/
+/* Static functions visible only to the library internally                */
+
+/* {{{ s_mpp_divp(a, vec, size, which) */
+
+/* 
+   Test for divisibility by members of a vector of digits.  Returns
+   MP_NO if a is not divisible by any of them; returns MP_YES and sets
+   'which' to the index of the offender, if it is.  Will stop on the
+   first digit against which a is divisible.
+ */
+
+mp_err    s_mpp_divp(mp_int *a, const mp_digit *vec, int size, int *which)
+{
+  mp_err    res;
+  mp_digit  rem;
+
+  int     ix;
+
+  for(ix = 0; ix < size; ix++) {
+    if((res = mp_mod_d(a, vec[ix], &rem)) != MP_OKAY) 
+      return res;
+
+    if(rem == 0) {
+      if(which)
+	*which = ix;
+      return MP_YES;
+    }
+  }
+
+  return MP_NO;
+
+} /* end s_mpp_divp() */
+
+/* }}} */
+
+/*------------------------------------------------------------------------*/
+/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/mpprime.h b/security/nss/lib/freebl/mpi/mpprime.h
new file mode 100644
index 000000000..1204580f6
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpprime.h
@@ -0,0 +1,67 @@
+/*
+ *  mpprime.h
+ *
+ *  Utilities for finding and working with prime and pseudo-prime
+ *  integers
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1997, 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _H_MP_PRIME_
+#define _H_MP_PRIME_
+
+#include "mpi.h"
+
+extern const int prime_tab_size;   /* number of primes available */
+extern const mp_digit prime_tab[];
+
+/* Tests for divisibility    */
+mp_err  mpp_divis(mp_int *a, mp_int *b);
+mp_err  mpp_divis_d(mp_int *a, mp_digit d);
+
+/* Random selection          */
+mp_err  mpp_random(mp_int *a);
+mp_err  mpp_random_size(mp_int *a, mp_size prec);
+
+/* Pseudo-primality testing  */
+mp_err  mpp_divis_vector(mp_int *a, const mp_digit *vec, int size, int *which);
+mp_err  mpp_divis_primes(mp_int *a, mp_digit *np);
+mp_err  mpp_fermat(mp_int *a, mp_digit w);
+mp_err mpp_fermat_list(mp_int *a, const mp_digit *primes, mp_size nPrimes);
+mp_err  mpp_pprime(mp_int *a, int nt);
+mp_err mpp_sieve(mp_int *trial, const mp_digit *primes, mp_size nPrimes, 
+		 unsigned char *sieve, mp_size nSieve);
+mp_err mpp_make_prime(mp_int *start, mp_size nBits, mp_size strong,
+		      unsigned long * nTries);
+
+#endif /* end _H_MP_PRIME_ */
diff --git a/security/nss/lib/freebl/mpi/mpv_sparc.c b/security/nss/lib/freebl/mpi/mpv_sparc.c
new file mode 100644
index 000000000..a0a0b78fb
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpv_sparc.c
@@ -0,0 +1,249 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is a SPARC/VIS optimized multiply and add function
+ *
+ * The Initial Developer of the Original Code is Sun Microsystems Inc.
+ * Portions created by Sun Microsystems Inc. are 
+ * Copyright (C) 1999-2000 Sun Microsystems Inc.  All Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.   If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *  $Id$
+ */
+
+#include "vis_proto.h"
+
+/***************************************************************/
+
+typedef  int                t_s32;
+typedef  unsigned int       t_u32;
+#if defined(__sparcv9)
+typedef  long               t_s64;
+typedef  unsigned long      t_u64;
+#else
+typedef  long long          t_s64;
+typedef  unsigned long long t_u64;
+#endif
+typedef  double             t_d64;
+
+/***************************************************************/
+
+typedef union {
+  t_d64 d64;
+  struct {
+    t_s32 i0;
+    t_s32 i1;
+  } i32s;
+} d64_2_i32;
+
+/***************************************************************/
+
+#define BUFF_SIZE  256
+
+#define A_BITS  19
+#define A_MASK  ((1 << A_BITS) - 1)
+
+/***************************************************************/
+
+static t_u64 mask_cnst[] = {
+  0x8000000080000000ull
+};
+
+/***************************************************************/
+
+#define DEF_VARS(N)                     \
+  t_d64 *py = (t_d64*)y;                \
+  t_d64 mask = *((t_d64*)mask_cnst);    \
+  t_d64 ca = (1u << 31) - 1;            \
+  t_d64 da = (t_d64)a;                  \
+  t_s64 buff[N], s;                     \
+  d64_2_i32 dy
+
+/***************************************************************/
+
+#define MUL_U32_S64_2(i)                                \
+  dy.d64 = vis_fxnor(mask, py[i]);                      \
+  buff[2*(i)  ] = (ca - (t_d64)dy.i32s.i0) * da;        \
+  buff[2*(i)+1] = (ca - (t_d64)dy.i32s.i1) * da
+
+#define MUL_U32_S64_2_D(i)              \
+  dy.d64 = vis_fxnor(mask, py[i]);      \
+  d0 = ca - (t_d64)dy.i32s.i0;          \
+  d1 = ca - (t_d64)dy.i32s.i1;          \
+  buff[4*(i)  ] = (t_s64)(d0 * da);     \
+  buff[4*(i)+1] = (t_s64)(d0 * db);     \
+  buff[4*(i)+2] = (t_s64)(d1 * da);     \
+  buff[4*(i)+3] = (t_s64)(d1 * db)
+
+/***************************************************************/
+
+#define ADD_S64_U32(i)          \
+  s = buff[i] + x[i] + c;       \
+  z[i] = s;                     \
+  c = (s >> 32)
+
+#define ADD_S64_U32_D(i)                        \
+  s = buff[2*(i)] +(((t_s64)(buff[2*(i)+1]))<<A_BITS) + x[i] + uc;   \
+  z[i] = s;                                     \
+  uc = ((t_u64)s >> 32)
+
+/***************************************************************/
+
+#define MUL_U32_S64_8(i)        \
+  MUL_U32_S64_2(i);             \
+  MUL_U32_S64_2(i+1);           \
+  MUL_U32_S64_2(i+2);           \
+  MUL_U32_S64_2(i+3)
+
+#define MUL_U32_S64_D_8(i)      \
+  MUL_U32_S64_2_D(i);           \
+  MUL_U32_S64_2_D(i+1);         \
+  MUL_U32_S64_2_D(i+2);         \
+  MUL_U32_S64_2_D(i+3)
+
+/***************************************************************/
+
+#define ADD_S64_U32_8(i)        \
+  ADD_S64_U32(i);               \
+  ADD_S64_U32(i+1);             \
+  ADD_S64_U32(i+2);             \
+  ADD_S64_U32(i+3);             \
+  ADD_S64_U32(i+4);             \
+  ADD_S64_U32(i+5);             \
+  ADD_S64_U32(i+6);             \
+  ADD_S64_U32(i+7)
+
+#define ADD_S64_U32_D_8(i)      \
+  ADD_S64_U32_D(i);             \
+  ADD_S64_U32_D(i+1);           \
+  ADD_S64_U32_D(i+2);           \
+  ADD_S64_U32_D(i+3);           \
+  ADD_S64_U32_D(i+4);           \
+  ADD_S64_U32_D(i+5);           \
+  ADD_S64_U32_D(i+6);           \
+  ADD_S64_U32_D(i+7)
+
+/***************************************************************/
+
+t_u32 mul_add(t_u32 *z, t_u32 *x, t_u32 *y, int n, t_u32 a)
+{
+  if (a < (1 << A_BITS)) {
+
+    if (n == 8) {
+      DEF_VARS(8);
+      t_s32 c = 0;
+
+      MUL_U32_S64_8(0);
+      ADD_S64_U32_8(0);
+
+      return c;
+
+    } else if (n == 16) {
+      DEF_VARS(16);
+      t_s32 c = 0;
+
+      MUL_U32_S64_8(0);
+      MUL_U32_S64_8(4);
+      ADD_S64_U32_8(0);
+      ADD_S64_U32_8(8);
+
+      return c;
+
+    } else {
+      DEF_VARS(BUFF_SIZE);
+      t_s32 i, c = 0;
+
+#pragma pipeloop(0)
+      for (i = 0; i < (n+1)/2; i ++) {
+        MUL_U32_S64_2(i);
+      }
+
+#pragma pipeloop(0)
+      for (i = 0; i < n; i ++) {
+        ADD_S64_U32(i);
+      }
+
+      return c;
+
+    }
+  } else {
+
+    if (n == 8) {
+      DEF_VARS(2*8);
+      t_d64 d0, d1, db;
+      t_u32 uc = 0;
+
+      da = (t_d64)(a &  A_MASK);
+      db = (t_d64)(a >> A_BITS);
+
+      MUL_U32_S64_D_8(0);
+      ADD_S64_U32_D_8(0);
+
+      return uc;
+
+    } else if (n == 16) {
+      DEF_VARS(2*16);
+      t_d64 d0, d1, db;
+      t_u32 uc = 0;
+
+      da = (t_d64)(a &  A_MASK);
+      db = (t_d64)(a >> A_BITS);
+
+      MUL_U32_S64_D_8(0);
+      MUL_U32_S64_D_8(4);
+      ADD_S64_U32_D_8(0);
+      ADD_S64_U32_D_8(8);
+
+      return uc;
+
+    } else {
+      DEF_VARS(2*BUFF_SIZE);
+      t_d64 d0, d1, db;
+      t_u32 i, uc = 0;
+
+      da = (t_d64)(a &  A_MASK);
+      db = (t_d64)(a >> A_BITS);
+
+#pragma pipeloop(0)
+      for (i = 0; i < (n+1)/2; i ++) {
+        MUL_U32_S64_2_D(i);
+      }
+
+#pragma pipeloop(0)
+      for (i = 0; i < n; i ++) {
+        ADD_S64_U32_D(i);
+      }
+
+      return uc;
+    }
+  }
+}
+
+/***************************************************************/
+
+t_u32 mul_add_inp(t_u32 *x, t_u32 *y, int n, t_u32 a)
+{
+  return mul_add(x, x, y, n, a);
+}
+
+/***************************************************************/
diff --git a/security/nss/lib/freebl/mpi/mpv_sparcv8.s b/security/nss/lib/freebl/mpi/mpv_sparcv8.s
new file mode 100644
index 000000000..81fdd1b93
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpv_sparcv8.s
@@ -0,0 +1,1641 @@
+!/*
+! * The contents of this file are subject to the Mozilla Public
+! * License Version 1.1 (the "License"); you may not use this file
+! * except in compliance with the License. You may obtain a copy of
+! * the License at http://www.mozilla.org/MPL/
+! * 
+! * Software distributed under the License is distributed on an "AS
+! * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+! * implied. See the License for the specific language governing
+! * rights and limitations under the License.
+! * 
+! * The Original Code is a SPARC/VIS optimized multiply and add function
+! *
+! * The Initial Developer of the Original Code is Sun Microsystems Inc.
+! * Portions created by Sun Microsystems Inc. are 
+! * Copyright (C) 1999-2000 Sun Microsystems Inc.  All Rights Reserved.
+! * 
+! * Contributor(s):
+! * 
+! * Alternatively, the contents of this file may be used under the
+! * terms of the GNU General Public License Version 2 or later (the
+! * "GPL"), in which case the provisions of the GPL are applicable 
+! * instead of those above.   If you wish to allow use of your 
+! * version of this file only under the terms of the GPL and not to
+! * allow others to use your version of this file under the MPL,
+! * indicate your decision by deleting the provisions above and
+! * replace them with the notice and other provisions required by
+! * the GPL.  If you do not delete the provisions above, a recipient
+! * may use your version of this file under either the MPL or the
+! * GPL.
+! *  $Id$
+! */
+
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   3 ( 0  0) */		.file	"mpv_sparc.c"
+/* 000000	  14 ( 0  0) */		.align	8
+!
+! SUBROUTINE .L_const_seg_900000106
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
+
+                                   .L_const_seg_900000106:		/* frequency 1.0 confidence 0.0 */
+/* 000000	  19 ( 0  0) */		.word	1127219200,0
+/* 0x0008	  20 ( 0  0) */		.word	1105199103,-4194304
+/* 0x0010	  21 ( 0  0) */		.align	16
+/* 0x0010	  27 ( 0  0) */		.global	mul_add
+
+!
+! ENTRY mul_add
+!
+
+                                   	.global mul_add
+                                   mul_add:		/* frequency 1.0 confidence 0.0 */
+/* 0x0010	  29 ( 0  1) */		sethi	%hi(0x1800),%g1
+/* 0x0014	  30 ( 0  1) */		sethi	%hi(mask_cnst),%g2
+/* 0x0018	  31 ( 1  2) */		xor	%g1,-984,%g1
+/* 0x001c	  32 ( 1  2) */		add	%g2,%lo(mask_cnst),%g2
+/* 0x0020	  33 ( 2  4) */		save	%sp,%g1,%sp
+
+!
+! ENTRY .L900000154
+!
+
+                                   .L900000154:		/* frequency 1.0 confidence 0.0 */
+/* 0x0024	  35 ( 0  2) */		call	(.+0x8)	! params = 	! Result = 
+/* 0x0028	     ( 1  2) */		sethi	%hi((_GLOBAL_OFFSET_TABLE_-(.L900000154-.))),%g5
+/* 0x002c	 177 ( 2  3) */		sethi	%hi(.L_const_seg_900000106),%g3
+/* 0x0030	 178 ( 2  3) */		add	%g5,%lo((_GLOBAL_OFFSET_TABLE_-(.L900000154-.))),%g5
+/* 0x0034	 179 ( 3  4) */		or	%g0,%i4,%o1
+/* 0x0038	 180 ( 3  4) */		st	%o1,[%fp+84]
+/* 0x003c	 181 ( 3  4) */		add	%g5,%o7,%o3
+/* 0x0040	 182 ( 4  5) */		add	%g3,%lo(.L_const_seg_900000106),%g3
+/* 0x0044	 183 ( 4  6) */		ld	[%o3+%g2],%g2
+/* 0x0048	 184 ( 4  5) */		or	%g0,%i3,%o2
+/* 0x004c	 185 ( 5  6) */		sethi	%hi(0x80000),%g4
+/* 0x0050	 186 ( 5  7) */		ld	[%o3+%g3],%o0
+/* 0x0054	 187 ( 5  6) */		or	%g0,%i2,%g5
+/* 0x0058	 188 ( 6  7) */		or	%g0,%o2,%o3
+/* 0x005c	 189 ( 6 10) */		ldd	[%g2],%f0
+/* 0x0060	 190 ( 6  7) */		subcc	%o1,%g4,%g0
+/* 0x0064	 191 ( 6  7) */		bcc,pn	%icc,.L77000048	! tprob=0.50
+/* 0x0068	     ( 7  8) */		subcc	%o2,8,%g0
+/* 0x006c	 193 ( 7  8) */		bne,pn	%icc,.L77000037	! tprob=0.50
+/* 0x0070	     ( 8 12) */		ldd	[%o0],%f8
+/* 0x0074	 195 ( 9 13) */		ldd	[%g5],%f4
+/* 0x0078	 196 (10 14) */		ldd	[%g5+8],%f6
+/* 0x007c	 197 (11 15) */		ldd	[%g5+16],%f10
+/* 0x0080	 198 (11 14) */		fmovs	%f8,%f12
+/* 0x0084	 199 (12 16) */		fxnor	%f0,%f4,%f4
+/* 0x0088	 200 (12 14) */		ld	[%fp+84],%f13
+/* 0x008c	 201 (13 17) */		ldd	[%o0+8],%f14
+/* 0x0090	 202 (13 17) */		fxnor	%f0,%f6,%f6
+/* 0x0094	 203 (14 18) */		ldd	[%g5+24],%f16
+/* 0x0098	 204 (14 18) */		fxnor	%f0,%f10,%f10
+/* 0x009c	 208 (15 17) */		ld	[%i1],%g2
+/* 0x00a0	 209 (15 20) */		fsubd	%f12,%f8,%f8
+/* 0x00a4	 210 (16 21) */		fitod	%f4,%f18
+/* 0x00a8	 211 (16 18) */		ld	[%i1+4],%g3
+/* 0x00ac	 212 (17 22) */		fitod	%f5,%f4
+/* 0x00b0	 213 (17 19) */		ld	[%i1+8],%g4
+/* 0x00b4	 214 (18 23) */		fitod	%f6,%f20
+/* 0x00b8	 215 (18 20) */		ld	[%i1+12],%g5
+/* 0x00bc	 216 (19 21) */		ld	[%i1+16],%o0
+/* 0x00c0	 217 (19 24) */		fitod	%f7,%f6
+/* 0x00c4	 218 (20 22) */		ld	[%i1+20],%o1
+/* 0x00c8	 219 (20 24) */		fxnor	%f0,%f16,%f16
+/* 0x00cc	 220 (21 26) */		fsubd	%f14,%f18,%f12
+/* 0x00d0	 221 (21 23) */		ld	[%i1+24],%o2
+/* 0x00d4	 222 (22 27) */		fsubd	%f14,%f4,%f4
+/* 0x00d8	 223 (22 24) */		ld	[%i1+28],%o3
+/* 0x00dc	 224 (23 28) */		fitod	%f10,%f18
+/* 0x00e0	 225 (24 29) */		fsubd	%f14,%f20,%f20
+/* 0x00e4	 226 (25 30) */		fitod	%f11,%f10
+/* 0x00e8	 227 (26 31) */		fsubd	%f14,%f6,%f6
+/* 0x00ec	 228 (26 31) */		fmuld	%f12,%f8,%f12
+/* 0x00f0	 229 (27 32) */		fitod	%f16,%f22
+/* 0x00f4	 230 (27 32) */		fmuld	%f4,%f8,%f4
+/* 0x00f8	 231 (28 33) */		fsubd	%f14,%f18,%f18
+/* 0x00fc	 232 (29 34) */		fitod	%f17,%f16
+/* 0x0100	 233 (29 34) */		fmuld	%f20,%f8,%f20
+/* 0x0104	 234 (30 35) */		fsubd	%f14,%f10,%f10
+/* 0x0108	 235 (31 36) */		fdtox	%f12,%f12
+/* 0x010c	 236 (31 32) */		std	%f12,[%sp+152]
+/* 0x0110	 237 (31 36) */		fmuld	%f6,%f8,%f6
+/* 0x0114	 238 (32 37) */		fdtox	%f4,%f4
+/* 0x0118	 239 (32 33) */		std	%f4,[%sp+144]
+/* 0x011c	 240 (33 38) */		fsubd	%f14,%f22,%f4
+/* 0x0120	 241 (33 38) */		fmuld	%f18,%f8,%f12
+/* 0x0124	 242 (34 39) */		fdtox	%f20,%f18
+/* 0x0128	 243 (34 35) */		std	%f18,[%sp+136]
+/* 0x012c	 244 (35 37) */		ldx	[%sp+152],%o4
+/* 0x0130	 245 (35 40) */		fsubd	%f14,%f16,%f14
+/* 0x0134	 246 (35 40) */		fmuld	%f10,%f8,%f10
+/* 0x0138	 247 (36 41) */		fdtox	%f6,%f6
+/* 0x013c	 248 (36 37) */		std	%f6,[%sp+128]
+/* 0x0140	 249 (37 39) */		ldx	[%sp+144],%o5
+/* 0x0144	 250 (37 38) */		add	%o4,%g2,%o4
+/* 0x0148	 251 (38 39) */		st	%o4,[%i0]
+/* 0x014c	 252 (38 39) */		srax	%o4,32,%g2
+/* 0x0150	 253 (38 43) */		fdtox	%f12,%f6
+/* 0x0154	 254 (38 43) */		fmuld	%f4,%f8,%f4
+/* 0x0158	 255 (39 40) */		std	%f6,[%sp+120]
+/* 0x015c	 256 (39 40) */		add	%o5,%g3,%g3
+/* 0x0160	 257 (40 42) */		ldx	[%sp+136],%o7
+/* 0x0164	 258 (40 41) */		add	%g3,%g2,%g2
+/* 0x0168	 259 (40 45) */		fmuld	%f14,%f8,%f6
+/* 0x016c	 260 (40 45) */		fdtox	%f10,%f8
+/* 0x0170	 261 (41 42) */		std	%f8,[%sp+112]
+/* 0x0174	 262 (41 42) */		srax	%g2,32,%o5
+/* 0x0178	 263 (42 44) */		ldx	[%sp+128],%g3
+/* 0x017c	 264 (42 43) */		add	%o7,%g4,%g4
+/* 0x0180	 265 (43 44) */		st	%g2,[%i0+4]
+/* 0x0184	 266 (43 44) */		add	%g4,%o5,%g4
+/* 0x0188	 267 (43 48) */		fdtox	%f4,%f4
+/* 0x018c	 268 (44 46) */		ldx	[%sp+120],%o5
+/* 0x0190	 269 (44 45) */		add	%g3,%g5,%g3
+/* 0x0194	 270 (44 45) */		srax	%g4,32,%g5
+/* 0x0198	 271 (45 46) */		std	%f4,[%sp+104]
+/* 0x019c	 272 (45 46) */		add	%g3,%g5,%g3
+/* 0x01a0	 273 (45 50) */		fdtox	%f6,%f4
+/* 0x01a4	 274 (46 47) */		std	%f4,[%sp+96]
+/* 0x01a8	 275 (46 47) */		add	%o5,%o0,%o0
+/* 0x01ac	 276 (46 47) */		srax	%g3,32,%o5
+/* 0x01b0	 277 (47 49) */		ldx	[%sp+112],%g5
+/* 0x01b4	 278 (47 48) */		add	%o0,%o5,%o0
+/* 0x01b8	 279 (48 49) */		st	%g4,[%i0+8]
+/* 0x01bc	 280 (49 51) */		ldx	[%sp+104],%o5
+/* 0x01c0	 281 (49 50) */		add	%g5,%o1,%o1
+/* 0x01c4	 282 (49 50) */		srax	%o0,32,%g5
+/* 0x01c8	 283 (50 51) */		st	%o0,[%i0+16]
+/* 0x01cc	 284 (50 51) */		add	%o1,%g5,%o1
+/* 0x01d0	 285 (51 53) */		ldx	[%sp+96],%g5
+/* 0x01d4	 286 (51 52) */		add	%o5,%o2,%o2
+/* 0x01d8	 287 (51 52) */		srax	%o1,32,%o5
+/* 0x01dc	 288 (52 53) */		st	%o1,[%i0+20]
+/* 0x01e0	 289 (52 53) */		add	%o2,%o5,%o2
+/* 0x01e4	 290 (53 54) */		st	%o2,[%i0+24]
+/* 0x01e8	 291 (53 54) */		srax	%o2,32,%g4
+/* 0x01ec	 292 (53 54) */		add	%g5,%o3,%g2
+/* 0x01f0	 293 (54 55) */		st	%g3,[%i0+12]
+/* 0x01f4	 294 (54 55) */		add	%g2,%g4,%g2
+/* 0x01f8	 295 (55 56) */		st	%g2,[%i0+28]
+/* 0x01fc	 299 (55 56) */		srax	%g2,32,%o7
+/* 0x0200	 300 (56 57) */		or	%g0,%o7,%i0
+/* 0x0204	     (57 64) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x0208	     (59 61) */		restore	%g0,%g0,%g0
+
+!
+! ENTRY .L77000037
+!
+
+                                   .L77000037:		/* frequency 1.0 confidence 0.0 */
+/* 0x020c	 307 ( 0  1) */		subcc	%o2,16,%g0
+/* 0x0210	 308 ( 0  1) */		bne,pn	%icc,.L77000076	! tprob=0.50
+/* 0x0214	     ( 1  5) */		ldd	[%o0],%f8
+/* 0x0218	 310 ( 2  6) */		ldd	[%g5],%f4
+/* 0x021c	 311 ( 3  7) */		ldd	[%g5+8],%f6
+/* 0x0220	 317 ( 4  8) */		ldd	[%o0+8],%f14
+/* 0x0224	 318 ( 4  7) */		fmovs	%f8,%f12
+/* 0x0228	 319 ( 5  7) */		ld	[%fp+84],%f13
+/* 0x022c	 320 ( 5  9) */		fxnor	%f0,%f4,%f4
+/* 0x0230	 321 ( 6 10) */		ldd	[%g5+16],%f10
+/* 0x0234	 322 ( 6 10) */		fxnor	%f0,%f6,%f6
+/* 0x0238	 323 ( 7 11) */		ldd	[%g5+24],%f16
+/* 0x023c	 324 ( 8 12) */		ldd	[%g5+32],%f20
+/* 0x0240	 325 ( 8 13) */		fsubd	%f12,%f8,%f8
+/* 0x0244	 331 ( 9 11) */		ld	[%i1+40],%o7
+/* 0x0248	 332 ( 9 14) */		fitod	%f4,%f18
+/* 0x024c	 333 (10 14) */		ldd	[%g5+40],%f22
+/* 0x0250	 334 (10 15) */		fitod	%f5,%f4
+/* 0x0254	 335 (11 12) */		stx	%o7,[%sp+96]
+/* 0x0258	 336 (11 16) */		fitod	%f6,%f24
+/* 0x025c	 337 (12 14) */		ld	[%i1+44],%o7
+/* 0x0260	 338 (12 16) */		fxnor	%f0,%f10,%f10
+/* 0x0264	 339 (13 17) */		ldd	[%g5+48],%f26
+/* 0x0268	 340 (13 18) */		fitod	%f7,%f6
+/* 0x026c	 341 (14 15) */		stx	%o7,[%sp+104]
+/* 0x0270	 342 (14 19) */		fsubd	%f14,%f18,%f18
+/* 0x0274	 343 (15 17) */		ld	[%i1+48],%o7
+/* 0x0278	 344 (15 20) */		fsubd	%f14,%f4,%f4
+/* 0x027c	 345 (16 18) */		ld	[%i1+36],%o5
+/* 0x0280	 346 (16 21) */		fitod	%f10,%f28
+/* 0x0284	 347 (17 18) */		stx	%o7,[%sp+112]
+/* 0x0288	 348 (17 21) */		fxnor	%f0,%f16,%f16
+/* 0x028c	 349 (18 20) */		ld	[%i1],%g2
+/* 0x0290	 350 (18 23) */		fsubd	%f14,%f24,%f24
+/* 0x0294	 351 (19 20) */		stx	%o5,[%sp+120]
+/* 0x0298	 352 (19 24) */		fitod	%f11,%f10
+/* 0x029c	 353 (19 24) */		fmuld	%f18,%f8,%f18
+/* 0x02a0	 354 (20 22) */		ld	[%i1+52],%o5
+/* 0x02a4	 355 (20 25) */		fsubd	%f14,%f6,%f6
+/* 0x02a8	 356 (20 25) */		fmuld	%f4,%f8,%f4
+/* 0x02ac	 357 (21 26) */		fitod	%f16,%f30
+/* 0x02b0	 358 (22 26) */		fxnor	%f0,%f20,%f20
+/* 0x02b4	 359 (22 24) */		ld	[%i1+4],%g3
+/* 0x02b8	 360 (23 27) */		ldd	[%g5+56],%f2
+/* 0x02bc	 361 (23 28) */		fsubd	%f14,%f28,%f28
+/* 0x02c0	 362 (23 28) */		fmuld	%f24,%f8,%f24
+/* 0x02c4	 363 (24 25) */		stx	%o5,[%sp+128]
+/* 0x02c8	 364 (24 29) */		fdtox	%f18,%f18
+/* 0x02cc	 365 (25 26) */		std	%f18,[%sp+272]
+/* 0x02d0	 366 (25 30) */		fitod	%f17,%f16
+/* 0x02d4	 367 (25 30) */		fmuld	%f6,%f8,%f6
+/* 0x02d8	 368 (26 31) */		fsubd	%f14,%f10,%f10
+/* 0x02dc	 369 (27 32) */		fitod	%f20,%f18
+/* 0x02e0	 370 (28 33) */		fdtox	%f4,%f4
+/* 0x02e4	 371 (28 29) */		std	%f4,[%sp+264]
+/* 0x02e8	 372 (28 33) */		fmuld	%f28,%f8,%f28
+/* 0x02ec	 373 (29 31) */		ld	[%i1+8],%g4
+/* 0x02f0	 374 (29 34) */		fsubd	%f14,%f30,%f4
+/* 0x02f4	 375 (30 34) */		fxnor	%f0,%f22,%f22
+/* 0x02f8	 376 (30 32) */		ld	[%i1+12],%g5
+/* 0x02fc	 377 (31 33) */		ld	[%i1+16],%o0
+/* 0x0300	 378 (31 36) */		fitod	%f21,%f20
+/* 0x0304	 379 (31 36) */		fmuld	%f10,%f8,%f10
+/* 0x0308	 380 (32 34) */		ld	[%i1+20],%o1
+/* 0x030c	 381 (32 37) */		fdtox	%f24,%f24
+/* 0x0310	 382 (33 34) */		std	%f24,[%sp+256]
+/* 0x0314	 383 (33 38) */		fsubd	%f14,%f16,%f16
+/* 0x0318	 384 (34 36) */		ldx	[%sp+272],%o7
+/* 0x031c	 385 (34 39) */		fdtox	%f6,%f6
+/* 0x0320	 386 (34 39) */		fmuld	%f4,%f8,%f4
+/* 0x0324	 387 (35 36) */		std	%f6,[%sp+248]
+/* 0x0328	 388 (35 40) */		fitod	%f22,%f24
+/* 0x032c	 389 (36 38) */		ld	[%i1+32],%o4
+/* 0x0330	 390 (36 41) */		fsubd	%f14,%f18,%f6
+/* 0x0334	 391 (36 37) */		add	%o7,%g2,%g2
+/* 0x0338	 392 (37 39) */		ldx	[%sp+264],%o7
+/* 0x033c	 393 (37 41) */		fxnor	%f0,%f26,%f26
+/* 0x0340	 394 (37 38) */		srax	%g2,32,%o5
+/* 0x0344	 395 (38 39) */		st	%g2,[%i0]
+/* 0x0348	 396 (38 43) */		fitod	%f23,%f18
+/* 0x034c	 397 (38 43) */		fmuld	%f16,%f8,%f16
+/* 0x0350	 398 (39 41) */		ldx	[%sp+248],%g2
+/* 0x0354	 399 (39 44) */		fdtox	%f28,%f22
+/* 0x0358	 400 (39 40) */		add	%o7,%g3,%g3
+/* 0x035c	 401 (40 42) */		ldx	[%sp+256],%o7
+/* 0x0360	 402 (40 45) */		fsubd	%f14,%f20,%f20
+/* 0x0364	 403 (40 41) */		add	%g3,%o5,%g3
+/* 0x0368	 404 (41 42) */		std	%f22,[%sp+240]
+/* 0x036c	 405 (41 46) */		fitod	%f26,%f22
+/* 0x0370	 406 (41 42) */		srax	%g3,32,%o5
+/* 0x0374	 407 (41 42) */		add	%g2,%g5,%g2
+/* 0x0378	 408 (42 43) */		st	%g3,[%i0+4]
+/* 0x037c	 409 (42 47) */		fdtox	%f10,%f10
+/* 0x0380	 410 (42 43) */		add	%o7,%g4,%g4
+/* 0x0384	 411 (42 47) */		fmuld	%f6,%f8,%f6
+/* 0x0388	 412 (43 44) */		std	%f10,[%sp+232]
+/* 0x038c	 413 (43 47) */		fxnor	%f0,%f2,%f12
+/* 0x0390	 414 (43 44) */		add	%g4,%o5,%g4
+/* 0x0394	 415 (44 45) */		st	%g4,[%i0+8]
+/* 0x0398	 416 (44 45) */		srax	%g4,32,%o5
+/* 0x039c	 417 (44 49) */		fsubd	%f14,%f24,%f10
+/* 0x03a0	 418 (45 47) */		ldx	[%sp+240],%o7
+/* 0x03a4	 419 (45 50) */		fdtox	%f4,%f4
+/* 0x03a8	 420 (45 46) */		add	%g2,%o5,%g2
+/* 0x03ac	 421 (45 50) */		fmuld	%f20,%f8,%f20
+/* 0x03b0	 422 (46 47) */		std	%f4,[%sp+224]
+/* 0x03b4	 423 (46 47) */		srax	%g2,32,%g5
+/* 0x03b8	 424 (46 51) */		fsubd	%f14,%f18,%f4
+/* 0x03bc	 425 (47 48) */		st	%g2,[%i0+12]
+/* 0x03c0	 426 (47 52) */		fitod	%f27,%f24
+/* 0x03c4	 427 (47 48) */		add	%o7,%o0,%g3
+/* 0x03c8	 428 (48 50) */		ldx	[%sp+232],%o5
+/* 0x03cc	 429 (48 53) */		fdtox	%f16,%f16
+/* 0x03d0	 430 (48 49) */		add	%g3,%g5,%g2
+/* 0x03d4	 431 (49 50) */		std	%f16,[%sp+216]
+/* 0x03d8	 432 (49 50) */		srax	%g2,32,%g4
+/* 0x03dc	 433 (49 54) */		fitod	%f12,%f18
+/* 0x03e0	 434 (49 54) */		fmuld	%f10,%f8,%f10
+/* 0x03e4	 435 (50 51) */		st	%g2,[%i0+16]
+/* 0x03e8	 436 (50 55) */		fsubd	%f14,%f22,%f16
+/* 0x03ec	 437 (50 51) */		add	%o5,%o1,%g2
+/* 0x03f0	 438 (51 53) */		ld	[%i1+24],%o2
+/* 0x03f4	 439 (51 56) */		fitod	%f13,%f12
+/* 0x03f8	 440 (51 52) */		add	%g2,%g4,%g2
+/* 0x03fc	 441 (51 56) */		fmuld	%f4,%f8,%f22
+/* 0x0400	 442 (52 54) */		ldx	[%sp+224],%g3
+/* 0x0404	 443 (52 53) */		srax	%g2,32,%g4
+/* 0x0408	 444 (52 57) */		fdtox	%f6,%f6
+/* 0x040c	 445 (53 54) */		std	%f6,[%sp+208]
+/* 0x0410	 446 (53 58) */		fdtox	%f20,%f6
+/* 0x0414	 447 (54 55) */		stx	%o4,[%sp+136]
+/* 0x0418	 448 (54 59) */		fsubd	%f14,%f24,%f4
+/* 0x041c	 449 (55 56) */		std	%f6,[%sp+200]
+/* 0x0420	 450 (55 60) */		fsubd	%f14,%f18,%f6
+/* 0x0424	 451 (55 60) */		fmuld	%f16,%f8,%f16
+/* 0x0428	 452 (56 57) */		st	%g2,[%i0+20]
+/* 0x042c	 453 (56 57) */		add	%g3,%o2,%g2
+/* 0x0430	 454 (56 61) */		fdtox	%f10,%f10
+/* 0x0434	 455 (57 59) */		ld	[%i1+28],%o3
+/* 0x0438	 456 (57 58) */		add	%g2,%g4,%g2
+/* 0x043c	 457 (58 60) */		ldx	[%sp+216],%g5
+/* 0x0440	 458 (58 59) */		srax	%g2,32,%g4
+/* 0x0444	 459 (59 60) */		std	%f10,[%sp+192]
+/* 0x0448	 460 (59 64) */		fsubd	%f14,%f12,%f10
+/* 0x044c	 461 (59 64) */		fmuld	%f4,%f8,%f4
+/* 0x0450	 462 (60 61) */		st	%g2,[%i0+24]
+/* 0x0454	 463 (60 61) */		add	%g5,%o3,%g2
+/* 0x0458	 464 (60 65) */		fdtox	%f22,%f12
+/* 0x045c	 465 (60 65) */		fmuld	%f6,%f8,%f6
+/* 0x0460	 466 (61 63) */		ldx	[%sp+136],%o0
+/* 0x0464	 467 (61 62) */		add	%g2,%g4,%g2
+/* 0x0468	 468 (62 64) */		ldx	[%sp+208],%g3
+/* 0x046c	 469 (62 63) */		srax	%g2,32,%g4
+/* 0x0470	 470 (63 65) */		ldx	[%sp+120],%o1
+/* 0x0474	 471 (64 66) */		ldx	[%sp+200],%g5
+/* 0x0478	 472 (64 65) */		add	%g3,%o0,%g3
+/* 0x047c	 473 (64 69) */		fdtox	%f4,%f4
+/* 0x0480	 474 (64 69) */		fmuld	%f10,%f8,%f8
+/* 0x0484	 475 (65 66) */		std	%f12,[%sp+184]
+/* 0x0488	 476 (65 66) */		add	%g3,%g4,%g3
+/* 0x048c	 477 (65 70) */		fdtox	%f16,%f12
+/* 0x0490	 478 (66 67) */		std	%f12,[%sp+176]
+/* 0x0494	 479 (66 67) */		srax	%g3,32,%o0
+/* 0x0498	 480 (66 67) */		add	%g5,%o1,%g5
+/* 0x049c	 481 (67 69) */		ldx	[%sp+192],%o2
+/* 0x04a0	 482 (67 68) */		add	%g5,%o0,%g5
+/* 0x04a4	 483 (68 70) */		ldx	[%sp+96],%g4
+/* 0x04a8	 484 (68 69) */		srax	%g5,32,%o1
+/* 0x04ac	 485 (69 71) */		ld	[%i1+56],%o4
+/* 0x04b0	 486 (70 72) */		ldx	[%sp+104],%o0
+/* 0x04b4	 487 (70 71) */		add	%o2,%g4,%g4
+/* 0x04b8	 488 (71 72) */		std	%f4,[%sp+168]
+/* 0x04bc	 489 (71 72) */		add	%g4,%o1,%g4
+/* 0x04c0	 490 (71 76) */		fdtox	%f6,%f4
+/* 0x04c4	 491 (72 74) */		ldx	[%sp+184],%o3
+/* 0x04c8	 492 (72 73) */		srax	%g4,32,%o2
+/* 0x04cc	 493 (73 75) */		ldx	[%sp+112],%o1
+/* 0x04d0	 494 (74 75) */		std	%f4,[%sp+160]
+/* 0x04d4	 495 (74 75) */		add	%o3,%o0,%o0
+/* 0x04d8	 496 (74 79) */		fdtox	%f8,%f4
+/* 0x04dc	 497 (75 77) */		ldx	[%sp+176],%o5
+/* 0x04e0	 498 (75 76) */		add	%o0,%o2,%o0
+/* 0x04e4	 499 (76 77) */		stx	%o4,[%sp+144]
+/* 0x04e8	 500 (77 78) */		st	%g2,[%i0+28]
+/* 0x04ec	 501 (77 78) */		add	%o5,%o1,%g2
+/* 0x04f0	 502 (77 78) */		srax	%o0,32,%o1
+/* 0x04f4	 503 (78 79) */		std	%f4,[%sp+152]
+/* 0x04f8	 504 (78 79) */		add	%g2,%o1,%o1
+/* 0x04fc	 505 (79 81) */		ldx	[%sp+168],%o7
+/* 0x0500	 506 (79 80) */		srax	%o1,32,%o3
+/* 0x0504	 507 (80 82) */		ldx	[%sp+128],%o2
+/* 0x0508	 508 (81 83) */		ld	[%i1+60],%o4
+/* 0x050c	 509 (82 83) */		add	%o7,%o2,%o2
+/* 0x0510	 510 (83 84) */		add	%o2,%o3,%o2
+/* 0x0514	 511 (83 85) */		ldx	[%sp+144],%o5
+/* 0x0518	 512 (84 86) */		ldx	[%sp+160],%g2
+/* 0x051c	 513 (85 87) */		ldx	[%sp+152],%o3
+/* 0x0520	 514 (86 87) */		st	%g3,[%i0+32]
+/* 0x0524	 515 (86 87) */		add	%g2,%o5,%g2
+/* 0x0528	 516 (86 87) */		srax	%o2,32,%o5
+/* 0x052c	 517 (87 88) */		st	%g5,[%i0+36]
+/* 0x0530	 518 (87 88) */		add	%g2,%o5,%g2
+/* 0x0534	 519 (87 88) */		add	%o3,%o4,%g3
+/* 0x0538	 520 (88 89) */		st	%o0,[%i0+44]
+/* 0x053c	 521 (88 89) */		srax	%g2,32,%g5
+/* 0x0540	 522 (89 90) */		st	%o1,[%i0+48]
+/* 0x0544	 523 (89 90) */		add	%g3,%g5,%g3
+/* 0x0548	 524 (90 91) */		st	%o2,[%i0+52]
+/* 0x054c	 528 (90 91) */		srax	%g3,32,%o7
+/* 0x0550	 529 (91 92) */		st	%g4,[%i0+40]
+/* 0x0554	 530 (92 93) */		st	%g2,[%i0+56]
+/* 0x0558	 531 (93 94) */		st	%g3,[%i0+60]
+/* 0x055c	 532 (93 94) */		or	%g0,%o7,%i0
+/* 0x0560	     (94 101) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x0564	     (96 98) */		restore	%g0,%g0,%g0
+
+!
+! ENTRY .L77000076
+!
+
+                                   .L77000076:		/* frequency 1.0 confidence 0.0 */
+/* 0x0568	 540 ( 0  4) */		ldd	[%o0],%f6
+/* 0x056c	 546 ( 0  1) */		add	%o2,1,%g2
+/* 0x0570	 547 ( 0  3) */		fmovd	%f0,%f14
+/* 0x0574	 548 ( 0  1) */		or	%g0,0,%o7
+/* 0x0578	 549 ( 1  3) */		ld	[%fp+84],%f9
+/* 0x057c	 550 ( 1  2) */		srl	%g2,31,%g3
+/* 0x0580	 551 ( 1  2) */		add	%fp,-2264,%o5
+/* 0x0584	 552 ( 2  3) */		add	%g2,%g3,%g2
+/* 0x0588	 553 ( 2  6) */		ldd	[%o0+8],%f18
+/* 0x058c	 554 ( 2  3) */		add	%fp,-2256,%o4
+/* 0x0590	 555 ( 3  6) */		fmovs	%f6,%f8
+/* 0x0594	 556 ( 3  4) */		sra	%g2,1,%o1
+/* 0x0598	 557 ( 3  4) */		or	%g0,0,%g2
+/* 0x059c	 558 ( 4  5) */		subcc	%o1,0,%g0
+/* 0x05a0	 559 ( 4  5) */		sub	%o1,1,%o2
+/* 0x05a4	 563 ( 5  6) */		add	%g5,32,%o0
+/* 0x05a8	 564 ( 6 11) */		fsubd	%f8,%f6,%f16
+/* 0x05ac	 565 ( 6  7) */		ble,pt	%icc,.L900000161	! tprob=0.50
+/* 0x05b0	     ( 6  7) */		subcc	%o3,0,%g0
+/* 0x05b4	 567 ( 7  8) */		subcc	%o1,7,%g0
+/* 0x05b8	 568 ( 7  8) */		bl,pn	%icc,.L77000077	! tprob=0.50
+/* 0x05bc	     ( 7  8) */		sub	%o1,2,%o1
+/* 0x05c0	 570 ( 8 12) */		ldd	[%g5],%f2
+/* 0x05c4	 571 ( 9 13) */		ldd	[%g5+8],%f4
+/* 0x05c8	 572 ( 9 10) */		or	%g0,5,%g2
+/* 0x05cc	 573 (10 14) */		ldd	[%g5+16],%f0
+/* 0x05d0	 574 (11 15) */		fxnor	%f14,%f2,%f2
+/* 0x05d4	 575 (11 15) */		ldd	[%g5+24],%f12
+/* 0x05d8	 576 (12 16) */		fxnor	%f14,%f4,%f6
+/* 0x05dc	 577 (12 16) */		ldd	[%g5+32],%f10
+/* 0x05e0	 578 (13 17) */		fxnor	%f14,%f0,%f8
+/* 0x05e4	 579 (15 20) */		fitod	%f3,%f0
+/* 0x05e8	 580 (16 21) */		fitod	%f2,%f4
+/* 0x05ec	 581 (17 22) */		fitod	%f7,%f2
+/* 0x05f0	 582 (18 23) */		fitod	%f6,%f6
+/* 0x05f4	 583 (20 25) */		fsubd	%f18,%f0,%f0
+/* 0x05f8	 584 (21 26) */		fsubd	%f18,%f4,%f4
+
+!
+! ENTRY .L900000149
+!
+
+                                   .L900000149:		/* frequency 1.0 confidence 0.0 */
+/* 0x05fc	 586 ( 0  4) */		fxnor	%f14,%f12,%f22
+/* 0x0600	 587 ( 0  5) */		fmuld	%f4,%f16,%f4
+/* 0x0604	 588 ( 0  1) */		add	%g2,2,%g2
+/* 0x0608	 589 ( 0  1) */		add	%o4,32,%o4
+/* 0x060c	 590 ( 1  6) */		fitod	%f9,%f24
+/* 0x0610	 591 ( 1  6) */		fmuld	%f0,%f16,%f20
+/* 0x0614	 592 ( 1  2) */		add	%o0,8,%o0
+/* 0x0618	 593 ( 1  2) */		subcc	%g2,%o1,%g0
+/* 0x061c	 594 ( 2  6) */		ldd	[%o0],%f12
+/* 0x0620	 595 ( 2  7) */		fsubd	%f18,%f2,%f0
+/* 0x0624	 596 ( 2  3) */		add	%o5,32,%o5
+/* 0x0628	 597 ( 3  8) */		fsubd	%f18,%f6,%f2
+/* 0x062c	 598 ( 5 10) */		fdtox	%f4,%f4
+/* 0x0630	 599 ( 6 11) */		fdtox	%f20,%f6
+/* 0x0634	 600 ( 6  7) */		std	%f4,[%o5-32]
+/* 0x0638	 601 ( 7 12) */		fitod	%f8,%f4
+/* 0x063c	 602 ( 7  8) */		std	%f6,[%o4-32]
+/* 0x0640	 603 ( 8 12) */		fxnor	%f14,%f10,%f8
+/* 0x0644	 604 ( 8 13) */		fmuld	%f2,%f16,%f6
+/* 0x0648	 605 ( 9 14) */		fitod	%f23,%f2
+/* 0x064c	 606 ( 9 14) */		fmuld	%f0,%f16,%f20
+/* 0x0650	 607 ( 9 10) */		add	%o0,8,%o0
+/* 0x0654	 608 (10 14) */		ldd	[%o0],%f10
+/* 0x0658	 609 (10 15) */		fsubd	%f18,%f24,%f0
+/* 0x065c	 610 (12 17) */		fsubd	%f18,%f4,%f4
+/* 0x0660	 611 (13 18) */		fdtox	%f6,%f6
+/* 0x0664	 612 (14 19) */		fdtox	%f20,%f20
+/* 0x0668	 613 (14 15) */		std	%f6,[%o5-16]
+/* 0x066c	 614 (15 20) */		fitod	%f22,%f6
+/* 0x0670	 615 (15 16) */		ble,pt	%icc,.L900000149	! tprob=0.50
+/* 0x0674	     (15 16) */		std	%f20,[%o4-16]
+
+!
+! ENTRY .L900000152
+!
+
+                                   .L900000152:		/* frequency 1.0 confidence 0.0 */
+/* 0x0678	 618 ( 0  4) */		fxnor	%f14,%f12,%f12
+/* 0x067c	 619 ( 0  5) */		fmuld	%f0,%f16,%f22
+/* 0x0680	 620 ( 0  1) */		add	%o5,80,%o5
+/* 0x0684	 621 ( 0  1) */		add	%o4,80,%o4
+/* 0x0688	 622 ( 1  5) */		fxnor	%f14,%f10,%f0
+/* 0x068c	 623 ( 1  6) */		fmuld	%f4,%f16,%f24
+/* 0x0690	 624 ( 1  2) */		subcc	%g2,%o2,%g0
+/* 0x0694	 625 ( 1  2) */		add	%o0,8,%g5
+/* 0x0698	 626 ( 2  7) */		fitod	%f8,%f20
+/* 0x069c	 627 ( 3  8) */		fitod	%f9,%f8
+/* 0x06a0	 628 ( 4  9) */		fsubd	%f18,%f6,%f6
+/* 0x06a4	 629 ( 5 10) */		fitod	%f12,%f26
+/* 0x06a8	 630 ( 6 11) */		fitod	%f13,%f4
+/* 0x06ac	 631 ( 7 12) */		fsubd	%f18,%f2,%f12
+/* 0x06b0	 632 ( 8 13) */		fitod	%f0,%f2
+/* 0x06b4	 633 ( 9 14) */		fitod	%f1,%f0
+/* 0x06b8	 634 (10 15) */		fsubd	%f18,%f20,%f10
+/* 0x06bc	 635 (10 15) */		fmuld	%f6,%f16,%f20
+/* 0x06c0	 636 (11 16) */		fsubd	%f18,%f8,%f8
+/* 0x06c4	 637 (12 17) */		fsubd	%f18,%f26,%f6
+/* 0x06c8	 638 (12 17) */		fmuld	%f12,%f16,%f12
+/* 0x06cc	 639 (13 18) */		fsubd	%f18,%f4,%f4
+/* 0x06d0	 640 (14 19) */		fsubd	%f18,%f2,%f2
+/* 0x06d4	 641 (15 20) */		fsubd	%f18,%f0,%f0
+/* 0x06d8	 642 (15 20) */		fmuld	%f10,%f16,%f10
+/* 0x06dc	 643 (16 21) */		fdtox	%f24,%f24
+/* 0x06e0	 644 (16 17) */		std	%f24,[%o5-80]
+/* 0x06e4	 645 (16 21) */		fmuld	%f8,%f16,%f8
+/* 0x06e8	 646 (17 22) */		fdtox	%f22,%f22
+/* 0x06ec	 647 (17 18) */		std	%f22,[%o4-80]
+/* 0x06f0	 648 (17 22) */		fmuld	%f6,%f16,%f6
+/* 0x06f4	 649 (18 23) */		fdtox	%f20,%f20
+/* 0x06f8	 650 (18 19) */		std	%f20,[%o5-64]
+/* 0x06fc	 651 (18 23) */		fmuld	%f4,%f16,%f4
+/* 0x0700	 652 (19 24) */		fdtox	%f12,%f12
+/* 0x0704	 653 (19 20) */		std	%f12,[%o4-64]
+/* 0x0708	 654 (19 24) */		fmuld	%f2,%f16,%f2
+/* 0x070c	 655 (20 25) */		fdtox	%f10,%f10
+/* 0x0710	 656 (20 21) */		std	%f10,[%o5-48]
+/* 0x0714	 657 (20 25) */		fmuld	%f0,%f16,%f0
+/* 0x0718	 658 (21 26) */		fdtox	%f8,%f8
+/* 0x071c	 659 (21 22) */		std	%f8,[%o4-48]
+/* 0x0720	 660 (22 27) */		fdtox	%f6,%f6
+/* 0x0724	 661 (22 23) */		std	%f6,[%o5-32]
+/* 0x0728	 662 (23 28) */		fdtox	%f4,%f4
+/* 0x072c	 663 (23 24) */		std	%f4,[%o4-32]
+/* 0x0730	 664 (24 29) */		fdtox	%f2,%f2
+/* 0x0734	 665 (24 25) */		std	%f2,[%o5-16]
+/* 0x0738	 666 (25 30) */		fdtox	%f0,%f0
+/* 0x073c	 667 (25 26) */		bg,pn	%icc,.L77000043	! tprob=0.50
+/* 0x0740	     (25 26) */		std	%f0,[%o4-16]
+
+!
+! ENTRY .L77000077
+!
+
+                                   .L77000077:		/* frequency 1.0 confidence 0.0 */
+/* 0x0744	 670 ( 0  4) */		ldd	[%g5],%f0
+
+!
+! ENTRY .L900000160
+!
+
+                                   .L900000160:		/* frequency 1.0 confidence 0.0 */
+/* 0x0748	 672 ( 0  4) */		fxnor	%f14,%f0,%f0
+/* 0x074c	 673 ( 0  1) */		add	%g2,1,%g2
+/* 0x0750	 674 ( 0  1) */		add	%g5,8,%g5
+/* 0x0754	 675 ( 1  2) */		subcc	%g2,%o2,%g0
+/* 0x0758	 676 ( 4  9) */		fitod	%f0,%f2
+/* 0x075c	 677 ( 5 10) */		fitod	%f1,%f0
+/* 0x0760	 678 ( 9 14) */		fsubd	%f18,%f2,%f2
+/* 0x0764	 679 (10 15) */		fsubd	%f18,%f0,%f0
+/* 0x0768	 680 (14 19) */		fmuld	%f2,%f16,%f2
+/* 0x076c	 681 (15 20) */		fmuld	%f0,%f16,%f0
+/* 0x0770	 682 (19 24) */		fdtox	%f2,%f2
+/* 0x0774	 683 (19 20) */		std	%f2,[%o5]
+/* 0x0778	 684 (19 20) */		add	%o5,16,%o5
+/* 0x077c	 685 (20 25) */		fdtox	%f0,%f0
+/* 0x0780	 686 (20 21) */		std	%f0,[%o4]
+/* 0x0784	 687 (20 21) */		add	%o4,16,%o4
+/* 0x0788	 688 (20 21) */		ble,a,pt	%icc,.L900000160	! tprob=0.50
+/* 0x078c	     (23 27) */		ldd	[%g5],%f0
+
+!
+! ENTRY .L77000043
+!
+
+                                   .L77000043:		/* frequency 1.0 confidence 0.0 */
+/* 0x0790	 696 ( 0  1) */		subcc	%o3,0,%g0
+
+!
+! ENTRY .L900000161
+!
+
+                                   .L900000161:		/* frequency 1.0 confidence 0.0 */
+/* 0x0794	 698 ( 0  1) */		ble,a,pt	%icc,.L900000159	! tprob=0.50
+/* 0x0798	     ( 0  1) */		or	%g0,%o7,%i0
+/* 0x079c	 703 ( 0  2) */		ldx	[%fp-2256],%o2
+/* 0x07a0	 704 ( 0  1) */		or	%g0,%i1,%g3
+/* 0x07a4	 705 ( 1  2) */		sub	%o3,1,%o5
+/* 0x07a8	 706 ( 1  2) */		or	%g0,0,%g4
+/* 0x07ac	 707 ( 2  3) */		add	%fp,-2264,%g5
+/* 0x07b0	 708 ( 2  3) */		or	%g0,%i0,%g2
+/* 0x07b4	 709 ( 3  4) */		subcc	%o3,6,%g0
+/* 0x07b8	 710 ( 3  4) */		sub	%o5,2,%o4
+/* 0x07bc	 711 ( 3  4) */		bl,pn	%icc,.L77000078	! tprob=0.50
+/* 0x07c0	     ( 3  5) */		ldx	[%fp-2264],%o0
+/* 0x07c4	 713 ( 4  6) */		ld	[%g3],%o1
+/* 0x07c8	 714 ( 4  5) */		add	%g2,4,%g2
+/* 0x07cc	 715 ( 4  5) */		or	%g0,3,%g4
+/* 0x07d0	 716 ( 5  7) */		ld	[%g3+4],%o3
+/* 0x07d4	 717 ( 5  6) */		add	%g3,8,%g3
+/* 0x07d8	 718 ( 5  6) */		add	%fp,-2240,%g5
+/* 0x07dc	 719 ( 6  7) */		add	%o0,%o1,%o0
+/* 0x07e0	 720 ( 6  8) */		ldx	[%fp-2248],%o1
+/* 0x07e4	 721 ( 7  8) */		st	%o0,[%g2-4]
+/* 0x07e8	 722 ( 7  8) */		srax	%o0,32,%o0
+
+!
+! ENTRY .L900000145
+!
+
+                                   .L900000145:		/* frequency 1.0 confidence 0.0 */
+/* 0x07ec	 724 ( 0  2) */		ld	[%g3],%o7
+/* 0x07f0	 725 ( 0  1) */		add	%o2,%o3,%o2
+/* 0x07f4	 726 ( 0  1) */		sra	%o0,0,%o3
+/* 0x07f8	 727 ( 1  3) */		ldx	[%g5],%o0
+/* 0x07fc	 728 ( 1  2) */		add	%o2,%o3,%o2
+/* 0x0800	 729 ( 1  2) */		add	%g4,3,%g4
+/* 0x0804	 730 ( 2  3) */		st	%o2,[%g2]
+/* 0x0808	 731 ( 2  3) */		srax	%o2,32,%o3
+/* 0x080c	 732 ( 2  3) */		subcc	%g4,%o4,%g0
+/* 0x0810	 733 ( 3  5) */		ld	[%g3+4],%o2
+/* 0x0814	 734 ( 4  5) */		stx	%o2,[%sp+96]
+/* 0x0818	 735 ( 4  5) */		add	%o1,%o7,%o1
+/* 0x081c	 736 ( 5  7) */		ldx	[%g5+8],%o2
+/* 0x0820	 737 ( 5  6) */		add	%o1,%o3,%o1
+/* 0x0824	 738 ( 5  6) */		add	%g2,12,%g2
+/* 0x0828	 739 ( 6  7) */		st	%o1,[%g2-8]
+/* 0x082c	 740 ( 6  7) */		srax	%o1,32,%o7
+/* 0x0830	 741 ( 6  7) */		add	%g3,12,%g3
+/* 0x0834	 742 ( 7  9) */		ld	[%g3-4],%o3
+/* 0x0838	 743 ( 8 10) */		ldx	[%sp+96],%o1
+/* 0x083c	 744 (10 11) */		add	%o0,%o1,%o0
+/* 0x0840	 745 (10 12) */		ldx	[%g5+16],%o1
+/* 0x0844	 746 (11 12) */		add	%o0,%o7,%o0
+/* 0x0848	 747 (11 12) */		add	%g5,24,%g5
+/* 0x084c	 748 (11 12) */		st	%o0,[%g2-4]
+/* 0x0850	 749 (11 12) */		ble,pt	%icc,.L900000145	! tprob=0.50
+/* 0x0854	     (12 13) */		srax	%o0,32,%o0
+
+!
+! ENTRY .L900000148
+!
+
+                                   .L900000148:		/* frequency 1.0 confidence 0.0 */
+/* 0x0858	 752 ( 0  1) */		add	%o2,%o3,%o2
+/* 0x085c	 753 ( 0  1) */		sra	%o0,0,%o3
+/* 0x0860	 754 ( 0  2) */		ld	[%g3],%o0
+/* 0x0864	 755 ( 1  2) */		add	%o2,%o3,%o3
+/* 0x0868	 756 ( 1  2) */		add	%g2,8,%g2
+/* 0x086c	 757 ( 2  3) */		srax	%o3,32,%o2
+/* 0x0870	 758 ( 2  3) */		st	%o3,[%g2-8]
+/* 0x0874	 759 ( 2  3) */		add	%o1,%o0,%o0
+/* 0x0878	 760 ( 3  4) */		add	%o0,%o2,%o0
+/* 0x087c	 761 ( 3  4) */		st	%o0,[%g2-4]
+/* 0x0880	 762 ( 3  4) */		subcc	%g4,%o5,%g0
+/* 0x0884	 763 ( 3  4) */		bg,pn	%icc,.L77000061	! tprob=0.50
+/* 0x0888	     ( 4  5) */		srax	%o0,32,%o7
+/* 0x088c	 765 ( 4  5) */		add	%g3,4,%g3
+
+!
+! ENTRY .L77000078
+!
+
+                                   .L77000078:		/* frequency 1.0 confidence 0.0 */
+/* 0x0890	 767 ( 0  2) */		ld	[%g3],%o2
+
+!
+! ENTRY .L900000158
+!
+
+                                   .L900000158:		/* frequency 1.0 confidence 0.0 */
+/* 0x0894	 769 ( 0  2) */		ldx	[%g5],%o0
+/* 0x0898	 770 ( 0  1) */		sra	%o7,0,%o1
+/* 0x089c	 771 ( 0  1) */		add	%g4,1,%g4
+/* 0x08a0	 772 ( 1  2) */		add	%g3,4,%g3
+/* 0x08a4	 773 ( 1  2) */		add	%g5,8,%g5
+/* 0x08a8	 774 ( 2  3) */		add	%o0,%o2,%o0
+/* 0x08ac	 775 ( 2  3) */		subcc	%g4,%o5,%g0
+/* 0x08b0	 776 ( 3  4) */		add	%o0,%o1,%o0
+/* 0x08b4	 777 ( 3  4) */		st	%o0,[%g2]
+/* 0x08b8	 778 ( 3  4) */		add	%g2,4,%g2
+/* 0x08bc	 779 ( 4  5) */		srax	%o0,32,%o7
+/* 0x08c0	 780 ( 4  5) */		ble,a,pt	%icc,.L900000158	! tprob=0.50
+/* 0x08c4	     ( 4  6) */		ld	[%g3],%o2
+
+!
+! ENTRY .L77000047
+!
+
+                                   .L77000047:		/* frequency 1.0 confidence 0.0 */
+/* 0x08c8	 783 ( 0  1) */		or	%g0,%o7,%i0
+/* 0x08cc	     ( 1  8) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x08d0	     ( 3  5) */		restore	%g0,%g0,%g0
+
+!
+! ENTRY .L77000048
+!
+
+                                   .L77000048:		/* frequency 1.0 confidence 0.0 */
+/* 0x08d4	 794 ( 0  1) */		bne,pn	%icc,.L77000050	! tprob=0.50
+/* 0x08d8	     ( 0  1) */		sethi	%hi(0xfff80000),%g2
+/* 0x08dc	 796 ( 0  4) */		ldd	[%g5],%f4
+/* 0x08e0	 804 ( 0  1) */		srl	%o1,19,%g3
+/* 0x08e4	 805 ( 1  2) */		st	%g3,[%sp+240]
+/* 0x08e8	 806 ( 1  2) */		andn	%o1,%g2,%g2
+/* 0x08ec	 807 ( 2  6) */		ldd	[%o0],%f8
+/* 0x08f0	 808 ( 3  4) */		st	%g2,[%sp+244]
+/* 0x08f4	 809 ( 3  7) */		fxnor	%f0,%f4,%f4
+/* 0x08f8	 810 ( 4  8) */		ldd	[%g5+8],%f6
+/* 0x08fc	 814 ( 5  9) */		ldd	[%o0+8],%f18
+/* 0x0900	 815 ( 5  8) */		fmovs	%f8,%f12
+/* 0x0904	 816 ( 6 10) */		ldd	[%g5+16],%f10
+/* 0x0908	 817 ( 6  9) */		fmovs	%f8,%f16
+/* 0x090c	 818 ( 7 11) */		ldd	[%g5+24],%f20
+/* 0x0910	 819 ( 7 12) */		fitod	%f4,%f14
+/* 0x0914	 823 ( 8 10) */		ld	[%i1],%g2
+/* 0x0918	 824 ( 8 13) */		fitod	%f5,%f4
+/* 0x091c	 825 ( 9 11) */		ld	[%sp+240],%f13
+/* 0x0920	 826 ( 9 13) */		fxnor	%f0,%f6,%f6
+/* 0x0924	 827 (10 12) */		ld	[%sp+244],%f17
+/* 0x0928	 828 (10 14) */		fxnor	%f0,%f10,%f10
+/* 0x092c	 829 (11 13) */		ld	[%i1+28],%o3
+/* 0x0930	 830 (11 15) */		fxnor	%f0,%f20,%f20
+/* 0x0934	 831 (12 14) */		ld	[%i1+4],%g3
+/* 0x0938	 832 (12 17) */		fsubd	%f12,%f8,%f12
+/* 0x093c	 833 (13 14) */		stx	%o3,[%sp+96]
+/* 0x0940	 834 (13 18) */		fsubd	%f18,%f14,%f14
+/* 0x0944	 835 (14 16) */		ld	[%i1+8],%g4
+/* 0x0948	 836 (14 19) */		fsubd	%f16,%f8,%f8
+/* 0x094c	 837 (15 17) */		ld	[%i1+12],%g5
+/* 0x0950	 838 (15 20) */		fsubd	%f18,%f4,%f4
+/* 0x0954	 839 (16 18) */		ld	[%i1+16],%o0
+/* 0x0958	 840 (16 21) */		fitod	%f6,%f22
+/* 0x095c	 841 (17 19) */		ld	[%i1+20],%o1
+/* 0x0960	 842 (17 22) */		fitod	%f7,%f6
+/* 0x0964	 843 (18 20) */		ld	[%i1+24],%o2
+/* 0x0968	 844 (18 23) */		fitod	%f10,%f16
+/* 0x096c	 845 (18 23) */		fmuld	%f14,%f12,%f24
+/* 0x0970	 846 (19 24) */		fitod	%f20,%f28
+/* 0x0974	 847 (19 24) */		fmuld	%f14,%f8,%f14
+/* 0x0978	 848 (20 25) */		fitod	%f11,%f10
+/* 0x097c	 849 (20 25) */		fmuld	%f4,%f12,%f26
+/* 0x0980	 850 (21 26) */		fsubd	%f18,%f22,%f22
+/* 0x0984	 851 (21 26) */		fmuld	%f4,%f8,%f4
+/* 0x0988	 852 (22 27) */		fsubd	%f18,%f6,%f6
+/* 0x098c	 853 (23 28) */		fdtox	%f24,%f24
+/* 0x0990	 854 (23 24) */		std	%f24,[%sp+224]
+/* 0x0994	 855 (24 29) */		fdtox	%f14,%f14
+/* 0x0998	 856 (24 25) */		std	%f14,[%sp+232]
+/* 0x099c	 857 (25 30) */		fdtox	%f26,%f14
+/* 0x09a0	 858 (25 26) */		std	%f14,[%sp+208]
+/* 0x09a4	 859 (26 28) */		ldx	[%sp+224],%o4
+/* 0x09a8	 860 (26 31) */		fitod	%f21,%f20
+/* 0x09ac	 861 (26 31) */		fmuld	%f22,%f12,%f30
+/* 0x09b0	 862 (27 29) */		ldx	[%sp+232],%o5
+/* 0x09b4	 863 (27 32) */		fsubd	%f18,%f16,%f16
+/* 0x09b8	 864 (27 32) */		fmuld	%f22,%f8,%f22
+/* 0x09bc	 865 (28 29) */		sllx	%o4,19,%o4
+/* 0x09c0	 866 (28 33) */		fdtox	%f4,%f4
+/* 0x09c4	 867 (28 29) */		std	%f4,[%sp+216]
+/* 0x09c8	 868 (28 33) */		fmuld	%f6,%f12,%f24
+/* 0x09cc	 869 (29 34) */		fsubd	%f18,%f28,%f26
+/* 0x09d0	 870 (29 30) */		add	%o5,%o4,%o4
+/* 0x09d4	 871 (29 34) */		fmuld	%f6,%f8,%f6
+/* 0x09d8	 872 (30 35) */		fsubd	%f18,%f10,%f10
+/* 0x09dc	 873 (30 31) */		add	%o4,%g2,%g2
+/* 0x09e0	 874 (30 31) */		st	%g2,[%i0]
+/* 0x09e4	 875 (31 33) */		ldx	[%sp+208],%o7
+/* 0x09e8	 876 (31 32) */		srlx	%g2,32,%o5
+/* 0x09ec	 877 (31 36) */		fsubd	%f18,%f20,%f18
+/* 0x09f0	 878 (32 37) */		fdtox	%f30,%f28
+/* 0x09f4	 879 (32 33) */		std	%f28,[%sp+192]
+/* 0x09f8	 880 (32 37) */		fmuld	%f16,%f12,%f14
+/* 0x09fc	 881 (33 34) */		sllx	%o7,19,%o4
+/* 0x0a00	 882 (33 35) */		ldx	[%sp+216],%o7
+/* 0x0a04	 883 (33 38) */		fdtox	%f22,%f20
+/* 0x0a08	 884 (33 38) */		fmuld	%f16,%f8,%f16
+/* 0x0a0c	 885 (34 35) */		std	%f20,[%sp+200]
+/* 0x0a10	 886 (34 39) */		fdtox	%f24,%f20
+/* 0x0a14	 887 (34 39) */		fmuld	%f26,%f12,%f22
+/* 0x0a18	 888 (35 36) */		std	%f20,[%sp+176]
+/* 0x0a1c	 889 (35 36) */		add	%o7,%o4,%o4
+/* 0x0a20	 890 (35 40) */		fdtox	%f6,%f6
+/* 0x0a24	 891 (35 40) */		fmuld	%f10,%f12,%f4
+/* 0x0a28	 892 (36 38) */		ldx	[%sp+192],%o3
+/* 0x0a2c	 893 (36 37) */		add	%o4,%g3,%g3
+/* 0x0a30	 894 (36 41) */		fmuld	%f10,%f8,%f10
+/* 0x0a34	 895 (37 38) */		std	%f6,[%sp+184]
+/* 0x0a38	 896 (37 38) */		add	%g3,%o5,%g3
+/* 0x0a3c	 897 (37 42) */		fdtox	%f14,%f6
+/* 0x0a40	 898 (37 42) */		fmuld	%f26,%f8,%f20
+/* 0x0a44	 899 (38 40) */		ldx	[%sp+200],%o4
+/* 0x0a48	 900 (38 39) */		sllx	%o3,19,%o3
+/* 0x0a4c	 901 (38 39) */		srlx	%g3,32,%o5
+/* 0x0a50	 902 (38 43) */		fdtox	%f16,%f14
+/* 0x0a54	 903 (39 40) */		std	%f6,[%sp+160]
+/* 0x0a58	 904 (39 44) */		fmuld	%f18,%f12,%f12
+/* 0x0a5c	 905 (40 42) */		ldx	[%sp+176],%o7
+/* 0x0a60	 906 (40 41) */		add	%o4,%o3,%o3
+/* 0x0a64	 907 (40 45) */		fdtox	%f4,%f16
+/* 0x0a68	 908 (40 45) */		fmuld	%f18,%f8,%f18
+/* 0x0a6c	 909 (41 42) */		std	%f14,[%sp+168]
+/* 0x0a70	 910 (41 42) */		add	%o3,%g4,%g4
+/* 0x0a74	 911 (41 46) */		fdtox	%f10,%f4
+/* 0x0a78	 912 (42 44) */		ldx	[%sp+184],%o3
+/* 0x0a7c	 913 (42 43) */		sllx	%o7,19,%o4
+/* 0x0a80	 914 (42 43) */		add	%g4,%o5,%g4
+/* 0x0a84	 915 (42 47) */		fdtox	%f22,%f14
+/* 0x0a88	 916 (43 44) */		std	%f16,[%sp+144]
+/* 0x0a8c	 917 (43 44) */		srlx	%g4,32,%o5
+/* 0x0a90	 918 (43 48) */		fdtox	%f20,%f6
+/* 0x0a94	 919 (44 46) */		ldx	[%sp+160],%o7
+/* 0x0a98	 920 (44 45) */		add	%o3,%o4,%o3
+/* 0x0a9c	 921 (44 49) */		fdtox	%f12,%f16
+/* 0x0aa0	 922 (45 46) */		std	%f4,[%sp+152]
+/* 0x0aa4	 923 (45 46) */		add	%o3,%g5,%g5
+/* 0x0aa8	 924 (45 50) */		fdtox	%f18,%f8
+/* 0x0aac	 925 (46 48) */		ldx	[%sp+168],%o3
+/* 0x0ab0	 926 (46 47) */		sllx	%o7,19,%o4
+/* 0x0ab4	 927 (46 47) */		add	%g5,%o5,%g5
+/* 0x0ab8	 928 (47 48) */		std	%f14,[%sp+128]
+/* 0x0abc	 929 (47 48) */		srlx	%g5,32,%o5
+/* 0x0ac0	 930 (48 49) */		std	%f6,[%sp+136]
+/* 0x0ac4	 931 (48 49) */		add	%o3,%o4,%o3
+/* 0x0ac8	 932 (49 50) */		std	%f16,[%sp+112]
+/* 0x0acc	 933 (49 50) */		add	%o3,%o0,%o0
+/* 0x0ad0	 934 (50 52) */		ldx	[%sp+144],%o7
+/* 0x0ad4	 935 (50 51) */		add	%o0,%o5,%o0
+/* 0x0ad8	 936 (51 53) */		ldx	[%sp+152],%o3
+/* 0x0adc	 937 (52 53) */		std	%f8,[%sp+120]
+/* 0x0ae0	 938 (52 53) */		sllx	%o7,19,%o4
+/* 0x0ae4	 939 (52 53) */		srlx	%o0,32,%o7
+/* 0x0ae8	 940 (53 54) */		stx	%o0,[%sp+104]
+/* 0x0aec	 941 (53 54) */		add	%o3,%o4,%o3
+/* 0x0af0	 942 (54 56) */		ldx	[%sp+128],%o5
+/* 0x0af4	 943 (54 55) */		add	%o3,%o1,%o1
+/* 0x0af8	 944 (55 57) */		ldx	[%sp+136],%o0
+/* 0x0afc	 945 (55 56) */		add	%o1,%o7,%o1
+/* 0x0b00	 946 (56 57) */		st	%g3,[%i0+4]
+/* 0x0b04	 947 (56 57) */		sllx	%o5,19,%o3
+/* 0x0b08	 948 (57 59) */		ldx	[%sp+112],%o4
+/* 0x0b0c	 949 (57 58) */		add	%o0,%o3,%o3
+/* 0x0b10	 950 (58 60) */		ldx	[%sp+120],%o0
+/* 0x0b14	 951 (58 59) */		add	%o3,%o2,%o2
+/* 0x0b18	 952 (58 59) */		srlx	%o1,32,%o3
+/* 0x0b1c	 953 (59 60) */		st	%o1,[%i0+20]
+/* 0x0b20	 954 (59 60) */		sllx	%o4,19,%g2
+/* 0x0b24	 955 (59 60) */		add	%o2,%o3,%o2
+/* 0x0b28	 956 (60 62) */		ldx	[%sp+96],%o4
+/* 0x0b2c	 957 (60 61) */		srlx	%o2,32,%g3
+/* 0x0b30	 958 (60 61) */		add	%o0,%g2,%g2
+/* 0x0b34	 959 (61 63) */		ldx	[%sp+104],%o0
+/* 0x0b38	 960 (62 63) */		st	%o2,[%i0+24]
+/* 0x0b3c	 961 (62 63) */		add	%g2,%o4,%g2
+/* 0x0b40	 962 (63 64) */		st	%o0,[%i0+16]
+/* 0x0b44	 963 (63 64) */		add	%g2,%g3,%g2
+/* 0x0b48	 964 (64 65) */		st	%g4,[%i0+8]
+/* 0x0b4c	 968 (64 65) */		srlx	%g2,32,%o7
+/* 0x0b50	 969 (65 66) */		st	%g5,[%i0+12]
+/* 0x0b54	 970 (66 67) */		st	%g2,[%i0+28]
+/* 0x0b58	 971 (66 67) */		or	%g0,%o7,%i0
+/* 0x0b5c	     (67 74) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x0b60	     (69 71) */		restore	%g0,%g0,%g0
+
+!
+! ENTRY .L77000050
+!
+
+                                   .L77000050:		/* frequency 1.0 confidence 0.0 */
+/* 0x0b64	 978 ( 0  1) */		subcc	%o2,16,%g0
+/* 0x0b68	 979 ( 0  1) */		bne,pn	%icc,.L77000073	! tprob=0.50
+/* 0x0b6c	     ( 0  1) */		sethi	%hi(0xfff80000),%g2
+/* 0x0b70	 981 ( 1  5) */		ldd	[%g5],%f4
+/* 0x0b74	 982 ( 2  6) */		ldd	[%g5+8],%f6
+/* 0x0b78	 989 ( 2  3) */		andn	%o1,%g2,%g2
+/* 0x0b7c	 993 ( 2  3) */		srl	%o1,19,%g3
+/* 0x0b80	 994 ( 3  7) */		ldd	[%g5+16],%f8
+/* 0x0b84	 995 ( 4  8) */		fxnor	%f0,%f4,%f4
+/* 0x0b88	 996 ( 4  5) */		st	%g2,[%sp+356]
+/* 0x0b8c	 997 ( 5  9) */		ldd	[%o0],%f20
+/* 0x0b90	 998 ( 5  9) */		fxnor	%f0,%f6,%f6
+/* 0x0b94	 999 ( 6  7) */		st	%g3,[%sp+352]
+/* 0x0b98	1000 ( 6 10) */		fxnor	%f0,%f8,%f8
+/* 0x0b9c	1005 ( 7 11) */		ldd	[%o0+8],%f30
+/* 0x0ba0	1006 ( 8 13) */		fitod	%f4,%f22
+/* 0x0ba4	1007 ( 8 12) */		ldd	[%g5+24],%f10
+/* 0x0ba8	1008 ( 9 12) */		fmovs	%f20,%f24
+/* 0x0bac	1009 ( 9 13) */		ldd	[%g5+32],%f12
+/* 0x0bb0	1010 (10 15) */		fitod	%f5,%f4
+/* 0x0bb4	1011 (10 14) */		ldd	[%g5+40],%f14
+/* 0x0bb8	1012 (11 14) */		fmovs	%f20,%f26
+/* 0x0bbc	1013 (11 15) */		ldd	[%g5+48],%f16
+/* 0x0bc0	1014 (12 14) */		ld	[%sp+356],%f25
+/* 0x0bc4	1015 (12 17) */		fitod	%f6,%f28
+/* 0x0bc8	1016 (13 15) */		ld	[%sp+352],%f27
+/* 0x0bcc	1017 (13 18) */		fitod	%f8,%f32
+/* 0x0bd0	1018 (14 19) */		fsubd	%f30,%f22,%f22
+/* 0x0bd4	1019 (14 18) */		ldd	[%g5+56],%f18
+/* 0x0bd8	1020 (15 20) */		fsubd	%f24,%f20,%f24
+/* 0x0bdc	1021 (16 21) */		fsubd	%f26,%f20,%f20
+/* 0x0be0	1022 (17 22) */		fsubd	%f30,%f4,%f4
+/* 0x0be4	1023 (18 23) */		fsubd	%f30,%f28,%f26
+/* 0x0be8	1024 (19 24) */		fitod	%f7,%f6
+/* 0x0bec	1025 (20 25) */		fsubd	%f30,%f32,%f28
+/* 0x0bf0	1026 (20 25) */		fmuld	%f22,%f24,%f32
+/* 0x0bf4	1027 (21 26) */		fmuld	%f22,%f20,%f22
+/* 0x0bf8	1028 (21 25) */		fxnor	%f0,%f10,%f10
+/* 0x0bfc	1029 (22 27) */		fmuld	%f4,%f24,%f44
+/* 0x0c00	1030 (22 27) */		fitod	%f9,%f8
+/* 0x0c04	1031 (23 28) */		fmuld	%f4,%f20,%f4
+/* 0x0c08	1032 (23 27) */		fxnor	%f0,%f12,%f12
+/* 0x0c0c	1033 (24 29) */		fsubd	%f30,%f6,%f6
+/* 0x0c10	1034 (24 29) */		fmuld	%f26,%f24,%f46
+/* 0x0c14	1035 (25 30) */		fitod	%f10,%f34
+/* 0x0c18	1036 (26 31) */		fdtox	%f22,%f22
+/* 0x0c1c	1037 (26 27) */		std	%f22,[%sp+336]
+/* 0x0c20	1038 (27 32) */		fmuld	%f26,%f20,%f22
+/* 0x0c24	1039 (27 32) */		fdtox	%f44,%f26
+/* 0x0c28	1040 (27 28) */		std	%f26,[%sp+328]
+/* 0x0c2c	1041 (28 33) */		fdtox	%f4,%f4
+/* 0x0c30	1042 (28 29) */		std	%f4,[%sp+320]
+/* 0x0c34	1043 (29 34) */		fmuld	%f6,%f24,%f26
+/* 0x0c38	1044 (29 34) */		fsubd	%f30,%f8,%f8
+/* 0x0c3c	1045 (30 35) */		fdtox	%f46,%f4
+/* 0x0c40	1046 (30 31) */		std	%f4,[%sp+312]
+/* 0x0c44	1047 (31 36) */		fmuld	%f28,%f24,%f4
+/* 0x0c48	1048 (31 36) */		fdtox	%f32,%f32
+/* 0x0c4c	1049 (31 32) */		std	%f32,[%sp+344]
+/* 0x0c50	1050 (32 37) */		fitod	%f11,%f10
+/* 0x0c54	1051 (32 37) */		fmuld	%f6,%f20,%f32
+/* 0x0c58	1052 (33 38) */		fsubd	%f30,%f34,%f34
+/* 0x0c5c	1053 (34 39) */		fdtox	%f22,%f6
+/* 0x0c60	1054 (34 35) */		std	%f6,[%sp+304]
+/* 0x0c64	1058 (35 40) */		fitod	%f12,%f36
+/* 0x0c68	1059 (35 40) */		fmuld	%f28,%f20,%f6
+/* 0x0c6c	1060 (36 41) */		fdtox	%f26,%f22
+/* 0x0c70	1061 (36 37) */		std	%f22,[%sp+296]
+/* 0x0c74	1062 (37 42) */		fmuld	%f8,%f24,%f22
+/* 0x0c78	1063 (37 42) */		fdtox	%f4,%f4
+/* 0x0c7c	1064 (37 38) */		std	%f4,[%sp+280]
+/* 0x0c80	1065 (38 43) */		fmuld	%f8,%f20,%f8
+/* 0x0c84	1066 (38 43) */		fsubd	%f30,%f10,%f10
+/* 0x0c88	1067 (39 44) */		fmuld	%f34,%f24,%f4
+/* 0x0c8c	1068 (39 44) */		fitod	%f13,%f12
+/* 0x0c90	1069 (40 45) */		fsubd	%f30,%f36,%f36
+/* 0x0c94	1070 (41 46) */		fdtox	%f6,%f6
+/* 0x0c98	1071 (41 42) */		std	%f6,[%sp+272]
+/* 0x0c9c	1072 (42 46) */		fxnor	%f0,%f14,%f14
+/* 0x0ca0	1073 (42 47) */		fmuld	%f34,%f20,%f6
+/* 0x0ca4	1074 (43 48) */		fdtox	%f22,%f22
+/* 0x0ca8	1075 (43 44) */		std	%f22,[%sp+264]
+/* 0x0cac	1076 (44 49) */		fdtox	%f8,%f8
+/* 0x0cb0	1077 (44 45) */		std	%f8,[%sp+256]
+/* 0x0cb4	1078 (44 49) */		fmuld	%f10,%f24,%f22
+/* 0x0cb8	1079 (45 50) */		fdtox	%f4,%f4
+/* 0x0cbc	1080 (45 46) */		std	%f4,[%sp+248]
+/* 0x0cc0	1081 (45 50) */		fmuld	%f10,%f20,%f8
+/* 0x0cc4	1082 (46 51) */		fsubd	%f30,%f12,%f4
+/* 0x0cc8	1083 (46 51) */		fmuld	%f36,%f24,%f10
+/* 0x0ccc	1084 (47 52) */		fitod	%f14,%f38
+/* 0x0cd0	1085 (48 53) */		fdtox	%f6,%f6
+/* 0x0cd4	1086 (48 49) */		std	%f6,[%sp+240]
+/* 0x0cd8	1087 (49 54) */		fdtox	%f22,%f12
+/* 0x0cdc	1088 (49 50) */		std	%f12,[%sp+232]
+/* 0x0ce0	1089 (49 54) */		fmuld	%f36,%f20,%f6
+/* 0x0ce4	1090 (50 55) */		fdtox	%f8,%f8
+/* 0x0ce8	1091 (50 51) */		std	%f8,[%sp+224]
+/* 0x0cec	1092 (51 56) */		fdtox	%f10,%f22
+/* 0x0cf0	1093 (51 52) */		std	%f22,[%sp+216]
+/* 0x0cf4	1094 (51 56) */		fmuld	%f4,%f24,%f8
+/* 0x0cf8	1095 (52 57) */		fitod	%f15,%f14
+/* 0x0cfc	1096 (52 57) */		fmuld	%f4,%f20,%f4
+/* 0x0d00	1097 (53 58) */		fsubd	%f30,%f38,%f22
+/* 0x0d04	1098 (54 58) */		fxnor	%f0,%f16,%f16
+/* 0x0d08	1099 (55 60) */		fdtox	%f6,%f6
+/* 0x0d0c	1100 (55 56) */		std	%f6,[%sp+208]
+/* 0x0d10	1101 (56 61) */		fdtox	%f8,%f6
+/* 0x0d14	1102 (56 57) */		std	%f6,[%sp+200]
+/* 0x0d18	1103 (57 62) */		fsubd	%f30,%f14,%f10
+/* 0x0d1c	1104 (58 63) */		fitod	%f16,%f40
+/* 0x0d20	1105 (58 63) */		fmuld	%f22,%f24,%f6
+/* 0x0d24	1106 (59 64) */		fdtox	%f4,%f4
+/* 0x0d28	1107 (59 60) */		std	%f4,[%sp+192]
+/* 0x0d2c	1108 (60 65) */		fitod	%f17,%f16
+/* 0x0d30	1109 (60 65) */		fmuld	%f22,%f20,%f4
+/* 0x0d34	1110 (61 65) */		fxnor	%f0,%f18,%f18
+/* 0x0d38	1111 (62 67) */		fdtox	%f32,%f32
+/* 0x0d3c	1112 (62 63) */		std	%f32,[%sp+288]
+/* 0x0d40	1113 (62 67) */		fmuld	%f10,%f24,%f8
+/* 0x0d44	1114 (63 68) */		fdtox	%f6,%f6
+/* 0x0d48	1115 (63 64) */		std	%f6,[%sp+184]
+/* 0x0d4c	1116 (63 68) */		fmuld	%f10,%f20,%f22
+/* 0x0d50	1117 (64 69) */		fsubd	%f30,%f40,%f6
+/* 0x0d54	1118 (65 70) */		fdtox	%f4,%f4
+/* 0x0d58	1119 (65 66) */		std	%f4,[%sp+176]
+/* 0x0d5c	1120 (66 71) */		fsubd	%f30,%f16,%f10
+/* 0x0d60	1121 (67 72) */		fdtox	%f8,%f4
+/* 0x0d64	1122 (67 68) */		std	%f4,[%sp+168]
+/* 0x0d68	1123 (68 73) */		fdtox	%f22,%f4
+/* 0x0d6c	1124 (68 69) */		std	%f4,[%sp+160]
+/* 0x0d70	1125 (69 74) */		fitod	%f18,%f42
+/* 0x0d74	1126 (69 74) */		fmuld	%f6,%f24,%f4
+/* 0x0d78	1127 (70 75) */		fmuld	%f6,%f20,%f22
+/* 0x0d7c	1128 (71 76) */		fmuld	%f10,%f24,%f6
+/* 0x0d80	1129 (72 77) */		fmuld	%f10,%f20,%f8
+/* 0x0d84	1130 (74 79) */		fdtox	%f4,%f4
+/* 0x0d88	1131 (74 75) */		std	%f4,[%sp+152]
+/* 0x0d8c	1132 (75 80) */		fsubd	%f30,%f42,%f4
+/* 0x0d90	1133 (76 81) */		fdtox	%f6,%f6
+/* 0x0d94	1134 (76 77) */		std	%f6,[%sp+136]
+/* 0x0d98	1135 (77 82) */		fdtox	%f22,%f22
+/* 0x0d9c	1136 (77 78) */		std	%f22,[%sp+144]
+/* 0x0da0	1137 (78 83) */		fdtox	%f8,%f22
+/* 0x0da4	1138 (78 79) */		std	%f22,[%sp+128]
+/* 0x0da8	1139 (79 84) */		fitod	%f19,%f22
+/* 0x0dac	1140 (80 85) */		fmuld	%f4,%f24,%f6
+/* 0x0db0	1141 (81 86) */		fmuld	%f4,%f20,%f4
+/* 0x0db4	1142 (84 89) */		fsubd	%f30,%f22,%f22
+/* 0x0db8	1143 (85 90) */		fdtox	%f6,%f6
+/* 0x0dbc	1144 (85 86) */		std	%f6,[%sp+120]
+/* 0x0dc0	1145 (86 91) */		fdtox	%f4,%f4
+/* 0x0dc4	1146 (86 87) */		std	%f4,[%sp+112]
+/* 0x0dc8	1150 (87 89) */		ldx	[%sp+336],%g2
+/* 0x0dcc	1151 (88 90) */		ldx	[%sp+344],%g3
+/* 0x0dd0	1152 (89 91) */		ld	[%i1],%g4
+/* 0x0dd4	1153 (89 90) */		sllx	%g2,19,%g2
+/* 0x0dd8	1154 (89 94) */		fmuld	%f22,%f20,%f4
+/* 0x0ddc	1155 (90 92) */		ldx	[%sp+328],%g5
+/* 0x0de0	1156 (90 91) */		add	%g3,%g2,%g2
+/* 0x0de4	1157 (90 95) */		fmuld	%f22,%f24,%f6
+/* 0x0de8	1158 (91 93) */		ldx	[%sp+320],%g3
+/* 0x0dec	1159 (91 92) */		add	%g2,%g4,%g4
+/* 0x0df0	1160 (92 94) */		ldx	[%sp+304],%o0
+/* 0x0df4	1161 (93 94) */		st	%g4,[%i0]
+/* 0x0df8	1162 (93 94) */		sllx	%g3,19,%g2
+/* 0x0dfc	1163 (93 94) */		srlx	%g4,32,%g4
+/* 0x0e00	1164 (94 96) */		ld	[%i1+4],%g3
+/* 0x0e04	1165 (94 95) */		add	%g5,%g2,%g2
+/* 0x0e08	1166 (94 99) */		fdtox	%f4,%f4
+/* 0x0e0c	1167 (95 97) */		ldx	[%sp+312],%g5
+/* 0x0e10	1168 (95 100) */		fdtox	%f6,%f6
+/* 0x0e14	1169 (96 98) */		ldx	[%sp+288],%o1
+/* 0x0e18	1170 (96 97) */		add	%g2,%g3,%g2
+/* 0x0e1c	1171 (96 97) */		sllx	%o0,19,%g3
+/* 0x0e20	1172 (97 99) */		ldx	[%sp+272],%o2
+/* 0x0e24	1173 (97 98) */		add	%g2,%g4,%g2
+/* 0x0e28	1174 (97 98) */		add	%g5,%g3,%g3
+/* 0x0e2c	1175 (98 100) */		ld	[%i1+8],%g4
+/* 0x0e30	1176 (98 99) */		srlx	%g2,32,%o0
+/* 0x0e34	1177 (99 101) */		ldx	[%sp+296],%g5
+/* 0x0e38	1178 (100 101) */		st	%g2,[%i0+4]
+/* 0x0e3c	1179 (100 101) */		sllx	%o2,19,%g2
+/* 0x0e40	1180 (100 101) */		add	%g3,%g4,%g3
+/* 0x0e44	1181 (101 103) */		ldx	[%sp+256],%o2
+/* 0x0e48	1182 (101 102) */		sllx	%o1,19,%g4
+/* 0x0e4c	1183 (101 102) */		add	%g3,%o0,%g3
+/* 0x0e50	1184 (102 104) */		ld	[%i1+12],%o0
+/* 0x0e54	1185 (102 103) */		srlx	%g3,32,%o1
+/* 0x0e58	1186 (102 103) */		add	%g5,%g4,%g4
+/* 0x0e5c	1187 (103 105) */		ldx	[%sp+280],%g5
+/* 0x0e60	1188 (104 105) */		st	%g3,[%i0+8]
+/* 0x0e64	1189 (104 105) */		sllx	%o2,19,%g3
+/* 0x0e68	1190 (104 105) */		add	%g4,%o0,%g4
+/* 0x0e6c	1191 (105 107) */		ld	[%i1+16],%o0
+/* 0x0e70	1192 (105 106) */		add	%g5,%g2,%g2
+/* 0x0e74	1193 (105 106) */		add	%g4,%o1,%g4
+/* 0x0e78	1194 (106 108) */		ldx	[%sp+264],%g5
+/* 0x0e7c	1195 (106 107) */		srlx	%g4,32,%o1
+/* 0x0e80	1196 (107 109) */		ldx	[%sp+240],%o2
+/* 0x0e84	1197 (107 108) */		add	%g2,%o0,%g2
+/* 0x0e88	1198 (108 110) */		ld	[%i1+20],%o0
+/* 0x0e8c	1199 (108 109) */		add	%g5,%g3,%g3
+/* 0x0e90	1200 (108 109) */		add	%g2,%o1,%g2
+/* 0x0e94	1201 (109 111) */		ldx	[%sp+248],%g5
+/* 0x0e98	1202 (109 110) */		srlx	%g2,32,%o1
+/* 0x0e9c	1203 (110 111) */		st	%g4,[%i0+12]
+/* 0x0ea0	1204 (110 111) */		sllx	%o2,19,%g4
+/* 0x0ea4	1205 (110 111) */		add	%g3,%o0,%g3
+/* 0x0ea8	1206 (111 113) */		ld	[%i1+24],%o0
+/* 0x0eac	1207 (111 112) */		add	%g5,%g4,%g4
+/* 0x0eb0	1208 (111 112) */		add	%g3,%o1,%g3
+/* 0x0eb4	1209 (112 114) */		ldx	[%sp+224],%o2
+/* 0x0eb8	1210 (112 113) */		srlx	%g3,32,%o1
+/* 0x0ebc	1211 (113 115) */		ldx	[%sp+232],%g5
+/* 0x0ec0	1212 (113 114) */		add	%g4,%o0,%g4
+/* 0x0ec4	1213 (114 115) */		st	%g2,[%i0+16]
+/* 0x0ec8	1214 (114 115) */		sllx	%o2,19,%g2
+/* 0x0ecc	1215 (114 115) */		add	%g4,%o1,%g4
+/* 0x0ed0	1216 (115 117) */		ld	[%i1+28],%o0
+/* 0x0ed4	1217 (115 116) */		srlx	%g4,32,%o1
+/* 0x0ed8	1218 (115 116) */		add	%g5,%g2,%g2
+/* 0x0edc	1222 (116 118) */		ldx	[%sp+208],%o2
+/* 0x0ee0	1223 (117 119) */		ldx	[%sp+216],%g5
+/* 0x0ee4	1224 (117 118) */		add	%g2,%o0,%g2
+/* 0x0ee8	1225 (118 119) */		st	%g3,[%i0+20]
+/* 0x0eec	1226 (118 119) */		sllx	%o2,19,%g3
+/* 0x0ef0	1227 (118 119) */		add	%g2,%o1,%g2
+/* 0x0ef4	1228 (119 121) */		ld	[%i1+32],%o0
+/* 0x0ef8	1229 (119 120) */		srlx	%g2,32,%o1
+/* 0x0efc	1230 (119 120) */		add	%g5,%g3,%g3
+/* 0x0f00	1231 (120 122) */		ldx	[%sp+192],%o2
+/* 0x0f04	1232 (121 123) */		ldx	[%sp+200],%g5
+/* 0x0f08	1233 (121 122) */		add	%g3,%o0,%g3
+/* 0x0f0c	1234 (122 123) */		st	%g4,[%i0+24]
+/* 0x0f10	1235 (122 123) */		sllx	%o2,19,%g4
+/* 0x0f14	1236 (122 123) */		add	%g3,%o1,%g3
+/* 0x0f18	1237 (123 125) */		ld	[%i1+36],%o0
+/* 0x0f1c	1238 (123 124) */		srlx	%g3,32,%o1
+/* 0x0f20	1239 (123 124) */		add	%g5,%g4,%g4
+/* 0x0f24	1240 (124 126) */		ldx	[%sp+176],%o2
+/* 0x0f28	1241 (125 127) */		ldx	[%sp+184],%g5
+/* 0x0f2c	1242 (125 126) */		add	%g4,%o0,%g4
+/* 0x0f30	1243 (126 127) */		st	%g2,[%i0+28]
+/* 0x0f34	1244 (126 127) */		sllx	%o2,19,%g2
+/* 0x0f38	1245 (126 127) */		add	%g4,%o1,%g4
+/* 0x0f3c	1246 (127 129) */		ld	[%i1+40],%o0
+/* 0x0f40	1247 (127 128) */		srlx	%g4,32,%o1
+/* 0x0f44	1248 (127 128) */		add	%g5,%g2,%g2
+/* 0x0f48	1249 (128 130) */		ldx	[%sp+160],%o2
+/* 0x0f4c	1250 (129 131) */		ldx	[%sp+168],%g5
+/* 0x0f50	1251 (129 130) */		add	%g2,%o0,%g2
+/* 0x0f54	1252 (130 131) */		st	%g3,[%i0+32]
+/* 0x0f58	1253 (130 131) */		sllx	%o2,19,%g3
+/* 0x0f5c	1254 (130 131) */		add	%g2,%o1,%g2
+/* 0x0f60	1255 (131 133) */		ld	[%i1+44],%o0
+/* 0x0f64	1256 (131 132) */		srlx	%g2,32,%o1
+/* 0x0f68	1257 (131 132) */		add	%g5,%g3,%g3
+/* 0x0f6c	1258 (132 134) */		ldx	[%sp+144],%o2
+/* 0x0f70	1259 (133 135) */		ldx	[%sp+152],%g5
+/* 0x0f74	1260 (133 134) */		add	%g3,%o0,%g3
+/* 0x0f78	1261 (134 135) */		st	%g4,[%i0+36]
+/* 0x0f7c	1262 (134 135) */		sllx	%o2,19,%g4
+/* 0x0f80	1263 (134 135) */		add	%g3,%o1,%g3
+/* 0x0f84	1264 (135 137) */		ld	[%i1+48],%o0
+/* 0x0f88	1265 (135 136) */		srlx	%g3,32,%o1
+/* 0x0f8c	1266 (135 136) */		add	%g5,%g4,%g4
+/* 0x0f90	1267 (136 138) */		ldx	[%sp+128],%o2
+/* 0x0f94	1268 (137 139) */		ldx	[%sp+136],%g5
+/* 0x0f98	1269 (137 138) */		add	%g4,%o0,%g4
+/* 0x0f9c	1270 (138 139) */		std	%f4,[%sp+96]
+/* 0x0fa0	1271 (138 139) */		add	%g4,%o1,%g4
+/* 0x0fa4	1272 (139 140) */		st	%g2,[%i0+40]
+/* 0x0fa8	1273 (139 140) */		sllx	%o2,19,%g2
+/* 0x0fac	1274 (139 140) */		srlx	%g4,32,%o1
+/* 0x0fb0	1275 (140 142) */		ld	[%i1+52],%o0
+/* 0x0fb4	1276 (140 141) */		add	%g5,%g2,%g2
+/* 0x0fb8	1277 (141 142) */		std	%f6,[%sp+104]
+/* 0x0fbc	1278 (142 144) */		ldx	[%sp+120],%g5
+/* 0x0fc0	1279 (142 143) */		add	%g2,%o0,%g2
+/* 0x0fc4	1280 (143 144) */		st	%g3,[%i0+44]
+/* 0x0fc8	1281 (143 144) */		add	%g2,%o1,%g2
+/* 0x0fcc	1282 (144 146) */		ldx	[%sp+112],%o2
+/* 0x0fd0	1283 (144 145) */		srlx	%g2,32,%o1
+/* 0x0fd4	1284 (145 147) */		ld	[%i1+56],%o0
+/* 0x0fd8	1285 (146 147) */		st	%g4,[%i0+48]
+/* 0x0fdc	1286 (146 147) */		sllx	%o2,19,%g3
+/* 0x0fe0	1287 (147 149) */		ldx	[%sp+96],%o2
+/* 0x0fe4	1288 (147 148) */		add	%g5,%g3,%g3
+/* 0x0fe8	1289 (148 150) */		ldx	[%sp+104],%g5
+/* 0x0fec	1290 (148 149) */		add	%g3,%o0,%g3
+/* 0x0ff0	1291 (149 151) */		ld	[%i1+60],%o0
+/* 0x0ff4	1292 (149 150) */		sllx	%o2,19,%g4
+/* 0x0ff8	1293 (149 150) */		add	%g3,%o1,%g3
+/* 0x0ffc	1294 (150 151) */		st	%g2,[%i0+52]
+/* 0x1000	1295 (150 151) */		srlx	%g3,32,%o1
+/* 0x1004	1296 (150 151) */		add	%g5,%g4,%g4
+/* 0x1008	1297 (151 152) */		st	%g3,[%i0+56]
+/* 0x100c	1298 (151 152) */		add	%g4,%o0,%g2
+/* 0x1010	1299 (152 153) */		add	%g2,%o1,%g2
+/* 0x1014	1300 (152 153) */		st	%g2,[%i0+60]
+/* 0x1018	1304 (153 154) */		srlx	%g2,32,%o7
+
+!
+! ENTRY .L77000061
+!
+
+                                   .L77000061:		/* frequency 1.0 confidence 0.0 */
+/* 0x119c	1437 ( 0  1) */		or	%g0,%o7,%i0
+
+!
+! ENTRY .L900000159
+!
+
+                                   .L900000159:		/* frequency 1.0 confidence 0.0 */
+/* 0x11a0	     ( 0  7) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x11a4	     ( 2  4) */		restore	%g0,%g0,%g0
+
+!
+! ENTRY .L77000073
+!
+
+                                   .L77000073:		/* frequency 1.0 confidence 0.0 */
+
+
+	or	%g0, %i4, %o2
+	or	%g0, %o0, %o1
+	or	%g0, %i3, %o0
+
+!
+! ENTRY .L77000052
+!
+
+                                   .L77000052:		/* frequency 1.0 confidence 0.0 */
+/* 0x1028	1318 ( 0  1) */		andn	%o2,%g2,%g2
+/* 0x102c	1319 ( 0  1) */		st	%g2,[%sp+96]
+/* 0x1030	1325 ( 0  1) */		add	%o0,1,%g3
+/* 0x1034	1326 ( 0  1) */		fmovd	%f0,%f14
+/* 0x1038	1327 ( 1  2) */		srl	%o2,19,%g2
+/* 0x103c	1328 ( 1  2) */		st	%g2,[%sp+92]
+/* 0x1040	1329 ( 1  2) */		or	%g0,0,%o5
+/* 0x1044	1330 ( 2  3) */		srl	%g3,31,%g2
+/* 0x1048	1331 ( 2  5) */		ldd	[%o1],%f6
+/* 0x104c	1335 ( 2  3) */		sethi	%hi(0x1800),%g1
+/* 0x1050	1336 ( 3  4) */		add	%g3,%g2,%g2
+/* 0x1054	1337 ( 3  4) */		xor	%g1,-304,%g1
+/* 0x1058	1338 ( 3  6) */		ldd	[%o1+8],%f20
+/* 0x105c	1339 ( 4  5) */		sra	%g2,1,%o3
+/* 0x1060	1340 ( 4  5) */		fmovs	%f6,%f8
+/* 0x1064	1341 ( 4  5) */		add	%g1,%fp,%g3
+/* 0x1068	1342 ( 5  6) */		fmovs	%f6,%f10
+/* 0x106c	1343 ( 5  7) */		ld	[%sp+96],%f9
+/* 0x1070	1344 ( 5  6) */		subcc	%o3,0,%g0
+/* 0x1074	1345 ( 6  8) */		ld	[%sp+92],%f11
+/* 0x1078	1346 ( 6  7) */		sethi	%hi(0x1800),%g1
+/* 0x107c	1347 ( 6  7) */		or	%g0,%i2,%o1
+/* 0x1080	1348 ( 7 10) */		fsubd	%f8,%f6,%f18
+/* 0x1084	1349 ( 7  8) */		xor	%g1,-296,%g1
+/* 0x1088	1350 ( 7  8) */		or	%g0,0,%g4
+/* 0x108c	1351 ( 8 11) */		fsubd	%f10,%f6,%f16
+/* 0x1090	1352 ( 8  9) */		bleu,pt	%icc,.L990000162	! tprob=0.50
+/* 0x1094	     ( 8  9) */		subcc	%o0,0,%g0
+/* 0x1098	1354 ( 9 10) */		add	%g1,%fp,%g2
+/* 0x109c	1355 ( 9 10) */		sethi	%hi(0x1800),%g1
+/* 0x10a0	1356 (10 11) */		xor	%g1,-288,%g1
+/* 0x10a4	1357 (10 11) */		subcc	%o3,7,%g0
+/* 0x10a8	1358 (11 12) */		add	%g1,%fp,%o7
+/* 0x10ac	1359 (11 12) */		sethi	%hi(0x1800),%g1
+/* 0x10b0	1360 (12 13) */		xor	%g1,-280,%g1
+/* 0x10b4	1361 (13 14) */		add	%g1,%fp,%o4
+/* 0x10b8	1362 (13 14) */		bl,pn	%icc,.L77000054	! tprob=0.50
+/* 0x10bc	     (13 14) */		sub	%o3,2,%o2
+/* 0x10c0	1364 (14 17) */		ldd	[%o1],%f2
+/* 0x10c4	1365 (14 15) */		add	%o1,16,%g5
+/* 0x10c8	1366 (14 15) */		or	%g0,4,%g4
+/* 0x10cc	1367 (15 18) */		ldd	[%o1+8],%f0
+/* 0x10d0	1368 (15 16) */		add	%o1,8,%o1
+/* 0x10d4	1369 (16 18) */		fxnor	%f14,%f2,%f6
+/* 0x10d8	1370 (16 19) */		ldd	[%g5],%f4
+/* 0x10dc	1371 (16 17) */		add	%o1,16,%o1
+/* 0x10e0	1372 (17 19) */		fxnor	%f14,%f0,%f12
+/* 0x10e4	1373 (17 20) */		ldd	[%o1],%f0
+/* 0x10e8	1374 (17 18) */		add	%o1,8,%o1
+/* 0x10ec	1375 (18 21) */		fitod	%f7,%f2
+/* 0x10f0	1376 (19 22) */		fitod	%f6,%f6
+/* 0x10f4	1377 (20 22) */		fxnor	%f14,%f4,%f10
+/* 0x10f8	1378 (21 24) */		fsubd	%f20,%f2,%f2
+/* 0x10fc	1379 (22 24) */		fxnor	%f14,%f0,%f8
+/* 0x1100	1380 (23 26) */		fitod	%f13,%f4
+/* 0x1104	1381 (24 27) */		fsubd	%f20,%f6,%f6
+/* 0x1108	1382 (24 27) */		fmuld	%f2,%f16,%f0
+
+!
+! ENTRY .L990000154
+!
+
+                                   .L990000154:		/* frequency 1.0 confidence 0.0 */
+/* 0x110c	1384 ( 0  3) */		ldd	[%o1],%f24
+/* 0x1110	1385 ( 0  1) */		add	%g4,3,%g4
+/* 0x1114	1386 ( 0  1) */		add	%o4,96,%o4
+/* 0x1118	1387 ( 1  4) */		fitod	%f11,%f22
+/* 0x111c	1388 ( 2  5) */		fsubd	%f20,%f4,%f26
+/* 0x1120	1389 ( 2  3) */		subcc	%g4,%o2,%g0
+/* 0x1124	1390 ( 2  3) */		add	%o7,96,%o7
+/* 0x1128	1391 ( 2  5) */		fmuld	%f6,%f18,%f28
+/* 0x112c	1392 ( 3  6) */		fmuld	%f6,%f16,%f6
+/* 0x1130	1393 ( 3  4) */		add	%g2,96,%g2
+/* 0x1134	1394 ( 3  4) */		add	%g3,96,%g3
+/* 0x1138	1395 ( 4  7) */		fdtox	%f0,%f0
+/* 0x113c	1396 ( 5  8) */		fitod	%f12,%f4
+/* 0x1140	1397 ( 5  8) */		fmuld	%f2,%f18,%f2
+/* 0x1144	1398 ( 6  9) */		fdtox	%f28,%f12
+/* 0x1148	1399 ( 7 10) */		fdtox	%f6,%f6
+/* 0x114c	1400 ( 7  8) */		std	%f12,[%g3-96]
+/* 0x1150	1401 ( 8  9) */		std	%f6,[%g2-96]
+/* 0x1154	1402 ( 8 11) */		fdtox	%f2,%f2
+/* 0x1158	1403 ( 9 12) */		fsubd	%f20,%f4,%f6
+/* 0x115c	1404 ( 9 10) */		std	%f2,[%o7-96]
+/* 0x1160	1405 ( 9 10) */		add	%o1,8,%o1
+/* 0x1164	1406 (10 12) */		fxnor	%f14,%f24,%f12
+/* 0x1168	1407 (10 13) */		fmuld	%f26,%f16,%f4
+/* 0x116c	1408 (10 11) */		std	%f0,[%o4-96]
+/* 0x1170	1409 (11 14) */		ldd	[%o1],%f0
+/* 0x1174	1410 (11 14) */		fitod	%f9,%f2
+/* 0x1178	1411 (12 15) */		fsubd	%f20,%f22,%f28
+/* 0x117c	1412 (12 15) */		fmuld	%f6,%f18,%f24
+/* 0x1180	1413 (13 16) */		fmuld	%f6,%f16,%f22
+/* 0x1184	1414 (13 16) */		fdtox	%f4,%f4
+/* 0x1188	1415 (14 17) */		fitod	%f10,%f6
+/* 0x118c	1416 (14 17) */		fmuld	%f26,%f18,%f10
+/* 0x1190	1417 (15 18) */		fdtox	%f24,%f24
+/* 0x1194	1418 (16 19) */		fdtox	%f22,%f22
+/* 0x1198	1419 (16 17) */		std	%f24,[%g3-64]
+/* 0x119c	1420 (17 18) */		std	%f22,[%g2-64]
+/* 0x11a0	1421 (17 20) */		fdtox	%f10,%f10
+/* 0x11a4	1422 (18 21) */		fsubd	%f20,%f6,%f6
+/* 0x11a8	1423 (18 19) */		std	%f10,[%o7-64]
+/* 0x11ac	1424 (18 19) */		add	%o1,8,%o1
+/* 0x11b0	1425 (19 21) */		fxnor	%f14,%f0,%f10
+/* 0x11b4	1426 (19 22) */		fmuld	%f28,%f16,%f0
+/* 0x11b8	1427 (19 20) */		std	%f4,[%o4-64]
+/* 0x11bc	1428 (20 23) */		ldd	[%o1],%f22
+/* 0x11c0	1429 (20 23) */		fitod	%f13,%f4
+/* 0x11c4	1430 (21 24) */		fsubd	%f20,%f2,%f2
+/* 0x11c8	1431 (21 24) */		fmuld	%f6,%f18,%f26
+/* 0x11cc	1432 (22 25) */		fmuld	%f6,%f16,%f24
+/* 0x11d0	1433 (22 25) */		fdtox	%f0,%f0
+/* 0x11d4	1434 (23 26) */		fitod	%f8,%f6
+/* 0x11d8	1435 (23 26) */		fmuld	%f28,%f18,%f8
+/* 0x11dc	1436 (24 27) */		fdtox	%f26,%f26
+/* 0x11e0	1437 (25 28) */		fdtox	%f24,%f24
+/* 0x11e4	1438 (25 26) */		std	%f26,[%g3-32]
+/* 0x11e8	1439 (26 27) */		std	%f24,[%g2-32]
+/* 0x11ec	1440 (26 29) */		fdtox	%f8,%f8
+/* 0x11f0	1441 (27 30) */		fsubd	%f20,%f6,%f6
+/* 0x11f4	1442 (27 28) */		std	%f8,[%o7-32]
+/* 0x11f8	1443 (27 28) */		add	%o1,8,%o1
+/* 0x11fc	1444 (28 30) */		fxnor	%f14,%f22,%f8
+/* 0x1200	1445 (28 29) */		std	%f0,[%o4-32]
+/* 0x1204	1446 (28 29) */		bcs,pt	%icc,.L990000154	! tprob=0.50
+/* 0x1208	     (28 31) */		fmuld	%f2,%f16,%f0
+
+!
+! ENTRY .L990000157
+!
+
+                                   .L990000157:		/* frequency 1.0 confidence 0.0 */
+/* 0x120c	1449 ( 0  3) */		fitod	%f12,%f28
+/* 0x1210	1450 ( 0  3) */		fmuld	%f6,%f18,%f24
+/* 0x1214	1451 ( 0  1) */		add	%g3,128,%g3
+/* 0x1218	1452 ( 1  4) */		fitod	%f10,%f12
+/* 0x121c	1453 ( 1  4) */		fmuld	%f6,%f16,%f26
+/* 0x1220	1454 ( 1  2) */		add	%g2,128,%g2
+/* 0x1224	1455 ( 2  5) */		fsubd	%f20,%f4,%f4
+/* 0x1228	1456 ( 2  5) */		fmuld	%f2,%f18,%f22
+/* 0x122c	1457 ( 2  3) */		add	%o7,128,%o7
+/* 0x1230	1458 ( 3  6) */		fdtox	%f24,%f6
+/* 0x1234	1459 ( 3  4) */		std	%f6,[%g3-128]
+/* 0x1238	1460 ( 3  4) */		add	%o4,128,%o4
+/* 0x123c	1461 ( 4  7) */		fsubd	%f20,%f28,%f2
+/* 0x1240	1462 ( 4  5) */		subcc	%g4,%o3,%g0
+/* 0x1244	1463 ( 5  8) */		fitod	%f11,%f6
+/* 0x1248	1464 ( 5  8) */		fmuld	%f4,%f18,%f24
+/* 0x124c	1465 ( 6  9) */		fdtox	%f26,%f10
+/* 0x1250	1466 ( 6  7) */		std	%f10,[%g2-128]
+/* 0x1254	1467 ( 7 10) */		fdtox	%f22,%f10
+/* 0x1258	1468 ( 7  8) */		std	%f10,[%o7-128]
+/* 0x125c	1469 ( 7 10) */		fmuld	%f2,%f18,%f26
+/* 0x1260	1470 ( 8 11) */		fsubd	%f20,%f12,%f10
+/* 0x1264	1471 ( 8 11) */		fmuld	%f2,%f16,%f2
+/* 0x1268	1472 ( 9 12) */		fsubd	%f20,%f6,%f22
+/* 0x126c	1473 ( 9 12) */		fmuld	%f4,%f16,%f12
+/* 0x1270	1474 (10 13) */		fdtox	%f0,%f0
+/* 0x1274	1475 (10 11) */		std	%f0,[%o4-128]
+/* 0x1278	1476 (11 14) */		fitod	%f8,%f4
+/* 0x127c	1477 (11 14) */		fmuld	%f10,%f18,%f6
+/* 0x1280	1478 (12 15) */		fdtox	%f26,%f0
+/* 0x1284	1479 (12 13) */		std	%f0,[%g3-96]
+/* 0x1288	1480 (12 15) */		fmuld	%f10,%f16,%f10
+/* 0x128c	1481 (13 16) */		fdtox	%f2,%f2
+/* 0x1290	1482 (13 14) */		std	%f2,[%g2-96]
+/* 0x1294	1483 (14 17) */		fitod	%f9,%f0
+/* 0x1298	1484 (14 17) */		fmuld	%f22,%f18,%f2
+/* 0x129c	1485 (15 18) */		fdtox	%f24,%f8
+/* 0x12a0	1486 (15 16) */		std	%f8,[%o7-96]
+/* 0x12a4	1487 (16 19) */		fsubd	%f20,%f4,%f4
+/* 0x12a8	1488 (16 19) */		fmuld	%f22,%f16,%f8
+/* 0x12ac	1489 (17 20) */		fdtox	%f12,%f12
+/* 0x12b0	1490 (17 18) */		std	%f12,[%o4-96]
+/* 0x12b4	1491 (18 21) */		fsubd	%f20,%f0,%f0
+/* 0x12b8	1492 (19 22) */		fdtox	%f6,%f6
+/* 0x12bc	1493 (19 20) */		std	%f6,[%g3-64]
+/* 0x12c0	1494 (20 23) */		fdtox	%f10,%f10
+/* 0x12c4	1495 (20 21) */		std	%f10,[%g2-64]
+/* 0x12c8	1496 (20 23) */		fmuld	%f4,%f18,%f6
+/* 0x12cc	1497 (21 24) */		fdtox	%f2,%f2
+/* 0x12d0	1498 (21 22) */		std	%f2,[%o7-64]
+/* 0x12d4	1499 (21 24) */		fmuld	%f4,%f16,%f4
+/* 0x12d8	1500 (22 25) */		fmuld	%f0,%f18,%f2
+/* 0x12dc	1501 (22 25) */		fdtox	%f8,%f8
+/* 0x12e0	1502 (22 23) */		std	%f8,[%o4-64]
+/* 0x12e4	1503 (23 26) */		fdtox	%f6,%f6
+/* 0x12e8	1504 (23 24) */		std	%f6,[%g3-32]
+/* 0x12ec	1505 (23 26) */		fmuld	%f0,%f16,%f0
+/* 0x12f0	1506 (24 27) */		fdtox	%f4,%f4
+/* 0x12f4	1507 (24 25) */		std	%f4,[%g2-32]
+/* 0x12f8	1508 (25 28) */		fdtox	%f2,%f2
+/* 0x12fc	1509 (25 26) */		std	%f2,[%o7-32]
+/* 0x1300	1510 (26 29) */		fdtox	%f0,%f0
+/* 0x1304	1511 (26 27) */		bcc,pn	%icc,.L77000056	! tprob=0.50
+/* 0x1308	     (26 27) */		std	%f0,[%o4-32]
+
+!
+! ENTRY .L77000054
+!
+
+                                   .L77000054:		/* frequency 1.0 confidence 0.0 */
+/* 0x130c	1514 ( 0  3) */		ldd	[%o1],%f0
+
+!
+! ENTRY .L990000161
+!
+
+                                   .L990000161:		/* frequency 1.0 confidence 0.0 */
+/* 0x1310	1516 ( 0  2) */		fxnor	%f14,%f0,%f0
+/* 0x1314	1517 ( 0  1) */		add	%g4,1,%g4
+/* 0x1318	1518 ( 0  1) */		add	%o1,8,%o1
+/* 0x131c	1519 ( 1  2) */		subcc	%g4,%o3,%g0
+/* 0x1320	1520 ( 2  5) */		fitod	%f0,%f2
+/* 0x1324	1521 ( 3  6) */		fitod	%f1,%f0
+/* 0x1328	1522 ( 5  8) */		fsubd	%f20,%f2,%f2
+/* 0x132c	1523 ( 6  9) */		fsubd	%f20,%f0,%f0
+/* 0x1330	1524 ( 8 11) */		fmuld	%f2,%f18,%f6
+/* 0x1334	1525 ( 9 12) */		fmuld	%f2,%f16,%f4
+/* 0x1338	1526 (10 13) */		fmuld	%f0,%f18,%f2
+/* 0x133c	1527 (11 14) */		fdtox	%f6,%f6
+/* 0x1340	1528 (11 12) */		std	%f6,[%g3]
+/* 0x1344	1529 (11 14) */		fmuld	%f0,%f16,%f0
+/* 0x1348	1530 (12 15) */		fdtox	%f4,%f4
+/* 0x134c	1531 (12 13) */		std	%f4,[%g2]
+/* 0x1350	1532 (12 13) */		add	%g2,32,%g2
+/* 0x1354	1533 (13 16) */		fdtox	%f2,%f2
+/* 0x1358	1534 (13 14) */		std	%f2,[%o7]
+/* 0x135c	1535 (13 14) */		add	%o7,32,%o7
+/* 0x1360	1536 (14 17) */		fdtox	%f0,%f0
+/* 0x1364	1537 (14 15) */		std	%f0,[%o4]
+/* 0x1368	1538 (14 15) */		add	%o4,32,%o4
+/* 0x136c	1539 (15 16) */		add	%g3,32,%g3
+/* 0x1370	1540 (15 16) */		bcs,a,pt	%icc,.L990000161	! tprob=0.50
+/* 0x1374	     (16 19) */		ldd	[%o1],%f0
+
+!
+! ENTRY .L77000056
+!
+
+                                   .L77000056:		/* frequency 1.0 confidence 0.0 */
+/* 0x1378	1548 ( 0  1) */		subcc	%o0,0,%g0
+
+!
+! ENTRY .L990000162
+!
+
+                                   .L990000162:		/* frequency 1.0 confidence 0.0 */
+/* 0x137c	1550 ( 0  1) */		bleu,pt	%icc,.L77770061	! tprob=0.50
+/* 0x1380	     ( 0  1) */		nop
+/* 0x1384	1555 ( 0  1) */		sethi	%hi(0x1800),%g1
+/* 0x1388	1556 ( 1  2) */		xor	%g1,-304,%g1
+/* 0x138c	1557 ( 1  2) */		or	%g0,%i1,%g4
+/* 0x1390	1558 ( 2  3) */		add	%g1,%fp,%g5
+/* 0x1394	1559 ( 2  3) */		sethi	%hi(0x1800),%g1
+/* 0x1398	1560 ( 3  4) */		xor	%g1,-296,%g1
+/* 0x139c	1561 ( 3  4) */		or	%g0,%o0,%o7
+/* 0x13a0	1562 ( 4  5) */		add	%g1,%fp,%g2
+/* 0x13a4	1563 ( 4  5) */		or	%g0,0,%i2
+/* 0x13a8	1564 ( 5  6) */		or	%g0,%i0,%g3
+/* 0x13ac	1565 ( 5  6) */		subcc	%o0,6,%g0
+/* 0x13b0	1566 ( 5  6) */		bl,pn	%icc,.L77000058	! tprob=0.50
+/* 0x13b4	     ( 6  7) */		sethi	%hi(0x1800),%g1
+/* 0x13b8	1568 ( 6  8) */		ld	[%g4],%o2
+/* 0x13bc	1569 ( 6  7) */		add	%g3,4,%g3
+/* 0x13c0	1570 ( 7  8) */		xor	%g1,-264,%g1
+/* 0x13c4	1571 ( 7  8) */		sub	%o7,3,%o4
+/* 0x13c8	1572 ( 8  9) */		add	%g1,%fp,%g2
+/* 0x13cc	1573 ( 8  9) */		sethi	%hi(0x1800),%g1
+/* 0x13d0	1574 ( 9 10) */		xor	%g1,-272,%g1
+/* 0x13d4	1575 ( 9 10) */		or	%g0,2,%i2
+/* 0x13d8	1576 (10 11) */		add	%g1,%fp,%g5
+/* 0x13dc	1577 (10 11) */		sethi	%hi(0x1800),%g1
+/* 0x13e0	1578 (11 12) */		xor	%g1,-296,%g1
+/* 0x13e4	1579 (12 13) */		add	%g1,%fp,%g1
+/* 0x13e8	1580 (13 15) */		ldx	[%g1],%o1
+/* 0x13ec	1581 (14 16) */		ldx	[%g1-8],%o0
+/* 0x13f0	1582 (15 16) */		sllx	%o1,19,%o1
+/* 0x13f4	1583 (15 17) */		ldx	[%g1+16],%o3
+/* 0x13f8	1584 (16 17) */		add	%o0,%o1,%o0
+/* 0x13fc	1585 (16 18) */		ld	[%g4+4],%o1
+/* 0x1400	1586 (16 17) */		add	%g4,8,%g4
+/* 0x1404	1587 (17 18) */		sllx	%o3,19,%o3
+/* 0x1408	1588 (17 18) */		add	%o0,%o2,%o0
+/* 0x140c	1589 (17 19) */		ldx	[%g1+8],%o2
+/* 0x1410	1590 (18 19) */		st	%o0,[%g3-4]
+/* 0x1414	1591 (18 19) */		srlx	%o0,32,%o0
+
+!
+! ENTRY .L990000142
+!
+
+                                   .L990000142:		/* frequency 1.0 confidence 0.0 */
+/* 0x1418	1593 ( 0  1) */		add	%o2,%o3,%o2
+/* 0x141c	1594 ( 0  1) */		add	%i2,4,%i2
+/* 0x1420	1595 ( 0  2) */		ld	[%g4],%o3
+/* 0x1424	1596 ( 1  2) */		srl	%o0,0,%o5
+/* 0x1428	1597 ( 1  2) */		add	%o2,%o1,%o1
+/* 0x142c	1598 ( 1  3) */		ldx	[%g2],%o0
+/* 0x1430	1599 ( 3  4) */		sllx	%o0,19,%o2
+/* 0x1434	1600 ( 3  5) */		ldx	[%g5],%o0
+/* 0x1438	1601 ( 3  4) */		add	%o1,%o5,%o1
+/* 0x143c	1602 ( 4  5) */		st	%o1,[%g3]
+/* 0x1440	1603 ( 4  5) */		srlx	%o1,32,%o5
+/* 0x1444	1604 ( 4  5) */		subcc	%i2,%o4,%g0
+/* 0x1448	1605 ( 5  7) */		ldx	[%g2+16],%o1
+/* 0x144c	1606 ( 5  6) */		add	%o0,%o2,%o0
+/* 0x1450	1607 ( 5  6) */		add	%g3,16,%g3
+/* 0x1454	1608 ( 6  8) */		ld	[%g4+4],%o2
+/* 0x1458	1609 ( 6  7) */		add	%o0,%o3,%o0
+/* 0x145c	1610 ( 7  8) */		sllx	%o1,19,%o3
+/* 0x1460	1611 ( 7  9) */		ldx	[%g5+16],%o1
+/* 0x1464	1612 ( 7  8) */		add	%o0,%o5,%o0
+/* 0x1468	1613 ( 8  9) */		st	%o0,[%g3-12]
+/* 0x146c	1614 ( 8  9) */		srlx	%o0,32,%o5
+/* 0x1470	1615 ( 8  9) */		add	%g4,16,%g4
+/* 0x1474	1616 ( 9 11) */		ldx	[%g2+32],%o0
+/* 0x1478	1617 ( 9 10) */		add	%o1,%o3,%o1
+/* 0x147c	1618 ( 9 10) */		add	%g2,64,%g2
+/* 0x1480	1619 (10 12) */		ld	[%g4-8],%o3
+/* 0x1484	1620 (10 11) */		add	%o1,%o2,%o2
+/* 0x1488	1621 (11 12) */		sllx	%o0,19,%o1
+/* 0x148c	1622 (11 13) */		ldx	[%g5+32],%o0
+/* 0x1490	1623 (11 12) */		add	%o2,%o5,%o2
+/* 0x1494	1624 (12 13) */		st	%o2,[%g3-8]
+/* 0x1498	1625 (12 13) */		srlx	%o2,32,%o5
+/* 0x149c	1626 (12 13) */		add	%g5,64,%g5
+/* 0x14a0	1627 (13 15) */		ldx	[%g2-16],%o2
+/* 0x14a4	1628 (13 14) */		add	%o0,%o1,%o0
+/* 0x14a8	1629 (14 16) */		ld	[%g4-4],%o1
+/* 0x14ac	1630 (14 15) */		add	%o0,%o3,%o0
+/* 0x14b0	1631 (15 16) */		sllx	%o2,19,%o3
+/* 0x14b4	1632 (15 17) */		ldx	[%g5-16],%o2
+/* 0x14b8	1633 (15 16) */		add	%o0,%o5,%o0
+/* 0x14bc	1634 (16 17) */		st	%o0,[%g3-4]
+/* 0x14c0	1635 (16 17) */		bcs,pt	%icc,.L990000142	! tprob=0.50
+/* 0x14c4	     (16 17) */		srlx	%o0,32,%o0
+
+!
+! ENTRY .L990000145
+!
+
+                                   .L990000145:		/* frequency 1.0 confidence 0.0 */
+/* 0x14c8	1638 ( 0  1) */		add	%o2,%o3,%o3
+/* 0x14cc	1639 ( 0  1) */		add	%g3,4,%g3
+/* 0x14d0	1640 ( 1  2) */		srl	%o0,0,%o2
+/* 0x14d4	1641 ( 1  2) */		add	%o3,%o1,%o0
+/* 0x14d8	1642 ( 2  3) */		add	%o0,%o2,%o0
+/* 0x14dc	1643 ( 2  3) */		st	%o0,[%g3-4]
+/* 0x14e0	1644 ( 2  3) */		subcc	%i2,%o7,%g0
+/* 0x14e4	1645 ( 2  3) */		bcc,pn	%icc,.L77770061	! tprob=0.50
+/* 0x14e8	     ( 3  4) */		srlx	%o0,32,%o5
+
+!
+! ENTRY .L77000058
+!
+
+                                   .L77000058:		/* frequency 1.0 confidence 0.0 */
+/* 0x14ec	1648 ( 0  2) */		ldx	[%g2],%o2
+
+!
+! ENTRY .L990000160
+!
+
+                                   .L990000160:		/* frequency 1.0 confidence 0.0 */
+/* 0x14f0	1650 ( 0  1) */		sllx	%o2,19,%o3
+/* 0x14f4	1651 ( 0  2) */		ldx	[%g5],%o0
+/* 0x14f8	1652 ( 0  1) */		add	%i2,1,%i2
+/* 0x14fc	1653 ( 1  2) */		srl	%o5,0,%o1
+/* 0x1500	1654 ( 1  3) */		ld	[%g4],%o2
+/* 0x1504	1655 ( 1  2) */		add	%g2,16,%g2
+/* 0x1508	1656 ( 2  3) */		add	%o0,%o3,%o0
+/* 0x150c	1657 ( 2  3) */		add	%g5,16,%g5
+/* 0x1510	1658 ( 3  4) */		add	%o0,%o2,%o0
+/* 0x1514	1659 ( 3  4) */		add	%g4,4,%g4
+/* 0x1518	1660 ( 4  5) */		add	%o0,%o1,%o0
+/* 0x151c	1661 ( 4  5) */		st	%o0,[%g3]
+/* 0x1520	1662 ( 4  5) */		subcc	%i2,%o7,%g0
+/* 0x1524	1663 ( 5  6) */		srlx	%o0,32,%o5
+/* 0x1528	1664 ( 5  6) */		add	%g3,4,%g3
+/* 0x152c	1665 ( 5  6) */		bcs,a,pt	%icc,.L990000160	! tprob=0.50
+/* 0x1530	     ( 6  8) */		ldx	[%g2],%o2
+
+!
+! ENTRY .L77770061
+!
+
+                                   .L77770061:		/* frequency 1.0 confidence 0.0 */
+/* 0x1534	     ( 0  2) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x1538	     ( 2  3) */		restore	%g0,%o5,%o0
+
+
+
+
+/* 0x11a8	1441 ( 0  0) */		.type	mul_add,2
+/* 0x11a8	1442 ( 0  0) */		.size	mul_add,(.-mul_add)
+/* 0x11a8	1445 ( 0  0) */		.align	16
+/* 0x11b0	1451 ( 0  0) */		.global	mul_add_inp
+
+!
+! ENTRY mul_add_inp
+!
+
+                                   	.global mul_add_inp
+                                   mul_add_inp:		/* frequency 1.0 confidence 0.0 */
+/* 0x11b0	1453 ( 0  1) */		or	%g0,%o2,%g1
+/* 0x11b4	1454 ( 0  1) */		or	%g0,%o3,%o4
+/* 0x11b8	1455 ( 1  2) */		or	%g0,%o0,%g3
+/* 0x11bc	1456 ( 1  2) */		or	%g0,%o1,%g2
+/* 0x11c0	1466 ( 2  3) */		or	%g0,%g1,%o3
+/* 0x11c4	1467 ( 2  3) */		or	%g0,%g3,%o1
+/* 0x11c8	1468 ( 3  4) */		or	%g0,%g2,%o2
+/* 0x11cc	1469 ( 3  4) */		or	%g0,%o7,%g1
+/* 0x11d0	1470 ( 4  6) */		call	mul_add	! params = 	! Result = 
+/* 0x11d4	     ( 5  6) */		or	%g0,%g1,%o7
+/* 0x11d8	1472 ( 0  0) */		.type	mul_add_inp,2
+/* 0x11d8	1473 ( 0  0) */		.size	mul_add_inp,(.-mul_add_inp)
+
+	.section	".data",#alloc,#write
+/* 0x11d8	   6 ( 0  0) */		.align	8
+
+!
+! ENTRY mask_cnst
+!
+
+                                   mask_cnst:		/* frequency 1.0 confidence 0.0 */
+/* 0x11d8	   8 ( 0  0) */		.word	-2147483648
+/* 0x11dc	   9 ( 0  0) */		.word	-2147483648
+/* 0x11e0	  10 ( 0  0) */		.type	mask_cnst,#object
+/* 0x11e0	  11 ( 0  0) */		.size	mask_cnst,8
+
diff --git a/security/nss/lib/freebl/mpi/mpv_sparcv9.s b/security/nss/lib/freebl/mpi/mpv_sparcv9.s
new file mode 100644
index 000000000..1a7997e4a
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpv_sparcv9.s
@@ -0,0 +1,1673 @@
+!/*
+! * The contents of this file are subject to the Mozilla Public
+! * License Version 1.1 (the "License"); you may not use this file
+! * except in compliance with the License. You may obtain a copy of
+! * the License at http://www.mozilla.org/MPL/
+! * 
+! * Software distributed under the License is distributed on an "AS
+! * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+! * implied. See the License for the specific language governing
+! * rights and limitations under the License.
+! * 
+! * The Original Code is a SPARC/VIS optimized multiply and add function
+! *
+! * The Initial Developer of the Original Code is Sun Microsystems Inc.
+! * Portions created by Sun Microsystems Inc. are 
+! * Copyright (C) 1999-2000 Sun Microsystems Inc.  All Rights Reserved.
+! * 
+! * Contributor(s):
+! * 
+! * Alternatively, the contents of this file may be used under the
+! * terms of the GNU General Public License Version 2 or later (the
+! * "GPL"), in which case the provisions of the GPL are applicable 
+! * instead of those above.   If you wish to allow use of your 
+! * version of this file only under the terms of the GPL and not to
+! * allow others to use your version of this file under the MPL,
+! * indicate your decision by deleting the provisions above and
+! * replace them with the notice and other provisions required by
+! * the GPL.  If you do not delete the provisions above, a recipient
+! * may use your version of this file under either the MPL or the
+! * GPL.
+! *  $Id$
+! */
+
+	.section	".text",#alloc,#execinstr
+/* 000000	   0 ( 0  0) */		.register	%g2,#scratch
+/* 000000	     ( 0  0) */		.register	%g3,#scratch
+/* 000000	   3 ( 0  0) */		.file	"mpv_sparc.c"
+/* 000000	  15 ( 0  0) */		.align	8
+!
+! SUBROUTINE .L_const_seg_900000101
+!
+! OFFSET    SOURCE LINE	LABEL	INSTRUCTION	(ISSUE TIME)	(COMPLETION TIME)
+
+                                   .L_const_seg_900000101:		/* frequency 1.0 confidence 0.0 */
+/* 000000	  20 ( 0  0) */		.word	1127219200,0
+/* 0x0008	  21 ( 0  0) */		.word	1105199103,-4194304
+/* 0x0010	  22 ( 0  0) */		.align	8
+/* 0x0010	  28 ( 0  0) */		.global	mul_add
+
+!
+! ENTRY mul_add
+!
+
+                                   	.global mul_add
+                                   mul_add:		/* frequency 1.0 confidence 0.0 */
+/* 0x0010	  30 ( 0  1) */		sethi	%hi(0x1c00),%g1
+/* 0x0014	  31 ( 0  1) */		sethi	%hi(mask_cnst),%g2
+/* 0x0018	  32 ( 1  2) */		xor	%g1,-48,%g1
+/* 0x001c	  33 ( 1  2) */		add	%g2,%lo(mask_cnst),%g2
+/* 0x0020	  34 ( 2  3) */		save	%sp,%g1,%sp
+
+!
+! ENTRY .L900000149
+!
+
+                                   .L900000149:		/* frequency 1.0 confidence 0.0 */
+/* 0x0024	  36 ( 0  2) */		call	(.+0x8)	! params = 	! Result = 
+/* 0x0028	     ( 1  2) */		sethi	%hi((_GLOBAL_OFFSET_TABLE_-(.L900000149-.))),%g5
+/* 0x002c	 178 ( 2  3) */		sethi	%hi(.L_const_seg_900000101),%g3
+/* 0x0030	 179 ( 2  3) */		add	%g5,%lo((_GLOBAL_OFFSET_TABLE_-(.L900000149-.))),%g5
+/* 0x0034	 180 ( 3  4) */		add	%g3,%lo(.L_const_seg_900000101),%g3
+/* 0x0038	 181 ( 3  4) */		add	%g5,%o7,%o1
+/* 0x003c	 182 ( 4  5) */		sethi	%hi(0x80000),%g4
+/* 0x0040	 183 ( 4  6) */		ldx	[%o1+%g2],%g2
+/* 0x0044	 184 ( 4  5) */		or	%g0,%i2,%o2
+/* 0x0048	 185 ( 5  6) */		subcc	%i4,%g4,%g0
+/* 0x004c	 186 ( 5  7) */		ldx	[%o1+%g3],%o0
+/* 0x0050	 187 ( 6  7) */		or	%g0,%i0,%o7
+/* 0x0054	 188 ( 6  7) */		or	%g0,%i1,%o5
+/* 0x0058	 189 ( 6  9) */		ldd	[%g2],%f0
+/* 0x005c	 190 ( 6  7) */		bcc,pn	%icc,.L77000048	! tprob=0.50
+/* 0x0060	     ( 7  8) */		subcc	%i3,8,%g0
+/* 0x0064	 192 ( 7  8) */		bne,pn	%icc,.L900000158	! tprob=0.50
+/* 0x0068	     ( 8  9) */		subcc	%i3,16,%g0
+/* 0x006c	 194 ( 9 12) */		ldd	[%o2],%f4
+/* 0x0070	 195 (10 11) */		st	%i4,[%sp+2287]
+/* 0x0074	 196 (11 14) */		ldd	[%o0],%f8
+/* 0x0078	 197 (11 13) */		fxnor	%f0,%f4,%f4
+/* 0x007c	 198 (12 15) */		ldd	[%o2+8],%f10
+/* 0x0080	 199 (13 16) */		fitod	%f4,%f12
+/* 0x0084	 200 (13 16) */		ldd	[%o0+8],%f14
+/* 0x0088	 201 (14 17) */		ld	[%sp+2287],%f7
+/* 0x008c	 202 (14 17) */		fitod	%f5,%f4
+/* 0x0090	 203 (15 17) */		fxnor	%f0,%f10,%f10
+/* 0x0094	 204 (15 18) */		ldd	[%o2+16],%f16
+/* 0x0098	 205 (16 19) */		ldd	[%o2+24],%f18
+/* 0x009c	 206 (17 20) */		fsubd	%f14,%f4,%f4
+/* 0x00a0	 210 (17 20) */		ld	[%i1],%g2
+/* 0x00a4	 211 (18 20) */		fxnor	%f0,%f16,%f16
+/* 0x00a8	 212 (18 21) */		ld	[%i1+4],%g3
+/* 0x00ac	 213 (19 22) */		ld	[%i1+8],%g4
+/* 0x00b0	 214 (20 23) */		fitod	%f16,%f20
+/* 0x00b4	 215 (20 23) */		ld	[%i1+16],%o0
+/* 0x00b8	 216 (21 24) */		ld	[%i1+12],%g5
+/* 0x00bc	 217 (22 25) */		ld	[%i1+20],%o1
+/* 0x00c0	 218 (23 26) */		ld	[%i1+24],%o2
+/* 0x00c4	 219 (24 25) */		fmovs	%f8,%f6
+/* 0x00c8	 220 (24 27) */		ld	[%i1+28],%o3
+/* 0x00cc	 221 (26 29) */		fsubd	%f6,%f8,%f6
+/* 0x00d0	 222 (27 30) */		fsubd	%f14,%f12,%f8
+/* 0x00d4	 223 (28 31) */		fitod	%f10,%f12
+/* 0x00d8	 224 (29 32) */		fmuld	%f4,%f6,%f4
+/* 0x00dc	 225 (29 32) */		fitod	%f11,%f10
+/* 0x00e0	 226 (30 33) */		fmuld	%f8,%f6,%f8
+/* 0x00e4	 227 (31 34) */		fsubd	%f14,%f12,%f12
+/* 0x00e8	 228 (32 35) */		fdtox	%f4,%f4
+/* 0x00ec	 229 (32 33) */		std	%f4,[%sp+2271]
+/* 0x00f0	 230 (33 36) */		fdtox	%f8,%f8
+/* 0x00f4	 231 (33 34) */		std	%f8,[%sp+2279]
+/* 0x00f8	 232 (34 37) */		fmuld	%f12,%f6,%f12
+/* 0x00fc	 233 (34 37) */		fsubd	%f14,%f10,%f10
+/* 0x0100	 234 (35 38) */		fsubd	%f14,%f20,%f4
+/* 0x0104	 235 (36 39) */		fitod	%f17,%f8
+/* 0x0108	 236 (37 39) */		fxnor	%f0,%f18,%f16
+/* 0x010c	 237 (37 39) */		ldx	[%sp+2279],%o4
+/* 0x0110	 238 (37 40) */		fmuld	%f10,%f6,%f10
+/* 0x0114	 239 (38 41) */		fdtox	%f12,%f12
+/* 0x0118	 240 (38 39) */		std	%f12,[%sp+2263]
+/* 0x011c	 241 (38 41) */		fmuld	%f4,%f6,%f4
+/* 0x0120	 242 (39 42) */		fitod	%f16,%f18
+/* 0x0124	 243 (39 40) */		add	%o4,%g2,%g2
+/* 0x0128	 244 (39 40) */		st	%g2,[%i0]
+/* 0x012c	 245 (40 42) */		ldx	[%sp+2271],%o4
+/* 0x0130	 246 (40 43) */		fsubd	%f14,%f8,%f8
+/* 0x0134	 247 (40 41) */		srax	%g2,32,%o5
+/* 0x0138	 248 (41 44) */		fdtox	%f10,%f10
+/* 0x013c	 249 (41 42) */		std	%f10,[%sp+2255]
+/* 0x0140	 250 (42 45) */		fdtox	%f4,%f4
+/* 0x0144	 251 (42 43) */		std	%f4,[%sp+2247]
+/* 0x0148	 252 (42 43) */		add	%o4,%g3,%o4
+/* 0x014c	 253 (43 46) */		fitod	%f17,%f12
+/* 0x0150	 254 (43 45) */		ldx	[%sp+2263],%g2
+/* 0x0154	 255 (43 44) */		add	%o4,%o5,%g3
+/* 0x0158	 256 (43 46) */		fmuld	%f8,%f6,%f8
+/* 0x015c	 257 (44 47) */		fsubd	%f14,%f18,%f10
+/* 0x0160	 258 (44 45) */		st	%g3,[%i0+4]
+/* 0x0164	 259 (44 45) */		srax	%g3,32,%g3
+/* 0x0168	 260 (45 46) */		add	%g2,%g4,%g4
+/* 0x016c	 261 (45 47) */		ldx	[%sp+2255],%g2
+/* 0x0170	 262 (46 49) */		fsubd	%f14,%f12,%f4
+/* 0x0174	 263 (46 47) */		add	%g4,%g3,%g3
+/* 0x0178	 264 (46 48) */		ldx	[%sp+2247],%g4
+/* 0x017c	 265 (47 50) */		fmuld	%f10,%f6,%f10
+/* 0x0180	 266 (47 50) */		fdtox	%f8,%f8
+/* 0x0184	 267 (47 48) */		std	%f8,[%sp+2239]
+/* 0x0188	 268 (48 49) */		add	%g4,%o0,%g4
+/* 0x018c	 269 (48 49) */		add	%g2,%g5,%g2
+/* 0x0190	 270 (48 49) */		st	%g3,[%i0+8]
+/* 0x0194	 271 (49 52) */		fmuld	%f4,%f6,%f4
+/* 0x0198	 272 (49 50) */		srax	%g3,32,%o0
+/* 0x019c	 273 (49 51) */		ldx	[%sp+2239],%g5
+/* 0x01a0	 274 (50 53) */		fdtox	%f10,%f6
+/* 0x01a4	 275 (50 51) */		std	%f6,[%sp+2231]
+/* 0x01a8	 276 (50 51) */		add	%g2,%o0,%g2
+/* 0x01ac	 277 (51 52) */		srax	%g2,32,%g3
+/* 0x01b0	 278 (51 52) */		add	%g5,%o1,%o1
+/* 0x01b4	 279 (51 52) */		st	%g2,[%i0+12]
+/* 0x01b8	 280 (52 55) */		fdtox	%f4,%f4
+/* 0x01bc	 281 (52 53) */		std	%f4,[%sp+2223]
+/* 0x01c0	 282 (52 53) */		add	%g4,%g3,%g3
+/* 0x01c4	 283 (53 54) */		srax	%g3,32,%g4
+/* 0x01c8	 284 (53 54) */		st	%g3,[%i0+16]
+/* 0x01cc	 285 (54 56) */		ldx	[%sp+2231],%o0
+/* 0x01d0	 286 (54 55) */		add	%o1,%g4,%g4
+/* 0x01d4	 287 (55 56) */		srax	%g4,32,%g2
+/* 0x01d8	 288 (55 57) */		ldx	[%sp+2223],%g5
+/* 0x01dc	 289 (56 57) */		add	%o0,%o2,%o2
+/* 0x01e0	 290 (56 57) */		st	%g4,[%i0+20]
+/* 0x01e4	 291 (57 58) */		add	%o2,%g2,%g2
+/* 0x01e8	 292 (57 58) */		add	%g5,%o3,%g5
+/* 0x01ec	 293 (57 58) */		st	%g2,[%i0+24]
+/* 0x01f0	 294 (58 59) */		srax	%g2,32,%g3
+/* 0x01f4	 295 (59 60) */		add	%g5,%g3,%g2
+/* 0x01f8	 296 (59 60) */		st	%g2,[%i0+28]
+/* 0x01fc	 300 (60 61) */		srax	%g2,32,%o3
+/* 0x0200	 301 (61 62) */		srl	%o3,0,%i0
+/* 0x0204	     (62 64) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x0208	     (64 65) */		restore	%g0,%g0,%g0
+
+!
+! ENTRY .L900000158
+!
+
+                                   .L900000158:		/* frequency 1.0 confidence 0.0 */
+/* 0x020c	 308 ( 0  1) */		bne,a,pn	%icc,.L900000157	! tprob=0.50
+/* 0x0210	     ( 0  1) */		st	%i4,[%sp+2223]
+/* 0x0214	 315 ( 1  4) */		ldd	[%o2],%f4
+/* 0x0218	 316 ( 2  3) */		st	%i4,[%sp+2351]
+/* 0x021c	 317 ( 3  6) */		ldd	[%o0],%f8
+/* 0x0220	 318 ( 3  5) */		fxnor	%f0,%f4,%f4
+/* 0x0224	 319 ( 4  7) */		ldd	[%o2+8],%f10
+/* 0x0228	 320 ( 5  8) */		ldd	[%o0+8],%f14
+/* 0x022c	 321 ( 5  8) */		fitod	%f4,%f12
+/* 0x0230	 322 ( 6  9) */		ld	[%sp+2351],%f7
+/* 0x0234	 323 ( 6  8) */		fxnor	%f0,%f10,%f10
+/* 0x0238	 324 ( 7 10) */		ldd	[%o2+16],%f16
+/* 0x023c	 325 ( 7 10) */		fitod	%f5,%f4
+/* 0x0240	 326 ( 8 11) */		ldd	[%o2+24],%f18
+/* 0x0244	 330 ( 9 12) */		ldd	[%o2+32],%f20
+/* 0x0248	 331 ( 9 11) */		fxnor	%f0,%f16,%f16
+/* 0x024c	 335 (10 13) */		ld	[%i1],%g2
+/* 0x0250	 336 (10 13) */		fsubd	%f14,%f4,%f4
+/* 0x0254	 337 (11 14) */		ldd	[%o2+40],%f22
+/* 0x0258	 338 (11 14) */		fitod	%f16,%f28
+/* 0x025c	 339 (12 15) */		ld	[%i1+4],%g3
+/* 0x0260	 340 (13 16) */		ld	[%i1+8],%g4
+/* 0x0264	 341 (13 15) */		fxnor	%f0,%f22,%f22
+/* 0x0268	 342 (14 17) */		ld	[%i1+12],%g5
+/* 0x026c	 343 (15 18) */		ld	[%i1+16],%o0
+/* 0x0270	 344 (16 19) */		ldd	[%o2+48],%f24
+/* 0x0274	 345 (17 20) */		ld	[%i1+20],%o1
+/* 0x0278	 346 (17 18) */		fmovs	%f8,%f6
+/* 0x027c	 347 (18 21) */		ldd	[%o2+56],%f26
+/* 0x0280	 348 (19 22) */		ld	[%i1+24],%o2
+/* 0x0284	 349 (19 22) */		fsubd	%f6,%f8,%f6
+/* 0x0288	 350 (20 23) */		ld	[%i1+28],%o3
+/* 0x028c	 351 (20 23) */		fsubd	%f14,%f12,%f8
+/* 0x0290	 355 (21 24) */		ld	[%i1+32],%o4
+/* 0x0294	 356 (21 24) */		fitod	%f10,%f12
+/* 0x0298	 357 (22 25) */		ld	[%i1+36],%o7
+/* 0x029c	 358 (22 25) */		fitod	%f11,%f10
+/* 0x02a0	 359 (22 25) */		fmuld	%f4,%f6,%f4
+/* 0x02a4	 360 (23 26) */		ld	[%i1+40],%l1
+/* 0x02a8	 361 (23 26) */		fmuld	%f8,%f6,%f8
+/* 0x02ac	 362 (24 27) */		ld	[%i1+56],%l5
+/* 0x02b0	 363 (24 27) */		fsubd	%f14,%f12,%f12
+/* 0x02b4	 364 (25 28) */		fsubd	%f14,%f10,%f10
+/* 0x02b8	 365 (26 29) */		fdtox	%f8,%f8
+/* 0x02bc	 366 (26 27) */		std	%f8,[%sp+2343]
+/* 0x02c0	 367 (27 30) */		fitod	%f17,%f8
+/* 0x02c4	 368 (27 30) */		fmuld	%f12,%f6,%f12
+/* 0x02c8	 369 (28 31) */		fdtox	%f4,%f4
+/* 0x02cc	 370 (28 29) */		std	%f4,[%sp+2335]
+/* 0x02d0	 371 (28 31) */		fmuld	%f10,%f6,%f10
+/* 0x02d4	 372 (29 31) */		fxnor	%f0,%f18,%f16
+/* 0x02d8	 373 (30 33) */		fdtox	%f12,%f12
+/* 0x02dc	 374 (30 31) */		std	%f12,[%sp+2327]
+/* 0x02e0	 375 (31 33) */		ldx	[%sp+2343],%o5
+/* 0x02e4	 376 (31 34) */		fsubd	%f14,%f8,%f8
+/* 0x02e8	 377 (32 35) */		fsubd	%f14,%f28,%f4
+/* 0x02ec	 378 (33 36) */		fitod	%f17,%f12
+/* 0x02f0	 379 (33 34) */		add	%o5,%g2,%g2
+/* 0x02f4	 380 (33 34) */		st	%g2,[%i0]
+/* 0x02f8	 381 (34 36) */		ldx	[%sp+2335],%o5
+/* 0x02fc	 382 (34 37) */		fitod	%f16,%f18
+/* 0x0300	 383 (34 35) */		srax	%g2,32,%l0
+/* 0x0304	 384 (35 37) */		fxnor	%f0,%f20,%f16
+/* 0x0308	 385 (35 38) */		fmuld	%f8,%f6,%f20
+/* 0x030c	 386 (36 39) */		fdtox	%f10,%f10
+/* 0x0310	 387 (36 37) */		std	%f10,[%sp+2319]
+/* 0x0314	 388 (36 37) */		add	%o5,%g3,%g3
+/* 0x0318	 389 (36 39) */		fmuld	%f4,%f6,%f4
+/* 0x031c	 390 (37 40) */		fitod	%f16,%f8
+/* 0x0320	 391 (37 38) */		add	%g3,%l0,%g3
+/* 0x0324	 392 (37 38) */		st	%g3,[%i0+4]
+/* 0x0328	 393 (38 40) */		ldx	[%sp+2327],%o5
+/* 0x032c	 394 (38 41) */		fsubd	%f14,%f18,%f18
+/* 0x0330	 395 (38 39) */		srax	%g3,32,%l3
+/* 0x0334	 396 (39 41) */		ldx	[%sp+2319],%l2
+/* 0x0338	 397 (39 42) */		fdtox	%f4,%f4
+/* 0x033c	 398 (40 41) */		std	%f4,[%sp+2311]
+/* 0x0340	 399 (40 43) */		fdtox	%f20,%f20
+/* 0x0344	 400 (40 41) */		add	%o5,%g4,%g4
+/* 0x0348	 401 (41 42) */		std	%f20,[%sp+2303]
+/* 0x034c	 402 (41 44) */		fsubd	%f14,%f12,%f4
+/* 0x0350	 403 (41 42) */		add	%g4,%l3,%g4
+/* 0x0354	 404 (41 44) */		fmuld	%f18,%f6,%f18
+/* 0x0358	 405 (42 43) */		st	%g4,[%i0+8]
+/* 0x035c	 406 (42 45) */		fitod	%f17,%f16
+/* 0x0360	 407 (42 43) */		srax	%g4,32,%l4
+/* 0x0364	 408 (43 46) */		ld	[%i1+44],%l0
+/* 0x0368	 409 (43 46) */		fsubd	%f14,%f8,%f20
+/* 0x036c	 410 (43 44) */		add	%l2,%g5,%l2
+/* 0x0370	 411 (44 46) */		ldx	[%sp+2311],%g5
+/* 0x0374	 412 (44 47) */		fitod	%f22,%f8
+/* 0x0378	 413 (44 45) */		add	%l2,%l4,%l2
+/* 0x037c	 414 (44 47) */		fmuld	%f4,%f6,%f4
+/* 0x0380	 415 (45 46) */		st	%l2,[%i0+12]
+/* 0x0384	 416 (45 48) */		fsubd	%f14,%f16,%f10
+/* 0x0388	 417 (46 49) */		ld	[%i1+52],%l3
+/* 0x038c	 418 (46 49) */		fdtox	%f18,%f18
+/* 0x0390	 419 (46 47) */		add	%g5,%o0,%l4
+/* 0x0394	 420 (46 49) */		fmuld	%f20,%f6,%f12
+/* 0x0398	 421 (47 48) */		std	%f18,[%sp+2295]
+/* 0x039c	 422 (47 48) */		srax	%l2,32,%o0
+/* 0x03a0	 423 (47 50) */		fitod	%f23,%f16
+/* 0x03a4	 424 (48 51) */		ld	[%i1+48],%o5
+/* 0x03a8	 425 (48 51) */		fsubd	%f14,%f8,%f8
+/* 0x03ac	 426 (48 49) */		add	%l4,%o0,%l4
+/* 0x03b0	 427 (49 50) */		st	%l4,[%i0+16]
+/* 0x03b4	 428 (49 50) */		srax	%l4,32,%o0
+/* 0x03b8	 429 (49 51) */		fxnor	%f0,%f24,%f18
+/* 0x03bc	 430 (50 52) */		ldx	[%sp+2303],%g5
+/* 0x03c0	 431 (50 53) */		fdtox	%f4,%f4
+/* 0x03c4	 432 (51 52) */		std	%f4,[%sp+2287]
+/* 0x03c8	 433 (51 54) */		fdtox	%f12,%f12
+/* 0x03cc	 434 (51 54) */		fmuld	%f10,%f6,%f4
+/* 0x03d0	 435 (52 53) */		std	%f12,[%sp+2279]
+/* 0x03d4	 436 (52 55) */		fsubd	%f14,%f16,%f12
+/* 0x03d8	 437 (52 53) */		add	%g5,%o1,%g2
+/* 0x03dc	 438 (52 55) */		fmuld	%f8,%f6,%f8
+/* 0x03e0	 439 (53 55) */		ldx	[%sp+2295],%g5
+/* 0x03e4	 440 (53 56) */		fitod	%f18,%f10
+/* 0x03e8	 441 (53 54) */		add	%g2,%o0,%g2
+/* 0x03ec	 442 (54 55) */		st	%g2,[%i0+20]
+/* 0x03f0	 443 (54 57) */		fitod	%f19,%f16
+/* 0x03f4	 444 (54 55) */		srax	%g2,32,%o0
+/* 0x03f8	 445 (55 58) */		fdtox	%f8,%f8
+/* 0x03fc	 446 (55 56) */		std	%f8,[%sp+2263]
+/* 0x0400	 447 (55 56) */		add	%g5,%o2,%g3
+/* 0x0404	 448 (56 58) */		ldx	[%sp+2287],%g5
+/* 0x0408	 449 (56 59) */		fsubd	%f14,%f10,%f10
+/* 0x040c	 450 (56 57) */		add	%g3,%o0,%g3
+/* 0x0410	 451 (57 58) */		st	%g3,[%i0+24]
+/* 0x0414	 452 (57 60) */		fsubd	%f14,%f16,%f8
+/* 0x0418	 453 (57 58) */		srax	%g3,32,%o0
+/* 0x041c	 454 (58 61) */		fdtox	%f4,%f4
+/* 0x0420	 455 (58 59) */		std	%f4,[%sp+2271]
+/* 0x0424	 456 (58 59) */		add	%g5,%o3,%g4
+/* 0x0428	 457 (59 61) */		fxnor	%f0,%f26,%f18
+/* 0x042c	 458 (59 62) */		fmuld	%f12,%f6,%f4
+/* 0x0430	 459 (59 60) */		add	%g4,%o0,%g4
+/* 0x0434	 460 (60 61) */		st	%g4,[%i0+28]
+/* 0x0438	 461 (60 63) */		fmuld	%f10,%f6,%f10
+/* 0x043c	 462 (60 61) */		srax	%g4,32,%o0
+/* 0x0440	 463 (61 63) */		ldx	[%sp+2279],%g5
+/* 0x0444	 464 (61 64) */		fitod	%f18,%f12
+/* 0x0448	 465 (61 64) */		fmuld	%f8,%f6,%f8
+/* 0x044c	 466 (62 65) */		fdtox	%f4,%f4
+/* 0x0450	 467 (62 63) */		std	%f4,[%sp+2255]
+/* 0x0454	 468 (63 64) */		add	%g5,%o4,%l2
+/* 0x0458	 469 (63 65) */		ldx	[%sp+2271],%g5
+/* 0x045c	 470 (63 66) */		fdtox	%f10,%f16
+/* 0x0460	 471 (64 67) */		fsubd	%f14,%f12,%f4
+/* 0x0464	 472 (64 65) */		std	%f16,[%sp+2247]
+/* 0x0468	 473 (64 65) */		add	%l2,%o0,%l2
+/* 0x046c	 474 (65 68) */		fdtox	%f8,%f8
+/* 0x0470	 475 (65 66) */		std	%f8,[%sp+2239]
+/* 0x0474	 476 (65 66) */		add	%g5,%o7,%l4
+/* 0x0478	 477 (66 69) */		fitod	%f19,%f10
+/* 0x047c	 478 (66 68) */		ldx	[%sp+2263],%g5
+/* 0x0480	 479 (66 67) */		srax	%l2,32,%o0
+/* 0x0484	 480 (67 68) */		add	%l4,%o0,%l4
+/* 0x0488	 481 (67 70) */		fmuld	%f4,%f6,%f4
+/* 0x048c	 482 (67 69) */		ldx	[%sp+2255],%o0
+/* 0x0490	 483 (68 69) */		srax	%l4,32,%o1
+/* 0x0494	 484 (68 69) */		add	%g5,%l1,%l1
+/* 0x0498	 485 (68 69) */		st	%l2,[%i0+32]
+/* 0x049c	 486 (69 72) */		fsubd	%f14,%f10,%f8
+/* 0x04a0	 487 (69 71) */		ldx	[%sp+2239],%o3
+/* 0x04a4	 488 (69 70) */		add	%l1,%o1,%o1
+/* 0x04a8	 489 (70 72) */		ldx	[%sp+2247],%g5
+/* 0x04ac	 490 (70 71) */		srax	%o1,32,%o2
+/* 0x04b0	 491 (70 71) */		add	%o0,%l0,%o0
+/* 0x04b4	 492 (71 74) */		fdtox	%f4,%f4
+/* 0x04b8	 493 (71 72) */		std	%f4,[%sp+2231]
+/* 0x04bc	 494 (71 72) */		add	%o0,%o2,%o2
+/* 0x04c0	 495 (72 73) */		add	%o3,%l3,%l3
+/* 0x04c4	 496 (72 75) */		fmuld	%f8,%f6,%f4
+/* 0x04c8	 497 (72 73) */		add	%g5,%o5,%g5
+/* 0x04cc	 498 (73 74) */		srax	%o2,32,%o3
+/* 0x04d0	 499 (73 74) */		st	%l4,[%i0+36]
+/* 0x04d4	 500 (74 75) */		add	%g5,%o3,%g2
+/* 0x04d8	 501 (74 76) */		ldx	[%sp+2231],%o0
+/* 0x04dc	 502 (75 76) */		srax	%g2,32,%g3
+/* 0x04e0	 503 (75 78) */		fdtox	%f4,%f4
+/* 0x04e4	 504 (75 76) */		std	%f4,[%sp+2223]
+/* 0x04e8	 505 (76 77) */		st	%o1,[%i0+40]
+/* 0x04ec	 506 (76 77) */		add	%l3,%g3,%g3
+/* 0x04f0	 507 (76 77) */		add	%o0,%l5,%g5
+/* 0x04f4	 508 (77 78) */		st	%o2,[%i0+44]
+/* 0x04f8	 509 (77 78) */		srax	%g3,32,%g4
+/* 0x04fc	 510 (78 79) */		st	%g2,[%i0+48]
+/* 0x0500	 511 (78 79) */		add	%g5,%g4,%g4
+/* 0x0504	 512 (79 80) */		st	%g3,[%i0+52]
+/* 0x0508	 513 (79 80) */		srax	%g4,32,%g5
+/* 0x050c	 514 (80 83) */		ld	[%i1+60],%g3
+/* 0x0510	 515 (81 83) */		ldx	[%sp+2223],%g2
+/* 0x0514	 516 (82 83) */		st	%g4,[%i0+56]
+/* 0x0518	 517 (83 84) */		add	%g2,%g3,%g2
+/* 0x051c	 518 (84 85) */		add	%g2,%g5,%g2
+/* 0x0520	 519 (84 85) */		st	%g2,[%i0+60]
+/* 0x0524	 523 (85 86) */		srax	%g2,32,%o3
+/* 0x0528	 524 (86 87) */		srl	%o3,0,%i0
+/* 0x052c	     (87 89) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x0530	     (89 90) */		restore	%g0,%g0,%g0
+
+!
+! ENTRY .L900000157
+!
+
+                                   .L900000157:		/* frequency 1.0 confidence 0.0 */
+/* 0x0534	 532 ( 0  1) */		fmovd	%f0,%f14
+/* 0x0538	 533 ( 0  3) */		ldd	[%o0],%f8
+/* 0x053c	 539 ( 0  1) */		add	%i3,1,%g2
+/* 0x0540	 540 ( 1  4) */		ld	[%sp+2223],%f7
+/* 0x0544	 541 ( 1  2) */		srl	%g2,31,%g3
+/* 0x0548	 545 ( 1  2) */		add	%fp,-217,%g4
+/* 0x054c	 546 ( 2  3) */		add	%g2,%g3,%g2
+/* 0x0550	 547 ( 2  3) */		or	%g0,0,%g5
+/* 0x0554	 548 ( 2  5) */		ldd	[%o0+8],%f18
+/* 0x0558	 549 ( 3  4) */		fmovs	%f8,%f6
+/* 0x055c	 550 ( 3  4) */		sra	%g2,1,%o1
+/* 0x0560	 551 ( 3  4) */		or	%g0,0,%o0
+/* 0x0564	 552 ( 4  5) */		subcc	%o1,0,%g0
+/* 0x0568	 553 ( 5  6) */		or	%g0,%o1,%o3
+/* 0x056c	 554 ( 5  8) */		fsubd	%f6,%f8,%f16
+/* 0x0570	 555 ( 5  6) */		ble,pt	%icc,.L900000156	! tprob=0.50
+/* 0x0574	     ( 6  7) */		subcc	%i3,0,%g0
+/* 0x0578	 557 ( 6  7) */		sub	%o1,1,%g2
+/* 0x057c	 558 ( 7  8) */		or	%g0,0,%i0
+/* 0x0580	 559 ( 7  8) */		or	%g0,1,%g3
+/* 0x0584	 560 ( 8  9) */		subcc	%o3,10,%g0
+/* 0x0588	 561 ( 8  9) */		bl,pn	%icc,.L77000077	! tprob=0.50
+/* 0x058c	     ( 9 10) */		or	%g0,0,%o1
+/* 0x0590	 563 ( 9 12) */		ldd	[%i2+8],%f0
+/* 0x0594	 564 ( 9 10) */		sub	%o3,3,%o3
+/* 0x0598	 565 (10 13) */		ldd	[%i2],%f2
+/* 0x059c	 566 (10 11) */		or	%g0,7,%o0
+/* 0x05a0	 567 (10 11) */		or	%g0,2,%i0
+/* 0x05a4	 568 (11 13) */		fxnor	%f14,%f0,%f8
+/* 0x05a8	 569 (11 14) */		ldd	[%i2+16],%f4
+/* 0x05ac	 570 (11 12) */		or	%g0,16,%o2
+/* 0x05b0	 571 (12 14) */		fxnor	%f14,%f2,%f2
+/* 0x05b4	 572 (12 15) */		ldd	[%i2+24],%f6
+/* 0x05b8	 573 (12 13) */		or	%g0,48,%o4
+/* 0x05bc	 574 (13 16) */		fitod	%f8,%f12
+/* 0x05c0	 575 (13 14) */		or	%g0,24,%o1
+/* 0x05c4	 576 (13 14) */		or	%g0,3,%g3
+/* 0x05c8	 577 (14 17) */		fitod	%f2,%f0
+/* 0x05cc	 578 (15 18) */		fitod	%f3,%f20
+/* 0x05d0	 579 (15 18) */		ldd	[%i2+32],%f2
+/* 0x05d4	 580 (16 19) */		fitod	%f9,%f10
+/* 0x05d8	 581 (16 19) */		ldd	[%i2+40],%f8
+/* 0x05dc	 582 (17 20) */		fsubd	%f18,%f0,%f0
+/* 0x05e0	 583 (18 21) */		fsubd	%f18,%f20,%f22
+/* 0x05e4	 584 (19 22) */		fsubd	%f18,%f12,%f20
+/* 0x05e8	 585 (19 22) */		ldd	[%i2+48],%f12
+/* 0x05ec	 586 (20 23) */		fsubd	%f18,%f10,%f10
+/* 0x05f0	 587 (20 23) */		fmuld	%f0,%f16,%f0
+/* 0x05f4	 588 (21 23) */		fxnor	%f14,%f4,%f4
+/* 0x05f8	 589 (21 24) */		fmuld	%f22,%f16,%f22
+/* 0x05fc	 590 (22 24) */		fxnor	%f14,%f6,%f6
+/* 0x0600	 591 (22 25) */		fmuld	%f20,%f16,%f20
+/* 0x0604	 592 (23 26) */		fdtox	%f0,%f0
+/* 0x0608	 593 (23 24) */		std	%f0,[%fp-217]
+/* 0x060c	 594 (23 26) */		fmuld	%f10,%f16,%f10
+/* 0x0610	 595 (24 27) */		fdtox	%f22,%f22
+/* 0x0614	 596 (24 25) */		std	%f22,[%fp-209]
+/* 0x0618	 597 (25 28) */		fitod	%f5,%f0
+/* 0x061c	 598 (26 29) */		fdtox	%f10,%f10
+/* 0x0620	 599 (27 30) */		fdtox	%f20,%f20
+/* 0x0624	 600 (27 28) */		std	%f20,[%fp-201]
+/* 0x0628	 601 (28 31) */		fitod	%f4,%f4
+/* 0x062c	 602 (28 29) */		std	%f10,[%fp-193]
+/* 0x0630	 603 (29 31) */		fxnor	%f14,%f2,%f10
+/* 0x0634	 604 (30 33) */		fitod	%f7,%f2
+/* 0x0638	 605 (31 34) */		fsubd	%f18,%f0,%f0
+/* 0x063c	 606 (32 35) */		fsubd	%f18,%f4,%f4
+/* 0x0640	 607 (33 35) */		fxnor	%f14,%f8,%f8
+
+!
+! ENTRY .L900000144
+!
+
+                                   .L900000144:		/* frequency 1.0 confidence 0.0 */
+/* 0x0644	 609 ( 0  3) */		fitod	%f11,%f22
+/* 0x0648	 610 ( 0  1) */		add	%o0,3,%o0
+/* 0x064c	 611 ( 0  1) */		add	%g3,6,%g3
+/* 0x0650	 612 ( 0  3) */		fmuld	%f0,%f16,%f0
+/* 0x0654	 613 ( 1  4) */		fmuld	%f4,%f16,%f24
+/* 0x0658	 614 ( 1  2) */		subcc	%o0,%o3,%g0
+/* 0x065c	 615 ( 1  2) */		add	%i0,6,%i0
+/* 0x0660	 616 ( 1  4) */		fsubd	%f18,%f2,%f2
+/* 0x0664	 617 ( 2  5) */		fitod	%f6,%f4
+/* 0x0668	 618 ( 3  6) */		fdtox	%f0,%f0
+/* 0x066c	 619 ( 3  4) */		add	%o4,8,%i1
+/* 0x0670	 620 ( 4  7) */		ldd	[%i2+%i1],%f20
+/* 0x0674	 621 ( 4  7) */		fdtox	%f24,%f6
+/* 0x0678	 622 ( 4  5) */		add	%o2,16,%o4
+/* 0x067c	 623 ( 5  8) */		fsubd	%f18,%f4,%f4
+/* 0x0680	 624 ( 5  6) */		std	%f6,[%o4+%g4]
+/* 0x0684	 625 ( 5  6) */		add	%o1,16,%o2
+/* 0x0688	 626 ( 6  8) */		fxnor	%f14,%f12,%f6
+/* 0x068c	 627 ( 6  7) */		std	%f0,[%o2+%g4]
+/* 0x0690	 628 ( 7 10) */		fitod	%f9,%f0
+/* 0x0694	 629 ( 7 10) */		fmuld	%f2,%f16,%f2
+/* 0x0698	 630 ( 8 11) */		fmuld	%f4,%f16,%f24
+/* 0x069c	 631 ( 8 11) */		fsubd	%f18,%f22,%f12
+/* 0x06a0	 632 ( 9 12) */		fitod	%f10,%f4
+/* 0x06a4	 633 (10 13) */		fdtox	%f2,%f2
+/* 0x06a8	 634 (10 11) */		add	%i1,8,%o1
+/* 0x06ac	 635 (11 14) */		ldd	[%i2+%o1],%f22
+/* 0x06b0	 636 (11 14) */		fdtox	%f24,%f10
+/* 0x06b4	 637 (11 12) */		add	%o4,16,%i4
+/* 0x06b8	 638 (12 15) */		fsubd	%f18,%f4,%f4
+/* 0x06bc	 639 (12 13) */		std	%f10,[%i4+%g4]
+/* 0x06c0	 640 (12 13) */		add	%o2,16,%i1
+/* 0x06c4	 641 (13 15) */		fxnor	%f14,%f20,%f10
+/* 0x06c8	 642 (13 14) */		std	%f2,[%i1+%g4]
+/* 0x06cc	 643 (14 17) */		fitod	%f7,%f2
+/* 0x06d0	 644 (14 17) */		fmuld	%f12,%f16,%f12
+/* 0x06d4	 645 (15 18) */		fmuld	%f4,%f16,%f24
+/* 0x06d8	 646 (15 18) */		fsubd	%f18,%f0,%f0
+/* 0x06dc	 647 (16 19) */		fitod	%f8,%f4
+/* 0x06e0	 648 (17 20) */		fdtox	%f12,%f20
+/* 0x06e4	 649 (17 18) */		add	%o1,8,%o4
+/* 0x06e8	 650 (18 21) */		ldd	[%i2+%o4],%f12
+/* 0x06ec	 651 (18 21) */		fdtox	%f24,%f8
+/* 0x06f0	 652 (18 19) */		add	%i4,16,%o2
+/* 0x06f4	 653 (19 22) */		fsubd	%f18,%f4,%f4
+/* 0x06f8	 654 (19 20) */		std	%f8,[%o2+%g4]
+/* 0x06fc	 655 (19 20) */		add	%i1,16,%o1
+/* 0x0700	 656 (20 22) */		fxnor	%f14,%f22,%f8
+/* 0x0704	 657 (20 21) */		ble,pt	%icc,.L900000144	! tprob=0.50
+/* 0x0708	     (20 21) */		std	%f20,[%o1+%g4]
+
+!
+! ENTRY .L900000147
+!
+
+                                   .L900000147:		/* frequency 1.0 confidence 0.0 */
+/* 0x070c	 660 ( 0  3) */		fitod	%f6,%f6
+/* 0x0710	 661 ( 0  3) */		fmuld	%f4,%f16,%f24
+/* 0x0714	 662 ( 0  1) */		add	%i4,32,%l4
+/* 0x0718	 663 ( 1  4) */		fsubd	%f18,%f2,%f2
+/* 0x071c	 664 ( 1  4) */		fmuld	%f0,%f16,%f22
+/* 0x0720	 665 ( 1  2) */		add	%i1,32,%l3
+/* 0x0724	 666 ( 2  5) */		fitod	%f10,%f28
+/* 0x0728	 667 ( 2  3) */		sra	%o0,0,%o2
+/* 0x072c	 668 ( 2  3) */		add	%i4,48,%l2
+/* 0x0730	 669 ( 3  6) */		fsubd	%f18,%f6,%f4
+/* 0x0734	 670 ( 3  4) */		add	%i1,48,%l1
+/* 0x0738	 671 ( 3  4) */		add	%i4,64,%l0
+/* 0x073c	 672 ( 4  7) */		fitod	%f11,%f26
+/* 0x0740	 673 ( 4  5) */		sllx	%o2,3,%o1
+/* 0x0744	 674 ( 4  5) */		add	%i1,64,%i5
+/* 0x0748	 675 ( 5  8) */		fitod	%f8,%f6
+/* 0x074c	 676 ( 5  6) */		add	%i4,80,%i4
+/* 0x0750	 677 ( 5  6) */		add	%i1,80,%i1
+/* 0x0754	 678 ( 6  8) */		fxnor	%f14,%f12,%f0
+/* 0x0758	 679 ( 6  9) */		fmuld	%f4,%f16,%f20
+/* 0x075c	 680 ( 6  7) */		add	%i4,16,%o4
+/* 0x0760	 681 ( 7 10) */		fitod	%f9,%f4
+/* 0x0764	 682 ( 7 10) */		fmuld	%f2,%f16,%f12
+/* 0x0768	 683 ( 7  8) */		add	%i1,16,%o3
+/* 0x076c	 684 ( 8 11) */		fsubd	%f18,%f28,%f10
+/* 0x0770	 685 ( 8  9) */		subcc	%o0,%g2,%g0
+/* 0x0774	 686 ( 8  9) */		add	%g3,12,%g3
+/* 0x0778	 687 ( 9 12) */		fitod	%f0,%f2
+/* 0x077c	 688 (10 13) */		fsubd	%f18,%f26,%f8
+/* 0x0780	 689 (11 14) */		fitod	%f1,%f0
+/* 0x0784	 690 (11 14) */		fmuld	%f10,%f16,%f10
+/* 0x0788	 691 (12 15) */		fdtox	%f24,%f24
+/* 0x078c	 692 (12 13) */		std	%f24,[%l4+%g4]
+/* 0x0790	 693 (12 13) */		add	%i0,12,%i0
+/* 0x0794	 694 (13 16) */		fsubd	%f18,%f6,%f6
+/* 0x0798	 695 (13 16) */		fmuld	%f8,%f16,%f8
+/* 0x079c	 696 (14 17) */		fdtox	%f22,%f22
+/* 0x07a0	 697 (14 15) */		std	%f22,[%l3+%g4]
+/* 0x07a4	 698 (15 18) */		fsubd	%f18,%f4,%f4
+/* 0x07a8	 699 (16 19) */		fdtox	%f20,%f20
+/* 0x07ac	 700 (16 17) */		std	%f20,[%l2+%g4]
+/* 0x07b0	 701 (16 19) */		fmuld	%f6,%f16,%f6
+/* 0x07b4	 702 (17 20) */		fsubd	%f18,%f2,%f2
+/* 0x07b8	 703 (18 21) */		fsubd	%f18,%f0,%f0
+/* 0x07bc	 704 (18 21) */		fmuld	%f4,%f16,%f4
+/* 0x07c0	 705 (19 22) */		fdtox	%f12,%f12
+/* 0x07c4	 706 (19 20) */		std	%f12,[%l1+%g4]
+/* 0x07c8	 707 (20 23) */		fdtox	%f10,%f10
+/* 0x07cc	 708 (20 21) */		std	%f10,[%l0+%g4]
+/* 0x07d0	 709 (20 23) */		fmuld	%f2,%f16,%f2
+/* 0x07d4	 710 (21 24) */		fdtox	%f8,%f8
+/* 0x07d8	 711 (21 22) */		std	%f8,[%i5+%g4]
+/* 0x07dc	 712 (21 24) */		fmuld	%f0,%f16,%f0
+/* 0x07e0	 713 (22 25) */		fdtox	%f6,%f6
+/* 0x07e4	 714 (22 23) */		std	%f6,[%i4+%g4]
+/* 0x07e8	 715 (23 26) */		fdtox	%f4,%f4
+/* 0x07ec	 716 (23 24) */		std	%f4,[%i1+%g4]
+/* 0x07f0	 717 (24 27) */		fdtox	%f2,%f2
+/* 0x07f4	 718 (24 25) */		std	%f2,[%o4+%g4]
+/* 0x07f8	 719 (25 28) */		fdtox	%f0,%f0
+/* 0x07fc	 720 (25 26) */		bg,pn	%icc,.L77000043	! tprob=0.50
+/* 0x0800	     (25 26) */		std	%f0,[%o3+%g4]
+
+!
+! ENTRY .L77000077
+!
+
+                                   .L77000077:		/* frequency 1.0 confidence 0.0 */
+/* 0x0804	 723 ( 0  3) */		ldd	[%i2+%o1],%f0
+
+!
+! ENTRY .L900000155
+!
+
+                                   .L900000155:		/* frequency 1.0 confidence 0.0 */
+/* 0x0808	 725 ( 0  2) */		fxnor	%f14,%f0,%f0
+/* 0x080c	 726 ( 0  1) */		sra	%i0,0,%o1
+/* 0x0810	 727 ( 0  1) */		add	%o0,1,%o0
+/* 0x0814	 728 ( 1  2) */		sllx	%o1,3,%i4
+/* 0x0818	 729 ( 1  2) */		add	%i0,2,%i0
+/* 0x081c	 730 ( 2  5) */		fitod	%f0,%f2
+/* 0x0820	 731 ( 2  3) */		sra	%g3,0,%o1
+/* 0x0824	 732 ( 2  3) */		add	%g3,2,%g3
+/* 0x0828	 733 ( 3  6) */		fitod	%f1,%f0
+/* 0x082c	 734 ( 3  4) */		sllx	%o1,3,%i1
+/* 0x0830	 735 ( 3  4) */		subcc	%o0,%g2,%g0
+/* 0x0834	 736 ( 4  5) */		sra	%o0,0,%o2
+/* 0x0838	 737 ( 5  8) */		fsubd	%f18,%f2,%f2
+/* 0x083c	 738 ( 5  6) */		sllx	%o2,3,%o1
+/* 0x0840	 739 ( 6  9) */		fsubd	%f18,%f0,%f0
+/* 0x0844	 740 ( 8 11) */		fmuld	%f2,%f16,%f2
+/* 0x0848	 741 ( 9 12) */		fmuld	%f0,%f16,%f0
+/* 0x084c	 742 (11 14) */		fdtox	%f2,%f2
+/* 0x0850	 743 (11 12) */		std	%f2,[%i4+%g4]
+/* 0x0854	 744 (12 15) */		fdtox	%f0,%f0
+/* 0x0858	 745 (12 13) */		std	%f0,[%i1+%g4]
+/* 0x085c	 746 (12 13) */		ble,a,pt	%icc,.L900000155	! tprob=0.50
+/* 0x0860	     (14 17) */		ldd	[%i2+%o1],%f0
+
+!
+! ENTRY .L77000043
+!
+
+                                   .L77000043:		/* frequency 1.0 confidence 0.0 */
+/* 0x0864	 754 ( 0  1) */		subcc	%i3,0,%g0
+
+!
+! ENTRY .L900000156
+!
+
+                                   .L900000156:		/* frequency 1.0 confidence 0.0 */
+/* 0x0868	 756 ( 0  1) */		ble,a,pt	%icc,.L77000061	! tprob=0.50
+/* 0x086c	     ( 0  1) */		or	%g0,%g5,%o3
+/* 0x0870	 761 ( 0  2) */		ldx	[%fp-209],%i1
+/* 0x0874	 762 ( 1  2) */		sub	%i3,1,%g3
+/* 0x0878	 763 ( 1  2) */		or	%g0,0,%i0
+/* 0x087c	 764 ( 2  3) */		subcc	%i3,5,%g0
+/* 0x0880	 765 ( 2  3) */		bl,pn	%icc,.L77000078	! tprob=0.50
+/* 0x0884	     ( 2  4) */		ldx	[%fp-217],%i2
+/* 0x0888	 767 ( 3  6) */		ld	[%o5],%i3
+/* 0x088c	 768 ( 3  4) */		or	%g0,8,%g2
+/* 0x0890	 769 ( 3  4) */		or	%g0,16,%o4
+/* 0x0894	 770 ( 4  5) */		sub	%g3,1,%o3
+/* 0x0898	 771 ( 4  5) */		or	%g0,3,%i0
+/* 0x089c	 772 ( 5  6) */		add	%i2,%i3,%o1
+/* 0x08a0	 773 ( 5  8) */		ld	[%o5+4],%i2
+/* 0x08a4	 774 ( 6  7) */		st	%o1,[%o7]
+/* 0x08a8	 775 ( 6  7) */		srax	%o1,32,%o1
+/* 0x08ac	 776 ( 7  9) */		ldx	[%fp-201],%o2
+/* 0x08b0	 777 ( 7  8) */		add	%i1,%i2,%o0
+/* 0x08b4	 778 ( 7  8) */		or	%g0,%o1,%i1
+/* 0x08b8	 779 ( 8 11) */		ld	[%o5+8],%o1
+/* 0x08bc	 780 ( 8  9) */		add	%o0,%i1,%o0
+/* 0x08c0	 781 ( 9 10) */		st	%o0,[%o7+4]
+/* 0x08c4	 782 ( 9 10) */		srax	%o0,32,%o0
+
+!
+! ENTRY .L900000140
+!
+
+                                   .L900000140:		/* frequency 1.0 confidence 0.0 */
+/* 0x08c8	 784 ( 0  1) */		add	%g2,4,%i1
+/* 0x08cc	 785 ( 0  1) */		add	%o4,8,%o4
+/* 0x08d0	 786 ( 1  3) */		ldx	[%o4+%g4],%i2
+/* 0x08d4	 787 ( 1  2) */		sra	%o0,0,%g5
+/* 0x08d8	 788 ( 1  2) */		add	%o2,%o1,%o1
+/* 0x08dc	 789 ( 2  5) */		ld	[%o5+%i1],%o0
+/* 0x08e0	 790 ( 2  3) */		add	%o1,%g5,%o1
+/* 0x08e4	 791 ( 2  3) */		add	%i0,2,%i0
+/* 0x08e8	 792 ( 3  4) */		st	%o1,[%o7+%g2]
+/* 0x08ec	 793 ( 3  4) */		srax	%o1,32,%g5
+/* 0x08f0	 794 ( 3  4) */		subcc	%i0,%o3,%g0
+/* 0x08f4	 795 ( 4  5) */		add	%g2,8,%g2
+/* 0x08f8	 796 ( 4  5) */		add	%o4,8,%o4
+/* 0x08fc	 797 ( 5  7) */		ldx	[%o4+%g4],%o2
+/* 0x0900	 798 ( 5  6) */		add	%i2,%o0,%o0
+/* 0x0904	 799 ( 6  9) */		ld	[%o5+%g2],%o1
+/* 0x0908	 800 ( 6  7) */		add	%o0,%g5,%o0
+/* 0x090c	 801 ( 7  8) */		st	%o0,[%o7+%i1]
+/* 0x0910	 802 ( 7  8) */		ble,pt	%icc,.L900000140	! tprob=0.50
+/* 0x0914	     ( 7  8) */		srax	%o0,32,%o0
+
+!
+! ENTRY .L900000143
+!
+
+                                   .L900000143:		/* frequency 1.0 confidence 0.0 */
+/* 0x0918	 805 ( 0  1) */		sra	%o0,0,%o3
+/* 0x091c	 806 ( 0  1) */		add	%o2,%o1,%o0
+/* 0x0920	 807 ( 1  2) */		add	%o0,%o3,%o0
+/* 0x0924	 808 ( 1  2) */		st	%o0,[%o7+%g2]
+/* 0x0928	 809 ( 1  2) */		subcc	%i0,%g3,%g0
+/* 0x092c	 810 ( 2  3) */		srax	%o0,32,%g5
+/* 0x0930	 811 ( 2  3) */		bg,a,pn	%icc,.L77000061	! tprob=0.50
+/* 0x0934	     ( 3  4) */		or	%g0,%g5,%o3
+
+!
+! ENTRY .L77000078
+!
+
+                                   .L77000078:		/* frequency 1.0 confidence 0.0 */
+/* 0x0938	 814 ( 0  1) */		sra	%i0,0,%o0
+
+!
+! ENTRY .L900000154
+!
+
+                                   .L900000154:		/* frequency 1.0 confidence 0.0 */
+/* 0x093c	 816 ( 0  1) */		sllx	%o0,2,%g2
+/* 0x0940	 817 ( 0  1) */		add	%i0,1,%i0
+/* 0x0944	 818 ( 1  2) */		sllx	%o0,3,%o4
+/* 0x0948	 819 ( 1  4) */		ld	[%o5+%g2],%o2
+/* 0x094c	 820 ( 1  2) */		subcc	%i0,%g3,%g0
+/* 0x0950	 821 ( 2  4) */		ldx	[%o4+%g4],%o0
+/* 0x0954	 822 ( 2  3) */		sra	%g5,0,%o1
+/* 0x0958	 823 ( 4  5) */		add	%o0,%o2,%o0
+/* 0x095c	 824 ( 5  6) */		add	%o0,%o1,%o0
+/* 0x0960	 825 ( 5  6) */		st	%o0,[%o7+%g2]
+/* 0x0964	 826 ( 6  7) */		srax	%o0,32,%g5
+/* 0x0968	 827 ( 6  7) */		ble,pt	%icc,.L900000154	! tprob=0.50
+/* 0x096c	     ( 7  8) */		sra	%i0,0,%o0
+
+!
+! ENTRY .L77000047
+!
+
+                                   .L77000047:		/* frequency 1.0 confidence 0.0 */
+/* 0x0970	 834 ( 0  1) */		or	%g0,%g5,%o3
+
+!
+! ENTRY .L77000061
+!
+
+                                  .L77000061:		/* frequency 1.0 confidence 0.0 */
+
+/* 0x0974	 835 ( 1  2) */		srl	%o3,0,%i0
+/* 0x0978	     ( 2  4) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x097c	     ( 4  5) */		restore	%g0,%g0,%g0
+
+!
+! ENTRY .L77000048
+!
+
+                                   .L77000048:		/* frequency 1.0 confidence 0.0 */
+/* 0x0980	 844 ( 0  1) */		bne,pn	%icc,.L77000050	! tprob=0.50
+/* 0x0984	     ( 0  1) */		sethi	%hi(0xfff80000),%g2
+/* 0x0988	 854 ( 0  3) */		ldd	[%o2],%f4
+/* 0x098c	 855 ( 1  4) */		ldd	[%o0],%f6
+/* 0x0990	 856 ( 1  2) */		srl	%i4,19,%g3
+/* 0x0994	 857 ( 1  2) */		andn	%i4,%g2,%g2
+/* 0x0998	 858 ( 2  3) */		st	%g3,[%sp+2351]
+/* 0x099c	 859 ( 2  4) */		fxnor	%f0,%f4,%f4
+/* 0x09a0	 860 ( 3  4) */		st	%g2,[%sp+2355]
+/* 0x09a4	 861 ( 4  7) */		ldd	[%o2+8],%f12
+/* 0x09a8	 862 ( 4  7) */		fitod	%f4,%f10
+/* 0x09ac	 863 ( 5  8) */		ldd	[%o0+8],%f16
+/* 0x09b0	 864 ( 5  8) */		fitod	%f5,%f4
+/* 0x09b4	 865 ( 6  9) */		ldd	[%o2+16],%f18
+/* 0x09b8	 866 ( 6  8) */		fxnor	%f0,%f12,%f12
+/* 0x09bc	 867 ( 7 10) */		ld	[%sp+2351],%f9
+/* 0x09c0	 868 ( 7 10) */		fsubd	%f16,%f10,%f10
+/* 0x09c4	 869 ( 8 11) */		ld	[%sp+2355],%f15
+/* 0x09c8	 870 ( 8 11) */		fitod	%f12,%f22
+/* 0x09cc	 871 ( 9 12) */		ldd	[%o2+24],%f20
+/* 0x09d0	 872 ( 9 12) */		fitod	%f13,%f12
+/* 0x09d4	 876 (10 13) */		ld	[%i1],%g2
+/* 0x09d8	 877 (10 13) */		fsubd	%f16,%f4,%f4
+/* 0x09dc	 878 (11 14) */		ld	[%i1+4],%g3
+/* 0x09e0	 879 (11 14) */		fsubd	%f16,%f22,%f22
+/* 0x09e4	 880 (12 15) */		ld	[%i1+8],%g4
+/* 0x09e8	 881 (12 14) */		fxnor	%f0,%f18,%f18
+/* 0x09ec	 882 (13 16) */		ld	[%i1+12],%g5
+/* 0x09f0	 883 (13 16) */		fsubd	%f16,%f12,%f12
+/* 0x09f4	 884 (14 17) */		ld	[%i1+16],%o0
+/* 0x09f8	 885 (14 17) */		fitod	%f18,%f26
+/* 0x09fc	 886 (15 18) */		ld	[%i1+20],%o1
+/* 0x0a00	 887 (15 17) */		fxnor	%f0,%f20,%f20
+/* 0x0a04	 888 (16 19) */		ld	[%i1+24],%o2
+/* 0x0a08	 889 (17 20) */		ld	[%i1+28],%o3
+/* 0x0a0c	 890 (19 20) */		fmovs	%f6,%f8
+/* 0x0a10	 891 (20 21) */		fmovs	%f6,%f14
+/* 0x0a14	 892 (22 25) */		fsubd	%f8,%f6,%f8
+/* 0x0a18	 893 (23 26) */		fsubd	%f14,%f6,%f6
+/* 0x0a1c	 894 (25 28) */		fmuld	%f10,%f8,%f14
+/* 0x0a20	 895 (26 29) */		fmuld	%f10,%f6,%f10
+/* 0x0a24	 896 (27 30) */		fmuld	%f4,%f8,%f24
+/* 0x0a28	 897 (28 31) */		fdtox	%f14,%f14
+/* 0x0a2c	 898 (28 29) */		std	%f14,[%sp+2335]
+/* 0x0a30	 899 (28 31) */		fmuld	%f22,%f8,%f28
+/* 0x0a34	 900 (29 32) */		fitod	%f19,%f14
+/* 0x0a38	 901 (29 32) */		fmuld	%f22,%f6,%f18
+/* 0x0a3c	 902 (30 33) */		fdtox	%f10,%f10
+/* 0x0a40	 903 (30 31) */		std	%f10,[%sp+2343]
+/* 0x0a44	 904 (30 33) */		fmuld	%f4,%f6,%f4
+/* 0x0a48	 905 (31 34) */		fmuld	%f12,%f8,%f22
+/* 0x0a4c	 906 (32 35) */		fdtox	%f18,%f18
+/* 0x0a50	 907 (32 33) */		std	%f18,[%sp+2311]
+/* 0x0a54	 908 (32 35) */		fmuld	%f12,%f6,%f10
+/* 0x0a58	 909 (33 35) */		ldx	[%sp+2335],%o4
+/* 0x0a5c	 910 (33 36) */		fdtox	%f24,%f12
+/* 0x0a60	 911 (34 35) */		std	%f12,[%sp+2319]
+/* 0x0a64	 912 (34 37) */		fsubd	%f16,%f26,%f12
+/* 0x0a68	 913 (35 37) */		ldx	[%sp+2343],%o5
+/* 0x0a6c	 914 (35 36) */		sllx	%o4,19,%o4
+/* 0x0a70	 915 (35 38) */		fdtox	%f4,%f4
+/* 0x0a74	 916 (36 37) */		std	%f4,[%sp+2327]
+/* 0x0a78	 917 (36 39) */		fdtox	%f28,%f24
+/* 0x0a7c	 918 (37 38) */		std	%f24,[%sp+2303]
+/* 0x0a80	 919 (37 40) */		fitod	%f20,%f4
+/* 0x0a84	 920 (37 38) */		add	%o5,%o4,%o4
+/* 0x0a88	 921 (37 40) */		fmuld	%f12,%f8,%f24
+/* 0x0a8c	 922 (38 40) */		ldx	[%sp+2319],%o7
+/* 0x0a90	 923 (38 41) */		fsubd	%f16,%f14,%f14
+/* 0x0a94	 924 (38 39) */		add	%o4,%g2,%o4
+/* 0x0a98	 925 (38 41) */		fmuld	%f12,%f6,%f12
+/* 0x0a9c	 926 (39 41) */		ldx	[%sp+2327],%o5
+/* 0x0aa0	 927 (39 42) */		fitod	%f21,%f18
+/* 0x0aa4	 928 (40 41) */		st	%o4,[%i0]
+/* 0x0aa8	 929 (40 41) */		sllx	%o7,19,%o7
+/* 0x0aac	 930 (40 43) */		fdtox	%f22,%f20
+/* 0x0ab0	 931 (41 42) */		std	%f20,[%sp+2287]
+/* 0x0ab4	 932 (41 44) */		fdtox	%f10,%f10
+/* 0x0ab8	 933 (41 42) */		add	%o5,%o7,%o5
+/* 0x0abc	 934 (41 44) */		fmuld	%f14,%f8,%f20
+/* 0x0ac0	 935 (42 43) */		std	%f10,[%sp+2295]
+/* 0x0ac4	 936 (42 43) */		srlx	%o4,32,%o7
+/* 0x0ac8	 937 (42 45) */		fsubd	%f16,%f4,%f4
+/* 0x0acc	 938 (42 45) */		fmuld	%f14,%f6,%f14
+/* 0x0ad0	 939 (43 45) */		ldx	[%sp+2311],%g2
+/* 0x0ad4	 940 (43 46) */		fdtox	%f24,%f10
+/* 0x0ad8	 941 (43 44) */		add	%o5,%g3,%g3
+/* 0x0adc	 942 (44 45) */		std	%f10,[%sp+2271]
+/* 0x0ae0	 943 (44 45) */		add	%g3,%o7,%g3
+/* 0x0ae4	 944 (44 47) */		fdtox	%f12,%f12
+/* 0x0ae8	 945 (45 47) */		ldx	[%sp+2303],%l0
+/* 0x0aec	 946 (45 48) */		fsubd	%f16,%f18,%f10
+/* 0x0af0	 947 (45 48) */		fmuld	%f4,%f8,%f16
+/* 0x0af4	 948 (46 47) */		std	%f12,[%sp+2279]
+/* 0x0af8	 949 (46 49) */		fdtox	%f20,%f12
+/* 0x0afc	 950 (46 49) */		fmuld	%f4,%f6,%f4
+/* 0x0b00	 951 (47 48) */		std	%f12,[%sp+2255]
+/* 0x0b04	 952 (47 48) */		sllx	%l0,19,%l0
+/* 0x0b08	 953 (47 50) */		fdtox	%f14,%f12
+/* 0x0b0c	 954 (48 50) */		ldx	[%sp+2287],%o5
+/* 0x0b10	 955 (48 49) */		add	%g2,%l0,%g2
+/* 0x0b14	 956 (48 51) */		fmuld	%f10,%f8,%f8
+/* 0x0b18	 957 (49 51) */		ldx	[%sp+2295],%l1
+/* 0x0b1c	 958 (49 50) */		srlx	%g3,32,%l0
+/* 0x0b20	 959 (49 50) */		add	%g2,%g4,%g4
+/* 0x0b24	 960 (49 52) */		fmuld	%f10,%f6,%f6
+/* 0x0b28	 961 (50 51) */		std	%f12,[%sp+2263]
+/* 0x0b2c	 962 (50 51) */		sllx	%o5,19,%g2
+/* 0x0b30	 963 (50 51) */		add	%g4,%l0,%g4
+/* 0x0b34	 964 (51 53) */		ldx	[%sp+2279],%l0
+/* 0x0b38	 965 (51 52) */		srlx	%g4,32,%o5
+/* 0x0b3c	 966 (51 52) */		add	%l1,%g2,%g2
+/* 0x0b40	 967 (52 53) */		st	%g3,[%i0+4]
+/* 0x0b44	 968 (52 53) */		add	%g2,%g5,%g2
+/* 0x0b48	 969 (52 55) */		fdtox	%f16,%f10
+/* 0x0b4c	 970 (53 55) */		ldx	[%sp+2271],%o7
+/* 0x0b50	 971 (53 54) */		add	%g2,%o5,%g2
+/* 0x0b54	 972 (53 56) */		fdtox	%f4,%f4
+/* 0x0b58	 973 (54 55) */		std	%f10,[%sp+2239]
+/* 0x0b5c	 974 (55 56) */		sllx	%o7,19,%o7
+/* 0x0b60	 975 (55 56) */		std	%f4,[%sp+2247]
+/* 0x0b64	 976 (55 58) */		fdtox	%f8,%f4
+/* 0x0b68	 977 (56 57) */		add	%l0,%o7,%o7
+/* 0x0b6c	 978 (56 58) */		ldx	[%sp+2263],%o5
+/* 0x0b70	 979 (57 58) */		add	%o7,%o0,%o0
+/* 0x0b74	 980 (57 58) */		std	%f4,[%sp+2223]
+/* 0x0b78	 981 (57 60) */		fdtox	%f6,%f4
+/* 0x0b7c	 982 (58 60) */		ldx	[%sp+2255],%g5
+/* 0x0b80	 983 (58 59) */		srlx	%g2,32,%o7
+/* 0x0b84	 984 (59 60) */		std	%f4,[%sp+2231]
+/* 0x0b88	 985 (59 60) */		add	%o0,%o7,%o0
+/* 0x0b8c	 986 (60 61) */		sllx	%g5,19,%g5
+/* 0x0b90	 987 (60 62) */		ldx	[%sp+2247],%l1
+/* 0x0b94	 988 (61 62) */		add	%o5,%g5,%g5
+/* 0x0b98	 989 (61 62) */		st	%g2,[%i0+12]
+/* 0x0b9c	 990 (62 64) */		ldx	[%sp+2239],%l0
+/* 0x0ba0	 991 (62 63) */		srlx	%o0,32,%o4
+/* 0x0ba4	 992 (62 63) */		add	%g5,%o1,%o1
+/* 0x0ba8	 993 (63 64) */		add	%o1,%o4,%o1
+/* 0x0bac	 994 (63 65) */		ldx	[%sp+2223],%o7
+/* 0x0bb0	 995 (64 65) */		sllx	%l0,19,%g3
+/* 0x0bb4	 996 (64 66) */		ldx	[%sp+2231],%o5
+/* 0x0bb8	 997 (65 66) */		add	%l1,%g3,%o4
+/* 0x0bbc	 998 (65 66) */		st	%o0,[%i0+16]
+/* 0x0bc0	 999 (66 67) */		add	%o4,%o2,%o2
+/* 0x0bc4	1000 (66 67) */		st	%o1,[%i0+20]
+/* 0x0bc8	1001 (67 68) */		srlx	%o1,32,%o4
+/* 0x0bcc	1002 (67 68) */		st	%g4,[%i0+8]
+/* 0x0bd0	1003 (68 69) */		sllx	%o7,19,%g2
+/* 0x0bd4	1004 (68 69) */		add	%o2,%o4,%o4
+/* 0x0bd8	1005 (68 69) */		st	%o4,[%i0+24]
+/* 0x0bdc	1006 (69 70) */		add	%o5,%g2,%g2
+/* 0x0be0	1007 (70 71) */		srlx	%o4,32,%g3
+/* 0x0be4	1008 (70 71) */		add	%g2,%o3,%g2
+/* 0x0be8	1009 (71 72) */		add	%g2,%g3,%g2
+/* 0x0bec	1010 (71 72) */		st	%g2,[%i0+28]
+/* 0x0bf0	1014 (72 73) */		srlx	%g2,32,%o3
+/* 0x0bf4	1015 (73 74) */		srl	%o3,0,%i0
+/* 0x0bf8	     (74 76) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x0bfc	     (76 77) */		restore	%g0,%g0,%g0
+
+!
+! ENTRY .L77000050
+!
+
+                                   .L77000050:		/* frequency 1.0 confidence 0.0 */
+/* 0x0c00	1022 ( 0  1) */		subcc	%i3,16,%g0
+/* 0x0c04	1023 ( 0  1) */		bne,pn	%icc,.L77000073	! tprob=0.50
+/* 0x0c08	     ( 0  1) */		sethi	%hi(0xfff80000),%g2
+/* 0x0c0c	1034 ( 1  4) */		ldd	[%o2],%f4
+/* 0x0c10	1035 ( 1  2) */		andn	%i4,%g2,%g2
+/* 0x0c14	1036 ( 2  3) */		st	%g2,[%sp+2483]
+/* 0x0c18	1037 ( 2  3) */		srl	%i4,19,%g2
+/* 0x0c1c	1038 ( 3  4) */		st	%g2,[%sp+2479]
+/* 0x0c20	1039 ( 3  5) */		fxnor	%f0,%f4,%f4
+/* 0x0c24	1040 ( 4  7) */		ldd	[%o0],%f8
+/* 0x0c28	1041 ( 5  8) */		fitod	%f4,%f10
+/* 0x0c2c	1042 ( 5  8) */		ldd	[%o0+8],%f16
+/* 0x0c30	1043 ( 6  9) */		ldd	[%o2+8],%f14
+/* 0x0c34	1044 ( 6  9) */		fitod	%f5,%f4
+/* 0x0c38	1045 ( 7 10) */		ld	[%sp+2483],%f13
+/* 0x0c3c	1046 ( 8 11) */		ld	[%sp+2479],%f7
+/* 0x0c40	1047 ( 8 11) */		fsubd	%f16,%f10,%f10
+/* 0x0c44	1048 ( 9 11) */		fxnor	%f0,%f14,%f14
+/* 0x0c48	1049 (10 13) */		fsubd	%f16,%f4,%f4
+/* 0x0c4c	1050 (14 15) */		fmovs	%f8,%f12
+/* 0x0c50	1051 (15 16) */		fmovs	%f8,%f6
+/* 0x0c54	1052 (17 20) */		fsubd	%f12,%f8,%f12
+/* 0x0c58	1053 (18 21) */		fsubd	%f6,%f8,%f6
+/* 0x0c5c	1054 (19 22) */		fitod	%f14,%f8
+/* 0x0c60	1055 (20 23) */		fmuld	%f10,%f12,%f18
+/* 0x0c64	1056 (20 23) */		fitod	%f15,%f14
+/* 0x0c68	1057 (21 24) */		fmuld	%f10,%f6,%f10
+/* 0x0c6c	1058 (22 25) */		fsubd	%f16,%f8,%f8
+/* 0x0c70	1059 (22 25) */		fmuld	%f4,%f12,%f20
+/* 0x0c74	1060 (23 26) */		fmuld	%f4,%f6,%f4
+/* 0x0c78	1061 (23 26) */		fsubd	%f16,%f14,%f14
+/* 0x0c7c	1062 (24 27) */		fdtox	%f10,%f10
+/* 0x0c80	1063 (24 25) */		std	%f10,[%sp+2463]
+/* 0x0c84	1064 (25 28) */		fmuld	%f8,%f12,%f10
+/* 0x0c88	1065 (25 28) */		fdtox	%f18,%f18
+/* 0x0c8c	1066 (25 26) */		std	%f18,[%sp+2471]
+/* 0x0c90	1067 (26 29) */		fmuld	%f8,%f6,%f8
+/* 0x0c94	1068 (26 29) */		fdtox	%f4,%f4
+/* 0x0c98	1069 (26 27) */		std	%f4,[%sp+2447]
+/* 0x0c9c	1070 (27 30) */		fmuld	%f14,%f12,%f4
+/* 0x0ca0	1071 (27 30) */		fdtox	%f20,%f18
+/* 0x0ca4	1072 (27 28) */		std	%f18,[%sp+2455]
+/* 0x0ca8	1073 (28 31) */		fdtox	%f10,%f10
+/* 0x0cac	1074 (28 29) */		std	%f10,[%sp+2439]
+/* 0x0cb0	1075 (28 31) */		fmuld	%f14,%f6,%f14
+/* 0x0cb4	1076 (29 32) */		fdtox	%f8,%f8
+/* 0x0cb8	1077 (29 30) */		std	%f8,[%sp+2431]
+/* 0x0cbc	1078 (30 33) */		ldd	[%o2+16],%f10
+/* 0x0cc0	1079 (30 33) */		fdtox	%f4,%f4
+/* 0x0cc4	1080 (31 34) */		ldd	[%o2+24],%f8
+/* 0x0cc8	1081 (31 34) */		fdtox	%f14,%f14
+/* 0x0ccc	1082 (32 33) */		std	%f4,[%sp+2423]
+/* 0x0cd0	1083 (32 34) */		fxnor	%f0,%f10,%f10
+/* 0x0cd4	1084 (33 35) */		fxnor	%f0,%f8,%f4
+/* 0x0cd8	1085 (33 34) */		std	%f14,[%sp+2415]
+/* 0x0cdc	1086 (34 37) */		fitod	%f10,%f8
+/* 0x0ce0	1087 (35 38) */		fitod	%f11,%f10
+/* 0x0ce4	1088 (36 39) */		fitod	%f4,%f14
+/* 0x0ce8	1089 (37 40) */		fsubd	%f16,%f8,%f8
+/* 0x0cec	1090 (38 41) */		fsubd	%f16,%f10,%f10
+/* 0x0cf0	1091 (39 42) */		fsubd	%f16,%f14,%f14
+/* 0x0cf4	1092 (40 43) */		fmuld	%f8,%f12,%f18
+/* 0x0cf8	1093 (40 43) */		fitod	%f5,%f4
+/* 0x0cfc	1094 (41 44) */		fmuld	%f8,%f6,%f8
+/* 0x0d00	1095 (42 45) */		fmuld	%f10,%f12,%f20
+/* 0x0d04	1096 (43 46) */		fmuld	%f10,%f6,%f10
+/* 0x0d08	1097 (43 46) */		fsubd	%f16,%f4,%f4
+/* 0x0d0c	1098 (44 47) */		fdtox	%f8,%f8
+/* 0x0d10	1099 (44 45) */		std	%f8,[%sp+2399]
+/* 0x0d14	1100 (45 48) */		fmuld	%f14,%f12,%f8
+/* 0x0d18	1101 (45 48) */		fdtox	%f18,%f18
+/* 0x0d1c	1102 (45 46) */		std	%f18,[%sp+2407]
+/* 0x0d20	1103 (46 49) */		fdtox	%f10,%f10
+/* 0x0d24	1104 (46 47) */		std	%f10,[%sp+2383]
+/* 0x0d28	1105 (46 49) */		fmuld	%f14,%f6,%f14
+/* 0x0d2c	1106 (47 50) */		fmuld	%f4,%f12,%f10
+/* 0x0d30	1107 (47 50) */		fdtox	%f20,%f18
+/* 0x0d34	1108 (47 48) */		std	%f18,[%sp+2391]
+/* 0x0d38	1109 (48 51) */		fdtox	%f8,%f8
+/* 0x0d3c	1110 (48 49) */		std	%f8,[%sp+2375]
+/* 0x0d40	1111 (48 51) */		fmuld	%f4,%f6,%f4
+/* 0x0d44	1112 (49 52) */		fdtox	%f14,%f14
+/* 0x0d48	1113 (49 50) */		std	%f14,[%sp+2367]
+/* 0x0d4c	1117 (50 53) */		ldd	[%o2+32],%f8
+/* 0x0d50	1118 (50 53) */		fdtox	%f10,%f10
+/* 0x0d54	1119 (51 54) */		fdtox	%f4,%f4
+/* 0x0d58	1120 (51 52) */		std	%f4,[%sp+2351]
+/* 0x0d5c	1121 (52 54) */		fxnor	%f0,%f8,%f8
+/* 0x0d60	1122 (52 55) */		ldd	[%o2+40],%f14
+/* 0x0d64	1123 (53 54) */		std	%f10,[%sp+2359]
+/* 0x0d68	1124 (54 57) */		fitod	%f8,%f4
+/* 0x0d6c	1125 (55 57) */		fxnor	%f0,%f14,%f10
+/* 0x0d70	1126 (56 59) */		fitod	%f9,%f8
+/* 0x0d74	1127 (57 60) */		fsubd	%f16,%f4,%f4
+/* 0x0d78	1128 (58 61) */		fitod	%f10,%f14
+/* 0x0d7c	1129 (59 62) */		fsubd	%f16,%f8,%f8
+/* 0x0d80	1130 (60 63) */		fmuld	%f4,%f12,%f18
+/* 0x0d84	1131 (60 63) */		fitod	%f11,%f10
+/* 0x0d88	1132 (61 64) */		fmuld	%f4,%f6,%f4
+/* 0x0d8c	1133 (61 64) */		fsubd	%f16,%f14,%f14
+/* 0x0d90	1134 (62 65) */		fmuld	%f8,%f12,%f20
+/* 0x0d94	1135 (63 66) */		fmuld	%f8,%f6,%f8
+/* 0x0d98	1136 (63 66) */		fsubd	%f16,%f10,%f10
+/* 0x0d9c	1137 (64 67) */		fdtox	%f4,%f4
+/* 0x0da0	1138 (64 65) */		std	%f4,[%sp+2335]
+/* 0x0da4	1139 (65 68) */		fmuld	%f14,%f12,%f4
+/* 0x0da8	1140 (65 68) */		fdtox	%f18,%f18
+/* 0x0dac	1141 (65 66) */		std	%f18,[%sp+2343]
+/* 0x0db0	1142 (66 69) */		fdtox	%f8,%f8
+/* 0x0db4	1143 (66 67) */		std	%f8,[%sp+2319]
+/* 0x0db8	1144 (66 69) */		fmuld	%f14,%f6,%f14
+/* 0x0dbc	1145 (67 70) */		fmuld	%f10,%f12,%f8
+/* 0x0dc0	1146 (67 70) */		fdtox	%f20,%f18
+/* 0x0dc4	1147 (67 68) */		std	%f18,[%sp+2327]
+/* 0x0dc8	1148 (68 71) */		fdtox	%f4,%f4
+/* 0x0dcc	1149 (68 69) */		std	%f4,[%sp+2311]
+/* 0x0dd0	1150 (68 71) */		fmuld	%f10,%f6,%f10
+/* 0x0dd4	1151 (69 72) */		fdtox	%f14,%f14
+/* 0x0dd8	1152 (69 70) */		std	%f14,[%sp+2303]
+/* 0x0ddc	1153 (70 73) */		ldd	[%o2+48],%f4
+/* 0x0de0	1154 (70 73) */		fdtox	%f8,%f8
+/* 0x0de4	1155 (71 74) */		fdtox	%f10,%f10
+/* 0x0de8	1156 (71 72) */		std	%f10,[%sp+2287]
+/* 0x0dec	1157 (72 74) */		fxnor	%f0,%f4,%f4
+/* 0x0df0	1158 (72 75) */		ldd	[%o2+56],%f14
+/* 0x0df4	1159 (73 74) */		std	%f8,[%sp+2295]
+/* 0x0df8	1160 (74 77) */		fitod	%f4,%f10
+/* 0x0dfc	1161 (75 78) */		fitod	%f5,%f4
+/* 0x0e00	1162 (76 78) */		fxnor	%f0,%f14,%f8
+/* 0x0e04	1163 (77 80) */		fsubd	%f16,%f10,%f10
+/* 0x0e08	1164 (78 81) */		fsubd	%f16,%f4,%f4
+/* 0x0e0c	1165 (79 82) */		fitod	%f8,%f14
+/* 0x0e10	1166 (80 83) */		fmuld	%f10,%f12,%f18
+/* 0x0e14	1167 (80 83) */		fitod	%f9,%f8
+/* 0x0e18	1168 (81 84) */		fmuld	%f10,%f6,%f10
+/* 0x0e1c	1169 (82 85) */		fmuld	%f4,%f12,%f20
+/* 0x0e20	1170 (82 85) */		fsubd	%f16,%f14,%f14
+/* 0x0e24	1171 (83 86) */		fdtox	%f18,%f18
+/* 0x0e28	1172 (83 84) */		std	%f18,[%sp+2279]
+/* 0x0e2c	1173 (83 86) */		fmuld	%f4,%f6,%f4
+/* 0x0e30	1174 (84 87) */		fdtox	%f10,%f10
+/* 0x0e34	1175 (84 85) */		std	%f10,[%sp+2271]
+/* 0x0e38	1176 (85 88) */		fdtox	%f20,%f10
+/* 0x0e3c	1177 (85 86) */		std	%f10,[%sp+2263]
+/* 0x0e40	1178 (86 89) */		fdtox	%f4,%f4
+/* 0x0e44	1179 (86 87) */		std	%f4,[%sp+2255]
+/* 0x0e48	1180 (86 89) */		fmuld	%f14,%f12,%f10
+/* 0x0e4c	1181 (87 90) */		fmuld	%f14,%f6,%f4
+/* 0x0e50	1182 (89 92) */		fdtox	%f10,%f10
+/* 0x0e54	1183 (89 90) */		std	%f10,[%sp+2247]
+/* 0x0e58	1184 (90 93) */		fdtox	%f4,%f4
+/* 0x0e5c	1185 (90 91) */		std	%f4,[%sp+2239]
+/* 0x0e60	1189 (91 93) */		ldx	[%sp+2463],%g2
+/* 0x0e64	1190 (91 94) */		fsubd	%f16,%f8,%f4
+/* 0x0e68	1191 (92 94) */		ldx	[%sp+2471],%g3
+/* 0x0e6c	1192 (93 96) */		ld	[%i1],%g4
+/* 0x0e70	1193 (93 94) */		sllx	%g2,19,%g2
+/* 0x0e74	1194 (94 96) */		ldx	[%sp+2455],%g5
+/* 0x0e78	1195 (94 95) */		add	%g3,%g2,%g2
+/* 0x0e7c	1196 (94 97) */		fmuld	%f4,%f6,%f6
+/* 0x0e80	1197 (95 97) */		ldx	[%sp+2447],%g3
+/* 0x0e84	1198 (95 96) */		add	%g2,%g4,%g4
+/* 0x0e88	1199 (95 98) */		fmuld	%f4,%f12,%f4
+/* 0x0e8c	1200 (96 97) */		st	%g4,[%i0]
+/* 0x0e90	1201 (96 97) */		srlx	%g4,32,%g4
+/* 0x0e94	1202 (97 100) */		ld	[%i1+8],%o0
+/* 0x0e98	1203 (97 98) */		sllx	%g3,19,%g2
+/* 0x0e9c	1204 (97 100) */		fdtox	%f6,%f6
+/* 0x0ea0	1205 (98 101) */		ld	[%i1+4],%g3
+/* 0x0ea4	1206 (98 99) */		add	%g5,%g2,%g2
+/* 0x0ea8	1207 (98 101) */		fdtox	%f4,%f4
+/* 0x0eac	1208 (99 101) */		ldx	[%sp+2439],%g5
+/* 0x0eb0	1209 (100 103) */		ld	[%i1+12],%o1
+/* 0x0eb4	1210 (100 101) */		add	%g2,%g3,%g2
+/* 0x0eb8	1211 (101 103) */		ldx	[%sp+2431],%g3
+/* 0x0ebc	1212 (101 102) */		add	%g2,%g4,%g4
+/* 0x0ec0	1213 (102 103) */		st	%g4,[%i0+4]
+/* 0x0ec4	1214 (103 104) */		std	%f6,[%sp+2223]
+/* 0x0ec8	1215 (103 104) */		sllx	%g3,19,%g2
+/* 0x0ecc	1216 (104 106) */		ldx	[%sp+2423],%g3
+/* 0x0ed0	1217 (104 105) */		add	%g5,%g2,%g2
+/* 0x0ed4	1218 (105 107) */		ldx	[%sp+2415],%g5
+/* 0x0ed8	1219 (105 106) */		add	%g2,%o0,%g2
+/* 0x0edc	1220 (106 107) */		std	%f4,[%sp+2231]
+/* 0x0ee0	1221 (106 107) */		srlx	%g4,32,%o0
+/* 0x0ee4	1222 (107 109) */		ldx	[%sp+2407],%g4
+/* 0x0ee8	1223 (107 108) */		sllx	%g5,19,%g5
+/* 0x0eec	1224 (107 108) */		add	%g2,%o0,%g2
+/* 0x0ef0	1225 (108 109) */		st	%g2,[%i0+8]
+/* 0x0ef4	1226 (108 109) */		srlx	%g2,32,%o0
+/* 0x0ef8	1227 (108 109) */		add	%g3,%g5,%g3
+/* 0x0efc	1228 (109 111) */		ldx	[%sp+2399],%g5
+/* 0x0f00	1229 (109 110) */		add	%g3,%o1,%g3
+/* 0x0f04	1230 (110 113) */		ld	[%i1+16],%o1
+/* 0x0f08	1231 (110 111) */		add	%g3,%o0,%g3
+/* 0x0f0c	1232 (111 112) */		st	%g3,[%i0+12]
+/* 0x0f10	1233 (111 112) */		sllx	%g5,19,%g5
+/* 0x0f14	1234 (112 113) */		srlx	%g3,32,%o0
+/* 0x0f18	1235 (112 113) */		add	%g4,%g5,%g2
+/* 0x0f1c	1236 (112 114) */		ldx	[%sp+2383],%g5
+/* 0x0f20	1237 (113 115) */		ldx	[%sp+2391],%g4
+/* 0x0f24	1238 (113 114) */		add	%g2,%o1,%g2
+/* 0x0f28	1239 (114 117) */		ld	[%i1+20],%o1
+/* 0x0f2c	1240 (114 115) */		sllx	%g5,19,%g5
+/* 0x0f30	1241 (114 115) */		add	%g2,%o0,%g2
+/* 0x0f34	1242 (115 116) */		st	%g2,[%i0+16]
+/* 0x0f38	1243 (115 116) */		srlx	%g2,32,%o0
+/* 0x0f3c	1244 (115 116) */		add	%g4,%g5,%g3
+/* 0x0f40	1245 (116 118) */		ldx	[%sp+2367],%g5
+/* 0x0f44	1246 (116 117) */		add	%g3,%o1,%g3
+/* 0x0f48	1247 (117 119) */		ldx	[%sp+2375],%g4
+/* 0x0f4c	1248 (117 118) */		add	%g3,%o0,%g3
+/* 0x0f50	1249 (118 121) */		ld	[%i1+24],%o1
+/* 0x0f54	1250 (118 119) */		sllx	%g5,19,%g5
+/* 0x0f58	1251 (119 120) */		st	%g3,[%i0+20]
+/* 0x0f5c	1252 (119 120) */		add	%g4,%g5,%g2
+/* 0x0f60	1253 (120 122) */		ldx	[%sp+2351],%g5
+/* 0x0f64	1254 (120 121) */		srlx	%g3,32,%o0
+/* 0x0f68	1255 (120 121) */		add	%g2,%o1,%g2
+/* 0x0f6c	1256 (121 123) */		ldx	[%sp+2359],%g4
+/* 0x0f70	1257 (121 122) */		add	%g2,%o0,%g2
+/* 0x0f74	1258 (122 125) */		ld	[%i1+28],%o1
+/* 0x0f78	1259 (122 123) */		sllx	%g5,19,%g5
+/* 0x0f7c	1260 (123 124) */		st	%g2,[%i0+24]
+/* 0x0f80	1261 (123 124) */		add	%g4,%g5,%g3
+/* 0x0f84	1265 (124 126) */		ldx	[%sp+2335],%g5
+/* 0x0f88	1266 (124 125) */		srlx	%g2,32,%o0
+/* 0x0f8c	1267 (124 125) */		add	%g3,%o1,%g3
+/* 0x0f90	1268 (125 127) */		ldx	[%sp+2343],%g4
+/* 0x0f94	1269 (125 126) */		add	%g3,%o0,%g3
+/* 0x0f98	1270 (126 127) */		sllx	%g5,19,%g5
+/* 0x0f9c	1271 (126 129) */		ld	[%i1+32],%o1
+/* 0x0fa0	1272 (127 128) */		add	%g4,%g5,%g2
+/* 0x0fa4	1273 (127 129) */		ldx	[%sp+2319],%g5
+/* 0x0fa8	1274 (128 130) */		ldx	[%sp+2327],%g4
+/* 0x0fac	1275 (128 129) */		srlx	%g3,32,%o0
+/* 0x0fb0	1276 (128 129) */		add	%g2,%o1,%g2
+/* 0x0fb4	1277 (129 130) */		st	%g3,[%i0+28]
+/* 0x0fb8	1278 (129 130) */		sllx	%g5,19,%g5
+/* 0x0fbc	1279 (129 130) */		add	%g2,%o0,%g2
+/* 0x0fc0	1280 (130 133) */		ld	[%i1+36],%o1
+/* 0x0fc4	1281 (130 131) */		add	%g4,%g5,%g3
+/* 0x0fc8	1282 (131 133) */		ldx	[%sp+2303],%g5
+/* 0x0fcc	1283 (131 132) */		srlx	%g2,32,%o0
+/* 0x0fd0	1284 (132 134) */		ldx	[%sp+2311],%g4
+/* 0x0fd4	1285 (132 133) */		add	%g3,%o1,%g3
+/* 0x0fd8	1286 (133 134) */		sllx	%g5,19,%g5
+/* 0x0fdc	1287 (133 134) */		st	%g2,[%i0+32]
+/* 0x0fe0	1288 (133 134) */		add	%g3,%o0,%g3
+/* 0x0fe4	1289 (134 135) */		add	%g4,%g5,%g2
+/* 0x0fe8	1290 (134 136) */		ldx	[%sp+2287],%g5
+/* 0x0fec	1291 (135 137) */		ldx	[%sp+2295],%g4
+/* 0x0ff0	1292 (135 136) */		srlx	%g3,32,%o0
+/* 0x0ff4	1293 (136 139) */		ld	[%i1+40],%o1
+/* 0x0ff8	1294 (136 137) */		sllx	%g5,19,%g5
+/* 0x0ffc	1295 (137 138) */		st	%g3,[%i0+36]
+/* 0x1000	1296 (137 138) */		add	%g4,%g5,%g3
+/* 0x1004	1297 (138 140) */		ldx	[%sp+2271],%g5
+/* 0x1008	1298 (138 139) */		add	%g2,%o1,%g2
+/* 0x100c	1299 (139 141) */		ldx	[%sp+2279],%g4
+/* 0x1010	1300 (139 140) */		add	%g2,%o0,%g2
+/* 0x1014	1301 (140 143) */		ld	[%i1+44],%o1
+/* 0x1018	1302 (140 141) */		sllx	%g5,19,%g5
+/* 0x101c	1303 (141 142) */		st	%g2,[%i0+40]
+/* 0x1020	1304 (141 142) */		srlx	%g2,32,%o0
+/* 0x1024	1305 (141 142) */		add	%g4,%g5,%g2
+/* 0x1028	1306 (142 144) */		ldx	[%sp+2255],%g5
+/* 0x102c	1307 (142 143) */		add	%g3,%o1,%g3
+/* 0x1030	1308 (143 145) */		ldx	[%sp+2263],%g4
+/* 0x1034	1309 (143 144) */		add	%g3,%o0,%g3
+/* 0x1038	1310 (144 147) */		ld	[%i1+48],%o1
+/* 0x103c	1311 (144 145) */		sllx	%g5,19,%g5
+/* 0x1040	1312 (145 146) */		srlx	%g3,32,%o0
+/* 0x1044	1313 (145 146) */		st	%g3,[%i0+44]
+/* 0x1048	1314 (145 146) */		add	%g4,%g5,%g3
+/* 0x104c	1315 (146 148) */		ldx	[%sp+2239],%g5
+/* 0x1050	1316 (146 147) */		add	%g2,%o1,%g2
+/* 0x1054	1317 (147 150) */		ld	[%i1+52],%o1
+/* 0x1058	1318 (147 148) */		add	%g2,%o0,%g2
+/* 0x105c	1319 (148 150) */		ldx	[%sp+2247],%g4
+/* 0x1060	1320 (148 149) */		sllx	%g5,19,%g5
+/* 0x1064	1321 (149 150) */		srlx	%g2,32,%o0
+/* 0x1068	1322 (149 150) */		st	%g2,[%i0+48]
+/* 0x106c	1323 (149 150) */		add	%g3,%o1,%g3
+/* 0x1070	1324 (150 153) */		ld	[%i1+56],%o1
+/* 0x1074	1325 (150 151) */		add	%g4,%g5,%g2
+/* 0x1078	1326 (150 151) */		add	%g3,%o0,%g3
+/* 0x107c	1327 (151 153) */		ldx	[%sp+2223],%g5
+/* 0x1080	1328 (151 152) */		srlx	%g3,32,%o0
+/* 0x1084	1329 (152 154) */		ldx	[%sp+2231],%g4
+/* 0x1088	1330 (152 153) */		add	%g2,%o1,%g2
+/* 0x108c	1331 (153 154) */		sllx	%g5,19,%g5
+/* 0x1090	1332 (153 156) */		ld	[%i1+60],%o1
+/* 0x1094	1333 (153 154) */		add	%g2,%o0,%g2
+/* 0x1098	1334 (154 155) */		st	%g3,[%i0+52]
+/* 0x109c	1335 (154 155) */		add	%g4,%g5,%g3
+/* 0x10a0	1336 (155 156) */		st	%g2,[%i0+56]
+/* 0x10a4	1337 (155 156) */		srlx	%g2,32,%g2
+/* 0x10a8	1338 (155 156) */		add	%g3,%o1,%g3
+/* 0x10ac	1339 (156 157) */		add	%g3,%g2,%g2
+/* 0x10b0	1340 (156 157) */		st	%g2,[%i0+60]
+/* 0x10b4	1344 (157 158) */		srlx	%g2,32,%o3
+/* 0x10b8	1345 (158 159) */		srl	%o3,0,%i0
+/* 0x10bc	     (159 161) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x10c0	     (161 162) */		restore	%g0,%g0,%g0
+
+!
+! ENTRY .L77000073
+!
+
+                                   .L77000073:		/* frequency 1.0 confidence 0.0 */
+
+
+	or	%g0, %i4, %o2
+	or	%g0, %o0, %o1
+	or	%g0, %i3, %o0
+
+!
+! ENTRY .L77000052
+!
+
+                                   .L77000052:		/* frequency 1.0 confidence 0.0 */
+/* 0x1028	1318 ( 0  1) */		andn	%o2,%g2,%g2
+/* 0x102c	1319 ( 0  1) */		st	%g2,[%sp+2227]
+/* 0x1030	1325 ( 0  1) */		add	%o0,1,%g3
+/* 0x1034	1326 ( 0  1) */		fmovd	%f0,%f14
+/* 0x1038	1327 ( 1  2) */		srl	%o2,19,%g2
+/* 0x103c	1328 ( 1  2) */		st	%g2,[%sp+2223]
+/* 0x1040	1329 ( 1  2) */		or	%g0,0,%o5
+/* 0x1044	1330 ( 2  3) */		srl	%g3,31,%g2
+/* 0x1048	1331 ( 2  5) */		ldd	[%o1],%f6
+/* 0x104c	1335 ( 2  3) */		sethi	%hi(0x1000),%g1
+/* 0x1050	1336 ( 3  4) */		add	%g3,%g2,%g2
+/* 0x1054	1337 ( 3  4) */		xor	%g1,-625,%g1
+/* 0x1058	1338 ( 3  6) */		ldd	[%o1+8],%f20
+/* 0x105c	1339 ( 4  5) */		sra	%g2,1,%o3
+/* 0x1060	1340 ( 4  5) */		fmovs	%f6,%f8
+/* 0x1064	1341 ( 4  5) */		add	%g1,%fp,%g3
+/* 0x1068	1342 ( 5  6) */		fmovs	%f6,%f10
+/* 0x106c	1343 ( 5  7) */		ld	[%sp+2227],%f9
+/* 0x1070	1344 ( 5  6) */		subcc	%o3,0,%g0
+/* 0x1074	1345 ( 6  8) */		ld	[%sp+2223],%f11
+/* 0x1078	1346 ( 6  7) */		sethi	%hi(0x1000),%g1
+/* 0x107c	1347 ( 6  7) */		or	%g0,%i2,%o1
+/* 0x1080	1348 ( 7 10) */		fsubd	%f8,%f6,%f18
+/* 0x1084	1349 ( 7  8) */		xor	%g1,-617,%g1
+/* 0x1088	1350 ( 7  8) */		or	%g0,0,%g4
+/* 0x108c	1351 ( 8 11) */		fsubd	%f10,%f6,%f16
+/* 0x1090	1352 ( 8  9) */		bleu,pt	%icc,.L990000162	! tprob=0.50
+/* 0x1094	     ( 8  9) */		subcc	%o0,0,%g0
+/* 0x1098	1354 ( 9 10) */		add	%g1,%fp,%g2
+/* 0x109c	1355 ( 9 10) */		sethi	%hi(0x1000),%g1
+/* 0x10a0	1356 (10 11) */		xor	%g1,-609,%g1
+/* 0x10a4	1357 (10 11) */		subcc	%o3,7,%g0
+/* 0x10a8	1358 (11 12) */		add	%g1,%fp,%o7
+/* 0x10ac	1359 (11 12) */		sethi	%hi(0x1000),%g1
+/* 0x10b0	1360 (12 13) */		xor	%g1,-601,%g1
+/* 0x10b4	1361 (13 14) */		add	%g1,%fp,%o4
+/* 0x10b8	1362 (13 14) */		bl,pn	%icc,.L77000054	! tprob=0.50
+/* 0x10bc	     (13 14) */		sub	%o3,2,%o2
+/* 0x10c0	1364 (14 17) */		ldd	[%o1],%f2
+/* 0x10c4	1365 (14 15) */		add	%o1,16,%g5
+/* 0x10c8	1366 (14 15) */		or	%g0,4,%g4
+/* 0x10cc	1367 (15 18) */		ldd	[%o1+8],%f0
+/* 0x10d0	1368 (15 16) */		add	%o1,8,%o1
+/* 0x10d4	1369 (16 18) */		fxnor	%f14,%f2,%f6
+/* 0x10d8	1370 (16 19) */		ldd	[%g5],%f4
+/* 0x10dc	1371 (16 17) */		add	%o1,16,%o1
+/* 0x10e0	1372 (17 19) */		fxnor	%f14,%f0,%f12
+/* 0x10e4	1373 (17 20) */		ldd	[%o1],%f0
+/* 0x10e8	1374 (17 18) */		add	%o1,8,%o1
+/* 0x10ec	1375 (18 21) */		fitod	%f7,%f2
+/* 0x10f0	1376 (19 22) */		fitod	%f6,%f6
+/* 0x10f4	1377 (20 22) */		fxnor	%f14,%f4,%f10
+/* 0x10f8	1378 (21 24) */		fsubd	%f20,%f2,%f2
+/* 0x10fc	1379 (22 24) */		fxnor	%f14,%f0,%f8
+/* 0x1100	1380 (23 26) */		fitod	%f13,%f4
+/* 0x1104	1381 (24 27) */		fsubd	%f20,%f6,%f6
+/* 0x1108	1382 (24 27) */		fmuld	%f2,%f16,%f0
+
+!
+! ENTRY .L990000154
+!
+
+                                   .L990000154:		/* frequency 1.0 confidence 0.0 */
+/* 0x110c	1384 ( 0  3) */		ldd	[%o1],%f24
+/* 0x1110	1385 ( 0  1) */		add	%g4,3,%g4
+/* 0x1114	1386 ( 0  1) */		add	%o4,96,%o4
+/* 0x1118	1387 ( 1  4) */		fitod	%f11,%f22
+/* 0x111c	1388 ( 2  5) */		fsubd	%f20,%f4,%f26
+/* 0x1120	1389 ( 2  3) */		subcc	%g4,%o2,%g0
+/* 0x1124	1390 ( 2  3) */		add	%o7,96,%o7
+/* 0x1128	1391 ( 2  5) */		fmuld	%f6,%f18,%f28
+/* 0x112c	1392 ( 3  6) */		fmuld	%f6,%f16,%f6
+/* 0x1130	1393 ( 3  4) */		add	%g2,96,%g2
+/* 0x1134	1394 ( 3  4) */		add	%g3,96,%g3
+/* 0x1138	1395 ( 4  7) */		fdtox	%f0,%f0
+/* 0x113c	1396 ( 5  8) */		fitod	%f12,%f4
+/* 0x1140	1397 ( 5  8) */		fmuld	%f2,%f18,%f2
+/* 0x1144	1398 ( 6  9) */		fdtox	%f28,%f12
+/* 0x1148	1399 ( 7 10) */		fdtox	%f6,%f6
+/* 0x114c	1400 ( 7  8) */		std	%f12,[%g3-96]
+/* 0x1150	1401 ( 8  9) */		std	%f6,[%g2-96]
+/* 0x1154	1402 ( 8 11) */		fdtox	%f2,%f2
+/* 0x1158	1403 ( 9 12) */		fsubd	%f20,%f4,%f6
+/* 0x115c	1404 ( 9 10) */		std	%f2,[%o7-96]
+/* 0x1160	1405 ( 9 10) */		add	%o1,8,%o1
+/* 0x1164	1406 (10 12) */		fxnor	%f14,%f24,%f12
+/* 0x1168	1407 (10 13) */		fmuld	%f26,%f16,%f4
+/* 0x116c	1408 (10 11) */		std	%f0,[%o4-96]
+/* 0x1170	1409 (11 14) */		ldd	[%o1],%f0
+/* 0x1174	1410 (11 14) */		fitod	%f9,%f2
+/* 0x1178	1411 (12 15) */		fsubd	%f20,%f22,%f28
+/* 0x117c	1412 (12 15) */		fmuld	%f6,%f18,%f24
+/* 0x1180	1413 (13 16) */		fmuld	%f6,%f16,%f22
+/* 0x1184	1414 (13 16) */		fdtox	%f4,%f4
+/* 0x1188	1415 (14 17) */		fitod	%f10,%f6
+/* 0x118c	1416 (14 17) */		fmuld	%f26,%f18,%f10
+/* 0x1190	1417 (15 18) */		fdtox	%f24,%f24
+/* 0x1194	1418 (16 19) */		fdtox	%f22,%f22
+/* 0x1198	1419 (16 17) */		std	%f24,[%g3-64]
+/* 0x119c	1420 (17 18) */		std	%f22,[%g2-64]
+/* 0x11a0	1421 (17 20) */		fdtox	%f10,%f10
+/* 0x11a4	1422 (18 21) */		fsubd	%f20,%f6,%f6
+/* 0x11a8	1423 (18 19) */		std	%f10,[%o7-64]
+/* 0x11ac	1424 (18 19) */		add	%o1,8,%o1
+/* 0x11b0	1425 (19 21) */		fxnor	%f14,%f0,%f10
+/* 0x11b4	1426 (19 22) */		fmuld	%f28,%f16,%f0
+/* 0x11b8	1427 (19 20) */		std	%f4,[%o4-64]
+/* 0x11bc	1428 (20 23) */		ldd	[%o1],%f22
+/* 0x11c0	1429 (20 23) */		fitod	%f13,%f4
+/* 0x11c4	1430 (21 24) */		fsubd	%f20,%f2,%f2
+/* 0x11c8	1431 (21 24) */		fmuld	%f6,%f18,%f26
+/* 0x11cc	1432 (22 25) */		fmuld	%f6,%f16,%f24
+/* 0x11d0	1433 (22 25) */		fdtox	%f0,%f0
+/* 0x11d4	1434 (23 26) */		fitod	%f8,%f6
+/* 0x11d8	1435 (23 26) */		fmuld	%f28,%f18,%f8
+/* 0x11dc	1436 (24 27) */		fdtox	%f26,%f26
+/* 0x11e0	1437 (25 28) */		fdtox	%f24,%f24
+/* 0x11e4	1438 (25 26) */		std	%f26,[%g3-32]
+/* 0x11e8	1439 (26 27) */		std	%f24,[%g2-32]
+/* 0x11ec	1440 (26 29) */		fdtox	%f8,%f8
+/* 0x11f0	1441 (27 30) */		fsubd	%f20,%f6,%f6
+/* 0x11f4	1442 (27 28) */		std	%f8,[%o7-32]
+/* 0x11f8	1443 (27 28) */		add	%o1,8,%o1
+/* 0x11fc	1444 (28 30) */		fxnor	%f14,%f22,%f8
+/* 0x1200	1445 (28 29) */		std	%f0,[%o4-32]
+/* 0x1204	1446 (28 29) */		bcs,pt	%icc,.L990000154	! tprob=0.50
+/* 0x1208	     (28 31) */		fmuld	%f2,%f16,%f0
+
+!
+! ENTRY .L990000157
+!
+
+                                   .L990000157:		/* frequency 1.0 confidence 0.0 */
+/* 0x120c	1449 ( 0  3) */		fitod	%f12,%f28
+/* 0x1210	1450 ( 0  3) */		fmuld	%f6,%f18,%f24
+/* 0x1214	1451 ( 0  1) */		add	%g3,128,%g3
+/* 0x1218	1452 ( 1  4) */		fitod	%f10,%f12
+/* 0x121c	1453 ( 1  4) */		fmuld	%f6,%f16,%f26
+/* 0x1220	1454 ( 1  2) */		add	%g2,128,%g2
+/* 0x1224	1455 ( 2  5) */		fsubd	%f20,%f4,%f4
+/* 0x1228	1456 ( 2  5) */		fmuld	%f2,%f18,%f22
+/* 0x122c	1457 ( 2  3) */		add	%o7,128,%o7
+/* 0x1230	1458 ( 3  6) */		fdtox	%f24,%f6
+/* 0x1234	1459 ( 3  4) */		std	%f6,[%g3-128]
+/* 0x1238	1460 ( 3  4) */		add	%o4,128,%o4
+/* 0x123c	1461 ( 4  7) */		fsubd	%f20,%f28,%f2
+/* 0x1240	1462 ( 4  5) */		subcc	%g4,%o3,%g0
+/* 0x1244	1463 ( 5  8) */		fitod	%f11,%f6
+/* 0x1248	1464 ( 5  8) */		fmuld	%f4,%f18,%f24
+/* 0x124c	1465 ( 6  9) */		fdtox	%f26,%f10
+/* 0x1250	1466 ( 6  7) */		std	%f10,[%g2-128]
+/* 0x1254	1467 ( 7 10) */		fdtox	%f22,%f10
+/* 0x1258	1468 ( 7  8) */		std	%f10,[%o7-128]
+/* 0x125c	1469 ( 7 10) */		fmuld	%f2,%f18,%f26
+/* 0x1260	1470 ( 8 11) */		fsubd	%f20,%f12,%f10
+/* 0x1264	1471 ( 8 11) */		fmuld	%f2,%f16,%f2
+/* 0x1268	1472 ( 9 12) */		fsubd	%f20,%f6,%f22
+/* 0x126c	1473 ( 9 12) */		fmuld	%f4,%f16,%f12
+/* 0x1270	1474 (10 13) */		fdtox	%f0,%f0
+/* 0x1274	1475 (10 11) */		std	%f0,[%o4-128]
+/* 0x1278	1476 (11 14) */		fitod	%f8,%f4
+/* 0x127c	1477 (11 14) */		fmuld	%f10,%f18,%f6
+/* 0x1280	1478 (12 15) */		fdtox	%f26,%f0
+/* 0x1284	1479 (12 13) */		std	%f0,[%g3-96]
+/* 0x1288	1480 (12 15) */		fmuld	%f10,%f16,%f10
+/* 0x128c	1481 (13 16) */		fdtox	%f2,%f2
+/* 0x1290	1482 (13 14) */		std	%f2,[%g2-96]
+/* 0x1294	1483 (14 17) */		fitod	%f9,%f0
+/* 0x1298	1484 (14 17) */		fmuld	%f22,%f18,%f2
+/* 0x129c	1485 (15 18) */		fdtox	%f24,%f8
+/* 0x12a0	1486 (15 16) */		std	%f8,[%o7-96]
+/* 0x12a4	1487 (16 19) */		fsubd	%f20,%f4,%f4
+/* 0x12a8	1488 (16 19) */		fmuld	%f22,%f16,%f8
+/* 0x12ac	1489 (17 20) */		fdtox	%f12,%f12
+/* 0x12b0	1490 (17 18) */		std	%f12,[%o4-96]
+/* 0x12b4	1491 (18 21) */		fsubd	%f20,%f0,%f0
+/* 0x12b8	1492 (19 22) */		fdtox	%f6,%f6
+/* 0x12bc	1493 (19 20) */		std	%f6,[%g3-64]
+/* 0x12c0	1494 (20 23) */		fdtox	%f10,%f10
+/* 0x12c4	1495 (20 21) */		std	%f10,[%g2-64]
+/* 0x12c8	1496 (20 23) */		fmuld	%f4,%f18,%f6
+/* 0x12cc	1497 (21 24) */		fdtox	%f2,%f2
+/* 0x12d0	1498 (21 22) */		std	%f2,[%o7-64]
+/* 0x12d4	1499 (21 24) */		fmuld	%f4,%f16,%f4
+/* 0x12d8	1500 (22 25) */		fmuld	%f0,%f18,%f2
+/* 0x12dc	1501 (22 25) */		fdtox	%f8,%f8
+/* 0x12e0	1502 (22 23) */		std	%f8,[%o4-64]
+/* 0x12e4	1503 (23 26) */		fdtox	%f6,%f6
+/* 0x12e8	1504 (23 24) */		std	%f6,[%g3-32]
+/* 0x12ec	1505 (23 26) */		fmuld	%f0,%f16,%f0
+/* 0x12f0	1506 (24 27) */		fdtox	%f4,%f4
+/* 0x12f4	1507 (24 25) */		std	%f4,[%g2-32]
+/* 0x12f8	1508 (25 28) */		fdtox	%f2,%f2
+/* 0x12fc	1509 (25 26) */		std	%f2,[%o7-32]
+/* 0x1300	1510 (26 29) */		fdtox	%f0,%f0
+/* 0x1304	1511 (26 27) */		bcc,pn	%icc,.L77000056	! tprob=0.50
+/* 0x1308	     (26 27) */		std	%f0,[%o4-32]
+
+!
+! ENTRY .L77000054
+!
+
+                                   .L77000054:		/* frequency 1.0 confidence 0.0 */
+/* 0x130c	1514 ( 0  3) */		ldd	[%o1],%f0
+
+!
+! ENTRY .L990000161
+!
+
+                                   .L990000161:		/* frequency 1.0 confidence 0.0 */
+/* 0x1310	1516 ( 0  2) */		fxnor	%f14,%f0,%f0
+/* 0x1314	1517 ( 0  1) */		add	%g4,1,%g4
+/* 0x1318	1518 ( 0  1) */		add	%o1,8,%o1
+/* 0x131c	1519 ( 1  2) */		subcc	%g4,%o3,%g0
+/* 0x1320	1520 ( 2  5) */		fitod	%f0,%f2
+/* 0x1324	1521 ( 3  6) */		fitod	%f1,%f0
+/* 0x1328	1522 ( 5  8) */		fsubd	%f20,%f2,%f2
+/* 0x132c	1523 ( 6  9) */		fsubd	%f20,%f0,%f0
+/* 0x1330	1524 ( 8 11) */		fmuld	%f2,%f18,%f6
+/* 0x1334	1525 ( 9 12) */		fmuld	%f2,%f16,%f4
+/* 0x1338	1526 (10 13) */		fmuld	%f0,%f18,%f2
+/* 0x133c	1527 (11 14) */		fdtox	%f6,%f6
+/* 0x1340	1528 (11 12) */		std	%f6,[%g3]
+/* 0x1344	1529 (11 14) */		fmuld	%f0,%f16,%f0
+/* 0x1348	1530 (12 15) */		fdtox	%f4,%f4
+/* 0x134c	1531 (12 13) */		std	%f4,[%g2]
+/* 0x1350	1532 (12 13) */		add	%g2,32,%g2
+/* 0x1354	1533 (13 16) */		fdtox	%f2,%f2
+/* 0x1358	1534 (13 14) */		std	%f2,[%o7]
+/* 0x135c	1535 (13 14) */		add	%o7,32,%o7
+/* 0x1360	1536 (14 17) */		fdtox	%f0,%f0
+/* 0x1364	1537 (14 15) */		std	%f0,[%o4]
+/* 0x1368	1538 (14 15) */		add	%o4,32,%o4
+/* 0x136c	1539 (15 16) */		add	%g3,32,%g3
+/* 0x1370	1540 (15 16) */		bcs,a,pt	%icc,.L990000161	! tprob=0.50
+/* 0x1374	     (16 19) */		ldd	[%o1],%f0
+
+!
+! ENTRY .L77000056
+!
+
+                                   .L77000056:		/* frequency 1.0 confidence 0.0 */
+/* 0x1378	1548 ( 0  1) */		subcc	%o0,0,%g0
+
+!
+! ENTRY .L990000162
+!
+
+                                   .L990000162:		/* frequency 1.0 confidence 0.0 */
+/* 0x137c	1550 ( 0  1) */		bleu,pt	%icc,.L77770061	! tprob=0.50
+/* 0x1380	     ( 0  1) */		nop
+/* 0x1384	1555 ( 0  1) */		sethi	%hi(0x1000),%g1
+/* 0x1388	1556 ( 1  2) */		xor	%g1,-625,%g1
+/* 0x138c	1557 ( 1  2) */		or	%g0,%i1,%g4
+/* 0x1390	1558 ( 2  3) */		add	%g1,%fp,%g5
+/* 0x1394	1559 ( 2  3) */		sethi	%hi(0x1000),%g1
+/* 0x1398	1560 ( 3  4) */		xor	%g1,-617,%g1
+/* 0x139c	1561 ( 3  4) */		or	%g0,%o0,%o7
+/* 0x13a0	1562 ( 4  5) */		add	%g1,%fp,%g2
+/* 0x13a4	1563 ( 4  5) */		or	%g0,0,%i2
+/* 0x13a8	1564 ( 5  6) */		or	%g0,%i0,%g3
+/* 0x13ac	1565 ( 5  6) */		subcc	%o0,6,%g0
+/* 0x13b0	1566 ( 5  6) */		bl,pn	%icc,.L77000058	! tprob=0.50
+/* 0x13b4	     ( 6  7) */		sethi	%hi(0x1000),%g1
+/* 0x13b8	1568 ( 6  8) */		ld	[%g4],%o2
+/* 0x13bc	1569 ( 6  7) */		add	%g3,4,%g3
+/* 0x13c0	1570 ( 7  8) */		xor	%g1,-585,%g1
+/* 0x13c4	1571 ( 7  8) */		sub	%o7,3,%o4
+/* 0x13c8	1572 ( 8  9) */		add	%g1,%fp,%g2
+/* 0x13cc	1573 ( 8  9) */		sethi	%hi(0x1000),%g1
+/* 0x13d0	1574 ( 9 10) */		xor	%g1,-593,%g1
+/* 0x13d4	1575 ( 9 10) */		or	%g0,2,%i2
+/* 0x13d8	1576 (10 11) */		add	%g1,%fp,%g5
+/* 0x13dc	1577 (10 11) */		sethi	%hi(0x1000),%g1
+/* 0x13e0	1578 (11 12) */		xor	%g1,-617,%g1
+/* 0x13e4	1579 (12 13) */		add	%g1,%fp,%g1
+/* 0x13e8	1580 (13 15) */		ldx	[%g1],%o1
+/* 0x13ec	1581 (14 16) */		ldx	[%g1-8],%o0
+/* 0x13f0	1582 (15 16) */		sllx	%o1,19,%o1
+/* 0x13f4	1583 (15 17) */		ldx	[%g1+16],%o3
+/* 0x13f8	1584 (16 17) */		add	%o0,%o1,%o0
+/* 0x13fc	1585 (16 18) */		ld	[%g4+4],%o1
+/* 0x1400	1586 (16 17) */		add	%g4,8,%g4
+/* 0x1404	1587 (17 18) */		sllx	%o3,19,%o3
+/* 0x1408	1588 (17 18) */		add	%o0,%o2,%o0
+/* 0x140c	1589 (17 19) */		ldx	[%g1+8],%o2
+/* 0x1410	1590 (18 19) */		st	%o0,[%g3-4]
+/* 0x1414	1591 (18 19) */		srlx	%o0,32,%o0
+
+!
+! ENTRY .L990000142
+!
+
+                                   .L990000142:		/* frequency 1.0 confidence 0.0 */
+/* 0x1418	1593 ( 0  1) */		add	%o2,%o3,%o2
+/* 0x141c	1594 ( 0  1) */		add	%i2,4,%i2
+/* 0x1420	1595 ( 0  2) */		ld	[%g4],%o3
+/* 0x1424	1596 ( 1  2) */		srl	%o0,0,%o5
+/* 0x1428	1597 ( 1  2) */		add	%o2,%o1,%o1
+/* 0x142c	1598 ( 1  3) */		ldx	[%g2],%o0
+/* 0x1430	1599 ( 3  4) */		sllx	%o0,19,%o2
+/* 0x1434	1600 ( 3  5) */		ldx	[%g5],%o0
+/* 0x1438	1601 ( 3  4) */		add	%o1,%o5,%o1
+/* 0x143c	1602 ( 4  5) */		st	%o1,[%g3]
+/* 0x1440	1603 ( 4  5) */		srlx	%o1,32,%o5
+/* 0x1444	1604 ( 4  5) */		subcc	%i2,%o4,%g0
+/* 0x1448	1605 ( 5  7) */		ldx	[%g2+16],%o1
+/* 0x144c	1606 ( 5  6) */		add	%o0,%o2,%o0
+/* 0x1450	1607 ( 5  6) */		add	%g3,16,%g3
+/* 0x1454	1608 ( 6  8) */		ld	[%g4+4],%o2
+/* 0x1458	1609 ( 6  7) */		add	%o0,%o3,%o0
+/* 0x145c	1610 ( 7  8) */		sllx	%o1,19,%o3
+/* 0x1460	1611 ( 7  9) */		ldx	[%g5+16],%o1
+/* 0x1464	1612 ( 7  8) */		add	%o0,%o5,%o0
+/* 0x1468	1613 ( 8  9) */		st	%o0,[%g3-12]
+/* 0x146c	1614 ( 8  9) */		srlx	%o0,32,%o5
+/* 0x1470	1615 ( 8  9) */		add	%g4,16,%g4
+/* 0x1474	1616 ( 9 11) */		ldx	[%g2+32],%o0
+/* 0x1478	1617 ( 9 10) */		add	%o1,%o3,%o1
+/* 0x147c	1618 ( 9 10) */		add	%g2,64,%g2
+/* 0x1480	1619 (10 12) */		ld	[%g4-8],%o3
+/* 0x1484	1620 (10 11) */		add	%o1,%o2,%o2
+/* 0x1488	1621 (11 12) */		sllx	%o0,19,%o1
+/* 0x148c	1622 (11 13) */		ldx	[%g5+32],%o0
+/* 0x1490	1623 (11 12) */		add	%o2,%o5,%o2
+/* 0x1494	1624 (12 13) */		st	%o2,[%g3-8]
+/* 0x1498	1625 (12 13) */		srlx	%o2,32,%o5
+/* 0x149c	1626 (12 13) */		add	%g5,64,%g5
+/* 0x14a0	1627 (13 15) */		ldx	[%g2-16],%o2
+/* 0x14a4	1628 (13 14) */		add	%o0,%o1,%o0
+/* 0x14a8	1629 (14 16) */		ld	[%g4-4],%o1
+/* 0x14ac	1630 (14 15) */		add	%o0,%o3,%o0
+/* 0x14b0	1631 (15 16) */		sllx	%o2,19,%o3
+/* 0x14b4	1632 (15 17) */		ldx	[%g5-16],%o2
+/* 0x14b8	1633 (15 16) */		add	%o0,%o5,%o0
+/* 0x14bc	1634 (16 17) */		st	%o0,[%g3-4]
+/* 0x14c0	1635 (16 17) */		bcs,pt	%icc,.L990000142	! tprob=0.50
+/* 0x14c4	     (16 17) */		srlx	%o0,32,%o0
+
+!
+! ENTRY .L990000145
+!
+
+                                   .L990000145:		/* frequency 1.0 confidence 0.0 */
+/* 0x14c8	1638 ( 0  1) */		add	%o2,%o3,%o3
+/* 0x14cc	1639 ( 0  1) */		add	%g3,4,%g3
+/* 0x14d0	1640 ( 1  2) */		srl	%o0,0,%o2
+/* 0x14d4	1641 ( 1  2) */		add	%o3,%o1,%o0
+/* 0x14d8	1642 ( 2  3) */		add	%o0,%o2,%o0
+/* 0x14dc	1643 ( 2  3) */		st	%o0,[%g3-4]
+/* 0x14e0	1644 ( 2  3) */		subcc	%i2,%o7,%g0
+/* 0x14e4	1645 ( 2  3) */		bcc,pn	%icc,.L77770061	! tprob=0.50
+/* 0x14e8	     ( 3  4) */		srlx	%o0,32,%o5
+
+!
+! ENTRY .L77000058
+!
+
+                                   .L77000058:		/* frequency 1.0 confidence 0.0 */
+/* 0x14ec	1648 ( 0  2) */		ldx	[%g2],%o2
+
+!
+! ENTRY .L990000160
+!
+
+                                   .L990000160:		/* frequency 1.0 confidence 0.0 */
+/* 0x14f0	1650 ( 0  1) */		sllx	%o2,19,%o3
+/* 0x14f4	1651 ( 0  2) */		ldx	[%g5],%o0
+/* 0x14f8	1652 ( 0  1) */		add	%i2,1,%i2
+/* 0x14fc	1653 ( 1  2) */		srl	%o5,0,%o1
+/* 0x1500	1654 ( 1  3) */		ld	[%g4],%o2
+/* 0x1504	1655 ( 1  2) */		add	%g2,16,%g2
+/* 0x1508	1656 ( 2  3) */		add	%o0,%o3,%o0
+/* 0x150c	1657 ( 2  3) */		add	%g5,16,%g5
+/* 0x1510	1658 ( 3  4) */		add	%o0,%o2,%o0
+/* 0x1514	1659 ( 3  4) */		add	%g4,4,%g4
+/* 0x1518	1660 ( 4  5) */		add	%o0,%o1,%o0
+/* 0x151c	1661 ( 4  5) */		st	%o0,[%g3]
+/* 0x1520	1662 ( 4  5) */		subcc	%i2,%o7,%g0
+/* 0x1524	1663 ( 5  6) */		srlx	%o0,32,%o5
+/* 0x1528	1664 ( 5  6) */		add	%g3,4,%g3
+/* 0x152c	1665 ( 5  6) */		bcs,a,pt	%icc,.L990000160	! tprob=0.50
+/* 0x1530	     ( 6  8) */		ldx	[%g2],%o2
+
+!
+! ENTRY .L77770061
+!
+
+                                   .L77770061:		/* frequency 1.0 confidence 0.0 */
+/* 0x1534	     ( 0  2) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x1538	     ( 2  3) */		restore	%g0,%o5,%o0
+
+
+/* 0x124c	1476 ( 0  0) */		.type	mul_add,2
+/* 0x124c	1477 ( 0  0) */		.size	mul_add,(.-mul_add)
+/* 0x124c	1480 ( 0  0) */		.align	8
+/* 0x1250	1486 ( 0  0) */		.global	mul_add_inp
+
+!
+! ENTRY mul_add_inp
+!
+
+                                   	.global mul_add_inp
+                                   mul_add_inp:		/* frequency 1.0 confidence 0.0 */
+/* 0x1250	1488 ( 0  1) */		save	%sp,-176,%sp
+/* 0x1254	1500 ( 1  2) */		sra	%i2,0,%o3
+/* 0x1258	1501 ( 1  2) */		or	%g0,%i1,%o2
+/* 0x125c	1502 ( 2  3) */		or	%g0,%i0,%o0
+/* 0x1260	1503 ( 2  3) */		or	%g0,%i0,%o1
+/* 0x1264	1504 ( 3  5) */		call	mul_add	! params = 	! Result = 
+/* 0x1268	     ( 4  5) */		srl	%i3,0,%o4
+/* 0x126c	1506 ( 5  6) */		srl	%o0,0,%i0
+/* 0x1270	     ( 6  8) */		ret	! Result =  %o1 %o0 %f0 %f1
+/* 0x1274	     ( 8  9) */		restore	%g0,%g0,%g0
+/* 0x1278	1509 ( 0  0) */		.type	mul_add_inp,2
+/* 0x1278	1510 ( 0  0) */		.size	mul_add_inp,(.-mul_add_inp)
+
+	.section	".data",#alloc,#write
+/* 0x1278	   6 ( 0  0) */		.align	8
+
+!
+! ENTRY mask_cnst
+!
+
+                                   mask_cnst:		/* frequency 1.0 confidence 0.0 */
+/* 0x1278	   8 ( 0  0) */		.xword	-9223372034707292160
+/* 0x1280	   9 ( 0  0) */		.type	mask_cnst,#object
+/* 0x1280	  10 ( 0  0) */		.size	mask_cnst,8
+
diff --git a/security/nss/lib/freebl/mpi/mpvalpha.c b/security/nss/lib/freebl/mpi/mpvalpha.c
new file mode 100644
index 000000000..5118e73c3
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mpvalpha.c
@@ -0,0 +1,214 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is Multiple Precision Integer optimization code for 
+ * the Compaq Alpha processor.
+ *
+ * The Initial Developer of the Original Code is
+ * Richard C. Swift.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):	Richard C. Swift	(swift@netscape.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "mpi-priv.h"
+#include <c_asm.h>
+
+
+#define MP_MUL_DxD(a, b, Phi, Plo)		\
+ { Plo = asm ("mulq %a0, %a1, %v0", a, b);	\
+   Phi = asm ("umulh %a0, %a1, %v0", a, b); }	\
+
+/* This is empty for the loop in s_mpv_mul_d	*/
+#define CARRY_ADD
+
+#define ONE_MUL				\
+    a_i = *a++;				\
+    MP_MUL_DxD(a_i, b, a1b1, a0b0);	\
+    a0b0 += carry;			\
+    if (a0b0 < carry)			\
+      ++a1b1;				\
+    CARRY_ADD				\
+    *c++ = a0b0;			\
+    carry = a1b1;			\
+
+#define FOUR_MUL			\
+	ONE_MUL				\
+	ONE_MUL				\
+	ONE_MUL				\
+	ONE_MUL				\
+
+#define SIXTEEN_MUL			\
+	FOUR_MUL			\
+	FOUR_MUL			\
+	FOUR_MUL			\
+	FOUR_MUL			\
+
+#define THIRTYTWO_MUL			\
+	SIXTEEN_MUL			\
+	SIXTEEN_MUL			\
+
+#define ONETWENTYEIGHT_MUL		\
+	THIRTYTWO_MUL			\
+	THIRTYTWO_MUL			\
+	THIRTYTWO_MUL			\
+	THIRTYTWO_MUL			\
+
+
+#define EXPAND_256(CALL)		\
+ mp_digit carry = 0;			\
+ mp_digit a_i;				\
+ mp_digit a0b0, a1b1;			\
+ if (a_len &255) {			\
+	if (a_len &1) {			\
+	  ONE_MUL			\
+	}				\
+	if (a_len &2) {			\
+	  ONE_MUL			\
+	  ONE_MUL			\
+	}				\
+	if (a_len &4) {			\
+	  FOUR_MUL			\
+	}				\
+	if (a_len &8) {			\
+	  FOUR_MUL			\
+	  FOUR_MUL			\
+	}				\
+	if (a_len & 16 ) {		\
+	  SIXTEEN_MUL			\
+	}				\
+	if (a_len & 32 ) {		\
+	  THIRTYTWO_MUL			\
+	}				\
+	if (a_len & 64 ) {		\
+	  THIRTYTWO_MUL			\
+	  THIRTYTWO_MUL			\
+	}				\
+	if (a_len & 128) {		\
+	  ONETWENTYEIGHT_MUL		\
+	}				\
+	a_len = a_len & (-256);		\
+  }					\
+  if (a_len>=256 ) {			\
+	carry = CALL(a, a_len, b, c, carry);	\
+	c += a_len;			\
+  }					\
+
+#define FUNC_NAME(NAME)			\
+mp_digit NAME(const mp_digit *a, 	\
+	mp_size a_len,			\
+	mp_digit b, mp_digit *c, 	\
+	mp_digit carry)			\
+
+#define DECLARE_MUL_256(FNAME)		\
+FUNC_NAME(FNAME)			\
+{					\
+  mp_digit a_i;				\
+  mp_digit a0b0, a1b1;			\
+  while (a_len) {			\
+	ONETWENTYEIGHT_MUL		\
+	ONETWENTYEIGHT_MUL		\
+	a_len-= 256;			\
+  }					\
+  return carry;				\
+}					\
+
+/* Expanding the loop in s_mpv_mul_d appeared to slow down the
+   (admittedly) small number of tests (i.e., timetest) used to
+   measure performance, so this define disables that optimization. */
+#define DO_NOT_EXPAND 1
+
+/* Need forward declaration so it can be instantiated after
+	the routine that uses it; this helps locality somewhat	*/
+#if !defined(DO_NOT_EXPAND)
+FUNC_NAME(s_mpv_mul_d_MUL256);
+#endif
+
+/* c = a * b */
+void s_mpv_mul_d(const mp_digit *a, mp_size a_len, 
+			mp_digit b, mp_digit *c)
+{
+#if defined(DO_NOT_EXPAND)
+  mp_digit carry = 0;
+  while (a_len--) {
+    mp_digit a_i = *a++;
+    mp_digit a0b0, a1b1;
+
+    MP_MUL_DxD(a_i, b, a1b1, a0b0);
+
+    a0b0 += carry;
+    if (a0b0 < carry)
+      ++a1b1;
+    *c++ = a0b0;
+    carry = a1b1;
+  }
+#else
+  EXPAND_256(s_mpv_mul_d_MUL256)
+#endif
+  *c = carry;
+}
+
+#if !defined(DO_NOT_EXPAND)
+DECLARE_MUL_256(s_mpv_mul_d_MUL256)
+#endif
+
+#undef CARRY_ADD
+/* This is redefined for the loop in s_mpv_mul_d_add */
+#define CARRY_ADD			\
+    a0b0 += a_i = *c;			\
+    if (a0b0 < a_i)			\
+      ++a1b1;				\
+
+/* Need forward declaration so it can be instantiated between the
+	two routines that use it; this helps locality somewhat	*/
+FUNC_NAME(s_mpv_mul_d_add_MUL256);
+
+/* c += a * b */
+void s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, 
+			mp_digit b, mp_digit *c)
+{
+  EXPAND_256(s_mpv_mul_d_add_MUL256)
+  *c = carry;
+}
+
+/* Instantiate multiply 256 routine here */
+DECLARE_MUL_256(s_mpv_mul_d_add_MUL256)
+
+/* Presently, this is only used by the Montgomery arithmetic code. */
+/* c += a * b */
+void s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, 
+			mp_digit b, mp_digit *c)
+{
+  EXPAND_256(s_mpv_mul_d_add_MUL256)
+  while (carry) {
+    mp_digit c_i = *c;
+    carry += c_i;
+    *c++ = carry;
+    carry = carry < c_i;
+  }
+}
+
diff --git a/security/nss/lib/freebl/mpi/mulsqr.c b/security/nss/lib/freebl/mpi/mulsqr.c
new file mode 100644
index 000000000..db2b5ce8a
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/mulsqr.c
@@ -0,0 +1,111 @@
+/*
+ * Test whether to include squaring code given the current settings
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1997, 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <limits.h>
+#include <time.h>
+
+#define MP_SQUARE 1  /* make sure squaring code is included */
+
+#include "mpi.h"
+#include "mpprime.h"
+
+int main(int argc, char *argv[])
+{
+  int           ntests, prec, ix;
+  unsigned int  seed;
+  clock_t       start, stop;
+  double        multime, sqrtime;
+  mp_int        a, c;
+
+  seed = (unsigned int)time(NULL);
+
+  if(argc < 3) {
+    fprintf(stderr, "Usage: %s <ntests> <nbits>\n", argv[0]);
+    return 1;
+  }
+
+  if((ntests = abs(atoi(argv[1]))) == 0) {
+    fprintf(stderr, "%s: must request at least 1 test.\n", argv[0]);
+    return 1;
+  }
+  if((prec = abs(atoi(argv[2]))) < CHAR_BIT) {
+    fprintf(stderr, "%s: must request at least %d bits.\n", argv[0],
+	    CHAR_BIT);
+    return 1;
+  }
+
+  prec = (prec + (DIGIT_BIT - 1)) / DIGIT_BIT;
+
+  mp_init_size(&a, prec);
+  mp_init_size(&c, 2 * prec);
+
+  /* Test multiplication by self */
+  srand(seed);
+  start = clock();
+  for(ix = 0; ix < ntests; ix++) {
+    mpp_random_size(&a, prec);
+    mp_mul(&a, &a, &c);
+  }
+  stop = clock();
+
+  multime = (double)(stop - start) / CLOCKS_PER_SEC;
+
+  /* Test squaring */
+  srand(seed);
+  start = clock();
+  for(ix = 0; ix < ntests; ix++) {
+    mpp_random_size(&a, prec);
+    mp_sqr(&a, &c);
+  }
+  stop = clock();
+
+  sqrtime = (double)(stop - start) / CLOCKS_PER_SEC;
+
+  printf("Multiply: %.4f\n", multime);
+  printf("Square:   %.4f\n", sqrtime);
+  if(multime < sqrtime) {
+    printf("Speedup:  %.1f%%\n", 100.0 * (1.0 - multime / sqrtime));
+    printf("Prefer:   multiply\n");
+  } else {
+    printf("Speedup:  %.1f%%\n", 100.0 * (1.0 - sqrtime / multime));
+    printf("Prefer:   square\n");
+  }
+
+  mp_clear(&a); mp_clear(&c);
+  return 0;
+
+}
diff --git a/security/nss/lib/freebl/mpi/multest b/security/nss/lib/freebl/mpi/multest
new file mode 100755
index 000000000..08fec8388
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/multest
@@ -0,0 +1,107 @@
+#!/bin/sh
+#
+# multest
+#
+# Run multiply and square timing tests, to compute a chart for the
+# current processor and compiler combination.
+#
+## The contents of this file are subject to the Mozilla Public
+## License Version 1.1 (the "License"); you may not use this file
+## except in compliance with the License. You may obtain a copy of
+## the License at http://www.mozilla.org/MPL/
+##
+## Software distributed under the License is distributed on an "AS
+## IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+## implied. See the License for the specific language governing
+## rights and limitations under the License.
+##
+## The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+## library.
+##
+## The Initial Developer of the Original Code is 
+## Michael J. Fromberger <sting@linguist.dartmouth.edu>
+##
+## Portions created by Michael J. Fromberger are 
+## Copyright (C) 2000 Michael J. Fromberger. All Rights Reserved
+##
+## Contributor(s):
+##
+## Alternatively, the contents of this file may be used under the
+## terms of the GNU General Public License Version 2 or later (the
+## "GPL"), in which case the provisions of the GPL are applicable
+## instead of those above.  If you wish to allow use of your
+## version of this file only under the terms of the GPL and not to
+## allow others to use your version of this file under the MPL,
+## indicate your decision by deleting the provisions above and
+## replace them with the notice and other provisions required by
+## the GPL.  If you do not delete the provisions above, a recipient
+## may use your version of this file under either the MPL or the GPL.
+## 
+# $Id$
+#
+
+ECHO=/bin/echo
+MAKE=gmake
+
+$ECHO "\n** Running multiply and square timing tests\n"
+
+$ECHO "Bringing 'mulsqr' up to date ... "
+if $MAKE mulsqr ; then
+    :
+else
+    $ECHO "\nMake failed to build mulsqr.\n"
+    exit 1
+fi
+
+if [ ! -x ./mulsqr ] ; then
+    $ECHO "\nCannot find 'mulsqr' program, testing cannot continue.\n"
+    exit 1
+fi
+
+sizes='64 128 192 256 320 384 448 512 640 768 896 1024 1536 2048'
+ntests=500000
+
+$ECHO "Running timing tests, please wait ... "
+
+trap 'echo "oop!";rm -f tt*.tmp;exit 0' INT HUP
+
+touch tt$$.tmp
+$ECHO $ntests tests >> tt$$.tmp
+for size in $sizes ; do
+    $ECHO "$size bits ... \c"
+    set -A res `./mulsqr $ntests $size|head -3|tr -d '%'|awk '{print $2}'`
+    $ECHO $size"\t"${res[0]}"\t"${res[1]}"\t"${res[2]} >> tt$$.tmp
+    $ECHO "(done)"
+done
+mv tt$$.tmp mulsqr-results.txt
+rm -f tt$$.tmp
+
+$ECHO "\n** Running Karatsuba-Ofman multiplication tests\n"
+
+$ECHO "Brining 'karatsuba' up to date ... "
+if $MAKE karatsuba ; then
+    :
+else
+    $ECHO "\nMake failed to build karatsuba.\n"
+    exit 1
+fi
+
+if [ ! -x ./karatsuba ] ; then
+    $ECHO "\nCannot find 'karatsuba' program, testing cannot continue.\n"
+    exit 1
+fi
+
+ntests=100000
+
+trap 'echo "oop!";rm -f tt*.tmp;exit 0' INT HUP
+
+touch tt$$.tmp
+for size in $sizes ; do
+    $ECHO "$size bits ... "
+    ./karatsuba $ntests $size >> tt$$.tmp
+    tail -2 tt$$.tmp
+done
+mv tt$$.tmp karatsuba-results.txt
+rm -f tt$$.tmp
+
+exit 0
diff --git a/security/nss/lib/freebl/mpi/primes.c b/security/nss/lib/freebl/mpi/primes.c
new file mode 100644
index 000000000..14f927b6c
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/primes.c
@@ -0,0 +1,871 @@
+/*
+ * These tables of primes wwere generated using the 'sieve' program
+ * (sieve.c) and converted to this format with 'ptab.pl'.  
+ *
+ * The 'small' table is just the first 128 primes.  The 'large' table
+ * is a table of all the prime values that will fit into a single
+ * mp_digit (given the current size of an mp_digit, which is two bytes).
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1997, 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#if SMALL_TABLE
+#define MP_PRIME_TAB_SIZE 128
+#else
+#define MP_PRIME_TAB_SIZE 6542
+#endif
+
+const int prime_tab_size = MP_PRIME_TAB_SIZE;
+const mp_digit  prime_tab[] = {
+	0x0002, 0x0003, 0x0005, 0x0007, 0x000B, 0x000D, 0x0011, 0x0013, 
+	0x0017, 0x001D, 0x001F, 0x0025, 0x0029, 0x002B, 0x002F, 0x0035, 
+	0x003B, 0x003D, 0x0043, 0x0047, 0x0049, 0x004F, 0x0053, 0x0059, 
+	0x0061, 0x0065, 0x0067, 0x006B, 0x006D, 0x0071, 0x007F, 0x0083, 
+	0x0089, 0x008B, 0x0095, 0x0097, 0x009D, 0x00A3, 0x00A7, 0x00AD, 
+	0x00B3, 0x00B5, 0x00BF, 0x00C1, 0x00C5, 0x00C7, 0x00D3, 0x00DF, 
+	0x00E3, 0x00E5, 0x00E9, 0x00EF, 0x00F1, 0x00FB, 0x0101, 0x0107, 
+	0x010D, 0x010F, 0x0115, 0x0119, 0x011B, 0x0125, 0x0133, 0x0137, 
+	0x0139, 0x013D, 0x014B, 0x0151, 0x015B, 0x015D, 0x0161, 0x0167, 
+	0x016F, 0x0175, 0x017B, 0x017F, 0x0185, 0x018D, 0x0191, 0x0199, 
+	0x01A3, 0x01A5, 0x01AF, 0x01B1, 0x01B7, 0x01BB, 0x01C1, 0x01C9, 
+	0x01CD, 0x01CF, 0x01D3, 0x01DF, 0x01E7, 0x01EB, 0x01F3, 0x01F7, 
+	0x01FD, 0x0209, 0x020B, 0x021D, 0x0223, 0x022D, 0x0233, 0x0239, 
+	0x023B, 0x0241, 0x024B, 0x0251, 0x0257, 0x0259, 0x025F, 0x0265, 
+	0x0269, 0x026B, 0x0277, 0x0281, 0x0283, 0x0287, 0x028D, 0x0293, 
+	0x0295, 0x02A1, 0x02A5, 0x02AB, 0x02B3, 0x02BD, 0x02C5, 0x02CF, 
+#if ! SMALL_TABLE
+	0x02D7, 0x02DD, 0x02E3, 0x02E7, 0x02EF, 0x02F5, 0x02F9, 0x0301, 
+	0x0305, 0x0313, 0x031D, 0x0329, 0x032B, 0x0335, 0x0337, 0x033B, 
+	0x033D, 0x0347, 0x0355, 0x0359, 0x035B, 0x035F, 0x036D, 0x0371, 
+	0x0373, 0x0377, 0x038B, 0x038F, 0x0397, 0x03A1, 0x03A9, 0x03AD, 
+	0x03B3, 0x03B9, 0x03C7, 0x03CB, 0x03D1, 0x03D7, 0x03DF, 0x03E5, 
+	0x03F1, 0x03F5, 0x03FB, 0x03FD, 0x0407, 0x0409, 0x040F, 0x0419, 
+	0x041B, 0x0425, 0x0427, 0x042D, 0x043F, 0x0443, 0x0445, 0x0449, 
+	0x044F, 0x0455, 0x045D, 0x0463, 0x0469, 0x047F, 0x0481, 0x048B, 
+	0x0493, 0x049D, 0x04A3, 0x04A9, 0x04B1, 0x04BD, 0x04C1, 0x04C7, 
+	0x04CD, 0x04CF, 0x04D5, 0x04E1, 0x04EB, 0x04FD, 0x04FF, 0x0503, 
+	0x0509, 0x050B, 0x0511, 0x0515, 0x0517, 0x051B, 0x0527, 0x0529, 
+	0x052F, 0x0551, 0x0557, 0x055D, 0x0565, 0x0577, 0x0581, 0x058F, 
+	0x0593, 0x0595, 0x0599, 0x059F, 0x05A7, 0x05AB, 0x05AD, 0x05B3, 
+	0x05BF, 0x05C9, 0x05CB, 0x05CF, 0x05D1, 0x05D5, 0x05DB, 0x05E7, 
+	0x05F3, 0x05FB, 0x0607, 0x060D, 0x0611, 0x0617, 0x061F, 0x0623, 
+	0x062B, 0x062F, 0x063D, 0x0641, 0x0647, 0x0649, 0x064D, 0x0653, 
+	0x0655, 0x065B, 0x0665, 0x0679, 0x067F, 0x0683, 0x0685, 0x069D, 
+	0x06A1, 0x06A3, 0x06AD, 0x06B9, 0x06BB, 0x06C5, 0x06CD, 0x06D3, 
+	0x06D9, 0x06DF, 0x06F1, 0x06F7, 0x06FB, 0x06FD, 0x0709, 0x0713, 
+	0x071F, 0x0727, 0x0737, 0x0745, 0x074B, 0x074F, 0x0751, 0x0755, 
+	0x0757, 0x0761, 0x076D, 0x0773, 0x0779, 0x078B, 0x078D, 0x079D, 
+	0x079F, 0x07B5, 0x07BB, 0x07C3, 0x07C9, 0x07CD, 0x07CF, 0x07D3, 
+	0x07DB, 0x07E1, 0x07EB, 0x07ED, 0x07F7, 0x0805, 0x080F, 0x0815, 
+	0x0821, 0x0823, 0x0827, 0x0829, 0x0833, 0x083F, 0x0841, 0x0851, 
+	0x0853, 0x0859, 0x085D, 0x085F, 0x0869, 0x0871, 0x0883, 0x089B, 
+	0x089F, 0x08A5, 0x08AD, 0x08BD, 0x08BF, 0x08C3, 0x08CB, 0x08DB, 
+	0x08DD, 0x08E1, 0x08E9, 0x08EF, 0x08F5, 0x08F9, 0x0905, 0x0907, 
+	0x091D, 0x0923, 0x0925, 0x092B, 0x092F, 0x0935, 0x0943, 0x0949, 
+	0x094D, 0x094F, 0x0955, 0x0959, 0x095F, 0x096B, 0x0971, 0x0977, 
+	0x0985, 0x0989, 0x098F, 0x099B, 0x09A3, 0x09A9, 0x09AD, 0x09C7, 
+	0x09D9, 0x09E3, 0x09EB, 0x09EF, 0x09F5, 0x09F7, 0x09FD, 0x0A13, 
+	0x0A1F, 0x0A21, 0x0A31, 0x0A39, 0x0A3D, 0x0A49, 0x0A57, 0x0A61, 
+	0x0A63, 0x0A67, 0x0A6F, 0x0A75, 0x0A7B, 0x0A7F, 0x0A81, 0x0A85, 
+	0x0A8B, 0x0A93, 0x0A97, 0x0A99, 0x0A9F, 0x0AA9, 0x0AAB, 0x0AB5, 
+	0x0ABD, 0x0AC1, 0x0ACF, 0x0AD9, 0x0AE5, 0x0AE7, 0x0AED, 0x0AF1, 
+	0x0AF3, 0x0B03, 0x0B11, 0x0B15, 0x0B1B, 0x0B23, 0x0B29, 0x0B2D, 
+	0x0B3F, 0x0B47, 0x0B51, 0x0B57, 0x0B5D, 0x0B65, 0x0B6F, 0x0B7B, 
+	0x0B89, 0x0B8D, 0x0B93, 0x0B99, 0x0B9B, 0x0BB7, 0x0BB9, 0x0BC3, 
+	0x0BCB, 0x0BCF, 0x0BDD, 0x0BE1, 0x0BE9, 0x0BF5, 0x0BFB, 0x0C07, 
+	0x0C0B, 0x0C11, 0x0C25, 0x0C2F, 0x0C31, 0x0C41, 0x0C5B, 0x0C5F, 
+	0x0C61, 0x0C6D, 0x0C73, 0x0C77, 0x0C83, 0x0C89, 0x0C91, 0x0C95, 
+	0x0C9D, 0x0CB3, 0x0CB5, 0x0CB9, 0x0CBB, 0x0CC7, 0x0CE3, 0x0CE5, 
+	0x0CEB, 0x0CF1, 0x0CF7, 0x0CFB, 0x0D01, 0x0D03, 0x0D0F, 0x0D13, 
+	0x0D1F, 0x0D21, 0x0D2B, 0x0D2D, 0x0D3D, 0x0D3F, 0x0D4F, 0x0D55, 
+	0x0D69, 0x0D79, 0x0D81, 0x0D85, 0x0D87, 0x0D8B, 0x0D8D, 0x0DA3, 
+	0x0DAB, 0x0DB7, 0x0DBD, 0x0DC7, 0x0DC9, 0x0DCD, 0x0DD3, 0x0DD5, 
+	0x0DDB, 0x0DE5, 0x0DE7, 0x0DF3, 0x0DFD, 0x0DFF, 0x0E09, 0x0E17, 
+	0x0E1D, 0x0E21, 0x0E27, 0x0E2F, 0x0E35, 0x0E3B, 0x0E4B, 0x0E57, 
+	0x0E59, 0x0E5D, 0x0E6B, 0x0E71, 0x0E75, 0x0E7D, 0x0E87, 0x0E8F, 
+	0x0E95, 0x0E9B, 0x0EB1, 0x0EB7, 0x0EB9, 0x0EC3, 0x0ED1, 0x0ED5, 
+	0x0EDB, 0x0EED, 0x0EEF, 0x0EF9, 0x0F07, 0x0F0B, 0x0F0D, 0x0F17, 
+	0x0F25, 0x0F29, 0x0F31, 0x0F43, 0x0F47, 0x0F4D, 0x0F4F, 0x0F53, 
+	0x0F59, 0x0F5B, 0x0F67, 0x0F6B, 0x0F7F, 0x0F95, 0x0FA1, 0x0FA3, 
+	0x0FA7, 0x0FAD, 0x0FB3, 0x0FB5, 0x0FBB, 0x0FD1, 0x0FD3, 0x0FD9, 
+	0x0FE9, 0x0FEF, 0x0FFB, 0x0FFD, 0x1003, 0x100F, 0x101F, 0x1021, 
+	0x1025, 0x102B, 0x1039, 0x103D, 0x103F, 0x1051, 0x1069, 0x1073, 
+	0x1079, 0x107B, 0x1085, 0x1087, 0x1091, 0x1093, 0x109D, 0x10A3, 
+	0x10A5, 0x10AF, 0x10B1, 0x10BB, 0x10C1, 0x10C9, 0x10E7, 0x10F1, 
+	0x10F3, 0x10FD, 0x1105, 0x110B, 0x1115, 0x1127, 0x112D, 0x1139, 
+	0x1145, 0x1147, 0x1159, 0x115F, 0x1163, 0x1169, 0x116F, 0x1181, 
+	0x1183, 0x118D, 0x119B, 0x11A1, 0x11A5, 0x11A7, 0x11AB, 0x11C3, 
+	0x11C5, 0x11D1, 0x11D7, 0x11E7, 0x11EF, 0x11F5, 0x11FB, 0x120D, 
+	0x121D, 0x121F, 0x1223, 0x1229, 0x122B, 0x1231, 0x1237, 0x1241, 
+	0x1247, 0x1253, 0x125F, 0x1271, 0x1273, 0x1279, 0x127D, 0x128F, 
+	0x1297, 0x12AF, 0x12B3, 0x12B5, 0x12B9, 0x12BF, 0x12C1, 0x12CD, 
+	0x12D1, 0x12DF, 0x12FD, 0x1307, 0x130D, 0x1319, 0x1327, 0x132D, 
+	0x1337, 0x1343, 0x1345, 0x1349, 0x134F, 0x1357, 0x135D, 0x1367, 
+	0x1369, 0x136D, 0x137B, 0x1381, 0x1387, 0x138B, 0x1391, 0x1393, 
+	0x139D, 0x139F, 0x13AF, 0x13BB, 0x13C3, 0x13D5, 0x13D9, 0x13DF, 
+	0x13EB, 0x13ED, 0x13F3, 0x13F9, 0x13FF, 0x141B, 0x1421, 0x142F, 
+	0x1433, 0x143B, 0x1445, 0x144D, 0x1459, 0x146B, 0x146F, 0x1471, 
+	0x1475, 0x148D, 0x1499, 0x149F, 0x14A1, 0x14B1, 0x14B7, 0x14BD, 
+	0x14CB, 0x14D5, 0x14E3, 0x14E7, 0x1505, 0x150B, 0x1511, 0x1517, 
+	0x151F, 0x1525, 0x1529, 0x152B, 0x1537, 0x153D, 0x1541, 0x1543, 
+	0x1549, 0x155F, 0x1565, 0x1567, 0x156B, 0x157D, 0x157F, 0x1583, 
+	0x158F, 0x1591, 0x1597, 0x159B, 0x15B5, 0x15BB, 0x15C1, 0x15C5, 
+	0x15CD, 0x15D7, 0x15F7, 0x1607, 0x1609, 0x160F, 0x1613, 0x1615, 
+	0x1619, 0x161B, 0x1625, 0x1633, 0x1639, 0x163D, 0x1645, 0x164F, 
+	0x1655, 0x1669, 0x166D, 0x166F, 0x1675, 0x1693, 0x1697, 0x169F, 
+	0x16A9, 0x16AF, 0x16B5, 0x16BD, 0x16C3, 0x16CF, 0x16D3, 0x16D9, 
+	0x16DB, 0x16E1, 0x16E5, 0x16EB, 0x16ED, 0x16F7, 0x16F9, 0x1709, 
+	0x170F, 0x1723, 0x1727, 0x1733, 0x1741, 0x175D, 0x1763, 0x1777, 
+	0x177B, 0x178D, 0x1795, 0x179B, 0x179F, 0x17A5, 0x17B3, 0x17B9, 
+	0x17BF, 0x17C9, 0x17CB, 0x17D5, 0x17E1, 0x17E9, 0x17F3, 0x17F5, 
+	0x17FF, 0x1807, 0x1813, 0x181D, 0x1835, 0x1837, 0x183B, 0x1843, 
+	0x1849, 0x184D, 0x1855, 0x1867, 0x1871, 0x1877, 0x187D, 0x187F, 
+	0x1885, 0x188F, 0x189B, 0x189D, 0x18A7, 0x18AD, 0x18B3, 0x18B9, 
+	0x18C1, 0x18C7, 0x18D1, 0x18D7, 0x18D9, 0x18DF, 0x18E5, 0x18EB, 
+	0x18F5, 0x18FD, 0x1915, 0x191B, 0x1931, 0x1933, 0x1945, 0x1949, 
+	0x1951, 0x195B, 0x1979, 0x1981, 0x1993, 0x1997, 0x1999, 0x19A3, 
+	0x19A9, 0x19AB, 0x19B1, 0x19B5, 0x19C7, 0x19CF, 0x19DB, 0x19ED, 
+	0x19FD, 0x1A03, 0x1A05, 0x1A11, 0x1A17, 0x1A21, 0x1A23, 0x1A2D, 
+	0x1A2F, 0x1A35, 0x1A3F, 0x1A4D, 0x1A51, 0x1A69, 0x1A6B, 0x1A7B, 
+	0x1A7D, 0x1A87, 0x1A89, 0x1A93, 0x1AA7, 0x1AAB, 0x1AAD, 0x1AB1, 
+	0x1AB9, 0x1AC9, 0x1ACF, 0x1AD5, 0x1AD7, 0x1AE3, 0x1AF3, 0x1AFB, 
+	0x1AFF, 0x1B05, 0x1B23, 0x1B25, 0x1B2F, 0x1B31, 0x1B37, 0x1B3B, 
+	0x1B41, 0x1B47, 0x1B4F, 0x1B55, 0x1B59, 0x1B65, 0x1B6B, 0x1B73, 
+	0x1B7F, 0x1B83, 0x1B91, 0x1B9D, 0x1BA7, 0x1BBF, 0x1BC5, 0x1BD1, 
+	0x1BD7, 0x1BD9, 0x1BEF, 0x1BF7, 0x1C09, 0x1C13, 0x1C19, 0x1C27, 
+	0x1C2B, 0x1C2D, 0x1C33, 0x1C3D, 0x1C45, 0x1C4B, 0x1C4F, 0x1C55, 
+	0x1C73, 0x1C81, 0x1C8B, 0x1C8D, 0x1C99, 0x1CA3, 0x1CA5, 0x1CB5, 
+	0x1CB7, 0x1CC9, 0x1CE1, 0x1CF3, 0x1CF9, 0x1D09, 0x1D1B, 0x1D21, 
+	0x1D23, 0x1D35, 0x1D39, 0x1D3F, 0x1D41, 0x1D4B, 0x1D53, 0x1D5D, 
+	0x1D63, 0x1D69, 0x1D71, 0x1D75, 0x1D7B, 0x1D7D, 0x1D87, 0x1D89, 
+	0x1D95, 0x1D99, 0x1D9F, 0x1DA5, 0x1DA7, 0x1DB3, 0x1DB7, 0x1DC5, 
+	0x1DD7, 0x1DDB, 0x1DE1, 0x1DF5, 0x1DF9, 0x1E01, 0x1E07, 0x1E0B, 
+	0x1E13, 0x1E17, 0x1E25, 0x1E2B, 0x1E2F, 0x1E3D, 0x1E49, 0x1E4D, 
+	0x1E4F, 0x1E6D, 0x1E71, 0x1E89, 0x1E8F, 0x1E95, 0x1EA1, 0x1EAD, 
+	0x1EBB, 0x1EC1, 0x1EC5, 0x1EC7, 0x1ECB, 0x1EDD, 0x1EE3, 0x1EEF, 
+	0x1EF7, 0x1EFD, 0x1F01, 0x1F0D, 0x1F0F, 0x1F1B, 0x1F39, 0x1F49, 
+	0x1F4B, 0x1F51, 0x1F67, 0x1F75, 0x1F7B, 0x1F85, 0x1F91, 0x1F97, 
+	0x1F99, 0x1F9D, 0x1FA5, 0x1FAF, 0x1FB5, 0x1FBB, 0x1FD3, 0x1FE1, 
+	0x1FE7, 0x1FEB, 0x1FF3, 0x1FFF, 0x2011, 0x201B, 0x201D, 0x2027, 
+	0x2029, 0x202D, 0x2033, 0x2047, 0x204D, 0x2051, 0x205F, 0x2063, 
+	0x2065, 0x2069, 0x2077, 0x207D, 0x2089, 0x20A1, 0x20AB, 0x20B1, 
+	0x20B9, 0x20C3, 0x20C5, 0x20E3, 0x20E7, 0x20ED, 0x20EF, 0x20FB, 
+	0x20FF, 0x210D, 0x2113, 0x2135, 0x2141, 0x2149, 0x214F, 0x2159, 
+	0x215B, 0x215F, 0x2173, 0x217D, 0x2185, 0x2195, 0x2197, 0x21A1, 
+	0x21AF, 0x21B3, 0x21B5, 0x21C1, 0x21C7, 0x21D7, 0x21DD, 0x21E5, 
+	0x21E9, 0x21F1, 0x21F5, 0x21FB, 0x2203, 0x2209, 0x220F, 0x221B, 
+	0x2221, 0x2225, 0x222B, 0x2231, 0x2239, 0x224B, 0x224F, 0x2263, 
+	0x2267, 0x2273, 0x2275, 0x227F, 0x2285, 0x2287, 0x2291, 0x229D, 
+	0x229F, 0x22A3, 0x22B7, 0x22BD, 0x22DB, 0x22E1, 0x22E5, 0x22ED, 
+	0x22F7, 0x2303, 0x2309, 0x230B, 0x2327, 0x2329, 0x232F, 0x2333, 
+	0x2335, 0x2345, 0x2351, 0x2353, 0x2359, 0x2363, 0x236B, 0x2383, 
+	0x238F, 0x2395, 0x23A7, 0x23AD, 0x23B1, 0x23BF, 0x23C5, 0x23C9, 
+	0x23D5, 0x23DD, 0x23E3, 0x23EF, 0x23F3, 0x23F9, 0x2405, 0x240B, 
+	0x2417, 0x2419, 0x2429, 0x243D, 0x2441, 0x2443, 0x244D, 0x245F, 
+	0x2467, 0x246B, 0x2479, 0x247D, 0x247F, 0x2485, 0x249B, 0x24A1, 
+	0x24AF, 0x24B5, 0x24BB, 0x24C5, 0x24CB, 0x24CD, 0x24D7, 0x24D9, 
+	0x24DD, 0x24DF, 0x24F5, 0x24F7, 0x24FB, 0x2501, 0x2507, 0x2513, 
+	0x2519, 0x2527, 0x2531, 0x253D, 0x2543, 0x254B, 0x254F, 0x2573, 
+	0x2581, 0x258D, 0x2593, 0x2597, 0x259D, 0x259F, 0x25AB, 0x25B1, 
+	0x25BD, 0x25CD, 0x25CF, 0x25D9, 0x25E1, 0x25F7, 0x25F9, 0x2605, 
+	0x260B, 0x260F, 0x2615, 0x2627, 0x2629, 0x2635, 0x263B, 0x263F, 
+	0x264B, 0x2653, 0x2659, 0x2665, 0x2669, 0x266F, 0x267B, 0x2681, 
+	0x2683, 0x268F, 0x269B, 0x269F, 0x26AD, 0x26B3, 0x26C3, 0x26C9, 
+	0x26CB, 0x26D5, 0x26DD, 0x26EF, 0x26F5, 0x2717, 0x2719, 0x2735, 
+	0x2737, 0x274D, 0x2753, 0x2755, 0x275F, 0x276B, 0x276D, 0x2773, 
+	0x2777, 0x277F, 0x2795, 0x279B, 0x279D, 0x27A7, 0x27AF, 0x27B3, 
+	0x27B9, 0x27C1, 0x27C5, 0x27D1, 0x27E3, 0x27EF, 0x2803, 0x2807, 
+	0x280D, 0x2813, 0x281B, 0x281F, 0x2821, 0x2831, 0x283D, 0x283F, 
+	0x2849, 0x2851, 0x285B, 0x285D, 0x2861, 0x2867, 0x2875, 0x2881, 
+	0x2897, 0x289F, 0x28BB, 0x28BD, 0x28C1, 0x28D5, 0x28D9, 0x28DB, 
+	0x28DF, 0x28ED, 0x28F7, 0x2903, 0x2905, 0x2911, 0x2921, 0x2923, 
+	0x293F, 0x2947, 0x295D, 0x2965, 0x2969, 0x296F, 0x2975, 0x2983, 
+	0x2987, 0x298F, 0x299B, 0x29A1, 0x29A7, 0x29AB, 0x29BF, 0x29C3, 
+	0x29D5, 0x29D7, 0x29E3, 0x29E9, 0x29ED, 0x29F3, 0x2A01, 0x2A13, 
+	0x2A1D, 0x2A25, 0x2A2F, 0x2A4F, 0x2A55, 0x2A5F, 0x2A65, 0x2A6B, 
+	0x2A6D, 0x2A73, 0x2A83, 0x2A89, 0x2A8B, 0x2A97, 0x2A9D, 0x2AB9, 
+	0x2ABB, 0x2AC5, 0x2ACD, 0x2ADD, 0x2AE3, 0x2AEB, 0x2AF1, 0x2AFB, 
+	0x2B13, 0x2B27, 0x2B31, 0x2B33, 0x2B3D, 0x2B3F, 0x2B4B, 0x2B4F, 
+	0x2B55, 0x2B69, 0x2B6D, 0x2B6F, 0x2B7B, 0x2B8D, 0x2B97, 0x2B99, 
+	0x2BA3, 0x2BA5, 0x2BA9, 0x2BBD, 0x2BCD, 0x2BE7, 0x2BEB, 0x2BF3, 
+	0x2BF9, 0x2BFD, 0x2C09, 0x2C0F, 0x2C17, 0x2C23, 0x2C2F, 0x2C35, 
+	0x2C39, 0x2C41, 0x2C57, 0x2C59, 0x2C69, 0x2C77, 0x2C81, 0x2C87, 
+	0x2C93, 0x2C9F, 0x2CAD, 0x2CB3, 0x2CB7, 0x2CCB, 0x2CCF, 0x2CDB, 
+	0x2CE1, 0x2CE3, 0x2CE9, 0x2CEF, 0x2CFF, 0x2D07, 0x2D1D, 0x2D1F, 
+	0x2D3B, 0x2D43, 0x2D49, 0x2D4D, 0x2D61, 0x2D65, 0x2D71, 0x2D89, 
+	0x2D9D, 0x2DA1, 0x2DA9, 0x2DB3, 0x2DB5, 0x2DC5, 0x2DC7, 0x2DD3, 
+	0x2DDF, 0x2E01, 0x2E03, 0x2E07, 0x2E0D, 0x2E19, 0x2E1F, 0x2E25, 
+	0x2E2D, 0x2E33, 0x2E37, 0x2E39, 0x2E3F, 0x2E57, 0x2E5B, 0x2E6F, 
+	0x2E79, 0x2E7F, 0x2E85, 0x2E93, 0x2E97, 0x2E9D, 0x2EA3, 0x2EA5, 
+	0x2EB1, 0x2EB7, 0x2EC1, 0x2EC3, 0x2ECD, 0x2ED3, 0x2EE7, 0x2EEB, 
+	0x2F05, 0x2F09, 0x2F0B, 0x2F11, 0x2F27, 0x2F29, 0x2F41, 0x2F45, 
+	0x2F4B, 0x2F4D, 0x2F51, 0x2F57, 0x2F6F, 0x2F75, 0x2F7D, 0x2F81, 
+	0x2F83, 0x2FA5, 0x2FAB, 0x2FB3, 0x2FC3, 0x2FCF, 0x2FD1, 0x2FDB, 
+	0x2FDD, 0x2FE7, 0x2FED, 0x2FF5, 0x2FF9, 0x3001, 0x300D, 0x3023, 
+	0x3029, 0x3037, 0x303B, 0x3055, 0x3059, 0x305B, 0x3067, 0x3071, 
+	0x3079, 0x307D, 0x3085, 0x3091, 0x3095, 0x30A3, 0x30A9, 0x30B9, 
+	0x30BF, 0x30C7, 0x30CB, 0x30D1, 0x30D7, 0x30DF, 0x30E5, 0x30EF, 
+	0x30FB, 0x30FD, 0x3103, 0x3109, 0x3119, 0x3121, 0x3127, 0x312D, 
+	0x3139, 0x3143, 0x3145, 0x314B, 0x315D, 0x3161, 0x3167, 0x316D, 
+	0x3173, 0x317F, 0x3191, 0x3199, 0x319F, 0x31A9, 0x31B1, 0x31C3, 
+	0x31C7, 0x31D5, 0x31DB, 0x31ED, 0x31F7, 0x31FF, 0x3209, 0x3215, 
+	0x3217, 0x321D, 0x3229, 0x3235, 0x3259, 0x325D, 0x3263, 0x326B, 
+	0x326F, 0x3275, 0x3277, 0x327B, 0x328D, 0x3299, 0x329F, 0x32A7, 
+	0x32AD, 0x32B3, 0x32B7, 0x32C9, 0x32CB, 0x32CF, 0x32D1, 0x32E9, 
+	0x32ED, 0x32F3, 0x32F9, 0x3307, 0x3325, 0x332B, 0x332F, 0x3335, 
+	0x3341, 0x3347, 0x335B, 0x335F, 0x3367, 0x336B, 0x3373, 0x3379, 
+	0x337F, 0x3383, 0x33A1, 0x33A3, 0x33AD, 0x33B9, 0x33C1, 0x33CB, 
+	0x33D3, 0x33EB, 0x33F1, 0x33FD, 0x3401, 0x340F, 0x3413, 0x3419, 
+	0x341B, 0x3437, 0x3445, 0x3455, 0x3457, 0x3463, 0x3469, 0x346D, 
+	0x3481, 0x348B, 0x3491, 0x3497, 0x349D, 0x34A5, 0x34AF, 0x34BB, 
+	0x34C9, 0x34D3, 0x34E1, 0x34F1, 0x34FF, 0x3509, 0x3517, 0x351D, 
+	0x352D, 0x3533, 0x353B, 0x3541, 0x3551, 0x3565, 0x356F, 0x3571, 
+	0x3577, 0x357B, 0x357D, 0x3581, 0x358D, 0x358F, 0x3599, 0x359B, 
+	0x35A1, 0x35B7, 0x35BD, 0x35BF, 0x35C3, 0x35D5, 0x35DD, 0x35E7, 
+	0x35EF, 0x3605, 0x3607, 0x3611, 0x3623, 0x3631, 0x3635, 0x3637, 
+	0x363B, 0x364D, 0x364F, 0x3653, 0x3659, 0x3661, 0x366B, 0x366D, 
+	0x368B, 0x368F, 0x36AD, 0x36AF, 0x36B9, 0x36BB, 0x36CD, 0x36D1, 
+	0x36E3, 0x36E9, 0x36F7, 0x3701, 0x3703, 0x3707, 0x371B, 0x373F, 
+	0x3745, 0x3749, 0x374F, 0x375D, 0x3761, 0x3775, 0x377F, 0x378D, 
+	0x37A3, 0x37A9, 0x37AB, 0x37C9, 0x37D5, 0x37DF, 0x37F1, 0x37F3, 
+	0x37F7, 0x3805, 0x380B, 0x3821, 0x3833, 0x3835, 0x3841, 0x3847, 
+	0x384B, 0x3853, 0x3857, 0x385F, 0x3865, 0x386F, 0x3871, 0x387D, 
+	0x388F, 0x3899, 0x38A7, 0x38B7, 0x38C5, 0x38C9, 0x38CF, 0x38D5, 
+	0x38D7, 0x38DD, 0x38E1, 0x38E3, 0x38FF, 0x3901, 0x391D, 0x3923, 
+	0x3925, 0x3929, 0x392F, 0x393D, 0x3941, 0x394D, 0x395B, 0x396B, 
+	0x3979, 0x397D, 0x3983, 0x398B, 0x3991, 0x3995, 0x399B, 0x39A1, 
+	0x39A7, 0x39AF, 0x39B3, 0x39BB, 0x39BF, 0x39CD, 0x39DD, 0x39E5, 
+	0x39EB, 0x39EF, 0x39FB, 0x3A03, 0x3A13, 0x3A15, 0x3A1F, 0x3A27, 
+	0x3A2B, 0x3A31, 0x3A4B, 0x3A51, 0x3A5B, 0x3A63, 0x3A67, 0x3A6D, 
+	0x3A79, 0x3A87, 0x3AA5, 0x3AA9, 0x3AB7, 0x3ACD, 0x3AD5, 0x3AE1, 
+	0x3AE5, 0x3AEB, 0x3AF3, 0x3AFD, 0x3B03, 0x3B11, 0x3B1B, 0x3B21, 
+	0x3B23, 0x3B2D, 0x3B39, 0x3B45, 0x3B53, 0x3B59, 0x3B5F, 0x3B71, 
+	0x3B7B, 0x3B81, 0x3B89, 0x3B9B, 0x3B9F, 0x3BA5, 0x3BA7, 0x3BAD, 
+	0x3BB7, 0x3BB9, 0x3BC3, 0x3BCB, 0x3BD1, 0x3BD7, 0x3BE1, 0x3BE3, 
+	0x3BF5, 0x3BFF, 0x3C01, 0x3C0D, 0x3C11, 0x3C17, 0x3C1F, 0x3C29, 
+	0x3C35, 0x3C43, 0x3C4F, 0x3C53, 0x3C5B, 0x3C65, 0x3C6B, 0x3C71, 
+	0x3C85, 0x3C89, 0x3C97, 0x3CA7, 0x3CB5, 0x3CBF, 0x3CC7, 0x3CD1, 
+	0x3CDD, 0x3CDF, 0x3CF1, 0x3CF7, 0x3D03, 0x3D0D, 0x3D19, 0x3D1B, 
+	0x3D1F, 0x3D21, 0x3D2D, 0x3D33, 0x3D37, 0x3D3F, 0x3D43, 0x3D6F, 
+	0x3D73, 0x3D75, 0x3D79, 0x3D7B, 0x3D85, 0x3D91, 0x3D97, 0x3D9D, 
+	0x3DAB, 0x3DAF, 0x3DB5, 0x3DBB, 0x3DC1, 0x3DC9, 0x3DCF, 0x3DF3, 
+	0x3E05, 0x3E09, 0x3E0F, 0x3E11, 0x3E1D, 0x3E23, 0x3E29, 0x3E2F, 
+	0x3E33, 0x3E41, 0x3E57, 0x3E63, 0x3E65, 0x3E77, 0x3E81, 0x3E87, 
+	0x3EA1, 0x3EB9, 0x3EBD, 0x3EBF, 0x3EC3, 0x3EC5, 0x3EC9, 0x3ED7, 
+	0x3EDB, 0x3EE1, 0x3EE7, 0x3EEF, 0x3EFF, 0x3F0B, 0x3F0D, 0x3F37, 
+	0x3F3B, 0x3F3D, 0x3F41, 0x3F59, 0x3F5F, 0x3F65, 0x3F67, 0x3F79, 
+	0x3F7D, 0x3F8B, 0x3F91, 0x3FAD, 0x3FBF, 0x3FCD, 0x3FD3, 0x3FDD, 
+	0x3FE9, 0x3FEB, 0x3FF1, 0x3FFD, 0x401B, 0x4021, 0x4025, 0x402B, 
+	0x4031, 0x403F, 0x4043, 0x4045, 0x405D, 0x4061, 0x4067, 0x406D, 
+	0x4087, 0x4091, 0x40A3, 0x40A9, 0x40B1, 0x40B7, 0x40BD, 0x40DB, 
+	0x40DF, 0x40EB, 0x40F7, 0x40F9, 0x4109, 0x410B, 0x4111, 0x4115, 
+	0x4121, 0x4133, 0x4135, 0x413B, 0x413F, 0x4159, 0x4165, 0x416B, 
+	0x4177, 0x417B, 0x4193, 0x41AB, 0x41B7, 0x41BD, 0x41BF, 0x41CB, 
+	0x41E7, 0x41EF, 0x41F3, 0x41F9, 0x4205, 0x4207, 0x4219, 0x421F, 
+	0x4223, 0x4229, 0x422F, 0x4243, 0x4253, 0x4255, 0x425B, 0x4261, 
+	0x4273, 0x427D, 0x4283, 0x4285, 0x4289, 0x4291, 0x4297, 0x429D, 
+	0x42B5, 0x42C5, 0x42CB, 0x42D3, 0x42DD, 0x42E3, 0x42F1, 0x4307, 
+	0x430F, 0x431F, 0x4325, 0x4327, 0x4333, 0x4337, 0x4339, 0x434F, 
+	0x4357, 0x4369, 0x438B, 0x438D, 0x4393, 0x43A5, 0x43A9, 0x43AF, 
+	0x43B5, 0x43BD, 0x43C7, 0x43CF, 0x43E1, 0x43E7, 0x43EB, 0x43ED, 
+	0x43F1, 0x43F9, 0x4409, 0x440B, 0x4417, 0x4423, 0x4429, 0x443B, 
+	0x443F, 0x4445, 0x444B, 0x4451, 0x4453, 0x4459, 0x4465, 0x446F, 
+	0x4483, 0x448F, 0x44A1, 0x44A5, 0x44AB, 0x44AD, 0x44BD, 0x44BF, 
+	0x44C9, 0x44D7, 0x44DB, 0x44F9, 0x44FB, 0x4505, 0x4511, 0x4513, 
+	0x452B, 0x4531, 0x4541, 0x4549, 0x4553, 0x4555, 0x4561, 0x4577, 
+	0x457D, 0x457F, 0x458F, 0x45A3, 0x45AD, 0x45AF, 0x45BB, 0x45C7, 
+	0x45D9, 0x45E3, 0x45EF, 0x45F5, 0x45F7, 0x4601, 0x4603, 0x4609, 
+	0x4613, 0x4625, 0x4627, 0x4633, 0x4639, 0x463D, 0x4643, 0x4645, 
+	0x465D, 0x4679, 0x467B, 0x467F, 0x4681, 0x468B, 0x468D, 0x469D, 
+	0x46A9, 0x46B1, 0x46C7, 0x46C9, 0x46CF, 0x46D3, 0x46D5, 0x46DF, 
+	0x46E5, 0x46F9, 0x4705, 0x470F, 0x4717, 0x4723, 0x4729, 0x472F, 
+	0x4735, 0x4739, 0x474B, 0x474D, 0x4751, 0x475D, 0x476F, 0x4771, 
+	0x477D, 0x4783, 0x4787, 0x4789, 0x4799, 0x47A5, 0x47B1, 0x47BF, 
+	0x47C3, 0x47CB, 0x47DD, 0x47E1, 0x47ED, 0x47FB, 0x4801, 0x4807, 
+	0x480B, 0x4813, 0x4819, 0x481D, 0x4831, 0x483D, 0x4847, 0x4855, 
+	0x4859, 0x485B, 0x486B, 0x486D, 0x4879, 0x4897, 0x489B, 0x48A1, 
+	0x48B9, 0x48CD, 0x48E5, 0x48EF, 0x48F7, 0x4903, 0x490D, 0x4919, 
+	0x491F, 0x492B, 0x4937, 0x493D, 0x4945, 0x4955, 0x4963, 0x4969, 
+	0x496D, 0x4973, 0x4997, 0x49AB, 0x49B5, 0x49D3, 0x49DF, 0x49E1, 
+	0x49E5, 0x49E7, 0x4A03, 0x4A0F, 0x4A1D, 0x4A23, 0x4A39, 0x4A41, 
+	0x4A45, 0x4A57, 0x4A5D, 0x4A6B, 0x4A7D, 0x4A81, 0x4A87, 0x4A89, 
+	0x4A8F, 0x4AB1, 0x4AC3, 0x4AC5, 0x4AD5, 0x4ADB, 0x4AED, 0x4AEF, 
+	0x4B07, 0x4B0B, 0x4B0D, 0x4B13, 0x4B1F, 0x4B25, 0x4B31, 0x4B3B, 
+	0x4B43, 0x4B49, 0x4B59, 0x4B65, 0x4B6D, 0x4B77, 0x4B85, 0x4BAD, 
+	0x4BB3, 0x4BB5, 0x4BBB, 0x4BBF, 0x4BCB, 0x4BD9, 0x4BDD, 0x4BDF, 
+	0x4BE3, 0x4BE5, 0x4BE9, 0x4BF1, 0x4BF7, 0x4C01, 0x4C07, 0x4C0D, 
+	0x4C0F, 0x4C15, 0x4C1B, 0x4C21, 0x4C2D, 0x4C33, 0x4C4B, 0x4C55, 
+	0x4C57, 0x4C61, 0x4C67, 0x4C73, 0x4C79, 0x4C7F, 0x4C8D, 0x4C93, 
+	0x4C99, 0x4CCD, 0x4CE1, 0x4CE7, 0x4CF1, 0x4CF3, 0x4CFD, 0x4D05, 
+	0x4D0F, 0x4D1B, 0x4D27, 0x4D29, 0x4D2F, 0x4D33, 0x4D41, 0x4D51, 
+	0x4D59, 0x4D65, 0x4D6B, 0x4D81, 0x4D83, 0x4D8D, 0x4D95, 0x4D9B, 
+	0x4DB1, 0x4DB3, 0x4DC9, 0x4DCF, 0x4DD7, 0x4DE1, 0x4DED, 0x4DF9, 
+	0x4DFB, 0x4E05, 0x4E0B, 0x4E17, 0x4E19, 0x4E1D, 0x4E2B, 0x4E35, 
+	0x4E37, 0x4E3D, 0x4E4F, 0x4E53, 0x4E5F, 0x4E67, 0x4E79, 0x4E85, 
+	0x4E8B, 0x4E91, 0x4E95, 0x4E9B, 0x4EA1, 0x4EAF, 0x4EB3, 0x4EB5, 
+	0x4EC1, 0x4ECD, 0x4ED1, 0x4ED7, 0x4EE9, 0x4EFB, 0x4F07, 0x4F09, 
+	0x4F19, 0x4F25, 0x4F2D, 0x4F3F, 0x4F49, 0x4F63, 0x4F67, 0x4F6D, 
+	0x4F75, 0x4F7B, 0x4F81, 0x4F85, 0x4F87, 0x4F91, 0x4FA5, 0x4FA9, 
+	0x4FAF, 0x4FB7, 0x4FBB, 0x4FCF, 0x4FD9, 0x4FDB, 0x4FFD, 0x4FFF, 
+	0x5003, 0x501B, 0x501D, 0x5029, 0x5035, 0x503F, 0x5045, 0x5047, 
+	0x5053, 0x5071, 0x5077, 0x5083, 0x5093, 0x509F, 0x50A1, 0x50B7, 
+	0x50C9, 0x50D5, 0x50E3, 0x50ED, 0x50EF, 0x50FB, 0x5107, 0x510B, 
+	0x510D, 0x5111, 0x5117, 0x5123, 0x5125, 0x5135, 0x5147, 0x5149, 
+	0x5171, 0x5179, 0x5189, 0x518F, 0x5197, 0x51A1, 0x51A3, 0x51A7, 
+	0x51B9, 0x51C1, 0x51CB, 0x51D3, 0x51DF, 0x51E3, 0x51F5, 0x51F7, 
+	0x5209, 0x5213, 0x5215, 0x5219, 0x521B, 0x521F, 0x5227, 0x5243, 
+	0x5245, 0x524B, 0x5261, 0x526D, 0x5273, 0x5281, 0x5293, 0x5297, 
+	0x529D, 0x52A5, 0x52AB, 0x52B1, 0x52BB, 0x52C3, 0x52C7, 0x52C9, 
+	0x52DB, 0x52E5, 0x52EB, 0x52FF, 0x5315, 0x531D, 0x5323, 0x5341, 
+	0x5345, 0x5347, 0x534B, 0x535D, 0x5363, 0x5381, 0x5383, 0x5387, 
+	0x538F, 0x5395, 0x5399, 0x539F, 0x53AB, 0x53B9, 0x53DB, 0x53E9, 
+	0x53EF, 0x53F3, 0x53F5, 0x53FB, 0x53FF, 0x540D, 0x5411, 0x5413, 
+	0x5419, 0x5435, 0x5437, 0x543B, 0x5441, 0x5449, 0x5453, 0x5455, 
+	0x545F, 0x5461, 0x546B, 0x546D, 0x5471, 0x548F, 0x5491, 0x549D, 
+	0x54A9, 0x54B3, 0x54C5, 0x54D1, 0x54DF, 0x54E9, 0x54EB, 0x54F7, 
+	0x54FD, 0x5507, 0x550D, 0x551B, 0x5527, 0x552B, 0x5539, 0x553D, 
+	0x554F, 0x5551, 0x555B, 0x5563, 0x5567, 0x556F, 0x5579, 0x5585, 
+	0x5597, 0x55A9, 0x55B1, 0x55B7, 0x55C9, 0x55D9, 0x55E7, 0x55ED, 
+	0x55F3, 0x55FD, 0x560B, 0x560F, 0x5615, 0x5617, 0x5623, 0x562F, 
+	0x5633, 0x5639, 0x563F, 0x564B, 0x564D, 0x565D, 0x565F, 0x566B, 
+	0x5671, 0x5675, 0x5683, 0x5689, 0x568D, 0x568F, 0x569B, 0x56AD, 
+	0x56B1, 0x56D5, 0x56E7, 0x56F3, 0x56FF, 0x5701, 0x5705, 0x5707, 
+	0x570B, 0x5713, 0x571F, 0x5723, 0x5747, 0x574D, 0x575F, 0x5761, 
+	0x576D, 0x5777, 0x577D, 0x5789, 0x57A1, 0x57A9, 0x57AF, 0x57B5, 
+	0x57C5, 0x57D1, 0x57D3, 0x57E5, 0x57EF, 0x5803, 0x580D, 0x580F, 
+	0x5815, 0x5827, 0x582B, 0x582D, 0x5855, 0x585B, 0x585D, 0x586D, 
+	0x586F, 0x5873, 0x587B, 0x588D, 0x5897, 0x58A3, 0x58A9, 0x58AB, 
+	0x58B5, 0x58BD, 0x58C1, 0x58C7, 0x58D3, 0x58D5, 0x58DF, 0x58F1, 
+	0x58F9, 0x58FF, 0x5903, 0x5917, 0x591B, 0x5921, 0x5945, 0x594B, 
+	0x594D, 0x5957, 0x595D, 0x5975, 0x597B, 0x5989, 0x5999, 0x599F, 
+	0x59B1, 0x59B3, 0x59BD, 0x59D1, 0x59DB, 0x59E3, 0x59E9, 0x59ED, 
+	0x59F3, 0x59F5, 0x59FF, 0x5A01, 0x5A0D, 0x5A11, 0x5A13, 0x5A17, 
+	0x5A1F, 0x5A29, 0x5A2F, 0x5A3B, 0x5A4D, 0x5A5B, 0x5A67, 0x5A77, 
+	0x5A7F, 0x5A85, 0x5A95, 0x5A9D, 0x5AA1, 0x5AA3, 0x5AA9, 0x5ABB, 
+	0x5AD3, 0x5AE5, 0x5AEF, 0x5AFB, 0x5AFD, 0x5B01, 0x5B0F, 0x5B19, 
+	0x5B1F, 0x5B25, 0x5B2B, 0x5B3D, 0x5B49, 0x5B4B, 0x5B67, 0x5B79, 
+	0x5B87, 0x5B97, 0x5BA3, 0x5BB1, 0x5BC9, 0x5BD5, 0x5BEB, 0x5BF1, 
+	0x5BF3, 0x5BFD, 0x5C05, 0x5C09, 0x5C0B, 0x5C0F, 0x5C1D, 0x5C29, 
+	0x5C2F, 0x5C33, 0x5C39, 0x5C47, 0x5C4B, 0x5C4D, 0x5C51, 0x5C6F, 
+	0x5C75, 0x5C77, 0x5C7D, 0x5C87, 0x5C89, 0x5CA7, 0x5CBD, 0x5CBF, 
+	0x5CC3, 0x5CC9, 0x5CD1, 0x5CD7, 0x5CDD, 0x5CED, 0x5CF9, 0x5D05, 
+	0x5D0B, 0x5D13, 0x5D17, 0x5D19, 0x5D31, 0x5D3D, 0x5D41, 0x5D47, 
+	0x5D4F, 0x5D55, 0x5D5B, 0x5D65, 0x5D67, 0x5D6D, 0x5D79, 0x5D95, 
+	0x5DA3, 0x5DA9, 0x5DAD, 0x5DB9, 0x5DC1, 0x5DC7, 0x5DD3, 0x5DD7, 
+	0x5DDD, 0x5DEB, 0x5DF1, 0x5DFD, 0x5E07, 0x5E0D, 0x5E13, 0x5E1B, 
+	0x5E21, 0x5E27, 0x5E2B, 0x5E2D, 0x5E31, 0x5E39, 0x5E45, 0x5E49, 
+	0x5E57, 0x5E69, 0x5E73, 0x5E75, 0x5E85, 0x5E8B, 0x5E9F, 0x5EA5, 
+	0x5EAF, 0x5EB7, 0x5EBB, 0x5ED9, 0x5EFD, 0x5F09, 0x5F11, 0x5F27, 
+	0x5F33, 0x5F35, 0x5F3B, 0x5F47, 0x5F57, 0x5F5D, 0x5F63, 0x5F65, 
+	0x5F77, 0x5F7B, 0x5F95, 0x5F99, 0x5FA1, 0x5FB3, 0x5FBD, 0x5FC5, 
+	0x5FCF, 0x5FD5, 0x5FE3, 0x5FE7, 0x5FFB, 0x6011, 0x6023, 0x602F, 
+	0x6037, 0x6053, 0x605F, 0x6065, 0x606B, 0x6073, 0x6079, 0x6085, 
+	0x609D, 0x60AD, 0x60BB, 0x60BF, 0x60CD, 0x60D9, 0x60DF, 0x60E9, 
+	0x60F5, 0x6109, 0x610F, 0x6113, 0x611B, 0x612D, 0x6139, 0x614B, 
+	0x6155, 0x6157, 0x615B, 0x616F, 0x6179, 0x6187, 0x618B, 0x6191, 
+	0x6193, 0x619D, 0x61B5, 0x61C7, 0x61C9, 0x61CD, 0x61E1, 0x61F1, 
+	0x61FF, 0x6209, 0x6217, 0x621D, 0x6221, 0x6227, 0x623B, 0x6241, 
+	0x624B, 0x6251, 0x6253, 0x625F, 0x6265, 0x6283, 0x628D, 0x6295, 
+	0x629B, 0x629F, 0x62A5, 0x62AD, 0x62D5, 0x62D7, 0x62DB, 0x62DD, 
+	0x62E9, 0x62FB, 0x62FF, 0x6305, 0x630D, 0x6317, 0x631D, 0x632F, 
+	0x6341, 0x6343, 0x634F, 0x635F, 0x6367, 0x636D, 0x6371, 0x6377, 
+	0x637D, 0x637F, 0x63B3, 0x63C1, 0x63C5, 0x63D9, 0x63E9, 0x63EB, 
+	0x63EF, 0x63F5, 0x6401, 0x6403, 0x6409, 0x6415, 0x6421, 0x6427, 
+	0x642B, 0x6439, 0x6443, 0x6449, 0x644F, 0x645D, 0x6467, 0x6475, 
+	0x6485, 0x648D, 0x6493, 0x649F, 0x64A3, 0x64AB, 0x64C1, 0x64C7, 
+	0x64C9, 0x64DB, 0x64F1, 0x64F7, 0x64F9, 0x650B, 0x6511, 0x6521, 
+	0x652F, 0x6539, 0x653F, 0x654B, 0x654D, 0x6553, 0x6557, 0x655F, 
+	0x6571, 0x657D, 0x658D, 0x658F, 0x6593, 0x65A1, 0x65A5, 0x65AD, 
+	0x65B9, 0x65C5, 0x65E3, 0x65F3, 0x65FB, 0x65FF, 0x6601, 0x6607, 
+	0x661D, 0x6629, 0x6631, 0x663B, 0x6641, 0x6647, 0x664D, 0x665B, 
+	0x6661, 0x6673, 0x667D, 0x6689, 0x668B, 0x6695, 0x6697, 0x669B, 
+	0x66B5, 0x66B9, 0x66C5, 0x66CD, 0x66D1, 0x66E3, 0x66EB, 0x66F5, 
+	0x6703, 0x6713, 0x6719, 0x671F, 0x6727, 0x6731, 0x6737, 0x673F, 
+	0x6745, 0x6751, 0x675B, 0x676F, 0x6779, 0x6781, 0x6785, 0x6791, 
+	0x67AB, 0x67BD, 0x67C1, 0x67CD, 0x67DF, 0x67E5, 0x6803, 0x6809, 
+	0x6811, 0x6817, 0x682D, 0x6839, 0x683B, 0x683F, 0x6845, 0x684B, 
+	0x684D, 0x6857, 0x6859, 0x685D, 0x6863, 0x6869, 0x686B, 0x6871, 
+	0x6887, 0x6899, 0x689F, 0x68B1, 0x68BD, 0x68C5, 0x68D1, 0x68D7, 
+	0x68E1, 0x68ED, 0x68EF, 0x68FF, 0x6901, 0x690B, 0x690D, 0x6917, 
+	0x6929, 0x692F, 0x6943, 0x6947, 0x6949, 0x694F, 0x6965, 0x696B, 
+	0x6971, 0x6983, 0x6989, 0x6997, 0x69A3, 0x69B3, 0x69B5, 0x69BB, 
+	0x69C1, 0x69C5, 0x69D3, 0x69DF, 0x69E3, 0x69E5, 0x69F7, 0x6A07, 
+	0x6A2B, 0x6A37, 0x6A3D, 0x6A4B, 0x6A67, 0x6A69, 0x6A75, 0x6A7B, 
+	0x6A87, 0x6A8D, 0x6A91, 0x6A93, 0x6AA3, 0x6AC1, 0x6AC9, 0x6AE1, 
+	0x6AE7, 0x6B05, 0x6B0F, 0x6B11, 0x6B23, 0x6B27, 0x6B2D, 0x6B39, 
+	0x6B41, 0x6B57, 0x6B59, 0x6B5F, 0x6B75, 0x6B87, 0x6B89, 0x6B93, 
+	0x6B95, 0x6B9F, 0x6BBD, 0x6BBF, 0x6BDB, 0x6BE1, 0x6BEF, 0x6BFF, 
+	0x6C05, 0x6C19, 0x6C29, 0x6C2B, 0x6C31, 0x6C35, 0x6C55, 0x6C59, 
+	0x6C5B, 0x6C5F, 0x6C65, 0x6C67, 0x6C73, 0x6C77, 0x6C7D, 0x6C83, 
+	0x6C8F, 0x6C91, 0x6C97, 0x6C9B, 0x6CA1, 0x6CA9, 0x6CAF, 0x6CB3, 
+	0x6CC7, 0x6CCB, 0x6CEB, 0x6CF5, 0x6CFD, 0x6D0D, 0x6D0F, 0x6D25, 
+	0x6D27, 0x6D2B, 0x6D31, 0x6D39, 0x6D3F, 0x6D4F, 0x6D5D, 0x6D61, 
+	0x6D73, 0x6D7B, 0x6D7F, 0x6D93, 0x6D99, 0x6DA5, 0x6DB1, 0x6DB7, 
+	0x6DC1, 0x6DC3, 0x6DCD, 0x6DCF, 0x6DDB, 0x6DF7, 0x6E03, 0x6E15, 
+	0x6E17, 0x6E29, 0x6E33, 0x6E3B, 0x6E45, 0x6E75, 0x6E77, 0x6E7B, 
+	0x6E81, 0x6E89, 0x6E93, 0x6E95, 0x6E9F, 0x6EBD, 0x6EBF, 0x6EE3, 
+	0x6EE9, 0x6EF3, 0x6EF9, 0x6EFB, 0x6F0D, 0x6F11, 0x6F17, 0x6F1F, 
+	0x6F2F, 0x6F3D, 0x6F4D, 0x6F53, 0x6F61, 0x6F65, 0x6F79, 0x6F7D, 
+	0x6F83, 0x6F85, 0x6F8F, 0x6F9B, 0x6F9D, 0x6FA3, 0x6FAF, 0x6FB5, 
+	0x6FBB, 0x6FBF, 0x6FCB, 0x6FCD, 0x6FD3, 0x6FD7, 0x6FE3, 0x6FE9, 
+	0x6FF1, 0x6FF5, 0x6FF7, 0x6FFD, 0x700F, 0x7019, 0x701F, 0x7027, 
+	0x7033, 0x7039, 0x704F, 0x7051, 0x7057, 0x7063, 0x7075, 0x7079, 
+	0x7087, 0x708D, 0x7091, 0x70A5, 0x70AB, 0x70BB, 0x70C3, 0x70C7, 
+	0x70CF, 0x70E5, 0x70ED, 0x70F9, 0x70FF, 0x7105, 0x7115, 0x7121, 
+	0x7133, 0x7151, 0x7159, 0x715D, 0x715F, 0x7163, 0x7169, 0x7183, 
+	0x7187, 0x7195, 0x71AD, 0x71C3, 0x71C9, 0x71CB, 0x71D1, 0x71DB, 
+	0x71E1, 0x71EF, 0x71F5, 0x71FB, 0x7207, 0x7211, 0x7217, 0x7219, 
+	0x7225, 0x722F, 0x723B, 0x7243, 0x7255, 0x7267, 0x7271, 0x7277, 
+	0x727F, 0x728F, 0x7295, 0x729B, 0x72A3, 0x72B3, 0x72C7, 0x72CB, 
+	0x72CD, 0x72D7, 0x72D9, 0x72E3, 0x72EF, 0x72F5, 0x72FD, 0x7303, 
+	0x730D, 0x7321, 0x732B, 0x733D, 0x7357, 0x735B, 0x7361, 0x737F, 
+	0x7381, 0x7385, 0x738D, 0x7393, 0x739F, 0x73AB, 0x73BD, 0x73C1, 
+	0x73C9, 0x73DF, 0x73E5, 0x73E7, 0x73F3, 0x7415, 0x741B, 0x742D, 
+	0x7439, 0x743F, 0x7441, 0x745D, 0x746B, 0x747B, 0x7489, 0x748D, 
+	0x749B, 0x74A7, 0x74AB, 0x74B1, 0x74B7, 0x74B9, 0x74DD, 0x74E1, 
+	0x74E7, 0x74FB, 0x7507, 0x751F, 0x7525, 0x753B, 0x753D, 0x754D, 
+	0x755F, 0x756B, 0x7577, 0x7589, 0x758B, 0x7591, 0x7597, 0x759D, 
+	0x75A1, 0x75A7, 0x75B5, 0x75B9, 0x75BB, 0x75D1, 0x75D9, 0x75E5, 
+	0x75EB, 0x75F5, 0x75FB, 0x7603, 0x760F, 0x7621, 0x762D, 0x7633, 
+	0x763D, 0x763F, 0x7655, 0x7663, 0x7669, 0x766F, 0x7673, 0x7685, 
+	0x768B, 0x769F, 0x76B5, 0x76B7, 0x76C3, 0x76DB, 0x76DF, 0x76F1, 
+	0x7703, 0x7705, 0x771B, 0x771D, 0x7721, 0x772D, 0x7735, 0x7741, 
+	0x774B, 0x7759, 0x775D, 0x775F, 0x7771, 0x7781, 0x77A7, 0x77AD, 
+	0x77B3, 0x77B9, 0x77C5, 0x77CF, 0x77D5, 0x77E1, 0x77E9, 0x77EF, 
+	0x77F3, 0x77F9, 0x7807, 0x7825, 0x782B, 0x7835, 0x783D, 0x7853, 
+	0x7859, 0x7861, 0x786D, 0x7877, 0x7879, 0x7883, 0x7885, 0x788B, 
+	0x7895, 0x7897, 0x78A1, 0x78AD, 0x78BF, 0x78D3, 0x78D9, 0x78DD, 
+	0x78E5, 0x78FB, 0x7901, 0x7907, 0x7925, 0x792B, 0x7939, 0x793F, 
+	0x794B, 0x7957, 0x795D, 0x7967, 0x7969, 0x7973, 0x7991, 0x7993, 
+	0x79A3, 0x79AB, 0x79AF, 0x79B1, 0x79B7, 0x79C9, 0x79CD, 0x79CF, 
+	0x79D5, 0x79D9, 0x79F3, 0x79F7, 0x79FF, 0x7A05, 0x7A0F, 0x7A11, 
+	0x7A15, 0x7A1B, 0x7A23, 0x7A27, 0x7A2D, 0x7A4B, 0x7A57, 0x7A59, 
+	0x7A5F, 0x7A65, 0x7A69, 0x7A7D, 0x7A93, 0x7A9B, 0x7A9F, 0x7AA1, 
+	0x7AA5, 0x7AED, 0x7AF5, 0x7AF9, 0x7B01, 0x7B17, 0x7B19, 0x7B1D, 
+	0x7B2B, 0x7B35, 0x7B37, 0x7B3B, 0x7B4F, 0x7B55, 0x7B5F, 0x7B71, 
+	0x7B77, 0x7B8B, 0x7B9B, 0x7BA1, 0x7BA9, 0x7BAF, 0x7BB3, 0x7BC7, 
+	0x7BD3, 0x7BE9, 0x7BEB, 0x7BEF, 0x7BF1, 0x7BFD, 0x7C07, 0x7C19, 
+	0x7C1B, 0x7C31, 0x7C37, 0x7C49, 0x7C67, 0x7C69, 0x7C73, 0x7C81, 
+	0x7C8B, 0x7C93, 0x7CA3, 0x7CD5, 0x7CDB, 0x7CE5, 0x7CED, 0x7CF7, 
+	0x7D03, 0x7D09, 0x7D1B, 0x7D1D, 0x7D33, 0x7D39, 0x7D3B, 0x7D3F, 
+	0x7D45, 0x7D4D, 0x7D53, 0x7D59, 0x7D63, 0x7D75, 0x7D77, 0x7D8D, 
+	0x7D8F, 0x7D9F, 0x7DAD, 0x7DB7, 0x7DBD, 0x7DBF, 0x7DCB, 0x7DD5, 
+	0x7DE9, 0x7DED, 0x7DFB, 0x7E01, 0x7E05, 0x7E29, 0x7E2B, 0x7E2F, 
+	0x7E35, 0x7E41, 0x7E43, 0x7E47, 0x7E55, 0x7E61, 0x7E67, 0x7E6B, 
+	0x7E71, 0x7E73, 0x7E79, 0x7E7D, 0x7E91, 0x7E9B, 0x7E9D, 0x7EA7, 
+	0x7EAD, 0x7EB9, 0x7EBB, 0x7ED3, 0x7EDF, 0x7EEB, 0x7EF1, 0x7EF7, 
+	0x7EFB, 0x7F13, 0x7F15, 0x7F19, 0x7F31, 0x7F33, 0x7F39, 0x7F3D, 
+	0x7F43, 0x7F4B, 0x7F5B, 0x7F61, 0x7F63, 0x7F6D, 0x7F79, 0x7F87, 
+	0x7F8D, 0x7FAF, 0x7FB5, 0x7FC3, 0x7FC9, 0x7FCD, 0x7FCF, 0x7FED, 
+	0x8003, 0x800B, 0x800F, 0x8015, 0x801D, 0x8021, 0x8023, 0x803F, 
+	0x8041, 0x8047, 0x804B, 0x8065, 0x8077, 0x808D, 0x808F, 0x8095, 
+	0x80A5, 0x80AB, 0x80AD, 0x80BD, 0x80C9, 0x80CB, 0x80D7, 0x80DB, 
+	0x80E1, 0x80E7, 0x80F5, 0x80FF, 0x8105, 0x810D, 0x8119, 0x811D, 
+	0x812F, 0x8131, 0x813B, 0x8143, 0x8153, 0x8159, 0x815F, 0x817D, 
+	0x817F, 0x8189, 0x819B, 0x819D, 0x81A7, 0x81AF, 0x81B3, 0x81BB, 
+	0x81C7, 0x81DF, 0x8207, 0x8209, 0x8215, 0x821F, 0x8225, 0x8231, 
+	0x8233, 0x823F, 0x8243, 0x8245, 0x8249, 0x824F, 0x8261, 0x826F, 
+	0x827B, 0x8281, 0x8285, 0x8293, 0x82B1, 0x82B5, 0x82BD, 0x82C7, 
+	0x82CF, 0x82D5, 0x82DF, 0x82F1, 0x82F9, 0x82FD, 0x830B, 0x831B, 
+	0x8321, 0x8329, 0x832D, 0x8333, 0x8335, 0x833F, 0x8341, 0x834D, 
+	0x8351, 0x8353, 0x8357, 0x835D, 0x8365, 0x8369, 0x836F, 0x838F, 
+	0x83A7, 0x83B1, 0x83B9, 0x83CB, 0x83D5, 0x83D7, 0x83DD, 0x83E7, 
+	0x83E9, 0x83ED, 0x83FF, 0x8405, 0x8411, 0x8413, 0x8423, 0x8425, 
+	0x843B, 0x8441, 0x8447, 0x844F, 0x8461, 0x8465, 0x8477, 0x8483, 
+	0x848B, 0x8491, 0x8495, 0x84A9, 0x84AF, 0x84CD, 0x84E3, 0x84EF, 
+	0x84F1, 0x84F7, 0x8509, 0x850D, 0x854B, 0x854F, 0x8551, 0x855D, 
+	0x8563, 0x856D, 0x856F, 0x857B, 0x8587, 0x85A3, 0x85A5, 0x85A9, 
+	0x85B7, 0x85CD, 0x85D3, 0x85D5, 0x85DB, 0x85E1, 0x85EB, 0x85F9, 
+	0x85FD, 0x85FF, 0x8609, 0x860F, 0x8617, 0x8621, 0x862F, 0x8639, 
+	0x863F, 0x8641, 0x864D, 0x8663, 0x8675, 0x867D, 0x8687, 0x8699, 
+	0x86A5, 0x86A7, 0x86B3, 0x86B7, 0x86C3, 0x86C5, 0x86CF, 0x86D1, 
+	0x86D7, 0x86E9, 0x86EF, 0x86F5, 0x8717, 0x871D, 0x871F, 0x872B, 
+	0x872F, 0x8735, 0x8747, 0x8759, 0x875B, 0x876B, 0x8771, 0x8777, 
+	0x877F, 0x8785, 0x878F, 0x87A1, 0x87A9, 0x87B3, 0x87BB, 0x87C5, 
+	0x87C7, 0x87CB, 0x87DD, 0x87F7, 0x8803, 0x8819, 0x881B, 0x881F, 
+	0x8821, 0x8837, 0x883D, 0x8843, 0x8851, 0x8861, 0x8867, 0x887B, 
+	0x8885, 0x8891, 0x8893, 0x88A5, 0x88CF, 0x88D3, 0x88EB, 0x88ED, 
+	0x88F3, 0x88FD, 0x8909, 0x890B, 0x8911, 0x891B, 0x8923, 0x8927, 
+	0x892D, 0x8939, 0x8945, 0x894D, 0x8951, 0x8957, 0x8963, 0x8981, 
+	0x8995, 0x899B, 0x89B3, 0x89B9, 0x89C3, 0x89CF, 0x89D1, 0x89DB, 
+	0x89EF, 0x89F5, 0x89FB, 0x89FF, 0x8A0B, 0x8A19, 0x8A23, 0x8A35, 
+	0x8A41, 0x8A49, 0x8A4F, 0x8A5B, 0x8A5F, 0x8A6D, 0x8A77, 0x8A79, 
+	0x8A85, 0x8AA3, 0x8AB3, 0x8AB5, 0x8AC1, 0x8AC7, 0x8ACB, 0x8ACD, 
+	0x8AD1, 0x8AD7, 0x8AF1, 0x8AF5, 0x8B07, 0x8B09, 0x8B0D, 0x8B13, 
+	0x8B21, 0x8B57, 0x8B5D, 0x8B91, 0x8B93, 0x8BA3, 0x8BA9, 0x8BAF, 
+	0x8BBB, 0x8BD5, 0x8BD9, 0x8BDB, 0x8BE1, 0x8BF7, 0x8BFD, 0x8BFF, 
+	0x8C0B, 0x8C17, 0x8C1D, 0x8C27, 0x8C39, 0x8C3B, 0x8C47, 0x8C53, 
+	0x8C5D, 0x8C6F, 0x8C7B, 0x8C81, 0x8C89, 0x8C8F, 0x8C99, 0x8C9F, 
+	0x8CA7, 0x8CAB, 0x8CAD, 0x8CB1, 0x8CC5, 0x8CDD, 0x8CE3, 0x8CE9, 
+	0x8CF3, 0x8D01, 0x8D0B, 0x8D0D, 0x8D23, 0x8D29, 0x8D37, 0x8D41, 
+	0x8D5B, 0x8D5F, 0x8D71, 0x8D79, 0x8D85, 0x8D91, 0x8D9B, 0x8DA7, 
+	0x8DAD, 0x8DB5, 0x8DC5, 0x8DCB, 0x8DD3, 0x8DD9, 0x8DDF, 0x8DF5, 
+	0x8DF7, 0x8E01, 0x8E15, 0x8E1F, 0x8E25, 0x8E51, 0x8E63, 0x8E69, 
+	0x8E73, 0x8E75, 0x8E79, 0x8E7F, 0x8E8D, 0x8E91, 0x8EAB, 0x8EAF, 
+	0x8EB1, 0x8EBD, 0x8EC7, 0x8ECF, 0x8ED3, 0x8EDB, 0x8EE7, 0x8EEB, 
+	0x8EF7, 0x8EFF, 0x8F15, 0x8F1D, 0x8F23, 0x8F2D, 0x8F3F, 0x8F45, 
+	0x8F4B, 0x8F53, 0x8F59, 0x8F65, 0x8F69, 0x8F71, 0x8F83, 0x8F8D, 
+	0x8F99, 0x8F9F, 0x8FAB, 0x8FAD, 0x8FB3, 0x8FB7, 0x8FB9, 0x8FC9, 
+	0x8FD5, 0x8FE1, 0x8FEF, 0x8FF9, 0x9007, 0x900D, 0x9017, 0x9023, 
+	0x9025, 0x9031, 0x9037, 0x903B, 0x9041, 0x9043, 0x904F, 0x9053, 
+	0x906D, 0x9073, 0x9085, 0x908B, 0x9095, 0x909B, 0x909D, 0x90AF, 
+	0x90B9, 0x90C1, 0x90C5, 0x90DF, 0x90E9, 0x90FD, 0x9103, 0x9113, 
+	0x9127, 0x9133, 0x913D, 0x9145, 0x914F, 0x9151, 0x9161, 0x9167, 
+	0x917B, 0x9185, 0x9199, 0x919D, 0x91BB, 0x91BD, 0x91C1, 0x91C9, 
+	0x91D9, 0x91DB, 0x91ED, 0x91F1, 0x91F3, 0x91F9, 0x9203, 0x9215, 
+	0x9221, 0x922F, 0x9241, 0x9247, 0x9257, 0x926B, 0x9271, 0x9275, 
+	0x927D, 0x9283, 0x9287, 0x928D, 0x9299, 0x92A1, 0x92AB, 0x92AD, 
+	0x92B9, 0x92BF, 0x92C3, 0x92C5, 0x92CB, 0x92D5, 0x92D7, 0x92E7, 
+	0x92F3, 0x9301, 0x930B, 0x9311, 0x9319, 0x931F, 0x933B, 0x933D, 
+	0x9343, 0x9355, 0x9373, 0x9395, 0x9397, 0x93A7, 0x93B3, 0x93B5, 
+	0x93C7, 0x93D7, 0x93DD, 0x93E5, 0x93EF, 0x93F7, 0x9401, 0x9409, 
+	0x9413, 0x943F, 0x9445, 0x944B, 0x944F, 0x9463, 0x9467, 0x9469, 
+	0x946D, 0x947B, 0x9497, 0x949F, 0x94A5, 0x94B5, 0x94C3, 0x94E1, 
+	0x94E7, 0x9505, 0x9509, 0x9517, 0x9521, 0x9527, 0x952D, 0x9535, 
+	0x9539, 0x954B, 0x9557, 0x955D, 0x955F, 0x9575, 0x9581, 0x9589, 
+	0x958F, 0x959B, 0x959F, 0x95AD, 0x95B1, 0x95B7, 0x95B9, 0x95BD, 
+	0x95CF, 0x95E3, 0x95E9, 0x95F9, 0x961F, 0x962F, 0x9631, 0x9635, 
+	0x963B, 0x963D, 0x9665, 0x968F, 0x969D, 0x96A1, 0x96A7, 0x96A9, 
+	0x96C1, 0x96CB, 0x96D1, 0x96D3, 0x96E5, 0x96EF, 0x96FB, 0x96FD, 
+	0x970D, 0x970F, 0x9715, 0x9725, 0x972B, 0x9733, 0x9737, 0x9739, 
+	0x9743, 0x9749, 0x9751, 0x975B, 0x975D, 0x976F, 0x977F, 0x9787, 
+	0x9793, 0x97A5, 0x97B1, 0x97B7, 0x97C3, 0x97CD, 0x97D3, 0x97D9, 
+	0x97EB, 0x97F7, 0x9805, 0x9809, 0x980B, 0x9815, 0x9829, 0x982F, 
+	0x983B, 0x9841, 0x9851, 0x986B, 0x986F, 0x9881, 0x9883, 0x9887, 
+	0x98A7, 0x98B1, 0x98B9, 0x98BF, 0x98C3, 0x98C9, 0x98CF, 0x98DD, 
+	0x98E3, 0x98F5, 0x98F9, 0x98FB, 0x990D, 0x9917, 0x991F, 0x9929, 
+	0x9931, 0x993B, 0x993D, 0x9941, 0x9947, 0x9949, 0x9953, 0x997D, 
+	0x9985, 0x9991, 0x9995, 0x999B, 0x99AD, 0x99AF, 0x99BF, 0x99C7, 
+	0x99CB, 0x99CD, 0x99D7, 0x99E5, 0x99F1, 0x99FB, 0x9A0F, 0x9A13, 
+	0x9A1B, 0x9A25, 0x9A4B, 0x9A4F, 0x9A55, 0x9A57, 0x9A61, 0x9A75, 
+	0x9A7F, 0x9A8B, 0x9A91, 0x9A9D, 0x9AB7, 0x9AC3, 0x9AC7, 0x9ACF, 
+	0x9AEB, 0x9AF3, 0x9AF7, 0x9AFF, 0x9B17, 0x9B1D, 0x9B27, 0x9B2F, 
+	0x9B35, 0x9B45, 0x9B51, 0x9B59, 0x9B63, 0x9B6F, 0x9B77, 0x9B8D, 
+	0x9B93, 0x9B95, 0x9B9F, 0x9BA1, 0x9BA7, 0x9BB1, 0x9BB7, 0x9BBD, 
+	0x9BC5, 0x9BCB, 0x9BCF, 0x9BDD, 0x9BF9, 0x9C01, 0x9C11, 0x9C23, 
+	0x9C2B, 0x9C2F, 0x9C35, 0x9C49, 0x9C4D, 0x9C5F, 0x9C65, 0x9C67, 
+	0x9C7F, 0x9C97, 0x9C9D, 0x9CA3, 0x9CAF, 0x9CBB, 0x9CBF, 0x9CC1, 
+	0x9CD7, 0x9CD9, 0x9CE3, 0x9CE9, 0x9CF1, 0x9CFD, 0x9D01, 0x9D15, 
+	0x9D27, 0x9D2D, 0x9D31, 0x9D3D, 0x9D55, 0x9D5B, 0x9D61, 0x9D97, 
+	0x9D9F, 0x9DA5, 0x9DA9, 0x9DC3, 0x9DE7, 0x9DEB, 0x9DED, 0x9DF1, 
+	0x9E0B, 0x9E17, 0x9E23, 0x9E27, 0x9E2D, 0x9E33, 0x9E3B, 0x9E47, 
+	0x9E51, 0x9E53, 0x9E5F, 0x9E6F, 0x9E81, 0x9E87, 0x9E8F, 0x9E95, 
+	0x9EA1, 0x9EB3, 0x9EBD, 0x9EBF, 0x9EF5, 0x9EF9, 0x9EFB, 0x9F05, 
+	0x9F23, 0x9F2F, 0x9F37, 0x9F3B, 0x9F43, 0x9F53, 0x9F61, 0x9F6D, 
+	0x9F73, 0x9F77, 0x9F7D, 0x9F89, 0x9F8F, 0x9F91, 0x9F95, 0x9FA3, 
+	0x9FAF, 0x9FB3, 0x9FC1, 0x9FC7, 0x9FDF, 0x9FE5, 0x9FEB, 0x9FF5, 
+	0xA001, 0xA00D, 0xA021, 0xA033, 0xA039, 0xA03F, 0xA04F, 0xA057, 
+	0xA05B, 0xA061, 0xA075, 0xA079, 0xA099, 0xA09D, 0xA0AB, 0xA0B5, 
+	0xA0B7, 0xA0BD, 0xA0C9, 0xA0D9, 0xA0DB, 0xA0DF, 0xA0E5, 0xA0F1, 
+	0xA0F3, 0xA0FD, 0xA105, 0xA10B, 0xA10F, 0xA111, 0xA11B, 0xA129, 
+	0xA12F, 0xA135, 0xA141, 0xA153, 0xA175, 0xA17D, 0xA187, 0xA18D, 
+	0xA1A5, 0xA1AB, 0xA1AD, 0xA1B7, 0xA1C3, 0xA1C5, 0xA1E3, 0xA1ED, 
+	0xA1FB, 0xA207, 0xA213, 0xA223, 0xA229, 0xA22F, 0xA231, 0xA243, 
+	0xA247, 0xA24D, 0xA26B, 0xA279, 0xA27D, 0xA283, 0xA289, 0xA28B, 
+	0xA291, 0xA295, 0xA29B, 0xA2A9, 0xA2AF, 0xA2B3, 0xA2BB, 0xA2C5, 
+	0xA2D1, 0xA2D7, 0xA2F7, 0xA301, 0xA309, 0xA31F, 0xA321, 0xA32B, 
+	0xA331, 0xA349, 0xA351, 0xA355, 0xA373, 0xA379, 0xA37B, 0xA387, 
+	0xA397, 0xA39F, 0xA3A5, 0xA3A9, 0xA3AF, 0xA3B7, 0xA3C7, 0xA3D5, 
+	0xA3DB, 0xA3E1, 0xA3E5, 0xA3E7, 0xA3F1, 0xA3FD, 0xA3FF, 0xA40F, 
+	0xA41D, 0xA421, 0xA423, 0xA427, 0xA43B, 0xA44D, 0xA457, 0xA459, 
+	0xA463, 0xA469, 0xA475, 0xA493, 0xA49B, 0xA4AD, 0xA4B9, 0xA4C3, 
+	0xA4C5, 0xA4CB, 0xA4D1, 0xA4D5, 0xA4E1, 0xA4ED, 0xA4EF, 0xA4F3, 
+	0xA4FF, 0xA511, 0xA529, 0xA52B, 0xA535, 0xA53B, 0xA543, 0xA553, 
+	0xA55B, 0xA561, 0xA56D, 0xA577, 0xA585, 0xA58B, 0xA597, 0xA59D, 
+	0xA5A3, 0xA5A7, 0xA5A9, 0xA5C1, 0xA5C5, 0xA5CB, 0xA5D3, 0xA5D9, 
+	0xA5DD, 0xA5DF, 0xA5E3, 0xA5E9, 0xA5F7, 0xA5FB, 0xA603, 0xA60D, 
+	0xA625, 0xA63D, 0xA649, 0xA64B, 0xA651, 0xA65D, 0xA673, 0xA691, 
+	0xA693, 0xA699, 0xA6AB, 0xA6B5, 0xA6BB, 0xA6C1, 0xA6C9, 0xA6CD, 
+	0xA6CF, 0xA6D5, 0xA6DF, 0xA6E7, 0xA6F1, 0xA6F7, 0xA6FF, 0xA70F, 
+	0xA715, 0xA723, 0xA729, 0xA72D, 0xA745, 0xA74D, 0xA757, 0xA759, 
+	0xA765, 0xA76B, 0xA76F, 0xA793, 0xA795, 0xA7AB, 0xA7B1, 0xA7B9, 
+	0xA7BF, 0xA7C9, 0xA7D1, 0xA7D7, 0xA7E3, 0xA7ED, 0xA7FB, 0xA805, 
+	0xA80B, 0xA81D, 0xA829, 0xA82B, 0xA837, 0xA83B, 0xA855, 0xA85F, 
+	0xA86D, 0xA87D, 0xA88F, 0xA897, 0xA8A9, 0xA8B5, 0xA8C1, 0xA8C7, 
+	0xA8D7, 0xA8E5, 0xA8FD, 0xA907, 0xA913, 0xA91B, 0xA931, 0xA937, 
+	0xA939, 0xA943, 0xA97F, 0xA985, 0xA987, 0xA98B, 0xA993, 0xA9A3, 
+	0xA9B1, 0xA9BB, 0xA9C1, 0xA9D9, 0xA9DF, 0xA9EB, 0xA9FD, 0xAA15, 
+	0xAA17, 0xAA35, 0xAA39, 0xAA3B, 0xAA47, 0xAA4D, 0xAA57, 0xAA59, 
+	0xAA5D, 0xAA6B, 0xAA71, 0xAA81, 0xAA83, 0xAA8D, 0xAA95, 0xAAAB, 
+	0xAABF, 0xAAC5, 0xAAC9, 0xAAE9, 0xAAEF, 0xAB01, 0xAB05, 0xAB07, 
+	0xAB0B, 0xAB0D, 0xAB11, 0xAB19, 0xAB4D, 0xAB5B, 0xAB71, 0xAB73, 
+	0xAB89, 0xAB9D, 0xABA7, 0xABAF, 0xABB9, 0xABBB, 0xABC1, 0xABC5, 
+	0xABD3, 0xABD7, 0xABDD, 0xABF1, 0xABF5, 0xABFB, 0xABFD, 0xAC09, 
+	0xAC15, 0xAC1B, 0xAC27, 0xAC37, 0xAC39, 0xAC45, 0xAC4F, 0xAC57, 
+	0xAC5B, 0xAC61, 0xAC63, 0xAC7F, 0xAC8B, 0xAC93, 0xAC9D, 0xACA9, 
+	0xACAB, 0xACAF, 0xACBD, 0xACD9, 0xACE1, 0xACE7, 0xACEB, 0xACED, 
+	0xACF1, 0xACF7, 0xACF9, 0xAD05, 0xAD3F, 0xAD45, 0xAD53, 0xAD5D, 
+	0xAD5F, 0xAD65, 0xAD81, 0xADA1, 0xADA5, 0xADC3, 0xADCB, 0xADD1, 
+	0xADD5, 0xADDB, 0xADE7, 0xADF3, 0xADF5, 0xADF9, 0xADFF, 0xAE05, 
+	0xAE13, 0xAE23, 0xAE2B, 0xAE49, 0xAE4D, 0xAE4F, 0xAE59, 0xAE61, 
+	0xAE67, 0xAE6B, 0xAE71, 0xAE8B, 0xAE8F, 0xAE9B, 0xAE9D, 0xAEA7, 
+	0xAEB9, 0xAEC5, 0xAED1, 0xAEE3, 0xAEE5, 0xAEE9, 0xAEF5, 0xAEFD, 
+	0xAF09, 0xAF13, 0xAF27, 0xAF2B, 0xAF33, 0xAF43, 0xAF4F, 0xAF57, 
+	0xAF5D, 0xAF6D, 0xAF75, 0xAF7F, 0xAF8B, 0xAF99, 0xAF9F, 0xAFA3, 
+	0xAFAB, 0xAFB7, 0xAFBB, 0xAFCF, 0xAFD5, 0xAFFD, 0xB005, 0xB015, 
+	0xB01B, 0xB03F, 0xB041, 0xB047, 0xB04B, 0xB051, 0xB053, 0xB069, 
+	0xB07B, 0xB07D, 0xB087, 0xB08D, 0xB0B1, 0xB0BF, 0xB0CB, 0xB0CF, 
+	0xB0E1, 0xB0E9, 0xB0ED, 0xB0FB, 0xB105, 0xB107, 0xB111, 0xB119, 
+	0xB11D, 0xB11F, 0xB131, 0xB141, 0xB14D, 0xB15B, 0xB165, 0xB173, 
+	0xB179, 0xB17F, 0xB1A9, 0xB1B3, 0xB1B9, 0xB1BF, 0xB1D3, 0xB1DD, 
+	0xB1E5, 0xB1F1, 0xB1F5, 0xB201, 0xB213, 0xB215, 0xB21F, 0xB22D, 
+	0xB23F, 0xB249, 0xB25B, 0xB263, 0xB269, 0xB26D, 0xB27B, 0xB281, 
+	0xB28B, 0xB2A9, 0xB2B7, 0xB2BD, 0xB2C3, 0xB2C7, 0xB2D3, 0xB2F9, 
+	0xB2FD, 0xB2FF, 0xB303, 0xB309, 0xB311, 0xB31D, 0xB327, 0xB32D, 
+	0xB33F, 0xB345, 0xB377, 0xB37D, 0xB381, 0xB387, 0xB393, 0xB39B, 
+	0xB3A5, 0xB3C5, 0xB3CB, 0xB3E1, 0xB3E3, 0xB3ED, 0xB3F9, 0xB40B, 
+	0xB40D, 0xB413, 0xB417, 0xB435, 0xB43D, 0xB443, 0xB449, 0xB45B, 
+	0xB465, 0xB467, 0xB46B, 0xB477, 0xB48B, 0xB495, 0xB49D, 0xB4B5, 
+	0xB4BF, 0xB4C1, 0xB4C7, 0xB4DD, 0xB4E3, 0xB4E5, 0xB4F7, 0xB501, 
+	0xB50D, 0xB50F, 0xB52D, 0xB53F, 0xB54B, 0xB567, 0xB569, 0xB56F, 
+	0xB573, 0xB579, 0xB587, 0xB58D, 0xB599, 0xB5A3, 0xB5AB, 0xB5AF, 
+	0xB5BB, 0xB5D5, 0xB5DF, 0xB5E7, 0xB5ED, 0xB5FD, 0xB5FF, 0xB609, 
+	0xB61B, 0xB629, 0xB62F, 0xB633, 0xB639, 0xB647, 0xB657, 0xB659, 
+	0xB65F, 0xB663, 0xB66F, 0xB683, 0xB687, 0xB69B, 0xB69F, 0xB6A5, 
+	0xB6B1, 0xB6B3, 0xB6D7, 0xB6DB, 0xB6E1, 0xB6E3, 0xB6ED, 0xB6EF, 
+	0xB705, 0xB70D, 0xB713, 0xB71D, 0xB729, 0xB735, 0xB747, 0xB755, 
+	0xB76D, 0xB791, 0xB795, 0xB7A9, 0xB7C1, 0xB7CB, 0xB7D1, 0xB7D3, 
+	0xB7EF, 0xB7F5, 0xB807, 0xB80F, 0xB813, 0xB819, 0xB821, 0xB827, 
+	0xB82B, 0xB82D, 0xB839, 0xB855, 0xB867, 0xB875, 0xB885, 0xB893, 
+	0xB8A5, 0xB8AF, 0xB8B7, 0xB8BD, 0xB8C1, 0xB8C7, 0xB8CD, 0xB8D5, 
+	0xB8EB, 0xB8F7, 0xB8F9, 0xB903, 0xB915, 0xB91B, 0xB91D, 0xB92F, 
+	0xB939, 0xB93B, 0xB947, 0xB951, 0xB963, 0xB983, 0xB989, 0xB98D, 
+	0xB993, 0xB999, 0xB9A1, 0xB9A7, 0xB9AD, 0xB9B7, 0xB9CB, 0xB9D1, 
+	0xB9DD, 0xB9E7, 0xB9EF, 0xB9F9, 0xBA07, 0xBA0D, 0xBA17, 0xBA25, 
+	0xBA29, 0xBA2B, 0xBA41, 0xBA53, 0xBA55, 0xBA5F, 0xBA61, 0xBA65, 
+	0xBA79, 0xBA7D, 0xBA7F, 0xBAA1, 0xBAA3, 0xBAAF, 0xBAB5, 0xBABF, 
+	0xBAC1, 0xBACB, 0xBADD, 0xBAE3, 0xBAF1, 0xBAFD, 0xBB09, 0xBB1F, 
+	0xBB27, 0xBB2D, 0xBB3D, 0xBB43, 0xBB4B, 0xBB4F, 0xBB5B, 0xBB61, 
+	0xBB69, 0xBB6D, 0xBB91, 0xBB97, 0xBB9D, 0xBBB1, 0xBBC9, 0xBBCF, 
+	0xBBDB, 0xBBED, 0xBBF7, 0xBBF9, 0xBC03, 0xBC1D, 0xBC23, 0xBC33, 
+	0xBC3B, 0xBC41, 0xBC45, 0xBC5D, 0xBC6F, 0xBC77, 0xBC83, 0xBC8F, 
+	0xBC99, 0xBCAB, 0xBCB7, 0xBCB9, 0xBCD1, 0xBCD5, 0xBCE1, 0xBCF3, 
+	0xBCFF, 0xBD0D, 0xBD17, 0xBD19, 0xBD1D, 0xBD35, 0xBD41, 0xBD4F, 
+	0xBD59, 0xBD5F, 0xBD61, 0xBD67, 0xBD6B, 0xBD71, 0xBD8B, 0xBD8F, 
+	0xBD95, 0xBD9B, 0xBD9D, 0xBDB3, 0xBDBB, 0xBDCD, 0xBDD1, 0xBDE3, 
+	0xBDEB, 0xBDEF, 0xBE07, 0xBE09, 0xBE15, 0xBE21, 0xBE25, 0xBE27, 
+	0xBE5B, 0xBE5D, 0xBE6F, 0xBE75, 0xBE79, 0xBE7F, 0xBE8B, 0xBE8D, 
+	0xBE93, 0xBE9F, 0xBEA9, 0xBEB1, 0xBEB5, 0xBEB7, 0xBECF, 0xBED9, 
+	0xBEDB, 0xBEE5, 0xBEE7, 0xBEF3, 0xBEF9, 0xBF0B, 0xBF33, 0xBF39, 
+	0xBF4D, 0xBF5D, 0xBF5F, 0xBF6B, 0xBF71, 0xBF7B, 0xBF87, 0xBF89, 
+	0xBF8D, 0xBF93, 0xBFA1, 0xBFAD, 0xBFB9, 0xBFCF, 0xBFD5, 0xBFDD, 
+	0xBFE1, 0xBFE3, 0xBFF3, 0xC005, 0xC011, 0xC013, 0xC019, 0xC029, 
+	0xC02F, 0xC031, 0xC037, 0xC03B, 0xC047, 0xC065, 0xC06D, 0xC07D, 
+	0xC07F, 0xC091, 0xC09B, 0xC0B3, 0xC0B5, 0xC0BB, 0xC0D3, 0xC0D7, 
+	0xC0D9, 0xC0EF, 0xC0F1, 0xC101, 0xC103, 0xC109, 0xC115, 0xC119, 
+	0xC12B, 0xC133, 0xC137, 0xC145, 0xC149, 0xC15B, 0xC173, 0xC179, 
+	0xC17B, 0xC181, 0xC18B, 0xC18D, 0xC197, 0xC1BD, 0xC1C3, 0xC1CD, 
+	0xC1DB, 0xC1E1, 0xC1E7, 0xC1FF, 0xC203, 0xC205, 0xC211, 0xC221, 
+	0xC22F, 0xC23F, 0xC24B, 0xC24D, 0xC253, 0xC25D, 0xC277, 0xC27B, 
+	0xC27D, 0xC289, 0xC28F, 0xC293, 0xC29F, 0xC2A7, 0xC2B3, 0xC2BD, 
+	0xC2CF, 0xC2D5, 0xC2E3, 0xC2FF, 0xC301, 0xC307, 0xC311, 0xC313, 
+	0xC317, 0xC325, 0xC347, 0xC349, 0xC34F, 0xC365, 0xC367, 0xC371, 
+	0xC37F, 0xC383, 0xC385, 0xC395, 0xC39D, 0xC3A7, 0xC3AD, 0xC3B5, 
+	0xC3BF, 0xC3C7, 0xC3CB, 0xC3D1, 0xC3D3, 0xC3E3, 0xC3E9, 0xC3EF, 
+	0xC401, 0xC41F, 0xC42D, 0xC433, 0xC437, 0xC455, 0xC457, 0xC461, 
+	0xC46F, 0xC473, 0xC487, 0xC491, 0xC499, 0xC49D, 0xC4A5, 0xC4B7, 
+	0xC4BB, 0xC4C9, 0xC4CF, 0xC4D3, 0xC4EB, 0xC4F1, 0xC4F7, 0xC509, 
+	0xC51B, 0xC51D, 0xC541, 0xC547, 0xC551, 0xC55F, 0xC56B, 0xC56F, 
+	0xC575, 0xC577, 0xC595, 0xC59B, 0xC59F, 0xC5A1, 0xC5A7, 0xC5C3, 
+	0xC5D7, 0xC5DB, 0xC5EF, 0xC5FB, 0xC613, 0xC623, 0xC635, 0xC641, 
+	0xC64F, 0xC655, 0xC659, 0xC665, 0xC685, 0xC691, 0xC697, 0xC6A1, 
+	0xC6A9, 0xC6B3, 0xC6B9, 0xC6CB, 0xC6CD, 0xC6DD, 0xC6EB, 0xC6F1, 
+	0xC707, 0xC70D, 0xC719, 0xC71B, 0xC72D, 0xC731, 0xC739, 0xC757, 
+	0xC763, 0xC767, 0xC773, 0xC775, 0xC77F, 0xC7A5, 0xC7BB, 0xC7BD, 
+	0xC7C1, 0xC7CF, 0xC7D5, 0xC7E1, 0xC7F9, 0xC7FD, 0xC7FF, 0xC803, 
+	0xC811, 0xC81D, 0xC827, 0xC829, 0xC839, 0xC83F, 0xC853, 0xC857, 
+	0xC86B, 0xC881, 0xC88D, 0xC88F, 0xC893, 0xC895, 0xC8A1, 0xC8B7, 
+	0xC8CF, 0xC8D5, 0xC8DB, 0xC8DD, 0xC8E3, 0xC8E7, 0xC8ED, 0xC8EF, 
+	0xC8F9, 0xC905, 0xC911, 0xC917, 0xC919, 0xC91F, 0xC92F, 0xC937, 
+	0xC93D, 0xC941, 0xC953, 0xC95F, 0xC96B, 0xC979, 0xC97D, 0xC989, 
+	0xC98F, 0xC997, 0xC99D, 0xC9AF, 0xC9B5, 0xC9BF, 0xC9CB, 0xC9D9, 
+	0xC9DF, 0xC9E3, 0xC9EB, 0xCA01, 0xCA07, 0xCA09, 0xCA25, 0xCA37, 
+	0xCA39, 0xCA4B, 0xCA55, 0xCA5B, 0xCA69, 0xCA73, 0xCA75, 0xCA7F, 
+	0xCA8D, 0xCA93, 0xCA9D, 0xCA9F, 0xCAB5, 0xCABB, 0xCAC3, 0xCAC9, 
+	0xCAD9, 0xCAE5, 0xCAED, 0xCB03, 0xCB05, 0xCB09, 0xCB17, 0xCB29, 
+	0xCB35, 0xCB3B, 0xCB53, 0xCB59, 0xCB63, 0xCB65, 0xCB71, 0xCB87, 
+	0xCB99, 0xCB9F, 0xCBB3, 0xCBB9, 0xCBC3, 0xCBD1, 0xCBD5, 0xCBD7, 
+	0xCBDD, 0xCBE9, 0xCBFF, 0xCC0D, 0xCC19, 0xCC1D, 0xCC23, 0xCC2B, 
+	0xCC41, 0xCC43, 0xCC4D, 0xCC59, 0xCC61, 0xCC89, 0xCC8B, 0xCC91, 
+	0xCC9B, 0xCCA3, 0xCCA7, 0xCCD1, 0xCCE5, 0xCCE9, 0xCD09, 0xCD15, 
+	0xCD1F, 0xCD25, 0xCD31, 0xCD3D, 0xCD3F, 0xCD49, 0xCD51, 0xCD57, 
+	0xCD5B, 0xCD63, 0xCD67, 0xCD81, 0xCD93, 0xCD97, 0xCD9F, 0xCDBB, 
+	0xCDC1, 0xCDD3, 0xCDD9, 0xCDE5, 0xCDE7, 0xCDF1, 0xCDF7, 0xCDFD, 
+	0xCE0B, 0xCE15, 0xCE21, 0xCE2F, 0xCE47, 0xCE4D, 0xCE51, 0xCE65, 
+	0xCE7B, 0xCE7D, 0xCE8F, 0xCE93, 0xCE99, 0xCEA5, 0xCEA7, 0xCEB7, 
+	0xCEC9, 0xCED7, 0xCEDD, 0xCEE3, 0xCEE7, 0xCEED, 0xCEF5, 0xCF07, 
+	0xCF0B, 0xCF19, 0xCF37, 0xCF3B, 0xCF4D, 0xCF55, 0xCF5F, 0xCF61, 
+	0xCF65, 0xCF6D, 0xCF79, 0xCF7D, 0xCF89, 0xCF9B, 0xCF9D, 0xCFA9, 
+	0xCFB3, 0xCFB5, 0xCFC5, 0xCFCD, 0xCFD1, 0xCFEF, 0xCFF1, 0xCFF7, 
+	0xD013, 0xD015, 0xD01F, 0xD021, 0xD033, 0xD03D, 0xD04B, 0xD04F, 
+	0xD069, 0xD06F, 0xD081, 0xD085, 0xD099, 0xD09F, 0xD0A3, 0xD0AB, 
+	0xD0BD, 0xD0C1, 0xD0CD, 0xD0E7, 0xD0FF, 0xD103, 0xD117, 0xD12D, 
+	0xD12F, 0xD141, 0xD157, 0xD159, 0xD15D, 0xD169, 0xD16B, 0xD171, 
+	0xD177, 0xD17D, 0xD181, 0xD187, 0xD195, 0xD199, 0xD1B1, 0xD1BD, 
+	0xD1C3, 0xD1D5, 0xD1D7, 0xD1E3, 0xD1FF, 0xD20D, 0xD211, 0xD217, 
+	0xD21F, 0xD235, 0xD23B, 0xD247, 0xD259, 0xD261, 0xD265, 0xD279, 
+	0xD27F, 0xD283, 0xD289, 0xD28B, 0xD29D, 0xD2A3, 0xD2A7, 0xD2B3, 
+	0xD2BF, 0xD2C7, 0xD2E3, 0xD2E9, 0xD2F1, 0xD2FB, 0xD2FD, 0xD315, 
+	0xD321, 0xD32B, 0xD343, 0xD34B, 0xD355, 0xD369, 0xD375, 0xD37B, 
+	0xD387, 0xD393, 0xD397, 0xD3A5, 0xD3B1, 0xD3C9, 0xD3EB, 0xD3FD, 
+	0xD405, 0xD40F, 0xD415, 0xD427, 0xD42F, 0xD433, 0xD43B, 0xD44B, 
+	0xD459, 0xD45F, 0xD463, 0xD469, 0xD481, 0xD483, 0xD489, 0xD48D, 
+	0xD493, 0xD495, 0xD4A5, 0xD4AB, 0xD4B1, 0xD4C5, 0xD4DD, 0xD4E1, 
+	0xD4E3, 0xD4E7, 0xD4F5, 0xD4F9, 0xD50B, 0xD50D, 0xD513, 0xD51F, 
+	0xD523, 0xD531, 0xD535, 0xD537, 0xD549, 0xD559, 0xD55F, 0xD565, 
+	0xD567, 0xD577, 0xD58B, 0xD591, 0xD597, 0xD5B5, 0xD5B9, 0xD5C1, 
+	0xD5C7, 0xD5DF, 0xD5EF, 0xD5F5, 0xD5FB, 0xD603, 0xD60F, 0xD62D, 
+	0xD631, 0xD643, 0xD655, 0xD65D, 0xD661, 0xD67B, 0xD685, 0xD687, 
+	0xD69D, 0xD6A5, 0xD6AF, 0xD6BD, 0xD6C3, 0xD6C7, 0xD6D9, 0xD6E1, 
+	0xD6ED, 0xD709, 0xD70B, 0xD711, 0xD715, 0xD721, 0xD727, 0xD73F, 
+	0xD745, 0xD74D, 0xD757, 0xD76B, 0xD77B, 0xD783, 0xD7A1, 0xD7A7, 
+	0xD7AD, 0xD7B1, 0xD7B3, 0xD7BD, 0xD7CB, 0xD7D1, 0xD7DB, 0xD7FB, 
+	0xD811, 0xD823, 0xD825, 0xD829, 0xD82B, 0xD82F, 0xD837, 0xD84D, 
+	0xD855, 0xD867, 0xD873, 0xD88F, 0xD891, 0xD8A1, 0xD8AD, 0xD8BF, 
+	0xD8CD, 0xD8D7, 0xD8E9, 0xD8F5, 0xD8FB, 0xD91B, 0xD925, 0xD933, 
+	0xD939, 0xD943, 0xD945, 0xD94F, 0xD951, 0xD957, 0xD96D, 0xD96F, 
+	0xD973, 0xD979, 0xD981, 0xD98B, 0xD991, 0xD99F, 0xD9A5, 0xD9A9, 
+	0xD9B5, 0xD9D3, 0xD9EB, 0xD9F1, 0xD9F7, 0xD9FF, 0xDA05, 0xDA09, 
+	0xDA0B, 0xDA0F, 0xDA15, 0xDA1D, 0xDA23, 0xDA29, 0xDA3F, 0xDA51, 
+	0xDA59, 0xDA5D, 0xDA5F, 0xDA71, 0xDA77, 0xDA7B, 0xDA7D, 0xDA8D, 
+	0xDA9F, 0xDAB3, 0xDABD, 0xDAC3, 0xDAC9, 0xDAE7, 0xDAE9, 0xDAF5, 
+	0xDB11, 0xDB17, 0xDB1D, 0xDB23, 0xDB25, 0xDB31, 0xDB3B, 0xDB43, 
+	0xDB55, 0xDB67, 0xDB6B, 0xDB73, 0xDB85, 0xDB8F, 0xDB91, 0xDBAD, 
+	0xDBAF, 0xDBB9, 0xDBC7, 0xDBCB, 0xDBCD, 0xDBEB, 0xDBF7, 0xDC0D, 
+	0xDC27, 0xDC31, 0xDC39, 0xDC3F, 0xDC49, 0xDC51, 0xDC61, 0xDC6F, 
+	0xDC75, 0xDC7B, 0xDC85, 0xDC93, 0xDC99, 0xDC9D, 0xDC9F, 0xDCA9, 
+	0xDCB5, 0xDCB7, 0xDCBD, 0xDCC7, 0xDCCF, 0xDCD3, 0xDCD5, 0xDCDF, 
+	0xDCF9, 0xDD0F, 0xDD15, 0xDD17, 0xDD23, 0xDD35, 0xDD39, 0xDD53, 
+	0xDD57, 0xDD5F, 0xDD69, 0xDD6F, 0xDD7D, 0xDD87, 0xDD89, 0xDD9B, 
+	0xDDA1, 0xDDAB, 0xDDBF, 0xDDC5, 0xDDCB, 0xDDCF, 0xDDE7, 0xDDE9, 
+	0xDDED, 0xDDF5, 0xDDFB, 0xDE0B, 0xDE19, 0xDE29, 0xDE3B, 0xDE3D, 
+	0xDE41, 0xDE4D, 0xDE4F, 0xDE59, 0xDE5B, 0xDE61, 0xDE6D, 0xDE77, 
+	0xDE7D, 0xDE83, 0xDE97, 0xDE9D, 0xDEA1, 0xDEA7, 0xDECD, 0xDED1, 
+	0xDED7, 0xDEE3, 0xDEF1, 0xDEF5, 0xDF01, 0xDF09, 0xDF13, 0xDF1F, 
+	0xDF2B, 0xDF33, 0xDF37, 0xDF3D, 0xDF4B, 0xDF55, 0xDF5B, 0xDF67, 
+	0xDF69, 0xDF73, 0xDF85, 0xDF87, 0xDF99, 0xDFA3, 0xDFAB, 0xDFB5, 
+	0xDFB7, 0xDFC3, 0xDFC7, 0xDFD5, 0xDFF1, 0xDFF3, 0xE003, 0xE005, 
+	0xE017, 0xE01D, 0xE027, 0xE02D, 0xE035, 0xE045, 0xE053, 0xE071, 
+	0xE07B, 0xE08F, 0xE095, 0xE09F, 0xE0B7, 0xE0B9, 0xE0D5, 0xE0D7, 
+	0xE0E3, 0xE0F3, 0xE0F9, 0xE101, 0xE125, 0xE129, 0xE131, 0xE135, 
+	0xE143, 0xE14F, 0xE159, 0xE161, 0xE16D, 0xE171, 0xE177, 0xE17F, 
+	0xE183, 0xE189, 0xE197, 0xE1AD, 0xE1B5, 0xE1BB, 0xE1BF, 0xE1C1, 
+	0xE1CB, 0xE1D1, 0xE1E5, 0xE1EF, 0xE1F7, 0xE1FD, 0xE203, 0xE219, 
+	0xE22B, 0xE22D, 0xE23D, 0xE243, 0xE257, 0xE25B, 0xE275, 0xE279, 
+	0xE287, 0xE29D, 0xE2AB, 0xE2AF, 0xE2BB, 0xE2C1, 0xE2C9, 0xE2CD, 
+	0xE2D3, 0xE2D9, 0xE2F3, 0xE2FD, 0xE2FF, 0xE311, 0xE323, 0xE327, 
+	0xE329, 0xE339, 0xE33B, 0xE34D, 0xE351, 0xE357, 0xE35F, 0xE363, 
+	0xE369, 0xE375, 0xE377, 0xE37D, 0xE383, 0xE39F, 0xE3C5, 0xE3C9, 
+	0xE3D1, 0xE3E1, 0xE3FB, 0xE3FF, 0xE401, 0xE40B, 0xE417, 0xE419, 
+	0xE423, 0xE42B, 0xE431, 0xE43B, 0xE447, 0xE449, 0xE453, 0xE455, 
+	0xE46D, 0xE471, 0xE48F, 0xE4A9, 0xE4AF, 0xE4B5, 0xE4C7, 0xE4CD, 
+	0xE4D3, 0xE4E9, 0xE4EB, 0xE4F5, 0xE507, 0xE521, 0xE525, 0xE537, 
+	0xE53F, 0xE545, 0xE54B, 0xE557, 0xE567, 0xE56D, 0xE575, 0xE585, 
+	0xE58B, 0xE593, 0xE5A3, 0xE5A5, 0xE5CF, 0xE609, 0xE611, 0xE615, 
+	0xE61B, 0xE61D, 0xE621, 0xE629, 0xE639, 0xE63F, 0xE653, 0xE657, 
+	0xE663, 0xE66F, 0xE675, 0xE681, 0xE683, 0xE68D, 0xE68F, 0xE695, 
+	0xE6AB, 0xE6AD, 0xE6B7, 0xE6BD, 0xE6C5, 0xE6CB, 0xE6D5, 0xE6E3, 
+	0xE6E9, 0xE6EF, 0xE6F3, 0xE705, 0xE70D, 0xE717, 0xE71F, 0xE72F, 
+	0xE73D, 0xE747, 0xE749, 0xE753, 0xE755, 0xE761, 0xE767, 0xE76B, 
+	0xE77F, 0xE789, 0xE791, 0xE7C5, 0xE7CD, 0xE7D7, 0xE7DD, 0xE7DF, 
+	0xE7E9, 0xE7F1, 0xE7FB, 0xE801, 0xE807, 0xE80F, 0xE819, 0xE81B, 
+	0xE831, 0xE833, 0xE837, 0xE83D, 0xE84B, 0xE84F, 0xE851, 0xE869, 
+	0xE875, 0xE879, 0xE893, 0xE8A5, 0xE8A9, 0xE8AF, 0xE8BD, 0xE8DB, 
+	0xE8E1, 0xE8E5, 0xE8EB, 0xE8ED, 0xE903, 0xE90B, 0xE90F, 0xE915, 
+	0xE917, 0xE92D, 0xE933, 0xE93B, 0xE94B, 0xE951, 0xE95F, 0xE963, 
+	0xE969, 0xE97B, 0xE983, 0xE98F, 0xE995, 0xE9A1, 0xE9B9, 0xE9D7, 
+	0xE9E7, 0xE9EF, 0xEA11, 0xEA19, 0xEA2F, 0xEA35, 0xEA43, 0xEA4D, 
+	0xEA5F, 0xEA6D, 0xEA71, 0xEA7D, 0xEA85, 0xEA89, 0xEAAD, 0xEAB3, 
+	0xEAB9, 0xEABB, 0xEAC5, 0xEAC7, 0xEACB, 0xEADF, 0xEAE5, 0xEAEB, 
+	0xEAF5, 0xEB01, 0xEB07, 0xEB09, 0xEB31, 0xEB39, 0xEB3F, 0xEB5B, 
+	0xEB61, 0xEB63, 0xEB6F, 0xEB81, 0xEB85, 0xEB9D, 0xEBAB, 0xEBB1, 
+	0xEBB7, 0xEBC1, 0xEBD5, 0xEBDF, 0xEBED, 0xEBFD, 0xEC0B, 0xEC1B, 
+	0xEC21, 0xEC29, 0xEC4D, 0xEC51, 0xEC5D, 0xEC69, 0xEC6F, 0xEC7B, 
+	0xECAD, 0xECB9, 0xECBF, 0xECC3, 0xECC9, 0xECCF, 0xECD7, 0xECDD, 
+	0xECE7, 0xECE9, 0xECF3, 0xECF5, 0xED07, 0xED11, 0xED1F, 0xED2F, 
+	0xED37, 0xED3D, 0xED41, 0xED55, 0xED59, 0xED5B, 0xED65, 0xED6B, 
+	0xED79, 0xED8B, 0xED95, 0xEDBB, 0xEDC5, 0xEDD7, 0xEDD9, 0xEDE3, 
+	0xEDE5, 0xEDF1, 0xEDF5, 0xEDF7, 0xEDFB, 0xEE09, 0xEE0F, 0xEE19, 
+	0xEE21, 0xEE49, 0xEE4F, 0xEE63, 0xEE67, 0xEE73, 0xEE7B, 0xEE81, 
+	0xEEA3, 0xEEAB, 0xEEC1, 0xEEC9, 0xEED5, 0xEEDF, 0xEEE1, 0xEEF1, 
+	0xEF1B, 0xEF27, 0xEF2F, 0xEF45, 0xEF4D, 0xEF63, 0xEF6B, 0xEF71, 
+	0xEF93, 0xEF95, 0xEF9B, 0xEF9F, 0xEFAD, 0xEFB3, 0xEFC3, 0xEFC5, 
+	0xEFDB, 0xEFE1, 0xEFE9, 0xF001, 0xF017, 0xF01D, 0xF01F, 0xF02B, 
+	0xF02F, 0xF035, 0xF043, 0xF047, 0xF04F, 0xF067, 0xF06B, 0xF071, 
+	0xF077, 0xF079, 0xF08F, 0xF0A3, 0xF0A9, 0xF0AD, 0xF0BB, 0xF0BF, 
+	0xF0C5, 0xF0CB, 0xF0D3, 0xF0D9, 0xF0E3, 0xF0E9, 0xF0F1, 0xF0F7, 
+	0xF107, 0xF115, 0xF11B, 0xF121, 0xF137, 0xF13D, 0xF155, 0xF175, 
+	0xF17B, 0xF18D, 0xF193, 0xF1A5, 0xF1AF, 0xF1B7, 0xF1D5, 0xF1E7, 
+	0xF1ED, 0xF1FD, 0xF209, 0xF20F, 0xF21B, 0xF21D, 0xF223, 0xF227, 
+	0xF233, 0xF23B, 0xF241, 0xF257, 0xF25F, 0xF265, 0xF269, 0xF277, 
+	0xF281, 0xF293, 0xF2A7, 0xF2B1, 0xF2B3, 0xF2B9, 0xF2BD, 0xF2BF, 
+	0xF2DB, 0xF2ED, 0xF2EF, 0xF2F9, 0xF2FF, 0xF305, 0xF30B, 0xF319, 
+	0xF341, 0xF359, 0xF35B, 0xF35F, 0xF367, 0xF373, 0xF377, 0xF38B, 
+	0xF38F, 0xF3AF, 0xF3C1, 0xF3D1, 0xF3D7, 0xF3FB, 0xF403, 0xF409, 
+	0xF40D, 0xF413, 0xF421, 0xF425, 0xF42B, 0xF445, 0xF44B, 0xF455, 
+	0xF463, 0xF475, 0xF47F, 0xF485, 0xF48B, 0xF499, 0xF4A3, 0xF4A9, 
+	0xF4AF, 0xF4BD, 0xF4C3, 0xF4DB, 0xF4DF, 0xF4ED, 0xF503, 0xF50B, 
+	0xF517, 0xF521, 0xF529, 0xF535, 0xF547, 0xF551, 0xF563, 0xF56B, 
+	0xF583, 0xF58D, 0xF595, 0xF599, 0xF5B1, 0xF5B7, 0xF5C9, 0xF5CF, 
+	0xF5D1, 0xF5DB, 0xF5F9, 0xF5FB, 0xF605, 0xF607, 0xF60B, 0xF60D, 
+	0xF635, 0xF637, 0xF653, 0xF65B, 0xF661, 0xF667, 0xF679, 0xF67F, 
+	0xF689, 0xF697, 0xF69B, 0xF6AD, 0xF6CB, 0xF6DD, 0xF6DF, 0xF6EB, 
+	0xF709, 0xF70F, 0xF72D, 0xF731, 0xF743, 0xF74F, 0xF751, 0xF755, 
+	0xF763, 0xF769, 0xF773, 0xF779, 0xF781, 0xF787, 0xF791, 0xF79D, 
+	0xF79F, 0xF7A5, 0xF7B1, 0xF7BB, 0xF7BD, 0xF7CF, 0xF7D3, 0xF7E7, 
+	0xF7EB, 0xF7F1, 0xF7FF, 0xF805, 0xF80B, 0xF821, 0xF827, 0xF82D, 
+	0xF835, 0xF847, 0xF859, 0xF863, 0xF865, 0xF86F, 0xF871, 0xF877, 
+	0xF87B, 0xF881, 0xF88D, 0xF89F, 0xF8A1, 0xF8AB, 0xF8B3, 0xF8B7, 
+	0xF8C9, 0xF8CB, 0xF8D1, 0xF8D7, 0xF8DD, 0xF8E7, 0xF8EF, 0xF8F9, 
+	0xF8FF, 0xF911, 0xF91D, 0xF925, 0xF931, 0xF937, 0xF93B, 0xF941, 
+	0xF94F, 0xF95F, 0xF961, 0xF96D, 0xF971, 0xF977, 0xF99D, 0xF9A3, 
+	0xF9A9, 0xF9B9, 0xF9CD, 0xF9E9, 0xF9FD, 0xFA07, 0xFA0D, 0xFA13, 
+	0xFA21, 0xFA25, 0xFA3F, 0xFA43, 0xFA51, 0xFA5B, 0xFA6D, 0xFA7B, 
+	0xFA97, 0xFA99, 0xFA9D, 0xFAAB, 0xFABB, 0xFABD, 0xFAD9, 0xFADF, 
+	0xFAE7, 0xFAED, 0xFB0F, 0xFB17, 0xFB1B, 0xFB2D, 0xFB2F, 0xFB3F, 
+	0xFB47, 0xFB4D, 0xFB75, 0xFB7D, 0xFB8F, 0xFB93, 0xFBB1, 0xFBB7, 
+	0xFBC3, 0xFBC5, 0xFBE3, 0xFBE9, 0xFBF3, 0xFC01, 0xFC29, 0xFC37, 
+	0xFC41, 0xFC43, 0xFC4F, 0xFC59, 0xFC61, 0xFC65, 0xFC6D, 0xFC73, 
+	0xFC79, 0xFC95, 0xFC97, 0xFC9B, 0xFCA7, 0xFCB5, 0xFCC5, 0xFCCD, 
+	0xFCEB, 0xFCFB, 0xFD0D, 0xFD0F, 0xFD19, 0xFD2B, 0xFD31, 0xFD51, 
+	0xFD55, 0xFD67, 0xFD6D, 0xFD6F, 0xFD7B, 0xFD85, 0xFD97, 0xFD99, 
+	0xFD9F, 0xFDA9, 0xFDB7, 0xFDC9, 0xFDE5, 0xFDEB, 0xFDF3, 0xFE03, 
+	0xFE05, 0xFE09, 0xFE1D, 0xFE27, 0xFE2F, 0xFE41, 0xFE4B, 0xFE4D, 
+	0xFE57, 0xFE5F, 0xFE63, 0xFE69, 0xFE75, 0xFE7B, 0xFE8F, 0xFE93, 
+	0xFE95, 0xFE9B, 0xFE9F, 0xFEB3, 0xFEBD, 0xFED7, 0xFEE9, 0xFEF3, 
+	0xFEF5, 0xFF07, 0xFF0D, 0xFF1D, 0xFF2B, 0xFF2F, 0xFF49, 0xFF4D, 
+	0xFF5B, 0xFF65, 0xFF71, 0xFF7F, 0xFF85, 0xFF8B, 0xFF8F, 0xFF9D, 
+	0xFFA7, 0xFFA9, 0xFFC7, 0xFFD9, 0xFFEF, 0xFFF1, 
+#endif
+};
+
diff --git a/security/nss/lib/freebl/mpi/stats b/security/nss/lib/freebl/mpi/stats
new file mode 100755
index 000000000..dd63ca0db
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/stats
@@ -0,0 +1,70 @@
+#!/usr/bin/perl
+
+#
+# Treat each line as a sequence of comma and/or space delimited
+# floating point numbers, and compute basic statistics on them.
+# These are written to standard output
+#
+## The contents of this file are subject to the Mozilla Public
+## License Version 1.1 (the "License"); you may not use this file
+## except in compliance with the License. You may obtain a copy of
+## the License at http://www.mozilla.org/MPL/
+##
+## Software distributed under the License is distributed on an "AS
+## IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+## implied. See the License for the specific language governing
+## rights and limitations under the License.
+##
+## The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+## library.
+##
+## The Initial Developer of the Original Code is 
+## Michael J. Fromberger <sting@linguist.dartmouth.edu>
+##
+## Portions created by Michael J. Fromberger are 
+## Copyright (C) 1998, 2000 Michael J. Fromberger. All Rights Reserved
+##
+## Contributor(s):
+##
+## Alternatively, the contents of this file may be used under the
+## terms of the GNU General Public License Version 2 or later (the
+## "GPL"), in which case the provisions of the GPL are applicable
+## instead of those above.  If you wish to allow use of your
+## version of this file only under the terms of the GPL and not to
+## allow others to use your version of this file under the MPL,
+## indicate your decision by deleting the provisions above and
+## replace them with the notice and other provisions required by
+## the GPL.  If you do not delete the provisions above, a recipient
+## may use your version of this file under either the MPL or the GPL.
+##
+# $Id$
+#
+
+$min = 1.7976931348623157E+308;
+$max = 2.2250738585072014E-308;
+$sum = $num = 0;
+
+while(<>) {
+    chomp;
+
+    @nums = split(/[\s,]+/, $_);
+    next if($#nums < 0);
+
+    $num += scalar @nums;
+    foreach (@nums) {
+	$min = $_ if($_ < $min);
+	$max = $_ if($_ > $max);
+	$sum += $_;
+    }
+}
+
+if($num) {
+    $avg = $sum / $num;
+} else {
+    $min = $max = 0;
+}
+
+printf "%d\tmin=%.2f, avg=%.2f, max=%.2f, sum=%.2f\n",
+    $num, $min, $avg, $max, $sum;
+
+# end
diff --git a/security/nss/lib/freebl/mpi/test-arrays.txt b/security/nss/lib/freebl/mpi/test-arrays.txt
new file mode 100644
index 000000000..d247154be
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/test-arrays.txt
@@ -0,0 +1,86 @@
+#
+# Test suite table for MPI library
+#
+# Format of entries:
+# suite-name:function-name:description
+#
+# suite-name	The name used to identify this test in mpi-test
+# function-name	The function called to perform this test in mpi-test.c
+# description   A brief description of what the suite tests
+#
+## The contents of this file are subject to the Mozilla Public
+## License Version 1.1 (the "License"); you may not use this file
+## except in compliance with the License. You may obtain a copy of
+## the License at http://www.mozilla.org/MPL/
+##
+## Software distributed under the License is distributed on an "AS
+## IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+## implied. See the License for the specific language governing
+## rights and limitations under the License.
+##
+## The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+## library.
+##
+## The Initial Developer of the Original Code is 
+## Michael J. Fromberger <sting@linguist.dartmouth.edu>
+##
+## Portions created by Michael J. Fromberger are 
+## Copyright (C) 1998, 2000 Michael J. Fromberger. All Rights Reserved
+##
+## Contributor(s):
+##
+## Alternatively, the contents of this file may be used under the
+## terms of the GNU General Public License Version 2 or later (the
+## "GPL"), in which case the provisions of the GPL are applicable
+## instead of those above.  If you wish to allow use of your
+## version of this file only under the terms of the GPL and not to
+## allow others to use your version of this file under the MPL,
+## indicate your decision by deleting the provisions above and
+## replace them with the notice and other provisions required by
+## the GPL.  If you do not delete the provisions above, a recipient
+## may use your version of this file under either the MPL or the GPL.
+## 
+# $Id$
+#
+list:test_list:print out a list of the available test suites
+copy:test_copy:test assignment of mp-int structures
+exchange:test_exch:test exchange of mp-int structures
+zero:test_zero:test zeroing of an mp-int
+set:test_set:test setting an mp-int to a small constant
+absolute-value:test_abs:test the absolute value function
+negate:test_neg:test the arithmetic negation function
+add-digit:test_add_d:test digit addition
+add:test_add:test full addition
+subtract-digit:test_sub_d:test digit subtraction
+subtract:test_sub:test full subtraction
+multiply-digit:test_mul_d:test digit multiplication
+multiply:test_mul:test full multiplication
+square:test_sqr:test full squaring function
+divide-digit:test_div_d:test digit division
+divide-2:test_div_2:test division by two
+divide-2d:test_div_2d:test division & remainder by 2^d
+divide:test_div:test full division
+expt-digit:test_expt_d:test digit exponentiation
+expt:test_expt:test full exponentiation
+expt-2:test_2expt:test power-of-two exponentiation
+square-root:test_sqrt:test integer square root function
+modulo-digit:test_mod_d:test digit modular reduction
+modulo:test_mod:test full modular reduction
+mod-add:test_addmod:test modular addition
+mod-subtract:test_submod:test modular subtraction
+mod-multiply:test_mulmod:test modular multiplication
+mod-square:test_sqrmod:test modular squaring function
+mod-expt:test_exptmod:test full modular exponentiation
+mod-expt-digit:test_exptmod_d:test digit modular exponentiation
+mod-inverse:test_invmod:test modular inverse function
+compare-digit:test_cmp_d:test digit comparison function
+compare-zero:test_cmp_z:test zero comparison function
+compare:test_cmp:test general signed comparison
+compare-magnitude:test_cmp_mag:test general magnitude comparison
+parity:test_parity:test parity comparison functions
+gcd:test_gcd:test greatest common divisor functions
+lcm:test_lcm:test least common multiple function
+conversion:test_convert:test general radix conversion facilities
+binary:test_raw:test raw output format
+pprime:test_pprime:test probabilistic primality tester
+fermat:test_fermat:test Fermat pseudoprimality tester
diff --git a/security/nss/lib/freebl/mpi/test-info.c b/security/nss/lib/freebl/mpi/test-info.c
new file mode 100644
index 000000000..f84013e2e
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/test-info.c
@@ -0,0 +1,191 @@
+/*
+ *  test-info.c
+ *
+ *  Arbitrary precision integer arithmetic library
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+/* Table mapping test suite names to index numbers */
+const int   g_count = 42;
+const char *g_names[] = {
+   "list",              /* print out a list of the available test suites */
+   "copy",              /* test assignment of mp-int structures          */
+   "exchange",          /* test exchange of mp-int structures            */
+   "zero",              /* test zeroing of an mp-int                     */
+   "set",               /* test setting an mp-int to a small constant    */
+   "absolute-value",    /* test the absolute value function              */
+   "negate",            /* test the arithmetic negation function         */
+   "add-digit",         /* test digit addition                           */
+   "add",               /* test full addition                            */
+   "subtract-digit",    /* test digit subtraction                        */
+   "subtract",          /* test full subtraction                         */
+   "multiply-digit",    /* test digit multiplication                     */
+   "multiply",          /* test full multiplication                      */
+   "square",            /* test full squaring function                   */
+   "divide-digit",      /* test digit division                           */
+   "divide-2",          /* test division by two                          */
+   "divide-2d",         /* test division & remainder by 2^d              */
+   "divide",            /* test full division                            */
+   "expt-digit",        /* test digit exponentiation                     */
+   "expt",              /* test full exponentiation                      */
+   "expt-2",            /* test power-of-two exponentiation              */
+   "square-root",       /* test integer square root function             */
+   "modulo-digit",      /* test digit modular reduction                  */
+   "modulo",            /* test full modular reduction                   */
+   "mod-add",           /* test modular addition                         */
+   "mod-subtract",      /* test modular subtraction                      */
+   "mod-multiply",      /* test modular multiplication                   */
+   "mod-square",        /* test modular squaring function                */
+   "mod-expt",          /* test full modular exponentiation              */
+   "mod-expt-digit",    /* test digit modular exponentiation             */
+   "mod-inverse",       /* test modular inverse function                 */
+   "compare-digit",     /* test digit comparison function                */
+   "compare-zero",      /* test zero comparison function                 */
+   "compare",           /* test general signed comparison                */
+   "compare-magnitude", /* test general magnitude comparison             */
+   "parity",            /* test parity comparison functions              */
+   "gcd",               /* test greatest common divisor functions        */
+   "lcm",               /* test least common multiple function           */
+   "conversion",        /* test general radix conversion facilities      */
+   "binary",            /* test raw output format                        */
+   "pprime",            /* test probabilistic primality tester           */
+   "fermat"             /* test Fermat pseudoprimality tester            */
+};
+
+/* Test function prototypes */
+int  test_list(void);
+int  test_copy(void);
+int  test_exch(void);
+int  test_zero(void);
+int  test_set(void);
+int  test_abs(void);
+int  test_neg(void);
+int  test_add_d(void);
+int  test_add(void);
+int  test_sub_d(void);
+int  test_sub(void);
+int  test_mul_d(void);
+int  test_mul(void);
+int  test_sqr(void);
+int  test_div_d(void);
+int  test_div_2(void);
+int  test_div_2d(void);
+int  test_div(void);
+int  test_expt_d(void);
+int  test_expt(void);
+int  test_2expt(void);
+int  test_sqrt(void);
+int  test_mod_d(void);
+int  test_mod(void);
+int  test_addmod(void);
+int  test_submod(void);
+int  test_mulmod(void);
+int  test_sqrmod(void);
+int  test_exptmod(void);
+int  test_exptmod_d(void);
+int  test_invmod(void);
+int  test_cmp_d(void);
+int  test_cmp_z(void);
+int  test_cmp(void);
+int  test_cmp_mag(void);
+int  test_parity(void);
+int  test_gcd(void);
+int  test_lcm(void);
+int  test_convert(void);
+int  test_raw(void);
+int  test_pprime(void);
+int  test_fermat(void);
+
+/* Table mapping index numbers to functions */
+int (*g_tests[])(void)  = {
+   test_list,     test_copy,     test_exch,     test_zero,     
+   test_set,      test_abs,      test_neg,      test_add_d,    
+   test_add,      test_sub_d,    test_sub,      test_mul_d,    
+   test_mul,      test_sqr,      test_div_d,    test_div_2,    
+   test_div_2d,   test_div,      test_expt_d,   test_expt,     
+   test_2expt,    test_sqrt,     test_mod_d,    test_mod,      
+   test_addmod,   test_submod,   test_mulmod,   test_sqrmod,   
+   test_exptmod,  test_exptmod_d, test_invmod,   test_cmp_d,    
+   test_cmp_z,    test_cmp,      test_cmp_mag,  test_parity,   
+   test_gcd,      test_lcm,      test_convert,  test_raw,      
+   test_pprime,   test_fermat
+};
+
+/* Table mapping index numbers to descriptions */
+const char *g_descs[] = {
+   "print out a list of the available test suites",
+   "test assignment of mp-int structures",
+   "test exchange of mp-int structures",
+   "test zeroing of an mp-int",
+   "test setting an mp-int to a small constant",
+   "test the absolute value function",
+   "test the arithmetic negation function",
+   "test digit addition",
+   "test full addition",
+   "test digit subtraction",
+   "test full subtraction",
+   "test digit multiplication",
+   "test full multiplication",
+   "test full squaring function",
+   "test digit division",
+   "test division by two",
+   "test division & remainder by 2^d",
+   "test full division",
+   "test digit exponentiation",
+   "test full exponentiation",
+   "test power-of-two exponentiation",
+   "test integer square root function",
+   "test digit modular reduction",
+   "test full modular reduction",
+   "test modular addition",
+   "test modular subtraction",
+   "test modular multiplication",
+   "test modular squaring function",
+   "test full modular exponentiation",
+   "test digit modular exponentiation",
+   "test modular inverse function",
+   "test digit comparison function",
+   "test zero comparison function",
+   "test general signed comparison",
+   "test general magnitude comparison",
+   "test parity comparison functions",
+   "test greatest common divisor functions",
+   "test least common multiple function",
+   "test general radix conversion facilities",
+   "test raw output format",
+   "test probabilistic primality tester",
+   "test Fermat pseudoprimality tester"
+};
+
diff --git a/security/nss/lib/freebl/mpi/tests/LICENSE b/security/nss/lib/freebl/mpi/tests/LICENSE
new file mode 100644
index 000000000..c2c5d0190
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/LICENSE
@@ -0,0 +1,6 @@
+Within this directory, each of the file listed below is licensed under 
+the terms given in the file LICENSE-MPL, also in this directory.
+
+pi1k.txt
+pi2k.txt
+pi5k.txt
diff --git a/security/nss/lib/freebl/mpi/tests/LICENSE-MPL b/security/nss/lib/freebl/mpi/tests/LICENSE-MPL
new file mode 100644
index 000000000..9ff410e4b
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/LICENSE-MPL
@@ -0,0 +1,32 @@
+The contents of this file are subject to the Mozilla Public
+License Version 1.1 (the "License"); you may not use this file
+except in compliance with the License. You may obtain a copy of
+the License at http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS
+IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+implied. See the License for the specific language governing
+rights and limitations under the License.
+
+The Original Code is the Netscape security libraries.
+
+The Initial Developer of the Original Code is Netscape
+Communications Corporation.  Portions created by Netscape are 
+Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the
+terms of the GNU General Public License Version 2 or later (the
+"GPL"), in which case the provisions of the GPL are applicable 
+instead of those above.  If you wish to allow use of your 
+version of this file only under the terms of the GPL and not to
+allow others to use your version of this file under the MPL,
+indicate your decision by deleting the provisions above and
+replace them with the notice and other provisions required by
+the GPL.  If you do not delete the provisions above, a recipient
+may use your version of this file under either the MPL or the
+GPL.
+
+
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-1.c b/security/nss/lib/freebl/mpi/tests/mptest-1.c
new file mode 100644
index 000000000..6861e616e
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-1.c
@@ -0,0 +1,72 @@
+/*
+ * Simple test driver for MPI library
+ *
+ * Test 1: Simple input test (drives single-digit multiply and add,
+ *         as well as I/O routines)
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+
+#ifdef MAC_CW_SIOUX
+#include <console.h>
+#endif
+
+#include "mpi.h"
+
+int main(int argc, char *argv[])
+{
+  int    ix;
+  mp_int mp;
+
+#ifdef MAC_CW_SIOUX
+  argc = ccommand(&argv);
+#endif
+
+  mp_init(&mp);
+  
+  for(ix = 1; ix < argc; ix++) {
+    mp_read_radix(&mp, argv[ix], 10);
+    mp_print(&mp, stdout);
+    fputc('\n', stdout);
+  }
+
+  mp_clear(&mp);
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-2.c b/security/nss/lib/freebl/mpi/tests/mptest-2.c
new file mode 100644
index 000000000..d350d1d49
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-2.c
@@ -0,0 +1,83 @@
+/*
+ * Simple test driver for MPI library
+ *
+ * Test 2: Basic addition and subtraction test
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+
+#include "mpi.h"
+
+int main(int argc, char *argv[])
+{
+  mp_int a, b, c;
+
+  if(argc < 3) {
+    fprintf(stderr, "Usage: %s <a> <b>\n", argv[0]);
+    return 1;
+  }
+
+  printf("Test 2: Basic addition and subtraction\n\n");
+
+  mp_init(&a);
+  mp_init(&b);
+
+  mp_read_radix(&a, argv[1], 10);
+  mp_read_radix(&b, argv[2], 10);
+  printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
+  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+  
+  mp_init(&c);
+  printf("c = a + b\n");
+
+  mp_add(&a, &b, &c);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+  
+  printf("c = a - b\n");
+  
+  mp_sub(&a, &b, &c);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);  
+
+  mp_clear(&c);
+  mp_clear(&b);
+  mp_clear(&a);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-3.c b/security/nss/lib/freebl/mpi/tests/mptest-3.c
new file mode 100644
index 000000000..ac2dd2c6c
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-3.c
@@ -0,0 +1,128 @@
+/*
+ * Simple test driver for MPI library
+ *
+ * Test 3: Multiplication, division, and exponentiation test
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ * $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+
+#include <time.h>
+
+#include "mpi.h"
+
+#define  SQRT 1  /* define nonzero to get square-root test  */
+#define  EXPT 0  /* define nonzero to get exponentiate test */
+
+int main(int argc, char *argv[])
+{
+  int      ix;
+  mp_int   a, b, c, d;
+  mp_digit r;
+  mp_err   res;
+
+  if(argc < 3) {
+    fprintf(stderr, "Usage: %s <a> <b>\n", argv[0]);
+    return 1;
+  }
+
+  printf("Test 3: Multiplication and division\n\n");
+  srand(time(NULL));
+
+  mp_init(&a);
+  mp_init(&b);
+
+  mp_read_variable_radix(&a, argv[1], 10);
+  mp_read_variable_radix(&b, argv[2], 10);
+  printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
+  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+  
+  mp_init(&c);
+  printf("\nc = a * b\n");
+
+  mp_mul(&a, &b, &c);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  printf("\nc = b * 32523\n");
+
+  mp_mul_d(&b, 32523, &c);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+  
+  mp_init(&d);
+  printf("\nc = a / b, d = a mod b\n");
+  
+  mp_div(&a, &b, &c, &d);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);  
+  printf("d = "); mp_print(&d, stdout); fputc('\n', stdout);  
+
+  ix = rand() % 256;
+  printf("\nc = a / %d, r = a mod %d\n", ix, ix);
+  mp_div_d(&a, (mp_digit)ix, &c, &r);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);  
+  printf("r = %04X\n", r);
+
+#if EXPT
+  printf("\nc = a ** b\n");
+  mp_expt(&a, &b, &c);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);  
+#endif
+
+  ix = rand() % 256;
+  printf("\nc = 2^%d\n", ix);
+  mp_2expt(&c, ix);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+#if SQRT
+  printf("\nc = sqrt(a)\n");
+  if((res = mp_sqrt(&a, &c)) != MP_OKAY) {
+    printf("mp_sqrt: %s\n", mp_strerror(res));
+  } else {
+    printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+    mp_sqr(&c, &c);
+    printf("c^2 = "); mp_print(&c, stdout); fputc('\n', stdout);
+  }
+#endif
+
+  mp_clear(&d);
+  mp_clear(&c);
+  mp_clear(&b);
+  mp_clear(&a);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-3a.c b/security/nss/lib/freebl/mpi/tests/mptest-3a.c
new file mode 100644
index 000000000..014bd386c
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-3a.c
@@ -0,0 +1,141 @@
+/*
+ * Simple test driver for MPI library
+ *
+ * Test 3a: Multiplication vs. squaring timing test
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ * $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+
+#include <time.h>
+
+#include "mpi.h"
+#include "mpprime.h"
+
+int main(int argc, char *argv[])
+{
+  int        ix, num, prec = 8;
+  double     d1, d2;
+  clock_t    start, finish;
+  time_t     seed;
+  mp_int     a, c, d;
+
+  seed = time(NULL);
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <num-tests> [<precision>]\n", argv[0]);
+    return 1;
+  }
+
+  if((num = atoi(argv[1])) < 0)
+    num = -num;
+
+  if(!num) {
+    fprintf(stderr, "%s: must perform at least 1 test\n", argv[0]);
+    return 1;
+  }
+
+  if(argc > 2) {
+    if((prec = atoi(argv[2])) <= 0)
+      prec = 8;
+    else
+      prec = (prec + (DIGIT_BIT - 1)) / DIGIT_BIT;
+  }
+  
+  printf("Test 3a: Multiplication vs squaring timing test\n"
+	 "Precision:  %d digits (%u bits)\n"
+	 "# of tests: %d\n\n", prec, prec * DIGIT_BIT, num);
+
+  mp_init_size(&a, prec);
+
+  mp_init(&c); mp_init(&d);
+
+  printf("Verifying accuracy ... \n");
+  srand((unsigned int)seed);
+  for(ix = 0; ix < num; ix++) {
+    mpp_random_size(&a, prec);
+    mp_mul(&a, &a, &c);
+    mp_sqr(&a, &d);
+
+    if(mp_cmp(&c, &d) != 0) {
+      printf("Error!  Results not accurate:\n");
+      printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
+      printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+      printf("d = "); mp_print(&d, stdout); fputc('\n', stdout);
+      mp_sub(&c, &d, &d);
+      printf("dif "); mp_print(&d, stdout); fputc('\n', stdout);
+      mp_clear(&c); mp_clear(&d);
+      mp_clear(&a);
+      return 1;
+    }
+  }
+  printf("Accuracy is confirmed for the %d test samples\n", num);
+  mp_clear(&d);
+
+  printf("Testing squaring ... \n");
+  srand((unsigned int)seed);
+  start = clock();
+  for(ix = 0; ix < num; ix++) {
+    mpp_random_size(&a, prec);
+    mp_sqr(&a, &c);
+  }
+  finish = clock();
+
+  d2 = (double)(finish - start) / CLOCKS_PER_SEC;
+
+  printf("Testing multiplication ... \n");
+  srand((unsigned int)seed);
+  start = clock();
+  for(ix = 0; ix < num; ix++) {
+    mpp_random(&a);
+    mp_mul(&a, &a, &c);
+  }
+  finish = clock();
+
+  d1 = (double)(finish - start) / CLOCKS_PER_SEC;
+
+  printf("Multiplication time: %.3f sec (%.3f each)\n", d1, d1 / num);
+  printf("Squaring time:       %.3f sec (%.3f each)\n", d2, d2 / num);
+  printf("Improvement:         %.2f%%\n", (1.0 - (d2 / d1)) * 100.0);
+
+  mp_clear(&c);
+  mp_clear(&a);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-4.c b/security/nss/lib/freebl/mpi/tests/mptest-4.c
new file mode 100644
index 000000000..6a9920cd8
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-4.c
@@ -0,0 +1,123 @@
+/*
+ * Simple test driver for MPI library
+ *
+ * Test 4: Modular arithmetic tests
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+
+#include "mpi.h"
+
+int main(int argc, char *argv[])
+{
+  int      ix;
+  mp_int   a, b, c, m;
+  mp_digit r;
+
+  if(argc < 4) {
+    fprintf(stderr, "Usage: %s <a> <b> <m>\n", argv[0]);
+    return 1;
+  }
+
+  printf("Test 4: Modular arithmetic\n\n");
+
+  mp_init(&a);
+  mp_init(&b);
+  mp_init(&m);
+
+  mp_read_radix(&a, argv[1], 10);
+  mp_read_radix(&b, argv[2], 10);
+  mp_read_radix(&m, argv[3], 10);
+  printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
+  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+  printf("m = "); mp_print(&m, stdout); fputc('\n', stdout);
+  
+  mp_init(&c);
+  printf("\nc = a (mod m)\n");
+
+  mp_mod(&a, &m, &c);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  printf("\nc = b (mod m)\n");
+
+  mp_mod(&b, &m, &c);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  printf("\nc = b (mod 1853)\n");
+
+  mp_mod_d(&b, 1853, &r);
+  printf("c = %04X\n", r);
+
+  printf("\nc = (a + b) mod m\n");
+
+  mp_addmod(&a, &b, &m, &c);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  printf("\nc = (a - b) mod m\n");
+
+  mp_submod(&a, &b, &m, &c);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  printf("\nc = (a * b) mod m\n");
+
+  mp_mulmod(&a, &b, &m, &c);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  printf("\nc = (a ** b) mod m\n");
+
+  mp_exptmod(&a, &b, &m, &c);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  printf("\nIn-place modular squaring test:\n");
+  for(ix = 0; ix < 5; ix++) {
+    printf("a = (a * a) mod m   a = ");
+    mp_sqrmod(&a, &m, &a);
+    mp_print(&a, stdout);
+    fputc('\n', stdout);
+  }
+  
+
+  mp_clear(&c);
+  mp_clear(&m);
+  mp_clear(&b);
+  mp_clear(&a);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-4a.c b/security/nss/lib/freebl/mpi/tests/mptest-4a.c
new file mode 100644
index 000000000..22610b8a5
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-4a.c
@@ -0,0 +1,135 @@
+/* 
+ *  mptest4a - modular exponentiation speed test 
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ * $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include <time.h>
+
+#include <sys/time.h>
+
+#include "mpi.h"
+#include "mpprime.h"
+
+typedef struct {
+  unsigned int  sec;
+  unsigned int  usec;
+} instant_t;
+
+instant_t now(void)
+{
+  struct timeval clk;
+  instant_t      res;
+
+  res.sec = res.usec = 0;
+
+  if(gettimeofday(&clk, NULL) != 0)
+    return res;
+
+  res.sec = clk.tv_sec;
+  res.usec = clk.tv_usec;
+
+  return res;
+}
+
+extern mp_err s_mp_pad();
+
+int main(int argc, char *argv[])
+{
+  int        ix, num, prec = 8;
+  unsigned   int d;
+  instant_t  start, finish;
+  time_t     seed;
+  mp_int     a, m, c;
+
+  seed = time(NULL);
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <num-tests> [<precision>]\n", argv[0]);
+    return 1;
+  }
+
+  if((num = atoi(argv[1])) < 0)
+    num = -num;
+
+  if(!num) {
+    fprintf(stderr, "%s: must perform at least 1 test\n", argv[0]);
+    return 1;
+  }
+
+  if(argc > 2) {
+    if((prec = atoi(argv[2])) <= 0)
+      prec = 8;
+  }
+  
+  printf("Test 3a: Modular exponentiation timing test\n"
+	 "Precision:  %d digits (%d bits)\n"
+	 "# of tests: %d\n\n", prec, prec * DIGIT_BIT, num);
+
+  mp_init_size(&a, prec);
+  mp_init_size(&m, prec);
+  mp_init_size(&c, prec);
+  s_mp_pad(&a, prec);
+  s_mp_pad(&m, prec);
+  s_mp_pad(&c, prec);
+
+  printf("Testing modular exponentiation ... \n");
+  srand((unsigned int)seed);
+
+  start = now();
+  for(ix = 0; ix < num; ix++) {
+    mpp_random(&a);
+    mpp_random(&c);
+    mpp_random(&m);
+    mp_exptmod(&a, &c, &m, &c);
+  }
+  finish = now();
+
+  d = (finish.sec - start.sec) * 1000000;
+  d -= start.usec; d += finish.usec;
+
+  printf("Total time elapsed:        %u usec\n", d);
+  printf("Time per exponentiation:   %u usec (%.3f sec)\n", 
+	 (d / num), (double)(d / num) / 1000000);
+
+  mp_clear(&c);
+  mp_clear(&a);
+  mp_clear(&m);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-4b.c b/security/nss/lib/freebl/mpi/tests/mptest-4b.c
new file mode 100644
index 000000000..77a38eb8d
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-4b.c
@@ -0,0 +1,132 @@
+/*
+ * mptest-4b.c
+ *
+ * Test speed of a large modular exponentiation of a primitive element
+ * modulo a prime.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ * $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include <time.h>
+
+#include <sys/time.h>
+
+#include "mpi.h"
+#include "mpprime.h"
+
+char *g_prime = 
+  "34BD53C07350E817CCD49721020F1754527959C421C1533244769D4CF060A8B1C3DA"
+  "25094BE723FB1E2369B55FEEBBE0FAC16425161BF82684062B5EC5D7D47D1B23C117"
+  "0FA19745E44A55E148314E582EB813AC9EE5126295E2E380CACC2F6D206B293E5ED9"
+  "23B54EE961A8C69CD625CE4EC38B70C649D7F014432AEF3A1C93";
+char *g_gen = "5";
+
+typedef struct {
+  unsigned int  sec;
+  unsigned int  usec;
+} instant_t;
+
+instant_t now(void)
+{
+  struct timeval clk;
+  instant_t      res;
+
+  res.sec = res.usec = 0;
+
+  if(gettimeofday(&clk, NULL) != 0)
+    return res;
+
+  res.sec = clk.tv_sec;
+  res.usec = clk.tv_usec;
+
+  return res;
+}
+
+extern mp_err s_mp_pad();
+
+int main(int argc, char *argv[])
+{
+  instant_t    start, finish;
+  mp_int       prime, gen, expt, res;
+  unsigned int ix, diff;
+  int          num;
+
+  srand(time(NULL));
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <num-tests>\n", argv[0]);
+    return 1;
+  }
+
+  if((num = atoi(argv[1])) < 0)
+    num = -num;
+
+  if(num == 0)
+    ++num;
+
+  mp_init(&prime); mp_init(&gen); mp_init(&res);
+  mp_read_radix(&prime, g_prime, 16);
+  mp_read_radix(&gen, g_gen, 16);
+
+  mp_init_size(&expt, USED(&prime) - 1);
+  s_mp_pad(&expt, USED(&prime) - 1);
+
+  printf("Testing %d modular exponentations ... \n", num);
+
+  start = now();
+  for(ix = 0; ix < num; ix++) {
+    mpp_random(&expt);
+    mp_exptmod(&gen, &expt, &prime, &res);
+  }
+  finish = now();
+
+  diff = (finish.sec - start.sec) * 1000000;
+  diff += finish.usec; diff -= start.usec;
+
+  printf("%d operations took %u usec (%.3f sec)\n",
+	 num, diff, (double)diff / 1000000.0);
+  printf("That is %.3f sec per operation.\n",
+	 ((double)diff / 1000000.0) / num);
+
+  mp_clear(&expt);
+  mp_clear(&res);
+  mp_clear(&gen);
+  mp_clear(&prime);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-5.c b/security/nss/lib/freebl/mpi/tests/mptest-5.c
new file mode 100644
index 000000000..4b161d1b8
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-5.c
@@ -0,0 +1,100 @@
+/*
+ * Simple test driver for MPI library
+ *
+ * Test 5: Other number theoretic functions
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+
+#include "mpi.h"
+
+int main(int argc, char *argv[])
+{
+  mp_int   a, b, c, x, y;
+
+  if(argc < 3) {
+    fprintf(stderr, "Usage: %s <a> <b>\n", argv[0]);
+    return 1;
+  }
+
+  printf("Test 5: Number theoretic functions\n\n");
+
+  mp_init(&a);
+  mp_init(&b);
+
+  mp_read_radix(&a, argv[1], 10);
+  mp_read_radix(&b, argv[2], 10);
+
+  printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
+  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+  
+  mp_init(&c);
+  printf("\nc = (a, b)\n");
+
+  mp_gcd(&a, &b, &c);
+  printf("Euclid: c = "); mp_print(&c, stdout); fputc('\n', stdout);
+/*
+  mp_bgcd(&a, &b, &c);
+  printf("Binary: c = "); mp_print(&c, stdout); fputc('\n', stdout);
+*/
+  mp_init(&x);
+  mp_init(&y);
+  printf("\nc = (a, b) = ax + by\n");
+
+  mp_xgcd(&a, &b, &c, &x, &y);
+  printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+  printf("x = "); mp_print(&x, stdout); fputc('\n', stdout);
+  printf("y = "); mp_print(&y, stdout); fputc('\n', stdout);
+
+  printf("\nc = a^-1 (mod b)\n");
+  if(mp_invmod(&a, &b, &c) == MP_UNDEF) {
+    printf("a has no inverse mod b\n");
+  } else {
+    printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+  }
+
+  mp_clear(&y);
+  mp_clear(&x);
+  mp_clear(&c);
+  mp_clear(&b);
+  mp_clear(&a);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-5a.c b/security/nss/lib/freebl/mpi/tests/mptest-5a.c
new file mode 100644
index 000000000..82552b766
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-5a.c
@@ -0,0 +1,162 @@
+/*
+ * Simple test driver for MPI library
+ *
+ * Test 5a: Greatest common divisor speed test, binary vs. Euclid
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ * $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+#include <time.h>
+
+#include <sys/time.h>
+
+#include "mpi.h"
+#include "mpprime.h"
+
+typedef struct {
+  unsigned int  sec;
+  unsigned int  usec;
+} instant_t;
+
+instant_t now(void)
+{
+  struct timeval clk;
+  instant_t      res;
+
+  res.sec = res.usec = 0;
+
+  if(gettimeofday(&clk, NULL) != 0)
+    return res;
+
+  res.sec = clk.tv_sec;
+  res.usec = clk.tv_usec;
+
+  return res;
+}
+
+#define PRECISION 16
+
+int main(int argc, char *argv[])
+{
+  int          ix, num, prec = PRECISION;
+  mp_int       a, b, c, d;
+  instant_t    start, finish;
+  time_t       seed;
+  unsigned int d1, d2;
+
+  seed = time(NULL);
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <num-tests>\n", argv[0]);
+    return 1;
+  }
+
+  if((num = atoi(argv[1])) < 0)
+    num = -num;
+
+  printf("Test 5a: Euclid vs. Binary, a GCD speed test\n\n"
+	 "Number of tests: %d\n"
+	 "Precision:       %d digits\n\n", num, prec);
+
+  mp_init_size(&a, prec);
+  mp_init_size(&b, prec);
+  mp_init(&c);
+  mp_init(&d);
+
+  printf("Verifying accuracy ... \n");
+  srand((unsigned int)seed);
+  for(ix = 0; ix < num; ix++) {
+    mpp_random_size(&a, prec);
+    mpp_random_size(&b, prec);
+
+    mp_gcd(&a, &b, &c);
+    mp_bgcd(&a, &b, &d);
+
+    if(mp_cmp(&c, &d) != 0) {
+      printf("Error!  Results not accurate:\n");
+      printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
+      printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+      printf("c = "); mp_print(&c, stdout); fputc('\n', stdout);
+      printf("d = "); mp_print(&d, stdout); fputc('\n', stdout);
+
+      mp_clear(&a); mp_clear(&b); mp_clear(&c); mp_clear(&d);
+      return 1;
+    }
+  }
+  mp_clear(&d);
+  printf("Accuracy confirmed for the %d test samples\n", num);
+
+  printf("Testing Euclid ... \n");
+  srand((unsigned int)seed);
+  start = now();
+  for(ix = 0; ix < num; ix++) {
+    mpp_random_size(&a, prec);
+    mpp_random_size(&b, prec);
+    mp_gcd(&a, &b, &c);
+
+  }
+  finish = now();
+
+  d1 = (finish.sec - start.sec) * 1000000;
+  d1 -= start.usec; d1 += finish.usec;
+
+  printf("Testing binary ... \n");
+  srand((unsigned int)seed);
+  start = now();
+  for(ix = 0; ix < num; ix++) {
+    mpp_random_size(&a, prec);
+    mpp_random_size(&b, prec);
+    mp_bgcd(&a, &b, &c);
+  }
+  finish = now();
+
+  d2 = (finish.sec - start.sec) * 1000000;
+  d2 -= start.usec; d2 += finish.usec;
+
+  printf("Euclidean algorithm time: %u usec\n", d1);
+  printf("Binary algorithm time:    %u usec\n", d2);
+  printf("Improvement:              %.2f%%\n",
+         (1.0 - ((double)d2 / (double)d1)) * 100.0);
+
+  mp_clear(&c);
+  mp_clear(&b);
+  mp_clear(&a);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-6.c b/security/nss/lib/freebl/mpi/tests/mptest-6.c
new file mode 100644
index 000000000..5e91716de
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-6.c
@@ -0,0 +1,108 @@
+/*
+ *  Simple test driver for MPI library
+ *
+ *  Test 6: Output functions
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+
+#include "mpi.h"
+
+void print_buf(FILE *ofp, char *buf, int len)
+{
+  int ix, brk = 0;
+
+  for(ix = 0; ix < len; ix++) {
+    fprintf(ofp, "%02X ", buf[ix]);
+
+    brk = (brk + 1) & 0xF;
+    if(!brk) 
+      fputc('\n', ofp);
+  }
+
+  if(brk)
+    fputc('\n', ofp);
+
+}
+
+int main(int argc, char *argv[])
+{
+  int       ix, size;
+  mp_int    a;
+  char     *buf;
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <a>\n", argv[0]);
+    return 1;
+  }
+
+  printf("Test 6: Output functions\n\n");
+
+  mp_init(&a);
+
+  mp_read_radix(&a, argv[1], 10);
+
+  printf("\nConverting to a string:\n");
+
+  printf("Rx Size Representation\n");
+  for(ix = 2; ix <= MAX_RADIX; ix++) {
+    size = mp_radix_size(&a, ix);
+
+    buf = calloc(size, sizeof(char));
+    mp_toradix(&a, buf, ix);
+    printf("%2d: %3d: %s\n", ix, size, buf);
+    free(buf);
+
+  }
+
+  printf("\nRaw output:\n");
+  size = mp_raw_size(&a);
+  buf = calloc(size, sizeof(char));
+
+  printf("Size:  %d bytes\n", size);
+
+  mp_toraw(&a, buf);
+  print_buf(stdout, buf, size);
+  free(buf);
+  
+  mp_clear(&a);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-7.c b/security/nss/lib/freebl/mpi/tests/mptest-7.c
new file mode 100644
index 000000000..4b41a1a4f
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-7.c
@@ -0,0 +1,104 @@
+/*
+ *  Simple test driver for MPI library
+ *
+ *  Test 7: Random and divisibility tests
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+#include <time.h>
+
+#define MP_IOFUNC
+#include "mpi.h"
+
+#include "mpprime.h"
+
+int main(int argc, char *argv[])
+{
+  mp_digit  num;
+  mp_int    a, b;
+
+  srand(time(NULL));
+
+  if(argc < 3) {
+    fprintf(stderr, "Usage: %s <a> <b>\n", argv[0]);
+    return 1;
+  }
+
+  printf("Test 7: Random & divisibility tests\n\n");
+
+  mp_init(&a);
+  mp_init(&b);
+
+  mp_read_radix(&a, argv[1], 10);
+  mp_read_radix(&b, argv[2], 10);
+
+  printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
+  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+
+  if(mpp_divis(&a, &b) == MP_YES)
+    printf("a is divisible by b\n");
+  else
+    printf("a is not divisible by b\n");
+
+  if(mpp_divis(&b, &a) == MP_YES)
+    printf("b is divisible by a\n");
+  else
+    printf("b is not divisible by a\n");
+
+  printf("\nb = mpp_random()\n");
+  mpp_random(&b);
+  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+  mpp_random(&b);
+  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+  mpp_random(&b);
+  printf("b = "); mp_print(&b, stdout); fputc('\n', stdout);
+
+  printf("\nTesting a for divisibility by first 170 primes\n");
+  num = 170;
+  if(mpp_divis_primes(&a, &num) == MP_YES)
+    printf("It is divisible by at least one of them\n");
+  else
+    printf("It is not divisible by any of them\n");
+
+  mp_clear(&b);
+  mp_clear(&a);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-8.c b/security/nss/lib/freebl/mpi/tests/mptest-8.c
new file mode 100644
index 000000000..e2ddc2c19
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-8.c
@@ -0,0 +1,95 @@
+/*
+ *  Simple test driver for MPI library
+ *
+ *  Test 8: Probabilistic primality tester
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+#include <time.h>
+
+#define MP_IOFUNC
+#include "mpi.h"
+
+#include "mpprime.h"
+
+int main(int argc, char *argv[])
+{
+  int       ix;
+  mp_digit  num;
+  mp_int    a;
+
+  srand(time(NULL));
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <a>\n", argv[0]);
+    return 1;
+  }
+
+  printf("Test 8: Probabilistic primality testing\n\n");
+
+  mp_init(&a);
+
+  mp_read_radix(&a, argv[1], 10);
+
+  printf("a = "); mp_print(&a, stdout); fputc('\n', stdout);
+
+  printf("\nChecking for divisibility by small primes ... \n");
+  num = 170;
+  if(mpp_divis_primes(&a, &num) == MP_YES) {
+    printf("it is not prime\n");
+    goto CLEANUP;
+  }
+  printf("Passed that test (not divisible by any small primes).\n");
+
+  for(ix = 0; ix < 10; ix++) {
+    printf("\nPerforming Rabin-Miller test, iteration %d\n", ix + 1);
+
+    if(mpp_pprime(&a, 5) == MP_NO) {
+      printf("it is not prime\n");
+      goto CLEANUP;
+    }
+  }
+  printf("All tests passed; a is probably prime\n");
+
+CLEANUP:
+  mp_clear(&a);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/tests/mptest-9.c b/security/nss/lib/freebl/mpi/tests/mptest-9.c
new file mode 100644
index 000000000..07d6410c7
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/mptest-9.c
@@ -0,0 +1,113 @@
+/*
+ *    mptest-9.c
+ *
+ *   Test logical functions
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <limits.h>
+#include <time.h>
+
+#include "mpi.h"
+#include "mplogic.h"
+
+int main(int argc, char *argv[])
+{
+  mp_int    a, b, c;
+  int       pco;
+  mp_err    res;
+
+  printf("Test 9: Logical functions\n\n");
+
+  if(argc < 3) {
+    fprintf(stderr, "Usage: %s <a> <b>\n", argv[0]);
+    return 1;
+  }
+
+  mp_init(&a); mp_init(&b); mp_init(&c);
+  mp_read_radix(&a, argv[1], 16);
+  mp_read_radix(&b, argv[2], 16);
+
+  printf("a       = "); mp_print(&a, stdout); fputc('\n', stdout);
+  printf("b       = "); mp_print(&b, stdout); fputc('\n', stdout);
+
+  mpl_not(&a, &c);
+  printf("~a      = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  mpl_and(&a, &b, &c);
+  printf("a & b   = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  mpl_or(&a, &b, &c);
+  printf("a | b   = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  mpl_xor(&a, &b, &c);
+  printf("a ^ b   = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  mpl_rsh(&a, &c, 1);
+  printf("a >>  1 = "); mp_print(&c, stdout); fputc('\n', stdout);
+  mpl_rsh(&a, &c, 5);
+  printf("a >>  5 = "); mp_print(&c, stdout); fputc('\n', stdout);
+  mpl_rsh(&a, &c, 16);
+  printf("a >> 16 = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  mpl_lsh(&a, &c, 1);
+  printf("a <<  1 = "); mp_print(&c, stdout); fputc('\n', stdout);
+  mpl_lsh(&a, &c, 5);
+  printf("a <<  5 = "); mp_print(&c, stdout); fputc('\n', stdout);
+  mpl_lsh(&a, &c, 16);
+  printf("a << 16 = "); mp_print(&c, stdout); fputc('\n', stdout);
+
+  mpl_num_set(&a, &pco);
+  printf("population(a) = %d\n", pco);
+  mpl_num_set(&b, &pco);
+  printf("population(b) = %d\n", pco);
+
+  res = mpl_parity(&a);
+  if(res == MP_EVEN)
+    printf("a has even parity\n");
+  else
+    printf("a has odd parity\n");
+  
+  mp_clear(&c);
+  mp_clear(&b);
+  mp_clear(&a);
+
+  return 0;
+}
+
diff --git a/security/nss/lib/freebl/mpi/tests/pi1k.txt b/security/nss/lib/freebl/mpi/tests/pi1k.txt
new file mode 100644
index 000000000..5ff6209ff
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/pi1k.txt
@@ -0,0 +1 @@
+31415926535897932384626433832795028841971693993751058209749445923078164062862089986280348253421170679821480865132823066470938446095505822317253594081284811174502841027019385211055596446229489549303819644288109756659334461284756482337867831652712019091456485669234603486104543266482133936072602491412737245870066063155881748815209209628292540917153643678925903600113305305488204665213841469519415116094330572703657595919530921861173819326117931051185480744623799627495673518857527248912279381830119491298336733624406566430860213949463952247371907021798609437027705392171762931767523846748184676694051320005681271452635608277857713427577896091736371787214684409012249534301465495853710507922796892589235420199561121290219608640344181598136297747713099605187072113499999983729780499510597317328160963185950244594553469083026425223082533446850352619311881710100031378387528865875332083814206171776691473035982534904287554687311595628638823537875937519577818577805321712268066130019278766111959092164201989
diff --git a/security/nss/lib/freebl/mpi/tests/pi2k.txt b/security/nss/lib/freebl/mpi/tests/pi2k.txt
new file mode 100644
index 000000000..9ce82acd1
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/pi2k.txt
@@ -0,0 +1 @@
+314159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852110555964462294895493038196442881097566593344612847564823378678316527120190914564856692346034861045432664821339360726024914127372458700660631558817488152092096282925409171536436789259036001133053054882046652138414695194151160943305727036575959195309218611738193261179310511854807446237996274956735188575272489122793818301194912983367336244065664308602139494639522473719070217986094370277053921717629317675238467481846766940513200056812714526356082778577134275778960917363717872146844090122495343014654958537105079227968925892354201995611212902196086403441815981362977477130996051870721134999999837297804995105973173281609631859502445945534690830264252230825334468503526193118817101000313783875288658753320838142061717766914730359825349042875546873115956286388235378759375195778185778053217122680661300192787661119590921642019893809525720106548586327886593615338182796823030195203530185296899577362259941389124972177528347913151557485724245415069595082953311686172785588907509838175463746493931925506040092770167113900984882401285836160356370766010471018194295559619894676783744944825537977472684710404753464620804668425906949129331367702898915210475216205696602405803815019351125338243003558764024749647326391419927260426992279678235478163600934172164121992458631503028618297455570674983850549458858692699569092721079750930295532116534498720275596023648066549911988183479775356636980742654252786255181841757467289097777279380008164706001614524919217321721477235014144197356854816136115735255213347574184946843852332390739414333454776241686251898356948556209921922218427255025425688767179049460165346680498862723279178608578438382796797668145410095388378636095068006422512520511739298489608412848862694560424196528502221066118630674427862203919494504712371378696095636437191728746776465757396241389086583264599581339047802759010
diff --git a/security/nss/lib/freebl/mpi/tests/pi5k.txt b/security/nss/lib/freebl/mpi/tests/pi5k.txt
new file mode 100644
index 000000000..901fac2ea
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/tests/pi5k.txt
@@ -0,0 +1 @@
+314159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852110555964462294895493038196442881097566593344612847564823378678316527120190914564856692346034861045432664821339360726024914127372458700660631558817488152092096282925409171536436789259036001133053054882046652138414695194151160943305727036575959195309218611738193261179310511854807446237996274956735188575272489122793818301194912983367336244065664308602139494639522473719070217986094370277053921717629317675238467481846766940513200056812714526356082778577134275778960917363717872146844090122495343014654958537105079227968925892354201995611212902196086403441815981362977477130996051870721134999999837297804995105973173281609631859502445945534690830264252230825334468503526193118817101000313783875288658753320838142061717766914730359825349042875546873115956286388235378759375195778185778053217122680661300192787661119590921642019893809525720106548586327886593615338182796823030195203530185296899577362259941389124972177528347913151557485724245415069595082953311686172785588907509838175463746493931925506040092770167113900984882401285836160356370766010471018194295559619894676783744944825537977472684710404753464620804668425906949129331367702898915210475216205696602405803815019351125338243003558764024749647326391419927260426992279678235478163600934172164121992458631503028618297455570674983850549458858692699569092721079750930295532116534498720275596023648066549911988183479775356636980742654252786255181841757467289097777279380008164706001614524919217321721477235014144197356854816136115735255213347574184946843852332390739414333454776241686251898356948556209921922218427255025425688767179049460165346680498862723279178608578438382796797668145410095388378636095068006422512520511739298489608412848862694560424196528502221066118630674427862203919494504712371378696095636437191728746776465757396241389086583264599581339047802759009946576407895126946839835259570982582262052248940772671947826848260147699090264013639443745530506820349625245174939965143142980919065925093722169646151570985838741059788595977297549893016175392846813826868386894277415599185592524595395943104997252468084598727364469584865383673622262609912460805124388439045124413654976278079771569143599770012961608944169486855584840635342207222582848864815845602850601684273945226746767889525213852254995466672782398645659611635488623057745649803559363456817432411251507606947945109659609402522887971089314566913686722874894056010150330861792868092087476091782493858900971490967598526136554978189312978482168299894872265880485756401427047755513237964145152374623436454285844479526586782105114135473573952311342716610213596953623144295248493718711014576540359027993440374200731057853906219838744780847848968332144571386875194350643021845319104848100537061468067491927819119793995206141966342875444064374512371819217999839101591956181467514269123974894090718649423196156794520809514655022523160388193014209376213785595663893778708303906979207734672218256259966150142150306803844773454920260541466592520149744285073251866600213243408819071048633173464965145390579626856100550810665879699816357473638405257145910289706414011097120628043903975951567715770042033786993600723055876317635942187312514712053292819182618612586732157919841484882916447060957527069572209175671167229109816909152801735067127485832228718352093539657251210835791513698820914442100675103346711031412671113699086585163983150197016515116851714376576183515565088490998985998238734552833163550764791853589322618548963213293308985706420467525907091548141654985946163718027098199430992448895757128289059232332609729971208443357326548938239119325974636673058360414281388303203824903758985243744170291327656180937734440307074692112019130203303801976211011004492932151608424448596376698389522868478312355265821314495768572624334418930396864262434107732269780280731891544110104468232527162010526522721116603966655730925471105578537634668206531098965269186205647693125705863566201855810072936065987648611791045334885034611365768675324944166803962657978771855608455296541266540853061434443185867697514566140680070023787765913440171274947042056223053899456131407112700040785473326993908145466464588079727082668306343285878569830523580893306575740679545716377525420211495576158140025012622859413021647155097925923099079654737612551765675135751782966645477917450112996148903046399471329621073404375189573596145890193897131117904297828564750320319869151402870808599048010941214722131794764777262241425485454033215718530614228813758504306332175182979866223717215916077166925474873898665494945011465406284336639379003976926567214638530673609657120918076383271664162748888007869256029022847210403172118608204190004229661711963779213375751149595015660496318629472654736425230817703675159067350235072835405670403867435136222247715891504953098444893330963408780769325993978054193414473774418426312986080998886874132604721
diff --git a/security/nss/lib/freebl/mpi/timetest b/security/nss/lib/freebl/mpi/timetest
new file mode 100755
index 000000000..d78f3c56a
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/timetest
@@ -0,0 +1,131 @@
+#!/bin/sh
+
+# 
+# Simple timing test for the MPI library.  Basically, we use prime
+# generation as a timing test, since it exercises most of the pathways
+# of the library fairly heavily.  The 'primegen' tool outputs a line
+# summarizing timing results.  We gather these and process them for
+# statistical information, which is collected into a file.
+#
+## The contents of this file are subject to the Mozilla Public
+## License Version 1.1 (the "License"); you may not use this file
+## except in compliance with the License. You may obtain a copy of
+## the License at http://www.mozilla.org/MPL/
+##
+## Software distributed under the License is distributed on an "AS
+## IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+## implied. See the License for the specific language governing
+## rights and limitations under the License.
+##
+## The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+## library.
+##
+## The Initial Developer of the Original Code is 
+## Michael J. Fromberger <sting@linguist.dartmouth.edu>
+##
+## Portions created by Michael J. Fromberger are 
+## Copyright (C) 2000 Michael J. Fromberger. All Rights Reserved
+##
+## Contributor(s):
+##	Netscape Communications Corporation
+##
+## Alternatively, the contents of this file may be used under the
+## terms of the GNU General Public License Version 2 or later (the
+## "GPL"), in which case the provisions of the GPL are applicable
+## instead of those above.  If you wish to allow use of your
+## version of this file only under the terms of the GPL and not to
+## allow others to use your version of this file under the MPL,
+## indicate your decision by deleting the provisions above and
+## replace them with the notice and other provisions required by
+## the GPL.  If you do not delete the provisions above, a recipient
+## may use your version of this file under either the MPL or the GPL.
+## 
+# $Id$
+#
+
+# Avoid using built-in shell echoes
+ECHO=/bin/echo
+MAKE=gmake
+
+# Use a fixed seed so timings will be more consistent
+# This one is the 11th-18th decimal digits of 'e'
+#export SEED=45904523
+SEED=45904523; export SEED
+
+#------------------------------------------------------------------------
+
+$ECHO "\n** Running timing tests for MPI library\n"
+
+$ECHO "Bringing 'metime' up to date ... "
+if $MAKE metime ; then
+    :
+else 
+    $ECHO "\nMake failed to build metime.\n"
+    exit 1
+fi
+
+if [ ! -x ./metime ] ; then 
+    $ECHO "\nCannot find 'metime' program, testing cannot continue.\n"
+    exit 1
+fi
+
+#------------------------------------------------------------------------
+
+$ECHO "Bringing 'primegen' up to date ... "
+if $MAKE primegen ; then
+    :
+else
+    $ECHO "\nMake failed to build primegen.\n"
+    exit 1
+fi
+
+if [ ! -x ./primegen ] ; then
+    $ECHO "\nCannot find 'primegen' program, testing cannot continue.\n"
+    exit 1
+fi
+
+#------------------------------------------------------------------------
+
+rm -f timing-results.txt
+touch timing-results.txt
+
+sizes="256 512 1024 2048"
+ntests=10
+
+trap 'echo "oop!";rm -f tt*.tmp timing-results.txt;exit 0' INT HUP
+
+$ECHO "\n-- Modular exponentiation\n"
+$ECHO "Modular exponentiation:" >> timing-results.txt
+
+$ECHO "Running $ntests modular exponentiations per test:"
+for size in $sizes ; do
+    $ECHO "- Gathering statistics for $size bits ... "
+    secs=`./metime $ntests $size | tail -1 | awk '{print $2}'`
+    $ECHO "$size: " $secs " seconds per op" >> timing-results.txt
+    tail -1 timing-results.txt
+done
+
+$ECHO "<done>";
+
+sizes="256 512 1024"
+ntests=1
+
+$ECHO "\n-- Prime generation\n"
+$ECHO "Prime generation:" >> timing-results.txt
+
+$ECHO "Generating $ntests prime values per test:"
+for size in $sizes ; do
+    $ECHO "- Gathering statistics for $size bits ... "
+    ./primegen $size $ntests | grep ticks | awk '{print $7}' | tr -d '(' > tt$$.tmp
+    $ECHO "$size:" >> timing-results.txt
+    perl stats tt$$.tmp >> timing-results.txt
+    tail -1 timing-results.txt
+    rm -f tt$$.tmp
+done
+
+$ECHO "<done>"
+
+trap 'rm -f tt*.tmp timing-results.txt' INT HUP
+
+exit 0
+
diff --git a/security/nss/lib/freebl/mpi/types.pl b/security/nss/lib/freebl/mpi/types.pl
new file mode 100755
index 000000000..5f2a2f4d1
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/types.pl
@@ -0,0 +1,158 @@
+#!/usr/bin/perl
+
+#
+# types.pl - find recommended type definitions for digits and words
+#
+# This script scans the Makefile for the C compiler and compilation
+# flags currently in use, and using this combination, attempts to
+# compile a simple test program that outputs the sizes of the various
+# unsigned integer types, in bytes.  Armed with these, it finds all
+# the "viable" type combinations for mp_digit and mp_word, where
+# viability is defined by the requirement that mp_word be at least two
+# times the precision of mp_digit.
+#
+# Of these, the one with the largest digit size is chosen, and
+# appropriate typedef statements are written to standard output.
+# 
+## The contents of this file are subject to the Mozilla Public
+## License Version 1.1 (the "License"); you may not use this file
+## except in compliance with the License. You may obtain a copy of
+## the License at http://www.mozilla.org/MPL/
+##
+## Software distributed under the License is distributed on an "AS
+## IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+## implied. See the License for the specific language governing
+## rights and limitations under the License.
+##
+## The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+## library.
+##
+## The Initial Developer of the Original Code is 
+## Michael J. Fromberger <sting@linguist.dartmouth.edu>
+##
+## Portions created by Michael J. Fromberger are 
+## Copyright (C) 2000 Michael J. Fromberger. All Rights Reserved
+##
+## Contributor(s):
+##
+## Alternatively, the contents of this file may be used under the
+## terms of the GNU General Public License Version 2 or later (the
+## "GPL"), in which case the provisions of the GPL are applicable
+## instead of those above.  If you wish to allow use of your
+## version of this file only under the terms of the GPL and not to
+## allow others to use your version of this file under the MPL,
+## indicate your decision by deleting the provisions above and
+## replace them with the notice and other provisions required by
+## the GPL.  If you do not delete the provisions above, a recipient
+## may use your version of this file under either the MPL or the GPL.
+##
+# $Id$
+#
+
+@_=split(/\//,$0);chomp($prog=pop(@_));
+
+# The array of integer types to be considered...
+@TYPES = ( 
+	   "unsigned char", 
+	   "unsigned short", 
+	   "unsigned int", 
+	   "unsigned long"
+);
+
+# Macro names for the maximum unsigned value of each type
+%TMAX = ( 
+	  "unsigned char"   => "UCHAR_MAX",
+	  "unsigned short"  => "USHRT_MAX",
+	  "unsigned int"    => "UINT_MAX",
+	  "unsigned long"   => "ULONG_MAX"
+);
+
+# Read the Makefile to find out which C compiler to use
+open(MFP, "<Makefile") or die "$prog: Makefile: $!\n";
+while(<MFP>) {
+    chomp;
+    if(/^CC=(.*)$/) {
+	$cc = $1;
+	last if $cflags;
+    } elsif(/^CFLAGS=(.*)$/) {
+	$cflags = $1;
+	last if $cc;
+    }
+}
+close(MFP);
+
+# If we couldn't find that, use 'cc' by default
+$cc = "cc" unless $cc;
+
+printf STDERR "Using '%s' as the C compiler.\n", $cc;
+
+print STDERR "Determining type sizes ... \n";
+open(OFP, ">tc$$.c") or die "$prog: tc$$.c: $!\n";
+print OFP "#include <stdio.h>\n\nint main(void)\n{\n";
+foreach $type (@TYPES) {
+    printf OFP "\tprintf(\"%%d\\n\", (int)sizeof(%s));\n", $type;
+}
+print OFP "\n\treturn 0;\n}\n";
+close(OFP);
+
+system("$cc $cflags -o tc$$ tc$$.c");
+
+die "$prog: unable to build test program\n" unless(-x "tc$$");
+
+open(IFP, "./tc$$|") or die "$prog: can't execute test program\n";
+$ix = 0;
+while(<IFP>) {
+    chomp;
+    $size{$TYPES[$ix++]} = $_;
+}
+close(IFP);
+
+unlink("tc$$");
+unlink("tc$$.c");
+
+print STDERR "Selecting viable combinations ... \n";
+while(($type, $size) = each(%size)) {
+    push(@ts, [ $size, $type ]);
+}
+
+# Sort them ascending by size 
+@ts = sort { $a->[0] <=> $b->[0] } @ts;
+
+# Try all possible combinations, finding pairs in which the word size
+# is twice the digit size.  The number of possible pairs is too small
+# to bother doing this more efficiently than by brute force
+for($ix = 0; $ix <= $#ts; $ix++) {
+    $w = $ts[$ix];
+
+    for($jx = 0; $jx <= $#ts; $jx++) {
+	$d = $ts[$jx];
+
+	if($w->[0] == 2 * $d->[0]) {
+	    push(@valid, [ $d, $w ]);
+	}
+    }
+}
+
+# Sort descending by digit size
+@valid = sort { $b->[0]->[0] <=> $a->[0]->[0] } @valid;
+
+# Select the maximum as the recommended combination
+$rec = shift(@valid);
+
+printf("typedef %-18s mp_sign;\n", "char");
+printf("typedef %-18s mp_digit;  /* %d byte type */\n", 
+       $rec->[0]->[1], $rec->[0]->[0]);
+printf("typedef %-18s mp_word;   /* %d byte type */\n", 
+       $rec->[1]->[1], $rec->[1]->[0]);
+printf("typedef %-18s mp_size;\n", "unsigned int");
+printf("typedef %-18s mp_err;\n\n", "int");
+
+printf("#define %-18s (CHAR_BIT*sizeof(mp_digit))\n", "DIGIT_BIT");
+printf("#define %-18s %s\n", "DIGIT_MAX", $TMAX{$rec->[0]->[1]});
+printf("#define %-18s (CHAR_BIT*sizeof(mp_word))\n", "MP_WORD_BIT");
+printf("#define %-18s %s\n\n", "MP_WORD_MAX", $TMAX{$rec->[1]->[1]});
+printf("#define %-18s (DIGIT_MAX+1)\n\n", "RADIX");
+
+printf("#define %-18s \"%%0%dX\"\n", "DIGIT_FMT", (2 * $rec->[0]->[0]));
+
+exit 0;
diff --git a/security/nss/lib/freebl/mpi/utils/LICENSE b/security/nss/lib/freebl/mpi/utils/LICENSE
new file mode 100644
index 000000000..5f96df7ab
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/LICENSE
@@ -0,0 +1,4 @@
+Within this directory, each of the file listed below is licensed under 
+the terms given in the file LICENSE-MPL, also in this directory.
+
+PRIMES
diff --git a/security/nss/lib/freebl/mpi/utils/LICENSE-MPL b/security/nss/lib/freebl/mpi/utils/LICENSE-MPL
new file mode 100644
index 000000000..9ff410e4b
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/LICENSE-MPL
@@ -0,0 +1,32 @@
+The contents of this file are subject to the Mozilla Public
+License Version 1.1 (the "License"); you may not use this file
+except in compliance with the License. You may obtain a copy of
+the License at http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS
+IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+implied. See the License for the specific language governing
+rights and limitations under the License.
+
+The Original Code is the Netscape security libraries.
+
+The Initial Developer of the Original Code is Netscape
+Communications Corporation.  Portions created by Netscape are 
+Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the
+terms of the GNU General Public License Version 2 or later (the
+"GPL"), in which case the provisions of the GPL are applicable 
+instead of those above.  If you wish to allow use of your 
+version of this file only under the terms of the GPL and not to
+allow others to use your version of this file under the MPL,
+indicate your decision by deleting the provisions above and
+replace them with the notice and other provisions required by
+the GPL.  If you do not delete the provisions above, a recipient
+may use your version of this file under either the MPL or the
+GPL.
+
+
diff --git a/security/nss/lib/freebl/mpi/utils/PRIMES b/security/nss/lib/freebl/mpi/utils/PRIMES
new file mode 100644
index 000000000..ed65703ff
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/PRIMES
@@ -0,0 +1,41 @@
+Probable primes (sorted by number of significant bits)
+
+ 128: 81386202757205669562183851789305348631
+
+ 128: 180241813863264101444573802809858694397
+
+ 128: 245274683055224433281596312431122059021
+
+ 128: 187522309397665259809392608791686659539
+
+ 256: 83252422946206411852330647237287722547866360773229941071371588246436\
+      513990159
+
+ 256: 79132571131322331023736933767063051273085304521895229780914612117520\
+      058517909
+
+ 256: 72081815425552909748220041100909735706208853818662000557743644603407\
+      965465527
+
+ 256: 87504602391905701494845474079163412737334477797316409702279059573654\
+      274811271
+
+ 512: 12233064210800062190450937494718705259777386009095453001870729392786\
+      63450255179083524798507997690270500580265258111668148238355016411719\
+      9168737693316468563
+
+ 512: 12003639081420725322369909586347545220275253633035565716386136197501\
+      88208318984400479275215620499883521216480724155582768193682335576385\
+      2069481074929084063
+
+1024: 16467877625718912296741904171202513097057724053648819680815842057593\
+      20371835940722471475475803725455063836431454757000451907612224427007\
+      63984592414360595161051906727075047683803534852982766542661204179549\
+      77327573530800542562611753617736693359790119074768292178493884576587\
+      0230450429880021317876149636714743053
+
+1024: 16602953991090311275234291158294516471009930684624948451178742895360\
+      86073703307475884280944414508444679430090561246728195735962931545473\
+      40743240318558456247740186704660778277799687988031119436541068736925\
+      20563780233711166724859277827382391527748470939542560819625727876091\
+      5372193745283891895989104479029844957
diff --git a/security/nss/lib/freebl/mpi/utils/README b/security/nss/lib/freebl/mpi/utils/README
new file mode 100644
index 000000000..86887bf81
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/README
@@ -0,0 +1,239 @@
+The contents of this file are subject to the Mozilla Public
+License Version 1.1 (the "License"); you may not use this file
+except in compliance with the License. You may obtain a copy of
+the License at http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS
+IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+implied. See the License for the specific language governing
+rights and limitations under the License.
+
+The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+library.
+
+The Initial Developer of the Original Code is 
+Michael J. Fromberger <sting@linguist.dartmouth.edu>
+
+Portions created by Michael J. Fromberger are 
+Copyright (C) 1998, 2000 Michael J. Fromberger. All Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the
+terms of the GNU General Public License Version 2 or later (the
+"GPL"), in which case the provisions of the GPL are applicable
+instead of those above.  If you wish to allow use of your
+version of this file only under the terms of the GPL and not to
+allow others to use your version of this file under the MPL,
+indicate your decision by deleting the provisions above and
+replace them with the notice and other provisions required by
+the GPL.  If you do not delete the provisions above, a recipient
+may use your version of this file under either the MPL or the
+GPL.
+
+
+
+Additional MPI utilities
+------------------------
+
+The files 'mpprime.h' and 'mpprime.c' define some useful extensions to
+the MPI library for dealing with prime numbers (in particular, testing
+for divisbility, and the Rabin-Miller probabilistic primality test).
+
+The files 'mplogic.h' and 'mplogic.c' define extensions to the MPI
+library for doing bitwise logical operations and shifting.
+
+This document assumes you have read the help file for the MPI library
+and understand its conventions.
+
+Divisibility (mpprime.h)
+------------
+
+To test a number for divisibility by another number:
+
+mpp_divis(a, b)		- test if b|a
+mpp_divis_d(a, d)	- test if d|a
+
+Each of these functions returns MP_YES if its initial argument is
+divisible by its second, or MP_NO if it is not.  Other errors may be
+returned as appropriate (such as MP_RANGE if you try to test for
+divisibility by zero).
+
+Randomness (mpprime.h)
+----------
+
+To generate random data:
+
+mpp_random(a)		- fill a with random data
+mpp_random_size(a, p)   - fill a with p digits of random data
+
+The mpp_random_size() function increases the precision of a to at
+least p, then fills all those digits randomly.  The mp_random()
+function fills a to its current precision (as determined by the number
+of significant digits, USED(a))
+
+Note that these functions simply use the C library's rand() function
+to fill a with random digits up to its precision.  This should be
+adequate for primality testing, but should not be used for
+cryptographic applications where truly random values are required for
+security.  
+
+You should call srand() in your driver program in order to seed the
+random generator; this function doesn't call it.
+
+Primality Testing (mpprime.h)
+-----------------
+
+mpp_divis_vector(a, v, s, w)   - is a divisible by any of the s values
+                                 in v, and if so, w = which.
+mpp_divis_primes(a, np)   - is a divisible by any of the first np primes?
+mpp_fermat(a, w)          - is a pseudoprime with respect to witness w?
+mpp_pprime(a, nt)	  - run nt iterations of Rabin-Miller on a.
+
+The mpp_divis_vector() function tests a for divisibility by each
+member of an array of digits.  The array is v, the size of that array
+is s.  Returns MP_YES if a is divisible, and stores the index of the
+offending digit in w.  Returns MP_NO if a is not divisible by any of
+the digits in the array.
+
+A small table of primes is compiled into the library (typically the
+first 128 primes, although you can change this by editing the file
+'primes.c' before you build).  The global variable prime_tab_size
+contains the number of primes in the table, and the values themselves
+are in the array prime_tab[], which is an array of mp_digit.
+
+The mpp_divis_primes() function is basically just a wrapper around
+mpp_divis_vector() that uses prime_tab[] as the test vector.  The np
+parameter is a pointer to an mp_digit -- on input, it should specify
+the number of primes to be tested against.  If a is divisible by any
+of the primes, MP_YES is returned and np is given the prime value that
+divided a (you can use this if you're factoring, for example).
+Otherwise, MP_NO is returned and np is untouched.
+
+The function mpp_fermat() performs Fermat's test, using w as a
+witness.  This test basically relies on the fact that if a is prime,
+and w is relatively prime to a, then:
+
+	w^a = w (mod a)
+
+That is,
+
+	w^(a - 1) = 1 (mod a)
+
+The function returns MP_YES if the test passes, MP_NO if it fails.  If
+w is relatively prime to a, and the test fails, a is definitely
+composite.  If w is relatively prime to a and the test passes, then a
+is either prime, or w is a false witness (the probability of this
+happening depends on the choice of w and of a ... consult a number
+theory textbook for more information about this).  
+
+Note:  If (w, a) != 1, the output of this test is meaningless.
+----
+
+The function mpp_pprime() performs the Rabin-Miller probabilistic
+primality test for nt rounds.  If all the tests pass, MP_YES is
+returned, and a is probably prime.  The probability that an answer of
+MP_YES is incorrect is no greater than 1 in 4^nt, and in fact is
+usually much less than that (this is a pessimistic estimate).  If any
+test fails, MP_NO is returned, and a is definitely composite.
+
+Bruce Schneier recommends at least 5 iterations of this test for most
+cryptographic applications; Knuth suggests that 25 are reasonable.
+Run it as many times as you feel are necessary.
+
+See the programs 'makeprime.c' and 'isprime.c' for reasonable examples
+of how to use these functions for primality testing.
+
+
+Bitwise Logic (mplogic.c)
+-------------
+
+The four commonest logical operations are implemented as:
+
+mpl_not(a, b)		- Compute bitwise (one's) complement, b = ~a
+
+mpl_and(a, b, c)	- Compute bitwise AND, c = a & b
+
+mpl_or(a, b, c)		- Compute bitwise OR, c = a | b
+
+mpl_xor(a, b, c)	- Compute bitwise XOR, c = a ^ b
+
+Left and right shifts are available as well.  These take a number to
+shift, a destination, and a shift amount.  The shift amount must be a
+digit value between 0 and DIGIT_BIT inclusive; if it is not, MP_RANGE
+will be returned and the shift will not happen.
+
+mpl_rsh(a, b, d)	- Compute logical right shift, b = a >> d
+
+mpl_lsh(a, b, d)	- Compute logical left shift, b = a << d
+
+Since these are logical shifts, they fill with zeroes (the library
+uses a signed magnitude representation, so there are no sign bits to
+extend anyway).
+
+
+Command-line Utilities
+----------------------
+
+A handful of interesting command-line utilities are provided.  These
+are:
+
+lap.c		- Find the order of a mod m.  Usage is 'lap <a> <m>'.
+                  This uses a dumb algorithm, so don't use it for 
+                  a really big modulus.
+
+invmod.c	- Find the inverse of a mod m, if it exists.  Usage
+		  is 'invmod <a> <m>'
+
+sieve.c		- A simple bitmap-based implementation of the Sieve
+		  of Eratosthenes.  Used to generate the table of 
+		  primes in primes.c.  Usage is 'sieve <nbits>'
+
+prng.c          - Uses the routines in bbs_rand.{h,c} to generate
+                  one or more 32-bit pseudo-random integers.  This
+                  is mainly an example, not intended for use in a
+                  cryptographic application (the system time is 
+                  the only source of entropy used)
+
+dec2hex.c       - Convert decimal to hexadecimal
+
+hex2dec.c       - Convert hexadecimal to decimal
+
+basecvt.c       - General radix conversion tool (supports 2-64)
+
+isprime.c       - Probabilistically test an integer for primality
+                  using the Rabin-Miller pseudoprime test combined
+                  with division by small primes.
+
+primegen.c      - Generate primes at random.
+
+exptmod.c       - Perform modular exponentiation
+
+ptab.pl		- A Perl script to munge the output of the sieve
+		  program into a compilable C structure.
+
+
+Other Files
+-----------
+
+PRIMES		- Some randomly generated numbers which are prime with
+		  extremely high probability.
+
+README		- You're reading me already.
+
+
+About the Author
+----------------
+
+This software was written by Michael J. Fromberger.  You can contact
+the author as follows:
+
+E-mail:	  <sting@linguist.dartmouth.edu>
+
+Postal:	  8000 Cummings Hall, Thayer School of Engineering
+	  Dartmouth College, Hanover, New Hampshire, USA
+
+PGP key:  http://linguist.dartmouth.edu/~sting/keys/mjf.html
+          9736 188B 5AFA 23D6 D6AA  BE0D 5856 4525 289D 9907
+
+Last updated:  $Id$
diff --git a/security/nss/lib/freebl/mpi/utils/basecvt.c b/security/nss/lib/freebl/mpi/utils/basecvt.c
new file mode 100644
index 000000000..90ed0f66b
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/basecvt.c
@@ -0,0 +1,97 @@
+/*
+ *  basecvt.c
+ *
+ *  Convert integer values specified on the command line from one input
+ *  base to another.  Accepts input and output bases between 2 and 36
+ *  inclusive.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "mpi.h"
+
+#define IBASE     10
+#define OBASE     16
+#define USAGE     "Usage: %s ibase obase [value]\n"
+#define MAXBASE   64
+#define MINBASE   2
+
+int main(int argc, char *argv[])
+{
+  int    ix, ibase = IBASE, obase = OBASE;
+  mp_int val;
+
+  ix = 1;
+  if(ix < argc) {
+    ibase = atoi(argv[ix++]);
+    
+    if(ibase < MINBASE || ibase > MAXBASE) {
+      fprintf(stderr, "%s: input radix must be between %d and %d inclusive\n",
+	      argv[0], MINBASE, MAXBASE);
+      return 1;
+    }
+  }
+  if(ix < argc) {
+    obase = atoi(argv[ix++]);
+
+    if(obase < MINBASE || obase > MAXBASE) {
+      fprintf(stderr, "%s: output radix must be between %d and %d inclusive\n",
+	      argv[0], MINBASE, MAXBASE);
+      return 1;
+    }
+  }
+
+  mp_init(&val);
+  while(ix < argc) {
+    char  *out;
+    int    outlen;
+
+    mp_read_radix(&val, argv[ix++], ibase);
+
+    outlen = mp_radix_size(&val, obase);
+    out = calloc(outlen, sizeof(char));
+    mp_toradix(&val, out, obase);
+
+    printf("%s\n", out);
+    free(out);
+  }
+
+  mp_clear(&val);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/utils/bbs_rand.c b/security/nss/lib/freebl/mpi/utils/bbs_rand.c
new file mode 100644
index 000000000..c3e8b869b
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/bbs_rand.c
@@ -0,0 +1,93 @@
+/*
+ *  Blum, Blum & Shub PRNG using the MPI library
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include "bbs_rand.h"
+
+#define SEED     1
+#define MODULUS  2
+
+/* This modulus is the product of two randomly generated 512-bit
+   prime integers, each of which is congruent to 3 (mod 4).          */
+static char *bbs_modulus = 
+"75A2A6E1D27393B86562B9CE7279A8403CB4258A637DAB5233465373E37837383EDC"
+"332282B8575927BC4172CE8C147B4894050EE9D2BDEED355C121037270CA2570D127"
+"7D2390CD1002263326635CC6B259148DE3A1A03201980A925E395E646A5E9164B0EC"
+"28559EBA58C87447245ADD0651EDA507056A1129E3A3E16E903D64B437";
+
+static int    bbs_init = 0;  /* flag set when library is initialized */
+static mp_int bbs_state;     /* the current state of the generator   */
+
+/* Suggested size of random seed data */
+int           bbs_seed_size = (sizeof(bbs_modulus) / 2);
+
+void         bbs_srand(unsigned char *data, int len)
+{
+  if((bbs_init & SEED) == 0) {
+    mp_init(&bbs_state);
+    bbs_init |= SEED;
+  }
+
+  mp_read_raw(&bbs_state, (char *)data, len);
+
+} /* end bbs_srand() */
+
+unsigned int bbs_rand(void)
+{
+  static mp_int   modulus;
+  unsigned int    result = 0, ix;
+
+  if((bbs_init & MODULUS) == 0) {
+    mp_init(&modulus);
+    mp_read_radix(&modulus, bbs_modulus, 16);
+    bbs_init |= MODULUS;
+  }
+
+  for(ix = 0; ix < sizeof(unsigned int); ix++) {
+    mp_digit   d;
+
+    mp_sqrmod(&bbs_state, &modulus, &bbs_state);
+    d = DIGIT(&bbs_state, 0);
+
+    result = (result << CHAR_BIT) | (d & UCHAR_MAX);
+  }
+
+  return result;
+
+} /* end bbs_rand() */
+
+/*------------------------------------------------------------------------*/
+/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/utils/bbs_rand.h b/security/nss/lib/freebl/mpi/utils/bbs_rand.h
new file mode 100644
index 000000000..de4587421
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/bbs_rand.h
@@ -0,0 +1,55 @@
+/*
+ *  bbs_rand.h
+ *
+ *  Blum, Blum & Shub PRNG using the MPI library
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ *  $Id$
+ */
+
+#ifndef _H_BBSRAND_
+#define _H_BBSRAND_
+
+#include <limits.h>
+#include "mpi.h"
+
+#define  BBS_RAND_MAX    UINT_MAX
+
+/* Suggested length of seed data */
+extern int bbs_seed_size;
+
+void         bbs_srand(unsigned char *data, int len);
+unsigned int bbs_rand(void);
+
+#endif /* end _H_BBSRAND_ */
diff --git a/security/nss/lib/freebl/mpi/utils/bbsrand.c b/security/nss/lib/freebl/mpi/utils/bbsrand.c
new file mode 100644
index 000000000..28600fabe
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/bbsrand.c
@@ -0,0 +1,64 @@
+/*
+ *  bbsrand.c
+ *
+ *  Test driver for routines in bbs_rand.h
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <limits.h>
+
+#include "bbs_rand.h"
+
+#define NUM_TESTS   100
+
+int main(void)
+{
+  unsigned int   seed, result, ix;
+
+  seed = time(NULL);
+  bbs_srand((unsigned char *)&seed, sizeof(seed));
+
+  for(ix = 0; ix < NUM_TESTS; ix++) {
+    result = bbs_rand();
+    
+    printf("Test %3u: %08X\n", ix + 1, result);
+  }
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/utils/dec2hex.c b/security/nss/lib/freebl/mpi/utils/dec2hex.c
new file mode 100644
index 000000000..9bdcfa018
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/dec2hex.c
@@ -0,0 +1,68 @@
+/*
+ *  dec2hex.c
+ *
+ *  Convert decimal integers into hexadecimal
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "mpi.h"
+
+int main(int argc, char *argv[])
+{
+  mp_int  a;
+  char   *buf;
+  int     len;
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <a>\n", argv[0]);
+    return 1;
+  }
+
+  mp_init(&a); mp_read_radix(&a, argv[1], 10);
+  len = mp_radix_size(&a, 16);
+  buf = malloc(len);
+  mp_toradix(&a, buf, 16);
+
+  printf("%s\n", buf);
+
+  free(buf);
+  mp_clear(&a);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/utils/exptmod.c b/security/nss/lib/freebl/mpi/utils/exptmod.c
new file mode 100644
index 000000000..d5e66ac37
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/exptmod.c
@@ -0,0 +1,80 @@
+/*
+ *  exptmod.c
+ *
+ * Command line tool to perform modular exponentiation on arbitrary
+ * precision integers.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ * $Id$ 
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "mpi.h"
+
+int main(int argc, char *argv[])
+{
+  mp_int  a, b, m;
+  mp_err  res;
+  char   *str;
+  int     len, rval = 0;
+
+  if(argc < 3) {
+    fprintf(stderr, "Usage: %s <a> <b> <m>\n", argv[0]);
+    return 1;
+  }
+
+  mp_init(&a); mp_init(&b); mp_init(&m);
+  mp_read_radix(&a, argv[1], 10);
+  mp_read_radix(&b, argv[2], 10);
+  mp_read_radix(&m, argv[3], 10);
+
+  if((res = mp_exptmod(&a, &b, &m, &a)) != MP_OKAY) {
+    fprintf(stderr, "%s: error: %s\n", argv[0], mp_strerror(res));
+    rval = 1;
+  } else {
+    len = mp_radix_size(&a, 10);
+    str = calloc(len, sizeof(char));
+    mp_toradix(&a, str, 10);
+
+    printf("%s\n", str);
+
+    free(str);
+  }
+
+  mp_clear(&a); mp_clear(&b); mp_clear(&m);
+
+  return rval;
+}
diff --git a/security/nss/lib/freebl/mpi/utils/fact.c b/security/nss/lib/freebl/mpi/utils/fact.c
new file mode 100644
index 000000000..02b6711c9
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/fact.c
@@ -0,0 +1,112 @@
+/*
+ * fact.c
+ *
+ * Compute factorial of input integer
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "mpi.h"
+
+mp_err mp_fact(mp_int *a, mp_int *b);
+
+int main(int argc, char *argv[])
+{
+  mp_int  a;
+  mp_err  res;
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <number>\n", argv[0]);
+    return 1;
+  }
+
+  mp_init(&a);
+  mp_read_radix(&a, argv[1], 10);
+
+  if((res = mp_fact(&a, &a)) != MP_OKAY) {
+    fprintf(stderr, "%s: error: %s\n", argv[0],
+	    mp_strerror(res));
+    mp_clear(&a);
+    return 1;
+  }
+
+  {
+    char  *buf;
+    int    len;
+
+    len = mp_radix_size(&a, 10);
+    buf = malloc(len);
+    mp_todecimal(&a, buf);
+
+    puts(buf);
+
+    free(buf);
+  }
+
+  mp_clear(&a);
+  return 0;
+}
+
+mp_err mp_fact(mp_int *a, mp_int *b)
+{
+  mp_int    ix, s;
+  mp_err    res = MP_OKAY;
+
+  if(mp_cmp_z(a) < 0)
+    return MP_UNDEF;
+
+  mp_init(&s);
+  mp_add_d(&s, 1, &s);   /* s = 1  */
+  mp_init(&ix);
+  mp_add_d(&ix, 1, &ix); /* ix = 1 */
+
+  for(/*  */; mp_cmp(&ix, a) <= 0; mp_add_d(&ix, 1, &ix)) {
+    if((res = mp_mul(&s, &ix, &s)) != MP_OKAY)
+      break;
+  }
+
+  mp_clear(&ix);
+
+  /* Copy out results if we got them */
+  if(res == MP_OKAY)
+    mp_copy(&s, b);
+
+  mp_clear(&s);
+
+  return res;
+}
diff --git a/security/nss/lib/freebl/mpi/utils/gcd.c b/security/nss/lib/freebl/mpi/utils/gcd.c
new file mode 100644
index 000000000..b36c7f281
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/gcd.c
@@ -0,0 +1,116 @@
+/*
+ *  gcd.c
+ *
+ *  Greatest common divisor
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "mpi.h"
+
+char     *g_prog = NULL;
+
+void print_mp_int(mp_int *mp, FILE *ofp);
+
+int main(int argc, char *argv[]) 
+{
+  mp_int   a, b, x, y;
+  mp_err   res;
+  int      ext = 0;
+
+  g_prog = argv[0];
+
+  if(argc < 3) {
+    fprintf(stderr, "Usage: %s <a> <b>\n", g_prog);
+    return 1;
+  }
+
+  mp_init(&a); mp_read_radix(&a, argv[1], 10);
+  mp_init(&b); mp_read_radix(&b, argv[2], 10);
+
+  /* If we were called 'xgcd', compute x, y so that g = ax + by */
+  if(strcmp(g_prog, "xgcd") == 0) {
+    ext = 1;
+    mp_init(&x); mp_init(&y);
+  }
+
+  if(ext) {
+    if((res = mp_xgcd(&a, &b, &a, &x, &y)) != MP_OKAY) {
+      fprintf(stderr, "%s: error: %s\n", g_prog, mp_strerror(res));
+      mp_clear(&a); mp_clear(&b);
+      mp_clear(&x); mp_clear(&y);
+      return 1;
+    }
+  } else {
+    if((res = mp_gcd(&a, &b, &a)) != MP_OKAY) {
+      fprintf(stderr, "%s: error: %s\n", g_prog,
+	      mp_strerror(res));
+      mp_clear(&a); mp_clear(&b);
+      return 1;
+    }
+  }
+
+  print_mp_int(&a, stdout); 
+  if(ext) {
+    fputs("x = ", stdout); print_mp_int(&x, stdout); 
+    fputs("y = ", stdout); print_mp_int(&y, stdout); 
+  }
+
+  mp_clear(&a); mp_clear(&b);
+
+  if(ext) {
+    mp_clear(&x);
+    mp_clear(&y);
+  }
+
+  return 0;
+
+}
+
+void print_mp_int(mp_int *mp, FILE *ofp)
+{
+  char  *buf;
+  int    len;
+
+  len = mp_radix_size(mp, 10);
+  buf = calloc(len, sizeof(char));
+  mp_todecimal(mp, buf);
+  fprintf(ofp, "%s\n", buf);
+  free(buf);
+
+}
diff --git a/security/nss/lib/freebl/mpi/utils/hex2dec.c b/security/nss/lib/freebl/mpi/utils/hex2dec.c
new file mode 100644
index 000000000..97aad55c9
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/hex2dec.c
@@ -0,0 +1,68 @@
+/*
+ *  hex2dec.c
+ *
+ *  Convert decimal integers into hexadecimal
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "mpi.h"
+
+int main(int argc, char *argv[])
+{
+  mp_int  a;
+  char   *buf;
+  int     len;
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <a>\n", argv[0]);
+    return 1;
+  }
+
+  mp_init(&a); mp_read_radix(&a, argv[1], 16);
+  len = mp_radix_size(&a, 10);
+  buf = malloc(len);
+  mp_toradix(&a, buf, 10);
+
+  printf("%s\n", buf);
+
+  free(buf);
+  mp_clear(&a);
+
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/utils/identest.c b/security/nss/lib/freebl/mpi/utils/identest.c
new file mode 100644
index 000000000..a75d2b352
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/identest.c
@@ -0,0 +1,79 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include "mpi.h"
+#include "mpprime.h"
+#include <sys/types.h>
+#include <time.h>
+
+#define MAX_PREC (4096 / MP_DIGIT_BIT)
+
+mp_err identity_test(void)
+{
+  mp_size       preca, precb;
+  mp_err        res;
+  mp_int        a, b;
+  mp_int        t1, t2, t3, t4, t5;
+
+  preca = (rand() % MAX_PREC) + 1;
+  precb = (rand() % MAX_PREC) + 1;
+
+  MP_DIGITS(&a) = 0;
+  MP_DIGITS(&b) = 0;
+  MP_DIGITS(&t1) = 0;
+  MP_DIGITS(&t2) = 0;
+  MP_DIGITS(&t3) = 0;
+  MP_DIGITS(&t4) = 0;
+  MP_DIGITS(&t5) = 0;
+
+  MP_CHECKOK( mp_init(&a)  );
+  MP_CHECKOK( mp_init(&b)  );
+  MP_CHECKOK( mp_init(&t1) );
+  MP_CHECKOK( mp_init(&t2) );
+  MP_CHECKOK( mp_init(&t3) );
+  MP_CHECKOK( mp_init(&t4) );
+  MP_CHECKOK( mp_init(&t5) );
+
+  MP_CHECKOK( mpp_random_size(&a, preca) );
+  MP_CHECKOK( mpp_random_size(&b, precb) );
+
+  if (mp_cmp(&a, &b) < 0)
+    mp_exch(&a, &b);
+
+  MP_CHECKOK( mp_mod(&a, &b, &t1) );       /* t1 = a%b */
+  MP_CHECKOK( mp_div(&a, &b, &t2, NULL) ); /* t2 = a/b */
+  MP_CHECKOK( mp_mul(&b, &t2, &t3) );      /* t3 = (a/b)*b */
+  MP_CHECKOK( mp_add(&t1, &t3, &t4) );     /* t4 = a%b + (a/b)*b */
+  MP_CHECKOK( mp_sub(&t4, &a, &t5) );      /* t5 = a%b + (a/b)*b - a */
+  if (mp_cmp_z(&t5) != 0) {
+    res = MP_UNDEF;
+    goto CLEANUP;
+  }
+
+CLEANUP:
+  mp_clear(&t5);
+  mp_clear(&t4);
+  mp_clear(&t3);
+  mp_clear(&t2);
+  mp_clear(&t1);
+  mp_clear(&b);
+  mp_clear(&a);
+  return res;
+}
+
+int
+main(void)
+{
+  unsigned int  seed = (unsigned int)time(NULL);
+  unsigned long count = 0;
+  mp_err        res;
+
+  srand(seed);
+
+  while (MP_OKAY == (res = identity_test())) {
+     if ((++count % 100) == 0)
+       fputc('.', stderr);
+  }
+
+  fprintf(stderr, "\ntest failed, err %d\n", res);
+  return res;
+}
diff --git a/security/nss/lib/freebl/mpi/utils/invmod.c b/security/nss/lib/freebl/mpi/utils/invmod.c
new file mode 100644
index 000000000..df58bb6d1
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/invmod.c
@@ -0,0 +1,89 @@
+/*
+ *  invmod.c
+ *
+ *  Compute modular inverses
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1997, 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "mpi.h"
+
+int main(int argc, char *argv[])
+{
+  mp_int    a, m;
+  mp_err    res;
+  char     *buf;
+  int       len, out = 0;
+
+  if(argc < 3) {
+    fprintf(stderr, "Usage: %s <a> <m>\n", argv[0]);
+    return 1;
+  }
+
+  mp_init(&a); mp_init(&m);
+  mp_read_radix(&a, argv[1], 10);
+  mp_read_radix(&m, argv[2], 10);
+
+  if(mp_cmp(&a, &m) > 0)
+    mp_mod(&a, &m, &a);
+
+  switch((res = mp_invmod(&a, &m, &a))) {
+  case MP_OKAY:
+    len = mp_radix_size(&a, 10);
+    buf = malloc(len);
+
+    mp_toradix(&a, buf, 10);
+    printf("%s\n", buf);
+    free(buf);
+    break;
+
+  case MP_UNDEF:
+    printf("No inverse\n");
+    out = 1;
+    break;
+
+  default:
+    printf("error: %s (%d)\n", mp_strerror(res), res);
+    out = 2;
+    break;
+  }
+
+  mp_clear(&a);
+  mp_clear(&m);
+
+  return out;
+}
diff --git a/security/nss/lib/freebl/mpi/utils/isprime.c b/security/nss/lib/freebl/mpi/utils/isprime.c
new file mode 100644
index 000000000..f9cd9707b
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/isprime.c
@@ -0,0 +1,118 @@
+/*
+ *  isprime.c
+ *
+ *  Probabilistic primality tester command-line tool
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "mpi.h"
+#include "mpprime.h"
+
+#define  RM_TESTS       15   /* how many iterations of Rabin-Miller? */
+#define  MINIMUM        1024 /* don't bother us with a < this        */
+
+int      g_tests = RM_TESTS;
+char    *g_prog = NULL;
+
+int main(int argc, char *argv[])
+{
+  mp_int   a;
+  mp_digit np = prime_tab_size; /* from mpprime.h */
+  int      res = 0;
+
+  g_prog = argv[0];
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <a>, where <a> is a decimal integer\n"
+	    "Use '0x' prefix for a hexadecimal value\n", g_prog);
+    return 1;
+  }
+
+  /* Read number of tests from environment, if present */
+  {
+    char *tmp;
+
+    if((tmp = getenv("RM_TESTS")) != NULL) {
+      if((g_tests = atoi(tmp)) <= 0)
+	g_tests = RM_TESTS;
+    }
+  }
+
+  mp_init(&a);
+  if(argv[1][0] == '0' && argv[1][1] == 'x')
+    mp_read_radix(&a, argv[1] + 2, 16);
+  else
+    mp_read_radix(&a, argv[1], 10);
+
+  if(mp_cmp_d(&a, MINIMUM) <= 0) {
+    fprintf(stderr, "%s: please use a value greater than %d\n", 
+	    g_prog, MINIMUM);
+    mp_clear(&a);
+    return 1;
+  }
+
+  /* Test for divisibility by small primes */
+  if(mpp_divis_primes(&a, &np) != MP_NO) {
+    printf("Not prime (divisible by small prime %d)\n", np);
+    res = 2;
+    goto CLEANUP;
+  }
+
+  /* Test with Fermat's test, using 2 as a witness */
+  if(mpp_fermat(&a, 2) != MP_YES) {
+    printf("Not prime (failed Fermat test)\n");
+    res = 2;
+    goto CLEANUP;
+  }
+ 
+  /* Test with Rabin-Miller probabilistic test */
+  if(mpp_pprime(&a, g_tests) == MP_NO) {
+      printf("Not prime (failed pseudoprime test)\n");
+      res = 2;
+      goto CLEANUP;
+  }
+
+  printf("Probably prime, 1 in 4^%d chance of false positive\n", g_tests);
+
+CLEANUP:
+  mp_clear(&a);
+  
+  return res;
+
+}
diff --git a/security/nss/lib/freebl/mpi/utils/lap.c b/security/nss/lib/freebl/mpi/utils/lap.c
new file mode 100644
index 000000000..ababed7f3
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/lap.c
@@ -0,0 +1,118 @@
+/*
+ *  lap.c
+ *
+ *  Find least annihilating power of a mod m
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+
+#include "mpi.h"
+
+void sig_catch(int ign);
+
+int g_quit = 0;
+
+int main(int argc, char *argv[])
+{
+  mp_int   a, m, p, k;
+
+  if(argc < 3) {
+    fprintf(stderr, "Usage: %s <a> <m>\n", argv[0]);
+    return 1;
+  }
+
+  mp_init(&a);
+  mp_init(&m);
+  mp_init(&p);
+  mp_add_d(&p, 1, &p);
+
+  mp_read_radix(&a, argv[1], 10);
+  mp_read_radix(&m, argv[2], 10);
+
+  mp_init_copy(&k, &a);
+
+  signal(SIGINT, sig_catch);
+#ifndef __OS2__
+  signal(SIGHUP, sig_catch);
+#endif
+  signal(SIGTERM, sig_catch);
+
+  while(mp_cmp(&p, &m) < 0) {
+    if(g_quit) {
+	int  len;
+	char *buf;
+
+	len = mp_radix_size(&p, 10);
+	buf = malloc(len);
+	mp_toradix(&p, buf, 10);
+	
+	fprintf(stderr, "Terminated at: %s\n", buf);
+	free(buf);
+	return 1;
+    }
+    if(mp_cmp_d(&k, 1) == 0) {
+      int    len;
+      char  *buf;
+
+      len = mp_radix_size(&p, 10);
+      buf = malloc(len);
+      mp_toradix(&p, buf, 10);
+
+      printf("%s\n", buf);
+
+      free(buf);
+      break;
+    }
+
+    mp_mulmod(&k, &a, &m, &k);
+    mp_add_d(&p, 1, &p);
+  }
+
+  if(mp_cmp(&p, &m) >= 0) 
+    printf("No annihilating power.\n");
+
+  mp_clear(&p);
+  mp_clear(&m);
+  mp_clear(&a);
+  return 0;
+}
+
+void sig_catch(int ign)
+{
+  g_quit = 1;
+}
diff --git a/security/nss/lib/freebl/mpi/utils/makeprime.c b/security/nss/lib/freebl/mpi/utils/makeprime.c
new file mode 100644
index 000000000..c4deaa9f0
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/makeprime.c
@@ -0,0 +1,144 @@
+/*
+ * makeprime.c
+ *
+ * A simple prime generator function (and test driver).  Prints out the
+ * first prime it finds greater than or equal to the starting value.
+ *
+ * Usage: makeprime <start>
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ * $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+
+/* These two must be included for make_prime() to work */
+
+#include "mpi.h"
+#include "mpprime.h"
+
+/*
+  make_prime(p, nr)
+
+  Find the smallest prime integer greater than or equal to p, where
+  primality is verified by 'nr' iterations of the Rabin-Miller
+  probabilistic primality test.  The caller is responsible for
+  generating the initial value of p.
+
+  Returns MP_OKAY if a prime has been generated, otherwise the error
+  code indicates some other problem.  The value of p is clobbered; the
+  caller should keep a copy if the value is needed.  
+ */
+mp_err   make_prime(mp_int *p, int nr);
+
+/* The main() is not required -- it's just a test driver */
+int main(int argc, char *argv[])
+{
+  mp_int    start;
+  mp_err    res;
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <start-value>\n", argv[0]);
+    return 1;
+  }
+	    
+  mp_init(&start);
+  if(argv[1][0] == '0' && tolower(argv[1][1]) == 'x') {
+    mp_read_radix(&start, argv[1] + 2, 16);
+  } else {
+    mp_read_radix(&start, argv[1], 10);
+  }
+  mp_abs(&start, &start);
+
+  if((res = make_prime(&start, 5)) != MP_OKAY) {
+    fprintf(stderr, "%s: error: %s\n", argv[0], mp_strerror(res));
+    mp_clear(&start);
+
+    return 1;
+
+  } else {
+    char  *buf = malloc(mp_radix_size(&start, 10));
+
+    mp_todecimal(&start, buf);
+    printf("%s\n", buf);
+    free(buf);
+    
+    mp_clear(&start);
+
+    return 0;
+  }
+  
+} /* end main() */
+
+/*------------------------------------------------------------------------*/
+
+mp_err   make_prime(mp_int *p, int nr)
+{
+  mp_err  res;
+
+  if(mp_iseven(p)) {
+    mp_add_d(p, 1, p);
+  }
+
+  do {
+    mp_digit   which = prime_tab_size;
+
+    /*  First test for divisibility by a few small primes */
+    if((res = mpp_divis_primes(p, &which)) == MP_YES)
+      continue;
+    else if(res != MP_NO)
+      goto CLEANUP;
+
+    /* If that passes, try one iteration of Fermat's test */
+    if((res = mpp_fermat(p, 2)) == MP_NO)
+      continue;
+    else if(res != MP_YES)
+      goto CLEANUP;
+
+    /* If that passes, run Rabin-Miller as often as requested */
+    if((res = mpp_pprime(p, nr)) == MP_YES)
+      break;
+    else if(res != MP_NO)
+      goto CLEANUP;
+      
+  } while((res = mp_add_d(p, 2, p)) == MP_OKAY);
+
+ CLEANUP:
+  return res;
+
+} /* end make_prime() */
+
+/*------------------------------------------------------------------------*/
+/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/utils/metime.c b/security/nss/lib/freebl/mpi/utils/metime.c
new file mode 100644
index 000000000..3f39b23a9
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/metime.c
@@ -0,0 +1,132 @@
+/* 
+ *  metime.c
+ *
+ * Modular exponentiation timing test
+ *
+ * $Id$
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 2000 Michael J. Fromberger. All Rights Reserved.
+ *
+ * Contributor(s):
+ *	Netscape Communications Corporation
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include <time.h>
+
+#include "mpi.h"
+#include "mpprime.h"
+
+double clk_to_sec(clock_t start, clock_t stop);
+
+int main(int argc, char *argv[])
+{
+  int          ix, num, prec = 8;
+  unsigned int seed;
+  clock_t      start, stop;
+  double       sec;
+
+  mp_int     a, m, c;
+
+  if(getenv("SEED") != NULL)
+    seed = abs(atoi(getenv("SEED")));
+  else 
+    seed = (unsigned int)time(NULL);
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <num-tests> [<nbits>]\n", argv[0]);
+    return 1;
+  }
+
+  if((num = atoi(argv[1])) < 0)
+    num = -num;
+
+  if(!num) {
+    fprintf(stderr, "%s: must perform at least 1 test\n", argv[0]);
+    return 1;
+  }
+
+  if(argc > 2) {
+    if((prec = atoi(argv[2])) <= 0)
+      prec = 8;
+    else 
+      prec = (prec + (DIGIT_BIT - 1)) / DIGIT_BIT;
+
+  }
+  
+  printf("Modular exponentiation timing test\n"
+	 "Precision:  %d digits (%d bits)\n"
+	 "# of tests: %d\n\n", prec, prec * DIGIT_BIT, num);
+
+  mp_init_size(&a, prec);
+  mp_init_size(&m, prec);
+  mp_init_size(&c, prec);
+
+  srand(seed);
+
+  start = clock();
+  for(ix = 0; ix < num; ix++) {
+
+    mpp_random_size(&a, prec);
+    mpp_random_size(&c, prec);
+    mpp_random_size(&m, prec);
+    /* set msb and lsb of m */
+    DIGIT(&m,0) |= 1;
+    DIGIT(&m, USED(&m)-1) |= (mp_digit)1 << (DIGIT_BIT - 1);
+    if (mp_cmp(&a, &m) > 0)
+      mp_sub(&a, &m, &a);
+
+    mp_exptmod(&a, &c, &m, &c);
+  }
+  stop = clock();
+
+  sec = clk_to_sec(start, stop);
+
+  printf("Total:      %.3f seconds\n", sec);
+  printf("Individual: %.3f seconds\n", sec / num);
+
+  mp_clear(&c);
+  mp_clear(&a);
+  mp_clear(&m);
+
+  return 0;
+}
+
+double clk_to_sec(clock_t start, clock_t stop)
+{
+  return (double)(stop - start) / CLOCKS_PER_SEC;
+}
+
+/*------------------------------------------------------------------------*/
+/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/utils/pi.c b/security/nss/lib/freebl/mpi/utils/pi.c
new file mode 100644
index 000000000..367118586
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/pi.c
@@ -0,0 +1,194 @@
+/*
+ * pi.c
+ *
+ * Compute pi to an arbitrary number of digits.  Uses Machin's formula,
+ * like everyone else on the planet:
+ * 
+ *    pi = 16 * arctan(1/5) - 4 * arctan(1/239)
+ *
+ * This is pretty effective for up to a few thousand digits, but it
+ * gets pretty slow after that.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ * $Id$ 
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include <time.h>
+
+#include "mpi.h"
+
+mp_err arctan(mp_digit mul, mp_digit x, mp_digit prec, mp_int *sum);
+
+int main(int argc, char *argv[])
+{
+  mp_err       res;
+  mp_digit     ndigits;
+  mp_int       sum1, sum2;
+  clock_t      start, stop;
+  int          out = 0;
+
+  /* Make the user specify precision on the command line */
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <num-digits>\n", argv[0]);
+    return 1;
+  }
+
+  if((ndigits = abs(atoi(argv[1]))) == 0) {
+    fprintf(stderr, "%s: you must request at least 1 digit\n", argv[0]);
+    return 1;
+  }
+
+  start = clock();
+  mp_init(&sum1); mp_init(&sum2);
+
+  /* sum1 = 16 * arctan(1/5)  */
+  if((res = arctan(16, 5, ndigits, &sum1)) != MP_OKAY) {
+    fprintf(stderr, "%s: arctan: %s\n", argv[0], mp_strerror(res));
+    out = 1; goto CLEANUP;
+  }
+
+  /* sum2 = 4 * arctan(1/239) */
+  if((res = arctan(4, 239, ndigits, &sum2)) != MP_OKAY) {
+    fprintf(stderr, "%s: arctan: %s\n", argv[0], mp_strerror(res));
+    out = 1; goto CLEANUP;
+  }
+
+  /* pi = sum1 - sum2         */
+  if((res = mp_sub(&sum1, &sum2, &sum1)) != MP_OKAY) {
+    fprintf(stderr, "%s: mp_sub: %s\n", argv[0], mp_strerror(res));
+    out = 1; goto CLEANUP;
+  }
+  stop = clock();
+
+  /* Write the output in decimal */
+  {
+    char  *buf = malloc(mp_radix_size(&sum1, 10));
+
+    if(buf == NULL) {
+      fprintf(stderr, "%s: out of memory\n", argv[0]);
+      out = 1; goto CLEANUP;
+    }
+    mp_todecimal(&sum1, buf);
+    printf("%s\n", buf);
+    free(buf);
+  }
+
+  fprintf(stderr, "Computation took %.2f sec.\n", 
+	  (double)(stop - start) / CLOCKS_PER_SEC);
+
+ CLEANUP:
+  mp_clear(&sum1);
+  mp_clear(&sum2);
+
+  return out;
+
+}
+
+/* Compute sum := mul * arctan(1/x), to 'prec' digits of precision */
+mp_err arctan(mp_digit mul, mp_digit x, mp_digit prec, mp_int *sum)
+{
+  mp_int   t, v;
+  mp_digit q = 1, rd;
+  mp_err   res;
+  int      sign = 1;
+
+  prec += 3;  /* push inaccuracies off the end */
+
+  mp_init(&t); mp_set(&t, 10);
+  mp_init(&v); 
+  if((res = mp_expt_d(&t, prec, &t)) != MP_OKAY ||  /* get 10^prec    */
+     (res = mp_mul_d(&t, mul, &t)) != MP_OKAY ||    /* ... times mul  */
+     (res = mp_mul_d(&t, x, &t)) != MP_OKAY)        /* ... times x    */
+    goto CLEANUP;
+
+  /*
+    The extra multiplication by x in the above takes care of what
+    would otherwise have to be a special case for 1 / x^1 during the
+    first loop iteration.  A little sneaky, but effective.
+
+    We compute arctan(1/x) by the formula:
+
+         1     1       1       1
+	 - - ----- + ----- - ----- + ...
+	 x   3 x^3   5 x^5   7 x^7
+
+    We multiply through by 'mul' beforehand, which gives us a couple
+    more iterations and more precision
+   */
+
+  x *= x; /* works as long as x < sqrt(RADIX), which it is here */
+
+  mp_zero(sum);
+
+  do {
+    if((res = mp_div_d(&t, x, &t, &rd)) != MP_OKAY)
+      goto CLEANUP;
+
+    if(sign < 0 && rd != 0)
+      mp_add_d(&t, 1, &t);
+
+    if((res = mp_div_d(&t, q, &v, &rd)) != MP_OKAY)
+      goto CLEANUP;
+
+    if(sign < 0 && rd != 0)
+      mp_add_d(&v, 1, &v);
+
+    if(sign > 0)
+      res = mp_add(sum, &v, sum);
+    else
+      res = mp_sub(sum, &v, sum);
+
+    if(res != MP_OKAY)
+      goto CLEANUP;
+
+    sign *= -1;
+    q += 2;
+
+  } while(mp_cmp_z(&t) != 0);
+
+  /* Chop off inaccurate low-order digits */
+  mp_div_d(sum, 1000, sum, NULL);
+
+ CLEANUP:
+  mp_clear(&v);
+  mp_clear(&t);
+
+  return res;
+}
+
+/*------------------------------------------------------------------------*/
+/* HERE THERE BE DRAGONS                                                  */
diff --git a/security/nss/lib/freebl/mpi/utils/primegen.c b/security/nss/lib/freebl/mpi/utils/primegen.c
new file mode 100644
index 000000000..1f7a593e1
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/primegen.c
@@ -0,0 +1,198 @@
+/*
+ *  primegen.c
+ *
+ * Generates random integers which are prime with a high degree of
+ * probability using the Miller-Rabin probabilistic primality testing
+ * algorithm.
+ *
+ * Usage:
+ *    primegen <bits> [<num>]
+ *
+ *    <bits>   - number of significant bits each prime should have
+ *    <num>    - number of primes to generate
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ * $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include <time.h>
+
+#include "mpi.h"
+#include "mplogic.h"
+#include "mpprime.h"
+
+#undef MACOS		/* define if running on a Macintosh */
+
+#ifdef MACOS
+#include <console.h>
+#endif
+
+#define NUM_TESTS 5  /* Number of Rabin-Miller iterations to test with */
+
+#ifdef DEBUG
+#define FPUTC(x,y) fputc(x,y)
+#else
+#define FPUTC(x,y) 
+#endif
+
+int main(int argc, char *argv[])
+{
+  unsigned char *raw;
+  char          *out;
+  unsigned long nTries;
+  int		rawlen, bits, outlen, ngen, ix, jx;
+  int           g_strong = 0;
+  mp_int	testval;
+  mp_err	res;
+  clock_t	start, end;
+
+#ifdef MACOS
+  argc = ccommand(&argv);
+#endif
+
+  /* We'll just use the C library's rand() for now, although this
+     won't be good enough for cryptographic purposes */
+  if((out = getenv("SEED")) == NULL) {
+    srand((unsigned int)time(NULL));
+  } else {
+    srand((unsigned int)atoi(out));
+  }
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <bits> [<count> [strong]]\n", argv[0]);
+    return 1;
+  }
+	
+  if((bits = abs(atoi(argv[1]))) < CHAR_BIT) {
+    fprintf(stderr, "%s: please request at least %d bits.\n",
+	    argv[0], CHAR_BIT);
+    return 1;
+  }
+
+  /* If optional third argument is given, use that as the number of
+     primes to generate; otherwise generate one prime only.
+   */
+  if(argc < 3) {
+    ngen = 1;
+  } else {
+    ngen = abs(atoi(argv[2]));
+  }
+
+  /* If fourth argument is given, and is the word "strong", we'll 
+     generate strong (Sophie Germain) primes. 
+   */
+  if(argc > 3 && strcmp(argv[3], "strong") == 0)
+    g_strong = 1;
+
+  /* testval - candidate being tested; nTries - number tried so far */
+  if ((res = mp_init(&testval)) != MP_OKAY) {
+    fprintf(stderr, "%s: error: %s\n", argv[0], mp_strerror(res));
+    return 1;
+  }
+  
+  if(g_strong) {
+    printf("Requested %d strong prime value(s) of %d bits.\n", 
+	   ngen, bits);
+  } else {
+    printf("Requested %d prime value(s) of %d bits.\n", ngen, bits);
+  }
+
+  rawlen = (bits / CHAR_BIT) + ((bits % CHAR_BIT) ? 1 : 0) + 1;
+
+  if((raw = calloc(rawlen, sizeof(unsigned char))) == NULL) {
+    fprintf(stderr, "%s: out of memory, sorry.\n", argv[0]);
+    return 1;
+  }
+
+  /* This loop is one for each prime we need to generate */
+  for(jx = 0; jx < ngen; jx++) {
+
+    raw[0] = 0;  /* sign is positive */
+
+    /*	Pack the initializer with random bytes	*/
+    for(ix = 1; ix < rawlen; ix++) 
+      raw[ix] = (rand() * rand()) & UCHAR_MAX;
+
+    raw[1] |= 0x80;             /* set high-order bit of test value     */
+    raw[rawlen - 1] |= 1;       /* set low-order bit of test value      */
+
+    /* Make an mp_int out of the initializer */
+    mp_read_raw(&testval, (char *)raw, rawlen);
+
+    /* Initialize candidate counter */
+    nTries = 0;
+
+    start = clock(); /* time generation for this prime */
+    do {
+      res = mpp_make_prime(&testval, bits, g_strong, &nTries);
+      if (res != MP_NO)
+	break;
+      /* This code works whether digits are 16 or 32 bits */
+      res = mp_add_d(&testval, 32 * 1024, &testval);
+      res = mp_add_d(&testval, 32 * 1024, &testval);
+      FPUTC(',', stderr);
+    } while (1);
+    end = clock();
+
+    if (res != MP_YES) {
+      break;
+    }
+    FPUTC('\n', stderr);
+    puts("The following value is probably prime:");
+    outlen = mp_radix_size(&testval, 10);
+    out = calloc(outlen, sizeof(unsigned char));
+    mp_toradix(&testval, (char *)out, 10);
+    printf("10: %s\n", out);
+    mp_toradix(&testval, (char *)out, 16);
+    printf("16: %s\n\n", out);
+    free(out);
+    
+    printf("Number of candidates tried: %lu\n", nTries);
+    printf("This computation took %ld clock ticks (%.2f seconds)\n",
+	   (end - start), ((double)(end - start) / CLOCKS_PER_SEC));
+    
+    FPUTC('\n', stderr);
+  } /* end of loop to generate all requested primes */
+  
+  if(res != MP_OKAY) 
+    fprintf(stderr, "%s: error: %s\n", argv[0], mp_strerror(res));
+
+  free(raw);
+  mp_clear(&testval);	
+  
+  return 0;
+}
diff --git a/security/nss/lib/freebl/mpi/utils/prng.c b/security/nss/lib/freebl/mpi/utils/prng.c
new file mode 100644
index 000000000..9b8f7983a
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/prng.c
@@ -0,0 +1,87 @@
+/*
+ *  prng.c
+ *
+ *  Command-line pseudo-random number generator
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <limits.h>
+#include <time.h>
+
+#ifdef __OS2__
+#include <types.h>
+#include <process.h>
+#else
+#include <unistd.h>
+#endif
+
+#include "bbs_rand.h"
+
+int main(int argc, char *argv[])
+{
+  unsigned char *seed;
+  unsigned int   ix, num = 1;
+  pid_t          pid;
+  
+  if(argc > 1) {
+    num = atoi(argv[1]);
+    if(num <= 0) 
+      num = 1;
+  }
+
+  pid = getpid();
+  srand(time(NULL) * (unsigned int)pid);
+
+  /* Not a perfect seed, but not bad */
+  seed = malloc(bbs_seed_size);
+  for(ix = 0; ix < bbs_seed_size; ix++) {
+    seed[ix] = rand() % UCHAR_MAX;
+  }
+
+  bbs_srand(seed, bbs_seed_size);
+  memset(seed, 0, bbs_seed_size);
+  free(seed);
+
+  while(num-- > 0) {
+    ix = bbs_rand();
+
+    printf("%u\n", ix);
+  }
+
+  return 0;
+
+}
diff --git a/security/nss/lib/freebl/mpi/utils/ptab.pl b/security/nss/lib/freebl/mpi/utils/ptab.pl
new file mode 100755
index 000000000..f9c56b6c3
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/ptab.pl
@@ -0,0 +1,58 @@
+#!/usr/linguist/bin/perl
+##
+## The contents of this file are subject to the Mozilla Public
+## License Version 1.1 (the "License"); you may not use this file
+## except in compliance with the License. You may obtain a copy of
+## the License at http://www.mozilla.org/MPL/
+##
+## Software distributed under the License is distributed on an "AS
+## IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+## implied. See the License for the specific language governing
+## rights and limitations under the License.
+##
+## The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+## library.
+##
+## The Initial Developer of the Original Code is 
+## Michael J. Fromberger <sting@linguist.dartmouth.edu>
+##
+## Portions created by Michael J. Fromberger are 
+## Copyright (C) 1998, 2000 Michael J. Fromberger. All Rights Reserved.
+##
+## Contributor(s):
+##
+## Alternatively, the contents of this file may be used under the
+## terms of the GNU General Public License Version 2 or later (the
+## "GPL"), in which case the provisions of the GPL are applicable
+## instead of those above.  If you wish to allow use of your
+## version of this file only under the terms of the GPL and not to
+## allow others to use your version of this file under the MPL,
+## indicate your decision by deleting the provisions above and
+## replace them with the notice and other provisions required by
+## the GPL.  If you do not delete the provisions above, a recipient
+## may use your version of this file under either the MPL or the
+## GPL.
+##
+## $Id$
+##
+
+while(<>) {
+    chomp;
+    push(@primes, $_);
+}
+
+printf("mp_size   prime_tab_size = %d;\n", ($#primes + 1));
+print "mp_digit  prime_tab[] = {\n";
+
+print "\t";
+$last = pop(@primes);
+foreach $prime (sort {$a<=>$b} @primes) {
+    printf("0x%04X, ", $prime);
+    $brk = ($brk + 1) % 8;
+    print "\n\t" if(!$brk);
+}
+printf("0x%04X", $last);
+print "\n" if($brk);
+print "};\n\n";
+
+exit 0;
diff --git a/security/nss/lib/freebl/mpi/utils/sieve.c b/security/nss/lib/freebl/mpi/utils/sieve.c
new file mode 100644
index 000000000..4dd20604c
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/utils/sieve.c
@@ -0,0 +1,265 @@
+/*
+ * sieve.c
+ *
+ * Finds prime numbers using the Sieve of Eratosthenes
+ *
+ * This implementation uses a bitmap to represent all odd integers in a
+ * given range.  We iterate over this bitmap, crossing off the
+ * multiples of each prime we find.  At the end, all the remaining set
+ * bits correspond to prime integers.
+ *
+ * Here, we make two passes -- once we have generated a sieve-ful of
+ * primes, we copy them out, reset the sieve using the highest
+ * generated prime from the first pass as a base.  Then we cross out
+ * all the multiples of all the primes we found the first time through,
+ * and re-sieve.  In this way, we get double use of the memory we
+ * allocated for the sieve the first time though.  Since we also
+ * implicitly ignore multiples of 2, this amounts to 4 times the
+ * values.
+ *
+ * This could (and probably will) be generalized to re-use the sieve a
+ * few more times.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the MPI Arbitrary Precision Integer Arithmetic
+ * library.
+ *
+ * The Initial Developer of the Original Code is Michael J. Fromberger.
+ * Portions created by Michael J. Fromberger are 
+ * Copyright (C) 1998, 1999, 2000 Michael J. Fromberger. 
+ * All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above.  If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the GPL.
+ *
+ *  $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <limits.h>
+
+typedef unsigned char  byte;
+
+typedef struct {
+  int   size;
+  byte *bits;
+  long  base;
+  int   next;
+  int   nbits;
+} sieve;
+
+void sieve_init(sieve *sp, long base, int nbits);
+void sieve_grow(sieve *sp, int nbits);
+long sieve_next(sieve *sp);
+void sieve_reset(sieve *sp, long base);
+void sieve_cross(sieve *sp, long val);
+void sieve_clear(sieve *sp);
+
+#define S_ISSET(S, B)  (((S)->bits[(B)/CHAR_BIT]>>((B)%CHAR_BIT))&1)
+#define S_SET(S, B)    ((S)->bits[(B)/CHAR_BIT]|=(1<<((B)%CHAR_BIT)))
+#define S_CLR(S, B)    ((S)->bits[(B)/CHAR_BIT]&=~(1<<((B)%CHAR_BIT)))
+#define S_VAL(S, B)    ((S)->base+(2*(B)))
+#define S_BIT(S, V)    (((V)-((S)->base))/2)
+
+int main(int argc, char *argv[])
+{
+  sieve   s;
+  long    pr, *p;
+  int     c, ix, cur = 0;
+
+  if(argc < 2) {
+    fprintf(stderr, "Usage: %s <width>\n", argv[0]);
+    return 1;
+  }
+
+  c = atoi(argv[1]);
+  if(c < 0) c = -c;
+
+  fprintf(stderr, "%s: sieving to %d positions\n", argv[0], c);
+
+  sieve_init(&s, 3, c);
+
+  c = 0;
+  while((pr = sieve_next(&s)) > 0) {
+    ++c;
+  }
+
+  p = calloc(c, sizeof(long));
+  if(!p) {
+    fprintf(stderr, "%s: out of memory after first half\n", argv[0]);
+    sieve_clear(&s);
+    exit(1);
+  }
+
+  fprintf(stderr, "%s: half done ... \n", argv[0]);
+
+  for(ix = 0; ix < s.nbits; ix++) {
+    if(S_ISSET(&s, ix)) {
+      p[cur] = S_VAL(&s, ix);
+      printf("%ld\n", p[cur]);
+      ++cur;
+    }
+  }
+
+  sieve_reset(&s, p[cur - 1]);
+  fprintf(stderr, "%s: crossing off %d found primes ... \n", argv[0], cur);
+  for(ix = 0; ix < cur; ix++) {
+    sieve_cross(&s, p[ix]);
+    if(!(ix % 1000))
+      fputc('.', stderr);
+  }
+  fputc('\n', stderr);
+
+  free(p);
+
+  fprintf(stderr, "%s: sieving again from %ld ... \n", argv[0], p[cur - 1]);
+  c = 0;
+  while((pr = sieve_next(&s)) > 0) {
+    ++c;
+  }
+  
+  fprintf(stderr, "%s: done!\n", argv[0]);
+  for(ix = 0; ix < s.nbits; ix++) {
+    if(S_ISSET(&s, ix)) {
+      printf("%ld\n", S_VAL(&s, ix));
+    }
+  }
+
+  sieve_clear(&s);
+
+  return 0;
+}
+
+void sieve_init(sieve *sp, long base, int nbits)
+{
+  sp->size = (nbits / CHAR_BIT);
+
+  if(nbits % CHAR_BIT)
+    ++sp->size;
+
+  sp->bits = calloc(sp->size, sizeof(byte));
+  memset(sp->bits, UCHAR_MAX, sp->size);
+  if(!(base & 1))
+    ++base;
+  sp->base = base;
+  
+  sp->next = 0;
+  sp->nbits = sp->size * CHAR_BIT;
+}
+
+void sieve_grow(sieve *sp, int nbits)
+{
+  int  ns = (nbits / CHAR_BIT);
+
+  if(nbits % CHAR_BIT)
+    ++ns;
+
+  if(ns > sp->size) {
+    byte   *tmp;
+    int     ix;
+
+    tmp = calloc(ns, sizeof(byte));
+    if(tmp == NULL) {
+      fprintf(stderr, "Error: out of memory in sieve_grow\n");
+      return;
+    }
+
+    memcpy(tmp, sp->bits, sp->size);
+    for(ix = sp->size; ix < ns; ix++) {
+      tmp[ix] = UCHAR_MAX;
+    }
+
+    free(sp->bits);
+    sp->bits = tmp;
+    sp->size = ns;
+
+    sp->nbits = sp->size * CHAR_BIT;
+  }
+}
+
+long sieve_next(sieve *sp)
+{
+  long out;
+  int  ix = 0;
+  long val;
+
+  if(sp->next > sp->nbits)
+    return -1;
+
+  out = S_VAL(sp, sp->next);
+#ifdef DEBUG
+  fprintf(stderr, "Sieving %ld\n", out);
+#endif
+
+  /* Sieve out all multiples of the current prime */
+  val = out;
+  while(ix < sp->nbits) {
+    val += out;
+    ix = S_BIT(sp, val);
+    if((val & 1) && ix < sp->nbits) { /* && S_ISSET(sp, ix)) { */
+      S_CLR(sp, ix);
+#ifdef DEBUG
+      fprintf(stderr, "Crossing out %ld (bit %d)\n", val, ix);
+#endif
+    }
+  }
+
+  /* Scan ahead to the next prime */
+  ++sp->next;
+  while(sp->next < sp->nbits && !S_ISSET(sp, sp->next))
+    ++sp->next;
+
+  return out;
+}
+
+void sieve_cross(sieve *sp, long val)
+{
+  int  ix = 0;
+  long cur = val;
+
+  while(cur < sp->base)
+    cur += val;
+
+  ix = S_BIT(sp, cur);
+  while(ix < sp->nbits) {
+    if(cur & 1) 
+      S_CLR(sp, ix);
+    cur += val;
+    ix = S_BIT(sp, cur);
+  }
+}
+
+void sieve_reset(sieve *sp, long base)
+{
+  memset(sp->bits, UCHAR_MAX, sp->size);
+  sp->base = base;
+  sp->next = 0;
+}
+
+void sieve_clear(sieve *sp)
+{
+  if(sp->bits) 
+    free(sp->bits);
+
+  sp->bits = NULL;
+}
diff --git a/security/nss/lib/freebl/mpi/vis_32.il b/security/nss/lib/freebl/mpi/vis_32.il
new file mode 100644
index 000000000..443b6a00e
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/vis_32.il
@@ -0,0 +1,1320 @@
+! 
+!  The contents of this file are subject to the Mozilla Public
+!  License Version 1.1 (the "License"); you may not use this file
+!  except in compliance with the License. You may obtain a copy of
+!  the License at http://www.mozilla.org/MPL/
+!  
+!  Software distributed under the License is distributed on an "AS
+!  IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+!  implied. See the License for the specific language governing
+!  rights and limitations under the License.
+!  
+!  The Original Code is vis inline macros (32 bit).  (vis_32.il 3.3)
+! 
+!  The Initial Developer of the Original Code is Sun Microsystems Inc.
+!  Portions created by Sun Microsystems Inc. are 
+!  Copyright (C) 1995-2000 Sun Microsystems Inc.  All Rights Reserved.
+!  
+!  Contributor(s):
+!  
+!  Alternatively, the contents of this file may be used under the
+!  terms of the GNU General Public License Version 2 or later (the
+!  "GPL"), in which case the provisions of the GPL are applicable 
+!  instead of those above.	If you wish to allow use of your 
+!  version of this file only under the terms of the GPL and not to
+!  allow others to use your version of this file under the MPL,
+!  indicate your decision by deleting the provisions above and
+!  replace them with the notice and other provisions required by
+!  the GPL.  If you do not delete the provisions above, a recipient
+!  may use your version of this file under either the MPL or the
+!  GPL.
+!   $Id$
+! 
+! @(#)vis_32.il	3.3	00/03/02 SMI
+
+! The interface to the VIS instructions as declared below (and in the VIS
+! User's Manual) will not change, but the macro implementation might change
+! in the future.
+
+!--------------------------------------------------------------------
+! Pure edge handling instructions
+!
+! int vis_edge8(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge8,8
+	edge8	%o0,%o1,%o0
+	.end
+!
+! int vis_edge8l(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge8l,8
+	edge8l	%o0,%o1,%o0
+	.end
+!
+! int vis_edge16(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge16,8
+	edge16	%o0,%o1,%o0
+	.end
+!
+! int vis_edge16l(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge16l,8
+	edge16l	%o0,%o1,%o0
+	.end
+!
+! int vis_edge32(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge32,8
+	edge32	%o0,%o1,%o0
+	.end
+!
+! int vis_edge32l(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge32l,8
+	edge32l	%o0,%o1,%o0
+	.end
+
+!--------------------------------------------------------------------
+! Edge handling instructions with negative return values if cc set
+!
+! int vis_edge8cc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge8cc,8
+	edge8	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %icc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+!
+! int vis_edge8lcc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge8lcc,8
+	edge8l	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %icc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+!
+! int vis_edge16cc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge16cc,8
+	edge16	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %icc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+!
+! int vis_edge16lcc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge16lcc,8
+	edge16l	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %icc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+!
+! int vis_edge32cc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge32cc,8
+	edge32	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %icc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+!
+! int vis_edge32lcc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge32lcc,8
+	edge32l	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %icc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+
+!--------------------------------------------------------------------
+! Alignment instructions
+!
+! void *vis_alignaddr(void */*rs1*/, int /*rs2*/);
+!
+	.inline vis_alignaddr,8
+	alignaddr	%o0,%o1,%o0
+	.end
+!
+! void *vis_alignaddrl(void */*rs1*/, int /*rs2*/);
+!
+	.inline vis_alignaddrl,8
+	alignaddrl	%o0,%o1,%o0
+	.end
+!
+! double vis_faligndata(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_faligndata,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	faligndata	%f4,%f10,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Partitioned comparison instructions
+!
+! int vis_fcmple16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmple16,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fcmple16	%f4,%f10,%o0
+	.end
+!
+! int vis_fcmpne16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpne16,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fcmpne16	%f4,%f10,%o0
+	.end
+!
+! int vis_fcmple32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmple32,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fcmple32	%f4,%f10,%o0
+	.end
+!
+! int vis_fcmpne32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpne32,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fcmpne32	%f4,%f10,%o0
+	.end
+!
+! int vis_fcmpgt16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpgt16,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fcmpgt16	%f4,%f10,%o0
+	.end
+!
+! int vis_fcmpeq16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpeq16,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fcmpeq16	%f4,%f10,%o0
+	.end
+!
+! int vis_fcmpgt32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpgt32,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fcmpgt32	%f4,%f10,%o0
+	.end
+!
+! int vis_fcmpeq32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpeq32,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fcmpeq32	%f4,%f10,%o0
+	.end
+
+!--------------------------------------------------------------------
+! Partitioned arithmetic
+!
+! double vis_fmul8x16(float /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fmul8x16,12
+	st	%o0,[%sp+0x44]
+	ld	[%sp+0x44],%f4
+	st	%o1,[%sp+0x48]
+	st	%o2,[%sp+0x4c]
+	ldd	[%sp+0x48],%f10
+	fmul8x16	%f4,%f10,%f0
+	.end
+!
+! double vis_fmul8x16_dummy(float /*frs1*/, int /*dummy*/, double /*frs2*/);
+!
+	.inline vis_fmul8x16_dummy,16
+	st	%o0,[%sp+0x44]
+	ld	[%sp+0x44],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fmul8x16	%f4,%f10,%f0
+	.end
+!
+! double vis_fmul8x16au(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fmul8x16au,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fmul8x16au	%f4,%f10,%f0
+	.end
+!
+! double vis_fmul8x16al(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fmul8x16al,8
+	st	%o0,[%sp+0x44]
+	ld	[%sp+0x44],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fmul8x16al	%f4,%f10,%f0
+	.end
+!
+! double vis_fmul8sux16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fmul8sux16,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fmul8sux16	%f4,%f10,%f0
+	.end
+!
+! double vis_fmul8ulx16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fmul8ulx16,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fmul8ulx16	%f4,%f10,%f0
+	.end
+!
+! double vis_fmuld8sux16(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fmuld8sux16,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fmuld8sux16	%f4,%f10,%f0
+	.end
+!
+! double vis_fmuld8ulx16(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fmuld8ulx16,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fmuld8ulx16	%f4,%f10,%f0
+	.end
+!
+! double vis_fpadd16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpadd16,16
+	std	%o0,[%sp+0x40]
+	ldd	[%sp+0x40],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fpadd16	%f4,%f10,%f0
+	.end
+!
+! float vis_fpadd16s(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fpadd16s,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fpadd16s	%f4,%f10,%f0
+	.end
+!
+! double vis_fpadd32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpadd32,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fpadd32	%f4,%f10,%f0
+	.end
+!
+! float vis_fpadd32s(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fpadd32s,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fpadd32s	%f4,%f10,%f0
+	.end
+!
+! double vis_fpsub16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpsub16,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fpsub16	%f4,%f10,%f0
+	.end
+!
+! float vis_fpsub16s(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fpsub16s,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fpsub16s	%f4,%f10,%f0
+	.end
+!
+! double vis_fpsub32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpsub32,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fpsub32	%f4,%f10,%f0
+	.end
+!
+! float vis_fpsub32s(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fpsub32s,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fpsub32s	%f4,%f10,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Pixel packing
+!
+! float vis_fpack16(double /*frs2*/);
+!
+	.inline vis_fpack16,8
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	fpack16	%f4,%f0
+	.end
+
+!
+! double vis_fpack16_pair(double /*frs2*/, double /*frs2*/);
+!
+	.inline vis_fpack16_pair,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fpack16	%f4,%f0
+	fpack16	%f10,%f1
+	.end
+!
+! void vis_st2_fpack16(double, double, double *)
+!
+	.inline vis_st2_fpack16,20
+ 	std	%o0,[%sp+0x48]
+ 	ldd	[%sp+0x48],%f4
+ 	std	%o2,[%sp+0x48]
+ 	ldd	[%sp+0x48],%f10
+ 	fpack16	%f4,%f0
+ 	fpack16	%f10,%f1
+ 	st	%f0,[%o4+0]
+ 	st	%f1,[%o4+4]
+ 	.end
+!
+! void vis_std_fpack16(double, double, double *)
+!
+	.inline vis_std_fpack16,20
+	std     %o0,[%sp+0x48]
+	ldd     [%sp+0x48],%f4
+	std     %o2,[%sp+0x48]
+	ldd     [%sp+0x48],%f10
+	fpack16 %f4,%f0
+	fpack16 %f10,%f1
+	std     %f0,[%o4]
+	.end
+!
+! void vis_st2_fpackfix(double, double, double *)
+!
+	.inline vis_st2_fpackfix,20
+ 	std	%o0,[%sp+0x48]
+ 	ldd	[%sp+0x48],%f4
+ 	std	%o2,[%sp+0x48]
+ 	ldd	[%sp+0x48],%f10
+ 	fpackfix %f4,%f0
+ 	fpackfix %f10,%f1
+ 	st	%f0,[%o4+0]
+ 	st	%f1,[%o4+4]
+ 	.end
+!
+! double vis_fpack16_to_hi(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpack16_to_hi,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f0
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	fpack16	%f4,%f0
+	.end
+
+! double vis_fpack16_to_lo(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpack16_to_lo,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f0
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	fpack16	%f4,%f3
+	fmovs	%f3,%f1		/* without this, optimizer goes wrong */
+	.end
+
+!
+! double vis_fpack32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpack32,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fpack32	%f4,%f10,%f0
+	.end
+!
+! float vis_fpackfix(double /*frs2*/);
+!
+	.inline vis_fpackfix,8
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	fpackfix	%f4,%f0
+	.end
+!
+! double vis_fpackfix_pair(double /*frs2*/, double /*frs2*/);
+!
+	.inline vis_fpackfix_pair,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f6
+	fpackfix	%f4,%f0
+	fpackfix	%f6,%f1
+	.end
+
+!--------------------------------------------------------------------
+! Motion estimation
+!
+! double vis_pdist(double /*frs1*/, double /*frs2*/, double /*frd*/);
+!
+	.inline vis_pdist,24
+	std	%o4,[%sp+0x48]
+	ldd	[%sp+0x48],%f0
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	pdist	%f4,%f10,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Channel merging
+!
+! double vis_fpmerge(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fpmerge,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fpmerge	%f4,%f10,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Pixel expansion
+!
+! double vis_fexpand(float /*frs2*/);
+!
+	.inline vis_fexpand,4
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	fexpand	%f4,%f0
+	.end
+
+! double vis_fexpand_hi(double /*frs2*/);
+!
+	.inline vis_fexpand_hi,8
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	fexpand	%f4,%f0
+	.end
+
+! double vis_fexpand_lo(double /*frs2*/);
+!
+	.inline vis_fexpand_lo,8
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	fmovs	%f5, %f2
+	fexpand	%f2,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Bitwise logical operations
+!
+! double vis_fnor(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fnor,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fnor	%f4,%f10,%f0
+	.end
+!
+! float vis_fnors(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fnors,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fnors	%f4,%f10,%f0
+	.end
+!
+! double vis_fandnot(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fandnot,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fandnot1	%f4,%f10,%f0
+	.end
+!
+! float vis_fandnots(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fandnots,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fandnot1s	%f4,%f10,%f0
+	.end
+!
+! double vis_fnot(double /*frs1*/);
+!
+	.inline vis_fnot,8
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	fnot1	%f4,%f0
+	.end
+!
+! float vis_fnots(float /*frs1*/);
+!
+	.inline vis_fnots,4
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	fnot1s	%f4,%f0
+	.end
+!
+! double vis_fxor(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fxor,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fxor	%f4,%f10,%f0
+	.end
+!
+! float vis_fxors(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fxors,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fxors	%f4,%f10,%f0
+	.end
+!
+! double vis_fnand(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fnand,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fnand	%f4,%f10,%f0
+	.end
+!
+! float vis_fnands(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fnands,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fnands	%f4,%f10,%f0
+	.end
+!
+! double vis_fand(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fand,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fand	%f4,%f10,%f0
+	.end
+!
+! float vis_fands(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fands,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fands	%f4,%f10,%f0
+	.end
+!
+! double vis_fxnor(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fxnor,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fxnor	%f4,%f10,%f0
+	.end
+!
+! float vis_fxnors(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fxnors,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fxnors	%f4,%f10,%f0
+	.end
+!
+! double vis_fsrc(double /*frs1*/);
+!
+	.inline vis_fsrc,8
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	fsrc1	%f4,%f0
+	.end
+!
+! float vis_fsrcs(float /*frs1*/);
+!
+	.inline vis_fsrcs,4
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	fsrc1s	%f4,%f0
+	.end
+!
+! double vis_fornot(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fornot,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	fornot1	%f4,%f10,%f0
+	.end
+!
+! float vis_fornots(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fornots,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fornot1s	%f4,%f10,%f0
+	.end
+!
+! double vis_for(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_for,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	std	%o2,[%sp+0x48]
+	ldd	[%sp+0x48],%f10
+	for	%f4,%f10,%f0
+	.end
+!
+! float vis_fors(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fors,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	st	%o1,[%sp+0x48]
+	ld	[%sp+0x48],%f10
+	fors	%f4,%f10,%f0
+	.end
+!
+! double vis_fzero(/* void */)
+!
+	.inline	vis_fzero,0
+	fzero	%f0
+	.end
+!
+! float vis_fzeros(/* void */)
+!
+	.inline	vis_fzeros,0
+	fzeros	%f0
+	.end
+!
+! double vis_fone(/* void */)
+!
+	.inline	vis_fone,0
+	fone	%f0
+	.end
+!
+! float vis_fones(/* void */)
+!
+	.inline	vis_fones,0
+	fones	%f0
+	.end
+
+!--------------------------------------------------------------------
+! Partial store instructions
+!
+! vis_stdfa_ASI_PST8P(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST8P,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]%o3,0xc0	! ASI_PST8_P
+	.end
+!
+! vis_stdfa_ASI_PST8PL(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST8PL,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]%o3,0xc8	! ASI_PST8_PL
+	.end
+!
+! vis_stdfa_ASI_PST8P_int_pair(void *rs1, void *rs2, void *rs3, int rmask);
+!
+	.inline vis_stdfa_ASI_PST8P_int_pair,16
+        ld	[%o0],%f4
+        ld	[%o1],%f5
+	stda	%f4,[%o2]%o3,0xc0	! ASI_PST8_P
+	.end
+!
+! vis_stdfa_ASI_PST8S(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST8S,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]%o3,0xc1	! ASI_PST8_S
+	.end
+!
+! vis_stdfa_ASI_PST16P(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST16P,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]%o3,0xc2	! ASI_PST16_P
+	.end
+!
+! vis_stdfa_ASI_PST16S(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST16S,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]%o3,0xc3	! ASI_PST16_S
+	.end
+!
+! vis_stdfa_ASI_PST32P(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST32P,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]%o3,0xc4	! ASI_PST32_P
+	.end
+!
+! vis_stdfa_ASI_PST32S(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST32S,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]%o3,0xc5	! ASI_PST32_S
+	.end
+
+!--------------------------------------------------------------------
+! Short store instructions
+!
+! vis_stdfa_ASI_FL8P(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL8P,12
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]0xd0	! ASI_FL8_P
+	.end
+!
+! vis_stdfa_ASI_FL8P_index(double frd, void *rs1, long index)
+!
+	.inline vis_stdfa_ASI_FL8P_index,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2+%o3]0xd0 ! ASI_FL8_P
+	.end
+!
+! vis_stdfa_ASI_FL8S(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL8S,12
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]0xd1	! ASI_FL8_S
+	.end
+!
+! vis_stdfa_ASI_FL16P(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL16P,12
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]0xd2	! ASI_FL16_P
+	.end
+!
+! vis_stdfa_ASI_FL16P_index(double frd, void *rs1, long index)
+!
+	.inline vis_stdfa_ASI_FL16P_index,16
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2+%o3]0xd2 ! ASI_FL16_P
+	.end
+!
+! vis_stdfa_ASI_FL16S(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL16S,12
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]0xd3	! ASI_FL16_S
+	.end
+!
+! vis_stdfa_ASI_FL8PL(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL8PL,12
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]0xd8	! ASI_FL8_PL
+	.end
+!
+! vis_stdfa_ASI_FL8SL(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL8SL,12
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]0xd9	! ASI_FL8_SL
+	.end
+!
+! vis_stdfa_ASI_FL16PL(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL16PL,12
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]0xda	! ASI_FL16_PL
+	.end
+!
+! vis_stdfa_ASI_FL16SL(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL16SL,12
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]0xdb	! ASI_FL16_SL
+	.end
+
+!--------------------------------------------------------------------
+! Short load instructions
+!
+! double vis_lddfa_ASI_FL8P(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL8P,4
+	ldda	[%o0]0xd0,%f4	! ASI_FL8_P
+	fmovd	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! double vis_lddfa_ASI_FL8P_index(void *rs1, long index)
+!
+	.inline vis_lddfa_ASI_FL8P_index,8
+	ldda	[%o0+%o1]0xd0,%f4
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8P_hi(void *rs1, unsigned int index)
+!
+	.inline vis_lddfa_ASI_FL8P_hi,8
+	sra     %o1,16,%o1
+	ldda	[%o0+%o1]0xd0,%f4
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8P_lo(void *rs1, unsigned int index)
+!
+	.inline vis_lddfa_ASI_FL8P_lo,8
+	sll     %o1,16,%o1
+	sra     %o1,16,%o1
+	ldda	[%o0+%o1]0xd0,%f4
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8S(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL8S,4
+	ldda	[%o0]0xd1,%f4	! ASI_FL8_S
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16P(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL16P,4
+	ldda	[%o0]0xd2,%f4	! ASI_FL16_P
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16P_index(void *rs1, long index)
+!
+	.inline vis_lddfa_ASI_FL16P_index,8
+	ldda	[%o0+%o1]0xd2,%f4 ! ASI_FL16_P
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16S(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL16S,4
+	ldda	[%o0]0xd3,%f4	! ASI_FL16_S
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8PL(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL8PL,4
+	ldda	[%o0]0xd8,%f4	! ASI_FL8_PL
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8PL_index(void *rs1, long index)
+!
+	.inline vis_lddfa_ASI_FL8PL_index,8
+	ldda	[%o0+%o1]0xd8,%f4	! ASI_FL8_PL
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8SL(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL8SL,4
+	ldda	[%o0]0xd9,%f4	! ASI_FL8_SL
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16PL(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL16PL,4
+	ldda	[%o0]0xda,%f4	! ASI_FL16_PL
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16PL_index(void *rs1, long index)
+!
+	.inline vis_lddfa_ASI_FL16PL_index,8
+	ldda	[%o0+%o1]0xda,%f4	! ASI_FL16_PL
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16SL(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL16SL,4
+	ldda	[%o0]0xdb,%f4	! ASI_FL16_SL
+	fmovd	%f4,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Graphics status register
+!
+! unsigned int vis_read_gsr(void)
+!
+	.inline vis_read_gsr,0
+	rd	%gsr,%o0
+	.end
+!
+! void vis_write_gsr(unsigned int /* GSR */)
+!
+	.inline vis_write_gsr,4
+	wr	%g0,%o0,%gsr
+	.end
+
+!--------------------------------------------------------------------
+! Voxel texture mapping
+!
+! unsigned long vis_array8(unsigned long long /*rs1 */, int /*rs2*/)
+!
+	.inline	vis_array8,12
+	sllx	%o0,32,%o0
+	srl	%o1,0,%o1	! clear the most significant 32 bits of %o1
+	or	%o0,%o1,%o3	! join %o0 and %o1 into %o3
+	array8	%o3,%o2,%o0
+	.end
+!
+! unsigned long vis_array16(unsigned long long /*rs1*/, int /*rs2*/)
+!
+	.inline	vis_array16,12
+	sllx	%o0,32,%o0
+	srl	%o1,0,%o1	! clear the most significant 32 bits of %o1
+	or	%o0,%o1,%o3	! join %o0 and %o1 into %o3
+	array16	%o3,%o2,%o0
+	.end
+!
+! unsigned long vis_array32(unsigned long long /*rs1*/, int /*rs2*/)
+!
+	.inline	vis_array32,12
+	sllx	%o0,32,%o0
+	srl	%o1,0,%o1	! clear the most significant 32 bits of %o1
+	or	%o0,%o1,%o3	! join %o0 and %o1 into %o3
+	array32	%o3,%o2,%o0
+	.end
+
+!--------------------------------------------------------------------
+! Register aliasing and type casts
+!
+! float vis_read_hi(double /* frs1 */);
+!
+	.inline vis_read_hi,8
+	std	%o0,[%sp+0x48]	! store double frs1
+	ldd	[%sp+0x48],%f0	! %f0:%f1 = double frs1; return %f0;
+	.end
+!
+! float vis_read_lo(double /* frs1 */);
+!
+	.inline vis_read_lo,8
+	std	%o0,[%sp+0x48]	! store double frs1
+	ldd	[%sp+0x48],%f0	! %f0:%f1 = double frs1;
+	fmovs	%f1,%f0		! %f0 = low word (frs1); return %f0;
+	.end
+!
+! double vis_write_hi(double /* frs1 */, float /* frs2 */);
+!
+	.inline vis_write_hi,12
+	std	%o0,[%sp+0x48]	! store double frs1;
+	ldd	[%sp+0x48],%f0	! %f0:%f1 = double frs1;
+	st	%o2,[%sp+0x44]	! store float frs2;
+	ld	[%sp+0x44],%f2	! %f2 = float frs2;
+	fmovs	%f2,%f0		! %f0 = float frs2; return %f0:f1;
+	.end
+!
+! double vis_write_lo(double /* frs1 */, float /* frs2 */);
+!
+	.inline vis_write_lo,12
+	std	%o0,[%sp+0x48]	! store double frs1;
+	ldd	[%sp+0x48],%f0	! %f0:%f1 = double frs1;
+	st	%o2,[%sp+0x44]	! store float frs2;
+	ld	[%sp+0x44],%f2	! %f2 = float frs2;
+	fmovs	%f2,%f1		! %f1 = float frs2; return %f0:f1;
+	.end
+!
+! double vis_freg_pair(float /* frs1 */, float /* frs2 */);
+!
+	.inline vis_freg_pair,8
+	st	%o0,[%sp+0x48]	! store float frs1
+	ld	[%sp+0x48],%f0
+	st	%o1,[%sp+0x48]	! store float frs2
+	ld	[%sp+0x48],%f1
+	.end
+!
+! float vis_to_float(unsigned int /*value*/);
+!
+	.inline vis_to_float,4
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f0
+	.end
+!
+! double vis_to_double(unsigned int /*value1*/, unsigned int /*value2*/);
+!
+	.inline vis_to_double,8
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f0
+	.end
+!
+! double vis_to_double_dup(unsigned int /*value*/);
+!
+	.inline vis_to_double_dup,4
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f1
+	fmovs	%f1,%f0		! duplicate value
+	.end
+!
+! double vis_ll_to_double(unsigned long long /*value*/);
+!
+	.inline vis_ll_to_double,8
+	std     %o0,[%sp+0x48]
+	ldd     [%sp+0x48],%f0
+	.end
+
+!--------------------------------------------------------------------
+! Address space identifier (ASI) register
+!
+! unsigned int vis_read_asi(void)
+!
+	.inline vis_read_asi,0
+	rd	%asi,%o0
+	.end
+!
+! void vis_write_asi(unsigned int /* ASI */)
+!
+	.inline vis_write_asi,4
+	wr	%g0,%o0,%asi
+	.end
+
+!--------------------------------------------------------------------
+! Load/store from/into alternate space
+!
+! float vis_ldfa_ASI_REG(void *rs1)
+!
+	.inline vis_ldfa_ASI_REG,4
+	lda	[%o0+0]%asi,%f4
+	fmovs	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! float vis_ldfa_ASI_P(void *rs1)
+!
+	.inline vis_ldfa_ASI_P,4
+	lda	[%o0]0x80,%f4	! ASI_P
+	fmovs	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! float vis_ldfa_ASI_PL(void *rs1)
+!
+	.inline vis_ldfa_ASI_PL,4
+	lda	[%o0]0x88,%f4	! ASI_PL
+	fmovs	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! double vis_lddfa_ASI_REG(void *rs1)
+!
+	.inline vis_lddfa_ASI_REG,4
+	ldda	[%o0+0]%asi,%f4
+	fmovd	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! double vis_lddfa_ASI_P(void *rs1)
+!
+	.inline vis_lddfa_ASI_P,4
+	ldda	[%o0]0x80,%f4	! ASI_P
+	fmovd	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! double vis_lddfa_ASI_PL(void *rs1)
+!
+	.inline vis_lddfa_ASI_PL,4
+	ldda	[%o0]0x88,%f4	! ASI_PL
+	fmovd	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! vis_stfa_ASI_REG(float frs, void *rs1)
+!
+	.inline vis_stfa_ASI_REG,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	sta	%f4,[%o1+0]%asi
+	.end
+!
+! vis_stfa_ASI_P(float frs, void *rs1)
+!
+	.inline vis_stfa_ASI_P,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	sta	%f4,[%o1]0x80	! ASI_P
+	.end
+!
+! vis_stfa_ASI_PL(float frs, void *rs1)
+!
+	.inline vis_stfa_ASI_PL,8
+	st	%o0,[%sp+0x48]
+	ld	[%sp+0x48],%f4
+	sta	%f4,[%o1]0x88	! ASI_PL
+	.end
+!
+! vis_stdfa_ASI_REG(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_REG,12
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2+0]%asi
+	.end
+!
+! vis_stdfa_ASI_P(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_P,12
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]0x80	! ASI_P
+	.end
+!
+! vis_stdfa_ASI_PL(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_PL,12
+	std	%o0,[%sp+0x48]
+	ldd	[%sp+0x48],%f4
+	stda	%f4,[%o2]0x88	! ASI_PL
+	.end
+!
+! unsigned short vis_lduha_ASI_REG(void *rs1)
+!
+	.inline vis_lduha_ASI_REG,4
+	lduha	[%o0+0]%asi,%o0
+	.end
+!
+! unsigned short vis_lduha_ASI_P(void *rs1)
+!
+	.inline vis_lduha_ASI_P,4
+	lduha	[%o0]0x80,%o0	! ASI_P
+	.end
+!
+! unsigned short vis_lduha_ASI_PL(void *rs1)
+!
+	.inline vis_lduha_ASI_PL,4
+	lduha	[%o0]0x88,%o0	! ASI_PL
+	.end
+!
+! unsigned short vis_lduha_ASI_P_index(void *rs1, long index)
+!
+	.inline vis_lduha_ASI_P_index,8
+	lduha	[%o0+%o1]0x80,%o0	! ASI_P
+	.end
+!
+! unsigned short vis_lduha_ASI_PL_index(void *rs1, long index)
+!
+	.inline vis_lduha_ASI_PL_index,8
+	lduha	[%o0+%o1]0x88,%o0	! ASI_PL
+	.end
+
+!--------------------------------------------------------------------
+! Prefetch
+!
+! void vis_prefetch_read(void * /*address*/);
+!
+	.inline vis_prefetch_read,4
+	prefetch	[%o0+0],0
+	.end
+!
+! void vis_prefetch_write(void * /*address*/);
+!
+	.inline vis_prefetch_write,4
+	prefetch	[%o0+0],2
+	.end
diff --git a/security/nss/lib/freebl/mpi/vis_64.il b/security/nss/lib/freebl/mpi/vis_64.il
new file mode 100644
index 000000000..7a57e9b79
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/vis_64.il
@@ -0,0 +1,1026 @@
+! 
+!  The contents of this file are subject to the Mozilla Public
+!  License Version 1.1 (the "License"); you may not use this file
+!  except in compliance with the License. You may obtain a copy of
+!  the License at http://www.mozilla.org/MPL/
+!  
+!  Software distributed under the License is distributed on an "AS
+!  IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+!  implied. See the License for the specific language governing
+!  rights and limitations under the License.
+!  
+!  The Original Code is vis inline macros (64 bit).  (vis_64.il 3.4)
+! 
+!  The Initial Developer of the Original Code is Sun Microsystems Inc.
+!  Portions created by Sun Microsystems Inc. are 
+!  Copyright (C) 1998-2000 Sun Microsystems Inc. All Rights Reserved.
+!  
+!  Contributor(s):
+!  
+!  Alternatively, the contents of this file may be used under the
+!  terms of the GNU General Public License Version 2 or later (the
+!  "GPL"), in which case the provisions of the GPL are applicable 
+!  instead of those above.	If you wish to allow use of your 
+!  version of this file only under the terms of the GPL and not to
+!  allow others to use your version of this file under the MPL,
+!  indicate your decision by deleting the provisions above and
+!  replace them with the notice and other provisions required by
+!  the GPL.  If you do not delete the provisions above, a recipient
+!  may use your version of this file under either the MPL or the
+!  GPL.
+!   $Id$
+! 
+! @(#)vis_64.il	3.4	00/03/02 SMI
+
+! This file is to be used in place of vis.il in 64-bit builds.
+
+!--------------------------------------------------------------------
+! Pure edge handling instructions
+!
+! int vis_edge8(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge8,16
+	edge8	%o0,%o1,%o0
+	.end
+!
+! int vis_edge8l(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge8l,16
+	edge8l	%o0,%o1,%o0
+	.end
+!
+! int vis_edge16(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge16,16
+	edge16	%o0,%o1,%o0
+	.end
+!
+! int vis_edge16l(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge16l,16
+	edge16l	%o0,%o1,%o0
+	.end
+!
+! int vis_edge32(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge32,16
+	edge32	%o0,%o1,%o0
+	.end
+!
+! int vis_edge32l(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge32l,16
+	edge32l	%o0,%o1,%o0
+	.end
+
+!--------------------------------------------------------------------
+! Edge handling instructions with negative return values if cc set
+!
+! int vis_edge8cc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge8cc,16
+	edge8	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %xcc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+!
+! int vis_edge8lcc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge8lcc,16
+	edge8l	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %xcc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+!
+! int vis_edge16cc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge16cc,16
+	edge16	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %xcc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+!
+! int vis_edge16lcc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge16lcc,16
+	edge16l	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %xcc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+!
+! int vis_edge32cc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge32cc,16
+	edge32	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %xcc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+!
+! int vis_edge32lcc(void */*frs1*/, void */*frs2*/);
+!
+	.inline vis_edge32lcc,16
+	edge32l	%o0,%o1,%o0
+	mov     0,%o1
+	movgu   %xcc,-1024,%o1
+	or      %o1,%o0,%o0
+	.end
+
+!--------------------------------------------------------------------
+! Alignment instructions
+!
+! void *vis_alignaddr(void */*rs1*/, int /*rs2*/);
+!
+	.inline vis_alignaddr,12
+	alignaddr	%o0,%o1,%o0
+	.end
+!
+! void *vis_alignaddrl(void */*rs1*/, int /*rs2*/);
+!
+	.inline vis_alignaddrl,12
+	alignaddrl	%o0,%o1,%o0
+	.end
+!
+! double vis_faligndata(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_faligndata,16
+	faligndata	%f0,%f2,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Partitioned comparison instructions
+!
+! int vis_fcmple16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmple16,16
+	fcmple16	%f0,%f2,%o0
+	.end
+!
+! int vis_fcmpne16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpne16,16
+	fcmpne16	%f0,%f2,%o0
+	.end
+!
+! int vis_fcmple32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmple32,16
+	fcmple32	%f0,%f2,%o0
+	.end
+!
+! int vis_fcmpne32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpne32,16
+	fcmpne32	%f0,%f2,%o0
+	.end
+!
+! int vis_fcmpgt16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpgt16,16
+	fcmpgt16	%f0,%f2,%o0
+	.end
+!
+! int vis_fcmpeq16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpeq16,16
+	fcmpeq16	%f0,%f2,%o0
+	.end
+!
+! int vis_fcmpgt32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpgt32,16
+	fcmpgt32	%f0,%f2,%o0
+	.end
+!
+! int vis_fcmpeq32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fcmpeq32,16
+	fcmpeq32	%f0,%f2,%o0
+	.end
+
+!--------------------------------------------------------------------
+! Partitioned arithmetic
+!
+! double vis_fmul8x16(float /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fmul8x16,12
+	fmul8x16	%f1,%f2,%f0
+	.end
+!
+! double vis_fmul8x16_dummy(float /*frs1*/, int /*dummy*/, double /*frs2*/);
+!
+	.inline vis_fmul8x16_dummy,16
+	fmul8x16	%f1,%f4,%f0
+	.end
+!
+! double vis_fmul8x16au(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fmul8x16au,8
+	fmul8x16au	%f1,%f3,%f0
+	.end
+!
+! double vis_fmul8x16al(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fmul8x16al,8
+	fmul8x16al	%f1,%f3,%f0
+	.end
+!
+! double vis_fmul8sux16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fmul8sux16,16
+	fmul8sux16	%f0,%f2,%f0
+	.end
+!
+! double vis_fmul8ulx16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fmul8ulx16,16
+	fmul8ulx16	%f0,%f2,%f0
+	.end
+!
+! double vis_fmuld8sux16(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fmuld8sux16,8
+	fmuld8sux16	%f1,%f3,%f0
+	.end
+!
+! double vis_fmuld8ulx16(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fmuld8ulx16,8
+	fmuld8ulx16	%f1,%f3,%f0
+	.end
+!
+! double vis_fpadd16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpadd16,16
+	fpadd16	%f0,%f2,%f0
+	.end
+!
+! float vis_fpadd16s(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fpadd16s,8
+	fpadd16s	%f1,%f3,%f0
+	.end
+!
+! double vis_fpadd32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpadd32,16
+	fpadd32	%f0,%f2,%f0
+	.end
+!
+! float vis_fpadd32s(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fpadd32s,8
+	fpadd32s	%f1,%f3,%f0
+	.end
+!
+! double vis_fpsub16(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpsub16,16
+	fpsub16	%f0,%f2,%f0
+	.end
+!
+! float vis_fpsub16s(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fpsub16s,8
+	fpsub16s	%f1,%f3,%f0
+	.end
+!
+! double vis_fpsub32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpsub32,16
+	fpsub32	%f0,%f2,%f0
+	.end
+!
+! float vis_fpsub32s(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fpsub32s,8
+	fpsub32s	%f1,%f3,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Pixel packing
+!
+! float vis_fpack16(double /*frs2*/);
+!
+	.inline vis_fpack16,8
+	fpack16	%f0,%f0
+	.end
+!
+! double vis_fpack16_pair(double /*frs2*/, double /*frs2*/);
+!
+	.inline vis_fpack16_pair,16
+	fpack16	%f0,%f0
+	fpack16	%f2,%f1
+	.end
+!
+! void vis_st2_fpack16(double, double, double *)
+!
+	.inline vis_st2_fpack16,24
+ 	fpack16	%f0,%f0
+ 	fpack16	%f2,%f1
+ 	st	%f0,[%o2+0]
+ 	st	%f1,[%o2+4]
+ 	.end
+!
+! void vis_std_fpack16(double, double, double *)
+!
+	.inline vis_std_fpack16,24
+	fpack16	%f0,%f0
+	fpack16	%f2,%f1
+	std	%f0,[%o2]
+	.end
+!
+! void vis_st2_fpackfix(double, double, double *)
+!
+	.inline vis_st2_fpackfix,24
+ 	fpackfix %f0,%f0
+ 	fpackfix %f2,%f1
+ 	st	%f0,[%o2+0]
+ 	st	%f1,[%o2+4]
+ 	.end
+!
+! double vis_fpack16_to_hi(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpack16_to_hi,16
+	fpack16	%f2,%f0
+	.end
+
+! double vis_fpack16_to_lo(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpack16_to_lo,16
+	fpack16	%f2,%f3
+	fmovs	%f3,%f1		/* without this, optimizer goes wrong */
+	.end
+
+!
+! double vis_fpack32(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fpack32,16
+	fpack32	%f0,%f2,%f0
+	.end
+!
+! float vis_fpackfix(double /*frs2*/);
+!
+	.inline vis_fpackfix,8
+	fpackfix	%f0,%f0
+	.end
+!
+! double vis_fpackfix_pair(double /*frs2*/, double /*frs2*/);
+!
+	.inline vis_fpackfix_pair,16
+	fpackfix	%f0,%f0
+	fpackfix	%f2,%f1
+	.end
+
+!--------------------------------------------------------------------
+! Motion estimation
+!
+! double vis_pxldist64(double accum /*frd*/, double pxls1 /*frs1*/, 
+!		       double pxls2 /*frs2*/);
+!
+	.inline vis_pxldist64,24
+	pdist	%f2,%f4,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Channel merging
+!
+! double vis_fpmerge(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fpmerge,8
+	fpmerge	%f1,%f3,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Pixel expansion
+!
+! double vis_fexpand(float /*frs2*/);
+!
+	.inline vis_fexpand,4
+	fexpand	%f1,%f0
+	.end
+
+! double vis_fexpand_hi(double /*frs2*/);
+!
+	.inline vis_fexpand_hi,8
+	fexpand	%f0,%f0
+	.end
+
+! double vis_fexpand_lo(double /*frs2*/);
+!
+	.inline vis_fexpand_lo,8
+	fexpand	%f1,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Bitwise logical operations
+!
+! double vis_fnor(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fnor,16
+	fnor	%f0,%f2,%f0
+	.end
+!
+! float vis_fnors(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fnors,8
+	fnors	%f1,%f3,%f0
+	.end
+!
+! double vis_fandnot(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fandnot,16
+	fandnot1 %f0,%f2,%f0
+	.end
+!
+! float vis_fandnots(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fandnots,8
+	fandnot1s %f1,%f3,%f0
+	.end
+!
+! double vis_fnot(double /*frs1*/);
+!
+	.inline vis_fnot,8
+	fnot1	%f0,%f0
+	.end
+!
+! float vis_fnots(float /*frs1*/);
+!
+	.inline vis_fnots,4
+	fnot1s	%f1,%f0
+	.end
+!
+! double vis_fxor(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fxor,16
+	fxor	%f0,%f2,%f0
+	.end
+!
+! float vis_fxors(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fxors,8
+	fxors	%f1,%f3,%f0
+	.end
+!
+! double vis_fnand(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fnand,16
+	fnand	%f0,%f2,%f0
+	.end
+!
+! float vis_fnands(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fnands,8
+	fnands	%f1,%f3,%f0
+	.end
+!
+! double vis_fand(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fand,16
+	fand	%f0,%f2,%f0
+	.end
+!
+! float vis_fands(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fands,8
+	fands	%f1,%f3,%f0
+	.end
+!
+! double vis_fxnor(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fxnor,16
+	fxnor	%f0,%f2,%f0
+	.end
+!
+! float vis_fxnors(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fxnors,8
+	fxnors	%f1,%f3,%f0
+	.end
+!
+! double vis_fsrc(double /*frs1*/);
+!
+	.inline vis_fsrc,8
+	fsrc1	%f0,%f0
+	.end
+!
+! float vis_fsrcs(float /*frs1*/);
+!
+	.inline vis_fsrcs,4
+	fsrc1s	%f1,%f0
+	.end
+!
+! double vis_fornot(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_fornot,16
+	fornot1	%f0,%f2,%f0
+	.end
+!
+! float vis_fornots(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fornots,8
+	fornot1s %f1,%f3,%f0
+	.end
+!
+! double vis_for(double /*frs1*/, double /*frs2*/);
+!
+	.inline vis_for,16
+	for	%f0,%f2,%f0
+	.end
+!
+! float vis_fors(float /*frs1*/, float /*frs2*/);
+!
+	.inline vis_fors,8
+	fors	%f1,%f3,%f0
+	.end
+!
+! double vis_fzero(/* void */)
+!
+	.inline	vis_fzero,0
+	fzero	%f0
+	.end
+!
+! float vis_fzeros(/* void */)
+!
+	.inline	vis_fzeros,0
+	fzeros	%f0
+	.end
+!
+! double vis_fone(/* void */)
+!
+	.inline	vis_fone,0
+	fone	%f0
+	.end
+!
+! float vis_fones(/* void */)
+!
+	.inline	vis_fones,0
+	fones	%f0
+	.end
+
+!--------------------------------------------------------------------
+! Partial store instructions
+!
+! vis_stdfa_ASI_PST8P(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST8P,20
+	stda	%f0,[%o1]%o2,0xc0	! ASI_PST8_P
+	.end
+!
+! vis_stdfa_ASI_PST8PL(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST8PL,20
+	stda	%f0,[%o1]%o2,0xc8	! ASI_PST8_PL
+	.end
+!
+! vis_stdfa_ASI_PST8P_int_pair(void *rs1, void *rs2, void *rs3, int rmask);
+!
+	.inline vis_stdfa_ASI_PST8P_int_pair,28
+        ld	[%o0],%f4
+        ld	[%o1],%f5
+	stda	%f4,[%o2]%o3,0xc0	! ASI_PST8_P
+	.end
+!
+! vis_stdfa_ASI_PST8S(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST8S,20
+	stda	%f0,[%o1]%o2,0xc1	! ASI_PST8_S
+	.end
+!
+! vis_stdfa_ASI_PST16P(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST16P,20
+	stda	%f0,[%o1]%o2,0xc2	! ASI_PST16_P
+	.end
+!
+! vis_stdfa_ASI_PST16S(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST16S,20
+	stda	%f0,[%o1]%o2,0xc3	! ASI_PST16_S
+	.end
+!
+! vis_stdfa_ASI_PST32P(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST32P,20
+	stda	%f0,[%o1]%o2,0xc4	! ASI_PST32_P
+	.end
+!
+! vis_stdfa_ASI_PST32S(double frd, void *rs1, int rmask)
+!
+	.inline vis_stdfa_ASI_PST32S,20
+	stda	%f0,[%o1]%o2,0xc5	! ASI_PST32_S
+	.end
+
+!--------------------------------------------------------------------
+! Short store instructions
+!
+! vis_stdfa_ASI_FL8P(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL8P,16
+	stda	%f0,[%o1]0xd0	! ASI_FL8_P
+	.end
+!
+! vis_stdfa_ASI_FL8P_index(double frd, void *rs1, long index)
+!
+	.inline vis_stdfa_ASI_FL8P_index,24
+	stda	%f0,[%o1+%o2]0xd0 ! ASI_FL8_P
+	.end
+!
+! vis_stdfa_ASI_FL8S(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL8S,16
+	stda	%f0,[%o1]0xd1	! ASI_FL8_S
+	.end
+!
+! vis_stdfa_ASI_FL16P(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL16P,16
+	stda	%f0,[%o1]0xd2	! ASI_FL16_P
+	.end
+!
+! vis_stdfa_ASI_FL16P_index(double frd, void *rs1, long index)
+!
+	.inline vis_stdfa_ASI_FL16P_index,24
+	stda	%f0,[%o1+%o2]0xd2 ! ASI_FL16_P
+	.end
+!
+! vis_stdfa_ASI_FL16S(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL16S,16
+	stda	%f0,[%o1]0xd3	! ASI_FL16_S
+	.end
+!
+! vis_stdfa_ASI_FL8PL(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL8PL,16
+	stda	%f0,[%o1]0xd8	! ASI_FL8_PL
+	.end
+!
+! vis_stdfa_ASI_FL8SL(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL8SL,16
+	stda	%f0,[%o1]0xd9	! ASI_FL8_SL
+	.end
+!
+! vis_stdfa_ASI_FL16PL(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL16PL,16
+	stda	%f0,[%o1]0xda	! ASI_FL16_PL
+	.end
+!
+! vis_stdfa_ASI_FL16SL(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_FL16SL,16
+	stda	%f0,[%o1]0xdb	! ASI_FL16_SL
+	.end
+
+!--------------------------------------------------------------------
+! Short load instructions
+!
+! double vis_lddfa_ASI_FL8P(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL8P,8
+	ldda	[%o0]0xd0,%f4	! ASI_FL8_P
+	fmovd	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! double vis_lddfa_ASI_FL8P_index(void *rs1, long index)
+!
+	.inline vis_lddfa_ASI_FL8P_index,16
+	ldda	[%o0+%o1]0xd0,%f4
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8P_hi(void *rs1, unsigned int index)
+!
+	.inline vis_lddfa_ASI_FL8P_hi,12
+	sra     %o1,16,%o1
+	ldda	[%o0+%o1]0xd0,%f4
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8P_lo(void *rs1, unsigned int index)
+!
+	.inline vis_lddfa_ASI_FL8P_lo,12
+	sll     %o1,16,%o1
+	sra     %o1,16,%o1
+	ldda	[%o0+%o1]0xd0,%f4
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8S(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL8S,8
+	ldda	[%o0]0xd1,%f4	! ASI_FL8_S
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16P(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL16P,8
+	ldda	[%o0]0xd2,%f4	! ASI_FL16_P
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16P_index(void *rs1, long index)
+!
+	.inline vis_lddfa_ASI_FL16P_index,16
+	ldda	[%o0+%o1]0xd2,%f4 ! ASI_FL16_P
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16S(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL16S,8
+	ldda	[%o0]0xd3,%f4	! ASI_FL16_S
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8PL(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL8PL,8
+	ldda	[%o0]0xd8,%f4	! ASI_FL8_PL
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8PL_index(void *rs1, long index)
+!
+	.inline vis_lddfa_ASI_FL8PL_index,16
+	ldda	[%o0+%o1]0xd8,%f4	! ASI_FL8_PL
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL8SL(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL8SL,8
+	ldda	[%o0]0xd9,%f4	! ASI_FL8_SL
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16PL(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL16PL,8
+	ldda	[%o0]0xda,%f4	! ASI_FL16_PL
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16PL_index(void *rs1, long index)
+!
+	.inline vis_lddfa_ASI_FL16PL_index,16
+	ldda	[%o0+%o1]0xda,%f4	! ASI_FL16_PL
+	fmovd	%f4,%f0
+	.end
+!
+! double vis_lddfa_ASI_FL16SL(void *rs1)
+!
+	.inline vis_lddfa_ASI_FL16SL,8
+	ldda	[%o0]0xdb,%f4	! ASI_FL16_SL
+	fmovd	%f4,%f0
+	.end
+
+!--------------------------------------------------------------------
+! Graphics status register
+!
+! unsigned int vis_read_gsr(void)
+!
+	.inline vis_read_gsr,0
+	rd	%gsr,%o0
+	.end
+!
+! void vis_write_gsr(unsigned int /* GSR */)
+!
+	.inline vis_write_gsr,4
+	wr	%g0,%o0,%gsr
+	.end
+
+!--------------------------------------------------------------------
+! Voxel texture mapping
+!
+! unsigned long vis_array8(unsigned long long /*rs1 */, int /*rs2*/)
+!
+	.inline	vis_array8,12
+	array8	%o0,%o1,%o0
+	.end
+!
+! unsigned long vis_array16(unsigned long long /*rs1*/, int /*rs2*/)
+!
+	.inline	vis_array16,12
+	array16	%o0,%o1,%o0
+	.end
+!
+! unsigned long vis_array32(unsigned long long /*rs1*/, int /*rs2*/)
+!
+	.inline	vis_array32,12
+	array32	%o0,%o1,%o0
+	.end
+
+!--------------------------------------------------------------------
+! Register aliasing and type casts
+!
+! float vis_read_hi(double /* frs1 */);
+!
+	.inline vis_read_hi,8
+	fmovs	%f0,%f0
+	.end
+!
+! float vis_read_lo(double /* frs1 */);
+!
+	.inline vis_read_lo,8
+	fmovs	%f1,%f0		! %f0 = low word (frs1); return %f0;
+	.end
+!
+! double vis_write_hi(double /* frs1 */, float /* frs2 */);
+!
+	.inline vis_write_hi,12
+	fmovs	%f3,%f0		! %f3 = float frs2; return %f0:f1;
+	.end
+!
+! double vis_write_lo(double /* frs1 */, float /* frs2 */);
+!
+	.inline vis_write_lo,12
+	fmovs	%f3,%f1		! %f3 = float frs2; return %f0:f1;
+	.end
+!
+! double vis_freg_pair(float /* frs1 */, float /* frs2 */);
+!
+	.inline vis_freg_pair,8
+	fmovs	%f1,%f0		! %f1 = float frs1; put in hi;
+	fmovs	%f3,%f1		! %f3 = float frs2; put in lo; return %f0:f1;
+	.end
+!
+! float vis_to_float(unsigned int /*value*/);
+!
+	.inline vis_to_float,4
+	st	%o0,[%sp+2183]
+	ld	[%sp+2183],%f0
+	.end
+!
+! double vis_to_double(unsigned int /*value1*/, unsigned int /*value2*/);
+!
+	.inline vis_to_double,8
+	st	%o0,[%sp+2183]
+	ld	[%sp+2183],%f0
+	st	%o1,[%sp+2183]
+	ld	[%sp+2183],%f1
+	.end
+!
+! double vis_to_double_dup(unsigned int /*value*/);
+!
+	.inline vis_to_double_dup,4
+	st	%o0,[%sp+2183]
+	ld	[%sp+2183],%f1
+	fmovs	%f1,%f0		! duplicate value
+	.end
+!
+! double vis_ll_to_double(unsigned long long /*value*/);
+!
+	.inline vis_ll_to_double,8
+	stx     %o0,[%sp+2183]
+	ldd     [%sp+2183],%f0
+        .end
+
+!--------------------------------------------------------------------
+! Address space identifier (ASI) register
+!
+! unsigned int vis_read_asi(void)
+!
+	.inline vis_read_asi,0
+	rd	%asi,%o0
+	.end
+!
+! void vis_write_asi(unsigned int /* ASI */)
+!
+	.inline vis_write_asi,4
+	wr	%g0,%o0,%asi
+	.end
+
+!--------------------------------------------------------------------
+! Load/store from/into alternate space
+!
+! float vis_ldfa_ASI_REG(void *rs1)
+!
+	.inline vis_ldfa_ASI_REG,8
+	lda	[%o0+0]%asi,%f4
+	fmovs	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! float vis_ldfa_ASI_P(void *rs1)
+!
+	.inline vis_ldfa_ASI_P,8
+	lda	[%o0]0x80,%f4	! ASI_P
+	fmovs	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! float vis_ldfa_ASI_PL(void *rs1)
+!
+	.inline vis_ldfa_ASI_PL,8
+	lda	[%o0]0x88,%f4	! ASI_PL
+	fmovs	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! double vis_lddfa_ASI_REG(void *rs1)
+!
+	.inline vis_lddfa_ASI_REG,8
+	ldda	[%o0+0]%asi,%f4
+	fmovd	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! double vis_lddfa_ASI_P(void *rs1)
+!
+	.inline vis_lddfa_ASI_P,8
+	ldda	[%o0]0x80,%f4	! ASI_P
+	fmovd	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! double vis_lddfa_ASI_PL(void *rs1)
+!
+	.inline vis_lddfa_ASI_PL,8
+	ldda	[%o0]0x88,%f4	! ASI_PL
+	fmovd	%f4,%f0	        ! Compiler can clean this up
+	.end
+!
+! vis_stfa_ASI_REG(float frs, void *rs1)
+!
+	.inline vis_stfa_ASI_REG,12
+	sta	%f1,[%o1+0]%asi
+	.end
+!
+! vis_stfa_ASI_P(float frs, void *rs1)
+!
+	.inline vis_stfa_ASI_P,12
+	sta	%f1,[%o1]0x80	! ASI_P
+	.end
+!
+! vis_stfa_ASI_PL(float frs, void *rs1)
+!
+	.inline vis_stfa_ASI_PL,12
+	sta	%f1,[%o1]0x88	! ASI_PL
+	.end
+!
+! vis_stdfa_ASI_REG(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_REG,16
+	stda	%f0,[%o1+0]%asi
+	.end
+!
+! vis_stdfa_ASI_P(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_P,16
+	stda	%f0,[%o1]0x80	! ASI_P
+	.end
+!
+! vis_stdfa_ASI_PL(double frd, void *rs1)
+!
+	.inline vis_stdfa_ASI_PL,16
+	stda	%f0,[%o1]0x88	! ASI_PL
+	.end
+!
+! unsigned short vis_lduha_ASI_REG(void *rs1)
+!
+	.inline vis_lduha_ASI_REG,8
+	lduha	[%o0+0]%asi,%o0
+	.end
+!
+! unsigned short vis_lduha_ASI_P(void *rs1)
+!
+	.inline vis_lduha_ASI_P,8
+	lduha	[%o0]0x80,%o0	! ASI_P
+	.end
+!
+! unsigned short vis_lduha_ASI_PL(void *rs1)
+!
+	.inline vis_lduha_ASI_PL,8
+	lduha	[%o0]0x88,%o0	! ASI_PL
+	.end
+!
+! unsigned short vis_lduha_ASI_P_index(void *rs1, long index)
+!
+	.inline vis_lduha_ASI_P_index,16
+	lduha	[%o0+%o1]0x80,%o0	! ASI_P
+	.end
+!
+! unsigned short vis_lduha_ASI_PL_index(void *rs1, long index)
+!
+	.inline vis_lduha_ASI_PL_index,16
+	lduha	[%o0+%o1]0x88,%o0	! ASI_PL
+	.end
+
+!--------------------------------------------------------------------
+! Prefetch
+!
+! void vis_prefetch_read(void * /*address*/);
+!
+	.inline vis_prefetch_read,8
+	prefetch	[%o0+0],0
+	.end
+!
+! void vis_prefetch_write(void * /*address*/);
+!
+	.inline vis_prefetch_write,8
+	prefetch	[%o0+0],2
+	.end
diff --git a/security/nss/lib/freebl/mpi/vis_proto.h b/security/nss/lib/freebl/mpi/vis_proto.h
new file mode 100644
index 000000000..44192ad53
--- /dev/null
+++ b/security/nss/lib/freebl/mpi/vis_proto.h
@@ -0,0 +1,263 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is prototypes for vis.il  (vis_proto.h 1.3)
+ *
+ * The Initial Developer of the Original Code is Sun Microsystems Inc.
+ * Portions created by Sun Microsystems Inc. are 
+ * Copyright (C) 1995, 1997 Sun Microsystems Inc. All Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.	If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *  $Id$
+ */
+
+/*
+ * Prototypes for the inline templates in vis.il
+ */
+
+#ifndef VIS_PROTO_H
+#define VIS_PROTO_H
+
+#pragma ident	"@(#)vis_proto.h	1.3	97/03/30 SMI"
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+/* Pure edge handling instructions */
+int vis_edge8(void * /*frs1*/, void * /*frs2*/);
+int vis_edge8l(void * /*frs1*/, void * /*frs2*/);
+int vis_edge16(void * /*frs1*/, void * /*frs2*/);
+int vis_edge16l(void * /*frs1*/, void * /*frs2*/);
+int vis_edge32(void * /*frs1*/, void * /*frs2*/);
+int vis_edge32l(void * /*frs1*/, void * /*frs2*/);
+
+/* Edge handling instructions with negative return values if cc set. */
+int vis_edge8cc(void * /*frs1*/, void * /*frs2*/);
+int vis_edge8lcc(void * /*frs1*/, void * /*frs2*/);
+int vis_edge16cc(void * /*frs1*/, void * /*frs2*/);
+int vis_edge16lcc(void * /*frs1*/, void * /*frs2*/);
+int vis_edge32cc(void * /*frs1*/, void * /*frs2*/);
+int vis_edge32lcc(void * /*frs1*/, void * /*frs2*/);
+
+/* Alignment instructions. */
+void *vis_alignaddr(void * /*rs1*/, int /*rs2*/);
+void *vis_alignaddrl(void * /*rs1*/, int /*rs2*/);
+double vis_faligndata(double /*frs1*/, double /*frs2*/);
+
+/* Partitioned comparison instructions. */
+int vis_fcmple16(double /*frs1*/, double /*frs2*/);
+int vis_fcmpne16(double /*frs1*/, double /*frs2*/);
+int vis_fcmple32(double /*frs1*/, double /*frs2*/);
+int vis_fcmpne32(double /*frs1*/, double /*frs2*/);
+int vis_fcmpgt16(double /*frs1*/, double /*frs2*/);
+int vis_fcmpeq16(double /*frs1*/, double /*frs2*/);
+int vis_fcmpgt32(double /*frs1*/, double /*frs2*/);
+int vis_fcmpeq32(double /*frs1*/, double /*frs2*/);
+
+/* Partitioned multiplication. */
+#if 0
+double vis_fmul8x16(float /*frs1*/, double /*frs2*/);
+#endif
+double vis_fmul8x16_dummy(float /*frs1*/, int /*dummy*/, double /*frs2*/);
+double vis_fmul8x16au(float /*frs1*/, float /*frs2*/);
+double vis_fmul8x16al(float /*frs1*/, float /*frs2*/);
+double vis_fmul8sux16(double /*frs1*/, double /*frs2*/);
+double vis_fmul8ulx16(double /*frs1*/, double /*frs2*/);
+double vis_fmuld8ulx16(float /*frs1*/, float /*frs2*/);
+double vis_fmuld8sux16(float /*frs1*/, float /*frs2*/);
+
+/* Partitioned addition & subtraction. */
+double vis_fpadd16(double /*frs1*/, double /*frs2*/);
+float vis_fpadd16s(float /*frs1*/, float /*frs2*/);
+double vis_fpadd32(double /*frs1*/, double /*frs2*/);
+float vis_fpadd32s(float /*frs1*/, float /*frs2*/);
+double vis_fpsub16(double /*frs1*/, double /*frs2*/);
+float vis_fpsub16s(float /*frs1*/, float /*frs2*/);
+double vis_fpsub32(double /*frs1*/, double /*frs2*/);
+float vis_fpsub32s(float /*frs1*/, float /*frs2*/);
+
+/* Pixel packing & clamping. */
+float vis_fpack16(double /*frs2*/);
+double vis_fpack32(double /*frs1*/, double /*frs2*/);
+float vis_fpackfix(double /*frs2*/);
+
+/* Combined pack ops. */
+double vis_fpack16_pair(double /*frs2*/, double /*frs2*/);
+double vis_fpackfix_pair(double /*frs2*/, double /*frs2*/);
+void vis_st2_fpack16(double, double, double *);
+void vis_std_fpack16(double, double, double *);
+void vis_st2_fpackfix(double, double, double *);
+
+double vis_fpack16_to_hi(double /*frs1*/, double /*frs2*/);
+double vis_fpack16_to_lo(double /*frs1*/, double /*frs2*/);
+
+/* Motion estimation. */
+double vis_pdist(double /*frs1*/, double /*frs2*/, double /*frd*/);
+
+/* Channel merging. */
+double vis_fpmerge(float /*frs1*/, float /*frs2*/);
+
+/* Pixel expansion. */
+double vis_fexpand(float /*frs2*/);
+double vis_fexpand_hi(double /*frs2*/);
+double vis_fexpand_lo(double /*frs2*/);
+
+/* Bitwise logical operators. */
+double vis_fnor(double /*frs1*/, double /*frs2*/);
+float vis_fnors(float /*frs1*/, float /*frs2*/);
+double vis_fandnot(double /*frs1*/, double /*frs2*/);
+float vis_fandnots(float /*frs1*/, float /*frs2*/);
+double vis_fnot(double /*frs1*/);
+float vis_fnots(float /*frs1*/);
+double vis_fxor(double /*frs1*/, double /*frs2*/);
+float vis_fxors(float /*frs1*/, float /*frs2*/);
+double vis_fnand(double /*frs1*/, double /*frs2*/);
+float vis_fnands(float /*frs1*/, float /*frs2*/);
+double vis_fand(double /*frs1*/, double /*frs2*/);
+float vis_fands(float /*frs1*/, float /*frs2*/);
+double vis_fxnor(double /*frs1*/, double /*frs2*/);
+float vis_fxnors(float /*frs1*/, float /*frs2*/);
+double vis_fsrc(double /*frs1*/);
+float vis_fsrcs(float /*frs1*/);
+double vis_fornot(double /*frs1*/, double /*frs2*/);
+float vis_fornots(float /*frs1*/, float /*frs2*/);
+double vis_for(double /*frs1*/, double /*frs2*/);
+float vis_fors(float /*frs1*/, float /*frs2*/);
+double vis_fzero(void);
+float vis_fzeros(void);
+double vis_fone(void);
+float vis_fones(void);
+
+/* Partial stores. */
+void vis_stdfa_ASI_PST8P(double /*frd*/, void * /*rs1*/, int /*rmask*/);
+void vis_stdfa_ASI_PST8PL(double /*frd*/, void * /*rs1*/, int /*rmask*/);
+void vis_stdfa_ASI_PST8P_int_pair(void * /*rs1*/, void * /*rs2*/,
+                                  void * /*rs3*/, int /*rmask*/);
+void vis_stdfa_ASI_PST8S(double /*frd*/, void * /*rs1*/, int /*rmask*/);
+void vis_stdfa_ASI_PST16P(double /*frd*/, void * /*rs1*/, int /*rmask*/);
+void vis_stdfa_ASI_PST16S(double /*frd*/, void * /*rs1*/, int /*rmask*/);
+void vis_stdfa_ASI_PST32P(double /*frd*/, void * /*rs1*/, int /*rmask*/);
+void vis_stdfa_ASI_PST32S(double /*frd*/, void * /*rs1*/, int /*rmask*/);
+
+/* Byte & short stores. */
+void vis_stdfa_ASI_FL8P(double /*frd*/, void * /*rs1*/);
+void vis_stdfa_ASI_FL8P_index(double /*frd*/, void * /*rs1*/, long /*index*/);
+void vis_stdfa_ASI_FL8S(double /*frd*/, void * /*rs1*/);
+void vis_stdfa_ASI_FL16P(double /*frd*/, void * /*rs1*/);
+void vis_stdfa_ASI_FL16P_index(double /*frd*/, void * /*rs1*/, long /*index*/);
+void vis_stdfa_ASI_FL16S(double /*frd*/, void * /*rs1*/);
+void vis_stdfa_ASI_FL8PL(double /*frd*/, void * /*rs1*/);
+void vis_stdfa_ASI_FL8SL(double /*frd*/, void * /*rs1*/);
+void vis_stdfa_ASI_FL16PL(double /*frd*/, void * /*rs1*/);
+void vis_stdfa_ASI_FL16SL(double /*frd*/, void * /*rs1*/);
+
+/* Byte & short loads. */
+double vis_lddfa_ASI_FL8P(void * /*rs1*/);
+double vis_lddfa_ASI_FL8P_index(void * /*rs1*/, long /*index*/);
+double vis_lddfa_ASI_FL8P_hi(void * /*rs1*/, unsigned int /*index*/);
+double vis_lddfa_ASI_FL8P_lo(void * /*rs1*/, unsigned int /*index*/);
+double vis_lddfa_ASI_FL8S(void * /*rs1*/);
+double vis_lddfa_ASI_FL16P(void * /*rs1*/);
+double vis_lddfa_ASI_FL16P_index(void * /*rs1*/, long /*index*/);
+double vis_lddfa_ASI_FL16S(void * /*rs1*/);
+double vis_lddfa_ASI_FL8PL(void * /*rs1*/);
+double vis_lddfa_ASI_FL8SL(void * /*rs1*/);
+double vis_lddfa_ASI_FL16PL(void * /*rs1*/);
+double vis_lddfa_ASI_FL16SL(void * /*rs1*/);
+
+/* Direct write to GSR, read from GSR */
+void vis_write_gsr(unsigned int /*GSR*/);
+unsigned int vis_read_gsr(void);
+
+/* Voxel texture mapping. */
+#if !defined(_NO_LONGLONG)
+unsigned long vis_array8(unsigned long long /*rs1*/, int /*rs2*/);
+unsigned long vis_array16(unsigned long long /*rs1*/, int /*rs2*/);
+unsigned long vis_array32(unsigned long long /*rs1*/, int /*rs2*/);
+#endif /* !defined(_NO_LONGLONG) */
+
+/* Register aliasing and type casts. */
+float vis_read_hi(double /*frs1*/);
+float vis_read_lo(double /*frs1*/);
+double vis_write_hi(double /*frs1*/, float /*frs2*/);
+double vis_write_lo(double /*frs1*/, float /*frs2*/);
+double vis_freg_pair(float /*frs1*/, float /*frs2*/);
+float vis_to_float(unsigned int /*value*/);
+double vis_to_double(unsigned int /*value1*/, unsigned int /*value2*/);
+double vis_to_double_dup(unsigned int /*value*/);
+#if !defined(_NO_LONGLONG)
+double vis_ll_to_double(unsigned long long /*value*/);
+#endif /* !defined(_NO_LONGLONG) */
+
+/* Miscellany (no inlines) */
+void vis_error(char * /*fmt*/, int /*a0*/);
+void vis_sim_init(void);
+
+/* For better performance */
+#define vis_fmul8x16(farg,darg) vis_fmul8x16_dummy((farg),0,(darg))
+
+/* Nicknames for explicit ASI loads and stores. */
+#define vis_st_u8      vis_stdfa_ASI_FL8P
+#define vis_st_u8_i    vis_stdfa_ASI_FL8P_index
+#define vis_st_u8_le   vis_stdfa_ASI_FL8PL
+#define vis_st_u16     vis_stdfa_ASI_FL16P
+#define vis_st_u16_i   vis_stdfa_ASI_FL16P_index
+#define vis_st_u16_le  vis_stdfa_ASI_FL16PL
+
+#define vis_ld_u8      vis_lddfa_ASI_FL8P
+#define vis_ld_u8_i    vis_lddfa_ASI_FL8P_index
+#define vis_ld_u8_le   vis_lddfa_ASI_FL8PL
+#define vis_ld_u16     vis_lddfa_ASI_FL16P
+#define vis_ld_u16_i   vis_lddfa_ASI_FL16P_index
+#define vis_ld_u16_le  vis_lddfa_ASI_FL16PL
+
+#define vis_pst_8      vis_stdfa_ASI_PST8P
+#define vis_pst_16     vis_stdfa_ASI_PST16P
+#define vis_pst_32     vis_stdfa_ASI_PST32P
+
+#define vis_st_u8s     vis_stdfa_ASI_FL8S
+#define vis_st_u8s_le  vis_stdfa_ASI_FL8SL
+#define vis_st_u16s    vis_stdfa_ASI_FL16S
+#define vis_st_u16s_le vis_stdfa_ASI_FL16SL
+
+#define vis_ld_u8s     vis_lddfa_ASI_FL8S
+#define vis_ld_u8s_le  vis_lddfa_ASI_FL8SL
+#define vis_ld_u16s    vis_lddfa_ASI_FL16S
+#define vis_ld_u16s_le vis_lddfa_ASI_FL16SL
+
+#define vis_pst_8s     vis_stdfa_ASI_PST8S
+#define vis_pst_16s    vis_stdfa_ASI_PST16S
+#define vis_pst_32s    vis_stdfa_ASI_PST32S
+
+/* "<" and ">=" may be implemented in terms of ">" and "<=". */
+#define vis_fcmplt16(a,b) vis_fcmpgt16((b),(a))
+#define vis_fcmplt32(a,b) vis_fcmpgt32((b),(a))
+#define vis_fcmpge16(a,b) vis_fcmple16((b),(a))
+#define vis_fcmpge32(a,b) vis_fcmple32((b),(a))
+
+#ifdef __cplusplus
+} // End of extern "C"
+#endif /* __cplusplus */
+
+#endif /* VIS_PROTO_H */
diff --git a/security/nss/lib/freebl/os2_rand.c b/security/nss/lib/freebl/os2_rand.c
new file mode 100644
index 000000000..7eede8883
--- /dev/null
+++ b/security/nss/lib/freebl/os2_rand.c
@@ -0,0 +1,329 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#define INCL_DOS
+#define INCL_DOSERRORS
+#include <os2.h>
+#include <secrng.h>
+#include <stdlib.h>
+#include <time.h>
+#include <stdio.h>
+#include <sys/stat.h>
+
+static BOOL clockTickTime(unsigned long *phigh, unsigned long *plow)
+{
+    APIRET rc = NO_ERROR;
+    QWORD qword = {0,0};
+
+    rc = DosTmrQueryTime(&qword);
+    if (rc != NO_ERROR)
+       return FALSE;
+
+    *phigh = qword.ulHi;
+    *plow  = qword.ulLo;
+
+    return TRUE;
+}
+
+size_t RNG_GetNoise(void *buf, size_t maxbuf)
+{
+    unsigned long high = 0;
+    unsigned long low  = 0;
+    clock_t val = 0;
+    int n = 0;
+    int nBytes = 0;
+    time_t sTime;
+
+    if (maxbuf <= 0)
+       return 0;
+
+    clockTickTime(&high, &low);
+
+    /* get the maximally changing bits first */
+    nBytes = sizeof(low) > maxbuf ? maxbuf : sizeof(low);
+    memcpy(buf, &low, nBytes);
+    n += nBytes;
+    maxbuf -= nBytes;
+
+    if (maxbuf <= 0)
+       return n;
+
+    nBytes = sizeof(high) > maxbuf ? maxbuf : sizeof(high);
+    memcpy(((char *)buf) + n, &high, nBytes);
+    n += nBytes;
+    maxbuf -= nBytes;
+
+    if (maxbuf <= 0)
+       return n;
+
+    /* get the number of milliseconds that have elapsed since application started */
+    val = clock();
+
+    nBytes = sizeof(val) > maxbuf ? maxbuf : sizeof(val);
+    memcpy(((char *)buf) + n, &val, nBytes);
+    n += nBytes;
+    maxbuf -= nBytes;
+
+    if (maxbuf <= 0)
+       return n;
+
+    /* get the time in seconds since midnight Jan 1, 1970 */
+    time(&sTime);
+    nBytes = sizeof(sTime) > maxbuf ? maxbuf : sizeof(sTime);
+    memcpy(((char *)buf) + n, &sTime, nBytes);
+    n += nBytes;
+
+    return n;
+}
+
+static BOOL
+EnumSystemFiles(void (*func)(const char *))
+{
+    APIRET              rc;
+    ULONG               sysInfo = 0;
+    char                bootLetter[2];
+    char                sysDir[_MAX_PATH] = "";
+    char                filename[_MAX_PATH];
+    HDIR                hdir = HDIR_CREATE;
+    ULONG               numFiles = 1;
+    FILEFINDBUF3        fileBuf = {0};
+    ULONG               buflen = sizeof(FILEFINDBUF3);
+
+    if (DosQuerySysInfo(QSV_BOOT_DRIVE, QSV_BOOT_DRIVE, (PVOID)&sysInfo,
+                        sizeof(ULONG)) == NO_ERROR)
+    {
+      bootLetter[0] = sysInfo + 'A' -1;
+      strcpy(sysDir, bootLetter);
+      strcpy(sysDir+1, ":\\OS2\\");
+
+      strcpy( filename, sysDir );
+      strcat( filename, "*.*" );
+    }
+
+    rc =DosFindFirst( filename, &hdir, FILE_NORMAL, &fileBuf, buflen,
+                      &numFiles, FIL_STANDARD );
+    if( rc == NO_ERROR )
+    {
+      do {
+        // pass the full pathname to the callback
+        sprintf( filename, "%s\\%s", sysDir, fileBuf.achName );
+        (*func)(filename);
+
+        numFiles = 1;
+        rc = DosFindNext( hdir, &fileBuf, buflen, &numFiles );
+        if( rc != NO_ERROR && rc != ERROR_NO_MORE_FILES )
+          printf( "DosFindNext errod code = %d\n", rc );
+      } while ( rc == NO_ERROR );
+
+      rc = DosFindClose(hdir);
+      if( rc != NO_ERROR )
+        printf( "DosFindClose error code = %d", rc );
+    }
+    else
+      printf( "DosFindFirst error code = %d", rc );
+
+    return TRUE;
+}
+
+static int    dwNumFiles, dwReadEvery;
+
+static void
+CountFiles(const char *file)
+{
+    dwNumFiles++;
+}
+
+static void
+ReadFiles(const char *file)
+{
+    if ((dwNumFiles % dwReadEvery) == 0)
+        RNG_FileForRNG(file);
+
+    dwNumFiles++;
+}
+
+static void
+ReadSystemFiles()
+{
+    // first count the number of files
+    dwNumFiles = 0;
+    if (!EnumSystemFiles(CountFiles))
+        return;
+
+    RNG_RandomUpdate(&dwNumFiles, sizeof(dwNumFiles));
+
+    // now read 10 files
+    if (dwNumFiles == 0)
+        return;
+
+    dwReadEvery = dwNumFiles / 10;
+    if (dwReadEvery == 0)
+        dwReadEvery = 1;  // less than 10 files
+
+    dwNumFiles = 0;
+    EnumSystemFiles(ReadFiles);
+}
+
+void RNG_SystemInfoForRNG(void)
+{
+   unsigned long *plong = 0;
+   PTIB ptib;
+   PPIB ppib;
+   APIRET rc = NO_ERROR;
+   DATETIME dt;
+   COUNTRYCODE cc = {0};
+   COUNTRYINFO ci = {0};
+   unsigned long actual = 0;
+   char path[_MAX_PATH]="";
+   char fullpath[_MAX_PATH]="";
+   unsigned long pathlength = sizeof(path);
+   FSALLOCATE fsallocate;
+   FILESTATUS3 fstatus;
+   unsigned long defaultdrive = 0;
+   unsigned long logicaldrives = 0;
+   unsigned long sysInfo[QSV_MAX] = {0};
+   char buffer[20];
+   int nBytes = 0;
+
+   nBytes = RNG_GetNoise(buffer, sizeof(buffer));
+   RNG_RandomUpdate(buffer, nBytes);
+   
+   /* allocate memory and use address and memory */
+   plong = (unsigned long *)malloc(sizeof(*plong));
+   RNG_RandomUpdate(&plong, sizeof(plong));
+   RNG_RandomUpdate(plong, sizeof(*plong));
+   free(plong);
+
+   /* process info */
+   rc = DosGetInfoBlocks(&ptib, &ppib);
+   if (rc == NO_ERROR)
+   {
+      RNG_RandomUpdate(ptib, sizeof(*ptib));
+      RNG_RandomUpdate(ppib, sizeof(*ppib));
+   }
+
+   /* time */
+   rc = DosGetDateTime(&dt);
+   if (rc == NO_ERROR)
+   {
+      RNG_RandomUpdate(&dt, sizeof(dt));
+   }
+
+   /* country */
+   rc = DosQueryCtryInfo(sizeof(ci), &cc, &ci, &actual);
+   if (rc == NO_ERROR)
+   {
+      RNG_RandomUpdate(&cc, sizeof(cc));
+      RNG_RandomUpdate(&ci, sizeof(ci));
+      RNG_RandomUpdate(&actual, sizeof(actual));
+   }
+
+   /* current directory */
+   rc = DosQueryCurrentDir(0, path, &pathlength);
+   strcat(fullpath, "\\");
+   strcat(fullpath, path);
+   if (rc == NO_ERROR)
+   {
+      RNG_RandomUpdate(fullpath, strlen(fullpath));
+      // path info
+      rc = DosQueryPathInfo(fullpath, FIL_STANDARD, &fstatus, sizeof(fstatus));
+      if (rc == NO_ERROR)
+      {
+         RNG_RandomUpdate(&fstatus, sizeof(fstatus));
+      }
+   }
+
+   /* file system info */
+   rc = DosQueryFSInfo(0, FSIL_ALLOC, &fsallocate, sizeof(fsallocate));
+   if (rc == NO_ERROR)
+   {
+      RNG_RandomUpdate(&fsallocate, sizeof(fsallocate));
+   }
+
+   /* drive info */
+   rc = DosQueryCurrentDisk(&defaultdrive, &logicaldrives);
+   if (rc == NO_ERROR)
+   {
+      RNG_RandomUpdate(&defaultdrive, sizeof(defaultdrive));
+      RNG_RandomUpdate(&logicaldrives, sizeof(logicaldrives));
+   }
+
+   /* system info */
+   rc = DosQuerySysInfo(1L, QSV_MAX, (PVOID)&sysInfo, sizeof(ULONG)*QSV_MAX);
+   if (rc == NO_ERROR)
+   {
+      RNG_RandomUpdate(&sysInfo, sizeof(sysInfo));
+   }
+
+   // now let's do some files
+   ReadSystemFiles();
+
+   /* more noise */
+   nBytes = RNG_GetNoise(buffer, sizeof(buffer));
+   RNG_RandomUpdate(buffer, nBytes);
+}
+
+void RNG_FileForRNG(const char *filename)
+{
+    struct stat stat_buf;
+    unsigned char buffer[1024];
+    FILE *file = 0;
+    int nBytes = 0;
+    static int totalFileBytes = 0;
+    
+    if (stat((char *)filename, &stat_buf) < 0)
+       return;
+
+    RNG_RandomUpdate((unsigned char*)&stat_buf, sizeof(stat_buf));
+    
+    file = fopen((char *)filename, "r");
+    if (file != NULL)
+    {
+       for (;;)
+       {
+           size_t bytes = fread(buffer, 1, sizeof(buffer), file);
+
+           if (bytes == 0)
+              break;
+
+           RNG_RandomUpdate(buffer, bytes);
+           totalFileBytes += bytes;
+           if (totalFileBytes > 250000)
+              break;
+       }
+       fclose(file);
+    }
+
+    nBytes = RNG_GetNoise(buffer, 20); 
+    RNG_RandomUpdate(buffer, nBytes);
+}
diff --git a/security/nss/lib/freebl/pqg.c b/security/nss/lib/freebl/pqg.c
new file mode 100644
index 000000000..dca53e93d
--- /dev/null
+++ b/security/nss/lib/freebl/pqg.c
@@ -0,0 +1,667 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.	Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.	If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * PQG parameter generation/verification.  Based on FIPS 186-1.
+ *
+ * $Id$
+ */
+
+#include "prerr.h"
+#include "secerr.h"
+
+#include "prtypes.h"
+#include "blapi.h"
+#include "secitem.h"
+#include "mpi.h"
+#include "mpprime.h"
+#include "mplogic.h"
+#include "secmpi.h"
+
+#define MAX_ITERATIONS 600  /* Maximum number of iterations of primegen */
+#define PQG_Q_PRIMALITY_TESTS 18 /* from HAC table 4.4 */
+#define PQG_P_PRIMALITY_TESTS 5  /* from HAC table 4.4 */
+
+ /* XXX to be replaced by define in blapit.h */
+#define BITS_IN_Q 160
+
+/* For FIPS-compliance testing.
+** The following array holds the seed defined in FIPS 186-1 appendix 5.
+** This seed is used to generate P and Q according to appendix 2; use of
+** this seed will exactly generate the PQG specified in appendix 2.
+*/
+#ifdef FIPS_186_1_A5_TEST
+static const unsigned char fips_186_1_a5_pqseed[] = {
+    0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8,
+    0xb6, 0x21, 0x1b, 0x40, 0x62, 0xba, 0x32, 0x24,
+    0xe0, 0x42, 0x7d, 0xd3
+};
+#endif
+
+/* Get a seed for generating P and Q.  If in testing mode, copy in the
+** seed from FIPS 186-1 appendix 5.  Otherwise, obtain bytes from the
+** global random number generator.
+*/
+static SECStatus
+getPQseed(SECItem *seed)
+{
+    if (seed->data) {
+        PORT_Free(seed->data);
+        seed->data = NULL;
+    }
+    seed->data = (unsigned char*)PORT_ZAlloc(seed->len);
+    if (!seed->data) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+#ifdef FIPS_186_1_A5_TEST
+    memcpy(seed->data, fips_186_1_a5_pqseed, seed->len);
+    return SECSuccess;
+#else
+    return RNG_GenerateGlobalRandomBytes(seed->data, seed->len);
+#endif
+}
+
+/* Generate a candidate h value.  If in testing mode, use the h value
+** specified in FIPS 186-1 appendix 5, h = 2.  Otherwise, obtain bytes
+** from the global random number generator.
+*/
+static SECStatus
+generate_h_candidate(SECItem *hit, mp_int *H)
+{
+    SECStatus rv = SECSuccess;
+    mp_err   err = MP_OKAY;
+#ifdef FIPS_186_1_A5_TEST
+    memset(hit->data, 0, hit->len);
+    hit->data[hit->len-1] = 0x02;
+#else
+    rv = RNG_GenerateGlobalRandomBytes(hit->data, hit->len);
+#endif
+    if (rv)
+	return SECFailure;
+    err = mp_read_unsigned_octets(H, hit->data, hit->len);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/* Compute SHA[(SEED + addend) mod 2**g]
+** Result is placed in shaOutBuf.
+** This computation is used in steps 2 and 7 of FIPS 186 Appendix 2.2 .
+*/
+static SECStatus
+addToSeedThenSHA(const SECItem * seed,
+                 unsigned long   addend,
+                 int             g,
+                 unsigned char * shaOutBuf)
+{
+    SECItem str = { 0, 0, 0 };
+    mp_int s, sum, modulus, tmp;
+    mp_err    err = MP_OKAY;
+    SECStatus rv  = SECSuccess;
+    MP_DIGITS(&s)       = 0;
+    MP_DIGITS(&sum)     = 0;
+    MP_DIGITS(&modulus) = 0;
+    MP_DIGITS(&tmp)     = 0;
+    CHECK_MPI_OK( mp_init(&s) );
+    CHECK_MPI_OK( mp_init(&sum) );
+    CHECK_MPI_OK( mp_init(&modulus) );
+    SECITEM_TO_MPINT(*seed, &s); /* s = seed */
+    /* seed += addend */
+    if (addend < MP_DIGIT_MAX) {
+	CHECK_MPI_OK( mp_add_d(&s, (mp_digit)addend, &s) );
+    } else {
+	CHECK_MPI_OK( mp_init(&tmp) );
+	CHECK_MPI_OK( mp_set_ulong(&tmp, addend) );
+	CHECK_MPI_OK( mp_add(&s, &tmp, &s) );
+    }
+    CHECK_MPI_OK( mp_div_2d(&s, (mp_digit)g, NULL, &sum) );/*sum = s mod 2**g */
+    MPINT_TO_SECITEM(&sum, &str, NULL);
+    rv = SHA1_HashBuf(shaOutBuf, str.data, str.len); /* SHA1 hash result */
+cleanup:
+    mp_clear(&s);
+    mp_clear(&sum);
+    mp_clear(&modulus);
+    mp_clear(&tmp);
+    if (str.data)
+	SECITEM_ZfreeItem(&str, PR_FALSE);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	return SECFailure;
+    }
+    return rv;
+}
+
+/*
+**  Perform steps 2 and 3 of FIPS 186, appendix 2.2.
+**  Generate Q from seed.
+*/
+static SECStatus
+makeQfromSeed(
+      unsigned int  g,          /* input.  Length of seed in bits. */
+const SECItem   *   seed,       /* input.  */
+      mp_int    *   Q)          /* output. */
+{
+    unsigned char sha1[SHA1_LENGTH];
+    unsigned char sha2[SHA1_LENGTH];
+    unsigned char U[SHA1_LENGTH];
+    SECStatus rv  = SECSuccess;
+    mp_err    err = MP_OKAY;
+    int i;
+    /* ******************************************************************
+    ** Step 2.
+    ** "Compute U = SHA[SEED] XOR SHA[(SEED+1) mod 2**g]."
+    **/
+    CHECK_SEC_OK( SHA1_HashBuf(sha1, seed->data, seed->len) );
+    CHECK_SEC_OK( addToSeedThenSHA(seed, 1, g, sha2) );
+    for (i=0; i<SHA1_LENGTH; ++i) 
+	U[i] = sha1[i] ^ sha2[i];
+    /* ******************************************************************
+    ** Step 3.
+    ** "Form Q from U by setting the most signficant bit (the 2**159 bit)
+    **  and the least signficant bit to 1.  In terms of boolean operations,
+    **  Q = U OR 2**159 OR 1.  Note that 2**159 < Q < 2**160."
+    */
+    U[0]             |= 0x80;  /* U is MSB first */
+    U[SHA1_LENGTH-1] |= 0x01;
+    err = mp_read_unsigned_octets(Q, U, SHA1_LENGTH);
+cleanup:
+     memset(U, 0, SHA1_LENGTH);
+     memset(sha1, 0, SHA1_LENGTH);
+     memset(sha2, 0, SHA1_LENGTH);
+     if (err) {
+	MP_TO_SEC_ERROR(err);
+	return SECFailure;
+     }
+     return rv;
+}
+
+/*  Perform steps 7, 8 and 9 of FIPS 186, appendix 2.2.
+**  Generate P from Q, seed, L, and offset.
+*/
+static SECStatus
+makePfromQandSeed(
+      unsigned int  L,          /* Length of P in bits.  Per FIPS 186. */
+      unsigned int  offset,     /* Per FIPS 186, appendix 2.2. */
+      unsigned int  g,          /* input.  Length of seed in bits. */
+const SECItem   *   seed,       /* input.  */
+const mp_int    *   Q,          /* input.  */
+      mp_int    *   P)          /* output. */
+{
+    unsigned int  k;            /* Per FIPS 186, appendix 2.2. */
+    unsigned int  n;            /* Per FIPS 186, appendix 2.2. */
+    mp_digit      b;            /* Per FIPS 186, appendix 2.2. */
+    unsigned char V_k[SHA1_LENGTH];
+    mp_int        W, X, c, twoQ, V_n, tmp;
+    mp_err    err = MP_OKAY;
+    SECStatus rv  = SECSuccess;
+    /* Initialize bignums */
+    MP_DIGITS(&W)     = 0;
+    MP_DIGITS(&X)     = 0;
+    MP_DIGITS(&c)     = 0;
+    MP_DIGITS(&twoQ)  = 0;
+    MP_DIGITS(&V_n)   = 0;
+    MP_DIGITS(&tmp)   = 0;
+    CHECK_MPI_OK( mp_init(&W)    );
+    CHECK_MPI_OK( mp_init(&X)    );
+    CHECK_MPI_OK( mp_init(&c)    );
+    CHECK_MPI_OK( mp_init(&twoQ) );
+    CHECK_MPI_OK( mp_init(&tmp)  );
+    CHECK_MPI_OK( mp_init(&V_n)  );
+    /* L - 1 = n*160 + b */
+    n = (L - 1) / BITS_IN_Q;
+    b = (L - 1) % BITS_IN_Q;
+    /* ******************************************************************
+    ** Step 7.
+    **  "for k = 0 ... n let
+    **           V_k = SHA[(SEED + offset + k) mod 2**g]."
+    **
+    ** Step 8.
+    **  "Let W be the integer 
+    **    W = V_0 + (V_1 * 2**160) + ... + (V_n-1 * 2**((n-1)*160)) 
+    **         + ((V_n mod 2**b) * 2**(n*160))
+    */
+    for (k=0; k<n; ++k) { /* Do the first n terms of V_k */
+	/* Do step 7 for iteration k.
+	** V_k = SHA[(seed + offset + k) mod 2**g]
+	*/
+	CHECK_SEC_OK( addToSeedThenSHA(seed, offset + k, g, V_k) );
+	/* Do step 8 for iteration k.
+	** W += V_k * 2**(k*160)
+	*/
+	OCTETS_TO_MPINT(V_k, &tmp, SHA1_LENGTH);      /* get bignum V_k     */
+	CHECK_MPI_OK( mpl_lsh(&tmp, &tmp, k*160) );   /* tmp = V_k << k*160 */
+	CHECK_MPI_OK( mp_add(&W, &tmp, &W) );         /* W += tmp           */
+    }
+    /* Step 8, continued.
+    **   [W += ((V_n mod 2**b) * 2**(n*160))] 
+    */
+    CHECK_SEC_OK( addToSeedThenSHA(seed, offset + n, g, V_k) );
+    OCTETS_TO_MPINT(V_k, &V_n, SHA1_LENGTH);          /* get bignum V_n     */
+    CHECK_MPI_OK( mp_div_2d(&V_n, b, NULL, &tmp) );   /* tmp = V_n mod 2**b */
+    CHECK_MPI_OK( mpl_lsh(&tmp, &tmp, n*160) );       /* tmp = tmp << n*160 */
+    CHECK_MPI_OK( mp_add(&W, &tmp, &W) );             /* W += tmp           */
+    /* Step 8, continued.
+    ** "and let X = W + 2**(L-1).
+    **  Note that 0 <= W < 2**(L-1) and hence 2**(L-1) <= X < 2**L."
+    */
+    CHECK_MPI_OK( mpl_set_bit(&X, (mp_size)(L-1), 1) );    /* X = 2**(L-1) */
+    CHECK_MPI_OK( mp_add(&X, &W, &X) );                    /* X += W       */
+    /*************************************************************
+    ** Step 9.
+    ** "Let c = X mod 2q  and set p = X - (c - 1).
+    **  Note that p is congruent to 1 mod 2q."
+    */
+    CHECK_MPI_OK( mp_mul_2(Q, &twoQ) );                    /* 2q           */
+    CHECK_MPI_OK( mp_mod(&X, &twoQ, &c) );                 /* c = X mod 2q */
+    CHECK_MPI_OK( mp_sub_d(&c, 1, &c) );                   /* c -= 1       */
+    CHECK_MPI_OK( mp_sub(&X, &c, P) );                     /* P = X - c    */
+cleanup:
+    mp_clear(&W);
+    mp_clear(&X);
+    mp_clear(&c);
+    mp_clear(&twoQ);
+    mp_clear(&V_n);
+    mp_clear(&tmp);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	return SECFailure;
+    }
+    return rv;
+}
+
+/*
+** Generate G from h, P, and Q.
+*/
+static SECStatus
+makeGfromH(const mp_int *P,     /* input.  */
+           const mp_int *Q,     /* input.  */
+                 mp_int *H,     /* input and output. */
+                 mp_int *G,     /* output. */
+                 PRBool *passed)
+{
+    mp_int exp, pm1;
+    mp_err err = MP_OKAY;
+    SECStatus rv = SECSuccess;
+    *passed = PR_FALSE;
+    MP_DIGITS(&exp) = 0;
+    MP_DIGITS(&pm1) = 0;
+    CHECK_MPI_OK( mp_init(&exp) );
+    CHECK_MPI_OK( mp_init(&pm1) );
+    CHECK_MPI_OK( mp_sub_d(P, 1, &pm1) );        /* P - 1            */
+    if ( mp_cmp(H, &pm1) > 0)                   /* H = H mod (P-1)  */
+	CHECK_MPI_OK( mp_sub(H, &pm1, H) );
+    /* Let b = 2**n (smallest power of 2 greater than P).
+    ** Since P-1 >= b/2, and H < b, quotient(H/(P-1)) = 0 or 1
+    ** so the above operation safely computes H mod (P-1)
+    */
+    /* Check for H = to 0 or 1.  Regen H if so.  (Regen means return error). */
+    if (mp_cmp_d(H, 1) <= 0) {
+	rv = SECFailure;
+	goto cleanup;
+    }
+    /* Compute G, according to the equation  G = (H ** ((P-1)/Q)) mod P */
+    CHECK_MPI_OK( mp_div(&pm1, Q, &exp, NULL) );  /* exp = (P-1)/Q      */
+    CHECK_MPI_OK( mp_exptmod(H, &exp, P, G) );    /* G = H ** exp mod P */
+    /* Check for G == 0 or G == 1, return error if so. */
+    if (mp_cmp_d(G, 1) <= 0) {
+	rv = SECFailure;
+	goto cleanup;
+    }
+    *passed = PR_TRUE;
+cleanup:
+    mp_clear(&exp);
+    mp_clear(&pm1);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+SECStatus
+PQG_ParamGen(unsigned int j, PQGParams **pParams, PQGVerify **pVfy)
+{
+    unsigned int L;            /* Length of P in bits.  Per FIPS 186. */
+    unsigned int seedBytes;
+
+    if (j > 8 || !pParams || !pVfy) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    L = 512 + (j * 64);         /* bits in P */
+    seedBytes = L/8;
+    return PQG_ParamGenSeedLen(j, seedBytes, pParams, pVfy);
+}
+
+/* This code uses labels and gotos, so that it can follow the numbered
+** steps in the algorithms from FIPS 186 appendix 2.2 very closely,
+** and so that the correctness of this code can be easily verified.
+** So, please forgive the ugly c code.
+**/
+SECStatus
+PQG_ParamGenSeedLen(unsigned int j, unsigned int seedBytes,
+                    PQGParams **pParams, PQGVerify **pVfy)
+{
+    unsigned int  L;        /* Length of P in bits.  Per FIPS 186. */
+    unsigned int  n;        /* Per FIPS 186, appendix 2.2. */
+    unsigned int  b;        /* Per FIPS 186, appendix 2.2. */
+    unsigned int  g;        /* Per FIPS 186, appendix 2.2. */
+    unsigned int  counter;  /* Per FIPS 186, appendix 2.2. */
+    unsigned int  offset;   /* Per FIPS 186, appendix 2.2. */
+    SECItem      *seed;     /* Per FIPS 186, appendix 2.2. */
+    PRArenaPool  *arena  = NULL;
+    PQGParams    *params = NULL;
+    PQGVerify    *verify = NULL;
+    PRBool passed;
+    SECItem hit = { 0, 0, 0 };
+    mp_int P, Q, G, H, l;
+    mp_err    err = MP_OKAY;
+    SECStatus rv  = SECFailure;
+    int iterations = 0;
+    if (j > 8 || !pParams || !pVfy) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    /* Initialize an arena for the params. */
+    arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
+    if (!arena) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    params = (PQGParams *)PORT_ArenaZAlloc(arena, sizeof(PQGParams));
+    if (!params) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_FreeArena(arena, PR_TRUE);
+	return SECFailure;
+    }
+    params->arena = arena;
+    /* Initialize an arena for the verify. */
+    arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
+    if (!arena) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_FreeArena(params->arena, PR_TRUE);
+	return SECFailure;
+    }
+    verify = (PQGVerify *)PORT_ArenaZAlloc(arena, sizeof(PQGVerify));
+    if (!verify) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_FreeArena(arena, PR_TRUE);
+	PORT_FreeArena(params->arena, PR_TRUE);
+	return SECFailure;
+    }
+    verify->arena = arena;
+    seed = &verify->seed;
+    arena = NULL;
+    /* Initialize bignums */
+    MP_DIGITS(&P) = 0;
+    MP_DIGITS(&Q) = 0;
+    MP_DIGITS(&G) = 0;
+    MP_DIGITS(&H) = 0;
+    MP_DIGITS(&l) = 0;
+    CHECK_MPI_OK( mp_init(&P) );
+    CHECK_MPI_OK( mp_init(&Q) );
+    CHECK_MPI_OK( mp_init(&G) );
+    CHECK_MPI_OK( mp_init(&H) );
+    CHECK_MPI_OK( mp_init(&l) );
+    /* Compute lengths. */
+    L = 512 + (j * 64);               /* bits in P */
+    n = (L - 1) / BITS_IN_Q;          /* BITS_IN_Q is 160 */  
+    b = (L - 1) % BITS_IN_Q;
+    g = seedBytes * BITS_PER_BYTE;    /* bits in seed, NOT G of PQG. */
+step_1:
+    /* ******************************************************************
+    ** Step 1.
+    ** "Choose an abitrary sequence of at least 160 bits and call it SEED.
+    **  Let g be the length of SEED in bits."
+    */
+    if (++iterations > MAX_ITERATIONS) {        /* give up after a while */
+        PORT_SetError(SEC_ERROR_NEED_RANDOM);
+        goto cleanup;
+    }
+    seed->len = seedBytes;
+    CHECK_SEC_OK( getPQseed(seed) );
+    /* ******************************************************************
+    ** Step 2.
+    ** "Compute U = SHA[SEED] XOR SHA[(SEED+1) mod 2**g]."
+    **
+    ** Step 3.
+    ** "Form Q from U by setting the most signficant bit (the 2**159 bit) 
+    **  and the least signficant bit to 1.  In terms of boolean operations,
+    **  Q = U OR 2**159 OR 1.  Note that 2**159 < Q < 2**160."
+    */
+    CHECK_SEC_OK( makeQfromSeed(g, seed, &Q) );
+    /* ******************************************************************
+    ** Step 4.
+    ** "Use a robust primality testing algorithm to test whether q is prime."
+    **
+    ** Appendix 2.1 states that a Rabin test with at least 50 iterations
+    ** "will give an acceptable probability of error."
+    */
+    /*CHECK_SEC_OK( prm_RabinTest(&Q, &passed) );*/
+    err = mpp_pprime(&Q, PQG_Q_PRIMALITY_TESTS);
+    passed = (err == MP_YES) ? SECSuccess : SECFailure;
+    /* ******************************************************************
+    ** Step 5. "If q is not prime, goto step 1."
+    */
+    if (passed != SECSuccess)
+        goto step_1;
+    /* ******************************************************************
+    ** Step 6. "Let counter = 0 and offset = 2."
+    */
+    counter = 0;
+    offset  = 2;
+step_7:
+    /* ******************************************************************
+    ** Step 7.
+    ** "for k = 0 ... n let
+    **          V_k = SHA[(SEED + offset + k) mod 2**g]."
+    **
+    ** Step 8.
+    ** "Let W be the sum of  (V_k * 2**(k*160)) for k = 0 ... n
+    **  and let X = W + 2**(L-1).
+    **  Note that 0 <= W < 2**(L-1) and hence 2**(L-1) <= X < 2**L."
+    **
+    ** Step 9.
+    ** "Let c = X mod 2q  and set p = X - (c - 1).
+    **  Note that p is congruent to 1 mod 2q."
+    */
+    CHECK_SEC_OK( makePfromQandSeed(L, offset, g, seed, &Q, &P) );
+    /*************************************************************
+    ** Step 10.
+    ** "if p < 2**(L-1), then goto step 13."
+    */
+    CHECK_MPI_OK( mpl_set_bit(&l, (mp_size)(L-1), 1) ); /* l = 2**(L-1) */
+    if (mp_cmp(&P, &l) < 0)
+        goto step_13;
+    /************************************************************
+    ** Step 11.
+    ** "Perform a robust primality test on p."
+    */
+    /*CHECK_SEC_OK( prm_RabinTest(&P, &passed) );*/
+    err = mpp_pprime(&P, PQG_P_PRIMALITY_TESTS);
+    passed = (err == MP_YES) ? SECSuccess : SECFailure;
+    /* ******************************************************************
+    ** Step 12. "If p passes the test performed in step 11, go to step 15."
+    */
+    if (passed == SECSuccess)
+        goto step_15;
+step_13:
+    /* ******************************************************************
+    ** Step 13.  "Let counter = counter + 1 and offset = offset + n + 1."
+    */
+    counter++;
+    offset += n + 1;
+    /* ******************************************************************
+    ** Step 14.  "If counter >= 4096 goto step 1, otherwise go to step 7."
+    */
+    if (counter >= 4096)
+        goto step_1;
+    goto step_7;
+step_15:
+    /* ******************************************************************
+    ** Step 15.  
+    ** "Save the value of SEED and the value of counter for use
+    **  in certifying the proper generation of p and q."
+    */
+    /* Generate h. */
+    SECITEM_AllocItem(NULL, &hit, seedBytes); /* h is no longer than p */
+    if (!hit.data) goto cleanup;
+    do {
+	/* loop generate h until 1<h<p-1 and (h**[(p-1)/q])mod p > 1 */
+	CHECK_SEC_OK( generate_h_candidate(&hit, &H) );
+        CHECK_SEC_OK( makeGfromH(&P, &Q, &H, &G, &passed) );
+    } while (passed != PR_TRUE);
+    /* All generation is done.  Now, save the PQG params.  */
+    MPINT_TO_SECITEM(&P, &params->prime,    params->arena);
+    MPINT_TO_SECITEM(&Q, &params->subPrime, params->arena);
+    MPINT_TO_SECITEM(&G, &params->base,     params->arena);
+    MPINT_TO_SECITEM(&H, &verify->h,        verify->arena);
+    verify->counter = counter;
+    *pParams = params;
+    *pVfy = verify;
+cleanup:
+    mp_clear(&P);
+    mp_clear(&Q);
+    mp_clear(&G);
+    mp_clear(&H);
+    mp_clear(&l);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    if (rv) {
+	PORT_FreeArena(params->arena, PR_TRUE);
+	PORT_FreeArena(verify->arena, PR_TRUE);
+    }
+    return rv;
+}
+
+SECStatus   
+PQG_VerifyParams(const PQGParams *params, 
+                 const PQGVerify *vfy, SECStatus *result)
+{
+    SECStatus rv = SECSuccess;
+    int passed;
+    unsigned int g, n, L, offset;
+    mp_int P, Q, G, P_, Q_, G_, r, h;
+    mp_err err = MP_OKAY;
+    int j;
+#define CHECKPARAM(cond)      \
+    if (!(cond)) {            \
+	*result = SECFailure; \
+	goto cleanup;         \
+    }
+    if (!params || !vfy || !result) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    MP_DIGITS(&P) = 0;
+    MP_DIGITS(&Q) = 0;
+    MP_DIGITS(&G) = 0;
+    MP_DIGITS(&P_) = 0;
+    MP_DIGITS(&Q_) = 0;
+    MP_DIGITS(&G_) = 0;
+    MP_DIGITS(&r) = 0;
+    MP_DIGITS(&h) = 0;
+    CHECK_MPI_OK( mp_init(&P) );
+    CHECK_MPI_OK( mp_init(&Q) );
+    CHECK_MPI_OK( mp_init(&G) );
+    CHECK_MPI_OK( mp_init(&P_) );
+    CHECK_MPI_OK( mp_init(&Q_) );
+    CHECK_MPI_OK( mp_init(&G_) );
+    CHECK_MPI_OK( mp_init(&r) );
+    CHECK_MPI_OK( mp_init(&h) );
+    *result = SECSuccess;
+    SECITEM_TO_MPINT(params->prime,    &P);
+    SECITEM_TO_MPINT(params->subPrime, &Q);
+    SECITEM_TO_MPINT(params->base,     &G);
+    /* 1.  Q is 160 bits long. */
+    CHECKPARAM( mpl_significant_bits(&Q) == 160 );
+    /* 2.  P is one of the 9 valid lengths. */
+    L = mpl_significant_bits(&P);
+    j = PQG_PBITS_TO_INDEX(L);
+    CHECKPARAM( j >= 0 && j <= 8 );
+    /* 3.  G < P */
+    CHECKPARAM( mp_cmp(&G, &P) < 0 );
+    /* 4.  P % Q == 1 */
+    CHECK_MPI_OK( mp_mod(&P, &Q, &r) );
+    CHECKPARAM( mp_cmp_d(&r, 1) == 0 );
+    /* 5.  Q is prime */
+    CHECKPARAM( mpp_pprime(&Q, PQG_Q_PRIMALITY_TESTS) == MP_YES );
+    /* 6.  P is prime */
+    CHECKPARAM( mpp_pprime(&P, PQG_P_PRIMALITY_TESTS) == MP_YES );
+    /* Steps 7-12 are done only if the optional PQGVerify is supplied. */
+    if (!vfy) goto cleanup;
+    /* 7.  counter < 4096 */
+    CHECKPARAM( vfy->counter < 4096 );
+    /* 8.  g >= 160 and g < 2048   (g is length of seed in bits) */
+    g = vfy->seed.len * 8;
+    CHECKPARAM( g >= 160 && g < 2048 );
+    /* 9.  Q generated from SEED matches Q in PQGParams. */
+    CHECK_SEC_OK( makeQfromSeed(g, &vfy->seed, &Q_) );
+    CHECKPARAM( mp_cmp(&Q, &Q_) == 0 );
+    /* 10. P generated from (L, counter, g, SEED, Q) matches P in PQGParams. */
+    n = (L - 1) / BITS_IN_Q;
+    offset = vfy->counter * (n + 1) + 2;
+    CHECK_SEC_OK( makePfromQandSeed(L, offset, g, &vfy->seed, &Q, &P_) );
+    CHECKPARAM( mp_cmp(&P, &P_) == 0 );
+    /* Next two are optional: if h == 0 ignore */
+    if (vfy->h.len == 0) goto cleanup;
+    /* 11. 1 < h < P-1 */
+    SECITEM_TO_MPINT(vfy->h, &h);
+    CHECK_MPI_OK( mpl_set_bit(&P, 0, 0) ); /* P is prime, p-1 == zero 1st bit */
+    CHECKPARAM( mp_cmp_d(&h, 1) > 0 && mp_cmp(&h, &P) );
+    CHECK_MPI_OK( mpl_set_bit(&P, 0, 1) ); /* set it back */
+    /* 12. G generated from h matches G in PQGParams. */
+    CHECK_SEC_OK( makeGfromH(&P, &Q, &h, &G_, &passed) );
+    CHECKPARAM( passed && mp_cmp(&G, &G_) == 0 );
+cleanup:
+    mp_clear(&P);
+    mp_clear(&Q);
+    mp_clear(&G);
+    mp_clear(&P_);
+    mp_clear(&Q_);
+    mp_clear(&G_);
+    mp_clear(&r);
+    mp_clear(&h);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+
diff --git a/security/nss/lib/freebl/prng_fips1861.c b/security/nss/lib/freebl/prng_fips1861.c
new file mode 100644
index 000000000..bf0199926
--- /dev/null
+++ b/security/nss/lib/freebl/prng_fips1861.c
@@ -0,0 +1,513 @@
+/*
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "prerr.h"
+#include "secerr.h"
+
+#include "prtypes.h"
+#include "prinit.h"
+#include "blapi.h"
+#include "nssilock.h"
+#include "secitem.h"
+#include "sha_fast.h"
+#include "secrng.h"	/* for RNG_GetNoise() */
+
+/*
+ * The minimum amount of seed data required before the generator will
+ * provide data.
+ * Note that this is a measure of the number of bytes sent to
+ * RNG_RandomUpdate, not the actual amount of entropy present in the
+ * generator.  Naturally, it is impossible to know (at this level) just
+ * how much entropy is present in the provided seed data.  A bare minimum
+ * of entropy would be 20 bytes, so by requiring 1K this code is making
+ * the tacit assumption that at least 1 byte of pure entropy is provided
+ * with every 8 bytes supplied to RNG_RandomUpdate.  The reality of this
+ * assumption is left up to the caller.
+ */
+#define MIN_SEED_COUNT 1024
+
+/*
+ * Steps taken from FIPS 186-1 Appendix 3.1
+ */
+
+/*
+ * According to FIPS 186-1, 160 <= b <= 512
+ * For our purposes, we will assume b == 160
+ */
+#define FIPS_B     160
+#define BSIZE      FIPS_B / BITS_PER_BYTE
+
+/*
+ * Add two 160-bit numbers represented as arrays of 20 bytes.
+ * The numbers are big-endian, MSB first, so addition is done
+ * from the end of the buffer to the beginning.
+ */
+#define ADD_160BIT_PLUS_CARRY(dest, add1, add2, cy) \
+    carry = cy; \
+    for (i=BSIZE-1; i>=0; --i) { \
+	carry += add1[i] + add2[i]; \
+	dest[i] = (PRUint8)carry; \
+	carry >>= 8; \
+    }
+
+#define ADD_160BIT_2(dest, add1, add2) \
+	ADD_160BIT_PLUS_CARRY(dest, add1, add2, 0)
+
+
+/*
+ * FIPS requires result from Step 3c to be reduced mod q when generating
+ * random numbers for DSA.
+ * by definition q >= 2^159 + 1, thus xj < 2q
+ * thus reducing mod q is simple subtraction when xj > q
+ */
+#define dsa_reduce_mod_q(xj, q) \
+    PORT_Assert(q[0] >= 0x80); \
+    if (memcmp(xj,q,BSIZE) > 0) { \
+	carry = 0; \
+	for (i=BSIZE-1; i>=0; --i) { \
+	    carry += (signed int)xj[i] - (signed int)q[i]; \
+	    xj[i] = (PRUint8)carry; \
+	    carry >>= 8; \
+	} \
+    }
+
+/*
+ * Specialized SHA1-like function.  This function appends zeroes to a 
+ * single input block and runs a single instance of the compression function, 
+ * as specified in FIPS 186-1 appendix 3.3.
+ */
+void 
+RNG_UpdateAndEnd_FIPS186_1(SHA1Context *ctx, 
+                           unsigned char *input, unsigned int inputLen,
+                           unsigned char *hashout, unsigned int *pDigestLen, 
+                           unsigned int maxDigestLen);
+
+/*
+ * Global RNG context
+ */ 
+struct RNGContextStr {
+    PRUint8   XKEY[BSIZE]; /* Seed for next SHA iteration */
+    PRUint8   Xj[BSIZE];   /* Output from previous operation */
+    PZLock   *lock;        /* Lock to serialize access to global rng */
+    PRUint8   avail;       /* # bytes of output available, [0...20] */
+    PRUint32  seedCount;   /* number of seed bytes given to generator */
+    PRBool    isValid;     /* false if RNG reaches an invalid state */
+};
+typedef struct RNGContextStr RNGContext;
+static RNGContext *globalrng = NULL;
+
+/*
+ * Free the global RNG context
+ */
+static void
+freeRNGContext()
+{
+    PZ_DestroyLock(globalrng->lock);
+    PORT_ZFree(globalrng, sizeof *globalrng);
+    globalrng = NULL;
+}
+
+/*
+ * Implementation of the algorithm in FIPS 186-1 appendix 3.1, heretofore
+ * called alg3_1().  It is assumed a lock for the global rng context has
+ * already been acquired.
+ * Calling this function with XSEEDj == NULL is equivalent to saying there
+ * is no optional user input, which is further equivalent to saying that
+ * the optional user input is 0.
+ */
+static SECStatus
+alg_fips186_1_x3_1(RNGContext *rng,
+                   const unsigned char *XSEEDj, unsigned char *q)
+{
+    /* SHA1 context for G(t, XVAL) function */
+    SHA1Context sha1cx;
+    /* input to hash function */
+    PRUint8 XVAL[BSIZE];
+    /* store a copy of the output to compare with the previous output */
+    PRUint8 x_j[BSIZE];
+    /* used by ADD_160BIT macros */
+    int i, carry;
+    unsigned int len;
+    if (!rng->isValid) {
+	/* RNG has alread entered an invalid state. */
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    /* initialize the SHA1 context */
+    memset(&sha1cx, 0, sizeof(sha1cx));
+    /* 
+     * <Step 2> Initialize t, taken care of in SHA-1 (same initial values) 
+     */
+    SHA1_Begin(&sha1cx);
+    /* 
+     * <Step 3a> XSEEDj is optional user input
+     * 
+     * <Step 3b> XVAL = (XKEY + XSEEDj) mod 2^b
+     *     :always reduced mod 2^b, since storing as 160-bit value
+     */
+    if (XSEEDj) {
+	/* XSEEDj > 0 */
+	ADD_160BIT_2(XVAL, rng->XKEY, XSEEDj);
+    } else {
+	/* XSEEDj == 0 */
+	memcpy(XVAL, rng->XKEY, BSIZE);
+    }
+    /* 
+     * <Step 3c> Xj = G(t, XVAL) mod q
+     *     :In this code, (mod q) is only understood for DSA ops, 
+     *     :not general RNG (what would q be in non-DSA uses?).
+     *     :If a q is specified, use it.
+     *     :FIPS 186-1 specifies a different padding than the SHA1 180-1
+     *     :specification, this function is implemented below.
+     */ 
+    RNG_UpdateAndEnd_FIPS186_1(&sha1cx, XVAL, BSIZE, x_j, &len, BSIZE);
+    if (q != NULL) {
+	dsa_reduce_mod_q(x_j, q);
+    }
+    /*     [FIPS 140-1] verify output does not match previous output */
+    if (memcmp(x_j, rng->Xj, BSIZE) == 0) {
+	/* failed FIPS 140-1 continuous RNG condition.  RNG now invalid. */
+	rng->isValid = PR_FALSE;
+	return SECFailure;
+    }
+    /* Xj is the output */
+    memcpy(rng->Xj, x_j, BSIZE);
+    /* 
+     * <Step 3d> XKEY = (1 + XKEY + Xj) mod 2^b
+     *     :always reduced mod 2^b, since storing as 160-bit value 
+     */
+    ADD_160BIT_PLUS_CARRY(rng->XKEY, rng->XKEY, x_j, 1);
+    /* Always have a full buffer after executing alg3_1() */
+    rng->avail = BSIZE;
+    /* housekeeping */
+    memset(x_j, 0, BSIZE);
+    memset(XVAL, 0, BSIZE);
+    return SECSuccess;
+}
+
+/* Use NSPR to prevent RNG_RNGInit from being called from separate
+ * threads, creating a race condition.
+ */
+static PRCallOnceType coRNGInit = { 0, 0, 0 };
+static PRStatus rng_init(void)
+{
+    unsigned char bytes[120];
+    unsigned int numBytes;
+    if (globalrng == NULL) {
+	/* create a new global RNG context */
+	globalrng = (RNGContext *)PORT_ZAlloc(sizeof(RNGContext));
+	if (globalrng == NULL) {
+	    PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+	    return PR_FAILURE;
+	}
+	/* create a lock for it */
+	globalrng->lock = PZ_NewLock(nssILockOther);
+	if (globalrng->lock == NULL) {
+	    PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
+	    return PR_FAILURE;
+	}
+	/* the RNG is in a valid state */
+	globalrng->isValid = PR_TRUE;
+	/* Try to get some seed data for the RNG */
+	numBytes = RNG_GetNoise(bytes, sizeof bytes);
+	RNG_RandomUpdate(bytes, numBytes);
+    }
+    return (globalrng != NULL) ? PR_SUCCESS : PR_FAILURE;
+}
+
+/*
+ * Initialize the global RNG context and give it some seed input taken
+ * from the system.  This function is thread-safe and will only allow
+ * the global context to be initialized once.  The seed input is likely
+ * small, so it is imperative that RNG_RandomUpdate() be called with
+ * additional seed data before the generator is used.  A good way to
+ * provide the generator with additional entropy is to call
+ * RNG_SystemInfoForRNG().  Note that NSS_Init() does exactly that.
+ */
+SECStatus 
+RNG_RNGInit(void)
+{
+    /* Allow only one call to initialize the context */
+    PR_CallOnce(&coRNGInit, rng_init);
+    /* Make sure there is a context */
+    return (globalrng != NULL) ? PR_SUCCESS : PR_FAILURE;
+}
+
+/*
+** Update the global random number generator with more seeding
+** material
+*/
+SECStatus 
+prng_RandomUpdate(RNGContext *rng, const void *data, size_t bytes, 
+	unsigned char *q)
+{
+    SECStatus rv = SECSuccess;
+    unsigned char inputhash[BSIZE];
+    /* check for a valid global RNG context */
+    PORT_Assert(rng != NULL);
+    if (rng == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    /* RNG_SystemInfoForRNG() sometimes does this, not really an error */
+    if (bytes == 0)
+	return SECSuccess;
+    /* If received 20 bytes of input, use it, else hash the input before 
+     * locking.
+     */
+    if (bytes == BSIZE)
+	memcpy(inputhash, data, BSIZE);
+    else
+	rv = SHA1_HashBuf(inputhash, data, bytes);
+    if (rv != SECSuccess) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    /* --- LOCKED --- */
+    PZ_Lock(rng->lock);
+    /*
+     * Random information is initially supplied by a call to
+     * RNG_SystemInfoForRNG().  That function collects entropy from
+     * the system and calls RNG_RandomUpdate() to seed the generator.
+     * FIPS 186-1 3.1 step 1 specifies that a secret value for the
+     * seed-key must be chosen before the generator can begin.  The
+     * size of XKEY is b-bytes, so fill it with the first b-bytes
+     * sent to RNG_RandomUpdate().
+     */
+    if (rng->seedCount == 0) {
+	/* This is the first call to RandomUpdate().  Use a SHA1 hash
+	 * of the input to set the seed, XKEY.
+	 *
+	 * <Step 1> copy seed bytes into context's XKEY
+	 */
+	memcpy(rng->XKEY, inputhash, BSIZE);
+	/* 
+	 * Now continue with algorithm.  Since the input was used to
+	 * initialize XKEY, the "optional user input" at this stage
+	 * will be a pad of zeros, XSEEDj = 0.
+	 */
+	rv = alg_fips186_1_x3_1(rng, NULL, q);
+	/* As per FIPS 140-1 continuous RNG requirement, the first
+	 * iteration of output is discarded.  So here there is really
+	 * no output available.  This forces another execution of alg3_1()
+	 * before any bytes can be extracted from the generator.
+	 */
+	rng->avail = 0;
+    } else {
+	/* Execute the algorithm from FIPS 186-1 appendix 3.1 */
+	rv = alg_fips186_1_x3_1(rng, inputhash, q);
+    }
+    /* If got this far, have added bytes of seed data. */
+    rng->seedCount += bytes;
+    PZ_Unlock(rng->lock);
+    /* --- UNLOCKED --- */
+    /* housekeeping */
+    memset(inputhash, 0, BSIZE);
+    return rv;
+}
+
+/*
+** Update the global random number generator with more seeding
+** material.  Not DSA, so no q.
+*/
+SECStatus 
+RNG_RandomUpdate(const void *data, size_t bytes)
+{
+    return prng_RandomUpdate(globalrng, data, bytes, NULL);
+}
+
+/*
+** Generate some random bytes, using the global random number generator
+** object.
+*/
+SECStatus 
+prng_GenerateGlobalRandomBytes(RNGContext *rng,
+                               void *dest, size_t len, unsigned char *q)
+{
+    PRUint8 num;
+    SECStatus rv = SECSuccess;
+    unsigned char *output = dest;
+    /* check for a valid global RNG context */
+    PORT_Assert(rng != NULL);
+    if (rng == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    /* --- LOCKED --- */
+    PZ_Lock(rng->lock);
+    /* Check the amount of seed data in the generator.  If not enough,
+     * don't produce any data.
+     */
+    if (rng->seedCount < MIN_SEED_COUNT) {
+	PZ_Unlock(rng->lock);
+	PORT_SetError(SEC_ERROR_NEED_RANDOM);
+	return SECFailure;
+    }
+    /*
+     * If there are enough bytes of random data, send back Xj, 
+     * else call alg3_1() with 0's to generate more random data.
+     */
+    while (len > 0) {
+	if (rng->avail == 0)
+	    /* All available bytes are used, so generate more. */
+	    rv = alg_fips186_1_x3_1(rng, NULL, q);
+	/* number of bytes to obtain on this iteration (max of 20) */
+	num = PR_MIN(rng->avail, len);
+	/* if avail < BSIZE, the first avail bytes have already been used. */
+	memcpy(output, rng->Xj + (BSIZE - rng->avail), num);
+	rng->avail -= num;
+	len -= num;
+	output += num;
+    }
+    PZ_Unlock(rng->lock);
+    /* --- UNLOCKED --- */
+    return rv;
+}
+
+/*
+** Generate some random bytes, using the global random number generator
+** object.  Not DSA, so no q.
+*/
+SECStatus 
+RNG_GenerateGlobalRandomBytes(void *dest, size_t len)
+{
+    return prng_GenerateGlobalRandomBytes(globalrng, dest, len, NULL);
+}
+
+void
+RNG_RNGShutdown(void)
+{
+    /* check for a valid global RNG context */
+    PORT_Assert(globalrng != NULL);
+    if (globalrng == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return;
+    }
+    /* clear */
+    freeRNGContext();
+    /* zero the callonce struct to allow a new call to RNG_RNGInit() */
+    memset(&coRNGInit, 0, sizeof coRNGInit);
+}
+
+/*
+ *  SHA: Generate hash value from context
+ *       Specialized function for PRNG
+ *       The PRNG specified in FIPS 186-1 3.3 uses a function, G,
+ *       which has the same initialization and compression functions
+ *       as SHA1 180-1, but uses different padding.  FIPS 186-1 3.3 
+ *       specifies that the message be padded with 0's until the size
+ *       reaches 512 bits.
+ */
+void 
+RNG_UpdateAndEnd_FIPS186_1(SHA1Context *ctx, 
+                           unsigned char *input, unsigned int inputLen,
+                           unsigned char *hashout, unsigned int *pDigestLen, 
+                           unsigned int maxDigestLen)
+{
+    register PRUint32 A;
+    static const unsigned char bulk_pad0[64] = { 0,0,0,0,0,0,0,0,0,0,
+               0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
+               0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0  };
+
+    PORT_Assert(maxDigestLen >= SHA1_LENGTH);
+    PORT_Assert(inputLen <= SHA1_INPUT_LEN);
+
+    /*
+     *  Add the input
+     */
+    SHA1_Update(ctx, input, inputLen);
+    /*
+     *  Pad with zeroes
+     *  This will fill the input block and cause the compression function
+     *  to be called.
+     */
+    SHA1_Update(ctx, bulk_pad0, SHA1_INPUT_LEN - inputLen);
+
+    /*
+     *  Output hash
+     */
+#if defined(IS_LITTLE_ENDIAN)
+    SHA_BYTESWAP(ctx->H[0]);
+    SHA_BYTESWAP(ctx->H[1]);
+    SHA_BYTESWAP(ctx->H[2]);
+    SHA_BYTESWAP(ctx->H[3]);
+    SHA_BYTESWAP(ctx->H[4]);
+#endif
+    memcpy(hashout, ctx->H, SHA1_LENGTH);
+    *pDigestLen = SHA1_LENGTH;
+
+    /*
+     *  Re-initialize the context (also zeroizes contents)
+     */
+    SHA1_Begin(ctx);
+}
+
+/*
+ * Specialized RNG for DSA
+ *
+ * As per FIPS 186-1 appendix 3.1, in step 5 the value Xj should
+ * be reduced mod q, a 160-bit prime number.   Since this parameter is
+ * only meaningful in the context of DSA, the above RNG functions
+ * were implemented without it.  They are re-implemented below for use
+ * with DSA.
+ *
+ */
+
+/*
+** Update the global random number generator with more seeding
+** material.  DSA needs a q parameter.
+*/
+SECStatus 
+DSA_RandomUpdate(void *data, size_t bytes, unsigned char *q)
+{
+    if( q && (*q == 0) ) {
+        ++q;
+    }
+    return prng_RandomUpdate(globalrng, data, bytes, q);
+}
+
+/*
+** Generate some random bytes, using the global random number generator
+** object.  In DSA mode, so there is a q.
+*/
+SECStatus 
+DSA_GenerateGlobalRandomBytes(void *dest, size_t len, unsigned char *q)
+{
+    if( q && (*q == 0) ) {
+        ++q;
+    }
+    return prng_GenerateGlobalRandomBytes(globalrng, dest, len, q);
+}
diff --git a/security/nss/lib/freebl/rijndael.c b/security/nss/lib/freebl/rijndael.c
new file mode 100644
index 000000000..374a0fad4
--- /dev/null
+++ b/security/nss/lib/freebl/rijndael.c
@@ -0,0 +1,1136 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "prinit.h"
+#include "prerr.h"
+#include "secerr.h"
+
+#include "prtypes.h"
+#include "blapi.h"
+#include "rijndael.h"
+
+/*
+ * There are currently five ways to build this code, varying in performance
+ * and code size.
+ *
+ * RIJNDAEL_INCLUDE_TABLES         Include all tables from rijndael32.tab
+ * RIJNDAEL_GENERATE_TABLES        Generate tables on first 
+ *                                 encryption/decryption, then store them;
+ *                                 use the function gfm
+ * RIJNDAEL_GENERATE_TABLES_MACRO  Same as above, but use macros to do
+ *                                 the generation
+ * RIJNDAEL_GENERATE_VALUES        Do not store tables, generate the table
+ *                                 values "on-the-fly", using gfm
+ * RIJNDAEL_GENERATE_VALUES_MACRO  Same as above, but use macros
+ *
+ * The default is RIJNDAEL_INCLUDE_TABLES.
+ */
+
+/*
+ * When building RIJNDAEL_INCLUDE_TABLES, includes S**-1, Rcon, T[0..4], 
+ *                                                 T**-1[0..4], IMXC[0..4]
+ * When building anything else, includes S, S**-1, Rcon
+ */
+#include "rijndael32.tab"
+
+#if defined(RIJNDAEL_INCLUDE_TABLES)
+/*
+ * RIJNDAEL_INCLUDE_TABLES
+ */
+#define T0(i)    _T0[i]
+#define T1(i)    _T1[i]
+#define T2(i)    _T2[i]
+#define T3(i)    _T3[i]
+#define TInv0(i) _TInv0[i]
+#define TInv1(i) _TInv1[i]
+#define TInv2(i) _TInv2[i]
+#define TInv3(i) _TInv3[i]
+#define IMXC0(b) _IMXC0[b]
+#define IMXC1(b) _IMXC1[b]
+#define IMXC2(b) _IMXC2[b]
+#define IMXC3(b) _IMXC3[b]
+/* The S-box can be recovered from the T-tables */
+#ifdef IS_LITTLE_ENDIAN
+#define SBOX(b)    ((PRUint8)_T3[b])
+#else
+#define SBOX(b)    ((PRUint8)_T1[b])
+#endif
+#define SINV(b) (_SInv[b])
+
+#else /* not RIJNDAEL_INCLUDE_TABLES */
+
+/*
+ * Code for generating T-table values.
+ */
+
+#ifdef IS_LITTLE_ENDIAN
+#define WORD4(b0, b1, b2, b3) \
+    (((b3) << 24) | ((b2) << 16) | ((b1) << 8) | (b0))
+#else
+#define WORD4(b0, b1, b2, b3) \
+    (((b0) << 24) | ((b1) << 16) | ((b2) << 8) | (b3))
+#endif
+
+/*
+ * Define the S and S**-1 tables (both have been stored)
+ */
+#define SBOX(b)    (_S[b])
+#define SINV(b) (_SInv[b])
+
+/*
+ * The function xtime, used for Galois field multiplication
+ */
+#define XTIME(a) \
+    ((a & 0x80) ? ((a << 1) ^ 0x1b) : (a << 1))
+
+/* Choose GFM method (macros or function) */
+#if defined(RIJNDAEL_GENERATE_TABLES_MACRO) ||  \
+    defined(RIJNDAEL_GENERATE_VALUES_MACRO)
+
+/*
+ * Galois field GF(2**8) multipliers, in macro form
+ */
+#define GFM01(a) \
+    (a)                                 /* a * 01 = a, the identity */
+#define GFM02(a) \
+    (XTIME(a) & 0xff)                   /* a * 02 = xtime(a) */
+#define GFM04(a) \
+    (GFM02(GFM02(a)))                   /* a * 04 = xtime**2(a) */
+#define GFM08(a) \
+    (GFM02(GFM04(a)))                   /* a * 08 = xtime**3(a) */
+#define GFM03(a) \
+    (GFM01(a) ^ GFM02(a))               /* a * 03 = a * (01 + 02) */
+#define GFM09(a) \
+    (GFM01(a) ^ GFM08(a))               /* a * 09 = a * (01 + 08) */
+#define GFM0B(a) \
+    (GFM01(a) ^ GFM02(a) ^ GFM08(a))    /* a * 0B = a * (01 + 02 + 08) */
+#define GFM0D(a) \
+    (GFM01(a) ^ GFM04(a) ^ GFM08(a))    /* a * 0D = a * (01 + 04 + 08) */
+#define GFM0E(a) \
+    (GFM02(a) ^ GFM04(a) ^ GFM08(a))    /* a * 0E = a * (02 + 04 + 08) */
+
+#else  /* RIJNDAEL_GENERATE_TABLES or RIJNDAEL_GENERATE_VALUES */
+
+/* GF_MULTIPLY
+ *
+ * multiply two bytes represented in GF(2**8), mod (x**4 + 1)
+ */
+PRUint8 gfm(PRUint8 a, PRUint8 b)
+{
+    PRUint8 res = 0;
+    while (b > 0) {
+	res = (b & 0x01) ? res ^ a : res;
+	a = XTIME(a);
+	b >>= 1;
+    }
+    return res;
+}
+
+#define GFM01(a) \
+    (a)                                 /* a * 01 = a, the identity */
+#define GFM02(a) \
+    (XTIME(a) & 0xff)                   /* a * 02 = xtime(a) */
+#define GFM03(a) \
+    (gfm(a, 0x03))                      /* a * 03 */
+#define GFM09(a) \
+    (gfm(a, 0x09))                      /* a * 09 */
+#define GFM0B(a) \
+    (gfm(a, 0x0B))                      /* a * 0B */
+#define GFM0D(a) \
+    (gfm(a, 0x0D))                      /* a * 0D */
+#define GFM0E(a) \
+    (gfm(a, 0x0E))                      /* a * 0E */
+
+#endif /* choosing GFM function */
+
+/*
+ * The T-tables
+ */
+#define G_T0(i) \
+    ( WORD4( GFM02(SBOX(i)), GFM01(SBOX(i)), GFM01(SBOX(i)), GFM03(SBOX(i)) ) )
+#define G_T1(i) \
+    ( WORD4( GFM03(SBOX(i)), GFM02(SBOX(i)), GFM01(SBOX(i)), GFM01(SBOX(i)) ) )
+#define G_T2(i) \
+    ( WORD4( GFM01(SBOX(i)), GFM03(SBOX(i)), GFM02(SBOX(i)), GFM01(SBOX(i)) ) )
+#define G_T3(i) \
+    ( WORD4( GFM01(SBOX(i)), GFM01(SBOX(i)), GFM03(SBOX(i)), GFM02(SBOX(i)) ) )
+
+/*
+ * The inverse T-tables
+ */
+#define G_TInv0(i) \
+    ( WORD4( GFM0E(SINV(i)), GFM09(SINV(i)), GFM0D(SINV(i)), GFM0B(SINV(i)) ) )
+#define G_TInv1(i) \
+    ( WORD4( GFM0B(SINV(i)), GFM0E(SINV(i)), GFM09(SINV(i)), GFM0D(SINV(i)) ) )
+#define G_TInv2(i) \
+    ( WORD4( GFM0D(SINV(i)), GFM0B(SINV(i)), GFM0E(SINV(i)), GFM09(SINV(i)) ) )
+#define G_TInv3(i) \
+    ( WORD4( GFM09(SINV(i)), GFM0D(SINV(i)), GFM0B(SINV(i)), GFM0E(SINV(i)) ) )
+
+/*
+ * The inverse mix column tables
+ */
+#define G_IMXC0(i) \
+    ( WORD4( GFM0E(i), GFM09(i), GFM0D(i), GFM0B(i) ) )
+#define G_IMXC1(i) \
+    ( WORD4( GFM0B(i), GFM0E(i), GFM09(i), GFM0D(i) ) )
+#define G_IMXC2(i) \
+    ( WORD4( GFM0D(i), GFM0B(i), GFM0E(i), GFM09(i) ) )
+#define G_IMXC3(i) \
+    ( WORD4( GFM09(i), GFM0D(i), GFM0B(i), GFM0E(i) ) )
+
+/* Now choose the T-table indexing method */
+#if defined(RIJNDAEL_GENERATE_VALUES)
+/* generate values for the tables with a function*/
+static PRUint32 gen_TInvXi(PRUint8 tx, PRUint8 i)
+{
+    PRUint8 si01, si02, si03, si04, si08, si09, si0B, si0D, si0E;
+    si01 = SINV(i);
+    si02 = XTIME(si01);
+    si04 = XTIME(si02);
+    si08 = XTIME(si04);
+    si03 = si02 ^ si01;
+    si09 = si08 ^ si01;
+    si0B = si08 ^ si03;
+    si0D = si09 ^ si04;
+    si0E = si08 ^ si04 ^ si02;
+    switch (tx) {
+    case 0:
+	return WORD4(si0E, si09, si0D, si0B);
+    case 1:
+	return WORD4(si0B, si0E, si09, si0D);
+    case 2:
+	return WORD4(si0D, si0B, si0E, si09);
+    case 3:
+	return WORD4(si09, si0D, si0B, si0E);
+    }
+    return -1;
+}
+#define T0(i)    G_T0(i)
+#define T1(i)    G_T1(i)
+#define T2(i)    G_T2(i)
+#define T3(i)    G_T3(i)
+#define TInv0(i) gen_TInvXi(0, i)
+#define TInv1(i) gen_TInvXi(1, i)
+#define TInv2(i) gen_TInvXi(2, i)
+#define TInv3(i) gen_TInvXi(3, i)
+#define IMXC0(b) G_IMXC0(b)
+#define IMXC1(b) G_IMXC1(b)
+#define IMXC2(b) G_IMXC2(b)
+#define IMXC3(b) G_IMXC3(b)
+#elif defined(RIJNDAEL_GENERATE_VALUES_MACRO)
+/* generate values for the tables with macros */
+#define T0(i)    G_T0(i)
+#define T1(i)    G_T1(i)
+#define T2(i)    G_T2(i)
+#define T3(i)    G_T3(i)
+#define TInv0(i) G_TInv0(i)
+#define TInv1(i) G_TInv1(i)
+#define TInv2(i) G_TInv2(i)
+#define TInv3(i) G_TInv3(i)
+#define IMXC0(b) G_IMXC0(b)
+#define IMXC1(b) G_IMXC1(b)
+#define IMXC2(b) G_IMXC2(b)
+#define IMXC3(b) G_IMXC3(b)
+#else  /* RIJNDAEL_GENERATE_TABLES or RIJNDAEL_GENERATE_TABLES_MACRO */
+/* Generate T and T**-1 table values and store, then index */
+/* The inverse mix column tables are still generated */
+#define T0(i)    rijndaelTables->T0[i]
+#define T1(i)    rijndaelTables->T1[i]
+#define T2(i)    rijndaelTables->T2[i]
+#define T3(i)    rijndaelTables->T3[i]
+#define TInv0(i) rijndaelTables->TInv0[i]
+#define TInv1(i) rijndaelTables->TInv1[i]
+#define TInv2(i) rijndaelTables->TInv2[i]
+#define TInv3(i) rijndaelTables->TInv3[i]
+#define IMXC0(b) G_IMXC0(b)
+#define IMXC1(b) G_IMXC1(b)
+#define IMXC2(b) G_IMXC2(b)
+#define IMXC3(b) G_IMXC3(b)
+#endif /* choose T-table indexing method */
+
+#endif /* not RIJNDAEL_INCLUDE_TABLES */
+
+#if defined(RIJNDAEL_GENERATE_TABLES) ||  \
+    defined(RIJNDAEL_GENERATE_TABLES_MACRO)
+
+/* Code to generate and store the tables */
+
+struct rijndael_tables_str {
+    PRUint32 T0[256];
+    PRUint32 T1[256];
+    PRUint32 T2[256];
+    PRUint32 T3[256];
+    PRUint32 TInv0[256];
+    PRUint32 TInv1[256];
+    PRUint32 TInv2[256];
+    PRUint32 TInv3[256];
+};
+
+static struct rijndael_tables_str *rijndaelTables = NULL;
+static PRCallOnceType coRTInit = { 0, 0, 0 };
+static PRStatus 
+init_rijndael_tables(void)
+{
+    PRUint32 i;
+    PRUint8 si01, si02, si03, si04, si08, si09, si0B, si0D, si0E;
+    struct rijndael_tables_str *rts;
+    rts = (struct rijndael_tables_str *)
+                   PORT_Alloc(sizeof(struct rijndael_tables_str));
+    if (!rts) return PR_FAILURE;
+    for (i=0; i<256; i++) {
+	/* The forward values */
+	si01 = SBOX(i);
+	si02 = XTIME(si01);
+	si03 = si02 ^ si01;
+	rts->T0[i] = WORD4(si02, si01, si01, si03);
+	rts->T1[i] = WORD4(si03, si02, si01, si01);
+	rts->T2[i] = WORD4(si01, si03, si02, si01);
+	rts->T3[i] = WORD4(si01, si01, si03, si02);
+	/* The inverse values */
+	si01 = SINV(i);
+	si02 = XTIME(si01);
+	si04 = XTIME(si02);
+	si08 = XTIME(si04);
+	si03 = si02 ^ si01;
+	si09 = si08 ^ si01;
+	si0B = si08 ^ si03;
+	si0D = si09 ^ si04;
+	si0E = si08 ^ si04 ^ si02;
+	rts->TInv0[i] = WORD4(si0E, si09, si0D, si0B);
+	rts->TInv1[i] = WORD4(si0B, si0E, si09, si0D);
+	rts->TInv2[i] = WORD4(si0D, si0B, si0E, si09);
+	rts->TInv3[i] = WORD4(si09, si0D, si0B, si0E);
+    }
+    /* wait until all the values are in to set */
+    rijndaelTables = rts;
+    return PR_SUCCESS;
+}
+
+#endif /* code to generate tables */
+
+/**************************************************************************
+ *
+ * Stuff related to the Rijndael key schedule
+ *
+ *************************************************************************/
+
+#define SUBBYTE(w) \
+    ((SBOX((w >> 24) & 0xff) << 24) | \
+     (SBOX((w >> 16) & 0xff) << 16) | \
+     (SBOX((w >>  8) & 0xff) <<  8) | \
+     (SBOX((w      ) & 0xff)         ))
+
+#ifdef IS_LITTLE_ENDIAN
+#define ROTBYTE(b) \
+    ((b >> 8) | (b << 24))
+#else
+#define ROTBYTE(b) \
+    ((b << 8) | (b >> 24))
+#endif
+
+/* rijndael_key_expansion7
+ *
+ * Generate the expanded key from the key input by the user.
+ * XXX
+ * Nk == 7 (224 key bits) is a weird case.  Since Nk > 6, an added SubByte
+ * transformation is done periodically.  The period is every 4 bytes, and
+ * since 7%4 != 0 this happens at different times for each key word (unlike
+ * Nk == 8 where it happens twice in every key word, in the same positions).
+ * For now, I'm implementing this case "dumbly", w/o any unrolling.
+ */
+static SECStatus
+rijndael_key_expansion7(AESContext *cx, unsigned char *key, unsigned int Nk)
+{
+    unsigned int i;
+    PRUint32 *W;
+    PRUint32 *pW;
+    PRUint32 tmp;
+    W = cx->expandedKey;
+    /* 1.  the first Nk words contain the cipher key */
+    memcpy(W, key, Nk * 4);
+    i = Nk;
+    /* 2.  loop until full expanded key is obtained */
+    pW = W + i - 1;
+    for (; i < cx->Nb * (cx->Nr + 1); ++i) {
+	tmp = *pW++;
+	if (i % Nk == 0)
+	    tmp = SUBBYTE(ROTBYTE(tmp)) ^ Rcon[i / Nk - 1];
+	else if (i % Nk == 4)
+	    tmp = SUBBYTE(tmp);
+	*pW = W[i - Nk] ^ tmp;
+    }
+    return SECSuccess;
+}
+
+/* rijndael_key_expansion
+ *
+ * Generate the expanded key from the key input by the user.
+ */
+static SECStatus
+rijndael_key_expansion(AESContext *cx, unsigned char *key, unsigned int Nk)
+{
+    unsigned int i;
+    PRUint32 *W;
+    PRUint32 *pW;
+    PRUint32 tmp;
+    unsigned int round_key_words = cx->Nb * (cx->Nr + 1);
+    if (Nk == 7)
+	return rijndael_key_expansion7(cx, key, Nk);
+    W = cx->expandedKey;
+    /* The first Nk words contain the input cipher key */
+    memcpy(W, key, Nk * 4);
+    i = Nk;
+    pW = W + i - 1;
+    /* Loop over all sets of Nk words, except the last */
+    while (i < round_key_words - Nk) {
+	tmp = *pW++;
+	tmp = SUBBYTE(ROTBYTE(tmp)) ^ Rcon[i / Nk - 1];
+	*pW = W[i++ - Nk] ^ tmp;
+	tmp = *pW++; *pW = W[i++ - Nk] ^ tmp;
+	tmp = *pW++; *pW = W[i++ - Nk] ^ tmp;
+	tmp = *pW++; *pW = W[i++ - Nk] ^ tmp;
+	if (Nk == 4)
+	    continue;
+	switch (Nk) {
+	case 8: tmp = *pW++; tmp = SUBBYTE(tmp); *pW = W[i++ - Nk] ^ tmp;
+	case 7: tmp = *pW++; *pW = W[i++ - Nk] ^ tmp;
+	case 6: tmp = *pW++; *pW = W[i++ - Nk] ^ tmp;
+	case 5: tmp = *pW++; *pW = W[i++ - Nk] ^ tmp;
+	}
+    }
+    /* Generate the last word */
+    tmp = *pW++;
+    tmp = SUBBYTE(ROTBYTE(tmp)) ^ Rcon[i / Nk - 1];
+    *pW = W[i++ - Nk] ^ tmp;
+    /* There may be overflow here, if Nk % (Nb * (Nr + 1)) > 0.  However,
+     * since the above loop generated all but the last Nk key words, there
+     * is no more need for the SubByte transformation.
+     */
+    if (Nk < 8) {
+	for (; i < round_key_words; ++i) {
+	    tmp = *pW++; 
+	    *pW = W[i - Nk] ^ tmp;
+	}
+    } else {
+	/* except in the case when Nk == 8.  Then one more SubByte may have
+	 * to be performed, at i % Nk == 4.
+	 */
+	for (; i < round_key_words; ++i) {
+	    tmp = *pW++;
+	    if (i % Nk == 4)
+		tmp = SUBBYTE(tmp);
+	    *pW = W[i - Nk] ^ tmp;
+	}
+    }
+    return SECSuccess;
+}
+
+/* rijndael_invkey_expansion
+ *
+ * Generate the expanded key for the inverse cipher from the key input by 
+ * the user.
+ */
+static SECStatus
+rijndael_invkey_expansion(AESContext *cx, unsigned char *key, unsigned int Nk)
+{
+    unsigned int r;
+    PRUint32 *roundkeyw;
+    PRUint8 *b;
+    int Nb = cx->Nb;
+    /* begins like usual key expansion ... */
+    if (rijndael_key_expansion(cx, key, Nk) != SECSuccess)
+	return SECFailure;
+    /* ... but has the additional step of InvMixColumn,
+     * excepting the first and last round keys.
+     */
+    roundkeyw = cx->expandedKey + cx->Nb;
+    for (r=1; r<cx->Nr; ++r) {
+	/* each key word, roundkeyw, represents a column in the key
+	 * matrix.  Each column is multiplied by the InvMixColumn matrix.
+	 *   [ 0E 0B 0D 09 ]   [ b0 ]
+	 *   [ 09 0E 0B 0D ] * [ b1 ]
+	 *   [ 0D 09 0E 0B ]   [ b2 ]
+	 *   [ 0B 0D 09 0E ]   [ b3 ]
+	 */
+	b = (PRUint8 *)roundkeyw;
+	*roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ IMXC2(b[2]) ^ IMXC3(b[3]);
+	b = (PRUint8 *)roundkeyw;
+	*roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ IMXC2(b[2]) ^ IMXC3(b[3]);
+	b = (PRUint8 *)roundkeyw;
+	*roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ IMXC2(b[2]) ^ IMXC3(b[3]);
+	b = (PRUint8 *)roundkeyw;
+	*roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ IMXC2(b[2]) ^ IMXC3(b[3]);
+	if (Nb <= 4)
+	    continue;
+	switch (Nb) {
+	case 8: b = (PRUint8 *)roundkeyw;
+	        *roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ 
+	                       IMXC2(b[2]) ^ IMXC3(b[3]);
+	case 7: b = (PRUint8 *)roundkeyw;
+	        *roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ 
+	                       IMXC2(b[2]) ^ IMXC3(b[3]);
+	case 6: b = (PRUint8 *)roundkeyw;
+	        *roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ 
+	                       IMXC2(b[2]) ^ IMXC3(b[3]);
+	case 5: b = (PRUint8 *)roundkeyw;
+	        *roundkeyw++ = IMXC0(b[0]) ^ IMXC1(b[1]) ^ 
+	                       IMXC2(b[2]) ^ IMXC3(b[3]);
+	}
+    }
+    return SECSuccess;
+}
+/**************************************************************************
+ *
+ * Stuff related to Rijndael encryption/decryption, optimized for
+ * a 128-bit blocksize.
+ *
+ *************************************************************************/
+
+#ifdef IS_LITTLE_ENDIAN
+#define BYTE0WORD(w) ((w) & 0x000000ff)
+#define BYTE1WORD(w) ((w) & 0x0000ff00)
+#define BYTE2WORD(w) ((w) & 0x00ff0000)
+#define BYTE3WORD(w) ((w) & 0xff000000)
+#else
+#define BYTE0WORD(w) ((w) & 0xff000000)
+#define BYTE1WORD(w) ((w) & 0x00ff0000)
+#define BYTE2WORD(w) ((w) & 0x0000ff00)
+#define BYTE3WORD(w) ((w) & 0x000000ff)
+#endif
+
+typedef union {
+    PRUint32 w[4];
+    PRUint8  b[16];
+} rijndael_state;
+
+#define COLUMN_0(state) state.w[0]
+#define COLUMN_1(state) state.w[1]
+#define COLUMN_2(state) state.w[2]
+#define COLUMN_3(state) state.w[3]
+
+#define STATE_BYTE(i) state.b[i]
+
+static SECStatus 
+rijndael_encryptBlock128(AESContext *cx, 
+                         unsigned char *output,
+                         const unsigned char *input)
+{
+    unsigned int r;
+    PRUint32 *roundkeyw;
+    rijndael_state state;
+    PRUint32 C0, C1, C2, C3;
+#if defined(_X86_)
+#define pIn input
+#define pOut output
+#else
+    unsigned char *pIn, *pOut;
+    PRUint32 inBuf[4], outBuf[4];
+
+    if ((ptrdiff_t)input & 0x3) {
+	memcpy(inBuf, input, sizeof inBuf);
+	pIn = (unsigned char *)inBuf;
+    } else {
+	pIn = (unsigned char *)input;
+    }
+    if ((ptrdiff_t)output & 0x3) {
+	pOut = (unsigned char *)outBuf;
+    } else {
+	pOut = (unsigned char *)output;
+    }
+#endif
+    roundkeyw = cx->expandedKey;
+    /* Step 1: Add Round Key 0 to initial state */
+    COLUMN_0(state) = *((PRUint32 *)(pIn     )) ^ *roundkeyw++;
+    COLUMN_1(state) = *((PRUint32 *)(pIn + 4 )) ^ *roundkeyw++;
+    COLUMN_2(state) = *((PRUint32 *)(pIn + 8 )) ^ *roundkeyw++;
+    COLUMN_3(state) = *((PRUint32 *)(pIn + 12)) ^ *roundkeyw++;
+    /* Step 2: Loop over rounds [1..NR-1] */
+    for (r=1; r<cx->Nr; ++r) {
+        /* Do ShiftRow, ByteSub, and MixColumn all at once */
+	C0 = T0(STATE_BYTE(0))  ^
+	     T1(STATE_BYTE(5))  ^
+	     T2(STATE_BYTE(10)) ^
+	     T3(STATE_BYTE(15));
+	C1 = T0(STATE_BYTE(4))  ^
+	     T1(STATE_BYTE(9))  ^
+	     T2(STATE_BYTE(14)) ^
+	     T3(STATE_BYTE(3));
+	C2 = T0(STATE_BYTE(8))  ^
+	     T1(STATE_BYTE(13)) ^
+	     T2(STATE_BYTE(2))  ^
+	     T3(STATE_BYTE(7));
+	C3 = T0(STATE_BYTE(12)) ^
+	     T1(STATE_BYTE(1))  ^
+	     T2(STATE_BYTE(6))  ^
+	     T3(STATE_BYTE(11));
+	/* Round key addition */
+	COLUMN_0(state) = C0 ^ *roundkeyw++;
+	COLUMN_1(state) = C1 ^ *roundkeyw++;
+	COLUMN_2(state) = C2 ^ *roundkeyw++;
+	COLUMN_3(state) = C3 ^ *roundkeyw++;
+    }
+    /* Step 3: Do the last round */
+    /* Final round does not employ MixColumn */
+    C0 = ((BYTE0WORD(T2(STATE_BYTE(0))))   |
+          (BYTE1WORD(T3(STATE_BYTE(5))))   |
+          (BYTE2WORD(T0(STATE_BYTE(10))))  |
+          (BYTE3WORD(T1(STATE_BYTE(15)))))  ^
+          *roundkeyw++;
+    C1 = ((BYTE0WORD(T2(STATE_BYTE(4))))   |
+          (BYTE1WORD(T3(STATE_BYTE(9))))   |
+          (BYTE2WORD(T0(STATE_BYTE(14))))  |
+          (BYTE3WORD(T1(STATE_BYTE(3)))))   ^
+          *roundkeyw++;
+    C2 = ((BYTE0WORD(T2(STATE_BYTE(8))))   |
+          (BYTE1WORD(T3(STATE_BYTE(13))))  |
+          (BYTE2WORD(T0(STATE_BYTE(2))))   |
+          (BYTE3WORD(T1(STATE_BYTE(7)))))   ^
+          *roundkeyw++;
+    C3 = ((BYTE0WORD(T2(STATE_BYTE(12))))  |
+          (BYTE1WORD(T3(STATE_BYTE(1))))   |
+          (BYTE2WORD(T0(STATE_BYTE(6))))   |
+          (BYTE3WORD(T1(STATE_BYTE(11)))))  ^
+          *roundkeyw++;
+    *((PRUint32 *) pOut     )  = C0;
+    *((PRUint32 *)(pOut + 4))  = C1;
+    *((PRUint32 *)(pOut + 8))  = C2;
+    *((PRUint32 *)(pOut + 12)) = C3;
+#if defined(_X86_)
+#undef pIn
+#undef pOut
+#else
+    if ((ptrdiff_t)output & 0x3) {
+	memcpy(output, outBuf, sizeof outBuf);
+    }
+#endif
+    return SECSuccess;
+}
+
+static SECStatus 
+rijndael_decryptBlock128(AESContext *cx, 
+                         unsigned char *output,
+                         const unsigned char *input)
+{
+    int r;
+    PRUint32 *roundkeyw;
+    rijndael_state state;
+    PRUint32 C0, C1, C2, C3;
+#if defined(_X86_)
+#define pIn input
+#define pOut output
+#else
+    unsigned char *pIn, *pOut;
+    PRUint32 inBuf[4], outBuf[4];
+
+    if ((ptrdiff_t)input & 0x3) {
+	memcpy(inBuf, input, sizeof inBuf);
+	pIn = (unsigned char *)inBuf;
+    } else {
+	pIn = (unsigned char *)input;
+    }
+    if ((ptrdiff_t)output & 0x3) {
+	pOut = (unsigned char *)outBuf;
+    } else {
+	pOut = (unsigned char *)output;
+    }
+#endif
+    roundkeyw = cx->expandedKey + cx->Nb * cx->Nr + 3;
+    /* reverse the final key addition */
+    COLUMN_3(state) = *((PRUint32 *)(pIn + 12)) ^ *roundkeyw--;
+    COLUMN_2(state) = *((PRUint32 *)(pIn +  8)) ^ *roundkeyw--;
+    COLUMN_1(state) = *((PRUint32 *)(pIn +  4)) ^ *roundkeyw--;
+    COLUMN_0(state) = *((PRUint32 *)(pIn     )) ^ *roundkeyw--;
+    /* Loop over rounds in reverse [NR..1] */
+    for (r=cx->Nr; r>1; --r) {
+	/* Invert the (InvByteSub*InvMixColumn)(InvShiftRow(state)) */
+	C0 = TInv0(STATE_BYTE(0))  ^
+	     TInv1(STATE_BYTE(13)) ^
+	     TInv2(STATE_BYTE(10)) ^
+	     TInv3(STATE_BYTE(7));
+	C1 = TInv0(STATE_BYTE(4))  ^
+	     TInv1(STATE_BYTE(1))  ^
+	     TInv2(STATE_BYTE(14)) ^
+	     TInv3(STATE_BYTE(11));
+	C2 = TInv0(STATE_BYTE(8))  ^
+	     TInv1(STATE_BYTE(5))  ^
+	     TInv2(STATE_BYTE(2))  ^
+	     TInv3(STATE_BYTE(15));
+	C3 = TInv0(STATE_BYTE(12)) ^
+	     TInv1(STATE_BYTE(9))  ^
+	     TInv2(STATE_BYTE(6))  ^
+	     TInv3(STATE_BYTE(3));
+	/* Invert the key addition step */
+	COLUMN_3(state) = C3 ^ *roundkeyw--;
+	COLUMN_2(state) = C2 ^ *roundkeyw--;
+	COLUMN_1(state) = C1 ^ *roundkeyw--;
+	COLUMN_0(state) = C0 ^ *roundkeyw--;
+    }
+    /* inverse sub */
+    pOut[ 0] = SINV(STATE_BYTE( 0));
+    pOut[ 1] = SINV(STATE_BYTE(13));
+    pOut[ 2] = SINV(STATE_BYTE(10));
+    pOut[ 3] = SINV(STATE_BYTE( 7));
+    pOut[ 4] = SINV(STATE_BYTE( 4));
+    pOut[ 5] = SINV(STATE_BYTE( 1));
+    pOut[ 6] = SINV(STATE_BYTE(14));
+    pOut[ 7] = SINV(STATE_BYTE(11));
+    pOut[ 8] = SINV(STATE_BYTE( 8));
+    pOut[ 9] = SINV(STATE_BYTE( 5));
+    pOut[10] = SINV(STATE_BYTE( 2));
+    pOut[11] = SINV(STATE_BYTE(15));
+    pOut[12] = SINV(STATE_BYTE(12));
+    pOut[13] = SINV(STATE_BYTE( 9));
+    pOut[14] = SINV(STATE_BYTE( 6));
+    pOut[15] = SINV(STATE_BYTE( 3));
+    /* final key addition */
+    *((PRUint32 *)(pOut + 12)) ^= *roundkeyw--;
+    *((PRUint32 *)(pOut +  8)) ^= *roundkeyw--;
+    *((PRUint32 *)(pOut +  4)) ^= *roundkeyw--;
+    *((PRUint32 *) pOut      ) ^= *roundkeyw--;
+#if defined(_X86_)
+#undef pIn
+#undef pOut
+#else
+    if ((ptrdiff_t)output & 0x3) {
+	memcpy(output, outBuf, sizeof outBuf);
+    }
+#endif
+    return SECSuccess;
+}
+
+/**************************************************************************
+ *
+ * Stuff related to general Rijndael encryption/decryption, for blocksizes
+ * greater than 128 bits.
+ *
+ * XXX This code is currently untested!  So far, AES specs have only been
+ *     released for 128 bit blocksizes.  This will be tested, but for now
+ *     only the code above has been tested using known values.
+ *
+ *************************************************************************/
+
+#define COLUMN(array, j) *((PRUint32 *)(array + j))
+
+SECStatus 
+rijndael_encryptBlock(AESContext *cx, 
+                      unsigned char *output,
+                      const unsigned char *input)
+{
+    return SECFailure;
+#ifdef rijndael_large_blocks_fixed
+    unsigned int j, r, Nb;
+    unsigned int c2=0, c3=0;
+    PRUint32 *roundkeyw;
+    PRUint8 clone[RIJNDAEL_MAX_STATE_SIZE];
+    Nb = cx->Nb;
+    roundkeyw = cx->expandedKey;
+    /* Step 1: Add Round Key 0 to initial state */
+    for (j=0; j<4*Nb; j+=4) {
+	COLUMN(clone, j) = COLUMN(input, j) ^ *roundkeyw++;
+    }
+    /* Step 2: Loop over rounds [1..NR-1] */
+    for (r=1; r<cx->Nr; ++r) {
+	for (j=0; j<Nb; ++j) {
+	    COLUMN(output, j) = T0(STATE_BYTE(4*  j          )) ^
+	                        T1(STATE_BYTE(4*((j+ 1)%Nb)+1)) ^
+	                        T2(STATE_BYTE(4*((j+c2)%Nb)+2)) ^
+	                        T3(STATE_BYTE(4*((j+c3)%Nb)+3));
+	}
+	for (j=0; j<4*Nb; j+=4) {
+	    COLUMN(clone, j) = COLUMN(output, j) ^ *roundkeyw++;
+	}
+    }
+    /* Step 3: Do the last round */
+    /* Final round does not employ MixColumn */
+    for (j=0; j<Nb; ++j) {
+	COLUMN(output, j) = ((BYTE0WORD(T2(STATE_BYTE(4* j         ))))  |
+                             (BYTE1WORD(T3(STATE_BYTE(4*(j+ 1)%Nb)+1)))  |
+                             (BYTE2WORD(T0(STATE_BYTE(4*(j+c2)%Nb)+2)))  |
+                             (BYTE3WORD(T1(STATE_BYTE(4*(j+c3)%Nb)+3)))) ^
+	                     *roundkeyw++;
+    }
+    return SECSuccess;
+#endif
+}
+
+SECStatus 
+rijndael_decryptBlock(AESContext *cx, 
+                      unsigned char *output,
+                      const unsigned char *input)
+{
+    return SECFailure;
+#ifdef rijndael_large_blocks_fixed
+    int j, r, Nb;
+    int c2=0, c3=0;
+    PRUint32 *roundkeyw;
+    PRUint8 clone[RIJNDAEL_MAX_STATE_SIZE];
+    Nb = cx->Nb;
+    roundkeyw = cx->expandedKey + cx->Nb * cx->Nr + 3;
+    /* reverse key addition */
+    for (j=4*Nb; j>=0; j-=4) {
+	COLUMN(clone, j) = COLUMN(input, j) ^ *roundkeyw--;
+    }
+    /* Loop over rounds in reverse [NR..1] */
+    for (r=cx->Nr; r>1; --r) {
+	/* Invert the (InvByteSub*InvMixColumn)(InvShiftRow(state)) */
+	for (j=0; j<Nb; ++j) {
+	    COLUMN(output, 4*j) = TInv0(STATE_BYTE(4* j            )) ^
+	                          TInv1(STATE_BYTE(4*(j+Nb- 1)%Nb)+1) ^
+	                          TInv2(STATE_BYTE(4*(j+Nb-c2)%Nb)+2) ^
+	                          TInv3(STATE_BYTE(4*(j+Nb-c3)%Nb)+3);
+	}
+	/* Invert the key addition step */
+	for (j=4*Nb; j>=0; j-=4) {
+	    COLUMN(clone, j) = COLUMN(output, j) ^ *roundkeyw--;
+	}
+    }
+    /* inverse sub */
+    for (j=0; j<4*Nb; ++j) {
+	output[j] = SINV(clone[j]);
+    }
+    /* final key addition */
+    for (j=4*Nb; j>=0; j-=4) {
+	COLUMN(output, j) ^= *roundkeyw--;
+    }
+    return SECSuccess;
+#endif
+}
+
+/**************************************************************************
+ *
+ *  Rijndael modes of operation (ECB and CBC)
+ *
+ *************************************************************************/
+
+static SECStatus 
+rijndael_encryptECB(AESContext *cx, unsigned char *output,
+                    unsigned int *outputLen, unsigned int maxOutputLen,
+                    const unsigned char *input, unsigned int inputLen, 
+                    int blocksize)
+{
+    SECStatus rv;
+    AESBlockFunc *encryptor;
+    encryptor = (blocksize == RIJNDAEL_MIN_BLOCKSIZE) 
+				  ? &rijndael_encryptBlock128 
+				  : &rijndael_encryptBlock;
+    while (inputLen > 0) {
+        rv = (*encryptor)(cx, output, input);
+	if (rv != SECSuccess)
+	    return rv;
+	output += blocksize;
+	input += blocksize;
+	inputLen -= blocksize;
+    }
+    return SECSuccess;
+}
+
+static SECStatus 
+rijndael_encryptCBC(AESContext *cx, unsigned char *output,
+                    unsigned int *outputLen, unsigned int maxOutputLen,
+                    const unsigned char *input, unsigned int inputLen, 
+                    int blocksize)
+{
+    int j;
+    SECStatus rv;
+    AESBlockFunc *encryptor;
+    unsigned char *lastblock;
+    unsigned char inblock[RIJNDAEL_MAX_STATE_SIZE * 8];
+
+    if (!inputLen)
+	return SECSuccess;
+    lastblock = cx->iv;
+    encryptor = (blocksize == RIJNDAEL_MIN_BLOCKSIZE) 
+				  ? &rijndael_encryptBlock128 
+				  : &rijndael_encryptBlock;
+    while (inputLen > 0) {
+	/* XOR with the last block (IV if first block) */
+	for (j=0; j<blocksize; ++j)
+	    inblock[j] = input[j] ^ lastblock[j];
+	/* encrypt */
+        rv = (*encryptor)(cx, output, inblock);
+	if (rv != SECSuccess)
+	    return rv;
+	/* move to the next block */
+	lastblock = output;
+	output += blocksize;
+	input += blocksize;
+	inputLen -= blocksize;
+    }
+    memcpy(cx->iv, lastblock, blocksize);
+    return SECSuccess;
+}
+
+static SECStatus 
+rijndael_decryptECB(AESContext *cx, unsigned char *output,
+                    unsigned int *outputLen, unsigned int maxOutputLen,
+                    const unsigned char *input, unsigned int inputLen, 
+                    int blocksize)
+{
+    SECStatus rv;
+    AESBlockFunc *decryptor;
+    decryptor = (blocksize == RIJNDAEL_MIN_BLOCKSIZE) 
+				  ? &rijndael_decryptBlock128 
+				  : &rijndael_decryptBlock;
+    while (inputLen > 0) {
+        rv = (*decryptor)(cx, output, input);
+	if (rv != SECSuccess)
+	    return rv;
+	output += blocksize;
+	input += blocksize;
+	inputLen -= blocksize;
+    }
+    return SECSuccess;
+}
+
+static SECStatus 
+rijndael_decryptCBC(AESContext *cx, unsigned char *output,
+                    unsigned int *outputLen, unsigned int maxOutputLen,
+                    const unsigned char *input, unsigned int inputLen, 
+                    int blocksize)
+{
+    SECStatus rv;
+    AESBlockFunc *decryptor;
+    const unsigned char *in;
+    unsigned char *out;
+    int j;
+    unsigned char newIV[RIJNDAEL_MAX_BLOCKSIZE];
+
+    if (!inputLen) 
+	return SECSuccess;
+    PORT_Assert(output - input >= 0 || input - output >= (int)inputLen );
+    decryptor = (blocksize == RIJNDAEL_MIN_BLOCKSIZE) 
+                                  ? &rijndael_decryptBlock128 
+				  : &rijndael_decryptBlock;
+    in  = input  + (inputLen - blocksize);
+    memcpy(newIV, in, blocksize);
+    out = output + (inputLen - blocksize);
+    while (inputLen > blocksize) {
+        rv = (*decryptor)(cx, out, in);
+	if (rv != SECSuccess)
+	    return rv;
+	for (j=0; j<blocksize; ++j)
+	    out[j] ^= in[j - blocksize];
+	out -= blocksize;
+	in -= blocksize;
+	inputLen -= blocksize;
+    }
+    if (in == input) {
+        rv = (*decryptor)(cx, out, in);
+	if (rv != SECSuccess)
+	    return rv;
+	for (j=0; j<blocksize; ++j)
+	    out[j] ^= cx->iv[j];
+    }
+    memcpy(cx->iv, newIV, blocksize);
+    return SECSuccess;
+}
+
+/************************************************************************
+ *
+ * BLAPI Interface functions
+ *
+ * The following functions implement the encryption routines defined in
+ * BLAPI for the AES cipher, Rijndael.
+ *
+ ***********************************************************************/
+
+/* AES_CreateContext
+ *
+ * create a new context for Rijndael operations
+ */
+AESContext *
+AES_CreateContext(unsigned char *key, unsigned char *iv, int mode, int encrypt,
+                  unsigned int keysize, unsigned int blocksize)
+{
+    AESContext *cx;
+    unsigned int Nk;
+    /* According to Rijndael AES Proposal, section 12.1, block and key
+     * lengths between 128 and 256 bits are supported, as long as the
+     * length in bytes is divisible by 4.
+     */
+    if (key == NULL || 
+        keysize < RIJNDAEL_MIN_BLOCKSIZE   || 
+	keysize > RIJNDAEL_MAX_BLOCKSIZE   || 
+	keysize % 4 != 0 ||
+        blocksize < RIJNDAEL_MIN_BLOCKSIZE || 
+	blocksize > RIJNDAEL_MAX_BLOCKSIZE || 
+	blocksize % 4 != 0) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    if (mode != NSS_AES && mode != NSS_AES_CBC) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    if (mode == NSS_AES_CBC && iv == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    cx = PORT_ZNew(AESContext);
+    if (!cx) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+    	return NULL;
+    }
+    /* Nb = (block size in bits) / 32 */
+    cx->Nb = blocksize / 4;
+    /* Nk = (key size in bits) / 32 */
+    Nk = keysize / 4;
+    /* Obtain number of rounds from "table" */
+    cx->Nr = RIJNDAEL_NUM_ROUNDS(Nk, cx->Nb);
+    /* copy in the iv, if neccessary */
+    if (mode == NSS_AES_CBC) {
+	memcpy(cx->iv, iv, blocksize);
+	cx->worker = (encrypt) ? &rijndael_encryptCBC : &rijndael_decryptCBC;
+    } else {
+	cx->worker = (encrypt) ? &rijndael_encryptECB : &rijndael_decryptECB;
+    }
+    /* Allocate memory for the expanded key */
+    cx->expandedKey = PORT_ZNewArray(PRUint32, cx->Nb * (cx->Nr + 1));
+    if (!cx->expandedKey) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto cleanup;
+    }
+    /* Generate expanded key */
+    if (encrypt) {
+	if (rijndael_key_expansion(cx, key, Nk) != SECSuccess)
+	    goto cleanup;
+    } else {
+	if (rijndael_invkey_expansion(cx, key, Nk) != SECSuccess)
+	    goto cleanup;
+    }
+    return cx;
+cleanup:
+    if (cx->expandedKey)
+	PORT_ZFree(cx->expandedKey, cx->Nb * (cx->Nr + 1));
+    PORT_ZFree(cx, sizeof *cx);
+    return NULL;
+}
+
+/*
+ * AES_DestroyContext
+ * 
+ * Zero an AES cipher context.  If freeit is true, also free the pointer
+ * to the context.
+ */
+void 
+AES_DestroyContext(AESContext *cx, PRBool freeit)
+{
+    PORT_ZFree(cx->expandedKey, cx->Nb * (cx->Nr + 1));
+    memset(cx, 0, sizeof *cx);
+    if (freeit)
+	PORT_Free(cx);
+}
+
+/*
+ * AES_Encrypt
+ *
+ * Encrypt an arbitrary-length buffer.  The output buffer must already be
+ * allocated to at least inputLen.
+ */
+SECStatus 
+AES_Encrypt(AESContext *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen)
+{
+    int blocksize;
+    /* Check args */
+    if (cx == NULL || output == NULL || input == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    blocksize = 4 * cx->Nb;
+    if (inputLen % blocksize != 0) {
+	PORT_SetError(SEC_ERROR_INPUT_LEN);
+	return SECFailure;
+    }
+    if (maxOutputLen < inputLen) {
+	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+	return SECFailure;
+    }
+    *outputLen = inputLen;
+#if defined(RIJNDAEL_GENERATE_TABLES) ||  \
+    defined(RIJNDAEL_GENERATE_TABLES_MACRO)
+    if (rijndaelTables == NULL) {
+	if (PR_CallOnce(&coRTInit, init_rijndael_tables) 
+	      != PR_SUCCESS) {
+	    return PR_FAILURE;
+	}
+    }
+#endif
+    return (*cx->worker)(cx, output, outputLen, maxOutputLen,	
+                             input, inputLen, blocksize);
+}
+
+/*
+ * AES_Decrypt
+ *
+ * Decrypt and arbitrary-length buffer.  The output buffer must already be
+ * allocated to at least inputLen.
+ */
+SECStatus 
+AES_Decrypt(AESContext *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen)
+{
+    int blocksize;
+    /* Check args */
+    if (cx == NULL || output == NULL || input == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    blocksize = 4 * cx->Nb;
+    if (inputLen % blocksize != 0) {
+	PORT_SetError(SEC_ERROR_INPUT_LEN);
+	return SECFailure;
+    }
+    if (maxOutputLen < inputLen) {
+	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+	return SECFailure;
+    }
+    *outputLen = inputLen;
+#if defined(RIJNDAEL_GENERATE_TABLES) ||  \
+    defined(RIJNDAEL_GENERATE_TABLES_MACRO)
+    if (rijndaelTables == NULL) {
+	if (PR_CallOnce(&coRTInit, init_rijndael_tables) 
+	      != PR_SUCCESS) {
+	    return PR_FAILURE;
+	}
+    }
+#endif
+    return (*cx->worker)(cx, output, outputLen, maxOutputLen,	
+                             input, inputLen, blocksize);
+}
+
diff --git a/security/nss/lib/freebl/rijndael.h b/security/nss/lib/freebl/rijndael.h
new file mode 100644
index 000000000..2a928ae4f
--- /dev/null
+++ b/security/nss/lib/freebl/rijndael.h
@@ -0,0 +1,86 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#ifndef _RIJNDAEL_H_
+#define _RIJNDAEL_H_ 1
+
+#define RIJNDAEL_MIN_BLOCKSIZE 16 /* bytes */
+#define RIJNDAEL_MAX_BLOCKSIZE 32 /* bytes */
+
+typedef SECStatus AESFunc(AESContext *cx, unsigned char *output,
+                          unsigned int *outputLen, unsigned int maxOutputLen,
+                          const unsigned char *input, unsigned int inputLen, 
+                          int blocksize);
+
+typedef SECStatus AESBlockFunc(AESContext *cx, 
+                               unsigned char *output,
+                               const unsigned char *input);
+
+/* AESContextStr
+ *
+ * Values which maintain the state for Rijndael encryption/decryption.
+ *
+ * iv          - initialization vector for CBC mode
+ * Nb          - the number of bytes in a block, specified by user
+ * Nr          - the number of rounds, specified by a table
+ * expandedKey - the round keys in 4-byte words, the length is Nr * Nb
+ * worker      - the encryption/decryption function to use with this context
+ */
+struct AESContextStr
+{
+    unsigned int   Nb;
+    unsigned int   Nr;
+    PRUint32      *expandedKey;
+    AESFunc       *worker;
+    unsigned char iv[RIJNDAEL_MAX_BLOCKSIZE];
+};
+
+/* RIJNDAEL_NUM_ROUNDS
+ *
+ * Number of rounds per execution
+ * Nk - number of key bytes
+ * Nb - blocksize (in bytes)
+ */
+#define RIJNDAEL_NUM_ROUNDS(Nk, Nb) \
+    (PR_MAX(Nk, Nb) + 6)
+
+/* RIJNDAEL_NUM_ROUNDS
+ *
+ * Maximum number of bytes in the state (spec includes up to 256-bit block
+ * size)
+ */
+#define RIJNDAEL_MAX_STATE_SIZE 32
+
+#endif /* _RIJNDAEL_H_ */
diff --git a/security/nss/lib/freebl/rijndael32.tab b/security/nss/lib/freebl/rijndael32.tab
new file mode 100644
index 000000000..6b78e2e8b
--- /dev/null
+++ b/security/nss/lib/freebl/rijndael32.tab
@@ -0,0 +1,1215 @@
+#ifndef RIJNDAEL_INCLUDE_TABLES
+static const PRUint8 _S[256] = 
+{
+ 99, 124, 119, 123, 242, 107, 111, 197,  48,   1, 103,  43, 254, 215, 171, 118,
+202, 130, 201, 125, 250,  89,  71, 240, 173, 212, 162, 175, 156, 164, 114, 192,
+183, 253, 147,  38,  54,  63, 247, 204,  52, 165, 229, 241, 113, 216,  49,  21,
+  4, 199,  35, 195,  24, 150,   5, 154,   7,  18, 128, 226, 235,  39, 178, 117,
+  9, 131,  44,  26,  27, 110,  90, 160,  82,  59, 214, 179,  41, 227,  47, 132,
+ 83, 209,   0, 237,  32, 252, 177,  91, 106, 203, 190,  57,  74,  76,  88, 207,
+208, 239, 170, 251,  67,  77,  51, 133,  69, 249,   2, 127,  80,  60, 159, 168,
+ 81, 163,  64, 143, 146, 157,  56, 245, 188, 182, 218,  33,  16, 255, 243, 210,
+205,  12,  19, 236,  95, 151,  68,  23, 196, 167, 126,  61, 100,  93,  25, 115,
+ 96, 129,  79, 220,  34,  42, 144, 136,  70, 238, 184,  20, 222,  94,  11, 219,
+224,  50,  58,  10,  73,   6,  36,  92, 194, 211, 172,  98, 145, 149, 228, 121,
+231, 200,  55, 109, 141, 213,  78, 169, 108,  86, 244, 234, 101, 122, 174,   8,
+186, 120,  37,  46,  28, 166, 180, 198, 232, 221, 116,  31,  75, 189, 139, 138,
+112,  62, 181, 102,  72,   3, 246,  14,  97,  53,  87, 185, 134, 193,  29, 158,
+225, 248, 152,  17, 105, 217, 142, 148, 155,  30, 135, 233, 206,  85,  40, 223,
+140, 161, 137,  13, 191, 230,  66, 104,  65, 153,  45,  15, 176,  84, 187,  22 
+};
+#endif /* not RIJNDAEL_INCLUDE_TABLES */
+
+static const PRUint8 _SInv[256] = 
+{
+ 82,   9, 106, 213,  48,  54, 165,  56, 191,  64, 163, 158, 129, 243, 215, 251,
+124, 227,  57, 130, 155,  47, 255, 135,  52, 142,  67,  68, 196, 222, 233, 203,
+ 84, 123, 148,  50, 166, 194,  35,  61, 238,  76, 149,  11,  66, 250, 195,  78,
+  8,  46, 161, 102,  40, 217,  36, 178, 118,  91, 162,  73, 109, 139, 209,  37,
+114, 248, 246, 100, 134, 104, 152,  22, 212, 164,  92, 204,  93, 101, 182, 146,
+108, 112,  72,  80, 253, 237, 185, 218,  94,  21,  70,  87, 167, 141, 157, 132,
+144, 216, 171,   0, 140, 188, 211,  10, 247, 228,  88,   5, 184, 179,  69,   6,
+208,  44,  30, 143, 202,  63,  15,   2, 193, 175, 189,   3,   1,  19, 138, 107,
+ 58, 145,  17,  65,  79, 103, 220, 234, 151, 242, 207, 206, 240, 180, 230, 115,
+150, 172, 116,  34, 231, 173,  53, 133, 226, 249,  55, 232,  28, 117, 223, 110,
+ 71, 241,  26, 113,  29,  41, 197, 137, 111, 183,  98,  14, 170,  24, 190,  27,
+252,  86,  62,  75, 198, 210, 121,  32, 154, 219, 192, 254, 120, 205,  90, 244,
+ 31, 221, 168,  51, 136,   7, 199,  49, 177,  18,  16,  89,  39, 128, 236,  95,
+ 96,  81, 127, 169,  25, 181,  74,  13,  45, 229, 122, 159, 147, 201, 156, 239,
+160, 224,  59,  77, 174,  42, 245, 176, 200, 235, 187,  60, 131,  83, 153,  97,
+ 23,  43,   4, 126, 186, 119, 214,  38, 225, 105,  20,  99,  85,  33,  12, 125 
+};
+
+#ifdef RIJNDAEL_INCLUDE_TABLES
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _T0[256] = 
+{
+0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, 0x0df2f2ff, 0xbd6b6bd6,
+0xb16f6fde, 0x54c5c591, 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56,
+0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, 0x45caca8f, 0x9d82821f,
+0x40c9c989, 0x877d7dfa, 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb,
+0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, 0xbf9c9c23, 0xf7a4a453,
+0x967272e4, 0x5bc0c09b, 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c,
+0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, 0x5c343468, 0xf4a5a551,
+0x34e5e5d1, 0x08f1f1f9, 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a,
+0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, 0x28181830, 0xa1969637,
+0x0f05050a, 0xb59a9a2f, 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df,
+0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea, 0x1b090912, 0x9e83831d,
+0x742c2c58, 0x2e1a1a34, 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b,
+0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, 0x7b292952, 0x3ee3e3dd,
+0x712f2f5e, 0x97848413, 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1,
+0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, 0xbe6a6ad4, 0x46cbcb8d,
+0xd9bebe67, 0x4b393972, 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85,
+0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, 0xc5434386, 0xd74d4d9a,
+0x55333366, 0x94858511, 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe,
+0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, 0xf35151a2, 0xfea3a35d,
+0xc0404080, 0x8a8f8f05, 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1,
+0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, 0x30101020, 0x1affffe5,
+0x0ef3f3fd, 0x6dd2d2bf, 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3,
+0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e, 0x57c4c493, 0xf2a7a755,
+0x827e7efc, 0x473d3d7a, 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6,
+0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, 0x66222244, 0x7e2a2a54,
+0xab90903b, 0x8388880b, 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428,
+0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, 0x3be0e0db, 0x56323264,
+0x4e3a3a74, 0x1e0a0a14, 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8,
+0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, 0xa8919139, 0xa4959531,
+0x37e4e4d3, 0x8b7979f2, 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda,
+0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, 0xb46c6cd8, 0xfa5656ac,
+0x07f4f4f3, 0x25eaeacf, 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810,
+0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, 0x241c1c38, 0xf1a6a657,
+0xc7b4b473, 0x51c6c697, 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e,
+0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, 0x907070e0, 0x423e3e7c,
+0xc4b5b571, 0xaa6666cc, 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c,
+0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, 0x91868617, 0x58c1c199,
+0x271d1d3a, 0xb99e9e27, 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122,
+0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433, 0xb69b9b2d, 0x221e1e3c,
+0x92878715, 0x20e9e9c9, 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5,
+0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, 0xdabfbf65, 0x31e6e6d7,
+0xc6424284, 0xb86868d0, 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e,
+0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c  
+};
+#else
+static const PRUint32 _T0[256] = 
+{
+0xc66363a5, 0xf87c7c84, 0xee777799, 0xf67b7b8d, 0xfff2f20d, 0xd66b6bbd,
+0xde6f6fb1, 0x91c5c554, 0x60303050, 0x02010103, 0xce6767a9, 0x562b2b7d,
+0xe7fefe19, 0xb5d7d762, 0x4dababe6, 0xec76769a, 0x8fcaca45, 0x1f82829d,
+0x89c9c940, 0xfa7d7d87, 0xeffafa15, 0xb25959eb, 0x8e4747c9, 0xfbf0f00b,
+0x41adadec, 0xb3d4d467, 0x5fa2a2fd, 0x45afafea, 0x239c9cbf, 0x53a4a4f7,
+0xe4727296, 0x9bc0c05b, 0x75b7b7c2, 0xe1fdfd1c, 0x3d9393ae, 0x4c26266a,
+0x6c36365a, 0x7e3f3f41, 0xf5f7f702, 0x83cccc4f, 0x6834345c, 0x51a5a5f4,
+0xd1e5e534, 0xf9f1f108, 0xe2717193, 0xabd8d873, 0x62313153, 0x2a15153f,
+0x0804040c, 0x95c7c752, 0x46232365, 0x9dc3c35e, 0x30181828, 0x379696a1,
+0x0a05050f, 0x2f9a9ab5, 0x0e070709, 0x24121236, 0x1b80809b, 0xdfe2e23d,
+0xcdebeb26, 0x4e272769, 0x7fb2b2cd, 0xea75759f, 0x1209091b, 0x1d83839e,
+0x582c2c74, 0x341a1a2e, 0x361b1b2d, 0xdc6e6eb2, 0xb45a5aee, 0x5ba0a0fb,
+0xa45252f6, 0x763b3b4d, 0xb7d6d661, 0x7db3b3ce, 0x5229297b, 0xdde3e33e,
+0x5e2f2f71, 0x13848497, 0xa65353f5, 0xb9d1d168, 0x00000000, 0xc1eded2c,
+0x40202060, 0xe3fcfc1f, 0x79b1b1c8, 0xb65b5bed, 0xd46a6abe, 0x8dcbcb46,
+0x67bebed9, 0x7239394b, 0x944a4ade, 0x984c4cd4, 0xb05858e8, 0x85cfcf4a,
+0xbbd0d06b, 0xc5efef2a, 0x4faaaae5, 0xedfbfb16, 0x864343c5, 0x9a4d4dd7,
+0x66333355, 0x11858594, 0x8a4545cf, 0xe9f9f910, 0x04020206, 0xfe7f7f81,
+0xa05050f0, 0x783c3c44, 0x259f9fba, 0x4ba8a8e3, 0xa25151f3, 0x5da3a3fe,
+0x804040c0, 0x058f8f8a, 0x3f9292ad, 0x219d9dbc, 0x70383848, 0xf1f5f504,
+0x63bcbcdf, 0x77b6b6c1, 0xafdada75, 0x42212163, 0x20101030, 0xe5ffff1a,
+0xfdf3f30e, 0xbfd2d26d, 0x81cdcd4c, 0x180c0c14, 0x26131335, 0xc3ecec2f,
+0xbe5f5fe1, 0x359797a2, 0x884444cc, 0x2e171739, 0x93c4c457, 0x55a7a7f2,
+0xfc7e7e82, 0x7a3d3d47, 0xc86464ac, 0xba5d5de7, 0x3219192b, 0xe6737395,
+0xc06060a0, 0x19818198, 0x9e4f4fd1, 0xa3dcdc7f, 0x44222266, 0x542a2a7e,
+0x3b9090ab, 0x0b888883, 0x8c4646ca, 0xc7eeee29, 0x6bb8b8d3, 0x2814143c,
+0xa7dede79, 0xbc5e5ee2, 0x160b0b1d, 0xaddbdb76, 0xdbe0e03b, 0x64323256,
+0x743a3a4e, 0x140a0a1e, 0x924949db, 0x0c06060a, 0x4824246c, 0xb85c5ce4,
+0x9fc2c25d, 0xbdd3d36e, 0x43acacef, 0xc46262a6, 0x399191a8, 0x319595a4,
+0xd3e4e437, 0xf279798b, 0xd5e7e732, 0x8bc8c843, 0x6e373759, 0xda6d6db7,
+0x018d8d8c, 0xb1d5d564, 0x9c4e4ed2, 0x49a9a9e0, 0xd86c6cb4, 0xac5656fa,
+0xf3f4f407, 0xcfeaea25, 0xca6565af, 0xf47a7a8e, 0x47aeaee9, 0x10080818,
+0x6fbabad5, 0xf0787888, 0x4a25256f, 0x5c2e2e72, 0x381c1c24, 0x57a6a6f1,
+0x73b4b4c7, 0x97c6c651, 0xcbe8e823, 0xa1dddd7c, 0xe874749c, 0x3e1f1f21,
+0x964b4bdd, 0x61bdbddc, 0x0d8b8b86, 0x0f8a8a85, 0xe0707090, 0x7c3e3e42,
+0x71b5b5c4, 0xcc6666aa, 0x904848d8, 0x06030305, 0xf7f6f601, 0x1c0e0e12,
+0xc26161a3, 0x6a35355f, 0xae5757f9, 0x69b9b9d0, 0x17868691, 0x99c1c158,
+0x3a1d1d27, 0x279e9eb9, 0xd9e1e138, 0xebf8f813, 0x2b9898b3, 0x22111133,
+0xd26969bb, 0xa9d9d970, 0x078e8e89, 0x339494a7, 0x2d9b9bb6, 0x3c1e1e22,
+0x15878792, 0xc9e9e920, 0x87cece49, 0xaa5555ff, 0x50282878, 0xa5dfdf7a,
+0x038c8c8f, 0x59a1a1f8, 0x09898980, 0x1a0d0d17, 0x65bfbfda, 0xd7e6e631,
+0x844242c6, 0xd06868b8, 0x824141c3, 0x299999b0, 0x5a2d2d77, 0x1e0f0f11,
+0x7bb0b0cb, 0xa85454fc, 0x6dbbbbd6, 0x2c16163a  
+};
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _T1[256] = 
+{
+0x6363c6a5, 0x7c7cf884, 0x7777ee99, 0x7b7bf68d, 0xf2f2ff0d, 0x6b6bd6bd,
+0x6f6fdeb1, 0xc5c59154, 0x30306050, 0x01010203, 0x6767cea9, 0x2b2b567d,
+0xfefee719, 0xd7d7b562, 0xabab4de6, 0x7676ec9a, 0xcaca8f45, 0x82821f9d,
+0xc9c98940, 0x7d7dfa87, 0xfafaef15, 0x5959b2eb, 0x47478ec9, 0xf0f0fb0b,
+0xadad41ec, 0xd4d4b367, 0xa2a25ffd, 0xafaf45ea, 0x9c9c23bf, 0xa4a453f7,
+0x7272e496, 0xc0c09b5b, 0xb7b775c2, 0xfdfde11c, 0x93933dae, 0x26264c6a,
+0x36366c5a, 0x3f3f7e41, 0xf7f7f502, 0xcccc834f, 0x3434685c, 0xa5a551f4,
+0xe5e5d134, 0xf1f1f908, 0x7171e293, 0xd8d8ab73, 0x31316253, 0x15152a3f,
+0x0404080c, 0xc7c79552, 0x23234665, 0xc3c39d5e, 0x18183028, 0x969637a1,
+0x05050a0f, 0x9a9a2fb5, 0x07070e09, 0x12122436, 0x80801b9b, 0xe2e2df3d,
+0xebebcd26, 0x27274e69, 0xb2b27fcd, 0x7575ea9f, 0x0909121b, 0x83831d9e,
+0x2c2c5874, 0x1a1a342e, 0x1b1b362d, 0x6e6edcb2, 0x5a5ab4ee, 0xa0a05bfb,
+0x5252a4f6, 0x3b3b764d, 0xd6d6b761, 0xb3b37dce, 0x2929527b, 0xe3e3dd3e,
+0x2f2f5e71, 0x84841397, 0x5353a6f5, 0xd1d1b968, 0x00000000, 0xededc12c,
+0x20204060, 0xfcfce31f, 0xb1b179c8, 0x5b5bb6ed, 0x6a6ad4be, 0xcbcb8d46,
+0xbebe67d9, 0x3939724b, 0x4a4a94de, 0x4c4c98d4, 0x5858b0e8, 0xcfcf854a,
+0xd0d0bb6b, 0xefefc52a, 0xaaaa4fe5, 0xfbfbed16, 0x434386c5, 0x4d4d9ad7,
+0x33336655, 0x85851194, 0x45458acf, 0xf9f9e910, 0x02020406, 0x7f7ffe81,
+0x5050a0f0, 0x3c3c7844, 0x9f9f25ba, 0xa8a84be3, 0x5151a2f3, 0xa3a35dfe,
+0x404080c0, 0x8f8f058a, 0x92923fad, 0x9d9d21bc, 0x38387048, 0xf5f5f104,
+0xbcbc63df, 0xb6b677c1, 0xdadaaf75, 0x21214263, 0x10102030, 0xffffe51a,
+0xf3f3fd0e, 0xd2d2bf6d, 0xcdcd814c, 0x0c0c1814, 0x13132635, 0xececc32f,
+0x5f5fbee1, 0x979735a2, 0x444488cc, 0x17172e39, 0xc4c49357, 0xa7a755f2,
+0x7e7efc82, 0x3d3d7a47, 0x6464c8ac, 0x5d5dbae7, 0x1919322b, 0x7373e695,
+0x6060c0a0, 0x81811998, 0x4f4f9ed1, 0xdcdca37f, 0x22224466, 0x2a2a547e,
+0x90903bab, 0x88880b83, 0x46468cca, 0xeeeec729, 0xb8b86bd3, 0x1414283c,
+0xdedea779, 0x5e5ebce2, 0x0b0b161d, 0xdbdbad76, 0xe0e0db3b, 0x32326456,
+0x3a3a744e, 0x0a0a141e, 0x494992db, 0x06060c0a, 0x2424486c, 0x5c5cb8e4,
+0xc2c29f5d, 0xd3d3bd6e, 0xacac43ef, 0x6262c4a6, 0x919139a8, 0x959531a4,
+0xe4e4d337, 0x7979f28b, 0xe7e7d532, 0xc8c88b43, 0x37376e59, 0x6d6ddab7,
+0x8d8d018c, 0xd5d5b164, 0x4e4e9cd2, 0xa9a949e0, 0x6c6cd8b4, 0x5656acfa,
+0xf4f4f307, 0xeaeacf25, 0x6565caaf, 0x7a7af48e, 0xaeae47e9, 0x08081018,
+0xbaba6fd5, 0x7878f088, 0x25254a6f, 0x2e2e5c72, 0x1c1c3824, 0xa6a657f1,
+0xb4b473c7, 0xc6c69751, 0xe8e8cb23, 0xdddda17c, 0x7474e89c, 0x1f1f3e21,
+0x4b4b96dd, 0xbdbd61dc, 0x8b8b0d86, 0x8a8a0f85, 0x7070e090, 0x3e3e7c42,
+0xb5b571c4, 0x6666ccaa, 0x484890d8, 0x03030605, 0xf6f6f701, 0x0e0e1c12,
+0x6161c2a3, 0x35356a5f, 0x5757aef9, 0xb9b969d0, 0x86861791, 0xc1c19958,
+0x1d1d3a27, 0x9e9e27b9, 0xe1e1d938, 0xf8f8eb13, 0x98982bb3, 0x11112233,
+0x6969d2bb, 0xd9d9a970, 0x8e8e0789, 0x949433a7, 0x9b9b2db6, 0x1e1e3c22,
+0x87871592, 0xe9e9c920, 0xcece8749, 0x5555aaff, 0x28285078, 0xdfdfa57a,
+0x8c8c038f, 0xa1a159f8, 0x89890980, 0x0d0d1a17, 0xbfbf65da, 0xe6e6d731,
+0x424284c6, 0x6868d0b8, 0x414182c3, 0x999929b0, 0x2d2d5a77, 0x0f0f1e11,
+0xb0b07bcb, 0x5454a8fc, 0xbbbb6dd6, 0x16162c3a  
+};
+#else
+static const PRUint32 _T1[256] = 
+{
+0xa5c66363, 0x84f87c7c, 0x99ee7777, 0x8df67b7b, 0x0dfff2f2, 0xbdd66b6b,
+0xb1de6f6f, 0x5491c5c5, 0x50603030, 0x03020101, 0xa9ce6767, 0x7d562b2b,
+0x19e7fefe, 0x62b5d7d7, 0xe64dabab, 0x9aec7676, 0x458fcaca, 0x9d1f8282,
+0x4089c9c9, 0x87fa7d7d, 0x15effafa, 0xebb25959, 0xc98e4747, 0x0bfbf0f0,
+0xec41adad, 0x67b3d4d4, 0xfd5fa2a2, 0xea45afaf, 0xbf239c9c, 0xf753a4a4,
+0x96e47272, 0x5b9bc0c0, 0xc275b7b7, 0x1ce1fdfd, 0xae3d9393, 0x6a4c2626,
+0x5a6c3636, 0x417e3f3f, 0x02f5f7f7, 0x4f83cccc, 0x5c683434, 0xf451a5a5,
+0x34d1e5e5, 0x08f9f1f1, 0x93e27171, 0x73abd8d8, 0x53623131, 0x3f2a1515,
+0x0c080404, 0x5295c7c7, 0x65462323, 0x5e9dc3c3, 0x28301818, 0xa1379696,
+0x0f0a0505, 0xb52f9a9a, 0x090e0707, 0x36241212, 0x9b1b8080, 0x3ddfe2e2,
+0x26cdebeb, 0x694e2727, 0xcd7fb2b2, 0x9fea7575, 0x1b120909, 0x9e1d8383,
+0x74582c2c, 0x2e341a1a, 0x2d361b1b, 0xb2dc6e6e, 0xeeb45a5a, 0xfb5ba0a0,
+0xf6a45252, 0x4d763b3b, 0x61b7d6d6, 0xce7db3b3, 0x7b522929, 0x3edde3e3,
+0x715e2f2f, 0x97138484, 0xf5a65353, 0x68b9d1d1, 0x00000000, 0x2cc1eded,
+0x60402020, 0x1fe3fcfc, 0xc879b1b1, 0xedb65b5b, 0xbed46a6a, 0x468dcbcb,
+0xd967bebe, 0x4b723939, 0xde944a4a, 0xd4984c4c, 0xe8b05858, 0x4a85cfcf,
+0x6bbbd0d0, 0x2ac5efef, 0xe54faaaa, 0x16edfbfb, 0xc5864343, 0xd79a4d4d,
+0x55663333, 0x94118585, 0xcf8a4545, 0x10e9f9f9, 0x06040202, 0x81fe7f7f,
+0xf0a05050, 0x44783c3c, 0xba259f9f, 0xe34ba8a8, 0xf3a25151, 0xfe5da3a3,
+0xc0804040, 0x8a058f8f, 0xad3f9292, 0xbc219d9d, 0x48703838, 0x04f1f5f5,
+0xdf63bcbc, 0xc177b6b6, 0x75afdada, 0x63422121, 0x30201010, 0x1ae5ffff,
+0x0efdf3f3, 0x6dbfd2d2, 0x4c81cdcd, 0x14180c0c, 0x35261313, 0x2fc3ecec,
+0xe1be5f5f, 0xa2359797, 0xcc884444, 0x392e1717, 0x5793c4c4, 0xf255a7a7,
+0x82fc7e7e, 0x477a3d3d, 0xacc86464, 0xe7ba5d5d, 0x2b321919, 0x95e67373,
+0xa0c06060, 0x98198181, 0xd19e4f4f, 0x7fa3dcdc, 0x66442222, 0x7e542a2a,
+0xab3b9090, 0x830b8888, 0xca8c4646, 0x29c7eeee, 0xd36bb8b8, 0x3c281414,
+0x79a7dede, 0xe2bc5e5e, 0x1d160b0b, 0x76addbdb, 0x3bdbe0e0, 0x56643232,
+0x4e743a3a, 0x1e140a0a, 0xdb924949, 0x0a0c0606, 0x6c482424, 0xe4b85c5c,
+0x5d9fc2c2, 0x6ebdd3d3, 0xef43acac, 0xa6c46262, 0xa8399191, 0xa4319595,
+0x37d3e4e4, 0x8bf27979, 0x32d5e7e7, 0x438bc8c8, 0x596e3737, 0xb7da6d6d,
+0x8c018d8d, 0x64b1d5d5, 0xd29c4e4e, 0xe049a9a9, 0xb4d86c6c, 0xfaac5656,
+0x07f3f4f4, 0x25cfeaea, 0xafca6565, 0x8ef47a7a, 0xe947aeae, 0x18100808,
+0xd56fbaba, 0x88f07878, 0x6f4a2525, 0x725c2e2e, 0x24381c1c, 0xf157a6a6,
+0xc773b4b4, 0x5197c6c6, 0x23cbe8e8, 0x7ca1dddd, 0x9ce87474, 0x213e1f1f,
+0xdd964b4b, 0xdc61bdbd, 0x860d8b8b, 0x850f8a8a, 0x90e07070, 0x427c3e3e,
+0xc471b5b5, 0xaacc6666, 0xd8904848, 0x05060303, 0x01f7f6f6, 0x121c0e0e,
+0xa3c26161, 0x5f6a3535, 0xf9ae5757, 0xd069b9b9, 0x91178686, 0x5899c1c1,
+0x273a1d1d, 0xb9279e9e, 0x38d9e1e1, 0x13ebf8f8, 0xb32b9898, 0x33221111,
+0xbbd26969, 0x70a9d9d9, 0x89078e8e, 0xa7339494, 0xb62d9b9b, 0x223c1e1e,
+0x92158787, 0x20c9e9e9, 0x4987cece, 0xffaa5555, 0x78502828, 0x7aa5dfdf,
+0x8f038c8c, 0xf859a1a1, 0x80098989, 0x171a0d0d, 0xda65bfbf, 0x31d7e6e6,
+0xc6844242, 0xb8d06868, 0xc3824141, 0xb0299999, 0x775a2d2d, 0x111e0f0f,
+0xcb7bb0b0, 0xfca85454, 0xd66dbbbb, 0x3a2c1616  
+};
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _T2[256] = 
+{
+0x63c6a563, 0x7cf8847c, 0x77ee9977, 0x7bf68d7b, 0xf2ff0df2, 0x6bd6bd6b,
+0x6fdeb16f, 0xc59154c5, 0x30605030, 0x01020301, 0x67cea967, 0x2b567d2b,
+0xfee719fe, 0xd7b562d7, 0xab4de6ab, 0x76ec9a76, 0xca8f45ca, 0x821f9d82,
+0xc98940c9, 0x7dfa877d, 0xfaef15fa, 0x59b2eb59, 0x478ec947, 0xf0fb0bf0,
+0xad41ecad, 0xd4b367d4, 0xa25ffda2, 0xaf45eaaf, 0x9c23bf9c, 0xa453f7a4,
+0x72e49672, 0xc09b5bc0, 0xb775c2b7, 0xfde11cfd, 0x933dae93, 0x264c6a26,
+0x366c5a36, 0x3f7e413f, 0xf7f502f7, 0xcc834fcc, 0x34685c34, 0xa551f4a5,
+0xe5d134e5, 0xf1f908f1, 0x71e29371, 0xd8ab73d8, 0x31625331, 0x152a3f15,
+0x04080c04, 0xc79552c7, 0x23466523, 0xc39d5ec3, 0x18302818, 0x9637a196,
+0x050a0f05, 0x9a2fb59a, 0x070e0907, 0x12243612, 0x801b9b80, 0xe2df3de2,
+0xebcd26eb, 0x274e6927, 0xb27fcdb2, 0x75ea9f75, 0x09121b09, 0x831d9e83,
+0x2c58742c, 0x1a342e1a, 0x1b362d1b, 0x6edcb26e, 0x5ab4ee5a, 0xa05bfba0,
+0x52a4f652, 0x3b764d3b, 0xd6b761d6, 0xb37dceb3, 0x29527b29, 0xe3dd3ee3,
+0x2f5e712f, 0x84139784, 0x53a6f553, 0xd1b968d1, 0x00000000, 0xedc12ced,
+0x20406020, 0xfce31ffc, 0xb179c8b1, 0x5bb6ed5b, 0x6ad4be6a, 0xcb8d46cb,
+0xbe67d9be, 0x39724b39, 0x4a94de4a, 0x4c98d44c, 0x58b0e858, 0xcf854acf,
+0xd0bb6bd0, 0xefc52aef, 0xaa4fe5aa, 0xfbed16fb, 0x4386c543, 0x4d9ad74d,
+0x33665533, 0x85119485, 0x458acf45, 0xf9e910f9, 0x02040602, 0x7ffe817f,
+0x50a0f050, 0x3c78443c, 0x9f25ba9f, 0xa84be3a8, 0x51a2f351, 0xa35dfea3,
+0x4080c040, 0x8f058a8f, 0x923fad92, 0x9d21bc9d, 0x38704838, 0xf5f104f5,
+0xbc63dfbc, 0xb677c1b6, 0xdaaf75da, 0x21426321, 0x10203010, 0xffe51aff,
+0xf3fd0ef3, 0xd2bf6dd2, 0xcd814ccd, 0x0c18140c, 0x13263513, 0xecc32fec,
+0x5fbee15f, 0x9735a297, 0x4488cc44, 0x172e3917, 0xc49357c4, 0xa755f2a7,
+0x7efc827e, 0x3d7a473d, 0x64c8ac64, 0x5dbae75d, 0x19322b19, 0x73e69573,
+0x60c0a060, 0x81199881, 0x4f9ed14f, 0xdca37fdc, 0x22446622, 0x2a547e2a,
+0x903bab90, 0x880b8388, 0x468cca46, 0xeec729ee, 0xb86bd3b8, 0x14283c14,
+0xdea779de, 0x5ebce25e, 0x0b161d0b, 0xdbad76db, 0xe0db3be0, 0x32645632,
+0x3a744e3a, 0x0a141e0a, 0x4992db49, 0x060c0a06, 0x24486c24, 0x5cb8e45c,
+0xc29f5dc2, 0xd3bd6ed3, 0xac43efac, 0x62c4a662, 0x9139a891, 0x9531a495,
+0xe4d337e4, 0x79f28b79, 0xe7d532e7, 0xc88b43c8, 0x376e5937, 0x6ddab76d,
+0x8d018c8d, 0xd5b164d5, 0x4e9cd24e, 0xa949e0a9, 0x6cd8b46c, 0x56acfa56,
+0xf4f307f4, 0xeacf25ea, 0x65caaf65, 0x7af48e7a, 0xae47e9ae, 0x08101808,
+0xba6fd5ba, 0x78f08878, 0x254a6f25, 0x2e5c722e, 0x1c38241c, 0xa657f1a6,
+0xb473c7b4, 0xc69751c6, 0xe8cb23e8, 0xdda17cdd, 0x74e89c74, 0x1f3e211f,
+0x4b96dd4b, 0xbd61dcbd, 0x8b0d868b, 0x8a0f858a, 0x70e09070, 0x3e7c423e,
+0xb571c4b5, 0x66ccaa66, 0x4890d848, 0x03060503, 0xf6f701f6, 0x0e1c120e,
+0x61c2a361, 0x356a5f35, 0x57aef957, 0xb969d0b9, 0x86179186, 0xc19958c1,
+0x1d3a271d, 0x9e27b99e, 0xe1d938e1, 0xf8eb13f8, 0x982bb398, 0x11223311,
+0x69d2bb69, 0xd9a970d9, 0x8e07898e, 0x9433a794, 0x9b2db69b, 0x1e3c221e,
+0x87159287, 0xe9c920e9, 0xce8749ce, 0x55aaff55, 0x28507828, 0xdfa57adf,
+0x8c038f8c, 0xa159f8a1, 0x89098089, 0x0d1a170d, 0xbf65dabf, 0xe6d731e6,
+0x4284c642, 0x68d0b868, 0x4182c341, 0x9929b099, 0x2d5a772d, 0x0f1e110f,
+0xb07bcbb0, 0x54a8fc54, 0xbb6dd6bb, 0x162c3a16  
+};
+#else
+static const PRUint32 _T2[256] = 
+{
+0x63a5c663, 0x7c84f87c, 0x7799ee77, 0x7b8df67b, 0xf20dfff2, 0x6bbdd66b,
+0x6fb1de6f, 0xc55491c5, 0x30506030, 0x01030201, 0x67a9ce67, 0x2b7d562b,
+0xfe19e7fe, 0xd762b5d7, 0xabe64dab, 0x769aec76, 0xca458fca, 0x829d1f82,
+0xc94089c9, 0x7d87fa7d, 0xfa15effa, 0x59ebb259, 0x47c98e47, 0xf00bfbf0,
+0xadec41ad, 0xd467b3d4, 0xa2fd5fa2, 0xafea45af, 0x9cbf239c, 0xa4f753a4,
+0x7296e472, 0xc05b9bc0, 0xb7c275b7, 0xfd1ce1fd, 0x93ae3d93, 0x266a4c26,
+0x365a6c36, 0x3f417e3f, 0xf702f5f7, 0xcc4f83cc, 0x345c6834, 0xa5f451a5,
+0xe534d1e5, 0xf108f9f1, 0x7193e271, 0xd873abd8, 0x31536231, 0x153f2a15,
+0x040c0804, 0xc75295c7, 0x23654623, 0xc35e9dc3, 0x18283018, 0x96a13796,
+0x050f0a05, 0x9ab52f9a, 0x07090e07, 0x12362412, 0x809b1b80, 0xe23ddfe2,
+0xeb26cdeb, 0x27694e27, 0xb2cd7fb2, 0x759fea75, 0x091b1209, 0x839e1d83,
+0x2c74582c, 0x1a2e341a, 0x1b2d361b, 0x6eb2dc6e, 0x5aeeb45a, 0xa0fb5ba0,
+0x52f6a452, 0x3b4d763b, 0xd661b7d6, 0xb3ce7db3, 0x297b5229, 0xe33edde3,
+0x2f715e2f, 0x84971384, 0x53f5a653, 0xd168b9d1, 0x00000000, 0xed2cc1ed,
+0x20604020, 0xfc1fe3fc, 0xb1c879b1, 0x5bedb65b, 0x6abed46a, 0xcb468dcb,
+0xbed967be, 0x394b7239, 0x4ade944a, 0x4cd4984c, 0x58e8b058, 0xcf4a85cf,
+0xd06bbbd0, 0xef2ac5ef, 0xaae54faa, 0xfb16edfb, 0x43c58643, 0x4dd79a4d,
+0x33556633, 0x85941185, 0x45cf8a45, 0xf910e9f9, 0x02060402, 0x7f81fe7f,
+0x50f0a050, 0x3c44783c, 0x9fba259f, 0xa8e34ba8, 0x51f3a251, 0xa3fe5da3,
+0x40c08040, 0x8f8a058f, 0x92ad3f92, 0x9dbc219d, 0x38487038, 0xf504f1f5,
+0xbcdf63bc, 0xb6c177b6, 0xda75afda, 0x21634221, 0x10302010, 0xff1ae5ff,
+0xf30efdf3, 0xd26dbfd2, 0xcd4c81cd, 0x0c14180c, 0x13352613, 0xec2fc3ec,
+0x5fe1be5f, 0x97a23597, 0x44cc8844, 0x17392e17, 0xc45793c4, 0xa7f255a7,
+0x7e82fc7e, 0x3d477a3d, 0x64acc864, 0x5de7ba5d, 0x192b3219, 0x7395e673,
+0x60a0c060, 0x81981981, 0x4fd19e4f, 0xdc7fa3dc, 0x22664422, 0x2a7e542a,
+0x90ab3b90, 0x88830b88, 0x46ca8c46, 0xee29c7ee, 0xb8d36bb8, 0x143c2814,
+0xde79a7de, 0x5ee2bc5e, 0x0b1d160b, 0xdb76addb, 0xe03bdbe0, 0x32566432,
+0x3a4e743a, 0x0a1e140a, 0x49db9249, 0x060a0c06, 0x246c4824, 0x5ce4b85c,
+0xc25d9fc2, 0xd36ebdd3, 0xacef43ac, 0x62a6c462, 0x91a83991, 0x95a43195,
+0xe437d3e4, 0x798bf279, 0xe732d5e7, 0xc8438bc8, 0x37596e37, 0x6db7da6d,
+0x8d8c018d, 0xd564b1d5, 0x4ed29c4e, 0xa9e049a9, 0x6cb4d86c, 0x56faac56,
+0xf407f3f4, 0xea25cfea, 0x65afca65, 0x7a8ef47a, 0xaee947ae, 0x08181008,
+0xbad56fba, 0x7888f078, 0x256f4a25, 0x2e725c2e, 0x1c24381c, 0xa6f157a6,
+0xb4c773b4, 0xc65197c6, 0xe823cbe8, 0xdd7ca1dd, 0x749ce874, 0x1f213e1f,
+0x4bdd964b, 0xbddc61bd, 0x8b860d8b, 0x8a850f8a, 0x7090e070, 0x3e427c3e,
+0xb5c471b5, 0x66aacc66, 0x48d89048, 0x03050603, 0xf601f7f6, 0x0e121c0e,
+0x61a3c261, 0x355f6a35, 0x57f9ae57, 0xb9d069b9, 0x86911786, 0xc15899c1,
+0x1d273a1d, 0x9eb9279e, 0xe138d9e1, 0xf813ebf8, 0x98b32b98, 0x11332211,
+0x69bbd269, 0xd970a9d9, 0x8e89078e, 0x94a73394, 0x9bb62d9b, 0x1e223c1e,
+0x87921587, 0xe920c9e9, 0xce4987ce, 0x55ffaa55, 0x28785028, 0xdf7aa5df,
+0x8c8f038c, 0xa1f859a1, 0x89800989, 0x0d171a0d, 0xbfda65bf, 0xe631d7e6,
+0x42c68442, 0x68b8d068, 0x41c38241, 0x99b02999, 0x2d775a2d, 0x0f111e0f,
+0xb0cb7bb0, 0x54fca854, 0xbbd66dbb, 0x163a2c16  
+};
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _T3[256] = 
+{
+0xc6a56363, 0xf8847c7c, 0xee997777, 0xf68d7b7b, 0xff0df2f2, 0xd6bd6b6b,
+0xdeb16f6f, 0x9154c5c5, 0x60503030, 0x02030101, 0xcea96767, 0x567d2b2b,
+0xe719fefe, 0xb562d7d7, 0x4de6abab, 0xec9a7676, 0x8f45caca, 0x1f9d8282,
+0x8940c9c9, 0xfa877d7d, 0xef15fafa, 0xb2eb5959, 0x8ec94747, 0xfb0bf0f0,
+0x41ecadad, 0xb367d4d4, 0x5ffda2a2, 0x45eaafaf, 0x23bf9c9c, 0x53f7a4a4,
+0xe4967272, 0x9b5bc0c0, 0x75c2b7b7, 0xe11cfdfd, 0x3dae9393, 0x4c6a2626,
+0x6c5a3636, 0x7e413f3f, 0xf502f7f7, 0x834fcccc, 0x685c3434, 0x51f4a5a5,
+0xd134e5e5, 0xf908f1f1, 0xe2937171, 0xab73d8d8, 0x62533131, 0x2a3f1515,
+0x080c0404, 0x9552c7c7, 0x46652323, 0x9d5ec3c3, 0x30281818, 0x37a19696,
+0x0a0f0505, 0x2fb59a9a, 0x0e090707, 0x24361212, 0x1b9b8080, 0xdf3de2e2,
+0xcd26ebeb, 0x4e692727, 0x7fcdb2b2, 0xea9f7575, 0x121b0909, 0x1d9e8383,
+0x58742c2c, 0x342e1a1a, 0x362d1b1b, 0xdcb26e6e, 0xb4ee5a5a, 0x5bfba0a0,
+0xa4f65252, 0x764d3b3b, 0xb761d6d6, 0x7dceb3b3, 0x527b2929, 0xdd3ee3e3,
+0x5e712f2f, 0x13978484, 0xa6f55353, 0xb968d1d1, 0x00000000, 0xc12ceded,
+0x40602020, 0xe31ffcfc, 0x79c8b1b1, 0xb6ed5b5b, 0xd4be6a6a, 0x8d46cbcb,
+0x67d9bebe, 0x724b3939, 0x94de4a4a, 0x98d44c4c, 0xb0e85858, 0x854acfcf,
+0xbb6bd0d0, 0xc52aefef, 0x4fe5aaaa, 0xed16fbfb, 0x86c54343, 0x9ad74d4d,
+0x66553333, 0x11948585, 0x8acf4545, 0xe910f9f9, 0x04060202, 0xfe817f7f,
+0xa0f05050, 0x78443c3c, 0x25ba9f9f, 0x4be3a8a8, 0xa2f35151, 0x5dfea3a3,
+0x80c04040, 0x058a8f8f, 0x3fad9292, 0x21bc9d9d, 0x70483838, 0xf104f5f5,
+0x63dfbcbc, 0x77c1b6b6, 0xaf75dada, 0x42632121, 0x20301010, 0xe51affff,
+0xfd0ef3f3, 0xbf6dd2d2, 0x814ccdcd, 0x18140c0c, 0x26351313, 0xc32fecec,
+0xbee15f5f, 0x35a29797, 0x88cc4444, 0x2e391717, 0x9357c4c4, 0x55f2a7a7,
+0xfc827e7e, 0x7a473d3d, 0xc8ac6464, 0xbae75d5d, 0x322b1919, 0xe6957373,
+0xc0a06060, 0x19988181, 0x9ed14f4f, 0xa37fdcdc, 0x44662222, 0x547e2a2a,
+0x3bab9090, 0x0b838888, 0x8cca4646, 0xc729eeee, 0x6bd3b8b8, 0x283c1414,
+0xa779dede, 0xbce25e5e, 0x161d0b0b, 0xad76dbdb, 0xdb3be0e0, 0x64563232,
+0x744e3a3a, 0x141e0a0a, 0x92db4949, 0x0c0a0606, 0x486c2424, 0xb8e45c5c,
+0x9f5dc2c2, 0xbd6ed3d3, 0x43efacac, 0xc4a66262, 0x39a89191, 0x31a49595,
+0xd337e4e4, 0xf28b7979, 0xd532e7e7, 0x8b43c8c8, 0x6e593737, 0xdab76d6d,
+0x018c8d8d, 0xb164d5d5, 0x9cd24e4e, 0x49e0a9a9, 0xd8b46c6c, 0xacfa5656,
+0xf307f4f4, 0xcf25eaea, 0xcaaf6565, 0xf48e7a7a, 0x47e9aeae, 0x10180808,
+0x6fd5baba, 0xf0887878, 0x4a6f2525, 0x5c722e2e, 0x38241c1c, 0x57f1a6a6,
+0x73c7b4b4, 0x9751c6c6, 0xcb23e8e8, 0xa17cdddd, 0xe89c7474, 0x3e211f1f,
+0x96dd4b4b, 0x61dcbdbd, 0x0d868b8b, 0x0f858a8a, 0xe0907070, 0x7c423e3e,
+0x71c4b5b5, 0xccaa6666, 0x90d84848, 0x06050303, 0xf701f6f6, 0x1c120e0e,
+0xc2a36161, 0x6a5f3535, 0xaef95757, 0x69d0b9b9, 0x17918686, 0x9958c1c1,
+0x3a271d1d, 0x27b99e9e, 0xd938e1e1, 0xeb13f8f8, 0x2bb39898, 0x22331111,
+0xd2bb6969, 0xa970d9d9, 0x07898e8e, 0x33a79494, 0x2db69b9b, 0x3c221e1e,
+0x15928787, 0xc920e9e9, 0x8749cece, 0xaaff5555, 0x50782828, 0xa57adfdf,
+0x038f8c8c, 0x59f8a1a1, 0x09808989, 0x1a170d0d, 0x65dabfbf, 0xd731e6e6,
+0x84c64242, 0xd0b86868, 0x82c34141, 0x29b09999, 0x5a772d2d, 0x1e110f0f,
+0x7bcbb0b0, 0xa8fc5454, 0x6dd6bbbb, 0x2c3a1616  
+};
+#else
+static const PRUint32 _T3[256] = 
+{
+0x6363a5c6, 0x7c7c84f8, 0x777799ee, 0x7b7b8df6, 0xf2f20dff, 0x6b6bbdd6,
+0x6f6fb1de, 0xc5c55491, 0x30305060, 0x01010302, 0x6767a9ce, 0x2b2b7d56,
+0xfefe19e7, 0xd7d762b5, 0xababe64d, 0x76769aec, 0xcaca458f, 0x82829d1f,
+0xc9c94089, 0x7d7d87fa, 0xfafa15ef, 0x5959ebb2, 0x4747c98e, 0xf0f00bfb,
+0xadadec41, 0xd4d467b3, 0xa2a2fd5f, 0xafafea45, 0x9c9cbf23, 0xa4a4f753,
+0x727296e4, 0xc0c05b9b, 0xb7b7c275, 0xfdfd1ce1, 0x9393ae3d, 0x26266a4c,
+0x36365a6c, 0x3f3f417e, 0xf7f702f5, 0xcccc4f83, 0x34345c68, 0xa5a5f451,
+0xe5e534d1, 0xf1f108f9, 0x717193e2, 0xd8d873ab, 0x31315362, 0x15153f2a,
+0x04040c08, 0xc7c75295, 0x23236546, 0xc3c35e9d, 0x18182830, 0x9696a137,
+0x05050f0a, 0x9a9ab52f, 0x0707090e, 0x12123624, 0x80809b1b, 0xe2e23ddf,
+0xebeb26cd, 0x2727694e, 0xb2b2cd7f, 0x75759fea, 0x09091b12, 0x83839e1d,
+0x2c2c7458, 0x1a1a2e34, 0x1b1b2d36, 0x6e6eb2dc, 0x5a5aeeb4, 0xa0a0fb5b,
+0x5252f6a4, 0x3b3b4d76, 0xd6d661b7, 0xb3b3ce7d, 0x29297b52, 0xe3e33edd,
+0x2f2f715e, 0x84849713, 0x5353f5a6, 0xd1d168b9, 0x00000000, 0xeded2cc1,
+0x20206040, 0xfcfc1fe3, 0xb1b1c879, 0x5b5bedb6, 0x6a6abed4, 0xcbcb468d,
+0xbebed967, 0x39394b72, 0x4a4ade94, 0x4c4cd498, 0x5858e8b0, 0xcfcf4a85,
+0xd0d06bbb, 0xefef2ac5, 0xaaaae54f, 0xfbfb16ed, 0x4343c586, 0x4d4dd79a,
+0x33335566, 0x85859411, 0x4545cf8a, 0xf9f910e9, 0x02020604, 0x7f7f81fe,
+0x5050f0a0, 0x3c3c4478, 0x9f9fba25, 0xa8a8e34b, 0x5151f3a2, 0xa3a3fe5d,
+0x4040c080, 0x8f8f8a05, 0x9292ad3f, 0x9d9dbc21, 0x38384870, 0xf5f504f1,
+0xbcbcdf63, 0xb6b6c177, 0xdada75af, 0x21216342, 0x10103020, 0xffff1ae5,
+0xf3f30efd, 0xd2d26dbf, 0xcdcd4c81, 0x0c0c1418, 0x13133526, 0xecec2fc3,
+0x5f5fe1be, 0x9797a235, 0x4444cc88, 0x1717392e, 0xc4c45793, 0xa7a7f255,
+0x7e7e82fc, 0x3d3d477a, 0x6464acc8, 0x5d5de7ba, 0x19192b32, 0x737395e6,
+0x6060a0c0, 0x81819819, 0x4f4fd19e, 0xdcdc7fa3, 0x22226644, 0x2a2a7e54,
+0x9090ab3b, 0x8888830b, 0x4646ca8c, 0xeeee29c7, 0xb8b8d36b, 0x14143c28,
+0xdede79a7, 0x5e5ee2bc, 0x0b0b1d16, 0xdbdb76ad, 0xe0e03bdb, 0x32325664,
+0x3a3a4e74, 0x0a0a1e14, 0x4949db92, 0x06060a0c, 0x24246c48, 0x5c5ce4b8,
+0xc2c25d9f, 0xd3d36ebd, 0xacacef43, 0x6262a6c4, 0x9191a839, 0x9595a431,
+0xe4e437d3, 0x79798bf2, 0xe7e732d5, 0xc8c8438b, 0x3737596e, 0x6d6db7da,
+0x8d8d8c01, 0xd5d564b1, 0x4e4ed29c, 0xa9a9e049, 0x6c6cb4d8, 0x5656faac,
+0xf4f407f3, 0xeaea25cf, 0x6565afca, 0x7a7a8ef4, 0xaeaee947, 0x08081810,
+0xbabad56f, 0x787888f0, 0x25256f4a, 0x2e2e725c, 0x1c1c2438, 0xa6a6f157,
+0xb4b4c773, 0xc6c65197, 0xe8e823cb, 0xdddd7ca1, 0x74749ce8, 0x1f1f213e,
+0x4b4bdd96, 0xbdbddc61, 0x8b8b860d, 0x8a8a850f, 0x707090e0, 0x3e3e427c,
+0xb5b5c471, 0x6666aacc, 0x4848d890, 0x03030506, 0xf6f601f7, 0x0e0e121c,
+0x6161a3c2, 0x35355f6a, 0x5757f9ae, 0xb9b9d069, 0x86869117, 0xc1c15899,
+0x1d1d273a, 0x9e9eb927, 0xe1e138d9, 0xf8f813eb, 0x9898b32b, 0x11113322,
+0x6969bbd2, 0xd9d970a9, 0x8e8e8907, 0x9494a733, 0x9b9bb62d, 0x1e1e223c,
+0x87879215, 0xe9e920c9, 0xcece4987, 0x5555ffaa, 0x28287850, 0xdfdf7aa5,
+0x8c8c8f03, 0xa1a1f859, 0x89898009, 0x0d0d171a, 0xbfbfda65, 0xe6e631d7,
+0x4242c684, 0x6868b8d0, 0x4141c382, 0x9999b029, 0x2d2d775a, 0x0f0f111e,
+0xb0b0cb7b, 0x5454fca8, 0xbbbbd66d, 0x16163a2c  
+};
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _TInv0[256] = 
+{
+0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a, 0xcb6bab3b, 0xf1459d1f,
+0xab58faac, 0x9303e34b, 0x55fa3020, 0xf66d76ad, 0x9176cc88, 0x254c02f5,
+0xfcd7e54f, 0xd7cb2ac5, 0x80443526, 0x8fa362b5, 0x495ab1de, 0x671bba25,
+0x980eea45, 0xe1c0fe5d, 0x02752fc3, 0x12f04c81, 0xa397468d, 0xc6f9d36b,
+0xe75f8f03, 0x959c9215, 0xeb7a6dbf, 0xda595295, 0x2d83bed4, 0xd3217458,
+0x2969e049, 0x44c8c98e, 0x6a89c275, 0x78798ef4, 0x6b3e5899, 0xdd71b927,
+0xb64fe1be, 0x17ad88f0, 0x66ac20c9, 0xb43ace7d, 0x184adf63, 0x82311ae5,
+0x60335197, 0x457f5362, 0xe07764b1, 0x84ae6bbb, 0x1ca081fe, 0x942b08f9,
+0x58684870, 0x19fd458f, 0x876cde94, 0xb7f87b52, 0x23d373ab, 0xe2024b72,
+0x578f1fe3, 0x2aab5566, 0x0728ebb2, 0x03c2b52f, 0x9a7bc586, 0xa50837d3,
+0xf2872830, 0xb2a5bf23, 0xba6a0302, 0x5c8216ed, 0x2b1ccf8a, 0x92b479a7,
+0xf0f207f3, 0xa1e2694e, 0xcdf4da65, 0xd5be0506, 0x1f6234d1, 0x8afea6c4,
+0x9d532e34, 0xa055f3a2, 0x32e18a05, 0x75ebf6a4, 0x39ec830b, 0xaaef6040,
+0x069f715e, 0x51106ebd, 0xf98a213e, 0x3d06dd96, 0xae053edd, 0x46bde64d,
+0xb58d5491, 0x055dc471, 0x6fd40604, 0xff155060, 0x24fb9819, 0x97e9bdd6,
+0xcc434089, 0x779ed967, 0xbd42e8b0, 0x888b8907, 0x385b19e7, 0xdbeec879,
+0x470a7ca1, 0xe90f427c, 0xc91e84f8, 0x00000000, 0x83868009, 0x48ed2b32,
+0xac70111e, 0x4e725a6c, 0xfbff0efd, 0x5638850f, 0x1ed5ae3d, 0x27392d36,
+0x64d90f0a, 0x21a65c68, 0xd1545b9b, 0x3a2e3624, 0xb1670a0c, 0x0fe75793,
+0xd296eeb4, 0x9e919b1b, 0x4fc5c080, 0xa220dc61, 0x694b775a, 0x161a121c,
+0x0aba93e2, 0xe52aa0c0, 0x43e0223c, 0x1d171b12, 0x0b0d090e, 0xadc78bf2,
+0xb9a8b62d, 0xc8a91e14, 0x8519f157, 0x4c0775af, 0xbbdd99ee, 0xfd607fa3,
+0x9f2601f7, 0xbcf5725c, 0xc53b6644, 0x347efb5b, 0x7629438b, 0xdcc623cb,
+0x68fcedb6, 0x63f1e4b8, 0xcadc31d7, 0x10856342, 0x40229713, 0x2011c684,
+0x7d244a85, 0xf83dbbd2, 0x1132f9ae, 0x6da129c7, 0x4b2f9e1d, 0xf330b2dc,
+0xec52860d, 0xd0e3c177, 0x6c16b32b, 0x99b970a9, 0xfa489411, 0x2264e947,
+0xc48cfca8, 0x1a3ff0a0, 0xd82c7d56, 0xef903322, 0xc74e4987, 0xc1d138d9,
+0xfea2ca8c, 0x360bd498, 0xcf81f5a6, 0x28de7aa5, 0x268eb7da, 0xa4bfad3f,
+0xe49d3a2c, 0x0d927850, 0x9bcc5f6a, 0x62467e54, 0xc2138df6, 0xe8b8d890,
+0x5ef7392e, 0xf5afc382, 0xbe805d9f, 0x7c93d069, 0xa92dd56f, 0xb31225cf,
+0x3b99acc8, 0xa77d1810, 0x6e639ce8, 0x7bbb3bdb, 0x097826cd, 0xf418596e,
+0x01b79aec, 0xa89a4f83, 0x656e95e6, 0x7ee6ffaa, 0x08cfbc21, 0xe6e815ef,
+0xd99be7ba, 0xce366f4a, 0xd4099fea, 0xd67cb029, 0xafb2a431, 0x31233f2a,
+0x3094a5c6, 0xc066a235, 0x37bc4e74, 0xa6ca82fc, 0xb0d090e0, 0x15d8a733,
+0x4a9804f1, 0xf7daec41, 0x0e50cd7f, 0x2ff69117, 0x8dd64d76, 0x4db0ef43,
+0x544daacc, 0xdf0496e4, 0xe3b5d19e, 0x1b886a4c, 0xb81f2cc1, 0x7f516546,
+0x04ea5e9d, 0x5d358c01, 0x737487fa, 0x2e410bfb, 0x5a1d67b3, 0x52d2db92,
+0x335610e9, 0x1347d66d, 0x8c61d79a, 0x7a0ca137, 0x8e14f859, 0x893c13eb,
+0xee27a9ce, 0x35c961b7, 0xede51ce1, 0x3cb1477a, 0x59dfd29c, 0x3f73f255,
+0x79ce1418, 0xbf37c773, 0xeacdf753, 0x5baafd5f, 0x146f3ddf, 0x86db4478,
+0x81f3afca, 0x3ec468b9, 0x2c342438, 0x5f40a3c2, 0x72c31d16, 0x0c25e2bc,
+0x8b493c28, 0x41950dff, 0x7101a839, 0xdeb30c08, 0x9ce4b4d8, 0x90c15664,
+0x6184cb7b, 0x70b632d5, 0x745c6c48, 0x4257b8d0  
+};
+#else
+static const PRUint32 _TInv0[256] = 
+{
+0x51f4a750, 0x7e416553, 0x1a17a4c3, 0x3a275e96, 0x3bab6bcb, 0x1f9d45f1,
+0xacfa58ab, 0x4be30393, 0x2030fa55, 0xad766df6, 0x88cc7691, 0xf5024c25,
+0x4fe5d7fc, 0xc52acbd7, 0x26354480, 0xb562a38f, 0xdeb15a49, 0x25ba1b67,
+0x45ea0e98, 0x5dfec0e1, 0xc32f7502, 0x814cf012, 0x8d4697a3, 0x6bd3f9c6,
+0x038f5fe7, 0x15929c95, 0xbf6d7aeb, 0x955259da, 0xd4be832d, 0x587421d3,
+0x49e06929, 0x8ec9c844, 0x75c2896a, 0xf48e7978, 0x99583e6b, 0x27b971dd,
+0xbee14fb6, 0xf088ad17, 0xc920ac66, 0x7dce3ab4, 0x63df4a18, 0xe51a3182,
+0x97513360, 0x62537f45, 0xb16477e0, 0xbb6bae84, 0xfe81a01c, 0xf9082b94,
+0x70486858, 0x8f45fd19, 0x94de6c87, 0x527bf8b7, 0xab73d323, 0x724b02e2,
+0xe31f8f57, 0x6655ab2a, 0xb2eb2807, 0x2fb5c203, 0x86c57b9a, 0xd33708a5,
+0x302887f2, 0x23bfa5b2, 0x02036aba, 0xed16825c, 0x8acf1c2b, 0xa779b492,
+0xf307f2f0, 0x4e69e2a1, 0x65daf4cd, 0x0605bed5, 0xd134621f, 0xc4a6fe8a,
+0x342e539d, 0xa2f355a0, 0x058ae132, 0xa4f6eb75, 0x0b83ec39, 0x4060efaa,
+0x5e719f06, 0xbd6e1051, 0x3e218af9, 0x96dd063d, 0xdd3e05ae, 0x4de6bd46,
+0x91548db5, 0x71c45d05, 0x0406d46f, 0x605015ff, 0x1998fb24, 0xd6bde997,
+0x894043cc, 0x67d99e77, 0xb0e842bd, 0x07898b88, 0xe7195b38, 0x79c8eedb,
+0xa17c0a47, 0x7c420fe9, 0xf8841ec9, 0x00000000, 0x09808683, 0x322bed48,
+0x1e1170ac, 0x6c5a724e, 0xfd0efffb, 0x0f853856, 0x3daed51e, 0x362d3927,
+0x0a0fd964, 0x685ca621, 0x9b5b54d1, 0x24362e3a, 0x0c0a67b1, 0x9357e70f,
+0xb4ee96d2, 0x1b9b919e, 0x80c0c54f, 0x61dc20a2, 0x5a774b69, 0x1c121a16,
+0xe293ba0a, 0xc0a02ae5, 0x3c22e043, 0x121b171d, 0x0e090d0b, 0xf28bc7ad,
+0x2db6a8b9, 0x141ea9c8, 0x57f11985, 0xaf75074c, 0xee99ddbb, 0xa37f60fd,
+0xf701269f, 0x5c72f5bc, 0x44663bc5, 0x5bfb7e34, 0x8b432976, 0xcb23c6dc,
+0xb6edfc68, 0xb8e4f163, 0xd731dcca, 0x42638510, 0x13972240, 0x84c61120,
+0x854a247d, 0xd2bb3df8, 0xaef93211, 0xc729a16d, 0x1d9e2f4b, 0xdcb230f3,
+0x0d8652ec, 0x77c1e3d0, 0x2bb3166c, 0xa970b999, 0x119448fa, 0x47e96422,
+0xa8fc8cc4, 0xa0f03f1a, 0x567d2cd8, 0x223390ef, 0x87494ec7, 0xd938d1c1,
+0x8ccaa2fe, 0x98d40b36, 0xa6f581cf, 0xa57ade28, 0xdab78e26, 0x3fadbfa4,
+0x2c3a9de4, 0x5078920d, 0x6a5fcc9b, 0x547e4662, 0xf68d13c2, 0x90d8b8e8,
+0x2e39f75e, 0x82c3aff5, 0x9f5d80be, 0x69d0937c, 0x6fd52da9, 0xcf2512b3,
+0xc8ac993b, 0x10187da7, 0xe89c636e, 0xdb3bbb7b, 0xcd267809, 0x6e5918f4,
+0xec9ab701, 0x834f9aa8, 0xe6956e65, 0xaaffe67e, 0x21bccf08, 0xef15e8e6,
+0xbae79bd9, 0x4a6f36ce, 0xea9f09d4, 0x29b07cd6, 0x31a4b2af, 0x2a3f2331,
+0xc6a59430, 0x35a266c0, 0x744ebc37, 0xfc82caa6, 0xe090d0b0, 0x33a7d815,
+0xf104984a, 0x41ecdaf7, 0x7fcd500e, 0x1791f62f, 0x764dd68d, 0x43efb04d,
+0xccaa4d54, 0xe49604df, 0x9ed1b5e3, 0x4c6a881b, 0xc12c1fb8, 0x4665517f,
+0x9d5eea04, 0x018c355d, 0xfa877473, 0xfb0b412e, 0xb3671d5a, 0x92dbd252,
+0xe9105633, 0x6dd64713, 0x9ad7618c, 0x37a10c7a, 0x59f8148e, 0xeb133c89,
+0xcea927ee, 0xb761c935, 0xe11ce5ed, 0x7a47b13c, 0x9cd2df59, 0x55f2733f,
+0x1814ce79, 0x73c737bf, 0x53f7cdea, 0x5ffdaa5b, 0xdf3d6f14, 0x7844db86,
+0xcaaff381, 0xb968c43e, 0x3824342c, 0xc2a3405f, 0x161dc372, 0xbce2250c,
+0x283c498b, 0xff0d9541, 0x39a80171, 0x080cb3de, 0xd8b4e49c, 0x6456c190,
+0x7bcb8461, 0xd532b670, 0x486c5c74, 0xd0b85742  
+};
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _TInv1[256] = 
+{
+0xa7f45150, 0x65417e53, 0xa4171ac3, 0x5e273a96, 0x6bab3bcb, 0x459d1ff1,
+0x58faacab, 0x03e34b93, 0xfa302055, 0x6d76adf6, 0x76cc8891, 0x4c02f525,
+0xd7e54ffc, 0xcb2ac5d7, 0x44352680, 0xa362b58f, 0x5ab1de49, 0x1bba2567,
+0x0eea4598, 0xc0fe5de1, 0x752fc302, 0xf04c8112, 0x97468da3, 0xf9d36bc6,
+0x5f8f03e7, 0x9c921595, 0x7a6dbfeb, 0x595295da, 0x83bed42d, 0x217458d3,
+0x69e04929, 0xc8c98e44, 0x89c2756a, 0x798ef478, 0x3e58996b, 0x71b927dd,
+0x4fe1beb6, 0xad88f017, 0xac20c966, 0x3ace7db4, 0x4adf6318, 0x311ae582,
+0x33519760, 0x7f536245, 0x7764b1e0, 0xae6bbb84, 0xa081fe1c, 0x2b08f994,
+0x68487058, 0xfd458f19, 0x6cde9487, 0xf87b52b7, 0xd373ab23, 0x024b72e2,
+0x8f1fe357, 0xab55662a, 0x28ebb207, 0xc2b52f03, 0x7bc5869a, 0x0837d3a5,
+0x872830f2, 0xa5bf23b2, 0x6a0302ba, 0x8216ed5c, 0x1ccf8a2b, 0xb479a792,
+0xf207f3f0, 0xe2694ea1, 0xf4da65cd, 0xbe0506d5, 0x6234d11f, 0xfea6c48a,
+0x532e349d, 0x55f3a2a0, 0xe18a0532, 0xebf6a475, 0xec830b39, 0xef6040aa,
+0x9f715e06, 0x106ebd51, 0x8a213ef9, 0x06dd963d, 0x053eddae, 0xbde64d46,
+0x8d5491b5, 0x5dc47105, 0xd406046f, 0x155060ff, 0xfb981924, 0xe9bdd697,
+0x434089cc, 0x9ed96777, 0x42e8b0bd, 0x8b890788, 0x5b19e738, 0xeec879db,
+0x0a7ca147, 0x0f427ce9, 0x1e84f8c9, 0x00000000, 0x86800983, 0xed2b3248,
+0x70111eac, 0x725a6c4e, 0xff0efdfb, 0x38850f56, 0xd5ae3d1e, 0x392d3627,
+0xd90f0a64, 0xa65c6821, 0x545b9bd1, 0x2e36243a, 0x670a0cb1, 0xe757930f,
+0x96eeb4d2, 0x919b1b9e, 0xc5c0804f, 0x20dc61a2, 0x4b775a69, 0x1a121c16,
+0xba93e20a, 0x2aa0c0e5, 0xe0223c43, 0x171b121d, 0x0d090e0b, 0xc78bf2ad,
+0xa8b62db9, 0xa91e14c8, 0x19f15785, 0x0775af4c, 0xdd99eebb, 0x607fa3fd,
+0x2601f79f, 0xf5725cbc, 0x3b6644c5, 0x7efb5b34, 0x29438b76, 0xc623cbdc,
+0xfcedb668, 0xf1e4b863, 0xdc31d7ca, 0x85634210, 0x22971340, 0x11c68420,
+0x244a857d, 0x3dbbd2f8, 0x32f9ae11, 0xa129c76d, 0x2f9e1d4b, 0x30b2dcf3,
+0x52860dec, 0xe3c177d0, 0x16b32b6c, 0xb970a999, 0x489411fa, 0x64e94722,
+0x8cfca8c4, 0x3ff0a01a, 0x2c7d56d8, 0x903322ef, 0x4e4987c7, 0xd138d9c1,
+0xa2ca8cfe, 0x0bd49836, 0x81f5a6cf, 0xde7aa528, 0x8eb7da26, 0xbfad3fa4,
+0x9d3a2ce4, 0x9278500d, 0xcc5f6a9b, 0x467e5462, 0x138df6c2, 0xb8d890e8,
+0xf7392e5e, 0xafc382f5, 0x805d9fbe, 0x93d0697c, 0x2dd56fa9, 0x1225cfb3,
+0x99acc83b, 0x7d1810a7, 0x639ce86e, 0xbb3bdb7b, 0x7826cd09, 0x18596ef4,
+0xb79aec01, 0x9a4f83a8, 0x6e95e665, 0xe6ffaa7e, 0xcfbc2108, 0xe815efe6,
+0x9be7bad9, 0x366f4ace, 0x099fead4, 0x7cb029d6, 0xb2a431af, 0x233f2a31,
+0x94a5c630, 0x66a235c0, 0xbc4e7437, 0xca82fca6, 0xd090e0b0, 0xd8a73315,
+0x9804f14a, 0xdaec41f7, 0x50cd7f0e, 0xf691172f, 0xd64d768d, 0xb0ef434d,
+0x4daacc54, 0x0496e4df, 0xb5d19ee3, 0x886a4c1b, 0x1f2cc1b8, 0x5165467f,
+0xea5e9d04, 0x358c015d, 0x7487fa73, 0x410bfb2e, 0x1d67b35a, 0xd2db9252,
+0x5610e933, 0x47d66d13, 0x61d79a8c, 0x0ca1377a, 0x14f8598e, 0x3c13eb89,
+0x27a9ceee, 0xc961b735, 0xe51ce1ed, 0xb1477a3c, 0xdfd29c59, 0x73f2553f,
+0xce141879, 0x37c773bf, 0xcdf753ea, 0xaafd5f5b, 0x6f3ddf14, 0xdb447886,
+0xf3afca81, 0xc468b93e, 0x3424382c, 0x40a3c25f, 0xc31d1672, 0x25e2bc0c,
+0x493c288b, 0x950dff41, 0x01a83971, 0xb30c08de, 0xe4b4d89c, 0xc1566490,
+0x84cb7b61, 0xb632d570, 0x5c6c4874, 0x57b8d042  
+};
+#else
+static const PRUint32 _TInv1[256] = 
+{
+0x5051f4a7, 0x537e4165, 0xc31a17a4, 0x963a275e, 0xcb3bab6b, 0xf11f9d45,
+0xabacfa58, 0x934be303, 0x552030fa, 0xf6ad766d, 0x9188cc76, 0x25f5024c,
+0xfc4fe5d7, 0xd7c52acb, 0x80263544, 0x8fb562a3, 0x49deb15a, 0x6725ba1b,
+0x9845ea0e, 0xe15dfec0, 0x02c32f75, 0x12814cf0, 0xa38d4697, 0xc66bd3f9,
+0xe7038f5f, 0x9515929c, 0xebbf6d7a, 0xda955259, 0x2dd4be83, 0xd3587421,
+0x2949e069, 0x448ec9c8, 0x6a75c289, 0x78f48e79, 0x6b99583e, 0xdd27b971,
+0xb6bee14f, 0x17f088ad, 0x66c920ac, 0xb47dce3a, 0x1863df4a, 0x82e51a31,
+0x60975133, 0x4562537f, 0xe0b16477, 0x84bb6bae, 0x1cfe81a0, 0x94f9082b,
+0x58704868, 0x198f45fd, 0x8794de6c, 0xb7527bf8, 0x23ab73d3, 0xe2724b02,
+0x57e31f8f, 0x2a6655ab, 0x07b2eb28, 0x032fb5c2, 0x9a86c57b, 0xa5d33708,
+0xf2302887, 0xb223bfa5, 0xba02036a, 0x5ced1682, 0x2b8acf1c, 0x92a779b4,
+0xf0f307f2, 0xa14e69e2, 0xcd65daf4, 0xd50605be, 0x1fd13462, 0x8ac4a6fe,
+0x9d342e53, 0xa0a2f355, 0x32058ae1, 0x75a4f6eb, 0x390b83ec, 0xaa4060ef,
+0x065e719f, 0x51bd6e10, 0xf93e218a, 0x3d96dd06, 0xaedd3e05, 0x464de6bd,
+0xb591548d, 0x0571c45d, 0x6f0406d4, 0xff605015, 0x241998fb, 0x97d6bde9,
+0xcc894043, 0x7767d99e, 0xbdb0e842, 0x8807898b, 0x38e7195b, 0xdb79c8ee,
+0x47a17c0a, 0xe97c420f, 0xc9f8841e, 0x00000000, 0x83098086, 0x48322bed,
+0xac1e1170, 0x4e6c5a72, 0xfbfd0eff, 0x560f8538, 0x1e3daed5, 0x27362d39,
+0x640a0fd9, 0x21685ca6, 0xd19b5b54, 0x3a24362e, 0xb10c0a67, 0x0f9357e7,
+0xd2b4ee96, 0x9e1b9b91, 0x4f80c0c5, 0xa261dc20, 0x695a774b, 0x161c121a,
+0x0ae293ba, 0xe5c0a02a, 0x433c22e0, 0x1d121b17, 0x0b0e090d, 0xadf28bc7,
+0xb92db6a8, 0xc8141ea9, 0x8557f119, 0x4caf7507, 0xbbee99dd, 0xfda37f60,
+0x9ff70126, 0xbc5c72f5, 0xc544663b, 0x345bfb7e, 0x768b4329, 0xdccb23c6,
+0x68b6edfc, 0x63b8e4f1, 0xcad731dc, 0x10426385, 0x40139722, 0x2084c611,
+0x7d854a24, 0xf8d2bb3d, 0x11aef932, 0x6dc729a1, 0x4b1d9e2f, 0xf3dcb230,
+0xec0d8652, 0xd077c1e3, 0x6c2bb316, 0x99a970b9, 0xfa119448, 0x2247e964,
+0xc4a8fc8c, 0x1aa0f03f, 0xd8567d2c, 0xef223390, 0xc787494e, 0xc1d938d1,
+0xfe8ccaa2, 0x3698d40b, 0xcfa6f581, 0x28a57ade, 0x26dab78e, 0xa43fadbf,
+0xe42c3a9d, 0x0d507892, 0x9b6a5fcc, 0x62547e46, 0xc2f68d13, 0xe890d8b8,
+0x5e2e39f7, 0xf582c3af, 0xbe9f5d80, 0x7c69d093, 0xa96fd52d, 0xb3cf2512,
+0x3bc8ac99, 0xa710187d, 0x6ee89c63, 0x7bdb3bbb, 0x09cd2678, 0xf46e5918,
+0x01ec9ab7, 0xa8834f9a, 0x65e6956e, 0x7eaaffe6, 0x0821bccf, 0xe6ef15e8,
+0xd9bae79b, 0xce4a6f36, 0xd4ea9f09, 0xd629b07c, 0xaf31a4b2, 0x312a3f23,
+0x30c6a594, 0xc035a266, 0x37744ebc, 0xa6fc82ca, 0xb0e090d0, 0x1533a7d8,
+0x4af10498, 0xf741ecda, 0x0e7fcd50, 0x2f1791f6, 0x8d764dd6, 0x4d43efb0,
+0x54ccaa4d, 0xdfe49604, 0xe39ed1b5, 0x1b4c6a88, 0xb8c12c1f, 0x7f466551,
+0x049d5eea, 0x5d018c35, 0x73fa8774, 0x2efb0b41, 0x5ab3671d, 0x5292dbd2,
+0x33e91056, 0x136dd647, 0x8c9ad761, 0x7a37a10c, 0x8e59f814, 0x89eb133c,
+0xeecea927, 0x35b761c9, 0xede11ce5, 0x3c7a47b1, 0x599cd2df, 0x3f55f273,
+0x791814ce, 0xbf73c737, 0xea53f7cd, 0x5b5ffdaa, 0x14df3d6f, 0x867844db,
+0x81caaff3, 0x3eb968c4, 0x2c382434, 0x5fc2a340, 0x72161dc3, 0x0cbce225,
+0x8b283c49, 0x41ff0d95, 0x7139a801, 0xde080cb3, 0x9cd8b4e4, 0x906456c1,
+0x617bcb84, 0x70d532b6, 0x74486c5c, 0x42d0b857  
+};
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _TInv2[256] = 
+{
+0xf45150a7, 0x417e5365, 0x171ac3a4, 0x273a965e, 0xab3bcb6b, 0x9d1ff145,
+0xfaacab58, 0xe34b9303, 0x302055fa, 0x76adf66d, 0xcc889176, 0x02f5254c,
+0xe54ffcd7, 0x2ac5d7cb, 0x35268044, 0x62b58fa3, 0xb1de495a, 0xba25671b,
+0xea45980e, 0xfe5de1c0, 0x2fc30275, 0x4c8112f0, 0x468da397, 0xd36bc6f9,
+0x8f03e75f, 0x9215959c, 0x6dbfeb7a, 0x5295da59, 0xbed42d83, 0x7458d321,
+0xe0492969, 0xc98e44c8, 0xc2756a89, 0x8ef47879, 0x58996b3e, 0xb927dd71,
+0xe1beb64f, 0x88f017ad, 0x20c966ac, 0xce7db43a, 0xdf63184a, 0x1ae58231,
+0x51976033, 0x5362457f, 0x64b1e077, 0x6bbb84ae, 0x81fe1ca0, 0x08f9942b,
+0x48705868, 0x458f19fd, 0xde94876c, 0x7b52b7f8, 0x73ab23d3, 0x4b72e202,
+0x1fe3578f, 0x55662aab, 0xebb20728, 0xb52f03c2, 0xc5869a7b, 0x37d3a508,
+0x2830f287, 0xbf23b2a5, 0x0302ba6a, 0x16ed5c82, 0xcf8a2b1c, 0x79a792b4,
+0x07f3f0f2, 0x694ea1e2, 0xda65cdf4, 0x0506d5be, 0x34d11f62, 0xa6c48afe,
+0x2e349d53, 0xf3a2a055, 0x8a0532e1, 0xf6a475eb, 0x830b39ec, 0x6040aaef,
+0x715e069f, 0x6ebd5110, 0x213ef98a, 0xdd963d06, 0x3eddae05, 0xe64d46bd,
+0x5491b58d, 0xc471055d, 0x06046fd4, 0x5060ff15, 0x981924fb, 0xbdd697e9,
+0x4089cc43, 0xd967779e, 0xe8b0bd42, 0x8907888b, 0x19e7385b, 0xc879dbee,
+0x7ca1470a, 0x427ce90f, 0x84f8c91e, 0x00000000, 0x80098386, 0x2b3248ed,
+0x111eac70, 0x5a6c4e72, 0x0efdfbff, 0x850f5638, 0xae3d1ed5, 0x2d362739,
+0x0f0a64d9, 0x5c6821a6, 0x5b9bd154, 0x36243a2e, 0x0a0cb167, 0x57930fe7,
+0xeeb4d296, 0x9b1b9e91, 0xc0804fc5, 0xdc61a220, 0x775a694b, 0x121c161a,
+0x93e20aba, 0xa0c0e52a, 0x223c43e0, 0x1b121d17, 0x090e0b0d, 0x8bf2adc7,
+0xb62db9a8, 0x1e14c8a9, 0xf1578519, 0x75af4c07, 0x99eebbdd, 0x7fa3fd60,
+0x01f79f26, 0x725cbcf5, 0x6644c53b, 0xfb5b347e, 0x438b7629, 0x23cbdcc6,
+0xedb668fc, 0xe4b863f1, 0x31d7cadc, 0x63421085, 0x97134022, 0xc6842011,
+0x4a857d24, 0xbbd2f83d, 0xf9ae1132, 0x29c76da1, 0x9e1d4b2f, 0xb2dcf330,
+0x860dec52, 0xc177d0e3, 0xb32b6c16, 0x70a999b9, 0x9411fa48, 0xe9472264,
+0xfca8c48c, 0xf0a01a3f, 0x7d56d82c, 0x3322ef90, 0x4987c74e, 0x38d9c1d1,
+0xca8cfea2, 0xd498360b, 0xf5a6cf81, 0x7aa528de, 0xb7da268e, 0xad3fa4bf,
+0x3a2ce49d, 0x78500d92, 0x5f6a9bcc, 0x7e546246, 0x8df6c213, 0xd890e8b8,
+0x392e5ef7, 0xc382f5af, 0x5d9fbe80, 0xd0697c93, 0xd56fa92d, 0x25cfb312,
+0xacc83b99, 0x1810a77d, 0x9ce86e63, 0x3bdb7bbb, 0x26cd0978, 0x596ef418,
+0x9aec01b7, 0x4f83a89a, 0x95e6656e, 0xffaa7ee6, 0xbc2108cf, 0x15efe6e8,
+0xe7bad99b, 0x6f4ace36, 0x9fead409, 0xb029d67c, 0xa431afb2, 0x3f2a3123,
+0xa5c63094, 0xa235c066, 0x4e7437bc, 0x82fca6ca, 0x90e0b0d0, 0xa73315d8,
+0x04f14a98, 0xec41f7da, 0xcd7f0e50, 0x91172ff6, 0x4d768dd6, 0xef434db0,
+0xaacc544d, 0x96e4df04, 0xd19ee3b5, 0x6a4c1b88, 0x2cc1b81f, 0x65467f51,
+0x5e9d04ea, 0x8c015d35, 0x87fa7374, 0x0bfb2e41, 0x67b35a1d, 0xdb9252d2,
+0x10e93356, 0xd66d1347, 0xd79a8c61, 0xa1377a0c, 0xf8598e14, 0x13eb893c,
+0xa9ceee27, 0x61b735c9, 0x1ce1ede5, 0x477a3cb1, 0xd29c59df, 0xf2553f73,
+0x141879ce, 0xc773bf37, 0xf753eacd, 0xfd5f5baa, 0x3ddf146f, 0x447886db,
+0xafca81f3, 0x68b93ec4, 0x24382c34, 0xa3c25f40, 0x1d1672c3, 0xe2bc0c25,
+0x3c288b49, 0x0dff4195, 0xa8397101, 0x0c08deb3, 0xb4d89ce4, 0x566490c1,
+0xcb7b6184, 0x32d570b6, 0x6c48745c, 0xb8d04257  
+};
+#else
+static const PRUint32 _TInv2[256] = 
+{
+0xa75051f4, 0x65537e41, 0xa4c31a17, 0x5e963a27, 0x6bcb3bab, 0x45f11f9d,
+0x58abacfa, 0x03934be3, 0xfa552030, 0x6df6ad76, 0x769188cc, 0x4c25f502,
+0xd7fc4fe5, 0xcbd7c52a, 0x44802635, 0xa38fb562, 0x5a49deb1, 0x1b6725ba,
+0x0e9845ea, 0xc0e15dfe, 0x7502c32f, 0xf012814c, 0x97a38d46, 0xf9c66bd3,
+0x5fe7038f, 0x9c951592, 0x7aebbf6d, 0x59da9552, 0x832dd4be, 0x21d35874,
+0x692949e0, 0xc8448ec9, 0x896a75c2, 0x7978f48e, 0x3e6b9958, 0x71dd27b9,
+0x4fb6bee1, 0xad17f088, 0xac66c920, 0x3ab47dce, 0x4a1863df, 0x3182e51a,
+0x33609751, 0x7f456253, 0x77e0b164, 0xae84bb6b, 0xa01cfe81, 0x2b94f908,
+0x68587048, 0xfd198f45, 0x6c8794de, 0xf8b7527b, 0xd323ab73, 0x02e2724b,
+0x8f57e31f, 0xab2a6655, 0x2807b2eb, 0xc2032fb5, 0x7b9a86c5, 0x08a5d337,
+0x87f23028, 0xa5b223bf, 0x6aba0203, 0x825ced16, 0x1c2b8acf, 0xb492a779,
+0xf2f0f307, 0xe2a14e69, 0xf4cd65da, 0xbed50605, 0x621fd134, 0xfe8ac4a6,
+0x539d342e, 0x55a0a2f3, 0xe132058a, 0xeb75a4f6, 0xec390b83, 0xefaa4060,
+0x9f065e71, 0x1051bd6e, 0x8af93e21, 0x063d96dd, 0x05aedd3e, 0xbd464de6,
+0x8db59154, 0x5d0571c4, 0xd46f0406, 0x15ff6050, 0xfb241998, 0xe997d6bd,
+0x43cc8940, 0x9e7767d9, 0x42bdb0e8, 0x8b880789, 0x5b38e719, 0xeedb79c8,
+0x0a47a17c, 0x0fe97c42, 0x1ec9f884, 0x00000000, 0x86830980, 0xed48322b,
+0x70ac1e11, 0x724e6c5a, 0xfffbfd0e, 0x38560f85, 0xd51e3dae, 0x3927362d,
+0xd9640a0f, 0xa621685c, 0x54d19b5b, 0x2e3a2436, 0x67b10c0a, 0xe70f9357,
+0x96d2b4ee, 0x919e1b9b, 0xc54f80c0, 0x20a261dc, 0x4b695a77, 0x1a161c12,
+0xba0ae293, 0x2ae5c0a0, 0xe0433c22, 0x171d121b, 0x0d0b0e09, 0xc7adf28b,
+0xa8b92db6, 0xa9c8141e, 0x198557f1, 0x074caf75, 0xddbbee99, 0x60fda37f,
+0x269ff701, 0xf5bc5c72, 0x3bc54466, 0x7e345bfb, 0x29768b43, 0xc6dccb23,
+0xfc68b6ed, 0xf163b8e4, 0xdccad731, 0x85104263, 0x22401397, 0x112084c6,
+0x247d854a, 0x3df8d2bb, 0x3211aef9, 0xa16dc729, 0x2f4b1d9e, 0x30f3dcb2,
+0x52ec0d86, 0xe3d077c1, 0x166c2bb3, 0xb999a970, 0x48fa1194, 0x642247e9,
+0x8cc4a8fc, 0x3f1aa0f0, 0x2cd8567d, 0x90ef2233, 0x4ec78749, 0xd1c1d938,
+0xa2fe8cca, 0x0b3698d4, 0x81cfa6f5, 0xde28a57a, 0x8e26dab7, 0xbfa43fad,
+0x9de42c3a, 0x920d5078, 0xcc9b6a5f, 0x4662547e, 0x13c2f68d, 0xb8e890d8,
+0xf75e2e39, 0xaff582c3, 0x80be9f5d, 0x937c69d0, 0x2da96fd5, 0x12b3cf25,
+0x993bc8ac, 0x7da71018, 0x636ee89c, 0xbb7bdb3b, 0x7809cd26, 0x18f46e59,
+0xb701ec9a, 0x9aa8834f, 0x6e65e695, 0xe67eaaff, 0xcf0821bc, 0xe8e6ef15,
+0x9bd9bae7, 0x36ce4a6f, 0x09d4ea9f, 0x7cd629b0, 0xb2af31a4, 0x23312a3f,
+0x9430c6a5, 0x66c035a2, 0xbc37744e, 0xcaa6fc82, 0xd0b0e090, 0xd81533a7,
+0x984af104, 0xdaf741ec, 0x500e7fcd, 0xf62f1791, 0xd68d764d, 0xb04d43ef,
+0x4d54ccaa, 0x04dfe496, 0xb5e39ed1, 0x881b4c6a, 0x1fb8c12c, 0x517f4665,
+0xea049d5e, 0x355d018c, 0x7473fa87, 0x412efb0b, 0x1d5ab367, 0xd25292db,
+0x5633e910, 0x47136dd6, 0x618c9ad7, 0x0c7a37a1, 0x148e59f8, 0x3c89eb13,
+0x27eecea9, 0xc935b761, 0xe5ede11c, 0xb13c7a47, 0xdf599cd2, 0x733f55f2,
+0xce791814, 0x37bf73c7, 0xcdea53f7, 0xaa5b5ffd, 0x6f14df3d, 0xdb867844,
+0xf381caaf, 0xc43eb968, 0x342c3824, 0x405fc2a3, 0xc372161d, 0x250cbce2,
+0x498b283c, 0x9541ff0d, 0x017139a8, 0xb3de080c, 0xe49cd8b4, 0xc1906456,
+0x84617bcb, 0xb670d532, 0x5c74486c, 0x5742d0b8  
+};
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _TInv3[256] = 
+{
+0x5150a7f4, 0x7e536541, 0x1ac3a417, 0x3a965e27, 0x3bcb6bab, 0x1ff1459d,
+0xacab58fa, 0x4b9303e3, 0x2055fa30, 0xadf66d76, 0x889176cc, 0xf5254c02,
+0x4ffcd7e5, 0xc5d7cb2a, 0x26804435, 0xb58fa362, 0xde495ab1, 0x25671bba,
+0x45980eea, 0x5de1c0fe, 0xc302752f, 0x8112f04c, 0x8da39746, 0x6bc6f9d3,
+0x03e75f8f, 0x15959c92, 0xbfeb7a6d, 0x95da5952, 0xd42d83be, 0x58d32174,
+0x492969e0, 0x8e44c8c9, 0x756a89c2, 0xf478798e, 0x996b3e58, 0x27dd71b9,
+0xbeb64fe1, 0xf017ad88, 0xc966ac20, 0x7db43ace, 0x63184adf, 0xe582311a,
+0x97603351, 0x62457f53, 0xb1e07764, 0xbb84ae6b, 0xfe1ca081, 0xf9942b08,
+0x70586848, 0x8f19fd45, 0x94876cde, 0x52b7f87b, 0xab23d373, 0x72e2024b,
+0xe3578f1f, 0x662aab55, 0xb20728eb, 0x2f03c2b5, 0x869a7bc5, 0xd3a50837,
+0x30f28728, 0x23b2a5bf, 0x02ba6a03, 0xed5c8216, 0x8a2b1ccf, 0xa792b479,
+0xf3f0f207, 0x4ea1e269, 0x65cdf4da, 0x06d5be05, 0xd11f6234, 0xc48afea6,
+0x349d532e, 0xa2a055f3, 0x0532e18a, 0xa475ebf6, 0x0b39ec83, 0x40aaef60,
+0x5e069f71, 0xbd51106e, 0x3ef98a21, 0x963d06dd, 0xddae053e, 0x4d46bde6,
+0x91b58d54, 0x71055dc4, 0x046fd406, 0x60ff1550, 0x1924fb98, 0xd697e9bd,
+0x89cc4340, 0x67779ed9, 0xb0bd42e8, 0x07888b89, 0xe7385b19, 0x79dbeec8,
+0xa1470a7c, 0x7ce90f42, 0xf8c91e84, 0x00000000, 0x09838680, 0x3248ed2b,
+0x1eac7011, 0x6c4e725a, 0xfdfbff0e, 0x0f563885, 0x3d1ed5ae, 0x3627392d,
+0x0a64d90f, 0x6821a65c, 0x9bd1545b, 0x243a2e36, 0x0cb1670a, 0x930fe757,
+0xb4d296ee, 0x1b9e919b, 0x804fc5c0, 0x61a220dc, 0x5a694b77, 0x1c161a12,
+0xe20aba93, 0xc0e52aa0, 0x3c43e022, 0x121d171b, 0x0e0b0d09, 0xf2adc78b,
+0x2db9a8b6, 0x14c8a91e, 0x578519f1, 0xaf4c0775, 0xeebbdd99, 0xa3fd607f,
+0xf79f2601, 0x5cbcf572, 0x44c53b66, 0x5b347efb, 0x8b762943, 0xcbdcc623,
+0xb668fced, 0xb863f1e4, 0xd7cadc31, 0x42108563, 0x13402297, 0x842011c6,
+0x857d244a, 0xd2f83dbb, 0xae1132f9, 0xc76da129, 0x1d4b2f9e, 0xdcf330b2,
+0x0dec5286, 0x77d0e3c1, 0x2b6c16b3, 0xa999b970, 0x11fa4894, 0x472264e9,
+0xa8c48cfc, 0xa01a3ff0, 0x56d82c7d, 0x22ef9033, 0x87c74e49, 0xd9c1d138,
+0x8cfea2ca, 0x98360bd4, 0xa6cf81f5, 0xa528de7a, 0xda268eb7, 0x3fa4bfad,
+0x2ce49d3a, 0x500d9278, 0x6a9bcc5f, 0x5462467e, 0xf6c2138d, 0x90e8b8d8,
+0x2e5ef739, 0x82f5afc3, 0x9fbe805d, 0x697c93d0, 0x6fa92dd5, 0xcfb31225,
+0xc83b99ac, 0x10a77d18, 0xe86e639c, 0xdb7bbb3b, 0xcd097826, 0x6ef41859,
+0xec01b79a, 0x83a89a4f, 0xe6656e95, 0xaa7ee6ff, 0x2108cfbc, 0xefe6e815,
+0xbad99be7, 0x4ace366f, 0xead4099f, 0x29d67cb0, 0x31afb2a4, 0x2a31233f,
+0xc63094a5, 0x35c066a2, 0x7437bc4e, 0xfca6ca82, 0xe0b0d090, 0x3315d8a7,
+0xf14a9804, 0x41f7daec, 0x7f0e50cd, 0x172ff691, 0x768dd64d, 0x434db0ef,
+0xcc544daa, 0xe4df0496, 0x9ee3b5d1, 0x4c1b886a, 0xc1b81f2c, 0x467f5165,
+0x9d04ea5e, 0x015d358c, 0xfa737487, 0xfb2e410b, 0xb35a1d67, 0x9252d2db,
+0xe9335610, 0x6d1347d6, 0x9a8c61d7, 0x377a0ca1, 0x598e14f8, 0xeb893c13,
+0xceee27a9, 0xb735c961, 0xe1ede51c, 0x7a3cb147, 0x9c59dfd2, 0x553f73f2,
+0x1879ce14, 0x73bf37c7, 0x53eacdf7, 0x5f5baafd, 0xdf146f3d, 0x7886db44,
+0xca81f3af, 0xb93ec468, 0x382c3424, 0xc25f40a3, 0x1672c31d, 0xbc0c25e2,
+0x288b493c, 0xff41950d, 0x397101a8, 0x08deb30c, 0xd89ce4b4, 0x6490c156,
+0x7b6184cb, 0xd570b632, 0x48745c6c, 0xd04257b8  
+};
+#else
+static const PRUint32 _TInv3[256] = 
+{
+0xf4a75051, 0x4165537e, 0x17a4c31a, 0x275e963a, 0xab6bcb3b, 0x9d45f11f,
+0xfa58abac, 0xe303934b, 0x30fa5520, 0x766df6ad, 0xcc769188, 0x024c25f5,
+0xe5d7fc4f, 0x2acbd7c5, 0x35448026, 0x62a38fb5, 0xb15a49de, 0xba1b6725,
+0xea0e9845, 0xfec0e15d, 0x2f7502c3, 0x4cf01281, 0x4697a38d, 0xd3f9c66b,
+0x8f5fe703, 0x929c9515, 0x6d7aebbf, 0x5259da95, 0xbe832dd4, 0x7421d358,
+0xe0692949, 0xc9c8448e, 0xc2896a75, 0x8e7978f4, 0x583e6b99, 0xb971dd27,
+0xe14fb6be, 0x88ad17f0, 0x20ac66c9, 0xce3ab47d, 0xdf4a1863, 0x1a3182e5,
+0x51336097, 0x537f4562, 0x6477e0b1, 0x6bae84bb, 0x81a01cfe, 0x082b94f9,
+0x48685870, 0x45fd198f, 0xde6c8794, 0x7bf8b752, 0x73d323ab, 0x4b02e272,
+0x1f8f57e3, 0x55ab2a66, 0xeb2807b2, 0xb5c2032f, 0xc57b9a86, 0x3708a5d3,
+0x2887f230, 0xbfa5b223, 0x036aba02, 0x16825ced, 0xcf1c2b8a, 0x79b492a7,
+0x07f2f0f3, 0x69e2a14e, 0xdaf4cd65, 0x05bed506, 0x34621fd1, 0xa6fe8ac4,
+0x2e539d34, 0xf355a0a2, 0x8ae13205, 0xf6eb75a4, 0x83ec390b, 0x60efaa40,
+0x719f065e, 0x6e1051bd, 0x218af93e, 0xdd063d96, 0x3e05aedd, 0xe6bd464d,
+0x548db591, 0xc45d0571, 0x06d46f04, 0x5015ff60, 0x98fb2419, 0xbde997d6,
+0x4043cc89, 0xd99e7767, 0xe842bdb0, 0x898b8807, 0x195b38e7, 0xc8eedb79,
+0x7c0a47a1, 0x420fe97c, 0x841ec9f8, 0x00000000, 0x80868309, 0x2bed4832,
+0x1170ac1e, 0x5a724e6c, 0x0efffbfd, 0x8538560f, 0xaed51e3d, 0x2d392736,
+0x0fd9640a, 0x5ca62168, 0x5b54d19b, 0x362e3a24, 0x0a67b10c, 0x57e70f93,
+0xee96d2b4, 0x9b919e1b, 0xc0c54f80, 0xdc20a261, 0x774b695a, 0x121a161c,
+0x93ba0ae2, 0xa02ae5c0, 0x22e0433c, 0x1b171d12, 0x090d0b0e, 0x8bc7adf2,
+0xb6a8b92d, 0x1ea9c814, 0xf1198557, 0x75074caf, 0x99ddbbee, 0x7f60fda3,
+0x01269ff7, 0x72f5bc5c, 0x663bc544, 0xfb7e345b, 0x4329768b, 0x23c6dccb,
+0xedfc68b6, 0xe4f163b8, 0x31dccad7, 0x63851042, 0x97224013, 0xc6112084,
+0x4a247d85, 0xbb3df8d2, 0xf93211ae, 0x29a16dc7, 0x9e2f4b1d, 0xb230f3dc,
+0x8652ec0d, 0xc1e3d077, 0xb3166c2b, 0x70b999a9, 0x9448fa11, 0xe9642247,
+0xfc8cc4a8, 0xf03f1aa0, 0x7d2cd856, 0x3390ef22, 0x494ec787, 0x38d1c1d9,
+0xcaa2fe8c, 0xd40b3698, 0xf581cfa6, 0x7ade28a5, 0xb78e26da, 0xadbfa43f,
+0x3a9de42c, 0x78920d50, 0x5fcc9b6a, 0x7e466254, 0x8d13c2f6, 0xd8b8e890,
+0x39f75e2e, 0xc3aff582, 0x5d80be9f, 0xd0937c69, 0xd52da96f, 0x2512b3cf,
+0xac993bc8, 0x187da710, 0x9c636ee8, 0x3bbb7bdb, 0x267809cd, 0x5918f46e,
+0x9ab701ec, 0x4f9aa883, 0x956e65e6, 0xffe67eaa, 0xbccf0821, 0x15e8e6ef,
+0xe79bd9ba, 0x6f36ce4a, 0x9f09d4ea, 0xb07cd629, 0xa4b2af31, 0x3f23312a,
+0xa59430c6, 0xa266c035, 0x4ebc3774, 0x82caa6fc, 0x90d0b0e0, 0xa7d81533,
+0x04984af1, 0xecdaf741, 0xcd500e7f, 0x91f62f17, 0x4dd68d76, 0xefb04d43,
+0xaa4d54cc, 0x9604dfe4, 0xd1b5e39e, 0x6a881b4c, 0x2c1fb8c1, 0x65517f46,
+0x5eea049d, 0x8c355d01, 0x877473fa, 0x0b412efb, 0x671d5ab3, 0xdbd25292,
+0x105633e9, 0xd647136d, 0xd7618c9a, 0xa10c7a37, 0xf8148e59, 0x133c89eb,
+0xa927eece, 0x61c935b7, 0x1ce5ede1, 0x47b13c7a, 0xd2df599c, 0xf2733f55,
+0x14ce7918, 0xc737bf73, 0xf7cdea53, 0xfdaa5b5f, 0x3d6f14df, 0x44db8678,
+0xaff381ca, 0x68c43eb9, 0x24342c38, 0xa3405fc2, 0x1dc37216, 0xe2250cbc,
+0x3c498b28, 0x0d9541ff, 0xa8017139, 0x0cb3de08, 0xb4e49cd8, 0x56c19064,
+0xcb84617b, 0x32b670d5, 0x6c5c7448, 0xb85742d0  
+};
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _IMXC0[256] = 
+{
+0x00000000, 0x0b0d090e, 0x161a121c, 0x1d171b12, 0x2c342438, 0x27392d36,
+0x3a2e3624, 0x31233f2a, 0x58684870, 0x5365417e, 0x4e725a6c, 0x457f5362,
+0x745c6c48, 0x7f516546, 0x62467e54, 0x694b775a, 0xb0d090e0, 0xbbdd99ee,
+0xa6ca82fc, 0xadc78bf2, 0x9ce4b4d8, 0x97e9bdd6, 0x8afea6c4, 0x81f3afca,
+0xe8b8d890, 0xe3b5d19e, 0xfea2ca8c, 0xf5afc382, 0xc48cfca8, 0xcf81f5a6,
+0xd296eeb4, 0xd99be7ba, 0x7bbb3bdb, 0x70b632d5, 0x6da129c7, 0x66ac20c9,
+0x578f1fe3, 0x5c8216ed, 0x41950dff, 0x4a9804f1, 0x23d373ab, 0x28de7aa5,
+0x35c961b7, 0x3ec468b9, 0x0fe75793, 0x04ea5e9d, 0x19fd458f, 0x12f04c81,
+0xcb6bab3b, 0xc066a235, 0xdd71b927, 0xd67cb029, 0xe75f8f03, 0xec52860d,
+0xf1459d1f, 0xfa489411, 0x9303e34b, 0x980eea45, 0x8519f157, 0x8e14f859,
+0xbf37c773, 0xb43ace7d, 0xa92dd56f, 0xa220dc61, 0xf66d76ad, 0xfd607fa3,
+0xe07764b1, 0xeb7a6dbf, 0xda595295, 0xd1545b9b, 0xcc434089, 0xc74e4987,
+0xae053edd, 0xa50837d3, 0xb81f2cc1, 0xb31225cf, 0x82311ae5, 0x893c13eb,
+0x942b08f9, 0x9f2601f7, 0x46bde64d, 0x4db0ef43, 0x50a7f451, 0x5baafd5f,
+0x6a89c275, 0x6184cb7b, 0x7c93d069, 0x779ed967, 0x1ed5ae3d, 0x15d8a733,
+0x08cfbc21, 0x03c2b52f, 0x32e18a05, 0x39ec830b, 0x24fb9819, 0x2ff69117,
+0x8dd64d76, 0x86db4478, 0x9bcc5f6a, 0x90c15664, 0xa1e2694e, 0xaaef6040,
+0xb7f87b52, 0xbcf5725c, 0xd5be0506, 0xdeb30c08, 0xc3a4171a, 0xc8a91e14,
+0xf98a213e, 0xf2872830, 0xef903322, 0xe49d3a2c, 0x3d06dd96, 0x360bd498,
+0x2b1ccf8a, 0x2011c684, 0x1132f9ae, 0x1a3ff0a0, 0x0728ebb2, 0x0c25e2bc,
+0x656e95e6, 0x6e639ce8, 0x737487fa, 0x78798ef4, 0x495ab1de, 0x4257b8d0,
+0x5f40a3c2, 0x544daacc, 0xf7daec41, 0xfcd7e54f, 0xe1c0fe5d, 0xeacdf753,
+0xdbeec879, 0xd0e3c177, 0xcdf4da65, 0xc6f9d36b, 0xafb2a431, 0xa4bfad3f,
+0xb9a8b62d, 0xb2a5bf23, 0x83868009, 0x888b8907, 0x959c9215, 0x9e919b1b,
+0x470a7ca1, 0x4c0775af, 0x51106ebd, 0x5a1d67b3, 0x6b3e5899, 0x60335197,
+0x7d244a85, 0x7629438b, 0x1f6234d1, 0x146f3ddf, 0x097826cd, 0x02752fc3,
+0x335610e9, 0x385b19e7, 0x254c02f5, 0x2e410bfb, 0x8c61d79a, 0x876cde94,
+0x9a7bc586, 0x9176cc88, 0xa055f3a2, 0xab58faac, 0xb64fe1be, 0xbd42e8b0,
+0xd4099fea, 0xdf0496e4, 0xc2138df6, 0xc91e84f8, 0xf83dbbd2, 0xf330b2dc,
+0xee27a9ce, 0xe52aa0c0, 0x3cb1477a, 0x37bc4e74, 0x2aab5566, 0x21a65c68,
+0x10856342, 0x1b886a4c, 0x069f715e, 0x0d927850, 0x64d90f0a, 0x6fd40604,
+0x72c31d16, 0x79ce1418, 0x48ed2b32, 0x43e0223c, 0x5ef7392e, 0x55fa3020,
+0x01b79aec, 0x0aba93e2, 0x17ad88f0, 0x1ca081fe, 0x2d83bed4, 0x268eb7da,
+0x3b99acc8, 0x3094a5c6, 0x59dfd29c, 0x52d2db92, 0x4fc5c080, 0x44c8c98e,
+0x75ebf6a4, 0x7ee6ffaa, 0x63f1e4b8, 0x68fcedb6, 0xb1670a0c, 0xba6a0302,
+0xa77d1810, 0xac70111e, 0x9d532e34, 0x965e273a, 0x8b493c28, 0x80443526,
+0xe90f427c, 0xe2024b72, 0xff155060, 0xf418596e, 0xc53b6644, 0xce366f4a,
+0xd3217458, 0xd82c7d56, 0x7a0ca137, 0x7101a839, 0x6c16b32b, 0x671bba25,
+0x5638850f, 0x5d358c01, 0x40229713, 0x4b2f9e1d, 0x2264e947, 0x2969e049,
+0x347efb5b, 0x3f73f255, 0x0e50cd7f, 0x055dc471, 0x184adf63, 0x1347d66d,
+0xcadc31d7, 0xc1d138d9, 0xdcc623cb, 0xd7cb2ac5, 0xe6e815ef, 0xede51ce1,
+0xf0f207f3, 0xfbff0efd, 0x92b479a7, 0x99b970a9, 0x84ae6bbb, 0x8fa362b5,
+0xbe805d9f, 0xb58d5491, 0xa89a4f83, 0xa397468d  
+};
+#else
+static const PRUint32 _IMXC0[256] = 
+{
+0x00000000, 0x0e090d0b, 0x1c121a16, 0x121b171d, 0x3824342c, 0x362d3927,
+0x24362e3a, 0x2a3f2331, 0x70486858, 0x7e416553, 0x6c5a724e, 0x62537f45,
+0x486c5c74, 0x4665517f, 0x547e4662, 0x5a774b69, 0xe090d0b0, 0xee99ddbb,
+0xfc82caa6, 0xf28bc7ad, 0xd8b4e49c, 0xd6bde997, 0xc4a6fe8a, 0xcaaff381,
+0x90d8b8e8, 0x9ed1b5e3, 0x8ccaa2fe, 0x82c3aff5, 0xa8fc8cc4, 0xa6f581cf,
+0xb4ee96d2, 0xbae79bd9, 0xdb3bbb7b, 0xd532b670, 0xc729a16d, 0xc920ac66,
+0xe31f8f57, 0xed16825c, 0xff0d9541, 0xf104984a, 0xab73d323, 0xa57ade28,
+0xb761c935, 0xb968c43e, 0x9357e70f, 0x9d5eea04, 0x8f45fd19, 0x814cf012,
+0x3bab6bcb, 0x35a266c0, 0x27b971dd, 0x29b07cd6, 0x038f5fe7, 0x0d8652ec,
+0x1f9d45f1, 0x119448fa, 0x4be30393, 0x45ea0e98, 0x57f11985, 0x59f8148e,
+0x73c737bf, 0x7dce3ab4, 0x6fd52da9, 0x61dc20a2, 0xad766df6, 0xa37f60fd,
+0xb16477e0, 0xbf6d7aeb, 0x955259da, 0x9b5b54d1, 0x894043cc, 0x87494ec7,
+0xdd3e05ae, 0xd33708a5, 0xc12c1fb8, 0xcf2512b3, 0xe51a3182, 0xeb133c89,
+0xf9082b94, 0xf701269f, 0x4de6bd46, 0x43efb04d, 0x51f4a750, 0x5ffdaa5b,
+0x75c2896a, 0x7bcb8461, 0x69d0937c, 0x67d99e77, 0x3daed51e, 0x33a7d815,
+0x21bccf08, 0x2fb5c203, 0x058ae132, 0x0b83ec39, 0x1998fb24, 0x1791f62f,
+0x764dd68d, 0x7844db86, 0x6a5fcc9b, 0x6456c190, 0x4e69e2a1, 0x4060efaa,
+0x527bf8b7, 0x5c72f5bc, 0x0605bed5, 0x080cb3de, 0x1a17a4c3, 0x141ea9c8,
+0x3e218af9, 0x302887f2, 0x223390ef, 0x2c3a9de4, 0x96dd063d, 0x98d40b36,
+0x8acf1c2b, 0x84c61120, 0xaef93211, 0xa0f03f1a, 0xb2eb2807, 0xbce2250c,
+0xe6956e65, 0xe89c636e, 0xfa877473, 0xf48e7978, 0xdeb15a49, 0xd0b85742,
+0xc2a3405f, 0xccaa4d54, 0x41ecdaf7, 0x4fe5d7fc, 0x5dfec0e1, 0x53f7cdea,
+0x79c8eedb, 0x77c1e3d0, 0x65daf4cd, 0x6bd3f9c6, 0x31a4b2af, 0x3fadbfa4,
+0x2db6a8b9, 0x23bfa5b2, 0x09808683, 0x07898b88, 0x15929c95, 0x1b9b919e,
+0xa17c0a47, 0xaf75074c, 0xbd6e1051, 0xb3671d5a, 0x99583e6b, 0x97513360,
+0x854a247d, 0x8b432976, 0xd134621f, 0xdf3d6f14, 0xcd267809, 0xc32f7502,
+0xe9105633, 0xe7195b38, 0xf5024c25, 0xfb0b412e, 0x9ad7618c, 0x94de6c87,
+0x86c57b9a, 0x88cc7691, 0xa2f355a0, 0xacfa58ab, 0xbee14fb6, 0xb0e842bd,
+0xea9f09d4, 0xe49604df, 0xf68d13c2, 0xf8841ec9, 0xd2bb3df8, 0xdcb230f3,
+0xcea927ee, 0xc0a02ae5, 0x7a47b13c, 0x744ebc37, 0x6655ab2a, 0x685ca621,
+0x42638510, 0x4c6a881b, 0x5e719f06, 0x5078920d, 0x0a0fd964, 0x0406d46f,
+0x161dc372, 0x1814ce79, 0x322bed48, 0x3c22e043, 0x2e39f75e, 0x2030fa55,
+0xec9ab701, 0xe293ba0a, 0xf088ad17, 0xfe81a01c, 0xd4be832d, 0xdab78e26,
+0xc8ac993b, 0xc6a59430, 0x9cd2df59, 0x92dbd252, 0x80c0c54f, 0x8ec9c844,
+0xa4f6eb75, 0xaaffe67e, 0xb8e4f163, 0xb6edfc68, 0x0c0a67b1, 0x02036aba,
+0x10187da7, 0x1e1170ac, 0x342e539d, 0x3a275e96, 0x283c498b, 0x26354480,
+0x7c420fe9, 0x724b02e2, 0x605015ff, 0x6e5918f4, 0x44663bc5, 0x4a6f36ce,
+0x587421d3, 0x567d2cd8, 0x37a10c7a, 0x39a80171, 0x2bb3166c, 0x25ba1b67,
+0x0f853856, 0x018c355d, 0x13972240, 0x1d9e2f4b, 0x47e96422, 0x49e06929,
+0x5bfb7e34, 0x55f2733f, 0x7fcd500e, 0x71c45d05, 0x63df4a18, 0x6dd64713,
+0xd731dcca, 0xd938d1c1, 0xcb23c6dc, 0xc52acbd7, 0xef15e8e6, 0xe11ce5ed,
+0xf307f2f0, 0xfd0efffb, 0xa779b492, 0xa970b999, 0xbb6bae84, 0xb562a38f,
+0x9f5d80be, 0x91548db5, 0x834f9aa8, 0x8d4697a3  
+};
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _IMXC1[256] = 
+{
+0x00000000, 0x0d090e0b, 0x1a121c16, 0x171b121d, 0x3424382c, 0x392d3627,
+0x2e36243a, 0x233f2a31, 0x68487058, 0x65417e53, 0x725a6c4e, 0x7f536245,
+0x5c6c4874, 0x5165467f, 0x467e5462, 0x4b775a69, 0xd090e0b0, 0xdd99eebb,
+0xca82fca6, 0xc78bf2ad, 0xe4b4d89c, 0xe9bdd697, 0xfea6c48a, 0xf3afca81,
+0xb8d890e8, 0xb5d19ee3, 0xa2ca8cfe, 0xafc382f5, 0x8cfca8c4, 0x81f5a6cf,
+0x96eeb4d2, 0x9be7bad9, 0xbb3bdb7b, 0xb632d570, 0xa129c76d, 0xac20c966,
+0x8f1fe357, 0x8216ed5c, 0x950dff41, 0x9804f14a, 0xd373ab23, 0xde7aa528,
+0xc961b735, 0xc468b93e, 0xe757930f, 0xea5e9d04, 0xfd458f19, 0xf04c8112,
+0x6bab3bcb, 0x66a235c0, 0x71b927dd, 0x7cb029d6, 0x5f8f03e7, 0x52860dec,
+0x459d1ff1, 0x489411fa, 0x03e34b93, 0x0eea4598, 0x19f15785, 0x14f8598e,
+0x37c773bf, 0x3ace7db4, 0x2dd56fa9, 0x20dc61a2, 0x6d76adf6, 0x607fa3fd,
+0x7764b1e0, 0x7a6dbfeb, 0x595295da, 0x545b9bd1, 0x434089cc, 0x4e4987c7,
+0x053eddae, 0x0837d3a5, 0x1f2cc1b8, 0x1225cfb3, 0x311ae582, 0x3c13eb89,
+0x2b08f994, 0x2601f79f, 0xbde64d46, 0xb0ef434d, 0xa7f45150, 0xaafd5f5b,
+0x89c2756a, 0x84cb7b61, 0x93d0697c, 0x9ed96777, 0xd5ae3d1e, 0xd8a73315,
+0xcfbc2108, 0xc2b52f03, 0xe18a0532, 0xec830b39, 0xfb981924, 0xf691172f,
+0xd64d768d, 0xdb447886, 0xcc5f6a9b, 0xc1566490, 0xe2694ea1, 0xef6040aa,
+0xf87b52b7, 0xf5725cbc, 0xbe0506d5, 0xb30c08de, 0xa4171ac3, 0xa91e14c8,
+0x8a213ef9, 0x872830f2, 0x903322ef, 0x9d3a2ce4, 0x06dd963d, 0x0bd49836,
+0x1ccf8a2b, 0x11c68420, 0x32f9ae11, 0x3ff0a01a, 0x28ebb207, 0x25e2bc0c,
+0x6e95e665, 0x639ce86e, 0x7487fa73, 0x798ef478, 0x5ab1de49, 0x57b8d042,
+0x40a3c25f, 0x4daacc54, 0xdaec41f7, 0xd7e54ffc, 0xc0fe5de1, 0xcdf753ea,
+0xeec879db, 0xe3c177d0, 0xf4da65cd, 0xf9d36bc6, 0xb2a431af, 0xbfad3fa4,
+0xa8b62db9, 0xa5bf23b2, 0x86800983, 0x8b890788, 0x9c921595, 0x919b1b9e,
+0x0a7ca147, 0x0775af4c, 0x106ebd51, 0x1d67b35a, 0x3e58996b, 0x33519760,
+0x244a857d, 0x29438b76, 0x6234d11f, 0x6f3ddf14, 0x7826cd09, 0x752fc302,
+0x5610e933, 0x5b19e738, 0x4c02f525, 0x410bfb2e, 0x61d79a8c, 0x6cde9487,
+0x7bc5869a, 0x76cc8891, 0x55f3a2a0, 0x58faacab, 0x4fe1beb6, 0x42e8b0bd,
+0x099fead4, 0x0496e4df, 0x138df6c2, 0x1e84f8c9, 0x3dbbd2f8, 0x30b2dcf3,
+0x27a9ceee, 0x2aa0c0e5, 0xb1477a3c, 0xbc4e7437, 0xab55662a, 0xa65c6821,
+0x85634210, 0x886a4c1b, 0x9f715e06, 0x9278500d, 0xd90f0a64, 0xd406046f,
+0xc31d1672, 0xce141879, 0xed2b3248, 0xe0223c43, 0xf7392e5e, 0xfa302055,
+0xb79aec01, 0xba93e20a, 0xad88f017, 0xa081fe1c, 0x83bed42d, 0x8eb7da26,
+0x99acc83b, 0x94a5c630, 0xdfd29c59, 0xd2db9252, 0xc5c0804f, 0xc8c98e44,
+0xebf6a475, 0xe6ffaa7e, 0xf1e4b863, 0xfcedb668, 0x670a0cb1, 0x6a0302ba,
+0x7d1810a7, 0x70111eac, 0x532e349d, 0x5e273a96, 0x493c288b, 0x44352680,
+0x0f427ce9, 0x024b72e2, 0x155060ff, 0x18596ef4, 0x3b6644c5, 0x366f4ace,
+0x217458d3, 0x2c7d56d8, 0x0ca1377a, 0x01a83971, 0x16b32b6c, 0x1bba2567,
+0x38850f56, 0x358c015d, 0x22971340, 0x2f9e1d4b, 0x64e94722, 0x69e04929,
+0x7efb5b34, 0x73f2553f, 0x50cd7f0e, 0x5dc47105, 0x4adf6318, 0x47d66d13,
+0xdc31d7ca, 0xd138d9c1, 0xc623cbdc, 0xcb2ac5d7, 0xe815efe6, 0xe51ce1ed,
+0xf207f3f0, 0xff0efdfb, 0xb479a792, 0xb970a999, 0xae6bbb84, 0xa362b58f,
+0x805d9fbe, 0x8d5491b5, 0x9a4f83a8, 0x97468da3  
+};
+#else
+static const PRUint32 _IMXC1[256] = 
+{
+0x00000000, 0x0b0e090d, 0x161c121a, 0x1d121b17, 0x2c382434, 0x27362d39,
+0x3a24362e, 0x312a3f23, 0x58704868, 0x537e4165, 0x4e6c5a72, 0x4562537f,
+0x74486c5c, 0x7f466551, 0x62547e46, 0x695a774b, 0xb0e090d0, 0xbbee99dd,
+0xa6fc82ca, 0xadf28bc7, 0x9cd8b4e4, 0x97d6bde9, 0x8ac4a6fe, 0x81caaff3,
+0xe890d8b8, 0xe39ed1b5, 0xfe8ccaa2, 0xf582c3af, 0xc4a8fc8c, 0xcfa6f581,
+0xd2b4ee96, 0xd9bae79b, 0x7bdb3bbb, 0x70d532b6, 0x6dc729a1, 0x66c920ac,
+0x57e31f8f, 0x5ced1682, 0x41ff0d95, 0x4af10498, 0x23ab73d3, 0x28a57ade,
+0x35b761c9, 0x3eb968c4, 0x0f9357e7, 0x049d5eea, 0x198f45fd, 0x12814cf0,
+0xcb3bab6b, 0xc035a266, 0xdd27b971, 0xd629b07c, 0xe7038f5f, 0xec0d8652,
+0xf11f9d45, 0xfa119448, 0x934be303, 0x9845ea0e, 0x8557f119, 0x8e59f814,
+0xbf73c737, 0xb47dce3a, 0xa96fd52d, 0xa261dc20, 0xf6ad766d, 0xfda37f60,
+0xe0b16477, 0xebbf6d7a, 0xda955259, 0xd19b5b54, 0xcc894043, 0xc787494e,
+0xaedd3e05, 0xa5d33708, 0xb8c12c1f, 0xb3cf2512, 0x82e51a31, 0x89eb133c,
+0x94f9082b, 0x9ff70126, 0x464de6bd, 0x4d43efb0, 0x5051f4a7, 0x5b5ffdaa,
+0x6a75c289, 0x617bcb84, 0x7c69d093, 0x7767d99e, 0x1e3daed5, 0x1533a7d8,
+0x0821bccf, 0x032fb5c2, 0x32058ae1, 0x390b83ec, 0x241998fb, 0x2f1791f6,
+0x8d764dd6, 0x867844db, 0x9b6a5fcc, 0x906456c1, 0xa14e69e2, 0xaa4060ef,
+0xb7527bf8, 0xbc5c72f5, 0xd50605be, 0xde080cb3, 0xc31a17a4, 0xc8141ea9,
+0xf93e218a, 0xf2302887, 0xef223390, 0xe42c3a9d, 0x3d96dd06, 0x3698d40b,
+0x2b8acf1c, 0x2084c611, 0x11aef932, 0x1aa0f03f, 0x07b2eb28, 0x0cbce225,
+0x65e6956e, 0x6ee89c63, 0x73fa8774, 0x78f48e79, 0x49deb15a, 0x42d0b857,
+0x5fc2a340, 0x54ccaa4d, 0xf741ecda, 0xfc4fe5d7, 0xe15dfec0, 0xea53f7cd,
+0xdb79c8ee, 0xd077c1e3, 0xcd65daf4, 0xc66bd3f9, 0xaf31a4b2, 0xa43fadbf,
+0xb92db6a8, 0xb223bfa5, 0x83098086, 0x8807898b, 0x9515929c, 0x9e1b9b91,
+0x47a17c0a, 0x4caf7507, 0x51bd6e10, 0x5ab3671d, 0x6b99583e, 0x60975133,
+0x7d854a24, 0x768b4329, 0x1fd13462, 0x14df3d6f, 0x09cd2678, 0x02c32f75,
+0x33e91056, 0x38e7195b, 0x25f5024c, 0x2efb0b41, 0x8c9ad761, 0x8794de6c,
+0x9a86c57b, 0x9188cc76, 0xa0a2f355, 0xabacfa58, 0xb6bee14f, 0xbdb0e842,
+0xd4ea9f09, 0xdfe49604, 0xc2f68d13, 0xc9f8841e, 0xf8d2bb3d, 0xf3dcb230,
+0xeecea927, 0xe5c0a02a, 0x3c7a47b1, 0x37744ebc, 0x2a6655ab, 0x21685ca6,
+0x10426385, 0x1b4c6a88, 0x065e719f, 0x0d507892, 0x640a0fd9, 0x6f0406d4,
+0x72161dc3, 0x791814ce, 0x48322bed, 0x433c22e0, 0x5e2e39f7, 0x552030fa,
+0x01ec9ab7, 0x0ae293ba, 0x17f088ad, 0x1cfe81a0, 0x2dd4be83, 0x26dab78e,
+0x3bc8ac99, 0x30c6a594, 0x599cd2df, 0x5292dbd2, 0x4f80c0c5, 0x448ec9c8,
+0x75a4f6eb, 0x7eaaffe6, 0x63b8e4f1, 0x68b6edfc, 0xb10c0a67, 0xba02036a,
+0xa710187d, 0xac1e1170, 0x9d342e53, 0x963a275e, 0x8b283c49, 0x80263544,
+0xe97c420f, 0xe2724b02, 0xff605015, 0xf46e5918, 0xc544663b, 0xce4a6f36,
+0xd3587421, 0xd8567d2c, 0x7a37a10c, 0x7139a801, 0x6c2bb316, 0x6725ba1b,
+0x560f8538, 0x5d018c35, 0x40139722, 0x4b1d9e2f, 0x2247e964, 0x2949e069,
+0x345bfb7e, 0x3f55f273, 0x0e7fcd50, 0x0571c45d, 0x1863df4a, 0x136dd647,
+0xcad731dc, 0xc1d938d1, 0xdccb23c6, 0xd7c52acb, 0xe6ef15e8, 0xede11ce5,
+0xf0f307f2, 0xfbfd0eff, 0x92a779b4, 0x99a970b9, 0x84bb6bae, 0x8fb562a3,
+0xbe9f5d80, 0xb591548d, 0xa8834f9a, 0xa38d4697  
+};
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _IMXC2[256] = 
+{
+0x00000000, 0x090e0b0d, 0x121c161a, 0x1b121d17, 0x24382c34, 0x2d362739,
+0x36243a2e, 0x3f2a3123, 0x48705868, 0x417e5365, 0x5a6c4e72, 0x5362457f,
+0x6c48745c, 0x65467f51, 0x7e546246, 0x775a694b, 0x90e0b0d0, 0x99eebbdd,
+0x82fca6ca, 0x8bf2adc7, 0xb4d89ce4, 0xbdd697e9, 0xa6c48afe, 0xafca81f3,
+0xd890e8b8, 0xd19ee3b5, 0xca8cfea2, 0xc382f5af, 0xfca8c48c, 0xf5a6cf81,
+0xeeb4d296, 0xe7bad99b, 0x3bdb7bbb, 0x32d570b6, 0x29c76da1, 0x20c966ac,
+0x1fe3578f, 0x16ed5c82, 0x0dff4195, 0x04f14a98, 0x73ab23d3, 0x7aa528de,
+0x61b735c9, 0x68b93ec4, 0x57930fe7, 0x5e9d04ea, 0x458f19fd, 0x4c8112f0,
+0xab3bcb6b, 0xa235c066, 0xb927dd71, 0xb029d67c, 0x8f03e75f, 0x860dec52,
+0x9d1ff145, 0x9411fa48, 0xe34b9303, 0xea45980e, 0xf1578519, 0xf8598e14,
+0xc773bf37, 0xce7db43a, 0xd56fa92d, 0xdc61a220, 0x76adf66d, 0x7fa3fd60,
+0x64b1e077, 0x6dbfeb7a, 0x5295da59, 0x5b9bd154, 0x4089cc43, 0x4987c74e,
+0x3eddae05, 0x37d3a508, 0x2cc1b81f, 0x25cfb312, 0x1ae58231, 0x13eb893c,
+0x08f9942b, 0x01f79f26, 0xe64d46bd, 0xef434db0, 0xf45150a7, 0xfd5f5baa,
+0xc2756a89, 0xcb7b6184, 0xd0697c93, 0xd967779e, 0xae3d1ed5, 0xa73315d8,
+0xbc2108cf, 0xb52f03c2, 0x8a0532e1, 0x830b39ec, 0x981924fb, 0x91172ff6,
+0x4d768dd6, 0x447886db, 0x5f6a9bcc, 0x566490c1, 0x694ea1e2, 0x6040aaef,
+0x7b52b7f8, 0x725cbcf5, 0x0506d5be, 0x0c08deb3, 0x171ac3a4, 0x1e14c8a9,
+0x213ef98a, 0x2830f287, 0x3322ef90, 0x3a2ce49d, 0xdd963d06, 0xd498360b,
+0xcf8a2b1c, 0xc6842011, 0xf9ae1132, 0xf0a01a3f, 0xebb20728, 0xe2bc0c25,
+0x95e6656e, 0x9ce86e63, 0x87fa7374, 0x8ef47879, 0xb1de495a, 0xb8d04257,
+0xa3c25f40, 0xaacc544d, 0xec41f7da, 0xe54ffcd7, 0xfe5de1c0, 0xf753eacd,
+0xc879dbee, 0xc177d0e3, 0xda65cdf4, 0xd36bc6f9, 0xa431afb2, 0xad3fa4bf,
+0xb62db9a8, 0xbf23b2a5, 0x80098386, 0x8907888b, 0x9215959c, 0x9b1b9e91,
+0x7ca1470a, 0x75af4c07, 0x6ebd5110, 0x67b35a1d, 0x58996b3e, 0x51976033,
+0x4a857d24, 0x438b7629, 0x34d11f62, 0x3ddf146f, 0x26cd0978, 0x2fc30275,
+0x10e93356, 0x19e7385b, 0x02f5254c, 0x0bfb2e41, 0xd79a8c61, 0xde94876c,
+0xc5869a7b, 0xcc889176, 0xf3a2a055, 0xfaacab58, 0xe1beb64f, 0xe8b0bd42,
+0x9fead409, 0x96e4df04, 0x8df6c213, 0x84f8c91e, 0xbbd2f83d, 0xb2dcf330,
+0xa9ceee27, 0xa0c0e52a, 0x477a3cb1, 0x4e7437bc, 0x55662aab, 0x5c6821a6,
+0x63421085, 0x6a4c1b88, 0x715e069f, 0x78500d92, 0x0f0a64d9, 0x06046fd4,
+0x1d1672c3, 0x141879ce, 0x2b3248ed, 0x223c43e0, 0x392e5ef7, 0x302055fa,
+0x9aec01b7, 0x93e20aba, 0x88f017ad, 0x81fe1ca0, 0xbed42d83, 0xb7da268e,
+0xacc83b99, 0xa5c63094, 0xd29c59df, 0xdb9252d2, 0xc0804fc5, 0xc98e44c8,
+0xf6a475eb, 0xffaa7ee6, 0xe4b863f1, 0xedb668fc, 0x0a0cb167, 0x0302ba6a,
+0x1810a77d, 0x111eac70, 0x2e349d53, 0x273a965e, 0x3c288b49, 0x35268044,
+0x427ce90f, 0x4b72e202, 0x5060ff15, 0x596ef418, 0x6644c53b, 0x6f4ace36,
+0x7458d321, 0x7d56d82c, 0xa1377a0c, 0xa8397101, 0xb32b6c16, 0xba25671b,
+0x850f5638, 0x8c015d35, 0x97134022, 0x9e1d4b2f, 0xe9472264, 0xe0492969,
+0xfb5b347e, 0xf2553f73, 0xcd7f0e50, 0xc471055d, 0xdf63184a, 0xd66d1347,
+0x31d7cadc, 0x38d9c1d1, 0x23cbdcc6, 0x2ac5d7cb, 0x15efe6e8, 0x1ce1ede5,
+0x07f3f0f2, 0x0efdfbff, 0x79a792b4, 0x70a999b9, 0x6bbb84ae, 0x62b58fa3,
+0x5d9fbe80, 0x5491b58d, 0x4f83a89a, 0x468da397  
+};
+#else
+static const PRUint32 _IMXC2[256] = 
+{
+0x00000000, 0x0d0b0e09, 0x1a161c12, 0x171d121b, 0x342c3824, 0x3927362d,
+0x2e3a2436, 0x23312a3f, 0x68587048, 0x65537e41, 0x724e6c5a, 0x7f456253,
+0x5c74486c, 0x517f4665, 0x4662547e, 0x4b695a77, 0xd0b0e090, 0xddbbee99,
+0xcaa6fc82, 0xc7adf28b, 0xe49cd8b4, 0xe997d6bd, 0xfe8ac4a6, 0xf381caaf,
+0xb8e890d8, 0xb5e39ed1, 0xa2fe8cca, 0xaff582c3, 0x8cc4a8fc, 0x81cfa6f5,
+0x96d2b4ee, 0x9bd9bae7, 0xbb7bdb3b, 0xb670d532, 0xa16dc729, 0xac66c920,
+0x8f57e31f, 0x825ced16, 0x9541ff0d, 0x984af104, 0xd323ab73, 0xde28a57a,
+0xc935b761, 0xc43eb968, 0xe70f9357, 0xea049d5e, 0xfd198f45, 0xf012814c,
+0x6bcb3bab, 0x66c035a2, 0x71dd27b9, 0x7cd629b0, 0x5fe7038f, 0x52ec0d86,
+0x45f11f9d, 0x48fa1194, 0x03934be3, 0x0e9845ea, 0x198557f1, 0x148e59f8,
+0x37bf73c7, 0x3ab47dce, 0x2da96fd5, 0x20a261dc, 0x6df6ad76, 0x60fda37f,
+0x77e0b164, 0x7aebbf6d, 0x59da9552, 0x54d19b5b, 0x43cc8940, 0x4ec78749,
+0x05aedd3e, 0x08a5d337, 0x1fb8c12c, 0x12b3cf25, 0x3182e51a, 0x3c89eb13,
+0x2b94f908, 0x269ff701, 0xbd464de6, 0xb04d43ef, 0xa75051f4, 0xaa5b5ffd,
+0x896a75c2, 0x84617bcb, 0x937c69d0, 0x9e7767d9, 0xd51e3dae, 0xd81533a7,
+0xcf0821bc, 0xc2032fb5, 0xe132058a, 0xec390b83, 0xfb241998, 0xf62f1791,
+0xd68d764d, 0xdb867844, 0xcc9b6a5f, 0xc1906456, 0xe2a14e69, 0xefaa4060,
+0xf8b7527b, 0xf5bc5c72, 0xbed50605, 0xb3de080c, 0xa4c31a17, 0xa9c8141e,
+0x8af93e21, 0x87f23028, 0x90ef2233, 0x9de42c3a, 0x063d96dd, 0x0b3698d4,
+0x1c2b8acf, 0x112084c6, 0x3211aef9, 0x3f1aa0f0, 0x2807b2eb, 0x250cbce2,
+0x6e65e695, 0x636ee89c, 0x7473fa87, 0x7978f48e, 0x5a49deb1, 0x5742d0b8,
+0x405fc2a3, 0x4d54ccaa, 0xdaf741ec, 0xd7fc4fe5, 0xc0e15dfe, 0xcdea53f7,
+0xeedb79c8, 0xe3d077c1, 0xf4cd65da, 0xf9c66bd3, 0xb2af31a4, 0xbfa43fad,
+0xa8b92db6, 0xa5b223bf, 0x86830980, 0x8b880789, 0x9c951592, 0x919e1b9b,
+0x0a47a17c, 0x074caf75, 0x1051bd6e, 0x1d5ab367, 0x3e6b9958, 0x33609751,
+0x247d854a, 0x29768b43, 0x621fd134, 0x6f14df3d, 0x7809cd26, 0x7502c32f,
+0x5633e910, 0x5b38e719, 0x4c25f502, 0x412efb0b, 0x618c9ad7, 0x6c8794de,
+0x7b9a86c5, 0x769188cc, 0x55a0a2f3, 0x58abacfa, 0x4fb6bee1, 0x42bdb0e8,
+0x09d4ea9f, 0x04dfe496, 0x13c2f68d, 0x1ec9f884, 0x3df8d2bb, 0x30f3dcb2,
+0x27eecea9, 0x2ae5c0a0, 0xb13c7a47, 0xbc37744e, 0xab2a6655, 0xa621685c,
+0x85104263, 0x881b4c6a, 0x9f065e71, 0x920d5078, 0xd9640a0f, 0xd46f0406,
+0xc372161d, 0xce791814, 0xed48322b, 0xe0433c22, 0xf75e2e39, 0xfa552030,
+0xb701ec9a, 0xba0ae293, 0xad17f088, 0xa01cfe81, 0x832dd4be, 0x8e26dab7,
+0x993bc8ac, 0x9430c6a5, 0xdf599cd2, 0xd25292db, 0xc54f80c0, 0xc8448ec9,
+0xeb75a4f6, 0xe67eaaff, 0xf163b8e4, 0xfc68b6ed, 0x67b10c0a, 0x6aba0203,
+0x7da71018, 0x70ac1e11, 0x539d342e, 0x5e963a27, 0x498b283c, 0x44802635,
+0x0fe97c42, 0x02e2724b, 0x15ff6050, 0x18f46e59, 0x3bc54466, 0x36ce4a6f,
+0x21d35874, 0x2cd8567d, 0x0c7a37a1, 0x017139a8, 0x166c2bb3, 0x1b6725ba,
+0x38560f85, 0x355d018c, 0x22401397, 0x2f4b1d9e, 0x642247e9, 0x692949e0,
+0x7e345bfb, 0x733f55f2, 0x500e7fcd, 0x5d0571c4, 0x4a1863df, 0x47136dd6,
+0xdccad731, 0xd1c1d938, 0xc6dccb23, 0xcbd7c52a, 0xe8e6ef15, 0xe5ede11c,
+0xf2f0f307, 0xfffbfd0e, 0xb492a779, 0xb999a970, 0xae84bb6b, 0xa38fb562,
+0x80be9f5d, 0x8db59154, 0x9aa8834f, 0x97a38d46  
+};
+#endif
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 _IMXC3[256] = 
+{
+0x00000000, 0x0e0b0d09, 0x1c161a12, 0x121d171b, 0x382c3424, 0x3627392d,
+0x243a2e36, 0x2a31233f, 0x70586848, 0x7e536541, 0x6c4e725a, 0x62457f53,
+0x48745c6c, 0x467f5165, 0x5462467e, 0x5a694b77, 0xe0b0d090, 0xeebbdd99,
+0xfca6ca82, 0xf2adc78b, 0xd89ce4b4, 0xd697e9bd, 0xc48afea6, 0xca81f3af,
+0x90e8b8d8, 0x9ee3b5d1, 0x8cfea2ca, 0x82f5afc3, 0xa8c48cfc, 0xa6cf81f5,
+0xb4d296ee, 0xbad99be7, 0xdb7bbb3b, 0xd570b632, 0xc76da129, 0xc966ac20,
+0xe3578f1f, 0xed5c8216, 0xff41950d, 0xf14a9804, 0xab23d373, 0xa528de7a,
+0xb735c961, 0xb93ec468, 0x930fe757, 0x9d04ea5e, 0x8f19fd45, 0x8112f04c,
+0x3bcb6bab, 0x35c066a2, 0x27dd71b9, 0x29d67cb0, 0x03e75f8f, 0x0dec5286,
+0x1ff1459d, 0x11fa4894, 0x4b9303e3, 0x45980eea, 0x578519f1, 0x598e14f8,
+0x73bf37c7, 0x7db43ace, 0x6fa92dd5, 0x61a220dc, 0xadf66d76, 0xa3fd607f,
+0xb1e07764, 0xbfeb7a6d, 0x95da5952, 0x9bd1545b, 0x89cc4340, 0x87c74e49,
+0xddae053e, 0xd3a50837, 0xc1b81f2c, 0xcfb31225, 0xe582311a, 0xeb893c13,
+0xf9942b08, 0xf79f2601, 0x4d46bde6, 0x434db0ef, 0x5150a7f4, 0x5f5baafd,
+0x756a89c2, 0x7b6184cb, 0x697c93d0, 0x67779ed9, 0x3d1ed5ae, 0x3315d8a7,
+0x2108cfbc, 0x2f03c2b5, 0x0532e18a, 0x0b39ec83, 0x1924fb98, 0x172ff691,
+0x768dd64d, 0x7886db44, 0x6a9bcc5f, 0x6490c156, 0x4ea1e269, 0x40aaef60,
+0x52b7f87b, 0x5cbcf572, 0x06d5be05, 0x08deb30c, 0x1ac3a417, 0x14c8a91e,
+0x3ef98a21, 0x30f28728, 0x22ef9033, 0x2ce49d3a, 0x963d06dd, 0x98360bd4,
+0x8a2b1ccf, 0x842011c6, 0xae1132f9, 0xa01a3ff0, 0xb20728eb, 0xbc0c25e2,
+0xe6656e95, 0xe86e639c, 0xfa737487, 0xf478798e, 0xde495ab1, 0xd04257b8,
+0xc25f40a3, 0xcc544daa, 0x41f7daec, 0x4ffcd7e5, 0x5de1c0fe, 0x53eacdf7,
+0x79dbeec8, 0x77d0e3c1, 0x65cdf4da, 0x6bc6f9d3, 0x31afb2a4, 0x3fa4bfad,
+0x2db9a8b6, 0x23b2a5bf, 0x09838680, 0x07888b89, 0x15959c92, 0x1b9e919b,
+0xa1470a7c, 0xaf4c0775, 0xbd51106e, 0xb35a1d67, 0x996b3e58, 0x97603351,
+0x857d244a, 0x8b762943, 0xd11f6234, 0xdf146f3d, 0xcd097826, 0xc302752f,
+0xe9335610, 0xe7385b19, 0xf5254c02, 0xfb2e410b, 0x9a8c61d7, 0x94876cde,
+0x869a7bc5, 0x889176cc, 0xa2a055f3, 0xacab58fa, 0xbeb64fe1, 0xb0bd42e8,
+0xead4099f, 0xe4df0496, 0xf6c2138d, 0xf8c91e84, 0xd2f83dbb, 0xdcf330b2,
+0xceee27a9, 0xc0e52aa0, 0x7a3cb147, 0x7437bc4e, 0x662aab55, 0x6821a65c,
+0x42108563, 0x4c1b886a, 0x5e069f71, 0x500d9278, 0x0a64d90f, 0x046fd406,
+0x1672c31d, 0x1879ce14, 0x3248ed2b, 0x3c43e022, 0x2e5ef739, 0x2055fa30,
+0xec01b79a, 0xe20aba93, 0xf017ad88, 0xfe1ca081, 0xd42d83be, 0xda268eb7,
+0xc83b99ac, 0xc63094a5, 0x9c59dfd2, 0x9252d2db, 0x804fc5c0, 0x8e44c8c9,
+0xa475ebf6, 0xaa7ee6ff, 0xb863f1e4, 0xb668fced, 0x0cb1670a, 0x02ba6a03,
+0x10a77d18, 0x1eac7011, 0x349d532e, 0x3a965e27, 0x288b493c, 0x26804435,
+0x7ce90f42, 0x72e2024b, 0x60ff1550, 0x6ef41859, 0x44c53b66, 0x4ace366f,
+0x58d32174, 0x56d82c7d, 0x377a0ca1, 0x397101a8, 0x2b6c16b3, 0x25671bba,
+0x0f563885, 0x015d358c, 0x13402297, 0x1d4b2f9e, 0x472264e9, 0x492969e0,
+0x5b347efb, 0x553f73f2, 0x7f0e50cd, 0x71055dc4, 0x63184adf, 0x6d1347d6,
+0xd7cadc31, 0xd9c1d138, 0xcbdcc623, 0xc5d7cb2a, 0xefe6e815, 0xe1ede51c,
+0xf3f0f207, 0xfdfbff0e, 0xa792b479, 0xa999b970, 0xbb84ae6b, 0xb58fa362,
+0x9fbe805d, 0x91b58d54, 0x83a89a4f, 0x8da39746  
+};
+#else
+static const PRUint32 _IMXC3[256] = 
+{
+0x00000000, 0x090d0b0e, 0x121a161c, 0x1b171d12, 0x24342c38, 0x2d392736,
+0x362e3a24, 0x3f23312a, 0x48685870, 0x4165537e, 0x5a724e6c, 0x537f4562,
+0x6c5c7448, 0x65517f46, 0x7e466254, 0x774b695a, 0x90d0b0e0, 0x99ddbbee,
+0x82caa6fc, 0x8bc7adf2, 0xb4e49cd8, 0xbde997d6, 0xa6fe8ac4, 0xaff381ca,
+0xd8b8e890, 0xd1b5e39e, 0xcaa2fe8c, 0xc3aff582, 0xfc8cc4a8, 0xf581cfa6,
+0xee96d2b4, 0xe79bd9ba, 0x3bbb7bdb, 0x32b670d5, 0x29a16dc7, 0x20ac66c9,
+0x1f8f57e3, 0x16825ced, 0x0d9541ff, 0x04984af1, 0x73d323ab, 0x7ade28a5,
+0x61c935b7, 0x68c43eb9, 0x57e70f93, 0x5eea049d, 0x45fd198f, 0x4cf01281,
+0xab6bcb3b, 0xa266c035, 0xb971dd27, 0xb07cd629, 0x8f5fe703, 0x8652ec0d,
+0x9d45f11f, 0x9448fa11, 0xe303934b, 0xea0e9845, 0xf1198557, 0xf8148e59,
+0xc737bf73, 0xce3ab47d, 0xd52da96f, 0xdc20a261, 0x766df6ad, 0x7f60fda3,
+0x6477e0b1, 0x6d7aebbf, 0x5259da95, 0x5b54d19b, 0x4043cc89, 0x494ec787,
+0x3e05aedd, 0x3708a5d3, 0x2c1fb8c1, 0x2512b3cf, 0x1a3182e5, 0x133c89eb,
+0x082b94f9, 0x01269ff7, 0xe6bd464d, 0xefb04d43, 0xf4a75051, 0xfdaa5b5f,
+0xc2896a75, 0xcb84617b, 0xd0937c69, 0xd99e7767, 0xaed51e3d, 0xa7d81533,
+0xbccf0821, 0xb5c2032f, 0x8ae13205, 0x83ec390b, 0x98fb2419, 0x91f62f17,
+0x4dd68d76, 0x44db8678, 0x5fcc9b6a, 0x56c19064, 0x69e2a14e, 0x60efaa40,
+0x7bf8b752, 0x72f5bc5c, 0x05bed506, 0x0cb3de08, 0x17a4c31a, 0x1ea9c814,
+0x218af93e, 0x2887f230, 0x3390ef22, 0x3a9de42c, 0xdd063d96, 0xd40b3698,
+0xcf1c2b8a, 0xc6112084, 0xf93211ae, 0xf03f1aa0, 0xeb2807b2, 0xe2250cbc,
+0x956e65e6, 0x9c636ee8, 0x877473fa, 0x8e7978f4, 0xb15a49de, 0xb85742d0,
+0xa3405fc2, 0xaa4d54cc, 0xecdaf741, 0xe5d7fc4f, 0xfec0e15d, 0xf7cdea53,
+0xc8eedb79, 0xc1e3d077, 0xdaf4cd65, 0xd3f9c66b, 0xa4b2af31, 0xadbfa43f,
+0xb6a8b92d, 0xbfa5b223, 0x80868309, 0x898b8807, 0x929c9515, 0x9b919e1b,
+0x7c0a47a1, 0x75074caf, 0x6e1051bd, 0x671d5ab3, 0x583e6b99, 0x51336097,
+0x4a247d85, 0x4329768b, 0x34621fd1, 0x3d6f14df, 0x267809cd, 0x2f7502c3,
+0x105633e9, 0x195b38e7, 0x024c25f5, 0x0b412efb, 0xd7618c9a, 0xde6c8794,
+0xc57b9a86, 0xcc769188, 0xf355a0a2, 0xfa58abac, 0xe14fb6be, 0xe842bdb0,
+0x9f09d4ea, 0x9604dfe4, 0x8d13c2f6, 0x841ec9f8, 0xbb3df8d2, 0xb230f3dc,
+0xa927eece, 0xa02ae5c0, 0x47b13c7a, 0x4ebc3774, 0x55ab2a66, 0x5ca62168,
+0x63851042, 0x6a881b4c, 0x719f065e, 0x78920d50, 0x0fd9640a, 0x06d46f04,
+0x1dc37216, 0x14ce7918, 0x2bed4832, 0x22e0433c, 0x39f75e2e, 0x30fa5520,
+0x9ab701ec, 0x93ba0ae2, 0x88ad17f0, 0x81a01cfe, 0xbe832dd4, 0xb78e26da,
+0xac993bc8, 0xa59430c6, 0xd2df599c, 0xdbd25292, 0xc0c54f80, 0xc9c8448e,
+0xf6eb75a4, 0xffe67eaa, 0xe4f163b8, 0xedfc68b6, 0x0a67b10c, 0x036aba02,
+0x187da710, 0x1170ac1e, 0x2e539d34, 0x275e963a, 0x3c498b28, 0x35448026,
+0x420fe97c, 0x4b02e272, 0x5015ff60, 0x5918f46e, 0x663bc544, 0x6f36ce4a,
+0x7421d358, 0x7d2cd856, 0xa10c7a37, 0xa8017139, 0xb3166c2b, 0xba1b6725,
+0x8538560f, 0x8c355d01, 0x97224013, 0x9e2f4b1d, 0xe9642247, 0xe0692949,
+0xfb7e345b, 0xf2733f55, 0xcd500e7f, 0xc45d0571, 0xdf4a1863, 0xd647136d,
+0x31dccad7, 0x38d1c1d9, 0x23c6dccb, 0x2acbd7c5, 0x15e8e6ef, 0x1ce5ede1,
+0x07f2f0f3, 0x0efffbfd, 0x79b492a7, 0x70b999a9, 0x6bae84bb, 0x62a38fb5,
+0x5d80be9f, 0x548db591, 0x4f9aa883, 0x4697a38d  
+};
+#endif
+
+#endif /* RIJNDAEL_INCLUDE_TABLES */
+
+#ifdef IS_LITTLE_ENDIAN
+static const PRUint32 Rcon[30] = {
+0x00000001, 0x00000002, 0x00000004, 0x00000008, 0x00000010, 0x00000020,
+0x00000040, 0x00000080, 0x0000001b, 0x00000036, 0x0000006c, 0x000000d8,
+0x000000ab, 0x0000004d, 0x0000009a, 0x0000002f, 0x0000005e, 0x000000bc,
+0x00000063, 0x000000c6, 0x00000097, 0x00000035, 0x0000006a, 0x000000d4,
+0x000000b3, 0x0000007d, 0x000000fa, 0x000000ef, 0x000000c5, 0x00000091 
+};
+#else
+static const PRUint32 Rcon[30] = {
+0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000, 0x20000000,
+0x40000000, 0x80000000, 0x1b000000, 0x36000000, 0x6c000000, 0xd8000000,
+0xab000000, 0x4d000000, 0x9a000000, 0x2f000000, 0x5e000000, 0xbc000000,
+0x63000000, 0xc6000000, 0x97000000, 0x35000000, 0x6a000000, 0xd4000000,
+0xb3000000, 0x7d000000, 0xfa000000, 0xef000000, 0xc5000000, 0x91000000 
+};
+#endif
+
diff --git a/security/nss/lib/freebl/rijndael_tables.c b/security/nss/lib/freebl/rijndael_tables.c
new file mode 100644
index 000000000..6f1957468
--- /dev/null
+++ b/security/nss/lib/freebl/rijndael_tables.c
@@ -0,0 +1,244 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "stdio.h"
+#include "prtypes.h"
+#include "blapi.h"
+
+/*
+ * what follows is code thrown together to generate the myriad of tables
+ * used by Rijndael, the AES cipher.
+ */
+
+
+#define WORD_LE(b0, b1, b2, b3) \
+    (((b3) << 24) | ((b2) << 16) | ((b1) << 8) | b0)
+
+#define WORD_BE(b0, b1, b2, b3) \
+    (((b0) << 24) | ((b1) << 16) | ((b2) << 8) | b3)
+
+static const PRUint8 __S[256] = 
+{
+ 99, 124, 119, 123, 242, 107, 111, 197,  48,   1, 103,  43, 254, 215, 171, 118, 
+202, 130, 201, 125, 250,  89,  71, 240, 173, 212, 162, 175, 156, 164, 114, 192, 
+183, 253, 147,  38,  54,  63, 247, 204,  52, 165, 229, 241, 113, 216,  49,  21, 
+  4, 199,  35, 195,  24, 150,   5, 154,   7,  18, 128, 226, 235,  39, 178, 117, 
+  9, 131,  44,  26,  27, 110,  90, 160,  82,  59, 214, 179,  41, 227,  47, 132, 
+ 83, 209,   0, 237,  32, 252, 177,  91, 106, 203, 190,  57,  74,  76,  88, 207, 
+208, 239, 170, 251,  67,  77,  51, 133,  69, 249,   2, 127,  80,  60, 159, 168, 
+ 81, 163,  64, 143, 146, 157,  56, 245, 188, 182, 218,  33,  16, 255, 243, 210, 
+205,  12,  19, 236,  95, 151,  68,  23, 196, 167, 126,  61, 100,  93,  25, 115, 
+ 96, 129,  79, 220,  34,  42, 144, 136,  70, 238, 184,  20, 222,  94,  11, 219, 
+224,  50,  58,  10,  73,   6,  36,  92, 194, 211, 172,  98, 145, 149, 228, 121, 
+231, 200,  55, 109, 141, 213,  78, 169, 108,  86, 244, 234, 101, 122, 174,   8, 
+186, 120,  37,  46,  28, 166, 180, 198, 232, 221, 116,  31,  75, 189, 139, 138, 
+112,  62, 181, 102,  72,   3, 246,  14,  97,  53,  87, 185, 134, 193,  29, 158, 
+225, 248, 152,  17, 105, 217, 142, 148, 155,  30, 135, 233, 206,  85,  40, 223, 
+140, 161, 137,  13, 191, 230,  66, 104,  65, 153,  45,  15, 176,  84, 187,  22, 
+};
+
+static const PRUint8 __SInv[256] = 
+{
+ 82,   9, 106, 213,  48,  54, 165,  56, 191,  64, 163, 158, 129, 243, 215, 251, 
+124, 227,  57, 130, 155,  47, 255, 135,  52, 142,  67,  68, 196, 222, 233, 203, 
+ 84, 123, 148,  50, 166, 194,  35,  61, 238,  76, 149,  11,  66, 250, 195,  78, 
+  8,  46, 161, 102,  40, 217,  36, 178, 118,  91, 162,  73, 109, 139, 209,  37, 
+114, 248, 246, 100, 134, 104, 152,  22, 212, 164,  92, 204,  93, 101, 182, 146, 
+108, 112,  72,  80, 253, 237, 185, 218,  94,  21,  70,  87, 167, 141, 157, 132, 
+144, 216, 171,   0, 140, 188, 211,  10, 247, 228,  88,   5, 184, 179,  69,   6, 
+208,  44,  30, 143, 202,  63,  15,   2, 193, 175, 189,   3,   1,  19, 138, 107, 
+ 58, 145,  17,  65,  79, 103, 220, 234, 151, 242, 207, 206, 240, 180, 230, 115, 
+150, 172, 116,  34, 231, 173,  53, 133, 226, 249,  55, 232,  28, 117, 223, 110, 
+ 71, 241,  26, 113,  29,  41, 197, 137, 111, 183,  98,  14, 170,  24, 190,  27, 
+252,  86,  62,  75, 198, 210, 121,  32, 154, 219, 192, 254, 120, 205,  90, 244, 
+ 31, 221, 168,  51, 136,   7, 199,  49, 177,  18,  16,  89,  39, 128, 236,  95, 
+ 96,  81, 127, 169,  25, 181,  74,  13,  45, 229, 122, 159, 147, 201, 156, 239, 
+160, 224,  59,  77, 174,  42, 245, 176, 200, 235, 187,  60, 131,  83, 153,  97, 
+ 23,  43,   4, 126, 186, 119, 214,  38, 225, 105,  20,  99,  85,  33,  12, 125
+};
+
+/* GF_MULTIPLY
+ *
+ * multiply two bytes represented in GF(2**8), mod (x**4 + 1)
+ */
+PRUint8 gf_multiply(PRUint8 a, PRUint8 b)
+{
+    PRUint8 res = 0;
+    while (b > 0) {
+	res = (b & 0x01) ? res ^ a : res;
+	a = (a & 0x80) ? ((a << 1) ^ 0x1b) : (a << 1);
+	b >>= 1;
+    }
+    return res;
+}
+
+void
+make_T_Table(char *table, const PRUint8 Sx[256], FILE *file,
+             unsigned char m0, unsigned char m1, 
+             unsigned char m2, unsigned char m3)
+{
+    PRUint32 Ti;
+    int i;
+    fprintf(file, "#ifdef IS_LITTLE_ENDIAN\n");
+    fprintf(file, "static const PRUint32 _T%s[256] = \n{\n", table);
+    for (i=0; i<256; i++) {
+	Ti = WORD_LE( gf_multiply(Sx[i], m0),
+	              gf_multiply(Sx[i], m1),
+	              gf_multiply(Sx[i], m2),
+	              gf_multiply(Sx[i], m3) );
+	if (Ti == 0)
+	    fprintf(file, "0x00000000%c%c", (i==255)?' ':',',
+	                                    (i%6==5)?'\n':' ');
+	else
+	    fprintf(file, "%#.8x%c%c", Ti, (i==255)?' ':',',
+	                                   (i%6==5)?'\n':' ');
+    }
+    fprintf(file, "\n};\n");
+    fprintf(file, "#else\n");
+    fprintf(file, "static const PRUint32 _T%s[256] = \n{\n", table);
+    for (i=0; i<256; i++) {
+	Ti = WORD_BE( gf_multiply(Sx[i], m0),
+	              gf_multiply(Sx[i], m1),
+	              gf_multiply(Sx[i], m2),
+	              gf_multiply(Sx[i], m3) );
+	if (Ti == 0)
+	    fprintf(file, "0x00000000%c%c", (i==255)?' ':',',
+	                                    (i%6==5)?'\n':' ');
+	else
+	    fprintf(file, "%#.8x%c%c", Ti, (i==255)?' ':',',
+	                                   (i%6==5)?'\n':' ');
+    }
+    fprintf(file, "\n};\n");
+    fprintf(file, "#endif\n\n");
+}
+
+void make_InvMixCol_Table(int num, FILE *file, PRUint8 m0, PRUint8 m1, PRUint8 m2, PRUint8 m3)
+{
+    PRUint16 i;
+    PRUint8 b0, b1, b2, b3;
+    fprintf(file, "#ifdef IS_LITTLE_ENDIAN\n");
+    fprintf(file, "static const PRUint32 _IMXC%d[256] = \n{\n", num);
+    for (i=0; i<256; i++) {
+	b0 = gf_multiply(i, m0);
+	b1 = gf_multiply(i, m1);
+	b2 = gf_multiply(i, m2);
+	b3 = gf_multiply(i, m3);
+	fprintf(file, "0x%.2x%.2x%.2x%.2x%c%c", b3, b2, b1, b0, (i==255)?' ':',', (i%6==5)?'\n':' ');
+    }
+    fprintf(file, "\n};\n");
+    fprintf(file, "#else\n");
+    fprintf(file, "static const PRUint32 _IMXC%d[256] = \n{\n", num);
+    for (i=0; i<256; i++) {
+	b0 = gf_multiply(i, m0);
+	b1 = gf_multiply(i, m1);
+	b2 = gf_multiply(i, m2);
+	b3 = gf_multiply(i, m3);
+	fprintf(file, "0x%.2x%.2x%.2x%.2x%c%c", b0, b1, b2, b3, (i==255)?' ':',', (i%6==5)?'\n':' ');
+    }
+    fprintf(file, "\n};\n");
+    fprintf(file, "#endif\n\n");
+}
+
+int main()
+{
+    int i, j;
+    PRUint8 cur, last;
+    PRUint32 tmp;
+    FILE *optfile;
+    optfile = fopen("rijndael32.tab", "w");
+    /* output S, if there are no T tables */
+    fprintf(optfile, "#ifndef RIJNDAEL_INCLUDE_TABLES\n");
+    fprintf(optfile, "static const PRUint8 _S[256] = \n{\n");
+    for (i=0; i<256; i++) {
+	fprintf(optfile, "%3d%c%c", __S[i],(i==255)?' ':',', 
+	                            (i%16==15)?'\n':' ');
+    }
+    fprintf(optfile, "};\n#endif /* not RIJNDAEL_INCLUDE_TABLES */\n\n");
+    /* output S**-1 */
+    fprintf(optfile, "static const PRUint8 _SInv[256] = \n{\n");
+    for (i=0; i<256; i++) {
+	fprintf(optfile, "%3d%c%c", __SInv[i],(i==255)?' ':',', 
+	                            (i%16==15)?'\n':' ');
+    }
+    fprintf(optfile, "};\n\n");
+    fprintf(optfile, "#ifdef RIJNDAEL_INCLUDE_TABLES\n");
+    /* The 32-bit word tables for optimized implementation */
+    /* T0 = [ S[a] * 02, S[a], S[a], S[a] * 03 ] */
+    make_T_Table("0", __S, optfile, 0x02, 0x01, 0x01, 0x03);
+    /* T1 = [ S[a] * 03, S[a] * 02, S[a], S[a] ] */
+    make_T_Table("1", __S, optfile, 0x03, 0x02, 0x01, 0x01);
+    /* T2 = [ S[a], S[a] * 03, S[a] * 02, S[a] ] */
+    make_T_Table("2", __S, optfile, 0x01, 0x03, 0x02, 0x01);
+    /* T3 = [ S[a], S[a], S[a] * 03, S[a] * 02 ] */
+    make_T_Table("3", __S, optfile, 0x01, 0x01, 0x03, 0x02);
+    /* TInv0 = [ Si[a] * 0E, Si[a] * 09, Si[a] * 0D, Si[a] * 0B ] */
+    make_T_Table("Inv0", __SInv, optfile, 0x0e, 0x09, 0x0d, 0x0b);
+    /* TInv1 = [ Si[a] * 0B, Si[a] * 0E, Si[a] * 09, Si[a] * 0D ] */
+    make_T_Table("Inv1", __SInv, optfile, 0x0b, 0x0e, 0x09, 0x0d);
+    /* TInv2 = [ Si[a] * 0D, Si[a] * 0B, Si[a] * 0E, Si[a] * 09 ] */
+    make_T_Table("Inv2", __SInv, optfile, 0x0d, 0x0b, 0x0e, 0x09);
+    /* TInv3 = [ Si[a] * 09, Si[a] * 0D, Si[a] * 0B, Si[a] * 0E ] */
+    make_T_Table("Inv3", __SInv, optfile, 0x09, 0x0d, 0x0b, 0x0e);
+    /* byte multiply tables for inverse key expansion (mimics InvMixColumn) */
+    make_InvMixCol_Table(0, optfile, 0x0e, 0x09, 0x0d, 0x0b);
+    make_InvMixCol_Table(1, optfile, 0x0b, 0x0E, 0x09, 0x0d);
+    make_InvMixCol_Table(2, optfile, 0x0d, 0x0b, 0x0e, 0x09);
+    make_InvMixCol_Table(3, optfile, 0x09, 0x0d, 0x0b, 0x0e);
+    fprintf(optfile, "#endif /* RIJNDAEL_INCLUDE_TABLES */\n\n");
+    /* round constants for key expansion */
+    fprintf(optfile, "#ifdef IS_LITTLE_ENDIAN\n");
+    fprintf(optfile, "static const PRUint32 Rcon[30] = {\n");
+    cur = 0x01;
+    for (i=0; i<30; i++) {
+	fprintf(optfile, "%#.8x%c%c", WORD_LE(cur, 0, 0, 0), 
+	                                (i==29)?' ':',', (i%6==5)?'\n':' ');
+	last = cur;
+	cur = gf_multiply(last, 0x02);
+    }
+    fprintf(optfile, "};\n");
+    fprintf(optfile, "#else\n");
+    fprintf(optfile, "static const PRUint32 Rcon[30] = {\n");
+    cur = 0x01;
+    for (i=0; i<30; i++) {
+	fprintf(optfile, "%#.8x%c%c", WORD_BE(cur, 0, 0, 0), 
+	                                (i==29)?' ':',', (i%6==5)?'\n':' ');
+	last = cur;
+	cur = gf_multiply(last, 0x02);
+    }
+    fprintf(optfile, "};\n");
+    fprintf(optfile, "#endif\n\n");
+    fclose(optfile);
+    return 0;
+}
diff --git a/security/nss/lib/freebl/rsa.c b/security/nss/lib/freebl/rsa.c
new file mode 100644
index 000000000..3151ebb87
--- /dev/null
+++ b/security/nss/lib/freebl/rsa.c
@@ -0,0 +1,927 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ */
+
+/*
+ * RSA key generation, public key op, private key op.
+ *
+ * $Id$
+ */
+
+#include "secerr.h"
+
+#include "prclist.h"
+#include "nssilock.h"
+#include "prinit.h"
+#include "blapi.h"
+#include "mpi.h"
+#include "mpprime.h"
+#include "mplogic.h"
+#include "secmpi.h"
+#include "secitem.h"
+
+/*
+** Number of times to attempt to generate a prime (p or q) from a random
+** seed (the seed changes for each iteration).
+*/
+#define MAX_PRIME_GEN_ATTEMPTS 10
+/*
+** Number of times to attempt to generate a key.  The primes p and q change
+** for each attempt.
+*/
+#define MAX_KEY_GEN_ATTEMPTS 10
+
+/*
+** RSABlindingParamsStr
+**
+** For discussion of Paul Kocher's timing attack against an RSA private key
+** operation, see http://www.cryptography.com/timingattack/paper.html.  The 
+** countermeasure to this attack, known as blinding, is also discussed in 
+** the Handbook of Applied Cryptography, 11.118-11.119.
+*/
+struct RSABlindingParamsStr
+{
+    /* Blinding-specific parameters */
+    PRCList   link;                  /* link to list of structs            */
+    SECItem   modulus;               /* list element "key"                 */
+    mp_int    f, g;                  /* Blinding parameters                */
+    int       counter;               /* number of remaining uses of (f, g) */
+};
+
+/*
+** RSABlindingParamsListStr
+**
+** List of key-specific blinding params.  The arena holds the volatile pool
+** of memory for each entry and the list itself.  The lock is for list
+** operations, in this case insertions and iterations, as well as control
+** of the counter for each set of blinding parameters.
+*/
+struct RSABlindingParamsListStr
+{
+    PZLock  *lock;   /* Lock for the list   */
+    PRCList  head;   /* Pointer to the list */
+};
+
+/*
+** The master blinding params list.
+*/
+static struct RSABlindingParamsListStr blindingParamsList = { 0 };
+
+/* Number of times to reuse (f, g).  Suggested by Paul Kocher */
+#define RSA_BLINDING_PARAMS_MAX_REUSE 50
+
+/* Global, allows optional use of blinding.  On by default. */
+/* Cannot be changed at the moment, due to thread-safety issues. */
+static PRBool nssRSAUseBlinding = PR_TRUE;
+
+static SECStatus
+rsa_keygen_from_primes(mp_int *p, mp_int *q, mp_int *e, RSAPrivateKey *key,
+                       unsigned int keySizeInBits)
+{
+    mp_int n, d, phi;
+    mp_int psub1, qsub1, tmp;
+    mp_err   err = MP_OKAY;
+    SECStatus rv = SECSuccess;
+    MP_DIGITS(&n)     = 0;
+    MP_DIGITS(&d)     = 0;
+    MP_DIGITS(&phi)   = 0;
+    MP_DIGITS(&psub1) = 0;
+    MP_DIGITS(&qsub1) = 0;
+    MP_DIGITS(&tmp)   = 0;
+    CHECK_MPI_OK( mp_init(&n)     );
+    CHECK_MPI_OK( mp_init(&d)     );
+    CHECK_MPI_OK( mp_init(&phi)   );
+    CHECK_MPI_OK( mp_init(&psub1) );
+    CHECK_MPI_OK( mp_init(&qsub1) );
+    CHECK_MPI_OK( mp_init(&tmp)   );
+    /* 1.  Compute n = p*q */
+    CHECK_MPI_OK( mp_mul(p, q, &n) );
+    /*     verify that the modulus has the desired number of bits */
+    if ((unsigned)mpl_significant_bits(&n) != keySizeInBits) {
+	PORT_SetError(SEC_ERROR_NEED_RANDOM);
+	rv = SECFailure;
+	goto cleanup;
+    }
+    /* 2.  Compute phi = (p-1)*(q-1) */
+    CHECK_MPI_OK( mp_sub_d(p, 1, &psub1) );
+    CHECK_MPI_OK( mp_sub_d(q, 1, &qsub1) );
+    CHECK_MPI_OK( mp_mul(&psub1, &qsub1, &phi) );
+    /* 3.  Compute d = e**-1 mod(phi) */
+    err = mp_invmod(e, &phi, &d);
+    /*     Verify that phi(n) and e have no common divisors */
+    if (err != MP_OKAY) {
+	if (err == MP_UNDEF) {
+	    PORT_SetError(SEC_ERROR_NEED_RANDOM);
+	    err = MP_OKAY; /* to keep PORT_SetError from being called again */
+	    rv = SECFailure;
+	}
+	goto cleanup;
+    }
+    MPINT_TO_SECITEM(&n, &key->modulus, key->arena);
+    MPINT_TO_SECITEM(&d, &key->privateExponent, key->arena);
+    /* 4.  Compute exponent1 = d mod (p-1) */
+    CHECK_MPI_OK( mp_mod(&d, &psub1, &tmp) );
+    MPINT_TO_SECITEM(&tmp, &key->exponent1, key->arena);
+    /* 5.  Compute exponent2 = d mod (q-1) */
+    CHECK_MPI_OK( mp_mod(&d, &qsub1, &tmp) );
+    MPINT_TO_SECITEM(&tmp, &key->exponent2, key->arena);
+    /* 6.  Compute coefficient = q**-1 mod p */
+    CHECK_MPI_OK( mp_invmod(q, p, &tmp) );
+    MPINT_TO_SECITEM(&tmp, &key->coefficient, key->arena);
+cleanup:
+    mp_clear(&n);
+    mp_clear(&d);
+    mp_clear(&phi);
+    mp_clear(&psub1);
+    mp_clear(&qsub1);
+    mp_clear(&tmp);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+static SECStatus
+generate_prime(mp_int *prime, int primeLen)
+{
+    mp_err   err = MP_OKAY;
+    SECStatus rv = SECSuccess;
+    unsigned long counter = 0;
+    int piter;
+    unsigned char *pb = NULL;
+    pb = PORT_Alloc(primeLen);
+    if (!pb) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto cleanup;
+    }
+    for (piter = 0; piter < MAX_PRIME_GEN_ATTEMPTS; piter++) {
+	CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(pb, primeLen) );
+	pb[0]          |= 0xC0; /* set two high-order bits */
+	pb[primeLen-1] |= 0x01; /* set low-order bit       */
+	CHECK_MPI_OK( mp_read_unsigned_octets(prime, pb, primeLen) );
+	err = mpp_make_prime(prime, primeLen * 8, PR_FALSE, &counter);
+	if (err != MP_NO)
+	    goto cleanup;
+	/* keep going while err == MP_NO */
+    }
+cleanup:
+    if (pb)
+	PORT_ZFree(pb, primeLen);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+/*
+** Generate and return a new RSA public and private key.
+**	Both keys are encoded in a single RSAPrivateKey structure.
+**	"cx" is the random number generator context
+**	"keySizeInBits" is the size of the key to be generated, in bits.
+**	   512, 1024, etc.
+**	"publicExponent" when not NULL is a pointer to some data that
+**	   represents the public exponent to use. The data is a byte
+**	   encoded integer, in "big endian" order.
+*/
+RSAPrivateKey *
+RSA_NewKey(int keySizeInBits, SECItem *publicExponent)
+{
+    unsigned int primeLen;
+    mp_int p, q, e;
+    int kiter;
+    mp_err   err = MP_OKAY;
+    SECStatus rv = SECSuccess;
+    int prerr = 0;
+    RSAPrivateKey *key = NULL;
+    PRArenaPool *arena = NULL;
+    /* Require key size to be a multiple of 16 bits. */
+    if (!publicExponent || keySizeInBits % 16 != 0) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    /* 1. Allocate arena & key */
+    arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
+    if (!arena) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+    key = (RSAPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(RSAPrivateKey));
+    if (!key) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_FreeArena(arena, PR_TRUE);
+	return NULL;
+    }
+    key->arena = arena;
+    /* length of primes p and q (in bytes) */
+    primeLen = keySizeInBits / (2 * BITS_PER_BYTE);
+    MP_DIGITS(&p) = 0;
+    MP_DIGITS(&q) = 0;
+    MP_DIGITS(&e) = 0;
+    CHECK_MPI_OK( mp_init(&p) );
+    CHECK_MPI_OK( mp_init(&q) );
+    CHECK_MPI_OK( mp_init(&e) );
+    /* 2.  Set the version number (PKCS1 v1.5 says it should be zero) */
+    SECITEM_AllocItem(arena, &key->version, 1);
+    key->version.data[0] = 0;
+    /* 3.  Set the public exponent */
+    SECITEM_CopyItem(arena, &key->publicExponent, publicExponent);
+    SECITEM_TO_MPINT(*publicExponent, &e);
+    kiter = 0;
+    do {
+	prerr = 0;
+	PORT_SetError(0);
+	CHECK_SEC_OK( generate_prime(&p, primeLen) );
+	CHECK_SEC_OK( generate_prime(&q, primeLen) );
+	/* Assure q < p */
+	if (mp_cmp(&p, &q) < 0)
+	    mp_exch(&p, &q);
+	/* Attempt to use these primes to generate a key */
+	rv = rsa_keygen_from_primes(&p, &q, &e, key, keySizeInBits);
+	if (rv == SECSuccess)
+	    break; /* generated two good primes */
+	prerr = PORT_GetError();
+	kiter++;
+	/* loop until have primes */
+    } while (prerr == SEC_ERROR_NEED_RANDOM && kiter < MAX_KEY_GEN_ATTEMPTS);
+    if (prerr)
+	goto cleanup;
+    MPINT_TO_SECITEM(&p, &key->prime1, arena);
+    MPINT_TO_SECITEM(&q, &key->prime2, arena);
+cleanup:
+    mp_clear(&p);
+    mp_clear(&q);
+    mp_clear(&e);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    if (rv && arena) {
+	PORT_FreeArena(arena, PR_TRUE);
+	key = NULL;
+    }
+    return key;
+}
+
+static unsigned int
+rsa_modulusLen(SECItem *modulus)
+{
+    unsigned char byteZero = modulus->data[0];
+    unsigned int modLen = modulus->len - !byteZero;
+    return modLen;
+}
+
+/*
+** Perform a raw public-key operation 
+**	Length of input and output buffers are equal to key's modulus len.
+*/
+SECStatus 
+RSA_PublicKeyOp(RSAPublicKey  *key, 
+                unsigned char *output, 
+                const unsigned char *input)
+{
+    unsigned int modLen;
+    mp_int n, e, m, c;
+    mp_err err   = MP_OKAY;
+    SECStatus rv = SECSuccess;
+    if (!key || !output || !input) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    MP_DIGITS(&n) = 0;
+    MP_DIGITS(&e) = 0;
+    MP_DIGITS(&m) = 0;
+    MP_DIGITS(&c) = 0;
+    CHECK_MPI_OK( mp_init(&n) );
+    CHECK_MPI_OK( mp_init(&e) );
+    CHECK_MPI_OK( mp_init(&m) );
+    CHECK_MPI_OK( mp_init(&c) );
+    modLen = rsa_modulusLen(&key->modulus);
+    /* 1.  Obtain public key (n, e) */
+    SECITEM_TO_MPINT(key->modulus, &n);
+    SECITEM_TO_MPINT(key->publicExponent, &e);
+    /* 2.  Represent message as integer in range [0..n-1] */
+    CHECK_MPI_OK( mp_read_unsigned_octets(&m, input, modLen) );
+    /* 3.  Compute c = m**e mod n */
+#ifdef USE_MPI_EXPT_D
+    /* XXX see which is faster */
+    if (MP_USED(&e) == 1) {
+	CHECK_MPI_OK( mp_exptmod_d(&m, MP_DIGIT(&e, 0), &n, &c) );
+    } else
+#endif
+    CHECK_MPI_OK( mp_exptmod(&m, &e, &n, &c) );
+    /* 4.  result c is ciphertext */
+    err = mp_to_fixlen_octets(&c, output, modLen);
+    if (err >= 0) err = MP_OKAY;
+cleanup:
+    mp_clear(&n);
+    mp_clear(&e);
+    mp_clear(&m);
+    mp_clear(&c);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+/*
+**  RSA Private key operation (no CRT).
+*/
+static SECStatus 
+rsa_PrivateKeyOpNoCRT(RSAPrivateKey *key, mp_int *m, mp_int *c, mp_int *n,
+                      unsigned int modLen)
+{
+    mp_int d;
+    mp_err   err = MP_OKAY;
+    SECStatus rv = SECSuccess;
+    MP_DIGITS(&d) = 0;
+    CHECK_MPI_OK( mp_init(&d) );
+    SECITEM_TO_MPINT(key->privateExponent, &d);
+    /* 1. m = c**d mod n */
+    CHECK_MPI_OK( mp_exptmod(c, &d, n, m) );
+cleanup:
+    mp_clear(&d);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+/*
+**  RSA Private key operation using CRT.
+*/
+static SECStatus 
+rsa_PrivateKeyOpCRTNoCheck(RSAPrivateKey *key, mp_int *m, mp_int *c)
+{
+    mp_int p, q, d_p, d_q, qInv;
+    mp_int m1, m2, h, ctmp;
+    mp_err   err = MP_OKAY;
+    SECStatus rv = SECSuccess;
+    MP_DIGITS(&p)    = 0;
+    MP_DIGITS(&q)    = 0;
+    MP_DIGITS(&d_p)  = 0;
+    MP_DIGITS(&d_q)  = 0;
+    MP_DIGITS(&qInv) = 0;
+    MP_DIGITS(&m1)   = 0;
+    MP_DIGITS(&m2)   = 0;
+    MP_DIGITS(&h)    = 0;
+    MP_DIGITS(&ctmp) = 0;
+    CHECK_MPI_OK( mp_init(&p)    );
+    CHECK_MPI_OK( mp_init(&q)    );
+    CHECK_MPI_OK( mp_init(&d_p)  );
+    CHECK_MPI_OK( mp_init(&d_q)  );
+    CHECK_MPI_OK( mp_init(&qInv) );
+    CHECK_MPI_OK( mp_init(&m1)   );
+    CHECK_MPI_OK( mp_init(&m2)   );
+    CHECK_MPI_OK( mp_init(&h)    );
+    CHECK_MPI_OK( mp_init(&ctmp) );
+    /* copy private key parameters into mp integers */
+    SECITEM_TO_MPINT(key->prime1,      &p);    /* p */
+    SECITEM_TO_MPINT(key->prime2,      &q);    /* q */
+    SECITEM_TO_MPINT(key->exponent1,   &d_p);  /* d_p  = d mod (p-1) */
+    SECITEM_TO_MPINT(key->exponent2,   &d_q);  /* d_q  = d mod (q-1) */
+    SECITEM_TO_MPINT(key->coefficient, &qInv); /* qInv = q**-1 mod p */
+    /* 1. m1 = c**d_p mod p */
+    CHECK_MPI_OK( mp_mod(c, &p, &ctmp) );
+    CHECK_MPI_OK( mp_exptmod(&ctmp, &d_p, &p, &m1) );
+    /* 2. m2 = c**d_q mod q */
+    CHECK_MPI_OK( mp_mod(c, &q, &ctmp) );
+    CHECK_MPI_OK( mp_exptmod(&ctmp, &d_q, &q, &m2) );
+    /* 3.  h = (m1 - m2) * qInv mod p */
+    CHECK_MPI_OK( mp_submod(&m1, &m2, &p, &h) );
+    CHECK_MPI_OK( mp_mulmod(&h, &qInv, &p, &h)  );
+    /* 4.  m = m2 + h * q */
+    CHECK_MPI_OK( mp_mul(&h, &q, m) );
+    CHECK_MPI_OK( mp_add(m, &m2, m) );
+cleanup:
+    mp_clear(&p);
+    mp_clear(&q);
+    mp_clear(&d_p);
+    mp_clear(&d_q);
+    mp_clear(&qInv);
+    mp_clear(&m1);
+    mp_clear(&m2);
+    mp_clear(&h);
+    mp_clear(&ctmp);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+/*
+** An attack against RSA CRT was described by Boneh, DeMillo, and Lipton in:
+** "On the Importance of Eliminating Errors in Cryptographic Computations",
+** http://theory.stanford.edu/~dabo/papers/faults.ps.gz
+**
+** As a defense against the attack, carry out the private key operation, 
+** followed up with a public key operation to invert the result.  
+** Verify that result against the input.
+*/
+static SECStatus 
+rsa_PrivateKeyOpCRTCheckedPubKey(RSAPrivateKey *key, mp_int *m, mp_int *c)
+{
+    mp_int n, e, v;
+    mp_err   err = MP_OKAY;
+    SECStatus rv = SECSuccess;
+    MP_DIGITS(&n) = 0;
+    MP_DIGITS(&e) = 0;
+    MP_DIGITS(&v) = 0;
+    CHECK_MPI_OK( mp_init(&n) );
+    CHECK_MPI_OK( mp_init(&e) );
+    CHECK_MPI_OK( mp_init(&v) );
+    CHECK_SEC_OK( rsa_PrivateKeyOpCRTNoCheck(key, m, c) );
+    SECITEM_TO_MPINT(key->modulus,        &n);
+    SECITEM_TO_MPINT(key->publicExponent, &e);
+    /* Perform a public key operation v = m ** e mod n */
+    CHECK_MPI_OK( mp_exptmod(m, &e, &n, &v) );
+    if (mp_cmp(&v, c) != 0) {
+	rv = SECFailure;
+    }
+cleanup:
+    mp_clear(&n);
+    mp_clear(&e);
+    mp_clear(&v);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+static PRCallOnceType coBPInit = { 0, 0, 0 };
+static PRStatus 
+init_blinding_params_list(void)
+{
+    blindingParamsList.lock = PZ_NewLock(nssILockOther);
+    if (!blindingParamsList.lock) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return PR_FAILURE;
+    }
+    PR_INIT_CLIST(&blindingParamsList.head);
+    return PR_SUCCESS;
+}
+
+static SECStatus
+generate_blinding_params(struct RSABlindingParamsStr *rsabp, 
+                         RSAPrivateKey *key, mp_int *n, unsigned int modLen)
+{
+    SECStatus rv = SECSuccess;
+    mp_int e, k;
+    mp_err err = MP_OKAY;
+    unsigned char *kb = NULL;
+    MP_DIGITS(&e) = 0;
+    MP_DIGITS(&k) = 0;
+    CHECK_MPI_OK( mp_init(&e) );
+    CHECK_MPI_OK( mp_init(&k) );
+    SECITEM_TO_MPINT(key->publicExponent, &e);
+    /* generate random k < n */
+    kb = PORT_Alloc(modLen);
+    if (!kb) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto cleanup;
+    }
+    CHECK_SEC_OK( RNG_GenerateGlobalRandomBytes(kb, modLen) );
+    CHECK_MPI_OK( mp_read_unsigned_octets(&k, kb, modLen) );
+    /* k < n */
+    CHECK_MPI_OK( mp_mod(&k, n, &k) );
+    /* f = k**e mod n */
+    CHECK_MPI_OK( mp_exptmod(&k, &e, n, &rsabp->f) );
+    /* g = k**-1 mod n */
+    CHECK_MPI_OK( mp_invmod(&k, n, &rsabp->g) );
+    /* Initialize the counter for this (f, g) */
+    rsabp->counter = RSA_BLINDING_PARAMS_MAX_REUSE;
+cleanup:
+    if (kb)
+	PORT_ZFree(kb, modLen);
+    mp_clear(&k);
+    mp_clear(&e);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+static SECStatus
+init_blinding_params(struct RSABlindingParamsStr *rsabp, RSAPrivateKey *key,
+                     mp_int *n, unsigned int modLen)
+{
+    SECStatus rv = SECSuccess;
+    mp_err err = MP_OKAY;
+    MP_DIGITS(&rsabp->f) = 0;
+    MP_DIGITS(&rsabp->g) = 0;
+    /* initialize blinding parameters */
+    CHECK_MPI_OK( mp_init(&rsabp->f) );
+    CHECK_MPI_OK( mp_init(&rsabp->g) );
+    /* List elements are keyed using the modulus */
+    SECITEM_CopyItem(NULL, &rsabp->modulus, &key->modulus);
+    CHECK_SEC_OK( generate_blinding_params(rsabp, key, n, modLen) );
+    return SECSuccess;
+cleanup:
+    mp_clear(&rsabp->f);
+    mp_clear(&rsabp->g);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+static SECStatus
+get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen,
+                    mp_int *f, mp_int *g)
+{
+    SECStatus rv = SECSuccess;
+    mp_err err = MP_OKAY;
+    int cmp;
+    PRCList *el;
+    struct RSABlindingParamsStr *rsabp = NULL;
+    /* Init the list if neccessary (the init function is only called once!) */
+    if (blindingParamsList.lock == NULL) {
+	if (PR_CallOnce(&coBPInit, init_blinding_params_list) != PR_SUCCESS) {
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    return SECFailure;
+	}
+    }
+    /* Acquire the list lock */
+    PZ_Lock(blindingParamsList.lock);
+    /* Walk the list looking for the private key */
+    for (el = PR_NEXT_LINK(&blindingParamsList.head);
+         el != &blindingParamsList.head;
+         el = PR_NEXT_LINK(el)) {
+	rsabp = (struct RSABlindingParamsStr *)el;
+	cmp = SECITEM_CompareItem(&rsabp->modulus, &key->modulus);
+	if (cmp == 0) {
+	    /* Check the usage counter for the parameters */
+	    if (--rsabp->counter <= 0) {
+		/* Regenerate the blinding parameters */
+		CHECK_SEC_OK( generate_blinding_params(rsabp, key, n, modLen) );
+	    }
+	    /* Return the parameters */
+	    CHECK_MPI_OK( mp_copy(&rsabp->f, f) );
+	    CHECK_MPI_OK( mp_copy(&rsabp->g, g) );
+	    /* Now that the params are located, release the list lock. */
+	    PZ_Unlock(blindingParamsList.lock); /* XXX when fails? */
+	    return SECSuccess;
+	} else if (cmp > 0) {
+	    /* The key is not in the list.  Break to param creation. */
+	    break;
+	}
+    }
+    /* At this point, the key is not in the list.  el should point to the
+    ** list element that this key should be inserted before.  NOTE: the list
+    ** lock is still held, so there cannot be a race condition here.
+    */
+    rsabp = (struct RSABlindingParamsStr *)
+              PORT_ZAlloc(sizeof(struct RSABlindingParamsStr));
+    if (!rsabp) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto cleanup;
+    }
+    /* Initialize the list pointer for the element */
+    PR_INIT_CLIST(&rsabp->link);
+    /* Initialize the blinding parameters 
+    ** This ties up the list lock while doing some heavy, element-specific
+    ** operations, but we don't want to insert the element until it is valid,
+    ** which requires computing the blinding params.  If this proves costly,
+    ** it could be done after the list lock is released, and then if it fails
+    ** the lock would have to be reobtained and the invalid element removed.
+    */
+    rv = init_blinding_params(rsabp, key, n, modLen);
+    if (rv != SECSuccess) {
+	PORT_ZFree(rsabp, sizeof(struct RSABlindingParamsStr));
+	goto cleanup;
+    }
+    /* Insert the new element into the list
+    ** If inserting in the middle of the list, el points to the link
+    ** to insert before.  Otherwise, the link needs to be appended to
+    ** the end of the list, which is the same as inserting before the
+    ** head (since el would have looped back to the head).
+    */
+    PR_INSERT_BEFORE(&rsabp->link, el);
+    /* Return the parameters */
+    CHECK_MPI_OK( mp_copy(&rsabp->f, f) );
+    CHECK_MPI_OK( mp_copy(&rsabp->g, g) );
+    /* Release the list lock */
+    PZ_Unlock(blindingParamsList.lock); /* XXX when fails? */
+    return SECSuccess;
+cleanup:
+    /* It is possible to reach this after the lock is already released.
+    ** Ignore the error in that case.
+    */
+    PZ_Unlock(blindingParamsList.lock);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return SECFailure;
+}
+
+/*
+** Perform a raw private-key operation 
+**	Length of input and output buffers are equal to key's modulus len.
+*/
+static SECStatus 
+rsa_PrivateKeyOp(RSAPrivateKey *key, 
+                 unsigned char *output, 
+                 const unsigned char *input,
+                 PRBool check)
+{
+    unsigned int modLen;
+    unsigned int offset;
+    SECStatus rv = SECSuccess;
+    mp_err err;
+    mp_int n, c, m;
+    mp_int f, g;
+    if (!key || !output || !input) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    /* check input out of range (needs to be in range [0..n-1]) */
+    modLen = rsa_modulusLen(&key->modulus);
+    offset = (key->modulus.data[0] == 0) ? 1 : 0; /* may be leading 0 */
+    if (memcmp(input, key->modulus.data + offset, modLen) >= 0) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    MP_DIGITS(&n) = 0;
+    MP_DIGITS(&c) = 0;
+    MP_DIGITS(&m) = 0;
+    MP_DIGITS(&f) = 0;
+    MP_DIGITS(&g) = 0;
+    CHECK_MPI_OK( mp_init(&n) );
+    CHECK_MPI_OK( mp_init(&c) );
+    CHECK_MPI_OK( mp_init(&m) );
+    CHECK_MPI_OK( mp_init(&f) );
+    CHECK_MPI_OK( mp_init(&g) );
+    SECITEM_TO_MPINT(key->modulus, &n);
+    OCTETS_TO_MPINT(input, &c, modLen);
+    /* If blinding, compute pre-image of ciphertext by multiplying by
+    ** blinding factor
+    */
+    if (nssRSAUseBlinding) {
+	CHECK_SEC_OK( get_blinding_params(key, &n, modLen, &f, &g) );
+	/* c' = c*f mod n */
+	CHECK_MPI_OK( mp_mulmod(&c, &f, &n, &c) );
+    }
+    /* Do the private key operation m = c**d mod n */
+    if ( key->prime1.len      == 0 ||
+         key->prime2.len      == 0 ||
+         key->exponent1.len   == 0 ||
+         key->exponent2.len   == 0 ||
+         key->coefficient.len == 0) {
+	CHECK_SEC_OK( rsa_PrivateKeyOpNoCRT(key, &m, &c, &n, modLen) );
+    } else if (check) {
+	CHECK_SEC_OK( rsa_PrivateKeyOpCRTCheckedPubKey(key, &m, &c) );
+    } else {
+	CHECK_SEC_OK( rsa_PrivateKeyOpCRTNoCheck(key, &m, &c) );
+    }
+    /* If blinding, compute post-image of plaintext by multiplying by
+    ** blinding factor
+    */
+    if (nssRSAUseBlinding) {
+	/* m = m'*g mod n */
+	CHECK_MPI_OK( mp_mulmod(&m, &g, &n, &m) );
+    }
+    err = mp_to_fixlen_octets(&m, output, modLen);
+    if (err >= 0) err = MP_OKAY;
+cleanup:
+    mp_clear(&n);
+    mp_clear(&c);
+    mp_clear(&m);
+    mp_clear(&f);
+    mp_clear(&g);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+SECStatus 
+RSA_PrivateKeyOp(RSAPrivateKey *key, 
+                 unsigned char *output, 
+                 const unsigned char *input)
+{
+    return rsa_PrivateKeyOp(key, output, input, PR_FALSE);
+}
+
+SECStatus 
+RSA_PrivateKeyOpDoubleChecked(RSAPrivateKey *key, 
+                              unsigned char *output, 
+                              const unsigned char *input)
+{
+    return rsa_PrivateKeyOp(key, output, input, PR_TRUE);
+}
+
+static SECStatus
+swap_in_key_value(PRArenaPool *arena, mp_int *mpval, SECItem *buffer)
+{
+    int len;
+    mp_err err = MP_OKAY;
+    memset(buffer->data, 0, buffer->len);
+    len = mp_unsigned_octet_size(mpval);
+    if (len <= 0) return SECFailure;
+    if ((unsigned int)len <= buffer->len) {
+	/* The new value is no longer than the old buffer, so use it */
+	err = mp_to_unsigned_octets(mpval, buffer->data, len);
+	buffer->len = len;
+    } else if (arena) {
+	/* The new value is longer, but working within an arena */
+	(void)SECITEM_AllocItem(arena, buffer, len);
+	err = mp_to_unsigned_octets(mpval, buffer->data, len);
+    } else {
+	/* The new value is longer, no arena, can't handle this key */
+	return SECFailure;
+    }
+    return (err == MP_OKAY) ? SECSuccess : SECFailure;
+}
+
+SECStatus
+RSA_PrivateKeyCheck(RSAPrivateKey *key)
+{
+    mp_int p, q, n, psub1, qsub1, e, d, d_p, d_q, qInv, res;
+    mp_err   err = MP_OKAY;
+    SECStatus rv = SECSuccess;
+    MP_DIGITS(&n)    = 0;
+    MP_DIGITS(&psub1)= 0;
+    MP_DIGITS(&qsub1)= 0;
+    MP_DIGITS(&e)    = 0;
+    MP_DIGITS(&d)    = 0;
+    MP_DIGITS(&d_p)  = 0;
+    MP_DIGITS(&d_q)  = 0;
+    MP_DIGITS(&qInv) = 0;
+    MP_DIGITS(&res)  = 0;
+    CHECK_MPI_OK( mp_init(&n)    );
+    CHECK_MPI_OK( mp_init(&p)    );
+    CHECK_MPI_OK( mp_init(&q)    );
+    CHECK_MPI_OK( mp_init(&psub1));
+    CHECK_MPI_OK( mp_init(&qsub1));
+    CHECK_MPI_OK( mp_init(&e)    );
+    CHECK_MPI_OK( mp_init(&d)    );
+    CHECK_MPI_OK( mp_init(&d_p)  );
+    CHECK_MPI_OK( mp_init(&d_q)  );
+    CHECK_MPI_OK( mp_init(&qInv) );
+    CHECK_MPI_OK( mp_init(&res)  );
+    SECITEM_TO_MPINT(key->modulus,         &n);
+    SECITEM_TO_MPINT(key->prime1,          &p);
+    SECITEM_TO_MPINT(key->prime2,          &q);
+    SECITEM_TO_MPINT(key->publicExponent,  &e);
+    SECITEM_TO_MPINT(key->privateExponent, &d);
+    SECITEM_TO_MPINT(key->exponent1,       &d_p);
+    SECITEM_TO_MPINT(key->exponent2,       &d_q);
+    SECITEM_TO_MPINT(key->coefficient,     &qInv);
+    /* p > q  */
+    if (mp_cmp(&p, &q) <= 0) {
+	/* mind the p's and q's (and d_p's and d_q's) */
+	SECItem tmp;
+	mp_exch(&p, &q);
+	tmp = key->prime1;
+	key->prime1 = key->prime2;
+	key->prime2 = tmp;
+	tmp = key->exponent1;
+	key->exponent1 = key->exponent2;
+	key->exponent2 = tmp;
+    }
+#define VERIFY_MPI_EQUAL(m1, m2) \
+    if (mp_cmp(m1, m2) != 0) {   \
+	rv = SECFailure;         \
+	goto cleanup;            \
+    }
+#define VERIFY_MPI_EQUAL_1(m)    \
+    if (mp_cmp_d(m, 1) != 0) {   \
+	rv = SECFailure;         \
+	goto cleanup;            \
+    }
+    /*
+     * The following errors cannot be recovered from.
+     */
+    /* n == p * q */
+    CHECK_MPI_OK( mp_mul(&p, &q, &res) );
+    VERIFY_MPI_EQUAL(&res, &n);
+    /* gcd(e, p-1) == 1 */
+    CHECK_MPI_OK( mp_sub_d(&p, 1, &psub1) );
+    CHECK_MPI_OK( mp_gcd(&e, &psub1, &res) );
+    VERIFY_MPI_EQUAL_1(&res);
+    /* gcd(e, q-1) == 1 */
+    CHECK_MPI_OK( mp_sub_d(&q, 1, &qsub1) );
+    CHECK_MPI_OK( mp_gcd(&e, &qsub1, &res) );
+    VERIFY_MPI_EQUAL_1(&res);
+    /* d*e == 1 mod p-1 */
+    CHECK_MPI_OK( mp_mulmod(&d, &e, &psub1, &res) );
+    VERIFY_MPI_EQUAL_1(&res);
+    /* d*e == 1 mod q-1 */
+    CHECK_MPI_OK( mp_mulmod(&d, &e, &qsub1, &res) );
+    VERIFY_MPI_EQUAL_1(&res);
+    /*
+     * The following errors can be recovered from.
+     */
+    /* d_p == d mod p-1 */
+    CHECK_MPI_OK( mp_mod(&d, &psub1, &res) );
+    if (mp_cmp(&d_p, &res) != 0) {
+	/* swap in the correct value */
+	CHECK_SEC_OK( swap_in_key_value(key->arena, &res, &key->exponent1) );
+    }
+    /* d_q == d mod q-1 */
+    CHECK_MPI_OK( mp_mod(&d, &qsub1, &res) );
+    if (mp_cmp(&d_q, &res) != 0) {
+	/* swap in the correct value */
+	CHECK_SEC_OK( swap_in_key_value(key->arena, &res, &key->exponent2) );
+    }
+    /* q * q**-1 == 1 mod p */
+    CHECK_MPI_OK( mp_mulmod(&q, &qInv, &p, &res) );
+    if (mp_cmp_d(&res, 1) != 0) {
+	/* compute the correct value */
+	CHECK_MPI_OK( mp_invmod(&q, &p, &qInv) );
+	CHECK_SEC_OK( swap_in_key_value(key->arena, &qInv, &key->coefficient) );
+    }
+cleanup:
+    mp_clear(&n);
+    mp_clear(&p);
+    mp_clear(&q);
+    mp_clear(&psub1);
+    mp_clear(&qsub1);
+    mp_clear(&e);
+    mp_clear(&d);
+    mp_clear(&d_p);
+    mp_clear(&d_q);
+    mp_clear(&qInv);
+    mp_clear(&res);
+    if (err) {
+	MP_TO_SEC_ERROR(err);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+/* cleanup at shutdown */
+void RSA_Cleanup(void)
+{
+    if (!coBPInit.initialized)
+	return;
+
+    while (!PR_CLIST_IS_EMPTY(&blindingParamsList.head))
+    {
+	struct RSABlindingParamsStr * rsabp = (struct RSABlindingParamsStr *)
+	    PR_LIST_HEAD(&blindingParamsList.head);
+	PR_REMOVE_LINK(&rsabp->link);
+	mp_clear(&rsabp->f);
+	mp_clear(&rsabp->g);
+	SECITEM_FreeItem(&rsabp->modulus,PR_FALSE);
+	PORT_Free(rsabp);
+    }
+
+    if (blindingParamsList.lock)
+    {
+	PZ_DestroyLock(blindingParamsList.lock);
+	blindingParamsList.lock = NULL;
+    }
+
+    coBPInit.initialized = 0;
+    coBPInit.inProgress = 0;
+    coBPInit.status = 0;
+}
+
+/*
+ * need a central place for this function to free up all the memory that
+ * free_bl may have allocated along the way. Currently only RSA does this,
+ * so I've put it here for now.
+ */
+void BL_Cleanup(void)
+{
+    RSA_Cleanup();
+}
diff --git a/security/nss/lib/freebl/secmpi.h b/security/nss/lib/freebl/secmpi.h
new file mode 100644
index 000000000..cddcbb03d
--- /dev/null
+++ b/security/nss/lib/freebl/secmpi.h
@@ -0,0 +1,57 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.	Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.	If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "mpi.h"
+
+#define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup
+
+#define CHECK_MPI_OK(func) if (MP_OKAY > (err = func)) goto cleanup
+
+#define OCTETS_TO_MPINT(oc, mp, len) \
+    CHECK_MPI_OK(mp_read_unsigned_octets((mp), oc, len))
+
+#define SECITEM_TO_MPINT(it, mp) \
+    CHECK_MPI_OK(mp_read_unsigned_octets((mp), (it).data, (it).len))
+
+#define MPINT_TO_SECITEM(mp, it, arena)                         \
+    SECITEM_AllocItem(arena, (it), mp_unsigned_octet_size(mp)); \
+    err = mp_to_unsigned_octets(mp, (it)->data, (it)->len);     \
+    if (err < 0) goto cleanup; else err = MP_OKAY;
+
+#define MP_TO_SEC_ERROR(err)                                          \
+    switch (err) {                                                    \
+    case MP_MEM:    PORT_SetError(SEC_ERROR_NO_MEMORY);       break;  \
+    case MP_RANGE:  PORT_SetError(SEC_ERROR_BAD_DATA);        break;  \
+    case MP_BADARG: PORT_SetError(SEC_ERROR_INVALID_ARGS);    break;  \
+    default:        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); break;  \
+    }
diff --git a/security/nss/lib/freebl/secrng.h b/security/nss/lib/freebl/secrng.h
new file mode 100644
index 000000000..cddc7b000
--- /dev/null
+++ b/security/nss/lib/freebl/secrng.h
@@ -0,0 +1,82 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _SECRNG_H_
+#define _SECRNG_H_
+/*
+ * secrng.h - public data structures and prototypes for the secure random
+ *	      number generator
+ *
+ * $Id$
+ */
+
+/******************************************/
+/*
+** Random number generation. A cryptographically strong random number
+** generator.
+*/
+
+#include "blapi.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+** The following 3 functions are provided by the security library
+** but are differently implemented for the UNIX, Mac and Win
+** versions
+*/
+
+/*
+** Get the "noisiest" information available on the system.
+** The amount of data returned depends on the system implementation.
+** It will not exceed maxbytes, but may be (much) less.
+** Returns number of noise bytes copied into buf, or zero if error.
+*/
+extern size_t RNG_GetNoise(void *buf, size_t maxbytes);
+
+/*
+** RNG_SystemInfoForRNG should be called before any use of SSL. It
+** gathers up the system specific information to help seed the
+** state of the global random number generator.
+*/
+extern void RNG_SystemInfoForRNG(void);
+
+/* 
+** Use the contents (and stat) of a file to help seed the
+** global random number generator.
+*/
+extern void RNG_FileForRNG(const char *filename);
+
+SEC_END_PROTOS
+
+#endif /* _SECUTIL_H_ */
diff --git a/security/nss/lib/freebl/sha.c b/security/nss/lib/freebl/sha.c
new file mode 100644
index 000000000..c8480c72c
--- /dev/null
+++ b/security/nss/lib/freebl/sha.c
@@ -0,0 +1,160 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is SHA 180-1 Reference Implementation (Compact version)
+ * 
+ * The Initial Developer of the Original Code is Paul Kocher of
+ * Cryptography Research.  Portions created by Paul Kocher are 
+ * Copyright (C) 1995-9 by Cryptography Research, Inc.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ *
+ *     Paul Kocher
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "sha.h"
+
+static void shaHashBlock(SHA_CTX *ctx);
+
+void shaInit(SHA_CTX *ctx) {
+  int i;
+
+  ctx->lenW = 0;
+  ctx->sizeHi = ctx->sizeLo = 0;
+
+  /* Initialize H with the magic constants (see FIPS180 for constants)
+   */
+  ctx->H[0] = 0x67452301L;
+  ctx->H[1] = 0xefcdab89L;
+  ctx->H[2] = 0x98badcfeL;
+  ctx->H[3] = 0x10325476L;
+  ctx->H[4] = 0xc3d2e1f0L;
+
+  for (i = 0; i < 80; i++)
+    ctx->W[i] = 0;
+}
+
+
+void shaUpdate(SHA_CTX *ctx, unsigned char *dataIn, int len) {
+  int i;
+
+  /* Read the data into W and process blocks as they get full
+   */
+  for (i = 0; i < len; i++) {
+    ctx->W[ctx->lenW / 4] <<= 8;
+    ctx->W[ctx->lenW / 4] |= (unsigned long)dataIn[i];
+    if ((++ctx->lenW) % 64 == 0) {
+      shaHashBlock(ctx);
+      ctx->lenW = 0;
+    }
+    ctx->sizeLo += 8;
+    ctx->sizeHi += (ctx->sizeLo < 8);
+  }
+}
+
+
+void shaFinal(SHA_CTX *ctx, unsigned char hashout[20]) {
+  unsigned char pad0x80 = 0x80;
+  unsigned char pad0x00 = 0x00;
+  unsigned char padlen[8];
+  int i;
+
+  /* Pad with a binary 1 (e.g. 0x80), then zeroes, then length
+   */
+  padlen[0] = (unsigned char)((ctx->sizeHi >> 24) & 255);
+  padlen[1] = (unsigned char)((ctx->sizeHi >> 16) & 255);
+  padlen[2] = (unsigned char)((ctx->sizeHi >> 8) & 255);
+  padlen[3] = (unsigned char)((ctx->sizeHi >> 0) & 255);
+  padlen[4] = (unsigned char)((ctx->sizeLo >> 24) & 255);
+  padlen[5] = (unsigned char)((ctx->sizeLo >> 16) & 255);
+  padlen[6] = (unsigned char)((ctx->sizeLo >> 8) & 255);
+  padlen[7] = (unsigned char)((ctx->sizeLo >> 0) & 255);
+  shaUpdate(ctx, &pad0x80, 1);
+  while (ctx->lenW != 56)
+    shaUpdate(ctx, &pad0x00, 1);
+  shaUpdate(ctx, padlen, 8);
+
+  /* Output hash
+   */
+  for (i = 0; i < 20; i++) {
+    hashout[i] = (unsigned char)(ctx->H[i / 4] >> 24);
+    ctx->H[i / 4] <<= 8;
+  }
+
+  /*
+   *  Re-initialize the context (also zeroizes contents)
+   */
+  shaInit(ctx);
+}
+
+
+void shaBlock(unsigned char *dataIn, int len, unsigned char hashout[20]) {
+  SHA_CTX ctx;
+
+  shaInit(&ctx);
+  shaUpdate(&ctx, dataIn, len);
+  shaFinal(&ctx, hashout);
+}
+
+
+#define SHA_ROTL(X,n) (((X) << (n)) | ((X) >> (32-(n))))
+
+static void shaHashBlock(SHA_CTX *ctx) {
+  int t;
+  unsigned long A,B,C,D,E,TEMP;
+
+  for (t = 16; t <= 79; t++)
+    ctx->W[t] =
+      SHA_ROTL(ctx->W[t-3] ^ ctx->W[t-8] ^ ctx->W[t-14] ^ ctx->W[t-16], 1);
+
+  A = ctx->H[0];
+  B = ctx->H[1];
+  C = ctx->H[2];
+  D = ctx->H[3];
+  E = ctx->H[4];
+
+  for (t = 0; t <= 19; t++) {
+    TEMP = SHA_ROTL(A,5) + (((C^D)&B)^D)     + E + ctx->W[t] + 0x5a827999L;
+    E = D; D = C; C = SHA_ROTL(B, 30); B = A; A = TEMP;
+  }
+  for (t = 20; t <= 39; t++) {
+    TEMP = SHA_ROTL(A,5) + (B^C^D)           + E + ctx->W[t] + 0x6ed9eba1L;
+    E = D; D = C; C = SHA_ROTL(B, 30); B = A; A = TEMP;
+  }
+  for (t = 40; t <= 59; t++) {
+    TEMP = SHA_ROTL(A,5) + ((B&C)|(D&(B|C))) + E + ctx->W[t] + 0x8f1bbcdcL;
+    E = D; D = C; C = SHA_ROTL(B, 30); B = A; A = TEMP;
+  }
+  for (t = 60; t <= 79; t++) {
+    TEMP = SHA_ROTL(A,5) + (B^C^D)           + E + ctx->W[t] + 0xca62c1d6L;
+    E = D; D = C; C = SHA_ROTL(B, 30); B = A; A = TEMP;
+  }
+
+  ctx->H[0] += A;
+  ctx->H[1] += B;
+  ctx->H[2] += C;
+  ctx->H[3] += D;
+  ctx->H[4] += E;
+}
+
diff --git a/security/nss/lib/freebl/sha.h b/security/nss/lib/freebl/sha.h
new file mode 100644
index 000000000..0522a00b2
--- /dev/null
+++ b/security/nss/lib/freebl/sha.h
@@ -0,0 +1,48 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is SHA 180-1 Header File
+ * 
+ * The Initial Developer of the Original Code is Paul Kocher of
+ * Cryptography Research.  Portions created by Paul Kocher are 
+ * Copyright (C) 1995-9 by Cryptography Research, Inc.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ *
+ *     Paul Kocher
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+typedef struct {
+  unsigned long H[5];
+  unsigned long W[80];
+  int lenW;
+  unsigned long sizeHi,sizeLo;
+} SHA_CTX;
+
+
+void shaInit(SHA_CTX *ctx);
+void shaUpdate(SHA_CTX *ctx, unsigned char *dataIn, int len);
+void shaFinal(SHA_CTX *ctx, unsigned char hashout[20]);
+void shaBlock(unsigned char *dataIn, int len, unsigned char hashout[20]);
+
diff --git a/security/nss/lib/freebl/sha_fast.c b/security/nss/lib/freebl/sha_fast.c
new file mode 100644
index 000000000..655f5c3e6
--- /dev/null
+++ b/security/nss/lib/freebl/sha_fast.c
@@ -0,0 +1,421 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is SHA 180-1 Reference Implementation (Optimized)
+ * 
+ * The Initial Developer of the Original Code is Paul Kocher of
+ * Cryptography Research.  Portions created by Paul Kocher are 
+ * Copyright (C) 1995-9 by Cryptography Research, Inc.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ *
+ *     Paul Kocher
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#include <memory.h>
+#include "blapi.h"
+#include "sha_fast.h"
+#include "prerror.h"
+
+#ifdef TRACING_SSL
+#include "ssl.h"
+#include "ssltrace.h"
+#endif
+
+static void shaCompress(SHA1Context *ctx);
+
+#define W u.w
+#define B u.b
+
+#define SHA_ROTL(X,n) (((X) << (n)) | ((X) >> (32-(n))))
+#define SHA_F1(X,Y,Z) ((((Y)^(Z))&(X))^(Z))
+#define SHA_F2(X,Y,Z) ((X)^(Y)^(Z))
+#define SHA_F3(X,Y,Z) (((X)&(Y))|((Z)&((X)|(Y))))
+#define SHA_F4(X,Y,Z) ((X)^(Y)^(Z))
+#define SHA_MIX(t)    ctx->W[t] = \
+  (A = ctx->W[t-3] ^ ctx->W[t-8] ^ ctx->W[t-14] ^ ctx->W[t-16], SHA_ROTL(A, 1))
+
+
+/*
+ *  SHA: Zeroize and initialize context
+ */
+void 
+SHA1_Begin(SHA1Context *ctx)
+{
+  memset(ctx, 0, sizeof(SHA1Context));
+
+  /*
+   *  Initialize H with constants from FIPS180-1.
+   */
+  ctx->H[0] = 0x67452301L;
+  ctx->H[1] = 0xefcdab89L;
+  ctx->H[2] = 0x98badcfeL;
+  ctx->H[3] = 0x10325476L;
+  ctx->H[4] = 0xc3d2e1f0L;
+
+}
+
+
+/*
+ *  SHA: Add data to context.
+ */
+void 
+SHA1_Update(SHA1Context *ctx, const unsigned char *dataIn, unsigned int len) 
+{
+  register unsigned int lenB = ctx->sizeLo & 63;
+  register unsigned int togo;
+
+  if (!len)
+    return;
+
+  /* accumulate the byte count. */
+  ctx->sizeLo += len;
+  ctx->sizeHi += (ctx->sizeLo < len);
+
+  /*
+   *  Read the data into W and process blocks as they get full
+   */
+  if (lenB > 0) {
+    togo = 64 - lenB;
+    if (len < togo)
+      togo = len;
+    memcpy(ctx->B + lenB, dataIn, togo);
+    len    -= togo;
+    dataIn += togo;
+    lenB    = (lenB + togo) & 63;
+    if (!lenB) {
+      shaCompress(ctx);
+    }
+  }
+  while (len >= 64) {
+    memcpy(ctx->B, dataIn, 64);
+    dataIn += 64;
+    len    -= 64;
+    shaCompress(ctx);
+  }
+  if (len) {
+    memcpy(ctx->B, dataIn, len);
+  }
+}
+
+
+/*
+ *  SHA: Generate hash value from context
+ */
+void 
+SHA1_End(SHA1Context *ctx, unsigned char *hashout,
+         unsigned int *pDigestLen, unsigned int maxDigestLen)
+{
+  register PRUint32 sizeHi, sizeLo, lenB;
+  static const unsigned char bulk_pad[64] = { 0x80,0,0,0,0,0,0,0,0,0,
+          0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
+          0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0  };
+#define A lenB
+
+  PORT_Assert (maxDigestLen >= SHA1_LENGTH);
+
+  /*
+   *  Pad with a binary 1 (e.g. 0x80), then zeroes, then length in bits
+   */
+  sizeHi = ctx->sizeHi;
+  sizeLo = ctx->sizeLo;
+  lenB = sizeLo & 63;
+  SHA1_Update(ctx, bulk_pad, (((55+64) - lenB) & 63) + 1);
+  PORT_Assert((ctx->sizeLo & 63) == 56);
+
+  /* Convert size{Hi,Lo} from bytes to bits. */
+  sizeHi = (sizeHi << 3) | (sizeLo >> 29);
+  sizeLo <<= 3;
+
+  ctx->W[14] = SHA_HTONL(sizeHi);
+  ctx->W[15] = SHA_HTONL(sizeLo);
+  shaCompress(ctx);
+
+  /*
+   *  Output hash
+   */
+#if defined(IS_LITTLE_ENDIAN)
+  SHA_BYTESWAP(ctx->H[0]);
+  SHA_BYTESWAP(ctx->H[1]);
+  SHA_BYTESWAP(ctx->H[2]);
+  SHA_BYTESWAP(ctx->H[3]);
+  SHA_BYTESWAP(ctx->H[4]);
+#endif
+  memcpy(hashout, ctx->H, SHA1_LENGTH);
+  *pDigestLen = SHA1_LENGTH;
+
+  /*
+   *  Re-initialize the context (also zeroizes contents)
+   */
+  SHA1_Begin(ctx);
+}
+
+#undef A
+#undef B
+/*
+ *  SHA: Compression function, unrolled.
+ */
+static void 
+shaCompress(SHA1Context *ctx) 
+{
+  register PRUint32 A, B, C, D, E;
+
+#if defined(IS_LITTLE_ENDIAN)
+  SHA_BYTESWAP(ctx->W[0]);
+  SHA_BYTESWAP(ctx->W[1]);
+  SHA_BYTESWAP(ctx->W[2]);
+  SHA_BYTESWAP(ctx->W[3]);
+  SHA_BYTESWAP(ctx->W[4]);
+  SHA_BYTESWAP(ctx->W[5]);
+  SHA_BYTESWAP(ctx->W[6]);
+  SHA_BYTESWAP(ctx->W[7]);
+  SHA_BYTESWAP(ctx->W[8]);
+  SHA_BYTESWAP(ctx->W[9]);
+  SHA_BYTESWAP(ctx->W[10]);
+  SHA_BYTESWAP(ctx->W[11]);
+  SHA_BYTESWAP(ctx->W[12]);
+  SHA_BYTESWAP(ctx->W[13]);
+  SHA_BYTESWAP(ctx->W[14]);
+  SHA_BYTESWAP(ctx->W[15]);
+#endif
+
+  /*
+   *  This can be moved into the main code block below, but doing
+   *  so can cause some compilers to run out of registers and resort
+   *  to storing intermediates in RAM.
+   */
+
+               SHA_MIX(16); SHA_MIX(17); SHA_MIX(18); SHA_MIX(19);
+  SHA_MIX(20); SHA_MIX(21); SHA_MIX(22); SHA_MIX(23); SHA_MIX(24);
+  SHA_MIX(25); SHA_MIX(26); SHA_MIX(27); SHA_MIX(28); SHA_MIX(29);
+  SHA_MIX(30); SHA_MIX(31); SHA_MIX(32); SHA_MIX(33); SHA_MIX(34);
+  SHA_MIX(35); SHA_MIX(36); SHA_MIX(37); SHA_MIX(38); SHA_MIX(39);
+  SHA_MIX(40); SHA_MIX(41); SHA_MIX(42); SHA_MIX(43); SHA_MIX(44);
+  SHA_MIX(45); SHA_MIX(46); SHA_MIX(47); SHA_MIX(48); SHA_MIX(49);
+  SHA_MIX(50); SHA_MIX(51); SHA_MIX(52); SHA_MIX(53); SHA_MIX(54);
+  SHA_MIX(55); SHA_MIX(56); SHA_MIX(57); SHA_MIX(58); SHA_MIX(59);
+  SHA_MIX(60); SHA_MIX(61); SHA_MIX(62); SHA_MIX(63); SHA_MIX(64);
+  SHA_MIX(65); SHA_MIX(66); SHA_MIX(67); SHA_MIX(68); SHA_MIX(69);
+  SHA_MIX(70); SHA_MIX(71); SHA_MIX(72); SHA_MIX(73); SHA_MIX(74);
+  SHA_MIX(75); SHA_MIX(76); SHA_MIX(77); SHA_MIX(78); SHA_MIX(79);
+
+  A = ctx->H[0];
+  B = ctx->H[1];
+  C = ctx->H[2];
+  D = ctx->H[3];
+  E = ctx->H[4];
+
+  E = SHA_ROTL(A,5)+SHA_F1(B,C,D)+E+ctx->W[ 0]+0x5a827999L; B=SHA_ROTL(B,30); 
+  D = SHA_ROTL(E,5)+SHA_F1(A,B,C)+D+ctx->W[ 1]+0x5a827999L; A=SHA_ROTL(A,30); 
+  C = SHA_ROTL(D,5)+SHA_F1(E,A,B)+C+ctx->W[ 2]+0x5a827999L; E=SHA_ROTL(E,30); 
+  B = SHA_ROTL(C,5)+SHA_F1(D,E,A)+B+ctx->W[ 3]+0x5a827999L; D=SHA_ROTL(D,30); 
+  A = SHA_ROTL(B,5)+SHA_F1(C,D,E)+A+ctx->W[ 4]+0x5a827999L; C=SHA_ROTL(C,30); 
+  E = SHA_ROTL(A,5)+SHA_F1(B,C,D)+E+ctx->W[ 5]+0x5a827999L; B=SHA_ROTL(B,30); 
+  D = SHA_ROTL(E,5)+SHA_F1(A,B,C)+D+ctx->W[ 6]+0x5a827999L; A=SHA_ROTL(A,30); 
+  C = SHA_ROTL(D,5)+SHA_F1(E,A,B)+C+ctx->W[ 7]+0x5a827999L; E=SHA_ROTL(E,30); 
+  B = SHA_ROTL(C,5)+SHA_F1(D,E,A)+B+ctx->W[ 8]+0x5a827999L; D=SHA_ROTL(D,30); 
+  A = SHA_ROTL(B,5)+SHA_F1(C,D,E)+A+ctx->W[ 9]+0x5a827999L; C=SHA_ROTL(C,30); 
+  E = SHA_ROTL(A,5)+SHA_F1(B,C,D)+E+ctx->W[10]+0x5a827999L; B=SHA_ROTL(B,30); 
+  D = SHA_ROTL(E,5)+SHA_F1(A,B,C)+D+ctx->W[11]+0x5a827999L; A=SHA_ROTL(A,30); 
+  C = SHA_ROTL(D,5)+SHA_F1(E,A,B)+C+ctx->W[12]+0x5a827999L; E=SHA_ROTL(E,30); 
+  B = SHA_ROTL(C,5)+SHA_F1(D,E,A)+B+ctx->W[13]+0x5a827999L; D=SHA_ROTL(D,30); 
+  A = SHA_ROTL(B,5)+SHA_F1(C,D,E)+A+ctx->W[14]+0x5a827999L; C=SHA_ROTL(C,30); 
+  E = SHA_ROTL(A,5)+SHA_F1(B,C,D)+E+ctx->W[15]+0x5a827999L; B=SHA_ROTL(B,30); 
+  D = SHA_ROTL(E,5)+SHA_F1(A,B,C)+D+ctx->W[16]+0x5a827999L; A=SHA_ROTL(A,30); 
+  C = SHA_ROTL(D,5)+SHA_F1(E,A,B)+C+ctx->W[17]+0x5a827999L; E=SHA_ROTL(E,30); 
+  B = SHA_ROTL(C,5)+SHA_F1(D,E,A)+B+ctx->W[18]+0x5a827999L; D=SHA_ROTL(D,30); 
+  A = SHA_ROTL(B,5)+SHA_F1(C,D,E)+A+ctx->W[19]+0x5a827999L; C=SHA_ROTL(C,30); 
+
+  E = SHA_ROTL(A,5)+SHA_F2(B,C,D)+E+ctx->W[20]+0x6ed9eba1L; B=SHA_ROTL(B,30); 
+  D = SHA_ROTL(E,5)+SHA_F2(A,B,C)+D+ctx->W[21]+0x6ed9eba1L; A=SHA_ROTL(A,30); 
+  C = SHA_ROTL(D,5)+SHA_F2(E,A,B)+C+ctx->W[22]+0x6ed9eba1L; E=SHA_ROTL(E,30); 
+  B = SHA_ROTL(C,5)+SHA_F2(D,E,A)+B+ctx->W[23]+0x6ed9eba1L; D=SHA_ROTL(D,30); 
+  A = SHA_ROTL(B,5)+SHA_F2(C,D,E)+A+ctx->W[24]+0x6ed9eba1L; C=SHA_ROTL(C,30); 
+  E = SHA_ROTL(A,5)+SHA_F2(B,C,D)+E+ctx->W[25]+0x6ed9eba1L; B=SHA_ROTL(B,30); 
+  D = SHA_ROTL(E,5)+SHA_F2(A,B,C)+D+ctx->W[26]+0x6ed9eba1L; A=SHA_ROTL(A,30); 
+  C = SHA_ROTL(D,5)+SHA_F2(E,A,B)+C+ctx->W[27]+0x6ed9eba1L; E=SHA_ROTL(E,30); 
+  B = SHA_ROTL(C,5)+SHA_F2(D,E,A)+B+ctx->W[28]+0x6ed9eba1L; D=SHA_ROTL(D,30); 
+  A = SHA_ROTL(B,5)+SHA_F2(C,D,E)+A+ctx->W[29]+0x6ed9eba1L; C=SHA_ROTL(C,30); 
+  E = SHA_ROTL(A,5)+SHA_F2(B,C,D)+E+ctx->W[30]+0x6ed9eba1L; B=SHA_ROTL(B,30); 
+  D = SHA_ROTL(E,5)+SHA_F2(A,B,C)+D+ctx->W[31]+0x6ed9eba1L; A=SHA_ROTL(A,30); 
+  C = SHA_ROTL(D,5)+SHA_F2(E,A,B)+C+ctx->W[32]+0x6ed9eba1L; E=SHA_ROTL(E,30); 
+  B = SHA_ROTL(C,5)+SHA_F2(D,E,A)+B+ctx->W[33]+0x6ed9eba1L; D=SHA_ROTL(D,30); 
+  A = SHA_ROTL(B,5)+SHA_F2(C,D,E)+A+ctx->W[34]+0x6ed9eba1L; C=SHA_ROTL(C,30); 
+  E = SHA_ROTL(A,5)+SHA_F2(B,C,D)+E+ctx->W[35]+0x6ed9eba1L; B=SHA_ROTL(B,30); 
+  D = SHA_ROTL(E,5)+SHA_F2(A,B,C)+D+ctx->W[36]+0x6ed9eba1L; A=SHA_ROTL(A,30); 
+  C = SHA_ROTL(D,5)+SHA_F2(E,A,B)+C+ctx->W[37]+0x6ed9eba1L; E=SHA_ROTL(E,30); 
+  B = SHA_ROTL(C,5)+SHA_F2(D,E,A)+B+ctx->W[38]+0x6ed9eba1L; D=SHA_ROTL(D,30); 
+  A = SHA_ROTL(B,5)+SHA_F2(C,D,E)+A+ctx->W[39]+0x6ed9eba1L; C=SHA_ROTL(C,30); 
+
+  E = SHA_ROTL(A,5)+SHA_F3(B,C,D)+E+ctx->W[40]+0x8f1bbcdcL; B=SHA_ROTL(B,30); 
+  D = SHA_ROTL(E,5)+SHA_F3(A,B,C)+D+ctx->W[41]+0x8f1bbcdcL; A=SHA_ROTL(A,30); 
+  C = SHA_ROTL(D,5)+SHA_F3(E,A,B)+C+ctx->W[42]+0x8f1bbcdcL; E=SHA_ROTL(E,30); 
+  B = SHA_ROTL(C,5)+SHA_F3(D,E,A)+B+ctx->W[43]+0x8f1bbcdcL; D=SHA_ROTL(D,30); 
+  A = SHA_ROTL(B,5)+SHA_F3(C,D,E)+A+ctx->W[44]+0x8f1bbcdcL; C=SHA_ROTL(C,30); 
+  E = SHA_ROTL(A,5)+SHA_F3(B,C,D)+E+ctx->W[45]+0x8f1bbcdcL; B=SHA_ROTL(B,30); 
+  D = SHA_ROTL(E,5)+SHA_F3(A,B,C)+D+ctx->W[46]+0x8f1bbcdcL; A=SHA_ROTL(A,30); 
+  C = SHA_ROTL(D,5)+SHA_F3(E,A,B)+C+ctx->W[47]+0x8f1bbcdcL; E=SHA_ROTL(E,30); 
+  B = SHA_ROTL(C,5)+SHA_F3(D,E,A)+B+ctx->W[48]+0x8f1bbcdcL; D=SHA_ROTL(D,30); 
+  A = SHA_ROTL(B,5)+SHA_F3(C,D,E)+A+ctx->W[49]+0x8f1bbcdcL; C=SHA_ROTL(C,30); 
+  E = SHA_ROTL(A,5)+SHA_F3(B,C,D)+E+ctx->W[50]+0x8f1bbcdcL; B=SHA_ROTL(B,30); 
+  D = SHA_ROTL(E,5)+SHA_F3(A,B,C)+D+ctx->W[51]+0x8f1bbcdcL; A=SHA_ROTL(A,30); 
+  C = SHA_ROTL(D,5)+SHA_F3(E,A,B)+C+ctx->W[52]+0x8f1bbcdcL; E=SHA_ROTL(E,30); 
+  B = SHA_ROTL(C,5)+SHA_F3(D,E,A)+B+ctx->W[53]+0x8f1bbcdcL; D=SHA_ROTL(D,30); 
+  A = SHA_ROTL(B,5)+SHA_F3(C,D,E)+A+ctx->W[54]+0x8f1bbcdcL; C=SHA_ROTL(C,30); 
+  E = SHA_ROTL(A,5)+SHA_F3(B,C,D)+E+ctx->W[55]+0x8f1bbcdcL; B=SHA_ROTL(B,30); 
+  D = SHA_ROTL(E,5)+SHA_F3(A,B,C)+D+ctx->W[56]+0x8f1bbcdcL; A=SHA_ROTL(A,30); 
+  C = SHA_ROTL(D,5)+SHA_F3(E,A,B)+C+ctx->W[57]+0x8f1bbcdcL; E=SHA_ROTL(E,30); 
+  B = SHA_ROTL(C,5)+SHA_F3(D,E,A)+B+ctx->W[58]+0x8f1bbcdcL; D=SHA_ROTL(D,30); 
+  A = SHA_ROTL(B,5)+SHA_F3(C,D,E)+A+ctx->W[59]+0x8f1bbcdcL; C=SHA_ROTL(C,30); 
+
+  E = SHA_ROTL(A,5)+SHA_F4(B,C,D)+E+ctx->W[60]+0xca62c1d6L; B=SHA_ROTL(B,30); 
+  D = SHA_ROTL(E,5)+SHA_F4(A,B,C)+D+ctx->W[61]+0xca62c1d6L; A=SHA_ROTL(A,30); 
+  C = SHA_ROTL(D,5)+SHA_F4(E,A,B)+C+ctx->W[62]+0xca62c1d6L; E=SHA_ROTL(E,30); 
+  B = SHA_ROTL(C,5)+SHA_F4(D,E,A)+B+ctx->W[63]+0xca62c1d6L; D=SHA_ROTL(D,30); 
+  A = SHA_ROTL(B,5)+SHA_F4(C,D,E)+A+ctx->W[64]+0xca62c1d6L; C=SHA_ROTL(C,30); 
+  E = SHA_ROTL(A,5)+SHA_F4(B,C,D)+E+ctx->W[65]+0xca62c1d6L; B=SHA_ROTL(B,30); 
+  D = SHA_ROTL(E,5)+SHA_F4(A,B,C)+D+ctx->W[66]+0xca62c1d6L; A=SHA_ROTL(A,30); 
+  C = SHA_ROTL(D,5)+SHA_F4(E,A,B)+C+ctx->W[67]+0xca62c1d6L; E=SHA_ROTL(E,30); 
+  B = SHA_ROTL(C,5)+SHA_F4(D,E,A)+B+ctx->W[68]+0xca62c1d6L; D=SHA_ROTL(D,30); 
+  A = SHA_ROTL(B,5)+SHA_F4(C,D,E)+A+ctx->W[69]+0xca62c1d6L; C=SHA_ROTL(C,30); 
+  E = SHA_ROTL(A,5)+SHA_F4(B,C,D)+E+ctx->W[70]+0xca62c1d6L; B=SHA_ROTL(B,30); 
+  D = SHA_ROTL(E,5)+SHA_F4(A,B,C)+D+ctx->W[71]+0xca62c1d6L; A=SHA_ROTL(A,30); 
+  C = SHA_ROTL(D,5)+SHA_F4(E,A,B)+C+ctx->W[72]+0xca62c1d6L; E=SHA_ROTL(E,30); 
+  B = SHA_ROTL(C,5)+SHA_F4(D,E,A)+B+ctx->W[73]+0xca62c1d6L; D=SHA_ROTL(D,30); 
+  A = SHA_ROTL(B,5)+SHA_F4(C,D,E)+A+ctx->W[74]+0xca62c1d6L; C=SHA_ROTL(C,30); 
+  E = SHA_ROTL(A,5)+SHA_F4(B,C,D)+E+ctx->W[75]+0xca62c1d6L; B=SHA_ROTL(B,30); 
+  D = SHA_ROTL(E,5)+SHA_F4(A,B,C)+D+ctx->W[76]+0xca62c1d6L; A=SHA_ROTL(A,30); 
+  C = SHA_ROTL(D,5)+SHA_F4(E,A,B)+C+ctx->W[77]+0xca62c1d6L; E=SHA_ROTL(E,30); 
+  B = SHA_ROTL(C,5)+SHA_F4(D,E,A)+B+ctx->W[78]+0xca62c1d6L; D=SHA_ROTL(D,30); 
+  A = SHA_ROTL(B,5)+SHA_F4(C,D,E)+A+ctx->W[79]+0xca62c1d6L; C=SHA_ROTL(C,30); 
+
+  ctx->H[0] += A;
+  ctx->H[1] += B;
+  ctx->H[2] += C;
+  ctx->H[3] += D;
+  ctx->H[4] += E;
+}
+
+/*************************************************************************
+** Code below this line added to make SHA code support BLAPI interface
+*/
+
+SHA1Context *
+SHA1_NewContext(void)
+{
+    SHA1Context *cx;
+
+    cx = PORT_ZNew(SHA1Context);
+    return cx;
+}
+
+void
+SHA1_DestroyContext(SHA1Context *cx, PRBool freeit)
+{
+    if (freeit) {
+        PORT_ZFree(cx, sizeof(SHA1Context));
+    }
+}
+
+SECStatus
+SHA1_HashBuf(unsigned char *dest, const unsigned char *src, uint32 src_length)
+{
+    SHA1Context ctx;
+    unsigned int outLen;
+
+    SHA1_Begin(&ctx);
+    SHA1_Update(&ctx, src, src_length);
+    SHA1_End(&ctx, dest, &outLen, SHA1_LENGTH);
+
+    return SECSuccess;
+}
+
+/* Hash a null-terminated character string. */
+SECStatus
+SHA1_Hash(unsigned char *dest, const char *src)
+{
+    return SHA1_HashBuf(dest, (const unsigned char *)src, PORT_Strlen (src));
+}
+
+/*
+ * need to support save/restore state in pkcs11. Stores all the info necessary
+ * for a structure into just a stream of bytes.
+ */
+unsigned int
+SHA1_FlattenSize(SHA1Context *cx)
+{
+    return sizeof(SHA1Context);
+}
+
+SECStatus
+SHA1_Flatten(SHA1Context *cx,unsigned char *space)
+{
+    PORT_Memcpy(space,cx, sizeof(SHA1Context));
+    return SECSuccess;
+}
+
+SHA1Context *
+SHA1_Resurrect(unsigned char *space,void *arg)
+{
+    SHA1Context *cx = SHA1_NewContext();
+    if (cx == NULL) return NULL;
+
+    PORT_Memcpy(cx,space, sizeof(SHA1Context));
+    return cx;
+}
+
+void
+SHA1_TraceState(SHA1Context *ctx)
+{
+#ifdef TRACING_SSL
+    uint32        W;
+    int           i;
+    int           len;
+    int           fixWord = -1;
+    int           remainder;	/* bytes in last word */
+    unsigned char buf[64 * 4];
+
+    SSL_TRC(99, ("%d: SSL: SHA1 state: %08x %08x %08x %08x %08x", SSL_GETPID(), 
+	         ctx->H[0], ctx->H[1], ctx->H[2], ctx->H[3], ctx->H[4]));
+
+    len = (int)(ctx->sizeLo & 63);
+    remainder = len % 4;
+    if (remainder) 
+    	fixWord = len - remainder;
+    for (i = 0; i < len; i++) {
+	if (0 == (i % 4)) {
+	    W = ctx->W[i / 4];
+	    if (i == fixWord) {
+	        W <<= 8 * (4 - remainder);
+	    }
+	}
+	buf[i] = (unsigned char)(W >> 24);
+	W <<= 8;
+    }
+
+    PRINT_BUF(99, (0, "SHA1_TraceState: buffered input", buf, len));
+
+#else
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+#endif
+}
diff --git a/security/nss/lib/freebl/sha_fast.h b/security/nss/lib/freebl/sha_fast.h
new file mode 100644
index 000000000..d371f9332
--- /dev/null
+++ b/security/nss/lib/freebl/sha_fast.h
@@ -0,0 +1,59 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is SHA 180-1 Reference Implementation (Optimized)
+ * 
+ * The Initial Developer of the Original Code is Paul Kocher of
+ * Cryptography Research.  Portions created by Paul Kocher are 
+ * Copyright (C) 1995-9 by Cryptography Research, Inc.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ *
+ *     Paul Kocher
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _SHA_FAST_H_
+#define _SHA_FAST_H_
+
+#define SHA1_INPUT_LEN 64
+
+struct SHA1ContextStr {
+  union {
+    PRUint32 w[80];		/* input buffer, plus 64 words */
+    PRUint8  b[320];
+  } u;
+  PRUint32 H[5];		/* 5 state variables */
+  PRUint32 sizeHi,sizeLo;	/* 64-bit count of hashed bytes. */
+};
+
+#define SHA_MASK      0x00FF00FF
+#if defined(IS_LITTLE_ENDIAN)
+#define SHA_HTONL(x)  (A = (x), A = (A << 16) | (A >> 16), \
+                       ((A & SHA_MASK) << 8) | ((A >> 8) & SHA_MASK))
+#else
+#define SHA_HTONL(x)  (x)
+#endif
+#define SHA_BYTESWAP(x) x = SHA_HTONL(x)
+
+#endif /* _SHA_FAST_H_ */
diff --git a/security/nss/lib/freebl/sparcfix.c b/security/nss/lib/freebl/sparcfix.c
new file mode 100644
index 000000000..6ebc41cf0
--- /dev/null
+++ b/security/nss/lib/freebl/sparcfix.c
@@ -0,0 +1,95 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is a program to modify v8+vis objects for linking.
+ *
+ * The Initial Developer of the Original Code is Sun Microsystems Inc.
+ * Portions created by Sun Microsystems Inc. are 
+ * Copyright (C) 1999-2000 Sun Microsystems Inc. All Rights Reserved.
+ * 
+ * Contributor(s):
+ *	Netscape Communications Corporation
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.	If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *  $Id$
+ */
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#if defined(SOLARIS2_6) || defined(SOLARIS2_7) || defined(SOLARIS2_8)
+#define NEW_SYSV_SPARC 1
+#include <gelf.h>
+#endif
+#include <libelf.h>
+#include <sys/elf_SPARC.h>
+
+int
+main(int argc, char *argv[])
+{
+	Elf *     elf;
+	off_t     size;
+	int       fd;
+	int       count;
+#if defined(NEW_SYSV_SPARC)
+	GElf_Ehdr  hdr;
+	GElf_Ehdr *ehdr = &hdr;
+#else
+	Elf32_Ehdr *ehdr;
+#endif
+
+
+	elf_version(EV_CURRENT);
+	fd = open(argv[1], O_RDWR);
+	if (fd < 0)
+	    goto loser;
+	elf = elf_begin(fd, ELF_C_RDWR, (Elf *)0);
+	if (!elf)
+	    goto loser;
+
+#if defined(NEW_SYSV_SPARC)
+	gelf_getehdr(elf, ehdr);
+#else
+        ehdr = elf32_getehdr(elf);
+	if (!ehdr)
+	    goto loser;
+#endif
+
+	if (ehdr->e_machine == EM_SPARC32PLUS) {
+	    ehdr->e_machine = EM_SPARC;
+	    ehdr->e_flags &= ~(EF_SPARC_32PLUS | EF_SPARC_SUN_US1);
+#if defined(NEW_SYSV_SPARC)
+	    count = gelf_update_ehdr(elf, ehdr);
+	    if (count < 0)
+		goto loser;
+#endif
+	    size = elf_update(elf, ELF_C_WRITE);
+	    if (size < 0)
+		goto loser;
+	}
+
+	do {
+	    count = elf_end(elf);
+	} while (count > 0);
+	return count;
+
+loser:
+	return 1;
+}
diff --git a/security/nss/lib/freebl/sysrand.c b/security/nss/lib/freebl/sysrand.c
new file mode 100644
index 000000000..410ab9cc7
--- /dev/null
+++ b/security/nss/lib/freebl/sysrand.c
@@ -0,0 +1,46 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "seccomon.h"
+#if defined(XP_UNIX) || defined(XP_BEOS)
+#include "unix_rand.c"
+#endif
+#ifdef XP_WIN
+#include "win_rand.c"
+#endif
+#ifdef XP_MAC
+#include "mac_rand.c"
+#endif
+#ifdef XP_OS2
+#include "os2_rand.c"
+#endif
diff --git a/security/nss/lib/freebl/unix_rand.c b/security/nss/lib/freebl/unix_rand.c
new file mode 100644
index 000000000..aa64c8866
--- /dev/null
+++ b/security/nss/lib/freebl/unix_rand.c
@@ -0,0 +1,976 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <signal.h>
+#include <unistd.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <sys/time.h>
+#include <sys/wait.h>
+#include <sys/stat.h>
+#include <assert.h>
+#include "secrng.h"
+
+size_t RNG_FileUpdate(const char *fileName, size_t limit);
+
+/*
+ * When copying data to the buffer we want the least signicant bytes
+ * from the input since those bits are changing the fastest. The address
+ * of least significant byte depends upon whether we are running on
+ * a big-endian or little-endian machine.
+ *
+ * Does this mean the least signicant bytes are the most significant
+ * to us? :-)
+ */
+    
+static size_t CopyLowBits(void *dst, size_t dstlen, void *src, size_t srclen)
+{
+    union endianness {
+	int32 i;
+	char c[4];
+    } u;
+
+    if (srclen <= dstlen) {
+	memcpy(dst, src, srclen);
+	return srclen;
+    }
+    u.i = 0x01020304;
+    if (u.c[0] == 0x01) {
+	/* big-endian case */
+	memcpy(dst, (char*)src + (srclen - dstlen), dstlen);
+    } else {
+	/* little-endian case */
+	memcpy(dst, src, dstlen);
+    }
+    return dstlen;
+}
+
+#if defined(SCO) || defined(UNIXWARE) || defined(BSDI) || defined(FREEBSD) \
+    || defined(NETBSD) || defined(NTO) || defined(DARWIN)
+#include <sys/times.h>
+
+#define getdtablesize() sysconf(_SC_OPEN_MAX)
+
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    int ticks;
+    struct tms buffer;
+
+    ticks=times(&buffer);
+    return CopyLowBits(buf, maxbytes, &ticks, sizeof(ticks));
+}
+
+static void
+GiveSystemInfo(void)
+{
+    long si;
+
+    /* 
+     * Is this really necessary?  Why not use rand48 or something?
+     */
+    si = sysconf(_SC_CHILD_MAX);
+    RNG_RandomUpdate(&si, sizeof(si));
+
+    si = sysconf(_SC_STREAM_MAX);
+    RNG_RandomUpdate(&si, sizeof(si));
+
+    si = sysconf(_SC_OPEN_MAX);
+    RNG_RandomUpdate(&si, sizeof(si));
+}
+#endif
+
+#if defined(__sun)
+#if defined(__svr4) || defined(SVR4)
+#include <sys/systeminfo.h>
+#include <sys/times.h>
+#include <wait.h>
+
+int gettimeofday(struct timeval *);
+int gethostname(char *, int);
+
+#define getdtablesize() sysconf(_SC_OPEN_MAX)
+
+static void
+GiveSystemInfo(void)
+{
+    int rv;
+    char buf[2000];
+
+    rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+}
+
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    hrtime_t t;
+    t = gethrtime();
+    if (t) {
+	return CopyLowBits(buf, maxbytes, &t, sizeof(t));
+    }
+    return 0;
+}
+#else /* SunOS (Sun, but not SVR4) */
+
+extern long sysconf(int name);
+
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    return 0;
+}
+
+static void
+GiveSystemInfo(void)
+{
+    long si;
+
+    /* This is not very good */
+    si = sysconf(_SC_CHILD_MAX);
+    RNG_RandomUpdate(&si, sizeof(si));
+}
+#endif
+#endif /* Sun */
+
+#if defined(__hpux)
+#include <sys/unistd.h>
+
+#define getdtablesize() sysconf(_SC_OPEN_MAX)
+
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    extern int ret_cr16();
+    int cr16val;
+
+    cr16val = ret_cr16();
+    return CopyLowBits(buf, maxbytes, &cr16val, sizeof(cr16val));
+}
+
+static void
+GiveSystemInfo(void)
+{
+    long si;
+
+    /* This is not very good */
+    si = sysconf(_AES_OS_VERSION);
+    RNG_RandomUpdate(&si, sizeof(si));
+    si = sysconf(_SC_CPU_VERSION);
+    RNG_RandomUpdate(&si, sizeof(si));
+}
+#endif /* HPUX */
+
+#if defined(OSF1)
+#include <sys/types.h>
+#include <sys/sysinfo.h>
+#include <sys/systeminfo.h>
+#include <c_asm.h>
+
+static void
+GiveSystemInfo(void)
+{
+    char buf[BUFSIZ];
+    int rv;
+    int off = 0;
+
+    rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+}
+
+/*
+ * Use the "get the cycle counter" instruction on the alpha.
+ * The low 32 bits completely turn over in less than a minute.
+ * The high 32 bits are some non-counter gunk that changes sometimes.
+ */
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    unsigned long t;
+
+    t = asm("rpcc %v0");
+    return CopyLowBits(buf, maxbytes, &t, sizeof(t));
+}
+
+#endif /* Alpha */
+
+#if defined(_IBMR2)
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    return 0;
+}
+
+static void
+GiveSystemInfo(void)
+{
+    /* XXX haven't found any yet! */
+}
+#endif /* IBM R2 */
+
+#if defined(LINUX)
+#include <linux/kernel.h>
+
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    return 0;
+}
+
+static void
+GiveSystemInfo(void)
+{
+    /* XXX sysinfo() does not seem be implemented anywhwere */
+#if 0
+    struct sysinfo si;
+    char hn[2000];
+    if (sysinfo(&si) == 0) {
+	RNG_RandomUpdate(&si, sizeof(si));
+    }
+#endif
+}
+#endif /* LINUX */
+
+#if defined(NCR)
+
+#include <sys/utsname.h>
+#include <sys/systeminfo.h>
+
+#define getdtablesize() sysconf(_SC_OPEN_MAX)
+
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    return 0;
+}
+
+static void
+GiveSystemInfo(void)
+{
+    int rv;
+    char buf[2000];
+
+    rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+}
+
+#endif /* NCR */
+
+
+#if defined(sgi)
+#include <fcntl.h>
+#undef PRIVATE
+#include <sys/mman.h>
+#include <sys/syssgi.h>
+#include <sys/immu.h>
+#include <sys/systeminfo.h>
+#include <sys/utsname.h>
+#include <wait.h>
+
+static void
+GiveSystemInfo(void)
+{
+    int rv;
+    char buf[4096];
+
+    rv = syssgi(SGI_SYSID, &buf[0]);
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, MAXSYSIDSIZE);
+    }
+#ifdef SGI_RDUBLK
+    rv = syssgi(SGI_RDUBLK, getpid(), &buf[0], sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, sizeof(buf));
+    }
+#endif /* SGI_RDUBLK */
+    rv = syssgi(SGI_INVENT, SGI_INV_READ, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, sizeof(buf));
+    }
+    rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+}
+
+static size_t GetHighResClock(void *buf, size_t maxbuf)
+{
+    unsigned phys_addr, raddr, cycleval;
+    static volatile unsigned *iotimer_addr = NULL;
+    static int tries = 0;
+    static int cntr_size;
+    int mfd;
+    long s0[2];
+    struct timeval tv;
+
+#ifndef SGI_CYCLECNTR_SIZE
+#define SGI_CYCLECNTR_SIZE      165     /* Size user needs to use to read CC */
+#endif
+
+    if (iotimer_addr == NULL) {
+	if (tries++ > 1) {
+	    /* Don't keep trying if it didn't work */
+	    return 0;
+	}
+
+	/*
+	** For SGI machines we can use the cycle counter, if it has one,
+	** to generate some truly random numbers
+	*/
+	phys_addr = syssgi(SGI_QUERY_CYCLECNTR, &cycleval);
+	if (phys_addr) {
+	    int pgsz = getpagesize();
+	    int pgoffmask = pgsz - 1;
+
+	    raddr = phys_addr & ~pgoffmask;
+	    mfd = open("/dev/mmem", O_RDONLY);
+	    if (mfd < 0) {
+		return 0;
+	    }
+	    iotimer_addr = (unsigned *)
+		mmap(0, pgoffmask, PROT_READ, MAP_PRIVATE, mfd, (int)raddr);
+	    if (iotimer_addr == (void*)-1) {
+		close(mfd);
+		iotimer_addr = NULL;
+		return 0;
+	    }
+	    iotimer_addr = (unsigned*)
+		((__psint_t)iotimer_addr | (phys_addr & pgoffmask));
+	    /*
+	     * The file 'mfd' is purposefully not closed.
+	     */
+	    cntr_size = syssgi(SGI_CYCLECNTR_SIZE);
+	    if (cntr_size < 0) {
+		struct utsname utsinfo;
+
+		/* 
+		 * We must be executing on a 6.0 or earlier system, since the
+		 * SGI_CYCLECNTR_SIZE call is not supported.
+		 * 
+		 * The only pre-6.1 platforms with 64-bit counters are
+		 * IP19 and IP21 (Challenge, PowerChallenge, Onyx).
+		 */
+		uname(&utsinfo);
+		if (!strncmp(utsinfo.machine, "IP19", 4) ||
+		    !strncmp(utsinfo.machine, "IP21", 4))
+			cntr_size = 64;
+		else
+			cntr_size = 32;
+	    }
+	    cntr_size /= 8;	/* Convert from bits to bytes */
+	}
+    }
+
+    s0[0] = *iotimer_addr;
+    if (cntr_size > 4)
+	s0[1] = *(iotimer_addr + 1);
+    memcpy(buf, (char *)&s0[0], cntr_size);
+    return CopyLowBits(buf, maxbuf, &s0, cntr_size);
+}
+#endif
+
+#if defined(sony)
+#include <sys/systeminfo.h>
+
+#define getdtablesize() sysconf(_SC_OPEN_MAX)
+
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    return 0;
+}
+
+static void
+GiveSystemInfo(void)
+{
+    int rv;
+    char buf[2000];
+
+    rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+}
+#endif /* sony */
+
+#if defined(sinix)
+#include <sys/systeminfo.h>
+#include <sys/times.h>
+
+int gettimeofday(struct timeval *, struct timezone *);
+int gethostname(char *, int);
+
+#define getdtablesize() sysconf(_SC_OPEN_MAX)
+
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    int ticks;
+    struct tms buffer;
+
+    ticks=times(&buffer);
+    return CopyLowBits(buf, maxbytes, &ticks, sizeof(ticks));
+}
+
+static void
+GiveSystemInfo(void)
+{
+    int rv;
+    char buf[2000];
+
+    rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+}
+#endif /* sinix */
+
+#if defined(VMS)
+#include <c_asm.h>
+
+static void
+GiveSystemInfo(void)
+{
+    long si;
+ 
+    /* 
+     * This is copied from the SCO/UNIXWARE etc section. And like the comment
+     * there says, what's the point? This isn't random, it generates the same
+     * stuff every time its run!
+     */
+    si = sysconf(_SC_CHILD_MAX);
+    RNG_RandomUpdate(&si, sizeof(si));
+ 
+    si = sysconf(_SC_STREAM_MAX);
+    RNG_RandomUpdate(&si, sizeof(si));
+ 
+    si = sysconf(_SC_OPEN_MAX);
+    RNG_RandomUpdate(&si, sizeof(si));
+}
+ 
+/*
+ * Use the "get the cycle counter" instruction on the alpha.
+ * The low 32 bits completely turn over in less than a minute.
+ * The high 32 bits are some non-counter gunk that changes sometimes.
+ */
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    unsigned long t;
+ 
+    t = asm("rpcc %v0");
+    return CopyLowBits(buf, maxbytes, &t, sizeof(t));
+}
+ 
+#endif /* VMS */
+
+#ifdef BEOS
+#include <be/kernel/OS.h>
+
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    bigtime_t bigtime; /* Actually an int64 */
+
+    bigtime = real_time_clock_usecs();
+    return CopyLowBits(buf, maxbytes, &bigtime, sizeof(bigtime));
+}
+
+static void
+GiveSystemInfo(void)
+{
+    system_info *info = NULL;
+    int32 val;                     
+    get_system_info(info);
+    if (info) {
+        val = info->boot_time;
+        RNG_RandomUpdate(&val, sizeof(val));
+        val = info->used_pages;
+        RNG_RandomUpdate(&val, sizeof(val));
+        val = info->used_ports;
+        RNG_RandomUpdate(&val, sizeof(val));
+        val = info->used_threads;
+        RNG_RandomUpdate(&val, sizeof(val));
+        val = info->used_teams;
+        RNG_RandomUpdate(&val, sizeof(val));
+    }
+}
+#endif /* BEOS */
+
+#if defined(nec_ews)
+#include <sys/systeminfo.h>
+
+#define getdtablesize() sysconf(_SC_OPEN_MAX)
+
+static size_t
+GetHighResClock(void *buf, size_t maxbytes)
+{
+    return 0;
+}
+
+static void
+GiveSystemInfo(void)
+{
+    int rv;
+    char buf[2000];
+
+    rv = sysinfo(SI_MACHINE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+    rv = sysinfo(SI_HW_SERIAL, buf, sizeof(buf));
+    if (rv > 0) {
+	RNG_RandomUpdate(buf, rv);
+    }
+}
+#endif /* nec_ews */
+
+size_t RNG_GetNoise(void *buf, size_t maxbytes)
+{
+    struct timeval tv;
+    int n = 0;
+    int c;
+
+    n = GetHighResClock(buf, maxbytes);
+    maxbytes -= n;
+
+#if defined(__sun) && (defined(_svr4) || defined(SVR4)) || defined(sony)
+    (void)gettimeofday(&tv);
+#else
+    (void)gettimeofday(&tv, 0);
+#endif
+    c = CopyLowBits((char*)buf+n, maxbytes, &tv.tv_usec, sizeof(tv.tv_usec));
+    n += c;
+    maxbytes -= c;
+    c = CopyLowBits((char*)buf+n, maxbytes, &tv.tv_sec, sizeof(tv.tv_sec));
+    n += c;
+    return n;
+}
+
+#define SAFE_POPEN_MAXARGS	10	/* must be at least 2 */
+
+/*
+ * safe_popen is static to this module and we know what arguments it is
+ * called with. Note that this version only supports a single open child
+ * process at any time.
+ */
+static pid_t safe_popen_pid;
+static struct sigaction oldact;
+
+static FILE *
+safe_popen(char *cmd)
+{
+    int p[2], fd, argc;
+    pid_t pid;
+    char *argv[SAFE_POPEN_MAXARGS + 1];
+    FILE *fp;
+    static char blank[] = " \t";
+    static struct sigaction newact;
+
+    if (pipe(p) < 0)
+	return 0;
+
+    /* Setup signals so that SIGCHLD is ignored as we want to do waitpid */
+    newact.sa_handler = SIG_DFL;
+    newact.sa_flags = 0;
+    sigfillset(&newact.sa_mask);
+    sigaction (SIGCHLD, &newact, &oldact);
+
+    pid = fork();
+    switch (pid) {
+      case -1:
+	close(p[0]);
+	close(p[1]);
+	sigaction (SIGCHLD, &oldact, NULL);
+	return 0;
+
+      case 0:
+	/* dup write-side of pipe to stderr and stdout */
+	if (p[1] != 1) dup2(p[1], 1);
+	if (p[1] != 2) dup2(p[1], 2);
+	close(0);
+	for (fd = getdtablesize(); --fd > 2; close(fd))
+	    ;
+
+	/* clean up environment in the child process */
+	putenv("PATH=/bin:/usr/bin:/sbin:/usr/sbin:/etc:/usr/etc");
+	putenv("SHELL=/bin/sh");
+	putenv("IFS= \t");
+
+	/*
+	 * The caller may have passed us a string that is in text
+	 * space. It may be illegal to modify the string
+	 */
+	cmd = strdup(cmd);
+	/* format argv */
+	argv[0] = strtok(cmd, blank);
+	argc = 1;
+	while ((argv[argc] = strtok(0, blank)) != 0) {
+	    if (++argc == SAFE_POPEN_MAXARGS) {
+		argv[argc] = 0;
+		break;
+	    }
+	}
+
+	/* and away we go */
+	execvp(argv[0], argv);
+	exit(127);
+	break;
+
+      default:
+	close(p[1]);
+	fp = fdopen(p[0], "r");
+	if (fp == 0) {
+	    close(p[0]);
+	    sigaction (SIGCHLD, &oldact, NULL);
+	    return 0;
+	}
+	break;
+    }
+
+    /* non-zero means there's a cmd running */
+    safe_popen_pid = pid;
+    return fp;
+}
+
+static int
+safe_pclose(FILE *fp)
+{
+    pid_t pid;
+    int count, status;
+
+    if ((pid = safe_popen_pid) == 0)
+	return -1;
+    safe_popen_pid = 0;
+
+    /* if the child hasn't exited, kill it -- we're done with its output */
+    count = 0;
+    while (waitpid(pid, &status, WNOHANG) == 0) {
+    	if (kill(pid, SIGKILL) < 0 && errno == ESRCH)
+	    break;
+	if (++count == 1000)
+	    break;
+    }
+
+    /* Reset SIGCHLD signal hander before returning */
+    sigaction(SIGCHLD, &oldact, NULL);
+
+    fclose(fp);
+    return status;
+}
+
+
+#if !defined(VMS)
+
+#ifdef DARWIN
+#include <crt_externs.h>
+#endif
+
+void RNG_SystemInfoForRNG(void)
+{
+    FILE *fp;
+    char buf[BUFSIZ];
+    size_t bytes;
+    const char * const *cp;
+    char *randfile;
+#ifdef DARWIN
+    char **environ = *_NSGetEnviron();
+#else
+    extern char **environ;
+#endif
+#ifdef BEOS
+    static const char * const files[] = {
+	"/boot/var/swap",
+	"/boot/var/log/syslog",
+	"/boot/var/tmp",
+	"/boot/home/config/settings",
+	"/boot/home",
+	0
+    };
+#else
+    static const char * const files[] = {
+	"/etc/passwd",
+	"/etc/utmp",
+	"/tmp",
+	"/var/tmp",
+	"/usr/tmp",
+	0
+    };
+#endif
+
+#ifdef DO_PS
+For now it is considered that it is too expensive to run the ps command
+for the small amount of entropy it provides.
+#if defined(__sun) && (!defined(__svr4) && !defined(SVR4)) || defined(bsdi) || defined(LINUX)
+    static char ps_cmd[] = "ps aux";
+#else
+    static char ps_cmd[] = "ps -el";
+#endif
+#endif /* DO_PS */
+#if defined(BSDI)
+    static char netstat_ni_cmd[] = "netstat -nis";
+#else
+    static char netstat_ni_cmd[] = "netstat -ni";
+#endif
+
+    GiveSystemInfo();
+
+    bytes = RNG_GetNoise(buf, sizeof(buf));
+    RNG_RandomUpdate(buf, bytes);
+
+    /*
+     * Pass the C environment and the addresses of the pointers to the
+     * hash function. This makes the random number function depend on the
+     * execution environment of the user and on the platform the program
+     * is running on.
+     */
+    cp = (const char * const *)environ;
+    while (*cp) {
+	RNG_RandomUpdate(*cp, strlen(*cp));
+	cp++;
+    }
+    RNG_RandomUpdate(environ, (char*)cp - (char*)environ);
+
+    /* Give in system information */
+    if (gethostname(buf, sizeof(buf)) > 0) {
+	RNG_RandomUpdate(buf, strlen(buf));
+    }
+    GiveSystemInfo();
+
+    /* grab some data from system's PRNG before any other files. */
+    bytes = RNG_FileUpdate("/dev/urandom", 1024);
+
+    /* If the user points us to a random file, pass it through the rng */
+    randfile = getenv("NSRANDFILE");
+    if ( ( randfile != NULL ) && ( randfile[0] != '\0') ) {
+	RNG_FileForRNG(randfile);
+    }
+
+    /* pass other files through */
+    for (cp = files; *cp; cp++)
+	RNG_FileForRNG(*cp);
+
+/*
+ * Bug 100447: On BSD/OS 4.2 and 4.3, we have problem calling safe_popen
+ * in a pthreads environment.  Therefore, we call safe_popen last and on
+ * BSD/OS we do not call safe_popen when we succeeded in getting data
+ * from /dev/urandom.
+ */
+
+#ifdef BSDI
+    if (bytes)
+        return;
+#endif
+
+#ifdef DO_PS
+    fp = safe_popen(ps_cmd);
+    if (fp != NULL) {
+	while ((bytes = fread(buf, 1, sizeof(buf), fp)) > 0)
+	    RNG_RandomUpdate(buf, bytes);
+	safe_pclose(fp);
+    }
+#endif
+    fp = safe_popen(netstat_ni_cmd);
+    if (fp != NULL) {
+	while ((bytes = fread(buf, 1, sizeof(buf), fp)) > 0)
+	    RNG_RandomUpdate(buf, bytes);
+	safe_pclose(fp);
+    }
+
+}
+#else
+void RNG_SystemInfoForRNG(void)
+{
+    FILE *fp;
+    char buf[BUFSIZ];
+    size_t bytes;
+    int extra;
+    char **cp;
+    extern char **environ;
+    char *randfile;
+ 
+    GiveSystemInfo();
+ 
+    bytes = RNG_GetNoise(buf, sizeof(buf));
+    RNG_RandomUpdate(buf, bytes);
+ 
+    /*
+     * Pass the C environment and the addresses of the pointers to the
+     * hash function. This makes the random number function depend on the
+     * execution environment of the user and on the platform the program
+     * is running on.
+     */
+    cp = environ;
+    while (*cp) {
+	RNG_RandomUpdate(*cp, strlen(*cp));
+	cp++;
+    }
+    RNG_RandomUpdate(environ, (char*)cp - (char*)environ);
+ 
+    /* Give in system information */
+    if (gethostname(buf, sizeof(buf)) > 0) {
+	RNG_RandomUpdate(buf, strlen(buf));
+    }
+    GiveSystemInfo();
+ 
+    /* If the user points us to a random file, pass it through the rng */
+    randfile = getenv("NSRANDFILE");
+    if ( ( randfile != NULL ) && ( randfile[0] != '\0') ) {
+	RNG_FileForRNG(randfile);
+    }
+
+    /*
+    ** We need to generate at least 1024 bytes of seed data. Since we don't
+    ** do the file stuff for VMS, and because the environ list is so short
+    ** on VMS, we need to make sure we generate enough. So do another 1000
+    ** bytes to be sure.
+    */
+    extra = 1000;
+    while (extra > 0) {
+        cp = environ;
+        while (*cp) {
+	    int n = strlen(*cp);
+	    RNG_RandomUpdate(*cp, n);
+	    extra -= n;
+	    cp++;
+        }
+    }
+}
+#endif
+
+#define TOTAL_FILE_LIMIT 1000000	/* one million */
+
+size_t RNG_FileUpdate(const char *fileName, size_t limit)
+{
+    FILE *        file;
+    size_t        bytes;
+    size_t        fileBytes = 0;
+    struct stat   stat_buf;
+    unsigned char buffer[BUFSIZ];
+    static size_t totalFileBytes = 0;
+    
+    if (stat((char *)fileName, &stat_buf) < 0)
+	return fileBytes;
+    RNG_RandomUpdate(&stat_buf, sizeof(stat_buf));
+    
+    file = fopen((char *)fileName, "r");
+    if (file != NULL) {
+	while (limit > fileBytes) {
+	    bytes = PR_MIN(sizeof buffer, limit - fileBytes);
+	    bytes = fread(buffer, 1, bytes, file);
+	    if (bytes == 0) 
+		break;
+	    RNG_RandomUpdate(buffer, bytes);
+	    fileBytes      += bytes;
+	    totalFileBytes += bytes;
+	    /* after TOTAL_FILE_LIMIT has been reached, only read in first
+	    ** buffer of data from each subsequent file.
+	    */
+	    if (totalFileBytes > TOTAL_FILE_LIMIT) 
+		break;
+	}
+	fclose(file);
+    }
+    /*
+     * Pass yet another snapshot of our highest resolution clock into
+     * the hash function.
+     */
+    bytes = RNG_GetNoise(buffer, sizeof(buffer));
+    RNG_RandomUpdate(buffer, bytes);
+    return fileBytes;
+}
+
+void RNG_FileForRNG(const char *fileName)
+{
+    RNG_FileUpdate(fileName, TOTAL_FILE_LIMIT);
+}
diff --git a/security/nss/lib/freebl/win_rand.c b/security/nss/lib/freebl/win_rand.c
new file mode 100644
index 000000000..dc16b19b7
--- /dev/null
+++ b/security/nss/lib/freebl/win_rand.c
@@ -0,0 +1,415 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "secrng.h"
+#ifdef XP_WIN
+#include <windows.h>
+#include <time.h>
+#include <io.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <stdio.h>
+
+#ifndef _WIN32
+#define VTD_Device_ID   5
+#define OP_OVERRIDE     _asm _emit 0x66
+#include <dos.h>
+#endif
+
+static BOOL
+CurrentClockTickTime(LPDWORD lpdwHigh, LPDWORD lpdwLow)
+{
+#ifdef _WIN32
+    LARGE_INTEGER   liCount;
+
+    if (!QueryPerformanceCounter(&liCount))
+        return FALSE;
+
+    *lpdwHigh = liCount.u.HighPart;
+    *lpdwLow = liCount.u.LowPart;
+    return TRUE;
+
+#else   /* is WIN16 */
+    BOOL    bRetVal;
+    FARPROC lpAPI;
+    WORD    w1, w2, w3, w4;
+
+    // Get direct access to the VTD and query the current clock tick time
+    _asm {
+        xor   di, di
+        mov   es, di
+        mov   ax, 1684h
+        mov   bx, VTD_Device_ID
+        int   2fh
+        mov   ax, es
+        or    ax, di
+        jz    EnumerateFailed
+
+        ; VTD API is available. First store the API address (the address actually
+        ; contains an instruction that causes a fault, the fault handler then
+        ; makes the ring transition and calls the API in the VxD)
+        mov   word ptr lpAPI, di
+        mov   word ptr lpAPI+2, es
+        mov   ax, 100h      ; API function to VTD_Get_Real_Time
+;       call  dword ptr [lpAPI]
+        call  [lpAPI]
+
+        ; Result is in EDX:EAX which we will get 16-bits at a time
+        mov   w2, dx
+        OP_OVERRIDE
+        shr   dx,10h        ; really "shr edx, 16"
+        mov   w1, dx
+
+        mov   w4, ax
+        OP_OVERRIDE
+        shr   ax,10h        ; really "shr eax, 16"
+        mov   w3, ax
+
+        mov   bRetVal, 1    ; return TRUE
+        jmp   EnumerateExit
+
+      EnumerateFailed:
+        mov   bRetVal, 0    ; return FALSE
+
+      EnumerateExit:
+    }
+
+    *lpdwHigh = MAKELONG(w2, w1);
+    *lpdwLow = MAKELONG(w4, w3);
+
+    return bRetVal;
+#endif  /* is WIN16 */
+}
+
+size_t RNG_GetNoise(void *buf, size_t maxbuf)
+{
+    DWORD   dwHigh, dwLow, dwVal;
+    int     n = 0;
+    int     nBytes;
+    time_t  sTime;
+
+    if (maxbuf <= 0)
+        return 0;
+
+    CurrentClockTickTime(&dwHigh, &dwLow);
+
+    // get the maximally changing bits first
+    nBytes = sizeof(dwLow) > maxbuf ? maxbuf : sizeof(dwLow);
+    memcpy((char *)buf, &dwLow, nBytes);
+    n += nBytes;
+    maxbuf -= nBytes;
+
+    if (maxbuf <= 0)
+        return n;
+
+    nBytes = sizeof(dwHigh) > maxbuf ? maxbuf : sizeof(dwHigh);
+    memcpy(((char *)buf) + n, &dwHigh, nBytes);
+    n += nBytes;
+    maxbuf -= nBytes;
+
+    if (maxbuf <= 0)
+        return n;
+
+    // get the number of milliseconds that have elapsed since Windows started
+    dwVal = GetTickCount();
+
+    nBytes = sizeof(dwVal) > maxbuf ? maxbuf : sizeof(dwVal);
+    memcpy(((char *)buf) + n, &dwVal, nBytes);
+    n += nBytes;
+    maxbuf -= nBytes;
+
+    if (maxbuf <= 0)
+        return n;
+
+    // get the time in seconds since midnight Jan 1, 1970
+    time(&sTime);
+    nBytes = sizeof(sTime) > maxbuf ? maxbuf : sizeof(sTime);
+    memcpy(((char *)buf) + n, &sTime, nBytes);
+    n += nBytes;
+
+    return n;
+}
+
+static BOOL
+EnumSystemFiles(void (*func)(const char *))
+{
+    int                 iStatus;
+    char                szSysDir[_MAX_PATH];
+    char                szFileName[_MAX_PATH];
+#ifdef _WIN32
+    struct _finddata_t  fdData;
+    long                lFindHandle;
+#else
+    struct _find_t  fdData;
+#endif
+
+    if (!GetSystemDirectory(szSysDir, sizeof(szSysDir)))
+        return FALSE;
+
+    // tack *.* on the end so we actually look for files. this will
+    // not overflow
+    strcpy(szFileName, szSysDir);
+    strcat(szFileName, "\\*.*");
+
+#ifdef _WIN32
+    lFindHandle = _findfirst(szFileName, &fdData);
+    if (lFindHandle == -1)
+        return FALSE;
+#else
+    if (_dos_findfirst(szFileName, _A_NORMAL | _A_RDONLY | _A_ARCH | _A_SUBDIR, &fdData) != 0)
+        return FALSE;
+#endif
+
+    do {
+        // pass the full pathname to the callback
+        sprintf(szFileName, "%s\\%s", szSysDir, fdData.name);
+        (*func)(szFileName);
+
+#ifdef _WIN32
+        iStatus = _findnext(lFindHandle, &fdData);
+#else
+        iStatus = _dos_findnext(&fdData);
+#endif
+    } while (iStatus == 0);
+
+#ifdef _WIN32
+    _findclose(lFindHandle);
+#endif
+
+    return TRUE;
+}
+
+static DWORD    dwNumFiles, dwReadEvery;
+
+static void
+CountFiles(const char *file)
+{
+    dwNumFiles++;
+}
+
+static void
+ReadFiles(const char *file)
+{
+    if ((dwNumFiles % dwReadEvery) == 0)
+        RNG_FileForRNG(file);
+
+    dwNumFiles++;
+}
+
+static void
+ReadSystemFiles()
+{
+    // first count the number of files
+    dwNumFiles = 0;
+    if (!EnumSystemFiles(CountFiles))
+        return;
+
+    RNG_RandomUpdate(&dwNumFiles, sizeof(dwNumFiles));
+
+    // now read 10 files
+    if (dwNumFiles == 0)
+        return;
+
+    dwReadEvery = dwNumFiles / 10;
+    if (dwReadEvery == 0)
+        dwReadEvery = 1;  // less than 10 files
+
+    dwNumFiles = 0;
+    EnumSystemFiles(ReadFiles);
+}
+
+void RNG_SystemInfoForRNG(void)
+{
+    DWORD           dwVal;
+    char            buffer[256];
+    int             nBytes;
+#ifdef _WIN32
+    MEMORYSTATUS    sMem;
+    DWORD           dwSerialNum;
+    DWORD           dwComponentLen;
+    DWORD           dwSysFlags;
+    char            volName[128];
+    DWORD           dwSectors, dwBytes, dwFreeClusters, dwNumClusters;
+    HANDLE          hVal;
+#else
+    int             iVal;
+    HTASK           hTask;
+    WORD            wDS, wCS;
+    LPSTR           lpszEnv;
+#endif
+
+    nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
+    RNG_RandomUpdate(buffer, nBytes);
+
+#ifdef _WIN32
+    sMem.dwLength = sizeof(sMem);
+    GlobalMemoryStatus(&sMem);                // assorted memory stats
+    RNG_RandomUpdate(&sMem, sizeof(sMem));
+
+    dwVal = GetLogicalDrives();
+    RNG_RandomUpdate(&dwVal, sizeof(dwVal));  // bitfields in bits 0-25
+
+#else
+    dwVal = GetFreeSpace(0);
+    RNG_RandomUpdate(&dwVal, sizeof(dwVal));
+
+    _asm    mov wDS, ds;
+    _asm    mov wCS, cs;
+    RNG_RandomUpdate(&wDS, sizeof(wDS));
+    RNG_RandomUpdate(&wCS, sizeof(wCS));
+#endif
+
+#ifdef _WIN32
+    dwVal = sizeof(buffer);
+    if (GetComputerName(buffer, &dwVal))
+        RNG_RandomUpdate(buffer, dwVal);
+
+/* XXX This is code that got yanked because of NSPR20.  We should put it
+ * back someday.
+ */
+#ifdef notdef
+    {
+    POINT ptVal;
+    GetCursorPos(&ptVal);
+    RNG_RandomUpdate(&ptVal, sizeof(ptVal));
+    }
+
+    dwVal = GetQueueStatus(QS_ALLINPUT);      // high and low significant
+    RNG_RandomUpdate(&dwVal, sizeof(dwVal));
+
+    {
+    HWND hWnd;
+    hWnd = GetClipboardOwner();               // 2 or 4 bytes
+    RNG_RandomUpdate((void *)&hWnd, sizeof(hWnd));
+    }
+
+    {
+    UUID sUuid;
+    UuidCreate(&sUuid);                       // this will fail on machines with no ethernet
+    RNG_RandomUpdate(&sUuid, sizeof(sUuid));  // boards. shove the bits in regardless
+    }
+#endif
+
+    hVal = GetCurrentProcess();               // 4 byte handle of current task
+    RNG_RandomUpdate(&hVal, sizeof(hVal));
+
+    dwVal = GetCurrentProcessId();            // process ID (4 bytes)
+    RNG_RandomUpdate(&dwVal, sizeof(dwVal));
+
+    volName[0] = '\0';
+    buffer[0] = '\0';
+    GetVolumeInformation(NULL,
+                         volName,
+                         sizeof(volName),
+                         &dwSerialNum,
+                         &dwComponentLen,
+                         &dwSysFlags,
+                         buffer,
+                         sizeof(buffer));
+
+    RNG_RandomUpdate(volName,         strlen(volName));
+    RNG_RandomUpdate(&dwSerialNum,    sizeof(dwSerialNum));
+    RNG_RandomUpdate(&dwComponentLen, sizeof(dwComponentLen));
+    RNG_RandomUpdate(&dwSysFlags,     sizeof(dwSysFlags));
+    RNG_RandomUpdate(buffer,          strlen(buffer));
+
+    if (GetDiskFreeSpace(NULL, &dwSectors, &dwBytes, &dwFreeClusters, &dwNumClusters)) {
+        RNG_RandomUpdate(&dwSectors,      sizeof(dwSectors));
+        RNG_RandomUpdate(&dwBytes,        sizeof(dwBytes));
+        RNG_RandomUpdate(&dwFreeClusters, sizeof(dwFreeClusters));
+        RNG_RandomUpdate(&dwNumClusters,  sizeof(dwNumClusters));
+    }
+
+#else   /* is WIN16 */
+    hTask = GetCurrentTask();
+    RNG_RandomUpdate((void *)&hTask, sizeof(hTask));
+
+    iVal = GetNumTasks();
+    RNG_RandomUpdate(&iVal, sizeof(iVal));      // number of running tasks
+
+    lpszEnv = GetDOSEnvironment();
+    while (*lpszEnv != '\0') {
+        RNG_RandomUpdate(lpszEnv, strlen(lpszEnv));
+
+        lpszEnv += strlen(lpszEnv) + 1;
+    }
+#endif  /* is WIN16 */
+
+    // now let's do some files
+    ReadSystemFiles();
+
+    nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
+    RNG_RandomUpdate(buffer, nBytes);
+}
+
+void RNG_FileForRNG(const char *filename)
+{
+    FILE*           file;
+    int             nBytes;
+    struct stat     stat_buf;
+    unsigned char   buffer[1024];
+
+    static DWORD    totalFileBytes = 0;
+
+    /* windows doesn't initialize all the bytes in the stat buf,
+     * so initialize them all here to avoid UMRs.
+     */
+    memset(&stat_buf, 0, sizeof stat_buf);
+
+    if (stat((char *)filename, &stat_buf) < 0)
+        return;
+
+    RNG_RandomUpdate((unsigned char*)&stat_buf, sizeof(stat_buf));
+
+    file = fopen((char *)filename, "r");
+    if (file != NULL) {
+        for (;;) {
+            size_t  bytes = fread(buffer, 1, sizeof(buffer), file);
+
+            if (bytes == 0)
+                break;
+
+            RNG_RandomUpdate(buffer, bytes);
+            totalFileBytes += bytes;
+            if (totalFileBytes > 250000)
+                break;
+        }
+
+        fclose(file);
+    }
+
+    nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
+    RNG_RandomUpdate(buffer, nBytes);
+}
+
+#endif  /* is XP_WIN */
diff --git a/security/nss/lib/jar/Makefile b/security/nss/lib/jar/Makefile
new file mode 100644
index 000000000..063e5daf7
--- /dev/null
+++ b/security/nss/lib/jar/Makefile
@@ -0,0 +1,39 @@
+#! gmake
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+include $(CORE_DEPTH)/coreconf/rules.mk
+
diff --git a/security/nss/lib/jar/config.mk b/security/nss/lib/jar/config.mk
new file mode 100644
index 000000000..0a00dc61e
--- /dev/null
+++ b/security/nss/lib/jar/config.mk
@@ -0,0 +1,43 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/jar/jar-ds.c b/security/nss/lib/jar/jar-ds.c
new file mode 100644
index 000000000..f5a40cad5
--- /dev/null
+++ b/security/nss/lib/jar/jar-ds.c
@@ -0,0 +1,70 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "jar.h"
+
+/* These are old DS_* routines renamed to ZZ_* */
+
+ZZList *ZZ_NewList()
+  {
+  ZZList *list;
+
+  list = (ZZList *) PORT_ZAlloc (sizeof (ZZList));
+
+  if (list)
+    ZZ_InitList (list);
+
+  return list;
+  }
+
+ZZLink *ZZ_NewLink (JAR_Item *thing)
+  {
+  ZZLink *link;
+
+  link = (ZZLink *) PORT_ZAlloc (sizeof (ZZLink));
+
+  if (link)
+    link->thing = thing;
+ 
+  return link;
+  }
+
+void ZZ_DestroyLink (ZZLink *link)
+  {
+  PORT_Free (link);
+  }
+
+void ZZ_DestroyList (ZZList *list)
+  {
+  PORT_Free (list);
+  }
diff --git a/security/nss/lib/jar/jar-ds.h b/security/nss/lib/jar/jar-ds.h
new file mode 100644
index 000000000..36716d97c
--- /dev/null
+++ b/security/nss/lib/jar/jar-ds.h
@@ -0,0 +1,106 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef __JAR_DS_h_
+#define __JAR_DS_h_
+
+/* Typedefs */
+typedef struct ZZLinkStr ZZLink;
+typedef struct ZZListStr ZZList;
+
+/*
+** Circular linked list. Each link contains a pointer to the object that
+** is actually in the list.
+*/ 
+struct ZZLinkStr 
+{
+    ZZLink *next;
+    ZZLink *prev;
+    JAR_Item *thing;
+};
+
+struct ZZListStr 
+{
+    ZZLink link;
+};
+
+#define ZZ_InitList(lst)	     \
+{				     \
+    (lst)->link.next = &(lst)->link; \
+    (lst)->link.prev = &(lst)->link; \
+    (lst)->link.thing = 0;	     \
+}
+
+#define ZZ_ListEmpty(lst) \
+    ((lst)->link.next == &(lst)->link)
+
+#define ZZ_ListHead(lst) \
+    ((lst)->link.next)
+
+#define ZZ_ListTail(lst) \
+    ((lst)->link.prev)
+
+#define ZZ_ListIterDone(lst,lnk) \
+    ((lnk) == &(lst)->link)
+
+#define ZZ_AppendLink(lst,lnk)	    \
+{				    \
+    (lnk)->next = &(lst)->link;	    \
+    (lnk)->prev = (lst)->link.prev; \
+    (lst)->link.prev->next = (lnk); \
+    (lst)->link.prev = (lnk);	    \
+}
+
+#define ZZ_InsertLink(lst,lnk)	    \
+{				    \
+    (lnk)->next = (lst)->link.next; \
+    (lnk)->prev = &(lst)->link;	    \
+    (lst)->link.next->prev = (lnk); \
+    (lst)->link.next = (lnk);	    \
+}
+
+#define ZZ_RemoveLink(lnk)	     \
+{				     \
+    (lnk)->next->prev = (lnk)->prev; \
+    (lnk)->prev->next = (lnk)->next; \
+    (lnk)->next = 0;		     \
+    (lnk)->prev = 0;		     \
+}
+
+extern ZZLink *ZZ_NewLink (JAR_Item *thing);
+extern void ZZ_DestroyLink (ZZLink *link);
+extern ZZList *ZZ_NewList (void);
+extern void ZZ_DestroyList (ZZList *list);
+
+
+#endif /* __JAR_DS_h_ */
diff --git a/security/nss/lib/jar/jar.c b/security/nss/lib/jar/jar.c
new file mode 100644
index 000000000..cfd46b195
--- /dev/null
+++ b/security/nss/lib/jar/jar.c
@@ -0,0 +1,831 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ *  JAR.C
+ *
+ *  Jarnature.
+ *  Routines common to signing and validating.
+ *
+ */
+
+#include "jar.h"
+#include "jarint.h"
+
+static void jar_destroy_list (ZZList *list);
+
+static int jar_find_first_cert 
+    (JAR_Signer *signer, int type, JAR_Item **it);
+
+/*
+ *  J A R _ n e w 
+ *
+ *  Create a new instantiation of a manifest representation.
+ *  Use this as a token to any calls to this API.
+ *
+ */
+
+JAR *JAR_new (void)
+  {
+  JAR *jar;
+
+  if ((jar = (JAR*)PORT_ZAlloc (sizeof (JAR))) == NULL)
+    goto loser;
+
+  if ((jar->manifest = ZZ_NewList()) == NULL)
+    goto loser;
+
+  if ((jar->hashes = ZZ_NewList()) == NULL)
+    goto loser;
+
+  if ((jar->phy = ZZ_NewList()) == NULL)
+    goto loser;
+
+  if ((jar->metainfo = ZZ_NewList()) == NULL)
+    goto loser;
+
+  if ((jar->signers = ZZ_NewList()) == NULL)
+    goto loser;
+
+  return jar;
+
+loser:
+
+  if (jar)
+    {
+    if (jar->manifest)
+      ZZ_DestroyList (jar->manifest);
+
+    if (jar->hashes)
+      ZZ_DestroyList (jar->hashes);
+
+    if (jar->phy)
+      ZZ_DestroyList (jar->phy);
+
+    if (jar->metainfo)
+      ZZ_DestroyList (jar->metainfo);
+
+    if (jar->signers)
+      ZZ_DestroyList (jar->signers);
+
+    PORT_Free (jar);
+    }
+
+  return NULL;
+  }
+
+/* 
+ *  J A R _ d e s t r o y
+ *
+ *  Godzilla.
+ *
+ */
+
+void PR_CALLBACK JAR_destroy (JAR *jar)
+  {
+  PORT_Assert( jar != NULL );
+
+  if (jar == NULL)
+    return;
+
+  if (jar->fp) JAR_FCLOSE ((PRFileDesc*)jar->fp);
+
+  if (jar->url)      PORT_Free (jar->url);
+  if (jar->filename) PORT_Free (jar->filename);
+
+  /* Free the linked list elements */
+
+  jar_destroy_list (jar->manifest);
+  ZZ_DestroyList (jar->manifest);
+
+  jar_destroy_list (jar->hashes);
+  ZZ_DestroyList (jar->hashes);
+
+  jar_destroy_list (jar->phy);
+  ZZ_DestroyList (jar->phy);
+
+  jar_destroy_list (jar->metainfo);
+  ZZ_DestroyList (jar->metainfo);
+
+  jar_destroy_list (jar->signers);
+  ZZ_DestroyList (jar->signers);
+
+  PORT_Free (jar);
+  }
+
+static void jar_destroy_list (ZZList *list)
+  {
+  ZZLink *link, *oldlink;
+
+  JAR_Item *it;
+
+  JAR_Physical *phy;
+  JAR_Digest *dig;
+  JAR_Cert *fing;
+  JAR_Metainfo *met;
+  JAR_Signer *signer;
+
+  if (list && !ZZ_ListEmpty (list))
+    {
+    link = ZZ_ListHead (list);
+
+    while (!ZZ_ListIterDone (list, link))
+      {
+      it = link->thing;
+      if (!it) goto next;
+
+      if (it->pathname) PORT_Free (it->pathname);
+ 
+      switch (it->type)
+        {
+        case jarTypeMeta:
+
+          met = (JAR_Metainfo *) it->data;
+          if (met)
+            {
+            if (met->header) PORT_Free (met->header);
+            if (met->info) PORT_Free (met->info);
+            PORT_Free (met);
+            }
+          break;
+
+	case jarTypePhy:
+
+          phy = (JAR_Physical *) it->data;
+          if (phy)
+            PORT_Free (phy);
+          break;
+
+        case jarTypeSign:
+
+          fing = (JAR_Cert *) it->data;
+          if (fing)
+            {
+            if (fing->cert)
+              CERT_DestroyCertificate (fing->cert);
+            if (fing->key)
+              PORT_Free (fing->key);
+            PORT_Free (fing);
+            }
+	  break;
+
+        case jarTypeSect:
+        case jarTypeMF:
+        case jarTypeSF:
+
+          dig = (JAR_Digest *) it->data;
+          if (dig)
+            {
+            PORT_Free (dig);
+            }
+          break;
+
+        case jarTypeOwner:
+
+          signer = (JAR_Signer *) it->data;
+
+          if (signer)
+            JAR_destroy_signer (signer);
+
+          break;
+
+        default:
+
+          /* PORT_Assert( 1 != 2 ); */
+          break;
+        }
+
+      PORT_Free (it);
+
+    next:
+
+      oldlink = link;
+      link = link->next;
+
+      ZZ_DestroyLink (oldlink);
+      }
+    }
+  }
+
+/*
+ *  J A R _ g e t _ m e t a i n f o
+ *
+ *  Retrieve meta information from the manifest file.
+ *  It doesn't matter whether it's from .MF or .SF, does it?
+ *
+ */
+
+int JAR_get_metainfo
+    (JAR *jar, char *name, char *header, void **info, unsigned long *length)
+  {
+  JAR_Item *it;
+
+  ZZLink *link;
+  ZZList *list;
+
+  JAR_Metainfo *met;
+
+  PORT_Assert( jar != NULL && header != NULL );
+
+  if (jar == NULL || header == NULL)
+    return JAR_ERR_PNF;
+
+  list = jar->metainfo;
+
+  if (ZZ_ListEmpty (list))
+    return JAR_ERR_PNF;
+
+  for (link = ZZ_ListHead (list); 
+       !ZZ_ListIterDone (list, link); 
+       link = link->next)
+    {
+    it = link->thing;
+    if (it->type == jarTypeMeta)
+      {
+      if ((name && !it->pathname) || (!name && it->pathname))
+        continue;
+
+      if (name && it->pathname && strcmp (it->pathname, name))
+        continue;
+
+      met = (JAR_Metainfo *) it->data;
+
+      if (!PORT_Strcasecmp (met->header, header))
+        {
+        *info = PORT_Strdup (met->info);
+        *length = PORT_Strlen (met->info);
+        return 0;
+        }
+      }
+    }
+
+  return JAR_ERR_PNF;
+  }
+
+/*
+ *  J A R _ f i n d
+ *
+ *  Establish the search pattern for use
+ *  by JAR_find_next, to traverse the filenames
+ *  or certificates in the JAR structure.
+ *
+ *  See jar.h for a description on how to use.
+ *
+ */
+
+JAR_Context *JAR_find (JAR *jar, char *pattern, jarType type)
+  {
+  JAR_Context *ctx;
+
+  PORT_Assert( jar != NULL );
+
+  if (!jar)
+    return NULL;
+
+  ctx = (JAR_Context *) PORT_ZAlloc (sizeof (JAR_Context));
+
+  if (ctx == NULL)
+    return NULL;
+
+  ctx->jar = jar;
+
+  if (pattern)
+    {
+    if ((ctx->pattern = PORT_Strdup (pattern)) == NULL)
+      {
+      PORT_Free (ctx);
+      return NULL;
+      }
+    }
+
+  ctx->finding = type;
+
+  switch (type)
+    {
+    case jarTypeMF:     ctx->next = ZZ_ListHead (jar->hashes);
+                        break;
+
+    case jarTypeSF:
+    case jarTypeSign:   ctx->next = NULL;
+                        ctx->nextsign = ZZ_ListHead (jar->signers);
+                        break;
+
+    case jarTypeSect:   ctx->next = ZZ_ListHead (jar->manifest);
+                        break;
+
+    case jarTypePhy:    ctx->next = ZZ_ListHead (jar->phy);
+                        break;
+
+    case jarTypeOwner:  if (jar->signers)
+                          ctx->next = ZZ_ListHead (jar->signers);
+                        else
+                          ctx->next = NULL;
+                        break;
+
+    case jarTypeMeta:   ctx->next = ZZ_ListHead (jar->metainfo);
+                        break;
+
+    default:            PORT_Assert( 1 != 2);
+                        break;
+    }
+
+  return ctx;
+  }
+
+/*
+ *  J A R _ f i n d _ e n d
+ *
+ *  Destroy the find iterator context.
+ *
+ */
+
+void JAR_find_end (JAR_Context *ctx)
+  {
+  PORT_Assert( ctx != NULL );
+
+  if (ctx)
+    {
+    if (ctx->pattern) 
+      PORT_Free (ctx->pattern);
+    PORT_Free (ctx);
+    }
+  }
+
+/*
+ *  J A R _ f i n d _ n e x t
+ *
+ *  Return the next item of the given type
+ *  from one of the JAR linked lists.
+ *
+ */
+
+int JAR_find_next (JAR_Context *ctx, JAR_Item **it)
+  {
+  JAR *jar;
+  ZZList *list = NULL;
+
+  int finding;
+
+  JAR_Signer *signer = NULL;
+
+  PORT_Assert( ctx != NULL );
+  PORT_Assert( ctx->jar != NULL );
+
+  jar = ctx->jar;
+
+  /* Internally, convert jarTypeSign to jarTypeSF, and return
+     the actual attached certificate later */
+
+  finding = (ctx->finding == jarTypeSign) ? jarTypeSF : ctx->finding;
+
+  if (ctx->nextsign)
+    {
+      if (ZZ_ListIterDone (jar->signers, ctx->nextsign))
+       {
+       *it = NULL;
+       return -1;
+       }
+    PORT_Assert (ctx->nextsign->thing != NULL);
+    signer = (JAR_Signer*)ctx->nextsign->thing->data;
+    }
+
+
+  /* Find out which linked list to traverse. Then if
+     necessary, advance to the next linked list. */
+
+  while (1)
+    {
+    switch (finding)
+      {
+      case jarTypeSign:    /* not any more */
+                           PORT_Assert( finding != jarTypeSign );
+                           list = signer->certs;
+                           break;
+
+      case jarTypeSect:    list = jar->manifest;
+                           break;
+
+      case jarTypePhy:     list = jar->phy;
+                           break;
+
+      case jarTypeSF:      /* signer, not jar */
+                           PORT_Assert( signer != NULL );
+                           list = signer->sf;
+                           break;
+
+      case jarTypeMF:      list = jar->hashes;
+                           break;
+
+      case jarTypeOwner:   list = jar->signers;
+                           break;
+
+      case jarTypeMeta:    list = jar->metainfo;
+                           break;
+
+      default:             PORT_Assert( 1 != 2 );
+                           break;
+      }
+
+    if (list == NULL)
+      {
+      *it = NULL;
+      return -1;
+      }
+
+    /* When looping over lists of lists, advance
+       to the next signer. This is done when multiple
+       signers are possible. */
+
+    if (ZZ_ListIterDone (list, ctx->next))
+      {
+      if (ctx->nextsign && jar->signers) 
+        {
+        ctx->nextsign = ctx->nextsign->next;
+        if (!ZZ_ListIterDone (jar->signers, ctx->nextsign)) 
+          {
+          PORT_Assert (ctx->nextsign->thing != NULL);
+
+          signer = (JAR_Signer*)ctx->nextsign->thing->data;
+          PORT_Assert( signer != NULL );
+
+          ctx->next = NULL;
+          continue;
+          }
+        }
+      *it = NULL;
+      return -1;
+      }
+
+    /* if the signer changed, still need to fill
+       in the "next" link */
+
+    if (ctx->nextsign && ctx->next == NULL)
+      {
+      switch (finding)
+        {
+        case jarTypeSF:
+
+          ctx->next = ZZ_ListHead (signer->sf);
+          break;
+
+        case jarTypeSign:
+
+          ctx->next = ZZ_ListHead (signer->certs);
+          break;
+        }
+      }
+
+    PORT_Assert( ctx->next != NULL );
+
+
+    while (!ZZ_ListIterDone (list, ctx->next))
+      {
+      *it = ctx->next->thing;
+      ctx->next = ctx->next->next;
+
+      if (!it || !*it || (*it)->type != finding)
+        continue;
+
+      if (ctx->pattern && *ctx->pattern)
+        {
+        if (PORT_Strcmp ((*it)->pathname, ctx->pattern))
+          continue;
+        }
+
+      /* We have a valid match. If this is a jarTypeSign
+         return the certificate instead.. */
+
+      if (ctx->finding == jarTypeSign)
+        {
+        JAR_Item *itt;
+
+        /* just the first one for now */
+        if (jar_find_first_cert (signer, jarTypeSign, &itt) >= 0) 
+           {
+           *it = itt;
+           return 0;
+           }
+
+        continue;      
+        }
+
+      return 0;
+      }
+
+    } /* end while */
+  }
+
+static int jar_find_first_cert 
+    (JAR_Signer *signer, int type, JAR_Item **it)
+  {
+  ZZLink *link;
+  ZZList *list;
+
+  int status = JAR_ERR_PNF;
+
+  list = signer->certs;
+
+  *it = NULL;
+
+  if (ZZ_ListEmpty (list))
+    {
+    /* empty list */
+    return JAR_ERR_PNF;
+    }
+
+  for (link = ZZ_ListHead (list); 
+       !ZZ_ListIterDone (list, link); 
+       link = link->next)
+    {
+    if (link->thing->type == type)
+      {
+      *it = link->thing;
+      status = 0;
+      break;
+      }
+    }
+
+  return status;
+  }
+
+JAR_Signer *JAR_new_signer (void)
+  {
+  JAR_Signer *signer;
+
+  signer = (JAR_Signer *) PORT_ZAlloc (sizeof (JAR_Signer));
+
+  if (signer == NULL)
+    goto loser;
+
+
+  /* certs */
+  signer->certs = ZZ_NewList();
+
+  if (signer->certs == NULL)
+    goto loser;
+
+
+  /* sf */
+  signer->sf = ZZ_NewList();
+
+  if (signer->sf == NULL)
+    goto loser;
+
+
+  return signer;
+
+
+loser:
+
+  if (signer)
+    {
+    if (signer->certs) 
+      ZZ_DestroyList (signer->certs);
+
+    if (signer->sf) 
+      ZZ_DestroyList (signer->sf);
+
+    PORT_Free (signer);
+    }
+
+  return NULL;
+  }
+
+void JAR_destroy_signer (JAR_Signer *signer)
+  {
+  if (signer)
+    {
+    if (signer->owner) PORT_Free (signer->owner);
+    if (signer->digest) PORT_Free (signer->digest);
+
+    jar_destroy_list (signer->sf);
+    ZZ_DestroyList (signer->sf);
+
+    jar_destroy_list (signer->certs);
+    ZZ_DestroyList (signer->certs);
+
+    PORT_Free (signer);
+    }
+  }
+
+JAR_Signer *jar_get_signer (JAR *jar, char *basename)
+  {
+  JAR_Item *it;
+  JAR_Context *ctx;
+
+  JAR_Signer *candidate;
+  JAR_Signer *signer = NULL;
+
+  ctx = JAR_find (jar, NULL, jarTypeOwner);
+
+  if (ctx == NULL)
+    return NULL;
+
+  while (JAR_find_next (ctx, &it) >= 0)
+    {
+    candidate = (JAR_Signer *) it->data;
+    if (*basename == '*' || !PORT_Strcmp (candidate->owner, basename))
+      {
+      signer = candidate;
+      break;
+      }
+    }
+
+  JAR_find_end (ctx);
+
+  return signer;
+  }
+
+/*
+ *  J A R _ g e t _ f i l e n a m e
+ *
+ *  Returns the filename associated with
+ *  a JAR structure.
+ *
+ */
+
+char *JAR_get_filename (JAR *jar)
+  {
+  return jar->filename;
+  }
+
+/*
+ *  J A R _ g e t _ u r l
+ *
+ *  Returns the URL associated with
+ *  a JAR structure. Nobody really uses this now.
+ *
+ */
+
+char *JAR_get_url (JAR *jar)
+  {
+  return jar->url;
+  }
+
+/*
+ *  J A R _ s e t _ c a l l b a c k
+ *
+ *  Register some manner of callback function for this jar. 
+ *
+ */
+
+int JAR_set_callback (int type, JAR *jar, 
+      int (*fn) (int status, JAR *jar, 
+         const char *metafile, char *pathname, char *errortext))
+  {
+  if (type == JAR_CB_SIGNAL)
+    {
+    jar->signal = fn;
+    return 0;
+    }
+  else
+    return -1;
+  }
+
+/*
+ *  Callbacks
+ *
+ */
+
+/* To return an error string */
+char *(*jar_fn_GetString) (int) = NULL;
+
+/* To return an MWContext for Java */
+void *(*jar_fn_FindSomeContext) (void) = NULL;
+
+/* To fabricate an MWContext for FE_GetPassword */
+void *(*jar_fn_GetInitContext) (void) = NULL;
+
+void
+JAR_init_callbacks
+     ( 
+     char *(*string_cb)(int), 
+     void *(*find_cx)(void), 
+     void *(*init_cx)(void) 
+     )
+  {
+  jar_fn_GetString = string_cb;
+  jar_fn_FindSomeContext = find_cx;
+  jar_fn_GetInitContext = init_cx;
+  }
+
+/*
+ *  J A R _ g e t _ e r r o r
+ *
+ *  This is provided to map internal JAR errors to strings for
+ *  the Java console. Also, a DLL may call this function if it does
+ *  not have access to the XP_GetString function.
+ *
+ *  These strings aren't UI, since they are Java console only.
+ *
+ */
+
+char *JAR_get_error (int status)
+  { 
+  char *errstring = NULL;
+
+  switch (status)
+    {
+    case JAR_ERR_GENERAL:
+      errstring = "General JAR file error";
+      break;
+
+    case JAR_ERR_FNF:
+      errstring = "JAR file not found";
+      break;
+
+    case JAR_ERR_CORRUPT:
+      errstring = "Corrupt JAR file";
+      break;
+
+    case JAR_ERR_MEMORY:
+      errstring = "Out of memory";
+      break;
+
+    case JAR_ERR_DISK:
+      errstring = "Disk error (perhaps out of space)";
+      break;
+
+    case JAR_ERR_ORDER:
+      errstring = "Inconsistent files in META-INF directory";
+      break;
+
+    case JAR_ERR_SIG:
+      errstring = "Invalid digital signature file";
+      break;
+
+    case JAR_ERR_METADATA:
+      errstring = "JAR metadata failed verification";
+      break;
+
+    case JAR_ERR_ENTRY:
+      errstring = "No Manifest entry for this JAR entry";
+      break;
+
+    case JAR_ERR_HASH:
+      errstring = "Invalid Hash of this JAR entry";
+      break;
+
+    case JAR_ERR_PK7:
+      errstring = "Strange PKCS7 or RSA failure";
+      break;
+
+    case JAR_ERR_PNF:
+      errstring = "Path not found inside JAR file";
+      break;
+
+    default:
+      if (jar_fn_GetString)
+        {
+        errstring = jar_fn_GetString (status);
+        }
+      else
+        {
+        /* this is not a normal situation, and would only be
+           called in cases of improper initialization */
+
+        char *err;
+
+        err = (char*)PORT_Alloc (40);
+        if (err)
+          PR_snprintf (err, 39,  "Error %d\n", status);
+        else
+          err = "Error! Bad! Out of memory!";
+
+        return err;
+        }
+      break;
+    }
+
+  return errstring;
+  }
diff --git a/security/nss/lib/jar/jar.h b/security/nss/lib/jar/jar.h
new file mode 100644
index 000000000..d132f2579
--- /dev/null
+++ b/security/nss/lib/jar/jar.h
@@ -0,0 +1,478 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef __JAR_h_
+#define __JAR_h_
+
+/*
+ *  In general, any functions that return pointers
+ *  have memory owned by the caller.
+ *
+ */
+
+/* security includes */
+#include "cert.h"
+#include "hasht.h"
+
+/* nspr 2.0 includes */
+#include "prio.h"
+
+#ifndef ZHUGEP
+#ifdef XP_WIN16
+#define ZHUGEP __huge
+#else
+#define ZHUGEP
+#endif
+#endif
+
+#include <stdio.h>
+
+/* various types */
+
+typedef enum
+  {
+  jarTypeMF = 2,
+  jarTypeSF = 3,
+  jarTypeMeta = 6,
+  jarTypePhy = 7,
+  jarTypeSign = 10,
+  jarTypeSect = 11,
+  jarTypeOwner = 13
+  }
+jarType;
+
+/* void data in ZZList's contain JAR_Item type */
+
+typedef struct JAR_Item_
+  {
+  char *pathname;        /* relative. inside zip file */
+  jarType type;          /* various types */
+  size_t size;           /* size of data below */
+  void *data;            /* totally opaque */
+  }
+JAR_Item;
+
+
+/* hashes */
+
+typedef enum
+  {
+  jarHashNone = 0,
+  jarHashBad = 1,
+  jarHashPresent = 2
+  }
+jarHash;
+
+typedef struct JAR_Digest_
+  {
+  jarHash md5_status;
+  unsigned char md5 [MD5_LENGTH];
+  jarHash sha1_status;
+  unsigned char sha1 [SHA1_LENGTH];
+  }
+JAR_Digest;
+
+
+/* physical archive formats */
+
+typedef enum
+  {
+  jarArchGuess = 0,
+  jarArchNone = 1,
+  jarArchZip = 2,
+  jarArchTar = 3
+  }
+jarArch;
+
+
+#include "jar-ds.h"
+
+/* jar object */
+
+typedef struct JAR_
+  {
+  jarArch format;       /* physical archive format */ 
+  char *url;            /* Where it came from */
+  char *filename;       /* Disk location */
+  FILE *fp;             /* For multiple extractions */    /* JAR_FILE */
+
+  /* various linked lists */
+
+  ZZList *manifest;     /* Digests of MF sections */
+  ZZList *hashes;       /* Digests of actual signed files */
+  ZZList *phy;          /* Physical layout of JAR file */
+  ZZList *metainfo;     /* Global metainfo */
+
+  JAR_Digest *globalmeta;  /* digest of .MF global portion */
+
+  /* Below will change to a linked list to support multiple sigs */
+
+  int pkcs7;            /* Enforced opaqueness */
+  int valid;            /* PKCS7 signature validated */
+
+  ZZList *signers;      /* the above, per signer */
+
+  /* Window context, very necessary for PKCS11 now */
+
+  void *mw;             /* MWContext window context */
+
+  /* Signal callback function */
+
+  int (*signal) (int status, struct JAR_ *jar, 
+     const char *metafile, char *pathname, char *errorstring);
+  }
+JAR;
+
+
+/*
+ *  Iterator
+ *
+ *  Context for iterative operations. Certain operations
+ *  require iterating multiple linked lists because of
+ *  multiple signers. "nextsign" is used for this purpose.
+ *
+ */
+
+typedef struct JAR_Context_
+  {
+  JAR *jar;             /* Jar we are searching */
+  char *pattern;        /* Regular expression */
+  jarType finding;      /* Type of item to find */
+  ZZLink *next;         /* Next item in find */
+  ZZLink *nextsign;     /* Next signer, sometimes */
+  }
+JAR_Context;
+
+typedef struct JAR_Signer_
+  {
+  int pkcs7;            /* Enforced opaqueness */
+  int valid;            /* PKCS7 signature validated */
+  char *owner;          /* name of .RSA file */
+  JAR_Digest *digest;   /* of .SF file */
+  ZZList *sf;           /* Linked list of .SF file contents */
+  ZZList *certs;        /* Signing information */
+  }
+JAR_Signer;
+
+
+/* Meta informaton, or "policy", from the manifest file.
+   Right now just one tuple per JAR_Item. */
+
+typedef struct JAR_Metainfo_
+  {
+  char *header;
+  char *info;
+  }
+JAR_Metainfo;
+
+/* This should not be global */
+
+typedef struct JAR_Physical_
+  {
+  unsigned char compression;
+  unsigned long offset;
+  unsigned long length;
+  unsigned long uncompressed_length;
+#if defined(XP_UNIX) || defined(XP_BEOS)
+  uint16 mode;
+#endif
+  }
+JAR_Physical;
+
+typedef struct JAR_Cert_
+  {
+  size_t length;
+  void *key;
+  CERTCertificate *cert;
+  }
+JAR_Cert;
+
+
+/* certificate stuff */
+
+typedef enum
+  {
+  jarCertCompany = 1,
+  jarCertCA = 2,
+  jarCertSerial = 3,
+  jarCertExpires = 4,
+  jarCertNickname = 5,
+  jarCertFinger = 6,
+  jarCertJavaHack = 100
+  }
+jarCert;
+
+/* callback types */
+
+#define JAR_CB_SIGNAL	1
+
+
+/* 
+ *  This is the base for the JAR error codes. It will
+ *  change when these are incorporated into allxpstr.c,
+ *  but right now they won't let me put them there.
+ *
+ */
+
+#ifndef SEC_ERR_BASE
+#define SEC_ERR_BASE		(-0x2000)
+#endif
+ 
+#define JAR_BASE		SEC_ERR_BASE + 300
+
+/* Jar specific error definitions */
+
+#define JAR_ERR_GENERAL         (JAR_BASE + 1)
+#define JAR_ERR_FNF		(JAR_BASE + 2)
+#define JAR_ERR_CORRUPT		(JAR_BASE + 3)
+#define JAR_ERR_MEMORY		(JAR_BASE + 4)
+#define JAR_ERR_DISK		(JAR_BASE + 5)
+#define JAR_ERR_ORDER           (JAR_BASE + 6)
+#define JAR_ERR_SIG		(JAR_BASE + 7)
+#define JAR_ERR_METADATA        (JAR_BASE + 8)
+#define JAR_ERR_ENTRY		(JAR_BASE + 9)
+#define JAR_ERR_HASH		(JAR_BASE + 10)
+#define JAR_ERR_PK7		(JAR_BASE + 11)
+#define JAR_ERR_PNF		(JAR_BASE + 12)
+
+
+/*
+ *  Birth and death 
+ *
+ */
+
+extern JAR *JAR_new (void);
+
+extern void PR_CALLBACK JAR_destroy (JAR *jar);
+
+extern char *JAR_get_error (int status);
+
+extern int JAR_set_callback (int type, JAR *jar, 
+  int (*fn) (int status, JAR *jar, 
+  const char *metafile, char *pathname, char *errortext));
+
+extern void JAR_init_callbacks
+  ( char *(*string_cb)(int), void *(*find_cx)(void), void *(*init_cx)(void) );
+
+/*
+ *  JAR_set_context
+ *
+ *  PKCS11 may require a password to be entered by the user
+ *  before any crypto routines may be called. This will require
+ *  a window context if used from inside Mozilla.
+ *
+ *  Call this routine with your context before calling 
+ *  verifying or signing. If you have no context, call with NULL
+ *  and one will be chosen for you.
+ *
+ */
+
+int JAR_set_context (JAR *jar, void /*MWContext*/ *mw);
+
+/*
+ *  Iterative operations
+ *
+ *  JAR_find sets up for repeated calls with JAR_find_next.
+ *  I never liked findfirst and findnext, this is nicer.
+ *
+ *  Pattern contains a relative pathname to match inside the
+ *  archive. It is currently assumed to be "*".
+ *
+ *  To use:
+ *
+ *     JAR_Item *item;
+ *     JAR_find (jar, "*.class", jarTypeMF);
+ *     while (JAR_find_next (jar, &item) >= 0) 
+ *       { do stuff }
+ *
+ */
+
+
+/* Replacement functions with an external context */
+
+extern JAR_Context *JAR_find (JAR *jar, char *pattern, jarType type);
+
+extern int JAR_find_next (JAR_Context *ctx, JAR_Item **it);
+
+extern void JAR_find_end (JAR_Context *ctx);
+
+
+/*
+ *  Function to parse manifest file:
+ *
+ *  Many signatures may be attached to a single filename located
+ *  inside the zip file. We only support one.
+ *
+ *  Several manifests may be included in the zip file. 
+ *
+ *  You must pass the MANIFEST.MF file before any .SF files.
+ *
+ *  Right now this returns a big ole list, privately in the jar structure.
+ *  If you need to traverse it, use JAR_find if possible.
+ *
+ *  The path is needed to determine what type of binary signature is
+ *  being passed, though it is technically not needed for manifest files.
+ *
+ *  When parsing an ASCII file, null terminate the ASCII raw_manifest
+ *  prior to sending it, and indicate a length of 0. For binary digital
+ *  signatures only, indicate the true length of the signature.
+ *  (This is legacy behavior.)
+ *
+ *  You may free the manifest after parsing it.
+ *
+ */
+
+extern int JAR_parse_manifest 
+    (JAR *jar, char ZHUGEP *raw_manifest, 
+       long length, const char *path, const char *url);
+
+/*
+ *  Verify data (nonstreaming). The signature is actually
+ *  checked by JAR_parse_manifest or JAR_pass_archive.
+ *
+ */
+
+extern JAR_Digest * PR_CALLBACK JAR_calculate_digest 
+    (void ZHUGEP *data, long length);
+
+extern int PR_CALLBACK JAR_verify_digest
+    (JAR *jar, const char *name, JAR_Digest *dig);
+
+extern int JAR_digest_file (char *filename, JAR_Digest *dig);
+
+/*
+ *  Get attribute from certificate:
+ *
+ *  Returns any special signed attribute associated with this cert
+ *  or signature (passed in "data"). Attributes jarCert*. Most of the time
+ *  this will return a zero terminated string.
+ *
+ */
+
+extern int PR_CALLBACK JAR_cert_attribute
+    (JAR *jar, jarCert attrib, long keylen, void *key, 
+       void **result, unsigned long *length);
+
+/*
+ *  Meta information
+ *
+ *  Currently, since this call does not support passing of an owner
+ *  (certificate, or physical name of the .sf file), it is restricted to
+ *  returning information located in the manifest.mf file. 
+ *
+ *  Meta information is a name/value pair inside the archive file. Here,
+ *  the name is passed in *header and value returned in **info.
+ *
+ *  Pass a NULL as the name to retrieve metainfo from the global section.
+ *
+ *  Data is returned in **info, of size *length. The return value
+ *  will indicate if no data was found.
+ *
+ */
+
+extern int JAR_get_metainfo
+    (JAR *jar, char *name, char *header, void **info, unsigned long *length);
+
+extern char *JAR_get_filename (JAR *jar);
+
+extern char *JAR_get_url (JAR *jar);
+
+/*
+ *  Return an HTML mockup of a certificate or signature.
+ *
+ *  Returns a zero terminated ascii string
+ *  in raw HTML format.
+ *
+ */
+
+extern char *JAR_cert_html
+    (JAR *jar, int style, long keylen, void *key, int *result);
+
+/* save the certificate with this fingerprint in persistent
+   storage, somewhere, for retrieval in a future session when there 
+   is no corresponding JAR structure. */
+
+extern int PR_CALLBACK JAR_stash_cert
+        (JAR *jar, long keylen, void *key);
+
+/* retrieve a certificate presumably stashed with the above
+   function, but may be any certificate. Type is &CERTCertificate */
+
+void *JAR_fetch_cert (long length, void *key);
+
+/*
+ *  New functions to handle archives alone
+ *    (call JAR_new beforehand)
+ *
+ *  JAR_pass_archive acts much like parse_manifest. Certificates
+ *  are returned in the JAR structure but as opaque data. When calling 
+ *  JAR_verified_extract you still need to decide which of these 
+ *  certificates to honor. 
+ *
+ *  Code to examine a JAR structure is in jarbert.c. You can obtain both 
+ *  a list of filenames and certificates from traversing the linked list.
+ *
+ */
+
+extern int JAR_pass_archive
+    (JAR *jar, jarArch format, char *filename, const char *url);
+
+/*
+ * Same thing, but don't check signatures
+ */
+extern int JAR_pass_archive_unverified
+    (JAR *jar, jarArch format, char *filename, const char *url);
+
+/*
+ *  Extracts a relative pathname from the archive and places it
+ *  in the filename specified. 
+ * 
+ *  Call JAR_set_nailed if you want to keep the file descriptors
+ *  open between multiple calls to JAR_verify_extract.
+ *
+ */
+
+extern int JAR_verified_extract
+    (JAR *jar, char *path, char *outpath);
+
+/*
+ *  JAR_extract does no crypto checking. This can be used if you
+ *  need to extract a manifest file or signature, etc.
+ *
+ */
+
+extern int JAR_extract
+    (JAR *jar, char *path, char *outpath);
+
+
+#endif /* __JAR_h_ */ 
diff --git a/security/nss/lib/jar/jarevil.c b/security/nss/lib/jar/jarevil.c
new file mode 100644
index 000000000..cced82b7d
--- /dev/null
+++ b/security/nss/lib/jar/jarevil.c
@@ -0,0 +1,573 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ *  JAREVIL
+ *
+ *  Wrappers to callback in the mozilla thread
+ *
+ *  Certificate code is unsafe when called outside the
+ *  mozilla thread. These functions push an event on the
+ *  queue to cause the cert function to run in that thread. 
+ *
+ */
+
+#include "jar.h"
+#include "jarint.h"
+
+#include "jarevil.h"
+#include "certdb.h"
+
+/* from libevent.h */
+#ifdef MOZILLA_CLIENT_OLD
+typedef void (*ETVoidPtrFunc) (void * data);
+extern void ET_moz_CallFunction (ETVoidPtrFunc fn, void *data);
+
+extern void *mozilla_event_queue;
+#endif
+
+
+/* Special macros facilitate running on Win 16 */
+#if defined(XP_WIN16)
+
+  /* 
+   * Allocate the data passed to the callback functions from the heap...
+   *
+   * This inter-thread structure cannot reside on a thread stack since the 
+   * thread's stack is swapped away with the thread under Win16...
+   */
+
+ #define ALLOC_OR_DEFINE(type, pointer_var_name, out_of_memory_return_value) \
+         type * pointer_var_name = PORT_ZAlloc (sizeof(type));               \
+         do {                                                                \
+           if (!pointer_var_name)                                            \
+             return (out_of_memory_return_value);                            \
+         } while (0)   /* and now a semicolon can follow :-) */
+
+ #define FREE_IF_ALLOC_IS_USED(pointer_var_name) PORT_Free(pointer_var_name)
+
+#else /* not win 16... so we can alloc via auto variables */
+
+ #define ALLOC_OR_DEFINE(type, pointer_var_name, out_of_memory_return_value) \
+         type actual_structure_allocated_in_macro;                           \
+         type * pointer_var_name = &actual_structure_allocated_in_macro;     \
+         PORT_Memset (pointer_var_name, 0, sizeof (*pointer_var_name));      \
+         ((void) 0) /* and now a semicolon can follow  */
+
+ #define FREE_IF_ALLOC_IS_USED(pointer_var_name) ((void) 0)
+
+#endif /* not Win 16 */
+
+/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
+
+/*
+ *  JAR_MOZ_encode
+ *
+ *  Call SEC_PKCS7Encode inside
+ *  the mozilla thread
+ *
+ */
+
+struct EVIL_encode
+  {
+  int error;
+  SECStatus status;
+  SEC_PKCS7ContentInfo *cinfo;
+  SEC_PKCS7EncoderOutputCallback outputfn;
+  void *outputarg;
+  PK11SymKey *bulkkey;
+  SECKEYGetPasswordKey pwfn;
+  void *pwfnarg;
+  };
+
+
+/* This is called inside the mozilla thread */
+
+PR_STATIC_CALLBACK(void) jar_moz_encode_fn (void *data)
+  {
+  SECStatus status;
+  struct EVIL_encode *encode_data = (struct EVIL_encode *)data;
+
+  PORT_SetError (encode_data->error);
+
+  status = SEC_PKCS7Encode (encode_data->cinfo, encode_data->outputfn, 
+                            encode_data->outputarg, encode_data->bulkkey, 
+                            encode_data->pwfn, encode_data->pwfnarg);
+
+  encode_data->status = status;
+  encode_data->error = PORT_GetError();
+  }
+
+
+/* Wrapper for the ET_MOZ call */
+ 
+SECStatus jar_moz_encode
+      (
+      SEC_PKCS7ContentInfo *cinfo,
+      SEC_PKCS7EncoderOutputCallback  outputfn,
+      void *outputarg,
+      PK11SymKey *bulkkey,
+      SECKEYGetPasswordKey pwfn,
+      void *pwfnarg
+      )
+  {
+  SECStatus ret;
+  ALLOC_OR_DEFINE(struct EVIL_encode, encode_data, SECFailure);
+
+  encode_data->error     = PORT_GetError();
+  encode_data->cinfo     = cinfo;
+  encode_data->outputfn  = outputfn;
+  encode_data->outputarg = outputarg;
+  encode_data->bulkkey   = bulkkey;
+  encode_data->pwfn      = pwfn;
+  encode_data->pwfnarg   = pwfnarg;
+
+  /* Synchronously invoke the callback function on the mozilla thread. */
+#ifdef MOZILLA_CLIENT_OLD
+  if (mozilla_event_queue)
+    ET_moz_CallFunction (jar_moz_encode_fn, encode_data);
+  else
+    jar_moz_encode_fn (encode_data);
+#else
+  jar_moz_encode_fn (encode_data);
+#endif
+
+  PORT_SetError (encode_data->error);
+  ret = encode_data->status;
+
+  /* Free the data passed to the callback function... */
+  FREE_IF_ALLOC_IS_USED(encode_data);
+  return ret;
+  }
+
+/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
+
+/*
+ *  JAR_MOZ_verify
+ *
+ *  Call SEC_PKCS7VerifyDetachedSignature inside
+ *  the mozilla thread
+ *
+ */
+
+struct EVIL_verify
+  {
+  int error;
+  SECStatus status;
+  SEC_PKCS7ContentInfo *cinfo;
+  SECCertUsage certusage;
+  SECItem *detached_digest;
+  HASH_HashType digest_type;
+  PRBool keepcerts;
+  };
+
+/* This is called inside the mozilla thread */
+
+PR_STATIC_CALLBACK(void) jar_moz_verify_fn (void *data)
+  {
+	PRBool result;
+  struct EVIL_verify *verify_data = (struct EVIL_verify *)data;
+
+  PORT_SetError (verify_data->error);
+
+  result = SEC_PKCS7VerifyDetachedSignature
+        (verify_data->cinfo, verify_data->certusage, verify_data->detached_digest, 
+         verify_data->digest_type, verify_data->keepcerts);
+	
+
+  verify_data->status = result==PR_TRUE ? SECSuccess : SECFailure;
+  verify_data->error = PORT_GetError();
+  }
+
+
+/* Wrapper for the ET_MOZ call */
+ 
+SECStatus jar_moz_verify
+      (
+      SEC_PKCS7ContentInfo *cinfo,
+      SECCertUsage certusage,
+      SECItem *detached_digest,
+      HASH_HashType digest_type,
+      PRBool keepcerts
+      )
+  {
+  SECStatus ret;
+  ALLOC_OR_DEFINE(struct EVIL_verify, verify_data, SECFailure);
+
+  verify_data->error           = PORT_GetError();
+  verify_data->cinfo           = cinfo;
+  verify_data->certusage       = certusage;
+  verify_data->detached_digest = detached_digest;
+  verify_data->digest_type     = digest_type;
+  verify_data->keepcerts       = keepcerts;
+
+  /* Synchronously invoke the callback function on the mozilla thread. */
+#ifdef MOZILLA_CLIENT_OLD
+  if (mozilla_event_queue)
+    ET_moz_CallFunction (jar_moz_verify_fn, verify_data);
+  else
+    jar_moz_verify_fn (verify_data);
+#else
+  jar_moz_verify_fn (verify_data);
+#endif
+
+  PORT_SetError (verify_data->error);
+  ret = verify_data->status;
+
+  /* Free the data passed to the callback function... */
+  FREE_IF_ALLOC_IS_USED(verify_data);
+  return ret;
+  }
+
+/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
+
+/*
+ *  JAR_MOZ_nickname
+ *
+ *  Call CERT_FindCertByNickname inside
+ *  the mozilla thread
+ *
+ */
+
+struct EVIL_nickname
+  {
+  int error;
+  CERTCertDBHandle *certdb;
+  char *nickname;
+  CERTCertificate *cert;
+  };
+
+
+/* This is called inside the mozilla thread */
+
+PR_STATIC_CALLBACK(void) jar_moz_nickname_fn (void *data)
+  {
+  CERTCertificate *cert;
+  struct EVIL_nickname *nickname_data = (struct EVIL_nickname *)data;
+
+  PORT_SetError (nickname_data->error);
+
+  cert = CERT_FindCertByNickname (nickname_data->certdb, nickname_data->nickname);
+
+  nickname_data->cert  = cert;
+  nickname_data->error = PORT_GetError();
+  }
+
+
+/* Wrapper for the ET_MOZ call */
+ 
+CERTCertificate *jar_moz_nickname (CERTCertDBHandle *certdb, char *nickname)
+  {
+  CERTCertificate *cert;
+  ALLOC_OR_DEFINE(struct EVIL_nickname, nickname_data, NULL );
+
+  nickname_data->error    = PORT_GetError();
+  nickname_data->certdb   = certdb;
+  nickname_data->nickname = nickname;
+
+  /* Synchronously invoke the callback function on the mozilla thread. */
+#ifdef MOZILLA_CLIENT_OLD
+  if (mozilla_event_queue)
+    ET_moz_CallFunction (jar_moz_nickname_fn, nickname_data);
+  else
+    jar_moz_nickname_fn (nickname_data);
+#else
+  jar_moz_nickname_fn (nickname_data);
+#endif
+
+  PORT_SetError (nickname_data->error);
+  cert = nickname_data->cert;
+
+  /* Free the data passed to the callback function... */
+  FREE_IF_ALLOC_IS_USED(nickname_data);
+  return cert;
+  }
+
+/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
+
+/*
+ *  JAR_MOZ_perm
+ *
+ *  Call CERT_AddTempCertToPerm inside
+ *  the mozilla thread
+ *
+ */
+
+struct EVIL_perm
+  {
+  int error;
+  SECStatus status;
+  CERTCertificate *cert;
+  char *nickname;
+  CERTCertTrust *trust;
+  };
+
+
+/* This is called inside the mozilla thread */
+
+PR_STATIC_CALLBACK(void) jar_moz_perm_fn (void *data)
+  {
+  SECStatus status;
+  struct EVIL_perm *perm_data = (struct EVIL_perm *)data;
+
+  PORT_SetError (perm_data->error);
+
+  status = CERT_AddTempCertToPerm (perm_data->cert, perm_data->nickname, perm_data->trust);
+
+  perm_data->status = status;
+  perm_data->error = PORT_GetError();
+  }
+
+
+/* Wrapper for the ET_MOZ call */
+ 
+SECStatus jar_moz_perm 
+    (CERTCertificate *cert, char *nickname, CERTCertTrust *trust)
+  {
+  SECStatus ret;
+  ALLOC_OR_DEFINE(struct EVIL_perm, perm_data, SECFailure);
+
+  perm_data->error    = PORT_GetError();
+  perm_data->cert     = cert;
+  perm_data->nickname = nickname;
+  perm_data->trust    = trust;
+
+  /* Synchronously invoke the callback function on the mozilla thread. */
+#ifdef MOZILLA_CLIENT_OLD
+  if (mozilla_event_queue)
+    ET_moz_CallFunction (jar_moz_perm_fn, perm_data);
+  else
+    jar_moz_perm_fn (perm_data);
+#else
+  jar_moz_perm_fn (perm_data);
+#endif
+
+  PORT_SetError (perm_data->error);
+  ret = perm_data->status;
+
+  /* Free the data passed to the callback function... */
+  FREE_IF_ALLOC_IS_USED(perm_data);
+  return ret;
+  }
+
+/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
+
+/*
+ *  JAR_MOZ_certkey
+ *
+ *  Call CERT_FindCertByKey inside
+ *  the mozilla thread
+ *
+ */
+
+struct EVIL_certkey
+  {
+  int error;
+  CERTCertificate *cert;
+  CERTCertDBHandle *certdb;
+  CERTIssuerAndSN *seckey;
+  };
+
+
+/* This is called inside the mozilla thread */
+
+PR_STATIC_CALLBACK(void) jar_moz_certkey_fn (void *data)
+  {
+  CERTCertificate *cert;
+  struct EVIL_certkey *certkey_data = (struct EVIL_certkey *)data;
+
+  PORT_SetError (certkey_data->error);
+
+  cert=CERT_FindCertByIssuerAndSN(certkey_data->certdb, certkey_data->seckey);
+
+  certkey_data->cert = cert;
+  certkey_data->error = PORT_GetError();
+  }
+
+
+/* Wrapper for the ET_MOZ call */
+ 
+CERTCertificate *jar_moz_certkey (CERTCertDBHandle *certdb, 
+						CERTIssuerAndSN *seckey)
+  {
+  CERTCertificate *cert;
+  ALLOC_OR_DEFINE(struct EVIL_certkey, certkey_data, NULL);
+
+  certkey_data->error  = PORT_GetError();
+  certkey_data->certdb = certdb;
+  certkey_data->seckey = seckey;
+
+  /* Synchronously invoke the callback function on the mozilla thread. */
+#ifdef MOZILLA_CLIENT_OLD
+  if (mozilla_event_queue)
+    ET_moz_CallFunction (jar_moz_certkey_fn, certkey_data);
+  else
+    jar_moz_certkey_fn (certkey_data);
+#else
+  jar_moz_certkey_fn (certkey_data);
+#endif
+
+  PORT_SetError (certkey_data->error);
+  cert = certkey_data->cert;
+
+  /* Free the data passed to the callback function... */
+  FREE_IF_ALLOC_IS_USED(certkey_data);
+  return cert;
+  }
+
+/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
+
+/*
+ *  JAR_MOZ_issuer
+ *
+ *  Call CERT_FindCertIssuer inside
+ *  the mozilla thread
+ *
+ */
+
+struct EVIL_issuer
+  {
+  int error;
+  CERTCertificate *cert;
+  CERTCertificate *issuer;
+  };
+
+
+/* This is called inside the mozilla thread */
+
+PR_STATIC_CALLBACK(void) jar_moz_issuer_fn (void *data)
+  {
+  CERTCertificate *issuer;
+  struct EVIL_issuer *issuer_data = (struct EVIL_issuer *)data;
+
+  PORT_SetError (issuer_data->error);
+
+  issuer = CERT_FindCertIssuer (issuer_data->cert, PR_Now(),
+				certUsageObjectSigner);
+
+  issuer_data->issuer = issuer;
+  issuer_data->error = PORT_GetError();
+  }
+
+
+/* Wrapper for the ET_MOZ call */
+ 
+CERTCertificate *jar_moz_issuer (CERTCertificate *cert)
+  {
+  CERTCertificate *issuer_cert;
+  ALLOC_OR_DEFINE(struct EVIL_issuer, issuer_data, NULL);
+
+  issuer_data->error = PORT_GetError();
+  issuer_data->cert  = cert;
+
+  /* Synchronously invoke the callback function on the mozilla thread. */
+#ifdef MOZILLA_CLIENT_OLD
+  if (mozilla_event_queue)
+    ET_moz_CallFunction (jar_moz_issuer_fn, issuer_data);
+  else
+    jar_moz_issuer_fn (issuer_data);
+#else
+  jar_moz_issuer_fn (issuer_data);
+#endif
+
+  PORT_SetError (issuer_data->error);
+  issuer_cert = issuer_data->issuer;
+
+  /* Free the data passed to the callback function... */
+  FREE_IF_ALLOC_IS_USED(issuer_data);
+  return issuer_cert;
+  }
+
+/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
+
+/*
+ *  JAR_MOZ_dup
+ *
+ *  Call CERT_DupCertificate inside
+ *  the mozilla thread
+ *
+ */
+
+struct EVIL_dup
+  {
+  int error;
+  CERTCertificate *cert;
+  CERTCertificate *return_cert;
+  };
+
+
+/* This is called inside the mozilla thread */
+
+PR_STATIC_CALLBACK(void) jar_moz_dup_fn (void *data)
+  {
+  CERTCertificate *return_cert;
+  struct EVIL_dup *dup_data = (struct EVIL_dup *)data;
+
+  PORT_SetError (dup_data->error);
+
+  return_cert = CERT_DupCertificate (dup_data->cert);
+
+  dup_data->return_cert = return_cert;
+  dup_data->error = PORT_GetError();
+  }
+
+
+/* Wrapper for the ET_MOZ call */
+ 
+CERTCertificate *jar_moz_dup (CERTCertificate *cert)
+  {
+  CERTCertificate *dup_cert;
+  ALLOC_OR_DEFINE(struct EVIL_dup, dup_data, NULL);
+
+  dup_data->error = PORT_GetError();
+  dup_data->cert  = cert;
+
+  /* Synchronously invoke the callback function on the mozilla thread. */
+#ifdef MOZILLA_CLIENT_OLD
+  if (mozilla_event_queue)
+    ET_moz_CallFunction (jar_moz_dup_fn, dup_data);
+  else
+    jar_moz_dup_fn (dup_data);
+#else
+  jar_moz_dup_fn (dup_data);
+#endif
+
+  PORT_SetError (dup_data->error);
+  dup_cert = dup_data->return_cert;
+
+  /* Free the data passed to the callback function... */
+  FREE_IF_ALLOC_IS_USED(dup_data);
+  return dup_cert;
+  }
+
+/* --- --- --- --- --- --- --- --- --- --- --- --- --- */
diff --git a/security/nss/lib/jar/jarevil.h b/security/nss/lib/jar/jarevil.h
new file mode 100644
index 000000000..95b4f6883
--- /dev/null
+++ b/security/nss/lib/jar/jarevil.h
@@ -0,0 +1,76 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ *  jarevil.h
+ *
+ *  dot H file for calls to mozilla thread
+ *  from within jarver.c 
+ *
+ */
+
+#include "certt.h"
+#include "secpkcs7.h"
+
+extern SECStatus jar_moz_encode
+      (
+      SEC_PKCS7ContentInfo *cinfo,
+      SEC_PKCS7EncoderOutputCallback  outputfn,
+      void *outputarg,
+      PK11SymKey *bulkkey,
+      SECKEYGetPasswordKey pwfn,
+      void *pwfnarg
+      );
+
+extern SECStatus jar_moz_verify
+      (
+      SEC_PKCS7ContentInfo *cinfo,
+      SECCertUsage certusage,
+      SECItem *detached_digest,
+      HASH_HashType digest_type,
+      PRBool keepcerts
+      );
+
+extern CERTCertificate *jar_moz_nickname 
+   (CERTCertDBHandle *certdb, char *nickname);
+
+extern SECStatus jar_moz_perm 
+  (CERTCertificate *cert, char *nickname, CERTCertTrust *trust);
+ 
+extern CERTCertificate *jar_moz_certkey 
+  (CERTCertDBHandle *certdb, CERTIssuerAndSN *seckey);
+
+extern CERTCertificate *jar_moz_issuer (CERTCertificate *cert);
+
+extern CERTCertificate *jar_moz_dup (CERTCertificate *cert);
+
diff --git a/security/nss/lib/jar/jarfile.c b/security/nss/lib/jar/jarfile.c
new file mode 100644
index 000000000..19a3eaa02
--- /dev/null
+++ b/security/nss/lib/jar/jarfile.c
@@ -0,0 +1,1151 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ *  JARFILE
+ *
+ *  Parsing of a Jar file
+ */
+
+#define JAR_SIZE 256
+
+#include "jar.h"
+
+#include "jarint.h"
+#include "jarfile.h"
+
+/* commercial compression */
+#include "jzlib.h"
+
+#if defined(XP_UNIX) || defined(XP_BEOS)
+#include "sys/stat.h"
+#endif
+
+#include "sechash.h"	/* for HASH_GetHashObject() */
+
+/* extracting */
+
+static int jar_guess_jar (char *filename, JAR_FILE fp);
+
+static int jar_inflate_memory 
+   (unsigned int method, long *length, long expected_out_len, char ZHUGEP **data);
+
+static int jar_physical_extraction 
+   (JAR_FILE fp, char *outpath, long offset, long length);
+
+static int jar_physical_inflate
+   (JAR_FILE fp, char *outpath, long offset, 
+         long length, unsigned int method);
+
+static int jar_verify_extract 
+   (JAR *jar, char *path, char *physical_path);
+
+static JAR_Physical *jar_get_physical (JAR *jar, char *pathname);
+
+static int jar_extract_manifests (JAR *jar, jarArch format, JAR_FILE fp);
+
+static int jar_extract_mf (JAR *jar, jarArch format, JAR_FILE fp, char *ext);
+
+
+/* indexing */
+
+static int jar_gen_index (JAR *jar, jarArch format, JAR_FILE fp);
+
+static int jar_listtar (JAR *jar, JAR_FILE fp);
+
+static int jar_listzip (JAR *jar, JAR_FILE fp);
+
+
+/* conversions */
+
+static int dosdate (char *date, char *s);
+
+static int dostime (char *time, char *s);
+
+static unsigned int xtoint (unsigned char *ii);
+
+static unsigned long xtolong (unsigned char *ll);
+
+static long atoo (char *s);
+
+/*
+ *  J A R _ p a s s _ a r c h i v e
+ *
+ *  For use by naive clients. Slam an entire archive file
+ *  into this function. We extract manifests, parse, index
+ *  the archive file, and do whatever nastiness.
+ *
+ */
+
+int JAR_pass_archive
+    (JAR *jar, jarArch format, char *filename, const char *url)
+  {
+  JAR_FILE fp;
+  int status = 0;
+
+  if (filename == NULL)
+    return JAR_ERR_GENERAL;
+
+  if ((fp = JAR_FOPEN (filename, "rb")) != NULL)
+    {
+    if (format == jarArchGuess)
+      format = (jarArch)jar_guess_jar (filename, fp);
+
+    jar->format = format;
+    jar->url = url ? PORT_Strdup (url) : NULL;
+    jar->filename = PORT_Strdup (filename);
+
+    status = jar_gen_index (jar, format, fp);
+
+    if (status == 0)
+      status = jar_extract_manifests (jar, format, fp);
+
+    JAR_FCLOSE (fp);
+
+    if (status < 0)
+      return status;
+
+    /* people were expecting it this way */
+    return jar->valid;
+    }
+  else
+    {
+    /* file not found */
+    return JAR_ERR_FNF;
+    }
+  }
+
+/*
+ *  J A R _ p a s s _ a r c h i v e _ u n v e r i f i e d
+ *
+ * Same as JAR_pass_archive, but doesn't parse signatures.
+ *
+ */
+int JAR_pass_archive_unverified
+        (JAR *jar, jarArch format, char *filename, const char *url)
+{
+        JAR_FILE fp;
+        int status = 0;
+
+        if (filename == NULL) {
+                return JAR_ERR_GENERAL;
+        }
+
+        if ((fp = JAR_FOPEN (filename, "rb")) != NULL) {
+                if (format == jarArchGuess) {
+                        format = (jarArch)jar_guess_jar (filename, fp);
+                }
+
+                jar->format = format;
+                jar->url = url ? PORT_Strdup (url) : NULL;
+                jar->filename = PORT_Strdup (filename);
+
+                status = jar_gen_index (jar, format, fp);
+
+                if (status == 0) {
+                        status = jar_extract_mf(jar, format, fp, "mf");
+                }
+
+                JAR_FCLOSE (fp);
+
+                if (status < 0) {
+                        return status;
+                }
+
+                /* people were expecting it this way */
+                return jar->valid;
+        } else {
+                /* file not found */
+                return JAR_ERR_FNF;
+        }
+}
+
+/*
+ *  J A R _ v e r i f i e d _ e x t r a c t
+ *
+ *  Optimization: keep a file descriptor open
+ *  inside the JAR structure, so we don't have to
+ *  open the file 25 times to run java. 
+ *
+ */
+
+int JAR_verified_extract
+    (JAR *jar, char *path, char *outpath)
+  {
+  int status;
+
+  status = JAR_extract (jar, path, outpath);
+
+  if (status >= 0)
+    return jar_verify_extract (jar, path, outpath);
+  else
+    return status;
+  }
+
+int JAR_extract
+    (JAR *jar, char *path, char *outpath)
+  {
+  int result;
+
+  JAR_Physical *phy;
+
+  if (jar->fp == NULL && jar->filename)
+    {
+    jar->fp = (FILE*)JAR_FOPEN (jar->filename, "rb");
+    }
+
+  if (jar->fp == NULL)
+    {
+    /* file not found */
+    return JAR_ERR_FNF;
+    }
+
+  phy = jar_get_physical (jar, path);
+
+  if (phy)
+    {
+    if (phy->compression != 0 && phy->compression != 8)
+      {
+      /* unsupported compression method */
+      result = JAR_ERR_CORRUPT;
+      }
+
+    if (phy->compression == 0)
+      {
+      result = jar_physical_extraction 
+         ((PRFileDesc*)jar->fp, outpath, phy->offset, phy->length);
+      }
+    else
+      {
+      result = jar_physical_inflate 
+         ((PRFileDesc*)jar->fp, outpath, phy->offset, phy->length, 
+            (unsigned int) phy->compression);
+      }
+
+#if defined(XP_UNIX) || defined(XP_BEOS)
+    if (phy->mode)
+      chmod (outpath, 0400 | (mode_t) phy->mode);
+#endif
+    }
+  else
+    {
+    /* pathname not found in archive */
+    result = JAR_ERR_PNF;
+    }
+
+  return result;
+  }
+
+/* 
+ *  p h y s i c a l _ e x t r a c t i o n
+ *
+ *  This needs to be done in chunks of say 32k, instead of
+ *  in one bulk calloc. (Necessary under Win16 platform.)
+ *  This is done for uncompressed entries only.
+ *
+ */
+
+#define CHUNK 32768
+
+static int jar_physical_extraction 
+     (JAR_FILE fp, char *outpath, long offset, long length)
+  {
+  JAR_FILE out;
+
+  char *buffer;
+  long at, chunk;
+
+  int status = 0;
+
+  buffer = (char *) PORT_ZAlloc (CHUNK);
+
+  if (buffer == NULL)
+    return JAR_ERR_MEMORY;
+
+  if ((out = JAR_FOPEN (outpath, "wb")) != NULL)
+    {
+    at = 0;
+
+    JAR_FSEEK (fp, offset, (PRSeekWhence)0);
+
+    while (at < length)
+      {
+      chunk = (at + CHUNK <= length) ? CHUNK : length - at;
+
+      if (JAR_FREAD (fp, buffer, chunk) != chunk)
+        {
+        status = JAR_ERR_DISK;
+        break;
+        }
+
+      at += chunk;
+
+      if (JAR_FWRITE (out, buffer, chunk) < chunk)
+        {
+        /* most likely a disk full error */
+        status = JAR_ERR_DISK;
+        break;
+        }
+      }
+    JAR_FCLOSE (out);
+    }
+  else
+    {
+    /* error opening output file */
+    status = JAR_ERR_DISK;
+    }
+
+  PORT_Free (buffer);
+  return status;
+  }
+
+/*
+ *  j a r _ p h y s i c a l _ i n f l a t e
+ *
+ *  Inflate a range of bytes in a file, writing the inflated
+ *  result to "outpath". Chunk based.
+ *
+ */
+
+/* input and output chunks differ, assume 4x compression */
+
+#define ICHUNK 8192
+#define OCHUNK 32768
+
+static int jar_physical_inflate
+     (JAR_FILE fp, char *outpath, long offset, 
+          long length, unsigned int method)
+  {
+  z_stream zs;
+
+  JAR_FILE out;
+
+  long at, chunk;
+  char *inbuf, *outbuf;
+
+  int status = 0;
+
+  unsigned long prev_total, ochunk, tin;
+
+  if ((inbuf = (char *) PORT_ZAlloc (ICHUNK)) == NULL)
+    return JAR_ERR_MEMORY;
+
+  if ((outbuf = (char *) PORT_ZAlloc (OCHUNK)) == NULL)
+    {
+    PORT_Free (inbuf);
+    return JAR_ERR_MEMORY;
+    }
+
+  PORT_Memset (&zs, 0, sizeof (zs));
+  status = inflateInit2 (&zs, -MAX_WBITS);
+
+  if (status != Z_OK)
+    return JAR_ERR_GENERAL;
+
+  if ((out = JAR_FOPEN (outpath, "wb")) != NULL)
+    {
+    at = 0;
+
+    JAR_FSEEK (fp, offset, (PRSeekWhence)0);
+
+    while (at < length)
+      {
+      chunk = (at + ICHUNK <= length) ? ICHUNK : length - at;
+
+      if (JAR_FREAD (fp, inbuf, chunk) != chunk)
+        {
+        /* incomplete read */
+        return JAR_ERR_CORRUPT;
+        }
+
+      at += chunk;
+
+      zs.next_in = (Bytef *) inbuf;
+      zs.avail_in = chunk;
+      zs.avail_out = OCHUNK;
+
+      tin = zs.total_in;
+
+      while ((zs.total_in - tin < chunk) || (zs.avail_out == 0))
+        {
+        prev_total = zs.total_out;
+
+        zs.next_out = (Bytef *) outbuf;
+        zs.avail_out = OCHUNK;
+
+        status = inflate (&zs, Z_NO_FLUSH);
+
+        if (status != Z_OK && status != Z_STREAM_END)
+          {
+          /* error during decompression */
+          return JAR_ERR_CORRUPT;
+          }
+
+	ochunk = zs.total_out - prev_total;
+
+        if (JAR_FWRITE (out, outbuf, ochunk) < ochunk)
+          {
+          /* most likely a disk full error */
+          status = JAR_ERR_DISK;
+          break;
+          }
+
+        if (status == Z_STREAM_END)
+          break;
+        }
+      }
+
+    JAR_FCLOSE (out);
+    status = inflateEnd (&zs);
+    }
+  else
+    {
+    /* error opening output file */
+    status = JAR_ERR_DISK;
+    }
+
+  PORT_Free (inbuf);
+  PORT_Free (outbuf);
+
+  return status;
+  }
+
+/*
+ *  j a r _ i n f l a t e _ m e m o r y
+ *
+ *  Call zlib to inflate the given memory chunk. It is re-XP_ALLOC'd, 
+ *  and thus appears to operate inplace to the caller.
+ *
+ */
+
+static int jar_inflate_memory 
+     (unsigned int method, long *length, long expected_out_len, char ZHUGEP **data)
+  {
+  int status;
+  z_stream zs;
+
+  long insz, outsz;
+
+  char *inbuf, *outbuf;
+
+  inbuf =  *data;
+  insz = *length;
+
+  outsz = expected_out_len;
+  outbuf = (char*)PORT_ZAlloc (outsz);
+
+  if (outbuf == NULL)
+    return JAR_ERR_MEMORY;
+
+  PORT_Memset (&zs, 0, sizeof (zs));
+
+  status = inflateInit2 (&zs, -MAX_WBITS);
+
+  if (status < 0)
+    {
+    /* error initializing zlib stream */
+    return JAR_ERR_GENERAL;
+    }
+
+  zs.next_in = (Bytef *) inbuf;
+  zs.next_out = (Bytef *) outbuf;
+
+  zs.avail_in = insz;
+  zs.avail_out = outsz;
+
+  status = inflate (&zs, Z_FINISH);
+
+  if (status != Z_OK && status != Z_STREAM_END)
+    {
+    /* error during deflation */
+    return JAR_ERR_GENERAL; 
+    }
+
+  status = inflateEnd (&zs);
+
+  if (status != Z_OK)
+    {
+    /* error during deflation */
+    return JAR_ERR_GENERAL;
+    }
+
+  PORT_Free (*data);
+
+  *data = outbuf;
+  *length = zs.total_out;
+
+  return 0;
+  }
+
+/*
+ *  v e r i f y _ e x t r a c t
+ *
+ *  Validate signature on the freshly extracted file.
+ *
+ */
+
+static int jar_verify_extract (JAR *jar, char *path, char *physical_path)
+  {
+  int status;
+  JAR_Digest dig;
+
+  PORT_Memset (&dig, 0, sizeof (JAR_Digest));
+  status = JAR_digest_file (physical_path, &dig);
+
+  if (!status)
+    status = JAR_verify_digest (jar, path, &dig);
+
+  return status;
+  }
+
+/*
+ *  g e t _ p h y s i c a l
+ *
+ *  Let's get physical.
+ *  Obtains the offset and length of this file in the jar file.
+ *
+ */
+
+static JAR_Physical *jar_get_physical (JAR *jar, char *pathname)
+  {
+  JAR_Item *it;
+
+  JAR_Physical *phy;
+
+  ZZLink *link;
+  ZZList *list;
+
+  list = jar->phy;
+
+  if (ZZ_ListEmpty (list))
+    return NULL;
+
+  for (link = ZZ_ListHead (list);
+       !ZZ_ListIterDone (list, link);
+       link = link->next)
+    {
+    it = link->thing;
+    if (it->type == jarTypePhy 
+          && it->pathname && !PORT_Strcmp (it->pathname, pathname))
+      {
+      phy = (JAR_Physical *) it->data;
+      return phy;
+      }
+    }
+
+  return NULL;
+  }
+
+/*
+ *  j a r _ e x t r a c t _ m a n i f e s t s
+ *
+ *  Extract the manifest files and parse them,
+ *  from an open archive file whose contents are known.
+ *
+ */
+
+static int jar_extract_manifests (JAR *jar, jarArch format, JAR_FILE fp)
+  {
+  int status;
+
+  if (format != jarArchZip && format != jarArchTar)
+    return JAR_ERR_CORRUPT;
+
+  if ((status = jar_extract_mf (jar, format, fp, "mf")) < 0)
+    return status;
+
+  if ((status = jar_extract_mf (jar, format, fp, "sf")) < 0)
+    return status;
+
+  if ((status = jar_extract_mf (jar, format, fp, "rsa")) < 0)
+    return status;
+
+  if ((status = jar_extract_mf (jar, format, fp, "dsa")) < 0)
+    return status;
+
+  return 0;
+  }
+
+/*
+ *  j a r _ e x t r a c t _ m f
+ *
+ *  Extracts manifest files based on an extension, which 
+ *  should be .MF, .SF, .RSA, etc. Order of the files is now no 
+ *  longer important when zipping jar files.
+ *
+ */
+
+static int jar_extract_mf (JAR *jar, jarArch format, JAR_FILE fp, char *ext)
+  {
+  JAR_Item *it;
+
+  JAR_Physical *phy;
+
+  ZZLink *link;
+  ZZList *list;
+
+  char *fn, *e;
+  char ZHUGEP *manifest;
+
+  long length;
+  int status, ret = 0, num;
+
+  list = jar->phy;
+
+  if (ZZ_ListEmpty (list))
+    return JAR_ERR_PNF;
+
+  for (link = ZZ_ListHead (list);
+       !ZZ_ListIterDone (list, link);
+       link = link->next)
+    {
+    it = link->thing;
+    if (it->type == jarTypePhy 
+          && !PORT_Strncmp (it->pathname, "META-INF", 8))
+      {
+      phy = (JAR_Physical *) it->data;
+
+      if (PORT_Strlen (it->pathname) < 8)
+        continue;
+
+      fn = it->pathname + 8;
+      if (*fn == '/' || *fn == '\\') fn++;
+
+      if (*fn == 0)
+        {
+        /* just a directory entry */
+        continue;
+        }
+
+      /* skip to extension */
+      for (e = fn; *e && *e != '.'; e++)
+        /* yip */ ;
+
+      /* and skip dot */
+      if (*e == '.') e++;
+
+      if (PORT_Strcasecmp (ext, e))
+        {
+        /* not the right extension */
+        continue;
+        }
+
+      if (phy->length == 0)
+        {
+        /* manifest files cannot be zero length! */
+        return JAR_ERR_CORRUPT;
+        }
+
+      /* Read in the manifest and parse it */
+      /* FIX? Does this break on win16 for very very large manifest files? */
+
+#ifdef XP_WIN16
+      PORT_Assert( phy->length+1 < 0xFFFF );
+#endif
+
+      manifest = (char ZHUGEP *) PORT_ZAlloc (phy->length + 1);
+      if (manifest)
+        {
+        JAR_FSEEK (fp, phy->offset, (PRSeekWhence)0);
+        num = JAR_FREAD (fp, manifest, phy->length);
+
+        if (num != phy->length)
+          {
+          /* corrupt archive file */
+          return JAR_ERR_CORRUPT;
+          }
+
+        if (phy->compression == 8)
+          {
+          length = phy->length;
+
+          status = jar_inflate_memory ((unsigned int) phy->compression, &length,  phy->uncompressed_length, &manifest);
+
+          if (status < 0)
+            return status;
+          }
+        else if (phy->compression)
+          {
+          /* unsupported compression method */
+          return JAR_ERR_CORRUPT;
+          }
+        else
+          length = phy->length;
+
+        status = JAR_parse_manifest 
+           (jar, manifest, length, it->pathname, "url");
+
+        PORT_Free (manifest);
+
+        if (status < 0 && ret == 0) ret = status;
+        }
+      else
+        return JAR_ERR_MEMORY;
+      }
+    else if (it->type == jarTypePhy)
+      {
+      /* ordinary file */
+      }
+    }
+
+  return ret;
+  }
+
+/*
+ *  j a r _ g e n _ i n d e x
+ *
+ *  Generate an index for the various types of
+ *  known archive files. Right now .ZIP and .TAR
+ *
+ */
+
+static int jar_gen_index (JAR *jar, jarArch format, JAR_FILE fp)
+  {
+  int result = JAR_ERR_CORRUPT;
+  JAR_FSEEK (fp, 0, (PRSeekWhence)0);
+
+  switch (format)
+    {
+    case jarArchZip:
+      result = jar_listzip (jar, fp);
+      break;
+
+    case jarArchTar:
+      result = jar_listtar (jar, fp);
+      break;
+
+    case jarArchGuess:
+    case jarArchNone:
+      return JAR_ERR_GENERAL;
+    }
+
+  JAR_FSEEK (fp, 0, (PRSeekWhence)0);
+  return result;
+  }
+
+
+/*
+ *  j a r _ l i s t z i p
+ *
+ *  List the physical contents of a Phil Katz 
+ *  style .ZIP file into the JAR linked list.
+ *
+ */
+
+static int jar_listzip (JAR *jar, JAR_FILE fp)
+  {
+  int err = 0;
+
+  long pos = 0L;
+  char filename [JAR_SIZE];
+
+  char date [9], time [9];
+  char sig [4];
+
+  unsigned int compression;
+  unsigned int filename_len, extra_len;
+
+  struct ZipLocal *Local;
+  struct ZipCentral *Central;
+  struct ZipEnd *End;
+
+  /* phy things */
+
+  ZZLink  *ent;
+  JAR_Item *it;
+  JAR_Physical *phy;
+
+  Local = (struct ZipLocal *) PORT_ZAlloc (30);
+  Central = (struct ZipCentral *) PORT_ZAlloc (46);
+  End = (struct ZipEnd *) PORT_ZAlloc (22);
+
+  if (!Local || !Central || !End)
+    {
+    /* out of memory */
+    err = JAR_ERR_MEMORY;
+    goto loser;
+    }
+
+  while (1)
+    {
+    JAR_FSEEK (fp, pos, (PRSeekWhence)0);
+
+    if (JAR_FREAD (fp, (char *) sig, 4) != 4)
+      {
+      /* zip file ends prematurely */
+      err = JAR_ERR_CORRUPT;
+      goto loser;
+      }
+
+    JAR_FSEEK (fp, pos, (PRSeekWhence)0);
+
+    if (xtolong ((unsigned char *)sig) == LSIG)
+      {
+      JAR_FREAD (fp, (char *) Local, 30);
+
+      filename_len = xtoint ((unsigned char *) Local->filename_len);
+      extra_len = xtoint ((unsigned char *) Local->extrafield_len);
+
+      if (filename_len >= JAR_SIZE)
+        {
+        /* corrupt zip file */
+        err = JAR_ERR_CORRUPT;
+        goto loser;
+        }
+
+      if (JAR_FREAD (fp, filename, filename_len) != filename_len)
+        {
+        /* truncated archive file */
+        err = JAR_ERR_CORRUPT;
+        goto loser;
+        }
+
+      filename [filename_len] = 0;
+
+      /* Add this to our jar chain */
+
+      phy = (JAR_Physical *) PORT_ZAlloc (sizeof (JAR_Physical));
+
+      if (phy == NULL)
+        {
+        err = JAR_ERR_MEMORY;
+        goto loser;
+        }
+
+      /* We will index any file that comes our way, but when it comes
+         to actually extraction, compression must be 0 or 8 */
+
+      compression = xtoint ((unsigned char *) Local->method);
+      phy->compression = compression >= 0 && 
+              compression <= 255 ? compression : 222;
+
+      phy->offset = pos + 30 + filename_len + extra_len;
+      phy->length = xtolong ((unsigned char *) Local->size);
+      phy->uncompressed_length = xtolong((unsigned char *) Local->orglen);
+
+      dosdate (date, Local->date);
+      dostime (time, Local->time);
+
+      it = (JAR_Item*)PORT_ZAlloc (sizeof (JAR_Item));
+      if (it == NULL)
+        {
+        err = JAR_ERR_MEMORY;
+        goto loser;
+        }
+
+      it->pathname = PORT_Strdup (filename);
+
+      it->type = jarTypePhy;
+
+      it->data = (unsigned char *) phy;
+      it->size = sizeof (JAR_Physical);
+
+      ent = ZZ_NewLink (it);
+
+      if (ent == NULL)
+        {
+        err = JAR_ERR_MEMORY;
+        goto loser;
+        }
+
+      ZZ_AppendLink (jar->phy, ent);
+ 
+      pos = phy->offset + phy->length;
+      }
+    else if (xtolong ( (unsigned char *)sig) == CSIG)
+      {
+      if (JAR_FREAD (fp, (char *) Central, 46) != 46)
+        {
+        /* apparently truncated archive */
+        err = JAR_ERR_CORRUPT;
+        goto loser;
+        }
+
+#if defined(XP_UNIX) || defined(XP_BEOS)
+      /* with unix we need to locate any bits from 
+         the protection mask in the external attributes. */
+        {
+        unsigned int attr;
+
+        /* determined empirically */
+        attr = Central->external_attributes [2];
+
+        if (attr)
+          {
+          /* we have to read the filename, again */
+
+          filename_len = xtoint ((unsigned char *) Central->filename_len);
+
+          if (filename_len >= JAR_SIZE)
+            {
+            /* corrupt in central directory */
+            err = JAR_ERR_CORRUPT;
+            goto loser;
+            }
+
+          if (JAR_FREAD (fp, filename, filename_len) != filename_len)
+            {
+            /* truncated in central directory */
+            err = JAR_ERR_CORRUPT;
+            goto loser;
+            }
+
+          filename [filename_len] = 0;
+
+          /* look up this name again */
+          phy = jar_get_physical (jar, filename);
+
+          if (phy)
+            {
+            /* always allow access by self */
+            phy->mode = 0400 | attr;
+            }
+          }
+        }
+#endif
+
+      pos += 46 + xtoint ( (unsigned char *)Central->filename_len)
+                + xtoint ( (unsigned char *)Central->commentfield_len)
+                + xtoint ( (unsigned char *)Central->extrafield_len);
+      }
+    else if (xtolong ( (unsigned char *)sig) == ESIG)
+      {
+      if (JAR_FREAD (fp, (char *) End, 22) != 22)
+        {
+        err = JAR_ERR_CORRUPT;
+        goto loser;
+        }
+      else
+        break;
+      }
+    else
+      {
+      /* garbage in archive */
+      err = JAR_ERR_CORRUPT;
+      goto loser;
+      }
+    }
+
+loser:
+
+  if (Local) PORT_Free (Local);
+  if (Central) PORT_Free (Central);
+  if (End) PORT_Free (End);
+
+  return err;
+  }
+
+/*
+ *  j a r _ l i s t t a r
+ *
+ *  List the physical contents of a Unix 
+ *  .tar file into the JAR linked list.
+ *
+ */
+
+static int jar_listtar (JAR *jar, JAR_FILE fp)
+  {
+  long pos = 0L;
+
+  long sz, mode;
+  time_t when;
+  union TarEntry tarball;
+
+  char *s;
+
+  /* phy things */
+
+  JAR_Physical *phy;
+
+  while (1)
+    {
+    JAR_FSEEK (fp, pos, (PRSeekWhence)0);
+
+    if (JAR_FREAD (fp, (char *) &tarball, 512) < 512)
+      break;
+
+    if (!*tarball.val.filename)
+      break;
+
+    when = atoo (tarball.val.time);
+    sz = atoo (tarball.val.size);
+    mode = atoo (tarball.val.mode);
+
+
+    /* Tag the end of filename */
+
+    s = tarball.val.filename;
+    while (*s && *s != ' ') s++;
+    *s = 0;
+
+
+    /* Add to our linked list */
+
+    phy = (JAR_Physical *) PORT_ZAlloc (sizeof (JAR_Physical));
+
+    if (phy == NULL)
+      return JAR_ERR_MEMORY;
+
+    phy->compression = 0;
+    phy->offset = pos + 512;
+    phy->length = sz;
+
+    ADDITEM (jar->phy, jarTypePhy, 
+       tarball.val.filename, phy, sizeof (JAR_Physical));
+
+
+    /* Advance to next file entry */
+
+    sz += 511;
+    sz = (sz / 512) * 512;
+
+    pos += sz + 512;
+    }
+
+  return 0;
+  }
+
+/*
+ *  d o s d a t e
+ *
+ *  Not used right now, but keep it in here because
+ *  it will be needed. 
+ *
+ */
+
+static int dosdate (char *date, char *s)
+  {
+  int num = xtoint ( (unsigned char *)s);
+
+  PR_snprintf (date, 9, "%02d-%02d-%02d",
+     ((num >> 5) & 0x0F), (num & 0x1F), ((num >> 9) + 80));
+
+  return 0;
+  }
+
+/*
+ *  d o s t i m e
+ *
+ *  Not used right now, but keep it in here because
+ *  it will be needed. 
+ *
+ */
+
+static int dostime (char *time, char *s)
+  {
+  int num = xtoint ( (unsigned char *)s);
+
+  PR_snprintf (time, 6, "%02d:%02d",
+     ((num >> 11) & 0x1F), ((num >> 5) & 0x3F));
+
+  return 0;
+  }
+
+/*
+ *  x t o i n t
+ *
+ *  Converts a two byte ugly endianed integer
+ *  to our platform's integer.
+ *
+ */
+
+static unsigned int xtoint (unsigned char *ii)
+  {
+  return (int) (ii [0]) | ((int) ii [1] << 8);
+  }
+
+/*
+ *  x t o l o n g
+ *
+ *  Converts a four byte ugly endianed integer
+ *  to our platform's integer.
+ *
+ */
+
+static unsigned long xtolong (unsigned char *ll)
+  {
+  unsigned long ret;
+
+  ret =  (
+         (((unsigned long) ll [0]) <<  0) |
+         (((unsigned long) ll [1]) <<  8) |
+         (((unsigned long) ll [2]) << 16) |
+         (((unsigned long) ll [3]) << 24)
+         );
+
+  return ret;
+  }
+
+/*
+ *  a t o o
+ *
+ *  Ascii octal to decimal.
+ *  Used for integer encoding inside tar files.
+ *
+ */
+
+static long atoo (char *s)
+  {
+  long num = 0L;
+
+  while (*s == ' ') s++;
+
+  while (*s >= '0' && *s <= '7')
+    {
+    num <<= 3;
+    num += *s++ - '0';
+    }
+
+  return num;
+  }
+
+/*
+ *  g u e s s _ j a r
+ *
+ *  Try to guess what kind of JAR file this is.
+ *  Maybe tar, maybe zip. Look in the file for magic
+ *  or at its filename.
+ *
+ */
+
+static int jar_guess_jar (char *filename, JAR_FILE fp)
+  {
+  char *ext;
+
+  ext = filename + PORT_Strlen (filename) - 4;
+
+  if (!PORT_Strcmp (ext, ".tar"))
+    return jarArchTar;
+
+  return jarArchZip;
+  }
diff --git a/security/nss/lib/jar/jarfile.h b/security/nss/lib/jar/jarfile.h
new file mode 100644
index 000000000..d28b090fa
--- /dev/null
+++ b/security/nss/lib/jar/jarfile.h
@@ -0,0 +1,114 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ *  JARFILE.H
+ * 
+ *  Certain constants and structures for the archive format.
+ *
+ */
+
+/* ZIP */
+
+struct ZipLocal
+  {
+  char signature [4];
+  char word [2];
+  char bitflag [2];
+  char method [2];
+  char time [2];
+  char date [2];
+  char crc32 [4];
+  char size [4];
+  char orglen [4];
+  char filename_len [2];
+  char extrafield_len [2];
+  };
+
+struct ZipCentral
+  {
+  char signature [4];
+  char version_made_by [2];
+  char version [2];
+  char bitflag [2];
+  char method [2];
+  char time [2];
+  char date [2];
+  char crc32 [4];
+  char size [4];
+  char orglen [4];
+  char filename_len [2];
+  char extrafield_len [2];
+  char commentfield_len [2];
+  char diskstart_number [2];
+  char internal_attributes [2];
+  char external_attributes [4];
+  char localhdr_offset [4];
+  };
+
+struct ZipEnd
+  {
+  char signature [4];
+  char disk_nr [2];
+  char start_central_dir [2];
+  char total_entries_disk [2];
+  char total_entries_archive [2];
+  char central_dir_size [4];
+  char offset_central_dir [4];
+  char commentfield_len [2];
+  };
+
+#define LSIG 0x04034B50l
+#define CSIG 0x02014B50l
+#define ESIG 0x06054B50l
+
+/* TAR */
+
+union TarEntry
+  {
+  struct header
+    {
+    char filename [100];
+    char mode [8];
+    char uid [8];
+    char gid [8];
+    char size [12];
+    char time [12];
+    char checksum [8];
+    char linkflag;
+    char linkname [100];
+    }
+  val;
+
+  char buffer [512];
+  };
diff --git a/security/nss/lib/jar/jarint.c b/security/nss/lib/jar/jarint.c
new file mode 100644
index 000000000..4c8da5986
--- /dev/null
+++ b/security/nss/lib/jar/jarint.c
@@ -0,0 +1,81 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Internal libjar routines.
+ */
+
+#include "jar.h"
+#include "jarint.h"
+
+/*-----------------------------------------------------------------------
+ * JAR_FOPEN_to_PR_Open
+ * Translate JAR_FOPEN arguments to PR_Open arguments
+ */
+PRFileDesc*
+JAR_FOPEN_to_PR_Open(const char* name, const char *mode)
+{
+
+	PRIntn	prflags=0, prmode=0;
+
+	/* Get read/write flags */
+	if(strchr(mode, 'r') && !strchr(mode, '+')) {
+		prflags |= PR_RDONLY;
+	} else if( (strchr(mode, 'w') || strchr(mode, 'a')) &&
+			!strchr(mode,'+') ) {
+		prflags |= PR_WRONLY;
+	} else {
+		prflags |= PR_RDWR;
+	}
+
+	/* Create a new file? */
+	if(strchr(mode, 'w') || strchr(mode, 'a')) {
+		prflags |= PR_CREATE_FILE;
+	}
+
+	/* Append? */
+	if(strchr(mode, 'a')) {
+		prflags |= PR_APPEND;
+	}
+
+	/* Truncate? */
+	if(strchr(mode, 'w')) {
+		prflags |= PR_TRUNCATE;
+	}
+
+	/* We can't do umask because it isn't XP.  Choose some default
+	   mode for created files */
+	prmode = 0755;
+
+	return PR_Open(name, prflags, prmode);
+}
diff --git a/security/nss/lib/jar/jarint.h b/security/nss/lib/jar/jarint.h
new file mode 100644
index 000000000..7baa4f3f1
--- /dev/null
+++ b/security/nss/lib/jar/jarint.h
@@ -0,0 +1,116 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/* JAR internal routines */
+
+#include "nspr.h"
+
+/* definitely required */
+/*#include "certdb.h" */
+#include "key.h"
+#include "base64.h"
+
+extern CERTCertDBHandle *JAR_open_database (void);
+
+extern int JAR_close_database (CERTCertDBHandle *certdb);
+
+extern int jar_close_key_database (void *keydb);
+
+extern void *jar_open_key_database (void);
+
+extern JAR_Signer *JAR_new_signer (void);
+
+extern void JAR_destroy_signer (JAR_Signer *signer);
+
+extern JAR_Signer *jar_get_signer (JAR *jar, char *basename);
+
+extern int jar_append (ZZList *list, int type,
+   char *pathname, void *data, size_t size);
+
+/* Translate fopen mode arg to PR_Open flags and mode */
+PRFileDesc*
+JAR_FOPEN_to_PR_Open(const char *name, const char *mode);
+
+
+#define ADDITEM(list,type,pathname,data,size) \
+  { int err; err = jar_append (list, type, pathname, data, size); \
+    if (err < 0) return err; }
+
+/* Here is some ugliness in the event it is necessary to link
+   with NSPR 1.0 libraries, which do not include an FSEEK. It is 
+   difficult to fudge an FSEEK into 1.0 so we use stdio. */
+
+/* stdio */
+#if 0
+#define JAR_FILE FILE *
+#define JAR_FOPEN(fn,mode) fopen(fn,mode)
+#define JAR_FCLOSE fclose
+#define JAR_FSEEK fseek
+#define JAR_FREAD(fp,buf,siz) fread(buf,1,siz,fp)
+#define JAR_FWRITE(fp,buf,siz) fwrite(buf,1,siz,fp) 
+#endif
+
+#if 0
+/* nspr 1.0 suite */
+#define JAR_FILE PRFileHandle
+#define JAR_FOPEN(fn,mode) PR_OpenFile(fn,0,mode)
+#define JAR_FCLOSE PR_CLOSE
+#define JAR_FSEEK (no-equivalent)
+#define JAR_FREAD PR_READ
+#define JAR_FWRITE PR_WRITE
+#endif
+
+/* nspr 2.0 suite */
+#define JAR_FILE PRFileDesc *
+/* #define JAR_FOPEN(fn,mode) PR_Open(fn,0,0) */
+#define JAR_FOPEN(fn,mode) JAR_FOPEN_to_PR_Open(fn,mode)
+#define JAR_FCLOSE PR_Close
+#define JAR_FSEEK PR_Seek
+#define JAR_FREAD PR_Read
+#define JAR_FWRITE PR_Write
+
+#if 0
+/* nav XP suite, note argument order */
+#define JAR_FILE XP_File
+#define JAR_FOPEN(fn,mode) XP_FileOpen(fn,xpURL,mode)
+#define JAR_FCLOSE XP_FileClose
+#define JAR_FSEEK XP_FileSeek
+#define JAR_FREAD(fp,buf,siz) XP_FileRead(buf,siz,fp)
+#define JAR_FWRITE(fp,buf,siz) XP_FileWrite(buf,siz,fp)
+#endif
+
+int jar_create_pk7
+   (CERTCertDBHandle *certdb, void *keydb,
+       CERTCertificate *cert, char *password, JAR_FILE infp, 
+       JAR_FILE outfp);
+
diff --git a/security/nss/lib/jar/jarjart.c b/security/nss/lib/jar/jarjart.c
new file mode 100644
index 000000000..039531a2b
--- /dev/null
+++ b/security/nss/lib/jar/jarjart.c
@@ -0,0 +1,354 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ *  JARJART
+ *
+ *  JAR functions used by Jartool
+ */
+
+/* This allows manifest files above 64k to be
+   processed on non-win16 platforms */
+
+#include "jar.h"
+#include "jarint.h"
+#include "jarjart.h"
+#include "blapi.h"	/* JAR is supposed to be above the line!! */
+#include "pk11func.h"	/* PK11 wrapper funcs are all above the line. */
+#include "certdb.h"
+
+/* from certdb.h */
+#define CERTDB_USER (1<<6)
+
+#if 0
+/* from certdb.h */
+typedef SECStatus (* PermCertCallback)(CERTCertificate *cert, SECItem *k, void *pdata);
+/* from certdb.h */
+SECStatus SEC_TraversePermCerts
+   (CERTCertDBHandle *handle, PermCertCallback certfunc, void *udata);
+#endif
+
+/*
+ *  S O B _ l i s t _ c e r t s
+ *
+ *  Return a list of newline separated certificate nicknames
+ *  (this function used by the Jartool)
+ * 
+ */
+
+static SECStatus jar_list_cert_callback 
+     (CERTCertificate *cert, SECItem *k, void *data)
+  {
+  char *name;
+  char **ugly_list;
+
+  int trusted;
+
+  ugly_list = (char **) data;
+
+  if (cert)
+    {
+    name = cert->nickname;
+
+    trusted = cert->trust->objectSigningFlags & CERTDB_USER;
+
+    /* Add this name or email to list */
+
+    if (name && trusted)
+      {
+      *ugly_list = (char*)PORT_Realloc
+           (*ugly_list, PORT_Strlen (*ugly_list) + PORT_Strlen (name) + 2);
+
+      if (*ugly_list)
+        {
+        if (**ugly_list)
+          PORT_Strcat (*ugly_list, "\n");
+
+        PORT_Strcat (*ugly_list, name);
+        }
+      }
+    }
+
+  return (SECSuccess);
+  }
+
+/*
+ *  S O B _ J A R _ l i s t _ c e r t s
+ *
+ *  Return a linfeed separated ascii list of certificate
+ *  nicknames for the Jartool.
+ *
+ */
+
+char *JAR_JAR_list_certs (void)
+  {
+  SECStatus status = SECFailure;
+  CERTCertDBHandle *certdb;
+
+  char *ugly_list;
+
+  certdb = JAR_open_database();
+
+  /* a little something */
+  ugly_list = (char*)PORT_ZAlloc (16);
+
+  if (ugly_list)
+    {
+    *ugly_list = 0;
+
+    status = SEC_TraversePermCerts 
+            (certdb, jar_list_cert_callback, (void *) &ugly_list);
+    }
+
+  JAR_close_database (certdb);
+
+  return (status != SECSuccess) ? NULL : ugly_list;
+  }
+
+int JAR_JAR_validate_archive (char *filename)
+  {
+  JAR *jar;
+  int status = -1;
+
+  jar = JAR_new();
+
+  if (jar)
+    {
+    status = JAR_pass_archive (jar, jarArchGuess, filename, "");
+
+    if (status == 0)
+      status = jar->valid;
+
+    JAR_destroy (jar);
+    }
+
+  return status;
+  }
+
+char *JAR_JAR_get_error (int status)
+  {
+  return JAR_get_error (status);
+  }
+
+/*
+ *  S O B _ J A R _  h a s h
+ *
+ *  Hash algorithm interface for use by the Jartool. Since we really
+ *  don't know the private sizes of the context, and Java does need to
+ *  know this number, allocate 512 bytes for it.
+ *
+ *  In april 1997 hashes in this file were changed to call PKCS11,
+ *  as FIPS requires that when a smartcard has failed validation, 
+ *  hashes are not to be performed. But because of the difficulty of
+ *  preserving pointer context between calls to the JAR_JAR hashing
+ *  functions, the hash routines are called directly, though after
+ *  checking to see if hashing is allowed.
+ *
+ */
+
+void *JAR_JAR_new_hash (int alg)
+  {
+  void *context;
+
+  MD5Context *md5;
+  SHA1Context *sha1;
+
+  /* this is a hack because this whole PORT_ZAlloc stuff looks scary */
+
+  if (!PK11_HashOK (alg == 1 ? SEC_OID_MD5 : SEC_OID_SHA1))
+    return NULL;
+
+  context = PORT_ZAlloc (512);
+
+  if (context)
+    {
+    switch (alg)
+      {
+      case 1:  /* MD5 */
+               md5 = (MD5Context *) context;
+               MD5_Begin (md5);
+               break;
+
+      case 2:  /* SHA1 */
+               sha1 = (SHA1Context *) context;
+               SHA1_Begin (sha1);
+               break;
+      }
+    }
+
+  return context;
+  }
+
+void *JAR_JAR_hash (int alg, void *cookie, int length, void *data)
+  {
+  MD5Context *md5;
+  SHA1Context *sha1;
+
+  /* this is a hack because this whole PORT_ZAlloc stuff looks scary */
+
+  if (!PK11_HashOK (alg == 1 ? SEC_OID_MD5 : SEC_OID_SHA1))
+    return NULL;
+
+  if (length > 0)
+    {
+    switch (alg)
+      {
+      case 1:  /* MD5 */
+               md5 = (MD5Context *) cookie;
+               MD5_Update (md5, (unsigned char*)data, length);
+               break;
+
+      case 2:  /* SHA1 */
+               sha1 = (SHA1Context *) cookie;
+               SHA1_Update (sha1, (unsigned char*)data, length);
+               break;
+      }
+    }
+
+  return cookie;
+  }
+
+void *JAR_JAR_end_hash (int alg, void *cookie)
+  {
+  int length;
+  unsigned char *data;
+  char *ascii; 
+
+  MD5Context *md5;
+  SHA1Context *sha1;
+
+  unsigned int md5_length;
+  unsigned char md5_digest [MD5_LENGTH];
+
+  unsigned int sha1_length;
+  unsigned char sha1_digest [SHA1_LENGTH];
+
+  /* this is a hack because this whole PORT_ZAlloc stuff looks scary */
+
+  if (!PK11_HashOK (alg == 1 ? SEC_OID_MD5 : SEC_OID_SHA1)) 
+    return NULL;
+
+  switch (alg)
+    {
+    case 1:  /* MD5 */
+
+             md5 = (MD5Context *) cookie;
+
+             MD5_End (md5, md5_digest, &md5_length, MD5_LENGTH);
+             /* MD5_DestroyContext (md5, PR_TRUE); */
+
+             data = md5_digest;
+             length = md5_length;
+
+             break;
+
+    case 2:  /* SHA1 */
+
+             sha1 = (SHA1Context *) cookie;
+
+             SHA1_End (sha1, sha1_digest, &sha1_length, SHA1_LENGTH);
+             /* SHA1_DestroyContext (sha1, PR_TRUE); */
+
+             data = sha1_digest;
+             length = sha1_length;
+
+             break;
+
+    default: return NULL;
+    }
+
+  /* Instead of destroy context, since we created it */
+  /* PORT_Free (cookie); */
+
+  ascii = BTOA_DataToAscii(data, length);
+
+  return ascii ? PORT_Strdup (ascii) : NULL;
+  }
+
+/*
+ *  S O B _ J A R _ s i g n _ a r c h i v e
+ *
+ *  A simple API to sign a JAR archive.
+ *
+ */
+
+int JAR_JAR_sign_archive 
+      (char *nickname, char *password, char *sf, char *outsig)
+  {
+  char *out_fn;
+
+  int status = JAR_ERR_GENERAL;
+  JAR_FILE sf_fp; 
+  JAR_FILE out_fp;
+
+  CERTCertDBHandle *certdb;
+  void *keydb;
+
+  CERTCertificate *cert;
+
+  /* open cert and key databases */
+
+  certdb = JAR_open_database();
+  if (certdb == NULL)
+    return JAR_ERR_GENERAL;
+
+  keydb = jar_open_key_database();
+  if (keydb == NULL)
+    return JAR_ERR_GENERAL;
+
+  out_fn = PORT_Strdup (sf);
+
+  if (out_fn == NULL || PORT_Strlen (sf) < 5)
+    return JAR_ERR_GENERAL;
+
+  sf_fp = JAR_FOPEN (sf, "rb");
+  out_fp = JAR_FOPEN (outsig, "wb");
+
+  cert = CERT_FindCertByNickname (certdb, nickname);
+
+  if (cert && sf_fp && out_fp)
+    {
+    status = jar_create_pk7 (certdb, keydb, cert, password, sf_fp, out_fp);
+    }
+
+  /* remove password from prying eyes */
+  PORT_Memset (password, 0, PORT_Strlen (password));
+
+  JAR_FCLOSE (sf_fp);
+  JAR_FCLOSE (out_fp);
+
+  JAR_close_database (certdb);
+  jar_close_key_database (keydb);
+
+  return status;
+  }
diff --git a/security/nss/lib/jar/jarjart.h b/security/nss/lib/jar/jarjart.h
new file mode 100644
index 000000000..bb4596e90
--- /dev/null
+++ b/security/nss/lib/jar/jarjart.h
@@ -0,0 +1,72 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ *  jarjart.h
+ *
+ *  Functions for the Jartool, which is written in Java and
+ *  requires wrappers located elsewhere in the client.
+ *
+ *  Do not call these unless you are the Jartool, no matter
+ *  how convenient they may appear.
+ *
+ */
+
+#ifndef _JARJART_H_
+#define _JARJART_H_
+
+/* return a list of certificate nicknames, separated by \n's */
+extern char *JAR_JAR_list_certs (void);
+
+/* validate archive, simple api */
+extern int JAR_JAR_validate_archive (char *filename);
+
+/* begin hash */
+extern void *JAR_JAR_new_hash (int alg);
+
+/* hash a streaming pile */
+extern void *JAR_JAR_hash (int alg, void *cookie, int length, void *data);
+
+/* end hash */
+extern void *JAR_JAR_end_hash (int alg, void *cookie);
+
+/* sign the archive (given an .SF file) with the given cert.
+   The password argument is a relic, PKCS11 now handles that. */
+
+extern int JAR_JAR_sign_archive 
+   (char *nickname, char *password, char *sf, char *outsig);
+
+/* convert status to text */
+extern char *JAR_JAR_get_error (int status);
+
+#endif
diff --git a/security/nss/lib/jar/jarnav.c b/security/nss/lib/jar/jarnav.c
new file mode 100644
index 000000000..865ded5da
--- /dev/null
+++ b/security/nss/lib/jar/jarnav.c
@@ -0,0 +1,107 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ *  JARNAV.C
+ *
+ *  JAR stuff needed for client only.
+ *
+ */
+
+#include "jar.h"
+#include "jarint.h"
+
+/* from proto.h */
+#ifdef MOZILLA_CLIENT_OLD
+extern MWContext *XP_FindSomeContext(void);
+#endif
+
+/* sigh */
+extern MWContext *FE_GetInitContext(void);
+
+/* To return an MWContext for Java */
+static MWContext *(*jar_fn_FindSomeContext) (void) = NULL;
+
+/* To fabricate an MWContext for FE_GetPassword */
+static MWContext *(*jar_fn_GetInitContext) (void) = NULL;
+
+/*
+ *  J A R _ i n i t
+ *
+ *  Initialize the JAR functions.
+ * 
+ */
+
+void JAR_init (void)
+  {
+#ifdef MOZILLA_CLIENT_OLD
+  JAR_init_callbacks (XP_GetString, XP_FindSomeContext, FE_GetInitContext);
+#else
+  JAR_init_callbacks (XP_GetString, NULL, NULL);
+#endif
+  }
+
+/*
+ *  J A R _ s e t _ c o n t e x t
+ *
+ *  Set the jar window context for use by PKCS11, since
+ *  it may be needed to prompt the user for a password.
+ *
+ */
+
+int JAR_set_context (JAR *jar, MWContext *mw)
+  {
+  if (mw)
+    {
+    jar->mw = mw;
+    }
+  else
+    {
+    /* jar->mw = XP_FindSomeContext(); */
+    jar->mw = NULL;
+
+    /*
+     * We can't find a context because we're in startup state and none
+     * exist yet. go get an FE_InitContext that only works at initialization
+     * time.
+     */
+
+    /* Turn on the mac when we get the FE_ function */
+    if (jar->mw == NULL)
+      {
+      jar->mw = jar_fn_GetInitContext();
+      }
+   }
+
+  return 0;
+  }
diff --git a/security/nss/lib/jar/jarsign.c b/security/nss/lib/jar/jarsign.c
new file mode 100644
index 000000000..5ff7d55de
--- /dev/null
+++ b/security/nss/lib/jar/jarsign.c
@@ -0,0 +1,371 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ *  JARSIGN
+ *
+ *  Routines used in signing archives.
+ */
+
+
+#define USE_MOZ_THREAD
+
+#include "jar.h"
+#include "jarint.h"
+
+#ifdef USE_MOZ_THREAD
+#include "jarevil.h"
+#endif
+
+#include "pk11func.h"
+#include "sechash.h"
+
+/* from libevent.h */
+typedef void (*ETVoidPtrFunc) (void * data);
+
+#ifdef MOZILLA_CLIENT_OLD
+
+extern void ET_moz_CallFunction (ETVoidPtrFunc fn, void *data);
+
+/* from proto.h */
+/* extern MWContext *XP_FindSomeContext(void); */
+extern void *XP_FindSomeContext(void);
+
+#endif
+
+/* key database wrapper */
+
+/* static SECKEYKeyDBHandle *jar_open_key_database (void); */
+
+/* CHUNQ is our bite size */
+
+#define CHUNQ 64000
+#define FILECHUNQ 32768
+
+/*
+ *  J A R _ c a l c u l a t e _ d i g e s t 
+ *
+ *  Quick calculation of a digest for
+ *  the specified block of memory. Will calculate
+ *  for all supported algorithms, now MD5.
+ *
+ *  This version supports huge pointers for WIN16.
+ * 
+ */
+
+JAR_Digest * PR_CALLBACK JAR_calculate_digest (void ZHUGEP *data, long length)
+  {
+  long chunq;
+  JAR_Digest *dig;
+
+  unsigned int md5_length, sha1_length;
+
+  PK11Context *md5  = 0;
+  PK11Context *sha1 = 0;
+
+  dig = (JAR_Digest *) PORT_ZAlloc (sizeof (JAR_Digest));
+
+  if (dig == NULL) 
+    {
+    /* out of memory allocating digest */
+    return NULL;
+    }
+
+#if defined(XP_WIN16)
+  PORT_Assert ( !IsBadHugeReadPtr(data, length) );
+#endif
+
+  md5  = PK11_CreateDigestContext (SEC_OID_MD5);
+  sha1 = PK11_CreateDigestContext (SEC_OID_SHA1);
+
+  if (length >= 0) 
+    {
+    PK11_DigestBegin (md5);
+    PK11_DigestBegin (sha1);
+
+    do {
+       chunq = length;
+
+#ifdef XP_WIN16
+       if (length > CHUNQ) chunq = CHUNQ;
+
+       /*
+        *  If the block of data crosses one or more segment 
+        *  boundaries then only pass the chunk of data in the 
+        *  first segment.
+        * 
+        *  This allows the data to be treated as FAR by the
+        *  PK11_DigestOp(...) routine.
+        *
+        */
+
+       if (OFFSETOF(data) + chunq >= 0x10000) 
+         chunq = 0x10000 - OFFSETOF(data);
+#endif
+
+       PK11_DigestOp (md5,  (unsigned char*)data, chunq);
+       PK11_DigestOp (sha1, (unsigned char*)data, chunq);
+
+       length -= chunq;
+       data = ((char ZHUGEP *) data + chunq);
+       } 
+    while (length > 0);
+
+    PK11_DigestFinal (md5,  dig->md5,  &md5_length,  MD5_LENGTH);
+    PK11_DigestFinal (sha1, dig->sha1, &sha1_length, SHA1_LENGTH);
+
+    PK11_DestroyContext (md5,  PR_TRUE);
+    PK11_DestroyContext (sha1, PR_TRUE);
+    }
+
+  return dig;
+  }
+
+/*
+ *  J A R _ d i g e s t _ f i l e
+ *
+ *  Calculates the MD5 and SHA1 digests for a file 
+ *  present on disk, and returns these in JAR_Digest struct.
+ *
+ */
+
+int JAR_digest_file (char *filename, JAR_Digest *dig)
+    {
+    JAR_FILE fp;
+
+    int num;
+    unsigned char *buf;
+
+    PK11Context *md5 = 0;
+    PK11Context *sha1 = 0;
+
+    unsigned int md5_length, sha1_length;
+
+    buf = (unsigned char *) PORT_ZAlloc (FILECHUNQ);
+    if (buf == NULL)
+      {
+      /* out of memory */
+      return JAR_ERR_MEMORY;
+      }
+ 
+    if ((fp = JAR_FOPEN (filename, "rb")) == 0)
+      {
+      /* perror (filename); FIX XXX XXX XXX XXX XXX XXX */
+      PORT_Free (buf);
+      return JAR_ERR_FNF;
+      }
+
+    md5 = PK11_CreateDigestContext (SEC_OID_MD5);
+    sha1 = PK11_CreateDigestContext (SEC_OID_SHA1);
+
+    if (md5 == NULL || sha1 == NULL) 
+      {
+      /* can't generate digest contexts */
+      PORT_Free (buf);
+      JAR_FCLOSE (fp);
+      return JAR_ERR_GENERAL;
+      }
+
+    PK11_DigestBegin (md5);
+    PK11_DigestBegin (sha1);
+
+    while (1)
+      {
+      if ((num = JAR_FREAD (fp, buf, FILECHUNQ)) == 0)
+        break;
+
+      PK11_DigestOp (md5, buf, num);
+      PK11_DigestOp (sha1, buf, num);
+      }
+
+    PK11_DigestFinal (md5, dig->md5, &md5_length, MD5_LENGTH);
+    PK11_DigestFinal (sha1, dig->sha1, &sha1_length, SHA1_LENGTH);
+
+    PK11_DestroyContext (md5, PR_TRUE);
+    PK11_DestroyContext (sha1, PR_TRUE);
+
+    PORT_Free (buf);
+    JAR_FCLOSE (fp);
+
+    return 0;
+    }
+
+/*
+ *  J A R _ o p e n _ k e y _ d a t a b a s e
+ *
+ */
+
+void* jar_open_key_database (void)
+  {
+    return NULL;
+  }
+
+int jar_close_key_database (void *keydb)
+  {
+  /* We never do close it */
+  return 0;
+  }
+
+
+/*
+ *  j a r _ c r e a t e _ p k 7
+ *
+ */
+
+static void jar_pk7_out (void *arg, const char *buf, unsigned long len)
+  {
+  JAR_FWRITE ((JAR_FILE) arg, buf, len);
+  }
+
+int jar_create_pk7 
+   (CERTCertDBHandle *certdb, void *keydb, 
+       CERTCertificate *cert, char *password, JAR_FILE infp, JAR_FILE outfp)
+  {
+  int nb;
+  unsigned char buffer [4096], digestdata[32];
+  const SECHashObject *hashObj;
+  void *hashcx;
+  unsigned int len;
+
+  int status = 0;
+  char *errstring;
+
+  SECItem digest;
+  SEC_PKCS7ContentInfo *cinfo;
+  SECStatus rv;
+
+  void /*MWContext*/ *mw;
+
+  if (outfp == NULL || infp == NULL || cert == NULL)
+    return JAR_ERR_GENERAL;
+
+  /* we sign with SHA */
+  hashObj = HASH_GetHashObject(HASH_AlgSHA1);
+
+  hashcx = (* hashObj->create)();
+  if (hashcx == NULL)
+    return JAR_ERR_GENERAL;
+
+  (* hashObj->begin)(hashcx);
+
+  while (1)
+    {
+    /* nspr2.0 doesn't support feof 
+       if (feof (infp)) break; */
+
+    nb = JAR_FREAD (infp, buffer, sizeof (buffer));
+    if (nb == 0) 
+      {
+#if 0
+      if (ferror(infp)) 
+        {
+        /* PORT_SetError(SEC_ERROR_IO); */ /* FIX */
+	(* hashObj->destroy) (hashcx, PR_TRUE);
+	return JAR_ERR_GENERAL;
+        }
+#endif
+      /* eof */
+      break;
+      }
+    (* hashObj->update) (hashcx, buffer, nb);
+    }
+
+  (* hashObj->end) (hashcx, digestdata, &len, 32);
+  (* hashObj->destroy) (hashcx, PR_TRUE);
+
+  digest.data = digestdata;
+  digest.len = len;
+
+  /* signtool must use any old context it can find since it's
+     calling from inside javaland. */
+
+#ifdef MOZILLA_CLIENT_OLD
+  mw = XP_FindSomeContext();
+#else
+  mw = NULL;
+#endif
+
+  PORT_SetError (0);
+
+  cinfo = SEC_PKCS7CreateSignedData 
+             (cert, certUsageObjectSigner, NULL, 
+                SEC_OID_SHA1, &digest, NULL, (void *) mw);
+
+  if (cinfo == NULL)
+    return JAR_ERR_PK7;
+
+  rv = SEC_PKCS7IncludeCertChain (cinfo, NULL);
+  if (rv != SECSuccess) 
+    {
+    status = PORT_GetError();
+    SEC_PKCS7DestroyContentInfo (cinfo);
+    return status;
+    }
+
+  /* Having this here forces signtool to always include
+     signing time. */
+
+  rv = SEC_PKCS7AddSigningTime (cinfo);
+  if (rv != SECSuccess)
+    {
+    /* don't check error */
+    }
+
+  PORT_SetError (0);
+
+#ifdef USE_MOZ_THREAD
+  /* if calling from mozilla */
+  rv = jar_moz_encode
+             (cinfo, jar_pk7_out, outfp, 
+                 NULL,  /* pwfn */ NULL,  /* pwarg */ (void *) mw);
+#else
+  /* if calling from mozilla thread*/
+  rv = SEC_PKCS7Encode 
+             (cinfo, jar_pk7_out, outfp, 
+                 NULL,  /* pwfn */ NULL,  /* pwarg */ (void *) mw):
+#endif
+
+  if (rv != SECSuccess)
+    status = PORT_GetError();
+
+  SEC_PKCS7DestroyContentInfo (cinfo);
+
+  if (rv != SECSuccess)
+    {
+    errstring = JAR_get_error (status);
+    /*XP_TRACE (("Jar signing failed (reason %d = %s)", status, errstring));*/
+    return status < 0 ? status : JAR_ERR_GENERAL;
+    }
+
+  return 0;
+  }
diff --git a/security/nss/lib/jar/jarver.c b/security/nss/lib/jar/jarver.c
new file mode 100644
index 000000000..be974a1dd
--- /dev/null
+++ b/security/nss/lib/jar/jarver.c
@@ -0,0 +1,2031 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ *  JARVER
+ *
+ *  Jarnature Parsing & Verification
+ */
+
+#define USE_MOZ_THREAD
+
+#include "jar.h"
+#include "jarint.h"
+
+#ifdef USE_MOZ_THREAD
+#include "jarevil.h"
+#endif
+/*#include "cdbhdl.h" */
+#include "secder.h"
+
+/* to use huge pointers in win16 */
+
+#if !defined(XP_WIN16)
+#define xp_HUGE_MEMCPY PORT_Memcpy
+#define xp_HUGE_STRCPY PORT_Strcpy
+#define xp_HUGE_STRLEN PORT_Strlen
+#define xp_HUGE_STRNCASECMP PORT_Strncasecmp
+#else
+#define xp_HUGE_MEMCPY hmemcpy
+int xp_HUGE_STRNCASECMP (char ZHUGEP *buf, char *key, int len);
+size_t xp_HUGE_STRLEN (char ZHUGEP *s);
+char *xp_HUGE_STRCPY (char *to, char ZHUGEP *from);
+#endif
+
+/* from certdb.h */
+#define CERTDB_USER (1<<6)
+
+#if 0
+/* from certdb.h */
+extern PRBool SEC_CertNicknameConflict
+   (char *nickname, CERTCertDBHandle *handle);
+/* from certdb.h */
+extern SECStatus SEC_AddTempNickname
+   (CERTCertDBHandle *handle, char *nickname, SECItem *certKey);
+/* from certdb.h */
+typedef SECStatus (* PermCertCallback)(CERTCertificate *cert, SECItem *k, void *pdata);
+
+/* from certdb.h */
+SECStatus SEC_TraversePermCerts
+   (CERTCertDBHandle *handle, PermCertCallback certfunc, void *udata);
+#endif
+
+
+
+#define SZ 512
+
+static int jar_validate_pkcs7 
+     (JAR *jar, JAR_Signer *signer, char *data, long length);
+
+static void jar_catch_bytes
+     (void *arg, const char *buf, unsigned long len);
+
+static int jar_gather_signers
+     (JAR *jar, JAR_Signer *signer, SEC_PKCS7ContentInfo *cinfo);
+
+static char ZHUGEP *jar_eat_line 
+     (int lines, int eating, char ZHUGEP *data, long *len);
+
+static JAR_Digest *jar_digest_section 
+     (char ZHUGEP *manifest, long length);
+
+static JAR_Digest *jar_get_mf_digest (JAR *jar, char *path);
+
+static int jar_parse_digital_signature 
+     (char *raw_manifest, JAR_Signer *signer, long length, JAR *jar);
+
+static int jar_add_cert
+     (JAR *jar, JAR_Signer *signer, int type, CERTCertificate *cert);
+
+static CERTCertificate *jar_get_certificate
+            (JAR *jar, long keylen, void *key, int *result);
+
+static char *jar_cert_element (char *name, char *tag, int occ);
+
+static char *jar_choose_nickname (CERTCertificate *cert);
+
+static char *jar_basename (const char *path);
+
+static int jar_signal 
+     (int status, JAR *jar, const char *metafile, char *pathname);
+
+#ifdef DEBUG
+static int jar_insanity_check (char ZHUGEP *data, long length);
+#endif
+
+int jar_parse_mf
+    (JAR *jar, char ZHUGEP *raw_manifest, 
+        long length, const char *path, const char *url);
+
+int jar_parse_sf
+    (JAR *jar, char ZHUGEP *raw_manifest, 
+        long length, const char *path, const char *url);
+
+int jar_parse_sig
+    (JAR *jar, const char *path, char ZHUGEP *raw_manifest, long length);
+
+int jar_parse_any
+    (JAR *jar, int type, JAR_Signer *signer, char ZHUGEP *raw_manifest, 
+        long length, const char *path, const char *url);
+
+static int jar_internal_digest 
+     (JAR *jar, const char *path, char *x_name, JAR_Digest *dig);
+
+/*
+ *  J A R _ p a r s e _ m a n i f e s t
+ * 
+ *  Pass manifest files to this function. They are
+ *  decoded and placed into internal representations.
+ * 
+ *  Accepts both signature and manifest files. Use
+ *  the same "jar" for both. 
+ *
+ */
+
+int JAR_parse_manifest 
+    (JAR *jar, char ZHUGEP *raw_manifest, 
+        long length, const char *path, const char *url)
+  {
+
+#if defined(XP_WIN16)
+    PORT_Assert( !IsBadHugeReadPtr(raw_manifest, length) );
+#endif
+
+  /* fill in the path, if supplied. This is a the location
+     of the jar file on disk, if known */
+
+  if (jar->filename == NULL && path)
+    {
+    jar->filename = PORT_Strdup (path);
+    if (jar->filename == NULL)
+      return JAR_ERR_MEMORY;
+    }
+
+  /* fill in the URL, if supplied. This is the place
+     from which the jar file was retrieved. */
+
+  if (jar->url == NULL && url)
+    {
+    jar->url = PORT_Strdup (url);
+    if (jar->url == NULL)
+      return JAR_ERR_MEMORY;
+    }
+
+  /* Determine what kind of file this is from the META-INF 
+     directory. It could be MF, SF, or a binary RSA/DSA file */
+
+  if (!xp_HUGE_STRNCASECMP (raw_manifest, "Manifest-Version:", 17))
+    {
+    return jar_parse_mf (jar, raw_manifest, length, path, url);
+    }
+  else if (!xp_HUGE_STRNCASECMP (raw_manifest, "Signature-Version:", 18))
+    {
+    return jar_parse_sf (jar, raw_manifest, length, path, url);
+    }
+  else
+    {
+    /* This is probably a binary signature */
+    return jar_parse_sig (jar, path, raw_manifest, length);
+    }
+  }
+
+/*
+ *  j a r _ p a r s e _ s i g
+ *
+ *  Pass some manner of RSA or DSA digital signature
+ *  on, after checking to see if it comes at an appropriate state.
+ *
+ */
+ 
+int jar_parse_sig
+    (JAR *jar, const char *path, char ZHUGEP *raw_manifest, long length)
+  {
+  JAR_Signer *signer;
+  int status = JAR_ERR_ORDER;
+
+  if (length <= 128) 
+    {
+    /* signature is way too small */
+    return JAR_ERR_SIG;
+    }
+
+  /* make sure that MF and SF have already been processed */
+
+  if (jar->globalmeta == NULL)
+    return JAR_ERR_ORDER;
+
+#if 0
+  /* XXX Turn this on to disable multiple signers */
+  if (jar->digest == NULL)
+    return JAR_ERR_ORDER;
+#endif
+
+  /* Determine whether or not this RSA file has
+     has an associated SF file */
+
+  if (path)
+    {
+    char *owner;
+    owner = jar_basename (path);
+
+    if (owner == NULL)
+      return JAR_ERR_MEMORY;
+
+    signer = jar_get_signer (jar, owner);
+
+    PORT_Free (owner);
+    }
+  else
+    signer = jar_get_signer (jar, "*");
+
+  if (signer == NULL)
+    return JAR_ERR_ORDER;
+
+
+  /* Do not pass a huge pointer to this function,
+     since the underlying security code is unaware. We will
+     never pass >64k through here. */
+
+  if (length > 64000)
+    {
+    /* this digital signature is way too big */
+    return JAR_ERR_SIG;
+    }
+
+#ifdef XP_WIN16
+  /*
+   * For Win16, copy the portion of the raw_buffer containing the digital 
+   * signature into another buffer...  This insures that the data will
+   * NOT cross a segment boundary.  Therefore, 
+   * jar_parse_digital_signature(...) does NOT need to deal with HUGE 
+   * pointers...
+   */
+
+    {
+    unsigned char *manifest_copy;
+
+    manifest_copy = (unsigned char *) PORT_ZAlloc (length);
+    if (manifest_copy)
+      {
+      xp_HUGE_MEMCPY (manifest_copy, raw_manifest, length);
+
+      status = jar_parse_digital_signature 
+                  (manifest_copy, signer, length, jar);
+
+      PORT_Free (manifest_copy);
+      }
+    else
+      {
+      /* out of memory */
+      return JAR_ERR_MEMORY;
+      }
+    }
+#else
+  /* don't expense unneeded calloc overhead on non-win16 */
+  status = jar_parse_digital_signature 
+                (raw_manifest, signer, length, jar);
+#endif
+
+  return status;
+  }
+
+/*
+ *  j a r _ p a r s e _ m f
+ *
+ *  Parse the META-INF/manifest.mf file, whose
+ *  information applies to all signers.
+ *
+ */
+
+int jar_parse_mf
+    (JAR *jar, char ZHUGEP *raw_manifest, 
+        long length, const char *path, const char *url)
+  {
+  if (jar->globalmeta)
+    {
+    /* refuse a second manifest file, if passed for some reason */
+    return JAR_ERR_ORDER;
+    }
+
+
+  /* remember a digest for the global section */
+
+  jar->globalmeta = jar_digest_section (raw_manifest, length);
+
+  if (jar->globalmeta == NULL)
+    return JAR_ERR_MEMORY;
+
+
+  return jar_parse_any 
+    (jar, jarTypeMF, NULL, raw_manifest, length, path, url);
+  }
+
+/*
+ *  j a r _ p a r s e _ s f
+ *
+ *  Parse META-INF/xxx.sf, a digitally signed file
+ *  pointing to a subset of MF sections. 
+ *
+ */
+
+int jar_parse_sf
+    (JAR *jar, char ZHUGEP *raw_manifest, 
+        long length, const char *path, const char *url)
+  {
+  JAR_Signer *signer = NULL;
+  int status = JAR_ERR_MEMORY;
+
+  if (jar->globalmeta == NULL)
+    {
+    /* It is a requirement that the MF file be passed before the SF file */
+    return JAR_ERR_ORDER;
+    }
+
+  signer = JAR_new_signer();
+
+  if (signer == NULL)
+    goto loser;
+
+  if (path)
+    {
+    signer->owner = jar_basename (path);
+    if (signer->owner == NULL)
+      goto loser;
+    }
+
+
+  /* check for priors. When someone doctors a jar file
+     to contain identical path entries, prevent the second
+     one from affecting JAR functions */
+
+  if (jar_get_signer (jar, signer->owner))
+    {
+    /* someone is trying to spoof us */
+    status = JAR_ERR_ORDER;
+    goto loser;
+    }
+
+
+  /* remember its digest */
+
+  signer->digest = JAR_calculate_digest (raw_manifest, length);
+
+  if (signer->digest == NULL)
+    goto loser;
+
+  /* Add this signer to the jar */
+
+  ADDITEM (jar->signers, jarTypeOwner, 
+     signer->owner, signer, sizeof (JAR_Signer));
+
+
+  return jar_parse_any 
+    (jar, jarTypeSF, signer, raw_manifest, length, path, url);
+
+loser:
+
+  if (signer)
+    JAR_destroy_signer (signer);
+
+  return status;
+  }
+
+/* 
+ *  j a r _ p a r s e _ a n y
+ *
+ *  Parse a MF or SF manifest file. 
+ *
+ */
+ 
+int jar_parse_any
+    (JAR *jar, int type, JAR_Signer *signer, char ZHUGEP *raw_manifest, 
+        long length, const char *path, const char *url)
+  {
+  int status;
+
+  long raw_len;
+
+  JAR_Digest *dig, *mfdig = NULL;
+
+  char line [SZ];
+  char x_name [SZ], x_md5 [SZ], x_sha [SZ];
+
+  char *x_info;
+
+  char *sf_md5 = NULL, *sf_sha1 = NULL;
+
+  *x_name = 0;
+  *x_md5 = 0;
+  *x_sha = 0;
+
+  PORT_Assert( length > 0 );
+  raw_len = length;
+
+#ifdef DEBUG
+  if ((status = jar_insanity_check (raw_manifest, raw_len)) < 0)
+    return status;
+#endif
+
+
+  /* null terminate the first line */
+  raw_manifest = jar_eat_line (0, PR_TRUE, raw_manifest, &raw_len);
+
+
+  /* skip over the preliminary section */
+  /* This is one section at the top of the file with global metainfo */
+
+  while (raw_len)
+    {
+    JAR_Metainfo *met;
+
+    raw_manifest = jar_eat_line (1, PR_TRUE, raw_manifest, &raw_len);
+    if (!*raw_manifest) break;
+
+    met = (JAR_Metainfo*)PORT_ZAlloc (sizeof (JAR_Metainfo));
+    if (met == NULL)
+      return JAR_ERR_MEMORY;
+
+    /* Parse out the header & info */
+
+    if (xp_HUGE_STRLEN (raw_manifest) >= SZ)
+      {
+      /* almost certainly nonsense */
+      continue;
+      }
+
+    xp_HUGE_STRCPY (line, raw_manifest);
+    x_info = line;
+
+    while (*x_info && *x_info != ' ' && *x_info != '\t' && *x_info != ':')
+      x_info++;
+
+    if (*x_info) *x_info++ = 0;
+
+    while (*x_info == ' ' || *x_info == '\t')
+      x_info++;
+
+    /* metainfo (name, value) pair is now (line, x_info) */
+
+    met->header = PORT_Strdup (line);
+    met->info = PORT_Strdup (x_info);
+
+    if (type == jarTypeMF)
+      {
+      ADDITEM (jar->metainfo, jarTypeMeta, 
+         /* pathname */ NULL, met, sizeof (JAR_Metainfo));
+      }
+
+    /* For SF files, this metadata may be the digests
+       of the MF file, still in the "met" structure. */
+
+    if (type == jarTypeSF)
+      {
+      if (!PORT_Strcasecmp (line, "MD5-Digest"))
+        sf_md5 = (char *) met->info;
+
+      if (!PORT_Strcasecmp (line, "SHA1-Digest") || !PORT_Strcasecmp (line, "SHA-Digest"))
+        sf_sha1 = (char *) met->info;
+      }
+    }
+
+  if (type == jarTypeSF && jar->globalmeta)
+    {
+    /* this is a SF file which may contain a digest of the manifest.mf's 
+       global metainfo. */
+
+    int match = 0;
+    JAR_Digest *glob = jar->globalmeta;
+
+    if (sf_md5)
+      {
+      unsigned int md5_length;
+      unsigned char *md5_digest;
+
+      md5_digest = ATOB_AsciiToData (sf_md5, &md5_length);
+      PORT_Assert( md5_length == MD5_LENGTH );
+
+      if (md5_length != MD5_LENGTH)
+        return JAR_ERR_CORRUPT;
+
+      match = PORT_Memcmp (md5_digest, glob->md5, MD5_LENGTH);
+      }
+
+    if (sf_sha1 && match == 0)
+      {
+      unsigned int sha1_length;
+      unsigned char *sha1_digest;
+
+      sha1_digest = ATOB_AsciiToData (sf_sha1, &sha1_length);
+      PORT_Assert( sha1_length == SHA1_LENGTH );
+
+      if (sha1_length != SHA1_LENGTH)
+        return JAR_ERR_CORRUPT;
+
+      match = PORT_Memcmp (sha1_digest, glob->sha1, SHA1_LENGTH);
+      }
+
+    if (match != 0)
+      {
+      /* global digest doesn't match, SF file therefore invalid */
+      jar->valid = JAR_ERR_METADATA;
+      return JAR_ERR_METADATA;
+      }
+    }
+
+  /* done with top section of global data */
+
+
+  while (raw_len)
+    {
+    *x_md5 = 0;
+    *x_sha = 0;
+    *x_name = 0;
+
+
+    /* If this is a manifest file, attempt to get a digest of the following section, 
+       without damaging it. This digest will be saved later. */
+
+    if (type == jarTypeMF)
+      {
+      char ZHUGEP *sec;
+      long sec_len = raw_len;
+
+      if (!*raw_manifest || *raw_manifest == '\n')
+        {     
+        /* skip the blank line */ 
+        sec = jar_eat_line (1, PR_FALSE, raw_manifest, &sec_len);
+        }
+      else
+        sec = raw_manifest;
+
+      if (!xp_HUGE_STRNCASECMP (sec, "Name:", 5))
+        {
+        if (type == jarTypeMF)
+          mfdig = jar_digest_section (sec, sec_len);
+        else
+          mfdig = NULL;
+        }
+      }
+
+
+    while (raw_len)
+      {
+      raw_manifest = jar_eat_line (1, PR_TRUE, raw_manifest, &raw_len);
+      if (!*raw_manifest) break; /* blank line, done with this entry */
+
+      if (xp_HUGE_STRLEN (raw_manifest) >= SZ)
+        {
+        /* almost certainly nonsense */
+        continue;
+        }
+
+
+      /* Parse out the name/value pair */
+
+      xp_HUGE_STRCPY (line, raw_manifest);
+      x_info = line;
+
+      while (*x_info && *x_info != ' ' && *x_info != '\t' && *x_info != ':')
+        x_info++;
+
+      if (*x_info) *x_info++ = 0;
+
+      while (*x_info == ' ' || *x_info == '\t') 
+        x_info++;
+
+
+      if (!PORT_Strcasecmp (line, "Name"))
+        PORT_Strcpy (x_name, x_info);
+
+      else if (!PORT_Strcasecmp (line, "MD5-Digest"))
+        PORT_Strcpy (x_md5, x_info);
+
+      else if (!PORT_Strcasecmp (line, "SHA1-Digest") 
+                  || !PORT_Strcasecmp (line, "SHA-Digest"))
+        {
+        PORT_Strcpy (x_sha, x_info);
+        }
+
+      /* Algorithm list is meta info we don't care about; keeping it out
+         of metadata saves significant space for large jar files */
+
+      else if (!PORT_Strcasecmp (line, "Digest-Algorithms")
+                    || !PORT_Strcasecmp (line, "Hash-Algorithms"))
+        {
+        continue;
+        }
+
+      /* Meta info is only collected for the manifest.mf file,
+         since the JAR_get_metainfo call does not support identity */
+
+      else if (type == jarTypeMF)
+        {
+        JAR_Metainfo *met;
+
+        /* this is meta-data */
+
+        met = (JAR_Metainfo*)PORT_ZAlloc (sizeof (JAR_Metainfo));
+
+        if (met == NULL)
+          return JAR_ERR_MEMORY;
+
+        /* metainfo (name, value) pair is now (line, x_info) */
+
+        if ((met->header = PORT_Strdup (line)) == NULL)
+          return JAR_ERR_MEMORY;
+
+        if ((met->info = PORT_Strdup (x_info)) == NULL)
+          return JAR_ERR_MEMORY;
+
+        ADDITEM (jar->metainfo, jarTypeMeta, 
+           x_name, met, sizeof (JAR_Metainfo));
+        }
+      }
+
+	if(!x_name || !*x_name) {
+		/* Whatever that was, it wasn't an entry, because we didn't get a name.
+		 * We don't really have anything, so don't record this. */
+		continue;
+	}
+
+    dig = (JAR_Digest*)PORT_ZAlloc (sizeof (JAR_Digest));
+    if (dig == NULL)
+      return JAR_ERR_MEMORY;
+
+    if (*x_md5 ) 
+      {
+      unsigned int binary_length;
+      unsigned char *binary_digest;
+
+      binary_digest = ATOB_AsciiToData (x_md5, &binary_length);
+      PORT_Assert( binary_length == MD5_LENGTH );
+
+      if (binary_length != MD5_LENGTH)
+        return JAR_ERR_CORRUPT;
+
+      memcpy (dig->md5, binary_digest, MD5_LENGTH);
+      dig->md5_status = jarHashPresent;
+      }
+
+    if (*x_sha ) 
+      {
+      unsigned int binary_length;
+      unsigned char *binary_digest;
+
+      binary_digest = ATOB_AsciiToData (x_sha, &binary_length);
+      PORT_Assert( binary_length == SHA1_LENGTH );
+
+      if (binary_length != SHA1_LENGTH)
+        return JAR_ERR_CORRUPT;
+
+      memcpy (dig->sha1, binary_digest, SHA1_LENGTH);
+      dig->sha1_status = jarHashPresent;
+      }
+
+    PORT_Assert( type == jarTypeMF || type == jarTypeSF );
+
+
+    if (type == jarTypeMF)
+      {
+      ADDITEM (jar->hashes, jarTypeMF, x_name, dig, sizeof (JAR_Digest));
+      }
+    else if (type == jarTypeSF)
+      {
+      ADDITEM (signer->sf, jarTypeSF, x_name, dig, sizeof (JAR_Digest));
+      }
+    else
+      return JAR_ERR_ORDER;
+
+    /* we're placing these calculated digests of manifest.mf 
+       sections in a list where they can subsequently be forgotten */
+
+    if (type == jarTypeMF && mfdig)
+      {
+      ADDITEM (jar->manifest, jarTypeSect, 
+         x_name, mfdig, sizeof (JAR_Digest));
+
+      mfdig = NULL;
+      }
+
+
+    /* Retrieve our saved SHA1 digest from saved copy and check digests.
+       This is just comparing the digest of the MF section as indicated in
+       the SF file with the one we remembered from parsing the MF file */
+
+    if (type == jarTypeSF)
+      {
+      if ((status = jar_internal_digest (jar, path, x_name, dig)) < 0)
+        return status;
+      }
+    }
+
+  return 0;
+  }
+
+static int jar_internal_digest 
+     (JAR *jar, const char *path, char *x_name, JAR_Digest *dig)
+  {
+  int cv;
+  int status;
+
+  JAR_Digest *savdig;
+
+  savdig = jar_get_mf_digest (jar, x_name);
+
+  if (savdig == NULL)
+    {
+    /* no .mf digest for this pathname */
+    status = jar_signal (JAR_ERR_ENTRY, jar, path, x_name);
+    if (status < 0) 
+      return 0; /* was continue; */
+    else 
+      return status;
+    }
+
+  /* check for md5 consistency */
+  if (dig->md5_status)
+    {
+    cv = PORT_Memcmp (savdig->md5, dig->md5, MD5_LENGTH);
+    /* md5 hash of .mf file is not what expected */
+    if (cv) 
+      {
+      status = jar_signal (JAR_ERR_HASH, jar, path, x_name);
+
+      /* bad hash, man */
+
+      dig->md5_status = jarHashBad;
+      savdig->md5_status = jarHashBad;
+
+      if (status < 0) 
+        return 0; /* was continue; */
+      else 
+        return status;
+      }
+    }
+
+  /* check for sha1 consistency */
+  if (dig->sha1_status)
+    {
+    cv = PORT_Memcmp (savdig->sha1, dig->sha1, SHA1_LENGTH);
+    /* sha1 hash of .mf file is not what expected */
+    if (cv) 
+      {
+      status = jar_signal (JAR_ERR_HASH, jar, path, x_name);
+
+      /* bad hash, man */
+
+      dig->sha1_status = jarHashBad;
+      savdig->sha1_status = jarHashBad;
+
+      if (status < 0)
+        return 0; /* was continue; */
+      else
+        return status;
+      }
+    }
+	return 0;
+  }
+
+#ifdef DEBUG
+/*
+ *  j a r _ i n s a n i t y _ c h e c k
+ *
+ *  Check for illegal characters (or possibly so)
+ *  in the manifest files, to detect potential memory
+ *  corruption by our neighbors. Debug only, since
+ *  not I18N safe.
+ * 
+ */
+
+static int jar_insanity_check (char ZHUGEP *data, long length)
+  {
+  int c;
+  long off;
+
+  for (off = 0; off < length; off++)
+    {
+    c = data [off];
+
+    if (c == '\n' || c == '\r' || (c >= ' ' && c <= 128))
+      continue;
+
+    return JAR_ERR_CORRUPT;
+    }
+
+  return 0;
+  }
+#endif
+
+/*
+ *  j a r _ p a r s e _ d i g i t a l _ s i g n a t u r e
+ *
+ *  Parse an RSA or DSA (or perhaps other) digital signature.
+ *  Right now everything is PKCS7.
+ *
+ */
+
+static int jar_parse_digital_signature 
+     (char *raw_manifest, JAR_Signer *signer, long length, JAR *jar)
+  {
+#if defined(XP_WIN16)
+  PORT_Assert( LOWORD(raw_manifest) + length < 0xFFFF );
+#endif
+  return jar_validate_pkcs7 (jar, signer, raw_manifest, length);
+  }
+
+/*
+ *  j a r _ a d d _ c e r t
+ * 
+ *  Add information for the given certificate
+ *  (or whatever) to the JAR linked list. A pointer
+ *  is passed for some relevant reference, say
+ *  for example the original certificate.
+ *
+ */
+
+static int jar_add_cert
+     (JAR *jar, JAR_Signer *signer, int type, CERTCertificate *cert)
+  {
+  JAR_Cert *fing;
+  unsigned char *keyData;
+
+  if (cert == NULL)
+    return JAR_ERR_ORDER;
+
+  fing = (JAR_Cert*)PORT_ZAlloc (sizeof (JAR_Cert));
+
+  if (fing == NULL)
+    goto loser;
+
+#ifdef USE_MOZ_THREAD
+  fing->cert = jar_moz_dup (cert);
+#else
+  fing->cert = CERT_DupCertificate (cert);
+#endif
+
+  /* get the certkey */
+
+  fing->length = cert->derIssuer.len + 2 + cert->serialNumber.len;
+
+  keyData = (unsigned char *) PORT_ZAlloc (fing->length);
+  fing->key = keyData;
+
+  if (fing->key == NULL)
+    goto loser;
+  keyData[0] = ((cert->derIssuer.len) >> 8) & 0xff;
+  keyData[1] = ((cert->derIssuer.len) & 0xff);
+  PORT_Memcpy (&keyData[2], cert->derIssuer.data, cert->derIssuer.len);
+  PORT_Memcpy (&keyData[2+cert->derIssuer.len], cert->serialNumber.data,
+						 cert->serialNumber.len);
+
+  ADDITEM (signer->certs, type, 
+    /* pathname */ NULL, fing, sizeof (JAR_Cert));
+
+  return 0;
+
+loser:
+
+  if (fing)
+    {
+    if (fing->cert) 
+      CERT_DestroyCertificate (fing->cert);
+
+    PORT_Free (fing);
+    }
+
+  return JAR_ERR_MEMORY;
+  }
+
+/*
+ *  e a t _ l i n e 
+ *
+ *  Consume an ascii line from the top of a file kept
+ *  in memory. This destroys the file in place. This function
+ *  handles PC, Mac, and Unix style text files.
+ *
+ */
+
+static char ZHUGEP *jar_eat_line 
+    (int lines, int eating, char ZHUGEP *data, long *len)
+  {
+  char ZHUGEP *ret;
+
+  ret = data;
+  if (!*len) return ret;
+
+  /* Eat the requisite number of lines, if any; 
+     prior to terminating the current line with a 0. */
+
+  for (/* yip */ ; lines; lines--)
+    {
+    while (*data && *data != '\n')
+      data++;
+
+    /* After the CR, ok to eat one LF */
+
+    if (*data == '\n')
+      data++;
+
+    /* If there are zeros, we put them there */
+
+    while (*data == 0 && data - ret < *len)
+      data++;
+    }
+
+  *len -= data - ret;
+  ret = data;
+
+  if (eating)
+    {
+    /* Terminate this line with a 0 */ 
+
+    while (*data && *data != '\n' && *data != '\r')
+      data++;
+
+    /* In any case we are allowed to eat CR */
+
+    if (*data == '\r')
+      *data++ = 0;
+
+    /* After the CR, ok to eat one LF */
+
+    if (*data == '\n')
+      *data++ = 0;
+    }
+
+  return ret;
+  }
+
+/*
+ *  j a r _ d i g e s t _ s e c t i o n
+ *
+ *  Return the digests of the next section of the manifest file.
+ *  Does not damage the manifest file, unlike parse_manifest.
+ * 
+ */
+
+static JAR_Digest *jar_digest_section 
+    (char ZHUGEP *manifest, long length)
+  {
+  long global_len;
+  char ZHUGEP *global_end;
+
+  global_end = manifest;
+  global_len = length;
+
+  while (global_len)
+    {
+    global_end = jar_eat_line (1, PR_FALSE, global_end, &global_len);
+    if (*global_end == 0 || *global_end == '\n')
+      break;
+    }
+
+  return JAR_calculate_digest (manifest, global_end - manifest);
+  }
+
+/*
+ *  J A R _ v e r i f y _ d i g e s t
+ *
+ *  Verifies that a precalculated digest matches the
+ *  expected value in the manifest.
+ *
+ */
+
+int PR_CALLBACK JAR_verify_digest
+    (JAR *jar, const char *name, JAR_Digest *dig)
+  {
+  JAR_Item *it;
+
+  JAR_Digest *shindig;
+
+  ZZLink *link;
+  ZZList *list;
+
+  int result1, result2;
+
+  list = jar->hashes;
+
+  result1 = result2 = 0;
+
+  if (jar->valid < 0)
+    {
+    /* signature not valid */
+    return JAR_ERR_SIG;
+    }
+
+  if (ZZ_ListEmpty (list))
+    {
+    /* empty list */
+    return JAR_ERR_PNF;
+    }
+
+  for (link = ZZ_ListHead (list); 
+       !ZZ_ListIterDone (list, link); 
+       link = link->next)
+    {
+    it = link->thing;
+    if (it->type == jarTypeMF 
+           && it->pathname && !PORT_Strcmp (it->pathname, name))
+      {
+      shindig = (JAR_Digest *) it->data;
+
+      if (shindig->md5_status)
+        {
+        if (shindig->md5_status == jarHashBad)
+          return JAR_ERR_HASH;
+        else
+          result1 = memcmp (dig->md5, shindig->md5, MD5_LENGTH);
+        }
+
+      if (shindig->sha1_status)
+        {
+        if (shindig->sha1_status == jarHashBad)
+          return JAR_ERR_HASH;
+        else
+          result2 = memcmp (dig->sha1, shindig->sha1, SHA1_LENGTH);
+        }
+
+      return (result1 == 0 && result2 == 0) ? 0 : JAR_ERR_HASH;
+      }
+    }
+
+  return JAR_ERR_PNF;
+  }
+
+/* 
+ *  J A R _ c e r t _ a t t r i b u t e
+ *
+ *  Return the named certificate attribute from the
+ *  certificate specified by the given key.
+ *
+ */
+
+int PR_CALLBACK JAR_cert_attribute
+    (JAR *jar, jarCert attrib, long keylen, void *key, 
+        void **result, unsigned long *length)
+  {
+  int status = 0;
+  char *ret = NULL;
+
+  CERTCertificate *cert;
+
+  CERTCertDBHandle *certdb;
+
+  JAR_Digest *dig;
+  SECItem hexme;
+
+  *length = 0;
+
+  if (attrib == 0 || key == 0)
+    return JAR_ERR_GENERAL;
+
+  if (attrib == jarCertJavaHack)
+    {
+    cert = (CERTCertificate *) NULL;
+    certdb = JAR_open_database();
+
+    if (certdb)
+      {
+#ifdef USE_MOZ_THREAD
+      cert = jar_moz_nickname (certdb, (char*)key);
+#else
+      cert = CERT_FindCertByNickname (certdb, key);
+#endif
+
+      if (cert)
+        {
+        *length = cert->certKey.len;
+
+        *result = (void *) PORT_ZAlloc (*length);
+
+        if (*result)
+          PORT_Memcpy (*result, cert->certKey.data, *length);
+        else
+          return JAR_ERR_MEMORY;
+        }
+      JAR_close_database (certdb);
+      }
+
+    return cert ? 0 : JAR_ERR_GENERAL;
+    }
+
+  if (jar && jar->pkcs7 == 0)
+    return JAR_ERR_GENERAL;
+
+  cert = jar_get_certificate (jar, keylen, key, &status);
+
+  if (cert == NULL || status < 0)
+    return JAR_ERR_GENERAL;
+
+#define SEP " <br> "
+#define SEPLEN (PORT_Strlen(SEP))
+
+  switch (attrib)
+    {
+    case jarCertCompany:
+
+      ret = cert->subjectName;
+
+      /* This is pretty ugly looking but only used
+         here for this one purpose. */
+
+      if (ret)
+        {
+        int retlen = 0;
+
+        char *cer_ou1, *cer_ou2, *cer_ou3;
+	char *cer_cn, *cer_e, *cer_o, *cer_l;
+
+	cer_cn  = CERT_GetCommonName (&cert->subject);
+        cer_e   = CERT_GetCertEmailAddress (&cert->subject);
+        cer_ou3 = jar_cert_element (ret, "OU=", 3);
+        cer_ou2 = jar_cert_element (ret, "OU=", 2);
+        cer_ou1 = jar_cert_element (ret, "OU=", 1);
+        cer_o   = CERT_GetOrgName (&cert->subject);
+        cer_l   = CERT_GetCountryName (&cert->subject);
+
+        if (cer_cn)  retlen += SEPLEN + PORT_Strlen (cer_cn);
+        if (cer_e)   retlen += SEPLEN + PORT_Strlen (cer_e);
+        if (cer_ou1) retlen += SEPLEN + PORT_Strlen (cer_ou1);
+        if (cer_ou2) retlen += SEPLEN + PORT_Strlen (cer_ou2);
+        if (cer_ou3) retlen += SEPLEN + PORT_Strlen (cer_ou3);
+        if (cer_o)   retlen += SEPLEN + PORT_Strlen (cer_o);
+        if (cer_l)   retlen += SEPLEN + PORT_Strlen (cer_l);
+
+        ret = (char *) PORT_ZAlloc (1 + retlen);
+
+        if (cer_cn)  { PORT_Strcpy (ret, cer_cn);  PORT_Strcat (ret, SEP); }
+        if (cer_e)   { PORT_Strcat (ret, cer_e);   PORT_Strcat (ret, SEP); }
+        if (cer_ou1) { PORT_Strcat (ret, cer_ou1); PORT_Strcat (ret, SEP); }
+        if (cer_ou2) { PORT_Strcat (ret, cer_ou2); PORT_Strcat (ret, SEP); }
+        if (cer_ou3) { PORT_Strcat (ret, cer_ou3); PORT_Strcat (ret, SEP); }
+        if (cer_o)   { PORT_Strcat (ret, cer_o);   PORT_Strcat (ret, SEP); }
+        if (cer_l)     PORT_Strcat (ret, cer_l);
+
+	/* return here to avoid unsightly memory leak */
+
+        *result = ret;
+        *length = PORT_Strlen (ret);
+
+        return 0;
+        }
+      break;
+
+    case jarCertCA:
+
+      ret = cert->issuerName;
+
+      if (ret)
+        {
+        int retlen = 0;
+
+        char *cer_ou1, *cer_ou2, *cer_ou3;
+	char *cer_cn, *cer_e, *cer_o, *cer_l;
+
+        /* This is pretty ugly looking but only used
+           here for this one purpose. */
+
+	cer_cn  = CERT_GetCommonName (&cert->issuer);
+        cer_e   = CERT_GetCertEmailAddress (&cert->issuer);
+        cer_ou3 = jar_cert_element (ret, "OU=", 3);
+        cer_ou2 = jar_cert_element (ret, "OU=", 2);
+        cer_ou1 = jar_cert_element (ret, "OU=", 1);
+        cer_o   = CERT_GetOrgName (&cert->issuer);
+        cer_l   = CERT_GetCountryName (&cert->issuer);
+
+        if (cer_cn)  retlen += SEPLEN + PORT_Strlen (cer_cn);
+        if (cer_e)   retlen += SEPLEN + PORT_Strlen (cer_e);
+        if (cer_ou1) retlen += SEPLEN + PORT_Strlen (cer_ou1);
+        if (cer_ou2) retlen += SEPLEN + PORT_Strlen (cer_ou2);
+        if (cer_ou3) retlen += SEPLEN + PORT_Strlen (cer_ou3);
+        if (cer_o)   retlen += SEPLEN + PORT_Strlen (cer_o);
+        if (cer_l)   retlen += SEPLEN + PORT_Strlen (cer_l);
+
+        ret = (char *) PORT_ZAlloc (1 + retlen);
+
+        if (cer_cn)  { PORT_Strcpy (ret, cer_cn);  PORT_Strcat (ret, SEP); }
+        if (cer_e)   { PORT_Strcat (ret, cer_e);   PORT_Strcat (ret, SEP); }
+        if (cer_ou1) { PORT_Strcat (ret, cer_ou1); PORT_Strcat (ret, SEP); }
+        if (cer_ou2) { PORT_Strcat (ret, cer_ou2); PORT_Strcat (ret, SEP); }
+        if (cer_ou3) { PORT_Strcat (ret, cer_ou3); PORT_Strcat (ret, SEP); }
+        if (cer_o)   { PORT_Strcat (ret, cer_o);   PORT_Strcat (ret, SEP); }
+        if (cer_l)     PORT_Strcat (ret, cer_l);
+
+	/* return here to avoid unsightly memory leak */
+
+        *result = ret;
+        *length = PORT_Strlen (ret);
+
+        return 0;
+        }
+
+      break;
+
+    case jarCertSerial:
+
+      ret = CERT_Hexify (&cert->serialNumber, 1);
+      break;
+
+    case jarCertExpires:
+
+      ret = DER_UTCDayToAscii (&cert->validity.notAfter);
+      break;
+
+    case jarCertNickname:
+
+      ret = jar_choose_nickname (cert);
+      break;
+
+    case jarCertFinger:
+
+      dig = JAR_calculate_digest 
+         ((char *) cert->derCert.data, cert->derCert.len);
+
+      if (dig)
+        {
+        hexme.len = sizeof (dig->md5);
+        hexme.data = dig->md5;
+        ret = CERT_Hexify (&hexme, 1);
+        }
+      break;
+
+    default:
+
+      return JAR_ERR_GENERAL;
+    }
+
+  *result = ret ? PORT_Strdup (ret) : NULL;
+  *length = ret ? PORT_Strlen (ret) : 0;
+
+  return 0;
+  }
+
+/* 
+ *  j a r  _ c e r t _ e l e m e n t
+ *
+ *  Retrieve an element from an x400ish ascii
+ *  designator, in a hackish sort of way. The right
+ *  thing would probably be to sort AVATags.
+ *
+ */
+
+static char *jar_cert_element (char *name, char *tag, int occ)
+  {
+  if (name && tag)
+    {
+    char *s;
+    int found = 0;
+
+    while (occ--)
+      {
+      if (PORT_Strstr (name, tag))
+        {
+        name = PORT_Strstr (name, tag) + PORT_Strlen (tag);
+        found = 1;
+        }
+      else
+        {
+        name = PORT_Strstr (name, "=");
+        if (name == NULL) return NULL;
+        found = 0;
+        }
+      }
+
+    if (!found) return NULL;
+
+    /* must mangle only the copy */
+    name = PORT_Strdup (name);
+
+    /* advance to next equal */
+    for (s = name; *s && *s != '='; s++)
+      /* yip */ ;
+
+    /* back up to previous comma */
+    while (s > name && *s != ',') s--;
+
+    /* zap the whitespace and return */
+    *s = 0;
+    }
+
+  return name;
+  }
+
+/* 
+ *  j a r _ c h o o s e _ n i c k n a m e
+ *
+ *  Attempt to determine a suitable nickname for
+ *  a certificate with a computer-generated "tmpcertxxx" 
+ *  nickname. It needs to be something a user can
+ *  understand, so try a few things.
+ *
+ */
+
+static char *jar_choose_nickname (CERTCertificate *cert)
+  {
+  char *cert_cn;
+  char *cert_o;
+  char *cert_cn_o;
+
+  int cn_o_length;
+
+  /* is the existing name ok */
+
+  if (cert->nickname && PORT_Strncmp (cert->nickname, "tmpcert", 7))
+    return PORT_Strdup (cert->nickname);
+
+  /* we have an ugly name here people */
+
+  /* Try the CN */
+  cert_cn = CERT_GetCommonName (&cert->subject);
+
+  if (cert_cn)
+    {
+    /* check for duplicate nickname */
+
+#ifdef USE_MOZ_THREAD
+    if (jar_moz_nickname (CERT_GetDefaultCertDB(), cert_cn) == NULL)
+#else
+    if (CERT_FindCertByNickname (CERT_GetDefaultCertDB(), cert_cn) == NULL)
+#endif
+      return cert_cn;
+
+    /* Try the CN plus O */
+    cert_o = CERT_GetOrgName (&cert->subject);
+
+    cn_o_length = PORT_Strlen (cert_cn) + 3 + PORT_Strlen (cert_o) + 20;
+    cert_cn_o = (char*)PORT_ZAlloc (cn_o_length);
+
+    PR_snprintf (cert_cn_o, cn_o_length, 
+           "%s's %s Certificate", cert_cn, cert_o);
+
+#ifdef USE_MOZ_THREAD
+    if (jar_moz_nickname (CERT_GetDefaultCertDB(), cert_cn_o) == NULL)
+#else
+    if (CERT_FindCertByNickname (CERT_GetDefaultCertDB(), cert_cn_o) == NULL)
+#endif
+      return cert_cn;
+    }
+
+  /* If all that failed, use the ugly nickname */
+  return cert->nickname ? PORT_Strdup (cert->nickname) : NULL;
+  }
+
+/*
+ *  J A R _ c e r t _ h t m l 
+ *
+ *  Return an HTML representation of the certificate
+ *  designated by the given fingerprint, in specified style.
+ *
+ *  JAR is optional, but supply it if you can in order
+ *  to optimize.
+ *
+ */
+
+char *JAR_cert_html
+    (JAR *jar, int style, long keylen, void *key, int *result)
+  {
+  char *html;
+  CERTCertificate *cert;
+
+  *result = -1;
+
+  if (style != 0)
+    return NULL;
+
+  cert = jar_get_certificate (jar, keylen, key, result);
+
+  if (cert == NULL || *result < 0)
+    return NULL;
+
+  *result = 0;
+
+  html = CERT_HTMLCertInfo (cert, /* show images */ PR_TRUE,
+		/*show issuer*/PR_TRUE);
+
+  if (html == NULL)
+    *result = -1;
+
+  return html;
+  }
+
+/*
+ *  J A R _ s t a s h _ c e r t
+ *
+ *  Stash the certificate pointed to by this
+ *  fingerprint, in persistent storage somewhere.
+ *
+ */
+
+extern int PR_CALLBACK JAR_stash_cert
+    (JAR *jar, long keylen, void *key)
+  {
+  int result = 0;
+
+  char *nickname;
+  CERTCertTrust trust;
+
+  CERTCertDBHandle *certdb;
+  CERTCertificate *cert, *newcert;
+
+  cert = jar_get_certificate (jar, keylen, key, &result);
+
+  if (result < 0)
+    return result;
+
+  if (cert == NULL)
+    return JAR_ERR_GENERAL;
+
+  if ((certdb = JAR_open_database()) == NULL)
+    return JAR_ERR_GENERAL;
+
+  /* Attempt to give a name to the newish certificate */
+  nickname = jar_choose_nickname (cert);
+
+#ifdef USE_MOZ_THREAD
+  newcert = jar_moz_nickname (certdb, nickname);
+#else
+  newcert = CERT_FindCertByNickname (certdb, nickname);
+#endif
+
+  if (newcert && newcert->isperm) 
+    {
+    /* already in permanant database */
+    return 0;
+    }
+
+  if (newcert) cert = newcert;
+
+  /* FIX, since FindCert returns a bogus dbhandle
+     set it ourselves */
+
+  cert->dbhandle = certdb;
+
+#if 0
+  nickname = cert->subjectName;
+  if (nickname)
+    {
+    /* Not checking for a conflict here. But this should
+       be a new cert or it would have been found earlier. */
+
+    nickname = jar_cert_element (nickname, "CN=", 1);
+
+    if (SEC_CertNicknameConflict (nickname, cert->dbhandle))
+      {
+      /* conflict */
+      nickname = PORT_Realloc (&nickname, PORT_Strlen (nickname) + 3);
+
+      /* Beyond one copy, there are probably serious problems 
+         so we will stop at two rather than counting.. */
+
+      PORT_Strcat (nickname, " #2");
+      }
+    }
+#endif
+
+  if (nickname != NULL)
+    {
+    PORT_Memset ((void *) &trust, 0, sizeof(trust));
+
+#ifdef USE_MOZ_THREAD
+    if (jar_moz_perm (cert, nickname, &trust) != SECSuccess) 
+#else
+    if (CERT_AddTempCertToPerm (cert, nickname, &trust) != SECSuccess) 
+#endif
+      {
+      /* XXX might want to call PORT_GetError here */
+      result = JAR_ERR_GENERAL;
+      }
+    }
+
+  JAR_close_database (certdb);
+
+  return result;
+  }
+
+/*
+ *  J A R _ f e t c h _ c e r t
+ *
+ *  Given an opaque identifier of a certificate, 
+ *  return the full certificate.
+ *
+ * The new function, which retrieves by key.
+ *
+ */
+
+void *JAR_fetch_cert (long length, void *key)
+  {
+  CERTIssuerAndSN issuerSN;
+  CERTCertificate *cert = NULL;
+
+  CERTCertDBHandle *certdb;
+
+  certdb = JAR_open_database();
+
+  if (certdb)
+    {
+    unsigned char *keyData = (unsigned char *)key;
+    issuerSN.derIssuer.len = (keyData[0] << 8) + keyData[0];
+    issuerSN.derIssuer.data = &keyData[2];
+    issuerSN.serialNumber.len = length - (2 + issuerSN.derIssuer.len);
+    issuerSN.serialNumber.data = &keyData[2+issuerSN.derIssuer.len];
+
+#ifdef USE_MOZ_THREAD
+    cert = jar_moz_certkey (certdb, &issuerSN);
+#else
+    cert = CERT_FindCertByIssuerAndSN (certdb, &issuerSN);
+#endif
+
+    JAR_close_database (certdb);
+    }
+
+  return (void *) cert;
+  }
+
+/*
+ *  j a r _ g e t _ m f _ d i g e s t
+ *
+ *  Retrieve a corresponding saved digest over a section
+ *  of the main manifest file. 
+ *
+ */
+
+static JAR_Digest *jar_get_mf_digest (JAR *jar, char *pathname)
+  {
+  JAR_Item *it;
+
+  JAR_Digest *dig;
+
+  ZZLink *link;
+  ZZList *list;
+
+  list = jar->manifest;
+
+  if (ZZ_ListEmpty (list))
+    return NULL;
+
+  for (link = ZZ_ListHead (list);
+       !ZZ_ListIterDone (list, link);
+       link = link->next)
+    {
+    it = link->thing;
+    if (it->type == jarTypeSect 
+          && it->pathname && !PORT_Strcmp (it->pathname, pathname))
+      {
+      dig = (JAR_Digest *) it->data;
+      return dig;
+      }
+    }
+
+  return NULL;
+  }
+
+/*
+ *  j a r _ b a s e n a m e
+ *
+ *  Return the basename -- leading components of path stripped off,
+ *  extension ripped off -- of a path.
+ *
+ */
+
+static char *jar_basename (const char *path)
+  {
+  char *pith, *e, *basename, *ext;
+
+  if (path == NULL)
+    return PORT_Strdup ("");
+
+  pith = PORT_Strdup (path);
+
+  basename = pith;
+
+  while (1)
+    {
+    for (e = basename; *e && *e != '/' && *e != '\\'; e++)
+      /* yip */ ;
+    if (*e) 
+      basename = ++e; 
+    else
+      break;
+    }
+
+  if ((ext = PORT_Strrchr (basename, '.')) != NULL)
+    *ext = 0;
+
+  /* We already have the space allocated */
+  PORT_Strcpy (pith, basename);
+
+  return pith;
+  }
+
+/*
+ *  + + + + + + + + + + + + + + +
+ *
+ *  CRYPTO ROUTINES FOR JAR
+ *
+ *  The following functions are the cryptographic 
+ *  interface to PKCS7 for Jarnatures.
+ *
+ *  + + + + + + + + + + + + + + +
+ *
+ */
+
+/*
+ *  j a r _ c a t c h _ b y t e s
+ *
+ *  In the event signatures contain enveloped data, it will show up here.
+ *  But note that the lib/pkcs7 routines aren't ready for it.
+ *
+ */
+
+static void jar_catch_bytes
+     (void *arg, const char *buf, unsigned long len)
+  {
+  /* Actually this should never be called, since there is
+     presumably no data in the signature itself. */
+  }
+
+/*
+ *  j a r _ v a l i d a t e _ p k c s 7
+ *
+ *  Validate (and decode, if necessary) a binary pkcs7
+ *  signature in DER format.
+ *
+ */
+
+static int jar_validate_pkcs7 
+     (JAR *jar, JAR_Signer *signer, char *data, long length)
+  {
+  SECItem detdig;
+
+  SEC_PKCS7ContentInfo *cinfo = NULL;
+  SEC_PKCS7DecoderContext *dcx;
+
+  int status = 0;
+  char *errstring = NULL;
+
+  PORT_Assert( jar != NULL && signer != NULL );
+
+  if (jar == NULL || signer == NULL)
+    return JAR_ERR_ORDER;
+
+  signer->valid = JAR_ERR_SIG;
+
+  /* We need a context if we can get one */
+
+#ifdef MOZILLA_CLIENT_OLD
+  if (jar->mw == NULL) {
+    JAR_set_context (jar, NULL);
+  }
+#endif
+
+
+  dcx = SEC_PKCS7DecoderStart
+           (jar_catch_bytes, NULL /*cb_arg*/, NULL /*getpassword*/, jar->mw,
+            NULL, NULL, NULL);
+
+  if (dcx == NULL) 
+    {
+    /* strange pkcs7 failure */
+    return JAR_ERR_PK7;
+    }
+
+  SEC_PKCS7DecoderUpdate (dcx, data, length);
+  cinfo = SEC_PKCS7DecoderFinish (dcx);
+
+  if (cinfo == NULL)
+    {
+    /* strange pkcs7 failure */
+    return JAR_ERR_PK7;
+    }
+
+  if (SEC_PKCS7ContentIsEncrypted (cinfo))
+    {
+    /* content was encrypted, fail */
+    return JAR_ERR_PK7;
+    }
+
+  if (SEC_PKCS7ContentIsSigned (cinfo) == PR_FALSE)
+    {
+    /* content was not signed, fail */
+    return JAR_ERR_PK7;
+    }
+
+  PORT_SetError (0);
+
+  /* use SHA1 only */
+
+  detdig.len = SHA1_LENGTH;
+  detdig.data = signer->digest->sha1;
+
+#ifdef USE_MOZ_THREAD
+  if (jar_moz_verify
+        (cinfo, certUsageObjectSigner, &detdig, HASH_AlgSHA1, PR_FALSE)==
+		SECSuccess)
+#else
+  if (SEC_PKCS7VerifyDetachedSignature 
+        (cinfo, certUsageObjectSigner, &detdig, HASH_AlgSHA1, PR_FALSE)==
+		PR_TRUE)
+#endif
+    {
+    /* signature is valid */
+    signer->valid = 0;
+    jar_gather_signers (jar, signer, cinfo);
+    }
+  else
+    {
+    status = PORT_GetError();
+
+    PORT_Assert( status < 0 );
+    if (status >= 0) status = JAR_ERR_SIG;
+
+    jar->valid = status;
+    signer->valid = status;
+
+    errstring = JAR_get_error (status);
+    /*XP_TRACE(("JAR signature invalid (reason %d = %s)", status, errstring));*/
+    }
+
+  jar->pkcs7 = PR_TRUE;
+  signer->pkcs7 = PR_TRUE;
+
+  SEC_PKCS7DestroyContentInfo (cinfo);
+
+  return status;
+  }
+
+/*
+ *  j a r _ g a t h e r _ s i g n e r s
+ *
+ *  Add the single signer of this signature to the
+ *  certificate linked list.
+ *
+ */
+
+static int jar_gather_signers
+     (JAR *jar, JAR_Signer *signer, SEC_PKCS7ContentInfo *cinfo)
+  {
+  int result;
+
+  CERTCertificate *cert;
+  CERTCertDBHandle *certdb;
+
+  SEC_PKCS7SignedData *sdp;
+  SEC_PKCS7SignerInfo **pksigners, *pksigner;
+
+  sdp = cinfo->content.signedData;
+
+  if (sdp == NULL)
+    return JAR_ERR_PK7;
+
+  pksigners = sdp->signerInfos;
+
+  /* permit exactly one signer */
+
+  if (pksigners == NULL || pksigners [0] == NULL || pksigners [1] != NULL)
+    return JAR_ERR_PK7;
+
+  pksigner = *pksigners;
+  cert = pksigner->cert;
+
+  if (cert == NULL)
+    return JAR_ERR_PK7;
+
+  certdb = JAR_open_database();
+
+  if (certdb == NULL)
+    return JAR_ERR_GENERAL;
+
+  result = jar_add_cert (jar, signer, jarTypeSign, cert);
+
+  JAR_close_database (certdb);
+
+  return result;
+  }
+
+/*
+ *  j a r _ o p e n _ d a t a b a s e
+ *
+ *  Open the certificate database,
+ *  for use by JAR functions.
+ *
+ */
+
+CERTCertDBHandle *JAR_open_database (void)
+  {
+  CERTCertDBHandle *certdb;
+
+  certdb = CERT_GetDefaultCertDB();
+
+  return certdb;
+  }
+
+/*
+ *  j a r _ c l o s e _ d a t a b a s e
+ *
+ *  Close the certificate database.
+ *  For use by JAR functions.
+ *
+ */
+
+int JAR_close_database (CERTCertDBHandle *certdb)
+  {
+#ifdef notdef
+  CERTCertDBHandle *defaultdb;
+
+  /* This really just retrieves the handle, nothing more */
+  defaultdb = CERT_GetDefaultCertDB();
+
+  /* If there is no default db, it means we opened 
+     the permanent database for some reason */
+
+  if (defaultdb == NULL && certdb != NULL)
+    CERT_ClosePermCertDB (certdb);
+#endif
+
+  return 0;
+  }
+
+/*
+ *  j a r _ g e t _ c e r t i f i c a t e
+ *
+ *  Return the certificate referenced
+ *  by a given fingerprint, or NULL if not found.
+ *  Error code is returned in result.
+ *
+ */
+
+static CERTCertificate *jar_get_certificate
+      (JAR *jar, long keylen, void *key, int *result)
+  {
+  int found = 0;
+
+  JAR_Item *it;
+  JAR_Cert *fing = NULL;
+
+  JAR_Context *ctx;
+
+  if (jar == NULL) 
+    {
+    void *cert;
+    cert = JAR_fetch_cert (keylen, key);
+    *result = (cert == NULL) ? JAR_ERR_GENERAL : 0;
+    return (CERTCertificate *) cert;
+    }
+
+  ctx = JAR_find (jar, NULL, jarTypeSign);
+
+  while (JAR_find_next (ctx, &it) >= 0)
+    {
+    fing = (JAR_Cert *) it->data;
+
+    if (keylen != fing->length)
+      continue;
+
+    PORT_Assert( keylen < 0xFFFF );
+    if (!PORT_Memcmp (fing->key, key, keylen))
+      {
+      found = 1;
+      break;
+      }
+    }
+
+  JAR_find_end (ctx);
+
+  if (found == 0)
+    {
+    *result = JAR_ERR_GENERAL;
+    return NULL;
+    }
+
+  PORT_Assert(fing != NULL);
+  *result = 0;
+  return fing->cert;
+  }
+
+/*
+ *  j a r _ s i g n a l
+ *
+ *  Nonfatal errors come here to callback Java.
+ *  
+ */
+
+static int jar_signal 
+     (int status, JAR *jar, const char *metafile, char *pathname)
+  {
+  char *errstring;
+
+  errstring = JAR_get_error (status);
+
+  if (jar->signal)
+    {
+    (*jar->signal) (status, jar, metafile, pathname, errstring);
+    return 0;
+    }
+
+  return status;
+  }
+
+/*
+ *  j a r _ a p p e n d
+ *
+ *  Tack on an element to one of a JAR's linked
+ *  lists, with rudimentary error handling.
+ *
+ */
+
+int jar_append (ZZList *list, int type, 
+        char *pathname, void *data, size_t size)
+  {
+  JAR_Item *it;
+  ZZLink *entity;
+
+  it = (JAR_Item*)PORT_ZAlloc (sizeof (JAR_Item));
+
+  if (it == NULL)
+    goto loser;
+
+  if (pathname)
+    {
+    it->pathname = PORT_Strdup (pathname);
+    if (it->pathname == NULL)
+      goto loser;
+    }
+
+  it->type = (jarType)type;
+  it->data = (unsigned char *) data;
+  it->size = size;
+
+  entity = ZZ_NewLink (it);
+
+  if (entity)
+    {
+    ZZ_AppendLink (list, entity);
+    return 0;
+    }
+
+loser:
+
+  if (it)
+    {
+    if (it->pathname) PORT_Free (it->pathname);
+    PORT_Free (it);
+    }
+
+  return JAR_ERR_MEMORY;
+  }
+
+/* 
+ *  W I N 1 6   s t u f f
+ *
+ *  These functions possibly belong in xp_mem.c, they operate 
+ *  on huge string pointers for win16.
+ *
+ */
+
+#if defined(XP_WIN16)
+int xp_HUGE_STRNCASECMP (char ZHUGEP *buf, char *key, int len)
+  {
+  while (len--) 
+    {
+    char c1, c2;
+
+    c1 = *buf++;
+    c2 = *key++;
+
+    if (c1 >= 'a' && c1 <= 'z') c1 -= ('a' - 'A');
+    if (c2 >= 'a' && c2 <= 'z') c2 -= ('a' - 'A');
+
+    if (c1 != c2) 
+      return (c1 < c2) ? -1 : 1;
+    }
+  return 0;
+  }
+
+size_t xp_HUGE_STRLEN (char ZHUGEP *s)
+  {
+  size_t len = 0L;
+  while (*s++) len++;
+  return len;
+  }
+
+char *xp_HUGE_STRCPY (char *to, char ZHUGEP *from)
+  {
+  char *ret = to;
+
+  while (*from)
+    *to++ = *from++;
+  *to = 0;
+
+  return ret;
+  }
+#endif
diff --git a/security/nss/lib/jar/jzconf.h b/security/nss/lib/jar/jzconf.h
new file mode 100644
index 000000000..278aaa5d5
--- /dev/null
+++ b/security/nss/lib/jar/jzconf.h
@@ -0,0 +1,190 @@
+/* zconf.h -- configuration of the zlib compression library
+ * Copyright (C) 1995-1996 Jean-loup Gailly.
+ * For conditions of distribution and use, see copyright notice in zlib.h 
+ */
+/* This file was modified since it was taken from the zlib distribution */
+/* $Id$ */
+
+#ifndef _ZCONF_H
+#define _ZCONF_H
+
+/*
+ * If you *really* need a unique prefix for all types and library functions,
+ * compile with -DZ_PREFIX. The "standard" zlib should be compiled without it.
+ */
+#ifdef Z_PREFIX
+#  define deflateInit_	z_deflateInit_
+#  define deflate	z_deflate
+#  define deflateEnd	z_deflateEnd
+#  define inflateInit_ 	z_inflateInit_
+#  define inflate	z_inflate
+#  define inflateEnd	z_inflateEnd
+#  define deflateInit2_	z_deflateInit2_
+#  define deflateSetDictionary z_deflateSetDictionary
+#  define deflateCopy	z_deflateCopy
+#  define deflateReset	z_deflateReset
+#  define deflateParams	z_deflateParams
+#  define inflateInit2_	z_inflateInit2_
+#  define inflateSetDictionary z_inflateSetDictionary
+#  define inflateSync	z_inflateSync
+#  define inflateReset	z_inflateReset
+#  define compress	z_compress
+#  define uncompress	z_uncompress
+#  define adler32	z_adler32
+#  define crc32		z_crc32
+#  define get_crc_table z_get_crc_table
+
+#  define Byte		z_Byte
+#  define uInt		z_uInt
+#  define uLong		z_uLong
+#  define Bytef	        z_Bytef
+#  define charf		z_charf
+#  define intf		z_intf
+#  define uIntf		z_uIntf
+#  define uLongf	z_uLongf
+#  define voidpf	z_voidpf
+#  define voidp		z_voidp
+#endif
+
+#if (defined(_WIN32) || defined(__WIN32__)) && !defined(WIN32)
+#  define WIN32
+#endif
+#if defined(__GNUC__) || defined(WIN32) || defined(__386__) || defined(i386)
+#  ifndef __32BIT__
+#    define __32BIT__
+#  endif
+#endif
+#if defined(__MSDOS__) && !defined(MSDOS)
+#  define MSDOS
+#endif
+
+/*
+ * Compile with -DMAXSEG_64K if the alloc function cannot allocate more
+ * than 64k bytes at a time (needed on systems with 16-bit int).
+ */
+#if defined(MSDOS) && !defined(__32BIT__)
+#  define MAXSEG_64K
+#endif
+#ifdef MSDOS
+#  define UNALIGNED_OK
+#endif
+
+#if (defined(MSDOS) || defined(_WINDOWS) || defined(WIN32) || defined(XP_OS2))  && !defined(STDC)
+#  define STDC
+#endif
+#if (defined(__STDC__) || defined(__cplusplus)) && !defined(STDC)
+#  define STDC
+#endif
+
+#ifndef STDC
+#  ifndef const /* cannot use !defined(STDC) && !defined(const) on Mac */
+#    define const
+#  endif
+#endif
+
+/* Some Mac compilers merge all .h files incorrectly: */
+#if defined(__MWERKS__) || defined(applec) ||defined(THINK_C) ||defined(__SC__)
+#  define NO_DUMMY_DECL
+#endif
+
+/* Maximum value for memLevel in deflateInit2 */
+#ifndef MAX_MEM_LEVEL
+#  ifdef MAXSEG_64K
+#    define MAX_MEM_LEVEL 8
+#  else
+#    define MAX_MEM_LEVEL 9
+#  endif
+#endif
+
+/* Maximum value for windowBits in deflateInit2 and inflateInit2 */
+#ifndef MAX_WBITS
+#  define MAX_WBITS   15 /* 32K LZ77 window */
+#endif
+
+/* The memory requirements for deflate are (in bytes):
+            1 << (windowBits+2)   +  1 << (memLevel+9)
+ that is: 128K for windowBits=15  +  128K for memLevel = 8  (default values)
+ plus a few kilobytes for small objects. For example, if you want to reduce
+ the default memory requirements from 256K to 128K, compile with
+     make CFLAGS="-O -DMAX_WBITS=14 -DMAX_MEM_LEVEL=7"
+ Of course this will generally degrade compression (there's no free lunch).
+
+   The memory requirements for inflate are (in bytes) 1 << windowBits
+ that is, 32K for windowBits=15 (default value) plus a few kilobytes
+ for small objects.
+*/
+
+                        /* Type declarations */
+
+#ifndef OF /* function prototypes */
+#  ifdef STDC
+#    define OF(args)  args
+#  else
+#    define OF(args)  ()
+#  endif
+#endif
+
+/* The following definitions for FAR are needed only for MSDOS mixed
+ * model programming (small or medium model with some far allocations).
+ * This was tested only with MSC; for other MSDOS compilers you may have
+ * to define NO_MEMCPY in zutil.h.  If you don't need the mixed model,
+ * just define FAR to be empty.
+ */
+#if (defined(M_I86SM) || defined(M_I86MM)) && !defined(__32BIT__)
+   /* MSC small or medium model */
+#  define SMALL_MEDIUM
+#  ifdef _MSC_VER
+#    define FAR __far
+#  else
+#    define FAR far
+#  endif
+#endif
+#if defined(__BORLANDC__) && (defined(__SMALL__) || defined(__MEDIUM__))
+#  ifndef __32BIT__
+#    define SMALL_MEDIUM
+#    define FAR __far
+#  endif
+#endif
+#ifndef FAR
+#   define FAR
+#endif
+
+typedef unsigned char  Byte;  /* 8 bits */
+typedef unsigned int   uInt;  /* 16 bits or more */
+typedef unsigned long  uLong; /* 32 bits or more */
+
+#if defined(__BORLANDC__) && defined(SMALL_MEDIUM)
+   /* Borland C/C++ ignores FAR inside typedef */
+#  define Bytef Byte FAR
+#else
+   typedef Byte  FAR Bytef;
+#endif
+typedef char  FAR charf;
+typedef int   FAR intf;
+typedef uInt  FAR uIntf;
+typedef uLong FAR uLongf;
+
+#ifdef STDC
+   typedef void FAR *voidpf;
+   typedef void     *voidp;
+#else
+   typedef Byte FAR *voidpf;
+   typedef Byte     *voidp;
+#endif
+
+#ifdef MOZILLA_CLIENT
+#include "prtypes.h"
+#else
+/* Compile with -DZLIB_DLL for Windows DLL support */
+#if (defined(_WINDOWS) || defined(WINDOWS)) && defined(ZLIB_DLL)
+#  include <windows.h>
+#  define EXPORT  WINAPI
+#else
+#  define EXPORT
+#endif
+
+#define PR_PUBLIC_API(type) type
+
+#endif /* MOZILLA_CLIENT */
+
+#endif /* _ZCONF_H */
diff --git a/security/nss/lib/jar/jzlib.h b/security/nss/lib/jar/jzlib.h
new file mode 100644
index 000000000..dd5b4d8e9
--- /dev/null
+++ b/security/nss/lib/jar/jzlib.h
@@ -0,0 +1,896 @@
+/* zlib.h -- interface of the 'zlib' general purpose compression library
+  version 1.0.4, Jul 24th, 1996.
+
+  Copyright (C) 1995-1996 Jean-loup Gailly and Mark Adler
+
+  This software is provided 'as-is', without any express or implied
+  warranty.  In no event will the authors be held liable for any damages
+  arising from the use of this software.
+
+  Permission is granted to anyone to use this software for any purpose,
+  including commercial applications, and to alter it and redistribute it
+  freely, subject to the following restrictions:
+
+  1. The origin of this software must not be misrepresented; you must not
+     claim that you wrote the original software. If you use this software
+     in a product, an acknowledgment in the product documentation would be
+     appreciated but is not required.
+  2. Altered source versions must be plainly marked as such, and must not be
+     misrepresented as being the original software.
+  3. This notice may not be removed or altered from any source distribution.
+
+  Jean-loup Gailly        Mark Adler
+  gzip@prep.ai.mit.edu    madler@alumni.caltech.edu
+
+
+  The data format used by the zlib library is described by RFCs (Request for
+  Comments) 1950 to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.txt
+  (zlib format), rfc1951.txt (deflate format) and rfc1952.txt (gzip format).
+*/
+/* This file was modified since it was taken from the zlib distribution */
+
+#ifndef _ZLIB_H
+#define _ZLIB_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifdef MOZILLA_CLIENT
+#include "jzconf.h"
+#else
+#include "zconf.h"
+#endif
+
+#define ZLIB_VERSION "1.0.4"
+
+/* 
+     The 'zlib' compression library provides in-memory compression and
+  decompression functions, including integrity checks of the uncompressed
+  data.  This version of the library supports only one compression method
+  (deflation) but other algorithms may be added later and will have the same
+  stream interface.
+
+     For compression the application must provide the output buffer and
+  may optionally provide the input buffer for optimization. For decompression,
+  the application must provide the input buffer and may optionally provide
+  the output buffer for optimization.
+
+     Compression can be done in a single step if the buffers are large
+  enough (for example if an input file is mmap'ed), or can be done by
+  repeated calls of the compression function.  In the latter case, the
+  application must provide more input and/or consume the output
+  (providing more output space) before each call.
+
+     The library does not install any signal handler. It is recommended to
+  add at least a handler for SIGSEGV when decompressing; the library checks
+  the consistency of the input data whenever possible but may go nuts
+  for some forms of corrupted input.
+*/
+
+typedef voidpf (*alloc_func) OF((voidpf opaque, uInt items, uInt size));
+typedef void   (*free_func)  OF((voidpf opaque, voidpf address));
+
+struct internal_state;
+
+typedef struct z_stream_s {
+    Bytef    *next_in;  /* next input byte */
+    uInt     avail_in;  /* number of bytes available at next_in */
+    uLong    total_in;  /* total nb of input bytes read so far */
+
+    Bytef    *next_out; /* next output byte should be put there */
+    uInt     avail_out; /* remaining free space at next_out */
+    uLong    total_out; /* total nb of bytes output so far */
+
+    char     *msg;      /* last error message, NULL if no error */
+    struct internal_state FAR *state; /* not visible by applications */
+
+    alloc_func zalloc;  /* used to allocate the internal state */
+    free_func  zfree;   /* used to free the internal state */
+    voidpf     opaque;  /* private data object passed to zalloc and zfree */
+
+    int     data_type;  /* best guess about the data type: ascii or binary */
+    uLong   adler;      /* adler32 value of the uncompressed data */
+    uLong   reserved;   /* reserved for future use */
+} z_stream;
+
+typedef z_stream FAR *z_streamp;
+
+/*
+   The application must update next_in and avail_in when avail_in has
+   dropped to zero. It must update next_out and avail_out when avail_out
+   has dropped to zero. The application must initialize zalloc, zfree and
+   opaque before calling the init function. All other fields are set by the
+   compression library and must not be updated by the application.
+
+   The opaque value provided by the application will be passed as the first
+   parameter for calls of zalloc and zfree. This can be useful for custom
+   memory management. The compression library attaches no meaning to the
+   opaque value.
+
+   zalloc must return Z_NULL if there is not enough memory for the object.
+   On 16-bit systems, the functions zalloc and zfree must be able to allocate
+   exactly 65536 bytes, but will not be required to allocate more than this
+   if the symbol MAXSEG_64K is defined (see zconf.h). WARNING: On MSDOS,
+   pointers returned by zalloc for objects of exactly 65536 bytes *must*
+   have their offset normalized to zero. The default allocation function
+   provided by this library ensures this (see zutil.c). To reduce memory
+   requirements and avoid any allocation of 64K objects, at the expense of
+   compression ratio, compile the library with -DMAX_WBITS=14 (see zconf.h).
+
+   The fields total_in and total_out can be used for statistics or
+   progress reports. After compression, total_in holds the total size of
+   the uncompressed data and may be saved for use in the decompressor
+   (particularly if the decompressor wants to decompress everything in
+   a single step).
+*/
+
+                        /* constants */
+
+#define Z_NO_FLUSH      0
+#define Z_PARTIAL_FLUSH 1
+#define Z_SYNC_FLUSH    2
+#define Z_FULL_FLUSH    3
+#define Z_FINISH        4
+/* Allowed flush values; see deflate() below for details */
+
+#define Z_OK            0
+#define Z_STREAM_END    1
+#define Z_NEED_DICT     2
+#define Z_ERRNO        (-1)
+#define Z_STREAM_ERROR (-2)
+#define Z_DATA_ERROR   (-3)
+#define Z_MEM_ERROR    (-4)
+#define Z_BUF_ERROR    (-5)
+#define Z_VERSION_ERROR (-6)
+/* Return codes for the compression/decompression functions. Negative
+ * values are errors, positive values are used for special but normal events.
+ */
+
+#define Z_NO_COMPRESSION         0
+#define Z_BEST_SPEED             1
+#define Z_BEST_COMPRESSION       9
+#define Z_DEFAULT_COMPRESSION  (-1)
+/* compression levels */
+
+#define Z_FILTERED            1
+#define Z_HUFFMAN_ONLY        2
+#define Z_DEFAULT_STRATEGY    0
+/* compression strategy; see deflateInit2() below for details */
+
+#define Z_BINARY   0
+#define Z_ASCII    1
+#define Z_UNKNOWN  2
+/* Possible values of the data_type field */
+
+#define Z_DEFLATED   8
+/* The deflate compression method (the only one supported in this version) */
+
+#define Z_NULL  0  /* for initializing zalloc, zfree, opaque */
+
+#define zlib_version zlibVersion()
+/* for compatibility with versions < 1.0.2 */
+
+                        /* basic functions */
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern const char *) zlibVersion (void);
+#else
+extern const char * EXPORT zlibVersion OF((void));
+#endif
+/* The application can compare zlibVersion and ZLIB_VERSION for consistency.
+   If the first character differs, the library code actually used is
+   not compatible with the zlib.h header file used by the application.
+   This check is automatically made by deflateInit and inflateInit.
+ */
+
+/* 
+extern int EXPORT deflateInit OF((z_streamp strm, int level));
+
+     Initializes the internal stream state for compression. The fields
+   zalloc, zfree and opaque must be initialized before by the caller.
+   If zalloc and zfree are set to Z_NULL, deflateInit updates them to
+   use default allocation functions.
+
+     The compression level must be Z_DEFAULT_COMPRESSION, or between 0 and 9:
+   1 gives best speed, 9 gives best compression, 0 gives no compression at
+   all (the input data is simply copied a block at a time).
+   Z_DEFAULT_COMPRESSION requests a default compromise between speed and
+   compression (currently equivalent to level 6).
+
+     deflateInit returns Z_OK if success, Z_MEM_ERROR if there was not
+   enough memory, Z_STREAM_ERROR if level is not a valid compression level,
+   Z_VERSION_ERROR if the zlib library version (zlib_version) is incompatible
+   with the version assumed by the caller (ZLIB_VERSION).
+   msg is set to null if there is no error message.  deflateInit does not
+   perform any compression: this will be done by deflate().
+*/
+
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) deflate (z_streamp strm, int flush);
+#else
+extern int EXPORT deflate OF((z_streamp strm, int flush));
+#endif
+/*
+  Performs one or both of the following actions:
+
+  - Compress more input starting at next_in and update next_in and avail_in
+    accordingly. If not all input can be processed (because there is not
+    enough room in the output buffer), next_in and avail_in are updated and
+    processing will resume at this point for the next call of deflate().
+
+  - Provide more output starting at next_out and update next_out and avail_out
+    accordingly. This action is forced if the parameter flush is non zero.
+    Forcing flush frequently degrades the compression ratio, so this parameter
+    should be set only when necessary (in interactive applications).
+    Some output may be provided even if flush is not set.
+
+  Before the call of deflate(), the application should ensure that at least
+  one of the actions is possible, by providing more input and/or consuming
+  more output, and updating avail_in or avail_out accordingly; avail_out
+  should never be zero before the call. The application can consume the
+  compressed output when it wants, for example when the output buffer is full
+  (avail_out == 0), or after each call of deflate(). If deflate returns Z_OK
+  and with zero avail_out, it must be called again after making room in the
+  output buffer because there might be more output pending.
+
+    If the parameter flush is set to Z_PARTIAL_FLUSH, the current compression
+  block is terminated and flushed to the output buffer so that the
+  decompressor can get all input data available so far. For method 9, a future
+  variant on method 8, the current block will be flushed but not terminated.
+  Z_SYNC_FLUSH has the same effect as partial flush except that the compressed
+  output is byte aligned (the compressor can clear its internal bit buffer)
+  and the current block is always terminated; this can be useful if the
+  compressor has to be restarted from scratch after an interruption (in which
+  case the internal state of the compressor may be lost).
+    If flush is set to Z_FULL_FLUSH, the compression block is terminated, a
+  special marker is output and the compression dictionary is discarded; this
+  is useful to allow the decompressor to synchronize if one compressed block
+  has been damaged (see inflateSync below).  Flushing degrades compression and
+  so should be used only when necessary.  Using Z_FULL_FLUSH too often can
+  seriously degrade the compression. If deflate returns with avail_out == 0,
+  this function must be called again with the same value of the flush
+  parameter and more output space (updated avail_out), until the flush is
+  complete (deflate returns with non-zero avail_out).
+
+    If the parameter flush is set to Z_FINISH, pending input is processed,
+  pending output is flushed and deflate returns with Z_STREAM_END if there
+  was enough output space; if deflate returns with Z_OK, this function must be
+  called again with Z_FINISH and more output space (updated avail_out) but no
+  more input data, until it returns with Z_STREAM_END or an error. After
+  deflate has returned Z_STREAM_END, the only possible operations on the
+  stream are deflateReset or deflateEnd.
+  
+    Z_FINISH can be used immediately after deflateInit if all the compression
+  is to be done in a single step. In this case, avail_out must be at least
+  0.1% larger than avail_in plus 12 bytes.  If deflate does not return
+  Z_STREAM_END, then it must be called again as described above.
+
+    deflate() may update data_type if it can make a good guess about
+  the input data type (Z_ASCII or Z_BINARY). In doubt, the data is considered
+  binary. This field is only for information purposes and does not affect
+  the compression algorithm in any manner.
+
+    deflate() returns Z_OK if some progress has been made (more input
+  processed or more output produced), Z_STREAM_END if all input has been
+  consumed and all output has been produced (only when flush is set to
+  Z_FINISH), Z_STREAM_ERROR if the stream state was inconsistent (for example
+  if next_in or next_out was NULL), Z_BUF_ERROR if no progress is possible.
+*/
+
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) deflateEnd (z_streamp strm);
+#else
+extern int EXPORT deflateEnd OF((z_streamp strm));
+#endif
+/*
+     All dynamically allocated data structures for this stream are freed.
+   This function discards any unprocessed input and does not flush any
+   pending output.
+
+     deflateEnd returns Z_OK if success, Z_STREAM_ERROR if the
+   stream state was inconsistent, Z_DATA_ERROR if the stream was freed
+   prematurely (some input or output was discarded). In the error case,
+   msg may be set but then points to a static string (which must not be
+   deallocated).
+*/
+
+
+/* 
+extern int EXPORT inflateInit OF((z_streamp strm));
+
+     Initializes the internal stream state for decompression. The fields
+   zalloc, zfree and opaque must be initialized before by the caller.  If
+   zalloc and zfree are set to Z_NULL, inflateInit updates them to use default
+   allocation functions.
+
+     inflateInit returns Z_OK if success, Z_MEM_ERROR if there was not
+   enough memory, Z_VERSION_ERROR if the zlib library version is incompatible
+   with the version assumed by the caller.  msg is set to null if there is no
+   error message. inflateInit does not perform any decompression: this will be
+   done by inflate().
+*/
+
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) inflate (z_streamp strm, int flush);
+#else
+extern int EXPORT inflate OF((z_streamp strm, int flush));
+#endif
+/*
+  Performs one or both of the following actions:
+
+  - Decompress more input starting at next_in and update next_in and avail_in
+    accordingly. If not all input can be processed (because there is not
+    enough room in the output buffer), next_in is updated and processing
+    will resume at this point for the next call of inflate().
+
+  - Provide more output starting at next_out and update next_out and avail_out
+    accordingly.  inflate() provides as much output as possible, until there
+    is no more input data or no more space in the output buffer (see below
+    about the flush parameter).
+
+  Before the call of inflate(), the application should ensure that at least
+  one of the actions is possible, by providing more input and/or consuming
+  more output, and updating the next_* and avail_* values accordingly.
+  The application can consume the uncompressed output when it wants, for
+  example when the output buffer is full (avail_out == 0), or after each
+  call of inflate(). If inflate returns Z_OK and with zero avail_out, it
+  must be called again after making room in the output buffer because there
+  might be more output pending.
+
+    If the parameter flush is set to Z_PARTIAL_FLUSH, inflate flushes as much
+  output as possible to the output buffer. The flushing behavior of inflate is
+  not specified for values of the flush parameter other than Z_PARTIAL_FLUSH
+  and Z_FINISH, but the current implementation actually flushes as much output
+  as possible anyway.
+
+    inflate() should normally be called until it returns Z_STREAM_END or an
+  error. However if all decompression is to be performed in a single step
+  (a single call of inflate), the parameter flush should be set to
+  Z_FINISH. In this case all pending input is processed and all pending
+  output is flushed; avail_out must be large enough to hold all the
+  uncompressed data. (The size of the uncompressed data may have been saved
+  by the compressor for this purpose.) The next operation on this stream must
+  be inflateEnd to deallocate the decompression state. The use of Z_FINISH
+  is never required, but can be used to inform inflate that a faster routine
+  may be used for the single inflate() call.
+
+    inflate() returns Z_OK if some progress has been made (more input
+  processed or more output produced), Z_STREAM_END if the end of the
+  compressed data has been reached and all uncompressed output has been
+  produced, Z_NEED_DICT if a preset dictionary is needed at this point (see
+  inflateSetDictionary below), Z_DATA_ERROR if the input data was corrupted,
+  Z_STREAM_ERROR if the stream structure was inconsistent (for example if
+  next_in or next_out was NULL), Z_MEM_ERROR if there was not enough memory,
+  Z_BUF_ERROR if no progress is possible or if there was not enough room in
+  the output buffer when Z_FINISH is used. In the Z_DATA_ERROR case, the
+  application may then call inflateSync to look for a good compression block.
+  In the Z_NEED_DICT case, strm->adler is set to the Adler32 value of the
+  dictionary chosen by the compressor.
+*/
+
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) inflateEnd (z_streamp strm);
+#else
+extern int EXPORT inflateEnd OF((z_streamp strm));
+#endif
+/*
+     All dynamically allocated data structures for this stream are freed.
+   This function discards any unprocessed input and does not flush any
+   pending output.
+
+     inflateEnd returns Z_OK if success, Z_STREAM_ERROR if the stream state
+   was inconsistent. In the error case, msg may be set but then points to a
+   static string (which must not be deallocated).
+*/
+
+                        /* Advanced functions */
+
+/*
+    The following functions are needed only in some special applications.
+*/
+
+/*   
+extern int EXPORT deflateInit2 OF((z_streamp strm,
+                                   int  level,
+                                   int  method,
+                                   int  windowBits,
+                                   int  memLevel,
+                                   int  strategy));
+
+     This is another version of deflateInit with more compression options. The
+   fields next_in, zalloc, zfree and opaque must be initialized before by
+   the caller.
+
+     The method parameter is the compression method. It must be Z_DEFLATED in
+   this version of the library. (Method 9 will allow a 64K history buffer and
+   partial block flushes.)
+
+     The windowBits parameter is the base two logarithm of the window size
+   (the size of the history buffer).  It should be in the range 8..15 for this
+   version of the library (the value 16 will be allowed for method 9). Larger
+   values of this parameter result in better compression at the expense of
+   memory usage. The default value is 15 if deflateInit is used instead.
+
+     The memLevel parameter specifies how much memory should be allocated
+   for the internal compression state. memLevel=1 uses minimum memory but
+   is slow and reduces compression ratio; memLevel=9 uses maximum memory
+   for optimal speed. The default value is 8. See zconf.h for total memory
+   usage as a function of windowBits and memLevel.
+
+     The strategy parameter is used to tune the compression algorithm. Use the
+   value Z_DEFAULT_STRATEGY for normal data, Z_FILTERED for data produced by a
+   filter (or predictor), or Z_HUFFMAN_ONLY to force Huffman encoding only (no
+   string match).  Filtered data consists mostly of small values with a
+   somewhat random distribution. In this case, the compression algorithm is
+   tuned to compress them better. The effect of Z_FILTERED is to force more
+   Huffman coding and less string matching; it is somewhat intermediate
+   between Z_DEFAULT and Z_HUFFMAN_ONLY. The strategy parameter only affects
+   the compression ratio but not the correctness of the compressed output even
+   if it is not set appropriately.
+
+     If next_in is not null, the library will use this buffer to hold also
+   some history information; the buffer must either hold the entire input
+   data, or have at least 1<<(windowBits+1) bytes and be writable. If next_in
+   is null, the library will allocate its own history buffer (and leave next_in
+   null). next_out need not be provided here but must be provided by the
+   application for the next call of deflate().
+
+     If the history buffer is provided by the application, next_in must
+   must never be changed by the application since the compressor maintains
+   information inside this buffer from call to call; the application
+   must provide more input only by increasing avail_in. next_in is always
+   reset by the library in this case.
+
+      deflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was
+   not enough memory, Z_STREAM_ERROR if a parameter is invalid (such as
+   an invalid method). msg is set to null if there is no error message.
+   deflateInit2 does not perform any compression: this will be done by
+   deflate(). 
+*/
+                            
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) deflateSetDictionary (z_streamp strm,
+                                           const Bytef *dictionary,
+				           uInt  dictLength);
+#else
+extern int EXPORT deflateSetDictionary OF((z_streamp strm,
+                                           const Bytef *dictionary,
+				           uInt  dictLength));
+#endif
+/*
+     Initializes the compression dictionary (history buffer) from the given
+   byte sequence without producing any compressed output. This function must
+   be called immediately after deflateInit or deflateInit2, before any call
+   of deflate. The compressor and decompressor must use exactly the same
+   dictionary (see inflateSetDictionary).
+     The dictionary should consist of strings (byte sequences) that are likely
+   to be encountered later in the data to be compressed, with the most commonly
+   used strings preferably put towards the end of the dictionary. Using a
+   dictionary is most useful when the data to be compressed is short and
+   can be predicted with good accuracy; the data can then be compressed better
+   than with the default empty dictionary. In this version of the library,
+   only the last 32K bytes of the dictionary are used.
+     Upon return of this function, strm->adler is set to the Adler32 value
+   of the dictionary; the decompressor may later use this value to determine
+   which dictionary has been used by the compressor. (The Adler32 value
+   applies to the whole dictionary even if only a subset of the dictionary is
+   actually used by the compressor.)
+
+     deflateSetDictionary returns Z_OK if success, or Z_STREAM_ERROR if a
+   parameter is invalid (such as NULL dictionary) or the stream state
+   is inconsistent (for example if deflate has already been called for this
+   stream). deflateSetDictionary does not perform any compression: this will
+   be done by deflate(). 
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) deflateCopy (z_streamp dest, z_streamp source);
+#else
+extern int EXPORT deflateCopy OF((z_streamp dest, z_streamp source));
+#endif
+/*
+     Sets the destination stream as a complete copy of the source stream.  If
+   the source stream is using an application-supplied history buffer, a new
+   buffer is allocated for the destination stream.  The compressed output
+   buffer is always application-supplied. It's the responsibility of the
+   application to provide the correct values of next_out and avail_out for the
+   next call of deflate.
+
+     This function can be useful when several compression strategies will be
+   tried, for example when there are several ways of pre-processing the input
+   data with a filter. The streams that will be discarded should then be freed
+   by calling deflateEnd.  Note that deflateCopy duplicates the internal
+   compression state which can be quite large, so this strategy is slow and
+   can consume lots of memory.
+
+     deflateCopy returns Z_OK if success, Z_MEM_ERROR if there was not
+   enough memory, Z_STREAM_ERROR if the source stream state was inconsistent
+   (such as zalloc being NULL). msg is left unchanged in both source and
+   destination.
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) deflateReset (z_streamp strm);
+#else
+extern int EXPORT deflateReset OF((z_streamp strm));
+#endif
+/*
+     This function is equivalent to deflateEnd followed by deflateInit,
+   but does not free and reallocate all the internal compression state.
+   The stream will keep the same compression level and any other attributes
+   that may have been set by deflateInit2.
+
+      deflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source
+   stream state was inconsistent (such as zalloc or state being NULL).
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) deflateParams (z_streamp strm, int level, int strategy);
+#else
+extern int EXPORT deflateParams OF((z_streamp strm, int level, int strategy));
+#endif
+/*
+     Dynamically update the compression level and compression strategy.
+   This can be used to switch between compression and straight copy of
+   the input data, or to switch to a different kind of input data requiring
+   a different strategy. If the compression level is changed, the input
+   available so far is compressed with the old level (and may be flushed);
+   the new level will take effect only at the next call of deflate().
+
+     Before the call of deflateParams, the stream state must be set as for
+   a call of deflate(), since the currently available input may have to
+   be compressed and flushed. In particular, strm->avail_out must be non-zero.
+
+     deflateParams returns Z_OK if success, Z_STREAM_ERROR if the source
+   stream state was inconsistent or if a parameter was invalid, Z_BUF_ERROR
+   if strm->avail_out was zero.
+*/
+
+/*   
+extern int EXPORT inflateInit2 OF((z_streamp strm,
+                                   int  windowBits));
+
+     This is another version of inflateInit with more compression options. The
+   fields next_out, zalloc, zfree and opaque must be initialized before by
+   the caller.
+
+     The windowBits parameter is the base two logarithm of the maximum window
+   size (the size of the history buffer).  It should be in the range 8..15 for
+   this version of the library (the value 16 will be allowed soon). The
+   default value is 15 if inflateInit is used instead. If a compressed stream
+   with a larger window size is given as input, inflate() will return with
+   the error code Z_DATA_ERROR instead of trying to allocate a larger window.
+
+     If next_out is not null, the library will use this buffer for the history
+   buffer; the buffer must either be large enough to hold the entire output
+   data, or have at least 1<<windowBits bytes.  If next_out is null, the
+   library will allocate its own buffer (and leave next_out null). next_in
+   need not be provided here but must be provided by the application for the
+   next call of inflate().
+
+     If the history buffer is provided by the application, next_out must
+   never be changed by the application since the decompressor maintains
+   history information inside this buffer from call to call; the application
+   can only reset next_out to the beginning of the history buffer when
+   avail_out is zero and all output has been consumed.
+
+      inflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was
+   not enough memory, Z_STREAM_ERROR if a parameter is invalid (such as
+   windowBits < 8). msg is set to null if there is no error message.
+   inflateInit2 does not perform any decompression: this will be done by
+   inflate().
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) inflateSetDictionary (z_streamp strm,
+				           const Bytef *dictionary,
+					   uInt  dictLength);
+#else
+extern int EXPORT inflateSetDictionary OF((z_streamp strm,
+				           const Bytef *dictionary,
+					   uInt  dictLength));
+#endif
+/*
+     Initializes the decompression dictionary (history buffer) from the given
+   uncompressed byte sequence. This function must be called immediately after
+   a call of inflate if this call returned Z_NEED_DICT. The dictionary chosen
+   by the compressor can be determined from the Adler32 value returned by this
+   call of inflate. The compressor and decompressor must use exactly the same
+   dictionary (see deflateSetDictionary).
+
+     inflateSetDictionary returns Z_OK if success, Z_STREAM_ERROR if a
+   parameter is invalid (such as NULL dictionary) or the stream state is
+   inconsistent, Z_DATA_ERROR if the given dictionary doesn't match the
+   expected one (incorrect Adler32 value). inflateSetDictionary does not
+   perform any decompression: this will be done by subsequent calls of
+   inflate().
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) inflateSync (z_streamp strm);
+#else
+extern int EXPORT inflateSync OF((z_streamp strm));
+#endif
+/* 
+    Skips invalid compressed data until the special marker (see deflate()
+  above) can be found, or until all available input is skipped. No output
+  is provided.
+
+    inflateSync returns Z_OK if the special marker has been found, Z_BUF_ERROR
+  if no more input was provided, Z_DATA_ERROR if no marker has been found,
+  or Z_STREAM_ERROR if the stream structure was inconsistent. In the success
+  case, the application may save the current current value of total_in which
+  indicates where valid compressed data was found. In the error case, the
+  application may repeatedly call inflateSync, providing more input each time,
+  until success or end of the input data.
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) inflateReset (z_streamp strm);
+#else
+extern int EXPORT inflateReset OF((z_streamp strm));
+#endif
+/*
+     This function is equivalent to inflateEnd followed by inflateInit,
+   but does not free and reallocate all the internal decompression state.
+   The stream will keep attributes that may have been set by inflateInit2.
+
+      inflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source
+   stream state was inconsistent (such as zalloc or state being NULL).
+*/
+
+
+                        /* utility functions */
+
+/*
+     The following utility functions are implemented on top of the
+   basic stream-oriented functions. To simplify the interface, some
+   default options are assumed (compression level, window size,
+   standard memory allocation functions). The source code of these
+   utility functions can easily be modified if you need special options.
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) compress (Bytef *dest,   uLongf *destLen,
+			       const Bytef *source, uLong sourceLen);
+#else
+extern int EXPORT compress OF((Bytef *dest,   uLongf *destLen,
+			       const Bytef *source, uLong sourceLen));
+#endif
+/*
+     Compresses the source buffer into the destination buffer.  sourceLen is
+   the byte length of the source buffer. Upon entry, destLen is the total
+   size of the destination buffer, which must be at least 0.1% larger than
+   sourceLen plus 12 bytes. Upon exit, destLen is the actual size of the
+   compressed buffer.
+     This function can be used to compress a whole file at once if the
+   input file is mmap'ed.
+     compress returns Z_OK if success, Z_MEM_ERROR if there was not
+   enough memory, Z_BUF_ERROR if there was not enough room in the output
+   buffer.
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) uncompress (Bytef *dest,   uLongf *destLen,
+				 const Bytef *source, uLong sourceLen);
+#else
+extern int EXPORT uncompress OF((Bytef *dest,   uLongf *destLen,
+				 const Bytef *source, uLong sourceLen));
+#endif
+/*
+     Decompresses the source buffer into the destination buffer.  sourceLen is
+   the byte length of the source buffer. Upon entry, destLen is the total
+   size of the destination buffer, which must be large enough to hold the
+   entire uncompressed data. (The size of the uncompressed data must have
+   been saved previously by the compressor and transmitted to the decompressor
+   by some mechanism outside the scope of this compression library.)
+   Upon exit, destLen is the actual size of the compressed buffer.
+     This function can be used to decompress a whole file at once if the
+   input file is mmap'ed.
+
+     uncompress returns Z_OK if success, Z_MEM_ERROR if there was not
+   enough memory, Z_BUF_ERROR if there was not enough room in the output
+   buffer, or Z_DATA_ERROR if the input data was corrupted.
+*/
+
+
+typedef voidp gzFile;
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern gzFile) gzopen  (const char *path, const char *mode);
+#else
+extern gzFile EXPORT gzopen  OF((const char *path, const char *mode));
+#endif
+/*
+     Opens a gzip (.gz) file for reading or writing. The mode parameter
+   is as in fopen ("rb" or "wb") but can also include a compression level
+   ("wb9").  gzopen can be used to read a file which is not in gzip format;
+   in this case gzread will directly read from the file without decompression.
+     gzopen returns NULL if the file could not be opened or if there was
+   insufficient memory to allocate the (de)compression state; errno
+   can be checked to distinguish the two cases (if errno is zero, the
+   zlib error is Z_MEM_ERROR).
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern gzFile) gzdopen  (int fd, const char *mode);
+#else
+extern gzFile EXPORT gzdopen  OF((int fd, const char *mode));
+#endif
+/*
+     gzdopen() associates a gzFile with the file descriptor fd.  File
+   descriptors are obtained from calls like open, dup, creat, pipe or
+   fileno (in the file has been previously opened with fopen).
+   The mode parameter is as in gzopen.
+     The next call of gzclose on the returned gzFile will also close the
+   file descriptor fd, just like fclose(fdopen(fd), mode) closes the file
+   descriptor fd. If you want to keep fd open, use gzdopen(dup(fd), mode).
+     gzdopen returns NULL if there was insufficient memory to allocate
+   the (de)compression state.
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int)    gzread  (gzFile file, voidp buf, unsigned len);
+#else
+extern int EXPORT    gzread  OF((gzFile file, voidp buf, unsigned len));
+#endif
+/*
+     Reads the given number of uncompressed bytes from the compressed file.
+   If the input file was not in gzip format, gzread copies the given number
+   of bytes into the buffer.
+     gzread returns the number of uncompressed bytes actually read (0 for
+   end of file, -1 for error). */
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int)    gzwrite (gzFile file, const voidp buf, unsigned len);
+#else
+extern int EXPORT    gzwrite OF((gzFile file, const voidp buf, unsigned len));
+#endif
+/*
+     Writes the given number of uncompressed bytes into the compressed file.
+   gzwrite returns the number of uncompressed bytes actually written
+   (0 in case of error).
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int)    gzflush (gzFile file, int flush);
+#else
+extern int EXPORT    gzflush OF((gzFile file, int flush));
+#endif
+/*
+     Flushes all pending output into the compressed file. The parameter
+   flush is as in the deflate() function. The return value is the zlib
+   error number (see function gzerror below). gzflush returns Z_OK if
+   the flush parameter is Z_FINISH and all output could be flushed.
+     gzflush should be called only when strictly necessary because it can
+   degrade compression.
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int)    gzclose (gzFile file);
+#else
+extern int EXPORT    gzclose OF((gzFile file));
+#endif
+/*
+     Flushes all pending output if necessary, closes the compressed file
+   and deallocates all the (de)compression state. The return value is the zlib
+   error number (see function gzerror below).
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern const char *) gzerror (gzFile file, int *errnum);
+#else
+extern const char * EXPORT gzerror OF((gzFile file, int *errnum));
+#endif
+/*
+     Returns the error message for the last error which occurred on the
+   given compressed file. errnum is set to zlib error number. If an
+   error occurred in the file system and not in the compression library,
+   errnum is set to Z_ERRNO and the application may consult errno
+   to get the exact error code.
+*/
+
+                        /* checksum functions */
+
+/*
+     These functions are not related to compression but are exported
+   anyway because they might be useful in applications using the
+   compression library.
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern uLong) adler32 (uLong adler, const Bytef *buf, uInt len);
+#else
+extern uLong EXPORT adler32 OF((uLong adler, const Bytef *buf, uInt len));
+#endif
+
+/*
+     Update a running Adler-32 checksum with the bytes buf[0..len-1] and
+   return the updated checksum. If buf is NULL, this function returns
+   the required initial value for the checksum.
+   An Adler-32 checksum is almost as reliable as a CRC32 but can be computed
+   much faster. Usage example:
+
+     uLong adler = adler32(0L, Z_NULL, 0);
+
+     while (read_buffer(buffer, length) != EOF) {
+       adler = adler32(adler, buffer, length);
+     }
+     if (adler != original_adler) error();
+*/
+
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern uLong) crc32   (uLong crc, const Bytef *buf, uInt len);
+#else
+extern uLong EXPORT crc32   OF((uLong crc, const Bytef *buf, uInt len));
+#endif
+/*
+     Update a running crc with the bytes buf[0..len-1] and return the updated
+   crc. If buf is NULL, this function returns the required initial value
+   for the crc. Pre- and post-conditioning (one's complement) is performed
+   within this function so it shouldn't be done by the application.
+   Usage example:
+
+     uLong crc = crc32(0L, Z_NULL, 0);
+
+     while (read_buffer(buffer, length) != EOF) {
+       crc = crc32(crc, buffer, length);
+     }
+     if (crc != original_crc) error();
+*/
+
+
+                        /* various hacks, don't look :) */
+
+/* deflateInit and inflateInit are macros to allow checking the zlib version
+ * and the compiler's view of z_stream:
+ */
+#ifdef MOZILLA_CLIENT
+PR_PUBLIC_API(extern int) deflateInit_ (z_streamp strm, int level, const char *version, 
+					int stream_size);
+PR_PUBLIC_API(extern int) inflateInit_ (z_streamp strm, const char *version, 
+					int stream_size);
+PR_PUBLIC_API(extern int) deflateInit2_ (z_streamp strm, int  level, int  method, 
+					 int windowBits, int memLevel, int strategy, 
+					 const char *version, int stream_size);
+PR_PUBLIC_API(extern int) inflateInit2_ (z_streamp strm, int  windowBits, 
+					 const char *version, int stream_size);
+#else
+extern int EXPORT deflateInit_ OF((z_streamp strm, int level, const char *version, 
+				   int stream_size));
+extern int EXPORT inflateInit_ OF((z_streamp strm, const char *version, 
+				   int stream_size));
+extern int EXPORT deflateInit2_ OF((z_streamp strm, int  level, int  method, 
+				    int windowBits, int memLevel, int strategy, 
+				    const char *version, int stream_size));
+extern int EXPORT inflateInit2_ OF((z_streamp strm, int  windowBits, 
+				    const char *version, int stream_size));
+#endif /* MOZILLA_CLIENT */
+
+
+#define deflateInit(strm, level) \
+        deflateInit_((strm), (level),       ZLIB_VERSION, sizeof(z_stream))
+#define inflateInit(strm) \
+        inflateInit_((strm),                ZLIB_VERSION, sizeof(z_stream))
+#define deflateInit2(strm, level, method, windowBits, memLevel, strategy) \
+        deflateInit2_((strm),(level),(method),(windowBits),(memLevel),\
+		      (strategy),           ZLIB_VERSION, sizeof(z_stream))
+#define inflateInit2(strm, windowBits) \
+        inflateInit2_((strm), (windowBits), ZLIB_VERSION, sizeof(z_stream))
+
+#if !defined(_Z_UTIL_H) && !defined(NO_DUMMY_DECL)
+    struct internal_state {int dummy;}; /* hack for buggy compilers */
+#endif
+
+uLongf *get_crc_table OF((void)); /* can be used by asm versions of crc32() */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _ZLIB_H */
diff --git a/security/nss/lib/jar/manifest.mn b/security/nss/lib/jar/manifest.mn
new file mode 100644
index 000000000..9a47b1558
--- /dev/null
+++ b/security/nss/lib/jar/manifest.mn
@@ -0,0 +1,53 @@
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+
+MODULE = security
+
+LIBRARY_NAME = jar
+
+CORE_DEPTH = ../../..
+
+CSRCS =	\
+	jarver.c \
+	jarsign.c \
+	jar.c \
+	jar-ds.c \
+	jarfile.c \
+	jarevil.c \
+	jarjart.c \
+	jarint.c \
+	$(NULL)
+
+REQUIRES = security dbm
+
+EXPORTS	 = jar.h jar-ds.h jarfile.h
+
+DEFINES = -DMOZILLA_CLIENT=1
diff --git a/security/nss/lib/macbuild/NSS/NSS/NSS.mcp b/security/nss/lib/macbuild/NSS/NSS/NSS.mcp
new file mode 100644
index 000000000..99a1dd3de
--- /dev/null
+++ b/security/nss/lib/macbuild/NSS/NSS/NSS.mcp
diff --git a/security/nss/lib/macbuild/SecurityLib.mcp b/security/nss/lib/macbuild/SecurityLib.mcp
new file mode 100644
index 000000000..3efcf8c2d
--- /dev/null
+++ b/security/nss/lib/macbuild/SecurityLib.mcp
diff --git a/security/nss/lib/manifest.mn b/security/nss/lib/manifest.mn
new file mode 100644
index 000000000..2738cf722
--- /dev/null
+++ b/security/nss/lib/manifest.mn
@@ -0,0 +1,65 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CORE_DEPTH = ../..
+DEPTH      = ../..
+
+#
+# organized by DLL
+#
+#  softoken and prereqs.
+#  stan (not a separate dll yet)
+#  nss base (traditional)
+#  ssl
+#  smime
+#  ckfw (builtins module)
+#  crmf jar (not dll's)
+#  fortcrypt
+DIRS =  util freebl softoken \
+	base asn1 dev pki pki1 \
+	certdb certhigh pk11wrap cryptohi crypto nss \
+	ssl \
+	pkcs12 pkcs7 smime \
+	crmf jar \
+	ckfw      \
+	fortcrypt \
+	$(NULL)
+
+# NSS 4.0 build - pure stan libraries
+ifdef PURE_STAN_BUILD
+DIRS = base asn1 dev pki pki1
+endif
+
+#
+# these dirs are not built at the moment
+#
+#NOBUILD_DIRS = jar
diff --git a/security/nss/lib/nss/Makefile b/security/nss/lib/nss/Makefile
new file mode 100644
index 000000000..2eeeaef56
--- /dev/null
+++ b/security/nss/lib/nss/Makefile
@@ -0,0 +1,78 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/arch.mk
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+include config.mk
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
diff --git a/security/nss/lib/nss/config.mk b/security/nss/lib/nss/config.mk
new file mode 100644
index 000000000..c18b1c6ae
--- /dev/null
+++ b/security/nss/lib/nss/config.mk
@@ -0,0 +1,99 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+# can't do this in manifest.mn because OS_TARGET isn't defined there.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+# don't want the 32 in the shared library name
+SHARED_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION).dll
+IMPORT_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION).lib
+
+RES = $(OBJDIR)/$(LIBRARY_NAME).res
+RESNAME = $(LIBRARY_NAME).rc
+
+EXTRA_SHARED_LIBS += \
+	$(DIST)/lib/softokn3.lib \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plc4.lib \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plds4.lib \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)nspr4.lib \
+	$(NULL)
+
+else
+
+# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
+# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib/ \
+	-lsoftokn3 \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+
+endif
+
+
+# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
+SHARED_LIBRARY_LIBS = \
+	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)cryptohi.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)secutil.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
+	$(NULL)
+
+SHARED_LIBRARY_DIRS = \
+	../certhigh \
+	../cryptohi \
+	../pk11wrap \
+	../certdb \
+	../util \
+	../pki \
+	../dev \
+	../base \
+	$(NULL)
+
+
+ifeq ($(OS_TARGET),SunOS)
+# The -R '$ORIGIN' linker option instructs libnss3.so to search for its
+# dependencies (libsoftokn3.so) in the same directory where it resides.
+MKSHLIB += -R '$$ORIGIN'
+endif
diff --git a/security/nss/lib/nss/manifest.mn b/security/nss/lib/nss/manifest.mn
new file mode 100644
index 000000000..1fbdc045d
--- /dev/null
+++ b/security/nss/lib/nss/manifest.mn
@@ -0,0 +1,55 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CORE_DEPTH = ../../..
+
+PRIVATE_EXPORTS = \
+	nssrenam.h \
+	$(NULL)
+
+EXPORTS = \
+	nss.h \
+	$(NULL)
+
+MODULE = security
+
+CSRCS = \
+	nssinit.c \
+	nssver.c \
+	$(NULL)
+
+REQUIRES = security dbm
+
+MAPFILE = $(OBJDIR)/nss.def
+
+LIBRARY_NAME = nss
+LIBRARY_VERSION = 3
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
new file mode 100644
index 000000000..46ecdbd03
--- /dev/null
+++ b/security/nss/lib/nss/nss.def
@@ -0,0 +1,661 @@
+;+#
+;+# The contents of this file are subject to the Mozilla Public
+;+# License Version 1.1 (the "License"); you may not use this file
+;+# except in compliance with the License. You may obtain a copy of
+;+# the License at http://www.mozilla.org/MPL/
+;+#
+;+# Software distributed under the License is distributed on an "AS
+;+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+;+# implied. See the License for the specific language governing
+;+# rights and limitations under the License.
+;+#
+;+# The Original Code is the Netscape security libraries.
+;+#
+;+# The Initial Developer of the Original Code is Netscape
+;+# Communications Corporation.  Portions created by Netscape are
+;+# Copyright (C) 2000 Netscape Communications Corporation.  All
+;+# Rights Reserved.
+;+#
+;+# Contributor(s): 
+;+#	Dr Stephen Henson <stephen.henson@gemplus.com>
+;+#
+;+# Alternatively, the contents of this file may be used under the
+;+# terms of the GNU General Public License Version 2 or later (the
+;+# "GPL"), in which case the provisions of the GPL are applicable
+;+# instead of those above.  If you wish to allow use of your
+;+# version of this file only under the terms of the GPL and not to
+;+# allow others to use your version of this file under the MPL,
+;+# indicate your decision by deleting the provisions above and
+;+# replace them with the notice and other provisions required by
+;+# the GPL.  If you do not delete the provisions above, a recipient
+;+# may use your version of this file under either the MPL or the
+;+# GPL.
+;+#
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+#   1. For all unix platforms, the string ";-"  means "remove this line"
+;+#   2. For all unix platforms, the string " DATA " will be removed from any 
+;+#	line on which it occurs.
+;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+#      On AIX, lines containing ";+" will be removed.  
+;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+#   5. For all unix platforms, after the above processing has taken place,
+;+#    all characters after the first ";" on the line will be removed.  
+;+#    And for AIX, the first ";" will also be removed.
+;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+#   directives are hidden behind ";", ";+", and ";-"
+;+NSS_3.2 {       # NSS 3.2 release
+;+    global:
+LIBRARY nss3	;-
+EXPORTS		;-
+ATOB_AsciiToData;
+BTOA_ConvertItemToAscii;
+BTOA_DataToAscii;
+CERT_AsciiToName;
+CERT_CertTimesValid;
+CERT_CheckCertValidTimes;
+CERT_CreateCertificateRequest;
+CERT_ChangeCertTrust;
+CERT_DecodeDERCrl;
+CERT_DestroyCertificateRequest;
+CERT_DestroyCertList;
+CERT_DestroyName;
+CERT_EnableOCSPChecking;
+CERT_FormatName;
+CERT_DestroyCertificate;
+CERT_DupCertificate;
+CERT_FreeDistNames;
+CERT_FreeNicknames;
+CERT_GetAVATag;
+CERT_GetCertEmailAddress;
+CERT_GetCertNicknames;
+CERT_GetCertIssuerAndSN;
+CERT_GetCertTrust;
+CERT_GetCertUid;
+CERT_GetCommonName;
+CERT_GetCountryName;
+CERT_GetDBContentVersion;
+CERT_GetDefaultCertDB;
+CERT_GetDomainComponentName;
+CERT_GetLocalityName;
+CERT_GetOrgName;
+CERT_GetOrgUnitName;
+CERT_GetSSLCACerts;
+CERT_GetSlopTime;
+CERT_GetStateName;
+CERT_ImportCAChain;
+CERT_NameToAscii;
+CERT_RFC1485_EscapeAndQuote;
+CERT_SetSlopTime;
+CERT_VerifyCertName;
+CERT_VerifyCertNow;
+DER_UTCDayToAscii;
+DER_UTCTimeToAscii;
+DER_GeneralizedTimeToTime;
+NSS_Init;
+NSS_Initialize;
+NSS_InitReadWrite;
+NSS_NoDB_Init;
+NSS_Shutdown;
+NSS_VersionCheck;
+PK11_Authenticate;
+PK11_ChangePW;
+PK11_CheckUserPassword;
+PK11_CipherOp;
+PK11_CloneContext;
+PK11_ConfigurePKCS11;
+PK11_CreateContextBySymKey;
+PK11_CreateDigestContext;
+PK11_DestroyContext;
+PK11_DestroyTokenObject;
+PK11_DigestBegin;
+PK11_DigestOp;
+PK11_DigestFinal;
+PK11_DoesMechanism;
+PK11_FindCertFromNickname;
+PK11_FindCertFromDERCert;
+PK11_FindCertByIssuerAndSN;
+PK11_FindKeyByAnyCert;
+PK11_FindKeyByDERCert;
+PK11_FindSlotByName;
+PK11_Finalize;
+PK11_FortezzaHasKEA;
+PK11_FreeSlot;
+PK11_FreeSlotList;
+PK11_FreeSymKey;
+PK11_GenerateKeyPair;
+PK11_GenerateRandom;
+PK11_GenerateNewParam;
+PK11_GetAllTokens;
+PK11_GetBlockSize;
+PK11_GetFirstSafe;
+PK11_GetInternalKeySlot;
+PK11_GetInternalSlot;
+PK11_GetSlotName;
+PK11_GetTokenName;
+PK11_HashBuf;
+PK11_IsFIPS;
+PK11_IsFriendly;
+PK11_IsInternal;
+PK11_IsHW;
+PK11_IsPresent;
+PK11_IsReadOnly;
+PK11_KeyGen;
+PK11_ListCerts;
+PK11_NeedLogin;
+PK11_RandomUpdate;
+PK11_SetPasswordFunc;
+PK11_SetSlotPWValues;
+PORT_Alloc;
+PORT_Free;
+PORT_GetError;
+PORT_SetError;
+PORT_SetUCS4_UTF8ConversionFunction;
+PORT_SetUCS2_UTF8ConversionFunction;
+PORT_SetUCS2_ASCIIConversionFunction;
+SECITEM_CopyItem;
+SECITEM_DupItem;
+SECITEM_FreeItem;
+SECITEM_ZfreeItem;
+SECKEY_ConvertToPublicKey;
+SECKEY_CopyPrivateKey;
+SECKEY_CreateSubjectPublicKeyInfo;
+SECKEY_DestroyPrivateKey;
+SECKEY_DestroySubjectPublicKeyInfo;
+SECMOD_IsModulePresent;
+SECOID_FindOIDTagDescription;
+SECOID_GetAlgorithmTag;
+SEC_DeletePermCertificate;
+SEC_DeletePermCRL;
+SEC_DerSignData;
+SEC_DestroyCrl;
+SEC_FindCrlByDERCert;
+SEC_FindCrlByName;
+SEC_LookupCrls;
+SEC_NewCrl;
+;+#
+;+# The following symbols are exported only to make libssl3.so work. 
+;+# These are still private!!!
+;+#
+__CERT_NewTempCertificate;
+__PK11_CreateContextByRawKey;
+__PK11_GetKeyData;
+__nss_InitLock;
+CERT_CertChainFromCert;
+CERT_DestroyCertificateList;
+CERT_DupCertList;
+CERT_ExtractPublicKey;
+CERT_FindCertByName;
+DER_Lengths;
+DSAU_DecodeDerSig;
+DSAU_EncodeDerSig;
+HASH_GetHashObject;
+NSSRWLock_Destroy;
+NSSRWLock_HaveWriteLock;
+NSSRWLock_LockRead;
+NSSRWLock_LockWrite;
+NSSRWLock_New;
+NSSRWLock_UnlockRead;
+NSSRWLock_UnlockWrite;
+NSS_PutEnv;
+PK11_Derive;
+PK11_DeriveWithFlags;
+PK11_DigestKey;
+PK11_FindBestKEAMatch;
+PK11_FindFixedKey;
+PK11_GenerateFortezzaIV;
+PK11_GetBestKeyLength;
+PK11_GetBestSlot;
+PK11_GetBestSlotMultiple;
+PK11_GetBestWrapMechanism;
+PK11_GetCurrentWrapIndex;
+PK11_GetMechanism;
+PK11_GetModuleID;
+PK11_GetPrivateModulusLen;
+PK11_GetSlotFromKey;
+PK11_GetSlotFromPrivateKey;
+PK11_GetSlotID;
+PK11_GetSlotSeries;
+PK11_GetTokenInfo;
+PK11_GetWindow;
+PK11_GetWrapKey;
+PK11_IVFromParam;
+PK11_MakeKEAPubKey;
+PK11_ParamFromIV;
+PK11_PubDecryptRaw;
+PK11_PubDerive;
+PK11_PubEncryptRaw;
+PK11_PubUnwrapSymKey;
+PK11_PubWrapSymKey;
+PK11_ReferenceSymKey;
+PK11_RestoreContext;
+PK11_SaveContext;
+PK11_SetFortezzaHack;
+PK11_SetWrapKey;
+PK11_Sign;
+PK11_SignatureLen;
+PK11_SymKeyFromHandle;
+PK11_TokenExists;
+PK11_UnwrapSymKey;
+PK11_UnwrapSymKeyWithFlags;
+PK11_Verify;
+PK11_VerifyKeyOK;
+PK11_WrapSymKey;
+PORT_ArenaAlloc;
+PORT_ArenaZAlloc;
+PORT_FreeArena;
+PORT_NewArena;
+PORT_Realloc;
+PORT_ZAlloc;
+PORT_ZFree;
+RSA_FormatBlock;
+SECITEM_CompareItem;
+SECKEY_CreateRSAPrivateKey;
+SECKEY_DestroyPublicKey;
+SECKEY_PublicKeyStrength;
+SECKEY_UpdateCertPQG;
+SECMOD_LookupSlot;
+SGN_Begin;
+SGN_DestroyContext;
+SGN_End;
+SGN_NewContext;
+SGN_Update;
+VFY_Begin;
+VFY_CreateContext;
+VFY_DestroyContext;
+VFY_End;
+VFY_Update;
+;+#
+;+# The following symbols are exported only to make libsmime3.so work. 
+;+# These are still private!!!
+;+#
+__CERT_ClosePermCertDB;
+__CERT_DecodeDERCertificate;
+__CERT_TraversePermCertsForNickname;
+__CERT_TraversePermCertsForSubject;
+__PBE_CreateContext;
+__PBE_DestroyContext;
+__PBE_GenerateBits;
+ATOB_ConvertAsciiToItem;
+CERT_AddCertToListTail;
+CERT_CertListFromCert;
+CERT_DestroyCertArray;
+CERT_FindCertByDERCert;
+CERT_FindCertByIssuerAndSN;
+CERT_FindSMimeProfile;
+CERT_ImportCerts;
+CERT_NewCertList;
+CERT_OpenCertDBFilename;
+CERT_SaveSMimeProfile;
+CERT_VerifyCert;
+DER_GetInteger;
+DER_TimeToUTCTime;
+DER_UTCTimeToTime;
+PK11_AlgtagToMechanism;
+PK11_BlockData;
+PK11_CreatePBEAlgorithmID;
+PK11_DestroyObject;
+PK11_ExportEncryptedPrivateKeyInfo;
+PK11_ExportPrivateKeyInfo;
+PK11_FindCertAndKeyByRecipientList;
+PK11_FindCertAndKeyByRecipientListNew;
+PK11_FindCertInSlot;
+PK11_FindPrivateKeyFromCert;
+PK11_FortezzaMapSig;
+PK11_GetKeyLength;
+PK11_GetKeyStrength;
+PK11_ImportCertForKeyToSlot;
+PK11_ImportEncryptedPrivateKeyInfo;
+PK11_ImportPrivateKeyInfo;
+PK11_MapPBEMechanismToCryptoMechanism;
+PK11_PBEKeyGen;
+PK11_ParamFromAlgid;
+PK11_ParamToAlgid;
+PK11_TraverseCertsForNicknameInSlot;
+PK11_TraverseCertsForSubjectInSlot;
+PORT_ArenaGrow;
+PORT_ArenaMark;
+PORT_ArenaRelease;
+PORT_ArenaStrdup;
+PORT_ArenaUnmark;
+PORT_UCS2_ASCIIConversion;
+PORT_UCS2_UTF8Conversion;
+SECITEM_AllocItem;
+SECKEY_CopyEncryptedPrivateKeyInfo;
+SECKEY_CopyPrivateKeyInfo;
+SECKEY_DestroyEncryptedPrivateKeyInfo;
+SECKEY_DestroyPrivateKeyInfo;
+SECOID_CompareAlgorithmID;
+SECOID_CopyAlgorithmID;
+SECOID_DestroyAlgorithmID;
+SECOID_FindOID;
+SECOID_FindOIDByTag;
+SECOID_FindOIDTag;
+SECOID_SetAlgorithmID;
+SEC_ASN1DecodeInteger;
+SEC_ASN1DecodeItem;
+SEC_ASN1DecoderClearFilterProc;
+SEC_ASN1DecoderClearNotifyProc;
+SEC_ASN1DecoderFinish;
+SEC_ASN1DecoderSetFilterProc;
+SEC_ASN1DecoderSetNotifyProc;
+SEC_ASN1DecoderStart;
+SEC_ASN1DecoderUpdate;
+SEC_ASN1Encode;
+SEC_ASN1EncodeInteger;
+SEC_ASN1EncodeItem;
+SEC_ASN1EncoderClearNotifyProc;
+SEC_ASN1EncoderClearStreaming;
+SEC_ASN1EncoderClearTakeFromBuf;
+SEC_ASN1EncoderFinish;
+SEC_ASN1EncoderSetNotifyProc;
+SEC_ASN1EncoderSetStreaming;
+SEC_ASN1EncoderSetTakeFromBuf;
+SEC_ASN1EncoderStart;
+SEC_ASN1EncoderUpdate;
+SEC_ASN1LengthLength;
+SEC_PKCS5GetCryptoAlgorithm;
+SEC_PKCS5GetKeyLength;
+SEC_PKCS5GetPBEAlgorithm;
+SEC_PKCS5IsAlgorithmPBEAlg;
+SEC_SignData;
+SGN_CompareDigestInfo;
+SGN_CopyDigestInfo;
+SGN_CreateDigestInfo;
+SGN_DestroyDigestInfo;
+SGN_Digest;
+VFY_VerifyData;
+VFY_VerifyDigest;
+;+#
+;+# Data objects
+;+#
+;+# Don't export these DATA symbols on Windows because they don't work right.
+;;CERT_CrlTemplate DATA ;
+;;CERT_SignedDataTemplate DATA ;
+;;CERT_CertificateTemplate DATA ;
+;;CERT_CertificateRequestTemplate DATA ;
+;;CERT_IssuerAndSNTemplate DATA ;
+;;CERT_SetOfSignedCrlTemplate DATA ;
+;;SECKEY_DSAPublicKeyTemplate DATA ;
+;;SECKEY_EncryptedPrivateKeyInfoTemplate DATA ;
+;;SECKEY_PointerToEncryptedPrivateKeyInfoTemplate DATA ;
+;;SECKEY_PointerToPrivateKeyInfoTemplate DATA ;
+;;SECKEY_PrivateKeyInfoTemplate DATA ;
+;;SECKEY_RSAPublicKeyTemplate DATA ;
+;;SECOID_AlgorithmIDTemplate DATA ;
+;;SEC_AnyTemplate DATA ;
+;;SEC_BMPStringTemplate DATA ;
+;;SEC_BitStringTemplate DATA ;
+;;SEC_GeneralizedTimeTemplate DATA ;
+;;SEC_IA5StringTemplate DATA ;
+;;SEC_IntegerTemplate DATA ;
+;;SEC_ObjectIDTemplate DATA ;
+;;SEC_OctetStringTemplate DATA ;
+;;SEC_PointerToAnyTemplate DATA ;
+;;SEC_PointerToOctetStringTemplate DATA ;
+;;SEC_SetOfAnyTemplate DATA ;
+;;SEC_UTCTimeTemplate DATA ;
+;;sgn_DigestInfoTemplate DATA ;
+NSS_Get_CERT_CrlTemplate;
+NSS_Get_CERT_SignedDataTemplate;
+NSS_Get_CERT_CertificateTemplate;
+NSS_Get_CERT_CertificateRequestTemplate;
+NSS_Get_CERT_IssuerAndSNTemplate;
+NSS_Get_CERT_SetOfSignedCrlTemplate;
+NSS_Get_SECKEY_DSAPublicKeyTemplate;
+NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate;
+NSS_Get_SECKEY_PointerToEncryptedPrivateKeyInfoTemplate;
+NSS_Get_SECKEY_PointerToPrivateKeyInfoTemplate;
+NSS_Get_SECKEY_PrivateKeyInfoTemplate;
+NSS_Get_SECKEY_RSAPublicKeyTemplate;
+NSS_Get_SECOID_AlgorithmIDTemplate;
+NSS_Get_SEC_AnyTemplate;
+NSS_Get_SEC_BMPStringTemplate;
+NSS_Get_SEC_BitStringTemplate;
+NSS_Get_SEC_GeneralizedTimeTemplate;
+NSS_Get_SEC_IA5StringTemplate;
+NSS_Get_SEC_IntegerTemplate;
+NSS_Get_SEC_ObjectIDTemplate;
+NSS_Get_SEC_OctetStringTemplate;
+NSS_Get_SEC_PointerToAnyTemplate;
+NSS_Get_SEC_PointerToOctetStringTemplate;
+NSS_Get_SEC_SetOfAnyTemplate;
+NSS_Get_SEC_UTCTimeTemplate;
+NSS_Get_sgn_DigestInfoTemplate;
+;+# commands
+CERT_DecodeBasicConstraintValue;
+CERT_DecodeOidSequence;
+CERT_DecodeUserNotice;
+CERT_DecodeCertificatePoliciesExtension;
+CERT_DestroyCertificatePoliciesExtension;
+CERT_FindCertByNicknameOrEmailAddr;
+CERT_FindCertByNickname;
+CERT_GenTime2FormattedAscii;
+CERT_Hexify;
+CERT_CompareName;
+PK11SDR_Encrypt;
+PK11SDR_Decrypt;
+NSSBase64Decoder_Create;
+NSSBase64Decoder_Destroy;
+NSSBase64Decoder_Update;
+NSSBase64Encoder_Create;
+NSSBase64Encoder_Destroy;
+NSSBase64Encoder_Update;
+;+#PK11_DoPassword;
+;+#PK11_FindKeyByKeyID;
+PK11_InitPin;
+PK11_NeedUserInit;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.2.1 {       # NSS 3.2.1 release
+;+    global:
+CERT_AddRDN;
+CERT_CreateRDN;
+CERT_CreateAVA;
+CERT_CreateName;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.3 { 	# NSS 3.3. release
+;+    global:
+CERT_CheckCertUsage;
+CERT_FindCertIssuer;
+PK11_GetModule;
+SECKEY_CreateDHPrivateKey;
+SECKEY_GetPublicKeyType;
+SECMOD_AddNewModule;
+;+#
+;+# The following symbols are exported only to make JSS work.
+;+# These are still private!!!
+;+#
+CERT_DisableOCSPChecking;
+CERT_DisableOCSPDefaultResponder;
+CERT_EnableOCSPDefaultResponder;
+CERT_GetCertTimes;
+CERT_ImportCAChainTrusted;
+CERT_ImportCRL;
+CERT_IsCACert;
+CERT_IsCADERCert;
+CERT_SetOCSPDefaultResponder;
+PBE_CreateContext;
+PBE_DestroyContext;
+PBE_GenerateBits;
+PK11_CheckSSOPassword;
+PK11_CopySymKeyForSigning;
+PK11_DeleteTokenCertAndKey;
+PK11_DEREncodePublicKey;
+PK11_ExtractKeyValue;
+PK11_FindCertsFromNickname;
+PK11_FindKeyByKeyID;
+PK11_GetIVLength;
+PK11_GetKeyData;
+PK11_GetKeyType;
+PK11_GetLowLevelKeyIDForCert;
+PK11_GetLowLevelKeyIDForPrivateKey;
+PK11_GetSlotPWValues;
+PK11_ImportCertForKey;
+PK11_ImportDERCertForKey;
+PK11_ImportDERPrivateKeyInfo;
+PK11_ImportSymKey;
+PK11_IsLoggedIn;
+PK11_KeyForDERCertExists;
+PK11_KeyForCertExists;
+PK11_ListPrivateKeysInSlot;
+PK11_ListCertsInSlot;
+PK11_Logout;
+PK11_NeedPWInit;
+PK11_MakeIDFromPubKey;
+PK11_PQG_DestroyParams;
+PK11_PQG_DestroyVerify;
+PK11_PQG_GetBaseFromParams;
+PK11_PQG_GetCounterFromVerify;
+PK11_PQG_GetHFromVerify;
+PK11_PQG_GetPrimeFromParams;
+PK11_PQG_GetSeedFromVerify;
+PK11_PQG_GetSubPrimeFromParams;
+PK11_PQG_NewParams;
+PK11_PQG_NewVerify;
+PK11_PQG_ParamGen;
+PK11_PQG_ParamGenSeedLen;
+PK11_PQG_VerifyParams;
+PK11_ReferenceSlot;
+PK11_SeedRandom;
+PK11_UnwrapPrivKey;
+PK11_VerifyRecover;
+PK11_WrapPrivKey;
+SEC_CertNicknameConflict;
+SEC_PKCS5GetIV;
+SECMOD_DeleteInternalModule;
+SECMOD_DestroyModule;
+SECMOD_GetDefaultModuleList;
+SECMOD_GetDefaultModuleListLock;
+SECMOD_GetInternalModule;
+SECMOD_GetReadLock;
+SECMOD_ReferenceModule;
+SECMOD_ReleaseReadLock;
+SECKEY_AddPrivateKeyToListTail;
+SECKEY_EncodeDERSubjectPublicKeyInfo;
+SECKEY_ExtractPublicKey;
+SECKEY_DestroyPrivateKeyList;
+SECKEY_GetPrivateKeyType;
+SECKEY_HashPassword;
+SECKEY_ImportDERPublicKey;
+SECKEY_NewPrivateKeyList;
+SECKEY_RemovePrivateKeyListNode;
+VFY_EndWithSignature;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.3.1 { 	# NSS 3.3.1 release
+;+    global:
+;+#
+;+# The following symbols are exported only to make libsmime3.so work. 
+;+# These are still private!!!
+;+#
+PK11_CreatePBEParams;
+PK11_DestroyPBEParams;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.4 { 	# NSS 3.4 release
+;+    global:
+SECMOD_AddNewModuleEx;
+SECMOD_DeleteModule;
+SECMOD_FreeModuleSpecList;
+SECMOD_GetModuleSpecList;
+SECMOD_LoadUserModule;
+SECMOD_UnloadUserModule;
+SECMOD_UpdateModule;
+;+# for PKCS #12
+PK11_RawPBEKeyGen;
+;+# for PSM
+__CERT_AddTempCertToPerm;
+CERT_AddOKDomainName;
+CERT_CopyName;
+CERT_CreateSubjectCertList;
+CERT_DecodeAVAValue;
+;+#CERT_DecodeCertFromPackage;
+CERT_DecodeGeneralName;
+CERT_DecodeTrustString;
+CERT_DerNameToAscii;
+CERT_EncodeGeneralName;
+CERT_FilterCertListByCANames;
+CERT_FilterCertListByUsage;
+CERT_FindCertExtension;
+CERT_FindKeyUsageExtension;
+CERT_FindUserCertByUsage;
+CERT_FindUserCertsByUsage;
+CERT_GetCertChainFromCert;
+CERT_GetOCSPAuthorityInfoAccessLocation;
+CERT_KeyFromDERCrl;
+CERT_MakeCANickname;
+CERT_NicknameStringsFromCertList;
+CERT_VerifySignedData;
+DER_Encode;
+HASH_Begin;
+HASH_Create;
+HASH_Destroy;
+HASH_End;
+HASH_ResultLen;
+HASH_Update;
+NSSBase64_DecodeBuffer;   # from Stan
+NSSBase64_EncodeItem;   # from Stan
+PK11_GetKeyGen;
+PK11_GetMinimumPwdLength;
+PK11_GetNextSafe;
+PK11_GetPadMechanism;
+PK11_GetSlotInfo;
+PK11_HasRootCerts;
+PK11_IsDisabled;
+PK11_LoadPrivKey;
+PK11_LogoutAll;
+PK11_MechanismToAlgtag;
+PK11_ResetToken;
+PK11_TraverseSlotCerts;
+SEC_ASN1Decode;
+SECKEY_CopySubjectPublicKeyInfo;
+SECMOD_CreateModule;
+SECMOD_FindModule;
+SECMOD_FindSlot;
+SECMOD_PubCipherFlagstoInternal;
+SECMOD_PubMechFlagstoInternal;
+;;CERT_NameTemplate DATA ;
+;;CERT_SubjectPublicKeyInfoTemplate DATA ;
+;;SEC_BooleanTemplate DATA ;
+;;SEC_NullTemplate DATA ;
+;;SEC_SignedCertificateTemplate DATA ;
+;;SEC_UTF8StringTemplate DATA ;
+NSS_Get_CERT_NameTemplate;
+NSS_Get_CERT_SubjectPublicKeyInfoTemplate;
+NSS_Get_SEC_BooleanTemplate;
+NSS_Get_SEC_NullTemplate;
+NSS_Get_SEC_SignedCertificateTemplate;
+NSS_Get_SEC_UTF8StringTemplate;
+;+# for JSS
+PK11_DeleteTokenPrivateKey;
+PK11_DeleteTokenPublicKey;
+PK11_DeleteTokenSymKey;
+PK11_GetNextSymKey;
+PK11_GetPQGParamsFromPrivateKey;
+PK11_GetPrivateKeyNickname;
+PK11_GetPublicKeyNickname;
+PK11_GetSymKeyNickname;
+PK11_ImportDERPrivateKeyInfoAndReturnKey;
+PK11_ImportPrivateKeyInfoAndReturnKey;
+PK11_ImportPublicKey;
+PK11_ImportSymKeyWithFlags;
+PK11_ListFixedKeysInSlot;
+PK11_ListPrivKeysInSlot;
+PK11_ListPublicKeysInSlot;
+PK11_ProtectedAuthenticationPath;
+PK11_SetPrivateKeyNickname;
+PK11_SetPublicKeyNickname;
+PK11_SetSymKeyNickname;
+SECKEY_DecodeDERSubjectPublicKeyInfo;
+SECKEY_DestroyPublicKeyList;
+;+# for debugging
+nss_DumpCertificateCacheInfo;
+;+    local:
+;+       *;
+;+};
diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h
new file mode 100644
index 000000000..519f26ef8
--- /dev/null
+++ b/security/nss/lib/nss/nss.h
@@ -0,0 +1,153 @@
+/*
+ * NSS utility functions
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#ifndef __nss_h_
+#define __nss_h_
+
+#include "seccomon.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+ * NSS's major version, minor version, patch level, and whether
+ * this is a beta release.
+ *
+ * The format of the version string should be
+ *     "<major version>.<minor version>[.<patch level>] [<Beta>]"
+ */
+#define NSS_VERSION  "3.4 Beta"
+#define NSS_VMAJOR   3
+#define NSS_VMINOR   4
+#define NSS_VPATCH   0
+#define NSS_BETA     PR_TRUE
+
+
+/*
+ * Return a boolean that indicates whether the underlying library
+ * will perform as the caller expects.
+ *
+ * The only argument is a string, which should be the verson
+ * identifier of the NSS library. That string will be compared
+ * against a string that represents the actual build version of
+ * the NSS library.  It also invokes the version checking functions
+ * of the dependent libraries such as NSPR.
+ */
+extern PRBool NSS_VersionCheck(const char *importedVersion);
+
+/*
+ * Open the Cert, Key, and Security Module databases, read only.
+ * Initialize the Random Number Generator.
+ * Does not initialize the cipher policies or enables.
+ * Default policy settings disallow all ciphers.
+ */
+extern SECStatus NSS_Init(const char *configdir);
+
+/*
+ * Open the Cert, Key, and Security Module databases, read/write.
+ * Initialize the Random Number Generator.
+ * Does not initialize the cipher policies or enables.
+ * Default policy settings disallow all ciphers.
+ */
+extern SECStatus NSS_InitReadWrite(const char *configdir);
+
+/*
+ * Open the Cert, Key, and Security Module databases, read/write.
+ * Initialize the Random Number Generator.
+ * Does not initialize the cipher policies or enables.
+ * Default policy settings disallow all ciphers.
+ *
+ * This allows using application defined prefixes for the cert and key db's
+ * and an alternate name for the secmod database. NOTE: In future releases,
+ * the database prefixes my not necessarily map to database names.
+ *
+ * configdir - base directory where all the cert, key, and module datbases live.
+ * certPrefix - prefix added to the beginning of the cert database example: "
+ * 			"https-server1-"
+ * keyPrefix - prefix added to the beginning of the key database example: "
+ * 			"https-server1-"
+ * secmodName - name of the security module database (usually "secmod.db").
+ * flags - change the open options of NSS_Initialize as follows:
+ * 	NSS_INIT_READONLY - Open the databases read only.
+ * 	NSS_INIT_NOCERTDB - Don't open the cert DB and key DB's, just 
+ * 			initialize the volatile certdb.
+ * 	NSS_INIT_NOMODDB  - Don't open the security module DB, just 
+ *			initialize the 	PKCS #11 module.
+ *      NSS_INIT_FORCEOPEN - Continue to force initializations even if the 
+ * 			databases cannot be opened.
+ *      NSS_INIT_NOROOTINIT - Don't try to look for the root certs module
+ *			automatically.
+ *
+ * Also NOTE: This is not the recommended method for initializing NSS. 
+ * The prefered method is NSS_init().
+ */
+#define NSS_INIT_READONLY	0x1
+#define NSS_INIT_NOCERTDB	0x2
+#define NSS_INIT_NOMODDB	0x4
+#define NSS_INIT_FORCEOPEN	0x8
+#define NSS_INIT_NOROOTINIT     0x10
+
+extern SECStatus NSS_Initialize(const char *configdir, 
+	const char *certPrefix, const char *keyPrefix, 
+	const char *secmodName, PRUint32 flags);
+
+/*
+ * initialize NSS without a creating cert db's, key db's, or secmod db's.
+ */
+SECStatus NSS_NoDB_Init(const char *configdir);
+
+/* 
+ * Close the Cert, Key databases.
+ */
+extern void NSS_Shutdown(void);
+
+/*
+ * set the PKCS #11 strings for the internal token.
+ */
+void PK11_ConfigurePKCS11(const char *man, const char *libdes, 
+	const char *tokdes, const char *ptokdes, const char *slotdes, 
+	const char *pslotdes, const char *fslotdes, const char *fpslotdes,
+        int minPwd, int pwRequired);
+
+/*
+ * Dump the contents of the certificate cache and the temporary cert store.
+ * Use to detect leaked references of certs at shutdown time.
+ */
+void nss_DumpCertificateCacheInfo(void);
+
+SEC_END_PROTOS
+
+#endif /* __nss_h_ */
diff --git a/security/nss/lib/nss/nss.rc b/security/nss/lib/nss/nss.rc
new file mode 100644
index 000000000..7eb93b8bb
--- /dev/null
+++ b/security/nss/lib/nss/nss.rc
@@ -0,0 +1,98 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 2001 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "nss.h"
+#include <winver.h>
+
+#define MY_LIBNAME "nss"
+#define MY_FILEDESCRIPTION "NSS Base Library"
+
+#define STRINGIZE(x) #x
+#define STRINGIZE2(x) STRINGIZE(x)
+#define NSS_VMAJOR_STR STRINGIZE2(NSS_VMAJOR)
+
+#ifdef _DEBUG
+#define MY_DEBUG_STR " (debug)"
+#define MY_FILEFLAGS_1 VS_FF_DEBUG
+#else
+#define MY_DEBUG_STR ""
+#define MY_FILEFLAGS_1 0x0L
+#endif
+#if NSS_BETA
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
+#else
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
+#endif
+
+#ifdef WINNT
+#define MY_FILEOS VOS_NT_WINDOWS32
+#else
+#define MY_FILEOS VOS__WINDOWS32
+#endif
+
+#define MY_INTERNAL_NAME MY_LIBNAME NSS_VMAJOR_STR
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version-information resource
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
+ PRODUCTVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
+ FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
+ FILEFLAGS MY_FILEFLAGS_2
+ FILEOS MY_FILEOS
+ FILETYPE VFT_DLL
+ FILESUBTYPE 0x0L // not used
+
+BEGIN
+    BLOCK "StringFileInfo"
+    BEGIN
+        BLOCK "040904B0" // Lang=US English, CharSet=Unicode
+        BEGIN
+            VALUE "CompanyName", "Netscape Communications Corporation\0"
+            VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
+            VALUE "FileVersion", NSS_VERSION "\0"
+            VALUE "InternalName", MY_INTERNAL_NAME "\0"
+            VALUE "LegalCopyright", "Copyright \251 1994-2001 Netscape Communications Corporation\0"
+            VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
+            VALUE "ProductName", "Network Security Services\0"
+            VALUE "ProductVersion", NSS_VERSION "\0"
+        END
+    END
+    BLOCK "VarFileInfo"
+    BEGIN
+        VALUE "Translation", 0x409, 1200
+    END
+END
diff --git a/security/nss/lib/nss/nssinit.c b/security/nss/lib/nss/nssinit.c
new file mode 100644
index 000000000..1389867fe
--- /dev/null
+++ b/security/nss/lib/nss/nssinit.c
@@ -0,0 +1,524 @@
+/*
+ * NSS utility functions
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ # $Id$
+ */
+
+#include <ctype.h>
+#include "seccomon.h"
+#include "prinit.h"
+#include "prprf.h"
+#include "prmem.h"
+#include "cert.h"
+#include "key.h"
+#include "ssl.h"
+#include "sslproto.h"
+#include "secmod.h"
+#include "secoid.h"
+#include "nss.h"
+#include "secrng.h"
+#include "pk11func.h"
+
+#include "pki3hack.h"
+
+#define NSS_MAX_FLAG_SIZE  sizeof("readOnly")+sizeof("noCertDB")+ \
+	sizeof("noModDB")+sizeof("forceOpen")+sizeof("passwordRequired")
+#define NSS_DEFAULT_MOD_NAME "NSS Internal Module"
+#ifdef macintosh
+#define SECMOD_DB "Security Modules"
+#else
+#define SECMOD_DB "secmod.db"
+#endif
+
+static char *
+nss_makeFlags(PRBool readOnly, PRBool noCertDB, 
+		PRBool noModDB, PRBool forceOpen, PRBool passwordRequired) 
+{
+    char *flags = (char *)PORT_Alloc(NSS_MAX_FLAG_SIZE);
+    PRBool first = PR_TRUE;
+
+    PORT_Memset(flags,0,NSS_MAX_FLAG_SIZE);
+    if (readOnly) {
+        PORT_Strcat(flags,"readOnly");
+        first = PR_FALSE;
+    }
+    if (noCertDB) {
+        if (!first) PORT_Strcat(flags,",");
+        PORT_Strcat(flags,"noCertDB");
+        first = PR_FALSE;
+    }
+    if (noModDB) {
+        if (!first) PORT_Strcat(flags,",");
+        PORT_Strcat(flags,"noModDB");
+        first = PR_FALSE;
+    }
+    if (forceOpen) {
+        if (!first) PORT_Strcat(flags,",");
+        PORT_Strcat(flags,"forceOpen");
+        first = PR_FALSE;
+    }
+    if (passwordRequired) {
+        if (!first) PORT_Strcat(flags,",");
+        PORT_Strcat(flags,"passwordRequired");
+        first = PR_FALSE;
+    }
+    return flags;
+}
+
+/*
+ * statics to remember the PKCS11_ConfigurePKCS11()
+ * info.
+ */
+static char * pk11_config_strings = NULL;
+static char * pk11_config_name = NULL;
+static PRBool pk11_password_required = PR_FALSE;
+
+/*
+ * this is a legacy configuration function which used to be part of
+ * the PKCS #11 internal token.
+ */
+void
+PK11_ConfigurePKCS11(const char *man, const char *libdes, const char *tokdes,
+	const char *ptokdes, const char *slotdes, const char *pslotdes, 
+	const char *fslotdes, const char *fpslotdes, int minPwd, int pwRequired)
+{
+   char *strings = NULL;
+   char *newStrings;
+
+   /* make sure the internationalization was done correctly... */
+   strings = PR_smprintf("");
+   if (strings == NULL) return;
+
+    if (man) {
+        newStrings = PR_smprintf("%s manufacturerID='%s'",strings,man);
+	PR_smprintf_free(strings);
+	strings = newStrings;
+    }
+   if (strings == NULL) return;
+
+    if (libdes) {
+        newStrings = PR_smprintf("%s libraryDescription='%s'",strings,libdes);
+	PR_smprintf_free(strings);
+	strings = newStrings;
+	if (pk11_config_name != NULL) {
+	    PORT_Free(pk11_config_name);
+	}
+	pk11_config_name = PORT_Strdup(libdes);
+    }
+   if (strings == NULL) return;
+
+    if (tokdes) {
+        newStrings = PR_smprintf("%s cryptoTokenDescription='%s'",strings,
+								tokdes);
+	PR_smprintf_free(strings);
+	strings = newStrings;
+    }
+   if (strings == NULL) return;
+
+    if (ptokdes) {
+        newStrings = PR_smprintf("%s dbTokenDescription='%s'",strings,ptokdes);
+	PR_smprintf_free(strings);
+	strings = newStrings;
+    }
+   if (strings == NULL) return;
+
+    if (slotdes) {
+        newStrings = PR_smprintf("%s cryptoSlotDescription='%s'",strings,
+								slotdes);
+	PR_smprintf_free(strings);
+	strings = newStrings;
+    }
+   if (strings == NULL) return;
+
+    if (pslotdes) {
+        newStrings = PR_smprintf("%s dbSlotDescription='%s'",strings,pslotdes);
+	PR_smprintf_free(strings);
+	strings = newStrings;
+    }
+   if (strings == NULL) return;
+
+    if (fslotdes) {
+        newStrings = PR_smprintf("%s FIPSSlotDescription='%s'",
+							strings,fslotdes);
+	PR_smprintf_free(strings);
+	strings = newStrings;
+    }
+   if (strings == NULL) return;
+
+    if (fpslotdes) {
+        newStrings = PR_smprintf("%s FIPSTokenDescription='%s'",
+							strings,fpslotdes);
+	PR_smprintf_free(strings);
+	strings = newStrings;
+    }
+   if (strings == NULL) return;
+
+    newStrings = PR_smprintf("%s minPS=%d", strings, minPwd);
+    PR_smprintf_free(strings);
+    strings = newStrings;
+   if (strings == NULL) return;
+
+    if (pk11_config_strings != NULL) {
+	PR_smprintf_free(pk11_config_strings);
+    }
+    pk11_config_strings = strings;
+    pk11_password_required = pwRequired;
+
+    return;
+}
+
+static char *
+nss_addEscape(const char *string, char quote)
+{
+    char *newString = 0;
+    int escapes = 0, size = 0;
+    const char *src;
+    char *dest;
+
+    for (src=string; *src ; src++) {
+	if ((*src == quote) || (*src == '\\')) escapes++;
+	size++;
+    }
+
+    newString = PORT_ZAlloc(escapes+size+1); 
+    if (newString == NULL) {
+	return NULL;
+    }
+
+    for (src=string, dest=newString; *src; src++,dest++) {
+	if ((*src == '\\') || (*src == quote)) {
+	    *dest++ = '\\';
+	}
+	*dest = *src;
+    }
+
+    return newString;
+}
+
+static char *
+nss_doubleEscape(const char *string)
+{
+    char *round1 = NULL;
+    char *retValue = NULL;
+    if (string == NULL) {
+	goto done;
+    }
+    round1 = nss_addEscape(string,'\'');
+    if (round1) {
+	retValue = nss_addEscape(round1,'"');
+	PORT_Free(round1);
+    }
+
+done:
+    if (retValue == NULL) {
+	retValue = PORT_Strdup("");
+    }
+    return retValue;
+}
+
+
+#ifndef XP_MAC
+/*
+ * The following code is an attempt to automagically find the external root
+ * module. NOTE: This code should be checked out on the MAC! There must be
+ * some cross platform support out there to help out with this?
+ * Note: Keep the #if-defined chunks in order. HPUX must select before UNIX.
+ */
+
+static const char *dllname =
+#if defined(XP_WIN32) || defined(XP_OS2)
+	"nssckbi.dll";
+#elif defined(HPUX)
+	"libnssckbi.sl";
+#elif defined(DARWIN)
+	"libnssckbi.dylib";
+#elif defined(XP_UNIX) || defined(XP_BEOS)
+	"libnssckbi.so";
+#elif defined(XP_MAC)
+	"NSS Builtin Root Certs";
+#else
+	#error "Uh! Oh! I don't know about this platform."
+#endif
+
+/* Should we have platform ifdefs here??? */
+#define FILE_SEP '/'
+
+static void
+nss_FindExternalRoot(const char *dbpath)
+{
+	char *path;
+	int len, path_len;
+
+	path_len = PORT_Strlen(dbpath);
+	len = path_len + PORT_Strlen(dllname) + 2; /* FILE_SEP + NULL */
+	
+	path = PORT_Alloc(len);
+	if (path == NULL) return;
+
+	/* back up to the top of the directory */
+	PORT_Memcpy(path,dbpath,path_len);
+	if (path[path_len-1] != FILE_SEP) {
+	    path[path_len++] = FILE_SEP;
+	}
+	PORT_Strcpy(&path[path_len],dllname);
+	(void) SECMOD_AddNewModule("Root Certs",path, 0, 0);
+	PORT_Free(path);
+	return;
+}
+#endif
+
+/*
+ * OK there are now lots of options here, lets go through them all:
+ *
+ * configdir - base directory where all the cert, key, and module datbases live.
+ * certPrefix - prefix added to the beginning of the cert database example: "
+ * 			"https-server1-"
+ * keyPrefix - prefix added to the beginning of the key database example: "
+ * 			"https-server1-"
+ * secmodName - name of the security module database (usually "secmod.db").
+ * readOnly - Boolean: true if the databases are to be openned read only.
+ * nocertdb - Don't open the cert DB and key DB's, just initialize the 
+ *			Volatile certdb.
+ * nomoddb - Don't open the security module DB, just initialize the 
+ *			PKCS #11 module.
+ * forceOpen - Continue to force initializations even if the databases cannot
+ * 			be opened.
+ */
+
+static PRBool nss_IsInitted = PR_FALSE;
+
+static SECStatus
+nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
+		 const char *secmodName, PRBool readOnly, PRBool noCertDB, 
+			PRBool noModDB, PRBool forceOpen, PRBool noRootInit)
+{
+    char *moduleSpec = NULL;
+    char *flags = NULL;
+    SECStatus rv = SECFailure;
+    char *lconfigdir = NULL;
+    char *lcertPrefix = NULL;
+    char *lkeyPrefix = NULL;
+    char *lsecmodName = NULL;
+
+    if (nss_IsInitted) {
+	return SECSuccess;
+    }
+
+    flags = nss_makeFlags(readOnly,noCertDB,noModDB,forceOpen,
+						pk11_password_required);
+    if (flags == NULL) return rv;
+
+    /*
+     * configdir is double nested, and Windows uses the same character
+     * for file seps as we use for escapes! (sigh).
+     */
+    lconfigdir = nss_doubleEscape(configdir);
+    if (lconfigdir == NULL) {
+	goto loser;
+    }
+    lcertPrefix = nss_doubleEscape(certPrefix);
+    if (lcertPrefix == NULL) {
+	goto loser;
+    }
+    lkeyPrefix = nss_doubleEscape(keyPrefix);
+    if (lkeyPrefix == NULL) {
+	goto loser;
+    }
+    lsecmodName = nss_doubleEscape(secmodName);
+    if (lsecmodName == NULL) {
+	goto loser;
+    }
+
+    moduleSpec = PR_smprintf("name=\"%s\" parameters=\"configdir='%s' certPrefix='%s' keyPrefix='%s' secmod='%s' flags=%s %s\" NSS=\"flags=internal,moduleDB,moduleDBOnly,critical\"",
+		pk11_config_name ? pk11_config_name : NSS_DEFAULT_MOD_NAME,
+		lconfigdir,lcertPrefix,lkeyPrefix,lsecmodName,flags,
+		pk11_config_strings ? pk11_config_strings : "");
+
+loser:
+    PORT_Free(flags);
+    if (lconfigdir) PORT_Free(lconfigdir);
+    if (lcertPrefix) PORT_Free(lcertPrefix);
+    if (lkeyPrefix) PORT_Free(lkeyPrefix);
+    if (lsecmodName) PORT_Free(lsecmodName);
+
+    if (moduleSpec) {
+	SECMODModule *module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
+	PR_smprintf_free(moduleSpec);
+	if (module) {
+	    if (module->loaded) rv=SECSuccess;
+	    SECMOD_DestroyModule(module);
+	}
+    }
+
+    if (rv == SECSuccess) {
+	/* can this function fail?? */
+	STAN_LoadDefaultNSS3TrustDomain();
+	CERT_SetDefaultCertDB((CERTCertDBHandle *)
+				STAN_GetDefaultTrustDomain());
+#ifndef XP_MAC
+	/* only servers need this. We currently do not have a mac server */
+	if ((!noModDB) && (!noCertDB) && (!noRootInit)) {
+	    if (!SECMOD_HasRootCerts()) {
+		nss_FindExternalRoot(configdir);
+	    }
+	}
+#endif
+	nss_IsInitted = PR_TRUE;
+    }
+    return rv;
+}
+
+
+SECStatus
+NSS_Init(const char *configdir)
+{
+    return nss_Init(configdir, "", "", SECMOD_DB, PR_TRUE, 
+		PR_FALSE, PR_FALSE, PR_FALSE, PR_TRUE);
+}
+
+SECStatus
+NSS_InitReadWrite(const char *configdir)
+{
+    return nss_Init(configdir, "", "", SECMOD_DB, PR_FALSE, 
+		PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE);
+}
+
+/*
+ * OK there are now lots of options here, lets go through them all:
+ *
+ * configdir - base directory where all the cert, key, and module datbases live.
+ * certPrefix - prefix added to the beginning of the cert database example: "
+ * 			"https-server1-"
+ * keyPrefix - prefix added to the beginning of the key database example: "
+ * 			"https-server1-"
+ * secmodName - name of the security module database (usually "secmod.db").
+ * flags - change the open options of NSS_Initialize as follows:
+ * 	NSS_INIT_READONLY - Open the databases read only.
+ * 	NSS_INIT_NOCERTDB - Don't open the cert DB and key DB's, just 
+ * 			initialize the volatile certdb.
+ * 	NSS_INIT_NOMODDB  - Don't open the security module DB, just 
+ *			initialize the 	PKCS #11 module.
+ *      NSS_INIT_FORCEOPEN - Continue to force initializations even if the 
+ * 			databases cannot be opened.
+ */
+SECStatus
+NSS_Initialize(const char *configdir, const char *certPrefix, 
+	const char *keyPrefix, const char *secmodName, PRUint32 flags)
+{
+    return nss_Init(configdir, certPrefix, keyPrefix, secmodName, 
+	((flags & NSS_INIT_READONLY) == NSS_INIT_READONLY),
+	((flags & NSS_INIT_NOCERTDB) == NSS_INIT_NOCERTDB),
+	((flags & NSS_INIT_NOMODDB) == NSS_INIT_NOMODDB),
+	((flags & NSS_INIT_FORCEOPEN) == NSS_INIT_FORCEOPEN),
+	((flags & NSS_INIT_NOROOTINIT) == NSS_INIT_NOROOTINIT));
+}
+
+/*
+ * initialize NSS without a creating cert db's, key db's, or secmod db's.
+ */
+SECStatus
+NSS_NoDB_Init(const char * configdir)
+{
+      return nss_Init(configdir?configdir:"","","",SECMOD_DB,
+				PR_TRUE,PR_TRUE,PR_TRUE,PR_TRUE,PR_TRUE);
+}
+
+void
+NSS_Shutdown(void)
+{
+    SECOID_Shutdown();
+    SECMOD_Shutdown();
+    STAN_Shutdown();
+    nss_IsInitted = PR_FALSE;
+}
+
+
+
+extern const char __nss_base_rcsid[];
+extern const char __nss_base_sccsid[];
+
+PRBool
+NSS_VersionCheck(const char *importedVersion)
+{
+    /*
+     * This is the secret handshake algorithm.
+     *
+     * This release has a simple version compatibility
+     * check algorithm.  This release is not backward
+     * compatible with previous major releases.  It is
+     * not compatible with future major, minor, or
+     * patch releases.
+     */
+    int vmajor = 0, vminor = 0, vpatch = 0;
+    const char *ptr = importedVersion;
+    volatile char c; /* force a reference that won't get optimized away */
+
+    c = __nss_base_rcsid[0] + __nss_base_sccsid[0]; 
+
+    while (isdigit(*ptr)) {
+        vmajor = 10 * vmajor + *ptr - '0';
+        ptr++;
+    }
+    if (*ptr == '.') {
+        ptr++;
+        while (isdigit(*ptr)) {
+            vminor = 10 * vminor + *ptr - '0';
+            ptr++;
+        }
+        if (*ptr == '.') {
+            ptr++;
+            while (isdigit(*ptr)) {
+                vpatch = 10 * vpatch + *ptr - '0';
+                ptr++;
+            }
+        }
+    }
+
+    if (vmajor != NSS_VMAJOR) {
+        return PR_FALSE;
+    }
+    if (vmajor == NSS_VMAJOR && vminor > NSS_VMINOR) {
+        return PR_FALSE;
+    }
+    if (vmajor == NSS_VMAJOR && vminor == NSS_VMINOR && vpatch > NSS_VPATCH) {
+        return PR_FALSE;
+    }
+    /* Check dependent libraries */
+    if (PR_VersionCheck(PR_VERSION) == PR_FALSE) {
+        return PR_FALSE;
+    }
+    return PR_TRUE;
+}
+
+
diff --git a/security/nss/lib/nss/nssrenam.h b/security/nss/lib/nss/nssrenam.h
new file mode 100644
index 000000000..7791173f5
--- /dev/null
+++ b/security/nss/lib/nss/nssrenam.h
@@ -0,0 +1,49 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 2001 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef __nssrenam_h_
+#define __nssrenam_h_
+
+#define CERT_NewTempCertificate __CERT_NewTempCertificate
+#define PK11_CreateContextByRawKey __PK11_CreateContextByRawKey
+#define PK11_GetKeyData __PK11_GetKeyData
+#define nss_InitLock __nss_InitLock
+#define CERT_ClosePermCertDB __CERT_ClosePermCertDB
+#define CERT_DecodeDERCertificate __CERT_DecodeDERCertificate
+#define CERT_TraversePermCertsForNickname __CERT_TraversePermCertsForNickname
+#define CERT_TraversePermCertsForSubject __CERT_TraversePermCertsForSubject
+#define PBE_CreateContext __PBE_CreateContext
+#define PBE_DestroyContext __PBE_DestroyContext
+#define PBE_GenerateBits __PBE_GenerateBits
+
+#endif /* __nssrenam_h_ */
diff --git a/security/nss/lib/nss/nssver.c b/security/nss/lib/nss/nssver.c
new file mode 100644
index 000000000..463a77b6b
--- /dev/null
+++ b/security/nss/lib/nss/nssver.c
@@ -0,0 +1,53 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 2001 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/* Library identity and versioning */
+
+#include "nss.h"
+
+#if defined(DEBUG)
+#define _DEBUG_STRING " (debug)"
+#else
+#define _DEBUG_STRING ""
+#endif
+
+/*
+ * Version information for the 'ident' and 'what commands
+ *
+ * NOTE: the first component of the concatenated rcsid string
+ * must not end in a '$' to prevent rcs keyword substitution.
+ */
+const char __nss_base_rcsid[] = "$Header: NSS " NSS_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__ " $";
+const char __nss_base_sccsid[] = "@(#)NSS " NSS_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__;
diff --git a/security/nss/lib/pk11wrap/Makefile b/security/nss/lib/pk11wrap/Makefile
new file mode 100644
index 000000000..a84456e7d
--- /dev/null
+++ b/security/nss/lib/pk11wrap/Makefile
@@ -0,0 +1,88 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+-include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
+# On AIX 4.3, IBM xlC_r compiler (version 3.6.6) cannot compile
+# pk11slot.c in 64-bit mode for unknown reasons.  A workaround is
+# to compile it with optimizations turned on.  (Bugzilla bug #63815)
+ifeq ($(OS_TARGET)$(OS_RELEASE),AIX4.3)
+ifeq ($(USE_64),1)
+ifndef BUILD_OPT
+$(OBJDIR)/pk11slot.o: pk11slot.c
+	@$(MAKE_OBJDIR)
+	$(CC) -o $@ -c -O2 $(CFLAGS) $<
+endif
+endif
+endif
diff --git a/security/nss/lib/pk11wrap/config.mk b/security/nss/lib/pk11wrap/config.mk
new file mode 100644
index 000000000..0a00dc61e
--- /dev/null
+++ b/security/nss/lib/pk11wrap/config.mk
@@ -0,0 +1,43 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/pk11wrap/dev3hack.c b/security/nss/lib/pk11wrap/dev3hack.c
new file mode 100644
index 000000000..43a12628b
--- /dev/null
+++ b/security/nss/lib/pk11wrap/dev3hack.c
@@ -0,0 +1,236 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef NSS_3_4_CODE
+#define NSS_3_4_CODE
+#endif /* NSS_3_4_CODE */
+
+#ifndef PKIT_H
+#include "pkit.h"
+#endif /* PKIT_H */
+
+#ifndef DEVT_H
+#include "devt.h"
+#endif /* DEVT_H */
+
+#include "pki3hack.h"
+#include "dev3hack.h"
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#include "pk11func.h"
+#include "secmodti.h"
+
+NSS_IMPLEMENT nssSession *
+nssSession_ImportNSS3Session(NSSArena *arenaOpt,
+                             CK_SESSION_HANDLE session, 
+                             PZLock *lock, PRBool rw)
+{
+    nssSession *rvSession;
+    rvSession = nss_ZNEW(arenaOpt, nssSession);
+    rvSession->handle = session;
+    rvSession->lock = lock;
+    rvSession->isRW = rw;
+    return rvSession;
+}
+
+NSS_IMPLEMENT nssSession *
+nssSlot_CreateSession
+(
+  NSSSlot *slot,
+  NSSArena *arenaOpt,
+  PRBool readWrite
+)
+{
+    nssSession *rvSession;
+    rvSession = nss_ZNEW(arenaOpt, nssSession);
+    if (!rvSession) {
+	return (nssSession *)NULL;
+    }
+    if (readWrite) {
+	rvSession->handle = PK11_GetRWSession(slot->pk11slot);
+	if (rvSession->handle == CK_INVALID_HANDLE) {
+	    nss_ZFreeIf(rvSession);
+	    return NULL;
+	}
+	rvSession->isRW = PR_TRUE;
+	rvSession->slot = slot;
+	return rvSession;
+    } else {
+	return NULL;
+    }
+}
+
+NSS_IMPLEMENT PRStatus
+nssSession_Destroy
+(
+  nssSession *s
+)
+{
+    CK_RV ckrv = CKR_OK;
+    if (s) {
+	if (s->isRW) {
+	    PK11_RestoreROSession(s->slot->pk11slot, s->handle);
+	}
+	nss_ZFreeIf(s);
+    }
+    return (ckrv == CKR_OK) ? PR_SUCCESS : PR_FAILURE;
+}
+
+static NSSSlot *
+nssSlot_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot)
+{
+    NSSSlot *rvSlot;
+    rvSlot = nss_ZNEW(td->arena, NSSSlot);
+    if (!rvSlot) {
+	return NULL;
+    }
+    rvSlot->refCount = 1;
+    rvSlot->pk11slot = nss3slot;
+    rvSlot->epv = nss3slot->functionList;
+    rvSlot->slotID = nss3slot->slotID;
+    rvSlot->trustDomain = td;
+    /* Grab the slot name from the PKCS#11 fixed-length buffer */
+    rvSlot->name = nssUTF8_Duplicate(nss3slot->slot_name,td->arena);
+    return rvSlot;
+}
+
+NSS_IMPLEMENT NSSToken *
+nssToken_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot)
+{
+    NSSToken *rvToken;
+    rvToken = nss_ZNEW(td->arena, NSSToken);
+    if (!rvToken) {
+	return NULL;
+    }
+    rvToken->refCount = 1;
+    rvToken->pk11slot = nss3slot;
+    rvToken->epv = nss3slot->functionList;
+    rvToken->defaultSession = nssSession_ImportNSS3Session(td->arena,
+                                                       nss3slot->session,
+                                                       nss3slot->sessionLock,
+                                                       nss3slot->defRWSession);
+    rvToken->trustDomain = td;
+    /* Grab the token name from the PKCS#11 fixed-length buffer */
+    rvToken->name = nssUTF8_Duplicate(nss3slot->token_name,td->arena);
+    rvToken->slot = nssSlot_CreateFromPK11SlotInfo(td, nss3slot);
+    rvToken->slot->token = rvToken;
+    rvToken->defaultSession->slot = rvToken->slot;
+    rvToken->arena = td->arena;
+    return rvToken;
+}
+
+NSS_IMPLEMENT void
+nssToken_UpdateName(NSSToken *token)
+{
+    if (!token) {
+	return;
+    }
+    token->name = nssUTF8_Duplicate(token->pk11slot->token_name,token->arena);
+}
+
+NSS_IMPLEMENT PRBool
+nssSlot_IsPermanent
+(
+  NSSSlot *slot
+)
+{
+    return slot->pk11slot->isPerm;
+}
+
+NSS_IMPLEMENT PRStatus
+nssToken_Refresh(NSSToken *token)
+{
+    PK11SlotInfo *nss3slot;
+
+    if (!token) {
+	return PR_SUCCESS;
+    }
+    nss3slot = token->pk11slot;
+    token->defaultSession = nssSession_ImportNSS3Session(token->slot->arena,
+                                                       nss3slot->session,
+                                                       nss3slot->sessionLock,
+                                                       nss3slot->defRWSession);
+    nssToken_DestroyCertList(token, PR_TRUE);
+    return nssToken_LoadCerts(token);
+}
+
+NSS_IMPLEMENT PRStatus
+nssSlot_Refresh
+(
+  NSSSlot *slot
+)
+{
+    PK11SlotInfo *nss3slot = slot->pk11slot;
+    if (PK11_InitToken(nss3slot, PR_FALSE) != SECSuccess) {
+	return PR_FAILURE;
+    }
+    return nssToken_Refresh(slot->token);
+}
+
+
+
+NSSTrustDomain *
+nssToken_GetTrustDomain(NSSToken *token)
+{
+    return token->trustDomain;
+}
+
+typedef enum {
+    nssPK11Event_DefaultSessionRO = 0,
+    nssPK11Event_DefaultSessionRW = 1
+} nssPK11Event;
+
+NSS_IMPLEMENT PRStatus
+nssToken_Nofify
+(
+  NSSToken *tok,
+  nssPK11Event event
+)
+
+{
+#ifdef notdef
+    switch (event) {
+    default:
+	return PR_FAILURE;
+    }
+#endif
+    return PR_FAILURE;
+}
+
diff --git a/security/nss/lib/pk11wrap/dev3hack.h b/security/nss/lib/pk11wrap/dev3hack.h
new file mode 100644
index 000000000..19f9bbb8b
--- /dev/null
+++ b/security/nss/lib/pk11wrap/dev3hack.h
@@ -0,0 +1,69 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef DEVNSS3HACK_H
+#define DEVNSS3HACK_H
+
+#ifdef DEBUG
+static const char DEVNSS3HACK_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#include "cert.h"
+
+PR_BEGIN_EXTERN_C
+
+NSS_EXTERN NSSToken *
+nssToken_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot);
+
+NSS_EXTERN void
+nssToken_UpdateName(NSSToken *);
+
+NSS_EXTERN PRStatus
+nssToken_Refresh(NSSToken *);
+
+NSSTrustDomain *
+nssToken_GetTrustDomain(NSSToken *token);
+
+void PK11Slot_SetNSSToken(PK11SlotInfo *sl, NSSToken *nsst);
+
+NSSToken * PK11Slot_GetNSSToken(PK11SlotInfo *sl);
+
+NSS_EXTERN PRStatus
+nssToken_LoadCerts(NSSToken *token);
+
+NSS_EXTERN void
+nssToken_UpdateTrustForCerts(NSSToken *token);
+
+PR_END_EXTERN_C
+
+#endif /* DEVNSS3HACK_H */
diff --git a/security/nss/lib/pk11wrap/manifest.mn b/security/nss/lib/pk11wrap/manifest.mn
new file mode 100644
index 000000000..9d39d9b75
--- /dev/null
+++ b/security/nss/lib/pk11wrap/manifest.mn
@@ -0,0 +1,70 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CORE_DEPTH = ../../..
+
+EXPORTS = \
+	secmod.h \
+	secmodt.h \
+	secpkcs5.h \
+	pk11func.h \
+	pk11sdr.h \
+	pk11pqg.h \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	pk11init.h \
+	dev3hack.h \
+	$(NULL)
+
+MODULE = security
+
+CSRCS = \
+	dev3hack.c \
+	pk11cert.c \
+	pk11err.c  \
+	pk11load.c \
+	pk11pars.c \
+	pk11slot.c \
+	pk11list.c \
+	pk11skey.c \
+	pk11kea.c \
+	pk11util.c \
+	pk11sdr.c \
+	pk11pqg.c \
+	pk11pk12.c \
+	pk11pbe.c \
+	$(NULL)
+
+REQUIRES = security dbm
+
+LIBRARY_NAME = pk11wrap
diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c
new file mode 100644
index 000000000..9611ff06f
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -0,0 +1,4009 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * This file implements the Symkey wrapper and the PKCS context
+ * Interfaces.
+ */
+#include "seccomon.h"
+#include "secmod.h"
+#include "nssilock.h"
+#include "secmodi.h"
+#include "pkcs11.h"
+#include "pk11func.h"
+#include "cert.h"
+#include "secitem.h"
+#include "key.h"
+#include "hasht.h"
+#include "secoid.h"
+#include "pkcs7t.h"
+#include "cmsreclist.h"
+
+#include "certdb.h"
+#include "secerr.h"
+#include "sslerr.h"
+
+#ifndef NSS_3_4_CODE
+#define NSS_3_4_CODE
+#endif /* NSS_3_4_CODE */
+#include "pki3hack.h"
+#include "dev3hack.h"
+
+#include "dev.h" 
+#include "nsspki.h"
+#include "pki.h"
+#include "pkim.h"
+#include "pkitm.h"
+
+#define PK11_SEARCH_CHUNKSIZE 10
+
+CK_OBJECT_HANDLE
+pk11_FindPubKeyByAnyCert(CERTCertificate *cert, PK11SlotInfo **slot, void *wincx);
+
+struct nss3_cert_cbstr {
+    SECStatus(* callback)(CERTCertificate*, void *);
+    nssList *cached;
+    void *arg;
+};
+
+/* Translate from NSSCertificate to CERTCertificate, then pass the latter
+ * to a callback.
+ */
+static PRStatus convert_cert(NSSCertificate *c, void *arg)
+{
+    CERTCertificate *nss3cert;
+    SECStatus secrv;
+    struct nss3_cert_cbstr *nss3cb = (struct nss3_cert_cbstr *)arg;
+    nss3cert = STAN_GetCERTCertificate(c);
+    if (!nss3cert) return PR_FAILURE;
+    secrv = (*nss3cb->callback)(nss3cert, nss3cb->arg);
+    return (secrv) ? PR_FAILURE : PR_SUCCESS;
+}
+
+static PRStatus convert_and_cache_cert(NSSCertificate *c, void *arg)
+{
+    PRStatus nssrv;
+    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
+    struct nss3_cert_cbstr *nss3cb = (struct nss3_cert_cbstr *)arg;
+    NSSCertificate *cp = nssCertificate_AddRef(c);
+    /* The cert coming in has been retrieved from a token.  It was not in
+     * the cache when the search was begun.  But it may be in the cache now,
+     * and if it isn't, it will be, because it is going to be cracked into
+     * a CERTCertificate and fed into the callback.
+     */
+    nssrv = nssTrustDomain_AddCertsToCache(td, &c, 1);
+    /* This is why the hack of copying the cert was done above.  The pointer
+     * c passed to this function is provided by retrieve_cert.  That function
+     * will destroy the pointer once this function returns.  Since c is a local
+     * copy, there is no way to notify retrieve_cert if it has changed.  That
+     * would happen if the above call to add it to the cache found the cert
+     * already there.  In that case, the pointer c passed to the callback
+     * below will be the cached cert, and the pointer c that retrieve_cert
+     * has will be the same as the copy made above.  Thus, retrieve_cert will
+     * destroy the reference to the copy, the callback will use the reference
+     * to the cached entry, and everyone should be happy.
+     */
+    nssrv = convert_cert(c, arg);
+    /* This function owns a reference to the cert, either from the AddRef
+     * or by getting it from the cache.
+     */
+    CERT_DestroyCertificate(STAN_GetCERTCertificate(c));
+    return nssrv;
+}
+
+/* this is redeclared from trustdomain.c, but this code is just 3.4 glue
+ * anyway
+ */
+static void cert_destructor(void *el)
+{
+    NSSCertificate *c = (NSSCertificate *)el;
+    CERTCertificate *cert = STAN_GetCERTCertificate(c);
+    /* It's already been obtained as a CERTCertificate, so it must
+     * be destroyed as one
+     */
+    CERT_DestroyCertificate(cert);
+}
+
+void
+PK11Slot_SetNSSToken(PK11SlotInfo *sl, NSSToken *nsst) 
+{
+    sl->nssToken = nsst;
+}
+
+NSSToken *
+PK11Slot_GetNSSToken(PK11SlotInfo *sl) 
+{
+    return sl->nssToken;
+}
+
+/*
+ * build a cert nickname based on the token name and the label of the 
+ * certificate If the label in NULL, build a label based on the ID.
+ */
+static int toHex(int x) { return (x < 10) ? (x+'0') : (x+'a'-10); }
+#define MAX_CERT_ID 4
+#define DEFAULT_STRING "Cert ID "
+static char *
+pk11_buildNickname(PK11SlotInfo *slot,CK_ATTRIBUTE *cert_label,
+			CK_ATTRIBUTE *key_label, CK_ATTRIBUTE *cert_id)
+{
+    int prefixLen = PORT_Strlen(slot->token_name);
+    int suffixLen = 0;
+    char *suffix = NULL;
+    char buildNew[sizeof(DEFAULT_STRING)+MAX_CERT_ID*2];
+    char *next,*nickname;
+
+    if (cert_label && (cert_label->ulValueLen)) {
+	suffixLen = cert_label->ulValueLen;
+	suffix = (char*)cert_label->pValue;
+    } else if (key_label && (key_label->ulValueLen)) {
+	suffixLen = key_label->ulValueLen;
+	suffix = (char*)key_label->pValue;
+    } else if (cert_id && cert_id->ulValueLen > 0) {
+	int i,first = cert_id->ulValueLen - MAX_CERT_ID;
+	int offset = sizeof(DEFAULT_STRING);
+	char *idValue = (char *)cert_id->pValue;
+
+	PORT_Memcpy(buildNew,DEFAULT_STRING,sizeof(DEFAULT_STRING)-1);
+	next = buildNew + offset;
+	if (first < 0) first = 0;
+	for (i=first; i < (int) cert_id->ulValueLen; i++) {
+		*next++ = toHex((idValue[i] >> 4) & 0xf);
+		*next++ = toHex(idValue[i] & 0xf);
+	}
+	*next++ = 0;
+	suffix = buildNew;
+	suffixLen = PORT_Strlen(buildNew);
+    } else {
+	PORT_SetError( SEC_ERROR_LIBRARY_FAILURE );
+	return NULL;
+    }
+
+    /* if is internal key slot, add code to skip the prefix!! */
+    next = nickname = (char *)PORT_Alloc(prefixLen+1+suffixLen+1);
+    if (nickname == NULL) return NULL;
+
+    PORT_Memcpy(next,slot->token_name,prefixLen);
+    next += prefixLen;
+    *next++ = ':';
+    PORT_Memcpy(next,suffix,suffixLen);
+    next += suffixLen;
+    *next++ = 0;
+    return nickname;
+}
+
+/*
+ * return the object handle that matches the template
+ */
+CK_OBJECT_HANDLE
+pk11_FindObjectByTemplate(PK11SlotInfo *slot,CK_ATTRIBUTE *theTemplate,int tsize)
+{
+    CK_OBJECT_HANDLE object;
+    CK_RV crv;
+    CK_ULONG objectCount;
+
+    /*
+     * issue the find
+     */
+    PK11_EnterSlotMonitor(slot);
+    crv=PK11_GETTAB(slot)->C_FindObjectsInit(slot->session, theTemplate, tsize);
+    if (crv != CKR_OK) {
+        PK11_ExitSlotMonitor(slot);
+	PORT_SetError( PK11_MapError(crv) );
+	return CK_INVALID_HANDLE;
+    }
+
+    crv=PK11_GETTAB(slot)->C_FindObjects(slot->session,&object,1,&objectCount);
+    PK11_GETTAB(slot)->C_FindObjectsFinal(slot->session);
+    PK11_ExitSlotMonitor(slot);
+    if ((crv != CKR_OK) || (objectCount < 1)) {
+	/* shouldn't use SSL_ERROR... here */
+	PORT_SetError( crv != CKR_OK ? PK11_MapError(crv) :
+						  SSL_ERROR_NO_CERTIFICATE);
+	return CK_INVALID_HANDLE;
+    }
+
+    /* blow up if the PKCS #11 module returns us and invalid object handle */
+    PORT_Assert(object != CK_INVALID_HANDLE);
+    return object;
+} 
+
+/*
+ * return all the object handles that matches the template
+ */
+CK_OBJECT_HANDLE *
+pk11_FindObjectsByTemplate(PK11SlotInfo *slot,
+		CK_ATTRIBUTE *findTemplate,int findCount,int *object_count) {
+    CK_OBJECT_HANDLE *objID = NULL;
+    CK_ULONG returned_count = 0;
+    CK_RV crv;
+
+
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_FindObjectsInit(slot->session, findTemplate, 
+								findCount);
+    if (crv != CKR_OK) {
+	PK11_ExitSlotMonitor(slot);
+	PORT_SetError( PK11_MapError(crv) );
+	*object_count = -1;
+	return NULL;
+    }
+
+
+    /*
+     * collect all the Matching Objects
+     */
+    do {
+	CK_OBJECT_HANDLE *oldObjID = objID;
+
+	if (objID == NULL) {
+    	    objID = (CK_OBJECT_HANDLE *) PORT_Alloc(sizeof(CK_OBJECT_HANDLE)*
+				(*object_count+ PK11_SEARCH_CHUNKSIZE));
+	} else {
+    	    objID = (CK_OBJECT_HANDLE *) PORT_Realloc(objID,
+		sizeof(CK_OBJECT_HANDLE)*(*object_count+PK11_SEARCH_CHUNKSIZE));
+	}
+
+	if (objID == NULL) {
+	    if (oldObjID) PORT_Free(oldObjID);
+	    break;
+	}
+    	crv = PK11_GETTAB(slot)->C_FindObjects(slot->session,
+		&objID[*object_count],PK11_SEARCH_CHUNKSIZE,&returned_count);
+	if (crv != CKR_OK) {
+	    PORT_SetError( PK11_MapError(crv) );
+	    PORT_Free(objID);
+	    objID = NULL;
+	    break;
+    	}
+	*object_count += returned_count;
+    } while (returned_count == PK11_SEARCH_CHUNKSIZE);
+
+    PK11_GETTAB(slot)->C_FindObjectsFinal(slot->session);
+    PK11_ExitSlotMonitor(slot);
+
+    if (objID && (*object_count == 0)) {
+	PORT_Free(objID);
+	return NULL;
+    }
+    if (objID == NULL) *object_count = -1;
+    return objID;
+}
+/*
+ * given a PKCS #11 object, match it's peer based on the KeyID. searchID
+ * is typically a privateKey or a certificate while the peer is the opposite
+ */
+CK_OBJECT_HANDLE
+PK11_MatchItem(PK11SlotInfo *slot, CK_OBJECT_HANDLE searchID,
+				 		CK_OBJECT_CLASS matchclass)
+{
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_ID, NULL, 0 },
+	{ CKA_CLASS, NULL, 0 }
+    };
+    /* if you change the array, change the variable below as well */
+    CK_ATTRIBUTE *keyclass = &theTemplate[1];
+    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+    /* if you change the array, change the variable below as well */
+    CK_OBJECT_HANDLE peerID;
+    CK_OBJECT_HANDLE parent;
+    PRArenaPool *arena;
+    CK_RV crv;
+
+    /* now we need to create space for the public key */
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) return CK_INVALID_HANDLE;
+
+    crv = PK11_GetAttributes(arena,slot,searchID,theTemplate,tsize);
+    if (crv != CKR_OK) {
+	PORT_FreeArena(arena,PR_FALSE);
+	PORT_SetError( PK11_MapError(crv) );
+	return CK_INVALID_HANDLE;
+    }
+
+    /*
+     * issue the find
+     */
+    parent = *(CK_OBJECT_CLASS *)(keyclass->pValue);
+    *(CK_OBJECT_CLASS *)(keyclass->pValue) = matchclass;
+
+    peerID = pk11_FindObjectByTemplate(slot,theTemplate,tsize);
+    PORT_FreeArena(arena,PR_FALSE);
+
+    return peerID;
+}
+
+PRBool
+PK11_IsUserCert(PK11SlotInfo *slot, CERTCertificate *cert,
+						CK_OBJECT_HANDLE certID)
+{
+    CK_OBJECT_CLASS theClass;
+
+    if (slot == NULL) return PR_FALSE;
+    if (cert == NULL) return PR_FALSE;
+
+    theClass = CKO_PRIVATE_KEY;
+    if (!PK11_IsLoggedIn(slot,NULL) && PK11_NeedLogin(slot)) {
+	theClass = CKO_PUBLIC_KEY;
+    }
+    if (PK11_MatchItem(slot, certID , theClass) != CK_INVALID_HANDLE) {
+	return PR_TRUE;
+    }
+
+   if (theClass == CKO_PUBLIC_KEY) {
+	SECKEYPublicKey *pubKey= CERT_ExtractPublicKey(cert);
+	CK_ATTRIBUTE theTemplate;
+
+	if (pubKey == NULL) {
+	   return PR_FALSE;
+	}
+
+	PK11_SETATTRS(&theTemplate,0,NULL,0);
+	switch (pubKey->keyType) {
+	case rsaKey:
+	    PK11_SETATTRS(&theTemplate,CKA_MODULUS, pubKey->u.rsa.modulus.data,
+						pubKey->u.rsa.modulus.len);
+	    break;
+	case dsaKey:
+	    PK11_SETATTRS(&theTemplate,CKA_VALUE, pubKey->u.dsa.publicValue.data,
+						pubKey->u.dsa.publicValue.len);
+	case dhKey:
+	    PK11_SETATTRS(&theTemplate,CKA_VALUE, pubKey->u.dh.publicValue.data,
+						pubKey->u.dh.publicValue.len);
+	    break;
+	case keaKey:
+	case fortezzaKey:
+	case nullKey:
+	    /* fall through and return false */
+	    break;
+	}
+
+	if (theTemplate.ulValueLen == 0) {
+	    SECKEY_DestroyPublicKey(pubKey);
+	    return PR_FALSE;
+	}
+	pk11_SignedToUnsigned(&theTemplate);
+	if (pk11_FindObjectByTemplate(slot,&theTemplate,1) != CK_INVALID_HANDLE) {
+	    SECKEY_DestroyPublicKey(pubKey);
+	    return PR_TRUE;
+	}
+	SECKEY_DestroyPublicKey(pubKey);
+    }
+    return PR_FALSE;
+}
+
+/*
+ * Check out if a cert has ID of zero. This is a magic ID that tells
+ * NSS that this cert may be an automagically trusted cert.
+ * The Cert has to be self signed as well. That check is done elsewhere.
+ *  
+ */
+PRBool
+pk11_isID0(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID)
+{
+    CK_ATTRIBUTE keyID = {CKA_ID, NULL, 0};
+    PRBool isZero = PR_FALSE;
+    int i;
+    CK_RV crv;
+
+
+    crv = PK11_GetAttributes(NULL,slot,certID,&keyID,1);
+    if (crv != CKR_OK) {
+	return isZero;
+    }
+
+    if (keyID.ulValueLen != 0) {
+	char *value = (char *)keyID.pValue;
+	isZero = PR_TRUE; /* ID exists, may be zero */
+	for (i=0; i < (int) keyID.ulValueLen; i++) {
+	    if (value[i] != 0) {
+		isZero = PR_FALSE; /* nope */
+		break;
+	    }
+	}
+    }
+    PORT_Free(keyID.pValue);
+    return isZero;
+
+}
+     
+CERTCertificate
+*pk11_fastCert(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID, 
+			CK_ATTRIBUTE *privateLabel, char **nickptr)
+{
+    CK_ATTRIBUTE certTemp[] = {
+	{ CKA_ID, NULL, 0 },
+	{ CKA_VALUE, NULL, 0 },
+	{ CKA_LABEL, NULL, 0 }
+    };
+    CK_ATTRIBUTE *id = &certTemp[0];
+    CK_ATTRIBUTE *certDER = &certTemp[1];
+    CK_ATTRIBUTE *label = &certTemp[2];
+    SECItem derCert;
+    int csize = sizeof(certTemp)/sizeof(certTemp[0]);
+    PRArenaPool *arena;
+    char *nickname;
+    CERTCertificate *cert;
+    CK_RV crv;
+
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) return NULL;
+    /*
+     * grab the der encoding
+     */
+    crv = PK11_GetAttributes(arena,slot,certID,certTemp,csize);
+    if (crv != CKR_OK) {
+	PORT_FreeArena(arena,PR_FALSE);
+	PORT_SetError( PK11_MapError(crv) );
+	return NULL;
+    }
+
+    /*
+     * build a certificate out of it
+     */
+    derCert.data = (unsigned char*)certDER->pValue;
+    derCert.len = certDER->ulValueLen;
+
+    /* figure out the nickname.... */
+    nickname = pk11_buildNickname(slot,label,privateLabel,id);
+    cert = CERT_DecodeDERCertificate(&derCert, PR_TRUE, nickname);
+    if (cert) {
+	cert->dbhandle = (CERTCertDBHandle *)
+			nssToken_GetTrustDomain(slot->nssToken);
+    }
+	
+    if (nickptr) {
+	*nickptr = nickname;
+    } else {
+	if (nickname) PORT_Free(nickname);
+    }
+    PORT_FreeArena(arena,PR_FALSE);
+    return cert;
+}
+
+CK_TRUST
+pk11_GetTrustField(PK11SlotInfo *slot, PRArenaPool *arena, 
+                   CK_OBJECT_HANDLE id, CK_ATTRIBUTE_TYPE type)
+{
+  CK_TRUST rv = 0;
+  SECItem item;
+
+  item.data = NULL;
+  item.len = 0;
+
+  if( SECSuccess == PK11_ReadAttribute(slot, id, type, arena, &item) ) {
+    PORT_Assert(item.len == sizeof(CK_TRUST));
+    PORT_Memcpy(&rv, item.data, sizeof(CK_TRUST));
+    /* Damn, is there an endian problem here? */
+    return rv;
+  }
+
+  return 0;
+}
+
+PRBool
+pk11_HandleTrustObject(PK11SlotInfo *slot, CERTCertificate *cert, CERTCertTrust *trust)
+{
+  PRArenaPool *arena;
+
+  CK_ATTRIBUTE tobjTemplate[] = {
+    { CKA_CLASS, NULL, 0 },
+    { CKA_CERT_SHA1_HASH, NULL, 0 },
+  };
+
+  CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
+  CK_OBJECT_HANDLE tobjID;
+  unsigned char sha1_hash[SHA1_LENGTH];
+
+  CK_TRUST serverAuth, codeSigning, emailProtection, clientAuth;
+
+  PK11_HashBuf(SEC_OID_SHA1, sha1_hash, cert->derCert.data, cert->derCert.len);
+
+  PK11_SETATTRS(&tobjTemplate[0], CKA_CLASS, &tobjc, sizeof(tobjc));
+  PK11_SETATTRS(&tobjTemplate[1], CKA_CERT_SHA1_HASH, sha1_hash, 
+                SHA1_LENGTH);
+
+  tobjID = pk11_FindObjectByTemplate(slot, tobjTemplate, 
+                                     sizeof(tobjTemplate)/sizeof(tobjTemplate[0]));
+  if( CK_INVALID_HANDLE == tobjID ) {
+    return PR_FALSE;
+  }
+
+  arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+  if( NULL == arena ) return PR_FALSE;
+
+  /* Unfortunately, it seems that PK11_GetAttributes doesn't deal
+   * well with nonexistant attributes.  I guess we have to check 
+   * the trust info fields one at a time.
+   */
+
+  /* We could verify CKA_CERT_HASH here */
+
+  /* We could verify CKA_EXPIRES here */
+
+
+  /* "Purpose" trust information */
+  serverAuth = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_SERVER_AUTH);
+  clientAuth = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_CLIENT_AUTH);
+  codeSigning = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_CODE_SIGNING);
+  emailProtection = pk11_GetTrustField(slot, arena, tobjID, 
+						CKA_TRUST_EMAIL_PROTECTION);
+  /* Here's where the fun logic happens.  We have to map back from the 
+   * key usage, extended key usage, purpose, and possibly other trust values 
+   * into the old trust-flags bits.  */
+
+  /* First implementation: keep it simple for testing.  We can study what other
+   * mappings would be appropriate and add them later.. fgmr 20000724 */
+
+  if ( serverAuth ==  CKT_NETSCAPE_TRUSTED ) {
+    trust->sslFlags |= CERTDB_VALID_PEER | CERTDB_TRUSTED;
+  }
+
+  if ( serverAuth == CKT_NETSCAPE_TRUSTED_DELEGATOR ) {
+    trust->sslFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | 
+							CERTDB_NS_TRUSTED_CA;
+  }
+  if ( clientAuth == CKT_NETSCAPE_TRUSTED_DELEGATOR ) {
+    trust->sslFlags |=  CERTDB_TRUSTED_CLIENT_CA ;
+  }
+
+  if ( emailProtection == CKT_NETSCAPE_TRUSTED ) {
+    trust->emailFlags |= CERTDB_VALID_PEER | CERTDB_TRUSTED;
+  }
+
+  if ( emailProtection == CKT_NETSCAPE_TRUSTED_DELEGATOR ) {
+    trust->emailFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA;
+  }
+
+  if( codeSigning == CKT_NETSCAPE_TRUSTED ) {
+    trust->objectSigningFlags |= CERTDB_VALID_PEER | CERTDB_TRUSTED;
+  }
+
+  if( codeSigning == CKT_NETSCAPE_TRUSTED_DELEGATOR ) {
+    trust->objectSigningFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA;
+  }
+
+  /* There's certainly a lot more logic that can go here.. */
+
+  PORT_FreeArena(arena, PR_FALSE);
+
+  return PR_TRUE;
+}
+
+/*
+ * Build an CERTCertificate structure from a PKCS#11 object ID.... certID
+ * Must be a CertObject. This code does not explicitly checks that.
+ */
+CERTCertificate *
+PK11_MakeCertFromHandle(PK11SlotInfo *slot,CK_OBJECT_HANDLE certID,
+						CK_ATTRIBUTE *privateLabel)
+{
+    char * nickname = NULL;
+    CERTCertificate *cert = NULL;
+    CERTCertTrust *trust;
+    PRBool isFortezzaRootCA = PR_FALSE;
+    PRBool swapNickname = PR_FALSE;
+
+    cert = pk11_fastCert(slot,certID,privateLabel, &nickname);
+    if (cert == NULL) goto loser;
+	
+    if (nickname) {
+	if (cert->nickname != NULL) {
+		cert->dbnickname = cert->nickname;
+	} 
+	cert->nickname = PORT_ArenaStrdup(cert->arena,nickname);
+	PORT_Free(nickname);
+	nickname = NULL;
+	swapNickname = PR_TRUE;
+    }
+
+    /* remember where this cert came from.... If we have just looked
+     * it up from the database and it already has a slot, don't add a new
+     * one. */
+    if (cert->slot == NULL) {
+	cert->slot = PK11_ReferenceSlot(slot);
+	cert->pkcs11ID = certID;
+	cert->ownSlot = PR_TRUE;
+    }
+
+    trust = (CERTCertTrust*)PORT_ArenaAlloc(cert->arena, sizeof(CERTCertTrust));
+    if (trust == NULL) goto loser;
+    PORT_Memset(trust,0, sizeof(CERTCertTrust));
+    cert->trust = trust;
+
+    
+
+    if(! pk11_HandleTrustObject(slot, cert, trust) ) {
+	unsigned int type;
+
+	/* build some cert trust flags */
+	if (CERT_IsCACert(cert, &type)) {
+	    unsigned int trustflags = CERTDB_VALID_CA;
+	   
+	    /* Allow PKCS #11 modules to give us trusted CA's. We only accept
+	     * valid CA's which are self-signed here. They must have an object
+	     * ID of '0'.  */ 
+	    if (pk11_isID0(slot,certID) && 
+		SECITEM_CompareItem(&cert->derSubject,&cert->derIssuer)
+							   == SECEqual) {
+		trustflags |= CERTDB_TRUSTED_CA;
+		/* is the slot a fortezza card? allow the user or
+		 * admin to turn on objectSigning, but don't turn
+		 * full trust on explicitly */
+		if (PK11_DoesMechanism(slot,CKM_KEA_KEY_DERIVE)) {
+		    trust->objectSigningFlags |= CERTDB_VALID_CA;
+		    isFortezzaRootCA = PR_TRUE;
+		}
+	    }
+	    if ((type & NS_CERT_TYPE_SSL_CA) == NS_CERT_TYPE_SSL_CA) {
+		trust->sslFlags |= trustflags;
+	    }
+	    if ((type & NS_CERT_TYPE_EMAIL_CA) == NS_CERT_TYPE_EMAIL_CA) {
+		trust->emailFlags |= trustflags;
+	    }
+	    if ((type & NS_CERT_TYPE_OBJECT_SIGNING_CA) 
+					== NS_CERT_TYPE_OBJECT_SIGNING_CA) {
+		trust->objectSigningFlags |= trustflags;
+	    }
+	}
+    }
+
+    if (PK11_IsUserCert(slot,cert,certID)) {
+	trust->sslFlags |= CERTDB_USER;
+	trust->emailFlags |= CERTDB_USER;
+	/*    trust->objectSigningFlags |= CERTDB_USER; */
+    }
+
+    return cert;
+
+loser:
+    if (nickname) PORT_Free(nickname);
+    if (cert) CERT_DestroyCertificate(cert);
+    return NULL;
+}
+
+	
+/*
+ * Build get a certificate from a private key
+ */
+CERTCertificate *
+PK11_GetCertFromPrivateKey(SECKEYPrivateKey *privKey)
+{
+    PK11SlotInfo *slot = privKey->pkcs11Slot;
+    CK_OBJECT_HANDLE handle = privKey->pkcs11ID;
+    CK_OBJECT_HANDLE certID = 
+		PK11_MatchItem(slot,handle,CKO_CERTIFICATE);
+    CERTCertificate *cert;
+
+    if (certID == CK_INVALID_HANDLE) {
+	PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
+	return NULL;
+    }
+    cert = PK11_MakeCertFromHandle(slot,certID,NULL);
+    return (cert);
+
+}
+
+/*
+ * destroy a private key if there are no matching certs.
+ * this function also frees the privKey structure.
+ */
+SECStatus
+PK11_DeleteTokenPrivateKey(SECKEYPrivateKey *privKey, PRBool force)
+{
+    CERTCertificate *cert=PK11_GetCertFromPrivateKey(privKey);
+
+    /* found a cert matching the private key?. */
+    if (!force  && cert != NULL) {
+	/* yes, don't delete the key */
+        CERT_DestroyCertificate(cert);
+	SECKEY_DestroyPrivateKey(privKey);
+	return SECWouldBlock;
+    }
+    /* now, then it's safe for the key to go away */
+    PK11_DestroyTokenObject(privKey->pkcs11Slot,privKey->pkcs11ID);
+    SECKEY_DestroyPrivateKey(privKey);
+    return SECSuccess;
+}
+
+/*
+ * destroy a private key if there are no matching certs.
+ * this function also frees the privKey structure.
+ */
+SECStatus
+PK11_DeleteTokenPublicKey(SECKEYPublicKey *pubKey)
+{
+    /* now, then it's safe for the key to go away */
+    if (pubKey->pkcs11Slot == NULL) {
+	return SECFailure;
+    }
+    PK11_DestroyTokenObject(pubKey->pkcs11Slot,pubKey->pkcs11ID);
+    SECKEY_DestroyPublicKey(pubKey);
+    return SECSuccess;
+}
+
+
+/*
+ * delete a cert and it's private key (if no other certs are pointing to the
+ * private key.
+ */
+SECStatus
+PK11_DeleteTokenCertAndKey(CERTCertificate *cert,void *wincx)
+{
+    SECKEYPrivateKey *privKey = PK11_FindKeyByAnyCert(cert,wincx);
+    CK_OBJECT_HANDLE pubKey;
+    PK11SlotInfo *slot = NULL;
+
+    pubKey = pk11_FindPubKeyByAnyCert(cert, &slot, wincx);
+    if (privKey) {
+#ifdef NSS_CLASSIC
+    	PK11_DestroyTokenObject(cert->slot,cert->pkcs11ID);
+#else
+	/* For 3.4, utilize the generic cert delete function */
+	SEC_DeletePermCertificate(cert);
+#endif
+	PK11_DeleteTokenPrivateKey(privKey, PR_FALSE);
+    }
+    if ((pubKey != CK_INVALID_HANDLE) && (slot != NULL)) { 
+    	PK11_DestroyTokenObject(slot,pubKey);
+        PK11_FreeSlot(slot);
+    }
+    return SECSuccess;
+}
+
+/*
+ * count the number of objects that match the template.
+ */
+int
+PK11_NumberObjectsFor(PK11SlotInfo *slot, CK_ATTRIBUTE *findTemplate, 
+							int templateCount)
+{
+    CK_OBJECT_HANDLE objID[PK11_SEARCH_CHUNKSIZE];
+    int object_count = 0;
+    CK_ULONG returned_count = 0;
+    CK_RV crv;
+
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_FindObjectsInit(slot->session,
+					findTemplate, templateCount);
+    if (crv != CKR_OK) {
+        PK11_ExitSlotMonitor(slot);
+	PORT_SetError( PK11_MapError(crv) );
+	return 0;
+    }
+
+    /*
+     * collect all the Matching Objects
+     */
+    do {
+    	crv = PK11_GETTAB(slot)->C_FindObjects(slot->session,
+				objID,PK11_SEARCH_CHUNKSIZE,&returned_count);
+	if (crv != CKR_OK) {
+	    PORT_SetError( PK11_MapError(crv) );
+	    break;
+    	}
+	object_count += returned_count;
+    } while (returned_count == PK11_SEARCH_CHUNKSIZE);
+
+    PK11_GETTAB(slot)->C_FindObjectsFinal(slot->session);
+    PK11_ExitSlotMonitor(slot);
+    return object_count;
+}
+
+/*
+ * cert callback structure
+ */
+typedef struct pk11DoCertCallbackStr {
+	SECStatus(* callback)(PK11SlotInfo *slot, CERTCertificate*, void *);
+	SECStatus(* noslotcallback)(CERTCertificate*, void *);
+	SECStatus(* itemcallback)(CERTCertificate*, SECItem *, void *);
+	void *callbackArg;
+} pk11DoCertCallback;
+
+/*
+ * callback to map object handles to certificate structures.
+ */
+static SECStatus
+pk11_DoCerts(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID, void *arg)
+{
+    CERTCertificate *cert;
+    pk11DoCertCallback *certcb = (pk11DoCertCallback *) arg;
+
+    cert = PK11_MakeCertFromHandle(slot, certID, NULL);
+
+    if (cert == NULL) {
+	return SECFailure;
+    }
+
+    if (certcb ) {
+	if (certcb->callback) {
+	    (*certcb->callback)(slot, cert, certcb->callbackArg);
+	}
+	if (certcb->noslotcallback) {
+	    (*certcb->noslotcallback)(cert, certcb->callbackArg);
+	}
+	if (certcb->itemcallback) {
+	    (*certcb->itemcallback)(cert, NULL, certcb->callbackArg);
+	}
+    }
+
+    CERT_DestroyCertificate(cert);
+	    
+    return SECSuccess;
+}
+
+static SECStatus
+pk11_CollectCrls(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID, void *arg)
+{
+    SECItem derCrl;
+    CERTCrlHeadNode *head = (CERTCrlHeadNode *) arg;
+    CERTCrlNode *new_node = NULL;
+    CK_ATTRIBUTE fetchCrl[3] = {
+	 { CKA_VALUE, NULL, 0},
+	 { CKA_NETSCAPE_KRL, NULL, 0},
+	 { CKA_NETSCAPE_URL, NULL, 0},
+    };
+    const int fetchCrlSize = sizeof(fetchCrl)/sizeof(fetchCrl[2]);
+    SECStatus rv;
+
+    rv = PK11_GetAttributes(head->arena,slot,crlID,fetchCrl,fetchCrlSize);
+    if (rv == SECFailure) {
+	goto loser;
+    }
+    rv = SECFailure;
+
+    new_node = (CERTCrlNode *)PORT_ArenaAlloc(head->arena, sizeof(CERTCrlNode));
+    if (new_node == NULL) {
+        goto loser;
+    }
+
+    new_node->type =  *((CK_BBOOL *)fetchCrl[1].pValue)  ? 
+						SEC_KRL_TYPE : SEC_CRL_TYPE;
+    derCrl.data = (unsigned char *)fetchCrl[0].pValue;
+    derCrl.len = fetchCrl[0].ulValueLen;
+    new_node->crl=CERT_DecodeDERCrl(head->arena,&derCrl,new_node->type);
+
+    if (fetchCrl[2].pValue) {
+        int nnlen = fetchCrl[2].ulValueLen;
+        new_node->crl->url  = (char *)PORT_ArenaAlloc(head->arena, nnlen+1);
+        if ( !new_node->crl->url ) {
+            goto loser;
+        }
+        PORT_Memcpy(new_node->crl->url, fetchCrl[2].pValue, nnlen);
+        new_node->crl->url[nnlen] = 0;
+    } else {
+        new_node->crl->url = NULL;
+    }
+
+
+    new_node->next = NULL;
+    if (head->last) {
+        head->last->next = new_node;
+        head->last = new_node;
+    } else {
+        head->first = head->last = new_node;
+    }
+    rv = SECSuccess;
+
+loser:
+    return(rv);
+}
+
+
+/*
+ * key call back structure.
+ */
+typedef struct pk11KeyCallbackStr {
+	SECStatus (* callback)(SECKEYPrivateKey *,void *);
+	void *callbackArg;
+	void *wincx;
+} pk11KeyCallback;
+
+/*
+ * callback to map Object Handles to Private Keys;
+ */
+SECStatus
+pk11_DoKeys(PK11SlotInfo *slot, CK_OBJECT_HANDLE keyHandle, void *arg)
+{
+    SECStatus rv = SECSuccess;
+    SECKEYPrivateKey *privKey;
+    pk11KeyCallback *keycb = (pk11KeyCallback *) arg;
+
+    privKey = PK11_MakePrivKey(slot,nullKey,PR_TRUE,keyHandle,keycb->wincx);
+
+    if (privKey == NULL) {
+	return SECFailure;
+    }
+
+    if (keycb && (keycb->callback)) {
+	rv = (*keycb->callback)(privKey,keycb->callbackArg);
+    }
+
+    SECKEY_DestroyPrivateKey(privKey);	    
+    return rv;
+}
+
+/* Traverse slots callback */
+typedef struct pk11TraverseSlotStr {
+    SECStatus (*callback)(PK11SlotInfo *,CK_OBJECT_HANDLE, void *);
+    void *callbackArg;
+    CK_ATTRIBUTE *findTemplate;
+    int templateCount;
+} pk11TraverseSlot;
+
+/*
+ * Extract all the certs on a card from a slot.
+ */
+SECStatus
+PK11_TraverseSlot(PK11SlotInfo *slot, void *arg)
+{
+    int i;
+    CK_OBJECT_HANDLE *objID = NULL;
+    int object_count = 0;
+    pk11TraverseSlot *slotcb = (pk11TraverseSlot*) arg;
+
+    objID = pk11_FindObjectsByTemplate(slot,slotcb->findTemplate,
+		slotcb->templateCount,&object_count);
+
+    /*Actually this isn't a failure... there just were no objs to be found*/
+    if (object_count == 0) {
+	return SECSuccess;
+    }
+
+    if (objID == NULL) {
+	return SECFailure;
+    }
+
+    for (i=0; i < object_count; i++) {
+	(*slotcb->callback)(slot,objID[i],slotcb->callbackArg);
+    }
+    PORT_Free(objID);
+    return SECSuccess;
+}
+
+typedef struct pk11CertCallbackStr {
+	SECStatus(* callback)(CERTCertificate*,SECItem *,void *);
+	void *callbackArg;
+} pk11CertCallback;
+
+/*
+ * Extract all the certs on a card from a slot.
+ */
+static SECStatus
+pk11_TraverseAllSlots( SECStatus (*callback)(PK11SlotInfo *,void *),
+						void *arg,void *wincx) {
+    PK11SlotList *list;
+    PK11SlotListElement *le;
+    SECStatus rv;
+
+    /* get them all! */
+    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_FALSE,wincx);
+    if (list == NULL) return SECFailure;
+
+    /* look at each slot and authenticate as necessary */
+    for (le = list->head ; le; le = le->next) {
+	if (!PK11_IsFriendly(le->slot)) {
+             rv = PK11_Authenticate(le->slot, PR_FALSE, wincx);
+             if (rv != SECSuccess) continue;
+	}
+	(*callback)(le->slot,arg);
+    }
+
+    PK11_FreeSlotList(list);
+
+    return SECSuccess;
+}
+
+struct fake_der_cb_argstr
+{
+    SECStatus(* callback)(CERTCertificate*, SECItem *, void *);
+    void *arg;
+};
+
+static SECStatus fake_der_cb(CERTCertificate *c, void *a)
+{
+    struct fake_der_cb_argstr *fda = (struct fake_der_cb_argstr *)a;
+    return (*fda->callback)(c, &c->derCert, fda->arg);
+}
+
+/*
+ * Extract all the certs on a card from a slot.
+ */
+SECStatus
+PK11_TraverseSlotCerts(SECStatus(* callback)(CERTCertificate*,SECItem *,void *),
+						void *arg, void *wincx) {
+#ifdef NSS_CLASSIC
+    pk11DoCertCallback caller;
+    pk11TraverseSlot creater;
+    CK_ATTRIBUTE theTemplate;
+    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
+
+    PK11_SETATTRS(&theTemplate, CKA_CLASS, &certClass, sizeof(certClass));
+
+    caller.callback = NULL;
+    caller.noslotcallback = NULL;
+    caller.itemcallback = callback;
+    caller.callbackArg = arg;
+    creater.callback = pk11_DoCerts;
+    creater.callbackArg = (void *) & caller;
+    creater.findTemplate = &theTemplate;
+    creater.templateCount = 1;
+
+    return pk11_TraverseAllSlots(PK11_TraverseSlot, &creater, wincx);
+#else
+    NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain();
+    struct fake_der_cb_argstr fda;
+    struct nss3_cert_cbstr pk11cb;
+    fda.callback = callback;
+    fda.arg = arg;
+    pk11cb.callback = fake_der_cb;
+    pk11cb.arg = &fda;
+    NSSTrustDomain_TraverseCertificates(defaultTD, convert_cert, &pk11cb);
+    return SECSuccess;
+#endif
+}
+
+/*
+ * Extract all the certs on a card from a slot.
+ */
+SECStatus
+PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx) {
+    pk11TraverseSlot creater;
+    CK_ATTRIBUTE theTemplate[2];
+    CK_ATTRIBUTE *attrs;
+    CK_OBJECT_CLASS certClass = CKO_NETSCAPE_CRL;
+
+    attrs = theTemplate;
+    PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass)); attrs++;
+    if (type != -1) {
+	CK_BBOOL isKrl = (CK_BBOOL) (type == SEC_KRL_TYPE);
+        PK11_SETATTRS(attrs, CKA_NETSCAPE_KRL, &isKrl, sizeof(isKrl)); attrs++;
+    }
+
+    creater.callback = pk11_CollectCrls;
+    creater.callbackArg = (void *) nodes;
+    creater.findTemplate = theTemplate;
+    creater.templateCount = (attrs - theTemplate);
+
+    return pk11_TraverseAllSlots(PK11_TraverseSlot, &creater, wincx);
+}
+
+/***********************************************************************
+ * PK11_TraversePrivateKeysInSlot
+ *
+ * Traverses all the private keys on a slot.
+ *
+ * INPUTS
+ *      slot
+ *          The PKCS #11 slot whose private keys you want to traverse.
+ *      callback
+ *          A callback function that will be called for each key.
+ *      arg
+ *          An argument that will be passed to the callback function.
+ */
+SECStatus
+PK11_TraversePrivateKeysInSlot( PK11SlotInfo *slot,
+    SECStatus(* callback)(SECKEYPrivateKey*, void*), void *arg)
+{
+    pk11KeyCallback perKeyCB;
+    pk11TraverseSlot perObjectCB;
+    CK_OBJECT_CLASS privkClass = CKO_PRIVATE_KEY;
+    CK_BBOOL ckTrue = CK_TRUE;
+    CK_ATTRIBUTE theTemplate[2];
+    int templateSize = 2;
+
+    theTemplate[0].type = CKA_CLASS;
+    theTemplate[0].pValue = &privkClass;
+    theTemplate[0].ulValueLen = sizeof(privkClass);
+    theTemplate[1].type = CKA_TOKEN;
+    theTemplate[1].pValue = &ckTrue;
+    theTemplate[1].ulValueLen = sizeof(ckTrue);
+
+    if(slot==NULL) {
+        return SECSuccess;
+    }
+
+    perObjectCB.callback = pk11_DoKeys;
+    perObjectCB.callbackArg = &perKeyCB;
+    perObjectCB.findTemplate = theTemplate;
+    perObjectCB.templateCount = templateSize;
+    perKeyCB.callback = callback;
+    perKeyCB.callbackArg = arg;
+    perKeyCB.wincx = NULL;
+
+    return PK11_TraverseSlot(slot, &perObjectCB);
+}
+
+CK_OBJECT_HANDLE *
+PK11_FindObjectsFromNickname(char *nickname,PK11SlotInfo **slotptr,
+		CK_OBJECT_CLASS objclass, int *returnCount, void *wincx)
+{
+    char *tokenName;
+    char *delimit;
+    PK11SlotInfo *slot;
+    CK_OBJECT_HANDLE *objID;
+    CK_ATTRIBUTE findTemplate[] = {
+	 { CKA_LABEL, NULL, 0},
+	 { CKA_CLASS, NULL, 0},
+    };
+    int findCount = sizeof(findTemplate)/sizeof(findTemplate[0]);
+    SECStatus rv;
+    PK11_SETATTRS(&findTemplate[1], CKA_CLASS, &objclass, sizeof(objclass));
+
+    *slotptr = slot = NULL;
+    *returnCount = 0;
+    /* first find the slot associated with this nickname */
+    if ((delimit = PORT_Strchr(nickname,':')) != NULL) {
+	int len = delimit - nickname;
+	tokenName = (char*)PORT_Alloc(len+1);
+	PORT_Memcpy(tokenName,nickname,len);
+	tokenName[len] = 0;
+
+        slot = *slotptr = PK11_FindSlotByName(tokenName);
+        PORT_Free(tokenName);
+	/* if we couldn't find a slot, assume the nickname is an internal cert
+	 * with no proceding slot name */
+	if (slot == NULL) {
+		slot = *slotptr = PK11_GetInternalKeySlot();
+	} else {
+		nickname = delimit+1;
+	}
+    } else {
+	*slotptr = slot = PK11_GetInternalKeySlot();
+    }
+    if (slot == NULL) {
+        return CK_INVALID_HANDLE;
+    }
+
+    if (!PK11_IsFriendly(slot)) {
+	rv = PK11_Authenticate(slot, PR_TRUE, wincx);
+	if (rv != SECSuccess) {
+	    PK11_FreeSlot(slot);
+	    *slotptr = NULL;
+	    return CK_INVALID_HANDLE;
+	 }
+    }
+
+    findTemplate[0].pValue = nickname;
+    findTemplate[0].ulValueLen = PORT_Strlen(nickname);
+    objID = pk11_FindObjectsByTemplate(slot,findTemplate,findCount,returnCount);
+    if (objID == NULL) {
+	/* PKCS #11 isn't clear on whether or not the NULL is
+	 * stored in the template.... try the find again with the
+	 * full null terminated string. */
+    	findTemplate[0].ulValueLen += 1;
+        objID = pk11_FindObjectsByTemplate(slot,findTemplate,findCount,
+								returnCount);
+	if (objID == NULL) {
+	    /* Well that's the best we can do. It's just not here */
+	    /* what about faked nicknames? */
+	    PK11_FreeSlot(slot);
+	    *slotptr = NULL;
+	    *returnCount = 0;
+	}
+    }
+
+    return objID;
+}
+
+static PRStatus 
+get_newest_cert(NSSCertificate *c, void *arg)
+{
+    nssDecodedCert *dc, *founddc;
+    NSSCertificate **cfound = (NSSCertificate **)arg;
+    if (!*cfound) {
+	*cfound = nssCertificate_AddRef(c);
+	return PR_SUCCESS;
+    }
+    dc = nssCertificate_GetDecoding(c);
+    founddc = nssCertificate_GetDecoding(*cfound);
+    if (!founddc->isNewerThan(founddc, dc)) {
+	CERT_DestroyCertificate(STAN_GetCERTCertificate(*cfound));
+	*cfound = nssCertificate_AddRef(c);
+    }
+    return PR_SUCCESS;
+}
+
+struct token_cbstr {
+    NSSToken *token;
+    PRStatus (* callback)(NSSCertificate *c, void *arg);
+    void *cbarg;
+};
+
+/* This callback matches all certs on a given token.  It is used to filter
+ * cert lists to only those certs on a particular token.
+ */
+static PRStatus 
+token_callback(NSSCertificate *c, void *arg)
+{
+    nssListIterator *instances;
+    nssCryptokiInstance *instance;
+    PRBool isToken = PR_FALSE;
+    struct token_cbstr *token_cb = (struct token_cbstr *)arg;
+    instances = c->object.instances;
+    for (instance  = (nssCryptokiInstance *)nssListIterator_Start(instances);
+         instance != (nssCryptokiInstance *)NULL;
+         instance  = (nssCryptokiInstance *)nssListIterator_Next(instances))
+    {
+	if (instance->token == token_cb->token) {
+	    isToken = PR_TRUE;
+	    break;
+	}
+    }
+    nssListIterator_Finish(instances);
+    if (isToken) {
+	return (*token_cb->callback)(c, token_cb->cbarg);
+    } else {
+	return PR_SUCCESS;
+    }
+}
+
+/* match all token certs with a nickname */
+static nssList *
+filter_token_certs_nickname(NSSToken *token, NSSUTF8 *nickname)
+{
+    nssListIterator *certs;
+    NSSCertificate *cert;
+    PRStatus nssrv;
+    nssList *rvList;
+    certs = nssList_CreateIterator(token->certList);
+    if (!certs) return NULL;
+    rvList = nssList_Create(NULL, PR_FALSE);
+    if (!rvList) {
+	nssListIterator_Destroy(certs);
+	return NULL;
+    }
+    for (cert  = (NSSCertificate *)nssListIterator_Start(certs);
+         cert != (NSSCertificate *)NULL;
+         cert  = (NSSCertificate *)nssListIterator_Next(certs))
+    {
+	NSSUTF8 *tokenNick = NSSCertificate_GetNickname(cert, token);
+	if (!tokenNick) continue;
+	if (nssUTF8_Equal(tokenNick, nickname, &nssrv)) {
+	    nssList_Add(rvList, nssCertificate_AddRef(cert));
+	}
+    }
+    nssListIterator_Finish(certs);
+    nssListIterator_Destroy(certs);
+    if (nssList_Count(rvList) == 0) {
+	nssList_Destroy(rvList);
+	rvList = NULL;
+    }
+    return rvList;
+}
+
+/* match all token certs with an email address */
+static nssList *
+filter_token_certs_email(NSSToken *token, NSSASCII7 *email)
+{
+    nssListIterator *certs;
+    NSSCertificate *cert;
+    PRStatus nssrv;
+    nssList *rvList;
+    certs = nssList_CreateIterator(token->certList);
+    if (!certs) return NULL;
+    rvList = nssList_Create(NULL, PR_FALSE);
+    if (!rvList) {
+	nssListIterator_Destroy(certs);
+	return NULL;
+    }
+    for (cert  = (NSSCertificate *)nssListIterator_Start(certs);
+         cert != (NSSCertificate *)NULL;
+         cert  = (NSSCertificate *)nssListIterator_Next(certs))
+    {
+	if (!cert->email) continue;
+	if (nssUTF8_Equal(cert->email, email, &nssrv)) {
+	    nssList_Add(rvList, nssCertificate_AddRef(cert));
+	}
+    }
+    nssListIterator_Finish(certs);
+    nssListIterator_Destroy(certs);
+    if (nssList_Count(rvList) == 0) {
+	nssList_Destroy(rvList);
+	rvList = NULL;
+    }
+    return rvList;
+}
+
+CERTCertificate *
+PK11_FindCertFromNickname(char *nickname, void *wincx) {
+#ifdef NSS_CLASSIC
+    PK11SlotInfo *slot;
+    int count=0;
+    CK_OBJECT_HANDLE *certID = PK11_FindObjectsFromNickname(nickname,&slot,
+				 		CKO_CERTIFICATE, &count, wincx);
+    CERTCertificate *cert;
+
+    if (certID == CK_INVALID_HANDLE) return NULL;
+    cert = PK11_MakeCertFromHandle(slot,certID[0],NULL);
+    PK11_FreeSlot(slot);
+    PORT_Free(certID);
+    return cert;
+#else
+    CERTCertificate *rvCert = NULL;
+    NSSCertificate *cert = NULL;
+    NSSUsage usage;
+    NSSToken *token;
+    PK11SlotInfo *slot = NULL;
+    char *nickCopy;
+    char *delimit = NULL;
+    char *tokenName;
+    NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain();
+    usage.anyUsage = PR_TRUE;
+    nickCopy = PORT_Strdup(nickname);
+    if ((delimit = PORT_Strchr(nickCopy,':')) != NULL) {
+	tokenName = nickCopy;
+	nickname = delimit + 1;
+	*delimit = '\0';
+	/* find token by name */
+	token = NSSTrustDomain_FindTokenByName(defaultTD, (NSSUTF8 *)tokenName);
+	if (token) {
+		slot = PK11_ReferenceSlot(token->pk11slot);
+	}
+	*delimit = ':';
+    } else {
+	slot = PK11_GetInternalKeySlot();
+	token = PK11Slot_GetNSSToken(slot);
+    }
+    if (token) {
+	nssTokenCertSearch search;
+	struct token_cbstr token_cb;
+	nssList *certList;
+
+	if (!PK11_IsPresent(slot)) {
+		return NULL;
+	}
+	if (!PK11_IsFriendly(slot)) {
+	    if (PK11_Authenticate(slot, PR_TRUE, wincx) != SECSuccess) {
+		PK11_FreeSlot(slot);
+		return NULL;
+	    }
+	}
+	/* find best cert on token */
+	if (!nssToken_SearchCerts(token, NULL)) {
+	    /* token certs are in cache, filter the list of token certs to
+	     * match the nickname
+	     */
+	    certList = filter_token_certs_nickname(token, nickname);
+	    if (certList) {
+		nssCertificateList_DoCallback(certList, 
+		                              get_newest_cert, 
+		                              (void *)&cert);
+	    }
+	} else {
+	    /* find matching certs on the token */
+	    certList = nssList_Create(NULL, PR_FALSE);
+	    if (!certList) return NULL;
+	    /* first, get all matching certs from the cache */
+	    (void)nssTrustDomain_GetCertsForNicknameFromCache(defaultTD, 
+	                                                      nickname, 
+	                                                      certList);
+	    /* set the search criteria */
+	    token_cb.callback = get_newest_cert;
+	    token_cb.cbarg = (void *)&cert;
+	    token_cb.token = token;
+	    search.callback = token_callback;
+	    search.cbarg = &token_cb;
+	    search.cached = certList;
+	    search.searchType = nssTokenSearchType_TokenOnly;
+	    /* now search the token */
+	    nssToken_TraverseCertificatesByNickname(token, NULL, 
+	                                            (NSSUTF8 *)nickname,
+	                                            &search);
+	    /* filter the list of cached certs for only those on the token */
+	    nssCertificateList_DoCallback(certList, 
+	                                  token_callback, 
+	                                  &token_cb);
+	}
+	if (certList) {
+	    nssList_Clear(certList, cert_destructor);
+	    nssList_Destroy(certList);
+	}
+	/* if it wasn't found, repeat the process for email address */
+	if (!cert) {
+	    if (!nssToken_SearchCerts(token, NULL)) {
+		certList = filter_token_certs_email(token, nickname);
+		if (certList) {
+		    nssCertificateList_DoCallback(certList, 
+		                                  get_newest_cert, 
+		                                  (void *)&cert);
+		}
+	    } else {
+		certList = nssList_Create(NULL, PR_FALSE);
+		if (!certList) return NULL;
+		(void)nssTrustDomain_GetCertsForEmailAddressFromCache(
+		                                                  defaultTD, 
+	                                                          nickname, 
+	                                                          certList);
+		search.cached = certList;
+		nssToken_TraverseCertificatesByEmail(token, NULL, 
+		                                     (NSSASCII7 *)nickname,
+		                                     &search);
+		nssCertificateList_DoCallback(certList, 
+		                              token_callback,
+		                              &token_cb);
+	    }
+	    if (certList) {
+		nssList_Clear(certList, cert_destructor);
+		nssList_Destroy(certList);
+	    }
+	}
+	if (cert) {
+	    (void)nssTrustDomain_AddCertsToCache(defaultTD, &cert, 1);
+	    rvCert = STAN_GetCERTCertificate(cert);
+	}
+    }
+    if (slot) {
+	PK11_FreeSlot(slot);
+    }
+    if (nickCopy) PORT_Free(nickCopy);
+    return rvCert;
+#endif
+}
+
+static PRStatus 
+collect_certs(NSSCertificate *c, void *arg)
+{
+    nssList *list = (nssList *)arg;
+    /* Add the cert to the return list if not present */
+    if (!nssList_Get(list, (void *)c)) {
+	nssCertificate_AddRef(c);
+	nssList_Add(list, (void *)c);
+    }
+    return PR_SUCCESS;
+}
+
+CERTCertList *
+PK11_FindCertsFromNickname(char *nickname, void *wincx) {
+#ifdef NSS_CLASSIC
+    PK11SlotInfo *slot;
+    int i,count = 0;
+    CK_OBJECT_HANDLE *certID = PK11_FindObjectsFromNickname(nickname,&slot,
+				 		CKO_CERTIFICATE, &count, wincx);
+    CERTCertList *certList = NULL;
+
+    if (certID == NULL) return NULL;
+
+    certList= CERT_NewCertList();
+
+    for (i=0; i < count; i++) {
+    	CERTCertificate *cert = PK11_MakeCertFromHandle(slot,certID[i],NULL);
+
+	if (cert) CERT_AddCertToListTail(certList,cert);
+    }
+
+    if (CERT_LIST_HEAD(certList) == NULL) {
+	CERT_DestroyCertList(certList);
+	certList = NULL;
+    }
+    PK11_FreeSlot(slot);
+    PORT_Free(certID);
+    return certList;
+#else
+    PRStatus nssrv;
+    char *nickCopy;
+    char *delimit = NULL;
+    char *tokenName;
+    int i;
+    CERTCertList *certList = NULL;
+    NSSCertificate **foundCerts = NULL;
+    NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain();
+    NSSCertificate *c;
+    NSSToken *token;
+    PK11SlotInfo *slot;
+    nickCopy = PORT_Strdup(nickname);
+    if ((delimit = PORT_Strchr(nickCopy,':')) != NULL) {
+	tokenName = nickCopy;
+	nickname = delimit + 1;
+	*delimit = '\0';
+	/* find token by name */
+	token = NSSTrustDomain_FindTokenByName(defaultTD, (NSSUTF8 *)tokenName);
+	if (token) {
+	    slot = PK11_ReferenceSlot(token->pk11slot);
+	} else {
+	    slot = NULL;
+	}
+	*delimit = ':';
+    } else {
+	slot = PK11_GetInternalKeySlot();
+	token = PK11Slot_GetNSSToken(slot);
+    }
+    if (token) {
+	nssTokenCertSearch search;
+	PRUint32 count;
+	nssList *nameList;
+	if (!PK11_IsFriendly(slot)) {
+	    if (PK11_Authenticate(slot, PR_TRUE, wincx) != SECSuccess) {
+		PK11_FreeSlot(slot);
+		return NULL;
+	    }
+	}
+	if (!nssToken_SearchCerts(token, NULL)) {
+	    nameList = filter_token_certs_nickname(token, nickname);
+	} else {
+	    nameList = nssList_Create(NULL, PR_FALSE);
+	    if (!nameList) return NULL;
+	    (void)nssTrustDomain_GetCertsForNicknameFromCache(defaultTD,
+	                                                      nickname, 
+	                                                      nameList);
+	    /* set the search criteria */
+	    search.callback = collect_certs;
+	    search.cbarg = nameList;
+	    search.cached = nameList;
+	    search.searchType = nssTokenSearchType_TokenOnly;
+	    nssrv = nssToken_TraverseCertificatesByNickname(token, NULL, 
+	                                                    nickname, &search);
+	}
+	if (nameList) {
+	    count = nssList_Count(nameList);
+	    foundCerts = nss_ZNEWARRAY(NULL, NSSCertificate *, count + 1);
+	    nssList_GetArray(nameList, (void **)foundCerts, count);
+	    nssList_Destroy(nameList);
+	}
+    }
+    if (slot) {
+	PK11_FreeSlot(slot);
+    }
+    if (nickCopy) PORT_Free(nickCopy);
+    if (foundCerts) {
+	certList = CERT_NewCertList();
+	for (i=0, c = *foundCerts; c; c = foundCerts[++i]) {
+	    CERT_AddCertToListTail(certList, STAN_GetCERTCertificate(c));
+	}
+	if (CERT_LIST_HEAD(certList) == NULL) {
+	    CERT_DestroyCertList(certList);
+	    certList = NULL;
+	}
+	nss_ZFreeIf(foundCerts);
+    }
+    return certList;
+#endif
+}
+
+/*
+ * extract a key ID for a certificate...
+ * NOTE: We call this function from PKCS11.c If we ever use
+ * pkcs11 to extract the public key (we currently do not), this will break.
+ */
+SECItem *
+PK11_GetPubIndexKeyID(CERTCertificate *cert) {
+    SECKEYPublicKey *pubk;
+    SECItem *newItem = NULL;
+
+    pubk = CERT_ExtractPublicKey(cert);
+    if (pubk == NULL) return NULL;
+
+    switch (pubk->keyType) {
+    case rsaKey:
+	newItem = SECITEM_DupItem(&pubk->u.rsa.modulus);
+	break;
+    case dsaKey:
+        newItem = SECITEM_DupItem(&pubk->u.dsa.publicValue);
+	break;
+    case dhKey:
+        newItem = SECITEM_DupItem(&pubk->u.dh.publicValue);
+    case fortezzaKey:
+    default:
+	newItem = NULL; /* Fortezza Fix later... */
+    }
+    SECKEY_DestroyPublicKey(pubk);
+    /* make hash of it */
+    return newItem;
+}
+
+/*
+ * generate a CKA_ID from a certificate.
+ */
+SECItem *
+pk11_mkcertKeyID(CERTCertificate *cert) {
+    SECItem *pubKeyData = PK11_GetPubIndexKeyID(cert) ;
+    SECItem *certCKA_ID;
+
+    if (pubKeyData == NULL) return NULL;
+    
+    certCKA_ID = PK11_MakeIDFromPubKey(pubKeyData);
+    SECITEM_FreeItem(pubKeyData,PR_TRUE);
+    return certCKA_ID;
+}
+
+
+/*
+ * Generate a CKA_ID from the relevant public key data. The CKA_ID is generated
+ * from the pubKeyData by SHA1_Hashing it to produce a smaller CKA_ID (to make
+ * smart cards happy.
+ */
+SECItem *
+PK11_MakeIDFromPubKey(SECItem *pubKeyData) {
+    PK11Context *context;
+    SECItem *certCKA_ID;
+    SECStatus rv;
+
+    context = PK11_CreateDigestContext(SEC_OID_SHA1);
+    if (context == NULL) {
+	return NULL;
+    }
+
+    rv = PK11_DigestBegin(context);
+    if (rv == SECSuccess) {
+    	rv = PK11_DigestOp(context,pubKeyData->data,pubKeyData->len);
+    }
+    if (rv != SECSuccess) {
+	PK11_DestroyContext(context,PR_TRUE);
+	return NULL;
+    }
+
+    certCKA_ID = (SECItem *)PORT_Alloc(sizeof(SECItem));
+    if (certCKA_ID == NULL) {
+	PK11_DestroyContext(context,PR_TRUE);
+	return NULL;
+    }
+
+    certCKA_ID->len = SHA1_LENGTH;
+    certCKA_ID->data = (unsigned char*)PORT_Alloc(certCKA_ID->len);
+    if (certCKA_ID->data == NULL) {
+	PORT_Free(certCKA_ID);
+	PK11_DestroyContext(context,PR_TRUE);
+        return NULL;
+    }
+
+    rv = PK11_DigestFinal(context,certCKA_ID->data,&certCKA_ID->len,
+								SHA1_LENGTH);
+    PK11_DestroyContext(context,PR_TRUE);
+    if (rv != SECSuccess) {
+    	SECITEM_FreeItem(certCKA_ID,PR_TRUE);
+	return NULL;
+    }
+
+    return certCKA_ID;
+}
+
+/*
+ * Write the cert into the token.
+ */
+SECStatus
+PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert, 
+		CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust) {
+    int len = 0;
+    SECItem *keyID = pk11_mkcertKeyID(cert);
+    CK_ATTRIBUTE keyAttrs[] = {
+	{ CKA_LABEL, NULL, 0},
+	{ CKA_SUBJECT, NULL, 0},
+    };
+    CK_OBJECT_CLASS certc = CKO_CERTIFICATE;
+    CK_CERTIFICATE_TYPE certType = CKC_X_509;
+    CK_OBJECT_HANDLE certID;
+    CK_SESSION_HANDLE rwsession;
+    CK_BBOOL cktrue = CK_TRUE;
+    SECStatus rv = SECFailure;
+    CK_ATTRIBUTE certAttrs[] = {
+	{ CKA_ID, NULL, 0 },
+	{ CKA_LABEL, NULL, 0},
+	{ CKA_CLASS,  NULL, 0},
+	{ CKA_TOKEN,  NULL, 0},
+	{ CKA_CERTIFICATE_TYPE, NULL, 0},
+	{ CKA_SUBJECT, NULL, 0},
+	{ CKA_ISSUER, NULL, 0},
+	{ CKA_SERIAL_NUMBER,  NULL, 0},
+	{ CKA_VALUE,  NULL, 0},
+	{ CKA_NETSCAPE_TRUST,  NULL, 0},
+    };
+    int certCount = sizeof(certAttrs)/sizeof(certAttrs[0]), keyCount = 2;
+    int realCount = 0;
+    CK_ATTRIBUTE *attrs;
+    CK_RV crv;
+    SECCertUsage *certUsage = NULL;
+    SECItem derSerial = { 0 };
+    NSSToken *token;
+
+    if (keyID == NULL) {
+	PORT_SetError(SEC_ERROR_ADDING_CERT);
+	return rv;
+    }
+
+    len = ((nickname) ? PORT_Strlen(nickname) : 0);
+    
+    attrs = certAttrs;
+    PK11_SETATTRS(attrs,CKA_ID, keyID->data, keyID->len); attrs++;
+    if (nickname) {
+	PK11_SETATTRS(attrs,CKA_LABEL, nickname, len ); attrs++;
+    }
+    PK11_SETATTRS(attrs,CKA_CLASS, &certc, sizeof(certc) ); attrs++;
+    PK11_SETATTRS(attrs,CKA_TOKEN, &cktrue, sizeof(cktrue) ); attrs++;
+    PK11_SETATTRS(attrs,CKA_CERTIFICATE_TYPE, &certType,
+						sizeof(certType)); attrs++;
+    PK11_SETATTRS(attrs,CKA_SUBJECT, cert->derSubject.data,
+					 cert->derSubject.len ); attrs++;
+    PK11_SETATTRS(attrs,CKA_ISSUER, cert->derIssuer.data,
+					 cert->derIssuer.len ); attrs++;
+    if (PR_TRUE) {
+	/* CERTCertificate stores serial numbers decoded.  I need the DER
+	* here.  sigh.
+	*/
+	CERT_SerialNumberFromDERCert(&cert->derCert, &derSerial);
+	PK11_SETATTRS(attrs,CKA_SERIAL_NUMBER, derSerial.data, derSerial.len); 
+	attrs++;
+    }
+    PK11_SETATTRS(attrs,CKA_VALUE, cert->derCert.data, 
+						cert->derCert.len); attrs++;
+    if (includeTrust && PK11_IsInternal(slot)) {
+	certUsage = (SECCertUsage*)PORT_Alloc(sizeof(SECCertUsage));
+	if(!certUsage) {
+	    SECITEM_FreeItem(keyID,PR_TRUE);
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    return rv;
+	}
+	*certUsage = certUsageUserCertImport;
+	PK11_SETATTRS(attrs,CKA_NETSCAPE_TRUST, certUsage,
+							 sizeof(SECCertUsage));
+	attrs++;
+    }
+    realCount = attrs - certAttrs;
+    PORT_Assert(realCount <= certCount);
+
+    attrs = keyAttrs;
+    if(nickname) {
+	PK11_SETATTRS(attrs,CKA_LABEL, nickname, len ); attrs++;
+    }
+    PK11_SETATTRS(attrs,CKA_SUBJECT, cert->derSubject.data,
+					 cert->derSubject.len );
+
+    if(!nickname) {
+	certCount--;
+	keyCount--;
+    }
+
+    rwsession = PK11_GetRWSession(slot);
+    if (key != CK_INVALID_HANDLE) {
+	crv = PK11_GETTAB(slot)->C_SetAttributeValue(rwsession,key,keyAttrs,
+								keyCount);
+	if (crv != CKR_OK) {
+	    PORT_SetError( PK11_MapError(crv) );
+	    goto done;
+	}
+    }
+
+    crv = PK11_GETTAB(slot)->
+			C_CreateObject(rwsession,certAttrs,realCount,&certID);
+    if (crv == CKR_OK) {
+	rv = SECSuccess;
+    } else {
+	PORT_SetError( PK11_MapError(crv) );
+    }
+
+    if (!cert->nickname && nickname) {
+	cert->nickname = PORT_ArenaStrdup(cert->arena, nickname);
+    }
+
+    cert->pkcs11ID = certID;
+    cert->dbhandle = STAN_GetDefaultTrustDomain();
+    if (cert->slot == NULL) {
+	cert->slot = PK11_ReferenceSlot(slot);
+	cert->ownSlot = PR_TRUE;
+	if (cert->nssCertificate) {
+	    nssCryptokiInstance *instance;
+	    NSSCertificate *c = cert->nssCertificate;
+	    instance = nss_ZNEW(c->object.arena, nssCryptokiInstance);
+	    instance->token = slot->nssToken;
+	    instance->handle = cert->pkcs11ID;
+	    instance->isTokenObject = PR_TRUE;
+	    nssList_Add(c->object.instanceList, instance);
+	    /* XXX Fix this! */
+	    nssListIterator_Destroy(c->object.instances);
+	    c->object.instances = nssList_CreateIterator(c->object.instanceList);
+	} else {
+	    cert->nssCertificate = STAN_GetNSSCertificate(cert);
+	}
+    }
+    cert->trust = nssTrust_GetCERTCertTrustForCert(cert->nssCertificate, cert);
+    token = PK11Slot_GetNSSToken(slot);
+    if (token->certList) {
+	/* create a persistent reference for the token */
+	NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
+	nssCertificate_AddRef(cert->nssCertificate);
+	nssList_Add(token->certList, cert->nssCertificate);
+	/* and add the cert to the cache */
+	nssTrustDomain_AddCertsToCache(td, &cert->nssCertificate, 1);
+    }
+
+done:
+    if (derSerial.data) PORT_Free(derSerial.data);
+    SECITEM_FreeItem(keyID,PR_TRUE);
+    PK11_RestoreROSession(slot,rwsession);
+    if(certUsage) {
+	PORT_Free(certUsage);
+    }
+    return rv;
+
+}
+
+/*
+ * get a certificate handle, look at the cached handle first..
+ */
+CK_OBJECT_HANDLE
+pk11_getcerthandle(PK11SlotInfo *slot, CERTCertificate *cert, 
+					CK_ATTRIBUTE *theTemplate,int tsize)
+{
+    CK_OBJECT_HANDLE certh;
+
+    if (cert->slot == slot) {
+	certh = cert->pkcs11ID;
+	if (certh == CK_INVALID_HANDLE) {
+    	     certh = pk11_FindObjectByTemplate(slot,theTemplate,tsize);
+	     cert->pkcs11ID = certh;
+	}
+    } else {
+    	certh = pk11_FindObjectByTemplate(slot,theTemplate,tsize);
+    }
+    return certh;
+}
+
+/*
+ * return the private key From a given Cert
+ */
+SECKEYPrivateKey *
+PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot, CERTCertificate *cert,
+								 void *wincx) {
+    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_VALUE, NULL, 0 },
+	{ CKA_CLASS, NULL, 0 }
+    };
+    /* if you change the array, change the variable below as well */
+    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+    CK_OBJECT_HANDLE certh;
+    CK_OBJECT_HANDLE keyh;
+    CK_ATTRIBUTE *attrs = theTemplate;
+    SECStatus rv;
+
+    PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data, 
+						cert->derCert.len); attrs++;
+    PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));
+
+    /*
+     * issue the find
+     */
+    rv = PK11_Authenticate(slot, PR_TRUE, wincx);
+    if (rv != SECSuccess) {
+	return NULL;
+    }
+
+    certh = pk11_getcerthandle(slot,cert,theTemplate,tsize);
+    if (certh == CK_INVALID_HANDLE) {
+	return NULL;
+    }
+    keyh = PK11_MatchItem(slot,certh,CKO_PRIVATE_KEY);
+    if (keyh == CK_INVALID_HANDLE) { return NULL; }
+    return PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyh, wincx);
+} 
+
+
+/*
+ * return the private key with the given ID
+ */
+static CK_OBJECT_HANDLE
+pk11_FindPrivateKeyFromCertID(PK11SlotInfo *slot, SECItem *keyID)  {
+    CK_OBJECT_CLASS privKey = CKO_PRIVATE_KEY;
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_ID, NULL, 0 },
+	{ CKA_CLASS, NULL, 0 },
+    };
+    /* if you change the array, change the variable below as well */
+    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+    CK_ATTRIBUTE *attrs = theTemplate;
+
+    PK11_SETATTRS(attrs, CKA_ID, keyID->data, keyID->len ); attrs++;
+    PK11_SETATTRS(attrs, CKA_CLASS, &privKey, sizeof(privKey));
+
+    return pk11_FindObjectByTemplate(slot,theTemplate,tsize);
+} 
+
+/*
+ * import a cert for a private key we have already generated. Set the label
+ * on both to be the nickname. This is for the Key Gen, orphaned key case.
+ */
+PK11SlotInfo *
+PK11_KeyForCertExists(CERTCertificate *cert, CK_OBJECT_HANDLE *keyPtr, 
+								void *wincx) {
+    PK11SlotList *list;
+    PK11SlotListElement *le;
+    SECItem *keyID;
+    CK_OBJECT_HANDLE key;
+    PK11SlotInfo *slot = NULL;
+    SECStatus rv;
+
+    keyID = pk11_mkcertKeyID(cert);
+    /* get them all! */
+    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
+    if ((keyID == NULL) || (list == NULL)) {
+	if (keyID) SECITEM_FreeItem(keyID,PR_TRUE);
+	if (list) PK11_FreeSlotList(list);
+    	return NULL;
+    }
+
+    /* Look for the slot that holds the Key */
+    for (le = list->head ; le; le = le->next) {
+	rv = PK11_Authenticate(le->slot, PR_TRUE, wincx);
+	if (rv != SECSuccess) continue;
+	
+	key = pk11_FindPrivateKeyFromCertID(le->slot,keyID);
+	if (key != CK_INVALID_HANDLE) {
+	    slot = PK11_ReferenceSlot(le->slot);
+	    if (keyPtr) *keyPtr = key;
+	    break;
+	}
+    }
+
+    SECITEM_FreeItem(keyID,PR_TRUE);
+    PK11_FreeSlotList(list);
+    return slot;
+
+}
+/*
+ * import a cert for a private key we have already generated. Set the label
+ * on both to be the nickname. This is for the Key Gen, orphaned key case.
+ */
+PK11SlotInfo *
+PK11_KeyForDERCertExists(SECItem *derCert, CK_OBJECT_HANDLE *keyPtr, 
+								void *wincx) {
+    CERTCertificate *cert;
+    PK11SlotInfo *slot = NULL;
+
+    cert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
+    if (cert == NULL) return NULL;
+
+    slot = PK11_KeyForCertExists(cert, keyPtr, wincx);
+    CERT_DestroyCertificate (cert);
+    return slot;
+}
+
+PK11SlotInfo *
+PK11_ImportCertForKey(CERTCertificate *cert, char *nickname,void *wincx) {
+    PK11SlotInfo *slot = NULL;
+    CK_OBJECT_HANDLE key;
+
+    slot = PK11_KeyForCertExists(cert,&key,wincx);
+
+    if (slot) {
+	if (PK11_ImportCert(slot,cert,key,nickname,PR_FALSE) != SECSuccess) {
+	    PK11_FreeSlot(slot);
+	    slot = NULL;
+	}
+    } else {
+	PORT_SetError(SEC_ERROR_ADDING_CERT);
+    }
+
+    return slot;
+}
+
+PK11SlotInfo *
+PK11_ImportDERCertForKey(SECItem *derCert, char *nickname,void *wincx) {
+    CERTCertificate *cert;
+    PK11SlotInfo *slot = NULL;
+
+    cert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
+    if (cert == NULL) return NULL;
+
+    slot = PK11_ImportCertForKey(cert, nickname, wincx);
+    CERT_DestroyCertificate (cert);
+    return slot;
+}
+
+static CK_OBJECT_HANDLE
+pk11_FindCertObjectByTemplate(PK11SlotInfo **slotPtr, 
+		CK_ATTRIBUTE *searchTemplate, int count, void *wincx) {
+    PK11SlotList *list;
+    PK11SlotListElement *le;
+    CK_OBJECT_HANDLE certHandle = CK_INVALID_HANDLE;
+    PK11SlotInfo *slot = NULL;
+    SECStatus rv;
+
+    *slotPtr = NULL;
+
+    /* get them all! */
+    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
+    if (list == NULL) {
+	if (list) PK11_FreeSlotList(list);
+    	return CK_INVALID_HANDLE;
+    }
+
+
+    /* Look for the slot that holds the Key */
+    for (le = list->head ; le; le = le->next) {
+ 	if (!PK11_IsFriendly(le->slot)) {
+	    rv = PK11_Authenticate(le->slot, PR_TRUE, wincx);
+	    if (rv != SECSuccess) continue;
+	}
+
+	certHandle = pk11_FindObjectByTemplate(le->slot,searchTemplate,count);
+	if (certHandle != CK_INVALID_HANDLE) {
+	    slot = PK11_ReferenceSlot(le->slot);
+	    break;
+	}
+    }
+
+    PK11_FreeSlotList(list);
+
+    if (slot == NULL) {
+	return CK_INVALID_HANDLE;
+    }
+    *slotPtr = slot;
+    return certHandle;
+}
+
+
+/*
+ * We're looking for a cert which we have the private key for that's on the
+ * list of recipients. This searches one slot.
+ * this is the new version for NSS SMIME code
+ * this stuff should REALLY be in the SMIME code, but some things in here are not public
+ * (they should be!)
+ */
+static CK_OBJECT_HANDLE
+pk11_FindCertObjectByRecipientNew(PK11SlotInfo *slot, NSSCMSRecipient **recipientlist, int *rlIndex)
+{
+    CK_OBJECT_HANDLE certHandle;
+    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
+    CK_OBJECT_CLASS peerClass ;
+    CK_ATTRIBUTE searchTemplate[] = {
+	{ CKA_CLASS, NULL, 0 },
+	{ CKA_ISSUER, NULL, 0 },
+	{ CKA_SERIAL_NUMBER, NULL, 0}
+    };
+    int count = sizeof(searchTemplate)/sizeof(CK_ATTRIBUTE);
+    NSSCMSRecipient *ri = NULL;
+    CK_ATTRIBUTE *attrs;
+    int i;
+
+    peerClass = CKO_PRIVATE_KEY;
+    if (!PK11_IsLoggedIn(slot,NULL) && PK11_NeedLogin(slot)) {
+	peerClass = CKO_PUBLIC_KEY;
+    }
+
+    for (i=0; (ri = recipientlist[i]) != NULL; i++) {
+	/* XXXXX fixme - not yet implemented! */
+	if (ri->kind == RLSubjKeyID)
+	    continue;
+
+    	attrs = searchTemplate;
+
+	PK11_SETATTRS(attrs, CKA_CLASS, &certClass,sizeof(certClass)); attrs++;
+	PK11_SETATTRS(attrs, CKA_ISSUER, ri->id.issuerAndSN->derIssuer.data, 
+				ri->id.issuerAndSN->derIssuer.len); attrs++;
+	PK11_SETATTRS(attrs, CKA_SERIAL_NUMBER, 
+	  ri->id.issuerAndSN->serialNumber.data,ri->id.issuerAndSN->serialNumber.len);
+
+	certHandle = pk11_FindObjectByTemplate(slot,searchTemplate,count);
+	if (certHandle != CK_INVALID_HANDLE) {
+	    CERTCertificate *cert = pk11_fastCert(slot,certHandle,NULL,NULL);
+	    if (PK11_IsUserCert(slot,cert,certHandle)) {
+		/* we've found a cert handle, now let's see if there is a key
+	         * associated with it... */
+		ri->slot = PK11_ReferenceSlot(slot);
+		*rlIndex = i;
+	
+		CERT_DestroyCertificate(cert);       
+		return certHandle;
+	    }
+	    CERT_DestroyCertificate(cert);       
+	}
+    }
+    *rlIndex = -1;
+    return CK_INVALID_HANDLE;
+}
+
+/*
+ * This function is the same as above, but it searches all the slots.
+ * this is the new version for NSS SMIME code
+ * this stuff should REALLY be in the SMIME code, but some things in here are not public
+ * (they should be!)
+ */
+static CK_OBJECT_HANDLE
+pk11_AllFindCertObjectByRecipientNew(NSSCMSRecipient **recipientlist, void *wincx, int *rlIndex)
+{
+    PK11SlotList *list;
+    PK11SlotListElement *le;
+    CK_OBJECT_HANDLE certHandle = CK_INVALID_HANDLE;
+    SECStatus rv;
+
+    /* get them all! */
+    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
+    if (list == NULL) {
+	if (list) PK11_FreeSlotList(list);
+    	return CK_INVALID_HANDLE;
+    }
+
+    /* Look for the slot that holds the Key */
+    for (le = list->head ; le; le = le->next) {
+	if ( !PK11_IsFriendly(le->slot)) {
+	    rv = PK11_Authenticate(le->slot, PR_TRUE, wincx);
+	    if (rv != SECSuccess) continue;
+	}
+
+	certHandle = pk11_FindCertObjectByRecipientNew(le->slot, recipientlist, rlIndex);
+	if (certHandle != CK_INVALID_HANDLE)
+	    break;
+    }
+
+    PK11_FreeSlotList(list);
+
+    return (le == NULL) ? CK_INVALID_HANDLE : certHandle;
+}
+
+/*
+ * We're looking for a cert which we have the private key for that's on the
+ * list of recipients. This searches one slot.
+ */
+static CK_OBJECT_HANDLE
+pk11_FindCertObjectByRecipient(PK11SlotInfo *slot, 
+	SEC_PKCS7RecipientInfo **recipientArray,SEC_PKCS7RecipientInfo **rip)
+{
+    CK_OBJECT_HANDLE certHandle;
+    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
+    CK_OBJECT_CLASS peerClass ;
+    CK_ATTRIBUTE searchTemplate[] = {
+	{ CKA_CLASS, NULL, 0 },
+	{ CKA_ISSUER, NULL, 0 },
+	{ CKA_SERIAL_NUMBER, NULL, 0}
+    };
+    int count = sizeof(searchTemplate)/sizeof(CK_ATTRIBUTE);
+    SEC_PKCS7RecipientInfo *ri = NULL;
+    CK_ATTRIBUTE *attrs;
+    int i;
+
+
+    peerClass = CKO_PRIVATE_KEY;
+    if (!PK11_IsLoggedIn(slot,NULL) && PK11_NeedLogin(slot)) {
+	peerClass = CKO_PUBLIC_KEY;
+    }
+
+    for (i=0; (ri = recipientArray[i]) != NULL; i++) {
+    	attrs = searchTemplate;
+
+	PK11_SETATTRS(attrs, CKA_CLASS, &certClass,sizeof(certClass)); attrs++;
+	PK11_SETATTRS(attrs, CKA_ISSUER, ri->issuerAndSN->derIssuer.data, 
+				ri->issuerAndSN->derIssuer.len); attrs++;
+	PK11_SETATTRS(attrs, CKA_SERIAL_NUMBER, 
+	  ri->issuerAndSN->serialNumber.data,ri->issuerAndSN->serialNumber.len);
+
+	certHandle = pk11_FindObjectByTemplate(slot,searchTemplate,count);
+	if (certHandle != CK_INVALID_HANDLE) {
+	    CERTCertificate *cert = pk11_fastCert(slot,certHandle,NULL,NULL);
+	    if (PK11_IsUserCert(slot,cert,certHandle)) {
+		/* we've found a cert handle, now let's see if there is a key
+	         * associated with it... */
+		*rip = ri;
+	
+		CERT_DestroyCertificate(cert);       
+		return certHandle;
+	    }
+	    CERT_DestroyCertificate(cert);       
+	}
+    }
+    *rip = NULL;
+    return CK_INVALID_HANDLE;
+}
+
+/*
+ * This function is the same as above, but it searches all the slots.
+ */
+static CK_OBJECT_HANDLE
+pk11_AllFindCertObjectByRecipient(PK11SlotInfo **slotPtr, 
+	SEC_PKCS7RecipientInfo **recipientArray,SEC_PKCS7RecipientInfo **rip,
+							void *wincx) {
+    PK11SlotList *list;
+    PK11SlotListElement *le;
+    CK_OBJECT_HANDLE certHandle = CK_INVALID_HANDLE;
+    PK11SlotInfo *slot = NULL;
+    SECStatus rv;
+
+    *slotPtr = NULL;
+
+    /* get them all! */
+    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx);
+    if (list == NULL) {
+	if (list) PK11_FreeSlotList(list);
+    	return CK_INVALID_HANDLE;
+    }
+
+    *rip = NULL;
+
+    /* Look for the slot that holds the Key */
+    for (le = list->head ; le; le = le->next) {
+	if ( !PK11_IsFriendly(le->slot)) {
+	    rv = PK11_Authenticate(le->slot, PR_TRUE, wincx);
+	    if (rv != SECSuccess) continue;
+	}
+
+	certHandle = pk11_FindCertObjectByRecipient(le->slot,
+							recipientArray,rip);
+	if (certHandle != CK_INVALID_HANDLE) {
+	    slot = PK11_ReferenceSlot(le->slot);
+	    break;
+	}
+    }
+
+    PK11_FreeSlotList(list);
+
+    if (slot == NULL) {
+	return CK_INVALID_HANDLE;
+    }
+    *slotPtr = slot;
+    return certHandle;
+}
+
+/*
+ * We need to invert the search logic for PKCS 7 because if we search for
+ * each cert on the list over all the slots, we wind up with lots of spurious
+ * password prompts. This way we get only one password prompt per slot, at
+ * the max, and most of the time we can find the cert, and only prompt for
+ * the key...
+ */
+CERTCertificate *
+PK11_FindCertAndKeyByRecipientList(PK11SlotInfo **slotPtr, 
+	SEC_PKCS7RecipientInfo **array, SEC_PKCS7RecipientInfo **rip,
+				SECKEYPrivateKey**privKey, void *wincx)
+{
+    CK_OBJECT_HANDLE certHandle = CK_INVALID_HANDLE;
+    CK_OBJECT_HANDLE keyHandle = CK_INVALID_HANDLE;
+    CERTCertificate *cert = NULL;
+    SECStatus rv;
+
+    *privKey = NULL;
+    certHandle = pk11_AllFindCertObjectByRecipient(slotPtr,array,rip,wincx);
+    if (certHandle == CK_INVALID_HANDLE) {
+	return NULL;
+    }
+
+    rv = PK11_Authenticate(*slotPtr,PR_TRUE,wincx);
+    if (rv != SECSuccess) {
+	PK11_FreeSlot(*slotPtr);
+	*slotPtr = NULL;
+	return NULL;
+    }
+
+    keyHandle = PK11_MatchItem(*slotPtr,certHandle,CKO_PRIVATE_KEY);
+    if (keyHandle == CK_INVALID_HANDLE) { 
+	PK11_FreeSlot(*slotPtr);
+	*slotPtr = NULL;
+	return NULL;
+    }
+
+    *privKey =  PK11_MakePrivKey(*slotPtr, nullKey, PR_TRUE, keyHandle, wincx);
+    if (*privKey == NULL) {
+	PK11_FreeSlot(*slotPtr);
+	*slotPtr = NULL;
+	return NULL;
+    }
+    cert = PK11_MakeCertFromHandle(*slotPtr,certHandle,NULL);
+    if (cert == NULL) {
+	PK11_FreeSlot(*slotPtr);
+	SECKEY_DestroyPrivateKey(*privKey);
+	*slotPtr = NULL;
+	*privKey = NULL;
+	return NULL;
+    }
+    return cert;
+}
+
+/*
+ * This is the new version of the above function for NSS SMIME code
+ * this stuff should REALLY be in the SMIME code, but some things in here are not public
+ * (they should be!)
+ */
+int
+PK11_FindCertAndKeyByRecipientListNew(NSSCMSRecipient **recipientlist, void *wincx)
+{
+    CK_OBJECT_HANDLE certHandle = CK_INVALID_HANDLE;
+    CK_OBJECT_HANDLE keyHandle = CK_INVALID_HANDLE;
+    NSSCMSRecipient *rl;
+    int rlIndex;
+
+    certHandle = pk11_AllFindCertObjectByRecipientNew(recipientlist, wincx, &rlIndex);
+    if (certHandle == CK_INVALID_HANDLE) {
+	return -1;
+    }
+
+    rl = recipientlist[rlIndex];
+
+    /* at this point, rl->slot is set */
+
+    /* authenticate to the token */
+    if (PK11_Authenticate(rl->slot, PR_TRUE, wincx) != SECSuccess) {
+	PK11_FreeSlot(rl->slot);
+	rl->slot = NULL;
+	return -1;
+    }
+
+    /* try to get a private key handle for the cert we found */
+    keyHandle = PK11_MatchItem(rl->slot, certHandle, CKO_PRIVATE_KEY);
+    if (keyHandle == CK_INVALID_HANDLE) { 
+	PK11_FreeSlot(rl->slot);
+	rl->slot = NULL;
+	return -1;
+    }
+
+    /* make a private key out of the handle */
+    rl->privkey = PK11_MakePrivKey(rl->slot, nullKey, PR_TRUE, keyHandle, wincx);
+    if (rl->privkey == NULL) {
+	PK11_FreeSlot(rl->slot);
+	rl->slot = NULL;
+	return -1;
+    }
+    /* make a cert from the cert handle */
+    rl->cert = PK11_MakeCertFromHandle(rl->slot, certHandle, NULL);
+    if (rl->cert == NULL) {
+	PK11_FreeSlot(rl->slot);
+	SECKEY_DestroyPrivateKey(rl->privkey);
+	rl->slot = NULL;
+	rl->privkey = NULL;
+	return -1;
+    }
+    return rlIndex;
+}
+
+CERTCertificate *
+PK11_FindCertByIssuerAndSN(PK11SlotInfo **slotPtr, CERTIssuerAndSN *issuerSN,
+							 void *wincx)
+{
+#ifdef NSS_CLASSIC
+    CK_OBJECT_HANDLE certHandle;
+    CERTCertificate *cert = NULL;
+    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
+    CK_ATTRIBUTE searchTemplate[] = {
+ 	{ CKA_CLASS, NULL, 0 },
+	{ CKA_ISSUER, NULL, 0 },
+	{ CKA_SERIAL_NUMBER, NULL, 0}
+    };
+    int count = sizeof(searchTemplate)/sizeof(CK_ATTRIBUTE);
+    CK_ATTRIBUTE *attrs = searchTemplate;
+
+    PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_ISSUER, issuerSN->derIssuer.data, 
+					issuerSN->derIssuer.len); attrs++;
+    PK11_SETATTRS(attrs, CKA_SERIAL_NUMBER, issuerSN->serialNumber.data, 
+						issuerSN->serialNumber.len);
+
+    certHandle = pk11_FindCertObjectByTemplate
+					(slotPtr,searchTemplate,count,wincx);
+    if (certHandle == CK_INVALID_HANDLE) {
+	return NULL;
+    }
+    cert = PK11_MakeCertFromHandle(*slotPtr,certHandle,NULL);
+    if (cert == NULL) {
+	PK11_FreeSlot(*slotPtr);
+	return NULL;
+    }
+    return cert;
+#else
+    CERTCertificate *rvCert = NULL;
+    NSSCertificate *cert;
+    NSSDER issuer, serial;
+    NSSCryptoContext *cc;
+    SECItem *derSerial;
+
+    if (slotPtr) *slotPtr = NULL;
+
+    /* PKCS#11 needs to use DER-encoded serial numbers.  Create a
+     * CERTIssuerAndSN that actually has the encoded value and pass that
+     * to PKCS#11 (and the crypto context).
+     */
+    derSerial = SEC_ASN1EncodeItem(NULL, NULL,
+                                   &issuerSN->serialNumber,
+                                   SEC_IntegerTemplate);
+    if (!derSerial) {
+	return NULL;
+    }
+
+    NSSITEM_FROM_SECITEM(&issuer, &issuerSN->derIssuer);
+    NSSITEM_FROM_SECITEM(&serial, derSerial);
+
+    cc = STAN_GetDefaultCryptoContext();
+    cert = NSSCryptoContext_FindCertificateByIssuerAndSerialNumber(cc, 
+                                                                &issuer, 
+                                                                &serial);
+    if (cert) {
+	SECITEM_FreeItem(derSerial, PR_TRUE);
+	return STAN_GetCERTCertificate(cert);
+    }
+    cert = NSSTrustDomain_FindCertificateByIssuerAndSerialNumber(
+                                                  STAN_GetDefaultTrustDomain(),
+                                                  &issuer,
+                                                  &serial);
+    if (cert) {
+	rvCert = STAN_GetCERTCertificate(cert);
+	if (slotPtr) *slotPtr = PK11_ReferenceSlot(rvCert->slot);
+    }
+    SECITEM_FreeItem(derSerial, PR_TRUE);
+    return rvCert;
+#endif
+}
+
+CK_OBJECT_HANDLE
+PK11_FindObjectForCert(CERTCertificate *cert, void *wincx, PK11SlotInfo **pSlot)
+{
+    CK_OBJECT_HANDLE certHandle;
+    CK_ATTRIBUTE searchTemplate	= { CKA_VALUE, NULL, 0 };
+    
+    PK11_SETATTRS(&searchTemplate, CKA_VALUE, cert->derCert.data,
+		  cert->derCert.len);
+
+    if (cert->slot) {
+	certHandle = pk11_getcerthandle(cert->slot,cert,&searchTemplate,1);
+	if (certHandle != CK_INVALID_HANDLE) {
+	    *pSlot = PK11_ReferenceSlot(cert->slot);
+	    return certHandle;
+	}
+    }
+
+    certHandle = pk11_FindCertObjectByTemplate(pSlot,&searchTemplate,1,wincx);
+    if (certHandle != CK_INVALID_HANDLE) {
+	if (cert->slot == NULL) {
+	    cert->slot = PK11_ReferenceSlot(*pSlot);
+	    cert->pkcs11ID = certHandle;
+	    cert->ownSlot = PR_TRUE;
+	}
+    }
+
+    return(certHandle);
+}
+
+SECKEYPrivateKey *
+PK11_FindKeyByAnyCert(CERTCertificate *cert, void *wincx)
+{
+    CK_OBJECT_HANDLE certHandle;
+    CK_OBJECT_HANDLE keyHandle;
+    PK11SlotInfo *slot = NULL;
+    SECKEYPrivateKey *privKey;
+    SECStatus rv;
+
+    certHandle = PK11_FindObjectForCert(cert, wincx, &slot);
+    if (certHandle == CK_INVALID_HANDLE) {
+	 return NULL;
+    }
+    rv = PK11_Authenticate(slot, PR_TRUE, wincx);
+    if (rv != SECSuccess) {
+	PK11_FreeSlot(slot);
+	return NULL;
+    }
+    keyHandle = PK11_MatchItem(slot,certHandle,CKO_PRIVATE_KEY);
+    if (keyHandle == CK_INVALID_HANDLE) { 
+	PK11_FreeSlot(slot);
+	return NULL;
+    }
+    privKey =  PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyHandle, wincx);
+    PK11_FreeSlot(slot);
+    return privKey;
+}
+
+CK_OBJECT_HANDLE
+pk11_FindPubKeyByAnyCert(CERTCertificate *cert, PK11SlotInfo **slot, void *wincx)
+{
+    CK_OBJECT_HANDLE certHandle;
+    CK_OBJECT_HANDLE keyHandle;
+
+    certHandle = PK11_FindObjectForCert(cert, wincx, slot);
+    if (certHandle == CK_INVALID_HANDLE) {
+	 return CK_INVALID_HANDLE;
+    }
+    keyHandle = PK11_MatchItem(*slot,certHandle,CKO_PUBLIC_KEY);
+    if (keyHandle == CK_INVALID_HANDLE) { 
+	PK11_FreeSlot(*slot);
+	return CK_INVALID_HANDLE;
+    }
+    return keyHandle;
+}
+
+SECKEYPrivateKey *
+PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID, void *wincx)
+{
+    CK_OBJECT_HANDLE keyHandle;
+    SECKEYPrivateKey *privKey;
+
+    keyHandle = pk11_FindPrivateKeyFromCertID(slot, keyID);
+    if (keyHandle == CK_INVALID_HANDLE) { 
+	return NULL;
+    }
+    privKey =  PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyHandle, wincx);
+    return privKey;
+}
+
+/*
+ * find the number of certs in the slot with the same subject name
+ */
+int
+PK11_NumberCertsForCertSubject(CERTCertificate *cert)
+{
+    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_CLASS, NULL, 0 },
+	{ CKA_SUBJECT, NULL, 0 },
+    };
+    CK_ATTRIBUTE *attr = theTemplate;
+   int templateSize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+
+    PK11_SETATTRS(attr,CKA_CLASS, &certClass, sizeof(certClass)); attr++;
+    PK11_SETATTRS(attr,CKA_SUBJECT,cert->derSubject.data,cert->derSubject.len);
+
+    if (cert->slot == NULL) {
+	PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
+							PR_FALSE,PR_TRUE,NULL);
+	PK11SlotListElement *le;
+	int count = 0;
+
+	/* loop through all the fortezza tokens */
+	for (le = list->head; le; le = le->next) {
+	    count += PK11_NumberObjectsFor(le->slot,theTemplate,templateSize);
+	}
+	PK11_FreeSlotList(list);
+	return count;
+    }
+
+    return PK11_NumberObjectsFor(cert->slot,theTemplate,templateSize);
+}
+
+/*
+ *  Walk all the certs with the same subject
+ */
+SECStatus
+PK11_TraverseCertsForSubject(CERTCertificate *cert,
+        SECStatus(* callback)(CERTCertificate*, void *), void *arg)
+{
+    if(!cert) {
+	return SECFailure;
+    }
+    if (cert->slot == NULL) {
+	PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
+							PR_FALSE,PR_TRUE,NULL);
+	PK11SlotListElement *le;
+
+	/* loop through all the fortezza tokens */
+	for (le = list->head; le; le = le->next) {
+	    PK11_TraverseCertsForSubjectInSlot(cert,le->slot,callback,arg);
+	}
+	PK11_FreeSlotList(list);
+	return SECSuccess;
+
+    }
+
+    return PK11_TraverseCertsForSubjectInSlot(cert, cert->slot, callback, arg);
+}
+
+/* Find all certs with a given subject in the list of token certs */
+static nssList *
+filter_token_certs_subject(NSSToken *token, NSSDER *subject)
+{
+    nssListIterator *certs;
+    NSSCertificate *cert;
+    PRStatus nssrv;
+    nssList *rvList;
+    certs = nssList_CreateIterator(token->certList);
+    if (!certs) return NULL;
+    rvList = nssList_Create(NULL, PR_FALSE);
+    if (!rvList) {
+	nssListIterator_Destroy(certs);
+	return NULL;
+    }
+    for (cert  = (NSSCertificate *)nssListIterator_Start(certs);
+         cert != (NSSCertificate *)NULL;
+         cert  = (NSSCertificate *)nssListIterator_Next(certs))
+    {
+	if (nssItem_Equal(&cert->subject, subject, &nssrv)) {
+	    nssList_Add(rvList, nssCertificate_AddRef(cert));
+	}
+    }
+    nssListIterator_Finish(certs);
+    nssListIterator_Destroy(certs);
+    if (nssList_Count(rvList) == 0) {
+	nssList_Destroy(rvList);
+	rvList = NULL;
+    }
+    return rvList;
+}
+
+/* remove all certs in a list that are not on the given token */
+static void 
+filter_list_for_token_certs(nssList *certList, NSSToken *token)
+{
+    nssListIterator *instances, *certs;
+    nssCryptokiInstance *instance;
+    NSSCertificate *c;
+    PRBool isToken = PR_FALSE;
+    certs = nssList_CreateIterator(certList);
+    if (!certs) return;
+    for (c  = (NSSCertificate *)nssListIterator_Start(certs);
+         c != (NSSCertificate *)NULL;
+         c  = (NSSCertificate *)nssListIterator_Next(certs)) {
+	instances = c->object.instances;
+	for (instance  = (nssCryptokiInstance *)nssListIterator_Start(instances);
+	     instance != (nssCryptokiInstance *)NULL;
+	     instance  = (nssCryptokiInstance *)nssListIterator_Next(instances))
+	{
+	    if (instance->token == token) {
+		isToken = PR_TRUE;
+		break;
+	    }
+	}
+	nssListIterator_Finish(instances);
+	if (!isToken) {
+	    /* safe since iterator is copied */
+	    nssList_Remove(certList, c);
+	    CERT_DestroyCertificate(STAN_GetCERTCertificate(c));
+	}
+    }
+    nssListIterator_Finish(certs);
+    nssListIterator_Destroy(certs);
+}
+
+SECStatus
+PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert, PK11SlotInfo *slot,
+	SECStatus(* callback)(CERTCertificate*, void *), void *arg)
+{
+#ifdef NSS_CLASSIC
+    pk11DoCertCallback caller;
+    pk11TraverseSlot callarg;
+    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_CLASS, NULL, 0 },
+	{ CKA_SUBJECT, NULL, 0 },
+    };
+    CK_ATTRIBUTE *attr = theTemplate;
+   int templateSize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+
+    PK11_SETATTRS(attr,CKA_CLASS, &certClass, sizeof(certClass)); attr++;
+    PK11_SETATTRS(attr,CKA_SUBJECT,cert->derSubject.data,cert->derSubject.len);
+
+    if (slot == NULL)  {
+	return SECSuccess;
+    }
+    caller.noslotcallback = callback;
+    caller.callback = NULL;
+    caller.itemcallback = NULL;
+    caller.callbackArg = arg;
+    callarg.callback = pk11_DoCerts;
+    callarg.callbackArg = (void *) & caller;
+    callarg.findTemplate = theTemplate;
+    callarg.templateCount = templateSize;
+    
+    return PK11_TraverseSlot(slot, &callarg);
+#else
+    struct nss3_cert_cbstr pk11cb;
+    PRStatus nssrv = PR_SUCCESS;
+    NSSToken *token;
+    NSSDER subject;
+    NSSTrustDomain *td;
+    nssList *subjectList;
+    nssTokenCertSearch search;
+    pk11cb.callback = callback;
+    pk11cb.arg = arg;
+    td = STAN_GetDefaultTrustDomain();
+    NSSITEM_FROM_SECITEM(&subject, &cert->derSubject);
+    token = PK11Slot_GetNSSToken(slot);
+    if (!nssToken_SearchCerts(token, NULL)) {
+	subjectList = filter_token_certs_subject(token, &subject);
+	if (subjectList) {
+	    nssrv = nssCertificateList_DoCallback(subjectList, 
+	                                          convert_cert, &pk11cb);
+	}
+    } else {
+	subjectList = nssList_Create(NULL, PR_FALSE);
+	if (!subjectList) {
+	    return SECFailure;
+	}
+	(void)nssTrustDomain_GetCertsForSubjectFromCache(td, &subject, 
+	                                                 subjectList);
+	/* set the search criteria */
+	search.callback = convert_and_cache_cert;
+	search.cbarg = &pk11cb;
+	search.cached = subjectList;
+	search.searchType = nssTokenSearchType_TokenOnly;
+	pk11cb.cached = subjectList;
+	nssrv = nssToken_TraverseCertificatesBySubject(token, NULL, 
+	                                               &subject, &search);
+	if (nssrv == PR_SUCCESS) {
+	    filter_list_for_token_certs(subjectList, token);
+	    nssrv = nssCertificateList_DoCallback(subjectList, 
+	                                          convert_cert, &pk11cb);
+	}
+    }
+    if (subjectList) {
+	nssList_Clear(subjectList, cert_destructor);
+	nssList_Destroy(subjectList);
+    }
+    return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
+#endif
+}
+
+SECStatus
+PK11_TraverseCertsForNicknameInSlot(SECItem *nickname, PK11SlotInfo *slot,
+	SECStatus(* callback)(CERTCertificate*, void *), void *arg)
+{
+#ifdef NSS_CLASSIC
+    pk11DoCertCallback caller;
+    pk11TraverseSlot callarg;
+    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_CLASS, NULL, 0 },
+	{ CKA_LABEL, NULL, 0 },
+    };
+    CK_ATTRIBUTE *attr = theTemplate;
+    int templateSize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+
+    if(!nickname) {
+	return SECSuccess;
+    }
+
+    PK11_SETATTRS(attr,CKA_CLASS, &certClass, sizeof(certClass)); attr++;
+    PK11_SETATTRS(attr,CKA_LABEL,nickname->data,nickname->len);
+
+    if (slot == NULL) {
+	return SECSuccess;
+    }
+
+    caller.noslotcallback = callback;
+    caller.callback = NULL;
+    caller.itemcallback = NULL;
+    caller.callbackArg = arg;
+    callarg.callback = pk11_DoCerts;
+    callarg.callbackArg = (void *) & caller;
+    callarg.findTemplate = theTemplate;
+    callarg.templateCount = templateSize;
+
+    return PK11_TraverseSlot(slot, &callarg);
+#else
+    struct nss3_cert_cbstr pk11cb;
+    PRStatus nssrv = PR_SUCCESS;
+    NSSToken *token;
+    NSSTrustDomain *td;
+    NSSUTF8 *nick;
+    PRBool created = PR_FALSE;
+    nssTokenCertSearch search;
+    nssList *nameList;
+    pk11cb.callback = callback;
+    pk11cb.arg = arg;
+    if (nickname->data[nickname->len-1] != '\0') {
+	nick = nssUTF8_Create(NULL, nssStringType_UTF8String, 
+	                      nickname->data, nickname->len);
+	created = PR_TRUE;
+    } else {
+	nick = (NSSUTF8 *)nickname->data;
+    }
+    td = STAN_GetDefaultTrustDomain();
+    token = PK11Slot_GetNSSToken(slot);
+    if (!nssToken_SearchCerts(token, NULL)) {
+	nameList = filter_token_certs_nickname(token, nick);
+	if (nameList) {
+	    nssrv = nssCertificateList_DoCallback(nameList, 
+	                                          convert_cert, &pk11cb);
+	}
+    } else {
+	nameList = nssList_Create(NULL, PR_FALSE);
+	(void)nssTrustDomain_GetCertsForNicknameFromCache(td, nick, nameList);
+	/* set the search criteria */
+	search.callback = convert_and_cache_cert;
+	search.cbarg = &pk11cb;
+	search.cached = nameList;
+	search.searchType = nssTokenSearchType_TokenOnly;
+	pk11cb.cached = nameList;
+	nssrv = nssToken_TraverseCertificatesByNickname(token, NULL, 
+	                                                nick, &search);
+	if (nssrv == PR_SUCCESS) {
+	    filter_list_for_token_certs(nameList, token);
+	    nssrv = nssCertificateList_DoCallback(nameList, 
+	                                          convert_cert, &pk11cb);
+	}
+    }
+    if (nameList) {
+	nssList_Clear(nameList, cert_destructor);
+	nssList_Destroy(nameList);
+    }
+    if (created) nss_ZFreeIf(nick);
+    return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
+#endif
+}
+
+SECStatus
+PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
+	SECStatus(* callback)(CERTCertificate*, void *), void *arg)
+{
+#ifdef NSS_CLASSIC
+    pk11DoCertCallback caller;
+    pk11TraverseSlot callarg;
+    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_CLASS, NULL, 0 },
+    };
+    CK_ATTRIBUTE *attr = theTemplate;
+    int templateSize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+
+    PK11_SETATTRS(attr,CKA_CLASS, &certClass, sizeof(certClass)); attr++;
+
+    if (slot == NULL) {
+	return SECSuccess;
+    }
+
+    caller.noslotcallback = callback;
+    caller.callback = NULL;
+    caller.itemcallback = NULL;
+    caller.callbackArg = arg;
+    callarg.callback = pk11_DoCerts;
+    callarg.callbackArg = (void *) & caller;
+    callarg.findTemplate = theTemplate;
+    callarg.templateCount = templateSize;
+    return PK11_TraverseSlot(slot, &callarg);
+#else
+    PRStatus nssrv;
+    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
+    struct nss3_cert_cbstr pk11cb;
+    NSSToken *tok;
+    nssList *certList = NULL;
+    nssTokenCertSearch search;
+    pk11cb.callback = callback;
+    pk11cb.arg = arg;
+    tok = PK11Slot_GetNSSToken(slot);
+    if (!nssToken_SearchCerts(tok, NULL)) {
+	certList = tok->certList;
+	nssrv = nssCertificateList_DoCallback(certList, convert_cert, &pk11cb);
+    } else {
+	certList = nssList_Create(NULL, PR_FALSE);
+	if (!certList) {
+	    return SECFailure;
+	}
+	(void *)nssTrustDomain_GetCertsFromCache(td, certList);
+	/* set the search criteria */
+	search.callback = convert_and_cache_cert;
+	search.cbarg = &pk11cb;
+	search.cached = certList;
+	search.searchType = nssTokenSearchType_TokenOnly;
+	pk11cb.cached = certList;
+	nssrv = nssToken_TraverseCertificates(tok, NULL, &search);
+	if (nssrv == PR_SUCCESS) {
+	    filter_list_for_token_certs(certList, tok);
+	    nssrv = nssCertificateList_DoCallback(certList, 
+	                                          convert_cert, &pk11cb);
+	}
+	nssList_Clear(certList, cert_destructor);
+	nssList_Destroy(certList);
+    }
+    return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
+#endif
+}
+
+static NSSCertificate *
+filter_token_certs_DER(NSSToken *token, NSSDER *der)
+{
+    nssListIterator *certs;
+    NSSCertificate *cert, *rvCert;
+    PRStatus nssrv;
+    certs = nssList_CreateIterator(token->certList);
+    if (!certs) return NULL;
+    rvCert = NULL;
+    for (cert  = (NSSCertificate *)nssListIterator_Start(certs);
+         cert != (NSSCertificate *)NULL;
+         cert  = (NSSCertificate *)nssListIterator_Next(certs))
+    {
+	if (nssItem_Equal(&cert->encoding, der, &nssrv)) {
+	    rvCert = nssCertificate_AddRef(cert);
+	    break;
+	}
+    }
+    nssListIterator_Finish(certs);
+    nssListIterator_Destroy(certs);
+    return rvCert;
+}
+
+/*
+ * return the certificate associated with a derCert 
+ */
+CERTCertificate *
+PK11_FindCertFromDERCert(PK11SlotInfo *slot, CERTCertificate *cert,
+								 void *wincx)
+{
+#ifdef NSS_CLASSIC
+    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_VALUE, NULL, 0 },
+	{ CKA_CLASS, NULL, 0 }
+    };
+    /* if you change the array, change the variable below as well */
+    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+    CK_OBJECT_HANDLE certh;
+    CK_ATTRIBUTE *attrs = theTemplate;
+    SECStatus rv;
+
+    PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data, 
+						cert->derCert.len); attrs++;
+    PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));
+
+    /*
+     * issue the find
+     */
+    if ( !PK11_IsFriendly(slot)) {
+	rv = PK11_Authenticate(slot, PR_TRUE, wincx);
+	if (rv != SECSuccess) return NULL;
+    }
+
+    certh = pk11_getcerthandle(slot,cert,theTemplate,tsize);
+    if (certh == CK_INVALID_HANDLE) {
+	return NULL;
+    }
+    return PK11_MakeCertFromHandle(slot, certh, NULL);
+#else
+    CERTCertificate *rvCert = NULL;
+    NSSCertificate *c;
+    NSSDER derCert;
+    NSSToken *tok;
+    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
+    tok = PK11Slot_GetNSSToken(slot);
+    NSSITEM_FROM_SECITEM(&derCert, &cert->derCert);
+    if (!PK11_IsFriendly(slot)) {
+	if (PK11_Authenticate(slot, PR_TRUE, wincx) != SECSuccess) {
+	    PK11_FreeSlot(slot);
+	    return NULL;
+	}
+    }
+    if (!nssToken_SearchCerts(tok, NULL)) {
+	c = filter_token_certs_DER(tok, &derCert);
+    } else {
+	c = nssTrustDomain_GetCertByDERFromCache(td, &derCert);
+	if (!c) {
+	    c = nssToken_FindCertificateByEncodedCertificate(tok, NULL, 
+	                                        &derCert,
+                                                nssTokenSearchType_TokenOnly);
+	}
+    }
+    if (c) {
+	rvCert = STAN_GetCERTCertificate(c);
+    }
+    return rvCert;
+#endif
+} 
+
+/* mcgreer 3.4 -- nobody uses this, ignoring */
+/*
+ * return the certificate associated with a derCert 
+ */
+CERTCertificate *
+PK11_FindCertFromDERSubjectAndNickname(PK11SlotInfo *slot, 
+					CERTCertificate *cert, 
+					char *nickname, void *wincx)
+{
+    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_SUBJECT, NULL, 0 },
+	{ CKA_LABEL, NULL, 0 },
+	{ CKA_CLASS, NULL, 0 }
+    };
+    /* if you change the array, change the variable below as well */
+    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+    CK_OBJECT_HANDLE certh;
+    CK_ATTRIBUTE *attrs = theTemplate;
+    SECStatus rv;
+
+    PK11_SETATTRS(attrs, CKA_SUBJECT, cert->derSubject.data, 
+						cert->derSubject.len); attrs++;
+    PK11_SETATTRS(attrs, CKA_LABEL, nickname, PORT_Strlen(nickname));
+    PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));
+
+    /*
+     * issue the find
+     */
+    if ( !PK11_IsFriendly(slot)) {
+	rv = PK11_Authenticate(slot, PR_TRUE, wincx);
+	if (rv != SECSuccess) return NULL;
+    }
+
+    certh = pk11_getcerthandle(slot,cert,theTemplate,tsize);
+    if (certh == CK_INVALID_HANDLE) {
+	return NULL;
+    }
+
+    return PK11_MakeCertFromHandle(slot, certh, NULL);
+}
+
+/*
+ * import a cert for a private key we have already generated. Set the label
+ * on both to be the nickname.
+ */
+static CK_OBJECT_HANDLE 
+pk11_findKeyObjectByDERCert(PK11SlotInfo *slot, CERTCertificate *cert, 
+								void *wincx)
+{
+    SECItem *keyID;
+    CK_OBJECT_HANDLE key;
+    SECStatus rv;
+
+    if((slot == NULL) || (cert == NULL)) {
+	return CK_INVALID_HANDLE;
+    }
+
+    keyID = pk11_mkcertKeyID(cert);
+    if(keyID == NULL) {
+	return CK_INVALID_HANDLE;
+    }
+
+    key = CK_INVALID_HANDLE;
+
+    rv = PK11_Authenticate(slot, PR_TRUE, wincx);
+    if (rv != SECSuccess) goto loser;
+
+    key = pk11_FindPrivateKeyFromCertID(slot, keyID);
+
+loser:
+    SECITEM_ZfreeItem(keyID, PR_TRUE);
+    return key;
+}
+
+SECKEYPrivateKey *
+PK11_FindKeyByDERCert(PK11SlotInfo *slot, CERTCertificate *cert, 
+								void *wincx)
+{
+    CK_OBJECT_HANDLE keyHandle;
+
+    if((slot == NULL) || (cert == NULL)) {
+	return NULL;
+    }
+
+    keyHandle = pk11_findKeyObjectByDERCert(slot, cert, wincx);
+    if (keyHandle == CK_INVALID_HANDLE) {
+	return NULL;
+    }
+
+    return PK11_MakePrivKey(slot,nullKey,PR_TRUE,keyHandle,wincx);
+}
+
+SECStatus
+PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert, 
+						char *nickname, 
+						PRBool addCertUsage,void *wincx)
+{
+    CK_OBJECT_HANDLE keyHandle;
+
+    if((slot == NULL) || (cert == NULL) || (nickname == NULL)) {
+	return SECFailure;
+    }
+
+    keyHandle = pk11_findKeyObjectByDERCert(slot, cert, wincx);
+    if (keyHandle == CK_INVALID_HANDLE) {
+	return SECFailure;
+    }
+
+    return PK11_ImportCert(slot, cert, keyHandle, nickname, addCertUsage);
+}   
+
+
+/* remove when the real version comes out */
+#define SEC_OID_MISSI_KEA 300  /* until we have v3 stuff merged */
+PRBool
+KEAPQGCompare(CERTCertificate *server,CERTCertificate *cert) {
+
+    if ( SECKEY_KEAParamCompare(server,cert) == SECEqual ) {
+        return PR_TRUE;
+    } else {
+	return PR_FALSE;
+    }
+}
+
+PRBool
+PK11_FortezzaHasKEA(CERTCertificate *cert) {
+   /* look at the subject and see if it is a KEA for MISSI key */
+   SECOidData *oid;
+
+   if ((cert->trust == NULL) ||
+       ((cert->trust->sslFlags & CERTDB_USER) != CERTDB_USER)) {
+       return PR_FALSE;
+   }
+
+   oid = SECOID_FindOID(&cert->subjectPublicKeyInfo.algorithm.algorithm);
+
+
+   return (PRBool)((oid->offset == SEC_OID_MISSI_KEA_DSS_OLD) || 
+		(oid->offset == SEC_OID_MISSI_KEA_DSS) ||
+				(oid->offset == SEC_OID_MISSI_KEA)) ;
+}
+
+/*
+ * Find a kea cert on this slot that matches the domain of it's peer
+ */
+static CERTCertificate
+*pk11_GetKEAMate(PK11SlotInfo *slot,CERTCertificate *peer)
+{
+    int i;
+    CERTCertificate *returnedCert = NULL;
+
+    for (i=0; i < slot->cert_count; i++) {
+	CERTCertificate *cert = slot->cert_array[i];
+
+	if (PK11_FortezzaHasKEA(cert) && KEAPQGCompare(peer,cert)) {
+		returnedCert = CERT_DupCertificate(cert);
+		break;
+	}
+    }
+    return returnedCert;
+}
+
+/*
+ * The following is a FORTEZZA only Certificate request. We call this when we
+ * are doing a non-client auth SSL connection. We are only interested in the
+ * fortezza slots, and we are only interested in certs that share the same root
+ * key as the server.
+ */
+CERTCertificate *
+PK11_FindBestKEAMatch(CERTCertificate *server, void *wincx)
+{
+    PK11SlotList *keaList = PK11_GetAllTokens(CKM_KEA_KEY_DERIVE,
+							PR_FALSE,PR_TRUE,wincx);
+    PK11SlotListElement *le;
+    CERTCertificate *returnedCert = NULL;
+    SECStatus rv;
+
+    /* loop through all the fortezza tokens */
+    for (le = keaList->head; le; le = le->next) {
+        rv = PK11_Authenticate(le->slot, PR_TRUE, wincx);
+        if (rv != SECSuccess) continue;
+	if (le->slot->session == CK_INVALID_SESSION) {
+	    continue;
+	}
+	returnedCert = pk11_GetKEAMate(le->slot,server);
+	if (returnedCert) break;
+    }
+    PK11_FreeSlotList(keaList);
+
+    return returnedCert;
+}
+
+/*
+ * find a matched pair of kea certs to key exchange parameters from one 
+ * fortezza card to another as necessary.
+ */
+SECStatus
+PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1, PK11SlotInfo *slot2,
+	CERTCertificate **cert1, CERTCertificate **cert2)
+{
+    CERTCertificate *returnedCert = NULL;
+    int i;
+
+    for (i=0; i < slot1->cert_count; i++) {
+	CERTCertificate *cert = slot1->cert_array[i];
+
+	if (PK11_FortezzaHasKEA(cert)) {
+	    returnedCert = pk11_GetKEAMate(slot2,cert);
+	    if (returnedCert != NULL) {
+		*cert2 = returnedCert;
+		*cert1 = CERT_DupCertificate(cert);
+		return SECSuccess;
+	    }
+	}
+    }
+    return SECFailure;
+}
+
+SECOidTag 
+PK11_FortezzaMapSig(SECOidTag algTag)
+{
+    switch (algTag) {
+    case SEC_OID_MISSI_KEA_DSS:
+    case SEC_OID_MISSI_DSS:
+    case SEC_OID_MISSI_DSS_OLD:
+    case SEC_OID_MISSI_KEA_DSS_OLD:
+    case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
+	return SEC_OID_ANSIX9_DSA_SIGNATURE;
+    default:
+	break;
+    }
+    return algTag;
+}
+
+/*
+ * return the private key From a given Cert
+ */
+CK_OBJECT_HANDLE
+PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert, void *wincx)
+{
+    CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_VALUE, NULL, 0 },
+	{ CKA_CLASS, NULL, 0 }
+    };
+    /* if you change the array, change the variable below as well */
+    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+    CK_ATTRIBUTE *attrs = theTemplate;
+    SECStatus rv;
+
+    PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data,
+						cert->derCert.len); attrs++;
+    PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass));
+
+    /*
+     * issue the find
+     */
+    rv = PK11_Authenticate(slot, PR_TRUE, wincx);
+    if (rv != SECSuccess) {
+	return CK_INVALID_HANDLE;
+    }
+
+    return pk11_getcerthandle(slot,cert,theTemplate,tsize);
+}
+
+SECItem *
+PK11_GetKeyIDFromCert(CERTCertificate *cert, void *wincx)
+{
+    CK_OBJECT_HANDLE handle;
+    PK11SlotInfo *slot = NULL;
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_ID, NULL, 0 },
+    };
+    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+    SECItem *item = NULL;
+    CK_RV crv;
+
+    handle = PK11_FindObjectForCert(cert,wincx,&slot);
+    if (handle == CK_INVALID_HANDLE) {
+	goto loser;
+    }
+
+
+    crv = PK11_GetAttributes(NULL,slot,handle,theTemplate,tsize);
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	goto loser;
+    }
+
+    item = PORT_ZNew(SECItem);
+    if (item) {
+        item->data = theTemplate[0].pValue;
+        item->len = theTemplate[0].ulValueLen;
+    }
+
+
+loser:
+    PK11_FreeSlot(slot);
+    return item;
+}
+
+SECItem *
+PK11_GetKeyIDFromPrivateKey(SECKEYPrivateKey *key, void *wincx)
+{
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_ID, NULL, 0 },
+    };
+    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+    SECItem *item = NULL;
+    CK_RV crv;
+
+    crv = PK11_GetAttributes(NULL,key->pkcs11Slot,key->pkcs11ID,
+							theTemplate,tsize);
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	goto loser;
+    }
+
+    item = PORT_ZNew(SECItem);
+    if (item) {
+        item->data = theTemplate[0].pValue;
+        item->len = theTemplate[0].ulValueLen;
+    }
+
+
+loser:
+    return item;
+}
+
+struct listCertsStr {
+    PK11CertListType type;
+    CERTCertList *certList;
+};
+
+static PRBool
+isOnList(CERTCertList *certList,CERTCertificate *cert)
+{
+	CERTCertListNode *cln;
+
+	for (cln = CERT_LIST_HEAD(certList); !CERT_LIST_END(cln,certList);
+			cln = CERT_LIST_NEXT(cln)) {
+	    if (cln->cert == cert) {
+		return PR_TRUE;
+	    }
+	}
+	return PR_FALSE;
+}
+static SECStatus
+#ifdef NSS_CLASSIC
+pk11ListCertCallback(CERTCertificate *cert, SECItem *derCert, void *arg)
+#else
+pk11ListCertCallback(CERTCertificate *cert, void *arg)
+#endif
+{
+    struct listCertsStr *listCertP = (struct listCertsStr *)arg;
+    CERTCertificate *newCert = NULL;
+    PK11CertListType type = listCertP->type;
+    CERTCertList *certList = listCertP->certList;
+    CERTCertTrust *trust;
+    PRBool isUnique = PR_FALSE;
+    char *nickname = NULL;
+    unsigned int certType;
+
+    if ((type == PK11CertListUnique) || (type == PK11CertListRootUnique)) {
+	isUnique = PR_TRUE;
+    }
+    /* at this point the nickname is correct for the cert. save it for later */
+    if (!isUnique && cert->nickname) {
+         nickname = PORT_ArenaStrdup(listCertP->certList->arena,cert->nickname);
+    }
+#ifdef NSS_CLASSIC
+    if (derCert == NULL) {
+	newCert=CERT_DupCertificate(cert);
+    } else {
+	newCert=CERT_FindCertByDERCert(CERT_GetDefaultCertDB(),&cert->derCert);
+    }
+#else
+    newCert=CERT_DupCertificate(cert);
+#endif
+
+    if (newCert == NULL) return SECSuccess;
+
+    trust = newCert->trust;
+
+    /* if we want user certs and we don't have one skip this cert */
+    if ((type == PK11CertListUser) && 
+	  ((trust == NULL) || 
+		( ((trust->sslFlags & CERTDB_USER) == 0)  && 
+			((trust->emailFlags & CERTDB_USER) == 0) )) ) {
+	CERT_DestroyCertificate(newCert);
+	return SECSuccess;
+    }
+
+    /* if we want root certs, skip the user certs */
+    if ((type == PK11CertListRootUnique) && 
+	  ((trust) && (((trust->sslFlags & CERTDB_USER )  || 
+				(trust->emailFlags & CERTDB_USER))) ) ) {
+	CERT_DestroyCertificate(newCert);
+	return SECSuccess;
+    }
+
+
+    /* if we want Unique certs and we already have it on our list, skip it */
+    if ( isUnique && isOnList(certList,newCert) ) {
+	CERT_DestroyCertificate(newCert);
+	return SECSuccess;
+    }
+
+    /* if we want CA certs and it ain't one, skip it */
+    if( type == PK11CertListCA  && (!CERT_IsCACert(newCert, &certType)) ) {
+	CERT_DestroyCertificate(newCert);
+	return SECSuccess;
+    }
+
+    /* put slot certs at the end */
+    if (newCert->slot && !PK11_IsInternal(newCert->slot)) {
+    	CERT_AddCertToListTailWithData(certList,newCert,nickname);
+    } else {
+    	CERT_AddCertToListHeadWithData(certList,newCert,nickname);
+    }
+    return SECSuccess;
+}
+
+
+CERTCertList *
+PK11_ListCerts(PK11CertListType type, void *pwarg)
+{
+#ifdef NSS_CLASSIC
+    CERTCertList *certList = NULL;
+    struct listCertsStr listCerts;
+    
+    certList= CERT_NewCertList();
+    listCerts.type = type;
+    listCerts.certList = certList;
+
+    PK11_TraverseSlotCerts(pk11ListCertCallback,&listCerts,pwarg);
+
+    if (CERT_LIST_HEAD(certList) == NULL) {
+	CERT_DestroyCertList(certList);
+	certList = NULL;
+    }
+    return certList;
+#else
+    NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain();
+    CERTCertList *certList = NULL;
+    struct nss3_cert_cbstr pk11cb;
+    struct listCertsStr listCerts;
+    certList = CERT_NewCertList();
+    listCerts.type = type;
+    listCerts.certList = certList;
+    pk11cb.callback = pk11ListCertCallback;
+    pk11cb.arg = &listCerts;
+    NSSTrustDomain_TraverseCertificates(defaultTD, convert_cert, &pk11cb);
+    return certList;
+#endif
+}
+
+static SECItem *
+pk11_GetLowLevelKeyFromHandle(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle) {
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_ID, NULL, 0 },
+    };
+    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+    CK_RV crv;
+    SECItem *item;
+
+    item = SECITEM_AllocItem(NULL, NULL, 0);
+
+    if (item == NULL) {
+	return NULL;
+    }
+
+    crv = PK11_GetAttributes(NULL,slot,handle,theTemplate,tsize);
+    if (crv != CKR_OK) {
+	SECITEM_FreeItem(item,PR_TRUE);
+	PORT_SetError( PK11_MapError(crv) );
+	return NULL;
+    }
+
+    item->data = theTemplate[0].pValue;
+    item->len =theTemplate[0].ulValueLen;
+
+    return item;
+}
+    
+SECItem *
+PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot,
+					CERTCertificate *cert, void *wincx)
+{
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_VALUE, NULL, 0 },
+	{ CKA_CLASS, NULL, 0 }
+    };
+    /* if you change the array, change the variable below as well */
+    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+    CK_OBJECT_HANDLE certHandle;
+    CK_ATTRIBUTE *attrs = theTemplate;
+    PK11SlotInfo *slotRef = NULL;
+    SECItem *item;
+    SECStatus rv;
+
+    if (slot) {
+	PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data, 
+						cert->derCert.len); attrs++;
+
+	rv = PK11_Authenticate(slot, PR_TRUE, wincx);
+	if (rv != SECSuccess) {
+	    return NULL;
+	}
+        certHandle = pk11_getcerthandle(slot,cert,theTemplate,tsize);
+    } else {
+    	certHandle = PK11_FindObjectForCert(cert, wincx, &slotRef);
+	if (certHandle == CK_INVALID_HANDLE) {
+	   return pk11_mkcertKeyID(cert);
+	}
+	slot = slotRef;
+    }
+
+    if (certHandle == CK_INVALID_HANDLE) {
+	 return NULL;
+    }
+
+    item = pk11_GetLowLevelKeyFromHandle(slot,certHandle);
+    if (slotRef) PK11_FreeSlot(slotRef);
+    return item;
+}
+
+SECItem *
+PK11_GetLowLevelKeyIDForPrivateKey(SECKEYPrivateKey *privKey)
+{
+    return pk11_GetLowLevelKeyFromHandle(privKey->pkcs11Slot,privKey->pkcs11ID);
+}
+
+static SECStatus
+listCertsCallback(CERTCertificate* cert, void*arg)
+{
+    CERTCertList *list = (CERTCertList*)arg;
+    char *nickname = NULL;
+
+    if (cert->nickname) {
+	nickname = PORT_ArenaStrdup(list->arena,cert->nickname);
+    }
+
+    return CERT_AddCertToListTailWithData(list, 
+				CERT_DupCertificate(cert),nickname);
+}
+
+CERTCertList *
+PK11_ListCertsInSlot(PK11SlotInfo *slot)
+{
+    SECStatus status;
+    CERTCertList *certs;
+
+    certs = CERT_NewCertList();
+    if(certs == NULL) return NULL;
+
+    status = PK11_TraverseCertsInSlot(slot, listCertsCallback,
+		(void*)certs);
+
+    if( status != SECSuccess ) {
+	CERT_DestroyCertList(certs);
+	certs = NULL;
+    }
+
+    return certs;
+}
+
+static SECStatus
+privateKeyListCallback(SECKEYPrivateKey *key, void *arg)
+{
+    SECKEYPrivateKeyList *list = (SECKEYPrivateKeyList*)arg;
+    return SECKEY_AddPrivateKeyToListTail(list, SECKEY_CopyPrivateKey(key));
+}
+
+SECKEYPrivateKeyList*
+PK11_ListPrivateKeysInSlot(PK11SlotInfo *slot)
+{
+    SECStatus status;
+    SECKEYPrivateKeyList *keys;
+
+    keys = SECKEY_NewPrivateKeyList();
+    if(keys == NULL) return NULL;
+
+    status = PK11_TraversePrivateKeysInSlot(slot, privateKeyListCallback,
+		(void*)keys);
+
+    if( status != SECSuccess ) {
+	SECKEY_DestroyPrivateKeyList(keys);
+	keys = NULL;
+    }
+
+    return keys;
+}
+
+SECKEYPublicKeyList*
+PK11_ListPublicKeysInSlot(PK11SlotInfo *slot, char *nickname)
+{
+    CK_ATTRIBUTE findTemp[4];
+    CK_ATTRIBUTE *attrs;
+    CK_BBOOL ckTrue = CK_TRUE;
+    CK_OBJECT_CLASS keyclass = CKO_PUBLIC_KEY;
+    int tsize = 0;
+    int objCount = 0;
+    CK_OBJECT_HANDLE *key_ids;
+    SECStatus status;
+    SECKEYPublicKeyList *keys;
+    int i,len;
+
+
+    attrs = findTemp;
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++;
+    if (nickname) {
+	len = PORT_Strlen(nickname)-1;
+	PK11_SETATTRS(attrs, CKA_LABEL, nickname, len); attrs++;
+    }
+    tsize = attrs - findTemp;
+    PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE));
+
+    key_ids = pk11_FindObjectsByTemplate(slot,findTemp,tsize,&objCount);
+    if (key_ids == NULL) {
+	return NULL;
+    }
+    keys = SECKEY_NewPublicKeyList();
+    if (keys == NULL) {
+	PORT_Free(key_ids);
+    }
+
+    for (i=0; i < objCount ; i++) {
+	SECKEYPublicKey *pubKey = 
+				PK11_ExtractPublicKey(slot,nullKey,key_ids[i]);
+	SECKEY_AddPublicKeyToListTail(keys, pubKey);
+   }
+
+   PORT_Free(key_ids);
+   return keys;
+}
+
+SECKEYPrivateKeyList*
+PK11_ListPrivKeysInSlot(PK11SlotInfo *slot, char *nickname, void *wincx)
+{
+    CK_ATTRIBUTE findTemp[4];
+    CK_ATTRIBUTE *attrs;
+    CK_BBOOL ckTrue = CK_TRUE;
+    CK_OBJECT_CLASS keyclass = CKO_PRIVATE_KEY;
+    int tsize = 0;
+    int objCount = 0;
+    CK_OBJECT_HANDLE *key_ids;
+    SECStatus status;
+    SECKEYPrivateKeyList *keys;
+    int i,len;
+
+
+    attrs = findTemp;
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++;
+    if (nickname) {
+	len = PORT_Strlen(nickname)-1;
+	PK11_SETATTRS(attrs, CKA_LABEL, nickname, len); attrs++;
+    }
+    tsize = attrs - findTemp;
+    PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE));
+
+    key_ids = pk11_FindObjectsByTemplate(slot,findTemp,tsize,&objCount);
+    if (key_ids == NULL) {
+	return NULL;
+    }
+    keys = SECKEY_NewPrivateKeyList();
+    if (keys == NULL) {
+	PORT_Free(key_ids);
+    }
+
+    for (i=0; i < objCount ; i++) {
+	SECKEYPrivateKey *privKey = 
+		PK11_MakePrivKey(slot,nullKey,PR_TRUE,key_ids[i],wincx);
+	SECKEY_AddPrivateKeyToListTail(keys, privKey);
+   }
+
+   PORT_Free(key_ids);
+   return keys;
+}
+
+/*
+ * return the certificate associated with a derCert 
+ */
+SECItem *
+PK11_FindCrlByName(PK11SlotInfo **slot, CK_OBJECT_HANDLE *crlHandle,
+					 SECItem *name, int type, char **url)
+{
+    CK_OBJECT_CLASS crlClass = CKO_NETSCAPE_CRL;
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_SUBJECT, NULL, 0 },
+	{ CKA_CLASS, NULL, 0 },
+	{ CKA_NETSCAPE_KRL, NULL, 0 },
+    };
+    CK_ATTRIBUTE crlData[] = {
+	{ CKA_VALUE, NULL, 0 },
+	{ CKA_NETSCAPE_URL, NULL, 0 },
+    };
+    /* if you change the array, change the variable below as well */
+    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+    CK_BBOOL ck_true = CK_TRUE;
+    CK_BBOOL ck_false = CK_FALSE;
+    CK_OBJECT_HANDLE crlh = CK_INVALID_HANDLE;
+    CK_ATTRIBUTE *attrs = theTemplate;
+    CK_RV crv;
+    SECItem *derCrl = NULL;
+
+    PK11_SETATTRS(attrs, CKA_SUBJECT, name->data, name->len); attrs++;
+    PK11_SETATTRS(attrs, CKA_CLASS, &crlClass, sizeof(crlClass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_NETSCAPE_KRL, (type == SEC_CRL_TYPE) ? 
+			&ck_false : &ck_true, sizeof (CK_BBOOL)); attrs++;
+
+    if (*slot) {
+    	crlh = pk11_FindObjectByTemplate(*slot,theTemplate,tsize);
+    } else {
+	PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
+							PR_FALSE,PR_TRUE,NULL);
+	PK11SlotListElement *le;
+
+	/* loop through all the fortezza tokens */
+	for (le = list->head; le; le = le->next) {
+	    if (le->slot->nssToken && !nssToken_HasCrls(le->slot->nssToken)) {
+		continue;
+	    }
+	    crlh = pk11_FindObjectByTemplate(le->slot,theTemplate,tsize);
+	    if (crlh != CK_INVALID_HANDLE) {
+		*slot = PK11_ReferenceSlot(le->slot);
+		break;
+	    }
+	}
+	PK11_FreeSlotList(list);
+    }
+    
+    if (crlh == CK_INVALID_HANDLE) {
+	PORT_SetError(SEC_ERROR_NO_KRL);
+	return NULL;
+    }
+    crv = PK11_GetAttributes(NULL,*slot,crlh,crlData,2);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError (crv));
+	goto loser;
+    }
+
+    derCrl = (SECItem *)PORT_ZAlloc(sizeof(SECItem));    
+    if (derCrl == NULL) {
+	goto loser;
+    }
+
+    derCrl->data = crlData[0].pValue;
+    derCrl->len = crlData[0].ulValueLen;
+
+    if (crlHandle) {
+        *crlHandle = crlh;
+    }
+
+    if ((url) && crlData[1].ulValueLen != 0) {
+	/* make sure it's a null terminated string */
+	*url = PORT_ZAlloc (crlData[1].ulValueLen+1);
+	if (*url) {
+	    PORT_Memcpy(*url,crlData[1].pValue,crlData[1].ulValueLen);
+	}
+    }
+	
+
+loser:
+    if (!derCrl) {
+	if (crlData[0].pValue) PORT_Free(crlData[0].pValue);
+    }
+    if (crlData[1].pValue) PORT_Free(crlData[1].pValue);
+    return derCrl;
+}
+
+CK_OBJECT_HANDLE
+PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl, SECItem *name, 
+							char *url, int type)
+{
+    CK_OBJECT_CLASS crlClass = CKO_NETSCAPE_CRL;
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_SUBJECT, NULL, 0 },
+	{ CKA_CLASS, NULL, 0 },
+	{ CKA_NETSCAPE_KRL, NULL, 0 },
+	{ CKA_NETSCAPE_URL, NULL, 0 },
+	{ CKA_VALUE, NULL, 0 },
+	{ CKA_TOKEN, NULL, 0 }
+    };
+    /* if you change the array, change the variable below as well */
+    int tsize;
+    CK_BBOOL ck_true = CK_TRUE;
+    CK_BBOOL ck_false = CK_FALSE;
+    CK_OBJECT_HANDLE crlh = CK_INVALID_HANDLE;
+    CK_ATTRIBUTE *attrs = theTemplate;
+    CK_SESSION_HANDLE rwsession;
+    CK_RV crv;
+
+    PK11_SETATTRS(attrs, CKA_SUBJECT, name->data, name->len); attrs++;
+    PK11_SETATTRS(attrs, CKA_CLASS, &crlClass, sizeof(crlClass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_NETSCAPE_KRL, (type == SEC_CRL_TYPE) ? 
+			&ck_false : &ck_true, sizeof (CK_BBOOL)); attrs++;
+    if (url) {
+	PK11_SETATTRS(attrs, CKA_NETSCAPE_URL, url, PORT_Strlen(url)+1); attrs++;
+    }
+    PK11_SETATTRS(attrs, CKA_VALUE,crl->data,crl->len); attrs++;
+    PK11_SETATTRS(attrs, CKA_TOKEN, &ck_true,sizeof(CK_BBOOL)); attrs++;
+
+    tsize = attrs - &theTemplate[0];
+    PORT_Assert(tsize <= sizeof(theTemplate)/sizeof(theTemplate[0]));
+
+    rwsession = PK11_GetRWSession(slot);
+    if (rwsession == CK_INVALID_SESSION) {
+	PORT_SetError(SEC_ERROR_READ_ONLY);
+	return crlh;
+    }
+
+    crv = PK11_GETTAB(slot)->
+                        C_CreateObject(rwsession,theTemplate,tsize,&crlh);
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+    }
+
+    PK11_RestoreROSession(slot,rwsession);
+
+    if (slot->nssToken) {
+	nssToken_SetHasCrls(slot->nssToken);
+    }
+    return crlh;
+}
+
+
+
+/*
+ * delete a crl.
+ */
+SECStatus
+SEC_DeletePermCRL(CERTSignedCrl *crl)
+{
+    PK11SlotInfo *slot = crl->slot;
+    CK_RV crv;
+
+    if (slot == NULL) {
+	/* shouldn't happen */
+	PORT_SetError( SEC_ERROR_CRL_INVALID);
+	return SECFailure;
+    }
+
+    crv = PK11_DestroyTokenObject(slot,crl->pkcs11ID);
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+	goto loser;
+    }
+    crl->slot = NULL;
+    PK11_FreeSlot(slot);
+loser:
+    return SECSuccess;
+}
+
+/*
+ * return the certificate associated with a derCert 
+ */
+SECItem *
+PK11_FindSMimeProfile(PK11SlotInfo **slot, char *emailAddr,
+				 SECItem *name, SECItem **profileTime)
+{
+    CK_OBJECT_CLASS smimeClass = CKO_NETSCAPE_SMIME;
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_SUBJECT, NULL, 0 },
+	{ CKA_CLASS, NULL, 0 },
+	{ CKA_NETSCAPE_EMAIL, NULL, 0 },
+    };
+    CK_ATTRIBUTE smimeData[] =  {
+	{ CKA_SUBJECT, NULL, 0 },
+	{ CKA_VALUE, NULL, 0 },
+    };
+    /* if you change the array, change the variable below as well */
+    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+    CK_OBJECT_HANDLE smimeh = CK_INVALID_HANDLE;
+    CK_ATTRIBUTE *attrs = theTemplate;
+    CK_RV crv;
+    SECItem *emailProfile = NULL;
+
+    PK11_SETATTRS(attrs, CKA_SUBJECT, name->data, name->len); attrs++;
+    PK11_SETATTRS(attrs, CKA_CLASS, &smimeClass, sizeof(smimeClass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_NETSCAPE_EMAIL, emailAddr, strlen(emailAddr)); 
+								    attrs++;
+
+    if (*slot) {
+    	smimeh = pk11_FindObjectByTemplate(*slot,theTemplate,tsize);
+    } else {
+	PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
+							PR_FALSE,PR_TRUE,NULL);
+	PK11SlotListElement *le;
+
+	/* loop through all the fortezza tokens */
+	for (le = list->head; le; le = le->next) {
+	    smimeh = pk11_FindObjectByTemplate(le->slot,theTemplate,tsize);
+	    if (smimeh != CK_INVALID_HANDLE) {
+		*slot = PK11_ReferenceSlot(le->slot);
+		break;
+	    }
+	}
+	PK11_FreeSlotList(list);
+    }
+    
+    if (smimeh == CK_INVALID_HANDLE) {
+	PORT_SetError(SEC_ERROR_NO_KRL);
+	return NULL;
+    }
+
+    if (profileTime) {
+    	PK11_SETATTRS(smimeData, CKA_NETSCAPE_SMIME_TIMESTAMP, NULL, 0);
+    } 
+    
+    crv = PK11_GetAttributes(NULL,*slot,smimeh,smimeData,2);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError (crv));
+	goto loser;
+    }
+
+    if (!profileTime) {
+	SECItem profileSubject;
+
+	profileSubject.data = smimeData[0].pValue;
+	profileSubject.len = smimeData[0].ulValueLen;
+	if (!SECITEM_ItemsAreEqual(&profileSubject,name)) {
+	    goto loser;
+	}
+    }
+
+    emailProfile = (SECItem *)PORT_ZAlloc(sizeof(SECItem));    
+    if (emailProfile == NULL) {
+	goto loser;
+    }
+
+    emailProfile->data = smimeData[1].pValue;
+    emailProfile->len = smimeData[1].ulValueLen;
+
+    if (profileTime) {
+	*profileTime = (SECItem *)PORT_ZAlloc(sizeof(SECItem));    
+	if (*profileTime) {
+	    (*profileTime)->data = smimeData[0].pValue;
+	    (*profileTime)->len = smimeData[0].ulValueLen;
+	}
+    }
+
+loser:
+    if (emailProfile == NULL) {
+	if (smimeData[1].pValue) {
+	    PORT_Free(smimeData[1].pValue);
+	}
+    }
+    if (profileTime == NULL || *profileTime == NULL) {
+	if (smimeData[0].pValue) {
+	    PORT_Free(smimeData[0].pValue);
+	}
+    }
+    return emailProfile;
+}
+
+
+SECStatus
+PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj,
+				 SECItem *emailProfile,  SECItem *profileTime)
+{
+    CK_OBJECT_CLASS smimeClass = CKO_NETSCAPE_SMIME;
+    CK_BBOOL ck_true = CK_TRUE;
+    CK_ATTRIBUTE theTemplate[] = {
+	{ CKA_CLASS, NULL, 0 },
+	{ CKA_TOKEN, NULL, 0 },
+	{ CKA_SUBJECT, NULL, 0 },
+	{ CKA_NETSCAPE_EMAIL, NULL, 0 },
+	{ CKA_NETSCAPE_SMIME_TIMESTAMP, NULL, 0 },
+	{ CKA_VALUE, NULL, 0 }
+    };
+    /* if you change the array, change the variable below as well */
+    int realSize = 0;
+    CK_OBJECT_HANDLE smimeh = CK_INVALID_HANDLE;
+    CK_ATTRIBUTE *attrs = theTemplate;
+    CK_SESSION_HANDLE rwsession;
+    CK_RV crv;
+#ifdef DEBUG
+    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
+#endif
+
+    PK11_SETATTRS(attrs, CKA_CLASS, &smimeClass, sizeof(smimeClass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_TOKEN, &ck_true, sizeof(ck_true)); attrs++;
+    PK11_SETATTRS(attrs, CKA_SUBJECT, derSubj->data, derSubj->len); attrs++;
+    PK11_SETATTRS(attrs, CKA_NETSCAPE_EMAIL, 
+				emailAddr, PORT_Strlen(emailAddr)+1); attrs++;
+    if (profileTime) {
+	PK11_SETATTRS(attrs, CKA_NETSCAPE_SMIME_TIMESTAMP, profileTime->data,
+	                                            profileTime->len); attrs++;
+	PK11_SETATTRS(attrs, CKA_VALUE,emailProfile->data,
+	                                            emailProfile->len); attrs++;
+    }
+    realSize = attrs - theTemplate;
+    PORT_Assert (realSize <= tsize);
+
+    if (slot == NULL) {
+	slot = PK11_GetInternalKeySlot();
+	/* we need to free the key slot in the end!!! */
+    }
+
+    rwsession = PK11_GetRWSession(slot);
+    if (rwsession == CK_INVALID_SESSION) {
+	PORT_SetError(SEC_ERROR_READ_ONLY);
+	return SECFailure;
+    }
+
+    crv = PK11_GETTAB(slot)->
+                        C_CreateObject(rwsession,theTemplate,realSize,&smimeh);
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+    }
+
+    PK11_RestoreROSession(slot,rwsession);
+    return SECSuccess;
+}
+
+
diff --git a/security/nss/lib/pk11wrap/pk11err.c b/security/nss/lib/pk11wrap/pk11err.c
new file mode 100644
index 000000000..b6846af84
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11err.c
@@ -0,0 +1,147 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/* 
+ * this file maps PKCS11 Errors into SECErrors
+ *  This is an information reducing process, since most errors are reflected
+ *  back to the user (the user doesn't care about invalid flags, or active
+ *  operations). If any of these errors need more detail in the upper layers
+ *  which call PK11 library functions, we can add more SEC_ERROR_XXX functions
+ *  and change there mappings here.
+ */
+#include "pkcs11t.h"
+#include "pk11func.h"
+#include "secerr.h"
+
+#ifdef PK11_ERROR_USE_ARRAY 
+
+/*
+ * build a static array of entries...
+ */
+static struct {
+	CK_RV pk11_error;
+	int   sec_error;
+} pk11_error_map = {
+#define MAPERROR(x,y) {x, y},
+
+#else
+
+/* the default is to use a big switch statement */
+int
+PK11_MapError(CK_RV rv) {
+
+	switch (rv) {
+#define MAPERROR(x,y) case x: return y;
+
+#endif
+
+/* the guts mapping */
+	MAPERROR(CKR_OK, 0)
+	MAPERROR(CKR_CANCEL, SEC_ERROR_IO)
+	MAPERROR(CKR_HOST_MEMORY, SEC_ERROR_NO_MEMORY)
+	MAPERROR(CKR_SLOT_ID_INVALID, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_ATTRIBUTE_READ_ONLY, SEC_ERROR_READ_ONLY)
+	MAPERROR(CKR_ATTRIBUTE_SENSITIVE, SEC_ERROR_IO) /* XX SENSITIVE */
+	MAPERROR(CKR_ATTRIBUTE_TYPE_INVALID, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_ATTRIBUTE_VALUE_INVALID, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_DATA_INVALID, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_DATA_LEN_RANGE, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_DEVICE_ERROR, SEC_ERROR_IO)
+	MAPERROR(CKR_DEVICE_MEMORY, SEC_ERROR_NO_MEMORY)
+	MAPERROR(CKR_DEVICE_REMOVED, SEC_ERROR_NO_TOKEN)
+	MAPERROR(CKR_ENCRYPTED_DATA_INVALID, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_ENCRYPTED_DATA_LEN_RANGE, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_FUNCTION_CANCELED, SEC_ERROR_LIBRARY_FAILURE)
+	MAPERROR(CKR_FUNCTION_NOT_PARALLEL, SEC_ERROR_LIBRARY_FAILURE)
+	MAPERROR(CKR_KEY_HANDLE_INVALID, SEC_ERROR_INVALID_KEY)
+	MAPERROR(CKR_KEY_SIZE_RANGE, SEC_ERROR_INVALID_KEY)
+	MAPERROR(CKR_KEY_TYPE_INCONSISTENT, SEC_ERROR_INVALID_KEY)
+	MAPERROR(CKR_MECHANISM_INVALID, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_MECHANISM_PARAM_INVALID, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_OBJECT_HANDLE_INVALID, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_OPERATION_ACTIVE, SEC_ERROR_LIBRARY_FAILURE)
+	MAPERROR(CKR_OPERATION_NOT_INITIALIZED,SEC_ERROR_LIBRARY_FAILURE )
+	MAPERROR(CKR_PIN_INCORRECT, SEC_ERROR_BAD_PASSWORD)
+	MAPERROR(CKR_PIN_INVALID, SEC_ERROR_BAD_PASSWORD)
+	MAPERROR(CKR_PIN_LEN_RANGE, SEC_ERROR_BAD_PASSWORD)
+	MAPERROR(CKR_SESSION_CLOSED, SEC_ERROR_LIBRARY_FAILURE)
+	MAPERROR(CKR_SESSION_COUNT, SEC_ERROR_NO_MEMORY) /* XXXX? */
+	MAPERROR(CKR_SESSION_HANDLE_INVALID, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_SESSION_PARALLEL_NOT_SUPPORTED, SEC_ERROR_LIBRARY_FAILURE)
+	MAPERROR(CKR_SESSION_READ_ONLY, SEC_ERROR_LIBRARY_FAILURE)
+	MAPERROR(CKR_SIGNATURE_INVALID, SEC_ERROR_BAD_SIGNATURE)
+	MAPERROR(CKR_SIGNATURE_LEN_RANGE, SEC_ERROR_BAD_SIGNATURE)
+	MAPERROR(CKR_TEMPLATE_INCOMPLETE, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_TEMPLATE_INCONSISTENT, SEC_ERROR_BAD_DATA)
+	MAPERROR(CKR_TOKEN_NOT_PRESENT, SEC_ERROR_NO_TOKEN)
+	MAPERROR(CKR_TOKEN_NOT_RECOGNIZED, SEC_ERROR_IO)
+	MAPERROR(CKR_TOKEN_WRITE_PROTECTED, SEC_ERROR_READ_ONLY)
+	MAPERROR(CKR_UNWRAPPING_KEY_HANDLE_INVALID, SEC_ERROR_INVALID_KEY)
+	MAPERROR(CKR_UNWRAPPING_KEY_SIZE_RANGE, SEC_ERROR_INVALID_KEY)
+	MAPERROR(CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT, SEC_ERROR_INVALID_KEY)
+	MAPERROR(CKR_USER_ALREADY_LOGGED_IN, 0)
+	MAPERROR(CKR_USER_NOT_LOGGED_IN, SEC_ERROR_LIBRARY_FAILURE) /* XXXX */
+	MAPERROR(CKR_USER_PIN_NOT_INITIALIZED, SEC_ERROR_NO_TOKEN)
+	MAPERROR(CKR_USER_TYPE_INVALID, SEC_ERROR_LIBRARY_FAILURE)
+	MAPERROR(CKR_WRAPPED_KEY_INVALID, SEC_ERROR_INVALID_KEY)
+	MAPERROR(CKR_WRAPPED_KEY_LEN_RANGE, SEC_ERROR_INVALID_KEY)
+	MAPERROR(CKR_WRAPPING_KEY_HANDLE_INVALID, SEC_ERROR_INVALID_KEY)
+	MAPERROR(CKR_WRAPPING_KEY_SIZE_RANGE, SEC_ERROR_INVALID_KEY)
+	MAPERROR(CKR_WRAPPING_KEY_TYPE_INCONSISTENT, SEC_ERROR_INVALID_KEY)
+	MAPERROR(CKR_VENDOR_DEFINED, SEC_ERROR_LIBRARY_FAILURE)
+
+
+#ifdef PK11_ERROR_USE_ARRAY 
+
+int
+PK11_MapError(CK_RV rv) {
+    int size = sizeof(pk11_error_map)/sizeof(pk11_error_map[0]);
+
+    for (i=0; i < size; i++) {
+	if (pk11_error_map[i].pk11_error == rv) {
+	    return pk11_error_map[i].sec_error;
+	}
+    }
+    return SEC_ERROR_IO;
+ }
+
+
+#else
+
+    default:
+	break;
+    }
+    return SEC_ERROR_IO;
+}
+
+
+#endif
diff --git a/security/nss/lib/pk11wrap/pk11func.h b/security/nss/lib/pk11wrap/pk11func.h
new file mode 100644
index 000000000..61f1fd705
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11func.h
@@ -0,0 +1,550 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * PKCS #11 Wrapper functions which handles authenticating to the card's
+ * choosing the best cards, etc.
+ */
+#ifndef _PK11FUNC_H_
+#define _PK11FUNC_H_
+#include "plarena.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "secdert.h"
+#include "keyt.h"
+#include "certt.h"
+#include "pkcs11t.h"
+#include "secmodt.h"
+#include "seccomon.h"
+#include "pkcs7t.h"
+#include "cmsreclist.h"
+
+SEC_BEGIN_PROTOS
+
+/************************************************************
+ * Generic Slot Lists Management
+ ************************************************************/
+PK11SlotList * PK11_NewSlotList(void);
+void PK11_FreeSlotList(PK11SlotList *list);
+SECStatus PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot);
+SECStatus PK11_DeleteSlotFromList(PK11SlotList *list,PK11SlotListElement *le);
+PK11SlotListElement * PK11_GetFirstSafe(PK11SlotList *list);
+PK11SlotListElement *PK11_GetNextSafe(PK11SlotList *list, 
+				PK11SlotListElement *le, PRBool restart);
+PK11SlotListElement *PK11_FindSlotElement(PK11SlotList *list,
+							PK11SlotInfo *slot);
+
+/************************************************************
+ * Generic Slot Management
+ ************************************************************/
+PK11SlotInfo *PK11_ReferenceSlot(PK11SlotInfo *slot);
+PK11SlotInfo *PK11_FindSlotByID(SECMODModuleID modID,CK_SLOT_ID slotID);
+void PK11_FreeSlot(PK11SlotInfo *slot);
+SECStatus PK11_DestroyObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object);
+SECStatus PK11_DestroyTokenObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object);
+CK_OBJECT_HANDLE PK11_CopyKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE srcObject);
+SECStatus PK11_ReadAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+         CK_ATTRIBUTE_TYPE type, PRArenaPool *arena, SECItem *result);
+CK_ULONG PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+         CK_ATTRIBUTE_TYPE type);
+PK11SlotInfo *PK11_GetInternalKeySlot(void);
+PK11SlotInfo *PK11_GetInternalSlot(void);
+char * PK11_MakeString(PRArenaPool *arena,char *space,char *staticSring,
+								int stringLen);
+int PK11_MapError(CK_RV error);
+CK_SESSION_HANDLE PK11_GetRWSession(PK11SlotInfo *slot);
+void PK11_RestoreROSession(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession);
+PRBool PK11_RWSessionHasLock(PK11SlotInfo *slot,
+					 CK_SESSION_HANDLE session_handle);
+PK11SlotInfo *PK11_NewSlotInfo(void);
+SECStatus PK11_Logout(PK11SlotInfo *slot);
+void PK11_LogoutAll(void);
+void PK11_EnterSlotMonitor(PK11SlotInfo *);
+void PK11_ExitSlotMonitor(PK11SlotInfo *);
+void PK11_CleanKeyList(PK11SlotInfo *slot);
+
+
+/************************************************************
+ *  Slot Password Management
+ ************************************************************/
+void PK11_SetSlotPWValues(PK11SlotInfo *slot,int askpw, int timeout);
+void PK11_GetSlotPWValues(PK11SlotInfo *slot,int *askpw, int *timeout);
+SECStatus PK11_CheckSSOPassword(PK11SlotInfo *slot, char *ssopw);
+SECStatus PK11_CheckUserPassword(PK11SlotInfo *slot,char *pw);
+SECStatus PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx);
+PRBool PK11_IsLoggedIn(PK11SlotInfo *slot, void *wincx);
+SECStatus PK11_VerifyPW(PK11SlotInfo *slot,char *pw);
+SECStatus PK11_InitPin(PK11SlotInfo *slot,char *ssopw, char *pk11_userpwd);
+SECStatus PK11_ChangePW(PK11SlotInfo *slot,char *oldpw, char *newpw);
+void PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx);
+void PK11_SetPasswordFunc(PK11PasswordFunc func);
+void PK11_SetVerifyPasswordFunc(PK11VerifyPasswordFunc func);
+void PK11_SetIsLoggedInFunc(PK11IsLoggedInFunc func);
+int PK11_GetMinimumPwdLength(PK11SlotInfo *slot);
+SECStatus PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd);
+
+/************************************************************
+ * Manage the built-In Slot Lists
+ ************************************************************/
+SECStatus PK11_InitSlotLists(void);
+void PK11_DestroySlotLists(void);
+PK11SlotList *PK11_GetSlotList(CK_MECHANISM_TYPE type);
+void PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count);
+void PK11_ClearSlotList(PK11SlotInfo *slot);
+
+
+/******************************************************************
+ *           Slot initialization
+ ******************************************************************/
+PRBool PK11_VerifyMechanism(PK11SlotInfo *slot,PK11SlotInfo *intern,
+  CK_MECHANISM_TYPE mech, SECItem *data, SECItem *iv);
+PRBool PK11_VerifySlotMechanisms(PK11SlotInfo *slot);
+SECStatus pk11_CheckVerifyTest(PK11SlotInfo *slot);
+SECStatus PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts);
+SECStatus PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx);
+void PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot);
+
+
+/******************************************************************
+ *           Slot info functions
+ ******************************************************************/
+PK11SlotInfo *PK11_FindSlotByName(char *name);
+PK11SlotInfo *PK11_FindSlotBySerial(char *serial);
+PRBool PK11_IsReadOnly(PK11SlotInfo *slot);
+PRBool PK11_IsInternal(PK11SlotInfo *slot);
+char * PK11_GetTokenName(PK11SlotInfo *slot);
+char * PK11_GetSlotName(PK11SlotInfo *slot);
+PRBool PK11_NeedLogin(PK11SlotInfo *slot);
+PRBool PK11_IsFriendly(PK11SlotInfo *slot);
+PRBool PK11_IsHW(PK11SlotInfo *slot);
+PRBool PK11_NeedUserInit(PK11SlotInfo *slot);
+PRBool PK11_ProtectedAuthenticationPath(PK11SlotInfo *slot);
+int PK11_GetSlotSeries(PK11SlotInfo *slot);
+int PK11_GetCurrentWrapIndex(PK11SlotInfo *slot);
+unsigned long PK11_GetDefaultFlags(PK11SlotInfo *slot);
+CK_SLOT_ID PK11_GetSlotID(PK11SlotInfo *slot);
+SECMODModuleID PK11_GetModuleID(PK11SlotInfo *slot);
+SECStatus PK11_GetSlotInfo(PK11SlotInfo *slot, CK_SLOT_INFO *info);
+SECStatus PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info);
+PRBool PK11_IsDisabled(PK11SlotInfo *slot);
+PRBool PK11_HasRootCerts(PK11SlotInfo *slot);
+PK11DisableReasons PK11_GetDisabledReason(PK11SlotInfo *slot);
+/* Prevents the slot from being used, and set disable reason to user-disable */
+/* NOTE: Mechanisms that were ON continue to stay ON */
+/*       Therefore, when the slot is enabled, it will remember */
+/*       what mechanisms needs to be turned on */
+PRBool PK11_UserDisableSlot(PK11SlotInfo *slot);
+/* Allow all mechanisms that are ON before UserDisableSlot() */
+/* was called to be available again */
+PRBool PK11_UserEnableSlot(PK11SlotInfo *slot);
+
+PRBool PK11_NeedPWInit(void);
+PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot);
+PRBool PK11_TokenExists(CK_MECHANISM_TYPE);
+SECStatus PK11_GetModInfo(SECMODModule *mod, CK_INFO *info);
+PRBool PK11_IsFIPS(void);
+SECMODModule *PK11_GetModule(PK11SlotInfo *slot);
+
+/*********************************************************************
+ *            Slot mapping utility functions.
+ *********************************************************************/
+PRBool PK11_IsPresent(PK11SlotInfo *slot);
+PRBool PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
+PK11SlotList * PK11_GetAllTokens(CK_MECHANISM_TYPE type,PRBool needRW,
+					PRBool loadCerts, void *wincx);
+PK11SlotList * PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type,
+						PRBool needRW,void *wincx);
+PK11SlotInfo *PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, int count,
+							void *wincx);
+PK11SlotInfo *PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx);
+CK_MECHANISM_TYPE PK11_GetBestWrapMechanism(PK11SlotInfo *slot);
+int PK11_GetBestKeyLength(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
+
+/*********************************************************************
+ *       Mechanism Mapping functions
+ *********************************************************************/
+void PK11_AddMechanismEntry(CK_MECHANISM_TYPE type, CK_KEY_TYPE key,
+		 	CK_MECHANISM_TYPE keygen, int ivLen, int blocksize);
+CK_MECHANISM_TYPE PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len);
+CK_MECHANISM_TYPE PK11_GetKeyGen(CK_MECHANISM_TYPE type);
+int PK11_GetBlockSize(CK_MECHANISM_TYPE type,SECItem *params);
+int PK11_GetIVLength(CK_MECHANISM_TYPE type);
+SECItem *PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv);
+unsigned char *PK11_IVFromParam(CK_MECHANISM_TYPE type,SECItem *param,int *len);
+SECItem * PK11_BlockData(SECItem *data,unsigned long size);
+
+/* PKCS #11 to DER mapping functions */
+SECItem *PK11_ParamFromAlgid(SECAlgorithmID *algid);
+SECItem *PK11_GenerateNewParam(CK_MECHANISM_TYPE, PK11SymKey *);
+CK_MECHANISM_TYPE PK11_AlgtagToMechanism(SECOidTag algTag);
+SECOidTag PK11_MechanismToAlgtag(CK_MECHANISM_TYPE type);
+SECOidTag PK11_FortezzaMapSig(SECOidTag algTag);
+SECStatus PK11_ParamToAlgid(SECOidTag algtag, SECItem *param,
+                                   PRArenaPool *arena, SECAlgorithmID *algid);
+SECStatus PK11_SeedRandom(PK11SlotInfo *,unsigned char *data,int len);
+SECStatus PK11_RandomUpdate(void *data, size_t bytes);
+SECStatus PK11_GenerateRandom(unsigned char *data,int len);
+CK_RV PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism,
+					    CK_MECHANISM_PTR pCryptoMechanism,
+					    SECItem *pbe_pwd, PRBool bad3DES);
+CK_MECHANISM_TYPE PK11_GetPadMechanism(CK_MECHANISM_TYPE);
+
+/**********************************************************************
+ *                   Symetric, Public, and Private Keys 
+ **********************************************************************/
+PK11SymKey *PK11_CreateSymKey(PK11SlotInfo *slot, 
+					CK_MECHANISM_TYPE type, void *wincx);
+void PK11_FreeSymKey(PK11SymKey *key);
+PK11SymKey *PK11_ReferenceSymKey(PK11SymKey *symKey);
+PK11SymKey *PK11_ImportSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+    PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, void *wincx);
+PK11SymKey *PK11_ImportSymKeyWithFlags(PK11SlotInfo *slot, 
+    CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation, 
+    SECItem *key, CK_FLAGS flags, PRBool isPerm, void *wincx);
+PK11SymKey *PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent,
+    PK11Origin origin, CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID, 
+    PRBool owner, void *wincx);
+PK11SymKey *PK11_GetWrapKey(PK11SlotInfo *slot, int wrap,
+			      CK_MECHANISM_TYPE type,int series, void *wincx);
+void PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey);
+CK_MECHANISM_TYPE PK11_GetMechanism(PK11SymKey *symKey);
+CK_OBJECT_HANDLE PK11_ImportPublicKey(PK11SlotInfo *slot, 
+				SECKEYPublicKey *pubKey, PRBool isToken);
+PK11SymKey *PK11_KeyGen(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
+				SECItem *param,	int keySize,void *wincx);
+PK11SymKey * PK11_ListFixedKeysInSlot(PK11SlotInfo *slot, char *nickname,
+								void *wincx);
+PK11SymKey *PK11_GetNextSymKey(PK11SymKey *symKey);
+
+/* Key Generation specialized for SDR (fixed DES3 key) */
+PK11SymKey *PK11_GenDES3TokenKey(PK11SlotInfo *slot, SECItem *keyid, void *cx);
+
+SECStatus PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
+				PK11SymKey *symKey, SECItem *wrappedKey);
+SECStatus PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *params,
+	 PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey);
+PK11SymKey *PK11_Derive(PK11SymKey *baseKey, CK_MECHANISM_TYPE mechanism,
+   			SECItem *param, CK_MECHANISM_TYPE target, 
+		        CK_ATTRIBUTE_TYPE operation, int keySize);
+PK11SymKey *PK11_DeriveWithFlags( PK11SymKey *baseKey, 
+	CK_MECHANISM_TYPE derive, SECItem *param, CK_MECHANISM_TYPE target, 
+	CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags);
+PK11SymKey *PK11_PubDerive( SECKEYPrivateKey *privKey, 
+ SECKEYPublicKey *pubKey, PRBool isSender, SECItem *randomA, SECItem *randomB,
+ CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
+		 CK_ATTRIBUTE_TYPE operation, int keySize,void *wincx) ;
+PK11SymKey *PK11_UnwrapSymKey(PK11SymKey *key, 
+	CK_MECHANISM_TYPE wraptype, SECItem *param, SECItem *wrapppedKey,  
+	CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
+PK11SymKey *PK11_UnwrapSymKeyWithFlags(PK11SymKey *wrappingKey, 
+	CK_MECHANISM_TYPE wrapType, SECItem *param, SECItem *wrappedKey, 
+	CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize, 
+	CK_FLAGS flags);
+PK11SymKey *PK11_PubUnwrapSymKey(SECKEYPrivateKey *key, SECItem *wrapppedKey,
+	 CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
+PK11SymKey *PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, 
+						SECItem *keyID, void *wincx);
+SECStatus PK11_DeleteTokenPrivateKey(SECKEYPrivateKey *privKey,PRBool force);
+SECStatus PK11_DeleteTokenPublicKey(SECKEYPublicKey *pubKey);
+SECStatus PK11_DeleteTokenSymKey(PK11SymKey *symKey);
+SECStatus PK11_DeleteTokenCertAndKey(CERTCertificate *cert,void *wincx);
+SECKEYPrivateKey * PK11_LoadPrivKey(PK11SlotInfo *slot,
+		SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, 
+					PRBool token, PRBool sensitive);
+SECKEYPublicKey *PK11_ExtractPublicKey(PK11SlotInfo *slot, KeyType keyType,
+					 CK_OBJECT_HANDLE id);
+char * PK11_GetSymKeyNickname(PK11SymKey *symKey);
+char * PK11_GetPrivateKeyNickname(SECKEYPrivateKey *privKey);
+char * PK11_GetPublicKeyNickname(SECKEYPublicKey *pubKey);
+SECStatus PK11_SetSymKeyNickname(PK11SymKey *symKey, const char *nickname);
+SECStatus PK11_SetPrivateKeyNickname(SECKEYPrivateKey *privKey, 
+							const char *nickname);
+SECStatus PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey, 
+							const char *nickname);
+
+/* size to hold key in bytes */
+unsigned int PK11_GetKeyLength(PK11SymKey *key);
+/* size of actual secret parts of key in bits */
+/* algid is because RC4 strength is determined by the effective bits as well
+ * as the key bits */
+unsigned int PK11_GetKeyStrength(PK11SymKey *key,SECAlgorithmID *algid);
+SECStatus PK11_ExtractKeyValue(PK11SymKey *symKey);
+SECItem * PK11_GetKeyData(PK11SymKey *symKey);
+PK11SlotInfo * PK11_GetSlotFromKey(PK11SymKey *symKey);
+void *PK11_GetWindow(PK11SymKey *symKey);
+SECKEYPrivateKey *PK11_GenerateKeyPair(PK11SlotInfo *slot,
+   CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
+		 	    PRBool isPerm, PRBool isSensitive, void *wincx);
+SECKEYPrivateKey *PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType,
+                        PRBool isTemp, CK_OBJECT_HANDLE privID, void *wincx);
+SECKEYPrivateKey * PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot,
+				 	CERTCertificate *cert, void *wincx);
+SECKEYPrivateKey * PK11_FindKeyByAnyCert(CERTCertificate *cert, void *wincx);
+SECKEYPrivateKey * PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID,
+				       void *wincx);
+CK_OBJECT_HANDLE PK11_FindObjectForCert(CERTCertificate *cert,
+					void *wincx, PK11SlotInfo **pSlot);
+int PK11_GetPrivateModulusLen(SECKEYPrivateKey *key); 
+SECStatus PK11_PubDecryptRaw(SECKEYPrivateKey *key, unsigned char *data,
+   unsigned *outLen, unsigned int maxLen, unsigned char *enc, unsigned encLen);
+/* The encrypt version of the above function */
+SECStatus PK11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc,
+                unsigned char *data, unsigned dataLen, void *wincx);
+SECStatus PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot, 
+		SECKEYPrivateKeyInfo *pki, SECItem *nickname,
+		SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
+		unsigned int usage, void *wincx);
+SECStatus PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, 
+		SECKEYPrivateKeyInfo *pki, SECItem *nickname,
+		SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
+		unsigned int usage, SECKEYPrivateKey** privk, void *wincx);
+SECStatus PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot, 
+		SECItem *derPKI, SECItem *nickname,
+		SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
+		unsigned int usage, void *wincx);
+SECStatus PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, 
+		SECItem *derPKI, SECItem *nickname,
+		SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
+		unsigned int usage, SECKEYPrivateKey** privk, void *wincx);
+SECStatus PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot, 
+		SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem, 
+		SECItem *nickname, SECItem *publicValue, PRBool isPerm,
+		PRBool isPrivate, KeyType type, 
+		unsigned int usage, void *wincx);
+SECKEYPrivateKeyInfo *PK11_ExportPrivateKeyInfo(
+		CERTCertificate *cert, void *wincx);
+SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivateKeyInfo(
+		PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem,
+		CERTCertificate *cert, int iteration, void *wincx);
+SECKEYPrivateKey *PK11_FindKeyByDERCert(PK11SlotInfo *slot, 
+					CERTCertificate *cert, void *wincx);
+SECKEYPublicKey *PK11_MakeKEAPubKey(unsigned char *data, int length);
+SECStatus PK11_DigestKey(PK11Context *context, PK11SymKey *key);
+PRBool PK11_VerifyKeyOK(PK11SymKey *key);
+SECKEYPrivateKey *PK11_UnwrapPrivKey(PK11SlotInfo *slot, 
+		PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
+		SECItem *param, SECItem *wrappedKey, SECItem *label, 
+		SECItem *publicValue, PRBool token, PRBool sensitive,
+		CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage, int usageCount,
+		void *wincx);
+SECStatus PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
+			   SECKEYPrivateKey *privKey, CK_MECHANISM_TYPE wrapType,
+			   SECItem *param, SECItem *wrappedKey, void *wincx);
+PK11SymKey * pk11_CopyToSlot(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
+		 	CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey);
+SECItem *PK11_GetKeyIDFromCert(CERTCertificate *cert, void *wincx);
+SECItem * PK11_GetKeyIDFromPrivateKey(SECKEYPrivateKey *key, void *wincx);
+SECItem* PK11_DEREncodePublicKey(SECKEYPublicKey *pubk);
+PK11SymKey* PK11_CopySymKeyForSigning(PK11SymKey *originalKey,
+	CK_MECHANISM_TYPE mech);
+SECKEYPrivateKeyList* PK11_ListPrivKeysInSlot(PK11SlotInfo *slot,
+						 char *nickname, void *wincx);
+SECKEYPublicKeyList* PK11_ListPublicKeysInSlot(PK11SlotInfo *slot,
+							char *nickname);
+SECKEYPQGParams *PK11_GetPQGParamsFromPrivateKey(SECKEYPrivateKey *privKey);
+/* depricated */
+SECKEYPrivateKeyList* PK11_ListPrivateKeysInSlot(PK11SlotInfo *slot);
+
+/**********************************************************************
+ *                   Certs
+ **********************************************************************/
+SECItem *PK11_MakeIDFromPubKey(SECItem *pubKeyData);
+CERTCertificate *PK11_GetCertFromPrivateKey(SECKEYPrivateKey *privKey);
+SECStatus PK11_TraverseSlotCerts(
+     SECStatus(* callback)(CERTCertificate*,SECItem *,void *),
+                                                void *arg, void *wincx);
+SECStatus PK11_TraversePrivateKeysInSlot( PK11SlotInfo *slot,
+    SECStatus(* callback)(SECKEYPrivateKey*, void*), void *arg);
+CERTCertificate * PK11_FindCertFromNickname(char *nickname, void *wincx);
+CERTCertList * PK11_FindCertsFromNickname(char *nickname, void *wincx);
+SECKEYPrivateKey * PK11_FindPrivateKeyFromNickname(char *nickname, void *wincx);
+SECStatus PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert,
+                CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust);
+PK11SlotInfo *PK11_ImportCertForKey(CERTCertificate *cert, char *nickname,
+								void *wincx);
+PK11SlotInfo *PK11_ImportDERCertForKey(SECItem *derCert, char *nickname,
+								void *wincx);
+CK_OBJECT_HANDLE * PK11_FindObjectsFromNickname(char *nickname,
+	PK11SlotInfo **slotptr, CK_OBJECT_CLASS objclass, int *returnCount, 
+								void *wincx);
+PK11SlotInfo *PK11_KeyForCertExists(CERTCertificate *cert,
+					CK_OBJECT_HANDLE *keyPtr, void *wincx);
+PK11SlotInfo *PK11_KeyForDERCertExists(SECItem *derCert,
+					CK_OBJECT_HANDLE *keyPtr, void *wincx);
+CK_OBJECT_HANDLE PK11_MatchItem(PK11SlotInfo *slot,CK_OBJECT_HANDLE peer,
+						CK_OBJECT_CLASS o_class); 
+CERTCertificate * PK11_FindCertByIssuerAndSN(PK11SlotInfo **slot,
+					CERTIssuerAndSN *sn, void *wincx);
+CERTCertificate * PK11_FindCertAndKeyByRecipientList(PK11SlotInfo **slot,
+	SEC_PKCS7RecipientInfo **array, SEC_PKCS7RecipientInfo **rip,
+				SECKEYPrivateKey**privKey, void *wincx);
+int PK11_FindCertAndKeyByRecipientListNew(NSSCMSRecipient **recipientlist,
+				void *wincx);
+CK_BBOOL PK11_HasAttributeSet( PK11SlotInfo *slot,
+			       CK_OBJECT_HANDLE id,
+			       CK_ATTRIBUTE_TYPE type );
+CK_RV PK11_GetAttributes(PRArenaPool *arena,PK11SlotInfo *slot,
+			 CK_OBJECT_HANDLE obj,CK_ATTRIBUTE *attr, int count);
+int PK11_NumberCertsForCertSubject(CERTCertificate *cert);
+SECStatus PK11_TraverseCertsForSubject(CERTCertificate *cert, 
+	SECStatus(*callback)(CERTCertificate *, void *), void *arg);
+SECStatus PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert,
+	PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *),
+	void *arg);
+CERTCertificate *PK11_FindCertFromDERCert(PK11SlotInfo *slot, 
+					  CERTCertificate *cert, void *wincx);
+CERTCertificate *PK11_FindCertFromDERSubjectAndNickname(
+					PK11SlotInfo *slot, 
+					CERTCertificate *cert, char *nickname,
+					void *wincx);
+SECStatus PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert,
+					char *nickname, PRBool addUsage,
+					void *wincx);
+CERTCertificate *PK11_FindBestKEAMatch(CERTCertificate *serverCert,void *wincx);
+SECStatus PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1,
+   PK11SlotInfo *slot2, CERTCertificate **cert1, CERTCertificate **cert2);
+PRBool PK11_FortezzaHasKEA(CERTCertificate *cert);
+CK_OBJECT_HANDLE PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert,
+				     void *wincx);
+SECStatus PK11_TraverseCertsForNicknameInSlot(SECItem *nickname,
+	PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *),
+	void *arg);
+SECStatus PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
+       SECStatus(* callback)(CERTCertificate*, void *), void *arg);
+CERTCertList * PK11_ListCerts(PK11CertListType type, void *pwarg);
+CERTCertList * PK11_ListCertsInSlot(PK11SlotInfo *slot);
+SECStatus PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx);
+
+
+/**********************************************************************
+ *                   Sign/Verify 
+ **********************************************************************/
+int PK11_SignatureLen(SECKEYPrivateKey *key);
+PK11SlotInfo * PK11_GetSlotFromPrivateKey(SECKEYPrivateKey *key);
+SECStatus PK11_Sign(SECKEYPrivateKey *key, SECItem *sig, SECItem *hash);
+SECStatus PK11_VerifyRecover(SECKEYPublicKey *key, SECItem *sig,
+						 SECItem *dsig, void * wincx);
+SECStatus PK11_Verify(SECKEYPublicKey *key, SECItem *sig, 
+						SECItem *hash, void *wincx);
+
+
+
+/**********************************************************************
+ *                   Crypto Contexts
+ **********************************************************************/
+void PK11_DestroyContext(PK11Context *context, PRBool freeit);
+PK11Context * PK11_CreateContextByRawKey(PK11SlotInfo *slot, 
+    CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation,
+			 	SECItem *key, SECItem *param, void *wincx);
+PK11Context *PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type,
+	CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey, SECItem *param);
+PK11Context *PK11_CreateDigestContext(SECOidTag hashAlg);
+PK11Context *PK11_CloneContext(PK11Context *old);
+SECStatus PK11_DigestBegin(PK11Context *cx);
+SECStatus PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, unsigned char *in,
+					int32 len);
+SECStatus PK11_DigestOp(PK11Context *context, const unsigned char *in, 
+                        unsigned len);
+SECStatus PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen, 
+				int maxout, unsigned char *in, int inlen);
+SECStatus PK11_Finalize(PK11Context *context);
+SECStatus PK11_DigestFinal(PK11Context *context, unsigned char *data, 
+				unsigned int *outLen, unsigned int length);
+PRBool PK11_HashOK(SECOidTag hashAlg);
+SECStatus PK11_SaveContext(PK11Context *cx,unsigned char *save,
+						int *len, int saveLength);
+SECStatus PK11_RestoreContext(PK11Context *cx,unsigned char *save,int len);
+SECStatus PK11_GenerateFortezzaIV(PK11SymKey *symKey,unsigned char *iv,int len);
+SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot);
+void PK11_FreeSlotCerts(PK11SlotInfo *slot);
+void PK11_SetFortezzaHack(PK11SymKey *symKey) ;
+
+
+/**********************************************************************
+ *                   PBE functions 
+ **********************************************************************/
+
+/* This function creates PBE parameters from the given inputs.  The result
+ * can be used to create a password integrity key for PKCS#12, by sending
+ * the return value to PK11_KeyGen along with the appropriate mechanism.
+ */
+SECItem * 
+PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations);
+
+/* free params created above (can be called after keygen is done */
+void PK11_DestroyPBEParams(SECItem *params);
+
+SECAlgorithmID *
+PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt);
+PK11SymKey *
+PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid,  SECItem *pwitem,
+	       PRBool faulty3DES, void *wincx);
+PK11SymKey *
+PK11_RawPBEKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *params,
+		SECItem *pwitem, PRBool faulty3DES, void *wincx);
+SECItem *
+PK11_GetPBEIV(SECAlgorithmID *algid, SECItem *pwitem);
+
+/**********************************************************************
+ * New fucntions which are already depricated....
+ **********************************************************************/
+SECItem *
+PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot,
+					CERTCertificate *cert, void *pwarg);
+SECItem *
+PK11_GetLowLevelKeyIDForPrivateKey(SECKEYPrivateKey *key);
+
+SECItem *
+PK11_FindCrlByName(PK11SlotInfo **slot, CK_OBJECT_HANDLE *handle,
+					SECItem *derName, int type, char **url);
+
+CK_OBJECT_HANDLE
+PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl, 
+				SECItem *name, char *url, int type);
+
+SECItem *
+PK11_FindSMimeProfile(PK11SlotInfo **slotp, char *emailAddr, SECItem *derSubj,
+					SECItem **profileTime);
+SECStatus
+PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj,
+			SECItem *emailProfile, SECItem *profileTime);
+
+PRBool SECMOD_HasRootCerts(void);
+
+PRBool PK11_IsPermObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle);
+
+char * PK11_GetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id) ;
+SECStatus PK11_SetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, 
+						const char *nickname) ;
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/pk11wrap/pk11init.h b/security/nss/lib/pk11wrap/pk11init.h
new file mode 100644
index 000000000..b5fa0b4ec
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11init.h
@@ -0,0 +1,63 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * Internal header file included in pk11wrap dir, or in softoken
+ */
+#ifndef _PK11_INIT_H_
+#define _PK11_INIT_H_ 1
+
+/* hold slot default flags until we initialize a slot. This structure is only
+ * useful between the time we define a module (either by hand or from the
+ * database) and the time the module is loaded. Not reference counted  */
+struct PK11PreSlotInfoStr {
+    CK_SLOT_ID slotID;  	/* slot these flags are for */
+    unsigned long defaultFlags; /* bit mask of default implementation this slot
+				 * provides */
+    int askpw;			/* slot specific password bits */
+    long timeout;		/* slot specific timeout value */
+    char hasRootCerts;		/* is this the root cert PKCS #11 module? */
+    char hasRootTrust;		/* is this the root cert PKCS #11 module? */
+};
+
+#define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES]"
+
+#define SECMOD_MAKE_NSS_FLAGS(fips,slot) \
+"Flags=internal,critical"fips" slotparams=("#slot"={"SECMOD_SLOT_FLAGS"})"
+
+#define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
+#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("",1)
+#define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
+#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips",3)
+
+
+#endif /* _PK11_INIT_H_ 1 */
diff --git a/security/nss/lib/pk11wrap/pk11kea.c b/security/nss/lib/pk11wrap/pk11kea.c
new file mode 100644
index 000000000..d6046bd99
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11kea.c
@@ -0,0 +1,228 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * This file implements the Symkey wrapper and the PKCS context
+ * Interfaces.
+ */
+
+#include "seccomon.h"
+#include "secmod.h"
+#include "nssilock.h"
+#include "secmodi.h"
+#include "pkcs11.h"
+#include "pk11func.h"
+#include "secitem.h"
+#include "key.h"
+#include "secasn1.h"
+#include "sechash.h"
+#include "cert.h"
+#include "secerr.h"
+
+/*
+ * find an RSA public key on a card
+ */
+static CK_OBJECT_HANDLE
+pk11_FindRSAPubKey(PK11SlotInfo *slot)
+{
+    CK_KEY_TYPE key_type = CKK_RSA;
+    CK_OBJECT_CLASS class_type = CKO_PUBLIC_KEY;
+    CK_ATTRIBUTE theTemplate[2];
+    int template_count = sizeof(theTemplate)/sizeof(theTemplate[0]);
+    CK_ATTRIBUTE *attrs = theTemplate;
+
+    PK11_SETATTRS(attrs,CKA_CLASS,&class_type,sizeof(class_type)); attrs++;
+    PK11_SETATTRS(attrs,CKA_KEY_TYPE,&key_type,sizeof(key_type)); attrs++;
+    template_count = attrs - theTemplate;
+    PR_ASSERT(template_count <= sizeof(theTemplate)/sizeof(CK_ATTRIBUTE));
+
+    return pk11_FindObjectByTemplate(slot,theTemplate,template_count);
+}
+
+PK11SymKey *
+pk11_KeyExchange(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
+		 	CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey)
+{
+    PK11SymKey *newSymKey = NULL;
+    SECStatus rv;
+    /* performance improvement can go here --- use a generated key to as a
+     * per startup wrapping key. If it exists, use it, otherwise do a full
+     * key exchange. */
+
+    /* find a common Key Exchange algorithm */
+    /* RSA */
+    if (PK11_DoesMechanism(symKey->slot, CKM_RSA_PKCS) && 
+				PK11_DoesMechanism(slot,CKM_RSA_PKCS)) {
+	CK_OBJECT_HANDLE pubKeyHandle = CK_INVALID_HANDLE;
+	CK_OBJECT_HANDLE privKeyHandle = CK_INVALID_HANDLE;
+	SECKEYPublicKey *pubKey = NULL;
+	SECKEYPrivateKey *privKey = NULL;
+	SECItem wrapData;
+
+	wrapData.data = NULL;
+
+	/* find RSA Public Key on target */
+	pubKeyHandle = pk11_FindRSAPubKey(slot);
+	if (pubKeyHandle != CK_INVALID_HANDLE) {
+	    privKeyHandle = PK11_MatchItem(slot,pubKeyHandle,CKO_PRIVATE_KEY);
+	}
+
+	/* if no key exists, generate a key pair */
+	if (privKeyHandle == CK_INVALID_HANDLE) {
+	    unsigned int     symKeyLength = PK11_GetKeyLength(symKey);
+	    PK11RSAGenParams rsaParams;
+
+	    if (symKeyLength > 60) /* bytes */ {
+		/* we'd have to generate an RSA key pair > 512 bits long,
+		** and that's too costly.  Don't even try. 
+		*/
+		PORT_SetError( SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY );
+		goto rsa_failed;
+	    }
+	    rsaParams.keySizeInBits = 
+	        (symKeyLength > 28 || symKeyLength == 0) ? 512 : 256;
+	    rsaParams.pe  = 0x10001;
+	    privKey = PK11_GenerateKeyPair(slot,CKM_RSA_PKCS_KEY_PAIR_GEN, 
+			    &rsaParams, &pubKey,PR_FALSE,PR_TRUE,symKey->cx);
+	} else {
+	    /* if keys exist, build SECKEY data structures for them */
+	    privKey = PK11_MakePrivKey(slot,nullKey, PR_TRUE, privKeyHandle,
+					symKey->cx);
+	    if (privKey != NULL) {
+    		pubKey = PK11_ExtractPublicKey(slot, rsaKey, pubKeyHandle);
+		if (pubKey && pubKey->pkcs11Slot) {
+		    PK11_FreeSlot(pubKey->pkcs11Slot);
+		    pubKey->pkcs11Slot = NULL;
+		    pubKey->pkcs11ID = CK_INVALID_HANDLE;
+		}
+	    }
+	}
+	if (privKey == NULL) goto rsa_failed;
+	if (pubKey == NULL)  goto rsa_failed;
+
+        wrapData.len  = SECKEY_PublicKeyStrength(pubKey);
+        if (!wrapData.len) goto rsa_failed;
+        wrapData.data = PORT_Alloc(wrapData.len);
+        if (wrapData.data == NULL) goto rsa_failed;
+
+	/* now wrap the keys in and out */
+	rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, pubKey, symKey, &wrapData);
+	if (rv == SECSuccess) {
+	    newSymKey = PK11_PubUnwrapSymKey(privKey,&wrapData,type,operation,
+							symKey->size);
+	}
+rsa_failed:
+	if (wrapData.data != NULL) PORT_Free(wrapData.data);
+	if (privKey != NULL) SECKEY_DestroyPrivateKey(privKey);
+	if (pubKey != NULL) SECKEY_DestroyPublicKey(pubKey);
+
+	return  newSymKey;
+    }
+    /* KEA */
+    if (PK11_DoesMechanism(symKey->slot, CKM_KEA_KEY_DERIVE) && 
+				PK11_DoesMechanism(slot,CKM_KEA_KEY_DERIVE)) {
+	CERTCertificate *certSource = NULL;
+	CERTCertificate *certTarget = NULL;
+	SECKEYPublicKey *pubKeySource = NULL;
+	SECKEYPublicKey *pubKeyTarget = NULL;
+	SECKEYPrivateKey *privKeySource = NULL;
+	SECKEYPrivateKey *privKeyTarget = NULL;
+	PK11SymKey *tekSource = NULL;
+	PK11SymKey *tekTarget = NULL;
+	SECItem Ra,wrap;
+
+	/* can only exchange skipjack keys */
+	if (type != CKM_SKIPJACK_CBC64) {
+    	    PORT_SetError( SEC_ERROR_NO_MODULE );
+	    goto kea_failed;
+	}
+
+	/* find a pair of certs we can use */
+	rv = PK11_GetKEAMatchedCerts(symKey->slot,slot,&certSource,&certTarget);
+	if (rv != SECSuccess) goto kea_failed;
+
+	/* get all the key pairs */
+	pubKeyTarget = CERT_ExtractPublicKey(certSource);
+	pubKeySource = CERT_ExtractPublicKey(certTarget);
+	privKeySource = 
+		PK11_FindKeyByDERCert(symKey->slot,certSource,symKey->cx);
+	privKeyTarget = 
+		PK11_FindKeyByDERCert(slot,certTarget,symKey->cx);
+
+	if ((pubKeySource == NULL) || (pubKeyTarget == NULL) ||
+	  (privKeySource == NULL) || (privKeyTarget == NULL)) goto kea_failed;
+
+	/* generate the wrapping TEK's */
+	Ra.data = (unsigned char*)PORT_Alloc(128 /* FORTEZZA RA MAGIC */);
+	Ra.len = 128;
+	if (Ra.data == NULL) goto kea_failed;
+
+	tekSource = PK11_PubDerive(privKeySource,pubKeyTarget,PR_TRUE,&Ra,NULL,
+		CKM_SKIPJACK_WRAP, CKM_KEA_KEY_DERIVE,CKA_WRAP,0,symKey->cx);
+	tekTarget = PK11_PubDerive(privKeyTarget,pubKeySource,PR_FALSE,&Ra,NULL,
+		CKM_SKIPJACK_WRAP, CKM_KEA_KEY_DERIVE,CKA_WRAP,0,symKey->cx);
+	PORT_Free(Ra.data);
+
+	if ((tekSource == NULL) || (tekTarget == NULL)) { goto kea_failed; }
+
+	/* wrap the key out of Source into target */
+	wrap.data = (unsigned char*)PORT_Alloc(12); /* MAGIC SKIPJACK LEN */
+	wrap.len = 12;
+
+	/* paranoia to prevent infinite recursion on bugs */
+	PORT_Assert(tekSource->slot == symKey->slot);
+	if (tekSource->slot != symKey->slot) {
+    	    PORT_SetError( SEC_ERROR_NO_MODULE );
+	    goto kea_failed;
+	}
+
+	rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP,NULL,tekSource,symKey,&wrap);
+	if (rv == SECSuccess) {
+	    newSymKey = PK11_UnwrapSymKey(tekTarget, CKM_SKIPJACK_WRAP, NULL,
+			&wrap, type, operation, symKey->size);
+	}
+	PORT_Free(wrap.data);
+kea_failed:
+	if (certSource == NULL) CERT_DestroyCertificate(certSource);
+	if (certTarget == NULL) CERT_DestroyCertificate(certTarget);
+	if (pubKeySource == NULL) SECKEY_DestroyPublicKey(pubKeySource);
+	if (pubKeyTarget == NULL) SECKEY_DestroyPublicKey(pubKeyTarget);
+	if (privKeySource == NULL) SECKEY_DestroyPrivateKey(privKeySource);
+	if (privKeyTarget == NULL) SECKEY_DestroyPrivateKey(privKeyTarget);
+	if (tekSource == NULL) PK11_FreeSymKey(tekSource);
+	if (tekTarget == NULL) PK11_FreeSymKey(tekTarget);
+	return newSymKey;
+    }
+    PORT_SetError( SEC_ERROR_NO_MODULE );
+    return NULL;
+}
+
diff --git a/security/nss/lib/pk11wrap/pk11list.c b/security/nss/lib/pk11wrap/pk11list.c
new file mode 100644
index 000000000..67bef9573
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11list.c
@@ -0,0 +1,169 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * Locking and queue management primatives
+ *
+ */
+
+#include "seccomon.h"
+#include "nssilock.h"
+#include "prmon.h"
+#include "secmod.h"
+#include "secmodi.h"
+#include "prlong.h"
+
+#define ISREADING 1
+#define ISWRITING 2
+#define WANTWRITE 4
+#define ISLOCKED 3
+
+/*
+ * create a new lock for a Module List
+ */
+SECMODListLock *SECMOD_NewListLock() {
+    SECMODListLock *modLock;
+
+    modLock = (SECMODListLock*)PORT_Alloc(sizeof(SECMODListLock));
+#ifdef PKCS11_USE_THREADS
+    modLock->mutex = NULL;
+    modLock->monitor = PZ_NewMonitor(nssILockList);
+#else
+    modLock->mutex = NULL;
+    modLock->monitor = NULL;
+#endif
+    modLock->state = 0;
+    modLock->count = 0;
+    return modLock;
+}
+
+/*
+ * destroy the lock
+ */
+void SECMOD_DestroyListLock(SECMODListLock *lock) {
+    PK11_USE_THREADS(PZ_DestroyMonitor(lock->monitor);)
+    PORT_Free(lock);
+}
+
+
+/*
+ * Lock the List for Read: NOTE: this assumes the reading isn't so common
+ * the writing will be starved.
+ */
+void SECMOD_GetReadLock(SECMODListLock *modLock) {
+#ifdef PKCS11_USE_THREADS
+    if (modLock == NULL) return;
+    PZ_EnterMonitor(modLock->monitor);
+    while (modLock->state & ISWRITING) {
+	PZ_Wait(modLock->monitor,PR_INTERVAL_NO_TIMEOUT); /* wait until woken up */
+    }
+    modLock->state |= ISREADING;
+    modLock->count++;
+    PZ_ExitMonitor(modLock->monitor);
+#endif
+}
+
+/*
+ * Release the Read lock
+ */
+void SECMOD_ReleaseReadLock(SECMODListLock *modLock) {
+#ifdef PKCS11_USE_THREADS
+    if (modLock == NULL) return;
+    PZ_EnterMonitor(modLock->monitor);
+    modLock->count--;
+    if (modLock->count == 0) {
+	modLock->state &= ~ISREADING;
+	if (modLock->state & WANTWRITE) {
+	    PZ_Notify(modLock->monitor);  /* only one writer at a time */
+	}
+    }
+    PZ_ExitMonitor(modLock->monitor);
+#endif
+}
+
+
+/*
+ * lock the list for Write
+ */
+void SECMOD_GetWriteLock(SECMODListLock *modLock) {
+#ifdef PKCS11_USE_THREADS
+    if (modLock == NULL) return;
+    PZ_EnterMonitor(modLock->monitor);
+    while (modLock->state & ISLOCKED) {
+	modLock->state |= WANTWRITE;
+	PZ_Wait(modLock->monitor,PR_INTERVAL_NO_TIMEOUT); /* wait until woken up */
+    }
+    modLock->state = ISWRITING;
+    PZ_ExitMonitor(modLock->monitor);
+#endif
+}
+
+
+/*
+ * Release the Write Lock: NOTE, this code is pretty inefficient if you have
+ * lots of write collisions.
+ */
+void SECMOD_ReleaseWriteLock(SECMODListLock *modLock) {
+#ifdef PKCS11_USE_THREADS
+    if (modLock == NULL) return;
+    PZ_EnterMonitor(modLock->monitor);
+    modLock->state = 0;
+    PR_NotifyAll(modLock->monitor); /* enable all the readers */
+    PZ_ExitMonitor(modLock->monitor);
+#endif
+}
+
+
+/*
+ * must Hold the Write lock
+ */
+void
+SECMOD_RemoveList(SECMODModuleList **parent, SECMODModuleList *child) {
+    *parent = child->next;
+    child->next = NULL;
+}
+
+/*
+ * if lock is not specified, it must already be held
+ */
+void
+SECMOD_AddList(SECMODModuleList *parent, SECMODModuleList *child, 
+							SECMODListLock *lock) {
+    if (lock) { SECMOD_GetWriteLock(lock); }
+
+    child->next = parent->next;
+    parent->next = child;
+
+   if (lock) { SECMOD_ReleaseWriteLock(lock); }
+}
+
+
diff --git a/security/nss/lib/pk11wrap/pk11load.c b/security/nss/lib/pk11wrap/pk11load.c
new file mode 100644
index 000000000..1711bd3a3
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11load.c
@@ -0,0 +1,304 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * The following handles the loading, unloading and management of
+ * various PCKS #11 modules
+ */
+#include "seccomon.h"
+#include "pkcs11.h"
+#include "secmod.h"
+#include "prlink.h"
+#include "pk11func.h"
+#include "secmodi.h"
+#include "nssilock.h"
+
+extern void FC_GetFunctionList(void);
+extern void NSC_GetFunctionList(void);
+extern void NSC_ModuleDBFunc(void);
+
+
+/* build the PKCS #11 2.01 lock files */
+CK_RV PR_CALLBACK secmodCreateMutext(CK_VOID_PTR_PTR pmutex) {
+    *pmutex = (CK_VOID_PTR) PZ_NewLock(nssILockOther);
+    if ( *pmutex ) return CKR_OK;
+    return CKR_HOST_MEMORY;
+}
+
+CK_RV PR_CALLBACK secmodDestroyMutext(CK_VOID_PTR mutext) {
+    PZ_DestroyLock((PZLock *)mutext);
+    return CKR_OK;
+}
+
+CK_RV PR_CALLBACK secmodLockMutext(CK_VOID_PTR mutext) {
+    PZ_Lock((PZLock *)mutext);
+    return CKR_OK;
+}
+
+CK_RV PR_CALLBACK secmodUnlockMutext(CK_VOID_PTR mutext) {
+    PZ_Unlock((PZLock *)mutext);
+    return CKR_OK;
+}
+
+static SECMODModuleID  nextModuleID = 1;
+static CK_C_INITIALIZE_ARGS secmodLockFunctions = {
+    secmodCreateMutext, secmodDestroyMutext, secmodLockMutext, 
+    secmodUnlockMutext, CKF_LIBRARY_CANT_CREATE_OS_THREADS|
+	CKF_OS_LOCKING_OK
+    ,NULL
+};
+
+/*
+ * set the hasRootCerts flags in the module so it can be stored back
+ * into the database.
+ */
+void
+SECMOD_SetRootCerts(PK11SlotInfo *slot, SECMODModule *mod) {
+    PK11PreSlotInfo *psi = NULL;
+    int i;
+
+    if (slot->hasRootCerts) {
+	for (i=0; i < mod->slotInfoCount; i++) {
+	    if (slot->slotID == mod->slotInfo[i].slotID) {
+		psi = &mod->slotInfo[i];
+		break;
+	    }
+	}
+	if (psi == NULL) {
+	   /* allocate more slots */
+	   PK11PreSlotInfo *psi_list = (PK11PreSlotInfo *)
+		PORT_ArenaAlloc(mod->arena,
+			(mod->slotInfoCount+1)* sizeof(PK11PreSlotInfo));
+	   /* copy the old ones */
+	   if (mod->slotInfoCount > 0) {
+		PORT_Memcpy(psi_list,mod->slotInfo,
+				(mod->slotInfoCount)*sizeof(PK11PreSlotInfo));
+	   }
+	   /* assign psi to the last new slot */
+	   psi = &psi_list[mod->slotInfoCount];
+	   psi->slotID = slot->slotID;
+	   psi->askpw = 0;
+	   psi->timeout = 0;
+	   psi ->defaultFlags = 0;
+
+	   /* increment module count & store new list */
+	   mod->slotInfo = psi_list;
+	   mod->slotInfoCount++;
+	   
+	}
+	psi->hasRootCerts = 1;
+    }
+}
+
+/*
+ * load a new module into our address space and initialize it.
+ */
+SECStatus
+SECMOD_LoadPKCS11Module(SECMODModule *mod) {
+    PRLibrary *library = NULL;
+    CK_C_GetFunctionList entry = NULL;
+    char * full_name;
+    CK_INFO info;
+    CK_ULONG slotCount = 0;
+
+
+    if (mod->loaded) return SECSuccess;
+
+    /* intenal modules get loaded from their internal list */
+    if (mod->internal) {
+	/* internal, statically get the C_GetFunctionList function */
+	if (mod->isFIPS) {
+	    entry = (CK_C_GetFunctionList) FC_GetFunctionList;
+	} else {
+	    entry = (CK_C_GetFunctionList) NSC_GetFunctionList;
+	}
+	if (mod->isModuleDB) {
+	    mod->moduleDBFunc = (void *) NSC_ModuleDBFunc;
+	}
+	if (mod->moduleDBOnly) {
+	    mod->loaded = PR_TRUE;
+	    return SECSuccess;
+	}
+    } else {
+	/* Not internal, load the DLL and look up C_GetFunctionList */
+	if (mod->dllName == NULL) {
+	    return SECFailure;
+	}
+
+#ifdef notdef
+	/* look up the library name */
+	full_name = PR_GetLibraryName(PR_GetLibraryPath(),mod->dllName);
+	if (full_name == NULL) {
+	    return SECFailure;
+	}
+#else
+	full_name = PORT_Strdup(mod->dllName);
+#endif
+
+	/* load the library. If this succeeds, then we have to remember to
+	 * unload the library if anything goes wrong from here on out...
+	 */
+	library = PR_LoadLibrary(full_name);
+	mod->library = (void *)library;
+	PORT_Free(full_name);
+	if (library == NULL) {
+	    return SECFailure;
+	}
+
+	/*
+	 * now we need to get the entry point to find the function pointers
+	 */
+	if (!mod->moduleDBOnly) {
+	    entry = (CK_C_GetFunctionList)
+			PR_FindSymbol(library, "C_GetFunctionList");
+	}
+	if (mod->isModuleDB) {
+	    mod->moduleDBFunc = (void *)
+			PR_FindSymbol(library, "NSS_ReturnModuleSpecData");
+	}
+	if (mod->moduleDBFunc == NULL) mod->isModuleDB = PR_FALSE;
+	if (entry == NULL) {
+	    if (mod->isModuleDB) {
+		mod->loaded = PR_TRUE;
+		mod->moduleDBOnly = PR_TRUE;
+		return SECSuccess;
+	    }
+	    PR_UnloadLibrary(library);
+	    return SECFailure;
+	}
+    }
+
+    /*
+     * We need to get the function list
+     */
+    if ((*entry)((CK_FUNCTION_LIST_PTR *)&mod->functionList) != CKR_OK) 
+								goto fail;
+
+    mod->isThreadSafe = PR_TRUE;
+    /* Now we initialize the module */
+    if (mod->libraryParams) {
+	secmodLockFunctions.LibraryParameters = (void *) mod->libraryParams;
+    } else {
+	secmodLockFunctions.LibraryParameters = NULL;
+    }
+    if (PK11_GETTAB(mod)->C_Initialize(&secmodLockFunctions) != CKR_OK) {
+	mod->isThreadSafe = PR_FALSE;
+    	if (PK11_GETTAB(mod)->C_Initialize(NULL) != CKR_OK) goto fail;
+    }
+
+    /* check the version number */
+    if (PK11_GETTAB(mod)->C_GetInfo(&info) != CKR_OK) goto fail2;
+    if (info.cryptokiVersion.major != 2) goto fail2;
+    /* all 2.0 are a priori *not* thread safe */
+    if (info.cryptokiVersion.minor < 1) mod->isThreadSafe = PR_FALSE;
+
+
+    /* If we don't have a common name, get it from the PKCS 11 module */
+    if ((mod->commonName == NULL) || (mod->commonName[0] == 0)) {
+	mod->commonName = PK11_MakeString(mod->arena,NULL,
+	   (char *)info.libraryDescription, sizeof(info.libraryDescription));
+	if (mod->commonName == NULL) goto fail2;
+    }
+    
+
+    /* initialize the Slots */
+    if (PK11_GETTAB(mod)->C_GetSlotList(CK_FALSE, NULL, &slotCount) == CKR_OK) {
+	CK_SLOT_ID *slotIDs;
+	int i;
+	CK_RV rv;
+
+	mod->slots = (PK11SlotInfo **)PORT_ArenaAlloc(mod->arena,
+					sizeof(PK11SlotInfo *) * slotCount);
+	if (mod->slots == NULL) goto fail2;
+
+	slotIDs = (CK_SLOT_ID *) PORT_Alloc(sizeof(CK_SLOT_ID)*slotCount);
+	if (slotIDs == NULL) {
+	    goto fail2;
+	}  
+	rv = PK11_GETTAB(mod)->C_GetSlotList(CK_FALSE, slotIDs, &slotCount);
+	if (rv != CKR_OK) {
+	    PORT_Free(slotIDs);
+	    goto fail2;
+	}
+
+	/* Initialize each slot */
+	for (i=0; i < (int)slotCount; i++) {
+	    mod->slots[i] = PK11_NewSlotInfo();
+	    PK11_InitSlot(mod,slotIDs[i],mod->slots[i]);
+	    /* look down the slot info table */
+	    PK11_LoadSlotList(mod->slots[i],mod->slotInfo,mod->slotInfoCount);
+	    SECMOD_SetRootCerts(mod->slots[i],mod);
+	}
+	mod->slotCount = slotCount;
+	mod->slotInfoCount = 0;
+	PORT_Free(slotIDs);
+    }
+    
+    mod->loaded = PR_TRUE;
+    mod->moduleID = nextModuleID++;
+    return SECSuccess;
+fail2:
+    PK11_GETTAB(mod)->C_Finalize(NULL);
+fail:
+    mod->functionList = NULL;
+    if (library) PR_UnloadLibrary(library);
+    return SECFailure;
+}
+
+SECStatus
+SECMOD_UnloadModule(SECMODModule *mod) {
+    PRLibrary *library;
+
+    if (!mod->loaded) {
+	return SECFailure;
+    }
+
+    if (!mod->moduleDBOnly) PK11_GETTAB(mod)->C_Finalize(NULL);
+    mod->moduleID = 0;
+    mod->loaded = PR_FALSE;
+    
+    /* do we want the semantics to allow unloading the internal library?
+     * if not, we should change this to SECFailure and move it above the
+     * mod->loaded = PR_FALSE; */
+    if (mod->internal) {
+	return SECSuccess;
+    }
+
+    library = (PRLibrary *)mod->library;
+    /* paranoia */
+    if (library == NULL) {
+	return SECFailure;
+    }
+
+    PR_UnloadLibrary(library);
+    return SECSuccess;
+}
diff --git a/security/nss/lib/pk11wrap/pk11pars.c b/security/nss/lib/pk11wrap/pk11pars.c
new file mode 100644
index 000000000..13315f18c
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11pars.c
@@ -0,0 +1,394 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 2001 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * The following handles the loading, unloading and management of
+ * various PCKS #11 modules
+ */
+
+#include <ctype.h>
+#include "pkcs11.h"
+#include "seccomon.h"
+#include "secmod.h"
+#include "secmodi.h"
+   
+#include "pk11pars.h" 
+
+/* create a new module */
+static  SECMODModule *
+secmod_NewModule(void)
+{
+    SECMODModule *newMod;
+    PRArenaPool *arena;
+
+
+    /* create an arena in which dllName and commonName can be
+     * allocated.
+     */
+    arena = PORT_NewArena(512);
+    if (arena == NULL) {
+	return NULL;
+    }
+
+    newMod = (SECMODModule *)PORT_ArenaAlloc(arena,sizeof (SECMODModule));
+    if (newMod == NULL) {
+	PORT_FreeArena(arena,PR_FALSE);
+	return NULL;
+    }
+
+    /*
+     * initialize of the fields of the module
+     */
+    newMod->arena = arena;
+    newMod->internal = PR_FALSE;
+    newMod->loaded = PR_FALSE;
+    newMod->isFIPS = PR_FALSE;
+    newMod->dllName = NULL;
+    newMod->commonName = NULL;
+    newMod->library = NULL;
+    newMod->functionList = NULL;
+    newMod->slotCount = 0;
+    newMod->slots = NULL;
+    newMod->slotInfo = NULL;
+    newMod->slotInfoCount = 0;
+    newMod->refCount = 1;
+    newMod->ssl[0] = 0;
+    newMod->ssl[1] = 0;
+    newMod->libraryParams = NULL;
+    newMod->moduleDBFunc = NULL;
+    newMod->parent = NULL;
+    newMod->isCritical = PR_FALSE;
+    newMod->isModuleDB = PR_FALSE;
+    newMod->moduleDBOnly = PR_FALSE;
+    newMod->trustOrder = 0;
+    newMod->cipherOrder = 0;
+#ifdef PKCS11_USE_THREADS
+    newMod->refLock = (void *)PZ_NewLock(nssILockRefLock);
+    if (newMod->refLock == NULL) {
+	PORT_FreeArena(arena,PR_FALSE);
+	return NULL;
+    }
+#else
+    newMod->refLock = NULL;
+#endif
+    return newMod;
+    
+}
+
+/*
+ * for 3.4 we continue to use the old SECMODModule structure
+ */
+SECMODModule *
+SECMOD_CreateModule(char *library, char *moduleName, char *parameters, char *nss)
+{
+    SECMODModule *mod = secmod_NewModule();
+    char *slotParams,*ciphers;
+    if (mod == NULL) return NULL;
+
+    mod->commonName = PORT_ArenaStrdup(mod->arena,moduleName ? moduleName : "");
+    if (library) {
+	mod->dllName = PORT_ArenaStrdup(mod->arena,library);
+    }
+    /* new field */
+    if (parameters) {
+	mod->libraryParams = PORT_ArenaStrdup(mod->arena,parameters);
+    }
+    mod->internal = pk11_argHasFlag("flags","internal",nss);
+    mod->isFIPS = pk11_argHasFlag("flags","FIPS",nss);
+    mod->isCritical = pk11_argHasFlag("flags","critical",nss);
+    slotParams = pk11_argGetParamValue("slotParams",nss);
+    mod->slotInfo = pk11_argParseSlotInfo(mod->arena,slotParams,
+							&mod->slotInfoCount);
+    if (slotParams) PORT_Free(slotParams);
+    /* new field */
+    mod->trustOrder = pk11_argReadLong("trustOrder",nss,
+						PK11_DEFAULT_TRUST_ORDER,NULL);
+    /* new field */
+    mod->cipherOrder = pk11_argReadLong("cipherOrder",nss,
+						PK11_DEFAULT_CIPHER_ORDER,NULL);
+    /* new field */
+    mod->isModuleDB = pk11_argHasFlag("flags","moduleDB",nss);
+    mod->moduleDBOnly = pk11_argHasFlag("flags","moduleDBOnly",nss);
+    if (mod->moduleDBOnly) mod->isModuleDB = PR_TRUE;
+
+    ciphers = pk11_argGetParamValue("ciphers",nss);
+    pk11_argSetNewCipherFlags(&mod->ssl[0],ciphers);
+    if (ciphers) PORT_Free(ciphers);
+
+    return mod;
+}
+
+static char *
+pk11_mkModuleSpec(SECMODModule * module)
+{
+    char *nss = NULL, *modSpec = NULL, **slotStrings = NULL;
+    int slotCount, i, si;
+
+    /* allocate target slot info strings */
+    slotCount = 0;
+    if (module->slotCount) {
+	for (i=0; i < module->slotCount; i++) {
+	    if (module->slots[i]->defaultFlags !=0) {
+		slotCount++;
+	    }
+	}
+    } else {
+	slotCount = module->slotInfoCount;
+    }
+
+    slotStrings = (char **)PORT_ZAlloc(slotCount*sizeof(char *));
+    if (slotStrings == NULL) {
+	goto loser;
+    }
+
+
+    /* build the slot info strings */
+    if (module->slotCount) {
+	for (i=0, si= 0; i < module->slotCount; i++) {
+	    if (module->slots[i]->defaultFlags) {
+		PORT_Assert(si < slotCount);
+		if (si >= slotCount) break;
+		slotStrings[si] = pk11_mkSlotString(module->slots[i]->slotID,
+			module->slots[i]->defaultFlags,
+			module->slots[i]->timeout,
+			module->slots[i]->askpw,
+			module->slots[i]->hasRootCerts,
+			module->slots[i]->hasRootTrust);
+		si++;
+	    }
+	}
+     } else {
+	for (i=0; i < slotCount; i++) {
+		slotStrings[i] = pk11_mkSlotString(module->slotInfo[i].slotID,
+			module->slotInfo[i].defaultFlags,
+			module->slotInfo[i].timeout,
+			module->slotInfo[i].askpw,
+			module->slotInfo[i].hasRootCerts,
+			module->slotInfo[i].hasRootTrust);
+	}
+    }
+
+    nss = pk11_mkNSS(slotStrings,slotCount,module->internal, module->isFIPS,
+	module->isModuleDB, module->moduleDBOnly, module->isCritical,
+	module->trustOrder,module->cipherOrder,module->ssl[0],module->ssl[1]);
+    modSpec= pk11_mkNewModuleSpec(module->dllName,module->commonName,
+						module->libraryParams,nss);
+    PORT_Free(slotStrings);
+    PR_smprintf_free(nss);
+loser:
+    return (modSpec);
+}
+    
+
+char **
+SECMOD_GetModuleSpecList(SECMODModule *module)
+{
+    SECMODModuleDBFunc func = (SECMODModuleDBFunc) module->moduleDBFunc;
+    if (func) {
+	return (*func)(SECMOD_MODULE_DB_FUNCTION_FIND,
+		module->libraryParams,NULL);
+    }
+    return NULL;
+}
+
+SECStatus
+SECMOD_AddPermDB(SECMODModule *module)
+{
+    SECMODModuleDBFunc func;
+    char *moduleSpec;
+    char **retString;
+
+    if (module->parent == NULL) return SECFailure;
+
+    func  = (SECMODModuleDBFunc) module->parent->moduleDBFunc;
+    if (func) {
+	moduleSpec = pk11_mkModuleSpec(module);
+	retString = (*func)(SECMOD_MODULE_DB_FUNCTION_ADD,
+		module->parent->libraryParams,moduleSpec);
+	PORT_Free(moduleSpec);
+	if (retString != NULL) return SECSuccess;
+    }
+    return SECFailure;
+}
+
+SECStatus
+SECMOD_DeletePermDB(SECMODModule *module)
+{
+    SECMODModuleDBFunc func;
+    char *moduleSpec;
+    char **retString;
+
+    if (module->parent == NULL) return SECFailure;
+
+    func  = (SECMODModuleDBFunc) module->parent->moduleDBFunc;
+    if (func) {
+	moduleSpec = pk11_mkModuleSpec(module);
+	retString = (*func)(SECMOD_MODULE_DB_FUNCTION_DEL,
+		module->parent->libraryParams,moduleSpec);
+	PORT_Free(moduleSpec);
+	if (retString != NULL) return SECSuccess;
+    }
+    return SECFailure;
+}
+
+SECStatus
+SECMOD_FreeModuleSpecList(SECMODModule *parent, char **moduleSpecList)
+{
+    char ** index;
+
+    for(index = moduleSpecList; *index; index++) {
+	PORT_Free(*index);
+    }
+    PORT_Free(moduleSpecList);
+    return SECSuccess;
+}
+
+/* internal function that loads a PKCS#11 module but does not add it to the
+   default NSS trust domain */
+
+SECMODModule *
+SECMOD_LoadModule(char *modulespec,SECMODModule *parent, PRBool recurse)
+{
+    char *library = NULL, *moduleName = NULL, *parameters = NULL, *nss= NULL;
+    SECStatus status;
+    SECMODModule *module = NULL;
+    SECStatus rv;
+
+    /* initialize the underlying module structures */
+    SECMOD_Init();
+
+    status = pk11_argParseModuleSpec(modulespec, &library, &moduleName, 
+							&parameters, &nss);
+    if (status != SECSuccess) {
+	goto loser;
+    }
+
+    module = SECMOD_CreateModule(library, moduleName, parameters, nss);
+    if (library) PORT_Free(library);
+    if (moduleName) PORT_Free(moduleName);
+    if (parameters) PORT_Free(parameters);
+    if (nss) PORT_Free(nss);
+
+    /* load it */
+    rv = SECMOD_LoadPKCS11Module(module);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    if (recurse && module->isModuleDB) {
+	char ** moduleSpecList;
+	char **index;
+
+	moduleSpecList = SECMOD_GetModuleSpecList(module);
+
+	for (index = moduleSpecList; index && *index; index++) {
+	    SECMODModule *child;
+	    child = SECMOD_LoadModule(*index,module,PR_TRUE);
+	    if (!child) break;
+	    if (child->isCritical && !child->loaded) {
+		rv = SECFailure;
+		SECMOD_DestroyModule(child);
+		break;
+	    }
+	    SECMOD_DestroyModule(child);
+	}
+
+	SECMOD_FreeModuleSpecList(module,moduleSpecList);
+    }
+
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    if (parent) {
+    	module->parent = SECMOD_ReferenceModule(parent);
+    }
+
+    /* inherit the reference */
+    if (!module->moduleDBOnly) {
+	SECMOD_AddModuleToList(module);
+    } else {
+	SECMOD_AddModuleToDBOnlyList(module);
+    }
+   
+    /* handle any additional work here */
+    return module;
+
+loser:
+    if (module) {
+	if (module->loaded) {
+	    SECMOD_UnloadModule(module);
+	}
+	SECMOD_AddModuleToUnloadList(module);
+    }
+    return module;
+}
+
+/* exported function that loads a PKCS#11 module and adds it to the default
+   NSS trust domain */
+
+SECMODModule *
+SECMOD_LoadUserModule(char *modulespec,SECMODModule *parent, PRBool recurse)
+{
+    SECStatus rv = SECSuccess;
+    SECMODModule * newmod = SECMOD_LoadModule(modulespec, parent, recurse);
+    if (newmod)
+    {
+        rv = STAN_AddModuleToDefaultTrustDomain(newmod);
+        if (SECSuccess != rv)
+        {
+            SECMOD_DestroyModule(newmod);
+            return NULL;
+        }
+    }
+    return newmod;
+}
+
+/* exported call that removes the PKCS#11 module from the default NSS trust
+   domain, call C_Finalize, and destroy the module structure */
+
+SECStatus SECMOD_UnloadUserModule(SECMODModule *mod)
+{
+    SECStatus rv = SECSuccess;
+    int atype = 0;
+    if (!mod)
+    {
+        return SECFailure;
+    }
+    rv = STAN_RemoveModuleFromDefaultTrustDomain(mod);
+    if (SECSuccess != rv)
+    {
+        return SECFailure;
+    }
+    return SECMOD_DeleteModuleEx(NULL, mod, &atype, PR_FALSE);
+}
+
diff --git a/security/nss/lib/pk11wrap/pk11pbe.c b/security/nss/lib/pk11wrap/pk11pbe.c
new file mode 100644
index 000000000..71548a07a
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11pbe.c
@@ -0,0 +1,680 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "plarena.h"
+
+#include "seccomon.h"
+#include "secitem.h"
+#include "secport.h"
+#include "hasht.h"
+#include "pkcs11t.h"
+#include "sechash.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "secoid.h"
+#include "alghmac.h"
+#include "secerr.h"
+#include "secmod.h"
+#include "pk11func.h"
+#include "secpkcs5.h"
+
+typedef struct SEC_PKCS5PBEParameterStr SEC_PKCS5PBEParameter;
+struct SEC_PKCS5PBEParameterStr {
+    PRArenaPool *poolp;
+    SECItem     salt;           /* octet string */
+    SECItem     iteration;      /* integer */
+};
+
+
+/* template for PKCS 5 PBE Parameter.  This template has been expanded
+ * based upon the additions in PKCS 12.  This should eventually be moved
+ * if RSA updates PKCS 5.
+ */
+const SEC_ASN1Template SEC_PKCS5PBEParameterTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 
+	0, NULL, sizeof(SEC_PKCS5PBEParameter) },
+    { SEC_ASN1_OCTET_STRING, 
+	offsetof(SEC_PKCS5PBEParameter, salt) },
+    { SEC_ASN1_INTEGER,
+	offsetof(SEC_PKCS5PBEParameter, iteration) },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_V2PKCS12PBEParameterTemplate[] =
+{   
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS5PBEParameter) },
+    { SEC_ASN1_OCTET_STRING, offsetof(SEC_PKCS5PBEParameter, salt) },
+    { SEC_ASN1_INTEGER, offsetof(SEC_PKCS5PBEParameter, iteration) },
+    { 0 }
+};
+
+/* maps crypto algorithm from PBE algorithm.
+ */
+SECOidTag 
+SEC_PKCS5GetCryptoAlgorithm(SECAlgorithmID *algid)
+{
+
+    SECOidTag algorithm;
+
+    if(algid == NULL)
+	return SEC_OID_UNKNOWN;
+
+    algorithm = SECOID_GetAlgorithmTag(algid);
+    switch(algorithm)
+    {
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
+	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC:
+	    return SEC_OID_DES_EDE3_CBC;
+	case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC:
+	case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
+	case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
+	    return SEC_OID_DES_CBC;
+	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
+	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
+	    return SEC_OID_RC2_CBC;
+	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4:
+	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4:
+	    return SEC_OID_RC4;
+	default:
+	    break;
+    }
+
+    return SEC_OID_UNKNOWN;
+}
+
+/* check to see if an oid is a pbe algorithm
+ */ 
+PRBool 
+SEC_PKCS5IsAlgorithmPBEAlg(SECAlgorithmID *algid)
+{
+    return (PRBool)(SEC_PKCS5GetCryptoAlgorithm(algid) != SEC_OID_UNKNOWN);
+}
+
+/* maps PBE algorithm from crypto algorithm, assumes SHA1 hashing.
+ */
+SECOidTag 
+SEC_PKCS5GetPBEAlgorithm(SECOidTag algTag, int keyLen)
+{
+    switch(algTag)
+    {
+	case SEC_OID_DES_EDE3_CBC:
+	    switch(keyLen) {
+		case 168:
+		case 192:
+		    return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC;
+		case 128:
+		case 92:
+		    return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC;
+		default:
+		    break;
+	    }
+	    break;
+	case SEC_OID_DES_CBC:
+	    return SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC;
+	case SEC_OID_RC2_CBC:
+	    switch(keyLen) {
+		case 40:
+		    return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
+		case 128:
+		    return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC;
+		default:
+		    break;
+	    }
+	    break;
+	case SEC_OID_RC4:
+	    switch(keyLen) {
+		case 40:
+		    return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4;
+		case 128:
+		    return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4;
+		default:
+		    break;
+	    }
+	    break;
+	default:
+	    break;
+    }
+
+    return SEC_OID_UNKNOWN;
+}
+
+
+/* get the key length needed for the PBE algorithm
+ */
+
+int 
+SEC_PKCS5GetKeyLength(SECAlgorithmID *algid)
+{
+
+    SECOidTag algorithm;
+
+    if(algid == NULL)
+	return SEC_OID_UNKNOWN;
+
+    algorithm = SECOID_GetAlgorithmTag(algid);
+
+    switch(algorithm)
+    {
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
+	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
+	    return 24;
+	case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
+	case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC:
+	case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
+	    return 8;
+	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
+	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
+	    return 5;
+	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
+	case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
+	    return 16;
+	default:
+	    break;
+    }
+    return -1;
+}
+
+
+/* the V2 algorithms only encode the salt, there is no iteration
+ * count so we need a check for V2 algorithm parameters.
+ */
+static PRBool
+sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(SECOidTag algorithm)
+{
+    switch(algorithm) 
+    {
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
+	case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
+	    return PR_TRUE;
+	default:
+	    break;
+    }
+
+    return PR_FALSE;
+}
+/* destroy a pbe parameter.  it assumes that the parameter was 
+ * generated using the appropriate create function and therefor
+ * contains an arena pool.
+ */
+static void 
+sec_pkcs5_destroy_pbe_param(SEC_PKCS5PBEParameter *pbe_param)
+{
+    if(pbe_param != NULL)
+	PORT_FreeArena(pbe_param->poolp, PR_TRUE);
+}
+
+/* creates a PBE parameter based on the PBE algorithm.  the only required
+ * parameters are algorithm and interation.  the return is a PBE parameter
+ * which conforms to PKCS 5 parameter unless an extended parameter is needed.
+ * this is primarily if keyLen and a variable key length algorithm are
+ * specified.
+ *   salt -  if null, a salt will be generated from random bytes.
+ *   iteration - number of iterations to perform hashing.
+ *   keyLen - only used in variable key length algorithms
+ *   iv - if null, the IV will be generated based on PKCS 5 when needed.
+ *   params - optional, currently unsupported additional parameters.
+ * once a parameter is allocated, it should be destroyed calling 
+ * sec_pkcs5_destroy_pbe_parameter or SEC_PKCS5DestroyPBEParameter.
+ */
+#define DEFAULT_SALT_LENGTH 16
+static SEC_PKCS5PBEParameter *
+sec_pkcs5_create_pbe_parameter(SECOidTag algorithm, 
+			SECItem *salt, 
+			int iteration)
+{
+    PRArenaPool *poolp = NULL;
+    SEC_PKCS5PBEParameter *pbe_param = NULL;
+    SECStatus rv= SECSuccess; 
+    void *dummy = NULL;
+
+    if(iteration < 0) {
+	return NULL;
+    }
+
+    poolp = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if(poolp == NULL)
+	return NULL;
+
+    pbe_param = (SEC_PKCS5PBEParameter *)PORT_ArenaZAlloc(poolp,
+	sizeof(SEC_PKCS5PBEParameter));
+    if(!pbe_param) {
+	PORT_FreeArena(poolp, PR_TRUE);
+	return NULL;
+    }
+
+    pbe_param->poolp = poolp;
+
+    rv = SECFailure;
+    if (salt && salt->data) {
+    	rv = SECITEM_CopyItem(poolp, &pbe_param->salt, salt);
+    } else {
+	/* sigh, the old interface generated salt on the fly, so we have to
+	 * preserve the semantics */
+	pbe_param->salt.len = DEFAULT_SALT_LENGTH;
+	pbe_param->salt.data = PORT_ArenaZAlloc(poolp,DEFAULT_SALT_LENGTH);
+	if (pbe_param->salt.data) {
+	   rv = PK11_GenerateRandom(pbe_param->salt.data,DEFAULT_SALT_LENGTH);
+	}
+    }
+
+    if(rv != SECSuccess) {
+	PORT_FreeArena(poolp, PR_TRUE);
+	return NULL;
+    }
+
+    /* encode the integer */
+    dummy = SEC_ASN1EncodeInteger(poolp, &pbe_param->iteration, 
+		iteration);
+    rv = (dummy) ? SECSuccess : SECFailure;
+
+    if(rv != SECSuccess) {
+	PORT_FreeArena(poolp, PR_FALSE);
+	return NULL;
+    }
+
+    return pbe_param;
+}
+
+/* creates a algorithm ID containing the PBE algorithm and appropriate
+ * parameters.  the required parameter is the algorithm.  if salt is
+ * not specified, it is generated randomly.  if IV is specified, it overrides
+ * the PKCS 5 generation of the IV.  
+ *
+ * the returned SECAlgorithmID should be destroyed using 
+ * SECOID_DestroyAlgorithmID
+ */
+SECAlgorithmID *
+SEC_PKCS5CreateAlgorithmID(SECOidTag algorithm, 
+			   SECItem *salt, 
+			   int iteration)
+{
+    PRArenaPool *poolp = NULL;
+    SECAlgorithmID *algid, *ret_algid;
+    SECItem der_param;
+    SECStatus rv = SECFailure;
+    SEC_PKCS5PBEParameter *pbe_param;
+
+    if(iteration <= 0) {
+	return NULL;
+    }
+
+    der_param.data = NULL;
+    der_param.len = 0;
+
+    /* generate the parameter */
+    pbe_param = sec_pkcs5_create_pbe_parameter(algorithm, salt, iteration);
+    if(!pbe_param) {
+	return NULL;
+    }
+
+    poolp = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if(!poolp) {
+	sec_pkcs5_destroy_pbe_param(pbe_param);
+	return NULL;
+    }
+
+    /* generate the algorithm id */
+    algid = (SECAlgorithmID *)PORT_ArenaZAlloc(poolp, sizeof(SECAlgorithmID));
+    if(algid != NULL) {
+	void *dummy;
+	if(!sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(algorithm)) {
+	    dummy = SEC_ASN1EncodeItem(poolp, &der_param, pbe_param,
+					SEC_PKCS5PBEParameterTemplate);
+	} else {
+	    dummy = SEC_ASN1EncodeItem(poolp, &der_param, pbe_param,
+	    				SEC_V2PKCS12PBEParameterTemplate);
+	}
+	
+	if(dummy) {
+	    rv = SECOID_SetAlgorithmID(poolp, algid, algorithm, &der_param);
+	}
+    }
+
+    ret_algid = NULL;
+    if(algid != NULL) {
+	ret_algid = (SECAlgorithmID *)PORT_ZAlloc(sizeof(SECAlgorithmID));
+	if(ret_algid != NULL) {
+	    rv = SECOID_CopyAlgorithmID(NULL, ret_algid, algid);
+	    if(rv != SECSuccess) {
+		SECOID_DestroyAlgorithmID(ret_algid, PR_TRUE);
+		ret_algid = NULL;
+	    }
+	}
+    }
+	
+    if(poolp != NULL) {
+	PORT_FreeArena(poolp, PR_TRUE);
+	algid = NULL;
+    }
+
+    sec_pkcs5_destroy_pbe_param(pbe_param);
+
+    return ret_algid;
+}
+
+SECStatus
+pbe_PK11AlgidToParam(SECAlgorithmID *algid,SECItem *mech)
+{
+    CK_PBE_PARAMS *pbe_params = NULL;
+    SEC_PKCS5PBEParameter p5_param;
+    SECItem *salt = NULL;
+    SECOidTag algorithm = SECOID_GetAlgorithmTag(algid);
+    PRArenaPool *arena = NULL;
+    SECStatus rv = SECFailure;
+    int iv_len;
+    
+
+    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if (arena == NULL) {
+	goto loser;
+    }
+    iv_len = PK11_GetIVLength(PK11_AlgtagToMechanism(algorithm));
+    if (iv_len < 0) {
+	goto loser;
+    }
+
+    if (sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(algorithm)) {
+        rv = SEC_ASN1DecodeItem(arena, &p5_param,
+			 SEC_V2PKCS12PBEParameterTemplate, &algid->parameters);
+    } else {
+        rv = SEC_ASN1DecodeItem(arena,&p5_param,SEC_PKCS5PBEParameterTemplate, 
+						&algid->parameters);
+    }
+
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+        
+    salt = &p5_param.salt;
+
+    pbe_params = (CK_PBE_PARAMS *)PORT_ZAlloc(sizeof(CK_PBE_PARAMS)+
+						salt->len+iv_len);
+    if (pbe_params == NULL) {
+	goto loser;
+    }
+
+    /* get salt */
+    pbe_params->pSalt = ((CK_CHAR_PTR) pbe_params)+sizeof(CK_PBE_PARAMS);
+    if (iv_len) {
+	pbe_params->pInitVector = ((CK_CHAR_PTR) pbe_params)+
+					sizeof(CK_PBE_PARAMS)+salt->len;
+    }
+    PORT_Memcpy(pbe_params->pSalt, salt->data, salt->len);
+    pbe_params->ulSaltLen = (CK_ULONG) salt->len;
+
+    /* get iteration count */
+    pbe_params->ulIteration = (CK_ULONG) DER_GetInteger(&p5_param.iteration);
+
+    /* copy into the mechanism sec item */
+    mech->data = (unsigned char *)pbe_params;
+    mech->len = sizeof(*pbe_params);
+    if (arena) {
+	PORT_FreeArena(arena,PR_TRUE);
+    }
+    return SECSuccess;
+
+loser:
+    if (pbe_params) {
+	PORT_Free(pbe_params);
+    }
+    if (arena) {
+	PORT_FreeArena(arena,PR_TRUE);
+    }
+    return SECFailure;
+}
+
+SECStatus
+PBE_PK11ParamToAlgid(SECOidTag algTag, SECItem *param, PRArenaPool *arena, 
+		     SECAlgorithmID *algId)
+{
+    CK_PBE_PARAMS *pbe_param;
+    SECItem pbeSalt;
+    SECAlgorithmID *pbeAlgID = NULL;
+    SECStatus rv;
+
+    if(!param || !algId) {
+	return SECFailure;
+    }
+
+    pbe_param = (CK_PBE_PARAMS *)param->data;
+    pbeSalt.data = (unsigned char *)pbe_param->pSalt;
+    pbeSalt.len = pbe_param->ulSaltLen;
+    pbeAlgID = SEC_PKCS5CreateAlgorithmID(algTag, &pbeSalt, 
+					  (int)pbe_param->ulIteration);
+    if(!pbeAlgID) {
+	return SECFailure;
+    }
+
+    rv = SECOID_CopyAlgorithmID(arena, algId, pbeAlgID);
+    SECOID_DestroyAlgorithmID(pbeAlgID, PR_TRUE);
+    return rv;
+}
+
+PBEBitGenContext *
+PBE_CreateContext(SECOidTag hashAlgorithm, PBEBitGenID bitGenPurpose,
+	SECItem *pwitem, SECItem *salt, unsigned int bitsNeeded,
+	unsigned int iterations)
+{
+    SECItem *context = NULL;
+    SECItem mechItem;
+    CK_PBE_PARAMS pbe_params;
+    CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM;
+    PK11SymKey *symKey = NULL;
+    unsigned char ivData[8];
+    
+
+    /* use the purpose to select the low level keygen algorithm */
+    switch (bitGenPurpose) {
+    case pbeBitGenIntegrityKey:
+	switch (hashAlgorithm) {
+	case SEC_OID_SHA1:
+	    mechanism = CKM_PBA_SHA1_WITH_SHA1_HMAC;
+	    break;
+	case SEC_OID_MD2:
+	    mechanism = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN;
+	    break;
+	case SEC_OID_MD5:
+	    mechanism = CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN;
+	    break;
+	default:
+	    break;
+	}
+	break;
+    case pbeBitGenCipherIV:
+	if (bitsNeeded > 64) {
+	    break;
+	}
+	if (hashAlgorithm != SEC_OID_SHA1) {
+	    break;
+	}
+	mechanism = CKM_PBE_SHA1_DES3_EDE_CBC;
+    case pbeBitGenCipherKey:
+	if (hashAlgorithm != SEC_OID_SHA1) {
+	    break;
+	}
+	switch (bitsNeeded) {
+	case 40:
+	    mechanism = CKM_PBE_SHA1_RC4_40;
+	    break;
+	case 128:
+	    mechanism = CKM_PBE_SHA1_RC4_128;
+	    break;
+	default:
+	    break;
+	}
+    case pbeBitGenIDNull:
+	break;
+    }
+
+    if (mechanism == CKM_INVALID_MECHANISM) {
+	/* we should set an error, but this is a depricated function, and
+	 * we are keeping bug for bug compatibility;)... */
+	    return NULL;
+    } 
+
+    pbe_params.pInitVector = ivData;
+    pbe_params.pPassword = pwitem->data;
+    pbe_params.ulPasswordLen = pwitem->len;
+    pbe_params.pSalt = salt->data;
+    pbe_params.ulSaltLen = salt->len;
+    pbe_params.ulIteration = iterations;
+    mechItem.data = (unsigned char *) &pbe_params;
+    mechItem.len = sizeof(pbe_params);
+
+
+    symKey = PK11_RawPBEKeyGen(PK11_GetInternalSlot(),mechanism,
+					&mechItem, pwitem, PR_FALSE, NULL);
+    if (symKey != NULL) {
+	if (bitGenPurpose == pbeBitGenCipherIV) {
+	    /* NOTE: this assumes that bitsNeeded is a multiple of 8! */
+	    SECItem ivItem;
+
+	    ivItem.data = ivData;
+	    ivItem.len = bitsNeeded/8;
+	    context = SECITEM_DupItem(&ivItem);
+	} else {
+	    SECItem *keyData;
+	    PK11_ExtractKeyValue(symKey);
+	    keyData = PK11_GetKeyData(symKey);
+
+	    /* assert bitsNeeded with length? */
+	    if (keyData) {
+	    	context = SECITEM_DupItem(keyData);
+	    }
+	}
+	PK11_FreeSymKey(symKey);
+    }
+
+    return (PBEBitGenContext *)context;
+}
+
+SECItem *
+PBE_GenerateBits(PBEBitGenContext *context)
+{
+    return (SECItem *)context;
+}
+
+void
+PBE_DestroyContext(PBEBitGenContext *context)
+{
+    SECITEM_FreeItem((SECItem *)context,PR_TRUE);
+}
+
+SECItem *
+SEC_PKCS5GetIV(SECAlgorithmID *algid, SECItem *pwitem, PRBool faulty3DES)
+{
+    SECItem mechItem;
+    SECOidTag algorithm = SECOID_GetAlgorithmTag(algid);
+    CK_PBE_PARAMS *pbe_params;
+    CK_MECHANISM_TYPE mechanism;
+    SECItem *iv = NULL;
+    SECStatus rv;
+    int iv_len;
+    PK11SymKey *symKey;
+
+    rv = pbe_PK11AlgidToParam(algid,&mechItem);
+    if (rv != SECSuccess) {
+	return NULL;
+    }
+
+    mechanism = PK11_AlgtagToMechanism(algorithm);
+    iv_len = PK11_GetIVLength(mechanism);
+    pbe_params = (CK_PBE_PARAMS_PTR)mechItem.data;
+
+    symKey = PK11_RawPBEKeyGen(PK11_GetInternalSlot(),mechanism,
+					&mechItem, pwitem, faulty3DES,NULL);
+
+    if (symKey) {
+	SECItem tmp;
+
+	tmp.data = pbe_params->pInitVector;
+	tmp.len = iv_len;
+	iv = SECITEM_DupItem(&tmp);
+        PK11_FreeSymKey(symKey);
+    }
+
+    if (mechItem.data) {
+	PORT_ZFree(mechItem.data,mechItem.len);
+    }
+
+    return iv;
+}
+
+/*
+ * Subs from nss 3.x that are depricated
+ */
+PBEBitGenContext *
+__PBE_CreateContext(SECOidTag hashAlgorithm, PBEBitGenID bitGenPurpose,
+	SECItem *pwitem, SECItem *salt, unsigned int bitsNeeded,
+	unsigned int iterations)
+{
+    PORT_Assert("__PBE_CreateContext is Depricated" == NULL);
+    return NULL;
+}
+
+SECItem *
+__PBE_GenerateBits(PBEBitGenContext *context)
+{
+    PORT_Assert("__PBE_GenerateBits is Depricated" == NULL);
+    return NULL;
+}
+
+void
+__PBE_DestroyContext(PBEBitGenContext *context)
+{
+    PORT_Assert("__PBE_DestroyContext is Depricated" == NULL);
+}
+
+SECStatus
+RSA_FormatBlock(SECItem *result, unsigned modulusLen,
+                int blockType, SECItem *data)
+{
+    PORT_Assert("RSA_FormatBlock is Depricated" == NULL);
+    return SECFailure;
+}
+
diff --git a/security/nss/lib/pk11wrap/pk11pk12.c b/security/nss/lib/pk11wrap/pk11pk12.c
new file mode 100644
index 000000000..bbc3205ee
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11pk12.c
@@ -0,0 +1,551 @@
+
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * This file PKCS #12 fuctions that should really be moved to the
+ * PKCS #12 directory, however we can't do that in a point release
+ * because that will break binary compatibility, so we keep them here for now.
+ */
+
+#include "seccomon.h"
+#include "secmod.h"
+#include "secmodi.h"
+#include "pkcs11.h"
+#include "pk11func.h"
+#include "secitem.h"
+#include "key.h"
+#include "secoid.h"
+#include "secasn1.h"
+#include "secerr.h"
+
+
+
+/* These data structures should move to a common .h file shared between the
+ * wrappers and the pkcs 12 code. */
+
+/*
+** RSA Raw Private Key structures
+*/
+
+/* member names from PKCS#1, section 7.2 */
+struct SECKEYRSAPrivateKeyStr {
+    PRArenaPool * arena;
+    SECItem version;
+    SECItem modulus;
+    SECItem publicExponent;
+    SECItem privateExponent;
+    SECItem prime1;
+    SECItem prime2;
+    SECItem exponent1;
+    SECItem exponent2;
+    SECItem coefficient;
+};
+typedef struct SECKEYRSAPrivateKeyStr SECKEYRSAPrivateKey;
+
+
+/*
+** DSA Raw Private Key structures
+*/
+
+struct SECKEYDSAPrivateKeyStr {
+    SECKEYPQGParams params;
+    SECItem privateValue;
+};
+typedef struct SECKEYDSAPrivateKeyStr SECKEYDSAPrivateKey;
+
+/*
+** Diffie-Hellman Raw Private Key structures
+** Structure member names suggested by PKCS#3.
+*/
+struct SECKEYDHPrivateKeyStr {
+    PRArenaPool * arena;
+    SECItem prime;
+    SECItem base;
+    SECItem privateValue;
+};
+typedef struct SECKEYDHPrivateKeyStr SECKEYDHPrivateKey;
+
+/*
+** raw private key object
+*/
+struct SECKEYRawPrivateKeyStr {
+    PLArenaPool *arena;
+    KeyType keyType;
+    union {
+        SECKEYRSAPrivateKey rsa;
+        SECKEYDSAPrivateKey dsa;
+        SECKEYDHPrivateKey  dh;
+    } u;
+};
+typedef struct SECKEYRawPrivateKeyStr SECKEYRawPrivateKey;
+
+
+/* ASN1 Templates for new decoder/encoder */
+/*
+ * Attribute value for PKCS8 entries (static?)
+ */
+const SEC_ASN1Template SECKEY_AttributeTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+        0, NULL, sizeof(SECKEYAttribute) },
+    { SEC_ASN1_OBJECT_ID, offsetof(SECKEYAttribute, attrType) },
+    { SEC_ASN1_SET_OF, offsetof(SECKEYAttribute, attrValue),
+        SEC_AnyTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template SECKEY_SetOfAttributeTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SECKEY_AttributeTemplate },
+};
+
+const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPrivateKeyInfo) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYPrivateKeyInfo,version) },
+    { SEC_ASN1_INLINE, offsetof(SECKEYPrivateKeyInfo,algorithm),
+        SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPrivateKeyInfo,privateKey) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+        offsetof(SECKEYPrivateKeyInfo,attributes),
+        SECKEY_SetOfAttributeTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SECKEY_PrivateKeyInfoTemplate }
+};
+
+const SEC_ASN1Template SECKEY_RSAPrivateKeyExportTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYRawPrivateKey) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.version) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.modulus) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.publicExponent) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.privateExponent) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.prime1) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.prime2) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.exponent1) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.exponent2) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.coefficient) },
+    { 0 }
+};
+
+const SEC_ASN1Template SECKEY_DSAPrivateKeyExportTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.dsa.privateValue) },
+};
+
+const SEC_ASN1Template SECKEY_DHPrivateKeyExportTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.dh.privateValue) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.dh.base) },
+    { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.dh.prime) },
+};
+
+const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+        0, NULL, sizeof(SECKEYEncryptedPrivateKeyInfo) },
+    { SEC_ASN1_INLINE,
+        offsetof(SECKEYEncryptedPrivateKeyInfo,algorithm),
+        SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_OCTET_STRING,
+        offsetof(SECKEYEncryptedPrivateKeyInfo,encryptedData) },
+    { 0 }
+};
+
+const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[] = {
+        { SEC_ASN1_POINTER, 0, SECKEY_EncryptedPrivateKeyInfoTemplate }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_EncryptedPrivateKeyInfoTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_PrivateKeyInfoTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_PointerToPrivateKeyInfoTemplate)
+
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type.  This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+
+static void
+prepare_rsa_priv_key_export_for_asn1(SECKEYRawPrivateKey *key)
+{
+    key->u.rsa.modulus.type = siUnsignedInteger;
+    key->u.rsa.publicExponent.type = siUnsignedInteger;
+    key->u.rsa.privateExponent.type = siUnsignedInteger;
+    key->u.rsa.prime1.type = siUnsignedInteger;
+    key->u.rsa.prime2.type = siUnsignedInteger;
+    key->u.rsa.exponent1.type = siUnsignedInteger;
+    key->u.rsa.exponent2.type = siUnsignedInteger;
+    key->u.rsa.coefficient.type = siUnsignedInteger;
+}
+
+static void
+prepare_dsa_priv_key_export_for_asn1(SECKEYRawPrivateKey *key)
+{
+    key->u.dsa.privateValue.type = siUnsignedInteger;
+    key->u.dsa.params.prime.type = siUnsignedInteger;
+    key->u.dsa.params.subPrime.type = siUnsignedInteger;
+    key->u.dsa.params.base.type = siUnsignedInteger;
+}
+
+static void
+prepare_dh_priv_key_export_for_asn1(SECKEYRawPrivateKey *key)
+{
+    key->u.dh.privateValue.type = siUnsignedInteger;
+    key->u.dh.prime.type = siUnsignedInteger;
+    key->u.dh.base.type = siUnsignedInteger;
+}
+
+
+SECStatus
+PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot, SECItem *derPKI, 
+	SECItem *nickname, SECItem *publicValue, PRBool isPerm, 
+	PRBool isPrivate, unsigned int keyUsage, void *wincx) 
+{
+    return PK11_ImportDERPrivateKeyInfoAndReturnKey(slot, derPKI,
+	nickname, publicValue, isPerm, isPrivate, keyUsage, NULL, wincx);
+}
+
+SECStatus
+PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, SECItem *derPKI, 
+	SECItem *nickname, SECItem *publicValue, PRBool isPerm, 
+	PRBool isPrivate, unsigned int keyUsage, SECKEYPrivateKey** privk,
+	void *wincx) 
+{
+    SECKEYPrivateKeyInfo *pki = NULL;
+    PRArenaPool *temparena = NULL;
+    SECStatus rv = SECFailure;
+
+    temparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    pki = PORT_ZNew(SECKEYPrivateKeyInfo);
+
+    rv = SEC_ASN1DecodeItem(temparena, pki, SECKEY_PrivateKeyInfoTemplate,
+		derPKI);
+    if( rv != SECSuccess ) {
+	goto finish;
+    }
+
+    rv = PK11_ImportPrivateKeyInfoAndReturnKey(slot, pki, nickname,
+		publicValue, isPerm, isPrivate, keyUsage, privk, wincx);
+
+finish:
+    if( pki != NULL ) {
+	SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE /*freeit*/);
+    }
+    if( temparena != NULL ) {
+	PORT_FreeArena(temparena, PR_TRUE);
+    }
+    return rv;
+}
+        
+SECStatus
+PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk, 
+	SECItem *nickname, SECItem *publicValue, PRBool isPerm, 
+	PRBool isPrivate, unsigned int keyUsage, SECKEYPrivateKey **privk,
+	void *wincx) 
+{
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+    CK_KEY_TYPE keyType = CKK_RSA;
+    CK_OBJECT_HANDLE objectID;
+    CK_ATTRIBUTE theTemplate[20];
+    int templateCount = 0;
+    SECStatus rv = SECFailure;
+    PRArenaPool *arena;
+    CK_ATTRIBUTE *attrs;
+    CK_ATTRIBUTE *signedattr = NULL;
+    int signedcount = 0;
+    CK_ATTRIBUTE *ap;
+    SECItem *ck_id = NULL;
+
+    arena = PORT_NewArena(2048);
+    if(!arena) {
+	return SECFailure;
+    }
+
+    attrs = theTemplate;
+
+
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_TOKEN, isPerm ? &cktrue : &ckfalse, 
+						sizeof(CK_BBOOL) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_SENSITIVE, isPrivate ? &cktrue : &ckfalse, 
+						sizeof(CK_BBOOL) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_PRIVATE, isPrivate ? &cktrue : &ckfalse,
+						 sizeof(CK_BBOOL) ); attrs++;
+
+    switch (lpk->keyType) {
+    case rsaKey:
+	    PK11_SETATTRS(attrs, CKA_UNWRAP, (keyUsage & KU_KEY_ENCIPHERMENT) ?
+				&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
+	    PK11_SETATTRS(attrs, CKA_DECRYPT, (keyUsage & KU_DATA_ENCIPHERMENT) ?
+				&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
+	    PK11_SETATTRS(attrs, CKA_SIGN, (keyUsage & KU_DIGITAL_SIGNATURE) ? 
+				&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
+	    PK11_SETATTRS(attrs, CKA_SIGN_RECOVER, 
+				(keyUsage & KU_DIGITAL_SIGNATURE) ? 
+				&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
+	    ck_id = PK11_MakeIDFromPubKey(&lpk->u.rsa.modulus);
+	    if (ck_id == NULL) {
+		goto loser;
+	    }
+	    PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++;
+	    if (nickname) {
+		PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len); attrs++; 
+	    } 
+	    signedattr = attrs;
+	    PK11_SETATTRS(attrs, CKA_MODULUS, lpk->u.rsa.modulus.data,
+						lpk->u.rsa.modulus.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, 
+	     			lpk->u.rsa.publicExponent.data,
+				lpk->u.rsa.publicExponent.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_PRIVATE_EXPONENT, 
+	     			lpk->u.rsa.privateExponent.data,
+				lpk->u.rsa.privateExponent.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_PRIME_1, 
+	     			lpk->u.rsa.prime1.data,
+				lpk->u.rsa.prime1.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_PRIME_2, 
+	     			lpk->u.rsa.prime2.data,
+				lpk->u.rsa.prime2.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_EXPONENT_1, 
+	     			lpk->u.rsa.exponent1.data,
+				lpk->u.rsa.exponent1.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_EXPONENT_2, 
+	     			lpk->u.rsa.exponent2.data,
+				lpk->u.rsa.exponent2.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_COEFFICIENT, 
+	     			lpk->u.rsa.coefficient.data,
+				lpk->u.rsa.coefficient.len); attrs++;
+	    break;
+    case dsaKey:
+	    /* To make our intenal PKCS #11 module work correctly with 
+	     * our database, we need to pass in the public key value for 
+	     * this dsa key. We have a netscape only CKA_ value to do this.
+	     * Only send it to internal slots */
+	    if( publicValue == NULL ) {
+		goto loser;
+	    }
+	    if (PK11_IsInternal(slot)) {
+	        PK11_SETATTRS(attrs, CKA_NETSCAPE_DB,
+				publicValue->data, publicValue->len); attrs++;
+	    }
+	    PK11_SETATTRS(attrs, CKA_SIGN, &cktrue, sizeof(CK_BBOOL)); attrs++;
+	    PK11_SETATTRS(attrs, CKA_SIGN_RECOVER, &cktrue, sizeof(CK_BBOOL)); attrs++;
+	    if(nickname) {
+		PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len);
+		attrs++; 
+	    } 
+	    ck_id = PK11_MakeIDFromPubKey(publicValue);
+	    if (ck_id == NULL) {
+		goto loser;
+	    }
+	    PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++;
+	    signedattr = attrs;
+	    PK11_SETATTRS(attrs, CKA_PRIME,    lpk->u.dsa.params.prime.data,
+				lpk->u.dsa.params.prime.len); attrs++;
+	    PK11_SETATTRS(attrs,CKA_SUBPRIME,lpk->u.dsa.params.subPrime.data,
+				lpk->u.dsa.params.subPrime.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_BASE,  lpk->u.dsa.params.base.data,
+					lpk->u.dsa.params.base.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_VALUE,    lpk->u.dsa.privateValue.data, 
+					lpk->u.dsa.privateValue.len); attrs++;
+	    break;
+     case dhKey:
+	    /* To make our intenal PKCS #11 module work correctly with 
+	     * our database, we need to pass in the public key value for 
+	     * this dh key. We have a netscape only CKA_ value to do this.
+	     * Only send it to internal slots */
+	    if (PK11_IsInternal(slot)) {
+	        PK11_SETATTRS(attrs, CKA_NETSCAPE_DB,
+				publicValue->data, publicValue->len); attrs++;
+	    }
+	    PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL)); attrs++;
+	    if(nickname) {
+		PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len);
+		attrs++; 
+	    } 
+	    ck_id = PK11_MakeIDFromPubKey(publicValue);
+	    if (ck_id == NULL) {
+		goto loser;
+	    }
+	    PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++;
+	    signedattr = attrs;
+	    PK11_SETATTRS(attrs, CKA_PRIME,    lpk->u.dh.prime.data,
+				lpk->u.dh.prime.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_BASE,  lpk->u.dh.base.data,
+					lpk->u.dh.base.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_VALUE,    lpk->u.dh.privateValue.data, 
+					lpk->u.dh.privateValue.len); attrs++;
+	    break;
+	/* what about fortezza??? */
+    default:
+	    PORT_SetError(SEC_ERROR_BAD_KEY);
+	    goto loser;
+    }
+    templateCount = attrs - theTemplate;
+    PORT_Assert(templateCount <= sizeof(theTemplate)/sizeof(CK_ATTRIBUTE));
+    PORT_Assert(signedattr != NULL);
+    signedcount = attrs - signedattr;
+
+    for (ap=signedattr; signedcount; ap++, signedcount--) {
+	pk11_SignedToUnsigned(ap);
+    }
+
+    rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION,
+			theTemplate, templateCount, isPerm, &objectID);
+
+    /* create and return a SECKEYPrivateKey */
+    if( rv == SECSuccess && privk != NULL) {
+	*privk = PK11_MakePrivKey(slot, lpk->keyType, !isPerm, objectID, wincx);
+	if( *privk == NULL ) {
+	    rv = SECFailure;
+	}
+    }
+loser:
+    if (ck_id) {
+	SECITEM_ZfreeItem(ck_id, PR_TRUE);
+    }
+    return rv;
+}
+
+SECStatus
+PK11_ImportPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk, 
+	SECItem *nickname, SECItem *publicValue, PRBool isPerm, 
+	PRBool isPrivate, unsigned int keyUsage, void *wincx) 
+{
+    return PK11_ImportAndReturnPrivateKey(slot, lpk, nickname, publicValue,
+	isPerm, isPrivate, keyUsage, NULL, wincx);
+}
+
+SECStatus
+PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
+	SECKEYPrivateKeyInfo *pki, SECItem *nickname, SECItem *publicValue,
+	PRBool isPerm, PRBool isPrivate, unsigned int keyUsage,
+	SECKEYPrivateKey **privk, void *wincx) 
+{
+    CK_KEY_TYPE keyType = CKK_RSA;
+    SECStatus rv = SECFailure;
+    SECKEYRawPrivateKey *lpk = NULL;
+    const SEC_ASN1Template *keyTemplate, *paramTemplate;
+    void *paramDest = NULL;
+    PRArenaPool *arena;
+
+    arena = PORT_NewArena(2048);
+    if(!arena) {
+	return SECFailure;
+    }
+
+    /* need to change this to use RSA/DSA keys */
+    lpk = (SECKEYRawPrivateKey *)PORT_ArenaZAlloc(arena,
+						  sizeof(SECKEYRawPrivateKey));
+    if(lpk == NULL) {
+	goto loser;
+    }
+    lpk->arena = arena;
+
+    switch(SECOID_GetAlgorithmTag(&pki->algorithm)) {
+	case SEC_OID_PKCS1_RSA_ENCRYPTION:
+	    prepare_rsa_priv_key_export_for_asn1(lpk);
+	    keyTemplate = SECKEY_RSAPrivateKeyExportTemplate;
+	    paramTemplate = NULL;
+	    paramDest = NULL;
+	    lpk->keyType = rsaKey;
+	    keyType = CKK_RSA;
+	    break;
+	case SEC_OID_ANSIX9_DSA_SIGNATURE:
+	    prepare_dsa_priv_key_export_for_asn1(lpk);
+	    keyTemplate = SECKEY_DSAPrivateKeyExportTemplate;
+	    paramTemplate = SECKEY_PQGParamsTemplate;
+	    paramDest = &(lpk->u.dsa.params);
+	    lpk->keyType = dsaKey;
+	    keyType = CKK_DSA;
+	    break;
+	case SEC_OID_X942_DIFFIE_HELMAN_KEY:
+	    if(!publicValue) {
+		goto loser;
+	    }
+	    prepare_dh_priv_key_export_for_asn1(lpk);
+	    keyTemplate = SECKEY_DHPrivateKeyExportTemplate;
+	    paramTemplate = NULL;
+	    paramDest = NULL;
+	    lpk->keyType = dhKey;
+	    keyType = CKK_DH;
+	    break;
+
+	default:
+	    keyTemplate   = NULL;
+	    paramTemplate = NULL;
+	    paramDest     = NULL;
+	    break;
+    }
+
+    if(!keyTemplate) {
+	goto loser;
+    }
+
+    /* decode the private key and any algorithm parameters */
+    rv = SEC_ASN1DecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+    if(paramDest && paramTemplate) {
+	rv = SEC_ASN1DecodeItem(arena, paramDest, paramTemplate, 
+				 &(pki->algorithm.parameters));
+	if(rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+
+    rv = PK11_ImportAndReturnPrivateKey(slot,lpk,nickname,publicValue, isPerm, 
+	isPrivate,  keyUsage, privk, wincx);
+
+
+loser:
+    if (lpk!= NULL) {
+	PORT_FreeArena(arena, PR_TRUE);
+    }
+
+    return rv;
+}
+
+SECStatus
+PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot, SECKEYPrivateKeyInfo *pki, 
+	SECItem *nickname, SECItem *publicValue, PRBool isPerm, 
+	PRBool isPrivate, unsigned int keyUsage, void *wincx) 
+{
+    return PK11_ImportPrivateKeyInfoAndReturnKey(slot, pki, nickname,
+	publicValue, isPerm, isPrivate, keyUsage, NULL, wincx);
+
+}
+
diff --git a/security/nss/lib/pk11wrap/pk11pqg.c b/security/nss/lib/pk11wrap/pk11pqg.c
new file mode 100644
index 000000000..f58fd60cb
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11pqg.c
@@ -0,0 +1,374 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2001 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/* Thse functions are stub functions which will get replaced with calls through
+ * PKCS #11.
+ */
+
+#include "pk11func.h"
+#include "secmod.h"
+#include "secmodi.h"
+#include "pkcs11t.h"
+#include "pk11pqg.h"
+#include "secerr.h"
+
+
+/* Generate PQGParams and PQGVerify structs.
+ * Length of P specified by j.  Length of h will match length of P.
+ * Length of SEED in bytes specified in seedBytes.
+ * seedBbytes must be in the range [20..255] or an error will result.
+ */
+extern SECStatus
+PK11_PQG_ParamGenSeedLen( unsigned int j, unsigned int seedBytes,
+				 PQGParams **pParams, PQGVerify **pVfy)
+{
+    PK11SlotInfo *slot = NULL;
+    CK_ATTRIBUTE genTemplate[5];
+    CK_ATTRIBUTE *attrs = genTemplate;
+    int count = sizeof(genTemplate)/sizeof(genTemplate[0]);
+    CK_MECHANISM mechanism;
+    CK_OBJECT_HANDLE objectID = CK_INVALID_HANDLE;
+    CK_RV crv;
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_ATTRIBUTE pTemplate[] = {
+	{ CKA_PRIME, NULL, 0 },
+	{ CKA_SUBPRIME, NULL, 0 },
+	{ CKA_BASE, NULL, 0 },
+    };
+    CK_ATTRIBUTE vTemplate[] = {
+	{ CKA_NETSCAPE_PQG_COUNTER, NULL, 0 },
+	{ CKA_NETSCAPE_PQG_SEED, NULL, 0 },
+	{ CKA_NETSCAPE_PQG_H, NULL, 0 },
+    };
+    int pTemplateCount = sizeof(pTemplate)/sizeof(pTemplate[0]);
+    int vTemplateCount = sizeof(vTemplate)/sizeof(vTemplate[0]);
+    PRArenaPool *parena = NULL;
+    PRArenaPool *varena = NULL;
+    PQGParams *params = NULL;
+    PQGVerify *verify = NULL;
+    CK_ULONG primeBits = j;
+    CK_ULONG seedBits = seedBytes*8;
+
+    *pParams = NULL;
+    *pVfy =  NULL;
+
+    PK11_SETATTRS(attrs, CKA_PRIME_BITS,&primeBits,sizeof(primeBits)); attrs++;
+    if (seedBits != 0) {
+    	PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_SEED_BITS, 
+					&seedBits, sizeof(seedBits)); attrs++;
+    }
+    count = attrs - genTemplate;
+    PR_ASSERT(count <= sizeof(genTemplate)/sizeof(CK_ATTRIBUTE));
+
+    slot = PK11_GetInternalSlot();
+    if (slot == NULL) {
+	/* set error */
+	goto loser;
+    }
+
+    /* Initialize the Key Gen Mechanism */
+    mechanism.mechanism = CKM_DSA_PARAMETER_GEN;
+    mechanism.pParameter = NULL;
+    mechanism.ulParameterLen = 0;
+
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GenerateKey(slot->session,
+			 &mechanism, genTemplate, count, &objectID);
+    PK11_ExitSlotMonitor(slot);
+
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	goto loser;
+    }
+
+    parena = PORT_NewArena(60);
+    crv = PK11_GetAttributes(parena, slot, objectID, pTemplate, pTemplateCount);
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	goto loser;
+    }
+
+
+    params = (PQGParams *)PORT_ArenaAlloc(parena,sizeof(PQGParams));
+    if (params == NULL) {
+	goto loser;
+    }
+
+    /* fill in Params */
+    params->arena = parena;
+    params->prime.data = pTemplate[0].pValue;
+    params->prime.len = pTemplate[0].ulValueLen;
+    params->subPrime.data = pTemplate[1].pValue;
+    params->subPrime.len = pTemplate[1].ulValueLen;
+    params->base.data = pTemplate[2].pValue;
+    params->base.len = pTemplate[2].ulValueLen;
+
+
+    varena = PORT_NewArena(60);
+    crv = PK11_GetAttributes(varena, slot, objectID, vTemplate, vTemplateCount);
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	goto loser;
+    }
+
+
+    verify = (PQGVerify *)PORT_ArenaAlloc(varena,sizeof(PQGVerify));
+    if (verify == NULL) {
+	goto loser;
+    }
+    /* fill in Params */
+    verify->arena = varena;
+    verify->counter = (unsigned int)(*(CK_ULONG*)vTemplate[0].pValue);
+    verify->seed.data = vTemplate[1].pValue;
+    verify->seed.len = vTemplate[1].ulValueLen;
+    verify->h.data = vTemplate[2].pValue;
+    verify->h.len = vTemplate[2].ulValueLen;
+
+    PK11_DestroyObject(slot,objectID);
+    PK11_FreeSlot(slot);
+
+    *pParams = params;
+    *pVfy =  verify;
+
+    return SECSuccess;
+
+loser:
+    if (objectID != CK_INVALID_HANDLE) {
+	PK11_DestroyObject(slot,objectID);
+    }
+    if (parena != NULL) {
+	PORT_FreeArena(parena,PR_FALSE);
+    }
+    if (varena != NULL) {
+	PORT_FreeArena(varena,PR_FALSE);
+    }
+    if (slot) {
+	PK11_FreeSlot(slot);
+    }
+    return SECFailure;
+}
+
+/* Generate PQGParams and PQGVerify structs.
+ * Length of seed and length of h both equal length of P. 
+ * All lengths are specified by "j", according to the table above.
+ */
+extern SECStatus
+PK11_PQG_ParamGen(unsigned int j, PQGParams **pParams, PQGVerify **pVfy)
+{
+    return PK11_PQG_ParamGenSeedLen(j, 0, pParams, pVfy);
+}
+
+/*  Test PQGParams for validity as DSS PQG values.
+ *  If vfy is non-NULL, test PQGParams to make sure they were generated
+ *       using the specified seed, counter, and h values.
+ *
+ *  Return value indicates whether Verification operation ran succesfully
+ *  to completion, but does not indicate if PQGParams are valid or not.
+ *  If return value is SECSuccess, then *pResult has these meanings:
+ *       SECSuccess: PQGParams are valid.
+ *       SECFailure: PQGParams are invalid.
+ */
+
+extern SECStatus
+PK11_PQG_VerifyParams(const PQGParams *params, const PQGVerify *vfy, 
+							SECStatus *result)
+{
+    CK_ATTRIBUTE keyTempl[] = {
+	{ CKA_CLASS, NULL, 0 },
+	{ CKA_KEY_TYPE, NULL, 0 },
+	{ CKA_PRIME, NULL, 0 },
+	{ CKA_SUBPRIME, NULL, 0 },
+	{ CKA_BASE, NULL, 0 },
+	{ CKA_TOKEN, NULL, 0 },
+	{ CKA_NETSCAPE_PQG_COUNTER, NULL, 0 },
+	{ CKA_NETSCAPE_PQG_SEED, NULL, 0 },
+	{ CKA_NETSCAPE_PQG_H, NULL, 0 },
+    };
+    CK_ATTRIBUTE *attrs;
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_OBJECT_CLASS class = CKO_KG_PARAMETERS;
+    CK_KEY_TYPE keyType = CKK_DSA;
+    SECStatus rv = SECSuccess;
+    PK11SlotInfo *slot;
+    int keyCount;
+    CK_OBJECT_HANDLE objectID;
+    CK_ULONG counter;
+    CK_RV crv;
+
+    attrs = keyTempl;
+    PK11_SETATTRS(attrs, CKA_CLASS, &class, sizeof(class)); attrs++;
+    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); attrs++;
+    PK11_SETATTRS(attrs, CKA_PRIME, params->prime.data, 
+						params->prime.len); attrs++;
+    PK11_SETATTRS(attrs, CKA_SUBPRIME, params->subPrime.data, 
+						params->subPrime.len); attrs++;
+    PK11_SETATTRS(attrs, CKA_BASE,params->base.data,params->base.len); attrs++;
+    PK11_SETATTRS(attrs, CKA_TOKEN, &ckfalse, sizeof(ckfalse)); attrs++;
+    if (vfy) {
+	counter = vfy->counter;
+	PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_COUNTER, 
+			&counter, sizeof(counter)); attrs++;
+	PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_SEED, 
+			vfy->seed.data, vfy->seed.len); attrs++;
+	PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_H, 
+			vfy->h.data, vfy->h.len); attrs++;
+    }
+
+    keyCount = attrs - keyTempl;
+    PORT_Assert(keyCount <= sizeof(keyTempl)/sizeof(keyTempl[0]));
+
+
+    slot = PK11_GetInternalSlot();
+    if (slot == NULL) {
+	return SECFailure;
+    }
+
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_CreateObject(slot->session, keyTempl, keyCount, 
+								&objectID);
+    PK11_ExitSlotMonitor(slot);
+
+    /* throw away the keys, we only wanted the return code */
+    PK11_DestroyObject(slot,objectID);
+    PK11_FreeSlot(slot);
+
+    *result = SECSuccess;
+    if (crv == CKR_ATTRIBUTE_VALUE_INVALID) {
+	*result = SECFailure;
+    } else if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	rv = SECFailure;
+    }
+    return rv;
+
+}
+
+
+
+/**************************************************************************
+ *  Free the PQGParams struct and the things it points to.                *
+ **************************************************************************/
+extern void 
+PK11_PQG_DestroyParams(PQGParams *params) {
+     PQG_DestroyParams(params);
+     return;
+}
+
+/**************************************************************************
+ *  Free the PQGVerify struct and the things it points to.                *
+ **************************************************************************/
+extern void
+PK11_PQG_DestroyVerify(PQGVerify *vfy) {
+    PQG_DestroyVerify(vfy);
+    return;
+}
+
+/**************************************************************************
+ *  Return a pointer to a new PQGParams struct that is constructed from   *
+ *  copies of the arguments passed in.                                    *
+ *  Return NULL on failure.                                               *
+ **************************************************************************/
+extern PQGParams *
+PK11_PQG_NewParams(const SECItem * prime, const SECItem * subPrime, 
+                                 		const SECItem * base) {
+    return PQG_NewParams(prime, subPrime, base);
+}
+
+
+/**************************************************************************
+ * Fills in caller's "prime" SECItem with the prime value in params.
+ * Contents can be freed by calling SECITEM_FreeItem(prime, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus 
+PK11_PQG_GetPrimeFromParams(const PQGParams *params, SECItem * prime) {
+    return PQG_GetPrimeFromParams(params, prime);
+}
+
+
+/**************************************************************************
+ * Fills in caller's "subPrime" SECItem with the prime value in params.
+ * Contents can be freed by calling SECITEM_FreeItem(subPrime, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus
+PK11_PQG_GetSubPrimeFromParams(const PQGParams *params, SECItem * subPrime) {
+    return PQG_GetSubPrimeFromParams(params, subPrime);
+}
+
+
+/**************************************************************************
+ * Fills in caller's "base" SECItem with the base value in params.
+ * Contents can be freed by calling SECITEM_FreeItem(base, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus 
+PK11_PQG_GetBaseFromParams(const PQGParams *params, SECItem *base) {
+    return PQG_GetBaseFromParams(params, base);
+}
+
+
+/**************************************************************************
+ *  Return a pointer to a new PQGVerify struct that is constructed from   *
+ *  copies of the arguments passed in.                                    *
+ *  Return NULL on failure.                                               *
+ **************************************************************************/
+extern PQGVerify *
+PK11_PQG_NewVerify(unsigned int counter, const SECItem * seed, 
+							const SECItem * h) {
+    return PQG_NewVerify(counter, seed, h);
+}
+
+
+/**************************************************************************
+ * Returns "counter" value from the PQGVerify.
+ **************************************************************************/
+extern unsigned int 
+PK11_PQG_GetCounterFromVerify(const PQGVerify *verify) {
+    return PQG_GetCounterFromVerify(verify);
+}
+
+/**************************************************************************
+ * Fills in caller's "seed" SECItem with the seed value in verify.
+ * Contents can be freed by calling SECITEM_FreeItem(seed, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus 
+PK11_PQG_GetSeedFromVerify(const PQGVerify *verify, SECItem *seed) {
+    return PQG_GetSeedFromVerify(verify, seed);
+}
+
+
+/**************************************************************************
+ * Fills in caller's "h" SECItem with the h value in verify.
+ * Contents can be freed by calling SECITEM_FreeItem(h, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus 
+PK11_PQG_GetHFromVerify(const PQGVerify *verify, SECItem * h) {
+    return PQG_GetHFromVerify(verify, h);
+}
diff --git a/security/nss/lib/pk11wrap/pk11pqg.h b/security/nss/lib/pk11wrap/pk11pqg.h
new file mode 100644
index 000000000..389946ff1
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11pqg.h
@@ -0,0 +1,149 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2001 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/* Thse functions are stub functions which will get replaced with calls through
+ * PKCS #11.
+ */
+
+#ifndef _PK11PQG_H_
+#define  _PK11PQG_H_ 1
+
+#include "blapit.h"
+#include "pqgutil.h"
+
+/* Generate PQGParams and PQGVerify structs.
+ * Length of seed and length of h both equal length of P. 
+ * All lengths are specified by "j", according to the table above.
+ */
+extern SECStatus PK11_PQG_ParamGen(unsigned int j, PQGParams **pParams, 
+							PQGVerify **pVfy);
+
+/* Generate PQGParams and PQGVerify structs.
+ * Length of P specified by j.  Length of h will match length of P.
+ * Length of SEED in bytes specified in seedBytes.
+ * seedBbytes must be in the range [20..255] or an error will result.
+ */
+extern SECStatus PK11_PQG_ParamGenSeedLen( unsigned int j, 
+	unsigned int seedBytes, PQGParams **pParams, PQGVerify **pVfy);
+
+/*  Test PQGParams for validity as DSS PQG values.
+ *  If vfy is non-NULL, test PQGParams to make sure they were generated
+ *       using the specified seed, counter, and h values.
+ *
+ *  Return value indicates whether Verification operation ran succesfully
+ *  to completion, but does not indicate if PQGParams are valid or not.
+ *  If return value is SECSuccess, then *pResult has these meanings:
+ *       SECSuccess: PQGParams are valid.
+ *       SECFailure: PQGParams are invalid.
+ *
+ * Verify the following 12 facts about PQG counter SEED g and h
+ * 1.  Q is 160 bits long.
+ * 2.  P is one of the 9 valid lengths.
+ * 3.  G < P
+ * 4.  P % Q == 1
+ * 5.  Q is prime
+ * 6.  P is prime
+ * Steps 7-12 are done only if the optional PQGVerify is supplied.
+ * 7.  counter < 4096
+ * 8.  g >= 160 and g < 2048   (g is length of seed in bits)
+ * 9.  Q generated from SEED matches Q in PQGParams.
+ * 10. P generated from (L, counter, g, SEED, Q) matches P in PQGParams.
+ * 11. 1 < h < P-1
+ * 12. G generated from h matches G in PQGParams.
+ */
+
+extern SECStatus PK11_PQG_VerifyParams(const PQGParams *params, 
+                                    const PQGVerify *vfy, SECStatus *result);
+extern void PK11_PQG_DestroyParams(PQGParams *params);
+extern void PK11_PQG_DestroyVerify(PQGVerify *vfy);
+
+/**************************************************************************
+ *  Return a pointer to a new PQGParams struct that is constructed from   *
+ *  copies of the arguments passed in.                                    *
+ *  Return NULL on failure.                                               *
+ **************************************************************************/
+extern PQGParams * PK11_PQG_NewParams(const SECItem * prime, const 
+				SECItem * subPrime, const SECItem * base);
+
+
+/**************************************************************************
+ * Fills in caller's "prime" SECItem with the prime value in params.
+ * Contents can be freed by calling SECITEM_FreeItem(prime, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus PK11_PQG_GetPrimeFromParams(const PQGParams *params, 
+							SECItem * prime);
+
+
+/**************************************************************************
+ * Fills in caller's "subPrime" SECItem with the prime value in params.
+ * Contents can be freed by calling SECITEM_FreeItem(subPrime, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus PK11_PQG_GetSubPrimeFromParams(const PQGParams *params, 
+							SECItem * subPrime);
+
+
+/**************************************************************************
+ * Fills in caller's "base" SECItem with the base value in params.
+ * Contents can be freed by calling SECITEM_FreeItem(base, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus PK11_PQG_GetBaseFromParams(const PQGParams *params, 
+							SECItem *base);
+
+
+/**************************************************************************
+ *  Return a pointer to a new PQGVerify struct that is constructed from   *
+ *  copies of the arguments passed in.                                    *
+ *  Return NULL on failure.                                               *
+ **************************************************************************/
+extern PQGVerify * PK11_PQG_NewVerify(unsigned int counter, 
+				const SECItem * seed, const SECItem * h);
+
+
+/**************************************************************************
+ * Returns "counter" value from the PQGVerify.
+ **************************************************************************/
+extern unsigned int PK11_PQG_GetCounterFromVerify(const PQGVerify *verify);
+
+/**************************************************************************
+ * Fills in caller's "seed" SECItem with the seed value in verify.
+ * Contents can be freed by calling SECITEM_FreeItem(seed, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus PK11_PQG_GetSeedFromVerify(const PQGVerify *verify, 
+							SECItem *seed);
+
+/**************************************************************************
+ * Fills in caller's "h" SECItem with the h value in verify.
+ * Contents can be freed by calling SECITEM_FreeItem(h, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus PK11_PQG_GetHFromVerify(const PQGVerify *verify, SECItem * h);
+
+#endif
diff --git a/security/nss/lib/pk11wrap/pk11sdr.c b/security/nss/lib/pk11wrap/pk11sdr.c
new file mode 100644
index 000000000..630be0245
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11sdr.c
@@ -0,0 +1,295 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ *   thayes@netscape.com
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * PKCS #11 Wrapper functions which handles authenticating to the card's
+ * choosing the best cards, etc.
+ */
+
+#include "seccomon.h"
+#include "secoid.h"
+#include "secasn1.h"
+#include "pkcs11.h"
+#include "pk11func.h"
+#include "pk11sdr.h"
+
+/*
+ * Data structure and template for encoding the result of an SDR operation
+ *  This is temporary.  It should include the algorithm ID of the encryption mechanism
+ */
+struct SDRResult
+{
+  SECItem keyid;
+  SECAlgorithmID alg;
+  SECItem data;
+};
+typedef struct SDRResult SDRResult;
+
+static SEC_ASN1Template template[] = {
+  { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (SDRResult) },
+  { SEC_ASN1_OCTET_STRING, offsetof(SDRResult, keyid) },
+  { SEC_ASN1_INLINE, offsetof(SDRResult, alg), SECOID_AlgorithmIDTemplate },
+  { SEC_ASN1_OCTET_STRING, offsetof(SDRResult, data) },
+  { 0 }
+};
+
+static unsigned char keyID[] = {
+  0xF8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
+};
+
+static SECItem keyIDItem = {
+  0,
+  keyID,
+  sizeof keyID
+};
+
+/* local utility function for padding an incoming data block
+ * to the mechanism block size.
+ */
+static SECStatus
+padBlock(SECItem *data, int blockSize, SECItem *result)
+{
+  SECStatus rv = SECSuccess;
+  int padLength;
+  unsigned int i;
+
+  result->data = 0;
+  result->len = 0;
+
+  /* This algorithm always adds to the block (to indicate the number
+   * of pad bytes).  So allocate a block large enough.
+   */
+  padLength = blockSize - (data->len % blockSize);
+  result->len = data->len + padLength;
+  result->data = (unsigned char *)PORT_Alloc(result->len);
+
+  /* Copy the data */
+  PORT_Memcpy(result->data, data->data, data->len);
+
+  /* Add the pad values */
+  for(i = data->len; i < result->len; i++)
+    result->data[i] = (unsigned char)padLength;
+
+  return rv;
+}
+
+static SECStatus
+unpadBlock(SECItem *data, int blockSize, SECItem *result)
+{
+  SECStatus rv = SECSuccess;
+  int padLength;
+
+  result->data = 0;
+  result->len = 0;
+
+  /* Remove the padding from the end if the input data */
+  if (data->len == 0 || data->len % blockSize  != 0) { rv = SECFailure; goto loser; }
+
+  padLength = data->data[data->len-1];
+  if (padLength > blockSize) { rv = SECFailure; goto loser; }
+
+  result->len = data->len - padLength;
+  result->data = (unsigned char *)PORT_Alloc(result->len);
+  if (!result->data) { rv = SECFailure; goto loser; }
+
+  PORT_Memcpy(result->data, data->data, result->len);
+
+loser:
+  return rv;
+}
+
+/*
+ * PK11SDR_Encrypt
+ *  Encrypt a block of data using the symmetric key identified.  The result
+ *  is an ASN.1 (DER) encoded block of keyid, params and data.
+ */
+SECStatus
+PK11SDR_Encrypt(SECItem *keyid, SECItem *data, SECItem *result, void *cx)
+{
+  SECStatus rv = SECSuccess;
+  PK11SlotInfo *slot = 0;
+  PK11SymKey *key = 0;
+  SECItem *params = 0;
+  PK11Context *ctx = 0;
+  CK_MECHANISM_TYPE type;
+  SDRResult sdrResult;
+  SECItem paddedData;
+  SECItem *pKeyID;
+  PLArenaPool *arena = 0;
+
+  /* Initialize */
+  paddedData.len = 0;
+  paddedData.data = 0;
+
+  arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+  if (!arena) { rv = SECFailure; goto loser; }
+
+  /* 1. Locate the requested keyid, or the default key (which has a keyid)
+   * 2. Create an encryption context
+   * 3. Encrypt
+   * 4. Encode the results (using ASN.1)
+   */
+
+  slot = PK11_GetInternalKeySlot();
+  if (!slot) { rv = SECFailure; goto loser; }
+
+  /* Use triple-DES */
+  type = CKM_DES3_CBC;
+
+  /*
+   * Login to the internal token before we look for the key, otherwise we
+   * won't find it.
+   */
+  rv = PK11_Authenticate(slot, PR_TRUE, cx);
+  if (rv != SECSuccess) goto loser;
+
+  /* Find the key to use */
+  pKeyID = keyid;
+  if (pKeyID->len == 0) {
+	  pKeyID = &keyIDItem;  /* Use default value */
+
+	  /* Try to find the key */
+	  key = PK11_FindFixedKey(slot, type, pKeyID, cx);
+	  
+	  /* If the default key doesn't exist yet, try to create it */
+	  if (!key) key = PK11_GenDES3TokenKey(slot, pKeyID, cx);
+  } else {
+	  key = PK11_FindFixedKey(slot, type, pKeyID, cx);
+  }
+
+  if (!key) { rv = SECFailure; goto loser; }
+
+  params = PK11_GenerateNewParam(type, key);
+  if (!params) { rv = SECFailure; goto loser; }
+
+  ctx = PK11_CreateContextBySymKey(type, CKA_ENCRYPT, key, params);
+  if (!ctx) { rv = SECFailure; goto loser; }
+
+  rv = padBlock(data, PK11_GetBlockSize(type, 0), &paddedData);
+  if (rv != SECSuccess) goto loser;
+
+  sdrResult.data.len = paddedData.len;
+  sdrResult.data.data = (unsigned char *)PORT_ArenaAlloc(arena, sdrResult.data.len);
+
+  rv = PK11_CipherOp(ctx, sdrResult.data.data, (int*)&sdrResult.data.len, sdrResult.data.len,
+                     paddedData.data, paddedData.len);
+  if (rv != SECSuccess) goto loser;
+
+  PK11_Finalize(ctx);
+
+  sdrResult.keyid = *pKeyID;
+
+  rv = PK11_ParamToAlgid(SEC_OID_DES_EDE3_CBC, params, arena, &sdrResult.alg);
+  if (rv != SECSuccess) goto loser;
+
+  if (!SEC_ASN1EncodeItem(0, result, &sdrResult, template)) { rv = SECFailure; goto loser; }
+
+loser:
+  SECITEM_ZfreeItem(&paddedData, PR_FALSE);
+  if (arena) PORT_FreeArena(arena, PR_TRUE);
+  if (ctx) PK11_DestroyContext(ctx, PR_TRUE);
+  if (params) SECITEM_ZfreeItem(params, PR_TRUE);
+  if (key) PK11_FreeSymKey(key);
+  if (slot) PK11_FreeSlot(slot);
+
+  return rv;
+}
+
+/*
+ * PK11SDR_Decrypt
+ *  Decrypt a block of data produced by PK11SDR_Encrypt.  The key used is identified
+ *  by the keyid field within the input.
+ */
+SECStatus
+PK11SDR_Decrypt(SECItem *data, SECItem *result, void *cx)
+{
+  SECStatus rv = SECSuccess;
+  PK11SlotInfo *slot = 0;
+  PK11SymKey *key = 0;
+  PK11Context *ctx = 0;
+  CK_MECHANISM_TYPE type;
+  SDRResult sdrResult;
+  SECItem *params = 0;
+  SECItem paddedResult;
+  PLArenaPool *arena = 0;
+
+  paddedResult.len = 0;
+  paddedResult.data = 0;
+
+  arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+  if (!arena) { rv = SECFailure; goto loser; }
+
+  /* Decode the incoming data */
+  memset(&sdrResult, 0, sizeof sdrResult);
+  rv = SEC_ASN1DecodeItem(arena, &sdrResult, template, data);
+  if (rv != SECSuccess) goto loser;  /* Invalid format */
+
+  /* Find the slot and key for the given keyid */
+  slot = PK11_GetInternalKeySlot();
+  if (!slot) { rv = SECFailure; goto loser; }
+
+  /* Use triple-DES (Should look up the algorithm) */
+  type = CKM_DES3_CBC;
+  key = PK11_FindFixedKey(slot, type, &sdrResult.keyid, cx);
+  if (!key) { rv = SECFailure; goto loser; }
+
+  /* Get the parameter values from the data */
+  params = PK11_ParamFromAlgid(&sdrResult.alg);
+  if (!params) { rv = SECFailure; goto loser; }
+
+  ctx = PK11_CreateContextBySymKey(type, CKA_DECRYPT, key, params);
+  if (!ctx) { rv = SECFailure; goto loser; }
+
+  paddedResult.len = sdrResult.data.len;
+  paddedResult.data = PORT_ArenaAlloc(arena, paddedResult.len);
+
+  rv = PK11_CipherOp(ctx, paddedResult.data, (int*)&paddedResult.len, paddedResult.len,
+                     sdrResult.data.data, sdrResult.data.len);
+  if (rv != SECSuccess) goto loser;
+
+  PK11_Finalize(ctx);
+
+  /* Remove the padding */
+  rv = unpadBlock(&paddedResult, PK11_GetBlockSize(type, 0), result);
+  if (rv) goto loser;
+
+loser:
+  /* SECITEM_ZfreeItem(&paddedResult, PR_FALSE); */
+  if (arena) PORT_FreeArena(arena, PR_TRUE);
+  if (ctx) PK11_DestroyContext(ctx, PR_TRUE);
+  if (key) PK11_FreeSymKey(key);
+  if (params) SECITEM_ZfreeItem(params, PR_TRUE);
+  if (slot) PK11_FreeSlot(slot);
+
+  return rv;
+}
diff --git a/security/nss/lib/pk11wrap/pk11sdr.h b/security/nss/lib/pk11wrap/pk11sdr.h
new file mode 100644
index 000000000..652098cad
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11sdr.h
@@ -0,0 +1,59 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * PKCS #11 Wrapper functions which handles authenticating to the card's
+ * choosing the best cards, etc.
+ */
+
+#ifndef _PK11SDR_H_
+#define _PK11SDR_H_
+
+#include "seccomon.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+ * PK11SDR_Encrypt - encrypt data using the specified key id or SDR default
+ *
+ */
+SECStatus
+PK11SDR_Encrypt(SECItem *keyid, SECItem *data, SECItem *result, void *cx);
+
+/*
+ * PK11SDR_Decrypt - decrypt data previously encrypted with PK11SDR_Encrypt
+ */
+SECStatus
+PK11SDR_Decrypt(SECItem *data, SECItem *result, void *cx);
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c
new file mode 100644
index 000000000..b77b718fb
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11skey.c
@@ -0,0 +1,4953 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s): 
+ *	Dr Stephen Henson <stephen.henson@gemplus.com>
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * This file implements the Symkey wrapper and the PKCS context
+ * Interfaces.
+ */
+
+#include "seccomon.h"
+#include "secmod.h"
+#include "nssilock.h"
+#include "secmodi.h"
+#include "pkcs11.h"
+#include "pk11func.h"
+#include "secitem.h"
+#include "key.h"
+#include "secoid.h"
+#include "secasn1.h"
+#include "sechash.h"
+#include "cert.h"
+#include "secerr.h"
+#include "secpkcs5.h" 
+
+#define PAIRWISE_SECITEM_TYPE			siBuffer
+#define PAIRWISE_DIGEST_LENGTH			SHA1_LENGTH /* 160-bits */
+#define PAIRWISE_MESSAGE_LENGTH			20          /* 160-bits */
+
+/* forward static declarations. */
+static PK11SymKey *pk11_DeriveWithTemplate(PK11SymKey *baseKey, 
+	CK_MECHANISM_TYPE derive, SECItem *param, CK_MECHANISM_TYPE target, 
+	CK_ATTRIBUTE_TYPE operation, int keySize, CK_ATTRIBUTE *userAttr, 
+	unsigned int numAttrs);
+
+
+/*
+ * strip leading zero's from key material
+ */
+void
+pk11_SignedToUnsigned(CK_ATTRIBUTE *attrib) {
+    char *ptr = (char *)attrib->pValue;
+    unsigned long len = attrib->ulValueLen;
+
+    while (len && (*ptr == 0)) {
+	len--;
+	ptr++;
+    }
+    attrib->pValue = ptr;
+    attrib->ulValueLen = len;
+}
+
+/*
+ * get a new session on a slot. If we run out of session, use the slot's
+ * 'exclusive' session. In this case owner becomes false.
+ */
+static CK_SESSION_HANDLE
+pk11_GetNewSession(PK11SlotInfo *slot,PRBool *owner)
+{
+    CK_SESSION_HANDLE session;
+    *owner =  PR_TRUE;
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    if ( PK11_GETTAB(slot)->C_OpenSession(slot->slotID,CKF_SERIAL_SESSION, 
+			slot,pk11_notify,&session) != CKR_OK) {
+	*owner = PR_FALSE;
+	session = slot->session;
+    }
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+
+    return session;
+}
+
+static void
+pk11_CloseSession(PK11SlotInfo *slot,CK_SESSION_HANDLE session,PRBool owner)
+{
+    if (!owner) return;
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    (void) PK11_GETTAB(slot)->C_CloseSession(session);
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+}
+
+
+SECStatus
+PK11_CreateNewObject(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
+				CK_ATTRIBUTE *theTemplate, int count, 
+				PRBool token, CK_OBJECT_HANDLE *objectID)
+{
+	CK_SESSION_HANDLE rwsession;
+	CK_RV crv;
+	SECStatus rv = SECSuccess;
+
+	rwsession = session;
+	if (rwsession == CK_INVALID_SESSION) {
+	    if (token) {
+		rwsession =  PK11_GetRWSession(slot);
+	    } else { 
+		rwsession =  slot->session;
+		PK11_EnterSlotMonitor(slot);
+	    }
+	}
+	crv = PK11_GETTAB(slot)->C_CreateObject(rwsession, theTemplate,
+							count,objectID);
+	if(crv != CKR_OK) {
+	    PORT_SetError( PK11_MapError(crv) );
+	    rv = SECFailure;
+	}
+
+	if (session == CK_INVALID_SESSION) {
+	    if (token) {
+		PK11_RestoreROSession(slot, rwsession);
+	    } else {
+		PK11_ExitSlotMonitor(slot);
+	    }
+        }
+
+	return rv;
+}
+
+static void
+pk11_EnterKeyMonitor(PK11SymKey *symKey) {
+    if (!symKey->sessionOwner || !(symKey->slot->isThreadSafe)) 
+	PK11_EnterSlotMonitor(symKey->slot);
+}
+
+static void
+pk11_ExitKeyMonitor(PK11SymKey *symKey) {
+    if (!symKey->sessionOwner || !(symKey->slot->isThreadSafe)) 
+    	PK11_ExitSlotMonitor(symKey->slot);
+}
+
+
+static PK11SymKey *
+pk11_getKeyFromList(PK11SlotInfo *slot) {
+    PK11SymKey *symKey = NULL;
+
+
+    PK11_USE_THREADS(PZ_Lock(slot->freeListLock);)
+    if (slot->freeSymKeysHead) {
+    	symKey = slot->freeSymKeysHead;
+	slot->freeSymKeysHead = symKey->next;
+	slot->keyCount--;
+    }
+    PK11_USE_THREADS(PZ_Unlock(slot->freeListLock);)
+    if (symKey) {
+	symKey->next = NULL;
+	if ((symKey->series != slot->series) || (!symKey->sessionOwner))
+    	    symKey->session = pk11_GetNewSession(slot,&symKey->sessionOwner);
+	return symKey;
+    }
+
+    symKey = (PK11SymKey *)PORT_ZAlloc(sizeof(PK11SymKey));
+    if (symKey == NULL) {
+	return NULL;
+    }
+    symKey->refLock = PZ_NewLock(nssILockRefLock);
+    if (symKey->refLock == NULL) {
+	PORT_Free(symKey);
+	return NULL;
+    }
+    symKey->session = pk11_GetNewSession(slot,&symKey->sessionOwner);
+    symKey->next = NULL;
+    return symKey;
+}
+
+void
+PK11_CleanKeyList(PK11SlotInfo *slot)
+{
+    PK11SymKey *symKey = NULL;
+
+    while (slot->freeSymKeysHead) {
+    	symKey = slot->freeSymKeysHead;
+	slot->freeSymKeysHead = symKey->next;
+	pk11_CloseSession(slot, symKey->session,symKey->sessionOwner);
+	PK11_USE_THREADS(PZ_DestroyLock(symKey->refLock);)
+	PORT_Free(symKey);
+    };
+    return;
+}
+
+/*
+ * create a symetric key:
+ *      Slot is the slot to create the key in.
+ *      type is the mechainism type 
+ */
+PK11SymKey *
+PK11_CreateSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, void *wincx)
+{
+
+    PK11SymKey *symKey = pk11_getKeyFromList(slot);
+
+
+    if (symKey == NULL) {
+	return NULL;
+    }
+
+    symKey->type = type;
+    symKey->data.data = NULL;
+    symKey->data.len = 0;
+    symKey->owner = PR_TRUE;
+    symKey->objectID = CK_INVALID_HANDLE;
+    symKey->slot = slot;
+    symKey->series = slot->series;
+    symKey->cx = wincx;
+    symKey->size = 0;
+    symKey->refCount = 1;
+    symKey->origin = PK11_OriginNULL;
+    symKey->origin = PK11_OriginNULL;
+    PK11_ReferenceSlot(slot);
+    return symKey;
+}
+
+/*
+ * destroy a symetric key
+ */
+void
+PK11_FreeSymKey(PK11SymKey *symKey)
+{
+    PRBool destroy = PR_FALSE;
+    PK11SlotInfo *slot;
+    PRBool freeit = PR_TRUE;
+
+    PK11_USE_THREADS(PZ_Lock(symKey->refLock);)
+     if (symKey->refCount-- == 1) {
+	destroy= PR_TRUE;
+    }
+    PK11_USE_THREADS(PZ_Unlock(symKey->refLock);)
+    if (destroy) {
+	if ((symKey->owner) && symKey->objectID != CK_INVALID_HANDLE) {
+	    pk11_EnterKeyMonitor(symKey);
+	    (void) PK11_GETTAB(symKey->slot)->
+		C_DestroyObject(symKey->session, symKey->objectID);
+	    pk11_ExitKeyMonitor(symKey);
+	}
+	if (symKey->data.data) {
+	    PORT_Memset(symKey->data.data, 0, symKey->data.len);
+	    PORT_Free(symKey->data.data);
+	}
+        slot = symKey->slot;
+        PK11_USE_THREADS(PZ_Lock(slot->freeListLock);)
+	if (slot->keyCount < slot->maxKeyCount) {
+	   symKey->next = slot->freeSymKeysHead;
+	   slot->freeSymKeysHead = symKey;
+	   slot->keyCount++;
+	   symKey->slot = NULL;
+	   freeit = PR_FALSE;
+        }
+	PK11_USE_THREADS(PZ_Unlock(slot->freeListLock);)
+        if (freeit) {
+	    pk11_CloseSession(symKey->slot, symKey->session,
+							symKey->sessionOwner);
+	    PK11_USE_THREADS(PZ_DestroyLock(symKey->refLock);)
+	    PORT_Free(symKey);
+	}
+	PK11_FreeSlot(slot);
+    }
+}
+
+PK11SymKey *
+PK11_ReferenceSymKey(PK11SymKey *symKey)
+{
+    PK11_USE_THREADS(PZ_Lock(symKey->refLock);)
+    symKey->refCount++;
+    PK11_USE_THREADS(PZ_Unlock(symKey->refLock);)
+    return symKey;
+}
+
+/*
+ * turn key handle into an appropriate key object
+ */
+PK11SymKey *
+PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent, PK11Origin origin,
+    CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID, PRBool owner, void *wincx)
+{
+    PK11SymKey *symKey;
+
+    if (keyID == CK_INVALID_HANDLE) {
+	return NULL;
+    }
+
+    symKey = PK11_CreateSymKey(slot,type,wincx);
+    if (symKey == NULL) {
+	return NULL;
+    }
+
+    symKey->objectID = keyID;
+    symKey->origin = origin;
+    symKey->owner = owner;
+
+    /* adopt the parent's session */
+    /* This is only used by SSL. What we really want here is a session
+     * structure with a ref count so  the session goes away only after all the
+     * keys do. */
+    if (owner && parent) {
+	pk11_CloseSession(symKey->slot, symKey->session,symKey->sessionOwner);
+	symKey->sessionOwner = parent->sessionOwner;
+	symKey->session = parent->session;
+	parent->sessionOwner = PR_FALSE;
+    }
+
+    return symKey;
+}
+
+/*
+ * turn key handle into an appropriate key object
+ */
+PK11SymKey *
+PK11_GetWrapKey(PK11SlotInfo *slot, int wrap, CK_MECHANISM_TYPE type,
+						    int series, void *wincx)
+{
+    PK11SymKey *symKey = NULL;
+
+    if (slot->series != series) return NULL;
+    if (slot->refKeys[wrap] == CK_INVALID_HANDLE) return NULL;
+    if (type == CKM_INVALID_MECHANISM) type = slot->wrapMechanism;
+
+    symKey = PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive,
+		 slot->wrapMechanism, slot->refKeys[wrap], PR_FALSE, wincx);
+    return symKey;
+}
+
+void
+PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey)
+{
+    /* save the handle and mechanism for the wrapping key */
+    /* mark the key and session as not owned by us to they don't get freed
+     * when the key goes way... that lets us reuse the key later */
+    slot->refKeys[wrap] = wrapKey->objectID;
+    wrapKey->owner = PR_FALSE;
+    wrapKey->sessionOwner = PR_FALSE;
+    slot->wrapMechanism = wrapKey->type;
+}
+
+CK_MECHANISM_TYPE
+PK11_GetMechanism(PK11SymKey *symKey)
+{
+    return symKey->type;
+}
+
+/*
+ * figure out if a key is still valid or if it is stale.
+ */
+PRBool
+PK11_VerifyKeyOK(PK11SymKey *key) {
+    if (!PK11_IsPresent(key->slot)) {
+	return PR_FALSE;
+    }
+    return (PRBool)(key->series == key->slot->series);
+}
+
+#define MAX_TEMPL_ATTRS 16 /* maximum attributes in template */
+
+/* This mask includes all CK_FLAGs with an equivalent CKA_ attribute. */
+#define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL
+
+static unsigned int
+pk11_FlagsToAttributes(CK_FLAGS flags, CK_ATTRIBUTE *attrs, CK_BBOOL *ckTrue)
+{
+
+    const static CK_ATTRIBUTE_TYPE attrTypes[12] = {
+	CKA_ENCRYPT,      CKA_DECRYPT, 0 /* DIGEST */,     CKA_SIGN,
+	CKA_SIGN_RECOVER, CKA_VERIFY,  CKA_VERIFY_RECOVER, 0 /* GEN */,
+	0 /* GEN PAIR */, CKA_WRAP,    CKA_UNWRAP,         CKA_DERIVE 
+    };
+
+    const CK_ATTRIBUTE_TYPE *pType	= attrTypes;
+          CK_ATTRIBUTE      *attr	= attrs;
+          CK_FLAGS          test	= CKF_ENCRYPT;
+
+
+    PR_ASSERT(!(flags & ~CKF_KEY_OPERATION_FLAGS));
+    flags &= CKF_KEY_OPERATION_FLAGS;
+
+    for (; flags && test <= CKF_DERIVE; test <<= 1, ++pType) {
+    	if (test & flags) {
+	    flags ^= test;
+	    PK11_SETATTRS(attr, *pType, ckTrue, sizeof *ckTrue); 
+	    ++attr;
+	}
+    }
+    return (attr - attrs);
+}
+
+static PK11SymKey *
+pk11_ImportSymKeyWithTempl(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+                  PK11Origin origin, CK_ATTRIBUTE *keyTemplate, 
+		  unsigned int templateCount, SECItem *key, void *wincx)
+{
+    PK11SymKey *    symKey;
+    SECStatus	    rv;
+
+    symKey = PK11_CreateSymKey(slot,type,wincx);
+    if (symKey == NULL) {
+	return NULL;
+    }
+
+    symKey->size = key->len;
+
+    PK11_SETATTRS(&keyTemplate[templateCount], CKA_VALUE, key->data, key->len);
+    templateCount++;
+
+    if (SECITEM_CopyItem(NULL,&symKey->data,key) != SECSuccess) {
+	PK11_FreeSymKey(symKey);
+	return NULL;
+    }
+
+    symKey->origin = origin;
+
+    /* import the keys */
+    rv = PK11_CreateNewObject(slot, symKey->session, keyTemplate,
+		 	templateCount, PR_FALSE, &symKey->objectID);
+    if ( rv != SECSuccess) {
+	PK11_FreeSymKey(symKey);
+	return NULL;
+    }
+
+    return symKey;
+}
+
+/*
+ * turn key bits into an appropriate key object
+ */
+PK11SymKey *
+PK11_ImportSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+     PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key,void *wincx)
+{
+    PK11SymKey *    symKey;
+    unsigned int    templateCount = 0;
+    CK_OBJECT_CLASS keyClass 	= CKO_SECRET_KEY;
+    CK_KEY_TYPE     keyType 	= CKK_GENERIC_SECRET;
+    CK_BBOOL        cktrue 	= CK_TRUE; /* sigh */
+    CK_ATTRIBUTE    keyTemplate[5];
+    CK_ATTRIBUTE *  attrs 	= keyTemplate;
+
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++;
+    PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++;
+    templateCount = attrs - keyTemplate;
+    PR_ASSERT(templateCount+1 <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
+
+    keyType = PK11_GetKeyType(type,key->len);
+    symKey = pk11_ImportSymKeyWithTempl(slot, type, origin, keyTemplate, 
+    					templateCount, key, wincx);
+    return symKey;
+}
+
+
+/*
+ * turn key bits into an appropriate key object
+ */
+PK11SymKey *
+PK11_ImportSymKeyWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+     PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key,
+     CK_FLAGS flags, PRBool isPerm, void *wincx)
+{
+    PK11SymKey *    symKey;
+    unsigned int    templateCount = 0;
+    CK_OBJECT_CLASS keyClass 	= CKO_SECRET_KEY;
+    CK_KEY_TYPE     keyType 	= CKK_GENERIC_SECRET;
+    CK_BBOOL        cktrue 	= CK_TRUE; /* sigh */
+    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
+    CK_ATTRIBUTE *  attrs 	= keyTemplate;
+
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++;
+    if (isPerm) {
+	PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(keyType) ); attrs++;
+    }
+    templateCount = attrs - keyTemplate;
+    templateCount += pk11_FlagsToAttributes(flags, attrs, &cktrue);
+    PR_ASSERT(templateCount+1 <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
+
+    keyType = PK11_GetKeyType(type,key->len);
+    symKey = pk11_ImportSymKeyWithTempl(slot, type, origin, keyTemplate, 
+    					templateCount, key, wincx);
+    if (isPerm) {
+	symKey->owner = PR_FALSE;
+    }
+    return symKey;
+}
+
+/*
+ * import a public key into the desired slot
+ */
+CK_OBJECT_HANDLE
+PK11_ImportPublicKey(PK11SlotInfo *slot, SECKEYPublicKey *pubKey, 
+								PRBool isToken)
+{
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
+    CK_OBJECT_HANDLE objectID;
+    CK_ATTRIBUTE theTemplate[10];
+    CK_ATTRIBUTE *signedattr = NULL;
+    CK_ATTRIBUTE *attrs = theTemplate;
+    int signedcount = 0;
+    int templateCount = 0;
+    SECStatus rv;
+
+    /* if we already have an object in the desired slot, use it */
+    if (!isToken && pubKey->pkcs11Slot == slot) {
+	return pubKey->pkcs11ID;
+    }
+
+    /* free the existing key */
+    if (pubKey->pkcs11Slot != NULL) {
+	PK11SlotInfo *oSlot = pubKey->pkcs11Slot;
+	PK11_EnterSlotMonitor(oSlot);
+	(void) PK11_GETTAB(oSlot)->C_DestroyObject(oSlot->session,
+							pubKey->pkcs11ID);
+	PK11_ExitSlotMonitor(oSlot);
+	PK11_FreeSlot(oSlot);
+	pubKey->pkcs11Slot = NULL;
+    }
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++;
+    PK11_SETATTRS(attrs, CKA_TOKEN, isToken ? &cktrue : &ckfalse,
+						 sizeof(CK_BBOOL) ); attrs++;
+
+    /* now import the key */
+    {
+        switch (pubKey->keyType) {
+        case rsaKey:
+	    keyType = CKK_RSA;
+	    PK11_SETATTRS(attrs, CKA_WRAP, &cktrue, sizeof(CK_BBOOL) ); attrs++;
+	    PK11_SETATTRS(attrs, CKA_ENCRYPT, &cktrue, 
+						sizeof(CK_BBOOL) ); attrs++;
+	    PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL)); attrs++;
+ 	    signedattr = attrs;
+	    PK11_SETATTRS(attrs, CKA_MODULUS, pubKey->u.rsa.modulus.data,
+					 pubKey->u.rsa.modulus.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, 
+	     	pubKey->u.rsa.publicExponent.data,
+				 pubKey->u.rsa.publicExponent.len); attrs++;
+	    break;
+        case dsaKey:
+	    keyType = CKK_DSA;
+	    PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));attrs++;
+ 	    signedattr = attrs;
+	    PK11_SETATTRS(attrs, CKA_PRIME,    pubKey->u.dsa.params.prime.data,
+				pubKey->u.dsa.params.prime.len); attrs++;
+	    PK11_SETATTRS(attrs,CKA_SUBPRIME,pubKey->u.dsa.params.subPrime.data,
+				pubKey->u.dsa.params.subPrime.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_BASE,  pubKey->u.dsa.params.base.data,
+					pubKey->u.dsa.params.base.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_VALUE,    pubKey->u.dsa.publicValue.data, 
+					pubKey->u.dsa.publicValue.len); attrs++;
+	    break;
+	case fortezzaKey:
+	    keyType = CKK_DSA;
+	    PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));attrs++;
+ 	    signedattr = attrs;
+	    PK11_SETATTRS(attrs, CKA_PRIME,pubKey->u.fortezza.params.prime.data,
+				pubKey->u.fortezza.params.prime.len); attrs++;
+	    PK11_SETATTRS(attrs,CKA_SUBPRIME,
+				pubKey->u.fortezza.params.subPrime.data,
+				pubKey->u.fortezza.params.subPrime.len);attrs++;
+	    PK11_SETATTRS(attrs, CKA_BASE,  pubKey->u.fortezza.params.base.data,
+				pubKey->u.fortezza.params.base.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.fortezza.DSSKey.data, 
+				pubKey->u.fortezza.DSSKey.len); attrs++;
+            break;
+        case dhKey:
+	    keyType = CKK_DH;
+	    PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));attrs++;
+ 	    signedattr = attrs;
+	    PK11_SETATTRS(attrs, CKA_PRIME,    pubKey->u.dh.prime.data,
+				pubKey->u.dh.prime.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_BASE,  pubKey->u.dh.base.data,
+					pubKey->u.dh.base.len); attrs++;
+	    PK11_SETATTRS(attrs, CKA_VALUE,    pubKey->u.dh.publicValue.data, 
+					pubKey->u.dh.publicValue.len); attrs++;
+	    break;
+	/* what about fortezza??? */
+	default:
+	    PORT_SetError( SEC_ERROR_BAD_KEY );
+	    return CK_INVALID_HANDLE;
+	}
+
+	templateCount = attrs - theTemplate;
+	signedcount = attrs - signedattr;
+	PORT_Assert(templateCount <= (sizeof(theTemplate)/sizeof(CK_ATTRIBUTE)));
+	for (attrs=signedattr; signedcount; attrs++, signedcount--) {
+		pk11_SignedToUnsigned(attrs);
+	} 
+        rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, theTemplate,
+				 	templateCount, isToken, &objectID);
+	if ( rv != SECSuccess) {
+	    return CK_INVALID_HANDLE;
+	}
+    }
+
+    pubKey->pkcs11ID = objectID;
+    pubKey->pkcs11Slot = PK11_ReferenceSlot(slot);
+
+    return objectID;
+}
+
+
+/*
+ * return the slot associated with a symetric key
+ */
+PK11SlotInfo *
+PK11_GetSlotFromKey(PK11SymKey *symKey)
+{
+    return PK11_ReferenceSlot(symKey->slot);
+}
+
+PK11SymKey *
+PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *keyID,
+								void *wincx)
+{
+    CK_ATTRIBUTE findTemp[4];
+    CK_ATTRIBUTE *attrs;
+    CK_BBOOL ckTrue = CK_TRUE;
+    CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY;
+    int tsize = 0;
+    CK_OBJECT_HANDLE key_id;
+
+    attrs = findTemp;
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++;
+    if (keyID) {
+        PK11_SETATTRS(attrs, CKA_ID, keyID->data, keyID->len); attrs++;
+    }
+    tsize = attrs - findTemp;
+    PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE));
+
+    key_id = pk11_FindObjectByTemplate(slot,findTemp,tsize);
+    if (key_id == CK_INVALID_HANDLE) {
+	return NULL;
+    }
+    return PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive, type, key_id,
+		 				PR_FALSE, wincx);
+}
+
+PK11SymKey *
+PK11_ListFixedKeysInSlot(PK11SlotInfo *slot, char *nickname, void *wincx)
+{
+    CK_ATTRIBUTE findTemp[4];
+    CK_ATTRIBUTE *attrs;
+    CK_BBOOL ckTrue = CK_TRUE;
+    CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY;
+    int tsize = 0;
+    int objCount = 0;
+    CK_OBJECT_HANDLE *key_ids;
+    PK11SymKey *nextKey = NULL;
+    PK11SymKey *topKey = NULL;
+    int i,len;
+
+    attrs = findTemp;
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++;
+    if (nickname) {
+	len = PORT_Strlen(nickname)-1;
+	PK11_SETATTRS(attrs, CKA_LABEL, nickname, len); attrs++;
+    }
+    tsize = attrs - findTemp;
+    PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE));
+
+    key_ids = pk11_FindObjectsByTemplate(slot,findTemp,tsize,&objCount);
+    if (key_ids == NULL) {
+	return NULL;
+    }
+
+    for (i=0; i < objCount ; i++) {
+	nextKey = PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive, 
+			CKM_INVALID_MECHANISM, key_ids[i], PR_FALSE, wincx);
+	if (nextKey) {
+	    nextKey->next = topKey;
+	    topKey = nextKey;
+	}
+   }
+   PORT_Free(key_ids);
+   return topKey;
+}
+
+void *
+PK11_GetWindow(PK11SymKey *key)
+{
+   return key->cx;
+}
+    
+
+/*
+ * extract a symetric key value. NOTE: if the key is sensitive, we will
+ * not be able to do this operation. This function is used to move
+ * keys from one token to another */
+SECStatus
+PK11_ExtractKeyValue(PK11SymKey *symKey)
+{
+
+    if (symKey->data.data != NULL) return SECSuccess;
+
+    if (symKey->slot == NULL) {
+	PORT_SetError( SEC_ERROR_INVALID_KEY );
+	return SECFailure;
+    }
+
+    return PK11_ReadAttribute(symKey->slot,symKey->objectID,CKA_VALUE,NULL,
+				&symKey->data);
+}
+
+SECStatus
+PK11_DeleteTokenSymKey(PK11SymKey *symKey)
+{
+    if (!PK11_IsPermObject(symKey->slot, symKey->objectID)) {
+	return SECFailure;
+    }
+    PK11_DestroyTokenObject(symKey->slot,symKey->objectID);
+    symKey->objectID = CK_INVALID_HANDLE;
+    return SECSuccess;
+}
+
+SECItem *
+__PK11_GetKeyData(PK11SymKey *symKey)
+{
+    return &symKey->data;
+}
+
+SECItem *
+PK11_GetKeyData(PK11SymKey *symKey)
+{
+    return __PK11_GetKeyData(symKey);
+}
+
+/*
+ * take an attribute and copy it into a secitem
+ */
+static CK_RV
+pk11_Attr2SecItem(PRArenaPool *arena, CK_ATTRIBUTE *attr, SECItem *item) 
+{
+    item->data = NULL;
+
+    (void)SECITEM_AllocItem(arena, item, attr->ulValueLen);
+    if (item->data == NULL) {
+	return CKR_HOST_MEMORY;
+    } 
+    PORT_Memcpy(item->data, attr->pValue, item->len);
+    return CKR_OK;
+}
+
+/*
+ * extract a public key from a slot and id
+ */
+SECKEYPublicKey *
+PK11_ExtractPublicKey(PK11SlotInfo *slot,KeyType keyType,CK_OBJECT_HANDLE id)
+{
+    CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+    PRArenaPool *arena;
+    PRArenaPool *tmp_arena;
+    SECKEYPublicKey *pubKey;
+    int templateCount = 0;
+    CK_KEY_TYPE pk11KeyType;
+    CK_RV crv;
+    CK_ATTRIBUTE template[8];
+    CK_ATTRIBUTE *attrs= template;
+    CK_ATTRIBUTE *modulus,*exponent,*base,*prime,*subprime,*value;
+
+    /* if we didn't know the key type, get it */
+    if (keyType== nullKey) {
+
+        pk11KeyType = PK11_ReadULongAttribute(slot,id,CKA_KEY_TYPE);
+	if (pk11KeyType ==  CK_UNAVAILABLE_INFORMATION) {
+	    return NULL;
+	}
+	switch (pk11KeyType) {
+	case CKK_RSA:
+	    keyType = rsaKey;
+	    break;
+	case CKK_DSA:
+	    keyType = dsaKey;
+	    break;
+	case CKK_DH:
+	    keyType = dhKey;
+	    break;
+	default:
+	    PORT_SetError( SEC_ERROR_BAD_KEY );
+	    return NULL;
+	}
+    }
+
+
+    /* now we need to create space for the public key */
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) return NULL;
+    tmp_arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+    if (tmp_arena == NULL) {
+	PORT_FreeArena (arena, PR_FALSE);
+	return NULL;
+    }
+
+
+    pubKey = (SECKEYPublicKey *) 
+			PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey));
+    if (pubKey == NULL) {
+	PORT_FreeArena (arena, PR_FALSE);
+	PORT_FreeArena (tmp_arena, PR_FALSE);
+	return NULL;
+    }
+
+    pubKey->arena = arena;
+    pubKey->keyType = keyType;
+    pubKey->pkcs11Slot = PK11_ReferenceSlot(slot);
+    pubKey->pkcs11ID = id;
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, 
+						sizeof(keyClass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &pk11KeyType, 
+						sizeof(pk11KeyType) ); attrs++;
+    switch (pubKey->keyType) {
+    case rsaKey:
+	modulus = attrs;
+	PK11_SETATTRS(attrs, CKA_MODULUS, NULL, 0); attrs++; 
+	exponent = attrs;
+	PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, NULL, 0); attrs++; 
+
+	templateCount = attrs - template;
+	PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE));
+	crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount);
+	if (crv != CKR_OK) break;
+
+	if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_RSA)) {
+	    crv = CKR_OBJECT_HANDLE_INVALID;
+	    break;
+	} 
+	crv = pk11_Attr2SecItem(arena,modulus,&pubKey->u.rsa.modulus);
+	if (crv != CKR_OK) break;
+	crv = pk11_Attr2SecItem(arena,exponent,&pubKey->u.rsa.publicExponent);
+	if (crv != CKR_OK) break;
+	break;
+    case dsaKey:
+	prime = attrs;
+	PK11_SETATTRS(attrs, CKA_PRIME, NULL, 0); attrs++; 
+	subprime = attrs;
+	PK11_SETATTRS(attrs, CKA_SUBPRIME, NULL, 0); attrs++; 
+	base = attrs;
+	PK11_SETATTRS(attrs, CKA_BASE, NULL, 0); attrs++; 
+	value = attrs;
+	PK11_SETATTRS(attrs, CKA_VALUE, NULL, 0); attrs++; 
+	templateCount = attrs - template;
+	PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE));
+	crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount);
+	if (crv != CKR_OK) break;
+
+	if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_DSA)) {
+	    crv = CKR_OBJECT_HANDLE_INVALID;
+	    break;
+	} 
+	crv = pk11_Attr2SecItem(arena,prime,&pubKey->u.dsa.params.prime);
+	if (crv != CKR_OK) break;
+	crv = pk11_Attr2SecItem(arena,subprime,&pubKey->u.dsa.params.subPrime);
+	if (crv != CKR_OK) break;
+	crv = pk11_Attr2SecItem(arena,base,&pubKey->u.dsa.params.base);
+	if (crv != CKR_OK) break;
+	crv = pk11_Attr2SecItem(arena,value,&pubKey->u.dsa.publicValue);
+	if (crv != CKR_OK) break;
+	break;
+    case dhKey:
+	prime = attrs;
+	PK11_SETATTRS(attrs, CKA_PRIME, NULL, 0); attrs++; 
+	base = attrs;
+	PK11_SETATTRS(attrs, CKA_BASE, NULL, 0); attrs++; 
+	value =attrs;
+	PK11_SETATTRS(attrs, CKA_VALUE, NULL, 0); attrs++; 
+	templateCount = attrs - template;
+	PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE));
+	crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount);
+	if (crv != CKR_OK) break;
+
+	if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_DH)) {
+	    crv = CKR_OBJECT_HANDLE_INVALID;
+	    break;
+	} 
+	crv = pk11_Attr2SecItem(arena,prime,&pubKey->u.dh.prime);
+	if (crv != CKR_OK) break;
+	crv = pk11_Attr2SecItem(arena,base,&pubKey->u.dh.base);
+	if (crv != CKR_OK) break;
+	crv = pk11_Attr2SecItem(arena,value,&pubKey->u.dh.publicValue);
+	if (crv != CKR_OK) break;
+	break;
+    case fortezzaKey:
+    case nullKey:
+    default:
+	crv = CKR_OBJECT_HANDLE_INVALID;
+	break;
+    }
+
+    PORT_FreeArena(tmp_arena,PR_FALSE);
+
+    if (crv != CKR_OK) {
+	PORT_FreeArena(arena,PR_FALSE);
+	PK11_FreeSlot(slot);
+	PORT_SetError( PK11_MapError(crv) );
+	return NULL;
+    }
+
+    return pubKey;
+}
+
+/*
+ * Build a Private Key structure from raw PKCS #11 information.
+ */
+SECKEYPrivateKey *
+PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType, 
+			PRBool isTemp, CK_OBJECT_HANDLE privID, void *wincx)
+{
+    PRArenaPool *arena;
+    SECKEYPrivateKey *privKey;
+
+    /* don't know? look it up */
+    if (keyType == nullKey) {
+	CK_KEY_TYPE pk11Type = CKK_RSA;
+
+	pk11Type = PK11_ReadULongAttribute(slot,privID,CKA_KEY_TYPE);
+	isTemp = (PRBool)!PK11_HasAttributeSet(slot,privID,CKA_TOKEN);
+	switch (pk11Type) {
+	case CKK_RSA: keyType = rsaKey; break;
+	case CKK_DSA: keyType = dsaKey; break;
+	case CKK_DH: keyType = dhKey; break;
+	case CKK_KEA: keyType = fortezzaKey; break;
+	default:
+		break;
+	}
+    }
+
+    /* now we need to create space for the private key */
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) return NULL;
+
+    privKey = (SECKEYPrivateKey *) 
+			PORT_ArenaZAlloc(arena, sizeof(SECKEYPrivateKey));
+    if (privKey == NULL) {
+	PORT_FreeArena(arena, PR_FALSE);
+	return NULL;
+    }
+
+    privKey->arena = arena;
+    privKey->keyType = keyType;
+    privKey->pkcs11Slot = PK11_ReferenceSlot(slot);
+    privKey->pkcs11ID = privID;
+    privKey->pkcs11IsTemp = isTemp;
+    privKey->wincx = wincx;
+
+    return privKey;
+}
+
+/* return the keylength if possible.  '0' if not */
+unsigned int
+PK11_GetKeyLength(PK11SymKey *key)
+{
+   if (key->size != 0) return key->size ;
+   if (key->data.data == NULL) {
+	PK11_ExtractKeyValue(key);
+   }
+   /* key is probably secret. Look up it's type and length */
+   /*  this is new PKCS #11 version 2.0 functionality. */
+   if (key->size == 0) {
+	CK_ULONG keyLength;
+
+	keyLength = PK11_ReadULongAttribute(key->slot,key->objectID,CKA_VALUE_LEN);
+	/* doesn't have a length field, check the known PKCS #11 key types,
+	 * which don't have this field */
+	if (keyLength == CK_UNAVAILABLE_INFORMATION) {
+	    CK_KEY_TYPE keyType;
+	    keyType = PK11_ReadULongAttribute(key->slot,key->objectID,CKA_KEY_TYPE);
+	    switch (keyType) {
+	    case CKK_DES: key->size = 8; break;
+	    case CKK_DES2: key->size = 16; break;
+	    case CKK_DES3: key->size = 24; break;
+	    case CKK_SKIPJACK: key->size = 10; break;
+	    case CKK_BATON: key->size = 20; break;
+	    case CKK_JUNIPER: key->size = 20; break;
+	    case CKK_GENERIC_SECRET:
+		if (key->type == CKM_SSL3_PRE_MASTER_KEY_GEN)  {
+		    key->size=48;
+		}
+		break;
+	    default: break;
+	    }
+	} else {
+	    key->size = (unsigned int)keyLength;
+	}
+    }
+	
+   return key->size;
+}
+
+/* return the strength of a key. This is different from length in that
+ * 1) it returns the size in bits, and 2) it returns only the secret portions
+ * of the key minus any checksums or parity.
+ */
+unsigned int
+PK11_GetKeyStrength(PK11SymKey *key, SECAlgorithmID *algid) 
+{
+     int size=0;
+     CK_MECHANISM_TYPE mechanism= CKM_INVALID_MECHANISM; /* RC2 only */
+     SECItem *param = NULL; /* RC2 only */
+     CK_RC2_CBC_PARAMS *rc2_params = NULL; /* RC2 ONLY */
+     unsigned int effectiveBits = 0; /* RC2 ONLY */
+
+     switch (PK11_GetKeyType(key->type,0)) {
+     case CKK_CDMF:
+	return 40;
+     case CKK_DES:
+	return 56;
+     case CKK_DES3:
+     case CKK_DES2:
+	size = PK11_GetKeyLength(key);
+	if (size == 16) {
+	   /* double des */
+	   return 112; /* 16*7 */
+	}
+	return 168;
+    /*
+     * RC2 has is different than other ciphers in that it allows the user
+     * to deprecating keysize while still requiring all the bits for the 
+     * original key. The info
+     * on what the effective key strength is in the parameter for the key.
+     * In S/MIME this parameter is stored in the DER encoded algid. In Our 
+     * other uses of RC2, effectiveBits == keyBits, so this code functions
+     * correctly without an algid.
+     */
+    case CKK_RC2:
+	/* if no algid was provided, fall through to default */
+        if (!algid) {
+	    break; 
+	}
+	/* verify that the algid is for RC2 */
+	mechanism = PK11_AlgtagToMechanism(SECOID_GetAlgorithmTag(algid));
+	if ((mechanism != CKM_RC2_CBC) && (mechanism != CKM_RC2_ECB)) {
+	    break;
+	}
+
+	/* now get effective bits from the algorithm ID. */
+	param = PK11_ParamFromAlgid(algid);
+	/* if we couldn't get memory just use key length */
+	if (param == NULL) {
+	    break;
+	}
+
+	rc2_params = (CK_RC2_CBC_PARAMS *) param->data;
+	/* paranoia... shouldn't happen */
+	PORT_Assert(param->data != NULL);
+	if (param->data == NULL) {
+	    SECITEM_FreeItem(param,PR_TRUE);
+	    break;
+	}
+	effectiveBits = (unsigned int)rc2_params->ulEffectiveBits;
+	SECITEM_FreeItem(param,PR_TRUE);
+	param = NULL; rc2_params=NULL; /* paranoia */
+
+	/* we have effective bits, is and allocated memory is free, now
+	 * we need to return the smaller of effective bits and keysize */
+	size = PK11_GetKeyLength(key);
+	if ((unsigned int)size*8 > effectiveBits) {
+	    return effectiveBits;
+	}
+
+	return size*8; /* the actual key is smaller, the strength can't be
+			* greater than the actual key size */
+	
+    default:
+	break;
+    }
+    return PK11_GetKeyLength(key) * 8;
+}
+
+/* Make a Key type to an appropriate signing/verification mechanism */
+static CK_MECHANISM_TYPE
+pk11_mapSignKeyType(KeyType keyType)
+{
+    switch (keyType) {
+    case rsaKey:
+	return CKM_RSA_PKCS;
+    case fortezzaKey:
+    case dsaKey:
+	return CKM_DSA;
+    case dhKey:
+    default:
+	break;
+    }
+    return CKM_INVALID_MECHANISM;
+}
+
+static CK_MECHANISM_TYPE
+pk11_mapWrapKeyType(KeyType keyType)
+{
+    switch (keyType) {
+    case rsaKey:
+	return CKM_RSA_PKCS;
+    /* Add fortezza?? */
+    default:
+	break;
+    }
+    return CKM_INVALID_MECHANISM;
+}
+
+/*
+ * Some non-compliant PKCS #11 vendors do not give us the modulus, so actually
+ * set up a signature to get the signaure length.
+ */
+static int
+pk11_backupGetSignLength(SECKEYPrivateKey *key)
+{
+    PK11SlotInfo *slot = key->pkcs11Slot;
+    CK_MECHANISM mech = {0, NULL, 0 };
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_ULONG len;
+    CK_RV crv;
+    unsigned char h_data[20]  = { 0 };
+    unsigned char buf[20]; /* obviously to small */
+    CK_ULONG smallLen = sizeof(buf);
+
+    mech.mechanism = pk11_mapSignKeyType(key->keyType);
+
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_SignInit(session,&mech,key->pkcs11ID);
+    if (crv != CKR_OK) {
+	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	pk11_CloseSession(slot,session,owner);
+	PORT_SetError( PK11_MapError(crv) );
+	return -1;
+    }
+    len = 0;
+    crv = PK11_GETTAB(slot)->C_Sign(session,h_data,sizeof(h_data),
+					NULL, &len);
+    /* now call C_Sign with too small a buffer to clear the session state */
+    (void) PK11_GETTAB(slot)->
+			C_Sign(session,h_data,sizeof(h_data),buf,&smallLen);
+	
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return -1;
+    }
+    return len;
+}
+/*
+ * get the length of a signature object based on the key
+ */
+int
+PK11_SignatureLen(SECKEYPrivateKey *key)
+{
+    int val;
+
+    switch (key->keyType) {
+    case rsaKey:
+	val = PK11_GetPrivateModulusLen(key);
+	if (val == -1) {
+	    return pk11_backupGetSignLength(key);
+	}
+	return (unsigned long) val;
+	
+    case fortezzaKey:
+    case dsaKey:
+	return 40;
+
+    default:
+	break;
+    }
+    PORT_SetError( SEC_ERROR_INVALID_KEY );
+    return 0;
+}
+
+PK11SlotInfo *
+PK11_GetSlotFromPrivateKey(SECKEYPrivateKey *key)
+{
+    PK11SlotInfo *slot = key->pkcs11Slot;
+    slot = PK11_ReferenceSlot(slot);
+    return slot;
+}
+
+/*
+ * Get the modulus length for raw parsing
+ */
+int
+PK11_GetPrivateModulusLen(SECKEYPrivateKey *key)
+{
+    CK_ATTRIBUTE theTemplate = { CKA_MODULUS, NULL, 0 };
+    PK11SlotInfo *slot = key->pkcs11Slot;
+    CK_RV crv;
+    int length;
+
+    switch (key->keyType) {
+    case rsaKey:
+	crv = PK11_GetAttributes(NULL, slot, key->pkcs11ID, &theTemplate, 1);
+	if (crv != CKR_OK) {
+	    PORT_SetError( PK11_MapError(crv) );
+	    return -1;
+	}
+	length = theTemplate.ulValueLen;
+	if ( *(unsigned char *)theTemplate.pValue == 0) {
+	    length--;
+	}
+	if (theTemplate.pValue != NULL)
+	    PORT_Free(theTemplate.pValue);
+	return (int) length;
+	
+    case fortezzaKey:
+    case dsaKey:
+    case dhKey:
+    default:
+	break;
+    }
+    if (theTemplate.pValue != NULL)
+	PORT_Free(theTemplate.pValue);
+    PORT_SetError( SEC_ERROR_INVALID_KEY );
+    return -1;
+}
+
+/*
+ * copy a key (or any other object) on a token
+ */
+CK_OBJECT_HANDLE
+PK11_CopyKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE srcObject)
+{
+    CK_OBJECT_HANDLE destObject;
+    CK_RV crv;
+
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_CopyObject(slot->session,srcObject,NULL,0,
+				&destObject);
+    PK11_ExitSlotMonitor(slot);
+    if (crv == CKR_OK) return destObject;
+    PORT_SetError( PK11_MapError(crv) );
+    return CK_INVALID_HANDLE;
+}
+
+
+PK11SymKey *
+pk11_KeyExchange(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
+		 	CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey);
+
+/*
+ * The next two utilities are to deal with the fact that a given operation
+ * may be a multi-slot affair. This creates a new key object that is copied
+ * into the new slot.
+ */
+PK11SymKey *
+pk11_CopyToSlot(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
+		 	CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey)
+{
+    SECStatus rv;
+    PK11SymKey *newKey = NULL;
+
+    /* Extract the raw key data if possible */
+    if (symKey->data.data == NULL) {
+	rv = PK11_ExtractKeyValue(symKey);
+	/* KEY is sensitive, we're try key exchanging it. */
+	if (rv != SECSuccess) {
+	    return pk11_KeyExchange(slot, type, operation, symKey);
+	}
+    }
+    newKey = PK11_ImportSymKey(slot, type, symKey->origin, operation, 
+						&symKey->data, symKey->cx);
+    if (newKey == NULL) newKey = pk11_KeyExchange(slot,type,operation,symKey);
+    return newKey;
+}
+
+/*
+ * Make sure the slot we are in the correct slot for the operation
+ */
+static PK11SymKey *
+pk11_ForceSlot(PK11SymKey *symKey,CK_MECHANISM_TYPE type,
+						CK_ATTRIBUTE_TYPE operation)
+{
+    PK11SlotInfo *slot = symKey->slot;
+    PK11SymKey *newKey = NULL;
+
+    if ((slot== NULL) || !PK11_DoesMechanism(slot,type)) {
+	slot = PK11_GetBestSlot(type,symKey->cx);
+	if (slot == NULL) {
+	    PORT_SetError( SEC_ERROR_NO_MODULE );
+	    return NULL;
+	}
+	newKey = pk11_CopyToSlot(slot, type, operation, symKey);
+	PK11_FreeSlot(slot);
+    }
+    return newKey;
+}
+
+/*
+ * Use the token to Generate a key. keySize must be 'zero' for fixed key
+ * length algorithms. NOTE: this means we can never generate a DES2 key
+ * from this interface!
+ */
+PK11SymKey *
+PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param,
+    int keySize, SECItem *keyid, PRBool isToken, void *wincx)
+{
+    PK11SymKey *symKey;
+    CK_ATTRIBUTE genTemplate[5];
+    CK_ATTRIBUTE *attrs = genTemplate;
+    int count = sizeof(genTemplate)/sizeof(genTemplate[0]);
+    CK_SESSION_HANDLE session;
+    CK_MECHANISM mechanism;
+    CK_RV crv;
+    PRBool weird = PR_FALSE;   /* hack for fortezza */
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_ULONG ck_key_size;       /* only used for variable-length keys */
+
+    if ((keySize == -1) && (type == CKM_SKIPJACK_CBC64)) {
+	weird = PR_TRUE;
+	keySize = 0;
+    }
+
+    /* TNH: Isn't this redundant, since "handleKey" will set defaults? */
+    PK11_SETATTRS(attrs, (!weird) 
+	? CKA_ENCRYPT : CKA_DECRYPT, &cktrue, sizeof(CK_BBOOL)); attrs++;
+    
+    if (keySize != 0) {
+        ck_key_size = keySize; /* Convert to PK11 type */
+
+        PK11_SETATTRS(attrs, CKA_VALUE_LEN, &ck_key_size, sizeof(ck_key_size)); 
+							attrs++;
+    }
+
+    /* Include key id value if provided */
+    if (keyid) {
+        PK11_SETATTRS(attrs, CKA_ID, keyid->data, keyid->len); attrs++;
+    }
+
+    if (isToken) {
+        PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue));  attrs++;
+        PK11_SETATTRS(attrs, CKA_PRIVATE, &cktrue, sizeof(cktrue));  attrs++;
+    }
+
+    PK11_SETATTRS(attrs, CKA_SIGN, &cktrue, sizeof(cktrue));  attrs++;
+
+    count = attrs - genTemplate;
+    PR_ASSERT(count <= sizeof(genTemplate)/sizeof(CK_ATTRIBUTE));
+
+    /* find a slot to generate the key into */
+    /* Only do slot management if this is not a token key */
+    if (!isToken && (slot == NULL || !PK11_DoesMechanism(slot,type))) {
+        PK11SlotInfo *bestSlot;
+
+        bestSlot = PK11_GetBestSlot(type,wincx); /* TNH: references the slot? */
+        if (bestSlot == NULL) {
+	    PORT_SetError( SEC_ERROR_NO_MODULE );
+	    return NULL;
+	}
+
+        symKey = PK11_CreateSymKey(bestSlot,type,wincx);
+
+        PK11_FreeSlot(bestSlot);
+    } else {
+	symKey = PK11_CreateSymKey(slot, type, wincx);
+    }
+    if (symKey == NULL) return NULL;
+
+    symKey->size = keySize;
+    symKey->origin = (!weird) ? PK11_OriginGenerated : PK11_OriginFortezzaHack;
+
+    /* Initialize the Key Gen Mechanism */
+    mechanism.mechanism = PK11_GetKeyGen(type);
+    if (mechanism.mechanism == CKM_FAKE_RANDOM) {
+	PORT_SetError( SEC_ERROR_NO_MODULE );
+	return NULL;
+    }
+
+    /* Set the parameters for the key gen if provided */
+    mechanism.pParameter = NULL;
+    mechanism.ulParameterLen = 0;
+    if (param) {
+	mechanism.pParameter = param->data;
+	mechanism.ulParameterLen = param->len;
+    }
+
+    /* Get session and perform locking */
+    if (isToken) {
+	PK11_Authenticate(symKey->slot,PR_TRUE,wincx);
+        session = PK11_GetRWSession(symKey->slot);  /* Should always be original slot */
+    } else {
+        session = symKey->session;
+        pk11_EnterKeyMonitor(symKey);
+    }
+
+    crv = PK11_GETTAB(symKey->slot)->C_GenerateKey(session,
+			 &mechanism, genTemplate, count, &symKey->objectID);
+
+    /* Release lock and session */
+    if (isToken) {
+        PK11_RestoreROSession(symKey->slot, session);
+    } else {
+        pk11_ExitKeyMonitor(symKey);
+    }
+
+    if (crv != CKR_OK) {
+	PK11_FreeSymKey(symKey);
+	PORT_SetError( PK11_MapError(crv) );
+	return NULL;
+    }
+
+    return symKey;
+}
+
+PK11SymKey *
+PK11_KeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param,
+						int keySize, void *wincx)
+{
+    return PK11_TokenKeyGen(slot, type, param, keySize, 0, PR_FALSE, wincx);
+}
+
+/* --- */
+PK11SymKey *
+PK11_GenDES3TokenKey(PK11SlotInfo *slot, SECItem *keyid, void *cx)
+{
+  return PK11_TokenKeyGen(slot, CKM_DES3_CBC, 0, 0, keyid, PR_TRUE, cx);
+}
+
+/*
+ * PKCS #11 pairwise consistency check utilized to validate key pair.
+ */
+static SECStatus
+pk11_PairwiseConsistencyCheck(SECKEYPublicKey *pubKey, 
+	SECKEYPrivateKey *privKey, CK_MECHANISM *mech, void* wincx )
+{
+    /* Variables used for Encrypt/Decrypt functions. */
+    unsigned char *known_message = (unsigned char *)"Known Crypto Message";
+    CK_BBOOL isEncryptable = CK_FALSE;
+    CK_BBOOL canSignVerify = CK_FALSE;
+    CK_BBOOL isDerivable = CK_FALSE;
+    unsigned char plaintext[PAIRWISE_MESSAGE_LENGTH];
+    CK_ULONG bytes_decrypted;
+    PK11SlotInfo *slot;
+    CK_OBJECT_HANDLE id;
+    unsigned char *ciphertext;
+    unsigned char *text_compared;
+    CK_ULONG max_bytes_encrypted;
+    CK_ULONG bytes_encrypted;
+    CK_ULONG bytes_compared;
+    CK_RV crv;
+
+    /* Variables used for Signature/Verification functions. */
+    unsigned char *known_digest = (unsigned char *)"Mozilla Rules World!";
+    SECItem  signature;
+    SECItem  digest;    /* always uses SHA-1 digest */
+    int signature_length;
+    SECStatus rv;
+
+    /**************************************************/
+    /* Pairwise Consistency Check of Encrypt/Decrypt. */
+    /**************************************************/
+
+    isEncryptable = PK11_HasAttributeSet( privKey->pkcs11Slot, 
+					privKey->pkcs11ID, CKA_DECRYPT );
+
+    /* If the encryption attribute is set; attempt to encrypt */
+    /* with the public key and decrypt with the private key.  */
+    if( isEncryptable ) {
+	/* Find a module to encrypt against */
+	slot = PK11_GetBestSlot(pk11_mapWrapKeyType(privKey->keyType),wincx);
+	if (slot == NULL) {
+	    PORT_SetError( SEC_ERROR_NO_MODULE );
+	    return SECFailure;
+	}
+
+	id = PK11_ImportPublicKey(slot,pubKey,PR_FALSE);
+	if (id == CK_INVALID_HANDLE) {
+	    PK11_FreeSlot(slot);
+	    return SECFailure;
+	}
+
+        /* Compute max bytes encrypted from modulus length of private key. */
+	max_bytes_encrypted = PK11_GetPrivateModulusLen( privKey );
+
+
+	/* Prepare for encryption using the public key. */
+        PK11_EnterSlotMonitor(slot);
+	crv = PK11_GETTAB( slot )->C_EncryptInit( slot->session,
+						  mech, id );
+        if( crv != CKR_OK ) {
+	    PK11_ExitSlotMonitor(slot);
+	    PORT_SetError( PK11_MapError( crv ) );
+	    PK11_FreeSlot(slot);
+	    return SECFailure;
+	}
+
+	/* Allocate space for ciphertext. */
+	ciphertext = (unsigned char *) PORT_Alloc( max_bytes_encrypted );
+	if( ciphertext == NULL ) {
+	    PK11_ExitSlotMonitor(slot);
+	    PORT_SetError( SEC_ERROR_NO_MEMORY );
+	    PK11_FreeSlot(slot);
+	    return SECFailure;
+	}
+
+	/* Initialize bytes encrypted to max bytes encrypted. */
+	bytes_encrypted = max_bytes_encrypted;
+
+	/* Encrypt using the public key. */
+	crv = PK11_GETTAB( slot )->C_Encrypt( slot->session,
+					      known_message,
+					      PAIRWISE_MESSAGE_LENGTH,
+					      ciphertext,
+					      &bytes_encrypted );
+	PK11_ExitSlotMonitor(slot);
+	PK11_FreeSlot(slot);
+	if( crv != CKR_OK ) {
+	    PORT_SetError( PK11_MapError( crv ) );
+	    PORT_Free( ciphertext );
+	    return SECFailure;
+	}
+
+	/* Always use the smaller of these two values . . . */
+	bytes_compared = ( bytes_encrypted > PAIRWISE_MESSAGE_LENGTH )
+			 ? PAIRWISE_MESSAGE_LENGTH
+			 : bytes_encrypted;
+
+	/* If there was a failure, the plaintext */
+	/* goes at the end, therefore . . .      */
+	text_compared = ( bytes_encrypted > PAIRWISE_MESSAGE_LENGTH )
+			? (ciphertext + bytes_encrypted -
+			  PAIRWISE_MESSAGE_LENGTH )
+			: ciphertext;
+
+	/* Check to ensure that ciphertext does */
+	/* NOT EQUAL known input message text   */
+	/* per FIPS PUB 140-1 directive.        */
+	if( ( bytes_encrypted != max_bytes_encrypted ) ||
+	    ( PORT_Memcmp( text_compared, known_message,
+			   bytes_compared ) == 0 ) ) {
+	    /* Set error to Invalid PRIVATE Key. */
+	    PORT_SetError( SEC_ERROR_INVALID_KEY );
+	    PORT_Free( ciphertext );
+	    return SECFailure;
+	}
+
+	slot = privKey->pkcs11Slot;
+	/* Prepare for decryption using the private key. */
+        PK11_EnterSlotMonitor(slot);
+	crv = PK11_GETTAB( slot )->C_DecryptInit( slot->session,
+						  mech,
+						  privKey->pkcs11ID );
+	if( crv != CKR_OK ) {
+	    PK11_ExitSlotMonitor(slot);
+	    PORT_SetError( PK11_MapError(crv) );
+	    PORT_Free( ciphertext );
+	    PK11_FreeSlot(slot);
+	    return SECFailure;
+	}
+
+	/* Initialize bytes decrypted to be the */
+	/* expected PAIRWISE_MESSAGE_LENGTH.    */
+	bytes_decrypted = PAIRWISE_MESSAGE_LENGTH;
+
+	/* Decrypt using the private key.   */
+	/* NOTE:  No need to reset the      */
+	/*        value of bytes_encrypted. */
+	crv = PK11_GETTAB( slot )->C_Decrypt( slot->session,
+					      ciphertext,
+					      bytes_encrypted,
+					      plaintext,
+					      &bytes_decrypted );
+	PK11_ExitSlotMonitor(slot);
+
+	/* Finished with ciphertext; free it. */
+	PORT_Free( ciphertext );
+
+	if( crv != CKR_OK ) {
+	   PORT_SetError( PK11_MapError(crv) );
+	    PK11_FreeSlot(slot);
+	   return SECFailure;
+	}
+
+	/* Check to ensure that the output plaintext */
+	/* does EQUAL known input message text.      */
+	if( ( bytes_decrypted != PAIRWISE_MESSAGE_LENGTH ) ||
+	    ( PORT_Memcmp( plaintext, known_message,
+			   PAIRWISE_MESSAGE_LENGTH ) != 0 ) ) {
+	    /* Set error to Bad PUBLIC Key. */
+	    PORT_SetError( SEC_ERROR_BAD_KEY );
+	    PK11_FreeSlot(slot);
+	    return SECFailure;
+	}
+      }
+
+    /**********************************************/
+    /* Pairwise Consistency Check of Sign/Verify. */
+    /**********************************************/
+
+    canSignVerify = PK11_HasAttributeSet ( privKey->pkcs11Slot, 
+					  privKey->pkcs11ID, CKA_SIGN);
+    
+    if (canSignVerify)
+      {
+	/* Initialize signature and digest data. */
+	signature.data = NULL;
+	digest.data = NULL;
+	
+	/* Determine length of signature. */
+	signature_length = PK11_SignatureLen( privKey );
+	if( signature_length == 0 )
+	  goto failure;
+	
+	/* Allocate space for signature data. */
+	signature.data = (unsigned char *) PORT_Alloc( signature_length );
+	if( signature.data == NULL ) {
+	  PORT_SetError( SEC_ERROR_NO_MEMORY );
+	  goto failure;
+	}
+	
+	/* Allocate space for known digest data. */
+	digest.data = (unsigned char *) PORT_Alloc( PAIRWISE_DIGEST_LENGTH );
+	if( digest.data == NULL ) {
+	  PORT_SetError( SEC_ERROR_NO_MEMORY );
+	  goto failure;
+	}
+	
+	/* "Fill" signature type and length. */
+	signature.type = PAIRWISE_SECITEM_TYPE;
+	signature.len  = signature_length;
+	
+	/* "Fill" digest with known SHA-1 digest parameters. */
+	digest.type = PAIRWISE_SECITEM_TYPE;
+	PORT_Memcpy( digest.data, known_digest, PAIRWISE_DIGEST_LENGTH );
+	digest.len = PAIRWISE_DIGEST_LENGTH;
+	
+	/* Sign the known hash using the private key. */
+	rv = PK11_Sign( privKey, &signature, &digest );
+	if( rv != SECSuccess )
+	  goto failure;
+	
+	/* Verify the known hash using the public key. */
+	rv = PK11_Verify( pubKey, &signature, &digest, wincx );
+    if( rv != SECSuccess )
+      goto failure;
+	
+	/* Free signature and digest data. */
+	PORT_Free( signature.data );
+	PORT_Free( digest.data );
+      }
+
+
+
+    /**********************************************/
+    /* Pairwise Consistency Check for Derivation  */
+    /**********************************************/
+
+    isDerivable = PK11_HasAttributeSet ( privKey->pkcs11Slot, 
+					  privKey->pkcs11ID, CKA_DERIVE);
+    
+    if (isDerivable)
+      {   
+	/* 
+	 * We are not doing consistency check for Diffie-Hellman Key - 
+	 * otherwise it would be here
+	 */
+
+      }
+
+    return SECSuccess;
+
+failure:
+    if( signature.data != NULL )
+	PORT_Free( signature.data );
+    if( digest.data != NULL )
+	PORT_Free( digest.data );
+
+    return SECFailure;
+}
+
+
+
+/*
+ * take a private key in one pkcs11 module and load it into another:
+ *  NOTE: the source private key is a rare animal... it can't be sensitive.
+ *  This is used to do a key gen using one pkcs11 module and storing the
+ *  result into another.
+ */
+SECKEYPrivateKey *
+pk11_loadPrivKey(PK11SlotInfo *slot,SECKEYPrivateKey *privKey, 
+		SECKEYPublicKey *pubKey, PRBool token, PRBool sensitive) 
+{
+    CK_ATTRIBUTE privTemplate[] = {
+        /* class must be first */
+	{ CKA_CLASS, NULL, 0 },
+	{ CKA_KEY_TYPE, NULL, 0 },
+	/* these three must be next */
+	{ CKA_TOKEN, NULL, 0 },
+	{ CKA_PRIVATE, NULL, 0 },
+	{ CKA_SENSITIVE, NULL, 0 },
+	{ CKA_ID, NULL, 0 },
+#ifdef notdef
+	{ CKA_LABEL, NULL, 0 },
+	{ CKA_SUBJECT, NULL, 0 },
+#endif
+	/* RSA */
+	{ CKA_MODULUS, NULL, 0 },
+	{ CKA_PRIVATE_EXPONENT, NULL, 0 },
+	{ CKA_PUBLIC_EXPONENT, NULL, 0 },
+	{ CKA_PRIME_1, NULL, 0 },
+	{ CKA_PRIME_2, NULL, 0 },
+	{ CKA_EXPONENT_1, NULL, 0 },
+	{ CKA_EXPONENT_2, NULL, 0 },
+	{ CKA_COEFFICIENT, NULL, 0 },
+    };
+    CK_ATTRIBUTE *attrs = NULL, *ap;
+    int templateSize = sizeof(privTemplate)/sizeof(privTemplate[0]);
+    PRArenaPool *arena;
+    CK_OBJECT_HANDLE objectID;
+    int i, count = 0;
+    int extra_count = 0;
+    CK_RV crv;
+    SECStatus rv;
+
+    for (i=0; i < templateSize; i++) {
+	if (privTemplate[i].type == CKA_MODULUS) {
+	    attrs= &privTemplate[i];
+	    count = i;
+	    break;
+	}
+    }
+    PORT_Assert(attrs != NULL);
+    if (attrs == NULL) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return NULL;
+    }
+
+    ap = attrs;
+
+    switch (privKey->keyType) {
+    case rsaKey:
+	count = templateSize;
+	extra_count = templateSize - (attrs - privTemplate);
+	break;
+    case dsaKey:
+	ap->type = CKA_PRIME; ap++; count++; extra_count++;
+	ap->type = CKA_SUBPRIME; ap++; count++; extra_count++;
+	ap->type = CKA_BASE; ap++; count++; extra_count++;
+	ap->type = CKA_VALUE; ap++; count++; extra_count++;
+	break;
+    case dhKey:
+	ap->type = CKA_PRIME; ap++; count++; extra_count++;
+	ap->type = CKA_BASE; ap++; count++; extra_count++;
+	ap->type = CKA_VALUE; ap++; count++; extra_count++;
+	break;
+     default:
+	count = 0;
+	extra_count = 0;
+	break;
+     }
+
+     if (count == 0) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return NULL;
+     }
+
+     arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
+     if (arena == NULL) return NULL;
+     /*
+      * read out the old attributes.
+      */
+     crv = PK11_GetAttributes(arena, privKey->pkcs11Slot, privKey->pkcs11ID,
+		privTemplate,count);
+     if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	PORT_FreeArena(arena, PR_TRUE);
+	return NULL;
+     }
+
+     /* Reset sensitive, token, and private */
+     *(CK_BBOOL *)(privTemplate[2].pValue) = token ? CK_TRUE : CK_FALSE;
+     *(CK_BBOOL *)(privTemplate[3].pValue) = token ? CK_TRUE : CK_FALSE;
+     *(CK_BBOOL *)(privTemplate[4].pValue) = sensitive ? CK_TRUE : CK_FALSE;
+
+     /* Not everyone can handle zero padded key values, give
+      * them the raw data as unsigned */
+     for (ap=attrs; extra_count; ap++, extra_count--) {
+	pk11_SignedToUnsigned(ap);
+     }
+
+     /* now Store the puppies */
+     rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, privTemplate, 
+						count, token, &objectID);
+     PORT_FreeArena(arena, PR_TRUE);
+     if (rv != SECSuccess) {
+	return NULL;
+     }
+
+     /* try loading the public key as a token object */
+     if (pubKey) {
+	PK11_ImportPublicKey(slot, pubKey, PR_TRUE);
+	if (pubKey->pkcs11Slot) {
+	    PK11_FreeSlot(pubKey->pkcs11Slot);
+	    pubKey->pkcs11Slot = NULL;
+	    pubKey->pkcs11ID = CK_INVALID_HANDLE;
+	}
+     }
+
+     /* build new key structure */
+     return PK11_MakePrivKey(slot, privKey->keyType, (PRBool)!token, 
+						objectID, privKey->wincx);
+}
+
+/*
+ * export this for PSM
+ */
+SECKEYPrivateKey *
+PK11_LoadPrivKey(PK11SlotInfo *slot,SECKEYPrivateKey *privKey, 
+		SECKEYPublicKey *pubKey, PRBool token, PRBool sensitive) 
+{
+    return pk11_loadPrivKey(slot,privKey,pubKey,token,sensitive);
+}
+
+
+/*
+ * Use the token to Generate a key. keySize must be 'zero' for fixed key
+ * length algorithms. NOTE: this means we can never generate a DES2 key
+ * from this interface!
+ */
+SECKEYPrivateKey *
+PK11_GenerateKeyPair(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, 
+   void *param, SECKEYPublicKey **pubKey, PRBool token, 
+					PRBool sensitive, void *wincx)
+{
+    /* we have to use these native types because when we call PKCS 11 modules
+     * we have to make sure that we are using the correct sizes for all the
+     * parameters. */
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_ULONG modulusBits;
+    CK_BYTE publicExponent[4];
+    CK_ATTRIBUTE privTemplate[] = {
+	{ CKA_SENSITIVE, NULL, 0},
+	{ CKA_TOKEN,  NULL, 0},
+	{ CKA_PRIVATE,  NULL, 0},
+	{ CKA_DERIVE,  NULL, 0},
+	{ CKA_UNWRAP,  NULL, 0},
+	{ CKA_SIGN,  NULL, 0},
+	{ CKA_DECRYPT,  NULL, 0},
+    };
+    CK_ATTRIBUTE rsaPubTemplate[] = {
+	{ CKA_MODULUS_BITS, NULL, 0},
+	{ CKA_PUBLIC_EXPONENT, NULL, 0},
+	{ CKA_TOKEN,  NULL, 0},
+	{ CKA_DERIVE,  NULL, 0},
+	{ CKA_WRAP,  NULL, 0},
+	{ CKA_VERIFY,  NULL, 0},
+	{ CKA_VERIFY_RECOVER,  NULL, 0},
+	{ CKA_ENCRYPT,  NULL, 0},
+    };
+    CK_ATTRIBUTE dsaPubTemplate[] = {
+	{ CKA_PRIME, NULL, 0 },
+	{ CKA_SUBPRIME, NULL, 0 },
+	{ CKA_BASE, NULL, 0 },
+	{ CKA_TOKEN,  NULL, 0},
+	{ CKA_DERIVE,  NULL, 0},
+	{ CKA_WRAP,  NULL, 0},
+	{ CKA_VERIFY,  NULL, 0},
+	{ CKA_VERIFY_RECOVER,  NULL, 0},
+	{ CKA_ENCRYPT,  NULL, 0},
+    };
+    CK_ATTRIBUTE dhPubTemplate[] = {
+      { CKA_PRIME, NULL, 0 }, 
+      { CKA_BASE, NULL, 0 }, 
+      { CKA_TOKEN,  NULL, 0},
+      { CKA_DERIVE,  NULL, 0},
+      { CKA_WRAP,  NULL, 0},
+      { CKA_VERIFY,  NULL, 0},
+      { CKA_VERIFY_RECOVER,  NULL, 0},
+      { CKA_ENCRYPT,  NULL, 0},
+    };
+
+    int dsaPubCount = sizeof(dsaPubTemplate)/sizeof(dsaPubTemplate[0]);
+    /*CK_ULONG key_size = 0;*/
+    CK_ATTRIBUTE *pubTemplate;
+    int privCount = sizeof(privTemplate)/sizeof(privTemplate[0]);
+    int rsaPubCount = sizeof(rsaPubTemplate)/sizeof(rsaPubTemplate[0]);
+    int dhPubCount = sizeof(dhPubTemplate)/sizeof(dhPubTemplate[0]);
+    int pubCount = 0;
+    PK11RSAGenParams *rsaParams;
+    SECKEYPQGParams *dsaParams;
+    SECKEYDHParams * dhParams;
+    CK_MECHANISM mechanism;
+    CK_MECHANISM test_mech;
+    CK_SESSION_HANDLE session_handle;
+    CK_RV crv;
+    CK_OBJECT_HANDLE privID,pubID;
+    SECKEYPrivateKey *privKey;
+    KeyType keyType;
+    PRBool restore;
+    int peCount,i;
+    CK_ATTRIBUTE *attrs;
+    CK_ATTRIBUTE *privattrs;
+    SECItem *pubKeyIndex;
+    CK_ATTRIBUTE setTemplate;
+    SECStatus rv;
+    CK_MECHANISM_INFO mechanism_info;
+    CK_OBJECT_CLASS keyClass;
+    SECItem *cka_id;
+    PRBool haslock = PR_FALSE;
+    PRBool pubIsToken = PR_FALSE;
+
+    PORT_Assert(slot != NULL);
+    if (slot == NULL) {
+	PORT_SetError( SEC_ERROR_NO_MODULE);
+	return NULL;
+    }
+
+    /* if our slot really doesn't do this mechanism, Generate the key
+     * in our internal token and write it out */
+    if (!PK11_DoesMechanism(slot,type)) {
+	PK11SlotInfo *int_slot = PK11_GetInternalSlot();
+
+	/* don't loop forever looking for a slot */
+	if (slot == int_slot) {
+	    PK11_FreeSlot(int_slot);
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    return NULL;
+	}
+
+	/* if there isn't a suitable slot, then we can't do the keygen */
+	if (int_slot == NULL) {
+	    PORT_SetError( SEC_ERROR_NO_MODULE );
+	    return NULL;
+	}
+
+	/* generate the temporary key to load */
+	privKey = PK11_GenerateKeyPair(int_slot,type, param, pubKey, PR_FALSE, 
+							PR_FALSE, wincx);
+	PK11_FreeSlot(int_slot);
+
+	/* if successful, load the temp key into the new token */
+	if (privKey != NULL) {
+	    SECKEYPrivateKey *newPrivKey = pk11_loadPrivKey(slot,privKey,
+						*pubKey,token,sensitive);
+	    SECKEY_DestroyPrivateKey(privKey);
+	    if (newPrivKey == NULL) {
+		SECKEY_DestroyPublicKey(*pubKey);
+		*pubKey = NULL;
+	    }
+	    return newPrivKey;
+	}
+	return NULL;
+   }
+
+
+    mechanism.mechanism = type;
+    mechanism.pParameter = NULL;
+    mechanism.ulParameterLen = 0;
+    test_mech.pParameter = NULL;
+    test_mech.ulParameterLen = 0;
+
+    /* set up the private key template */
+    privattrs = privTemplate;
+    PK11_SETATTRS(privattrs, CKA_SENSITIVE, sensitive ? &cktrue : &ckfalse, 
+					sizeof(CK_BBOOL)); privattrs++;
+    PK11_SETATTRS(privattrs, CKA_TOKEN, token ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); privattrs++;
+    PK11_SETATTRS(privattrs, CKA_PRIVATE, sensitive ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); privattrs++;
+
+    /* set up the mechanism specific info */
+    switch (type) {
+    case CKM_RSA_PKCS_KEY_PAIR_GEN:
+	rsaParams = (PK11RSAGenParams *)param;
+	modulusBits = rsaParams->keySizeInBits;
+	peCount = 0;
+
+	/* convert pe to a PKCS #11 string */
+	for (i=0; i < 4; i++) {
+	    if (peCount || (rsaParams->pe & 
+				((unsigned long)0xff000000L >> (i*8)))) {
+		publicExponent[peCount] = 
+				(CK_BYTE)((rsaParams->pe >> (3-i)*8) & 0xff);
+		peCount++;
+	    }
+	}
+	PORT_Assert(peCount != 0);
+	attrs = rsaPubTemplate;
+	PK11_SETATTRS(attrs, CKA_MODULUS_BITS, 
+				&modulusBits, sizeof(modulusBits)); attrs++;
+	PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, 
+				publicExponent, peCount);attrs++;
+	pubTemplate = rsaPubTemplate;
+	pubCount = rsaPubCount;
+	keyType = rsaKey;
+	test_mech.mechanism = CKM_RSA_PKCS;
+	break;
+    case CKM_DSA_KEY_PAIR_GEN:
+	dsaParams = (SECKEYPQGParams *)param;
+	attrs = dsaPubTemplate;
+	PK11_SETATTRS(attrs, CKA_PRIME, dsaParams->prime.data,
+				dsaParams->prime.len); attrs++;
+	PK11_SETATTRS(attrs, CKA_SUBPRIME, dsaParams->subPrime.data,
+					dsaParams->subPrime.len); attrs++;
+	PK11_SETATTRS(attrs, CKA_BASE, dsaParams->base.data,
+						dsaParams->base.len); attrs++;
+	pubTemplate = dsaPubTemplate;
+	pubCount = dsaPubCount;
+	keyType = dsaKey;
+	test_mech.mechanism = CKM_DSA;
+	break;
+    case CKM_DH_PKCS_KEY_PAIR_GEN:
+        dhParams = (SECKEYDHParams *)param;
+        attrs = dhPubTemplate;
+        PK11_SETATTRS(attrs, CKA_PRIME, dhParams->prime.data,
+                      dhParams->prime.len);   attrs++;
+        PK11_SETATTRS(attrs, CKA_BASE, dhParams->base.data,
+                      dhParams->base.len);    attrs++;
+        pubTemplate = dhPubTemplate;
+	pubCount = dhPubCount;
+        keyType = dhKey;
+        test_mech.mechanism = CKM_DH_PKCS_DERIVE;
+	break;
+    default:
+	PORT_SetError( SEC_ERROR_BAD_KEY );
+	return NULL;
+    }
+
+    /* now query the slot to find out how "good" a key we can generate */
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,
+				test_mech.mechanism,&mechanism_info);
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+    if ((crv != CKR_OK) || (mechanism_info.flags == 0)) {
+	/* must be old module... guess what it should be... */
+	switch (test_mech.mechanism) {
+	case CKM_RSA_PKCS:
+		mechanism_info.flags = (CKF_SIGN | CKF_DECRYPT | 
+			CKF_WRAP | CKF_VERIFY_RECOVER | CKF_ENCRYPT | CKF_WRAP);;
+		break;
+	case CKM_DSA:
+		mechanism_info.flags = CKF_SIGN | CKF_VERIFY;
+		break;
+	case CKM_DH_PKCS_DERIVE:
+		mechanism_info.flags = CKF_DERIVE;
+		break;
+	default:
+	       break;
+	}
+    }
+    /* set the public key objects */
+    PK11_SETATTRS(attrs, CKA_TOKEN, token ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); attrs++;
+    PK11_SETATTRS(attrs, CKA_DERIVE, 
+		mechanism_info.flags & CKF_DERIVE ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); attrs++;
+    PK11_SETATTRS(attrs, CKA_WRAP, 
+		mechanism_info.flags & CKF_WRAP ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); attrs++;
+    PK11_SETATTRS(attrs, CKA_VERIFY, 
+		mechanism_info.flags & CKF_VERIFY ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); attrs++;
+    PK11_SETATTRS(attrs, CKA_VERIFY_RECOVER, 
+		mechanism_info.flags & CKF_VERIFY_RECOVER ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); attrs++;
+    PK11_SETATTRS(attrs, CKA_ENCRYPT, 
+		mechanism_info.flags & CKF_ENCRYPT? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); attrs++;
+    PK11_SETATTRS(privattrs, CKA_DERIVE, 
+		mechanism_info.flags & CKF_DERIVE ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); privattrs++;
+    PK11_SETATTRS(privattrs, CKA_UNWRAP, 
+		mechanism_info.flags & CKF_UNWRAP ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); privattrs++;
+    PK11_SETATTRS(privattrs, CKA_SIGN, 
+		mechanism_info.flags & CKF_SIGN ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); privattrs++;
+    PK11_SETATTRS(privattrs, CKA_DECRYPT, 
+		mechanism_info.flags & CKF_DECRYPT ? &cktrue : &ckfalse,
+					 sizeof(CK_BBOOL)); privattrs++;
+
+    if (token) {
+	session_handle = PK11_GetRWSession(slot);
+	haslock = PK11_RWSessionHasLock(slot,session_handle);
+	restore = PR_TRUE;
+    } else {
+        PK11_EnterSlotMonitor(slot); /* gross!! */
+	session_handle = slot->session;
+	restore = PR_FALSE;
+	haslock = PR_TRUE;
+    }
+
+    crv = PK11_GETTAB(slot)->C_GenerateKeyPair(session_handle, &mechanism,
+	pubTemplate,pubCount,privTemplate,privCount,&pubID,&privID);
+
+
+    if (crv != CKR_OK) {
+	if (restore)  {
+	    PK11_RestoreROSession(slot,session_handle);
+	} else PK11_ExitSlotMonitor(slot);
+	PORT_SetError( PK11_MapError(crv) );
+	return NULL;
+    }
+    /* This locking code is dangerous and needs to be more thought
+     * out... the real problem is that we're holding the mutex open this long
+     */
+    if (haslock) { PK11_ExitSlotMonitor(slot); }
+
+    /* swap around the ID's for older PKCS #11 modules */
+    keyClass = PK11_ReadULongAttribute(slot,pubID,CKA_CLASS);
+    if (keyClass != CKO_PUBLIC_KEY) {
+	CK_OBJECT_HANDLE tmp = pubID;
+	pubID = privID;
+	privID = tmp;
+    }
+
+    *pubKey = PK11_ExtractPublicKey(slot, keyType, pubID);
+    if (*pubKey == NULL) {
+	if (restore)  {
+	    /* we may have to restore the mutex so it get's exited properly
+	     * in RestoreROSession */
+            if (haslock)  PK11_EnterSlotMonitor(slot); 
+	    PK11_RestoreROSession(slot,session_handle);
+	} 
+	PK11_DestroyObject(slot,pubID);
+	PK11_DestroyObject(slot,privID);
+	return NULL;
+    }
+
+    /* set the ID to the public key so we can find it again */
+    pubKeyIndex =  NULL;
+    switch (type) {
+    case CKM_RSA_PKCS_KEY_PAIR_GEN:
+      pubKeyIndex = &(*pubKey)->u.rsa.modulus;
+      break;
+    case CKM_DSA_KEY_PAIR_GEN:
+      pubKeyIndex = &(*pubKey)->u.dsa.publicValue;
+      break;
+    case CKM_DH_PKCS_KEY_PAIR_GEN:
+      pubKeyIndex = &(*pubKey)->u.dh.publicValue;
+      break;      
+    }
+    PORT_Assert(pubKeyIndex != NULL);
+
+    cka_id = PK11_MakeIDFromPubKey(pubKeyIndex);
+    pubIsToken = (PRBool)PK11_HasAttributeSet(slot,pubID, CKA_TOKEN);
+
+    PK11_SETATTRS(&setTemplate, CKA_ID, cka_id->data, cka_id->len);
+
+    if (haslock) { PK11_EnterSlotMonitor(slot); }
+    crv = PK11_GETTAB(slot)->C_SetAttributeValue(session_handle, privID,
+		&setTemplate, 1);
+   
+    if (crv == CKR_OK && pubIsToken) {
+    	crv = PK11_GETTAB(slot)->C_SetAttributeValue(session_handle, pubID,
+		&setTemplate, 1);
+    }
+
+
+    if (restore) {
+	PK11_RestoreROSession(slot,session_handle);
+    } else {
+	PK11_ExitSlotMonitor(slot);
+    }
+    SECITEM_FreeItem(cka_id,PR_TRUE);
+
+
+    if (crv != CKR_OK) {
+	PK11_DestroyObject(slot,pubID);
+	PK11_DestroyObject(slot,privID);
+	PORT_SetError( PK11_MapError(crv) );
+	*pubKey = NULL;
+	return NULL;
+    }
+
+    privKey = PK11_MakePrivKey(slot,keyType,(PRBool)!token,privID,wincx);
+    if (privKey == NULL) {
+	SECKEY_DestroyPublicKey(*pubKey);
+	PK11_DestroyObject(slot,privID);
+	*pubKey = NULL;
+	return NULL;  /* due to pairwise consistency check */
+    }
+
+    /* Perform PKCS #11 pairwise consistency check. */
+    rv = pk11_PairwiseConsistencyCheck( *pubKey, privKey, &test_mech, wincx );
+    if( rv != SECSuccess ) {
+	SECKEY_DestroyPublicKey( *pubKey );
+	SECKEY_DestroyPrivateKey( privKey );
+	*pubKey = NULL;
+	privKey = NULL;
+	return NULL;
+    }
+
+    return privKey;
+}
+
+/*
+ * This function does a straight public key wrap (which only RSA can do).
+ * Use PK11_PubGenKey and PK11_WrapSymKey to implement the FORTEZZA and
+ * Diffie-Hellman Ciphers. */
+SECStatus
+PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
+				PK11SymKey *symKey, SECItem *wrappedKey)
+{
+    PK11SlotInfo *slot;
+    CK_ULONG len =  wrappedKey->len;
+    PK11SymKey *newKey = NULL;
+    CK_OBJECT_HANDLE id;
+    CK_MECHANISM mechanism;
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_RV crv;
+
+    /* if this slot doesn't support the mechanism, go to a slot that does */
+    newKey = pk11_ForceSlot(symKey,type,CKA_ENCRYPT);
+    if (newKey != NULL) {
+	symKey = newKey;
+    }
+
+    if ((symKey == NULL) || (symKey->slot == NULL)) {
+	PORT_SetError( SEC_ERROR_NO_MODULE );
+	return SECFailure;
+    }
+
+    slot = symKey->slot;
+    mechanism.mechanism = pk11_mapWrapKeyType(pubKey->keyType);
+    mechanism.pParameter = NULL;
+    mechanism.ulParameterLen = 0;
+
+    id = PK11_ImportPublicKey(slot,pubKey,PR_FALSE);
+
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_WrapKey(session,&mechanism,
+		id,symKey->objectID,wrappedKey->data,&len);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    if (newKey) {
+	PK11_FreeSymKey(newKey);
+    }
+
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    wrappedKey->len = len;
+    return SECSuccess;
+} 
+
+/*
+ * this little function uses the Encrypt function to wrap a key, just in
+ * case we have problems with the wrap implementation for a token.
+ */
+static SECStatus
+pk11_HandWrap(PK11SymKey *wrappingKey, SECItem *param, CK_MECHANISM_TYPE type,
+			 SECItem *inKey, SECItem *outKey)
+{
+    PK11SlotInfo *slot;
+    CK_ULONG len;
+    SECItem *data;
+    CK_MECHANISM mech;
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_RV crv;
+
+    slot = wrappingKey->slot;
+    /* use NULL IV's for wrapping */
+    mech.mechanism = type;
+    if (param) {
+	mech.pParameter = param->data;
+	mech.ulParameterLen = param->len;
+    } else {
+	mech.pParameter = NULL;
+	mech.ulParameterLen = 0;
+    }
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_EncryptInit(session,&mech,
+							wrappingKey->objectID);
+    if (crv != CKR_OK) {
+        if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+        pk11_CloseSession(slot,session,owner);
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+
+    /* keys are almost always aligned, but if we get this far,
+     * we've gone above and beyond anyway... */
+    data = PK11_BlockData(inKey,PK11_GetBlockSize(type,param));
+    if (data == NULL) {
+        if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+        pk11_CloseSession(slot,session,owner);
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    len = outKey->len;
+    crv = PK11_GETTAB(slot)->C_Encrypt(session,data->data,data->len,
+							   outKey->data, &len);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    SECITEM_FreeItem(data,PR_TRUE);
+    outKey->len = len;
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * This function does a symetric based wrap.
+ */
+SECStatus
+PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *param, 
+	PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey)
+{
+    PK11SlotInfo *slot;
+    CK_ULONG len = wrappedKey->len;
+    PK11SymKey *newKey = NULL;
+    SECItem *param_save = NULL;
+    CK_MECHANISM mechanism;
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_RV crv;
+    SECStatus rv;
+
+    /* if this slot doesn't support the mechanism, go to a slot that does */
+    /* Force symKey and wrappingKey into the same slot */
+    if ((wrappingKey->slot == NULL) || (symKey->slot != wrappingKey->slot)) {
+	/* first try copying the wrapping Key to the symKey slot */
+	if (symKey->slot && PK11_DoesMechanism(symKey->slot,type)) {
+	    newKey = pk11_CopyToSlot(symKey->slot,type,CKA_WRAP,wrappingKey);
+	}
+	/* Nope, try it the other way */
+	if (newKey == NULL) {
+	    if (wrappingKey->slot) {
+	        newKey = pk11_CopyToSlot(wrappingKey->slot,
+					symKey->type, CKA_ENCRYPT, symKey);
+	    }
+	    /* just not playing... one last thing, can we get symKey's data?
+	     * If it's possible, we it should already be in the 
+	     * symKey->data.data pointer because pk11_CopyToSlot would have
+	     * tried to put it there. */
+	    if (newKey == NULL) {
+		/* Can't get symKey's data: Game Over */
+		if (symKey->data.data == NULL) {
+		    PORT_SetError( SEC_ERROR_NO_MODULE );
+		    return SECFailure;
+		}
+		if (param == NULL) {
+		    param_save = param = PK11_ParamFromIV(type,NULL);
+		}
+		rv = pk11_HandWrap(wrappingKey, param, type,
+						&symKey->data,wrappedKey);
+		if (param_save) SECITEM_FreeItem(param_save,PR_TRUE);
+		return rv;
+	    }
+	    /* we successfully moved the sym Key */
+	    symKey = newKey;
+	} else {
+	    /* we successfully moved the wrapping Key */
+	    wrappingKey = newKey;
+	}
+    }
+
+    /* at this point both keys are in the same token */
+    slot = wrappingKey->slot;
+    mechanism.mechanism = type;
+    /* use NULL IV's for wrapping */
+    if (param == NULL) {
+    	param_save = param = PK11_ParamFromIV(type,NULL);
+    }
+    if (param) {
+	mechanism.pParameter = param->data;
+	mechanism.ulParameterLen = param->len;
+    } else {
+	mechanism.pParameter = NULL;
+	mechanism.ulParameterLen = 0;
+    }
+
+    len = wrappedKey->len;
+
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_WrapKey(session, &mechanism,
+		 wrappingKey->objectID, symKey->objectID, 
+						wrappedKey->data, &len);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    rv = SECSuccess;
+    if (crv != CKR_OK) {
+	/* can't wrap it? try hand wrapping it... */
+	do {
+	    if (symKey->data.data == NULL) {
+		rv = PK11_ExtractKeyValue(symKey);
+		if (rv != SECSuccess) break;
+	    }
+	    rv = pk11_HandWrap(wrappingKey, param, type, &symKey->data,
+								 wrappedKey);
+	} while (PR_FALSE);
+    } else {
+        wrappedKey->len = len;
+    }
+    if (newKey) PK11_FreeSymKey(newKey);
+    if (param_save) SECITEM_FreeItem(param_save,PR_TRUE);
+    return rv;
+} 
+
+/*
+ * This Generates a new key based on a symetricKey
+ */
+PK11SymKey *
+PK11_Derive( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, SECItem *param, 
+             CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
+	     int keySize)
+{
+    return pk11_DeriveWithTemplate(baseKey, derive, param, target, operation, 
+				   keySize, NULL, 0);
+}
+
+
+PK11SymKey *
+PK11_DeriveWithFlags( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, 
+	SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
+	int keySize, CK_FLAGS flags)
+{
+    CK_BBOOL        ckTrue	= CK_TRUE; 
+    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
+    unsigned int    templateCount;
+
+    templateCount = pk11_FlagsToAttributes(flags, keyTemplate, &ckTrue);
+    return pk11_DeriveWithTemplate(baseKey, derive, param, target, operation, 
+				   keySize, keyTemplate, templateCount);
+}
+
+static PRBool
+pk11_FindAttrInTemplate(CK_ATTRIBUTE *    attr, 
+                        unsigned int      numAttrs,
+			CK_ATTRIBUTE_TYPE target)
+{
+    for (; numAttrs > 0; ++attr, --numAttrs) {
+    	if (attr->type == target)
+	    return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+static PK11SymKey *
+pk11_DeriveWithTemplate( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, 
+	SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
+	int keySize, CK_ATTRIBUTE *userAttr, unsigned int numAttrs)
+{
+    PK11SlotInfo *  slot	= baseKey->slot;
+    PK11SymKey *    symKey;
+    PK11SymKey *    newBaseKey	= NULL;
+    CK_BBOOL        cktrue	= CK_TRUE; 
+    CK_OBJECT_CLASS keyClass	= CKO_SECRET_KEY;
+    CK_KEY_TYPE     keyType	= CKK_GENERIC_SECRET;
+    CK_ULONG        valueLen	= 0;
+    CK_MECHANISM    mechanism; 
+    CK_RV           crv;
+    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
+    CK_ATTRIBUTE *  attrs	= keyTemplate;
+    unsigned int    templateCount;
+
+    if (numAttrs > MAX_TEMPL_ATTRS) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    /* first copy caller attributes in. */
+    for (templateCount = 0; templateCount < numAttrs; ++templateCount) {
+    	*attrs++ = *userAttr++;
+    }
+
+    /* We only add the following attributes to the template if the caller
+    ** didn't already supply them.
+    */
+    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_CLASS)) {
+	PK11_SETATTRS(attrs, CKA_CLASS,     &keyClass, sizeof keyClass); 
+	attrs++;
+    }
+    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_KEY_TYPE)) {
+	keyType = PK11_GetKeyType(target, keySize);
+	PK11_SETATTRS(attrs, CKA_KEY_TYPE,  &keyType,  sizeof keyType ); 
+	attrs++;
+    }
+    if (keySize > 0 &&
+    	  !pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_VALUE_LEN)) {
+	valueLen = (CK_ULONG)keySize;
+	PK11_SETATTRS(attrs, CKA_VALUE_LEN, &valueLen, sizeof valueLen); 
+	attrs++;
+    }
+    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, operation)) {
+	PK11_SETATTRS(attrs, operation, &cktrue, sizeof cktrue); attrs++;
+    }
+
+    templateCount = attrs - keyTemplate;
+    PR_ASSERT(templateCount <= MAX_TEMPL_ATTRS);
+
+    /* move the key to a slot that can do the function */
+    if (!PK11_DoesMechanism(slot,derive)) {
+	/* get a new base key & slot */
+	PK11SlotInfo *newSlot = PK11_GetBestSlot(derive, baseKey->cx);
+
+	if (newSlot == NULL) return NULL;
+
+        newBaseKey = pk11_CopyToSlot (newSlot, derive, CKA_DERIVE, 
+				     baseKey);
+	PK11_FreeSlot(newSlot);
+	if (newBaseKey == NULL) return NULL;	
+	baseKey = newBaseKey;
+	slot = baseKey->slot;
+    }
+
+
+    /* get our key Structure */
+    symKey = PK11_CreateSymKey(slot,target,baseKey->cx);
+    if (symKey == NULL) {
+	return NULL;
+    }
+
+    symKey->size = keySize;
+
+    mechanism.mechanism = derive;
+    if (param) {
+	mechanism.pParameter = param->data;
+	mechanism.ulParameterLen = param->len;
+    } else {
+	mechanism.pParameter = NULL;
+	mechanism.ulParameterLen = 0;
+    }
+    symKey->origin=PK11_OriginDerive;
+
+    pk11_EnterKeyMonitor(symKey);
+    crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism,
+	     baseKey->objectID, keyTemplate, templateCount, &symKey->objectID);
+    pk11_ExitKeyMonitor(symKey);
+
+    if (newBaseKey) PK11_FreeSymKey(newBaseKey);
+    if (crv != CKR_OK) {
+	PK11_FreeSymKey(symKey);
+	return NULL;
+    }
+    return symKey;
+}
+
+/* build a public KEA key from the public value */
+SECKEYPublicKey *
+PK11_MakeKEAPubKey(unsigned char *keyData,int length)
+{
+    SECKEYPublicKey *pubk;
+    SECItem pkData;
+    SECStatus rv;
+    PRArenaPool *arena;
+
+    pkData.data = keyData;
+    pkData.len = length;
+
+    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL)
+	return NULL;
+
+    pubk = (SECKEYPublicKey *) PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey));
+    if (pubk == NULL) {
+	PORT_FreeArena (arena, PR_FALSE);
+	return NULL;
+    }
+
+    pubk->arena = arena;
+    pubk->pkcs11Slot = 0;
+    pubk->pkcs11ID = CK_INVALID_HANDLE;
+    pubk->keyType = fortezzaKey;
+    rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.KEAKey, &pkData);
+    if (rv != SECSuccess) {
+	PORT_FreeArena (arena, PR_FALSE);
+	return NULL;
+    }
+    return pubk;
+}
+	
+
+/*
+ * This Generates a wrapping key based on a privateKey, publicKey, and two
+ * random numbers. For Mail usage RandomB should be NULL. In the Sender's
+ * case RandomA is generate, outherwize it is passed.
+ */
+static unsigned char *rb_email = NULL;
+
+PK11SymKey *
+PK11_PubDerive(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, 
+   PRBool isSender, SECItem *randomA, SECItem *randomB, 
+    CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
+			CK_ATTRIBUTE_TYPE operation, int keySize,void *wincx)
+{
+    PK11SlotInfo *slot = privKey->pkcs11Slot;
+    CK_MECHANISM mechanism;
+    PK11SymKey *symKey;
+    CK_RV crv;
+
+
+    if (rb_email == NULL) {
+	rb_email = PORT_ZAlloc(128);
+	if (rb_email == NULL) {
+	    return NULL;
+	}
+	rb_email[127] = 1;
+    }
+
+    /* get our key Structure */
+    symKey = PK11_CreateSymKey(slot,target,wincx);
+    if (symKey == NULL) {
+	return NULL;
+    }
+
+    symKey->origin = PK11_OriginDerive;
+
+    switch (privKey->keyType) {
+    case rsaKey:
+    case nullKey:
+	PORT_SetError(SEC_ERROR_BAD_KEY);
+	break;
+    case dsaKey:
+    case keaKey:
+    case fortezzaKey:
+	{
+	    CK_KEA_DERIVE_PARAMS param;
+	    param.isSender = (CK_BBOOL) isSender;
+	    param.ulRandomLen = randomA->len;
+	    param.pRandomA = randomA->data;
+	    param.pRandomB = rb_email;
+	    if (randomB)
+		 param.pRandomB = randomB->data;
+	    if (pubKey->keyType == fortezzaKey) {
+		param.ulPublicDataLen = pubKey->u.fortezza.KEAKey.len;
+		param.pPublicData = pubKey->u.fortezza.KEAKey.data;
+	    } else {
+		/* assert type == keaKey */
+		/* XXX change to match key key types */
+		param.ulPublicDataLen = pubKey->u.fortezza.KEAKey.len;
+		param.pPublicData = pubKey->u.fortezza.KEAKey.data;
+	    }
+
+	    mechanism.mechanism = derive;
+	    mechanism.pParameter = &param;
+	    mechanism.ulParameterLen = sizeof(param);
+
+	    /* get a new symKey structure */
+	    pk11_EnterKeyMonitor(symKey);
+	    crv=PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism,
+			privKey->pkcs11ID, NULL, 0, &symKey->objectID);
+	    pk11_ExitKeyMonitor(symKey);
+	    if (crv == CKR_OK) return symKey;
+	    PORT_SetError( PK11_MapError(crv) );
+	}
+	break;
+    case dhKey:
+	{
+	    CK_BBOOL cktrue = CK_TRUE;
+	    CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+	    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
+	    CK_ULONG key_size = 0;
+	    CK_ATTRIBUTE keyTemplate[4];
+	    int templateCount;
+	    CK_ATTRIBUTE *attrs = keyTemplate;
+
+	    if (pubKey->keyType != dhKey) {
+		PORT_SetError(SEC_ERROR_BAD_KEY);
+		break;
+	    }
+
+	    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass));
+	    attrs++;
+	    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));
+	    attrs++;
+	    PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++;
+	    PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); 
+	    attrs++;
+	    templateCount =  attrs - keyTemplate;
+	    PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
+
+	    keyType = PK11_GetKeyType(target,keySize);
+	    key_size = keySize;
+	    symKey->size = keySize;
+	    if (key_size == 0) templateCount--;
+
+	    mechanism.mechanism = derive;
+
+	    /* we can undefine these when we define diffie-helman keys */
+	    mechanism.pParameter = pubKey->u.dh.publicValue.data; 
+	    mechanism.ulParameterLen = pubKey->u.dh.publicValue.len;
+		
+	    pk11_EnterKeyMonitor(symKey);
+	    crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism,
+	     privKey->pkcs11ID, keyTemplate, templateCount, &symKey->objectID);
+	    pk11_ExitKeyMonitor(symKey);
+	    if (crv == CKR_OK) return symKey;
+	    PORT_SetError( PK11_MapError(crv) );
+	}
+	break;
+   }
+
+   PK11_FreeSymKey(symKey);
+   return NULL;
+}
+
+/*
+ * this little function uses the Decrypt function to unwrap a key, just in
+ * case we are having problem with unwrap. NOTE: The key size may
+ * not be preserved properly for some algorithms!
+ */
+static PK11SymKey *
+pk11_HandUnwrap(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey,
+                CK_MECHANISM *mech, SECItem *inKey, CK_MECHANISM_TYPE target, 
+		CK_ATTRIBUTE *keyTemplate, unsigned int templateCount, 
+		int key_size, void * wincx, CK_RV *crvp)
+{
+    CK_ULONG len;
+    SECItem outKey;
+    PK11SymKey *symKey;
+    CK_RV crv;
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+
+    /* remove any VALUE_LEN parameters */
+    if (keyTemplate[templateCount-1].type == CKA_VALUE_LEN) {
+        templateCount--;
+    }
+
+    /* keys are almost always aligned, but if we get this far,
+     * we've gone above and beyond anyway... */
+    outKey.data = (unsigned char*)PORT_Alloc(inKey->len);
+    if (outKey.data == NULL) {
+	PORT_SetError( SEC_ERROR_NO_MEMORY );
+	if (crvp) *crvp = CKR_HOST_MEMORY;
+	return NULL;
+    }
+    len = inKey->len;
+
+    /* use NULL IV's for wrapping */
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_DecryptInit(session,mech,wrappingKey);
+    if (crv != CKR_OK) {
+	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	pk11_CloseSession(slot,session,owner);
+	PORT_Free(outKey.data);
+	PORT_SetError( PK11_MapError(crv) );
+	if (crvp) *crvp =crv;
+	return NULL;
+    }
+    crv = PK11_GETTAB(slot)->C_Decrypt(session,inKey->data,inKey->len,
+							   outKey.data, &len);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    if (crv != CKR_OK) {
+	PORT_Free(outKey.data);
+	PORT_SetError( PK11_MapError(crv) );
+	if (crvp) *crvp =crv;
+	return NULL;
+    }
+
+    outKey.len = (key_size == 0) ? len : key_size;
+
+    if (PK11_DoesMechanism(slot,target)) {
+	symKey = pk11_ImportSymKeyWithTempl(slot, target, PK11_OriginUnwrap, 
+	                                    keyTemplate, templateCount, 
+					    &outKey, wincx);
+    } else {
+	slot = PK11_GetBestSlot(target,wincx);
+	if (slot == NULL) {
+	    PORT_SetError( SEC_ERROR_NO_MODULE );
+	    PORT_Free(outKey.data);
+	    if (crvp) *crvp = CKR_DEVICE_ERROR; 
+	    return NULL;
+	}
+	symKey = pk11_ImportSymKeyWithTempl(slot, target, PK11_OriginUnwrap, 
+	                                    keyTemplate, templateCount, 
+					    &outKey, wincx);
+	PK11_FreeSlot(slot);
+    }
+    PORT_Free(outKey.data);
+
+    if (crvp) *crvp = symKey? CKR_OK : CKR_DEVICE_ERROR; 
+    return symKey;
+}
+
+/*
+ * The wrap/unwrap function is pretty much the same for private and
+ * public keys. It's just getting the Object ID and slot right. This is
+ * the combined unwrap function.
+ */
+static PK11SymKey *
+pk11_AnyUnwrapKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey,
+    CK_MECHANISM_TYPE wrapType, SECItem *param, SECItem *wrappedKey, 
+    CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize, 
+    void *wincx, CK_ATTRIBUTE *userAttr, unsigned int numAttrs)
+{
+    PK11SymKey *    symKey;
+    SECItem *       param_free	= NULL;
+    CK_BBOOL        cktrue	= CK_TRUE; 
+    CK_OBJECT_CLASS keyClass	= CKO_SECRET_KEY;
+    CK_KEY_TYPE     keyType	= CKK_GENERIC_SECRET;
+    CK_ULONG        valueLen	= 0;
+    CK_MECHANISM    mechanism;
+    CK_RV           crv;
+    CK_MECHANISM_INFO mechanism_info;
+    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
+    CK_ATTRIBUTE *  attrs	= keyTemplate;
+    unsigned int    templateCount;
+
+    if (numAttrs > MAX_TEMPL_ATTRS) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    /* first copy caller attributes in. */
+    for (templateCount = 0; templateCount < numAttrs; ++templateCount) {
+    	*attrs++ = *userAttr++;
+    }
+
+    /* We only add the following attributes to the template if the caller
+    ** didn't already supply them.
+    */
+    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_CLASS)) {
+	PK11_SETATTRS(attrs, CKA_CLASS,     &keyClass, sizeof keyClass); 
+	attrs++;
+    }
+    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_KEY_TYPE)) {
+	keyType = PK11_GetKeyType(target, keySize);
+	PK11_SETATTRS(attrs, CKA_KEY_TYPE,  &keyType,  sizeof keyType ); 
+	attrs++;
+    }
+    if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, operation)) {
+	PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++;
+    }
+
+    /*
+     * must be last in case we need to use this template to import the key
+     */
+    if (keySize > 0 &&
+    	  !pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_VALUE_LEN)) {
+	valueLen = (CK_ULONG)keySize;
+	PK11_SETATTRS(attrs, CKA_VALUE_LEN, &valueLen, sizeof valueLen); 
+	attrs++;
+    }
+
+    templateCount = attrs - keyTemplate;
+    PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE));
+
+
+    /* find out if we can do wrap directly. Because the RSA case if *very*
+     * common, cache the results for it. */
+    if ((wrapType == CKM_RSA_PKCS) && (slot->hasRSAInfo)) {
+	mechanism_info.flags = slot->RSAInfoFlags;
+    } else {
+	if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+	crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,wrapType,
+				 &mechanism_info);
+    	if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+    	if (crv != CKR_OK) {
+	     mechanism_info.flags = 0;
+    	}
+        if (wrapType == CKM_RSA_PKCS) {
+	    slot->RSAInfoFlags = mechanism_info.flags;
+	    slot->hasRSAInfo = PR_TRUE;
+	}
+    }
+
+    /* initialize the mechanism structure */
+    mechanism.mechanism = wrapType;
+    /* use NULL IV's for wrapping */
+    if (param == NULL) param = param_free = PK11_ParamFromIV(wrapType,NULL);
+    if (param) {
+	mechanism.pParameter = param->data;
+	mechanism.ulParameterLen = param->len;
+    } else {
+	mechanism.pParameter = NULL;
+	mechanism.ulParameterLen = 0;
+    }
+
+    if ((mechanism_info.flags & CKF_DECRYPT)  
+				&& !PK11_DoesMechanism(slot,target)) {
+	symKey = pk11_HandUnwrap(slot, wrappingKey, &mechanism, wrappedKey, 
+	                         target, keyTemplate, templateCount, keySize, 
+				 wincx, &crv);
+	if (symKey) {
+	    if (param_free) SECITEM_FreeItem(param_free,PR_TRUE);
+	    return symKey;
+	}
+	/*
+	 * if the RSA OP simply failed, don't try to unwrap again 
+	 * with this module.
+	 */
+	if (crv == CKR_DEVICE_ERROR){
+	   return NULL;
+	}
+	/* fall through, maybe they incorrectly set CKF_DECRYPT */
+    }
+
+    /* get our key Structure */
+    symKey = PK11_CreateSymKey(slot,target,wincx);
+    if (symKey == NULL) {
+	if (param_free) SECITEM_FreeItem(param_free,PR_TRUE);
+	return NULL;
+    }
+
+    symKey->size = keySize;
+    symKey->origin = PK11_OriginUnwrap;
+
+    pk11_EnterKeyMonitor(symKey);
+    crv = PK11_GETTAB(slot)->C_UnwrapKey(symKey->session,&mechanism,wrappingKey,
+		wrappedKey->data, wrappedKey->len, keyTemplate, templateCount, 
+							  &symKey->objectID);
+    pk11_ExitKeyMonitor(symKey);
+    if (param_free) SECITEM_FreeItem(param_free,PR_TRUE);
+    if ((crv != CKR_OK) && (crv != CKR_DEVICE_ERROR)) {
+	/* try hand Unwrapping */
+	PK11_FreeSymKey(symKey);
+	symKey = pk11_HandUnwrap(slot, wrappingKey, &mechanism, wrappedKey, 
+	                         target, keyTemplate, templateCount, keySize, 
+				 wincx, NULL);
+   }
+
+   return symKey;
+}
+
+/* use a symetric key to unwrap another symetric key */
+PK11SymKey *
+PK11_UnwrapSymKey( PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
+                   SECItem *param, SECItem *wrappedKey, 
+		   CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
+		   int keySize)
+{
+    return pk11_AnyUnwrapKey(wrappingKey->slot, wrappingKey->objectID,
+		    wrapType, param, wrappedKey, target, operation, keySize, 
+		    wrappingKey->cx, NULL, 0);
+}
+
+/* use a symetric key to unwrap another symetric key */
+PK11SymKey *
+PK11_UnwrapSymKeyWithFlags(PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
+                   SECItem *param, SECItem *wrappedKey, 
+		   CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, 
+		   int keySize, CK_FLAGS flags)
+{
+    CK_BBOOL        ckTrue	= CK_TRUE; 
+    CK_ATTRIBUTE    keyTemplate[MAX_TEMPL_ATTRS];
+    unsigned int    templateCount;
+
+    templateCount = pk11_FlagsToAttributes(flags, keyTemplate, &ckTrue);
+    return pk11_AnyUnwrapKey(wrappingKey->slot, wrappingKey->objectID,
+		    wrapType, param, wrappedKey, target, operation, keySize, 
+		    wrappingKey->cx, keyTemplate, templateCount);
+}
+
+
+/* unwrap a symetric key with a private key. */
+PK11SymKey *
+PK11_PubUnwrapSymKey(SECKEYPrivateKey *wrappingKey, SECItem *wrappedKey,
+	  CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize)
+{
+    CK_MECHANISM_TYPE wrapType = pk11_mapWrapKeyType(wrappingKey->keyType);
+
+    PK11_HandlePasswordCheck(wrappingKey->pkcs11Slot,wrappingKey->wincx);
+    
+    return pk11_AnyUnwrapKey(wrappingKey->pkcs11Slot, wrappingKey->pkcs11ID,
+	wrapType, NULL, wrappedKey, target, operation, keySize, 
+	wrappingKey->wincx, NULL, 0);
+}
+
+/*
+ * Recover the Signed data. We need this because our old verify can't
+ * figure out which hash algorithm to use until we decryptted this.
+ */
+SECStatus
+PK11_VerifyRecover(SECKEYPublicKey *key,
+			 	SECItem *sig, SECItem *dsig, void *wincx)
+{
+    PK11SlotInfo *slot = key->pkcs11Slot;
+    CK_OBJECT_HANDLE id = key->pkcs11ID;
+    CK_MECHANISM mech = {0, NULL, 0 };
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_ULONG len;
+    CK_RV crv;
+
+    mech.mechanism = pk11_mapSignKeyType(key->keyType);
+
+    if (slot == NULL) {
+	slot = PK11_GetBestSlot(mech.mechanism,wincx);
+	if (slot == NULL) {
+	    	PORT_SetError( SEC_ERROR_NO_MODULE );
+		return SECFailure;
+	}
+	id = PK11_ImportPublicKey(slot,key,PR_FALSE);
+    } else {
+	PK11_ReferenceSlot(slot);
+    }
+
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_VerifyRecoverInit(session,&mech,id);
+    if (crv != CKR_OK) {
+	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	pk11_CloseSession(slot,session,owner);
+	PORT_SetError( PK11_MapError(crv) );
+	PK11_FreeSlot(slot);
+	return SECFailure;
+    }
+    len = dsig->len;
+    crv = PK11_GETTAB(slot)->C_VerifyRecover(session,sig->data,
+						sig->len, dsig->data, &len);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    dsig->len = len;
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	PK11_FreeSlot(slot);
+	return SECFailure;
+    }
+    PK11_FreeSlot(slot);
+    return SECSuccess;
+}
+
+/*
+ * verify a signature from its hash.
+ */
+SECStatus
+PK11_Verify(SECKEYPublicKey *key, SECItem *sig, SECItem *hash, void *wincx)
+{
+    PK11SlotInfo *slot = key->pkcs11Slot;
+    CK_OBJECT_HANDLE id = key->pkcs11ID;
+    CK_MECHANISM mech = {0, NULL, 0 };
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_RV crv;
+
+    mech.mechanism = pk11_mapSignKeyType(key->keyType);
+
+    if (slot == NULL) {
+	slot = PK11_GetBestSlot(mech.mechanism,wincx);
+       
+	if (slot == NULL) {
+	    PORT_SetError( SEC_ERROR_NO_MODULE );
+	    return SECFailure;
+	}
+	id = PK11_ImportPublicKey(slot,key,PR_FALSE);
+            
+    } else {
+	PK11_ReferenceSlot(slot);
+    }
+
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_VerifyInit(session,&mech,id);
+    if (crv != CKR_OK) {
+	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	pk11_CloseSession(slot,session,owner);
+	PK11_FreeSlot(slot);
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    crv = PK11_GETTAB(slot)->C_Verify(session,hash->data,
+					hash->len, sig->data, sig->len);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    PK11_FreeSlot(slot);
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * sign a hash. The algorithm is determined by the key.
+ */
+SECStatus
+PK11_Sign(SECKEYPrivateKey *key, SECItem *sig, SECItem *hash)
+{
+    PK11SlotInfo *slot = key->pkcs11Slot;
+    CK_MECHANISM mech = {0, NULL, 0 };
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_ULONG len;
+    CK_RV crv;
+
+    mech.mechanism = pk11_mapSignKeyType(key->keyType);
+
+    PK11_HandlePasswordCheck(slot, key->wincx);
+
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_SignInit(session,&mech,key->pkcs11ID);
+    if (crv != CKR_OK) {
+	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	pk11_CloseSession(slot,session,owner);
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    len = sig->len;
+    crv = PK11_GETTAB(slot)->C_Sign(session,hash->data,
+					hash->len, sig->data, &len);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    sig->len = len;
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * Now SSL 2.0 uses raw RSA stuff. These next to functions *must* use
+ * RSA keys, or they'll fail. We do the checks up front. If anyone comes
+ * up with a meaning for rawdecrypt for any other public key operation,
+ * then we need to move this check into some of PK11_PubDecrypt callers,
+ * (namely SSL 2.0).
+ */
+SECStatus
+PK11_PubDecryptRaw(SECKEYPrivateKey *key, unsigned char *data, 
+	unsigned *outLen, unsigned int maxLen, unsigned char *enc,
+							 unsigned encLen)
+{
+    PK11SlotInfo *slot = key->pkcs11Slot;
+    CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 };
+    CK_ULONG out = maxLen;
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_RV crv;
+
+    if (key->keyType != rsaKey) {
+	PORT_SetError( SEC_ERROR_INVALID_KEY );
+	return SECFailure;
+    }
+
+    /* Why do we do a PK11_handle check here? for simple
+     * decryption? .. because the user may have asked for 'ask always'
+     * and this is a private key operation. In practice, thought, it's mute
+     * since only servers wind up using this function */
+    PK11_HandlePasswordCheck(slot, key->wincx);
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_DecryptInit(session,&mech,key->pkcs11ID);
+    if (crv != CKR_OK) {
+	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	pk11_CloseSession(slot,session,owner);
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    crv = PK11_GETTAB(slot)->C_Decrypt(session,enc, encLen,
+								data, &out);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    *outLen = out;
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/* The encrypt version of the above function */
+SECStatus
+PK11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc,
+		unsigned char *data, unsigned dataLen, void *wincx)
+{
+    PK11SlotInfo *slot;
+    CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 };
+    CK_OBJECT_HANDLE id;
+    CK_ULONG out = dataLen;
+    PRBool owner = PR_TRUE;
+    CK_SESSION_HANDLE session;
+    CK_RV crv;
+
+    if (key->keyType != rsaKey) {
+	PORT_SetError( SEC_ERROR_BAD_KEY );
+	return SECFailure;
+    }
+
+    slot = PK11_GetBestSlot(mech.mechanism, wincx);
+    if (slot == NULL) {
+	PORT_SetError( SEC_ERROR_NO_MODULE );
+	return SECFailure;
+    }
+
+    id = PK11_ImportPublicKey(slot,key,PR_FALSE);
+
+    session = pk11_GetNewSession(slot,&owner);
+    if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_EncryptInit(session,&mech,id);
+    if (crv != CKR_OK) {
+	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+	pk11_CloseSession(slot,session,owner);
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    crv = PK11_GETTAB(slot)->C_Encrypt(session,data,dataLen,enc,&out);
+    if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
+    pk11_CloseSession(slot,session,owner);
+    if (crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+	
+/**********************************************************************
+ *
+ *                   Now Deal with Crypto Contexts
+ *
+ **********************************************************************/
+
+/*
+ * the monitors...
+ */
+void
+PK11_EnterContextMonitor(PK11Context *cx) {
+    /* if we own the session and our slot is ThreadSafe, only monitor
+     * the Context */
+    if ((cx->ownSession) && (cx->slot->isThreadSafe)) {
+	/* Should this use monitors instead? */
+	PZ_Lock(cx->sessionLock);
+    } else {
+	PK11_EnterSlotMonitor(cx->slot);
+    }
+}
+
+void
+PK11_ExitContextMonitor(PK11Context *cx) {
+    /* if we own the session and our slot is ThreadSafe, only monitor
+     * the Context */
+    if ((cx->ownSession) && (cx->slot->isThreadSafe)) {
+	/* Should this use monitors instead? */
+	PZ_Unlock(cx->sessionLock);
+    } else {
+	PK11_ExitSlotMonitor(cx->slot);
+    }
+}
+
+/*
+ * Free up a Cipher Context
+ */
+void
+PK11_DestroyContext(PK11Context *context, PRBool freeit)
+{
+    pk11_CloseSession(context->slot,context->session,context->ownSession);
+    /* initialize the critical fields of the context */
+    if (context->savedData != NULL ) PORT_Free(context->savedData);
+    if (context->key) PK11_FreeSymKey(context->key);
+    if (context->param) SECITEM_FreeItem(context->param, PR_TRUE);
+    if (context->sessionLock) PZ_DestroyLock(context->sessionLock);
+    PK11_FreeSlot(context->slot);
+    if (freeit) PORT_Free(context);
+}
+
+/*
+ * save the current context. Allocate Space if necessary.
+ */
+static void *
+pk11_saveContextHelper(PK11Context *context, void *space, 
+	unsigned long *savedLength, PRBool staticBuffer, PRBool recurse)
+{
+    CK_ULONG length;
+    CK_RV crv;
+
+    if (staticBuffer) PORT_Assert(space != NULL);
+
+    if (space == NULL) {
+	crv =PK11_GETTAB(context->slot)->C_GetOperationState(context->session,
+				NULL,&length);
+	if (crv != CKR_OK) {
+	    PORT_SetError( PK11_MapError(crv) );
+	    return NULL;
+	}
+	space = PORT_Alloc(length);
+	if (space == NULL) return NULL;
+	*savedLength = length;
+    }
+    crv = PK11_GETTAB(context->slot)->C_GetOperationState(context->session,
+					(CK_BYTE_PTR)space,savedLength);
+    if (!staticBuffer && !recurse && (crv == CKR_BUFFER_TOO_SMALL)) {
+	if (!staticBuffer) PORT_Free(space);
+	return pk11_saveContextHelper(context, NULL, 
+					savedLength, PR_FALSE, PR_TRUE);
+    }
+    if (crv != CKR_OK) {
+	if (!staticBuffer) PORT_Free(space);
+	PORT_SetError( PK11_MapError(crv) );
+	return NULL;
+    }
+    return space;
+}
+
+void *
+pk11_saveContext(PK11Context *context, void *space, unsigned long *savedLength)
+{
+	return pk11_saveContextHelper(context, space, 
+					savedLength, PR_FALSE, PR_FALSE);
+}
+
+/*
+ * restore the current context
+ */
+SECStatus
+pk11_restoreContext(PK11Context *context,void *space, unsigned long savedLength)
+{
+    CK_RV crv;
+    CK_OBJECT_HANDLE objectID = (context->key) ? context->key->objectID:
+			CK_INVALID_HANDLE;
+
+    PORT_Assert(space != NULL);
+    if (space == NULL) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+    crv = PK11_GETTAB(context->slot)->C_SetOperationState(context->session,
+        (CK_BYTE_PTR)space, savedLength, objectID, 0);
+    if (crv != CKR_OK) {
+       PORT_SetError( PK11_MapError(crv));
+       return SECFailure;
+   }
+   return SECSuccess;
+}
+
+SECStatus pk11_Finalize(PK11Context *context);
+
+/*
+ * Context initialization. Used by all flavors of CreateContext
+ */
+static SECStatus 
+pk11_context_init(PK11Context *context, CK_MECHANISM *mech_info)
+{
+    CK_RV crv;
+    PK11SymKey *symKey = context->key;
+    SECStatus rv = SECSuccess;
+
+    switch (context->operation) {
+    case CKA_ENCRYPT:
+	crv=PK11_GETTAB(context->slot)->C_EncryptInit(context->session,
+				mech_info, symKey->objectID);
+	break;
+    case CKA_DECRYPT:
+	if (context->fortezzaHack) {
+	    CK_ULONG count = 0;;
+	    /* generate the IV for fortezza */
+	    crv=PK11_GETTAB(context->slot)->C_EncryptInit(context->session,
+				mech_info, symKey->objectID);
+	    if (crv != CKR_OK) break;
+	    PK11_GETTAB(context->slot)->C_EncryptFinal(context->session,
+				NULL, &count);
+	}
+	crv=PK11_GETTAB(context->slot)->C_DecryptInit(context->session,
+				mech_info, symKey->objectID);
+	break;
+    case CKA_SIGN:
+	crv=PK11_GETTAB(context->slot)->C_SignInit(context->session,
+				mech_info, symKey->objectID);
+	break;
+    case CKA_VERIFY:
+	crv=PK11_GETTAB(context->slot)->C_SignInit(context->session,
+				mech_info, symKey->objectID);
+	break;
+    case CKA_DIGEST:
+	crv=PK11_GETTAB(context->slot)->C_DigestInit(context->session,
+				mech_info);
+	break;
+    default:
+	crv = CKR_OPERATION_NOT_INITIALIZED;
+	break;
+    }
+
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+        return SECFailure;
+    }
+
+    /*
+     * handle session starvation case.. use our last session to multiplex
+     */
+    if (!context->ownSession) {
+	context->savedData = pk11_saveContext(context,context->savedData,
+				&context->savedLength);
+	if (context->savedData == NULL) rv = SECFailure;
+	/* clear out out session for others to use */
+	pk11_Finalize(context);
+    }
+    return rv;
+}
+
+
+/*
+ * Common Helper Function do come up with a new context.
+ */
+static PK11Context *pk11_CreateNewContextInSlot(CK_MECHANISM_TYPE type,
+     PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey,
+							     SECItem *param)
+{
+    CK_MECHANISM mech_info;
+    PK11Context *context;
+    SECStatus rv;
+	
+    PORT_Assert(slot != NULL);
+    if (!slot) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+    context = (PK11Context *) PORT_Alloc(sizeof(PK11Context));
+    if (context == NULL) {
+	return NULL;
+    }
+
+    /* now deal with the fortezza hack... the fortezza hack is an attempt
+     * to get around the issue of the card not allowing you to do a FORTEZZA
+     * LoadIV/Encrypt, which was added because such a combination could be
+     * use to circumvent the key escrow system. Unfortunately SSL needs to
+     * do this kind of operation, so in SSL we do a loadIV (to verify it),
+     * Then GenerateIV, and through away the first 8 bytes on either side
+     * of the connection.*/
+    context->fortezzaHack = PR_FALSE;
+    if (type == CKM_SKIPJACK_CBC64) {
+	if (symKey->origin == PK11_OriginFortezzaHack) {
+	    context->fortezzaHack = PR_TRUE;
+	}
+    }
+
+    /* initialize the critical fields of the context */
+    context->operation = operation;
+    context->key = symKey ? PK11_ReferenceSymKey(symKey) : NULL;
+    context->slot = PK11_ReferenceSlot(slot);
+    context->session = pk11_GetNewSession(slot,&context->ownSession);
+    context->cx = symKey ? symKey->cx : NULL;
+    /* get our session */
+    context->savedData = NULL;
+
+    /* save the parameters so that some digesting stuff can do multiple
+     * begins on a single context */
+    context->type = type;
+    context->param = SECITEM_DupItem(param);
+    context->init = PR_FALSE;
+    context->sessionLock = PZ_NewLock(nssILockPK11cxt);
+    if ((context->param == NULL) || (context->sessionLock == NULL)) {
+	PK11_DestroyContext(context,PR_TRUE);
+	return NULL;
+    }
+
+    mech_info.mechanism = type;
+    mech_info.pParameter = param->data;
+    mech_info.ulParameterLen = param->len;
+    PK11_EnterContextMonitor(context);
+    rv = pk11_context_init(context,&mech_info);
+    PK11_ExitContextMonitor(context);
+
+    if (rv != SECSuccess) {
+	PK11_DestroyContext(context,PR_TRUE);
+	return NULL;
+    }
+    context->init = PR_TRUE;
+    return context;
+}
+
+
+/*
+ * put together the various PK11_Create_Context calls used by different
+ * parts of libsec.
+ */
+PK11Context *
+__PK11_CreateContextByRawKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+     PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, 
+						SECItem *param, void *wincx)
+{
+    PK11SymKey *symKey;
+    PK11Context *context;
+
+    /* first get a slot */
+    if (slot == NULL) {
+	slot = PK11_GetBestSlot(type,wincx);
+	if (slot == NULL) {
+	    PORT_SetError( SEC_ERROR_NO_MODULE );
+	    return NULL;
+	}
+    } else {
+	PK11_ReferenceSlot(slot);
+    }
+
+    /* now import the key */
+    symKey = PK11_ImportSymKey(slot, type, origin, operation,  key, wincx);
+    if (symKey == NULL) return NULL;
+
+    context = PK11_CreateContextBySymKey(type, operation, symKey, param);
+
+    PK11_FreeSymKey(symKey);
+    PK11_FreeSlot(slot);
+
+    return context;
+}
+
+PK11Context *
+PK11_CreateContextByRawKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+     PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, 
+						SECItem *param, void *wincx)
+{
+    return __PK11_CreateContextByRawKey(slot, type, origin, operation,
+                                        key, param, wincx);
+}
+
+
+/*
+ * Create a context from a key. We really should make sure we aren't using
+ * the same key in multiple session!
+ */
+PK11Context *
+PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type,CK_ATTRIBUTE_TYPE operation,
+			PK11SymKey *symKey, SECItem *param)
+{
+    PK11SymKey *newKey;
+    PK11Context *context;
+
+    /* if this slot doesn't support the mechanism, go to a slot that does */
+    newKey = pk11_ForceSlot(symKey,type,operation);
+    if (newKey == NULL) {
+	PK11_ReferenceSymKey(symKey);
+    } else {
+	symKey = newKey;
+    }
+
+
+    /* Context Adopts the symKey.... */
+    context = pk11_CreateNewContextInSlot(type, symKey->slot, operation, symKey,
+							     param);
+    PK11_FreeSymKey(symKey);
+    return context;
+}
+
+/*
+ * Digest contexts don't need keys, but the do need to find a slot.
+ * Macing should use PK11_CreateContextBySymKey.
+ */
+PK11Context *
+PK11_CreateDigestContext(SECOidTag hashAlg)
+{
+    /* digesting has to work without authentication to the slot */
+    CK_MECHANISM_TYPE type;
+    PK11SlotInfo *slot;
+    PK11Context *context;
+    SECItem param;
+
+    type = PK11_AlgtagToMechanism(hashAlg);
+    slot = PK11_GetBestSlot(type, NULL);
+    if (slot == NULL) {
+	PORT_SetError( SEC_ERROR_NO_MODULE );
+	return NULL;
+    }
+
+    /* maybe should really be PK11_GenerateNewParam?? */
+    param.data = NULL;
+    param.len = 0;
+
+    context = pk11_CreateNewContextInSlot(type, slot, CKA_DIGEST, NULL, &param);
+    PK11_FreeSlot(slot);
+    return context;
+}
+
+/*
+ * create a new context which is the clone of the state of old context.
+ */
+PK11Context * PK11_CloneContext(PK11Context *old)
+{
+     PK11Context *newcx;
+     PRBool needFree = PR_FALSE;
+     SECStatus rv = SECSuccess;
+     void *data;
+     unsigned long len;
+
+     newcx = pk11_CreateNewContextInSlot(old->type, old->slot, old->operation,
+						old->key, old->param);
+     if (newcx == NULL) return NULL;
+
+     /* now clone the save state. First we need to find the save state
+      * of the old session. If the old context owns it's session,
+      * the state needs to be saved, otherwise the state is in saveData. */
+     if (old->ownSession) {
+        PK11_EnterContextMonitor(old);
+	data=pk11_saveContext(old,NULL,&len);
+        PK11_ExitContextMonitor(old);
+	needFree = PR_TRUE;
+     } else {
+	data = old->savedData;
+	len = old->savedLength;
+     }
+
+     if (data == NULL) {
+	PK11_DestroyContext(newcx,PR_TRUE);
+	return NULL;
+     }
+
+     /* now copy that state into our new context. Again we have different
+      * work if the new context owns it's own session. If it does, we
+      * restore the state gathered above. If it doesn't, we copy the
+      * saveData pointer... */
+     if (newcx->ownSession) {
+        PK11_EnterContextMonitor(newcx);
+	rv = pk11_restoreContext(newcx,data,len);
+        PK11_ExitContextMonitor(newcx);
+     } else {
+	PORT_Assert(newcx->savedData != NULL);
+	if ((newcx->savedData == NULL) || (newcx->savedLength < len)) {
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    rv = SECFailure;
+	} else {
+	    PORT_Memcpy(newcx->savedData,data,len);
+	    newcx->savedLength = len;
+	}
+    }
+
+    if (needFree) PORT_Free(data);
+
+    if (rv != SECSuccess) {
+	PK11_DestroyContext(newcx,PR_TRUE);
+	return NULL;
+    }
+    return newcx;
+}
+
+/*
+ * save the current context state into a variable. Required to make FORTEZZA
+ * work.
+ */
+SECStatus
+PK11_SaveContext(PK11Context *cx,unsigned char *save,int *len, int saveLength)
+{
+    unsigned char * data = NULL;
+    CK_ULONG length = saveLength;
+
+    if (cx->ownSession) {
+        PK11_EnterContextMonitor(cx);
+	data = (unsigned char*)pk11_saveContextHelper(cx,save,&length,
+							PR_FALSE,PR_FALSE);
+        PK11_ExitContextMonitor(cx);
+	if (data) *len = length;
+    } else if ((unsigned) saveLength >= cx->savedLength) {
+	data = (unsigned char*)cx->savedData;
+	if (cx->savedData) {
+	    PORT_Memcpy(save,cx->savedData,cx->savedLength);
+	}
+	*len = cx->savedLength;
+    }
+    return (data != NULL) ? SECSuccess : SECFailure;
+}
+
+/*
+ * restore the context state into a new running context. Also required for
+ * FORTEZZA .
+ */
+SECStatus
+PK11_RestoreContext(PK11Context *cx,unsigned char *save,int len)
+{
+    SECStatus rv = SECSuccess;
+    if (cx->ownSession) {
+        PK11_EnterContextMonitor(cx);
+	pk11_Finalize(cx);
+	rv = pk11_restoreContext(cx,save,len);
+        PK11_ExitContextMonitor(cx);
+    } else {
+	PORT_Assert(cx->savedData != NULL);
+	if ((cx->savedData == NULL) || (cx->savedLength < (unsigned) len)) {
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    rv = SECFailure;
+	} else {
+	    PORT_Memcpy(cx->savedData,save,len);
+	    cx->savedLength = len;
+	}
+    }
+    return rv;
+}
+
+/*
+ * This is  to get FIPS compliance until we can convert
+ * libjar to use PK11_ hashing functions. It returns PR_FALSE
+ * if we can't get a PK11 Context.
+ */
+PRBool
+PK11_HashOK(SECOidTag algID) {
+    PK11Context *cx;
+
+    cx = PK11_CreateDigestContext(algID);
+    if (cx == NULL) return PR_FALSE;
+    PK11_DestroyContext(cx, PR_TRUE);
+    return PR_TRUE;
+}
+
+
+
+/*
+ * start a new digesting or Mac'ing operation on this context
+ */
+SECStatus PK11_DigestBegin(PK11Context *cx)
+{
+    CK_MECHANISM mech_info;
+    SECStatus rv;
+
+    if (cx->init == PR_TRUE) {
+	return SECSuccess;
+    }
+
+    /*
+     * make sure the old context is clear first
+     */
+    PK11_EnterContextMonitor(cx);
+    pk11_Finalize(cx);
+
+    mech_info.mechanism = cx->type;
+    mech_info.pParameter = cx->param->data;
+    mech_info.ulParameterLen = cx->param->len;
+    rv = pk11_context_init(cx,&mech_info);
+    PK11_ExitContextMonitor(cx);
+
+    if (rv != SECSuccess) {
+	return SECFailure;
+    }
+    cx->init = PR_TRUE;
+    return SECSuccess;
+}
+
+SECStatus
+PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, unsigned char *in, 
+								int32 len) {
+    PK11Context *context;
+    unsigned int max_length;
+    unsigned int out_length;
+    SECStatus rv;
+
+    context = PK11_CreateDigestContext(hashAlg);
+    if (context == NULL) return SECFailure;
+
+    rv = PK11_DigestBegin(context);
+    if (rv != SECSuccess) {
+	PK11_DestroyContext(context, PR_TRUE);
+	return rv;
+    }
+
+    rv = PK11_DigestOp(context, in, len);
+    if (rv != SECSuccess) {
+	PK11_DestroyContext(context, PR_TRUE);
+	return rv;
+    }
+
+    /* we need the output length ... maybe this should be table driven...*/
+    switch (hashAlg) {
+    case  SEC_OID_SHA1: max_length = SHA1_LENGTH; break;
+    case  SEC_OID_MD2: max_length = MD2_LENGTH; break;
+    case  SEC_OID_MD5: max_length = MD5_LENGTH; break;
+    default: max_length = 16; break;
+    }
+
+    rv = PK11_DigestFinal(context,out,&out_length,max_length);
+    PK11_DestroyContext(context, PR_TRUE);
+    return rv;
+}
+
+
+/*
+ * execute a bulk encryption operation
+ */
+SECStatus
+PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen, 
+				int maxout, unsigned char *in, int inlen)
+{
+    CK_RV crv = CKR_OK;
+    CK_ULONG length = maxout;
+    CK_ULONG offset =0;
+    SECStatus rv = SECSuccess;
+    unsigned char *saveOut = out;
+    unsigned char *allocOut = NULL;
+
+    /* if we ran out of session, we need to restore our previously stored
+     * state.
+     */
+    PK11_EnterContextMonitor(context);
+    if (!context->ownSession) {
+        rv = pk11_restoreContext(context,context->savedData,
+							context->savedLength);
+	if (rv != SECSuccess) {
+	    PK11_ExitContextMonitor(context);
+	    return rv;
+	}
+    }
+
+    /*
+     * The fortezza hack is to send 8 extra bytes on the first encrypted and
+     * loose them on the first decrypt.
+     */
+    if (context->fortezzaHack) {
+	unsigned char random[8];
+	if (context->operation == CKA_ENCRYPT) {
+	    PK11_ExitContextMonitor(context);
+	    rv = PK11_GenerateRandom(random,sizeof(random));
+    	    PK11_EnterContextMonitor(context);
+
+	    /* since we are offseting the output, we can't encrypt back into
+	     * the same buffer... allocate a temporary buffer just for this
+	     * call. */
+	    allocOut = out = (unsigned char*)PORT_Alloc(maxout);
+	    if (out == NULL) {
+		PK11_ExitContextMonitor(context);
+		return SECFailure;
+	    }
+	    crv = PK11_GETTAB(context->slot)->C_EncryptUpdate(context->session,
+		random,sizeof(random),out,&length);
+
+	    out += length;
+	    maxout -= length;
+	    offset = length;
+	} else if (context->operation == CKA_DECRYPT) {
+	    length = sizeof(random);
+	    crv = PK11_GETTAB(context->slot)->C_DecryptUpdate(context->session,
+		in,sizeof(random),random,&length);
+	    inlen -= length;
+	    in += length;
+	    context->fortezzaHack = PR_FALSE;
+	}
+    }
+
+    switch (context->operation) {
+    case CKA_ENCRYPT:
+	length = maxout;
+	crv=PK11_GETTAB(context->slot)->C_EncryptUpdate(context->session,
+						in, inlen, out, &length);
+	length += offset;
+	break;
+    case CKA_DECRYPT:
+	length = maxout;
+	crv=PK11_GETTAB(context->slot)->C_DecryptUpdate(context->session,
+						in, inlen, out, &length);
+	break;
+    default:
+	crv = CKR_OPERATION_NOT_INITIALIZED;
+	break;
+    }
+
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+	*outlen = 0;
+        rv = SECFailure;
+    } else {
+    	*outlen = length;
+    }
+
+    if (context->fortezzaHack) {
+	if (context->operation == CKA_ENCRYPT) {
+	    PORT_Assert(allocOut);
+	    PORT_Memcpy(saveOut, allocOut, length);
+	    PORT_Free(allocOut);
+	}
+	context->fortezzaHack = PR_FALSE;
+    }
+
+    /*
+     * handle session starvation case.. use our last session to multiplex
+     */
+    if (!context->ownSession) {
+	context->savedData = pk11_saveContext(context,context->savedData,
+				&context->savedLength);
+	if (context->savedData == NULL) rv = SECFailure;
+	
+	/* clear out out session for others to use */
+	pk11_Finalize(context);
+    }
+    PK11_ExitContextMonitor(context);
+    return rv;
+}
+
+/*
+ * execute a digest/signature operation
+ */
+SECStatus
+PK11_DigestOp(PK11Context *context, const unsigned char * in, unsigned inLen) 
+{
+    CK_RV crv = CKR_OK;
+    SECStatus rv = SECSuccess;
+
+    /* if we ran out of session, we need to restore our previously stored
+     * state.
+     */
+    context->init = PR_FALSE;
+    PK11_EnterContextMonitor(context);
+    if (!context->ownSession) {
+        rv = pk11_restoreContext(context,context->savedData,
+							context->savedLength);
+	if (rv != SECSuccess) {
+	    PK11_ExitContextMonitor(context);
+	    return rv;
+	}
+    }
+
+    switch (context->operation) {
+    /* also for MAC'ing */
+    case CKA_SIGN:
+	crv=PK11_GETTAB(context->slot)->C_SignUpdate(context->session,
+						     (unsigned char *)in, 
+						     inLen);
+	break;
+    case CKA_VERIFY:
+	crv=PK11_GETTAB(context->slot)->C_VerifyUpdate(context->session,
+						       (unsigned char *)in, 
+						       inLen);
+	break;
+    case CKA_DIGEST:
+	crv=PK11_GETTAB(context->slot)->C_DigestUpdate(context->session,
+						       (unsigned char *)in, 
+						       inLen);
+	break;
+    default:
+	crv = CKR_OPERATION_NOT_INITIALIZED;
+	break;
+    }
+
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+        rv = SECFailure;
+    }
+
+    /*
+     * handle session starvation case.. use our last session to multiplex
+     */
+    if (!context->ownSession) {
+	context->savedData = pk11_saveContext(context,context->savedData,
+				&context->savedLength);
+	if (context->savedData == NULL) rv = SECFailure;
+	
+	/* clear out out session for others to use */
+	pk11_Finalize(context);
+    }
+    PK11_ExitContextMonitor(context);
+    return rv;
+}
+
+/*
+ * Digest a key if possible./
+ */
+SECStatus
+PK11_DigestKey(PK11Context *context, PK11SymKey *key)
+{
+    CK_RV crv = CKR_OK;
+    SECStatus rv = SECSuccess;
+    PK11SymKey *newKey = NULL;
+
+    /* if we ran out of session, we need to restore our previously stored
+     * state.
+     */
+    if (context->slot != key->slot) {
+	newKey = pk11_CopyToSlot(context->slot,CKM_SSL3_SHA1_MAC,CKA_SIGN,key);
+    } else {
+	newKey = PK11_ReferenceSymKey(key);
+    }
+
+    context->init = PR_FALSE;
+    PK11_EnterContextMonitor(context);
+    if (!context->ownSession) {
+        rv = pk11_restoreContext(context,context->savedData,
+							context->savedLength);
+	if (rv != SECSuccess) {
+	    PK11_ExitContextMonitor(context);
+            PK11_FreeSymKey(newKey);
+	    return rv;
+	}
+    }
+
+
+    if (newKey == NULL) {
+	crv = CKR_KEY_TYPE_INCONSISTENT;
+	if (key->data.data) {
+	    crv=PK11_GETTAB(context->slot)->C_DigestUpdate(context->session,
+					key->data.data,key->data.len);
+	}
+    } else {
+	crv=PK11_GETTAB(context->slot)->C_DigestKey(context->session,
+							newKey->objectID);
+    }
+
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+        rv = SECFailure;
+    }
+
+    /*
+     * handle session starvation case.. use our last session to multiplex
+     */
+    if (!context->ownSession) {
+	context->savedData = pk11_saveContext(context,context->savedData,
+				&context->savedLength);
+	if (context->savedData == NULL) rv = SECFailure;
+	
+	/* clear out out session for others to use */
+	pk11_Finalize(context);
+    }
+    PK11_ExitContextMonitor(context);
+    if (newKey) PK11_FreeSymKey(newKey);
+    return rv;
+}
+
+/*
+ * externally callable version of the lowercase pk11_finalize().
+ */
+SECStatus
+PK11_Finalize(PK11Context *context) {
+    SECStatus rv;
+
+    PK11_EnterContextMonitor(context);
+    rv = pk11_Finalize(context);
+    PK11_ExitContextMonitor(context);
+    return rv;
+}
+
+/*
+ * clean up a cipher operation, so the session can be used by
+ * someone new.
+ */
+SECStatus
+pk11_Finalize(PK11Context *context)
+{
+    CK_ULONG count = 0;
+    CK_RV crv;
+
+    if (!context->ownSession) {
+	return SECSuccess;
+    }
+
+    switch (context->operation) {
+    case CKA_ENCRYPT:
+	crv=PK11_GETTAB(context->slot)->C_EncryptFinal(context->session,
+				NULL,&count);
+	break;
+    case CKA_DECRYPT:
+	crv = PK11_GETTAB(context->slot)->C_DecryptFinal(context->session,
+				NULL,&count);
+	break;
+    case CKA_SIGN:
+	crv=PK11_GETTAB(context->slot)->C_SignFinal(context->session,
+				NULL,&count);
+	break;
+    case CKA_VERIFY:
+	crv=PK11_GETTAB(context->slot)->C_VerifyFinal(context->session,
+				NULL,count);
+	break;
+    case CKA_DIGEST:
+	crv=PK11_GETTAB(context->slot)->C_DigestFinal(context->session,
+				NULL,&count);
+	break;
+    default:
+	crv = CKR_OPERATION_NOT_INITIALIZED;
+	break;
+    }
+
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ *  Return the final digested or signed data...
+ *  this routine can either take pre initialized data, or allocate data
+ *  either out of an arena or out of the standard heap.
+ */
+SECStatus
+PK11_DigestFinal(PK11Context *context,unsigned char *data, 
+			unsigned int *outLen, unsigned int length)
+{
+    CK_ULONG len;
+    CK_RV crv;
+    SECStatus rv;
+
+
+    /* if we ran out of session, we need to restore our previously stored
+     * state.
+     */
+    PK11_EnterContextMonitor(context);
+    if (!context->ownSession) {
+        rv = pk11_restoreContext(context,context->savedData,
+							context->savedLength);
+	if (rv != SECSuccess) {
+	    PK11_ExitContextMonitor(context);
+	    return rv;
+	}
+    }
+
+    len = length;
+    switch (context->operation) {
+    case CKA_SIGN:
+	crv=PK11_GETTAB(context->slot)->C_SignFinal(context->session,
+				data,&len);
+	break;
+    case CKA_VERIFY:
+	crv=PK11_GETTAB(context->slot)->C_VerifyFinal(context->session,
+				data,len);
+	break;
+    case CKA_DIGEST:
+	crv=PK11_GETTAB(context->slot)->C_DigestFinal(context->session,
+				data,&len);
+	break;
+    case CKA_ENCRYPT:
+	crv=PK11_GETTAB(context->slot)->C_EncryptFinal(context->session,
+				data, &len);
+	break;
+    case CKA_DECRYPT:
+	crv = PK11_GETTAB(context->slot)->C_DecryptFinal(context->session,
+				data, &len);
+	break;
+    default:
+	crv = CKR_OPERATION_NOT_INITIALIZED;
+	break;
+    }
+    PK11_ExitContextMonitor(context);
+
+    *outLen = (unsigned int) len;
+    context->init = PR_FALSE; /* allow Begin to start up again */
+
+
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/****************************************************************************
+ *
+ * Now Do The PBE Functions Here...
+ *
+ ****************************************************************************/
+
+static void
+pk11_destroy_ck_pbe_params(CK_PBE_PARAMS *pbe_params)
+{
+    if (pbe_params) {
+	if (pbe_params->pPassword)
+	    PORT_ZFree(pbe_params->pPassword, PR_FALSE);
+	if (pbe_params->pSalt)
+	    PORT_ZFree(pbe_params->pSalt, PR_FALSE);
+	PORT_ZFree(pbe_params, PR_TRUE);
+    }
+}
+
+SECItem * 
+PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations)
+{
+    CK_PBE_PARAMS *pbe_params = NULL;
+    SECItem *paramRV = NULL;
+    pbe_params = (CK_PBE_PARAMS *)PORT_ZAlloc(sizeof(CK_PBE_PARAMS));
+    pbe_params->pPassword = (CK_CHAR_PTR)PORT_ZAlloc(pwd->len);
+    if (pbe_params->pPassword != NULL) {
+	PORT_Memcpy(pbe_params->pPassword, pwd->data, pwd->len);
+	pbe_params->ulPasswordLen = pwd->len;
+    } else goto loser;
+    pbe_params->pSalt = (CK_CHAR_PTR)PORT_ZAlloc(salt->len);
+    if (pbe_params->pSalt != NULL) {
+	PORT_Memcpy(pbe_params->pSalt, salt->data, salt->len);
+	pbe_params->ulSaltLen = salt->len;
+    } else goto loser;
+    pbe_params->ulIteration = (CK_ULONG)iterations;
+    paramRV = SECITEM_AllocItem(NULL, NULL, sizeof(CK_PBE_PARAMS));
+    paramRV->data = (unsigned char *)pbe_params;
+    return paramRV;
+loser:
+    pk11_destroy_ck_pbe_params(pbe_params);
+    return NULL;
+}
+
+void
+PK11_DestroyPBEParams(SECItem *params)
+{
+    pk11_destroy_ck_pbe_params((CK_PBE_PARAMS *)params->data);
+}
+
+SECAlgorithmID *
+PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt)
+{
+    SECAlgorithmID *algid = NULL;
+    algid = SEC_PKCS5CreateAlgorithmID(algorithm, salt, iteration);
+    return algid;
+}
+
+PK11SymKey *
+PK11_RawPBEKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *mech,
+			 SECItem *pwitem, PRBool faulty3DES, void *wincx)
+{
+    /* pbe stuff */
+    CK_PBE_PARAMS *pbe_params;
+    PK11SymKey *symKey;
+
+    if(faulty3DES && (type == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC)) {
+	type = CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC;
+    }
+    if(mech == NULL) {
+	return NULL;
+    }
+
+    pbe_params = (CK_PBE_PARAMS *)mech->data;
+    pbe_params->pPassword = (CK_CHAR_PTR)PORT_ZAlloc(pwitem->len);
+    if(pbe_params->pPassword != NULL) {
+	PORT_Memcpy(pbe_params->pPassword, pwitem->data, pwitem->len);
+	pbe_params->ulPasswordLen = pwitem->len;
+    } else {
+	SECITEM_ZfreeItem(mech, PR_TRUE);
+	return NULL;
+    }
+
+    symKey = PK11_KeyGen(slot, type, mech, 0, wincx);
+
+    PORT_ZFree(pbe_params->pPassword, pwitem->len);
+    pbe_params->pPassword = NULL;
+    pbe_params->ulPasswordLen = 0;
+    return symKey;
+}
+
+PK11SymKey *
+PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem,
+	       					PRBool faulty3DES, void *wincx)
+{
+    /* pbe stuff */
+    CK_MECHANISM_TYPE type;
+    SECItem *mech;
+    PK11SymKey *symKey;
+
+    mech = PK11_ParamFromAlgid(algid);
+    type = PK11_AlgtagToMechanism(SECOID_FindOIDTag(&algid->algorithm));
+    if(faulty3DES && (type == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC)) {
+	type = CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC;
+    }
+    if(mech == NULL) {
+	return NULL;
+    }
+    symKey = PK11_RawPBEKeyGen(slot, type, mech, pwitem, faulty3DES, wincx);
+
+    SECITEM_ZfreeItem(mech, PR_TRUE);
+    return symKey;
+}
+
+
+SECStatus 
+PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
+			SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem,
+			SECItem *nickname, SECItem *publicValue, PRBool isPerm,
+			PRBool isPrivate, KeyType keyType, unsigned int keyUsage,
+			void *wincx)
+{
+    CK_MECHANISM_TYPE mechanism;
+    SECItem *pbe_param, crypto_param;
+    PK11SymKey *key = NULL;
+    SECStatus rv = SECSuccess;
+    CK_MECHANISM cryptoMech, pbeMech;
+    CK_RV crv;
+    SECKEYPrivateKey *privKey = NULL;
+    PRBool faulty3DES = PR_FALSE;
+    int usageCount = 0;
+    CK_KEY_TYPE key_type;
+    CK_ATTRIBUTE_TYPE *usage = NULL;
+    CK_ATTRIBUTE_TYPE rsaUsage[] = {
+		 CKA_UNWRAP, CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER };
+    CK_ATTRIBUTE_TYPE dsaUsage[] = { CKA_SIGN };
+    CK_ATTRIBUTE_TYPE dhUsage[] = { CKA_DERIVE };
+
+    if((epki == NULL) || (pwitem == NULL))
+	return SECFailure;
+
+    crypto_param.data = NULL;
+
+    mechanism = PK11_AlgtagToMechanism(SECOID_FindOIDTag(
+					&epki->algorithm.algorithm));
+
+    switch (keyType) {
+    default:
+    case rsaKey:
+	key_type = CKK_RSA;
+	switch  (keyUsage & (KU_KEY_ENCIPHERMENT|KU_DIGITAL_SIGNATURE)) {
+	case KU_KEY_ENCIPHERMENT:
+	    usage = rsaUsage;
+	    usageCount = 2;
+	    break;
+	case KU_DIGITAL_SIGNATURE:
+	    usage = &rsaUsage[2];
+	    usageCount = 2;
+	    break;
+	case KU_KEY_ENCIPHERMENT|KU_DIGITAL_SIGNATURE:
+	case 0: /* default to everything */
+	    usage = rsaUsage;
+	    usageCount = 4;
+	    break;
+	}
+        break;
+    case dhKey:
+	key_type = CKK_DH;
+	usage = dhUsage;
+	usageCount = sizeof(dhUsage)/sizeof(dhUsage[0]);
+	break;
+    case dsaKey:
+	key_type = CKK_DSA;
+	usage = dsaUsage;
+	usageCount = sizeof(dsaUsage)/sizeof(dsaUsage[0]);
+	break;
+    }
+
+try_faulty_3des:
+    pbe_param = PK11_ParamFromAlgid(&epki->algorithm);
+
+    key = PK11_RawPBEKeyGen(slot, mechanism, pbe_param, pwitem, 
+							faulty3DES, wincx);
+    if((key == NULL) || (pbe_param == NULL)) {
+	rv = SECFailure;
+	goto done;
+    }
+
+    pbeMech.mechanism = mechanism;
+    pbeMech.pParameter = pbe_param->data;
+    pbeMech.ulParameterLen = pbe_param->len;
+
+    crv = PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, 
+					        pwitem, faulty3DES);
+    if(crv != CKR_OK) {
+	rv = SECFailure;
+	goto done;
+    }
+
+    cryptoMech.mechanism = PK11_GetPadMechanism(cryptoMech.mechanism);
+    crypto_param.data = (unsigned char*)cryptoMech.pParameter;
+    crypto_param.len = cryptoMech.ulParameterLen;
+
+    PORT_Assert(usage != NULL);
+    PORT_Assert(usageCount != 0);
+    privKey = PK11_UnwrapPrivKey(slot, key, cryptoMech.mechanism, 
+				 &crypto_param, &epki->encryptedData, 
+				 nickname, publicValue, isPerm, isPrivate,
+				 key_type, usage, usageCount, wincx);
+    if(privKey) {
+	SECKEY_DestroyPrivateKey(privKey);
+	privKey = NULL;
+	rv = SECSuccess;
+	goto done;
+    }
+
+    /* if we are unable to import the key and the mechanism is 
+     * CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, then it is possible that
+     * the encrypted blob was created with a buggy key generation method
+     * which is described in the PKCS 12 implementation notes.  So we
+     * need to try importing via that method.
+     */ 
+    if((mechanism == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC) && (!faulty3DES)) {
+	/* clean up after ourselves before redoing the key generation. */
+
+	PK11_FreeSymKey(key);
+	key = NULL;
+
+	if(pbe_param) {
+	    SECITEM_ZfreeItem(pbe_param, PR_TRUE);
+	    pbe_param = NULL;
+	}
+
+	if(crypto_param.data) {
+	    SECITEM_ZfreeItem(&crypto_param, PR_FALSE);
+	    crypto_param.data = NULL;
+	    cryptoMech.pParameter = NULL;
+	    crypto_param.len = cryptoMech.ulParameterLen = 0;
+	}
+
+	faulty3DES = PR_TRUE;
+	goto try_faulty_3des;
+    }
+
+    /* key import really did fail */
+    rv = SECFailure;
+
+done:
+    if(pbe_param != NULL) {
+	SECITEM_ZfreeItem(pbe_param, PR_TRUE);
+	pbe_param = NULL;
+    }
+
+    if(crypto_param.data != NULL) {
+	SECITEM_ZfreeItem(&crypto_param, PR_FALSE);
+    }
+
+    if(key != NULL) {
+    	PK11_FreeSymKey(key);
+    }
+
+    return rv;
+}
+
+SECKEYPrivateKeyInfo *
+PK11_ExportPrivateKeyInfo(CERTCertificate *cert, void *wincx)
+{
+    return NULL;
+}
+
+static int
+pk11_private_key_encrypt_buffer_length(SECKEYPrivateKey *key)
+				
+{
+    CK_ATTRIBUTE rsaTemplate = { CKA_MODULUS, NULL, 0 };
+    CK_ATTRIBUTE dsaTemplate = { CKA_PRIME, NULL, 0 };
+    CK_ATTRIBUTE_PTR pTemplate;
+    CK_RV crv;
+    int length;
+
+    if(!key) {
+	return -1;
+    }
+
+    switch (key->keyType) {
+	case rsaKey:
+	    pTemplate = &rsaTemplate;
+	    break;
+	case dsaKey:
+	case dhKey:
+	    pTemplate = &dsaTemplate;
+	    break;
+	case fortezzaKey:
+	default:
+	    pTemplate = NULL;
+    }
+
+    if(!pTemplate) {
+	return -1;
+    }
+
+    crv = PK11_GetAttributes(NULL, key->pkcs11Slot, key->pkcs11ID, 
+								pTemplate, 1);
+    if(crv != CKR_OK) {
+	PORT_SetError( PK11_MapError(crv) );
+	return -1;
+    }
+
+    length = pTemplate->ulValueLen;
+    length *= 10;
+
+    if(pTemplate->pValue != NULL) {
+	PORT_Free(pTemplate->pValue);
+    }
+
+    return length;
+}
+
+SECKEYEncryptedPrivateKeyInfo * 
+PK11_ExportEncryptedPrivateKeyInfo(PK11SlotInfo *slot, SECOidTag algTag,
+   SECItem *pwitem, CERTCertificate *cert, int iteration, void *wincx)
+{
+    SECKEYEncryptedPrivateKeyInfo *epki = NULL;
+    SECKEYPrivateKey *pk;
+    PRArenaPool *arena = NULL;
+    SECAlgorithmID *algid;
+    CK_MECHANISM_TYPE mechanism;
+    SECItem *pbe_param = NULL, crypto_param;
+    PK11SymKey *key = NULL;
+    SECStatus rv = SECSuccess;
+    CK_MECHANISM pbeMech, cryptoMech;
+    CK_ULONG encBufLenPtr;
+    CK_RV crv;
+    SECItem encryptedKey = {siBuffer,NULL,0};
+    int encryptBufLen;
+
+    if(!pwitem)
+	return NULL;
+
+    crypto_param.data = NULL;
+
+    arena = PORT_NewArena(2048);
+    epki = (SECKEYEncryptedPrivateKeyInfo *)PORT_ArenaZAlloc(arena, 
+    		sizeof(SECKEYEncryptedPrivateKeyInfo));
+    if(epki == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+    epki->arena = arena;
+    algid = SEC_PKCS5CreateAlgorithmID(algTag, NULL, iteration);
+    if(algid == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    mechanism = PK11_AlgtagToMechanism(SECOID_FindOIDTag(&algid->algorithm));
+    pbe_param = PK11_ParamFromAlgid(algid);
+    pbeMech.mechanism = mechanism;
+    pbeMech.pParameter = pbe_param->data;
+    pbeMech.ulParameterLen = pbe_param->len;
+    key = PK11_RawPBEKeyGen(slot, mechanism, pbe_param, pwitem, 
+							PR_FALSE, wincx);
+
+    if((key == NULL) || (pbe_param == NULL)) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    crv = PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, 
+						pwitem, PR_FALSE);
+    if(crv != CKR_OK) {
+	rv = SECFailure;
+	goto loser;
+    }
+    cryptoMech.mechanism = PK11_GetPadMechanism(cryptoMech.mechanism);
+    crypto_param.data = (unsigned char *)cryptoMech.pParameter;
+    crypto_param.len = cryptoMech.ulParameterLen;
+
+    pk = PK11_FindKeyByAnyCert(cert, wincx);
+    if(pk == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    encryptBufLen = pk11_private_key_encrypt_buffer_length(pk); 
+    if(encryptBufLen == -1) {
+	rv = SECFailure;
+	goto loser;
+    }
+    encryptedKey.len = (unsigned int)encryptBufLen;
+    encBufLenPtr = (CK_ULONG) encryptBufLen;
+    encryptedKey.data = (unsigned char *)PORT_ZAlloc(encryptedKey.len);
+    if(!encryptedKey.data) {
+	rv = SECFailure;
+	goto loser;
+    }
+	
+    /* we are extracting an encrypted privateKey structure.
+     * which needs to be freed along with the buffer into which it is
+     * returned.  eventually, we should retrieve an encrypted key using
+     * pkcs8/pkcs5.
+     */
+    PK11_EnterSlotMonitor(pk->pkcs11Slot);
+    crv = PK11_GETTAB(pk->pkcs11Slot)->C_WrapKey(pk->pkcs11Slot->session, 
+    		&cryptoMech, key->objectID, pk->pkcs11ID, encryptedKey.data, 
+		&encBufLenPtr); 
+    PK11_ExitSlotMonitor(pk->pkcs11Slot);
+    encryptedKey.len = (unsigned int) encBufLenPtr;
+    if(crv != CKR_OK) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    if(!encryptedKey.len) {
+	rv = SECFailure;
+	goto loser;
+    }
+    
+    rv = SECITEM_CopyItem(arena, &epki->encryptedData, &encryptedKey);
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+
+    rv = SECOID_CopyAlgorithmID(arena, &epki->algorithm, algid);
+
+loser:
+    if(pbe_param != NULL) {
+	SECITEM_ZfreeItem(pbe_param, PR_TRUE);
+	pbe_param = NULL;
+    }
+
+    if(crypto_param.data != NULL) {
+	SECITEM_ZfreeItem(&crypto_param, PR_FALSE);
+	crypto_param.data = NULL;
+    }
+
+    if(key != NULL) {
+    	PK11_FreeSymKey(key);
+    }
+
+    if(rv == SECFailure) {
+	if(arena != NULL) {
+	    PORT_FreeArena(arena, PR_TRUE);
+	}
+	epki = NULL;
+    }
+
+    return epki;
+}
+
+
+/*
+ * This is required to allow FORTEZZA_NULL and FORTEZZA_RC4
+ * working. This function simply gets a valid IV for the keys.
+ */
+SECStatus
+PK11_GenerateFortezzaIV(PK11SymKey *symKey,unsigned char *iv,int len)
+{
+    CK_MECHANISM mech_info;
+    CK_ULONG count = 0;
+    CK_RV crv;
+    SECStatus rv = SECFailure;
+
+    mech_info.mechanism = CKM_SKIPJACK_CBC64;
+    mech_info.pParameter = iv;
+    mech_info.ulParameterLen = len;
+
+    /* generate the IV for fortezza */
+    PK11_EnterSlotMonitor(symKey->slot);
+    crv=PK11_GETTAB(symKey->slot)->C_EncryptInit(symKey->slot->session,
+				&mech_info, symKey->objectID);
+    if (crv == CKR_OK) {
+	PK11_GETTAB(symKey->slot)->C_EncryptFinal(symKey->slot->session, 
+								NULL, &count);
+	rv = SECSuccess;
+    }
+    PK11_ExitSlotMonitor(symKey->slot);
+    return rv;
+}
+
+SECKEYPrivateKey *
+PK11_UnwrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
+		   CK_MECHANISM_TYPE wrapType, SECItem *param, 
+		   SECItem *wrappedKey, SECItem *label, 
+		   SECItem *idValue, PRBool perm, PRBool sensitive,
+		   CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage, int usageCount,
+		   void *wincx)
+{
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+    CK_ATTRIBUTE keyTemplate[15] ;
+    int templateCount = 0;
+    CK_OBJECT_HANDLE privKeyID;
+    CK_MECHANISM mechanism;
+    CK_ATTRIBUTE *attrs = keyTemplate;
+    SECItem *param_free = NULL, *ck_id;
+    CK_RV crv;
+    CK_SESSION_HANDLE rwsession;
+    PK11SymKey *newKey = NULL;
+    int i;
+
+    if(!slot || !wrappedKey || !idValue) {
+	/* SET AN ERROR!!! */
+	return NULL;
+    }
+
+    ck_id = PK11_MakeIDFromPubKey(idValue);
+    if(!ck_id) {
+	return NULL;
+    }
+
+    PK11_SETATTRS(attrs, CKA_TOKEN, perm ? &cktrue : &ckfalse,
+					 sizeof(cktrue)); attrs++;
+    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); attrs++;
+    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); attrs++;
+    PK11_SETATTRS(attrs, CKA_PRIVATE, sensitive ? &cktrue : &ckfalse,
+					 sizeof(cktrue)); attrs++;
+    PK11_SETATTRS(attrs, CKA_SENSITIVE, sensitive ? &cktrue : &ckfalse,
+					sizeof(cktrue)); attrs++;
+    PK11_SETATTRS(attrs, CKA_LABEL, label->data, label->len); attrs++;
+    PK11_SETATTRS(attrs, CKA_ID, ck_id->data, ck_id->len); attrs++;
+    for (i=0; i < usageCount; i++) {
+    	PK11_SETATTRS(attrs, usage[i], &cktrue, sizeof(cktrue)); attrs++;
+    }
+
+    if (PK11_IsInternal(slot)) {
+	PK11_SETATTRS(attrs, CKA_NETSCAPE_DB, idValue->data, 
+		      idValue->len); attrs++;
+    }
+
+    templateCount = attrs - keyTemplate;
+    PR_ASSERT(templateCount <= (sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)) );
+
+    mechanism.mechanism = wrapType;
+    if(!param) param = param_free= PK11_ParamFromIV(wrapType, NULL);
+    if(param) {
+	mechanism.pParameter = param->data;
+	mechanism.ulParameterLen = param->len;
+    } else {
+	mechanism.pParameter = NULL;
+	mechanism.ulParameterLen = 0;
+    }
+
+    if (wrappingKey->slot != slot) {
+	newKey = pk11_CopyToSlot(slot,wrapType,CKA_WRAP,wrappingKey);
+    } else {
+	newKey = PK11_ReferenceSymKey(wrappingKey);
+    }
+
+    if (newKey) {
+	if (perm) {
+	    rwsession = PK11_GetRWSession(slot);
+	} else {
+	    rwsession = slot->session;
+	}
+	crv = PK11_GETTAB(slot)->C_UnwrapKey(rwsession, &mechanism, 
+					 newKey->objectID,
+					 wrappedKey->data, 
+					 wrappedKey->len, keyTemplate, 
+					 templateCount, &privKeyID);
+
+	if (perm) PK11_RestoreROSession(slot, rwsession);
+	PK11_FreeSymKey(newKey);
+    } else {
+	crv = CKR_FUNCTION_NOT_SUPPORTED;
+    }
+
+    if(ck_id) {
+	SECITEM_FreeItem(ck_id, PR_TRUE);
+	ck_id = NULL;
+    }
+
+    if (crv != CKR_OK) {
+	/* we couldn't unwrap the key, use the internal module to do the
+	 * unwrap, then load the new key into the token */
+	 PK11SlotInfo *int_slot = PK11_GetInternalSlot();
+
+	if (int_slot && (slot != int_slot)) {
+	    SECKEYPrivateKey *privKey = PK11_UnwrapPrivKey(int_slot,
+			wrappingKey, wrapType, param, wrappedKey, label,
+			idValue, PR_FALSE, PR_FALSE, 
+			keyType, usage, usageCount, wincx);
+	    if (privKey) {
+		SECKEYPrivateKey *newPrivKey = pk11_loadPrivKey(slot,privKey,
+						NULL,perm,sensitive);
+		SECKEY_DestroyPrivateKey(privKey);
+		PK11_FreeSlot(int_slot);
+		return newPrivKey;
+	    }
+	}
+	if (int_slot) PK11_FreeSlot(int_slot);
+	PORT_SetError( PK11_MapError(crv) );
+	return NULL;
+    }
+    return PK11_MakePrivKey(slot, nullKey, PR_FALSE, privKeyID, wincx);
+}
+
+#define ALLOC_BLOCK  10
+
+/*
+ * Now we're going to wrap a SECKEYPrivateKey with a PK11SymKey
+ * The strategy is to get both keys to reside in the same slot,
+ * one that can perform the desired crypto mechanism and then
+ * call C_WrapKey after all the setup has taken place.
+ */
+SECStatus
+PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey, 
+		 SECKEYPrivateKey *privKey, CK_MECHANISM_TYPE wrapType, 
+		 SECItem *param, SECItem *wrappedKey, void *wincx)
+{
+    PK11SlotInfo     *privSlot   = privKey->pkcs11Slot; /* The slot where
+							 * the private key
+							 * we are going to
+							 * wrap lives.
+							 */
+    PK11SymKey       *newSymKey  = NULL;
+    SECKEYPrivateKey *newPrivKey = NULL;
+    SECItem          *param_free = NULL;
+    CK_ULONG          len        = wrappedKey->len;
+    CK_MECHANISM      mech;
+    CK_RV             crv;
+
+    if (!privSlot || !PK11_DoesMechanism(privSlot, wrapType)) {
+        /* Figure out a slot that does the mechanism and try to import
+	 * the private key onto that slot.
+	 */
+        PK11SlotInfo *int_slot = PK11_GetInternalSlot();
+
+	privSlot = int_slot; /* The private key has a new home */
+	newPrivKey = pk11_loadPrivKey(privSlot,privKey,NULL,PR_FALSE,PR_FALSE);
+	if (newPrivKey == NULL) {
+	    PK11_FreeSlot (int_slot);
+	    return SECFailure;
+	}
+	privKey = newPrivKey;
+    }
+
+    if (privSlot != wrappingKey->slot) {
+        newSymKey = pk11_CopyToSlot (privSlot, wrapType, CKA_WRAP, 
+				     wrappingKey);
+	wrappingKey = newSymKey;
+    }
+
+    if (wrappingKey == NULL) {
+        if (newPrivKey) {
+		SECKEY_DestroyPrivateKey(newPrivKey);
+	}
+	return SECFailure;
+    }
+    mech.mechanism = wrapType;
+    if (!param) {
+        param = param_free = PK11_ParamFromIV(wrapType, NULL);
+    }
+    if (param) {
+        mech.pParameter     = param->data;
+	mech.ulParameterLen = param->len;
+    } else {
+        mech.pParameter     = NULL;
+	mech.ulParameterLen = 0;
+    }
+
+    PK11_EnterSlotMonitor(privSlot);
+    crv = PK11_GETTAB(privSlot)->C_WrapKey(privSlot->session, &mech, 
+					   wrappingKey->objectID, 
+					   privKey->pkcs11ID,
+					   wrappedKey->data, &len);
+    PK11_ExitSlotMonitor(privSlot);
+
+    if (newSymKey) {
+        PK11_FreeSymKey(newSymKey);
+    }
+    if (newPrivKey) {
+        SECKEY_DestroyPrivateKey(newPrivKey);
+    }
+
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+	return SECFailure;
+    }
+
+    wrappedKey->len = len;
+    return SECSuccess;
+}
+    
+void   
+PK11_SetFortezzaHack(PK11SymKey *symKey) { 
+   symKey->origin = PK11_OriginFortezzaHack;
+}
+
+SECItem*
+PK11_DEREncodePublicKey(SECKEYPublicKey *pubk)
+{
+    CERTSubjectPublicKeyInfo *spki=NULL;
+    SECItem *spkiDER = NULL;
+
+    if( pubk == NULL ) {
+        return NULL;
+    }
+
+    /* get the subjectpublickeyinfo */
+    spki = SECKEY_CreateSubjectPublicKeyInfo(pubk);
+    if( spki == NULL ) {
+        goto finish;
+    }
+
+    /* DER-encode the subjectpublickeyinfo */
+    spkiDER = SEC_ASN1EncodeItem(NULL /*arena*/, NULL/*dest*/, spki,
+                    CERT_SubjectPublicKeyInfoTemplate);
+
+finish:
+    return spkiDER;
+}
+
+PK11SymKey*
+PK11_CopySymKeyForSigning(PK11SymKey *originalKey, CK_MECHANISM_TYPE mech)
+{
+    return pk11_CopyToSlot(PK11_GetSlotFromKey(originalKey), mech, CKA_SIGN,
+			originalKey);
+}
+
+char *
+PK11_GetSymKeyNickname(PK11SymKey *symKey)
+{
+    return PK11_GetObjectNickname(symKey->slot,symKey->objectID);
+}
+
+char *
+PK11_GetPrivateKeyNickname(SECKEYPrivateKey *privKey)
+{
+    return PK11_GetObjectNickname(privKey->pkcs11Slot,privKey->pkcs11ID);
+}
+
+char *
+PK11_GetPublicKeyNickname(SECKEYPublicKey *pubKey)
+{
+    return PK11_GetObjectNickname(pubKey->pkcs11Slot,pubKey->pkcs11ID);
+}
+
+SECStatus
+PK11_SetSymKeyNickname(PK11SymKey *symKey, const char *nickname)
+{
+    return PK11_SetObjectNickname(symKey->slot,symKey->objectID,nickname);
+}
+
+SECStatus
+PK11_SetPrivateKeyNickname(SECKEYPrivateKey *privKey, const char *nickname)
+{
+    return PK11_SetObjectNickname(privKey->pkcs11Slot,
+					privKey->pkcs11ID,nickname);
+}
+
+SECStatus
+PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey, const char *nickname)
+{
+    return PK11_SetObjectNickname(pubKey->pkcs11Slot,
+					pubKey->pkcs11ID,nickname);
+}
+
+SECKEYPQGParams *
+PK11_GetPQGParamsFromPrivateKey(SECKEYPrivateKey *privKey)
+{
+    CK_ATTRIBUTE pTemplate[] = {
+	{ CKA_PRIME, NULL, 0 },
+	{ CKA_SUBPRIME, NULL, 0 },
+	{ CKA_BASE, NULL, 0 },
+    };
+    int pTemplateLen = sizeof(pTemplate)/sizeof(pTemplate[0]);
+    PRArenaPool *arena = NULL;
+    SECKEYPQGParams *params;
+    CK_RV crv;
+
+
+    arena = PORT_NewArena(2048);
+    if (arena == NULL) {
+	goto loser;
+    }
+    params=(SECKEYPQGParams *)PORT_ArenaZAlloc(arena,sizeof(SECKEYPQGParams));
+    if (params == NULL) {
+	goto loser;
+    }
+
+    crv = PK11_GetAttributes(arena, privKey->pkcs11Slot, privKey->pkcs11ID, 
+						pTemplate, pTemplateLen);
+    if (crv != CKR_OK) {
+        PORT_SetError( PK11_MapError(crv) );
+	goto loser;
+    }
+
+    params->arena = arena;
+    params->prime.data = pTemplate[0].pValue;
+    params->prime.len = pTemplate[0].ulValueLen;
+    params->subPrime.data = pTemplate[1].pValue;
+    params->subPrime.len = pTemplate[1].ulValueLen;
+    params->base.data = pTemplate[2].pValue;
+    params->base.len = pTemplate[2].ulValueLen;
+
+    return params;
+
+loser:
+    if (arena != NULL) {
+	PORT_FreeArena(arena,PR_FALSE);
+    }
+    return NULL;
+}
+
+PK11SymKey *
+PK11_GetNextSymKey(PK11SymKey *symKey)
+{
+    return symKey ? symKey->next : NULL;
+}
diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c
new file mode 100644
index 000000000..cd2d29bd4
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11slot.c
@@ -0,0 +1,4480 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s): 
+ *	Dr Stephen Henson <stephen.henson@gemplus.com>
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * Deal with PKCS #11 Slots.
+ */
+#include "seccomon.h"
+#include "secmod.h"
+#include "nssilock.h"
+#include "secmodi.h"
+#include "pkcs11t.h"
+#include "pk11func.h"
+#include "cert.h"
+#include "key.h"
+#include "secitem.h"
+#include "secder.h"
+#include "secasn1.h"
+#include "secoid.h"
+#include "prtime.h"
+#include "prlong.h"
+#include "secerr.h"
+/*#include "secpkcs5.h" */
+
+#include "dev.h"
+#include "dev3hack.h"
+#include "pki3hack.h"
+
+
+/*************************************************************
+ * local static and global data
+ *************************************************************/
+
+/*
+ * This array helps parsing between names, mechanisms, and flags.
+ * to make the config files understand more entries, add them
+ * to this table. (NOTE: we need function to export this table and it's size)
+ */
+PK11DefaultArrayEntry PK11_DefaultArray[] = {
+	{ "RSA", SECMOD_RSA_FLAG, CKM_RSA_PKCS },
+	{ "DSA", SECMOD_DSA_FLAG, CKM_DSA },
+	{ "DH", SECMOD_DH_FLAG, CKM_DH_PKCS_DERIVE },
+	{ "RC2", SECMOD_RC2_FLAG, CKM_RC2_CBC },
+	{ "RC4", SECMOD_RC4_FLAG, CKM_RC4 },
+	{ "DES", SECMOD_DES_FLAG, CKM_DES_CBC },
+	{ "AES", SECMOD_AES_FLAG, CKM_AES_CBC },
+	{ "RC5", SECMOD_RC5_FLAG, CKM_RC5_CBC },
+	{ "SHA-1", SECMOD_SHA1_FLAG, CKM_SHA_1 },
+	{ "MD5", SECMOD_MD5_FLAG, CKM_MD5 },
+	{ "MD2", SECMOD_MD2_FLAG, CKM_MD2 },
+	{ "SSL", SECMOD_SSL_FLAG, CKM_SSL3_PRE_MASTER_KEY_GEN },
+	{ "TLS", SECMOD_TLS_FLAG, CKM_TLS_MASTER_KEY_DERIVE },
+	{ "SKIPJACK", SECMOD_FORTEZZA_FLAG, CKM_SKIPJACK_CBC64 },
+	{ "Publicly-readable certs", SECMOD_FRIENDLY_FLAG, CKM_INVALID_MECHANISM },
+	{ "Random Num Generator", SECMOD_RANDOM_FLAG, CKM_FAKE_RANDOM },
+};
+int num_pk11_default_mechanisms = sizeof(PK11_DefaultArray) / sizeof(PK11_DefaultArray[0]);
+
+/*
+ * These  slotlists are lists of modules which provide default support for
+ *  a given algorithm or mechanism.
+ */
+static PK11SlotList pk11_aesSlotList,
+    pk11_desSlotList,
+    pk11_rc4SlotList,
+    pk11_rc2SlotList,
+    pk11_rc5SlotList,
+    pk11_sha1SlotList,
+    pk11_md5SlotList,
+    pk11_md2SlotList,
+    pk11_rsaSlotList,
+    pk11_dsaSlotList,
+    pk11_dhSlotList,
+    pk11_ideaSlotList,
+    pk11_sslSlotList,
+    pk11_tlsSlotList,
+    pk11_randomSlotList;
+
+/*
+ * Tables used for Extended mechanism mapping (currently not used)
+ */
+typedef struct {
+	CK_MECHANISM_TYPE keyGen;
+	CK_KEY_TYPE keyType;
+	CK_MECHANISM_TYPE type;
+	int blockSize;
+	int iv;
+} pk11MechanismData;
+	
+static pk11MechanismData pk11_default = 
+  { CKM_GENERIC_SECRET_KEY_GEN, CKK_GENERIC_SECRET, CKM_FAKE_RANDOM, 8, 8 };
+static pk11MechanismData *pk11_MechanismTable = NULL;
+static int pk11_MechTableSize = 0;
+static int pk11_MechEntrySize = 0;
+
+/*
+ * list of mechanisms we're willing to wrap secret keys with.
+ * This list is ordered by preference.
+ */
+CK_MECHANISM_TYPE wrapMechanismList[] = {
+    CKM_DES3_ECB,
+    CKM_CAST5_ECB,
+    CKM_AES_ECB,
+    CKM_CAST5_ECB,
+    CKM_DES_ECB,
+    CKM_KEY_WRAP_LYNKS,
+    CKM_IDEA_ECB,
+    CKM_CAST3_ECB,
+    CKM_CAST_ECB,
+    CKM_RC5_ECB,
+    CKM_RC2_ECB,
+    CKM_CDMF_ECB,
+    CKM_SKIPJACK_WRAP,
+};
+
+int wrapMechanismCount = sizeof(wrapMechanismList)/sizeof(wrapMechanismList[0]);
+
+/*
+ * This structure keeps track of status that spans all the Slots.
+ * NOTE: This is a global data structure. It semantics expect thread crosstalk
+ * be very careful when you see it used. 
+ *  It's major purpose in life is to allow the user to log in one PER 
+ * Tranaction, even if a transaction spans threads. The problem is the user
+ * may have to enter a password one just to be able to look at the 
+ * personalities/certificates (s)he can use. Then if Auth every is one, they
+ * may have to enter the password again to use the card. See PK11_StartTransac
+ * and PK11_EndTransaction.
+ */
+static struct PK11GlobalStruct {
+   int transaction;
+   PRBool inTransaction;
+   char *(PR_CALLBACK *getPass)(PK11SlotInfo *,PRBool,void *);
+   PRBool (PR_CALLBACK *verifyPass)(PK11SlotInfo *,void *);
+   PRBool (PR_CALLBACK *isLoggedIn)(PK11SlotInfo *,void *);
+} PK11_Global = { 1, PR_FALSE, NULL, NULL, NULL };
+ 
+/************************************************************
+ * Generic Slot List and Slot List element manipulations
+ ************************************************************/
+
+/*
+ * allocate a new list 
+ */
+PK11SlotList *
+PK11_NewSlotList(void)
+{
+    PK11SlotList *list;
+ 
+    list = (PK11SlotList *)PORT_Alloc(sizeof(PK11SlotList));
+    if (list == NULL) return NULL;
+    list->head = NULL;
+    list->tail = NULL;
+#ifdef PKCS11_USE_THREADS
+    list->lock = PZ_NewLock(nssILockList);
+    if (list->lock == NULL) {
+	PORT_Free(list);
+	return NULL;
+    }
+#else
+    list->lock = NULL;
+#endif
+
+    return list;
+}
+
+/*
+ * free a list element when all the references go away.
+ */
+static void
+pk11_FreeListElement(PK11SlotList *list, PK11SlotListElement *le)
+{
+    PRBool freeit = PR_FALSE;
+
+    PK11_USE_THREADS(PZ_Lock((PZLock *)(list->lock));)
+    if (le->refCount-- == 1) {
+	freeit = PR_TRUE;
+    }
+    PK11_USE_THREADS(PZ_Unlock((PZLock *)(list->lock));)
+    if (freeit) {
+    	PK11_FreeSlot(le->slot);
+	PORT_Free(le);
+    }
+}
+
+/*
+ * if we are freeing the list, we must be the only ones with a pointer
+ * to the list.
+ */
+void
+PK11_FreeSlotList(PK11SlotList *list)
+{
+    PK11SlotListElement *le, *next ;
+    if (list == NULL) return;
+
+    for (le = list->head ; le; le = next) {
+	next = le->next;
+	pk11_FreeListElement(list,le);
+    }
+    PK11_USE_THREADS(PZ_DestroyLock((PZLock *)(list->lock));)
+    PORT_Free(list);
+}
+
+/*
+ * add a slot to a list
+ */
+SECStatus
+PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot)
+{
+    PK11SlotListElement *le;
+
+    le = (PK11SlotListElement *) PORT_Alloc(sizeof(PK11SlotListElement));
+    if (le == NULL) return SECFailure;
+
+    le->slot = PK11_ReferenceSlot(slot);
+    le->prev = NULL;
+    le->refCount = 1;
+    PK11_USE_THREADS(PZ_Lock((PZLock *)(list->lock));)
+    if (list->head) list->head->prev = le; else list->tail = le;
+    le->next = list->head;
+    list->head = le;
+    PK11_USE_THREADS(PZ_Unlock((PZLock *)(list->lock));)
+
+    return SECSuccess;
+}
+
+/*
+ * remove a slot entry from the list
+ */
+SECStatus
+PK11_DeleteSlotFromList(PK11SlotList *list,PK11SlotListElement *le)
+{
+    PK11_USE_THREADS(PZ_Lock((PZLock *)(list->lock));)
+    if (le->prev) le->prev->next = le->next; else list->head = le->next;
+    if (le->next) le->next->prev = le->prev; else list->tail = le->prev;
+    le->next = le->prev = NULL;
+    PK11_USE_THREADS(PZ_Unlock((PZLock *)(list->lock));)
+    pk11_FreeListElement(list,le);
+    return SECSuccess;
+}
+
+/*
+ * Move a list to the end of the target list. NOTE: There is no locking
+ * here... This assumes BOTH lists are private copy lists.
+ */
+SECStatus
+PK11_MoveListToList(PK11SlotList *target,PK11SlotList *src)
+{
+    if (src->head == NULL) return SECSuccess;
+
+    if (target->tail == NULL) {
+	target->head = src->head;
+    } else {
+	target->tail->next = src->head;
+    }
+    src->head->prev = target->tail;
+    target->tail = src->tail;
+    src->head = src->tail = NULL;
+    return SECSuccess;
+}
+
+/*
+ * get an element from the list with a reference. You must own the list.
+ */
+PK11SlotListElement *
+PK11_GetFirstRef(PK11SlotList *list)
+{
+    PK11SlotListElement *le;
+
+    le = list->head;
+    if (le != NULL) (le)->refCount++;
+    return le;
+}
+
+/*
+ * get the next element from the list with a reference. You must own the list.
+ */
+PK11SlotListElement *
+PK11_GetNextRef(PK11SlotList *list, PK11SlotListElement *le, PRBool restart)
+{
+    PK11SlotListElement *new_le;
+    new_le = le->next;
+    if (new_le) new_le->refCount++;
+    pk11_FreeListElement(list,le);
+    return new_le;
+}
+
+/*
+ * get an element safely from the list. This just makes sure that if
+ * this element is not deleted while we deal with it.
+ */
+PK11SlotListElement *
+PK11_GetFirstSafe(PK11SlotList *list)
+{
+    PK11SlotListElement *le;
+
+    PK11_USE_THREADS(PZ_Lock((PZLock *)(list->lock));)
+    le = list->head;
+    if (le != NULL) (le)->refCount++;
+    PK11_USE_THREADS(PZ_Unlock((PZLock *)(list->lock));)
+    return le;
+}
+
+/*
+ * NOTE: if this element gets deleted, we can no longer safely traverse using
+ * it's pointers. We can either terminate the loop, or restart from the
+ * beginning. This is controlled by the restart option.
+ */
+PK11SlotListElement *
+PK11_GetNextSafe(PK11SlotList *list, PK11SlotListElement *le, PRBool restart)
+{
+    PK11SlotListElement *new_le;
+    PK11_USE_THREADS(PZ_Lock((PZLock *)(list->lock));)
+    new_le = le->next;
+    if (le->next == NULL) {
+	/* if the prev and next fields are NULL then either this element
+	 * has been removed and we need to walk the list again (if restart
+	 * is true) or this was the only element on the list */
+	if ((le->prev == NULL) && restart &&  (list->head != le)) {
+	    new_le = list->head;
+	}
+    }
+    if (new_le) new_le->refCount++;
+    PK11_USE_THREADS(PZ_Unlock((PZLock *)(list->lock));)
+    pk11_FreeListElement(list,le);
+    return new_le;
+}
+
+
+/*
+ * Find the element that holds this slot
+ */
+PK11SlotListElement *
+PK11_FindSlotElement(PK11SlotList *list,PK11SlotInfo *slot)
+{
+    PK11SlotListElement *le;
+
+    for (le = PK11_GetFirstSafe(list); le;
+			 	le = PK11_GetNextSafe(list,le,PR_TRUE)) {
+	if (le->slot == slot) return le;
+    }
+    return NULL;
+}
+
+/************************************************************
+ * Generic Slot Utilities
+ ************************************************************/
+/*
+ * Create a new slot structure
+ */
+PK11SlotInfo *
+PK11_NewSlotInfo(void)
+{
+    PK11SlotInfo *slot;
+
+    slot = (PK11SlotInfo *)PORT_Alloc(sizeof(PK11SlotInfo));
+    if (slot == NULL) return slot;
+
+#ifdef PKCS11_USE_THREADS
+    slot->refLock = PZ_NewLock(nssILockSlot);
+    if (slot->refLock == NULL) {
+	PORT_Free(slot);
+	return slot;
+    }
+    slot->sessionLock = PZ_NewLock(nssILockSession);
+    if (slot->sessionLock == NULL) {
+	PZ_DestroyLock(slot->refLock);
+	PORT_Free(slot);
+	return slot;
+    }
+    slot->freeListLock = PZ_NewLock(nssILockFreelist);
+    if (slot->freeListLock == NULL) {
+	PZ_DestroyLock(slot->sessionLock);
+	PZ_DestroyLock(slot->refLock);
+	PORT_Free(slot);
+	return slot;
+    }
+#else
+    slot->sessionLock = NULL;
+    slot->refLock = NULL;
+    slot->freeListLock = NULL;
+#endif
+    slot->freeSymKeysHead = NULL;
+    slot->keyCount = 0;
+    slot->maxKeyCount = 0;
+    slot->functionList = NULL;
+    slot->needTest = PR_TRUE;
+    slot->isPerm = PR_FALSE;
+    slot->isHW = PR_FALSE;
+    slot->isInternal = PR_FALSE;
+    slot->isThreadSafe = PR_FALSE;
+    slot->disabled = PR_FALSE;
+    slot->series = 0;
+    slot->wrapKey = 0;
+    slot->wrapMechanism = CKM_INVALID_MECHANISM;
+    slot->refKeys[0] = CK_INVALID_HANDLE;
+    slot->reason = PK11_DIS_NONE;
+    slot->readOnly = PR_TRUE;
+    slot->needLogin = PR_FALSE;
+    slot->hasRandom = PR_FALSE;
+    slot->defRWSession = PR_FALSE;
+    slot->protectedAuthPath = PR_FALSE;
+    slot->flags = 0;
+    slot->session = CK_INVALID_SESSION;
+    slot->slotID = 0;
+    slot->defaultFlags = 0;
+    slot->refCount = 1;
+    slot->askpw = 0;
+    slot->timeout = 0;
+    slot->mechanismList = NULL;
+    slot->mechanismCount = 0;
+    slot->cert_array = NULL;
+    slot->cert_count = 0;
+    slot->slot_name[0] = 0;
+    slot->token_name[0] = 0;
+    PORT_Memset(slot->serial,' ',sizeof(slot->serial));
+    slot->module = NULL;
+    slot->authTransact = 0;
+    slot->authTime = LL_ZERO;
+    slot->minPassword = 0;
+    slot->maxPassword = 0;
+    slot->hasRootCerts = PR_FALSE;
+    slot->nssToken = NULL;
+    return slot;
+}
+    
+/* create a new reference to a slot so it doesn't go away */
+PK11SlotInfo *
+PK11_ReferenceSlot(PK11SlotInfo *slot)
+{
+    PK11_USE_THREADS(PZ_Lock(slot->refLock);)
+    slot->refCount++;
+    PK11_USE_THREADS(PZ_Unlock(slot->refLock);)
+    return slot;
+}
+
+/* Destroy all info on a slot we have built up */
+void
+PK11_DestroySlot(PK11SlotInfo *slot)
+{
+   /* first free up all the sessions on this slot */
+   if (slot->functionList) {
+	PK11_GETTAB(slot)->C_CloseAllSessions(slot->slotID);
+   }
+
+   /* free up the cached keys and sessions */
+   PK11_CleanKeyList(slot);
+
+   if (slot->mechanismList) {
+	PORT_Free(slot->mechanismList);
+   }
+
+   /* finally Tell our parent module that we've gone away so it can unload */
+   if (slot->module) {
+	SECMOD_SlotDestroyModule(slot->module,PR_TRUE);
+   }
+#ifdef PKCS11_USE_THREADS
+   if (slot->refLock) {
+	PZ_DestroyLock(slot->refLock);
+	slot->refLock = NULL;
+   }
+   if (slot->sessionLock) {
+	PZ_DestroyLock(slot->sessionLock);
+	slot->sessionLock = NULL;
+   }
+   if (slot->freeListLock) {
+	PZ_DestroyLock(slot->freeListLock);
+	slot->freeListLock = NULL;
+   }
+#endif
+
+   /* ok, well not quit finally... now we free the memory */
+   PORT_Free(slot);
+}
+
+
+/* We're all done with the slot, free it */
+void
+PK11_FreeSlot(PK11SlotInfo *slot)
+{
+    PRBool freeit = PR_FALSE;
+
+    PK11_USE_THREADS(PZ_Lock(slot->refLock);)
+    if (slot->refCount-- == 1) freeit = PR_TRUE;
+    PK11_USE_THREADS(PZ_Unlock(slot->refLock);)
+
+    if (freeit) PK11_DestroySlot(slot);
+}
+
+void
+PK11_EnterSlotMonitor(PK11SlotInfo *slot) {
+    PZ_Lock(slot->sessionLock);
+}
+
+void
+PK11_ExitSlotMonitor(PK11SlotInfo *slot) {
+    PZ_Unlock(slot->sessionLock);
+}
+
+/***********************************************************
+ * Functions to find specific slots.
+ ***********************************************************/
+PRBool
+SECMOD_HasRootCerts(void)
+{
+   SECMODModuleList *mlp;
+   SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
+   SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
+   int i;
+   PK11SlotInfo *slot = NULL;
+   PRBool found = PR_FALSE;
+
+   /* work through all the slots */
+   SECMOD_GetReadLock(moduleLock);
+   for(mlp = modules; mlp != NULL; mlp = mlp->next) {
+	for (i=0; i < mlp->module->slotCount; i++) {
+	    PK11SlotInfo *tmpSlot = mlp->module->slots[i];
+	    if (PK11_IsPresent(tmpSlot)) {
+		if (tmpSlot->hasRootCerts) {
+		    found = PR_TRUE;
+		    break;
+		}
+	    }
+	}
+	if (found) break;
+    }
+    SECMOD_ReleaseReadLock(moduleLock);
+
+    return found;
+}
+
+/***********************************************************
+ * Functions to find specific slots.
+ ***********************************************************/
+PK11SlotInfo *
+PK11_FindSlotByName(char *name)
+{
+   SECMODModuleList *mlp;
+   SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
+   SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
+   int i;
+   PK11SlotInfo *slot = NULL;
+
+   if ((name == NULL) || (*name == 0)) {
+	return PK11_GetInternalKeySlot();
+   }
+
+   /* work through all the slots */
+   SECMOD_GetReadLock(moduleLock);
+   for(mlp = modules; mlp != NULL; mlp = mlp->next) {
+	for (i=0; i < mlp->module->slotCount; i++) {
+	    PK11SlotInfo *tmpSlot = mlp->module->slots[i];
+	    if (PK11_IsPresent(tmpSlot)) {
+		if (PORT_Strcmp(tmpSlot->token_name,name) == 0) {
+		    slot = PK11_ReferenceSlot(tmpSlot);
+		    break;
+		}
+	    }
+	}
+	if (slot != NULL) break;
+    }
+    SECMOD_ReleaseReadLock(moduleLock);
+
+    if (slot == NULL) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+    }
+
+    return slot;
+}
+
+
+PK11SlotInfo *
+PK11_FindSlotBySerial(char *serial)
+{
+   SECMODModuleList *mlp;
+   SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
+   SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
+   int i;
+   PK11SlotInfo *slot = NULL;
+
+   /* work through all the slots */
+   SECMOD_GetReadLock(moduleLock);
+   for(mlp = modules; mlp != NULL; mlp = mlp->next) {
+	for (i=0; i < mlp->module->slotCount; i++) {
+	    PK11SlotInfo *tmpSlot = mlp->module->slots[i];
+	    if (PK11_IsPresent(tmpSlot)) {
+		if (PORT_Memcmp(tmpSlot->serial,serial,
+					sizeof(tmpSlot->serial)) == 0) {
+		    slot = PK11_ReferenceSlot(tmpSlot);
+		    break;
+		}
+	    }
+	}
+	if (slot != NULL) break;
+    }
+    SECMOD_ReleaseReadLock(moduleLock);
+
+    if (slot == NULL) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+    }
+
+    return slot;
+}
+
+
+
+
+/***********************************************************
+ * Password Utilities
+ ***********************************************************/
+/*
+ * Check the user's password. Log into the card if it's correct.
+ * succeed if the user is already logged in.
+ */
+SECStatus
+pk11_CheckPassword(PK11SlotInfo *slot,char *pw)
+{
+    int len = PORT_Strlen(pw);
+    CK_RV crv;
+    SECStatus rv;
+    int64 currtime = PR_Now();
+
+    if (slot->protectedAuthPath) {
+	len = 0;
+	pw = NULL;
+    }
+
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
+						(unsigned char *)pw,len);
+    PK11_ExitSlotMonitor(slot);
+    switch (crv) {
+    /* if we're already logged in, we're good to go */
+    case CKR_OK:
+	slot->authTransact = PK11_Global.transaction;
+    case CKR_USER_ALREADY_LOGGED_IN:
+	slot->authTime = currtime;
+	rv = SECSuccess;
+	break;
+    case CKR_PIN_INCORRECT:
+	PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+	rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
+	break;
+    default:
+	PORT_SetError(PK11_MapError(crv));
+	rv = SECFailure; /* some failure we can't fix by retrying */
+    }
+    return rv;
+}
+
+/*
+ * Check the user's password. Logout before hand to make sure that
+ * we are really checking the password.
+ */
+SECStatus
+PK11_CheckUserPassword(PK11SlotInfo *slot,char *pw)
+{
+    int len = PORT_Strlen(pw);
+    CK_RV crv;
+    SECStatus rv;
+    int64 currtime = PR_Now();
+
+    if (slot->protectedAuthPath) {
+	len = 0;
+	pw = NULL;
+    }
+
+    /* force a logout */
+    PK11_EnterSlotMonitor(slot);
+    PK11_GETTAB(slot)->C_Logout(slot->session);
+
+    crv = PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
+					(unsigned char *)pw,len);
+    PK11_ExitSlotMonitor(slot);
+    switch (crv) {
+    /* if we're already logged in, we're good to go */
+    case CKR_OK:
+	slot->authTransact = PK11_Global.transaction;
+	slot->authTime = currtime;
+	rv = SECSuccess;
+	break;
+    case CKR_PIN_INCORRECT:
+	PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+	rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
+	break;
+    default:
+	PORT_SetError(PK11_MapError(crv));
+	rv = SECFailure; /* some failure we can't fix by retrying */
+    }
+    return rv;
+}
+
+SECStatus
+PK11_Logout(PK11SlotInfo *slot)
+{
+    CK_RV crv;
+
+    /* force a logout */
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_Logout(slot->session);
+    PK11_ExitSlotMonitor(slot);
+    if (slot->nssToken && !PK11_IsFriendly(slot)) {
+	/* If the slot certs are not public readable, destroy them */
+	nssToken_DestroyCertList(slot->nssToken, PR_TRUE);
+    }
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	return SECFailure;
+    }
+    return  SECSuccess;
+}
+
+/*
+ * transaction stuff is for when we test for the need to do every
+ * time auth to see if we already did it for this slot/transaction
+ */
+void PK11_StartAuthTransaction(void)
+{
+PK11_Global.transaction++;
+PK11_Global.inTransaction = PR_TRUE;
+}
+
+void PK11_EndAuthTransaction(void)
+{
+PK11_Global.transaction++;
+PK11_Global.inTransaction = PR_FALSE;
+}
+
+/*
+ * before we do a private key op, we check to see if we
+ * need to reauthenticate.
+ */
+void
+PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx)
+{
+    int askpw = slot->askpw;
+    PRBool NeedAuth = PR_FALSE;
+
+    if (!slot->needLogin) return;
+
+    if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
+	PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
+
+	if (def_slot) {
+	    askpw = def_slot->askpw;
+	    PK11_FreeSlot(def_slot);
+	}
+    }
+
+    /* timeouts are handled by isLoggedIn */
+    if (!PK11_IsLoggedIn(slot,wincx)) {
+	NeedAuth = PR_TRUE;
+    } else if (askpw == -1) {
+	if (!PK11_Global.inTransaction	||
+			 (PK11_Global.transaction != slot->authTransact)) {
+    	    PK11_EnterSlotMonitor(slot);
+	    PK11_GETTAB(slot)->C_Logout(slot->session);
+    	    PK11_ExitSlotMonitor(slot);
+	    NeedAuth = PR_TRUE;
+	}
+    }
+    if (NeedAuth) PK11_DoPassword(slot,PR_TRUE,wincx);
+}
+
+void
+PK11_SlotDBUpdate(PK11SlotInfo *slot)
+{
+    SECMOD_UpdateModule(slot->module);
+}
+
+/*
+ * set new askpw and timeout values
+ */
+void
+PK11_SetSlotPWValues(PK11SlotInfo *slot,int askpw, int timeout)
+{
+        slot->askpw = askpw;
+        slot->timeout = timeout;
+        slot->defaultFlags |= PK11_OWN_PW_DEFAULTS;
+        PK11_SlotDBUpdate(slot);
+}
+
+/*
+ * Get the askpw and timeout values for this slot
+ */
+void
+PK11_GetSlotPWValues(PK11SlotInfo *slot,int *askpw, int *timeout)
+{
+    *askpw = slot->askpw;
+    *timeout = slot->timeout;
+
+    if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
+	PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
+
+	if (def_slot) {
+	    *askpw = def_slot->askpw;
+	    *timeout = def_slot->timeout;
+	    PK11_FreeSlot(def_slot);
+	}
+    }
+}
+
+/*
+ * make sure a slot is authenticated...
+ */
+SECStatus
+PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx) {
+    if (slot->needLogin && !PK11_IsLoggedIn(slot,wincx)) {
+	return PK11_DoPassword(slot,loadCerts,wincx);
+    }
+    return SECSuccess;
+}
+
+/*
+ * notification stub. If we ever get interested in any events that
+ * the pkcs11 functions may pass back to use, we can catch them here...
+ * currently pdata is a slotinfo structure.
+ */
+CK_RV pk11_notify(CK_SESSION_HANDLE session, CK_NOTIFICATION event,
+							 CK_VOID_PTR pdata)
+{
+    return CKR_OK;
+}
+
+
+/*
+ * grab a new RW session
+ * !!! has a side effect of grabbing the Monitor if either the slot's default
+ * session is RW or the slot is not thread safe. Monitor is release in function
+ * below
+ */
+CK_SESSION_HANDLE PK11_GetRWSession(PK11SlotInfo *slot)
+{
+    CK_SESSION_HANDLE rwsession;
+    CK_RV crv;
+
+    if (!slot->isThreadSafe || slot->defRWSession) PK11_EnterSlotMonitor(slot);
+    if (slot->defRWSession) return slot->session;
+
+    crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
+				CKF_RW_SESSION|CKF_SERIAL_SESSION,
+				  	  slot, pk11_notify,&rwsession);
+    if (crv == CKR_SESSION_COUNT) {
+	PK11_GETTAB(slot)->C_CloseSession(slot->session);
+	slot->session = CK_INVALID_SESSION;
+    	crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
+				CKF_RW_SESSION|CKF_SERIAL_SESSION,
+				  	  slot,pk11_notify,&rwsession);
+    }
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	if (slot->session == CK_INVALID_SESSION) {
+    	    PK11_GETTAB(slot)->C_OpenSession(slot->slotID,CKF_SERIAL_SESSION,
+				  	 slot,pk11_notify,&slot->session);
+	}
+	if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+	return CK_INVALID_SESSION;
+    }
+
+    return rwsession;
+}
+
+PRBool
+PK11_RWSessionHasLock(PK11SlotInfo *slot,CK_SESSION_HANDLE session_handle) {
+    return (PRBool)(!slot->isThreadSafe || slot->defRWSession);
+}
+
+/*
+ * close the rwsession and restore our readonly session
+ * !!! has a side effect of releasing the Monitor if either the slot's default
+ * session is RW or the slot is not thread safe.
+ */
+void
+PK11_RestoreROSession(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession)
+{
+    if (slot->defRWSession) {
+	PK11_ExitSlotMonitor(slot);
+	return;
+    }
+    PK11_GETTAB(slot)->C_CloseSession(rwsession);
+    if (slot->session == CK_INVALID_SESSION) {
+    	 PK11_GETTAB(slot)->C_OpenSession(slot->slotID,CKF_SERIAL_SESSION,
+				  	 slot,pk11_notify,&slot->session);
+    }
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+}
+
+/*
+ * NOTE: this assumes that we are logged out of the card before hand
+ */
+SECStatus
+PK11_CheckSSOPassword(PK11SlotInfo *slot, char *ssopw)
+{
+    CK_SESSION_HANDLE rwsession;
+    CK_RV crv;
+    SECStatus rv = SECFailure;
+    int len = PORT_Strlen(ssopw);
+
+    /* get a rwsession */
+    rwsession = PK11_GetRWSession(slot);
+    if (rwsession == CK_INVALID_SESSION) return rv;
+
+    if (slot->protectedAuthPath) {
+	len = 0;
+	ssopw = NULL;
+    }
+
+    /* check the password */
+    crv = PK11_GETTAB(slot)->C_Login(rwsession,CKU_SO,
+						(unsigned char *)ssopw,len);
+    switch (crv) {
+    /* if we're already logged in, we're good to go */
+    case CKR_OK:
+	rv = SECSuccess;
+	break;
+    case CKR_PIN_INCORRECT:
+	PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+	rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
+	break;
+    default:
+	PORT_SetError(PK11_MapError(crv));
+	rv = SECFailure; /* some failure we can't fix by retrying */
+    }
+    PK11_GETTAB(slot)->C_Logout(rwsession);
+    /* release rwsession */
+    PK11_RestoreROSession(slot,rwsession);
+    return rv;
+}
+
+/*
+ * make sure the password conforms to your token's requirements.
+ */
+SECStatus
+PK11_VerifyPW(PK11SlotInfo *slot,char *pw)
+{
+    int len = PORT_Strlen(pw);
+
+    if ((slot->minPassword > len) || (slot->maxPassword < len)) {
+	PORT_SetError(SEC_ERROR_BAD_DATA);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * initialize a user PIN Value
+ */
+SECStatus
+PK11_InitPin(PK11SlotInfo *slot,char *ssopw, char *userpw)
+{
+    CK_SESSION_HANDLE rwsession = CK_INVALID_SESSION;
+    CK_RV crv;
+    SECStatus rv = SECFailure;
+    int len;
+    int ssolen;
+
+    if (userpw == NULL) userpw = "";
+    if (ssopw == NULL) ssopw = "";
+
+    len = PORT_Strlen(userpw);
+    ssolen = PORT_Strlen(ssopw);
+
+    /* get a rwsession */
+    rwsession = PK11_GetRWSession(slot);
+    if (rwsession == CK_INVALID_SESSION) goto done;
+
+    if (slot->protectedAuthPath) {
+	len = 0;
+	ssolen = 0;
+	ssopw = NULL;
+	userpw = NULL;
+    }
+
+    /* check the password */
+    crv = PK11_GETTAB(slot)->C_Login(rwsession,CKU_SO, 
+					  (unsigned char *)ssopw,ssolen);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	goto done;
+    }
+
+    crv = PK11_GETTAB(slot)->C_InitPIN(rwsession,(unsigned char *)userpw,len);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+    } else {
+    	rv = SECSuccess;
+    }
+
+done:
+    PK11_GETTAB(slot)->C_Logout(rwsession);
+    PK11_RestoreROSession(slot,rwsession);
+    if (rv == SECSuccess) {
+        /* update our view of the world */
+        PK11_InitToken(slot,PR_TRUE);
+	PK11_EnterSlotMonitor(slot);
+    	PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
+						(unsigned char *)userpw,len);
+	PK11_ExitSlotMonitor(slot);
+    }
+    return rv;
+}
+
+/*
+ * Change an existing user password
+ */
+SECStatus
+PK11_ChangePW(PK11SlotInfo *slot,char *oldpw, char *newpw)
+{
+    CK_RV crv;
+    SECStatus rv = SECFailure;
+    int newLen;
+    int oldLen;
+    CK_SESSION_HANDLE rwsession;
+
+    if (newpw == NULL) newpw = "";
+    if (oldpw == NULL) oldpw = "";
+    newLen = PORT_Strlen(newpw);
+    oldLen = PORT_Strlen(oldpw);
+
+    /* get a rwsession */
+    rwsession = PK11_GetRWSession(slot);
+
+    crv = PK11_GETTAB(slot)->C_SetPIN(rwsession,
+		(unsigned char *)oldpw,oldLen,(unsigned char *)newpw,newLen);
+    if (crv == CKR_OK) {
+	rv = SECSuccess;
+    } else {
+	PORT_SetError(PK11_MapError(crv));
+    }
+
+    PK11_RestoreROSession(slot,rwsession);
+
+    /* update our view of the world */
+    PK11_InitToken(slot,PR_TRUE);
+    return rv;
+}
+
+static char *
+pk11_GetPassword(PK11SlotInfo *slot, PRBool retry, void * wincx)
+{
+    if (PK11_Global.getPass == NULL) return NULL;
+    return (*PK11_Global.getPass)(slot, retry, wincx);
+}
+
+void
+PK11_SetPasswordFunc(PK11PasswordFunc func)
+{
+    PK11_Global.getPass = func;
+}
+
+void
+PK11_SetVerifyPasswordFunc(PK11VerifyPasswordFunc func)
+{
+    PK11_Global.verifyPass = func;
+}
+
+void
+PK11_SetIsLoggedInFunc(PK11IsLoggedInFunc func)
+{
+    PK11_Global.isLoggedIn = func;
+}
+
+
+/*
+ * authenticate to a slot. This loops until we can't recover, the user
+ * gives up, or we succeed. If we're already logged in and this function
+ * is called we will still prompt for a password, but we will probably
+ * succeed no matter what the password was (depending on the implementation
+ * of the PKCS 11 module.
+ */
+SECStatus
+PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx)
+{
+    SECStatus rv = SECFailure;
+    char * password;
+    PRBool attempt = PR_FALSE;
+
+    if (PK11_NeedUserInit(slot)) {
+	PORT_SetError(SEC_ERROR_IO);
+	return SECFailure;
+    }
+
+
+    /*
+     * Central server type applications which control access to multiple
+     * slave applications to single crypto devices need to virtuallize the
+     * login state. This is done by a callback out of PK11_IsLoggedIn and
+     * here. If we are actually logged in, then we got here because the
+     * higher level code told us that the particular client application may
+     * still need to be logged in. If that is the case, we simply tell the
+     * server code that it should now verify the clients password and tell us
+     * the results.
+     */
+    if (PK11_IsLoggedIn(slot,NULL) && 
+    			(PK11_Global.verifyPass != NULL)) {
+	if (!PK11_Global.verifyPass(slot,wincx)) {
+	    PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+	    return SECFailure;
+	}
+	return SECSuccess;
+    }
+
+    /* get the password. This can drop out of the while loop
+     * for the following reasons:
+     * 	(1) the user refused to enter a password. 
+     *			(return error to caller)
+     *	(2) the token user password is disabled [usually due to
+     *	   too many failed authentication attempts].
+     *			(return error to caller)
+     *	(3) the password was successful.
+     */
+    while ((password = pk11_GetPassword(slot, attempt, wincx)) != NULL) {
+	attempt = PR_TRUE;
+	rv = pk11_CheckPassword(slot,password);
+	PORT_Memset(password, 0, PORT_Strlen(password));
+	PORT_Free(password);
+	if (rv != SECWouldBlock) break;
+    }
+    if (rv == SECSuccess) {
+	rv = pk11_CheckVerifyTest(slot);
+	if (rv == SECSuccess && slot->nssToken && !PK11_IsFriendly(slot)) {
+	    /* notify stan about the login if certs are not public readable */
+	    nssToken_LoadCerts(slot->nssToken);
+	    nssToken_UpdateTrustForCerts(slot->nssToken);
+	}
+    } else if (!attempt) PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+    return rv;
+}
+
+void PK11_LogoutAll(void)
+{
+    SECMODListLock *lock = SECMOD_GetDefaultModuleListLock();
+    SECMODModuleList *modList = SECMOD_GetDefaultModuleList();
+    SECMODModuleList *mlp = NULL;
+    int i;
+
+    SECMOD_GetReadLock(lock);
+    /* find the number of entries */
+    for (mlp = modList; mlp != NULL; mlp = mlp->next) {
+	for (i=0; i < mlp->module->slotCount; i++) {
+	    PK11_Logout(mlp->module->slots[i]);
+	}
+    }
+
+    SECMOD_ReleaseReadLock(lock);
+}
+
+int
+PK11_GetMinimumPwdLength(PK11SlotInfo *slot)
+{
+    return ((int)slot->minPassword);
+}
+
+/************************************************************
+ * Manage the built-In Slot Lists
+ ************************************************************/
+
+/* Init the static built int slot list (should actually integrate
+ * with PK11_NewSlotList */
+static void
+pk11_initSlotList(PK11SlotList *list)
+{
+#ifdef PKCS11_USE_THREADS
+    list->lock = PZ_NewLock(nssILockList);
+#else
+    list->lock = NULL;
+#endif
+    list->head = NULL;
+}
+
+static void
+pk11_freeSlotList(PK11SlotList *list)
+{
+    PK11SlotListElement *le, *next ;
+    if (list == NULL) return;
+
+    for (le = list->head ; le; le = next) {
+	next = le->next;
+	pk11_FreeListElement(list,le);
+    }
+#ifdef PK11_USE_THREADS
+    if (list->lock) {
+    	PZ_DestroyLock((PZLock *)(list->lock));
+    }
+#endif
+    list->lock = NULL;
+    list->head = NULL;
+}
+
+/* initialize the system slotlists */
+SECStatus
+PK11_InitSlotLists(void)
+{
+    pk11_initSlotList(&pk11_aesSlotList);
+    pk11_initSlotList(&pk11_desSlotList);
+    pk11_initSlotList(&pk11_rc4SlotList);
+    pk11_initSlotList(&pk11_rc2SlotList);
+    pk11_initSlotList(&pk11_rc5SlotList);
+    pk11_initSlotList(&pk11_md5SlotList);
+    pk11_initSlotList(&pk11_md2SlotList);
+    pk11_initSlotList(&pk11_sha1SlotList);
+    pk11_initSlotList(&pk11_rsaSlotList);
+    pk11_initSlotList(&pk11_dsaSlotList);
+    pk11_initSlotList(&pk11_dhSlotList);
+    pk11_initSlotList(&pk11_ideaSlotList);
+    pk11_initSlotList(&pk11_sslSlotList);
+    pk11_initSlotList(&pk11_tlsSlotList);
+    pk11_initSlotList(&pk11_randomSlotList);
+    return SECSuccess;
+}
+
+void
+PK11_DestroySlotLists(void)
+{
+    pk11_freeSlotList(&pk11_aesSlotList);
+    pk11_freeSlotList(&pk11_desSlotList);
+    pk11_freeSlotList(&pk11_rc4SlotList);
+    pk11_freeSlotList(&pk11_rc2SlotList);
+    pk11_freeSlotList(&pk11_rc5SlotList);
+    pk11_freeSlotList(&pk11_md5SlotList);
+    pk11_freeSlotList(&pk11_md2SlotList);
+    pk11_freeSlotList(&pk11_sha1SlotList);
+    pk11_freeSlotList(&pk11_rsaSlotList);
+    pk11_freeSlotList(&pk11_dsaSlotList);
+    pk11_freeSlotList(&pk11_dhSlotList);
+    pk11_freeSlotList(&pk11_ideaSlotList);
+    pk11_freeSlotList(&pk11_sslSlotList);
+    pk11_freeSlotList(&pk11_tlsSlotList);
+    pk11_freeSlotList(&pk11_randomSlotList);
+    return;
+}
+
+/* return a system slot list based on mechanism */
+PK11SlotList *
+PK11_GetSlotList(CK_MECHANISM_TYPE type)
+{
+/* XXX a workaround for Bugzilla bug #55267 */
+#if defined(HPUX) && defined(__LP64__)
+    if (CKM_INVALID_MECHANISM == type)
+        return NULL;
+#endif
+    switch (type) {
+    case CKM_AES_CBC:
+    case CKM_AES_ECB:
+	return &pk11_aesSlotList;
+    case CKM_DES_CBC:
+    case CKM_DES_ECB:
+    case CKM_DES3_ECB:
+    case CKM_DES3_CBC:
+	return &pk11_desSlotList;
+    case CKM_RC4:
+	return &pk11_rc4SlotList;
+    case CKM_RC5_CBC:
+	return &pk11_rc5SlotList;
+    case CKM_SHA_1:
+	return &pk11_sha1SlotList;
+    case CKM_MD5:
+	return &pk11_md5SlotList;
+    case CKM_MD2:
+	return &pk11_md2SlotList;
+    case CKM_RC2_ECB:
+    case CKM_RC2_CBC:
+	return &pk11_rc2SlotList;
+    case CKM_RSA_PKCS:
+    case CKM_RSA_PKCS_KEY_PAIR_GEN:
+    case CKM_RSA_X_509:
+	return &pk11_rsaSlotList;
+    case CKM_DSA:
+	return &pk11_dsaSlotList;
+    case CKM_DH_PKCS_KEY_PAIR_GEN:
+    case CKM_DH_PKCS_DERIVE:
+	return &pk11_dhSlotList;
+    case CKM_SSL3_PRE_MASTER_KEY_GEN:
+    case CKM_SSL3_MASTER_KEY_DERIVE:
+    case CKM_SSL3_SHA1_MAC:
+    case CKM_SSL3_MD5_MAC:
+	return &pk11_sslSlotList;
+    case CKM_TLS_MASTER_KEY_DERIVE:
+    case CKM_TLS_KEY_AND_MAC_DERIVE:
+	return &pk11_tlsSlotList;
+    case CKM_IDEA_CBC:
+    case CKM_IDEA_ECB:
+	return &pk11_ideaSlotList;
+    case CKM_FAKE_RANDOM:
+	return &pk11_randomSlotList;
+    }
+    return NULL;
+}
+
+/*
+ * load the static SlotInfo structures used to select a PKCS11 slot.
+ * preSlotInfo has a list of all the default flags for the slots on this
+ * module.
+ */
+void
+PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count)
+{
+    int i;
+
+    for (i=0; i < count; i++) {
+	if (psi[i].slotID == slot->slotID)
+	    break;
+    }
+
+    if (i == count) return;
+
+    slot->defaultFlags = psi[i].defaultFlags;
+    slot->askpw = psi[i].askpw;
+    slot->timeout = psi[i].timeout;
+    slot->hasRootCerts = psi[i].hasRootCerts;
+
+    /* if the slot is already disabled, don't load them into the
+     * default slot lists. We get here so we can save the default
+     * list value. */
+    if (slot->disabled) return;
+
+    /* if the user has disabled us, don't load us in */
+    if (slot->defaultFlags & PK11_DISABLE_FLAG) {
+	slot->disabled = PR_TRUE;
+	slot->reason = PK11_DIS_USER_SELECTED;
+	/* free up sessions and things?? */
+	return;
+    }
+
+    for (i=0; i < sizeof(PK11_DefaultArray)/sizeof(PK11_DefaultArray[0]);
+								i++) {
+	if (slot->defaultFlags & PK11_DefaultArray[i].flag) {
+	    CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism;
+	    PK11SlotList *slotList = PK11_GetSlotList(mechanism);
+
+	    if (slotList) PK11_AddSlotToList(slotList,slot);
+	}
+    }
+
+    return;
+}
+
+
+/*
+ * update a slot to its new attribute according to the slot list
+ * returns: SECSuccess if nothing to do or add/delete is successful
+ */
+SECStatus
+PK11_UpdateSlotAttribute(PK11SlotInfo *slot, PK11DefaultArrayEntry *entry,
+                        PRBool add)  
+                        /* add: PR_TRUE if want to turn on */
+{
+    SECStatus result = SECSuccess;
+    PK11SlotList *slotList = PK11_GetSlotList(entry->mechanism);
+
+    if (add) { /* trying to turn on a mechanism */
+                 
+        /* turn on the default flag in the slot */
+        slot->defaultFlags |= entry->flag;
+        
+        /* add this slot to the list */
+        if (slotList!=NULL)
+            result = PK11_AddSlotToList(slotList, slot);
+        
+    } else { /* trying to turn off */
+            
+        /* turn OFF the flag in the slot */ 
+        slot->defaultFlags &= ~entry->flag;
+        
+        if (slotList) {
+            /* find the element in the list & delete it */
+            PK11SlotListElement *le = PK11_FindSlotElement(slotList, slot);
+
+            /* remove the slot from the list */
+            if (le)
+                result = PK11_DeleteSlotFromList(slotList, le);
+        }
+    }
+    return result;
+}
+
+/*
+ * clear a slot off of all of it's default list
+ */
+void
+PK11_ClearSlotList(PK11SlotInfo *slot)
+{
+    int i;
+
+    if (slot->disabled) return;
+    if (slot->defaultFlags == 0) return;
+
+    for (i=0; i < sizeof(PK11_DefaultArray)/sizeof(PK11_DefaultArray[0]);
+								i++) {
+	if (slot->defaultFlags & PK11_DefaultArray[i].flag) {
+	    CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism;
+	    PK11SlotList *slotList = PK11_GetSlotList(mechanism);
+	    PK11SlotListElement *le = NULL;
+
+	    if (slotList) le = PK11_FindSlotElement(slotList,slot);
+
+	    if (le) {
+		PK11_DeleteSlotFromList(slotList,le);
+		pk11_FreeListElement(slotList,le);
+	    }
+	}
+    }
+}
+
+
+/******************************************************************
+ *           Slot initialization
+ ******************************************************************/
+/*
+ * turn a PKCS11 Static Label into a string
+ */
+char *
+PK11_MakeString(PRArenaPool *arena,char *space,
+					char *staticString,int stringLen)
+{
+	int i;
+	char *newString;
+	for(i=(stringLen-1); i >= 0; i--) {
+	  if (staticString[i] != ' ') break;
+	}
+	/* move i to point to the last space */
+	i++;
+	if (arena) {
+	    newString = (char*)PORT_ArenaAlloc(arena,i+1 /* space for NULL */);
+	} else if (space) {
+	    newString = space;
+	} else {
+	    newString = (char*)PORT_Alloc(i+1 /* space for NULL */);
+	}
+	if (newString == NULL) return NULL;
+
+	if (i) PORT_Memcpy(newString,staticString, i);
+	newString[i] = 0;
+
+	return newString;
+}
+
+/*
+ * verify that slot implements Mechanism mech properly by checking against
+ * our internal implementation
+ */
+PRBool
+PK11_VerifyMechanism(PK11SlotInfo *slot,PK11SlotInfo *intern,
+  CK_MECHANISM_TYPE mech, SECItem *data, SECItem *iv)
+{
+    PK11Context *test = NULL, *reference = NULL;
+    PK11SymKey *symKey = NULL, *testKey = NULL;
+    SECItem *param = NULL;
+    unsigned char encTest[8];
+    unsigned char encRef[8];
+    int outLenTest,outLenRef;
+    int key_size = 0;
+    PRBool verify = PR_FALSE;
+    SECStatus rv;
+
+    if ((mech == CKM_RC2_CBC) || (mech == CKM_RC2_ECB) || (mech == CKM_RC4)) {
+	key_size = 16;
+    }
+
+    /* initialize the mechanism parameter */
+    param = PK11_ParamFromIV(mech,iv);
+    if (param == NULL) goto loser;
+
+    /* load the keys and contexts */
+    symKey = PK11_KeyGen(intern,mech,NULL, key_size, NULL);
+    if (symKey == NULL) goto loser;
+
+    reference = PK11_CreateContextBySymKey(mech, CKA_ENCRYPT, symKey, param);
+    if (reference == NULL) goto loser;
+
+    testKey = pk11_CopyToSlot(slot, mech, CKA_ENCRYPT, symKey);
+    if (testKey == NULL) goto loser;
+
+    test = PK11_CreateContextBySymKey(mech, CKA_ENCRYPT, testKey, param);
+    if (test == NULL) goto loser;
+    SECITEM_FreeItem(param,PR_TRUE); param = NULL;
+
+    /* encrypt the test data */
+    rv = PK11_CipherOp(test,encTest,&outLenTest,sizeof(encTest),
+							data->data,data->len);
+    if (rv != SECSuccess) goto loser;
+    rv = PK11_CipherOp(reference,encRef,&outLenRef,sizeof(encRef),
+							data->data,data->len);
+    if (rv != SECSuccess) goto loser;
+
+    PK11_DestroyContext(reference,PR_TRUE); reference = NULL;
+    PK11_DestroyContext(test,PR_TRUE); test = NULL;
+
+    if (outLenTest != outLenRef) goto loser;
+    if (PORT_Memcmp(encTest, encRef, outLenTest) != 0) goto loser;
+
+    verify = PR_TRUE;
+
+loser:
+    if (test) PK11_DestroyContext(test,PR_TRUE);
+    if (symKey) PK11_FreeSymKey(symKey);
+    if (testKey) PK11_FreeSymKey(testKey);
+    if (reference) PK11_DestroyContext(reference,PR_TRUE);
+    if (param) SECITEM_FreeItem(param,PR_TRUE);
+
+    return verify;
+}
+
+/*
+ * this code verifies that the advertised mechanisms are what they
+ * seem to be.
+ */
+#define MAX_MECH_LIST_SIZE 30	/* we only know of about 30 odd mechanisms */
+PRBool
+PK11_VerifySlotMechanisms(PK11SlotInfo *slot)
+{
+    CK_MECHANISM_TYPE mechListArray[MAX_MECH_LIST_SIZE];
+    CK_MECHANISM_TYPE *mechList = mechListArray;
+    static SECItem data;
+    static SECItem iv;
+    static unsigned char dataV[8];
+    static unsigned char ivV[8];
+    static PRBool generated = PR_FALSE;
+    CK_ULONG count;
+    int i;
+    CK_RV crv;
+
+    PRBool alloced = PR_FALSE;
+    PK11SlotInfo *intern = PK11_GetInternalSlot();
+
+    /* if we couldn't initialize an internal module, 
+     * we can't check external ones */
+    if (intern == NULL) return PR_FALSE;
+
+    /* first get the count of mechanisms */
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,NULL,&count);
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	PK11_FreeSlot(intern);
+	return PR_FALSE;
+    }
+
+
+    /* don't blow up just because the card supports more mechanisms than
+     * we know about, just alloc space for them */
+    if (count > MAX_MECH_LIST_SIZE) {
+    	mechList = (CK_MECHANISM_TYPE *)
+			    PORT_Alloc(count *sizeof(CK_MECHANISM_TYPE));
+	alloced = PR_TRUE;
+	if (mechList == NULL) return PR_FALSE;
+    }
+    /* get the list */
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    crv =PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID, mechList, &count);
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	if (alloced) PORT_Free(mechList);
+	PK11_FreeSlot(intern);
+	return PR_FALSE;
+    }
+
+    if (!generated) {
+	data.data = dataV;
+	data.len = sizeof(dataV);
+	iv.data = ivV;
+	iv.len = sizeof(ivV);
+	/* ok, this is a cheat, we know our internal random number generater
+	 * is thread safe */
+	PK11_GETTAB(intern)->C_GenerateRandom(intern->session,
+							data.data, data.len);
+	PK11_GETTAB(intern)->C_GenerateRandom(intern->session,
+							iv.data, iv.len);
+    }
+    for (i=0; i < (int) count; i++) {
+	switch (mechList[i]) {
+	case CKM_DES_CBC:
+	case CKM_DES_ECB:
+	case CKM_RC4:
+	case CKM_RC2_CBC:
+	case CKM_RC2_ECB:
+	    if (!PK11_VerifyMechanism(slot,intern,mechList[i],&data,&iv)){
+		if (alloced) PORT_Free(mechList);
+    		PK11_FreeSlot(intern);
+		return PR_FALSE;
+	    }
+	}
+    }
+    if (alloced) PORT_Free(mechList);
+    PK11_FreeSlot(intern);
+    return PR_TRUE;
+}
+
+/*
+ * See if we need to run the verify test, do so if necessary. If we fail,
+ * disable the slot.
+ */    
+SECStatus
+pk11_CheckVerifyTest(PK11SlotInfo *slot)
+{
+    PK11_EnterSlotMonitor(slot);
+    if (slot->needTest) {
+	slot->needTest = PR_FALSE; 
+    	PK11_ExitSlotMonitor(slot);
+	if (!PK11_VerifySlotMechanisms(slot)) {
+	    (void)PK11_GETTAB(slot)->C_CloseSession(slot->session);
+	    slot->session = CK_INVALID_SESSION;
+	    PK11_ClearSlotList(slot);
+	    slot->disabled = PR_TRUE;
+	    slot->reason = PK11_DIS_TOKEN_VERIFY_FAILED;
+	    slot->needTest = PR_TRUE;
+	    PORT_SetError(SEC_ERROR_IO);
+	    return SECFailure;
+	}
+    } else {
+    	PK11_ExitSlotMonitor(slot);
+    }
+    return SECSuccess;
+}
+
+/*
+ * Reads in the slots mechanism list for later use
+ */
+SECStatus
+PK11_ReadMechanismList(PK11SlotInfo *slot)
+{
+    CK_ULONG count;
+    CK_RV crv;
+
+    if (slot->mechanismList) {
+	PORT_Free(slot->mechanismList);
+	slot->mechanismList = NULL;
+    }
+    slot->mechanismCount = 0;
+
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,NULL,&count);
+    if (crv != CKR_OK) {
+	if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+	PORT_SetError(PK11_MapError(crv));
+	return SECFailure;
+    }
+
+    slot->mechanismList = (CK_MECHANISM_TYPE *)
+			    PORT_Alloc(count *sizeof(CK_MECHANISM_TYPE));
+    if (slot->mechanismList == NULL) {
+	if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+	return SECFailure;
+    }
+    crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,
+						slot->mechanismList, &count);
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	PORT_Free(slot->mechanismList);
+	slot->mechanismList = NULL;
+	PORT_SetError(PK11_MapError(crv));
+	return SECSuccess;
+    }
+    slot->mechanismCount = count;
+    return SECSuccess;
+}
+
+/*
+ * initialize a new token
+ * unlike initialize slot, this can be called multiple times in the lifetime
+ * of NSS. It reads the information associated with a card or token,
+ * that is not going to change unless the card or token changes.
+ */
+SECStatus
+PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts)
+{
+    CK_TOKEN_INFO tokenInfo;
+    CK_RV crv;
+    char *tmp;
+    SECStatus rv;
+
+    /* set the slot flags to the current token values */
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,&tokenInfo);
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	return SECFailure;
+    }
+
+    /* set the slot flags to the current token values */
+    slot->series++; /* allow other objects to detect that the 
+		      * slot is different */
+    slot->flags = tokenInfo.flags;
+    slot->needLogin = ((tokenInfo.flags & CKF_LOGIN_REQUIRED) ? 
+							PR_TRUE : PR_FALSE);
+    slot->readOnly = ((tokenInfo.flags & CKF_WRITE_PROTECTED) ? 
+							PR_TRUE : PR_FALSE);
+    slot->hasRandom = ((tokenInfo.flags & CKF_RNG) ? PR_TRUE : PR_FALSE);
+    slot->protectedAuthPath =
+    		((tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) 
+							? PR_TRUE : PR_FALSE);
+    tmp = PK11_MakeString(NULL,slot->token_name,
+			(char *)tokenInfo.label, sizeof(tokenInfo.label));
+    slot->minPassword = tokenInfo.ulMinPinLen;
+    slot->maxPassword = tokenInfo.ulMaxPinLen;
+    PORT_Memcpy(slot->serial,tokenInfo.serialNumber,sizeof(slot->serial));
+
+    nssToken_UpdateName(slot->nssToken);
+
+    slot->defRWSession = (PRBool)((!slot->readOnly) && 
+					(tokenInfo.ulMaxSessionCount == 1));
+    rv = PK11_ReadMechanismList(slot);
+    if (rv != SECSuccess) return rv;
+
+    slot->hasRSAInfo = PR_FALSE;
+    slot->RSAInfoFlags = 0;
+
+    /* initialize the maxKeyCount value */
+    if (tokenInfo.ulMaxSessionCount == 0) {
+	slot->maxKeyCount = 800; /* should be #define or a config param */
+    } else if (tokenInfo.ulMaxSessionCount < 20) {
+	/* don't have enough sessions to keep that many keys around */
+	slot->maxKeyCount = 0;
+    } else {
+	slot->maxKeyCount = tokenInfo.ulMaxSessionCount/2;
+    }
+
+    /* Make sure our session handle is valid */
+    if (slot->session == CK_INVALID_SESSION) {
+	/* we know we don't have a valid session, go get one */
+	CK_SESSION_HANDLE session;
+
+	/* session should be Readonly, serial */
+	if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+	crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
+	      (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION,
+				  slot,pk11_notify,&session);
+	if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+	if (crv != CKR_OK) {
+	    PORT_SetError(PK11_MapError(crv));
+	    return SECFailure;
+	}
+	slot->session = session;
+    } else {
+	/* The session we have may be defunct (the token associated with it)
+	 * has been removed   */
+	CK_SESSION_INFO sessionInfo;
+
+	if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+	crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session,&sessionInfo);
+        if (crv == CKR_DEVICE_ERROR) {
+	    PK11_GETTAB(slot)->C_CloseSession(slot->session);
+	    crv = CKR_SESSION_CLOSED;
+	}
+	if ((crv==CKR_SESSION_CLOSED) || (crv==CKR_SESSION_HANDLE_INVALID)) {
+	    crv =PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
+	      (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION,
+					slot,pk11_notify,&slot->session);
+	    if (crv != CKR_OK) {
+	        PORT_SetError(PK11_MapError(crv));
+		slot->session = CK_INVALID_SESSION;
+		if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+		return SECFailure;
+	    }
+	}
+	if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+    }
+
+    nssToken_Refresh(slot->nssToken);
+
+    if (!(slot->needLogin)) {
+	return pk11_CheckVerifyTest(slot);
+    }
+
+
+    if (!(slot->isInternal) && (slot->hasRandom)) {
+	/* if this slot has a random number generater, use it to add entropy
+	 * to the internal slot. */
+	PK11SlotInfo *int_slot = PK11_GetInternalSlot();
+
+	if (int_slot) {
+	    unsigned char random_bytes[32];
+
+	    /* if this slot can issue random numbers, get some entropy from
+	     * that random number generater and give it to our internal token.
+	     */
+	    PK11_EnterSlotMonitor(slot);
+	    crv = PK11_GETTAB(slot)->C_GenerateRandom
+			(slot->session,random_bytes, sizeof(random_bytes));
+	    PK11_ExitSlotMonitor(slot);
+	    if (crv == CKR_OK) {
+	        PK11_EnterSlotMonitor(int_slot);
+		PK11_GETTAB(int_slot)->C_SeedRandom(int_slot->session,
+					random_bytes, sizeof(random_bytes));
+	        PK11_ExitSlotMonitor(int_slot);
+	    }
+
+	    /* Now return the favor and send entropy to the token's random 
+	     * number generater */
+	    PK11_EnterSlotMonitor(int_slot);
+	    crv = PK11_GETTAB(int_slot)->C_GenerateRandom(int_slot->session,
+					random_bytes, sizeof(random_bytes));
+	    PK11_ExitSlotMonitor(int_slot);
+	    if (crv == CKR_OK) {
+	        PK11_EnterSlotMonitor(slot);
+		PK11_GETTAB(slot)->C_SeedRandom(slot->session,
+					random_bytes, sizeof(random_bytes));
+	        PK11_ExitSlotMonitor(slot);
+	    }
+	}
+    }
+
+	
+    return SECSuccess;
+}
+
+static PRBool
+pk11_isRootSlot(PK11SlotInfo *slot) 
+{
+    CK_ATTRIBUTE findTemp[1];
+    CK_ATTRIBUTE *attrs;
+    CK_OBJECT_CLASS oclass = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
+    int tsize;
+    CK_OBJECT_HANDLE handle;
+
+    attrs = findTemp;
+    PK11_SETATTRS(attrs, CKA_CLASS, &oclass, sizeof(oclass)); attrs++;
+    tsize = attrs - findTemp;
+    PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE));
+
+    handle = pk11_FindObjectByTemplate(slot,findTemp,tsize);
+    if (handle == CK_INVALID_HANDLE) {
+	return PR_FALSE;
+    }
+    return PR_TRUE;
+}
+
+/*
+ * Initialize the slot :
+ * This initialization code is called on each slot a module supports when
+ * it is loaded. It does the bringup initialization. The difference between
+ * this and InitToken is Init slot does those one time initialization stuff,
+ * usually associated with the reader, while InitToken may get called multiple
+ * times as tokens are removed and re-inserted.
+ */
+void
+PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot)
+{
+    SECStatus rv;
+    char *tmp;
+    CK_SLOT_INFO slotInfo;
+
+    slot->functionList = mod->functionList;
+    slot->isInternal = mod->internal;
+    slot->slotID = slotID;
+    slot->isThreadSafe = mod->isThreadSafe;
+    slot->hasRSAInfo = PR_FALSE;
+    
+    if (PK11_GETTAB(slot)->C_GetSlotInfo(slotID,&slotInfo) != CKR_OK) {
+	slot->disabled = PR_TRUE;
+	slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN;
+	return;
+    }
+
+    /* test to make sure claimed mechanism work */
+    slot->needTest = mod->internal ? PR_FALSE : PR_TRUE;
+    slot->module = mod; /* NOTE: we don't make a reference here because
+			 * modules have references to their slots. This
+			 * works because modules keep implicit references
+			 * from their slots, and won't unload and disappear
+			 * until all their slots have been freed */
+    tmp = PK11_MakeString(NULL,slot->slot_name,
+	 (char *)slotInfo.slotDescription, sizeof(slotInfo.slotDescription));
+    slot->isHW = (PRBool)((slotInfo.flags & CKF_HW_SLOT) == CKF_HW_SLOT);
+    if ((slotInfo.flags & CKF_REMOVABLE_DEVICE) == 0) {
+	slot->isPerm = PR_TRUE;
+	/* permanment slots must have the token present always */
+	if ((slotInfo.flags & CKF_TOKEN_PRESENT) == 0) {
+	    slot->disabled = PR_TRUE;
+	    slot->reason = PK11_DIS_TOKEN_NOT_PRESENT;
+	    return; /* nothing else to do */
+	}
+    }
+    /* if the token is present, initialize it */
+    if ((slotInfo.flags & CKF_TOKEN_PRESENT) != 0) {
+	rv = PK11_InitToken(slot,PR_TRUE);
+	/* the only hard failures are on permanent devices, or function
+	 * verify failures... function verify failures are already handled
+	 * by tokenInit */
+	if ((rv != SECSuccess) && (slot->isPerm) && (!slot->disabled)) {
+	    slot->disabled = PR_TRUE;
+	    slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN;
+	}
+    }
+    if (pk11_isRootSlot(slot)) {
+	if (!slot->hasRootCerts) {
+	    slot->module->trustOrder = 100;
+	}
+	slot->hasRootCerts= PR_TRUE;
+    }
+}
+
+	
+
+/*********************************************************************
+ *            Slot mapping utility functions.
+ *********************************************************************/
+
+/*
+ * determine if the token is present. If the token is present, make sure
+ * we have a valid session handle. Also set the value of needLogin 
+ * appropriately.
+ */
+static PRBool
+pk11_IsPresentCertLoad(PK11SlotInfo *slot, PRBool loadCerts)
+{
+    CK_SLOT_INFO slotInfo;
+    CK_SESSION_INFO sessionInfo;
+    CK_RV crv;
+
+    /* disabled slots are never present */
+    if (slot->disabled) {
+	return PR_FALSE;
+    }
+
+    /* permanent slots are always present */
+    if (slot->isPerm && (slot->session != CK_INVALID_SESSION)) {
+	return PR_TRUE;
+    }
+
+    if (slot->nssToken) {
+	return nssToken_IsPresent(slot->nssToken);
+    }
+
+    /* removable slots have a flag that says they are present */
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    if (PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID,&slotInfo) != CKR_OK) {
+        if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+	return PR_FALSE;
+    }
+    if ((slotInfo.flags & CKF_TOKEN_PRESENT) == 0) {
+	/* if the slot is no longer present, close the session */
+	if (slot->session != CK_INVALID_SESSION) {
+	    PK11_GETTAB(slot)->C_CloseSession(slot->session);
+	    slot->session = CK_INVALID_SESSION;
+	    /* force certs to be freed */
+	}
+        if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+	return PR_FALSE;
+    }
+
+    /* use the session Info to determine if the card has been removed and then
+     * re-inserted */
+    if (slot->session != CK_INVALID_SESSION) {
+	crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session, &sessionInfo);
+	if (crv != CKR_OK) {
+	    PK11_GETTAB(slot)->C_CloseSession(slot->session);
+	    slot->session = CK_INVALID_SESSION;
+	}
+    }
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+
+    /* card has not been removed, current token info is correct */
+    if (slot->session != CK_INVALID_SESSION) return PR_TRUE;
+
+    /* initialize the token info state */
+    if (PK11_InitToken(slot,loadCerts) != SECSuccess) {
+	return PR_FALSE;
+    }
+
+    return PR_TRUE;
+}
+
+/*
+ * old version of the routine
+ */
+PRBool
+PK11_IsPresent(PK11SlotInfo *slot) {
+   return pk11_IsPresentCertLoad(slot,PR_TRUE);
+}
+
+/* is the slot disabled? */
+PRBool
+PK11_IsDisabled(PK11SlotInfo *slot)
+{
+    return slot->disabled;
+}
+
+/* and why? */
+PK11DisableReasons
+PK11_GetDisabledReason(PK11SlotInfo *slot)
+{
+    return slot->reason;
+}
+
+/* returns PR_TRUE if successfully disable the slot */
+/* returns PR_FALSE otherwise */
+PRBool PK11_UserDisableSlot(PK11SlotInfo *slot) {
+
+    slot->defaultFlags |= PK11_DISABLE_FLAG;
+    slot->disabled = PR_TRUE;
+    slot->reason = PK11_DIS_USER_SELECTED;
+    
+    return PR_TRUE;
+}
+
+PRBool PK11_UserEnableSlot(PK11SlotInfo *slot) {
+
+    slot->defaultFlags &= ~PK11_DISABLE_FLAG;
+    slot->disabled = PR_FALSE;
+    slot->reason = PK11_DIS_NONE;
+    return PR_TRUE;
+}
+
+PRBool PK11_HasRootCerts(PK11SlotInfo *slot) {
+    return slot->hasRootCerts;
+}
+
+/* Get the module this slot is attatched to */
+SECMODModule *
+PK11_GetModule(PK11SlotInfo *slot)
+{
+	return slot->module;
+}
+
+/* return the default flags of a slot */
+unsigned long
+PK11_GetDefaultFlags(PK11SlotInfo *slot)
+{
+	return slot->defaultFlags;
+}
+
+/* Does this slot have a protected pin path? */
+PRBool
+PK11_ProtectedAuthenticationPath(PK11SlotInfo *slot)
+{
+	return slot->protectedAuthPath;
+}
+
+/*
+ * we can initialize the password if 1) The toke is not inited 
+ * (need login == true and see need UserInit) or 2) the token has
+ * a NULL password. (slot->needLogin = false & need user Init = false).
+ */
+PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot)
+{
+    if (slot->needLogin && PK11_NeedUserInit(slot)) {
+	return PR_TRUE;
+    }
+    if (!slot->needLogin && !PK11_NeedUserInit(slot)) {
+	return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+PRBool PK11_NeedPWInit()
+{
+    PK11SlotInfo *slot = PK11_GetInternalKeySlot();
+    PRBool ret = PK11_NeedPWInitForSlot(slot);
+
+    PK11_FreeSlot(slot);
+    return ret;
+}
+
+/*
+ * The following wrapper functions allow us to export an opaque slot
+ * function to the rest of libsec and the world... */
+PRBool
+PK11_IsReadOnly(PK11SlotInfo *slot)
+{
+    return slot->readOnly;
+}
+
+PRBool
+PK11_IsHW(PK11SlotInfo *slot)
+{
+    return slot->isHW;
+}
+
+PRBool
+PK11_IsInternal(PK11SlotInfo *slot)
+{
+    return slot->isInternal;
+}
+
+PRBool
+PK11_NeedLogin(PK11SlotInfo *slot)
+{
+    return slot->needLogin;
+}
+
+PRBool
+PK11_IsFriendly(PK11SlotInfo *slot)
+{
+    /* internal slot always has public readable certs */
+    return (PRBool)(slot->isInternal || 
+		    ((slot->defaultFlags & SECMOD_FRIENDLY_FLAG) == 
+		     SECMOD_FRIENDLY_FLAG));
+}
+
+char *
+PK11_GetTokenName(PK11SlotInfo *slot)
+{
+     return slot->token_name;
+}
+
+char *
+PK11_GetSlotName(PK11SlotInfo *slot)
+{
+     return slot->slot_name;
+}
+
+int
+PK11_GetSlotSeries(PK11SlotInfo *slot)
+{
+    return slot->series;
+}
+
+int
+PK11_GetCurrentWrapIndex(PK11SlotInfo *slot)
+{
+    return slot->wrapKey;
+}
+
+CK_SLOT_ID
+PK11_GetSlotID(PK11SlotInfo *slot)
+{
+    return slot->slotID;
+}
+
+SECMODModuleID
+PK11_GetModuleID(PK11SlotInfo *slot)
+{
+    return slot->module->moduleID;
+}
+
+
+/* return the slot info structure */
+SECStatus
+PK11_GetSlotInfo(PK11SlotInfo *slot, CK_SLOT_INFO *info)
+{
+    CK_RV crv;
+
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID,info);
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*  return the token info structure */
+SECStatus
+PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info)
+{
+    CK_RV crv;
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,info);
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/* Find out if we need to initialize the user's pin */
+PRBool
+PK11_NeedUserInit(PK11SlotInfo *slot)
+{
+    return (PRBool)((slot->flags & CKF_USER_PIN_INITIALIZED) == 0);
+}
+
+/* get the internal key slot. FIPS has only one slot for both key slots and
+ * default slots */
+PK11SlotInfo *
+PK11_GetInternalKeySlot(void)
+{
+    SECMODModule *mod = SECMOD_GetInternalModule();
+    PORT_Assert(mod != NULL);
+    if (!mod) {
+	PORT_SetError( SEC_ERROR_NO_MODULE );
+	return NULL;
+    }
+    return PK11_ReferenceSlot(mod->isFIPS ? mod->slots[0] : mod->slots[1]);
+}
+
+/* get the internal default slot */
+PK11SlotInfo *
+PK11_GetInternalSlot(void) 
+{
+    SECMODModule * mod = SECMOD_GetInternalModule();
+    PORT_Assert(mod != NULL);
+    if (!mod) {
+	PORT_SetError( SEC_ERROR_NO_MODULE );
+	return NULL;
+    }
+    return PK11_ReferenceSlot(mod->slots[0]);
+}
+
+/*
+ * Determine if the token is logged in. We have to actually query the token,
+ * because it's state can change without intervention from us.
+ */
+PRBool
+PK11_IsLoggedIn(PK11SlotInfo *slot,void *wincx)
+{
+    CK_SESSION_INFO sessionInfo;
+    int askpw = slot->askpw;
+    int timeout = slot->timeout;
+    CK_RV crv;
+
+    /* If we don't have our own password default values, use the system
+     * ones */
+    if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
+	PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
+
+	if (def_slot) {
+	    askpw = def_slot->askpw;
+	    timeout = def_slot->timeout;
+	    PK11_FreeSlot(def_slot);
+	}
+    }
+
+    if ((wincx != NULL) && (PK11_Global.isLoggedIn != NULL) &&
+	(*PK11_Global.isLoggedIn)(slot, wincx) == PR_FALSE) { return PR_FALSE; }
+
+
+    /* forget the password if we've been inactive too long */
+    if (askpw == 1) {
+	int64 currtime = PR_Now();
+	int64 result;
+	int64 mult;
+	
+	LL_I2L(result, timeout);
+	LL_I2L(mult, 60*1000*1000);
+	LL_MUL(result,result,mult);
+	LL_ADD(result, result, slot->authTime);
+	if (LL_CMP(result, <, currtime) ) {
+	    PK11_EnterSlotMonitor(slot);
+	    PK11_GETTAB(slot)->C_Logout(slot->session);
+	    PK11_ExitSlotMonitor(slot);
+	} else {
+	    slot->authTime = currtime;
+	}
+    }
+
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session,&sessionInfo);
+    PK11_ExitSlotMonitor(slot);
+    /* if we can't get session info, something is really wrong */
+    if (crv != CKR_OK) {
+	slot->session = CK_INVALID_SESSION;
+	return PR_FALSE;
+    }
+
+    switch (sessionInfo.state) {
+    case CKS_RW_PUBLIC_SESSION:
+    case CKS_RO_PUBLIC_SESSION:
+    default:
+	break; /* fail */
+    case CKS_RW_USER_FUNCTIONS:
+    case CKS_RW_SO_FUNCTIONS:
+    case CKS_RO_USER_FUNCTIONS:
+	return PR_TRUE;
+    }
+    return PR_FALSE; 
+}
+
+
+/*
+ * check if a given slot supports the requested mechanism
+ */
+PRBool
+PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type)
+{
+    int i;
+
+    /* CKM_FAKE_RANDOM is not a real PKCS mechanism. It's a marker to
+     * tell us we're looking form someone that has implemented get
+     * random bits */
+    if (type == CKM_FAKE_RANDOM) {
+	return slot->hasRandom;
+    }
+
+    for (i=0; i < (int) slot->mechanismCount; i++) {
+	if (slot->mechanismList[i] == type) return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+/*
+ * Return true if a token that can do the desired mechanism exists.
+ * This allows us to have hardware tokens that can do function XYZ magically
+ * allow SSL Ciphers to appear if they are plugged in.
+ */
+PRBool
+PK11_TokenExists(CK_MECHANISM_TYPE type)
+{
+    SECMODModuleList *mlp;
+    SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
+    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
+    PK11SlotInfo *slot;
+    PRBool found = PR_FALSE;
+    int i;
+
+    /* we only need to know if there is a token that does this mechanism.
+     * check the internal module first because it's fast, and supports 
+     * almost everything. */
+    slot = PK11_GetInternalSlot();
+    if (slot) {
+    	found = PK11_DoesMechanism(slot,type);
+	PK11_FreeSlot(slot);
+    }
+    if (found) return PR_TRUE; /* bypass getting module locks */
+
+    SECMOD_GetReadLock(moduleLock);
+    for(mlp = modules; mlp != NULL && (!found); mlp = mlp->next) {
+	for (i=0; i < mlp->module->slotCount; i++) {
+	    slot = mlp->module->slots[i];
+	    if (PK11_IsPresent(slot)) {
+		if (PK11_DoesMechanism(slot,type)) {
+		    found = PR_TRUE;
+		    break;
+		}
+	    }
+	}
+    }
+    SECMOD_ReleaseReadLock(moduleLock);
+    return found;
+}
+
+/*
+ * get all the currently available tokens in a list.
+ * that can perform the given mechanism. If mechanism is CKM_INVALID_MECHANISM,
+ * get all the tokens. Make sure tokens that need authentication are put at
+ * the end of this list.
+ */
+PK11SlotList *
+PK11_GetAllTokens(CK_MECHANISM_TYPE type, PRBool needRW, PRBool loadCerts, 
+                  void *wincx)
+{
+    PK11SlotList *     list         = PK11_NewSlotList();
+    PK11SlotList *     loginList    = PK11_NewSlotList();
+    PK11SlotList *     friendlyList = PK11_NewSlotList();
+    SECMODModuleList * mlp;
+    SECMODModuleList * modules      = SECMOD_GetDefaultModuleList();
+    SECMODListLock *   moduleLock   = SECMOD_GetDefaultModuleListLock();
+    int                i;
+#if defined( XP_WIN32 ) 
+    int                j            = 0;
+    PRInt32            waste[16];
+#endif
+
+    if ((list == NULL)  || (loginList == NULL) || (friendlyList == NULL)) {
+	if (list) PK11_FreeSlotList(list);
+	if (loginList) PK11_FreeSlotList(loginList);
+	if (friendlyList) PK11_FreeSlotList(friendlyList);
+	return NULL;
+    }
+
+    SECMOD_GetReadLock(moduleLock);
+    for(mlp = modules; mlp != NULL; mlp = mlp->next) {
+
+#if defined( XP_WIN32 ) 
+	/* This is works around some horrible cache/page thrashing problems 
+	** on Win32.  Without this, this loop can take up to 6 seconds at 
+	** 100% CPU on a Pentium-Pro 200.  The thing this changes is to 
+	** increase the size of the stack frame and modify it.  
+	** Moving the loop code itself seems to have no effect.
+	** Dunno why this combination makes a difference, but it does.
+	*/
+	waste[ j & 0xf] = j++; 
+#endif
+
+	for (i = 0; i < mlp->module->slotCount; i++) {
+	    PK11SlotInfo *slot = mlp->module->slots[i];
+
+	    if (pk11_IsPresentCertLoad(slot, loadCerts)) {
+		if (needRW &&  slot->readOnly) continue;
+		if ((type == CKM_INVALID_MECHANISM) 
+					|| PK11_DoesMechanism(slot, type)) {
+		    if (slot->needLogin && !PK11_IsLoggedIn(slot, wincx)) {
+			if (PK11_IsFriendly(slot)) {
+			    PK11_AddSlotToList(friendlyList, slot);
+			} else {
+			    PK11_AddSlotToList(loginList, slot);
+			}
+		    } else {
+			PK11_AddSlotToList(list, slot);
+		    }
+		}
+	    }
+	}
+    }
+    SECMOD_ReleaseReadLock(moduleLock);
+
+    PK11_MoveListToList(list,friendlyList);
+    PK11_FreeSlotList(friendlyList);
+    PK11_MoveListToList(list,loginList);
+    PK11_FreeSlotList(loginList);
+
+    return list;
+}
+
+/*
+ * NOTE: This routine is working from a private List generated by 
+ * PK11_GetAllTokens. That is why it does not need to lock.
+ */
+PK11SlotList *
+PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type,PRBool needRW,void *wincx)
+{
+    PK11SlotList *list = PK11_GetAllTokens(type,needRW,PR_TRUE,wincx);
+    PK11SlotListElement *le, *next ;
+    SECStatus rv;
+
+    if (list == NULL) return list;
+
+    for (le = list->head ; le; le = next) {
+	next = le->next; /* save the pointer here in case we have to 
+			  * free the element later */
+        rv = PK11_Authenticate(le->slot,PR_TRUE,wincx);
+	if (rv != SECSuccess) {
+	    PK11_DeleteSlotFromList(list,le);
+	    continue;
+	}
+    }
+    return list;
+}
+
+
+/*
+ * find the best slot which supports the given
+ * Mechanism. In normal cases this should grab the first slot on the list
+ * with no fuss.
+ */
+PK11SlotInfo *
+PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, int mech_count, void *wincx)
+{
+    PK11SlotList *list = NULL;
+    PK11SlotListElement *le ;
+    PK11SlotInfo *slot = NULL;
+    PRBool freeit = PR_FALSE;
+    PRBool listNeedLogin = PR_FALSE;
+    int i;
+    SECStatus rv;
+
+    list = PK11_GetSlotList(type[0]);
+
+    if ((list == NULL) || (list->head == NULL)) {
+	/* We need to look up all the tokens for the mechanism */
+	list = PK11_GetAllTokens(type[0],PR_FALSE,PR_TRUE,wincx);
+	freeit = PR_TRUE;
+    }
+
+    /* no one can do it! */
+    if (list == NULL) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+	return NULL;
+    }
+
+    PORT_SetError(0);
+
+
+    listNeedLogin = PR_FALSE;
+    for (i=0; i < mech_count; i++) {
+	if ((type[i] != CKM_FAKE_RANDOM) && (type[i] != CKM_SHA_1) &&
+			(type[i] != CKM_MD5) && (type[i] != CKM_MD2)) {
+	    listNeedLogin = PR_TRUE;
+	    break;
+	}
+    }
+
+    for (le = PK11_GetFirstSafe(list); le;
+			 	le = PK11_GetNextSafe(list,le,PR_TRUE)) {
+	if (PK11_IsPresent(le->slot)) {
+	    PRBool doExit = PR_FALSE;
+	    for (i=0; i < mech_count; i++) {
+	    	if (!PK11_DoesMechanism(le->slot,type[i])) {
+		    doExit = PR_TRUE;
+		    break;
+		}
+	    }
+	    if (doExit) continue;
+	      
+	    if (listNeedLogin && le->slot->needLogin) {
+		rv = PK11_Authenticate(le->slot,PR_TRUE,wincx);
+		if (rv != SECSuccess) continue;
+	    }
+	    slot = le->slot;
+	    PK11_ReferenceSlot(slot);
+	    pk11_FreeListElement(list,le);
+	    if (freeit) { PK11_FreeSlotList(list); }
+	    return slot;
+	}
+    }
+    if (freeit) { PK11_FreeSlotList(list); }
+    if (PORT_GetError() == 0) {
+	PORT_SetError(SEC_ERROR_NO_TOKEN);
+    }
+    return NULL;
+}
+
+/* original get best slot now calls the multiple version with only one type */
+PK11SlotInfo *
+PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx)
+{
+    return PK11_GetBestSlotMultiple(&type, 1, wincx);
+}
+
+/*
+ * find the best key wrap mechanism for this slot.
+ */
+CK_MECHANISM_TYPE
+PK11_GetBestWrapMechanism(PK11SlotInfo *slot)
+{
+    int i;
+    for (i=0; i < wrapMechanismCount; i++) {
+	if (PK11_DoesMechanism(slot,wrapMechanismList[i])) {
+	    return wrapMechanismList[i];
+	}
+    }
+    return CKM_INVALID_MECHANISM;
+}
+
+int
+PK11_GetBestKeyLength(PK11SlotInfo *slot,CK_MECHANISM_TYPE mechanism)
+{
+    CK_MECHANISM_INFO mechanism_info;
+    CK_RV crv;
+
+    if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,
+                               mechanism,&mechanism_info);
+    if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) return 0;
+
+    if (mechanism_info.ulMinKeySize == mechanism_info.ulMaxKeySize) 
+		return 0;
+    return mechanism_info.ulMaxKeySize;
+}
+
+
+/*********************************************************************
+ *       Mechanism Mapping functions
+ *********************************************************************/
+
+/*
+ * lookup an entry in the mechanism table. If none found, return the
+ * default structure.
+ */
+static pk11MechanismData *
+pk11_lookup(CK_MECHANISM_TYPE type)
+{
+    int i;
+    for (i=0; i < pk11_MechEntrySize; i++) {
+	if (pk11_MechanismTable[i].type == type) {
+	     return (&pk11_MechanismTable[i]);
+	}
+    }
+    return &pk11_default;
+}
+
+/*
+ * NOTE: This is not thread safe. Called at init time, and when loading
+ * a new Entry. It is reasonably safe as long as it is not re-entered
+ * (readers will always see a consistant table)
+ *
+ * This routine is called to add entries to the mechanism table, once there,
+ * they can not be removed.
+ */
+void
+PK11_AddMechanismEntry(CK_MECHANISM_TYPE type, CK_KEY_TYPE key,
+		 	CK_MECHANISM_TYPE keyGen, int ivLen, int blockSize)
+{
+    int tableSize = pk11_MechTableSize;
+    int size = pk11_MechEntrySize;
+    int entry = size++;
+    pk11MechanismData *old = pk11_MechanismTable;
+    pk11MechanismData *newt = pk11_MechanismTable;
+
+	
+    if (size > tableSize) {
+	int oldTableSize = tableSize;
+	tableSize += 10;
+	newt = (pk11MechanismData *)
+				PORT_Alloc(tableSize*sizeof(pk11MechanismData));
+	if (newt == NULL) return;
+
+	if (old) PORT_Memcpy(newt,old,oldTableSize*sizeof(pk11MechanismData));
+    } else old = NULL;
+
+    newt[entry].type = type;
+    newt[entry].keyType = key;
+    newt[entry].keyGen = keyGen;
+    newt[entry].iv = ivLen;
+    newt[entry].blockSize = blockSize;
+
+    pk11_MechanismTable = newt;
+    pk11_MechTableSize = tableSize;
+    pk11_MechEntrySize = size;
+    if (old) PORT_Free(old);
+}
+
+/*
+ * Get the key type needed for the given mechanism
+ */
+CK_MECHANISM_TYPE
+PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len)
+{
+    switch (type) {
+    case CKM_AES_ECB:
+    case CKM_AES_CBC:
+    case CKM_AES_MAC:
+    case CKM_AES_MAC_GENERAL:
+    case CKM_AES_CBC_PAD:
+    case CKM_AES_KEY_GEN:
+	return CKK_AES;
+    case CKM_DES_ECB:
+    case CKM_DES_CBC:
+    case CKM_DES_MAC:
+    case CKM_DES_MAC_GENERAL:
+    case CKM_DES_CBC_PAD:
+    case CKM_DES_KEY_GEN:
+    case CKM_KEY_WRAP_LYNKS:
+    case CKM_PBE_MD2_DES_CBC:
+    case CKM_PBE_MD5_DES_CBC:
+	return CKK_DES;
+    case CKM_DES3_ECB:
+    case CKM_DES3_CBC:
+    case CKM_DES3_MAC:
+    case CKM_DES3_MAC_GENERAL:
+    case CKM_DES3_CBC_PAD:
+	return (len == 128) ? CKK_DES2 : CKK_DES3;
+    case CKM_DES2_KEY_GEN:
+    case CKM_PBE_SHA1_DES2_EDE_CBC:
+	return CKK_DES2;
+    case CKM_PBE_SHA1_DES3_EDE_CBC:
+    case CKM_DES3_KEY_GEN:
+	return CKK_DES3;
+    case CKM_CDMF_ECB:
+    case CKM_CDMF_CBC:
+    case CKM_CDMF_MAC:
+    case CKM_CDMF_MAC_GENERAL:
+    case CKM_CDMF_CBC_PAD:
+    case CKM_CDMF_KEY_GEN:
+	return CKK_CDMF;
+    case CKM_RC2_ECB:
+    case CKM_RC2_CBC:
+    case CKM_RC2_MAC:
+    case CKM_RC2_MAC_GENERAL:
+    case CKM_RC2_CBC_PAD:
+    case CKM_RC2_KEY_GEN:
+    case CKM_PBE_SHA1_RC2_128_CBC:
+    case CKM_PBE_SHA1_RC2_40_CBC:
+	return CKK_RC2;
+    case CKM_RC4:
+    case CKM_RC4_KEY_GEN:
+	return CKK_RC4;
+    case CKM_RC5_ECB:
+    case CKM_RC5_CBC:
+    case CKM_RC5_MAC:
+    case CKM_RC5_MAC_GENERAL:
+    case CKM_RC5_CBC_PAD:
+    case CKM_RC5_KEY_GEN:
+	return CKK_RC5;
+    case CKM_SKIPJACK_CBC64:
+    case CKM_SKIPJACK_ECB64:
+    case CKM_SKIPJACK_OFB64:
+    case CKM_SKIPJACK_CFB64:
+    case CKM_SKIPJACK_CFB32:
+    case CKM_SKIPJACK_CFB16:
+    case CKM_SKIPJACK_CFB8:
+    case CKM_SKIPJACK_KEY_GEN:
+    case CKM_SKIPJACK_WRAP:
+    case CKM_SKIPJACK_PRIVATE_WRAP:
+	return CKK_SKIPJACK;
+    case CKM_BATON_ECB128:
+    case CKM_BATON_ECB96:
+    case CKM_BATON_CBC128:
+    case CKM_BATON_COUNTER:
+    case CKM_BATON_SHUFFLE:
+    case CKM_BATON_WRAP:
+    case CKM_BATON_KEY_GEN:
+	return CKK_BATON;
+    case CKM_JUNIPER_ECB128:
+    case CKM_JUNIPER_CBC128:
+    case CKM_JUNIPER_COUNTER:
+    case CKM_JUNIPER_SHUFFLE:
+    case CKM_JUNIPER_WRAP:
+    case CKM_JUNIPER_KEY_GEN:
+	return CKK_JUNIPER;
+    case CKM_IDEA_CBC:
+    case CKM_IDEA_ECB:
+    case CKM_IDEA_MAC:
+    case CKM_IDEA_MAC_GENERAL:
+    case CKM_IDEA_CBC_PAD:
+    case CKM_IDEA_KEY_GEN:
+	return CKK_IDEA;
+    case CKM_CAST_ECB:
+    case CKM_CAST_CBC:
+    case CKM_CAST_MAC:
+    case CKM_CAST_MAC_GENERAL:
+    case CKM_CAST_CBC_PAD:
+    case CKM_CAST_KEY_GEN:
+    case CKM_PBE_MD5_CAST_CBC:
+	return CKK_CAST;
+    case CKM_CAST3_ECB:
+    case CKM_CAST3_CBC:
+    case CKM_CAST3_MAC:
+    case CKM_CAST3_MAC_GENERAL:
+    case CKM_CAST3_CBC_PAD:
+    case CKM_CAST3_KEY_GEN:
+    case CKM_PBE_MD5_CAST3_CBC:
+	return CKK_CAST3;
+    case CKM_CAST5_ECB:
+    case CKM_CAST5_CBC:
+    case CKM_CAST5_MAC:
+    case CKM_CAST5_MAC_GENERAL:
+    case CKM_CAST5_CBC_PAD:
+    case CKM_CAST5_KEY_GEN:
+    case CKM_PBE_MD5_CAST5_CBC:
+	return CKK_CAST5;
+    case CKM_RSA_PKCS:
+    case CKM_RSA_9796:
+    case CKM_RSA_X_509:
+    case CKM_MD2_RSA_PKCS:
+    case CKM_MD5_RSA_PKCS:
+    case CKM_SHA1_RSA_PKCS:
+    case CKM_KEY_WRAP_SET_OAEP:
+    case CKM_RSA_PKCS_KEY_PAIR_GEN:
+	return CKK_RSA;
+    case CKM_DSA:
+    case CKM_DSA_SHA1:
+    case CKM_DSA_KEY_PAIR_GEN:
+	return CKK_DSA;
+    case CKM_DH_PKCS_DERIVE:
+    case CKM_DH_PKCS_KEY_PAIR_GEN:
+	return CKK_DH;
+    case CKM_KEA_KEY_DERIVE:
+    case CKM_KEA_KEY_PAIR_GEN:
+	return CKK_KEA;
+    case CKM_ECDSA_KEY_PAIR_GEN:
+    case CKM_ECDSA:
+    case CKM_ECDSA_SHA1:
+	return CKK_ECDSA;
+    case CKM_SSL3_PRE_MASTER_KEY_GEN:
+    case CKM_GENERIC_SECRET_KEY_GEN:
+    case CKM_SSL3_MASTER_KEY_DERIVE:
+    case CKM_SSL3_MASTER_KEY_DERIVE_DH:
+    case CKM_SSL3_KEY_AND_MAC_DERIVE:
+    case CKM_SSL3_SHA1_MAC:
+    case CKM_SSL3_MD5_MAC:
+    case CKM_TLS_MASTER_KEY_DERIVE:
+    case CKM_TLS_MASTER_KEY_DERIVE_DH:
+    case CKM_TLS_KEY_AND_MAC_DERIVE:
+    case CKM_SHA_1_HMAC:
+    case CKM_SHA_1_HMAC_GENERAL:
+    case CKM_MD2_HMAC:
+    case CKM_MD2_HMAC_GENERAL:
+    case CKM_MD5_HMAC:
+    case CKM_MD5_HMAC_GENERAL:
+    case CKM_TLS_PRF_GENERAL:
+	return CKK_GENERIC_SECRET;
+    default:
+	return pk11_lookup(type)->keyType;
+    }
+}
+
+/*
+ * Get the Key Gen Mechanism needed for the given 
+ * crypto mechanism
+ */
+CK_MECHANISM_TYPE
+PK11_GetKeyGen(CK_MECHANISM_TYPE type)
+{
+    switch (type) {
+    case CKM_AES_ECB:
+    case CKM_AES_CBC:
+    case CKM_AES_MAC:
+    case CKM_AES_MAC_GENERAL:
+    case CKM_AES_CBC_PAD:
+	return CKM_AES_KEY_GEN;
+    case CKM_DES_ECB:
+    case CKM_DES_CBC:
+    case CKM_DES_MAC:
+    case CKM_DES_MAC_GENERAL:
+    case CKM_KEY_WRAP_LYNKS:
+    case CKM_DES_CBC_PAD:
+	return CKM_DES_KEY_GEN;
+    case CKM_DES3_ECB:
+    case CKM_DES3_CBC:
+    case CKM_DES3_MAC:
+    case CKM_DES3_MAC_GENERAL:
+    case CKM_DES3_CBC_PAD:
+	return CKM_DES3_KEY_GEN;
+    case CKM_CDMF_ECB:
+    case CKM_CDMF_CBC:
+    case CKM_CDMF_MAC:
+    case CKM_CDMF_MAC_GENERAL:
+    case CKM_CDMF_CBC_PAD:
+	return CKM_CDMF_KEY_GEN;
+    case CKM_RC2_ECB:
+    case CKM_RC2_CBC:
+    case CKM_RC2_MAC:
+    case CKM_RC2_MAC_GENERAL:
+    case CKM_RC2_CBC_PAD:
+	return CKM_RC2_KEY_GEN;
+    case CKM_RC4:
+	return CKM_RC4_KEY_GEN;
+    case CKM_RC5_ECB:
+    case CKM_RC5_CBC:
+    case CKM_RC5_MAC:
+    case CKM_RC5_MAC_GENERAL:
+    case CKM_RC5_CBC_PAD:
+	return CKM_RC5_KEY_GEN;
+    case CKM_SKIPJACK_CBC64:
+    case CKM_SKIPJACK_ECB64:
+    case CKM_SKIPJACK_OFB64:
+    case CKM_SKIPJACK_CFB64:
+    case CKM_SKIPJACK_CFB32:
+    case CKM_SKIPJACK_CFB16:
+    case CKM_SKIPJACK_CFB8:
+    case CKM_SKIPJACK_WRAP:
+	return CKM_SKIPJACK_KEY_GEN;
+    case CKM_BATON_ECB128:
+    case CKM_BATON_ECB96:
+    case CKM_BATON_CBC128:
+    case CKM_BATON_COUNTER:
+    case CKM_BATON_SHUFFLE:
+    case CKM_BATON_WRAP:
+	return CKM_BATON_KEY_GEN;
+    case CKM_JUNIPER_ECB128:
+    case CKM_JUNIPER_CBC128:
+    case CKM_JUNIPER_COUNTER:
+    case CKM_JUNIPER_SHUFFLE:
+    case CKM_JUNIPER_WRAP:
+	return CKM_JUNIPER_KEY_GEN;
+    case CKM_IDEA_CBC:
+    case CKM_IDEA_ECB:
+    case CKM_IDEA_MAC:
+    case CKM_IDEA_MAC_GENERAL:
+    case CKM_IDEA_CBC_PAD:
+	return CKM_IDEA_KEY_GEN;
+    case CKM_CAST_ECB:
+    case CKM_CAST_CBC:
+    case CKM_CAST_MAC:
+    case CKM_CAST_MAC_GENERAL:
+    case CKM_CAST_CBC_PAD:
+	return CKM_CAST_KEY_GEN;
+    case CKM_CAST3_ECB:
+    case CKM_CAST3_CBC:
+    case CKM_CAST3_MAC:
+    case CKM_CAST3_MAC_GENERAL:
+    case CKM_CAST3_CBC_PAD:
+	return CKM_CAST3_KEY_GEN;
+    case CKM_CAST5_ECB:
+    case CKM_CAST5_CBC:
+    case CKM_CAST5_MAC:
+    case CKM_CAST5_MAC_GENERAL:
+    case CKM_CAST5_CBC_PAD:
+	return CKM_CAST5_KEY_GEN;
+    case CKM_RSA_PKCS:
+    case CKM_RSA_9796:
+    case CKM_RSA_X_509:
+    case CKM_MD2_RSA_PKCS:
+    case CKM_MD5_RSA_PKCS:
+    case CKM_SHA1_RSA_PKCS:
+    case CKM_KEY_WRAP_SET_OAEP:
+	return CKM_RSA_PKCS_KEY_PAIR_GEN;
+    case CKM_DSA:
+    case CKM_DSA_SHA1:
+	return CKM_DSA_KEY_PAIR_GEN;
+    case CKM_DH_PKCS_DERIVE:
+	return CKM_DH_PKCS_KEY_PAIR_GEN;
+    case CKM_KEA_KEY_DERIVE:
+	return CKM_KEA_KEY_PAIR_GEN;
+    case CKM_ECDSA:
+	return CKM_ECDSA_KEY_PAIR_GEN;
+    case CKM_SSL3_PRE_MASTER_KEY_GEN:
+    case CKM_SSL3_MASTER_KEY_DERIVE:
+    case CKM_SSL3_KEY_AND_MAC_DERIVE:
+    case CKM_SSL3_SHA1_MAC:
+    case CKM_SSL3_MD5_MAC:
+    case CKM_TLS_MASTER_KEY_DERIVE:
+    case CKM_TLS_KEY_AND_MAC_DERIVE:
+	return CKM_SSL3_PRE_MASTER_KEY_GEN;
+    case CKM_SHA_1_HMAC:
+    case CKM_SHA_1_HMAC_GENERAL:
+    case CKM_MD2_HMAC:
+    case CKM_MD2_HMAC_GENERAL:
+    case CKM_MD5_HMAC:
+    case CKM_MD5_HMAC_GENERAL:
+    case CKM_TLS_PRF_GENERAL:
+	return CKM_GENERIC_SECRET_KEY_GEN;
+    case CKM_PBE_MD2_DES_CBC:
+    case CKM_PBE_MD5_DES_CBC:
+    case CKM_PBA_SHA1_WITH_SHA1_HMAC:
+    case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN:
+    case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN:
+    case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN:
+    case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
+    case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
+    case CKM_PBE_SHA1_RC2_40_CBC:
+    case CKM_PBE_SHA1_RC2_128_CBC:
+    case CKM_PBE_SHA1_RC4_40:
+    case CKM_PBE_SHA1_RC4_128:
+    case CKM_PBE_SHA1_DES3_EDE_CBC:
+    case CKM_PBE_SHA1_DES2_EDE_CBC:
+    	return type;
+    default:
+	return pk11_lookup(type)->keyGen;
+    }
+}
+
+/*
+ * get the mechanism block size
+ */
+int
+PK11_GetBlockSize(CK_MECHANISM_TYPE type,SECItem *params)
+{
+    CK_RC5_PARAMS *rc5_params;
+    CK_RC5_CBC_PARAMS *rc5_cbc_params;
+    switch (type) {
+    case CKM_RC5_ECB:
+	if ((params) && (params->data)) {
+	    rc5_params = (CK_RC5_PARAMS *) params->data;
+	    return (rc5_params->ulWordsize)*2;
+	}
+	return 8;
+    case CKM_RC5_CBC:
+    case CKM_RC5_CBC_PAD:
+	if ((params) && (params->data)) {
+	    rc5_cbc_params = (CK_RC5_CBC_PARAMS *) params->data;
+	    return (rc5_cbc_params->ulWordsize)*2;
+	}
+	return 8;
+    case CKM_DES_ECB:
+    case CKM_DES3_ECB:
+    case CKM_RC2_ECB:
+    case CKM_IDEA_ECB:
+    case CKM_CAST_ECB:
+    case CKM_CAST3_ECB:
+    case CKM_CAST5_ECB:
+    case CKM_RC2_CBC:
+    case CKM_SKIPJACK_CBC64:
+    case CKM_SKIPJACK_ECB64:
+    case CKM_SKIPJACK_OFB64:
+    case CKM_SKIPJACK_CFB64:
+    case CKM_DES_CBC:
+    case CKM_DES3_CBC:
+    case CKM_IDEA_CBC:
+    case CKM_CAST_CBC:
+    case CKM_CAST3_CBC:
+    case CKM_CAST5_CBC:
+    case CKM_DES_CBC_PAD:
+    case CKM_DES3_CBC_PAD:
+    case CKM_RC2_CBC_PAD:
+    case CKM_IDEA_CBC_PAD:
+    case CKM_CAST_CBC_PAD:
+    case CKM_CAST3_CBC_PAD:
+    case CKM_CAST5_CBC_PAD:
+    case CKM_PBE_MD2_DES_CBC:
+    case CKM_PBE_MD5_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
+    case CKM_PBE_SHA1_RC2_40_CBC:
+    case CKM_PBE_SHA1_RC2_128_CBC:
+    case CKM_PBE_SHA1_DES3_EDE_CBC:
+    case CKM_PBE_SHA1_DES2_EDE_CBC:
+	return 8;
+    case CKM_SKIPJACK_CFB32:
+    case CKM_SKIPJACK_CFB16:
+    case CKM_SKIPJACK_CFB8:
+	return 4;
+    case CKM_AES_ECB:
+    case CKM_AES_CBC:
+    case CKM_AES_CBC_PAD:
+    case CKM_BATON_ECB128:
+    case CKM_BATON_CBC128:
+    case CKM_BATON_COUNTER:
+    case CKM_BATON_SHUFFLE:
+    case CKM_JUNIPER_ECB128:
+    case CKM_JUNIPER_CBC128:
+    case CKM_JUNIPER_COUNTER:
+    case CKM_JUNIPER_SHUFFLE:
+	return 16;
+    case CKM_BATON_ECB96:
+	return 12;
+    case CKM_RC4:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
+    case CKM_PBE_SHA1_RC4_40:
+    case CKM_PBE_SHA1_RC4_128:
+	return 0;
+    case CKM_RSA_PKCS:
+    case CKM_RSA_9796:
+    case CKM_RSA_X_509:
+	/*actually it's the modulus length of the key!*/
+	return -1;	/* failure */
+    default:
+	return pk11_lookup(type)->blockSize;
+    }
+}
+
+/*
+ * get the iv length
+ */
+int
+PK11_GetIVLength(CK_MECHANISM_TYPE type)
+{
+    switch (type) {
+    case CKM_AES_ECB:
+    case CKM_DES_ECB:
+    case CKM_DES3_ECB:
+    case CKM_RC2_ECB:
+    case CKM_IDEA_ECB:
+    case CKM_SKIPJACK_WRAP:
+    case CKM_BATON_WRAP:
+    case CKM_RC5_ECB:
+    case CKM_CAST_ECB:
+    case CKM_CAST3_ECB:
+    case CKM_CAST5_ECB:
+	return 0;
+    case CKM_RC2_CBC:
+    case CKM_DES_CBC:
+    case CKM_DES3_CBC:
+    case CKM_IDEA_CBC:
+    case CKM_PBE_MD2_DES_CBC:
+    case CKM_PBE_MD5_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
+    case CKM_PBE_SHA1_RC2_40_CBC:
+    case CKM_PBE_SHA1_RC2_128_CBC:
+    case CKM_PBE_SHA1_DES3_EDE_CBC:
+    case CKM_PBE_SHA1_DES2_EDE_CBC:
+    case CKM_RC5_CBC:
+    case CKM_CAST_CBC:
+    case CKM_CAST3_CBC:
+    case CKM_CAST5_CBC:
+    case CKM_RC2_CBC_PAD:
+    case CKM_DES_CBC_PAD:
+    case CKM_DES3_CBC_PAD:
+    case CKM_IDEA_CBC_PAD:
+    case CKM_RC5_CBC_PAD:
+    case CKM_CAST_CBC_PAD:
+    case CKM_CAST3_CBC_PAD:
+    case CKM_CAST5_CBC_PAD:
+	return 8;
+    case CKM_AES_CBC:
+    case CKM_AES_CBC_PAD:
+	return 16;
+    case CKM_SKIPJACK_CBC64:
+    case CKM_SKIPJACK_ECB64:
+    case CKM_SKIPJACK_OFB64:
+    case CKM_SKIPJACK_CFB64:
+    case CKM_SKIPJACK_CFB32:
+    case CKM_SKIPJACK_CFB16:
+    case CKM_SKIPJACK_CFB8:
+    case CKM_BATON_ECB128:
+    case CKM_BATON_ECB96:
+    case CKM_BATON_CBC128:
+    case CKM_BATON_COUNTER:
+    case CKM_BATON_SHUFFLE:
+    case CKM_JUNIPER_ECB128:
+    case CKM_JUNIPER_CBC128:
+    case CKM_JUNIPER_COUNTER:
+    case CKM_JUNIPER_SHUFFLE:
+	return 24;
+    case CKM_RC4:
+    case CKM_RSA_PKCS:
+    case CKM_RSA_9796:
+    case CKM_RSA_X_509:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
+    case CKM_PBE_SHA1_RC4_40:
+    case CKM_PBE_SHA1_RC4_128:
+	return 0;
+    default:
+	return pk11_lookup(type)->iv;
+    }
+}
+
+
+/* These next two utilities are here to help facilitate future
+ * Dynamic Encrypt/Decrypt symetric key mechanisms, and to allow functions
+ * like SSL and S-MIME to automatically add them.
+ */
+SECItem *
+PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv)
+{
+    CK_RC2_CBC_PARAMS *rc2_params = NULL;
+    CK_RC2_PARAMS *rc2_ecb_params = NULL;
+    CK_RC5_PARAMS *rc5_params = NULL;
+    CK_RC5_CBC_PARAMS *rc5_cbc_params = NULL;
+    SECItem *param;
+
+    param = (SECItem *)PORT_Alloc(sizeof(SECItem));
+    if (param == NULL) return NULL;
+    param->data = NULL;
+    param->len = 0;
+    switch (type) {
+    case CKM_AES_ECB:
+    case CKM_DES_ECB:
+    case CKM_DES3_ECB:
+    case CKM_RSA_PKCS:
+    case CKM_RSA_X_509:
+    case CKM_RSA_9796:
+    case CKM_IDEA_ECB:
+    case CKM_CDMF_ECB:
+    case CKM_CAST_ECB:
+    case CKM_CAST3_ECB:
+    case CKM_CAST5_ECB:
+    case CKM_RC4:
+	break;
+    case CKM_RC2_ECB:
+	rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS));
+	if (rc2_ecb_params == NULL) break;
+	/*  Maybe we should pass the key size in too to get this value? */
+	*rc2_ecb_params = 128;
+	param->data = (unsigned char *) rc2_ecb_params;
+	param->len = sizeof(CK_RC2_PARAMS);
+	break;
+    case CKM_RC2_CBC:
+    case CKM_RC2_CBC_PAD:
+	rc2_params = (CK_RC2_CBC_PARAMS *)PORT_Alloc(sizeof(CK_RC2_CBC_PARAMS));
+	if (rc2_params == NULL) break;
+	/* Maybe we should pass the key size in too to get this value? */
+	rc2_params->ulEffectiveBits = 128;
+	if (iv && iv->data)
+	    PORT_Memcpy(rc2_params->iv,iv->data,sizeof(rc2_params->iv));
+	param->data = (unsigned char *) rc2_params;
+	param->len = sizeof(CK_RC2_CBC_PARAMS);
+	break;
+    case CKM_RC5_CBC:
+    case CKM_RC5_CBC_PAD:
+	rc5_cbc_params = (CK_RC5_CBC_PARAMS *)
+		PORT_Alloc(sizeof(CK_RC5_CBC_PARAMS) + ((iv) ? iv->len : 0));
+	if (rc5_cbc_params == NULL) break;
+	if (iv && iv->data) {
+	    rc5_cbc_params->pIv = ((CK_BYTE_PTR) rc5_cbc_params) 
+						+ sizeof(CK_RC5_CBC_PARAMS);
+	    PORT_Memcpy(rc5_cbc_params->pIv,iv->data,iv->len);
+	    rc5_cbc_params->ulIvLen = iv->len;
+	    rc5_cbc_params->ulWordsize = iv->len/2;
+	} else {
+	    rc5_cbc_params->ulWordsize = 4;
+	    rc5_cbc_params->pIv = NULL;
+	    rc5_cbc_params->ulIvLen = iv->len;
+	}
+	rc5_cbc_params->ulRounds = 16;
+	param->data = (unsigned char *) rc5_cbc_params;
+	param->len = sizeof(CK_RC5_CBC_PARAMS);
+	break;
+    case CKM_RC5_ECB:
+	rc5_params = (CK_RC5_PARAMS *)PORT_Alloc(sizeof(CK_RC5_PARAMS));
+	if (rc5_params == NULL) break;
+	if (iv && iv->data && iv->len) {
+	    rc5_params->ulWordsize = iv->len/2;
+	} else {
+	    rc5_params->ulWordsize = 4;
+	}
+	rc5_params->ulRounds = 16;
+	param->data = (unsigned char *) rc5_params;
+	param->len = sizeof(CK_RC5_PARAMS);
+	break;
+    case CKM_AES_CBC:
+    case CKM_DES_CBC:
+    case CKM_DES3_CBC:
+    case CKM_IDEA_CBC:
+    case CKM_CDMF_CBC:
+    case CKM_CAST_CBC:
+    case CKM_CAST3_CBC:
+    case CKM_CAST5_CBC:
+    case CKM_AES_CBC_PAD:
+    case CKM_DES_CBC_PAD:
+    case CKM_DES3_CBC_PAD:
+    case CKM_IDEA_CBC_PAD:
+    case CKM_CDMF_CBC_PAD:
+    case CKM_CAST_CBC_PAD:
+    case CKM_CAST3_CBC_PAD:
+    case CKM_CAST5_CBC_PAD:
+    case CKM_SKIPJACK_CBC64:
+    case CKM_SKIPJACK_ECB64:
+    case CKM_SKIPJACK_OFB64:
+    case CKM_SKIPJACK_CFB64:
+    case CKM_SKIPJACK_CFB32:
+    case CKM_SKIPJACK_CFB16:
+    case CKM_SKIPJACK_CFB8:
+    case CKM_BATON_ECB128:
+    case CKM_BATON_ECB96:
+    case CKM_BATON_CBC128:
+    case CKM_BATON_COUNTER:
+    case CKM_BATON_SHUFFLE:
+    case CKM_JUNIPER_ECB128:
+    case CKM_JUNIPER_CBC128:
+    case CKM_JUNIPER_COUNTER:
+    case CKM_JUNIPER_SHUFFLE:
+	if ((iv == NULL) || (iv->data == NULL)) break;
+	param->data = (unsigned char*)PORT_Alloc(iv->len);
+	if (param->data != NULL) {
+	    PORT_Memcpy(param->data,iv->data,iv->len);
+	    param->len = iv->len;
+	}
+	break;
+     /* unknown mechanism, pass IV in if it's there */
+     default:
+	if (pk11_lookup(type)->iv == 0) {
+	    break;
+	}
+	if ((iv == NULL) || (iv->data == NULL)) {
+	    break;
+	}
+	param->data = (unsigned char*)PORT_Alloc(iv->len);
+	if (param->data != NULL) {
+	    PORT_Memcpy(param->data,iv->data,iv->len);
+	    param->len = iv->len;
+	}
+	break;
+     }
+     return param;
+}
+
+unsigned char *
+PK11_IVFromParam(CK_MECHANISM_TYPE type,SECItem *param,int *len)
+{
+    CK_RC2_CBC_PARAMS *rc2_params;
+    CK_RC5_CBC_PARAMS *rc5_cbc_params;
+
+    *len = 0;
+    switch (type) {
+    case CKM_AES_ECB:
+    case CKM_DES_ECB:
+    case CKM_DES3_ECB:
+    case CKM_RSA_PKCS:
+    case CKM_RSA_X_509:
+    case CKM_RSA_9796:
+    case CKM_IDEA_ECB:
+    case CKM_CDMF_ECB:
+    case CKM_CAST_ECB:
+    case CKM_CAST3_ECB:
+    case CKM_CAST5_ECB:
+    case CKM_RC4:
+	return NULL;
+    case CKM_RC2_ECB:
+	return NULL;
+    case CKM_RC2_CBC:
+    case CKM_RC2_CBC_PAD:
+	rc2_params = (CK_RC2_CBC_PARAMS *)param->data;
+        *len = sizeof(rc2_params->iv);
+	return &rc2_params->iv[0];
+    case CKM_RC5_CBC:
+    case CKM_RC5_CBC_PAD:
+	rc5_cbc_params = (CK_RC5_CBC_PARAMS *) param->data;
+	*len = rc5_cbc_params->ulIvLen;
+	return rc5_cbc_params->pIv;
+    case CKM_AES_CBC:
+    case CKM_DES_CBC:
+    case CKM_DES3_CBC:
+    case CKM_IDEA_CBC:
+    case CKM_CDMF_CBC:
+    case CKM_CAST_CBC:
+    case CKM_CAST3_CBC:
+    case CKM_CAST5_CBC:
+    case CKM_DES_CBC_PAD:
+    case CKM_DES3_CBC_PAD:
+    case CKM_IDEA_CBC_PAD:
+    case CKM_CDMF_CBC_PAD:
+    case CKM_CAST_CBC_PAD:
+    case CKM_CAST3_CBC_PAD:
+    case CKM_CAST5_CBC_PAD:
+    case CKM_SKIPJACK_CBC64:
+    case CKM_SKIPJACK_ECB64:
+    case CKM_SKIPJACK_OFB64:
+    case CKM_SKIPJACK_CFB64:
+    case CKM_SKIPJACK_CFB32:
+    case CKM_SKIPJACK_CFB16:
+    case CKM_SKIPJACK_CFB8:
+    case CKM_BATON_ECB128:
+    case CKM_BATON_ECB96:
+    case CKM_BATON_CBC128:
+    case CKM_BATON_COUNTER:
+    case CKM_BATON_SHUFFLE:
+    case CKM_JUNIPER_ECB128:
+    case CKM_JUNIPER_CBC128:
+    case CKM_JUNIPER_COUNTER:
+    case CKM_JUNIPER_SHUFFLE:
+	break;
+     /* unknown mechanism, pass IV in if it's there */
+     default:
+	break;
+     }
+     if (param->data) {
+	*len = param->len;
+     }
+     return param->data;
+}
+
+typedef struct sec_rc5cbcParameterStr {
+    SECItem version;
+    SECItem rounds;
+    SECItem blockSizeInBits;
+    SECItem iv;
+} sec_rc5cbcParameter;
+
+static const SEC_ASN1Template sec_rc5ecb_parameter_template[] = {
+    { SEC_ASN1_SEQUENCE,
+          0, NULL, sizeof(sec_rc5cbcParameter) },
+    { SEC_ASN1_INTEGER,
+          offsetof(sec_rc5cbcParameter,version) },
+    { SEC_ASN1_INTEGER,
+          offsetof(sec_rc5cbcParameter,rounds) },
+    { SEC_ASN1_INTEGER,
+          offsetof(sec_rc5cbcParameter,blockSizeInBits) },
+    { 0 }
+};
+
+static const SEC_ASN1Template sec_rc5cbc_parameter_template[] = {
+    { SEC_ASN1_SEQUENCE,
+          0, NULL, sizeof(sec_rc5cbcParameter) },
+    { SEC_ASN1_INTEGER,
+          offsetof(sec_rc5cbcParameter,version) },
+    { SEC_ASN1_INTEGER,
+          offsetof(sec_rc5cbcParameter,rounds) },
+    { SEC_ASN1_INTEGER,
+          offsetof(sec_rc5cbcParameter,blockSizeInBits) },
+    { SEC_ASN1_OCTET_STRING,
+          offsetof(sec_rc5cbcParameter,iv) },
+    { 0 }
+};
+
+typedef struct sec_rc2cbcParameterStr {
+    SECItem rc2ParameterVersion;
+    SECItem iv;
+} sec_rc2cbcParameter;
+
+static const SEC_ASN1Template sec_rc2cbc_parameter_template[] = {
+    { SEC_ASN1_SEQUENCE,
+          0, NULL, sizeof(sec_rc2cbcParameter) },
+    { SEC_ASN1_INTEGER,
+          offsetof(sec_rc2cbcParameter,rc2ParameterVersion) },
+    { SEC_ASN1_OCTET_STRING,
+          offsetof(sec_rc2cbcParameter,iv) },
+    { 0 }
+};
+
+static const SEC_ASN1Template sec_rc2ecb_parameter_template[] = {
+    { SEC_ASN1_SEQUENCE,
+          0, NULL, sizeof(sec_rc2cbcParameter) },
+    { SEC_ASN1_INTEGER,
+          offsetof(sec_rc2cbcParameter,rc2ParameterVersion) },
+    { 0 }
+};
+
+/* S/MIME picked id values to represent differnt keysizes */
+/* I do have a formula, but it ain't pretty, and it only works because you
+ * can always match three points to a parabola:) */
+static unsigned char  rc2_map(SECItem *version)
+{
+    long x;
+
+    x = DER_GetInteger(version);
+    
+    switch (x) {
+        case 58: return 128;
+        case 120: return 64;
+        case 160: return 40;
+    }
+    return 128; 
+}
+
+static unsigned long  rc2_unmap(unsigned long x)
+{
+    switch (x) {
+        case 128: return 58;
+        case 64: return 120;
+        case 40: return 160;
+    }
+    return 58; 
+}
+
+
+
+/* Generate a mechaism param from a type, and iv. */
+SECItem *
+PK11_ParamFromAlgid(SECAlgorithmID *algid)
+{
+    CK_RC2_CBC_PARAMS *rc2_params = NULL;
+    CK_RC2_PARAMS *rc2_ecb_params = NULL;
+    CK_RC5_CBC_PARAMS *rc5_params_cbc;
+    CK_RC5_PARAMS *rc5_params_ecb;
+    SECItem iv;
+    sec_rc2cbcParameter rc2;
+    sec_rc5cbcParameter rc5;
+    SECItem *mech;
+    CK_MECHANISM_TYPE type;
+    SECOidTag algtag;
+    SECStatus rv;
+
+    algtag = SECOID_GetAlgorithmTag(algid);
+    type = PK11_AlgtagToMechanism(algtag);
+
+    mech = (SECItem *) PORT_Alloc(sizeof(SECItem));
+    if (mech == NULL) return NULL;
+
+
+    /* handle the complicated cases */
+    switch (type) {
+    case CKM_RC2_ECB:
+        rv = SEC_ASN1DecodeItem(NULL, &rc2 ,sec_rc2ecb_parameter_template,
+							&(algid->parameters));
+	if (rv != SECSuccess) { 
+	    PORT_Free(mech);
+	    return NULL;
+	}
+	rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS));
+	if (rc2_ecb_params == NULL) {
+	    PORT_Free(rc2.rc2ParameterVersion.data);
+	    PORT_Free(mech);
+	    return NULL;
+	}
+	*rc2_ecb_params = rc2_map(&rc2.rc2ParameterVersion);
+	PORT_Free(rc2.rc2ParameterVersion.data);
+	mech->data = (unsigned char *) rc2_ecb_params;
+	mech->len = sizeof(CK_RC2_PARAMS);
+	return mech;
+    case CKM_RC2_CBC:
+    case CKM_RC2_CBC_PAD:
+        rv = SEC_ASN1DecodeItem(NULL, &rc2 ,sec_rc2cbc_parameter_template,
+							&(algid->parameters));
+	if (rv != SECSuccess) { 
+	    PORT_Free(mech);
+	    return NULL;
+	}
+	rc2_params = (CK_RC2_CBC_PARAMS *)PORT_Alloc(sizeof(CK_RC2_CBC_PARAMS));
+	if (rc2_params == NULL) {
+	    PORT_Free(rc2.iv.data);
+	    PORT_Free(rc2.rc2ParameterVersion.data);
+	    PORT_Free(mech);
+	    return NULL;
+	}
+	rc2_params->ulEffectiveBits = rc2_map(&rc2.rc2ParameterVersion);
+	PORT_Free(rc2.rc2ParameterVersion.data);
+	PORT_Memcpy(rc2_params->iv,rc2.iv.data,sizeof(rc2_params->iv));
+	PORT_Free(rc2.iv.data);
+	mech->data = (unsigned char *) rc2_params;
+	mech->len = sizeof(CK_RC2_CBC_PARAMS);
+	return mech;
+    case CKM_RC5_ECB:
+        rv = SEC_ASN1DecodeItem(NULL, &rc5 ,sec_rc5ecb_parameter_template,
+							&(algid->parameters));
+	if (rv != SECSuccess) { 
+	    PORT_Free(mech);
+	    return NULL;
+	}
+	rc5_params_ecb=(CK_RC5_PARAMS *)PORT_Alloc(sizeof(CK_RC5_PARAMS));
+	PORT_Free(rc5.version.data);
+	if (rc5_params_ecb == NULL) {
+	    PORT_Free(rc5.rounds.data);
+	    PORT_Free(rc5.blockSizeInBits.data);
+	    PORT_Free(mech);
+	    return NULL;
+	}
+	rc5_params_ecb->ulRounds = DER_GetInteger(&rc5.rounds);
+	rc5_params_ecb->ulWordsize = DER_GetInteger(&rc5.blockSizeInBits)/8;
+	PORT_Free(rc5.rounds.data);
+	PORT_Free(rc5.blockSizeInBits.data);
+	mech->data = (unsigned char *) rc5_params_ecb;
+	mech->len = sizeof(CK_RC5_PARAMS);
+	return mech;
+    case CKM_RC5_CBC:
+    case CKM_RC5_CBC_PAD:
+        rv = SEC_ASN1DecodeItem(NULL, &rc5 ,sec_rc5cbc_parameter_template,
+							&(algid->parameters));
+	if (rv != SECSuccess) { 
+	    PORT_Free(mech);
+	    return NULL;
+	}
+	rc5_params_cbc = (CK_RC5_CBC_PARAMS *)
+		PORT_Alloc(sizeof(CK_RC5_CBC_PARAMS) + rc5.iv.len);
+	PORT_Free(rc5.version.data);
+	if (rc2_params == NULL) {
+	    PORT_Free(rc5.iv.data);
+	    PORT_Free(rc5.rounds.data);
+	    PORT_Free(rc5.blockSizeInBits.data);
+	    PORT_Free(mech);
+	    return NULL;
+	}
+	rc5_params_cbc->ulRounds = DER_GetInteger(&rc5.rounds);
+	rc5_params_cbc->ulWordsize = DER_GetInteger(&rc5.blockSizeInBits)/8;
+	PORT_Free(rc5.rounds.data);
+	PORT_Free(rc5.blockSizeInBits.data);
+        rc5_params_cbc->pIv = ((CK_BYTE_PTR)rc5_params_cbc)
+						+ sizeof(CK_RC5_CBC_PARAMS);
+	PORT_Memcpy(rc5_params_cbc->pIv,rc5.iv.data,rc5.iv.len);
+        rc5_params_cbc->ulIvLen = rc5.iv.len;
+	PORT_Free(rc5.iv.data);
+	mech->data = (unsigned char *) rc5_params_cbc;
+	mech->len = sizeof(CK_RC5_CBC_PARAMS);
+	return mech;
+    case CKM_PBE_MD2_DES_CBC:
+    case CKM_PBE_MD5_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
+    case CKM_PBE_SHA1_DES2_EDE_CBC:
+    case CKM_PBE_SHA1_DES3_EDE_CBC:
+    case CKM_PBE_SHA1_RC2_40_CBC:
+    case CKM_PBE_SHA1_RC2_128_CBC:
+    case CKM_PBE_SHA1_RC4_40:
+    case CKM_PBE_SHA1_RC4_128:
+	rv = pbe_PK11AlgidToParam(algid,mech);
+	if (rv != SECSuccess) {
+	    PORT_Free(mech);
+	    return NULL;
+	}
+	return mech;
+    default:
+	/* must be a simple case */
+	break;
+    }
+
+    /* simple cases are simpley Octect encoded IV's */
+    rv = SEC_ASN1DecodeItem(NULL, &iv, SEC_OctetStringTemplate, 
+							&(algid->parameters));
+    if (rv !=  SECSuccess) {
+	iv.data = NULL;
+	iv.len = 0;
+    }
+
+    rv = SECSuccess;
+    switch (type) {
+    case CKM_RC4:
+    case CKM_AES_ECB:
+    case CKM_DES_ECB:
+    case CKM_DES3_ECB:
+    case CKM_IDEA_ECB:
+    case CKM_CDMF_ECB:
+    case CKM_CAST_ECB:
+    case CKM_CAST3_ECB:
+    case CKM_CAST5_ECB:
+	mech->data = NULL;
+	mech->len = 0;
+	break;
+    default:
+	if (pk11_lookup(type)->iv == 0) {
+	    mech->data = NULL;
+	    mech->len = 0;
+	    break;
+	}
+    case CKM_AES_CBC:
+    case CKM_DES_CBC:
+    case CKM_DES3_CBC:
+    case CKM_IDEA_CBC:
+    case CKM_CDMF_CBC:
+    case CKM_CAST_CBC:
+    case CKM_CAST3_CBC:
+    case CKM_CAST5_CBC:
+    case CKM_AES_CBC_PAD:
+    case CKM_DES_CBC_PAD:
+    case CKM_DES3_CBC_PAD:
+    case CKM_IDEA_CBC_PAD:
+    case CKM_CDMF_CBC_PAD:
+    case CKM_CAST_CBC_PAD:
+    case CKM_CAST3_CBC_PAD:
+    case CKM_CAST5_CBC_PAD:
+    case CKM_SKIPJACK_CBC64:
+    case CKM_SKIPJACK_ECB64:
+    case CKM_SKIPJACK_OFB64:
+    case CKM_SKIPJACK_CFB64:
+    case CKM_SKIPJACK_CFB32:
+    case CKM_SKIPJACK_CFB16:
+    case CKM_SKIPJACK_CFB8:
+    case CKM_BATON_ECB128:
+    case CKM_BATON_ECB96:
+    case CKM_BATON_CBC128:
+    case CKM_BATON_COUNTER:
+    case CKM_BATON_SHUFFLE:
+    case CKM_JUNIPER_ECB128:
+    case CKM_JUNIPER_CBC128:
+    case CKM_JUNIPER_COUNTER:
+    case CKM_JUNIPER_SHUFFLE:
+	if (iv.data ==  NULL) {
+	    rv = SECFailure;
+	    break;
+	}
+	mech->data = (unsigned char*)PORT_Alloc(iv.len);
+	if (mech->data == NULL) {
+	    rv = SECFailure;
+	    break;
+	}
+	PORT_Memcpy(mech->data,iv.data,iv.len);
+	mech->len = iv.len;
+	break;
+    }
+    if (iv.data) PORT_Free(iv.data);
+    if (rv !=  SECSuccess) {
+	SECITEM_FreeItem(mech,PR_TRUE);
+	return NULL;
+    }
+    return mech;
+}
+
+SECStatus
+PK11_SeedRandom(PK11SlotInfo *slot, unsigned char *data, int len) {
+    CK_RV crv;
+
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session,data, (CK_ULONG)len);
+    PK11_ExitSlotMonitor(slot);
+    return (crv != CKR_OK) ? SECFailure : SECSuccess;
+}
+
+/* Attempts to update the Best Slot for "FAKE RANDOM" generation.
+** If that's not the internal slot, then it also attempts to update the
+** internal slot.
+** The return value indicates if the INTERNAL slot was updated OK.
+*/
+SECStatus
+PK11_RandomUpdate(void *data, size_t bytes)
+{
+    PK11SlotInfo *slot;
+    PRBool        bestIsInternal;
+    SECStatus     status;
+
+    slot = PK11_GetBestSlot(CKM_FAKE_RANDOM, NULL);
+    if (slot == NULL) {
+	slot = PK11_GetInternalSlot();
+	if (!slot)
+	    return SECFailure;
+    }
+
+    bestIsInternal = PK11_IsInternal(slot);
+    status = PK11_SeedRandom(slot, data, bytes);
+    PK11_FreeSlot(slot);
+
+    if (!bestIsInternal) {
+    	/* do internal slot, too. */
+    	slot = PK11_GetInternalSlot();	/* can't fail */
+	status = PK11_SeedRandom(slot, data, bytes);
+	PK11_FreeSlot(slot);
+    }
+    return status;
+}
+
+
+SECStatus
+PK11_GenerateRandom(unsigned char *data,int len) {
+    PK11SlotInfo *slot;
+    CK_RV crv;
+
+    slot = PK11_GetBestSlot(CKM_FAKE_RANDOM,NULL);
+    if (slot == NULL) return SECFailure;
+
+    if (!slot->isInternal) PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GenerateRandom(slot->session,data, 
+							(CK_ULONG)len);
+    if (!slot->isInternal) PK11_ExitSlotMonitor(slot);
+    PK11_FreeSlot(slot);
+    return (crv != CKR_OK) ? SECFailure : SECSuccess;
+}
+
+/*
+ * Generate an IV for the given mechanism 
+ */
+static SECStatus
+pk11_GenIV(CK_MECHANISM_TYPE type, SECItem *iv) {
+    int iv_size = PK11_GetIVLength(type);
+    SECStatus rv;
+
+    iv->len = iv_size;
+    if (iv_size == 0) { 
+	iv->data = NULL;
+	return SECSuccess;
+    }
+
+    iv->data = (unsigned char *) PORT_Alloc(iv_size);
+    if (iv->data == NULL) {
+	iv->len = 0;
+	return SECFailure;
+    }
+
+    rv = PK11_GenerateRandom(iv->data,iv->len);
+    if (rv != SECSuccess) {
+	PORT_Free(iv->data);
+	iv->data = NULL; iv->len = 0;
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+
+/*
+ * create a new paramter block from the passed in MECHANISM and the
+ * key. Use Netscape's S/MIME Rules for the New param block.
+ */
+SECItem *
+PK11_GenerateNewParam(CK_MECHANISM_TYPE type, PK11SymKey *key) { 
+    CK_RC2_CBC_PARAMS *rc2_params;
+    CK_RC2_PARAMS *rc2_ecb_params;
+    SECItem *mech;
+    SECItem iv;
+    SECStatus rv;
+
+
+    mech = (SECItem *) PORT_Alloc(sizeof(SECItem));
+    if (mech == NULL) return NULL;
+
+    rv = SECSuccess;
+    switch (type) {
+    case CKM_RC4:
+    case CKM_AES_ECB:
+    case CKM_DES_ECB:
+    case CKM_DES3_ECB:
+    case CKM_IDEA_ECB:
+    case CKM_CDMF_ECB:
+    case CKM_CAST_ECB:
+    case CKM_CAST3_ECB:
+    case CKM_CAST5_ECB:
+	mech->data = NULL;
+	mech->len = 0;
+	break;
+    case CKM_RC2_ECB:
+	rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS));
+	if (rc2_ecb_params == NULL) {
+	    rv = SECFailure;
+	    break;
+	}
+	/* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5,
+	 *   or RC4 key. Of course that wouldn't happen here doing RC2:).*/
+	*rc2_ecb_params = PK11_GetKeyLength(key)*8;
+	mech->data = (unsigned char *) rc2_ecb_params;
+	mech->len = sizeof(CK_RC2_PARAMS);
+	break;
+    case CKM_RC2_CBC:
+    case CKM_RC2_CBC_PAD:
+	rv = pk11_GenIV(type,&iv);
+	if (rv != SECSuccess) {
+	    break;
+	}
+	rc2_params = (CK_RC2_CBC_PARAMS *)PORT_Alloc(sizeof(CK_RC2_CBC_PARAMS));
+	if (rc2_params == NULL) {
+	    PORT_Free(iv.data);
+	    rv = SECFailure;
+	    break;
+	}
+	/* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5,
+	 *   or RC4 key. Of course that wouldn't happen here doing RC2:).*/
+	rc2_params->ulEffectiveBits = PK11_GetKeyLength(key)*8;
+	if (iv.data)
+	    PORT_Memcpy(rc2_params->iv,iv.data,sizeof(rc2_params->iv));
+	mech->data = (unsigned char *) rc2_params;
+	mech->len = sizeof(CK_RC2_CBC_PARAMS);
+	PORT_Free(iv.data);
+	break;
+    case CKM_RC5_ECB:
+        PORT_Free(mech);
+	return PK11_ParamFromIV(type,NULL);
+    case CKM_RC5_CBC:
+    case CKM_RC5_CBC_PAD:
+	rv = pk11_GenIV(type,&iv);
+	if (rv != SECSuccess) {
+	    break;
+	}
+        PORT_Free(mech);
+	return PK11_ParamFromIV(type,&iv);
+    default:
+	if (pk11_lookup(type)->iv == 0) {
+	    mech->data = NULL;
+	    mech->len = 0;
+	    break;
+	}
+    case CKM_AES_CBC:
+    case CKM_DES_CBC:
+    case CKM_DES3_CBC:
+    case CKM_IDEA_CBC:
+    case CKM_CDMF_CBC:
+    case CKM_CAST_CBC:
+    case CKM_CAST3_CBC:
+    case CKM_CAST5_CBC:
+    case CKM_DES_CBC_PAD:
+    case CKM_DES3_CBC_PAD:
+    case CKM_IDEA_CBC_PAD:
+    case CKM_CDMF_CBC_PAD:
+    case CKM_CAST_CBC_PAD:
+    case CKM_CAST3_CBC_PAD:
+    case CKM_CAST5_CBC_PAD:
+    case CKM_SKIPJACK_CBC64:
+    case CKM_SKIPJACK_ECB64:
+    case CKM_SKIPJACK_OFB64:
+    case CKM_SKIPJACK_CFB64:
+    case CKM_SKIPJACK_CFB32:
+    case CKM_SKIPJACK_CFB16:
+    case CKM_SKIPJACK_CFB8:
+    case CKM_BATON_ECB128:
+    case CKM_BATON_ECB96:
+    case CKM_BATON_CBC128:
+    case CKM_BATON_COUNTER:
+    case CKM_BATON_SHUFFLE:
+    case CKM_JUNIPER_ECB128:
+    case CKM_JUNIPER_CBC128:
+    case CKM_JUNIPER_COUNTER:
+    case CKM_JUNIPER_SHUFFLE:
+	rv = pk11_GenIV(type,&iv);
+	if (rv != SECSuccess) {
+	    break;
+	}
+	mech->data = (unsigned char*)PORT_Alloc(iv.len);
+	if (mech->data == NULL) {
+	    PORT_Free(iv.data);
+	    rv = SECFailure;
+	    break;
+	}
+	PORT_Memcpy(mech->data,iv.data,iv.len);
+	mech->len = iv.len;
+        PORT_Free(iv.data);
+	break;
+    }
+    if (rv !=  SECSuccess) {
+	SECITEM_FreeItem(mech,PR_TRUE);
+	return NULL;
+    }
+    return mech;
+
+}
+
+#define RC5_V10 0x10
+
+/* turn a PKCS #11 parameter into a DER Encoded Algorithm ID */
+SECStatus
+PK11_ParamToAlgid(SECOidTag algTag, SECItem *param, 
+				PRArenaPool *arena, SECAlgorithmID *algid) {
+    CK_RC2_CBC_PARAMS *rc2_params;
+    sec_rc2cbcParameter rc2;
+    CK_RC5_CBC_PARAMS *rc5_params;
+    sec_rc5cbcParameter rc5;
+    CK_MECHANISM_TYPE type = PK11_AlgtagToMechanism(algTag);
+    SECItem *newParams = NULL;
+    SECStatus rv = SECFailure;
+    unsigned long rc2version;
+
+    rv = SECSuccess;
+    switch (type) {
+    case CKM_RC4:
+    case CKM_AES_ECB:
+    case CKM_DES_ECB:
+    case CKM_DES3_ECB:
+    case CKM_IDEA_ECB:
+    case CKM_CDMF_ECB:
+    case CKM_CAST_ECB:
+    case CKM_CAST3_ECB:
+    case CKM_CAST5_ECB:
+	newParams = NULL;
+	rv = SECSuccess;
+	break;
+    case CKM_RC2_ECB:
+	break;
+    case CKM_RC2_CBC:
+    case CKM_RC2_CBC_PAD:
+	rc2_params = (CK_RC2_CBC_PARAMS *)param->data;
+	rc2version = rc2_unmap(rc2_params->ulEffectiveBits);
+	if (SEC_ASN1EncodeUnsignedInteger (NULL, &(rc2.rc2ParameterVersion),
+					   rc2version) == NULL)
+	    break;
+	rc2.iv.data = rc2_params->iv;
+	rc2.iv.len = sizeof(rc2_params->iv);
+	newParams = SEC_ASN1EncodeItem (NULL, NULL, &rc2,
+                                         sec_rc2cbc_parameter_template);
+        PORT_Free(rc2.rc2ParameterVersion.data);
+	if (newParams == NULL)
+	    break;
+	rv = SECSuccess;
+	break;
+
+    case CKM_RC5_ECB: /* well not really... */
+	break;
+    case CKM_RC5_CBC:
+    case CKM_RC5_CBC_PAD:
+	rc5_params = (CK_RC5_CBC_PARAMS *)param->data;
+	if (SEC_ASN1EncodeUnsignedInteger (NULL, &rc5.version, RC5_V10) == NULL)
+	    break;
+	if (SEC_ASN1EncodeUnsignedInteger (NULL, &rc5.blockSizeInBits, 
+					rc5_params->ulWordsize*8) == NULL) {
+            PORT_Free(rc5.version.data);
+	    break;
+	}
+	if (SEC_ASN1EncodeUnsignedInteger (NULL, &rc5.rounds, 
+					rc5_params->ulWordsize*8) == NULL) {
+            PORT_Free(rc5.blockSizeInBits.data);
+            PORT_Free(rc5.version.data);
+	    break;
+	}
+	rc5.iv.data = rc5_params->pIv;
+	rc5.iv.len = rc5_params->ulIvLen;
+	newParams = SEC_ASN1EncodeItem (NULL, NULL, &rc5,
+                                         sec_rc5cbc_parameter_template);
+        PORT_Free(rc5.version.data);
+        PORT_Free(rc5.blockSizeInBits.data);
+        PORT_Free(rc5.rounds.data);
+	if (newParams == NULL)
+	    break;
+	rv = SECSuccess;
+	break;
+    case CKM_PBE_MD2_DES_CBC:
+    case CKM_PBE_MD5_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
+    case CKM_PBE_SHA1_DES3_EDE_CBC:
+    case CKM_PBE_SHA1_DES2_EDE_CBC:
+    case CKM_PBE_SHA1_RC2_40_CBC:
+    case CKM_PBE_SHA1_RC2_128_CBC:
+    case CKM_PBE_SHA1_RC4_40:
+    case CKM_PBE_SHA1_RC4_128:
+	return PBE_PK11ParamToAlgid(algTag, param, arena, algid);
+    default:
+	if (pk11_lookup(type)->iv == 0) {
+	    rv = SECSuccess;
+	    newParams = NULL;
+	    break;
+	}
+    case CKM_AES_CBC:
+    case CKM_DES_CBC:
+    case CKM_DES3_CBC:
+    case CKM_IDEA_CBC:
+    case CKM_CDMF_CBC:
+    case CKM_CAST_CBC:
+    case CKM_CAST3_CBC:
+    case CKM_CAST5_CBC:
+    case CKM_DES_CBC_PAD:
+    case CKM_DES3_CBC_PAD:
+    case CKM_IDEA_CBC_PAD:
+    case CKM_CDMF_CBC_PAD:
+    case CKM_CAST_CBC_PAD:
+    case CKM_CAST3_CBC_PAD:
+    case CKM_CAST5_CBC_PAD:
+    case CKM_SKIPJACK_CBC64:
+    case CKM_SKIPJACK_ECB64:
+    case CKM_SKIPJACK_OFB64:
+    case CKM_SKIPJACK_CFB64:
+    case CKM_SKIPJACK_CFB32:
+    case CKM_SKIPJACK_CFB16:
+    case CKM_SKIPJACK_CFB8:
+    case CKM_BATON_ECB128:
+    case CKM_BATON_ECB96:
+    case CKM_BATON_CBC128:
+    case CKM_BATON_COUNTER:
+    case CKM_BATON_SHUFFLE:
+    case CKM_JUNIPER_ECB128:
+    case CKM_JUNIPER_CBC128:
+    case CKM_JUNIPER_COUNTER:
+    case CKM_JUNIPER_SHUFFLE:
+	newParams = SEC_ASN1EncodeItem(NULL,NULL,param,
+						SEC_OctetStringTemplate);
+	rv = SECSuccess;
+	break;
+    }
+
+    if (rv !=  SECSuccess) {
+	if (newParams) SECITEM_FreeItem(newParams,PR_TRUE);
+	return rv;
+    }
+
+    rv = SECOID_SetAlgorithmID(arena, algid, algTag, newParams);
+    SECITEM_FreeItem(newParams,PR_TRUE);
+    return rv;
+}
+
+/* turn an OID algorithm tag into a PKCS #11 mechanism. This allows us to
+ * map OID's directly into the PKCS #11 mechanism we want to call. We find
+ * this mapping in our standard OID table */
+CK_MECHANISM_TYPE
+PK11_AlgtagToMechanism(SECOidTag algTag) {
+    SECOidData *oid = SECOID_FindOIDByTag(algTag);
+
+    if (oid) return (CK_MECHANISM_TYPE) oid->mechanism;
+    return CKM_INVALID_MECHANISM;
+}
+
+/* turn a mechanism into an oid. */
+SECOidTag
+PK11_MechanismToAlgtag(CK_MECHANISM_TYPE type) {
+    SECOidData *oid = SECOID_FindOIDByMechanism((unsigned long)type);
+
+    if (oid) return oid->offset;
+    return SEC_OID_UNKNOWN;
+}
+
+/* Determine appropriate blocking mechanism, used when wrapping private keys
+ * which require PKCS padding.  If the mechanism does not map to a padding
+ * mechanism, we simply return the mechanism.
+ */
+CK_MECHANISM_TYPE
+PK11_GetPadMechanism(CK_MECHANISM_TYPE type) {
+    switch(type) {
+	case CKM_AES_CBC:
+	    return CKM_AES_CBC_PAD;
+	case CKM_DES_CBC:
+	    return CKM_DES_CBC_PAD;
+	case CKM_DES3_CBC:
+	    return CKM_DES3_CBC_PAD;
+	case CKM_RC2_CBC:
+	    return CKM_RC2_CBC_PAD;
+	case CKM_CDMF_CBC:
+	    return CKM_CDMF_CBC_PAD;
+	case CKM_CAST_CBC:
+	    return CKM_CAST_CBC_PAD;
+	case CKM_CAST3_CBC:
+	    return CKM_CAST3_CBC_PAD;
+	case CKM_CAST5_CBC:
+	    return CKM_CAST5_CBC_PAD;
+	case CKM_RC5_CBC:
+	    return CKM_RC5_CBC_PAD; 
+	case CKM_IDEA_CBC:
+	    return CKM_IDEA_CBC_PAD; 
+	default:
+	    break;
+    }
+
+    return type;
+}
+	    
+/*
+ * Build a block big enough to hold the data
+ */
+SECItem *
+PK11_BlockData(SECItem *data,unsigned long size) {
+    SECItem *newData;
+
+    newData = (SECItem *)PORT_Alloc(sizeof(SECItem));
+    if (newData == NULL) return NULL;
+
+    newData->len = (data->len + (size-1))/size;
+    newData->len *= size;
+
+    newData->data = (unsigned char *) PORT_ZAlloc(newData->len); 
+    if (newData->data == NULL) {
+	PORT_Free(newData);
+	return NULL;
+    }
+    PORT_Memset(newData->data,newData->len-data->len,newData->len); 
+    PORT_Memcpy(newData->data,data->data,data->len);
+    return newData;
+}
+
+
+SECStatus
+PK11_DestroyObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object) {
+    CK_RV crv;
+
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_DestroyObject(slot->session,object);
+    PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus
+PK11_DestroyTokenObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object) {
+    CK_RV crv;
+    SECStatus rv = SECSuccess;
+    CK_SESSION_HANDLE rwsession;
+
+    
+    rwsession = PK11_GetRWSession(slot);
+
+    crv = PK11_GETTAB(slot)->C_DestroyObject(rwsession,object);
+    if (crv != CKR_OK) {
+	rv = SECFailure;
+	PORT_SetError(PK11_MapError(crv));
+    }
+    PK11_RestoreROSession(slot,rwsession);
+    return rv;
+}
+
+/*
+ * Read in a single attribute into a SECItem. Allocate space for it with 
+ * PORT_Alloc unless an arena is supplied. In the latter case use the arena
+ * to allocate the space.
+ */
+SECStatus
+PK11_ReadAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+	 CK_ATTRIBUTE_TYPE type, PRArenaPool *arena, SECItem *result) {
+    CK_ATTRIBUTE attr = { 0, NULL, 0 };
+    CK_RV crv;
+
+    attr.type = type;
+
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,id,&attr,1);
+    if (crv != CKR_OK) {
+	PK11_ExitSlotMonitor(slot);
+	PORT_SetError(PK11_MapError(crv));
+	return SECFailure;
+    }
+    if (arena) {
+    	attr.pValue = PORT_ArenaAlloc(arena,attr.ulValueLen);
+    } else {
+    	attr.pValue = PORT_Alloc(attr.ulValueLen);
+    }
+    if (attr.pValue == NULL) return SECFailure;
+    crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,id,&attr,1);
+    PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	if (!arena) PORT_Free(attr.pValue);
+	return SECFailure;
+    }
+
+    result->data = (unsigned char*)attr.pValue;
+    result->len = attr.ulValueLen;
+
+    return SECSuccess;
+}
+
+/*
+ * Read in a single attribute into As a Ulong. 
+ */
+CK_ULONG
+PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+	 CK_ATTRIBUTE_TYPE type) {
+    CK_ATTRIBUTE attr;
+    CK_ULONG value = CK_UNAVAILABLE_INFORMATION;
+    CK_RV crv;
+
+    PK11_SETATTRS(&attr,type,&value,sizeof(value));
+
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,id,&attr,1);
+    PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+    }
+    return value;
+}
+
+/*
+ * check to see if a bool has been set.
+ */
+CK_BBOOL
+PK11_HasAttributeSet( PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+				                      CK_ATTRIBUTE_TYPE type )
+{
+    CK_BBOOL ckvalue = CK_FALSE;
+    CK_ATTRIBUTE theTemplate;
+    CK_RV crv;
+
+    /* Prepare to retrieve the attribute. */
+    PK11_SETATTRS( &theTemplate, type, &ckvalue, sizeof( CK_BBOOL ) );
+
+    /* Retrieve attribute value. */
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB( slot )->C_GetAttributeValue( slot->session, id,
+                                                    &theTemplate, 1 );
+    PK11_ExitSlotMonitor(slot);
+    if( crv != CKR_OK ) {
+        PORT_SetError( PK11_MapError( crv ) );
+        return CK_FALSE;
+    }
+
+    return ckvalue;
+}
+
+/*
+ * returns a full list of attributes. Allocate space for them. If an arena is
+ * provided, allocate space out of the arena.
+ */
+CK_RV
+PK11_GetAttributes(PRArenaPool *arena,PK11SlotInfo *slot,
+			CK_OBJECT_HANDLE obj,CK_ATTRIBUTE *attr, int count)
+{
+    int i;
+    /* make pedantic happy... note that it's only used arena != NULL */ 
+    void *mark = NULL; 
+    CK_RV crv;
+
+    /*
+     * first get all the lengths of the parameters.
+     */
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,obj,attr,count);
+    if (crv != CKR_OK) {
+	PK11_ExitSlotMonitor(slot);
+	return crv;
+    }
+
+    if (arena) {
+    	mark = PORT_ArenaMark(arena);
+	if (mark == NULL) return CKR_HOST_MEMORY;
+    }
+
+    /*
+     * now allocate space to store the results.
+     */
+    for (i=0; i < count; i++) {
+	if (arena) {
+	    attr[i].pValue = PORT_ArenaAlloc(arena,attr[i].ulValueLen);
+	    if (attr[i].pValue == NULL) {
+		/* arena failures, just release the mark */
+		PORT_ArenaRelease(arena,mark);
+		PK11_ExitSlotMonitor(slot);
+		return CKR_HOST_MEMORY;
+	    }
+	} else {
+	    attr[i].pValue = PORT_Alloc(attr[i].ulValueLen);
+	    if (attr[i].pValue == NULL) {
+		/* Separate malloc failures, loop to release what we have 
+		 * so far */
+		int j;
+		for (j= 0; j < i; j++) { 
+		    PORT_Free(attr[j].pValue);
+		    /* don't give the caller pointers to freed memory */
+		    attr[j].pValue = NULL; 
+		}
+		PK11_ExitSlotMonitor(slot);
+		return CKR_HOST_MEMORY;
+	    }
+	}
+    }
+
+    /*
+     * finally get the results.
+     */
+    crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,obj,attr,count);
+    PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	if (arena) {
+	    PORT_ArenaRelease(arena,mark);
+	} else {
+	    for (i= 0; i < count; i++) {
+		PORT_Free(attr[i].pValue);
+		/* don't give the caller pointers to freed memory */
+		attr[i].pValue = NULL;
+	    }
+	}
+    } else if (arena && mark) {
+	PORT_ArenaUnmark(arena,mark);
+    }
+    return crv;
+}
+
+/*
+ * Reset the token to it's initial state. For the internal module, this will
+ * Purge your keydb, and reset your cert db certs to USER_INIT.
+ */
+SECStatus 
+PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd)
+{
+    unsigned char tokenName[32];
+    int tokenNameLen;
+    CK_RV crv;
+
+    /* reconstruct the token name */
+    tokenNameLen = PORT_Strlen(slot->token_name);
+    if (tokenNameLen > sizeof(tokenName)) {
+	tokenNameLen = sizeof(tokenName);
+    }
+
+    PORT_Memcpy(tokenName,slot->token_name,tokenNameLen);
+    if (tokenNameLen < sizeof(tokenName)) {
+	PORT_Memset(&tokenName[tokenNameLen],' ',
+					 sizeof(tokenName)-tokenNameLen);
+    }
+
+    /* initialize the token */    
+    PK11_EnterSlotMonitor(slot);
+
+    /* first shutdown the token. Existing sessions will get closed here */
+    PK11_GETTAB(slot)->C_CloseAllSessions(slot->slotID);
+    slot->session = CK_INVALID_SESSION;
+
+    /* now re-init the token */ 
+    crv = PK11_GETTAB(slot)->C_InitToken(slot->slotID,
+	(unsigned char *)sso_pwd, sso_pwd ? PORT_Strlen(sso_pwd): 0, tokenName);
+
+    /* finally bring the token back up */
+    PK11_InitToken(slot,PR_TRUE);
+    PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+static PRBool
+pk11_isAllZero(unsigned char *data,int len) {
+    while (len--) {
+	if (*data++) {
+	    return PR_FALSE;
+	}
+    }
+    return PR_TRUE;
+}
+
+CK_RV
+PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism, 
+				      CK_MECHANISM_PTR pCryptoMechanism,
+				      SECItem *pbe_pwd, PRBool faulty3DES)
+{
+    int iv_len = 0;
+    CK_PBE_PARAMS_PTR pPBEparams;
+    CK_RC2_CBC_PARAMS_PTR rc2_params;
+    CK_ULONG rc2_key_len;
+
+    if((pPBEMechanism == CK_NULL_PTR) || (pCryptoMechanism == CK_NULL_PTR)) {
+	return CKR_HOST_MEMORY;
+    }
+
+    pPBEparams = (CK_PBE_PARAMS_PTR)pPBEMechanism->pParameter;
+    iv_len = PK11_GetIVLength(pPBEMechanism->mechanism);
+
+    if (iv_len) {
+	if (pk11_isAllZero(pPBEparams->pInitVector,iv_len)) {
+	    SECItem param;
+	    PK11SymKey *symKey;
+
+	    param.data = pPBEMechanism->pParameter;
+	    param.len = pPBEMechanism->ulParameterLen;
+
+	    symKey = PK11_RawPBEKeyGen(PK11_GetInternalSlot(),
+		pPBEMechanism->mechanism, &param, pbe_pwd, faulty3DES, NULL);
+	    if (symKey== NULL) {
+		return CKR_DEVICE_ERROR; /* sigh */
+	    }
+	    PK11_FreeSymKey(symKey);
+	}
+    }
+
+    switch(pPBEMechanism->mechanism) {
+	case CKM_PBE_MD2_DES_CBC:
+	case CKM_PBE_MD5_DES_CBC:
+	case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
+	    pCryptoMechanism->mechanism = CKM_DES_CBC;
+	    goto have_crypto_mechanism;
+	case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
+	case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
+	case CKM_PBE_SHA1_DES3_EDE_CBC:
+	case CKM_PBE_SHA1_DES2_EDE_CBC:
+	    pCryptoMechanism->mechanism = CKM_DES3_CBC;
+have_crypto_mechanism:
+	    pCryptoMechanism->pParameter = PORT_Alloc(iv_len);
+	    pCryptoMechanism->ulParameterLen = (CK_ULONG)iv_len;
+	    if(pCryptoMechanism->pParameter == NULL) {
+		return CKR_HOST_MEMORY;
+	    }
+	    PORT_Memcpy((unsigned char *)(pCryptoMechanism->pParameter),
+			(unsigned char *)(pPBEparams->pInitVector),
+			iv_len);
+	    break;
+	case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
+	case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
+	case CKM_PBE_SHA1_RC4_40:
+	case CKM_PBE_SHA1_RC4_128:
+	    pCryptoMechanism->mechanism = CKM_RC4;
+	    pCryptoMechanism->ulParameterLen = 0;
+	    pCryptoMechanism->pParameter = CK_NULL_PTR;
+	    break;
+	case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
+	case CKM_PBE_SHA1_RC2_40_CBC:
+	    rc2_key_len = 40;
+	    goto have_key_len;
+	case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
+	    rc2_key_len = 128;
+have_key_len:
+	    pCryptoMechanism->mechanism = CKM_RC2_CBC;
+	    pCryptoMechanism->ulParameterLen = (CK_ULONG)
+						sizeof(CK_RC2_CBC_PARAMS);
+	    pCryptoMechanism->pParameter = (CK_RC2_CBC_PARAMS_PTR)
+				PORT_ZAlloc(sizeof(CK_RC2_CBC_PARAMS));
+	    if(pCryptoMechanism->pParameter == NULL) {
+		return CKR_HOST_MEMORY;
+	    }
+	    rc2_params = (CK_RC2_CBC_PARAMS_PTR)pCryptoMechanism->pParameter;
+	    PORT_Memcpy((unsigned char *)rc2_params->iv,
+	    		(unsigned char *)pPBEparams->pInitVector,
+	    		iv_len);
+	    rc2_params->ulEffectiveBits = rc2_key_len;
+	    break;
+	default:
+	    return CKR_MECHANISM_INVALID;
+    }
+
+    return CKR_OK;
+}
+
+PRBool
+PK11_IsPermObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle)
+{
+    return (PRBool) PK11_HasAttributeSet(slot, handle, CKA_TOKEN);
+}
+
+char *
+PK11_GetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id) 
+{
+    char *nickname = NULL;
+    SECItem result;
+    SECStatus rv;
+
+    rv = PK11_ReadAttribute(slot,id,CKA_LABEL,NULL,&result);
+    if (rv != SECSuccess) {
+	return NULL;
+    }
+
+    nickname = PORT_ZAlloc(result.len);
+    if (nickname == NULL) {
+	PORT_Free(result.data);
+	return NULL;
+    }
+    PORT_Memcpy(nickname, result.data, result.len);
+    PORT_Free(result.data);
+    return nickname;
+}
+
+SECStatus
+PK11_SetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, 
+						const char *nickname) 
+{
+    int len = PORT_Strlen(nickname);
+    CK_ATTRIBUTE setTemplate;
+    CK_RV crv;
+    CK_SESSION_HANDLE rwsession;
+
+    if (len < 0) {
+	return SECFailure;
+    }
+
+    PK11_SETATTRS(&setTemplate, CKA_LABEL, (CK_CHAR *) nickname, len);
+    rwsession = PK11_GetRWSession(slot);
+    crv = PK11_GETTAB(slot)->C_SetAttributeValue(rwsession, id,
+			&setTemplate, 1);
+    PK11_RestoreROSession(slot, rwsession);
+    if (crv != CKR_OK) {
+	PORT_SetError(PK11_MapError(crv));
+	return SECFailure;
+    }
+    return SECSuccess;
+}
diff --git a/security/nss/lib/pk11wrap/pk11util.c b/security/nss/lib/pk11wrap/pk11util.c
new file mode 100644
index 000000000..92e14816c
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11util.c
@@ -0,0 +1,669 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * Initialize the PCKS 11 subsystem
+ */
+#include "seccomon.h"
+#include "secmod.h"
+#include "nssilock.h"
+#include "secmodi.h"
+#include "pk11func.h"
+#include "pki3hack.h"
+
+/* these are for displaying error messages */
+
+static  SECMODModuleList *modules = NULL;
+static  SECMODModuleList *modulesDB = NULL;
+static  SECMODModuleList *modulesUnload = NULL;
+static  SECMODModule *internalModule = NULL;
+static  SECMODModule *defaultDBModule = NULL;
+static SECMODListLock *moduleLock = NULL;
+
+extern PK11DefaultArrayEntry PK11_DefaultArray[];
+extern int num_pk11_default_mechanisms;
+
+
+void SECMOD_Init() {
+    /* don't initialize twice */
+    if (moduleLock) return;
+
+    moduleLock = SECMOD_NewListLock();
+    PK11_InitSlotLists();
+}
+
+
+void SECMOD_Shutdown() {
+    /* destroy the lock */
+    if (moduleLock) {
+	SECMOD_DestroyListLock(moduleLock);
+	moduleLock = NULL;
+    }
+    /* free the internal module */
+    if (internalModule) {
+	SECMOD_DestroyModule(internalModule);
+	internalModule = NULL;
+    }
+    /* destroy the list */
+    if (modules) {
+	SECMOD_DestroyModuleList(modules);
+	modules = NULL;
+    }
+   
+    if (modulesDB) {
+	SECMOD_DestroyModuleList(modulesDB);
+	modulesDB = NULL;
+    }
+
+    if (modulesUnload) {
+	SECMOD_DestroyModuleList(modulesUnload);
+	modulesUnload = NULL;
+    }
+
+    /* make all the slots and the lists go away */
+    PK11_DestroySlotLists();
+}
+
+
+/*
+ * retrieve the internal module
+ */
+SECMODModule *
+SECMOD_GetInternalModule(void) {
+   return internalModule;
+}
+
+
+SECStatus
+secmod_AddModuleToList(SECMODModuleList **moduleList,SECMODModule *newModule) {
+    SECMODModuleList *mlp, *newListElement, *last = NULL;
+
+    newListElement = SECMOD_NewModuleListElement();
+    if (newListElement == NULL) {
+	return SECFailure;
+    }
+
+    newListElement->module = SECMOD_ReferenceModule(newModule);
+
+    SECMOD_GetWriteLock(moduleLock);
+    /* Added it to the end (This is very inefficient, but Adding a module
+     * on the fly should happen maybe 2-3 times through the life this program
+     * on a given computer, and this list should be *SHORT*. */
+    for(mlp = *moduleList; mlp != NULL; mlp = mlp->next) {
+	last = mlp;
+    }
+
+    if (last == NULL) {
+	*moduleList = newListElement;
+    } else {
+	SECMOD_AddList(last,newListElement,NULL);
+    }
+    SECMOD_ReleaseWriteLock(moduleLock);
+    return SECSuccess;
+}
+
+SECStatus
+SECMOD_AddModuleToList(SECMODModule *newModule) {
+    if (newModule->internal && !internalModule) {
+	internalModule = SECMOD_ReferenceModule(newModule);
+    }
+    return secmod_AddModuleToList(&modules,newModule);
+}
+
+SECStatus
+SECMOD_AddModuleToDBOnlyList(SECMODModule *newModule) {
+    if (defaultDBModule == NULL) {
+	defaultDBModule = SECMOD_ReferenceModule(newModule);
+    }
+    return secmod_AddModuleToList(&modulesDB,newModule);
+}
+
+SECStatus
+SECMOD_AddModuleToUnloadList(SECMODModule *newModule) {
+    return secmod_AddModuleToList(&modulesUnload,newModule);
+}
+
+/*
+ * get the list of PKCS11 modules that are available.
+ */
+SECMODModuleList *SECMOD_GetDefaultModuleList() { return modules; }
+SECMODListLock *SECMOD_GetDefaultModuleListLock() { return moduleLock; }
+
+
+
+/*
+ * find a module by name, and add a reference to it.
+ * return that module.
+ */
+SECMODModule *SECMOD_FindModule(char *name) {
+    SECMODModuleList *mlp;
+    SECMODModule *module = NULL;
+
+    SECMOD_GetReadLock(moduleLock);
+    for(mlp = modules; mlp != NULL; mlp = mlp->next) {
+	if (PORT_Strcmp(name,mlp->module->commonName) == 0) {
+	    module = mlp->module;
+	    SECMOD_ReferenceModule(module);
+	    break;
+	}
+    }
+    SECMOD_ReleaseReadLock(moduleLock);
+
+    return module;
+}
+
+/*
+ * find a module by ID, and add a reference to it.
+ * return that module.
+ */
+SECMODModule *SECMOD_FindModuleByID(SECMODModuleID id) {
+    SECMODModuleList *mlp;
+    SECMODModule *module = NULL;
+
+    SECMOD_GetReadLock(moduleLock);
+    for(mlp = modules; mlp != NULL; mlp = mlp->next) {
+	if (id == mlp->module->moduleID) {
+	    module = mlp->module;
+	    SECMOD_ReferenceModule(module);
+	    break;
+	}
+    }
+    SECMOD_ReleaseReadLock(moduleLock);
+
+    return module;
+}
+
+/*
+ * lookup the Slot module based on it's module ID and slot ID.
+ */
+PK11SlotInfo *SECMOD_LookupSlot(SECMODModuleID moduleID,CK_SLOT_ID slotID) {
+    int i;
+    SECMODModule *module;
+
+    module = SECMOD_FindModuleByID(moduleID);
+    if (module == NULL) return NULL;
+
+    for (i=0; i < module->slotCount; i++) {
+	PK11SlotInfo *slot = module->slots[i];
+
+	if (slot->slotID == slotID) {
+	    SECMOD_DestroyModule(module);
+	    return PK11_ReferenceSlot(slot);
+	}
+    }
+    SECMOD_DestroyModule(module);
+    return NULL;
+}
+
+/*
+ * find a module by name or module pointer, and delete it off the module list
+ * optionally remove it from secmod.db
+ */
+
+SECStatus
+SECMOD_DeleteModuleEx(char * name, SECMODModule *mod, int *type, PRBool permdb) {
+    SECMODModuleList *mlp;
+    SECMODModuleList **mlpp;
+    SECStatus rv = SECFailure;
+
+
+    *type = SECMOD_EXTERNAL;
+
+    SECMOD_GetWriteLock(moduleLock);
+    for(mlpp = &modules,mlp = modules; 
+				mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) {
+        if ( ( name && (PORT_Strcmp(name,mlp->module->commonName) == 0) ) ||
+             mod == mlp->module ) {
+	    /* don't delete the internal module */
+	    if (!mlp->module->internal) {
+		SECMOD_RemoveList(mlpp,mlp);
+		/* delete it after we release the lock */
+		rv = STAN_RemoveModuleFromDefaultTrustDomain(mlp->module);
+	    } else if (mlp->module->isFIPS) {
+		*type = SECMOD_FIPS;
+	    } else {
+		*type = SECMOD_INTERNAL;
+	    }
+	    break;
+	}
+    }
+    SECMOD_ReleaseWriteLock(moduleLock);
+
+    if (rv == SECSuccess) {
+        if (permdb) {
+ 	    SECMOD_DeletePermDB(mlp->module);
+        }
+	SECMOD_DestroyModuleListElement(mlp);
+    }
+    return rv;
+}
+
+/*
+ * find a module by name and delete it of the module list
+ */
+SECStatus
+SECMOD_DeleteModule(char *name, int *type) {
+    return SECMOD_DeleteModuleEx(name, NULL, type, PR_TRUE);
+}
+
+/*
+ * find a module by name and delete it of the module list
+ */
+SECStatus
+SECMOD_DeleteInternalModule(char *name) {
+    SECMODModuleList *mlp;
+    SECMODModuleList **mlpp;
+    SECStatus rv = SECFailure;
+
+    SECMOD_GetWriteLock(moduleLock);
+    for(mlpp = &modules,mlp = modules; 
+				mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) {
+	if (PORT_Strcmp(name,mlp->module->commonName) == 0) {
+	    /* don't delete the internal module */
+	    if (mlp->module->internal) {
+		SECMOD_RemoveList(mlpp,mlp);
+		rv = STAN_RemoveModuleFromDefaultTrustDomain(mlp->module);
+	    } 
+	    break;
+	}
+    }
+    SECMOD_ReleaseWriteLock(moduleLock);
+
+    if (rv == SECSuccess) {
+	SECMODModule *newModule,*oldModule;
+
+	if (mlp->module->isFIPS) {
+    	    newModule = SECMOD_CreateModule(NULL, SECMOD_INT_NAME,
+				NULL, SECMOD_INT_FLAGS);
+	} else {
+    	    newModule = SECMOD_CreateModule(NULL, SECMOD_FIPS_NAME,
+				NULL, SECMOD_FIPS_FLAGS);
+	}
+	if (newModule == NULL) {
+	    SECMODModuleList *last = NULL,*mlp2;
+	   /* we're in pretty deep trouble if this happens...Security
+	    * not going to work well... try to put the old module back on
+	    * the list */
+	   SECMOD_GetWriteLock(moduleLock);
+	   for(mlp2 = modules; mlp2 != NULL; mlp2 = mlp->next) {
+		last = mlp2;
+	   }
+
+	   if (last == NULL) {
+		modules = mlp;
+	   } else {
+		SECMOD_AddList(last,mlp,NULL);
+	   }
+	   SECMOD_ReleaseWriteLock(moduleLock);
+	   return SECFailure; 
+	}
+	newModule->libraryParams = 
+	     PORT_ArenaStrdup(newModule->arena,mlp->module->libraryParams);
+	oldModule = internalModule;
+	internalModule = NULL;
+	SECMOD_DestroyModule(oldModule);
+ 	SECMOD_DeletePermDB(mlp->module);
+	SECMOD_DestroyModuleListElement(mlp);
+	internalModule = SECMOD_ReferenceModule(newModule);
+	SECMOD_AddModule(internalModule);
+    }
+    return rv;
+}
+
+SECStatus
+SECMOD_AddModuleEx(SECMODModule *newModule, PRBool permdb) {
+    SECStatus rv;
+    SECMODModule *oldModule;
+
+    /* Test if a module w/ the same name already exists */
+    /* and return SECWouldBlock if so. */
+    /* We should probably add a new return value such as */
+    /* SECDublicateModule, but to minimize ripples, I'll */
+    /* give SECWouldBlock a new meaning */
+    if ((oldModule = SECMOD_FindModule(newModule->commonName)) != NULL) {
+	SECMOD_DestroyModule(oldModule);
+        return SECWouldBlock;
+        /* module already exists. */
+    }
+
+    rv = SECMOD_LoadPKCS11Module(newModule);
+    if (rv != SECSuccess) {
+	return rv;
+    }
+
+    if (newModule->parent == NULL) {
+	newModule->parent = SECMOD_ReferenceModule(defaultDBModule);
+    }
+
+    if (permdb) {
+        SECMOD_AddPermDB(newModule);
+    }
+    SECMOD_AddModuleToList(newModule);
+
+    rv = STAN_AddModuleToDefaultTrustDomain(newModule);
+
+    return rv;
+}
+
+SECStatus
+SECMOD_AddModule(SECMODModule *newModule) {
+    return SECMOD_AddModuleEx(newModule, PR_TRUE);
+}
+
+PK11SlotInfo *SECMOD_FindSlot(SECMODModule *module,char *name) {
+    int i;
+    char *string;
+
+    for (i=0; i < module->slotCount; i++) {
+	PK11SlotInfo *slot = module->slots[i];
+
+	if (PK11_IsPresent(slot)) {
+	    string = PK11_GetTokenName(slot);
+	} else {
+	    string = PK11_GetSlotName(slot);
+	}
+	if (PORT_Strcmp(name,string) == 0) {
+	    return PK11_ReferenceSlot(slot);
+	}
+    }
+    return NULL;
+}
+
+SECStatus
+PK11_GetModInfo(SECMODModule *mod,CK_INFO *info) {
+    CK_RV crv;
+
+    if (mod->functionList == NULL) return SECFailure;
+    crv = PK11_GETTAB(mod)->C_GetInfo(info);
+    return (crv == CKR_OK) ? SECSuccess : SECFailure;
+}
+
+/* Determine if we have the FIP's module loaded as the default
+ * module to trigger other bogus FIPS requirements in PKCS #12 and
+ * SSL
+ */
+PRBool
+PK11_IsFIPS(void)
+{
+    SECMODModule *mod = SECMOD_GetInternalModule();
+
+    if (mod && mod->internal) {
+	return mod->isFIPS;
+    }
+
+    return PR_FALSE;
+}
+
+/* combines NewModule() & AddModule */
+/* give a string for the module name & the full-path for the dll, */
+/* installs the PKCS11 module & update registry */
+SECStatus SECMOD_AddNewModuleEx(char* moduleName, char* dllPath,
+                              unsigned long defaultMechanismFlags,
+                              unsigned long cipherEnableFlags,
+                              char* modparms,
+                              char* nssparms) {
+    SECMODModule *module;
+    SECStatus result = SECFailure;
+    int s,i;
+    PK11SlotInfo* slot;
+
+    PR_SetErrorText(0, NULL);
+
+    module = SECMOD_CreateModule(dllPath,moduleName, modparms, nssparms);
+
+    if (module->dllName != NULL) {
+        if (module->dllName[0] != 0) {
+            result = SECMOD_AddModule(module);
+            if (result == SECSuccess) {
+                /* turn on SSL cipher enable flags */
+                module->ssl[0] = cipherEnableFlags;
+
+                /* check each slot to turn on appropriate mechanisms */
+                for (s = 0; s < module->slotCount; s++) {
+                    slot = (module->slots)[s];
+                    /* for each possible mechanism */
+                    for (i=0; i < num_pk11_default_mechanisms; i++) {
+                        /* we are told to turn it on by default ? */
+                        if (PK11_DefaultArray[i].flag & defaultMechanismFlags) {                            
+                            /* it ignores if slot attribute update failes */
+                            result = PK11_UpdateSlotAttribute(slot, &(PK11_DefaultArray[i]), PR_TRUE);
+                        } else { /* turn this mechanism of the slot off by default */
+                            result = PK11_UpdateSlotAttribute(slot, &(PK11_DefaultArray[i]), PR_FALSE);
+                        }
+                    } /* for each mechanism */
+                    /* disable each slot if the defaultFlags say so */
+                    if (defaultMechanismFlags & PK11_DISABLE_FLAG) {
+                        PK11_UserDisableSlot(slot);
+                    }
+                } /* for each slot of this module */
+
+                /* delete and re-add module in order to save changes to the module */
+		result = SECMOD_UpdateModule(module);
+            }
+        }
+    }
+    SECMOD_DestroyModule(module);
+    return result;
+}
+
+SECStatus SECMOD_AddNewModule(char* moduleName, char* dllPath,
+                              unsigned long defaultMechanismFlags,
+                              unsigned long cipherEnableFlags)
+{
+    return SECMOD_AddNewModuleEx(moduleName, dllPath, defaultMechanismFlags,
+                  cipherEnableFlags, 
+                  NULL, NULL); /* don't pass module or nss params */
+}
+
+SECStatus SECMOD_UpdateModule(SECMODModule *module)
+{
+    SECStatus result;
+
+    result = SECMOD_DeletePermDB(module);
+                
+    if (result == SECSuccess) {          
+    }
+	result = SECMOD_AddPermDB(module);
+    return result;
+}
+
+/* Public & Internal(Security Library)  representation of
+ * encryption mechanism flags conversion */
+
+/* Currently, the only difference is that internal representation 
+ * puts RANDOM_FLAG at bit 31 (Most-significant bit), but
+ * public representation puts this bit at bit 28
+ */
+unsigned long SECMOD_PubMechFlagstoInternal(unsigned long publicFlags) {
+    unsigned long internalFlags = publicFlags;
+
+    if (publicFlags & PUBLIC_MECH_RANDOM_FLAG) {
+        internalFlags &= ~PUBLIC_MECH_RANDOM_FLAG;
+        internalFlags |= SECMOD_RANDOM_FLAG;
+    }
+    return internalFlags;
+}
+
+unsigned long SECMOD_InternaltoPubMechFlags(unsigned long internalFlags) {
+    unsigned long publicFlags = internalFlags;
+
+    if (internalFlags & SECMOD_RANDOM_FLAG) {
+        publicFlags &= ~SECMOD_RANDOM_FLAG;
+        publicFlags |= PUBLIC_MECH_RANDOM_FLAG;
+    }
+    return publicFlags;
+}
+
+
+/* Public & Internal(Security Library)  representation of */
+/* cipher flags conversion */
+/* Note: currently they are just stubs */
+unsigned long SECMOD_PubCipherFlagstoInternal(unsigned long publicFlags) {
+    return publicFlags;
+}
+
+unsigned long SECMOD_InternaltoPubCipherFlags(unsigned long internalFlags) {
+    return internalFlags;
+}
+
+/* Funtion reports true if module of modType is installed/configured */
+PRBool 
+SECMOD_IsModulePresent( unsigned long int pubCipherEnableFlags )
+{
+    PRBool result = PR_FALSE;
+    SECMODModuleList *mods = SECMOD_GetDefaultModuleList();
+    SECMOD_GetReadLock(moduleLock);
+
+
+    for ( ; mods != NULL; mods = mods->next) {
+        if (mods->module->ssl[0] & SECMOD_PubCipherFlagstoInternal(pubCipherEnableFlags)) {
+            result = PR_TRUE;
+        }
+    }
+
+    SECMOD_ReleaseReadLock(moduleLock);
+    return result;
+}
+
+/* create a new ModuleListElement */
+SECMODModuleList *SECMOD_NewModuleListElement(void) {
+    SECMODModuleList *newModList;
+
+    newModList= (SECMODModuleList *) PORT_Alloc(sizeof(SECMODModuleList));
+    if (newModList) {
+	newModList->next = NULL;
+	newModList->module = NULL;
+    }
+    return newModList;
+}
+/*
+ * make a new reference to a module so It doesn't go away on us
+ */
+SECMODModule *
+SECMOD_ReferenceModule(SECMODModule *module) {
+    PK11_USE_THREADS(PZ_Lock((PZLock *)module->refLock);)
+    PORT_Assert(module->refCount > 0);
+
+    module->refCount++;
+    PK11_USE_THREADS(PZ_Unlock((PZLock*)module->refLock);)
+    return module;
+}
+
+
+/* destroy an existing module */
+void
+SECMOD_DestroyModule(SECMODModule *module) {
+    PRBool willfree = PR_FALSE;
+    int slotCount;
+    int i;
+
+    PK11_USE_THREADS(PZ_Lock((PZLock *)module->refLock);)
+    if (module->refCount-- == 1) {
+	willfree = PR_TRUE;
+    }
+    PORT_Assert(willfree || (module->refCount > 0));
+    PK11_USE_THREADS(PZ_Unlock((PZLock *)module->refLock);)
+
+    if (!willfree) {
+	return;
+    }
+
+    /* slots can't really disappear until our module starts freeing them,
+     * so this check is safe */
+    slotCount = module->slotCount;
+    if (slotCount == 0) {
+	SECMOD_SlotDestroyModule(module,PR_FALSE);
+	return;
+    }
+
+    /* now free all out slots, when they are done, they will cause the
+     * module to disappear altogether */
+    for (i=0 ; i < slotCount; i++) {
+	if (!module->slots[i]->disabled) {
+		PK11_ClearSlotList(module->slots[i]);
+	}
+	PK11_FreeSlot(module->slots[i]);
+    }
+    /* WARNING: once the last slot has been freed is it possible (even likely)
+     * that module is no more... touching it now is a good way to go south */
+}
+
+
+/* we can only get here if we've destroyed the module, or some one has
+ * erroneously freed a slot that wasn't referenced. */
+void
+SECMOD_SlotDestroyModule(SECMODModule *module, PRBool fromSlot) {
+    PRBool willfree = PR_FALSE;
+    if (fromSlot) {
+        PORT_Assert(module->refCount == 0);
+	PK11_USE_THREADS(PZ_Lock((PZLock *)module->refLock);)
+	if (module->slotCount-- == 1) {
+	    willfree = PR_TRUE;
+	}
+	PORT_Assert(willfree || (module->slotCount > 0));
+	PK11_USE_THREADS(PZ_Unlock((PZLock *)module->refLock);)
+        if (!willfree) return;
+    }
+    if (module->loaded) {
+	SECMOD_UnloadModule(module);
+    }
+    PK11_USE_THREADS(PZ_DestroyLock((PZLock *)module->refLock);)
+    PORT_FreeArena(module->arena,PR_FALSE);
+}
+
+/* destroy a list element
+ * this destroys a single element, and returns the next element
+ * on the chain. It makes it easy to implement for loops to delete
+ * the chain. It also make deleting a single element easy */
+SECMODModuleList *
+SECMOD_DestroyModuleListElement(SECMODModuleList *element) {
+    SECMODModuleList *next = element->next;
+
+    if (element->module) {
+	SECMOD_DestroyModule(element->module);
+	element->module = NULL;
+    }
+    PORT_Free(element);
+    return next;
+}
+
+
+/*
+ * Destroy an entire module list
+ */
+void
+SECMOD_DestroyModuleList(SECMODModuleList *list) {
+    SECMODModuleList *lp;
+
+    for ( lp = list; lp != NULL; lp = SECMOD_DestroyModuleListElement(lp)) ;
+}
+
diff --git a/security/nss/lib/pk11wrap/secmod.h b/security/nss/lib/pk11wrap/secmod.h
new file mode 100644
index 000000000..303e3fe58
--- /dev/null
+++ b/security/nss/lib/pk11wrap/secmod.h
@@ -0,0 +1,151 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * Definition of Security Module Data Structure. There is a separate data
+ * structure for each loaded PKCS #11 module.
+ */
+#ifndef _SECMOD_H_
+#define _SEDMOD_H_
+#include "seccomon.h"
+#include "secmodt.h"
+
+#define PKCS11_USE_THREADS
+
+/* These mechanisms flags are visible to all other libraries. */
+/* They must be converted to internal SECMOD_*_FLAG */
+/* if used inside the functions of the security library */
+#define PUBLIC_MECH_RSA_FLAG         0x00000001ul
+#define PUBLIC_MECH_DSA_FLAG         0x00000002ul
+#define PUBLIC_MECH_RC2_FLAG         0x00000004ul
+#define PUBLIC_MECH_RC4_FLAG         0x00000008ul
+#define PUBLIC_MECH_DES_FLAG         0x00000010ul
+#define PUBLIC_MECH_DH_FLAG          0x00000020ul
+#define PUBLIC_MECH_FORTEZZA_FLAG    0x00000040ul
+#define PUBLIC_MECH_RC5_FLAG         0x00000080ul
+#define PUBLIC_MECH_SHA1_FLAG        0x00000100ul
+#define PUBLIC_MECH_MD5_FLAG         0x00000200ul
+#define PUBLIC_MECH_MD2_FLAG         0x00000400ul
+#define PUBLIC_MECH_SSL_FLAG         0x00000800ul
+#define PUBLIC_MECH_TLS_FLAG         0x00001000ul
+
+#define PUBLIC_MECH_RANDOM_FLAG      0x08000000ul
+#define PUBLIC_MECH_FRIENDLY_FLAG    0x10000000ul
+#define PUBLIC_OWN_PW_DEFAULTS       0X20000000ul
+#define PUBLIC_DISABLE_FLAG          0x40000000ul
+
+/* warning: reserved means reserved */
+#define PUBLIC_MECH_RESERVED_FLAGS   0x87FFE000ul
+
+/* These cipher flags are visible to all other libraries, */
+/* But they must be converted before used in functions */
+/* withing the security module */
+#define PUBLIC_CIPHER_FORTEZZA_FLAG  0x00000001ul
+
+/* warning: reserved means reserved */
+#define PUBLIC_CIPHER_RESERVED_FLAGS 0xFFFFFFFEul
+
+SEC_BEGIN_PROTOS
+
+/*
+ * the following functions are going to be depricated in NSS 4.0 in
+ * favor of the new stan functions.
+ */
+
+/* Initialization */
+extern SECMODModule *SECMOD_LoadModule(char *moduleSpec,SECMODModule *parent,
+							PRBool recurse);
+
+extern SECMODModule *SECMOD_LoadUserModule(char *moduleSpec,SECMODModule *parent,
+							PRBool recurse);
+
+SECStatus SECMOD_UnloadUserModule(SECMODModule *mod);
+
+SECMODModule * SECMOD_CreateModule(char *lib, char *name, char *param, 
+								char *nss);
+extern void SECMOD_Shutdown(void);
+
+
+/* Module Management */
+char **SECMOD_GetModuleSpecList(SECMODModule *module);
+SECStatus SECMOD_FreeModuleSpecList(SECMODModule *module,char **moduleSpecList);
+
+ 
+/* protoypes */
+extern SECMODModuleList *SECMOD_GetDefaultModuleList(void);
+extern SECMODListLock *SECMOD_GetDefaultModuleListLock(void);
+
+extern SECStatus SECMOD_UpdateModule(SECMODModule *module);
+
+/* lock management */
+extern SECMODListLock *SECMOD_NewListLock(void);
+extern void SECMOD_DestroyListLock(SECMODListLock *);
+extern void SECMOD_GetReadLock(SECMODListLock *);
+extern void SECMOD_ReleaseReadLock(SECMODListLock *);
+extern void SECMOD_GetWriteLock(SECMODListLock *);
+extern void SECMOD_ReleaseWriteLock(SECMODListLock *);
+
+/* Operate on modules by name */
+extern SECMODModule *SECMOD_FindModule(char *name);
+extern SECStatus SECMOD_DeleteModule(char *name, int *type);
+extern SECStatus SECMOD_DeleteInternalModule(char *name);
+extern SECStatus SECMOD_AddNewModule(char* moduleName, char* dllPath,
+                              unsigned long defaultMechanismFlags,
+                              unsigned long cipherEnableFlags);
+extern SECStatus SECMOD_AddNewModuleEx(char* moduleName, char* dllPath,
+                              unsigned long defaultMechanismFlags,
+                              unsigned long cipherEnableFlags,
+                              char* modparms,
+                              char* nssparms);
+
+/* database/memory management */
+extern SECMODModule *SECMOD_GetInternalModule(void);
+extern SECMODModule *SECMOD_ReferenceModule(SECMODModule *module);
+extern void SECMOD_DestroyModule(SECMODModule *module);
+extern PK11SlotInfo *SECMOD_LookupSlot(SECMODModuleID module,
+							unsigned long slotID);
+extern PK11SlotInfo *SECMOD_FindSlot(SECMODModule *module,char *name);
+
+/* Funtion reports true if at least one of the modules */
+/* of modType has been installed */
+PRBool SECMOD_IsModulePresent( unsigned long int pubCipherEnableFlags );
+
+/* Functions used to convert between internal & public representation
+ * of Mechanism Flags and Cipher Enable Flags */
+extern unsigned long SECMOD_PubMechFlagstoInternal(unsigned long publicFlags);
+extern unsigned long SECMOD_InternaltoPubMechFlags(unsigned long internalFlags);
+
+extern unsigned long SECMOD_PubCipherFlagstoInternal(unsigned long publicFlags);
+extern unsigned long SECMOD_InternaltoPubCipherFlags(unsigned long internalFlags);
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/pk11wrap/secmodi.h b/security/nss/lib/pk11wrap/secmodi.h
new file mode 100644
index 000000000..9e78addb4
--- /dev/null
+++ b/security/nss/lib/pk11wrap/secmodi.h
@@ -0,0 +1,111 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * Internal header file included only by files in pkcs11 dir, or in
+ * pkcs11 specific client and server files.
+ */
+#ifndef _SECMODI_H_
+#define _SECMODI_H_ 1
+#include "pkcs11.h"
+#include "nssilock.h"
+#include "mcom_db.h"
+#include "secoidt.h"
+#include "secdert.h"
+#include "certt.h"
+#include "secmodt.h"
+#include "secmodti.h"
+
+#ifdef PKCS11_USE_THREADS
+#define PK11_USE_THREADS(x) x
+#else
+#define PK11_USE_THREADS(x)
+#endif
+
+SEC_BEGIN_PROTOS
+
+/* proto-types */
+extern SECStatus SECMOD_DeletePermDB(SECMODModule *module);
+extern SECStatus SECMOD_AddPermDB(SECMODModule *module);
+
+extern void SECMOD_Init(void);
+
+/* list managment */
+extern SECStatus SECMOD_AddModuleToList(SECMODModule *newModule);
+extern SECStatus SECMOD_AddModuleToDBOnlyList(SECMODModule *newModule);
+extern SECStatus SECMOD_AddModuleToUnloadList(SECMODModule *newModule);
+extern void SECMOD_RemoveList(SECMODModuleList **,SECMODModuleList *);
+extern void SECMOD_AddList(SECMODModuleList *,SECMODModuleList *,SECMODListLock *);
+
+/* Operate on modules by name */
+extern SECMODModule *SECMOD_FindModuleByID(SECMODModuleID);
+
+/* database/memory management */
+extern SECMODModuleList *SECMOD_NewModuleListElement(void);
+extern SECMODModuleList *SECMOD_DestroyModuleListElement(SECMODModuleList *);
+extern void SECMOD_DestroyModuleList(SECMODModuleList *);
+extern SECStatus SECMOD_AddModule(SECMODModule *newModule);
+SECStatus SECMOD_DeleteModuleEx(char * name, SECMODModule *mod, int *type, PRBool permdb);
+
+extern unsigned long SECMOD_PubCipherFlagstoInternal(unsigned long publicFlags);
+extern unsigned long SECMOD_InternaltoPubCipherFlags(unsigned long internalFlags);
+
+/* Library functions */
+SECStatus SECMOD_LoadPKCS11Module(SECMODModule *);
+SECStatus SECMOD_UnloadModule(SECMODModule *);
+void SECMOD_SetInternalModule(SECMODModule *);
+
+void SECMOD_SlotDestroyModule(SECMODModule *module, PRBool fromSlot);
+CK_RV pk11_notify(CK_SESSION_HANDLE session, CK_NOTIFICATION event,
+                                                         CK_VOID_PTR pdata);
+void pk11_SignedToUnsigned(CK_ATTRIBUTE *attrib);
+CK_OBJECT_HANDLE pk11_FindObjectByTemplate(PK11SlotInfo *slot,
+					CK_ATTRIBUTE *inTemplate,int tsize);
+CK_OBJECT_HANDLE *pk11_FindObjectsByTemplate(PK11SlotInfo *slot,
+			CK_ATTRIBUTE *inTemplate,int tsize, int *objCount);
+SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *slot,
+				 PK11DefaultArrayEntry *entry, PRBool add);
+
+#define PK11_GETTAB(x) ((CK_FUNCTION_LIST_PTR)((x)->functionList))
+#define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
+		(x)->pValue=(v); (x)->ulValueLen = (l);
+SECStatus PK11_CreateNewObject(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
+                               CK_ATTRIBUTE *theTemplate, int count,
+                                PRBool token, CK_OBJECT_HANDLE *objectID);
+
+SECStatus pbe_PK11AlgidToParam(SECAlgorithmID *algid,SECItem *mech);
+SECStatus PBE_PK11ParamToAlgid(SECOidTag algTag, SECItem *param, 
+				PRArenaPool *arena, SECAlgorithmID *algId);
+SEC_END_PROTOS
+
+#endif
+
diff --git a/security/nss/lib/pk11wrap/secmodt.h b/security/nss/lib/pk11wrap/secmodt.h
new file mode 100644
index 000000000..b83f57d63
--- /dev/null
+++ b/security/nss/lib/pk11wrap/secmodt.h
@@ -0,0 +1,248 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * Definition of Security Module Data Structure. There is a separate data
+ * structure for each loaded PKCS #11 module.
+ */
+#ifndef _SECMODT_H_
+#define _SECMODT_H_ 1
+
+#include "secoid.h"
+#include "secasn1.h"
+
+/* find a better home for these... */
+extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
+extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToEncryptedPrivateKeyInfoTemplate;
+extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
+extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
+extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PrivateKeyInfoTemplate;
+extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
+extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToPrivateKeyInfoTemplate;
+
+/* PKCS11 needs to be included */
+typedef struct SECMODModuleStr SECMODModule;
+typedef struct SECMODModuleListStr SECMODModuleList;
+typedef struct SECMODListLockStr SECMODListLock; /* defined in secmodi.h */
+typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */
+typedef struct PK11PreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */
+typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */
+typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */
+typedef struct PK11SlotListStr PK11SlotList;
+typedef struct PK11SlotListElementStr PK11SlotListElement;
+typedef struct PK11RSAGenParamsStr PK11RSAGenParams;
+typedef unsigned long SECMODModuleID;
+typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry;
+
+struct SECMODModuleStr {
+    PRArenaPool	*arena;
+    PRBool	internal;	/* true of internally linked modules, false
+				 * for the loaded modules */
+    PRBool	loaded;		/* Set to true if module has been loaded */
+    PRBool	isFIPS;		/* Set to true if module is finst internal */
+    char	*dllName;	/* name of the shared library which implements
+				 * this module */
+    char	*commonName;	/* name of the module to display to the user */
+    void	*library;	/* pointer to the library. opaque. used only by
+				 * pk11load.c */
+    void	*functionList; /* The PKCS #11 function table */
+    void	*refLock;	/* only used pk11db.c */
+    int		refCount;	/* Module reference count */
+    PK11SlotInfo **slots;	/* array of slot points attatched to this mod*/
+    int		slotCount;	/* count of slot in above array */
+    PK11PreSlotInfo *slotInfo;	/* special info about slots default settings */
+    int		slotInfoCount;  /* count */
+    SECMODModuleID moduleID;	/* ID so we can find this module again */
+    PRBool	isThreadSafe;
+    unsigned long ssl[2];	/* SSL cipher enable flags */
+    char	*libraryParams;  /* Module specific parameters */
+    void *moduleDBFunc; /* function to return module configuration data*/
+    SECMODModule *parent;	/* module that loaded us */
+    PRBool	isCritical;	/* This module must load successfully */
+    PRBool	isModuleDB;	/* this module has lists of PKCS #11 modules */
+    PRBool	moduleDBOnly;	/* this module only has lists of PKCS #11 modules */
+    int		trustOrder;	/* order for this module's certificate trust rollup */
+    int		cipherOrder;	/* order for cipher operations */
+};
+
+struct SECMODModuleListStr {
+    SECMODModuleList	*next;
+    SECMODModule	*module;
+};
+
+struct PK11SlotListStr {
+    PK11SlotListElement *head;
+    PK11SlotListElement *tail;
+    void *lock;
+};
+
+struct PK11SlotListElementStr {
+    PK11SlotListElement *next;
+    PK11SlotListElement *prev;
+    PK11SlotInfo *slot;
+    int refCount;
+};
+
+struct PK11RSAGenParamsStr {
+    int keySizeInBits;
+    unsigned long pe;
+};
+
+typedef enum {
+     PK11CertListUnique = 0,
+     PK11CertListUser = 1,
+     PK11CertListRootUnique = 2,
+     PK11CertListCA = 3
+} PK11CertListType;
+
+/*
+ * Entry into the Array which lists all the legal bits for the default flags
+ * in the slot, their definition, and the PKCS #11 mechanism the represent
+ * Always Statically allocated. 
+ */
+struct PK11DefaultArrayEntryStr {
+    char *name;
+    unsigned long flag;
+    unsigned long mechanism; /* this is a long so we don't include the 
+			      * whole pkcs 11 world to use this header */
+};
+
+
+#define SECMOD_RSA_FLAG 	0x00000001L
+#define SECMOD_DSA_FLAG 	0x00000002L
+#define SECMOD_RC2_FLAG 	0x00000004L
+#define SECMOD_RC4_FLAG 	0x00000008L
+#define SECMOD_DES_FLAG 	0x00000010L
+#define SECMOD_DH_FLAG	 	0x00000020L
+#define SECMOD_FORTEZZA_FLAG	0x00000040L
+#define SECMOD_RC5_FLAG		0x00000080L
+#define SECMOD_SHA1_FLAG	0x00000100L
+#define SECMOD_MD5_FLAG		0x00000200L
+#define SECMOD_MD2_FLAG		0x00000400L
+#define SECMOD_SSL_FLAG		0x00000800L
+#define SECMOD_TLS_FLAG		0x00001000L
+#define SECMOD_AES_FLAG 	0x00002000L
+/* reserved bit for future, do not use */
+#define SECMOD_RESERVED_FLAG    0X08000000L
+#define SECMOD_FRIENDLY_FLAG	0x10000000L
+#define SECMOD_RANDOM_FLAG	0x80000000L
+
+/* need to make SECMOD and PK11 prefixes consistant. */
+#define PK11_OWN_PW_DEFAULTS 0x20000000L
+#define PK11_DISABLE_FLAG    0x40000000L
+
+/* FAKE PKCS #11 defines */
+#define CKM_FAKE_RANDOM       0x80000efeL
+#define CKM_INVALID_MECHANISM 0xffffffffL
+#define CKA_DIGEST            0x81000000L
+
+/* Cryptographic module types */
+#define SECMOD_EXTERNAL	0	/* external module */
+#define SECMOD_INTERNAL 1	/* internal default module */
+#define SECMOD_FIPS	2	/* internal fips module */
+
+/* default module configuration strings */
+#define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES]"
+
+#define SECMOD_MAKE_NSS_FLAGS(fips,slot) \
+"Flags=internal,critical"fips" slotparams=("#slot"={"SECMOD_SLOT_FLAGS"})"
+
+#define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
+#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("",1)
+#define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
+#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips",3)
+
+
+/*
+ * What is the origin of a given Key. Normally this doesn't matter, but
+ * the fortezza code needs to know if it needs to invoke the SSL3 fortezza
+ * hack.
+ */
+typedef enum {
+    PK11_OriginNULL = 0,	/* There is not key, it's a null SymKey */
+    PK11_OriginDerive = 1,	/* Key was derived from some other key */
+    PK11_OriginGenerated = 2,	/* Key was generated (also PBE keys) */
+    PK11_OriginFortezzaHack = 3,/* Key was marked for fortezza hack */
+    PK11_OriginUnwrap = 4	/* Key was unwrapped or decrypted */
+} PK11Origin;
+
+/* PKCS #11 disable reasons */
+typedef enum {
+    PK11_DIS_NONE = 0,
+    PK11_DIS_USER_SELECTED = 1,
+    PK11_DIS_COULD_NOT_INIT_TOKEN = 2,
+    PK11_DIS_TOKEN_VERIFY_FAILED = 3,
+    PK11_DIS_TOKEN_NOT_PRESENT = 4
+} PK11DisableReasons;
+
+/* function pointer type for password callback function.
+ * This type is passed in to PK11_SetPasswordFunc() 
+ */
+typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg);
+typedef PRBool (PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg);
+typedef PRBool (PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg);
+
+/*
+ * PKCS #11 key structures
+ */
+
+/*
+** Attributes
+*/
+struct SECKEYAttributeStr {
+    SECItem attrType;
+    SECItem **attrValue;
+};
+typedef struct SECKEYAttributeStr SECKEYAttribute;
+
+/*
+** A PKCS#8 private key info object
+*/
+struct SECKEYPrivateKeyInfoStr {
+    PLArenaPool *arena;
+    SECItem version;
+    SECAlgorithmID algorithm;
+    SECItem privateKey;
+    SECKEYAttribute **attributes;
+};
+typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;
+
+/*
+** A PKCS#8 private key info object
+*/
+struct SECKEYEncryptedPrivateKeyInfoStr {
+    PLArenaPool *arena;
+    SECAlgorithmID algorithm;
+    SECItem encryptedData;
+};
+typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;
+
+#endif /*_SECMODT_H_ */
diff --git a/security/nss/lib/pk11wrap/secmodti.h b/security/nss/lib/pk11wrap/secmodti.h
new file mode 100644
index 000000000..9d3919903
--- /dev/null
+++ b/security/nss/lib/pk11wrap/secmodti.h
@@ -0,0 +1,188 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * Internal header file included only by files in pkcs11 dir, or in
+ * pkcs11 specific client and server files.
+ */
+
+#ifndef  _SECMODTI_H_
+#define  _SECMODTI_H_ 1
+#include "prmon.h"
+#include "prtypes.h"
+#include "nssilckt.h"
+#include "pk11init.h"
+
+#ifndef NSS_3_4_CODE
+#define NSS_3_4_CODE
+#endif /* NSS_3_4_CODE */
+#include "nssdevt.h"
+
+/* internal data structures */
+
+/* structure to allow us to implement the read/write locks for our
+ * module lists  */
+struct SECMODListLockStr {
+    PZLock	*mutex;	    /*general mutex to protect this data structure*/
+    PZMonitor	*monitor;   /* monitor to allow us to signal */
+    int		state;	    /* read/write/waiting state */
+    int		count;	    /* how many waiters on this lock */
+};
+
+/* represent a pkcs#11 slot reference counted. */
+struct PK11SlotInfoStr {
+    /* the PKCS11 function list for this slot */
+    void *functionList;
+    SECMODModule *module; /* our parent module */
+    /* Boolean to indicate the current state of this slot */
+    PRBool needTest;	/* Has this slot been tested for Export complience */
+    PRBool isPerm;	/* is this slot a permanment device */
+    PRBool isHW;	/* is this slot a hardware device */
+    PRBool isInternal;  /* is this slot one of our internal PKCS #11 devices */
+    PRBool disabled;	/* is this slot disabled... */
+    PK11DisableReasons reason; 	/* Why this slot is disabled */
+    PRBool readOnly;	/* is the token in this slot read-only */
+    PRBool needLogin;	/* does the token of the type that needs 
+			 * authentication (still true even if token is logged 
+			 * in) */
+    PRBool hasRandom;   /* can this token generated random numbers */
+    PRBool defRWSession; /* is the default session RW (we open our default 
+			  * session rw if the token can only handle one session
+			  * at a time. */
+    PRBool isThreadSafe; /* copied from the module */
+    /* The actual flags (many of which are distilled into the above PRBools) */
+    CK_FLAGS flags;      /* flags from PKCS #11 token Info */
+    /* a default session handle to do quick and dirty functions */
+    CK_SESSION_HANDLE session; 
+    PZLock *sessionLock; /* lock for this session */
+    /* our ID */
+    CK_SLOT_ID slotID;
+    /* persistant flags saved from startup to startup */
+    unsigned long defaultFlags;
+    /* keep track of who is using us so we don't accidently get freed while
+     * still in use */
+    int refCount;
+    PZLock *refLock;
+    PZLock *freeListLock;
+    PK11SymKey *freeSymKeysHead;
+    int keyCount;
+    int maxKeyCount;
+    /* Password control functions for this slot. many of these are only
+     * active if the appropriate flag is on in defaultFlags */
+    int askpw;		/* what our password options are */
+    int timeout;	/* If we're ask_timeout, what is our timeout time is 
+			 * seconds */
+    int authTransact;   /* allow multiple authentications off one password if
+		         * they are all part of the same transaction */
+    int64 authTime;     /* when were we last authenticated */
+    int minPassword;	/* smallest legal password */
+    int maxPassword;	/* largest legal password */
+    uint16 series;	/* break up the slot info into various groups of 
+			 * inserted tokens so that keys and certs can be
+			 * invalidated */
+    uint16 wrapKey;	/* current wrapping key for SSL master secrets */
+    CK_MECHANISM_TYPE wrapMechanism;
+			/* current wrapping mechanism for current wrapKey */
+    CK_OBJECT_HANDLE refKeys[1]; /* array of existing wrapping keys for */
+    CK_MECHANISM_TYPE *mechanismList; /* list of mechanism supported by this
+				       * token */
+    int mechanismCount;
+    /* cache the certificates stored on the token of this slot */
+    CERTCertificate **cert_array;
+    int array_size;
+    int cert_count;
+    char serial[16];
+    /* since these are odd sizes, keep them last. They are odd sizes to 
+     * allow them to become null terminated strings */
+    char slot_name[65];
+    char token_name[33];
+    PRBool hasRootCerts;
+    PRBool hasRootTrust;
+    PRBool hasRSAInfo;
+    CK_FLAGS RSAInfoFlags;
+    PRBool protectedAuthPath;
+    /* for Stan */
+    NSSToken *nssToken;
+};
+
+/* Symetric Key structure. Reference Counted */
+struct PK11SymKeyStr {
+    CK_MECHANISM_TYPE type;	/* type of operation this key was created for*/
+    CK_OBJECT_HANDLE  objectID; /* object id of this key in the slot */
+    PK11SlotInfo      *slot;    /* Slot this key is loaded into */
+    void	      *cx;	/* window context in case we need to loggin */
+    PK11SymKey		*next;
+    PRBool	owner;
+    SECItem	data;		/* raw key data if available */
+    CK_SESSION_HANDLE session;
+    PRBool	sessionOwner;
+    int		refCount;	/* number of references to this key */
+    PZLock	*refLock;
+    int		size;		/* key size in bytes */
+    PK11Origin	origin;		/* where this key came from 
+						(see def in secmodt.h) */
+    uint16 series;		/* break up the slot info into various groups of 
+			 * inserted tokens so that keys and certs can be
+			 * invalidated */
+};
+
+
+/*
+ * hold a hash, encryption or signing context for multi-part operations.
+ * hold enough information so that multiple contexts can be interleaved
+ * if necessary. ... Not RefCounted.
+ */
+struct PK11ContextStr {
+    CK_ATTRIBUTE_TYPE	operation; /* type of operation this context is doing
+				    * (CKA_ENCRYPT, CKA_SIGN, CKA_HASH, etc. */
+    PK11SymKey  	*key;	   /* symetric key used in this context */
+    PK11SlotInfo	*slot;	   /* slot this context is operationing on */
+    CK_SESSION_HANDLE	session;   /* session this context is using */
+    PZLock		*sessionLock; /* lock before accessing a PKCS #11 
+				       * session */
+    PRBool		ownSession;/* do we own the session? */
+    void 		*cx;	   /* window context in case we need to loggin*/
+    void		*savedData;/* save data when we are multiplexing on a
+				    * single context */
+    unsigned long	savedLength; /* length of the saved context */
+    SECItem		*param;	    /* mechanism parameters used to build this
+								context */
+    PRBool		init;	    /* has this contexted been initialized */
+    CK_MECHANISM_TYPE	type;	    /* what is the PKCS #11 this context is
+				     * representing (usually what algorithm is
+				     * being used (CKM_RSA_PKCS, CKM_DES,
+				     * CKM_SHA, etc.*/
+    PRBool		fortezzaHack; /*Fortezza SSL has some special
+				       * non-standard semantics*/
+};
+
+#endif /* _SECMODTI_H_ */
diff --git a/security/nss/lib/pk11wrap/secpkcs5.h b/security/nss/lib/pk11wrap/secpkcs5.h
new file mode 100644
index 000000000..1ace06c10
--- /dev/null
+++ b/security/nss/lib/pk11wrap/secpkcs5.h
@@ -0,0 +1,71 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ */
+#ifndef _SECPKS5_H_
+#define _SECPKCS5_H_
+#include "seccomon.h"
+#include "secmodt.h"
+
+/* used for V2 PKCS 12 Draft Spec */
+typedef enum {
+    pbeBitGenIDNull = 0,
+    pbeBitGenCipherKey = 0x01,
+    pbeBitGenCipherIV = 0x02,
+    pbeBitGenIntegrityKey = 0x03
+} PBEBitGenID;
+
+typedef struct PBEBitGenContextStr PBEBitGenContext;
+
+SEC_BEGIN_PROTOS
+
+SECAlgorithmID *
+SEC_PKCS5CreateAlgorithmID(SECOidTag algorithm, SECItem *salt, int iteration);
+
+/* Get the initialization vector.  The password is passed in, hashing
+ * is performed, and the initialization vector is returned.
+ *  algid is a pointer to a PBE algorithm ID
+ *  pwitem is the password
+ * If an error occurs or the algorithm id is not a PBE algrithm,
+ * NULL is returned.  Otherwise, the iv is returned in a secitem.
+ */
+SECItem *
+SEC_PKCS5GetIV(SECAlgorithmID *algid, SECItem *pwitem, PRBool faulty3DES);
+
+SECOidTag SEC_PKCS5GetCryptoAlgorithm(SECAlgorithmID *algid);
+PRBool SEC_PKCS5IsAlgorithmPBEAlg(SECAlgorithmID *algid);
+SECOidTag SEC_PKCS5GetPBEAlgorithm(SECOidTag algTag, int keyLen);
+int SEC_PKCS5GetKeyLength(SECAlgorithmID *algid);
+
+SEC_END_PROTOS
+
+#endif /* _SECPKS5_H_ */
diff --git a/security/nss/lib/pkcs12/Makefile b/security/nss/lib/pkcs12/Makefile
new file mode 100644
index 000000000..5742208b5
--- /dev/null
+++ b/security/nss/lib/pkcs12/Makefile
@@ -0,0 +1,77 @@
+#! gmake
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+# 
+
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+
diff --git a/security/nss/lib/pkcs12/config.mk b/security/nss/lib/pkcs12/config.mk
new file mode 100644
index 000000000..3b647d954
--- /dev/null
+++ b/security/nss/lib/pkcs12/config.mk
@@ -0,0 +1,44 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+# 
+
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/pkcs12/manifest.mn b/security/nss/lib/pkcs12/manifest.mn
new file mode 100644
index 000000000..c8b4981d3
--- /dev/null
+++ b/security/nss/lib/pkcs12/manifest.mn
@@ -0,0 +1,58 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+# 
+
+CORE_DEPTH = ../../..
+
+EXPORTS = \
+	pkcs12t.h \
+	pkcs12.h \
+	p12plcy.h \
+	p12.h \
+	p12t.h \
+	$(NULL)
+
+MODULE = security
+
+CSRCS = \
+	p12local.c \
+	p12creat.c \
+	p12dec.c \
+	p12plcy.c \
+	p12tmpl.c \
+	p12e.c \
+	p12d.c \
+	$(NULL)
+
+REQUIRES = security dbm
+
+LIBRARY_NAME = pkcs12
diff --git a/security/nss/lib/pkcs12/p12.h b/security/nss/lib/pkcs12/p12.h
new file mode 100644
index 000000000..14a8dd385
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12.h
@@ -0,0 +1,181 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+
+#ifndef _P12_H_
+#define _P12_H_
+
+#include "secoid.h"
+#include "key.h"
+#include "secpkcs7.h"
+#include "p12t.h"
+
+typedef int (PR_CALLBACK * PKCS12OpenFunction)(void *arg);
+typedef int (PR_CALLBACK * PKCS12ReadFunction)(void *arg,
+                                               unsigned char *buffer, 
+                                               unsigned int *lenRead,
+                                               unsigned int maxLen);
+typedef int (PR_CALLBACK * PKCS12WriteFunction)(void *arg,
+                                                unsigned char *buffer, 
+                                                unsigned int *bufLen,
+                                                unsigned int *lenWritten);
+typedef int (PR_CALLBACK * PKCS12CloseFunction)(void *arg);
+typedef SECStatus (PR_CALLBACK * PKCS12UnicodeConvertFunction)(
+                                 PRArenaPool *arena,
+                                 SECItem *dest, SECItem *src,
+                                 PRBool toUnicode,
+                                 PRBool swapBytes);
+typedef void (PR_CALLBACK * SEC_PKCS12EncoderOutputCallback)(
+                            void *arg, const char *buf,
+                            unsigned long len);
+typedef void (PR_CALLBACK * SEC_PKCS12DecoderOutputCallback)(
+                            void *arg, const char *buf,
+                            unsigned long len);
+typedef SECItem * (PR_CALLBACK * SEC_PKCS12NicknameCollisionCallback)(
+                                 SECItem *old_nickname,
+                                 PRBool *cancel,
+                                 void *arg);
+
+
+
+
+typedef SECStatus (PR_CALLBACK *digestOpenFn)(void *arg, PRBool readData);
+typedef SECStatus (PR_CALLBACK *digestCloseFn)(void *arg, PRBool removeFile);
+typedef int (PR_CALLBACK *digestIOFn)(void *arg, unsigned char *buf, 
+                                      unsigned long len);
+
+typedef struct SEC_PKCS12ExportContextStr SEC_PKCS12ExportContext;
+typedef struct SEC_PKCS12SafeInfoStr SEC_PKCS12SafeInfo;
+typedef struct SEC_PKCS12DecoderContextStr SEC_PKCS12DecoderContext;
+
+struct sec_PKCS12PasswordModeInfo {
+    SECItem	*password;
+    SECOidTag	algorithm;
+};
+
+struct sec_PKCS12PublicKeyModeInfo {
+    CERTCertificate	*cert;
+    CERTCertDBHandle *certDb;
+    SECOidTag	algorithm;
+    int keySize;
+};
+
+SEC_PKCS12SafeInfo *
+SEC_PKCS12CreatePubKeyEncryptedSafe(SEC_PKCS12ExportContext *p12ctxt,
+				    CERTCertDBHandle *certDb,
+				    CERTCertificate *signer,
+				    CERTCertificate **recipients,
+				    SECOidTag algorithm, int keysize);
+
+extern SEC_PKCS12SafeInfo *
+SEC_PKCS12CreatePasswordPrivSafe(SEC_PKCS12ExportContext *p12ctxt, 
+				 SECItem *pwitem, SECOidTag privAlg);
+
+extern SEC_PKCS12SafeInfo *
+SEC_PKCS12CreateUnencryptedSafe(SEC_PKCS12ExportContext *p12ctxt);
+
+extern SECStatus
+SEC_PKCS12AddPasswordIntegrity(SEC_PKCS12ExportContext *p12ctxt,
+			       SECItem *pwitem, SECOidTag integAlg);
+extern SECStatus
+SEC_PKCS12AddPublicKeyIntegrity(SEC_PKCS12ExportContext *p12ctxt,
+				CERTCertificate *cert, CERTCertDBHandle *certDb,
+				SECOidTag algorithm, int keySize);
+
+extern SEC_PKCS12ExportContext *
+SEC_PKCS12CreateExportContext(SECKEYGetPasswordKey pwfn, void *pwfnarg,  
+			      PK11SlotInfo *slot, void *wincx);
+
+extern SECStatus
+SEC_PKCS12AddCert(SEC_PKCS12ExportContext *p12ctxt, 
+		  SEC_PKCS12SafeInfo *safe, void *nestedDest,
+		  CERTCertificate *cert, CERTCertDBHandle *certDb,
+		  SECItem *keyId, PRBool includeCertChain);
+
+extern SECStatus
+SEC_PKCS12AddKeyForCert(SEC_PKCS12ExportContext *p12ctxt, 
+			SEC_PKCS12SafeInfo *safe, 
+			void *nestedDest, CERTCertificate *cert,
+			PRBool shroudKey, SECOidTag algorithm, SECItem *pwitem,
+			SECItem *keyId, SECItem *nickName);
+
+extern SECStatus
+SEC_PKCS12AddCertAndKey(SEC_PKCS12ExportContext *p12ctxt, 
+			void *certSafe, void *certNestedDest, 
+			CERTCertificate *cert, CERTCertDBHandle *certDb,
+			void *keySafe, void *keyNestedDest, 
+			PRBool shroudKey, SECItem *pwitem, SECOidTag algorithm);
+
+extern SECStatus
+SEC_PKCS12AddDERCertAndEncryptedKey(SEC_PKCS12ExportContext *p12ctxt, 
+			void *certSafe, void *certNestedDest, SECItem *derCert,
+			void *keySafe, void *keyNestedDest, 
+			SECKEYEncryptedPrivateKeyInfo *epki, char *nickname);
+
+extern void *
+SEC_PKCS12CreateNestedSafeContents(SEC_PKCS12ExportContext *p12ctxt,
+				   void *baseSafe, void *nestedDest);
+
+extern SECStatus
+SEC_PKCS12Encode(SEC_PKCS12ExportContext *p12exp, 
+		 SEC_PKCS12EncoderOutputCallback output, void *outputarg);
+
+extern void
+SEC_PKCS12DestroyExportContext(SEC_PKCS12ExportContext *p12exp);
+
+extern SEC_PKCS12DecoderContext *
+SEC_PKCS12DecoderStart(SECItem *pwitem, PK11SlotInfo *slot, void *wincx,
+		       digestOpenFn dOpen, digestCloseFn dClose,
+		       digestIOFn dRead, digestIOFn dWrite, void *dArg);
+
+extern SECStatus
+SEC_PKCS12DecoderUpdate(SEC_PKCS12DecoderContext *p12dcx, unsigned char *data,
+			unsigned long len);
+
+extern void
+SEC_PKCS12DecoderFinish(SEC_PKCS12DecoderContext *p12dcx);
+
+extern SECStatus
+SEC_PKCS12DecoderVerify(SEC_PKCS12DecoderContext *p12dcx);
+
+extern SECStatus
+SEC_PKCS12DecoderValidateBags(SEC_PKCS12DecoderContext *p12dcx,
+			      SEC_PKCS12NicknameCollisionCallback nicknameCb);
+
+extern SECStatus
+SEC_PKCS12DecoderImportBags(SEC_PKCS12DecoderContext *p12dcx);
+
+CERTCertList *
+SEC_PKCS12DecoderGetCerts(SEC_PKCS12DecoderContext *p12dcx);
+
+#endif
diff --git a/security/nss/lib/pkcs12/p12creat.c b/security/nss/lib/pkcs12/p12creat.c
new file mode 100644
index 000000000..65678b299
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12creat.c
@@ -0,0 +1,251 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "pkcs12.h"
+#include "secitem.h"
+#include "secport.h"
+#include "secder.h"
+#include "secoid.h"
+#include "p12local.h"
+#include "secerr.h"
+
+
+/* allocate space for a PFX structure and set up initial
+ * arena pool.  pfx structure is cleared and a pointer to
+ * the new structure is returned.
+ */
+SEC_PKCS12PFXItem *
+sec_pkcs12_new_pfx(void)
+{
+    SEC_PKCS12PFXItem   *pfx = NULL;
+    PRArenaPool     *poolp = NULL;
+
+    poolp = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);	/* XXX Different size? */
+    if(poolp == NULL)
+	goto loser;
+
+    pfx = (SEC_PKCS12PFXItem *)PORT_ArenaZAlloc(poolp, 
+	sizeof(SEC_PKCS12PFXItem));
+    if(pfx == NULL)
+	goto loser;
+    pfx->poolp = poolp;
+
+    return pfx;
+
+loser:
+    PORT_FreeArena(poolp, PR_TRUE);
+    return NULL;
+}
+
+/* allocate space for a PFX structure and set up initial
+ * arena pool.  pfx structure is cleared and a pointer to
+ * the new structure is returned.
+ */
+SEC_PKCS12AuthenticatedSafe *
+sec_pkcs12_new_asafe(PRArenaPool *poolp)
+{
+    SEC_PKCS12AuthenticatedSafe  *asafe = NULL;
+    void *mark;
+
+    mark = PORT_ArenaMark(poolp);
+    asafe = (SEC_PKCS12AuthenticatedSafe *)PORT_ArenaZAlloc(poolp, 
+	sizeof(SEC_PKCS12AuthenticatedSafe));
+    if(asafe == NULL)
+	goto loser;
+    asafe->poolp = poolp;
+    PORT_Memset(&asafe->old_baggage, 0, sizeof(SEC_PKCS7ContentInfo));
+
+    PORT_ArenaUnmark(poolp, mark);
+    return asafe;
+
+loser:
+    PORT_ArenaRelease(poolp, mark);
+    return NULL;
+}
+
+/* create a safe contents structure with a list of
+ * length 0 with the first element being NULL 
+ */
+SEC_PKCS12SafeContents *
+sec_pkcs12_create_safe_contents(PRArenaPool *poolp)
+{
+    SEC_PKCS12SafeContents *safe;
+    void *mark;
+
+    if(poolp == NULL)
+	return NULL;
+
+    /* allocate structure */
+    mark = PORT_ArenaMark(poolp);
+    safe = (SEC_PKCS12SafeContents *)PORT_ArenaZAlloc(poolp, 
+	sizeof(SEC_PKCS12SafeContents));
+    if(safe == NULL)
+    {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_ArenaRelease(poolp, mark);
+	return NULL;
+    }
+
+    /* init list */
+    safe->contents = (SEC_PKCS12SafeBag**)PORT_ArenaZAlloc(poolp, 
+						  sizeof(SEC_PKCS12SafeBag *));
+    if(safe->contents == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_ArenaRelease(poolp, mark);
+	return NULL;
+    }
+    safe->contents[0] = NULL;
+    safe->poolp       = poolp;
+    safe->safe_size   = 0;
+    PORT_ArenaUnmark(poolp, mark);
+    return safe;
+}
+
+/* create a new external bag which is appended onto the list
+ * of bags in baggage.  the bag is created in the same arena
+ * as baggage
+ */
+SEC_PKCS12BaggageItem *
+sec_pkcs12_create_external_bag(SEC_PKCS12Baggage *luggage)
+{
+    void *dummy, *mark;
+    SEC_PKCS12BaggageItem *bag;
+
+    if(luggage == NULL) {
+	return NULL;
+    }
+
+    mark = PORT_ArenaMark(luggage->poolp);
+
+    /* allocate space for null terminated bag list */
+    if(luggage->bags == NULL) {
+	luggage->bags=(SEC_PKCS12BaggageItem**)PORT_ArenaZAlloc(luggage->poolp, 
+					sizeof(SEC_PKCS12BaggageItem *));
+	if(luggage->bags == NULL) {
+	    goto loser;
+	}
+	luggage->luggage_size = 0;
+    }
+
+    /* grow the list */    
+    dummy = PORT_ArenaGrow(luggage->poolp, luggage->bags,
+    			sizeof(SEC_PKCS12BaggageItem *) * (luggage->luggage_size + 1),
+    			sizeof(SEC_PKCS12BaggageItem *) * (luggage->luggage_size + 2));
+    if(dummy == NULL) {
+	goto loser;
+    }
+    luggage->bags = (SEC_PKCS12BaggageItem**)dummy;
+
+    luggage->bags[luggage->luggage_size] = 
+    		(SEC_PKCS12BaggageItem *)PORT_ArenaZAlloc(luggage->poolp,
+    							sizeof(SEC_PKCS12BaggageItem));
+    if(luggage->bags[luggage->luggage_size] == NULL) {
+	goto loser;
+    }
+
+    /* create new bag and append it to the end */
+    bag = luggage->bags[luggage->luggage_size];
+    bag->espvks = (SEC_PKCS12ESPVKItem **)PORT_ArenaZAlloc(
+    						luggage->poolp,
+    						sizeof(SEC_PKCS12ESPVKItem *));
+    bag->unencSecrets = (SEC_PKCS12SafeBag **)PORT_ArenaZAlloc(
+    						luggage->poolp,
+    						sizeof(SEC_PKCS12SafeBag *));
+    if((bag->espvks == NULL) || (bag->unencSecrets == NULL)) {
+	goto loser;
+    }
+
+    bag->poolp = luggage->poolp;
+    luggage->luggage_size++;
+    luggage->bags[luggage->luggage_size] = NULL;
+    bag->espvks[0] = NULL;
+    bag->unencSecrets[0] = NULL;
+    bag->nEspvks = bag->nSecrets = 0;
+
+    PORT_ArenaUnmark(luggage->poolp, mark);
+    return bag;
+
+loser:
+    PORT_ArenaRelease(luggage->poolp, mark);
+    PORT_SetError(SEC_ERROR_NO_MEMORY);
+    return NULL;
+}
+
+/* creates a baggage witha NULL terminated 0 length list */
+SEC_PKCS12Baggage *
+sec_pkcs12_create_baggage(PRArenaPool *poolp)
+{
+    SEC_PKCS12Baggage *luggage;
+    void *mark;
+
+    if(poolp == NULL)
+	return NULL;
+
+    mark = PORT_ArenaMark(poolp);
+
+    /* allocate bag */
+    luggage = (SEC_PKCS12Baggage *)PORT_ArenaZAlloc(poolp, 
+	sizeof(SEC_PKCS12Baggage));
+    if(luggage == NULL)
+    {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_ArenaRelease(poolp, mark);
+	return NULL;
+    }
+
+    /* init list */
+    luggage->bags = (SEC_PKCS12BaggageItem **)PORT_ArenaZAlloc(poolp,
+    					sizeof(SEC_PKCS12BaggageItem *));
+    if(luggage->bags == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_ArenaRelease(poolp, mark);
+	return NULL;
+    }
+
+    luggage->bags[0] = NULL;
+    luggage->luggage_size = 0;
+    luggage->poolp = poolp;
+
+    PORT_ArenaUnmark(poolp, mark);
+    return luggage;
+}
+
+/* free pfx structure and associated items in the arena */
+void 
+SEC_PKCS12DestroyPFX(SEC_PKCS12PFXItem *pfx)
+{
+    if (pfx != NULL && pfx->poolp != NULL)
+    {
+	PORT_FreeArena(pfx->poolp, PR_TRUE);
+    }
+}
diff --git a/security/nss/lib/pkcs12/p12d.c b/security/nss/lib/pkcs12/p12d.c
new file mode 100644
index 000000000..051428575
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12d.c
@@ -0,0 +1,3328 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+
+#include "nssrenam.h"
+#include "p12t.h"
+#include "p12.h"
+#include "plarena.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "seccomon.h"
+#include "secport.h"
+#include "cert.h"
+#include "secpkcs7.h"
+#include "secasn1.h"
+#include "secerr.h"
+#include "pk11func.h"
+#include "p12plcy.h"
+#include "p12local.h"
+#include "alghmac.h"
+#include "secder.h"
+#include "secport.h"
+
+#include "certdb.h"
+
+#include "prcpucfg.h"
+
+typedef struct sec_PKCS12SafeContentsContextStr sec_PKCS12SafeContentsContext;
+
+/* Opaque structure for decoding SafeContents.  These are used
+ * for each authenticated safe as well as any nested safe contents.
+ */
+struct sec_PKCS12SafeContentsContextStr {
+    /* the parent decoder context */
+    SEC_PKCS12DecoderContext *p12dcx;
+
+    /* memory arena to allocate space from */
+    PRArenaPool *arena;
+
+    /* decoder context and destination for decoding safe contents */
+    SEC_ASN1DecoderContext *safeContentsDcx;
+    sec_PKCS12SafeContents safeContents;
+
+    /* information for decoding safe bags within the safe contents.
+     * these variables are updated for each safe bag decoded.
+     */
+    SEC_ASN1DecoderContext *currentSafeBagDcx;
+    sec_PKCS12SafeBag *currentSafeBag;
+    PRBool skipCurrentSafeBag;
+
+    /* if the safe contents is nested, the parent is pointed to here. */
+    sec_PKCS12SafeContentsContext *nestedCtx;
+};
+
+/* opaque decoder context structure.  information for decoding a pkcs 12
+ * PDU are stored here as well as decoding pointers for intermediary 
+ * structures which are part of the PKCS 12 PDU.  Upon a successful
+ * decode, the safe bags containing certificates and keys encountered.
+ */  
+struct SEC_PKCS12DecoderContextStr {
+    PRArenaPool *arena;
+    PK11SlotInfo *slot;
+    void *wincx;
+    PRBool error;
+    int errorValue;
+
+    /* password */
+    SECItem *pwitem;
+
+    /* used for decoding the PFX structure */
+    SEC_ASN1DecoderContext *pfxDcx;
+    sec_PKCS12PFXItem pfx;
+
+    /* safe bags found during decoding */  
+    sec_PKCS12SafeBag **safeBags;
+    unsigned int safeBagCount;
+
+    /* state variables for decoding authenticated safes. */
+    SEC_PKCS7DecoderContext *currentASafeP7Dcx;
+    SEC_PKCS5KeyAndPassword *currentASafeKeyPwd;
+    SEC_ASN1DecoderContext *aSafeDcx;
+    SEC_PKCS7DecoderContext *aSafeP7Dcx;
+    sec_PKCS12AuthenticatedSafe authSafe;
+    SEC_PKCS7ContentInfo *aSafeCinfo;
+    sec_PKCS12SafeContents safeContents;
+
+    /* safe contents info */
+    unsigned int safeContentsCnt;
+    sec_PKCS12SafeContentsContext **safeContentsList;
+
+    /* HMAC info */
+    sec_PKCS12MacData	macData;
+    SEC_ASN1DecoderContext *hmacDcx;
+
+    /* routines for reading back the data to be hmac'd */
+    digestOpenFn dOpen;
+    digestCloseFn dClose;
+    digestIOFn dRead, dWrite;
+    void *dArg;
+
+    /* helper functions */
+    SECKEYGetPasswordKey pwfn;
+    void *pwfnarg;
+    PRBool swapUnicodeBytes;
+
+    /* import information */
+    PRBool bagsVerified;
+
+    /* buffer management for the default callbacks implementation */
+    void        *buffer;      /* storage area */
+    PRInt32     filesize;     /* actual data size */
+    PRInt32     allocated;    /* total buffer size allocated */
+    PRInt32     currentpos;   /* position counter */
+};
+
+
+/* make sure that the PFX version being decoded is a version
+ * which we support.
+ */
+static PRBool
+sec_pkcs12_proper_version(sec_PKCS12PFXItem *pfx)
+{
+    /* if no version, assume it is not supported */
+    if(pfx->version.len == 0) {
+	return PR_FALSE;
+    }
+
+    if(DER_GetInteger(&pfx->version) > SEC_PKCS12_VERSION) {
+	return PR_FALSE;
+    }
+
+    return PR_TRUE;
+}
+
+/* retrieve the key for decrypting the safe contents */ 
+static PK11SymKey *
+sec_pkcs12_decoder_get_decrypt_key(void *arg, SECAlgorithmID *algid)
+{
+    SEC_PKCS5KeyAndPassword *keyPwd = 
+        (SEC_PKCS5KeyAndPassword *)arg;
+
+    if(!keyPwd) {
+	return NULL;
+    }
+
+    /* if no slot specified, use the internal key slot */
+    if(!keyPwd->slot) {
+	keyPwd->slot = PK11_GetInternalKeySlot();
+    }
+
+    /* retrieve the key */
+    if(!keyPwd->key) {
+	keyPwd->key = PK11_PBEKeyGen(keyPwd->slot, algid, 
+				     keyPwd->pwitem, PR_FALSE, keyPwd->wincx);
+    }
+
+    return (PK11SymKey *)keyPwd;
+}
+
+/* XXX this needs to be modified to handle enveloped data.  most
+ * likely, it should mirror the routines for SMIME in that regard.
+ */
+static PRBool
+sec_pkcs12_decoder_decryption_allowed(SECAlgorithmID *algid, 
+				      PK11SymKey *bulkkey)
+{
+    PRBool decryptionAllowed = SEC_PKCS12DecryptionAllowed(algid);
+
+    if(!decryptionAllowed) {
+	return PR_FALSE;
+    }
+
+    return PR_TRUE;
+}
+
+/* when we encounter a new safe bag during the decoding, we need
+ * to allocate space for the bag to be decoded to and set the 
+ * state variables appropriately.  all of the safe bags are allocated
+ * in a buffer in the outer SEC_PKCS12DecoderContext, however,
+ * a pointer to the safeBag is also used in the sec_PKCS12SafeContentsContext
+ * for the current bag.
+ */
+static SECStatus
+sec_pkcs12_decoder_init_new_safe_bag(sec_PKCS12SafeContentsContext 
+						*safeContentsCtx)
+{
+    void *mark = NULL;
+    SEC_PKCS12DecoderContext *p12dcx;
+
+    /* make sure that the structures are defined, and there has
+     * not been an error in the decoding 
+     */
+    if(!safeContentsCtx || !safeContentsCtx->p12dcx 
+		|| safeContentsCtx->p12dcx->error) {
+	return SECFailure;
+    }
+
+    p12dcx = safeContentsCtx->p12dcx;
+    mark = PORT_ArenaMark(p12dcx->arena);
+
+    /* allocate a new safe bag, if bags already exist, grow the 
+     * list of bags, otherwise allocate a new list.  the list is
+     * NULL terminated.
+     */
+    if(p12dcx->safeBagCount) {
+	p12dcx->safeBags = 
+	    (sec_PKCS12SafeBag**)PORT_ArenaGrow(p12dcx->arena,p12dcx->safeBags,
+			(p12dcx->safeBagCount + 1) * sizeof(sec_PKCS12SafeBag *),
+			(p12dcx->safeBagCount + 2) * sizeof(sec_PKCS12SafeBag *));
+    } else {
+	p12dcx->safeBags = (sec_PKCS12SafeBag**)PORT_ArenaZAlloc(p12dcx->arena,
+					    2 * sizeof(sec_PKCS12SafeBag *));
+    }
+    if(!p12dcx->safeBags) {
+	p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
+	goto loser;
+    }
+
+    /* append the bag to the end of the list and update the reference
+     * in the safeContentsCtx.
+     */
+    p12dcx->safeBags[p12dcx->safeBagCount] = 
+        (sec_PKCS12SafeBag*)PORT_ArenaZAlloc(p12dcx->arena,
+					     sizeof(sec_PKCS12SafeBag));
+    safeContentsCtx->currentSafeBag = p12dcx->safeBags[p12dcx->safeBagCount];
+    p12dcx->safeBags[++p12dcx->safeBagCount] = NULL;
+    if(!safeContentsCtx->currentSafeBag) {
+	p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
+	goto loser;
+    }
+
+    safeContentsCtx->currentSafeBag->slot = safeContentsCtx->p12dcx->slot;
+    safeContentsCtx->currentSafeBag->pwitem = safeContentsCtx->p12dcx->pwitem;
+    safeContentsCtx->currentSafeBag->swapUnicodeBytes = 
+				safeContentsCtx->p12dcx->swapUnicodeBytes;
+    safeContentsCtx->currentSafeBag->arena = safeContentsCtx->p12dcx->arena;
+
+    PORT_ArenaUnmark(p12dcx->arena, mark);
+    return SECSuccess;
+
+loser:
+
+    /* if an error occurred, release the memory and set the error flag
+     * the only possible errors triggered by this function are memory 
+     * related.
+     */
+    if(mark) {
+	PORT_ArenaRelease(p12dcx->arena, mark);
+    }
+
+    p12dcx->error = PR_TRUE;
+    return SECFailure;
+}
+
+/* A wrapper for updating the ASN1 context in which a safeBag is
+ * being decoded.  This function is called as a callback from
+ * secasn1d when decoding SafeContents structures.
+ */
+static void
+sec_pkcs12_decoder_safe_bag_update(void *arg, const char *data, 
+				   unsigned long len, int depth, 
+				   SEC_ASN1EncodingPart data_kind)
+{
+    sec_PKCS12SafeContentsContext *safeContentsCtx = 
+        (sec_PKCS12SafeContentsContext *)arg;
+    SEC_PKCS12DecoderContext *p12dcx;
+    SECStatus rv;
+
+    /* make sure that we are not skipping the current safeBag,
+     * and that there are no errors.  If so, just return rather
+     * than continuing to process.
+     */
+    if(!safeContentsCtx || !safeContentsCtx->p12dcx 
+		|| safeContentsCtx->p12dcx->error 
+		|| safeContentsCtx->skipCurrentSafeBag) {
+	return;
+    }
+    p12dcx = safeContentsCtx->p12dcx;
+
+    rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagDcx, data, len);
+    if(rv != SECSuccess) {
+	p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
+	goto loser;
+    }
+
+    return;
+
+loser:
+    /* set the error, and finish the decoder context.  because there 
+     * is not a way of returning an error message, it may be worth
+     * while to do a check higher up and finish any decoding contexts
+     * that are still open.
+     */
+    p12dcx->error = PR_TRUE;
+    SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagDcx);
+    safeContentsCtx->currentSafeBagDcx = NULL;
+    return;
+}
+
+/* forward declarations of functions that are used when decoding
+ * safeContents bags which are nested and when decoding the 
+ * authenticatedSafes.
+ */
+static SECStatus
+sec_pkcs12_decoder_begin_nested_safe_contents(sec_PKCS12SafeContentsContext 
+							*safeContentsCtx);
+static SECStatus
+sec_pkcs12_decoder_finish_nested_safe_contents(sec_PKCS12SafeContentsContext
+							*safeContentsCtx);
+static void
+sec_pkcs12_decoder_safe_bag_update(void *arg, const char *data, 
+				   unsigned long len, int depth, 
+				   SEC_ASN1EncodingPart data_kind);
+
+/* notify function for decoding safeBags.  This function is
+ * used to filter safeBag types which are not supported,
+ * initiate the decoding of nested safe contents, and decode
+ * safeBags in general.  this function is set when the decoder
+ * context for the safeBag is first created.
+ */
+static void
+sec_pkcs12_decoder_safe_bag_notify(void *arg, PRBool before,
+				   void *dest, int real_depth)
+{
+    sec_PKCS12SafeContentsContext *safeContentsCtx = 
+        (sec_PKCS12SafeContentsContext *)arg;
+    SEC_PKCS12DecoderContext *p12dcx;
+    sec_PKCS12SafeBag *bag;
+    PRBool after;
+
+    /* if an error is encountered, return */
+    if(!safeContentsCtx || !safeContentsCtx->p12dcx || 
+		safeContentsCtx->p12dcx->error) {
+	return;
+    }
+    p12dcx = safeContentsCtx->p12dcx;
+
+    /* to make things more readable */
+    if(before)
+	after = PR_FALSE;
+    else 
+	after = PR_TRUE;
+
+    /* have we determined the safeBagType yet? */
+    bag = safeContentsCtx->currentSafeBag;
+    if(bag->bagTypeTag == NULL) {
+	if(after && (dest == &(bag->safeBagType))) {
+	    bag->bagTypeTag = SECOID_FindOID(&(bag->safeBagType));
+	    if(bag->bagTypeTag == NULL) {
+		p12dcx->error = PR_TRUE;
+		p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
+	    }
+	}
+	return;
+    }
+
+    /* process the safeBag depending on it's type.  those
+     * which we do not support, are ignored.  we start a decoding
+     * context for a nested safeContents.
+     */
+    switch(bag->bagTypeTag->offset) {
+	case SEC_OID_PKCS12_V1_KEY_BAG_ID:
+	case SEC_OID_PKCS12_V1_CERT_BAG_ID:
+	case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
+	    break;
+	case SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID:
+	    /* if we are just starting to decode the safeContents, initialize
+	     * a new safeContentsCtx to process it.
+	     */
+	    if(before && (dest == &(bag->safeBagContent))) {
+		sec_pkcs12_decoder_begin_nested_safe_contents(safeContentsCtx);
+	    } else if(after && (dest == &(bag->safeBagContent))) {
+		/* clean up the nested decoding */
+		sec_pkcs12_decoder_finish_nested_safe_contents(safeContentsCtx);
+	    }
+	    break;
+	case SEC_OID_PKCS12_V1_CRL_BAG_ID:
+	case SEC_OID_PKCS12_V1_SECRET_BAG_ID:
+	default:
+	    /* skip any safe bag types we don't understand or handle */
+	    safeContentsCtx->skipCurrentSafeBag = PR_TRUE;
+	    break;
+    }
+
+    return;
+}
+
+/* notify function for decoding safe contents.  each entry in the
+ * safe contents is a safeBag which needs to be allocated and
+ * the decoding context initialized at the beginning and then
+ * the context needs to be closed and finished at the end.
+ *
+ * this function is set when the safeContents decode context is
+ * initialized.
+ */
+static void
+sec_pkcs12_decoder_safe_contents_notify(void *arg, PRBool before,
+					void *dest, int real_depth)
+{
+    sec_PKCS12SafeContentsContext *safeContentsCtx = 
+        (sec_PKCS12SafeContentsContext*)arg;
+    SEC_PKCS12DecoderContext *p12dcx;
+    SECStatus rv;
+
+    /* if there is an error we don't want to continue processing,
+     * just return and keep going.
+     */
+    if(!safeContentsCtx || !safeContentsCtx->p12dcx 
+		|| safeContentsCtx->p12dcx->error) {
+	return;
+    }
+    p12dcx = safeContentsCtx->p12dcx;
+
+    /* if we are done with the current safeBag, then we need to
+     * finish the context and set the state variables appropriately.
+     */
+    if(!before) {
+	SEC_ASN1DecoderClearFilterProc(safeContentsCtx->safeContentsDcx);
+	SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagDcx);
+	safeContentsCtx->currentSafeBagDcx = NULL;
+	safeContentsCtx->skipCurrentSafeBag = PR_FALSE;
+    } else {
+	/* we are starting a new safe bag.  we need to allocate space
+	 * for the bag and initialize the decoding context.
+	 */
+	rv = sec_pkcs12_decoder_init_new_safe_bag(safeContentsCtx);
+	if(rv != SECSuccess) {
+	    goto loser;
+	}
+
+	/* set up the decoder context */
+	safeContentsCtx->currentSafeBagDcx = SEC_ASN1DecoderStart(p12dcx->arena,
+						safeContentsCtx->currentSafeBag,
+						sec_PKCS12SafeBagTemplate);
+	if(!safeContentsCtx->currentSafeBagDcx) {
+	    p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
+	    goto loser;
+	}
+
+	/* set the notify and filter procs so that the safe bag
+	 * data gets sent to the proper location when decoding.
+	 */
+	SEC_ASN1DecoderSetNotifyProc(safeContentsCtx->currentSafeBagDcx, 
+				 sec_pkcs12_decoder_safe_bag_notify, 
+				 safeContentsCtx);
+	SEC_ASN1DecoderSetFilterProc(safeContentsCtx->safeContentsDcx, 
+				 sec_pkcs12_decoder_safe_bag_update, 
+				 safeContentsCtx, PR_TRUE);
+    }
+
+    return;
+
+loser:
+    /* in the event of an error, we want to close the decoding
+     * context and clear the filter and notify procedures.
+     */
+    p12dcx->error = PR_TRUE;
+
+    if(safeContentsCtx->currentSafeBagDcx) {
+	SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagDcx);
+	safeContentsCtx->currentSafeBagDcx = NULL;
+    }
+
+    SEC_ASN1DecoderClearNotifyProc(safeContentsCtx->safeContentsDcx);
+    SEC_ASN1DecoderClearFilterProc(safeContentsCtx->safeContentsDcx);
+
+    return;
+}
+
+/* initialize the safeContents for decoding.  this routine
+ * is used for authenticatedSafes as well as nested safeContents.
+ */
+static sec_PKCS12SafeContentsContext *
+sec_pkcs12_decoder_safe_contents_init_decode(SEC_PKCS12DecoderContext *p12dcx,
+					     PRBool nestedSafe)
+{
+    sec_PKCS12SafeContentsContext *safeContentsCtx = NULL;
+    const SEC_ASN1Template *theTemplate;
+
+    if(!p12dcx || p12dcx->error) {
+	return NULL;
+    }
+
+    /* allocate a new safeContents list or grow the existing list and
+     * append the new safeContents onto the end.
+     */
+    if(!p12dcx->safeContentsCnt) {
+	p12dcx->safeContentsList = 
+	    (sec_PKCS12SafeContentsContext**)PORT_ArenaZAlloc(p12dcx->arena, 
+	       			 sizeof(sec_PKCS12SafeContentsContext *));
+    } else {
+	p12dcx->safeContentsList = 
+	   (sec_PKCS12SafeContentsContext **) PORT_ArenaGrow(p12dcx->arena,
+			p12dcx->safeContentsList,
+			(p12dcx->safeContentsCnt * 
+				sizeof(sec_PKCS12SafeContentsContext *)),
+			(1 + p12dcx->safeContentsCnt * 
+				sizeof(sec_PKCS12SafeContentsContext *)));
+    }
+    if(!p12dcx->safeContentsList) {
+	p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
+	goto loser;
+    }
+
+    p12dcx->safeContentsList[p12dcx->safeContentsCnt] = 
+        (sec_PKCS12SafeContentsContext*)PORT_ArenaZAlloc(
+					p12dcx->arena,
+					sizeof(sec_PKCS12SafeContentsContext));
+    p12dcx->safeContentsList[p12dcx->safeContentsCnt+1] = NULL;
+    if(!p12dcx->safeContentsList[p12dcx->safeContentsCnt]) {
+	p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
+	goto loser;
+    }
+
+    /* set up the state variables */
+    safeContentsCtx = p12dcx->safeContentsList[p12dcx->safeContentsCnt];
+    p12dcx->safeContentsCnt++;
+    safeContentsCtx->p12dcx = p12dcx;
+    safeContentsCtx->arena = p12dcx->arena;
+
+    /* begin the decoding -- the template is based on whether we are
+     * decoding a nested safeContents or not.
+     */
+    if(nestedSafe == PR_TRUE) {
+	theTemplate = sec_PKCS12NestedSafeContentsDecodeTemplate;
+    } else {
+	theTemplate = sec_PKCS12SafeContentsDecodeTemplate;
+    }
+
+    /* start the decoder context */
+    safeContentsCtx->safeContentsDcx = SEC_ASN1DecoderStart(p12dcx->arena, 
+					&safeContentsCtx->safeContents,
+					theTemplate);
+	
+    if(!safeContentsCtx->safeContentsDcx) {
+	p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
+	goto loser;
+    }
+
+    /* set the safeContents notify procedure to look for
+     * and start the decode of safeBags.
+     */
+    SEC_ASN1DecoderSetNotifyProc(safeContentsCtx->safeContentsDcx, 
+				sec_pkcs12_decoder_safe_contents_notify,
+				safeContentsCtx);
+
+    return safeContentsCtx;
+
+loser:
+    /* in the case of an error, we want to finish the decoder
+     * context and set the error flag.
+     */
+    if(safeContentsCtx && safeContentsCtx->safeContentsDcx) {
+	SEC_ASN1DecoderFinish(safeContentsCtx->safeContentsDcx);
+	safeContentsCtx->safeContentsDcx = NULL;
+    }
+
+    p12dcx->error = PR_TRUE;
+
+    return NULL;
+}
+
+/* wrapper for updating safeContents.  this is set as the filter of
+ * safeBag when there is a nested safeContents.
+ */
+static void
+sec_pkcs12_decoder_nested_safe_contents_update(void *arg, const char *buf,
+					  unsigned long len, int depth,
+					  SEC_ASN1EncodingPart data_kind)
+{
+    sec_PKCS12SafeContentsContext *safeContentsCtx = 
+        (sec_PKCS12SafeContentsContext *)arg;
+    SEC_PKCS12DecoderContext *p12dcx;
+    SECStatus rv;
+
+    /* check for an error */
+    if(!safeContentsCtx || !safeContentsCtx->p12dcx 
+			|| safeContentsCtx->p12dcx->error) {
+	return;
+    }
+
+    /* no need to update if no data sent in */
+    if(!len || !buf) {
+	return;
+    }
+
+    /* update the decoding context */
+    p12dcx = safeContentsCtx->p12dcx;
+    rv = SEC_ASN1DecoderUpdate(safeContentsCtx->safeContentsDcx, buf, len);
+    if(rv != SECSuccess) {
+	p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
+	goto loser;
+    }
+
+    return;
+
+loser:
+    /* handle any errors.  If a decoding context is open, close it. */
+    p12dcx->error = PR_TRUE;
+    if(safeContentsCtx->safeContentsDcx) {
+	SEC_ASN1DecoderFinish(safeContentsCtx->safeContentsDcx);
+	safeContentsCtx->safeContentsDcx = NULL;
+    }
+}
+
+/* whenever a new safeContentsSafeBag is encountered, we need
+ * to init a safeContentsContext.  
+ */
+static SECStatus  
+sec_pkcs12_decoder_begin_nested_safe_contents(sec_PKCS12SafeContentsContext 
+							*safeContentsCtx)
+{
+    /* check for an error */
+    if(!safeContentsCtx || !safeContentsCtx->p12dcx || 
+		safeContentsCtx->p12dcx->error) {
+	return SECFailure;
+    }
+
+    safeContentsCtx->nestedCtx = sec_pkcs12_decoder_safe_contents_init_decode(
+						safeContentsCtx->p12dcx,
+						PR_TRUE);
+    if(!safeContentsCtx->nestedCtx) {
+	return SECFailure;
+    }
+
+    /* set up new filter proc */
+    SEC_ASN1DecoderSetNotifyProc(safeContentsCtx->nestedCtx->safeContentsDcx,
+				 sec_pkcs12_decoder_safe_contents_notify,
+				 safeContentsCtx->nestedCtx);
+    SEC_ASN1DecoderSetFilterProc(safeContentsCtx->currentSafeBagDcx,
+				 sec_pkcs12_decoder_nested_safe_contents_update,
+				 safeContentsCtx->nestedCtx, PR_TRUE);
+
+    return SECSuccess;
+}
+
+/* when the safeContents is done decoding, we need to reset the
+ * proper filter and notify procs and close the decoding context 
+ */
+static SECStatus
+sec_pkcs12_decoder_finish_nested_safe_contents(sec_PKCS12SafeContentsContext
+							*safeContentsCtx)
+{
+    /* check for error */
+    if(!safeContentsCtx || !safeContentsCtx->p12dcx || 
+		safeContentsCtx->p12dcx->error) {
+	return SECFailure;
+    }
+
+    /* clean up */	
+    SEC_ASN1DecoderClearFilterProc(safeContentsCtx->currentSafeBagDcx);
+    SEC_ASN1DecoderClearNotifyProc(safeContentsCtx->nestedCtx->safeContentsDcx);
+    SEC_ASN1DecoderFinish(safeContentsCtx->nestedCtx->safeContentsDcx);
+    safeContentsCtx->nestedCtx->safeContentsDcx = NULL;
+    safeContentsCtx->nestedCtx = NULL;
+
+    return SECSuccess;
+}
+
+/* wrapper for updating safeContents.  This is used when decoding
+ * the nested safeContents and any authenticatedSafes.
+ */
+static void
+sec_pkcs12_decoder_safe_contents_callback(void *arg, const char *buf,
+					  unsigned long len)
+{
+    SECStatus rv;
+    sec_PKCS12SafeContentsContext *safeContentsCtx = 
+        (sec_PKCS12SafeContentsContext *)arg;
+    SEC_PKCS12DecoderContext *p12dcx;
+
+    /* check for error */  
+    if(!safeContentsCtx || !safeContentsCtx->p12dcx 
+		|| safeContentsCtx->p12dcx->error) {
+	return;
+    }
+    p12dcx = safeContentsCtx->p12dcx;
+
+    /* update the decoder */
+    rv = SEC_ASN1DecoderUpdate(safeContentsCtx->safeContentsDcx, buf, len);
+    if(rv != SECSuccess) {
+	/* if we fail while trying to decode a 'safe', it's probably because
+	 * we didn't have the correct password. */
+	PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+	p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
+	goto loser;
+    }
+
+    return;
+
+loser:
+    /* set the error and finish the context */
+    p12dcx->error = PR_TRUE;
+    if(safeContentsCtx->safeContentsDcx) {
+	SEC_ASN1DecoderFinish(safeContentsCtx->safeContentsDcx);
+	safeContentsCtx->safeContentsDcx = NULL;
+    }
+
+    return;
+}
+
+/* this is a wrapper for the ASN1 decoder to call SEC_PKCS7DecoderUpdate
+ */
+static void
+sec_pkcs12_decoder_wrap_p7_update(void *arg, const char *data,
+				  unsigned long len, int depth,
+				  SEC_ASN1EncodingPart data_kind)
+{
+    SEC_PKCS7DecoderContext *p7dcx = (SEC_PKCS7DecoderContext *)arg;
+
+    SEC_PKCS7DecoderUpdate(p7dcx, data, len);
+}
+
+/* notify function for decoding aSafes.  at the beginning,
+ * of an authenticatedSafe, we start a decode of a safeContents.
+ * at the end, we clean up the safeContents decoder context and
+ * reset state variables 
+ */
+static void
+sec_pkcs12_decoder_asafes_notify(void *arg, PRBool before, void *dest, 
+			       int real_depth)
+{
+    SEC_PKCS12DecoderContext *p12dcx;
+    sec_PKCS12SafeContentsContext *safeContentsCtx;
+
+    /* make sure no error occurred. */
+    p12dcx = (SEC_PKCS12DecoderContext *)arg;
+    if(!p12dcx || p12dcx->error) {
+	return;
+    }
+
+    if(before) {
+
+	/* init a new safeContentsContext */
+	safeContentsCtx = sec_pkcs12_decoder_safe_contents_init_decode(p12dcx, 
+								PR_FALSE);
+	if(!safeContentsCtx) {
+	    goto loser;
+	}
+
+	/* set up password and encryption key information */
+	p12dcx->currentASafeKeyPwd = 
+	    (SEC_PKCS5KeyAndPassword*)PORT_ArenaZAlloc(p12dcx->arena, 
+					      sizeof(SEC_PKCS5KeyAndPassword));
+	if(!p12dcx->currentASafeKeyPwd) {
+	    p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
+	    goto loser;
+	}
+	p12dcx->currentASafeKeyPwd->pwitem = p12dcx->pwitem;
+	p12dcx->currentASafeKeyPwd->slot = p12dcx->slot;
+	p12dcx->currentASafeKeyPwd->wincx = p12dcx->wincx;
+
+	/* initiate the PKCS7ContentInfo decode */
+	p12dcx->currentASafeP7Dcx = SEC_PKCS7DecoderStart(
+				sec_pkcs12_decoder_safe_contents_callback,
+				safeContentsCtx, 
+				p12dcx->pwfn, p12dcx->pwfnarg,
+				sec_pkcs12_decoder_get_decrypt_key, 
+				p12dcx->currentASafeKeyPwd, 
+				sec_pkcs12_decoder_decryption_allowed);
+	if(!p12dcx->currentASafeP7Dcx) {
+	    p12dcx->errorValue = PORT_GetError();
+	    goto loser;
+	}
+	SEC_ASN1DecoderSetFilterProc(p12dcx->aSafeDcx, 
+				     sec_pkcs12_decoder_wrap_p7_update,
+				     p12dcx->currentASafeP7Dcx, PR_TRUE);
+    }
+
+    if(!before) {
+	/* if one is being decoded, finish the decode */
+	if(p12dcx->currentASafeP7Dcx != NULL) {
+	    if(!SEC_PKCS7DecoderFinish(p12dcx->currentASafeP7Dcx)) {
+		p12dcx->currentASafeP7Dcx = NULL;
+		p12dcx->errorValue = PORT_GetError();
+		goto loser;
+	    }
+	    p12dcx->currentASafeP7Dcx = NULL;
+	}
+	p12dcx->currentASafeP7Dcx = NULL;
+	if(p12dcx->currentASafeKeyPwd->key != NULL) {
+	    p12dcx->currentASafeKeyPwd->key = NULL;
+	}
+    }
+
+
+    return;
+
+loser:
+    /* set the error flag */
+    p12dcx->error = PR_TRUE;
+    return;
+}
+
+/* wrapper for updating asafes decoding context.  this function
+ * writes data being decoded to disk, so that a mac can be computed
+ * later.  
+ */
+static void
+sec_pkcs12_decoder_asafes_callback(void *arg, const char *buf, 
+				  unsigned long len)
+{
+    SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext *)arg;
+    SECStatus rv;
+
+    if(!p12dcx || p12dcx->error) {
+	return;
+    }
+
+    /* update the context */
+    rv = SEC_ASN1DecoderUpdate(p12dcx->aSafeDcx, buf, len);
+    if(rv != SECSuccess) {
+	p12dcx->error = (PRBool)SEC_ERROR_NO_MEMORY;
+	goto loser;
+    }
+
+    /* if we are writing to a file, write out the new information */
+    if(p12dcx->dWrite) {
+	unsigned long writeLen = (*p12dcx->dWrite)(p12dcx->dArg, 	
+						   (unsigned char *)buf, len);
+	if(writeLen != len) {
+	    p12dcx->errorValue = PORT_GetError();
+	    goto loser;
+	}
+    }
+
+    return;
+
+loser:
+    /* set the error flag */
+    p12dcx->error = PR_TRUE;
+    SEC_ASN1DecoderFinish(p12dcx->aSafeDcx);
+    p12dcx->aSafeDcx = NULL;
+
+    return;
+}
+   
+/* start the decode of an authenticatedSafe contentInfo.
+ */ 
+static SECStatus
+sec_pkcs12_decode_start_asafes_cinfo(SEC_PKCS12DecoderContext *p12dcx)
+{
+    if(!p12dcx || p12dcx->error) {
+	return SECFailure;
+    }
+
+    /* start the decode context */
+    p12dcx->aSafeDcx = SEC_ASN1DecoderStart(p12dcx->arena, 
+    					&p12dcx->authSafe,
+    					sec_PKCS12AuthenticatedSafeTemplate);
+    if(!p12dcx->aSafeDcx) {
+	p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
+   	goto loser;
+    }
+
+    /* set the notify function */
+    SEC_ASN1DecoderSetNotifyProc(p12dcx->aSafeDcx,
+    				 sec_pkcs12_decoder_asafes_notify, p12dcx);
+
+    /* begin the authSafe decoder context */
+    p12dcx->aSafeP7Dcx = SEC_PKCS7DecoderStart(
+    				sec_pkcs12_decoder_asafes_callback, p12dcx,
+    				p12dcx->pwfn, p12dcx->pwfnarg, NULL, NULL, NULL);
+    if(!p12dcx->aSafeP7Dcx) {
+	p12dcx->errorValue = SEC_ERROR_NO_MEMORY;
+	goto loser;
+    }
+  
+    /* open the temp file for writing, if the filter functions were set */ 
+    if(p12dcx->dOpen && (*p12dcx->dOpen)(p12dcx->dArg, PR_FALSE) 
+				!= SECSuccess) {
+	p12dcx->errorValue = PORT_GetError();
+	goto loser;
+    }
+
+    return SECSuccess;
+
+loser:
+    p12dcx->error = PR_TRUE;
+
+    if(p12dcx->aSafeDcx) {
+	SEC_ASN1DecoderFinish(p12dcx->aSafeDcx);
+	p12dcx->aSafeDcx = NULL;
+    } 
+
+    if(p12dcx->aSafeP7Dcx) {
+	SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx);
+	p12dcx->aSafeP7Dcx = NULL;
+    }
+
+    return SECFailure;
+}
+
+/* wrapper for updating the safeContents.  this function is used as
+ * a filter for the pfx when decoding the authenticated safes 
+ */
+static void 
+sec_pkcs12_decode_asafes_cinfo_update(void *arg, const char *buf,
+				      unsigned long len, int depth,
+				      SEC_ASN1EncodingPart data_kind)
+{
+    SEC_PKCS12DecoderContext *p12dcx;
+    SECStatus rv;
+
+    p12dcx = (SEC_PKCS12DecoderContext*)arg;
+    if(!p12dcx || p12dcx->error) {
+	return;
+    }
+
+    /* update the safeContents decoder */
+    rv = SEC_PKCS7DecoderUpdate(p12dcx->aSafeP7Dcx, buf, len);
+    if(rv != SECSuccess) {
+	p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
+	goto loser;
+    }
+
+    return;
+
+loser:
+
+    /* did we find an error?  if so, close the context and set the 
+     * error flag.
+     */
+    SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx);
+    p12dcx->aSafeP7Dcx = NULL;
+    p12dcx->error = PR_TRUE;
+}
+
+/* notify procedure used while decoding the pfx.  When we encounter
+ * the authSafes, we want to trigger the decoding of authSafes as well
+ * as when we encounter the macData, trigger the decoding of it.  we do
+ * this because we we are streaming the decoder and not decoding in place.
+ * the pfx which is the destination, only has the version decoded into it.
+ */
+static void 
+sec_pkcs12_decoder_pfx_notify_proc(void *arg, PRBool before, void *dest,
+				   int real_depth)
+{
+    SECStatus rv;
+    SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext*)arg;
+
+    /* if an error occurrs, clear the notifyProc and the filterProc 
+     * and continue. 
+     */
+    if(p12dcx->error) {
+	SEC_ASN1DecoderClearNotifyProc(p12dcx->pfxDcx);
+	SEC_ASN1DecoderClearFilterProc(p12dcx->pfxDcx);
+	return;
+    }
+
+    if(before && (dest == &p12dcx->pfx.encodedAuthSafe)) {
+
+	/* we want to make sure this is a version we support */
+	if(!sec_pkcs12_proper_version(&p12dcx->pfx)) {
+	    p12dcx->errorValue = SEC_ERROR_PKCS12_UNSUPPORTED_VERSION;
+	    goto loser;
+	}
+
+	/* start the decode of the aSafes cinfo... */
+	rv = sec_pkcs12_decode_start_asafes_cinfo(p12dcx);
+	if(rv != SECSuccess) {
+	    goto loser;
+	}
+
+	/* set the filter proc to update the authenticated safes. */
+	SEC_ASN1DecoderSetFilterProc(p12dcx->pfxDcx,
+				     sec_pkcs12_decode_asafes_cinfo_update,
+				     p12dcx, PR_TRUE);
+    }
+
+    if(!before && (dest == &p12dcx->pfx.encodedAuthSafe)) {
+
+	/* we are done decoding the authenticatedSafes, so we need to 
+	 * finish the decoderContext and clear the filter proc
+	 * and close the hmac callback, if present
+	 */
+	p12dcx->aSafeCinfo = SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx);
+	p12dcx->aSafeP7Dcx = NULL;
+	if(!p12dcx->aSafeCinfo) {
+	    p12dcx->errorValue = PORT_GetError();
+	    goto loser;
+	}
+	SEC_ASN1DecoderClearFilterProc(p12dcx->pfxDcx);
+	if(p12dcx->dClose && ((*p12dcx->dClose)(p12dcx->dArg, PR_FALSE) 
+				!= SECSuccess)) {
+	    p12dcx->errorValue = PORT_GetError();
+	    goto loser;
+	}
+
+    }
+
+    return;
+
+loser:
+    p12dcx->error = PR_TRUE;
+}
+
+/*  default implementations of the open/close/read/write functions for
+    SEC_PKCS12DecoderStart 
+*/
+
+#define DEFAULT_TEMP_SIZE 4096
+
+static SECStatus
+p12u_DigestOpen(void *arg, PRBool readData)
+{
+    SEC_PKCS12DecoderContext* p12cxt = arg;
+
+    p12cxt->currentpos = 0;
+
+    if (PR_FALSE == readData) {
+        /* allocate an initial buffer */
+        p12cxt->filesize = 0;
+        p12cxt->allocated = DEFAULT_TEMP_SIZE;
+        p12cxt->buffer = PORT_Alloc(DEFAULT_TEMP_SIZE);
+        PR_ASSERT(p12cxt->buffer);
+    }
+    else
+    {
+        PR_ASSERT(p12cxt->buffer);
+        if (!p12cxt->buffer) {
+            return SECFailure; /* no data to read */
+        }
+    }
+
+    return SECSuccess;
+}
+
+static SECStatus
+p12u_DigestClose(void *arg, PRBool removeFile)
+{
+    SEC_PKCS12DecoderContext* p12cxt = arg;
+
+    PR_ASSERT(p12cxt);
+    if (!p12cxt) {
+        return SECFailure;
+    }
+    p12cxt->currentpos = 0;
+
+    if (PR_TRUE == removeFile) {
+        PR_ASSERT(p12cxt->buffer);
+        if (!p12cxt->buffer) {
+            return SECFailure;
+        }
+        if (p12cxt->buffer) {
+            PORT_Free(p12cxt->buffer);
+            p12cxt->buffer = NULL;
+            p12cxt->allocated = 0;
+            p12cxt->filesize = 0;
+        }
+    }
+
+    return SECSuccess;
+}
+
+static int
+p12u_DigestRead(void *arg, unsigned char *buf, unsigned long len)
+{
+    int toread = len;
+    SEC_PKCS12DecoderContext* p12cxt = arg;
+
+    if(!buf || len == 0) {
+	return -1;
+    }
+
+    if (!p12cxt->buffer || ((p12cxt->filesize-p12cxt->currentpos)<len) ) {
+        /* trying to read past the end of the buffer */
+        toread = p12cxt->filesize-p12cxt->currentpos;
+    }
+    memcpy(buf, (void*)((char*)p12cxt->buffer+p12cxt->currentpos), toread);
+    p12cxt->currentpos += toread;
+    return toread;
+}
+
+static int
+p12u_DigestWrite(void *arg, unsigned char *buf, unsigned long len)
+{
+    SEC_PKCS12DecoderContext* p12cxt = arg;
+
+    if(!buf || len == 0) {
+        return -1;
+    }
+
+    if (p12cxt->currentpos+len > p12cxt->filesize) {
+        p12cxt->filesize = p12cxt->currentpos + len;
+    }
+    else {
+        p12cxt->filesize += len;
+    }
+    if (p12cxt->filesize > p12cxt->allocated) {
+        void* newbuffer;
+        size_t newsize = p12cxt->filesize + DEFAULT_TEMP_SIZE;
+        newbuffer  = PORT_Realloc(p12cxt->buffer, newsize);
+        if (NULL == newbuffer) {
+            return -1; /* can't extend the buffer */
+        }
+        p12cxt->buffer = newbuffer;
+        p12cxt->allocated = newsize;
+    }
+    PR_ASSERT(p12cxt->buffer);
+    memcpy((void*)((char*)p12cxt->buffer+p12cxt->currentpos), buf, len);
+    p12cxt->currentpos += len;
+    return len;
+}
+
+/* SEC_PKCS12DecoderStart
+ *	Creates a decoder context for decoding a PKCS 12 PDU objct.
+ *	This function sets up the initial decoding context for the
+ *	PFX and sets the needed state variables.
+ *
+ *	pwitem - the password for the hMac and any encoded safes.
+ *		 this should be changed to take a callback which retrieves
+ *		 the password.  it may be possible for different safes to
+ *		 have different passwords.  also, the password is already
+ *		 in unicode.  it should probably be converted down below via
+ *		 a unicode conversion callback.
+ *	slot - the slot to import the dataa into should multiple slots 
+ *		 be supported based on key type and cert type?
+ *	dOpen, dClose, dRead, dWrite - digest routines for writing data
+ *		 to a file so it could be read back and the hmack recomputed
+ *		 and verified.  doesn't seem to be away for both encoding
+ *		 and decoding to be single pass, thus the need for these
+ *		 routines.
+ *	dArg - the argument for dOpen, etc.
+ *
+ *      if NULL == dOpen == dClose == dRead == dWrite == dArg, then default
+ *      implementations using a memory buffer are used
+ *
+ *	This function returns the decoder context, if it was successful.
+ *	Otherwise, null is returned.
+ */
+SEC_PKCS12DecoderContext *
+SEC_PKCS12DecoderStart(SECItem *pwitem, PK11SlotInfo *slot, void *wincx,
+		       digestOpenFn dOpen, digestCloseFn dClose, 
+		       digestIOFn dRead, digestIOFn dWrite, void *dArg)
+{
+    SEC_PKCS12DecoderContext *p12dcx;
+    PRArenaPool *arena;
+
+    arena = PORT_NewArena(2048); /* different size? */
+    if(!arena) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    /* allocate the decoder context and set the state variables */
+    p12dcx = (SEC_PKCS12DecoderContext*)PORT_ArenaZAlloc(arena, sizeof(SEC_PKCS12DecoderContext));
+    if(!p12dcx) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    if (!dOpen && !dClose && !dRead && !dWrite && !dArg) {
+        /* use default implementations */
+        dOpen = p12u_DigestOpen;
+        dClose = p12u_DigestClose;
+        dRead = p12u_DigestRead;
+        dWrite = p12u_DigestWrite;
+        dArg = (void*)p12dcx;
+    }
+
+    p12dcx->arena = arena;
+    p12dcx->pwitem = pwitem;
+    p12dcx->slot = (slot ? slot : PK11_GetInternalKeySlot());
+    p12dcx->wincx = wincx;
+#ifdef IS_LITTLE_ENDIAN
+    p12dcx->swapUnicodeBytes = PR_TRUE;
+#else
+    p12dcx->swapUnicodeBytes = PR_FALSE;
+#endif
+    p12dcx->errorValue = 0;
+    p12dcx->error = PR_FALSE;
+
+    /* a slot is *required */
+    if(!slot) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* start the decoding of the PFX and set the notify proc
+     * for the PFX item.
+     */
+    p12dcx->pfxDcx = SEC_ASN1DecoderStart(p12dcx->arena, &p12dcx->pfx,
+    					  sec_PKCS12PFXItemTemplate);
+    if(!p12dcx->pfxDcx) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY); 
+	goto loser;
+    }
+
+    SEC_ASN1DecoderSetNotifyProc(p12dcx->pfxDcx, 
+				 sec_pkcs12_decoder_pfx_notify_proc,
+    				 p12dcx); 
+    
+    /* set up digest functions */
+    p12dcx->dOpen = dOpen;
+    p12dcx->dWrite = dWrite;
+    p12dcx->dClose = dClose;
+    p12dcx->dRead = dRead;
+    p12dcx->dArg = dArg;
+
+    return p12dcx;
+
+loser:
+    PORT_FreeArena(arena, PR_TRUE);
+    return NULL;
+}
+
+/* SEC_PKCS12DecoderUpdate 
+ *	Streaming update sending more data to the decoder.  If 
+ *	an error occurs, SECFailure is returned.
+ *
+ *	p12dcx - the decoder context 
+ *	data, len - the data buffer and length of data to send to 
+ *		the update functions.
+ */
+SECStatus
+SEC_PKCS12DecoderUpdate(SEC_PKCS12DecoderContext *p12dcx,
+			unsigned char *data, unsigned long len)
+{
+    SECStatus rv;
+
+    if(!p12dcx || p12dcx->error) {
+	return SECFailure;
+    }
+
+    /* update the PFX decoder context */
+    rv = SEC_ASN1DecoderUpdate(p12dcx->pfxDcx, (const char *)data, len);
+    if(rv != SECSuccess) {
+	p12dcx->errorValue = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
+	goto loser;
+    }
+
+    return SECSuccess;
+
+loser:
+
+    p12dcx->error = PR_TRUE;
+    return SECFailure;
+}
+
+/* IN_BUF_LEN should be larger than SHA1_LENGTH */
+#define IN_BUF_LEN		80
+
+/* verify the hmac by reading the data from the temporary file
+ * using the routines specified when the decodingContext was 
+ * created and return SECSuccess if the hmac matches.
+ */
+static SECStatus
+sec_pkcs12_decoder_verify_mac(SEC_PKCS12DecoderContext *p12dcx)
+{
+    SECStatus rv = SECFailure;
+    SECItem hmacRes;
+    unsigned char buf[IN_BUF_LEN];
+    unsigned int bufLen;
+    int iteration;
+    PK11Context *pk11cx = NULL;
+    SECItem ignore = {0};
+    PK11SymKey *symKey;
+    SECItem *params;
+    SECOidTag algtag;
+    CK_MECHANISM_TYPE integrityMech;
+    
+    if(!p12dcx || p12dcx->error) {
+	return SECFailure;
+    }
+
+    /* generate hmac key */
+    if(p12dcx->macData.iter.data) {
+	iteration = (int)DER_GetInteger(&p12dcx->macData.iter);
+    } else {
+	iteration = 1;
+    }
+
+    params = PK11_CreatePBEParams(&p12dcx->macData.macSalt, p12dcx->pwitem,
+                                  iteration);
+
+    algtag = SECOID_GetAlgorithmTag(&p12dcx->macData.safeMac.digestAlgorithm);
+    switch (algtag) {
+    case SEC_OID_SHA1:
+	integrityMech = CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN; break;
+    case SEC_OID_MD5:
+	integrityMech = CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN;  break;
+    case SEC_OID_MD2:
+	integrityMech = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN;  break;
+    default:
+	goto loser;
+    }
+
+    symKey = PK11_KeyGen(NULL, integrityMech, params, 20, NULL);
+    PK11_DestroyPBEParams(params);
+    if (!symKey) goto loser;
+    /* init hmac */
+    pk11cx = PK11_CreateContextBySymKey(sec_pkcs12_algtag_to_mech(algtag),
+                                        CKA_SIGN, symKey, &ignore);
+    if(!pk11cx) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    rv = PK11_DigestBegin(pk11cx);
+
+    /* try to open the data for readback */
+    if(p12dcx->dOpen && ((*p12dcx->dOpen)(p12dcx->dArg, PR_TRUE) 
+			!= SECSuccess)) {
+	goto loser;
+    }
+
+    /* read the data back IN_BUF_LEN bytes at a time and recompute
+     * the hmac.  if fewer bytes are read than are requested, it is
+     * assumed that the end of file has been reached. if bytesRead
+     * is returned as -1, then an error occured reading from the 
+     * file.
+     */
+    while(1) {
+	int bytesRead = (*p12dcx->dRead)(p12dcx->dArg, buf, IN_BUF_LEN);
+	if(bytesRead == -1) {
+	    goto loser;
+	}
+
+	rv = PK11_DigestOp(pk11cx, buf, bytesRead);
+	if(bytesRead < IN_BUF_LEN) {
+	    break;
+	}
+    }
+
+    /* finish the hmac context */
+    rv = PK11_DigestFinal(pk11cx, buf, &bufLen, IN_BUF_LEN);
+
+    hmacRes.data = buf;
+    hmacRes.len = bufLen;
+
+    /* is the hmac computed the same as the hmac which was decoded? */
+    rv = SECSuccess;
+    if(SECITEM_CompareItem(&hmacRes, &p12dcx->macData.safeMac.digest) 
+			!= SECEqual) {
+	PORT_SetError(SEC_ERROR_PKCS12_INVALID_MAC);
+	rv = SECFailure;
+    }
+
+loser:
+    /* close the file and remove it */
+    if(p12dcx->dClose) {
+	(*p12dcx->dClose)(p12dcx->dArg, PR_TRUE);
+    }
+
+    if(pk11cx) {
+	PK11_DestroyContext(pk11cx, PR_TRUE);
+    }
+
+    return rv;
+}
+
+/* SEC_PKCS12DecoderVerify
+ * 	Verify the macData or the signature of the decoded PKCS 12 PDU.
+ *	If the signature or the macData do not match, SECFailure is
+ *	returned.
+ *
+ * 	p12dcx - the decoder context 
+ */
+SECStatus
+SEC_PKCS12DecoderVerify(SEC_PKCS12DecoderContext *p12dcx)
+{
+    SECStatus rv = SECSuccess;
+
+    /* make sure that no errors have occured... */
+    if(!p12dcx || p12dcx->error) {
+	return SECFailure;
+    }
+
+    /* check the signature or the mac depending on the type of
+     * integrity used.
+     */
+    if(p12dcx->pfx.encodedMacData.len) {
+	rv = SEC_ASN1DecodeItem(p12dcx->arena, &p12dcx->macData,
+				sec_PKCS12MacDataTemplate,
+				&p12dcx->pfx.encodedMacData);
+	if(rv == SECSuccess) {
+	    return sec_pkcs12_decoder_verify_mac(p12dcx);
+	} else {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	}
+    } else {
+	if(SEC_PKCS7VerifySignature(p12dcx->aSafeCinfo, certUsageEmailSigner,
+				    PR_FALSE)) {
+	    return SECSuccess;
+	} else {
+	    PORT_SetError(SEC_ERROR_PKCS12_INVALID_MAC);
+	}
+    }
+
+    return SECFailure;
+}
+
+/* SEC_PKCS12DecoderFinish
+ *	Free any open ASN1 or PKCS7 decoder contexts and then
+ *	free the arena pool which everything should be allocated
+ *	from.  This function should be called upon completion of
+ *	decoding and installing of a pfx pdu.  This should be
+ *	called even if an error occurs.
+ *
+ *	p12dcx - the decoder context
+ */
+void
+SEC_PKCS12DecoderFinish(SEC_PKCS12DecoderContext *p12dcx)
+{
+    if(!p12dcx) {
+	return;
+    }
+
+    if(p12dcx->pfxDcx) {
+	SEC_ASN1DecoderFinish(p12dcx->pfxDcx);
+	p12dcx->pfxDcx = NULL;
+    }
+
+    if(p12dcx->aSafeDcx) {
+	SEC_ASN1DecoderFinish(p12dcx->aSafeDcx);
+	p12dcx->aSafeDcx = NULL;
+    }
+
+    if(p12dcx->currentASafeP7Dcx) {
+	SEC_PKCS7DecoderFinish(p12dcx->currentASafeP7Dcx);
+	p12dcx->currentASafeP7Dcx = NULL;
+    }
+
+    if(p12dcx->aSafeP7Dcx) {
+	SEC_PKCS7DecoderFinish(p12dcx->aSafeP7Dcx);
+    }
+
+    if(p12dcx->hmacDcx) {
+	SEC_ASN1DecoderFinish(p12dcx->hmacDcx);
+	p12dcx->hmacDcx = NULL;
+    }
+
+    if(p12dcx->arena) {
+	PORT_FreeArena(p12dcx->arena, PR_TRUE);
+    }
+}
+
+static SECStatus
+sec_pkcs12_decoder_set_attribute_value(sec_PKCS12SafeBag *bag,
+			       SECOidTag attributeType,
+			       SECItem *attrValue)
+{
+    int i = 0;
+    SECOidData *oid;
+
+    if(!bag || !attrValue) {
+	return SECFailure;
+    }
+
+    oid = SECOID_FindOIDByTag(attributeType);
+    if(!oid) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+
+    if(!bag->attribs) {
+	bag->attribs = (sec_PKCS12Attribute**)PORT_ArenaZAlloc(bag->arena, 
+					sizeof(sec_PKCS12Attribute *) * 2);
+    } else {
+	while(bag->attribs[i]) i++;
+	bag->attribs = (sec_PKCS12Attribute **)PORT_ArenaGrow(bag->arena, 
+				      bag->attribs, 
+				      (i + 1) * sizeof(sec_PKCS12Attribute *),
+				      (i + 2) * sizeof(sec_PKCS12Attribute *));
+    }
+
+    if(!bag->attribs) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+
+    bag->attribs[i] = (sec_PKCS12Attribute*)PORT_ArenaZAlloc(bag->arena, 
+						  sizeof(sec_PKCS12Attribute));
+    if(!bag->attribs) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+
+    bag->attribs[i]->attrValue = (SECItem**)PORT_ArenaZAlloc(bag->arena, 
+						  sizeof(SECItem *) * 2);
+    if(!bag->attribs[i]->attrValue) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+
+    bag->attribs[i+1] = NULL;
+    bag->attribs[i]->attrValue[0] = attrValue;
+    bag->attribs[i]->attrValue[1] = NULL;
+
+    if(SECITEM_CopyItem(bag->arena, &bag->attribs[i]->attrType, &oid->oid)
+			!= SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+static SECItem *
+sec_pkcs12_get_attribute_value(sec_PKCS12SafeBag *bag,
+			       SECOidTag attributeType)
+{
+    int i = 0;
+
+    if(!bag->attribs) {
+	return NULL;
+    }
+
+    while(bag->attribs[i] != NULL) {
+	if(SECOID_FindOIDTag(&bag->attribs[i]->attrType) 
+			== attributeType) {
+	    return bag->attribs[i]->attrValue[0];
+	}
+	i++;
+    }
+
+    return NULL;
+}
+
+/* For now, this function will merely remove any ":"
+ * in the nickname which the PK11 functions may have
+ * placed there.  This will keep dual certs from appearing
+ * twice under "Your" certificates when imported onto smart
+ * cards.  Once with the name "Slot:Cert" and another with
+ * the nickname "Slot:Slot:Cert"
+ */
+static void
+sec_pkcs12_sanitize_nickname(PK11SlotInfo *slot, SECItem *nick)
+{
+    char *nickname;
+    char *delimit;
+    int delimitlen;
+ 
+    nickname = (char*)nick->data; /*Mac breaks without this type cast*/
+    if ((delimit = PORT_Strchr(nickname, ':')) != NULL) {
+        char *slotName;
+	int slotNameLen;
+
+	slotNameLen = delimit-nickname;
+	slotName = PORT_NewArray(char, (slotNameLen+1));
+	PORT_Assert(slotName);
+	if (slotName == NULL) {
+	  /* What else can we do?*/
+	  return;
+	}
+	PORT_Memcpy(slotName, nickname, slotNameLen);
+	slotName[slotNameLen] = '\0';
+	if (PORT_Strcmp(PK11_GetTokenName(slot), slotName) == 0) {
+	  delimitlen = PORT_Strlen(delimit+1);
+	  PORT_Memmove(nickname, delimit+1, delimitlen+1);
+	  nick->len = delimitlen;
+	}
+	PORT_Free(slotName);
+    }
+ 
+}
+
+static SECItem *
+sec_pkcs12_get_nickname(sec_PKCS12SafeBag *bag)
+{
+    SECItem *src, *dest;
+
+    if(!bag) {
+	bag->problem = PR_TRUE;
+	bag->error = SEC_ERROR_NO_MEMORY;
+	return NULL;
+    }
+
+    src = sec_pkcs12_get_attribute_value(bag, SEC_OID_PKCS9_FRIENDLY_NAME);
+    if(!src) {
+	return NULL;
+    }
+
+    dest = (SECItem*)PORT_ZAlloc(sizeof(SECItem));
+    if(!dest) { 
+	goto loser;
+    }
+    if(!sec_pkcs12_convert_item_to_unicode(NULL, dest, src, PR_FALSE, 
+				PR_FALSE, PR_FALSE)) {
+	goto loser;
+    }
+
+    sec_pkcs12_sanitize_nickname(bag->slot, dest);
+
+    return dest;
+
+loser:
+    if(dest) {
+	SECITEM_ZfreeItem(dest, PR_TRUE);
+    }
+
+    bag->problem = PR_TRUE;
+    bag->error = PORT_GetError();
+    return NULL;
+}
+
+static SECStatus
+sec_pkcs12_set_nickname(sec_PKCS12SafeBag *bag, SECItem *name)
+{
+    int i = 0;
+    sec_PKCS12Attribute *attr = NULL;
+    SECOidData *oid = SECOID_FindOIDByTag(SEC_OID_PKCS9_FRIENDLY_NAME);
+
+    if(!bag || !bag->arena || !name) {
+	return SECFailure;
+    }
+	
+    if(!bag->attribs) {
+	if(!oid) {
+	    goto loser;
+	}
+
+	bag->attribs = (sec_PKCS12Attribute**)PORT_ArenaZAlloc(bag->arena, 
+					     sizeof(sec_PKCS12Attribute *)*2);
+	if(!bag->attribs) {
+	    goto loser;
+	}
+	bag->attribs[0] = (sec_PKCS12Attribute*)PORT_ArenaZAlloc(bag->arena, 
+						  sizeof(sec_PKCS12Attribute));
+	if(!bag->attribs[0]) {
+	    goto loser;
+	}
+	bag->attribs[1] = NULL;
+
+	attr = bag->attribs[0];
+	if(SECITEM_CopyItem(bag->arena, &attr->attrType, &oid->oid) 
+			!= SECSuccess) {
+	    goto loser;
+	}
+    } else {
+	while(bag->attribs[i]) {
+	    if(SECOID_FindOIDTag(&bag->attribs[i]->attrType)
+			== SEC_OID_PKCS9_FRIENDLY_NAME) {
+		attr = bag->attribs[i];
+		goto have_attrib;
+		
+	    }
+	    i++;
+	}
+	if(!attr) {
+	    bag->attribs = (sec_PKCS12Attribute **)PORT_ArenaGrow(bag->arena, 
+								  bag->attribs,
+					(i+1) * sizeof(sec_PKCS12Attribute *),
+					(i+2) * sizeof(sec_PKCS12Attribute *));
+	    if(!bag->attribs) {
+		goto loser;
+	    }
+	    bag->attribs[i] = 
+	        (sec_PKCS12Attribute *)PORT_ArenaZAlloc(bag->arena, 
+						  sizeof(sec_PKCS12Attribute));
+	    if(!bag->attribs[i]) {
+		goto loser;
+	    }
+	    bag->attribs[i+1] = NULL;
+	    attr = bag->attribs[i];
+	    if(SECITEM_CopyItem(bag->arena, &attr->attrType, &oid->oid) 
+				!= SECSuccess) {
+		goto loser;
+	    }
+	}
+    }
+have_attrib:
+    PORT_Assert(attr);
+    if(!attr->attrValue) {
+	attr->attrValue = (SECItem **)PORT_ArenaZAlloc(bag->arena, 
+						       sizeof(SECItem *) * 2);
+	if(!attr->attrValue) {
+	    goto loser;
+	}
+	attr->attrValue[0] = (SECItem*)PORT_ArenaZAlloc(bag->arena, 
+							sizeof(SECItem));
+	if(!attr->attrValue[0]) {
+	    goto loser;
+	}
+	attr->attrValue[1] = NULL;
+    }
+
+    name->len = PORT_Strlen((char *)name->data);
+    if(!sec_pkcs12_convert_item_to_unicode(bag->arena, attr->attrValue[0],
+				name, PR_FALSE, PR_FALSE, PR_TRUE)) {
+	goto loser;
+    }
+
+    return SECSuccess;
+
+loser:
+    bag->problem = PR_TRUE;
+    bag->error = SEC_ERROR_NO_MEMORY;
+    return SECFailure;
+}
+	
+static SECStatus
+sec_pkcs12_get_key_info(sec_PKCS12SafeBag *key) 
+{
+    int i = 0;
+    SECKEYPrivateKeyInfo *pki = NULL;
+
+    if(!key) {
+	return SECFailure;
+    }
+
+    /* if the bag does *not* contain an unencrypted PrivateKeyInfo 
+     * then we cannot convert the attributes.  We are propagating
+     * attributes within the PrivateKeyInfo to the SafeBag level.
+     */
+    if(SECOID_FindOIDTag(&(key->safeBagType)) != 
+			SEC_OID_PKCS12_V1_KEY_BAG_ID) {
+	return SECSuccess;
+    }
+
+    pki = key->safeBagContent.pkcs8KeyBag;
+
+    if(!pki || !pki->attributes) {
+	return SECSuccess;
+    }
+
+    while(pki->attributes[i]) {
+	SECItem *attrValue = NULL;
+
+	if(SECOID_FindOIDTag(&pki->attributes[i]->attrType) == 
+			SEC_OID_PKCS9_LOCAL_KEY_ID) {
+	    attrValue = sec_pkcs12_get_attribute_value(key, 
+						 SEC_OID_PKCS9_LOCAL_KEY_ID);
+	    if(!attrValue) {
+		if(sec_pkcs12_decoder_set_attribute_value(key, 
+					SEC_OID_PKCS9_LOCAL_KEY_ID,
+					pki->attributes[i]->attrValue[0])
+					!= SECSuccess) {
+		    key->problem = PR_TRUE;
+		    key->error = SEC_ERROR_NO_MEMORY;
+		    return SECFailure;
+		}
+	    }
+	}
+
+	if(SECOID_FindOIDTag(&pki->attributes[i]->attrType) == 
+			SEC_OID_PKCS9_FRIENDLY_NAME) {
+	    attrValue = sec_pkcs12_get_attribute_value(key, 
+						SEC_OID_PKCS9_FRIENDLY_NAME);
+	    if(!attrValue) {
+		if(sec_pkcs12_decoder_set_attribute_value(key, 
+					SEC_OID_PKCS9_FRIENDLY_NAME,
+					pki->attributes[i]->attrValue[0])
+					!= SECSuccess) {
+		    key->problem = PR_TRUE;
+		    key->error = SEC_ERROR_NO_MEMORY;
+		    return SECFailure;
+		}
+	    }
+	}
+
+	i++;
+    }
+
+    return SECSuccess;
+}
+
+/* retrieve the nickname for the certificate bag.  first look
+ * in the cert bag, otherwise get it from the key.
+ */
+static SECItem *
+sec_pkcs12_get_nickname_for_cert(sec_PKCS12SafeBag *cert,
+				 sec_PKCS12SafeBag *key, 
+				 void *wincx)
+{
+    SECItem *nickname;
+
+    if(!cert) {
+	return NULL;
+    }
+
+    nickname = sec_pkcs12_get_nickname(cert);
+    if(nickname) {
+	return nickname;
+    }
+
+    if(key) {
+	nickname = sec_pkcs12_get_nickname(key);
+	
+        if(nickname && sec_pkcs12_set_nickname(cert, nickname)
+			!= SECSuccess) {
+	    cert->error = SEC_ERROR_NO_MEMORY;
+	    cert->problem = PR_TRUE;
+	    if(nickname) { 
+		SECITEM_ZfreeItem(nickname, PR_TRUE);
+	    }
+	    return NULL;
+	}
+    }
+
+    return nickname;
+}
+
+/* set the nickname for the certificate */
+static SECStatus
+sec_pkcs12_set_nickname_for_cert(sec_PKCS12SafeBag *cert, 
+				 sec_PKCS12SafeBag *key, 
+				 SECItem *nickname, 
+				 void *wincx)
+{
+    if(!nickname || !cert) {
+	return SECFailure;
+    }
+
+    if(sec_pkcs12_set_nickname(cert, nickname) != SECSuccess) {
+	cert->error = SEC_ERROR_NO_MEMORY;
+	cert->problem = PR_TRUE;
+	return SECFailure;
+    }
+
+    if(key) {
+	if(sec_pkcs12_set_nickname(key, nickname) != SECSuccess) {
+	    cert->error = SEC_ERROR_NO_MEMORY;
+	    cert->problem = PR_TRUE;
+	    return SECFailure;
+	}
+    }
+
+    return SECSuccess;
+}
+
+/* retrieve the DER cert from the cert bag */
+static SECItem *
+sec_pkcs12_get_der_cert(sec_PKCS12SafeBag *cert) 
+{
+    if(!cert) {
+	return NULL;
+    }
+
+    if(SECOID_FindOIDTag(&cert->safeBagType) != SEC_OID_PKCS12_V1_CERT_BAG_ID) {
+	return NULL;
+    }
+
+    /* only support X509 certs not SDSI */
+    if(SECOID_FindOIDTag(&cert->safeBagContent.certBag->bagID) 
+			!= SEC_OID_PKCS9_X509_CERT) {
+	return NULL;
+    }
+			
+    return SECITEM_DupItem(&(cert->safeBagContent.certBag->value.x509Cert));
+}
+
+struct certNickInfo {
+    PRArenaPool *arena;
+    unsigned int nNicks;
+    SECItem **nickList;
+    unsigned int error;
+};
+
+/* callback for traversing certificates to gather the nicknames 
+ * used in a particular traversal.  for instance, when using
+ * CERT_TraversePermCertsForSubject, gather the nicknames and
+ * store them in the certNickInfo for a particular DN.
+ * 
+ * this handles the case where multiple nicknames are allowed
+ * for the same dn, which is not currently allowed, but may be
+ * in the future.
+ */ 
+static SECStatus
+gatherNicknames(CERTCertificate *cert, void *arg)
+{
+    struct certNickInfo *nickArg = (struct certNickInfo *)arg;
+    SECItem tempNick;
+    unsigned int i;
+
+    if(!cert || !nickArg || nickArg->error) {
+	return SECFailure;
+    }
+
+    if(!cert->nickname) {
+	return SECSuccess;
+    }
+
+    tempNick.data = (unsigned char *)cert->nickname;
+    tempNick.len = PORT_Strlen(cert->nickname) + 1;
+
+    /* do we already have the nickname in the list? */
+    if(nickArg->nNicks > 0) {
+
+	/* nicknames have been encountered, but there is no list -- bad */
+	if(!nickArg->nickList) {
+	    nickArg->error = SEC_ERROR_NO_MEMORY;
+	    return SECFailure;
+	}
+
+	for(i = 0; i < nickArg->nNicks; i++) {
+	    if(SECITEM_CompareItem(nickArg->nickList[i], &tempNick) 
+				== SECEqual) {
+		return SECSuccess;
+	    }
+	}
+    }
+
+    /* add the nickname to the list */
+    if(nickArg->nNicks == 0) {
+	nickArg->nickList = (SECItem **)PORT_ArenaZAlloc(nickArg->arena, 
+					     2 * sizeof(SECItem *));
+    } else {
+	nickArg->nickList = (SECItem **)PORT_ArenaGrow(nickArg->arena,
+				nickArg->nickList, 
+				(nickArg->nNicks + 1) * sizeof(SECItem *),
+				(nickArg->nNicks + 2) * sizeof(SECItem *));
+    }
+    if(!nickArg->nickList) {
+	nickArg->error = SEC_ERROR_NO_MEMORY;
+	return SECFailure;
+    }
+
+    nickArg->nickList[nickArg->nNicks] = 
+        (SECItem *)PORT_ArenaZAlloc(nickArg->arena, sizeof(SECItem));
+    if(!nickArg->nickList[nickArg->nNicks]) {
+	nickArg->error = SEC_ERROR_NO_MEMORY;
+	return SECFailure;
+    }
+    
+
+    if(SECITEM_CopyItem(nickArg->arena, nickArg->nickList[nickArg->nNicks],
+			&tempNick) != SECSuccess) {
+	nickArg->error = SEC_ERROR_NO_MEMORY;
+	return SECFailure;
+    }
+
+    nickArg->nNicks++;
+
+    return SECSuccess;
+}
+
+/* traverses the certs in the data base or in the token for the
+ * DN to see if any certs currently have a nickname set.
+ * If so, return it. 
+ */
+static SECItem *
+sec_pkcs12_get_existing_nick_for_dn(sec_PKCS12SafeBag *cert, void *wincx)
+{
+    struct certNickInfo *nickArg = NULL;
+    SECItem *derCert, *returnDn = NULL;
+    PRArenaPool *arena = NULL;
+    CERTCertificate *tempCert;
+
+    if(!cert) {
+	return NULL;
+    }
+
+    derCert = sec_pkcs12_get_der_cert(cert);
+    if(!derCert) {
+	return NULL;
+    }
+
+    tempCert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
+    if(!tempCert) {
+	returnDn = NULL;
+	goto loser;
+    }
+
+    arena = PORT_NewArena(1024);
+    if(!arena) {
+	returnDn = NULL;
+	goto loser;
+    }
+    nickArg = (struct certNickInfo *)PORT_ArenaZAlloc(arena, 
+						 sizeof(struct certNickInfo));
+    if(!nickArg) {
+	returnDn = NULL;
+	goto loser;
+    }
+    nickArg->error = 0;
+    nickArg->nNicks = 0;
+    nickArg->nickList = NULL;
+    nickArg->arena = arena;
+
+    /* if the token is local, first traverse the cert database 
+     * then traverse the token.
+     */
+    if(PK11_TraverseCertsForSubjectInSlot(tempCert, cert->slot, gatherNicknames,
+			(void *)nickArg) != SECSuccess) {
+	returnDn = NULL;
+	goto loser;
+    }
+
+    if(nickArg->error) {
+	/* XXX do we want to set the error? */
+	returnDn = NULL;
+	goto loser;
+    }
+		
+    if(nickArg->nNicks == 0) {
+	returnDn = NULL;
+	goto loser;
+    }
+
+    /* set it to the first name, for now.  handle multiple names? */
+    returnDn = SECITEM_DupItem(nickArg->nickList[0]);
+
+loser:
+    if(arena) {
+	PORT_FreeArena(arena, PR_TRUE);
+    }
+
+    if(tempCert) {
+	CERT_DestroyCertificate(tempCert);
+    }
+
+    if(derCert) {
+	SECITEM_FreeItem(derCert, PR_TRUE);
+    }
+
+    return (returnDn);
+}
+
+/* counts certificates found for a given traversal function */
+static SECStatus
+countCertificate(CERTCertificate *cert, void *arg)
+{
+    unsigned int *nCerts = (unsigned int *)arg;
+
+    if(!cert || !arg) {
+	return SECFailure;
+    }
+
+    (*nCerts)++;
+    return SECSuccess;
+}
+
+static PRBool
+sec_pkcs12_certs_for_nickname_exist(SECItem *nickname, PK11SlotInfo *slot)
+{
+    unsigned int nCerts = 0;
+
+    if(!nickname || !slot) {
+	return PR_TRUE;
+    }
+
+    /* we want to check the local database first if we are importing to it */
+    PK11_TraverseCertsForNicknameInSlot(nickname, slot, countCertificate, 
+					(void *)&nCerts);
+    if(nCerts) return PR_TRUE;
+
+    return PR_FALSE;
+}
+
+/* validate cert nickname such that there is a one-to-one relation
+ * between nicknames and dn's.  we want to enforce the case that the
+ * nickname is non-NULL and that there is only one nickname per DN.
+ * 
+ * if there is a problem with a nickname or the nickname is not present, 
+ * the user will be prompted for it.
+ */
+static void
+sec_pkcs12_validate_cert_nickname(sec_PKCS12SafeBag *cert,
+				sec_PKCS12SafeBag *key,
+				SEC_PKCS12NicknameCollisionCallback nicknameCb,
+				void *wincx)
+{
+    SECItem *certNickname, *existingDNNick;
+    PRBool setNickname = PR_FALSE, cancel = PR_FALSE;
+    SECItem *newNickname = NULL;
+
+    if(!cert || !cert->hasKey) {
+	return;
+    }
+
+    if(!nicknameCb) {
+	cert->problem = PR_TRUE;
+	cert->error = SEC_ERROR_NO_MEMORY;
+	return;
+    }
+
+    if(cert->hasKey && !key) {
+	cert->problem = PR_TRUE;
+	cert->error = SEC_ERROR_NO_MEMORY;
+	return;
+    }
+
+    certNickname = sec_pkcs12_get_nickname_for_cert(cert, key, wincx);
+    existingDNNick = sec_pkcs12_get_existing_nick_for_dn(cert, wincx);
+
+    /* nickname is already used w/ this dn, so it is safe to return */
+    if(certNickname && existingDNNick &&
+		SECITEM_CompareItem(certNickname, existingDNNick) == SECEqual) {
+	goto loser;
+    }
+
+    /* nickname not set in pkcs 12 bags, but a nick is already used for
+     * this dn.  set the nicks in the p12 bags and finish.
+     */
+    if(existingDNNick) {
+	if(sec_pkcs12_set_nickname_for_cert(cert, key, existingDNNick, wincx)
+			!= SECSuccess) {
+	    cert->problem = PR_TRUE;
+	    cert->error = SEC_ERROR_NO_MEMORY;
+	}
+	goto loser;
+    }
+
+    /* at this point, we have a certificate for which the DN is not located
+     * on the token.  the nickname specified may or may not be NULL.  if it
+     * is not null, we need to make sure that there are no other certificates
+     * with this nickname in the token for it to be valid.  this imposes a 
+     * one to one relationship between DN and nickname.  
+     *
+     * if the nickname is null, we need the user to enter a nickname for
+     * the certificate.
+     *
+     * once we have a nickname, we make sure that the nickname is unique
+     * for the DN.  if it is not, the user is reprompted to enter a new 
+     * nickname.  
+     *
+     * in order to exit this loop, the nickname entered is either unique
+     * or the user hits cancel and the certificate is not imported.
+     */
+    setNickname = PR_FALSE;
+    while(1) {
+	if(certNickname && certNickname->data) {
+	    /* we will use the nickname so long as no other certs have the
+	     * same nickname.  and the nickname is not NULL.
+	     */		
+	    if(!sec_pkcs12_certs_for_nickname_exist(certNickname, cert->slot)) {
+		if(setNickname) {
+		    if(sec_pkcs12_set_nickname_for_cert(cert, key, certNickname,
+					wincx) != SECSuccess) {
+			cert->problem = PR_TRUE;
+			cert->error = SEC_ERROR_NO_MEMORY;
+		    }
+		}
+		goto loser;
+	    }
+	}
+
+	setNickname = PR_FALSE;
+	newNickname = (*nicknameCb)(certNickname, &cancel, wincx);
+	if(cancel) {
+	    cert->problem = PR_TRUE;
+	    cert->error = SEC_ERROR_USER_CANCELLED;
+	    goto loser;
+	}
+
+	if(!newNickname) {
+	    cert->problem = PR_TRUE;
+	    cert->error = SEC_ERROR_NO_MEMORY;
+	    goto loser;
+	}
+
+	/* at this point we have a new nickname, if we have an existing
+	 * certNickname, we need to free it and assign the new nickname
+	 * to it to avoid a memory leak.  happy?
+	 */
+	if(certNickname) {
+	    SECITEM_ZfreeItem(certNickname, PR_TRUE);
+	    certNickname = NULL;
+	}
+
+	certNickname = newNickname;
+	setNickname = PR_TRUE;
+	/* go back and recheck the new nickname */
+    }
+
+loser:
+    if(certNickname) {
+	SECITEM_ZfreeItem(certNickname, PR_TRUE);
+    }
+
+    if(existingDNNick) {
+	SECITEM_ZfreeItem(existingDNNick, PR_TRUE);
+    }
+}
+
+static void 
+sec_pkcs12_validate_cert(sec_PKCS12SafeBag *cert,
+			 sec_PKCS12SafeBag *key,
+			 SEC_PKCS12NicknameCollisionCallback nicknameCb,
+			 void *wincx)
+{
+    CERTCertificate *leafCert, *testCert;
+
+    if(!cert) {
+	return;
+    }
+    
+    cert->validated = PR_TRUE;
+
+    if(!nicknameCb) {
+	cert->problem = PR_TRUE;
+	cert->error = SEC_ERROR_NO_MEMORY;
+	cert->noInstall = PR_TRUE;
+	return;
+    }
+
+    if(!cert->safeBagContent.certBag) {
+	cert->noInstall = PR_TRUE;
+	cert->problem = PR_TRUE;
+	cert->error = SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE;
+	return;
+    }
+
+    cert->noInstall = PR_FALSE;
+    cert->removeExisting = PR_FALSE;
+    cert->problem = PR_FALSE;
+    cert->error = 0;
+
+    leafCert = CERT_DecodeDERCertificate(
+	 &cert->safeBagContent.certBag->value.x509Cert, PR_FALSE, NULL);
+    if(!leafCert) {
+	cert->noInstall = PR_TRUE;
+	cert->problem = PR_TRUE;
+	cert->error = SEC_ERROR_NO_MEMORY;
+	return;
+    }
+
+    testCert = PK11_FindCertFromDERCert(cert->slot, leafCert, wincx);
+    CERT_DestroyCertificate(leafCert);
+    /* if we can't find the certificate through the PKCS11 interface,
+     * we should check the cert database directly, if we are
+     * importing to an internal slot.
+     */
+    if(!testCert && PK11_IsInternal(cert->slot)) {
+	testCert = CERT_FindCertByDERCert(CERT_GetDefaultCertDB(),
+				 &cert->safeBagContent.certBag->value.x509Cert);
+    }
+
+    if(testCert) {
+	if(!testCert->nickname) {
+	    cert->removeExisting = PR_TRUE;
+	}
+	CERT_DestroyCertificate(testCert);
+	if(cert->noInstall && !cert->removeExisting) {
+	    return;
+	}
+    }
+
+    sec_pkcs12_validate_cert_nickname(cert, key, nicknameCb, wincx);
+}
+
+static void
+sec_pkcs12_validate_key_by_cert(sec_PKCS12SafeBag *cert, sec_PKCS12SafeBag *key,
+				void *wincx)
+{
+    CERTCertificate *leafCert;
+    SECKEYPrivateKey *privk;
+
+    if(!key) {
+	return;
+    }
+
+    key->validated = PR_TRUE;
+
+    if(!cert) {
+	key->problem = PR_TRUE;
+	key->noInstall = PR_TRUE;
+	key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
+	return;
+    }
+
+    leafCert = CERT_DecodeDERCertificate(
+	&(cert->safeBagContent.certBag->value.x509Cert), PR_FALSE, NULL);
+    if(!leafCert) {
+	key->problem = PR_TRUE;
+	key->noInstall = PR_TRUE;
+	key->error = SEC_ERROR_NO_MEMORY;
+	return;
+    }
+
+    privk = PK11_FindPrivateKeyFromCert(key->slot, leafCert, wincx);
+    if(!privk) {
+	privk = PK11_FindKeyByDERCert(key->slot, leafCert, wincx);
+    }
+ 
+    if(privk) {
+	SECKEY_DestroyPrivateKey(privk);
+	key->noInstall = PR_TRUE;
+    } 
+
+    CERT_DestroyCertificate(leafCert);
+}
+
+static SECStatus
+sec_pkcs12_remove_existing_cert(sec_PKCS12SafeBag *cert, 
+				void *wincx)
+{
+    SECItem *derCert = NULL;
+    CERTCertificate *tempCert = NULL;
+    CK_OBJECT_HANDLE certObj;
+    PRBool removed = PR_FALSE;
+
+    if(!cert) {
+	return SECFailure;
+    }
+
+    PORT_Assert(cert->removeExisting);
+
+    cert->removeExisting = PR_FALSE;
+    derCert = &cert->safeBagContent.certBag->value.x509Cert;
+    tempCert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
+    if(!tempCert) {
+	return SECFailure;
+    }
+
+    certObj = PK11_FindCertInSlot(cert->slot, tempCert, wincx);
+    CERT_DestroyCertificate(tempCert);
+    tempCert = NULL;
+
+    if(certObj != CK_INVALID_HANDLE) {
+	PK11_DestroyObject(cert->slot, certObj);
+	removed = PR_TRUE;
+    } else if(PK11_IsInternal(cert->slot)) {
+	tempCert = CERT_FindCertByDERCert(CERT_GetDefaultCertDB(), derCert);
+	if(tempCert) {
+	    if(SEC_DeletePermCertificate(tempCert) == SECSuccess) {
+		removed = PR_TRUE;
+	    } 
+	    CERT_DestroyCertificate(tempCert);
+	    tempCert = NULL;
+	}
+    }
+
+    if(!removed) {
+	cert->problem = PR_TRUE;
+	cert->error = SEC_ERROR_NO_MEMORY;
+	cert->noInstall = PR_TRUE;
+    }
+	
+    if(tempCert) {
+	CERT_DestroyCertificate(tempCert);
+    }
+
+    return ((removed) ? SECSuccess : SECFailure);
+}
+
+static SECStatus
+sec_pkcs12_add_cert(sec_PKCS12SafeBag *cert, PRBool keyExists, void *wincx)
+{
+    SECItem *derCert, *nickName;
+    char *nickData = NULL;
+    SECStatus rv;
+
+    if(!cert) {
+	return SECFailure;
+    }
+
+    if(cert->problem || cert->noInstall || cert->installed) {
+	return SECSuccess;
+    }
+
+    derCert = &cert->safeBagContent.certBag->value.x509Cert;
+    if(cert->removeExisting) {
+	if(sec_pkcs12_remove_existing_cert(cert, wincx) 
+			!= SECSuccess) {
+	    return SECFailure;
+	}
+	cert->removeExisting = PR_FALSE;
+    }
+
+    PORT_Assert(!cert->problem && !cert->removeExisting && !cert->noInstall);
+
+    nickName = sec_pkcs12_get_nickname(cert);
+    if(nickName) {
+	nickData = (char *)nickName->data;
+    }
+
+    if(keyExists) {
+	CERTCertificate *newCert;
+
+	newCert = CERT_DecodeDERCertificate( derCert, PR_FALSE, NULL);
+	if(!newCert) {
+	     if(nickName) SECITEM_ZfreeItem(nickName, PR_TRUE);
+	     cert->error = SEC_ERROR_NO_MEMORY;
+	     cert->problem = PR_TRUE;
+	     return SECFailure;
+	}
+
+	rv = PK11_ImportCertForKeyToSlot(cert->slot, newCert, nickData, 
+					 PR_TRUE, wincx);
+	CERT_DestroyCertificate(newCert);
+    } else {
+	SECItem *certList[2];
+	certList[0] = derCert;
+	certList[1] = NULL;
+	rv = CERT_ImportCerts(CERT_GetDefaultCertDB(), certUsageUserCertImport,
+			      1, certList, NULL, PR_TRUE, PR_FALSE, nickData);
+    }
+
+    cert->installed = PR_TRUE;
+    if(nickName) SECITEM_ZfreeItem(nickName, PR_TRUE);
+    return rv;
+}
+
+static SECStatus
+sec_pkcs12_add_key(sec_PKCS12SafeBag *key, SECItem *publicValue, 
+			KeyType keyType, unsigned int keyUsage, void *wincx)
+{
+    SECStatus rv;
+    SECItem *nickName;
+
+    if(!key) {
+	return SECFailure;
+    }
+
+    if(key->removeExisting) {
+	key->problem = PR_TRUE;
+	key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
+	return SECFailure;
+    }
+
+    if(key->problem || key->noInstall) {
+	return SECSuccess;
+    }
+
+    nickName = sec_pkcs12_get_nickname(key);
+
+    switch(SECOID_FindOIDTag(&key->safeBagType))
+    {
+	case SEC_OID_PKCS12_V1_KEY_BAG_ID:
+	    rv = PK11_ImportPrivateKeyInfo(key->slot, 
+			  key->safeBagContent.pkcs8KeyBag, 
+			  nickName, publicValue, PR_TRUE, PR_TRUE,
+			  keyUsage,  wincx);
+	    break;
+	case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
+	    rv = PK11_ImportEncryptedPrivateKeyInfo(key->slot,
+					key->safeBagContent.pkcs8ShroudedKeyBag,
+					key->pwitem, nickName, publicValue, 
+					PR_TRUE, PR_TRUE, keyType, keyUsage,
+					wincx);
+	    break;
+	default:
+	    key->error = SEC_ERROR_PKCS12_UNSUPPORTED_VERSION;
+	    key->problem = PR_TRUE;
+	    if(nickName) {
+		SECITEM_ZfreeItem(nickName, PR_TRUE);
+	    }
+	    return SECFailure;
+    }
+
+    key->installed = PR_TRUE;
+
+    if(nickName) {
+	SECITEM_ZfreeItem(nickName, PR_TRUE);
+    }
+					
+    if(rv != SECSuccess) {
+	key->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
+	key->problem = PR_TRUE;
+    } else {
+	key->installed = PR_TRUE;
+    }
+
+    return rv;
+}
+
+static SECStatus
+sec_pkcs12_add_item_to_bag_list(sec_PKCS12SafeBag ***bagList, 
+				sec_PKCS12SafeBag *bag)
+{
+    int i = 0;
+
+    if(!bagList || !bag) {
+	return SECFailure;
+    }
+
+    if(!(*bagList)) {
+	(*bagList) = (sec_PKCS12SafeBag **)PORT_ArenaZAlloc(bag->arena, 
+				      sizeof(sec_PKCS12SafeBag *) * 2);
+    } else {
+	while((*bagList)[i]) i++;
+	(*bagList) = (sec_PKCS12SafeBag **)PORT_ArenaGrow(bag->arena, *bagList,
+				sizeof(sec_PKCS12SafeBag *) * (i + 1),
+				sizeof(sec_PKCS12SafeBag *) * (i + 2));
+    }
+
+    if(!(*bagList)) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+
+    (*bagList)[i] = bag;
+    (*bagList)[i+1] = NULL;
+
+    return SECSuccess;
+}
+
+static sec_PKCS12SafeBag **
+sec_pkcs12_find_certs_for_key(sec_PKCS12SafeBag **safeBags, sec_PKCS12SafeBag *key ) 
+{
+    sec_PKCS12SafeBag **certList = NULL;
+    SECItem *keyId;
+    int i;
+
+    if(!safeBags || !safeBags[0]) {
+	return NULL;
+    }
+
+    keyId = sec_pkcs12_get_attribute_value(key, SEC_OID_PKCS9_LOCAL_KEY_ID);
+    if(!keyId) {
+	return NULL;
+    }
+
+    i = 0;
+    certList = NULL;
+    while(safeBags[i]) {
+	if(SECOID_FindOIDTag(&(safeBags[i]->safeBagType)) 
+				== SEC_OID_PKCS12_V1_CERT_BAG_ID) {
+	    SECItem *certKeyId = sec_pkcs12_get_attribute_value(safeBags[i],
+						SEC_OID_PKCS9_LOCAL_KEY_ID);
+
+	    if(certKeyId && (SECITEM_CompareItem(certKeyId, keyId) 
+				== SECEqual)) {
+		if(sec_pkcs12_add_item_to_bag_list(&certList, safeBags[i])
+				!= SECSuccess) {
+		    return NULL;
+		}
+	    }
+	}
+	i++;
+    }
+
+    return certList;
+}
+
+CERTCertList *
+SEC_PKCS12DecoderGetCerts(SEC_PKCS12DecoderContext *p12dcx)
+{
+    CERTCertList *certList = NULL;
+    sec_PKCS12SafeBag **safeBags = p12dcx->safeBags;
+    int i;
+
+    if (!p12dcx || !p12dcx->safeBags || !p12dcx->safeBags[0]) {
+	return NULL;
+    }
+
+    safeBags = p12dcx->safeBags;
+    i = 0;
+    certList = CERT_NewCertList();
+
+    if (certList == NULL) {
+	 return NULL;
+    }
+
+    while(safeBags[i]) {
+	if (SECOID_FindOIDTag(&(safeBags[i]->safeBagType)) 
+				== SEC_OID_PKCS12_V1_CERT_BAG_ID) {
+		SECItem *derCert = sec_pkcs12_get_der_cert(safeBags[i]) ;
+		CERTCertificate *tempCert = NULL;
+
+		if (derCert == NULL) continue;
+    		tempCert=CERT_DecodeDERCertificate(derCert, PR_TRUE, NULL);
+
+		if (tempCert) {
+		    CERT_AddCertToListTail(certList,tempCert);
+		}
+		SECITEM_FreeItem(derCert,PR_TRUE);
+	}
+	i++;
+    }
+
+    return certList;
+}
+static sec_PKCS12SafeBag **
+sec_pkcs12_get_key_bags(sec_PKCS12SafeBag **safeBags)
+{
+    int i;
+    sec_PKCS12SafeBag **keyList = NULL;
+    SECOidTag bagType;
+
+    if(!safeBags || !safeBags[0]) {
+	return NULL;
+    }
+
+    i = 0;
+    while(safeBags[i]) {
+	bagType = SECOID_FindOIDTag(&(safeBags[i]->safeBagType));
+	switch(bagType) {
+	    case SEC_OID_PKCS12_V1_KEY_BAG_ID:
+	    case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
+		if(sec_pkcs12_add_item_to_bag_list(&keyList, safeBags[i])
+				!= SECSuccess) {
+		    return NULL;
+		}
+		break;
+	    default:
+		break;
+	}
+	i++;
+    }
+
+    return keyList;
+}
+
+static SECStatus 
+sec_pkcs12_validate_bags(sec_PKCS12SafeBag **safeBags, 
+			 SEC_PKCS12NicknameCollisionCallback nicknameCb,
+			 void *wincx)
+{
+    sec_PKCS12SafeBag **keyList;
+    int i;
+
+    if(!safeBags || !nicknameCb) {
+	return SECFailure;
+    }
+
+    if(!safeBags[0]) {
+	return SECSuccess;
+    }
+
+    keyList = sec_pkcs12_get_key_bags(safeBags);
+    if(keyList) {
+	i = 0;
+
+	while(keyList[i]) {
+	    sec_PKCS12SafeBag **certList = sec_pkcs12_find_certs_for_key(
+							safeBags, keyList[i]);
+	    if(certList) {
+		int j = 0;
+
+		if(SECOID_FindOIDTag(&(keyList[i]->safeBagType)) == 
+					SEC_OID_PKCS12_V1_KEY_BAG_ID) {
+		    /* if it is an unencrypted private key then make sure
+		     * the attributes are propageted to the appropriate 
+		     * level 
+		     */
+		    if(sec_pkcs12_get_key_info(keyList[i]) != SECSuccess) {
+			keyList[i]->problem = PR_TRUE;
+			keyList[i]->error = SEC_ERROR_NO_MEMORY;
+			return SECFailure;
+		     }
+		}
+	
+		sec_pkcs12_validate_key_by_cert(certList[0], keyList[i], wincx);
+		while(certList[j]) {
+		    certList[j]->hasKey = PR_TRUE;
+		    if(keyList[i]->problem) {
+			certList[j]->problem = PR_TRUE;
+			certList[j]->error = keyList[i]->error;
+		    } else {
+			sec_pkcs12_validate_cert(certList[j], keyList[i],
+						 nicknameCb, wincx);
+			if(certList[j]->problem) {
+			    keyList[i]->problem = certList[j]->problem;
+			    keyList[i]->error = certList[j]->error;
+			}
+		    }
+		    j++;
+		}
+	    }
+
+	    i++;
+	}
+    }
+
+    i = 0;
+    while(safeBags[i]) {
+	if(!safeBags[i]->validated) {
+	    SECOidTag bagType = SECOID_FindOIDTag(&safeBags[i]->safeBagType);
+
+	    switch(bagType) {
+		case SEC_OID_PKCS12_V1_CERT_BAG_ID:
+		    sec_pkcs12_validate_cert(safeBags[i], NULL, nicknameCb, 
+					     wincx);
+		    break;
+		case SEC_OID_PKCS12_V1_KEY_BAG_ID:
+		case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
+		    safeBags[i]->noInstall = PR_TRUE;
+		    safeBags[i]->problem = PR_TRUE;	
+		    safeBags[i]->error = SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY;
+		    break;
+		default:
+		    safeBags[i]->noInstall = PR_TRUE;
+	    }
+	}
+	i++;
+    }
+
+    return SECSuccess;
+}
+
+SECStatus
+SEC_PKCS12DecoderValidateBags(SEC_PKCS12DecoderContext *p12dcx,
+			      SEC_PKCS12NicknameCollisionCallback nicknameCb)
+{
+    SECStatus rv;
+    int i, noInstallCnt, probCnt, bagCnt, errorVal = 0;
+    if(!p12dcx || p12dcx->error) {
+	return SECFailure;
+    }
+
+    rv = sec_pkcs12_validate_bags(p12dcx->safeBags, nicknameCb, p12dcx->wincx);
+    if(rv == SECSuccess) {
+	p12dcx->bagsVerified = PR_TRUE;
+    }
+
+    noInstallCnt = probCnt = bagCnt = 0;
+    i = 0;
+    while(p12dcx->safeBags[i]) {
+	bagCnt++;
+	if(p12dcx->safeBags[i]->noInstall) noInstallCnt++;
+	if(p12dcx->safeBags[i]->problem) {
+	    probCnt++;
+	    errorVal = p12dcx->safeBags[i]->error;
+	}
+	i++;
+    }
+
+    if(bagCnt == noInstallCnt) {
+	PORT_SetError(SEC_ERROR_PKCS12_DUPLICATE_DATA);
+	return SECFailure;
+    }
+
+    if(probCnt) {
+	PORT_SetError(errorVal);
+	return SECFailure;
+    }
+
+    return rv;
+}
+
+static SECItem *
+sec_pkcs12_get_public_value_and_type(sec_PKCS12SafeBag *certBag,
+					KeyType *type, unsigned int *usage)
+{
+    SECKEYPublicKey *pubKey = NULL;
+    CERTCertificate *cert = NULL;
+    SECItem *pubValue;
+
+    *type = nullKey;
+    *usage = 0;
+
+    if(!certBag) {
+	return NULL;
+    }
+
+    cert = CERT_DecodeDERCertificate(
+	 &certBag->safeBagContent.certBag->value.x509Cert, PR_FALSE, NULL);
+    if(!cert) {
+	return NULL;
+    }
+
+    *usage = cert->keyUsage;
+    pubKey = CERT_ExtractPublicKey(cert);
+    CERT_DestroyCertificate(cert);
+    if(!pubKey) {
+	return NULL;
+    }
+
+    *type = pubKey->keyType;
+    switch(pubKey->keyType) {
+	case dsaKey:
+	    pubValue = SECITEM_DupItem(&pubKey->u.dsa.publicValue);
+	    break;
+	case dhKey:
+	    pubValue = SECITEM_DupItem(&pubKey->u.dh.publicValue);
+	    break;
+	case rsaKey:
+	    pubValue = SECITEM_DupItem(&pubKey->u.rsa.modulus);
+	    break;
+	default:
+	    pubValue = NULL;
+    }
+
+    SECKEY_DestroyPublicKey(pubKey);
+
+    return pubValue;
+}
+
+static SECStatus 
+sec_pkcs12_install_bags(sec_PKCS12SafeBag **safeBags, 
+			void *wincx)
+{
+    sec_PKCS12SafeBag **keyList, **certList;
+    int i;
+
+    if(!safeBags) {
+	return SECFailure;
+    }
+
+    if(!safeBags[0]) {
+	return SECSuccess;
+    }
+
+    keyList = sec_pkcs12_get_key_bags(safeBags);
+    if(keyList) {
+	i = 0;
+
+	while(keyList[i]) {
+	    SECStatus rv;
+	    SECItem *publicValue = NULL;
+	    KeyType keyType;
+	    unsigned int keyUsage;
+
+	    if(keyList[i]->problem) {
+		goto next_key_bag;
+	    }
+
+	    certList = sec_pkcs12_find_certs_for_key(safeBags,
+						     keyList[i]);
+	    if(certList) {
+		publicValue = sec_pkcs12_get_public_value_and_type(certList[0],
+							&keyType, &keyUsage);
+	    }
+	    rv = sec_pkcs12_add_key(keyList[i], publicValue, keyType, keyUsage,
+									wincx);
+	    if(publicValue) {
+		SECITEM_FreeItem(publicValue, PR_TRUE);
+	    }
+	    if(rv != SECSuccess) {
+		PORT_SetError(keyList[i]->error);
+		return SECFailure;
+	    }
+
+	    if(certList) {
+		int j = 0;
+
+		while(certList[j]) {
+		    SECStatus certRv;
+
+		    if(rv != SECSuccess) {
+			certList[j]->problem = keyList[i]->problem;
+			certList[j]->error = keyList[i]->error;	
+			certList[j]->noInstall = PR_TRUE;
+			goto next_cert_bag;
+		    }
+
+		    certRv = sec_pkcs12_add_cert(certList[j], 
+						 certList[j]->hasKey, wincx);
+		    if(certRv != SECSuccess) {
+			keyList[i]->problem = certList[j]->problem;
+			keyList[i]->error = certList[j]->error;
+			PORT_SetError(certList[j]->error);
+			return SECFailure;
+		    }
+next_cert_bag:
+		    j++;
+		}
+	    }
+
+next_key_bag:
+	    i++;
+	}
+    }
+
+    i = 0;
+    while(safeBags[i]) {
+	if(!safeBags[i]->installed) {
+	    SECStatus rv;
+	    SECOidTag bagType = SECOID_FindOIDTag(&(safeBags[i]->safeBagType));
+
+	    switch(bagType) {
+		case SEC_OID_PKCS12_V1_CERT_BAG_ID:
+		    rv = sec_pkcs12_add_cert(safeBags[i], safeBags[i]->hasKey,
+					     wincx);
+		    if(rv != SECSuccess) {
+			PORT_SetError(safeBags[i]->error);
+			return SECFailure;
+		    }
+		    break;
+		case SEC_OID_PKCS12_V1_KEY_BAG_ID:
+		case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
+		default:
+		    break;
+	    }
+	}
+	i++;
+    }
+
+    return SECSuccess;
+}
+
+SECStatus
+SEC_PKCS12DecoderImportBags(SEC_PKCS12DecoderContext *p12dcx)
+{
+    if(!p12dcx || p12dcx->error) {
+	return SECFailure;
+    }
+
+    if(!p12dcx->bagsVerified) {
+	return SECFailure;
+    }
+
+    return sec_pkcs12_install_bags(p12dcx->safeBags, p12dcx->wincx);
+}
+
+static SECStatus
+sec_pkcs12_decoder_append_bag_to_context(SEC_PKCS12DecoderContext *p12dcx,
+					 sec_PKCS12SafeBag *bag)
+{
+    if(!p12dcx || p12dcx->error) {
+	return SECFailure;
+    }
+
+    if(!p12dcx->safeBagCount) {
+	p12dcx->safeBags = (sec_PKCS12SafeBag **)PORT_ArenaZAlloc(p12dcx->arena, 
+					    sizeof(sec_PKCS12SafeBag *) * 2);
+    } else {
+	p12dcx->safeBags = 
+	  (sec_PKCS12SafeBag **)PORT_ArenaGrow(p12dcx->arena, p12dcx->safeBags,
+		     (p12dcx->safeBagCount + 1) * sizeof(sec_PKCS12SafeBag *),
+		     (p12dcx->safeBagCount + 2) * sizeof(sec_PKCS12SafeBag *));
+    }
+
+    if(!p12dcx->safeBags) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+
+    p12dcx->safeBags[p12dcx->safeBagCount] = bag;
+    p12dcx->safeBags[p12dcx->safeBagCount+1] = NULL;
+    p12dcx->safeBagCount++;
+
+    return SECSuccess;
+}
+
+static sec_PKCS12SafeBag *
+sec_pkcs12_decoder_convert_old_key(SEC_PKCS12DecoderContext *p12dcx,
+				   void *key, PRBool isEspvk)
+{
+    sec_PKCS12SafeBag *keyBag;
+    SECOidData *oid;
+    SECOidTag keyTag;
+    SECItem *keyID, *nickName, *newNickName;
+
+    if(!p12dcx || p12dcx->error || !key) {
+	return NULL;
+    }
+
+    newNickName =(SECItem *)PORT_ArenaZAlloc(p12dcx->arena, sizeof(SECItem));
+    keyBag = (sec_PKCS12SafeBag *)PORT_ArenaZAlloc(p12dcx->arena, 
+						   sizeof(sec_PKCS12SafeBag));
+    if(!keyBag || !newNickName) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    keyBag->swapUnicodeBytes = p12dcx->swapUnicodeBytes;
+    keyBag->slot = p12dcx->slot;
+    keyBag->arena = p12dcx->arena;
+    keyBag->pwitem = p12dcx->pwitem;
+    keyBag->oldBagType = PR_TRUE;
+
+    keyTag = (isEspvk) ? SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID :
+			 SEC_OID_PKCS12_V1_KEY_BAG_ID;
+    oid = SECOID_FindOIDByTag(keyTag);
+    if(!oid) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    if(SECITEM_CopyItem(p12dcx->arena, &keyBag->safeBagType, &oid->oid) 
+			!= SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    if(isEspvk) {
+	SEC_PKCS12ESPVKItem *espvk = (SEC_PKCS12ESPVKItem *)key;
+	keyBag->safeBagContent.pkcs8ShroudedKeyBag  = 
+					espvk->espvkCipherText.pkcs8KeyShroud;
+	nickName = &(espvk->espvkData.uniNickName); 
+	if(!espvk->espvkData.assocCerts || !espvk->espvkData.assocCerts[0]) {
+	    PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
+	    return NULL;
+	}
+	keyID = &espvk->espvkData.assocCerts[0]->digest;
+    } else {
+	SEC_PKCS12PrivateKey *pk = (SEC_PKCS12PrivateKey *)key;
+	keyBag->safeBagContent.pkcs8KeyBag = &pk->pkcs8data;
+	nickName= &(pk->pvkData.uniNickName);
+	if(!pk->pvkData.assocCerts || !pk->pvkData.assocCerts[0]) {
+	    PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
+	    return NULL;
+	}
+	keyID = &pk->pvkData.assocCerts[0]->digest;
+    }
+
+    if(nickName->len) {
+	if(nickName->len >= 2) {
+	    if(nickName->data[0] && nickName->data[1]) {
+		if(!sec_pkcs12_convert_item_to_unicode(p12dcx->arena, newNickName, 
+					nickName, PR_FALSE, PR_FALSE, PR_TRUE)) {
+		    PORT_SetError(SEC_ERROR_NO_MEMORY);
+		    return NULL;
+		}
+		nickName = newNickName;
+	    } else if(nickName->data[0] && !nickName->data[1]) {
+		unsigned int j = 0;
+		unsigned char t;
+		for(j = 0; j < nickName->len; j+=2) {
+		    t = nickName->data[j+1];
+		    nickName->data[j+1] = nickName->data[j];
+		    nickName->data[j] = t;
+		}
+	    }
+	} else {
+	    if(!sec_pkcs12_convert_item_to_unicode(p12dcx->arena, newNickName, 
+					nickName, PR_FALSE, PR_FALSE, PR_TRUE)) {
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		return NULL;
+	    }
+	    nickName = newNickName;
+	}
+    }
+
+    if(sec_pkcs12_decoder_set_attribute_value(keyBag,
+					      SEC_OID_PKCS9_FRIENDLY_NAME,
+					      nickName) != SECSuccess) {
+	return NULL;
+    }
+	
+    if(sec_pkcs12_decoder_set_attribute_value(keyBag,SEC_OID_PKCS9_LOCAL_KEY_ID,
+					keyID) != SECSuccess) {
+	return NULL;
+    }
+
+    return keyBag;
+}
+
+static sec_PKCS12SafeBag *
+sec_pkcs12_decoder_create_cert(SEC_PKCS12DecoderContext *p12dcx,
+			       SECItem *derCert)
+{
+    sec_PKCS12SafeBag *certBag;
+    SECOidData *oid;
+    SGNDigestInfo *digest;
+    SECItem *keyId;
+    SECStatus rv;
+
+    if(!p12dcx || p12dcx->error || !derCert) {
+	return NULL;
+    }
+
+    keyId = (SECItem *)PORT_ArenaZAlloc(p12dcx->arena, sizeof(SECItem));
+    if(!keyId) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    digest = sec_pkcs12_compute_thumbprint(derCert);
+    if(!digest) {
+	return NULL;
+    }
+
+    rv = SECITEM_CopyItem(p12dcx->arena, keyId, &digest->digest);
+    SGN_DestroyDigestInfo(digest);
+    if(rv != SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    oid = SECOID_FindOIDByTag(SEC_OID_PKCS12_V1_CERT_BAG_ID);
+    certBag = (sec_PKCS12SafeBag *)PORT_ArenaZAlloc(p12dcx->arena, 
+						    sizeof(sec_PKCS12SafeBag));
+    if(!certBag || !oid || (SECITEM_CopyItem(p12dcx->arena, 
+			&certBag->safeBagType, &oid->oid) != SECSuccess)) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    certBag->slot = p12dcx->slot;
+    certBag->pwitem = p12dcx->pwitem;
+    certBag->swapUnicodeBytes = p12dcx->swapUnicodeBytes;
+    certBag->arena = p12dcx->arena;
+
+    oid = SECOID_FindOIDByTag(SEC_OID_PKCS9_X509_CERT);
+    certBag->safeBagContent.certBag = 
+        (sec_PKCS12CertBag *)PORT_ArenaZAlloc(p12dcx->arena, 
+					      sizeof(sec_PKCS12CertBag));
+    if(!certBag->safeBagContent.certBag || !oid ||
+			(SECITEM_CopyItem(p12dcx->arena, 
+				 &certBag->safeBagContent.certBag->bagID,
+				 &oid->oid) != SECSuccess)) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+      
+    if(SECITEM_CopyItem(p12dcx->arena, 
+			 &(certBag->safeBagContent.certBag->value.x509Cert),
+			 derCert) != SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    if(sec_pkcs12_decoder_set_attribute_value(certBag, SEC_OID_PKCS9_LOCAL_KEY_ID,
+					keyId) != SECSuccess) {
+	return NULL;
+    }
+
+    return certBag;
+}
+
+static sec_PKCS12SafeBag **
+sec_pkcs12_decoder_convert_old_cert(SEC_PKCS12DecoderContext *p12dcx,
+				    SEC_PKCS12CertAndCRL *oldCert)
+{
+    sec_PKCS12SafeBag **certList;
+    SECItem **derCertList;
+    int i, j;
+
+    if(!p12dcx || p12dcx->error || !oldCert) {
+	return NULL;
+    }
+
+    derCertList = SEC_PKCS7GetCertificateList(&oldCert->value.x509->certOrCRL);
+    if(!derCertList) {
+	return NULL;
+    }
+
+    i = 0;
+    while(derCertList[i]) i++;
+
+    certList = (sec_PKCS12SafeBag **)PORT_ArenaZAlloc(p12dcx->arena, 
+				(i + 1) * sizeof(sec_PKCS12SafeBag *));
+    if(!certList) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    for(j = 0; j < i; j++) {
+	certList[j] = sec_pkcs12_decoder_create_cert(p12dcx, derCertList[j]);
+	if(!certList[j]) {
+	    return NULL;
+	}
+    }
+
+    return certList;
+}   
+
+static SECStatus
+sec_pkcs12_decoder_convert_old_key_and_certs(SEC_PKCS12DecoderContext *p12dcx,
+					     void *oldKey, PRBool isEspvk,
+					     SEC_PKCS12SafeContents *safe,
+					     SEC_PKCS12Baggage *baggage)
+{
+    sec_PKCS12SafeBag *key, **certList;
+    SEC_PKCS12CertAndCRL *oldCert;
+    SEC_PKCS12PVKSupportingData *pvkData;
+    int i;
+    SECItem *keyName;
+
+    if(!p12dcx || !oldKey) {
+	return SECFailure;
+    }
+
+    if(isEspvk) {
+	pvkData = &((SEC_PKCS12ESPVKItem *)(oldKey))->espvkData;
+    } else {
+	pvkData = &((SEC_PKCS12PrivateKey *)(oldKey))->pvkData;
+    }
+
+    if(!pvkData->assocCerts || !pvkData->assocCerts[0]) {
+	PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
+	return SECFailure;
+    }
+
+    oldCert = (SEC_PKCS12CertAndCRL *)sec_pkcs12_find_object(safe, baggage, 
+				     SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID, NULL,
+				     pvkData->assocCerts[0]);
+    if(!oldCert) {
+	PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
+	return SECFailure;
+    }
+	
+    key = sec_pkcs12_decoder_convert_old_key(p12dcx,oldKey, isEspvk);
+    certList = sec_pkcs12_decoder_convert_old_cert(p12dcx, oldCert);
+    if(!key || !certList) {
+	return SECFailure;
+    }
+
+    if(sec_pkcs12_decoder_append_bag_to_context(p12dcx, key) != SECSuccess) {
+	return SECFailure;
+    }
+
+    keyName = sec_pkcs12_get_nickname(key);
+    if(!keyName) {
+	return SECFailure;
+    }
+
+    i = 0;
+    while(certList[i]) {
+	if(sec_pkcs12_decoder_append_bag_to_context(p12dcx, certList[i]) 
+				!= SECSuccess) {
+	    return SECFailure;
+	}
+	i++;
+    }
+
+    certList = sec_pkcs12_find_certs_for_key(p12dcx->safeBags, key);
+    if(!certList) {
+	return SECFailure;
+    }
+
+    i = 0;
+    while(certList[i] != 0) {
+	if(sec_pkcs12_set_nickname(certList[i], keyName) != SECSuccess) {
+	    return SECFailure;
+	}
+	i++;
+    }
+				
+    return SECSuccess;
+}
+	
+static SECStatus
+sec_pkcs12_decoder_convert_old_safe_to_bags(SEC_PKCS12DecoderContext *p12dcx,
+					    SEC_PKCS12SafeContents *safe,
+					    SEC_PKCS12Baggage *baggage)
+{
+    SECStatus rv;
+
+    if(!p12dcx || p12dcx->error) {
+	return SECFailure;
+    }
+
+    if(safe && safe->contents) {
+	int i = 0;
+	while(safe->contents[i] != NULL) {
+	    if(SECOID_FindOIDTag(&safe->contents[i]->safeBagType) 
+				== SEC_OID_PKCS12_KEY_BAG_ID) {
+		int j = 0;
+		SEC_PKCS12PrivateKeyBag *privBag = 
+					safe->contents[i]->safeContent.keyBag;
+		
+		while(privBag->privateKeys[j] != NULL) {
+		    SEC_PKCS12PrivateKey *pk = privBag->privateKeys[j];
+		    rv = sec_pkcs12_decoder_convert_old_key_and_certs(p12dcx,pk,
+						PR_FALSE, safe, baggage);
+		    if(rv != SECSuccess) {
+			goto loser;
+		    }
+		    j++;
+		}
+	    }
+	    i++;
+	}
+    }
+
+    if(baggage && baggage->bags) {
+	int i = 0;
+	while(baggage->bags[i] != NULL) {
+	    SEC_PKCS12BaggageItem *bag = baggage->bags[i];
+	    int j = 0;
+
+	    if(!bag->espvks) {
+		i++;
+		continue;
+	    }
+
+	    while(bag->espvks[j] != NULL) {
+		SEC_PKCS12ESPVKItem *espvk = bag->espvks[j];
+		rv = sec_pkcs12_decoder_convert_old_key_and_certs(p12dcx, espvk,
+							PR_TRUE, safe, baggage);
+		if(rv != SECSuccess) {
+		    goto loser;
+		}
+		j++;
+	    }
+	    i++;
+	}
+    }
+
+    return SECSuccess;
+
+loser:
+    return SECFailure;
+}
+
+SEC_PKCS12DecoderContext *
+sec_PKCS12ConvertOldSafeToNew(PRArenaPool *arena, PK11SlotInfo *slot, 
+			      PRBool swapUnicode, SECItem *pwitem,
+			      void *wincx, SEC_PKCS12SafeContents *safe,
+			      SEC_PKCS12Baggage *baggage)
+{
+    SEC_PKCS12DecoderContext *p12dcx;
+
+    if(!arena || !slot || !pwitem) {
+	return NULL;
+    }
+
+    if(!safe && !baggage) {
+	return NULL;
+    }
+
+    p12dcx = (SEC_PKCS12DecoderContext *)PORT_ArenaZAlloc(arena, 
+					    sizeof(SEC_PKCS12DecoderContext));
+    if(!p12dcx) {
+	return NULL;
+    }
+
+    p12dcx->arena = arena;
+    p12dcx->slot = slot;
+    p12dcx->wincx = wincx;
+    p12dcx->error = PR_FALSE;
+    p12dcx->swapUnicodeBytes = swapUnicode; 
+    p12dcx->pwitem = pwitem;
+    
+    if(sec_pkcs12_decoder_convert_old_safe_to_bags(p12dcx, safe, baggage) 
+				!= SECSuccess) {
+	p12dcx->error = PR_TRUE;
+	return NULL;
+    }
+
+    return p12dcx;
+}
diff --git a/security/nss/lib/pkcs12/p12dec.c b/security/nss/lib/pkcs12/p12dec.c
new file mode 100644
index 000000000..abce05885
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12dec.c
@@ -0,0 +1,693 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "pkcs12.h"
+#include "plarena.h"
+#include "secpkcs7.h"
+#include "p12local.h"
+#include "secoid.h"
+#include "secitem.h"
+#include "secport.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "secerr.h"
+#include "cert.h"
+#include "certdb.h"
+#include "p12plcy.h"
+#include "p12.h" 
+#include "secpkcs5.h" 
+
+/* PFX extraction and validation routines */
+
+/* decode the DER encoded PFX item.  if unable to decode, check to see if it
+ * is an older PFX item.  If that fails, assume the file was not a valid
+ * pfx file.
+ * the returned pfx structure should be destroyed using SEC_PKCS12DestroyPFX
+ */
+static SEC_PKCS12PFXItem *
+sec_pkcs12_decode_pfx(SECItem *der_pfx)
+{
+    SEC_PKCS12PFXItem *pfx;
+    SECStatus rv;
+
+    if(der_pfx == NULL) {
+	return NULL;
+    }
+
+    /* allocate the space for a new PFX item */
+    pfx = sec_pkcs12_new_pfx();
+    if(pfx == NULL) {
+	return NULL;
+    }
+
+    rv = SEC_ASN1DecodeItem(pfx->poolp, pfx, SEC_PKCS12PFXItemTemplate, 
+    			    der_pfx);
+
+    /* if a failure occurred, check for older version...
+     * we also get rid of the old pfx structure, because we don't
+     * know where it failed and what data in may contain
+     */
+    if(rv != SECSuccess) {
+	SEC_PKCS12DestroyPFX(pfx);
+	pfx = sec_pkcs12_new_pfx();
+	if(pfx == NULL) {
+	    return NULL;
+	}
+	rv = SEC_ASN1DecodeItem(pfx->poolp, pfx, SEC_PKCS12PFXItemTemplate_OLD, 
+				der_pfx);
+	if(rv != SECSuccess) {
+	    PORT_SetError(SEC_ERROR_PKCS12_DECODING_PFX);
+	    PORT_FreeArena(pfx->poolp, PR_TRUE);
+	    return NULL;
+	}
+	pfx->old = PR_TRUE;
+	SGN_CopyDigestInfo(pfx->poolp, &pfx->macData.safeMac, &pfx->old_safeMac);
+	SECITEM_CopyItem(pfx->poolp, &pfx->macData.macSalt, &pfx->old_macSalt);
+    } else {
+	pfx->old = PR_FALSE;
+    }
+
+    /* convert bit string from bits to bytes */
+    pfx->macData.macSalt.len /= 8;
+
+    return pfx;
+}
+
+/* validate the integrity MAC used in the PFX.  The MAC is generated
+ * per the PKCS 12 document.  If the MAC is incorrect, it is most likely
+ * due to an invalid password.
+ * pwitem is the integrity password
+ * pfx is the decoded pfx item
+ */
+static PRBool 
+sec_pkcs12_check_pfx_mac(SEC_PKCS12PFXItem *pfx,
+			 SECItem *pwitem)
+{
+    SECItem *key = NULL, *mac = NULL, *data = NULL;
+    SECItem *vpwd = NULL;
+    SECOidTag algorithm;
+    PRBool ret = PR_FALSE;
+
+    if(pfx == NULL) {
+	return PR_FALSE;
+    }
+
+    algorithm = SECOID_GetAlgorithmTag(&pfx->macData.safeMac.digestAlgorithm);
+    switch(algorithm) {
+	/* only SHA1 hashing supported as a MACing algorithm */
+	case SEC_OID_SHA1:
+	    if(pfx->old == PR_FALSE) {
+		pfx->swapUnicode = PR_FALSE;
+	    }
+
+recheckUnicodePassword:
+	    vpwd = sec_pkcs12_create_virtual_password(pwitem, 
+	    					&pfx->macData.macSalt, 
+						pfx->swapUnicode);
+	    if(vpwd == NULL) {
+		return PR_FALSE;
+	    }
+
+	    key = sec_pkcs12_generate_key_from_password(algorithm,
+						&pfx->macData.macSalt, 
+						(pfx->old ? pwitem : vpwd));
+	    /* free vpwd only for newer PFX */
+	    if(vpwd) {
+		SECITEM_ZfreeItem(vpwd, PR_TRUE);
+	    }
+	    if(key == NULL) {
+		return PR_FALSE;
+	    }
+
+	    data = SEC_PKCS7GetContent(&pfx->authSafe);
+	    if(data == NULL) {
+		break;
+	    }
+
+	    /* check MAC */
+	    mac = sec_pkcs12_generate_mac(key, data, pfx->old);
+	    ret = PR_TRUE;
+	    if(mac) {
+		SECItem *safeMac = &pfx->macData.safeMac.digest;
+		if(SECITEM_CompareItem(mac, safeMac) != SECEqual) {
+
+		    /* if we encounter an invalid mac, lets invert the
+		     * password in case of unicode changes 
+		     */
+		    if(((!pfx->old) && pfx->swapUnicode) || (pfx->old)){
+			PORT_SetError(SEC_ERROR_PKCS12_INVALID_MAC);
+			ret = PR_FALSE;
+		    } else {
+			SECITEM_ZfreeItem(mac, PR_TRUE);
+			pfx->swapUnicode = PR_TRUE;
+			goto recheckUnicodePassword;
+		    }
+		} 
+		SECITEM_ZfreeItem(mac, PR_TRUE);
+	    } else {
+		ret = PR_FALSE;
+	    }
+	    break;
+	default:
+	    PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM);
+	    ret = PR_FALSE;
+	    break;
+    }
+
+    /* let success fall through */
+    if(key != NULL)
+	SECITEM_ZfreeItem(key, PR_TRUE);
+
+    return ret;
+}
+
+/* check the validity of the pfx structure.  we currently only support
+ * password integrity mode, so we check the MAC.
+ */
+static PRBool 
+sec_pkcs12_validate_pfx(SEC_PKCS12PFXItem *pfx, 
+			SECItem *pwitem)
+{
+    SECOidTag contentType;
+
+    contentType = SEC_PKCS7ContentType(&pfx->authSafe);
+    switch(contentType)
+    {
+	case SEC_OID_PKCS7_DATA:
+	    return sec_pkcs12_check_pfx_mac(pfx, pwitem);
+	    break;
+	case SEC_OID_PKCS7_SIGNED_DATA:
+	default:
+	    PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE);
+	    break;
+    }
+
+    return PR_FALSE;
+}
+
+/* decode and return the valid PFX.  if the PFX item is not valid,
+ * NULL is returned.
+ */
+static SEC_PKCS12PFXItem *
+sec_pkcs12_get_pfx(SECItem *pfx_data, 
+		   SECItem *pwitem)
+{
+    SEC_PKCS12PFXItem *pfx;
+    PRBool valid_pfx;
+
+    if((pfx_data == NULL) || (pwitem == NULL)) {
+	return NULL;
+    }
+
+    pfx = sec_pkcs12_decode_pfx(pfx_data);
+    if(pfx == NULL) {
+	return NULL;
+    }
+
+    valid_pfx = sec_pkcs12_validate_pfx(pfx, pwitem);
+    if(valid_pfx != PR_TRUE) {
+	SEC_PKCS12DestroyPFX(pfx);
+	pfx = NULL;
+    }
+
+    return pfx;
+}
+
+/* authenticated safe decoding, validation, and access routines
+ */
+
+/* convert dogbert beta 3 authenticated safe structure to a post
+ * beta three structure, so that we don't have to change more routines.
+ */
+static SECStatus
+sec_pkcs12_convert_old_auth_safe(SEC_PKCS12AuthenticatedSafe *asafe)
+{
+    SEC_PKCS12Baggage *baggage;
+    SEC_PKCS12BaggageItem *bag;
+    SECStatus rv = SECSuccess;
+
+    if(asafe->old_baggage.espvks == NULL) {
+	/* XXX should the ASN1 engine produce a single NULL element list
+	 * rather than setting the pointer to NULL?  
+	 * There is no need to return an error -- assume that the list
+	 * was empty.
+	 */
+	return SECSuccess;
+    }
+
+    baggage = sec_pkcs12_create_baggage(asafe->poolp);
+    if(!baggage) {
+	return SECFailure;
+    }
+    bag = sec_pkcs12_create_external_bag(baggage);
+    if(!bag) {
+	return SECFailure;
+    }
+
+    PORT_Memcpy(&asafe->baggage, baggage, sizeof(SEC_PKCS12Baggage));
+
+    /* if there are shrouded keys, append them to the bag */
+    rv = SECSuccess;
+    if(asafe->old_baggage.espvks[0] != NULL) {
+	int nEspvk = 0;
+	rv = SECSuccess;
+	while((asafe->old_baggage.espvks[nEspvk] != NULL) && 
+		(rv == SECSuccess)) {
+	    rv = sec_pkcs12_append_shrouded_key(bag, 
+	    				asafe->old_baggage.espvks[nEspvk]);
+	    nEspvk++;
+	}
+    }
+
+    return rv;
+}    
+
+/* decodes the authenticated safe item.  a return of NULL indicates
+ * an error.  however, the error will have occured either in memory
+ * allocation or in decoding the authenticated safe.
+ *
+ * if an old PFX item has been found, we want to convert the
+ * old authenticated safe to the new one.
+ */
+static SEC_PKCS12AuthenticatedSafe *
+sec_pkcs12_decode_authenticated_safe(SEC_PKCS12PFXItem *pfx) 
+{
+    SECItem *der_asafe = NULL;
+    SEC_PKCS12AuthenticatedSafe *asafe = NULL;
+    SECStatus rv;
+
+    if(pfx == NULL) {
+	return NULL;
+    }
+
+    der_asafe = SEC_PKCS7GetContent(&pfx->authSafe);
+    if(der_asafe == NULL) {
+	/* XXX set error ? */
+	goto loser;
+    }
+
+    asafe = sec_pkcs12_new_asafe(pfx->poolp);
+    if(asafe == NULL) {
+	goto loser;
+    }
+
+    if(pfx->old == PR_FALSE) {
+	rv = SEC_ASN1DecodeItem(pfx->poolp, asafe, 
+			 	SEC_PKCS12AuthenticatedSafeTemplate, 
+			 	der_asafe);
+	asafe->old = PR_FALSE;
+	asafe->swapUnicode = pfx->swapUnicode;
+    } else {
+	/* handle beta exported files */
+	rv = SEC_ASN1DecodeItem(pfx->poolp, asafe, 
+				SEC_PKCS12AuthenticatedSafeTemplate_OLD,
+				der_asafe);
+	asafe->safe = &(asafe->old_safe);
+	rv = sec_pkcs12_convert_old_auth_safe(asafe);
+	asafe->old = PR_TRUE;
+    }
+
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+
+    asafe->poolp = pfx->poolp;
+    
+    return asafe;
+
+loser:
+    return NULL;
+}
+
+/* validates the safe within the authenticated safe item.  
+ * in order to be valid:
+ *  1.  the privacy salt must be present
+ *  2.  the encryption algorithm must be supported (including
+ *	export policy)
+ * PR_FALSE indicates an error, PR_TRUE indicates a valid safe
+ */
+static PRBool 
+sec_pkcs12_validate_encrypted_safe(SEC_PKCS12AuthenticatedSafe *asafe)
+{
+    PRBool valid = PR_FALSE;
+    SECAlgorithmID *algid;
+
+    if(asafe == NULL) {
+	return PR_FALSE;
+    }
+
+    /* if mode is password privacy, then privacySalt is assumed
+     * to be non-zero.
+     */
+    if(asafe->privacySalt.len != 0) {
+	valid = PR_TRUE;
+	asafe->privacySalt.len /= 8;
+    } else {
+	PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
+	return PR_FALSE;
+    }
+
+    /* until spec changes, content will have between 2 and 8 bytes depending
+     * upon the algorithm used if certs are unencrypted...
+     * also want to support case where content is empty -- which we produce 
+     */ 
+    if(SEC_PKCS7IsContentEmpty(asafe->safe, 8) == PR_TRUE) {
+	asafe->emptySafe = PR_TRUE;
+	return PR_TRUE;
+    }
+
+    asafe->emptySafe = PR_FALSE;
+
+    /* make sure that a pbe algorithm is being used */
+    algid = SEC_PKCS7GetEncryptionAlgorithm(asafe->safe);
+    if(algid != NULL) {
+	if(SEC_PKCS5IsAlgorithmPBEAlg(algid)) {
+	    valid = SEC_PKCS12DecryptionAllowed(algid);
+
+	    if(valid == PR_FALSE) {
+		PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM);
+	    }
+	} else {
+	    PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM);
+	    valid = PR_FALSE;
+	}
+    } else {
+	valid = PR_FALSE;
+	PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM);
+    }
+
+    return valid;
+}
+
+/* validates authenticates safe:
+ *  1.  checks that the version is supported
+ *  2.  checks that only password privacy mode is used (currently)
+ *  3.  further, makes sure safe has appropriate policies per above function
+ * PR_FALSE indicates failure.
+ */
+static PRBool 
+sec_pkcs12_validate_auth_safe(SEC_PKCS12AuthenticatedSafe *asafe)
+{
+    PRBool valid = PR_TRUE;
+    SECOidTag safe_type;
+    int version;
+
+    if(asafe == NULL) {
+	return PR_FALSE;
+    }
+
+    /* check version, since it is default it may not be present.
+     * therefore, assume ok
+     */
+    if((asafe->version.len > 0) && (asafe->old == PR_FALSE)) {
+	version = DER_GetInteger(&asafe->version);
+	if(version > SEC_PKCS12_PFX_VERSION) {
+	    PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_VERSION);
+	    return PR_FALSE;
+	}
+    }
+
+    /* validate password mode is being used */
+    safe_type = SEC_PKCS7ContentType(asafe->safe);
+    switch(safe_type)
+    {
+	case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	    valid = sec_pkcs12_validate_encrypted_safe(asafe);
+	    break;
+	case SEC_OID_PKCS7_ENVELOPED_DATA:
+	default:
+	    PORT_SetError(SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE);
+	    valid = PR_FALSE;
+	    break;
+    }
+
+    return valid;
+}
+
+/* retrieves the authenticated safe item from the PFX item
+ *  before returning the authenticated safe, the validity of the
+ *  authenticated safe is checked and if valid, returned.
+ * a return of NULL indicates that an error occured.
+ */
+static SEC_PKCS12AuthenticatedSafe *
+sec_pkcs12_get_auth_safe(SEC_PKCS12PFXItem *pfx)
+{
+    SEC_PKCS12AuthenticatedSafe *asafe;
+    PRBool valid_safe;
+
+    if(pfx == NULL) {
+	return NULL;
+    }
+
+    asafe = sec_pkcs12_decode_authenticated_safe(pfx);
+    if(asafe == NULL) {
+	return NULL;
+    }
+
+    valid_safe = sec_pkcs12_validate_auth_safe(asafe);
+    if(valid_safe != PR_TRUE) {
+	asafe = NULL;
+    } else if(asafe) {
+	asafe->baggage.poolp = asafe->poolp;
+    }
+
+    return asafe;
+}
+
+/* decrypts the authenticated safe.
+ * a return of anything but SECSuccess indicates an error.  the
+ * password is not known to be valid until the call to the 
+ * function sec_pkcs12_get_safe_contents.  If decoding the safe
+ * fails, it is assumed the password was incorrect and the error
+ * is set then.  any failure here is assumed to be due to 
+ * internal problems in SEC_PKCS7DecryptContents or below.
+ */
+static SECStatus
+sec_pkcs12_decrypt_auth_safe(SEC_PKCS12AuthenticatedSafe *asafe, 
+			     SECItem *pwitem,
+			     void *wincx)
+{
+    SECStatus rv = SECFailure;
+    SECItem *vpwd = NULL;
+
+    if((asafe == NULL) || (pwitem == NULL)) {
+	return SECFailure;
+    }
+
+    if(asafe->old == PR_FALSE) {
+	vpwd = sec_pkcs12_create_virtual_password(pwitem, &asafe->privacySalt,
+						 asafe->swapUnicode);
+	if(vpwd == NULL) {
+	    return SECFailure;
+	}
+    }
+
+    rv = SEC_PKCS7DecryptContents(asafe->poolp, asafe->safe, 
+    				  (asafe->old ? pwitem : vpwd), wincx);
+
+    if(asafe->old == PR_FALSE) {
+	SECITEM_ZfreeItem(vpwd, PR_TRUE);
+    }
+
+    return rv;
+}
+
+/* extract the safe from the authenticated safe.
+ *  if we are unable to decode the safe, then it is likely that the 
+ *  safe has not been decrypted or the password used to decrypt
+ *  the safe was invalid.  we assume that the password was invalid and
+ *  set an error accordingly.
+ * a return of NULL indicates that an error occurred.
+ */
+static SEC_PKCS12SafeContents *
+sec_pkcs12_get_safe_contents(SEC_PKCS12AuthenticatedSafe *asafe)
+{
+    SECItem *src = NULL;
+    SEC_PKCS12SafeContents *safe = NULL;
+    SECStatus rv = SECFailure;
+
+    if(asafe == NULL) {
+	return NULL;
+    }
+
+    safe = (SEC_PKCS12SafeContents *)PORT_ArenaZAlloc(asafe->poolp, 
+	    					sizeof(SEC_PKCS12SafeContents));
+    if(safe == NULL) {
+	return NULL;
+    }
+    safe->poolp = asafe->poolp;
+    safe->old = asafe->old;
+    safe->swapUnicode = asafe->swapUnicode;
+
+    src = SEC_PKCS7GetContent(asafe->safe);
+    if(src != NULL) {
+	const SEC_ASN1Template *theTemplate;
+	if(asafe->old != PR_TRUE) {
+	    theTemplate = SEC_PKCS12SafeContentsTemplate;
+	} else {
+	    theTemplate = SEC_PKCS12SafeContentsTemplate_OLD;
+	}
+
+	rv = SEC_ASN1DecodeItem(asafe->poolp, safe, theTemplate, src);
+
+	/* if we could not decode the item, password was probably invalid */
+	if(rv != SECSuccess) {
+	    safe = NULL;
+	    PORT_SetError(SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT);
+	}
+    } else {
+	PORT_SetError(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE);
+	rv = SECFailure;
+    }
+
+    return safe;
+}
+
+/* import PFX item 
+ * der_pfx is the der encoded pfx structure
+ * pbef and pbearg are the integrity/encryption password call back
+ * ncCall is the nickname collision calllback
+ * slot is the destination token
+ * wincx window handler
+ *
+ * on error, error code set and SECFailure returned 
+ */
+SECStatus
+SEC_PKCS12PutPFX(SECItem *der_pfx, SECItem *pwitem,
+		 SEC_PKCS12NicknameCollisionCallback ncCall,
+		 PK11SlotInfo *slot,
+		 void *wincx)
+{
+    SEC_PKCS12PFXItem *pfx;
+    SEC_PKCS12AuthenticatedSafe *asafe;
+    SEC_PKCS12SafeContents *safe_contents = NULL;
+    SECStatus rv;
+
+    if(!der_pfx || !pwitem || !slot) {
+	return SECFailure;
+    }
+
+    /* decode and validate each section */
+    rv = SECFailure;
+
+    pfx = sec_pkcs12_get_pfx(der_pfx, pwitem);
+    if(pfx != NULL) {
+	asafe = sec_pkcs12_get_auth_safe(pfx);
+	if(asafe != NULL) {
+
+	    /* decrypt safe -- only if not empty */
+	    if(asafe->emptySafe != PR_TRUE) {
+		rv = sec_pkcs12_decrypt_auth_safe(asafe, pwitem, wincx);
+		if(rv == SECSuccess) {
+		    safe_contents = sec_pkcs12_get_safe_contents(asafe);
+		    if(safe_contents == NULL) {
+			rv = SECFailure;
+		    }
+		}
+	    } else {
+		safe_contents = sec_pkcs12_create_safe_contents(asafe->poolp);
+		safe_contents->swapUnicode = pfx->swapUnicode;
+		if(safe_contents == NULL) {
+		    rv = SECFailure;
+		} else {
+		    rv = SECSuccess;
+		}
+	    }
+
+	    /* get safe contents and begin import */
+	    if(rv == SECSuccess) {
+		SEC_PKCS12DecoderContext *p12dcx;
+
+		p12dcx = sec_PKCS12ConvertOldSafeToNew(pfx->poolp, slot,
+					pfx->swapUnicode,
+					pwitem, wincx, safe_contents,
+					&asafe->baggage);
+		if(!p12dcx) {
+		    rv = SECFailure;
+		    goto loser;
+		}
+
+		if(SEC_PKCS12DecoderValidateBags(p12dcx, ncCall) 
+				!= SECSuccess) {
+		    rv = SECFailure;
+		    goto loser;
+		}
+
+		rv = SEC_PKCS12DecoderImportBags(p12dcx);
+	    }
+
+	}
+    }
+
+loser:
+
+    if(pfx) {
+	SEC_PKCS12DestroyPFX(pfx);
+    }
+
+    return rv;
+}
+
+PRBool 
+SEC_PKCS12ValidData(char *buf, int bufLen, long int totalLength)
+{
+    int lengthLength;
+
+    PRBool valid = PR_FALSE;
+
+    if(buf == NULL) {
+	return PR_FALSE;
+    }
+
+    /* check for constructed sequence identifier tag */
+    if(*buf == (SEC_ASN1_CONSTRUCTED | SEC_ASN1_SEQUENCE)) {
+	totalLength--;   /* header byte taken care of */
+	buf++;
+
+	lengthLength = (long int)SEC_ASN1LengthLength(totalLength - 1);
+	if(totalLength > 0x7f) {
+	    lengthLength--;
+	    *buf &= 0x7f;  /* remove bit 8 indicator */
+	    if((*buf - (char)lengthLength) == 0) {
+		valid = PR_TRUE;
+	    }
+	} else {
+	    lengthLength--;
+	    if((*buf - (char)lengthLength) == 0) {
+		valid = PR_TRUE;
+	    }
+	}
+    }
+
+    return valid;
+}
diff --git a/security/nss/lib/pkcs12/p12e.c b/security/nss/lib/pkcs12/p12e.c
new file mode 100644
index 000000000..9f9a92cea
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12e.c
@@ -0,0 +1,2282 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "nssrenam.h"
+#include "p12t.h"
+#include "p12.h"
+#include "plarena.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "seccomon.h"
+#include "secport.h"
+#include "cert.h"
+#include "secpkcs7.h"
+#include "secasn1.h"
+#include "secerr.h"
+#include "pk11func.h"
+#include "p12plcy.h"
+#include "p12local.h"
+#include "alghmac.h"
+#include "prcpucfg.h"
+
+/*********************************
+ * Structures used in exporting the PKCS 12 blob
+ *********************************/
+
+/* A SafeInfo is used for each ContentInfo which makes up the
+ * sequence of safes in the AuthenticatedSafe portion of the
+ * PFX structure.
+ */
+struct SEC_PKCS12SafeInfoStr {
+    PRArenaPool *arena;
+
+    /* information for setting up password encryption */
+    SECItem pwitem;
+    SECOidTag algorithm;
+    PK11SymKey *encryptionKey;
+
+    /* how many items have been stored in this safe,
+     * we will skip any safe which does not contain any
+     * items
+      */
+    unsigned int itemCount;
+
+    /* the content info for the safe */
+    SEC_PKCS7ContentInfo *cinfo;
+
+    sec_PKCS12SafeContents *safe;
+};
+
+/* An opaque structure which contains information needed for exporting
+ * certificates and keys through PKCS 12.
+ */
+struct SEC_PKCS12ExportContextStr {
+    PRArenaPool *arena;
+    PK11SlotInfo *slot;
+    void *wincx;
+
+    /* integrity information */
+    PRBool integrityEnabled;
+    PRBool	pwdIntegrity;
+    union {
+	struct sec_PKCS12PasswordModeInfo pwdInfo;
+	struct sec_PKCS12PublicKeyModeInfo pubkeyInfo;
+    } integrityInfo; 
+
+    /* helper functions */
+    /* retrieve the password call back */
+    SECKEYGetPasswordKey pwfn;
+    void *pwfnarg;
+
+    /* safe contents bags */
+    SEC_PKCS12SafeInfo **safeInfos;
+    unsigned int safeInfoCount;
+
+    /* the sequence of safes */
+    sec_PKCS12AuthenticatedSafe authSafe;
+
+    /* information needing deletion */
+    CERTCertificate **certList;
+};
+
+/* structures for passing information to encoder callbacks when processing
+ * data through the ASN1 engine.
+ */
+struct sec_pkcs12_encoder_output {
+    SEC_PKCS12EncoderOutputCallback outputfn;
+    void *outputarg;
+};
+
+struct sec_pkcs12_hmac_and_output_info {
+    void *arg;
+    struct sec_pkcs12_encoder_output output;
+};
+
+/* An encoder context which is used for the actual encoding
+ * portion of PKCS 12. 
+ */
+typedef struct sec_PKCS12EncoderContextStr {
+    PRArenaPool *arena;
+    SEC_PKCS12ExportContext *p12exp;
+    PK11SymKey *encryptionKey;
+
+    /* encoder information - this is set up based on whether 
+     * password based or public key pased privacy is being used
+     */
+    SEC_ASN1EncoderContext *ecx;
+    union {
+	struct sec_pkcs12_hmac_and_output_info hmacAndOutputInfo;
+	struct sec_pkcs12_encoder_output encOutput;
+    } output;
+
+    /* structures for encoding of PFX and MAC */
+    sec_PKCS12PFXItem pfx;
+    sec_PKCS12MacData mac;
+
+    /* authenticated safe encoding tracking information */
+    SEC_PKCS7ContentInfo *aSafeCinfo;
+    SEC_PKCS7EncoderContext *aSafeP7Ecx;
+    SEC_ASN1EncoderContext *aSafeEcx;
+    unsigned int currentSafe;
+
+    /* hmac context */
+    PK11Context *hmacCx;
+} sec_PKCS12EncoderContext;
+
+
+/*********************************
+ * Export setup routines
+ *********************************/
+
+/* SEC_PKCS12CreateExportContext 
+ *   Creates an export context and sets the unicode and password retrieval
+ *   callbacks.  This is the first call which must be made when exporting
+ *   a PKCS 12 blob.
+ *
+ * pwfn, pwfnarg - password retrieval callback and argument.  these are
+ * 		   required for password-authentication mode.
+ */
+SEC_PKCS12ExportContext *
+SEC_PKCS12CreateExportContext(SECKEYGetPasswordKey pwfn, void *pwfnarg,  
+			      PK11SlotInfo *slot, void *wincx)
+{
+    PRArenaPool *arena = NULL;
+    SEC_PKCS12ExportContext *p12ctxt = NULL;
+
+    /* allocate the arena and create the context */
+    arena = PORT_NewArena(4096);
+    if(!arena) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    p12ctxt = (SEC_PKCS12ExportContext *)PORT_ArenaZAlloc(arena, 
+					sizeof(SEC_PKCS12ExportContext));
+    if(!p12ctxt) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* password callback for key retrieval */
+    p12ctxt->pwfn = pwfn;
+    p12ctxt->pwfnarg = pwfnarg;
+
+    p12ctxt->integrityEnabled = PR_FALSE;
+    p12ctxt->arena = arena;
+    p12ctxt->wincx = wincx;
+    p12ctxt->slot = (slot) ? slot : PK11_GetInternalSlot();
+
+    return p12ctxt;
+
+loser:
+    if(arena) {
+	PORT_FreeArena(arena, PR_TRUE);
+    }
+
+    return NULL;
+}
+
+/* 
+ * Adding integrity mode
+ */
+
+/* SEC_PKCS12AddPasswordIntegrity 
+ *	Add password integrity to the exported data.  If an integrity method
+ *	has already been set, then return an error.
+ *	
+ *	p12ctxt - the export context
+ * 	pwitem - the password for integrity mode
+ *	integAlg - the integrity algorithm to use for authentication.
+ */
+SECStatus
+SEC_PKCS12AddPasswordIntegrity(SEC_PKCS12ExportContext *p12ctxt,
+			       SECItem *pwitem, SECOidTag integAlg) 
+{			       
+    if(!p12ctxt || p12ctxt->integrityEnabled) {
+	return SECFailure;
+    }
+   
+    /* set up integrity information */
+    p12ctxt->pwdIntegrity = PR_TRUE;
+    p12ctxt->integrityInfo.pwdInfo.password = 
+        (SECItem*)PORT_ArenaZAlloc(p12ctxt->arena, sizeof(SECItem));
+    if(!p12ctxt->integrityInfo.pwdInfo.password) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    if(SECITEM_CopyItem(p12ctxt->arena, 
+			p12ctxt->integrityInfo.pwdInfo.password, pwitem)
+		!= SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    p12ctxt->integrityInfo.pwdInfo.algorithm = integAlg;
+    p12ctxt->integrityEnabled = PR_TRUE;
+
+    return SECSuccess;
+}
+
+/* SEC_PKCS12AddPublicKeyIntegrity
+ *	Add public key integrity to the exported data.  If an integrity method
+ *	has already been set, then return an error.  The certificate must be
+ *	allowed to be used as a signing cert.
+ *	
+ *	p12ctxt - the export context
+ *	cert - signer certificate
+ *	certDb - the certificate database
+ *	algorithm - signing algorithm
+ *	keySize - size of the signing key (?)
+ */
+SECStatus
+SEC_PKCS12AddPublicKeyIntegrity(SEC_PKCS12ExportContext *p12ctxt,
+				CERTCertificate *cert, CERTCertDBHandle *certDb,
+				SECOidTag algorithm, int keySize)
+{
+    if(!p12ctxt) {
+	return SECFailure;
+    }
+    
+    p12ctxt->integrityInfo.pubkeyInfo.cert = cert;
+    p12ctxt->integrityInfo.pubkeyInfo.certDb = certDb;
+    p12ctxt->integrityInfo.pubkeyInfo.algorithm = algorithm;
+    p12ctxt->integrityInfo.pubkeyInfo.keySize = keySize;
+    p12ctxt->integrityEnabled = PR_TRUE;
+
+    return SECSuccess;
+}
+
+
+/*
+ * Adding safes - encrypted (password/public key) or unencrypted
+ *	Each of the safe creation routines return an opaque pointer which
+ *	are later passed into the routines for exporting certificates and
+ *	keys.
+ */
+
+/* append the newly created safeInfo to list of safeInfos in the export
+ * context.  
+ */
+static SECStatus
+sec_pkcs12_append_safe_info(SEC_PKCS12ExportContext *p12ctxt, SEC_PKCS12SafeInfo *info)
+{
+    void *mark = NULL, *dummy1 = NULL, *dummy2 = NULL;
+
+    if(!p12ctxt || !info) {
+	return SECFailure;
+    }
+
+    mark = PORT_ArenaMark(p12ctxt->arena);
+
+    /* if no safeInfos have been set, create the list, otherwise expand it. */
+    if(!p12ctxt->safeInfoCount) {
+	p12ctxt->safeInfos = (SEC_PKCS12SafeInfo **)PORT_ArenaZAlloc(p12ctxt->arena, 
+					      2 * sizeof(SEC_PKCS12SafeInfo *));
+	dummy1 = p12ctxt->safeInfos;
+	p12ctxt->authSafe.encodedSafes = (SECItem **)PORT_ArenaZAlloc(p12ctxt->arena, 
+					2 * sizeof(SECItem *));
+	dummy2 = p12ctxt->authSafe.encodedSafes;
+    } else {
+	dummy1 = PORT_ArenaGrow(p12ctxt->arena, p12ctxt->safeInfos, 
+			       (p12ctxt->safeInfoCount + 1) * sizeof(SEC_PKCS12SafeInfo *),
+			       (p12ctxt->safeInfoCount + 2) * sizeof(SEC_PKCS12SafeInfo *));
+	p12ctxt->safeInfos = (SEC_PKCS12SafeInfo **)dummy1;
+	dummy2 = PORT_ArenaGrow(p12ctxt->arena, p12ctxt->authSafe.encodedSafes, 
+			       (p12ctxt->authSafe.safeCount + 1) * sizeof(SECItem *),
+			       (p12ctxt->authSafe.safeCount + 2) * sizeof(SECItem *));
+	p12ctxt->authSafe.encodedSafes = (SECItem**)dummy2;
+    }
+    if(!dummy1 || !dummy2) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* append the new safeInfo and null terminate the list */
+    p12ctxt->safeInfos[p12ctxt->safeInfoCount] = info;
+    p12ctxt->safeInfos[++p12ctxt->safeInfoCount] = NULL;
+    p12ctxt->authSafe.encodedSafes[p12ctxt->authSafe.safeCount] = 
+        (SECItem*)PORT_ArenaZAlloc(p12ctxt->arena, sizeof(SECItem));
+    if(!p12ctxt->authSafe.encodedSafes[p12ctxt->authSafe.safeCount]) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    p12ctxt->authSafe.encodedSafes[++p12ctxt->authSafe.safeCount] = NULL;
+
+    PORT_ArenaUnmark(p12ctxt->arena, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease(p12ctxt->arena, mark);
+    return SECFailure;
+}
+
+/* SEC_PKCS12CreatePasswordPrivSafe
+ *	Create a password privacy safe to store exported information in.
+ *
+ * 	p12ctxt - export context
+ *	pwitem - password for encryption
+ *	privAlg - pbe algorithm through which encryption is done.
+ */
+SEC_PKCS12SafeInfo *
+SEC_PKCS12CreatePasswordPrivSafe(SEC_PKCS12ExportContext *p12ctxt, 
+				 SECItem *pwitem, SECOidTag privAlg)
+{
+    SEC_PKCS12SafeInfo *safeInfo = NULL;
+    void *mark = NULL;
+    PK11SlotInfo *slot;
+    SECAlgorithmID *algId;
+    SECItem uniPwitem = {siBuffer, NULL, 0};
+
+    if(!p12ctxt) {
+	return NULL;
+    }
+
+    /* allocate the safe info */
+    mark = PORT_ArenaMark(p12ctxt->arena);
+    safeInfo = (SEC_PKCS12SafeInfo *)PORT_ArenaZAlloc(p12ctxt->arena, 
+    						sizeof(SEC_PKCS12SafeInfo));
+    if(!safeInfo) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	PORT_ArenaRelease(p12ctxt->arena, mark);
+	return NULL;
+    }
+
+    safeInfo->itemCount = 0;
+
+    /* create the encrypted safe */
+    safeInfo->cinfo = SEC_PKCS7CreateEncryptedData(privAlg, 0, p12ctxt->pwfn, 
+    						   p12ctxt->pwfnarg);
+    if(!safeInfo->cinfo) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    safeInfo->arena = p12ctxt->arena;
+
+    /* convert the password to unicode */ 
+    if(!sec_pkcs12_convert_item_to_unicode(NULL, &uniPwitem, pwitem,
+					       PR_TRUE, PR_TRUE, PR_TRUE)) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    if(SECITEM_CopyItem(p12ctxt->arena, &safeInfo->pwitem, &uniPwitem) != SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* generate the encryption key */
+    slot = p12ctxt->slot;
+    if(!slot) {
+	slot = PK11_GetInternalKeySlot();
+	if(!slot) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+    }
+
+    algId = SEC_PKCS7GetEncryptionAlgorithm(safeInfo->cinfo);
+    safeInfo->encryptionKey = PK11_PBEKeyGen(slot, algId, &uniPwitem, 
+					     PR_FALSE, p12ctxt->wincx);
+    if(!safeInfo->encryptionKey) {
+	goto loser;
+    }
+
+    safeInfo->arena = p12ctxt->arena;
+    safeInfo->safe = NULL;
+    if(sec_pkcs12_append_safe_info(p12ctxt, safeInfo) != SECSuccess) {
+	goto loser;
+    }
+
+    if(uniPwitem.data) {
+	SECITEM_ZfreeItem(&uniPwitem, PR_FALSE);
+    }
+    PORT_ArenaUnmark(p12ctxt->arena, mark);
+    return safeInfo;
+
+loser:
+    if(safeInfo->cinfo) {
+	SEC_PKCS7DestroyContentInfo(safeInfo->cinfo);
+    }
+
+    if(uniPwitem.data) {
+	SECITEM_ZfreeItem(&uniPwitem, PR_FALSE);
+    }
+
+    PORT_ArenaRelease(p12ctxt->arena, mark);
+    return NULL;
+}
+
+/* SEC_PKCS12CreateUnencryptedSafe 
+ *	Creates an unencrypted safe within the export context.
+ *
+ *	p12ctxt - the export context 
+ */
+SEC_PKCS12SafeInfo *
+SEC_PKCS12CreateUnencryptedSafe(SEC_PKCS12ExportContext *p12ctxt)
+{
+    SEC_PKCS12SafeInfo *safeInfo = NULL;
+    void *mark = NULL;
+
+    if(!p12ctxt) {
+	return NULL;
+    }
+
+    /* create the safe info */
+    mark = PORT_ArenaMark(p12ctxt->arena);
+    safeInfo = (SEC_PKCS12SafeInfo *)PORT_ArenaZAlloc(p12ctxt->arena, 
+    					      sizeof(SEC_PKCS12SafeInfo));
+    if(!safeInfo) {
+	PORT_ArenaRelease(p12ctxt->arena, mark);
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    safeInfo->itemCount = 0;
+
+    /* create the safe content */
+    safeInfo->cinfo = SEC_PKCS7CreateData();
+    if(!safeInfo->cinfo) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    if(sec_pkcs12_append_safe_info(p12ctxt, safeInfo) != SECSuccess) {
+	goto loser;
+    }
+
+    PORT_ArenaUnmark(p12ctxt->arena, mark);
+    return safeInfo;
+
+loser:
+    if(safeInfo->cinfo) {
+	SEC_PKCS7DestroyContentInfo(safeInfo->cinfo);
+    }
+
+    PORT_ArenaRelease(p12ctxt->arena, mark);
+    return NULL;
+}
+
+/* SEC_PKCS12CreatePubKeyEncryptedSafe
+ *	Creates a safe which is protected by public key encryption.  
+ *
+ *	p12ctxt - the export context
+ *	certDb - the certificate database
+ *	signer - the signer's certificate
+ *	recipients - the list of recipient certificates.
+ *	algorithm - the encryption algorithm to use
+ *	keysize - the algorithms key size (?)
+ */
+SEC_PKCS12SafeInfo *
+SEC_PKCS12CreatePubKeyEncryptedSafe(SEC_PKCS12ExportContext *p12ctxt,
+				    CERTCertDBHandle *certDb,
+				    CERTCertificate *signer,
+				    CERTCertificate **recipients,
+				    SECOidTag algorithm, int keysize) 
+{
+    SEC_PKCS12SafeInfo *safeInfo = NULL;
+    void *mark = NULL;
+
+    if(!p12ctxt || !signer || !recipients || !(*recipients)) {
+	return NULL;
+    }
+
+    /* allocate the safeInfo */
+    mark = PORT_ArenaMark(p12ctxt->arena);
+    safeInfo = (SEC_PKCS12SafeInfo *)PORT_ArenaZAlloc(p12ctxt->arena, 
+    						      sizeof(SEC_PKCS12SafeInfo));
+    if(!safeInfo) {
+	PORT_ArenaRelease(p12ctxt->arena, mark);
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    safeInfo->itemCount = 0;
+    safeInfo->arena = p12ctxt->arena;
+
+    /* create the enveloped content info using certUsageEmailSigner currently.
+     * XXX We need to eventually use something other than certUsageEmailSigner
+     */
+    safeInfo->cinfo = SEC_PKCS7CreateEnvelopedData(signer, certUsageEmailSigner,
+					certDb, algorithm, keysize, 
+					p12ctxt->pwfn, p12ctxt->pwfnarg);
+    if(!safeInfo->cinfo) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* add recipients */
+    if(recipients) {
+	unsigned int i = 0;
+	while(recipients[i] != NULL) {
+	    SECStatus rv = SEC_PKCS7AddRecipient(safeInfo->cinfo, recipients[i],
+					       certUsageEmailRecipient, certDb);
+	    if(rv != SECSuccess) {
+		goto loser;
+	    }
+	    i++;
+	}
+    }
+
+    if(sec_pkcs12_append_safe_info(p12ctxt, safeInfo) != SECSuccess) {
+	goto loser;
+    }
+
+    PORT_ArenaUnmark(p12ctxt->arena, mark);
+    return safeInfo;
+
+loser:
+    if(safeInfo->cinfo) {
+	SEC_PKCS7DestroyContentInfo(safeInfo->cinfo);
+	safeInfo->cinfo = NULL;
+    }
+
+    PORT_ArenaRelease(p12ctxt->arena, mark);
+    return NULL;
+} 
+
+/*********************************
+ * Routines to handle the exporting of the keys and certificates
+ *********************************/
+
+/* creates a safe contents which safeBags will be appended to */
+sec_PKCS12SafeContents *
+sec_PKCS12CreateSafeContents(PRArenaPool *arena)
+{
+    sec_PKCS12SafeContents *safeContents;
+
+    if(arena == NULL) {
+	return NULL; 
+    }
+
+    /* create the safe contents */
+    safeContents = (sec_PKCS12SafeContents *)PORT_ArenaZAlloc(arena,
+					    sizeof(sec_PKCS12SafeContents));
+    if(!safeContents) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* set up the internal contents info */
+    safeContents->safeBags = NULL;
+    safeContents->arena = arena;
+    safeContents->bagCount = 0;
+
+    return safeContents;
+
+loser:
+    return NULL;
+}   
+
+/* appends a safe bag to a safeContents using the specified arena. 
+ */
+SECStatus
+sec_pkcs12_append_bag_to_safe_contents(PRArenaPool *arena, 
+				       sec_PKCS12SafeContents *safeContents,
+				       sec_PKCS12SafeBag *safeBag)
+{
+    void *mark = NULL, *dummy = NULL;
+
+    if(!arena || !safeBag || !safeContents) {
+	return SECFailure;
+    }
+
+    mark = PORT_ArenaMark(arena);
+    if(!mark) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+
+    /* allocate space for the list, or reallocate to increase space */
+    if(!safeContents->safeBags) {
+	safeContents->safeBags = (sec_PKCS12SafeBag **)PORT_ArenaZAlloc(arena, 
+						(2 * sizeof(sec_PKCS12SafeBag *)));
+	dummy = safeContents->safeBags;
+	safeContents->bagCount = 0;
+    } else {
+	dummy = PORT_ArenaGrow(arena, safeContents->safeBags, 
+			(safeContents->bagCount + 1) * sizeof(sec_PKCS12SafeBag *),
+			(safeContents->bagCount + 2) * sizeof(sec_PKCS12SafeBag *));
+	safeContents->safeBags = (sec_PKCS12SafeBag **)dummy;
+    }
+
+    if(!dummy) {
+	PORT_ArenaRelease(arena, mark);
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+
+    /* append the bag at the end and null terminate the list */
+    safeContents->safeBags[safeContents->bagCount++] = safeBag;
+    safeContents->safeBags[safeContents->bagCount] = NULL;
+
+    PORT_ArenaUnmark(arena, mark);
+
+    return SECSuccess;
+}
+
+/* appends a safeBag to a specific safeInfo.
+ */
+SECStatus
+sec_pkcs12_append_bag(SEC_PKCS12ExportContext *p12ctxt, 
+		      SEC_PKCS12SafeInfo *safeInfo, sec_PKCS12SafeBag *safeBag)
+{
+    sec_PKCS12SafeContents *dest;
+    SECStatus rv = SECFailure;
+
+    if(!p12ctxt || !safeBag || !safeInfo) {
+	return SECFailure;
+    }
+
+    if(!safeInfo->safe) {
+	safeInfo->safe = sec_PKCS12CreateSafeContents(p12ctxt->arena);
+	if(!safeInfo->safe) {
+	    return SECFailure;
+	}
+    }
+
+    dest = safeInfo->safe;
+    rv = sec_pkcs12_append_bag_to_safe_contents(p12ctxt->arena, dest, safeBag);
+    if(rv == SECSuccess) {
+	safeInfo->itemCount++;
+    }
+    
+    return rv;
+} 
+
+/* Creates a safeBag of the specified type, and if bagData is specified,
+ * the contents are set.  The contents could be set later by the calling
+ * routine.
+ */
+sec_PKCS12SafeBag *
+sec_PKCS12CreateSafeBag(SEC_PKCS12ExportContext *p12ctxt, SECOidTag bagType, 
+			void *bagData)
+{
+    sec_PKCS12SafeBag *safeBag;
+    PRBool setName = PR_TRUE;
+    void *mark = NULL;
+    SECStatus rv = SECSuccess;
+    SECOidData *oidData = NULL;
+
+    if(!p12ctxt) {
+	return NULL;
+    }
+
+    mark = PORT_ArenaMark(p12ctxt->arena);
+    if(!mark) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    safeBag = (sec_PKCS12SafeBag *)PORT_ArenaZAlloc(p12ctxt->arena, 
+    						    sizeof(sec_PKCS12SafeBag));
+    if(!safeBag) {
+	PORT_ArenaRelease(p12ctxt->arena, mark);
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    /* set the bags content based upon bag type */
+    switch(bagType) {
+	case SEC_OID_PKCS12_V1_KEY_BAG_ID:
+	    safeBag->safeBagContent.pkcs8KeyBag =
+	        (SECKEYPrivateKeyInfo *)bagData;
+	    break;
+	case SEC_OID_PKCS12_V1_CERT_BAG_ID:
+	    safeBag->safeBagContent.certBag = (sec_PKCS12CertBag *)bagData;
+	    break;
+	case SEC_OID_PKCS12_V1_CRL_BAG_ID:
+	    safeBag->safeBagContent.crlBag = (sec_PKCS12CRLBag *)bagData;
+	    break;
+	case SEC_OID_PKCS12_V1_SECRET_BAG_ID:
+	    safeBag->safeBagContent.secretBag = (sec_PKCS12SecretBag *)bagData;
+	    break;
+	case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
+	    safeBag->safeBagContent.pkcs8ShroudedKeyBag = 
+	        (SECKEYEncryptedPrivateKeyInfo *)bagData;
+	    break;
+	case SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID:
+	    safeBag->safeBagContent.safeContents = 
+	        (sec_PKCS12SafeContents *)bagData;
+	    setName = PR_FALSE;
+	    break;
+	default:
+	    goto loser;
+    }
+
+    oidData = SECOID_FindOIDByTag(bagType);
+    if(oidData) {
+	rv = SECITEM_CopyItem(p12ctxt->arena, &safeBag->safeBagType, &oidData->oid);
+	if(rv != SECSuccess) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+    } else {
+	goto loser;
+    }
+    
+    safeBag->arena = p12ctxt->arena;
+    PORT_ArenaUnmark(p12ctxt->arena, mark);
+
+    return safeBag;
+
+loser:
+    if(mark) {
+	PORT_ArenaRelease(p12ctxt->arena, mark);
+    }
+
+    return NULL;
+}
+
+/* Creates a new certificate bag and returns a pointer to it.  If an error
+ * occurs NULL is returned.
+ */
+sec_PKCS12CertBag *
+sec_PKCS12NewCertBag(PRArenaPool *arena, SECOidTag certType)
+{
+    sec_PKCS12CertBag *certBag = NULL;
+    SECOidData *bagType = NULL;
+    SECStatus rv;
+    void *mark = NULL;
+
+    if(!arena) {
+	return NULL;
+    }
+
+    mark = PORT_ArenaMark(arena);
+    certBag = (sec_PKCS12CertBag *)PORT_ArenaZAlloc(arena, 
+    						    sizeof(sec_PKCS12CertBag));
+    if(!certBag) {
+	PORT_ArenaRelease(arena, mark);
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    bagType = SECOID_FindOIDByTag(certType);
+    if(!bagType) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    rv = SECITEM_CopyItem(arena, &certBag->bagID, &bagType->oid);
+    if(rv != SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+	
+    PORT_ArenaUnmark(arena, mark);
+    return certBag;
+
+loser:
+    PORT_ArenaRelease(arena, mark);
+    return NULL;
+}
+
+/* Creates a new CRL bag and returns a pointer to it.  If an error
+ * occurs NULL is returned.
+ */
+sec_PKCS12CRLBag *
+sec_PKCS12NewCRLBag(PRArenaPool *arena, SECOidTag crlType)
+{
+    sec_PKCS12CRLBag *crlBag = NULL;
+    SECOidData *bagType = NULL;
+    SECStatus rv;
+    void *mark = NULL;
+
+    if(!arena) {
+	return NULL;
+    }
+
+    mark = PORT_ArenaMark(arena);
+    crlBag = (sec_PKCS12CRLBag *)PORT_ArenaZAlloc(arena, 
+    						  sizeof(sec_PKCS12CRLBag));
+    if(!crlBag) {
+	PORT_ArenaRelease(arena, mark);
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    bagType = SECOID_FindOIDByTag(crlType);
+    if(!bagType) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    rv = SECITEM_CopyItem(arena, &crlBag->bagID, &bagType->oid);
+    if(rv != SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+	
+    PORT_ArenaUnmark(arena, mark);
+    return crlBag;
+
+loser:
+    PORT_ArenaRelease(arena, mark);
+    return NULL;
+}
+
+/* sec_PKCS12AddAttributeToBag
+ * adds an attribute to a safeBag.  currently, the only attributes supported
+ * are those which are specified within PKCS 12.  
+ *
+ *	p12ctxt - the export context 
+ *	safeBag - the safeBag to which attributes are appended
+ *	attrType - the attribute type
+ * 	attrData - the attribute data
+ */
+SECStatus
+sec_PKCS12AddAttributeToBag(SEC_PKCS12ExportContext *p12ctxt, 
+			    sec_PKCS12SafeBag *safeBag, SECOidTag attrType,
+			    SECItem *attrData)
+{
+    sec_PKCS12Attribute *attribute;
+    void *mark = NULL, *dummy = NULL;
+    SECOidData *oiddata = NULL;
+    SECItem unicodeName = { siBuffer, NULL, 0};
+    void *src = NULL;
+    unsigned int nItems = 0;
+    SECStatus rv;
+
+    if(!safeBag || !p12ctxt) {
+	return SECFailure;
+    }
+
+    mark = PORT_ArenaMark(safeBag->arena);
+
+    /* allocate the attribute */
+    attribute = (sec_PKCS12Attribute *)PORT_ArenaZAlloc(safeBag->arena, 
+    						sizeof(sec_PKCS12Attribute));
+    if(!attribute) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* set up the attribute */
+    oiddata = SECOID_FindOIDByTag(attrType);
+    if(!oiddata) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    if(SECITEM_CopyItem(p12ctxt->arena, &attribute->attrType, &oiddata->oid) !=
+    		SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    nItems = 1;
+    switch(attrType) {
+	case SEC_OID_PKCS9_LOCAL_KEY_ID:
+	    {
+		src = attrData;
+		break;
+	    }
+	case SEC_OID_PKCS9_FRIENDLY_NAME:
+	    {
+		if(!sec_pkcs12_convert_item_to_unicode(p12ctxt->arena, 
+					&unicodeName, attrData, PR_FALSE, 
+					PR_FALSE, PR_TRUE)) {
+		    goto loser;
+		}
+		src = &unicodeName;
+		break;
+	    }
+	default:
+	    goto loser;
+    }
+
+    /* append the attribute to the attribute value list  */
+    attribute->attrValue = (SECItem **)PORT_ArenaZAlloc(p12ctxt->arena, 
+    					    ((nItems + 1) * sizeof(SECItem *)));
+    if(!attribute->attrValue) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* XXX this will need to be changed if attributes requiring more than
+     * one element are ever used.
+     */
+    attribute->attrValue[0] = (SECItem *)PORT_ArenaZAlloc(p12ctxt->arena, 
+    							  sizeof(SECItem));
+    if(!attribute->attrValue[0]) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    attribute->attrValue[1] = NULL;
+
+    rv = SECITEM_CopyItem(p12ctxt->arena, attribute->attrValue[0], 
+			  (SECItem*)src);
+    if(rv != SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* append the attribute to the safeBag attributes */
+    if(safeBag->nAttribs) {
+	dummy = PORT_ArenaGrow(p12ctxt->arena, safeBag->attribs, 
+			((safeBag->nAttribs + 1) * sizeof(sec_PKCS12Attribute *)),
+			((safeBag->nAttribs + 2) * sizeof(sec_PKCS12Attribute *)));
+	safeBag->attribs = (sec_PKCS12Attribute **)dummy;
+    } else {
+	safeBag->attribs = (sec_PKCS12Attribute **)PORT_ArenaZAlloc(p12ctxt->arena, 
+						2 * sizeof(sec_PKCS12Attribute *));
+	dummy = safeBag->attribs;
+    }
+    if(!dummy) {
+	goto loser;
+    }
+
+    safeBag->attribs[safeBag->nAttribs] = attribute;
+    safeBag->attribs[++safeBag->nAttribs] = NULL;
+
+    PORT_ArenaUnmark(p12ctxt->arena, mark);
+    return SECSuccess;
+
+loser:
+    if(mark) {
+	PORT_ArenaRelease(p12ctxt->arena, mark);
+    }
+
+    return SECFailure;
+}
+
+/* SEC_PKCS12AddCert
+ * 	Adds a certificate to the data being exported.  
+ *
+ *	p12ctxt - the export context
+ *	safe - the safeInfo to which the certificate is placed 
+ *	nestedDest - if the cert is to be placed within a nested safeContents then,
+ *		     this value is to be specified with the destination
+ *	cert - the cert to export
+ *	certDb - the certificate database handle
+ *	keyId - a unique identifier to associate a certificate/key pair
+ *	includeCertChain - PR_TRUE if the certificate chain is to be included.
+ */
+SECStatus
+SEC_PKCS12AddCert(SEC_PKCS12ExportContext *p12ctxt, SEC_PKCS12SafeInfo *safe, 
+		  void *nestedDest, CERTCertificate *cert, 
+		  CERTCertDBHandle *certDb, SECItem *keyId,
+		  PRBool includeCertChain)
+{
+    sec_PKCS12CertBag *certBag;
+    sec_PKCS12SafeBag *safeBag;
+    void *mark;
+    SECStatus rv;
+    SECItem nick = {siBuffer, NULL,0};
+
+    if(!p12ctxt || !cert) {
+	return SECFailure;
+    }
+    mark = PORT_ArenaMark(p12ctxt->arena);
+
+    /* allocate the cert bag */
+    certBag = sec_PKCS12NewCertBag(p12ctxt->arena, 
+    				   SEC_OID_PKCS9_X509_CERT);
+    if(!certBag) {
+	goto loser;
+    }
+
+    if(SECITEM_CopyItem(p12ctxt->arena, &certBag->value.x509Cert, 
+    			&cert->derCert) != SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* if the cert chain is to be included, we should only be exporting
+     * the cert from our internal database.
+     */
+    if(includeCertChain) {
+	CERTCertificateList *certList = CERT_CertChainFromCert(cert,
+							       certUsageSSLClient,
+							       PR_TRUE);
+	unsigned int count = 0;
+	if(!certList) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+
+	/* add cert chain */
+	for(count = 0; count < (unsigned int)certList->len; count++) {
+	    if(SECITEM_CompareItem(&certList->certs[count], &cert->derCert)
+	    			!= SECEqual) {
+	    	CERTCertificate *tempCert;
+
+		/* decode the certificate */
+		/* XXX
+		 * This was rather silly.  The chain is constructed above
+		 * by finding all of the CERTCertificate's in the database.
+		 * Then the chain is put into a CERTCertificateList, which only
+		 * contains the DER.  Finally, the DER was decoded, and the
+		 * decoded cert was sent recursively back to this function.
+		 * Beyond being inefficent, this causes data loss (specifically,
+		 * the nickname).  Instead, for 3.4, we'll do a lookup by the
+		 * DER, which should return the cached entry.
+		 */
+		tempCert = CERT_FindCertByDERCert(CERT_GetDefaultCertDB(),
+		                                  &certList->certs[count]);
+	    	if(!tempCert) {
+		    CERT_DestroyCertificateList(certList);
+		    goto loser;
+		}
+
+		/* add the certificate */
+	    	if(SEC_PKCS12AddCert(p12ctxt, safe, nestedDest, tempCert,
+				 certDb, NULL, PR_FALSE) != SECSuccess) {
+		    CERT_DestroyCertificate(tempCert);
+		    CERT_DestroyCertificateList(certList);
+		    goto loser;
+		}
+		CERT_DestroyCertificate(tempCert);
+	    }
+	}
+	CERT_DestroyCertificateList(certList);
+    }
+
+    /* if the certificate has a nickname, we will set the friendly name
+     * to that.
+     */
+    if(cert->nickname) {
+        if (cert->slot && !PK11_IsInternal(cert->slot)) {
+	  /*
+	   * The cert is coming off of an external token, 
+	   * let's strip the token name from the nickname
+	   * and only add what comes after the colon as the
+	   * nickname. -javi
+	   */
+	    char *delimit;
+	    
+	    delimit = PORT_Strchr(cert->nickname,':');
+	    if (delimit == NULL) {
+	        nick.data = (unsigned char *)cert->nickname;
+		nick.len = PORT_Strlen(cert->nickname);
+	    } else {
+	        delimit++;
+	        nick.data = (unsigned char *)PORT_ArenaStrdup(p12ctxt->arena,
+							      delimit);
+		nick.len = PORT_Strlen(delimit);
+	    }
+	} else {
+	    nick.data = (unsigned char *)cert->nickname;
+	    nick.len = PORT_Strlen(cert->nickname);
+	}
+    }
+
+    safeBag = sec_PKCS12CreateSafeBag(p12ctxt, SEC_OID_PKCS12_V1_CERT_BAG_ID, 
+    				      certBag);
+    if(!safeBag) {
+	goto loser;
+    }
+
+    /* add the friendly name and keyId attributes, if necessary */
+    if(nick.data) {
+	if(sec_PKCS12AddAttributeToBag(p12ctxt, safeBag, 
+				       SEC_OID_PKCS9_FRIENDLY_NAME, &nick) 
+				       != SECSuccess) {
+	    goto loser;
+	}
+    }
+	   
+    if(keyId) {
+	if(sec_PKCS12AddAttributeToBag(p12ctxt, safeBag, SEC_OID_PKCS9_LOCAL_KEY_ID,
+				       keyId) != SECSuccess) {
+	    goto loser;
+	}
+    }
+
+    /* append the cert safeBag */
+    if(nestedDest) {
+	rv = sec_pkcs12_append_bag_to_safe_contents(p12ctxt->arena, 
+					  (sec_PKCS12SafeContents*)nestedDest, 
+					   safeBag);
+    } else {
+	rv = sec_pkcs12_append_bag(p12ctxt, safe, safeBag);
+    }
+
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+
+    PORT_ArenaUnmark(p12ctxt->arena, mark);
+    return SECSuccess;
+
+loser:
+    if(mark) {
+	PORT_ArenaRelease(p12ctxt->arena, mark);
+    }
+
+    return SECFailure;
+}
+
+/* SEC_PKCS12AddEncryptedKey
+ *	Extracts the key associated with a particular certificate and exports
+ *	it.
+ *
+ *	p12ctxt - the export context 
+ *	safe - the safeInfo to place the key in
+ *	nestedDest - the nested safeContents to place a key
+ *	cert - the certificate which the key belongs to
+ *	shroudKey - encrypt the private key for export.  This value should 
+ *		always be true.  lower level code will not allow the export
+ *		of unencrypted private keys.
+ *	algorithm - the algorithm with which to encrypt the private key
+ *	pwitem - the password to encrypted the private key with
+ *	keyId - the keyID attribute
+ *	nickName - the nickname attribute
+ */
+static SECStatus
+SEC_PKCS12AddEncryptedKey(SEC_PKCS12ExportContext *p12ctxt, 
+		SECKEYEncryptedPrivateKeyInfo *epki, SEC_PKCS12SafeInfo *safe,
+		void *nestedDest, SECItem *keyId, SECItem *nickName)
+{
+    void *mark;
+    void *keyItem;
+    SECOidTag keyType;
+    SECStatus rv = SECFailure;
+    sec_PKCS12SafeBag *returnBag;
+
+    if(!p12ctxt || !safe || !epki) {
+	return SECFailure;
+    }
+
+    mark = PORT_ArenaMark(p12ctxt->arena);
+
+    keyItem = PORT_ArenaZAlloc(p12ctxt->arena, 
+				sizeof(SECKEYEncryptedPrivateKeyInfo));
+    if(!keyItem) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    rv = SECKEY_CopyEncryptedPrivateKeyInfo(p12ctxt->arena, 
+					(SECKEYEncryptedPrivateKeyInfo *)keyItem,
+					epki);
+    keyType = SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID;
+
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+	
+    /* create the safe bag and set any attributes */
+    returnBag = sec_PKCS12CreateSafeBag(p12ctxt, keyType, keyItem);
+    if(!returnBag) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    if(nickName) {
+	if(sec_PKCS12AddAttributeToBag(p12ctxt, returnBag, 
+				       SEC_OID_PKCS9_FRIENDLY_NAME, nickName) 
+				       != SECSuccess) {
+	    goto loser;
+	}
+    }
+	   
+    if(keyId) {
+	if(sec_PKCS12AddAttributeToBag(p12ctxt, returnBag, SEC_OID_PKCS9_LOCAL_KEY_ID,
+				       keyId) != SECSuccess) {
+	    goto loser;
+	}
+    }
+
+    if(nestedDest) {
+	rv = sec_pkcs12_append_bag_to_safe_contents(p12ctxt->arena, 
+					   (sec_PKCS12SafeContents*)nestedDest,
+					   returnBag);
+    } else {
+	rv = sec_pkcs12_append_bag(p12ctxt, safe, returnBag);
+    }
+
+loser:
+
+    if (rv != SECSuccess) {
+	PORT_ArenaRelease(p12ctxt->arena, mark);
+    } else {
+	PORT_ArenaUnmark(p12ctxt->arena, mark);
+    }
+
+    return rv;
+}
+
+/* SEC_PKCS12AddKeyForCert
+ *	Extracts the key associated with a particular certificate and exports
+ *	it.
+ *
+ *	p12ctxt - the export context 
+ *	safe - the safeInfo to place the key in
+ *	nestedDest - the nested safeContents to place a key
+ *	cert - the certificate which the key belongs to
+ *	shroudKey - encrypt the private key for export.  This value should 
+ *		always be true.  lower level code will not allow the export
+ *		of unencrypted private keys.
+ *	algorithm - the algorithm with which to encrypt the private key
+ *	pwitem - the password to encrypt the private key with
+ *	keyId - the keyID attribute
+ *	nickName - the nickname attribute
+ */
+SECStatus
+SEC_PKCS12AddKeyForCert(SEC_PKCS12ExportContext *p12ctxt, SEC_PKCS12SafeInfo *safe, 
+			void *nestedDest, CERTCertificate *cert,
+			PRBool shroudKey, SECOidTag algorithm, SECItem *pwitem,
+			SECItem *keyId, SECItem *nickName)
+{
+    void *mark;
+    void *keyItem;
+    SECOidTag keyType;
+    SECStatus rv = SECFailure;
+    SECItem nickname = {siBuffer,NULL,0}, uniPwitem = {siBuffer, NULL, 0};
+    sec_PKCS12SafeBag *returnBag;
+
+    if(!p12ctxt || !cert || !safe) {
+	return SECFailure;
+    }
+
+    mark = PORT_ArenaMark(p12ctxt->arena);
+
+    /* retrieve the key based upon the type that it is and 
+     * specify the type of safeBag to store the key in
+     */	   
+    if(!shroudKey) {
+
+	/* extract the key unencrypted.  this will most likely go away */
+	SECKEYPrivateKeyInfo *pki = PK11_ExportPrivateKeyInfo(cert, 
+							      p12ctxt->wincx);
+	if(!pki) {
+	    PORT_ArenaRelease(p12ctxt->arena, mark);
+	    PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY);
+	    return SECFailure;
+	}   
+	keyItem = PORT_ArenaZAlloc(p12ctxt->arena, sizeof(SECKEYPrivateKeyInfo));
+	if(!keyItem) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+	rv = SECKEY_CopyPrivateKeyInfo(p12ctxt->arena, 
+				       (SECKEYPrivateKeyInfo *)keyItem, pki);
+	keyType = SEC_OID_PKCS12_V1_KEY_BAG_ID;
+	SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE);
+    } else {
+
+	/* extract the key encrypted */
+	SECKEYEncryptedPrivateKeyInfo *epki = NULL;
+	PK11SlotInfo *slot = p12ctxt->slot;
+
+	if(!sec_pkcs12_convert_item_to_unicode(p12ctxt->arena, &uniPwitem,
+				 pwitem, PR_TRUE, PR_TRUE, PR_TRUE)) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+
+	/* we want to make sure to take the key out of the key slot */
+	if(PK11_IsInternal(p12ctxt->slot)) {
+	    slot = PK11_GetInternalKeySlot();
+	}
+
+	epki = PK11_ExportEncryptedPrivateKeyInfo(slot, algorithm, 
+						  &uniPwitem, cert, 1, 
+						  p12ctxt->wincx);
+	if(PK11_IsInternal(p12ctxt->slot)) {
+	    PK11_FreeSlot(slot);
+	}
+	
+	keyItem = PORT_ArenaZAlloc(p12ctxt->arena, 
+				  sizeof(SECKEYEncryptedPrivateKeyInfo));
+	if(!keyItem) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+	if(!epki) {
+	    PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY);
+	    return SECFailure;
+	}   
+	rv = SECKEY_CopyEncryptedPrivateKeyInfo(p12ctxt->arena, 
+					(SECKEYEncryptedPrivateKeyInfo *)keyItem,
+					epki);
+	keyType = SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID;
+	SECKEY_DestroyEncryptedPrivateKeyInfo(epki, PR_TRUE);
+    }
+
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+	
+    /* if no nickname specified, let's see if the certificate has a 
+     * nickname.
+     */					  
+    if(!nickName) {
+	if(cert->nickname) {
+	    nickname.data = (unsigned char *)cert->nickname;
+	    nickname.len = PORT_Strlen(cert->nickname);
+	    nickName = &nickname;
+	}
+    }
+
+    /* create the safe bag and set any attributes */
+    returnBag = sec_PKCS12CreateSafeBag(p12ctxt, keyType, keyItem);
+    if(!returnBag) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    if(nickName) {
+	if(sec_PKCS12AddAttributeToBag(p12ctxt, returnBag, 
+				       SEC_OID_PKCS9_FRIENDLY_NAME, nickName) 
+				       != SECSuccess) {
+	    goto loser;
+	}
+    }
+	   
+    if(keyId) {
+	if(sec_PKCS12AddAttributeToBag(p12ctxt, returnBag, SEC_OID_PKCS9_LOCAL_KEY_ID,
+				       keyId) != SECSuccess) {
+	    goto loser;
+	}
+    }
+
+    if(nestedDest) {
+	rv = sec_pkcs12_append_bag_to_safe_contents(p12ctxt->arena,
+					  (sec_PKCS12SafeContents*)nestedDest, 
+					  returnBag);
+    } else {
+	rv = sec_pkcs12_append_bag(p12ctxt, safe, returnBag);
+    }
+
+loser:
+
+    if (rv != SECSuccess) {
+	PORT_ArenaRelease(p12ctxt->arena, mark);
+    } else {
+	PORT_ArenaUnmark(p12ctxt->arena, mark);
+    }
+
+    return rv;
+}
+
+/* SEC_PKCS12AddCertAndEncryptedKey
+ *	Add a certificate and key pair to be exported.
+ *
+ *	p12ctxt - the export context 
+ * 	certSafe - the safeInfo where the cert is stored
+ *	certNestedDest - the nested safeContents to store the cert
+ *	keySafe - the safeInfo where the key is stored
+ *	keyNestedDest - the nested safeContents to store the key
+ *	shroudKey - extract the private key encrypted?
+ *	pwitem - the password with which the key is encrypted
+ *	algorithm - the algorithm with which the key is encrypted
+ */
+SECStatus
+SEC_PKCS12AddDERCertAndEncryptedKey(SEC_PKCS12ExportContext *p12ctxt, 
+		void *certSafe, void *certNestedDest, 
+		SECItem *derCert, void *keySafe, 
+		void *keyNestedDest, SECKEYEncryptedPrivateKeyInfo *epki,
+		char *nickname)
+{		
+    SECStatus rv = SECFailure;
+    SGNDigestInfo *digest = NULL;
+    void *mark = NULL;
+    CERTCertificate *cert;
+    SECItem nick = {siBuffer, NULL,0}, *nickPtr = NULL; 
+
+    if(!p12ctxt || !certSafe || !keySafe || !derCert) {
+	return SECFailure;
+    }
+
+    mark = PORT_ArenaMark(p12ctxt->arena);
+
+    cert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL);
+    if(!cert) {
+	PORT_ArenaRelease(p12ctxt->arena, mark);
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+    cert->nickname = nickname;
+
+    /* generate the thumbprint of the cert to use as a keyId */
+    digest = sec_pkcs12_compute_thumbprint(&cert->derCert);
+    if(!digest) {
+	CERT_DestroyCertificate(cert);
+	return SECFailure;
+    }
+
+    /* add the certificate */
+    rv = SEC_PKCS12AddCert(p12ctxt, (SEC_PKCS12SafeInfo*)certSafe, 
+			   certNestedDest, cert, NULL,
+    			   &digest->digest, PR_FALSE);
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+
+    if(nickname) {
+	nick.data = (unsigned char *)nickname;
+	nick.len = PORT_Strlen(nickname);
+	nickPtr = &nick;
+    } else {
+	nickPtr = NULL;
+    }
+
+    /* add the key */
+    rv = SEC_PKCS12AddEncryptedKey(p12ctxt, epki, (SEC_PKCS12SafeInfo*)keySafe,
+				   keyNestedDest, &digest->digest, nickPtr );
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+
+    SGN_DestroyDigestInfo(digest);
+
+    PORT_ArenaUnmark(p12ctxt->arena, mark);
+    return SECSuccess;
+
+loser:
+    SGN_DestroyDigestInfo(digest);
+    CERT_DestroyCertificate(cert);
+    PORT_ArenaRelease(p12ctxt->arena, mark);
+    
+    return SECFailure; 
+}
+
+/* SEC_PKCS12AddCertAndKey
+ *	Add a certificate and key pair to be exported.
+ *
+ *	p12ctxt - the export context 
+ * 	certSafe - the safeInfo where the cert is stored
+ *	certNestedDest - the nested safeContents to store the cert
+ *	keySafe - the safeInfo where the key is stored
+ *	keyNestedDest - the nested safeContents to store the key
+ *	shroudKey - extract the private key encrypted?
+ *	pwitem - the password with which the key is encrypted
+ *	algorithm - the algorithm with which the key is encrypted
+ */
+SECStatus
+SEC_PKCS12AddCertAndKey(SEC_PKCS12ExportContext *p12ctxt, 
+			void *certSafe, void *certNestedDest, 
+			CERTCertificate *cert, CERTCertDBHandle *certDb,
+			void *keySafe, void *keyNestedDest, 
+			PRBool shroudKey, SECItem *pwitem, SECOidTag algorithm)
+{		
+    SECStatus rv = SECFailure;
+    SGNDigestInfo *digest = NULL;
+    void *mark = NULL;
+
+    if(!p12ctxt || !certSafe || !keySafe || !cert) {
+	return SECFailure;
+    }
+
+    mark = PORT_ArenaMark(p12ctxt->arena);
+
+    /* generate the thumbprint of the cert to use as a keyId */
+    digest = sec_pkcs12_compute_thumbprint(&cert->derCert);
+    if(!digest) {
+	PORT_ArenaRelease(p12ctxt->arena, mark);
+	return SECFailure;
+    }
+
+    /* add the certificate */
+    rv = SEC_PKCS12AddCert(p12ctxt, (SEC_PKCS12SafeInfo*)certSafe, 
+			   (SEC_PKCS12SafeInfo*)certNestedDest, cert, certDb,
+    			   &digest->digest, PR_TRUE);
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+
+    /* add the key */
+    rv = SEC_PKCS12AddKeyForCert(p12ctxt, (SEC_PKCS12SafeInfo*)keySafe, 
+				 keyNestedDest, cert, 
+    				 shroudKey, algorithm, pwitem, 
+    				 &digest->digest, NULL );
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+
+    SGN_DestroyDigestInfo(digest);
+
+    PORT_ArenaUnmark(p12ctxt->arena, mark);
+    return SECSuccess;
+
+loser:
+    SGN_DestroyDigestInfo(digest);
+    PORT_ArenaRelease(p12ctxt->arena, mark);
+    
+    return SECFailure; 
+}
+
+/* SEC_PKCS12CreateNestedSafeContents
+ * 	Allows nesting of safe contents to be implemented.  No limit imposed on 
+ *	depth.  
+ *
+ *	p12ctxt - the export context 
+ *	baseSafe - the base safeInfo 
+ *	nestedDest - a parent safeContents (?)
+ */
+void *
+SEC_PKCS12CreateNestedSafeContents(SEC_PKCS12ExportContext *p12ctxt,
+				   void *baseSafe, void *nestedDest)
+{
+    sec_PKCS12SafeContents *newSafe;
+    sec_PKCS12SafeBag *safeContentsBag;
+    void *mark;
+    SECStatus rv;
+
+    if(!p12ctxt || !baseSafe) {
+	return NULL;
+    }
+
+    mark = PORT_ArenaMark(p12ctxt->arena);
+
+    newSafe = sec_PKCS12CreateSafeContents(p12ctxt->arena);
+    if(!newSafe) {
+	PORT_ArenaRelease(p12ctxt->arena, mark);
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    /* create the safeContents safeBag */
+    safeContentsBag = sec_PKCS12CreateSafeBag(p12ctxt, 
+					SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID,
+					newSafe);
+    if(!safeContentsBag) {
+	goto loser;
+    }
+
+    /* append the safeContents to the appropriate area */
+    if(nestedDest) {
+	rv = sec_pkcs12_append_bag_to_safe_contents(p12ctxt->arena, 
+					   (sec_PKCS12SafeContents*)nestedDest,
+					   safeContentsBag);
+    } else {
+	rv = sec_pkcs12_append_bag(p12ctxt, (SEC_PKCS12SafeInfo*)baseSafe, 
+				   safeContentsBag);
+    }
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+
+    PORT_ArenaUnmark(p12ctxt->arena, mark);
+    return newSafe;
+
+loser:
+    PORT_ArenaRelease(p12ctxt->arena, mark);
+    return NULL;
+}
+
+/*********************************
+ * Encoding routines
+ *********************************/
+
+/* set up the encoder context based on information in the export context
+ * and return the newly allocated enocoder context.  A return of NULL 
+ * indicates an error occurred. 
+ */
+sec_PKCS12EncoderContext *
+sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp)
+{
+    sec_PKCS12EncoderContext *p12enc = NULL;
+    unsigned int i, nonEmptyCnt;
+    SECStatus rv;
+    SECItem ignore = {0};
+    void *mark;
+
+    if(!p12exp || !p12exp->safeInfos) {
+	return NULL;
+    }
+
+    /* check for any empty safes and skip them */
+    i = nonEmptyCnt = 0;
+    while(p12exp->safeInfos[i]) {
+	if(p12exp->safeInfos[i]->itemCount) {
+	    nonEmptyCnt++;
+	}
+	i++;
+    }
+    if(nonEmptyCnt == 0) {
+	return NULL;
+    }
+    p12exp->authSafe.encodedSafes[nonEmptyCnt] = NULL;
+
+    /* allocate the encoder context */
+    mark = PORT_ArenaMark(p12exp->arena);
+    p12enc = (sec_PKCS12EncoderContext*)PORT_ArenaZAlloc(p12exp->arena, 
+    			      sizeof(sec_PKCS12EncoderContext));
+    if(!p12enc) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    p12enc->arena = p12exp->arena;
+    p12enc->p12exp = p12exp;
+
+    /* set up the PFX version and information */
+    PORT_Memset(&p12enc->pfx, 0, sizeof(sec_PKCS12PFXItem));
+    if(!SEC_ASN1EncodeInteger(p12exp->arena, &(p12enc->pfx.version), 
+    			      SEC_PKCS12_VERSION) ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+    	goto loser;
+    }
+
+    /* set up the authenticated safe content info based on the 
+     * type of integrity being used.  this should be changed to
+     * enforce integrity mode, but will not be implemented until
+     * it is confirmed that integrity must be in place
+     */
+    if(p12exp->integrityEnabled && !p12exp->pwdIntegrity) {
+	SECStatus rv;
+
+	/* create public key integrity mode */
+	p12enc->aSafeCinfo = SEC_PKCS7CreateSignedData(
+				p12exp->integrityInfo.pubkeyInfo.cert,
+				certUsageEmailSigner,
+				p12exp->integrityInfo.pubkeyInfo.certDb,
+				p12exp->integrityInfo.pubkeyInfo.algorithm,
+				NULL,
+				p12exp->pwfn,
+				p12exp->pwfnarg);
+	if(!p12enc->aSafeCinfo) {
+	    goto loser;
+	}
+	if(SEC_PKCS7IncludeCertChain(p12enc->aSafeCinfo,NULL) != SECSuccess) {
+	    goto loser;
+	}
+	rv = SEC_PKCS7AddSigningTime(p12enc->aSafeCinfo);
+	PORT_Assert(rv == SECSuccess);
+    } else {
+	p12enc->aSafeCinfo = SEC_PKCS7CreateData();
+
+	/* init password pased integrity mode */
+	if(p12exp->integrityEnabled) {
+	    SECItem  pwd = {siBuffer,NULL, 0};
+	    SECItem *salt = sec_pkcs12_generate_salt();
+	    PK11SymKey *symKey;
+	    SECItem *params;
+	    CK_MECHANISM_TYPE integrityMech;
+
+	    /* zero out macData and set values */
+	    PORT_Memset(&p12enc->mac, 0, sizeof(sec_PKCS12MacData));
+
+	    if(!salt) {
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		goto loser;
+	    }
+	    if(SECITEM_CopyItem(p12exp->arena, &(p12enc->mac.macSalt), salt) 
+			!= SECSuccess) {
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		goto loser;
+	    }   
+
+	    /* generate HMAC key */
+	    if(!sec_pkcs12_convert_item_to_unicode(NULL, &pwd, 
+			p12exp->integrityInfo.pwdInfo.password, PR_TRUE, 
+			PR_TRUE, PR_TRUE)) {
+		goto loser;
+	    }
+
+	    params = PK11_CreatePBEParams(salt, &pwd, 1);
+	    SECITEM_ZfreeItem(salt, PR_TRUE);
+	    SECITEM_ZfreeItem(&pwd, PR_FALSE);
+
+	    switch (p12exp->integrityInfo.pwdInfo.algorithm) {
+	    case SEC_OID_SHA1:
+		integrityMech = CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN; break;
+	    case SEC_OID_MD5:
+		integrityMech = CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN;  break;
+	    case SEC_OID_MD2:
+		integrityMech = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN;  break;
+	    default:
+		goto loser;
+	    }
+
+	    symKey = PK11_KeyGen(NULL, integrityMech, params, 20, NULL);
+	    PK11_DestroyPBEParams(params);
+	    if(!symKey) {
+		goto loser;
+	    }
+
+	    /* initialize hmac */
+	    p12enc->hmacCx = PK11_CreateContextBySymKey(
+	     sec_pkcs12_algtag_to_mech(p12exp->integrityInfo.pwdInfo.algorithm),
+	                                           CKA_SIGN, symKey, &ignore);
+	    if(!p12enc->hmacCx) {
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		goto loser;
+	    }
+	    rv = PK11_DigestBegin(p12enc->hmacCx);
+	    if (rv != SECSuccess)
+		goto loser;
+	}
+    }
+
+    if(!p12enc->aSafeCinfo) {
+	goto loser;
+    }
+
+    PORT_ArenaUnmark(p12exp->arena, mark);
+
+    return p12enc;
+
+loser:
+    if(p12enc) {
+	if(p12enc->aSafeCinfo) {
+	    SEC_PKCS7DestroyContentInfo(p12enc->aSafeCinfo);
+	}
+	if(p12enc->hmacCx) {
+	    PK11_DestroyContext(p12enc->hmacCx, PR_TRUE);
+	}
+    }
+    if (p12exp->arena != NULL)
+	PORT_ArenaRelease(p12exp->arena, mark);
+
+    return NULL;
+}
+
+/* callback wrapper to allow the ASN1 engine to call the PKCS 12 
+ * output routines.
+ */
+static void
+sec_pkcs12_encoder_out(void *arg, const char *buf, unsigned long len,
+		       int depth, SEC_ASN1EncodingPart data_kind)
+{
+    struct sec_pkcs12_encoder_output *output;
+
+    output = (struct sec_pkcs12_encoder_output*)arg;
+    (* output->outputfn)(output->outputarg, buf, len);
+}
+
+/* callback wrapper to wrap SEC_PKCS7EncoderUpdate for ASN1 encoder
+ */
+static void 
+sec_pkcs12_wrap_pkcs7_encoder_update(void *arg, const char *buf, 
+				     unsigned long len, int depth, 
+				     SEC_ASN1EncodingPart data_kind)
+{
+    SEC_PKCS7EncoderContext *ecx;
+    if(!buf || !len) {
+	return;
+    }
+
+    ecx = (SEC_PKCS7EncoderContext*)arg;
+    SEC_PKCS7EncoderUpdate(ecx, buf, len);
+}
+
+/* callback wrapper to wrap SEC_ASN1EncoderUpdate for PKCS 7 encoding
+ */
+static void
+sec_pkcs12_wrap_asn1_update_for_p7_update(void *arg, const char *buf,
+					  unsigned long len)
+{
+    if(!buf && !len) return;
+
+    SEC_ASN1EncoderUpdate((SEC_ASN1EncoderContext*)arg, buf, len);
+}
+
+/* callback wrapper which updates the HMAC and passes on bytes to the 
+ * appropriate output function.
+ */
+static void
+sec_pkcs12_asafe_update_hmac_and_encode_bits(void *arg, const char *buf,
+				      unsigned long len, int depth,
+				      SEC_ASN1EncodingPart data_kind)
+{
+    sec_PKCS12EncoderContext *p12ecx;
+
+    p12ecx = (sec_PKCS12EncoderContext*)arg;
+    PK11_DigestOp(p12ecx->hmacCx, (unsigned char *)buf, len);
+    sec_pkcs12_wrap_pkcs7_encoder_update(p12ecx->aSafeP7Ecx, buf, len,
+    					 depth, data_kind);
+}
+
+/* this function encodes content infos which are part of the
+ * sequence of content infos labeled AuthenticatedSafes 
+ */
+static SECStatus 
+sec_pkcs12_encoder_asafe_process(sec_PKCS12EncoderContext *p12ecx)
+{ 
+    SECStatus rv = SECSuccess;
+    SEC_PKCS5KeyAndPassword keyPwd;
+    SEC_PKCS7EncoderContext *p7ecx;
+    SEC_PKCS7ContentInfo *cinfo;
+    SEC_ASN1EncoderContext *ecx = NULL;
+
+    void *arg = NULL;
+
+    if(p12ecx->currentSafe < p12ecx->p12exp->authSafe.safeCount) {
+	SEC_PKCS12SafeInfo *safeInfo;
+	SECOidTag cinfoType;
+
+	safeInfo = p12ecx->p12exp->safeInfos[p12ecx->currentSafe];
+
+	/* skip empty safes */
+	if(safeInfo->itemCount == 0) {
+	    return SECSuccess;
+	}
+
+	cinfo = safeInfo->cinfo;
+	cinfoType = SEC_PKCS7ContentType(cinfo);
+
+	/* determine the safe type and set the appropriate argument */
+	switch(cinfoType) {
+	    case SEC_OID_PKCS7_DATA:
+		arg = NULL;
+		break;
+	    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+		keyPwd.pwitem = &safeInfo->pwitem;
+		keyPwd.key = safeInfo->encryptionKey;
+		arg = &keyPwd;
+		break;
+	    case SEC_OID_PKCS7_ENVELOPED_DATA:
+		arg = NULL;
+		break;
+	    default:
+		return SECFailure;
+
+	}
+
+	/* start the PKCS7 encoder */
+	p7ecx = SEC_PKCS7EncoderStart(cinfo, 
+				      sec_pkcs12_wrap_asn1_update_for_p7_update,
+				      p12ecx->aSafeEcx, (PK11SymKey *)arg);
+	if(!p7ecx) {
+	    goto loser;
+	}
+
+	/* encode safe contents */
+	ecx = SEC_ASN1EncoderStart(safeInfo->safe, sec_PKCS12SafeContentsTemplate,
+				   sec_pkcs12_wrap_pkcs7_encoder_update, p7ecx);
+	if(!ecx) {
+	    goto loser;
+	}   
+	rv = SEC_ASN1EncoderUpdate(ecx, NULL, 0);
+	SEC_ASN1EncoderFinish(ecx);
+	ecx = NULL;
+	if(rv != SECSuccess) {
+	    goto loser;
+	}
+
+
+	/* finish up safe content info */
+	rv = SEC_PKCS7EncoderFinish(p7ecx, p12ecx->p12exp->pwfn, 
+				    p12ecx->p12exp->pwfnarg);
+    }
+
+    return SECSuccess;
+
+loser:
+    if(p7ecx) {
+	SEC_PKCS7EncoderFinish(p7ecx, p12ecx->p12exp->pwfn, 
+			       p12ecx->p12exp->pwfnarg);
+    }
+
+    if(ecx) {
+	SEC_ASN1EncoderFinish(ecx);
+    }
+
+    return SECFailure;
+}
+
+/* finish the HMAC and encode the macData so that it can be
+ * encoded.
+ */
+static SECStatus
+sec_pkcs12_update_mac(sec_PKCS12EncoderContext *p12ecx)
+{
+    SECItem hmac = { siBuffer, NULL, 0 };
+    SECStatus rv;
+    SGNDigestInfo *di = NULL;
+    void *dummy;
+
+    if(!p12ecx) {
+	return SECFailure;
+    }
+
+    /* make sure we are using password integrity mode */
+    if(!p12ecx->p12exp->integrityEnabled) {
+	return SECSuccess;
+    }
+
+    if(!p12ecx->p12exp->pwdIntegrity) {
+	return SECSuccess;
+    }
+
+    /* finish the hmac */
+    hmac.data = (unsigned char *)PORT_ZAlloc(SHA1_LENGTH);
+    if(!hmac.data) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+
+    rv = PK11_DigestFinal(p12ecx->hmacCx, hmac.data, &hmac.len, SHA1_LENGTH);
+
+    if(rv != SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* create the digest info */
+    di = SGN_CreateDigestInfo(p12ecx->p12exp->integrityInfo.pwdInfo.algorithm,
+    			      hmac.data, hmac.len);
+    if(!di) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	rv = SECFailure;
+	goto loser;
+    }
+
+    rv = SGN_CopyDigestInfo(p12ecx->arena, &p12ecx->mac.safeMac, di);
+    if(rv != SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* encode the mac data */
+    dummy = SEC_ASN1EncodeItem(p12ecx->arena, &p12ecx->pfx.encodedMacData, 
+    			    &p12ecx->mac, sec_PKCS12MacDataTemplate);
+    if(!dummy) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	rv = SECFailure;
+    }
+
+loser:
+    if(di) {
+	SGN_DestroyDigestInfo(di);
+    }
+    if(hmac.data) {
+	SECITEM_ZfreeItem(&hmac, PR_FALSE);
+    }
+    PK11_DestroyContext(p12ecx->hmacCx, PR_TRUE);
+    p12ecx->hmacCx = NULL;
+
+    return rv;
+}
+
+/* wraps the ASN1 encoder update for PKCS 7 encoder */
+static void
+sec_pkcs12_wrap_asn1_encoder_update(void *arg, const char *buf, 
+				    unsigned long len)
+{
+    SEC_ASN1EncoderContext *cx;
+
+    cx = (SEC_ASN1EncoderContext*)arg;
+    SEC_ASN1EncoderUpdate(cx, buf, len);
+}
+
+/* pfx notify function for ASN1 encoder.  we want to stop encoding, once we reach
+ * the authenticated safe.  at that point, the encoder will be updated via streaming
+ * as the authenticated safe is  encoded. 
+ */
+static void
+sec_pkcs12_encoder_pfx_notify(void *arg, PRBool before, void *dest, int real_depth)
+{
+    sec_PKCS12EncoderContext *p12ecx;
+
+    if(!before) {
+	return;
+    }
+
+    /* look for authenticated safe */
+    p12ecx = (sec_PKCS12EncoderContext*)arg;
+    if(dest != &p12ecx->pfx.encodedAuthSafe) {
+	return;
+    }
+
+    SEC_ASN1EncoderSetTakeFromBuf(p12ecx->ecx);
+    SEC_ASN1EncoderSetStreaming(p12ecx->ecx);
+    SEC_ASN1EncoderClearNotifyProc(p12ecx->ecx);
+}
+
+/* SEC_PKCS12Encode
+ *	Encodes the PFX item and returns it to the output function, via
+ *	callback.  the output function must be capable of multiple updates.
+ *	
+ *	p12exp - the export context 
+ *	output - the output function callback, will be called more than once,
+ *		 must be able to accept streaming data.
+ *	outputarg - argument for the output callback.
+ */
+SECStatus
+SEC_PKCS12Encode(SEC_PKCS12ExportContext *p12exp, 
+		 SEC_PKCS12EncoderOutputCallback output, void *outputarg)
+{
+    sec_PKCS12EncoderContext *p12enc;
+    struct sec_pkcs12_encoder_output outInfo;
+    SECStatus rv;
+
+    if(!p12exp || !output) {
+	return SECFailure;
+    }
+
+    /* get the encoder context */
+    p12enc = sec_pkcs12_encoder_start_context(p12exp);
+    if(!p12enc) {
+	return SECFailure;
+    }
+
+    outInfo.outputfn = output;
+    outInfo.outputarg = outputarg;
+
+    /* set up PFX encoder.  Set it for streaming */
+    p12enc->ecx = SEC_ASN1EncoderStart(&p12enc->pfx, sec_PKCS12PFXItemTemplate,
+				       sec_pkcs12_encoder_out, 
+				       &outInfo);
+    if(!p12enc->ecx) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	rv = SECFailure;
+	goto loser;
+    }
+    SEC_ASN1EncoderSetStreaming(p12enc->ecx);
+    SEC_ASN1EncoderSetNotifyProc(p12enc->ecx, sec_pkcs12_encoder_pfx_notify, p12enc);
+    rv = SEC_ASN1EncoderUpdate(p12enc->ecx, NULL, 0);
+    if(rv != SECSuccess) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    /* set up asafe cinfo - the output of the encoder feeds the PFX encoder */
+    p12enc->aSafeP7Ecx = SEC_PKCS7EncoderStart(p12enc->aSafeCinfo, 
+    					       sec_pkcs12_wrap_asn1_encoder_update,
+    					       p12enc->ecx, NULL);
+    if(!p12enc->aSafeP7Ecx) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    /* encode asafe */
+    if(p12enc->p12exp->integrityEnabled && p12enc->p12exp->pwdIntegrity) {
+	p12enc->aSafeEcx = SEC_ASN1EncoderStart(&p12enc->p12exp->authSafe,
+					sec_PKCS12AuthenticatedSafeTemplate, 
+					sec_pkcs12_asafe_update_hmac_and_encode_bits,
+    					p12enc);
+    } else {
+	p12enc->aSafeEcx = SEC_ASN1EncoderStart(&p12enc->p12exp->authSafe,
+				sec_PKCS12AuthenticatedSafeTemplate,
+				sec_pkcs12_wrap_pkcs7_encoder_update,
+				p12enc->aSafeP7Ecx);
+    }
+    if(!p12enc->aSafeEcx) {
+	rv = SECFailure;
+	goto loser;
+    }
+    SEC_ASN1EncoderSetStreaming(p12enc->aSafeEcx);
+    SEC_ASN1EncoderSetTakeFromBuf(p12enc->aSafeEcx); 
+	
+    /* encode each of the safes */			 
+    while(p12enc->currentSafe != p12enc->p12exp->safeInfoCount) {
+	sec_pkcs12_encoder_asafe_process(p12enc);
+	p12enc->currentSafe++;
+    }
+    SEC_ASN1EncoderClearTakeFromBuf(p12enc->aSafeEcx);
+    SEC_ASN1EncoderClearStreaming(p12enc->aSafeEcx);
+    SEC_ASN1EncoderUpdate(p12enc->aSafeEcx, NULL, 0);
+    SEC_ASN1EncoderFinish(p12enc->aSafeEcx);
+
+    /* finish the encoding of the authenticated safes */
+    rv = SEC_PKCS7EncoderFinish(p12enc->aSafeP7Ecx, p12exp->pwfn, 
+    				p12exp->pwfnarg);
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+
+    SEC_ASN1EncoderClearTakeFromBuf(p12enc->ecx);
+    SEC_ASN1EncoderClearStreaming(p12enc->ecx);
+
+    /* update the mac, if necessary */
+    rv = sec_pkcs12_update_mac(p12enc);
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+   
+    /* finish encoding the pfx */ 
+    rv = SEC_ASN1EncoderUpdate(p12enc->ecx, NULL, 0);
+
+    SEC_ASN1EncoderFinish(p12enc->ecx);
+
+loser:
+    return rv;
+}
+
+void
+SEC_PKCS12DestroyExportContext(SEC_PKCS12ExportContext *p12ecx)
+{
+    int i = 0;
+
+    if(!p12ecx) {
+	return;
+    }
+
+    if(p12ecx->safeInfos) {
+	i = 0;
+	while(p12ecx->safeInfos[i] != NULL) {
+	    if(p12ecx->safeInfos[i]->encryptionKey) {
+		PK11_FreeSymKey(p12ecx->safeInfos[i]->encryptionKey);
+	    }
+	    if(p12ecx->safeInfos[i]->cinfo) {
+		SEC_PKCS7DestroyContentInfo(p12ecx->safeInfos[i]->cinfo);
+	    }
+	    i++;
+	}
+    }
+
+    PORT_FreeArena(p12ecx->arena, PR_TRUE);
+}
+
+
+/*********************************
+ * All-in-one routines for exporting certificates 
+ *********************************/
+struct inPlaceEncodeInfo {
+    PRBool error;
+    SECItem outItem;
+};
+
+static void 
+sec_pkcs12_in_place_encoder_output(void *arg, const char *buf, unsigned long len)
+{
+    struct inPlaceEncodeInfo *outInfo = (struct inPlaceEncodeInfo*)arg;
+
+    if(!outInfo || !len || outInfo->error) {
+	return;
+    }
+
+    if(!outInfo->outItem.data) {
+	outInfo->outItem.data = (unsigned char*)PORT_ZAlloc(len);
+	outInfo->outItem.len = 0;
+    } else {
+	if(!PORT_Realloc(&(outInfo->outItem.data), (outInfo->outItem.len + len))) {
+	    SECITEM_ZfreeItem(&(outInfo->outItem), PR_FALSE);
+	    outInfo->outItem.data = NULL;
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    outInfo->error = PR_TRUE;
+	    return;
+	}
+    }
+
+    PORT_Memcpy(&(outInfo->outItem.data[outInfo->outItem.len]), buf, len);
+    outInfo->outItem.len += len;
+
+    return;
+}
+
+/*
+ * SEC_PKCS12ExportCertifcateAndKeyUsingPassword
+ *	Exports a certificate/key pair using password-based encryption and
+ *	authentication.
+ *
+ * pwfn, pwfnarg - password function and argument for the key database
+ * cert - the certificate to export
+ * certDb - certificate database
+ * pwitem - the password to use
+ * shroudKey - encrypt the key externally, 
+ * keyShroudAlg - encryption algorithm for key
+ * encryptionAlg - the algorithm with which data is encrypted
+ * integrityAlg - the algorithm for integrity
+ */
+SECItem *
+SEC_PKCS12ExportCertificateAndKeyUsingPassword(
+				SECKEYGetPasswordKey pwfn, void *pwfnarg,
+				CERTCertificate *cert, PK11SlotInfo *slot,
+				CERTCertDBHandle *certDb, SECItem *pwitem,
+				PRBool shroudKey, SECOidTag shroudAlg,
+				PRBool encryptCert, SECOidTag certEncAlg,
+				SECOidTag integrityAlg, void *wincx)
+{
+    struct inPlaceEncodeInfo outInfo;
+    SEC_PKCS12ExportContext *p12ecx = NULL;
+    SEC_PKCS12SafeInfo *keySafe, *certSafe;
+    SECItem *returnItem = NULL;
+
+    if(!cert || !pwitem || !slot) {
+	return NULL;
+    }
+
+    outInfo.error = PR_FALSE;
+    outInfo.outItem.data = NULL;
+    outInfo.outItem.len = 0;
+
+    p12ecx = SEC_PKCS12CreateExportContext(pwfn, pwfnarg, slot, wincx);
+    if(!p12ecx) {
+	return NULL;
+    }
+
+    /* set up cert safe */
+    if(encryptCert) {
+	certSafe = SEC_PKCS12CreatePasswordPrivSafe(p12ecx, pwitem, certEncAlg);
+    } else {
+	certSafe = SEC_PKCS12CreateUnencryptedSafe(p12ecx);
+    }
+    if(!certSafe) {
+	goto loser;
+    }
+
+    /* set up key safe */
+    if(shroudKey) {
+	keySafe = SEC_PKCS12CreateUnencryptedSafe(p12ecx);
+    } else {
+	keySafe = certSafe;
+    }
+    if(!keySafe) {
+	goto loser;
+    }
+
+    /* add integrity mode */
+    if(SEC_PKCS12AddPasswordIntegrity(p12ecx, pwitem, integrityAlg) 
+		!= SECSuccess) {
+	goto loser;
+    }
+
+    /* add cert and key pair */
+    if(SEC_PKCS12AddCertAndKey(p12ecx, certSafe, NULL, cert, certDb, 
+			       keySafe, NULL, shroudKey, pwitem, shroudAlg)
+		!= SECSuccess) {
+	goto loser;
+    }
+
+    /* encode the puppy */
+    if(SEC_PKCS12Encode(p12ecx, sec_pkcs12_in_place_encoder_output, &outInfo)
+		!= SECSuccess) {
+	goto loser;
+    }
+    if(outInfo.error) {
+	goto loser;
+    }
+
+    SEC_PKCS12DestroyExportContext(p12ecx);
+	
+    returnItem = SECITEM_DupItem(&outInfo.outItem);
+    SECITEM_ZfreeItem(&outInfo.outItem, PR_FALSE);
+
+    return returnItem;
+
+loser:
+    if(outInfo.outItem.data) {
+	SECITEM_ZfreeItem(&(outInfo.outItem), PR_TRUE);
+    }
+
+    if(p12ecx) {
+	SEC_PKCS12DestroyExportContext(p12ecx);
+    }
+
+    return NULL;
+}
+
+
diff --git a/security/nss/lib/pkcs12/p12exp.c b/security/nss/lib/pkcs12/p12exp.c
new file mode 100644
index 000000000..242d98288
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12exp.c
@@ -0,0 +1,1407 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "plarena.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "seccomon.h"
+#include "secport.h"
+#include "cert.h"
+#include "pkcs12.h"
+#include "p12local.h"
+#include "secpkcs7.h"
+#include "secasn1.h"
+#include "secerr.h"
+#include "p12plcy.h"
+
+/* release the memory taken up by the list of nicknames */
+static void
+sec_pkcs12_destroy_nickname_list(SECItem **nicknames)
+{
+    int i = 0;
+
+    if(nicknames == NULL) {
+	return;
+    }
+
+    while(nicknames[i] != NULL) {
+	SECITEM_FreeItem(nicknames[i], PR_FALSE);
+	i++;
+    }
+
+    PORT_Free(nicknames);
+}
+   
+/* release the memory taken up by the list of certificates */ 
+static void
+sec_pkcs12_destroy_certificate_list(CERTCertificate **ref_certs)
+{
+    int i = 0;
+
+    if(ref_certs == NULL) {
+	return;
+    }
+
+    while(ref_certs[i] != NULL) {
+	CERT_DestroyCertificate(ref_certs[i]);
+	i++;
+    }
+}
+
+static void
+sec_pkcs12_destroy_cinfos_for_cert_bags(SEC_PKCS12CertAndCRLBag *certBag)
+{
+    int j = 0;
+    j = 0;
+    while(certBag->certAndCRLs[j] != NULL) {
+	SECOidTag certType = SECOID_FindOIDTag(&certBag->certAndCRLs[j]->BagID);
+	if(certType == SEC_OID_PKCS12_X509_CERT_CRL_BAG) {
+	    SEC_PKCS12X509CertCRL *x509;
+	    x509 = certBag->certAndCRLs[j]->value.x509;
+	    SEC_PKCS7DestroyContentInfo(&x509->certOrCRL);
+	}
+	j++;
+    }
+}
+
+/* destroy all content infos since they were not allocated in common
+ * pool
+ */
+static void
+sec_pkcs12_destroy_cert_content_infos(SEC_PKCS12SafeContents *safe,
+				      SEC_PKCS12Baggage *baggage)
+{
+    int i, j;
+
+    if((safe != NULL) && (safe->contents != NULL)) {
+	i = 0;
+	while(safe->contents[i] != NULL) {
+	    SECOidTag bagType = SECOID_FindOIDTag(&safe->contents[i]->safeBagType);
+	    if(bagType == SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID) {
+		SEC_PKCS12CertAndCRLBag *certBag;
+		certBag = safe->contents[i]->safeContent.certAndCRLBag;
+		sec_pkcs12_destroy_cinfos_for_cert_bags(certBag);
+	    }
+	    i++;
+	}
+    }
+
+    if((baggage != NULL) && (baggage->bags != NULL)) {
+	i = 0;
+	while(baggage->bags[i] != NULL) { 
+	    if(baggage->bags[i]->unencSecrets != NULL) {
+		j = 0;
+		while(baggage->bags[i]->unencSecrets[j] != NULL) {
+		    SECOidTag bagType;
+		    bagType = SECOID_FindOIDTag(&baggage->bags[i]->unencSecrets[j]->safeBagType);
+		    if(bagType == SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID) {
+			SEC_PKCS12CertAndCRLBag *certBag;
+			certBag = baggage->bags[i]->unencSecrets[j]->safeContent.certAndCRLBag;
+			sec_pkcs12_destroy_cinfos_for_cert_bags(certBag);
+		    }
+		    j++;
+		}
+	    }
+	    i++;
+	}
+    }
+}
+
+/* convert the nickname list from a NULL termincated Char list
+ * to a NULL terminated SECItem list
+ */
+static SECItem **
+sec_pkcs12_convert_nickname_list(char **nicknames)
+{
+    SECItem **nicks;
+    int i, j;
+    PRBool error = PR_FALSE;
+
+    if(nicknames == NULL) {
+	return NULL;
+    }
+
+    i = j = 0;
+    while(nicknames[i] != NULL) {
+	i++;
+    }
+
+    /* allocate the space and copy the data */	
+    nicks = (SECItem **)PORT_ZAlloc(sizeof(SECItem *) * (i + 1));
+    if(nicks != NULL) {
+	for(j = 0; ((j < i) && (error == PR_FALSE)); j++) {
+	    nicks[j] = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+	    if(nicks[j] != NULL) {
+		nicks[j]->data = 
+		    (unsigned char *)PORT_ZAlloc(PORT_Strlen(nicknames[j])+1);
+		if(nicks[j]->data != NULL) {
+		    nicks[j]->len = PORT_Strlen(nicknames[j]);
+		    PORT_Memcpy(nicks[j]->data, nicknames[j], nicks[j]->len);
+		    nicks[j]->data[nicks[j]->len] = 0;
+		} else {
+		    error = PR_TRUE;
+		}
+	    } else {
+	       error = PR_TRUE;
+	    }
+	}
+    }
+
+    if(error == PR_TRUE) {
+        for(i = 0; i < j; i++) { 
+	    SECITEM_FreeItem(nicks[i], PR_TRUE);
+	}
+	PORT_Free(nicks);
+	nicks = NULL;
+    }
+
+    return nicks;
+}
+
+/* package the certificate add_cert into PKCS12 structures,
+ * retrieve the certificate chain for the cert and return
+ * the packaged contents.
+ * poolp -- common memory pool;
+ * add_cert -- certificate to package up
+ * nickname for the certificate 
+ * a return of NULL indicates an error
+ */
+static SEC_PKCS12CertAndCRL *
+sec_pkcs12_get_cert(PRArenaPool *poolp,
+		       CERTCertificate *add_cert, 
+		       SECItem *nickname)
+{
+    SEC_PKCS12CertAndCRL *cert;
+    SEC_PKCS7ContentInfo *cinfo;
+    SGNDigestInfo *t_di;
+    void *mark;
+    SECStatus rv;
+
+    if((poolp == NULL) || (add_cert == NULL) || (nickname == NULL)) {
+    	return NULL;
+    }
+    mark = PORT_ArenaMark(poolp);
+
+    cert = sec_pkcs12_new_cert_crl(poolp, SEC_OID_PKCS12_X509_CERT_CRL_BAG);
+    if(cert != NULL) {
+
+	/* copy the nickname */
+	rv = SECITEM_CopyItem(poolp, &cert->nickname, nickname);
+	if(rv != SECSuccess) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    cert = NULL;
+	} else {
+
+	    /* package the certificate and cert chain into a NULL signer
+	     * PKCS 7 SignedData content Info and prepare it for encoding 
+	     * since we cannot use DER_ANY_TEMPLATE
+	     */
+	    cinfo = SEC_PKCS7CreateCertsOnly(add_cert, PR_TRUE, NULL);
+	    rv = SEC_PKCS7PrepareForEncode(cinfo, NULL, NULL, NULL);
+
+	    /* thumbprint the certificate */
+	    if((cinfo != NULL) && (rv == SECSuccess))
+	    {
+		PORT_Memcpy(&cert->value.x509->certOrCRL, cinfo, sizeof(*cinfo));
+		t_di = sec_pkcs12_compute_thumbprint(&add_cert->derCert);
+		if(t_di != NULL)
+		{
+		    /* test */
+		    rv = SGN_CopyDigestInfo(poolp, &cert->value.x509->thumbprint,
+		    			    t_di);
+		    if(rv != SECSuccess) {
+			cert = NULL;
+			PORT_SetError(SEC_ERROR_NO_MEMORY);
+		    }
+		    SGN_DestroyDigestInfo(t_di);
+		}
+		else
+		    cert = NULL;
+	    }
+	}
+    }
+
+    if (cert == NULL) {
+	PORT_ArenaRelease(poolp, mark);
+    } else {
+	PORT_ArenaUnmark(poolp, mark);
+    }
+
+    return cert;
+}
+
+/* package the private key associated with the certificate and 
+ * return the appropriate PKCS 12 structure 
+ * poolp common memory pool
+ * nickname key nickname
+ * cert -- cert to look up
+ * wincx -- window handle 
+ * an error is indicated by a return of NULL
+ */
+static SEC_PKCS12PrivateKey *
+sec_pkcs12_get_private_key(PRArenaPool *poolp,
+			   SECItem *nickname,
+			   CERTCertificate *cert,
+			   void *wincx)
+{
+    SECKEYPrivateKeyInfo *pki;
+    SEC_PKCS12PrivateKey *pk;
+    SECStatus rv;
+    void *mark;
+
+    if((poolp == NULL) || (nickname == NULL)) {
+	return NULL;
+    }
+
+    mark = PORT_ArenaMark(poolp);
+
+    /* retrieve key from the data base */
+    pki = PK11_ExportPrivateKeyInfo(nickname, cert, wincx);
+    if(pki == NULL) {
+	PORT_ArenaRelease(poolp, mark);
+	PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY);
+	return NULL;
+    }
+
+    pk = (SEC_PKCS12PrivateKey *)PORT_ArenaZAlloc(poolp,
+						  sizeof(SEC_PKCS12PrivateKey));
+    if(pk != NULL) {
+	rv = sec_pkcs12_init_pvk_data(poolp, &pk->pvkData);
+
+	if(rv == SECSuccess) {
+	    /* copy the key into poolp memory space */
+	    rv = SECKEY_CopyPrivateKeyInfo(poolp, &pk->pkcs8data, pki);
+	    if(rv == SECSuccess) {
+		rv = SECITEM_CopyItem(poolp, &pk->pvkData.nickname, nickname);
+	    }
+	}
+
+	if(rv != SECSuccess) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    pk = NULL;
+	}
+    } else {
+	PORT_SetError(SEC_ERROR_NO_MEMORY); 
+    }
+
+    /* destroy private key, zeroing out data */
+    SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE);
+    if (pk == NULL) {
+	PORT_ArenaRelease(poolp, mark);
+    } else {
+	PORT_ArenaUnmark(poolp, mark);
+    }
+
+    return pk;
+}
+
+/* get a shrouded key item associated with a certificate
+ * return the appropriate PKCS 12 structure 
+ * poolp common memory pool
+ * nickname key nickname
+ * cert -- cert to look up
+ * wincx -- window handle 
+ * an error is indicated by a return of NULL
+ */
+static SEC_PKCS12ESPVKItem *
+sec_pkcs12_get_shrouded_key(PRArenaPool *poolp,
+			    SECItem *nickname,
+			    CERTCertificate *cert,
+			    SECOidTag algorithm, 
+			    SECItem *pwitem,
+			    PKCS12UnicodeConvertFunction unicodeFn,
+			    void *wincx)
+{
+    SECKEYEncryptedPrivateKeyInfo *epki;
+    SEC_PKCS12ESPVKItem *pk;
+    void *mark;
+    SECStatus rv;
+    PK11SlotInfo *slot = NULL;
+    PRBool swapUnicodeBytes = PR_FALSE;
+
+#ifdef IS_LITTLE_ENDIAN
+    swapUnicodeBytes = PR_TRUE;
+#endif
+
+    if((poolp == NULL) || (nickname == NULL))
+	return NULL;
+
+    mark = PORT_ArenaMark(poolp);
+
+    /* use internal key slot */
+    slot = PK11_GetInternalKeySlot();
+
+    /* retrieve encrypted prviate key */
+    epki = PK11_ExportEncryptedPrivateKeyInfo(slot, algorithm, pwitem, 
+    					      nickname, cert, 1, 0, NULL);
+    PK11_FreeSlot(slot);
+    if(epki == NULL) {
+	PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY);
+	PORT_ArenaRelease(poolp, mark);
+	return NULL;
+    }
+
+    /* create a private key and store the data into the poolp memory space */
+    pk = sec_pkcs12_create_espvk(poolp, SEC_OID_PKCS12_PKCS8_KEY_SHROUDING);
+    if(pk != NULL) {
+	rv = sec_pkcs12_init_pvk_data(poolp, &pk->espvkData);
+	rv = SECITEM_CopyItem(poolp, &pk->espvkData.nickname, nickname);
+	pk->espvkCipherText.pkcs8KeyShroud = 
+	    (SECKEYEncryptedPrivateKeyInfo *)PORT_ArenaZAlloc(poolp,
+					sizeof(SECKEYEncryptedPrivateKeyInfo));
+	if((pk->espvkCipherText.pkcs8KeyShroud != NULL)  && (rv == SECSuccess)) {
+	    rv = SECKEY_CopyEncryptedPrivateKeyInfo(poolp, 
+					pk->espvkCipherText.pkcs8KeyShroud, epki);
+	    if(rv == SECSuccess) {
+		rv = (*unicodeFn)(poolp, &pk->espvkData.uniNickName, nickname, 
+				  PR_TRUE, swapUnicodeBytes);
+	    }
+	}
+
+	if(rv != SECSuccess) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    pk = NULL;
+	}
+    }
+
+    SECKEY_DestroyEncryptedPrivateKeyInfo(epki, PR_TRUE);
+    if(pk == NULL) {
+	PORT_ArenaRelease(poolp, mark);
+    } else {
+	PORT_ArenaUnmark(poolp, mark);
+    }
+	
+    return pk;
+}
+
+/* add a thumbprint to a private key associated certs list 
+ * pvk is the area where the list is stored
+ * thumb is the thumbprint to copy
+ * a return of SECFailure indicates an error 
+ */
+static SECStatus 
+sec_pkcs12_add_thumbprint(SEC_PKCS12PVKSupportingData *pvk,
+			  SGNDigestInfo *thumb)
+{
+    SGNDigestInfo **thumb_list = NULL;
+    int nthumbs, size;
+    void *mark, *dummy;
+    SECStatus rv = SECFailure;
+
+    if((pvk == NULL) || (thumb == NULL)) {
+	return SECFailure;
+    }
+
+    mark = PORT_ArenaMark(pvk->poolp);
+
+    thumb_list = pvk->assocCerts;
+    nthumbs = pvk->nThumbs;
+
+    /* allocate list space needed -- either growing or allocating 
+     * list must be NULL terminated 
+     */
+    size = sizeof(SGNDigestInfo *);
+    dummy = PORT_ArenaGrow(pvk->poolp, thumb_list, (size * (nthumbs + 1)),
+    			   (size * (nthumbs + 2)));
+    thumb_list = dummy;
+    if(dummy != NULL) {
+	thumb_list[nthumbs] = (SGNDigestInfo *)PORT_ArenaZAlloc(pvk->poolp, 
+						sizeof(SGNDigestInfo));
+	if(thumb_list[nthumbs] != NULL) {
+	    SGN_CopyDigestInfo(pvk->poolp, thumb_list[nthumbs], thumb);
+	    nthumbs += 1;
+	    thumb_list[nthumbs] = 0;
+	} else {
+	    dummy = NULL;
+	}
+    }
+
+    if(dummy == NULL) {
+    	PORT_ArenaRelease(pvk->poolp, mark);
+	return SECFailure;
+    } 
+
+    pvk->assocCerts = thumb_list;
+    pvk->nThumbs = nthumbs;
+
+    PORT_ArenaUnmark(pvk->poolp, mark);
+    return SECSuccess;
+}
+
+/* search the list of shrouded keys in the baggage for the desired
+ * name.  return a pointer to the item.  a return of NULL indicates
+ * that no match was present or that an error occurred.
+ */
+static SEC_PKCS12ESPVKItem *
+sec_pkcs12_get_espvk_by_name(SEC_PKCS12Baggage *luggage, 
+			     SECItem *name)
+{
+    PRBool found = PR_FALSE;
+    SEC_PKCS12ESPVKItem *espvk = NULL;
+    int i, j;
+    SECComparison rv = SECEqual;
+    SECItem *t_name;
+    SEC_PKCS12BaggageItem *bag;
+
+    if((luggage == NULL) || (name == NULL)) {
+	return NULL;
+    }
+
+    i = 0;
+    while((found == PR_FALSE) && (i < luggage->luggage_size)) {
+	j = 0;
+	bag = luggage->bags[i];
+	while((found == PR_FALSE) && (j < bag->nEspvks)) {
+	    espvk = bag->espvks[j];
+	    if(espvk->poolp == NULL) {
+		espvk->poolp = luggage->poolp;
+	    }
+	    t_name = SECITEM_DupItem(&espvk->espvkData.nickname);
+	    if(t_name != NULL) {
+		rv = SECITEM_CompareItem(name, t_name);
+		if(rv == SECEqual) {
+		    found = PR_TRUE;
+		}
+		SECITEM_FreeItem(t_name, PR_TRUE);
+	    } else {
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		return NULL;
+	    }
+	    j++;
+	}
+	i++;
+    }
+
+    if(found != PR_TRUE) {
+	PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME);
+	return NULL;
+    }
+
+    return espvk;
+}
+
+/* locates a certificate and copies the thumbprint to the
+ * appropriate private key
+ */
+static SECStatus 
+sec_pkcs12_propagate_thumbprints(SECItem **nicknames,
+				 CERTCertificate **ref_certs,
+				 SEC_PKCS12SafeContents *safe,
+				 SEC_PKCS12Baggage *baggage)
+{
+    SEC_PKCS12CertAndCRL *cert;
+    SEC_PKCS12PrivateKey *key;
+    SEC_PKCS12ESPVKItem *espvk;
+    int i;
+    PRBool error = PR_FALSE;
+    SECStatus rv = SECFailure;
+
+    if((nicknames == NULL) || (safe == NULL)) {
+	return SECFailure;
+    }
+
+    i = 0;
+    while((nicknames[i] != NULL) && (error == PR_FALSE)) {
+	/* process all certs */
+	cert = (SEC_PKCS12CertAndCRL *)sec_pkcs12_find_object(safe, baggage,
+					SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID,
+					nicknames[i], NULL);
+	if(cert != NULL) {
+	    /* locate key and copy thumbprint */
+	    key = (SEC_PKCS12PrivateKey *)sec_pkcs12_find_object(safe, baggage,
+	    				SEC_OID_PKCS12_KEY_BAG_ID,
+	    				nicknames[i], NULL);
+	    if(key != NULL) {
+		key->pvkData.poolp = key->poolp;
+		rv = sec_pkcs12_add_thumbprint(&key->pvkData, 
+			&cert->value.x509->thumbprint);
+		if(rv == SECFailure)
+		    error = PR_TRUE;  /* XXX Set error? */
+	    }
+
+	    /* look in the baggage as well...*/
+	    if((baggage != NULL) && (error == PR_FALSE)) {
+		espvk = sec_pkcs12_get_espvk_by_name(baggage, nicknames[i]);
+		if(espvk != NULL) {
+		    espvk->espvkData.poolp = espvk->poolp;
+		    rv = sec_pkcs12_add_thumbprint(&espvk->espvkData,
+			&cert->value.x509->thumbprint);
+		    if(rv == SECFailure)
+			error = PR_TRUE;  /* XXX Set error? */
+		}
+	    }
+	}
+	i++;
+    }
+
+    if(error == PR_TRUE) {
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+/* append a safe bag to the end of the safe contents list */
+SECStatus 
+sec_pkcs12_append_safe_bag(SEC_PKCS12SafeContents *safe,
+			   SEC_PKCS12SafeBag *bag)
+{
+    int size;
+    void *mark = NULL, *dummy = NULL;
+
+    if((bag == NULL) || (safe == NULL))
+	return SECFailure;
+
+    mark = PORT_ArenaMark(safe->poolp);
+
+    size = (safe->safe_size * sizeof(SEC_PKCS12SafeBag *));
+    
+    if(safe->safe_size > 0) {
+	dummy = (SEC_PKCS12SafeBag **)PORT_ArenaGrow(safe->poolp, 
+	    				safe->contents, 
+	    				size, 
+	    				(size + sizeof(SEC_PKCS12SafeBag *)));
+	safe->contents = dummy;
+    } else {
+	safe->contents = (SEC_PKCS12SafeBag **)PORT_ArenaZAlloc(safe->poolp, 
+	    (2 * sizeof(SEC_PKCS12SafeBag *)));
+	dummy = safe->contents;
+    }
+
+    if(dummy == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    safe->contents[safe->safe_size] = bag;
+    safe->safe_size++;
+    safe->contents[safe->safe_size] = NULL;
+
+    PORT_ArenaUnmark(safe->poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease(safe->poolp, mark);
+    return SECFailure;
+}
+
+/* append a certificate onto the end of a cert bag */
+static SECStatus 
+sec_pkcs12_append_cert_to_bag(PRArenaPool *arena,
+			      SEC_PKCS12SafeBag *safebag,
+			      CERTCertificate *cert,
+			      SECItem *nickname)
+{
+    int size;
+    void *dummy = NULL, *mark = NULL;
+    SEC_PKCS12CertAndCRL *p12cert;
+    SEC_PKCS12CertAndCRLBag *bag;
+
+    if((arena == NULL) || (safebag == NULL) || 
+    	(cert == NULL) || (nickname == NULL)) {
+	return SECFailure;
+    }
+
+    bag = safebag->safeContent.certAndCRLBag;
+    if(bag == NULL) {
+	return SECFailure;
+    }
+
+    mark = PORT_ArenaMark(arena);
+
+    p12cert = sec_pkcs12_get_cert(arena, cert, nickname);
+    if(p12cert == NULL) {
+	PORT_ArenaRelease(bag->poolp, mark);
+	return SECFailure;
+    }
+
+    size = bag->bag_size * sizeof(SEC_PKCS12CertAndCRL *);
+    if(bag->bag_size > 0) {
+	dummy = (SEC_PKCS12CertAndCRL **)PORT_ArenaGrow(bag->poolp,
+	    bag->certAndCRLs, size, size + sizeof(SEC_PKCS12CertAndCRL *));
+	bag->certAndCRLs = dummy;
+    } else {
+	bag->certAndCRLs = (SEC_PKCS12CertAndCRL **)PORT_ArenaZAlloc(bag->poolp,
+	    (2 * sizeof(SEC_PKCS12CertAndCRL *)));
+	dummy = bag->certAndCRLs;
+    }
+
+    if(dummy == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    bag->certAndCRLs[bag->bag_size] = p12cert;
+    bag->bag_size++;
+    bag->certAndCRLs[bag->bag_size] = NULL;
+
+    PORT_ArenaUnmark(bag->poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease(bag->poolp, mark);
+    return SECFailure;
+}
+
+/* append a key onto the end of a list of keys in a key bag */
+SECStatus 
+sec_pkcs12_append_key_to_bag(SEC_PKCS12SafeBag *safebag,
+			     SEC_PKCS12PrivateKey *pk)
+{
+    void *mark, *dummy;
+    SEC_PKCS12PrivateKeyBag *bag;
+    int size;
+
+    if((safebag == NULL) || (pk == NULL))
+	return SECFailure;
+
+    bag = safebag->safeContent.keyBag;
+    if(bag == NULL) {
+	return SECFailure;
+    }
+
+    mark = PORT_ArenaMark(bag->poolp);
+
+    size = (bag->bag_size * sizeof(SEC_PKCS12PrivateKey *));
+
+    if(bag->bag_size > 0) {
+	dummy = (SEC_PKCS12PrivateKey **)PORT_ArenaGrow(bag->poolp,
+					bag->privateKeys, 
+					size, 
+					size + sizeof(SEC_PKCS12PrivateKey *));
+	bag->privateKeys = dummy;
+    } else {
+	bag->privateKeys = (SEC_PKCS12PrivateKey **)PORT_ArenaZAlloc(bag->poolp,
+	    (2 * sizeof(SEC_PKCS12PrivateKey *)));
+	dummy = bag->privateKeys;
+    }
+
+    if(dummy == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    bag->privateKeys[bag->bag_size] = pk;
+    bag->bag_size++;
+    bag->privateKeys[bag->bag_size] = NULL;
+
+    PORT_ArenaUnmark(bag->poolp, mark);
+    return SECSuccess;
+
+loser:
+    /* XXX Free memory? */
+    PORT_ArenaRelease(bag->poolp, mark);
+    return SECFailure;
+}
+
+/* append a safe bag to the baggage area */
+static SECStatus 
+sec_pkcs12_append_unshrouded_bag(SEC_PKCS12BaggageItem *bag,
+				 SEC_PKCS12SafeBag *u_bag)
+{
+    int size;
+    void *mark = NULL, *dummy = NULL;
+
+    if((bag == NULL) || (u_bag == NULL))
+	return SECFailure;
+
+    mark = PORT_ArenaMark(bag->poolp);
+
+    /* dump things into the first bag */
+    size = (bag->nSecrets + 1) * sizeof(SEC_PKCS12SafeBag *);
+    dummy = PORT_ArenaGrow(bag->poolp,
+	    		bag->unencSecrets, size, 
+	    		size + sizeof(SEC_PKCS12SafeBag *));
+    bag->unencSecrets = dummy;
+    if(dummy == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    bag->unencSecrets[bag->nSecrets] = u_bag;
+    bag->nSecrets++;
+    bag->unencSecrets[bag->nSecrets] = NULL;
+
+    PORT_ArenaUnmark(bag->poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease(bag->poolp, mark);
+    return SECFailure;
+}
+
+/* gather up all certificates and keys and package them up
+ * in the safe, baggage, or both.
+ * nicknames is the list of nicknames and corresponding certs in ref_certs
+ * ref_certs a null terminated list of certificates
+ * rSafe, rBaggage -- return areas for safe and baggage
+ * shroud_keys -- store keys externally
+ * pwitem -- password for computing integrity mac and encrypting contents
+ * wincx -- window handle
+ *
+ * if a failure occurs, an error is set and SECFailure returned.
+ */
+static SECStatus
+sec_pkcs12_package_certs_and_keys(SECItem **nicknames,
+				  CERTCertificate **ref_certs,
+				  PRBool unencryptedCerts,
+				  SEC_PKCS12SafeContents **rSafe,
+				  SEC_PKCS12Baggage **rBaggage,
+				  PRBool shroud_keys, 
+				  SECOidTag shroud_alg,
+				  SECItem *pwitem,
+				  PKCS12UnicodeConvertFunction unicodeFn,
+				  void *wincx)
+{
+    PRArenaPool *permArena;
+    SEC_PKCS12SafeContents *safe = NULL;
+    SEC_PKCS12Baggage *baggage = NULL;
+
+    SECStatus rv = SECFailure;
+    PRBool problem = PR_FALSE;
+
+    SEC_PKCS12ESPVKItem *espvk = NULL;
+    SEC_PKCS12PrivateKey *pk = NULL;
+    CERTCertificate *add_cert = NULL;
+    SEC_PKCS12SafeBag *certbag = NULL, *keybag = NULL;
+    SEC_PKCS12BaggageItem *external_bag = NULL;
+    int ncerts = 0, nkeys = 0;
+    int i;
+
+    if((nicknames == NULL) || (rSafe == NULL) || (rBaggage == NULL)) {
+	return SECFailure;
+    }
+	
+    *rBaggage = baggage;
+    *rSafe = safe;
+
+    permArena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if(permArena == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+     }
+
+    /* allocate structures */
+    safe = sec_pkcs12_create_safe_contents(permArena);
+    if(safe == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	rv = SECFailure;
+	goto loser;
+    }
+
+    certbag = sec_pkcs12_create_safe_bag(permArena, 
+					 SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID);
+    if(certbag == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    if(shroud_keys != PR_TRUE) {
+	keybag = sec_pkcs12_create_safe_bag(permArena, 
+					    SEC_OID_PKCS12_KEY_BAG_ID);
+	if(keybag == NULL) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+    }
+
+    if((shroud_keys == PR_TRUE) || (unencryptedCerts == PR_TRUE)) {
+	baggage = sec_pkcs12_create_baggage(permArena);
+    	if(baggage == NULL) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+	external_bag = sec_pkcs12_create_external_bag(baggage);
+    }
+
+    /* package keys and certs */
+    i = 0;
+    while((nicknames[i] != NULL) && (problem == PR_FALSE)) {
+	if(ref_certs[i] != NULL) {
+	    /* append cert to bag o certs */
+	    rv = sec_pkcs12_append_cert_to_bag(permArena, certbag, 
+	    				       ref_certs[i],
+	    				       nicknames[i]);
+	    if(rv == SECFailure) {
+		problem = PR_FALSE;
+	    } else {
+		ncerts++;
+	    }
+
+	    if(rv == SECSuccess) {
+		/* package up them keys */
+		if(shroud_keys == PR_TRUE) {
+	    	    espvk = sec_pkcs12_get_shrouded_key(permArena, 
+							nicknames[i],
+	    	    					ref_certs[i],
+							shroud_alg, 
+							pwitem, unicodeFn,
+							wincx);
+		    if(espvk != NULL) {
+			rv = sec_pkcs12_append_shrouded_key(external_bag, espvk);
+			SECITEM_CopyItem(permArena, &espvk->derCert,
+					 &ref_certs[i]->derCert);
+		    } else {
+			rv = SECFailure;
+		    }
+		} else {
+		    pk = sec_pkcs12_get_private_key(permArena, nicknames[i], 
+		    				    ref_certs[i], wincx);
+		    if(pk != NULL) {
+			rv = sec_pkcs12_append_key_to_bag(keybag, pk);
+			SECITEM_CopyItem(permArena, &espvk->derCert,
+					 &ref_certs[i]->derCert);
+		    } else {
+			rv = SECFailure;
+		    }
+		}
+	
+		if(rv == SECFailure) {
+		    problem = PR_TRUE;
+		} else {
+		    nkeys++;
+		}
+	    }
+	} else {
+	    /* handle only keys here ? */
+	    problem = PR_TRUE;
+	}
+	i++;
+    }
+
+    /* let success fall through */
+loser:
+    if(problem == PR_FALSE) {
+	/* if we have certs, we want to append the cert bag to the 
+	 * appropriate area 
+	 */
+	if(ncerts > 0) {
+	    if(unencryptedCerts != PR_TRUE) {
+		rv = sec_pkcs12_append_safe_bag(safe, certbag);
+	    } else {
+		rv = sec_pkcs12_append_unshrouded_bag(external_bag, certbag);
+	    }
+	} else {
+	    rv = SECSuccess;
+	}
+
+	/* append key bag, if they are stored in safe contents */
+	if((rv == SECSuccess) && (shroud_keys == PR_FALSE) && (nkeys > 0)) {
+	    rv = sec_pkcs12_append_safe_bag(safe, keybag);
+	}
+    } else {
+	rv = SECFailure;
+    }
+
+    /* if baggage not used, NULLify it */
+    if((shroud_keys == PR_TRUE) || (unencryptedCerts == PR_TRUE)) {
+	if(((unencryptedCerts == PR_TRUE) && (ncerts == 0)) &&
+	   ((shroud_keys == PR_TRUE) && (nkeys == 0)))
+		baggage = NULL;
+    } else {
+	baggage = NULL;
+    }
+
+    if((problem == PR_TRUE) || (rv == SECFailure)) {
+	PORT_FreeArena(permArena, PR_TRUE);
+	rv = SECFailure;
+	baggage = NULL;
+	safe = NULL;
+    }
+
+    *rBaggage = baggage;
+    *rSafe = safe;
+
+    return rv;
+}
+
+/* DER encode the safe contents and return a SECItem.  if an error
+ * occurs, NULL is returned.
+ */
+static SECItem *
+sec_pkcs12_encode_safe_contents(SEC_PKCS12SafeContents *safe)
+{
+    SECItem *dsafe = NULL, *tsafe;
+    void *dummy = NULL;
+    PRArenaPool *arena;
+
+    if(safe == NULL) {
+	return NULL;
+    }
+
+/*    rv = sec_pkcs12_prepare_for_der_code_safe(safe, PR_TRUE);
+    if(rv != SECSuccess) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }*/
+
+    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if(arena == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    tsafe = (SECItem *)PORT_ArenaZAlloc(arena, sizeof(SECItem));
+    if(tsafe != NULL) {
+	dummy = SEC_ASN1EncodeItem(arena, tsafe, safe, 
+	    SEC_PKCS12SafeContentsTemplate);
+	if(dummy != NULL) {
+	    dsafe = SECITEM_DupItem(tsafe);
+	} else {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	}
+    } else {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+    }
+
+    PORT_FreeArena(arena, PR_TRUE);
+
+    return dsafe;
+}
+
+/* prepare the authenicated safe for encoding and encode it.  
+ *   baggage is copied to the appropriate area, safe is encoded and
+ *   encrypted.  the version and transport mode are set on the asafe.
+ *   the whole ball of wax is then der encoded and packaged up into
+ *   data content info 
+ * safe -- container of certs and keys, is encrypted.
+ * baggage -- container of certs and keys, keys assumed to be encrypted by 
+ *    another method, certs are in the clear
+ * algorithm -- algorithm by which to encrypt safe
+ * pwitem -- password for encryption
+ * wincx - window handle
+ *
+ * return of NULL is an error condition.
+ */
+static SEC_PKCS7ContentInfo *
+sec_pkcs12_get_auth_safe(SEC_PKCS12SafeContents *safe, 
+			 SEC_PKCS12Baggage *baggage,  
+			 SECOidTag algorithm, 
+			 SECItem *pwitem,
+			 PKCS12UnicodeConvertFunction unicodeFn,
+			 void *wincx)
+{
+    SECItem *src = NULL, *dest = NULL, *psalt = NULL;
+    PRArenaPool *poolp;
+    SEC_PKCS12AuthenticatedSafe *asafe;
+    SEC_PKCS7ContentInfo *safe_cinfo = NULL;
+    SEC_PKCS7ContentInfo *asafe_cinfo = NULL;
+    void *dummy;
+    SECStatus rv = SECSuccess;
+    PRBool swapUnicodeBytes = PR_FALSE;
+
+#ifdef IS_LITTLE_ENDIAN
+    swapUnicodeBytes = PR_TRUE;
+#endif
+    
+    if(((safe != NULL) && (pwitem == NULL)) && (baggage == NULL))
+	return NULL;
+
+    poolp = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if(poolp == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    /* prepare authenticated safe for encode */
+    asafe = sec_pkcs12_new_asafe(poolp);
+    if(asafe != NULL) {
+
+	/* set version */
+	dummy = SEC_ASN1EncodeInteger(asafe->poolp, &asafe->version,
+				      SEC_PKCS12_PFX_VERSION);
+	if(dummy == NULL) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    rv = SECFailure;
+	    goto loser;
+	}
+
+	/* generate the privacy salt used to create virtual pwd */
+	psalt = sec_pkcs12_generate_salt();
+	if(psalt != NULL) {
+	    rv = SECITEM_CopyItem(asafe->poolp, &asafe->privacySalt,
+				  psalt);
+	    if(rv == SECSuccess) {
+		asafe->privacySalt.len *= 8;
+	    } 
+	    else {
+		SECITEM_ZfreeItem(psalt, PR_TRUE);
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		goto loser;
+	    }
+	} 
+
+	if((psalt == NULL) || (rv == SECFailure)) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    rv = SECFailure;
+	    goto loser;
+	}
+
+	/* package up safe contents */
+	if(safe != NULL) 
+	{
+	    safe_cinfo = SEC_PKCS7CreateEncryptedData(algorithm, NULL, wincx);
+	    if((safe_cinfo != NULL) && (safe->safe_size > 0)) {
+		/* encode the safe and encrypt the contents of the 
+		 * content info
+		 */
+		src = sec_pkcs12_encode_safe_contents(safe);
+
+		if(src != NULL) {
+		    rv = SEC_PKCS7SetContent(safe_cinfo, (char *)src->data, src->len);
+		    SECITEM_ZfreeItem(src, PR_TRUE);
+		    if(rv == SECSuccess) {
+			SECItem *vpwd;
+			vpwd = sec_pkcs12_create_virtual_password(pwitem, psalt,
+						unicodeFn, swapUnicodeBytes);
+			if(vpwd != NULL) {
+			    rv = SEC_PKCS7EncryptContents(NULL, safe_cinfo,
+							  vpwd, wincx);
+			    SECITEM_ZfreeItem(vpwd, PR_TRUE);
+			} else {
+			    rv = SECFailure;
+			    PORT_SetError(SEC_ERROR_NO_MEMORY);
+			}
+		    } else {
+			PORT_SetError(SEC_ERROR_NO_MEMORY);
+		    }
+		} else {
+		    rv = SECFailure;
+		}
+	    } else if(safe->safe_size > 0) {
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		goto loser;
+	    } else {
+	    	/* case where there is NULL content in the safe contents */
+		rv = SEC_PKCS7SetContent(safe_cinfo, NULL, 0);
+		if(rv != SECFailure) {
+		    PORT_SetError(SEC_ERROR_NO_MEMORY);
+		}
+	    }
+
+	    if(rv != SECSuccess) {
+		SEC_PKCS7DestroyContentInfo(safe_cinfo);
+		safe_cinfo = NULL;
+		goto loser;
+	    }
+
+	    asafe->safe = safe_cinfo;	
+	    /*
+	    PORT_Memcpy(&asafe->safe, safe_cinfo, sizeof(*safe_cinfo));
+	    */
+	}
+
+	/* copy the baggage to the authenticated safe baggage if present */
+	if(baggage != NULL) {
+	    PORT_Memcpy(&asafe->baggage, baggage, sizeof(*baggage));
+	}
+
+	/* encode authenticated safe and store it in a Data content info */
+	dest = (SECItem *)PORT_ArenaZAlloc(poolp, sizeof(SECItem));
+	if(dest != NULL) {
+	    dummy = SEC_ASN1EncodeItem(poolp, dest, asafe, 
+				SEC_PKCS12AuthenticatedSafeTemplate);
+	    if(dummy != NULL) {
+		asafe_cinfo = SEC_PKCS7CreateData();
+		if(asafe_cinfo != NULL) {
+		    rv = SEC_PKCS7SetContent(asafe_cinfo, 
+					 	(char *)dest->data, 
+						dest->len);
+		    if(rv != SECSuccess) {
+			PORT_SetError(SEC_ERROR_NO_MEMORY);
+			SEC_PKCS7DestroyContentInfo(asafe_cinfo);
+			asafe_cinfo = NULL;
+		    }
+		}
+	    } else {
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		rv = SECFailure;
+	    }
+	}
+    }
+
+loser:
+    PORT_FreeArena(poolp, PR_TRUE);
+    if(safe_cinfo != NULL) {
+    	SEC_PKCS7DestroyContentInfo(safe_cinfo);
+    }
+    if(psalt != NULL) {
+	SECITEM_ZfreeItem(psalt, PR_TRUE);
+    }
+
+    if(rv == SECFailure) {
+	return NULL;
+    }
+	
+    return asafe_cinfo;
+}
+
+/* generates the PFX and computes the mac on the authenticated safe 
+ * NULL implies an error
+ */
+static SEC_PKCS12PFXItem *
+sec_pkcs12_get_pfx(SEC_PKCS7ContentInfo *cinfo, 
+		   PRBool do_mac, 
+		   SECItem *pwitem, PKCS12UnicodeConvertFunction unicodeFn)
+{
+    SECItem *dest = NULL, *mac = NULL, *salt = NULL, *key = NULL;
+    SEC_PKCS12PFXItem *pfx;
+    SECStatus rv = SECFailure;
+    SGNDigestInfo *di;
+    SECItem *vpwd;
+    PRBool swapUnicodeBytes = PR_FALSE;
+
+#ifdef IS_LITTLE_ENDIAN
+    swapUnicodeBytes = PR_TRUE;
+#endif
+
+    if((cinfo == NULL) || ((do_mac == PR_TRUE) && (pwitem == NULL))) {
+	return NULL;
+    }
+
+    /* allocate new pfx structure */
+    pfx = sec_pkcs12_new_pfx();
+    if(pfx == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    PORT_Memcpy(&pfx->authSafe, cinfo, sizeof(*cinfo));
+    if(do_mac == PR_TRUE) {
+
+    	/* salt for computing mac */
+	salt = sec_pkcs12_generate_salt();
+	if(salt != NULL) {
+	    rv = SECITEM_CopyItem(pfx->poolp, &pfx->macData.macSalt, salt);
+	    pfx->macData.macSalt.len *= 8;
+
+	    vpwd = sec_pkcs12_create_virtual_password(pwitem, salt,
+						unicodeFn, swapUnicodeBytes);
+	    if(vpwd == NULL) {
+		rv = SECFailure;
+		key = NULL;
+	    } else {
+		key = sec_pkcs12_generate_key_from_password(SEC_OID_SHA1,
+							salt, vpwd);
+		SECITEM_ZfreeItem(vpwd, PR_TRUE);
+	    }
+
+	    if((key != NULL) && (rv == SECSuccess)) {
+		dest = SEC_PKCS7GetContent(cinfo);
+		if(dest != NULL) {
+
+		    /* compute mac on data -- for password integrity mode */
+		    mac = sec_pkcs12_generate_mac(key, dest, PR_FALSE);
+		    if(mac != NULL) {
+			di = SGN_CreateDigestInfo(SEC_OID_SHA1, 
+			    			  mac->data, mac->len);
+			if(di != NULL) {
+			    rv = SGN_CopyDigestInfo(pfx->poolp, 
+						    &pfx->macData.safeMac, di);
+			    SGN_DestroyDigestInfo(di);
+			} else {
+			    PORT_SetError(SEC_ERROR_NO_MEMORY);
+			}
+			SECITEM_ZfreeItem(mac, PR_TRUE);
+		    }
+		} else {
+		    rv = SECFailure;
+		}
+	    } else {
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		rv = SECFailure;
+	    }
+
+	    if(key != NULL) {
+		SECITEM_ZfreeItem(key, PR_TRUE);
+	    }
+	    SECITEM_ZfreeItem(salt, PR_TRUE);
+	}
+    }
+
+    if(rv == SECFailure) {
+	SEC_PKCS12DestroyPFX(pfx);
+	pfx = NULL;
+    }
+
+    return pfx;
+}
+
+/* der encode the pfx */
+static SECItem *
+sec_pkcs12_encode_pfx(SEC_PKCS12PFXItem *pfx)
+{
+    SECItem *dest;
+    void *dummy;
+
+    if(pfx == NULL) {
+	return NULL;
+    }
+
+    dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    if(dest == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    dummy = SEC_ASN1EncodeItem(NULL, dest, pfx, SEC_PKCS12PFXItemTemplate);
+    if(dummy == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	SECITEM_ZfreeItem(dest, PR_TRUE);
+	dest = NULL;
+    }
+
+    return dest;
+}
+
+SECItem *
+SEC_PKCS12GetPFX(char **nicknames,
+		 CERTCertificate **ref_certs,
+		 PRBool shroud_keys, 
+		 SEC_PKCS5GetPBEPassword pbef, 
+		 void *pbearg,
+		 PKCS12UnicodeConvertFunction unicodeFn,
+		 void *wincx)
+{
+    SECItem **nicks = NULL;
+    SEC_PKCS12PFXItem *pfx = NULL;
+    SEC_PKCS12Baggage *baggage = NULL;
+    SEC_PKCS12SafeContents *safe = NULL;
+    SEC_PKCS7ContentInfo *cinfo = NULL;
+    SECStatus rv = SECFailure;
+    SECItem *dest = NULL, *pwitem = NULL;
+    PRBool problem = PR_FALSE;
+    PRBool unencryptedCerts;
+    SECOidTag shroud_alg, safe_alg;
+
+    /* how should we encrypt certs ? */
+    unencryptedCerts = !SEC_PKCS12IsEncryptionAllowed();
+    if(!unencryptedCerts) {
+	safe_alg = SEC_PKCS12GetPreferredEncryptionAlgorithm();
+	if(safe_alg == SEC_OID_UNKNOWN) {
+	    safe_alg = SEC_PKCS12GetStrongestAllowedAlgorithm();
+	}
+	if(safe_alg == SEC_OID_UNKNOWN) {
+	    unencryptedCerts = PR_TRUE;
+	    /* for export where no encryption is allowed, we still need
+	     * to encrypt the NULL contents per the spec.  encrypted info
+	     * is known plaintext, so it shouldn't be a problem.
+	     */
+	    safe_alg = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
+	}
+    } else {
+	/* for export where no encryption is allowed, we still need
+	 * to encrypt the NULL contents per the spec.  encrypted info
+	 * is known plaintext, so it shouldn't be a problem.
+	 */
+	safe_alg = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
+    }
+
+    /* keys are always stored with triple DES */
+    shroud_alg = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC;
+
+    /* check for FIPS, if so, do not encrypt certs */
+    if(PK11_IsFIPS() && !unencryptedCerts) {
+	unencryptedCerts = PR_TRUE;
+    }
+
+    if((nicknames == NULL) || (pbef == NULL) || (ref_certs == NULL)) {
+	problem = PR_TRUE;
+	goto loser;
+    }
+
+
+    /* get password */
+    pwitem = (*pbef)(pbearg);
+    if(pwitem == NULL) {
+	problem = PR_TRUE;
+	goto loser;
+    }
+    nicks = sec_pkcs12_convert_nickname_list(nicknames);
+
+    /* get safe and baggage */
+    rv = sec_pkcs12_package_certs_and_keys(nicks, ref_certs, unencryptedCerts,
+    					   &safe, &baggage, shroud_keys,
+    					   shroud_alg, pwitem, unicodeFn, wincx);
+    if(rv == SECFailure) {
+	problem = PR_TRUE;
+    }
+
+    if((safe != NULL) && (problem == PR_FALSE)) {
+	/* copy thumbprints */
+	rv = sec_pkcs12_propagate_thumbprints(nicks, ref_certs, safe, baggage);
+
+	/* package everything up into AuthenticatedSafe */
+	cinfo = sec_pkcs12_get_auth_safe(safe, baggage, 
+					 safe_alg, pwitem, unicodeFn, wincx);
+
+	sec_pkcs12_destroy_cert_content_infos(safe, baggage);
+
+	/* get the pfx and mac it */
+	if(cinfo != NULL) {
+	    pfx = sec_pkcs12_get_pfx(cinfo, PR_TRUE, pwitem, unicodeFn);
+	    if(pfx != NULL) {
+		dest = sec_pkcs12_encode_pfx(pfx);
+		SEC_PKCS12DestroyPFX(pfx);
+	    }
+	    SEC_PKCS7DestroyContentInfo(cinfo);
+	}
+
+	if(safe != NULL) {
+	    PORT_FreeArena(safe->poolp, PR_TRUE);
+	}
+    } else {
+	if(safe != NULL) {
+	    PORT_FreeArena(safe->poolp, PR_TRUE);
+	}
+    }
+
+loser:
+    if(nicks != NULL) {
+	sec_pkcs12_destroy_nickname_list(nicks);
+    }
+
+    if(ref_certs != NULL) {
+	sec_pkcs12_destroy_certificate_list(ref_certs);
+    }
+
+    if(pwitem != NULL) {
+	SECITEM_ZfreeItem(pwitem, PR_TRUE);
+    }
+
+    if(problem == PR_TRUE) {
+	dest = NULL;
+    }
+
+    return dest;
+}
diff --git a/security/nss/lib/pkcs12/p12local.c b/security/nss/lib/pkcs12/p12local.c
new file mode 100644
index 000000000..ec7e4a76a
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12local.c
@@ -0,0 +1,1363 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "nssrenam.h"
+#include "pkcs12.h"
+#include "secpkcs7.h"
+#include "secasn1.h"
+#include "seccomon.h"
+#include "secoid.h"
+#include "sechash.h"
+#include "secitem.h"
+#include "secerr.h"
+#include "pk11func.h"
+#include "p12local.h"
+#include "alghmac.h"
+#include "p12.h"
+
+#define SALT_LENGTH	16
+
+SEC_ASN1_MKSUB(SECKEY_PrivateKeyInfoTemplate)
+SEC_ASN1_MKSUB(sgn_DigestInfoTemplate)
+
+CK_MECHANISM_TYPE
+sec_pkcs12_algtag_to_mech(SECOidTag algtag)
+{
+    switch (algtag) {
+    case SEC_OID_MD2:
+	return CKM_MD2_HMAC;
+    case SEC_OID_MD5:
+	return CKM_MD5_HMAC;
+    case SEC_OID_SHA1:
+	return CKM_SHA_1_HMAC;
+    default:
+	break;
+    }
+    return CKM_INVALID_MECHANISM;
+}
+
+/* helper functions */
+/* returns proper bag type template based upon object type tag */
+const SEC_ASN1Template *
+sec_pkcs12_choose_bag_type_old(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    SEC_PKCS12SafeBag *safebag;
+    SECOidData *oiddata;
+
+    if (src_or_dest == NULL) {
+	return NULL;
+    }
+
+    safebag = (SEC_PKCS12SafeBag*)src_or_dest;
+
+    oiddata = safebag->safeBagTypeTag;
+    if (oiddata == NULL) {
+	oiddata = SECOID_FindOID(&safebag->safeBagType);
+	safebag->safeBagTypeTag = oiddata;
+    }
+
+    switch (oiddata->offset) {
+	default:
+	    theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+	    break;
+	case SEC_OID_PKCS12_KEY_BAG_ID:
+	    theTemplate = SEC_PointerToPKCS12KeyBagTemplate;
+	    break;
+	case SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID:
+	    theTemplate = SEC_PointerToPKCS12CertAndCRLBagTemplate_OLD;
+	    break;
+        case SEC_OID_PKCS12_SECRET_BAG_ID:
+	    theTemplate = SEC_PointerToPKCS12SecretBagTemplate;
+	    break;
+    }
+    return theTemplate;
+}
+
+const SEC_ASN1Template *
+sec_pkcs12_choose_bag_type(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    SEC_PKCS12SafeBag *safebag;
+    SECOidData *oiddata;
+
+    if (src_or_dest == NULL) {
+	return NULL;
+    }
+
+    safebag = (SEC_PKCS12SafeBag*)src_or_dest;
+
+    oiddata = safebag->safeBagTypeTag;
+    if (oiddata == NULL) {
+	oiddata = SECOID_FindOID(&safebag->safeBagType);
+	safebag->safeBagTypeTag = oiddata;
+    }
+
+    switch (oiddata->offset) {
+	default:
+	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
+	    break;
+	case SEC_OID_PKCS12_KEY_BAG_ID:
+	    theTemplate = SEC_PKCS12PrivateKeyBagTemplate;
+	    break;
+	case SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID:
+	    theTemplate = SEC_PKCS12CertAndCRLBagTemplate;
+	    break;
+        case SEC_OID_PKCS12_SECRET_BAG_ID:
+	    theTemplate = SEC_PKCS12SecretBagTemplate;
+	    break;
+    }
+    return theTemplate;
+}
+
+/* returns proper cert crl template based upon type tag */
+const SEC_ASN1Template *
+sec_pkcs12_choose_cert_crl_type_old(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    SEC_PKCS12CertAndCRL *certbag;
+    SECOidData *oiddata;
+
+    if (src_or_dest == NULL) {
+	return NULL;
+    }
+
+    certbag = (SEC_PKCS12CertAndCRL*)src_or_dest;
+    oiddata = certbag->BagTypeTag;
+    if (oiddata == NULL) {
+	oiddata = SECOID_FindOID(&certbag->BagID);
+	certbag->BagTypeTag = oiddata;
+    }
+
+    switch (oiddata->offset) {
+	default:
+	    theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+	    break;
+	case SEC_OID_PKCS12_X509_CERT_CRL_BAG:
+	    theTemplate = SEC_PointerToPKCS12X509CertCRLTemplate_OLD;
+	    break;
+	case SEC_OID_PKCS12_SDSI_CERT_BAG:
+	    theTemplate = SEC_PointerToPKCS12SDSICertTemplate;
+	    break;
+    }
+    return theTemplate;
+}
+
+const SEC_ASN1Template *
+sec_pkcs12_choose_cert_crl_type(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    SEC_PKCS12CertAndCRL *certbag;
+    SECOidData *oiddata;
+
+    if (src_or_dest == NULL) {
+	return NULL;
+    }
+
+    certbag = (SEC_PKCS12CertAndCRL*)src_or_dest;
+    oiddata = certbag->BagTypeTag;
+    if (oiddata == NULL) {
+	oiddata = SECOID_FindOID(&certbag->BagID);
+	certbag->BagTypeTag = oiddata;
+    }
+
+    switch (oiddata->offset) {
+	default:
+	    theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+	    break;
+	case SEC_OID_PKCS12_X509_CERT_CRL_BAG:
+	    theTemplate = SEC_PointerToPKCS12X509CertCRLTemplate;
+	    break;
+	case SEC_OID_PKCS12_SDSI_CERT_BAG:
+	    theTemplate = SEC_PointerToPKCS12SDSICertTemplate;
+	    break;
+    }
+    return theTemplate;
+}
+
+/* returns appropriate shroud template based on object type tag */
+const SEC_ASN1Template *
+sec_pkcs12_choose_shroud_type(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    SEC_PKCS12ESPVKItem *espvk;
+    SECOidData *oiddata;
+
+    if (src_or_dest == NULL) {
+	return NULL;
+    }
+
+    espvk = (SEC_PKCS12ESPVKItem*)src_or_dest;
+    oiddata = espvk->espvkTag;
+    if (oiddata == NULL) {
+	oiddata = SECOID_FindOID(&espvk->espvkOID);
+ 	espvk->espvkTag = oiddata;
+    }
+
+    switch (oiddata->offset) {
+	default:
+	    theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+	    break;
+	case SEC_OID_PKCS12_PKCS8_KEY_SHROUDING:
+	   theTemplate = 
+		SEC_ASN1_GET(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate);
+	    break;
+    }
+    return theTemplate;
+}
+
+/* generate SALT  placing it into the character array passed in.
+ * it is assumed that salt_dest is an array of appropriate size
+ * XXX We might want to generate our own random context
+ */
+SECItem *
+sec_pkcs12_generate_salt(void)
+{
+    SECItem *salt;
+
+    salt = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    if(salt == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+    salt->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) * 
+					      SALT_LENGTH);
+    salt->len = SALT_LENGTH;
+    if(salt->data == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	SECITEM_ZfreeItem(salt, PR_TRUE);
+	return NULL;
+    }
+
+    PK11_GenerateRandom(salt->data, salt->len);
+
+    return salt;
+}
+
+/* generate KEYS -- as per PKCS12 section 7.  
+ * only used for MAC
+ */
+SECItem *
+sec_pkcs12_generate_key_from_password(SECOidTag algorithm, 
+				      SECItem *salt, 
+				      SECItem *password) 
+{
+    unsigned char *pre_hash=NULL;
+    unsigned char *hash_dest=NULL;
+    SECStatus res;
+    PRArenaPool *poolp;
+    SECItem *key = NULL;
+    int key_len = 0;
+
+    if((salt == NULL) || (password == NULL)) {
+	return NULL;
+    }
+
+    poolp = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if(poolp == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    pre_hash = (unsigned char *)PORT_ArenaZAlloc(poolp, sizeof(char) * 
+						 (salt->len+password->len));
+    if(pre_hash == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    hash_dest = (unsigned char *)PORT_ArenaZAlloc(poolp, 
+					sizeof(unsigned char) * SHA1_LENGTH);
+    if(hash_dest == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    PORT_Memcpy(pre_hash, salt->data, salt->len);
+    /* handle password of 0 length case */
+    if(password->len > 0) {
+	PORT_Memcpy(&(pre_hash[salt->len]), password->data, password->len);
+    }
+
+    res = PK11_HashBuf(SEC_OID_SHA1, hash_dest, pre_hash, 
+                       (salt->len+password->len));
+    if(res == SECFailure) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    switch(algorithm) {
+	case SEC_OID_SHA1:
+	    if(key_len == 0)
+		key_len = 16;
+	    key = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+	    if(key == NULL) {
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		goto loser;
+	    }
+	    key->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) 
+						     * key_len);
+	    if(key->data == NULL) {
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		goto loser;
+	    }
+	    key->len = key_len;
+	    PORT_Memcpy(key->data, &hash_dest[SHA1_LENGTH-key->len], key->len);
+	    break;
+	default:
+	    goto loser;
+	    break;
+    }
+
+    PORT_FreeArena(poolp, PR_TRUE);
+    return key;
+
+loser:
+    PORT_FreeArena(poolp, PR_TRUE);
+    if(key != NULL) {
+	SECITEM_ZfreeItem(key, PR_TRUE);
+    }
+    return NULL;
+}
+
+/* MAC is generated per PKCS 12 section 6.  It is expected that key, msg
+ * and mac_dest are pre allocated, non-NULL arrays.  msg_len is passed in
+ * because it is not known how long the message actually is.  String
+ * manipulation routines will not necessarily work because msg may have
+ * imbedded NULLs
+ */
+static SECItem *
+sec_pkcs12_generate_old_mac(SECItem *key, 
+			    SECItem *msg)
+{
+    SECStatus res;
+    PRArenaPool *temparena = NULL;
+    unsigned char *hash_dest=NULL, *hash_src1=NULL, *hash_src2 = NULL;
+    int i;
+    SECItem *mac = NULL;
+
+    if((key == NULL) || (msg == NULL))
+        goto loser;
+
+    /* allocate return item */
+    mac = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    if(mac == NULL)
+    	return NULL;
+    mac->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char)
+    	* SHA1_LENGTH);
+    mac->len = SHA1_LENGTH;
+    if(mac->data == NULL)
+	goto loser;
+
+    /* allocate temporary items */
+    temparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if(temparena == NULL)
+	goto loser;
+
+    hash_src1 = (unsigned char *)PORT_ArenaZAlloc(temparena,
+    	sizeof(unsigned char) * (16+msg->len));
+    if(hash_src1 == NULL)
+        goto loser;
+
+    hash_src2 = (unsigned char *)PORT_ArenaZAlloc(temparena,
+   	sizeof(unsigned char) * (SHA1_LENGTH+16));
+    if(hash_src2 == NULL)
+        goto loser;
+
+    hash_dest = (unsigned char *)PORT_ArenaZAlloc(temparena, 
+   	sizeof(unsigned char) * SHA1_LENGTH);
+    if(hash_dest == NULL)
+        goto loser;
+
+    /* perform mac'ing as per PKCS 12 */
+
+    /* first round of hashing */
+    for(i = 0; i < 16; i++)
+	hash_src1[i] = key->data[i] ^ 0x36;
+    PORT_Memcpy(&(hash_src1[16]), msg->data, msg->len);
+    res = PK11_HashBuf(SEC_OID_SHA1, hash_dest, hash_src1, (16+msg->len));
+    if(res == SECFailure)
+	goto loser;
+
+    /* second round of hashing */
+    for(i = 0; i < 16; i++)
+	hash_src2[i] = key->data[i] ^ 0x5c;
+    PORT_Memcpy(&(hash_src2[16]), hash_dest, SHA1_LENGTH);
+    res = PK11_HashBuf(SEC_OID_SHA1, mac->data, hash_src2, SHA1_LENGTH+16);
+    if(res == SECFailure)
+	goto loser;
+
+    PORT_FreeArena(temparena, PR_TRUE);
+    return mac;
+
+loser:
+    if(temparena != NULL)
+	PORT_FreeArena(temparena, PR_TRUE);
+    if(mac != NULL)
+	SECITEM_ZfreeItem(mac, PR_TRUE);
+    return NULL;
+}
+
+/* MAC is generated per PKCS 12 section 6.  It is expected that key, msg
+ * and mac_dest are pre allocated, non-NULL arrays.  msg_len is passed in
+ * because it is not known how long the message actually is.  String
+ * manipulation routines will not necessarily work because msg may have
+ * imbedded NULLs
+ */
+SECItem *
+sec_pkcs12_generate_mac(SECItem *key, 
+			SECItem *msg,
+			PRBool old_method)
+{
+    SECStatus res = SECFailure;
+    SECItem *mac = NULL;
+    PK11Context *pk11cx = NULL;    
+    SECItem ignore = {0};
+
+    if((key == NULL) || (msg == NULL)) {
+	return NULL;
+    }
+
+    if(old_method == PR_TRUE) {
+	return sec_pkcs12_generate_old_mac(key, msg);
+    }
+
+    /* allocate return item */
+    mac = SECITEM_AllocItem(NULL, NULL, SHA1_LENGTH);
+    if (mac == NULL) {
+	return NULL;
+    }
+
+    pk11cx = PK11_CreateContextByRawKey(NULL, CKM_SHA_1_HMAC, PK11_OriginDerive,
+                                        CKA_SIGN, key, &ignore, NULL);
+    if (pk11cx == NULL) {
+	goto loser;
+    }
+
+    res = PK11_DigestBegin(pk11cx);
+    if (res == SECFailure) {
+	goto loser;
+    }
+
+    res = PK11_DigestOp(pk11cx, msg->data, msg->len);
+    if (res == SECFailure) {
+	goto loser;
+    }
+
+    res = PK11_DigestFinal(pk11cx, mac->data, &mac->len, SHA1_LENGTH);
+    if (res == SECFailure) {
+	goto loser;
+    }
+
+    PK11_DestroyContext(pk11cx, PR_TRUE);
+    pk11cx = NULL;
+
+loser:
+
+    if(res != SECSuccess) {
+	SECITEM_ZfreeItem(mac, PR_TRUE);
+	mac = NULL;
+	if (pk11cx) {
+	    PK11_DestroyContext(pk11cx, PR_TRUE);
+	}
+    }
+
+    return mac;
+}
+
+/* compute the thumbprint of the DER cert and create a digest info
+ * to store it in and return the digest info.
+ * a return of NULL indicates an error.
+ */
+SGNDigestInfo *
+sec_pkcs12_compute_thumbprint(SECItem *der_cert)
+{
+    SGNDigestInfo *thumb = NULL;
+    SECItem digest;
+    PRArenaPool *temparena = NULL;
+    SECStatus rv = SECFailure;
+
+    if(der_cert == NULL)
+	return NULL;
+
+    temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if(temparena == NULL) {
+	return NULL;
+    }
+
+    digest.data = (unsigned char *)PORT_ArenaZAlloc(temparena,
+						    sizeof(unsigned char) * 
+						    SHA1_LENGTH);
+    /* digest data and create digest info */
+    if(digest.data != NULL) {
+	digest.len = SHA1_LENGTH;
+	rv = PK11_HashBuf(SEC_OID_SHA1, digest.data, der_cert->data, 
+	                  der_cert->len);
+	if(rv == SECSuccess) {
+	    thumb = SGN_CreateDigestInfo(SEC_OID_SHA1, 
+					 digest.data, 
+					 digest.len);
+	} else {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	}
+    } else {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+    }
+
+    PORT_FreeArena(temparena, PR_TRUE);
+
+    return thumb;
+}
+
+/* create a virtual password per PKCS 12, the password is converted
+ * to unicode, the salt is prepended to it, and then the whole thing
+ * is returned */
+SECItem *
+sec_pkcs12_create_virtual_password(SECItem *password, SECItem *salt,
+				   PRBool swap)
+{
+    SECItem uniPwd = {siBuffer, NULL,0}, *retPwd = NULL;
+
+    if((password == NULL) || (salt == NULL)) {
+	return NULL;
+    }
+
+    if(password->len == 0) {
+	uniPwd.data = (unsigned char*)PORT_ZAlloc(2);
+	uniPwd.len = 2;
+	if(!uniPwd.data) {
+	    return NULL;
+	}
+    } else {
+	uniPwd.data = (unsigned char*)PORT_ZAlloc(password->len * 3);
+	uniPwd.len = password->len * 3;
+	if(!PORT_UCS2_ASCIIConversion(PR_TRUE, password->data, password->len,
+				uniPwd.data, uniPwd.len, &uniPwd.len, swap)) {
+	    SECITEM_ZfreeItem(&uniPwd, PR_FALSE);
+	    return NULL;
+	}
+    }
+
+    retPwd = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    if(retPwd == NULL) {
+	goto loser;
+    }
+
+    /* allocate space and copy proper data */
+    retPwd->len = uniPwd.len + salt->len;
+    retPwd->data = (unsigned char *)PORT_Alloc(retPwd->len);
+    if(retPwd->data == NULL) {
+	PORT_Free(retPwd);
+	goto loser;
+    }
+
+    PORT_Memcpy(retPwd->data, salt->data, salt->len);
+    PORT_Memcpy((retPwd->data + salt->len), uniPwd.data, uniPwd.len);
+
+    SECITEM_ZfreeItem(&uniPwd, PR_FALSE);
+
+    return retPwd;
+
+loser:
+    PORT_SetError(SEC_ERROR_NO_MEMORY);
+    SECITEM_ZfreeItem(&uniPwd, PR_FALSE);
+    return NULL;
+}
+
+/* appends a shrouded key to a key bag.  this is used for exporting
+ * to store externally wrapped keys.  it is used when importing to convert
+ * old items to new
+ */
+SECStatus 
+sec_pkcs12_append_shrouded_key(SEC_PKCS12BaggageItem *bag,
+				SEC_PKCS12ESPVKItem *espvk)
+{
+    int size;
+    void *mark = NULL, *dummy = NULL;
+
+    if((bag == NULL) || (espvk == NULL))
+	return SECFailure;
+
+    mark = PORT_ArenaMark(bag->poolp);
+
+    /* grow the list */
+    size = (bag->nEspvks + 1) * sizeof(SEC_PKCS12ESPVKItem *);
+    dummy = (SEC_PKCS12ESPVKItem **)PORT_ArenaGrow(bag->poolp,
+	    				bag->espvks, size, 
+	    				size + sizeof(SEC_PKCS12ESPVKItem *));
+    bag->espvks = (SEC_PKCS12ESPVKItem**)dummy;
+    if(dummy == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    bag->espvks[bag->nEspvks] = espvk;
+    bag->nEspvks++;
+    bag->espvks[bag->nEspvks] = NULL;
+
+    PORT_ArenaUnmark(bag->poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease(bag->poolp, mark);
+    return SECFailure;
+}
+
+/* search a certificate list for a nickname, a thumbprint, or both
+ * within a certificate bag.  if the certificate could not be
+ * found or an error occurs, NULL is returned;
+ */
+static SEC_PKCS12CertAndCRL *
+sec_pkcs12_find_cert_in_certbag(SEC_PKCS12CertAndCRLBag *certbag,
+				SECItem *nickname, SGNDigestInfo *thumbprint)
+{
+    PRBool search_both = PR_FALSE, search_nickname = PR_FALSE;
+    int i, j;
+
+    if((certbag == NULL) || ((nickname == NULL) && (thumbprint == NULL))) {
+	return NULL;
+    }
+
+    if(thumbprint && nickname) {
+	search_both = PR_TRUE;
+    }
+
+    if(nickname) {
+	search_nickname = PR_TRUE;
+    }
+
+search_again:  
+    i = 0;
+    while(certbag->certAndCRLs[i] != NULL) {
+	SEC_PKCS12CertAndCRL *cert = certbag->certAndCRLs[i];
+
+	if(SECOID_FindOIDTag(&cert->BagID) == SEC_OID_PKCS12_X509_CERT_CRL_BAG) {
+
+	    /* check nicknames */
+	    if(search_nickname) {
+		if(SECITEM_CompareItem(nickname, &cert->nickname) == SECEqual) {
+		    return cert;
+		}
+	    } else {
+	    /* check thumbprints */
+		SECItem **derCertList;
+
+		/* get pointer to certificate list, does not need to
+		 * be freed since it is within the arena which will
+		 * be freed later.
+		 */
+		derCertList = SEC_PKCS7GetCertificateList(&cert->value.x509->certOrCRL);
+		j = 0;
+		if(derCertList != NULL) {
+		    while(derCertList[j] != NULL) {
+			SECComparison eq;
+			SGNDigestInfo *di;
+			di = sec_pkcs12_compute_thumbprint(derCertList[j]);
+			if(di) {
+			    eq = SGN_CompareDigestInfo(thumbprint, di);
+			    SGN_DestroyDigestInfo(di);
+			    if(eq == SECEqual) {
+				/* copy the derCert for later reference */
+				cert->value.x509->derLeafCert = derCertList[j];
+				return cert;
+			    }
+			} else {
+			    /* an error occurred */
+			    return NULL;
+			}
+			j++;
+		    }
+		}
+	    }
+	}
+
+	i++;
+    }
+
+    if(search_both) {
+	search_both = PR_FALSE;
+	search_nickname = PR_FALSE;
+	goto search_again;
+    }
+
+    return NULL;
+}
+
+/* search a key list for a nickname, a thumbprint, or both
+ * within a key bag.  if the key could not be
+ * found or an error occurs, NULL is returned;
+ */
+static SEC_PKCS12PrivateKey *
+sec_pkcs12_find_key_in_keybag(SEC_PKCS12PrivateKeyBag *keybag,
+			      SECItem *nickname, SGNDigestInfo *thumbprint)
+{
+    PRBool search_both = PR_FALSE, search_nickname = PR_FALSE;
+    int i, j;
+
+    if((keybag == NULL) || ((nickname == NULL) && (thumbprint == NULL))) {
+	return NULL;
+    }
+
+    if(keybag->privateKeys == NULL) {
+	return NULL;
+    }
+
+    if(thumbprint && nickname) {
+	search_both = PR_TRUE;
+    }
+
+    if(nickname) {
+	search_nickname = PR_TRUE;
+    }
+
+search_again:  
+    i = 0;
+    while(keybag->privateKeys[i] != NULL) {
+	SEC_PKCS12PrivateKey *key = keybag->privateKeys[i];
+
+	/* check nicknames */
+	if(search_nickname) {
+	    if(SECITEM_CompareItem(nickname, &key->pvkData.nickname) == SECEqual) {
+		return key;
+	    }
+	} else {
+	    /* check digests */
+	    SGNDigestInfo **assocCerts = key->pvkData.assocCerts;
+	    if((assocCerts == NULL) || (assocCerts[0] == NULL)) {
+		return NULL;
+	    }
+
+	    j = 0;
+	    while(assocCerts[j] != NULL) {
+		SECComparison eq;
+		eq = SGN_CompareDigestInfo(thumbprint, assocCerts[j]);
+		if(eq == SECEqual) {
+		    return key;
+		}
+		j++;
+	    }
+	}
+	i++;
+    }
+
+    if(search_both) {
+	search_both = PR_FALSE;
+	search_nickname = PR_FALSE;
+	goto search_again;
+    }
+
+    return NULL;
+}
+
+/* seach the safe first then try the baggage bag 
+ *  safe and bag contain certs and keys to search
+ *  objType is the object type to look for
+ *  bagType is the type of bag that was found by sec_pkcs12_find_object
+ *  index is the entity in safe->safeContents or bag->unencSecrets which
+ *    is being searched
+ *  nickname and thumbprint are the search criteria
+ * 
+ * a return of null indicates no match
+ */
+static void *
+sec_pkcs12_try_find(SEC_PKCS12SafeContents *safe,
+		  SEC_PKCS12BaggageItem *bag,
+		  SECOidTag objType, SECOidTag bagType, int index,
+		  SECItem *nickname, SGNDigestInfo *thumbprint)
+{
+    PRBool searchSafe;
+    int i = index;
+
+    if((safe == NULL) && (bag == NULL)) {
+	return NULL;
+    }
+
+    searchSafe = (safe == NULL ? PR_FALSE : PR_TRUE);
+    switch(objType) {
+	case SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID:
+	    if(objType == bagType) {
+		SEC_PKCS12CertAndCRLBag *certBag;
+
+		if(searchSafe) {
+		    certBag = safe->contents[i]->safeContent.certAndCRLBag;
+		} else {
+		    certBag = bag->unencSecrets[i]->safeContent.certAndCRLBag;
+		}
+		return sec_pkcs12_find_cert_in_certbag(certBag, nickname, 
+							thumbprint);
+	    }
+	    break;
+	case SEC_OID_PKCS12_KEY_BAG_ID:
+	    if(objType == bagType) {
+		SEC_PKCS12PrivateKeyBag *keyBag;
+
+		if(searchSafe) {
+		    keyBag = safe->contents[i]->safeContent.keyBag;
+		} else {
+		    keyBag = bag->unencSecrets[i]->safeContent.keyBag;
+		}
+		return sec_pkcs12_find_key_in_keybag(keyBag, nickname, 
+							 thumbprint);
+	    }
+	    break;
+	default:
+	    break;
+    }
+
+    return NULL;
+}
+
+/* searches both the baggage and the safe areas looking for
+ * object of specified type matching either the nickname or the 
+ * thumbprint specified.
+ *
+ * safe and baggage store certs and keys
+ * objType is the OID for the bag type to be searched:
+ *   SEC_OID_PKCS12_KEY_BAG_ID, or 
+ *   SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID
+ * nickname and thumbprint are the search criteria
+ * 
+ * if no match found, NULL returned and error set
+ */
+void *
+sec_pkcs12_find_object(SEC_PKCS12SafeContents *safe,
+			SEC_PKCS12Baggage *baggage,
+			SECOidTag objType,
+			SECItem *nickname,
+			SGNDigestInfo *thumbprint)
+{
+    int i, j;
+    void *retItem;
+   
+    if(((safe == NULL) && (thumbprint == NULL)) ||
+       ((nickname == NULL) && (thumbprint == NULL))) {
+	return NULL;
+    }    
+
+    i = 0;
+    if((safe != NULL) && (safe->contents != NULL)) {
+	while(safe->contents[i] != NULL) {
+	    SECOidTag bagType = SECOID_FindOIDTag(&safe->contents[i]->safeBagType);
+	    retItem = sec_pkcs12_try_find(safe, NULL, objType, bagType, i,
+	    				  nickname, thumbprint);
+	    if(retItem != NULL) {
+		return retItem;
+	    }
+	    i++;
+	}
+    }
+
+    if((baggage != NULL) && (baggage->bags != NULL)) {
+	i = 0;
+	while(baggage->bags[i] != NULL) {
+	    SEC_PKCS12BaggageItem *xbag = baggage->bags[i];
+	    j = 0;
+	    if(xbag->unencSecrets != NULL) {
+		while(xbag->unencSecrets[j] != NULL) {
+		    SECOidTag bagType;
+		    bagType = SECOID_FindOIDTag(&xbag->unencSecrets[j]->safeBagType);
+		    retItem = sec_pkcs12_try_find(NULL, xbag, objType, bagType,
+		    				  j, nickname, thumbprint);
+		    if(retItem != NULL) {
+			return retItem;
+		    }
+		    j++;
+		}
+	    }
+	    i++;
+	}
+    }
+
+    PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME);
+    return NULL;
+}
+
+/* this function converts a password to unicode and encures that the 
+ * required double 0 byte be placed at the end of the string
+ */
+PRBool
+sec_pkcs12_convert_item_to_unicode(PRArenaPool *arena, SECItem *dest,
+				   SECItem *src, PRBool zeroTerm,
+				   PRBool asciiConvert, PRBool toUnicode)
+{
+    PRBool success = PR_FALSE;
+    if(!src || !dest) {
+	return PR_FALSE;
+    }
+
+    dest->len = src->len * 3 + 2;
+    if(arena) {
+	dest->data = (unsigned char*)PORT_ArenaZAlloc(arena, dest->len);
+    } else {
+	dest->data = (unsigned char*)PORT_ZAlloc(dest->len);
+    }
+
+    if(!dest->data) {
+	dest->len = 0;
+	return PR_FALSE;
+    }
+
+    if(!asciiConvert) {
+	success = PORT_UCS2_UTF8Conversion(toUnicode, src->data, src->len, dest->data,
+					   dest->len, &dest->len);
+    } else {
+#ifndef IS_LITTLE_ENDIAN
+	PRBool swapUnicode = PR_FALSE;
+#else
+	PRBool swapUnicode = PR_TRUE;
+#endif
+	success = PORT_UCS2_ASCIIConversion(toUnicode, src->data, src->len, dest->data,
+					    dest->len, &dest->len, swapUnicode);
+    }
+
+    if(!success) {
+	if(!arena) {
+	    PORT_Free(dest->data);
+	    dest->data = NULL;
+	    dest->len = 0;
+	}
+	return PR_FALSE;
+    }
+
+    if((dest->data[dest->len-1] || dest->data[dest->len-2]) && zeroTerm) {
+	if(dest->len + 2 > 3 * src->len) {
+	    if(arena) {
+		dest->data = (unsigned char*)PORT_ArenaGrow(arena, 
+						     dest->data, dest->len,
+						     dest->len + 2);
+	    } else {
+		dest->data = (unsigned char*)PORT_Realloc(dest->data, 
+							  dest->len + 2);
+	    }
+
+	    if(!dest->data) {
+		return PR_FALSE;
+	    }
+	}
+	dest->len += 2;
+	dest->data[dest->len-1] = dest->data[dest->len-2] = 0;
+    }
+
+    return PR_TRUE;
+}
+
+/* pkcs 12 templates */
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_shroud_chooser =
+    sec_pkcs12_choose_shroud_type;
+
+const SEC_ASN1Template SEC_PKCS12CodedSafeBagTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12SafeBag) },
+    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12SafeBag, safeBagType) },
+    { SEC_ASN1_ANY, offsetof(SEC_PKCS12SafeBag, derSafeContent) },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12CodedCertBagTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12CertAndCRL) },
+    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12CertAndCRL, BagID) },
+    { SEC_ASN1_ANY, offsetof(SEC_PKCS12CertAndCRL, derValue) },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12CodedCertAndCRLBagTemplate[] =
+{
+    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12CertAndCRLBag, certAndCRLs),
+	SEC_PKCS12CodedCertBagTemplate },
+};
+
+const SEC_ASN1Template SEC_PKCS12ESPVKItemTemplate_OLD[] = 
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12ESPVKItem) },
+    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12ESPVKItem, espvkOID) },
+    { SEC_ASN1_INLINE, offsetof(SEC_PKCS12ESPVKItem, espvkData),
+	SEC_PKCS12PVKSupportingDataTemplate_OLD },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+	SEC_ASN1_DYNAMIC | 0, offsetof(SEC_PKCS12ESPVKItem, espvkCipherText),
+	&sec_pkcs12_shroud_chooser },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12ESPVKItemTemplate[] = 
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12ESPVKItem) },
+    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12ESPVKItem, espvkOID) },
+    { SEC_ASN1_INLINE, offsetof(SEC_PKCS12ESPVKItem, espvkData),
+	SEC_PKCS12PVKSupportingDataTemplate },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+	SEC_ASN1_DYNAMIC | 0, offsetof(SEC_PKCS12ESPVKItem, espvkCipherText),
+	&sec_pkcs12_shroud_chooser },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12PVKAdditionalDataTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PVKAdditionalData) },
+    { SEC_ASN1_OBJECT_ID, 
+	offsetof(SEC_PKCS12PVKAdditionalData, pvkAdditionalType) },
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(SEC_PKCS12PVKAdditionalData, pvkAdditionalContent) },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12PVKSupportingDataTemplate_OLD[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PVKSupportingData) },
+    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN , 
+        offsetof(SEC_PKCS12PVKSupportingData, assocCerts),
+	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, 
+	offsetof(SEC_PKCS12PVKSupportingData, regenerable) },
+    { SEC_ASN1_PRINTABLE_STRING, 
+	offsetof(SEC_PKCS12PVKSupportingData, nickname) },
+    { SEC_ASN1_ANY | SEC_ASN1_OPTIONAL,
+	offsetof(SEC_PKCS12PVKSupportingData, pvkAdditionalDER) },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12PVKSupportingDataTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PVKSupportingData) },
+    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN , 
+        offsetof(SEC_PKCS12PVKSupportingData, assocCerts),
+	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_BOOLEAN, 
+	offsetof(SEC_PKCS12PVKSupportingData, regenerable) },
+    { SEC_ASN1_BMP_STRING, 
+	offsetof(SEC_PKCS12PVKSupportingData, uniNickName) },
+    { SEC_ASN1_ANY | SEC_ASN1_OPTIONAL,
+	offsetof(SEC_PKCS12PVKSupportingData, pvkAdditionalDER) },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12BaggageItemTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12BaggageItem) },
+    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12BaggageItem, espvks),
+	SEC_PKCS12ESPVKItemTemplate },
+    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12BaggageItem, unencSecrets),
+	SEC_PKCS12SafeBagTemplate },
+    /*{ SEC_ASN1_SET_OF, offsetof(SEC_PKCS12BaggageItem, unencSecrets),
+	SEC_PKCS12CodedSafeBagTemplate }, */
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12BaggageTemplate[] =
+{
+    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12Baggage, bags),
+	SEC_PKCS12BaggageItemTemplate },
+};
+
+const SEC_ASN1Template SEC_PKCS12BaggageTemplate_OLD[] =
+{
+    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12Baggage_OLD, espvks),
+	SEC_PKCS12ESPVKItemTemplate_OLD },
+};
+
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_bag_chooser =
+	sec_pkcs12_choose_bag_type;
+
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_bag_chooser_old =
+	sec_pkcs12_choose_bag_type_old;
+
+const SEC_ASN1Template SEC_PKCS12SafeBagTemplate_OLD[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12SafeBag) },
+    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12SafeBag, safeBagType) },
+    { SEC_ASN1_DYNAMIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
+	SEC_ASN1_CONTEXT_SPECIFIC | 0,
+        offsetof(SEC_PKCS12SafeBag, safeContent),
+	&sec_pkcs12_bag_chooser_old },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12SafeBagTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12SafeBag) },
+    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12SafeBag, safeBagType) },
+    { SEC_ASN1_DYNAMIC | SEC_ASN1_POINTER,
+        offsetof(SEC_PKCS12SafeBag, safeContent),
+	&sec_pkcs12_bag_chooser },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_BMP_STRING,
+	offsetof(SEC_PKCS12SafeBag, uniSafeBagName) },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12SafeContentsTemplate_OLD[] =
+{
+    { SEC_ASN1_SET_OF,
+	offsetof(SEC_PKCS12SafeContents, contents),
+	SEC_PKCS12SafeBagTemplate_OLD }
+};
+
+const SEC_ASN1Template SEC_PKCS12SafeContentsTemplate[] =
+{
+    { SEC_ASN1_SET_OF,
+	offsetof(SEC_PKCS12SafeContents, contents),
+	SEC_PKCS12SafeBagTemplate }  /* here */
+};
+
+const SEC_ASN1Template SEC_PKCS12PrivateKeyTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PrivateKey) },
+    { SEC_ASN1_INLINE, offsetof(SEC_PKCS12PrivateKey, pvkData),
+	SEC_PKCS12PVKSupportingDataTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN, 
+        offsetof(SEC_PKCS12PrivateKey, pkcs8data),
+	SEC_ASN1_SUB(SECKEY_PrivateKeyInfoTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12PrivateKeyBagTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PrivateKeyBag) },
+    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12PrivateKeyBag, privateKeys),
+	SEC_PKCS12PrivateKeyTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12X509CertCRLTemplate_OLD[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12X509CertCRL) },
+    { SEC_ASN1_INLINE, offsetof(SEC_PKCS12X509CertCRL, certOrCRL),
+	sec_PKCS7ContentInfoTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN , 
+        offsetof(SEC_PKCS12X509CertCRL, thumbprint),
+	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12X509CertCRLTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12X509CertCRL) },
+    { SEC_ASN1_INLINE, offsetof(SEC_PKCS12X509CertCRL, certOrCRL),
+	sec_PKCS7ContentInfoTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12SDSICertTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12X509CertCRL) },
+    { SEC_ASN1_IA5_STRING, offsetof(SEC_PKCS12SDSICert, value) },
+    { 0 }
+};
+
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_cert_crl_chooser_old =
+	sec_pkcs12_choose_cert_crl_type_old;
+
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_cert_crl_chooser =
+	sec_pkcs12_choose_cert_crl_type;
+
+const SEC_ASN1Template SEC_PKCS12CertAndCRLTemplate_OLD[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12CertAndCRL) },
+    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12CertAndCRL, BagID) },
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_EXPLICIT |
+	SEC_ASN1_DYNAMIC | SEC_ASN1_CONSTRUCTED | 0,
+	offsetof(SEC_PKCS12CertAndCRL, value),
+	&sec_pkcs12_cert_crl_chooser_old },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12CertAndCRLTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12CertAndCRL) },
+    { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12CertAndCRL, BagID) },
+    { SEC_ASN1_DYNAMIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
+	SEC_ASN1_CONTEXT_SPECIFIC | 0, 
+	offsetof(SEC_PKCS12CertAndCRL, value),
+	&sec_pkcs12_cert_crl_chooser },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12CertAndCRLBagTemplate[] =
+{
+    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12CertAndCRLBag, certAndCRLs),
+	SEC_PKCS12CertAndCRLTemplate },
+};
+
+const SEC_ASN1Template SEC_PKCS12CertAndCRLBagTemplate_OLD[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12CertAndCRLBag) },
+    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12CertAndCRLBag, certAndCRLs),
+	SEC_PKCS12CertAndCRLTemplate_OLD },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12SecretAdditionalTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12SecretAdditional) },
+    { SEC_ASN1_OBJECT_ID,
+	offsetof(SEC_PKCS12SecretAdditional, secretAdditionalType) },
+    { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_EXPLICIT,
+	offsetof(SEC_PKCS12SecretAdditional, secretAdditionalContent) },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12SecretTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12Secret) },
+    { SEC_ASN1_BMP_STRING, offsetof(SEC_PKCS12Secret, uniSecretName) },
+    { SEC_ASN1_ANY, offsetof(SEC_PKCS12Secret, value) },
+    { SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL,
+	offsetof(SEC_PKCS12Secret, secretAdditional),
+	SEC_PKCS12SecretAdditionalTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12SecretItemTemplate[] = 
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12Secret) },
+    { SEC_ASN1_INLINE | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(SEC_PKCS12SecretItem, secret), SEC_PKCS12SecretTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	offsetof(SEC_PKCS12SecretItem, subFolder), SEC_PKCS12SafeBagTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12SecretBagTemplate[] =
+{
+    { SEC_ASN1_SET_OF, offsetof(SEC_PKCS12SecretBag, secrets),
+	SEC_PKCS12SecretItemTemplate },
+};
+
+const SEC_ASN1Template SEC_PKCS12MacDataTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PFXItem) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN , offsetof(SEC_PKCS12MacData, safeMac),
+	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
+    { SEC_ASN1_BIT_STRING, offsetof(SEC_PKCS12MacData, macSalt) },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12PFXItemTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PFXItem) },
+    { SEC_ASN1_OPTIONAL |
+	SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
+	offsetof(SEC_PKCS12PFXItem, macData), SEC_PKCS12MacDataTemplate },
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, 
+	offsetof(SEC_PKCS12PFXItem, authSafe), 
+	sec_PKCS7ContentInfoTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12PFXItemTemplate_OLD[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12PFXItem) },
+    { SEC_ASN1_OPTIONAL |
+	SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, 
+	offsetof(SEC_PKCS12PFXItem, old_safeMac), 
+	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_BIT_STRING,
+	offsetof(SEC_PKCS12PFXItem, old_macSalt) },
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, 
+	offsetof(SEC_PKCS12PFXItem, authSafe), 
+	sec_PKCS7ContentInfoTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12AuthenticatedSafeTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12AuthenticatedSafe) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER, 
+	offsetof(SEC_PKCS12AuthenticatedSafe, version) }, 
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_OBJECT_ID,
+	offsetof(SEC_PKCS12AuthenticatedSafe, transportMode) },
+    { SEC_ASN1_BIT_STRING | SEC_ASN1_OPTIONAL,
+	offsetof(SEC_PKCS12AuthenticatedSafe, privacySalt) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_SET_OF, 
+	offsetof(SEC_PKCS12AuthenticatedSafe, baggage.bags), 
+	SEC_PKCS12BaggageItemTemplate },
+    { SEC_ASN1_POINTER,
+	offsetof(SEC_PKCS12AuthenticatedSafe, safe),
+	sec_PKCS7ContentInfoTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PKCS12AuthenticatedSafeTemplate_OLD[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12AuthenticatedSafe) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER, 
+	offsetof(SEC_PKCS12AuthenticatedSafe, version) }, 
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER,
+	offsetof(SEC_PKCS12AuthenticatedSafe, transportMode) },
+    { SEC_ASN1_BIT_STRING,
+	offsetof(SEC_PKCS12AuthenticatedSafe, privacySalt) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
+    	SEC_ASN1_CONTEXT_SPECIFIC | 0, 
+	offsetof(SEC_PKCS12AuthenticatedSafe, old_baggage), 
+	SEC_PKCS12BaggageTemplate_OLD },
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	offsetof(SEC_PKCS12AuthenticatedSafe, old_safe),
+	sec_PKCS7ContentInfoTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template SEC_PointerToPKCS12KeyBagTemplate[] =
+{
+    { SEC_ASN1_POINTER, 0, SEC_PKCS12PrivateKeyBagTemplate }
+};
+
+const SEC_ASN1Template SEC_PointerToPKCS12CertAndCRLBagTemplate_OLD[] =
+{
+    { SEC_ASN1_POINTER, 0, SEC_PKCS12CertAndCRLBagTemplate_OLD }
+};
+
+const SEC_ASN1Template SEC_PointerToPKCS12CertAndCRLBagTemplate[] =
+{
+    { SEC_ASN1_POINTER, 0, SEC_PKCS12CertAndCRLBagTemplate }
+};
+
+const SEC_ASN1Template SEC_PointerToPKCS12SecretBagTemplate[] =
+{
+    { SEC_ASN1_POINTER, 0, SEC_PKCS12SecretBagTemplate }
+};
+
+const SEC_ASN1Template SEC_PointerToPKCS12X509CertCRLTemplate_OLD[] =
+{
+    { SEC_ASN1_POINTER, 0, SEC_PKCS12X509CertCRLTemplate_OLD }
+};
+
+const SEC_ASN1Template SEC_PointerToPKCS12X509CertCRLTemplate[] =
+{
+    { SEC_ASN1_POINTER, 0, SEC_PKCS12X509CertCRLTemplate }
+};
+
+const SEC_ASN1Template SEC_PointerToPKCS12SDSICertTemplate[] =
+{
+    { SEC_ASN1_POINTER, 0, SEC_PKCS12SDSICertTemplate }
+};
+
+
diff --git a/security/nss/lib/pkcs12/p12local.h b/security/nss/lib/pkcs12/p12local.h
new file mode 100644
index 000000000..e0333e2c3
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12local.h
@@ -0,0 +1,88 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+
+#ifndef _P12LOCAL_H_
+#define _P12LOCAL_H_
+
+#include "plarena.h"
+#include "secoidt.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "certt.h"
+#include "secpkcs7.h"
+#include "pkcs12.h"
+#include "p12.h"
+
+/* helper functions */
+extern const SEC_ASN1Template *
+sec_pkcs12_choose_bag_type(void *src_or_dest, PRBool encoding);
+extern const SEC_ASN1Template *
+sec_pkcs12_choose_cert_crl_type(void *src_or_dest, PRBool encoding);
+extern const SEC_ASN1Template *
+sec_pkcs12_choose_shroud_type(void *src_or_dest, PRBool encoding);
+extern SECItem *sec_pkcs12_generate_salt(void);
+extern SECItem *sec_pkcs12_generate_key_from_password(SECOidTag algorithm, 
+	SECItem *salt, SECItem *password);
+extern SECItem *sec_pkcs12_generate_mac(SECItem *key, SECItem *msg, 
+					PRBool old_method);
+extern SGNDigestInfo *sec_pkcs12_compute_thumbprint(SECItem *der_cert);
+extern SECItem *sec_pkcs12_create_virtual_password(SECItem *password, 
+			SECItem *salt, PRBool swapUnicodeBytes);
+extern SECStatus sec_pkcs12_append_shrouded_key(SEC_PKCS12BaggageItem *bag,
+						 SEC_PKCS12ESPVKItem *espvk);
+extern void *sec_pkcs12_find_object(SEC_PKCS12SafeContents *safe,
+				SEC_PKCS12Baggage *baggage, SECOidTag objType,
+				SECItem *nickname, SGNDigestInfo *thumbprint);
+extern PRBool sec_pkcs12_convert_item_to_unicode(PRArenaPool *arena, SECItem *dest,
+						 SECItem *src, PRBool zeroTerm,
+						 PRBool asciiConvert, PRBool toUnicode);
+extern CK_MECHANISM_TYPE sec_pkcs12_algtag_to_mech(SECOidTag algtag);
+
+/* create functions */
+extern SEC_PKCS12PFXItem *sec_pkcs12_new_pfx(void);
+extern SEC_PKCS12SafeContents *sec_pkcs12_create_safe_contents(
+	PRArenaPool *poolp);
+extern SEC_PKCS12Baggage *sec_pkcs12_create_baggage(PRArenaPool *poolp);
+extern SEC_PKCS12BaggageItem *sec_pkcs12_create_external_bag(SEC_PKCS12Baggage *luggage);
+extern void SEC_PKCS12DestroyPFX(SEC_PKCS12PFXItem *pfx);
+extern SEC_PKCS12AuthenticatedSafe *sec_pkcs12_new_asafe(PRArenaPool *poolp);
+
+/* conversion from old to new */
+extern SEC_PKCS12DecoderContext *
+sec_PKCS12ConvertOldSafeToNew(PRArenaPool *arena, PK11SlotInfo *slot,
+			      PRBool swapUnicode, SECItem *pwitem,
+			      void *wincx, SEC_PKCS12SafeContents *safe,
+			      SEC_PKCS12Baggage *baggage);
+	
+#endif
diff --git a/security/nss/lib/pkcs12/p12plcy.c b/security/nss/lib/pkcs12/p12plcy.c
new file mode 100644
index 000000000..a62be5fe7
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12plcy.c
@@ -0,0 +1,198 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+
+#include "p12plcy.h"
+#include "secoid.h"
+#include "secport.h"
+#include "secpkcs5.h" 
+
+#define PKCS12_NULL  0x0000
+
+typedef struct pkcs12SuiteMapStr {
+    SECOidTag		algTag;
+    unsigned int	keyLengthBits;	/* in bits */
+    unsigned long	suite;
+    PRBool 		allowed;
+    PRBool		preferred;
+} pkcs12SuiteMap;
+
+static pkcs12SuiteMap pkcs12SuiteMaps[] = {
+    { SEC_OID_RC4,		40,	PKCS12_RC4_40,		PR_FALSE,	PR_FALSE},
+    { SEC_OID_RC4,	       128,	PKCS12_RC4_128,		PR_FALSE,	PR_FALSE},
+    { SEC_OID_RC2_CBC,		40,	PKCS12_RC2_CBC_40,	PR_FALSE,	PR_TRUE},
+    { SEC_OID_RC2_CBC,	       128,	PKCS12_RC2_CBC_128,	PR_FALSE,	PR_FALSE},
+    { SEC_OID_DES_CBC,		64,	PKCS12_DES_56,		PR_FALSE,	PR_FALSE},
+    { SEC_OID_DES_EDE3_CBC,    192,	PKCS12_DES_EDE3_168,	PR_FALSE,	PR_FALSE},
+    { SEC_OID_UNKNOWN,		 0,	PKCS12_NULL,		PR_FALSE,	PR_FALSE},
+    { SEC_OID_UNKNOWN,		 0,	0L,			PR_FALSE,	PR_FALSE}
+};
+
+/* determine if algid is an algorithm which is allowed */
+PRBool 
+SEC_PKCS12DecryptionAllowed(SECAlgorithmID *algid)
+{
+    unsigned int keyLengthBits;
+    SECOidTag algId;
+    int i;
+   
+    algId = SEC_PKCS5GetCryptoAlgorithm(algid);
+    if(algId == SEC_OID_UNKNOWN) {
+	return PR_FALSE;
+    }
+    
+    keyLengthBits = (unsigned int)(SEC_PKCS5GetKeyLength(algid) * 8);
+
+    i = 0;
+    while(pkcs12SuiteMaps[i].algTag != SEC_OID_UNKNOWN) {
+	if((pkcs12SuiteMaps[i].algTag == algId) && 
+	   (pkcs12SuiteMaps[i].keyLengthBits == keyLengthBits)) {
+
+	    return pkcs12SuiteMaps[i].allowed;
+	}
+	i++;
+    }
+
+    return PR_FALSE;
+}
+
+/* is any encryption allowed? */
+PRBool
+SEC_PKCS12IsEncryptionAllowed(void)
+{
+    int i;
+
+    i = 0;
+    while(pkcs12SuiteMaps[i].algTag != SEC_OID_UNKNOWN) {
+	if(pkcs12SuiteMaps[i].allowed == PR_TRUE) {
+	    return PR_TRUE;
+	} 
+	i++;
+    }
+
+    return PR_FALSE;
+}
+
+/* get the preferred algorithm.
+ */
+SECOidTag
+SEC_PKCS12GetPreferredEncryptionAlgorithm(void)
+{
+    int i;
+
+    i = 0;
+    while(pkcs12SuiteMaps[i].algTag != SEC_OID_UNKNOWN) {
+	if((pkcs12SuiteMaps[i].preferred == PR_TRUE) && 
+	   (pkcs12SuiteMaps[i].allowed == PR_TRUE)) {
+	    return SEC_PKCS5GetPBEAlgorithm(pkcs12SuiteMaps[i].algTag,
+	    				    pkcs12SuiteMaps[i].keyLengthBits);
+	}
+	i++;
+    }
+
+    return SEC_OID_UNKNOWN;
+}
+
+/* return the strongest algorithm allowed */
+SECOidTag
+SEC_PKCS12GetStrongestAllowedAlgorithm(void)
+{
+    int i, keyLengthBits = 0;
+    SECOidTag algorithm = SEC_OID_UNKNOWN;
+
+    i = 0;
+    while(pkcs12SuiteMaps[i].algTag != SEC_OID_UNKNOWN) {
+	if((pkcs12SuiteMaps[i].allowed == PR_TRUE) && 
+	   (pkcs12SuiteMaps[i].keyLengthBits > (unsigned int)keyLengthBits) &&
+	   (pkcs12SuiteMaps[i].algTag != SEC_OID_RC4)) {
+	    algorithm = pkcs12SuiteMaps[i].algTag;
+	    keyLengthBits = pkcs12SuiteMaps[i].keyLengthBits;
+	}
+	i++;
+    }
+
+    if(algorithm == SEC_OID_UNKNOWN) {
+	return SEC_OID_UNKNOWN;
+    }
+
+    return SEC_PKCS5GetPBEAlgorithm(algorithm, keyLengthBits);
+}
+
+SECStatus
+SEC_PKCS12EnableCipher(long which, int on) 
+{
+    int i;
+
+    i = 0;
+    while(pkcs12SuiteMaps[i].suite != 0L) {
+	if(pkcs12SuiteMaps[i].suite == (unsigned long)which) {
+	    if(on) {
+		pkcs12SuiteMaps[i].allowed = PR_TRUE;
+	    } else {
+		pkcs12SuiteMaps[i].allowed = PR_FALSE;
+	    }
+	    return SECSuccess;
+	}
+	i++;
+    }
+
+    return SECFailure;
+}
+
+SECStatus
+SEC_PKCS12SetPreferredCipher(long which, int on)
+{
+    int i;
+    PRBool turnedOff = PR_FALSE;
+    PRBool turnedOn = PR_FALSE;
+
+    i = 0;
+    while(pkcs12SuiteMaps[i].suite != 0L) {
+	if(pkcs12SuiteMaps[i].preferred == PR_TRUE) {
+	    pkcs12SuiteMaps[i].preferred = PR_FALSE;
+	    turnedOff = PR_TRUE;
+	}
+	if(pkcs12SuiteMaps[i].suite == (unsigned long)which) {
+	    pkcs12SuiteMaps[i].preferred = PR_TRUE;
+	    turnedOn = PR_TRUE;
+	}
+	i++;
+    }
+
+    if((turnedOn) && (turnedOff)) {
+	return SECSuccess;
+    }
+
+    return SECFailure;
+}
+
diff --git a/security/nss/lib/pkcs12/p12plcy.h b/security/nss/lib/pkcs12/p12plcy.h
new file mode 100644
index 000000000..1a3a9ee2f
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12plcy.h
@@ -0,0 +1,57 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#ifndef _P12PLCY_H_
+#define _P12PLCY_H_
+
+#include "secoid.h"
+#include "ciferfam.h"
+
+/* for the algid specified, can we decrypt it ? */
+extern PRBool SEC_PKCS12DecryptionAllowed(SECAlgorithmID *algid);
+
+/* is encryption allowed? */
+extern PRBool SEC_PKCS12IsEncryptionAllowed(void);
+
+/* get the preferred encryption algorithm */
+extern SECOidTag SEC_PKCS12GetPreferredEncryptionAlgorithm(void);
+
+/* get the stronget crypto allowed (based on order in the table */
+extern SECOidTag SEC_PKCS12GetStrongestAllowedAlgorithm(void);
+
+/* enable a cipher for encryption/decryption */
+extern SECStatus SEC_PKCS12EnableCipher(long which, int on);
+
+/* return the preferred cipher for encryption */
+extern SECStatus SEC_PKCS12SetPreferredCipher(long which, int on);
+
+#endif
diff --git a/security/nss/lib/pkcs12/p12t.h b/security/nss/lib/pkcs12/p12t.h
new file mode 100644
index 000000000..6b9d3da1b
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12t.h
@@ -0,0 +1,182 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _P12T_H_
+#define _P12T_H_
+
+#include "secoid.h"
+#include "key.h"
+#include "pkcs11.h"
+#include "secpkcs7.h"
+#include "secdig.h"	/* for SGNDigestInfo */
+
+#define SEC_PKCS12_VERSION	3
+
+/* structure declarations */
+typedef struct sec_PKCS12PFXItemStr sec_PKCS12PFXItem;
+typedef struct sec_PKCS12MacDataStr sec_PKCS12MacData;
+typedef struct sec_PKCS12AuthenticatedSafeStr sec_PKCS12AuthenticatedSafe;
+typedef struct sec_PKCS12SafeContentsStr sec_PKCS12SafeContents;
+typedef struct sec_PKCS12SafeBagStr sec_PKCS12SafeBag;
+typedef struct sec_PKCS12PKCS8ShroudedKeyBagStr sec_PKCS12PKCS8ShroudedKeyBag;
+typedef struct sec_PKCS12CertBagStr sec_PKCS12CertBag;
+typedef struct sec_PKCS12CRLBagStr sec_PKCS12CRLBag;
+typedef struct sec_PKCS12SecretBag sec_PKCS12SecretBag;
+typedef struct sec_PKCS12AttributeStr sec_PKCS12Attribute;
+
+struct sec_PKCS12CertBagStr {
+    /* what type of cert is stored? */
+    SECItem bagID;
+
+    /* certificate information */
+    union {
+	SECItem x509Cert;
+	SECItem SDSICert;
+    } value;
+};
+
+struct sec_PKCS12CRLBagStr {
+    /* what type of cert is stored? */
+    SECItem bagID;
+
+    /* certificate information */
+    union {
+	SECItem x509CRL;
+    } value;
+};
+
+struct sec_PKCS12SecretBag {
+    /* what type of secret? */
+    SECItem secretType;
+
+    /* secret information.  ssshhhh be vewy vewy quiet. */
+    SECItem secretContent;
+};
+
+struct sec_PKCS12AttributeStr {
+    SECItem attrType;
+    SECItem **attrValue;
+};
+
+struct sec_PKCS12SafeBagStr {
+
+    /* What type of bag are we using? */
+    SECItem safeBagType;
+
+    /* Dependent upon the type of bag being used. */
+    union {
+	SECKEYPrivateKeyInfo *pkcs8KeyBag;
+	SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag;
+	sec_PKCS12CertBag *certBag;
+	sec_PKCS12CRLBag *crlBag;
+	sec_PKCS12SecretBag *secretBag;
+	sec_PKCS12SafeContents *safeContents;
+    } safeBagContent;
+
+    sec_PKCS12Attribute **attribs;
+
+    /* used locally */
+    SECOidData *bagTypeTag;
+    PRArenaPool *arena;
+    unsigned int nAttribs;
+
+    /* used for validation/importing */
+    PRBool problem, noInstall, validated, hasKey, removeExisting, installed;
+    int error;
+
+    PRBool swapUnicodeBytes;
+    PK11SlotInfo *slot;
+    SECItem *pwitem;
+    PRBool oldBagType;
+};
+    
+struct sec_PKCS12SafeContentsStr {
+    sec_PKCS12SafeBag **safeBags;
+    SECItem **encodedSafeBags;
+    
+    /* used locally */
+    PRArenaPool *arena;
+    unsigned int bagCount;
+};
+
+struct sec_PKCS12MacDataStr {
+    SGNDigestInfo safeMac;
+    SECItem macSalt;
+    SECItem iter;
+};
+
+struct sec_PKCS12PFXItemStr {
+
+    SECItem version;
+
+    /* Content type will either be Data (password integrity mode)
+     * or signedData (public-key integrity mode)
+     */
+    SEC_PKCS7ContentInfo *authSafe;
+    SECItem encodedAuthSafe;
+
+    /* Only present in password integrity mode */
+    sec_PKCS12MacData macData;
+    SECItem encodedMacData;
+};
+
+struct sec_PKCS12AuthenticatedSafeStr {
+    /* Content type will either be encryptedData (password privacy mode)
+     * or envelopedData (public-key privacy mode)
+     */
+    SEC_PKCS7ContentInfo **safes;
+    SECItem **encodedSafes;
+
+    /* used locally */
+    unsigned int safeCount;
+    SECItem dummySafe;
+};
+
+extern const SEC_ASN1Template sec_PKCS12PFXItemTemplate[];
+extern const SEC_ASN1Template sec_PKCS12MacDataTemplate[];
+extern const SEC_ASN1Template sec_PKCS12AuthenticatedSafeTemplate[];
+extern const SEC_ASN1Template sec_PKCS12SafeContentsTemplate[];
+extern const SEC_ASN1Template sec_PKCS12SafeContentsDecodeTemplate[];
+extern const SEC_ASN1Template sec_PKCS12NestedSafeContentsDecodeTemplate[];
+extern const SEC_ASN1Template sec_PKCS12CertBagTemplate[];
+extern const SEC_ASN1Template sec_PKCS12CRLBagTemplate[];
+extern const SEC_ASN1Template sec_PKCS12SecretBagTemplate[];
+extern const SEC_ASN1Template sec_PKCS12PointerToCertBagTemplate[];
+extern const SEC_ASN1Template sec_PKCS12PointerToCRLBagTemplate[];
+extern const SEC_ASN1Template sec_PKCS12PointerToSecretBagTemplate[];
+extern const SEC_ASN1Template sec_PKCS12PointerToSafeContentsTemplate[];
+extern const SEC_ASN1Template sec_PKCS12AttributeTemplate[];
+extern const SEC_ASN1Template sec_PKCS12PointerToContentInfoTemplate[];
+extern const SEC_ASN1Template sec_PKCS12SafeBagTemplate[];
+
+#endif
diff --git a/security/nss/lib/pkcs12/p12tmpl.c b/security/nss/lib/pkcs12/p12tmpl.c
new file mode 100644
index 000000000..e58816386
--- /dev/null
+++ b/security/nss/lib/pkcs12/p12tmpl.c
@@ -0,0 +1,320 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "plarena.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "seccomon.h"
+#include "secport.h"
+#include "cert.h"
+#include "secpkcs7.h"
+#include "secasn1.h"
+#include "p12t.h"
+
+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+SEC_ASN1_MKSUB(sgn_DigestInfoTemplate)
+
+static const SEC_ASN1Template *
+sec_pkcs12_choose_safe_bag_type(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    sec_PKCS12SafeBag *safeBag;
+    SECOidData *oiddata;
+
+    if (src_or_dest == NULL) {
+	return NULL;
+    }
+
+    safeBag = (sec_PKCS12SafeBag*)src_or_dest;
+
+    oiddata = SECOID_FindOID(&safeBag->safeBagType);
+    if(oiddata == NULL) {
+	return SEC_ASN1_GET(SEC_AnyTemplate);
+    }
+
+    switch (oiddata->offset) {
+	default:
+	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
+	    break;
+	case SEC_OID_PKCS12_V1_KEY_BAG_ID:
+	    theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate);
+	    break;
+	case SEC_OID_PKCS12_V1_CERT_BAG_ID:
+	    theTemplate = sec_PKCS12PointerToCertBagTemplate;
+	    break;
+	case SEC_OID_PKCS12_V1_CRL_BAG_ID:
+	    theTemplate = sec_PKCS12PointerToCRLBagTemplate;
+	    break;
+        case SEC_OID_PKCS12_V1_SECRET_BAG_ID:
+	    theTemplate = sec_PKCS12PointerToSecretBagTemplate;
+	    break;
+	case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
+	    theTemplate = 
+	        SEC_ASN1_GET(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate);
+	    break;
+	case SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID:
+	    if(encoding) {
+		theTemplate = sec_PKCS12PointerToSafeContentsTemplate;
+	    } else {
+		theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+	    }
+	    break;
+    }
+    return theTemplate;
+}
+
+static const SEC_ASN1Template *
+sec_pkcs12_choose_crl_bag_type(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    sec_PKCS12CRLBag *crlbag;
+    SECOidData *oiddata;
+
+    if (src_or_dest == NULL) {
+	return NULL;
+    }
+
+    crlbag = (sec_PKCS12CRLBag*)src_or_dest;
+
+    oiddata = SECOID_FindOID(&crlbag->bagID);
+    if(oiddata == NULL) {
+	return SEC_ASN1_GET(SEC_AnyTemplate);
+    }
+
+    switch (oiddata->offset) {
+	default:
+	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
+	    break;
+	case SEC_OID_PKCS9_X509_CRL:
+	    theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate);
+	    break;
+    }
+    return theTemplate;
+}
+
+static const SEC_ASN1Template *
+sec_pkcs12_choose_cert_bag_type(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    sec_PKCS12CertBag *certbag;
+    SECOidData *oiddata;
+
+    if (src_or_dest == NULL) {
+	return NULL;
+    }
+
+    certbag = (sec_PKCS12CertBag*)src_or_dest;
+
+    oiddata = SECOID_FindOID(&certbag->bagID);
+    if(oiddata == NULL) {
+	return SEC_ASN1_GET(SEC_AnyTemplate);
+    }
+
+    switch (oiddata->offset) {
+	default:
+	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
+	    break;
+	case SEC_OID_PKCS9_X509_CERT:
+	    theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate);
+	    break;
+	case SEC_OID_PKCS9_SDSI_CERT:
+	    theTemplate = SEC_ASN1_GET(SEC_IA5StringTemplate);
+	    break;
+    }
+    return theTemplate;
+}
+
+static const SEC_ASN1Template *
+sec_pkcs12_choose_attr_type(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    sec_PKCS12Attribute *attr;
+    SECOidData *oiddata;
+
+    if (src_or_dest == NULL) {
+	return NULL;
+    }
+
+    attr = (sec_PKCS12Attribute*)src_or_dest;
+
+    oiddata = SECOID_FindOID(&attr->attrType);
+    if(oiddata == NULL) {
+	return SEC_ASN1_GET(SEC_AnyTemplate);
+    }
+
+    switch (oiddata->offset) {
+	default:
+	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
+	    break;
+	case SEC_OID_PKCS9_FRIENDLY_NAME:
+	    theTemplate = SEC_ASN1_GET(SEC_BMPStringTemplate);
+	    break;
+	case SEC_OID_PKCS9_LOCAL_KEY_ID:
+	    theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate);
+	    break;
+	case SEC_OID_PKCS12_KEY_USAGE:
+	    theTemplate = SEC_ASN1_GET(SEC_BitStringTemplate);
+	    break;
+    }
+
+    return theTemplate;
+}
+
+
+const SEC_ASN1Template sec_PKCS12PointerToContentInfoTemplate[] = {
+    { SEC_ASN1_POINTER | SEC_ASN1_MAY_STREAM, 0, sec_PKCS7ContentInfoTemplate }
+};
+
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_crl_bag_chooser =
+    sec_pkcs12_choose_crl_bag_type;
+
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_cert_bag_chooser =
+    sec_pkcs12_choose_cert_bag_type;
+
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_safe_bag_chooser =
+    sec_pkcs12_choose_safe_bag_type;
+
+static const SEC_ASN1TemplateChooserPtr sec_pkcs12_attr_chooser =
+    sec_pkcs12_choose_attr_type;
+
+const SEC_ASN1Template sec_PKCS12PointerToCertBagTemplate[] = {
+    { SEC_ASN1_POINTER, 0, sec_PKCS12CertBagTemplate }
+};
+
+const SEC_ASN1Template sec_PKCS12PointerToCRLBagTemplate[] = {
+    { SEC_ASN1_POINTER, 0, sec_PKCS12CRLBagTemplate }
+};
+
+const SEC_ASN1Template sec_PKCS12PointerToSecretBagTemplate[] = {
+    { SEC_ASN1_POINTER, 0, sec_PKCS12SecretBagTemplate }
+};
+
+const SEC_ASN1Template sec_PKCS12PointerToSafeContentsTemplate[] = {
+    { SEC_ASN1_POINTER, 0, sec_PKCS12SafeContentsTemplate }
+};
+
+const SEC_ASN1Template sec_PKCS12PFXItemTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM, 0, NULL, 
+	sizeof(sec_PKCS12PFXItem) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER, 
+	offsetof(sec_PKCS12PFXItem, version) },
+    { SEC_ASN1_ANY | SEC_ASN1_MAY_STREAM, 
+	offsetof(sec_PKCS12PFXItem, encodedAuthSafe) },
+    { SEC_ASN1_ANY | SEC_ASN1_MAY_STREAM,
+	offsetof(sec_PKCS12PFXItem, encodedMacData) },
+    { 0 }
+};
+
+const SEC_ASN1Template sec_PKCS12MacDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(sec_PKCS12MacData) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN , offsetof(sec_PKCS12MacData, safeMac),
+	SEC_ASN1_SUB(sgn_DigestInfoTemplate) },
+    { SEC_ASN1_OCTET_STRING, offsetof(sec_PKCS12MacData, macSalt) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_INTEGER, offsetof(sec_PKCS12MacData, iter) },
+    { 0 }
+};
+
+const SEC_ASN1Template sec_PKCS12AuthenticatedSafeTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_MAY_STREAM | SEC_ASN1_XTRN , 
+	offsetof(sec_PKCS12AuthenticatedSafe, encodedSafes), 
+	SEC_ASN1_SUB(SEC_AnyTemplate) }
+};
+
+const SEC_ASN1Template sec_PKCS12SafeBagTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM, 0, NULL, 
+	sizeof(sec_PKCS12SafeBag) },
+    { SEC_ASN1_OBJECT_ID, offsetof(sec_PKCS12SafeBag, safeBagType) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_DYNAMIC | SEC_ASN1_CONSTRUCTED |
+	SEC_ASN1_MAY_STREAM | SEC_ASN1_CONTEXT_SPECIFIC | 0, 
+	offsetof(sec_PKCS12SafeBag, safeBagContent), 
+	&sec_pkcs12_safe_bag_chooser },
+    { SEC_ASN1_SET_OF | SEC_ASN1_OPTIONAL, offsetof(sec_PKCS12SafeBag, attribs),
+	sec_PKCS12AttributeTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template sec_PKCS12SafeContentsTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_MAY_STREAM, 
+	offsetof(sec_PKCS12SafeContents, safeBags),
+	sec_PKCS12SafeBagTemplate }
+};
+
+const SEC_ASN1Template sec_PKCS12SequenceOfAnyTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_MAY_STREAM | SEC_ASN1_XTRN , 0,
+	SEC_ASN1_SUB(SEC_AnyTemplate) }
+};
+
+const SEC_ASN1Template sec_PKCS12NestedSafeContentsDecodeTemplate[] = {
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0,
+	offsetof(sec_PKCS12SafeContents, encodedSafeBags),
+	sec_PKCS12SequenceOfAnyTemplate }
+};
+
+const SEC_ASN1Template sec_PKCS12SafeContentsDecodeTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_MAY_STREAM | SEC_ASN1_XTRN , 
+	offsetof(sec_PKCS12SafeContents, encodedSafeBags),
+	SEC_ASN1_SUB(SEC_AnyTemplate) }
+};
+
+const SEC_ASN1Template sec_PKCS12CRLBagTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(sec_PKCS12CRLBag) },
+    { SEC_ASN1_OBJECT_ID, offsetof(sec_PKCS12CRLBag, bagID) },
+    { SEC_ASN1_DYNAMIC | SEC_ASN1_POINTER, 
+	offsetof(sec_PKCS12CRLBag, value), &sec_pkcs12_crl_bag_chooser },
+    { 0 }
+};
+
+const SEC_ASN1Template sec_PKCS12CertBagTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(sec_PKCS12CertBag) },
+    { SEC_ASN1_OBJECT_ID, offsetof(sec_PKCS12CertBag, bagID) },
+    { SEC_ASN1_DYNAMIC | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED |
+	SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	offsetof(sec_PKCS12CertBag, value), &sec_pkcs12_cert_bag_chooser },
+    { 0 }
+};
+
+const SEC_ASN1Template sec_PKCS12SecretBagTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(sec_PKCS12SecretBag) },
+    { SEC_ASN1_OBJECT_ID, offsetof(sec_PKCS12SecretBag, secretType) },
+    { SEC_ASN1_ANY, offsetof(sec_PKCS12SecretBag, secretContent) },
+    { 0 }
+};
+
+const SEC_ASN1Template sec_PKCS12AttributeTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(sec_PKCS12Attribute) },
+    { SEC_ASN1_OBJECT_ID, offsetof(sec_PKCS12Attribute, attrType) },
+    { SEC_ASN1_SET_OF | SEC_ASN1_DYNAMIC, 
+	offsetof(sec_PKCS12Attribute, attrValue),
+	&sec_pkcs12_attr_chooser },
+    { 0 }
+};
diff --git a/security/nss/lib/pkcs12/pkcs12.h b/security/nss/lib/pkcs12/pkcs12.h
new file mode 100644
index 000000000..dd9d99594
--- /dev/null
+++ b/security/nss/lib/pkcs12/pkcs12.h
@@ -0,0 +1,67 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+
+#ifndef _PKCS12_H_
+#define _PKCS12_H_
+
+#include "pkcs12t.h"
+#include "p12.h"
+
+typedef SECItem * (* SEC_PKCS12GetPassword)(void *arg);
+
+/* Decode functions */
+/* Import a PFX item.  
+ *	der_pfx is the der-encoded pfx item to import.
+ *	pbef, and pbefarg are used to retrieve passwords for the HMAC,
+ *	    and any passwords needed for passing to PKCS5 encryption 
+ *	    routines.
+ *	algorithm is the algorithm by which private keys are stored in
+ *	    the key database.  this could be a specific algorithm or could
+ *	    be based on a global setting.
+ *	slot is the slot to where the certificates will be placed.  if NULL,
+ *	    the internal key slot is used.
+ * If the process is successful, a SECSuccess is returned, otherwise
+ * a failure occurred.
+ */ 
+SECStatus
+SEC_PKCS12PutPFX(SECItem *der_pfx, SECItem *pwitem,
+		 SEC_PKCS12NicknameCollisionCallback ncCall,
+		 PK11SlotInfo *slot, void *wincx);
+
+/* check the first two bytes of a file to make sure that it matches
+ * the desired header for a PKCS 12 file
+ */
+PRBool SEC_PKCS12ValidData(char *buf, int bufLen, long int totalLength);
+
+#endif
diff --git a/security/nss/lib/pkcs12/pkcs12t.h b/security/nss/lib/pkcs12/pkcs12t.h
new file mode 100644
index 000000000..53c36c3f7
--- /dev/null
+++ b/security/nss/lib/pkcs12/pkcs12t.h
@@ -0,0 +1,386 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _PKCS12T_H_
+#define _PKCS12T_H_
+
+#include "seccomon.h"
+#include "secoid.h"
+#include "cert.h"
+#include "key.h"
+#include "plarena.h"
+#include "secpkcs7.h"
+#include "secdig.h"	/* for SGNDigestInfo */
+
+/* PKCS12 Structures */
+typedef struct SEC_PKCS12PFXItemStr SEC_PKCS12PFXItem;
+typedef struct SEC_PKCS12MacDataStr SEC_PKCS12MacData;
+typedef struct SEC_PKCS12AuthenticatedSafeStr SEC_PKCS12AuthenticatedSafe;
+typedef struct SEC_PKCS12BaggageItemStr SEC_PKCS12BaggageItem;
+typedef struct SEC_PKCS12BaggageStr SEC_PKCS12Baggage;
+typedef struct SEC_PKCS12Baggage_OLDStr SEC_PKCS12Baggage_OLD;
+typedef struct SEC_PKCS12ESPVKItemStr SEC_PKCS12ESPVKItem;
+typedef struct SEC_PKCS12PVKSupportingDataStr SEC_PKCS12PVKSupportingData;
+typedef struct SEC_PKCS12PVKAdditionalDataStr SEC_PKCS12PVKAdditionalData;
+typedef struct SEC_PKCS12SafeContentsStr SEC_PKCS12SafeContents;
+typedef struct SEC_PKCS12SafeBagStr SEC_PKCS12SafeBag;
+typedef struct SEC_PKCS12PrivateKeyStr SEC_PKCS12PrivateKey;
+typedef struct SEC_PKCS12PrivateKeyBagStr SEC_PKCS12PrivateKeyBag;
+typedef struct SEC_PKCS12CertAndCRLBagStr SEC_PKCS12CertAndCRLBag;
+typedef struct SEC_PKCS12CertAndCRLStr SEC_PKCS12CertAndCRL;
+typedef struct SEC_PKCS12X509CertCRLStr SEC_PKCS12X509CertCRL;
+typedef struct SEC_PKCS12SDSICertStr SEC_PKCS12SDSICert;
+typedef struct SEC_PKCS12SecretStr SEC_PKCS12Secret;
+typedef struct SEC_PKCS12SecretAdditionalStr SEC_PKCS12SecretAdditional;
+typedef struct SEC_PKCS12SecretItemStr SEC_PKCS12SecretItem;
+typedef struct SEC_PKCS12SecretBagStr SEC_PKCS12SecretBag;
+
+typedef SECItem *(* SEC_PKCS12PasswordFunc)(SECItem *args);
+
+/* PKCS12 types */
+
+/* stores shrouded keys */
+struct SEC_PKCS12BaggageStr
+{
+    PRArenaPool     *poolp;
+    SEC_PKCS12BaggageItem **bags;
+
+    int luggage_size;		/* used locally */
+};
+
+/* additional data to be associated with keys.	currently there
+ * is nothing defined to be stored here.  allows future expansion.
+ */
+struct SEC_PKCS12PVKAdditionalDataStr
+{
+    PRArenaPool	*poolp;
+    SECOidData	*pvkAdditionalTypeTag;	/* used locally */
+    SECItem     pvkAdditionalType;
+    SECItem     pvkAdditionalContent;
+};
+
+/* cert and other supporting data for private keys.  used
+ * for both shrouded and non-shrouded keys.
+ */
+struct SEC_PKCS12PVKSupportingDataStr
+{
+    PRArenaPool		*poolp;
+    SGNDigestInfo 	**assocCerts;
+    SECItem		regenerable;
+    SECItem         	nickname;
+    SEC_PKCS12PVKAdditionalData     pvkAdditional;
+    SECItem		pvkAdditionalDER;
+
+    SECItem		uniNickName;
+    /* used locally */
+    int			nThumbs;
+};
+
+/* shrouded key structure.  supports only pkcs8 shrouding
+ * currently.
+ */
+struct SEC_PKCS12ESPVKItemStr
+{
+    PRArenaPool *poolp;		/* used locally */
+    SECOidData	*espvkTag;	/* used locally */
+    SECItem	espvkOID;
+    SEC_PKCS12PVKSupportingData espvkData;
+    union
+    {
+	SECKEYEncryptedPrivateKeyInfo *pkcs8KeyShroud;
+    } espvkCipherText;
+
+    PRBool duplicate;	/* used locally */
+    PRBool problem_cert; 	/* used locally */
+    PRBool single_cert;		/* used locally */
+    int nCerts;			/* used locally */
+    SECItem derCert;		/* used locally */
+};
+
+/* generic bag store for the safe.  safeBagType identifies
+ * the type of bag stored.
+ */
+struct SEC_PKCS12SafeBagStr
+{
+    PRArenaPool *poolp;
+    SECOidData	*safeBagTypeTag;	/* used locally */
+    SECItem     safeBagType;
+    union
+    {
+	SEC_PKCS12PrivateKeyBag	*keyBag;
+	SEC_PKCS12CertAndCRLBag *certAndCRLBag;
+	SEC_PKCS12SecretBag     *secretBag;
+    } safeContent;
+
+    SECItem	derSafeContent;
+    SECItem 	safeBagName;
+
+    SECItem	uniSafeBagName;
+};
+
+/* stores private keys and certificates in a list.  each safebag
+ * has an ID identifying the type of content stored.
+ */
+struct SEC_PKCS12SafeContentsStr
+{
+    PRArenaPool     	*poolp;
+    SEC_PKCS12SafeBag	**contents;
+
+    /* used for tracking purposes */
+    int safe_size;
+    PRBool old;
+    PRBool swapUnicode;
+    PRBool possibleSwapUnicode;
+};
+
+/* private key structure which holds encrypted private key and
+ * supporting data including nickname and certificate thumbprint.
+ */
+struct SEC_PKCS12PrivateKeyStr
+{
+    PRArenaPool *poolp;
+    SEC_PKCS12PVKSupportingData pvkData;
+    SECKEYPrivateKeyInfo	pkcs8data;   /* borrowed from PKCS 8 */
+
+    PRBool duplicate;	/* used locally */
+    PRBool problem_cert;/* used locally */
+    PRBool single_cert;	/* used locally */
+    int nCerts;		/* used locally */
+    SECItem derCert;	/* used locally */
+};
+
+/* private key bag, holds a (null terminated) list of private key
+ * structures.
+ */
+struct SEC_PKCS12PrivateKeyBagStr
+{
+    PRArenaPool     *poolp;
+    SEC_PKCS12PrivateKey 	**privateKeys;
+
+    int bag_size;	/* used locally */
+};
+
+/* container to hold certificates.  currently supports x509
+ * and sdsi certificates
+ */
+struct SEC_PKCS12CertAndCRLStr
+{
+    PRArenaPool     *poolp;
+    SECOidData	    *BagTypeTag;    /* used locally */
+    SECItem         BagID;
+    union
+    {
+    	SEC_PKCS12X509CertCRL	*x509;
+    	SEC_PKCS12SDSICert	*sdsi;
+    } value;
+
+    SECItem derValue;
+    SECItem nickname;		/* used locally */
+    PRBool duplicate;		/* used locally */
+};
+
+/* x509 certificate structure.	typically holds the der encoding
+ * of the x509 certificate.  thumbprint contains a digest of the
+ * certificate
+ */
+struct SEC_PKCS12X509CertCRLStr
+{
+    PRArenaPool     		*poolp;
+    SEC_PKCS7ContentInfo	certOrCRL;
+    SGNDigestInfo		thumbprint;
+
+    SECItem *derLeafCert;	/* used locally */
+};
+
+/* sdsi certificate structure.	typically holds the der encoding
+ * of the sdsi certificate.  thumbprint contains a digest of the
+ * certificate
+ */
+struct SEC_PKCS12SDSICertStr
+{
+    PRArenaPool     *poolp;
+    SECItem         value;
+    SGNDigestInfo   thumbprint;
+};
+
+/* contains a null terminated list of certs and crls */
+struct SEC_PKCS12CertAndCRLBagStr
+{
+    PRArenaPool     		*poolp;
+    SEC_PKCS12CertAndCRL	**certAndCRLs;
+
+    int bag_size;	/* used locally */
+};
+
+/* additional secret information.  currently no information
+ * stored in this structure.
+ */
+struct SEC_PKCS12SecretAdditionalStr
+{
+    PRArenaPool     *poolp;
+    SECOidData	    *secretTypeTag;         /* used locally */
+    SECItem         secretAdditionalType;
+    SECItem         secretAdditionalContent;
+};
+
+/* secrets container.  this will be used to contain currently
+ * unspecified secrets.  (it's a secret)
+ */
+struct SEC_PKCS12SecretStr
+{
+    PRArenaPool     *poolp;
+    SECItem	secretName;
+    SECItem	value;
+    SEC_PKCS12SecretAdditional	secretAdditional;
+
+    SECItem	uniSecretName;
+};
+
+struct SEC_PKCS12SecretItemStr
+{
+    PRArenaPool     *poolp;
+    SEC_PKCS12Secret	secret;
+    SEC_PKCS12SafeBag	subFolder;
+};    
+
+/* a bag of secrets.  holds a null terminated list of secrets.
+ */
+struct SEC_PKCS12SecretBagStr
+{
+    PRArenaPool     	*poolp;
+    SEC_PKCS12SecretItem	**secrets;
+
+    int bag_size;	/* used locally */
+};
+
+struct SEC_PKCS12MacDataStr
+{
+    SGNDigestInfo	safeMac;
+    SECItem		macSalt;
+};
+
+/* outer transfer unit */
+struct SEC_PKCS12PFXItemStr
+{
+    PRArenaPool		*poolp;
+    SEC_PKCS12MacData	macData;
+    SEC_PKCS7ContentInfo	authSafe; 
+
+    /* for compatibility with beta */
+    PRBool		old;
+    SGNDigestInfo 	old_safeMac;
+    SECItem		old_macSalt;
+
+    /* compatibility between platforms for unicode swapping */
+    PRBool		swapUnicode;
+};
+
+struct SEC_PKCS12BaggageItemStr {
+    PRArenaPool	    *poolp;
+    SEC_PKCS12ESPVKItem	**espvks;
+    SEC_PKCS12SafeBag	**unencSecrets;
+
+    int nEspvks;
+    int nSecrets; 
+};
+    
+/* stores shrouded keys */
+struct SEC_PKCS12Baggage_OLDStr
+{
+    PRArenaPool     *poolp;
+    SEC_PKCS12ESPVKItem **espvks;
+
+    int luggage_size;		/* used locally */
+};
+
+/* authenticated safe, stores certs, keys, and shrouded keys */
+struct SEC_PKCS12AuthenticatedSafeStr
+{
+    PRArenaPool     *poolp;
+    SECItem         version;
+    SECOidData	    *transportTypeTag;	/* local not part of encoding*/
+    SECItem         transportMode;
+    SECItem         privacySalt;
+    SEC_PKCS12Baggage	  baggage;
+    SEC_PKCS7ContentInfo  *safe;
+
+    /* used for beta compatibility */
+    PRBool old;
+    PRBool emptySafe;
+    SEC_PKCS12Baggage_OLD old_baggage;
+    SEC_PKCS7ContentInfo old_safe;
+    PRBool swapUnicode;
+};
+#define SEC_PKCS12_PFX_VERSION		1		/* what we create */
+
+
+
+/* PKCS 12 Templates */
+extern const SEC_ASN1Template SEC_PKCS12PFXItemTemplate_OLD[];
+extern const SEC_ASN1Template SEC_PKCS12AuthenticatedSafeTemplate_OLD[];
+extern const SEC_ASN1Template SEC_PKCS12BaggageTemplate_OLD[];
+extern const SEC_ASN1Template SEC_PKCS12PFXItemTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12MacDataTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12AuthenticatedSafeTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12BaggageTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12ESPVKItemTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12PVKSupportingDataTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12PVKAdditionalTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12SafeContentsTemplate_OLD[];
+extern const SEC_ASN1Template SEC_PKCS12SafeContentsTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12SafeBagTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12PrivateKeyTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12PrivateKeyBagTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12CertAndCRLTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12CertAndCRLBagTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12X509CertCRLTemplate_OLD[];
+extern const SEC_ASN1Template SEC_PKCS12X509CertCRLTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12SDSICertTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12SecretBagTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12SecretTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12SecretItemTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12SecretAdditionalTemplate[];
+extern const SEC_ASN1Template SGN_DigestInfoTemplate[];
+extern const SEC_ASN1Template SEC_PointerToPKCS12KeyBagTemplate[];
+extern const SEC_ASN1Template SEC_PointerToPKCS12CertAndCRLBagTemplate[];
+extern const SEC_ASN1Template SEC_PointerToPKCS12CertAndCRLBagTemplate_OLD[];
+extern const SEC_ASN1Template SEC_PointerToPKCS12SecretBagTemplate[];
+extern const SEC_ASN1Template SEC_PointerToPKCS12X509CertCRLTemplate_OLD[];
+extern const SEC_ASN1Template SEC_PointerToPKCS12X509CertCRLTemplate[];
+extern const SEC_ASN1Template SEC_PointerToPKCS12SDSICertTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12CodedSafeBagTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12CodedCertBagTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12CodedCertAndCRLBagTemplate[];
+extern const SEC_ASN1Template SEC_PKCS12PVKSupportingDataTemplate_OLD[];
+extern const SEC_ASN1Template SEC_PKCS12ESPVKItemTemplate_OLD[];
+#endif
diff --git a/security/nss/lib/pkcs7/Makefile b/security/nss/lib/pkcs7/Makefile
new file mode 100644
index 000000000..cb85677bc
--- /dev/null
+++ b/security/nss/lib/pkcs7/Makefile
@@ -0,0 +1,76 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+
diff --git a/security/nss/lib/pkcs7/certread.c b/security/nss/lib/pkcs7/certread.c
new file mode 100644
index 000000000..073a9e545
--- /dev/null
+++ b/security/nss/lib/pkcs7/certread.c
@@ -0,0 +1,537 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "nssrenam.h"
+#include "cert.h"
+#include "secpkcs7.h"
+#include "base64.h"
+#include "secitem.h"
+#include "secder.h"
+#include "secasn1.h"
+#include "secoid.h"
+
+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+
+SECStatus
+SEC_ReadPKCS7Certs(SECItem *pkcs7Item, CERTImportCertificateFunc f, void *arg)
+{
+    SEC_PKCS7ContentInfo *contentInfo = NULL;
+    SECStatus rv;
+    SECItem **certs;
+    int count;
+
+    contentInfo = SEC_PKCS7DecodeItem(pkcs7Item, NULL, NULL, NULL, NULL, NULL, 
+				      NULL, NULL);
+    if ( contentInfo == NULL ) {
+	goto loser;
+    }
+
+    if ( SEC_PKCS7ContentType (contentInfo) != SEC_OID_PKCS7_SIGNED_DATA ) {
+	goto loser;
+    }
+
+    certs = contentInfo->content.signedData->rawCerts;
+    if ( certs ) {
+	count = 0;
+	
+	while ( *certs ) {
+	    count++;
+	    certs++;
+	}
+	rv = (* f)(arg, contentInfo->content.signedData->rawCerts, count);
+    }
+    
+    rv = SECSuccess;
+    
+    goto done;
+loser:
+    rv = SECFailure;
+    
+done:
+    if ( contentInfo ) {
+	SEC_PKCS7DestroyContentInfo(contentInfo);
+    }
+
+    return(rv);
+}
+
+const SEC_ASN1Template SEC_CertSequenceTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, 0, SEC_ASN1_SUB(SEC_AnyTemplate) }
+};
+
+SECStatus
+SEC_ReadCertSequence(SECItem *certsItem, CERTImportCertificateFunc f, void *arg)
+{
+    SECStatus rv;
+    SECItem **certs;
+    int count;
+    SECItem **rawCerts = NULL;
+    PRArenaPool *arena;
+    SEC_PKCS7ContentInfo *contentInfo = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	return SECFailure;
+    }
+
+    contentInfo = SEC_PKCS7DecodeItem(certsItem, NULL, NULL, NULL, NULL, NULL, 
+				      NULL, NULL);
+    if ( contentInfo == NULL ) {
+	goto loser;
+    }
+
+    if ( SEC_PKCS7ContentType (contentInfo) != SEC_OID_NS_TYPE_CERT_SEQUENCE ) {
+	goto loser;
+    }
+
+
+    rv = SEC_ASN1DecodeItem(arena, &rawCerts, SEC_CertSequenceTemplate,
+		    contentInfo->content.data);
+
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    certs = rawCerts;
+    if ( certs ) {
+	count = 0;
+	
+	while ( *certs ) {
+	    count++;
+	    certs++;
+	}
+	rv = (* f)(arg, rawCerts, count);
+    }
+    
+    rv = SECSuccess;
+    
+    goto done;
+loser:
+    rv = SECFailure;
+    
+done:
+    if ( contentInfo ) {
+	SEC_PKCS7DestroyContentInfo(contentInfo);
+    }
+
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(rv);
+}
+
+CERTCertificate *
+CERT_ConvertAndDecodeCertificate(char *certstr)
+{
+    CERTCertificate *cert;
+    SECStatus rv;
+    SECItem der;
+
+    rv = ATOB_ConvertAsciiToItem(&der, certstr);
+    if (rv != SECSuccess)
+	return NULL;
+
+    cert = CERT_DecodeDERCertificate(&der, PR_TRUE, NULL);
+
+    PORT_Free(der.data);
+    return cert;
+}
+
+#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
+#define NS_CERT_TRAILER "-----END CERTIFICATE-----"
+
+#define CERTIFICATE_TYPE_STRING "certificate"
+#define CERTIFICATE_TYPE_LEN (sizeof(CERTIFICATE_TYPE_STRING)-1)
+
+CERTPackageType
+CERT_CertPackageType(SECItem *package, SECItem *certitem)
+{
+    unsigned char *cp;
+    int seqLen, seqLenLen;
+    SECItem oiditem;
+    SECOidData *oiddata;
+    CERTPackageType type = certPackageNone;
+    
+    cp = package->data;
+
+    /* is a DER encoded certificate of some type? */
+    if ( ( *cp  & 0x1f ) == SEC_ASN1_SEQUENCE ) {
+	cp++;
+	
+	if ( *cp & 0x80) {
+	    /* Multibyte length */
+	    seqLenLen = cp[0] & 0x7f;
+	    
+	    switch (seqLenLen) {
+	      case 4:
+		seqLen = ((unsigned long)cp[1]<<24) |
+		    ((unsigned long)cp[2]<<16) | (cp[3]<<8) | cp[4];
+		break;
+	      case 3:
+		seqLen = ((unsigned long)cp[1]<<16) | (cp[2]<<8) | cp[3];
+		break;
+	      case 2:
+		seqLen = (cp[1]<<8) | cp[2];
+		break;
+	      case 1:
+		seqLen = cp[1];
+		break;
+	      default:
+		/* indefinite length */
+		seqLen = 0;
+	    }
+	    cp += ( seqLenLen + 1 );
+
+	} else {
+	    seqLenLen = 0;
+	    seqLen = *cp;
+	    cp++;
+	}
+
+	/* check entire length if definite length */
+	if ( seqLen || seqLenLen ) {
+	    if ( package->len != ( seqLen + seqLenLen + 2 ) ) {
+		/* not a DER package */
+		return(type);
+	    }
+	}
+	
+	/* check the type string */
+	/* netscape wrapped DER cert */
+	if ( ( cp[0] == SEC_ASN1_OCTET_STRING ) &&
+	    ( cp[1] == CERTIFICATE_TYPE_LEN ) &&
+	    ( PORT_Strcmp((char *)&cp[2], CERTIFICATE_TYPE_STRING) ) ) {
+	    
+	    cp += ( CERTIFICATE_TYPE_LEN + 2 );
+
+	    /* it had better be a certificate by now!! */
+	    if ( certitem ) {
+		certitem->data = cp;
+		certitem->len = package->len -
+		    ( cp - (unsigned char *)package->data );
+	    }
+	    type = certPackageNSCertWrap;
+	    
+	} else if ( cp[0] == SEC_ASN1_OBJECT_ID ) {
+	    /* XXX - assume DER encoding of OID len!! */
+	    oiditem.len = cp[1];
+	    oiditem.data = (unsigned char *)&cp[2];
+	    oiddata = SECOID_FindOID(&oiditem);
+	    if ( oiddata == NULL ) {
+		/* failure */
+		return(type);
+	    }
+
+	    if ( certitem ) {
+		certitem->data = package->data;
+		certitem->len = package->len;
+	    }
+	    
+	    switch ( oiddata->offset ) {
+	      case SEC_OID_PKCS7_SIGNED_DATA:
+		type = certPackagePKCS7;
+		break;
+	      case SEC_OID_NS_TYPE_CERT_SEQUENCE:
+		type = certPackageNSCertSeq;
+		break;
+	      default:
+		break;
+	    }
+	    
+	} else {
+	    /* it had better be a certificate by now!! */
+	    if ( certitem ) {
+		certitem->data = package->data;
+		certitem->len = package->len;
+	    }
+	    
+	    type = certPackageCert;
+	}
+    }
+
+    return(type);
+}
+
+/*
+ * read an old style ascii or binary certificate chain
+ */
+SECStatus
+CERT_DecodeCertPackage(char *certbuf,
+		       int certlen,
+		       CERTImportCertificateFunc f,
+		       void *arg)
+{
+    unsigned char *cp;
+    int seqLen, seqLenLen;
+    int cl;
+    unsigned char *bincert = NULL, *certbegin = NULL, *certend = NULL;
+    unsigned int binLen;
+    char *ascCert = NULL;
+    int asciilen;
+    CERTCertificate *cert;
+    SECItem certitem, oiditem;
+    SECStatus rv;
+    SECOidData *oiddata;
+    SECItem *pcertitem = &certitem;
+    
+    if ( certbuf == NULL ) {
+	return(SECFailure);
+    }
+    
+    cert = 0;
+    cp = (unsigned char *)certbuf;
+
+    /* is a DER encoded certificate of some type? */
+    if ( ( *cp  & 0x1f ) == SEC_ASN1_SEQUENCE ) {
+	cp++;
+	
+	if ( *cp & 0x80) {
+	    /* Multibyte length */
+	    seqLenLen = cp[0] & 0x7f;
+	    
+	    switch (seqLenLen) {
+	      case 4:
+		seqLen = ((unsigned long)cp[1]<<24) |
+		    ((unsigned long)cp[2]<<16) | (cp[3]<<8) | cp[4];
+		break;
+	      case 3:
+		seqLen = ((unsigned long)cp[1]<<16) | (cp[2]<<8) | cp[3];
+		break;
+	      case 2:
+		seqLen = (cp[1]<<8) | cp[2];
+		break;
+	      case 1:
+		seqLen = cp[1];
+		break;
+	      default:
+		/* indefinite length */
+		seqLen = 0;
+	    }
+	    cp += ( seqLenLen + 1 );
+
+	} else {
+	    seqLenLen = 0;
+	    seqLen = *cp;
+	    cp++;
+	}
+
+	/* check entire length if definite length */
+	if ( seqLen || seqLenLen ) {
+	    if ( certlen != ( seqLen + seqLenLen + 2 ) ) {
+		goto notder;
+	    }
+	}
+	
+	/* check the type string */
+	/* netscape wrapped DER cert */
+	if ( ( cp[0] == SEC_ASN1_OCTET_STRING ) &&
+	    ( cp[1] == CERTIFICATE_TYPE_LEN ) &&
+	    ( PORT_Strcmp((char *)&cp[2], CERTIFICATE_TYPE_STRING) ) ) {
+	    
+	    cp += ( CERTIFICATE_TYPE_LEN + 2 );
+
+	    /* it had better be a certificate by now!! */
+	    certitem.data = cp;
+	    certitem.len = certlen - ( cp - (unsigned char *)certbuf );
+	    
+	    rv = (* f)(arg, &pcertitem, 1);
+	    
+	    return(rv);
+	} else if ( cp[0] == SEC_ASN1_OBJECT_ID ) {
+	    /* XXX - assume DER encoding of OID len!! */
+	    oiditem.len = cp[1];
+	    oiditem.data = (unsigned char *)&cp[2];
+	    oiddata = SECOID_FindOID(&oiditem);
+	    if ( oiddata == NULL ) {
+		return(SECFailure);
+	    }
+
+	    certitem.data = (unsigned char*)certbuf;
+	    certitem.len = certlen;
+	    
+	    switch ( oiddata->offset ) {
+	      case SEC_OID_PKCS7_SIGNED_DATA:
+		return(SEC_ReadPKCS7Certs(&certitem, f, arg));
+		break;
+	      case SEC_OID_NS_TYPE_CERT_SEQUENCE:
+		return(SEC_ReadCertSequence(&certitem, f, arg));
+		break;
+	      default:
+		break;
+	    }
+	    
+	} else {
+	    /* it had better be a certificate by now!! */
+	    certitem.data = (unsigned char*)certbuf;
+	    certitem.len = certlen;
+	    
+	    rv = (* f)(arg, &pcertitem, 1);
+	    return(rv);
+	}
+    }
+
+    /* now look for a netscape base64 ascii encoded cert */
+notder:
+    cp = (unsigned char *)certbuf;
+    cl = certlen;
+    certbegin = 0;
+    certend = 0;
+
+    /* find the beginning marker */
+    while ( cl > sizeof(NS_CERT_HEADER) ) {
+	if ( !PORT_Strncasecmp((char *)cp, NS_CERT_HEADER,
+			     sizeof(NS_CERT_HEADER)-1) ) {
+	    cp = cp + sizeof(NS_CERT_HEADER);
+	    certbegin = cp;
+	    break;
+	}
+	
+	/* skip to next eol */
+	do {
+	    cp++;
+	    cl--;
+	} while ( ( *cp != '\n') && cl );
+
+	/* skip all blank lines */
+	while ( ( *cp == '\n') && cl ) {
+	    cp++;
+	    cl--;
+	}
+    }
+
+    if ( certbegin ) {
+
+	/* find the ending marker */
+	while ( cl > sizeof(NS_CERT_TRAILER) ) {
+	    if ( !PORT_Strncasecmp((char *)cp, NS_CERT_TRAILER,
+				 sizeof(NS_CERT_TRAILER)-1) ) {
+		certend = (unsigned char *)cp;
+		break;
+	    }
+
+	    /* skip to next eol */
+	    do {
+		cp++;
+		cl--;
+	    } while ( ( *cp != '\n') && cl );
+
+	    /* skip all blank lines */
+	    while ( ( *cp == '\n') && cl ) {
+		cp++;
+		cl--;
+	    }
+	}
+    }
+
+    if ( certbegin && certend ) {
+
+	/* Convert the ASCII data into a nul-terminated string */
+	asciilen = certend - certbegin;
+	ascCert = (char *)PORT_Alloc(asciilen+1);
+	if (!ascCert) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+
+	PORT_Memcpy(ascCert, certbegin, asciilen);
+	ascCert[asciilen] = '\0';
+	
+	/* convert to binary */
+	bincert = ATOB_AsciiToData(ascCert, &binLen);
+	if (!bincert) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+
+	/* now recurse to decode the binary */
+	rv = CERT_DecodeCertPackage((char *)bincert, binLen, f, arg);
+	
+    } else {
+	rv = SECFailure;
+    }
+
+loser:
+
+    if ( bincert ) {
+	PORT_Free(bincert);
+    }
+
+    if ( ascCert ) {
+	PORT_Free(ascCert);
+    }
+
+    return(rv);
+}
+
+typedef struct {
+    PRArenaPool *arena;
+    SECItem cert;
+} collect_args;
+
+static SECStatus
+collect_certs(void *arg, SECItem **certs, int numcerts)
+{
+    SECStatus rv;
+    collect_args *collectArgs;
+    
+    collectArgs = (collect_args *)arg;
+    
+    rv = SECITEM_CopyItem(collectArgs->arena, &collectArgs->cert, *certs);
+
+    return(rv);
+}
+
+
+/*
+ * read an old style ascii or binary certificate
+ */
+CERTCertificate *
+CERT_DecodeCertFromPackage(char *certbuf, int certlen)
+{
+    collect_args collectArgs;
+    SECStatus rv;
+    CERTCertificate *cert = NULL;
+    
+    collectArgs.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    rv = CERT_DecodeCertPackage(certbuf, certlen, collect_certs,
+				(void *)&collectArgs);
+    if ( rv == SECSuccess ) {
+	cert = CERT_DecodeDERCertificate(&collectArgs.cert, PR_TRUE, NULL);
+    }
+    
+    PORT_FreeArena(collectArgs.arena, PR_FALSE);
+    
+    return(cert);
+}
diff --git a/security/nss/lib/pkcs7/config.mk b/security/nss/lib/pkcs7/config.mk
new file mode 100644
index 000000000..ec34728f9
--- /dev/null
+++ b/security/nss/lib/pkcs7/config.mk
@@ -0,0 +1,42 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
diff --git a/security/nss/lib/pkcs7/manifest.mn b/security/nss/lib/pkcs7/manifest.mn
new file mode 100644
index 000000000..64cc3e05f
--- /dev/null
+++ b/security/nss/lib/pkcs7/manifest.mn
@@ -0,0 +1,60 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+CORE_DEPTH = ../../..
+
+EXPORTS = \
+	secmime.h \
+	secpkcs7.h \
+	pkcs7t.h \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	p7local.h \
+	$(NULL)
+
+MODULE = security
+
+CSRCS = \
+	certread.c \
+	p7common.c \
+	p7create.c \
+	p7decode.c \
+	p7encode.c \
+	p7local.c  \
+	secmime.c  \
+	$(NULL)
+
+REQUIRES = security dbm
+
+LIBRARY_NAME = pkcs7
diff --git a/security/nss/lib/pkcs7/p7common.c b/security/nss/lib/pkcs7/p7common.c
new file mode 100644
index 000000000..329b078ed
--- /dev/null
+++ b/security/nss/lib/pkcs7/p7common.c
@@ -0,0 +1,747 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * PKCS7 implementation -- the exported parts that are used whether
+ * creating or decoding.
+ *
+ * $Id$
+ */
+
+#include "p7local.h"
+
+#include "cert.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+
+/*
+ * Find out (saving pointer to lookup result for future reference)
+ * and return the inner content type.
+ */
+SECOidTag
+SEC_PKCS7ContentType (SEC_PKCS7ContentInfo *cinfo)
+{
+    if (cinfo->contentTypeTag == NULL)
+	cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
+
+    if (cinfo->contentTypeTag == NULL)
+	return SEC_OID_UNKNOWN;
+
+    return cinfo->contentTypeTag->offset;
+}
+
+
+/*
+ * Destroy a PKCS7 contentInfo and all of its sub-pieces.
+ */
+void
+SEC_PKCS7DestroyContentInfo(SEC_PKCS7ContentInfo *cinfo)
+{
+    SECOidTag kind;
+    CERTCertificate **certs;
+    CERTCertificateList **certlists;
+    SEC_PKCS7SignerInfo **signerinfos;
+    SEC_PKCS7RecipientInfo **recipientinfos;
+
+    PORT_Assert (cinfo->refCount > 0);
+    if (cinfo->refCount <= 0)
+	return;
+
+    cinfo->refCount--;
+    if (cinfo->refCount > 0)
+	return;
+
+    certs = NULL;
+    certlists = NULL;
+    recipientinfos = NULL;
+    signerinfos = NULL;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7EnvelopedData *edp;
+
+	    edp = cinfo->content.envelopedData;
+	    if (edp != NULL) {
+		recipientinfos = edp->recipientInfos;
+	    }
+	}
+	break;
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	{
+	    SEC_PKCS7SignedData *sdp;
+
+	    sdp = cinfo->content.signedData;
+	    if (sdp != NULL) {
+		certs = sdp->certs;
+		certlists = sdp->certLists;
+		signerinfos = sdp->signerInfos;
+	    }
+	}
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7SignedAndEnvelopedData *saedp;
+
+	    saedp = cinfo->content.signedAndEnvelopedData;
+	    if (saedp != NULL) {
+		certs = saedp->certs;
+		certlists = saedp->certLists;
+		recipientinfos = saedp->recipientInfos;
+		signerinfos = saedp->signerInfos;
+		if (saedp->sigKey != NULL)
+		    PK11_FreeSymKey (saedp->sigKey);
+	    }
+	}
+	break;
+      default:
+	/* XXX Anything else that needs to be "manually" freed/destroyed? */
+	break;
+    }
+
+    if (certs != NULL) {
+	CERTCertificate *cert;
+
+	while ((cert = *certs++) != NULL) {
+	    CERT_DestroyCertificate (cert);
+	}
+    }
+
+    if (certlists != NULL) {
+	CERTCertificateList *certlist;
+
+	while ((certlist = *certlists++) != NULL) {
+	    CERT_DestroyCertificateList (certlist);
+	}
+    }
+
+    if (recipientinfos != NULL) {
+	SEC_PKCS7RecipientInfo *ri;
+
+	while ((ri = *recipientinfos++) != NULL) {
+	    if (ri->cert != NULL)
+		CERT_DestroyCertificate (ri->cert);
+	}
+    }
+
+    if (signerinfos != NULL) {
+	SEC_PKCS7SignerInfo *si;
+
+	while ((si = *signerinfos++) != NULL) {
+	    if (si->cert != NULL)
+		CERT_DestroyCertificate (si->cert);
+	    if (si->certList != NULL)
+		CERT_DestroyCertificateList (si->certList);
+	}
+    }
+
+    if (cinfo->poolp != NULL) {
+	PORT_FreeArena (cinfo->poolp, PR_FALSE);	/* XXX clear it? */
+    }
+}
+
+
+/*
+ * Return a copy of the given contentInfo.  The copy may be virtual
+ * or may be real -- either way, the result needs to be passed to
+ * SEC_PKCS7DestroyContentInfo later (as does the original).
+ */
+SEC_PKCS7ContentInfo *
+SEC_PKCS7CopyContentInfo(SEC_PKCS7ContentInfo *cinfo)
+{
+    if (cinfo == NULL)
+	return NULL;
+
+    PORT_Assert (cinfo->refCount > 0);
+
+    if (cinfo->created) {
+	/*
+	 * Want to do a real copy of these; otherwise subsequent
+	 * changes made to either copy are likely to be a surprise.
+	 * XXX I suspect that this will not actually be called for yet,
+	 * which is why the assert, so to notice if it is...
+	 */
+	PORT_Assert (0);
+	/*
+	 * XXX Create a new pool here, and copy everything from
+	 * within.  For cert stuff, need to call the appropriate
+	 * copy functions, etc.
+	 */
+    }
+
+    cinfo->refCount++;
+    return cinfo;
+}
+
+
+/*
+ * Return a pointer to the actual content.  In the case of those types
+ * which are encrypted, this returns the *plain* content.
+ * XXX Needs revisiting if/when we handle nested encrypted types.
+ */
+SECItem *
+SEC_PKCS7GetContent(SEC_PKCS7ContentInfo *cinfo)
+{
+    SECOidTag kind;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      case SEC_OID_PKCS7_DATA:
+	return cinfo->content.data;
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+	{
+	    SEC_PKCS7DigestedData *digd;
+
+	    digd = cinfo->content.digestedData;
+	    if (digd == NULL)
+		break;
+	    return SEC_PKCS7GetContent (&(digd->contentInfo));
+	}
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	{
+	    SEC_PKCS7EncryptedData *encd;
+
+	    encd = cinfo->content.encryptedData;
+	    if (encd == NULL)
+		break;
+	    return &(encd->encContentInfo.plainContent);
+	}
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7EnvelopedData *envd;
+
+	    envd = cinfo->content.envelopedData;
+	    if (envd == NULL)
+		break;
+	    return &(envd->encContentInfo.plainContent);
+	}
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	{
+	    SEC_PKCS7SignedData *sigd;
+
+	    sigd = cinfo->content.signedData;
+	    if (sigd == NULL)
+		break;
+	    return SEC_PKCS7GetContent (&(sigd->contentInfo));
+	}
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7SignedAndEnvelopedData *saed;
+
+	    saed = cinfo->content.signedAndEnvelopedData;
+	    if (saed == NULL)
+		break;
+	    return &(saed->encContentInfo.plainContent);
+	}
+      default:
+	PORT_Assert(0);
+	break;
+    }
+
+    return NULL;
+}
+
+
+/*
+ * XXX Fix the placement and formatting of the
+ * following routines (i.e. make them consistent with the rest of
+ * the pkcs7 code -- I think some/many belong in other files and
+ * they all need a formatting/style rehaul)
+ */
+
+/* retrieve the algorithm identifier for encrypted data.  
+ * the identifier returned is a copy of the algorithm identifier
+ * in the content info and needs to be freed after being used.
+ *
+ *   cinfo is the content info for which to retrieve the
+ *     encryption algorithm.
+ *
+ * if the content info is not encrypted data or an error 
+ * occurs NULL is returned.
+ */
+SECAlgorithmID *
+SEC_PKCS7GetEncryptionAlgorithm(SEC_PKCS7ContentInfo *cinfo)
+{
+  SECAlgorithmID *alg = 0;
+  switch (SEC_PKCS7ContentType(cinfo))
+    {
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+      alg = &cinfo->content.encryptedData->encContentInfo.contentEncAlg;
+      break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+      alg = &cinfo->content.envelopedData->encContentInfo.contentEncAlg;
+      break;
+    case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+      alg = &cinfo->content.signedAndEnvelopedData
+	->encContentInfo.contentEncAlg;
+      break;
+    default:
+      alg = 0;
+      break;
+    }
+
+    return alg;
+}
+
+/* set the content of the content info.  For data content infos,
+ * the data is set.  For encrytped content infos, the plainContent
+ * is set, and is expected to be encrypted later.
+ *  
+ * cinfo is the content info where the data will be set
+ *
+ * buf is a buffer of the data to set
+ *
+ * len is the length of the data being set.
+ *
+ * in the event of an error, SECFailure is returned.  SECSuccess 
+ * indicates the content was successfully set.
+ */
+SECStatus 
+SEC_PKCS7SetContent(SEC_PKCS7ContentInfo *cinfo,
+		    const char *buf, 
+		    unsigned long len)
+{
+    SECOidTag cinfo_type;
+    SECStatus rv;
+    SECItem content;
+    SECOidData *contentTypeTag = NULL;
+
+    content.data = (unsigned char *)buf;
+    content.len = len;
+
+    cinfo_type = SEC_PKCS7ContentType(cinfo);
+
+    /* set inner content */
+    switch(cinfo_type)
+    {
+	case SEC_OID_PKCS7_SIGNED_DATA:
+	    if(content.len > 0) {
+		/* we "leak" the old content here, but as it's all in the pool */
+		/* it does not really matter */
+
+		/* create content item if necessary */
+		if (cinfo->content.signedData->contentInfo.content.data == NULL)
+		    cinfo->content.signedData->contentInfo.content.data = SECITEM_AllocItem(cinfo->poolp, NULL, 0);
+		rv = SECITEM_CopyItem(cinfo->poolp, 
+			cinfo->content.signedData->contentInfo.content.data,
+			&content);
+	    } else {
+		cinfo->content.signedData->contentInfo.content.data->data = NULL;
+		cinfo->content.signedData->contentInfo.content.data->len = 0;
+		rv = SECSuccess;
+	    }
+	    if(rv == SECFailure)
+		goto loser;
+	    
+	    break;
+	case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	    /* XXX this forces the inner content type to be "data" */
+	    /* do we really want to override without asking or reason? */
+	    contentTypeTag = SECOID_FindOIDByTag(SEC_OID_PKCS7_DATA);
+	    if(contentTypeTag == NULL)
+		goto loser;
+	    rv = SECITEM_CopyItem(cinfo->poolp, 
+		&(cinfo->content.encryptedData->encContentInfo.contentType),
+		&(contentTypeTag->oid));
+	    if(rv == SECFailure)
+		goto loser;
+	    if(content.len > 0) {
+		rv = SECITEM_CopyItem(cinfo->poolp, 
+			&(cinfo->content.encryptedData->encContentInfo.plainContent),
+			&content);
+	    } else {
+		cinfo->content.encryptedData->encContentInfo.plainContent.data = NULL;
+		cinfo->content.encryptedData->encContentInfo.encContent.data = NULL;
+		cinfo->content.encryptedData->encContentInfo.plainContent.len = 0;
+		cinfo->content.encryptedData->encContentInfo.encContent.len = 0;
+		rv = SECSuccess;
+	    }
+	    if(rv == SECFailure)
+		goto loser;
+	    break;
+	case SEC_OID_PKCS7_DATA:
+	    cinfo->content.data = (SECItem *)PORT_ArenaZAlloc(cinfo->poolp,
+		sizeof(SECItem));
+	    if(cinfo->content.data == NULL)
+		goto loser;
+	    if(content.len > 0) {
+		rv = SECITEM_CopyItem(cinfo->poolp,
+			cinfo->content.data, &content);
+	    } else {
+	    	/* handle case with NULL content */
+		rv = SECSuccess;
+	    }
+	    if(rv == SECFailure)
+		goto loser;
+	    break;
+	default:
+	    goto loser;
+    }
+
+    return SECSuccess;
+
+loser:
+	
+    return SECFailure;
+}
+
+/* the content of an encrypted data content info is encrypted.
+ * it is assumed that for encrypted data, that the data has already
+ * been set and is in the "plainContent" field of the content info.
+ *
+ * cinfo is the content info to encrypt
+ *
+ * key is the key with which to perform the encryption.  if the
+ *     algorithm is a password based encryption algorithm, the
+ *     key is actually a password which will be processed per
+ *     PKCS #5.
+ * 
+ * in the event of an error, SECFailure is returned.  SECSuccess
+ * indicates a success.
+ */
+SECStatus 
+SEC_PKCS7EncryptContents(PRArenaPool *poolp,
+			 SEC_PKCS7ContentInfo *cinfo,
+			 SECItem *key,
+			 void *wincx)
+{
+    SECAlgorithmID *algid 	= NULL;
+    SECItem *       result 	= NULL;
+    SECItem *       src;
+    SECItem *       dest;
+    SECItem *       blocked_data = NULL;
+    void *          mark;
+    void *          cx;
+    PK11SymKey *    eKey 	= NULL;
+    PK11SlotInfo *  slot 	= NULL;
+
+    CK_MECHANISM    pbeMech;
+    CK_MECHANISM    cryptoMech;
+    int             bs;
+    SECOidTag       algtag;
+    SECStatus       rv 		= SECFailure;
+    SECItem         c_param;
+
+    if((cinfo == NULL) || (key == NULL))
+	return SECFailure;
+
+    if(SEC_PKCS7ContentType(cinfo) != SEC_OID_PKCS7_ENCRYPTED_DATA)
+	return SECFailure;
+
+    algid = SEC_PKCS7GetEncryptionAlgorithm(cinfo);	
+    if(algid == NULL)
+	return SECFailure;
+
+    if(poolp == NULL)
+	poolp = cinfo->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+    
+    src = &cinfo->content.encryptedData->encContentInfo.plainContent;
+    dest = &cinfo->content.encryptedData->encContentInfo.encContent;
+    algtag = SECOID_GetAlgorithmTag(algid);
+    c_param.data = NULL;
+    dest->data = (unsigned char*)PORT_ArenaZAlloc(poolp, (src->len + 64));
+    dest->len = (src->len + 64);
+    if(dest->data == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    slot = PK11_GetInternalKeySlot();
+    if(slot == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+    pbeMech.mechanism = PK11_AlgtagToMechanism(algtag);
+    result = PK11_ParamFromAlgid(algid);
+    if (result == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+    pbeMech.pParameter = result->data;
+    pbeMech.ulParameterLen = result->len;
+
+    eKey = PK11_RawPBEKeyGen(slot, pbeMech.mechanism, result, key, PR_FALSE,
+								 wincx);
+    if(eKey == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    if(PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, key, 
+			PR_FALSE) != CKR_OK) {
+	rv = SECFailure;
+	goto loser;
+    }
+    c_param.data = (unsigned char *)cryptoMech.pParameter;
+    c_param.len = cryptoMech.ulParameterLen;
+
+    /* block according to PKCS 8 */
+    bs = PK11_GetBlockSize(cryptoMech.mechanism, &c_param);
+    rv = SECSuccess;
+    if(bs) {
+	char pad_char;
+	pad_char = (char)(bs - (src->len % bs));
+	if(src->len % bs) {
+	    rv = SECSuccess;
+	    blocked_data = PK11_BlockData(src, bs);
+	    if(blocked_data) {
+		PORT_Memset((blocked_data->data + blocked_data->len - (int)pad_char), 
+			    pad_char, (int)pad_char);
+	    } else {
+		rv = SECFailure;
+		goto loser;
+	    }
+	} else {
+	    blocked_data = SECITEM_DupItem(src);
+	    if(blocked_data) {
+		blocked_data->data = (unsigned char*)PORT_Realloc(
+						  blocked_data->data,
+						  blocked_data->len + bs);
+		if(blocked_data->data) {
+		    blocked_data->len += bs;
+		    PORT_Memset((blocked_data->data + src->len), (char)bs, bs);
+		} else {
+		    rv = SECFailure;
+		    goto loser;
+		}
+	    } else {
+		rv = SECFailure;
+		goto loser;
+	    }
+	 }
+    } else {
+	blocked_data = SECITEM_DupItem(src);
+	if(!blocked_data) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+    }
+
+    cx = PK11_CreateContextBySymKey(cryptoMech.mechanism, CKA_ENCRYPT,
+		    		    eKey, &c_param);
+    if(cx == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    rv = PK11_CipherOp((PK11Context*)cx, dest->data, (int *)(&dest->len), 
+		       (int)(src->len + 64), blocked_data->data, 
+		       (int)blocked_data->len);
+    PK11_DestroyContext((PK11Context*)cx, PR_TRUE);
+
+loser:
+    /* let success fall through */
+    if(blocked_data != NULL)
+	SECITEM_ZfreeItem(blocked_data, PR_TRUE);
+
+    if(result != NULL)
+	SECITEM_ZfreeItem(result, PR_TRUE);
+
+    if(rv == SECFailure)
+	PORT_ArenaRelease(poolp, mark);
+    else 
+	PORT_ArenaUnmark(poolp, mark);
+
+    if(eKey != NULL)
+	PK11_FreeSymKey(eKey);
+
+    if(slot != NULL)
+	PK11_FreeSlot(slot);
+
+    if(c_param.data != NULL) 
+	SECITEM_ZfreeItem(&c_param, PR_FALSE);
+	
+    return rv;
+}
+
+/* the content of an encrypted data content info is decrypted.
+ * it is assumed that for encrypted data, that the data has already
+ * been set and is in the "encContent" field of the content info.
+ *
+ * cinfo is the content info to decrypt
+ *
+ * key is the key with which to perform the decryption.  if the
+ *     algorithm is a password based encryption algorithm, the
+ *     key is actually a password which will be processed per
+ *     PKCS #5.
+ * 
+ * in the event of an error, SECFailure is returned.  SECSuccess
+ * indicates a success.
+ */
+SECStatus 
+SEC_PKCS7DecryptContents(PRArenaPool *poolp,
+			 SEC_PKCS7ContentInfo *cinfo,
+			 SECItem *key,
+			 void *wincx)
+{
+    SECAlgorithmID *algid = NULL;
+    SECOidTag algtag;
+    SECStatus rv = SECFailure;
+    SECItem *result = NULL, *dest, *src;
+    void *mark;
+
+    PK11SymKey *eKey = NULL;
+    PK11SlotInfo *slot = NULL;
+    CK_MECHANISM pbeMech, cryptoMech;
+    void *cx;
+    SECItem c_param;
+    int bs;
+
+    if((cinfo == NULL) || (key == NULL))
+	return SECFailure;
+
+    if(SEC_PKCS7ContentType(cinfo) != SEC_OID_PKCS7_ENCRYPTED_DATA)
+	return SECFailure;
+
+    algid = SEC_PKCS7GetEncryptionAlgorithm(cinfo);	
+    if(algid == NULL)
+	return SECFailure;
+
+    if(poolp == NULL)
+	poolp = cinfo->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+    
+    src = &cinfo->content.encryptedData->encContentInfo.encContent;
+    dest = &cinfo->content.encryptedData->encContentInfo.plainContent;
+    algtag = SECOID_GetAlgorithmTag(algid);
+    c_param.data = NULL;
+    dest->data = (unsigned char*)PORT_ArenaZAlloc(poolp, (src->len + 64));
+    dest->len = (src->len + 64);
+    if(dest->data == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    slot = PK11_GetInternalKeySlot();
+    if(slot == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+    pbeMech.mechanism = PK11_AlgtagToMechanism(algtag);
+    result = PK11_ParamFromAlgid(algid);
+    if (result == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+    pbeMech.pParameter = result->data;
+    pbeMech.ulParameterLen = result->len;
+    eKey = PK11_RawPBEKeyGen(slot,pbeMech.mechanism,result,key,PR_FALSE,wincx);
+    if(eKey == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    if(PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, key,
+			PR_FALSE) != CKR_OK) {
+	rv = SECFailure;
+	goto loser;
+    }
+    c_param.data = (unsigned char *)cryptoMech.pParameter;
+    c_param.len = cryptoMech.ulParameterLen;
+
+    cx = PK11_CreateContextBySymKey(cryptoMech.mechanism, CKA_DECRYPT,
+		    		    eKey, &c_param);
+    if(cx == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    rv = PK11_CipherOp((PK11Context*)cx, dest->data, (int *)(&dest->len), 
+		       (int)(src->len + 64), src->data, (int)src->len);
+    PK11_DestroyContext((PK11Context *)cx, PR_TRUE);
+
+    bs = PK11_GetBlockSize(cryptoMech.mechanism, &c_param);
+    if(bs) {
+	/* check for proper badding in block algorithms.  this assumes
+	 * RC2 cbc or a DES cbc variant.  and the padding is thus defined
+	 */
+	if(((int)dest->data[dest->len-1] <= bs) && 
+	   ((int)dest->data[dest->len-1] > 0)) {
+	    dest->len -= (int)dest->data[dest->len-1];
+	} else {
+	    rv = SECFailure;
+	    /* set an error ? */
+	}
+    } 
+
+loser:
+    /* let success fall through */
+    if(result != NULL)
+	SECITEM_ZfreeItem(result, PR_TRUE);
+
+    if(rv == SECFailure)
+	PORT_ArenaRelease(poolp, mark);
+    else
+	PORT_ArenaUnmark(poolp, mark);
+
+    if(eKey != NULL)
+	PK11_FreeSymKey(eKey);
+
+    if(slot != NULL)
+	PK11_FreeSlot(slot);
+
+    if(c_param.data != NULL) 
+	SECITEM_ZfreeItem(&c_param, PR_FALSE);
+	
+    return rv;
+}
+
+SECItem **
+SEC_PKCS7GetCertificateList(SEC_PKCS7ContentInfo *cinfo)
+{
+    switch(SEC_PKCS7ContentType(cinfo))
+    {
+	case SEC_OID_PKCS7_SIGNED_DATA:
+	    return cinfo->content.signedData->rawCerts;
+	    break;
+	default:
+	    return NULL;
+	    break;
+    }
+}
+
+
+int
+SEC_PKCS7GetKeyLength(SEC_PKCS7ContentInfo *cinfo)
+{
+  if (cinfo->contentTypeTag->offset == SEC_OID_PKCS7_ENVELOPED_DATA)
+    return cinfo->content.envelopedData->encContentInfo.keysize;
+  else
+    return 0;
+}
+
diff --git a/security/nss/lib/pkcs7/p7create.c b/security/nss/lib/pkcs7/p7create.c
new file mode 100644
index 000000000..47bdee60c
--- /dev/null
+++ b/security/nss/lib/pkcs7/p7create.c
@@ -0,0 +1,1320 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * PKCS7 creation.
+ *
+ * $Id$
+ */
+
+#include "p7local.h"
+
+#include "cert.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "prtime.h"
+#include "secerr.h"
+#include "secder.h"
+
+static SECStatus
+sec_pkcs7_init_content_info (SEC_PKCS7ContentInfo *cinfo, PRArenaPool *poolp,
+			     SECOidTag kind, PRBool detached)
+{
+    void *thing;
+    int version;
+    SECItem *versionp;
+    SECStatus rv;
+
+    PORT_Assert (cinfo != NULL && poolp != NULL);
+    if (cinfo == NULL || poolp == NULL)
+	return SECFailure;
+
+    cinfo->contentTypeTag = SECOID_FindOIDByTag (kind);
+    PORT_Assert (cinfo->contentTypeTag
+		 && cinfo->contentTypeTag->offset == kind);
+
+    rv = SECITEM_CopyItem (poolp, &(cinfo->contentType),
+			   &(cinfo->contentTypeTag->oid));
+    if (rv != SECSuccess)
+	return rv;
+
+    if (detached)
+	return SECSuccess;
+
+    switch (kind) {
+      default:
+      case SEC_OID_PKCS7_DATA:
+	thing = PORT_ArenaZAlloc (poolp, sizeof(SECItem));
+	cinfo->content.data = (SECItem*)thing;
+	versionp = NULL;
+	version = -1;
+	break;
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+	thing = PORT_ArenaZAlloc (poolp, sizeof(SEC_PKCS7DigestedData));
+	cinfo->content.digestedData = (SEC_PKCS7DigestedData*)thing;
+	versionp = &(cinfo->content.digestedData->version);
+	version = SEC_PKCS7_DIGESTED_DATA_VERSION;
+	break;
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	thing = PORT_ArenaZAlloc (poolp, sizeof(SEC_PKCS7EncryptedData));
+	cinfo->content.encryptedData = (SEC_PKCS7EncryptedData*)thing;
+	versionp = &(cinfo->content.encryptedData->version);
+	version = SEC_PKCS7_ENCRYPTED_DATA_VERSION;
+	break;
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+	thing = PORT_ArenaZAlloc (poolp, sizeof(SEC_PKCS7EnvelopedData));
+	cinfo->content.envelopedData = 
+	  (SEC_PKCS7EnvelopedData*)thing;
+	versionp = &(cinfo->content.envelopedData->version);
+	version = SEC_PKCS7_ENVELOPED_DATA_VERSION;
+	break;
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	thing = PORT_ArenaZAlloc (poolp, sizeof(SEC_PKCS7SignedData));
+	cinfo->content.signedData = 
+	  (SEC_PKCS7SignedData*)thing;
+	versionp = &(cinfo->content.signedData->version);
+	version = SEC_PKCS7_SIGNED_DATA_VERSION;
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	thing = PORT_ArenaZAlloc(poolp,sizeof(SEC_PKCS7SignedAndEnvelopedData));
+	cinfo->content.signedAndEnvelopedData = 
+	  (SEC_PKCS7SignedAndEnvelopedData*)thing;
+	versionp = &(cinfo->content.signedAndEnvelopedData->version);
+	version = SEC_PKCS7_SIGNED_AND_ENVELOPED_DATA_VERSION;
+	break;
+    }
+
+    if (thing == NULL)
+	return SECFailure;
+
+    if (versionp != NULL) {
+	SECItem *dummy;
+
+	PORT_Assert (version >= 0);
+	dummy = SEC_ASN1EncodeInteger (poolp, versionp, version);
+	if (dummy == NULL)
+	    return SECFailure;
+	PORT_Assert (dummy == versionp);
+    }
+
+    return SECSuccess;
+}
+
+
+static SEC_PKCS7ContentInfo *
+sec_pkcs7_create_content_info (SECOidTag kind, PRBool detached,
+			       SECKEYGetPasswordKey pwfn, void *pwfn_arg)
+{
+    SEC_PKCS7ContentInfo *cinfo;
+    PRArenaPool *poolp;
+    SECStatus rv;
+
+    poolp = PORT_NewArena (1024);	/* XXX what is right value? */
+    if (poolp == NULL)
+	return NULL;
+
+    cinfo = (SEC_PKCS7ContentInfo*)PORT_ArenaZAlloc (poolp, sizeof(*cinfo));
+    if (cinfo == NULL) {
+	PORT_FreeArena (poolp, PR_FALSE);
+	return NULL;
+    }
+
+    cinfo->poolp = poolp;
+    cinfo->pwfn = pwfn;
+    cinfo->pwfn_arg = pwfn_arg;
+    cinfo->created = PR_TRUE;
+    cinfo->refCount = 1;
+
+    rv = sec_pkcs7_init_content_info (cinfo, poolp, kind, detached);
+    if (rv != SECSuccess) {
+	PORT_FreeArena (poolp, PR_FALSE);
+	return NULL;
+    }
+
+    return cinfo;
+}
+
+
+/*
+ * Add a signer to a PKCS7 thing, verifying the signature cert first.
+ * Any error returns SECFailure.
+ *
+ * XXX Right now this only adds the *first* signer.  It fails if you try
+ * to add a second one -- this needs to be fixed.
+ */
+static SECStatus
+sec_pkcs7_add_signer (SEC_PKCS7ContentInfo *cinfo,
+		      CERTCertificate *     cert,
+		      SECCertUsage          certusage,
+		      CERTCertDBHandle *    certdb,
+		      SECOidTag             digestalgtag,
+		      SECItem *             digestdata)
+{
+    SEC_PKCS7SignerInfo *signerinfo, **signerinfos, ***signerinfosp;
+    SECAlgorithmID      *digestalg,  **digestalgs,  ***digestalgsp;
+    SECItem             *digest,     **digests,     ***digestsp;
+    SECItem *            dummy;
+    void *               mark;
+    SECStatus            rv;
+    SECOidTag            kind;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	{
+	    SEC_PKCS7SignedData *sdp;
+
+	    sdp = cinfo->content.signedData;
+	    digestalgsp = &(sdp->digestAlgorithms);
+	    digestsp = &(sdp->digests);
+	    signerinfosp = &(sdp->signerInfos);
+	}
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7SignedAndEnvelopedData *saedp;
+
+	    saedp = cinfo->content.signedAndEnvelopedData;
+	    digestalgsp = &(saedp->digestAlgorithms);
+	    digestsp = &(saedp->digests);
+	    signerinfosp = &(saedp->signerInfos);
+	}
+	break;
+      default:
+	return SECFailure;		/* XXX set an error? */
+    }
+
+    /*
+     * XXX I think that CERT_VerifyCert should do this if *it* is passed
+     * a NULL database.
+     */
+    if (certdb == NULL) {
+	certdb = CERT_GetDefaultCertDB();
+	if (certdb == NULL)
+	    return SECFailure;		/* XXX set an error? */
+    }
+
+    if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage, PR_Now(),
+			 cinfo->pwfn_arg, NULL) != SECSuccess)
+	{
+	/* XXX Did CERT_VerifyCert set an error? */
+	return SECFailure;
+    }
+
+    /*
+     * XXX This is the check that we do not already have a signer.
+     * This is not what we really want -- we want to allow this
+     * and *add* the new signer.
+     */
+    PORT_Assert (*signerinfosp == NULL
+		 && *digestalgsp == NULL && *digestsp == NULL);
+    if (*signerinfosp != NULL || *digestalgsp != NULL || *digestsp != NULL)
+	return SECFailure;
+
+    mark = PORT_ArenaMark (cinfo->poolp);
+
+    signerinfo = (SEC_PKCS7SignerInfo*)PORT_ArenaZAlloc (cinfo->poolp, 
+						  sizeof(SEC_PKCS7SignerInfo));
+    if (signerinfo == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+
+    dummy = SEC_ASN1EncodeInteger (cinfo->poolp, &signerinfo->version,
+				   SEC_PKCS7_SIGNER_INFO_VERSION);
+    if (dummy == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+    PORT_Assert (dummy == &signerinfo->version);
+
+    signerinfo->cert = CERT_DupCertificate (cert);
+    if (signerinfo->cert == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+
+    signerinfo->issuerAndSN = CERT_GetCertIssuerAndSN (cinfo->poolp, cert);
+    if (signerinfo->issuerAndSN == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+
+    rv = SECOID_SetAlgorithmID (cinfo->poolp, &signerinfo->digestAlg,
+				digestalgtag, NULL);
+    if (rv != SECSuccess) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+
+    /*
+     * Okay, now signerinfo is all set.  We just need to put it and its
+     * companions (another copy of the digest algorithm, and the digest
+     * itself if given) into the main structure.
+     *
+     * XXX If we are handling more than one signer, the following code
+     * needs to look through the digest algorithms already specified
+     * and see if the same one is there already.  If it is, it does not
+     * need to be added again.  Also, if it is there *and* the digest
+     * is not null, then the digest given should match the digest already
+     * specified -- if not, that is an error.  Finally, the new signerinfo
+     * should be *added* to the set already found.
+     */
+
+    signerinfos = (SEC_PKCS7SignerInfo**)PORT_ArenaAlloc (cinfo->poolp,
+				   2 * sizeof(SEC_PKCS7SignerInfo *));
+    if (signerinfos == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+    signerinfos[0] = signerinfo;
+    signerinfos[1] = NULL;
+
+    digestalg = PORT_ArenaZAlloc (cinfo->poolp, sizeof(SECAlgorithmID));
+    digestalgs = PORT_ArenaAlloc (cinfo->poolp, 2 * sizeof(SECAlgorithmID *));
+    if (digestalg == NULL || digestalgs == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+    rv = SECOID_SetAlgorithmID (cinfo->poolp, digestalg, digestalgtag, NULL);
+    if (rv != SECSuccess) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+    digestalgs[0] = digestalg;
+    digestalgs[1] = NULL;
+
+    if (digestdata != NULL) {
+	digest = (SECItem*)PORT_ArenaAlloc (cinfo->poolp, sizeof(SECItem));
+	digests = (SECItem**)PORT_ArenaAlloc (cinfo->poolp, 
+					      2 * sizeof(SECItem *));
+	if (digest == NULL || digests == NULL) {
+	    PORT_ArenaRelease (cinfo->poolp, mark);
+	    return SECFailure;
+	}
+	rv = SECITEM_CopyItem (cinfo->poolp, digest, digestdata);
+	if (rv != SECSuccess) {
+	    PORT_ArenaRelease (cinfo->poolp, mark);
+	    return SECFailure;
+	}
+	digests[0] = digest;
+	digests[1] = NULL;
+    } else {
+	digests = NULL;
+    }
+
+    *signerinfosp = signerinfos;
+    *digestalgsp = digestalgs;
+    *digestsp = digests;
+
+    PORT_ArenaUnmark(cinfo->poolp, mark);
+    return SECSuccess;
+}
+
+
+/*
+ * Helper function for creating an empty signedData.
+ */
+static SEC_PKCS7ContentInfo *
+sec_pkcs7_create_signed_data (SECKEYGetPasswordKey pwfn, void *pwfn_arg)
+{
+    SEC_PKCS7ContentInfo *cinfo;
+    SEC_PKCS7SignedData *sigd;
+    SECStatus rv;
+
+    cinfo = sec_pkcs7_create_content_info (SEC_OID_PKCS7_SIGNED_DATA, PR_FALSE,
+					   pwfn, pwfn_arg);
+    if (cinfo == NULL)
+	return NULL;
+
+    sigd = cinfo->content.signedData;
+    PORT_Assert (sigd != NULL);
+
+    /*
+     * XXX Might we want to allow content types other than data?
+     * If so, via what interface?
+     */
+    rv = sec_pkcs7_init_content_info (&(sigd->contentInfo), cinfo->poolp,
+				      SEC_OID_PKCS7_DATA, PR_TRUE);
+    if (rv != SECSuccess) {
+	SEC_PKCS7DestroyContentInfo (cinfo);
+	return NULL;
+    }
+
+    return cinfo;
+}
+
+
+/*
+ * Start a PKCS7 signing context.
+ *
+ * "cert" is the cert that will be used to sign the data.  It will be
+ * checked for validity.
+ *
+ * "certusage" describes the signing usage (e.g. certUsageEmailSigner)
+ * XXX Maybe SECCertUsage should be split so that our caller just says
+ * "email" and *we* add the "signing" part -- otherwise our caller
+ * could be lying about the usage; we do not want to allow encryption
+ * certs for signing or vice versa.
+ *
+ * "certdb" is the cert database to use for verifying the cert.
+ * It can be NULL if a default database is available (like in the client).
+ * 
+ * "digestalg" names the digest algorithm (e.g. SEC_OID_SHA1).
+ *
+ * "digest" is the actual digest of the data.  It must be provided in
+ * the case of detached data or NULL if the content will be included.
+ *
+ * The return value can be passed to functions which add things to
+ * it like attributes, then eventually to SEC_PKCS7Encode() or to
+ * SEC_PKCS7EncoderStart() to create the encoded data, and finally to
+ * SEC_PKCS7DestroyContentInfo().
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+SEC_PKCS7ContentInfo *
+SEC_PKCS7CreateSignedData (CERTCertificate *cert,
+			   SECCertUsage certusage,
+			   CERTCertDBHandle *certdb,
+			   SECOidTag digestalg,
+			   SECItem *digest,
+ 			   SECKEYGetPasswordKey pwfn, void *pwfn_arg)
+{
+    SEC_PKCS7ContentInfo *cinfo;
+    SECStatus rv;
+
+    cinfo = sec_pkcs7_create_signed_data (pwfn, pwfn_arg);
+    if (cinfo == NULL)
+	return NULL;
+
+    rv = sec_pkcs7_add_signer (cinfo, cert, certusage, certdb,
+			       digestalg, digest);
+    if (rv != SECSuccess) {
+	SEC_PKCS7DestroyContentInfo (cinfo);
+	return NULL;
+    }
+
+    return cinfo;
+}
+
+
+static SEC_PKCS7Attribute *
+sec_pkcs7_create_attribute (PRArenaPool *poolp, SECOidTag oidtag,
+			    SECItem *value, PRBool encoded)
+{
+    SEC_PKCS7Attribute *attr;
+    SECItem **values;
+    void *mark;
+
+    PORT_Assert (poolp != NULL);
+    mark = PORT_ArenaMark (poolp);
+
+    attr = (SEC_PKCS7Attribute*)PORT_ArenaAlloc (poolp, 
+						 sizeof(SEC_PKCS7Attribute));
+    if (attr == NULL)
+	goto loser;
+
+    attr->typeTag = SECOID_FindOIDByTag (oidtag);
+    if (attr->typeTag == NULL)
+	goto loser;
+
+    if (SECITEM_CopyItem (poolp, &(attr->type),
+			  &(attr->typeTag->oid)) != SECSuccess)
+	goto loser;
+
+    values = (SECItem**)PORT_ArenaAlloc (poolp, 2 * sizeof(SECItem *));
+    if (values == NULL)
+	goto loser;
+
+    if (value != NULL) {
+	SECItem *copy;
+
+	copy = (SECItem*)PORT_ArenaAlloc (poolp, sizeof(SECItem));
+	if (copy == NULL)
+	    goto loser;
+
+	if (SECITEM_CopyItem (poolp, copy, value) != SECSuccess)
+	    goto loser;
+
+	value = copy;
+    }
+
+    values[0] = value;
+    values[1] = NULL;
+    attr->values = values;
+    attr->encoded = encoded;
+
+    PORT_ArenaUnmark (poolp, mark);
+    return attr;
+
+loser:
+    PORT_Assert (mark != NULL);
+    PORT_ArenaRelease (poolp, mark);
+    return NULL;
+}
+
+
+static SECStatus
+sec_pkcs7_add_attribute (SEC_PKCS7ContentInfo *cinfo,
+			 SEC_PKCS7Attribute ***attrsp,
+			 SEC_PKCS7Attribute *attr)
+{
+    SEC_PKCS7Attribute **attrs;
+    SECItem *ct_value;
+    void *mark;
+
+    PORT_Assert (SEC_PKCS7ContentType (cinfo) == SEC_OID_PKCS7_SIGNED_DATA);
+    if (SEC_PKCS7ContentType (cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
+	return SECFailure;
+
+    attrs = *attrsp;
+    if (attrs != NULL) {
+	int count;
+
+	/*
+	 * We already have some attributes, and just need to add this
+	 * new one.
+	 */
+
+	/*
+	 * We should already have the *required* attributes, which were
+	 * created/added at the same time the first attribute was added.
+	 */
+	PORT_Assert (sec_PKCS7FindAttribute (attrs,
+					     SEC_OID_PKCS9_CONTENT_TYPE,
+					     PR_FALSE) != NULL);
+	PORT_Assert (sec_PKCS7FindAttribute (attrs,
+					     SEC_OID_PKCS9_MESSAGE_DIGEST,
+					     PR_FALSE) != NULL);
+
+	for (count = 0; attrs[count] != NULL; count++)
+	    ;
+	attrs = (SEC_PKCS7Attribute**)PORT_ArenaGrow (cinfo->poolp, attrs,
+				(count + 1) * sizeof(SEC_PKCS7Attribute *),
+				(count + 2) * sizeof(SEC_PKCS7Attribute *));
+	if (attrs == NULL)
+	    return SECFailure;
+
+	attrs[count] = attr;
+	attrs[count+1] = NULL;
+	*attrsp = attrs;
+
+	return SECSuccess;
+    }
+
+    /*
+     * This is the first time an attribute is going in.
+     * We need to create and add the required attributes, and then
+     * we will also add in the one our caller gave us.
+     */
+
+    /*
+     * There are 2 required attributes, plus the one our caller wants
+     * to add, plus we always end with a NULL one.  Thus, four slots.
+     */
+    attrs = (SEC_PKCS7Attribute**)PORT_ArenaAlloc (cinfo->poolp, 
+					   4 * sizeof(SEC_PKCS7Attribute *));
+    if (attrs == NULL)
+	return SECFailure;
+
+    mark = PORT_ArenaMark (cinfo->poolp);
+
+    /*
+     * First required attribute is the content type of the data
+     * being signed.
+     */
+    ct_value = &(cinfo->content.signedData->contentInfo.contentType);
+    attrs[0] = sec_pkcs7_create_attribute (cinfo->poolp,
+					   SEC_OID_PKCS9_CONTENT_TYPE,
+					   ct_value, PR_FALSE);
+    /*
+     * Second required attribute is the message digest of the data
+     * being signed; we leave the value NULL for now (just create
+     * the place for it to go), and the encoder will fill it in later.
+     */
+    attrs[1] = sec_pkcs7_create_attribute (cinfo->poolp,
+					   SEC_OID_PKCS9_MESSAGE_DIGEST,
+					   NULL, PR_FALSE);
+    if (attrs[0] == NULL || attrs[1] == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure; 
+    }
+
+    attrs[2] = attr;
+    attrs[3] = NULL;
+    *attrsp = attrs;
+
+    PORT_ArenaUnmark (cinfo->poolp, mark);
+    return SECSuccess;
+}
+
+
+/*
+ * Add the signing time to the authenticated (i.e. signed) attributes
+ * of "cinfo".  This is expected to be included in outgoing signed
+ * messages for email (S/MIME) but is likely useful in other situations.
+ *
+ * This should only be added once; a second call will either do
+ * nothing or replace an old signing time with a newer one.
+ *
+ * XXX This will probably just shove the current time into "cinfo"
+ * but it will not actually get signed until the entire item is
+ * processed for encoding.  Is this (expected to be small) delay okay?
+ *
+ * "cinfo" should be of type signedData (the only kind of pkcs7 data
+ * that is allowed authenticated attributes); SECFailure will be returned
+ * if it is not.
+ */
+SECStatus
+SEC_PKCS7AddSigningTime (SEC_PKCS7ContentInfo *cinfo)
+{
+    SEC_PKCS7SignerInfo **signerinfos;
+    SEC_PKCS7Attribute *attr;
+    SECItem stime;
+    SECStatus rv;
+    int si;
+
+    PORT_Assert (SEC_PKCS7ContentType (cinfo) == SEC_OID_PKCS7_SIGNED_DATA);
+    if (SEC_PKCS7ContentType (cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
+	return SECFailure;
+
+    signerinfos = cinfo->content.signedData->signerInfos;
+
+    /* There has to be a signer, or it makes no sense. */
+    if (signerinfos == NULL || signerinfos[0] == NULL)
+	return SECFailure;
+
+    rv = DER_TimeToUTCTime (&stime, PR_Now());
+    if (rv != SECSuccess)
+	return rv;
+
+    attr = sec_pkcs7_create_attribute (cinfo->poolp,
+				       SEC_OID_PKCS9_SIGNING_TIME,
+				       &stime, PR_FALSE);
+    SECITEM_FreeItem (&stime, PR_FALSE);
+
+    if (attr == NULL)
+	return SECFailure;
+
+    rv = SECSuccess;
+    for (si = 0; signerinfos[si] != NULL; si++) {
+	SEC_PKCS7Attribute *oattr;
+
+	oattr = sec_PKCS7FindAttribute (signerinfos[si]->authAttr,
+					SEC_OID_PKCS9_SIGNING_TIME, PR_FALSE);
+	PORT_Assert (oattr == NULL);
+	if (oattr != NULL)
+	    continue;	/* XXX or would it be better to replace it? */
+
+	rv = sec_pkcs7_add_attribute (cinfo, &(signerinfos[si]->authAttr),
+				      attr);
+	if (rv != SECSuccess)
+	    break;	/* could try to continue, but may as well give up now */
+    }
+
+    return rv;
+}
+
+
+/*
+ * Add the specified attribute to the authenticated (i.e. signed) attributes
+ * of "cinfo" -- "oidtag" describes the attribute and "value" is the
+ * value to be associated with it.  NOTE! "value" must already be encoded;
+ * no interpretation of "oidtag" is done.  Also, it is assumed that this
+ * signedData has only one signer -- if we ever need to add attributes
+ * when there is more than one signature, we need a way to specify *which*
+ * signature should get the attribute.
+ *
+ * XXX Technically, a signed attribute can have multiple values; if/when
+ * we ever need to support an attribute which takes multiple values, we
+ * either need to change this interface or create an AddSignedAttributeValue
+ * which can be called subsequently, and would then append a value.
+ *
+ * "cinfo" should be of type signedData (the only kind of pkcs7 data
+ * that is allowed authenticated attributes); SECFailure will be returned
+ * if it is not.
+ */
+SECStatus
+SEC_PKCS7AddSignedAttribute (SEC_PKCS7ContentInfo *cinfo,
+			     SECOidTag oidtag,
+			     SECItem *value)
+{
+    SEC_PKCS7SignerInfo **signerinfos;
+    SEC_PKCS7Attribute *attr;
+
+    PORT_Assert (SEC_PKCS7ContentType (cinfo) == SEC_OID_PKCS7_SIGNED_DATA);
+    if (SEC_PKCS7ContentType (cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
+	return SECFailure;
+
+    signerinfos = cinfo->content.signedData->signerInfos;
+
+    /*
+     * No signature or more than one means no deal.
+     */
+    if (signerinfos == NULL || signerinfos[0] == NULL || signerinfos[1] != NULL)
+	return SECFailure;
+
+    attr = sec_pkcs7_create_attribute (cinfo->poolp, oidtag, value, PR_TRUE);
+    if (attr == NULL)
+	return SECFailure;
+
+    return sec_pkcs7_add_attribute (cinfo, &(signerinfos[0]->authAttr), attr);
+}
+ 
+
+/*
+ * Mark that the signer certificates and their issuing chain should
+ * be included in the encoded data.  This is expected to be used
+ * in outgoing signed messages for email (S/MIME).
+ *
+ * "certdb" is the cert database to use for finding the chain.
+ * It can be NULL, meaning use the default database.
+ *
+ * "cinfo" should be of type signedData or signedAndEnvelopedData;
+ * SECFailure will be returned if it is not.
+ */
+SECStatus
+SEC_PKCS7IncludeCertChain (SEC_PKCS7ContentInfo *cinfo,
+			   CERTCertDBHandle *certdb)
+{
+    SECOidTag kind;
+    SEC_PKCS7SignerInfo *signerinfo, **signerinfos;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	signerinfos = cinfo->content.signedData->signerInfos;
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	signerinfos = cinfo->content.signedAndEnvelopedData->signerInfos;
+	break;
+      default:
+	return SECFailure;		/* XXX set an error? */
+    }
+
+    if (signerinfos == NULL)		/* no signer, no certs? */
+	return SECFailure;		/* XXX set an error? */
+
+    if (certdb == NULL) {
+	certdb = CERT_GetDefaultCertDB();
+	if (certdb == NULL) {
+	    PORT_SetError (SEC_ERROR_BAD_DATABASE);
+	    return SECFailure;
+	}
+    }
+
+    /* XXX Should it be an error if we find no signerinfo or no certs? */
+    while ((signerinfo = *signerinfos++) != NULL) {
+	if (signerinfo->cert != NULL)
+	    /* get the cert chain.  don't send the root to avoid contamination
+	     * of old clients with a new root that they don't trust
+	     */
+	    signerinfo->certList = CERT_CertChainFromCert (signerinfo->cert,
+							   certUsageEmailSigner,
+							   PR_FALSE);
+    }
+
+    return SECSuccess;
+}
+
+
+/*
+ * Helper function to add a certificate chain for inclusion in the
+ * bag of certificates in a signedData.
+ */
+static SECStatus
+sec_pkcs7_add_cert_chain (SEC_PKCS7ContentInfo *cinfo,
+			  CERTCertificate *cert,
+			  CERTCertDBHandle *certdb)
+{
+    SECOidTag kind;
+    CERTCertificateList *certlist, **certlists, ***certlistsp;
+    int count;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	{
+	    SEC_PKCS7SignedData *sdp;
+
+	    sdp = cinfo->content.signedData;
+	    certlistsp = &(sdp->certLists);
+	}
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7SignedAndEnvelopedData *saedp;
+
+	    saedp = cinfo->content.signedAndEnvelopedData;
+	    certlistsp = &(saedp->certLists);
+	}
+	break;
+      default:
+	return SECFailure;		/* XXX set an error? */
+    }
+
+    if (certdb == NULL) {
+	certdb = CERT_GetDefaultCertDB();
+	if (certdb == NULL) {
+	    PORT_SetError (SEC_ERROR_BAD_DATABASE);
+	    return SECFailure;
+	}
+    }
+
+    certlist = CERT_CertChainFromCert (cert, certUsageEmailSigner, PR_FALSE);
+    if (certlist == NULL)
+	return SECFailure;
+
+    certlists = *certlistsp;
+    if (certlists == NULL) {
+	count = 0;
+	certlists = (CERTCertificateList**)PORT_ArenaAlloc (cinfo->poolp,
+				     2 * sizeof(CERTCertificateList *));
+    } else {
+	for (count = 0; certlists[count] != NULL; count++)
+	    ;
+	PORT_Assert (count);	/* should be at least one already */
+	certlists = (CERTCertificateList**)PORT_ArenaGrow (cinfo->poolp, 
+				 certlists,
+				(count + 1) * sizeof(CERTCertificateList *),
+				(count + 2) * sizeof(CERTCertificateList *));
+    }
+
+    if (certlists == NULL) {
+	CERT_DestroyCertificateList (certlist);
+	return SECFailure;
+    }
+
+    certlists[count] = certlist;
+    certlists[count + 1] = NULL;
+
+    *certlistsp = certlists;
+
+    return SECSuccess;
+}
+
+
+/*
+ * Helper function to add a certificate for inclusion in the bag of
+ * certificates in a signedData.
+ */
+static SECStatus
+sec_pkcs7_add_certificate (SEC_PKCS7ContentInfo *cinfo,
+			   CERTCertificate *cert)
+{
+    SECOidTag kind;
+    CERTCertificate **certs, ***certsp;
+    int count;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	{
+	    SEC_PKCS7SignedData *sdp;
+
+	    sdp = cinfo->content.signedData;
+	    certsp = &(sdp->certs);
+	}
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7SignedAndEnvelopedData *saedp;
+
+	    saedp = cinfo->content.signedAndEnvelopedData;
+	    certsp = &(saedp->certs);
+	}
+	break;
+      default:
+	return SECFailure;		/* XXX set an error? */
+    }
+
+    cert = CERT_DupCertificate (cert);
+    if (cert == NULL)
+	return SECFailure;
+
+    certs = *certsp;
+    if (certs == NULL) {
+	count = 0;
+	certs = (CERTCertificate**)PORT_ArenaAlloc (cinfo->poolp, 
+					      2 * sizeof(CERTCertificate *));
+    } else {
+	for (count = 0; certs[count] != NULL; count++)
+	    ;
+	PORT_Assert (count);	/* should be at least one already */
+	certs = (CERTCertificate**)PORT_ArenaGrow (cinfo->poolp, certs,
+				(count + 1) * sizeof(CERTCertificate *),
+				(count + 2) * sizeof(CERTCertificate *));
+    }
+
+    if (certs == NULL) {
+	CERT_DestroyCertificate (cert);
+	return SECFailure;
+    }
+
+    certs[count] = cert;
+    certs[count + 1] = NULL;
+
+    *certsp = certs;
+
+    return SECSuccess;
+}
+
+
+/*
+ * Create a PKCS7 certs-only container.
+ *
+ * "cert" is the (first) cert that will be included.
+ *
+ * "include_chain" specifies whether the entire chain for "cert" should
+ * be included.
+ *
+ * "certdb" is the cert database to use for finding the chain.
+ * It can be NULL in when "include_chain" is false, or when meaning
+ * use the default database.
+ *
+ * More certs and chains can be added via AddCertificate and AddCertChain.
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+SEC_PKCS7ContentInfo *
+SEC_PKCS7CreateCertsOnly (CERTCertificate *cert,
+			  PRBool include_chain,
+			  CERTCertDBHandle *certdb)
+{
+    SEC_PKCS7ContentInfo *cinfo;
+    SECStatus rv;
+
+    cinfo = sec_pkcs7_create_signed_data (NULL, NULL);
+    if (cinfo == NULL)
+	return NULL;
+
+    if (include_chain)
+	rv = sec_pkcs7_add_cert_chain (cinfo, cert, certdb);
+    else
+	rv = sec_pkcs7_add_certificate (cinfo, cert);
+
+    if (rv != SECSuccess) {
+	SEC_PKCS7DestroyContentInfo (cinfo);
+	return NULL;
+    }
+
+    return cinfo;
+}
+
+
+/*
+ * Add "cert" and its entire chain to the set of certs included in "cinfo".
+ *
+ * "certdb" is the cert database to use for finding the chain.
+ * It can be NULL, meaning use the default database.
+ *
+ * "cinfo" should be of type signedData or signedAndEnvelopedData;
+ * SECFailure will be returned if it is not.
+ */
+SECStatus
+SEC_PKCS7AddCertChain (SEC_PKCS7ContentInfo *cinfo,
+		       CERTCertificate *cert,
+		       CERTCertDBHandle *certdb)
+{
+    SECOidTag kind;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    if (kind != SEC_OID_PKCS7_SIGNED_DATA
+	&& kind != SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA)
+	return SECFailure;		/* XXX set an error? */
+
+    return sec_pkcs7_add_cert_chain (cinfo, cert, certdb);
+}
+
+
+/*
+ * Add "cert" to the set of certs included in "cinfo".
+ *
+ * "cinfo" should be of type signedData or signedAndEnvelopedData;
+ * SECFailure will be returned if it is not.
+ */
+SECStatus
+SEC_PKCS7AddCertificate (SEC_PKCS7ContentInfo *cinfo, CERTCertificate *cert)
+{
+    SECOidTag kind;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    if (kind != SEC_OID_PKCS7_SIGNED_DATA
+	&& kind != SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA)
+	return SECFailure;		/* XXX set an error? */
+
+    return sec_pkcs7_add_certificate (cinfo, cert);
+}
+
+
+static SECStatus
+sec_pkcs7_init_encrypted_content_info (SEC_PKCS7EncryptedContentInfo *enccinfo,
+				       PRArenaPool *poolp,
+				       SECOidTag kind, PRBool detached,
+				       SECOidTag encalg, int keysize)
+{
+    SECStatus rv;
+
+    PORT_Assert (enccinfo != NULL && poolp != NULL);
+    if (enccinfo == NULL || poolp == NULL)
+	return SECFailure;
+
+    /*
+     * XXX Some day we may want to allow for other kinds.  That needs
+     * more work and modifications to the creation interface, etc.
+     * For now, allow but notice callers who pass in other kinds.
+     * They are responsible for creating the inner type and encoding,
+     * if it is other than DATA.
+     */
+    PORT_Assert (kind == SEC_OID_PKCS7_DATA);
+
+    enccinfo->contentTypeTag = SECOID_FindOIDByTag (kind);
+    PORT_Assert (enccinfo->contentTypeTag
+	       && enccinfo->contentTypeTag->offset == kind);
+
+    rv = SECITEM_CopyItem (poolp, &(enccinfo->contentType),
+			   &(enccinfo->contentTypeTag->oid));
+    if (rv != SECSuccess)
+	return rv;
+
+    /* Save keysize and algorithm for later. */
+    enccinfo->keysize = keysize;
+    enccinfo->encalg = encalg;
+
+    return SECSuccess;
+}
+
+
+/*
+ * Add a recipient to a PKCS7 thing, verifying their cert first.
+ * Any error returns SECFailure.
+ */
+static SECStatus
+sec_pkcs7_add_recipient (SEC_PKCS7ContentInfo *cinfo,
+			 CERTCertificate *cert,
+			 SECCertUsage certusage,
+			 CERTCertDBHandle *certdb)
+{
+    SECOidTag kind;
+    SEC_PKCS7RecipientInfo *recipientinfo, **recipientinfos, ***recipientinfosp;
+    SECItem *dummy;
+    void *mark;
+    int count;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7EnvelopedData *edp;
+
+	    edp = cinfo->content.envelopedData;
+	    recipientinfosp = &(edp->recipientInfos);
+	}
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7SignedAndEnvelopedData *saedp;
+
+	    saedp = cinfo->content.signedAndEnvelopedData;
+	    recipientinfosp = &(saedp->recipientInfos);
+	}
+	break;
+      default:
+	return SECFailure;		/* XXX set an error? */
+    }
+
+    /*
+     * XXX I think that CERT_VerifyCert should do this if *it* is passed
+     * a NULL database.
+     */
+    if (certdb == NULL) {
+	certdb = CERT_GetDefaultCertDB();
+	if (certdb == NULL)
+	    return SECFailure;		/* XXX set an error? */
+    }
+
+    if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage, PR_Now(),
+			 cinfo->pwfn_arg, NULL) != SECSuccess)
+	{
+	/* XXX Did CERT_VerifyCert set an error? */
+	return SECFailure;
+    }
+
+    mark = PORT_ArenaMark (cinfo->poolp);
+
+    recipientinfo = (SEC_PKCS7RecipientInfo*)PORT_ArenaZAlloc (cinfo->poolp,
+				      sizeof(SEC_PKCS7RecipientInfo));
+    if (recipientinfo == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+
+    dummy = SEC_ASN1EncodeInteger (cinfo->poolp, &recipientinfo->version,
+				   SEC_PKCS7_RECIPIENT_INFO_VERSION);
+    if (dummy == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+    PORT_Assert (dummy == &recipientinfo->version);
+
+    recipientinfo->cert = CERT_DupCertificate (cert);
+    if (recipientinfo->cert == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+
+    recipientinfo->issuerAndSN = CERT_GetCertIssuerAndSN (cinfo->poolp, cert);
+    if (recipientinfo->issuerAndSN == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+
+    /*
+     * Okay, now recipientinfo is all set.  We just need to put it into
+     * the main structure.
+     *
+     * If this is the first recipient, allocate a new recipientinfos array;
+     * otherwise, reallocate the array, making room for the new entry.
+     */
+    recipientinfos = *recipientinfosp;
+    if (recipientinfos == NULL) {
+	count = 0;
+	recipientinfos = (SEC_PKCS7RecipientInfo **)PORT_ArenaAlloc (
+					  cinfo->poolp,
+					  2 * sizeof(SEC_PKCS7RecipientInfo *));
+    } else {
+	for (count = 0; recipientinfos[count] != NULL; count++)
+	    ;
+	PORT_Assert (count);	/* should be at least one already */
+	recipientinfos = (SEC_PKCS7RecipientInfo **)PORT_ArenaGrow (
+				 cinfo->poolp, recipientinfos,
+				(count + 1) * sizeof(SEC_PKCS7RecipientInfo *),
+				(count + 2) * sizeof(SEC_PKCS7RecipientInfo *));
+    }
+
+    if (recipientinfos == NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+	return SECFailure;
+    }
+
+    recipientinfos[count] = recipientinfo;
+    recipientinfos[count + 1] = NULL;
+
+    *recipientinfosp = recipientinfos;
+
+    PORT_ArenaUnmark (cinfo->poolp, mark);
+    return SECSuccess;
+}
+
+
+/*
+ * Start a PKCS7 enveloping context.
+ *
+ * "cert" is the cert for the recipient.  It will be checked for validity.
+ *
+ * "certusage" describes the encryption usage (e.g. certUsageEmailRecipient)
+ * XXX Maybe SECCertUsage should be split so that our caller just says
+ * "email" and *we* add the "recipient" part -- otherwise our caller
+ * could be lying about the usage; we do not want to allow encryption
+ * certs for signing or vice versa.
+ *
+ * "certdb" is the cert database to use for verifying the cert.
+ * It can be NULL if a default database is available (like in the client).
+ *
+ * "encalg" specifies the bulk encryption algorithm to use (e.g. SEC_OID_RC2).
+ *
+ * "keysize" specifies the bulk encryption key size, in bits.
+ *
+ * The return value can be passed to functions which add things to
+ * it like more recipients, then eventually to SEC_PKCS7Encode() or to
+ * SEC_PKCS7EncoderStart() to create the encoded data, and finally to
+ * SEC_PKCS7DestroyContentInfo().
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+extern SEC_PKCS7ContentInfo *
+SEC_PKCS7CreateEnvelopedData (CERTCertificate *cert,
+			      SECCertUsage certusage,
+			      CERTCertDBHandle *certdb,
+			      SECOidTag encalg,
+			      int keysize,
+ 			      SECKEYGetPasswordKey pwfn, void *pwfn_arg)
+{
+    SEC_PKCS7ContentInfo *cinfo;
+    SEC_PKCS7EnvelopedData *envd;
+    SECStatus rv;
+
+    cinfo = sec_pkcs7_create_content_info (SEC_OID_PKCS7_ENVELOPED_DATA,
+					   PR_FALSE, pwfn, pwfn_arg);
+    if (cinfo == NULL)
+	return NULL;
+
+    rv = sec_pkcs7_add_recipient (cinfo, cert, certusage, certdb);
+    if (rv != SECSuccess) {
+	SEC_PKCS7DestroyContentInfo (cinfo);
+	return NULL;
+    }
+
+    envd = cinfo->content.envelopedData;
+    PORT_Assert (envd != NULL);
+
+    /*
+     * XXX Might we want to allow content types other than data?
+     * If so, via what interface?
+     */
+    rv = sec_pkcs7_init_encrypted_content_info (&(envd->encContentInfo),
+						cinfo->poolp,
+						SEC_OID_PKCS7_DATA, PR_FALSE,
+						encalg, keysize);
+    if (rv != SECSuccess) {
+	SEC_PKCS7DestroyContentInfo (cinfo);
+	return NULL;
+    }
+
+    /* XXX Anything more to do here? */
+
+    return cinfo;
+}
+
+
+/*
+ * Add another recipient to an encrypted message.
+ *
+ * "cinfo" should be of type envelopedData or signedAndEnvelopedData;
+ * SECFailure will be returned if it is not.
+ *
+ * "cert" is the cert for the recipient.  It will be checked for validity.
+ *
+ * "certusage" describes the encryption usage (e.g. certUsageEmailRecipient)
+ * XXX Maybe SECCertUsage should be split so that our caller just says
+ * "email" and *we* add the "recipient" part -- otherwise our caller
+ * could be lying about the usage; we do not want to allow encryption
+ * certs for signing or vice versa.
+ *
+ * "certdb" is the cert database to use for verifying the cert.
+ * It can be NULL if a default database is available (like in the client).
+ */
+SECStatus
+SEC_PKCS7AddRecipient (SEC_PKCS7ContentInfo *cinfo,
+		       CERTCertificate *cert,
+		       SECCertUsage certusage,
+		       CERTCertDBHandle *certdb)
+{
+    return sec_pkcs7_add_recipient (cinfo, cert, certusage, certdb);
+}
+
+
+/*
+ * Create an empty PKCS7 data content info.
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+SEC_PKCS7ContentInfo *
+SEC_PKCS7CreateData (void)
+{
+    return sec_pkcs7_create_content_info (SEC_OID_PKCS7_DATA, PR_FALSE,
+					  NULL, NULL);
+}
+
+
+/*
+ * Create an empty PKCS7 encrypted content info.
+ *
+ * "algorithm" specifies the bulk encryption algorithm to use.
+ * 
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+SEC_PKCS7ContentInfo *
+SEC_PKCS7CreateEncryptedData (SECOidTag algorithm, int keysize,
+			      SECKEYGetPasswordKey pwfn, void *pwfn_arg)
+{
+    SEC_PKCS7ContentInfo *cinfo;
+    SECAlgorithmID *algid;
+    SEC_PKCS7EncryptedData *enc_data;
+    SECStatus rv;
+
+    cinfo = sec_pkcs7_create_content_info (SEC_OID_PKCS7_ENCRYPTED_DATA, 
+					   PR_FALSE, pwfn, pwfn_arg);
+    if (cinfo == NULL)
+	return NULL;
+
+    enc_data = cinfo->content.encryptedData;
+    algid = &(enc_data->encContentInfo.contentEncAlg);
+
+    switch (algorithm) {
+      case SEC_OID_RC2_CBC:
+      case SEC_OID_DES_EDE3_CBC:
+      case SEC_OID_DES_CBC:
+	rv = SECOID_SetAlgorithmID (cinfo->poolp, algid, algorithm, NULL);
+	break;
+      default:
+	{
+	    /*
+	     * Assume password-based-encryption.  At least, try that.
+	     */
+	    SECAlgorithmID *pbe_algid;
+	    pbe_algid = PK11_CreatePBEAlgorithmID (algorithm, 1, NULL);
+	    if (pbe_algid == NULL) {
+		rv = SECFailure;
+	    } else {
+		rv = SECOID_CopyAlgorithmID (cinfo->poolp, algid, pbe_algid);
+		SECOID_DestroyAlgorithmID (pbe_algid, PR_TRUE);
+	    }
+	}
+	break;
+    }
+
+    if (rv != SECSuccess) {
+	SEC_PKCS7DestroyContentInfo (cinfo);
+	return NULL;
+    }
+
+    rv = sec_pkcs7_init_encrypted_content_info (&(enc_data->encContentInfo),
+						cinfo->poolp,
+						SEC_OID_PKCS7_DATA, PR_FALSE,
+						algorithm, keysize);
+    if (rv != SECSuccess) {
+	SEC_PKCS7DestroyContentInfo (cinfo);
+	return NULL;
+    }
+
+    return cinfo;
+}
+
diff --git a/security/nss/lib/pkcs7/p7decode.c b/security/nss/lib/pkcs7/p7decode.c
new file mode 100644
index 000000000..a3a41bb79
--- /dev/null
+++ b/security/nss/lib/pkcs7/p7decode.c
@@ -0,0 +1,2085 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * PKCS7 decoding, verification.
+ *
+ * $Id$
+ */
+
+#include "nssrenam.h"
+
+#include "p7local.h"
+
+#include "cert.h"
+				/* XXX do not want to have to include */
+#include "certdb.h"		/* certdb.h -- the trust stuff needed by */
+     				/* the add certificate code needs to get */
+                           	/* rewritten/abstracted and then this */
+      				/* include should be removed! */
+/*#include "cdbhdl.h" */
+#include "cryptohi.h"
+#include "key.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "prtime.h"
+#include "secerr.h"
+#include "sechash.h"	/* for HASH_GetHashObject() */
+#include "secder.h"
+#include "secpkcs5.h"
+
+struct sec_pkcs7_decoder_worker {
+    int depth;
+    int digcnt;
+    void **digcxs;
+    const SECHashObject **digobjs;
+    sec_PKCS7CipherObject *decryptobj;
+    PRBool saw_contents;
+};
+
+struct SEC_PKCS7DecoderContextStr {
+    SEC_ASN1DecoderContext *dcx;
+    SEC_PKCS7ContentInfo *cinfo;
+    SEC_PKCS7DecoderContentCallback cb;
+    void *cb_arg;
+    SECKEYGetPasswordKey pwfn;
+    void *pwfn_arg;
+    struct sec_pkcs7_decoder_worker worker;
+    PRArenaPool *tmp_poolp;
+    int error;
+    SEC_PKCS7GetDecryptKeyCallback dkcb;
+    void *dkcb_arg;
+    SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb;
+};
+
+/*
+ * Handle one worker, decrypting and digesting the data as necessary.
+ *
+ * XXX If/when we support nested contents, this probably needs to be
+ * revised somewhat to get passed the content-info (which unfortunately
+ * can be two different types depending on whether it is encrypted or not)
+ * corresponding to the given worker.
+ */
+static void
+sec_pkcs7_decoder_work_data (SEC_PKCS7DecoderContext *p7dcx,
+			     struct sec_pkcs7_decoder_worker *worker,
+			     const unsigned char *data, unsigned long len,
+			     PRBool final)
+{
+    unsigned char *buf = NULL;
+    SECStatus rv;
+    int i;
+
+    /*
+     * We should really have data to process, or we should be trying
+     * to finish/flush the last block.  (This is an overly paranoid
+     * check since all callers are in this file and simple inspection
+     * proves they do it right.  But it could find a bug in future
+     * modifications/development, that is why it is here.)
+     */
+    PORT_Assert ((data != NULL && len) || final);
+
+    /*
+     * Decrypt this chunk.
+     *
+     * XXX If we get an error, we do not want to do the digest or callback,
+     * but we want to keep decoding.  Or maybe we want to stop decoding
+     * altogether if there is a callback, because obviously we are not
+     * sending the data back and they want to know that.
+     */
+    if (worker->decryptobj != NULL) {
+	/* XXX the following lengths should all be longs? */
+	unsigned int inlen;	/* length of data being decrypted */
+	unsigned int outlen;	/* length of decrypted data */
+	unsigned int buflen;	/* length available for decrypted data */
+	SECItem *plain;
+
+	inlen = len;
+	buflen = sec_PKCS7DecryptLength (worker->decryptobj, inlen, final);
+	if (buflen == 0) {
+	    if (inlen == 0)	/* no input and no output */
+		return;
+	    /*
+	     * No output is expected, but the input data may be buffered
+	     * so we still have to call Decrypt.
+	     */
+	    rv = sec_PKCS7Decrypt (worker->decryptobj, NULL, NULL, 0,
+				   data, inlen, final);
+	    if (rv != SECSuccess) {
+		p7dcx->error = PORT_GetError();
+		return;		/* XXX indicate error? */
+	    }
+	    return;
+	}
+
+	if (p7dcx->cb != NULL) {
+	    buf = (unsigned char *) PORT_Alloc (buflen);
+	    plain = NULL;
+	} else {
+	    unsigned long oldlen;
+
+	    /*
+	     * XXX This assumes one level of content only.
+	     * See comment above about nested content types.
+	     * XXX Also, it should work for signedAndEnvelopedData, too!
+	     */
+	    plain = &(p7dcx->cinfo->
+			content.envelopedData->encContentInfo.plainContent);
+
+	    oldlen = plain->len;
+	    if (oldlen == 0) {
+		buf = (unsigned char*)PORT_ArenaAlloc (p7dcx->cinfo->poolp, 
+						       buflen);
+	    } else {
+		buf = (unsigned char*)PORT_ArenaGrow (p7dcx->cinfo->poolp, 
+				      plain->data,
+				      oldlen, oldlen + buflen);
+		if (buf != NULL)
+		    buf += oldlen;
+	    }
+	    plain->data = buf;
+	}
+	if (buf == NULL) {
+	    p7dcx->error = SEC_ERROR_NO_MEMORY;
+	    return;		/* XXX indicate error? */
+	}
+	rv = sec_PKCS7Decrypt (worker->decryptobj, buf, &outlen, buflen,
+			       data, inlen, final);
+	if (rv != SECSuccess) {
+	    p7dcx->error = PORT_GetError();
+	    return;		/* XXX indicate error? */
+	}
+	if (plain != NULL) {
+	    PORT_Assert (final || outlen == buflen);
+	    plain->len += outlen;
+	}
+	data = buf;
+	len = outlen;
+    }
+
+    /*
+     * Update the running digests.
+     */
+    if (len) {
+	for (i = 0; i < worker->digcnt; i++) {
+	    (* worker->digobjs[i]->update) (worker->digcxs[i], data, len);
+	}
+    }
+
+    /*
+     * Pass back the contents bytes, and free the temporary buffer.
+     */
+    if (p7dcx->cb != NULL) {
+	if (len)
+	    (* p7dcx->cb) (p7dcx->cb_arg, (const char *)data, len);
+	if (worker->decryptobj != NULL) {
+	    PORT_Assert (buf != NULL);
+	    PORT_Free (buf);
+	}
+    }
+}
+
+static void
+sec_pkcs7_decoder_filter (void *arg, const char *data, unsigned long len,
+			  int depth, SEC_ASN1EncodingPart data_kind)
+{
+    SEC_PKCS7DecoderContext *p7dcx;
+    struct sec_pkcs7_decoder_worker *worker;
+
+    /*
+     * Since we do not handle any nested contents, the only bytes we
+     * are really interested in are the actual contents bytes (not
+     * the identifier, length, or end-of-contents bytes).  If we were
+     * handling nested types we would probably need to do something
+     * smarter based on depth and data_kind.
+     */
+    if (data_kind != SEC_ASN1_Contents)
+	return;
+
+    /*
+     * The ASN.1 decoder should not even call us with a length of 0.
+     * Just being paranoid.
+     */
+    PORT_Assert (len);
+    if (len == 0)
+	return;
+
+    p7dcx = (SEC_PKCS7DecoderContext*)arg;
+
+    /*
+     * Handling nested contents would mean that there is a chain
+     * of workers -- one per each level of content.  The following
+     * would start with the first worker and loop over them.
+     */
+    worker = &(p7dcx->worker);
+
+    worker->saw_contents = PR_TRUE;
+
+    sec_pkcs7_decoder_work_data (p7dcx, worker,
+				 (const unsigned char *) data, len, PR_FALSE);
+}
+
+
+/*
+ * Create digest contexts for each algorithm in "digestalgs".
+ * No algorithms is not an error, we just do not do anything.
+ * An error (like trouble allocating memory), marks the error
+ * in "p7dcx" and returns SECFailure, which means that our caller
+ * should just give up altogether.
+ */
+static SECStatus
+sec_pkcs7_decoder_start_digests (SEC_PKCS7DecoderContext *p7dcx, int depth,
+				 SECAlgorithmID **digestalgs)
+{
+    SECAlgorithmID *algid;
+    SECOidData *oiddata;
+    const SECHashObject *digobj;
+    void *digcx;
+    int i, digcnt;
+
+    if (digestalgs == NULL)
+	return SECSuccess;
+
+    /*
+     * Count the algorithms.
+     */
+    digcnt = 0;
+    while (digestalgs[digcnt] != NULL)
+	digcnt++;
+
+    /*
+     * No algorithms means no work to do.
+     * This is not expected, so cause an assert.
+     * But if it does happen, just act as if there were
+     * no algorithms specified.
+     */
+    PORT_Assert (digcnt != 0);
+    if (digcnt == 0)
+	return SECSuccess;
+
+    p7dcx->worker.digcxs = (void**)PORT_ArenaAlloc (p7dcx->tmp_poolp,
+					    digcnt * sizeof (void *));
+    p7dcx->worker.digobjs = (const SECHashObject**)PORT_ArenaAlloc (p7dcx->tmp_poolp,
+					     digcnt * sizeof (SECHashObject *));
+    if (p7dcx->worker.digcxs == NULL || p7dcx->worker.digobjs == NULL) {
+	p7dcx->error = SEC_ERROR_NO_MEMORY;
+	return SECFailure;
+    }
+
+    p7dcx->worker.depth = depth;
+    p7dcx->worker.digcnt = 0;
+
+    /*
+     * Create a digest context for each algorithm.
+     */
+    for (i = 0; i < digcnt; i++) {
+	algid = digestalgs[i];
+	oiddata = SECOID_FindOID(&(algid->algorithm));
+	if (oiddata == NULL) {
+	    digobj = NULL;
+	} else {
+	    switch (oiddata->offset) {
+	      case SEC_OID_MD2:
+		digobj = HASH_GetHashObject(HASH_AlgMD2);
+		break;
+	      case SEC_OID_MD5:
+		digobj = HASH_GetHashObject(HASH_AlgMD5);
+		break;
+	      case SEC_OID_SHA1:
+		digobj = HASH_GetHashObject(HASH_AlgSHA1);
+		break;
+	      default:
+		digobj = NULL;
+		break;
+	    }
+	}
+
+	/*
+	 * Skip any algorithm we do not even recognize; obviously,
+	 * this could be a problem, but if it is critical then the
+	 * result will just be that the signature does not verify.
+	 * We do not necessarily want to error out here, because
+	 * the particular algorithm may not actually be important,
+	 * but we cannot know that until later.
+	 */
+	if (digobj == NULL) {
+	    p7dcx->worker.digcnt--;
+	    continue;
+	}
+
+	digcx = (* digobj->create)();
+	if (digcx != NULL) {
+	    (* digobj->begin) (digcx);
+	    p7dcx->worker.digobjs[p7dcx->worker.digcnt] = digobj;
+	    p7dcx->worker.digcxs[p7dcx->worker.digcnt] = digcx;
+	    p7dcx->worker.digcnt++;
+	}
+    }
+
+    if (p7dcx->worker.digcnt != 0)
+	SEC_ASN1DecoderSetFilterProc (p7dcx->dcx,
+				      sec_pkcs7_decoder_filter,
+				      p7dcx,
+				      (PRBool)(p7dcx->cb != NULL));
+    return SECSuccess;
+}
+
+
+/*
+ * Close out all of the digest contexts, storing the results in "digestsp".
+ */
+static SECStatus
+sec_pkcs7_decoder_finish_digests (SEC_PKCS7DecoderContext *p7dcx,
+				  PRArenaPool *poolp,
+				  SECItem ***digestsp)
+{
+    struct sec_pkcs7_decoder_worker *worker;
+    const SECHashObject *digobj;
+    void *digcx;
+    SECItem **digests, *digest;
+    int i;
+    void *mark;
+
+    /*
+     * XXX Handling nested contents would mean that there is a chain
+     * of workers -- one per each level of content.  The following
+     * would want to find the last worker in the chain.
+     */
+    worker = &(p7dcx->worker);
+
+    /*
+     * If no digests, then we have nothing to do.
+     */
+    if (worker->digcnt == 0)
+	return SECSuccess;
+
+    /*
+     * No matter what happens after this, we want to stop filtering.
+     * XXX If we handle nested contents, we only want to stop filtering
+     * if we are finishing off the *last* worker.
+     */
+    SEC_ASN1DecoderClearFilterProc (p7dcx->dcx);
+
+    /*
+     * If we ended up with no contents, just destroy each
+     * digest context -- they are meaningless and potentially
+     * confusing, because their presence would imply some content
+     * was digested.
+     */
+    if (! worker->saw_contents) {
+	for (i = 0; i < worker->digcnt; i++) {
+	    digcx = worker->digcxs[i];
+	    digobj = worker->digobjs[i];
+	    (* digobj->destroy) (digcx, PR_TRUE);
+	}
+	return SECSuccess;
+    }
+
+    mark = PORT_ArenaMark (poolp);
+
+    /*
+     * Close out each digest context, saving digest away.
+     */
+    digests = 
+      (SECItem**)PORT_ArenaAlloc (poolp,(worker->digcnt+1)*sizeof(SECItem *));
+    digest = (SECItem*)PORT_ArenaAlloc (poolp, worker->digcnt*sizeof(SECItem));
+    if (digests == NULL || digest == NULL) {
+	p7dcx->error = PORT_GetError();
+	PORT_ArenaRelease (poolp, mark);
+	return SECFailure;
+    }
+
+    for (i = 0; i < worker->digcnt; i++, digest++) {
+	digcx = worker->digcxs[i];
+	digobj = worker->digobjs[i];
+
+	digest->data = (unsigned char*)PORT_ArenaAlloc (poolp, digobj->length);
+	if (digest->data == NULL) {
+	    p7dcx->error = PORT_GetError();
+	    PORT_ArenaRelease (poolp, mark);
+	    return SECFailure;
+	}
+
+	digest->len = digobj->length;
+	(* digobj->end) (digcx, digest->data, &(digest->len), digest->len);
+	(* digobj->destroy) (digcx, PR_TRUE);
+
+	digests[i] = digest;
+    }
+    digests[i] = NULL;
+    *digestsp = digests;
+
+    PORT_ArenaUnmark (poolp, mark);
+    return SECSuccess;
+}
+
+/*
+ * XXX Need comment explaining following helper function (which is used
+ * by sec_pkcs7_decoder_start_decrypt).
+ */
+extern const SEC_ASN1Template SEC_SMIMEKEAParamTemplateAllParams[];
+
+static PK11SymKey *
+sec_pkcs7_decoder_get_recipient_key (SEC_PKCS7DecoderContext *p7dcx,
+				     SEC_PKCS7RecipientInfo **recipientinfos,
+				     SEC_PKCS7EncryptedContentInfo *enccinfo)
+{
+    SEC_PKCS7RecipientInfo *ri;
+    CERTCertificate *cert = NULL;
+    SECKEYPrivateKey *privkey = NULL;
+    PK11SymKey *bulkkey;
+    SECOidTag keyalgtag, bulkalgtag, encalgtag;
+    PK11SlotInfo *slot;
+    int bulkLength = 0;
+
+    if (recipientinfos == NULL || recipientinfos[0] == NULL) {
+	p7dcx->error = SEC_ERROR_NOT_A_RECIPIENT;
+	goto no_key_found;
+    }
+
+    cert = PK11_FindCertAndKeyByRecipientList(&slot,recipientinfos,&ri,
+						&privkey, p7dcx->pwfn_arg);
+    if (cert == NULL) {
+	p7dcx->error = SEC_ERROR_NOT_A_RECIPIENT;
+	goto no_key_found;
+    }
+
+    ri->cert = cert;		/* so we can find it later */
+    PORT_Assert(privkey != NULL);
+
+    keyalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
+    encalgtag = SECOID_GetAlgorithmTag (&(ri->keyEncAlg));
+    if ((encalgtag != SEC_OID_NETSCAPE_SMIME_KEA) && (keyalgtag != encalgtag)) {
+	p7dcx->error = SEC_ERROR_PKCS7_KEYALG_MISMATCH;
+	goto no_key_found;
+    }
+    bulkalgtag = SECOID_GetAlgorithmTag (&(enccinfo->contentEncAlg));
+
+    switch (encalgtag) {
+      case SEC_OID_PKCS1_RSA_ENCRYPTION:
+	bulkkey = PK11_PubUnwrapSymKey (privkey, &ri->encKey,
+					PK11_AlgtagToMechanism (bulkalgtag),
+					CKA_DECRYPT, 0);
+	if (bulkkey == NULL) {
+	    p7dcx->error = PORT_GetError();
+	    PORT_SetError(0);
+	    goto no_key_found;
+	}
+	break;
+	/* ### mwelch -- KEA */ 
+        case SEC_OID_NETSCAPE_SMIME_KEA:
+	  {
+	      SECStatus err;
+	      CK_MECHANISM_TYPE bulkType;
+	      PK11SymKey *tek;
+	      SECKEYPublicKey *senderPubKey;
+	      SEC_PKCS7SMIMEKEAParameters   keaParams;
+
+	      (void) memset(&keaParams, 0, sizeof(keaParams));
+
+	      /* Decode the KEA algorithm parameters. */
+	      err = SEC_ASN1DecodeItem(NULL,
+				       &keaParams,
+				       SEC_SMIMEKEAParamTemplateAllParams,
+				       &(ri->keyEncAlg.parameters));
+	      if (err != SECSuccess)
+	      {
+		  p7dcx->error = err;
+		  PORT_SetError(0);
+		  goto no_key_found;
+	      }
+	  
+
+	      /* We just got key data, no key structure. So, we
+		 create one. */
+	     senderPubKey = 
+		  PK11_MakeKEAPubKey(keaParams.originatorKEAKey.data,
+				     keaParams.originatorKEAKey.len);
+	     if (senderPubKey == NULL)
+	     {
+		    p7dcx->error = PORT_GetError();
+		    PORT_SetError(0);
+		    goto no_key_found;
+	     }
+	      
+	     /* Generate the TEK (token exchange key) which we use
+	         to unwrap the bulk encryption key. */
+	     tek = PK11_PubDerive(privkey, senderPubKey, 
+				   PR_FALSE,
+				   &keaParams.originatorRA,
+				   NULL,
+				   CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
+				   CKA_WRAP, 0, p7dcx->pwfn_arg);
+	     SECKEY_DestroyPublicKey(senderPubKey);
+	      
+	     if (tek == NULL)
+	     {
+		  p7dcx->error = PORT_GetError();
+		  PORT_SetError(0);
+		  goto no_key_found;
+	     }
+	      
+	      /* Now that we have the TEK, unwrap the bulk key
+	         with which to decrypt the message. We have to
+		 do one of two different things depending on 
+		 whether Skipjack was used for bulk encryption 
+		 of the message. */
+	      bulkType = PK11_AlgtagToMechanism (bulkalgtag);
+	      switch(bulkType)
+	      {
+	      case CKM_SKIPJACK_CBC64:
+	      case CKM_SKIPJACK_ECB64:
+	      case CKM_SKIPJACK_OFB64:
+	      case CKM_SKIPJACK_CFB64:
+	      case CKM_SKIPJACK_CFB32:
+	      case CKM_SKIPJACK_CFB16:
+	      case CKM_SKIPJACK_CFB8:
+		  /* Skipjack is being used as the bulk encryption algorithm.*/
+		  /* Unwrap the bulk key. */
+		  bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP,
+					      NULL, &ri->encKey, 
+					      CKM_SKIPJACK_CBC64, 
+					      CKA_DECRYPT, 0);
+		  break;
+	      default:
+		  /* Skipjack was not used for bulk encryption of this
+		     message. Use Skipjack CBC64, with the nonSkipjackIV
+		     part of the KEA key parameters, to decrypt 
+		     the bulk key. If we got a parameter indicating that the
+		     bulk key size is different than the encrypted key size,
+		     pass in the real key size. */
+		  
+		  /* Check for specified bulk key length (unspecified implies
+		     that the bulk key length is the same as encrypted length) */
+		  if (keaParams.bulkKeySize.len > 0)
+		  {
+		      p7dcx->error = SEC_ASN1DecodeItem(NULL, &bulkLength,
+					SEC_ASN1_GET(SEC_IntegerTemplate),
+					&keaParams.bulkKeySize);
+		  }
+		  
+		  if (p7dcx->error != SECSuccess)
+		      goto no_key_found;
+		  
+		  bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_CBC64,
+					      &keaParams.nonSkipjackIV, 
+					      &ri->encKey,
+					      bulkType,
+					      CKA_DECRYPT, bulkLength);
+	      }
+	      
+	      
+	      if (bulkkey == NULL)
+	      {
+		  p7dcx->error = PORT_GetError();
+		  PORT_SetError(0);
+		  goto no_key_found;
+	      }
+	      break;
+	  }
+      default:
+	p7dcx->error = SEC_ERROR_UNSUPPORTED_KEYALG;
+	goto no_key_found;
+    }
+
+    return bulkkey;
+
+no_key_found:
+    if (privkey != NULL)
+	SECKEY_DestroyPrivateKey (privkey);
+
+    return NULL;
+}
+ 
+/*
+ * XXX The following comment is old -- the function used to only handle
+ * EnvelopedData or SignedAndEnvelopedData but now handles EncryptedData
+ * as well (and it had all of the code of the helper function above
+ * built into it), though the comment was left as is.  Fix it...
+ *
+ * We are just about to decode the content of an EnvelopedData.
+ * Set up a decryption context so we can decrypt as we go.
+ * Presumably we are one of the recipients listed in "recipientinfos".
+ * (XXX And if we are not, or if we have trouble, what should we do?
+ *  It would be nice to let the decoding still work.  Maybe it should
+ *  be an error if there is a content callback, but not an error otherwise?)
+ * The encryption key and related information can be found in "enccinfo".
+ */
+static SECStatus
+sec_pkcs7_decoder_start_decrypt (SEC_PKCS7DecoderContext *p7dcx, int depth,
+				 SEC_PKCS7RecipientInfo **recipientinfos,
+				 SEC_PKCS7EncryptedContentInfo *enccinfo,
+				 PK11SymKey **copy_key_for_signature)
+{
+    PK11SymKey *bulkkey = NULL;
+    sec_PKCS7CipherObject *decryptobj;
+
+    /*
+     * If a callback is supplied to retrieve the encryption key, 
+     * for instance, for Encrypted Content infos, then retrieve
+     * the bulkkey from the callback.  Otherwise, assume that
+     * we are processing Enveloped or SignedAndEnveloped data
+     * content infos.
+     *
+     * XXX Put an assert here?
+     */
+    if (SEC_PKCS7ContentType(p7dcx->cinfo) == SEC_OID_PKCS7_ENCRYPTED_DATA) {
+	if (p7dcx->dkcb != NULL) {
+	    bulkkey = (*p7dcx->dkcb)(p7dcx->dkcb_arg, 
+				     &(enccinfo->contentEncAlg));
+	}
+	enccinfo->keysize = 0;
+    } else {
+	bulkkey = sec_pkcs7_decoder_get_recipient_key (p7dcx, recipientinfos, 
+						       enccinfo);
+	if (bulkkey == NULL) goto no_decryption;
+	enccinfo->keysize = PK11_GetKeyStrength(bulkkey, 
+						&(enccinfo->contentEncAlg));
+
+    }
+
+    /*
+     * XXX I think following should set error in p7dcx and clear set error
+     * (as used to be done here, or as is done in get_receipient_key above.
+     */
+    if(bulkkey == NULL) {
+	goto no_decryption;
+    }
+    
+    /* 
+     * We want to make sure decryption is allowed.  This is done via
+     * a callback specified in SEC_PKCS7DecoderStart().
+     */
+    if (p7dcx->decrypt_allowed_cb) {
+	if ((*p7dcx->decrypt_allowed_cb) (&(enccinfo->contentEncAlg), 
+					  bulkkey) == PR_FALSE) {
+	    p7dcx->error = SEC_ERROR_DECRYPTION_DISALLOWED;
+	    goto no_decryption;
+	}
+    } else {
+	    p7dcx->error = SEC_ERROR_DECRYPTION_DISALLOWED;
+	    goto no_decryption;
+    }
+
+    /*
+     * When decrypting a signedAndEnvelopedData, the signature also has
+     * to be decrypted with the bulk encryption key; to avoid having to
+     * get it all over again later (and do another potentially expensive
+     * RSA operation), copy it for later signature verification to use.
+     */
+    if (copy_key_for_signature != NULL)
+	*copy_key_for_signature = PK11_ReferenceSymKey (bulkkey);
+
+    /*
+     * Now we have the bulk encryption key (in bulkkey) and the
+     * the algorithm (in enccinfo->contentEncAlg).  Using those,
+     * create a decryption context.
+     */
+    decryptobj = sec_PKCS7CreateDecryptObject (bulkkey,
+					       &(enccinfo->contentEncAlg));
+
+    /* 
+     * For PKCS5 Encryption Algorithms, the bulkkey is actually a different
+     * structure.  Therefore, we need to set the bulkkey to the actual key 
+     * prior to freeing it.
+     */
+    if ( SEC_PKCS5IsAlgorithmPBEAlg(&(enccinfo->contentEncAlg)) && bulkkey ) {
+	SEC_PKCS5KeyAndPassword *keyPwd = (SEC_PKCS5KeyAndPassword *)bulkkey;
+	bulkkey = keyPwd->key;
+    }
+
+    /*
+     * We are done with (this) bulkkey now.
+     */
+    PK11_FreeSymKey (bulkkey);
+
+    if (decryptobj == NULL) {
+	p7dcx->error = PORT_GetError();
+	PORT_SetError(0);
+	goto no_decryption;
+    }
+
+    SEC_ASN1DecoderSetFilterProc (p7dcx->dcx,
+				  sec_pkcs7_decoder_filter,
+				  p7dcx,
+				  (PRBool)(p7dcx->cb != NULL));
+
+    p7dcx->worker.depth = depth;
+    p7dcx->worker.decryptobj = decryptobj;
+
+    return SECSuccess;
+
+no_decryption:
+    /*
+     * For some reason (error set already, if appropriate), we cannot
+     * decrypt the content.  I am not sure what exactly is the right
+     * thing to do here; in some cases we want to just stop, and in
+     * others we want to let the decoding finish even though we cannot
+     * decrypt the content.  My current thinking is that if the caller
+     * set up a content callback, then they are really interested in
+     * getting (decrypted) content, and if they cannot they will want
+     * to know about it.  However, if no callback was specified, then
+     * maybe it is not important that the decryption failed.
+     */
+    if (p7dcx->cb != NULL)
+	return SECFailure;
+    else
+	return SECSuccess;	/* Let the decoding continue. */
+}
+
+
+static SECStatus
+sec_pkcs7_decoder_finish_decrypt (SEC_PKCS7DecoderContext *p7dcx,
+				  PRArenaPool *poolp,
+				  SEC_PKCS7EncryptedContentInfo *enccinfo)
+{
+    struct sec_pkcs7_decoder_worker *worker;
+
+    /*
+     * XXX Handling nested contents would mean that there is a chain
+     * of workers -- one per each level of content.  The following
+     * would want to find the last worker in the chain.
+     */
+    worker = &(p7dcx->worker);
+
+    /*
+     * If no decryption context, then we have nothing to do.
+     */
+    if (worker->decryptobj == NULL)
+	return SECSuccess;
+
+    /*
+     * No matter what happens after this, we want to stop filtering.
+     * XXX If we handle nested contents, we only want to stop filtering
+     * if we are finishing off the *last* worker.
+     */
+    SEC_ASN1DecoderClearFilterProc (p7dcx->dcx);
+
+    /*
+     * Handle the last block.
+     */
+    sec_pkcs7_decoder_work_data (p7dcx, worker, NULL, 0, PR_TRUE);
+
+    /*
+     * All done, destroy it.
+     */
+    sec_PKCS7DestroyDecryptObject (worker->decryptobj);
+
+    return SECSuccess;
+}
+
+
+static void
+sec_pkcs7_decoder_notify (void *arg, PRBool before, void *dest, int depth)
+{
+    SEC_PKCS7DecoderContext *p7dcx;
+    SEC_PKCS7ContentInfo *cinfo;
+    SEC_PKCS7SignedData *sigd;
+    SEC_PKCS7EnvelopedData *envd;
+    SEC_PKCS7SignedAndEnvelopedData *saed;
+    SEC_PKCS7EncryptedData *encd;
+    SEC_PKCS7DigestedData *digd;
+    PRBool after;
+    SECStatus rv;
+
+    /*
+     * Just to make the code easier to read, create an "after" variable
+     * that is equivalent to "not before".
+     * (This used to be just the statement "after = !before", but that
+     * causes a warning on the mac; to avoid that, we do it the long way.)
+     */
+    if (before)
+	after = PR_FALSE;
+    else
+	after = PR_TRUE;
+
+    p7dcx = (SEC_PKCS7DecoderContext*)arg;
+    cinfo = p7dcx->cinfo;
+
+    if (cinfo->contentTypeTag == NULL) {
+	if (after && dest == &(cinfo->contentType))
+	    cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
+	return;
+    }
+
+    switch (cinfo->contentTypeTag->offset) {
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	sigd = cinfo->content.signedData;
+	if (sigd == NULL)
+	    break;
+
+	if (sigd->contentInfo.contentTypeTag == NULL) {
+	    if (after && dest == &(sigd->contentInfo.contentType))
+		sigd->contentInfo.contentTypeTag =
+			SECOID_FindOID(&(sigd->contentInfo.contentType));
+	    break;
+	}
+
+	/*
+	 * We only set up a filtering digest if the content is
+	 * plain DATA; anything else needs more work because a
+	 * second pass is required to produce a DER encoding from
+	 * an input that can be BER encoded.  (This is a requirement
+	 * of PKCS7 that is unfortunate, but there you have it.)
+	 *
+	 * XXX Also, since we stop here if this is not DATA, the
+	 * inner content is not getting processed at all.  Someday
+	 * we may want to fix that.
+	 */
+	if (sigd->contentInfo.contentTypeTag->offset != SEC_OID_PKCS7_DATA) {
+	    /* XXX Set an error in p7dcx->error */
+	    SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
+	    break;
+	}
+
+	/*
+	 * Just before the content, we want to set up a digest context
+	 * for each digest algorithm listed, and start a filter which
+	 * will run all of the contents bytes through that digest.
+	 */
+	if (before && dest == &(sigd->contentInfo.content)) {
+	    rv = sec_pkcs7_decoder_start_digests (p7dcx, depth,
+						  sigd->digestAlgorithms);
+	    if (rv != SECSuccess)
+		SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
+
+	    break;
+	}
+
+	/*
+	 * XXX To handle nested types, here is where we would want
+	 * to check for inner boundaries that need handling.
+	 */
+
+	/*
+	 * Are we done?
+	 */
+	if (after && dest == &(sigd->contentInfo.content)) {
+	    /*
+	     * Close out the digest contexts.  We ignore any error
+	     * because we are stopping anyway; the error status left
+	     * behind in p7dcx will be seen by outer functions.
+	     */
+	    (void) sec_pkcs7_decoder_finish_digests (p7dcx, cinfo->poolp,
+						     &(sigd->digests));
+
+	    /*
+	     * XXX To handle nested contents, we would need to remove
+	     * the worker from the chain (and free it).
+	     */
+
+	    /*
+	     * Stop notify.
+	     */
+	    SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
+	}
+	break;
+
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+	envd = cinfo->content.envelopedData;
+	if (envd == NULL)
+	    break;
+
+	if (envd->encContentInfo.contentTypeTag == NULL) {
+	    if (after && dest == &(envd->encContentInfo.contentType))
+		envd->encContentInfo.contentTypeTag =
+			SECOID_FindOID(&(envd->encContentInfo.contentType));
+	    break;
+	}
+
+	/*
+	 * Just before the content, we want to set up a decryption
+	 * context, and start a filter which will run all of the
+	 * contents bytes through it to determine the plain content.
+	 */
+	if (before && dest == &(envd->encContentInfo.encContent)) {
+	    rv = sec_pkcs7_decoder_start_decrypt (p7dcx, depth,
+						  envd->recipientInfos,
+						  &(envd->encContentInfo),
+						  NULL);
+	    if (rv != SECSuccess)
+		SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
+
+	    break;
+	}
+
+	/*
+	 * Are we done?
+	 */
+	if (after && dest == &(envd->encContentInfo.encContent)) {
+	    /*
+	     * Close out the decryption context.  We ignore any error
+	     * because we are stopping anyway; the error status left
+	     * behind in p7dcx will be seen by outer functions.
+	     */
+	    (void) sec_pkcs7_decoder_finish_decrypt (p7dcx, cinfo->poolp,
+						     &(envd->encContentInfo));
+
+	    /*
+	     * XXX To handle nested contents, we would need to remove
+	     * the worker from the chain (and free it).
+	     */
+
+	    /*
+	     * Stop notify.
+	     */
+	    SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
+	}
+	break;
+
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	saed = cinfo->content.signedAndEnvelopedData;
+	if (saed == NULL)
+	    break;
+
+	if (saed->encContentInfo.contentTypeTag == NULL) {
+	    if (after && dest == &(saed->encContentInfo.contentType))
+		saed->encContentInfo.contentTypeTag =
+			SECOID_FindOID(&(saed->encContentInfo.contentType));
+	    break;
+	}
+
+	/*
+	 * Just before the content, we want to set up a decryption
+	 * context *and* digest contexts, and start a filter which
+	 * will run all of the contents bytes through both.
+	 */
+	if (before && dest == &(saed->encContentInfo.encContent)) {
+	    rv = sec_pkcs7_decoder_start_decrypt (p7dcx, depth,
+						  saed->recipientInfos,
+						  &(saed->encContentInfo),
+						  &(saed->sigKey));
+	    if (rv == SECSuccess)
+		rv = sec_pkcs7_decoder_start_digests (p7dcx, depth,
+						      saed->digestAlgorithms);
+	    if (rv != SECSuccess)
+		SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
+
+	    break;
+	}
+
+	/*
+	 * Are we done?
+	 */
+	if (after && dest == &(saed->encContentInfo.encContent)) {
+	    /*
+	     * Close out the decryption and digests contexts.
+	     * We ignore any errors because we are stopping anyway;
+	     * the error status left behind in p7dcx will be seen by
+	     * outer functions.
+	     *
+	     * Note that the decrypt stuff must be called first;
+	     * it may have a last buffer to do which in turn has
+	     * to be added to the digest.
+	     */
+	    (void) sec_pkcs7_decoder_finish_decrypt (p7dcx, cinfo->poolp,
+						     &(saed->encContentInfo));
+	    (void) sec_pkcs7_decoder_finish_digests (p7dcx, cinfo->poolp,
+						     &(saed->digests));
+
+	    /*
+	     * XXX To handle nested contents, we would need to remove
+	     * the worker from the chain (and free it).
+	     */
+
+	    /*
+	     * Stop notify.
+	     */
+	    SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
+	}
+	break;
+
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+	digd = cinfo->content.digestedData;
+	
+	/* 
+	 * XXX Want to do the digest or not?  Maybe future enhancement...
+	 */
+	if (before && dest == &(digd->contentInfo.content.data)) {
+	    SEC_ASN1DecoderSetFilterProc (p7dcx->dcx, sec_pkcs7_decoder_filter,
+					  p7dcx,
+					  (PRBool)(p7dcx->cb != NULL));
+	    break;
+	}
+
+	/*
+	 * Are we done?
+	 */
+	if (after && dest == &(digd->contentInfo.content.data)) {
+	    SEC_ASN1DecoderClearFilterProc (p7dcx->dcx);
+	}
+	break;
+
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	encd = cinfo->content.encryptedData;
+
+	/*
+	 * XXX If the decryption key callback is set, we want to start
+	 * the decryption.  If the callback is not set, we will treat the
+	 * content as plain data, since we do not have the key.
+	 *
+	 * Is this the proper thing to do?
+	 */
+	if (before && dest == &(encd->encContentInfo.encContent)) {
+	    /*
+	     * Start the encryption process if the decryption key callback
+	     * is present.  Otherwise, treat the content like plain data.
+	     */
+	    rv = SECSuccess;
+	    if (p7dcx->dkcb != NULL) {
+		rv = sec_pkcs7_decoder_start_decrypt (p7dcx, depth, NULL,
+						      &(encd->encContentInfo),
+						      NULL);
+	    }
+
+	    if (rv != SECSuccess)
+		SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
+		
+	    break;
+	}
+
+	/*
+	 * Are we done?
+	 */
+	if (after && dest == &(encd->encContentInfo.encContent)) {
+	    /*
+	     * Close out the decryption context.  We ignore any error
+	     * because we are stopping anyway; the error status left
+	     * behind in p7dcx will be seen by outer functions.
+	     */
+	    (void) sec_pkcs7_decoder_finish_decrypt (p7dcx, cinfo->poolp,
+						     &(encd->encContentInfo));
+
+	    /*
+	     * Stop notify.
+	     */
+	    SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
+	}
+	break;
+
+      case SEC_OID_PKCS7_DATA:
+	/*
+	 * If a output callback has been specified, we want to set the filter
+	 * to call the callback.  This is taken care of in 
+	 * sec_pkcs7_decoder_start_decrypt() or 
+	 * sec_pkcs7_decoder_start_digests() for the other content types.
+	 */ 
+	
+	if (before && dest == &(cinfo->content.data)) {
+
+	    /* 
+	     * Set the filter proc up.
+	     */
+	    SEC_ASN1DecoderSetFilterProc (p7dcx->dcx,
+					  sec_pkcs7_decoder_filter,
+					  p7dcx,
+					  (PRBool)(p7dcx->cb != NULL));
+	    break;
+	}
+
+	if (after && dest == &(cinfo->content.data)) {
+	    /*
+	     * Time to clean up after ourself, stop the Notify and Filter
+	     * procedures.
+	     */
+	    SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
+	    SEC_ASN1DecoderClearFilterProc (p7dcx->dcx);
+	}
+	break;
+
+      default:
+	SEC_ASN1DecoderClearNotifyProc (p7dcx->dcx);
+	break;
+    }
+}
+
+
+SEC_PKCS7DecoderContext *
+SEC_PKCS7DecoderStart(SEC_PKCS7DecoderContentCallback cb, void *cb_arg,
+		      SECKEYGetPasswordKey pwfn, void *pwfn_arg,
+		      SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb, 
+		      void *decrypt_key_cb_arg,
+		      SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb)
+{
+    SEC_PKCS7DecoderContext *p7dcx;
+    SEC_ASN1DecoderContext *dcx;
+    SEC_PKCS7ContentInfo *cinfo;
+    PRArenaPool *poolp;
+
+    poolp = PORT_NewArena (1024);		/* XXX what is right value? */
+    if (poolp == NULL)
+	return NULL;
+
+    cinfo = (SEC_PKCS7ContentInfo*)PORT_ArenaZAlloc (poolp, sizeof(*cinfo));
+    if (cinfo == NULL) {
+	PORT_FreeArena (poolp, PR_FALSE);
+	return NULL;
+    }
+
+    cinfo->poolp = poolp;
+    cinfo->pwfn = pwfn;
+    cinfo->pwfn_arg = pwfn_arg;
+    cinfo->created = PR_FALSE;
+    cinfo->refCount = 1;
+
+    p7dcx = 
+      (SEC_PKCS7DecoderContext*)PORT_ZAlloc (sizeof(SEC_PKCS7DecoderContext));
+    if (p7dcx == NULL) {
+	PORT_FreeArena (poolp, PR_FALSE);
+	return NULL;
+    }
+
+    p7dcx->tmp_poolp = PORT_NewArena (1024);	/* XXX what is right value? */
+    if (p7dcx->tmp_poolp == NULL) {
+	PORT_Free (p7dcx);
+	PORT_FreeArena (poolp, PR_FALSE);
+	return NULL;
+    }
+
+    dcx = SEC_ASN1DecoderStart (poolp, cinfo, sec_PKCS7ContentInfoTemplate);
+    if (dcx == NULL) {
+	PORT_FreeArena (p7dcx->tmp_poolp, PR_FALSE);
+	PORT_Free (p7dcx);
+	PORT_FreeArena (poolp, PR_FALSE);
+	return NULL;
+    }
+
+    SEC_ASN1DecoderSetNotifyProc (dcx, sec_pkcs7_decoder_notify, p7dcx);
+
+    p7dcx->dcx = dcx;
+    p7dcx->cinfo = cinfo;
+    p7dcx->cb = cb;
+    p7dcx->cb_arg = cb_arg;
+    p7dcx->pwfn = pwfn;
+    p7dcx->pwfn_arg = pwfn_arg;
+    p7dcx->dkcb = decrypt_key_cb;
+    p7dcx->dkcb_arg = decrypt_key_cb_arg;
+    p7dcx->decrypt_allowed_cb = decrypt_allowed_cb;
+
+    return p7dcx;
+}
+
+
+/*
+ * Do the next chunk of PKCS7 decoding.  If there is a problem, set
+ * an error and return a failure status.  Note that in the case of
+ * an error, this routine is still prepared to be called again and
+ * again in case that is the easiest route for our caller to take.
+ * We simply detect it and do not do anything except keep setting
+ * that error in case our caller has not noticed it yet...
+ */
+SECStatus
+SEC_PKCS7DecoderUpdate(SEC_PKCS7DecoderContext *p7dcx,
+		       const char *buf, unsigned long len)
+{
+    if (p7dcx->cinfo != NULL && p7dcx->dcx != NULL) { 
+	PORT_Assert (p7dcx->error == 0);
+	if (p7dcx->error == 0) {
+	    if (SEC_ASN1DecoderUpdate (p7dcx->dcx, buf, len) != SECSuccess) {
+		p7dcx->error = PORT_GetError();
+		PORT_Assert (p7dcx->error);
+		if (p7dcx->error == 0)
+		    p7dcx->error = -1;
+	    }
+	}
+    }
+
+    if (p7dcx->error) {
+	if (p7dcx->dcx != NULL) {
+	    (void) SEC_ASN1DecoderFinish (p7dcx->dcx);
+	    p7dcx->dcx = NULL;
+	}
+	if (p7dcx->cinfo != NULL) {
+	    SEC_PKCS7DestroyContentInfo (p7dcx->cinfo);
+	    p7dcx->cinfo = NULL;
+	}
+	PORT_SetError (p7dcx->error);
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+
+SEC_PKCS7ContentInfo *
+SEC_PKCS7DecoderFinish(SEC_PKCS7DecoderContext *p7dcx)
+{
+    SEC_PKCS7ContentInfo *cinfo;
+
+    cinfo = p7dcx->cinfo;
+    if (p7dcx->dcx != NULL) {
+	if (SEC_ASN1DecoderFinish (p7dcx->dcx) != SECSuccess) {
+	    SEC_PKCS7DestroyContentInfo (cinfo);
+	    cinfo = NULL;
+	}
+    }
+    PORT_FreeArena (p7dcx->tmp_poolp, PR_FALSE);
+    PORT_Free (p7dcx);
+    return cinfo;
+}
+
+
+SEC_PKCS7ContentInfo *
+SEC_PKCS7DecodeItem(SECItem *p7item,
+		    SEC_PKCS7DecoderContentCallback cb, void *cb_arg,
+		    SECKEYGetPasswordKey pwfn, void *pwfn_arg,
+		    SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb, 
+		    void *decrypt_key_cb_arg,
+		    SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb)
+{
+    SEC_PKCS7DecoderContext *p7dcx;
+
+    p7dcx = SEC_PKCS7DecoderStart(cb, cb_arg, pwfn, pwfn_arg, decrypt_key_cb,
+				  decrypt_key_cb_arg, decrypt_allowed_cb);
+    (void) SEC_PKCS7DecoderUpdate(p7dcx, (char *) p7item->data, p7item->len);
+    return SEC_PKCS7DecoderFinish(p7dcx);
+}
+
+
+/*
+ * If the thing contains any certs or crls return true; false otherwise.
+ */
+PRBool
+SEC_PKCS7ContainsCertsOrCrls(SEC_PKCS7ContentInfo *cinfo)
+{
+    SECOidTag kind;
+    SECItem **certs;
+    CERTSignedCrl **crls;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      default:
+      case SEC_OID_PKCS7_DATA:
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	return PR_FALSE;
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	certs = cinfo->content.signedData->rawCerts;
+	crls = cinfo->content.signedData->crls;
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	certs = cinfo->content.signedAndEnvelopedData->rawCerts;
+	crls = cinfo->content.signedAndEnvelopedData->crls;
+	break;
+    }
+
+    /*
+     * I know this could be collapsed, but I was in a mood to be explicit.
+     */
+    if (certs != NULL && certs[0] != NULL)
+	return PR_TRUE;
+    else if (crls != NULL && crls[0] != NULL)
+	return PR_TRUE;
+    else
+	return PR_FALSE;
+}
+
+/* return the content length...could use GetContent, however we
+ * need the encrypted content length 
+ */
+PRBool
+SEC_PKCS7IsContentEmpty(SEC_PKCS7ContentInfo *cinfo, unsigned int minLen)
+{
+    SECItem *item = NULL;
+
+    if(cinfo == NULL) {
+	return PR_TRUE;
+    }
+
+    switch(SEC_PKCS7ContentType(cinfo)) 
+    {
+	case SEC_OID_PKCS7_DATA:
+	    item = cinfo->content.data;
+	    break;
+	case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	    item = &cinfo->content.encryptedData->encContentInfo.encContent;
+	    break;
+	default:
+	    /* add other types */
+	    return PR_FALSE;
+    }
+
+    if(!item) {
+	return PR_TRUE;
+    } else if(item->len <= minLen) {
+	return PR_TRUE;
+    }
+
+    return PR_FALSE;
+}
+
+
+PRBool
+SEC_PKCS7ContentIsEncrypted(SEC_PKCS7ContentInfo *cinfo)
+{
+    SECOidTag kind;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      default:
+      case SEC_OID_PKCS7_DATA:
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	return PR_FALSE;
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	return PR_TRUE;
+    }
+}
+
+
+/*
+ * If the PKCS7 content has a signature (not just *could* have a signature)
+ * return true; false otherwise.  This can/should be called before calling
+ * VerifySignature, which will always indicate failure if no signature is
+ * present, but that does not mean there even was a signature!
+ * Note that the content itself can be empty (detached content was sent
+ * another way); it is the presence of the signature that matters.
+ */
+PRBool
+SEC_PKCS7ContentIsSigned(SEC_PKCS7ContentInfo *cinfo)
+{
+    SECOidTag kind;
+    SEC_PKCS7SignerInfo **signerinfos;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      default:
+      case SEC_OID_PKCS7_DATA:
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	return PR_FALSE;
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	signerinfos = cinfo->content.signedData->signerInfos;
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	signerinfos = cinfo->content.signedAndEnvelopedData->signerInfos;
+	break;
+    }
+
+    /*
+     * I know this could be collapsed; but I kind of think it will get
+     * more complicated before I am finished, so...
+     */
+    if (signerinfos != NULL && signerinfos[0] != NULL)
+	return PR_TRUE;
+    else
+	return PR_FALSE;
+}
+
+
+/*
+ * SEC_PKCS7ContentVerifySignature
+ *	Look at a PKCS7 contentInfo and check if the signature is good.
+ *	The digest was either calculated earlier (and is stored in the
+ *	contentInfo itself) or is passed in via "detached_digest".
+ *
+ *	The verification checks that the signing cert is valid and trusted
+ *	for the purpose specified by "certusage".
+ *
+ *	In addition, if "keepcerts" is true, add any new certificates found
+ *	into our local database.
+ *
+ * XXX Each place which returns PR_FALSE should be sure to have a good
+ * error set for inspection by the caller.  Alternatively, we could create
+ * an enumeration of success and each type of failure and return that
+ * instead of a boolean.  For now, the default in a bad situation is to
+ * set the error to SEC_ERROR_PKCS7_BAD_SIGNATURE.  But this should be
+ * reviewed; better (more specific) errors should be possible (to distinguish
+ * a signature failure from a badly-formed pkcs7 signedData, for example).
+ * Some of the errors should probably just be SEC_ERROR_BAD_SIGNATURE,
+ * but that has a less helpful error string associated with it right now;
+ * if/when that changes, review and change these as needed.
+ *
+ * XXX This is broken wrt signedAndEnvelopedData.  In that case, the
+ * message digest is doubly encrypted -- first encrypted with the signer
+ * private key but then again encrypted with the bulk encryption key used
+ * to encrypt the content.  So before we can pass the digest to VerifyDigest,
+ * we need to decrypt it with the bulk encryption key.  Also, in this case,
+ * there should be NO authenticatedAttributes (signerinfo->authAttr should
+ * be NULL).
+ */
+static PRBool
+sec_pkcs7_verify_signature(SEC_PKCS7ContentInfo *cinfo,
+			   SECCertUsage certusage,
+			   SECItem *detached_digest,
+			   HASH_HashType digest_type,
+			   PRBool keepcerts)
+{
+    SECAlgorithmID **digestalgs, *bulkid;
+    SECItem *digest;
+    SECItem **digests;
+    SECItem **rawcerts;
+    CERTSignedCrl **crls;
+    SEC_PKCS7SignerInfo **signerinfos, *signerinfo;
+    CERTCertificate *cert, **certs;
+    PRBool goodsig;
+    CERTCertDBHandle *certdb, *defaultdb; 
+    SECOidData *algiddata;
+    int i, certcount;
+    SECKEYPublicKey *publickey;
+    SECItem *content_type;
+    PK11SymKey *sigkey;
+    SECItem *utc_stime;
+    int64 stime;
+    SECStatus rv;
+
+    /*
+     * Everything needed in order to "goto done" safely.
+     */
+    goodsig = PR_FALSE;
+    certcount = 0;
+    cert = NULL;
+    certs = NULL;
+    certdb = NULL;
+    defaultdb = CERT_GetDefaultCertDB();
+    publickey = NULL;
+
+    if (! SEC_PKCS7ContentIsSigned(cinfo)) {
+	PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	goto done;
+    }
+
+    PORT_Assert (cinfo->contentTypeTag != NULL);
+
+    switch (cinfo->contentTypeTag->offset) {
+      default:
+      case SEC_OID_PKCS7_DATA:
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	/* Could only get here if SEC_PKCS7ContentIsSigned is broken. */
+	PORT_Assert (0);
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	{
+	    SEC_PKCS7SignedData *sdp;
+
+	    sdp = cinfo->content.signedData;
+	    digestalgs = sdp->digestAlgorithms;
+	    digests = sdp->digests;
+	    rawcerts = sdp->rawCerts;
+	    crls = sdp->crls;
+	    signerinfos = sdp->signerInfos;
+	    content_type = &(sdp->contentInfo.contentType);
+	    sigkey = NULL;
+	    bulkid = NULL;
+	}
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7SignedAndEnvelopedData *saedp;
+
+	    saedp = cinfo->content.signedAndEnvelopedData;
+	    digestalgs = saedp->digestAlgorithms;
+	    digests = saedp->digests;
+	    rawcerts = saedp->rawCerts;
+	    crls = saedp->crls;
+	    signerinfos = saedp->signerInfos;
+	    content_type = &(saedp->encContentInfo.contentType);
+	    sigkey = saedp->sigKey;
+	    bulkid = &(saedp->encContentInfo.contentEncAlg);
+	}
+	break;
+    }
+
+    if ((signerinfos == NULL) || (signerinfos[0] == NULL)) {
+	PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	goto done;
+    }
+
+    /*
+     * XXX Need to handle multiple signatures; checking them is easy,
+     * but what should be the semantics here (like, return value)?
+     */
+    if (signerinfos[1] != NULL) {
+	PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	goto done;
+    }
+
+    signerinfo = signerinfos[0];
+
+    /*
+     * XXX I would like to just pass the issuerAndSN, along with the rawcerts
+     * and crls, to some function that did all of this certificate stuff
+     * (open/close the database if necessary, verifying the certs, etc.)
+     * and gave me back a cert pointer if all was good.
+     */
+    certdb = defaultdb;
+    if (certdb == NULL) {
+	goto done;
+    }
+
+    certcount = 0;
+    if (rawcerts != NULL) {
+	for (; rawcerts[certcount] != NULL; certcount++) {
+	    /* just counting */
+	}
+    }
+
+    /*
+     * Note that the result of this is that each cert in "certs"
+     * needs to be destroyed.
+     */
+    rv = CERT_ImportCerts(certdb, certusage, certcount, rawcerts, &certs,
+			  keepcerts, PR_FALSE, NULL);
+    if ( rv != SECSuccess ) {
+	goto done;
+    }
+
+    /*
+     * This cert will also need to be freed, but since we save it
+     * in signerinfo for later, we do not want to destroy it when
+     * we leave this function -- we let the clean-up of the entire
+     * cinfo structure later do the destroy of this cert.
+     */
+    cert = CERT_FindCertByIssuerAndSN(certdb, signerinfo->issuerAndSN);
+    if (cert == NULL) {
+	goto done;
+    }
+
+    signerinfo->cert = cert;
+
+    /*
+     * Get and convert the signing time; if available, it will be used
+     * both on the cert verification and for importing the sender
+     * email profile.
+     */
+    utc_stime = SEC_PKCS7GetSigningTime (cinfo);
+    if (utc_stime != NULL) {
+	if (DER_UTCTimeToTime (&stime, utc_stime) != SECSuccess)
+	    utc_stime = NULL;	/* conversion failed, so pretend none */
+    }
+
+    /*
+     * XXX  This uses the signing time, if available.  Additionally, we
+     * might want to, if there is no signing time, get the message time
+     * from the mail header itself, and use that.  That would require
+     * a change to our interface though, and for S/MIME callers to pass
+     * in a time (and for non-S/MIME callers to pass in nothing, or
+     * maybe make them pass in the current time, always?).
+     */
+    if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage,
+			 utc_stime != NULL ? stime : PR_Now(),
+			 cinfo->pwfn_arg, NULL) != SECSuccess)
+	{
+	/*
+	 * XXX Give the user an option to check the signature anyway?
+	 * If we want to do this, need to give a way to leave and display
+	 * some dialog and get the answer and come back through (or do
+	 * the rest of what we do below elsewhere, maybe by putting it
+	 * in a function that we call below and could call from a dialog
+	 * finish handler).
+	 */
+	goto savecert;
+    }
+
+    publickey = CERT_ExtractPublicKey (cert);
+    if (publickey == NULL)
+	goto done;
+
+    /*
+     * XXX No!  If digests is empty, see if we can create it now by
+     * digesting the contents.  This is necessary if we want to allow
+     * somebody to do a simple decode (without filtering, etc.) and
+     * then later call us here to do the verification.
+     * OR, we can just specify that the interface to this routine
+     * *requires* that the digest(s) be done before calling and either
+     * stashed in the struct itself or passed in explicitly (as would
+     * be done for detached contents).
+     */
+    if ((digests == NULL || digests[0] == NULL)
+	&& (detached_digest == NULL || detached_digest->data == NULL))
+	goto done;
+
+    /*
+     * Find and confirm digest algorithm.
+     */
+    algiddata = SECOID_FindOID (&(signerinfo->digestAlg.algorithm));
+
+    if (detached_digest != NULL) {
+	switch (digest_type) {
+	  default:
+	  case HASH_AlgNULL:
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	    goto done;
+	  case HASH_AlgMD2:
+	    PORT_Assert (detached_digest->len == MD2_LENGTH);
+	    if (algiddata->offset != SEC_OID_MD2) {
+		PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+		goto done;
+	    }
+	    break;
+	  case HASH_AlgMD5:
+	    PORT_Assert (detached_digest->len == MD5_LENGTH);
+	    if (algiddata->offset != SEC_OID_MD5) {
+		PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+		goto done;
+	    }
+	    break;
+	  case HASH_AlgSHA1:
+	    PORT_Assert (detached_digest->len == SHA1_LENGTH);
+	    if (algiddata->offset != SEC_OID_SHA1) {
+		PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+		goto done;
+	    }
+	    break;
+	}
+	digest = detached_digest;
+    } else {
+	PORT_Assert (digestalgs != NULL && digestalgs[0] != NULL);
+	if (digestalgs == NULL || digestalgs[0] == NULL) {
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	    goto done;
+	}
+
+	/*
+	 * pick digest matching signerinfo->digestAlg from digests
+	 */
+	if (algiddata == NULL) {
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	    goto done;
+	}
+	for (i = 0; digestalgs[i] != NULL; i++) {
+	    if (SECOID_FindOID (&(digestalgs[i]->algorithm)) == algiddata)
+		break;
+	}
+	if (digestalgs[i] == NULL) {
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	    goto done;
+	}
+
+	digest = digests[i];
+    }
+
+    /*
+     * XXX This may not be the right set of algorithms to check.
+     * I'd prefer to trust that just calling VFY_Verify{Data,Digest}
+     * would do the right thing (and set an error if it could not);
+     * then additional algorithms could be handled by that code
+     * and we would Just Work.  So this check should just be removed,
+     * but not until the VFY code is better at setting errors.
+     */
+    algiddata = SECOID_FindOID (&(signerinfo->digestEncAlg.algorithm));
+    if (algiddata == NULL ||
+	((algiddata->offset != SEC_OID_PKCS1_RSA_ENCRYPTION) &&
+	 (algiddata->offset != SEC_OID_ANSIX9_DSA_SIGNATURE))) {
+	PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	goto done;
+    }
+
+    if (signerinfo->authAttr != NULL) {
+	SEC_PKCS7Attribute *attr;
+	SECItem *value;
+	SECItem encoded_attrs;
+
+	/*
+	 * We have a sigkey only for signedAndEnvelopedData, which is
+	 * not supposed to have any authenticated attributes.
+	 */
+	if (sigkey != NULL) {
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	    goto done;
+	}
+
+	/*
+	 * PKCS #7 says that if there are any authenticated attributes,
+	 * then there must be one for content type which matches the
+	 * content type of the content being signed, and there must
+	 * be one for message digest which matches our message digest.
+	 * So check these things first.
+	 * XXX Might be nice to have a compare-attribute-value function
+	 * which could collapse the following nicely.
+	 */
+	attr = sec_PKCS7FindAttribute (signerinfo->authAttr,
+				       SEC_OID_PKCS9_CONTENT_TYPE, PR_TRUE);
+	value = sec_PKCS7AttributeValue (attr);
+	if (value == NULL || value->len != content_type->len) {
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	    goto done;
+	}
+	if (PORT_Memcmp (value->data, content_type->data, value->len) != 0) {
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	    goto done;
+	}
+
+	attr = sec_PKCS7FindAttribute (signerinfo->authAttr,
+				       SEC_OID_PKCS9_MESSAGE_DIGEST, PR_TRUE);
+	value = sec_PKCS7AttributeValue (attr);
+	if (value == NULL || value->len != digest->len) {
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	    goto done;
+	}
+	if (PORT_Memcmp (value->data, digest->data, value->len) != 0) {
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	    goto done;
+	}
+
+	/*
+	 * Okay, we met the constraints of the basic attributes.
+	 * Now check the signature, which is based on a digest of
+	 * the DER-encoded authenticated attributes.  So, first we
+	 * encode and then we digest/verify.
+	 */
+	encoded_attrs.data = NULL;
+	encoded_attrs.len = 0;
+	if (sec_PKCS7EncodeAttributes (NULL, &encoded_attrs,
+				       &(signerinfo->authAttr)) == NULL)
+	    goto done;
+
+	if (encoded_attrs.data == NULL || encoded_attrs.len == 0) {
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	    goto done;
+	}
+
+	goodsig = (PRBool)(VFY_VerifyData (encoded_attrs.data, 
+				   encoded_attrs.len,
+				   publickey, &(signerinfo->encDigest),
+				   SECOID_GetAlgorithmTag(&(signerinfo->digestEncAlg)),
+				   cinfo->pwfn_arg) == SECSuccess);
+	PORT_Free (encoded_attrs.data);
+    } else {
+	SECItem *sig;
+	SECItem holder;
+	SECStatus rv;
+
+	/*
+	 * No authenticated attributes.
+	 * The signature is based on the plain message digest.
+	 */
+
+	sig = &(signerinfo->encDigest);
+	if (sig->len == 0) {		/* bad signature */
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+	    goto done;
+	}
+
+	if (sigkey != NULL) {
+	    sec_PKCS7CipherObject *decryptobj;
+	    unsigned int buflen;
+
+	    /*
+	     * For signedAndEnvelopedData, we first must decrypt the encrypted
+	     * digest with the bulk encryption key.  The result is the normal
+	     * encrypted digest (aka the signature).
+	     */
+	    decryptobj = sec_PKCS7CreateDecryptObject (sigkey, bulkid);
+	    if (decryptobj == NULL)
+		goto done;
+
+	    buflen = sec_PKCS7DecryptLength (decryptobj, sig->len, PR_TRUE);
+	    PORT_Assert (buflen);
+	    if (buflen == 0) {		/* something is wrong */
+		sec_PKCS7DestroyDecryptObject (decryptobj);
+		goto done;
+	    }
+
+	    holder.data = (unsigned char*)PORT_Alloc (buflen);
+	    if (holder.data == NULL) {
+		sec_PKCS7DestroyDecryptObject (decryptobj);
+		goto done;
+	    }
+
+	    rv = sec_PKCS7Decrypt (decryptobj, holder.data, &holder.len, buflen,
+				   sig->data, sig->len, PR_TRUE);
+	    if (rv != SECSuccess) {
+		sec_PKCS7DestroyDecryptObject (decryptobj);
+		goto done;
+	    }
+
+	    sig = &holder;
+	}
+
+	goodsig = (PRBool)(VFY_VerifyDigest (digest, publickey, sig,
+				     SECOID_GetAlgorithmTag(&(signerinfo->digestEncAlg)),
+				     cinfo->pwfn_arg)
+		   == SECSuccess);
+
+	if (sigkey != NULL) {
+	    PORT_Assert (sig == &holder);
+	    PORT_ZFree (holder.data, holder.len);
+	}
+    }
+
+    if (! goodsig) {
+	/*
+	 * XXX Change the generic error into our specific one, because
+	 * in that case we get a better explanation out of the Security
+	 * Advisor.  This is really a bug in our error strings (the
+	 * "generic" error has a lousy/wrong message associated with it
+	 * which assumes the signature verification was done for the
+	 * purposes of checking the issuer signature on a certificate)
+	 * but this is at least an easy workaround and/or in the
+	 * Security Advisor, which specifically checks for the error
+	 * SEC_ERROR_PKCS7_BAD_SIGNATURE and gives more explanation
+	 * in that case but does not similarly check for
+	 * SEC_ERROR_BAD_SIGNATURE.  It probably should, but then would
+	 * probably say the wrong thing in the case that it *was* the
+	 * certificate signature check that failed during the cert
+	 * verification done above.  Our error handling is really a mess.
+	 */
+	if (PORT_GetError() == SEC_ERROR_BAD_SIGNATURE)
+	    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+    }
+
+savecert:
+    /*
+     * Only save the smime profile if we are checking an email message and
+     * the cert has an email address in it.
+     */
+    if ( ( cert->emailAddr != NULL ) &&
+	( ( certusage == certUsageEmailSigner ) ||
+	 ( certusage == certUsageEmailRecipient ) ) ) {
+	SECItem *profile = NULL;
+	int save_error;
+
+	/*
+	 * Remember the current error set because we do not care about
+	 * anything set by the functions we are about to call.
+	 */
+	save_error = PORT_GetError();
+
+	if (goodsig && (signerinfo->authAttr != NULL)) {
+	    /*
+	     * If the signature is good, then we can save the S/MIME profile,
+	     * if we have one.
+	     */
+	    SEC_PKCS7Attribute *attr;
+
+	    attr = sec_PKCS7FindAttribute (signerinfo->authAttr,
+					   SEC_OID_PKCS9_SMIME_CAPABILITIES,
+					   PR_TRUE);
+	    profile = sec_PKCS7AttributeValue (attr);
+	}
+
+	rv = CERT_SaveSMimeProfile (cert, profile, utc_stime);
+
+	/*
+	 * Restore the saved error in case the calls above set a new
+	 * one that we do not actually care about.
+	 */
+	PORT_SetError (save_error);
+
+	/*
+	 * XXX Failure is not indicated anywhere -- the signature
+	 * verification itself is unaffected by whether or not the
+	 * profile was successfully saved.
+	 */
+    }
+	
+
+done:
+
+    /*
+     * See comment above about why we do not want to destroy cert
+     * itself here.
+     */
+
+    if (certs != NULL)
+	CERT_DestroyCertArray (certs, certcount);
+
+    if (publickey != NULL)
+	SECKEY_DestroyPublicKey (publickey);
+
+    return goodsig;
+}
+
+/*
+ * SEC_PKCS7VerifySignature
+ *	Look at a PKCS7 contentInfo and check if the signature is good.
+ *	The verification checks that the signing cert is valid and trusted
+ *	for the purpose specified by "certusage".
+ *
+ *	In addition, if "keepcerts" is true, add any new certificates found
+ *	into our local database.
+ */
+PRBool
+SEC_PKCS7VerifySignature(SEC_PKCS7ContentInfo *cinfo,
+			 SECCertUsage certusage,
+			 PRBool keepcerts)
+{
+    return sec_pkcs7_verify_signature (cinfo, certusage,
+				       NULL, HASH_AlgNULL, keepcerts);
+}
+
+/*
+ * SEC_PKCS7VerifyDetachedSignature
+ *	Look at a PKCS7 contentInfo and check if the signature matches
+ *	a passed-in digest (calculated, supposedly, from detached contents).
+ *	The verification checks that the signing cert is valid and trusted
+ *	for the purpose specified by "certusage".
+ *
+ *	In addition, if "keepcerts" is true, add any new certificates found
+ *	into our local database.
+ */
+PRBool
+SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo,
+				 SECCertUsage certusage,
+				 SECItem *detached_digest,
+				 HASH_HashType digest_type,
+				 PRBool keepcerts)
+{
+    return sec_pkcs7_verify_signature (cinfo, certusage,
+				       detached_digest, digest_type,
+				       keepcerts);
+}
+
+
+/*
+ * Return the asked-for portion of the name of the signer of a PKCS7
+ * signed object.
+ *
+ * Returns a pointer to allocated memory, which must be freed.
+ * A NULL return value is an error.
+ */
+
+#define sec_common_name 1
+#define sec_email_address 2
+
+static char *
+sec_pkcs7_get_signer_cert_info(SEC_PKCS7ContentInfo *cinfo, int selector)
+{
+    SECOidTag kind;
+    SEC_PKCS7SignerInfo **signerinfos;
+    CERTCertificate *signercert;
+    char *container;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      default:
+      case SEC_OID_PKCS7_DATA:
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	PORT_Assert (0);
+	return NULL;
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	{
+	    SEC_PKCS7SignedData *sdp;
+
+	    sdp = cinfo->content.signedData;
+	    signerinfos = sdp->signerInfos;
+	}
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7SignedAndEnvelopedData *saedp;
+
+	    saedp = cinfo->content.signedAndEnvelopedData;
+	    signerinfos = saedp->signerInfos;
+	}
+	break;
+    }
+
+    if (signerinfos == NULL || signerinfos[0] == NULL)
+	return NULL;
+
+    signercert = signerinfos[0]->cert;
+
+    /*
+     * No cert there; see if we can find one by calling verify ourselves.
+     */
+    if (signercert == NULL) {
+	/*
+	 * The cert usage does not matter in this case, because we do not
+	 * actually care about the verification itself, but we have to pick
+	 * some valid usage to pass in.
+	 */
+	(void) sec_pkcs7_verify_signature (cinfo, certUsageEmailSigner,
+					   NULL, HASH_AlgNULL, PR_FALSE);
+	signercert = signerinfos[0]->cert;
+	if (signercert == NULL)
+	    return NULL;
+    }
+
+    switch (selector) {
+      case sec_common_name:
+	container = CERT_GetCommonName (&signercert->subject);
+	break;
+      case sec_email_address:
+	if(signercert->emailAddr) {
+	    container = PORT_Strdup(signercert->emailAddr);
+	} else {
+	    container = NULL;
+	}
+	break;
+      default:
+	PORT_Assert (0);
+	container = NULL;
+	break;
+    }
+
+    return container;
+}
+
+char *
+SEC_PKCS7GetSignerCommonName(SEC_PKCS7ContentInfo *cinfo)
+{
+    return sec_pkcs7_get_signer_cert_info(cinfo, sec_common_name);
+}
+
+char *
+SEC_PKCS7GetSignerEmailAddress(SEC_PKCS7ContentInfo *cinfo)
+{
+    return sec_pkcs7_get_signer_cert_info(cinfo, sec_email_address);
+}
+
+
+/*
+ * Return the signing time, in UTCTime format, of a PKCS7 contentInfo.
+ */
+SECItem *
+SEC_PKCS7GetSigningTime(SEC_PKCS7ContentInfo *cinfo)
+{
+    SEC_PKCS7SignerInfo **signerinfos;
+    SEC_PKCS7Attribute *attr;
+
+    if (SEC_PKCS7ContentType (cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
+	return NULL;
+
+    signerinfos = cinfo->content.signedData->signerInfos;
+
+    /*
+     * No signature, or more than one, means no deal.
+     */
+    if (signerinfos == NULL || signerinfos[0] == NULL || signerinfos[1] != NULL)
+	return NULL;
+
+    attr = sec_PKCS7FindAttribute (signerinfos[0]->authAttr,
+				   SEC_OID_PKCS9_SIGNING_TIME, PR_TRUE);
+    return sec_PKCS7AttributeValue (attr);
+}
diff --git a/security/nss/lib/pkcs7/p7encode.c b/security/nss/lib/pkcs7/p7encode.c
new file mode 100644
index 000000000..879a1b286
--- /dev/null
+++ b/security/nss/lib/pkcs7/p7encode.c
@@ -0,0 +1,1333 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * PKCS7 encoding.
+ *
+ * $Id$
+ */
+
+#include "nssrenam.h"
+
+#include "p7local.h"
+
+#include "cert.h"
+#include "cryptohi.h"
+#include "keyhi.h"
+#include "secasn1.h"
+#include "secoid.h"
+#include "secitem.h"
+#include "pk11func.h"
+#include "secerr.h"
+#include "sechash.h"	/* for HASH_GetHashObject() */
+
+struct sec_pkcs7_encoder_output {
+    SEC_PKCS7EncoderOutputCallback outputfn;
+    void *outputarg;
+};
+
+struct SEC_PKCS7EncoderContextStr {
+    SEC_ASN1EncoderContext *ecx;
+    SEC_PKCS7ContentInfo *cinfo;
+    struct sec_pkcs7_encoder_output output;
+    sec_PKCS7CipherObject *encryptobj;
+    const SECHashObject *digestobj;
+    void *digestcx;
+};
+
+
+/*
+ * The little output function that the ASN.1 encoder calls to hand
+ * us bytes which we in turn hand back to our caller (via the callback
+ * they gave us).
+ */
+static void
+sec_pkcs7_encoder_out(void *arg, const char *buf, unsigned long len,
+		      int depth, SEC_ASN1EncodingPart data_kind)
+{
+    struct sec_pkcs7_encoder_output *output;
+
+    output = (struct sec_pkcs7_encoder_output*)arg;
+    output->outputfn (output->outputarg, buf, len);
+}
+
+static sec_PKCS7CipherObject *
+sec_pkcs7_encoder_start_encrypt (SEC_PKCS7ContentInfo *cinfo,
+						 PK11SymKey *orig_bulkkey)
+{
+    SECOidTag kind;
+    sec_PKCS7CipherObject *encryptobj;
+    SEC_PKCS7RecipientInfo **recipientinfos, *ri;
+    SEC_PKCS7EncryptedContentInfo *enccinfo;
+    SEC_PKCS7SMIMEKEAParameters   keaParams;
+    SECKEYPublicKey *publickey = NULL;
+    SECKEYPrivateKey *ourPrivKey = NULL;
+    PK11SymKey  *bulkkey;
+    void *mark, *wincx;
+    int i;
+    PRArenaPool *arena = NULL;
+
+    /* Get the context in case we need it below. */
+    wincx = cinfo->pwfn_arg;
+
+    /* Clear keaParams, since cleanup code checks the lengths */
+    (void) memset(&keaParams, 0, sizeof(keaParams));
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      default:
+      case SEC_OID_PKCS7_DATA:
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	recipientinfos = NULL;
+	enccinfo = NULL;
+	break;
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	{
+	    SEC_PKCS7EncryptedData *encdp;
+
+	    /* To do EncryptedData we *must* be given a bulk key. */
+	    PORT_Assert (orig_bulkkey != NULL);
+	    if (orig_bulkkey == NULL) {
+		/* XXX error? */
+		return NULL;
+	    }
+
+	    encdp = cinfo->content.encryptedData;
+	    recipientinfos = NULL;
+	    enccinfo = &(encdp->encContentInfo);
+	}
+	break;
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7EnvelopedData *envdp;
+
+	    envdp = cinfo->content.envelopedData;
+	    recipientinfos = envdp->recipientInfos;
+	    enccinfo = &(envdp->encContentInfo);
+	}
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7SignedAndEnvelopedData *saedp;
+
+	    saedp = cinfo->content.signedAndEnvelopedData;
+	    recipientinfos = saedp->recipientInfos;
+	    enccinfo = &(saedp->encContentInfo);
+	}
+	break;
+    }
+
+    if (enccinfo == NULL)
+	return NULL;
+
+    bulkkey = orig_bulkkey;
+    if (bulkkey == NULL) {
+	CK_MECHANISM_TYPE type = PK11_AlgtagToMechanism(enccinfo->encalg);
+	PK11SlotInfo *slot;
+
+
+	slot = PK11_GetBestSlot(type,cinfo->pwfn_arg);
+	if (slot == NULL) {
+	    return NULL;
+	}
+	bulkkey = PK11_KeyGen(slot,type,NULL, enccinfo->keysize/8,
+			      cinfo->pwfn_arg);
+	PK11_FreeSlot(slot);
+	if (bulkkey == NULL) {
+	    return NULL;
+	}
+    }
+
+    encryptobj = NULL;
+    mark = PORT_ArenaMark (cinfo->poolp);
+
+    /*
+     * Encrypt the bulk key with the public key of each recipient.
+     */
+    for (i = 0; recipientinfos && (ri = recipientinfos[i]) != NULL; i++) {
+	CERTCertificate *cert;
+	SECOidTag certalgtag, encalgtag;
+	SECStatus rv;
+	int data_len;
+	SECItem *params = NULL;
+
+	cert = ri->cert;
+	PORT_Assert (cert != NULL);
+	if (cert == NULL)
+	    continue;
+
+	/*
+	 * XXX Want an interface that takes a cert and some data and
+	 * fills in an algorithmID and encrypts the data with the public
+	 * key from the cert.  Or, give me two interfaces -- one which
+	 * gets the algorithm tag from a cert (I should not have to go
+	 * down into the subjectPublicKeyInfo myself) and another which
+	 * takes a public key and algorithm tag and data and encrypts
+	 * the data.  Or something like that.  The point is that all
+	 * of the following hardwired RSA and KEA stuff should be done
+	 * elsewhere.
+	 */
+
+	certalgtag=SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
+
+	switch (certalgtag) {
+	case SEC_OID_PKCS1_RSA_ENCRYPTION:
+	    encalgtag = certalgtag;
+	    publickey = CERT_ExtractPublicKey (cert);
+	    if (publickey == NULL) goto loser;
+		
+	    data_len = SECKEY_PublicKeyStrength(publickey);
+	    ri->encKey.data = 
+	        (unsigned char*)PORT_ArenaAlloc(cinfo->poolp ,data_len);
+	    ri->encKey.len = data_len;
+	    if (ri->encKey.data == NULL) goto loser;
+
+	    rv = PK11_PubWrapSymKey(PK11_AlgtagToMechanism(certalgtag),publickey,
+				bulkkey,&ri->encKey);
+
+	    SECKEY_DestroyPublicKey(publickey);
+	    publickey = NULL;
+	    if (rv != SECSuccess) goto loser;
+	    params = NULL; /* paranoia */
+	    break;
+	/* ### mwelch -- KEA */ 
+      case SEC_OID_MISSI_KEA_DSS_OLD:
+      case SEC_OID_MISSI_KEA_DSS:
+      case SEC_OID_MISSI_KEA:
+	    {
+#define SMIME_FORTEZZA_RA_LENGTH 128
+#define SMIME_FORTEZZA_IV_LENGTH 24
+#define SMIME_FORTEZZA_MAX_KEY_SIZE 256
+		SECStatus err;
+		PK11SymKey *tek;
+		CERTCertificate *ourCert;
+		SECKEYPublicKey *ourPubKey;
+		SECKEATemplateSelector whichKEA = SECKEAInvalid;
+
+		/* We really want to show our KEA tag as the
+		   key exchange algorithm tag. */
+		encalgtag = SEC_OID_NETSCAPE_SMIME_KEA;
+
+		/* Get the public key of the recipient. */
+		publickey = CERT_ExtractPublicKey(cert);
+		if (publickey == NULL) goto loser;
+
+		/* Find our own cert, and extract its keys. */
+		ourCert = PK11_FindBestKEAMatch(cert,wincx);
+		if (ourCert == NULL) goto loser;
+
+		arena = PORT_NewArena(1024);
+		if (arena == NULL) goto loser;
+
+		ourPubKey = CERT_ExtractPublicKey(ourCert);
+		if (ourPubKey == NULL)
+		{
+		    CERT_DestroyCertificate(ourCert);
+		    goto loser;
+		}
+
+		/* While we're here, copy the public key into the outgoing
+		 * KEA parameters. */
+		SECITEM_CopyItem(arena, &(keaParams.originatorKEAKey),
+				 &(ourPubKey->u.fortezza.KEAKey));
+		SECKEY_DestroyPublicKey(ourPubKey);
+		ourPubKey = NULL;
+
+		/* Extract our private key in order to derive the 
+		 * KEA key. */
+		ourPrivKey = PK11_FindKeyByAnyCert(ourCert,wincx);
+		CERT_DestroyCertificate(ourCert); /* we're done with this */
+		if (!ourPrivKey) goto loser;
+
+		/* Prepare raItem with 128 bytes (filled with zeros). */
+		keaParams.originatorRA.data = 
+		  (unsigned char*)PORT_ArenaAlloc(arena,SMIME_FORTEZZA_RA_LENGTH);
+		keaParams.originatorRA.len = SMIME_FORTEZZA_RA_LENGTH;
+
+
+		/* Generate the TEK (token exchange key) which we use
+		 * to wrap the bulk encryption key. (raItem) will be
+		 * filled with a random seed which we need to send to
+		 * the recipient. */
+		tek = PK11_PubDerive(ourPrivKey, publickey, PR_TRUE,
+				     &keaParams.originatorRA, NULL,
+				     CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
+				     CKA_WRAP, 0, wincx);
+
+		    SECKEY_DestroyPublicKey(publickey);
+		    SECKEY_DestroyPrivateKey(ourPrivKey);
+		    publickey = NULL;
+		    ourPrivKey = NULL;
+		
+		if (!tek)
+		    goto loser;
+
+		ri->encKey.data = (unsigned char*)PORT_ArenaAlloc(cinfo->poolp,
+						  SMIME_FORTEZZA_MAX_KEY_SIZE);
+		ri->encKey.len = SMIME_FORTEZZA_MAX_KEY_SIZE;
+
+		if (ri->encKey.data == NULL)
+		{
+		    PK11_FreeSymKey(tek);
+		    goto loser;
+		}
+
+		/* Wrap the bulk key. What we do with the resulting data
+		   depends on whether we're using Skipjack to wrap the key. */
+		switch(PK11_AlgtagToMechanism(enccinfo->encalg))
+		{
+		case CKM_SKIPJACK_CBC64:
+		case CKM_SKIPJACK_ECB64:
+		case CKM_SKIPJACK_OFB64:
+		case CKM_SKIPJACK_CFB64:
+		case CKM_SKIPJACK_CFB32:
+		case CKM_SKIPJACK_CFB16:
+		case CKM_SKIPJACK_CFB8:
+		    /* do SKIPJACK, we use the wrap mechanism */
+		    err = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, 
+				      tek, bulkkey, &ri->encKey);
+		    whichKEA = SECKEAUsesSkipjack;
+		    break;
+		default:
+		    /* Not SKIPJACK, we encrypt the raw key data */
+		    keaParams.nonSkipjackIV .data = 
+		      (unsigned char*)PORT_ArenaAlloc(arena,
+						     SMIME_FORTEZZA_IV_LENGTH);
+		    keaParams.nonSkipjackIV.len = SMIME_FORTEZZA_IV_LENGTH;
+		    err = PK11_WrapSymKey(CKM_SKIPJACK_CBC64,
+					  &keaParams.nonSkipjackIV, 
+				          tek, bulkkey, &ri->encKey);
+		    if (err != SECSuccess)
+			goto loser;
+
+		    if (ri->encKey.len != PK11_GetKeyLength(bulkkey))
+		    {
+			/* The size of the encrypted key is not the same as
+			   that of the original bulk key, presumably due to
+			   padding. Encode and store the real size of the
+			   bulk key. */
+			if (SEC_ASN1EncodeInteger(arena, 
+						  &keaParams.bulkKeySize,
+						  PK11_GetKeyLength(bulkkey))
+			    == NULL)
+			    err = (SECStatus)PORT_GetError();
+			else
+			    /* use full template for encoding */
+			    whichKEA = SECKEAUsesNonSkipjackWithPaddedEncKey;
+		    }
+		    else
+			/* enc key length == bulk key length */
+			whichKEA = SECKEAUsesNonSkipjack; 
+		    break;
+		}
+
+		PK11_FreeSymKey(tek);
+		if (err != SECSuccess)
+		    goto loser;
+
+		PORT_Assert( whichKEA != SECKEAInvalid);
+
+		/* Encode the KEA parameters into the recipient info. */
+		params = SEC_ASN1EncodeItem(arena,NULL, &keaParams, 
+				      sec_pkcs7_get_kea_template(whichKEA));
+		if (params == NULL) goto loser;
+		break;
+	    }
+	default:
+	    PORT_SetError (SEC_ERROR_INVALID_ALGORITHM);
+	    goto loser;
+	}
+
+	rv = SECOID_SetAlgorithmID(cinfo->poolp, &ri->keyEncAlg, encalgtag, 
+			params);
+	if (rv != SECSuccess)
+	    goto loser;
+	if (arena) PORT_FreeArena(arena,PR_FALSE);
+	arena = NULL;
+    }
+
+    encryptobj = sec_PKCS7CreateEncryptObject (cinfo->poolp, bulkkey,
+					       enccinfo->encalg,
+					       &(enccinfo->contentEncAlg));
+    if (encryptobj != NULL) {
+	PORT_ArenaUnmark (cinfo->poolp, mark);
+	mark = NULL;		/* good one; do not want to release */
+    }
+    /* fallthru */
+
+loser:
+    if (arena) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    if (publickey) {
+        SECKEY_DestroyPublicKey(publickey);
+    }
+    if (ourPrivKey) {
+        SECKEY_DestroyPrivateKey(ourPrivKey);
+    }
+    if (mark != NULL) {
+	PORT_ArenaRelease (cinfo->poolp, mark);
+    }
+    if (orig_bulkkey == NULL) {
+	if (bulkkey) PK11_FreeSymKey(bulkkey);
+    }
+
+    return encryptobj;
+}
+
+
+static void
+sec_pkcs7_encoder_notify (void *arg, PRBool before, void *dest, int depth)
+{
+    SEC_PKCS7EncoderContext *p7ecx;
+    SEC_PKCS7ContentInfo *cinfo;
+    SECOidTag kind;
+    PRBool before_content;
+
+    /*
+     * We want to notice just before the content field.  After fields are
+     * not interesting to us.
+     */
+    if (!before)
+	return;
+
+    p7ecx = (SEC_PKCS7EncoderContext*)arg;
+    cinfo = p7ecx->cinfo;
+
+    before_content = PR_FALSE;
+
+    /*
+     * Watch for the content field, at which point we want to instruct
+     * the ASN.1 encoder to start taking bytes from the buffer.
+     *
+     * XXX The following assumes the inner content type is data;
+     * if/when we want to handle fully nested types, this will have
+     * to recurse until reaching the innermost data content.
+     */
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      default:
+      case SEC_OID_PKCS7_DATA:
+	if (dest == &(cinfo->content.data))
+	    before_content = PR_TRUE;
+	break;
+
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+	{
+	    SEC_PKCS7DigestedData *digd;
+
+	    digd = cinfo->content.digestedData;
+	    if (digd == NULL)
+		break;
+
+	    if (dest == &(digd->contentInfo.content))
+		before_content = PR_TRUE;
+	}
+	break;
+
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	{
+	    SEC_PKCS7EncryptedData *encd;
+
+	    encd = cinfo->content.encryptedData;
+	    if (encd == NULL)
+		break;
+
+	    if (dest == &(encd->encContentInfo.encContent))
+		before_content = PR_TRUE;
+	}
+	break;
+
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7EnvelopedData *envd;
+
+	    envd = cinfo->content.envelopedData;
+	    if (envd == NULL)
+		break;
+
+	    if (dest == &(envd->encContentInfo.encContent))
+		before_content = PR_TRUE;
+	}
+	break;
+
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	{
+	    SEC_PKCS7SignedData *sigd;
+
+	    sigd = cinfo->content.signedData;
+	    if (sigd == NULL)
+		break;
+
+	    if (dest == &(sigd->contentInfo.content))
+		before_content = PR_TRUE;
+	}
+	break;
+
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7SignedAndEnvelopedData *saed;
+
+	    saed = cinfo->content.signedAndEnvelopedData;
+	    if (saed == NULL)
+		break;
+
+	    if (dest == &(saed->encContentInfo.encContent))
+		before_content = PR_TRUE;
+	}
+	break;
+    }
+
+    if (before_content) {
+	/*
+	 * This will cause the next SEC_ASN1EncoderUpdate to take the
+	 * contents bytes from the passed-in buffer.
+	 */
+	SEC_ASN1EncoderSetTakeFromBuf (p7ecx->ecx);
+	/*
+	 * And that is all we needed this notify function for.
+	 */
+	SEC_ASN1EncoderClearNotifyProc (p7ecx->ecx);
+    }
+}
+
+
+static SEC_PKCS7EncoderContext *
+sec_pkcs7_encoder_start_contexts (SEC_PKCS7ContentInfo *cinfo,
+				  PK11SymKey *bulkkey)
+{
+    SEC_PKCS7EncoderContext *p7ecx;
+    SECOidTag kind;
+    PRBool encrypt;
+    SECItem **digests;
+    SECAlgorithmID *digestalg, **digestalgs;
+
+    p7ecx = 
+      (SEC_PKCS7EncoderContext*)PORT_ZAlloc (sizeof(SEC_PKCS7EncoderContext));
+    if (p7ecx == NULL)
+	return NULL;
+
+    digests = NULL;
+    digestalg = NULL;
+    digestalgs = NULL;
+    encrypt = PR_FALSE;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      default:
+      case SEC_OID_PKCS7_DATA:
+	break;
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+	digestalg = &(cinfo->content.digestedData->digestAlg);
+	break;
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	digests = cinfo->content.signedData->digests;
+	digestalgs = cinfo->content.signedData->digestAlgorithms;
+	break;
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+	encrypt = PR_TRUE;
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	digests = cinfo->content.signedAndEnvelopedData->digests;
+	digestalgs = cinfo->content.signedAndEnvelopedData->digestAlgorithms;
+	encrypt = PR_TRUE;
+	break;
+    }
+
+    if (encrypt) {
+	p7ecx->encryptobj = sec_pkcs7_encoder_start_encrypt (cinfo, bulkkey);
+	if (p7ecx->encryptobj == NULL) {
+	    PORT_Free (p7ecx);
+	    return NULL;
+	}
+    }
+
+    if (digestalgs != NULL) {
+	if (digests != NULL) {
+	    /* digests already created (probably for detached data) */
+	    digestalg = NULL;
+	} else {
+	    /*
+	     * XXX Some day we should handle multiple digests; for now,
+	     * assume only one will be done.
+	     */
+	    PORT_Assert (digestalgs[0] != NULL && digestalgs[1] == NULL);
+	    digestalg = digestalgs[0];
+	}
+    }
+
+    if (digestalg != NULL) {
+	SECOidData *oiddata;
+
+	oiddata = SECOID_FindOID (&(digestalg->algorithm));
+	if (oiddata != NULL) {
+	    switch (oiddata->offset) {
+	      case SEC_OID_MD2:
+		p7ecx->digestobj = HASH_GetHashObject(HASH_AlgMD2);
+		break;
+	      case SEC_OID_MD5:
+		p7ecx->digestobj = HASH_GetHashObject(HASH_AlgMD5);
+		break;
+	      case SEC_OID_SHA1:
+		p7ecx->digestobj = HASH_GetHashObject(HASH_AlgSHA1);
+		break;
+	      default:
+		/* XXX right error? */
+		PORT_SetError (SEC_ERROR_INVALID_ALGORITHM);
+		break;
+	    }
+	}
+	if (p7ecx->digestobj != NULL) {
+	    p7ecx->digestcx = (* p7ecx->digestobj->create) ();
+	    if (p7ecx->digestcx == NULL)
+		p7ecx->digestobj = NULL;
+	    else
+		(* p7ecx->digestobj->begin) (p7ecx->digestcx);
+	}
+	if (p7ecx->digestobj == NULL) {
+	    if (p7ecx->encryptobj != NULL)
+		sec_PKCS7DestroyEncryptObject (p7ecx->encryptobj);
+	    PORT_Free (p7ecx);
+	    return NULL;
+	}
+    }
+
+    p7ecx->cinfo = cinfo;
+    return p7ecx;
+}
+
+
+SEC_PKCS7EncoderContext *
+SEC_PKCS7EncoderStart (SEC_PKCS7ContentInfo *cinfo,
+		       SEC_PKCS7EncoderOutputCallback outputfn,
+		       void *outputarg,
+		       PK11SymKey *bulkkey)
+{
+    SEC_PKCS7EncoderContext *p7ecx;
+    SECStatus rv;
+
+    p7ecx = sec_pkcs7_encoder_start_contexts (cinfo, bulkkey);
+    if (p7ecx == NULL)
+	return NULL;
+
+    p7ecx->output.outputfn = outputfn;
+    p7ecx->output.outputarg = outputarg;
+
+    /*
+     * Initialize the BER encoder.
+     */
+    p7ecx->ecx = SEC_ASN1EncoderStart (cinfo, sec_PKCS7ContentInfoTemplate,
+				       sec_pkcs7_encoder_out, &(p7ecx->output));
+    if (p7ecx->ecx == NULL) {
+	PORT_Free (p7ecx);
+	return NULL;
+    }
+
+    /*
+     * Indicate that we are streaming.  We will be streaming until we
+     * get past the contents bytes.
+     */
+    SEC_ASN1EncoderSetStreaming (p7ecx->ecx);
+
+    /*
+     * The notify function will watch for the contents field.
+     */
+    SEC_ASN1EncoderSetNotifyProc (p7ecx->ecx, sec_pkcs7_encoder_notify, p7ecx);
+
+    /*
+     * This will encode everything up to the content bytes.  (The notify
+     * function will then cause the encoding to stop there.)  Then our
+     * caller can start passing contents bytes to our Update, which we
+     * will pass along.
+     */
+    rv = SEC_ASN1EncoderUpdate (p7ecx->ecx, NULL, 0);
+    if (rv != SECSuccess) {
+	PORT_Free (p7ecx);
+	return NULL;
+    }
+
+    return p7ecx;
+}
+
+
+/*
+ * XXX If/when we support nested contents, this needs to be revised.
+ */
+static SECStatus
+sec_pkcs7_encoder_work_data (SEC_PKCS7EncoderContext *p7ecx, SECItem *dest,
+			     const unsigned char *data, unsigned long len,
+			     PRBool final)
+{
+    unsigned char *buf = NULL;
+    SECStatus rv;
+
+
+    rv = SECSuccess;		/* may as well be optimistic */
+
+    /*
+     * We should really have data to process, or we should be trying
+     * to finish/flush the last block.  (This is an overly paranoid
+     * check since all callers are in this file and simple inspection
+     * proves they do it right.  But it could find a bug in future
+     * modifications/development, that is why it is here.)
+     */
+    PORT_Assert ((data != NULL && len) || final);
+
+    /*
+     * Update the running digest.
+     * XXX This needs modification if/when we handle multiple digests.
+     */
+    if (len && p7ecx->digestobj != NULL) {
+	(* p7ecx->digestobj->update) (p7ecx->digestcx, data, len);
+    }
+
+    /*
+     * Encrypt this chunk.
+     */
+    if (p7ecx->encryptobj != NULL) {
+	/* XXX the following lengths should all be longs? */
+	unsigned int inlen;	/* length of data being encrypted */
+	unsigned int outlen;	/* length of encrypted data */
+	unsigned int buflen;	/* length available for encrypted data */
+
+	inlen = len;
+	buflen = sec_PKCS7EncryptLength (p7ecx->encryptobj, inlen, final);
+	if (buflen == 0) {
+	    /*
+	     * No output is expected, but the input data may be buffered
+	     * so we still have to call Encrypt.
+	     */
+	    rv = sec_PKCS7Encrypt (p7ecx->encryptobj, NULL, NULL, 0,
+				   data, inlen, final);
+	    if (final) {
+		len = 0;
+		goto done;
+	    }
+	    return rv;
+	}
+
+	if (dest != NULL)
+	    buf = (unsigned char*)PORT_ArenaAlloc(p7ecx->cinfo->poolp, buflen);
+	else
+	    buf = (unsigned char*)PORT_Alloc (buflen);
+
+	if (buf == NULL) {
+	    rv = SECFailure;
+	} else {
+	    rv = sec_PKCS7Encrypt (p7ecx->encryptobj, buf, &outlen, buflen,
+				   data, inlen, final);
+	    data = buf;
+	    len = outlen;
+	}
+	if (rv != SECSuccess) {
+	    if (final)
+		goto done;
+	    return rv;
+	}
+    }
+
+    if (p7ecx->ecx != NULL) {
+	/*
+	 * Encode the contents bytes.
+	 */
+	if(len) {
+	    rv = SEC_ASN1EncoderUpdate (p7ecx->ecx, (const char *)data, len);
+	}
+    }
+
+done:
+    if (p7ecx->encryptobj != NULL) {
+	if (final)
+	    sec_PKCS7DestroyEncryptObject (p7ecx->encryptobj);
+	if (dest != NULL) {
+	    dest->data = buf;
+	    dest->len = len;
+	} else if (buf != NULL) {
+	    PORT_Free (buf);
+	}
+    }
+
+    if (final && p7ecx->digestobj != NULL) {
+	SECItem *digest, **digests, ***digestsp;
+	unsigned char *digdata;
+	SECOidTag kind;
+
+	kind = SEC_PKCS7ContentType (p7ecx->cinfo);
+	switch (kind) {
+	  default:
+	    PORT_Assert (0);
+	    return SECFailure;
+	  case SEC_OID_PKCS7_DIGESTED_DATA:
+	    digest = &(p7ecx->cinfo->content.digestedData->digest);
+	    digestsp = NULL;
+	    break;
+	  case SEC_OID_PKCS7_SIGNED_DATA:
+	    digest = NULL;
+	    digestsp = &(p7ecx->cinfo->content.signedData->digests);
+	    break;
+	  case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	    digest = NULL;
+	    digestsp = &(p7ecx->cinfo->content.signedAndEnvelopedData->digests);
+	    break;
+	}
+
+	digdata = (unsigned char*)PORT_ArenaAlloc (p7ecx->cinfo->poolp,
+				   p7ecx->digestobj->length);
+	if (digdata == NULL)
+	    return SECFailure;
+
+	if (digestsp != NULL) {
+	    PORT_Assert (digest == NULL);
+
+	    digest = (SECItem*)PORT_ArenaAlloc (p7ecx->cinfo->poolp, 
+						sizeof(SECItem));
+	    digests = (SECItem**)PORT_ArenaAlloc (p7ecx->cinfo->poolp,
+				       2 * sizeof(SECItem *));
+	    if (digests == NULL || digest == NULL)
+		return SECFailure;
+
+	    digests[0] = digest;
+	    digests[1] = NULL;
+
+	    *digestsp = digests;
+	}
+
+	PORT_Assert (digest != NULL);
+
+	digest->data = digdata;
+	digest->len = p7ecx->digestobj->length;
+
+	(* p7ecx->digestobj->end) (p7ecx->digestcx, digest->data,
+				   &(digest->len), digest->len);
+	(* p7ecx->digestobj->destroy) (p7ecx->digestcx, PR_TRUE);
+    }
+
+    return rv;
+}
+
+
+SECStatus
+SEC_PKCS7EncoderUpdate (SEC_PKCS7EncoderContext *p7ecx,
+			const char *data, unsigned long len)
+{
+    /* XXX Error handling needs help.  Return what?  Do "Finish" on failure? */
+    return sec_pkcs7_encoder_work_data (p7ecx, NULL,
+					(const unsigned char *)data, len,
+					PR_FALSE);
+}
+
+
+/*
+ * XXX I would *really* like to not have to do this, but the current
+ * signing interface gives me little choice.
+ */
+static SECOidTag
+sec_pkcs7_pick_sign_alg (SECOidTag hashalg, SECOidTag encalg)
+{
+    switch (encalg) {
+      case SEC_OID_PKCS1_RSA_ENCRYPTION:
+	switch (hashalg) {
+	  case SEC_OID_MD2:
+	    return SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;
+	  case SEC_OID_MD5:
+	    return SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
+	  case SEC_OID_SHA1:
+	    return SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
+	  default:
+	    return SEC_OID_UNKNOWN;
+	}
+      case SEC_OID_ANSIX9_DSA_SIGNATURE:
+      case SEC_OID_MISSI_KEA_DSS:
+      case SEC_OID_MISSI_DSS:
+	switch (hashalg) {
+	  case SEC_OID_SHA1:
+	    return SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
+	  default:
+	    return SEC_OID_UNKNOWN;
+	}
+      default:
+	break;
+    }
+
+    return encalg;		/* maybe it is already the right algid */
+}
+
+
+static SECStatus
+sec_pkcs7_encoder_sig_and_certs (SEC_PKCS7ContentInfo *cinfo,
+				 SECKEYGetPasswordKey pwfn, void *pwfnarg)
+{
+    SECOidTag kind;
+    CERTCertificate **certs;
+    CERTCertificateList **certlists;
+    SECAlgorithmID **digestalgs;
+    SECItem **digests;
+    SEC_PKCS7SignerInfo *signerinfo, **signerinfos;
+    SECItem **rawcerts, ***rawcertsp;
+    PRArenaPool *poolp;
+    int certcount;
+    int ci, cli, rci, si;
+
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      default:
+      case SEC_OID_PKCS7_DATA:
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+	certs = NULL;
+	certlists = NULL;
+	digestalgs = NULL;
+	digests = NULL;
+	signerinfos = NULL;
+	rawcertsp = NULL;
+	break;
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	{
+	    SEC_PKCS7SignedData *sdp;
+
+	    sdp = cinfo->content.signedData;
+	    certs = sdp->certs;
+	    certlists = sdp->certLists;
+	    digestalgs = sdp->digestAlgorithms;
+	    digests = sdp->digests;
+	    signerinfos = sdp->signerInfos;
+	    rawcertsp = &(sdp->rawCerts);
+	}
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	{
+	    SEC_PKCS7SignedAndEnvelopedData *saedp;
+
+	    saedp = cinfo->content.signedAndEnvelopedData;
+	    certs = saedp->certs;
+	    certlists = saedp->certLists;
+	    digestalgs = saedp->digestAlgorithms;
+	    digests = saedp->digests;
+	    signerinfos = saedp->signerInfos;
+	    rawcertsp = &(saedp->rawCerts);
+	}
+	break;
+    }
+
+    if (certs == NULL && certlists == NULL && signerinfos == NULL)
+	return SECSuccess;		/* nothing for us to do! */
+
+    poolp = cinfo->poolp;
+    certcount = 0;
+
+    if (signerinfos != NULL) {
+	SECOidTag digestalgtag;
+	int di;
+	SECStatus rv;
+	CERTCertificate *cert;
+	SECKEYPrivateKey *privkey;
+	SECItem signature;
+	SECOidTag signalgtag;
+
+	PORT_Assert (digestalgs != NULL && digests != NULL);
+
+	/*
+	 * If one fails, we bail right then.  If we want to continue and
+	 * try to do subsequent signatures, this loop, and the departures
+	 * from it, will need to be reworked.
+	 */
+	for (si = 0; signerinfos[si] != NULL; si++) {
+
+	    signerinfo = signerinfos[si];
+
+	    /* find right digest */
+	    digestalgtag = SECOID_GetAlgorithmTag (&(signerinfo->digestAlg));
+	    for (di = 0; digestalgs[di] != NULL; di++) {
+		/* XXX Should I be comparing more than the tag? */
+		if (digestalgtag == SECOID_GetAlgorithmTag (digestalgs[di]))
+		    break;
+	    }
+	    if (digestalgs[di] == NULL) {
+		/* XXX oops; do what? set an error? */
+		return SECFailure;
+	    }
+	    PORT_Assert (digests[di] != NULL);
+
+	    cert = signerinfo->cert;
+	    privkey = PK11_FindKeyByAnyCert (cert, pwfnarg);
+	    if (privkey == NULL)
+		return SECFailure;
+
+	    /*
+	     * XXX I think there should be a cert-level interface for this,
+	     * so that I do not have to know about subjectPublicKeyInfo...
+	     */
+	    signalgtag = SECOID_GetAlgorithmTag (&(cert->subjectPublicKeyInfo.algorithm));
+
+	    /* Fortezza MISSI have weird signature formats.  Map them
+	     * to standard DSA formats */
+	    signalgtag = PK11_FortezzaMapSig(signalgtag);
+
+	    if (signerinfo->authAttr != NULL) {
+		SEC_PKCS7Attribute *attr;
+		SECItem encoded_attrs;
+		SECItem *dummy;
+
+		/*
+		 * First, find and fill in the message digest attribute.
+		 */
+		attr = sec_PKCS7FindAttribute (signerinfo->authAttr,
+					       SEC_OID_PKCS9_MESSAGE_DIGEST,
+					       PR_TRUE);
+		PORT_Assert (attr != NULL);
+		if (attr == NULL) {
+		    SECKEY_DestroyPrivateKey (privkey);
+		    return SECFailure;
+		}
+
+		/*
+		 * XXX The second half of the following assertion prevents
+		 * the encoder from being called twice on the same content.
+		 * Either just remove the second half the assertion, or
+		 * change the code to check if the value already there is
+		 * the same as digests[di], whichever seems more right.
+		 */
+		PORT_Assert (attr->values != NULL && attr->values[0] == NULL);
+		attr->values[0] = digests[di];
+
+		/*
+		 * Before encoding, reorder the attributes so that when they
+		 * are encoded, they will be conforming DER, which is required
+		 * to have a specific order and that is what must be used for
+		 * the hash/signature.  We do this here, rather than building
+		 * it into EncodeAttributes, because we do not want to do
+		 * such reordering on incoming messages (which also uses
+		 * EncodeAttributes) or our old signatures (and other "broken"
+		 * implementations) will not verify.  So, we want to guarantee
+		 * that we send out good DER encodings of attributes, but not
+		 * to expect to receive them.
+		 */
+		rv = sec_PKCS7ReorderAttributes (signerinfo->authAttr);
+		if (rv != SECSuccess) {
+		    SECKEY_DestroyPrivateKey (privkey);
+		    return SECFailure;
+		}
+
+		encoded_attrs.data = NULL;
+		encoded_attrs.len = 0;
+		dummy = sec_PKCS7EncodeAttributes (NULL, &encoded_attrs,
+						   &(signerinfo->authAttr));
+		if (dummy == NULL) {
+		    SECKEY_DestroyPrivateKey (privkey);
+		    return SECFailure;
+		}
+
+		rv = SEC_SignData (&signature,
+				   encoded_attrs.data, encoded_attrs.len,
+				   privkey,
+				   sec_pkcs7_pick_sign_alg (digestalgtag,
+							    signalgtag));
+		SECITEM_FreeItem (&encoded_attrs, PR_FALSE);
+	    } else {
+		rv = SGN_Digest (privkey, digestalgtag, &signature,
+				 digests[di]);
+	    }
+
+	    SECKEY_DestroyPrivateKey (privkey);
+
+	    if (rv != SECSuccess)
+		return rv;
+
+	    rv = SECITEM_CopyItem (poolp, &(signerinfo->encDigest), &signature);
+	    if (rv != SECSuccess)
+		return rv;
+
+	    SECITEM_FreeItem (&signature, PR_FALSE);
+
+	    rv = SECOID_SetAlgorithmID (poolp, &(signerinfo->digestEncAlg),
+					signalgtag, NULL);
+	    if (rv != SECSuccess)
+		return SECFailure;
+
+	    /*
+	     * Count the cert chain for this signer.
+	     */
+	    if (signerinfo->certList != NULL)
+		certcount += signerinfo->certList->len;
+	}
+    }
+
+    if (certs != NULL) {
+	for (ci = 0; certs[ci] != NULL; ci++)
+	    certcount++;
+    }
+
+    if (certlists != NULL) {
+	for (cli = 0; certlists[cli] != NULL; cli++)
+	    certcount += certlists[cli]->len;
+    }
+
+    if (certcount == 0)
+	return SECSuccess;		/* signing done; no certs */
+
+    /*
+     * Combine all of the certs and cert chains into rawcerts.
+     * Note: certcount is an upper bound; we may not need that many slots
+     * but we will allocate anyway to avoid having to do another pass.
+     * (The temporary space saving is not worth it.)
+     */
+    rawcerts = (SECItem**)PORT_ArenaAlloc (poolp, 
+					(certcount + 1) * sizeof(SECItem *));
+    if (rawcerts == NULL)
+	return SECFailure;
+
+    /*
+     * XXX Want to check for duplicates and not add *any* cert that is
+     * already in the set.  This will be more important when we start
+     * dealing with larger sets of certs, dual-key certs (signing and
+     * encryption), etc.  For the time being we can slide by...
+     */
+    rci = 0;
+    if (signerinfos != NULL) {
+	for (si = 0; signerinfos[si] != NULL; si++) {
+	    signerinfo = signerinfos[si];
+	    for (ci = 0; ci < signerinfo->certList->len; ci++)
+		rawcerts[rci++] = &(signerinfo->certList->certs[ci]);
+	}
+
+    }
+
+    if (certs != NULL) {
+	for (ci = 0; certs[ci] != NULL; ci++)
+	    rawcerts[rci++] = &(certs[ci]->derCert);
+    }
+
+    if (certlists != NULL) {
+	for (cli = 0; certlists[cli] != NULL; cli++) {
+	    for (ci = 0; ci < certlists[cli]->len; ci++)
+		rawcerts[rci++] = &(certlists[cli]->certs[ci]);
+	}
+    }
+
+    rawcerts[rci] = NULL;
+    *rawcertsp = rawcerts;
+
+    return SECSuccess;
+}
+
+
+SECStatus
+SEC_PKCS7EncoderFinish (SEC_PKCS7EncoderContext *p7ecx,
+			SECKEYGetPasswordKey pwfn, void *pwfnarg)
+{
+    SECStatus rv;
+
+    /*
+     * Flush out any remaining data.
+     */
+    rv = sec_pkcs7_encoder_work_data (p7ecx, NULL, NULL, 0, PR_TRUE);
+
+    /*
+     * Turn off streaming stuff.
+     */
+    SEC_ASN1EncoderClearTakeFromBuf (p7ecx->ecx);
+    SEC_ASN1EncoderClearStreaming (p7ecx->ecx);
+
+    if (rv != SECSuccess)
+	goto loser;
+
+    rv = sec_pkcs7_encoder_sig_and_certs (p7ecx->cinfo, pwfn, pwfnarg);
+    if (rv != SECSuccess)
+	goto loser;
+
+    rv = SEC_ASN1EncoderUpdate (p7ecx->ecx, NULL, 0);
+
+loser:
+    SEC_ASN1EncoderFinish (p7ecx->ecx);
+    PORT_Free (p7ecx);
+    return rv;
+}
+
+
+/*
+ * After this routine is called, the entire PKCS7 contentInfo is ready
+ * to be encoded.  This is used internally, but can also be called from
+ * elsewhere for those who want to be able to just have pointers to
+ * the ASN1 template for pkcs7 contentInfo built into their own encodings.
+ */
+SECStatus
+SEC_PKCS7PrepareForEncode (SEC_PKCS7ContentInfo *cinfo,
+			   PK11SymKey *bulkkey,
+			   SECKEYGetPasswordKey pwfn,
+			   void *pwfnarg)
+{
+    SEC_PKCS7EncoderContext *p7ecx;
+    SECItem *content, *enc_content;
+    SECStatus rv;
+
+    p7ecx = sec_pkcs7_encoder_start_contexts (cinfo, bulkkey);
+    if (p7ecx == NULL)
+	return SECFailure;
+
+    content = SEC_PKCS7GetContent (cinfo);
+
+    if (p7ecx->encryptobj != NULL) {
+	SECOidTag kind;
+	SEC_PKCS7EncryptedContentInfo *enccinfo;
+
+	kind = SEC_PKCS7ContentType (p7ecx->cinfo);
+	switch (kind) {
+	  default:
+	    PORT_Assert (0);
+	    rv = SECFailure;
+	    goto loser;
+	  case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	    enccinfo = &(p7ecx->cinfo->content.encryptedData->encContentInfo);
+	    break;
+	  case SEC_OID_PKCS7_ENVELOPED_DATA:
+	    enccinfo = &(p7ecx->cinfo->content.envelopedData->encContentInfo);
+	    break;
+	  case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	    enccinfo = &(p7ecx->cinfo->content.signedAndEnvelopedData->encContentInfo);
+	    break;
+	}
+	enc_content = &(enccinfo->encContent);
+    } else {
+	enc_content = NULL;
+    }
+
+    if (content != NULL && content->data != NULL && content->len) {
+	rv = sec_pkcs7_encoder_work_data (p7ecx, enc_content,
+					  content->data, content->len, PR_TRUE);
+	if (rv != SECSuccess)
+	    goto loser;
+    }
+
+    rv = sec_pkcs7_encoder_sig_and_certs (cinfo, pwfn, pwfnarg);
+
+loser:
+    PORT_Free (p7ecx);
+    return rv;
+}
+
+
+/*
+ * Encode a PKCS7 object, in one shot.  All necessary components
+ * of the object must already be specified.  Either the data has
+ * already been included (via SetContent), or the data is detached,
+ * or there is no data at all (certs-only).
+ *
+ * "cinfo" specifies the object to be encoded.
+ *
+ * "outputfn" is where the encoded bytes will be passed.
+ *
+ * "outputarg" is an opaque argument to the above callback.
+ *
+ * "bulkkey" specifies the bulk encryption key to use.   This argument
+ * can be NULL if no encryption is being done, or if the bulk key should
+ * be generated internally (usually the case for EnvelopedData but never
+ * for EncryptedData, which *must* provide a bulk encryption key).
+ *
+ * "pwfn" is a callback for getting the password which protects the
+ * private key of the signer.  This argument can be NULL if it is known
+ * that no signing is going to be done.
+ *
+ * "pwfnarg" is an opaque argument to the above callback.
+ */
+SECStatus
+SEC_PKCS7Encode (SEC_PKCS7ContentInfo *cinfo,
+		 SEC_PKCS7EncoderOutputCallback outputfn,
+		 void *outputarg,
+		 PK11SymKey *bulkkey,
+		 SECKEYGetPasswordKey pwfn,
+		 void *pwfnarg)
+{
+    SECStatus rv;
+
+    rv = SEC_PKCS7PrepareForEncode (cinfo, bulkkey, pwfn, pwfnarg);
+    if (rv == SECSuccess) {
+	struct sec_pkcs7_encoder_output outputcx;
+
+	outputcx.outputfn = outputfn;
+	outputcx.outputarg = outputarg;
+
+	rv = SEC_ASN1Encode (cinfo, sec_PKCS7ContentInfoTemplate,
+			     sec_pkcs7_encoder_out, &outputcx);
+    }
+
+    return rv;
+}
+
+
+/*
+ * Encode a PKCS7 object, in one shot.  All necessary components
+ * of the object must already be specified.  Either the data has
+ * already been included (via SetContent), or the data is detached,
+ * or there is no data at all (certs-only).  The output, rather than
+ * being passed to an output function as is done above, is all put
+ * into a SECItem.
+ *
+ * "pool" specifies a pool from which to allocate the result.
+ * It can be NULL, in which case memory is allocated generically.
+ *
+ * "dest" specifies a SECItem in which to put the result data.
+ * It can be NULL, in which case the entire item is allocated, too.
+ *
+ * "cinfo" specifies the object to be encoded.
+ *
+ * "bulkkey" specifies the bulk encryption key to use.   This argument
+ * can be NULL if no encryption is being done, or if the bulk key should
+ * be generated internally (usually the case for EnvelopedData but never
+ * for EncryptedData, which *must* provide a bulk encryption key).
+ *
+ * "pwfn" is a callback for getting the password which protects the
+ * private key of the signer.  This argument can be NULL if it is known
+ * that no signing is going to be done.
+ *
+ * "pwfnarg" is an opaque argument to the above callback.
+ */
+SECItem *
+SEC_PKCS7EncodeItem (PRArenaPool *pool,
+		     SECItem *dest,
+		     SEC_PKCS7ContentInfo *cinfo,
+		     PK11SymKey *bulkkey,
+		     SECKEYGetPasswordKey pwfn,
+		     void *pwfnarg)
+{
+    SECStatus rv;
+
+    rv = SEC_PKCS7PrepareForEncode (cinfo, bulkkey, pwfn, pwfnarg);
+    if (rv != SECSuccess)
+	return NULL;
+
+    return SEC_ASN1EncodeItem (pool, dest, cinfo, sec_PKCS7ContentInfoTemplate);
+}
+
diff --git a/security/nss/lib/pkcs7/p7local.c b/security/nss/lib/pkcs7/p7local.c
new file mode 100644
index 000000000..68376cec0
--- /dev/null
+++ b/security/nss/lib/pkcs7/p7local.c
@@ -0,0 +1,1442 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Support routines for PKCS7 implementation, none of which are exported.
+ * This file should only contain things that are needed by both the
+ * encoding/creation side *and* the decoding/decryption side.  Anything
+ * else should be static routines in the appropriate file.
+ *
+ * $Id$
+ */
+
+#include "p7local.h"
+
+#include "cryptohi.h" 
+#include "secasn1.h"
+#include "secoid.h"
+#include "secitem.h"
+#include "pk11func.h"
+#include "secpkcs5.h"
+#include "secerr.h"
+
+/*
+ * -------------------------------------------------------------------
+ * Cipher stuff.
+ */
+
+typedef SECStatus (*sec_pkcs7_cipher_function) (void *,
+						unsigned char *,
+						unsigned *,
+						unsigned int,
+						const unsigned char *,
+						unsigned int);
+typedef SECStatus (*sec_pkcs7_cipher_destroy) (void *, PRBool);
+
+#define BLOCK_SIZE 4096
+
+struct sec_pkcs7_cipher_object {
+    void *cx;
+    sec_pkcs7_cipher_function doit;
+    sec_pkcs7_cipher_destroy destroy;
+    PRBool encrypt;
+    int block_size;
+    int pad_size;
+    int pending_count;
+    unsigned char pending_buf[BLOCK_SIZE];
+};
+
+SEC_ASN1_MKSUB(CERT_IssuerAndSNTemplate)
+SEC_ASN1_MKSUB(CERT_SetOfSignedCrlTemplate)
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
+SEC_ASN1_MKSUB(SEC_SetOfAnyTemplate)
+
+/*
+ * Create a cipher object to do decryption,  based on the given bulk
+ * encryption key and algorithm identifier (which may include an iv).
+ *
+ * XXX This interface, or one similar, would be really nice available
+ * in general...  I tried to keep the pkcs7-specific stuff (mostly
+ * having to do with padding) out of here.
+ *
+ * XXX Once both are working, it might be nice to combine this and the
+ * function below (for starting up encryption) into one routine, and just
+ * have two simple cover functions which call it. 
+ */
+sec_PKCS7CipherObject *
+sec_PKCS7CreateDecryptObject (PK11SymKey *key, SECAlgorithmID *algid)
+{
+    sec_PKCS7CipherObject *result;
+    SECOidTag algtag;
+    void *ciphercx;
+    CK_MECHANISM_TYPE mechanism;
+    SECItem *param;
+    PK11SlotInfo *slot;
+
+    result = (struct sec_pkcs7_cipher_object*)
+      PORT_ZAlloc (sizeof(struct sec_pkcs7_cipher_object));
+    if (result == NULL)
+	return NULL;
+
+    ciphercx = NULL;
+    algtag = SECOID_GetAlgorithmTag (algid);
+
+    if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) {
+	CK_MECHANISM pbeMech, cryptoMech;
+	SECItem *pbeParams, *pwitem;
+	SEC_PKCS5KeyAndPassword *keyPwd;
+
+	keyPwd = (SEC_PKCS5KeyAndPassword *)key;
+	key = keyPwd->key;
+	pwitem = keyPwd->pwitem;
+
+	pbeMech.mechanism = PK11_AlgtagToMechanism(algtag);
+	pbeParams = PK11_ParamFromAlgid(algid);
+	if (!pbeParams) {
+	    PORT_Free(result);
+	    return NULL;
+	}
+
+	pbeMech.pParameter = pbeParams->data;
+	pbeMech.ulParameterLen = pbeParams->len;
+	if (PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, pwitem,
+						  PR_FALSE) != CKR_OK) { 
+	    PORT_Free(result);
+	    SECITEM_ZfreeItem(pbeParams, PR_TRUE);
+	    return NULL;
+	}
+	SECITEM_ZfreeItem(pbeParams, PR_TRUE);
+
+	param = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+	if(!param) {
+	     PORT_Free(result);
+	     return NULL;
+	}
+	param->data = (unsigned char *)cryptoMech.pParameter;
+	param->len = cryptoMech.ulParameterLen;
+	mechanism = cryptoMech.mechanism;
+    } else {
+	mechanism = PK11_AlgtagToMechanism(algtag);
+	param = PK11_ParamFromAlgid(algid);
+	if (param == NULL) {
+	    PORT_Free(result);
+	    return NULL;
+	}
+    }
+
+    result->pad_size = PK11_GetBlockSize(mechanism,param);
+    slot = PK11_GetSlotFromKey(key);
+    result->block_size = PK11_IsHW(slot) ? BLOCK_SIZE : result->pad_size;
+    PK11_FreeSlot(slot);
+    ciphercx = PK11_CreateContextBySymKey(mechanism, CKA_DECRYPT, key, param);
+    SECITEM_FreeItem(param,PR_TRUE);
+    if (ciphercx == NULL) {
+	PORT_Free (result);
+	return NULL;
+    }
+
+    result->cx = ciphercx;
+    result->doit =  (sec_pkcs7_cipher_function) PK11_CipherOp;
+    result->destroy = (sec_pkcs7_cipher_destroy) PK11_DestroyContext;
+    result->encrypt = PR_FALSE;
+    result->pending_count = 0;
+
+    return result;
+}
+
+/*
+ * Create a cipher object to do encryption, based on the given bulk
+ * encryption key and algorithm tag.  Fill in the algorithm identifier
+ * (which may include an iv) appropriately.
+ *
+ * XXX This interface, or one similar, would be really nice available
+ * in general...  I tried to keep the pkcs7-specific stuff (mostly
+ * having to do with padding) out of here.
+ *
+ * XXX Once both are working, it might be nice to combine this and the
+ * function above (for starting up decryption) into one routine, and just
+ * have two simple cover functions which call it. 
+ */
+sec_PKCS7CipherObject *
+sec_PKCS7CreateEncryptObject (PRArenaPool *poolp, PK11SymKey *key,
+			      SECOidTag algtag, SECAlgorithmID *algid)
+{
+    sec_PKCS7CipherObject *result;
+    void *ciphercx;
+    SECItem *param;
+    SECStatus rv;
+    CK_MECHANISM_TYPE mechanism;
+    PRBool needToEncodeAlgid = PR_FALSE;
+    PK11SlotInfo *slot;
+
+    result = (struct sec_pkcs7_cipher_object*)
+	      PORT_ZAlloc (sizeof(struct sec_pkcs7_cipher_object));
+    if (result == NULL)
+	return NULL;
+
+    ciphercx = NULL;
+    if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) {
+	CK_MECHANISM pbeMech, cryptoMech;
+	SECItem *pbeParams;
+	SEC_PKCS5KeyAndPassword *keyPwd;
+
+	PORT_Memset(&pbeMech, 0, sizeof(CK_MECHANISM));
+	PORT_Memset(&cryptoMech, 0, sizeof(CK_MECHANISM));
+
+	pbeMech.mechanism = PK11_AlgtagToMechanism(algtag);
+	pbeParams = PK11_ParamFromAlgid(algid);
+	if(!pbeParams) {
+	    PORT_Free(result);
+	    return NULL;
+	}
+	keyPwd = (SEC_PKCS5KeyAndPassword *)key;
+	key = keyPwd->key;
+
+	pbeMech.pParameter = pbeParams->data;
+	pbeMech.ulParameterLen = pbeParams->len;
+	if(PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, 
+					 keyPwd->pwitem, PR_FALSE) != CKR_OK) {
+	    PORT_Free(result);
+	    SECITEM_ZfreeItem(pbeParams, PR_TRUE);
+	    return NULL;
+	}
+	SECITEM_ZfreeItem(pbeParams, PR_TRUE);
+
+	param = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+	if(!param) {
+	     PORT_Free(result);
+	     return NULL;
+	}
+	param->data = (unsigned char *)cryptoMech.pParameter;
+	param->len = cryptoMech.ulParameterLen;
+	mechanism = cryptoMech.mechanism;
+    } else {
+	mechanism = PK11_AlgtagToMechanism(algtag);
+	param = PK11_GenerateNewParam(mechanism,key);
+	if (param == NULL) {
+	    PORT_Free(result);
+	    return NULL;
+	}
+	needToEncodeAlgid = PR_TRUE;
+    }
+
+    result->pad_size = PK11_GetBlockSize(mechanism,param);
+    slot = PK11_GetSlotFromKey(key);
+    result->block_size = PK11_IsHW(slot) ? BLOCK_SIZE : result->pad_size;
+    PK11_FreeSlot(slot);
+    ciphercx = PK11_CreateContextBySymKey(mechanism, CKA_ENCRYPT, 
+    					  key, param);
+    if (ciphercx == NULL) {
+	PORT_Free (result);
+        SECITEM_FreeItem(param,PR_TRUE);
+	return NULL;
+    }
+
+    /*
+     * These are placed after the CreateContextBySymKey() because some
+     * mechanisms have to generate their IVs from their card (i.e. FORTEZZA).
+     * Don't move it from here.
+     */
+    if (needToEncodeAlgid) {
+	rv = PK11_ParamToAlgid(algtag,param,poolp,algid);
+	if(rv != SECSuccess) {
+	    return NULL;
+	}
+    }
+    SECITEM_FreeItem(param,PR_TRUE);
+
+    result->cx = ciphercx;
+    result->doit = (sec_pkcs7_cipher_function) PK11_CipherOp;
+    result->destroy = (sec_pkcs7_cipher_destroy) PK11_DestroyContext;
+    result->encrypt = PR_TRUE;
+    result->pending_count = 0;
+
+    return result;
+}
+
+
+/*
+ * Destroy the cipher object.
+ */
+static void
+sec_pkcs7_destroy_cipher (sec_PKCS7CipherObject *obj)
+{
+    (* obj->destroy) (obj->cx, PR_TRUE);
+    PORT_Free (obj);
+}
+
+void
+sec_PKCS7DestroyDecryptObject (sec_PKCS7CipherObject *obj)
+{
+    PORT_Assert (obj != NULL);
+    if (obj == NULL)
+	return;
+    PORT_Assert (! obj->encrypt);
+    sec_pkcs7_destroy_cipher (obj);
+}
+
+void
+sec_PKCS7DestroyEncryptObject (sec_PKCS7CipherObject *obj)
+{
+    PORT_Assert (obj != NULL);
+    if (obj == NULL)
+	return;
+    PORT_Assert (obj->encrypt);
+    sec_pkcs7_destroy_cipher (obj);
+}
+
+
+/*
+ * XXX I think all of the following lengths should be longs instead
+ * of ints, but our current crypto interface uses ints, so I did too.
+ */
+
+
+/*
+ * What will be the output length of the next call to decrypt?
+ * Result can be used to perform memory allocations.  Note that the amount
+ * is exactly accurate only when not doing a block cipher or when final
+ * is false, otherwise it is an upper bound on the amount because until
+ * we see the data we do not know how many padding bytes there are
+ * (always between 1 and bsize).
+ *
+ * Note that this can return zero, which does not mean that the decrypt
+ * operation can be skipped!  (It simply means that there are not enough
+ * bytes to make up an entire block; the bytes will be reserved until
+ * there are enough to encrypt/decrypt at least one block.)  However,
+ * if zero is returned it *does* mean that no output buffer need be
+ * passed in to the subsequent decrypt operation, as no output bytes
+ * will be stored.
+ */
+unsigned int
+sec_PKCS7DecryptLength (sec_PKCS7CipherObject *obj, unsigned int input_len,
+			PRBool final)
+{
+    int blocks, block_size;
+
+    PORT_Assert (! obj->encrypt);
+
+    block_size = obj->block_size;
+
+    /*
+     * If this is not a block cipher, then we always have the same
+     * number of output bytes as we had input bytes.
+     */
+    if (block_size == 0)
+	return input_len;
+
+    /*
+     * On the final call, we will always use up all of the pending
+     * bytes plus all of the input bytes, *but*, there will be padding
+     * at the end and we cannot predict how many bytes of padding we
+     * will end up removing.  The amount given here is actually known
+     * to be at least 1 byte too long (because we know we will have
+     * at least 1 byte of padding), but seemed clearer/better to me.
+     */
+    if (final)
+	return obj->pending_count + input_len;
+
+    /*
+     * Okay, this amount is exactly what we will output on the
+     * next cipher operation.  We will always hang onto the last
+     * 1 - block_size bytes for non-final operations.  That is,
+     * we will do as many complete blocks as we can *except* the
+     * last block (complete or partial).  (This is because until
+     * we know we are at the end, we cannot know when to interpret
+     * and removing the padding byte(s), which are guaranteed to
+     * be there.)
+     */
+    blocks = (obj->pending_count + input_len - 1) / block_size;
+    return blocks * block_size;
+}
+
+/*
+ * What will be the output length of the next call to encrypt?
+ * Result can be used to perform memory allocations.
+ *
+ * Note that this can return zero, which does not mean that the encrypt
+ * operation can be skipped!  (It simply means that there are not enough
+ * bytes to make up an entire block; the bytes will be reserved until
+ * there are enough to encrypt/decrypt at least one block.)  However,
+ * if zero is returned it *does* mean that no output buffer need be
+ * passed in to the subsequent encrypt operation, as no output bytes
+ * will be stored.
+ */
+unsigned int
+sec_PKCS7EncryptLength (sec_PKCS7CipherObject *obj, unsigned int input_len,
+			PRBool final)
+{
+    int blocks, block_size;
+    int pad_size;
+
+    PORT_Assert (obj->encrypt);
+
+    block_size = obj->block_size;
+    pad_size = obj->pad_size;
+
+    /*
+     * If this is not a block cipher, then we always have the same
+     * number of output bytes as we had input bytes.
+     */
+    if (block_size == 0)
+	return input_len;
+
+    /*
+     * On the final call, we only send out what we need for
+     * remaining bytes plus the padding.  (There is always padding,
+     * so even if we have an exact number of blocks as input, we
+     * will add another full block that is just padding.)
+     */
+    if (final) {
+	if (pad_size == 0) {
+    	    return obj->pending_count + input_len;
+	} else {
+    	    blocks = (obj->pending_count + input_len) / pad_size;
+	    blocks++;
+	    return blocks*pad_size;
+	}
+    }
+
+    /*
+     * Now, count the number of complete blocks of data we have.
+     */
+    blocks = (obj->pending_count + input_len) / block_size;
+
+
+    return blocks * block_size;
+}
+
+
+/*
+ * Decrypt a given length of input buffer (starting at "input" and
+ * containing "input_len" bytes), placing the decrypted bytes in
+ * "output" and storing the output length in "*output_len_p".
+ * "obj" is the return value from sec_PKCS7CreateDecryptObject.
+ * When "final" is true, this is the last of the data to be decrypted.
+ *
+ * This is much more complicated than it sounds when the cipher is
+ * a block-type, meaning that the decryption function will only
+ * operate on whole blocks.  But our caller is operating stream-wise,
+ * and can pass in any number of bytes.  So we need to keep track
+ * of block boundaries.  We save excess bytes between calls in "obj".
+ * We also need to determine which bytes are padding, and remove
+ * them from the output.  We can only do this step when we know we
+ * have the final block of data.  PKCS #7 specifies that the padding
+ * used for a block cipher is a string of bytes, each of whose value is
+ * the same as the length of the padding, and that all data is padded.
+ * (Even data that starts out with an exact multiple of blocks gets
+ * added to it another block, all of which is padding.)
+ */ 
+SECStatus
+sec_PKCS7Decrypt (sec_PKCS7CipherObject *obj, unsigned char *output,
+		  unsigned int *output_len_p, unsigned int max_output_len,
+		  const unsigned char *input, unsigned int input_len,
+		  PRBool final)
+{
+    int blocks, bsize, pcount, padsize;
+    unsigned int max_needed, ifraglen, ofraglen, output_len;
+    unsigned char *pbuf;
+    SECStatus rv;
+
+    PORT_Assert (! obj->encrypt);
+
+    /*
+     * Check that we have enough room for the output.  Our caller should
+     * already handle this; failure is really an internal error (i.e. bug).
+     */
+    max_needed = sec_PKCS7DecryptLength (obj, input_len, final);
+    PORT_Assert (max_output_len >= max_needed);
+    if (max_output_len < max_needed) {
+	/* PORT_SetError (XXX); */
+	return SECFailure;
+    }
+
+    /*
+     * hardware encryption does not like small decryption sizes here, so we
+     * allow both blocking and padding.
+     */
+    bsize = obj->block_size;
+    padsize = obj->pad_size;
+
+    /*
+     * When no blocking or padding work to do, we can simply call the
+     * cipher function and we are done.
+     */
+    if (bsize == 0) {
+	return (* obj->doit) (obj->cx, output, output_len_p, max_output_len,
+			      input, input_len);
+    }
+
+    pcount = obj->pending_count;
+    pbuf = obj->pending_buf;
+
+    output_len = 0;
+
+    if (pcount) {
+	/*
+	 * Try to fill in an entire block, starting with the bytes
+	 * we already have saved away.
+	 */
+	while (input_len && pcount < bsize) {
+	    pbuf[pcount++] = *input++;
+	    input_len--;
+	}
+	/*
+	 * If we have at most a whole block and this is not our last call,
+	 * then we are done for now.  (We do not try to decrypt a lone
+	 * single block because we cannot interpret the padding bytes
+	 * until we know we are handling the very last block of all input.)
+	 */
+	if (input_len == 0 && !final) {
+	    obj->pending_count = pcount;
+	    if (output_len_p)
+		*output_len_p = 0;
+	    return SECSuccess;
+	}
+	/*
+	 * Given the logic above, we expect to have a full block by now.
+	 * If we do not, there is something wrong, either with our own
+	 * logic or with (length of) the data given to us.
+	 */
+	PORT_Assert ((padsize == 0) || (pcount % padsize) == 0);
+	if ((padsize != 0) && (pcount % padsize) != 0) {
+	    PORT_Assert (final);	
+	    PORT_SetError (SEC_ERROR_BAD_DATA);
+	    return SECFailure;
+	}
+	/*
+	 * Decrypt the block.
+	 */
+	rv = (* obj->doit) (obj->cx, output, &ofraglen, max_output_len,
+			    pbuf, pcount);
+	if (rv != SECSuccess)
+	    return rv;
+
+	/*
+	 * For now anyway, all of our ciphers have the same number of
+	 * bytes of output as they do input.  If this ever becomes untrue,
+	 * then sec_PKCS7DecryptLength needs to be made smarter!
+	 */
+	PORT_Assert (ofraglen == pcount);
+
+	/*
+	 * Account for the bytes now in output.
+	 */
+	max_output_len -= ofraglen;
+	output_len += ofraglen;
+	output += ofraglen;
+    }
+
+    /*
+     * If this is our last call, we expect to have an exact number of
+     * blocks left to be decrypted; we will decrypt them all.
+     * 
+     * If not our last call, we always save between 1 and bsize bytes
+     * until next time.  (We must do this because we cannot be sure
+     * that none of the decrypted bytes are padding bytes until we
+     * have at least another whole block of data.  You cannot tell by
+     * looking -- the data could be anything -- you can only tell by
+     * context, knowing you are looking at the last block.)  We could
+     * decrypt a whole block now but it is easier if we just treat it
+     * the same way we treat partial block bytes.
+     */
+    if (final) {
+	if (padsize) {
+	    blocks = input_len / padsize;
+	    ifraglen = blocks * padsize;
+	} else ifraglen = input_len;
+	PORT_Assert (ifraglen == input_len);
+
+	if (ifraglen != input_len) {
+	    PORT_SetError (SEC_ERROR_BAD_DATA);
+	    return SECFailure;
+	}
+    } else {
+	blocks = (input_len - 1) / bsize;
+	ifraglen = blocks * bsize;
+	PORT_Assert (ifraglen < input_len);
+
+	pcount = input_len - ifraglen;
+	PORT_Memcpy (pbuf, input + ifraglen, pcount);
+	obj->pending_count = pcount;
+    }
+
+    if (ifraglen) {
+	rv = (* obj->doit) (obj->cx, output, &ofraglen, max_output_len,
+			    input, ifraglen);
+	if (rv != SECSuccess)
+	    return rv;
+
+	/*
+	 * For now anyway, all of our ciphers have the same number of
+	 * bytes of output as they do input.  If this ever becomes untrue,
+	 * then sec_PKCS7DecryptLength needs to be made smarter!
+	 */
+	PORT_Assert (ifraglen == ofraglen);
+	if (ifraglen != ofraglen) {
+	    PORT_SetError (SEC_ERROR_BAD_DATA);
+	    return SECFailure;
+	}
+
+	output_len += ofraglen;
+    } else {
+	ofraglen = 0;
+    }
+
+    /*
+     * If we just did our very last block, "remove" the padding by
+     * adjusting the output length.
+     */
+    if (final && (padsize != 0)) {
+	unsigned int padlen = *(output + ofraglen - 1);
+	PORT_Assert (padlen > 0 && padlen <= padsize);
+	if (padlen == 0 || padlen > padsize) {
+	    PORT_SetError (SEC_ERROR_BAD_DATA);
+	    return SECFailure;
+	}
+	output_len -= padlen;
+    }
+
+    PORT_Assert (output_len_p != NULL || output_len == 0);
+    if (output_len_p != NULL)
+	*output_len_p = output_len;
+
+    return SECSuccess;
+}
+
+/*
+ * Encrypt a given length of input buffer (starting at "input" and
+ * containing "input_len" bytes), placing the encrypted bytes in
+ * "output" and storing the output length in "*output_len_p".
+ * "obj" is the return value from sec_PKCS7CreateEncryptObject.
+ * When "final" is true, this is the last of the data to be encrypted.
+ *
+ * This is much more complicated than it sounds when the cipher is
+ * a block-type, meaning that the encryption function will only
+ * operate on whole blocks.  But our caller is operating stream-wise,
+ * and can pass in any number of bytes.  So we need to keep track
+ * of block boundaries.  We save excess bytes between calls in "obj".
+ * We also need to add padding bytes at the end.  PKCS #7 specifies
+ * that the padding used for a block cipher is a string of bytes,
+ * each of whose value is the same as the length of the padding,
+ * and that all data is padded.  (Even data that starts out with
+ * an exact multiple of blocks gets added to it another block,
+ * all of which is padding.)
+ *
+ * XXX I would kind of like to combine this with the function above
+ * which does decryption, since they have a lot in common.  But the
+ * tricky parts about padding and filling blocks would be much
+ * harder to read that way, so I left them separate.  At least for
+ * now until it is clear that they are right.
+ */ 
+SECStatus
+sec_PKCS7Encrypt (sec_PKCS7CipherObject *obj, unsigned char *output,
+		  unsigned int *output_len_p, unsigned int max_output_len,
+		  const unsigned char *input, unsigned int input_len,
+		  PRBool final)
+{
+    int blocks, bsize, padlen, pcount, padsize;
+    unsigned int max_needed, ifraglen, ofraglen, output_len;
+    unsigned char *pbuf;
+    SECStatus rv;
+
+    PORT_Assert (obj->encrypt);
+
+    /*
+     * Check that we have enough room for the output.  Our caller should
+     * already handle this; failure is really an internal error (i.e. bug).
+     */
+    max_needed = sec_PKCS7EncryptLength (obj, input_len, final);
+    PORT_Assert (max_output_len >= max_needed);
+    if (max_output_len < max_needed) {
+	/* PORT_SetError (XXX); */
+	return SECFailure;
+    }
+
+    bsize = obj->block_size;
+    padsize = obj->pad_size;
+
+    /*
+     * When no blocking and padding work to do, we can simply call the
+     * cipher function and we are done.
+     */
+    if (bsize == 0) {
+	return (* obj->doit) (obj->cx, output, output_len_p, max_output_len,
+			      input, input_len);
+    }
+
+    pcount = obj->pending_count;
+    pbuf = obj->pending_buf;
+
+    output_len = 0;
+
+    if (pcount) {
+	/*
+	 * Try to fill in an entire block, starting with the bytes
+	 * we already have saved away.
+	 */
+	while (input_len && pcount < bsize) {
+	    pbuf[pcount++] = *input++;
+	    input_len--;
+	}
+	/*
+	 * If we do not have a full block and we know we will be
+	 * called again, then we are done for now.
+	 */
+	if (pcount < bsize && !final) {
+	    obj->pending_count = pcount;
+	    if (output_len_p != NULL)
+		*output_len_p = 0;
+	    return SECSuccess;
+	}
+	/*
+	 * If we have a whole block available, encrypt it.
+	 */
+	if ((padsize == 0) || (pcount % padsize) == 0) {
+	    rv = (* obj->doit) (obj->cx, output, &ofraglen, max_output_len,
+				pbuf, pcount);
+	    if (rv != SECSuccess)
+		return rv;
+
+	    /*
+	     * For now anyway, all of our ciphers have the same number of
+	     * bytes of output as they do input.  If this ever becomes untrue,
+	     * then sec_PKCS7EncryptLength needs to be made smarter!
+	     */
+	    PORT_Assert (ofraglen == pcount);
+
+	    /*
+	     * Account for the bytes now in output.
+	     */
+	    max_output_len -= ofraglen;
+	    output_len += ofraglen;
+	    output += ofraglen;
+
+	    pcount = 0;
+	}
+    }
+
+    if (input_len) {
+	PORT_Assert (pcount == 0);
+
+	blocks = input_len / bsize;
+	ifraglen = blocks * bsize;
+
+	if (ifraglen) {
+	    rv = (* obj->doit) (obj->cx, output, &ofraglen, max_output_len,
+				input, ifraglen);
+	    if (rv != SECSuccess)
+		return rv;
+
+	    /*
+	     * For now anyway, all of our ciphers have the same number of
+	     * bytes of output as they do input.  If this ever becomes untrue,
+	     * then sec_PKCS7EncryptLength needs to be made smarter!
+	     */
+	    PORT_Assert (ifraglen == ofraglen);
+
+	    max_output_len -= ofraglen;
+	    output_len += ofraglen;
+	    output += ofraglen;
+	}
+
+	pcount = input_len - ifraglen;
+	PORT_Assert (pcount < bsize);
+	if (pcount)
+	    PORT_Memcpy (pbuf, input + ifraglen, pcount);
+    }
+
+    if (final) {
+	padlen = padsize - (pcount % padsize);
+	PORT_Memset (pbuf + pcount, padlen, padlen);
+	rv = (* obj->doit) (obj->cx, output, &ofraglen, max_output_len,
+			    pbuf, pcount+padlen);
+	if (rv != SECSuccess)
+	    return rv;
+
+	/*
+	 * For now anyway, all of our ciphers have the same number of
+	 * bytes of output as they do input.  If this ever becomes untrue,
+	 * then sec_PKCS7EncryptLength needs to be made smarter!
+	 */
+	PORT_Assert (ofraglen == (pcount+padlen));
+	output_len += ofraglen;
+    } else {
+	obj->pending_count = pcount;
+    }
+
+    PORT_Assert (output_len_p != NULL || output_len == 0);
+    if (output_len_p != NULL)
+	*output_len_p = output_len;
+
+    return SECSuccess;
+}
+
+/*
+ * End of cipher stuff.
+ * -------------------------------------------------------------------
+ */
+
+
+/*
+ * -------------------------------------------------------------------
+ * XXX The following Attribute stuff really belongs elsewhere.
+ * The Attribute type is *not* part of pkcs7 but rather X.501.
+ * But for now, since PKCS7 is the only customer of attributes,
+ * we define them here.  Once there is a use outside of PKCS7,
+ * then change the attribute types and functions from internal
+ * to external naming convention, and move them elsewhere!
+ */
+
+/*
+ * Look through a set of attributes and find one that matches the
+ * specified object ID.  If "only" is true, then make sure that
+ * there is not more than one attribute of the same type.  Otherwise,
+ * just return the first one found. (XXX Does anybody really want
+ * that first-found behavior?  It was like that when I found it...)
+ */
+SEC_PKCS7Attribute *
+sec_PKCS7FindAttribute (SEC_PKCS7Attribute **attrs, SECOidTag oidtag,
+			PRBool only)
+{
+    SECOidData *oid;
+    SEC_PKCS7Attribute *attr1, *attr2;
+
+    if (attrs == NULL)
+	return NULL;
+
+    oid = SECOID_FindOIDByTag(oidtag);
+    if (oid == NULL)
+	return NULL;
+
+    while ((attr1 = *attrs++) != NULL) {
+	if (attr1->type.len == oid->oid.len && PORT_Memcmp (attr1->type.data,
+							    oid->oid.data,
+							    oid->oid.len) == 0)
+	    break;
+    }
+
+    if (attr1 == NULL)
+	return NULL;
+
+    if (!only)
+	return attr1;
+
+    while ((attr2 = *attrs++) != NULL) {
+	if (attr2->type.len == oid->oid.len && PORT_Memcmp (attr2->type.data,
+							    oid->oid.data,
+							    oid->oid.len) == 0)
+	    break;
+    }
+
+    if (attr2 != NULL)
+	return NULL;
+
+    return attr1;
+}
+
+
+/*
+ * Return the single attribute value, doing some sanity checking first:
+ * - Multiple values are *not* expected.
+ * - Empty values are *not* expected.
+ */
+SECItem *
+sec_PKCS7AttributeValue(SEC_PKCS7Attribute *attr)
+{
+    SECItem *value;
+
+    if (attr == NULL)
+	return NULL;
+
+    value = attr->values[0];
+
+    if (value == NULL || value->data == NULL || value->len == 0)
+	return NULL;
+
+    if (attr->values[1] != NULL)
+	return NULL;
+
+    return value;
+}
+
+static const SEC_ASN1Template *
+sec_attr_choose_attr_value_template(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    SEC_PKCS7Attribute *attribute;
+    SECOidData *oiddata;
+    PRBool encoded;
+
+    PORT_Assert (src_or_dest != NULL);
+    if (src_or_dest == NULL)
+	return NULL;
+
+    attribute = (SEC_PKCS7Attribute*)src_or_dest;
+
+    if (encoding && attribute->encoded)
+	return SEC_ASN1_GET(SEC_AnyTemplate);
+
+    oiddata = attribute->typeTag;
+    if (oiddata == NULL) {
+	oiddata = SECOID_FindOID(&attribute->type);
+	attribute->typeTag = oiddata;
+    }
+
+    if (oiddata == NULL) {
+	encoded = PR_TRUE;
+	theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
+    } else {
+	switch (oiddata->offset) {
+	  default:
+	    encoded = PR_TRUE;
+	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
+	    break;
+	  case SEC_OID_PKCS9_EMAIL_ADDRESS:
+	  case SEC_OID_RFC1274_MAIL:
+	  case SEC_OID_PKCS9_UNSTRUCTURED_NAME:
+	    encoded = PR_FALSE;
+	    theTemplate = SEC_ASN1_GET(SEC_IA5StringTemplate);
+	    break;
+	  case SEC_OID_PKCS9_CONTENT_TYPE:
+	    encoded = PR_FALSE;
+	    theTemplate = SEC_ASN1_GET(SEC_ObjectIDTemplate);
+	    break;
+	  case SEC_OID_PKCS9_MESSAGE_DIGEST:
+	    encoded = PR_FALSE;
+	    theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate);
+	    break;
+	  case SEC_OID_PKCS9_SIGNING_TIME:
+	    encoded = PR_FALSE;
+	    theTemplate = SEC_ASN1_GET(SEC_UTCTimeTemplate);
+	    break;
+	  /* XXX Want other types here, too */
+	}
+    }
+
+    if (encoding) {
+	/*
+	 * If we are encoding and we think we have an already-encoded value,
+	 * then the code which initialized this attribute should have set
+	 * the "encoded" property to true (and we would have returned early,
+	 * up above).  No devastating error, but that code should be fixed.
+	 * (It could indicate that the resulting encoded bytes are wrong.)
+	 */
+	PORT_Assert (!encoded);
+    } else {
+	/*
+	 * We are decoding; record whether the resulting value is
+	 * still encoded or not.
+	 */
+	attribute->encoded = encoded;
+    }
+    return theTemplate;
+}
+
+static const SEC_ASN1TemplateChooserPtr sec_attr_chooser
+	= sec_attr_choose_attr_value_template;
+
+static const SEC_ASN1Template sec_pkcs7_attribute_template[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SEC_PKCS7Attribute) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(SEC_PKCS7Attribute,type) },
+    { SEC_ASN1_DYNAMIC | SEC_ASN1_SET_OF,
+	  offsetof(SEC_PKCS7Attribute,values),
+	  &sec_attr_chooser },
+    { 0 }
+};
+
+static const SEC_ASN1Template sec_pkcs7_set_of_attribute_template[] = {
+    { SEC_ASN1_SET_OF, 0, sec_pkcs7_attribute_template },
+};
+
+/*
+ * If you are wondering why this routine does not reorder the attributes
+ * first, and might be tempted to make it do so, see the comment by the
+ * call to ReorderAttributes in p7encode.c.  (Or, see who else calls this
+ * and think long and hard about the implications of making it always
+ * do the reordering.)
+ */
+SECItem *
+sec_PKCS7EncodeAttributes (PRArenaPool *poolp, SECItem *dest, void *src)
+{
+    return SEC_ASN1EncodeItem (poolp, dest, src,
+			       sec_pkcs7_set_of_attribute_template);
+}
+
+/*
+ * Make sure that the order of the attributes guarantees valid DER
+ * (which must be in lexigraphically ascending order for a SET OF);
+ * if reordering is necessary it will be done in place (in attrs).
+ */
+SECStatus
+sec_PKCS7ReorderAttributes (SEC_PKCS7Attribute **attrs)
+{
+    PRArenaPool *poolp;
+    int num_attrs, i, j, pass, besti;
+    SECItem **enc_attrs;
+    SEC_PKCS7Attribute **new_attrs;
+
+    /*
+     * I think we should not be called with NULL.  But if we are,
+     * call it a success anyway, because the order *is* okay.
+     */
+    PORT_Assert (attrs != NULL);
+    if (attrs == NULL)
+	return SECSuccess;
+
+    /*
+     * Count how many attributes we are dealing with here.
+     */
+    num_attrs = 0;
+    while (attrs[num_attrs] != NULL)
+	num_attrs++;
+
+    /*
+     * Again, I think we should have some attributes here.
+     * But if we do not, or if there is only one, then call it
+     * a success because it also already has a fine order.
+     */
+    PORT_Assert (num_attrs);
+    if (num_attrs == 0 || num_attrs == 1)
+	return SECSuccess;
+
+    /*
+     * Allocate an arena for us to work with, so it is easy to
+     * clean up all of the memory (fairly small pieces, really).
+     */
+    poolp = PORT_NewArena (1024);	/* XXX what is right value? */
+    if (poolp == NULL)
+	return SECFailure;		/* no memory; nothing we can do... */
+
+    /*
+     * Allocate arrays to hold the individual encodings which we will use
+     * for comparisons and the reordered attributes as they are sorted.
+     */
+    enc_attrs=(SECItem**)PORT_ArenaZAlloc(poolp, num_attrs*sizeof(SECItem *));
+    new_attrs = (SEC_PKCS7Attribute**)PORT_ArenaZAlloc (poolp,
+				  num_attrs * sizeof(SEC_PKCS7Attribute *));
+    if (enc_attrs == NULL || new_attrs == NULL) {
+	PORT_FreeArena (poolp, PR_FALSE);
+	return SECFailure;
+    }
+
+    /*
+     * DER encode each individual attribute.
+     */
+    for (i = 0; i < num_attrs; i++) {
+	enc_attrs[i] = SEC_ASN1EncodeItem (poolp, NULL, attrs[i],
+					   sec_pkcs7_attribute_template);
+	if (enc_attrs[i] == NULL) {
+	    PORT_FreeArena (poolp, PR_FALSE);
+	    return SECFailure;
+	}
+    }
+
+    /*
+     * Now compare and sort them; this is not the most efficient sorting
+     * method, but it is just fine for the problem at hand, because the
+     * number of attributes is (always) going to be small.
+     */
+    for (pass = 0; pass < num_attrs; pass++) {
+	/*
+	 * Find the first not-yet-accepted attribute.  (Once one is
+	 * sorted into the other array, it is cleared from enc_attrs.)
+	 */
+	for (i = 0; i < num_attrs; i++) {
+	    if (enc_attrs[i] != NULL)
+		break;
+	}
+	PORT_Assert (i < num_attrs);
+	besti = i;
+
+	/*
+	 * Find the lowest (lexigraphically) encoding.  One that is
+	 * shorter than all the rest is known to be "less" because each
+	 * attribute is of the same type (a SEQUENCE) and so thus the
+	 * first octet of each is the same, and the second octet is
+	 * the length (or the length of the length with the high bit
+	 * set, followed by the length, which also works out to always
+	 * order the shorter first).  Two (or more) that have the
+	 * same length need to be compared byte by byte until a mismatch
+	 * is found.
+	 */
+	for (i = besti + 1; i < num_attrs; i++) {
+	    if (enc_attrs[i] == NULL)	/* slot already handled */
+		continue;
+
+	    if (enc_attrs[i]->len != enc_attrs[besti]->len) {
+		if (enc_attrs[i]->len < enc_attrs[besti]->len)
+		    besti = i;
+		continue;
+	    }
+
+	    for (j = 0; j < enc_attrs[i]->len; j++) {
+		if (enc_attrs[i]->data[j] < enc_attrs[besti]->data[j]) {
+		    besti = i;
+		    break;
+		}
+	    }
+
+	    /*
+	     * For this not to be true, we would have to have encountered	
+	     * two *identical* attributes, which I think we should not see.
+	     * So assert if it happens, but even if it does, let it go
+	     * through; the ordering of the two does not matter.
+	     */
+	    PORT_Assert (j < enc_attrs[i]->len);
+	}
+
+	/*
+	 * Now we have found the next-lowest one; copy it over and
+	 * remove it from enc_attrs.
+	 */
+	new_attrs[pass] = attrs[besti];
+	enc_attrs[besti] = NULL;
+    }
+
+    /*
+     * Now new_attrs has the attributes in the order we want;
+     * copy them back into the attrs array we started with.
+     */
+    for (i = 0; i < num_attrs; i++)
+	attrs[i] = new_attrs[i];
+
+    PORT_FreeArena (poolp, PR_FALSE);
+    return SECSuccess;
+}
+
+/*
+ * End of attribute stuff.
+ * -------------------------------------------------------------------
+ */
+
+
+/*
+ * Templates and stuff.  Keep these at the end of the file.
+ */
+
+/* forward declaration */
+static const SEC_ASN1Template *
+sec_pkcs7_choose_content_template(void *src_or_dest, PRBool encoding);
+
+static const SEC_ASN1TemplateChooserPtr sec_pkcs7_chooser
+	= sec_pkcs7_choose_content_template;
+
+const SEC_ASN1Template sec_PKCS7ContentInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(SEC_PKCS7ContentInfo) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(SEC_PKCS7ContentInfo,contentType) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM
+     | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  offsetof(SEC_PKCS7ContentInfo,content),
+	  &sec_pkcs7_chooser },
+    { 0 }
+};
+
+/* XXX These names should change from external to internal convention. */
+
+static const SEC_ASN1Template SEC_PKCS7SignerInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SEC_PKCS7SignerInfo) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(SEC_PKCS7SignerInfo,version) },
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
+	  offsetof(SEC_PKCS7SignerInfo,issuerAndSN),
+	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(SEC_PKCS7SignerInfo,digestAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  offsetof(SEC_PKCS7SignerInfo,authAttr),
+	  sec_pkcs7_set_of_attribute_template },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(SEC_PKCS7SignerInfo,digestEncAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(SEC_PKCS7SignerInfo,encDigest) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	  offsetof(SEC_PKCS7SignerInfo,unAuthAttr),
+	  sec_pkcs7_set_of_attribute_template },
+    { 0 }
+};
+
+static const SEC_ASN1Template SEC_PKCS7SignedDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(SEC_PKCS7SignedData) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(SEC_PKCS7SignedData,version) },
+    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN,
+	  offsetof(SEC_PKCS7SignedData,digestAlgorithms),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_INLINE,
+	  offsetof(SEC_PKCS7SignedData,contentInfo),
+	  sec_PKCS7ContentInfoTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC  |
+      SEC_ASN1_XTRN | 0,
+	  offsetof(SEC_PKCS7SignedData,rawCerts),
+	  SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC  |
+      SEC_ASN1_XTRN | 1,
+	  offsetof(SEC_PKCS7SignedData,crls),
+	  SEC_ASN1_SUB(CERT_SetOfSignedCrlTemplate) },
+    { SEC_ASN1_SET_OF,
+	  offsetof(SEC_PKCS7SignedData,signerInfos),
+	  SEC_PKCS7SignerInfoTemplate },
+    { 0 }
+};
+
+static const SEC_ASN1Template SEC_PointerToPKCS7SignedDataTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_PKCS7SignedDataTemplate }
+};
+
+static const SEC_ASN1Template SEC_PKCS7RecipientInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SEC_PKCS7RecipientInfo) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(SEC_PKCS7RecipientInfo,version) },
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
+	  offsetof(SEC_PKCS7RecipientInfo,issuerAndSN),
+	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(SEC_PKCS7RecipientInfo,keyEncAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(SEC_PKCS7RecipientInfo,encKey) },
+    { 0 }
+};
+
+static const SEC_ASN1Template SEC_PKCS7EncryptedContentInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(SEC_PKCS7EncryptedContentInfo) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(SEC_PKCS7EncryptedContentInfo,contentType) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(SEC_PKCS7EncryptedContentInfo,contentEncAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_MAY_STREAM | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 0,
+	  offsetof(SEC_PKCS7EncryptedContentInfo,encContent),
+	  SEC_ASN1_SUB(SEC_OctetStringTemplate) },
+    { 0 }
+};
+
+static const SEC_ASN1Template SEC_PKCS7EnvelopedDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(SEC_PKCS7EnvelopedData) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(SEC_PKCS7EnvelopedData,version) },
+    { SEC_ASN1_SET_OF,
+	  offsetof(SEC_PKCS7EnvelopedData,recipientInfos),
+	  SEC_PKCS7RecipientInfoTemplate },
+    { SEC_ASN1_INLINE,
+	  offsetof(SEC_PKCS7EnvelopedData,encContentInfo),
+	  SEC_PKCS7EncryptedContentInfoTemplate },
+    { 0 }
+};
+
+static const SEC_ASN1Template SEC_PointerToPKCS7EnvelopedDataTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_PKCS7EnvelopedDataTemplate }
+};
+
+static const SEC_ASN1Template SEC_PKCS7SignedAndEnvelopedDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(SEC_PKCS7SignedAndEnvelopedData) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(SEC_PKCS7SignedAndEnvelopedData,version) },
+    { SEC_ASN1_SET_OF,
+	  offsetof(SEC_PKCS7SignedAndEnvelopedData,recipientInfos),
+	  SEC_PKCS7RecipientInfoTemplate },
+    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN,
+	  offsetof(SEC_PKCS7SignedAndEnvelopedData,digestAlgorithms),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_INLINE,
+	  offsetof(SEC_PKCS7SignedAndEnvelopedData,encContentInfo),
+	  SEC_PKCS7EncryptedContentInfoTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 0,
+	  offsetof(SEC_PKCS7SignedAndEnvelopedData,rawCerts),
+	  SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 1,
+	  offsetof(SEC_PKCS7SignedAndEnvelopedData,crls),
+	  SEC_ASN1_SUB(CERT_SetOfSignedCrlTemplate) },
+    { SEC_ASN1_SET_OF,
+	  offsetof(SEC_PKCS7SignedAndEnvelopedData,signerInfos),
+	  SEC_PKCS7SignerInfoTemplate },
+    { 0 }
+};
+
+static const SEC_ASN1Template
+SEC_PointerToPKCS7SignedAndEnvelopedDataTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_PKCS7SignedAndEnvelopedDataTemplate }
+};
+
+static const SEC_ASN1Template SEC_PKCS7DigestedDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(SEC_PKCS7DigestedData) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(SEC_PKCS7DigestedData,version) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(SEC_PKCS7DigestedData,digestAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_INLINE,
+	  offsetof(SEC_PKCS7DigestedData,contentInfo),
+	  sec_PKCS7ContentInfoTemplate },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(SEC_PKCS7DigestedData,digest) },
+    { 0 }
+};
+
+static const SEC_ASN1Template SEC_PointerToPKCS7DigestedDataTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_PKCS7DigestedDataTemplate }
+};
+
+static const SEC_ASN1Template SEC_PKCS7EncryptedDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(SEC_PKCS7EncryptedData) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(SEC_PKCS7EncryptedData,version) },
+    { SEC_ASN1_INLINE,
+	  offsetof(SEC_PKCS7EncryptedData,encContentInfo),
+	  SEC_PKCS7EncryptedContentInfoTemplate },
+    { 0 }
+};
+
+static const SEC_ASN1Template SEC_PointerToPKCS7EncryptedDataTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_PKCS7EncryptedDataTemplate }
+};
+
+const SEC_ASN1Template SEC_SMIMEKEAParamTemplateSkipjack[] = {
+	{ SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SEC_PKCS7SMIMEKEAParameters) },
+	{ SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
+	  offsetof(SEC_PKCS7SMIMEKEAParameters,originatorKEAKey) },
+	{ SEC_ASN1_OCTET_STRING,
+	  offsetof(SEC_PKCS7SMIMEKEAParameters,originatorRA) },
+	{ 0 }
+};
+
+const SEC_ASN1Template SEC_SMIMEKEAParamTemplateNoSkipjack[] = {
+	{ SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SEC_PKCS7SMIMEKEAParameters) },
+	{ SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
+	  offsetof(SEC_PKCS7SMIMEKEAParameters,originatorKEAKey) },
+	{ SEC_ASN1_OCTET_STRING,
+	  offsetof(SEC_PKCS7SMIMEKEAParameters,originatorRA) },
+	{ SEC_ASN1_OCTET_STRING  | SEC_ASN1_OPTIONAL ,
+	  offsetof(SEC_PKCS7SMIMEKEAParameters,nonSkipjackIV) },
+	{ 0 }
+};
+
+const SEC_ASN1Template SEC_SMIMEKEAParamTemplateAllParams[] = {
+	{ SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SEC_PKCS7SMIMEKEAParameters) },
+	{ SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
+	  offsetof(SEC_PKCS7SMIMEKEAParameters,originatorKEAKey) },
+	{ SEC_ASN1_OCTET_STRING,
+	  offsetof(SEC_PKCS7SMIMEKEAParameters,originatorRA) },
+	{ SEC_ASN1_OCTET_STRING  | SEC_ASN1_OPTIONAL ,
+	  offsetof(SEC_PKCS7SMIMEKEAParameters,nonSkipjackIV) },
+	{ SEC_ASN1_OCTET_STRING  | SEC_ASN1_OPTIONAL ,
+	  offsetof(SEC_PKCS7SMIMEKEAParameters,bulkKeySize) },
+	{ 0 }
+};
+
+const SEC_ASN1Template*
+sec_pkcs7_get_kea_template(SECKEATemplateSelector whichTemplate)
+{
+	const SEC_ASN1Template *returnVal = NULL;
+
+	switch(whichTemplate)
+	{
+	case SECKEAUsesNonSkipjack:
+		returnVal = SEC_SMIMEKEAParamTemplateNoSkipjack;
+		break;
+	case SECKEAUsesSkipjack:
+		returnVal = SEC_SMIMEKEAParamTemplateSkipjack;
+		break;
+	case SECKEAUsesNonSkipjackWithPaddedEncKey:
+	default:
+		returnVal = SEC_SMIMEKEAParamTemplateAllParams;
+		break;
+	}
+	return returnVal;
+}
+	
+static const SEC_ASN1Template *
+sec_pkcs7_choose_content_template(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    SEC_PKCS7ContentInfo *cinfo;
+    SECOidTag kind;
+
+    PORT_Assert (src_or_dest != NULL);
+    if (src_or_dest == NULL)
+	return NULL;
+
+    cinfo = (SEC_PKCS7ContentInfo*)src_or_dest;
+    kind = SEC_PKCS7ContentType (cinfo);
+    switch (kind) {
+      default:
+	theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+	break;
+      case SEC_OID_PKCS7_DATA:
+	theTemplate = SEC_ASN1_GET(SEC_PointerToOctetStringTemplate);
+	break;
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	theTemplate = SEC_PointerToPKCS7SignedDataTemplate;
+	break;
+      case SEC_OID_PKCS7_ENVELOPED_DATA:
+	theTemplate = SEC_PointerToPKCS7EnvelopedDataTemplate;
+	break;
+      case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
+	theTemplate = SEC_PointerToPKCS7SignedAndEnvelopedDataTemplate;
+	break;
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+	theTemplate = SEC_PointerToPKCS7DigestedDataTemplate;
+	break;
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	theTemplate = SEC_PointerToPKCS7EncryptedDataTemplate;
+	break;
+    }
+    return theTemplate;
+}
+
+/*
+ * End of templates.  Do not add stuff after this; put new code
+ * up above the start of the template definitions.
+ */
diff --git a/security/nss/lib/pkcs7/p7local.h b/security/nss/lib/pkcs7/p7local.h
new file mode 100644
index 000000000..80640c930
--- /dev/null
+++ b/security/nss/lib/pkcs7/p7local.h
@@ -0,0 +1,176 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Support routines for PKCS7 implementation, none of which are exported.
+ * This file should only contain things that are needed by both the
+ * encoding/creation side *and* the decoding/decryption side.  Anything
+ * else should just be static routines in the appropriate file.
+ *
+ * Do not export this file!  If something in here is really needed outside
+ * of pkcs7 code, first try to add a PKCS7 interface which will do it for
+ * you.  If that has a problem, then just move out what you need, changing
+ * its name as appropriate!
+ *
+ * $Id$
+ */
+
+#ifndef _P7LOCAL_H_
+#define _P7LOCAL_H_
+
+#include "secpkcs7.h"
+#include "secasn1t.h"
+
+extern const SEC_ASN1Template sec_PKCS7ContentInfoTemplate[];
+
+/* opaque objects */
+typedef struct sec_pkcs7_cipher_object sec_PKCS7CipherObject;
+
+
+/************************************************************************/
+SEC_BEGIN_PROTOS
+
+/*
+ * Look through a set of attributes and find one that matches the
+ * specified object ID.  If "only" is true, then make sure that
+ * there is not more than one attribute of the same type.  Otherwise,
+ * just return the first one found. (XXX Does anybody really want
+ * that first-found behavior?  It was like that when I found it...)
+ */
+extern SEC_PKCS7Attribute *sec_PKCS7FindAttribute (SEC_PKCS7Attribute **attrs,
+						   SECOidTag oidtag,
+						   PRBool only);
+/*
+ * Return the single attribute value, doing some sanity checking first:
+ * - Multiple values are *not* expected.
+ * - Empty values are *not* expected.
+ */
+extern SECItem *sec_PKCS7AttributeValue (SEC_PKCS7Attribute *attr);
+
+/*
+ * Encode a set of attributes (found in "src").
+ */
+extern SECItem *sec_PKCS7EncodeAttributes (PRArenaPool *poolp,
+					   SECItem *dest, void *src);
+
+/*
+ * Make sure that the order of the attributes guarantees valid DER
+ * (which must be in lexigraphically ascending order for a SET OF);
+ * if reordering is necessary it will be done in place (in attrs).
+ */
+extern SECStatus sec_PKCS7ReorderAttributes (SEC_PKCS7Attribute **attrs);
+
+
+/*
+ * Create a context for decrypting, based on the given key and algorithm.
+ */
+extern sec_PKCS7CipherObject *
+sec_PKCS7CreateDecryptObject (PK11SymKey *key, SECAlgorithmID *algid);
+
+/*
+ * Create a context for encrypting, based on the given key and algorithm,
+ * and fill in the algorithm id.
+ */
+extern sec_PKCS7CipherObject *
+sec_PKCS7CreateEncryptObject (PRArenaPool *poolp, PK11SymKey *key,
+			      SECOidTag algtag, SECAlgorithmID *algid);
+
+/*
+ * Destroy the given decryption or encryption object.
+ */
+extern void sec_PKCS7DestroyDecryptObject (sec_PKCS7CipherObject *obj);
+extern void sec_PKCS7DestroyEncryptObject (sec_PKCS7CipherObject *obj);
+
+/*
+ * What will be the output length of the next call to encrypt/decrypt?
+ * Result can be used to perform memory allocations.  Note that the amount
+ * is exactly accurate only when not doing a block cipher or when final
+ * is false, otherwise it is an upper bound on the amount because until
+ * we see the data we do not know how many padding bytes there are
+ * (always between 1 and the cipher block size).
+ *
+ * Note that this can return zero, which does not mean that the cipher
+ * operation can be skipped!  (It simply means that there are not enough
+ * bytes to make up an entire block; the bytes will be reserved until
+ * there are enough to encrypt/decrypt at least one block.)  However,
+ * if zero is returned it *does* mean that no output buffer need be
+ * passed in to the subsequent cipher operation, as no output bytes
+ * will be stored.
+ */
+extern unsigned int sec_PKCS7DecryptLength (sec_PKCS7CipherObject *obj,
+					    unsigned int input_len,
+					    PRBool final);
+extern unsigned int sec_PKCS7EncryptLength (sec_PKCS7CipherObject *obj,
+					    unsigned int input_len,
+					    PRBool final);
+
+/*
+ * Decrypt a given length of input buffer (starting at "input" and
+ * containing "input_len" bytes), placing the decrypted bytes in
+ * "output" and storing the output length in "*output_len_p".
+ * "obj" is the return value from sec_PKCS7CreateDecryptObject.
+ * When "final" is true, this is the last of the data to be decrypted.
+ */ 
+extern SECStatus sec_PKCS7Decrypt (sec_PKCS7CipherObject *obj,
+				   unsigned char *output,
+				   unsigned int *output_len_p,
+				   unsigned int max_output_len,
+				   const unsigned char *input,
+				   unsigned int input_len,
+				   PRBool final);
+
+/*
+ * Encrypt a given length of input buffer (starting at "input" and
+ * containing "input_len" bytes), placing the encrypted bytes in
+ * "output" and storing the output length in "*output_len_p".
+ * "obj" is the return value from sec_PKCS7CreateEncryptObject.
+ * When "final" is true, this is the last of the data to be encrypted.
+ */ 
+extern SECStatus sec_PKCS7Encrypt (sec_PKCS7CipherObject *obj,
+				   unsigned char *output,
+				   unsigned int *output_len_p,
+				   unsigned int max_output_len,
+				   const unsigned char *input,
+				   unsigned int input_len,
+				   PRBool final);
+
+/* return the correct kea template based on the template selector. skipjack
+ * does not have the extra IV.
+ */
+const SEC_ASN1Template * 
+sec_pkcs7_get_kea_template(SECKEATemplateSelector whichTemplate);
+
+/************************************************************************/
+SEC_END_PROTOS
+
+#endif /* _P7LOCAL_H_ */
diff --git a/security/nss/lib/pkcs7/pkcs7t.h b/security/nss/lib/pkcs7/pkcs7t.h
new file mode 100644
index 000000000..d36c5e41a
--- /dev/null
+++ b/security/nss/lib/pkcs7/pkcs7t.h
@@ -0,0 +1,296 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Header for pkcs7 types.
+ *
+ * $Id$
+ */
+
+#ifndef _PKCS7T_H_
+#define _PKCS7T_H_
+
+#include "plarena.h"
+
+#include "seccomon.h"
+#include "secoidt.h"
+#include "certt.h"
+#include "secmodt.h"
+
+/* Opaque objects */
+typedef struct SEC_PKCS7DecoderContextStr SEC_PKCS7DecoderContext;
+typedef struct SEC_PKCS7EncoderContextStr SEC_PKCS7EncoderContext;
+
+/* legacy defines that haven't been active for years */
+typedef void *(*SECKEYGetPasswordKey)(void *arg, void *handle);
+
+
+/* Non-opaque objects.  NOTE, though: I want them to be treated as
+ * opaque as much as possible.  If I could hide them completely,
+ * I would.  (I tried, but ran into trouble that was taking me too
+ * much time to get out of.)  I still intend to try to do so.
+ * In fact, the only type that "outsiders" should even *name* is
+ * SEC_PKCS7ContentInfo, and they should not reference its fields.
+ */
+/* rjr: PKCS #11 cert handling (pk11cert.c) does use SEC_PKCS7RecipientInfo's.
+ * This is because when we search the recipient list for the cert and key we
+ * want, we need to invert the order of the loops we used to have. The old
+ * loops were:
+ *
+ *  For each recipient {
+ *       find_cert = PK11_Find_AllCert(recipient->issuerSN);
+ *       [which unrolls to... ]
+ *       For each slot {
+ *            Log into slot;
+ *            search slot for cert;
+ *      }
+ *  }
+ *
+ *  the new loop searchs all the recipients at once on a slot. this allows
+ *  PKCS #11 to order slots in such a way that logout slots don't get checked
+ *  if we can find the cert on a logged in slot. This eliminates lots of
+ *  spurious password prompts when smart cards are installed... so why this
+ *  comment? If you make SEC_PKCS7RecipientInfo completely opaque, you need
+ *  to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs
+ *  and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
+ *  function.
+ */
+typedef struct SEC_PKCS7ContentInfoStr SEC_PKCS7ContentInfo;
+typedef struct SEC_PKCS7SignedDataStr SEC_PKCS7SignedData;
+typedef struct SEC_PKCS7EncryptedContentInfoStr SEC_PKCS7EncryptedContentInfo;
+typedef struct SEC_PKCS7EnvelopedDataStr SEC_PKCS7EnvelopedData;
+typedef struct SEC_PKCS7SignedAndEnvelopedDataStr
+		SEC_PKCS7SignedAndEnvelopedData;
+typedef struct SEC_PKCS7SignerInfoStr SEC_PKCS7SignerInfo;
+typedef struct SEC_PKCS7RecipientInfoStr SEC_PKCS7RecipientInfo;
+typedef struct SEC_PKCS7DigestedDataStr SEC_PKCS7DigestedData;
+typedef struct SEC_PKCS7EncryptedDataStr SEC_PKCS7EncryptedData;
+typedef struct SEC_PKCS7SMIMEKEAParametersStr SEC_PKCS7SMIMEKEAParameters;
+/*
+ * The following is not actually a PKCS7 type, but for now it is only
+ * used by PKCS7, so we have adopted it.  If someone else *ever* needs
+ * it, its name should be changed and it should be moved out of here.
+ * Do not dare to use it without doing so!
+ */
+typedef struct SEC_PKCS7AttributeStr SEC_PKCS7Attribute;
+
+struct SEC_PKCS7ContentInfoStr {
+    PRArenaPool *poolp;			/* local; not part of encoding */
+    PRBool created;			/* local; not part of encoding */
+    int refCount;			/* local; not part of encoding */
+    SECOidData *contentTypeTag;		/* local; not part of encoding */
+    SECKEYGetPasswordKey pwfn;		/* local; not part of encoding */
+    void *pwfn_arg;			/* local; not part of encoding */
+    SECItem contentType;
+    union {
+	SECItem				*data;
+	SEC_PKCS7DigestedData		*digestedData;
+	SEC_PKCS7EncryptedData		*encryptedData;
+	SEC_PKCS7EnvelopedData		*envelopedData;
+	SEC_PKCS7SignedData		*signedData;
+	SEC_PKCS7SignedAndEnvelopedData	*signedAndEnvelopedData;
+    } content;
+};
+
+struct SEC_PKCS7SignedDataStr {
+    SECItem version;
+    SECAlgorithmID **digestAlgorithms;
+    SEC_PKCS7ContentInfo contentInfo;
+    SECItem **rawCerts;
+    CERTSignedCrl **crls;
+    SEC_PKCS7SignerInfo **signerInfos;
+    SECItem **digests;			/* local; not part of encoding */
+    CERTCertificate **certs;		/* local; not part of encoding */
+    CERTCertificateList **certLists;	/* local; not part of encoding */
+};
+#define SEC_PKCS7_SIGNED_DATA_VERSION		1	/* what we *create* */
+
+struct SEC_PKCS7EncryptedContentInfoStr {
+    SECOidData *contentTypeTag;		/* local; not part of encoding */
+    SECItem contentType;
+    SECAlgorithmID contentEncAlg;
+    SECItem encContent;
+    SECItem plainContent;		/* local; not part of encoding */
+					/* bytes not encrypted, but encoded */
+    int keysize;			/* local; not part of encoding */
+					/* size of bulk encryption key
+					 * (only used by creation code) */
+    SECOidTag encalg;			/* local; not part of encoding */
+					/* oid tag of encryption algorithm
+					 * (only used by creation code) */
+};
+
+struct SEC_PKCS7EnvelopedDataStr {
+    SECItem version;
+    SEC_PKCS7RecipientInfo **recipientInfos;
+    SEC_PKCS7EncryptedContentInfo encContentInfo;
+};
+#define SEC_PKCS7_ENVELOPED_DATA_VERSION	0	/* what we *create* */
+
+struct SEC_PKCS7SignedAndEnvelopedDataStr {
+    SECItem version;
+    SEC_PKCS7RecipientInfo **recipientInfos;
+    SECAlgorithmID **digestAlgorithms;
+    SEC_PKCS7EncryptedContentInfo encContentInfo;
+    SECItem **rawCerts;
+    CERTSignedCrl **crls;
+    SEC_PKCS7SignerInfo **signerInfos;
+    SECItem **digests;			/* local; not part of encoding */
+    CERTCertificate **certs;		/* local; not part of encoding */
+    CERTCertificateList **certLists;	/* local; not part of encoding */
+    PK11SymKey *sigKey;			/* local; not part of encoding */
+};
+#define SEC_PKCS7_SIGNED_AND_ENVELOPED_DATA_VERSION 1	/* what we *create* */
+
+struct SEC_PKCS7SignerInfoStr {
+    SECItem version;
+    CERTIssuerAndSN *issuerAndSN;
+    SECAlgorithmID digestAlg;
+    SEC_PKCS7Attribute **authAttr;
+    SECAlgorithmID digestEncAlg;
+    SECItem encDigest;
+    SEC_PKCS7Attribute **unAuthAttr;
+    CERTCertificate *cert;		/* local; not part of encoding */
+    CERTCertificateList *certList;	/* local; not part of encoding */
+};
+#define SEC_PKCS7_SIGNER_INFO_VERSION		1	/* what we *create* */
+
+struct SEC_PKCS7RecipientInfoStr {
+    SECItem version;
+    CERTIssuerAndSN *issuerAndSN;
+    SECAlgorithmID keyEncAlg;
+    SECItem encKey;
+    CERTCertificate *cert;		/* local; not part of encoding */
+};
+#define SEC_PKCS7_RECIPIENT_INFO_VERSION	0	/* what we *create* */
+
+struct SEC_PKCS7DigestedDataStr {
+    SECItem version;
+    SECAlgorithmID digestAlg;
+    SEC_PKCS7ContentInfo contentInfo;
+    SECItem digest;
+};
+#define SEC_PKCS7_DIGESTED_DATA_VERSION		0	/* what we *create* */
+
+struct SEC_PKCS7EncryptedDataStr {
+    SECItem version;
+    SEC_PKCS7EncryptedContentInfo encContentInfo;
+};
+#define SEC_PKCS7_ENCRYPTED_DATA_VERSION	0	/* what we *create* */
+
+/*
+ * See comment above about this type not really belonging to PKCS7.
+ */
+struct SEC_PKCS7AttributeStr {
+    /* The following fields make up an encoded Attribute: */
+    SECItem type;
+    SECItem **values;	/* data may or may not be encoded */
+    /* The following fields are not part of an encoded Attribute: */
+    SECOidData *typeTag;
+    PRBool encoded;	/* when true, values are encoded */
+};
+
+/* An enumerated type used to select templates based on the encryption
+   scenario and data specifics. */
+typedef enum
+{
+	SECKEAInvalid = -1,
+	SECKEAUsesSkipjack = 0,
+	SECKEAUsesNonSkipjack = 1,
+	SECKEAUsesNonSkipjackWithPaddedEncKey = 2
+} SECKEATemplateSelector;
+
+/* ### mwelch - S/MIME KEA parameters. These don't really fit here,
+                but I cannot think of a more appropriate place at this time. */
+struct SEC_PKCS7SMIMEKEAParametersStr {
+	SECItem originatorKEAKey;	/* sender KEA key (encrypted?) */
+	SECItem originatorRA;		/* random number generated by sender */
+	SECItem nonSkipjackIV;		/* init'n vector for SkipjackCBC64
+					   decryption of KEA key if Skipjack
+					   is not the bulk algorithm used on
+					   the message */
+	SECItem bulkKeySize;		/* if Skipjack is not the bulk
+					   algorithm used on the message,
+					   and the size of the bulk encryption
+					   key is not the same as that of
+					   originatorKEAKey (due to padding
+					   perhaps), this field will contain
+					   the real size of the bulk encryption
+					   key. */
+};
+
+/*
+ * Type of function passed to SEC_PKCS7Decode or SEC_PKCS7DecoderStart.
+ * If specified, this is where the content bytes (only) will be "sent"
+ * as they are recovered during the decoding.
+ *
+ * XXX Should just combine this with SEC_PKCS7EncoderContentCallback type
+ * and use a simpler, common name.
+ */
+typedef void (* SEC_PKCS7DecoderContentCallback)(void *arg,
+						 const char *buf,
+						 unsigned long len);
+
+/*
+ * Type of function passed to SEC_PKCS7Encode or SEC_PKCS7EncoderStart.
+ * This is where the encoded bytes will be "sent".
+ *
+ * XXX Should just combine this with SEC_PKCS7DecoderContentCallback type
+ * and use a simpler, common name.
+ */
+typedef void (* SEC_PKCS7EncoderOutputCallback)(void *arg,
+						const char *buf,
+						unsigned long len);
+
+
+/*
+ * Type of function passed to SEC_PKCS7Decode or SEC_PKCS7DecoderStart
+ * to retrieve the decryption key.  This function is inteded to be
+ * used for EncryptedData content info's which do not have a key available
+ * in a certificate, etc.
+ */
+typedef PK11SymKey * (* SEC_PKCS7GetDecryptKeyCallback)(void *arg, 
+							SECAlgorithmID *algid);
+
+/* 
+ * Type of function passed to SEC_PKCS7Decode or SEC_PKCS7DecoderStart.
+ * This function in intended to be used to verify that decrypting a
+ * particular crypto algorithm is allowed.  Content types which do not
+ * require decryption will not need the callback.  If the callback
+ * is not specified for content types which require decryption, the
+ * decryption will be disallowed.
+ */
+typedef PRBool (* SEC_PKCS7DecryptionAllowedCallback)(SECAlgorithmID *algid,  
+						      PK11SymKey *bulkkey);
+
+#endif /* _PKCS7T_H_ */
diff --git a/security/nss/lib/pkcs7/secmime.c b/security/nss/lib/pkcs7/secmime.c
new file mode 100644
index 000000000..017896bd7
--- /dev/null
+++ b/security/nss/lib/pkcs7/secmime.c
@@ -0,0 +1,901 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Stuff specific to S/MIME policy and interoperability.
+ * Depends on PKCS7, but there should be no dependency the other way around.
+ *
+ * $Id$
+ */
+
+#include "secmime.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "ciferfam.h"	/* for CIPHER_FAMILY symbols */
+#include "secasn1.h"
+#include "secitem.h"
+#include "cert.h"
+#include "key.h"
+#include "secerr.h"
+
+typedef struct smime_cipher_map_struct {
+    unsigned long cipher;
+    SECOidTag algtag;
+    SECItem *parms;
+} smime_cipher_map;
+
+/*
+ * These are macros because I think some subsequent parameters,
+ * like those for RC5, will want to use them, too, separately.
+ */
+#define SMIME_DER_INTVAL_16	SEC_ASN1_INTEGER, 0x01, 0x10
+#define SMIME_DER_INTVAL_40	SEC_ASN1_INTEGER, 0x01, 0x28
+#define SMIME_DER_INTVAL_64	SEC_ASN1_INTEGER, 0x01, 0x40
+#define SMIME_DER_INTVAL_128	SEC_ASN1_INTEGER, 0x02, 0x00, 0x80
+
+#ifdef SMIME_DOES_RC5	/* will be needed; quiet unused warning for now */
+static unsigned char smime_int16[] = { SMIME_DER_INTVAL_16 };
+#endif
+static unsigned char smime_int40[] = { SMIME_DER_INTVAL_40 };
+static unsigned char smime_int64[] = { SMIME_DER_INTVAL_64 };
+static unsigned char smime_int128[] = { SMIME_DER_INTVAL_128 };
+
+static SECItem smime_rc2p40 = { siBuffer, smime_int40, sizeof(smime_int40) };
+static SECItem smime_rc2p64 = { siBuffer, smime_int64, sizeof(smime_int64) };
+static SECItem smime_rc2p128 = { siBuffer, smime_int128, sizeof(smime_int128) };
+
+static smime_cipher_map smime_cipher_maps[] = {
+    { SMIME_RC2_CBC_40,		SEC_OID_RC2_CBC,	&smime_rc2p40 },
+    { SMIME_RC2_CBC_64,		SEC_OID_RC2_CBC,	&smime_rc2p64 },
+    { SMIME_RC2_CBC_128,	SEC_OID_RC2_CBC,	&smime_rc2p128 },
+#ifdef SMIME_DOES_RC5
+    { SMIME_RC5PAD_64_16_40,	SEC_OID_RC5_CBC_PAD,	&smime_rc5p40 },
+    { SMIME_RC5PAD_64_16_64,	SEC_OID_RC5_CBC_PAD,	&smime_rc5p64 },
+    { SMIME_RC5PAD_64_16_128,	SEC_OID_RC5_CBC_PAD,	&smime_rc5p128 },
+#endif
+    { SMIME_DES_CBC_56,		SEC_OID_DES_CBC,	NULL },
+    { SMIME_DES_EDE3_168,	SEC_OID_DES_EDE3_CBC,	NULL },
+    { SMIME_FORTEZZA,		SEC_OID_FORTEZZA_SKIPJACK, NULL}
+};
+
+/*
+ * Note, the following value really just needs to be an upper bound
+ * on the ciphers.
+ */
+static const int smime_symmetric_count = sizeof(smime_cipher_maps)
+					 / sizeof(smime_cipher_map);
+
+static unsigned long *smime_prefs, *smime_newprefs;
+static int smime_current_pref_index = 0;
+static PRBool smime_prefs_complete = PR_FALSE;
+static PRBool smime_prefs_changed = PR_TRUE;
+
+static unsigned long smime_policy_bits = 0;
+
+
+static int
+smime_mapi_by_cipher (unsigned long cipher)
+{
+    int i;
+
+    for (i = 0; i < smime_symmetric_count; i++) {
+	if (smime_cipher_maps[i].cipher == cipher)
+	    break;
+    }
+
+    if (i == smime_symmetric_count)
+	return -1;
+
+    return i;
+}
+
+
+/*
+ * this function locally records the user's preference
+ */
+SECStatus 
+SECMIME_EnableCipher(long which, int on)
+{
+    unsigned long mask;
+
+    if (smime_newprefs == NULL || smime_prefs_complete) {
+	/*
+	 * This is either the very first time, or we are starting over.
+	 */
+	smime_newprefs = (unsigned long*)PORT_ZAlloc (smime_symmetric_count
+				      * sizeof(*smime_newprefs));
+	if (smime_newprefs == NULL)
+	    return SECFailure;
+	smime_current_pref_index = 0;
+	smime_prefs_complete = PR_FALSE;
+    }
+
+    mask = which & CIPHER_FAMILYID_MASK;
+    if (mask == CIPHER_FAMILYID_MASK) {
+    	/*
+	 * This call signifies that all preferences have been set.
+	 * Move "newprefs" over, after checking first whether or
+	 * not the new ones are different from the old ones.
+	 */
+	if (smime_prefs != NULL) {
+	    if (PORT_Memcmp (smime_prefs, smime_newprefs,
+			     smime_symmetric_count * sizeof(*smime_prefs)) == 0)
+		smime_prefs_changed = PR_FALSE;
+	    else
+		smime_prefs_changed = PR_TRUE;
+	    PORT_Free (smime_prefs);
+	}
+
+	smime_prefs = smime_newprefs;
+	smime_prefs_complete = PR_TRUE;
+	return SECSuccess;
+    }
+
+    PORT_Assert (mask == CIPHER_FAMILYID_SMIME);
+    if (mask != CIPHER_FAMILYID_SMIME) {
+	/* XXX set an error! */
+    	return SECFailure;
+    }
+
+    if (on) {
+	PORT_Assert (smime_current_pref_index < smime_symmetric_count);
+	if (smime_current_pref_index >= smime_symmetric_count) {
+	    /* XXX set an error! */
+	    return SECFailure;
+	}
+
+	smime_newprefs[smime_current_pref_index++] = which;
+    }
+
+    return SECSuccess;
+}
+
+
+/*
+ * this function locally records the export policy
+ */
+SECStatus 
+SECMIME_SetPolicy(long which, int on)
+{
+    unsigned long mask;
+
+    PORT_Assert ((which & CIPHER_FAMILYID_MASK) == CIPHER_FAMILYID_SMIME);
+    if ((which & CIPHER_FAMILYID_MASK) != CIPHER_FAMILYID_SMIME) {
+	/* XXX set an error! */
+    	return SECFailure;
+    }
+
+    which &= ~CIPHER_FAMILYID_MASK;
+
+    PORT_Assert (which < 32);	/* bits in the long */
+    if (which >= 32) {
+	/* XXX set an error! */
+    	return SECFailure;
+    }
+
+    mask = 1UL << which;
+
+    if (on) {
+    	smime_policy_bits |= mask;
+    } else {
+    	smime_policy_bits &= ~mask;
+    }
+
+    return SECSuccess;
+}
+
+
+/*
+ * Based on the given algorithm (including its parameters, in some cases!)
+ * and the given key (may or may not be inspected, depending on the
+ * algorithm), find the appropriate policy algorithm specification
+ * and return it.  If no match can be made, -1 is returned.
+ */
+static long
+smime_policy_algorithm (SECAlgorithmID *algid, PK11SymKey *key)
+{
+    SECOidTag algtag;
+
+    algtag = SECOID_GetAlgorithmTag (algid);
+    switch (algtag) {
+      case SEC_OID_RC2_CBC:
+	{
+	    unsigned int keylen_bits;
+
+	    keylen_bits = PK11_GetKeyStrength (key, algid);
+	    switch (keylen_bits) {
+	      case 40:
+		return SMIME_RC2_CBC_40;
+	      case 64:
+		return SMIME_RC2_CBC_64;
+	      case 128:
+		return SMIME_RC2_CBC_128;
+	      default:
+		break;
+	    }
+	}
+	break;
+      case SEC_OID_DES_CBC:
+	return SMIME_DES_CBC_56;
+      case SEC_OID_DES_EDE3_CBC:
+	return SMIME_DES_EDE3_168;
+      case SEC_OID_FORTEZZA_SKIPJACK:
+	return SMIME_FORTEZZA;
+#ifdef SMIME_DOES_RC5
+      case SEC_OID_RC5_CBC_PAD:
+	PORT_Assert (0);	/* XXX need to pull out parameters and match */
+	break;
+#endif
+      default:
+	break;
+    }
+
+    return -1;
+}
+
+
+static PRBool
+smime_cipher_allowed (unsigned long which)
+{
+    unsigned long mask;
+
+    which &= ~CIPHER_FAMILYID_MASK;
+    PORT_Assert (which < 32);	/* bits per long (min) */
+    if (which >= 32)
+	return PR_FALSE;
+
+    mask = 1UL << which;
+    if ((mask & smime_policy_bits) == 0)
+	return PR_FALSE;
+
+    return PR_TRUE;
+}
+
+
+PRBool
+SECMIME_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key)
+{
+    long which;
+
+    which = smime_policy_algorithm (algid, key);
+    if (which < 0)
+	return PR_FALSE;
+
+    return smime_cipher_allowed ((unsigned long)which);
+}
+
+
+/*
+ * Does the current policy allow *any* S/MIME encryption (or decryption)?
+ *
+ * This tells whether or not *any* S/MIME encryption can be done,
+ * according to policy.  Callers may use this to do nicer user interface
+ * (say, greying out a checkbox so a user does not even try to encrypt
+ * a message when they are not allowed to) or for any reason they want
+ * to check whether S/MIME encryption (or decryption, for that matter)
+ * may be done.
+ *
+ * It takes no arguments.  The return value is a simple boolean:
+ *   PR_TRUE means encryption (or decryption) is *possible*
+ *	(but may still fail due to other reasons, like because we cannot
+ *	find all the necessary certs, etc.; PR_TRUE is *not* a guarantee)
+ *   PR_FALSE means encryption (or decryption) is not permitted
+ *
+ * There are no errors from this routine.
+ */
+PRBool
+SECMIME_EncryptionPossible (void)
+{
+    if (smime_policy_bits != 0)
+	return PR_TRUE;
+
+    return PR_FALSE;
+}
+
+
+/*
+ * XXX Would like the "parameters" field to be a SECItem *, but the
+ * encoder is having trouble with optional pointers to an ANY.  Maybe
+ * once that is fixed, can change this back...
+ */
+typedef struct smime_capability_struct {
+    unsigned long cipher;	/* local; not part of encoding */
+    SECOidTag capIDTag;		/* local; not part of encoding */
+    SECItem capabilityID;
+    SECItem parameters;
+} smime_capability;
+
+static const SEC_ASN1Template smime_capability_template[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(smime_capability) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(smime_capability,capabilityID), },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
+	  offsetof(smime_capability,parameters), },
+    { 0, }
+};
+
+static const SEC_ASN1Template smime_capabilities_template[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, smime_capability_template }
+};
+
+
+
+static void
+smime_fill_capability (smime_capability *cap)
+{
+    unsigned long cipher;
+    SECOidTag algtag;
+    int i;
+
+    algtag = SECOID_FindOIDTag (&(cap->capabilityID));
+
+    for (i = 0; i < smime_symmetric_count; i++) {
+	if (smime_cipher_maps[i].algtag != algtag)
+	    continue;
+	/*
+	 * XXX If SECITEM_CompareItem allowed NULLs as arguments (comparing
+	 * 2 NULLs as equal and NULL and non-NULL as not equal), we could
+	 * use that here instead of all of the following comparison code.
+	 */
+	if (cap->parameters.data != NULL) {
+	    if (smime_cipher_maps[i].parms == NULL)
+		continue;
+	    if (cap->parameters.len != smime_cipher_maps[i].parms->len)
+		continue;
+	    if (PORT_Memcmp (cap->parameters.data,
+			     smime_cipher_maps[i].parms->data,
+			     cap->parameters.len) == 0)
+		break;
+	} else if (smime_cipher_maps[i].parms == NULL) {
+	    break;
+	}
+    }
+
+    if (i == smime_symmetric_count)
+	cipher = 0;
+    else
+	cipher = smime_cipher_maps[i].cipher;
+
+    cap->cipher = cipher;
+    cap->capIDTag = algtag;
+}
+
+
+static long
+smime_choose_cipher (CERTCertificate *scert, CERTCertificate **rcerts)
+{
+    PRArenaPool *poolp;
+    long chosen_cipher;
+    int *cipher_abilities;
+    int *cipher_votes;
+    int strong_mapi;
+    int rcount, mapi, max, i;
+	PRBool isFortezza = PK11_FortezzaHasKEA(scert);
+
+    if (smime_policy_bits == 0) {
+	PORT_SetError (SEC_ERROR_BAD_EXPORT_ALGORITHM);
+	return -1;
+    }
+
+    chosen_cipher = SMIME_RC2_CBC_40;		/* the default, LCD */
+
+    poolp = PORT_NewArena (1024);		/* XXX what is right value? */
+    if (poolp == NULL)
+	goto done;
+
+    cipher_abilities = (int*)PORT_ArenaZAlloc (poolp,
+					 smime_symmetric_count * sizeof(int));
+    if (cipher_abilities == NULL)
+	goto done;
+
+    cipher_votes = (int*)PORT_ArenaZAlloc (poolp,
+				     smime_symmetric_count * sizeof(int));
+    if (cipher_votes == NULL)
+	goto done;
+
+    /*
+     * XXX Should have a #define somewhere which specifies default
+     * strong cipher.  (Or better, a way to configure, which would
+     * take Fortezza into account as well.)
+     */
+
+    /* If the user has the Fortezza preference turned on, make
+     *  that the strong cipher. Otherwise, use triple-DES. */
+    strong_mapi = -1;
+    if (isFortezza) {
+	for(i=0;i < smime_current_pref_index && strong_mapi < 0;i++)
+	{
+	    if (smime_prefs[i] == SMIME_FORTEZZA)
+		strong_mapi = smime_mapi_by_cipher(SMIME_FORTEZZA);
+	}
+    }
+
+    if (strong_mapi == -1)
+	strong_mapi = smime_mapi_by_cipher (SMIME_DES_EDE3_168);
+
+    PORT_Assert (strong_mapi >= 0);
+
+    for (rcount = 0; rcerts[rcount] != NULL; rcount++) {
+	SECItem *profile;
+	smime_capability **caps;
+	int capi, pref;
+	SECStatus dstat;
+
+	pref = smime_symmetric_count;
+	profile = CERT_FindSMimeProfile (rcerts[rcount]);
+	if (profile != NULL && profile->data != NULL && profile->len > 0) {
+	    caps = NULL;
+	    dstat = SEC_ASN1DecodeItem (poolp, &caps,
+					smime_capabilities_template,
+					profile);
+	    if (dstat == SECSuccess && caps != NULL) {
+		for (capi = 0; caps[capi] != NULL; capi++) {
+		    smime_fill_capability (caps[capi]);
+		    mapi = smime_mapi_by_cipher (caps[capi]->cipher);
+		    if (mapi >= 0) {
+			cipher_abilities[mapi]++;
+			cipher_votes[mapi] += pref;
+			--pref;
+		    }
+		}
+	    }
+	} else {
+	    SECKEYPublicKey *key;
+	    unsigned int pklen_bits;
+
+	    /*
+	     * XXX This is probably only good for RSA keys.  What I would
+	     * really like is a function to just say;  Is the public key in
+	     * this cert an export-length key?  Then I would not have to
+	     * know things like the value 512, or the kind of key, or what
+	     * a subjectPublicKeyInfo is, etc.
+	     */
+	    key = CERT_ExtractPublicKey (rcerts[rcount]);
+	    if (key != NULL) {
+		pklen_bits = SECKEY_PublicKeyStrength (key) * 8;
+		SECKEY_DestroyPublicKey (key);
+
+		if (pklen_bits > 512) {
+		    cipher_abilities[strong_mapi]++;
+		    cipher_votes[strong_mapi] += pref;
+		}
+	    }
+	}
+	if (profile != NULL)
+	    SECITEM_FreeItem (profile, PR_TRUE);
+    }
+
+    max = 0;
+    for (mapi = 0; mapi < smime_symmetric_count; mapi++) {
+	if (cipher_abilities[mapi] != rcount)
+	    continue;
+	if (! smime_cipher_allowed (smime_cipher_maps[mapi].cipher))
+	    continue;
+	if (!isFortezza  && (smime_cipher_maps[mapi].cipher == SMIME_FORTEZZA))
+		continue;
+	if (cipher_votes[mapi] > max) {
+	    chosen_cipher = smime_cipher_maps[mapi].cipher;
+	    max = cipher_votes[mapi];
+	} /* XXX else if a tie, let scert break it? */
+    }
+
+done:
+    if (poolp != NULL)
+	PORT_FreeArena (poolp, PR_FALSE);
+
+    return chosen_cipher;
+}
+
+
+/*
+ * XXX This is a hack for now to satisfy our current interface.
+ * Eventually, with more parameters needing to be specified, just
+ * looking up the keysize is not going to be sufficient.
+ */
+static int
+smime_keysize_by_cipher (unsigned long which)
+{
+    int keysize;
+
+    switch (which) {
+      case SMIME_RC2_CBC_40:
+	keysize = 40;
+	break;
+      case SMIME_RC2_CBC_64:
+	keysize = 64;
+	break;
+      case SMIME_RC2_CBC_128:
+	keysize = 128;
+	break;
+#ifdef SMIME_DOES_RC5
+      case SMIME_RC5PAD_64_16_40:
+      case SMIME_RC5PAD_64_16_64:
+      case SMIME_RC5PAD_64_16_128:
+	/* XXX See comment above; keysize is not enough... */
+	PORT_Assert (0);
+	PORT_SetError (SEC_ERROR_INVALID_ALGORITHM);
+	keysize = -1;
+	break;
+#endif
+      case SMIME_DES_CBC_56:
+      case SMIME_DES_EDE3_168:
+      case SMIME_FORTEZZA:
+	/*
+	 * These are special; since the key size is fixed, we actually
+	 * want to *avoid* specifying a key size.
+	 */
+	keysize = 0;
+	break;
+      default:
+	keysize = -1;
+	break;
+    }
+
+    return keysize;
+}
+
+
+/*
+ * Start an S/MIME encrypting context.
+ *
+ * "scert" is the cert for the sender.  It will be checked for validity.
+ * "rcerts" are the certs for the recipients.  They will also be checked.
+ *
+ * "certdb" is the cert database to use for verifying the certs.
+ * It can be NULL if a default database is available (like in the client).
+ *
+ * This function already does all of the stuff specific to S/MIME protocol
+ * and local policy; the return value just needs to be passed to
+ * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
+ * and finally to SEC_PKCS7DestroyContentInfo().
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+SEC_PKCS7ContentInfo *
+SECMIME_CreateEncrypted(CERTCertificate *scert,
+			CERTCertificate **rcerts,
+			CERTCertDBHandle *certdb,
+			SECKEYGetPasswordKey pwfn,
+			void *pwfn_arg)
+{
+    SEC_PKCS7ContentInfo *cinfo;
+    long cipher;
+    SECOidTag encalg;
+    int keysize;
+    int mapi, rci;
+
+    cipher = smime_choose_cipher (scert, rcerts);
+    if (cipher < 0)
+	return NULL;
+
+    mapi = smime_mapi_by_cipher (cipher);
+    if (mapi < 0)
+	return NULL;
+
+    /*
+     * XXX This is stretching it -- CreateEnvelopedData should probably
+     * take a cipher itself of some sort, because we cannot know what the
+     * future will bring in terms of parameters for each type of algorithm.
+     * For example, just an algorithm and keysize is *not* sufficient to
+     * fully specify the usage of RC5 (which also needs to know rounds and
+     * block size).  Work this out into a better API!
+     */
+    encalg = smime_cipher_maps[mapi].algtag;
+    keysize = smime_keysize_by_cipher (cipher);
+    if (keysize < 0)
+	return NULL;
+
+    cinfo = SEC_PKCS7CreateEnvelopedData (scert, certUsageEmailRecipient,
+					  certdb, encalg, keysize,
+					  pwfn, pwfn_arg);
+    if (cinfo == NULL)
+	return NULL;
+
+    for (rci = 0; rcerts[rci] != NULL; rci++) {
+	if (rcerts[rci] == scert)
+	    continue;
+	if (SEC_PKCS7AddRecipient (cinfo, rcerts[rci], certUsageEmailRecipient,
+				   NULL) != SECSuccess) {
+	    SEC_PKCS7DestroyContentInfo (cinfo);
+	    return NULL;
+	}
+    }
+
+    return cinfo;
+}
+
+
+static smime_capability **smime_capabilities;
+static SECItem *smime_encoded_caps;
+static PRBool lastUsedFortezza;
+
+
+static SECStatus
+smime_init_caps (PRBool isFortezza)
+{
+    smime_capability *cap;
+    smime_cipher_map *map;
+    SECOidData *oiddata;
+    SECStatus rv;
+    int i, capIndex;
+
+    if (smime_encoded_caps != NULL 
+	&& (! smime_prefs_changed) 
+	&& lastUsedFortezza == isFortezza)
+	return SECSuccess;
+
+    if (smime_encoded_caps != NULL) {
+	SECITEM_FreeItem (smime_encoded_caps, PR_TRUE);
+	smime_encoded_caps = NULL;
+    }
+
+    if (smime_capabilities == NULL) {
+	smime_capabilities = (smime_capability**)PORT_ZAlloc (
+					  (smime_symmetric_count + 1)
+					  * sizeof(smime_capability *));
+	if (smime_capabilities == NULL)
+	    return SECFailure;
+    }
+
+    rv = SECFailure;
+
+    /* 
+       The process of creating the encoded PKCS7 cipher capability list
+       involves two basic steps: 
+
+       (a) Convert our internal representation of cipher preferences 
+           (smime_prefs) into an array containing cipher OIDs and 
+	   parameter data (smime_capabilities). This step is
+	   performed here.
+
+       (b) Encode, using ASN.1, the cipher information in 
+           smime_capabilities, leaving the encoded result in 
+	   smime_encoded_caps.
+
+       (In the process of performing (a), Lisa put in some optimizations
+       which allow us to avoid needlessly re-populating elements in 
+       smime_capabilities as we walk through smime_prefs.)
+
+       We want to use separate loop variables for smime_prefs and
+       smime_capabilities because in the case where the Skipjack cipher 
+       is turned on in the prefs, but where we don't want to include 
+       Skipjack in the encoded capabilities (presumably due to using a 
+       non-fortezza cert when sending a message), we want to avoid creating
+       an empty element in smime_capabilities. This would otherwise cause 
+       the encoding step to produce an empty set, since Skipjack happens 
+       to be the first cipher in smime_prefs, if it is turned on.
+    */
+    for (i = 0, capIndex = 0; i < smime_current_pref_index; i++, capIndex++) {
+	int mapi;
+
+	/* Get the next cipher preference in smime_prefs. */
+	mapi = smime_mapi_by_cipher (smime_prefs[i]);
+	if (mapi < 0)
+	    break;
+
+	/* Find the corresponding entry in the cipher map. */
+	PORT_Assert (mapi < smime_symmetric_count);
+	map = &(smime_cipher_maps[mapi]);
+
+	/* If we're using a non-Fortezza cert, only advertise non-Fortezza
+	   capabilities. (We advertise all capabilities if we have a 
+	   Fortezza cert.) */
+	if ((!isFortezza) && (map->cipher == SMIME_FORTEZZA))
+	{
+	    capIndex--; /* we want to visit the same caps index entry next time */
+	    continue;
+	}
+
+	/*
+	 * Convert the next preference found in smime_prefs into an
+	 * smime_capability.
+	 */
+
+	cap = smime_capabilities[capIndex];
+	if (cap == NULL) {
+	    cap = (smime_capability*)PORT_ZAlloc (sizeof(smime_capability));
+	    if (cap == NULL)
+		break;
+	    smime_capabilities[capIndex] = cap;
+	} else if (cap->cipher == smime_prefs[i]) {
+	    continue;		/* no change to this one */
+	}
+
+	cap->capIDTag = map->algtag;
+	oiddata = SECOID_FindOIDByTag (map->algtag);
+	if (oiddata == NULL)
+	    break;
+
+	if (cap->capabilityID.data != NULL) {
+	    SECITEM_FreeItem (&(cap->capabilityID), PR_FALSE);
+	    cap->capabilityID.data = NULL;
+	    cap->capabilityID.len = 0;
+	}
+
+	rv = SECITEM_CopyItem (NULL, &(cap->capabilityID), &(oiddata->oid));
+	if (rv != SECSuccess)
+	    break;
+
+	if (map->parms == NULL) {
+	    cap->parameters.data = NULL;
+	    cap->parameters.len = 0;
+	} else {
+	    cap->parameters.data = map->parms->data;
+	    cap->parameters.len = map->parms->len;
+	}
+
+	cap->cipher = smime_prefs[i];
+    }
+
+    if (i != smime_current_pref_index)
+	return rv;
+
+    while (capIndex < smime_symmetric_count) {
+	cap = smime_capabilities[capIndex];
+	if (cap != NULL) {
+	    SECITEM_FreeItem (&(cap->capabilityID), PR_FALSE);
+	    PORT_Free (cap);
+	}
+	smime_capabilities[capIndex] = NULL;
+	capIndex++;
+    }
+    smime_capabilities[capIndex] = NULL;
+
+    smime_encoded_caps = SEC_ASN1EncodeItem (NULL, NULL, &smime_capabilities,
+					     smime_capabilities_template);
+    if (smime_encoded_caps == NULL)
+	return SECFailure;
+
+    lastUsedFortezza = isFortezza;
+
+    return SECSuccess;
+}
+
+
+static SECStatus
+smime_add_profile (CERTCertificate *cert, SEC_PKCS7ContentInfo *cinfo)
+{
+    PRBool isFortezza = PR_FALSE;
+
+    PORT_Assert (smime_prefs_complete);
+    if (! smime_prefs_complete)
+	return SECFailure;
+
+    /* See if the sender's cert specifies Fortezza key exchange. */
+    if (cert != NULL)
+	isFortezza = PK11_FortezzaHasKEA(cert);
+
+    /* For that matter, if capabilities haven't been initialized yet,
+       do so now. */
+    if (isFortezza != lastUsedFortezza || smime_encoded_caps == NULL || smime_prefs_changed) {
+	SECStatus rv;
+
+	rv = smime_init_caps(isFortezza);
+	if (rv != SECSuccess)
+	    return rv;
+
+	PORT_Assert (smime_encoded_caps != NULL);
+    }
+
+    return SEC_PKCS7AddSignedAttribute (cinfo, SEC_OID_PKCS9_SMIME_CAPABILITIES,
+					smime_encoded_caps);
+}
+
+
+/*
+ * Start an S/MIME signing context.
+ *
+ * "scert" is the cert that will be used to sign the data.  It will be
+ * checked for validity.
+ *
+ * "ecert" is the signer's encryption cert.  If it is different from
+ * scert, then it will be included in the signed message so that the
+ * recipient can save it for future encryptions.
+ *
+ * "certdb" is the cert database to use for verifying the cert.
+ * It can be NULL if a default database is available (like in the client).
+ * 
+ * "digestalg" names the digest algorithm (e.g. SEC_OID_SHA1).
+ * XXX There should be SECMIME functions for hashing, or the hashing should
+ * be built into this interface, which we would like because we would
+ * support more smartcards that way, and then this argument should go away.)
+ *
+ * "digest" is the actual digest of the data.  It must be provided in
+ * the case of detached data or NULL if the content will be included.
+ *
+ * This function already does all of the stuff specific to S/MIME protocol
+ * and local policy; the return value just needs to be passed to
+ * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
+ * and finally to SEC_PKCS7DestroyContentInfo().
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+
+SEC_PKCS7ContentInfo *
+SECMIME_CreateSigned (CERTCertificate *scert,
+		      CERTCertificate *ecert,
+		      CERTCertDBHandle *certdb,
+		      SECOidTag digestalg,
+		      SECItem *digest,
+		      SECKEYGetPasswordKey pwfn,
+		      void *pwfn_arg)
+{
+    SEC_PKCS7ContentInfo *cinfo;
+    SECStatus rv;
+
+    /* See note in header comment above about digestalg. */
+    PORT_Assert (digestalg == SEC_OID_SHA1);
+
+    cinfo = SEC_PKCS7CreateSignedData (scert, certUsageEmailSigner,
+				       certdb, digestalg, digest,
+				       pwfn, pwfn_arg);
+    if (cinfo == NULL)
+	return NULL;
+
+    if (SEC_PKCS7IncludeCertChain (cinfo, NULL) != SECSuccess) {
+	SEC_PKCS7DestroyContentInfo (cinfo);
+	return NULL;
+    }
+
+    /* if the encryption cert and the signing cert differ, then include
+     * the encryption cert too.
+     */
+    /* it is ok to compare the pointers since we ref count, and the same
+     * cert will always have the same pointer
+     */
+    if ( ( ecert != NULL ) && ( ecert != scert ) ) {
+	rv = SEC_PKCS7AddCertificate(cinfo, ecert);
+	if ( rv != SECSuccess ) {
+	    SEC_PKCS7DestroyContentInfo (cinfo);
+	    return NULL;
+	}
+    }
+    /*
+     * Add the signing time.  But if it fails for some reason,
+     * may as well not give up altogether -- just assert.
+     */
+    rv = SEC_PKCS7AddSigningTime (cinfo);
+    PORT_Assert (rv == SECSuccess);
+
+    /*
+     * Add the email profile.  Again, if it fails for some reason,
+     * may as well not give up altogether -- just assert.
+     */
+    rv = smime_add_profile (ecert, cinfo);
+    PORT_Assert (rv == SECSuccess);
+
+    return cinfo;
+}
diff --git a/security/nss/lib/pkcs7/secmime.h b/security/nss/lib/pkcs7/secmime.h
new file mode 100644
index 000000000..6950e416f
--- /dev/null
+++ b/security/nss/lib/pkcs7/secmime.h
@@ -0,0 +1,192 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Header file for routines specific to S/MIME.  Keep things that are pure
+ * pkcs7 out of here; this is for S/MIME policy, S/MIME interoperability, etc.
+ *
+ * $Id$
+ */
+
+#ifndef _SECMIME_H_
+#define _SECMIME_H_ 1
+
+#include "secpkcs7.h"
+
+
+/************************************************************************/
+SEC_BEGIN_PROTOS
+
+/*
+ * Initialize the local recording of the user S/MIME cipher preferences.
+ * This function is called once for each cipher, the order being
+ * important (first call records greatest preference, and so on).
+ * When finished, it is called with a "which" of CIPHER_FAMILID_MASK.
+ * If the function is called again after that, it is assumed that
+ * the preferences are being reset, and the old preferences are
+ * discarded.
+ *
+ * XXX This is for a particular user, and right now the storage is
+ * XXX local, static.  The preference should be stored elsewhere to allow
+ * XXX for multiple uses of one library?  How does SSL handle this;
+ * XXX it has something similar?
+ *
+ *  - The "which" values are defined in ciferfam.h (the SMIME_* values,
+ *    for example SMIME_DES_CBC_56).
+ *  - If "on" is non-zero then the named cipher is enabled, otherwise
+ *    it is disabled.  (It is not necessary to call the function for
+ *    ciphers that are disabled, however, as that is the default.)
+ *
+ * If the cipher preference is successfully recorded, SECSuccess
+ * is returned.  Otherwise SECFailure is returned.  The only errors
+ * are due to failure allocating memory or bad parameters/calls:
+ *	SEC_ERROR_XXX ("which" is not in the S/MIME cipher family)
+ *	SEC_ERROR_XXX (function is being called more times than there
+ *		are known/expected ciphers)
+ */
+extern SECStatus SECMIME_EnableCipher(long which, int on);
+
+/*
+ * Initialize the local recording of the S/MIME policy.
+ * This function is called to enable/disable a particular cipher.
+ * (S/MIME encryption or decryption using a particular cipher is only
+ * allowed if that cipher is currently enabled.)  At startup, all S/MIME
+ * ciphers are disabled.  From that point, this function can be called
+ * to enable a cipher -- it is not necessary to call this to disable
+ * a cipher unless that cipher was previously, explicitly enabled via
+ * this function.
+ *
+ * XXX This is for a the current module, I think, so local, static storage
+ * XXX is okay.  Is that correct, or could multiple uses of the same
+ * XXX library expect to operate under different policies?
+ *
+ *  - The "which" values are defined in ciferfam.h (the SMIME_* values,
+ *    for example SMIME_DES_CBC_56).
+ *  - If "on" is non-zero then the named cipher is enabled, otherwise
+ *    it is disabled.
+ *
+ * If the cipher is successfully enabled/disabled, SECSuccess is
+ * returned.  Otherwise SECFailure is returned.  The only errors
+ * are due to bad parameters:
+ *	SEC_ERROR_XXX ("which" is not in the S/MIME cipher family)
+ *	SEC_ERROR_XXX ("which" exceeds expected maximum cipher; this is
+ *		really an internal error)
+ */
+extern SECStatus SECMIME_SetPolicy(long which, int on);
+
+/*
+ * Does the current policy allow S/MIME decryption of this particular
+ * algorithm and keysize?
+ */
+extern PRBool SECMIME_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key);
+
+/*
+ * Does the current policy allow *any* S/MIME encryption (or decryption)?
+ *
+ * This tells whether or not *any* S/MIME encryption can be done,
+ * according to policy.  Callers may use this to do nicer user interface
+ * (say, greying out a checkbox so a user does not even try to encrypt
+ * a message when they are not allowed to) or for any reason they want
+ * to check whether S/MIME encryption (or decryption, for that matter)
+ * may be done.
+ *
+ * It takes no arguments.  The return value is a simple boolean:
+ *   PR_TRUE means encryption (or decryption) is *possible*
+ *	(but may still fail due to other reasons, like because we cannot
+ *	find all the necessary certs, etc.; PR_TRUE is *not* a guarantee)
+ *   PR_FALSE means encryption (or decryption) is not permitted
+ *
+ * There are no errors from this routine.
+ */
+extern PRBool SECMIME_EncryptionPossible(void);
+
+/*
+ * Start an S/MIME encrypting context.
+ *
+ * "scert" is the cert for the sender.  It will be checked for validity.
+ * "rcerts" are the certs for the recipients.  They will also be checked.
+ *
+ * "certdb" is the cert database to use for verifying the certs.
+ * It can be NULL if a default database is available (like in the client).
+ *
+ * This function already does all of the stuff specific to S/MIME protocol
+ * and local policy; the return value just needs to be passed to
+ * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
+ * and finally to SEC_PKCS7DestroyContentInfo().
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+extern SEC_PKCS7ContentInfo *SECMIME_CreateEncrypted(CERTCertificate *scert,
+						     CERTCertificate **rcerts,
+						     CERTCertDBHandle *certdb,
+						     SECKEYGetPasswordKey pwfn,
+						     void *pwfn_arg);
+
+/*
+ * Start an S/MIME signing context.
+ *
+ * "scert" is the cert that will be used to sign the data.  It will be
+ * checked for validity.
+ *
+ * "certdb" is the cert database to use for verifying the cert.
+ * It can be NULL if a default database is available (like in the client).
+ * 
+ * "digestalg" names the digest algorithm.  (It should be SEC_OID_SHA1;
+ * XXX There should be SECMIME functions for hashing, or the hashing should
+ * be built into this interface, which we would like because we would
+ * support more smartcards that way, and then this argument should go away.)
+ *
+ * "digest" is the actual digest of the data.  It must be provided in
+ * the case of detached data or NULL if the content will be included.
+ *
+ * This function already does all of the stuff specific to S/MIME protocol
+ * and local policy; the return value just needs to be passed to
+ * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
+ * and finally to SEC_PKCS7DestroyContentInfo().
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+extern SEC_PKCS7ContentInfo *SECMIME_CreateSigned(CERTCertificate *scert,
+						  CERTCertificate *ecert,
+						  CERTCertDBHandle *certdb,
+						  SECOidTag digestalg,
+						  SECItem *digest,
+						  SECKEYGetPasswordKey pwfn,
+						  void *pwfn_arg);
+
+/************************************************************************/
+SEC_END_PROTOS
+
+#endif /* _SECMIME_H_ */
diff --git a/security/nss/lib/pkcs7/secpkcs7.h b/security/nss/lib/pkcs7/secpkcs7.h
new file mode 100644
index 000000000..8c210225b
--- /dev/null
+++ b/security/nss/lib/pkcs7/secpkcs7.h
@@ -0,0 +1,616 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Interface to the PKCS7 implementation.
+ *
+ * $Id$
+ */
+
+#ifndef _SECPKCS7_H_
+#define _SECPKCS7_H_
+
+#include "seccomon.h"
+
+#include "secoidt.h"
+#include "certt.h"
+#include "keyt.h"
+#include "hasht.h"
+#include "pkcs7t.h"
+
+extern const SEC_ASN1Template sec_PKCS7ContentInfoTemplate[];
+
+/************************************************************************/
+SEC_BEGIN_PROTOS
+
+/************************************************************************
+ *	Miscellaneous
+ ************************************************************************/
+
+/*
+ * Returns the content type of the given contentInfo.
+ */
+extern SECOidTag SEC_PKCS7ContentType (SEC_PKCS7ContentInfo *cinfo);
+
+/*
+ * Destroy a PKCS7 contentInfo and all of its sub-pieces.
+ */
+extern void SEC_PKCS7DestroyContentInfo(SEC_PKCS7ContentInfo *contentInfo);
+
+/*
+ * Copy a PKCS7 contentInfo.  A Destroy is needed on *each* copy.
+ */
+extern SEC_PKCS7ContentInfo *
+SEC_PKCS7CopyContentInfo(SEC_PKCS7ContentInfo *contentInfo);
+
+/*
+ * Return a pointer to the actual content.  In the case of those types
+ * which are encrypted, this returns the *plain* content.
+ */
+extern SECItem *SEC_PKCS7GetContent(SEC_PKCS7ContentInfo *cinfo);
+
+/************************************************************************
+ *	PKCS7 Decoding, Verification, etc..
+ ************************************************************************/
+
+extern SEC_PKCS7DecoderContext *
+SEC_PKCS7DecoderStart(SEC_PKCS7DecoderContentCallback callback,
+		      void *callback_arg,
+		      SECKEYGetPasswordKey pwfn, void *pwfn_arg,
+		      SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb, 
+		      void *decrypt_key_cb_arg,
+		      SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb);
+
+extern SECStatus
+SEC_PKCS7DecoderUpdate(SEC_PKCS7DecoderContext *p7dcx,
+		       const char *buf, unsigned long len);
+
+extern SEC_PKCS7ContentInfo *
+SEC_PKCS7DecoderFinish(SEC_PKCS7DecoderContext *p7dcx);
+
+extern SEC_PKCS7ContentInfo *
+SEC_PKCS7DecodeItem(SECItem *p7item,
+		    SEC_PKCS7DecoderContentCallback cb, void *cb_arg,
+		    SECKEYGetPasswordKey pwfn, void *pwfn_arg,
+		    SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb, 
+		    void *decrypt_key_cb_arg,
+		    SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb);
+
+extern PRBool SEC_PKCS7ContainsCertsOrCrls(SEC_PKCS7ContentInfo *cinfo);
+
+/* checks to see if the contents of the content info is
+ * empty.  it so, PR_TRUE is returned.  PR_FALSE, otherwise.
+ *
+ * minLen is used to specify a minimum size.  if content size <= minLen,
+ * content is assumed empty.
+ */
+extern PRBool 
+SEC_PKCS7IsContentEmpty(SEC_PKCS7ContentInfo *cinfo, unsigned int minLen); 
+
+extern PRBool SEC_PKCS7ContentIsEncrypted(SEC_PKCS7ContentInfo *cinfo);
+
+/*
+ * If the PKCS7 content has a signature (not just *could* have a signature)
+ * return true; false otherwise.  This can/should be called before calling
+ * VerifySignature, which will always indicate failure if no signature is
+ * present, but that does not mean there even was a signature!
+ * Note that the content itself can be empty (detached content was sent
+ * another way); it is the presence of the signature that matters.
+ */
+extern PRBool SEC_PKCS7ContentIsSigned(SEC_PKCS7ContentInfo *cinfo);
+
+/*
+ * SEC_PKCS7VerifySignature
+ *	Look at a PKCS7 contentInfo and check if the signature is good.
+ *	The verification checks that the signing cert is valid and trusted
+ *	for the purpose specified by "certusage".
+ *
+ *	In addition, if "keepcerts" is true, add any new certificates found
+ *	into our local database.
+ */
+extern PRBool SEC_PKCS7VerifySignature(SEC_PKCS7ContentInfo *cinfo,
+				       SECCertUsage certusage,
+				       PRBool keepcerts);
+
+/*
+ * SEC_PKCS7VerifyDetachedSignature
+ *	Look at a PKCS7 contentInfo and check if the signature matches
+ *	a passed-in digest (calculated, supposedly, from detached contents).
+ *	The verification checks that the signing cert is valid and trusted
+ *	for the purpose specified by "certusage".
+ *
+ *	In addition, if "keepcerts" is true, add any new certificates found
+ *	into our local database.
+ */
+extern PRBool SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo,
+					       SECCertUsage certusage,
+					       SECItem *detached_digest,
+					       HASH_HashType digest_type,
+					       PRBool keepcerts);
+
+/*
+ * SEC_PKCS7GetSignerCommonName, SEC_PKCS7GetSignerEmailAddress
+ *      The passed-in contentInfo is espected to be Signed, and these
+ *      functions return the specified portion of the full signer name.
+ *
+ *      Returns a pointer to allocated memory, which must be freed.
+ *      A NULL return value is an error.
+ */
+extern char *SEC_PKCS7GetSignerCommonName(SEC_PKCS7ContentInfo *cinfo);
+extern char *SEC_PKCS7GetSignerEmailAddress(SEC_PKCS7ContentInfo *cinfo);
+
+/*
+ * Return the the signing time, in UTCTime format, of a PKCS7 contentInfo.
+ */
+extern SECItem *SEC_PKCS7GetSigningTime(SEC_PKCS7ContentInfo *cinfo);
+
+
+/************************************************************************
+ *	PKCS7 Creation and Encoding.
+ ************************************************************************/
+
+/*
+ * Start a PKCS7 signing context.
+ *
+ * "cert" is the cert that will be used to sign the data.  It will be
+ * checked for validity.
+ *
+ * "certusage" describes the signing usage (e.g. certUsageEmailSigner)
+ * XXX Maybe SECCertUsage should be split so that our caller just says
+ * "email" and *we* add the "signing" part -- otherwise our caller
+ * could be lying about the usage; we do not want to allow encryption
+ * certs for signing or vice versa.
+ *
+ * "certdb" is the cert database to use for verifying the cert.
+ * It can be NULL if a default database is available (like in the client).
+ * 
+ * "digestalg" names the digest algorithm (e.g. SEC_OID_SHA1).
+ *
+ * "digest" is the actual digest of the data.  It must be provided in
+ * the case of detached data or NULL if the content will be included.
+ *
+ * The return value can be passed to functions which add things to
+ * it like attributes, then eventually to SEC_PKCS7Encode() or to
+ * SEC_PKCS7EncoderStart() to create the encoded data, and finally to
+ * SEC_PKCS7DestroyContentInfo().
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+extern SEC_PKCS7ContentInfo *
+SEC_PKCS7CreateSignedData (CERTCertificate *cert,
+			   SECCertUsage certusage,
+			   CERTCertDBHandle *certdb,
+			   SECOidTag digestalg,
+			   SECItem *digest,
+		           SECKEYGetPasswordKey pwfn, void *pwfn_arg);
+
+/*
+ * Create a PKCS7 certs-only container.
+ *
+ * "cert" is the (first) cert that will be included.
+ *
+ * "include_chain" specifies whether the entire chain for "cert" should
+ * be included.
+ *
+ * "certdb" is the cert database to use for finding the chain.
+ * It can be NULL in when "include_chain" is false, or when meaning
+ * use the default database.
+ *
+ * More certs and chains can be added via AddCertficate and AddCertChain.
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+extern SEC_PKCS7ContentInfo *
+SEC_PKCS7CreateCertsOnly (CERTCertificate *cert,
+			  PRBool include_chain,
+			  CERTCertDBHandle *certdb);
+
+/*
+ * Start a PKCS7 enveloping context.
+ *
+ * "cert" is the cert for the recipient.  It will be checked for validity.
+ *
+ * "certusage" describes the encryption usage (e.g. certUsageEmailRecipient)
+ * XXX Maybe SECCertUsage should be split so that our caller just says
+ * "email" and *we* add the "recipient" part -- otherwise our caller
+ * could be lying about the usage; we do not want to allow encryption
+ * certs for signing or vice versa.
+ *
+ * "certdb" is the cert database to use for verifying the cert.
+ * It can be NULL if a default database is available (like in the client).
+ *
+ * "encalg" specifies the bulk encryption algorithm to use (e.g. SEC_OID_RC2).
+ *
+ * "keysize" specifies the bulk encryption key size, in bits.
+ *
+ * The return value can be passed to functions which add things to
+ * it like more recipients, then eventually to SEC_PKCS7Encode() or to
+ * SEC_PKCS7EncoderStart() to create the encoded data, and finally to
+ * SEC_PKCS7DestroyContentInfo().
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+extern SEC_PKCS7ContentInfo *
+SEC_PKCS7CreateEnvelopedData (CERTCertificate *cert,
+			      SECCertUsage certusage,
+			      CERTCertDBHandle *certdb,
+			      SECOidTag encalg,
+			      int keysize,
+		              SECKEYGetPasswordKey pwfn, void *pwfn_arg);
+
+/*
+ * XXX There will be a similar routine for creating signedAndEnvelopedData.
+ * But its parameters will be different and I have no plans to implement
+ * it any time soon because we have no current need for it.
+ */
+
+/*
+ * Create an empty PKCS7 data content info.
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+extern SEC_PKCS7ContentInfo *SEC_PKCS7CreateData (void);
+
+/*
+ * Create an empty PKCS7 encrypted content info.
+ *
+ * "algorithm" specifies the bulk encryption algorithm to use.
+ * 
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+extern SEC_PKCS7ContentInfo *
+SEC_PKCS7CreateEncryptedData (SECOidTag algorithm, int keysize,
+			      SECKEYGetPasswordKey pwfn, void *pwfn_arg);
+
+/*
+ * All of the following things return SECStatus to signal success or failure.
+ * Failure should have a more specific error status available via
+ * PORT_GetError()/XP_GetError().
+ */
+
+/*
+ * Add the specified attribute to the authenticated (i.e. signed) attributes
+ * of "cinfo" -- "oidtag" describes the attribute and "value" is the
+ * value to be associated with it.  NOTE! "value" must already be encoded;
+ * no interpretation of "oidtag" is done.  Also, it is assumed that this
+ * signedData has only one signer -- if we ever need to add attributes
+ * when there is more than one signature, we need a way to specify *which*
+ * signature should get the attribute.
+ *
+ * XXX Technically, a signed attribute can have multiple values; if/when
+ * we ever need to support an attribute which takes multiple values, we
+ * either need to change this interface or create an AddSignedAttributeValue
+ * which can be called subsequently, and would then append a value.
+ *
+ * "cinfo" should be of type signedData (the only kind of pkcs7 data
+ * that is allowed authenticated attributes); SECFailure will be returned
+ * if it is not.
+ */
+extern SECStatus SEC_PKCS7AddSignedAttribute (SEC_PKCS7ContentInfo *cinfo,
+					      SECOidTag oidtag,
+					      SECItem *value);
+
+/*
+ * Add "cert" and its entire chain to the set of certs included in "cinfo".
+ *
+ * "certdb" is the cert database to use for finding the chain.
+ * It can be NULL, meaning use the default database.
+ *
+ * "cinfo" should be of type signedData or signedAndEnvelopedData;
+ * SECFailure will be returned if it is not.
+ */
+extern SECStatus SEC_PKCS7AddCertChain (SEC_PKCS7ContentInfo *cinfo,
+					CERTCertificate *cert,
+					CERTCertDBHandle *certdb);
+
+/*
+ * Add "cert" to the set of certs included in "cinfo".
+ *
+ * "cinfo" should be of type signedData or signedAndEnvelopedData;
+ * SECFailure will be returned if it is not.
+ */
+extern SECStatus SEC_PKCS7AddCertificate (SEC_PKCS7ContentInfo *cinfo,
+					  CERTCertificate *cert);
+
+/*
+ * Add another recipient to an encrypted message.
+ *
+ * "cinfo" should be of type envelopedData or signedAndEnvelopedData;
+ * SECFailure will be returned if it is not.
+ *
+ * "cert" is the cert for the recipient.  It will be checked for validity.
+ *
+ * "certusage" describes the encryption usage (e.g. certUsageEmailRecipient)
+ * XXX Maybe SECCertUsage should be split so that our caller just says
+ * "email" and *we* add the "recipient" part -- otherwise our caller
+ * could be lying about the usage; we do not want to allow encryption
+ * certs for signing or vice versa.
+ *
+ * "certdb" is the cert database to use for verifying the cert.
+ * It can be NULL if a default database is available (like in the client).
+ */
+extern SECStatus SEC_PKCS7AddRecipient (SEC_PKCS7ContentInfo *cinfo,
+					CERTCertificate *cert,
+					SECCertUsage certusage,
+					CERTCertDBHandle *certdb);
+
+/*
+ * Add the signing time to the authenticated (i.e. signed) attributes
+ * of "cinfo".  This is expected to be included in outgoing signed
+ * messages for email (S/MIME) but is likely useful in other situations.
+ *
+ * This should only be added once; a second call will either do
+ * nothing or replace an old signing time with a newer one.
+ *
+ * XXX This will probably just shove the current time into "cinfo"
+ * but it will not actually get signed until the entire item is
+ * processed for encoding.  Is this (expected to be small) delay okay?
+ *
+ * "cinfo" should be of type signedData (the only kind of pkcs7 data
+ * that is allowed authenticated attributes); SECFailure will be returned
+ * if it is not.
+ */
+extern SECStatus SEC_PKCS7AddSigningTime (SEC_PKCS7ContentInfo *cinfo);
+
+/*
+ * Add the signer's symmetric capabilities to the authenticated
+ * (i.e. signed) attributes of "cinfo".  This is expected to be
+ * included in outgoing signed messages for email (S/MIME).
+ *
+ * This can only be added once; a second call will return SECFailure.
+ *
+ * "cinfo" should be of type signedData or signedAndEnvelopedData;
+ * SECFailure will be returned if it is not.
+ */
+extern SECStatus SEC_PKCS7AddSymmetricCapabilities(SEC_PKCS7ContentInfo *cinfo);
+
+/*
+ * Mark that the signer's certificate and its issuing chain should
+ * be included in the encoded data.  This is expected to be used
+ * in outgoing signed messages for email (S/MIME).
+ *
+ * "certdb" is the cert database to use for finding the chain.
+ * It can be NULL, meaning use the default database.
+ *
+ * "cinfo" should be of type signedData or signedAndEnvelopedData;
+ * SECFailure will be returned if it is not.
+ */
+extern SECStatus SEC_PKCS7IncludeCertChain (SEC_PKCS7ContentInfo *cinfo,
+					    CERTCertDBHandle *certdb);
+
+
+/*
+ * Set the content; it will be included and also hashed and/or encrypted
+ * as appropriate.  This is for in-memory content (expected to be "small")
+ * that will be included in the PKCS7 object.  All others should stream the
+ * content through when encoding (see SEC_PKCS7Encoder{Start,Update,Finish}).
+ *
+ * "buf" points to data of length "len"; it will be copied.
+ */
+extern SECStatus SEC_PKCS7SetContent (SEC_PKCS7ContentInfo *cinfo,
+				      const char *buf, unsigned long len);
+
+/*
+ * Encode a PKCS7 object, in one shot.  All necessary components
+ * of the object must already be specified.  Either the data has
+ * already been included (via SetContent), or the data is detached,
+ * or there is no data at all (certs-only).
+ *
+ * "cinfo" specifies the object to be encoded.
+ *
+ * "outputfn" is where the encoded bytes will be passed.
+ *
+ * "outputarg" is an opaque argument to the above callback.
+ *
+ * "bulkkey" specifies the bulk encryption key to use.   This argument
+ * can be NULL if no encryption is being done, or if the bulk key should
+ * be generated internally (usually the case for EnvelopedData but never
+ * for EncryptedData, which *must* provide a bulk encryption key).
+ *
+ * "pwfn" is a callback for getting the password which protects the
+ * private key of the signer.  This argument can be NULL if it is known
+ * that no signing is going to be done.
+ *
+ * "pwfnarg" is an opaque argument to the above callback.
+ */
+extern SECStatus SEC_PKCS7Encode (SEC_PKCS7ContentInfo *cinfo,
+				  SEC_PKCS7EncoderOutputCallback outputfn,
+				  void *outputarg,
+				  PK11SymKey *bulkkey,
+				  SECKEYGetPasswordKey pwfn,
+				  void *pwfnarg);
+
+/*
+ * Encode a PKCS7 object, in one shot.  All necessary components
+ * of the object must already be specified.  Either the data has
+ * already been included (via SetContent), or the data is detached,
+ * or there is no data at all (certs-only).  The output, rather than
+ * being passed to an output function as is done above, is all put
+ * into a SECItem.
+ *
+ * "pool" specifies a pool from which to allocate the result.
+ * It can be NULL, in which case memory is allocated generically.
+ *
+ * "dest" specifies a SECItem in which to put the result data.
+ * It can be NULL, in which case the entire item is allocated, too.
+ *
+ * "cinfo" specifies the object to be encoded.
+ *
+ * "bulkkey" specifies the bulk encryption key to use.   This argument
+ * can be NULL if no encryption is being done, or if the bulk key should
+ * be generated internally (usually the case for EnvelopedData but never
+ * for EncryptedData, which *must* provide a bulk encryption key).
+ *
+ * "pwfn" is a callback for getting the password which protects the
+ * private key of the signer.  This argument can be NULL if it is known
+ * that no signing is going to be done.
+ *
+ * "pwfnarg" is an opaque argument to the above callback.
+ */
+extern SECItem *SEC_PKCS7EncodeItem (PRArenaPool *pool,
+				     SECItem *dest,
+				     SEC_PKCS7ContentInfo *cinfo,
+				     PK11SymKey *bulkkey,
+				     SECKEYGetPasswordKey pwfn,
+				     void *pwfnarg);
+
+/*
+ * For those who want to simply point to the pkcs7 contentInfo ASN.1
+ * template, and *not* call the encoding functions directly, the
+ * following function can be used -- after it is called, the entire
+ * PKCS7 contentInfo is ready to be encoded.
+ */
+extern SECStatus SEC_PKCS7PrepareForEncode (SEC_PKCS7ContentInfo *cinfo,
+					    PK11SymKey *bulkkey,
+					    SECKEYGetPasswordKey pwfn,
+					    void *pwfnarg);
+
+/*
+ * Start the process of encoding a PKCS7 object.  The first part of
+ * the encoded object will be passed to the output function right away;
+ * after that it is expected that SEC_PKCS7EncoderUpdate will be called,
+ * streaming in the actual content that is getting included as well as
+ * signed or encrypted (or both).
+ *
+ * "cinfo" specifies the object to be encoded.
+ *
+ * "outputfn" is where the encoded bytes will be passed.
+ *
+ * "outputarg" is an opaque argument to the above callback.
+ *
+ * "bulkkey" specifies the bulk encryption key to use.   This argument
+ * can be NULL if no encryption is being done, or if the bulk key should
+ * be generated internally (usually the case for EnvelopedData but never
+ * for EncryptedData, which *must* provide a bulk encryption key).
+ *
+ * Returns an object to be passed to EncoderUpdate and EncoderFinish.
+ */
+extern SEC_PKCS7EncoderContext *
+SEC_PKCS7EncoderStart (SEC_PKCS7ContentInfo *cinfo,
+		       SEC_PKCS7EncoderOutputCallback outputfn,
+		       void *outputarg,
+		       PK11SymKey *bulkkey);
+
+/*
+ * Encode more contents, hashing and/or encrypting along the way.
+ */
+extern SECStatus SEC_PKCS7EncoderUpdate (SEC_PKCS7EncoderContext *p7ecx,
+					 const char *buf,
+					 unsigned long len);
+
+/*
+ * No more contents; finish the signature creation, if appropriate,
+ * and then the encoding.
+ *
+ * "pwfn" is a callback for getting the password which protects the
+ * signer's private key.  This argument can be NULL if it is known
+ * that no signing is going to be done.
+ *
+ * "pwfnarg" is an opaque argument to the above callback.
+ */
+extern SECStatus SEC_PKCS7EncoderFinish (SEC_PKCS7EncoderContext *p7ecx,
+					 SECKEYGetPasswordKey pwfn,
+					 void *pwfnarg);
+
+/* retrieve the algorithm ID used to encrypt the content info
+ * for encrypted and enveloped data.  The SECAlgorithmID pointer
+ * returned needs to be freed as it is a copy of the algorithm
+ * id in the content info.
+ */ 
+extern SECAlgorithmID *
+SEC_PKCS7GetEncryptionAlgorithm(SEC_PKCS7ContentInfo *cinfo); 
+
+/* the content of an encrypted data content info is encrypted.
+ * it is assumed that for encrypted data, that the data has already
+ * been set and is in the "plainContent" field of the content info.
+ *
+ * cinfo is the content info to encrypt
+ *
+ * key is the key with which to perform the encryption.  if the
+ *     algorithm is a password based encryption algorithm, the
+ *     key is actually a password which will be processed per
+ *     PKCS #5.
+ * 
+ * in the event of an error, SECFailure is returned.  SECSuccess
+ * indicates a success.
+ */
+extern SECStatus 
+SEC_PKCS7EncryptContents(PRArenaPool *poolp,
+			 SEC_PKCS7ContentInfo *cinfo, 
+			 SECItem *key,
+			 void *wincx); 
+	
+/* the content of an encrypted data content info is decrypted.
+ * it is assumed that for encrypted data, that the data has already
+ * been set and is in the "encContent" field of the content info.
+ *
+ * cinfo is the content info to decrypt
+ *
+ * key is the key with which to perform the decryption.  if the
+ *     algorithm is a password based encryption algorithm, the
+ *     key is actually a password which will be processed per
+ *     PKCS #5.
+ * 
+ * in the event of an error, SECFailure is returned.  SECSuccess
+ * indicates a success.
+ */
+extern SECStatus 
+SEC_PKCS7DecryptContents(PRArenaPool *poolp,
+			 SEC_PKCS7ContentInfo *cinfo, 
+			 SECItem *key,
+			 void *wincx); 
+
+/* retrieve the certificate list from the content info.  the list
+ * is a pointer to the list in the content info.  this should not
+ * be deleted or freed in any way short of calling 
+ * SEC_PKCS7DestroyContentInfo
+ */
+extern SECItem **
+SEC_PKCS7GetCertificateList(SEC_PKCS7ContentInfo *cinfo);
+
+/* Returns the key length (in bits) of the algorithm used to encrypt
+   this object.  Returns 0 if it's not encrypted, or the key length is
+   irrelevant. */
+extern int 
+SEC_PKCS7GetKeyLength(SEC_PKCS7ContentInfo *cinfo);
+ 
+
+/************************************************************************/
+SEC_END_PROTOS
+
+#endif /* _SECPKCS7_H_ */
diff --git a/security/nss/lib/pki/Makefile b/security/nss/lib/pki/Makefile
new file mode 100644
index 000000000..bfe27629c
--- /dev/null
+++ b/security/nss/lib/pki/Makefile
@@ -0,0 +1,44 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+ifdef PURE_STAN_BUILD
+include config.mk
+else
+include config34.mk
+endif
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+export:: private_export
diff --git a/security/nss/lib/pki/asymmkey.c b/security/nss/lib/pki/asymmkey.c
new file mode 100644
index 000000000..1ad65f051
--- /dev/null
+++ b/security/nss/lib/pki/asymmkey.c
@@ -0,0 +1,465 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef NSSPKI_H
+#include "nsspki.h"
+#endif /* NSSPKI_H */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+extern const NSSError NSS_ERROR_NOT_FOUND;
+
+NSS_IMPLEMENT PRStatus
+NSSPrivateKey_Destroy
+(
+  NSSPrivateKey *vk
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSPrivateKey_DeleteStoredObject
+(
+  NSSPrivateKey *vk,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRUint32
+NSSPrivateKey_GetSignatureLength
+(
+  NSSPrivateKey *vk
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return -1;
+}
+
+NSS_IMPLEMENT PRUint32
+NSSPrivateKey_GetPrivateModulusLength
+(
+  NSSPrivateKey *vk
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return -1;
+}
+
+NSS_IMPLEMENT PRBool
+NSSPrivateKey_IsStillPresent
+(
+  NSSPrivateKey *vk,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FALSE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSPrivateKey_Encode
+(
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *ap,
+  NSSItem *passwordOpt, /* NULL will cause a callback; "" for no password */
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSTrustDomain *
+NSSPrivateKey_GetTrustDomain
+(
+  NSSPrivateKey *vk,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSToken *
+NSSPrivateKey_GetToken
+(
+  NSSPrivateKey *vk
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSlot *
+NSSPrivateKey_GetSlot
+(
+  NSSPrivateKey *vk
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSModule *
+NSSPrivateKey_GetModule
+(
+  NSSPrivateKey *vk
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSPrivateKey_Decrypt
+(
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *encryptedData,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSPrivateKey_Sign
+(
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSPrivateKey_SignRecover
+(
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSPrivateKey_UnwrapSymmetricKey
+(
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *wrappedKey,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSPrivateKey_DeriveSymmetricKey
+(
+  NSSPrivateKey *vk,
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSOID *target,
+  PRUint32 keySizeOpt, /* zero for best allowed */
+  NSSOperations operations,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSPublicKey *
+NSSPrivateKey_FindPublicKey
+(
+  NSSPrivateKey *vk
+  /* { don't need the callback here, right? } */
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCryptoContext *
+NSSPrivateKey_CreateCryptoContext
+(
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSPrivateKey_FindCertificates
+(
+  NSSPrivateKey *vk,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSPrivateKey_FindBestCertificate
+(
+  NSSPrivateKey *vk,
+  NSSTime *timeOpt,
+  NSSUsage *usageOpt,
+  NSSPolicies *policiesOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSPublicKey_Destroy
+(
+  NSSPublicKey *bk
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSPublicKey_DeleteStoredObject
+(
+  NSSPublicKey *bk,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSPublicKey_Encode
+(
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *ap,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSTrustDomain *
+NSSPublicKey_GetTrustDomain
+(
+  NSSPublicKey *bk,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSToken *
+NSSPublicKey_GetToken
+(
+  NSSPublicKey *bk,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSlot *
+NSSPublicKey_GetSlot
+(
+  NSSPublicKey *bk,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSModule *
+NSSPublicKey_GetModule
+(
+  NSSPublicKey *bk,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSPublicKey_Encrypt
+(
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSPublicKey_Verify
+(
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSItem *signature,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSPublicKey_VerifyRecover
+(
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *signature,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSPublicKey_WrapSymmetricKey
+(
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSSymmetricKey *keyToWrap,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCryptoContext *
+NSSPublicKey_CreateCryptoContext
+(
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSPublicKey_FindCertificates
+(
+  NSSPublicKey *bk,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSPublicKey_FindBestCertificate
+(
+  NSSPublicKey *bk,
+  NSSTime *timeOpt,
+  NSSUsage *usageOpt,
+  NSSPolicies *policiesOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSPrivateKey *
+NSSPublicKey_FindPrivateKey
+(
+  NSSPublicKey *bk,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
diff --git a/security/nss/lib/pki/certdecode.c b/security/nss/lib/pki/certdecode.c
new file mode 100644
index 000000000..fbf0c1d67
--- /dev/null
+++ b/security/nss/lib/pki/certdecode.c
@@ -0,0 +1,232 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIT_H
+#include "pkit.h"
+#endif /* PKIT_H */
+
+#ifndef PKIM_H
+#include "pkim.h"
+#endif /* PKIM_H */
+
+/* XXX
+ * move this to a more appropriate location
+ */
+NSS_IMPLEMENT PRStatus
+nssPKIObject_Initialize
+(
+  struct nssPKIObjectBaseStr *object,
+  NSSArena *arena,
+  NSSTrustDomain *td,
+  NSSCryptoContext *cc
+)
+{
+    object->arena = arena;
+    object->trustDomain = td;
+    object->cryptoContext = cc;
+    object->lock = PZ_NewLock(nssILockOther);
+    if (!object->lock) {
+	return PR_FAILURE;
+    }
+    object->instanceList = nssList_Create(arena, PR_TRUE);
+    if (!object->instanceList) {
+	PZ_DestroyLock(object->lock);
+	return PR_FAILURE;
+    }
+    object->instances = nssList_CreateIterator(object->instanceList);
+    if (!object->instances) {
+	nssList_Destroy(object->instanceList);
+	PZ_DestroyLock(object->lock);
+	return PR_FAILURE;
+    }
+    object->refCount = 1;
+    return PR_SUCCESS;
+}
+
+/* XXX
+ * move this to a more appropriate location
+ */
+NSS_IMPLEMENT void
+nssPKIObject_AddRef
+(
+  struct nssPKIObjectBaseStr *object
+)
+{
+    PZ_Lock(object->lock);
+    object->refCount++;
+    PZ_Unlock(object->lock);
+}
+
+/* XXX
+ * move this to a more appropriate location
+ */
+NSS_IMPLEMENT PRBool
+nssPKIObject_Destroy
+(
+  struct nssPKIObjectBaseStr *object
+)
+{
+    PRUint32 refCount;
+    PZ_Lock(object->lock);
+    PORT_Assert(object->refCount > 0);
+    refCount = --object->refCount;
+    PZ_Unlock(object->lock);
+    if (refCount == 0) {
+	PZ_DestroyLock(object->lock);
+	nssListIterator_Destroy(object->instances);
+	nssList_Destroy(object->instanceList);
+	nssArena_Destroy(object->arena);
+	return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+#ifdef NSS_3_4_CODE
+/* This is defined in nss3hack.c */
+NSS_EXTERN nssDecodedCert *
+nssDecodedPKIXCertificate_Create
+(
+  NSSArena *arenaOpt,
+  NSSDER *encoding
+);
+
+NSS_IMPLEMENT PRStatus
+nssDecodedPKIXCertificate_Destroy
+(
+  nssDecodedCert *dc
+);
+#else /* NSS_4_0_CODE */
+/* This is where 4.0 PKIX code will handle the decoding */
+static nssDecodedCert *
+nssDecodedPKIXCertificate_Create
+(
+  NSSArena *arenaOpt,
+  NSSDER *encoding
+)
+{
+    return (nssDecodedCert *)NULL;
+}
+
+static PRStatus
+nssDecodedPKIXCertificate_Destroy
+(
+  nssDecodedCert *dc
+)
+{
+    return PR_FAILURE;
+}
+#endif /* not NSS_3_4_CODE */
+
+NSS_IMPLEMENT nssDecodedCert *
+nssDecodedCert_Create
+(
+  NSSArena *arenaOpt,
+  NSSDER *encoding,
+  NSSCertificateType type
+)
+{
+    nssDecodedCert *rvDC = NULL;
+    switch(type) {
+    case NSSCertificateType_PKIX:
+	rvDC = nssDecodedPKIXCertificate_Create(arenaOpt, encoding);
+	break;
+    default:
+#if 0
+	nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+#endif
+	return (nssDecodedCert *)NULL;
+    }
+    return rvDC;
+}
+
+NSS_IMPLEMENT PRStatus
+nssDecodedCert_Destroy
+(
+  nssDecodedCert *dc
+)
+{
+    if (!dc) {
+	return PR_FAILURE;
+    }
+    switch(dc->type) {
+    case NSSCertificateType_PKIX:
+	return nssDecodedPKIXCertificate_Destroy(dc);
+    default:
+#if 0
+	nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+#endif
+	break;
+    }
+    return PR_FAILURE;
+}
+
+/* Of course none of this belongs here */
+
+/* how bad would it be to have a static now sitting around, updated whenever
+ * this was called?  would avoid repeated allocs...
+ */
+NSS_IMPLEMENT NSSTime *
+NSSTime_Now
+(
+  NSSTime *timeOpt
+)
+{
+    return NSSTime_SetPRTime(timeOpt, PR_Now());
+}
+
+NSS_IMPLEMENT NSSTime *
+NSSTime_SetPRTime
+(
+  NSSTime *timeOpt,
+  PRTime prTime
+)
+{
+    NSSTime *rvTime;
+    rvTime = (timeOpt) ? timeOpt : nss_ZNEW(NULL, NSSTime);
+    rvTime->prTime = prTime;
+    return rvTime;
+}
+
+NSS_IMPLEMENT PRTime
+NSSTime_GetPRTime
+(
+  NSSTime *time
+)
+{
+  return time->prTime;
+}
+
diff --git a/security/nss/lib/pki/certificate.c b/security/nss/lib/pki/certificate.c
new file mode 100644
index 000000000..f9dc9a7e3
--- /dev/null
+++ b/security/nss/lib/pki/certificate.c
@@ -0,0 +1,945 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef NSSPKI_H
+#include "nsspki.h"
+#endif /* NSSPKI_H */
+
+#ifndef PKIT_H
+#include "pkit.h"
+#endif /* PKIT_H */
+
+#ifndef PKIM_H
+#include "pkim.h"
+#endif /* PKIM_H */
+
+#ifndef DEV_H
+#include "dev.h"
+#endif /* DEV_H */
+
+#ifdef NSS_3_4_CODE
+#include "pki3hack.h"
+#endif
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+extern const NSSError NSS_ERROR_NOT_FOUND;
+
+NSS_IMPLEMENT NSSCertificate *
+nssCertificate_AddRef
+(
+  NSSCertificate *c
+)
+{
+    if (c) {
+	nssPKIObject_AddRef(&c->object);
+    }
+    return c;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCertificate_Destroy
+(
+  NSSCertificate *c
+)
+{
+    PRBool destroyed;
+    if (c) {
+	nssDecodedCert *dc = c->decoding;
+	destroyed = nssPKIObject_Destroy(&c->object);
+	if (destroyed) {
+	    if (dc) {
+		nssDecodedCert_Destroy(dc);
+	    }
+	}
+    }
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT NSSUTF8 *
+NSSCertificate_GetNickname
+(
+  NSSCertificate *c,
+  NSSToken *tokenOpt
+)
+{
+    NSSUTF8 *rvNick = NULL;
+    nssCryptokiInstance *instance;
+    nssListIterator *instances = c->object.instances;
+    if (c->object.cryptoContext) {
+	return c->object.tempName;
+    }
+    for (instance  = (nssCryptokiInstance *)nssListIterator_Start(instances);
+         instance != (nssCryptokiInstance *)NULL;
+         instance  = (nssCryptokiInstance *)nssListIterator_Next(instances)) 
+    {
+	if (tokenOpt) {
+	    if (instance->token == tokenOpt) {
+		/* take the nickname on the given token */
+		rvNick = instance->label;
+		break;
+	    }
+	} else {
+	    /* take the first one */
+	    rvNick = instance->label;
+	    break;
+	}
+    }
+    nssListIterator_Finish(instances);
+    return rvNick;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCertificate_DeleteStoredObject
+(
+  NSSCertificate *c,
+  NSSCallback *uhh
+)
+{
+    /* this needs more thought on what will happen when there are multiple
+     * instances
+     */
+    /* XXX use callback to log in if neccessary */
+    PRStatus nssrv = PR_SUCCESS;
+    nssCryptokiInstance *instance;
+    nssListIterator *instances = c->object.instances;
+    for (instance  = (nssCryptokiInstance *)nssListIterator_Start(instances);
+         instance != (nssCryptokiInstance *)NULL;
+         instance  = (nssCryptokiInstance *)nssListIterator_Next(instances)) 
+    {
+	/* XXX this should be fixed to understand read-only tokens, for
+	 * now, to handle the builtins, just make the attempt.
+	 */
+	nssrv = nssToken_DeleteStoredObject(instance);
+	if (nssrv == PR_SUCCESS) {
+	    nssList_Remove(c->object.instanceList, instance);
+#ifdef NSS_3_4_CODE
+	    if (instance->token->certList) {
+		/* If the cert has been cached locally on the token, remove
+		 * that reference
+		 */
+		nssList_Remove(instance->token->certList, c);
+		NSSCertificate_Destroy(c);
+	    }
+#endif
+	}
+    }
+    nssListIterator_Finish(instances);
+    c->object.instances = nssList_CreateIterator(c->object.instanceList);
+    nssListIterator_Destroy(instances);
+    /* XXX for now, always success */
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCertificate_Validate
+(
+  NSSCertificate *c,
+  NSSTime *timeOpt, /* NULL for "now" */
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt /* NULL for none */
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT void ** /* void *[] */
+NSSCertificate_ValidateCompletely
+(
+  NSSCertificate *c,
+  NSSTime *timeOpt, /* NULL for "now" */
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt, /* NULL for none */
+  void **rvOpt, /* NULL for allocate */
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt /* NULL for heap */
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCertificate_ValidateAndDiscoverUsagesAndPolicies
+(
+  NSSCertificate *c,
+  NSSTime **notBeforeOutOpt,
+  NSSTime **notAfterOutOpt,
+  void *allowedUsages,
+  void *disallowedUsages,
+  void *allowedPolicies,
+  void *disallowedPolicies,
+  /* more args.. work on this fgmr */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSDER *
+NSSCertificate_Encode
+(
+  NSSCertificate *c,
+  NSSDER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    /* Item, DER, BER are all typedefs now... */
+    return nssItem_Duplicate((NSSItem *)&c->encoding, arenaOpt, rvOpt);
+}
+
+NSS_IMPLEMENT nssDecodedCert *
+nssCertificate_GetDecoding
+(
+  NSSCertificate *c
+)
+{
+    if (!c->decoding) {
+	c->decoding = nssDecodedCert_Create(NULL, &c->encoding, c->type);
+    }
+    return c->decoding;
+}
+
+static void
+nssCertificateArray_Destroy
+(
+  NSSCertificate **certArray
+)
+{
+    NSSCertificate **ci;
+    ci = certArray;
+    while (ci && *ci) {
+	NSSCertificate_Destroy(*ci);
+	ci++;
+    }
+    nss_ZFreeIf(certArray);
+}
+
+static NSSCertificate *
+filter_subject_certs_for_id(NSSCertificate **subjectCerts, NSSItem *id)
+{
+    NSSCertificate **si;
+    NSSCertificate *rvCert = NULL;
+    nssDecodedCert *dcp;
+    /* walk the subject certs */
+    si = subjectCerts;
+    while (*si) {
+	dcp = nssCertificate_GetDecoding(*si);
+	if (dcp->matchIdentifier(dcp, id)) {
+	    /* this cert has the correct identifier */
+	    rvCert = nssCertificate_AddRef(*si);
+	    break;
+	}
+	si++;
+    }
+    return rvCert;
+}
+
+static NSSCertificate *
+find_issuer_cert_for_identifier(NSSCertificate *c, NSSItem *id)
+{
+    NSSCertificate *rvCert = NULL;
+    NSSCertificate **subjectCerts = NULL;
+    NSSTrustDomain *td;
+    NSSCryptoContext *cc;
+    /* Find all certs with this cert's issuer as the subject */
+    cc = c->object.cryptoContext; /* NSSCertificate_GetCryptoContext(c); */
+    if (cc) {
+	subjectCerts = NSSCryptoContext_FindCertificatesBySubject(cc,
+	                                                          &c->issuer,
+	                                                          NULL,
+	                                                          0,
+	                                                          NULL);
+	if (subjectCerts) {
+	    rvCert = filter_subject_certs_for_id(subjectCerts, id);
+	    nssCertificateArray_Destroy(subjectCerts);
+	}
+    }
+    if (!rvCert) {
+	/* The general behavior of NSS <3.4 seems to be that if the search
+	 * turns up empty in the temp db, fall back to the perm db,
+	 * irregardless of whether or not the cert itself is perm or temp.
+	 * This is replicated here.
+	 */
+	td = NSSCertificate_GetTrustDomain(c);
+	subjectCerts = NSSTrustDomain_FindCertificatesBySubject(td,
+	                                                        &c->issuer,
+	                                                        NULL,
+	                                                        0,
+	                                                        NULL);
+	if (subjectCerts) {
+	    rvCert = filter_subject_certs_for_id(subjectCerts, id);
+	    nssCertificateArray_Destroy(subjectCerts);
+	}
+    }
+    return rvCert;
+}
+
+/* XXX review based on CERT_FindCertIssuer
+ * this function is not using the authCertIssuer field as a fallback
+ * if authority key id does not exist
+ */
+NSS_IMPLEMENT NSSCertificate **
+NSSCertificate_BuildChain
+(
+  NSSCertificate *c,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt,
+  PRStatus *statusOpt
+)
+{
+    PRStatus nssrv;
+    nssList *chain;
+    NSSItem *issuerID;
+    NSSCertificate **rvChain;
+    NSSTrustDomain *td;
+    NSSCryptoContext *cc;
+    nssDecodedCert *dc;
+    NSSCertificate *ct, *cp;
+    cc = c->object.cryptoContext; /* NSSCertificate_GetCryptoContext(c); */
+    td = NSSCertificate_GetTrustDomain(c);
+#ifdef NSS_3_4_CODE
+    if (!td) {
+	td = STAN_GetDefaultTrustDomain();
+    }
+#endif
+    chain = nssList_Create(NULL, PR_FALSE);
+    nssList_Add(chain, nssCertificate_AddRef(c));
+    if (statusOpt) *statusOpt = PR_SUCCESS;
+    if (rvLimit == 1) goto finish;
+    while (!nssItem_Equal(&c->subject, &c->issuer, &nssrv)) {
+	dc = nssCertificate_GetDecoding(c);
+	issuerID = dc->getIssuerIdentifier(dc);
+	if (issuerID) {
+	    c = find_issuer_cert_for_identifier(c, issuerID);
+	    nssItem_Destroy(issuerID);
+	    issuerID = NULL;
+	    if (!c) {
+		nss_SetError(NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND);
+		if (statusOpt) *statusOpt = PR_FAILURE;
+		goto finish;
+	    }
+	} else {
+	    nssBestCertificateCB best;
+	    NSSDER *issuer = &c->issuer;
+#ifdef NSS_3_4_CODE
+	    PRBool tmpca = usage->nss3lookingForCA;
+	    usage->nss3lookingForCA = PR_TRUE;
+#endif
+	    c = ct = cp = NULL;
+	    if (cc) {
+		ct = NSSCryptoContext_FindBestCertificateBySubject(cc,
+		                                                   issuer,
+		                                                   timeOpt,
+		                                                   usage,
+		                                                   policiesOpt);
+		/* Mimic functionality from CERT_FindCertIssuer.  If a matching
+		 * cert (based on trust & usage) cannot be found, just take the
+		 * newest cert with the correct subject.
+		 */
+		if (!ct && !usage->anyUsage) {
+		    usage->anyUsage = PR_TRUE;
+		    ct = NSSCryptoContext_FindBestCertificateBySubject(cc,
+		                                                  issuer,
+		                                                  timeOpt,
+		                                                  usage,
+		                                                  policiesOpt);
+		    usage->anyUsage = PR_FALSE;
+		}
+	    }
+	    cp = NSSTrustDomain_FindBestCertificateBySubject(td,
+	                                                     issuer,
+	                                                     timeOpt,
+	                                                     usage,
+	                                                     policiesOpt);
+	    /* Mimic functionality from CERT_FindCertIssuer.  If a matching
+	     * cert (based on trust & usage) cannot be found, just take the
+	     * newest cert with the correct subject.
+	     */
+	    if (!cp && !usage->anyUsage) {
+		usage->anyUsage = PR_TRUE;
+		cp = NSSTrustDomain_FindBestCertificateBySubject(td,
+		                                                 issuer,
+		                                                 timeOpt,
+		                                                 usage,
+		                                                 policiesOpt);
+		usage->anyUsage = PR_FALSE;
+	    }
+	    nssBestCertificate_SetArgs(&best, timeOpt, usage, policiesOpt);
+	    /* Take the better of the best temp and best perm cert, according
+	     * to the given usage
+	     */
+	    if (ct) {
+		nssBestCertificate_Callback(ct, (void *)&best);
+	    }
+	    if (cp) {
+		nssBestCertificate_Callback(cp, (void *)&best);
+	    }
+	    if (!best.cert) {
+		best.usage->anyUsage = PR_TRUE;
+		/* Take the newest of the best temp and best perm cert */
+		if (ct) {
+		    nssBestCertificate_Callback(ct, (void *)&best);
+		}
+		if (cp) {
+		    nssBestCertificate_Callback(cp, (void *)&best);
+		}
+	    }
+	    if (ct) NSSCertificate_Destroy(ct);
+	    if (cp) NSSCertificate_Destroy(cp);
+	    c = best.cert;
+#ifdef NSS_3_4_CODE
+	    usage->nss3lookingForCA = tmpca;
+#endif
+	    if (!c) {
+		nss_SetError(NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND);
+		if (statusOpt) *statusOpt = PR_FAILURE;
+		goto finish;
+	    }
+	}
+	nssList_Add(chain, c);
+	if (nssList_Count(chain) == rvLimit) goto finish;
+    }
+finish:
+    if (rvOpt) {
+	rvChain = rvOpt;
+    } else {
+	rvLimit = nssList_Count(chain);
+	rvChain = nss_ZNEWARRAY(arenaOpt, NSSCertificate *, rvLimit + 1);
+    }
+    nssList_GetArray(chain, (void **)rvChain, rvLimit);
+    nssList_Destroy(chain);
+    /* XXX now, the question is, cache all certs in the chain? */
+    return rvChain;
+}
+
+NSS_IMPLEMENT NSSTrustDomain *
+NSSCertificate_GetTrustDomain
+(
+  NSSCertificate *c
+)
+{
+    return c->object.trustDomain;
+}
+
+NSS_IMPLEMENT NSSToken *
+NSSCertificate_GetToken
+(
+  NSSCertificate *c,
+  PRStatus *statusOpt
+)
+{
+    return (NSSToken *)NULL;
+}
+
+NSS_IMPLEMENT NSSSlot *
+NSSCertificate_GetSlot
+(
+  NSSCertificate *c,
+  PRStatus *statusOpt
+)
+{
+    return (NSSSlot *)NULL;
+}
+
+NSS_IMPLEMENT NSSModule *
+NSSCertificate_GetModule
+(
+  NSSCertificate *c,
+  PRStatus *statusOpt
+)
+{
+    return (NSSModule *)NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCertificate_Encrypt
+(
+  NSSCertificate *c,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCertificate_Verify
+(
+  NSSCertificate *c,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSItem *signature,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCertificate_VerifyRecover
+(
+  NSSCertificate *c,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *signature,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCertificate_WrapSymmetricKey
+(
+  NSSCertificate *c,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSSymmetricKey *keyToWrap,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCryptoContext *
+NSSCertificate_CreateCryptoContext
+(
+  NSSCertificate *c,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh  
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSPublicKey *
+NSSCertificate_GetPublicKey
+(
+  NSSCertificate *c
+)
+{
+#if 0
+    CK_ATTRIBUTE pubktemplate[] = {
+	{ CKA_CLASS,   NULL, 0 },
+	{ CKA_ID,      NULL, 0 },
+	{ CKA_SUBJECT, NULL, 0 }
+    };
+    PRStatus nssrv;
+    CK_ULONG count = sizeof(pubktemplate) / sizeof(pubktemplate[0]);
+    NSS_CK_SET_ATTRIBUTE_ITEM(pubktemplate, 0, &g_ck_class_pubkey);
+    if (c->id.size > 0) {
+	/* CKA_ID */
+	NSS_CK_ITEM_TO_ATTRIBUTE(&c->id, &pubktemplate[1]);
+    } else {
+	/* failure, yes? */
+	return (NSSPublicKey *)NULL;
+    }
+    if (c->subject.size > 0) {
+	/* CKA_SUBJECT */
+	NSS_CK_ITEM_TO_ATTRIBUTE(&c->subject, &pubktemplate[2]);
+    } else {
+	/* failure, yes? */
+	return (NSSPublicKey *)NULL;
+    }
+    /* Try the cert's token first */
+    if (c->token) {
+	nssrv = nssToken_FindObjectByTemplate(c->token, pubktemplate, count);
+    }
+#endif
+    /* Try all other key tokens */
+    return (NSSPublicKey *)NULL;
+}
+
+NSS_IMPLEMENT NSSPrivateKey *
+NSSCertificate_FindPrivateKey
+(
+  NSSCertificate *c,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRBool
+NSSCertificate_IsPrivateKeyAvailable
+(
+  NSSCertificate *c,
+  NSSCallback *uhh,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FALSE;
+}
+
+NSS_IMPLEMENT PRBool
+NSSUserCertificate_IsStillPresent
+(
+  NSSUserCertificate *uc,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FALSE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSUserCertificate_Decrypt
+(
+  NSSUserCertificate *uc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSUserCertificate_Sign
+(
+  NSSUserCertificate *uc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSUserCertificate_SignRecover
+(
+  NSSUserCertificate *uc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSUserCertificate_UnwrapSymmetricKey
+(
+  NSSUserCertificate *uc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *wrappedKey,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSUserCertificate_DeriveSymmetricKey
+(
+  NSSUserCertificate *uc, /* provides private key */
+  NSSCertificate *c, /* provides public key */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSOID *target,
+  PRUint32 keySizeOpt, /* zero for best allowed */
+  NSSOperations operations,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT void 
+nssBestCertificate_SetArgs
+(
+  nssBestCertificateCB *best,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policies
+)
+{
+    if (timeOpt) {
+	best->time = timeOpt;
+    } else {
+	NSSTime_Now(&best->sTime);
+	best->time = &best->sTime;
+    }
+    best->usage = usage;
+    best->policies = policies;
+    best->cert = NULL;
+}
+
+NSS_IMPLEMENT PRStatus 
+nssBestCertificate_Callback
+(
+  NSSCertificate *c, 
+  void *arg
+)
+{
+    nssBestCertificateCB *best = (nssBestCertificateCB *)arg;
+    nssDecodedCert *dc, *bestdc;
+    dc = nssCertificate_GetDecoding(c);
+    if (!best->cert) {
+	/* usage */
+	if (best->usage->anyUsage) {
+	    best->cert = nssCertificate_AddRef(c);
+	} else {
+#ifdef NSS_3_4_CODE
+	    /* For this to work in NSS 3.4, we have to go out and fill in
+	     * all of the CERTCertificate fields.  Why?  Because the
+	     * matchUsage function calls CERT_IsCACert, which needs to know
+	     * what the trust values are for the cert.
+	     * Ignore the returned pointer, the refcount is in c anyway.
+	     */
+	    (void)STAN_GetCERTCertificate(c);
+#endif
+	    if (dc->matchUsage(dc, best->usage)) {
+		best->cert = nssCertificate_AddRef(c);
+	    }
+	}
+	return PR_SUCCESS;
+    }
+    bestdc = nssCertificate_GetDecoding(best->cert);
+    /* time */
+    if (bestdc->isValidAtTime(bestdc, best->time)) {
+	/* The current best cert is valid at time */
+	if (!dc->isValidAtTime(dc, best->time)) {
+	    /* If the new cert isn't valid at time, it's not better */
+	    return PR_SUCCESS;
+	}
+    } else {
+	/* The current best cert is not valid at time */
+	if (dc->isValidAtTime(dc, best->time)) {
+	    /* If the new cert is valid at time, it's better */
+	    NSSCertificate_Destroy(best->cert);
+	    best->cert = nssCertificate_AddRef(c);
+	    return PR_SUCCESS;
+	}
+    }
+    /* either they are both valid at time, or neither valid; take the newer */
+    /* XXX later -- defer to policies */
+    if (!bestdc->isNewerThan(bestdc, dc)) {
+	NSSCertificate_Destroy(best->cert);
+	best->cert = nssCertificate_AddRef(c);
+    }
+    /* policies */
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT nssSMIMEProfile *
+nssSMIMEProfile_Create
+(
+  NSSCertificate *cert,
+  NSSItem *profileTime,
+  NSSItem *profileData
+)
+{
+    PRStatus nssrv;
+    NSSArena *arena;
+    nssSMIMEProfile *rvProfile;
+    arena = nssArena_Create();
+    if (!arena) {
+	return NULL;
+    }
+    rvProfile = nss_ZNEW(arena, nssSMIMEProfile);
+    if (!rvProfile) {
+	nssArena_Destroy(arena);
+	return NULL;
+    }
+    nssrv = nssPKIObject_Initialize(&rvProfile->object, arena, NULL, NULL);
+    if (nssrv != PR_SUCCESS) {
+	goto loser;
+    }
+    rvProfile->certificate = cert;
+    rvProfile->email = nssUTF8_Duplicate(cert->email, arena);
+    rvProfile->subject = nssItem_Duplicate(&cert->subject, arena, NULL);
+    if (profileTime) {
+	rvProfile->profileTime = nssItem_Duplicate(profileTime, arena, NULL);
+    }
+    if (profileData) {
+	rvProfile->profileData = nssItem_Duplicate(profileData, arena, NULL);
+    }
+    return rvProfile;
+loser:
+    nssPKIObject_Destroy(&rvProfile->object);
+    return NULL;
+}
+
+/* execute a callback function on all members of a cert list */
+NSS_EXTERN PRStatus
+nssCertificateList_DoCallback
+(
+  nssList *certList, 
+  PRStatus (* callback)(NSSCertificate *c, void *arg),
+  void *arg
+)
+{
+    nssListIterator *certs;
+    NSSCertificate *cert;
+    PRStatus nssrv;
+    certs = nssList_CreateIterator(certList);
+    for (cert  = (NSSCertificate *)nssListIterator_Start(certs);
+         cert != (NSSCertificate *)NULL;
+         cert  = (NSSCertificate *)nssListIterator_Next(certs))
+    {
+	nssrv = (*callback)(cert, arg);
+    }
+    nssListIterator_Finish(certs);
+    nssListIterator_Destroy(certs);
+    return PR_SUCCESS;
+}
+
+static PRStatus add_ref_callback(NSSCertificate *c, void *a)
+{
+    nssCertificate_AddRef(c);
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT void
+nssCertificateList_AddReferences
+(
+  nssList *certList
+)
+{
+    (void)nssCertificateList_DoCallback(certList, add_ref_callback, NULL);
+}
+
+NSS_IMPLEMENT NSSTrust *
+nssTrust_AddRef
+(
+  NSSTrust *trust
+)
+{
+    if (trust) {
+	nssPKIObject_AddRef(&trust->object);
+    }
+    return trust;
+}
+
+NSS_IMPLEMENT PRStatus
+nssTrust_Destroy
+(
+  NSSTrust *trust
+)
+{
+    if (trust) {
+	(void)nssPKIObject_Destroy(&trust->object);
+    }
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT nssSMIMEProfile *
+nssSMIMEProfile_AddRef
+(
+  nssSMIMEProfile *profile
+)
+{
+    if (profile) {
+	nssPKIObject_AddRef(&profile->object);
+    }
+    return profile;
+}
+
+NSS_IMPLEMENT PRStatus
+nssSMIMEProfile_Destroy
+(
+  nssSMIMEProfile *profile
+)
+{
+    if (profile) {
+	(void)nssPKIObject_Destroy(&profile->object);
+    }
+    return PR_SUCCESS;
+}
+
diff --git a/security/nss/lib/pki/config.mk b/security/nss/lib/pki/config.mk
new file mode 100644
index 000000000..9614977ee
--- /dev/null
+++ b/security/nss/lib/pki/config.mk
@@ -0,0 +1,144 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+ifdef BUILD_IDG
+DEFINES += -DNSSDEBUG
+endif
+
+# can't do this in manifest.mn because OS_TARGET isn't defined there.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+# don't want the 32 in the shared library name
+SHARED_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION).dll
+IMPORT_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION).lib
+
+DLLFLAGS += -DEF:nsspki.def
+RES = $(OBJDIR)/nsspki.res
+RESNAME = nsspki.rc
+
+# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
+
+SHARED_LIBRARY_LIBS = \
+	$(DIST)/lib/nssb.lib \
+	$(DIST)/lib/nssdev.lib \
+	$(DIST)/lib/nsspki.lib \
+	$(NULL)
+
+SHARED_LIBRARY_DIRS = \
+	../base \
+	../dev \
+	$(NULL)
+
+EXTRA_LIBS += \
+	$(NULL)
+
+EXTRA_SHARED_LIBS += \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plc4.lib \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plds4.lib \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)nspr4.lib \
+	$(NULL)
+
+# $(PROGRAM) has NO explicit dependencies on $(OS_LIBS)
+#OS_LIBS += \
+#	wsock32.lib \
+#	winmm.lib \
+#	$(NULL)
+else
+
+# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
+SHARED_LIBRARY_LIBS = \
+	$(DIST)/lib/libnssb.$(LIB_SUFFIX) \
+	$(DIST)/lib/libnssdev.$(LIB_SUFFIX) \
+	$(DIST)/lib/libnsspki.$(LIB_SUFFIX) \
+	$(NULL)
+
+EXTRA_LIBS += \
+	$(NULL)
+
+SHARED_LIBRARY_DIRS = \
+	../base \
+	../dev \
+	$(NULL)
+
+# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
+# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib/ \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+endif
+
+ifeq ($(OS_TARGET),SunOS)
+MAPFILE = $(OBJDIR)/nsspkimap.sun
+ALL_TRASH += $(MAPFILE)
+MKSHLIB += -M $(MAPFILE)
+ifndef USE_64
+ifeq ($(CPU_ARCH),sparc)
+# The -R '$ORIGIN' linker option instructs libnss3.so to search for its
+# dependencies (libfreebl_*.so) in the same directory where it resides.
+MKSHLIB += -R '$$ORIGIN'
+endif
+endif
+endif
+
+ifeq ($(OS_TARGET),AIX)
+MAPFILE = $(OBJDIR)/nsspkimap.aix
+ALL_TRASH += $(MAPFILE)
+EXPORT_RULES = -bexport:$(MAPFILE)
+endif
+
+ifeq ($(OS_TARGET),HP-UX)
+MAPFILE = $(OBJDIR)/nsspkimap.hp
+ALL_TRASH += $(MAPFILE)
+MKSHLIB += -c $(MAPFILE)
+endif
+
+ifeq ($(OS_TARGET), OSF1)
+MAPFILE = $(OBJDIR)/nsspkimap.osf
+ALL_TRASH += $(MAPFILE)
+MKSHLIB += -hidden -input $(MAPFILE)
+endif
+
+ifeq ($(OS_TARGET),Linux)
+MAPFILE = $(OBJDIR)/nsspkimap.linux
+ALL_TRASH += $(MAPFILE)
+MKSHLIB += -Wl,--version-script,$(MAPFILE)
+endif
+
+
+	
+
diff --git a/security/nss/lib/pki/config34.mk b/security/nss/lib/pki/config34.mk
new file mode 100644
index 000000000..4a9ed7dda
--- /dev/null
+++ b/security/nss/lib/pki/config34.mk
@@ -0,0 +1,48 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+ifdef BUILD_IDG
+DEFINES += -DNSSDEBUG
+endif
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/pki/cryptocontext.c b/security/nss/lib/pki/cryptocontext.c
new file mode 100644
index 000000000..f713bcb10
--- /dev/null
+++ b/security/nss/lib/pki/cryptocontext.c
@@ -0,0 +1,1140 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef NSSPKI_H
+#include "nsspki.h"
+#endif /* NSSPKI_H */
+
+#ifndef PKIM_H
+#include "pkim.h"
+#endif /* PKIM_H */
+
+#ifndef PKIT_H
+#include "pkit.h"
+#endif /* PKIT_H */
+
+#ifndef DEV_H
+#include "dev.h"
+#endif /* DEV_H */
+
+#ifndef PKISTORE_H
+#include "pkistore.h"
+#endif /* PKISTORE_H */
+
+#ifdef NSS_3_4_CODE
+#include "pk11func.h"
+#include "dev3hack.h"
+#endif
+
+extern const NSSError NSS_ERROR_NOT_FOUND;
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_Destroy
+(
+  NSSCryptoContext *cc
+)
+{
+    if (cc->certStore) {
+	nssCertificateStore_Destroy(cc->certStore);
+    }
+    nssArena_Destroy(cc->arena);
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_SetDefaultCallback
+(
+  NSSCryptoContext *td,
+  NSSCallback *newCallback,
+  NSSCallback **oldCallbackOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSCallback *
+NSSCryptoContext_GetDefaultCallback
+(
+  NSSCryptoContext *td,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSTrustDomain *
+NSSCryptoContext_GetTrustDomain
+(
+  NSSCryptoContext *td
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_ImportCertificate
+(
+  NSSCryptoContext *cc,
+  NSSCertificate *c
+)
+{
+    PRStatus nssrv;
+    if (!cc->certStore) {
+	cc->certStore = nssCertificateStore_Create(cc->arena);
+	if (!cc->certStore) {
+	    return PR_FAILURE;
+	}
+    }
+    nssrv = nssCertificateStore_Add(cc->certStore, c);
+    if (nssrv == PR_SUCCESS) {
+	c->object.cryptoContext = cc;
+    }
+    return nssrv;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_ImportPKIXCertificate
+(
+  NSSCryptoContext *cc,
+  struct NSSPKIXCertificateStr *pc
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_ImportEncodedCertificate
+(
+  NSSCryptoContext *cc,
+  NSSBER *ber
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_ImportEncodedPKIXCertificateChain
+(
+  NSSCryptoContext *cc,
+  NSSBER *ber
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+nssCryptoContext_ImportTrust
+(
+  NSSCryptoContext *cc,
+  NSSTrust *trust
+)
+{
+    PRStatus nssrv;
+    if (!cc->certStore) {
+	cc->certStore = nssCertificateStore_Create(cc->arena);
+	if (!cc->certStore) {
+	    return PR_FAILURE;
+	}
+    }
+    nssrv = nssCertificateStore_AddTrust(cc->certStore, trust);
+    if (nssrv == PR_SUCCESS) {
+	trust->object.cryptoContext = cc;
+    }
+    return nssrv;
+}
+
+NSS_IMPLEMENT PRStatus
+nssCryptoContext_ImportSMIMEProfile
+(
+  NSSCryptoContext *cc,
+  nssSMIMEProfile *profile
+)
+{
+    PRStatus nssrv;
+    if (!cc->certStore) {
+	cc->certStore = nssCertificateStore_Create(cc->arena);
+	if (!cc->certStore) {
+	    return PR_FAILURE;
+	}
+    }
+    nssrv = nssCertificateStore_AddSMIMEProfile(cc->certStore, profile);
+    if (nssrv == PR_SUCCESS) {
+	profile->object.cryptoContext = cc;
+    }
+    return nssrv;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindBestCertificateByNickname
+(
+  NSSCryptoContext *cc,
+  NSSUTF8 *name,
+  NSSTime *timeOpt, /* NULL for "now" */
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt /* NULL for none */
+)
+{
+    PRIntn i;
+    NSSCertificate *c;
+    NSSCertificate **nickCerts;
+    nssBestCertificateCB best;
+    if (!cc->certStore) {
+	return NULL;
+    }
+    nssBestCertificate_SetArgs(&best, timeOpt, usage, policiesOpt);
+    /* This could be improved by querying the store with a callback */
+    nickCerts = nssCertificateStore_FindCertificatesByNickname(cc->certStore,
+                                                               name,
+                                                               NULL,
+                                                               0,
+                                                               NULL);
+    if (nickCerts) {
+	PRStatus nssrv;
+	for (i=0, c = *nickCerts; c != NULL; c = nickCerts[++i]) {
+	    nssrv = nssBestCertificate_Callback(c, &best);
+	    NSSCertificate_Destroy(c);
+	    if (nssrv != PR_SUCCESS) {
+		if (best.cert) {
+		    NSSCertificate_Destroy(best.cert);
+		    best.cert = NULL;
+		}
+		break;
+	    }
+	}
+	nss_ZFreeIf(nickCerts);
+    }
+    return best.cert;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSCryptoContext_FindCertificatesByNickname
+(
+  NSSCryptoContext *cc,
+  NSSUTF8 *name,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    NSSCertificate **rvCerts;
+    if (!cc->certStore) {
+	return NULL;
+    }
+    rvCerts = nssCertificateStore_FindCertificatesByNickname(cc->certStore,
+                                                             name,
+                                                             rvOpt,
+                                                             maximumOpt,
+                                                             arenaOpt);
+    return rvCerts;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindCertificateByIssuerAndSerialNumber
+(
+  NSSCryptoContext *cc,
+  NSSDER *issuer,
+  NSSDER *serialNumber
+)
+{
+    if (!cc->certStore) {
+	return NULL;
+    }
+    return nssCertificateStore_FindCertificateByIssuerAndSerialNumber(
+                                                               cc->certStore,
+                                                               issuer,
+                                                               serialNumber);
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindBestCertificateBySubject
+(
+  NSSCryptoContext *cc,
+  NSSDER *subject,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+)
+{
+    PRIntn i;
+    NSSCertificate *c;
+    NSSCertificate **subjectCerts;
+    nssBestCertificateCB best;
+    if (!cc->certStore) {
+	return NULL;
+    }
+    nssBestCertificate_SetArgs(&best, timeOpt, usage, policiesOpt);
+    subjectCerts = nssCertificateStore_FindCertificatesBySubject(cc->certStore,
+                                                                 subject,
+                                                                 NULL,
+                                                                 0,
+                                                                 NULL);
+    if (subjectCerts) {
+	PRStatus nssrv;
+	for (i=0, c = *subjectCerts; c != NULL; c = subjectCerts[++i]) {
+	    nssrv = nssBestCertificate_Callback(c, &best);
+	    NSSCertificate_Destroy(c);
+	    if (nssrv != PR_SUCCESS) {
+		if (best.cert) {
+		    NSSCertificate_Destroy(best.cert);
+		    best.cert = NULL;
+		}
+		break;
+	    }
+	}
+	nss_ZFreeIf(subjectCerts);
+    }
+    return best.cert;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSCryptoContext_FindCertificatesBySubject
+(
+  NSSCryptoContext *cc,
+  NSSDER *subject,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    NSSCertificate **rvCerts;
+    if (!cc->certStore) {
+	return NULL;
+    }
+    rvCerts = nssCertificateStore_FindCertificatesBySubject(cc->certStore,
+                                                            subject,
+                                                            rvOpt,
+                                                            maximumOpt,
+                                                            arenaOpt);
+    return rvCerts;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindBestCertificateByNameComponents
+(
+  NSSCryptoContext *cc,
+  NSSUTF8 *nameComponents,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSCryptoContext_FindCertificatesByNameComponents
+(
+  NSSCryptoContext *cc,
+  NSSUTF8 *nameComponents,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindCertificateByEncodedCertificate
+(
+  NSSCryptoContext *cc,
+  NSSBER *encodedCertificate
+)
+{
+    if (!cc->certStore) {
+	return NULL;
+    }
+    return nssCertificateStore_FindCertificateByEncodedCertificate(
+                                                           cc->certStore,
+                                                           encodedCertificate);
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindBestCertificateByEmail
+(
+  NSSCryptoContext *cc,
+  NSSASCII7 *email,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+)
+{
+    PRIntn i;
+    NSSCertificate *c;
+    NSSCertificate **emailCerts;
+    nssBestCertificateCB best;
+    if (!cc->certStore) {
+	return NULL;
+    }
+    nssBestCertificate_SetArgs(&best, timeOpt, usage, policiesOpt);
+    emailCerts = nssCertificateStore_FindCertificatesByEmail(cc->certStore,
+                                                             email,
+                                                             NULL,
+                                                             0,
+                                                             NULL);
+    if (emailCerts) {
+	PRStatus nssrv;
+	for (i=0, c = *emailCerts; c != NULL; c = emailCerts[++i]) {
+	    nssrv = nssBestCertificate_Callback(c, &best);
+	    NSSCertificate_Destroy(c);
+	    if (nssrv != PR_SUCCESS) {
+		if (best.cert) {
+		    NSSCertificate_Destroy(best.cert);
+		    best.cert = NULL;
+		}
+		break;
+	    }
+	}
+	nss_ZFreeIf(emailCerts);
+    }
+    return best.cert;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSCryptoContext_FindCertificatesByEmail
+(
+  NSSCryptoContext *cc,
+  NSSASCII7 *email,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    NSSCertificate **rvCerts;
+    if (!cc->certStore) {
+	return NULL;
+    }
+    rvCerts = nssCertificateStore_FindCertificatesByEmail(cc->certStore,
+                                                          email,
+                                                          rvOpt,
+                                                          maximumOpt,
+                                                          arenaOpt);
+    return rvCerts;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindCertificateByOCSPHash
+(
+  NSSCryptoContext *cc,
+  NSSItem *hash
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindBestUserCertificate
+(
+  NSSCryptoContext *cc,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSCryptoContext_FindUserCertificates
+(
+  NSSCryptoContext *cc,
+  NSSTime *timeOpt,
+  NSSUsage *usageOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindBestUserCertificateForSSLClientAuth
+(
+  NSSCryptoContext *cc,
+  NSSUTF8 *sslHostOpt,
+  NSSDER *rootCAsOpt[], /* null pointer for none */
+  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSCryptoContext_FindUserCertificatesForSSLClientAuth
+(
+  NSSCryptoContext *cc,
+  NSSUTF8 *sslHostOpt,
+  NSSDER *rootCAsOpt[], /* null pointer for none */
+  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindBestUserCertificateForEmailSigning
+(
+  NSSCryptoContext *cc,
+  NSSASCII7 *signerOpt,
+  NSSASCII7 *recipientOpt,
+  /* anything more here? */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSCryptoContext_FindUserCertificatesForEmailSigning
+(
+  NSSCryptoContext *cc,
+  NSSASCII7 *signerOpt, /* fgmr or a more general name? */
+  NSSASCII7 *recipientOpt,
+  /* anything more here? */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSTrust *
+nssCryptoContext_FindTrustForCertificate
+(
+  NSSCryptoContext *cc,
+  NSSCertificate *cert
+)
+{
+    if (!cc->certStore) {
+	return NULL;
+    }
+    return nssCertificateStore_FindTrustForCertificate(cc->certStore, cert);
+}
+
+NSS_IMPLEMENT nssSMIMEProfile *
+nssCryptoContext_FindSMIMEProfileForCertificate
+(
+  NSSCryptoContext *cc,
+  NSSCertificate *cert
+)
+{
+    if (!cc->certStore) {
+	return NULL;
+    }
+    return nssCertificateStore_FindSMIMEProfileForCertificate(cc->certStore, 
+                                                              cert);
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_GenerateKeyPair
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *ap,
+  NSSPrivateKey **pvkOpt,
+  NSSPublicKey **pbkOpt,
+  PRBool privateKeyIsSensitive,
+  NSSToken *destination,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSCryptoContext_GenerateSymmetricKey
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *ap,
+  PRUint32 keysize,
+  NSSToken *destination,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSCryptoContext_GenerateSymmetricKeyFromPassword
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *ap,
+  NSSUTF8 *passwordOpt, /* if null, prompt */
+  NSSToken *destinationOpt,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSCryptoContext_FindSymmetricKeyByAlgorithmAndKeyID
+(
+  NSSCryptoContext *cc,
+  NSSOID *algorithm,
+  NSSItem *keyID,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+struct token_session_str {
+    NSSToken *token;
+    nssSession *session;
+};
+
+#ifdef nodef
+static nssSession *
+get_token_session(NSSCryptoContext *cc, NSSToken *tok)
+{
+    struct token_session_str *ts;
+    for (ts  = (struct token_session_str *)nssListIterator_Start(cc->sessions);
+         ts != (struct token_session_str *)NULL;
+         ts  = (struct token_session_str *)nssListIterator_Next(cc->sessions))
+    {
+	if (ts->token == tok) { /* will this need to be more general? */
+	    break;
+	}
+    }
+    nssListIterator_Finish(cc->sessions);
+    if (!ts) {
+	/* need to create a session for this token. */
+	ts = nss_ZNEW(NULL, struct token_session_str);
+	ts->token = nssToken_AddRef(tok);
+	ts->session = nssSlot_CreateSession(tok->slot, cc->arena, PR_FALSE);
+	nssList_AddElement(cc->sessionList, (void *)ts);
+    }
+    return ts->session;
+}
+#endif
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_Decrypt
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *encryptedData,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+#if 0
+    NSSToken *tok;
+    nssSession *session;
+    NSSItem *rvData;
+    PRUint32 dataLen;
+    NSSAlgorithmAndParameters *ap;
+    CK_RV ckrv;
+    ap = (apOpt) ? apOpt : cc->defaultAlgorithm;
+    /* Get the token for this operation */
+    tok = nssTrustDomain_GetCryptoToken(cc->trustDomain, ap);
+    if (!tok) {
+	return (NSSItem *)NULL;
+    }
+    /* Get the local session for this token */
+    session = get_token_session(cc, tok);
+    /* Get the key needed to decrypt */
+    keyHandle = get_decrypt_key(cc, ap);
+    /* Set up the decrypt operation */
+    ckrv = CKAPI(tok)->C_DecryptInit(session->handle,
+                                     &ap->mechanism, keyHandle);
+    if (ckrv != CKR_OK) {
+	/* handle PKCS#11 error */
+	return (NSSItem *)NULL;
+    }
+    /* Get the length of the output buffer */
+    ckrv = CKAPI(tok)->C_Decrypt(session->handle,
+                                 (CK_BYTE_PTR)encryptedData->data,
+                                 (CK_ULONG)encryptedData->size,
+                                 (CK_BYTE_PTR)NULL,
+                                 (CK_ULONG_PTR)&dataLen);
+    if (ckrv != CKR_OK) {
+	/* handle PKCS#11 error */
+	return (NSSItem *)NULL;
+    }
+    /* Alloc return value memory */
+    rvData = nssItem_Create(NULL, NULL, dataLen, NULL);
+    if (!rvItem) {
+	return (NSSItem *)NULL;
+    }
+    /* Do the decryption */
+    ckrv = CKAPI(tok)->C_Decrypt(cc->session->handle,
+                                 (CK_BYTE_PTR)encryptedData->data,
+                                 (CK_ULONG)encryptedData->size,
+                                 (CK_BYTE_PTR)rvData->data,
+                                 (CK_ULONG_PTR)&dataLen);
+    if (ckrv != CKR_OK) {
+	/* handle PKCS#11 error */
+	nssItem_ZFreeIf(rvData);
+	return (NSSItem *)NULL;
+    }
+    return rvData;
+#endif
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_BeginDecrypt
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_ContinueDecrypt
+(
+  NSSCryptoContext *cc,
+  NSSItem *data,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_FinishDecrypt
+(
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_Sign
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_BeginSign
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_ContinueSign
+(
+  NSSCryptoContext *cc,
+  NSSItem *data
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_FinishSign
+(
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_SignRecover
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_BeginSignRecover
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_ContinueSignRecover
+(
+  NSSCryptoContext *cc,
+  NSSItem *data,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_FinishSignRecover
+(
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSCryptoContext_UnwrapSymmetricKey
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *wrappedKey,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSCryptoContext_DeriveSymmetricKey
+(
+  NSSCryptoContext *cc,
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSOID *target,
+  PRUint32 keySizeOpt, /* zero for best allowed */
+  NSSOperations operations,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_Encrypt
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_BeginEncrypt
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_ContinueEncrypt
+(
+  NSSCryptoContext *cc,
+  NSSItem *data,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_FinishEncrypt
+(
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_Verify
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSItem *signature,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_BeginVerify
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *signature,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_ContinueVerify
+(
+  NSSCryptoContext *cc,
+  NSSItem *data
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_FinishVerify
+(
+  NSSCryptoContext *cc
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_VerifyRecover
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *signature,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_BeginVerifyRecover
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_ContinueVerifyRecover
+(
+  NSSCryptoContext *cc,
+  NSSItem *data,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_FinishVerifyRecover
+(
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_WrapSymmetricKey
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSSymmetricKey *keyToWrap,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_Digest
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    return nssToken_Digest(cc->token, cc->session, apOpt, 
+                           data, rvOpt, arenaOpt);
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_BeginDigest
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+)
+{
+    return nssToken_BeginDigest(cc->token, cc->session, apOpt);
+}
+
+NSS_IMPLEMENT PRStatus
+NSSCryptoContext_ContinueDigest
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *item
+)
+{
+	/*
+    NSSAlgorithmAndParameters *ap;
+    ap = (apOpt) ? apOpt : cc->ap;
+    */
+	/* why apOpt?  can't change it at this point... */
+    return nssToken_ContinueDigest(cc->token, cc->session, item);
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSCryptoContext_FinishDigest
+(
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    return nssToken_FinishDigest(cc->token, cc->session, rvOpt, arenaOpt);
+}
+
+NSS_IMPLEMENT NSSCryptoContext *
+NSSCryptoContext_Clone
+(
+  NSSCryptoContext *cc
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
diff --git a/security/nss/lib/pki/doc/standiag.png b/security/nss/lib/pki/doc/standiag.png
new file mode 100644
index 000000000..fe1aca389
--- /dev/null
+++ b/security/nss/lib/pki/doc/standiag.png
diff --git a/security/nss/lib/pki/doc/standoc.html b/security/nss/lib/pki/doc/standoc.html
new file mode 100644
index 000000000..43eb3a3cf
--- /dev/null
+++ b/security/nss/lib/pki/doc/standoc.html
@@ -0,0 +1,471 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+<head>
+         <!-- 
+   - The contents of this file are subject to the Mozilla Public
+   - License Version 1.1 (the "License"); you may not use this file
+   - except in compliance with the License. You may obtain a copy of
+   - the License at http://www.mozilla.org/MPL/
+   - 
+   - Software distributed under the License is distributed on an "AS
+   - IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+   - implied. See the License for the specific language governing
+   - rights and limitations under the License.
+   - 
+   - The Original Code is the Netscape security libraries.
+   - 
+   - The Initial Developer of the Original Code is Netscape
+   - Communications Corporation.  Portions created by Netscape are 
+   - Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+   - Rights Reserved.
+   - 
+   - Contributor(s):
+   - 
+   - Alternatively, the contents of this file may be used under the
+   - terms of the GNU General Public License Version 2 or later (the
+   - "GPL"), in which case the provisions of the GPL are applicable 
+   - instead of those above.  If you wish to allow use of your 
+   - version of this file only under the terms of the GPL and not to
+   - allow others to use your version of this file under the MPL,
+   - indicate your decision by deleting the provisions above and
+   - replace them with the notice and other provisions required by
+   - the GPL.  If you do not delete the provisions above, a recipient
+   - may use your version of this file under either the MPL or the
+   - GPL.
+  -->
+                                                                        
+                              
+  <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
+  <title>Stan Design - Work In Progress</title>
+</head>
+  <body>
+ <br>
+               This is a working document for progress on Stan design/development.<br>
+ <br>
+        Current <a href="#build">build</a>
+       and <a href="#test">test</a>
+        instructions.<br>
+ <br>
+                      The current set of Stan libraries.<br>
+ <a href="#asn1">asn1</a>
+ <br>
+ <a href="#base">base</a>
+ <br>
+ <a href="#ckfw">ckfw</a>
+ <br>
+ <a href="#dev">dev</a>
+ <br>
+ <a href="#pki">pki</a>
+ <br>
+ <a href="#pki1">pki1</a>
+ <br>
+ <a href="#pkix">pkix</a>
+ <br>
+ <br>
+                     "Public" types below (those available to consumers of
+ NSS)   begin    with   "NSS".  &nbsp;"Protected" types (those only available
+ within   NSS)   begin   with  "nss".<br>
+ <br>
+        Open issues appears as numbered indents.<br>
+ <br>
+ <br>
+ 
+<hr width="100%" size="2" align="Left"><br>
+ 
+<h3><a name="asn1"></a>
+ <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/asn1/">
+           ASN.1</a>
+ </h3>
+                          ASN.1 encoder/decoder wrapping around the current 
+ ASN.1    implementation.<br>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSASN1EncodingType">  NSSASN1EncodingType</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1Item">nssASN1Item</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1Template">nssASN1Template</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1ChooseTemplateFunction">
+                     nssASN1ChooseTemplateFunction</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1Encoder">nssASN1Encoder</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1Decoder">nssASN1Decoder</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1EncodingPart">  nssASN1EncodingPart</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1NotifyFunction">
+       nssASN1NotifyFunction</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1EncoderWriteFunction">
+                     nssASN1EncoderWriteFunction</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssASN1DecoderFilterFunction">
+                     nssASN1DecoderFilterFunction</a>
+ <br>
+ <br>
+ 
+<hr width="100%" size="2" align="Left"> 
+<h3><a name="base"></a>
+ <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/base/">
+       Base</a>
+ </h3>
+                          Set of base utilities for Stan implementation.
+&nbsp;These       are   all   fairly straightforward, except for nssPointerTracker.<br>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSError">NSSError</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSArena">NSSArena</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSItem">NSSItem</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSBER">NSSBER</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSDER">NSSDER</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSBitString">NSSBitString</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSUTF8">NSSUTF8</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSASCII7">NSSASCII7</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssArenaMark">nssArenaMark</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssPointerTracker">nssPointerTracker</a>
+ <br>
+          This is intended for debug builds only.<br>
+ 
+<ol>
+   <li>Ignored for now.<br>
+   </li>
+ 
+</ol>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssStringType">nssStringType</a>
+ <br>
+ <br>
+          Suggested additions:<br>
+ 
+<ol>
+   <li>nssList - A list that optionally uses a lock. &nbsp;This list  would 
+   manage the currently loaded modules in a trust domain, etc.</li>
+   
+  <ul>
+     <li>SECMODListLock kept track of the number of waiting threads.  &nbsp;Will 
+  this be needed in the trust domain?</li>
+   
+  </ul>
+ 
+</ol>
+ <br>
+ 
+<hr width="100%" size="2" align="Left"> 
+<h3><a name="ckfw"></a>
+ <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/">
+  CKFW</a>
+ </h3>
+                     The cryptoki framework, used for building cryptoki tokens. 
+   &nbsp;This      needs  to be described in a separate document showing how
+   to set up a  token    using  CKFW. &nbsp;This code only relates to tokens,
+   so it is not  relevant    here.<br>
+ <br>
+ <br>
+ 
+<hr width="100%" size="2" align="Left"> 
+<h3><a name="dev"></a>
+ <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/dev/"> 
+ Device</a>
+ </h3>
+                          Defines cryptoki devices used in NSS. &nbsp;This
+ is  not   part  of the exposed API. &nbsp;It is a low-level API allowing
+NSS to manage   cryptoki  devices.<br>
+ <br>
+         The relationship is like this:<br>
+ <br>
+         libpki --&gt; libdev --&gt; cryptoki<br>
+ <br>
+         As an example,<br>
+ <br>
+         NSSTrustDomain_FindCertificate --&gt; NSSToken_FindCertificate --&gt;
+   C_FindObjects<br>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSModule">NSSModule</a>
+ <br>
+                     Replaces the SECMOD API. &nbsp;The module manages a
+PRLibrary       that   holds  a cryptoki implementation via a number of slots.
+&nbsp;The      API should   provide  the ability  to Load and Unload a module,
+Login  and    Logout to the   module (through its slots), and to locate a
+particular   slot/token.<br>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSSlot">NSSSlot</a>
+ <br>
+                     This and NSSToken combine to replace the PK11 API parts
+  that   relate    to  slot  and token management. &nbsp;The slot API should
+  provide   the ability   to Login/Logout   to a slot, check the login status,
+  determine    basic configuration    information   about the slot, and modify
+  the password    settings.<br>
+ 
+<ol>
+   <li>Should slots also maintain a default session? &nbsp;This session would 
+ be used for slot management calls (sections 9.5 and9.6 of PKCS#11). &nbsp;Or 
+ is the token session sufficient (this would not work if C_GetTokenInfo and 
+ C_InitToken need to be wrapped in a threadsafe session).<br>
+   </li>
+ 
+</ol>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSToken">NSSToken</a>
+ <br>
+                     Fills in the gaps left by NSSSlot. &nbsp;Much of the 
+cryptoki     API   is  directed   towards slots.  &nbsp;However,   some  functionality
+   clearly belongs with a token type. &nbsp;For  example,   a certificate
+ lives  on a token, not a slot, so one would expect  a function   NSSToken_FindCertificate.
+    &nbsp;Thus functions that deal with  importing/exporting   an object
+and    performing  actual cryptographic operations  belong here.<br>
+ 
+<ol>
+   <li>The   distinction  between a slot and a token is not clear. &nbsp;Most 
+   functions take  a slotID   as an argument,  even though it is obvious that
+     the event   is intended to occur on a token. &nbsp;That leaves various
+   possibilities:</li>
+   
+  <ol>
+     <li>Implement the API entirely as NSSToken. &nbsp;If the token  is not 
+  present, some calls will simply fail.</li>
+     <li>Divide the API between NSSToken and NSSSlot, as described  above. 
+&nbsp;NSSSlot  would handle cryptoki calls specified as "slot management",
+  while NSSToken  handles actual token operations.</li>
+     <li>Others?</li>
+   
+  </ol>
+   <li>Session management. &nbsp;Tokens needs a threadsafe session handle 
+ to perform operations. &nbsp;CryptoContexts are meant to provide such sessions, 
+ but other objects will need access to token functions as well (examples: 
+the TrustDomain_Find functions, _Login, _Logout, and others that do not exist 
+ such as NSSToken_ChangePassword). &nbsp;For those functions, the token could 
+ maintain a default session. &nbsp;Thus all NSSToken API functions would take
+ sessionOpt as an argument. &nbsp;If the caller is going to provide a session,
+ it sends an NSSSession there, otherwise it sends NULL and the default session
+ is utilized.<br>
+   </li>
+ 
+</ol>
+      Proposed:<br>
+    NSSSession<br>
+    Wraps a Cryptoki session. &nbsp;Created from a slot. &nbsp;Used to manage
+  sessions for crypto contexts. &nbsp;Has a lock field, which locks the session
+  if the slot is not threadsafe.<br>
+ <br>
+ 
+<hr width="100%" size="2" align="Left"><br>
+ 
+<h3><a name="pki"></a>
+ <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/pki/"> 
+   PKI</a>
+ </h3>
+                          The NSS PKI library.<br>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSCertificate">NSS</a>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSCertificate">Certificate</a>
+ <br>
+ 
+<ol>
+   <li>The API leaves open the possibility of NSSCertificate meaning  various 
+ certificate types, not just X.509. &nbsp;The way to keep open this  possibility 
+ is to keep only generally useful information in the NSSCertificate  type. 
+&nbsp;Examples would be the certificate encoding, label, trust (obtained
+ from cryptoki calls), an email address, etc. &nbsp;Some type of generic
+reference  should be kept to the decoded certificate, which would then be
+accessed by  a type-specific API (e.g., NSSX509_GetSubjectName).</li>
+ 
+</ol>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSUserCertificate">NSSUserCertificate</a>
+ <br>
+ 
+<ol>
+   <li>Should this be a typedef of NSSCertificate?&nbsp; This implies  that 
+ any function that requires an   NSSUserCertificate   would fail when  called 
+ with a certificate lacking a private key. </li>
+ 
+</ol>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSPrivateKey">NSSPrivateKey</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSPublicKey">NSSPublicKey</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSSymmetricKey">NSSSymmetricKey</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSTrustDomain">NSSTrustDomain</a>
+ <br>
+                    A trust domain is "the field in which certificates may
+ be  validated."       &nbsp;It  is a collection of modules capable of performing 
+  cryptographic      operations  and storing certs and keys. &nbsp;This collection 
+  is managed     by NSS in a manner opaque to the consumer. &nbsp;The slots 
+  will have various      orderings determining which has preference for a 
+given  operation. &nbsp;For      example, the trust domain may order the storage
+ of user certificates one    way, and the storage of email certificates in
+ another way [is that a good    example?].<br>
+ <br>
+ 
+<ol>
+   <li>           How will ordering work? &nbsp;We already have the  suggestion 
+      that  there be two kinds of ordering: storage and search.  &nbsp;How 
+will     they be  constructed/managed? &nbsp;Do we want to expose  access 
+to a token     that overrides  this ordering (i.e., the download of  updated 
+root certs   may  need to override  storage order)</li>
+   <li>How are certs cached? &nbsp;Nelson wonders what it means   to   Stan 
+    when a cert does not live on a token yet. &nbsp;Bob, Terry, and    I discussed
+    this. &nbsp;My conclusion is that there should be a type,  separate 
+from   NSSCertificate,  that holds the decoded cert parts (e.g.,   NSSX509Certificate,
+    or to avoid confusion, NSSX509DecodedParts). &nbsp;NSSCertificate   would
+  keep  a handle to this type, so that it only needs to decode the  cert
+once.   &nbsp;The  NSSTrustDomain would keep a hash table of cached certs, 
+some of  which may  not live on a token yet (i.e., they are only NSSX509DecodedParts). 
+     &nbsp;This  cache could be accessed in the same way the temp db was, 
+and    when the cert  is ready to be moved onto a token a call to NSSTrustDomain_ImportCertificate 
+       is made. &nbsp;Note    that this is essentially the same as CERT_TempCertToPerm.</li>
+   
+  <ul>
+     <li>The hashtable in lib/base (copied from ckfw/hash.c) uses the identity 
+hash. &nbsp;Therefore, in a hash of certificates, the key is the certificate 
+pointer itself. &nbsp;One possibility is to store the decoded cert (NSSX509DecodedParts 
+above) as the value in the {key, value} pair. &nbsp;When a cert is decoded, 
+the cert pointer and decoding pointer are added to the hash. &nbsp;Subsequent 
+lookups have access to one or both of these pointers. &nbsp;This keeps NSSCertificate 
+separate from its decoding, while providing a way to locate it.</li>
+   
+  </ul>
+   <li>The API is designed to keep token details hidden from the user.  &nbsp;However, 
+ it has already been realized that PSM and CMS may need special  access to 
+tokens. &nbsp;Is this part of the TrustDomain API, or should PSM  and CMS 
+be allowed to use "friend" headers from the Token API?</li>
+   <li>Do we want to allow traversal via NSSTrustDomain_TraverseXXXX?<br>
+   </li>
+ 
+</ol>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSCryptoContext"><br>
+                   NSSCryptoContext</a>
+ <br>
+    Analgous to a Cryptoki session. &nbsp;Manages session objects only.<br>
+  <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSTime">NSSTime</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSUsage">NSSUsage</a>
+ <br>
+ 
+<ol>
+   <li>       See Fred's <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/pki/nsspkit.h#187">
+               comments</a>
+              .</li>
+ 
+</ol>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSPolicies">NSSPolicies</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSAlgorithmAndParameters">
+                      NSSAlgorithmAndParameters</a>
+ <br>
+ 
+<ol>
+   <li>       Again, Fred's <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/pki/nsspkit.h#215">
+               comments</a>
+              . &nbsp;The old NSS code had various types related to  algorithms 
+    running around in it. &nbsp;We had SECOidTag, SECAlgorithmID,   SECItem's
+     for parameters, CK_MECHANISM for cryptoki, etc. &nbsp;This type   should
+    be  able to encapsulate all of those.</li>
+ 
+</ol>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSCallback">NSSCallback</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSOperations">NSSOperations</a>
+ <br>
+ <br>
+ <br>
+ 
+<hr width="100%" size="2"><br>
+ <br>
+ A diagram to suggest a possible TrustDomain architecture.<br>
+ <br>
+ <img src="./standiag.png" alt="Trust Domain Diagram" width="748" height="367">
+ <br>
+ 
+<hr width="100%" size="2" align="Left"><br>
+ 
+<h3><a name="pki1"></a>
+ <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/pki1/">
+    PKI1</a>
+ </h3>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSOID">NSSOID</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSATAV">NSSATAV</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSRDN">NSSRDN</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSRDNSeq">NSSRDNSeq</a>
+ <br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=NSSName">NSSName</a>
+ <br>
+            NSSNameChoice<br>
+            NSSGeneralName<br>
+            NSSGeneralNameChoice<br>
+            NSSOtherName<br>
+            NSSRFC822Name<br>
+            NSSDNSName<br>
+            NSSX400Address<br>
+            NSSEdiParityAddress<br>
+            NSSURI<br>
+            NSSIPAddress<br>
+            NSSRegisteredID<br>
+            NSSGeneralNameSeq<br>
+ <a href="http://lxr.mozilla.org/mozilla/ident?i=nssAttributeTypeAliasTable">
+            nssAttributeTypeAliasTable</a>
+ <br>
+ <br>
+ <br>
+ 
+<hr width="100%" size="2" align="Left"><br>
+ 
+<h3><a name="pkix"></a>
+ <a href="http://lxr.mozilla.org/mozilla/source/security/nss/lib/pkix/">
+       PKIX&nbsp;</a>
+ </h3>
+           There is a plethora of PKIX related types here.<br>
+ <br>
+ 
+<hr width="100%" size="2" align="Left"><br>
+ 
+<h3><a name="build"></a>
+        Building Stan</h3>
+ <br>
+       From nss/lib, run "make BUILD_STAN=1"<br>
+ <br>
+ 
+<hr width="100%" size="2" align="Left"><br>
+ 
+<h3><a name="test"></a>
+       Testing Stan</h3>
+       A&nbsp;new command line tool, pkiutil, has been created to use only
+ the   Stan API. &nbsp;It depends on a new library, cmdlib, meant to replace
+ the   old secutil library. &nbsp;The old library had code used by products
+ that   needed to be integrated into the main library codebase somehow. &nbsp;The
+   goal of the new cmdlib is to have functionality needed strictly for NSS
+ tools.<br>
+ <br>
+       How to build:<br>
+ 
+<ol>
+   <li>cd nss/cmd/cmdlib; make</li>
+   <li>cd ../pkiutil; make</li>
+ 
+</ol>
+       pkiutil will give detailed help with either "pkiutil -?" or "pkiutil 
+ --help".<br>
+ <br>
+      So far, the only available test is to list certs on the builtins token. 
+  &nbsp;Copy "libnssckbi.so" (or whatever it is) to cmd/pkiutil. &nbsp;Then 
+  run "pkiutil -L" or "pkiutil --list". &nbsp;The list of certificate nicknames 
+  should be displayed.<br>
+ <br>
+ <br>
+ 
+</body>
+</html>
diff --git a/security/nss/lib/pki/manifest.mn b/security/nss/lib/pki/manifest.mn
new file mode 100644
index 000000000..2367cf8e4
--- /dev/null
+++ b/security/nss/lib/pki/manifest.mn
@@ -0,0 +1,70 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+CORE_DEPTH = ../../..
+
+PRIVATE_EXPORTS = \
+	pki.h      \
+	pkit.h     \
+	nsspkit.h  \
+	nsspki.h   \
+	$(NULL)
+
+EXPORTS =	   \
+	$(NULL)
+
+MODULE = security
+
+CSRCS =		        \
+	asymmkey.c      \
+	certificate.c   \
+	cryptocontext.c \
+	symmkey.c       \
+	trustdomain.c   \
+	tdcache.c       \
+	certdecode.c    \
+	pkistore.c      \
+	$(NULL)
+
+ifndef PURE_STAN_BUILD
+CSRCS += pki3hack.c
+PRIVATE_EXPORTS += pkistore.h pki3hack.h pkitm.h pkim.h
+#DEFINES = -DNSS_3_4_CODE -DDEBUG_CACHE
+DEFINES = -DNSS_3_4_CODE
+endif
+
+REQUIRES = security nspr
+
+LIBRARY_NAME = nsspki
+LIBRARY_VERSION = 3
diff --git a/security/nss/lib/pki/nsspki.def b/security/nss/lib/pki/nsspki.def
new file mode 100644
index 000000000..d32a4d1e6
--- /dev/null
+++ b/security/nss/lib/pki/nsspki.def
@@ -0,0 +1,249 @@
+;+#
+;+# The contents of this file are subject to the Mozilla Public
+;+# License Version 1.1 (the "License"); you may not use this file
+;+# except in compliance with the License. You may obtain a copy of
+;+# the License at http://www.mozilla.org/MPL/
+;+#
+;+# Software distributed under the License is distributed on an "AS
+;+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+;+# implied. See the License for the specific language governing
+;+# rights and limitations under the License.
+;+#
+;+# The Original Code is the Netscape security libraries.
+;+#
+;+# The Initial Developer of the Original Code is Netscape
+;+# Communications Corporation.  Portions created by Netscape are
+;+# Copyright (C) 2000 Netscape Communications Corporation.  All
+;+# Rights Reserved.
+;+#
+;+# Contributor(s):
+;+#
+;+# Alternatively, the contents of this file may be used under the
+;+# terms of the GNU General Public License Version 2 or later (the
+;+# "GPL"), in which case the provisions of the GPL are applicable
+;+# instead of those above.  If you wish to allow use of your
+;+# version of this file only under the terms of the GPL and not to
+;+# allow others to use your version of this file under the MPL,
+;+# indicate your decision by deleting the provisions above and
+;+# replace them with the notice and other provisions required by
+;+# the GPL.  If you do not delete the provisions above, a recipient
+;+# may use your version of this file under either the MPL or the
+;+# GPL.
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+#   1. For all unix platforms, the string ";-"  means "remove this line"
+;+#   2. For all unix platforms, the string " DATA " will be removed from any 
+;+#	line on which it occurs.
+;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+#      On AIX, lines containing ";+" will be removed.  
+;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+#   5. For all unix platforms, after the above processing has taken place,
+;+#    all characters after the first ";" on the line will be removed.  
+;+#    And for AIX, the first ";" will also be removed.
+;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+#   directives are hidden behind ";", ";+", and ";-"
+;+#
+;+#
+;+# This file contains the complete Stan API to date.  Functions that are
+;+# not yet implemented are commented out.
+;+
+;+NSS_3.4 {               # NSS 3.4 release
+;+    global:
+LIBRARY nsspki3 ;-
+EXPORTS	;-
+NSSArena_Create
+NSSArena_Destroy
+NSS_GetError
+NSS_GetErrorStack
+;NSSCertificate_Destroy;
+;NSSCertificate_DeleteStoredObject;
+;NSSCertificate_Validate;
+;NSSCertificate_ValidateCompletely;
+;NSSCertificate_ValidateAndDiscoverUsagesAndPolicies;
+;NSSCertificate_Encode;
+;NSSCertificate_BuildChain;
+;NSSCertificate_GetTrustDomain;
+;NSSCertificate_GetToken;
+;NSSCertificate_GetSlot;
+;NSSCertificate_GetModule;
+;NSSCertificate_Encrypt;
+;NSSCertificate_Verify;
+;NSSCertificate_VerifyRecover;
+;NSSCertificate_WrapSymmetricKey;
+;NSSCertificate_CreateCryptoContext;
+;NSSCertificate_GetPublicKey;
+;NSSCertificate_FindPrivateKey;
+;NSSCertificate_IsPrivateKeyAvailable;
+;NSSUserCertificate_IsStillPresent;
+;NSSUserCertificate_Decrypt;
+;NSSUserCertificate_Sign;
+;NSSUserCertificate_SignRecover;
+;NSSUserCertificate_UnwrapSymmetricKey;
+;NSSUserCertificate_DeriveSymmetricKey;
+;NSSPrivateKey_Destroy;
+;NSSPrivateKey_DeleteStoredObject;
+;NSSPrivateKey_GetSignatureLength;
+;NSSPrivateKey_GetPrivateModulusLength;
+;NSSPrivateKey_IsStillPresent;
+;NSSPrivateKey_Encode;
+;NSSPrivateKey_GetTrustDomain;
+;NSSPrivateKey_GetToken;
+;NSSPrivateKey_GetSlot;
+;NSSPrivateKey_GetModule;
+;NSSPrivateKey_Decrypt;
+;NSSPrivateKey_Sign;
+;NSSPrivateKey_SignRecover;
+;NSSPrivateKey_UnwrapSymmetricKey;
+;NSSPrivateKey_DeriveSymmetricKey;
+;NSSPrivateKey_FindPublicKey;
+;NSSPrivateKey_CreateCryptoContext;
+;NSSPrivateKey_FindCertificates;
+;NSSPrivateKey_FindBestCertificate;
+;NSSPublicKey_Destroy;
+;NSSPublicKey_DeleteStoredObject;
+;NSSPublicKey_Encode;
+;NSSPublicKey_GetTrustDomain;
+;NSSPublicKey_GetToken;
+;NSSPublicKey_GetSlot;
+;NSSPublicKey_GetModule;
+;NSSPublicKey_Encrypt;
+;NSSPublicKey_Verify;
+;NSSPublicKey_VerifyRecover;
+;NSSPublicKey_WrapSymmetricKey;
+;NSSPublicKey_CreateCryptoContext;
+;NSSPublicKey_FindCertificates;
+;NSSPublicKey_FindBestCertificate;
+;NSSPublicKey_FindPrivateKey;
+;NSSSymmetricKey_Destroy;
+;NSSSymmetricKey_DeleteStoredObject;
+;NSSSymmetricKey_GetKeyLength;
+;NSSSymmetricKey_GetKeyStrength;
+;NSSSymmetricKey_IsStillPresent;
+;NSSSymmetricKey_GetTrustDomain;
+;NSSSymmetricKey_GetToken;
+;NSSSymmetricKey_GetSlot;
+;NSSSymmetricKey_GetModule;
+;NSSSymmetricKey_Encrypt;
+;NSSSymmetricKey_Decrypt;
+;NSSSymmetricKey_Sign;
+;NSSSymmetricKey_SignRecover;
+;NSSSymmetricKey_Verify;
+;NSSSymmetricKey_VerifyRecover;
+;NSSSymmetricKey_WrapSymmetricKey;
+;NSSSymmetricKey_WrapPrivateKey;
+;NSSSymmetricKey_UnwrapSymmetricKey;
+;NSSSymmetricKey_UnwrapPrivateKey;
+;NSSSymmetricKey_DeriveSymmetricKey;
+;NSSSymmetricKey_CreateCryptoContext;
+NSSTrustDomain_Create;
+;NSSTrustDomain_Destroy;
+;NSSTrustDomain_SetDefaultCallback;
+;NSSTrustDomain_GetDefaultCallback;
+NSSTrustDomain_LoadModule;
+;NSSTrustDomain_DisableToken;
+;NSSTrustDomain_EnableToken;
+;NSSTrustDomain_IsTokenEnabled;
+;NSSTrustDomain_FindSlotByName;
+;NSSTrustDomain_FindTokenByName;
+;NSSTrustDomain_FindTokenBySlotName;
+;NSSTrustDomain_FindTokenForAlgorithm;
+;NSSTrustDomain_FindBestTokenForAlgorithms;
+;NSSTrustDomain_Login;
+;NSSTrustDomain_Logout;
+;NSSTrustDomain_ImportCertificate;
+;NSSTrustDomain_ImportPKIXCertificate;
+;NSSTrustDomain_ImportEncodedCertificate;
+;NSSTrustDomain_ImportEncodedCertificateChain;
+;NSSTrustDomain_ImportEncodedPrivateKey;
+;NSSTrustDomain_ImportEncodedPublicKey;
+;NSSTrustDomain_FindBestCertificateByNickname;
+NSSTrustDomain_FindCertificatesByNickname
+;NSSTrustDomain_FindCertificateByIssuerAndSerialNumber;
+;NSSTrustDomain_FindBestCertificateBySubject;
+;NSSTrustDomain_FindCertificatesBySubject;
+;NSSTrustDomain_FindBestCertificateByNameComponents;
+;NSSTrustDomain_FindCertificatesByNameComponents;
+;NSSTrustDomain_FindCertificateByEncodedCertificate;
+;NSSTrustDomain_FindCertificateByEmail;
+;NSSTrustDomain_FindCertificatesByEmail;
+;NSSTrustDomain_FindCertificateByOCSPHash;
+;NSSTrustDomain_FindBestUserCertificate;
+;NSSTrustDomain_FindUserCertificates;
+;NSSTrustDomain_FindBestUserCertificateForSSLClientAuth;
+;NSSTrustDomain_FindUserCertificatesForSSLClientAuth;
+;NSSTrustDomain_FindBestUserCertificateForEmailSigning;
+;NSSTrustDomain_FindUserCertificatesForEmailSigning;
+;NSSTrustDomain_GenerateKeyPair;
+;NSSTrustDomain_GenerateSymmetricKey;
+;NSSTrustDomain_GenerateSymmetricKeyFromPassword;
+;NSSTrustDomain_FindSymmetricKeyByAlgorithmAndKeyID;
+;NSSTrustDomain_CreateCryptoContext;
+;NSSTrustDomain_CreateCryptoContextForAlgorithm;
+;NSSTrustDomain_CreateCryptoContextForAlgorithmAndParameters;
+;NSSCryptoContext_Destroy;
+;NSSCryptoContext_SetDefaultCallback;
+;NSSCryptoContext_GetDefaultCallback;
+;NSSCryptoContext_GetTrustDomain;
+;NSSCryptoContext_ImportCertificate;
+;NSSCryptoContext_ImportPKIXCertificate;
+;NSSCryptoContext_ImportEncodedCertificate;
+;NSSCryptoContext_ImportEncodedPKIXCertificateChain;
+;NSSCryptoContext_FindBestCertificateByNickname;
+;NSSCryptoContext_FindCertificatesByNickname;
+;NSSCryptoContext_FindCertificateByIssuerAndSerialNumber;
+;NSSCryptoContext_FindBestCertificateBySubject;
+;NSSCryptoContext_FindCertificatesBySubject;
+;NSSCryptoContext_FindBestCertificateByNameComponents;
+;NSSCryptoContext_FindCertificatesByNameComponents;
+;NSSCryptoContext_FindCertificateByEncodedCertificate;
+;NSSCryptoContext_FindBestCertificateByEmail;
+;NSSCryptoContext_FindCertificatesByEmail;
+;NSSCryptoContext_FindCertificateByOCSPHash;
+;NSSCryptoContext_FindBestUserCertificate;
+;NSSCryptoContext_FindUserCertificates;
+;NSSCryptoContext_FindBestUserCertificateForSSLClientAuth;
+;NSSCryptoContext_FindUserCertificatesForSSLClientAuth;
+;NSSCryptoContext_FindBestUserCertificateForEmailSigning;
+;NSSCryptoContext_FindUserCertificatesForEmailSigning;
+;NSSCryptoContext_GenerateKeyPair;
+;NSSCryptoContext_GenerateSymmetricKey;
+;NSSCryptoContext_GenerateSymmetricKeyFromPassword;
+;NSSCryptoContext_FindSymmetricKeyByAlgorithmAndKeyID;
+;NSSCryptoContext_Decrypt;
+;NSSCryptoContext_BeginDecrypt;
+;NSSCryptoContext_ContinueDecrypt;
+;NSSCryptoContext_FinishDecrypt;
+;NSSCryptoContext_Sign;
+;NSSCryptoContext_BeginSign;
+;NSSCryptoContext_ContinueSign;
+;NSSCryptoContext_FinishSign;
+;NSSCryptoContext_SignRecover;
+;NSSCryptoContext_BeginSignRecover;
+;NSSCryptoContext_ContinueSignRecover;
+;NSSCryptoContext_FinishSignRecover;
+;NSSCryptoContext_UnwrapSymmetricKey;
+;NSSCryptoContext_DeriveSymmetricKey;
+;NSSCryptoContext_Encrypt;
+;NSSCryptoContext_BeginEncrypt;
+;NSSCryptoContext_ContinueEncrypt;
+;NSSCryptoContext_FinishEncrypt;
+;NSSCryptoContext_Verify;
+;NSSCryptoContext_BeginVerify;
+;NSSCryptoContext_ContinueVerify;
+;NSSCryptoContext_FinishVerify;
+;NSSCryptoContext_VerifyRecover;
+;NSSCryptoContext_BeginVerifyRecover;
+;NSSCryptoContext_ContinueVerifyRecover;
+;NSSCryptoContext_FinishVerifyRecover;
+;NSSCryptoContext_WrapSymmetricKey;
+;NSSCryptoContext_Digest;
+;NSSCryptoContext_BeginDigest;
+;NSSCryptoContext_ContinueDigest;
+;NSSCryptoContext_FinishDigest;
+;NSSCryptoContext_Clone;
+;+    local:
+NSSTrustDomain_TraverseCertificates;
+NSSCertificate_GetID;
+NSSCertificate_GetLabel;
+;+        *;
+;+};
diff --git a/security/nss/lib/pki/nsspki.h b/security/nss/lib/pki/nsspki.h
new file mode 100644
index 000000000..f8bb731e2
--- /dev/null
+++ b/security/nss/lib/pki/nsspki.h
@@ -0,0 +1,3190 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef NSSPKI_H
+#define NSSPKI_H
+
+#ifdef DEBUG
+static const char NSSPKI_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * nsspki.h
+ *
+ * This file prototypes the methods of the top-level PKI objects.
+ */
+
+#ifndef NSSDEVT_H
+#include "nssdevt.h"
+#endif /* NSSDEVT_H */
+
+#ifndef NSSPKIT_H
+#include "nsspkit.h"
+#endif /* NSSPKIT_H */
+
+#ifndef NSSPKI1_H
+#include "nsspki1.h"
+#endif /* NSSPKI1_H */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * A note about interfaces
+ *
+ * Although these APIs are specified in C, a language which does
+ * not have fancy support for abstract interfaces, this library
+ * was designed from an object-oriented perspective.  It may be
+ * useful to consider the standard interfaces which went into
+ * the writing of these APIs.
+ *
+ * Basic operations on all objects:
+ *  Destroy -- free a pointer to an object
+ *  DeleteStoredObject -- delete an object permanently
+ *
+ * Public Key cryptographic operations:
+ *  Encrypt
+ *  Verify
+ *  VerifyRecover
+ *  Wrap
+ *  Derive
+ *
+ * Private Key cryptographic operations:
+ *  IsStillPresent
+ *  Decrypt
+ *  Sign
+ *  SignRecover
+ *  Unwrap
+ *  Derive
+ *
+ * Symmetric Key cryptographic operations:
+ *  IsStillPresent
+ *  Encrypt
+ *  Decrypt
+ *  Sign
+ *  SignRecover
+ *  Verify
+ *  VerifyRecover
+ *  Wrap
+ *  Unwrap
+ *  Derive
+ *
+ */
+
+/*
+ * NSSCertificate
+ *
+ * These things can do crypto ops like public keys, except that the trust, 
+ * usage, and other constraints are checked.  These objects are "high-level,"
+ * so trust, usages, etc. are in the form we throw around (client auth,
+ * email signing, etc.).  Remember that theoretically another implementation
+ * (think PGP) could be beneath this object.
+ */
+
+/*
+ * NSSCertificate_Destroy
+ *
+ * Free a pointer to a certificate object.
+ */
+
+NSS_EXTERN PRStatus
+NSSCertificate_Destroy
+(
+  NSSCertificate *c
+);
+
+/*
+ * NSSCertificate_DeleteStoredObject
+ *
+ * Permanently remove this certificate from storage.  If this is the
+ * only (remaining) certificate corresponding to a private key, 
+ * public key, and/or other object; then that object (those objects)
+ * are deleted too.
+ */
+
+NSS_EXTERN PRStatus
+NSSCertificate_DeleteStoredObject
+(
+  NSSCertificate *c,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSCertificate_Validate
+ *
+ * Verify that this certificate is trusted, for the specified usage(s), 
+ * at the specified time, {word word} the specified policies.
+ */
+
+NSS_EXTERN PRStatus
+NSSCertificate_Validate
+(
+  NSSCertificate *c,
+  NSSTime *timeOpt, /* NULL for "now" */
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt /* NULL for none */
+);
+
+/*
+ * NSSCertificate_ValidateCompletely
+ *
+ * Verify that this certificate is trusted.  The difference between
+ * this and the previous call is that NSSCertificate_Validate merely
+ * returns success or failure with an appropriate error stack.
+ * However, there may be (and often are) multiple problems with a
+ * certificate.  This routine returns an array of errors, specifying
+ * every problem.
+ */
+
+/* 
+ * Return value must be an array of objects, each of which has
+ * an NSSError, and any corresponding certificate (in the chain)
+ * and/or policy.
+ */
+
+NSS_EXTERN void ** /* void *[] */
+NSSCertificate_ValidateCompletely
+(
+  NSSCertificate *c,
+  NSSTime *timeOpt, /* NULL for "now" */
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt, /* NULL for none */
+  void **rvOpt, /* NULL for allocate */
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt /* NULL for heap */
+);
+
+/*
+ * NSSCertificate_ValidateAndDiscoverUsagesAndPolicies
+ *
+ * Returns PR_SUCCESS if the certificate is valid for at least something.
+ */
+
+NSS_EXTERN PRStatus
+NSSCertificate_ValidateAndDiscoverUsagesAndPolicies
+(
+  NSSCertificate *c,
+  NSSTime **notBeforeOutOpt,
+  NSSTime **notAfterOutOpt,
+  void *allowedUsages,
+  void *disallowedUsages,
+  void *allowedPolicies,
+  void *disallowedPolicies,
+  /* more args.. work on this fgmr */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCertificate_Encode
+ *
+ */
+
+NSS_EXTERN NSSDER *
+NSSCertificate_Encode
+(
+  NSSCertificate *c,
+  NSSDER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCertificate_BuildChain
+ *
+ * This routine returns NSSCertificate *'s for each certificate
+ * in the "chain" starting from the specified one up to and
+ * including the root.  The zeroth element in the array is the
+ * specified ("leaf") certificate.
+ *
+ * If statusOpt is supplied, and is returned as PR_FAILURE, possible
+ * error values are:
+ *
+ * NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND - the chain is incomplete
+ *
+ */
+
+extern const NSSError NSS_ERROR_CERTIFICATE_ISSUER_NOT_FOUND;
+
+NSS_EXTERN NSSCertificate **
+NSSCertificate_BuildChain
+(
+  NSSCertificate *c,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSCertificate_GetTrustDomain
+ *
+ */
+
+NSS_EXTERN NSSTrustDomain *
+NSSCertificate_GetTrustDomain
+(
+  NSSCertificate *c
+);
+
+/*
+ * NSSCertificate_GetToken
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSToken *
+NSSCertificate_GetToken
+(
+  NSSCertificate *c,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSCertificate_GetSlot
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSSlot *
+NSSCertificate_GetSlot
+(
+  NSSCertificate *c,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSCertificate_GetModule
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSModule *
+NSSCertificate_GetModule
+(
+  NSSCertificate *c,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSCertificate_Encrypt
+ *
+ * Encrypt a single chunk of data with the public key corresponding to
+ * this certificate.
+ */
+
+NSS_EXTERN NSSItem *
+NSSCertificate_Encrypt
+(
+  NSSCertificate *c,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCertificate_Verify
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCertificate_Verify
+(
+  NSSCertificate *c,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSItem *signature,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSCertificate_VerifyRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCertificate_VerifyRecover
+(
+  NSSCertificate *c,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *signature,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCertificate_WrapSymmetricKey
+ *
+ * This method tries very hard to to succeed, even in situations 
+ * involving sensitive keys and multiple modules.
+ * { relyea: want to add verbiage? }
+ */
+
+NSS_EXTERN NSSItem *
+NSSCertificate_WrapSymmetricKey
+(
+  NSSCertificate *c,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSSymmetricKey *keyToWrap,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCertificate_CreateCryptoContext
+ *
+ * Create a crypto context, in this certificate's trust domain, with this
+ * as the distinguished certificate.
+ */
+
+NSS_EXTERN NSSCryptoContext *
+NSSCertificate_CreateCryptoContext
+(
+  NSSCertificate *c,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh  
+);
+
+/*
+ * NSSCertificate_GetPublicKey
+ *
+ * Returns the public key corresponding to this certificate.
+ */
+
+NSS_EXTERN NSSPublicKey *
+NSSCertificate_GetPublicKey
+(
+  NSSCertificate *c
+);
+
+/*
+ * NSSCertificate_FindPrivateKey
+ *
+ * Finds and returns the private key corresponding to this certificate,
+ * if it is available.
+ *
+ * { Should this hang off of NSSUserCertificate? }
+ */
+
+NSS_EXTERN NSSPrivateKey *
+NSSCertificate_FindPrivateKey
+(
+  NSSCertificate *c,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSCertificate_IsPrivateKeyAvailable
+ *
+ * Returns success if the private key corresponding to this certificate
+ * is available to be used.
+ *
+ * { Should *this* hang off of NSSUserCertificate?? }
+ */
+
+NSS_EXTERN PRBool
+NSSCertificate_IsPrivateKeyAvailable
+(
+  NSSCertificate *c,
+  NSSCallback *uhh,
+  PRStatus *statusOpt
+);
+
+/*
+ * If we make NSSUserCertificate not a typedef of NSSCertificate, 
+ * then we'll need implementations of the following:
+ *
+ *  NSSUserCertificate_Destroy
+ *  NSSUserCertificate_DeleteStoredObject
+ *  NSSUserCertificate_Validate
+ *  NSSUserCertificate_ValidateCompletely
+ *  NSSUserCertificate_ValidateAndDiscoverUsagesAndPolicies
+ *  NSSUserCertificate_Encode
+ *  NSSUserCertificate_BuildChain
+ *  NSSUserCertificate_GetTrustDomain
+ *  NSSUserCertificate_GetToken
+ *  NSSUserCertificate_GetSlot
+ *  NSSUserCertificate_GetModule
+ *  NSSUserCertificate_GetCryptoContext
+ *  NSSUserCertificate_GetPublicKey
+ */
+
+/*
+ * NSSUserCertificate_IsStillPresent
+ *
+ * Verify that if this certificate lives on a token, that the token
+ * is still present and the certificate still exists.  This is a
+ * lightweight call which should be used whenever it should be
+ * verified that the user hasn't perhaps popped out his or her
+ * token and strolled away.
+ */
+
+NSS_EXTERN PRBool
+NSSUserCertificate_IsStillPresent
+(
+  NSSUserCertificate *uc,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSUserCertificate_Decrypt
+ *
+ * Decrypt a single chunk of data with the private key corresponding
+ * to this certificate.
+ */
+
+NSS_EXTERN NSSItem *
+NSSUserCertificate_Decrypt
+(
+  NSSUserCertificate *uc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSUserCertificate_Sign
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSUserCertificate_Sign
+(
+  NSSUserCertificate *uc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSUserCertificate_SignRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSUserCertificate_SignRecover
+(
+  NSSUserCertificate *uc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSUserCertificate_UnwrapSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSUserCertificate_UnwrapSymmetricKey
+(
+  NSSUserCertificate *uc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *wrappedKey,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSUserCertificate_DeriveSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSUserCertificate_DeriveSymmetricKey
+(
+  NSSUserCertificate *uc, /* provides private key */
+  NSSCertificate *c, /* provides public key */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSOID *target,
+  PRUint32 keySizeOpt, /* zero for best allowed */
+  NSSOperations operations,
+  NSSCallback *uhh
+);
+
+/* filter-certs function(s) */
+
+/**
+ ** fgmr -- trust objects
+ **/
+
+/*
+ * NSSPrivateKey
+ *
+ */
+
+/*
+ * NSSPrivateKey_Destroy
+ *
+ * Free a pointer to a private key object.
+ */
+
+NSS_EXTERN PRStatus
+NSSPrivateKey_Destroy
+(
+  NSSPrivateKey *vk
+);
+
+/*
+ * NSSPrivateKey_DeleteStoredObject
+ *
+ * Permanently remove this object, and any related objects (such as the
+ * certificates corresponding to this key).
+ */
+
+NSS_EXTERN PRStatus
+NSSPrivateKey_DeleteStoredObject
+(
+  NSSPrivateKey *vk,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSPrivateKey_GetSignatureLength
+ *
+ */
+
+NSS_EXTERN PRUint32
+NSSPrivateKey_GetSignatureLength
+(
+  NSSPrivateKey *vk
+);
+
+/*
+ * NSSPrivateKey_GetPrivateModulusLength
+ *
+ */
+
+NSS_EXTERN PRUint32
+NSSPrivateKey_GetPrivateModulusLength
+(
+  NSSPrivateKey *vk
+);
+
+/*
+ * NSSPrivateKey_IsStillPresent
+ *
+ */
+
+NSS_EXTERN PRBool
+NSSPrivateKey_IsStillPresent
+(
+  NSSPrivateKey *vk,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPrivateKey_Encode
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSPrivateKey_Encode
+(
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *ap,
+  NSSItem *passwordOpt, /* NULL will cause a callback; "" for no password */
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPrivateKey_GetTrustDomain
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSTrustDomain *
+NSSPrivateKey_GetTrustDomain
+(
+  NSSPrivateKey *vk,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPrivateKey_GetToken
+ *
+ */
+
+NSS_EXTERN NSSToken *
+NSSPrivateKey_GetToken
+(
+  NSSPrivateKey *vk
+);
+
+/*
+ * NSSPrivateKey_GetSlot
+ *
+ */
+
+NSS_EXTERN NSSSlot *
+NSSPrivateKey_GetSlot
+(
+  NSSPrivateKey *vk
+);
+
+/*
+ * NSSPrivateKey_GetModule
+ *
+ */
+
+NSS_EXTERN NSSModule *
+NSSPrivateKey_GetModule
+(
+  NSSPrivateKey *vk
+);
+
+/*
+ * NSSPrivateKey_Decrypt
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSPrivateKey_Decrypt
+(
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *encryptedData,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPrivateKey_Sign
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSPrivateKey_Sign
+(
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPrivateKey_SignRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSPrivateKey_SignRecover
+(
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPrivateKey_UnwrapSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSPrivateKey_UnwrapSymmetricKey
+(
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *wrappedKey,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSPrivateKey_DeriveSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSPrivateKey_DeriveSymmetricKey
+(
+  NSSPrivateKey *vk,
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSOID *target,
+  PRUint32 keySizeOpt, /* zero for best allowed */
+  NSSOperations operations,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSPrivateKey_FindPublicKey
+ *
+ */
+
+NSS_EXTERN NSSPublicKey *
+NSSPrivateKey_FindPublicKey
+(
+  NSSPrivateKey *vk
+  /* { don't need the callback here, right? } */
+);
+
+/*
+ * NSSPrivateKey_CreateCryptoContext
+ *
+ * Create a crypto context, in this key's trust domain,
+ * with this as the distinguished private key.
+ */
+
+NSS_EXTERN NSSCryptoContext *
+NSSPrivateKey_CreateCryptoContext
+(
+  NSSPrivateKey *vk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSPrivateKey_FindCertificates
+ *
+ * Note that there may be more than one certificate for this
+ * private key.  { FilterCertificates function to further
+ * reduce the list. }
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSPrivateKey_FindCertificates
+(
+  NSSPrivateKey *vk,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPrivateKey_FindBestCertificate
+ *
+ * The parameters for this function will depend on what the users
+ * need.  This is just a starting point.
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSPrivateKey_FindBestCertificate
+(
+  NSSPrivateKey *vk,
+  NSSTime *timeOpt,
+  NSSUsage *usageOpt,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSPublicKey
+ *
+ * Once you generate, find, or derive one of these, you can use it
+ * to perform (simple) cryptographic operations.  Though there may
+ * be certificates associated with these public keys, they are not
+ * verified.
+ */
+
+/*
+ * NSSPublicKey_Destroy
+ *
+ * Free a pointer to a public key object.
+ */
+
+NSS_EXTERN PRStatus
+NSSPublicKey_Destroy
+(
+  NSSPublicKey *bk
+);
+
+/*
+ * NSSPublicKey_DeleteStoredObject
+ *
+ * Permanently remove this object, and any related objects (such as the
+ * corresponding private keys and certificates).
+ */
+
+NSS_EXTERN PRStatus
+NSSPublicKey_DeleteStoredObject
+(
+  NSSPublicKey *bk,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSPublicKey_Encode
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSPublicKey_Encode
+(
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *ap,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPublicKey_GetTrustDomain
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSTrustDomain *
+NSSPublicKey_GetTrustDomain
+(
+  NSSPublicKey *bk,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPublicKey_GetToken
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSToken *
+NSSPublicKey_GetToken
+(
+  NSSPublicKey *bk,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPublicKey_GetSlot
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSSlot *
+NSSPublicKey_GetSlot
+(
+  NSSPublicKey *bk,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPublicKey_GetModule
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSModule *
+NSSPublicKey_GetModule
+(
+  NSSPublicKey *bk,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPublicKey_Encrypt
+ *
+ * Encrypt a single chunk of data with the public key corresponding to
+ * this certificate.
+ */
+
+NSS_EXTERN NSSItem *
+NSSPublicKey_Encrypt
+(
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPublicKey_Verify
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSPublicKey_Verify
+(
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSItem *signature,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSPublicKey_VerifyRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSPublicKey_VerifyRecover
+(
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *signature,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPublicKey_WrapSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSPublicKey_WrapSymmetricKey
+(
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSSymmetricKey *keyToWrap,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPublicKey_CreateCryptoContext
+ *
+ * Create a crypto context, in this key's trust domain, with this
+ * as the distinguished public key.
+ */
+
+NSS_EXTERN NSSCryptoContext *
+NSSPublicKey_CreateCryptoContext
+(
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSPublicKey_FindCertificates
+ *
+ * Note that there may be more than one certificate for this
+ * public key.  The current implementation may not find every
+ * last certificate available for this public key: that would
+ * involve trolling e.g. huge ldap databases, which will be
+ * grossly inefficient and not generally useful.
+ * { FilterCertificates function to further reduce the list }
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSPublicKey_FindCertificates
+(
+  NSSPublicKey *bk,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPrivateKey_FindBestCertificate
+ *
+ * The parameters for this function will depend on what the users
+ * need.  This is just a starting point.
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSPublicKey_FindBestCertificate
+(
+  NSSPublicKey *bk,
+  NSSTime *timeOpt,
+  NSSUsage *usageOpt,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSPublicKey_FindPrivateKey
+ *
+ */
+
+NSS_EXTERN NSSPrivateKey *
+NSSPublicKey_FindPrivateKey
+(
+  NSSPublicKey *bk,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSSymmetricKey
+ *
+ */
+
+/*
+ * NSSSymmetricKey_Destroy
+ *
+ * Free a pointer to a symmetric key object.
+ */
+
+NSS_EXTERN PRStatus
+NSSSymmetricKey_Destroy
+(
+  NSSSymmetricKey *mk
+);
+
+/*
+ * NSSSymmetricKey_DeleteStoredObject
+ *
+ * Permanently remove this object.
+ */
+
+NSS_EXTERN PRStatus
+NSSSymmetricKey_DeleteStoredObject
+(
+  NSSSymmetricKey *mk,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSSymmetricKey_GetKeyLength
+ *
+ */
+
+NSS_EXTERN PRUint32
+NSSSymmetricKey_GetKeyLength
+(
+  NSSSymmetricKey *mk
+);
+
+/*
+ * NSSSymmetricKey_GetKeyStrength
+ *
+ */
+
+NSS_EXTERN PRUint32
+NSSSymmetricKey_GetKeyStrength
+(
+  NSSSymmetricKey *mk
+);
+
+/*
+ * NSSSymmetricKey_IsStillPresent
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSSymmetricKey_IsStillPresent
+(
+  NSSSymmetricKey *mk
+);
+
+/*
+ * NSSSymmetricKey_GetTrustDomain
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSTrustDomain *
+NSSSymmetricKey_GetTrustDomain
+(
+  NSSSymmetricKey *mk,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSSymmetricKey_GetToken
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSToken *
+NSSSymmetricKey_GetToken
+(
+  NSSSymmetricKey *mk,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSSymmetricKey_GetSlot
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSSlot *
+NSSSymmetricKey_GetSlot
+(
+  NSSSymmetricKey *mk,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSSymmetricKey_GetModule
+ *
+ * There doesn't have to be one.
+ */
+
+NSS_EXTERN NSSModule *
+NSSSymmetricKey_GetModule
+(
+  NSSSymmetricKey *mk,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSSymmetricKey_Encrypt
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSSymmetricKey_Encrypt
+(
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSSymmetricKey_Decrypt
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSSymmetricKey_Decrypt
+(
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *encryptedData,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSSymmetricKey_Sign
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSSymmetricKey_Sign
+(
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSSymmetricKey_SignRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSSymmetricKey_SignRecover
+(
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSSymmetricKey_Verify
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSSymmetricKey_Verify
+(
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSItem *signature,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSSymmetricKey_VerifyRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSSymmetricKey_VerifyRecover
+(
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *signature,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSSymmetricKey_WrapSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSSymmetricKey_WrapSymmetricKey
+(
+  NSSSymmetricKey *wrappingKey,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSSymmetricKey *keyToWrap,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSSymmetricKey_WrapPrivateKey
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSSymmetricKey_WrapPrivateKey
+(
+  NSSSymmetricKey *wrappingKey,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPrivateKey *keyToWrap,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSSymmetricKey_UnwrapSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSSymmetricKey_UnwrapSymmetricKey
+(
+  NSSSymmetricKey *wrappingKey,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *wrappedKey,
+  NSSOID *target,
+  PRUint32 keySizeOpt,
+  NSSOperations operations,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSSymmetricKey_UnwrapPrivateKey
+ *
+ */
+
+NSS_EXTERN NSSPrivateKey *
+NSSSymmetricKey_UnwrapPrivateKey
+(
+  NSSSymmetricKey *wrappingKey,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *wrappedKey,
+  NSSUTF8 *labelOpt,
+  NSSItem *keyIDOpt,
+  PRBool persistant,
+  PRBool sensitive,
+  NSSToken *destinationOpt,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSSymmetricKey_DeriveSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSSymmetricKey_DeriveSymmetricKey
+(
+  NSSSymmetricKey *originalKey,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSOID *target,
+  PRUint32 keySizeOpt,
+  NSSOperations operations,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSSymmetricKey_CreateCryptoContext
+ *
+ * Create a crypto context, in this key's trust domain,
+ * with this as the distinguished symmetric key.
+ */
+
+NSS_EXTERN NSSCryptoContext *
+NSSSymmetricKey_CreateCryptoContext
+(
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhh
+);
+
+/*
+ * NSSTrustDomain
+ *
+ */
+
+/*
+ * NSSTrustDomain_Create
+ *
+ * This creates a trust domain, optionally with an initial cryptoki
+ * module.  If the module name is not null, the module is loaded if
+ * needed (using the uriOpt argument), and initialized with the
+ * opaqueOpt argument.  If mumble mumble priority settings, then
+ * module-specification objects in the module can cause the loading
+ * and initialization of further modules.
+ *
+ * The uriOpt is defined to take a URI.  At present, we only
+ * support file: URLs pointing to platform-native shared libraries.
+ * However, by specifying this as a URI, this keeps open the 
+ * possibility of supporting other, possibly remote, resources.
+ *
+ * The "reserved" arguments is held for when we figure out the
+ * module priority stuff.
+ */
+
+NSS_EXTERN NSSTrustDomain *
+NSSTrustDomain_Create
+(
+  NSSUTF8 *moduleOpt,
+  NSSUTF8 *uriOpt,
+  NSSUTF8 *opaqueOpt,
+  void *reserved
+);
+
+/*
+ * NSSTrustDomain_Destroy
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSTrustDomain_Destroy
+(
+  NSSTrustDomain *td
+);
+
+/*
+ * NSSTrustDomain_SetDefaultCallback
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSTrustDomain_SetDefaultCallback
+(
+  NSSTrustDomain *td,
+  NSSCallback *newCallback,
+  NSSCallback **oldCallbackOpt
+);
+
+/*
+ * NSSTrustDomain_GetDefaultCallback
+ *
+ */
+
+NSS_EXTERN NSSCallback *
+NSSTrustDomain_GetDefaultCallback
+(
+  NSSTrustDomain *td,
+  PRStatus *statusOpt
+);
+
+/*
+ * Default policies?
+ * Default usage?
+ * Default time, for completeness?
+ */
+
+/*
+ * NSSTrustDomain_LoadModule
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSTrustDomain_LoadModule
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *moduleOpt,
+  NSSUTF8 *uriOpt,
+  NSSUTF8 *opaqueOpt,
+  void *reserved
+);
+
+/*
+ * NSSTrustDomain_AddModule
+ * NSSTrustDomain_AddSlot
+ * NSSTrustDomain_UnloadModule
+ * Managing modules, slots, tokens; priorities;
+ * Traversing all of the above
+ * this needs more work
+ */
+
+/*
+ * NSSTrustDomain_DisableToken
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSTrustDomain_DisableToken
+(
+  NSSTrustDomain *td,
+  NSSToken *token,
+  NSSError why
+);
+
+/*
+ * NSSTrustDomain_EnableToken
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSTrustDomain_EnableToken
+(
+  NSSTrustDomain *td,
+  NSSToken *token
+);
+
+/*
+ * NSSTrustDomain_IsTokenEnabled
+ *
+ * If disabled, "why" is always on the error stack.
+ * The optional argument is just for convenience.
+ */
+
+NSS_EXTERN PRStatus
+NSSTrustDomain_IsTokenEnabled
+(
+  NSSTrustDomain *td,
+  NSSToken *token,
+  NSSError *whyOpt
+);
+
+/*
+ * NSSTrustDomain_FindSlotByName
+ *
+ */
+
+NSS_EXTERN NSSSlot *
+NSSTrustDomain_FindSlotByName
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *slotName
+);
+
+/*
+ * NSSTrustDomain_FindTokenByName
+ *
+ */
+
+NSS_EXTERN NSSToken *
+NSSTrustDomain_FindTokenByName
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *tokenName
+);
+
+/*
+ * NSSTrustDomain_FindTokenBySlotName
+ *
+ */
+
+NSS_EXTERN NSSToken *
+NSSTrustDomain_FindTokenBySlotName
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *slotName
+);
+
+/*
+ * NSSTrustDomain_FindBestTokenForAlgorithm
+ *
+ */
+
+NSS_EXTERN NSSToken *
+NSSTrustDomain_FindTokenForAlgorithm
+(
+  NSSTrustDomain *td,
+  NSSOID *algorithm
+);
+
+/*
+ * NSSTrustDomain_FindBestTokenForAlgorithms
+ *
+ */
+
+NSS_EXTERN NSSToken *
+NSSTrustDomain_FindBestTokenForAlgorithms
+(
+  NSSTrustDomain *td,
+  NSSOID *algorithms[], /* may be null-terminated */
+  PRUint32 nAlgorithmsOpt /* limits the array if nonzero */
+);
+
+/*
+ * NSSTrustDomain_Login
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSTrustDomain_Login
+(
+  NSSTrustDomain *td,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSTrustDomain_Logout
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSTrustDomain_Logout
+(
+  NSSTrustDomain *td
+);
+
+/* Importing things */
+
+/*
+ * NSSTrustDomain_ImportCertificate
+ *
+ * The implementation will pull some data out of the certificate
+ * (e.g. e-mail address) for use in pkcs#11 object attributes.
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_ImportCertificate
+(
+  NSSTrustDomain *td,
+  NSSCertificate *c
+);
+
+/*
+ * NSSTrustDomain_ImportPKIXCertificate
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_ImportPKIXCertificate
+(
+  NSSTrustDomain *td,
+  /* declared as a struct until these "data types" are defined */
+  struct NSSPKIXCertificateStr *pc
+);
+
+/*
+ * NSSTrustDomain_ImportEncodedCertificate
+ *
+ * Imports any type of certificate we support.
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_ImportEncodedCertificate
+(
+  NSSTrustDomain *td,
+  NSSBER *ber
+);
+
+/*
+ * NSSTrustDomain_ImportEncodedCertificateChain
+ *
+ * If you just want the leaf, pass in a maximum of one.
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSTrustDomain_ImportEncodedCertificateChain
+(
+  NSSTrustDomain *td,
+  NSSBER *ber,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSTrustDomain_ImportEncodedPrivateKey
+ *
+ */
+
+NSS_EXTERN NSSPrivateKey *
+NSSTrustDomain_ImportEncodedPrivateKey
+(
+  NSSTrustDomain *td,
+  NSSBER *ber,
+  NSSItem *passwordOpt, /* NULL will cause a callback */
+  NSSCallback *uhhOpt,
+  NSSToken *destination
+);
+
+/*
+ * NSSTrustDomain_ImportEncodedPublicKey
+ *
+ */
+
+NSS_EXTERN NSSPublicKey *
+NSSTrustDomain_ImportEncodedPublicKey
+(
+  NSSTrustDomain *td,
+  NSSBER *ber
+);
+
+/* Other importations: S/MIME capabilities */
+
+/*
+ * NSSTrustDomain_FindBestCertificateByNickname
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_FindBestCertificateByNickname
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *name,
+  NSSTime *timeOpt, /* NULL for "now" */
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt /* NULL for none */
+);
+
+/*
+ * NSSTrustDomain_FindCertificatesByNickname
+ *
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSTrustDomain_FindCertificatesByNickname
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *name,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSTrustDomain_FindCertificateByIssuerAndSerialNumber
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_FindCertificateByIssuerAndSerialNumber
+(
+  NSSTrustDomain *td,
+  NSSDER *issuer,
+  NSSDER *serialNumber
+);
+
+/*
+ * NSSTrustDomain_FindCertificatesByIssuerAndSerialNumber
+ *
+ * Theoretically, this should never happen.  However, some companies
+ * we know have issued duplicate certificates with the same issuer
+ * and serial number.  Do we just ignore them?  I'm thinking yes.
+ */
+
+/*
+ * NSSTrustDomain_FindBestCertificateBySubject
+ *
+ * This does not search through alternate names hidden in extensions.
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_FindBestCertificateBySubject
+(
+  NSSTrustDomain *td,
+  NSSDER /*NSSUTF8*/ *subject,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSTrustDomain_FindCertificatesBySubject
+ *
+ * This does not search through alternate names hidden in extensions.
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSTrustDomain_FindCertificatesBySubject
+(
+  NSSTrustDomain *td,
+  NSSDER /*NSSUTF8*/ *subject,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSTrustDomain_FindBestCertificateByNameComponents
+ *
+ * This call does try several tricks, including a pseudo pkcs#11 
+ * attribute for the ldap module to try as a query.  Eventually
+ * this call falls back to a traversal if that's what's required.
+ * It will search through alternate names hidden in extensions.
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_FindBestCertificateByNameComponents
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *nameComponents,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSTrustDomain_FindCertificatesByNameComponents
+ *
+ * This call, too, tries several tricks.  It will stop on the first
+ * attempt that generates results, so it won't e.g. traverse the
+ * entire ldap database.
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSTrustDomain_FindCertificatesByNameComponents
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *nameComponents,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSTrustDomain_FindCertificateByEncodedCertificate
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_FindCertificateByEncodedCertificate
+(
+  NSSTrustDomain *td,
+  NSSBER *encodedCertificate
+);
+
+/*
+ * NSSTrustDomain_FindBestCertificateByEmail
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_FindCertificateByEmail
+(
+  NSSTrustDomain *td,
+  NSSASCII7 *email,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSTrustDomain_FindCertificatesByEmail
+ *
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSTrustDomain_FindCertificatesByEmail
+(
+  NSSTrustDomain *td,
+  NSSASCII7 *email,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSTrustDomain_FindCertificateByOCSPHash
+ *
+ * There can be only one.
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_FindCertificateByOCSPHash
+(
+  NSSTrustDomain *td,
+  NSSItem *hash
+);
+
+/*
+ * NSSTrustDomain_TraverseCertificates
+ *
+ * This function descends from one in older versions of NSS which
+ * traverses the certs in the permanent database.  That function
+ * was used to implement selection routines, but was directly
+ * available too.  Trust domains are going to contain a lot more
+ * certs now (e.g., an ldap server), so we'd really like to
+ * discourage traversal.  Thus for now, this is commented out.
+ * If it's needed, let's look at the situation more closely to
+ * find out what the actual requirements are.
+ */
+ 
+/* For now, adding this function.  This may only be for debugging
+ * purposes.
+ * Perhaps some equivalent function, on a specified token, will be
+ * needed in a "friend" header file?
+ */
+NSS_EXTERN PRStatus *
+NSSTrustDomain_TraverseCertificates
+(
+  NSSTrustDomain *td,
+  PRStatus (*callback)(NSSCertificate *c, void *arg),
+  void *arg
+);
+
+/*
+ * NSSTrustDomain_FindBestUserCertificate
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_FindBestUserCertificate
+(
+  NSSTrustDomain *td,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSTrustDomain_FindUserCertificates
+ *
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSTrustDomain_FindUserCertificates
+(
+  NSSTrustDomain *td,
+  NSSTime *timeOpt,
+  NSSUsage *usageOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSTrustDomain_FindBestUserCertificateForSSLClientAuth
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_FindBestUserCertificateForSSLClientAuth
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *sslHostOpt,
+  NSSDER *rootCAsOpt[], /* null pointer for none */
+  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSTrustDomain_FindUserCertificatesForSSLClientAuth
+ *
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSTrustDomain_FindUserCertificatesForSSLClientAuth
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *sslHostOpt,
+  NSSDER *rootCAsOpt[], /* null pointer for none */
+  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSTrustDomain_FindBestUserCertificateForEmailSigning
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSTrustDomain_FindBestUserCertificateForEmailSigning
+(
+  NSSTrustDomain *td,
+  NSSASCII7 *signerOpt,
+  NSSASCII7 *recipientOpt,
+  /* anything more here? */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSTrustDomain_FindUserCertificatesForEmailSigning
+ *
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSTrustDomain_FindUserCertificatesForEmailSigning
+(
+  NSSTrustDomain *td,
+  NSSASCII7 *signerOpt,
+  NSSASCII7 *recipientOpt,
+  /* anything more here? */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+);
+
+/*
+ * Here is where we'd add more Find[Best]UserCertificate[s]For<usage>
+ * routines.
+ */
+
+/* Private Keys */
+
+/*
+ * NSSTrustDomain_GenerateKeyPair
+ *
+ * Creates persistant objects.  If you want session objects, use
+ * NSSCryptoContext_GenerateKeyPair.  The destination token is where
+ * the keys are stored.  If that token can do the required math, then
+ * that's where the keys are generated too.  Otherwise, the keys are
+ * generated elsewhere and moved to that token.
+ */
+
+NSS_EXTERN PRStatus
+NSSTrustDomain_GenerateKeyPair
+(
+  NSSTrustDomain *td,
+  NSSAlgorithmAndParameters *ap,
+  NSSPrivateKey **pvkOpt,
+  NSSPublicKey **pbkOpt,
+  PRBool privateKeyIsSensitive,
+  NSSToken *destination,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSTrustDomain_TraversePrivateKeys
+ *
+ * 
+ * NSS_EXTERN PRStatus *
+ * NSSTrustDomain_TraversePrivateKeys
+ * (
+ *   NSSTrustDomain *td,
+ *   PRStatus (*callback)(NSSPrivateKey *vk, void *arg),
+ *   void *arg
+ * );
+ */
+
+/* Symmetric Keys */
+
+/*
+ * NSSTrustDomain_GenerateSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSTrustDomain_GenerateSymmetricKey
+(
+  NSSTrustDomain *td,
+  NSSAlgorithmAndParameters *ap,
+  PRUint32 keysize,
+  NSSToken *destination,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSTrustDomain_GenerateSymmetricKeyFromPassword
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSTrustDomain_GenerateSymmetricKeyFromPassword
+(
+  NSSTrustDomain *td,
+  NSSAlgorithmAndParameters *ap,
+  NSSUTF8 *passwordOpt, /* if null, prompt */
+  NSSToken *destinationOpt,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSTrustDomain_FindSymmetricKeyByAlgorithm
+ *
+ * Is this still needed?
+ * 
+ * NSS_EXTERN NSSSymmetricKey *
+ * NSSTrustDomain_FindSymmetricKeyByAlgorithm
+ * (
+ *   NSSTrustDomain *td,
+ *   NSSOID *algorithm,
+ *   NSSCallback *uhhOpt
+ * );
+ */
+
+/*
+ * NSSTrustDomain_FindSymmetricKeyByAlgorithmAndKeyID
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSTrustDomain_FindSymmetricKeyByAlgorithmAndKeyID
+(
+  NSSTrustDomain *td,
+  NSSOID *algorithm,
+  NSSItem *keyID,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSTrustDomain_TraverseSymmetricKeys
+ *
+ * 
+ * NSS_EXTERN PRStatus *
+ * NSSTrustDomain_TraverseSymmetricKeys
+ * (
+ *   NSSTrustDomain *td,
+ *   PRStatus (*callback)(NSSSymmetricKey *mk, void *arg),
+ *   void *arg
+ * );
+ */
+
+/*
+ * NSSTrustDomain_CreateCryptoContext
+ *
+ * If a callback object is specified, it becomes the for the crypto
+ * context; otherwise, this trust domain's default (if any) is
+ * inherited.
+ */
+
+NSS_EXTERN NSSCryptoContext *
+NSSTrustDomain_CreateCryptoContext
+(
+  NSSTrustDomain *td,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSTrustDomain_CreateCryptoContextForAlgorithm
+ *
+ */
+
+NSS_EXTERN NSSCryptoContext *
+NSSTrustDomain_CreateCryptoContextForAlgorithm
+(
+  NSSTrustDomain *td,
+  NSSOID *algorithm
+);
+
+/*
+ * NSSTrustDomain_CreateCryptoContextForAlgorithmAndParameters
+ *
+ */
+
+NSS_EXTERN NSSCryptoContext *
+NSSTrustDomain_CreateCryptoContextForAlgorithmAndParameters
+(
+  NSSTrustDomain *td,
+  NSSAlgorithmAndParameters *ap
+);
+
+/* find/traverse other objects, e.g. s/mime profiles */
+
+/*
+ * NSSCryptoContext
+ *
+ * A crypto context is sort of a short-term snapshot of a trust domain,
+ * used for the life of "one crypto operation."  You can also think of
+ * it as a "temporary database."
+ * 
+ * Just about all of the things you can do with a trust domain -- importing
+ * or creating certs, keys, etc. -- can be done with a crypto context.
+ * The difference is that the objects will be temporary ("session") objects.
+ * 
+ * Also, if the context was created for a key, cert, and/or algorithm; or
+ * if such objects have been "associated" with the context, then the context
+ * can do everything the keys can, like crypto operations.
+ * 
+ * And finally, because it keeps the state of the crypto operations, it
+ * can do streaming crypto ops.
+ */
+
+/*
+ * NSSTrustDomain_Destroy
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_Destroy
+(
+  NSSCryptoContext *cc
+);
+
+/* establishing a default callback */
+
+/*
+ * NSSCryptoContext_SetDefaultCallback
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_SetDefaultCallback
+(
+  NSSCryptoContext *cc,
+  NSSCallback *newCallback,
+  NSSCallback **oldCallbackOpt
+);
+
+/*
+ * NSSCryptoContext_GetDefaultCallback
+ *
+ */
+
+NSS_EXTERN NSSCallback *
+NSSCryptoContext_GetDefaultCallback
+(
+  NSSCryptoContext *cc,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSCryptoContext_GetTrustDomain
+ *
+ */
+
+NSS_EXTERN NSSTrustDomain *
+NSSCryptoContext_GetTrustDomain
+(
+  NSSCryptoContext *cc
+);
+
+/* AddModule, etc: should we allow "temporary" changes here? */
+/* DisableToken, etc: ditto */
+/* Ordering of tokens? */
+/* Finding slots+token etc. */
+/* login+logout */
+
+/* Importing things */
+
+/*
+ * NSSCryptoContext_ImportCertificate
+ *
+ * If there's not a "distinguished certificate" for this context, this
+ * sets the specified one to be it.
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_ImportCertificate
+(
+  NSSCryptoContext *cc,
+  NSSCertificate *c
+);
+
+/*
+ * NSSCryptoContext_ImportPKIXCertificate
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_ImportPKIXCertificate
+(
+  NSSCryptoContext *cc,
+  struct NSSPKIXCertificateStr *pc
+);
+
+/*
+ * NSSCryptoContext_ImportEncodedCertificate
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_ImportEncodedCertificate
+(
+  NSSCryptoContext *cc,
+  NSSBER *ber
+);
+
+/*
+ * NSSCryptoContext_ImportEncodedPKIXCertificateChain
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_ImportEncodedPKIXCertificateChain
+(
+  NSSCryptoContext *cc,
+  NSSBER *ber
+);
+
+/* Other importations: S/MIME capabilities
+ */
+
+/*
+ * NSSCryptoContext_FindBestCertificateByNickname
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindBestCertificateByNickname
+(
+  NSSCryptoContext *cc,
+  NSSUTF8 *name,
+  NSSTime *timeOpt, /* NULL for "now" */
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt /* NULL for none */
+);
+
+/*
+ * NSSCryptoContext_FindCertificatesByNickname
+ *
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSCryptoContext_FindCertificatesByNickname
+(
+  NSSCryptoContext *cc,
+  NSSUTF8 *name,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_FindCertificateByIssuerAndSerialNumber
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindCertificateByIssuerAndSerialNumber
+(
+  NSSCryptoContext *cc,
+  NSSDER *issuer,
+  NSSDER *serialNumber
+);
+
+/*
+ * NSSCryptoContext_FindBestCertificateBySubject
+ *
+ * This does not search through alternate names hidden in extensions.
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindBestCertificateBySubject
+(
+  NSSCryptoContext *cc,
+  NSSDER /*NSSUTF8*/ *subject,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSCryptoContext_FindCertificatesBySubject
+ *
+ * This does not search through alternate names hidden in extensions.
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSCryptoContext_FindCertificatesBySubject
+(
+  NSSCryptoContext *cc,
+  NSSDER /*NSSUTF8*/ *subject,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_FindBestCertificateByNameComponents
+ *
+ * This call does try several tricks, including a pseudo pkcs#11 
+ * attribute for the ldap module to try as a query.  Eventually
+ * this call falls back to a traversal if that's what's required.
+ * It will search through alternate names hidden in extensions.
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindBestCertificateByNameComponents
+(
+  NSSCryptoContext *cc,
+  NSSUTF8 *nameComponents,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSCryptoContext_FindCertificatesByNameComponents
+ *
+ * This call, too, tries several tricks.  It will stop on the first
+ * attempt that generates results, so it won't e.g. traverse the
+ * entire ldap database.
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSCryptoContext_FindCertificatesByNameComponents
+(
+  NSSCryptoContext *cc,
+  NSSUTF8 *nameComponents,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_FindCertificateByEncodedCertificate
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindCertificateByEncodedCertificate
+(
+  NSSCryptoContext *cc,
+  NSSBER *encodedCertificate
+);
+
+/*
+ * NSSCryptoContext_FindBestCertificateByEmail
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindBestCertificateByEmail
+(
+  NSSCryptoContext *cc,
+  NSSASCII7 *email,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSCryptoContext_FindCertificatesByEmail
+ *
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSCryptoContext_FindCertificatesByEmail
+(
+  NSSCryptoContext *cc,
+  NSSASCII7 *email,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_FindCertificateByOCSPHash
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindCertificateByOCSPHash
+(
+  NSSCryptoContext *cc,
+  NSSItem *hash
+);
+
+/*
+ * NSSCryptoContext_TraverseCertificates
+ *
+ * 
+ * NSS_EXTERN PRStatus *
+ * NSSCryptoContext_TraverseCertificates
+ * (
+ *   NSSCryptoContext *cc,
+ *   PRStatus (*callback)(NSSCertificate *c, void *arg),
+ *   void *arg
+ * );
+ */
+
+/*
+ * NSSCryptoContext_FindBestUserCertificate
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindBestUserCertificate
+(
+  NSSCryptoContext *cc,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSCryptoContext_FindUserCertificates
+ *
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSCryptoContext_FindUserCertificates
+(
+  NSSCryptoContext *cc,
+  NSSTime *timeOpt,
+  NSSUsage *usageOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_FindBestUserCertificateForSSLClientAuth
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindBestUserCertificateForSSLClientAuth
+(
+  NSSCryptoContext *cc,
+  NSSUTF8 *sslHostOpt,
+  NSSDER *rootCAsOpt[], /* null pointer for none */
+  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSCryptoContext_FindUserCertificatesForSSLClientAuth
+ *
+ */
+
+NSS_EXTERN NSSCertificate **
+NSSCryptoContext_FindUserCertificatesForSSLClientAuth
+(
+  NSSCryptoContext *cc,
+  NSSUTF8 *sslHostOpt,
+  NSSDER *rootCAsOpt[], /* null pointer for none */
+  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_FindBestUserCertificateForEmailSigning
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindBestUserCertificateForEmailSigning
+(
+  NSSCryptoContext *cc,
+  NSSASCII7 *signerOpt,
+  NSSASCII7 *recipientOpt,
+  /* anything more here? */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt
+);
+
+/*
+ * NSSCryptoContext_FindUserCertificatesForEmailSigning
+ *
+ */
+
+NSS_EXTERN NSSCertificate *
+NSSCryptoContext_FindUserCertificatesForEmailSigning
+(
+  NSSCryptoContext *cc,
+  NSSASCII7 *signerOpt, /* fgmr or a more general name? */
+  NSSASCII7 *recipientOpt,
+  /* anything more here? */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+);
+
+/* Private Keys */
+
+/*
+ * NSSCryptoContext_GenerateKeyPair
+ *
+ * Creates session objects.  If you want persistant objects, use
+ * NSSTrustDomain_GenerateKeyPair.  The destination token is where
+ * the keys are stored.  If that token can do the required math, then
+ * that's where the keys are generated too.  Otherwise, the keys are
+ * generated elsewhere and moved to that token.
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_GenerateKeyPair
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *ap,
+  NSSPrivateKey **pvkOpt,
+  NSSPublicKey **pbkOpt,
+  PRBool privateKeyIsSensitive,
+  NSSToken *destination,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_TraversePrivateKeys
+ *
+ * 
+ * NSS_EXTERN PRStatus *
+ * NSSCryptoContext_TraversePrivateKeys
+ * (
+ *   NSSCryptoContext *cc,
+ *   PRStatus (*callback)(NSSPrivateKey *vk, void *arg),
+ *   void *arg
+ * );
+ */
+
+/* Symmetric Keys */
+
+/*
+ * NSSCryptoContext_GenerateSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSCryptoContext_GenerateSymmetricKey
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *ap,
+  PRUint32 keysize,
+  NSSToken *destination,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_GenerateSymmetricKeyFromPassword
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSCryptoContext_GenerateSymmetricKeyFromPassword
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *ap,
+  NSSUTF8 *passwordOpt, /* if null, prompt */
+  NSSToken *destinationOpt,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_FindSymmetricKeyByAlgorithm
+ *
+ * 
+ * NSS_EXTERN NSSSymmetricKey *
+ * NSSCryptoContext_FindSymmetricKeyByType
+ * (
+ *   NSSCryptoContext *cc,
+ *   NSSOID *type,
+ *   NSSCallback *uhhOpt
+ * );
+ */
+
+/*
+ * NSSCryptoContext_FindSymmetricKeyByAlgorithmAndKeyID
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSCryptoContext_FindSymmetricKeyByAlgorithmAndKeyID
+(
+  NSSCryptoContext *cc,
+  NSSOID *algorithm,
+  NSSItem *keyID,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_TraverseSymmetricKeys
+ *
+ * 
+ * NSS_EXTERN PRStatus *
+ * NSSCryptoContext_TraverseSymmetricKeys
+ * (
+ *   NSSCryptoContext *cc,
+ *   PRStatus (*callback)(NSSSymmetricKey *mk, void *arg),
+ *   void *arg
+ * );
+ */
+
+/* Crypto ops on distinguished keys */
+
+/*
+ * NSSCryptoContext_Decrypt
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_Decrypt
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *encryptedData,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_BeginDecrypt
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_BeginDecrypt
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_ContinueDecrypt
+ *
+ */
+
+/*
+ * NSSItem semantics:
+ *
+ *   If rvOpt is NULL, a new NSSItem and buffer are allocated.
+ *   If rvOpt is not null, but the buffer pointer is null,
+ *     then rvOpt is returned but a new buffer is allocated.
+ *     In this case, if the length value is not zero, then
+ *     no more than that much space will be allocated.
+ *   If rvOpt is not null and the buffer pointer is not null,
+ *     then that buffer is re-used.  No more than the buffer
+ *     length value will be used; if it's not enough, an
+ *     error is returned.  If less is used, the number is
+ *     adjusted downwards.
+ *
+ *  Note that although this is short of some ideal "Item"
+ *  definition, we can usually tell how big these buffers
+ *  have to be.
+ *
+ *  Feedback is requested; and earlier is better than later.
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_ContinueDecrypt
+(
+  NSSCryptoContext *cc,
+  NSSItem *data,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_FinishDecrypt
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_FinishDecrypt
+(
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_Sign
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_Sign
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_BeginSign
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_BeginSign
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_ContinueSign
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_ContinueSign
+(
+  NSSCryptoContext *cc,
+  NSSItem *data
+);
+
+/*
+ * NSSCryptoContext_FinishSign
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_FinishSign
+(
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_SignRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_SignRecover
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_BeginSignRecover
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_BeginSignRecover
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_ContinueSignRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_ContinueSignRecover
+(
+  NSSCryptoContext *cc,
+  NSSItem *data,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_FinishSignRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_FinishSignRecover
+(
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_UnwrapSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSCryptoContext_UnwrapSymmetricKey
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *wrappedKey,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_DeriveSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSSymmetricKey *
+NSSCryptoContext_DeriveSymmetricKey
+(
+  NSSCryptoContext *cc,
+  NSSPublicKey *bk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSOID *target,
+  PRUint32 keySizeOpt, /* zero for best allowed */
+  NSSOperations operations,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_Encrypt
+ *
+ * Encrypt a single chunk of data with the distinguished public key
+ * of this crypto context.
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_Encrypt
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_BeginEncrypt
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_BeginEncrypt
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_ContinueEncrypt
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_ContinueEncrypt
+(
+  NSSCryptoContext *cc,
+  NSSItem *data,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_FinishEncrypt
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_FinishEncrypt
+(
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_Verify
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_Verify
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSItem *signature,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_BeginVerify
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_BeginVerify
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *signature,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_ContinueVerify
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_ContinueVerify
+(
+  NSSCryptoContext *cc,
+  NSSItem *data
+);
+
+/*
+ * NSSCryptoContext_FinishVerify
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_FinishVerify
+(
+  NSSCryptoContext *cc
+);
+
+/*
+ * NSSCryptoContext_VerifyRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_VerifyRecover
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *signature,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_BeginVerifyRecover
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_BeginVerifyRecover
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_ContinueVerifyRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_ContinueVerifyRecover
+(
+  NSSCryptoContext *cc,
+  NSSItem *data,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_FinishVerifyRecover
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_FinishVerifyRecover
+(
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_WrapSymmetricKey
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_WrapSymmetricKey
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSSymmetricKey *keyToWrap,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_Digest
+ *
+ * Digest a single chunk of data with the distinguished digest key
+ * of this crypto context.
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_Digest
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhhOpt,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSCryptoContext_BeginDigest
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_BeginDigest
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhhOpt
+);
+
+/*
+ * NSSCryptoContext_ContinueDigest
+ *
+ */
+
+NSS_EXTERN PRStatus
+NSSCryptoContext_ContinueDigest
+(
+  NSSCryptoContext *cc,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *item
+);
+
+/*
+ * NSSCryptoContext_FinishDigest
+ *
+ */
+
+NSS_EXTERN NSSItem *
+NSSCryptoContext_FinishDigest
+(
+  NSSCryptoContext *cc,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * tbd: Combination ops
+ */
+
+/*
+ * NSSCryptoContext_Clone
+ *
+ */
+
+NSS_EXTERN NSSCryptoContext *
+NSSCryptoContext_Clone
+(
+  NSSCryptoContext *cc
+);
+
+/*
+ * NSSCryptoContext_Save
+ * NSSCryptoContext_Restore
+ *
+ * We need to be able to save and restore the state of contexts.
+ * Perhaps a mark-and-release mechanism would be better?
+ */
+
+/*
+ * ..._SignTBSCertificate
+ *
+ * This requires feedback from the cert server team.
+ */
+
+/*
+ * PRBool NSSCertificate_GetIsTrustedFor{xxx}(NSSCertificate *c);
+ * PRStatus NSSCertificate_SetIsTrustedFor{xxx}(NSSCertificate *c, PRBool trusted);
+ *
+ * These will be helper functions which get the trust object for a cert,
+ * and then call the corresponding function(s) on it.
+ *
+ * PKIX trust objects will have methods to manipulate the low-level trust
+ * bits (which are based on key usage and extended key usage), and also the
+ * conceptual high-level usages (e.g. ssl client auth, email encryption, etc.)
+ *
+ * Other types of trust objects (if any) might have different low-level
+ * representations, but hopefully high-level concepts would map.
+ *
+ * Only these high-level general routines would be promoted to the
+ * general certificate level here.  Hence the {xxx} above would be things
+ * like "EmailSigning."
+ *
+ *
+ * NSSPKIXTrust *NSSCertificate_GetPKIXTrustObject(NSSCertificate *c);
+ * PRStatus NSSCertificate_SetPKIXTrustObject(NSSCertificate *c, NSPKIXTrust *t);
+ *
+ * I want to hold off on any general trust object until we've investigated
+ * other models more thoroughly.
+ */
+
+PR_END_EXTERN_C
+
+#endif /* NSSPKI_H */
diff --git a/security/nss/lib/pki/nsspki.rc b/security/nss/lib/pki/nsspki.rc
new file mode 100644
index 000000000..5228cefb3
--- /dev/null
+++ b/security/nss/lib/pki/nsspki.rc
@@ -0,0 +1,98 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 2001 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "nss.h"
+#include <winver.h>
+
+#define MY_LIBNAME "nsspki"
+#define MY_FILEDESCRIPTION "NSS PKI Base Library"
+
+#define STRINGIZE(x) #x
+#define STRINGIZE2(x) STRINGIZE(x)
+#define NSS_VMAJOR_STR STRINGIZE2(NSS_VMAJOR)
+
+#ifdef _DEBUG
+#define MY_DEBUG_STR " (debug)"
+#define MY_FILEFLAGS_1 VS_FF_DEBUG
+#else
+#define MY_DEBUG_STR ""
+#define MY_FILEFLAGS_1 0x0L
+#endif
+#if NSS_BETA
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
+#else
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
+#endif
+
+#ifdef WINNT
+#define MY_FILEOS VOS_NT_WINDOWS32
+#else
+#define MY_FILEOS VOS__WINDOWS32
+#endif
+
+#define MY_INTERNAL_NAME MY_LIBNAME NSS_VMAJOR_STR
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version-information resource
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
+ PRODUCTVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
+ FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
+ FILEFLAGS MY_FILEFLAGS_2
+ FILEOS MY_FILEOS
+ FILETYPE VFT_DLL
+ FILESUBTYPE 0x0L // not used
+
+BEGIN
+    BLOCK "StringFileInfo"
+    BEGIN
+        BLOCK "040904B0" // Lang=US English, CharSet=Unicode
+        BEGIN
+            VALUE "CompanyName", "Netscape Communications Corporation\0"
+            VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
+            VALUE "FileVersion", NSS_VERSION "\0"
+            VALUE "InternalName", MY_INTERNAL_NAME "\0"
+            VALUE "LegalCopyright", "Copyright \251 1994-2001 Netscape Communications Corporation\0"
+            VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
+            VALUE "ProductName", "Network Security Services\0"
+            VALUE "ProductVersion", NSS_VERSION "\0"
+        END
+    END
+    BLOCK "VarFileInfo"
+    BEGIN
+        VALUE "Translation", 0x409, 1200
+    END
+END
diff --git a/security/nss/lib/pki/nsspkit.h b/security/nss/lib/pki/nsspkit.h
new file mode 100644
index 000000000..6083ac0f8
--- /dev/null
+++ b/security/nss/lib/pki/nsspkit.h
@@ -0,0 +1,271 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef NSSPKIT_H
+#define NSSPKIT_H
+
+#ifdef DEBUG
+static const char NSSPKIT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * nsspkit.h
+ *
+ * This file defines the types of the top-level PKI objects.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * NSSCertificate
+ *
+ * This is the public representation of a Certificate.  The certificate
+ * may be one found on a smartcard or other token, one decoded from data
+ * received as part of a protocol, one constructed from constituent
+ * parts, etc.  Usually it is associated with ("in") a trust domain; as
+ * it can be verified only within a trust domain.  The underlying type
+ * of certificate may be of any supported standard, e.g. PKIX, PGP, etc.
+ *
+ * People speak of "verifying (with) the server's, or correspondant's, 
+ * certificate"; for simple operations we support that simplification
+ * by implementing public-key crypto operations as methods on this type.
+ */
+
+struct NSSCertificateStr;
+typedef struct NSSCertificateStr NSSCertificate;
+
+/*
+ * NSSUserCertificate
+ *
+ * A ``User'' certificate is one for which the private key is available.
+ * People speak of "using my certificate to sign my email" and "using
+ * my certificate to authenticate to (or login to) the server"; for
+ * simple operations, we support that simplification by implementing
+ * private-key crypto operations as methods on this type.
+ *
+ * The current design only weakly distinguishes between certificates
+ * and user certificates: as far as the compiler goes they're 
+ * interchangable; debug libraries only have one common pointer-tracker;
+ * etc.  However, attempts to do private-key operations on a certificate
+ * for which the private key is not available will fail.
+ *
+ * Open design question: should these types be more firmly separated?
+ */
+
+typedef NSSCertificate NSSUserCertificate;
+
+/*
+ * NSSPrivateKey
+ *
+ * This is the public representation of a Private Key.  In general,
+ * the actual value of the key is not available, but operations may
+ * be performed with it.
+ */
+
+struct NSSPrivateKeyStr;
+typedef struct NSSPrivateKeyStr NSSPrivateKey;
+
+/*
+ * NSSPublicKey
+ *
+ */
+
+struct NSSPublicKeyStr;
+typedef struct NSSPublicKeyStr NSSPublicKey;
+
+/*
+ * NSSSymmetricKey
+ *
+ */
+
+struct NSSSymmetricKeyStr;
+typedef struct NSSSymmetricKeyStr NSSSymmetricKey;
+
+/*
+ * NSSTrustDomain
+ *
+ * A Trust Domain is the field in which certificates may be validated.
+ * A trust domain will generally have one or more cryptographic modules
+ * open; these modules perform the cryptographic operations, and 
+ * provide the basic "root" trust information from which the trust in
+ * a specific certificate or key depends.
+ *
+ * A client program, or a simple server, would typically have one
+ * trust domain.  A server supporting multiple "virtual servers" might
+ * have a separate trust domain for each virtual server.  The separate
+ * trust domains might share some modules (e.g., a hardware crypto
+ * accelerator) but not others (e.g., the tokens storing the different
+ * servers' private keys, or the databases with each server's trusted
+ * root certificates).
+ *
+ * This object descends from the "permananet database" in the old code.
+ */
+
+struct NSSTrustDomainStr;
+typedef struct NSSTrustDomainStr NSSTrustDomain;
+
+/*
+ * NSSCryptoContext
+ *
+ * A Crypto Context is a short-term, "helper" object which is used
+ * for the lifetime of one ongoing "crypto operation."  Such an
+ * operation may be the creation of a signed message, the use of an
+ * TLS socket connection, etc.  Each crypto context is "in" a
+ * specific trust domain, and it may have associated with it a
+ * distinguished certificate, public key, private key, and/or
+ * symmetric key.  It can also temporarily hold and use temporary
+ * data (e.g. intermediate certificates) which is not stored
+ * permanently in the trust domain.
+ *
+ * In OO terms, this interface inherits interfaces from the trust
+ * domain, the certificates, and the keys.  It also provides
+ * streaming crypto operations.
+ *
+ * This object descends from the "temporary database" concept in the
+ * old code, but it has changed a lot as a result of what we've 
+ * learned.
+ */
+
+typedef struct NSSCryptoContextStr NSSCryptoContext;
+
+/*
+ * fgmr others
+ */
+
+/* 
+ * NSSTime
+ *
+ * Unfortunately, we need an "exceptional" value to indicate
+ * an error upon return, or "no value" on input.  Note that zero
+ * is a perfectly valid value for both time_t and PRTime.
+ *
+ * If we were to create a "range" object, with two times for
+ * Not Before and Not After, we would have an obvious place for
+ * the somewhat arbitrary logic involved in comparing them.
+ *
+ * Failing that, let's have an NSSTime_CompareRanges function.
+ */
+
+struct NSSTimeStr;
+typedef struct NSSTimeStr NSSTime;
+
+struct NSSTrustStr;
+typedef struct NSSTrustStr NSSTrust;
+
+/*
+ * NSSUsage
+ *
+ * This is trickier than originally planned; I'll write up a
+ * doc on it.
+ *
+ * We'd still like nsspki.h to have a list of common usages,
+ * e.g.:
+ *
+ *  extern const NSSUsage *NSSUsage_ClientAuth;
+ *  extern const NSSUsage *NSSUsage_ServerAuth;
+ *  extern const NSSUsage *NSSUsage_SignEmail;
+ *  extern const NSSUsage *NSSUsage_EncryptEmail;
+ *  etc.
+ */
+
+struct NSSUsageStr;
+typedef struct NSSUsageStr NSSUsage;
+
+/*
+ * NSSPolicies
+ *
+ * Placeholder, for now.
+ */
+
+struct NSSPoliciesStr;
+typedef struct NSSPoliciesStr NSSPolicies;
+
+/*
+ * NSSAlgorithmAndParameters
+ *
+ * Algorithm is an OID
+ * Parameters depend on the algorithm
+ */
+
+struct NSSAlgorithmAndParametersStr;
+typedef struct NSSAlgorithmAndParametersStr NSSAlgorithmAndParameters;
+
+/*
+ * NSSCallback
+ *
+ * At minimum, a "challenge" method and a closure argument.
+ * Usually the challenge will just be prompting for a password.
+ * How OO do we want to make it?
+ */
+
+typedef struct NSSCallbackStr NSSCallback;
+
+struct NSSCallbackStr {
+    /* Prompt for a password to initialize a slot.  */
+    PRStatus (* getInitPW)(NSSUTF8 *slotName, void *arg, 
+                           NSSUTF8 **ssoPW, NSSUTF8 **userPW); 
+    /* Prompt for oldPW and newPW in order to change the 
+     * password on a slot.  
+     */
+    PRStatus (* getNewPW)(NSSUTF8 *slotName, PRUint32 *retries, void *arg,
+                          NSSUTF8 **oldPW, NSSUTF8 **newPW); 
+    /* Prompt for slot password.  */
+    PRStatus (* getPW)(NSSUTF8 *slotName, PRUint32 *retries, void *arg,
+                       NSSUTF8 **password); 
+    void *arg;
+};
+
+/* set errors - user cancelled, ... */
+
+typedef PRUint32 NSSOperations;
+/* 1) Do we want these to be preprocessor definitions or constants? */
+/* 2) What is the correct and complete list? */
+
+#define NSSOperations_ENCRYPT           0x0001
+#define NSSOperations_DECRYPT           0x0002
+#define NSSOperations_WRAP              0x0004
+#define NSSOperations_UNWRAP            0x0008
+#define NSSOperations_SIGN              0x0010
+#define NSSOperations_SIGN_RECOVER      0x0020
+#define NSSOperations_VERIFY            0x0040
+#define NSSOperations_VERIFY_RECOVER    0x0080
+
+struct NSSPKIXCertificateStr;
+
+PR_END_EXTERN_C
+
+#endif /* NSSPKIT_H */
diff --git a/security/nss/lib/pki/pki.h b/security/nss/lib/pki/pki.h
new file mode 100644
index 000000000..4460b52be
--- /dev/null
+++ b/security/nss/lib/pki/pki.h
@@ -0,0 +1,127 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef PKI_H
+#define PKI_H
+
+#ifdef DEBUG
+static const char PKI_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIT_H
+#include "pkit.h"
+#endif /* PKIT_H */
+
+#ifndef NSSDEVT_H
+#include "nssdevt.h"
+#endif /* NSSDEVT_H */
+
+PR_BEGIN_EXTERN_C
+
+NSS_EXTERN NSSCertificate *
+nssCertificate_AddRef
+(
+  NSSCertificate *c
+);
+
+NSS_EXTERN NSSUTF8 *
+NSSCertificate_GetNickname
+(
+  NSSCertificate *c,
+  NSSToken *tokenOpt
+);
+
+/* putting here for now, needs more thought */
+NSS_EXTERN PRStatus
+nssCryptoContext_ImportTrust
+(
+  NSSCryptoContext *cc,
+  NSSTrust *trust
+);
+
+NSS_EXTERN NSSTrust *
+nssCryptoContext_FindTrustForCertificate
+(
+  NSSCryptoContext *cc,
+  NSSCertificate *cert
+);
+
+NSS_EXTERN PRStatus
+nssCryptoContext_ImportSMIMEProfile
+(
+  NSSCryptoContext *cc,
+  nssSMIMEProfile *profile
+);
+
+NSS_EXTERN nssSMIMEProfile *
+nssCryptoContext_FindSMIMEProfileForCertificate
+(
+  NSSCryptoContext *cc,
+  NSSCertificate *cert
+);
+
+NSS_EXTERN NSSTrust *
+nssTrust_AddRef
+(
+  NSSTrust *trust
+);
+
+NSS_EXTERN PRStatus
+nssTrust_Destroy
+(
+  NSSTrust *trust
+);
+
+NSS_EXTERN nssSMIMEProfile *
+nssSMIMEProfile_AddRef
+(
+  nssSMIMEProfile *profile
+);
+
+NSS_EXTERN PRStatus
+nssSMIMEProfile_Destroy
+(
+  nssSMIMEProfile *profile
+);
+
+NSS_EXTERN nssSMIMEProfile *
+nssSMIMEProfile_Create
+(
+  NSSCertificate *cert,
+  NSSItem *profileTime,
+  NSSItem *profileData
+);
+
+PR_END_EXTERN_C
+
+#endif /* PKI_H */
diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c
new file mode 100644
index 000000000..8a8d3bf63
--- /dev/null
+++ b/security/nss/lib/pki/pki3hack.c
@@ -0,0 +1,1295 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * Hacks to integrate NSS 3.4 and NSS 4.0 certificates.
+ */
+
+#ifndef NSSPKI_H
+#include "nsspki.h"
+#endif /* NSSPKI_H */
+
+#ifndef PKI_H
+#include "pki.h"
+#endif /* PKI_H */
+
+#ifndef PKIM_H
+#include "pkim.h"
+#endif /* PKIM_H */
+
+#ifndef DEV_H
+#include "dev.h"
+#endif /* DEV_H */
+
+#ifndef DEVNSS3HACK_H
+#include "dev3hack.h"
+#endif /* DEVNSS3HACK_H */
+
+#ifndef PKINSS3HACK_H
+#include "pki3hack.h"
+#endif /* PKINSS3HACK_H */
+
+#include "secitem.h"
+#include "certdb.h"
+#include "certt.h"
+#include "cert.h"
+#include "pk11func.h"
+#include "pkistore.h"
+#include "secmod.h"
+
+/* if it's got more than 10 certs, it better handle traversal well */
+#define NSSTOKEN_MAX_LOCAL_CERTS 10
+
+NSSTrustDomain *g_default_trust_domain = NULL;
+
+NSSCryptoContext *g_default_crypto_context = NULL;
+
+NSSTrustDomain *
+STAN_GetDefaultTrustDomain()
+{
+    return g_default_trust_domain;
+}
+
+NSSCryptoContext *
+STAN_GetDefaultCryptoContext()
+{
+    return g_default_crypto_context;
+}
+
+NSS_IMPLEMENT NSSToken *
+STAN_GetDefaultCryptoToken
+(
+  void
+)
+{
+    PK11SlotInfo *pk11slot = PK11_GetInternalSlot();
+    return PK11Slot_GetNSSToken(pk11slot);
+}
+
+static CERTCertificate *
+stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate);
+
+/* stuff the cert in the global trust domain cache, and then add a reference
+ * to remain with the token in a list.
+ */
+static PRStatus
+cache_token_cert(NSSCertificate *c, void *arg)
+{
+    NSSToken *token = (NSSToken *)arg;
+    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
+    NSSCertificate *cp = nssCertificate_AddRef(c);
+    if (nssList_Count(token->certList) > NSSTOKEN_MAX_LOCAL_CERTS) {
+	nssToken_DestroyCertList(token, PR_TRUE);
+	/* terminate the traversal */
+	return PR_FAILURE;
+    }
+    nssTrustDomain_AddCertsToCache(td, &c, 1);
+    if (cp == c) {
+	NSSCertificate_Destroy(cp);
+    } else {
+	/* The cert was already in the cache, from another token.  Add this
+	 * token's instance to the cert.
+	 */
+	nssCryptokiInstance *tokenInstance, *instance;
+	nssList_GetArray(cp->object.instanceList, (void **)&tokenInstance, 1);
+	instance = nssCryptokiInstance_Create(c->object.arena, token,
+	                                      tokenInstance->handle, PR_TRUE);
+	nssList_Add(c->object.instanceList, instance);
+	nssListIterator_Destroy(c->object.instances);
+	c->object.instances = nssList_CreateIterator(c->object.instanceList);
+    }
+    /* This list reference persists with the token */
+    nssList_Add(token->certList, nssCertificate_AddRef(c));
+    /* The cert needs to become external (made into a CERTCertificate)
+     * in order for it to be properly released.
+     * Force an update of the nickname and slot fields.
+     */
+    (void)stan_GetCERTCertificate(c, PR_TRUE);
+    return PR_SUCCESS;
+}
+
+static void remove_token_instance(NSSCertificate *c, NSSToken *token)
+{
+    nssListIterator *instances;
+    nssCryptokiInstance *instance, *rmInstance = NULL;
+    instances = c->object.instances;
+    for (instance  = (nssCryptokiInstance *)nssListIterator_Start(instances);
+         instance != (nssCryptokiInstance *)NULL;
+         instance  = (nssCryptokiInstance *)nssListIterator_Next(instances))
+    {
+	if (instance->token == token) {
+	    rmInstance = instance;
+	    break;
+	}
+    }
+    nssListIterator_Finish(instances);
+    if (rmInstance) {
+	nssList_Remove(c->object.instanceList, rmInstance);
+	nssListIterator_Destroy(instances);
+	c->object.instances = nssList_CreateIterator(c->object.instanceList);
+    }
+}
+
+static PRBool instance_destructor(NSSCertificate *c, NSSToken *token)
+{
+    remove_token_instance(c, token);
+    if (nssList_Count(c->object.instanceList) == 0) {
+	return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+NSS_IMPLEMENT void
+destroy_token_certs(nssList *certList, NSSToken *token, PRBool renewInstances)
+{
+    nssListIterator *certs;
+    NSSCertificate *cert;
+    PRBool removeIt;
+    certs = nssList_CreateIterator(certList);
+    for (cert  = (NSSCertificate *)nssListIterator_Start(certs);
+         cert != (NSSCertificate *)NULL;
+         cert  = (NSSCertificate *)nssListIterator_Next(certs))
+    {
+	removeIt = instance_destructor(cert, token);
+	if (removeIt) {
+	    nssList_Remove(certList, cert);
+	    CERT_DestroyCertificate(STAN_GetCERTCertificate(cert));
+	} else if (renewInstances) {
+	    /* force an update of the nickname and slot fields of the cert */
+	    (void)stan_GetCERTCertificate(cert, PR_TRUE);
+	}
+    }
+    nssListIterator_Finish(certs);
+    nssListIterator_Destroy(certs);
+}
+
+NSS_IMPLEMENT void
+nssCertificateList_DestroyTokenCerts(nssList *certList, NSSToken *token)
+{
+    destroy_token_certs(certList, token, PR_TRUE);
+}
+
+NSS_IMPLEMENT void
+nssCertificateList_RemoveTokenCerts(nssList *certList, NSSToken *token)
+{
+    nssListIterator *certs;
+    NSSCertificate *cert;
+    PRBool removeIt;
+    certs = nssList_CreateIterator(certList);
+    for (cert  = (NSSCertificate *)nssListIterator_Start(certs);
+         cert != (NSSCertificate *)NULL;
+         cert  = (NSSCertificate *)nssListIterator_Next(certs))
+    {
+	removeIt = instance_destructor(cert, token);
+	if (removeIt) {
+	    nssList_Remove(certList, cert);
+	} else {
+	    /* force an update of the nickname and slot fields of the cert */
+	    (void)stan_GetCERTCertificate(cert, PR_TRUE);
+	}
+    }
+    nssListIterator_Finish(certs);
+    nssListIterator_Destroy(certs);
+}
+
+/* destroy the list of certs on a token */
+NSS_IMPLEMENT void
+nssToken_DestroyCertList(NSSToken *token, PRBool renewInstances)
+{
+    if (!token->certList) {
+	return;
+    }
+    destroy_token_certs(token->certList, token, renewInstances);
+    nssList_Clear(token->certList, NULL);
+    /* leave the list non-null to prevent it from being searched */
+}
+
+/* create a list of local cert references for certain tokens */
+NSS_IMPLEMENT PRStatus
+nssToken_LoadCerts(NSSToken *token)
+{
+    PRStatus nssrv = PR_SUCCESS;
+    nssTokenCertSearch search;
+    if (!PK11_IsInternal(token->pk11slot) && PK11_IsHW(token->pk11slot)) {
+	/* Hardware token certs will be immediately cached, and no searches
+	 * will be performed on the token (the certs will be discovered by
+	 * cache lookups)
+	 */
+	search.callback = cache_token_cert;
+	search.cbarg = token;
+	search.cached = NULL;
+	search.searchType = nssTokenSearchType_TokenOnly;
+	if (!token->certList) {
+	    token->certList = nssList_Create(token->arena, PR_FALSE);
+	    if (!token->certList) {
+		return PR_FAILURE;
+	    }
+	} else if (nssList_Count(token->certList) > 0) {
+	    /* already been done */
+	    return PR_SUCCESS;
+	}
+	/* ignore the rv, just work without the list */
+	(void)nssToken_TraverseCertificates(token, NULL, &search);
+	(void)nssToken_SetTrustCache(token);
+	(void)nssToken_SetCrlCache(token);
+
+	/* even if there are no certs, leave a valid list pointer should
+	 * any be imported.  Having the pointer will also prevent searches,
+	 * see below.
+	 */
+	if (nssList_Count(token->certList) == 0 &&
+	    !PK11_IsLoggedIn(token->pk11slot, NULL)) {
+	    /* If the token is not logged in, that may be the reason no
+	     * certs were found.
+	     */
+	    token->loggedIn = PR_FALSE;
+	}
+    }
+    return nssrv;
+}
+
+NSS_IMPLEMENT void
+nssToken_UpdateTrustForCerts(NSSToken *token)
+{
+    nssListIterator *certs;
+    NSSCertificate *cert;
+    certs = nssList_CreateIterator(token->certList);
+    for (cert  = (NSSCertificate *)nssListIterator_Start(certs);
+         cert != (NSSCertificate *)NULL;
+         cert  = (NSSCertificate *)nssListIterator_Next(certs))
+    {
+	CERTCertificate *cc = STAN_GetCERTCertificate(cert);
+	cc->trust = NULL;
+	/* force an update of the trust fields of the CERTCertificate */
+	(void)stan_GetCERTCertificate(cert, PR_FALSE);
+    }
+    nssListIterator_Finish(certs);
+    nssListIterator_Destroy(certs);
+}
+
+NSS_IMPLEMENT PRBool
+nssToken_SearchCerts
+(
+  NSSToken *token,
+  PRBool *notPresentOpt
+)
+{
+    if (notPresentOpt) {
+	*notPresentOpt = PR_FALSE;
+    }
+    if (!nssToken_IsPresent(token)) {
+	nssToken_DestroyCertList(token, PR_TRUE); /* will free cached certs */
+	if (notPresentOpt) {
+	    *notPresentOpt = PR_TRUE;
+	}
+    } else if (token->certList && 
+	       nssList_Count(token->certList) == 0 &&
+	       !token->loggedIn) {
+	/* If the token has no cached certs, but wasn't logged in, check
+	 * to see if it is logged in now and retry
+	 */
+	if (PK11_IsLoggedIn(token->pk11slot, NULL)) {
+	    token->loggedIn = PR_TRUE;
+	    nssToken_LoadCerts(token);
+	}
+    }
+    return (PRBool) (token->certList == NULL);
+}
+
+NSS_IMPLEMENT PRStatus
+STAN_LoadDefaultNSS3TrustDomain
+(
+  void
+)
+{
+    NSSTrustDomain *td;
+    NSSToken *token;
+    PK11SlotList *list;
+    PK11SlotListElement *le;
+    SECMODModuleList *mlp;
+    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
+    int i;
+
+    td = NSSTrustDomain_Create(NULL, NULL, NULL, NULL);
+    if (!td) {
+	return PR_FAILURE;
+    }
+    td->tokenList = nssList_Create(td->arena, PR_TRUE);
+    SECMOD_GetReadLock(moduleLock);
+    for (mlp = SECMOD_GetDefaultModuleList(); mlp != NULL; mlp=mlp->next) {
+	for (i=0; i < mlp->module->slotCount; i++) {
+	    token = nssToken_CreateFromPK11SlotInfo(td, mlp->module->slots[i]);
+	    PK11Slot_SetNSSToken(mlp->module->slots[i], token);
+	    nssList_Add(td->tokenList, token);
+	}
+    }
+    SECMOD_ReleaseReadLock(moduleLock);
+    g_default_trust_domain = td;
+    g_default_crypto_context = NSSTrustDomain_CreateCryptoContext(td, NULL);
+    /* Cache hardware token certs with the token to make them persistent */
+    td->tokens = nssList_CreateIterator(td->tokenList);
+    for (token =  (NSSToken *)nssListIterator_Start(td->tokens);
+         token != (NSSToken *)NULL;
+	 token =  (NSSToken *)nssListIterator_Next(td->tokens)) 
+    {
+	nssToken_LoadCerts(token);
+    }
+    nssListIterator_Finish(td->tokens);
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT SECStatus
+STAN_AddModuleToDefaultTrustDomain
+(
+  SECMODModule *module
+)
+{
+    NSSToken *token;
+    NSSTrustDomain *td;
+    int i;
+    td = STAN_GetDefaultTrustDomain();
+    for (i=0; i<module->slotCount; i++) {
+	token = nssToken_CreateFromPK11SlotInfo(td, module->slots[i]);
+	PK11Slot_SetNSSToken(module->slots[i], token);
+	nssToken_LoadCerts(token);
+	nssList_Add(td->tokenList, token);
+    }
+    nssListIterator_Destroy(td->tokens);
+    td->tokens = nssList_CreateIterator(td->tokenList);
+    return SECSuccess;
+}
+
+NSS_IMPLEMENT void
+STAN_DestroyNSSToken(NSSToken *token)
+{
+    if (token->certList) {
+	nssToken_DestroyCertList(token, PR_FALSE);
+    }
+    nssToken_Destroy(token);
+}
+
+NSS_IMPLEMENT SECStatus
+STAN_RemoveModuleFromDefaultTrustDomain
+(
+  SECMODModule *module
+)
+{
+    NSSToken *token;
+    NSSTrustDomain *td;
+    int i;
+    td = STAN_GetDefaultTrustDomain();
+    for (i=0; i<module->slotCount; i++) {
+	token = PK11Slot_GetNSSToken(module->slots[i]);
+	if (token) {
+	    nssList_Remove(td->tokenList, token);
+	    STAN_DestroyNSSToken(token);
+ 	}
+    }
+    nssListIterator_Destroy(td->tokens);
+    td->tokens = nssList_CreateIterator(td->tokenList);
+    return SECSuccess;
+}
+
+NSS_IMPLEMENT void
+STAN_Shutdown()
+{
+    if (g_default_trust_domain) {
+	NSSTrustDomain_Destroy(g_default_trust_domain);
+    }
+    if (g_default_crypto_context) {
+	NSSCryptoContext_Destroy(g_default_crypto_context);
+    }
+}
+
+/* this function should not be a hack; it will be needed in 4.0 (rename) */
+NSS_IMPLEMENT NSSItem *
+STAN_GetCertIdentifierFromDER(NSSArena *arenaOpt, NSSDER *der)
+{
+    NSSItem *rvKey;
+    SECItem secDER;
+    SECItem secKey = { 0 };
+    SECStatus secrv;
+    PRArenaPool *arena;
+
+    SECITEM_FROM_NSSITEM(&secDER, der);
+
+    /* nss3 call uses nss3 arena's */
+    arena = PORT_NewArena(256);
+    if (!arena) {
+	return NULL;
+    }
+    secrv = CERT_KeyFromDERCert(arena, &secDER, &secKey);
+    if (secrv != SECSuccess) {
+	return NULL;
+    }
+    rvKey = nssItem_Create(arenaOpt, NULL, secKey.len, (void *)secKey.data);
+    PORT_FreeArena(arena,PR_FALSE);
+    return rvKey;
+}
+
+static NSSItem *
+nss3certificate_getIdentifier(nssDecodedCert *dc)
+{
+    NSSItem *rvID;
+    CERTCertificate *c = (CERTCertificate *)dc->data;
+    rvID = nssItem_Create(NULL, NULL, c->certKey.len, c->certKey.data);
+    return rvID;
+}
+
+static NSSItem *
+nss3certificate_getIssuerIdentifier(nssDecodedCert *dc)
+{
+    CERTCertificate *c = (CERTCertificate *)dc->data;
+    CERTAuthKeyID *cAuthKeyID;
+    PRArenaPool *tmpArena = NULL;
+    SECItem issuerCertKey;
+    NSSItem *rvID = NULL;
+    SECStatus secrv;
+    tmpArena = PORT_NewArena(512);
+    cAuthKeyID = CERT_FindAuthKeyIDExten(tmpArena, c);
+    if (cAuthKeyID == NULL) {
+	goto done;
+    }
+    if (cAuthKeyID->keyID.data) {
+	rvID = nssItem_Create(NULL, NULL, cAuthKeyID->keyID.len, 
+						cAuthKeyID->keyID.data);
+    } else if (cAuthKeyID->authCertIssuer) {
+	SECItem *caName = NULL;
+	CERTIssuerAndSN issuerSN;
+	CERTCertificate *issuer = NULL;
+
+	caName = (SECItem *)CERT_GetGeneralNameByType(
+	                                        cAuthKeyID->authCertIssuer,
+						certDirectoryName, PR_TRUE);
+	if (caName == NULL) {
+	    goto done;
+	}
+	issuerSN.derIssuer.data = caName->data;
+	issuerSN.derIssuer.len = caName->len;
+	issuerSN.serialNumber.data = cAuthKeyID->authCertSerialNumber.data;
+	issuerSN.serialNumber.len = cAuthKeyID->authCertSerialNumber.len;
+	issuer = PK11_FindCertByIssuerAndSN(NULL, &issuerSN, NULL);
+	if (issuer) {
+	    rvID = nssItem_Create(NULL, NULL, issuer->subjectKeyID.len, 
+	    			issuer->subjectKeyID.data);
+	    CERT_DestroyCertificate(issuer);
+	}
+    }
+done:
+    if (tmpArena) PORT_FreeArena(tmpArena, PR_FALSE);
+    return rvID;
+}
+
+static PRBool
+nss3certificate_matchIdentifier(nssDecodedCert *dc, NSSItem *id)
+{
+    CERTCertificate *c = (CERTCertificate *)dc->data;
+    SECItem *subjectKeyID, authKeyID;
+    subjectKeyID = &c->subjectKeyID;
+    SECITEM_FROM_NSSITEM(&authKeyID, id);
+    if (SECITEM_CompareItem(subjectKeyID, &authKeyID) == SECEqual) {
+	return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+static NSSUsage *
+nss3certificate_getUsage(nssDecodedCert *dc)
+{
+    /* CERTCertificate *c = (CERTCertificate *)dc->data; */
+    return NULL;
+}
+
+static PRBool 
+nss3certificate_isValidAtTime(nssDecodedCert *dc, NSSTime *time)
+{
+    SECCertTimeValidity validity;
+    CERTCertificate *c = (CERTCertificate *)dc->data;
+    validity = CERT_CheckCertValidTimes(c, NSSTime_GetPRTime(time), PR_TRUE);
+    if (validity == secCertTimeValid) {
+	return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+static PRBool 
+nss3certificate_isNewerThan(nssDecodedCert *dc, nssDecodedCert *cmpdc)
+{
+    /* I know this isn't right, but this is glue code anyway */
+    if (cmpdc->type == dc->type) {
+	CERTCertificate *certa = (CERTCertificate *)dc->data;
+	CERTCertificate *certb = (CERTCertificate *)cmpdc->data;
+	return CERT_IsNewer(certa, certb);
+    }
+    return PR_FALSE;
+}
+
+/* CERT_FilterCertListByUsage */
+static PRBool
+nss3certificate_matchUsage(nssDecodedCert *dc, NSSUsage *usage)
+{
+    SECStatus secrv;
+    unsigned int requiredKeyUsage;
+    unsigned int requiredCertType;
+    unsigned int certType;
+    PRBool match;
+    CERTCertificate *cc = (CERTCertificate *)dc->data;
+    SECCertUsage secUsage = usage->nss3usage;
+    PRBool ca = usage->nss3lookingForCA;
+    secrv = CERT_KeyUsageAndTypeForCertUsage(secUsage, ca,
+                                             &requiredKeyUsage,
+                                             &requiredCertType);
+    if (secrv != SECSuccess) {
+	return PR_FALSE;
+    }
+    match = PR_TRUE;
+    secrv = CERT_CheckKeyUsage(cc, requiredKeyUsage);
+    if (secrv != SECSuccess) {
+	match = PR_FALSE;
+    }
+    if (ca) {
+	(void)CERT_IsCACert(cc, &certType);
+    } else {
+	certType = cc->nsCertType;
+    }
+    if (!(certType & requiredCertType)) {
+	match = PR_FALSE;
+    }
+    return match;
+}
+
+static NSSASCII7 *
+nss3certificate_getEmailAddress(nssDecodedCert *dc)
+{
+    CERTCertificate *cc = (CERTCertificate *)dc->data;
+    return cc ? (NSSASCII7 *)cc->emailAddr : NULL;
+}
+
+static PRStatus
+nss3certificate_getDERSerialNumber(nssDecodedCert *dc, 
+                                   NSSDER *serial, NSSArena *arena)
+{
+    CERTCertificate *cc = (CERTCertificate *)dc->data;
+    SECItem derSerial = { 0 };
+    SECStatus secrv;
+    secrv = CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
+    if (secrv == SECSuccess) {
+	(void)nssItem_Create(arena, serial, derSerial.len, derSerial.data);
+	PORT_Free(derSerial.data);
+	return PR_SUCCESS;
+    }
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT nssDecodedCert *
+nssDecodedPKIXCertificate_Create
+(
+  NSSArena *arenaOpt,
+  NSSDER *encoding
+)
+{
+    nssDecodedCert *rvDC;
+    SECItem secDER;
+    rvDC = nss_ZNEW(arenaOpt, nssDecodedCert);
+    rvDC->type = NSSCertificateType_PKIX;
+    SECITEM_FROM_NSSITEM(&secDER, encoding);
+    rvDC->data = (void *)CERT_DecodeDERCertificate(&secDER, PR_TRUE, NULL);
+    rvDC->getIdentifier = nss3certificate_getIdentifier;
+    rvDC->getIssuerIdentifier = nss3certificate_getIssuerIdentifier;
+    rvDC->matchIdentifier = nss3certificate_matchIdentifier;
+    rvDC->getUsage = nss3certificate_getUsage;
+    rvDC->isValidAtTime = nss3certificate_isValidAtTime;
+    rvDC->isNewerThan = nss3certificate_isNewerThan;
+    rvDC->matchUsage = nss3certificate_matchUsage;
+    rvDC->getEmailAddress = nss3certificate_getEmailAddress;
+    rvDC->getDERSerialNumber = nss3certificate_getDERSerialNumber;
+    return rvDC;
+}
+
+static nssDecodedCert *
+create_decoded_pkix_cert_from_nss3cert
+(
+  NSSArena *arenaOpt,
+  CERTCertificate *cc
+)
+{
+    nssDecodedCert *rvDC;
+    rvDC = nss_ZNEW(arenaOpt, nssDecodedCert);
+    rvDC->type = NSSCertificateType_PKIX;
+    rvDC->data = (void *)cc;
+    rvDC->getIdentifier = nss3certificate_getIdentifier;
+    rvDC->getIssuerIdentifier = nss3certificate_getIssuerIdentifier;
+    rvDC->matchIdentifier = nss3certificate_matchIdentifier;
+    rvDC->getUsage = nss3certificate_getUsage;
+    rvDC->isValidAtTime = nss3certificate_isValidAtTime;
+    rvDC->isNewerThan = nss3certificate_isNewerThan;
+    rvDC->matchUsage = nss3certificate_matchUsage;
+    rvDC->getEmailAddress = nss3certificate_getEmailAddress;
+    return rvDC;
+}
+
+NSS_IMPLEMENT PRStatus
+nssDecodedPKIXCertificate_Destroy
+(
+  nssDecodedCert *dc
+)
+{
+    CERTCertificate *cert = (CERTCertificate *)dc->data;
+    PRBool freeSlot = cert->ownSlot;
+    PK11SlotInfo *slot = cert->slot;
+    PRArenaPool *arena  = cert->arena;
+    /* zero cert before freeing. Any stale references to this cert
+     * after this point will probably cause an exception.  */
+    PORT_Memset(cert, 0, sizeof *cert);
+    /* free the arena that contains the cert. */
+    PORT_FreeArena(arena, PR_FALSE);
+    nss_ZFreeIf(dc);
+    if (slot && freeSlot) {
+	PK11_FreeSlot(slot);
+    }
+    return PR_SUCCESS;
+}
+
+/* From pk11cert.c */
+extern PRBool
+PK11_IsUserCert(PK11SlotInfo *, CERTCertificate *, CK_OBJECT_HANDLE);
+
+/* see pk11cert.c:pk11_HandleTrustObject */
+static unsigned int
+get_nss3trust_from_cktrust(CK_TRUST t)
+{
+    unsigned int rt = 0;
+    if (t == CKT_NETSCAPE_TRUSTED) {
+	rt |= CERTDB_VALID_PEER | CERTDB_TRUSTED;
+    }
+    if (t == CKT_NETSCAPE_TRUSTED_DELEGATOR) {
+	rt |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA /*| CERTDB_NS_TRUSTED_CA*/;
+    }
+    if (t == CKT_NETSCAPE_VALID) {
+	rt |= CERTDB_VALID_PEER;
+    }
+    if (t == CKT_NETSCAPE_VALID_DELEGATOR) {
+	rt |= CERTDB_VALID_CA;
+    }
+    /* user */
+    return rt;
+}
+
+static CERTCertTrust *
+cert_trust_from_stan_trust(NSSTrust *t, PRArenaPool *arena)
+{
+    CERTCertTrust *rvTrust;
+    unsigned int client;
+    if (!t) {
+	return NULL;
+    }
+    rvTrust = PORT_ArenaAlloc(arena, sizeof(CERTCertTrust));
+    if (!rvTrust) return NULL;
+    rvTrust->sslFlags = get_nss3trust_from_cktrust(t->serverAuth);
+    client = get_nss3trust_from_cktrust(t->clientAuth);
+    if (client & (CERTDB_TRUSTED_CA|CERTDB_NS_TRUSTED_CA)) {
+	client &= ~(CERTDB_TRUSTED_CA|CERTDB_NS_TRUSTED_CA);
+	rvTrust->sslFlags |= CERTDB_TRUSTED_CLIENT_CA;
+    }
+    rvTrust->sslFlags |= client;
+    rvTrust->emailFlags = get_nss3trust_from_cktrust(t->emailProtection);
+    rvTrust->objectSigningFlags = get_nss3trust_from_cktrust(t->codeSigning);
+    return rvTrust;
+}
+
+static int nsstoken_get_trust_order(NSSToken *token)
+{
+    PK11SlotInfo *slot;
+    SECMODModule *module;
+    slot = token->pk11slot;
+    module = PK11_GetModule(slot);
+    return module->trustOrder;
+}
+
+/* check all cert instances for private key */
+static PRBool is_user_cert(NSSCertificate *c, CERTCertificate *cc)
+{
+    PRBool isUser = PR_FALSE;
+    nssCryptokiInstance *instance;
+    nssListIterator *instances = c->object.instances;
+    for (instance  = (nssCryptokiInstance *)nssListIterator_Start(instances);
+         instance != (nssCryptokiInstance *)NULL;
+         instance  = (nssCryptokiInstance *)nssListIterator_Next(instances)) 
+    {
+	if (PK11_IsUserCert(instance->token->pk11slot, cc, instance->handle)) {
+	    isUser = PR_TRUE;
+	}
+    }
+    nssListIterator_Finish(instances);
+    return isUser;
+}
+
+CERTCertTrust * 
+nssTrust_GetCERTCertTrustForCert(NSSCertificate *c, CERTCertificate *cc)
+{
+    CERTCertTrust *rvTrust;
+    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
+    NSSToken *tok;
+    NSSTrust *tokenTrust;
+    NSSTrust t;
+    nssListIterator *tokens;
+    int lastTrustOrder, myTrustOrder;
+    tokens = nssList_CreateIterator(td->tokenList);
+    if (!tokens) return NULL;
+    lastTrustOrder = 1<<16; /* just make it big */
+    t.serverAuth = CKT_NETSCAPE_TRUST_UNKNOWN;
+    t.clientAuth = CKT_NETSCAPE_TRUST_UNKNOWN;
+    t.emailProtection = CKT_NETSCAPE_TRUST_UNKNOWN;
+    t.codeSigning = CKT_NETSCAPE_TRUST_UNKNOWN;
+    for (tok  = (NSSToken *)nssListIterator_Start(tokens);
+         tok != (NSSToken *)NULL;
+         tok  = (NSSToken *)nssListIterator_Next(tokens))
+    {
+	tokenTrust = nssToken_FindTrustForCert(tok, NULL, c, 
+	                                       nssTokenSearchType_TokenOnly);
+	if (tokenTrust) {
+	    myTrustOrder = nsstoken_get_trust_order(tok);
+	    if (t.serverAuth == CKT_NETSCAPE_TRUST_UNKNOWN ||
+	         myTrustOrder < lastTrustOrder) {
+		t.serverAuth = tokenTrust->serverAuth;
+	    }
+	    if (t.clientAuth == CKT_NETSCAPE_TRUST_UNKNOWN ||
+	         myTrustOrder < lastTrustOrder) {
+		t.clientAuth = tokenTrust->clientAuth;
+	    }
+	    if (t.emailProtection == CKT_NETSCAPE_TRUST_UNKNOWN ||
+	         myTrustOrder < lastTrustOrder) {
+		t.emailProtection = tokenTrust->emailProtection;
+	    }
+	    if (t.codeSigning == CKT_NETSCAPE_TRUST_UNKNOWN ||
+	         myTrustOrder < lastTrustOrder) {
+		t.codeSigning = tokenTrust->codeSigning;
+	    }
+	    (void)nssTrust_Destroy(tokenTrust);
+	    lastTrustOrder = myTrustOrder;
+	}
+    }
+    nssListIterator_Finish(tokens);
+    nssListIterator_Destroy(tokens);
+    rvTrust = cert_trust_from_stan_trust(&t, cc->arena);
+    if (!rvTrust) return NULL;
+    if (is_user_cert(c, cc)) {
+	rvTrust->sslFlags |= CERTDB_USER;
+	rvTrust->emailFlags |= CERTDB_USER;
+	rvTrust->objectSigningFlags |= CERTDB_USER;
+    }
+    return rvTrust;
+}
+
+static nssCryptokiInstance *
+get_cert_instance(NSSCertificate *c)
+{
+    nssCryptokiInstance *instance, *ci;
+    nssListIterator *instances = c->object.instances;
+    instance = NULL;
+    for (ci  = (nssCryptokiInstance *)nssListIterator_Start(instances);
+         ci != (nssCryptokiInstance *)NULL;
+         ci  = (nssCryptokiInstance *)nssListIterator_Next(instances)) 
+    {
+	if (!instance) {
+	    instance = ci;
+	} else {
+	    /* This only really works for two instances...  But 3.4 can't
+	     * handle more anyway.  The logic is, if there are multiple
+	     * instances, prefer the one that is not internal (e.g., on
+	     * a hardware device.
+	     */
+	    if (PK11_IsInternal(instance->token->pk11slot)) {
+		instance = ci;
+	    }
+	}
+    }
+    nssListIterator_Finish(instances);
+    return instance;
+}
+
+static void
+fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc, PRBool forced)
+{
+    NSSTrust *nssTrust;
+    NSSCryptoContext *context = c->object.cryptoContext;
+    nssCryptokiInstance *instance = get_cert_instance(c);
+    NSSUTF8 *stanNick = NULL;
+    if (instance) {
+	stanNick = instance->label;
+    } else if (context) {
+	stanNick = c->object.tempName;
+    }
+    /* fill other fields needed by NSS3 functions using CERTCertificate */
+    if ((!cc->nickname && stanNick) || forced) {
+	PRStatus nssrv;
+	int nicklen, tokenlen, len;
+	NSSUTF8 *tokenName = NULL;
+	char *nick;
+	nicklen = nssUTF8_Size(stanNick, &nssrv);
+	if (instance && !PK11_IsInternal(instance->token->pk11slot)) {
+	    tokenName = nssToken_GetName(instance->token);
+	    tokenlen = nssUTF8_Size(tokenName, &nssrv);
+	} else {
+	    /* don't use token name for internal slot; 3.3 didn't */
+	    tokenlen = 0;
+	}
+	len = tokenlen + nicklen;
+	cc->nickname = PORT_ArenaAlloc(cc->arena, len);
+	nick = cc->nickname;
+	if (tokenName) {
+	    memcpy(nick, tokenName, tokenlen-1);
+	    nick += tokenlen-1;
+	    *nick++ = ':';
+	}
+	memcpy(nick, stanNick, nicklen-1);
+	cc->nickname[len-1] = '\0';
+    }
+    if (context) {
+	/* trust */
+	nssTrust = nssCryptoContext_FindTrustForCertificate(context, c);
+	if (nssTrust) {
+	    cc->trust = cert_trust_from_stan_trust(nssTrust, cc->arena);
+	    nssTrust_Destroy(nssTrust);
+	}
+    } else if (instance) {
+	/* slot */
+	cc->slot = PK11_ReferenceSlot(instance->token->pk11slot);
+	cc->ownSlot = PR_TRUE;
+	/* pkcs11ID */
+	cc->pkcs11ID = instance->handle;
+	/* trust */
+	cc->trust = nssTrust_GetCERTCertTrustForCert(c, cc);
+    } 
+    /* database handle is now the trust domain */
+    cc->dbhandle = c->object.trustDomain;
+    /* subjectList ? */
+    /* istemp and isperm are supported in NSS 3.4 */
+    cc->istemp = PR_FALSE; /* CERT_NewTemp will override this */
+    cc->isperm = PR_TRUE;  /* by default */
+    /* pointer back */
+    cc->nssCertificate = c;
+}
+
+static CERTCertificate *
+stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate)
+{
+    nssDecodedCert *dc;
+    CERTCertificate *cc;
+    if (!c->decoding) {
+	dc = nssDecodedPKIXCertificate_Create(NULL, &c->encoding);
+	if (!dc) return NULL;
+	c->decoding = dc;
+    } else {
+	dc = c->decoding;
+    }
+    cc = (CERTCertificate *)dc->data;
+    if (cc) {
+	if (!cc->nssCertificate || forceUpdate) {
+	    fill_CERTCertificateFields(c, cc, forceUpdate);
+	} else if (!cc->trust && !c->object.cryptoContext) {
+	    /* if it's a perm cert, it might have been stored before the
+	     * trust, so look for the trust again.  But a temp cert can be
+	     * ignored.
+	     */
+	    cc->trust = nssTrust_GetCERTCertTrustForCert(c, cc);
+	}
+    }
+    return cc;
+}
+
+NSS_IMPLEMENT CERTCertificate *
+STAN_GetCERTCertificate(NSSCertificate *c)
+{
+    return stan_GetCERTCertificate(c, PR_FALSE);
+}
+
+static CK_TRUST
+get_stan_trust(unsigned int t, PRBool isClientAuth) 
+{
+    if (isClientAuth) {
+	if (t & CERTDB_TRUSTED_CLIENT_CA) {
+	    return CKT_NETSCAPE_TRUSTED_DELEGATOR;
+	}
+    } else {
+	if (t & CERTDB_TRUSTED_CA || t & CERTDB_NS_TRUSTED_CA) {
+	    return CKT_NETSCAPE_TRUSTED_DELEGATOR;
+	}
+    }
+    if (t & CERTDB_TRUSTED) {
+	return CKT_NETSCAPE_TRUSTED;
+    }
+    if (t & CERTDB_VALID_CA) {
+	return CKT_NETSCAPE_VALID_DELEGATOR;
+    }
+    if (t & CERTDB_VALID_PEER) {
+	return CKT_NETSCAPE_VALID;
+    }
+    return CKT_NETSCAPE_UNTRUSTED;
+}
+
+NSS_EXTERN NSSCertificate *
+STAN_GetNSSCertificate(CERTCertificate *cc)
+{
+    NSSCertificate *c;
+    nssCryptokiInstance *instance;
+    NSSArena *arena;
+    PRStatus nssrv;
+    c = cc->nssCertificate;
+    if (c) {
+    	return c;
+    }
+    /* i don't think this should happen.  but if it can, need to create
+     * NSSCertificate from CERTCertificate values here.  */
+    /* Yup, it can happen. */
+    arena = NSSArena_Create();
+    if (!arena) {
+	return NULL;
+    }
+    c = nss_ZNEW(arena, NSSCertificate);
+    if (!c) {
+	nssArena_Destroy(arena);
+	return NULL;
+    }
+    NSSITEM_FROM_SECITEM(&c->encoding, &cc->derCert);
+    c->type = NSSCertificateType_PKIX;
+    nssrv = nssPKIObject_Initialize(&c->object, arena, cc->dbhandle, NULL);
+    if (nssrv != PR_SUCCESS) {
+	nssPKIObject_Destroy(&c->object);
+    }
+    nssItem_Create(arena,
+                   &c->issuer, cc->derIssuer.len, cc->derIssuer.data);
+    nssItem_Create(arena,
+                   &c->subject, cc->derSubject.len, cc->derSubject.data);
+    if (PR_TRUE) {
+	/* CERTCertificate stores serial numbers decoded.  I need the DER
+	* here.  sigh.
+	*/
+	SECItem derSerial;
+	CERT_SerialNumberFromDERCert(&cc->derCert, &derSerial);
+	nssItem_Create(arena, &c->serial, derSerial.len, derSerial.data);
+	PORT_Free(derSerial.data);
+    }
+    if (cc->emailAddr) {
+        c->email = nssUTF8_Create(arena,
+                                  nssStringType_PrintableString,
+                                  (NSSUTF8 *)cc->emailAddr,
+                                  PORT_Strlen(cc->emailAddr));
+    }
+    if (cc->slot) {
+	instance = nss_ZNEW(arena, nssCryptokiInstance);
+	instance->token = PK11Slot_GetNSSToken(cc->slot);
+	instance->handle = cc->pkcs11ID;
+	instance->isTokenObject = PR_TRUE;
+	if (cc->nickname) {
+	    instance->label = nssUTF8_Create(arena,
+	                                     nssStringType_UTF8String,
+	                                     (NSSUTF8 *)cc->nickname,
+	                                     PORT_Strlen(cc->nickname));
+	}
+	nssList_Add(c->object.instanceList, instance);
+	/* XXX Fix this! */
+	nssListIterator_Destroy(c->object.instances);
+	c->object.instances = nssList_CreateIterator(c->object.instanceList);
+    }
+    c->decoding = create_decoded_pkix_cert_from_nss3cert(NULL, cc);
+    cc->nssCertificate = c;
+    return c;
+}
+
+NSS_EXTERN PRStatus
+STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust)
+{
+    PRStatus nssrv;
+    NSSCertificate *c = STAN_GetNSSCertificate(cc);
+    NSSToken *tok;
+    NSSTrustDomain *td;
+    NSSTrust *nssTrust;
+    NSSArena *arena;
+    CERTCertTrust *oldTrust;
+    nssListIterator *tokens;
+    PRBool moving_object;
+    oldTrust = nssTrust_GetCERTCertTrustForCert(c, cc);
+    if (oldTrust) {
+	if (memcmp(oldTrust, trust, sizeof (CERTCertTrust)) == 0) {
+	    /* ... and the new trust is no different, done) */
+	    return PR_SUCCESS;
+	} else {
+	    /* take over memory already allocated in cc's arena */
+	    cc->trust = oldTrust;
+	}
+    } else {
+	cc->trust = PORT_ArenaAlloc(cc->arena, sizeof(CERTCertTrust));
+    }
+    memcpy(cc->trust, trust, sizeof(CERTCertTrust));
+    /* Set the NSSCerticate's trust */
+    arena = nssArena_Create();
+    if (!arena) return PR_FAILURE;
+    nssTrust = nss_ZNEW(arena, NSSTrust);
+    nssrv = nssPKIObject_Initialize(&nssTrust->object, arena, NULL, NULL);
+    if (nssrv != PR_SUCCESS) {
+	nssPKIObject_Destroy(&nssTrust->object);
+	return PR_FAILURE;
+    }
+    nssTrust->certificate = c;
+    nssTrust->serverAuth = get_stan_trust(trust->sslFlags, PR_FALSE);
+    nssTrust->clientAuth = get_stan_trust(trust->sslFlags, PR_TRUE);
+    nssTrust->emailProtection = get_stan_trust(trust->emailFlags, PR_FALSE);
+    nssTrust->codeSigning = get_stan_trust(trust->objectSigningFlags, PR_FALSE);
+    if (c->object.cryptoContext != NULL) {
+	/* The cert is in a context, set the trust there */
+	NSSCryptoContext *cc = c->object.cryptoContext;
+	nssrv = nssCryptoContext_ImportTrust(cc, nssTrust);
+	if (nssrv != PR_SUCCESS) {
+	    nssTrust_Destroy(nssTrust);
+	    return nssrv;
+	}
+	if (nssList_Count(c->object.instanceList) == 0) {
+	    /* The context is the only instance, finished */
+	    return nssrv;
+	}
+    }
+    td = STAN_GetDefaultTrustDomain();
+    if (PK11_IsReadOnly(cc->slot)) {
+	tokens = nssList_CreateIterator(td->tokenList);
+	if (!tokens) return PR_FAILURE;
+	for (tok  = (NSSToken *)nssListIterator_Start(tokens);
+	     tok != (NSSToken *)NULL;
+	     tok  = (NSSToken *)nssListIterator_Next(tokens))
+	{
+	    if (!PK11_IsReadOnly(tok->pk11slot)) break;
+	}
+	nssListIterator_Finish(tokens);
+	nssListIterator_Destroy(tokens);
+	moving_object = PR_TRUE;
+    } else {
+	/* by default, store trust on same token as cert if writeable */
+	tok = PK11Slot_GetNSSToken(cc->slot);
+	moving_object = PR_FALSE;
+    }
+    if (tok) {
+	if (moving_object) {
+	    /* this is kind of hacky.  the softoken needs the cert
+	     * object in order to store trust.  forcing it to be perm
+	     */
+	    NSSUTF8 *nickname = NSSCertificate_GetNickname(c, NULL);
+	    nssrv = nssToken_ImportCertificate(tok, NULL, c, nickname, PR_TRUE);
+	    if (nssrv != PR_SUCCESS) return nssrv;
+	}
+	nssrv = nssToken_ImportTrust(tok, NULL, nssTrust, PR_TRUE);
+    } else {
+	nssrv = PR_FAILURE;
+    }
+    (void)nssTrust_Destroy(nssTrust);
+    return nssrv;
+}
+
+/* CERT_TraversePermCertsForSubject */
+NSS_IMPLEMENT PRStatus
+nssTrustDomain_TraverseCertificatesBySubject
+(
+  NSSTrustDomain *td,
+  NSSDER *subject,
+  PRStatus (*callback)(NSSCertificate *c, void *arg),
+  void *arg
+)
+{
+    PRStatus nssrv = PR_SUCCESS;
+    NSSArena *tmpArena;
+    NSSCertificate **subjectCerts;
+    NSSCertificate *c;
+    PRIntn i;
+    tmpArena = NSSArena_Create();
+    subjectCerts = NSSTrustDomain_FindCertificatesBySubject(td, subject, NULL,
+                                                            0, tmpArena);
+    if (subjectCerts) {
+	for (i=0, c = subjectCerts[i]; c; i++) {
+	    nssrv = callback(c, arg);
+	    if (nssrv != PR_SUCCESS) break;
+	}
+    }
+    nssArena_Destroy(tmpArena);
+    return nssrv;
+}
+
+/* CERT_TraversePermCertsForNickname */
+NSS_IMPLEMENT PRStatus
+nssTrustDomain_TraverseCertificatesByNickname
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *nickname,
+  PRStatus (*callback)(NSSCertificate *c, void *arg),
+  void *arg
+)
+{
+    PRStatus nssrv = PR_SUCCESS;
+    NSSArena *tmpArena;
+    NSSCertificate **nickCerts;
+    NSSCertificate *c;
+    PRIntn i;
+    tmpArena = NSSArena_Create();
+    nickCerts = NSSTrustDomain_FindCertificatesByNickname(td, nickname, NULL,
+                                                          0, tmpArena);
+    if (nickCerts) {
+	for (i=0, c = nickCerts[i]; c; i++) {
+	    nssrv = callback(c, arg);
+	    if (nssrv != PR_SUCCESS) break;
+	}
+    }
+    nssArena_Destroy(tmpArena);
+    return nssrv;
+}
+
+/* SEC_TraversePermCerts */
+NSS_IMPLEMENT PRStatus
+nssTrustDomain_TraverseCertificates
+(
+  NSSTrustDomain *td,
+  PRStatus (*callback)(NSSCertificate *c, void *arg),
+  void *arg
+)
+{
+    PRStatus nssrv = PR_SUCCESS;
+    NSSToken *token;
+    nssList *certList;
+    nssTokenCertSearch search;
+    /* grab all cache certs (XXX please only do this here...) 
+     * the alternative is to provide a callback through search that allows
+     * the token to query the cache for the cert during traversal.
+     */
+    certList = nssList_Create(NULL, PR_FALSE);
+    (void)nssTrustDomain_GetCertsFromCache(td, certList);
+    /* set the search criteria */
+    search.callback = callback;
+    search.cbarg = arg;
+    search.cached = certList;
+    search.searchType = nssTokenSearchType_TokenOnly;
+    for (token  = (NSSToken *)nssListIterator_Start(td->tokens);
+         token != (NSSToken *)NULL;
+         token  = (NSSToken *)nssListIterator_Next(td->tokens)) 
+    {
+	nssrv = nssToken_TraverseCertificates(token, NULL, &search);
+    }
+    nssListIterator_Finish(td->tokens);
+    nssList_Destroy(certList);
+    return nssrv;
+}
+
+#if 0
+static CK_CERTIFICATE_TYPE
+get_cert_type(NSSCertificateType nssType)
+{
+    switch (nssType) {
+    case NSSCertificateType_PKIX:
+	return CKC_X_509;
+    default:
+	return CK_INVALID_HANDLE;  /* Not really! CK_INVALID_HANDLE is not a
+				    * type CK_CERTIFICATE_TYPE */
+    }
+}
+#endif
+
+/* CERT_AddTempCertToPerm */
+NSS_EXTERN PRStatus
+nssTrustDomain_AddTempCertToPerm
+(
+  NSSCertificate *c
+)
+{
+#if 0
+    NSSToken *token;
+    CK_CERTIFICATE_TYPE cert_type;
+    CK_ATTRIBUTE cert_template[] =
+    {
+	{ CKA_CLASS,            NULL, 0 },
+	{ CKA_CERTIFICATE_TYPE, NULL, 0 },
+	{ CKA_ID,               NULL, 0 },
+	{ CKA_VALUE,            NULL, 0 },
+	{ CKA_LABEL,            NULL, 0 },
+	{ CKA_ISSUER,           NULL, 0 },
+	{ CKA_SUBJECT,          NULL, 0 },
+	{ CKA_SERIAL_NUMBER,    NULL, 0 }
+    };
+    CK_ULONG ctsize;
+    ctsize = (CK_ULONG)(sizeof(cert_template) / sizeof(cert_template[0]));
+    /* XXX sanity checking needed */
+    cert_type = get_cert_type(c->type);
+    /* Set up the certificate object */
+    NSS_CK_SET_ATTRIBUTE_ITEM(cert_template, 0, &g_ck_class_cert);
+    NSS_CK_SET_ATTRIBUTE_VAR( cert_template, 1, cert_type);
+    NSS_CK_SET_ATTRIBUTE_ITEM(cert_template, 2, &c->id);
+    NSS_CK_SET_ATTRIBUTE_ITEM(cert_template, 3, &c->encoding);
+    NSS_CK_SET_ATTRIBUTE_UTF8(cert_template, 4,  c->nickname);
+    NSS_CK_SET_ATTRIBUTE_ITEM(cert_template, 5, &c->issuer);
+    NSS_CK_SET_ATTRIBUTE_ITEM(cert_template, 6, &c->subject);
+    NSS_CK_SET_ATTRIBUTE_ITEM(cert_template, 7, &c->serial);
+    /* This is a hack, ignoring the 4.0 token ordering scheme */
+    token = STAN_GetInternalToken();
+    c->handle = nssToken_ImportObject(token, NULL, cert_template, ctsize);
+    if (c->handle == CK_INVALID_HANDLE) {
+	return PR_FAILURE;
+    }
+    c->token = token;
+    c->slot = token->slot;
+    /* Do the trust object */
+    return PR_SUCCESS;
+#endif
+    return PR_FAILURE;
+}
+
+static void cert_dump_iter(const void *k, void *v, void *a)
+{
+    NSSCertificate *c = (NSSCertificate *)k;
+    CERTCertificate *cert = STAN_GetCERTCertificate(c);
+    printf("[%2d] \"%s\"\n", c->object.refCount, cert->subjectName);
+}
+
+void
+nss_DumpCertificateCacheInfo()
+{
+    NSSTrustDomain *td;
+    NSSCryptoContext *cc;
+    td = STAN_GetDefaultTrustDomain();
+    cc = STAN_GetDefaultCryptoContext();
+    printf("\n\nCertificates in the cache:\n");
+    nssTrustDomain_DumpCacheInfo(td, cert_dump_iter, NULL);
+    printf("\n\nCertificates in the temporary store:\n");
+    if (cc->certStore) {
+	nssCertificateStore_DumpStoreInfo(cc->certStore, cert_dump_iter, NULL);
+    }
+}
+
diff --git a/security/nss/lib/pki/pki3hack.h b/security/nss/lib/pki/pki3hack.h
new file mode 100644
index 000000000..c79fc747b
--- /dev/null
+++ b/security/nss/lib/pki/pki3hack.h
@@ -0,0 +1,198 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef PKINSS3HACK_H
+#define PKINSS3HACK_H
+
+#ifdef DEBUG
+static const char PKINSS3HACK_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef NSSDEVT_H
+#include "nssdevt.h"
+#endif /* NSSDEVT_H */
+
+#ifndef NSSPKIT_H
+#include "nsspkit.h"
+#endif /* NSSPKIT_H */
+
+#include "base.h"
+
+#include "cert.h"
+
+PR_BEGIN_EXTERN_C
+
+#define NSSITEM_FROM_SECITEM(nssit, secit)  \
+    (nssit)->data = (void *)(secit)->data;  \
+    (nssit)->size = (PRUint32)(secit)->len;
+
+#define SECITEM_FROM_NSSITEM(secit, nssit)          \
+    (secit)->data = (unsigned char *)(nssit)->data; \
+    (secit)->len  = (unsigned int)(nssit)->size;
+
+NSS_EXTERN NSSTrustDomain *
+STAN_GetDefaultTrustDomain();
+
+NSS_EXTERN NSSCryptoContext *
+STAN_GetDefaultCryptoContext();
+
+NSS_EXTERN PRStatus
+STAN_LoadDefaultNSS3TrustDomain
+(
+  void
+);
+
+NSS_EXTERN void
+STAN_Shutdown();
+
+NSS_EXTERN void
+STAN_DestroyNSSToken(NSSToken *token);
+
+NSS_EXTERN PRBool
+nssToken_SearchCerts
+(
+  NSSToken *token,
+  PRBool *notPresentOpt
+);
+
+/* renewInstances -- if the cached token certs have multiple instances,
+ * don't destroy them.  If this parameter is false, they will be destroyed
+ * anyway (used for clean shutdown).
+ */
+NSS_EXTERN void
+nssToken_DestroyCertList(NSSToken *token, PRBool renewInstances);
+
+NSS_EXTERN void
+nssCertificateList_DestroyTokenCerts(nssList *certList, NSSToken *token);
+
+NSS_EXTERN void
+nssCertificateList_RemoveTokenCerts(nssList *certList, NSSToken *token);
+
+NSS_EXTERN SECStatus
+STAN_AddModuleToDefaultTrustDomain
+(
+  SECMODModule *module
+);
+
+NSS_EXTERN SECStatus
+STAN_RemoveModuleFromDefaultTrustDomain
+(
+  SECMODModule *module
+);
+
+NSS_EXTERN CERTCertificate *
+STAN_GetCERTCertificate(NSSCertificate *c);
+
+NSS_EXTERN NSSCertificate *
+STAN_GetNSSCertificate(CERTCertificate *c);
+
+NSS_EXTERN CERTCertTrust * 
+nssTrust_GetCERTCertTrustForCert(NSSCertificate *c, CERTCertificate *cc);
+
+NSS_EXTERN PRStatus
+STAN_ChangeCertTrust(CERTCertificate *cc, CERTCertTrust *trust);
+
+/* exposing this */
+NSS_EXTERN NSSCertificate *
+NSSCertificate_Create
+(
+  NSSArena *arenaOpt
+);
+
+/* This function is being put here because it is a hack for 
+ * PK11_FindCertFromNickname.
+ */
+NSS_EXTERN NSSCertificate *
+nssTrustDomain_FindBestCertificateByNicknameForToken
+(
+  NSSTrustDomain *td,
+  NSSToken *token,
+  NSSUTF8 *name,
+  NSSTime *timeOpt, /* NULL for "now" */
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt /* NULL for none */
+);
+
+/* This function is being put here because it is a hack for 
+ * PK11_FindCertsFromNickname.
+ */
+NSS_EXTERN NSSCertificate **
+nssTrustDomain_FindCertificatesByNicknameForToken
+(
+  NSSTrustDomain *td,
+  NSSToken *token,
+  NSSUTF8 *name,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+);
+
+/* CERT_TraversePermCertsForSubject */
+NSS_EXTERN PRStatus
+nssTrustDomain_TraverseCertificatesBySubject
+(
+  NSSTrustDomain *td,
+  NSSDER *subject,
+  PRStatus (*callback)(NSSCertificate *c, void *arg),
+  void *arg
+);
+
+/* CERT_TraversePermCertsForNickname */
+NSS_EXTERN PRStatus
+nssTrustDomain_TraverseCertificatesByNickname
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *nickname,
+  PRStatus (*callback)(NSSCertificate *c, void *arg),
+  void *arg
+);
+
+/* SEC_TraversePermCerts */
+NSS_EXTERN PRStatus
+nssTrustDomain_TraverseCertificates
+(
+  NSSTrustDomain *td,
+  PRStatus (*callback)(NSSCertificate *c, void *arg),
+  void *arg
+);
+
+/* CERT_AddTempCertToPerm */
+NSS_EXTERN PRStatus
+nssTrustDomain_AddTempCertToPerm
+(
+  NSSCertificate *c
+);
+
+PR_END_EXTERN_C
+
+#endif /* PKINSS3HACK_H */
diff --git a/security/nss/lib/pki/pkim.h b/security/nss/lib/pki/pkim.h
new file mode 100644
index 000000000..566381055
--- /dev/null
+++ b/security/nss/lib/pki/pkim.h
@@ -0,0 +1,348 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef PKIM_H
+#define PKIM_H
+
+#ifdef DEBUG
+static const char PKIM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#ifndef PKITM_H
+#include "pkitm.h"
+#endif /* PKITM_H */
+
+PR_BEGIN_EXTERN_C
+
+NSS_EXTERN NSSToken *
+STAN_GetDefaultCryptoToken
+(
+  void
+);
+
+NSS_EXTERN nssHash *
+nssHash_CreateCertificate
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets
+);
+
+/* Token ordering routines */
+
+/*
+ * Given a crypto algorithm, return the preferred token for performing
+ * the crypto operation.
+ */
+NSS_EXTERN NSSToken *
+nssTrustDomain_GetCryptoToken
+(
+  NSSTrustDomain *td,
+  NSSAlgorithmAndParameters *ap
+);
+
+/* The following routines are used to obtain the preferred token on which 
+ * to store particular objects.
+ */
+
+/*
+ * Find the preferred token for storing user certificates.
+ */
+NSS_EXTERN NSSToken *
+nssTrustDomain_GetUserCertToken
+(
+  NSSTrustDomain *td
+);
+
+/*
+ * Find the preferred token for storing email certificates.
+ */
+NSS_EXTERN NSSToken *
+nssTrustDomain_GetEmailCertToken
+(
+  NSSTrustDomain *td
+);
+
+/*
+ * Find the preferred token for storing SSL certificates.
+ */
+NSS_EXTERN NSSToken *
+nssTrustDomain_GetSSLCertToken
+(
+  NSSTrustDomain *td
+);
+
+/*
+ * Find the preferred token for storing root certificates.
+ */
+NSS_EXTERN NSSToken *
+nssTrustDomain_GetRootCertToken
+(
+  NSSTrustDomain *td
+);
+
+/*
+ * Find the preferred token for storing private keys. 
+ */
+NSS_EXTERN NSSToken *
+nssTrustDomain_GetPrivateKeyToken
+(
+  NSSTrustDomain *td
+);
+
+/*
+ * Find the preferred token for storing symmetric keys. 
+ */
+NSS_EXTERN NSSToken *
+nssTrustDomain_GetSymmetricKeyToken
+(
+  NSSTrustDomain *td
+);
+
+/* Certificate cache routines */
+
+NSS_EXTERN PRStatus
+nssTrustDomain_AddCertsToCache
+(
+  NSSTrustDomain *td,
+  NSSCertificate **certs,
+  PRUint32 numCerts
+);
+
+NSS_EXTERN void
+nssTrustDomain_RemoveCertFromCache
+(
+  NSSTrustDomain *td,
+  NSSCertificate *cert
+);
+
+NSS_EXTERN void
+nssTrustDomain_FlushCache
+(
+  NSSTrustDomain *td,
+  PRFloat64 threshold
+);
+
+NSS_IMPLEMENT PRStatus
+nssTrustDomain_DestroyCache
+(
+  NSSTrustDomain *td
+);
+
+/* 
+ * Remove all certs for the given token from the cache.  This is
+ * needed if the token is removed.
+ */
+NSS_EXTERN PRStatus
+nssTrustDomain_RemoveTokenCertsFromCache
+(
+  NSSTrustDomain *td,
+  NSSToken *token
+);
+
+/*
+ * Find all cached certs with this nickname (label).
+ */
+NSS_EXTERN NSSCertificate **
+nssTrustDomain_GetCertsForNicknameFromCache
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *nickname,
+  nssList *certListOpt
+);
+
+/*
+ * Find all cached certs with this email address.
+ */
+NSS_EXTERN NSSCertificate **
+nssTrustDomain_GetCertsForEmailAddressFromCache
+(
+  NSSTrustDomain *td,
+  NSSASCII7 *email,
+  nssList *certListOpt
+);
+
+/*
+ * Find all cached certs with this subject.
+ */
+NSS_EXTERN NSSCertificate **
+nssTrustDomain_GetCertsForSubjectFromCache
+(
+  NSSTrustDomain *td,
+  NSSDER *subject,
+  nssList *certListOpt
+);
+
+/*
+ * Look for a specific cert in the cache.
+ */
+NSS_EXTERN NSSCertificate *
+nssTrustDomain_GetCertForIssuerAndSNFromCache
+(
+  NSSTrustDomain *td,
+  NSSDER *issuer,
+  NSSDER *serialNum
+);
+
+/*
+ * Look for a specific cert in the cache.
+ */
+NSS_EXTERN NSSCertificate *
+nssTrustDomain_GetCertByDERFromCache
+(
+  NSSTrustDomain *td,
+  NSSDER *der
+);
+
+/* Get all certs from the cache */
+/* XXX this is being included to make some old-style calls word, not to
+ *     say we should keep it
+ */
+NSS_EXTERN NSSCertificate **
+nssTrustDomain_GetCertsFromCache
+(
+  NSSTrustDomain *td,
+  nssList *certListOpt
+);
+
+NSS_EXTERN PRStatus
+nssCertificate_SetCertTrust
+(
+  NSSCertificate *c,
+  NSSTrust *trust
+);
+
+NSS_EXTERN nssDecodedCert *
+nssCertificate_GetDecoding
+(
+  NSSCertificate *c
+);
+
+NSS_EXTERN nssDecodedCert *
+nssDecodedCert_Create
+(
+  NSSArena *arenaOpt,
+  NSSDER *encoding,
+  NSSCertificateType type
+);
+
+NSS_EXTERN PRStatus
+nssDecodedCert_Destroy
+(
+  nssDecodedCert *dc
+);
+
+NSS_EXTERN void 
+nssBestCertificate_SetArgs
+(
+  nssBestCertificateCB *best,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policies
+);
+
+NSS_EXTERN PRStatus 
+nssBestCertificate_Callback
+(
+  NSSCertificate *c, 
+  void *arg
+);
+
+NSS_EXTERN PRStatus
+nssCertificateList_DoCallback
+(
+  nssList *certList, 
+  PRStatus (* callback)(NSSCertificate *c, void *arg),
+  void *arg
+);
+
+NSS_EXTERN void
+nssCertificateList_AddReferences
+(
+  nssList *certList
+);
+
+NSS_EXTERN PRStatus
+nssPKIObject_Initialize
+(
+  struct nssPKIObjectBaseStr *object,
+  NSSArena *arena,
+  NSSTrustDomain *td,
+  NSSCryptoContext *cc
+);
+
+NSS_EXTERN void
+nssPKIObject_AddRef
+(
+  struct nssPKIObjectBaseStr *object
+);
+
+NSS_EXTERN PRBool
+nssPKIObject_Destroy
+(
+  struct nssPKIObjectBaseStr *object
+);
+
+NSS_EXTERN NSSTime *
+NSSTime_Now
+(
+  NSSTime *timeOpt
+);
+
+NSS_EXTERN NSSTime *
+NSSTime_SetPRTime
+(
+  NSSTime *timeOpt,
+  PRTime prTime
+);
+
+NSS_EXTERN PRTime
+NSSTime_GetPRTime
+(
+  NSSTime *time
+);
+
+NSS_EXTERN void
+nssTrustDomain_DumpCacheInfo
+(
+  NSSTrustDomain *td,
+  void (* cert_dump_iter)(const void *, void *, void *),
+  void *arg
+);
+
+PR_END_EXTERN_C
+
+#endif /* PKIM_H */
diff --git a/security/nss/lib/pki/pkistore.c b/security/nss/lib/pki/pkistore.c
new file mode 100644
index 000000000..0b1463fcb
--- /dev/null
+++ b/security/nss/lib/pki/pkistore.c
@@ -0,0 +1,751 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIM_H
+#include "pkim.h"
+#endif /* PKIM_H */
+
+#ifndef PKI_H
+#include "pki.h"
+#endif /* PKI_H */
+
+#ifndef NSSPKI_H
+#include "nsspki.h"
+#endif /* NSSPKI_H */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#ifndef PKISTORE_H
+#include "pkistore.h"
+#endif /* PKISTORE_H */
+
+#ifdef NSS_3_4_CODE
+#include "cert.h"
+#endif
+
+/* 
+ * Certificate Store
+ *
+ * This differs from the cache in that it is a true storage facility.  Items
+ * stay in until they are explicitly removed.  It is only used by crypto
+ * contexts at this time, but may be more generally useful...
+ *
+ */
+
+struct nssCertificateStoreStr 
+{
+    PRBool i_alloced_arena;
+    NSSArena *arena;
+    PZLock *lock;
+    nssHash *subject;
+    nssHash *issuer_and_serial;
+};
+
+typedef struct certificate_hash_entry_str certificate_hash_entry;
+
+struct certificate_hash_entry_str
+{
+    NSSCertificate *cert;
+    NSSTrust *trust;
+    nssSMIMEProfile *profile;
+};
+
+/* XXX This a common function that should be moved out, possibly an
+ *     nssSubjectCertificateList should be created?
+ */
+/* sort the subject list from newest to oldest */
+static PRIntn subject_list_sort(void *v1, void *v2)
+{
+    NSSCertificate *c1 = (NSSCertificate *)v1;
+    NSSCertificate *c2 = (NSSCertificate *)v2;
+    nssDecodedCert *dc1 = nssCertificate_GetDecoding(c1);
+    nssDecodedCert *dc2 = nssCertificate_GetDecoding(c2);
+    if (dc1->isNewerThan(dc1, dc2)) {
+	return -1;
+    } else {
+	return 1;
+    }
+}
+
+NSS_IMPLEMENT nssCertificateStore *
+nssCertificateStore_Create
+(
+  NSSArena *arenaOpt
+)
+{
+    NSSArena *arena;
+    nssCertificateStore *store;
+    PRBool i_alloced_arena;
+    if (arenaOpt) {
+	arena = arenaOpt;
+	i_alloced_arena = PR_FALSE;
+    } else {
+	arena = nssArena_Create();
+	if (!arena) {
+	    return NULL;
+	}
+	i_alloced_arena = PR_TRUE;
+    }
+    store = nss_ZNEW(arena, nssCertificateStore);
+    if (!store) {
+	goto loser;
+    }
+    store->lock = PZ_NewLock(nssILockOther);
+    if (!store->lock) {
+	goto loser;
+    }
+    /* Create the issuer/serial --> {cert, trust, S/MIME profile } hash */
+    store->issuer_and_serial = nssHash_CreateCertificate(arena, 0);
+    if (!store->issuer_and_serial) {
+	goto loser;
+    }
+    /* Create the subject DER --> subject list hash */
+    store->subject = nssHash_CreateItem(arena, 0);
+    if (!store->subject) {
+	goto loser;
+    }
+    store->arena = arena;
+    store->i_alloced_arena = i_alloced_arena;
+    return store;
+loser:
+    if (store) {
+	if (store->lock) {
+	    PZ_DestroyLock(store->lock);
+	}
+	if (store->issuer_and_serial) {
+	    nssHash_Destroy(store->issuer_and_serial);
+	}
+	if (store->subject) {
+	    nssHash_Destroy(store->subject);
+	}
+    }
+    if (i_alloced_arena) {
+	nssArena_Destroy(arena);
+    }
+    return NULL;
+}
+
+NSS_IMPLEMENT void
+nssCertificateStore_Destroy
+(
+  nssCertificateStore *store
+)
+{
+    PZ_DestroyLock(store->lock);
+    nssHash_Destroy(store->issuer_and_serial);
+    nssHash_Destroy(store->subject);
+    if (store->i_alloced_arena) {
+	nssArena_Destroy(store->arena);
+    } else {
+	nss_ZFreeIf(store);
+    }
+}
+
+static PRStatus
+add_certificate_entry
+(
+  nssCertificateStore *store,
+  NSSCertificate *cert
+)
+{
+    PRStatus nssrv;
+    certificate_hash_entry *entry;
+    entry = nss_ZNEW(cert->object.arena, certificate_hash_entry);
+    if (!entry) {
+	return PR_FAILURE;
+    }
+    entry->cert = cert;
+    nssrv = nssHash_Add(store->issuer_and_serial, cert, entry);
+    if (nssrv != PR_SUCCESS) {
+	nss_ZFreeIf(entry);
+    }
+    return nssrv;
+}
+
+static PRStatus
+add_subject_entry
+(
+  nssCertificateStore *store,
+  NSSCertificate *cert
+)
+{
+    PRStatus nssrv;
+    nssList *subjectList;
+    subjectList = (nssList *)nssHash_Lookup(store->subject, &cert->subject);
+    if (subjectList) {
+	/* The subject is already in, add this cert to the list */
+	nssrv = nssList_AddUnique(subjectList, cert);
+    } else {
+	/* Create a new subject list for the subject */
+	subjectList = nssList_Create(NULL, PR_FALSE);
+	if (!subjectList) {
+	    return PR_FAILURE;
+	}
+	nssList_SetSortFunction(subjectList, subject_list_sort);
+	/* Add the cert entry to this list of subjects */
+	nssrv = nssList_Add(subjectList, cert);
+	if (nssrv != PR_SUCCESS) {
+	    return nssrv;
+	}
+	/* Add the subject list to the cache */
+	nssrv = nssHash_Add(store->subject, &cert->subject, subjectList);
+    }
+    return nssrv;
+}
+
+/* declared below */
+static void
+remove_certificate_entry
+(
+  nssCertificateStore *store,
+  NSSCertificate *cert
+);
+
+NSS_IMPLEMENT PRStatus
+nssCertificateStore_Add
+(
+  nssCertificateStore *store,
+  NSSCertificate *cert
+)
+{
+    PRStatus nssrv;
+    PZ_Lock(store->lock);
+    if (nssHash_Exists(store->issuer_and_serial, cert)) {
+	PZ_Unlock(store->lock);
+	return PR_SUCCESS;
+    }
+    nssrv = add_certificate_entry(store, cert);
+    if (nssrv == PR_SUCCESS) {
+	nssrv = add_subject_entry(store, cert);
+	if (nssrv == PR_SUCCESS) {
+	    nssCertificate_AddRef(cert); /* obtain a reference for the store */
+	} else {
+	    remove_certificate_entry(store, cert);
+	}
+    }
+    PZ_Unlock(store->lock);
+    return nssrv;
+}
+
+static void
+remove_certificate_entry
+(
+  nssCertificateStore *store,
+  NSSCertificate *cert
+)
+{
+    certificate_hash_entry *entry;
+    entry = (certificate_hash_entry *)
+                             nssHash_Lookup(store->issuer_and_serial, cert);
+    if (entry) {
+	nssHash_Remove(store->issuer_and_serial, cert);
+	if (entry->trust) {
+	    nssTrust_Destroy(entry->trust);
+	}
+	if (entry->profile) {
+	    nssSMIMEProfile_Destroy(entry->profile);
+	}
+	nss_ZFreeIf(entry);
+    }
+}
+
+static void
+remove_subject_entry
+(
+  nssCertificateStore *store,
+  NSSCertificate *cert
+)
+{
+    nssList *subjectList;
+    /* Get the subject list for the cert's subject */
+    subjectList = (nssList *)nssHash_Lookup(store->subject, &cert->subject);
+    if (subjectList) {
+	/* Remove the cert from the subject hash */
+	nssList_Remove(subjectList, cert);
+	nssHash_Remove(store->subject, &cert->subject);
+	if (nssList_Count(subjectList) == 0) {
+	    nssList_Destroy(subjectList);
+	} else {
+	    /* The cert being released may have keyed the subject entry.
+	     * Since there are still subject certs around, get another and
+	     * rekey the entry just in case.
+	     */
+	    NSSCertificate *subjectCert;
+	    (void)nssList_GetArray(subjectList, (void **)&subjectCert, 1);
+	    nssHash_Add(store->subject, &subjectCert->subject, subjectList);
+	}
+    }
+}
+
+NSS_IMPLEMENT void
+nssCertificateStore_Remove
+(
+  nssCertificateStore *store,
+  NSSCertificate *cert
+)
+{
+    certificate_hash_entry *entry;
+    PZ_Lock(store->lock);
+#ifdef NSS_3_4_CODE
+    if (cert->object.refCount > 2) {
+	/* This continues the hack described in CERT_DestroyCertificate.
+	 * Because NSS 3.4 maintains a single, global, crypto context,
+	 * certs must be explicitly removed from it when there are no
+	 * more references to them.  This is done by destroying the cert
+	 * when there are two references left, the one being destroyed,
+	 * and the one here (read: temp db).
+	 * However, there is a race condition with timing the removal
+	 * of the cert from the temp store and deleting the last
+	 * reference.  In CERT_DestroyCertificate, the refCount is checked,
+	 * and if it is two, a call is made here to remove the temp cert.
+	 * But by the time it gets here (and within the safety of the
+	 * store's lock), another thread could have grabbed a reference
+	 * to it.  Removing it now will wreak havoc.
+	 * Therefore, it is necessary to check the refCount again, 
+	 * after obtaining the store's lock, to make sure the cert is
+	 * actually ready to be deleted.  This check is safe, because
+	 * within the store's lock a cert that has only two references
+	 * *must* have one in the store, and the one being deleted.
+	 * See bug 125263.
+	 */
+	PZ_Unlock(store->lock);
+	return;
+    }
+#endif
+    entry = (certificate_hash_entry *)
+                              nssHash_Lookup(store->issuer_and_serial, cert);
+    if (entry && entry->cert == cert) {
+	remove_certificate_entry(store, cert);
+	remove_subject_entry(store, cert);
+	NSSCertificate_Destroy(cert); /* release the store's reference */
+    }
+    PZ_Unlock(store->lock);
+}
+
+static NSSCertificate **
+get_array_from_list
+(
+  nssList *certList,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+)
+{
+    PRUint32 count;
+    NSSCertificate **rvArray = NULL;
+    count = nssList_Count(certList);
+    if (count == 0) {
+	return NULL;
+    }
+    if (maximumOpt > 0) {
+	count = PR_MIN(maximumOpt, count);
+    }
+    if (rvOpt) {
+	nssList_GetArray(certList, (void **)rvOpt, count);
+    } else {
+	rvArray = nss_ZNEWARRAY(arenaOpt, NSSCertificate *, count + 1);
+	if (rvArray) {
+	    nssList_GetArray(certList, (void **)rvArray, count);
+	}
+    }
+    return rvArray;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+nssCertificateStore_FindCertificatesBySubject
+(
+  nssCertificateStore *store,
+  NSSDER *subject,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+)
+{
+    NSSCertificate **rvArray = NULL;
+    nssList *subjectList;
+    PZ_Lock(store->lock);
+    subjectList = (nssList *)nssHash_Lookup(store->subject, subject);
+    if (subjectList) {
+	nssCertificateList_AddReferences(subjectList);
+	rvArray = get_array_from_list(subjectList, 
+	                              rvOpt, maximumOpt, arenaOpt);
+    }
+    PZ_Unlock(store->lock);
+    return rvArray;
+}
+
+/* Because only subject indexing is implemented, all other lookups require
+ * full traversal (unfortunately, PLHashTable doesn't allow you to exit
+ * early from the enumeration).  The assumptions are that 1) lookups by 
+ * fields other than subject will be rare, and 2) the hash will not have
+ * a large number of entries.  These assumptions will be tested.
+ *
+ * XXX
+ * For NSS 3.4, it is worth consideration to do all forms of indexing,
+ * because the only crypto context is global and persistent.
+ */
+
+struct nickname_template_str
+{
+    NSSUTF8 *nickname;
+    nssList *subjectList;
+};
+
+static void match_nickname(const void *k, void *v, void *a)
+{
+    PRStatus nssrv;
+    NSSCertificate *c;
+    NSSUTF8 *nickname;
+    nssList *subjectList = (nssList *)v;
+    struct nickname_template_str *nt = (struct nickname_template_str *)a;
+    nssrv = nssList_GetArray(subjectList, (void **)&c, 1);
+    nickname = NSSCertificate_GetNickname(c, NULL);
+    if (nssrv == PR_SUCCESS && 
+         nssUTF8_Equal(nickname, nt->nickname, &nssrv)) 
+    {
+	nt->subjectList = subjectList;
+    }
+}
+
+/*
+ * Find all cached certs with this label.
+ */
+NSS_IMPLEMENT NSSCertificate **
+nssCertificateStore_FindCertificatesByNickname
+(
+  nssCertificateStore *store,
+  NSSUTF8 *nickname,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+)
+{
+    NSSCertificate **rvArray = NULL;
+    struct nickname_template_str nt;
+    nt.nickname = nickname;
+    nt.subjectList = NULL;
+    PZ_Lock(store->lock);
+    nssHash_Iterate(store->subject, match_nickname, &nt);
+    if (nt.subjectList) {
+	nssCertificateList_AddReferences(nt.subjectList);
+	rvArray = get_array_from_list(nt.subjectList, 
+	                              rvOpt, maximumOpt, arenaOpt);
+    }
+    PZ_Unlock(store->lock);
+    return rvArray;
+}
+
+struct email_template_str
+{
+    NSSASCII7 *email;
+    nssList *emailList;
+};
+
+static void match_email(const void *k, void *v, void *a)
+{
+    PRStatus nssrv;
+    NSSCertificate *c;
+    nssList *subjectList = (nssList *)v;
+    struct email_template_str *et = (struct email_template_str *)a;
+    nssrv = nssList_GetArray(subjectList, (void **)&c, 1);
+    if (nssrv == PR_SUCCESS && 
+         nssUTF8_Equal(c->email, et->email, &nssrv)) 
+    {
+	nssListIterator *iter = nssList_CreateIterator(subjectList);
+	if (iter) {
+	    for (c  = (NSSCertificate *)nssListIterator_Start(iter);
+	         c != (NSSCertificate *)NULL;
+	         c  = (NSSCertificate *)nssListIterator_Next(iter))
+	    {
+		nssList_Add(et->emailList, c);
+	    }
+	    nssListIterator_Finish(iter);
+	    nssListIterator_Destroy(iter);
+	}
+    }
+}
+
+/*
+ * Find all cached certs with this email address.
+ */
+NSS_IMPLEMENT NSSCertificate **
+nssCertificateStore_FindCertificatesByEmail
+(
+  nssCertificateStore *store,
+  NSSASCII7 *email,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+)
+{
+    NSSCertificate **rvArray = NULL;
+    struct email_template_str et;
+    et.email = email;
+    et.emailList = nssList_Create(NULL, PR_FALSE);
+    if (!et.emailList) {
+	return NULL;
+    }
+    PZ_Lock(store->lock);
+    nssHash_Iterate(store->subject, match_email, &et);
+    if (et.emailList) {
+	/* get references before leaving the store's lock protection */
+	nssCertificateList_AddReferences(et.emailList);
+    }
+    PZ_Unlock(store->lock);
+    if (et.emailList) {
+	rvArray = get_array_from_list(et.emailList, 
+	                              rvOpt, maximumOpt, arenaOpt);
+	nssList_Destroy(et.emailList);
+    }
+    return rvArray;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+nssCertificateStore_FindCertificateByIssuerAndSerialNumber
+(
+  nssCertificateStore *store,
+  NSSDER *issuer,
+  NSSDER *serial
+)
+{
+    certificate_hash_entry *entry;
+    NSSCertificate index;
+    NSSCertificate *rvCert = NULL;
+    index.issuer = *issuer;
+    index.serial = *serial;
+    PZ_Lock(store->lock);
+    entry = (certificate_hash_entry *)
+                           nssHash_Lookup(store->issuer_and_serial, &index);
+    if (entry) {
+	rvCert = nssCertificate_AddRef(entry->cert);
+    }
+    PZ_Unlock(store->lock);
+    return rvCert;
+}
+
+#ifdef NSS_3_4_CODE
+static PRStatus
+issuer_and_serial_from_encoding
+(
+  NSSBER *encoding, 
+  NSSDER *issuer, 
+  NSSDER *serial
+)
+{
+    SECItem derCert, derIssuer, derSerial;
+    SECStatus secrv;
+    derCert.data = (unsigned char *)encoding->data;
+    derCert.len = encoding->size;
+    secrv = CERT_IssuerNameFromDERCert(&derCert, &derIssuer);
+    if (secrv != SECSuccess) {
+	return PR_FAILURE;
+    }
+    secrv = CERT_SerialNumberFromDERCert(&derCert, &derSerial);
+    if (secrv != SECSuccess) {
+	PORT_Free(derIssuer.data);
+	return PR_FAILURE;
+    }
+    issuer->data = derIssuer.data;
+    issuer->size = derIssuer.len;
+    serial->data = derSerial.data;
+    serial->size = derSerial.len;
+    return PR_SUCCESS;
+}
+#endif
+
+NSS_IMPLEMENT NSSCertificate *
+nssCertificateStore_FindCertificateByEncodedCertificate
+(
+  nssCertificateStore *store,
+  NSSDER *encoding
+)
+{
+    PRStatus nssrv = PR_FAILURE;
+    NSSDER issuer, serial;
+    NSSCertificate *rvCert = NULL;
+#ifdef NSS_3_4_CODE
+    nssrv = issuer_and_serial_from_encoding(encoding, &issuer, &serial);
+#endif
+    if (nssrv != PR_SUCCESS) {
+	return NULL;
+    }
+    rvCert = nssCertificateStore_FindCertificateByIssuerAndSerialNumber(store, 
+                                                                     &issuer, 
+                                                                     &serial);
+#ifdef NSS_3_4_CODE
+    PORT_Free(issuer.data);
+    PORT_Free(serial.data);
+#endif
+    return rvCert;
+}
+
+NSS_EXTERN PRStatus
+nssCertificateStore_AddTrust
+(
+  nssCertificateStore *store,
+  NSSTrust *trust
+)
+{
+    NSSCertificate *cert;
+    certificate_hash_entry *entry;
+    cert = trust->certificate;
+    PZ_Lock(store->lock);
+    entry = (certificate_hash_entry *)
+                              nssHash_Lookup(store->issuer_and_serial, cert);
+    if (entry) {
+	entry->trust = nssTrust_AddRef(trust);
+    }
+    PZ_Unlock(store->lock);
+    return (entry) ? PR_SUCCESS : PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSTrust *
+nssCertificateStore_FindTrustForCertificate
+(
+  nssCertificateStore *store,
+  NSSCertificate *cert
+)
+{
+    certificate_hash_entry *entry;
+    NSSTrust *rvTrust = NULL;
+    PZ_Lock(store->lock);
+    entry = (certificate_hash_entry *)
+                              nssHash_Lookup(store->issuer_and_serial, cert);
+    if (entry && entry->trust) {
+	rvTrust = nssTrust_AddRef(entry->trust);
+    }
+    PZ_Unlock(store->lock);
+    return rvTrust;
+}
+
+NSS_EXTERN PRStatus
+nssCertificateStore_AddSMIMEProfile
+(
+  nssCertificateStore *store,
+  nssSMIMEProfile *profile
+)
+{
+    NSSCertificate *cert;
+    certificate_hash_entry *entry;
+    cert = profile->certificate;
+    PZ_Lock(store->lock);
+    entry = (certificate_hash_entry *)
+                              nssHash_Lookup(store->issuer_and_serial, cert);
+    if (entry) {
+	entry->profile = nssSMIMEProfile_AddRef(profile);
+    }
+    PZ_Unlock(store->lock);
+    return (entry) ? PR_SUCCESS : PR_FAILURE;
+}
+
+NSS_IMPLEMENT nssSMIMEProfile *
+nssCertificateStore_FindSMIMEProfileForCertificate
+(
+  nssCertificateStore *store,
+  NSSCertificate *cert
+)
+{
+    certificate_hash_entry *entry;
+    nssSMIMEProfile *rvProfile = NULL;
+    PZ_Lock(store->lock);
+    entry = (certificate_hash_entry *)
+                              nssHash_Lookup(store->issuer_and_serial, cert);
+    if (entry && entry->profile) {
+	rvProfile = nssSMIMEProfile_AddRef(entry->profile);
+    }
+    PZ_Unlock(store->lock);
+    return rvProfile;
+}
+
+/* XXX this is also used by cache and should be somewhere else */
+
+static PLHashNumber
+nss_certificate_hash
+(
+  const void *key
+)
+{
+    int i;
+    PLHashNumber h;
+    NSSCertificate *c = (NSSCertificate *)key;
+    h = 0;
+    for (i=0; i<c->issuer.size; i++)
+	h = (h >> 28) ^ (h << 4) ^ ((unsigned char *)c->issuer.data)[i];
+    for (i=0; i<c->serial.size; i++)
+	h = (h >> 28) ^ (h << 4) ^ ((unsigned char *)c->serial.data)[i];
+    return h;
+}
+
+static int
+nss_compare_certs(const void *v1, const void *v2)
+{
+    PRStatus ignore;
+    NSSCertificate *c1 = (NSSCertificate *)v1;
+    NSSCertificate *c2 = (NSSCertificate *)v2;
+    return (int)(nssItem_Equal(&c1->issuer, &c2->issuer, &ignore) &&
+                 nssItem_Equal(&c1->serial, &c2->serial, &ignore));
+}
+
+NSS_IMPLEMENT nssHash *
+nssHash_CreateCertificate
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets
+)
+{
+    return nssHash_Create(arenaOpt, 
+                          numBuckets, 
+                          nss_certificate_hash, 
+                          nss_compare_certs, 
+                          PL_CompareValues);
+}
+
+NSS_IMPLEMENT void
+nssCertificateStore_DumpStoreInfo
+(
+  nssCertificateStore *store,
+  void (* cert_dump_iter)(const void *, void *, void *),
+  void *arg
+)
+{
+    PZ_Lock(store->lock);
+    nssHash_Iterate(store->issuer_and_serial, cert_dump_iter, arg);
+    PZ_Unlock(store->lock);
+}
+
diff --git a/security/nss/lib/pki/pkistore.h b/security/nss/lib/pki/pkistore.h
new file mode 100644
index 000000000..a13186118
--- /dev/null
+++ b/security/nss/lib/pki/pkistore.h
@@ -0,0 +1,178 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef PKISTORE_H
+#define PKISTORE_H
+
+#ifdef DEBUG
+static const char PKISTORE_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef NSSPKIT_H
+#include "nsspkit.h"
+#endif /* NSSPKIT_H */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+PR_BEGIN_EXTERN_C
+
+/* 
+ * PKI Stores
+ *
+ * This is a set of routines for managing local stores of PKI objects.
+ * Currently, the only application is in crypto contexts, where the
+ * certificate store is used.  In the future, methods should be added
+ * here for storing local references to keys.
+ */
+
+/* 
+ * nssCertificateStore
+ *
+ * Manages local store of certificate, trust, and S/MIME profile objects.
+ * Within a crypto context, mappings of cert to trust and cert to S/MIME
+ * profile are always 1-1.  Therefore, it is reasonable to store all objects
+ * in a single collection, indexed by the certificate.
+ */
+
+NSS_EXTERN nssCertificateStore *
+nssCertificateStore_Create
+(
+  NSSArena *arenaOpt
+);
+
+NSS_EXTERN void
+nssCertificateStore_Destroy
+(
+  nssCertificateStore *store
+);
+
+NSS_EXTERN PRStatus
+nssCertificateStore_Add
+(
+  nssCertificateStore *store,
+  NSSCertificate *cert
+);
+
+NSS_EXTERN void
+nssCertificateStore_Remove
+(
+  nssCertificateStore *store,
+  NSSCertificate *cert
+);
+
+NSS_EXTERN NSSCertificate **
+nssCertificateStore_FindCertificatesBySubject
+(
+  nssCertificateStore *store,
+  NSSDER *subject,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+);
+
+NSS_EXTERN NSSCertificate **
+nssCertificateStore_FindCertificatesByNickname
+(
+  nssCertificateStore *store,
+  NSSUTF8 *nickname,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+);
+
+NSS_EXTERN NSSCertificate **
+nssCertificateStore_FindCertificatesByEmail
+(
+  nssCertificateStore *store,
+  NSSASCII7 *email,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt,
+  NSSArena *arenaOpt
+);
+
+NSS_EXTERN NSSCertificate *
+nssCertificateStore_FindCertificateByIssuerAndSerialNumber
+(
+  nssCertificateStore *store,
+  NSSDER *issuer,
+  NSSDER *serial
+);
+
+NSS_EXTERN NSSCertificate *
+nssCertificateStore_FindCertificateByEncodedCertificate
+(
+  nssCertificateStore *store,
+  NSSDER *encoding
+);
+
+NSS_EXTERN PRStatus
+nssCertificateStore_AddTrust
+(
+  nssCertificateStore *store,
+  NSSTrust *trust
+);
+
+NSS_EXTERN NSSTrust *
+nssCertificateStore_FindTrustForCertificate
+(
+  nssCertificateStore *store,
+  NSSCertificate *cert
+);
+
+NSS_EXTERN PRStatus
+nssCertificateStore_AddSMIMEProfile
+(
+  nssCertificateStore *store,
+  nssSMIMEProfile *profile
+);
+
+NSS_EXTERN nssSMIMEProfile *
+nssCertificateStore_FindSMIMEProfileForCertificate
+(
+  nssCertificateStore *store,
+  NSSCertificate *cert
+);
+
+NSS_EXTERN void
+nssCertificateStore_DumpStoreInfo
+(
+  nssCertificateStore *store,
+  void (* cert_dump_iter)(const void *, void *, void *),
+  void *arg
+);
+
+PR_END_EXTERN_C
+
+#endif /* PKISTORE_H */
diff --git a/security/nss/lib/pki/pkit.h b/security/nss/lib/pki/pkit.h
new file mode 100644
index 000000000..1e0f98a4f
--- /dev/null
+++ b/security/nss/lib/pki/pkit.h
@@ -0,0 +1,191 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef PKIT_H
+#define PKIT_H
+
+#ifdef DEBUG
+static const char PKIT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * pkit.h
+ *
+ * This file contains definitions for the types of the top-level PKI objects.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef BASET_H
+#include "baset.h"
+#endif /* BASET_H */
+
+#ifdef NSS_3_4_CODE
+#include "certt.h"
+#include "pkcs11t.h"
+#endif /* NSS_3_4_CODE */
+
+#ifndef NSSPKIT_H
+#include "nsspkit.h"
+#endif /* NSSPKIT_H */
+
+#ifndef NSSDEVT_H
+#include "nssdevt.h"
+#endif /* NSSDEVT_H */
+
+#ifndef DEVT_H
+#include "devt.h"
+#endif /* DEVT_H */
+
+PR_BEGIN_EXTERN_C
+
+typedef struct nssDecodedCertStr nssDecodedCert;
+
+typedef struct nssCertificateStoreStr nssCertificateStore;
+
+/* How wide is the scope of this? */
+typedef struct nssSMIMEProfileStr nssSMIMEProfile;
+
+/*
+ * A note on ephemeral certs
+ *
+ * The key objects defined here can only be created on tokens, and can only
+ * exist on tokens.  Therefore, any instance of a key object must have
+ * a corresponding cryptoki instance.  OTOH, certificates created in 
+ * crypto contexts need not be stored as session objects on the token.
+ * There are good performance reasons for not doing so.  The certificate
+ * and trust objects have been defined with a cryptoContext field to
+ * allow for ephemeral certs, which may have a single instance in a crypto
+ * context along with any number (including zero) of cryptoki instances.
+ * Since contexts may not share objects, there can be only one context
+ * for each object.
+ */
+
+/* The common data from which all objects inherit */
+struct nssPKIObjectBaseStr 
+{
+    /* The arena for all object memory */
+    NSSArena *arena;
+    /* Thread-safe reference counting */
+    PZLock *lock;
+    PRInt32 refCount;
+    /* List of nssCryptokiInstance's of the object */
+    nssList *instanceList;
+    nssListIterator *instances;
+    /* The object must live in a trust domain */
+    NSSTrustDomain *trustDomain;
+    /* The object may live in a crypto context */
+    NSSCryptoContext *cryptoContext;
+    /* XXX added so temp certs can have nickname, think more ... */
+    NSSUTF8 *tempName;
+};
+
+struct NSSTrustStr 
+{
+    struct nssPKIObjectBaseStr object;
+    NSSCertificate *certificate;
+    nssTrustLevel serverAuth;
+    nssTrustLevel clientAuth;
+    nssTrustLevel emailProtection;
+    nssTrustLevel codeSigning;
+};
+
+struct nssSMIMEProfileStr
+{
+    struct nssPKIObjectBaseStr object;
+    NSSCertificate *certificate;
+    NSSASCII7 *email;
+    NSSDER *subject;
+    NSSItem *profileTime;
+    NSSItem *profileData;
+};
+
+struct NSSCertificateStr
+{
+    struct nssPKIObjectBaseStr object;
+    NSSCertificateType type;
+    NSSItem id;
+    NSSBER encoding;
+    NSSDER issuer;
+    NSSDER subject;
+    NSSDER serial;
+    NSSASCII7 *email;
+    nssDecodedCert *decoding;
+};
+
+struct NSSPrivateKeyStr;
+
+struct NSSPublicKeyStr;
+
+struct NSSSymmetricKeyStr;
+
+typedef struct nssTDCertificateCacheStr nssTDCertificateCache;
+
+struct NSSTrustDomainStr {
+    PRInt32 refCount;
+    NSSArena *arena;
+    NSSCallback defaultCallback;
+    nssList *tokenList;
+    nssListIterator *tokens;
+    nssTDCertificateCache *cache;
+#ifdef NSS_3_4_CODE
+    void *spkDigestInfo;
+    CERTStatusConfig *statusConfig;
+#endif
+};
+
+struct NSSCryptoContextStr
+{
+    PRInt32 refCount;
+    NSSArena *arena;
+    NSSTrustDomain *td;
+    NSSToken *token;
+    nssSession *session;
+    nssCertificateStore *certStore;
+};
+
+struct NSSTimeStr {
+    PRTime prTime;
+};
+
+struct NSSPoliciesStr;
+
+struct NSSAlgorithmAndParametersStr;
+
+struct NSSPKIXCertificateStr;
+
+PR_END_EXTERN_C
+
+#endif /* PKIT_H */
diff --git a/security/nss/lib/pki/pkitm.h b/security/nss/lib/pki/pkitm.h
new file mode 100644
index 000000000..a943fd834
--- /dev/null
+++ b/security/nss/lib/pki/pkitm.h
@@ -0,0 +1,109 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef PKITM_H
+#define PKITM_H
+
+#ifdef DEBUG
+static const char PKITM_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * pkitm.h
+ *
+ * This file contains PKI-module specific types.
+ */
+
+#ifndef BASET_H
+#include "baset.h"
+#endif /* BASET_H */
+
+#ifndef PKIT_H
+#include "pkit.h"
+#endif /* PKIT_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * nssDecodedCert
+ *
+ * This is an interface to allow the PKI module access to certificate
+ * information that can only be found by decoding.  The interface is
+ * generic, allowing each certificate type its own way of providing
+ * the information
+ */
+struct nssDecodedCertStr {
+    NSSCertificateType type;
+    void *data;
+    /* returns the unique identifier for the cert */
+    NSSItem *  (*getIdentifier)(nssDecodedCert *dc);
+    /* returns the unique identifier for this cert's issuer */
+    NSSItem *  (*getIssuerIdentifier)(nssDecodedCert *dc);
+    /* is id the identifier for this cert? */
+    PRBool     (*matchIdentifier)(nssDecodedCert *dc, NSSItem *id);
+    /* returns the cert usage */
+    NSSUsage * (*getUsage)(nssDecodedCert *dc);
+    /* is time within the validity period of the cert? */
+    PRBool     (*isValidAtTime)(nssDecodedCert *dc, NSSTime *time);
+    /* is the validity period of this cert newer than cmpdc? */
+    PRBool     (*isNewerThan)(nssDecodedCert *dc, nssDecodedCert *cmpdc);
+    /* does the usage for this cert match the requested usage? */
+    PRBool     (*matchUsage)(nssDecodedCert *dc, NSSUsage *usage);
+    /* extract the email address */
+    NSSASCII7 *(*getEmailAddress)(nssDecodedCert *dc);
+    /* extract the DER-encoded serial number */
+    PRStatus   (*getDERSerialNumber)(nssDecodedCert *dc,
+                                     NSSDER *derSerial, NSSArena *arena);
+};
+
+struct NSSUsageStr {
+    PRBool anyUsage;
+#ifdef NSS_3_4_CODE
+    SECCertUsage nss3usage;
+    PRBool nss3lookingForCA;
+#endif
+};
+
+typedef struct nssBestCertificateCBStr nssBestCertificateCB;
+
+struct nssBestCertificateCBStr {
+    NSSCertificate *cert;
+    NSSTime *time;
+    NSSTime sTime; /* to avoid allocating when unnecessary */
+    NSSUsage *usage;
+    NSSPolicies *policies;
+};
+
+PR_END_EXTERN_C
+
+#endif /* PKITM_H */
diff --git a/security/nss/lib/pki/symmkey.c b/security/nss/lib/pki/symmkey.c
new file mode 100644
index 000000000..773bdc246
--- /dev/null
+++ b/security/nss/lib/pki/symmkey.c
@@ -0,0 +1,318 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef NSSPKI_H
+#include "nsspki.h"
+#endif /* NSSPKI_H */
+
+extern const NSSError NSS_ERROR_NOT_FOUND;
+
+NSS_IMPLEMENT PRStatus
+NSSSymmetricKey_Destroy
+(
+  NSSSymmetricKey *mk
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSSymmetricKey_DeleteStoredObject
+(
+  NSSSymmetricKey *mk,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRUint32
+NSSSymmetricKey_GetKeyLength
+(
+  NSSSymmetricKey *mk
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return -1;
+}
+
+NSS_IMPLEMENT PRUint32
+NSSSymmetricKey_GetKeyStrength
+(
+  NSSSymmetricKey *mk
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return -1;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSSymmetricKey_IsStillPresent
+(
+  NSSSymmetricKey *mk
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSTrustDomain *
+NSSSymmetricKey_GetTrustDomain
+(
+  NSSSymmetricKey *mk,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSToken *
+NSSSymmetricKey_GetToken
+(
+  NSSSymmetricKey *mk,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSlot *
+NSSSymmetricKey_GetSlot
+(
+  NSSSymmetricKey *mk,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSModule *
+NSSSymmetricKey_GetModule
+(
+  NSSSymmetricKey *mk,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSSymmetricKey_Encrypt
+(
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSSymmetricKey_Decrypt
+(
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *encryptedData,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSSymmetricKey_Sign
+(
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSSymmetricKey_SignRecover
+(
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSSymmetricKey_Verify
+(
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *data,
+  NSSItem *signature,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSSymmetricKey_VerifyRecover
+(
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *signature,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSSymmetricKey_WrapSymmetricKey
+(
+  NSSSymmetricKey *wrappingKey,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSSymmetricKey *keyToWrap,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSItem *
+NSSSymmetricKey_WrapPrivateKey
+(
+  NSSSymmetricKey *wrappingKey,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPrivateKey *keyToWrap,
+  NSSCallback *uhh,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSSymmetricKey_UnwrapSymmetricKey
+(
+  NSSSymmetricKey *wrappingKey,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *wrappedKey,
+  NSSOID *target,
+  PRUint32 keySizeOpt,
+  NSSOperations operations,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSPrivateKey *
+NSSSymmetricKey_UnwrapPrivateKey
+(
+  NSSSymmetricKey *wrappingKey,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSItem *wrappedKey,
+  NSSUTF8 *labelOpt,
+  NSSItem *keyIDOpt,
+  PRBool persistant,
+  PRBool sensitive,
+  NSSToken *destinationOpt,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSSymmetricKey_DeriveSymmetricKey
+(
+  NSSSymmetricKey *originalKey,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSOID *target,
+  PRUint32 keySizeOpt,
+  NSSOperations operations,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCryptoContext *
+NSSSymmetricKey_CreateCryptoContext
+(
+  NSSSymmetricKey *mk,
+  NSSAlgorithmAndParameters *apOpt,
+  NSSCallback *uhh
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
diff --git a/security/nss/lib/pki/tdcache.c b/security/nss/lib/pki/tdcache.c
new file mode 100644
index 000000000..e34c6403a
--- /dev/null
+++ b/security/nss/lib/pki/tdcache.c
@@ -0,0 +1,1095 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIM_H
+#include "pkim.h"
+#endif /* PKIM_H */
+
+#ifndef PKIT_H
+#include "pkit.h"
+#endif /* PKIT_H */
+
+#ifndef NSSPKI_H
+#include "nsspki.h"
+#endif /* NSSPKI_H */
+
+#ifndef PKI_H
+#include "pki.h"
+#endif /* PKI_H */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#ifdef NSS_3_4_CODE
+#include "cert.h"
+#endif
+
+#ifdef DEBUG_CACHE
+static PRLogModuleInfo *s_log = NULL;
+#endif
+
+#ifdef DEBUG_CACHE
+static void log_item_dump(const char *msg, NSSItem *it)
+{
+    char buf[33];
+    int i, j;
+    for (i=0; i<10 && i<it->size; i++) {
+	sprintf(&buf[2*i], "%02X", ((PRUint8 *)it->data)[i]);
+    }
+    if (it->size>10) {
+	sprintf(&buf[2*i], "..");
+	i += 1;
+	for (j=it->size-1; i<=16 && j>10; i++, j--) {
+	    sprintf(&buf[2*i], "%02X", ((PRUint8 *)it->data)[j]);
+	}
+    }
+    PR_LOG(s_log, PR_LOG_DEBUG, ("%s: %s", msg, buf));
+}
+#endif
+
+#ifdef DEBUG_CACHE
+static void log_cert_ref(const char *msg, NSSCertificate *c)
+{
+    PR_LOG(s_log, PR_LOG_DEBUG, ("%s: %s", msg,
+                           (c->nickname) ? c->nickname : c->email));
+    log_item_dump("\tserial", &c->serial);
+    log_item_dump("\tsubject", &c->subject);
+}
+#endif
+
+/* Certificate cache routines */
+
+/* XXX
+ * Locking is not handled well at all.  A single, global lock with sub-locks
+ * in the collection types.  Cleanup needed.
+ */
+
+/* should it live in its own arena? */
+struct nssTDCertificateCacheStr 
+{
+    PZLock *lock;
+    NSSArena *arena;
+    nssHash *issuerAndSN;
+    nssHash *subject;
+    nssHash *nickname;
+    nssHash *email;
+};
+
+struct cache_entry_str 
+{
+    union {
+	NSSCertificate *cert;
+	nssList *list;
+	void *value;
+    } entry;
+    PRUint32 hits;
+    PRTime lastHit;
+    NSSArena *arena;
+};
+
+typedef struct cache_entry_str cache_entry;
+
+static cache_entry *
+new_cache_entry(NSSArena *arena, void *value, PRBool ownArena)
+{
+    cache_entry *ce = nss_ZNEW(arena, cache_entry);
+    if (ce) {
+	ce->entry.value = value;
+	ce->hits = 1;
+	ce->lastHit = PR_Now();
+	if (ownArena) {
+	    ce->arena = arena;
+	}
+    }
+    return ce;
+}
+
+/* sort the subject list from newest to oldest */
+static PRIntn subject_list_sort(void *v1, void *v2)
+{
+    NSSCertificate *c1 = (NSSCertificate *)v1;
+    NSSCertificate *c2 = (NSSCertificate *)v2;
+    nssDecodedCert *dc1 = nssCertificate_GetDecoding(c1);
+    nssDecodedCert *dc2 = nssCertificate_GetDecoding(c2);
+    if (dc1->isNewerThan(dc1, dc2)) {
+	return -1;
+    } else {
+	return 1;
+    }
+}
+
+/* this should not be exposed in a header, but is here to keep the above
+ * types/functions static
+ */
+NSS_IMPLEMENT PRStatus
+nssTrustDomain_InitializeCache
+(
+  NSSTrustDomain *td,
+  PRUint32 cacheSize
+)
+{
+    NSSArena *arena;
+    nssTDCertificateCache *cache = td->cache;
+#ifdef DEBUG_CACHE
+    s_log = PR_NewLogModule("nss_cache");
+    PR_ASSERT(s_log);
+#endif
+    PR_ASSERT(!cache);
+    arena = nssArena_Create();
+    if (!arena) {
+	return PR_FAILURE;
+    }
+    cache = nss_ZNEW(arena, nssTDCertificateCache);
+    if (!cache) {
+	nssArena_Destroy(arena);
+	return PR_FAILURE;
+    }
+    cache->lock = PZ_NewLock(nssILockCache);
+    if (!cache->lock) {
+	nssArena_Destroy(arena);
+	return PR_FAILURE;
+    }
+    /* Create the issuer and serial DER --> certificate hash */
+    cache->issuerAndSN = nssHash_CreateCertificate(arena, cacheSize);
+    if (!cache->issuerAndSN) {
+	goto loser;
+    }
+    /* Create the subject DER --> subject list hash */
+    cache->subject = nssHash_CreateItem(arena, cacheSize);
+    if (!cache->subject) {
+	goto loser;
+    }
+    /* Create the nickname --> subject list hash */
+    cache->nickname = nssHash_CreateString(arena, cacheSize);
+    if (!cache->nickname) {
+	goto loser;
+    }
+    /* Create the email --> list of subject lists hash */
+    cache->email = nssHash_CreateString(arena, cacheSize);
+    if (!cache->email) {
+	goto loser;
+    }
+    cache->arena = arena;
+    td->cache = cache;
+#ifdef DEBUG_CACHE
+    PR_LOG(s_log, PR_LOG_DEBUG, ("Cache initialized."));
+#endif
+    return PR_SUCCESS;
+loser:
+    PZ_DestroyLock(cache->lock);
+    nssArena_Destroy(arena);
+    td->cache = NULL;
+#ifdef DEBUG_CACHE
+    PR_LOG(s_log, PR_LOG_DEBUG, ("Cache initialization failed."));
+#endif
+    return PR_FAILURE;
+}
+
+/* The entries of the hashtable are currently dependent on the certificate(s)
+ * that produced them.  That is, the entries will be freed when the cert is
+ * released from the cache.  If there are certs in the cache at any time,
+ * including shutdown, the hash table entries will hold memory.  In order for
+ * clean shutdown, it is necessary for there to be no certs in the cache.
+ */
+
+NSS_IMPLEMENT PRStatus
+nssTrustDomain_DestroyCache
+(
+  NSSTrustDomain *td
+)
+{
+    if (!td->cache) {
+	return PR_FAILURE;
+    }
+    PZ_DestroyLock(td->cache->lock);
+    nssHash_Destroy(td->cache->issuerAndSN);
+    nssHash_Destroy(td->cache->subject);
+    nssHash_Destroy(td->cache->nickname);
+    nssHash_Destroy(td->cache->email);
+    nssArena_Destroy(td->cache->arena);
+    td->cache = NULL;
+#ifdef DEBUG_CACHE
+    PR_LOG(s_log, PR_LOG_DEBUG, ("Cache destroyed."));
+#endif
+    return PR_SUCCESS;
+}
+
+static PRStatus
+remove_issuer_and_serial_entry
+(
+  nssTDCertificateCache *cache,
+  NSSCertificate *cert
+)
+{
+    /* Remove the cert from the issuer/serial hash */
+    nssHash_Remove(cache->issuerAndSN, cert);
+#ifdef DEBUG_CACHE
+    log_cert_ref("removed issuer/sn", cert);
+#endif
+    return PR_SUCCESS;
+}
+
+static PRStatus
+remove_subject_entry
+(
+  nssTDCertificateCache *cache,
+  NSSCertificate *cert,
+  nssList **subjectList,
+  NSSArena **arena
+)
+{
+    PRStatus nssrv;
+    cache_entry *ce;
+    *subjectList = NULL;
+    *arena = NULL;
+    /* Get the subject list for the cert's subject */
+    ce = (cache_entry *)nssHash_Lookup(cache->subject, &cert->subject);
+    if (ce) {
+	/* Remove the cert from the subject hash */
+	nssList_Remove(ce->entry.list, cert);
+	*subjectList = ce->entry.list;
+	*arena = ce->arena;
+	nssrv = PR_SUCCESS;
+#ifdef DEBUG_CACHE
+	log_cert_ref("removed cert", cert);
+	log_item_dump("from subject list", &cert->subject);
+#endif
+    } else {
+	nssrv = PR_FAILURE;
+    }
+    return nssrv;
+}
+
+static PRStatus
+remove_nickname_entry
+(
+  nssTDCertificateCache *cache,
+  NSSCertificate *cert,
+  nssList *subjectList
+)
+{
+    PRStatus nssrv;
+    NSSUTF8 *nickname = NSSCertificate_GetNickname(cert, NULL);
+    if (nickname) {
+	nssHash_Remove(cache->nickname, nickname);
+	nssrv = PR_SUCCESS;
+#ifdef DEBUG_CACHE
+	PR_LOG(s_log, PR_LOG_DEBUG, ("removed nickname %s", nickname));
+#endif
+    } else {
+	nssrv = PR_FAILURE;
+    }
+    return nssrv;
+}
+
+static PRStatus
+remove_email_entry
+(
+  nssTDCertificateCache *cache,
+  NSSCertificate *cert,
+  nssList *subjectList
+)
+{
+    PRStatus nssrv = PR_FAILURE;
+    cache_entry *ce;
+    /* Find the subject list in the email hash */
+    if (cert->email) {
+	ce = (cache_entry *)nssHash_Lookup(cache->email, cert->email);
+	if (ce) {
+	    nssList *subjects = ce->entry.list;
+	    /* Remove the subject list from the email hash */
+	    nssList_Remove(subjects, subjectList);
+#ifdef DEBUG_CACHE
+	    log_item_dump("removed subject list", &cert->subject);
+	    PR_LOG(s_log, PR_LOG_DEBUG, ("for email %s", cert->email));
+#endif
+	    if (nssList_Count(subjects) == 0) {
+		/* No more subject lists for email, delete list and
+		* remove hash entry
+		*/
+		(void)nssList_Destroy(subjects);
+		nssHash_Remove(cache->email, cert->email);
+		/* there are no entries left for this address, free space
+		 * used for email entries
+		 */
+		nssArena_Destroy(ce->arena);
+#ifdef DEBUG_CACHE
+		PR_LOG(s_log, PR_LOG_DEBUG, ("removed email %s", cert->email));
+#endif
+	    }
+	    nssrv = PR_SUCCESS;
+	}
+    }
+    return nssrv;
+}
+
+NSS_IMPLEMENT void
+nssTrustDomain_RemoveCertFromCache
+(
+  NSSTrustDomain *td,
+  NSSCertificate *cert
+)
+{
+    nssList *subjectList;
+    PRStatus nssrv;
+    cache_entry *ce;
+    NSSArena *arena;
+#ifdef DEBUG_CACHE
+    log_cert_ref("attempt to remove cert", cert);
+#endif
+    PZ_Lock(td->cache->lock);
+    ce = (cache_entry *)nssHash_Lookup(td->cache->issuerAndSN, cert);
+    if (!ce || ce->entry.cert != cert) {
+	/* If it's not in the cache, or a different cert is (this is really
+	 * for safety reasons, though it shouldn't happen), do nothing 
+	 */
+	PZ_Unlock(td->cache->lock);
+#ifdef DEBUG_CACHE
+	PR_LOG(s_log, PR_LOG_DEBUG, ("but it wasn't in the cache"));
+#endif
+	return;
+    }
+    nssrv = remove_issuer_and_serial_entry(td->cache, cert);
+    if (nssrv != PR_SUCCESS) {
+	goto loser;
+    }
+    nssrv = remove_subject_entry(td->cache, cert, &subjectList, &arena);
+    if (nssrv != PR_SUCCESS) {
+	goto loser;
+    }
+    if (nssList_Count(subjectList) == 0) {
+	PRStatus nssrv2;
+	nssrv = remove_nickname_entry(td->cache, cert, subjectList);
+	nssrv2 = remove_email_entry(td->cache, cert, subjectList);
+#ifndef NSS_3_4_CODE
+	/* XXX Again, 3.4 allows for certs w/o either nickname or email */
+	if (nssrv != PR_SUCCESS && nssrv2 != PR_SUCCESS) {
+	    goto loser;
+	}
+#endif
+	(void)nssList_Destroy(subjectList);
+	nssHash_Remove(td->cache->subject, &cert->subject);
+	/* there are no entries left for this subject, free the space used
+	 * for both the nickname and subject entries
+	 */
+	if (arena) {
+	    nssArena_Destroy(arena);
+	}
+    }
+    PZ_Unlock(td->cache->lock);
+    NSSCertificate_Destroy(cert); /* release the reference */
+    return;
+loser:
+    /* if here, then the cache is inconsistent.  For now, flush it. */
+    PZ_Unlock(td->cache->lock);
+#ifdef DEBUG_CACHE
+    PR_LOG(s_log, PR_LOG_DEBUG, ("remove cert failed, flushing"));
+#endif
+    nssTrustDomain_FlushCache(td, -1.0);
+    NSSCertificate_Destroy(cert); /* release the reference */
+}
+
+/* This is used to remove all certs below a certain threshold, where
+ * the value is determined by how many times the cert has been requested
+ * and when the last request was.
+ */
+NSS_IMPLEMENT void
+nssTrustDomain_FlushCache
+(
+  NSSTrustDomain *td,
+  PRFloat64 threshold
+)
+{
+}
+
+struct token_cert_destructor {
+    nssTDCertificateCache *cache;
+    NSSToken *token;
+};
+
+static void 
+remove_token_certs(const void *k, void *v, void *a)
+{
+#if 0
+    struct NSSItem *identifier = (struct NSSItem *)k;
+    NSSCertificate *c = (NSSCertificate *)v;
+    struct token_cert_destructor *tcd = (struct token_cert_destructor *)a;
+    if (c->token == tcd->token) {
+	nssHash_Remove(tcd->cache->issuerAndSN, identifier);
+	/* remove from the other hashes */
+    }
+#endif
+}
+
+/* 
+ * Remove all certs for the given token from the cache.  This is
+ * needed if the token is removed. 
+ */
+NSS_IMPLEMENT PRStatus
+nssTrustDomain_RemoveTokenCertsFromCache
+(
+  NSSTrustDomain *td,
+  NSSToken *token
+)
+{
+    struct token_cert_destructor tcd;
+    tcd.cache = td->cache;
+    tcd.token = token;
+    PZ_Lock(td->cache->lock);
+    nssHash_Iterate(td->cache->issuerAndSN, remove_token_certs, (void *)&tcd);
+    PZ_Unlock(td->cache->lock);
+    return PR_SUCCESS;
+}
+
+static PRStatus
+add_issuer_and_serial_entry
+(
+  NSSArena *arena,
+  nssTDCertificateCache *cache, 
+  NSSCertificate *cert
+)
+{
+    cache_entry *ce;
+    ce = new_cache_entry(arena, (void *)cert, PR_FALSE);
+#ifdef DEBUG_CACHE
+    log_cert_ref("added to issuer/sn", cert);
+#endif
+    return nssHash_Add(cache->issuerAndSN, cert, (void *)ce);
+}
+
+static PRStatus
+add_subject_entry
+(
+  NSSArena *arena,
+  nssTDCertificateCache *cache, 
+  NSSCertificate *cert,
+  nssList **subjectList
+)
+{
+    PRStatus nssrv;
+    nssList *list;
+    cache_entry *ce;
+    *subjectList = NULL;  /* this is only set if a new one is created */
+    ce = (cache_entry *)nssHash_Lookup(cache->subject, &cert->subject);
+    if (ce) {
+	ce->hits++;
+	ce->lastHit = PR_Now();
+	/* The subject is already in, add this cert to the list */
+	nssrv = nssList_AddUnique(ce->entry.list, cert);
+#ifdef DEBUG_CACHE
+	log_cert_ref("added to existing subject list", cert);
+#endif
+    } else {
+	NSSDER *subject;
+	/* Create a new subject list for the subject */
+	list = nssList_Create(arena, PR_FALSE);
+	if (!list) {
+	    return PR_FAILURE;
+	}
+	ce = new_cache_entry(arena, (void *)list, PR_TRUE);
+	if (!ce) {
+	    return PR_FAILURE;
+	}
+	nssList_SetSortFunction(list, subject_list_sort);
+	/* Add the cert entry to this list of subjects */
+	nssrv = nssList_AddUnique(list, cert);
+	if (nssrv != PR_SUCCESS) {
+	    return nssrv;
+	}
+	/* Add the subject list to the cache */
+	subject = nssItem_Duplicate(&cert->subject, arena, NULL);
+	if (!subject) {
+	    return PR_FAILURE;
+	}
+	nssrv = nssHash_Add(cache->subject, subject, ce);
+	if (nssrv != PR_SUCCESS) {
+	    return nssrv;
+	}
+	*subjectList = list;
+#ifdef DEBUG_CACHE
+	log_cert_ref("created subject list", cert);
+#endif
+    }
+    return nssrv;
+}
+
+static PRStatus
+add_nickname_entry
+(
+  NSSArena *arena,
+  nssTDCertificateCache *cache, 
+  NSSCertificate *cert,
+  nssList *subjectList
+)
+{
+    PRStatus nssrv = PR_SUCCESS;
+    NSSUTF8 *certNickname = NSSCertificate_GetNickname(cert, NULL);
+    cache_entry *ce;
+    ce = (cache_entry *)nssHash_Lookup(cache->nickname, certNickname);
+    if (ce) {
+	/* This is a collision.  A nickname entry already exists for this
+	 * subject, but a subject entry didn't.  This would imply there are
+	 * two subjects using the same nickname, which is not allowed.
+	 */
+	return PR_FAILURE;
+    } else {
+	NSSUTF8 *nickname;
+	ce = new_cache_entry(arena, subjectList, PR_FALSE);
+	if (!ce) {
+	    return PR_FAILURE;
+	}
+	nickname = nssUTF8_Duplicate(certNickname, arena);
+	if (!nickname) {
+	    return PR_FAILURE;
+	}
+	nssrv = nssHash_Add(cache->nickname, nickname, ce);
+#ifdef DEBUG_CACHE
+	log_cert_ref("created nickname for", cert);
+#endif
+    }
+    return nssrv;
+}
+
+static PRStatus
+add_email_entry
+(
+  nssTDCertificateCache *cache, 
+  NSSCertificate *cert,
+  nssList *subjectList
+)
+{
+    PRStatus nssrv = PR_SUCCESS;
+    nssList *subjects;
+    cache_entry *ce;
+    ce = (cache_entry *)nssHash_Lookup(cache->email, cert->email);
+    if (ce) {
+	/* Already have an entry for this email address, but not subject */
+	subjects = ce->entry.list;
+	nssrv = nssList_AddUnique(subjects, subjectList);
+	ce->hits++;
+	ce->lastHit = PR_Now();
+#ifdef DEBUG_CACHE
+	log_cert_ref("added subject to email for", cert);
+#endif
+    } else {
+	NSSASCII7 *email;
+	NSSArena *arena;
+	arena = nssArena_Create();
+	if (!arena) {
+	    return PR_FAILURE;
+	}
+	/* Create a new list of subject lists, add this subject */
+	subjects = nssList_Create(arena, PR_TRUE);
+	if (!subjects) {
+	    nssArena_Destroy(arena);
+	    return PR_FAILURE;
+	}
+	/* Add the new subject to the list */
+	nssrv = nssList_AddUnique(subjects, subjectList);
+	if (nssrv != PR_SUCCESS) {
+	    nssArena_Destroy(arena);
+	    return nssrv;
+	}
+	/* Add the new entry to the cache */
+	ce = new_cache_entry(arena, (void *)subjects, PR_TRUE);
+	if (!ce) {
+	    nssArena_Destroy(arena);
+	    return PR_FAILURE;
+	}
+	email = nssUTF8_Duplicate(cert->email, arena);
+	if (!email) {
+	    nssArena_Destroy(arena);
+	    return PR_FAILURE;
+	}
+	nssrv = nssHash_Add(cache->email, email, ce);
+	if (nssrv != PR_SUCCESS) {
+	    nssArena_Destroy(arena);
+	    return nssrv;
+	}
+#ifdef DEBUG_CACHE
+	log_cert_ref("created email for", cert);
+#endif
+    }
+    return nssrv;
+}
+
+extern const NSSError NSS_ERROR_CERTIFICATE_IN_CACHE;
+
+static PRStatus
+add_cert_to_cache
+(
+  NSSTrustDomain *td, 
+  NSSCertificate *cert
+)
+{
+    NSSArena *arena = NULL;
+    nssList *subjectList;
+    PRStatus nssrv;
+    PRUint32 added = 0;
+    PZ_Lock(td->cache->lock);
+    /* If it exists in the issuer/serial hash, it's already in all */
+    if (nssHash_Exists(td->cache->issuerAndSN, cert)) {
+#ifdef DEBUG_CACHE
+	log_cert_ref("attempted to add cert already in cache", cert);
+#endif
+	PZ_Unlock(td->cache->lock);
+	/* collision - most likely, somebody else already added the cert
+	 * to the cache before this thread got around to it.
+	 */
+	nss_SetError(NSS_ERROR_CERTIFICATE_IN_CACHE);
+	return PR_FAILURE;
+    }
+    /* create a new cache entry for this cert within the cert's arena*/
+    nssrv = add_issuer_and_serial_entry(cert->object.arena, td->cache, cert);
+    if (nssrv != PR_SUCCESS) {
+	goto loser;
+    }
+    added++;
+    /* create an arena for the nickname and subject entries */
+    arena = nssArena_Create();
+    if (!arena) {
+	goto loser;
+    }
+    /* create a new subject list for this cert, or add to existing */
+    nssrv = add_subject_entry(arena, td->cache, cert, &subjectList);
+    if (nssrv != PR_SUCCESS) {
+	goto loser;
+    }
+    added++;
+    /* If a new subject entry was created, also need nickname and/or email */
+    if (subjectList != NULL) {
+	PRBool handle = PR_FALSE;
+	NSSUTF8 *certNickname = NSSCertificate_GetNickname(cert, NULL);
+	if (certNickname) {
+	    nssrv = add_nickname_entry(arena, td->cache, cert, subjectList);
+	    if (nssrv != PR_SUCCESS) {
+		goto loser;
+	    }
+	    handle = PR_TRUE;
+	    added++;
+	}
+	if (cert->email) {
+	    nssrv = add_email_entry(td->cache, cert, subjectList);
+	    if (nssrv != PR_SUCCESS) {
+		goto loser;
+	    }
+	    handle = PR_TRUE;
+	    added += 2;
+	}
+#ifdef nodef
+	/* I think either a nickname or email address must be associated
+	 * with the cert.  However, certs are passed to NewTemp without
+	 * either.  This worked in the old code, so it must work now.
+	 */
+	if (!handle) {
+	    /* Require either nickname or email handle */
+	    nssrv = PR_FAILURE;
+	    goto loser;
+	}
+#endif
+    }
+    nssCertificate_AddRef(cert);
+    PZ_Unlock(td->cache->lock);
+    return nssrv;
+loser:
+    /* Remove any handles that have been created */
+    subjectList = NULL;
+    if (added >= 1) {
+	(void)remove_issuer_and_serial_entry(td->cache, cert);
+    }
+    if (added >= 2) {
+	(void)remove_subject_entry(td->cache, cert, &subjectList, &arena);
+    }
+    if (added == 3 || added == 5) {
+	(void)remove_nickname_entry(td->cache, cert, subjectList);
+    }
+    if (added >= 4) {
+	(void)remove_email_entry(td->cache, cert, subjectList);
+    }
+    if (subjectList) {
+	nssHash_Remove(td->cache->subject, &cert->subject);
+	nssList_Destroy(subjectList);
+    }
+    if (arena) {
+	nssArena_Destroy(arena);
+    }
+    PZ_Unlock(td->cache->lock);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+nssTrustDomain_AddCertsToCache
+(
+  NSSTrustDomain *td,
+  NSSCertificate **certs,
+  PRUint32 numCerts
+)
+{
+    PRUint32 i;
+    NSSError e;
+    for (i=0; i<numCerts && certs[i]; i++) {
+	if (add_cert_to_cache(td, certs[i]) != PR_SUCCESS) {
+	    if ((e = NSS_GetError()) == NSS_ERROR_CERTIFICATE_IN_CACHE) {
+		/* collision - delete and replace the cert here in favor
+		 * of the already cached entry.  This is safe as long as
+		 * the cert being added here only has a single reference.
+		 * This should be the case as this function is only called
+		 * immediately following a traversal and before any certs
+		 * are returned to the caller.
+		 */
+		NSSCertificate *c;
+		c = nssTrustDomain_GetCertForIssuerAndSNFromCache(td,
+		                                            &certs[i]->issuer,
+		                                            &certs[i]->serial);
+		if (c != certs[i]) {
+		    NSSCertificate_Destroy(certs[i]);
+		    certs[i] = c;
+		} else {
+		    NSSCertificate_Destroy(c);
+		}
+		nss_ClearErrorStack();
+		continue;
+	    }
+	    return PR_FAILURE;
+	} 
+    }
+    return PR_SUCCESS;
+}
+
+static NSSCertificate **
+collect_subject_certs
+(
+  nssList *subjectList,
+  nssList *rvCertListOpt
+)
+{
+    NSSCertificate *c;
+    NSSCertificate **rvArray = NULL;
+    PRUint32 count;
+    nssCertificateList_AddReferences(subjectList);
+    if (rvCertListOpt) {
+	nssListIterator *iter = nssList_CreateIterator(subjectList);
+	for (c  = (NSSCertificate *)nssListIterator_Start(iter);
+	     c != (NSSCertificate *)NULL;
+	     c  = (NSSCertificate *)nssListIterator_Next(iter)) {
+	    nssList_Add(rvCertListOpt, c);
+	}
+	nssListIterator_Finish(iter);
+	nssListIterator_Destroy(iter);
+    } else {
+	count = nssList_Count(subjectList);
+	rvArray = nss_ZNEWARRAY(NULL, NSSCertificate *, count + 1);
+	if (!rvArray) {
+	    return (NSSCertificate **)NULL;
+	}
+	nssList_GetArray(subjectList, (void **)rvArray, count);
+    }
+    return rvArray;
+}
+
+/*
+ * Find all cached certs with this subject.
+ */
+NSS_IMPLEMENT NSSCertificate **
+nssTrustDomain_GetCertsForSubjectFromCache
+(
+  NSSTrustDomain *td,
+  NSSDER *subject,
+  nssList *certListOpt
+)
+{
+    NSSCertificate **rvArray = NULL;
+    cache_entry *ce;
+#ifdef DEBUG_CACHE
+    log_item_dump("looking for cert by subject", subject);
+#endif
+    PZ_Lock(td->cache->lock);
+    ce = (cache_entry *)nssHash_Lookup(td->cache->subject, subject);
+    if (ce) {
+	ce->hits++;
+	ce->lastHit = PR_Now();
+#ifdef DEBUG_CACHE
+	PR_LOG(s_log, PR_LOG_DEBUG, ("... found, %d hits", ce->hits));
+#endif
+	rvArray = collect_subject_certs(ce->entry.list, certListOpt);
+    }
+    PZ_Unlock(td->cache->lock);
+    return rvArray;
+}
+
+/*
+ * Find all cached certs with this label.
+ */
+NSS_IMPLEMENT NSSCertificate **
+nssTrustDomain_GetCertsForNicknameFromCache
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *nickname,
+  nssList *certListOpt
+)
+{
+    NSSCertificate **rvArray = NULL;
+    cache_entry *ce;
+#ifdef DEBUG_CACHE
+    PR_LOG(s_log, PR_LOG_DEBUG, ("looking for cert by nick %s", nickname));
+#endif
+    PZ_Lock(td->cache->lock);
+    ce = (cache_entry *)nssHash_Lookup(td->cache->nickname, nickname);
+    if (ce) {
+	ce->hits++;
+	ce->lastHit = PR_Now();
+#ifdef DEBUG_CACHE
+	PR_LOG(s_log, PR_LOG_DEBUG, ("... found, %d hits", ce->hits));
+#endif
+	rvArray = collect_subject_certs(ce->entry.list, certListOpt);
+    }
+    PZ_Unlock(td->cache->lock);
+    return rvArray;
+}
+
+/*
+ * Find all cached certs with this email address.
+ */
+NSS_IMPLEMENT NSSCertificate **
+nssTrustDomain_GetCertsForEmailAddressFromCache
+(
+  NSSTrustDomain *td,
+  NSSASCII7 *email,
+  nssList *certListOpt
+)
+{
+    NSSCertificate **rvArray = NULL;
+    cache_entry *ce;
+    nssList *collectList = NULL;
+    nssListIterator *iter = NULL;
+    nssList *subjectList;
+#ifdef DEBUG_CACHE
+    PR_LOG(s_log, PR_LOG_DEBUG, ("looking for cert by email %s", email));
+#endif
+    PZ_Lock(td->cache->lock);
+    ce = (cache_entry *)nssHash_Lookup(td->cache->email, email);
+    if (ce) {
+	ce->hits++;
+	ce->lastHit = PR_Now();
+#ifdef DEBUG_CACHE
+	PR_LOG(s_log, PR_LOG_DEBUG, ("... found, %d hits", ce->hits));
+#endif
+	/* loop over subject lists and get refs for certs */
+	if (certListOpt) {
+	    collectList = certListOpt;
+	} else {
+	    collectList = nssList_Create(NULL, PR_FALSE);
+	    if (!collectList) {
+		PZ_Unlock(td->cache->lock);
+		return NULL;
+	    }
+	}
+	iter = nssList_CreateIterator(ce->entry.list);
+	if (!iter) {
+	    PZ_Unlock(td->cache->lock);
+	    if (!certListOpt) {
+		nssList_Destroy(collectList);
+	    }
+	    return NULL;
+	}
+	for (subjectList  = (nssList *)nssListIterator_Start(iter);
+	     subjectList != (nssList *)NULL;
+	     subjectList  = (nssList *)nssListIterator_Next(iter)) {
+	    (void)collect_subject_certs(subjectList, collectList);
+	}
+	nssListIterator_Finish(iter);
+	nssListIterator_Destroy(iter);
+    }
+    PZ_Unlock(td->cache->lock);
+    if (!certListOpt && collectList) {
+	PRUint32 count = nssList_Count(collectList);
+	rvArray = nss_ZNEWARRAY(NULL, NSSCertificate *, count);
+	if (rvArray) {
+	    nssList_GetArray(collectList, (void **)rvArray, count);
+	}
+	nssList_Destroy(collectList);
+    }
+    return rvArray;
+}
+
+/*
+ * Look for a specific cert in the cache
+ */
+NSS_IMPLEMENT NSSCertificate *
+nssTrustDomain_GetCertForIssuerAndSNFromCache
+(
+  NSSTrustDomain *td,
+  NSSDER *issuer,
+  NSSDER *serial
+)
+{
+    NSSCertificate certkey;
+    NSSCertificate *rvCert = NULL;
+    cache_entry *ce;
+    certkey.issuer.data = issuer->data;
+    certkey.issuer.size = issuer->size;
+    certkey.serial.data = serial->data;
+    certkey.serial.size = serial->size;
+#ifdef DEBUG_CACHE
+    log_item_dump("looking for cert by issuer/sn, issuer", issuer);
+    log_item_dump("                               serial", serial);
+#endif
+    PZ_Lock(td->cache->lock);
+    ce = (cache_entry *)nssHash_Lookup(td->cache->issuerAndSN, &certkey);
+    if (ce) {
+	ce->hits++;
+	ce->lastHit = PR_Now();
+	rvCert = nssCertificate_AddRef(ce->entry.cert);
+#ifdef DEBUG_CACHE
+	PR_LOG(s_log, PR_LOG_DEBUG, ("... found, %d hits", ce->hits));
+#endif
+    }
+    PZ_Unlock(td->cache->lock);
+    return rvCert;
+}
+
+#ifdef NSS_3_4_CODE
+static PRStatus
+issuer_and_serial_from_encoding
+(
+  NSSBER *encoding, 
+  NSSDER *issuer, 
+  NSSDER *serial
+)
+{
+    SECItem derCert, derIssuer, derSerial;
+    SECStatus secrv;
+    derCert.data = (unsigned char *)encoding->data;
+    derCert.len = encoding->size;
+    secrv = CERT_IssuerNameFromDERCert(&derCert, &derIssuer);
+    if (secrv != SECSuccess) {
+	return PR_FAILURE;
+    }
+    secrv = CERT_SerialNumberFromDERCert(&derCert, &derSerial);
+    if (secrv != SECSuccess) {
+	return PR_FAILURE;
+    }
+    issuer->data = derIssuer.data;
+    issuer->size = derIssuer.len;
+    serial->data = derSerial.data;
+    serial->size = derSerial.len;
+    return PR_SUCCESS;
+}
+#endif
+
+/*
+ * Look for a specific cert in the cache
+ */
+NSS_IMPLEMENT NSSCertificate *
+nssTrustDomain_GetCertByDERFromCache
+(
+  NSSTrustDomain *td,
+  NSSDER *der
+)
+{
+    PRStatus nssrv = PR_FAILURE;
+    NSSDER issuer, serial;
+    NSSCertificate *rvCert;
+#ifdef NSS_3_4_CODE
+    nssrv = issuer_and_serial_from_encoding(der, &issuer, &serial);
+#endif
+    if (nssrv != PR_SUCCESS) {
+	return NULL;
+    }
+#ifdef DEBUG_CACHE
+    log_item_dump("looking for cert by DER", der);
+#endif
+    rvCert = nssTrustDomain_GetCertForIssuerAndSNFromCache(td, 
+                                                           &issuer, &serial);
+#ifdef NSS_3_4_CODE
+    PORT_Free(issuer.data);
+    PORT_Free(serial.data);
+#endif
+    return rvCert;
+}
+
+static void cert_iter(const void *k, void *v, void *a)
+{
+    nssList *certList = (nssList *)a;
+    NSSCertificate *c = (NSSCertificate *)k;
+    nssList_Add(certList, nssCertificate_AddRef(c));
+}
+
+NSS_EXTERN NSSCertificate **
+nssTrustDomain_GetCertsFromCache
+(
+  NSSTrustDomain *td,
+  nssList *certListOpt
+)
+{
+    NSSCertificate **rvArray = NULL;
+    nssList *certList;
+    if (certListOpt) {
+	certList = certListOpt;
+    } else {
+	certList = nssList_Create(NULL, PR_FALSE);
+    }
+    PZ_Lock(td->cache->lock);
+    nssHash_Iterate(td->cache->issuerAndSN, cert_iter, (void *)certList);
+    PZ_Unlock(td->cache->lock);
+    if (!certListOpt) {
+	PRUint32 count = nssList_Count(certList);
+	rvArray = nss_ZNEWARRAY(NULL, NSSCertificate *, count);
+	nssList_GetArray(certList, (void **)rvArray, count);
+	/* array takes the references */
+	nssList_Destroy(certList);
+    }
+    return rvArray;
+}
+
+NSS_IMPLEMENT void
+nssTrustDomain_DumpCacheInfo
+(
+  NSSTrustDomain *td,
+  void (* cert_dump_iter)(const void *, void *, void *),
+  void *arg
+)
+{
+    PZ_Lock(td->cache->lock);
+    nssHash_Iterate(td->cache->issuerAndSN, cert_dump_iter, arg);
+    PZ_Unlock(td->cache->lock);
+}
diff --git a/security/nss/lib/pki/trustdomain.c b/security/nss/lib/pki/trustdomain.c
new file mode 100644
index 000000000..f3ebc5125
--- /dev/null
+++ b/security/nss/lib/pki/trustdomain.c
@@ -0,0 +1,1172 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef NSSPKI_H
+#include "nsspki.h"
+#endif /* NSSPKI_H */
+
+#ifndef PKI_H
+#include "pki.h"
+#endif /* PKI_H */
+
+#ifndef PKIM_H
+#include "pkim.h"
+#endif /* PKIM_H */
+
+#ifndef DEV_H
+#include "dev.h"
+#endif /* DEV_H */
+
+#ifndef CKHELPER_H
+#include "ckhelper.h"
+#endif /* CKHELPER_H */
+
+#ifdef NSS_3_4_CODE
+#include "cert.h"
+#include "pki3hack.h"
+#endif
+
+extern const NSSError NSS_ERROR_NOT_FOUND;
+
+#define NSSTRUSTDOMAIN_DEFAULT_CACHE_SIZE 32
+
+NSS_EXTERN PRStatus
+nssTrustDomain_InitializeCache
+(
+  NSSTrustDomain *td,
+  PRUint32 cacheSize
+);
+
+NSS_IMPLEMENT NSSTrustDomain *
+NSSTrustDomain_Create
+(
+  NSSUTF8 *moduleOpt,
+  NSSUTF8 *uriOpt,
+  NSSUTF8 *opaqueOpt,
+  void *reserved
+)
+{
+    NSSArena *arena;
+    NSSTrustDomain *rvTD;
+    arena = NSSArena_Create();
+    if(!arena) {
+	return (NSSTrustDomain *)NULL;
+    }
+    rvTD = nss_ZNEW(arena, NSSTrustDomain);
+    if (!rvTD) {
+	goto loser;
+    }
+    rvTD->arena = arena;
+    rvTD->refCount = 1;
+    nssTrustDomain_InitializeCache(rvTD, NSSTRUSTDOMAIN_DEFAULT_CACHE_SIZE);
+#ifdef NSS_3_4_CODE
+    rvTD->statusConfig = NULL;
+#endif
+    return rvTD;
+loser:
+    nssArena_Destroy(arena);
+    return (NSSTrustDomain *)NULL;
+}
+
+static void
+token_destructor(void *t)
+{
+    NSSToken *tok = (NSSToken *)t;
+#ifdef NSS_3_4_CODE
+    /* in 3.4, also destroy the slot (managed separately) */
+    (void)nssSlot_Destroy(tok->slot);
+    STAN_DestroyNSSToken(tok);
+#else
+    (void)nssToken_Destroy(tok);
+#endif
+}
+
+NSS_IMPLEMENT PRStatus
+NSSTrustDomain_Destroy
+(
+  NSSTrustDomain *td
+)
+{
+    if (--td->refCount == 0) {
+	/* Destroy each token in the list of tokens */
+	if (td->tokens) {
+	    nssListIterator_Destroy(td->tokens);
+	    nssList_Clear(td->tokenList, token_destructor);
+	    nssList_Destroy(td->tokenList);
+	}
+	nssTrustDomain_DestroyCache(td);
+	/* Destroy the trust domain */
+	nssArena_Destroy(td->arena);
+    }
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSTrustDomain_SetDefaultCallback
+(
+  NSSTrustDomain *td,
+  NSSCallback *newCallback,
+  NSSCallback **oldCallbackOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSCallback *
+NSSTrustDomain_GetDefaultCallback
+(
+  NSSTrustDomain *td,
+  PRStatus *statusOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSTrustDomain_LoadModule
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *moduleOpt,
+  NSSUTF8 *uriOpt,
+  NSSUTF8 *opaqueOpt,
+  void *reserved
+)
+{
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSTrustDomain_DisableToken
+(
+  NSSTrustDomain *td,
+  NSSToken *token,
+  NSSError why
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSTrustDomain_EnableToken
+(
+  NSSTrustDomain *td,
+  NSSToken *token
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSTrustDomain_IsTokenEnabled
+(
+  NSSTrustDomain *td,
+  NSSToken *token,
+  NSSError *whyOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSSlot *
+NSSTrustDomain_FindSlotByName
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *slotName
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSToken *
+NSSTrustDomain_FindTokenByName
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *tokenName
+)
+{
+    PRStatus nssrv;
+    NSSUTF8 *myName;
+    NSSToken *tok = NULL;
+    for (tok  = (NSSToken *)nssListIterator_Start(td->tokens);
+         tok != (NSSToken *)NULL;
+         tok  = (NSSToken *)nssListIterator_Next(td->tokens))
+    {
+	myName = nssToken_GetName(tok);
+	if (nssUTF8_Equal(tokenName, myName, &nssrv)) break;
+    }
+    nssListIterator_Finish(td->tokens);
+    return tok;
+}
+
+NSS_IMPLEMENT NSSToken *
+NSSTrustDomain_FindTokenBySlotName
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *slotName
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSToken *
+NSSTrustDomain_FindTokenForAlgorithm
+(
+  NSSTrustDomain *td,
+  NSSOID *algorithm
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSToken *
+NSSTrustDomain_FindBestTokenForAlgorithms
+(
+  NSSTrustDomain *td,
+  NSSOID *algorithms[], /* may be null-terminated */
+  PRUint32 nAlgorithmsOpt /* limits the array if nonzero */
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSTrustDomain_Login
+(
+  NSSTrustDomain *td,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSTrustDomain_Logout
+(
+  NSSTrustDomain *td
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_ImportCertificate
+(
+  NSSTrustDomain *td,
+  NSSCertificate *c
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_ImportPKIXCertificate
+(
+  NSSTrustDomain *td,
+  /* declared as a struct until these "data types" are defined */
+  struct NSSPKIXCertificateStr *pc
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_ImportEncodedCertificate
+(
+  NSSTrustDomain *td,
+  NSSBER *ber
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSTrustDomain_ImportEncodedCertificateChain
+(
+  NSSTrustDomain *td,
+  NSSBER *ber,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSPrivateKey *
+NSSTrustDomain_ImportEncodedPrivateKey
+(
+  NSSTrustDomain *td,
+  NSSBER *ber,
+  NSSItem *passwordOpt, /* NULL will cause a callback */
+  NSSCallback *uhhOpt,
+  NSSToken *destination
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSPublicKey *
+NSSTrustDomain_ImportEncodedPublicKey
+(
+  NSSTrustDomain *td,
+  NSSBER *ber
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+static void cert_destructor(void *el)
+{
+    NSSCertificate *c = (NSSCertificate *)el;
+    NSSCertificate_Destroy(c);
+}
+
+struct collect_arg_str {
+    nssList *list;
+    PRUint32 maximum;
+};
+
+extern const NSSError NSS_ERROR_MAXIMUM_FOUND;
+
+static PRStatus 
+collect_certs(NSSCertificate *c, void *arg)
+{
+    struct collect_arg_str *ca = (struct collect_arg_str *)arg;
+    /* Add the cert to the return list if not present */
+    if (!nssList_Get(ca->list, (void *)c)) {
+	nssCertificate_AddRef(c);
+	nssList_Add(ca->list, (void *)c);
+    }
+    if (ca->maximum > 0 && nssList_Count(ca->list) >= ca->maximum) {
+	/* signal the end of collection) */
+	nss_SetError(NSS_ERROR_MAXIMUM_FOUND);
+	return PR_FAILURE;
+    }
+    return PR_SUCCESS;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_FindBestCertificateByNickname
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *name,
+  NSSTime *timeOpt, /* NULL for "now" */
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt /* NULL for none */
+)
+{
+    PRStatus nssrv;
+    NSSToken *token;
+    nssTokenCertSearch search;
+    nssBestCertificateCB best;
+    nssList *nameList;
+    PRBool notPresent;
+    /* set the criteria for determining the best cert */
+    nssBestCertificate_SetArgs(&best, timeOpt, usage, policiesOpt);
+    /* find all matching certs in the cache */
+    nameList = nssList_Create(NULL, PR_FALSE);
+    (void)nssTrustDomain_GetCertsForNicknameFromCache(td, name, nameList);
+    /* set the search criteria */
+    search.callback = nssBestCertificate_Callback;
+    search.cbarg = &best;
+    search.cached = nameList;
+    search.searchType = nssTokenSearchType_TokenOnly;
+    /* traverse the tokens */
+    for (token  = (NSSToken *)nssListIterator_Start(td->tokens);
+         token != (NSSToken *)NULL;
+         token  = (NSSToken *)nssListIterator_Next(td->tokens))
+    {
+	if (nssToken_SearchCerts(token, &notPresent)) {
+	    nssrv = nssToken_TraverseCertificatesByNickname(token, NULL, 
+	                                                    name, &search);
+	}
+	if (notPresent) {
+	    nssCertificateList_DestroyTokenCerts(nameList, token);
+	}
+    }
+    nssListIterator_Finish(td->tokens);
+    nssCertificateList_DoCallback(nameList, nssBestCertificate_Callback, &best);
+    nssList_Clear(nameList, cert_destructor);
+    nssList_Destroy(nameList);
+    if (best.cert) {
+	nssTrustDomain_AddCertsToCache(td, &best.cert, 1);
+    }
+    return best.cert;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSTrustDomain_FindCertificatesByNickname
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *name,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    NSSCertificate **rvCerts = NULL;
+    NSSToken *token;
+    PRUint32 count;
+    PRStatus nssrv;
+    nssList *nameList;
+    nssTokenCertSearch search;
+    struct collect_arg_str ca;
+    PRBool notPresent;
+    /* set up the collection */
+    nameList = nssList_Create(NULL, PR_FALSE);
+    (void)nssTrustDomain_GetCertsForNicknameFromCache(td, name, nameList);
+    ca.list = nameList;
+    ca.maximum = maximumOpt;
+    /* set the search criteria */
+    search.callback = collect_certs;
+    search.cbarg = &ca;
+    search.cached = nameList;
+    search.searchType = nssTokenSearchType_TokenOnly;
+    /* traverse the tokens */
+    for (token  = (NSSToken *)nssListIterator_Start(td->tokens);
+         token != (NSSToken *)NULL;
+         token  = (NSSToken *)nssListIterator_Next(td->tokens))
+    {
+	if (nssToken_SearchCerts(token, &notPresent)) {
+	    nssrv = nssToken_TraverseCertificatesByNickname(token, NULL, 
+	                                                    name, &search);
+	}
+	if (notPresent) {
+	    nssCertificateList_DestroyTokenCerts(nameList, token);
+	}
+    }
+    nssListIterator_Finish(td->tokens);
+    count = nssList_Count(nameList);
+    if (maximumOpt > 0 && count > maximumOpt) count = maximumOpt;
+    if (count > 0) {
+	if (rvOpt) {
+	    nssList_GetArray(nameList, (void **)rvOpt, count);
+	    rvOpt[count] = NULL;
+	} else {
+	    rvCerts = nss_ZNEWARRAY(arenaOpt, NSSCertificate *, count + 1);
+	    nssList_GetArray(nameList, (void **)rvCerts, count);
+	}
+	nssTrustDomain_AddCertsToCache(td, rvCerts, count);
+    }
+    nssList_Destroy(nameList);
+    /* The return array assumes the references from the list */
+    return rvCerts;
+}
+
+static PRBool cert_token_not_present(NSSCertificate *c)
+{
+    nssListIterator *instances;
+    nssCryptokiInstance *instance;
+    PRBool freeIt = PR_FALSE;
+    PRBool notPresent = PR_TRUE;
+    instances = nssList_CreateIterator(c->object.instanceList);
+    for (instance  = (nssCryptokiInstance *)nssListIterator_Start(instances);
+         instance != (nssCryptokiInstance *)NULL;
+         instance  = (nssCryptokiInstance *)nssListIterator_Next(instances))
+    {
+	if (!nssToken_IsPresent(instance->token)) {
+	    nssToken_DestroyCertList(instance->token, PR_TRUE);
+	    nssList_Remove(c->object.instanceList, instance);
+	    freeIt = PR_TRUE;
+	} else {
+	    notPresent = PR_FALSE;
+	}
+    }
+    nssListIterator_Finish(instances);
+    nssListIterator_Destroy(instances);
+    if (freeIt) {
+	nssListIterator_Destroy(c->object.instances);
+	c->object.instances = nssList_CreateIterator(c->object.instanceList);
+    }
+    return notPresent;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_FindCertificateByIssuerAndSerialNumber
+(
+  NSSTrustDomain *td,
+  NSSDER *issuer,
+  NSSDER *serialNumber
+)
+{
+    NSSCertificate *rvCert = NULL;
+    NSSToken *tok;
+    /* Try the cache */
+    rvCert = nssTrustDomain_GetCertForIssuerAndSNFromCache(td,
+                                                           issuer, 
+                                                           serialNumber);
+    if (rvCert) {
+	if (cert_token_not_present(rvCert)) {
+	    CERT_DestroyCertificate(STAN_GetCERTCertificate(rvCert));
+	    rvCert = NULL;
+	}
+	return rvCert;
+    }
+    /* Not cached, look for it on tokens */
+    for (tok  = (NSSToken *)nssListIterator_Start(td->tokens);
+         tok != (NSSToken *)NULL;
+         tok  = (NSSToken *)nssListIterator_Next(td->tokens))
+    {
+	if (nssToken_SearchCerts(tok, NULL)) {
+	    rvCert = nssToken_FindCertificateByIssuerAndSerialNumber(tok,
+	                                                         NULL,
+	                                                         issuer,
+	                                                         serialNumber,
+	                                        nssTokenSearchType_TokenOnly);
+	}
+#ifdef NSS_3_4_CODE
+	if (!rvCert) {
+	    /* Some tokens expect a decoded serial number.  For compatibility,
+	     * try the search again.
+	     */
+	    NSSDER decodedSerial;
+	    SECItem ds = { 0 };
+	    SECItem sn;
+	    SECStatus secrv;
+	    sn.data = serialNumber->data;
+	    sn.len = serialNumber->size;
+	    secrv = SEC_ASN1DecodeItem(NULL, &ds, SEC_IntegerTemplate, &sn);
+	    if (secrv == SECSuccess) {
+		decodedSerial.data = ds.data;
+		decodedSerial.size = ds.len;
+		if (nssToken_SearchCerts(tok, NULL)) {
+		    rvCert = nssToken_FindCertificateByIssuerAndSerialNumber(
+		                                tok,
+	                                        NULL,
+	                                        issuer,
+	                                        &decodedSerial,
+	                                        nssTokenSearchType_TokenOnly);
+		}
+		PORT_Free(ds.data);
+	    }
+	}
+#endif
+	if (rvCert) {
+	    /* cache it */
+	    nssTrustDomain_AddCertsToCache(td, &rvCert, 1);
+	    break;
+	}
+    }
+    nssListIterator_Finish(td->tokens);
+    return rvCert;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_FindBestCertificateBySubject
+(
+  NSSTrustDomain *td,
+  NSSDER *subject,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+)
+{
+    PRStatus nssrv;
+    NSSToken *token;
+    nssList *subjectList;
+    nssBestCertificateCB best;
+    nssTokenCertSearch search;
+    PRBool notPresent;
+    /* set the criteria for determining the best cert */
+    nssBestCertificate_SetArgs(&best, timeOpt, usage, policiesOpt);
+    /* find all matching certs in the cache */
+    subjectList = nssList_Create(NULL, PR_FALSE);
+    (void)nssTrustDomain_GetCertsForSubjectFromCache(td, subject, subjectList);
+    /* set the search criteria */
+    search.callback = nssBestCertificate_Callback;
+    search.cbarg = &best;
+    search.cached = subjectList;
+    search.searchType = nssTokenSearchType_TokenOnly;
+    /* traverse the tokens */
+    for (token  = (NSSToken *)nssListIterator_Start(td->tokens);
+         token != (NSSToken *)NULL;
+         token  = (NSSToken *)nssListIterator_Next(td->tokens))
+    {
+	if (nssToken_SearchCerts(token, &notPresent)) {
+	    nssrv = nssToken_TraverseCertificatesBySubject(token, NULL, 
+	                                                   subject, &search);
+	}
+	if (notPresent) {
+	    nssCertificateList_DestroyTokenCerts(subjectList, token);
+	}
+    }
+    nssListIterator_Finish(td->tokens);
+    nssCertificateList_DoCallback(subjectList, 
+                                  nssBestCertificate_Callback, &best);
+    nssList_Clear(subjectList, cert_destructor);
+    nssList_Destroy(subjectList);
+    if (best.cert) {
+	nssTrustDomain_AddCertsToCache(td, &best.cert, 1);
+    }
+    return best.cert;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSTrustDomain_FindCertificatesBySubject
+(
+  NSSTrustDomain *td,
+  NSSDER *subject,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    PRStatus nssrv;
+    NSSCertificate **rvCerts = NULL;
+    NSSToken *token;
+    PRUint32 count;
+    nssList *subjectList;
+    struct collect_arg_str ca;
+    nssTokenCertSearch search;
+    PRBool notPresent;
+    /* set up the collection */
+    subjectList = nssList_Create(NULL, PR_FALSE);
+    (void)nssTrustDomain_GetCertsForSubjectFromCache(td, subject, subjectList);
+    ca.list = subjectList;
+    ca.maximum = maximumOpt;
+    /* set the search criteria */
+    search.callback = collect_certs;
+    search.cbarg = &ca;
+    search.cached = subjectList;
+    search.searchType = nssTokenSearchType_TokenOnly;
+    /* traverse the tokens */
+    for (token  = (NSSToken *)nssListIterator_Start(td->tokens);
+         token != (NSSToken *)NULL;
+         token  = (NSSToken *)nssListIterator_Next(td->tokens))
+    {
+	if (nssToken_SearchCerts(token, &notPresent)) {
+	    nssrv = nssToken_TraverseCertificatesBySubject(token, NULL, 
+	                                                   subject, &search);
+	}
+	if (notPresent) {
+	    nssCertificateList_DestroyTokenCerts(subjectList, token);
+	}
+    }
+    nssListIterator_Finish(td->tokens);
+    count = nssList_Count(subjectList);
+    if (maximumOpt > 0 && count > maximumOpt) count = maximumOpt;
+    if (count > 0) {
+	if (rvOpt) {
+	    nssList_GetArray(subjectList, (void **)rvOpt, count);
+	    rvOpt[count] = NULL;
+	} else {
+	    rvCerts = nss_ZNEWARRAY(arenaOpt, NSSCertificate *, count + 1);
+	    nssList_GetArray(subjectList, (void **)rvCerts, count);
+	}
+	nssTrustDomain_AddCertsToCache(td, rvCerts, count);
+    }
+    nssList_Destroy(subjectList);
+    /* The return array assumes the references from the list */
+    return rvCerts;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_FindBestCertificateByNameComponents
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *nameComponents,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSTrustDomain_FindCertificatesByNameComponents
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *nameComponents,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_FindCertificateByEncodedCertificate
+(
+  NSSTrustDomain *td,
+  NSSBER *encodedCertificate
+)
+{
+    NSSCertificate *rvCert = NULL;
+    NSSToken *tok;
+    /* Try the cache */
+    rvCert = nssTrustDomain_GetCertByDERFromCache(td, encodedCertificate);
+    if (rvCert) {
+	if (cert_token_not_present(rvCert)) {
+	    CERT_DestroyCertificate(STAN_GetCERTCertificate(rvCert));
+	    rvCert = NULL;
+	}
+	return rvCert;
+    }
+    /* Not cached, look for it on tokens */
+    for (tok  = (NSSToken *)nssListIterator_Start(td->tokens);
+         tok != (NSSToken *)NULL;
+         tok  = (NSSToken *)nssListIterator_Next(td->tokens))
+    {
+	if (nssToken_SearchCerts(tok, NULL)) {
+	    rvCert = nssToken_FindCertificateByEncodedCertificate(tok, NULL,
+	                                        encodedCertificate,
+	                                        nssTokenSearchType_TokenOnly);
+	}
+	if (rvCert) {
+	    /* cache it */
+	    nssTrustDomain_AddCertsToCache(td, &rvCert, 1);
+	    break;
+	}
+    }
+    nssListIterator_Finish(td->tokens);
+    return rvCert;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_FindCertificateByEmail
+(
+  NSSTrustDomain *td,
+  NSSASCII7 *email,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+)
+{
+    PRStatus nssrv;
+    NSSToken *token;
+    nssBestCertificateCB best;
+    nssTokenCertSearch search;
+    nssList *emailList;
+    PRBool notPresent;
+    /* set the criteria for determining the best cert */
+    nssBestCertificate_SetArgs(&best, timeOpt, usage, policiesOpt);
+    /* find all matching certs in the cache */
+    emailList = nssList_Create(NULL, PR_FALSE);
+    (void)nssTrustDomain_GetCertsForEmailAddressFromCache(td, email, emailList);
+    /* set the search criteria */
+    search.callback = nssBestCertificate_Callback;
+    search.cbarg = &best;
+    search.cached = emailList;
+    search.searchType = nssTokenSearchType_TokenOnly;
+    /* traverse the tokens */
+    for (token  = (NSSToken *)nssListIterator_Start(td->tokens);
+         token != (NSSToken *)NULL;
+         token  = (NSSToken *)nssListIterator_Next(td->tokens))
+    {
+	if (nssToken_SearchCerts(token, &notPresent)) {
+	    nssrv = nssToken_TraverseCertificatesByEmail(token, NULL, 
+	                                                 email, &search);
+	}
+	if (notPresent) {
+	    nssCertificateList_DestroyTokenCerts(emailList, token);
+	}
+    }
+    nssListIterator_Finish(td->tokens);
+    nssCertificateList_DoCallback(emailList, 
+                                  nssBestCertificate_Callback, &best);
+    nssList_Clear(emailList, cert_destructor);
+    nssList_Destroy(emailList);
+    if (best.cert) {
+	nssTrustDomain_AddCertsToCache(td, &best.cert, 1);
+    }
+    return best.cert;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSTrustDomain_FindCertificatesByEmail
+(
+  NSSTrustDomain *td,
+  NSSASCII7 *email,
+  NSSCertificate *rvOpt[],
+  PRUint32 maximumOpt, /* 0 for no max */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_FindCertificateByOCSPHash
+(
+  NSSTrustDomain *td,
+  NSSItem *hash
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_FindBestUserCertificate
+(
+  NSSTrustDomain *td,
+  NSSTime *timeOpt,
+  NSSUsage *usage,
+  NSSPolicies *policiesOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSTrustDomain_FindUserCertificates
+(
+  NSSTrustDomain *td,
+  NSSTime *timeOpt,
+  NSSUsage *usageOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_FindBestUserCertificateForSSLClientAuth
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *sslHostOpt,
+  NSSDER *rootCAsOpt[], /* null pointer for none */
+  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSTrustDomain_FindUserCertificatesForSSLClientAuth
+(
+  NSSTrustDomain *td,
+  NSSUTF8 *sslHostOpt,
+  NSSDER *rootCAsOpt[], /* null pointer for none */
+  PRUint32 rootCAsMaxOpt, /* zero means list is null-terminated */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate *
+NSSTrustDomain_FindBestUserCertificateForEmailSigning
+(
+  NSSTrustDomain *td,
+  NSSASCII7 *signerOpt,
+  NSSASCII7 *recipientOpt,
+  /* anything more here? */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCertificate **
+NSSTrustDomain_FindUserCertificatesForEmailSigning
+(
+  NSSTrustDomain *td,
+  NSSASCII7 *signerOpt,
+  NSSASCII7 *recipientOpt,
+  /* anything more here? */
+  NSSAlgorithmAndParameters *apOpt,
+  NSSPolicies *policiesOpt,
+  NSSCertificate **rvOpt,
+  PRUint32 rvLimit, /* zero for no limit */
+  NSSArena *arenaOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+struct traverse_arg 
+{
+  PRStatus (*callback)(NSSCertificate *c, void *arg);
+  nssList *cached;
+  void *arg;
+};
+
+static PRStatus traverse_callback(NSSCertificate *c, void *arg)
+{
+    PRStatus nssrv;
+    struct traverse_arg *ta = (struct traverse_arg *)arg;
+    NSSCertificate *cp = nssCertificate_AddRef(c);
+    NSSTrustDomain *td = NSSCertificate_GetTrustDomain(c);
+    /* The cert coming in has been retrieved from a token.  It was not in
+     * the cache when the search was begun.  But it may be in the cache now,
+     * and if it isn't, it will be, because it is going to be cracked into
+     * a CERTCertificate and fed into the callback.
+     */
+    nssrv = nssTrustDomain_AddCertsToCache(td, &c, 1);
+    if (!nssList_Get(ta->cached, c)) {
+	/* add it to the cached list for this search */
+	nssCertificate_AddRef(c);
+	nssList_Add(ta->cached, c);
+    }
+    /* This is why the hack of copying the cert was done above.  The pointer
+     * c passed to this function is provided by retrieve_cert.  That function
+     * will destroy the pointer once this function returns.  Since c is a local
+     * copy, there is no way to notify retrieve_cert if it has changed.  That
+     * would happen if the above call to add it to the cache found the cert
+     * already there.  In that case, the pointer c passed to the callback
+     * below will be the cached cert, and the pointer c that retrieve_cert
+     * has will be the same as the copy made above.  Thus, retrieve_cert will
+     * destroy the reference to the copy, the callback will use the reference
+     * to the cached entry, and everyone should be happy.
+     */
+    nssrv = (*ta->callback)(c, ta->arg);
+    /* This function owns a reference to the cert, either from the AddRef
+     * or by getting it from the cache.
+     */
+    CERT_DestroyCertificate(STAN_GetCERTCertificate(c));
+    return nssrv;
+}
+
+#ifdef NSS_3_4_CODE
+static void cert_destructor_with_cache(void *el)
+{
+    NSSCertificate *c = (NSSCertificate *)el;
+    CERTCertificate *cert = STAN_GetCERTCertificate(c);
+    /* It's already been obtained as a CERTCertificate, so it must
+     * be destroyed as one
+     */
+    CERT_DestroyCertificate(cert);
+}
+#endif
+
+NSS_IMPLEMENT PRStatus *
+NSSTrustDomain_TraverseCertificates
+(
+  NSSTrustDomain *td,
+  PRStatus (*callback)(NSSCertificate *c, void *arg),
+  void *arg
+)
+{
+    PRStatus nssrv;
+    NSSToken *token;
+    nssList *certList, *cacheList;
+    nssTokenCertSearch search;
+    struct traverse_arg ta;
+    nssListIterator *tokens;
+    PRBool notPresent;
+    certList = nssList_Create(NULL, PR_FALSE);
+    if (!certList) return NULL;
+    (void *)nssTrustDomain_GetCertsFromCache(td, certList);
+    cacheList = nssList_Clone(certList);
+    if (!cacheList) {
+	goto cleanup;
+    }
+    /* set traverse args */
+    ta.callback = callback;
+    ta.cached = certList;
+    ta.arg = arg;
+    /* set the search criteria */
+    search.callback = traverse_callback;
+    search.cbarg = &ta;
+    search.cached = certList;
+    search.searchType = nssTokenSearchType_TokenOnly;
+    /* Must create a local copy of the token list, because the callback
+     * above may want to traverse the tokens as well.
+     */
+    tokens = nssList_CreateIterator(td->tokenList);
+    if (!tokens) {
+	goto cleanup;
+    }
+    /* traverse the tokens */
+    for (token  = (NSSToken *)nssListIterator_Start(tokens);
+         token != (NSSToken *)NULL;
+         token  = (NSSToken *)nssListIterator_Next(tokens))
+    {
+	if (nssToken_SearchCerts(token, &notPresent)) {
+	    nssrv = nssToken_TraverseCertificates(token, NULL, &search);
+	}
+	if (notPresent) {
+	    nssCertificateList_RemoveTokenCerts(cacheList, token);
+	}
+    }
+    nssListIterator_Finish(tokens);
+    nssListIterator_Destroy(tokens);
+    /* now do the callback on the cached certs, 
+     * sans certs from removed tokens 
+     */
+    nssCertificateList_DoCallback(cacheList, callback, arg);
+    nssList_Destroy(cacheList);
+cleanup:
+#ifdef NSS_3_4_CODE
+    nssList_Clear(certList, cert_destructor_with_cache);
+#else
+    nssList_Clear(certList, cert_destructor);
+#endif
+    nssList_Destroy(certList);
+    return NULL;
+}
+
+NSS_IMPLEMENT PRStatus
+NSSTrustDomain_GenerateKeyPair
+(
+  NSSTrustDomain *td,
+  NSSAlgorithmAndParameters *ap,
+  NSSPrivateKey **pvkOpt,
+  NSSPublicKey **pbkOpt,
+  PRBool privateKeyIsSensitive,
+  NSSToken *destination,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSTrustDomain_GenerateSymmetricKey
+(
+  NSSTrustDomain *td,
+  NSSAlgorithmAndParameters *ap,
+  PRUint32 keysize,
+  NSSToken *destination,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSTrustDomain_GenerateSymmetricKeyFromPassword
+(
+  NSSTrustDomain *td,
+  NSSAlgorithmAndParameters *ap,
+  NSSUTF8 *passwordOpt, /* if null, prompt */
+  NSSToken *destinationOpt,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSSymmetricKey *
+NSSTrustDomain_FindSymmetricKeyByAlgorithmAndKeyID
+(
+  NSSTrustDomain *td,
+  NSSOID *algorithm,
+  NSSItem *keyID,
+  NSSCallback *uhhOpt
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCryptoContext *
+NSSTrustDomain_CreateCryptoContext
+(
+  NSSTrustDomain *td,
+  NSSCallback *uhhOpt
+)
+{
+    NSSArena *arena;
+    NSSCryptoContext *rvCC;
+    arena = NSSArena_Create();
+    if (!arena) {
+	return NULL;
+    }
+    rvCC = nss_ZNEW(arena, NSSCryptoContext);
+    if (!rvCC) {
+	return NULL;
+    }
+    rvCC->td = td;
+    rvCC->arena = arena;
+    return rvCC;
+}
+
+NSS_IMPLEMENT NSSCryptoContext *
+NSSTrustDomain_CreateCryptoContextForAlgorithm
+(
+  NSSTrustDomain *td,
+  NSSOID *algorithm
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
+NSS_IMPLEMENT NSSCryptoContext *
+NSSTrustDomain_CreateCryptoContextForAlgorithmAndParameters
+(
+  NSSTrustDomain *td,
+  NSSAlgorithmAndParameters *ap
+)
+{
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return NULL;
+}
+
diff --git a/security/nss/lib/pki1/.cvsignore b/security/nss/lib/pki1/.cvsignore
new file mode 100644
index 000000000..12bfbfc7c
--- /dev/null
+++ b/security/nss/lib/pki1/.cvsignore
@@ -0,0 +1,3 @@
+oiddata.c
+oiddata.h
+
diff --git a/security/nss/lib/pki1/Makefile b/security/nss/lib/pki1/Makefile
new file mode 100644
index 000000000..9dad761c1
--- /dev/null
+++ b/security/nss/lib/pki1/Makefile
@@ -0,0 +1,46 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+# Generate oiddata.h and oiddata.c.
+oidgen: oidgen.perl oids.txt
+	rm -f oiddata.c oiddata.h
+	perl oidgen.perl oiddata.c oiddata.h oids.txt
+
+export::  private_export 
+
diff --git a/security/nss/lib/pki1/atav.c b/security/nss/lib/pki1/atav.c
new file mode 100644
index 000000000..cdf311a37
--- /dev/null
+++ b/security/nss/lib/pki1/atav.c
@@ -0,0 +1,1821 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * atav.c
+ *
+ * This file contains the implementation of the PKIX part-1 object
+ * AttributeTypeAndValue.
+ */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+#ifndef PKI1_H
+#include "pki1.h"
+#endif /* PKI1_H */
+
+/*
+ * AttributeTypeAndValue
+ *
+ * From draft-ietf-pkix-ipki-part1-10:
+ *
+ *  AttributeTypeAndValue           ::=     SEQUENCE {
+ *          type            ATTRIBUTE.&id ({SupportedAttributes}),
+ *          value   ATTRIBUTE.&Type ({SupportedAttributes}{@type})}
+ *  
+ *  -- ATTRIBUTE information object class specification
+ *  --  Note: This has been greatly simplified for PKIX !!
+ *  
+ *  ATTRIBUTE               ::=     CLASS {
+ *          &Type,
+ *          &id                     OBJECT IDENTIFIER UNIQUE }
+ *  WITH SYNTAX {
+ *          WITH SYNTAX &Type ID &id }
+ *  
+ * What this means is that the "type" of the value is determined by
+ * the value of the oid.  If we hide the structure, our accessors
+ * can (at least in debug builds) assert value semantics beyond what
+ * the compiler can provide.  Since these things are only used in
+ * RelativeDistinguishedNames, and since RDNs always contain a SET
+ * of these things, we don't lose anything by hiding the structure
+ * (and its size).
+ */
+
+struct NSSATAVStr {
+  NSSBER ber;
+  const NSSOID *oid;
+  NSSUTF8 *value;
+  nssStringType stringForm;
+};
+
+/*
+ * NSSATAV
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  NSSATAV_CreateFromBER   -- constructor
+ *  NSSATAV_CreateFromUTF8  -- constructor
+ *  NSSATAV_Create          -- constructor
+ *
+ *  NSSATAV_Destroy
+ *  NSSATAV_GetDEREncoding
+ *  NSSATAV_GetUTF8Encoding
+ *  NSSATAV_GetType
+ *  NSSATAV_GetValue
+ *  NSSATAV_Compare
+ *  NSSATAV_Duplicate
+ *
+ * The non-public "methods" regarding this "object" are:
+ *
+ *  nssATAV_CreateFromBER   -- constructor
+ *  nssATAV_CreateFromUTF8  -- constructor
+ *  nssATAV_Create          -- constructor
+ *
+ *  nssATAV_Destroy
+ *  nssATAV_GetDEREncoding
+ *  nssATAV_GetUTF8Encoding
+ *  nssATAV_GetType
+ *  nssATAV_GetValue
+ *  nssATAV_Compare
+ *  nssATAV_Duplicate
+ *
+ * In debug builds, the following non-public call is also available:
+ *
+ *  nssATAV_verifyPointer
+ */
+
+/*
+ * NSSATAV_CreateFromBER
+ * 
+ * This routine creates an NSSATAV by decoding a BER- or DER-encoded
+ * ATAV.  If the optional arena argument is non-null, the memory used 
+ * will be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error, 
+ * in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_IMPLEMENT NSSATAV *
+NSSATAV_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berATAV
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSATAV *)NULL;
+    }
+  }
+
+  /* 
+   * NSSBERs can be created by the user, 
+   * so no pointer-tracking can be checked.
+   */
+
+  if( (NSSBER *)NULL == berATAV ) {
+    nss_SetError(NSS_ERROR_INVALID_BER);
+    return (NSSATAV *)NULL;
+  }
+
+  if( (void *)NULL == berATAV->data ) {
+    nss_SetError(NSS_ERROR_INVALID_BER);
+    return (NSSATAV *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssATAV_CreateFromBER(arenaOpt, berATAV);
+}
+
+/*
+ * NSSATAV_CreateFromUTF8
+ *
+ * This routine creates an NSSATAV by decoding a UTF8 string in the
+ * "equals" format, e.g., "c=US."  If the optional arena argument is 
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_IMPLEMENT NSSATAV *
+NSSATAV_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringATAV
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSATAV *)NULL;
+    }
+  }
+
+  /*
+   * NSSUTF8s can be created by the user,
+   * so no pointer-tracking can be checked.
+   */
+
+  if( (NSSUTF8 *)NULL == stringATAV ) {
+    nss_SetError(NSS_ERROR_INVALID_UTF8);
+    return (NSSATAV *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssATAV_CreateFromUTF8(arenaOpt, stringATAV);
+}
+
+/*
+ * NSSATAV_Create
+ *
+ * This routine creates an NSSATAV from the specified NSSOID and the
+ * specified data. If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory
+ * will be obtained from the heap.If the specified data length is zero, 
+ * the data is assumed to be terminated by first zero byte; this allows 
+ * UTF8 strings to be easily specified.  This routine may return NULL 
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_IMPLEMENT NSSATAV *
+NSSATAV_Create
+(
+  NSSArena *arenaOpt,
+  const NSSOID *oid,
+  const void *data,
+  PRUint32 length
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSATAV *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSATAV *)NULL;
+  }
+
+  if( (const void *)NULL == data ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (NSSATAV *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssATAV_Create(arenaOpt, oid, data, length);
+}
+
+/*
+ * NSSATAV_Destroy
+ *
+ * This routine will destroy an ATAV object.  It should eventually be
+ * called on all ATAVs created without an arena.  While it is not 
+ * necessary to call it on ATAVs created within an arena, it is not an
+ * error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSATAV_Destroy
+(
+  NSSATAV *atav
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssATAV_Destroy(atav);
+}
+
+/*
+ * NSSATAV_GetDEREncoding
+ *
+ * This routine will DER-encode an ATAV object. If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSATAV
+ */
+
+NSS_IMPLEMENT NSSDER *
+NSSATAV_GetDEREncoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSDER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSDER *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssATAV_GetDEREncoding(atav, arenaOpt);
+}
+
+/*
+ * NSSATAV_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the ATAV in "equals" notation (e.g., "o=Acme").  
+ * If the optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return null upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the "equals" encoding of the 
+ *      ATAV
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+NSSATAV_GetUTF8Encoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssATAV_GetUTF8Encoding(atav, arenaOpt);
+}
+
+/*
+ * NSSATAV_GetType
+ *
+ * This routine returns the NSSOID corresponding to the attribute type
+ * in the specified ATAV.  This routine may return NSS_OID_UNKNOWN 
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  An element of enum NSSOIDenum upon success
+ */
+
+NSS_IMPLEMENT const NSSOID *
+NSSATAV_GetType
+(
+  NSSATAV *atav
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSOID *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssATAV_GetType(atav);
+}
+
+/*
+ * NSSATAV_GetValue
+ *
+ * This routine returns a string containing the attribute value
+ * in the specified ATAV.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSItem containing the attribute value.
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+NSSATAV_GetValue
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssATAV_GetValue(atav, arenaOpt);
+}
+
+/*
+ * NSSATAV_Compare
+ *
+ * This routine compares two ATAVs for equality.  For two ATAVs to be
+ * equal, the attribute types must be the same, and the attribute 
+ * values must have equal length and contents.  The result of the 
+ * comparison will be stored at the location pointed to by the "equalp"
+ * variable, which must point to a valid PRBool.  This routine may 
+ * return PR_FAILURE upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSATAV_Compare
+(
+  NSSATAV *atav1,
+  NSSATAV *atav2,
+  PRBool *equalp
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav1) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav2) ) {
+    return PR_FAILURE;
+  }
+
+  if( (PRBool *)NULL == equalp ) {
+    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssATAV_Compare(atav1, atav2, equalp);
+}
+
+/*
+ * NSSATAV_Duplicate
+ *
+ * This routine duplicates the specified ATAV.  If the optional arena 
+ * argument is non-null, the memory required will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL on error
+ *  A pointer to a new ATAV
+ */
+
+NSS_IMPLEMENT NSSATAV *
+NSSATAV_Duplicate
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSATAV *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSATAV *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssATAV_Duplicate(atav, arenaOpt);
+}
+
+/*
+ * The pointer-tracking code
+ */
+
+#ifdef DEBUG
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+static nssPointerTracker atav_pointer_tracker;
+
+static PRStatus
+atav_add_pointer
+(
+  const NSSATAV *atav
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&atav_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return rv;
+  }
+
+  rv = nssPointerTracker_add(&atav_pointer_tracker, atav);
+  if( PR_SUCCESS != rv ) {
+    NSSError e = NSS_GetError();
+    if( NSS_ERROR_NO_MEMORY != e ) {
+      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    }
+
+    return rv;
+  }
+
+  return PR_SUCCESS;
+}
+
+static PRStatus
+atav_remove_pointer
+(
+  const NSSATAV *atav
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_remove(&atav_pointer_tracker, atav);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  }
+
+  return rv;
+}
+
+/*
+ * nssATAV_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSATAV object,
+ * this routine will return PR_SUCCESS.  Otherwise, it will put an
+ * error on the error stack and return PR_FAILRUE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_IMPLEMENT PRStatus
+nssATAV_verifyPointer
+(
+  NSSATAV *atav
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&atav_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return PR_FAILURE;
+  }
+
+  rv = nssPointerTracker_verify(&atav_pointer_tracker, atav);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_ATAV);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+#endif /* DEBUG */
+
+typedef struct {
+  NSSBER oid;
+  NSSBER value;
+} atav_holder;
+
+static const nssASN1Template nss_atav_template[] = {
+  { nssASN1_SEQUENCE, 0, NULL, sizeof(atav_holder) },
+  { nssASN1_OBJECT_ID, nsslibc_offsetof(atav_holder, oid), NULL, 0 },
+  { nssASN1_ANY, nsslibc_offsetof(atav_holder, value), NULL, 0 },
+  { 0, 0, NULL, 0 }
+};
+
+/*
+ * There are several common attributes, with well-known type aliases
+ * and value semantics.  This table lists the ones we recognize.
+ */
+
+struct nss_attribute_data_str {
+  const NSSOID **oid;
+  nssStringType stringType;
+  PRUint32 minStringLength;
+  PRUint32 maxStringLength; /* zero for no limit */
+};
+
+static const struct nss_attribute_data_str nss_attribute_data[] = {
+  { &NSS_OID_X520_NAME,                     
+    nssStringType_DirectoryString, 1, 32768 },
+  { &NSS_OID_X520_COMMON_NAME,              
+    nssStringType_DirectoryString, 1,    64 },
+  { &NSS_OID_X520_SURNAME,                  
+    nssStringType_DirectoryString, 1,    40 },
+  { &NSS_OID_X520_GIVEN_NAME,               
+    nssStringType_DirectoryString, 1,    16 },
+  { &NSS_OID_X520_INITIALS,                 
+    nssStringType_DirectoryString, 1,     5 },
+  { &NSS_OID_X520_GENERATION_QUALIFIER,     
+    nssStringType_DirectoryString, 1,     3 },
+  { &NSS_OID_X520_DN_QUALIFIER,             
+    nssStringType_PrintableString, 1,     0 },
+  { &NSS_OID_X520_COUNTRY_NAME,             
+    nssStringType_PrintableString, 2,     2 },
+  { &NSS_OID_X520_LOCALITY_NAME,            
+    nssStringType_DirectoryString, 1,   128 },
+  { &NSS_OID_X520_STATE_OR_PROVINCE_NAME,   
+    nssStringType_DirectoryString, 1,   128 },
+  { &NSS_OID_X520_ORGANIZATION_NAME,        
+    nssStringType_DirectoryString, 1,    64 },
+  { &NSS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 
+    nssStringType_DirectoryString, 1,
+    /*
+     * Note, draft #11 defines both "32" and "64" for this maximum,
+     * in two separate places.  Until it's settled, "conservative
+     * in what you send."  We're always liberal in what we accept.
+     */
+                                         32 },
+  { &NSS_OID_X520_TITLE,                    
+    nssStringType_DirectoryString, 1,    64 },
+  { &NSS_OID_RFC1274_EMAIL,                 
+    nssStringType_PHGString,       1,   128 }
+};
+
+PRUint32 nss_attribute_data_quantity = 
+  (sizeof(nss_attribute_data)/sizeof(nss_attribute_data[0]));
+
+static nssStringType
+nss_attr_underlying_string_form
+(
+  nssStringType type,
+  void *data
+)
+{
+  if( nssStringType_DirectoryString == type ) {
+    PRUint8 tag = *(PRUint8 *)data;
+    switch( tag & nssASN1_TAGNUM_MASK ) {
+    case 20:
+      /*
+       * XXX fgmr-- we have to accept Latin-1 for Teletex; (see
+       * below) but is T61 a suitable value for "Latin-1"?
+       */
+      return nssStringType_TeletexString;
+    case 19:
+      return nssStringType_PrintableString;
+    case 28:
+      return nssStringType_UniversalString;
+    case 30:
+      return nssStringType_BMPString;
+    case 12:
+      return nssStringType_UTF8String;
+    default:
+      return nssStringType_Unknown;
+    }
+  }
+
+  return type;
+}
+    
+
+/*
+ * This routine decodes the attribute value, in a type-specific way.
+ *
+ */
+
+static NSSUTF8 *
+nss_attr_to_utf8
+(
+  NSSArena *arenaOpt,
+  const NSSOID *oid,
+  NSSItem *item,
+  nssStringType *stringForm
+)
+{
+  NSSUTF8 *rv = (NSSUTF8 *)NULL;
+  PRUint32 i;
+  const struct nss_attribute_data_str *which = 
+    (struct nss_attribute_data_str *)NULL;
+  PRUint32 len = 0;
+
+  for( i = 0; i < nss_attribute_data_quantity; i++ ) {
+    if( *(nss_attribute_data[ i ].oid) == oid ) {
+      which = &nss_attribute_data[i];
+      break;
+    }
+  }
+
+  if( (struct nss_attribute_data_str *)NULL == which ) {
+    /* Unknown OID.  Encode it as hex. */
+    PRUint8 *c;
+    PRUint8 *d = (PRUint8 *)item->data;
+    PRUint32 amt = item->size;
+
+    if( item->size >= 0x7FFFFFFF ) {
+      nss_SetError(NSS_ERROR_INVALID_STRING);
+      return (NSSUTF8 *)NULL;
+    }
+
+    len = 1 + (item->size * 2) + 1; /* '#' + hex + '\0' */
+    rv = (NSSUTF8 *)nss_ZAlloc(arenaOpt, len);
+    if( (NSSUTF8 *)NULL == rv ) {
+      return (NSSUTF8 *)NULL;
+    }
+
+    c = (PRUint8 *)rv;
+    *c++ = '#'; /* XXX fgmr check this */
+    while( amt > 0 ) {
+      static char hex[16] = "0123456789ABCDEF";
+      *c++ = hex[ ((*d) & 0xf0) >> 4 ];
+      *c++ = hex[ ((*d) & 0x0f)      ];
+    }
+
+    /* *c = '\0'; nss_ZAlloc, remember */
+
+    *stringForm = nssStringType_Unknown; /* force exact comparison */
+  } else {
+    PRStatus status;
+    rv = nssUTF8_CreateFromBER(arenaOpt, which->stringType, 
+                               (NSSBER *)item);
+
+    if( (NSSUTF8 *)NULL == rv ) {
+      return (NSSUTF8 *)NULL;
+    }
+
+    len = nssUTF8_Length(rv, &status);
+    if( PR_SUCCESS != status || len == 0 ) {
+      nss_ZFreeIf(rv);
+      return (NSSUTF8 *)NULL;
+    }
+
+    *stringForm = nss_attr_underlying_string_form(which->stringType,
+                                                  item->data);
+  }
+
+  return rv;
+}
+
+/*
+ * nssATAV_CreateFromBER
+ * 
+ * This routine creates an NSSATAV by decoding a BER- or DER-encoded
+ * ATAV.  If the optional arena argument is non-null, the memory used 
+ * will be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error, 
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_IMPLEMENT NSSATAV *
+nssATAV_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  const NSSBER *berATAV
+)
+{
+  atav_holder holder;
+  PRStatus status;
+  NSSATAV *rv;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSATAV *)NULL;
+    }
+  }
+
+  /* 
+   * NSSBERs can be created by the user, 
+   * so no pointer-tracking can be checked.
+   */
+
+  if( (NSSBER *)NULL == berATAV ) {
+    nss_SetError(NSS_ERROR_INVALID_BER);
+    return (NSSATAV *)NULL;
+  }
+
+  if( (void *)NULL == berATAV->data ) {
+    nss_SetError(NSS_ERROR_INVALID_BER);
+    return (NSSATAV *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  status = nssASN1_DecodeBER(arenaOpt, &holder, 
+                             nss_atav_template, berATAV);
+  if( PR_SUCCESS != status ) {
+    return (NSSATAV *)NULL;
+  }
+
+  rv = nss_ZNEW(arenaOpt, NSSATAV);
+  if( (NSSATAV *)NULL == rv ) {
+    nss_ZFreeIf(holder.oid.data);
+    nss_ZFreeIf(holder.value.data);
+    return (NSSATAV *)NULL;
+  }
+
+  rv->oid = nssOID_CreateFromBER(&holder.oid);
+  if( (NSSOID *)NULL == rv->oid ) {
+    nss_ZFreeIf(rv);
+    nss_ZFreeIf(holder.oid.data);
+    nss_ZFreeIf(holder.value.data);
+    return (NSSATAV *)NULL;
+  }
+
+  nss_ZFreeIf(holder.oid.data);
+
+  rv->ber.data = nss_ZAlloc(arenaOpt, berATAV->size);
+  if( (void *)NULL == rv->ber.data ) {
+    nss_ZFreeIf(rv);
+    nss_ZFreeIf(holder.value.data);
+    return (NSSATAV *)NULL;
+  }
+
+  rv->ber.size = berATAV->size;
+  (void)nsslibc_memcpy(rv->ber.data, berATAV->data, berATAV->size);
+
+  rv->value = nss_attr_to_utf8(arenaOpt, rv->oid, &holder.value,
+                               &rv->stringForm);
+  if( (NSSUTF8 *)NULL == rv->value ) {
+    nss_ZFreeIf(rv->ber.data);
+    nss_ZFreeIf(rv);
+    nss_ZFreeIf(holder.value.data);
+    return (NSSATAV *)NULL;
+  }
+
+  nss_ZFreeIf(holder.value.data);
+
+#ifdef DEBUG
+  if( PR_SUCCESS != atav_add_pointer(rv) ) {
+    nss_ZFreeIf(rv->ber.data);
+    nss_ZFreeIf(rv->value);
+    nss_ZFreeIf(rv);
+    return (NSSATAV *)NULL;
+  }
+#endif /* DEBUG */
+
+  return rv;
+}
+
+static PRBool
+nss_atav_utf8_string_is_hex
+(
+  const NSSUTF8 *s
+)
+{
+  /* All hex digits are ASCII, so this works */
+  PRUint8 *p = (PRUint8 *)s;
+
+  for( ; (PRUint8)0 != *p; p++ ) {
+    if( (('0' <= *p) && (*p <= '9')) ||
+        (('A' <= *p) && (*p <= 'F')) ||
+        (('a' <= *p) && (*p <= 'f')) ) {
+      continue;
+    } else {
+      return PR_FALSE;
+    }
+  }
+
+  return PR_TRUE;
+}
+
+static NSSUTF8
+nss_atav_fromhex
+(
+  NSSUTF8 *d
+)
+{
+  NSSUTF8 rv;
+
+  if( d[0] <= '9' ) {
+    rv = (d[0] - '0') * 16;
+  } else if( d[0] >= 'a' ) {
+    rv = (d[0] - 'a' + 10) * 16;
+  } else {
+    rv = (d[0] - 'A' + 10);
+  }
+
+  if( d[1] <= '9' ) {
+    rv += (d[1] - '0');
+  } else if( d[1] >= 'a' ) {
+    rv += (d[1] - 'a' + 10);
+  } else {
+    rv += (d[1] - 'A' + 10);
+  }
+
+  return rv;
+}
+
+/*
+ * nssATAV_CreateFromUTF8
+ *
+ * This routine creates an NSSATAV by decoding a UTF8 string in the
+ * "equals" format, e.g., "c=US."  If the optional arena argument is 
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have set an error 
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+NSS_IMPLEMENT NSSATAV *
+nssATAV_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  const NSSUTF8 *stringATAV
+)
+{
+  char *c;
+  NSSUTF8 *type;
+  NSSUTF8 *value;
+  PRUint32 i;
+  const NSSOID *oid = (NSSOID *)NULL;
+  NSSATAV *rv;
+  NSSItem xitem;
+
+  xitem.data = (void *)NULL;
+
+  for( c = (char *)stringATAV; '\0' != *c; c++ ) {
+    if( '=' == *c ) {
+#ifdef PEDANTIC
+      /*
+       * Theoretically, one could have an '=' in an 
+       * attribute string alias.  We don't, yet, though.
+       */
+      if( (char *)stringATAV == c ) {
+        nss_SetError(NSS_ERROR_INVALID_STRING);
+        return (NSSATAV *)NULL;
+      } else {
+        if( '\\' == c[-1] ) {
+          continue;
+        }
+      }
+#endif /* PEDANTIC */
+      break;
+    }
+  }
+
+  if( '\0' == *c ) {
+    nss_SetError(NSS_ERROR_INVALID_UTF8);
+    return (NSSATAV *)NULL;
+  } else {
+    c++;
+    value = (NSSUTF8 *)c;
+  }
+
+  i = ((NSSUTF8 *)c - stringATAV);
+  type = (NSSUTF8 *)nss_ZAlloc((NSSArena *)NULL, i);
+  if( (NSSUTF8 *)NULL == type ) {
+    return (NSSATAV *)NULL;
+  }
+
+  (void)nsslibc_memcpy(type, stringATAV, i-1);
+
+  c = (char *)stringATAV;
+  if( (('0' <= *c) && (*c <= '9')) || ('#' == *c) ) {
+    oid = nssOID_CreateFromUTF8(type);
+    if( (NSSOID *)NULL == oid ) {
+      nss_ZFreeIf(type);
+      return (NSSATAV *)NULL;
+    }
+  } else {
+    for( i = 0; i < nss_attribute_type_alias_count; i++ ) {
+      PRStatus status;
+      const nssAttributeTypeAliasTable *e = &nss_attribute_type_aliases[i];
+      PRBool match = nssUTF8_CaseIgnoreMatch(type, e->alias, &status);
+      if( PR_SUCCESS != status ) {
+        nss_ZFreeIf(type);
+        return (NSSATAV *)NULL;
+      }
+      if( PR_TRUE == match ) {
+        oid = *(e->oid);
+        break;
+      }
+    }
+
+    if( (NSSOID *)NULL == oid ) {
+      nss_ZFreeIf(type);
+      nss_SetError(NSS_ERROR_UNKNOWN_ATTRIBUTE);
+      return (NSSATAV *)NULL;
+    }
+  }
+
+  nss_ZFreeIf(type);
+  type = (NSSUTF8 *)NULL;
+
+  rv = nss_ZNEW(arenaOpt, NSSATAV);
+  if( (NSSATAV *)NULL == rv ) {
+    return (NSSATAV *)NULL;
+  }
+
+  rv->oid = oid;
+
+  if( '#' == *value ) { /* XXX fgmr.. was it '#'?  or backslash? */
+    PRUint32 size;
+    PRUint32 len;
+    NSSUTF8 *c;
+    NSSUTF8 *d;
+    PRStatus status;
+    /* It's in hex */
+
+    value++;
+    if( PR_TRUE != nss_atav_utf8_string_is_hex(value) ) {
+      (void)nss_ZFreeIf(rv);
+      nss_SetError(NSS_ERROR_INVALID_STRING);
+      return (NSSATAV *)NULL;
+    }
+
+    size = nssUTF8_Size(value, &status);
+    if( PR_SUCCESS != status ) {
+      /* 
+       * Only returns an error on bad pointer (nope) or string
+       * too long.  The defined limits for known attributes are
+       * small enough to fit in PRUint32, and when undefined we
+       * get to apply our own practical limits.  Ergo, I say the 
+       * string is invalid.
+       */
+      (void)nss_ZFreeIf(rv);
+      nss_SetError(NSS_ERROR_INVALID_STRING);
+      return (NSSATAV *)NULL;
+    }
+
+    if( ((size-1) & 1) ) {
+      /* odd length */
+      (void)nss_ZFreeIf(rv);
+      nss_SetError(NSS_ERROR_INVALID_STRING);
+      return (NSSATAV *)NULL;
+    }
+
+    len = (size-1)/2;
+
+    rv->value = (NSSUTF8 *)nss_ZAlloc(arenaOpt, len+1);
+    if( (NSSUTF8 *)NULL == rv->value ) {
+      (void)nss_ZFreeIf(rv);
+      return (NSSATAV *)NULL;
+    }
+
+    xitem.size = len;
+    xitem.data = (void *)rv->value;
+
+    for( c = rv->value, d = value; len--; c++, d += 2 ) {
+      *c = nss_atav_fromhex(d);
+    }
+
+    *c = 0;
+  } else {
+    PRStatus status;
+    PRUint32 i, len;
+    PRUint8 *s;
+
+    /*
+     * XXX fgmr-- okay, this is a little wasteful, and should
+     * probably be abstracted out a bit.  Later.
+     */
+
+    rv->value = nssUTF8_Duplicate(value, arenaOpt);
+    if( (NSSUTF8 *)NULL == rv->value ) {
+      (void)nss_ZFreeIf(rv);
+      return (NSSATAV *)NULL;
+    }
+
+    len = nssUTF8_Size(rv->value, &status);
+    if( PR_SUCCESS != status ) {
+      (void)nss_ZFreeIf(rv->value);
+      (void)nss_ZFreeIf(rv);
+      return (NSSATAV *)NULL;
+    }
+
+    s = (PRUint8 *)rv->value;
+    for( i = 0; i < len; i++ ) {
+      if( '\\' == s[i] ) {
+        (void)nsslibc_memcpy(&s[i], &s[i+1], len-i-1);
+      }
+    }
+  }
+
+  /* Now just BER-encode the baby and we're through.. */
+  {
+    const struct nss_attribute_data_str *which = 
+      (struct nss_attribute_data_str *)NULL;
+    PRUint32 i;
+    NSSArena *a;
+    NSSDER *oidder;
+    NSSItem *vitem;
+    atav_holder ah;
+    NSSDER *status;
+
+    for( i = 0; i < nss_attribute_data_quantity; i++ ) {
+      if( *(nss_attribute_data[ i ].oid) == rv->oid ) {
+        which = &nss_attribute_data[i];
+        break;
+      }
+    }
+
+    a = NSSArena_Create();
+    if( (NSSArena *)NULL == a ) {
+      (void)nss_ZFreeIf(rv->value);
+      (void)nss_ZFreeIf(rv);
+      return (NSSATAV *)NULL;
+    }
+
+    oidder = nssOID_GetDEREncoding(rv->oid, (NSSDER *)NULL, a);
+    if( (NSSDER *)NULL == oidder ) {
+      (void)NSSArena_Destroy(a);
+      (void)nss_ZFreeIf(rv->value);
+      (void)nss_ZFreeIf(rv);
+      return (NSSATAV *)NULL;
+    }
+
+    if( (struct nss_attribute_data_str *)NULL == which ) {
+      /*
+       * We'll just have to take the user data as an octet stream.
+       */
+      if( (void *)NULL == xitem.data ) {
+        /*
+         * This means that an ATTR entry has been added to oids.txt,
+         * but no corresponding entry has been added to the array
+         * ns_attribute_data[] above.
+         */
+        nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+        (void)NSSArena_Destroy(a);
+        (void)nss_ZFreeIf(rv->value);
+        (void)nss_ZFreeIf(rv);
+        return (NSSATAV *)NULL;
+      }
+
+      vitem = nssASN1_EncodeItem(a, (NSSDER *)NULL, &xitem, 
+                                 nssASN1Template_OctetString, NSSASN1DER);
+      if( (NSSItem *)NULL == vitem ) {
+        (void)NSSArena_Destroy(a);
+        (void)nss_ZFreeIf(rv->value);
+        (void)nss_ZFreeIf(rv);
+        return (NSSATAV *)NULL;
+      }
+
+      rv->stringForm = nssStringType_Unknown;
+    } else {
+      PRUint32 length = 0;
+      PRStatus stat;
+      
+      length = nssUTF8_Length(rv->value, &stat);
+      if( PR_SUCCESS != stat ) {
+        (void)NSSArena_Destroy(a);
+        (void)nss_ZFreeIf(rv->value);
+        (void)nss_ZFreeIf(rv);
+        return (NSSATAV *)NULL;
+      }
+
+      if( ((0 != which->minStringLength) && 
+           (length < which->minStringLength)) ||
+          ((0 != which->maxStringLength) &&
+           (length > which->maxStringLength)) ) {
+        nss_SetError(NSS_ERROR_INVALID_STRING);
+        (void)NSSArena_Destroy(a);
+        (void)nss_ZFreeIf(rv->value);
+        (void)nss_ZFreeIf(rv);
+        return (NSSATAV *)NULL;
+      }
+
+      vitem = nssUTF8_GetDEREncoding(a, which->stringType, rv->value);
+      if( (NSSItem *)NULL == vitem ) {
+        (void)NSSArena_Destroy(a);
+        (void)nss_ZFreeIf(rv->value);
+        (void)nss_ZFreeIf(rv);
+        return (NSSATAV *)NULL;
+      }
+
+      if( nssStringType_DirectoryString == which->stringType ) {
+        rv->stringForm = nssStringType_UTF8String;
+      } else {
+        rv->stringForm = which->stringType;
+      }
+    }
+
+    ah.oid = *oidder;
+    ah.value = *vitem;
+
+    status = nssASN1_EncodeItem(arenaOpt, &rv->ber, &ah, 
+                                nss_atav_template, NSSASN1DER);
+
+    if( (NSSDER *)NULL == status ) {
+      (void)NSSArena_Destroy(a);
+      (void)nss_ZFreeIf(rv->value);
+      (void)nss_ZFreeIf(rv);
+      return (NSSATAV *)NULL;
+    }
+
+    (void)NSSArena_Destroy(a);
+  }
+
+  return rv;
+}
+
+/*
+ * nssATAV_Create
+ *
+ * This routine creates an NSSATAV from the specified NSSOID and the
+ * specified data. If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory
+ * will be obtained from the heap.If the specified data length is zero, 
+ * the data is assumed to be terminated by first zero byte; this allows 
+ * UTF8 strings to be easily specified.  This routine may return NULL 
+ * upon error, in which case it will have set an error on the error 
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_IMPLEMENT NSSATAV *
+nssATAV_Create
+(
+  NSSArena *arenaOpt,
+  const NSSOID *oid,
+  const void *data,
+  PRUint32 length
+)
+{
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSATAV *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSATAV *)NULL;
+  }
+
+  if( (const void *)NULL == data ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (NSSATAV *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  /* XXX fgmr-- oops, forgot this one */
+  return (NSSATAV *)NULL;
+}
+
+/*
+ * nssATAV_Destroy
+ *
+ * This routine will destroy an ATAV object.  It should eventually be
+ * called on all ATAVs created without an arena.  While it is not 
+ * necessary to call it on ATAVs created within an arena, it is not an
+ * error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * set an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_IMPLEMENT PRStatus
+nssATAV_Destroy
+(
+  NSSATAV *atav
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  (void)nss_ZFreeIf(atav->ber.data);
+  (void)nss_ZFreeIf(atav->value);
+
+#ifdef DEBUG
+  if( PR_SUCCESS != atav_remove_pointer(atav) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nssATAV_GetDEREncoding
+ *
+ * This routine will DER-encode an ATAV object. If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have set
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSATAV
+ */
+
+NSS_IMPLEMENT NSSDER *
+nssATAV_GetDEREncoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+  NSSDER *rv;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSDER *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  rv = nss_ZNEW(arenaOpt, NSSDER);
+  if( (NSSDER *)NULL == rv ) {
+    return (NSSDER *)NULL;
+  }
+
+  rv->data = nss_ZAlloc(arenaOpt, atav->ber.size);
+  if( (void *)NULL == rv->data ) {
+    (void)nss_ZFreeIf(rv);
+    return (NSSDER *)NULL;
+  }
+
+  rv->size = atav->ber.size;
+  if( NULL == nsslibc_memcpy(rv->data, atav->ber.data, rv->size) ) {
+    (void)nss_ZFreeIf(rv->data);
+    (void)nss_ZFreeIf(rv);
+    return (NSSDER *)NULL;
+  }
+
+  return rv;
+}
+
+/*
+ * nssATAV_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the ATAV in "equals" notation (e.g., "o=Acme").  
+ * If the optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return null upon error, in which 
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the "equals" encoding of the 
+ *      ATAV
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+nssATAV_GetUTF8Encoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+  NSSUTF8 *rv;
+  PRUint32 i;
+  const NSSUTF8 *alias = (NSSUTF8 *)NULL;
+  NSSUTF8 *oid;
+  NSSUTF8 *value;
+  PRUint32 oidlen;
+  PRUint32 valuelen;
+  PRUint32 totallen;
+  PRStatus status;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  for( i = 0; i < nss_attribute_type_alias_count; i++ ) {
+    if( *(nss_attribute_type_aliases[i].oid) == atav->oid ) {
+      alias = nss_attribute_type_aliases[i].alias;
+      break;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL == alias ) {
+    oid = nssOID_GetUTF8Encoding(atav->oid, (NSSArena *)NULL);
+    if( (NSSUTF8 *)NULL == oid ) {
+      return (NSSUTF8 *)NULL;
+    }
+
+    oidlen = nssUTF8_Size(oid, &status);
+    if( PR_SUCCESS != status ) {
+      (void)nss_ZFreeIf(oid);
+      return (NSSUTF8 *)NULL;
+    }
+  } else {
+    oidlen = nssUTF8_Size(alias, &status);
+    if( PR_SUCCESS != status ) {
+      return (NSSUTF8 *)NULL;
+    }
+    oid = (NSSUTF8 *)NULL;
+  }
+
+  value = nssATAV_GetValue(atav, (NSSArena *)NULL);
+  if( (NSSUTF8 *)NULL == value ) {
+    (void)nss_ZFreeIf(oid);
+    return (NSSUTF8 *)NULL;
+  }
+
+  valuelen = nssUTF8_Size(value, &status);
+  if( PR_SUCCESS != status ) {
+    (void)nss_ZFreeIf(value);
+    (void)nss_ZFreeIf(oid);
+    return (NSSUTF8 *)NULL;
+  }
+
+  totallen = oidlen + valuelen - 1 + 1;
+  rv = (NSSUTF8 *)nss_ZAlloc(arenaOpt, totallen);
+  if( (NSSUTF8 *)NULL == rv ) {
+    (void)nss_ZFreeIf(value);
+    (void)nss_ZFreeIf(oid);
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSUTF8 *)NULL == alias ) {
+    if( (void *)NULL == nsslibc_memcpy(rv, oid, oidlen-1) ) {
+      (void)nss_ZFreeIf(rv);
+      (void)nss_ZFreeIf(value);
+      (void)nss_ZFreeIf(oid);
+      return (NSSUTF8 *)NULL;
+    }
+  } else {
+    if( (void *)NULL == nsslibc_memcpy(rv, alias, oidlen-1) ) {
+      (void)nss_ZFreeIf(rv);
+      (void)nss_ZFreeIf(value);
+      return (NSSUTF8 *)NULL;
+    }
+  }
+
+  rv[ oidlen-1 ] = '=';
+
+  if( (void *)NULL == nsslibc_memcpy(&rv[oidlen], value, valuelen) ) {
+    (void)nss_ZFreeIf(rv);
+    (void)nss_ZFreeIf(value);
+    (void)nss_ZFreeIf(oid);
+    return (NSSUTF8 *)NULL;
+  }
+
+  return rv;
+}
+
+/*
+ * nssATAV_GetType
+ *
+ * This routine returns the NSSOID corresponding to the attribute type
+ * in the specified ATAV.  This routine may return NSS_OID_UNKNOWN 
+ * upon error, in which case it will have set an error on the error
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  A valid NSSOID pointer upon success
+ */
+
+NSS_IMPLEMENT const NSSOID *
+nssATAV_GetType
+(
+  NSSATAV *atav
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSOID *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return atav->oid;
+}
+
+/*
+ * nssATAV_GetValue
+ *
+ * This routine returns a NSSUTF8 string containing the attribute value
+ * in the specified ATAV.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have set an error upon the
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSItem containing the attribute value.
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+nssATAV_GetValue
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return nssUTF8_Duplicate(atav->value, arenaOpt);
+}
+
+/*
+ * nssATAV_Compare
+ *
+ * This routine compares two ATAVs for equality.  For two ATAVs to be
+ * equal, the attribute types must be the same, and the attribute 
+ * values must have equal length and contents.  The result of the 
+ * comparison will be stored at the location pointed to by the "equalp"
+ * variable, which must point to a valid PRBool.  This routine may 
+ * return PR_FAILURE upon error, in which case it will have set an 
+ * error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_IMPLEMENT PRStatus
+nssATAV_Compare
+(
+  NSSATAV *atav1,
+  NSSATAV *atav2,
+  PRBool *equalp
+)
+{
+  nssStringType comparison;
+  PRUint32 len1;
+  PRUint32 len2;
+  PRStatus status;
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav1) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav2) ) {
+    return PR_FAILURE;
+  }
+
+  if( (PRBool *)NULL == equalp ) {
+    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  if( atav1->oid != atav2->oid ) {
+    *equalp = PR_FALSE;
+    return PR_SUCCESS;
+  }
+
+  if( atav1->stringForm != atav2->stringForm ) {
+    if( (nssStringType_PrintableString == atav1->stringForm) ||
+        (nssStringType_PrintableString == atav2->stringForm) ) {
+      comparison = nssStringType_PrintableString;
+    } else if( (nssStringType_PHGString == atav1->stringForm) ||
+               (nssStringType_PHGString == atav2->stringForm) ) {
+      comparison = nssStringType_PHGString;
+    } else {
+      comparison = atav1->stringForm;
+    }
+  } else {
+    comparison = atav1->stringForm;
+  }
+
+  switch( comparison ) {
+  case nssStringType_DirectoryString:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    return PR_FAILURE;
+  case nssStringType_TeletexString:
+    break;
+  case nssStringType_PrintableString:
+    *equalp = nssUTF8_PrintableMatch(atav1->value, atav2->value, &status);
+    return status;
+    /* Case-insensitive, with whitespace reduction */
+    break;
+  case nssStringType_UniversalString:
+    break;
+  case nssStringType_BMPString:
+    break;
+  case nssStringType_GeneralString:
+    /* what to do here? */
+    break;
+  case nssStringType_UTF8String:
+    break;
+  case nssStringType_PHGString:
+    /* Case-insensitive (XXX fgmr, actually see draft-11 pg. 21) */
+    *equalp = nssUTF8_CaseIgnoreMatch(atav1->value, atav2->value, &status);
+    return status;
+  case nssStringType_Unknown:
+    break;
+  }
+  
+  len1 = nssUTF8_Size(atav1->value, &status);
+  if( PR_SUCCESS != status ) {
+    return PR_FAILURE;
+  }
+
+  len2 = nssUTF8_Size(atav2->value, &status);
+  if( PR_SUCCESS != status ) {
+    return PR_FAILURE;
+  }
+
+  if( len1 != len2 ) {
+    *equalp = PR_FALSE;
+    return PR_SUCCESS;
+  }
+
+  *equalp = nsslibc_memequal(atav1->value, atav2->value, len1, &status);
+  return status;
+}
+
+
+/*
+ * nssATAV_Duplicate
+ *
+ * This routine duplicates the specified ATAV.  If the optional arena 
+ * argument is non-null, the memory required will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * placed an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL on error
+ *  A pointer to a new ATAV
+ */
+
+NSS_IMPLEMENT NSSATAV *
+nssATAV_Duplicate
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+)
+{
+  NSSATAV *rv;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssATAV_verifyPointer(atav) ) {
+    return (NSSATAV *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSATAV *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  rv = nss_ZNEW(arenaOpt, NSSATAV);
+  if( (NSSATAV *)NULL == rv ) {
+    return (NSSATAV *)NULL;
+  }
+
+  rv->oid = atav->oid;
+  rv->stringForm = atav->stringForm;
+  rv->value = nssUTF8_Duplicate(atav->value, arenaOpt);
+  if( (NSSUTF8 *)NULL == rv->value ) {
+    (void)nss_ZFreeIf(rv);
+    return (NSSATAV *)NULL;
+  }
+
+  rv->ber.data = nss_ZAlloc(arenaOpt, atav->ber.size);
+  if( (void *)NULL == rv->ber.data ) {
+    (void)nss_ZFreeIf(rv->value);
+    (void)nss_ZFreeIf(rv);
+    return (NSSATAV *)NULL;
+  }
+
+  rv->ber.size = atav->ber.size;
+  if( NULL == nsslibc_memcpy(rv->ber.data, atav->ber.data, 
+                                   atav->ber.size) ) {
+    (void)nss_ZFreeIf(rv->ber.data);
+    (void)nss_ZFreeIf(rv->value);
+    (void)nss_ZFreeIf(rv);
+    return (NSSATAV *)NULL;
+  }
+
+  return rv;
+}
diff --git a/security/nss/lib/pki1/config.mk b/security/nss/lib/pki1/config.mk
new file mode 100644
index 000000000..4d255c57b
--- /dev/null
+++ b/security/nss/lib/pki1/config.mk
@@ -0,0 +1,47 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+ifdef BUILD_IDG
+DEFINES += -DNSSDEBUG
+endif
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
diff --git a/security/nss/lib/pki1/genname.c b/security/nss/lib/pki1/genname.c
new file mode 100644
index 000000000..e7b12806a
--- /dev/null
+++ b/security/nss/lib/pki1/genname.c
@@ -0,0 +1,94 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * genname.c
+ *
+ * This file contains the implementation of the PKIX part-1 object
+ * GeneralName.
+ */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+#ifndef PKI1_H
+#include "pki1.h"
+#endif /* PKI1_H */
+
+/*
+ * GeneralName
+ *
+ * From draft-ietf-pkix-ipki-part1-10:
+ *
+ *  GeneralName ::= CHOICE {
+ *          otherName                   [0] INSTANCE OF OTHER-NAME,
+ *          rfc822Name                  [1] IA5String,
+ *          dNSName                     [2] IA5String,
+ *          x400Address                 [3] ORAddress,
+ *          directoryName               [4] Name,
+ *          ediPartyName                [5] EDIPartyName,
+ *          uniformResourceIdentifier   [6] IA5String,
+ *          iPAddress                   [7] OCTET STRING,
+ *          registeredID                [8] OBJECT IDENTIFIER }
+ *  
+ *  OTHER-NAME ::= TYPE-IDENTIFIER
+ *  
+ *  EDIPartyName ::= SEQUENCE {
+ *          nameAssigner        [0] DirectoryString {ub-name} OPTIONAL,
+ *          partyName           [1] DirectoryString {ub-name} }
+ *
+ */
+
+struct nssGeneralNameStr {
+  NSSGeneralNameChoice choice;
+  union {
+    /* OTHER-NAME otherName */
+    NSSUTF8 *rfc822Name;
+    NSSUTF8 *dNSName;
+    /* ORAddress x400Address */
+    NSSName *directoryName;
+    /* EDIPartyName ediPartyName */
+    NSSUTF8 *uniformResourceIdentifier;
+    NSSItem *iPAddress;
+    NSSOID *registeredID;
+  } u;
+};
diff --git a/security/nss/lib/pki1/gnseq.c b/security/nss/lib/pki1/gnseq.c
new file mode 100644
index 000000000..e56ec93b9
--- /dev/null
+++ b/security/nss/lib/pki1/gnseq.c
@@ -0,0 +1,71 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * gnseq.c
+ *
+ * This file contains the implementation of the PKIX part-1 object
+ * GeneralNames (note the ending 's').
+ */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+#ifndef PKI1_H
+#include "pki1.h"
+#endif /* PKI1_H */
+
+/*
+ * GeneralNames (or, as we call it, GeneralNameSeq)
+ *
+ * From draft-ietf-pkix-ipki-part1-10:
+ *
+ *  GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ *
+ * A GeneralNames is simply an (ordered) sequence of General Names.
+ * The seqSize variable is  "helper" kept for simplicity.
+ */
+
+struct nssGeneralNameSeqStr {
+  PRUint32 seqSize;
+  NSSGeneralName **generalNames;
+};
diff --git a/security/nss/lib/pki1/manifest.mn b/security/nss/lib/pki1/manifest.mn
new file mode 100644
index 000000000..b4d8c476a
--- /dev/null
+++ b/security/nss/lib/pki1/manifest.mn
@@ -0,0 +1,64 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+CORE_DEPTH = ../../..
+
+# In 4.0, move nss*.h back to EXPORTS
+PRIVATE_EXPORTS = \
+	oiddata.h \
+	pki1.h	  \
+	pki1t.h	  \
+	nsspki1.h  \
+	nsspki1t.h \
+	$(NULL)
+
+EXPORTS =	   \
+	$(NULL)
+
+MODULE = security
+
+CSRCS =		  \
+	atav.c	  \
+	genname.c \
+	gnseq.c	  \
+	name.c	  \
+	oid.c	  \
+	oiddata.c \
+	rdn.c	  \
+	rdnseq.c  \
+	$(NULL)
+
+REQUIRES = security nspr
+
+LIBRARY_NAME = pki1
diff --git a/security/nss/lib/pki1/name.c b/security/nss/lib/pki1/name.c
new file mode 100644
index 000000000..558e1142f
--- /dev/null
+++ b/security/nss/lib/pki1/name.c
@@ -0,0 +1,77 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * name.c
+ *
+ * This file contains the implementation of the PKIX part-1 object
+ * Name.
+ */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+#ifndef PKI1_H
+#include "pki1.h"
+#endif /* PKI1_H */
+
+/*
+ * Name
+ *
+ * From draft-ietf-pkix-ipki-part1-10:
+ *
+ *  -- naming data types --
+ *  
+ *  Name            ::=     CHOICE { -- only one possibility for now --
+ *                                          rdnSequence  RDNSequence }
+ *
+ * A name is basically a union of the possible names.  At the moment,
+ * there is only one type of name: an RDNSequence.
+ */
+
+struct nssNameStr {
+  PRUint32 tagPlaceHolder;
+  union {
+    NSSRDNSeq *rdnSequence;
+  } n;
+};
+
diff --git a/security/nss/lib/pki1/nsspki1.h b/security/nss/lib/pki1/nsspki1.h
new file mode 100644
index 000000000..3498ab520
--- /dev/null
+++ b/security/nss/lib/pki1/nsspki1.h
@@ -0,0 +1,2869 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef NSSPKI1_H
+#define NSSPKI1_H
+
+#ifdef DEBUG
+static const char NSSPKI1_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * nsspki1.h
+ *
+ * This file contains the prototypes of the public NSS routines 
+ * dealing with the PKIX part-1 definitions.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSPKI1T_H
+#include "nsspki1t.h"
+#endif /* NSSPKI1T_H */
+
+#ifndef OIDDATA_H
+#include "oiddata.h"
+#endif /* OIDDATA_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * NSSOID
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  NSSOID_CreateFromBER   -- constructor
+ *  NSSOID_CreateFromUTF8  -- constructor
+ *  (there is no explicit destructor)
+ * 
+ *  NSSOID_GetDEREncoding
+ *  NSSOID_GetUTF8Encoding
+ */
+
+extern const NSSOID *NSS_OID_UNKNOWN;
+
+/*
+ * NSSOID_CreateFromBER
+ *
+ * This routine creates an NSSOID by decoding a BER- or DER-encoded
+ * OID.  It may return NSS_OID_UNKNOWN upon error, in which case it 
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+NSSOID_CreateFromBER
+(
+  NSSBER *berOid
+);
+
+extern const NSSError NSS_ERROR_INVALID_BER;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSOID_CreateFromUTF8
+ *
+ * This routine creates an NSSOID by decoding a UTF8 string 
+ * representation of an OID in dotted-number format.  The string may 
+ * optionally begin with an octothorpe.  It may return NSS_OID_UNKNOWN
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+NSSOID_CreateFromUTF8
+(
+  NSSUTF8 *stringOid
+);
+
+extern const NSSError NSS_ERROR_INVALID_STRING;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSOID_GetDEREncoding
+ *
+ * This routine returns the DER encoding of the specified NSSOID.
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return return null upon error, in 
+ * which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSOID
+ */
+
+NSS_EXTERN NSSDER *
+NSSOID_GetDEREncoding
+(
+  const NSSOID *oid,
+  NSSDER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSOID_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing the dotted-number 
+ * encoding of the specified NSSOID.  If the optional arena argument 
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return null upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the dotted-digit encoding of 
+ *      this NSSOID
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSOID_GetUTF8Encoding
+(
+  const NSSOID *oid,
+  NSSArena *arenaOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSATAV
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  NSSATAV_CreateFromBER   -- constructor
+ *  NSSATAV_CreateFromUTF8  -- constructor
+ *  NSSATAV_Create          -- constructor
+ *
+ *  NSSATAV_Destroy
+ *  NSSATAV_GetDEREncoding
+ *  NSSATAV_GetUTF8Encoding
+ *  NSSATAV_GetType
+ *  NSSATAV_GetValue
+ *  NSSATAV_Compare
+ *  NSSATAV_Duplicate
+ */
+
+/*
+ * NSSATAV_CreateFromBER
+ * 
+ * This routine creates an NSSATAV by decoding a BER- or DER-encoded
+ * ATAV.  If the optional arena argument is non-null, the memory used 
+ * will be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error, 
+ * in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_EXTERN NSSATAV *
+NSSATAV_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *derATAV
+);
+
+extern const NSSError NSS_ERROR_INVALID_BER;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSATAV_CreateFromUTF8
+ *
+ * This routine creates an NSSATAV by decoding a UTF8 string in the
+ * "equals" format, e.g., "c=US."  If the optional arena argument is 
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_EXTERN NSSATAV *
+NSSATAV_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringATAV
+);
+
+extern const NSSError NSS_ERROR_UNKNOWN_ATTRIBUTE;
+extern const NSSError NSS_ERROR_INVALID_STRING;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSATAV_Create
+ *
+ * This routine creates an NSSATAV from the specified NSSOID and the
+ * specified data. If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory
+ * will be obtained from the heap.If the specified data length is zero, 
+ * the data is assumed to be terminated by first zero byte; this allows 
+ * UTF8 strings to be easily specified.  This routine may return NULL 
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_EXTERN NSSATAV *
+NSSATAV_Create
+(
+  NSSArena *arenaOpt,
+  const NSSOID *oid,
+  const void *data,
+  PRUint32 length
+);
+
+extern const NSSError NSS_ERROR_INVALID_ARENA;
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+extern const NSSError NSS_ERROR_INVALID_POINTER;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSATAV_Destroy
+ *
+ * This routine will destroy an ATAV object.  It should eventually be
+ * called on all ATAVs created without an arena.  While it is not 
+ * necessary to call it on ATAVs created within an arena, it is not an
+ * error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+NSSATAV_Destroy
+(
+  NSSATAV *atav
+);
+
+extern const NSSError NSS_ERROR_INVALID_ATAV;
+
+/*
+ * NSSATAV_GetDEREncoding
+ *
+ * This routine will DER-encode an ATAV object. If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSATAV
+ */
+
+NSS_EXTERN NSSDER *
+NSSATAV_GetDEREncoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_ATAV;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSATAV_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the ATAV in "equals" notation (e.g., "o=Acme").  
+ * If the optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return null upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the "equals" encoding of the 
+ *      ATAV
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSATAV_GetUTF8Encoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_ATAV;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSATAV_GetType
+ *
+ * This routine returns the NSSOID corresponding to the attribute type
+ * in the specified ATAV.  This routine may return NSS_OID_UNKNOWN 
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  An element of enum NSSOIDenum upon success
+ */
+
+NSS_EXTERN const NSSOID *
+NSSATAV_GetType
+(
+  NSSATAV *atav
+);
+
+extern const NSSError NSS_ERROR_INVALID_ATAV;
+
+/*
+ * NSSATAV_GetValue
+ *
+ * This routine returns an NSSItem containing the attribute value
+ * in the specified ATAV.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSItem containing the attribute value.
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSATAV_GetValue
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_ATAV;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSATAV_Compare
+ *
+ * This routine compares two ATAVs for equality.  For two ATAVs to be
+ * equal, the attribute types must be the same, and the attribute 
+ * values must have equal length and contents.  The result of the 
+ * comparison will be stored at the location pointed to by the "equalp"
+ * variable, which must point to a valid PRBool.  This routine may 
+ * return PR_FAILURE upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+NSSATAV_Compare
+(
+  NSSATAV *atav1,
+  NSSATAV *atav2,
+  PRBool *equalp
+);
+
+extern const NSSError NSS_ERROR_INVALID_ATAV;
+extern const NSSError NSS_ERROR_INVALID_ARGUMENT;
+
+/*
+ * NSSATAV_Duplicate
+ *
+ * This routine duplicates the specified ATAV.  If the optional arena 
+ * argument is non-null, the memory required will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL on error
+ *  A pointer to a new ATAV
+ */
+
+NSS_EXTERN NSSATAV *
+NSSATAV_Duplicate
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_ATAV;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * NSSRDN
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  NSSRDN_CreateFromBER   -- constructor
+ *  NSSRDN_CreateFromUTF8  -- constructor
+ *  NSSRDN_Create          -- constructor
+ *  NSSRDN_CreateSimple    -- constructor
+ *
+ *  NSSRDN_Destroy
+ *  NSSRDN_GetDEREncoding
+ *  NSSRDN_GetUTF8Encoding
+ *  NSSRDN_AddATAV
+ *  NSSRDN_GetATAVCount
+ *  NSSRDN_GetATAV
+ *  NSSRDN_GetSimpleATAV
+ *  NSSRDN_Compare
+ *  NSSRDN_Duplicate
+ */
+
+/*
+ * NSSRDN_CreateFromBER
+ *
+ * This routine creates an NSSRDN by decoding a BER- or DER-encoded 
+ * RDN.  If the optional arena argument is non-null, the memory used 
+ * will be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error, 
+ * in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+NSSRDN_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berRDN
+);
+
+/*
+ * NSSRDN_CreateFromUTF8
+ *
+ * This routine creates an NSSRDN by decoding an UTF8 string 
+ * consisting of either a single ATAV in the "equals" format, e.g., 
+ * "uid=smith," or one or more such ATAVs in parentheses, e.g., 
+ * "(sn=Smith,ou=Sales)."  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+NSSRDN_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringRDN
+);
+
+/*
+ * NSSRDN_Create
+ *
+ * This routine creates an NSSRDN from one or more NSSATAVs.  The
+ * final argument to this routine must be NULL.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+NSSRDN_Create
+(
+  NSSArena *arenaOpt,
+  NSSATAV *atav1,
+  ...
+);
+
+/*
+ * NSSRDN_CreateSimple
+ *
+ * This routine creates a simple NSSRDN from a single NSSATAV.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+NSSRDN_CreateSimple
+(
+  NSSArena *arenaOpt,
+  NSSATAV *atav
+);
+
+/*
+ * NSSRDN_Destroy
+ *
+ * This routine will destroy an RDN object.  It should eventually be
+ * called on all RDNs created without an arena.  While it is not 
+ * necessary to call it on RDNs created within an arena, it is not an
+ * error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will 
+ * create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *
+ * Return value:
+ *  PR_FAILURE upon failure
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+NSSRDN_Destroy
+(
+  NSSRDN *rdn
+);
+
+/*
+ * NSSRDN_GetDEREncoding
+ *
+ * This routine will DER-encode an RDN object.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSRDN
+ */
+
+NSS_EXTERN NSSDER *
+NSSRDN_GetDEREncoding
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSRDN_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the RDN.  A simple (one-ATAV) RDN will be simply
+ * the string representation of that ATAV; a non-simple RDN will be in
+ * parenthesised form.  If the optional arena argument is non-null, 
+ * the memory used will be obtained from that arena; otherwise, the 
+ * memory will be obtained from the heap.  This routine may return 
+ * null upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSRDN_GetUTF8Encoding
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSRDN_AddATAV
+ *
+ * This routine adds an ATAV to the set of ATAVs in the specified RDN.
+ * Remember that RDNs consist of an unordered set of ATAVs.  If the
+ * RDN was created with a non-null arena argument, that same arena
+ * will be used for any additional required memory.  If the RDN was 
+ * created with a NULL arena argument, any additional memory will
+ * be obtained from the heap.  This routine returns a PRStatus value;
+ * it will return PR_SUCCESS upon success, and upon failure it will
+ * create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSRDN_AddATAV
+(
+  NSSRDN *rdn,
+  NSSATAV *atav
+);
+
+/*
+ * NSSRDN_GetATAVCount
+ *
+ * This routine returns the cardinality of the set of ATAVs within
+ * the specified RDN.  This routine may return 0 upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *
+ * Return value:
+ *  0 upon error
+ *  A positive number upon success
+ */
+
+NSS_EXTERN PRUint32
+NSSRDN_GetATAVCount
+(
+  NSSRDN *rdn
+);
+
+/*
+ * NSSRDN_GetATAV
+ *
+ * This routine returns a pointer to an ATAV that is a member of
+ * the set of ATAVs within the specified RDN.  While the set of
+ * ATAVs within an RDN is unordered, this routine will return
+ * distinct values for distinct values of 'i' as long as the RDN
+ * is not changed in any way.  The RDN may be changed by calling
+ * NSSRDN_AddATAV.  The value of the variable 'i' is on the range
+ * [0,c) where c is the cardinality returned from NSSRDN_GetATAVCount.
+ * The caller owns the ATAV the pointer to which is returned.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSATAV
+ */
+
+NSS_EXTERN NSSATAV *
+NSSRDN_GetATAV
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt,
+  PRUint32 i
+);
+
+/*
+ * NSSRDN_GetSimpleATAV
+ *
+ * Most RDNs are actually very simple, with a single ATAV.  This 
+ * routine will return the single ATAV from such an RDN.  The caller
+ * owns the ATAV the pointer to which is returned.  If the optional
+ * arena argument is non-null, the memory used will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.
+ * This routine may return NULL upon error, including the case where
+ * the set of ATAVs in the RDN is nonsingular.  Upon error, this
+ * routine will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_RDN_NOT_SIMPLE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSATAV
+ */
+
+NSS_EXTERN NSSATAV *
+NSSRDN_GetSimpleATAV
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSRDN_Compare
+ *
+ * This routine compares two RDNs for equality.  For two RDNs to be
+ * equal, they must have the same number of ATAVs, and every ATAV in
+ * one must be equal to an ATAV in the other.  (Note that the sets
+ * of ATAVs are unordered.)  The result of the comparison will be
+ * stored at the location pointed to by the "equalp" variable, which
+ * must point to a valid PRBool.  This routine may return PR_FAILURE
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+NSSRDN_Compare
+(
+  NSSRDN *rdn1,
+  NSSRDN *rdn2,
+  PRBool *equalp
+);
+
+/*
+ * NSSRDN_Duplicate
+ *
+ * This routine duplicates the specified RDN.  If the optional arena
+ * argument is non-null, the memory required will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.
+ * This routine may return NULL upon error, in which case it will have
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL on error
+ *  A pointer to a new RDN
+ */
+
+NSS_EXTERN NSSRDN *
+NSSRDN_Duplicate
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSRDNSeq
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  NSSRDNSeq_CreateFromBER   -- constructor
+ *  NSSRDNSeq_CreateFromUTF8  -- constructor
+ *  NSSRDNSeq_Create          -- constructor
+ *
+ *  NSSRDNSeq_Destroy
+ *  NSSRDNSeq_GetDEREncoding
+ *  NSSRDNSeq_GetUTF8Encoding
+ *  NSSRDNSeq_AppendRDN
+ *  NSSRDNSeq_GetRDNCount
+ *  NSSRDNSeq_GetRDN
+ *  NSSRDNSeq_Compare
+ *  NSSRDNSeq_Duplicate
+ */
+
+/*
+ * NSSRDNSeq_CreateFromBER
+ *
+ * This routine creates an NSSRDNSeq by decoding a BER- or DER-encoded 
+ * sequence of RDNs.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return 
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDNSeq upon success
+ */
+
+NSS_EXTERN NSSRDNSeq *
+NSSRDNSeq_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berRDNSeq
+);
+
+/*
+ * NSSRDNSeq_CreateFromUTF8
+ *
+ * This routine creates an NSSRDNSeq by decoding a UTF8 string
+ * consisting of a comma-separated sequence of RDNs, such as
+ * "(sn=Smith,ou=Sales),o=Acme,c=US."  If the optional arena argument
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDNSeq upon success
+ */
+
+NSS_EXTERN NSSRDNSeq *
+NSSRDNSeq_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringRDNSeq
+);
+
+/*
+ * NSSRDNSeq_Create
+ *
+ * This routine creates an NSSRDNSeq from one or more NSSRDNs.  The
+ * final argument to this routine must be NULL.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_RDN
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointero to an NSSRDNSeq upon success
+ */
+
+NSS_EXTERN NSSRDNSeq *
+NSSRDNSeq_Create
+(
+  NSSArena *arenaOpt,
+  NSSRDN *rdn1,
+  ...
+);
+
+/*
+ * NSSRDNSeq_Destroy
+ *
+ * This routine will destroy an RDNSeq object.  It should eventually 
+ * be called on all RDNSeqs created without an arena.  While it is not
+ * necessary to call it on RDNSeqs created within an arena, it is not
+ * an error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+NSSRDNSeq_Destroy
+(
+  NSSRDNSeq *rdnseq
+);
+
+/*
+ * NSSRDNSeq_GetDEREncoding
+ *
+ * This routine will DER-encode an RDNSeq object.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.
+ * This routine may return null upon error, in which case it will have
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSRDNSeq
+ */
+
+NSS_EXTERN NSSDER *
+NSSRDNSeq_GetDEREncoding
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSRDNSeq_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the RDNSeq as a comma-separated sequence of RDNs.  
+ * If the optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return null upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSRDNSeq_GetUTF8Encoding
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSRDNSeq_AppendRDN
+ *
+ * This routine appends an RDN to the end of the existing RDN 
+ * sequence.  If the RDNSeq was created with a non-null arena 
+ * argument, that same arena will be used for any additional required
+ * memory.  If the RDNSeq was created with a NULL arena argument, any
+ * additional memory will be obtained from the heap.  This routine
+ * returns a PRStatus value; it will return PR_SUCCESS upon success,
+ * and upon failure it will create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSRDNSeq_AppendRDN
+(
+  NSSRDNSeq *rdnseq,
+  NSSRDN *rdn
+);
+
+/*
+ * NSSRDNSeq_GetRDNCount
+ *
+ * This routine returns the cardinality of the sequence of RDNs within
+ * the specified RDNSeq.  This routine may return 0 upon error, in 
+ * which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *
+ * Return value:
+ *  0 upon error
+ *  A positive number upon success
+ */
+
+NSS_EXTERN PRUint32
+NSSRDNSeq_GetRDNCount
+(
+  NSSRDNSeq *rdnseq
+);
+
+/*
+ * NSSRDNSeq_GetRDN
+ *
+ * This routine returns a pointer to the i'th RDN in the sequence of
+ * RDNs that make up the specified RDNSeq.  The sequence begins with
+ * the top-level (e.g., "c=US") RDN.  The value of the variable 'i'
+ * is on the range [0,c) where c is the cardinality returned from
+ * NSSRDNSeq_GetRDNCount.  The caller owns the RDN the pointer to which
+ * is returned.  If the optional arena argument is non-null, the memory
+ * used will be obtained from that areana; otherwise, the memory will 
+ * be obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have created an error stack.  Note that the 
+ * usual string representation of RDN Sequences is from last to first.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRDN
+ */
+
+NSS_EXTERN NSSRDN *
+NSSRDNSeq_GetRDN
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt,
+  PRUint32 i
+);
+
+/*
+ * NSSRDNSeq_Compare
+ *
+ * This routine compares two RDNSeqs for equality.  For two RDNSeqs to 
+ * be equal, they must have the same number of RDNs, and each RDN in
+ * one sequence must be equal to the corresponding RDN in the other
+ * sequence.  The result of the comparison will be stored at the
+ * location pointed to by the "equalp" variable, which must point to a
+ * valid PRBool.  This routine may return PR_FAILURE upon error, in
+ * which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+NSSRDNSeq_Compare
+(
+  NSSRDNSeq *rdnseq1,
+  NSSRDNSeq *rdnseq2,
+  PRBool *equalp
+);
+
+/*
+ * NSSRDNSeq_Duplicate
+ *
+ * This routine duplicates the specified RDNSeq.  If the optional arena
+ * argument is non-null, the memory required will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This 
+ * routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new RDNSeq
+ */
+
+NSS_EXTERN NSSRDNSeq *
+NSSRDNSeq_Duplicate
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ * NSSName_CreateFromBER   -- constructor
+ * NSSName_CreateFromUTF8  -- constructor
+ * NSSName_Create          -- constructor
+ *
+ * NSSName_Destroy
+ * NSSName_GetDEREncoding
+ * NSSName_GetUTF8Encoding
+ * NSSName_GetChoice
+ * NSSName_GetRDNSequence
+ * NSSName_GetSpecifiedChoice
+ * NSSName_Compare
+ * NSSName_Duplicate
+ *
+ * NSSName_GetUID
+ * NSSName_GetEmail
+ * NSSName_GetCommonName
+ * NSSName_GetOrganization
+ * NSSName_GetOrganizationalUnits
+ * NSSName_GetStateOrProvince
+ * NSSName_GetLocality
+ * NSSName_GetCountry
+ * NSSName_GetAttribute
+ */
+
+/*
+ * NSSName_CreateFromBER
+ *
+ * This routine creates an NSSName by decoding a BER- or DER-encoded 
+ * (directory) Name.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, 
+ * the memory will be obtained from the heap.  This routine may
+ * return NULL upon error, in which case it will have created an error
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSName upon success
+ */
+
+NSS_EXTERN NSSName *
+NSSName_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berName
+);
+
+/*
+ * NSSName_CreateFromUTF8
+ *
+ * This routine creates an NSSName by decoding a UTF8 string 
+ * consisting of the string representation of one of the choices of 
+ * (directory) names.  Currently the only choice is an RDNSeq.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  The routine may return NULL upon error, in which
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSName upon success
+ */
+
+NSS_EXTERN NSSName *
+NSSName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringName
+);
+
+/*
+ * NSSName_Create
+ *
+ * This routine creates an NSSName with the specified choice of
+ * underlying name types.  The value of the choice variable must be
+ * one of the values of the NSSNameChoice enumeration, and the type
+ * of the arg variable must be as specified in the following table:
+ *
+ *   Choice                     Type
+ *   ========================   ===========
+ *   NSSNameChoiceRdnSequence   NSSRDNSeq *
+ *
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_CHOICE
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSName upon success
+ */
+
+NSS_EXTERN NSSName *
+NSSName_Create
+(
+  NSSArena *arenaOpt,
+  NSSNameChoice choice,
+  void *arg
+);
+
+/*
+ * NSSName_Destroy
+ *
+ * This routine will destroy a Name object.  It should eventually be
+ * called on all Names created without an arena.  While it is not
+ * necessary to call it on Names created within an arena, it is not
+ * an error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+NSSName_Destroy
+(
+  NSSName *name
+);
+
+/*
+ * NSSName_GetDEREncoding
+ *
+ * This routine will DER-encode a name object.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSName
+ */
+
+NSS_EXTERN NSSDER *
+NSSName_GetDEREncoding
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the Name in the format specified by the 
+ * underlying name choice.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the 
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSName_GetUTF8Encoding
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetChoice
+ *
+ * This routine returns the type of the choice underlying the specified
+ * name.  The return value will be a member of the NSSNameChoice 
+ * enumeration.  This routine may return NSSNameChoiceInvalid upon 
+ * error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *
+ * Return value:
+ *  NSSNameChoiceInvalid upon error
+ *  An other member of the NSSNameChoice enumeration upon success
+ */
+
+NSS_EXTERN NSSNameChoice
+NSSName_GetChoice
+(
+  NSSName *name
+);
+
+/*
+ * NSSName_GetRDNSequence
+ *
+ * If the choice underlying the specified NSSName is that of an 
+ * RDNSequence, this routine will return a pointer to that RDN
+ * sequence.  Otherwise, this routine will place an error on the
+ * error stack, and return NULL.  If the optional arena argument is
+ * non-null, the memory required will be obtained from that arena;
+ * otherwise, the memory will be obtained from the heap.  The
+ * caller owns the returned pointer.  This routine may return NULL
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRDNSeq
+ */
+
+NSS_EXTERN NSSRDNSeq *
+NSSName_GetRDNSequence
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetSpecifiedChoice
+ *
+ * If the choice underlying the specified NSSName matches the specified
+ * choice, a caller-owned pointer to that underlying object will be
+ * returned.  Otherwise, an error will be placed on the error stack and
+ * NULL will be returned.  If the optional arena argument is non-null, 
+ * the memory required will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  The caller owns the returned
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer, which must be typecast
+ */
+
+NSS_EXTERN void *
+NSSName_GetSpecifiedChoice
+(
+  NSSName *name,
+  NSSNameChoice choice,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_Compare
+ *
+ * This routine compares two Names for equality.  For two Names to be
+ * equal, they must have the same choice of underlying types, and the
+ * underlying values must be equal.  The result of the comparison will
+ * be stored at the location pointed to by the "equalp" variable, which
+ * must point to a valid PRBool. This routine may return PR_FAILURE
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+NSSName_Compare
+(
+  NSSName *name1,
+  NSSName *name2,
+  PRBool *equalp
+);
+
+/*
+ * NSSName_Duplicate
+ *
+ * This routine duplicates the specified nssname.  If the optional
+ * arena argument is non-null, the memory required will be obtained
+ * from that arena; otherwise, the memory will be obtained from the
+ * heap.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new NSSName
+ */
+
+NSS_EXTERN NSSName *
+NSSName_Duplicate
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetUID
+ *
+ * This routine will attempt to derive a user identifier from the
+ * specified name, if the choices and content of the name permit.
+ * If the Name consists of a Sequence of Relative Distinguished 
+ * Names containing a UID attribute, the UID will be the value of 
+ * that attribute.  Note that no UID attribute is defined in either 
+ * PKIX or PKCS#9; rather, this seems to derive from RFC 1274, which 
+ * defines the type as a caseIgnoreString.  We'll return a Directory 
+ * String.  If the optional arena argument is non-null, the memory 
+ * used will be obtained from that arena; otherwise, the memory will 
+ * be obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_UID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String.
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSName_GetUID
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetEmail
+ *
+ * This routine will attempt to derive an email address from the
+ * specified name, if the choices and content of the name permit.  
+ * If the Name consists of a Sequence of Relative Distinguished 
+ * Names containing either a PKIX email address or a PKCS#9 email
+ * address, the result will be the value of that attribute.  If the
+ * optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_EMAIL
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr IA5 String */
+NSSName_GetEmail
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetCommonName
+ *
+ * This routine will attempt to derive a common name from the
+ * specified name, if the choices and content of the name permit.  
+ * If the Name consists of a Sequence of Relative Distinguished Names
+ * containing a PKIX Common Name, the result will be that name.  If 
+ * the optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_COMMON_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSName_GetCommonName
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetOrganization
+ *
+ * This routine will attempt to derive an organisation name from the
+ * specified name, if the choices and content of the name permit.  
+ * If Name consists of a Sequence of Relative Distinguished names 
+ * containing a PKIX Organization, the result will be the value of 
+ * that attribute.  If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  This routine may return NULL upon 
+ * error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_ORGANIZATION
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSName_GetOrganization
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetOrganizationalUnits
+ *
+ * This routine will attempt to derive a sequence of organisational 
+ * unit names from the specified name, if the choices and content of 
+ * the name permit.  If the Name consists of a Sequence of Relative 
+ * Distinguished Names containing one or more organisational units,
+ * the result will be the values of those attributes.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from 
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_ORGANIZATIONAL_UNITS
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a null-terminated array of UTF8 Strings
+ */
+
+NSS_EXTERN NSSUTF8 ** /* XXX fgmr DirectoryString */
+NSSName_GetOrganizationalUnits
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetStateOrProvince
+ *
+ * This routine will attempt to derive a state or province name from 
+ * the specified name, if the choices and content of the name permit.
+ * If the Name consists of a Sequence of Relative Distinguished Names
+ * containing a state or province, the result will be the value of 
+ * that attribute.  If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  This routine may return NULL upon 
+ * error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_STATE_OR_PROVINCE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSName_GetStateOrProvince
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetLocality
+ *
+ * This routine will attempt to derive a locality name from the 
+ * specified name, if the choices and content of the name permit.  If
+ * the Name consists of a Sequence of Relative Distinguished names
+ * containing a Locality, the result will be the value of that 
+ * attribute.  If the optional arena argument is non-null, the memory 
+ * used will be obtained from that arena; otherwise, the memory will 
+ * be obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_LOCALITY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSName_GetLocality
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetCountry
+ *
+ * This routine will attempt to derive a country name from the 
+ * specified name, if the choices and content of the name permit.
+ * If the Name consists of a Sequence of Relative Distinguished 
+ * Names containing a Country, the result will be the value of
+ * that attribute..  If the optional arena argument is non-null, 
+ * the memory used will be obtained from that arena; otherwise, 
+ * the memory will be obtained from the heap.  This routine may 
+ * return NULL upon error, in which case it will have created an 
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_COUNTRY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr PrintableString */
+NSSName_GetCountry
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSName_GetAttribute
+ *
+ * If the specified name consists of a Sequence of Relative 
+ * Distinguished Names containing an attribute with the specified 
+ * type, and the actual value of that attribute may be expressed 
+ * with a Directory String, then the value of that attribute will 
+ * be returned as a Directory String.  If the optional arena argument 
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine 
+ * may return NULL upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_ATTRIBUTE
+ *  NSS_ERROR_ATTRIBUTE_VALUE_NOT_STRING
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSName_GetAttribute
+(
+  NSSName *name,
+  NSSOID *attribute,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ * NSSGeneralName_CreateFromBER   -- constructor
+ * NSSGeneralName_CreateFromUTF8  -- constructor
+ * NSSGeneralName_Create          -- constructor
+ *
+ * NSSGeneralName_Destroy
+ * NSSGeneralName_GetDEREncoding
+ * NSSGeneralName_GetUTF8Encoding
+ * NSSGeneralName_GetChoice
+ * NSSGeneralName_GetOtherName
+ * NSSGeneralName_GetRfc822Name
+ * NSSGeneralName_GetDNSName
+ * NSSGeneralName_GetX400Address
+ * NSSGeneralName_GetDirectoryName
+ * NSSGeneralName_GetEdiPartyName
+ * NSSGeneralName_GetUniformResourceIdentifier
+ * NSSGeneralName_GetIPAddress
+ * NSSGeneralName_GetRegisteredID
+ * NSSGeneralName_GetSpecifiedChoice
+ * NSSGeneralName_Compare
+ * NSSGeneralName_Duplicate
+ *
+ * NSSGeneralName_GetUID
+ * NSSGeneralName_GetEmail
+ * NSSGeneralName_GetCommonName
+ * NSSGeneralName_GetOrganization
+ * NSSGeneralName_GetOrganizationalUnits
+ * NSSGeneralName_GetStateOrProvince
+ * NSSGeneralName_GetLocality
+ * NSSGeneralName_GetCountry
+ * NSSGeneralName_GetAttribute
+ */
+
+/*
+ * NSSGeneralName_CreateFromBER
+ *
+ * This routine creates an NSSGeneralName by decoding a BER- or DER-
+ * encoded general name.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the 
+ * memory will be obtained from the heap.  This routine may return 
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralName upon success
+ */
+
+NSS_EXTERN NSSGeneralName *
+NSSGeneralName_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berGeneralName
+);
+
+/*
+ * NSSGeneralName_CreateFromUTF8
+ *
+ * This routine creates an NSSGeneralName by decoding a UTF8 string
+ * consisting of the string representation of one of the choices of
+ * general names.  If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory
+ * will be obtained from the heap.  The routine may return NULL upon
+ * error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralName upon success
+ */
+
+NSS_EXTERN NSSGeneralName *
+NSSGeneralName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringGeneralName
+);
+
+/*
+ * NSSGeneralName_Create
+ *
+ * This routine creates an NSSGeneralName with the specified choice of
+ * underlying name types.  The value of the choice variable must be one
+ * of the values of the NSSGeneralNameChoice enumeration, and the type
+ * of the arg variable must be as specified in the following table:
+ *
+ *   Choice                                         Type
+ *   ============================================   =========
+ *   NSSGeneralNameChoiceOtherName
+ *   NSSGeneralNameChoiceRfc822Name
+ *   NSSGeneralNameChoiceDNSName
+ *   NSSGeneralNameChoiceX400Address
+ *   NSSGeneralNameChoiceDirectoryName              NSSName *
+ *   NSSGeneralNameChoiceEdiPartyName
+ *   NSSGeneralNameChoiceUniformResourceIdentifier
+ *   NSSGeneralNameChoiceIPAddress
+ *   NSSGeneralNameChoiceRegisteredID
+ *
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have created an error stack.
+ *
+ * The error may be one fo the following values:
+ *  NSS_ERROR_INVALID_CHOICE
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralName upon success
+ */
+
+NSS_EXTERN NSSGeneralName *
+NSSGeneralName_Create
+(
+  NSSGeneralNameChoice choice,
+  void *arg
+);
+
+/*
+ * NSSGeneralName_Destroy
+ * 
+ * This routine will destroy a General Name object.  It should 
+ * eventually be called on all General Names created without an arena.
+ * While it is not necessary to call it on General Names created within
+ * an arena, it is not an error to do so.  This routine returns a
+ * PRStatus value; if successful, it will return PR_SUCCESS. If 
+ * usuccessful, it will create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *
+ * Return value:
+ *  PR_FAILURE upon failure
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+NSSGeneralName_Destroy
+(
+  NSSGeneralName *generalName
+);
+
+/*
+ * NSSGeneralName_GetDEREncoding
+ *
+ * This routine will DER-encode a name object.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSGeneralName
+ */
+
+NSS_EXTERN NSSDER *
+NSSGeneralName_GetDEREncoding
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the General Name in the format specified by the
+ * underlying name choice.  If the optional arena argument is 
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSGeneralName_GetUTF8Encoding
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetChoice
+ *
+ * This routine returns the type of choice underlying the specified 
+ * general name.  The return value will be a member of the 
+ * NSSGeneralNameChoice enumeration.  This routine may return 
+ * NSSGeneralNameChoiceInvalid upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *
+ * Return value:
+ *  NSSGeneralNameChoiceInvalid upon error
+ *  An other member of the NSSGeneralNameChoice enumeration 
+ */
+
+NSS_EXTERN NSSGeneralNameChoice
+NSSGeneralName_GetChoice
+(
+  NSSGeneralName *generalName
+);
+
+/*
+ * NSSGeneralName_GetOtherName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * Other Name, this routine will return a pointer to that Other name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSOtherName
+ */
+
+NSS_EXTERN NSSOtherName *
+NSSGeneralName_GetOtherName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetRfc822Name
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * RFC 822 Name, this routine will return a pointer to that name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRFC822Name
+ */
+
+NSS_EXTERN NSSRFC822Name *
+NSSGeneralName_GetRfc822Name
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetDNSName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a 
+ * DNS Name, this routine will return a pointer to that DNS name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSDNSName
+ */
+
+NSS_EXTERN NSSDNSName *
+NSSGeneralName_GetDNSName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetX400Address
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * X.400 Address, this routine will return a pointer to that Address.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSX400Address
+ */
+
+NSS_EXTERN NSSX400Address *
+NSSGeneralName_GetX400Address
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetDirectoryName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a
+ * (directory) Name, this routine will return a pointer to that name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSName
+ */
+
+NSS_EXTERN NSSName *
+NSSGeneralName_GetName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetEdiPartyName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * EDI Party Name, this routine will return a pointer to that name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSEdiPartyName
+ */
+
+NSS_EXTERN NSSEdiPartyName *
+NSSGeneralName_GetEdiPartyName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetUniformResourceIdentifier
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a
+ * URI, this routine will return a pointer to that URI.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSURI
+ */
+
+NSS_EXTERN NSSURI *
+NSSGeneralName_GetUniformResourceIdentifier
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetIPAddress
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * IP Address , this routine will return a pointer to that address.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSIPAddress
+ */
+
+NSS_EXTERN NSSIPAddress *
+NSSGeneralName_GetIPAddress
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetRegisteredID
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a
+ * Registered ID, this routine will return a pointer to that ID.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRegisteredID
+ */
+
+NSS_EXTERN NSSRegisteredID *
+NSSGeneralName_GetRegisteredID
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetSpecifiedChoice
+ *
+ * If the choice underlying the specified NSSGeneralName matches the
+ * specified choice, a caller-owned pointer to that underlying object
+ * will be returned.  Otherwise, an error will be placed on the error
+ * stack and NULL will be returned.  If the optional arena argument
+ * is non-null, the memory required will be obtained from that arena;
+ * otherwise, the memory will be obtained from the heap.  The caller
+ * owns the returned pointer.  This routine may return NULL upon 
+ * error, in which caes it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer, which must be typecast
+ */
+
+NSS_EXTERN void *
+NSSGeneralName_GetSpecifiedChoice
+(
+  NSSGeneralName *generalName,
+  NSSGeneralNameChoice choice,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_Compare
+ * 
+ * This routine compares two General Names for equality.  For two 
+ * General Names to be equal, they must have the same choice of
+ * underlying types, and the underlying values must be equal.  The
+ * result of the comparison will be stored at the location pointed
+ * to by the "equalp" variable, which must point to a valid PRBool.
+ * This routine may return PR_FAILURE upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following value:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+NSSGeneralName_Compare
+(
+  NSSGeneralName *generalName1,
+  NSSGeneralName *generalName2,
+  PRBool *equalp
+);
+
+/*
+ * NSSGeneralName_Duplicate
+ *
+ * This routine duplicates the specified General Name.  If the optional
+ * arena argument is non-null, the memory required will be obtained
+ * from that arena; otherwise, the memory will be obtained from the
+ * heap.  This routine may return NULL upon error, in which case it 
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new NSSGeneralName
+ */
+
+NSS_EXTERN NSSGeneralName *
+NSSGeneralName_Duplicate
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetUID
+ *
+ * This routine will attempt to derive a user identifier from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished Names containing a UID
+ * attribute, the UID will be the value of that attribute.  Note
+ * that no UID attribute is defined in either PKIX or PKCS#9; 
+ * rather, this seems to derive from RFC 1274, which defines the
+ * type as a caseIgnoreString.  We'll return a Directory String.
+ * If the optional arena argument is non-null, the memory used
+ * will be obtained from that arena; otherwise, the memory will be
+ * obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_UID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String.
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSGeneralName_GetUID
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetEmail
+ *
+ * This routine will attempt to derive an email address from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing either
+ * a PKIX email address or a PKCS#9 email address, the result will
+ * be the value of that attribute.  If the General Name is an RFC 822
+ * Name, the result will be the string form of that name.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_EMAIL
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr IA5String */
+NSSGeneralName_GetEmail
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetCommonName
+ *
+ * This routine will attempt to derive a common name from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing a PKIX
+ * Common Name, the result will be that name.  If the optional arena 
+ * argument is non-null, the memory used will be obtained from that 
+ * arena; otherwise, the memory will be obtained from the heap.  This 
+ * routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_COMMON_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSGeneralName_GetCommonName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetOrganization
+ *
+ * This routine will attempt to derive an organisation name from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing an
+ * Organization, the result will be the value of that attribute.  
+ * If the optional arena argument is non-null, the memory used will 
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_ORGANIZATION
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSGeneralName_GetOrganization
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetOrganizationalUnits
+ *
+ * This routine will attempt to derive a sequence of organisational 
+ * unit names from the specified general name, if the choices and 
+ * content of the name permit.  If the General Name is a (directory) 
+ * Name consisting of a Sequence of Relative Distinguished names 
+ * containing one or more organisational units, the result will 
+ * consist of those units.  If the optional arena  argument is non-
+ * null, the memory used will be obtained from that arena; otherwise, 
+ * the memory will be obtained from the heap.  This routine may return 
+ * NULL upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_ORGANIZATIONAL_UNITS
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a null-terminated array of UTF8 Strings
+ */
+
+NSS_EXTERN NSSUTF8 ** /* XXX fgmr DirectoryString */
+NSSGeneralName_GetOrganizationalUnits
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetStateOrProvince
+ *
+ * This routine will attempt to derive a state or province name from 
+ * the specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing a state or 
+ * province, the result will be the value of that attribute.  If the 
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_STATE_OR_PROVINCE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSGeneralName_GetStateOrProvince
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetLocality
+ *
+ * This routine will attempt to derive a locality name from 
+ * the specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing a Locality, 
+ * the result will be the value of that attribute.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from 
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_LOCALITY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSGeneralName_GetLocality
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetCountry
+ *
+ * This routine will attempt to derive a country name from the 
+ * specified general name, if the choices and content of the name 
+ * permit.  If the General Name is a (directory) Name consisting of a
+ * Sequence of Relative Distinguished names containing a Country, the 
+ * result will be the value of that attribute.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from 
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_COUNTRY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr PrintableString */
+NSSGeneralName_GetCountry
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralName_GetAttribute
+ *
+ * If the specified general name is a (directory) name consisting
+ * of a Sequence of Relative Distinguished Names containing an 
+ * attribute with the specified type, and the actual value of that
+ * attribute may be expressed with a Directory String, then the
+ * value of that attribute will be returned as a Directory String.
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_ATTRIBUTE
+ *  NSS_ERROR_ATTRIBUTE_VALUE_NOT_STRING
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+NSSGeneralName_GetAttribute
+(
+  NSSGeneralName *generalName,
+  NSSOID *attribute,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralNameSeq
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  NSSGeneralNameSeq_CreateFromBER   -- constructor
+ *  NSSGeneralNameSeq_Create          -- constructor
+ *
+ *  NSSGeneralNameSeq_Destroy
+ *  NSSGeneralNameSeq_GetDEREncoding
+ *  NSSGeneralNameSeq_AppendGeneralName
+ *  NSSGeneralNameSeq_GetGeneralNameCount
+ *  NSSGeneralNameSeq_GetGeneralName
+ *  NSSGeneralNameSeq_Compare
+ *  NSSGeneralnameSeq_Duplicate
+ */
+
+/*
+ * NSSGeneralNameSeq_CreateFromBER
+ *
+ * This routine creates a general name sequence by decoding a BER-
+ * or DER-encoded GeneralNames.  If the optional arena argument is
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralNameSeq upon success
+ */
+
+NSS_EXTERN NSSGeneralNameSeq *
+NSSGeneralNameSeq_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berGeneralNameSeq
+);
+
+/*
+ * NSSGeneralNameSeq_Create
+ *
+ * This routine creates an NSSGeneralNameSeq from one or more General
+ * Names.  The final argument to this routine must be NULL.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralNameSeq upon success
+ */
+
+NSS_EXTERN NSSGeneralNameSeq *
+NSSGeneralNameSeq_Create
+(
+  NSSArena *arenaOpt,
+  NSSGeneralName *generalName1,
+  ...
+);
+
+/*
+ * NSSGeneralNameSeq_Destroy
+ *
+ * This routine will destroy an NSSGeneralNameSeq object.  It should
+ * eventually be called on all NSSGeneralNameSeqs created without an
+ * arena.  While it is not necessary to call it on NSSGeneralNameSeq's
+ * created within an arena, it is not an error to do so.  This routine
+ * returns a PRStatus value; if successful, it will return PR_SUCCESS.
+ * If unsuccessful, it will create an error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+NSSGeneralNameSeq_Destroy
+(
+  NSSGeneralNameSeq *generalNameSeq
+);
+
+/*
+ * NSSGeneralNameSeq_GetDEREncoding
+ *
+ * This routine will DER-encode an NSSGeneralNameSeq object.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return null upon error, in which
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSGeneralNameSeq
+ */
+
+NSS_EXTERN NSSDER *
+NSSGeneralNameSeq_GetDEREncoding
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralNameSeq_AppendGeneralName
+ *
+ * This routine appends a General Name to the end of the existing
+ * General Name Sequence.  If the sequence was created with a non-null
+ * arena argument, that same arena will be used for any additional
+ * required memory.  If the sequence was created with a NULL arena
+ * argument, any additional memory will be obtained from the heap.
+ * This routine returns a PRStatus value; it will return PR_SUCCESS
+ * upon success, and upon failure it will create an error stack and 
+ * return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure.
+ */
+
+NSS_EXTERN PRStatus
+NSSGeneralNameSeq_AppendGeneralName
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSGeneralName *generalName
+);
+
+/*
+ * NSSGeneralNameSeq_GetGeneralNameCount
+ *
+ * This routine returns the cardinality of the specified General name
+ * Sequence.  This routine may return 0 upon error, in which case it
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *
+ * Return value;
+ *  0 upon error
+ *  A positive number upon success
+ */
+
+NSS_EXTERN PRUint32
+NSSGeneralNameSeq_GetGeneralNameCount
+(
+  NSSGeneralNameSeq *generalNameSeq
+);
+
+/*
+ * NSSGeneralNameSeq_GetGeneralName
+ *
+ * This routine returns a pointer to the i'th General Name in the 
+ * specified General Name Sequence.  The value of the variable 'i' is
+ * on the range [0,c) where c is the cardinality returned from 
+ * NSSGeneralNameSeq_GetGeneralNameCount.  The caller owns the General
+ * Name the pointer to which is returned.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have 
+ * created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to a General Name.
+ */
+
+NSS_EXTERN NSSGeneralName *
+NSSGeneralNameSeq_GetGeneralName
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSArena *arenaOpt,
+  PRUint32 i
+);
+
+/*
+ * NSSGeneralNameSeq_Compare
+ *
+ * This routine compares two General Name Sequences for equality.  For
+ * two General Name Sequences to be equal, they must have the same
+ * cardinality, and each General Name in one sequence must be equal to
+ * the corresponding General Name in the other.  The result of the
+ * comparison will be stored at the location pointed to by the "equalp"
+ * variable, which must point to a valid PRBool.  This routine may 
+ * return PR_FAILURE upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+NSSGeneralNameSeq_Compare
+(
+  NSSGeneralNameSeq *generalNameSeq1,
+  NSSGeneralNameSeq *generalNameSeq2,
+  PRBool *equalp
+);
+
+/*
+ * NSSGeneralNameSeq_Duplicate
+ *
+ * This routine duplicates the specified sequence of general names.  If
+ * the optional arena argument is non-null, the memory required will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new General Name Sequence.
+ */
+
+NSS_EXTERN NSSGeneralNameSeq *
+NSSGeneralNameSeq_Duplicate
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSArena *arenaOpt
+);
+
+PR_END_EXTERN_C
+
+#endif /* NSSPT1M_H */
diff --git a/security/nss/lib/pki1/nsspki1t.h b/security/nss/lib/pki1/nsspki1t.h
new file mode 100644
index 000000000..8765a3ad3
--- /dev/null
+++ b/security/nss/lib/pki1/nsspki1t.h
@@ -0,0 +1,202 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef NSSPKI1T_H
+#define NSSPKI1T_H
+
+#ifdef DEBUG
+static const char NSSPKI1T_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * nsspki1t.h
+ *
+ * This file contains the public type definitions for the PKIX part-1
+ * objects.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * OBJECT IDENTIFIER
+ *
+ * This is the basic OID that crops up everywhere.
+ */
+
+struct NSSOIDStr;
+typedef struct NSSOIDStr NSSOID;
+
+/*
+ * AttributeTypeAndValue
+ *
+ * This structure contains an attribute type (indicated by an OID), 
+ * and the type-specific value.  RelativeDistinguishedNamess consist
+ * of a set of these.  These are distinct from Attributes (which have
+ * SET of values), from AttributeDescriptions (which have qualifiers
+ * on the types), and from AttributeValueAssertions (which assert a
+ * a value comparison under some matching rule).
+ */
+
+struct NSSATAVStr;
+typedef struct NSSATAVStr NSSATAV;
+
+/*
+ * RelativeDistinguishedName
+ *
+ * This structure contains an unordered set of AttributeTypeAndValue 
+ * objects.  RDNs are used to distinguish a set of objects underneath 
+ * a common object.
+ *
+ * Often, a single ATAV is sufficient to make a unique distinction.
+ * For example, if a company assigns its people unique uid values,
+ * then in the Name "uid=smith,ou=People,o=Acme,c=US" the "uid=smith"
+ * ATAV by itself forms an RDN.  However, sometimes a set of ATAVs is
+ * needed.  For example, if a company needed to distinguish between
+ * two Smiths by specifying their corporate divisions, then in the
+ * Name "(cn=Smith,ou=Sales),ou=People,o=Acme,c=US" the parenthesised
+ * set of ATAVs forms the RDN.
+ */
+
+struct NSSRDNStr;
+typedef struct NSSRDNStr NSSRDN;
+
+/*
+ * RDNSequence
+ *
+ * This structure contains a sequence of RelativeDistinguishedName
+ * objects.
+ */
+
+struct NSSRDNSeqStr;
+typedef struct NSSRDNSeqStr NSSRDNSeq;
+
+/*
+ * Name
+ *
+ * This structure contains a union of the possible name formats,
+ * which at the moment is limited to an RDNSequence.
+ */
+
+struct NSSNameStr;
+typedef struct NSSNameStr NSSName;
+
+/*
+ * NameChoice
+ *
+ * This enumeration is used to specify choice within a name.
+ */
+
+enum NSSNameChoiceEnum {
+  NSSNameChoiceInvalid = -1,
+  NSSNameChoiceRdnSequence
+};
+typedef enum NSSNameChoiceEnum NSSNameChoice;
+
+/*
+ * GeneralName
+ *
+ * This structure contains a union of the possible general names,
+ * of which there are several.
+ */
+
+struct NSSGeneralNameStr;
+typedef struct NSSGeneralNameStr NSSGeneralName;
+
+/*
+ * GeneralNameChoice
+ *
+ * This enumerates the possible general name types.
+ */
+
+enum NSSGeneralNameChoiceEnum {
+  NSSGeneralNameChoiceInvalid = -1,
+  NSSGeneralNameChoiceOtherName = 0,
+  NSSGeneralNameChoiceRfc822Name = 1,
+  NSSGeneralNameChoiceDNSName = 2,
+  NSSGeneralNameChoiceX400Address = 3,
+  NSSGeneralNameChoiceDirectoryName = 4,
+  NSSGeneralNameChoiceEdiPartyName = 5,
+  NSSGeneralNameChoiceUniformResourceIdentifier = 6,
+  NSSGeneralNameChoiceIPAddress = 7,
+  NSSGeneralNameChoiceRegisteredID = 8
+};
+typedef enum NSSGeneralNameChoiceEnum NSSGeneralNameChoice;
+
+/*
+ * The "other" types of general names.
+ */
+
+struct NSSOtherNameStr;
+typedef struct NSSOtherNameStr NSSOtherName;
+
+struct NSSRFC822NameStr;
+typedef struct NSSRFC822NameStr NSSRFC822Name;
+
+struct NSSDNSNameStr;
+typedef struct NSSDNSNameStr NSSDNSName;
+
+struct NSSX400AddressStr;
+typedef struct NSSX400AddressStr NSSX400Address;
+
+struct NSSEdiPartyNameStr;
+typedef struct NSSEdiPartyNameStr NSSEdiPartyName;
+
+struct NSSURIStr;
+typedef struct NSSURIStr NSSURI;
+
+struct NSSIPAddressStr;
+typedef struct NSSIPAddressStr NSSIPAddress;
+
+struct NSSRegisteredIDStr;
+typedef struct NSSRegisteredIDStr NSSRegisteredID;
+
+/*
+ * GeneralNameSeq
+ *
+ * This structure contains a sequence of GeneralName objects.
+ * Note that the PKIX documents refer to this as "GeneralNames,"
+ * which differs from "GeneralName" by only one letter.  To
+ * try to reduce confusion, we expand the name slightly to
+ * "GeneralNameSeq."
+ */
+
+struct NSSGeneralNameSeqStr;
+typedef struct NSSGeneralNameSeqStr NSSGeneralNameSeq;
+
+PR_END_EXTERN_C
+
+#endif /* NSSPKI1T_H */
diff --git a/security/nss/lib/pki1/oid.c b/security/nss/lib/pki1/oid.c
new file mode 100644
index 000000000..9bddf33ee
--- /dev/null
+++ b/security/nss/lib/pki1/oid.c
@@ -0,0 +1,1615 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * oid.c
+ *
+ * This file contains the implementation of the basic OID routines.
+ */
+
+#ifndef BASE_H
+#include "base.h"
+#endif /* BASE_H */
+
+#ifndef PKI1_H
+#include "pki1.h"
+#endif /* PKI1_H */
+
+#include "plhash.h"
+#include "plstr.h"
+
+/*
+ * NSSOID
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  NSSOID_CreateFromBER   -- constructor
+ *  NSSOID_CreateFromUTF8  -- constructor
+ *  (there is no explicit destructor)
+ * 
+ *  NSSOID_GetDEREncoding
+ *  NSSOID_GetUTF8Encoding
+
+ * The non-public "methods" regarding this "object" are:
+ *
+ *  nssOID_CreateFromBER   -- constructor
+ *  nssOID_CreateFromUTF8  -- constructor
+ *  (there is no explicit destructor)
+ * 
+ *  nssOID_GetDEREncoding
+ *  nssOID_GetUTF8Encoding
+ *
+ * In debug builds, the following non-public calls are also available:
+ *
+ *  nssOID_verifyPointer
+ *  nssOID_getExplanation
+ *  nssOID_getTaggedUTF8
+ */
+
+const NSSOID *NSS_OID_UNKNOWN = (NSSOID *)NULL;
+
+/*
+ * First, the public "wrappers"
+ */
+
+/*
+ * NSSOID_CreateFromBER
+ *
+ * This routine creates an NSSOID by decoding a BER- or DER-encoded
+ * OID.  It may return NULL upon error, in which case it 
+ * will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+NSSOID_CreateFromBER
+(
+  NSSBER *berOid
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  /* 
+   * NSSBERs can be created by the user, 
+   * so no pointer-tracking can be checked.
+   */
+
+  if( (NSSBER *)NULL == berOid ) {
+    nss_SetError(NSS_ERROR_INVALID_BER);
+    return (NSSOID *)NULL;
+  }
+
+  if( (void *)NULL == berOid->data ) {
+    nss_SetError(NSS_ERROR_INVALID_BER);
+    return (NSSOID *)NULL;
+  }
+#endif /* DEBUG */
+  
+  return nssOID_CreateFromBER(berOid);
+}
+
+/*
+ * NSSOID_CreateFromUTF8
+ *
+ * This routine creates an NSSOID by decoding a UTF8 string 
+ * representation of an OID in dotted-number format.  The string may 
+ * optionally begin with an octothorpe.  It may return NULL
+ * upon error, in which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+NSSOID_CreateFromUTF8
+(
+  NSSUTF8 *stringOid
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  /*
+   * NSSUTF8s can be created by the user,
+   * so no pointer-tracking can be checked.
+   */
+
+  if( (NSSUTF8 *)NULL == stringOid ) {
+    nss_SetError(NSS_ERROR_INVALID_UTF8);
+    return (NSSOID *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssOID_CreateFromUTF8(stringOid);
+}
+
+/*
+ * NSSOID_GetDEREncoding
+ *
+ * This routine returns the DER encoding of the specified NSSOID.
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return return null upon error, in 
+ * which case it will have created an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSOID
+ */
+
+NSS_EXTERN NSSDER *
+NSSOID_GetDEREncoding
+(
+  const NSSOID *oid,
+  NSSDER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSDER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSDER *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssOID_GetDEREncoding(oid, rvOpt, arenaOpt);
+}
+
+/*
+ * NSSOID_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing the dotted-number 
+ * encoding of the specified NSSOID.  If the optional arena argument 
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return null upon error, in which case it will have created an
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the dotted-digit encoding of 
+ *      this NSSOID
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSOID_GetUTF8Encoding
+(
+  const NSSOID *oid,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssOID_GetUTF8Encoding(oid, arenaOpt);
+}
+
+/*
+ * Next, some internal bookkeeping; including the OID "tag" table 
+ * and the debug-version pointer tracker.
+ */
+
+/*
+ * For implementation reasons (so NSSOIDs can be compared with ==),
+ * we hash all NSSOIDs.  This is the hash table.
+ */
+
+static PLHashTable *oid_hash_table;
+
+/*
+ * And this is its lock.
+ */
+
+static PZLock *oid_hash_lock;
+
+/*
+ * This is the hash function.  We simply XOR the encoded form with
+ * itself in sizeof(PLHashNumber)-byte chunks.  Improving this
+ * routine is left as an excercise for the more mathematically
+ * inclined student.
+ */
+
+static PLHashNumber PR_CALLBACK
+oid_hash
+(
+  const void *key
+)
+{
+  const NSSItem *item = (const NSSItem *)key;
+  PLHashNumber rv = 0;
+
+  PRUint8 *data = (PRUint8 *)item->data;
+  PRUint32 i;
+  PRUint8 *rvc = (PRUint8 *)&rv;
+
+  for( i = 0; i < item->size; i++ ) {
+    rvc[ i % sizeof(rv) ] ^= *data;
+    data++;
+  }
+
+  return rv;
+}
+
+/*
+ * This is the key-compare function.  It simply does a lexical
+ * comparison on the encoded OID form.  This does not result in
+ * quite the same ordering as the "sequence of numbers" order,
+ * but heck it's only used internally by the hash table anyway.
+ */
+
+static PRIntn PR_CALLBACK
+oid_hash_compare
+(
+  const void *k1,
+  const void *k2
+)
+{
+  PRIntn rv;
+
+  const NSSItem *i1 = (const NSSItem *)k1;
+  const NSSItem *i2 = (const NSSItem *)k2;
+
+  PRUint32 size = (i1->size < i2->size) ? i1->size : i2->size;
+
+  rv = (PRIntn)nsslibc_memequal(i1->data, i2->data, size, (PRStatus *)NULL);
+  if( 0 == rv ) {
+    rv = i1->size - i2->size;
+  }
+
+  return !rv;
+}
+
+/*
+ * The pointer-tracking code
+ */
+
+#ifdef DEBUG
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+static nssPointerTracker oid_pointer_tracker;
+
+static PRStatus
+oid_add_pointer
+(
+  const NSSOID *oid
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&oid_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return rv;
+  }
+
+  rv = nssPointerTracker_add(&oid_pointer_tracker, oid);
+  if( PR_SUCCESS != rv ) {
+    NSSError e = NSS_GetError();
+    if( NSS_ERROR_NO_MEMORY != e ) {
+      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    }
+
+    return rv;
+  }
+
+  return PR_SUCCESS;
+}
+
+#if defined(CAN_DELETE_OIDS)
+/*
+ * We actually don't define NSSOID deletion, since we keep OIDs
+ * in a hash table for easy comparison.  Were we to, this is
+ * what the pointer-removal function would look like.
+ */
+
+static PRStatus
+oid_remove_pointer
+(
+  const NSSOID *oid
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_remove(&oid_pointer_tracker, oid);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  }
+
+  return rv;
+}
+#endif /* CAN_DELETE_OIDS */
+
+#endif /* DEBUG */
+
+/*
+ * All dynamically-added OIDs get their memory from one statically-
+ * declared arena here, merely so that any cleanup code will have
+ * an easier time of it.
+ */
+
+static NSSArena *oid_arena;
+
+/*
+ * This is the call-once function which initializes the hashtable.
+ * It creates it, then prepopulates it with all of the builtin OIDs.
+ * It also creates the aforementioned NSSArena.
+ */
+
+static PRStatus PR_CALLBACK
+oid_once_func
+(
+  void
+)
+{
+  PRUint32 i;
+  
+  /* Initialize the arena */
+  oid_arena = nssArena_Create();
+  if( (NSSArena *)NULL == oid_arena ) {
+    goto loser;
+  }
+
+  /* Create the hash table lock */
+  oid_hash_lock = PZ_NewLock(nssILockOID);
+  if( (PZLock *)NULL == oid_hash_lock ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    goto loser;
+  }
+
+  /* Create the hash table */
+  oid_hash_table = PL_NewHashTable(0, oid_hash, oid_hash_compare,
+                                   PL_CompareValues, 
+                                   (PLHashAllocOps *)0,
+                                   (void *)0);
+  if( (PLHashTable *)NULL == oid_hash_table ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    goto loser;
+  }
+
+  /* And populate it with all the builtins */
+  for( i = 0; i < nss_builtin_oid_count; i++ ) {
+    NSSOID *oid = (NSSOID *)&nss_builtin_oids[i];
+    PLHashEntry *e = PL_HashTableAdd(oid_hash_table, &oid->data, oid);
+    if( (PLHashEntry *)NULL == e ) {
+      nss_SetError(NSS_ERROR_NO_MEMORY);
+      goto loser;
+    }
+
+#ifdef DEBUG
+    if( PR_SUCCESS != oid_add_pointer(oid) ) {
+      goto loser;
+    }
+#endif /* DEBUG */
+  }
+
+  return PR_SUCCESS;
+
+ loser:
+  if( (PLHashTable *)NULL != oid_hash_table ) {
+    PL_HashTableDestroy(oid_hash_table);
+    oid_hash_table = (PLHashTable *)NULL;
+  }
+
+  if( (PZLock *)NULL != oid_hash_lock ) {
+    PZ_DestroyLock(oid_hash_lock);
+    oid_hash_lock = (PZLock *)NULL;
+  }
+
+  if( (NSSArena *)NULL != oid_arena ) {
+    (void)nssArena_Destroy(oid_arena);
+    oid_arena = (NSSArena *)NULL;
+  }
+
+  return PR_FAILURE;
+}
+
+/*
+ * This is NSPR's once-block.
+ */
+
+static PRCallOnceType oid_call_once;
+
+/*
+ * And this is our multiply-callable internal init routine, which
+ * will call-once our call-once function.
+ */
+
+static PRStatus
+oid_init
+(
+  void
+)
+{
+  return PR_CallOnce(&oid_call_once, oid_once_func);
+}
+
+#ifdef DEBUG
+
+/*
+ * nssOID_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSOID object, 
+ * this routine will return PR_SUCCESS.  Otherwise, it will put an 
+ * error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssOID_verifyPointer
+(
+  const NSSOID *oid
+)
+{
+  PRStatus rv;
+
+  rv = oid_init();
+  if( PR_SUCCESS != rv ) {
+    return PR_FAILURE;
+  }
+
+  rv = nssPointerTracker_initialize(&oid_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return PR_FAILURE;
+  }
+
+  rv = nssPointerTracker_verify(&oid_pointer_tracker, oid);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_NSSOID);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+#endif /* DEBUG */
+
+/*
+ * oid_sanity_check_ber
+ *
+ * This routine merely applies some sanity-checking to the BER-encoded
+ * OID.
+ */
+
+static PRStatus
+oid_sanity_check_ber
+(
+  NSSBER *berOid
+)
+{
+  PRUint32 i;
+  PRUint8 *data = (PRUint8 *)berOid->data;
+
+  /*
+   * The size must be longer than zero bytes.
+   */
+
+  if( berOid->size <= 0 ) {
+    return PR_FAILURE;
+  }
+
+  /*
+   * In general, we can't preclude any number from showing up
+   * someday.  We could probably guess that top-level numbers
+   * won't get very big (beyond the current ccitt(0), iso(1),
+   * or joint-ccitt-iso(2)).  However, keep in mind that the
+   * encoding rules wrap the first two numbers together, as
+   *
+   *     (first * 40) + second
+   *
+   * Also, it is noted in the specs that this implies that the
+   * second number won't go above forty.
+   *
+   * 128 encodes 3.8, which seems pretty safe for now.  Let's
+   * check that the first byte is less than that.
+   *
+   * XXX This is a "soft check" -- we may want to exclude it.
+   */
+
+  if( data[0] >= 0x80 ) {
+    return PR_FAILURE;
+  }
+
+  /*
+   * In a normalised format, leading 0x80s will never show up.
+   * This means that no 0x80 will be preceeded by the final
+   * byte of a sequence, which would naturaly be less than 0x80.
+   * Our internal encoding for the single-digit OIDs uses 0x80,
+   * but the only places we use them (loading the builtin table,
+   * and adding a UTF8-encoded OID) bypass this check.
+   */
+
+  for( i = 1; i < berOid->size; i++ ) {
+    if( (0x80 == data[i]) && (data[i-1] < 0x80) ) {
+      return PR_FAILURE;
+    }
+  }
+
+  /*
+   * The high bit of each octet indicates that following octets
+   * are included in the current number.  Thus the last byte can't
+   * have the high bit set.
+   */
+
+  if( data[ berOid->size-1 ] >= 0x80 ) {
+    return PR_FAILURE;
+  }
+
+  /*
+   * Other than that, any byte sequence is legit.
+   */
+  return PR_SUCCESS;
+}
+
+/*
+ * nssOID_CreateFromBER
+ *
+ * This routine creates an NSSOID by decoding a BER- or DER-encoded
+ * OID.  It may return NULL upon error, in which case it 
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+nssOID_CreateFromBER
+(
+  NSSBER *berOid
+)
+{
+  NSSOID *rv;
+  PLHashEntry *e;
+  
+  if( PR_SUCCESS != oid_init() ) {
+    return (NSSOID *)NULL;
+  }
+
+  if( PR_SUCCESS != oid_sanity_check_ber(berOid) ) {
+    nss_SetError(NSS_ERROR_INVALID_BER);
+    return (NSSOID *)NULL;
+  }
+
+  /*
+   * Does it exist?
+   */
+  PZ_Lock(oid_hash_lock);
+  rv = (NSSOID *)PL_HashTableLookup(oid_hash_table, berOid);
+  (void)PZ_Unlock(oid_hash_lock);
+  if( (NSSOID *)NULL != rv ) {
+    /* Found it! */
+    return rv;
+  }
+
+  /*
+   * Doesn't exist-- create it.
+   */
+  rv = nss_ZNEW(oid_arena, NSSOID);
+  if( (NSSOID *)NULL == rv ) {
+    return (NSSOID *)NULL;
+  }
+
+  rv->data.data = nss_ZAlloc(oid_arena, berOid->size);
+  if( (void *)NULL == rv->data.data ) {
+    return (NSSOID *)NULL;
+  }
+
+  rv->data.size = berOid->size;
+  nsslibc_memcpy(rv->data.data, berOid->data, berOid->size);
+
+#ifdef DEBUG
+  rv->tag = "<runtime>";
+  rv->expl = "(OID registered at runtime)";
+#endif /* DEBUG */
+
+  PZ_Lock(oid_hash_lock);
+  e = PL_HashTableAdd(oid_hash_table, &rv->data, rv);
+  (void)PZ_Unlock(oid_hash_lock);
+  if( (PLHashEntry *)NULL == e ) {
+    nss_ZFreeIf(rv->data.data);
+    nss_ZFreeIf(rv);
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (NSSOID *)NULL;
+  }
+
+#ifdef DEBUG
+  {
+    PRStatus st;
+    st = oid_add_pointer(rv);
+    if( PR_SUCCESS != st ) {
+      PZ_Lock(oid_hash_lock);
+      (void)PL_HashTableRemove(oid_hash_table, &rv->data);
+      (void)PZ_Unlock(oid_hash_lock);
+      (void)nss_ZFreeIf(rv->data.data);
+      (void)nss_ZFreeIf(rv);
+      return (NSSOID *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return rv;
+}
+
+/*
+ * oid_sanity_check_utf8
+ *
+ * This routine merely applies some sanity-checking to the 
+ * UTF8-encoded OID.
+ */
+
+static PRStatus
+oid_sanity_check_utf8
+(
+  NSSUTF8 *s
+)
+{
+  /*
+   * It may begin with an octothorpe, which we skip.
+   */
+
+  if( '#' == *s ) {
+    s++;
+  }
+
+  /*
+   * It begins with a number
+   */
+
+  if( (*s < '0') || (*s > '9') ) {
+    return PR_FAILURE;
+  }
+
+  /*
+   * First number is only one digit long
+   *
+   * XXX This is a "soft check" -- we may want to exclude it
+   */
+
+  if( (s[1] != '.') && (s[1] != '\0') ) {
+    return PR_FAILURE;
+  }
+
+  /*
+   * Every character is either a digit or a period
+   */
+
+  for( ; '\0' != *s; s++ ) {
+    if( ('.' != *s) && ((*s < '0') || (*s > '9')) ) {
+      return PR_FAILURE;
+    }
+
+    /* No two consecutive periods */
+    if( ('.' == *s) && ('.' == s[1]) ) {
+      return PR_FAILURE;
+    }
+  }
+
+  /*
+   * The last character isn't a period
+   */
+
+  if( '.' == *--s ) {
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+static PRUint32
+oid_encode_number
+(
+  PRUint32 n,
+  PRUint8 *dp,
+  PRUint32 nb
+)
+{
+  PRUint32 a[5];
+  PRUint32 i;
+  PRUint32 rv;
+
+  a[0] = (n >> 28) & 0x7f;
+  a[1] = (n >> 21) & 0x7f;
+  a[2] = (n >> 14) & 0x7f;
+  a[3] = (n >>  7) & 0x7f;
+  a[4] =  n        & 0x7f;
+
+  for( i = 0; i < 5; i++ ) {
+    if( 0 != a[i] ) {
+      break;
+    }
+  }
+
+  if( 5 == i ) {
+    i--;
+  }
+
+  rv = 5-i;
+  if( rv > nb ) {
+    return rv;
+  }
+
+  for( ; i < 4; i++ ) {
+    *dp = 0x80 | a[i];
+    dp++;
+  }
+
+  *dp = a[4];
+
+  return rv;
+}
+
+/*
+ * oid_encode_huge
+ *
+ * This routine will convert a huge decimal number into the DER 
+ * encoding for oid numbers.  It is not limited to numbers that will
+ * fit into some wordsize, like oid_encode_number.  But it's not
+ * necessarily very fast, either.  This is here in case some joker
+ * throws us an ASCII oid like 1.2.3.99999999999999999999999999.
+ */
+
+static PRUint32
+oid_encode_huge
+(
+  NSSUTF8 *s,
+  NSSUTF8 *e,
+  PRUint8 *dp,
+  PRUint32 nb
+)
+{
+  PRUint32 slen = (e-s);
+  PRUint32 blen = (slen+1)/2;
+  PRUint8 *st = (PRUint8 *)NULL;
+  PRUint8 *bd = (PRUint8 *)NULL;
+  PRUint32 i;
+  PRUint32 bitno;
+  PRUint8 *last;
+  PRUint8 *first;
+  PRUint32 byteno;
+  PRUint8 mask;
+
+  /* We'll be munging the data, so duplicate it */
+  st = (PRUint8 *)nss_ZAlloc((NSSArena *)NULL, slen);
+  if( (PRUint8 *)NULL == st ) {
+    return 0;
+  }
+
+  /* Don't know ahead of time exactly how long we'll need */
+  bd = (PRUint8 *)nss_ZAlloc((NSSArena *)NULL, blen);
+  if( (PRUint8 *)NULL == bd ) {
+    (void)nss_ZFreeIf(st);
+    return 0;
+  }
+
+  /* Copy the original, and convert ASCII to numbers */
+  for( i = 0; i < slen; i++ ) {
+    st[i] = (PRUint8)(s[i] - '0');
+  }
+
+  last = &st[slen-1];
+  first = &st[0];
+
+  /*
+   * The way we create the binary version is by looking at it 
+   * bit by bit.  Start with the least significant bit.  If the
+   * number is odd, set that bit.  Halve the number (with integer
+   * division), and go to the next least significant bit.  Keep 
+   * going until the number goes to zero.
+   */
+  for( bitno = 0; ; bitno++ ) {
+    PRUint8 *d;
+
+    byteno = bitno/7;
+    mask = (PRUint8)(1 << (bitno%7));
+
+    /* Skip leading zeroes */
+    for( ; first < last; first ++ ) {
+      if( 0 != *first ) {
+        break;
+      }
+    }
+
+    /* Down to one number and it's a zero?  Done. */
+    if( (first == last) && (0 == *last) ) {
+      break;
+    }
+
+    /* Last digit is odd?  Set the bit */
+    if( *last & 1 ) {
+      bd[ byteno ] |= mask;
+    }
+
+
+    /* 
+     * Divide the number in half.  This is just a matter
+     * of going from the least significant digit upwards,
+     * halving each one.  If any digit is odd (other than
+     * the last, which has already been handled), add five
+     * to the digit to its right.
+     */
+    *last /= 2;
+
+    for( d = &last[-1]; d >= first; d-- ) {
+      if( *d & 1 ) {
+        d[1] += 5;
+      }
+
+      *d /= 2;
+    }
+  }
+
+  /* Is there room to write the encoded data? */
+  if( (byteno+1) > nb ) {
+    return (byteno+1);
+  }
+
+  /* Trim any leading zero that crept in there */
+  for( ; byteno > 0; byteno-- ) {
+    if( 0 != bd[ byteno ] ) {
+      break;
+    }
+  }
+
+  /* Copy all but the last, marking the "continue" bit */
+  for( i = 0; i < byteno; i++ ) {
+    dp[i] = bd[ byteno-i ] | 0x80;
+  }
+  /* And the last with the "continue" bit clear */
+  dp[byteno] = bd[0];
+
+  (void)nss_ZFreeIf(bd);
+  (void)nss_ZFreeIf(st);
+  return (byteno+1);
+}
+
+/*
+ * oid_encode_string
+ *
+ * This routine converts a dotted-number OID into a DER-encoded
+ * one.  It assumes we've already sanity-checked the string.
+ */
+
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+static NSSOID *
+oid_encode_string
+(
+  NSSUTF8 *s
+)
+{
+  PRUint32 nn = 0; /* number of numbers */
+  PRUint32 nb = 0; /* number of bytes (estimated) */
+  NSSUTF8 *t;
+  PRUint32 nd = 0; /* number of digits */
+  NSSOID *rv;
+  PRUint8 *dp;
+  PRUint32 a, b;
+  PRUint32 inc;
+
+  /* Dump any octothorpe */
+  if( '#' == *s ) {
+    s++;
+  }
+
+  /* Count up the bytes needed */
+  for( t = s; '\0' != *t; t++ ) {
+    if( '.' == *t ) {
+      nb += (nd+1)/2; /* errs on the big side */
+      nd = 0;
+      nn++;
+    } else {
+      nd++;
+    }
+  }
+  nb += (nd+1)/2;
+  nn++;
+
+  if( 1 == nn ) {
+    /*
+     * We have our own "denormalised" encoding for these,
+     * which is only used internally.
+     */
+    nb++;
+  }
+
+  /* 
+   * Allocate.  Note that we don't use the oid_arena here.. this is
+   * because there really isn't a "free()" for stuff allocated out of
+   * arenas (at least with the current implementation), so this would
+   * keep using up memory each time a UTF8-encoded OID were added.
+   * If need be (if this is the first time this oid has been seen),
+   * we'll copy it.
+   */
+  rv = nss_ZNEW((NSSArena *)NULL, NSSOID);
+  if( (NSSOID *)NULL == rv ) {
+    return (NSSOID *)NULL;
+  }
+
+  rv->data.data = nss_ZAlloc((NSSArena *)NULL, nb);
+  if( (void *)NULL == rv->data.data ) {
+    (void)nss_ZFreeIf(rv);
+    return (NSSOID *)NULL;
+  }
+
+  dp = (PRUint8 *)rv->data.data;
+
+  a = atoi(s);
+
+  if( 1 == nn ) {
+    dp[0] = '\x80';
+    inc = oid_encode_number(a, &dp[1], nb-1);
+    if( inc >= nb ) {
+      goto loser;
+    }
+  } else {
+    for( t = s; '.' != *t; t++ ) {
+      ;
+    }
+
+    t++;
+    b = atoi(t);
+    inc = oid_encode_number(a*40+b, dp, nb);
+    if( inc > nb ) {
+      goto loser;
+    }
+    dp += inc;
+    nb -= inc;
+    nn -= 2;
+
+    while( nn-- > 0 ) {
+      NSSUTF8 *u;
+
+      for( ; '.' != *t; t++ ) {
+        ;
+      }
+
+      t++;
+
+      for( u = t; ('\0' != *u) && ('.' != *u); u++ ) {
+        ;
+      }
+
+      if( (u-t > 9) ) {
+        /* In the billions.  Rats. */
+        inc = oid_encode_huge(t, u, dp, nb);
+      } else {
+        b = atoi(t);
+        inc = oid_encode_number(b, dp, nb);
+      }
+
+      if( inc > nb ) {
+        goto loser;
+      }
+      dp += inc;
+      nb -= inc;
+    }
+  }
+
+  return rv;
+
+ loser:
+  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  return (NSSOID *)NULL;
+}
+
+/*
+ * nssOID_CreateFromUTF8
+ *
+ * This routine creates an NSSOID by decoding a UTF8 string 
+ * representation of an OID in dotted-number format.  The string may 
+ * optionally begin with an octothorpe.  It may return NULL
+ * upon error, in which case it will have set an error on the error 
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+nssOID_CreateFromUTF8
+(
+  NSSUTF8 *stringOid
+)
+{
+  NSSOID *rv = (NSSOID *)NULL;
+  NSSOID *candidate = (NSSOID *)NULL;
+  PLHashEntry *e;
+
+  if( PR_SUCCESS != oid_init() ) {
+    return (NSSOID *)NULL;
+  }
+
+  if( PR_SUCCESS != oid_sanity_check_utf8(stringOid) ) {
+    nss_SetError(NSS_ERROR_INVALID_STRING);
+    return (NSSOID *)NULL;
+  }
+
+  candidate = oid_encode_string(stringOid);
+  if( (NSSOID *)NULL == candidate ) {
+    /* Internal error only */
+    return rv;
+  }
+
+  /*
+   * Does it exist?
+   */
+  PZ_Lock(oid_hash_lock);
+  rv = (NSSOID *)PL_HashTableLookup(oid_hash_table, &candidate->data);
+  (void)PZ_Unlock(oid_hash_lock);
+  if( (NSSOID *)NULL != rv ) {
+    /* Already exists.  Delete my copy and return the original. */
+    (void)nss_ZFreeIf(candidate->data.data);
+    (void)nss_ZFreeIf(candidate);
+    return rv;
+  }
+
+  /* 
+   * Nope.  Add it.  Remember to allocate it out of the oid arena.
+   */
+
+  rv = nss_ZNEW(oid_arena, NSSOID);
+  if( (NSSOID *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->data.data = nss_ZAlloc(oid_arena, candidate->data.size);
+  if( (void *)NULL == rv->data.data ) {
+    goto loser;
+  }
+
+  rv->data.size = candidate->data.size;
+  nsslibc_memcpy(rv->data.data, candidate->data.data, rv->data.size);
+
+  (void)nss_ZFreeIf(candidate->data.data);
+  (void)nss_ZFreeIf(candidate);
+
+#ifdef DEBUG
+  rv->tag = "<runtime>";
+  rv->expl = "(OID registered at runtime)";
+#endif /* DEBUG */
+
+  PZ_Lock(oid_hash_lock);
+  e = PL_HashTableAdd(oid_hash_table, &rv->data, rv);
+  (void)PZ_Unlock(oid_hash_lock);
+  if( (PLHashEntry *)NULL == e ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    goto loser;
+  }
+
+#ifdef DEBUG
+  {
+    PRStatus st;
+    st = oid_add_pointer(rv);
+    if( PR_SUCCESS != st ) {
+      PZ_Lock(oid_hash_lock);
+      (void)PL_HashTableRemove(oid_hash_table, &rv->data);
+      (void)PZ_Unlock(oid_hash_lock);
+      goto loser;
+    }
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (NSSOID *)NULL != candidate ) {
+    (void)nss_ZFreeIf(candidate->data.data);
+  }
+  (void)nss_ZFreeIf(candidate);
+
+  if( (NSSOID *)NULL != rv ) {
+    (void)nss_ZFreeIf(rv->data.data);
+  }
+  (void)nss_ZFreeIf(rv);
+
+  return (NSSOID *)NULL;
+}
+
+/*
+ * nssOID_GetDEREncoding
+ *
+ * This routine returns the DER encoding of the specified NSSOID.
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return return null upon error, in 
+ * which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSOID
+ */
+
+NSS_EXTERN NSSDER *
+nssOID_GetDEREncoding
+(
+  const NSSOID *oid,
+  NSSDER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+  const NSSItem *it;
+  NSSDER *rv;
+
+  if( PR_SUCCESS != oid_init() ) {
+    return (NSSDER *)NULL;
+  }
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSDER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSDER *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  it = &oid->data;
+
+  if( (NSSDER *)NULL == rvOpt ) {
+    rv = nss_ZNEW(arenaOpt, NSSDER);
+    if( (NSSDER *)NULL == rv ) {
+      return (NSSDER *)NULL;
+    }
+  } else {
+    rv = rvOpt;
+  }
+
+  rv->data = nss_ZAlloc(arenaOpt, it->size);
+  if( (void *)NULL == rv->data ) {
+    if( rv != rvOpt ) {
+      (void)nss_ZFreeIf(rv);
+    }
+    return (NSSDER *)NULL;
+  }
+
+  rv->size = it->size;
+  nsslibc_memcpy(rv->data, it->data, it->size);
+
+  return rv;
+}
+
+/*
+ * nssOID_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing the dotted-number 
+ * encoding of the specified NSSOID.  If the optional arena argument 
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return null upon error, in which case it will have set an error
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the dotted-digit encoding of 
+ *      this NSSOID
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssOID_GetUTF8Encoding
+(
+  const NSSOID *oid,
+  NSSArena *arenaOpt
+)
+{
+  NSSUTF8 *rv;
+  PRUint8 *end;
+  PRUint8 *d;
+  PRUint8 *e;
+  char *a;
+  char *b;
+  PRUint32 len;
+
+  if( PR_SUCCESS != oid_init() ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  a = (char *)NULL;
+
+  /* d will point to the next sequence of bytes to decode */
+  d = (PRUint8 *)oid->data.data;
+  /* end points to one past the legitimate data */
+  end = &d[ oid->data.size ];
+
+#ifdef NSSDEBUG
+  /*
+   * Guarantee that the for(e=d;e<end;e++) loop below will
+   * terminate.  Our BER sanity-checking code above will prevent
+   * such a BER from being registered, so the only other way one
+   * might show up is if our dotted-decimal encoder above screws
+   * up or our generated list is wrong.  So I'll wrap it with
+   * #ifdef NSSDEBUG and #endif.
+   */
+  if( end[-1] & 0x80 ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  /*
+   * Check for our pseudo-encoded single-digit OIDs
+   */
+  if( (*d == 0x80) && (2 == oid->data.size) ) {
+    /* Funky encoding.  The second byte is the number */
+    a = PR_smprintf("%lu", (PRUint32)d[1]);
+    if( (char *)NULL == a ) {
+      nss_SetError(NSS_ERROR_NO_MEMORY);
+      return (NSSUTF8 *)NULL;
+    }
+    goto done;
+  }
+
+  for( ; d < end; d = &e[1] ) {
+    
+    for( e = d; e < end; e++ ) {
+      if( 0 == (*e & 0x80) ) {
+        break;
+      }
+    }
+    
+    if( ((e-d) > 4) || (((e-d) == 4) && (*d & 0x70)) ) {
+      /* More than a 32-bit number */
+    } else {
+      PRUint32 n = 0;
+      
+      switch( e-d ) {
+      case 4:
+        n |= ((PRUint32)(e[-4] & 0x0f)) << 28;
+      case 3:
+        n |= ((PRUint32)(e[-3] & 0x7f)) << 21;
+      case 2:
+        n |= ((PRUint32)(e[-2] & 0x7f)) << 14;
+      case 1:
+        n |= ((PRUint32)(e[-1] & 0x7f)) <<  7;
+      case 0:
+        n |= ((PRUint32)(e[-0] & 0x7f))      ;
+      }
+      
+      if( (char *)NULL == a ) {
+        /* This is the first number.. decompose it */
+        PRUint32 one = (n/40), two = (n%40);
+        
+        a = PR_smprintf("%lu.%lu", one, two);
+        if( (char *)NULL == a ) {
+          nss_SetError(NSS_ERROR_NO_MEMORY);
+          return (NSSUTF8 *)NULL;
+        }
+      } else {
+        b = PR_smprintf("%s.%lu", a, n);
+        if( (char *)NULL == b ) {
+          PR_smprintf_free(a);
+          nss_SetError(NSS_ERROR_NO_MEMORY);
+          return (NSSUTF8 *)NULL;
+        }
+        
+        PR_smprintf_free(a);
+        a = b;
+      }
+    }
+  }
+
+ done:
+  /*
+   * Even if arenaOpt is NULL, we have to copy the data so that
+   * it'll be freed with the right version of free: ours, not
+   * PR_smprintf_free's.
+   */
+  len = PL_strlen(a);
+  rv = (NSSUTF8 *)nss_ZAlloc(arenaOpt, len);
+  if( (NSSUTF8 *)NULL == rv ) {
+    PR_smprintf_free(a);
+    return (NSSUTF8 *)NULL;
+  }
+
+  nsslibc_memcpy(rv, a, len);
+  PR_smprintf_free(a);
+
+  return rv;
+}
+
+/*
+ * nssOID_getExplanation
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine will return a static pointer to a UTF8-encoded string
+ * describing (in English) the specified OID.  The memory pointed to
+ * by the return value is not owned by the caller, and should not be
+ * freed or modified.  Note that explanations are only provided for
+ * the OIDs built into the NSS library; there is no way to specify an
+ * explanation for dynamically created OIDs.  This routine is intended
+ * only for use in debugging tools such as "derdump."  This routine
+ * may return null upon error, in which case it will have placed an
+ * error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *
+ * Return value:
+ *  NULL upon error
+ *  A static pointer to a readonly, non-caller-owned UTF8-encoded
+ *    string explaining the specified OID.
+ */
+
+#ifdef DEBUG
+NSS_EXTERN const NSSUTF8 *
+nssOID_getExplanation
+(
+  NSSOID *oid
+)
+{
+  if( PR_SUCCESS != oid_init() ) {
+    return (const NSSUTF8 *)NULL;
+  }
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSUTF8 *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return oid->expl;
+}
+
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+#endif /* DEBUG */
+
+/*
+ * nssOID_getTaggedUTF8
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine will return a pointer to a caller-owned UTF8-encoded
+ * string containing a tagged encoding of the specified OID.  Note
+ * that OID (component) tags are only provided for the OIDs built 
+ * into the NSS library; there is no way to specify tags for 
+ * dynamically created OIDs.  This routine is intended for use in
+ * debugging tools such as "derdump."   If the optional arena argument
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine 
+ * may return return null upon error, in which case it will have set 
+ * an error on the error stack.
+ *
+ * The error may be one of the following values
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the tagged encoding of
+ *      this NSSOID
+ */
+
+#ifdef DEBUG
+NSS_EXTERN NSSUTF8 *
+nssOID_getTaggedUTF8
+(
+  NSSOID *oid,
+  NSSArena *arenaOpt
+)
+{
+  NSSUTF8 *rv;
+  char *raw;
+  char *c;
+  char *a = (char *)NULL;
+  char *b;
+  PRBool done = PR_FALSE;
+  PRUint32 len;
+
+  if( PR_SUCCESS != oid_init() ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssOID_verifyPointer(oid) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  a = PR_smprintf("{");
+  if( (char *)NULL == a ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (NSSUTF8 *)NULL;
+  }
+
+  /*
+   * What I'm doing here is getting the text version of the OID,
+   * e.g. 1.2.12.92, then looking up each set of leading numbers
+   * as oids.. e.g. "1," then "1.2," then "1.2.12," etc.  Each of
+   * those will have the leaf tag, and I just build up the string.
+   * I never said this was the most efficient way of doing it,
+   * but hey it's a debug-build thing, and I'm getting really tired
+   * of writing this stupid low-level PKI code.
+   */
+
+  /* I know it's all ASCII, so I can use char */
+  raw = (char *)nssOID_GetUTF8Encoding(oid, (NSSArena *)NULL);
+  if( (char *)NULL == raw ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  for( c = raw; !done; c++ ) {
+    NSSOID *lead;
+    char *lastdot;
+
+    for( ; '.' != *c; c++ ) {
+      if( '\0' == *c ) {
+        done = PR_TRUE;
+        break;
+      }
+    }
+
+    *c = '\0';
+    lead = nssOID_CreateFromUTF8((NSSUTF8 *)raw);
+    if( (NSSOID *)NULL == lead ) {
+      PR_smprintf_free(a);
+      nss_ZFreeIf(raw);
+      nss_SetError(NSS_ERROR_NO_MEMORY);
+      return (NSSUTF8 *)NULL;
+    }
+
+    lastdot = PL_strrchr(raw, '.');
+    if( (char *)NULL == lastdot ) {
+      lastdot = raw;
+    }
+
+    b = PR_smprintf("%s %s(%s) ", a, lead->tag, &lastdot[1]);
+    if( (char *)NULL == b ) {
+      PR_smprintf_free(a);
+      nss_ZFreeIf(raw);
+      /* drop the OID reference on the floor */
+      nss_SetError(NSS_ERROR_NO_MEMORY);
+      return (NSSUTF8 *)NULL;
+    }
+
+    PR_smprintf_free(a);
+    a = b;
+
+    if( !done ) {
+      *c = '.';
+    }
+  }
+
+  nss_ZFreeIf(raw);
+
+  b = PR_smprintf("%s }", a);
+  if( (char *)NULL == b ) {
+    PR_smprintf_free(a);
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (NSSUTF8 *)NULL;
+  }
+
+  len = PL_strlen(b);
+  
+  rv = (NSSUTF8 *)nss_ZAlloc(arenaOpt, len+1);
+  if( (NSSUTF8 *)NULL == rv ) {
+    PR_smprintf_free(b);
+    return (NSSUTF8 *)NULL;
+  }
+
+  nsslibc_memcpy(rv, b, len);
+  PR_smprintf_free(b);
+
+  return rv;
+}
+
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+#endif /* DEBUG */
diff --git a/security/nss/lib/pki1/oiddata.c b/security/nss/lib/pki1/oiddata.c
new file mode 100644
index 000000000..1945421d1
--- /dev/null
+++ b/security/nss/lib/pki1/oiddata.c
@@ -0,0 +1,2933 @@
+/* THIS IS A GENERATED FILE */
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$ ; @(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKI1T_H
+#include "pki1t.h"
+#endif /* PKI1T_H */
+
+const NSSOID nss_builtin_oids[] = {
+  {
+#ifdef DEBUG
+    "ccitt",
+    "ITU-T",
+#endif /* DEBUG */
+    { "\x80\x00", 2 }
+  },
+  {
+#ifdef DEBUG
+    "recommendation",
+    "ITU-T Recommendation",
+#endif /* DEBUG */
+    { "\x00", 1 }
+  },
+  {
+#ifdef DEBUG
+    "question",
+    "ITU-T Question",
+#endif /* DEBUG */
+    { "\x01", 1 }
+  },
+  {
+#ifdef DEBUG
+    "administration",
+    "ITU-T Administration",
+#endif /* DEBUG */
+    { "\x02", 1 }
+  },
+  {
+#ifdef DEBUG
+    "network-operator",
+    "ITU-T Network Operator",
+#endif /* DEBUG */
+    { "\x03", 1 }
+  },
+  {
+#ifdef DEBUG
+    "identified-organization",
+    "ITU-T Identified Organization",
+#endif /* DEBUG */
+    { "\x04", 1 }
+  },
+  {
+#ifdef DEBUG
+    "data",
+    "RFC Data",
+#endif /* DEBUG */
+    { "\x09", 1 }
+  },
+  {
+#ifdef DEBUG
+    "pss",
+    "PSS British Telecom X.25 Network",
+#endif /* DEBUG */
+    { "\x09\x92\x26", 3 }
+  },
+  {
+#ifdef DEBUG
+    "ucl",
+    "RFC 1274 UCL Data networks",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x89\x93\xf2\x2c", 7 }
+  },
+  {
+#ifdef DEBUG
+    "pilot",
+    "RFC 1274 pilot",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x89\x93\xf2\x2c\x64", 8 }
+  },
+  {
+#ifdef DEBUG
+    "attributeType",
+    "RFC 1274 Attribute Type",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "uid",
+    "RFC 1274 User Id",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x01\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "mail",
+    "RFC 1274 E-mail Addres",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x01\x03", 10 }
+  },
+  {
+#ifdef DEBUG
+    "dc",
+    "RFC 2247 Domain Component",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x01\x19", 10 }
+  },
+  {
+#ifdef DEBUG
+    "attributeSyntax",
+    "RFC 1274 Attribute Syntax",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x03", 9 }
+  },
+  {
+#ifdef DEBUG
+    "iA5StringSyntax",
+    "RFC 1274 IA5 String Attribute Syntax",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x03\x04", 10 }
+  },
+  {
+#ifdef DEBUG
+    "caseIgnoreIA5StringSyntax",
+    "RFC 1274 Case-Ignore IA5 String Attribute Syntax",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x03\x05", 10 }
+  },
+  {
+#ifdef DEBUG
+    "objectClass",
+    "RFC 1274 Object Class",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x04", 9 }
+  },
+  {
+#ifdef DEBUG
+    "groups",
+    "RFC 1274 Groups",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x89\x93\xf2\x2c\x64\x0a", 9 }
+  },
+  {
+#ifdef DEBUG
+    "ucl",
+    "RFC 1327 ucl",
+#endif /* DEBUG */
+    { "\x09\x92\x26\x86\xe8\xc4\xb5\xbe\x7f", 9 }
+  },
+  {
+#ifdef DEBUG
+    "iso",
+    "ISO",
+#endif /* DEBUG */
+    { "\x80\x01", 2 }
+  },
+  {
+#ifdef DEBUG
+    "standard",
+    "ISO Standard",
+#endif /* DEBUG */
+    { "\x28", 1 }
+  },
+  {
+#ifdef DEBUG
+    "registration-authority",
+    "ISO Registration Authority",
+#endif /* DEBUG */
+    { "\x29", 1 }
+  },
+  {
+#ifdef DEBUG
+    "member-body",
+    "ISO Member Body",
+#endif /* DEBUG */
+    { "\x2a", 1 }
+  },
+  {
+#ifdef DEBUG
+    "australia",
+    "Australia (ISO)",
+#endif /* DEBUG */
+    { "\x2a\x24", 2 }
+  },
+  {
+#ifdef DEBUG
+    "taiwan",
+    "Taiwan (ISO)",
+#endif /* DEBUG */
+    { "\x2a\x81\x1e", 3 }
+  },
+  {
+#ifdef DEBUG
+    "ireland",
+    "Ireland (ISO)",
+#endif /* DEBUG */
+    { "\x2a\x82\x74", 3 }
+  },
+  {
+#ifdef DEBUG
+    "norway",
+    "Norway (ISO)",
+#endif /* DEBUG */
+    { "\x2a\x84\x42", 3 }
+  },
+  {
+#ifdef DEBUG
+    "sweden",
+    "Sweden (ISO)",
+#endif /* DEBUG */
+    { "\x2a\x85\x70", 3 }
+  },
+  {
+#ifdef DEBUG
+    "great-britain",
+    "Great Britain (ISO)",
+#endif /* DEBUG */
+    { "\x2a\x86\x3a", 3 }
+  },
+  {
+#ifdef DEBUG
+    "us",
+    "United States (ISO)",
+#endif /* DEBUG */
+    { "\x2a\x86\x48", 3 }
+  },
+  {
+#ifdef DEBUG
+    "organization",
+    "US (ISO) organization",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x01", 4 }
+  },
+  {
+#ifdef DEBUG
+    "ansi-z30-50",
+    "ANSI Z39.50",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x13", 5 }
+  },
+  {
+#ifdef DEBUG
+    "dicom",
+    "DICOM",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x18", 5 }
+  },
+  {
+#ifdef DEBUG
+    "ieee-1224",
+    "IEEE 1224",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x21", 5 }
+  },
+  {
+#ifdef DEBUG
+    "ieee-802-10",
+    "IEEE 802.10",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x26", 5 }
+  },
+  {
+#ifdef DEBUG
+    "ieee-802-11",
+    "IEEE 802.11",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x34", 5 }
+  },
+  {
+#ifdef DEBUG
+    "x9-57",
+    "ANSI X9.57",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x38", 5 }
+  },
+  {
+#ifdef DEBUG
+    "holdInstruction",
+    "ANSI X9.57 Hold Instruction",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x38\x02", 6 }
+  },
+  {
+#ifdef DEBUG
+    "id-holdinstruction-none",
+    "ANSI X9.57 Hold Instruction: None",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x38\x02\x01", 7 }
+  },
+  {
+#ifdef DEBUG
+    "id-holdinstruction-callissuer",
+    "ANSI X9.57 Hold Instruction: Call Issuer",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x38\x02\x02", 7 }
+  },
+  {
+#ifdef DEBUG
+    "id-holdinstruction-reject",
+    "ANSI X9.57 Hold Instruction: Reject",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x38\x02\x03", 7 }
+  },
+  {
+#ifdef DEBUG
+    "x9algorithm",
+    "ANSI X9.57 Algorithm",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x38\x04", 6 }
+  },
+  {
+#ifdef DEBUG
+    "id-dsa",
+    "ANSI X9.57 DSA Signature",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x38\x04\x01", 7 }
+  },
+  {
+#ifdef DEBUG
+    "id-dsa-with-sha1",
+    "ANSI X9.57 Algorithm DSA Signature with SHA-1 Digest",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x38\x04\x03", 7 }
+  },
+  {
+#ifdef DEBUG
+    "x942",
+    "ANSI X9.42",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x3e", 5 }
+  },
+  {
+#ifdef DEBUG
+    "algorithm",
+    "ANSI X9.42 Algorithm",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x3e\x02", 6 }
+  },
+  {
+#ifdef DEBUG
+    "dhpublicnumber",
+    "Diffie-Hellman Public Key Algorithm",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\xce\x3e\x02\x01", 7 }
+  },
+  {
+#ifdef DEBUG
+    "entrust",
+    "Entrust Technologies",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf6\x7d", 6 }
+  },
+  {
+#ifdef DEBUG
+    "rsadsi",
+    "RSA Data Security Inc.",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d", 6 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs",
+    "PKCS",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01", 7 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-1",
+    "PKCS #1",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x01", 8 }
+  },
+  {
+#ifdef DEBUG
+    "rsaEncryption",
+    "PKCS #1 RSA Encryption",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "md2WithRSAEncryption",
+    "PKCS #1 MD2 With RSA Encryption",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x02", 9 }
+  },
+  {
+#ifdef DEBUG
+    "md4WithRSAEncryption",
+    "PKCS #1 MD4 With RSA Encryption",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x03", 9 }
+  },
+  {
+#ifdef DEBUG
+    "md5WithRSAEncryption",
+    "PKCS #1 MD5 With RSA Encryption",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04", 9 }
+  },
+  {
+#ifdef DEBUG
+    "sha1WithRSAEncryption",
+    "PKCS #1 SHA-1 With RSA Encryption",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05", 9 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-5",
+    "PKCS #5",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x05", 8 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithMD2AndDES-CBC",
+    "PKCS #5 Password Based Encryption With MD2 and DES-CBC",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x05\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithMD5AndDES-CBC",
+    "PKCS #5 Password Based Encryption With MD5 and DES-CBC",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x05\x03", 9 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSha1AndDES-CBC",
+    "PKCS #5 Password Based Encryption With SHA-1 and DES-CBC",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x05\x0a", 9 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-7",
+    "PKCS #7",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x07", 8 }
+  },
+  {
+#ifdef DEBUG
+    "data",
+    "PKCS #7 Data",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "signedData",
+    "PKCS #7 Signed Data",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02", 9 }
+  },
+  {
+#ifdef DEBUG
+    "envelopedData",
+    "PKCS #7 Enveloped Data",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x07\x03", 9 }
+  },
+  {
+#ifdef DEBUG
+    "signedAndEnvelopedData",
+    "PKCS #7 Signed and Enveloped Data",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x07\x04", 9 }
+  },
+  {
+#ifdef DEBUG
+    "digestedData",
+    "PKCS #7 Digested Data",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x07\x05", 9 }
+  },
+  {
+#ifdef DEBUG
+    "encryptedData",
+    "PKCS #7 Encrypted Data",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x07\x06", 9 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-9",
+    "PKCS #9",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09", 8 }
+  },
+  {
+#ifdef DEBUG
+    "emailAddress",
+    "PKCS #9 Email Address",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "unstructuredName",
+    "PKCS #9 Unstructured Name",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x02", 9 }
+  },
+  {
+#ifdef DEBUG
+    "contentType",
+    "PKCS #9 Content Type",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x03", 9 }
+  },
+  {
+#ifdef DEBUG
+    "messageDigest",
+    "PKCS #9 Message Digest",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x04", 9 }
+  },
+  {
+#ifdef DEBUG
+    "signingTime",
+    "PKCS #9 Signing Time",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x05", 9 }
+  },
+  {
+#ifdef DEBUG
+    "counterSignature",
+    "PKCS #9 Counter Signature",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x06", 9 }
+  },
+  {
+#ifdef DEBUG
+    "challengePassword",
+    "PKCS #9 Challenge Password",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x07", 9 }
+  },
+  {
+#ifdef DEBUG
+    "unstructuredAddress",
+    "PKCS #9 Unstructured Address",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x08", 9 }
+  },
+  {
+#ifdef DEBUG
+    "extendedCertificateAttributes",
+    "PKCS #9 Extended Certificate Attributes",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x09", 9 }
+  },
+  {
+#ifdef DEBUG
+    "sMIMECapabilities",
+    "PKCS #9 S/MIME Capabilities",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x0f", 9 }
+  },
+  {
+#ifdef DEBUG
+    "friendlyName",
+    "PKCS #9 Friendly Name",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x14", 9 }
+  },
+  {
+#ifdef DEBUG
+    "localKeyID",
+    "PKCS #9 Local Key ID",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x15", 9 }
+  },
+  {
+#ifdef DEBUG
+    "certTypes",
+    "PKCS #9 Certificate Types",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x16", 9 }
+  },
+  {
+#ifdef DEBUG
+    "x509Certificate",
+    "PKCS #9 Certificate Type = X.509",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x16\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "sdsiCertificate",
+    "PKCS #9 Certificate Type = SDSI",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x16\x02", 10 }
+  },
+  {
+#ifdef DEBUG
+    "crlTypes",
+    "PKCS #9 Certificate Revocation List Types",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x17", 9 }
+  },
+  {
+#ifdef DEBUG
+    "x509Crl",
+    "PKCS #9 CRL Type = X.509",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x09\x17\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-12",
+    "PKCS #12",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c", 8 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-12PbeIds",
+    "PKCS #12 Password Based Encryption IDs",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSHA1And128BitRC4",
+    "PKCS #12 Password Based Encryption With SHA-1 and 128-bit RC4",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSHA1And40BitRC4",
+    "PKCS #12 Password Based Encryption With SHA-1 and 40-bit RC4",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01\x02", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSHA1And3-KeyTripleDES-CBC",
+    "PKCS #12 Password Based Encryption With SHA-1 and 3-key Triple DES-CBC",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01\x03", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSHA1And2-KeyTripleDES-CBC",
+    "PKCS #12 Password Based Encryption With SHA-1 and 2-key Triple DES-CBC",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01\x04", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSHA1And128BitRC2-CBC",
+    "PKCS #12 Password Based Encryption With SHA-1 and 128-bit RC2-CBC",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01\x05", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSHA1And40BitRC2-CBC",
+    "PKCS #12 Password Based Encryption With SHA-1 and 40-bit RC2-CBC",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x01\x06", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-12EspvkIds",
+    "PKCS #12 ESPVK IDs",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x02", 9 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs8-key-shrouding",
+    "PKCS #12 Key Shrouding",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x02\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "draft1Pkcs-12Bag-ids",
+    "Draft 1.0 PKCS #12 Bag IDs",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x03", 9 }
+  },
+  {
+#ifdef DEBUG
+    "keyBag",
+    "Draft 1.0 PKCS #12 Key Bag",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x03\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "certAndCRLBagId",
+    "Draft 1.0 PKCS #12 Cert and CRL Bag ID",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x03\x02", 10 }
+  },
+  {
+#ifdef DEBUG
+    "secretBagId",
+    "Draft 1.0 PKCS #12 Secret Bag ID",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x03\x03", 10 }
+  },
+  {
+#ifdef DEBUG
+    "safeContentsId",
+    "Draft 1.0 PKCS #12 Safe Contents Bag ID",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x03\x04", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-8ShroudedKeyBagId",
+    "Draft 1.0 PKCS #12 PKCS #8-shrouded Key Bag ID",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x03\x05", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-12CertBagIds",
+    "PKCS #12 Certificate Bag IDs",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x04", 9 }
+  },
+  {
+#ifdef DEBUG
+    "x509CertCRLBagId",
+    "PKCS #12 X.509 Certificate and CRL Bag",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x04\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "SDSICertBagID",
+    "PKCS #12 SDSI Certificate Bag",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x04\x02", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-12Oids",
+    "PKCS #12 OIDs (XXX)",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05", 9 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-12PbeIds",
+    "PKCS #12 OIDs PBE IDs (XXX)",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSha1And128BitRC4",
+    "PKCS #12 OIDs PBE with SHA-1 and 128-bit RC4 (XXX)",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x01\x01", 11 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSha1And40BitRC4",
+    "PKCS #12 OIDs PBE with SHA-1 and 40-bit RC4 (XXX)",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x01\x02", 11 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSha1AndTripleDES-CBC",
+    "PKCS #12 OIDs PBE with SHA-1 and Triple DES-CBC (XXX)",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x01\x03", 11 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSha1And128BitRC2-CBC",
+    "PKCS #12 OIDs PBE with SHA-1 and 128-bit RC2-CBC (XXX)",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x01\x04", 11 }
+  },
+  {
+#ifdef DEBUG
+    "pbeWithSha1And40BitRC2-CBC",
+    "PKCS #12 OIDs PBE with SHA-1 and 40-bit RC2-CBC (XXX)",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x01\x05", 11 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-12EnvelopingIds",
+    "PKCS #12 OIDs Enveloping IDs (XXX)",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x02", 10 }
+  },
+  {
+#ifdef DEBUG
+    "rsaEncryptionWith128BitRC4",
+    "PKCS #12 OIDs Enveloping RSA Encryption with 128-bit RC4",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x02\x01", 11 }
+  },
+  {
+#ifdef DEBUG
+    "rsaEncryptionWith40BitRC4",
+    "PKCS #12 OIDs Enveloping RSA Encryption with 40-bit RC4",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x02\x02", 11 }
+  },
+  {
+#ifdef DEBUG
+    "rsaEncryptionWithTripleDES",
+    "PKCS #12 OIDs Enveloping RSA Encryption with Triple DES",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x02\x03", 11 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-12SignatureIds",
+    "PKCS #12 OIDs Signature IDs (XXX)",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x03", 10 }
+  },
+  {
+#ifdef DEBUG
+    "rsaSignatureWithSHA1Digest",
+    "PKCS #12 OIDs RSA Signature with SHA-1 Digest",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x05\x03\x01", 11 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-12Version1",
+    "PKCS #12 Version 1",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a", 9 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-12BagIds",
+    "PKCS #12 Bag IDs",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "keyBag",
+    "PKCS #12 Key Bag",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a\x01\x01", 11 }
+  },
+  {
+#ifdef DEBUG
+    "pkcs-8ShroudedKeyBag",
+    "PKCS #12 PKCS #8-shrouded Key Bag",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a\x01\x02", 11 }
+  },
+  {
+#ifdef DEBUG
+    "certBag",
+    "PKCS #12 Certificate Bag",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a\x01\x03", 11 }
+  },
+  {
+#ifdef DEBUG
+    "crlBag",
+    "PKCS #12 CRL Bag",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a\x01\x04", 11 }
+  },
+  {
+#ifdef DEBUG
+    "secretBag",
+    "PKCS #12 Secret Bag",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a\x01\x05", 11 }
+  },
+  {
+#ifdef DEBUG
+    "safeContentsBag",
+    "PKCS #12 Safe Contents Bag",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x01\x0c\x0a\x01\x06", 11 }
+  },
+  {
+#ifdef DEBUG
+    "digest",
+    "RSA digest algorithm",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x02", 7 }
+  },
+  {
+#ifdef DEBUG
+    "md2",
+    "MD2",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x02\x02", 8 }
+  },
+  {
+#ifdef DEBUG
+    "md4",
+    "MD4",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x02\x04", 8 }
+  },
+  {
+#ifdef DEBUG
+    "md5",
+    "MD5",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x02\x05", 8 }
+  },
+  {
+#ifdef DEBUG
+    "cipher",
+    "RSA cipher algorithm",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x03", 7 }
+  },
+  {
+#ifdef DEBUG
+    "rc2cbc",
+    "RC2-CBC",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x03\x02", 8 }
+  },
+  {
+#ifdef DEBUG
+    "rc4",
+    "RC4",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x03\x04", 8 }
+  },
+  {
+#ifdef DEBUG
+    "desede3cbc",
+    "DES-EDE3-CBC",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x03\x07", 8 }
+  },
+  {
+#ifdef DEBUG
+    "rc5cbcpad",
+    "RC5-CBCPad",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x0d\x03\x09", 8 }
+  },
+  {
+#ifdef DEBUG
+    "microsoft",
+    "Microsoft",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x14", 6 }
+  },
+  {
+#ifdef DEBUG
+    "columbia-university",
+    "Columbia University",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x18", 6 }
+  },
+  {
+#ifdef DEBUG
+    "unisys",
+    "Unisys",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x24", 6 }
+  },
+  {
+#ifdef DEBUG
+    "xapia",
+    "XAPIA",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf7\x7a", 6 }
+  },
+  {
+#ifdef DEBUG
+    "wordperfect",
+    "WordPerfect",
+#endif /* DEBUG */
+    { "\x2a\x86\x48\x86\xf8\x23", 6 }
+  },
+  {
+#ifdef DEBUG
+    "identified-organization",
+    "ISO identified organizations",
+#endif /* DEBUG */
+    { "\x2b", 1 }
+  },
+  {
+#ifdef DEBUG
+    "us-dod",
+    "United States Department of Defense",
+#endif /* DEBUG */
+    { "\x2b\x06", 2 }
+  },
+  {
+#ifdef DEBUG
+    "internet",
+    "The Internet",
+#endif /* DEBUG */
+    { "\x2b\x06\x01", 3 }
+  },
+  {
+#ifdef DEBUG
+    "directory",
+    "Internet: Directory",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x01", 4 }
+  },
+  {
+#ifdef DEBUG
+    "management",
+    "Internet: Management",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x02", 4 }
+  },
+  {
+#ifdef DEBUG
+    "experimental",
+    "Internet: Experimental",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x03", 4 }
+  },
+  {
+#ifdef DEBUG
+    "private",
+    "Internet: Private",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x04", 4 }
+  },
+  {
+#ifdef DEBUG
+    "security",
+    "Internet: Security",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05", 4 }
+  },
+  {
+#ifdef DEBUG
+    "",
+    "",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05", 5 }
+  },
+  {
+#ifdef DEBUG
+    "id-pkix",
+    "Public Key Infrastructure",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07", 6 }
+  },
+  {
+#ifdef DEBUG
+    "PKIX1Explicit88",
+    "RFC 2459 Explicitly Tagged Module, 1988 Syntax",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x00\x01", 8 }
+  },
+  {
+#ifdef DEBUG
+    "PKIXImplicit88",
+    "RFC 2459 Implicitly Tagged Module, 1988 Syntax",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x00\x02", 8 }
+  },
+  {
+#ifdef DEBUG
+    "PKIXExplicit93",
+    "RFC 2459 Explicitly Tagged Module, 1993 Syntax",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x00\x03", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-pe",
+    "PKIX Private Certificate Extensions",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x01", 7 }
+  },
+  {
+#ifdef DEBUG
+    "id-pe-authorityInfoAccess",
+    "Certificate Authority Information Access",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x01\x01", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-qt",
+    "PKIX Policy Qualifier Types",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x02", 7 }
+  },
+  {
+#ifdef DEBUG
+    "id-qt-cps",
+    "PKIX CPS Pointer Qualifier",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x02\x01", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-qt-unotice",
+    "PKIX User Notice Qualifier",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x02\x02", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-kp",
+    "PKIX Key Purpose",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x03", 7 }
+  },
+  {
+#ifdef DEBUG
+    "id-kp-serverAuth",
+    "TLS Web Server Authentication Certificate",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x03\x01", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-kp-clientAuth",
+    "TLS Web Client Authentication Certificate",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x03\x02", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-kp-codeSigning",
+    "Code Signing Certificate",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x03\x03", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-kp-emailProtection",
+    "E-Mail Protection Certificate",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x03\x04", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-kp-ipsecEndSystem",
+    "IPSEC End System Certificate",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x03\x05", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-kp-ipsecTunnel",
+    "IPSEC Tunnel Certificate",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x03\x06", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-kp-ipsecUser",
+    "IPSEC User Certificate",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x03\x07", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-kp-timeStamping",
+    "Time Stamping Certificate",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x03\x08", 8 }
+  },
+  {
+#ifdef DEBUG
+    "ocsp-responder",
+    "OCSP Responder Certificate",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x03\x09", 8 }
+  },
+  {
+#ifdef DEBUG
+    "pkix-id-pkix",
+    "",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07", 7 }
+  },
+  {
+#ifdef DEBUG
+    "pkix-id-pkip",
+    "",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07\x05", 8 }
+  },
+  {
+#ifdef DEBUG
+    "pkix-id-regctrl",
+    "CRMF Registration Control",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "regtoken",
+    "CRMF Registration Control, Registration Token",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x01\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "authenticator",
+    "CRMF Registration Control, Registration Authenticator",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x01\x02", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pkipubinfo",
+    "CRMF Registration Control, PKI Publication Info",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x01\x03", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pki-arch-options",
+    "CRMF Registration Control, PKI Archive Options",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x01\x04", 10 }
+  },
+  {
+#ifdef DEBUG
+    "old-cert-id",
+    "CRMF Registration Control, Old Certificate ID",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x01\x05", 10 }
+  },
+  {
+#ifdef DEBUG
+    "protocol-encryption-key",
+    "CRMF Registration Control, Protocol Encryption Key",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x01\x06", 10 }
+  },
+  {
+#ifdef DEBUG
+    "pkix-id-reginfo",
+    "CRMF Registration Info",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x02", 9 }
+  },
+  {
+#ifdef DEBUG
+    "utf8-pairs",
+    "CRMF Registration Info, UTF8 Pairs",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x02\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "cert-request",
+    "CRMF Registration Info, Certificate Request",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x07\x05\x02\x02", 10 }
+  },
+  {
+#ifdef DEBUG
+    "id-ad",
+    "PKIX Access Descriptors",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x30", 7 }
+  },
+  {
+#ifdef DEBUG
+    "id-ad-ocsp",
+    "PKIX Online Certificate Status Protocol",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x30\x01", 8 }
+  },
+  {
+#ifdef DEBUG
+    "basic-response",
+    "OCSP Basic Response",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x30\x01\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "nonce-extension",
+    "OCSP Nonce Extension",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x30\x01\x02", 9 }
+  },
+  {
+#ifdef DEBUG
+    "response",
+    "OCSP Response Types Extension",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x30\x01\x03", 9 }
+  },
+  {
+#ifdef DEBUG
+    "crl",
+    "OCSP CRL Reference Extension",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x30\x01\x04", 9 }
+  },
+  {
+#ifdef DEBUG
+    "no-check",
+    "OCSP No Check Extension",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x30\x01\x05", 9 }
+  },
+  {
+#ifdef DEBUG
+    "archive-cutoff",
+    "OCSP Archive Cutoff Extension",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x30\x01\x06", 9 }
+  },
+  {
+#ifdef DEBUG
+    "service-locator",
+    "OCSP Service Locator Extension",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x30\x01\x07", 9 }
+  },
+  {
+#ifdef DEBUG
+    "id-ad-caIssuers",
+    "Certificate Authority Issuers",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x05\x05\x07\x30\x02", 8 }
+  },
+  {
+#ifdef DEBUG
+    "snmpv2",
+    "Internet: SNMPv2",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x06", 4 }
+  },
+  {
+#ifdef DEBUG
+    "mail",
+    "Internet: mail",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x07", 4 }
+  },
+  {
+#ifdef DEBUG
+    "mime-mhs",
+    "Internet: mail MIME mhs",
+#endif /* DEBUG */
+    { "\x2b\x06\x01\x07\x01", 5 }
+  },
+  {
+#ifdef DEBUG
+    "ecma",
+    "European Computers Manufacturing Association",
+#endif /* DEBUG */
+    { "\x2b\x0c", 2 }
+  },
+  {
+#ifdef DEBUG
+    "oiw",
+    "Open Systems Implementors Workshop",
+#endif /* DEBUG */
+    { "\x2b\x0e", 2 }
+  },
+  {
+#ifdef DEBUG
+    "secsig",
+    "Open Systems Implementors Workshop Security Special Interest Group",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03", 3 }
+  },
+  {
+#ifdef DEBUG
+    "oIWSECSIGAlgorithmObjectIdentifiers",
+    "OIW SECSIG Algorithm OIDs",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x01", 4 }
+  },
+  {
+#ifdef DEBUG
+    "algorithm",
+    "OIW SECSIG Algorithm",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x02", 4 }
+  },
+  {
+#ifdef DEBUG
+    "desecb",
+    "DES-ECB",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x02\x06", 5 }
+  },
+  {
+#ifdef DEBUG
+    "descbc",
+    "DES-CBC",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x02\x07", 5 }
+  },
+  {
+#ifdef DEBUG
+    "desofb",
+    "DES-OFB",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x02\x08", 5 }
+  },
+  {
+#ifdef DEBUG
+    "descfb",
+    "DES-CFB",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x02\x09", 5 }
+  },
+  {
+#ifdef DEBUG
+    "desmac",
+    "DES-MAC",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x02\x0a", 5 }
+  },
+  {
+#ifdef DEBUG
+    "isoSHAWithRSASignature",
+    "ISO SHA with RSA Signature",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x02\x0f", 5 }
+  },
+  {
+#ifdef DEBUG
+    "desede",
+    "DES-EDE",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x02\x11", 5 }
+  },
+  {
+#ifdef DEBUG
+    "sha1",
+    "SHA-1",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x02\x1a", 5 }
+  },
+  {
+#ifdef DEBUG
+    "bogusDSASignatureWithSHA1Digest",
+    "Forgezza DSA Signature with SHA-1 Digest",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x02\x1b", 5 }
+  },
+  {
+#ifdef DEBUG
+    "authentication-mechanism",
+    "OIW SECSIG Authentication Mechanisms",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x03", 4 }
+  },
+  {
+#ifdef DEBUG
+    "security-attribute",
+    "OIW SECSIG Security Attributes",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x04", 4 }
+  },
+  {
+#ifdef DEBUG
+    "document-definition",
+    "OIW SECSIG Document Definitions used in security",
+#endif /* DEBUG */
+    { "\x2b\x0e\x03\x05", 4 }
+  },
+  {
+#ifdef DEBUG
+    "directory-services-sig",
+    "OIW directory services sig",
+#endif /* DEBUG */
+    { "\x2b\x0e\x07", 3 }
+  },
+  {
+#ifdef DEBUG
+    "ewos",
+    "European Workshop on Open Systems",
+#endif /* DEBUG */
+    { "\x2b\x10", 2 }
+  },
+  {
+#ifdef DEBUG
+    "osf",
+    "Open Software Foundation",
+#endif /* DEBUG */
+    { "\x2b\x16", 2 }
+  },
+  {
+#ifdef DEBUG
+    "nordunet",
+    "Nordunet",
+#endif /* DEBUG */
+    { "\x2b\x17", 2 }
+  },
+  {
+#ifdef DEBUG
+    "nato-id-org",
+    "NATO identified organisation",
+#endif /* DEBUG */
+    { "\x2b\x1a", 2 }
+  },
+  {
+#ifdef DEBUG
+    "teletrust",
+    "Teletrust",
+#endif /* DEBUG */
+    { "\x2b\x24", 2 }
+  },
+  {
+#ifdef DEBUG
+    "smpte",
+    "Society of Motion Picture and Television Engineers",
+#endif /* DEBUG */
+    { "\x2b\x34", 2 }
+  },
+  {
+#ifdef DEBUG
+    "sita",
+    "Societe Internationale de Telecommunications Aeronautiques",
+#endif /* DEBUG */
+    { "\x2b\x45", 2 }
+  },
+  {
+#ifdef DEBUG
+    "iana",
+    "Internet Assigned Numbers Authority",
+#endif /* DEBUG */
+    { "\x2b\x5a", 2 }
+  },
+  {
+#ifdef DEBUG
+    "thawte",
+    "Thawte",
+#endif /* DEBUG */
+    { "\x2b\x65", 2 }
+  },
+  {
+#ifdef DEBUG
+    "joint-iso-ccitt",
+    "Joint ISO/ITU-T assignment",
+#endif /* DEBUG */
+    { "\x80\x02", 2 }
+  },
+  {
+#ifdef DEBUG
+    "presentation",
+    "Joint ISO/ITU-T Presentation",
+#endif /* DEBUG */
+    { "\x50", 1 }
+  },
+  {
+#ifdef DEBUG
+    "asn-1",
+    "Abstract Syntax Notation One",
+#endif /* DEBUG */
+    { "\x51", 1 }
+  },
+  {
+#ifdef DEBUG
+    "acse",
+    "Association Control",
+#endif /* DEBUG */
+    { "\x52", 1 }
+  },
+  {
+#ifdef DEBUG
+    "rtse",
+    "Reliable Transfer",
+#endif /* DEBUG */
+    { "\x53", 1 }
+  },
+  {
+#ifdef DEBUG
+    "rose",
+    "Remote Operations",
+#endif /* DEBUG */
+    { "\x54", 1 }
+  },
+  {
+#ifdef DEBUG
+    "x500",
+    "Directory",
+#endif /* DEBUG */
+    { "\x55", 1 }
+  },
+  {
+#ifdef DEBUG
+    "modules",
+    "X.500 modules",
+#endif /* DEBUG */
+    { "\x55\x01", 2 }
+  },
+  {
+#ifdef DEBUG
+    "service-environment",
+    "X.500 service environment",
+#endif /* DEBUG */
+    { "\x55\x02", 2 }
+  },
+  {
+#ifdef DEBUG
+    "application-context",
+    "X.500 application context",
+#endif /* DEBUG */
+    { "\x55\x03", 2 }
+  },
+  {
+#ifdef DEBUG
+    "id-at",
+    "X.520 attribute types",
+#endif /* DEBUG */
+    { "\x55\x04", 2 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-commonName",
+    "X.520 Common Name",
+#endif /* DEBUG */
+    { "\x55\x04\x03", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-surname",
+    "X.520 Surname",
+#endif /* DEBUG */
+    { "\x55\x04\x04", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-countryName",
+    "X.520 Country Name",
+#endif /* DEBUG */
+    { "\x55\x04\x06", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-localityName",
+    "X.520 Locality Name",
+#endif /* DEBUG */
+    { "\x55\x04\x07", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-stateOrProvinceName",
+    "X.520 State or Province Name",
+#endif /* DEBUG */
+    { "\x55\x04\x08", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-organizationName",
+    "X.520 Organization Name",
+#endif /* DEBUG */
+    { "\x55\x04\x0a", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-organizationalUnitName",
+    "X.520 Organizational Unit Name",
+#endif /* DEBUG */
+    { "\x55\x04\x0b", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-title",
+    "X.520 Title",
+#endif /* DEBUG */
+    { "\x55\x04\x0c", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-name",
+    "X.520 Name",
+#endif /* DEBUG */
+    { "\x55\x04\x29", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-givenName",
+    "X.520 Given Name",
+#endif /* DEBUG */
+    { "\x55\x04\x2a", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-initials",
+    "X.520 Initials",
+#endif /* DEBUG */
+    { "\x55\x04\x2b", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-generationQualifier",
+    "X.520 Generation Qualifier",
+#endif /* DEBUG */
+    { "\x55\x04\x2c", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-at-dnQualifier",
+    "X.520 DN Qualifier",
+#endif /* DEBUG */
+    { "\x55\x04\x2e", 3 }
+  },
+  {
+#ifdef DEBUG
+    "attribute-syntax",
+    "X.500 attribute syntaxes",
+#endif /* DEBUG */
+    { "\x55\x05", 2 }
+  },
+  {
+#ifdef DEBUG
+    "object-classes",
+    "X.500 standard object classes",
+#endif /* DEBUG */
+    { "\x55\x06", 2 }
+  },
+  {
+#ifdef DEBUG
+    "attribute-set",
+    "X.500 attribute sets",
+#endif /* DEBUG */
+    { "\x55\x07", 2 }
+  },
+  {
+#ifdef DEBUG
+    "algorithms",
+    "X.500-defined algorithms",
+#endif /* DEBUG */
+    { "\x55\x08", 2 }
+  },
+  {
+#ifdef DEBUG
+    "encryption",
+    "X.500-defined encryption algorithms",
+#endif /* DEBUG */
+    { "\x55\x08\x01", 3 }
+  },
+  {
+#ifdef DEBUG
+    "rsa",
+    "RSA Encryption Algorithm",
+#endif /* DEBUG */
+    { "\x55\x08\x01\x01", 4 }
+  },
+  {
+#ifdef DEBUG
+    "abstract-syntax",
+    "X.500 abstract syntaxes",
+#endif /* DEBUG */
+    { "\x55\x09", 2 }
+  },
+  {
+#ifdef DEBUG
+    "operational-attribute",
+    "DSA Operational Attributes",
+#endif /* DEBUG */
+    { "\x55\x0c", 2 }
+  },
+  {
+#ifdef DEBUG
+    "matching-rule",
+    "Matching Rule",
+#endif /* DEBUG */
+    { "\x55\x0d", 2 }
+  },
+  {
+#ifdef DEBUG
+    "knowledge-matching-rule",
+    "X.500 knowledge Matching Rules",
+#endif /* DEBUG */
+    { "\x55\x0e", 2 }
+  },
+  {
+#ifdef DEBUG
+    "name-form",
+    "X.500 name forms",
+#endif /* DEBUG */
+    { "\x55\x0f", 2 }
+  },
+  {
+#ifdef DEBUG
+    "group",
+    "X.500 groups",
+#endif /* DEBUG */
+    { "\x55\x10", 2 }
+  },
+  {
+#ifdef DEBUG
+    "subentry",
+    "X.500 subentry",
+#endif /* DEBUG */
+    { "\x55\x11", 2 }
+  },
+  {
+#ifdef DEBUG
+    "operational-attribute-type",
+    "X.500 operational attribute type",
+#endif /* DEBUG */
+    { "\x55\x12", 2 }
+  },
+  {
+#ifdef DEBUG
+    "operational-binding",
+    "X.500 operational binding",
+#endif /* DEBUG */
+    { "\x55\x13", 2 }
+  },
+  {
+#ifdef DEBUG
+    "schema-object-class",
+    "X.500 schema Object class",
+#endif /* DEBUG */
+    { "\x55\x14", 2 }
+  },
+  {
+#ifdef DEBUG
+    "schema-operational-attribute",
+    "X.500 schema operational attributes",
+#endif /* DEBUG */
+    { "\x55\x15", 2 }
+  },
+  {
+#ifdef DEBUG
+    "administrative-role",
+    "X.500 administrative roles",
+#endif /* DEBUG */
+    { "\x55\x17", 2 }
+  },
+  {
+#ifdef DEBUG
+    "access-control-attribute",
+    "X.500 access control attribute",
+#endif /* DEBUG */
+    { "\x55\x18", 2 }
+  },
+  {
+#ifdef DEBUG
+    "ros",
+    "X.500 ros object",
+#endif /* DEBUG */
+    { "\x55\x19", 2 }
+  },
+  {
+#ifdef DEBUG
+    "contract",
+    "X.500 contract",
+#endif /* DEBUG */
+    { "\x55\x1a", 2 }
+  },
+  {
+#ifdef DEBUG
+    "package",
+    "X.500 package",
+#endif /* DEBUG */
+    { "\x55\x1b", 2 }
+  },
+  {
+#ifdef DEBUG
+    "access-control-schema",
+    "X.500 access control schema",
+#endif /* DEBUG */
+    { "\x55\x1c", 2 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce",
+    "X.500 Certificate Extension",
+#endif /* DEBUG */
+    { "\x55\x1d", 2 }
+  },
+  {
+#ifdef DEBUG
+    "subject-directory-attributes",
+    "Certificate Subject Directory Attributes",
+#endif /* DEBUG */
+    { "\x55\x1d\x05", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-subjectDirectoryAttributes",
+    "Certificate Subject Directory Attributes",
+#endif /* DEBUG */
+    { "\x55\x1d\x09", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-subjectKeyIdentifier",
+    "Certificate Subject Key ID",
+#endif /* DEBUG */
+    { "\x55\x1d\x0e", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-keyUsage",
+    "Certificate Key Usage",
+#endif /* DEBUG */
+    { "\x55\x1d\x0f", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-privateKeyUsagePeriod",
+    "Certificate Private Key Usage Period",
+#endif /* DEBUG */
+    { "\x55\x1d\x10", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-subjectAltName",
+    "Certificate Subject Alternate Name",
+#endif /* DEBUG */
+    { "\x55\x1d\x11", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-issuerAltName",
+    "Certificate Issuer Alternate Name",
+#endif /* DEBUG */
+    { "\x55\x1d\x12", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-basicConstraints",
+    "Certificate Basic Constraints",
+#endif /* DEBUG */
+    { "\x55\x1d\x13", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-cRLNumber",
+    "CRL Number",
+#endif /* DEBUG */
+    { "\x55\x1d\x14", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-cRLReasons",
+    "CRL Reason Code",
+#endif /* DEBUG */
+    { "\x55\x1d\x15", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-holdInstructionCode",
+    "Hold Instruction Code",
+#endif /* DEBUG */
+    { "\x55\x1d\x17", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-invalidityDate",
+    "Invalid Date",
+#endif /* DEBUG */
+    { "\x55\x1d\x18", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-deltaCRLIndicator",
+    "Delta CRL Indicator",
+#endif /* DEBUG */
+    { "\x55\x1d\x1b", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-issuingDistributionPoint",
+    "Issuing Distribution Point",
+#endif /* DEBUG */
+    { "\x55\x1d\x1c", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-certificateIssuer",
+    "Certificate Issuer",
+#endif /* DEBUG */
+    { "\x55\x1d\x1d", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-nameConstraints",
+    "Certificate Name Constraints",
+#endif /* DEBUG */
+    { "\x55\x1d\x1e", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-cRLDistributionPoints",
+    "CRL Distribution Points",
+#endif /* DEBUG */
+    { "\x55\x1d\x1f", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-certificatePolicies",
+    "Certificate Policies",
+#endif /* DEBUG */
+    { "\x55\x1d\x20", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-policyMappings",
+    "Certificate Policy Mappings",
+#endif /* DEBUG */
+    { "\x55\x1d\x21", 3 }
+  },
+  {
+#ifdef DEBUG
+    "policy-constraints",
+    "Certificate Policy Constraints (old)",
+#endif /* DEBUG */
+    { "\x55\x1d\x22", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-authorityKeyIdentifier",
+    "Certificate Authority Key Identifier",
+#endif /* DEBUG */
+    { "\x55\x1d\x23", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-policyConstraints",
+    "Certificate Policy Constraints",
+#endif /* DEBUG */
+    { "\x55\x1d\x24", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-ce-extKeyUsage",
+    "Extended Key Usage",
+#endif /* DEBUG */
+    { "\x55\x1d\x25", 3 }
+  },
+  {
+#ifdef DEBUG
+    "id-mgt",
+    "X.500 Management Object",
+#endif /* DEBUG */
+    { "\x55\x1e", 2 }
+  },
+  {
+#ifdef DEBUG
+    "x400",
+    "X.400 MHS",
+#endif /* DEBUG */
+    { "\x56", 1 }
+  },
+  {
+#ifdef DEBUG
+    "ccr",
+    "Committment, Concurrency and Recovery",
+#endif /* DEBUG */
+    { "\x57", 1 }
+  },
+  {
+#ifdef DEBUG
+    "oda",
+    "Office Document Architecture",
+#endif /* DEBUG */
+    { "\x58", 1 }
+  },
+  {
+#ifdef DEBUG
+    "osi-management",
+    "OSI management",
+#endif /* DEBUG */
+    { "\x59", 1 }
+  },
+  {
+#ifdef DEBUG
+    "tp",
+    "Transaction Processing",
+#endif /* DEBUG */
+    { "\x5a", 1 }
+  },
+  {
+#ifdef DEBUG
+    "dor",
+    "Distinguished Object Reference",
+#endif /* DEBUG */
+    { "\x5b", 1 }
+  },
+  {
+#ifdef DEBUG
+    "rdt",
+    "Referenced Data Transfer",
+#endif /* DEBUG */
+    { "\x5c", 1 }
+  },
+  {
+#ifdef DEBUG
+    "nlm",
+    "Network Layer Management",
+#endif /* DEBUG */
+    { "\x5d", 1 }
+  },
+  {
+#ifdef DEBUG
+    "tlm",
+    "Transport Layer Management",
+#endif /* DEBUG */
+    { "\x5e", 1 }
+  },
+  {
+#ifdef DEBUG
+    "llm",
+    "Link Layer Management",
+#endif /* DEBUG */
+    { "\x5f", 1 }
+  },
+  {
+#ifdef DEBUG
+    "country",
+    "Country Assignments",
+#endif /* DEBUG */
+    { "\x60", 1 }
+  },
+  {
+#ifdef DEBUG
+    "canada",
+    "Canada",
+#endif /* DEBUG */
+    { "\x60\x7c", 2 }
+  },
+  {
+#ifdef DEBUG
+    "taiwan",
+    "Taiwan",
+#endif /* DEBUG */
+    { "\x60\x81\x1e", 3 }
+  },
+  {
+#ifdef DEBUG
+    "norway",
+    "Norway",
+#endif /* DEBUG */
+    { "\x60\x84\x42", 3 }
+  },
+  {
+#ifdef DEBUG
+    "switzerland",
+    "Switzerland",
+#endif /* DEBUG */
+    { "\x60\x85\x74", 3 }
+  },
+  {
+#ifdef DEBUG
+    "us",
+    "United States",
+#endif /* DEBUG */
+    { "\x60\x86\x48", 3 }
+  },
+  {
+#ifdef DEBUG
+    "us-company",
+    "United States Company",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01", 4 }
+  },
+  {
+#ifdef DEBUG
+    "us-government",
+    "United States Government (1.101)",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65", 5 }
+  },
+  {
+#ifdef DEBUG
+    "us-dod",
+    "United States Department of Defense",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02", 6 }
+  },
+  {
+#ifdef DEBUG
+    "id-infosec",
+    "US DOD Infosec",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01", 7 }
+  },
+  {
+#ifdef DEBUG
+    "id-modules",
+    "US DOD Infosec modules",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x00", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-algorithms",
+    "US DOD Infosec algorithms (MISSI)",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x01", 8 }
+  },
+  {
+#ifdef DEBUG
+    "old-dss",
+    "MISSI DSS Algorithm (Old)",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x01\x02", 9 }
+  },
+  {
+#ifdef DEBUG
+    "skipjack-cbc-64",
+    "Skipjack CBC64",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x01\x04", 9 }
+  },
+  {
+#ifdef DEBUG
+    "kea",
+    "MISSI KEA Algorithm",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x01\x0a", 9 }
+  },
+  {
+#ifdef DEBUG
+    "old-kea-dss",
+    "MISSI KEA and DSS Algorithm (Old)",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x01\x0c", 9 }
+  },
+  {
+#ifdef DEBUG
+    "dss",
+    "MISSI DSS Algorithm",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x01\x13", 9 }
+  },
+  {
+#ifdef DEBUG
+    "kea-dss",
+    "MISSI KEA and DSS Algorithm",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x01\x14", 9 }
+  },
+  {
+#ifdef DEBUG
+    "alt-kea",
+    "MISSI Alternate KEA Algorithm",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x01\x16", 9 }
+  },
+  {
+#ifdef DEBUG
+    "id-formats",
+    "US DOD Infosec formats",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x02", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-policy",
+    "US DOD Infosec policy",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x03", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-object-classes",
+    "US DOD Infosec object classes",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x04", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-attributes",
+    "US DOD Infosec attributes",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x05", 8 }
+  },
+  {
+#ifdef DEBUG
+    "id-attribute-syntax",
+    "US DOD Infosec attribute syntax",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x65\x02\x01\x06", 8 }
+  },
+  {
+#ifdef DEBUG
+    "netscape",
+    "Netscape Communications Corp.",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42", 7 }
+  },
+  {
+#ifdef DEBUG
+    "cert-ext",
+    "Netscape Cert Extensions",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01", 8 }
+  },
+  {
+#ifdef DEBUG
+    "cert-type",
+    "Certificate Type",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "base-url",
+    "Certificate Extension Base URL",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x02", 9 }
+  },
+  {
+#ifdef DEBUG
+    "revocation-url",
+    "Certificate Revocation URL",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x03", 9 }
+  },
+  {
+#ifdef DEBUG
+    "ca-revocation-url",
+    "Certificate Authority Revocation URL",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x04", 9 }
+  },
+  {
+#ifdef DEBUG
+    "ca-crl-download-url",
+    "Certificate Authority CRL Download URL",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x05", 9 }
+  },
+  {
+#ifdef DEBUG
+    "ca-cert-url",
+    "Certificate Authority Certificate Download URL",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x06", 9 }
+  },
+  {
+#ifdef DEBUG
+    "renewal-url",
+    "Certificate Renewal URL",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x07", 9 }
+  },
+  {
+#ifdef DEBUG
+    "ca-policy-url",
+    "Certificate Authority Policy URL",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x08", 9 }
+  },
+  {
+#ifdef DEBUG
+    "homepage-url",
+    "Certificate Homepage URL",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x09", 9 }
+  },
+  {
+#ifdef DEBUG
+    "entity-logo",
+    "Certificate Entity Logo",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x0a", 9 }
+  },
+  {
+#ifdef DEBUG
+    "user-picture",
+    "Certificate User Picture",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x0b", 9 }
+  },
+  {
+#ifdef DEBUG
+    "ssl-server-name",
+    "Certificate SSL Server Name",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x0c", 9 }
+  },
+  {
+#ifdef DEBUG
+    "comment",
+    "Certificate Comment",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x0d", 9 }
+  },
+  {
+#ifdef DEBUG
+    "thayes",
+    "",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x01\x0e", 9 }
+  },
+  {
+#ifdef DEBUG
+    "data-type",
+    "Netscape Data Types",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x02", 8 }
+  },
+  {
+#ifdef DEBUG
+    "gif",
+    "image/gif",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x02\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "jpeg",
+    "image/jpeg",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x02\x02", 9 }
+  },
+  {
+#ifdef DEBUG
+    "url",
+    "URL",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x02\x03", 9 }
+  },
+  {
+#ifdef DEBUG
+    "html",
+    "text/html",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x02\x04", 9 }
+  },
+  {
+#ifdef DEBUG
+    "cert-sequence",
+    "Certificate Sequence",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x02\x05", 9 }
+  },
+  {
+#ifdef DEBUG
+    "directory",
+    "Netscape Directory",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x03", 8 }
+  },
+  {
+#ifdef DEBUG
+    "policy",
+    "Netscape Policy Type OIDs",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x04", 8 }
+  },
+  {
+#ifdef DEBUG
+    "export-approved",
+    "Strong Crypto Export Approved",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x04\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "cert-server",
+    "Netscape Certificate Server",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x05", 8 }
+  },
+  {
+#ifdef DEBUG
+    "",
+    "",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x05\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "recovery-request",
+    "Netscape Cert Server Recovery Request",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x05\x01\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "algs",
+    "Netscape algorithm OIDs",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x06", 8 }
+  },
+  {
+#ifdef DEBUG
+    "smime-kea",
+    "Netscape S/MIME KEA",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x06\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "name-components",
+    "Netscape Name Components",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x07", 8 }
+  },
+  {
+#ifdef DEBUG
+    "nickname",
+    "Netscape Nickname",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x42\x07\x01", 9 }
+  },
+  {
+#ifdef DEBUG
+    "verisign",
+    "Verisign",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x45", 7 }
+  },
+  {
+#ifdef DEBUG
+    "",
+    "",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x45\x01", 8 }
+  },
+  {
+#ifdef DEBUG
+    "",
+    "",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x45\x01\x07", 9 }
+  },
+  {
+#ifdef DEBUG
+    "",
+    "",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x45\x01\x07\x01", 10 }
+  },
+  {
+#ifdef DEBUG
+    "verisign-user-notices",
+    "Verisign User Notices",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x01\x86\xf8\x45\x01\x07\x01\x01", 11 }
+  },
+  {
+#ifdef DEBUG
+    "us-government",
+    "US Government (101)",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x65", 4 }
+  },
+  {
+#ifdef DEBUG
+    "us-government2",
+    "US Government (102)",
+#endif /* DEBUG */
+    { "\x60\x86\x48\x66", 4 }
+  },
+  {
+#ifdef DEBUG
+    "old-netscape",
+    "Netscape Communications Corp. (Old)",
+#endif /* DEBUG */
+    { "\x60\x86\x48\xd8\x6a", 5 }
+  },
+  {
+#ifdef DEBUG
+    "ns-cert-ext",
+    "Netscape Cert Extensions (Old NS)",
+#endif /* DEBUG */
+    { "\x60\x86\x48\xd8\x6a\x01", 6 }
+  },
+  {
+#ifdef DEBUG
+    "netscape-ok",
+    "Netscape says this cert is ok (Old NS)",
+#endif /* DEBUG */
+    { "\x60\x86\x48\xd8\x6a\x01\x01", 7 }
+  },
+  {
+#ifdef DEBUG
+    "issuer-logo",
+    "Certificate Issuer Logo (Old NS)",
+#endif /* DEBUG */
+    { "\x60\x86\x48\xd8\x6a\x01\x02", 7 }
+  },
+  {
+#ifdef DEBUG
+    "subject-logo",
+    "Certificate Subject Logo (Old NS)",
+#endif /* DEBUG */
+    { "\x60\x86\x48\xd8\x6a\x01\x03", 7 }
+  },
+  {
+#ifdef DEBUG
+    "ns-file-type",
+    "Netscape File Type",
+#endif /* DEBUG */
+    { "\x60\x86\x48\xd8\x6a\x02", 6 }
+  },
+  {
+#ifdef DEBUG
+    "ns-image-type",
+    "Netscape Image Type",
+#endif /* DEBUG */
+    { "\x60\x86\x48\xd8\x6a\x03", 6 }
+  },
+  {
+#ifdef DEBUG
+    "registration-procedures",
+    "Registration procedures",
+#endif /* DEBUG */
+    { "\x61", 1 }
+  },
+  {
+#ifdef DEBUG
+    "physical-layer-management",
+    "Physical layer Management",
+#endif /* DEBUG */
+    { "\x62", 1 }
+  },
+  {
+#ifdef DEBUG
+    "mheg",
+    "MHEG",
+#endif /* DEBUG */
+    { "\x63", 1 }
+  },
+  {
+#ifdef DEBUG
+    "guls",
+    "Generic Upper Layer Security",
+#endif /* DEBUG */
+    { "\x64", 1 }
+  },
+  {
+#ifdef DEBUG
+    "tls",
+    "Transport Layer Security Protocol",
+#endif /* DEBUG */
+    { "\x65", 1 }
+  },
+  {
+#ifdef DEBUG
+    "nls",
+    "Network Layer Security Protocol",
+#endif /* DEBUG */
+    { "\x66", 1 }
+  },
+  {
+#ifdef DEBUG
+    "organization",
+    "International organizations",
+#endif /* DEBUG */
+    { "\x67", 1 }
+  }
+};
+
+const PRUint32 nss_builtin_oid_count = 379;
+
+const NSSOID *NSS_OID_RFC1274_UID = (NSSOID *)&nss_builtin_oids[11];
+const NSSOID *NSS_OID_RFC1274_EMAIL = (NSSOID *)&nss_builtin_oids[12];
+const NSSOID *NSS_OID_RFC2247_DC = (NSSOID *)&nss_builtin_oids[13];
+const NSSOID *NSS_OID_ANSIX9_DSA_SIGNATURE = (NSSOID *)&nss_builtin_oids[43];
+const NSSOID *NSS_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST = (NSSOID *)&nss_builtin_oids[44];
+const NSSOID *NSS_OID_X942_DIFFIE_HELMAN_KEY = (NSSOID *)&nss_builtin_oids[47];
+const NSSOID *NSS_OID_PKCS1_RSA_ENCRYPTION = (NSSOID *)&nss_builtin_oids[52];
+const NSSOID *NSS_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION = (NSSOID *)&nss_builtin_oids[53];
+const NSSOID *NSS_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION = (NSSOID *)&nss_builtin_oids[54];
+const NSSOID *NSS_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION = (NSSOID *)&nss_builtin_oids[55];
+const NSSOID *NSS_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION = (NSSOID *)&nss_builtin_oids[56];
+const NSSOID *NSS_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC = (NSSOID *)&nss_builtin_oids[58];
+const NSSOID *NSS_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC = (NSSOID *)&nss_builtin_oids[59];
+const NSSOID *NSS_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC = (NSSOID *)&nss_builtin_oids[60];
+const NSSOID *NSS_OID_PKCS7 = (NSSOID *)&nss_builtin_oids[61];
+const NSSOID *NSS_OID_PKCS7_DATA = (NSSOID *)&nss_builtin_oids[62];
+const NSSOID *NSS_OID_PKCS7_SIGNED_DATA = (NSSOID *)&nss_builtin_oids[63];
+const NSSOID *NSS_OID_PKCS7_ENVELOPED_DATA = (NSSOID *)&nss_builtin_oids[64];
+const NSSOID *NSS_OID_PKCS7_SIGNED_ENVELOPED_DATA = (NSSOID *)&nss_builtin_oids[65];
+const NSSOID *NSS_OID_PKCS7_DIGESTED_DATA = (NSSOID *)&nss_builtin_oids[66];
+const NSSOID *NSS_OID_PKCS7_ENCRYPTED_DATA = (NSSOID *)&nss_builtin_oids[67];
+const NSSOID *NSS_OID_PKCS9_EMAIL_ADDRESS = (NSSOID *)&nss_builtin_oids[69];
+const NSSOID *NSS_OID_PKCS9_UNSTRUCTURED_NAME = (NSSOID *)&nss_builtin_oids[70];
+const NSSOID *NSS_OID_PKCS9_CONTENT_TYPE = (NSSOID *)&nss_builtin_oids[71];
+const NSSOID *NSS_OID_PKCS9_MESSAGE_DIGEST = (NSSOID *)&nss_builtin_oids[72];
+const NSSOID *NSS_OID_PKCS9_SIGNING_TIME = (NSSOID *)&nss_builtin_oids[73];
+const NSSOID *NSS_OID_PKCS9_COUNTER_SIGNATURE = (NSSOID *)&nss_builtin_oids[74];
+const NSSOID *NSS_OID_PKCS9_CHALLENGE_PASSWORD = (NSSOID *)&nss_builtin_oids[75];
+const NSSOID *NSS_OID_PKCS9_UNSTRUCTURED_ADDRESS = (NSSOID *)&nss_builtin_oids[76];
+const NSSOID *NSS_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES = (NSSOID *)&nss_builtin_oids[77];
+const NSSOID *NSS_OID_PKCS9_SMIME_CAPABILITIES = (NSSOID *)&nss_builtin_oids[78];
+const NSSOID *NSS_OID_PKCS9_FRIENDLY_NAME = (NSSOID *)&nss_builtin_oids[79];
+const NSSOID *NSS_OID_PKCS9_LOCAL_KEY_ID = (NSSOID *)&nss_builtin_oids[80];
+const NSSOID *NSS_OID_PKCS9_X509_CERT = (NSSOID *)&nss_builtin_oids[82];
+const NSSOID *NSS_OID_PKCS9_SDSI_CERT = (NSSOID *)&nss_builtin_oids[83];
+const NSSOID *NSS_OID_PKCS9_X509_CRL = (NSSOID *)&nss_builtin_oids[85];
+const NSSOID *NSS_OID_PKCS12 = (NSSOID *)&nss_builtin_oids[86];
+const NSSOID *NSS_OID_PKCS12_PBE_IDS = (NSSOID *)&nss_builtin_oids[87];
+const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4 = (NSSOID *)&nss_builtin_oids[88];
+const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4 = (NSSOID *)&nss_builtin_oids[89];
+const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_3_KEY_TRIPLE_DES_CBC = (NSSOID *)&nss_builtin_oids[90];
+const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_2_KEY_TRIPLE_DES_CBC = (NSSOID *)&nss_builtin_oids[91];
+const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC = (NSSOID *)&nss_builtin_oids[92];
+const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC = (NSSOID *)&nss_builtin_oids[93];
+const NSSOID *NSS_OID_PKCS12_KEY_BAG = (NSSOID *)&nss_builtin_oids[120];
+const NSSOID *NSS_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG = (NSSOID *)&nss_builtin_oids[121];
+const NSSOID *NSS_OID_PKCS12_CERT_BAG = (NSSOID *)&nss_builtin_oids[122];
+const NSSOID *NSS_OID_PKCS12_CRL_BAG = (NSSOID *)&nss_builtin_oids[123];
+const NSSOID *NSS_OID_PKCS12_SECRET_BAG = (NSSOID *)&nss_builtin_oids[124];
+const NSSOID *NSS_OID_PKCS12_SAFE_CONTENTS_BAG = (NSSOID *)&nss_builtin_oids[125];
+const NSSOID *NSS_OID_MD2 = (NSSOID *)&nss_builtin_oids[127];
+const NSSOID *NSS_OID_MD4 = (NSSOID *)&nss_builtin_oids[128];
+const NSSOID *NSS_OID_MD5 = (NSSOID *)&nss_builtin_oids[129];
+const NSSOID *NSS_OID_RC2_CBC = (NSSOID *)&nss_builtin_oids[131];
+const NSSOID *NSS_OID_RC4 = (NSSOID *)&nss_builtin_oids[132];
+const NSSOID *NSS_OID_DES_EDE3_CBC = (NSSOID *)&nss_builtin_oids[133];
+const NSSOID *NSS_OID_RC5_CBC_PAD = (NSSOID *)&nss_builtin_oids[134];
+const NSSOID *NSS_OID_X509_AUTH_INFO_ACCESS = (NSSOID *)&nss_builtin_oids[154];
+const NSSOID *NSS_OID_PKIX_CPS_POINTER_QUALIFIER = (NSSOID *)&nss_builtin_oids[156];
+const NSSOID *NSS_OID_PKIX_USER_NOTICE_QUALIFIER = (NSSOID *)&nss_builtin_oids[157];
+const NSSOID *NSS_OID_EXT_KEY_USAGE_SERVER_AUTH = (NSSOID *)&nss_builtin_oids[159];
+const NSSOID *NSS_OID_EXT_KEY_USAGE_CLIENT_AUTH = (NSSOID *)&nss_builtin_oids[160];
+const NSSOID *NSS_OID_EXT_KEY_USAGE_CODE_SIGN = (NSSOID *)&nss_builtin_oids[161];
+const NSSOID *NSS_OID_EXT_KEY_USAGE_EMAIL_PROTECTION = (NSSOID *)&nss_builtin_oids[162];
+const NSSOID *NSS_OID_EXT_KEY_USAGE_IPSEC_END_SYSTEM = (NSSOID *)&nss_builtin_oids[163];
+const NSSOID *NSS_OID_EXT_KEY_USAGE_IPSEC_TUNNEL = (NSSOID *)&nss_builtin_oids[164];
+const NSSOID *NSS_OID_EXT_KEY_USAGE_IPSEC_USER = (NSSOID *)&nss_builtin_oids[165];
+const NSSOID *NSS_OID_EXT_KEY_USAGE_TIME_STAMP = (NSSOID *)&nss_builtin_oids[166];
+const NSSOID *NSS_OID_OCSP_RESPONDER = (NSSOID *)&nss_builtin_oids[167];
+const NSSOID *NSS_OID_PKIX_REGCTRL_REGTOKEN = (NSSOID *)&nss_builtin_oids[171];
+const NSSOID *NSS_OID_PKIX_REGCTRL_AUTHENTICATOR = (NSSOID *)&nss_builtin_oids[172];
+const NSSOID *NSS_OID_PKIX_REGCTRL_PKIPUBINFO = (NSSOID *)&nss_builtin_oids[173];
+const NSSOID *NSS_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS = (NSSOID *)&nss_builtin_oids[174];
+const NSSOID *NSS_OID_PKIX_REGCTRL_OLD_CERT_ID = (NSSOID *)&nss_builtin_oids[175];
+const NSSOID *NSS_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY = (NSSOID *)&nss_builtin_oids[176];
+const NSSOID *NSS_OID_PKIX_REGINFO_UTF8_PAIRS = (NSSOID *)&nss_builtin_oids[178];
+const NSSOID *NSS_OID_PKIX_REGINFO_CERT_REQUEST = (NSSOID *)&nss_builtin_oids[179];
+const NSSOID *NSS_OID_OID_PKIX_OCSP = (NSSOID *)&nss_builtin_oids[181];
+const NSSOID *NSS_OID_PKIX_OCSP_BASIC_RESPONSE = (NSSOID *)&nss_builtin_oids[182];
+const NSSOID *NSS_OID_PKIX_OCSP_NONCE = (NSSOID *)&nss_builtin_oids[183];
+const NSSOID *NSS_OID_PKIX_OCSP_RESPONSE = (NSSOID *)&nss_builtin_oids[184];
+const NSSOID *NSS_OID_PKIX_OCSP_CRL = (NSSOID *)&nss_builtin_oids[185];
+const NSSOID *NSS_OID_X509_OCSP_NO_CHECK = (NSSOID *)&nss_builtin_oids[186];
+const NSSOID *NSS_OID_PKIX_OCSP_ARCHIVE_CUTOFF = (NSSOID *)&nss_builtin_oids[187];
+const NSSOID *NSS_OID_PKIX_OCSP_SERVICE_LOCATOR = (NSSOID *)&nss_builtin_oids[188];
+const NSSOID *NSS_OID_DES_ECB = (NSSOID *)&nss_builtin_oids[198];
+const NSSOID *NSS_OID_DES_CBC = (NSSOID *)&nss_builtin_oids[199];
+const NSSOID *NSS_OID_DES_OFB = (NSSOID *)&nss_builtin_oids[200];
+const NSSOID *NSS_OID_DES_CFB = (NSSOID *)&nss_builtin_oids[201];
+const NSSOID *NSS_OID_DES_MAC = (NSSOID *)&nss_builtin_oids[202];
+const NSSOID *NSS_OID_ISO_SHA_WITH_RSA_SIGNATURE = (NSSOID *)&nss_builtin_oids[203];
+const NSSOID *NSS_OID_DES_EDE = (NSSOID *)&nss_builtin_oids[204];
+const NSSOID *NSS_OID_SHA1 = (NSSOID *)&nss_builtin_oids[205];
+const NSSOID *NSS_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST = (NSSOID *)&nss_builtin_oids[206];
+const NSSOID *NSS_OID_X520_COMMON_NAME = (NSSOID *)&nss_builtin_oids[231];
+const NSSOID *NSS_OID_X520_SURNAME = (NSSOID *)&nss_builtin_oids[232];
+const NSSOID *NSS_OID_X520_COUNTRY_NAME = (NSSOID *)&nss_builtin_oids[233];
+const NSSOID *NSS_OID_X520_LOCALITY_NAME = (NSSOID *)&nss_builtin_oids[234];
+const NSSOID *NSS_OID_X520_STATE_OR_PROVINCE_NAME = (NSSOID *)&nss_builtin_oids[235];
+const NSSOID *NSS_OID_X520_ORGANIZATION_NAME = (NSSOID *)&nss_builtin_oids[236];
+const NSSOID *NSS_OID_X520_ORGANIZATIONAL_UNIT_NAME = (NSSOID *)&nss_builtin_oids[237];
+const NSSOID *NSS_OID_X520_TITLE = (NSSOID *)&nss_builtin_oids[238];
+const NSSOID *NSS_OID_X520_NAME = (NSSOID *)&nss_builtin_oids[239];
+const NSSOID *NSS_OID_X520_GIVEN_NAME = (NSSOID *)&nss_builtin_oids[240];
+const NSSOID *NSS_OID_X520_INITIALS = (NSSOID *)&nss_builtin_oids[241];
+const NSSOID *NSS_OID_X520_GENERATION_QUALIFIER = (NSSOID *)&nss_builtin_oids[242];
+const NSSOID *NSS_OID_X520_DN_QUALIFIER = (NSSOID *)&nss_builtin_oids[243];
+const NSSOID *NSS_OID_X500_RSA_ENCRYPTION = (NSSOID *)&nss_builtin_oids[249];
+const NSSOID *NSS_OID_X509_SUBJECT_DIRECTORY_ATTR = (NSSOID *)&nss_builtin_oids[268];
+const NSSOID *NSS_OID_X509_SUBJECT_DIRECTORY_ATTRIBUTES = (NSSOID *)&nss_builtin_oids[269];
+const NSSOID *NSS_OID_X509_SUBJECT_KEY_ID = (NSSOID *)&nss_builtin_oids[270];
+const NSSOID *NSS_OID_X509_KEY_USAGE = (NSSOID *)&nss_builtin_oids[271];
+const NSSOID *NSS_OID_X509_PRIVATE_KEY_USAGE_PERIOD = (NSSOID *)&nss_builtin_oids[272];
+const NSSOID *NSS_OID_X509_SUBJECT_ALT_NAME = (NSSOID *)&nss_builtin_oids[273];
+const NSSOID *NSS_OID_X509_ISSUER_ALT_NAME = (NSSOID *)&nss_builtin_oids[274];
+const NSSOID *NSS_OID_X509_BASIC_CONSTRAINTS = (NSSOID *)&nss_builtin_oids[275];
+const NSSOID *NSS_OID_X509_CRL_NUMBER = (NSSOID *)&nss_builtin_oids[276];
+const NSSOID *NSS_OID_X509_REASON_CODE = (NSSOID *)&nss_builtin_oids[277];
+const NSSOID *NSS_OID_X509_HOLD_INSTRUCTION_CODE = (NSSOID *)&nss_builtin_oids[278];
+const NSSOID *NSS_OID_X509_INVALID_DATE = (NSSOID *)&nss_builtin_oids[279];
+const NSSOID *NSS_OID_X509_DELTA_CRL_INDICATOR = (NSSOID *)&nss_builtin_oids[280];
+const NSSOID *NSS_OID_X509_ISSUING_DISTRIBUTION_POINT = (NSSOID *)&nss_builtin_oids[281];
+const NSSOID *NSS_OID_X509_CERTIFICATE_ISSUER = (NSSOID *)&nss_builtin_oids[282];
+const NSSOID *NSS_OID_X509_NAME_CONSTRAINTS = (NSSOID *)&nss_builtin_oids[283];
+const NSSOID *NSS_OID_X509_CRL_DIST_POINTS = (NSSOID *)&nss_builtin_oids[284];
+const NSSOID *NSS_OID_X509_CERTIFICATE_POLICIES = (NSSOID *)&nss_builtin_oids[285];
+const NSSOID *NSS_OID_X509_POLICY_MAPPINGS = (NSSOID *)&nss_builtin_oids[286];
+const NSSOID *NSS_OID_X509_AUTH_KEY_ID = (NSSOID *)&nss_builtin_oids[288];
+const NSSOID *NSS_OID_X509_POLICY_CONSTRAINTS = (NSSOID *)&nss_builtin_oids[289];
+const NSSOID *NSS_OID_X509_EXT_KEY_USAGE = (NSSOID *)&nss_builtin_oids[290];
+const NSSOID *NSS_OID_MISSI_DSS_OLD = (NSSOID *)&nss_builtin_oids[314];
+const NSSOID *NSS_OID_FORTEZZA_SKIPJACK = (NSSOID *)&nss_builtin_oids[315];
+const NSSOID *NSS_OID_MISSI_KEA = (NSSOID *)&nss_builtin_oids[316];
+const NSSOID *NSS_OID_MISSI_KEA_DSS_OLD = (NSSOID *)&nss_builtin_oids[317];
+const NSSOID *NSS_OID_MISSI_DSS = (NSSOID *)&nss_builtin_oids[318];
+const NSSOID *NSS_OID_MISSI_KEA_DSS = (NSSOID *)&nss_builtin_oids[319];
+const NSSOID *NSS_OID_MISSI_ALT_KEY = (NSSOID *)&nss_builtin_oids[320];
+const NSSOID *NSS_OID_NS_CERT_EXT_CERT_TYPE = (NSSOID *)&nss_builtin_oids[328];
+const NSSOID *NSS_OID_NS_CERT_EXT_BASE_URL = (NSSOID *)&nss_builtin_oids[329];
+const NSSOID *NSS_OID_NS_CERT_EXT_REVOCATION_URL = (NSSOID *)&nss_builtin_oids[330];
+const NSSOID *NSS_OID_NS_CERT_EXT_CA_REVOCATION_URL = (NSSOID *)&nss_builtin_oids[331];
+const NSSOID *NSS_OID_NS_CERT_EXT_CA_CRL_URL = (NSSOID *)&nss_builtin_oids[332];
+const NSSOID *NSS_OID_NS_CERT_EXT_CA_CERT_URL = (NSSOID *)&nss_builtin_oids[333];
+const NSSOID *NSS_OID_NS_CERT_EXT_CERT_RENEWAL_URL = (NSSOID *)&nss_builtin_oids[334];
+const NSSOID *NSS_OID_NS_CERT_EXT_CA_POLICY_URL = (NSSOID *)&nss_builtin_oids[335];
+const NSSOID *NSS_OID_NS_CERT_EXT_HOMEPAGE_URL = (NSSOID *)&nss_builtin_oids[336];
+const NSSOID *NSS_OID_NS_CERT_EXT_ENTITY_LOGO = (NSSOID *)&nss_builtin_oids[337];
+const NSSOID *NSS_OID_NS_CERT_EXT_USER_PICTURE = (NSSOID *)&nss_builtin_oids[338];
+const NSSOID *NSS_OID_NS_CERT_EXT_SSL_SERVER_NAME = (NSSOID *)&nss_builtin_oids[339];
+const NSSOID *NSS_OID_NS_CERT_EXT_COMMENT = (NSSOID *)&nss_builtin_oids[340];
+const NSSOID *NSS_OID_NS_CERT_EXT_THAYES = (NSSOID *)&nss_builtin_oids[341];
+const NSSOID *NSS_OID_NS_TYPE_GIF = (NSSOID *)&nss_builtin_oids[343];
+const NSSOID *NSS_OID_NS_TYPE_JPEG = (NSSOID *)&nss_builtin_oids[344];
+const NSSOID *NSS_OID_NS_TYPE_URL = (NSSOID *)&nss_builtin_oids[345];
+const NSSOID *NSS_OID_NS_TYPE_HTML = (NSSOID *)&nss_builtin_oids[346];
+const NSSOID *NSS_OID_NS_TYPE_CERT_SEQUENCE = (NSSOID *)&nss_builtin_oids[347];
+const NSSOID *NSS_OID_NS_KEY_USAGE_GOVT_APPROVED = (NSSOID *)&nss_builtin_oids[350];
+const NSSOID *NSS_OID_NETSCAPE_RECOVERY_REQUEST = (NSSOID *)&nss_builtin_oids[353];
+const NSSOID *NSS_OID_NETSCAPE_SMIME_KEA = (NSSOID *)&nss_builtin_oids[355];
+const NSSOID *NSS_OID_NETSCAPE_NICKNAME = (NSSOID *)&nss_builtin_oids[357];
+const NSSOID *NSS_OID_VERISIGN_USER_NOTICES = (NSSOID *)&nss_builtin_oids[362];
+const NSSOID *NSS_OID_NS_CERT_EXT_NETSCAPE_OK = (NSSOID *)&nss_builtin_oids[367];
+const NSSOID *NSS_OID_NS_CERT_EXT_ISSUER_LOGO = (NSSOID *)&nss_builtin_oids[368];
+const NSSOID *NSS_OID_NS_CERT_EXT_SUBJECT_LOGO = (NSSOID *)&nss_builtin_oids[369];
+
+const nssAttributeTypeAliasTable nss_attribute_type_aliases[] = {
+  {
+    "uid",
+    &NSS_OID_RFC1274_UID
+  },
+  {
+    "mail",
+    &NSS_OID_RFC1274_EMAIL
+  },
+  {
+    "dc",
+    &NSS_OID_RFC2247_DC
+  },
+  {
+    "cn",
+    &NSS_OID_X520_COMMON_NAME
+  },
+  {
+    "sn",
+    &NSS_OID_X520_SURNAME
+  },
+  {
+    "c",
+    &NSS_OID_X520_COUNTRY_NAME
+  },
+  {
+    "l",
+    &NSS_OID_X520_LOCALITY_NAME
+  },
+  {
+    "s",
+    &NSS_OID_X520_STATE_OR_PROVINCE_NAME
+  },
+  {
+    "o",
+    &NSS_OID_X520_ORGANIZATION_NAME
+  },
+  {
+    "ou",
+    &NSS_OID_X520_ORGANIZATIONAL_UNIT_NAME
+  },
+  {
+    "title",
+    &NSS_OID_X520_TITLE
+  },
+  {
+    "name",
+    &NSS_OID_X520_NAME
+  },
+  {
+    "givenName",
+    &NSS_OID_X520_GIVEN_NAME
+  },
+  {
+    "initials",
+    &NSS_OID_X520_INITIALS
+  },
+  {
+    "generationQualifier",
+    &NSS_OID_X520_GENERATION_QUALIFIER
+  },
+  {
+    "dnQualifier",
+    &NSS_OID_X520_DN_QUALIFIER
+  }
+};
+
+const PRUint32 nss_attribute_type_alias_count = 16;
+
diff --git a/security/nss/lib/pki1/oiddata.h b/security/nss/lib/pki1/oiddata.h
new file mode 100644
index 000000000..d51c37517
--- /dev/null
+++ b/security/nss/lib/pki1/oiddata.h
@@ -0,0 +1,217 @@
+/* THIS IS A GENERATED FILE */
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef OIDDATA_H
+#define OIDDATA_H
+
+#ifdef DEBUG
+static const char OIDDATA_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$ ; @(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef NSSPKI1T_H
+#include "nsspki1t.h"
+#endif /* NSSPKI1T_H */
+
+extern const NSSOID nss_builtin_oids[];
+extern const PRUint32 nss_builtin_oid_count;
+
+/*extern const nssAttributeTypeAliasTable nss_attribute_type_aliases[];*/
+/*extern const PRUint32 nss_attribute_type_alias_count;*/
+
+extern const NSSOID *NSS_OID_RFC1274_UID;
+extern const NSSOID *NSS_OID_RFC1274_EMAIL;
+extern const NSSOID *NSS_OID_RFC2247_DC;
+extern const NSSOID *NSS_OID_ANSIX9_DSA_SIGNATURE;
+extern const NSSOID *NSS_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
+extern const NSSOID *NSS_OID_X942_DIFFIE_HELMAN_KEY;
+extern const NSSOID *NSS_OID_PKCS1_RSA_ENCRYPTION;
+extern const NSSOID *NSS_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;
+extern const NSSOID *NSS_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION;
+extern const NSSOID *NSS_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
+extern const NSSOID *NSS_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
+extern const NSSOID *NSS_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC;
+extern const NSSOID *NSS_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC;
+extern const NSSOID *NSS_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC;
+extern const NSSOID *NSS_OID_PKCS7;
+extern const NSSOID *NSS_OID_PKCS7_DATA;
+extern const NSSOID *NSS_OID_PKCS7_SIGNED_DATA;
+extern const NSSOID *NSS_OID_PKCS7_ENVELOPED_DATA;
+extern const NSSOID *NSS_OID_PKCS7_SIGNED_ENVELOPED_DATA;
+extern const NSSOID *NSS_OID_PKCS7_DIGESTED_DATA;
+extern const NSSOID *NSS_OID_PKCS7_ENCRYPTED_DATA;
+extern const NSSOID *NSS_OID_PKCS9_EMAIL_ADDRESS;
+extern const NSSOID *NSS_OID_PKCS9_UNSTRUCTURED_NAME;
+extern const NSSOID *NSS_OID_PKCS9_CONTENT_TYPE;
+extern const NSSOID *NSS_OID_PKCS9_MESSAGE_DIGEST;
+extern const NSSOID *NSS_OID_PKCS9_SIGNING_TIME;
+extern const NSSOID *NSS_OID_PKCS9_COUNTER_SIGNATURE;
+extern const NSSOID *NSS_OID_PKCS9_CHALLENGE_PASSWORD;
+extern const NSSOID *NSS_OID_PKCS9_UNSTRUCTURED_ADDRESS;
+extern const NSSOID *NSS_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES;
+extern const NSSOID *NSS_OID_PKCS9_SMIME_CAPABILITIES;
+extern const NSSOID *NSS_OID_PKCS9_FRIENDLY_NAME;
+extern const NSSOID *NSS_OID_PKCS9_LOCAL_KEY_ID;
+extern const NSSOID *NSS_OID_PKCS9_X509_CERT;
+extern const NSSOID *NSS_OID_PKCS9_SDSI_CERT;
+extern const NSSOID *NSS_OID_PKCS9_X509_CRL;
+extern const NSSOID *NSS_OID_PKCS12;
+extern const NSSOID *NSS_OID_PKCS12_PBE_IDS;
+extern const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4;
+extern const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4;
+extern const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_3_KEY_TRIPLE_DES_CBC;
+extern const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_2_KEY_TRIPLE_DES_CBC;
+extern const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC;
+extern const NSSOID *NSS_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
+extern const NSSOID *NSS_OID_PKCS12_KEY_BAG;
+extern const NSSOID *NSS_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG;
+extern const NSSOID *NSS_OID_PKCS12_CERT_BAG;
+extern const NSSOID *NSS_OID_PKCS12_CRL_BAG;
+extern const NSSOID *NSS_OID_PKCS12_SECRET_BAG;
+extern const NSSOID *NSS_OID_PKCS12_SAFE_CONTENTS_BAG;
+extern const NSSOID *NSS_OID_MD2;
+extern const NSSOID *NSS_OID_MD4;
+extern const NSSOID *NSS_OID_MD5;
+extern const NSSOID *NSS_OID_RC2_CBC;
+extern const NSSOID *NSS_OID_RC4;
+extern const NSSOID *NSS_OID_DES_EDE3_CBC;
+extern const NSSOID *NSS_OID_RC5_CBC_PAD;
+extern const NSSOID *NSS_OID_X509_AUTH_INFO_ACCESS;
+extern const NSSOID *NSS_OID_PKIX_CPS_POINTER_QUALIFIER;
+extern const NSSOID *NSS_OID_PKIX_USER_NOTICE_QUALIFIER;
+extern const NSSOID *NSS_OID_EXT_KEY_USAGE_SERVER_AUTH;
+extern const NSSOID *NSS_OID_EXT_KEY_USAGE_CLIENT_AUTH;
+extern const NSSOID *NSS_OID_EXT_KEY_USAGE_CODE_SIGN;
+extern const NSSOID *NSS_OID_EXT_KEY_USAGE_EMAIL_PROTECTION;
+extern const NSSOID *NSS_OID_EXT_KEY_USAGE_IPSEC_END_SYSTEM;
+extern const NSSOID *NSS_OID_EXT_KEY_USAGE_IPSEC_TUNNEL;
+extern const NSSOID *NSS_OID_EXT_KEY_USAGE_IPSEC_USER;
+extern const NSSOID *NSS_OID_EXT_KEY_USAGE_TIME_STAMP;
+extern const NSSOID *NSS_OID_OCSP_RESPONDER;
+extern const NSSOID *NSS_OID_PKIX_REGCTRL_REGTOKEN;
+extern const NSSOID *NSS_OID_PKIX_REGCTRL_AUTHENTICATOR;
+extern const NSSOID *NSS_OID_PKIX_REGCTRL_PKIPUBINFO;
+extern const NSSOID *NSS_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS;
+extern const NSSOID *NSS_OID_PKIX_REGCTRL_OLD_CERT_ID;
+extern const NSSOID *NSS_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY;
+extern const NSSOID *NSS_OID_PKIX_REGINFO_UTF8_PAIRS;
+extern const NSSOID *NSS_OID_PKIX_REGINFO_CERT_REQUEST;
+extern const NSSOID *NSS_OID_OID_PKIX_OCSP;
+extern const NSSOID *NSS_OID_PKIX_OCSP_BASIC_RESPONSE;
+extern const NSSOID *NSS_OID_PKIX_OCSP_NONCE;
+extern const NSSOID *NSS_OID_PKIX_OCSP_RESPONSE;
+extern const NSSOID *NSS_OID_PKIX_OCSP_CRL;
+extern const NSSOID *NSS_OID_X509_OCSP_NO_CHECK;
+extern const NSSOID *NSS_OID_PKIX_OCSP_ARCHIVE_CUTOFF;
+extern const NSSOID *NSS_OID_PKIX_OCSP_SERVICE_LOCATOR;
+extern const NSSOID *NSS_OID_DES_ECB;
+extern const NSSOID *NSS_OID_DES_CBC;
+extern const NSSOID *NSS_OID_DES_OFB;
+extern const NSSOID *NSS_OID_DES_CFB;
+extern const NSSOID *NSS_OID_DES_MAC;
+extern const NSSOID *NSS_OID_ISO_SHA_WITH_RSA_SIGNATURE;
+extern const NSSOID *NSS_OID_DES_EDE;
+extern const NSSOID *NSS_OID_SHA1;
+extern const NSSOID *NSS_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST;
+extern const NSSOID *NSS_OID_X520_COMMON_NAME;
+extern const NSSOID *NSS_OID_X520_SURNAME;
+extern const NSSOID *NSS_OID_X520_COUNTRY_NAME;
+extern const NSSOID *NSS_OID_X520_LOCALITY_NAME;
+extern const NSSOID *NSS_OID_X520_STATE_OR_PROVINCE_NAME;
+extern const NSSOID *NSS_OID_X520_ORGANIZATION_NAME;
+extern const NSSOID *NSS_OID_X520_ORGANIZATIONAL_UNIT_NAME;
+extern const NSSOID *NSS_OID_X520_TITLE;
+extern const NSSOID *NSS_OID_X520_NAME;
+extern const NSSOID *NSS_OID_X520_GIVEN_NAME;
+extern const NSSOID *NSS_OID_X520_INITIALS;
+extern const NSSOID *NSS_OID_X520_GENERATION_QUALIFIER;
+extern const NSSOID *NSS_OID_X520_DN_QUALIFIER;
+extern const NSSOID *NSS_OID_X500_RSA_ENCRYPTION;
+extern const NSSOID *NSS_OID_X509_SUBJECT_DIRECTORY_ATTR;
+extern const NSSOID *NSS_OID_X509_SUBJECT_DIRECTORY_ATTRIBUTES;
+extern const NSSOID *NSS_OID_X509_SUBJECT_KEY_ID;
+extern const NSSOID *NSS_OID_X509_KEY_USAGE;
+extern const NSSOID *NSS_OID_X509_PRIVATE_KEY_USAGE_PERIOD;
+extern const NSSOID *NSS_OID_X509_SUBJECT_ALT_NAME;
+extern const NSSOID *NSS_OID_X509_ISSUER_ALT_NAME;
+extern const NSSOID *NSS_OID_X509_BASIC_CONSTRAINTS;
+extern const NSSOID *NSS_OID_X509_CRL_NUMBER;
+extern const NSSOID *NSS_OID_X509_REASON_CODE;
+extern const NSSOID *NSS_OID_X509_HOLD_INSTRUCTION_CODE;
+extern const NSSOID *NSS_OID_X509_INVALID_DATE;
+extern const NSSOID *NSS_OID_X509_DELTA_CRL_INDICATOR;
+extern const NSSOID *NSS_OID_X509_ISSUING_DISTRIBUTION_POINT;
+extern const NSSOID *NSS_OID_X509_CERTIFICATE_ISSUER;
+extern const NSSOID *NSS_OID_X509_NAME_CONSTRAINTS;
+extern const NSSOID *NSS_OID_X509_CRL_DIST_POINTS;
+extern const NSSOID *NSS_OID_X509_CERTIFICATE_POLICIES;
+extern const NSSOID *NSS_OID_X509_POLICY_MAPPINGS;
+extern const NSSOID *NSS_OID_X509_AUTH_KEY_ID;
+extern const NSSOID *NSS_OID_X509_POLICY_CONSTRAINTS;
+extern const NSSOID *NSS_OID_X509_EXT_KEY_USAGE;
+extern const NSSOID *NSS_OID_MISSI_DSS_OLD;
+extern const NSSOID *NSS_OID_FORTEZZA_SKIPJACK;
+extern const NSSOID *NSS_OID_MISSI_KEA;
+extern const NSSOID *NSS_OID_MISSI_KEA_DSS_OLD;
+extern const NSSOID *NSS_OID_MISSI_DSS;
+extern const NSSOID *NSS_OID_MISSI_KEA_DSS;
+extern const NSSOID *NSS_OID_MISSI_ALT_KEY;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_CERT_TYPE;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_BASE_URL;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_REVOCATION_URL;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_CA_REVOCATION_URL;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_CA_CRL_URL;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_CA_CERT_URL;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_CERT_RENEWAL_URL;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_CA_POLICY_URL;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_HOMEPAGE_URL;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_ENTITY_LOGO;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_USER_PICTURE;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_SSL_SERVER_NAME;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_COMMENT;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_THAYES;
+extern const NSSOID *NSS_OID_NS_TYPE_GIF;
+extern const NSSOID *NSS_OID_NS_TYPE_JPEG;
+extern const NSSOID *NSS_OID_NS_TYPE_URL;
+extern const NSSOID *NSS_OID_NS_TYPE_HTML;
+extern const NSSOID *NSS_OID_NS_TYPE_CERT_SEQUENCE;
+extern const NSSOID *NSS_OID_NS_KEY_USAGE_GOVT_APPROVED;
+extern const NSSOID *NSS_OID_NETSCAPE_RECOVERY_REQUEST;
+extern const NSSOID *NSS_OID_NETSCAPE_SMIME_KEA;
+extern const NSSOID *NSS_OID_NETSCAPE_NICKNAME;
+extern const NSSOID *NSS_OID_VERISIGN_USER_NOTICES;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_NETSCAPE_OK;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_ISSUER_LOGO;
+extern const NSSOID *NSS_OID_NS_CERT_EXT_SUBJECT_LOGO;
+
+#endif /* OIDDATA_H */
diff --git a/security/nss/lib/pki1/oidgen.perl b/security/nss/lib/pki1/oidgen.perl
new file mode 100755
index 000000000..2d644481e
--- /dev/null
+++ b/security/nss/lib/pki1/oidgen.perl
@@ -0,0 +1,313 @@
+#!perl
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+$cvs_id = '@(#) $RCSfile$ $Revision$ $Date$ $Name$';
+$cfile = shift;
+$hfile = shift;
+$count = -1;
+while(<>) {
+  s/^((?:[^"#]+|"[^"]*")*)(\s*#.*$)/$1/;
+  next if (/^\s*$/);
+
+  /^([\S]+)\s+([^"][\S]*|"[^"]*")/;
+  $name = $1;
+  $value = $2;
+  # This is certainly not the best way to dequote the data.
+  $value =~ s/"//g;
+
+  if( $name =~ "OID" ) {
+    $count++;
+    $x[$count]{$name} = $value;
+    $enc = encodeoid($value);
+    $x[$count]{" encoding"} = escapeoid($enc);
+    $x[$count]{" encoding length"} = length($enc);
+  } else {
+    if( $count < 0 ) {
+      $g{$name} = $value;
+    } else {
+      $x[$count]{$name} = $value;
+    }
+  }
+}
+
+# dodump();
+
+doprint($cfile,$hfile);
+
+sub dodump {
+for( $i = 0; $i <= $count; $i++ ) {
+  print "number $i:\n";
+  %y = %{$x[$i]};
+  while(($n,$v) = each(%y)) {
+    print "\t$n ==> $v\n";
+  }
+}
+}
+
+sub doprint {
+open(CFILE, "> $cfile") || die "Can't open $cfile: $!"; 
+open(HFILE, "> $hfile") || die "Can't open $hfile: $!";
+
+print CFILE <<EOD
+/* THIS IS A GENERATED FILE */
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#ifdef DEBUG
+static const char CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
+#endif /* DEBUG */
+
+#ifndef PKI1T_H
+#include "pki1t.h"
+#endif /* PKI1T_H */
+
+const NSSOID nss_builtin_oids[] = {
+EOD
+    ;
+
+for( $i = 0; $i <= $count; $i++ ) {
+  %y = %{$x[$i]};
+  print CFILE "  {\n";
+  print CFILE "#ifdef DEBUG\n";
+  print CFILE "    \"$y{TAG}\",\n";
+  print CFILE "    \"$y{EXPL}\",\n";
+  print CFILE "#endif /* DEBUG */\n";
+  print CFILE "    { \"", $y{" encoding"};
+  print CFILE "\", ", $y{" encoding length"}, " }\n";
+
+  if( $i == $count ) {
+    print CFILE "  }\n";
+  } else {
+    print CFILE "  },\n";
+  }
+}
+
+print CFILE "};\n\n";
+
+print CFILE "const PRUint32 nss_builtin_oid_count = ", ($count+1), ";\n\n";
+
+for( $i = 0; $i <= $count; $i++ ) {
+  %y = %{$x[$i]};
+  if( defined($y{NAME}) ) {
+    print CFILE "const NSSOID *$y{NAME} = (NSSOID *)&nss_builtin_oids[$i];\n";
+  }
+}
+
+print CFILE "\n";
+
+$attrcount = -1;
+for( $i = 0; $i <= $count; $i++ ) {
+  %y = %{$x[$i]};
+  if( defined($y{ATTR}) ) {
+    if( defined($y{NAME}) ) {
+      $attrcount++;
+      $attr[$attrcount]{ATTR} = $y{ATTR};
+      $attr[$attrcount]{NAME} = $y{NAME};
+    } else {
+      warn "Attribute $y{ATTR} has no name, and will be omitted!";
+    }
+  }
+}
+
+print CFILE "const nssAttributeTypeAliasTable nss_attribute_type_aliases[] = {\n";
+
+for( $i = 0; $i <= $attrcount; $i++ ) {
+  %y = %{$attr[$i]};
+  print CFILE "  {\n";
+  print CFILE "    \"$y{ATTR}\",\n";
+  print CFILE "    &$y{NAME}\n";
+
+  if( $i == $attrcount ) {
+    print CFILE "  }\n";
+  } else {
+    print CFILE "  },\n";
+  }
+}
+
+print CFILE "};\n\n";
+
+print CFILE "const PRUint32 nss_attribute_type_alias_count = ", ($attrcount+1), ";\n\n";
+
+print HFILE <<EOD
+/* THIS IS A GENERATED FILE */
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef OIDDATA_H
+#define OIDDATA_H
+
+#ifdef DEBUG
+static const char OIDDATA_CVS_ID[] = "$g{CVS_ID} ; $cvs_id";
+#endif /* DEBUG */
+
+#ifndef NSSPKI1T_H
+#include "nsspki1t.h"
+#endif /* NSSPKI1T_H */
+
+extern const NSSOID nss_builtin_oids[];
+extern const PRUint32 nss_builtin_oid_count;
+
+/*extern const nssAttributeTypeAliasTable nss_attribute_type_aliases[];*/
+/*extern const PRUint32 nss_attribute_type_alias_count;*/
+
+EOD
+    ;
+
+for( $i = 0; $i <= $count; $i++ ) {
+  %y = %{$x[$i]};
+  if( defined($y{NAME}) ) {
+    print HFILE "extern const NSSOID *$y{NAME};\n";
+  }
+}
+
+print HFILE <<EOD
+
+#endif /* OIDDATA_H */
+EOD
+    ;
+
+close CFILE;
+close HFILE;
+}
+
+sub encodenum {
+    my $v = $_[0];
+    my @d;
+    my $i;
+    my $rv = "";
+
+    while( $v > 128 ) {
+        push @d, ($v % 128);
+        $v /= 128;
+    };
+    push @d, ($v%128);
+
+    for( $i = @d-1; $i > 0; $i-- ) {
+        $rv = $rv . chr(128 + $d[$i]);
+    }
+
+    $rv = $rv . chr($d[0]);
+
+    return $rv;
+}
+
+sub encodeoid {
+    my @o = split(/\./, $_[0]);
+    my $rv = "";
+    my $i;
+
+    if( @o < 2 ) {
+        # NSS's special "illegal" encoding
+        return chr(128) . encodenum($o[0]);
+    }
+
+    $rv = encodenum($o[0] * 40 + $o[1]);
+    shift @o; shift @o;
+
+    foreach $i (@o) {
+        $rv = $rv . encodenum($i);
+    }
+
+    return $rv;
+}
+
+sub escapeoid {
+  my @v = unpack("C*", $_[0]);
+  my $a;
+  my $rv = "";
+
+  foreach $a (@v) {
+    $rv = $rv . sprintf("\\x%02x", $a);
+  }
+
+  return $rv;
+}
diff --git a/security/nss/lib/pki1/oids.txt b/security/nss/lib/pki1/oids.txt
new file mode 100644
index 000000000..df7b3ab28
--- /dev/null
+++ b/security/nss/lib/pki1/oids.txt
@@ -0,0 +1,2115 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CVS_ID "@(#) $RCSfile$ $Revision$ $Date$ $Name$"
+
+# Fields
+#  OID  -- the OID data itself, in dotted-number format
+#  TAG  -- the unofficial but common name.  e.g., when written like
+#          { joint-iso-ccitt(2) country(16) US(840) company(1) netscape(113730) }
+#          those words ("joint-iso-ccitt," "country," etc.) are the tags.
+#  EXPL -- a textual explanation, that should stand by itself
+#  NAME -- the name we use in our code.  If no NAME is given, it won't be included
+#
+# Additionally, some sets of OIDs map to some other spaces.. 
+# additional fields capture that data:
+#
+#  CKM  -- the corresponding Cryptoki Mechanism, if any
+#  CKK  -- the corresponding Cryptoki Key type, if any
+#  ATTR -- the UTF-8 attribute type encoding, if applicable
+#          it should be in the standard presentation style (e.g., lowercase),
+#          already-escaped a la RFC 2253 if necessary (which would only
+#          be necessary if some idiot defined an attribute with, say,
+#          an equals sign in it)
+#  CERT_EXTENSION -- SUPPORTED or UNSUPPORTED certificate extension, if applicable
+
+# Top of the OID tree -- see http://www.alvestrand.no/objectid/top.html
+# 
+OID 0
+TAG ccitt               # ITU-T used to be called CCITT
+EXPL "ITU-T"
+
+# See X.208 Annex C for an explanation of the OIDs below ccitt/itu-t
+
+OID 0.0
+TAG recommendation
+EXPL "ITU-T Recommendation"
+
+OID 0.1
+TAG question
+EXPL "ITU-T Question"
+
+OID 0.2
+TAG administration
+EXPL "ITU-T Administration"
+
+OID 0.3
+TAG network-operator
+EXPL "ITU-T Network Operator"
+
+OID 0.4
+TAG identified-organization
+EXPL "ITU-T Identified Organization"
+
+OID 0.9           # used in some RFCs (unofficial!)
+TAG data
+EXPL "RFC Data"
+
+OID 0.9.2342
+TAG pss
+EXPL "PSS British Telecom X.25 Network"
+
+OID 0.9.2342.19200300
+TAG ucl
+EXPL "RFC 1274 UCL Data networks"
+
+OID 0.9.2342.19200300.100
+TAG pilot
+EXPL "RFC 1274 pilot"
+
+OID 0.9.2342.19200300.100.1
+TAG attributeType
+EXPL "RFC 1274 Attribute Type"
+
+OID 0.9.2342.19200300.100.1.1
+TAG uid
+EXPL "RFC 1274 User Id"
+NAME NSS_OID_RFC1274_UID
+ATTR "uid"
+
+OID 0.9.2342.19200300.100.1.3
+TAG mail
+EXPL "RFC 1274 E-mail Addres"
+NAME NSS_OID_RFC1274_EMAIL
+ATTR "mail" # XXX fgmr
+
+OID 0.9.2342.19200300.100.1.25
+TAG dc
+EXPL "RFC 2247 Domain Component"
+NAME NSS_OID_RFC2247_DC
+ATTR "dc"
+
+OID 0.9.2342.19200300.100.3
+TAG attributeSyntax
+EXPL "RFC 1274 Attribute Syntax"
+
+OID 0.9.2342.19200300.100.3.4
+TAG iA5StringSyntax
+EXPL "RFC 1274 IA5 String Attribute Syntax"
+
+OID 0.9.2342.19200300.100.3.5
+TAG caseIgnoreIA5StringSyntax
+EXPL "RFC 1274 Case-Ignore IA5 String Attribute Syntax"
+
+OID 0.9.2342.19200300.100.4
+TAG objectClass
+EXPL "RFC 1274 Object Class"
+
+OID 0.9.2342.19200300.100.10
+TAG groups
+EXPL "RFC 1274 Groups"
+
+OID 0.9.2342.234219200300 
+TAG ucl
+EXPL "RFC 1327 ucl"
+
+OID 1
+TAG iso
+EXPL "ISO"
+
+# See X.208 Annex B for an explanation of the OIDs below iso
+
+OID 1.0
+TAG standard
+EXPL "ISO Standard"
+
+OID 1.1
+TAG registration-authority
+EXPL "ISO Registration Authority"
+
+OID 1.2
+TAG member-body
+EXPL "ISO Member Body"
+
+OID 1.2.36
+TAG australia
+EXPL "Australia (ISO)"
+
+OID 1.2.158
+TAG taiwan
+EXPL "Taiwan (ISO)"
+
+OID 1.2.372 
+TAG ireland
+EXPL "Ireland (ISO)"
+
+OID 1.2.578 
+TAG norway
+EXPL "Norway (ISO)"
+
+OID 1.2.752 
+TAG sweden
+EXPL "Sweden (ISO)"
+
+OID 1.2.826 
+TAG great-britain
+EXPL "Great Britain (ISO)"
+
+OID 1.2.840
+TAG us
+EXPL "United States (ISO)"
+
+OID 1.2.840.1 
+TAG organization
+EXPL "US (ISO) organization"
+
+OID 1.2.840.10003
+TAG ansi-z30-50
+EXPL "ANSI Z39.50"
+
+OID 1.2.840.10008
+TAG dicom
+EXPL "DICOM"
+
+OID 1.2.840.10017
+TAG ieee-1224
+EXPL "IEEE 1224"
+
+OID 1.2.840.10022
+TAG ieee-802-10
+EXPL "IEEE 802.10"
+
+OID 1.2.840.10036
+TAG ieee-802-11
+EXPL "IEEE 802.11"
+
+OID 1.2.840.10040
+TAG x9-57
+EXPL "ANSI X9.57"
+
+# RFC 2459:
+#
+# holdInstruction OBJECT IDENTIFIER ::=
+#           {iso(1) member-body(2) us(840) x9cm(10040) 2}
+#
+# Note that the appendices of RFC 2459 define the (wrong) value
+# of 2.2.840.10040.2 for this oid.
+OID 1.2.840.10040.2
+TAG holdInstruction
+EXPL "ANSI X9.57 Hold Instruction"
+
+# RFC 2459:
+#
+# id-holdinstruction-none OBJECT IDENTIFIER  ::=
+#                 {holdInstruction 1} -- deprecated
+OID 1.2.840.10040.2.1
+TAG id-holdinstruction-none
+EXPL "ANSI X9.57 Hold Instruction: None"
+
+# RFC 2459:
+#
+# id-holdinstruction-callissuer OBJECT IDENTIFIER ::=
+#                 {holdInstruction 2}
+OID 1.2.840.10040.2.2
+TAG id-holdinstruction-callissuer
+EXPL "ANSI X9.57 Hold Instruction: Call Issuer"
+
+# RFC 2459:
+#
+# id-holdinstruction-reject OBJECT IDENTIFIER ::=
+#                 {holdInstruction 3}
+OID 1.2.840.10040.2.3
+TAG id-holdinstruction-reject
+EXPL "ANSI X9.57 Hold Instruction: Reject"
+
+OID 1.2.840.10040.4
+TAG x9algorithm
+EXPL "ANSI X9.57 Algorithm"
+
+# RFC 2459:
+#
+# id-dsa OBJECT IDENTIFIER ::= {
+#      iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }
+OID 1.2.840.10040.4.1
+TAG id-dsa
+EXPL "ANSI X9.57 DSA Signature"
+NAME NSS_OID_ANSIX9_DSA_SIGNATURE
+CKM CKM_DSA
+CKK CKK_DSA
+
+# RFC 2459:
+#
+# id-dsa-with-sha1 OBJECT IDENTIFIER ::=  {
+#      iso(1) member-body(2) us(840) x9-57 (10040) x9algorithm(4) 3 }
+OID 1.2.840.10040.4.3
+TAG id-dsa-with-sha1
+EXPL "ANSI X9.57 Algorithm DSA Signature with SHA-1 Digest"
+NAME NSS_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST
+CKM CKM_DSA_SHA1
+
+OID 1.2.840.10046
+TAG x942
+EXPL "ANSI X9.42"
+
+OID 1.2.840.10046.2
+TAG algorithm
+EXPL "ANSI X9.42 Algorithm"
+
+# RFC 2459:
+#
+# dhpublicnumber OBJECT IDENTIFIER ::= {
+#      iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 }
+OID 1.2.840.10046.2.1
+TAG dhpublicnumber
+EXPL "Diffie-Hellman Public Key Algorithm"
+NAME NSS_OID_X942_DIFFIE_HELMAN_KEY
+CKM CKM_DH_PKCS_DERIVE
+CKK CKK_DH
+
+OID 1.2.840.113533
+TAG entrust
+EXPL "Entrust Technologies"
+
+OID 1.2.840.113549 
+TAG rsadsi
+EXPL "RSA Data Security Inc."
+
+OID 1.2.840.113549.1 
+# http://www.rsa.com/rsalabs/pubs/PKCS/
+TAG pkcs
+EXPL "PKCS"
+
+# RFC 2459:
+#
+# pkcs-1 OBJECT IDENTIFIER ::= {
+#      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 }
+OID 1.2.840.113549.1.1
+# ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-1.asc
+TAG pkcs-1
+EXPL "PKCS #1"
+
+# RFC 2459:
+#
+# rsaEncryption OBJECT IDENTIFIER ::=  { pkcs-1 1 }
+OID 1.2.840.113549.1.1.1
+TAG rsaEncryption
+EXPL "PKCS #1 RSA Encryption"
+NAME NSS_OID_PKCS1_RSA_ENCRYPTION
+CKM CKM_RSA_PKCS
+CKK CKK_RSA
+
+# RFC 2459:
+#
+# md2WithRSAEncryption OBJECT IDENTIFIER  ::=  { pkcs-1 2 }
+OID 1.2.840.113549.1.1.2 
+TAG md2WithRSAEncryption
+EXPL "PKCS #1 MD2 With RSA Encryption"      
+NAME NSS_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION
+CKM CKM_MD2_RSA_PKCS
+
+OID 1.2.840.113549.1.1.3 
+TAG md4WithRSAEncryption
+EXPL "PKCS #1 MD4 With RSA Encryption"      
+NAME NSS_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION
+# No CKM!
+
+# RFC 2459:
+#
+# md5WithRSAEncryption OBJECT IDENTIFIER  ::=  { pkcs-1 4 }
+OID 1.2.840.113549.1.1.4 
+TAG md5WithRSAEncryption
+EXPL "PKCS #1 MD5 With RSA Encryption"      
+NAME NSS_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION
+CKM CKM_MD5_RSA_PKCS
+
+# RFC 2459:
+#
+# sha1WithRSAEncryption OBJECT IDENTIFIER  ::=  { pkcs-1 5 }
+OID 1.2.840.113549.1.1.5 
+TAG sha1WithRSAEncryption
+EXPL "PKCS #1 SHA-1 With RSA Encryption"    
+NAME NSS_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION
+CKM CKM_SHA1_RSA_PKCS
+
+OID 1.2.840.113549.1.5 
+# ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-5.asc
+TAG pkcs-5
+EXPL "PKCS #5"
+
+OID 1.2.840.113549.1.5.1 
+TAG pbeWithMD2AndDES-CBC
+EXPL "PKCS #5 Password Based Encryption With MD2 and DES-CBC"     
+NAME NSS_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC
+CKM CKM_PBE_MD2_DES_CBC
+
+OID 1.2.840.113549.1.5.3 
+TAG pbeWithMD5AndDES-CBC
+EXPL "PKCS #5 Password Based Encryption With MD5 and DES-CBC"     
+NAME NSS_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC
+CKM CKM_PBE_MD5_DES_CBC
+
+OID 1.2.840.113549.1.5.10 
+TAG pbeWithSha1AndDES-CBC
+EXPL "PKCS #5 Password Based Encryption With SHA-1 and DES-CBC"   
+NAME NSS_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC
+CKM CKM_NETSCAPE_PBE_SHA1_DES_CBC
+
+OID 1.2.840.113549.1.7 
+# ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-7.asc
+TAG pkcs-7
+EXPL "PKCS #7"
+NAME NSS_OID_PKCS7
+
+OID 1.2.840.113549.1.7.1
+TAG data
+EXPL "PKCS #7 Data"
+NAME NSS_OID_PKCS7_DATA
+
+OID 1.2.840.113549.1.7.2 
+TAG signedData
+EXPL "PKCS #7 Signed Data"
+NAME NSS_OID_PKCS7_SIGNED_DATA
+
+OID 1.2.840.113549.1.7.3 
+TAG envelopedData
+EXPL "PKCS #7 Enveloped Data"
+NAME NSS_OID_PKCS7_ENVELOPED_DATA
+
+OID 1.2.840.113549.1.7.4 
+TAG signedAndEnvelopedData
+EXPL "PKCS #7 Signed and Enveloped Data"
+NAME NSS_OID_PKCS7_SIGNED_ENVELOPED_DATA
+
+OID 1.2.840.113549.1.7.5 
+TAG digestedData
+EXPL "PKCS #7 Digested Data"
+NAME NSS_OID_PKCS7_DIGESTED_DATA
+
+OID 1.2.840.113549.1.7.6 
+TAG encryptedData
+EXPL "PKCS #7 Encrypted Data"
+NAME NSS_OID_PKCS7_ENCRYPTED_DATA
+
+# RFC 2459:
+#
+# pkcs-9 OBJECT IDENTIFIER ::=
+#        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 }
+OID 1.2.840.113549.1.9 
+# ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-9.asc
+TAG pkcs-9
+EXPL "PKCS #9"
+
+# RFC 2459:
+#
+# emailAddress AttributeType      ::= { pkcs-9 1 }
+OID 1.2.840.113549.1.9.1
+TAG emailAddress
+EXPL "PKCS #9 Email Address"
+NAME NSS_OID_PKCS9_EMAIL_ADDRESS
+
+OID 1.2.840.113549.1.9.2 
+TAG unstructuredName
+EXPL "PKCS #9 Unstructured Name"
+NAME NSS_OID_PKCS9_UNSTRUCTURED_NAME
+
+OID 1.2.840.113549.1.9.3 
+TAG contentType
+EXPL "PKCS #9 Content Type"
+NAME NSS_OID_PKCS9_CONTENT_TYPE
+
+OID 1.2.840.113549.1.9.4 
+TAG messageDigest
+EXPL "PKCS #9 Message Digest"
+NAME NSS_OID_PKCS9_MESSAGE_DIGEST
+
+OID 1.2.840.113549.1.9.5 
+TAG signingTime
+EXPL "PKCS #9 Signing Time"
+NAME NSS_OID_PKCS9_SIGNING_TIME
+
+OID 1.2.840.113549.1.9.6 
+TAG counterSignature
+EXPL "PKCS #9 Counter Signature"
+NAME NSS_OID_PKCS9_COUNTER_SIGNATURE
+
+OID 1.2.840.113549.1.9.7 
+TAG challengePassword
+EXPL "PKCS #9 Challenge Password"
+NAME NSS_OID_PKCS9_CHALLENGE_PASSWORD
+
+OID 1.2.840.113549.1.9.8 
+TAG unstructuredAddress
+EXPL "PKCS #9 Unstructured Address"
+NAME NSS_OID_PKCS9_UNSTRUCTURED_ADDRESS
+
+OID 1.2.840.113549.1.9.9 
+TAG extendedCertificateAttributes
+EXPL "PKCS #9 Extended Certificate Attributes"
+NAME NSS_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES
+
+OID 1.2.840.113549.1.9.15 
+TAG sMIMECapabilities
+EXPL "PKCS #9 S/MIME Capabilities"
+NAME NSS_OID_PKCS9_SMIME_CAPABILITIES
+
+OID 1.2.840.113549.1.9.20
+TAG friendlyName
+EXPL "PKCS #9 Friendly Name"
+NAME NSS_OID_PKCS9_FRIENDLY_NAME
+
+OID 1.2.840.113549.1.9.21
+TAG localKeyID
+EXPL "PKCS #9 Local Key ID"
+NAME NSS_OID_PKCS9_LOCAL_KEY_ID
+
+OID 1.2.840.113549.1.9.22 
+TAG certTypes
+EXPL "PKCS #9 Certificate Types"
+
+OID 1.2.840.113549.1.9.22.1
+TAG x509Certificate
+EXPL "PKCS #9 Certificate Type = X.509"
+NAME NSS_OID_PKCS9_X509_CERT
+
+OID 1.2.840.113549.1.9.22.2
+TAG sdsiCertificate
+EXPL "PKCS #9 Certificate Type = SDSI"
+NAME NSS_OID_PKCS9_SDSI_CERT
+
+OID 1.2.840.113549.1.9.23 
+TAG crlTypes
+EXPL "PKCS #9 Certificate Revocation List Types"
+
+OID 1.2.840.113549.1.9.23.1
+TAG x509Crl
+EXPL "PKCS #9 CRL Type = X.509"
+NAME NSS_OID_PKCS9_X509_CRL
+
+OID 1.2.840.113549.1.12
+# http://www.rsa.com/rsalabs/pubs/PKCS/html/pkcs-12.html
+# NOTE -- PKCS #12                          multiple contradictory
+#         documents exist.  Somebody go figure out the canonical
+#         OID list, keeping in mind backwards-compatability..
+TAG pkcs-12
+EXPL "PKCS #12"
+NAME NSS_OID_PKCS12
+
+OID 1.2.840.113549.1.12.1 
+TAG pkcs-12PbeIds
+EXPL "PKCS #12 Password Based Encryption IDs"
+NAME NSS_OID_PKCS12_PBE_IDS
+# We called it SEC_OID_PKCS12_MODE_IDS
+
+OID 1.2.840.113549.1.12.1.1
+TAG pbeWithSHA1And128BitRC4
+EXPL "PKCS #12 Password Based Encryption With SHA-1 and 128-bit RC4"
+NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4
+CKM CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4
+# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4
+
+OID 1.2.840.113549.1.12.1.2
+TAG pbeWithSHA1And40BitRC4
+EXPL "PKCS #12 Password Based Encryption With SHA-1 and 40-bit RC4"
+NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4
+CKM CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4
+# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4
+
+OID 1.2.840.113549.1.12.1.3
+TAG pbeWithSHA1And3-KeyTripleDES-CBC
+EXPL "PKCS #12 Password Based Encryption With SHA-1 and 3-key Triple DES-CBC"
+NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_3_KEY_TRIPLE_DES_CBC
+CKM CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC
+# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC
+
+OID 1.2.840.113549.1.12.1.4
+TAG pbeWithSHA1And2-KeyTripleDES-CBC
+EXPL "PKCS #12 Password Based Encryption With SHA-1 and 2-key Triple DES-CBC"
+NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_2_KEY_TRIPLE_DES_CBC
+CKM CKM_PBE_SHA1_DES2_EDE_CBC
+# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC
+
+OID 1.2.840.113549.1.12.1.5
+TAG pbeWithSHA1And128BitRC2-CBC
+EXPL "PKCS #12 Password Based Encryption With SHA-1 and 128-bit RC2-CBC"
+NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC
+CKM CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC
+# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC
+
+OID 1.2.840.113549.1.12.1.6
+TAG pbeWithSHA1And40BitRC2-CBC
+EXPL "PKCS #12 Password Based Encryption With SHA-1 and 40-bit RC2-CBC"
+NAME NSS_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC
+CKM CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC
+# We called it SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC
+
+OID 1.2.840.113549.1.12.2 
+TAG pkcs-12EspvkIds
+EXPL "PKCS #12 ESPVK IDs"
+# We called it SEC_OID_PKCS12_ESPVK_IDS
+
+OID 1.2.840.113549.1.12.2.1
+TAG pkcs8-key-shrouding
+EXPL "PKCS #12 Key Shrouding"
+# We called it SEC_OID_PKCS12_PKCS8_KEY_SHROUDING
+
+OID 1.2.840.113549.1.12.3 
+TAG draft1Pkcs-12Bag-ids
+EXPL "Draft 1.0 PKCS #12 Bag IDs"
+# We called it SEC_OID_PKCS12_BAG_IDS
+
+OID 1.2.840.113549.1.12.3.1
+TAG keyBag
+EXPL "Draft 1.0 PKCS #12 Key Bag"
+# We called it SEC_OID_PKCS12_KEY_BAG_ID
+
+OID 1.2.840.113549.1.12.3.2
+TAG certAndCRLBagId
+EXPL "Draft 1.0 PKCS #12 Cert and CRL Bag ID"
+# We called it SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID
+
+OID 1.2.840.113549.1.12.3.3
+TAG secretBagId
+EXPL "Draft 1.0 PKCS #12 Secret Bag ID"
+# We called it SEC_OID_PKCS12_SECRET_BAG_ID
+
+OID 1.2.840.113549.1.12.3.4
+TAG safeContentsId
+EXPL "Draft 1.0 PKCS #12 Safe Contents Bag ID"
+# We called it SEC_OID_PKCS12_SAFE_CONTENTS_ID
+
+OID 1.2.840.113549.1.12.3.5
+TAG pkcs-8ShroudedKeyBagId
+EXPL "Draft 1.0 PKCS #12 PKCS #8-shrouded Key Bag ID"
+# We called it SEC_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG_ID
+
+OID 1.2.840.113549.1.12.4 
+TAG pkcs-12CertBagIds
+EXPL "PKCS #12 Certificate Bag IDs"
+# We called it SEC_OID_PKCS12_CERT_BAG_IDS
+
+OID 1.2.840.113549.1.12.4.1
+TAG x509CertCRLBagId
+EXPL "PKCS #12 X.509 Certificate and CRL Bag"
+# We called it SEC_OID_PKCS12_X509_CERT_CRL_BAG
+
+OID 1.2.840.113549.1.12.4.2
+TAG SDSICertBagID
+EXPL "PKCS #12 SDSI Certificate Bag"
+# We called it SEC_OID_PKCS12_SDSI_CERT_BAG
+
+OID 1.2.840.113549.1.12.5 
+TAG pkcs-12Oids
+EXPL "PKCS #12 OIDs (XXX)"
+# We called it SEC_OID_PKCS12_OIDS
+
+OID 1.2.840.113549.1.12.5.1 
+TAG pkcs-12PbeIds
+EXPL "PKCS #12 OIDs PBE IDs (XXX)"
+# We called it SEC_OID_PKCS12_PBE_IDS
+
+OID 1.2.840.113549.1.12.5.1.1
+TAG pbeWithSha1And128BitRC4
+EXPL "PKCS #12 OIDs PBE with SHA-1 and 128-bit RC4 (XXX)"
+CKM CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4
+# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4
+
+OID 1.2.840.113549.1.12.5.1.2
+TAG pbeWithSha1And40BitRC4
+EXPL "PKCS #12 OIDs PBE with SHA-1 and 40-bit RC4 (XXX)"
+CKM CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4
+# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4
+
+OID 1.2.840.113549.1.12.5.1.3
+TAG pbeWithSha1AndTripleDES-CBC
+EXPL "PKCS #12 OIDs PBE with SHA-1 and Triple DES-CBC (XXX)"
+CKM CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC
+# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC
+
+OID 1.2.840.113549.1.12.5.1.4
+TAG pbeWithSha1And128BitRC2-CBC
+EXPL "PKCS #12 OIDs PBE with SHA-1 and 128-bit RC2-CBC (XXX)"
+CKM CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC
+# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC
+
+OID 1.2.840.113549.1.12.5.1.5
+TAG pbeWithSha1And40BitRC2-CBC
+EXPL "PKCS #12 OIDs PBE with SHA-1 and 40-bit RC2-CBC (XXX)"
+CKM CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC
+# We called it SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC
+
+OID 1.2.840.113549.1.12.5.2 
+TAG pkcs-12EnvelopingIds
+EXPL "PKCS #12 OIDs Enveloping IDs (XXX)"
+# We called it SEC_OID_PKCS12_ENVELOPING_IDS
+
+OID 1.2.840.113549.1.12.5.2.1
+TAG rsaEncryptionWith128BitRC4
+EXPL "PKCS #12 OIDs Enveloping RSA Encryption with 128-bit RC4"
+# We called it SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_128_BIT_RC4
+
+OID 1.2.840.113549.1.12.5.2.2
+TAG rsaEncryptionWith40BitRC4
+EXPL "PKCS #12 OIDs Enveloping RSA Encryption with 40-bit RC4"
+# We called it SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_40_BIT_RC4
+
+OID 1.2.840.113549.1.12.5.2.3
+TAG rsaEncryptionWithTripleDES
+EXPL "PKCS #12 OIDs Enveloping RSA Encryption with Triple DES"
+# We called it SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_TRIPLE_DES
+
+OID 1.2.840.113549.1.12.5.3 
+TAG pkcs-12SignatureIds
+EXPL "PKCS #12 OIDs Signature IDs (XXX)"
+# We called it SEC_OID_PKCS12_SIGNATURE_IDS
+
+OID 1.2.840.113549.1.12.5.3.1
+TAG rsaSignatureWithSHA1Digest
+EXPL "PKCS #12 OIDs RSA Signature with SHA-1 Digest"
+# We called it SEC_OID_PKCS12_RSA_SIGNATURE_WITH_SHA1_DIGEST
+
+OID 1.2.840.113549.1.12.10 
+TAG pkcs-12Version1
+EXPL "PKCS #12 Version 1"
+
+OID 1.2.840.113549.1.12.10.1
+TAG pkcs-12BagIds
+EXPL "PKCS #12 Bag IDs"
+
+OID 1.2.840.113549.1.12.10.1.1
+TAG keyBag
+EXPL "PKCS #12 Key Bag"
+NAME NSS_OID_PKCS12_KEY_BAG
+# We called it SEC_OID_PKCS12_V1_KEY_BAG_ID
+
+OID 1.2.840.113549.1.12.10.1.2
+TAG pkcs-8ShroudedKeyBag
+EXPL "PKCS #12 PKCS #8-shrouded Key Bag"
+NAME NSS_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG
+# We called it SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID
+
+OID 1.2.840.113549.1.12.10.1.3
+TAG certBag
+EXPL "PKCS #12 Certificate Bag"
+NAME NSS_OID_PKCS12_CERT_BAG
+# We called it SEC_OID_PKCS12_V1_CERT_BAG_ID
+
+OID 1.2.840.113549.1.12.10.1.4
+TAG crlBag
+EXPL "PKCS #12 CRL Bag"
+NAME NSS_OID_PKCS12_CRL_BAG
+# We called it SEC_OID_PKCS12_V1_CRL_BAG_ID
+
+OID 1.2.840.113549.1.12.10.1.5
+TAG secretBag
+EXPL "PKCS #12 Secret Bag"
+NAME NSS_OID_PKCS12_SECRET_BAG
+# We called it SEC_OID_PKCS12_V1_SECRET_BAG_ID
+
+OID 1.2.840.113549.1.12.10.1.6
+TAG safeContentsBag
+EXPL "PKCS #12 Safe Contents Bag"
+NAME NSS_OID_PKCS12_SAFE_CONTENTS_BAG
+# We called it SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID
+
+OID 1.2.840.113549.2
+TAG digest
+EXPL "RSA digest algorithm"
+
+OID 1.2.840.113549.2.2 
+TAG md2
+EXPL "MD2"
+NAME NSS_OID_MD2
+CKM CKM_MD2
+
+OID 1.2.840.113549.2.4 
+TAG md4
+EXPL "MD4"
+NAME NSS_OID_MD4
+# No CKM
+
+OID 1.2.840.113549.2.5
+TAG md5
+EXPL "MD5"
+NAME NSS_OID_MD5
+CKM CKM_MD5
+
+OID 1.2.840.113549.3 
+TAG cipher
+EXPL "RSA cipher algorithm"
+
+OID 1.2.840.113549.3.2 
+TAG rc2cbc
+EXPL "RC2-CBC"
+NAME NSS_OID_RC2_CBC
+CKM_RC2_CBC
+
+OID 1.2.840.113549.3.4 
+TAG rc4
+EXPL "RC4"
+NAME NSS_OID_RC4
+CKM CKM_RC4
+
+OID 1.2.840.113549.3.7 
+TAG desede3cbc
+EXPL "DES-EDE3-CBC"
+NAME NSS_OID_DES_EDE3_CBC
+CKM CKM_DES3_CBC
+
+OID 1.2.840.113549.3.9 
+TAG rc5cbcpad
+EXPL "RC5-CBCPad"
+NAME NSS_OID_RC5_CBC_PAD
+CKM CKM_RC5_CBC
+
+OID 1.2.840.113556
+TAG microsoft
+EXPL "Microsoft"
+
+OID 1.2.840.113560
+TAG columbia-university
+EXPL "Columbia University"
+
+OID 1.2.840.113572
+TAG unisys
+EXPL "Unisys"
+
+OID 1.2.840.113658
+TAG xapia
+EXPL "XAPIA"
+
+OID 1.2.840.113699
+TAG wordperfect
+EXPL "WordPerfect"
+
+OID 1.3
+TAG identified-organization
+EXPL "ISO identified organizations"
+
+OID 1.3.6
+TAG us-dod
+EXPL "United States Department of Defense"
+
+OID 1.3.6.1 
+TAG internet  # See RFC 1065
+EXPL "The Internet"
+
+OID 1.3.6.1.1
+TAG directory
+EXPL "Internet: Directory"
+
+OID 1.3.6.1.2
+TAG management
+EXPL "Internet: Management"
+
+OID 1.3.6.1.3
+TAG experimental
+EXPL "Internet: Experimental"
+
+OID 1.3.6.1.4
+TAG private
+EXPL "Internet: Private"
+
+OID 1.3.6.1.5
+TAG security
+EXPL "Internet: Security"
+
+OID 1.3.6.1.5.5
+
+# RFC 2459:
+#
+# id-pkix  OBJECT IDENTIFIER  ::=
+#          { iso(1) identified-organization(3) dod(6) internet(1)
+#                     security(5) mechanisms(5) pkix(7) }
+OID 1.3.6.1.5.5.7 
+TAG id-pkix
+EXPL "Public Key Infrastructure"
+
+# RFC 2459:
+#
+# PKIX1Explicit88 {iso(1) identified-organization(3) dod(6) internet(1)
+#   security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit-88(1)}
+OID 1.3.6.1.5.5.7.0.1
+TAG PKIX1Explicit88
+EXPL "RFC 2459 Explicitly Tagged Module, 1988 Syntax"
+
+# RFC 2459:
+#
+# PKIX1Implicit88 {iso(1) identified-organization(3) dod(6) internet(1)
+#   security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit-88(2)}
+OID 1.3.6.1.5.5.7.0.2
+TAG PKIXImplicit88
+EXPL "RFC 2459 Implicitly Tagged Module, 1988 Syntax"
+
+# RFC 2459:
+#
+# PKIX1Explicit93 {iso(1) identified-organization(3) dod(6) internet(1)
+#    security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit-93(3)}
+OID 1.3.6.1.5.5.7.0.3
+TAG PKIXExplicit93
+EXPL "RFC 2459 Explicitly Tagged Module, 1993 Syntax"
+
+# RFC 2459:
+#
+# id-pe OBJECT IDENTIFIER  ::=  { id-pkix 1 }
+#         -- arc for private certificate extensions
+OID 1.3.6.1.5.5.7.1 
+TAG id-pe
+EXPL "PKIX Private Certificate Extensions"
+
+# RFC 2459:
+#
+# id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }
+OID 1.3.6.1.5.5.7.1.1
+TAG id-pe-authorityInfoAccess
+EXPL "Certificate Authority Information Access"
+NAME NSS_OID_X509_AUTH_INFO_ACCESS
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-qt OBJECT IDENTIFIER ::= { id-pkix 2 }
+#         -- arc for policy qualifier types
+OID 1.3.6.1.5.5.7.2 
+TAG id-qt
+EXPL "PKIX Policy Qualifier Types"
+
+# RFC 2459:
+#
+# id-qt-cps      OBJECT IDENTIFIER ::=  { id-qt 1 }
+#         -- OID for CPS qualifier
+OID 1.3.6.1.5.5.7.2.1
+TAG id-qt-cps
+EXPL "PKIX CPS Pointer Qualifier"
+NAME NSS_OID_PKIX_CPS_POINTER_QUALIFIER
+
+# RFC 2459:
+#
+# id-qt-unotice  OBJECT IDENTIFIER ::=  { id-qt 2 }
+#         -- OID for user notice qualifier
+OID 1.3.6.1.5.5.7.2.2
+TAG id-qt-unotice
+EXPL "PKIX User Notice Qualifier"
+NAME NSS_OID_PKIX_USER_NOTICE_QUALIFIER
+
+# RFC 2459:
+#
+# id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
+#         -- arc for extended key purpose OIDS
+OID 1.3.6.1.5.5.7.3 
+TAG id-kp
+EXPL "PKIX Key Purpose"
+
+# RFC 2459:
+#
+# id-kp-serverAuth      OBJECT IDENTIFIER ::= { id-kp 1 }
+OID 1.3.6.1.5.5.7.3.1
+TAG id-kp-serverAuth
+EXPL "TLS Web Server Authentication Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_SERVER_AUTH
+
+# RFC 2459:
+#
+# id-kp-clientAuth      OBJECT IDENTIFIER ::= { id-kp 2 }
+OID 1.3.6.1.5.5.7.3.2
+TAG id-kp-clientAuth
+EXPL "TLS Web Client Authentication Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_CLIENT_AUTH
+
+# RFC 2459:
+#
+# id-kp-codeSigning     OBJECT IDENTIFIER ::= { id-kp 3 }
+OID 1.3.6.1.5.5.7.3.3
+TAG id-kp-codeSigning
+EXPL "Code Signing Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_CODE_SIGN
+
+# RFC 2459:
+#
+# id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
+OID 1.3.6.1.5.5.7.3.4
+TAG id-kp-emailProtection
+EXPL "E-Mail Protection Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_EMAIL_PROTECTION
+
+# RFC 2459:
+#
+# id-kp-ipsecEndSystem  OBJECT IDENTIFIER ::= { id-kp 5 }
+OID 1.3.6.1.5.5.7.3.5
+TAG id-kp-ipsecEndSystem
+EXPL "IPSEC End System Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_IPSEC_END_SYSTEM
+
+# RFC 2459:
+#
+# id-kp-ipsecTunnel     OBJECT IDENTIFIER ::= { id-kp 6 }
+OID 1.3.6.1.5.5.7.3.6
+TAG id-kp-ipsecTunnel
+EXPL "IPSEC Tunnel Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_IPSEC_TUNNEL
+
+# RFC 2459:
+#
+# id-kp-ipsecUser       OBJECT IDENTIFIER ::= { id-kp 7 }
+OID 1.3.6.1.5.5.7.3.7
+TAG id-kp-ipsecUser
+EXPL "IPSEC User Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_IPSEC_USER
+
+# RFC 2459:
+#
+# id-kp-timeStamping    OBJECT IDENTIFIER ::= { id-kp 8 }
+OID 1.3.6.1.5.5.7.3.8
+TAG id-kp-timeStamping
+EXPL "Time Stamping Certificate"
+NAME NSS_OID_EXT_KEY_USAGE_TIME_STAMP
+
+OID 1.3.6.1.5.5.7.3.9
+TAG ocsp-responder
+EXPL "OCSP Responder Certificate"
+NAME NSS_OID_OCSP_RESPONDER
+
+OID 1.3.6.1.5.5.7.7 
+TAG pkix-id-pkix
+
+OID 1.3.6.1.5.5.7.7.5 
+TAG pkix-id-pkip
+
+OID 1.3.6.1.5.5.7.7.5.1 
+TAG pkix-id-regctrl
+EXPL "CRMF Registration Control"
+
+OID 1.3.6.1.5.5.7.7.5.1.1
+TAG regtoken
+EXPL "CRMF Registration Control, Registration Token"
+NAME NSS_OID_PKIX_REGCTRL_REGTOKEN
+
+OID 1.3.6.1.5.5.7.7.5.1.2
+TAG authenticator
+EXPL "CRMF Registration Control, Registration Authenticator"
+NAME NSS_OID_PKIX_REGCTRL_AUTHENTICATOR
+
+OID 1.3.6.1.5.5.7.7.5.1.3
+TAG pkipubinfo
+EXPL "CRMF Registration Control, PKI Publication Info"
+NAME NSS_OID_PKIX_REGCTRL_PKIPUBINFO
+
+OID 1.3.6.1.5.5.7.7.5.1.4
+TAG pki-arch-options
+EXPL "CRMF Registration Control, PKI Archive Options"
+NAME NSS_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS
+
+OID 1.3.6.1.5.5.7.7.5.1.5
+TAG old-cert-id
+EXPL "CRMF Registration Control, Old Certificate ID"
+NAME NSS_OID_PKIX_REGCTRL_OLD_CERT_ID
+
+OID 1.3.6.1.5.5.7.7.5.1.6
+TAG protocol-encryption-key
+EXPL "CRMF Registration Control, Protocol Encryption Key"
+NAME NSS_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY
+
+OID 1.3.6.1.5.5.7.7.5.2 
+TAG pkix-id-reginfo
+EXPL "CRMF Registration Info"
+
+OID 1.3.6.1.5.5.7.7.5.2.1
+TAG utf8-pairs
+EXPL "CRMF Registration Info, UTF8 Pairs"
+NAME NSS_OID_PKIX_REGINFO_UTF8_PAIRS
+
+OID 1.3.6.1.5.5.7.7.5.2.2
+TAG cert-request
+EXPL "CRMF Registration Info, Certificate Request"
+NAME NSS_OID_PKIX_REGINFO_CERT_REQUEST
+
+# RFC 2549:
+#
+# id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
+#         -- arc for access descriptors
+OID 1.3.6.1.5.5.7.48 
+TAG id-ad
+EXPL "PKIX Access Descriptors"
+
+# RFC 2549:
+#
+# id-ad-ocsp      OBJECT IDENTIFIER ::= { id-ad 1 }
+OID 1.3.6.1.5.5.7.48.1
+TAG id-ad-ocsp
+EXPL "PKIX Online Certificate Status Protocol"
+NAME NSS_OID_OID_PKIX_OCSP
+
+OID 1.3.6.1.5.5.7.48.1.1
+TAG basic-response
+EXPL "OCSP Basic Response"
+NAME NSS_OID_PKIX_OCSP_BASIC_RESPONSE
+
+OID 1.3.6.1.5.5.7.48.1.2
+TAG nonce-extension
+EXPL "OCSP Nonce Extension"
+NAME NSS_OID_PKIX_OCSP_NONCE
+
+OID 1.3.6.1.5.5.7.48.1.3
+TAG response
+EXPL "OCSP Response Types Extension"
+NAME NSS_OID_PKIX_OCSP_RESPONSE
+
+OID 1.3.6.1.5.5.7.48.1.4
+TAG crl
+EXPL "OCSP CRL Reference Extension"
+NAME NSS_OID_PKIX_OCSP_CRL
+
+OID 1.3.6.1.5.5.7.48.1.5
+TAG no-check
+EXPL "OCSP No Check Extension"
+NAME NSS_OID_X509_OCSP_NO_CHECK  # X509_... ?
+
+OID 1.3.6.1.5.5.7.48.1.6
+TAG archive-cutoff
+EXPL "OCSP Archive Cutoff Extension"
+NAME NSS_OID_PKIX_OCSP_ARCHIVE_CUTOFF
+
+OID 1.3.6.1.5.5.7.48.1.7
+TAG service-locator
+EXPL "OCSP Service Locator Extension"
+NAME NSS_OID_PKIX_OCSP_SERVICE_LOCATOR
+
+# RFC 2549:
+#
+# id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }
+OID 1.3.6.1.5.5.7.48.2
+TAG id-ad-caIssuers
+EXPL "Certificate Authority Issuers"
+
+OID 1.3.6.1.6
+TAG snmpv2
+EXPL "Internet: SNMPv2"
+
+OID 1.3.6.1.7
+TAG mail
+EXPL "Internet: mail"
+
+OID 1.3.6.1.7.1
+TAG mime-mhs
+EXPL "Internet: mail MIME mhs"
+
+OID 1.3.12 
+TAG ecma
+EXPL "European Computers Manufacturing Association"
+
+OID 1.3.14
+TAG oiw
+EXPL "Open Systems Implementors Workshop"
+
+OID 1.3.14.3 secsig
+TAG secsig
+EXPL "Open Systems Implementors Workshop Security Special Interest Group"
+
+OID 1.3.14.3.1
+TAG oIWSECSIGAlgorithmObjectIdentifiers
+EXPL "OIW SECSIG Algorithm OIDs"
+
+OID 1.3.14.3.2 
+TAG algorithm
+EXPL "OIW SECSIG Algorithm"
+
+OID 1.3.14.3.2.6 
+TAG desecb
+EXPL "DES-ECB"
+NAME NSS_OID_DES_ECB
+CKM CKM_DES_ECB
+
+OID 1.3.14.3.2.7
+TAG descbc
+EXPL "DES-CBC"
+NAME NSS_OID_DES_CBC
+CKM CKM_DES_CBC
+
+OID 1.3.14.3.2.8
+TAG desofb
+EXPL "DES-OFB"
+NAME NSS_OID_DES_OFB
+# No CKM..
+
+OID 1.3.14.3.2.9 
+TAG descfb
+EXPL "DES-CFB"
+NAME NSS_OID_DES_CFB
+# No CKM..
+
+OID 1.3.14.3.2.10
+TAG desmac
+EXPL "DES-MAC"
+NAME NSS_OID_DES_MAC
+CKM CKM_DES_MAC
+
+OID 1.3.14.3.2.15 
+TAG isoSHAWithRSASignature
+EXPL "ISO SHA with RSA Signature"
+NAME NSS_OID_ISO_SHA_WITH_RSA_SIGNATURE
+# No CKM..
+
+OID 1.3.14.3.2.17 
+TAG desede
+EXPL "DES-EDE"
+NAME NSS_OID_DES_EDE
+# No CKM..
+
+OID 1.3.14.3.2.26 
+TAG sha1
+EXPL "SHA-1"
+NAME NSS_OID_SHA1
+CKM CKM_SHA_1
+
+OID 1.3.14.3.2.27
+TAG bogusDSASignatureWithSHA1Digest
+EXPL "Forgezza DSA Signature with SHA-1 Digest"
+NAME NSS_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST
+CKM CKM_DSA_SHA1
+
+OID 1.3.14.3.3
+TAG authentication-mechanism
+EXPL "OIW SECSIG Authentication Mechanisms"
+
+OID 1.3.14.3.4
+TAG security-attribute
+EXPL "OIW SECSIG Security Attributes"
+
+OID 1.3.14.3.5
+TAG document-definition
+EXPL "OIW SECSIG Document Definitions used in security"
+
+OID 1.3.14.7
+TAG directory-services-sig
+EXPL "OIW directory services sig"
+
+OID 1.3.16
+TAG ewos
+EXPL "European Workshop on Open Systems"
+
+OID 1.3.22
+TAG osf
+EXPL "Open Software Foundation"
+
+OID 1.3.23
+TAG nordunet
+EXPL "Nordunet"
+
+OID 1.3.26
+TAG nato-id-org
+EXPL "NATO identified organisation"
+
+OID 1.3.36
+TAG teletrust
+EXPL "Teletrust"
+
+OID 1.3.52
+TAG smpte
+EXPL "Society of Motion Picture and Television Engineers"
+
+OID 1.3.69
+TAG sita
+EXPL "Societe Internationale de Telecommunications Aeronautiques"
+
+OID 1.3.90
+TAG iana
+EXPL "Internet Assigned Numbers Authority"
+
+OID 1.3.101 
+TAG thawte
+EXPL "Thawte"
+
+OID 2 
+TAG joint-iso-ccitt
+EXPL "Joint ISO/ITU-T assignment"
+
+OID 2.0
+TAG presentation
+EXPL "Joint ISO/ITU-T Presentation"
+
+OID 2.1
+TAG asn-1
+EXPL "Abstract Syntax Notation One"
+
+OID 2.2
+TAG acse
+EXPL "Association Control"
+
+OID 2.3
+TAG rtse
+EXPL "Reliable Transfer"
+
+OID 2.4
+TAG rose
+EXPL "Remote Operations"
+
+OID 2.5
+TAG x500
+EXPL "Directory"
+
+OID 2.5.1
+TAG modules
+EXPL "X.500 modules"
+
+OID 2.5.2
+TAG service-environment
+EXPL "X.500 service environment"
+
+OID 2.5.3
+TAG application-context
+EXPL "X.500 application context"
+
+# RFC 2459:
+#
+# id-at           OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4}
+OID 2.5.4
+TAG id-at
+EXPL "X.520 attribute types"
+
+# RFC 2459:
+#
+# id-at-commonName        AttributeType   ::=     {id-at 3}
+OID 2.5.4.3
+TAG id-at-commonName
+EXPL "X.520 Common Name"
+NAME NSS_OID_X520_COMMON_NAME
+ATTR "cn"
+
+# RFC 2459:
+#
+# id-at-surname           AttributeType   ::=     {id-at 4}
+OID 2.5.4.4
+TAG id-at-surname
+EXPL "X.520 Surname"
+NAME NSS_OID_X520_SURNAME
+ATTR "sn"
+
+# RFC 2459:
+#
+# id-at-countryName       AttributeType   ::=     {id-at 6}
+OID 2.5.4.6
+TAG id-at-countryName
+EXPL "X.520 Country Name"
+NAME NSS_OID_X520_COUNTRY_NAME
+ATTR "c"
+
+# RFC 2459:
+#
+# id-at-localityName      AttributeType   ::=     {id-at 7}
+OID 2.5.4.7
+TAG id-at-localityName
+EXPL "X.520 Locality Name"
+NAME NSS_OID_X520_LOCALITY_NAME
+ATTR "l"
+
+# RFC 2459:
+#
+# id-at-stateOrProvinceName       AttributeType   ::=     {id-at 8}
+OID 2.5.4.8
+TAG id-at-stateOrProvinceName
+EXPL "X.520 State or Province Name"
+NAME NSS_OID_X520_STATE_OR_PROVINCE_NAME
+ATTR "s"
+
+# RFC 2459:
+#
+# id-at-organizationName          AttributeType   ::=     {id-at 10}
+OID 2.5.4.10
+TAG id-at-organizationName
+EXPL "X.520 Organization Name"
+NAME NSS_OID_X520_ORGANIZATION_NAME
+ATTR "o"
+
+# RFC 2459:
+#
+# id-at-organizationalUnitName    AttributeType   ::=     {id-at 11}
+OID 2.5.4.11
+TAG id-at-organizationalUnitName
+EXPL "X.520 Organizational Unit Name"
+NAME NSS_OID_X520_ORGANIZATIONAL_UNIT_NAME
+ATTR "ou"
+
+# RFC 2459:
+#
+# id-at-title     AttributeType   ::=     {id-at 12}
+OID 2.5.4.12
+TAG id-at-title
+EXPL "X.520 Title"
+NAME NSS_OID_X520_TITLE
+ATTR "title"
+
+# RFC 2459:
+#
+# id-at-name              AttributeType   ::=     {id-at 41}
+OID 2.5.4.41
+TAG id-at-name
+EXPL "X.520 Name"
+NAME NSS_OID_X520_NAME
+ATTR "name"
+
+# RFC 2459:
+#
+# id-at-givenName         AttributeType   ::=     {id-at 42}
+OID 2.5.4.42
+TAG id-at-givenName
+EXPL "X.520 Given Name"
+NAME NSS_OID_X520_GIVEN_NAME
+ATTR "givenName"
+
+# RFC 2459:
+#
+# id-at-initials          AttributeType   ::=     {id-at 43}
+OID 2.5.4.43
+TAG id-at-initials
+EXPL "X.520 Initials"
+NAME NSS_OID_X520_INITIALS
+ATTR "initials"
+
+# RFC 2459:
+#
+# id-at-generationQualifier       AttributeType   ::=     {id-at 44}
+OID 2.5.4.44
+TAG id-at-generationQualifier
+EXPL "X.520 Generation Qualifier"
+NAME NSS_OID_X520_GENERATION_QUALIFIER
+ATTR "generationQualifier"
+
+# RFC 2459:
+#
+# id-at-dnQualifier       AttributeType   ::=     {id-at 46}
+OID 2.5.4.46
+TAG id-at-dnQualifier
+EXPL "X.520 DN Qualifier"
+NAME NSS_OID_X520_DN_QUALIFIER
+ATTR "dnQualifier"
+
+OID 2.5.5
+TAG attribute-syntax
+EXPL "X.500 attribute syntaxes"
+
+OID 2.5.6
+TAG object-classes
+EXPL "X.500 standard object classes"
+
+OID 2.5.7
+TAG attribute-set
+EXPL "X.500 attribute sets"
+
+OID 2.5.8
+TAG algorithms
+EXPL "X.500-defined algorithms"
+
+OID 2.5.8.1 
+TAG encryption
+EXPL "X.500-defined encryption algorithms"
+
+OID 2.5.8.1.1 
+TAG rsa
+EXPL "RSA Encryption Algorithm"
+NAME NSS_OID_X500_RSA_ENCRYPTION
+CKM CKM_RSA_X_509
+
+OID 2.5.9
+TAG abstract-syntax
+EXPL "X.500 abstract syntaxes"
+
+OID 2.5.12
+TAG operational-attribute
+EXPL "DSA Operational Attributes"
+
+OID 2.5.13
+TAG matching-rule
+EXPL "Matching Rule"
+
+OID 2.5.14
+TAG knowledge-matching-rule
+EXPL "X.500 knowledge Matching Rules"
+
+OID 2.5.15
+TAG name-form
+EXPL "X.500 name forms"
+
+OID 2.5.16
+TAG group
+EXPL "X.500 groups"
+
+OID 2.5.17
+TAG subentry
+EXPL "X.500 subentry"
+
+OID 2.5.18
+TAG operational-attribute-type
+EXPL "X.500 operational attribute type"
+
+OID 2.5.19
+TAG operational-binding
+EXPL "X.500 operational binding"
+
+OID 2.5.20
+TAG schema-object-class
+EXPL "X.500 schema Object class"
+
+OID 2.5.21
+TAG schema-operational-attribute
+EXPL "X.500 schema operational attributes"
+
+OID 2.5.23
+TAG administrative-role
+EXPL "X.500 administrative roles"
+
+OID 2.5.24
+TAG access-control-attribute
+EXPL "X.500 access control attribute"
+
+OID 2.5.25
+TAG ros
+EXPL "X.500 ros object"
+
+OID 2.5.26
+TAG contract
+EXPL "X.500 contract"
+
+OID 2.5.27
+TAG package
+EXPL "X.500 package"
+
+OID 2.5.28
+TAG access-control-schema
+EXPL "X.500 access control schema"
+
+# RFC 2459:
+#
+# id-ce OBJECT IDENTIFIER  ::=  {joint-iso-ccitt(2) ds(5) 29}
+OID 2.5.29
+TAG id-ce
+EXPL "X.500 Certificate Extension"
+
+OID 2.5.29.5
+TAG subject-directory-attributes
+EXPL "Certificate Subject Directory Attributes"
+NAME NSS_OID_X509_SUBJECT_DIRECTORY_ATTR
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::=  { id-ce 9 }
+OID 2.5.29.9
+TAG id-ce-subjectDirectoryAttributes
+EXPL "Certificate Subject Directory Attributes"
+NAME NSS_OID_X509_SUBJECT_DIRECTORY_ATTRIBUTES
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 }
+OID 2.5.29.14
+TAG id-ce-subjectKeyIdentifier
+EXPL "Certificate Subject Key ID"
+NAME NSS_OID_X509_SUBJECT_KEY_ID
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }
+OID 2.5.29.15
+TAG id-ce-keyUsage
+EXPL "Certificate Key Usage"
+NAME NSS_OID_X509_KEY_USAGE
+CERT_EXTENSION SUPPORTED
+# We called it PKCS12_KEY_USAGE
+
+# RFC 2459:
+#
+# id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::=  { id-ce 16 }
+OID 2.5.29.16
+TAG id-ce-privateKeyUsagePeriod
+EXPL "Certificate Private Key Usage Period"
+NAME NSS_OID_X509_PRIVATE_KEY_USAGE_PERIOD
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }
+OID 2.5.29.17
+TAG id-ce-subjectAltName
+EXPL "Certificate Subject Alternate Name"
+NAME NSS_OID_X509_SUBJECT_ALT_NAME
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-issuerAltName OBJECT IDENTIFIER ::=  { id-ce 18 }
+OID 2.5.29.18
+TAG id-ce-issuerAltName
+EXPL "Certificate Issuer Alternate Name"
+NAME NSS_OID_X509_ISSUER_ALT_NAME
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 }
+OID 2.5.29.19
+TAG id-ce-basicConstraints
+EXPL "Certificate Basic Constraints"
+NAME NSS_OID_X509_BASIC_CONSTRAINTS
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }
+OID 2.5.29.20
+TAG id-ce-cRLNumber
+EXPL "CRL Number"
+NAME NSS_OID_X509_CRL_NUMBER
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }
+OID 2.5.29.21
+TAG id-ce-cRLReasons
+EXPL "CRL Reason Code"
+NAME NSS_OID_X509_REASON_CODE
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }
+OID 2.5.29.23
+TAG id-ce-holdInstructionCode
+EXPL "Hold Instruction Code"
+NAME NSS_OID_X509_HOLD_INSTRUCTION_CODE
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-invalidityDate OBJECT IDENTIFIER ::= { id-ce 24 }
+OID 2.5.29.24
+TAG id-ce-invalidityDate
+EXPL "Invalid Date"
+NAME NSS_OID_X509_INVALID_DATE
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }
+OID 2.5.29.27
+TAG id-ce-deltaCRLIndicator
+EXPL "Delta CRL Indicator"
+NAME NSS_OID_X509_DELTA_CRL_INDICATOR
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
+OID 2.5.29.28
+TAG id-ce-issuingDistributionPoint
+EXPL "Issuing Distribution Point"
+NAME NSS_OID_X509_ISSUING_DISTRIBUTION_POINT
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }
+OID 2.5.29.29
+TAG id-ce-certificateIssuer
+EXPL "Certificate Issuer"
+NAME NSS_OID_X509_CERTIFICATE_ISSUER
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 }
+OID 2.5.29.30
+TAG id-ce-nameConstraints
+EXPL "Certificate Name Constraints"
+NAME NSS_OID_X509_NAME_CONSTRAINTS
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-cRLDistributionPoints     OBJECT IDENTIFIER  ::=  {id-ce 31}
+OID 2.5.29.31
+TAG id-ce-cRLDistributionPoints
+EXPL "CRL Distribution Points"
+NAME NSS_OID_X509_CRL_DIST_POINTS
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 }
+OID 2.5.29.32
+TAG id-ce-certificatePolicies
+EXPL "Certificate Policies"
+NAME NSS_OID_X509_CERTIFICATE_POLICIES
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-policyMappings OBJECT IDENTIFIER ::=  { id-ce 33 }
+OID 2.5.29.33
+TAG id-ce-policyMappings
+EXPL "Certificate Policy Mappings"
+NAME NSS_OID_X509_POLICY_MAPPINGS
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.5.29.34
+TAG policy-constraints
+EXPL "Certificate Policy Constraints (old)"
+CERT_EXTENSION UNSUPPORTED
+
+# RFC 2459:
+#
+# id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 35 }
+OID 2.5.29.35
+TAG id-ce-authorityKeyIdentifier
+EXPL "Certificate Authority Key Identifier"
+NAME NSS_OID_X509_AUTH_KEY_ID
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-ce 36 }
+OID 2.5.29.36
+TAG id-ce-policyConstraints
+EXPL "Certificate Policy Constraints"
+NAME NSS_OID_X509_POLICY_CONSTRAINTS
+CERT_EXTENSION SUPPORTED
+
+# RFC 2459:
+#
+# id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
+OID 2.5.29.37
+TAG id-ce-extKeyUsage
+EXPL "Extended Key Usage"
+NAME NSS_OID_X509_EXT_KEY_USAGE
+CERT_EXTENSION SUPPORTED
+
+OID 2.5.30
+TAG id-mgt
+EXPL "X.500 Management Object"
+
+OID 2.6
+TAG x400
+EXPL "X.400 MHS"
+
+OID 2.7
+TAG ccr
+EXPL "Committment, Concurrency and Recovery"
+
+OID 2.8
+TAG oda
+EXPL "Office Document Architecture"
+
+OID 2.9
+TAG osi-management
+EXPL "OSI management"
+
+OID 2.10
+TAG tp
+EXPL "Transaction Processing"
+
+OID 2.11
+TAG dor
+EXPL "Distinguished Object Reference"
+
+OID 2.12
+TAG rdt
+EXPL "Referenced Data Transfer"
+
+OID 2.13
+TAG nlm
+EXPL "Network Layer Management"
+
+OID 2.14
+TAG tlm
+EXPL "Transport Layer Management"
+
+OID 2.15
+TAG llm
+EXPL "Link Layer Management"
+
+OID 2.16
+TAG country
+EXPL "Country Assignments"
+
+OID 2.16.124 
+TAG canada
+EXPL "Canada"
+
+OID 2.16.158
+TAG taiwan
+EXPL "Taiwan"
+
+OID 2.16.578 
+TAG norway
+EXPL "Norway"
+
+OID 2.16.756 
+TAG switzerland
+EXPL "Switzerland"
+
+OID 2.16.840 
+TAG us
+EXPL "United States"
+
+OID 2.16.840.1 
+TAG us-company
+EXPL "United States Company"
+
+OID 2.16.840.1.101 
+TAG us-government
+EXPL "United States Government (1.101)"
+
+OID 2.16.840.1.101.2 
+TAG us-dod
+EXPL "United States Department of Defense"
+
+OID 2.16.840.1.101.2.1 
+TAG id-infosec
+EXPL "US DOD Infosec"
+
+OID 2.16.840.1.101.2.1.0 
+TAG id-modules
+EXPL "US DOD Infosec modules"
+
+OID 2.16.840.1.101.2.1.1 
+TAG id-algorithms
+EXPL "US DOD Infosec algorithms (MISSI)"
+
+OID 2.16.840.1.101.2.1.1.2  
+TAG old-dss
+EXPL "MISSI DSS Algorithm (Old)"
+NAME NSS_OID_MISSI_DSS_OLD
+
+# This is labeled as "### mwelch temporary"
+# Is it official?? XXX fgmr
+OID 2.16.840.1.101.2.1.1.4
+TAG skipjack-cbc-64
+EXPL "Skipjack CBC64"
+NAME NSS_OID_FORTEZZA_SKIPJACK
+CKM CKM_SKIPJACK_CBC64
+
+OID 2.16.840.1.101.2.1.1.10
+TAG kea
+EXPL "MISSI KEA Algorithm"
+NAME NSS_OID_MISSI_KEA
+
+OID 2.16.840.1.101.2.1.1.12
+TAG old-kea-dss
+EXPL "MISSI KEA and DSS Algorithm (Old)"
+NAME NSS_OID_MISSI_KEA_DSS_OLD
+
+OID 2.16.840.1.101.2.1.1.19
+TAG dss
+EXPL "MISSI DSS Algorithm"
+NAME NSS_OID_MISSI_DSS
+
+OID 2.16.840.1.101.2.1.1.20
+TAG kea-dss
+EXPL "MISSI KEA and DSS Algorithm"
+NAME NSS_OID_MISSI_KEA_DSS
+
+OID 2.16.840.1.101.2.1.1.22
+TAG alt-kea
+EXPL "MISSI Alternate KEA Algorithm"
+NAME NSS_OID_MISSI_ALT_KEY
+
+OID 2.16.840.1.101.2.1.2 
+TAG id-formats
+EXPL "US DOD Infosec formats"
+
+OID 2.16.840.1.101.2.1.3 
+TAG id-policy
+EXPL "US DOD Infosec policy"
+
+OID 2.16.840.1.101.2.1.4 
+TAG id-object-classes
+EXPL "US DOD Infosec object classes"
+
+OID 2.16.840.1.101.2.1.5 
+TAG id-attributes
+EXPL "US DOD Infosec attributes"
+
+OID 2.16.840.1.101.2.1.6 
+TAG id-attribute-syntax
+EXPL "US DOD Infosec attribute syntax"
+
+OID 2.16.840.1.113730 
+# The Netscape OID space
+TAG netscape
+EXPL "Netscape Communications Corp."
+
+OID 2.16.840.1.113730.1
+TAG cert-ext
+EXPL "Netscape Cert Extensions"
+
+OID 2.16.840.1.113730.1.1
+TAG cert-type
+EXPL "Certificate Type"
+NAME NSS_OID_NS_CERT_EXT_CERT_TYPE
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.2
+TAG base-url
+EXPL "Certificate Extension Base URL"
+NAME NSS_OID_NS_CERT_EXT_BASE_URL
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.3
+TAG revocation-url
+EXPL "Certificate Revocation URL"
+NAME NSS_OID_NS_CERT_EXT_REVOCATION_URL
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.4
+TAG ca-revocation-url
+EXPL "Certificate Authority Revocation URL"
+NAME NSS_OID_NS_CERT_EXT_CA_REVOCATION_URL
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.5
+TAG ca-crl-download-url
+EXPL "Certificate Authority CRL Download URL"
+NAME NSS_OID_NS_CERT_EXT_CA_CRL_URL
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.1.113730.1.6
+TAG ca-cert-url
+EXPL "Certificate Authority Certificate Download URL"
+NAME NSS_OID_NS_CERT_EXT_CA_CERT_URL
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.1.113730.1.7
+TAG renewal-url
+EXPL "Certificate Renewal URL"
+NAME NSS_OID_NS_CERT_EXT_CERT_RENEWAL_URL
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.8
+TAG ca-policy-url
+EXPL "Certificate Authority Policy URL"
+NAME NSS_OID_NS_CERT_EXT_CA_POLICY_URL
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.9
+TAG homepage-url
+EXPL "Certificate Homepage URL"
+NAME NSS_OID_NS_CERT_EXT_HOMEPAGE_URL
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.1.113730.1.10
+TAG entity-logo
+EXPL "Certificate Entity Logo"
+NAME NSS_OID_NS_CERT_EXT_ENTITY_LOGO
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.1.113730.1.11
+TAG user-picture
+EXPL "Certificate User Picture"
+NAME NSS_OID_NS_CERT_EXT_USER_PICTURE
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.1.113730.1.12
+TAG ssl-server-name
+EXPL "Certificate SSL Server Name"
+NAME NSS_OID_NS_CERT_EXT_SSL_SERVER_NAME
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.13
+TAG comment
+EXPL "Certificate Comment"
+NAME NSS_OID_NS_CERT_EXT_COMMENT
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.1.14
+TAG thayes
+EXPL ""
+NAME NSS_OID_NS_CERT_EXT_THAYES
+CERT_EXTENSION SUPPORTED
+
+OID 2.16.840.1.113730.2
+TAG data-type
+EXPL "Netscape Data Types"
+
+OID 2.16.840.1.113730.2.1 
+TAG gif
+EXPL "image/gif"
+NAME NSS_OID_NS_TYPE_GIF
+
+OID 2.16.840.1.113730.2.2 
+TAG jpeg
+EXPL "image/jpeg"
+NAME NSS_OID_NS_TYPE_JPEG
+
+OID 2.16.840.1.113730.2.3 
+TAG url
+EXPL "URL"
+NAME NSS_OID_NS_TYPE_URL
+
+OID 2.16.840.1.113730.2.4 
+TAG html
+EXPL "text/html"
+NAME NSS_OID_NS_TYPE_HTML
+
+OID 2.16.840.1.113730.2.5 
+TAG cert-sequence
+EXPL "Certificate Sequence"
+NAME NSS_OID_NS_TYPE_CERT_SEQUENCE
+
+OID 2.16.840.1.113730.3
+# The Netscape Directory OID space
+TAG directory
+EXPL "Netscape Directory"
+
+OID 2.16.840.1.113730.4
+TAG policy
+EXPL "Netscape Policy Type OIDs"
+
+OID 2.16.840.1.113730.4.1
+TAG export-approved
+EXPL "Strong Crypto Export Approved"
+NAME NSS_OID_NS_KEY_USAGE_GOVT_APPROVED
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.1.113730.5
+TAG cert-server
+EXPL "Netscape Certificate Server"
+
+OID 2.16.840.1.113730.5.1
+
+OID 2.16.840.1.113730.5.1.1
+TAG recovery-request
+EXPL "Netscape Cert Server Recovery Request"
+NAME NSS_OID_NETSCAPE_RECOVERY_REQUEST
+
+OID 2.16.840.1.113730.6
+TAG algs
+EXPL "Netscape algorithm OIDs"
+
+OID 2.16.840.1.113730.6.1
+TAG smime-kea
+EXPL "Netscape S/MIME KEA"
+NAME NSS_OID_NETSCAPE_SMIME_KEA
+
+OID 2.16.840.1.113730.7
+TAG name-components
+EXPL "Netscape Name Components"
+
+OID 2.16.840.1.113730.7.1
+TAG nickname
+EXPL "Netscape Nickname"
+NAME NSS_OID_NETSCAPE_NICKNAME
+
+OID 2.16.840.1.113733 
+TAG verisign
+EXPL "Verisign"
+
+OID 2.16.840.1.113733.1
+
+OID 2.16.840.1.113733.1.7
+
+OID 2.16.840.1.113733.1.7.1
+
+OID 2.16.840.1.113733.1.7.1.1
+TAG verisign-user-notices
+EXPL "Verisign User Notices"
+NAME NSS_OID_VERISIGN_USER_NOTICES
+
+OID 2.16.840.101 
+TAG us-government
+EXPL "US Government (101)"
+
+OID 2.16.840.102 
+TAG us-government2
+EXPL "US Government (102)"
+ 
+OID 2.16.840.11370 
+TAG old-netscape
+EXPL "Netscape Communications Corp. (Old)"
+
+OID 2.16.840.11370.1 
+TAG ns-cert-ext
+EXPL "Netscape Cert Extensions (Old NS)"
+
+OID 2.16.840.11370.1.1 
+TAG netscape-ok
+EXPL "Netscape says this cert is ok (Old NS)"
+NAME NSS_OID_NS_CERT_EXT_NETSCAPE_OK
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.11370.1.2
+TAG issuer-logo
+EXPL "Certificate Issuer Logo (Old NS)"
+NAME NSS_OID_NS_CERT_EXT_ISSUER_LOGO
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.11370.1.3
+TAG subject-logo
+EXPL "Certificate Subject Logo (Old NS)"
+NAME NSS_OID_NS_CERT_EXT_SUBJECT_LOGO
+CERT_EXTENSION UNSUPPORTED
+
+OID 2.16.840.11370.2 
+TAG ns-file-type
+EXPL "Netscape File Type"
+
+OID 2.16.840.11370.3 
+TAG ns-image-type
+EXPL "Netscape Image Type"
+
+OID 2.17
+TAG registration-procedures
+EXPL "Registration procedures"
+
+OID 2.18
+TAG physical-layer-management
+EXPL "Physical layer Management"
+
+OID 2.19
+TAG mheg
+EXPL "MHEG"
+
+OID 2.20
+TAG guls
+EXPL "Generic Upper Layer Security"
+
+OID 2.21
+TAG tls
+EXPL "Transport Layer Security Protocol"
+
+OID 2.22
+TAG nls
+EXPL "Network Layer Security Protocol"
+
+OID 2.23
+TAG organization
+EXPL "International organizations"
diff --git a/security/nss/lib/pki1/pki1.h b/security/nss/lib/pki1/pki1.h
new file mode 100644
index 000000000..15d29685d
--- /dev/null
+++ b/security/nss/lib/pki1/pki1.h
@@ -0,0 +1,3032 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef PKI1_H
+#define PKI1_H
+
+#ifdef DEBUG
+static const char PKI1_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * pki1.h
+ *
+ * This file contains the prototypes to the non-public NSS routines
+ * relating to the PKIX part-1 objects.
+ */
+
+#ifndef PKI1T_H
+#include "pki1t.h"
+#endif /* PKI1T_H */
+
+#ifndef NSSPKI1_H
+#include "nsspki1.h"
+#endif /* NSSPKI1_H */
+
+PR_BEGIN_EXTERN_C
+
+/* fgmr 19990505 moved these here from oiddata.h */
+extern const nssAttributeTypeAliasTable nss_attribute_type_aliases[];
+extern const PRUint32 nss_attribute_type_alias_count;
+
+/*
+ * NSSOID
+ *
+ * The non-public "methods" regarding this "object" are:
+ *
+ *  nssOID_CreateFromBER   -- constructor
+ *  nssOID_CreateFromUTF8  -- constructor
+ *  (there is no explicit destructor)
+ * 
+ *  nssOID_GetDEREncoding
+ *  nssOID_GetUTF8Encoding
+ *
+ * In debug builds, the following non-public calls are also available:
+ *
+ *  nssOID_verifyPointer
+ *  nssOID_getExplanation
+ *  nssOID_getTaggedUTF8
+ */
+
+/*
+ * nssOID_CreateFromBER
+ *
+ * This routine creates an NSSOID by decoding a BER- or DER-encoded
+ * OID.  It may return NSS_OID_UNKNOWN upon error, in which case it 
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+nssOID_CreateFromBER
+(
+  NSSBER *berOid
+);
+
+extern const NSSError NSS_ERROR_INVALID_BER;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * nssOID_CreateFromUTF8
+ *
+ * This routine creates an NSSOID by decoding a UTF8 string 
+ * representation of an OID in dotted-number format.  The string may 
+ * optionally begin with an octothorpe.  It may return NSS_OID_UNKNOWN
+ * upon error, in which case it will have set an error on the error 
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  An NSSOID upon success
+ */
+
+NSS_EXTERN NSSOID *
+nssOID_CreateFromUTF8
+(
+  NSSUTF8 *stringOid
+);
+
+extern const NSSError NSS_ERROR_INVALID_UTF8;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+
+/*
+ * nssOID_GetDEREncoding
+ *
+ * This routine returns the DER encoding of the specified NSSOID.
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return return null upon error, in 
+ * which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSOID
+ */
+
+NSS_EXTERN NSSDER *
+nssOID_GetDEREncoding
+(
+  const NSSOID *oid,
+  NSSDER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssOID_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing the dotted-number 
+ * encoding of the specified NSSOID.  If the optional arena argument 
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return null upon error, in which case it will have set an error
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the dotted-digit encoding of 
+ *      this NSSOID
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssOID_GetUTF8Encoding
+(
+  const NSSOID *oid,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssOID_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid poitner to an NSSOID object, 
+ * this routine will return PR_SUCCESS.  Otherwise, it will put an 
+ * error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+#ifdef DEBUG
+NSS_EXTERN PRStatus
+nssOID_verifyPointer
+(
+  const NSSOID *oid
+);
+
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+#endif /* DEBUG */
+
+/*
+ * nssOID_getExplanation
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine will return a static pointer to a UTF8-encoded string
+ * describing (in English) the specified OID.  The memory pointed to
+ * by the return value is not owned by the caller, and should not be
+ * freed or modified.  Note that explanations are only provided for
+ * the OIDs built into the NSS library; there is no way to specify an
+ * explanation for dynamically created OIDs.  This routine is intended
+ * only for use in debugging tools such as "derdump."  This routine
+ * may return null upon error, in which case it will have placed an
+ * error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSOID
+ *
+ * Return value:
+ *  NULL upon error
+ *  A static pointer to a readonly, non-caller-owned UTF8-encoded
+ *    string explaining the specified OID.
+ */
+
+#ifdef DEBUG
+NSS_EXTERN const NSSUTF8 *
+nssOID_getExplanation
+(
+  NSSOID *oid
+);
+
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+#endif /* DEBUG */
+
+/*
+ * nssOID_getTaggedUTF8
+ *
+ * This method is only present in debug builds.
+ *
+ * This routine will return a pointer to a caller-owned UTF8-encoded
+ * string containing a tagged encoding of the specified OID.  Note
+ * that OID (component) tags are only provided for the OIDs built 
+ * into the NSS library; there is no way to specify tags for 
+ * dynamically created OIDs.  This routine is intended for use in
+ * debugging tools such as "derdump."   If the optional arena argument
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine 
+ * may return return null upon error, in which case it will have set 
+ * an error on the error stack.
+ *
+ * The error may be one of the following values
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the tagged encoding of
+ *      this NSSOID
+ */
+
+#ifdef DEBUG
+NSS_EXTERN NSSUTF8 *
+nssOID_getTaggedUTF8
+(
+  NSSOID *oid,
+  NSSArena *arenaOpt
+);
+
+extern const NSSError NSS_ERROR_INVALID_NSSOID;
+extern const NSSError NSS_ERROR_NO_MEMORY;
+#endif /* DEBUG */
+
+/*
+ * NSSATAV
+ *
+ * The non-public "methods" regarding this "object" are:
+ *
+ *  nssATAV_CreateFromBER   -- constructor
+ *  nssATAV_CreateFromUTF8  -- constructor
+ *  nssATAV_Create          -- constructor
+ *
+ *  nssATAV_Destroy
+ *  nssATAV_GetDEREncoding
+ *  nssATAV_GetUTF8Encoding
+ *  nssATAV_GetType
+ *  nssATAV_GetValue
+ *  nssATAV_Compare
+ *  nssATAV_Duplicate
+ *
+ * In debug builds, the following non-public call is also available:
+ *
+ *  nssATAV_verifyPointer
+ */
+
+/*
+ * nssATAV_CreateFromBER
+ * 
+ * This routine creates an NSSATAV by decoding a BER- or DER-encoded
+ * ATAV.  If the optional arena argument is non-null, the memory used 
+ * will be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error, 
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_EXTERN NSSATAV *
+nssATAV_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  const NSSBER *berATAV
+);
+
+/*
+ * nssATAV_CreateFromUTF8
+ *
+ * This routine creates an NSSATAV by decoding a UTF8 string in the
+ * "equals" format, e.g., "c=US."  If the optional arena argument is 
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have set an error 
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_EXTERN NSSATAV *
+nssATAV_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  const NSSUTF8 *stringATAV
+);
+
+/*
+ * nssATAV_Create
+ *
+ * This routine creates an NSSATAV from the specified NSSOID and the
+ * specified data. If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory
+ * will be obtained from the heap.If the specified data length is zero, 
+ * the data is assumed to be terminated by first zero byte; this allows 
+ * UTF8 strings to be easily specified.  This routine may return NULL 
+ * upon error, in which case it will have set an error on the error 
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_NSSOID
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSATAV upon success
+ */
+
+NSS_EXTERN NSSATAV *
+nssATAV_Create
+(
+  NSSArena *arenaOpt,
+  const NSSOID *oid,
+  const void *data,
+  PRUint32 length
+);
+
+/*
+ * nssATAV_Destroy
+ *
+ * This routine will destroy an ATAV object.  It should eventually be
+ * called on all ATAVs created without an arena.  While it is not 
+ * necessary to call it on ATAVs created within an arena, it is not an
+ * error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * set an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssATAV_Destroy
+(
+  NSSATAV *atav
+);
+
+/*
+ * nssATAV_GetDEREncoding
+ *
+ * This routine will DER-encode an ATAV object. If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have set
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSATAV
+ */
+
+NSS_EXTERN NSSDER *
+nssATAV_GetDEREncoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssATAV_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the ATAV in "equals" notation (e.g., "o=Acme").  
+ * If the optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return null upon error, in which 
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string containing the "equals" encoding of the 
+ *      ATAV
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssATAV_GetUTF8Encoding
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssATAV_GetType
+ *
+ * This routine returns the NSSOID corresponding to the attribute type
+ * in the specified ATAV.  This routine may return NSS_OID_UNKNOWN 
+ * upon error, in which case it will have set an error on the error
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NSS_OID_UNKNOWN upon error
+ *  An element of enum NSSOIDenum upon success
+ */
+
+NSS_EXTERN const NSSOID *
+nssATAV_GetType
+(
+  NSSATAV *atav
+);
+
+/*
+ * nssATAV_GetValue
+ *
+ * This routine returns a string containing the attribute value
+ * in the specified ATAV.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have set an error upon the
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSItem containing the attribute value.
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssATAV_GetValue
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssATAV_Compare
+ *
+ * This routine compares two ATAVs for equality.  For two ATAVs to be
+ * equal, the attribute types must be the same, and the attribute 
+ * values must have equal length and contents.  The result of the 
+ * comparison will be stored at the location pointed to by the "equalp"
+ * variable, which must point to a valid PRBool.  This routine may 
+ * return PR_FAILURE upon error, in which case it will have set an 
+ * error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+nssATAV_Compare
+(
+  NSSATAV *atav1,
+  NSSATAV *atav2,
+  PRBool *equalp
+);
+
+/*
+ * nssATAV_Duplicate
+ *
+ * This routine duplicates the specified ATAV.  If the optional arena 
+ * argument is non-null, the memory required will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * placed an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL on error
+ *  A pointer to a new ATAV
+ */
+
+NSS_EXTERN NSSATAV *
+nssATAV_Duplicate
+(
+  NSSATAV *atav,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssATAV_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSATAV object,
+ * this routine will return PR_SUCCESS.  Otherwise, it will put an
+ * error on the error stack and return PR_FAILRUE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NSSATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+#ifdef DEBUG
+NSS_EXTERN PRStatus
+nssATAV_verifyPointer
+(
+  NSSATAV *atav
+);
+#endif /* DEBUG */
+
+/*
+ * NSSRDN
+ *
+ * The non-public "methods" regarding this "object" are:
+ *
+ *  nssRDN_CreateFromBER   -- constructor
+ *  nssRDN_CreateFromUTF8  -- constructor
+ *  nssRDN_Create          -- constructor
+ *  nssRDN_CreateSimple    -- constructor
+ *
+ *  nssRDN_Destroy
+ *  nssRDN_GetDEREncoding
+ *  nssRDN_GetUTF8Encoding
+ *  nssRDN_AddATAV
+ *  nssRDN_GetATAVCount
+ *  nssRDN_GetATAV
+ *  nssRDN_GetSimpleATAV
+ *  nssRDN_Compare
+ *  nssRDN_Duplicate
+ */
+
+/*
+ * nssRDN_CreateFromBER
+ *
+ * This routine creates an NSSRDN by decoding a BER- or DER-encoded 
+ * RDN.  If the optional arena argument is non-null, the memory used 
+ * will be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error, 
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+nssRDN_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berRDN
+);
+
+/*
+ * nssRDN_CreateFromUTF8
+ *
+ * This routine creates an NSSRDN by decoding an UTF8 string 
+ * consisting of either a single ATAV in the "equals" format, e.g., 
+ * "uid=smith," or one or more such ATAVs in parentheses, e.g., 
+ * "(sn=Smith,ou=Sales)."  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have set an error on the
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+nssRDN_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringRDN
+);
+
+/*
+ * nssRDN_Create
+ *
+ * This routine creates an NSSRDN from one or more NSSATAVs.  The
+ * final argument to this routine must be NULL.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have set
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+nssRDN_Create
+(
+  NSSArena *arenaOpt,
+  NSSATAV *atav1,
+  ...
+);
+
+/*
+ * nssRDN_CreateSimple
+ *
+ * This routine creates a simple NSSRDN from a single NSSATAV.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDN upon success
+ */
+
+NSS_EXTERN NSSRDN *
+nssRDN_CreateSimple
+(
+  NSSArena *arenaOpt,
+  NSSATAV *atav
+);
+
+/*
+ * nssRDN_Destroy
+ *
+ * This routine will destroy an RDN object.  It should eventually be
+ * called on all RDNs created without an arena.  While it is not 
+ * necessary to call it on RDNs created within an arena, it is not an
+ * error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will 
+ * set an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *
+ * Return value:
+ *  PR_FAILURE upon failure
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssRDN_Destroy
+(
+  NSSRDN *rdn
+);
+
+/*
+ * nssRDN_GetDEREncoding
+ *
+ * This routine will DER-encode an RDN object.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have set
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSRDN
+ */
+
+NSS_EXTERN NSSDER *
+nssRDN_GetDEREncoding
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssRDN_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the RDN.  A simple (one-ATAV) RDN will be simply
+ * the string representation of that ATAV; a non-simple RDN will be in
+ * parenthesised form.  If the optional arena argument is non-null, 
+ * the memory used will be obtained from that arena; otherwise, the 
+ * memory will be obtained from the heap.  This routine may return 
+ * null upon error, in which case it will have set an error on the 
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssRDN_GetUTF8Encoding
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssRDN_AddATAV
+ *
+ * This routine adds an ATAV to the set of ATAVs in the specified RDN.
+ * Remember that RDNs consist of an unordered set of ATAVs.  If the
+ * RDN was created with a non-null arena argument, that same arena
+ * will be used for any additional required memory.  If the RDN was 
+ * created with a NULL arena argument, any additional memory will
+ * be obtained from the heap.  This routine returns a PRStatus value;
+ * it will return PR_SUCCESS upon success, and upon failure it will
+ * set an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_INVALID_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssRDN_AddATAV
+(
+  NSSRDN *rdn,
+  NSSATAV *atav
+);
+
+/*
+ * nssRDN_GetATAVCount
+ *
+ * This routine returns the cardinality of the set of ATAVs within
+ * the specified RDN.  This routine may return 0 upon error, in which 
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *
+ * Return value:
+ *  0 upon error
+ *  A positive number upon success
+ */
+
+NSS_EXTERN PRUint32
+nssRDN_GetATAVCount
+(
+  NSSRDN *rdn
+);
+
+/*
+ * nssRDN_GetATAV
+ *
+ * This routine returns a pointer to an ATAV that is a member of
+ * the set of ATAVs within the specified RDN.  While the set of
+ * ATAVs within an RDN is unordered, this routine will return
+ * distinct values for distinct values of 'i' as long as the RDN
+ * is not changed in any way.  The RDN may be changed by calling
+ * NSSRDN_AddATAV.  The value of the variable 'i' is on the range
+ * [0,c) where c is the cardinality returned from NSSRDN_GetATAVCount.
+ * The caller owns the ATAV the pointer to which is returned.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have set an error upon the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSATAV
+ */
+
+NSS_EXTERN NSSATAV *
+nssRDN_GetATAV
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt,
+  PRUint32 i
+);
+
+/*
+ * nssRDN_GetSimpleATAV
+ *
+ * Most RDNs are actually very simple, with a single ATAV.  This 
+ * routine will return the single ATAV from such an RDN.  The caller
+ * owns the ATAV the pointer to which is returned.  If the optional
+ * arena argument is non-null, the memory used will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.
+ * This routine may return NULL upon error, including the case where
+ * the set of ATAVs in the RDN is nonsingular.  Upon error, this
+ * routine will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_RDN_NOT_SIMPLE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSATAV
+ */
+
+NSS_EXTERN NSSATAV *
+nssRDN_GetSimpleATAV
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssRDN_Compare
+ *
+ * This routine compares two RDNs for equality.  For two RDNs to be
+ * equal, they must have the same number of ATAVs, and every ATAV in
+ * one must be equal to an ATAV in the other.  (Note that the sets
+ * of ATAVs are unordered.)  The result of the comparison will be
+ * stored at the location pointed to by the "equalp" variable, which
+ * must point to a valid PRBool.  This routine may return PR_FAILURE
+ * upon error, in which case it will have set an error on the error
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+nssRDN_Compare
+(
+  NSSRDN *rdn1,
+  NSSRDN *rdn2,
+  PRBool *equalp
+);
+
+/*
+ * nssRDN_Duplicate
+ *
+ * This routine duplicates the specified RDN.  If the optional arena
+ * argument is non-null, the memory required will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.
+ * This routine may return NULL upon error, in which case it will have
+ * placed an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL on error
+ *  A pointer to a new RDN
+ */
+
+NSS_EXTERN NSSRDN *
+nssRDN_Duplicate
+(
+  NSSRDN *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSRDNSeq
+ *
+ * The non-public "methods" regarding this "object" are:
+ *
+ *  nssRDNSeq_CreateFromBER   -- constructor
+ *  nssRDNSeq_CreateFromUTF8  -- constructor
+ *  nssRDNSeq_Create          -- constructor
+ *
+ *  nssRDNSeq_Destroy
+ *  nssRDNSeq_GetDEREncoding
+ *  nssRDNSeq_GetUTF8Encoding
+ *  nssRDNSeq_AppendRDN
+ *  nssRDNSeq_GetRDNCount
+ *  nssRDNSeq_GetRDN
+ *  nssRDNSeq_Compare
+ *  nssRDNSeq_Duplicate
+ *
+ *  nssRDNSeq_EvaluateUTF8 -- not an object method
+ */
+
+/*
+ * nssRDNSeq_CreateFromBER
+ *
+ * This routine creates an NSSRDNSeq by decoding a BER- or DER-encoded 
+ * sequence of RDNs.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  This routine may return 
+ * NULL upon error, in which case it will have set an error on the
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDNSeq upon success
+ */
+
+NSS_EXTERN NSSRDNSeq *
+nssRDNSeq_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berRDNSeq
+);
+
+/*
+ * nssRDNSeq_CreateFromUTF8
+ *
+ * This routine creates an NSSRDNSeq by decoding a UTF8 string
+ * consisting of a comma-separated sequence of RDNs, such as
+ * "(sn=Smith,ou=Sales),o=Acme,c=US."  If the optional arena argument
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have set an error
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSRDNSeq upon success
+ */
+
+NSS_EXTERN NSSRDNSeq *
+nssRDNSeq_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringRDNSeq
+);
+
+/*
+ * nssRDNSeq_Create
+ *
+ * This routine creates an NSSRDNSeq from one or more NSSRDNs.  The
+ * final argument to this routine must be NULL.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have set
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_RDN
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointero to an NSSRDNSeq upon success
+ */
+
+NSS_EXTERN NSSRDNSeq *
+nssRDNSeq_Create
+(
+  NSSArena *arenaOpt,
+  NSSRDN *rdn1,
+  ...
+);
+
+/*
+ * nssRDNSeq_Destroy
+ *
+ * This routine will destroy an RDNSeq object.  It should eventually 
+ * be called on all RDNSeqs created without an arena.  While it is not
+ * necessary to call it on RDNSeqs created within an arena, it is not
+ * an error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * set an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssRDNSeq_Destroy
+(
+  NSSRDNSeq *rdnseq
+);
+
+/*
+ * nssRDNSeq_GetDEREncoding
+ *
+ * This routine will DER-encode an RDNSeq object.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from
+ * that arena; otherwise, the memory will be obtained from the heap.
+ * This routine may return null upon error, in which case it will have
+ * set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSRDNSeq
+ */
+
+NSS_EXTERN NSSDER *
+nssRDNSeq_GetDEREncoding
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssRDNSeq_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the RDNSeq as a comma-separated sequence of RDNs.  
+ * If the optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return null upon error, in which 
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssRDNSeq_GetUTF8Encoding
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssRDNSeq_AppendRDN
+ *
+ * This routine appends an RDN to the end of the existing RDN 
+ * sequence.  If the RDNSeq was created with a non-null arena 
+ * argument, that same arena will be used for any additional required
+ * memory.  If the RDNSeq was created with a NULL arena argument, any
+ * additional memory will be obtained from the heap.  This routine
+ * returns a PRStatus value; it will return PR_SUCCESS upon success,
+ * and upon failure it will set an error on the error stack and return
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_INVALID_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssRDNSeq_AppendRDN
+(
+  NSSRDNSeq *rdnseq,
+  NSSRDN *rdn
+);
+
+/*
+ * nssRDNSeq_GetRDNCount
+ *
+ * This routine returns the cardinality of the sequence of RDNs within
+ * the specified RDNSeq.  This routine may return 0 upon error, in 
+ * which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *
+ * Return value:
+ *  0 upon error
+ *  A positive number upon success
+ */
+
+NSS_EXTERN PRUint32
+nssRDNSeq_GetRDNCount
+(
+  NSSRDNSeq *rdnseq
+);
+
+/*
+ * nssRDNSeq_GetRDN
+ *
+ * This routine returns a pointer to the i'th RDN in the sequence of
+ * RDNs that make up the specified RDNSeq.  The sequence begins with
+ * the top-level (e.g., "c=US") RDN.  The value of the variable 'i'
+ * is on the range [0,c) where c is the cardinality returned from
+ * NSSRDNSeq_GetRDNCount.  The caller owns the RDN the pointer to which
+ * is returned.  If the optional arena argument is non-null, the memory
+ * used will be obtained from that areana; otherwise, the memory will 
+ * be obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have set an error upon the error stack.  Note
+ * that the usual UTF8 representation of RDN Sequences is from last
+ * to first.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRDN
+ */
+
+NSS_EXTERN NSSRDN *
+nssRDNSeq_GetRDN
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt,
+  PRUint32 i
+);
+
+/*
+ * nssRDNSeq_Compare
+ *
+ * This routine compares two RDNSeqs for equality.  For two RDNSeqs to 
+ * be equal, they must have the same number of RDNs, and each RDN in
+ * one sequence must be equal to the corresponding RDN in the other
+ * sequence.  The result of the comparison will be stored at the
+ * location pointed to by the "equalp" variable, which must point to a
+ * valid PRBool.  This routine may return PR_FAILURE upon error, in
+ * which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+nssRDNSeq_Compare
+(
+  NSSRDNSeq *rdnseq1,
+  NSSRDNSeq *rdnseq2,
+  PRBool *equalp
+);
+
+/*
+ * nssRDNSeq_Duplicate
+ *
+ * This routine duplicates the specified RDNSeq.  If the optional arena
+ * argument is non-null, the memory required will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This 
+ * routine may return NULL upon error, in which case it will have 
+ * placed an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_RDNSEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new RDNSeq
+ */
+
+NSS_EXTERN NSSRDNSeq *
+nssRDNSeq_Duplicate
+(
+  NSSRDNSeq *rdnseq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssRDNSeq_EvaluateUTF8
+ *
+ * This routine evaluates a UTF8 string, and returns PR_TRUE if the 
+ * string contains the string representation of an RDNSeq.  This 
+ * routine is used by the (directory) Name routines 
+ * nssName_CreateFromUTF8 and nssName_EvaluateUTF8 to determine which
+ * choice of directory name the string may encode.  This routine may 
+ * return PR_FALSE upon error, but it subsumes that condition under the
+ * general "string does not evaluate as an RDNSeq" state, and does not
+ * set an error on the error stack.
+ *
+ * Return value:
+ *  PR_TRUE if the string represents an RDNSeq
+ *  PR_FALSE if otherwise
+ */
+
+NSS_EXTERN PRBool
+nssRDNSeq_EvaluateUTF8
+(
+  NSSUTF8 *str
+);
+
+/*
+ * NSSName
+ *
+ * The non-public "methods" regarding this "object" are:
+ *
+ * nssName_CreateFromBER   -- constructor
+ * nssName_CreateFromUTF8  -- constructor
+ * nssName_Create          -- constructor
+ *
+ * nssName_Destroy
+ * nssName_GetDEREncoding
+ * nssName_GetUTF8Encoding
+ * nssName_GetChoice
+ * nssName_GetRDNSequence
+ * nssName_GetSpecifiedChoice
+ * nssName_Compare
+ * nssName_Duplicate
+ *
+ * nssName_GetUID
+ * nssName_GetEmail
+ * nssName_GetCommonName
+ * nssName_GetOrganization
+ * nssName_GetOrganizationalUnits
+ * nssName_GetStateOrProvince
+ * nssName_GetLocality
+ * nssName_GetCountry
+ * nssName_GetAttribute
+ *
+ * nssName_EvaluateUTF8 -- not an object method
+ */
+
+/*
+ * nssName_CreateFromBER
+ *
+ * This routine creates an NSSName by decoding a BER- or DER-encoded 
+ * (directory) Name.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, 
+ * the memory will be obtained from the heap.  This routine may
+ * return NULL upon error, in which case it will have set an error
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSName upon success
+ */
+
+NSS_EXTERN NSSName *
+nssName_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berName
+);
+
+/*
+ * nssName_CreateFromUTF8
+ *
+ * This routine creates an NSSName by decoding a UTF8 string 
+ * consisting of the string representation of one of the choices of 
+ * (directory) names.  Currently the only choice is an RDNSeq.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  The routine may return NULL upon error, in which
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSName upon success
+ */
+
+NSS_EXTERN NSSName *
+nssName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringName
+);
+
+/*
+ * nssName_Create
+ *
+ * This routine creates an NSSName with the specified choice of
+ * underlying name types.  The value of the choice variable must be
+ * one of the values of the NSSNameChoice enumeration, and the type
+ * of the arg variable must be as specified in the following table:
+ *
+ *   Choice                     Type
+ *   ========================   ===========
+ *   NSSNameChoiceRdnSequence   NSSRDNSeq *
+ *
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_CHOICE
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSName upon success
+ */
+
+NSS_EXTERN NSSName *
+nssName_Create
+(
+  NSSArena *arenaOpt,
+  NSSNameChoice choice,
+  void *arg
+);
+
+/*
+ * nssName_Destroy
+ *
+ * This routine will destroy a Name object.  It should eventually be
+ * called on all Names created without an arena.  While it is not
+ * necessary to call it on Names created within an arena, it is not
+ * an error to do so.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  If unsuccessful, it will
+ * set an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssName_Destroy
+(
+  NSSName *name
+);
+
+/*
+ * nssName_GetDEREncoding
+ *
+ * This routine will DER-encode a name object.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have set
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSName
+ */
+
+NSS_EXTERN NSSDER *
+nssName_GetDEREncoding
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the Name in the format specified by the 
+ * underlying name choice.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the 
+ * memory will be obtained from the heap.  This routine may return
+ * NULL upon error, in which case it will have set an error on the 
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to the UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssName_GetUTF8Encoding
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetChoice
+ *
+ * This routine returns the type of the choice underlying the specified
+ * name.  The return value will be a member of the NSSNameChoice 
+ * enumeration.  This routine may return NSSNameChoiceInvalid upon 
+ * error, in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *
+ * Return value:
+ *  NSSNameChoiceInvalid upon error
+ *  An other member of the NSSNameChoice enumeration upon success
+ */
+
+NSS_EXTERN NSSNameChoice
+nssName_GetChoice
+(
+  NSSName *name
+);
+
+/*
+ * nssName_GetRDNSequence
+ *
+ * If the choice underlying the specified NSSName is that of an 
+ * RDNSequence, this routine will return a pointer to that RDN
+ * sequence.  Otherwise, this routine will place an error on the
+ * error stack, and return NULL.  If the optional arena argument is
+ * non-null, the memory required will be obtained from that arena;
+ * otherwise, the memory will be obtained from the heap.  The
+ * caller owns the returned pointer.  This routine may return NULL
+ * upon error, in which case it will have set an error on the error
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRDNSeq
+ */
+
+NSS_EXTERN NSSRDNSeq *
+nssName_GetRDNSequence
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetSpecifiedChoice
+ *
+ * If the choice underlying the specified NSSName matches the specified
+ * choice, a caller-owned pointer to that underlying object will be
+ * returned.  Otherwise, an error will be placed on the error stack and
+ * NULL will be returned.  If the optional arena argument is non-null, 
+ * the memory required will be obtained from that arena; otherwise, the
+ * memory will be obtained from the heap.  The caller owns the returned
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer, which must be typecast
+ */
+
+NSS_EXTERN void *
+nssName_GetSpecifiedChoice
+(
+  NSSName *name,
+  NSSNameChoice choice,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_Compare
+ *
+ * This routine compares two Names for equality.  For two Names to be
+ * equal, they must have the same choice of underlying types, and the
+ * underlying values must be equal.  The result of the comparison will
+ * be stored at the location pointed to by the "equalp" variable, which
+ * must point to a valid PRBool. This routine may return PR_FAILURE
+ * upon error, in which case it will have set an error on the error
+ * stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE on error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+nssName_Compare
+(
+  NSSName *name1,
+  NSSName *name2,
+  PRBool *equalp
+);
+
+/*
+ * nssName_Duplicate
+ *
+ * This routine duplicates the specified nssname.  If the optional
+ * arena argument is non-null, the memory required will be obtained
+ * from that arena; otherwise, the memory will be obtained from the
+ * heap.  This routine may return NULL upon error, in which case it
+ * will have placed an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new NSSName
+ */
+
+NSS_EXTERN NSSName *
+nssName_Duplicate
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetUID
+ *
+ * This routine will attempt to derive a user identifier from the
+ * specified name, if the choices and content of the name permit.
+ * If the Name consists of a Sequence of Relative Distinguished 
+ * Names containing a UID attribute, the UID will be the value of 
+ * that attribute.  Note that no UID attribute is defined in either 
+ * PKIX or PKCS#9; rather, this seems to derive from RFC 1274, which 
+ * defines the type as a caseIgnoreString.  We'll return a Directory 
+ * String.  If the optional arena argument is non-null, the memory 
+ * used will be obtained from that arena; otherwise, the memory will 
+ * be obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_UID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String.
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssName_GetUID
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetEmail
+ *
+ * This routine will attempt to derive an email address from the
+ * specified name, if the choices and content of the name permit.  
+ * If the Name consists of a Sequence of Relative Distinguished 
+ * Names containing either a PKIX email address or a PKCS#9 email
+ * address, the result will be the value of that attribute.  If the
+ * optional arena argument is non-null, the memory used will be
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_EMAIL
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr IA5 String */
+nssName_GetEmail
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetCommonName
+ *
+ * This routine will attempt to derive a common name from the
+ * specified name, if the choices and content of the name permit.  
+ * If the Name consists of a Sequence of Relative Distinguished Names
+ * containing a PKIX Common Name, the result will be that name.  If 
+ * the optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_COMMON_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssName_GetCommonName
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetOrganization
+ *
+ * This routine will attempt to derive an organisation name from the
+ * specified name, if the choices and content of the name permit.  
+ * If Name consists of a Sequence of Relative Distinguished names 
+ * containing a PKIX Organization, the result will be the value of 
+ * that attribute.  If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  This routine may return NULL upon 
+ * error, in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_ORGANIZATION
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssName_GetOrganization
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetOrganizationalUnits
+ *
+ * This routine will attempt to derive a sequence of organisational 
+ * unit names from the specified name, if the choices and content of 
+ * the name permit.  If the Name consists of a Sequence of Relative 
+ * Distinguished Names containing one or more organisational units,
+ * the result will be the values of those attributes.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from 
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_ORGANIZATIONAL_UNITS
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a null-terminated array of UTF8 Strings
+ */
+
+NSS_EXTERN NSSUTF8 ** /* XXX fgmr DirectoryString */
+nssName_GetOrganizationalUnits
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetStateOrProvince
+ *
+ * This routine will attempt to derive a state or province name from 
+ * the specified name, if the choices and content of the name permit.
+ * If the Name consists of a Sequence of Relative Distinguished Names
+ * containing a state or province, the result will be the value of 
+ * that attribute.  If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  This routine may return NULL upon 
+ * error, in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_STATE_OR_PROVINCE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssName_GetStateOrProvince
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetLocality
+ *
+ * This routine will attempt to derive a locality name from the 
+ * specified name, if the choices and content of the name permit.  If
+ * the Name consists of a Sequence of Relative Distinguished names
+ * containing a Locality, the result will be the value of that 
+ * attribute.  If the optional arena argument is non-null, the memory 
+ * used will be obtained from that arena; otherwise, the memory will 
+ * be obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_LOCALITY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssName_GetLocality
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetCountry
+ *
+ * This routine will attempt to derive a country name from the 
+ * specified name, if the choices and content of the name permit.
+ * If the Name consists of a Sequence of Relative Distinguished 
+ * Names containing a Country, the result will be the value of
+ * that attribute..  If the optional arena argument is non-null, 
+ * the memory used will be obtained from that arena; otherwise, 
+ * the memory will be obtained from the heap.  This routine may 
+ * return NULL upon error, in which case it will have set an error 
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_COUNTRY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr PrintableString */
+nssName_GetCountry
+(
+  NSSName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_GetAttribute
+ *
+ * If the specified name consists of a Sequence of Relative 
+ * Distinguished Names containing an attribute with the specified 
+ * type, and the actual value of that attribute may be expressed 
+ * with a Directory String, then the value of that attribute will 
+ * be returned as a Directory String.  If the optional arena argument 
+ * is non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine 
+ * may return NULL upon error, in which case it will have set an error 
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_NAME
+ *  NSS_ERROR_NO_ATTRIBUTE
+ *  NSS_ERROR_ATTRIBUTE_VALUE_NOT_STRING
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssName_GetAttribute
+(
+  NSSName *name,
+  NSSOID *attribute,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssName_EvaluateUTF8
+ *
+ * This routine evaluates a UTF8 string, and returns PR_TRUE if the 
+ * string contains the string representation of an NSSName.  This 
+ * routine is used by the GeneralName routine 
+ * nssGeneralName_CreateFromUTF8 to determine which choice of
+ * general name the string may encode.  This routine may return 
+ * PR_FALSE upon error, but it subsumes that condition under the 
+ * general "string does not evaluate as a Name" state, and does not
+ * set an error on the error stack.
+ * 
+ * Return value:
+ *  PR_TRUE if the string represents a Name
+ *  PR_FALSE otherwise
+ */
+
+NSS_EXTERN PRBool
+nssName_EvaluateUTF8
+(
+  NSSUTF8 *str
+);
+
+/*
+ * NSSGeneralName
+ *
+ * The non-public "methods" regarding this "object" are:
+ *
+ * nssGeneralName_CreateFromBER   -- constructor
+ * nssGeneralName_CreateFromUTF8  -- constructor
+ * nssGeneralName_Create          -- constructor
+ *
+ * nssGeneralName_Destroy
+ * nssGeneralName_GetDEREncoding
+ * nssGeneralName_GetUTF8Encoding
+ * nssGeneralName_GetChoice
+ * nssGeneralName_GetOtherName
+ * nssGeneralName_GetRfc822Name
+ * nssGeneralName_GetDNSName
+ * nssGeneralName_GetX400Address
+ * nssGeneralName_GetDirectoryName
+ * nssGeneralName_GetEdiPartyName
+ * nssGeneralName_GetUniformResourceIdentifier
+ * nssGeneralName_GetIPAddress
+ * nssGeneralName_GetRegisteredID
+ * nssGeneralName_GetSpecifiedChoice
+ * nssGeneralName_Compare
+ * nssGeneralName_Duplicate
+ *
+ * nssGeneralName_GetUID
+ * nssGeneralName_GetEmail
+ * nssGeneralName_GetCommonName
+ * nssGeneralName_GetOrganization
+ * nssGeneralName_GetOrganizationalUnits
+ * nssGeneralName_GetStateOrProvince
+ * nssGeneralName_GetLocality
+ * nssGeneralName_GetCountry
+ * nssGeneralName_GetAttribute
+ */
+
+/*
+ * nssGeneralName_CreateFromBER
+ *
+ * This routine creates an NSSGeneralName by decoding a BER- or DER-
+ * encoded general name.  If the optional arena argument is non-null,
+ * the memory used will be obtained from that arena; otherwise, the 
+ * memory will be obtained from the heap.  This routine may return 
+ * NULL upon error, in which case it will have set an error on the 
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralName upon success
+ */
+
+NSS_EXTERN NSSGeneralName *
+nssGeneralName_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berGeneralName
+);
+
+/*
+ * nssGeneralName_CreateFromUTF8
+ *
+ * This routine creates an NSSGeneralName by decoding a UTF8 string
+ * consisting of the string representation of one of the choices of
+ * general names.  If the optional arena argument is non-null, the 
+ * memory used will be obtained from that arena; otherwise, the memory
+ * will be obtained from the heap.  The routine may return NULL upon
+ * error, in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralName upon success
+ */
+
+NSS_EXTERN NSSGeneralName *
+nssGeneralName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *stringGeneralName
+);
+
+/*
+ * nssGeneralName_Create
+ *
+ * This routine creates an NSSGeneralName with the specified choice of
+ * underlying name types.  The value of the choice variable must be one
+ * of the values of the NSSGeneralNameChoice enumeration, and the type
+ * of the arg variable must be as specified in the following table:
+ *
+ *   Choice                                         Type
+ *   ============================================   =========
+ *   NSSGeneralNameChoiceOtherName
+ *   NSSGeneralNameChoiceRfc822Name
+ *   NSSGeneralNameChoiceDNSName
+ *   NSSGeneralNameChoiceX400Address
+ *   NSSGeneralNameChoiceDirectoryName              NSSName *
+ *   NSSGeneralNameChoiceEdiPartyName
+ *   NSSGeneralNameChoiceUniformResourceIdentifier
+ *   NSSGeneralNameChoiceIPAddress
+ *   NSSGeneralNameChoiceRegisteredID
+ *
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one fo the following values:
+ *  NSS_ERROR_INVALID_CHOICE
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralName upon success
+ */
+
+NSS_EXTERN NSSGeneralName *
+nssGeneralName_Create
+(
+  NSSGeneralNameChoice choice,
+  void *arg
+);
+
+/*
+ * nssGeneralName_Destroy
+ * 
+ * This routine will destroy a General Name object.  It should 
+ * eventually be called on all General Names created without an arena.
+ * While it is not necessary to call it on General Names created within
+ * an arena, it is not an error to do so.  This routine returns a
+ * PRStatus value; if successful, it will return PR_SUCCESS. If 
+ * usuccessful, it will set an error on the error stack and return 
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *
+ * Return value:
+ *  PR_FAILURE upon failure
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssGeneralName_Destroy
+(
+  NSSGeneralName *generalName
+);
+
+/*
+ * nssGeneralName_GetDEREncoding
+ *
+ * This routine will DER-encode a name object.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return null upon error, in which case it will have set
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSGeneralName
+ */
+
+NSS_EXTERN NSSDER *
+nssGeneralName_GetDEREncoding
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetUTF8Encoding
+ *
+ * This routine returns a UTF8 string containing a string 
+ * representation of the General Name in the format specified by the
+ * underlying name choice.  If the optional arena argument is 
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have set an error
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 string
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssGeneralName_GetUTF8Encoding
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetChoice
+ *
+ * This routine returns the type of choice underlying the specified 
+ * general name.  The return value will be a member of the 
+ * NSSGeneralNameChoice enumeration.  This routine may return 
+ * NSSGeneralNameChoiceInvalid upon error, in which case it will have 
+ * set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *
+ * Return value:
+ *  NSSGeneralNameChoiceInvalid upon error
+ *  An other member of the NSSGeneralNameChoice enumeration 
+ */
+
+NSS_EXTERN NSSGeneralNameChoice
+nssGeneralName_GetChoice
+(
+  NSSGeneralName *generalName
+);
+
+/*
+ * nssGeneralName_GetOtherName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * Other Name, this routine will return a pointer to that Other name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSOtherName
+ */
+
+NSS_EXTERN NSSOtherName *
+nssGeneralName_GetOtherName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetRfc822Name
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * RFC 822 Name, this routine will return a pointer to that name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRFC822Name
+ */
+
+NSS_EXTERN NSSRFC822Name *
+nssGeneralName_GetRfc822Name
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetDNSName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a 
+ * DNS Name, this routine will return a pointer to that DNS name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSDNSName
+ */
+
+NSS_EXTERN NSSDNSName *
+nssGeneralName_GetDNSName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetX400Address
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * X.400 Address, this routine will return a pointer to that Address.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSX400Address
+ */
+
+NSS_EXTERN NSSX400Address *
+nssGeneralName_GetX400Address
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetDirectoryName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a
+ * (directory) Name, this routine will return a pointer to that name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSName
+ */
+
+NSS_EXTERN NSSName *
+nssGeneralName_GetName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetEdiPartyName
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * EDI Party Name, this routine will return a pointer to that name.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSEdiPartyName
+ */
+
+NSS_EXTERN NSSEdiPartyName *
+nssGeneralName_GetEdiPartyName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetUniformResourceIdentifier
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a
+ * URI, this routine will return a pointer to that URI.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSURI
+ */
+
+NSS_EXTERN NSSURI *
+nssGeneralName_GetUniformResourceIdentifier
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetIPAddress
+ *
+ * If the choice underlying the specified NSSGeneralName is that of an
+ * IP Address , this routine will return a pointer to that address.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSIPAddress
+ */
+
+NSS_EXTERN NSSIPAddress *
+nssGeneralName_GetIPAddress
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetRegisteredID
+ *
+ * If the choice underlying the specified NSSGeneralName is that of a
+ * Registered ID, this routine will return a pointer to that ID.
+ * Otherwise, this routine will place an error on the error stack, and
+ * return NULL.  If the optional arena argument is non-null, the memory
+ * required will be obtained from that arena; otherwise, the memory 
+ * will be obtained from the heap.  The caller owns the returned 
+ * pointer.  This routine may return NULL upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to an NSSRegisteredID
+ */
+
+NSS_EXTERN NSSRegisteredID *
+nssGeneralName_GetRegisteredID
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetSpecifiedChoice
+ *
+ * If the choice underlying the specified NSSGeneralName matches the
+ * specified choice, a caller-owned pointer to that underlying object
+ * will be returned.  Otherwise, an error will be placed on the error
+ * stack and NULL will be returned.  If the optional arena argument
+ * is non-null, the memory required will be obtained from that arena;
+ * otherwise, the memory will be obtained from the heap.  The caller
+ * owns the returned pointer.  This routine may return NULL upon 
+ * error, in which caes it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer, which must be typecast
+ */
+
+NSS_EXTERN void *
+nssGeneralName_GetSpecifiedChoice
+(
+  NSSGeneralName *generalName,
+  NSSGeneralNameChoice choice,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_Compare
+ * 
+ * This routine compares two General Names for equality.  For two 
+ * General Names to be equal, they must have the same choice of
+ * underlying types, and the underlying values must be equal.  The
+ * result of the comparison will be stored at the location pointed
+ * to by the "equalp" variable, which must point to a valid PRBool.
+ * This routine may return PR_FAILURE upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following value:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+nssGeneralName_Compare
+(
+  NSSGeneralName *generalName1,
+  NSSGeneralName *generalName2,
+  PRBool *equalp
+);
+
+/*
+ * nssGeneralName_Duplicate
+ *
+ * This routine duplicates the specified General Name.  If the optional
+ * arena argument is non-null, the memory required will be obtained
+ * from that arena; otherwise, the memory will be obtained from the
+ * heap.  This routine may return NULL upon error, in which case it 
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new NSSGeneralName
+ */
+
+NSS_EXTERN NSSGeneralName *
+nssGeneralName_Duplicate
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetUID
+ *
+ * This routine will attempt to derive a user identifier from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished Names containing a UID
+ * attribute, the UID will be the value of that attribute.  Note
+ * that no UID attribute is defined in either PKIX or PKCS#9; 
+ * rather, this seems to derive from RFC 1274, which defines the
+ * type as a caseIgnoreString.  We'll return a Directory String.
+ * If the optional arena argument is non-null, the memory used
+ * will be obtained from that arena; otherwise, the memory will be
+ * obtained from the heap.  This routine may return NULL upon error,
+ * in which case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_UID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String.
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssGeneralName_GetUID
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetEmail
+ *
+ * This routine will attempt to derive an email address from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing either
+ * a PKIX email address or a PKCS#9 email address, the result will
+ * be the value of that attribute.  If the General Name is an RFC 822
+ * Name, the result will be the string form of that name.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_EMAIL
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr IA5String */
+nssGeneralName_GetEmail
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetCommonName
+ *
+ * This routine will attempt to derive a common name from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing a PKIX
+ * Common Name, the result will be that name.  If the optional arena 
+ * argument is non-null, the memory used will be obtained from that 
+ * arena; otherwise, the memory will be obtained from the heap.  This 
+ * routine may return NULL upon error, in which case it will have set 
+ * an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_COMMON_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssGeneralName_GetCommonName
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetOrganization
+ *
+ * This routine will attempt to derive an organisation name from the
+ * specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing an
+ * Organization, the result will be the value of that attribute.  
+ * If the optional arena argument is non-null, the memory used will 
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_ORGANIZATION
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssGeneralName_GetOrganization
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetOrganizationalUnits
+ *
+ * This routine will attempt to derive a sequence of organisational 
+ * unit names from the specified general name, if the choices and 
+ * content of the name permit.  If the General Name is a (directory) 
+ * Name consisting of a Sequence of Relative Distinguished names 
+ * containing one or more organisational units, the result will 
+ * consist of those units.  If the optional arena  argument is non-
+ * null, the memory used will be obtained from that arena; otherwise, 
+ * the memory will be obtained from the heap.  This routine may return 
+ * NULL upon error, in which case it will have set an error on the 
+ * error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_ORGANIZATIONAL_UNITS
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a null-terminated array of UTF8 Strings
+ */
+
+NSS_EXTERN NSSUTF8 ** /* XXX fgmr DirectoryString */
+nssGeneralName_GetOrganizationalUnits
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetStateOrProvince
+ *
+ * This routine will attempt to derive a state or province name from 
+ * the specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing a state or 
+ * province, the result will be the value of that attribute.  If the 
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_STATE_OR_PROVINCE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssGeneralName_GetStateOrProvince
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetLocality
+ *
+ * This routine will attempt to derive a locality name from 
+ * the specified general name, if the choices and content of the name
+ * permit.  If the General Name is a (directory) Name consisting
+ * of a Sequence of Relative Distinguished names containing a Locality, 
+ * the result will be the value of that attribute.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from 
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_LOCALITY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssGeneralName_GetLocality
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetCountry
+ *
+ * This routine will attempt to derive a country name from the 
+ * specified general name, if the choices and content of the name 
+ * permit.  If the General Name is a (directory) Name consisting of a
+ * Sequence of Relative Distinguished names containing a Country, the 
+ * result will be the value of that attribute.  If the optional 
+ * arena argument is non-null, the memory used will be obtained from 
+ * that arena; otherwise, the memory will be obtained from the heap.  
+ * This routine may return NULL upon error, in which case it will have 
+ * set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_COUNTRY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr PrintableString */
+nssGeneralName_GetCountry
+(
+  NSSGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralName_GetAttribute
+ *
+ * If the specified general name is a (directory) name consisting
+ * of a Sequence of Relative Distinguished Names containing an 
+ * attribute with the specified type, and the actual value of that
+ * attribute may be expressed with a Directory String, then the
+ * value of that attribute will be returned as a Directory String.
+ * If the optional arena argument is non-null, the memory used will
+ * be obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_ATTRIBUTE
+ *  NSS_ERROR_ATTRIBUTE_VALUE_NOT_STRING
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a UTF8 String
+ */
+
+NSS_EXTERN NSSUTF8 * /* XXX fgmr DirectoryString */
+nssGeneralName_GetAttribute
+(
+  NSSGeneralName *generalName,
+  NSSOID *attribute,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSGeneralNameSeq
+ *
+ * The public "methods" regarding this "object" are:
+ *
+ *  nssGeneralNameSeq_CreateFromBER   -- constructor
+ *  nssGeneralNameSeq_Create          -- constructor
+ *
+ *  nssGeneralNameSeq_Destroy
+ *  nssGeneralNameSeq_GetDEREncoding
+ *  nssGeneralNameSeq_AppendGeneralName
+ *  nssGeneralNameSeq_GetGeneralNameCount
+ *  nssGeneralNameSeq_GetGeneralName
+ *  nssGeneralNameSeq_Compare
+ *  nssGeneralnameSeq_Duplicate
+ */
+
+/*
+ * nssGeneralNameSeq_CreateFromBER
+ *
+ * This routine creates a general name sequence by decoding a BER-
+ * or DER-encoded GeneralNames.  If the optional arena argument is
+ * non-null, the memory used will be obtained from that arena; 
+ * otherwise, the memory will be obtained from the heap.  This routine
+ * may return NULL upon error, in which case it will have set an error
+ * on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralNameSeq upon success
+ */
+
+NSS_EXTERN NSSGeneralNameSeq *
+nssGeneralNameSeq_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *berGeneralNameSeq
+);
+
+/*
+ * nssGeneralNameSeq_Create
+ *
+ * This routine creates an NSSGeneralNameSeq from one or more General
+ * Names.  The final argument to this routine must be NULL.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to an NSSGeneralNameSeq upon success
+ */
+
+NSS_EXTERN NSSGeneralNameSeq *
+nssGeneralNameSeq_Create
+(
+  NSSArena *arenaOpt,
+  NSSGeneralName *generalName1,
+  ...
+);
+
+/*
+ * nssGeneralNameSeq_Destroy
+ *
+ * This routine will destroy an NSSGeneralNameSeq object.  It should
+ * eventually be called on all NSSGeneralNameSeqs created without an
+ * arena.  While it is not necessary to call it on NSSGeneralNameSeq's
+ * created within an arena, it is not an error to do so.  This routine
+ * returns a PRStatus value; if successful, it will return PR_SUCCESS.
+ * If unsuccessful, it will set an error on the error stack and return
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon success
+ */
+
+NSS_EXTERN PRStatus
+nssGeneralNameSeq_Destroy
+(
+  NSSGeneralNameSeq *generalNameSeq
+);
+
+/*
+ * nssGeneralNameSeq_GetDEREncoding
+ *
+ * This routine will DER-encode an NSSGeneralNameSeq object.  If the
+ * optional arena argument is non-null, the memory used will be 
+ * obtained from that arena; otherwise, the memory will be obtained
+ * from the heap.  This routine may return null upon error, in which
+ * case it will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  The DER encoding of this NSSGeneralNameSeq
+ */
+
+NSS_EXTERN NSSDER *
+nssGeneralNameSeq_GetDEREncoding
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssGeneralNameSeq_AppendGeneralName
+ *
+ * This routine appends a General Name to the end of the existing
+ * General Name Sequence.  If the sequence was created with a non-null
+ * arena argument, that same arena will be used for any additional
+ * required memory.  If the sequence was created with a NULL arena
+ * argument, any additional memory will be obtained from the heap.
+ * This routine returns a PRStatus value; it will return PR_SUCCESS
+ * upon success, and upon failure it will set an error on the error
+ * stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_INVALID_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure.
+ */
+
+NSS_EXTERN PRStatus
+nssGeneralNameSeq_AppendGeneralName
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSGeneralName *generalName
+);
+
+/*
+ * nssGeneralNameSeq_GetGeneralNameCount
+ *
+ * This routine returns the cardinality of the specified General name
+ * Sequence.  This routine may return 0 upon error, in which case it
+ * will have set an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *
+ * Return value;
+ *  0 upon error
+ *  A positive number upon success
+ */
+
+NSS_EXTERN PRUint32
+nssGeneralNameSeq_GetGeneralNameCount
+(
+  NSSGeneralNameSeq *generalNameSeq
+);
+
+/*
+ * nssGeneralNameSeq_GetGeneralName
+ *
+ * This routine returns a pointer to the i'th General Name in the 
+ * specified General Name Sequence.  The value of the variable 'i' is
+ * on the range [0,c) where c is the cardinality returned from 
+ * NSSGeneralNameSeq_GetGeneralNameCount.  The caller owns the General
+ * Name the pointer to which is returned.  If the optional arena
+ * argument is non-null, the memory used will be obtained from that
+ * arena; otherwise, the memory will be obtained from the heap.  This
+ * routine may return NULL upon error, in which case it will have set
+ * an error upon the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A caller-owned pointer to a General Name.
+ */
+
+NSS_EXTERN NSSGeneralName *
+nssGeneralNameSeq_GetGeneralName
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSArena *arenaOpt,
+  PRUint32 i
+);
+
+/*
+ * nssGeneralNameSeq_Compare
+ *
+ * This routine compares two General Name Sequences for equality.  For
+ * two General Name Sequences to be equal, they must have the same
+ * cardinality, and each General Name in one sequence must be equal to
+ * the corresponding General Name in the other.  The result of the
+ * comparison will be stored at the location pointed to by the "equalp"
+ * variable, which must point to a valid PRBool.  This routine may 
+ * return PR_FAILURE upon error, in which case it will have set an 
+ * error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  PR_FAILURE upon error
+ *  PR_SUCCESS upon a successful comparison (equal or not)
+ */
+
+NSS_EXTERN PRStatus
+nssGeneralNameSeq_Compare
+(
+  NSSGeneralNameSeq *generalNameSeq1,
+  NSSGeneralNameSeq *generalNameSeq2,
+  PRBool *equalp
+);
+
+/*
+ * nssGeneralNameSeq_Duplicate
+ *
+ * This routine duplicates the specified sequence of general names.  If
+ * the optional arena argument is non-null, the memory required will be
+ * obtained from that arena; otherwise, the memory will be obtained 
+ * from the heap.  This routine may return NULL upon error, in which 
+ * case it will have placed an error on the error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_GENERAL_NAME_SEQ
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  NULL upon error
+ *  A pointer to a new General Name Sequence.
+ */
+
+NSS_EXTERN NSSGeneralNameSeq *
+nssGeneralNameSeq_Duplicate
+(
+  NSSGeneralNameSeq *generalNameSeq,
+  NSSArena *arenaOpt
+);
+
+PR_END_EXTERN_C
+
+#endif /* PKI1_H */
diff --git a/security/nss/lib/pki1/pki1t.h b/security/nss/lib/pki1/pki1t.h
new file mode 100644
index 000000000..de6e5c835
--- /dev/null
+++ b/security/nss/lib/pki1/pki1t.h
@@ -0,0 +1,104 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef PKI1T_H
+#define PKI1T_H
+
+#ifdef DEBUG
+static const char PKI1T_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * pki1t.h
+ *
+ * This file contains definitions for the types used in the PKIX part-1
+ * code, but not available publicly.
+ */
+
+#ifndef BASET_H
+#include "baset.h"
+#endif /* BASET_H */
+
+#ifndef NSSPKI1T_H
+#include "nsspki1t.h"
+#endif /* NSSPKI1T_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * NSSOID
+ *
+ * This structure is used to hold our internal table of built-in OID
+ * data.  The fields are as follows:
+ *
+ *  NSSItem     data -- this is the actual DER-encoded multinumber oid
+ *  const char *expl -- this explains the derivation, and is checked
+ *                      in a unit test.  While the field always exists,
+ *                      it is only populated or used in debug builds.
+ *
+ */
+
+struct NSSOIDStr {
+#ifdef DEBUG
+  const NSSUTF8 *tag;
+  const NSSUTF8 *expl;
+#endif /* DEBUG */
+  NSSItem data;
+};
+
+/*
+ * nssAttributeTypeAliasTable
+ *
+ * Attribute types are passed around as oids (at least in the X.500
+ * and PKI worlds, as opposed to ldap).  However, when written as 
+ * strings they usually have well-known aliases, e.g., "ou" or "c."
+ *
+ * This type defines a table, populated in the generated oiddata.c
+ * file, of the aliases we recognize.
+ *
+ * The fields are as follows:
+ *
+ *  NSSUTF8 *alias -- a well-known string alias for an oid
+ *  NSSOID  *oid   -- the oid to which the alias corresponds
+ *
+ */
+
+struct nssAttributeTypeAliasTableStr {
+  const NSSUTF8 *alias;
+  const NSSOID **oid;
+};
+typedef struct nssAttributeTypeAliasTableStr nssAttributeTypeAliasTable;
+
+PR_END_EXTERN_C
+
+#endif /* PKI1T_H */
diff --git a/security/nss/lib/pki1/rdn.c b/security/nss/lib/pki1/rdn.c
new file mode 100644
index 000000000..f778de22c
--- /dev/null
+++ b/security/nss/lib/pki1/rdn.c
@@ -0,0 +1,73 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * rdn.c
+ *
+ * This file contains the implementation of the PKIX part-1 object
+ * RelativeDistinguishedName.
+ */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+#ifndef PKI1_H
+#include "pki1.h"
+#endif /* PKI1_H */
+
+/*
+ * RelativeDistinguishedName
+ *
+ * From draft-ietf-pkix-ipki-part1-10:
+ *
+ *  RelativeDistinguishedName       ::=
+ *                  SET SIZE (1 .. MAX) OF AttributeTypeAndValue
+ *
+ * An RDN is merely an (unordered) set of ATAV's.  The setSize (that's
+ * a noun, not a verb) variable is a "helper" variable kept for
+ * convenience.
+ */
+
+struct nssRDNStr {
+  PRUint32 setSize;
+  NSSATAV **atavs;
+};
diff --git a/security/nss/lib/pki1/rdnseq.c b/security/nss/lib/pki1/rdnseq.c
new file mode 100644
index 000000000..bbd4dfe4b
--- /dev/null
+++ b/security/nss/lib/pki1/rdnseq.c
@@ -0,0 +1,71 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * rdnseq.c
+ *
+ * This file contains the implementation of the PKIX part-1 object
+ * RDNSequence.
+ */
+
+#ifndef NSSBASE_H
+#include "nssbase.h"
+#endif /* NSSBASE_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+#ifndef PKI1_H
+#include "pki1.h"
+#endif /* PKI1_H */
+
+/*
+ * RDNSequence
+ *
+ * From draft-ietf-pkix-ipki-part1-10:
+ *
+ *  RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+ *
+ * An RDNSequence is simply an (ordered) sequence of RDN's.  The 
+ * seqSize variable is a "helper" kept for simplicity.
+ */
+
+struct nssRDNSeqStr {
+  PRUint32 seqSize;
+  NSSRDN **rdns;
+};
diff --git a/security/nss/lib/pkix/doc/name_rules.html b/security/nss/lib/pkix/doc/name_rules.html
new file mode 100644
index 000000000..70f9dd72e
--- /dev/null
+++ b/security/nss/lib/pkix/doc/name_rules.html
@@ -0,0 +1,178 @@
+<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
+<!--
+   - The contents of this file are subject to the Mozilla Public
+   - License Version 1.1 (the "License"); you may not use this file
+   - except in compliance with the License. You may obtain a copy of
+   - the License at http://www.mozilla.org/MPL/
+   - 
+   - Software distributed under the License is distributed on an "AS
+   - IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+   - implied. See the License for the specific language governing
+   - rights and limitations under the License.
+   - 
+   - The Original Code is the Netscape security libraries.
+   - 
+   - The Initial Developer of the Original Code is Netscape
+   - Communications Corporation.  Portions created by Netscape are 
+   - Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+   - Rights Reserved.
+   - 
+   - Contributor(s):
+   - 
+   - Alternatively, the contents of this file may be used under the
+   - terms of the GNU General Public License Version 2 or later (the
+   - "GPL"), in which case the provisions of the GPL are applicable 
+   - instead of those above.  If you wish to allow use of your 
+   - version of this file only under the terms of the GPL and not to
+   - allow others to use your version of this file under the MPL,
+   - indicate your decision by deleting the provisions above and
+   - replace them with the notice and other provisions required by
+   - the GPL.  If you do not delete the provisions above, a recipient
+   - may use your version of this file under either the MPL or the
+   - GPL.
+  -->
+<html>
+<head>
+   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+   <meta name="GENERATOR" content="Mozilla/4.6 [en] (X11; U; IRIX 6.3 IP32) [Netscape]">
+</head>
+<body>
+
+<h1>
+Notes on libpkix name rules</h1>
+&nbsp;
+<h2>
+Types</h2>
+Every type mentioned in RFC 2459 is reflected in libpkix.&nbsp; The type
+names, defined in <tt>nsspkix.h</tt>, are exactly the names used in the
+RFC with the added prefix of ``<tt>NSSPKIX</tt>.''&nbsp; The <tt>PKIX</tt>
+part of the name is to distinguish between these specifically defined types
+and more general reflections that are used in higher-level trust domains,
+crypto contexts, etc.&nbsp; For example, <tt>NSSPKIXCertificate</tt> is
+a type with specific properties defined in RFC 2459, while <tt>NSSCertificate</tt>
+is a general type, not necessarily based on an X.509 certificate, that
+has additional associated information.
+<p>Additionally, libpkix defines some "helper"&nbsp;types, usually when
+a type definition in the RFC&nbsp;was unusually complex.&nbsp; These types
+are prefixed with <tt>NSSPKIX</tt> as above, but the next letter is lowercase.&nbsp;
+Examples of these types include <tt>NSSPKIXrevokedCertificates</tt> and
+<tt>NSSPKIXpolicyMapping</tt>.
+<br>&nbsp;
+<h2>
+Simple types</h2>
+Many types used in or defined by RFC 2459 have more-or-less equivalent
+``natural'' types.&nbsp; These include <tt>BOOLEAN</tt>, <tt>INTEGER</tt>,
+the string types, and the date types.
+<p><tt>BOOLEAN</tt> values are always automatically converted to and from
+<tt>PRBool</tt> types.
+<p><tt>INTEGER</tt> types are used in two ways: as a ``small integer,''
+typically a quantity, and as an identification value (e.g., the serial
+number of a certificate).&nbsp; In the former situation, the RFC usually
+states that the values may be limited by the application to some value.&nbsp;
+We reflect these integers as <tt>PRInt32</tt> values, which is limited
+to about two billion.&nbsp; (The reason an unsigned integer wasn't used
+is that we use -1 as an error value; while admittedly reserving one half
+of the number space merely to indicate an error is perhaps wasteful, reducing
+the count limit from four billion to two isn't that unreasonable.)&nbsp;
+``Large integer'' uses are reflected as <tt>NSSItem</tt>s.
+<p>String types -- even complicated <tt>CHOICE</tt>s of strings -- are
+always converted to and from <tt>NSSUTF8</tt> strings.&nbsp; Most of the
+string types can handle any UTF-8 string; the few that don't will check
+the <tt>NSSUTF8</tt> string for invalid characters and return an error
+if any are found.
+<p>Date types are always converted to and from <tt>PRTime</tt> values.
+<font color="#FF0000">***FGMR*** or whatever.</font><font color="#000000">&nbsp;
+The RFC-defined types may contain values that may not be represented as
+<tt>PRTime</tt>s; when conversion of such a value is attempted, the error
+<tt>NSS_ERROR_VALUE_OUT_OF_RANGE</tt> will be returned.&nbsp; However,
+types that contain time values have comparator methods defined, so that
+valid comparisons may be made, even if the time is out of the range of
+<tt>PRTime</tt>.</font>
+<br><font color="#000000"></font>&nbsp;
+<h2>
+<font color="#000000">Function names</font></h2>
+<font color="#000000">All function names are created by catenating the
+type name, an underscore, and the name of a method defined on that type.&nbsp;
+In some situations, this does create rather long function names; however,
+since these are usually assocated with the more obscure types, we felt
+that sticking to a common naming system was preferable to inventing new
+names.&nbsp; (The Principle of Least Surprise.)</font>
+<br><font color="#000000"></font>&nbsp;
+<h2>
+<font color="#000000">Universal methods</font></h2>
+<font color="#000000">Every type has a few standard methods:</font>
+<ul>
+<li>
+<tt><font color="#000000">&lt;typename>_CreateFromBER</font></tt></li>
+
+<li>
+<tt><font color="#000000">&lt;typename>_Create</font></tt></li>
+
+<li>
+<tt><font color="#000000">&lt;typename>_Destroy</font></tt></li>
+
+<li>
+<tt><font color="#000000">&lt;typename>_GetDEREncoding</font></tt></li>
+
+<li>
+<tt><font color="#000000">&lt;typename>_Equal</font></tt></li>
+
+<li>
+<tt><font color="#000000">&lt;typename>_Duplicate</font></tt></li>
+</ul>
+<font color="#000000">For types for which a BER encoding can be created
+which is not the DER&nbsp;encoding, there is a method <tt>&lt;typename>_GetBEREncoding</tt>.</font>
+<br><font color="#000000"></font>&nbsp;
+<h2>
+<font color="#000000">Accessors</font></h2>
+<font color="#000000">Simple accessor method names are constructed with
+``<tt>Get</tt>'' and ``<tt>Set</tt>'' followed by the field name:</font>
+<ul>
+<li>
+<tt><font color="#000000">&lt;typename>_Get&lt;fieldname></font></tt></li>
+
+<li>
+<tt><font color="#000000">&lt;typename>_Set&lt;fieldname></font></tt></li>
+</ul>
+<font color="#000000">Optional fields also have ``<tt>Has</tt>'' and ``<tt>Remove</tt>''
+methods, constructed in the same way.</font>
+<br><font color="#000000"></font>&nbsp;
+<h2>
+<font color="#000000">Sequences</font></h2>
+<font color="#000000">Sequences have the following accessors:</font>
+<ul>
+<li>
+<tt><font color="#000000">&lt;typename>_Get&lt;name>Count</font></tt></li>
+
+<li>
+<tt><font color="#000000">&lt;typename>_Get&lt;name>s</font></tt></li>
+
+<li>
+<tt><font color="#000000">&lt;typename>_Set&lt;name>s</font></tt></li>
+
+<li>
+<tt><font color="#000000">&lt;typename>_Get&lt;name></font></tt></li>
+
+<li>
+<tt><font color="#000000">&lt;typename>_Set&lt;name></font></tt></li>
+
+<li>
+<tt><font color="#000000">&lt;typename>_Append&lt;name></font></tt></li>
+
+<li>
+<tt><font color="#000000">&lt;typename>_Insert&lt;name></font></tt></li>
+
+<li>
+<tt><font color="#000000">&lt;typename>_Remove&lt;name></font></tt></li>
+
+<li>
+<tt><font color="#000000">&lt;typename>_Find&lt;name></font></tt></li>
+</ul>
+<font color="#000000">Sets (unordered sequences) replace the <tt>Append</tt>
+and <tt>Insert</tt> methods with <tt>Add</tt>.&nbsp; The plural Get and
+Set methods operate on arrays of the subtype.</font>
+<br><font color="#000000"></font>&nbsp;
+<br><font color="#000000"></font>&nbsp;
+<br><font color="#000000"></font>&nbsp;
+</body>
+</html>
diff --git a/security/nss/lib/pkix/include/nsspkix.h b/security/nss/lib/pkix/include/nsspkix.h
new file mode 100644
index 000000000..6e55be3a9
--- /dev/null
+++ b/security/nss/lib/pkix/include/nsspkix.h
@@ -0,0 +1,24377 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef NSSPKIX_H
+#define NSSPKIX_H
+
+#ifdef DEBUG
+static const char NSSPKIX_CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * nsspkix.h
+ *
+ * This file contains the prototypes for the public methods defined
+ * for the PKIX part-1 objects.
+ */
+
+#ifndef NSSPKIXT_H
+#include "nsspkixt.h"
+#endif /* NSSPKIXT_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * Attribute
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Attribute       ::=     SEQUENCE {
+ *          type            AttributeType,
+ *          values  SET OF AttributeValue
+ *                  -- at least one value is required -- }
+ *
+ * The public calls for the type:
+ * 
+ *  NSSPKIXAttribute_Decode
+ *  NSSPKIXAttribute_Create
+ *  NSSPKIXAttribute_CreateFromArray
+ *  NSSPKIXAttribute_Destroy
+ *  NSSPKIXAttribute_Encode
+ *  NSSPKIXAttribute_GetType
+ *  NSSPKIXAttribute_SetType
+ *  NSSPKIXAttribute_GetValueCount
+ *  NSSPKIXAttribute_GetValues
+ *  NSSPKIXAttribute_SetValues
+ *  NSSPKIXAttribute_GetValue
+ *  NSSPKIXAttribute_SetValue
+ *  NSSPKIXAttribute_AddValue
+ *  NSSPKIXAttribute_RemoveValue
+ *  NSSPKIXAttribute_FindValue
+ *  NSSPKIXAttribute_Equal
+ *  NSSPKIXAttribute_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXAttribute_Decode
+ *
+ * This routine creates an NSSPKIXAttribute by decoding a BER-
+ * or DER-encoded Attribute as defined in RFC 2459.  This
+ * routine may return NULL upon error, in which case it will
+ * have created an error stack.  If the optional arena argument
+ * is non-NULL, that arena will be used for the required memory.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttribute upon success
+ *  NULL upon failure.
+ */
+
+NSS_EXTERN NSSPKIXAttribute *
+NSSPKIXAttribute_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXAttribute_Create
+ *
+ * This routine creates an NSSPKIXAttribute from specified components.
+ * This routine may return NULL upon error, in which case it will have
+ * created an error stack.  If the optional arena argument is non-NULL,
+ * that arena will be used for the required memory.  There must be at
+ * least one attribute value specified.  The final argument must be
+ * NULL, to indicate the end of the set of attribute values.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttribute upon success
+ *  NULL upon failure.
+ */
+
+NSS_EXTERN NSSPKIXAttribute *
+NSSPKIXAttribute_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAttributeType *typeOid,
+  NSSPKIXAttributeValue *value1,
+  ...
+);
+
+/*
+ * NSSPKIXAttribute_CreateFromArray
+ *
+ * This routine creates an NSSPKIXAttribute from specified components.
+ * This routine may return NULL upon error, in which case it will have
+ * created an error stack.  If the optional arena argument is non-NULL,
+ * that arena will be used for the required memory.  There must be at
+ * least one attribute value specified.  The final argument must be
+ * NULL, to indicate the end of the set of attribute values.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttribute upon success
+ *  NULL upon failure.
+ */
+
+NSS_EXTERN NSSPKIXAttribute *
+NSSPKIXAttribute_CreateFromArray
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAttributeType *typeOid,
+  PRUint32 count,
+  NSSPKIXAttributeValue values[]
+);
+
+/*
+ * NSSPKIXAttribute_Destroy
+ *
+ * This routine destroys an NSSPKIXAttribute.  It should be called on
+ * all such objects created without an arena.  It does not need to be
+ * called for objects created with an arena, but it may be.  This
+ * routine returns a PRStatus value.  Upon error, it will create an
+ * error stack and return PR_FAILURE.
+ *
+ * The error value may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAttribute_Destroy
+(
+  NSSPKIXAttribute *attribute
+);
+
+/*
+ * NSSPKIXAttribute_Encode
+ *
+ * This routine returns the BER encoding of the specified 
+ * NSSPKIXAttribute.  {usual rules about itemOpt and arenaOpt}
+ * This routine indicates an error (NSS_ERROR_INVALID_DATA) 
+ * if there are no attribute values (i.e., the last one was removed).
+ *
+ * The error value may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_DATA
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXAttribute_Encode
+(
+  NSSPKIXAttribute *attribute,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXAttribute_GetType
+ *
+ * This routine returns the attribute type oid of the specified
+ * NSSPKIXAttribute.
+ *
+ * The error value may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSPKIXAttributeType pointer upon success
+ *  NULL upon failure.
+ */
+
+NSS_EXTERN NSSPKIXAttributeType *
+NSSPKIXAttribute_GetType
+(
+  NSSPKIXAttribute *attribute
+);
+
+/*
+ * NSSPKIXAttribute_SetType
+ *
+ * This routine sets the attribute type oid of the indicated
+ * NSSPKIXAttribute to the specified value.  Since attributes
+ * may be application-defined, no checking can be done on
+ * either the correctness of the attribute type oid value nor
+ * the suitability of the set of attribute values.
+ *
+ * The error value may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_OID
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAttribute_SetType
+(
+  NSSPKIXAttribute *attribute,
+  NSSPKIXAttributeType *attributeType
+);
+
+/*
+ * NSSPKIXAttribute_GetValueCount
+ *
+ * This routine returns the number of attribute values present in
+ * the specified NSSPKIXAttribute.  This routine returns a PRInt32.
+ * Upon error, this routine returns -1.  This routine indicates an
+ * error if the number of values cannot be expressed as a PRInt32.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXAttribute_GetValueCount
+(
+  NSSPKIXAttribute *attribute
+);
+
+/*
+ * NSSPKIXAttribute_GetValues
+ *
+ * This routine returns all of the attribute values in the specified
+ * NSSPKIXAttribute.  If the optional pointer to an array of NSSItems
+ * is non-null, then that array will be used and returned; otherwise,
+ * an array will be allocated and returned.  If the limit is nonzero
+ * (which is must be if the specified array is nonnull), then an
+ * error is indicated if it is smaller than the value count.
+ * {arenaOpt}
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  A valid pointer to an array of NSSItem's upon success
+ *  NULL upon failure.
+ */
+
+NSS_EXTERN NSSPKIXAttributeValue *
+NSSPKIXAttribute_GetValues
+(
+  NSSPKIXAttribute *attribute,
+  NSSPKIXAttributeValue rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXAttribute_SetValues
+ *
+ * This routine sets all of the values of the specified 
+ * NSSPKIXAttribute to the values in the specified NSSItem array.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAttribute_SetValues
+(
+  NSSPKIXAttribute *attribute,
+  NSSPKIXAttributeValue values[],
+  PRInt32 count
+);
+
+/*
+ * NSSPKIXAttribute_GetValue
+ *
+ * This routine returns the i'th attribute value of the set of
+ * values in the specified NSSPKIXAttribute.  Although the set
+ * is unordered, an arbitrary ordering will be maintained until
+ * the data in the attribute is changed.  {usual comments about
+ * itemOpt and arenaOpt}
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeValue upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAttributeValue *
+NSSPKIXAttribute_GetValue
+(
+  NSSPKIXAttribute *attribute,
+  PRInt32 i,
+  NSSPKIXAttributeValue *itemOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXAttribute_SetValue
+ *
+ * This routine sets the i'th attribute value {blah blah; copies
+ * memory contents over..}
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAttribute_SetValue
+(
+  NSSPKIXAttribute *attribute,
+  PRInt32 i,
+  NSSPKIXAttributeValue *value
+);
+
+/*
+ * NSSPKIXAttribute_AddValue
+ *
+ * This routine adds the specified attribute value to the set in
+ * the specified NSSPKIXAttribute.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAttribute_AddValue
+(
+  NSSPKIXAttribute *attribute,
+  NSSPKIXAttributeValue *value
+); 
+
+/*
+ * NSSPKIXAttribute_RemoveValue
+ *
+ * This routine removes the i'th attribute value of the set in the
+ * specified NSSPKIXAttribute.  An attempt to remove the last value
+ * will fail.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_AT_MINIMUM
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAttribute_RemoveValue
+(
+  NSSPKIXAttribute *attribute,
+  PRInt32 i
+);
+
+/*
+ * NSSPKIXAttribute_FindValue
+ *
+ * This routine searches the set of attribute values in the specified
+ * NSSPKIXAttribute for the provided data.  If an exact match is found,
+ * then that value's index is returned.  If an exact match is not 
+ * found, -1 is returned.  If there is more than one exact match, one
+ * index will be returned.  {notes about unorderdness of SET, etc}
+ * If the index may not be represented as an integer, an error is
+ * indicated.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value
+ *  The index of the specified attribute value upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXAttribute_FindValue
+(
+  NSSPKIXAttribute *attribute,
+  NSSPKIXAttributeValue *attributeValue
+);
+
+/*
+ * NSSPKIXAttribute_Equal
+ *
+ * This routine compares two NSSPKIXAttribute's for equality.
+ * It returns PR_TRUE if they are equal, PR_FALSE otherwise.
+ * This routine also returns PR_FALSE upon error; if you're
+ * that worried about it, check for an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXAttribute_Equal
+(
+  NSSPKIXAttribute *one,
+  NSSPKIXAttribute *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXAttribute_Duplicate
+ *
+ * This routine duplicates an NSSPKIXAttribute.  {arenaOpt}
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttribute upon success
+ *  NULL upon failure.
+ */
+
+NSS_EXTERN NSSPKIXAttribute *
+NSSPKIXAttribute_Duplicate
+(
+  NSSPKIXAttribute *attribute,
+  NSSArena *arenaOpt
+);
+
+/*
+ * AttributeTypeAndValue
+ *
+ * This structure contains an attribute type (indicated by an OID), 
+ * and the type-specific value.  RelativeDistinguishedNames consist
+ * of a set of these.  These are distinct from Attributes (which have
+ * SET of values), from AttributeDescriptions (which have qualifiers
+ * on the types), and from AttributeValueAssertions (which assert a
+ * a value comparison under some matching rule).
+ *
+ * From RFC 2459:
+ *
+ *  AttributeTypeAndValue           ::=     SEQUENCE {
+ *          type    AttributeType,
+ *          value   AttributeValue }
+ * 
+ * The public calls for the type:
+ *
+ *  NSSPKIXAttributeTypeAndValue_Decode
+ *  NSSPKIXAttributeTypeAndValue_CreateFromUTF8
+ *  NSSPKIXAttributeTypeAndValue_Create
+ *  NSSPKIXAttributeTypeAndValue_Destroy
+ *  NSSPKIXAttributeTypeAndValue_Encode
+ *  NSSPKIXAttributeTypeAndValue_GetUTF8Encoding
+ *  NSSPKIXAttributeTypeAndValue_GetType
+ *  NSSPKIXAttributeTypeAndValue_SetType
+ *  NSSPKIXAttributeTypeAndValue_GetValue
+ *  NSSPKIXAttributeTypeAndValue_SetValue
+ *  NSSPKIXAttributeTypeAndValue_Equal
+ *  NSSPKIXAttributeTypeAndValue_Duplicate
+ */
+
+/*
+ * NSSPKIXAttributeTypeAndValue_Decode
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAttributeTypeAndValue *
+NSSPKIXAttributeTypeAndValue_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXAttributeTypeAndValue_CreateFromUTF8
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAttributeTypeAndValue *
+NSSPKIXAttributeTypeAndValue_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *string
+);
+
+/*
+ * NSSPKIXAttributeTypeAndValue_Create
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAttributeTypeAndValue *
+NSSPKIXAttributeTypeAndValue_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAttributeType *typeOid,
+  NSSPKIXAttributeValue *value
+);
+
+/*
+ * NSSPKIXAttributeTypeAndValue_Destroy
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAttributeTypeAndValue_Destroy
+(
+  NSSPKIXAttributeTypeAndValue *atav
+);
+
+/*
+ * NSSPKIXAttributeTypeAndValue_Encode
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXAttributeTypeAndValue_Encode
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXAttributeTypeAndValue_GetUTF8Encoding
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXAttributeTypeAndValue_GetUTF8Encoding
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXAttributeTypeAndValue_GetType
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSPKIXAttributeType pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAttributeType *
+NSSPKIXAttributeTypeAndValue_GetType
+(
+  NSSPKIXAttributeTypeAndValue *atav
+);
+
+/*
+ * NSSPKIXAttributeTypeAndValue_SetType
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_INVALID_OID
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAttributeTypeAndValue_SetType
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSPKIXAttributeType *attributeType
+);
+
+/*
+ * NSSPKIXAttributeTypeAndValue_GetValue
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSAttributeValue upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAttributeValue *
+NSSPKIXAttributeTypeAndValue_GetValue
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSPKIXAttributeValue *itemOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXAttributeTypeAndValue_SetValue
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAttributeTypeAndValue_SetValue
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSPKIXAttributeValue *value
+);
+
+/*
+ * NSSPKIXAttributeTypeAndValue_Equal
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXAttributeTypeAndValue_Equal
+(
+  NSSPKIXAttributeTypeAndValue *atav1,
+  NSSPKIXAttributeTypeAndValue *atav2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXAttributeTypeAndValue_Duplicate
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAttributeTypeAndValue *
+NSSPKIXAttributeTypeAndValue_Duplicate
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSArena *arenaOpt
+);
+
+/*
+ * X520Name
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520name        ::= CHOICE {
+ *        teletexString         TeletexString (SIZE (1..ub-name)),
+ *        printableString       PrintableString (SIZE (1..ub-name)),
+ *        universalString       UniversalString (SIZE (1..ub-name)),
+ *        utf8String            UTF8String (SIZE (1..ub-name)),
+ *        bmpString             BMPString (SIZE(1..ub-name))   }
+ *
+ *  ub-name INTEGER ::=     32768
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXX520Name_Decode
+ *  NSSPKIXX520Name_CreateFromUTF8
+ *  NSSPKIXX520Name_Create (?)
+ *  NSSPKIXX520Name_Destroy
+ *  NSSPKIXX520Name_Encode
+ *  NSSPKIXX520Name_GetUTF8Encoding
+ *  NSSPKIXX520Name_Equal
+ *  NSSPKIXX520Name_Duplicate
+ *
+ * The public data for this type:
+ *
+ *  NSSPKIXX520Name_MAXIMUM_LENGTH
+ *
+ */
+
+/*
+ * NSSPKIXX520Name_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520Name upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520Name *
+NSSPKIXX520Name_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXX520Name_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520Name upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520Name *
+NSSPKIXX520Name_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXX520Name_Create
+ *
+ * XXX fgmr: currently nssStringType is a private type.  Thus,
+ * this public method should not exist.  I'm leaving this here
+ * to remind us later what we want to decide.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING_TYPE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520Name upon success
+ *  NULL upon failure
+ */
+
+/* 
+ * NSS_EXTERN NSSPKIXX520Name *
+ * NSSPKIXX520Name_Create
+ * (
+ *   NSSArena *arenaOpt,
+ *   nssStringType type,
+ *   NSSItem *data
+ * );
+ */
+
+/*
+ * NSSPKIXX520Name_Destroy
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXX520Name_Destroy
+(
+  NSSPKIXX520Name *name
+);
+
+/*
+ * NSSPKIXX520Name_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXX520Name_Encode
+(
+  NSSPKIXX520Name *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXX520Name_GetUTF8Encoding
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXX520Name_GetUTF8Encoding
+(
+  NSSPKIXX520Name *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXX520Name_Equal
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXX520Name_Equal
+(
+  NSSPKIXX520Name *name1,
+  NSSPKIXX520Name *name2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXX520Name_Duplicate
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520Name upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520Name *
+NSSPKIXX520Name_Duplicate
+(
+  NSSPKIXX520Name *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXX520Name_MAXIMUM_LENGTH
+ *
+ * From RFC 2459:
+ *
+ *  ub-name INTEGER ::=     32768
+ */
+
+extern const PRUint32 NSSPKIXX520Name_MAXIMUM_LENGTH;
+
+/*
+ * X520CommonName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520CommonName  ::=      CHOICE {
+ *        teletexString         TeletexString (SIZE (1..ub-common-name)),
+ *        printableString       PrintableString (SIZE (1..ub-common-name)),
+ *        universalString       UniversalString (SIZE (1..ub-common-name)),
+ *        utf8String            UTF8String (SIZE (1..ub-common-name)),
+ *        bmpString             BMPString (SIZE(1..ub-common-name))   }
+ * 
+ *  ub-common-name  INTEGER ::=     64
+ * 
+ * The public calls for this type:
+ *
+ *  NSSPKIXX520CommonName_Decode
+ *  NSSPKIXX520CommonName_CreateFromUTF8
+ *  NSSPKIXX520CommonName_Create (?)
+ *  NSSPKIXX520CommonName_Destroy
+ *  NSSPKIXX520CommonName_Encode
+ *  NSSPKIXX520CommonName_GetUTF8Encoding
+ *  NSSPKIXX520CommonName_Equal
+ *  NSSPKIXX520CommonName_Duplicate
+ *
+ * The public data for this type:
+ *
+ *  NSSPKIXX520CommonName_MAXIMUM_LENGTH
+ *
+ */
+
+/*
+ * NSSPKIXX520CommonName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520CommonName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520CommonName *
+NSSPKIXX520CommonName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXX520CommonName_Create
+ *
+ * XXX fgmr: currently nssStringType is a private type.  Thus,
+ * this public method should not exist.  I'm leaving this here
+ * to remind us later what we want to decide.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING_TYPE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520CommonName upon success
+ *  NULL upon failure
+ */
+
+/* 
+ * NSS_EXTERN NSSPKIXX520CommonName *
+ * NSSPKIXX520CommonName_Create
+ * (
+ *   NSSArena *arenaOpt,
+ *   nssStringType type,
+ *   NSSItem *data
+ * );
+ */
+
+/*
+ * NSSPKIXX520CommonName_Destroy
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_COMMON_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXX520CommonName_Destroy
+(
+  NSSPKIXX520CommonName *name
+);
+
+/*
+ * NSSPKIXX520CommonName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520CommonName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520CommonName *
+NSSPKIXX520CommonName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXX520CommonName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_COMMON_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXX520CommonName_Encode
+(
+  NSSPKIXX520CommonName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXX520CommonName_GetUTF8Encoding
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_COMMON_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXX520CommonName_GetUTF8Encoding
+(
+  NSSPKIXX520CommonName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXX520CommonName_Equal
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_COMMON_NAME
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXX520CommonName_Equal
+(
+  NSSPKIXX520CommonName *name1,
+  NSSPKIXX520CommonName *name2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXX520CommonName_Duplicate
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_COMMON_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520CommonName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520CommonName *
+NSSPKIXX520CommonName_Duplicate
+(
+  NSSPKIXX520CommonName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXX520CommonName_MAXIMUM_LENGTH
+ *
+ * From RFC 2459:
+ *
+ *  ub-common-name  INTEGER ::=     64
+ */
+
+extern const PRUint32 NSSPKIXX520CommonName_MAXIMUM_LENGTH;
+
+/*
+ * X520LocalityName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520LocalityName ::= CHOICE {
+ *        teletexString       TeletexString (SIZE (1..ub-locality-name)),
+ *        printableString     PrintableString (SIZE (1..ub-locality-name)),
+ *        universalString     UniversalString (SIZE (1..ub-locality-name)),
+ *        utf8String          UTF8String (SIZE (1..ub-locality-name)),
+ *        bmpString           BMPString (SIZE(1..ub-locality-name))   }
+ * 
+ * The public calls for this type:
+ *
+ *  NSSPKIXX520LocalityName_Decode
+ *  NSSPKIXX520LocalityName_CreateFromUTF8
+ *  NSSPKIXX520LocalityName_Encode
+ *
+ */
+
+/*
+ * NSSPKIXX520LocalityName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520LocalityName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520LocalityName *
+NSSPKIXX520LocalityName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXX520LocalityName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520LocalityName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520LocalityName *
+NSSPKIXX520LocalityName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXX520LocalityName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXX520LocalityName_Encode
+(
+  NSSPKIXX520LocalityName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * X520StateOrProvinceName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520StateOrProvinceName         ::= CHOICE {
+ *        teletexString       TeletexString (SIZE (1..ub-state-name)),
+ *        printableString     PrintableString (SIZE (1..ub-state-name)),
+ *        universalString     UniversalString (SIZE (1..ub-state-name)),
+ *        utf8String          UTF8String (SIZE (1..ub-state-name)),
+ *        bmpString           BMPString (SIZE(1..ub-state-name))   }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXX520StateOrProvinceName_Decode
+ *  NSSPKIXX520StateOrProvinceName_CreateFromUTF8
+ *  NSSPKIXX520StateOrProvinceName_Encode
+ *
+ */
+
+/*
+ * NSSPKIXX520StateOrProvinceName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520StateOrProvinceName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520StateOrProvinceName *
+NSSPKIXX520StateOrProvinceName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXX520StateOrProvinceName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520StateOrProvinceName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520StateOrProvinceName *
+NSSPKIXX520StateOrProvinceName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXX520StateOrProvinceName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXX520StateOrProvinceName_Encode
+(
+  NSSPKIXX520StateOrProvinceName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * X520OrganizationName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520OrganizationName ::= CHOICE {
+ *    teletexString     TeletexString (SIZE (1..ub-organization-name)),
+ *    printableString   PrintableString (SIZE (1..ub-organization-name)),
+ *    universalString   UniversalString (SIZE (1..ub-organization-name)),
+ *    utf8String        UTF8String (SIZE (1..ub-organization-name)),
+ *    bmpString         BMPString (SIZE(1..ub-organization-name))   }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXX520OrganizationName_Decode
+ *  NSSPKIXX520OrganizationName_CreateFromUTF8
+ *  NSSPKIXX520OrganizationName_Encode
+ *
+ */
+
+/*
+ * NSSPKIXX520OrganizationName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520OrganizationName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520OrganizationName *
+NSSPKIXX520OrganizationName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXX520OrganizationName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520OrganizationName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520OrganizationName *
+NSSPKIXX520OrganizationName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXX520OrganizationName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXX520OrganizationName_Encode
+(
+  NSSPKIXX520OrganizationName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * X520OrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520OrganizationalUnitName ::= CHOICE {
+ *   teletexString    TeletexString (SIZE (1..ub-organizational-unit-name)),
+ *   printableString        PrintableString
+ *                        (SIZE (1..ub-organizational-unit-name)),
+ *   universalString        UniversalString
+ *                        (SIZE (1..ub-organizational-unit-name)),
+ *   utf8String       UTF8String (SIZE (1..ub-organizational-unit-name)),
+ *   bmpString        BMPString (SIZE(1..ub-organizational-unit-name))   }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXX520OrganizationalUnitName_Decode
+ *  NSSPKIXX520OrganizationalUnitName_CreateFromUTF8
+ *  NSSPKIXX520OrganizationalUnitName_Encode
+ *
+ */
+
+/*
+ * NSSPKIXX520OrganizationalUnitName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520OrganizationalUnitName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520OrganizationalUnitName *
+NSSPKIXX520OrganizationalUnitName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXX520OrganizationalUnitName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520OrganizationalUnitName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520OrganizationalUnitName *
+NSSPKIXX520OrganizationalUnitName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXX520OrganizationalUnitName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXX520OrganizationalUnitName_Encode
+(
+  NSSPKIXX520OrganizationalUnitName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * X520Title
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520Title ::=   CHOICE {
+ *        teletexString         TeletexString (SIZE (1..ub-title)),
+ *        printableString       PrintableString (SIZE (1..ub-title)),
+ *        universalString       UniversalString (SIZE (1..ub-title)),
+ *        utf8String            UTF8String (SIZE (1..ub-title)),
+ *        bmpString             BMPString (SIZE(1..ub-title))   }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXX520Title_Decode
+ *  NSSPKIXX520Title_CreateFromUTF8
+ *  NSSPKIXX520Title_Encode
+ *
+ */
+
+/*
+ * NSSPKIXX520Title_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520Title upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520Title *
+NSSPKIXX520Title_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXX520Title_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520Title upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520Title *
+NSSPKIXX520Title_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXX520Title_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXX520Title_Encode
+(
+  NSSPKIXX520Title *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * X520dnQualifier
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520dnQualifier ::=     PrintableString
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXX520dnQualifier_Decode
+ *  NSSPKIXX520dnQualifier_CreateFromUTF8
+ *  NSSPKIXX520dnQualifier_Encode
+ *
+ */
+
+/*
+ * NSSPKIXX520dnQualifier_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520dnQualifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520dnQualifier *
+NSSPKIXX520dnQualifier_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXX520dnQualifier_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520dnQualifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520dnQualifier *
+NSSPKIXX520dnQualifier_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXX520dnQualifier_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXX520dnQualifier_Encode
+(
+  NSSPKIXX520dnQualifier *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * X520countryName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520countryName ::=     PrintableString (SIZE (2)) -- IS 3166 codes
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXX520countryName_Decode
+ *  NSSPKIXX520countryName_CreateFromUTF8
+ *  NSSPKIXX520countryName_Encode
+ *
+ */
+
+/*
+ * NSSPKIXX520countryName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520countryName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520countryName *
+NSSPKIXX520countryName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXX520countryName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520countryName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520countryName *
+NSSPKIXX520countryName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXX520countryName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXX520countryName_Encode
+(
+  NSSPKIXX520countryName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * Pkcs9email
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Pkcs9email ::= IA5String (SIZE (1..ub-emailaddress-length))
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXPkcs9email_Decode
+ *  NSSPKIXPkcs9email_CreateFromUTF8
+ *  NSSPKIXPkcs9email_Encode
+ *
+ */
+
+/*
+ * NSSPKIXPkcs9email_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPkcs9email upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPkcs9email *
+NSSPKIXPkcs9email_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXPkcs9email_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPkcs9email upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPkcs9email *
+NSSPKIXPkcs9email_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXPkcs9email_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXPkcs9email_Encode
+(
+  NSSPKIXPkcs9email *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * Name
+ *
+ * This structure contains a union of the possible name formats,
+ * which at the moment is limited to an RDNSequence.
+ *
+ * From RFC 2459:
+ *
+ *  Name            ::=   CHOICE { -- only one possibility for now --
+ *                                   rdnSequence  RDNSequence }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXName_Decode
+ *  NSSPKIXName_CreateFromUTF8
+ *  NSSPKIXName_Create
+ *  NSSPKIXName_CreateFromRDNSequence
+ *  NSSPKIXName_Destroy
+ *  NSSPKIXName_Encode
+ *  NSSPKIXName_GetUTF8Encoding
+ *  NSSPKIXName_GetChoice
+ *  NSSPKIXName_GetRDNSequence
+ *  NSSPKIXName_GetSpecifiedChoice {fgmr remove this}
+ *  NSSPKIXName_SetRDNSequence
+ *  NSSPKIXName_SetSpecifiedChoice
+ *  NSSPKIXName_Equal
+ *  NSSPKIXName_Duplicate
+ *
+ *  (here is where I had specific attribute value gettors in pki1)
+ *
+ */
+
+/*
+ * NSSPKIXName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXName *
+NSSPKIXName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXName_CreateFromUTF8
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXName *
+NSSPKIXName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *string
+);
+
+/*
+ * NSSPKIXName_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_CHOICE
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXName *
+NSSPKIXName_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXNameChoice choice,
+  void *arg
+);
+
+/*
+ * NSSPKIXName_CreateFromRDNSequence
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXName *
+NSSPKIXName_CreateFromRDNSequence
+(
+  NSSArena *arenaOpt,
+  NSSPKIXRDNSequence *rdnSequence
+);
+
+/*
+ * NSSPKIXName_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXName_Destroy
+(
+  NSSPKIXName *name
+);
+
+/*
+ * NSSPKIXName_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXName_Encode
+(
+  NSSPKIXName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXName_GetUTF8Encoding
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXName_GetUTF8Encoding
+(
+  NSSPKIXName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXName_GetChoice
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *
+ * Return value:
+ *  A valid element of the NSSPKIXNameChoice enumeration upon success
+ *  The value NSSPKIXNameChoice_NSSinvalid (-1) upon error
+ */
+
+NSS_EXTERN NSSPKIXNameChoice
+NSSPKIXName_GetChoice
+(
+  NSSPKIXName *name
+);
+
+/*
+ * NSSPKIXName_GetRDNSequence
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_WRONG_CHOICE
+ *
+ * Return value:
+ *  A pointer to a valid NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRDNSequence *
+NSSPKIXName_GetRDNSequence
+(
+  NSSPKIXName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXName_GetSpecifiedChoice
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_WRONG_CHOICE
+ *
+ * Return value:
+ *  A valid pointer ...
+ *  NULL upon failure
+ */
+
+NSS_EXTERN void *
+NSSPKIXName_GetSpecifiedChoice
+(
+  NSSPKIXName *name,
+  NSSPKIXNameChoice choice,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXName_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXName_Equal
+(
+  NSSPKIXName *name1,
+  NSSPKIXName *name2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXName_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXName *
+NSSPKIXName_Duplicate
+(
+  NSSPKIXName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * RDNSequence
+ *
+ * This structure contains a sequence of RelativeDistinguishedName
+ * objects.
+ *
+ * From RFC 2459:
+ *
+ *  RDNSequence     ::=   SEQUENCE OF RelativeDistinguishedName
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXRDNSequence_Decode
+ *  NSSPKIXRDNSequence_CreateFromUTF8
+ *  NSSPKIXRDNSequence_Create
+ *  NSSPKIXRDNSequence_CreateFromArray
+ *  NSSPKIXRDNSequence_Destroy
+ *  NSSPKIXRDNSequence_Encode
+ *  NSSPKIXRDNSequence_GetUTF8Encoding
+ *  NSSPKIXRDNSequence_GetRelativeDistinguishedNameCount
+ *  NSSPKIXRDNSequence_GetRelativeDistinguishedNames
+ *  NSSPKIXRDNSequence_SetRelativeDistinguishedNames
+ *  NSSPKIXRDNSequence_GetRelativeDistinguishedName
+ *  NSSPKIXRDNSequence_SetRelativeDistinguishedName
+ *  NSSPKIXRDNSequence_AppendRelativeDistinguishedName
+ *  NSSPKIXRDNSequence_InsertRelativeDistinguishedName
+ *  NSSPKIXRDNSequence_RemoveRelativeDistinguishedName
+ *  NSSPKIXRDNSequence_FindRelativeDistinguishedName
+ *  NSSPKIXRDNSequence_Equal
+ *  NSSPKIXRDNSequence_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXRDNSequence_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRDNSequence *
+NSSPKIXRDNSequence_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXRDNSequence_CreateFromUTF8
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRDNSequence *
+NSSPKIXRDNSequence_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *string
+);
+
+/*
+ * NSSPKIXRDNSequence_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRDNSequence *
+NSSPKIXRDNSequence_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXRelativeDistinguishedName *rdn1,
+  ...
+);
+
+/*
+ * NSSPKIXRDNSequence_CreateFromArray
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRDNSequence *
+NSSPKIXRDNSequence_Create
+(
+  NSSArena *arenaOpt,
+  PRUint32 count,
+  NSSPKIXRelativeDistinguishedName *rdns[]
+);
+
+/*
+ * NSSPKIXRDNSequence_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXRDNSequence_Destroy
+(
+  NSSPKIXRDNSequence *rdnseq
+);
+
+/*
+ * NSSPKIXRDNSequence_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXRDNSequence_Encode
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXRDNSequence_GetUTF8Encoding
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXRDNSequence_GetUTF8Encoding
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXRDNSequence_GetRelativeDistinguishedNameCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXRDNSequence_GetRelativeDistinguishedNameCount
+(
+  NSSPKIXRDNSequence *rdnseq
+);
+
+/*
+ * NSSPKIXRDNSequence_GetRelativeDistinguishedNames
+ *
+ * This routine returns all of the relative distinguished names in the
+ * specified RDN Sequence.  {...} If the array is allocated, or if the
+ * specified one has extra space, the array will be null-terminated.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXRelativeDistinguishedName 
+ *      pointers upon success
+ *  NULL upon failure.
+ */
+
+NSS_EXTERN NSSPKIXRelativeDistinguishedName **
+NSSPKIXRDNSequence_GetRelativeDistinguishedNames
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSPKIXRelativeDistinguishedName *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXRDNSequence_SetRelativeDistinguishedNames
+ *
+ * -- fgmr comments --
+ * If the array pointer itself is null, the set is considered empty.
+ * If the count is zero but the pointer nonnull, the array will be
+ * assumed to be null-terminated.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXRDNSequence_SetRelativeDistinguishedNames
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSPKIXRelativeDistinguishedName *rdns[],
+  PRInt32 countOpt
+);
+
+/*
+ * NSSPKIXRDNSequence_GetRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRelativeDistinguishedName *
+NSSPKIXRDNSequence_GetRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXRDNSequence_SetRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXRDNSequence_SetRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  PRInt32 i,
+  NSSPKIXRelativeDistinguishedName *rdn
+);
+
+/*
+ * NSSPKIXRDNSequence_AppendRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXRDNSequence_AppendRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSPKIXRelativeDistinguishedName *rdn
+);
+
+/*
+ * NSSPKIXRDNSequence_InsertRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXRDNSequence_InsertRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  PRInt32 i,
+  NSSPKIXRelativeDistinguishedName *rdn
+);
+
+/*
+ * NSSPKIXRDNSequence_RemoveRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXRDNSequence_RemoveRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  PRInt32 i
+);
+
+/*
+ * NSSPKIXRDNSequence_FindRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  The index of the specified attribute value upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXRDNSequence_FindRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSPKIXRelativeDistinguishedName *rdn
+);
+
+/*
+ * NSSPKIXRDNSequence_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXRDNSequence_Equal
+(
+  NSSPKIXRDNSequence *one,
+  NSSPKIXRDNSequence *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXRDNSequence_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRDNSequence *
+NSSPKIXRDNSequence_Duplicate
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * DistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  DistinguishedName       ::=   RDNSequence
+ *
+ * This is just a public typedef; no new methods are required. {fgmr-- right?}
+ */
+
+/*
+ * RelativeDistinguishedName
+ *
+ * This structure contains an unordered set of AttributeTypeAndValue 
+ * objects.  RDNs are used to distinguish a set of objects underneath 
+ * a common object.
+ *
+ * Often, a single ATAV is sufficient to make a unique distinction.
+ * For example, if a company assigns its people unique uid values,
+ * then in the Name "uid=smith,ou=People,o=Acme,c=US" the "uid=smith"
+ * ATAV by itself forms an RDN.  However, sometimes a set of ATAVs is
+ * needed.  For example, if a company needed to distinguish between
+ * two Smiths by specifying their corporate divisions, then in the
+ * Name "(cn=Smith,ou=Sales),ou=People,o=Acme,c=US" the parenthesised
+ * set of ATAVs forms the RDN.
+ *
+ * From RFC 2459:
+ *
+ *  RelativeDistinguishedName  ::=
+ *                      SET SIZE (1 .. MAX) OF AttributeTypeAndValue
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXRelativeDistinguishedName_Decode
+ *  NSSPKIXRelativeDistinguishedName_CreateFromUTF8
+ *  NSSPKIXRelativeDistinguishedName_Create
+ *  NSSPKIXRelativeDistinguishedName_CreateFromArray
+ *  NSSPKIXRelativeDistinguishedName_Destroy
+ *  NSSPKIXRelativeDistinguishedName_Encode
+ *  NSSPKIXRelativeDistinguishedName_GetUTF8Encoding
+ *  NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValueCount
+ *  NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValues
+ *  NSSPKIXRelativeDistinguishedName_SetAttributeTypeAndValues
+ *  NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValue
+ *  NSSPKIXRelativeDistinguishedName_SetAttributeTypeAndValue
+ *  NSSPKIXRelativeDistinguishedName_AddAttributeTypeAndValue
+ *  NSSPKIXRelativeDistinguishedName_RemoveAttributeTypeAndValue
+ *  NSSPKIXRelativeDistinguishedName_FindAttributeTypeAndValue
+ *  NSSPKIXRelativeDistinguishedName_Equal
+ *  NSSPKIXRelativeDistinguishedName_Duplicate
+ *
+ * fgmr: Logical additional functions include
+ *
+ *  NSSPKIXRelativeDistinguishedName_FindAttributeTypeAndValueByType
+ *    returns PRInt32
+ *  NSSPKIXRelativeDistinguishedName_FindAttributeTypeAndValuesByType
+ *    returns array of PRInt32
+ *  NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValueForType
+ *    returns NSSPKIXAttributeTypeAndValue
+ *  NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValuesForType
+ *    returns array of NSSPKIXAttributeTypeAndValue
+ *  NSSPKIXRelativeDistinguishedName_GetAttributeValueForType
+ *    returns NSSPKIXAttributeValue
+ *  NSSPKIXRelativeDistinguishedName_GetAttributeValuesForType
+ *    returns array of NSSPKIXAttributeValue
+ *
+ * NOTE: the "return array" versions are only meaningful if an RDN may
+ * contain multiple ATAVs with the same type.  Verify in the RFC if
+ * this is possible or not.  If not, nuke those three functions.
+ *
+ */
+
+/*
+ * NSSPKIXRelativeDistinguishedName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRelativeDistinguishedName *
+NSSPKIXRelativeDistinguishedName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXRelativeDistinguishedName_CreateFromUTF8
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRelativeDistinguishedName *
+NSSPKIXRelativeDistinguishedName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *string
+);
+
+/*
+ * NSSPKIXRelativeDistinguishedName_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRelativeDistinguishedName *
+NSSPKIXRelativeDistinguishedName_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAttributeTypeAndValue *atav1,
+  ...
+);
+
+/*
+ * NSSPKIXRelativeDistinguishedName_CreateFromArray
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRelativeDistinguishedName *
+NSSPKIXRelativeDistinguishedName_CreateFromArray
+(
+  NSSArena *arenaOpt,
+  PRUint32 count,
+  NSSPKIXAttributeTypeAndValue *atavs[]
+);
+
+/*
+ * NSSPKIXRelativeDistinguishedName_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXRelativeDistinguishedName_Destroy
+(
+  NSSPKIXRelativeDistinguishedName *rdn
+);
+
+/*
+ * NSSPKIXRelativeDistinguishedName_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXRelativeDistinguishedName_Encode
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXRelativeDistinguishedName_GetUTF8Encoding
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXRelativeDistinguishedName_GetUTF8Encoding
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValueCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValueCount
+(
+  NSSPKIXRelativeDistinguishedName *rdn
+);
+
+/*
+ * NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValues
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXAttributeTypeAndValue 
+ *      pointers upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAttributeTypeAndValue **
+NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValues
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSPKIXAttributeTypeAndValue *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXRelativeDistinguishedName_SetAttributeTypeAndValues
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXRelativeDistinguishedName_SetAttributeTypeAndValues
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSPKIXAttributeTypeAndValue *atavs[],
+  PRInt32 countOpt
+);
+
+/*
+ * NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAttributeTypeAndValue *
+NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValue
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXRelativeDistinguishedName_SetAttributeTypeAndValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXRelativeDistinguishedName_SetAttributeTypeAndValue
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  PRInt32 i,
+  NSSPKIXAttributeTypeAndValue *atav
+);
+
+/*
+ * NSSPKIXRelativeDistinguishedName_AddAttributeTypeAndValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXRelativeDistinguishedName_AddAttributeTypeAndValue
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSPKIXAttributeTypeAndValue *atav
+);
+
+/*
+ * NSSPKIXRelativeDistinguishedName_RemoveAttributeTypeAndValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_AT_MINIMUM
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXRelativeDistinguishedName_RemoveAttributeTypeAndValue
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  PRInt32 i
+);
+
+/*
+ * NSSPKIXRelativeDistinguishedName_FindAttributeTypeAndValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  The index of the specified attribute value upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXRelativeDistinguishedName_FindAttributeTypeAndValue
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSPKIXAttributeTypeAndValue *atav
+);
+
+/*
+ * NSSPKIXRelativeDistinguishedName_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXRelativeDistinguishedName_Equal
+(
+  NSSPKIXRelativeDistinguishedName *one,
+  NSSPKIXRelativeDistinguishedName *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXRelativeDistinguishedName_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRelativeDistinguishedName *
+NSSPKIXRelativeDistinguishedName_Duplicate
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * DirectoryString
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  DirectoryString ::= CHOICE {
+ *        teletexString             TeletexString (SIZE (1..MAX)),
+ *        printableString           PrintableString (SIZE (1..MAX)),
+ *        universalString           UniversalString (SIZE (1..MAX)),
+ *        utf8String              UTF8String (SIZE (1..MAX)),
+ *        bmpString               BMPString (SIZE(1..MAX))   }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXDirectoryString_Decode
+ *  NSSPKIXDirectoryString_CreateFromUTF8
+ *  NSSPKIXDirectoryString_Encode
+ *
+ */
+
+/*
+ * NSSPKIXDirectoryString_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDirectoryString upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDirectoryString *
+NSSPKIXDirectoryString_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXDirectoryString_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDirectoryString upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDirectoryString *
+NSSPKIXDirectoryString_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXDirectoryString_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_DIRECTORY_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXDirectoryString_Encode
+(
+  NSSPKIXDirectoryString *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * Certificate
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Certificate  ::=  SEQUENCE  {
+ *       tbsCertificate       TBSCertificate,
+ *       signatureAlgorithm   AlgorithmIdentifier,
+ *       signature            BIT STRING  }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXCertificate_Decode
+ *  NSSPKIXCertificate_Create
+ *  NSSPKIXCertificate_Destroy
+ *  NSSPKIXCertificate_Encode
+ *  NSSPKIXCertificate_GetTBSCertificate
+ *  NSSPKIXCertificate_SetTBSCertificate
+ *  NSSPKIXCertificate_GetAlgorithmIdentifier
+ *  NSSPKIXCertificate_SetAlgorithmIdentifier
+ *  NSSPKIXCertificate_GetSignature
+ *  NSSPKIXCertificate_SetSignature
+ *  NSSPKIXCertificate_Equal
+ *  NSSPKIXCertificate_Duplicate
+ *
+ *  { inherit TBSCertificate gettors? }
+ *
+ */
+
+/*
+ * NSSPKIXCertificate_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificate upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificate *
+NSSPKIXCertificate_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXCertificate_Create
+ *
+ * -- fgmr comments --
+ * { at this level we'll have to just accept a specified signature }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_PKIX_ALGID
+ *  NSS_ERROR_INVALID_PKIX_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificate upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificate *
+NSSPKIXCertificate_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXAlgorithmIdentifier *algID,
+  NSSItem *signature
+);
+
+/*
+ * NSSPKIXCertificate_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXCertificate_Destroy
+(
+  NSSPKIXCertificate *cert
+);
+
+/*
+ * NSSPKIXCertificate_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXCertificate_Encode
+(
+  NSSPKIXCertificate *cert,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXCertificate_GetTBSCertificate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTBSCertificate upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTBSCertificate *
+NSSPKIXCertificate_GetTBSCertificate
+(
+  NSSPKIXCertificate *cert,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXCertificate_SetTBSCertificate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXCertificate_SetTBSCertificate
+(
+  NSSPKIXCertificate *cert,
+  NSSPKIXTBSCertificate *tbsCert
+);
+
+/*
+ * NSSPKIXCertificate_GetAlgorithmIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAlgorithmIdentifier *
+NSSPKIXCertificate_GetAlgorithmIdentifier
+(
+  NSSPKIXCertificate *cert,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXCertificate_SetAlgorithmIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXCertificate_SetAlgorithmIdentifier
+(
+  NSSPKIXCertificate *cert,
+  NSSPKIXAlgorithmIdentifier *algid,
+);
+
+/*
+ * NSSPKIXCertificate_GetSignature
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSItem *
+NSSPKIXCertificate_GetSignature
+(
+  NSSPKIXCertificate *cert,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXCertificate_SetSignature
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXCertificate_SetSignature
+(
+  NSSPKIXCertificate *cert,
+  NSSItem *signature
+);
+
+/*
+ * NSSPKIXCertificate_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXCertificate_Equal
+(
+  NSSPKIXCertificate *one,
+  NSSPKIXCertificate *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXCertificate_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificate upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificate *
+NSSPKIXCertificate_Duplicate
+(
+  NSSPKIXCertificate *cert,
+  NSSArena *arenaOpt
+);
+
+/*
+ * TBSCertificate
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TBSCertificate  ::=  SEQUENCE  {
+ *       version         [0]  Version DEFAULT v1,
+ *       serialNumber         CertificateSerialNumber,
+ *       signature            AlgorithmIdentifier,
+ *       issuer               Name,
+ *       validity             Validity,
+ *       subject              Name,
+ *       subjectPublicKeyInfo SubjectPublicKeyInfo,
+ *       issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
+ *                            -- If present, version shall be v2 or v3
+ *       subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
+ *                            -- If present, version shall be v2 or v3
+ *       extensions      [3]  Extensions OPTIONAL
+ *                            -- If present, version shall be v3 --  }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXTBSCertificate_Decode
+ *  NSSPKIXTBSCertificate_Create
+ *  NSSPKIXTBSCertificate_Destroy
+ *  NSSPKIXTBSCertificate_Encode
+ *  NSSPKIXTBSCertificate_GetVersion
+ *  NSSPKIXTBSCertificate_SetVersion
+ *  NSSPKIXTBSCertificate_GetSerialNumber
+ *  NSSPKIXTBSCertificate_SetSerialNumber
+ *  NSSPKIXTBSCertificate_GetSignature
+ *  NSSPKIXTBSCertificate_SetSignature
+ *    { inherit algid gettors? }
+ *  NSSPKIXTBSCertificate_GetIssuer
+ *  NSSPKIXTBSCertificate_SetIssuer
+ *    { inherit "helper" issuer gettors? }
+ *  NSSPKIXTBSCertificate_GetValidity
+ *  NSSPKIXTBSCertificate_SetValidity
+ *    { inherit validity accessors }
+ *  NSSPKIXTBSCertificate_GetSubject
+ *  NSSPKIXTBSCertificate_SetSubject
+ *  NSSPKIXTBSCertificate_GetSubjectPublicKeyInfo
+ *  NSSPKIXTBSCertificate_SetSubjectPublicKeyInfo
+ *  NSSPKIXTBSCertificate_HasIssuerUniqueID
+ *  NSSPKIXTBSCertificate_GetIssuerUniqueID
+ *  NSSPKIXTBSCertificate_SetIssuerUniqueID
+ *  NSSPKIXTBSCertificate_RemoveIssuerUniqueID
+ *  NSSPKIXTBSCertificate_HasSubjectUniqueID
+ *  NSSPKIXTBSCertificate_GetSubjectUniqueID
+ *  NSSPKIXTBSCertificate_SetSubjectUniqueID
+ *  NSSPKIXTBSCertificate_RemoveSubjectUniqueID
+ *  NSSPKIXTBSCertificate_HasExtensions
+ *  NSSPKIXTBSCertificate_GetExtensions
+ *  NSSPKIXTBSCertificate_SetExtensions
+ *  NSSPKIXTBSCertificate_RemoveExtensions
+ *    { extension accessors }
+ *  NSSPKIXTBSCertificate_Equal
+ *  NSSPKIXTBSCertificate_Duplicate
+ */
+
+/*
+ * NSSPKIXTBSCertificate_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTBSCertificate upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTBSCertificate *
+NSSPKIXTBSCertificate_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXTBSCertificate_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_VERSION
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_SERIAL_NUMBER
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_ISSUER_NAME
+ *  NSS_ERROR_INVALID_VALIDITY
+ *  NSS_ERROR_INVALID_SUBJECT_NAME
+ *  NSS_ERROR_INVALID_SUBJECT_PUBLIC_KEY_INFO
+ *  NSS_ERROR_INVALID_ISSUER_UNIQUE_IDENTIFIER
+ *  NSS_ERROR_INVALID_SUBJECT_UNIQUE_IDENTIFIER
+ *  NSS_ERROR_INVALID_EXTENSION
+ *
+ * Return value:
+ */
+
+NSS_EXTERN NSSPKIXTBSCertificate *
+NSSPKIXTBSCertificate_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXVersion version,
+  NSSPKIXCertificateSerialNumber *serialNumber,
+  NSSPKIXAlgorithmIdentifier *signature,
+  NSSPKIXName *issuer,
+  NSSPKIXValidity *validity,
+  NSSPKIXName *subject,
+  NSSPKIXSubjectPublicKeyInfo *spki,
+  NSSPKIXUniqueIdentifier *issuerUniqueID,
+  NSSPKIXUniqueIdentifier *subjectUniqueID,
+  NSSPKIXExtensions *extensions
+);
+
+/*
+ * NSSPKIXTBSCertificate_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertificate_Destroy
+(
+  NSSPKIXTBSCertificate *tbsCert
+);
+
+/*
+ * NSSPKIXTBSCertificate_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXTBSCertificate_Encode
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTBSCertificate_GetVersion
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  A valid element of the NSSPKIXVersion enumeration upon success
+ *  NSSPKIXVersion_NSSinvalid (-1) upon failure
+ */
+
+NSS_EXTERN NSSPKIXVersion
+NSSPKIXTBSCertificate_GetVersion
+(
+  NSSPKIXTBSCertificate *tbsCert
+);
+
+/*
+ * NSSPKIXTBSCertificate_SetVersion
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_PKIX_VERSION
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertificate_SetVersion
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXVersion version
+);
+
+/*
+ * NSSPKIXTBSCertificate_GetSerialNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificateSerialNumber upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificateSerialNumber *
+NSSPKIXTBSCertificate_GetSerialNumber
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXCertificateSerialNumber *snOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTBSCertificate_SetSerialNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertificate_SetSerialNumber
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXCertificateSerialNumber *sn
+);
+
+/*
+ * NSSPKIXTBSCertificate_GetSignature
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAlgorithmIdentifier *
+NSSPKIXTBSCertificate_GetSignature
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTBSCertificate_SetSignature
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertificate_SetSignature
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXAlgorithmIdentifier *algID
+);
+
+/*
+ *   { fgmr inherit algid gettors? }
+ */
+
+/*
+ * NSSPKIXTBSCertificate_GetIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXName *
+NSSPKIXTBSCertificate_GetIssuer
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTBSCertificate_SetIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertificate_SetIssuer
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXName *issuer
+);
+
+/*
+ *   { inherit "helper" issuer gettors? }
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *
+ * Return value:
+ */
+
+/*
+ * NSSPKIXTBSCertificate_GetValidity
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXValidity upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXValidity *
+NSSPKIXTBSCertificate_GetValidity
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTBSCertificate_SetValidity
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_PKIX_VALIDITY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertificate_SetValidity
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXValidity *validity
+);
+
+/*
+ *   { fgmr inherit validity accessors }
+ */
+
+/*
+ * NSSPKIXTBSCertificate_GetSubject
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXName *
+NSSPKIXTBSCertificate_GetSubject
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTBSCertificate_SetSubject
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertificate_SetSubject
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXName *subject
+);
+
+/*
+ * NSSPKIXTBSCertificate_GetSubjectPublicKeyInfo
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXSubjectPublicKeyInfo upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXSubjectPublicKeyInfo *
+NSSPKIXTBSCertificate_GetSubjectPublicKeyInfo
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTBSCertificate_SetSubjectPublicKeyInfo
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertificate_SetSubjectPublicKeyInfo
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXSubjectPublicKeyInfo *spki
+);
+
+/*
+ * NSSPKIXTBSCertificate_HasIssuerUniqueID
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXTBSCertificate_HasIssuerUniqueID
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXTBSCertificate_GetIssuerUniqueID
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_CERT_HAS_NO_ISSUER_UNIQUE_ID
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXUniqueIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXUniqueIdentifier *
+NSSPKIXTBSCertificate_GetIssuerUniqueID
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXUniqueIdentifier *uidOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTBSCertificate_SetIssuerUniqueID
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertificate_SetIssuerUniqueID
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXUniqueIdentifier *uid
+);
+
+/*
+ * NSSPKIXTBSCertificate_RemoveIssuerUniqueID
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_CERT_HAS_NO_ISSUER_UNIQUE_ID
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertificate_RemoveIssuerUniqueID
+(
+  NSSPKIXTBSCertificate *tbsCert
+);
+
+/*
+ * NSSPKIXTBSCertificate_HasSubjectUniqueID
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXTBSCertificate_HasSubjectUniqueID
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXTBSCertificate_GetSubjectUniqueID
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_CERT_HAS_NO_SUBJECT_UNIQUE_ID
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXUniqueIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXUniqueIdentifier *
+NSSPKIXTBSCertificate_GetSubjectUniqueID
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXUniqueIdentifier *uidOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTBSCertificate_SetSubjectUniqueID
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertificate_SetSubjectUniqueID
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXUniqueIdentifier *uid
+);
+
+/*
+ * NSSPKIXTBSCertificate_RemoveSubjectUniqueID
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_CERT_HAS_NO_SUBJECT_UNIQUE_ID
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertificate_RemoveSubjectUniqueID
+(
+  NSSPKIXTBSCertificate *tbsCert
+);
+
+/*
+ * NSSPKIXTBSCertificate_HasExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXTBSCertificate_HasExtensions
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXTBSCertificate_GetExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_CERT_HAS_NO_EXTENSIONS
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtensions upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensions *
+NSSPKIXTBSCertificate_GetExtensions
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTBSCertificate_SetExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_PKIX_EXTENSIONS
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertificate_SetExtensions
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXExtensions *extensions
+);
+
+/*
+ * NSSPKIXTBSCertificate_RemoveExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_CERT_HAS_NO_EXTENSIONS
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertificate_RemoveExtensions
+(
+  NSSPKIXTBSCertificate *tbsCert
+);
+
+/*
+ *   { extension accessors }
+ */
+
+/*
+ * NSSPKIXTBSCertificate_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXTBSCertificate_Equal
+(
+  NSSPKIXTBSCertificate *one,
+  NSSPKIXTBSCertificate *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXTBSCertificate_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTBSCertificate upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTBSCertificate *
+NSSPKIXTBSCertificate_Duplicate
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSArena *arenaOpt
+);
+
+/*
+ * CertificateSerialNumber
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CertificateSerialNumber  ::=  INTEGER
+ *
+ * This is just a typedef'd NSSBER; no methods are required.
+ * {fgmr -- the asn.1 stuff should have routines to convert
+ * integers to natural types when possible and vv.  we can
+ * refer to them here..}
+ */
+
+/*
+ * Validity
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Validity ::= SEQUENCE {
+ *       notBefore      Time,
+ *       notAfter       Time }
+ *
+ * The public calls for the type:
+ *
+ *  NSSPKIXValidity_Decode
+ *  NSSPKIXValidity_Create
+ *  NSSPKIXValidity_Encode
+ *  NSSPKIXValidity_Destroy
+ *  NSSPKIXValidity_GetNotBefore
+ *  NSSPKIXValidity_SetNotBefore
+ *  NSSPKIXValidity_GetNotAfter
+ *  NSSPKIXValidity_SetNotAfter
+ *  NSSPKIXValidity_Equal
+ *  NSSPKIXValidity_Compare
+ *  NSSPKIXValidity_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXValidity_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXValidity upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXValidity *
+NSSPKIXValidity_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXValidity_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_TIME
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXValidity upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXValidity *
+NSSPKIXValidity_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXTime notBefore,
+  NSSPKIXTime notAfter
+);
+
+/*
+ * NSSPKIXValidity_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_VALIDITY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXValidity_Destroy
+(
+  NSSPKIXValidity *validity
+);
+
+/*
+ * NSSPKIXValidity_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_VALIDITY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXValidity_Encode
+(
+  NSSPKIXValidity *validity,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXValidity_GetNotBefore
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_VALIDITY
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  A valid NSSPKIXTime upon success
+ *  {we need to rethink NSSPKIXTime}
+ */
+
+NSS_EXTERN NSSPKIXTime
+NSSPKIXValidity_GetNotBefore
+(
+  NSSPKIXValidity *validity
+);
+
+/*
+ * NSSPKIXValidity_SetNotBefore
+ *
+ * -- fgmr comments --
+ * {do we require that it be before the "notAfter" value?}
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_VALIDITY
+ *  NSS_ERROR_VALUE_TOO_LARGE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXValidity_SetNotBefore
+(
+  NSSPKIXValidity *validity,
+  NSSPKIXTime notBefore
+);
+
+/*
+ * NSSPKIXValidity_GetNotAfter
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_VALIDITY
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  A valid NSSPKIXTime upon success
+ *  {we need to rethink NSSPKIXTime}
+ */
+
+NSS_EXTERN NSSPKIXTime
+NSSPKIXValidity_GetNotAfter
+(
+  NSSPKIXValidity *validity
+);
+
+/*
+ * NSSPKIXValidity_SetNotAfter
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_VALIDITY
+ *  NSS_ERROR_VALUE_TOO_SMALL
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXValidity_SetNotAfter
+(
+  NSSPKIXValidity *validity,
+  NSSPKIXTime notAfter
+);
+
+/*
+ * NSSPKIXValidity_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_VALIDITY
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXValidity_Equal
+(
+  NSSPKIXValidity *one,
+  NSSPKIXValidity *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXValidity_Compare
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_VALIDITY
+ *
+ * Return value:
+ *   1 if the second is "greater" or later than the first
+ *   0 if they are equal
+ *  -1 if the first is "greater" or later than the first
+ *  -2 upon failure
+ */
+
+NSS_EXTERN PRIntn
+NSSPKIXValidity_Compare
+(
+  NSSPKIXValidity *one,
+  NSSPKIXValidity *two
+);
+
+/*
+ * NSSPKIXValidity_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_VALIDITY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXValidity upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXValidity *
+NSSPKIXValidity_Duplicate
+(
+  NSSPKIXValidity *validity,
+  NSSArena *arenaOpt
+);
+
+/*
+ * Time
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Time ::= CHOICE {
+ *       utcTime        UTCTime,
+ *       generalTime    GeneralizedTime }
+ *
+ * The public calls for the type:
+ *
+ *  NSSPKIXTime_Decode
+ *  NSSPKIXTime_CreateFromPRTime
+ *  NSSPKIXTime_CreateFromUTF8
+ *  NSSPKIXTime_Destroy
+ *  NSSPKIXTime_Encode
+ *  NSSPKIXTime_GetPRTime
+ *  NSSPKIXTime_GetUTF8Encoding
+ *  NSSPKIXTime_Equal
+ *  NSSPKIXTime_Duplicate
+ *  NSSPKIXTime_Compare
+ *  
+ */
+
+/*
+ * NSSPKIXTime_Decode
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTime upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTime *
+NSSPKIXTime_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXTime_CreateFromPRTime
+ *
+ */
+
+NSS_EXTERN NSSPKIXTime *
+NSSPKIXTime_CreateFromPRTime
+(
+  NSSArena *arenaOpt,
+  PRTime prTime
+);
+
+/*
+ * NSSPKIXTime_CreateFromUTF8
+ *
+ */
+
+NSS_EXTERN NSSPKIXTime *
+NSSPKIXTime_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXTime_Destroy
+ *
+ */
+
+NSS_EXTERN PR_STATUS
+NSSPKIXTime_Destroy
+(
+  NSSPKIXTime *time
+);
+
+/*
+ * NSSPKIXTime_Encode
+ *
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXTime_Encode
+(
+  NSSPKIXTime *time,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTime_GetPRTime
+ *
+ * Returns a zero on error
+ */
+
+NSS_EXTERN PRTime
+NSSPKIXTime_GetPRTime
+(
+  NSSPKIXTime *time,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXTime_GetUTF8Encoding
+ *
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKXITime_GetUTF8Encoding
+(
+  NSSPKIXTime *time,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTime_Equal
+ *
+ */
+
+NSS_EXTERN PRBool
+NSSPKXITime_Equal
+(
+  NSSPKXITime *time1,
+  NSSPKXITime *time2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXTime_Duplicate
+ *
+ */
+
+NSS_EXTERN NSSPKIXTime *
+NSSPKXITime_Duplicate
+(
+  NSSPKIXTime *time,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTime_Compare
+ *
+ * Usual result: -1, 0, 1
+ *  Returns 0 on error
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXTime_Compare
+(
+  NSSPKIXTime *time1,
+  NSSPKIXTime *tiem2,
+  PRStatus *statusOpt
+);
+
+/*
+ * UniqueIdentifier
+ *
+ * -- fgmr comments --
+ * Should we distinguish bitstrings from "regular" items/BERs?
+ * It could be another typedef, but with a separate type to help
+ * remind users about the factor of 8.  OR we could make it a
+ * hard type, and require the use of some (trivial) converters.
+ *
+ * From RFC 2459:
+ *
+ *  UniqueIdentifier  ::=  BIT STRING
+ *
+ */
+
+/*
+ * SubjectPublicKeyInfo
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  SubjectPublicKeyInfo  ::=  SEQUENCE  {
+ *       algorithm            AlgorithmIdentifier,
+ *       subjectPublicKey     BIT STRING  }
+ *
+ * The public calls for the type:
+ *
+ *  NSSPKIXSubjectPublicKeyInfo_Decode
+ *  NSSPKIXSubjectPublicKeyInfo_Create
+ *  NSSPKIXSubjectPublicKeyInfo_Encode
+ *  NSSPKIXSubjectPublicKeyInfo_Destroy
+ *  NSSPKIXSubjectPublicKeyInfo_GetAlgorithm
+ *  NSSPKIXSubjectPublicKeyInfo_SetAlgorithm
+ *  NSSPKIXSubjectPublicKeyInfo_GetSubjectPublicKey
+ *  NSSPKIXSubjectPublicKeyInfo_SetSubjectPublicKey
+ *  NSSPKIXSubjectPublicKeyInfo_Equal
+ *  NSSPKIXSubjectPublicKeyInfo_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXSubjectPublicKeyInfo_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXSubjectPublicKeyInfo upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXSubjectPublicKeyInfo *
+NSSPKIXSubjectPublicKeyInfo_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXSubjectPublicKeyInfo_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXSubjectPublicKeyInfo upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXSubjectPublicKeyInfo *
+NSSPKIXSubjectPublicKeyInfo_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAlgorithmIdentifier *algid,
+  NSSItem *subjectPublicKey
+);
+
+/*
+ * NSSPKIXSubjectPublicKeyInfo_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXSubjectPublicKeyInfo_Destroy
+(
+  NSSPKIXSubjectPublicKeyInfo *spki
+);
+
+/*
+ * NSSPKIXSubjectPublicKeyInfo_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXSubjectPublicKeyInfo_Encode
+(
+  NSSPKIXSubjectPublicKeyInfo *spki,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXSubjectPublicKeyInfo_GetAlgorithm
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAlgorithmIdentifier *
+NSSPKIXSubjectPublicKeyInfo_GetAlgorithm
+(
+  NSSPKIXSubjectPublicKeyInfo *spki,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXSubjectPublicKeyInfo_SetAlgorithm
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXSubjectPublicKeyInfo_SetAlgorithm
+(
+  NSSPKIXSubjectPublicKeyInfo *spki,
+  NSSPKIXAlgorithmIdentifier *algid
+);
+
+/*
+ * NSSPKIXSubjectPublicKeyInfo_GetSubjectPublicKey
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSItem *
+NSSPKIXSubjectPublicKeyInfo_GetSubjectPublicKey
+(
+  NSSPKIXSubjectPublicKeyInfo *spki,
+  NSSItem *spkOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXSubjectPublicKeyInfo_SetSubjectPublicKey
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXSubjectPublicKeyInfo_SetSubjectPublicKey
+(
+  NSSPKIXSubjectPublicKeyInfo *spki,
+  NSSItem *spk
+);
+
+/*
+ * NSSPKIXSubjectPublicKeyInfo_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXSubjectPublicKeyInfo_Equal
+(
+  NSSPKIXSubjectPublicKeyInfo *one,
+  NSSPKIXSubjectPublicKeyInfo *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXSubjectPublicKeyInfo_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXSubjectPublicKeyInfo upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXSubjectPublicKeyInfo *
+NSSPKIXSubjectPublicKeyInfo_Duplicate
+(
+  NSSPKIXSubjectPublicKeyInfo *spki,
+  NSSArena *arenaOpt
+);
+
+/*
+ * Extensions
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
+ *
+ */
+
+/* { FGMR } */
+
+/*
+ * Extension
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Extension  ::=  SEQUENCE  {
+ *       extnID      OBJECT IDENTIFIER,
+ *       critical    BOOLEAN DEFAULT FALSE,
+ *       extnValue   OCTET STRING  }
+ *
+ */
+
+/* { FGMR } */
+
+/*
+ * CertificateList
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CertificateList  ::=  SEQUENCE  {
+ *       tbsCertList          TBSCertList,
+ *       signatureAlgorithm   AlgorithmIdentifier,
+ *       signature            BIT STRING  }
+ *
+ * The public calls for the type:
+ *
+ *  NSSPKIXCertificateList_Decode
+ *  NSSPKIXCertificateList_Create
+ *  NSSPKIXCertificateList_Encode
+ *  NSSPKIXCertificateList_Destroy
+ *  NSSPKIXCertificateList_GetTBSCertList
+ *  NSSPKIXCertificateList_SetTBSCertList
+ *  NSSPKIXCertificateList_GetSignatureAlgorithm
+ *  NSSPKIXCertificateList_SetSignatureAlgorithm
+ *  NSSPKIXCertificateList_GetSignature
+ *  NSSPKIXCertificateList_SetSignature
+ *  NSSPKIXCertificateList_Equal
+ *  NSSPKIXCertificateList_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXCertificateList_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificateList upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificateList *
+NSSPKIXCertificateList_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXCertificateList_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificateList upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificateList *
+NSSPKIXCertificateList_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXTBSCertList *tbsCertList,
+  NSSPKIXAlgorithmIdentifier *sigAlg,
+  NSSItem *signature
+);
+
+/*
+ * NSSPKIXCertificateList_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXCertificateList_Destroy
+(
+  NSSPKIXCertificateList *certList
+);
+
+/*
+ * NSSPKIXCertificateList_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXCertificateList_Encode
+(
+  NSSPKIXCertificateList *certList,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXCertificateList_GetTBSCertList
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTBSCertList upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTBSCertList *
+NSSPKIXCertificateList_GetTBSCertList
+(
+  NSSPKIXCertificateList *certList,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXCertificateList_SetTBSCertList
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXCertificateList_SetTBSCertList
+(
+  NSSPKIXCertificateList *certList,
+  NSSPKIXTBSCertList *tbsCertList
+);
+
+/*
+ * NSSPKIXCertificateList_GetSignatureAlgorithm
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAlgorithmIdentifier *
+NSSPKIXCertificateList_GetSignatureAlgorithm
+(
+  NSSPKIXCertificateList *certList,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXCertificateList_SetSignatureAlgorithm
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXCertificateList_SetSignatureAlgorithm
+(
+  NSSPKIXCertificateList *certList,
+  NSSPKIXAlgorithmIdentifier *sigAlg
+);
+
+/*
+ * NSSPKIXCertificateList_GetSignature
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSItem *
+NSSPKIXCertificateList_GetSignature
+(
+  NSSPKIXCertificateList *certList,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXCertificateList_SetSignature
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXCertificateList_SetSignature
+(
+  NSSPKIXCertificateList *certList,
+  NSSItem *sig
+);
+
+/*
+ * NSSPKIXCertificateList_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXCertificateList_Equal
+(
+  NSSPKIXCertificateList *one,
+  NSSPKIXCertificateList *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXCertificateList_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificateList upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificateList *
+NSSPKIXCertificateList_Duplicate
+(
+  NSSPKIXCertificateList *certList,
+  NSSArena *arenaOpt
+);
+
+/*
+ * TBSCertList
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TBSCertList  ::=  SEQUENCE  {
+ *       version                 Version OPTIONAL,
+ *                                    -- if present, shall be v2
+ *       signature               AlgorithmIdentifier,
+ *       issuer                  Name,
+ *       thisUpdate              Time,
+ *       nextUpdate              Time OPTIONAL,
+ *       revokedCertificates     SEQUENCE OF SEQUENCE  {
+ *            userCertificate         CertificateSerialNumber,
+ *            revocationDate          Time,
+ *            crlEntryExtensions      Extensions OPTIONAL
+ *                                           -- if present, shall be v2
+ *                                 }  OPTIONAL,
+ *       crlExtensions           [0] Extensions OPTIONAL
+ *                                           -- if present, shall be v2 -- }
+ *
+ * The public calls for the type:
+ *
+ *  NSSPKIXTBSCertList_Decode
+ *  NSSPKIXTBSCertList_Create
+ *  NSSPKIXTBSCertList_Destroy
+ *  NSSPKIXTBSCertList_Encode
+ *  NSSPKIXTBSCertList_GetVersion
+ *  NSSPKIXTBSCertList_SetVersion
+ *  NSSPKIXTBSCertList_GetSignature
+ *  NSSPKIXTBSCertList_SetSignature
+ *  NSSPKIXTBSCertList_GetIssuer
+ *  NSSPKIXTBSCertList_SetIssuer
+ *  NSSPKIXTBSCertList_GetThisUpdate
+ *  NSSPKIXTBSCertList_SetThisUpdate
+ *  NSSPKIXTBSCertList_HasNextUpdate
+ *  NSSPKIXTBSCertList_GetNextUpdate
+ *  NSSPKIXTBSCertList_SetNextUpdate
+ *  NSSPKIXTBSCertList_RemoveNextUpdate
+ *  NSSPKIXTBSCertList_GetRevokedCertificates
+ *  NSSPKIXTBSCertList_SetRevokedCertificates
+ *  NSSPKIXTBSCertList_HasCrlExtensions
+ *  NSSPKIXTBSCertList_GetCrlExtensions
+ *  NSSPKIXTBSCertList_SetCrlExtensions
+ *  NSSPKIXTBSCertList_RemoveCrlExtensions
+ *  NSSPKIXTBSCertList_Equal
+ *  NSSPKIXTBSCertList_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXTBSCertList_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTBSCertList upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTBSCertList *
+NSSPKIXTBSCertList_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXTBSCertList_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_VERSION
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_PKIX_TIME
+ *  (something for the times being out of order?)
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATES
+ *  NSS_ERROR_INVALID_PKIX_EXTENSIONS
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTBSCertList upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTBSCertList *
+NSSPKIXTBSCertList_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXVersion version,
+  NSSPKIXAlgorithmIdentifier *signature,
+  NSSPKIXName *issuer,
+  NSSPKIXTime thisUpdate,
+  NSSPKIXTime nextUpdateOpt,
+  NSSPKIXrevokedCertificates *revokedCerts,
+  NSSPKIXExtensions *crlExtensionsOpt
+);
+
+/*
+ * NSSPKIXTBSCertList_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertList_Destroy
+(
+  NSSPKIXTBSCertList *certList
+);
+
+/*
+ * NSSPKIXTBSCertList_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXTBSCertList_Encode
+(
+  NSSPKIXTBSCertList *certList,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTBSCertList_GetVersion
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  A valid element of the NSSPKIXVersion enumeration upon success
+ *  NSSPKIXVersion_NSSinvalid (-1) upon failure
+ */
+
+NSS_EXTERN NSSPKIXVersion
+NSSPKIXTBSCertList_GetVersion
+(
+  NSSPKIXTBSCertList *certList
+);
+
+/*
+ * NSSPKIXTBSCertList_SetVersion
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_PKIX_VERSION
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertList_SetVersion
+(
+  NSSPKIXTBSCertList *certList,
+  NSSPKIXVersion version
+);
+
+/*
+ * NSSPKIXTBSCertList_GetSignature
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAlgorithmIdentifier *
+NSSPKIXTBSCertList_GetSignature
+(
+  NSSPKIXTBSCertList *certList,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTBSCertList_SetSignature
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertList_SetSignature
+(
+  NSSPKIXTBSCertList *certList,
+  NSSPKIXAlgorithmIdentifier *algid,
+);
+
+/*
+ * NSSPKIXTBSCertList_GetIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXName *
+NSSPKIXTBSCertList_GetIssuer
+(
+  NSSPKIXTBSCertList *certList,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTBSCertList_SetIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertList_SetIssuer
+(
+  NSSPKIXTBSCertList *certList,
+  NSSPKIXName *issuer
+);
+
+/*
+ * NSSPKIXTBSCertList_GetThisUpdate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  A valid NSSPKIXTime upon success
+ *  {we need to rethink NSSPKIXTime}
+ */
+
+NSS_EXTERN NSSPKIXTime
+NSSPKIXTBSCertList_GetThisUpdate
+(
+  NSSPKIXTBSCertList *certList
+);
+
+/*
+ * NSSPKIXTBSCertList_SetThisUpdate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_VALUE_TOO_LARGE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertList_SetThisUpdate
+(
+  NSSPKIXTBSCertList *certList,
+  NSSPKIXTime thisUpdate
+);
+
+/*
+ * NSSPKIXTBSCertList_HasNextUpdate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXTBSCertList_HasNextUpdate
+(
+  NSSPKIXTBSCertList *certList,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXTBSCertList_GetNextUpdate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  A valid NSSPKIXTime upon success
+ *  {we need to rethink NSSPKIXTime}
+ */
+
+NSS_EXTERN NSSPKIXTime
+NSSPKIXTBSCertList_GetNextUpdate
+(
+  NSSPKIXTBSCertList *certList
+);
+
+/*
+ * NSSPKIXTBSCertList_SetNextUpdate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_VALUE_TOO_SMALL
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertList_SetNextUpdate
+(
+  NSSPKIXTBSCertList *certList,
+  NSSPKIXTime nextUpdate
+);
+
+/*
+ * NSSPKIXTBSCertList_RemoveNextUpdate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_HAS_NO_NEXT_UPDATE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertList_RemoveNextUpdate
+(
+  NSSPKIXTBSCertList *certList
+);
+
+/*
+ * NSSPKIXTBSCertList_GetRevokedCertificates
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXrevokedCertificates upon succes
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXrevokedCertificates *
+NSSPKIXTBSCertList_GetRevokedCertificates
+(
+  NSSPKIXTBSCertList *certList,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTBSCertList_SetRevokedCertificates
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATES
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertList_SetRevokedCertificates
+(
+  NSSPKIXTBSCertList *certList,
+  NSSPKIXrevokedCertificates *revoked
+);
+
+/*
+ * NSSPKIXTBSCertList_HasCrlExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXTBSCertList_HasCrlExtensions
+(
+  NSSPKIXTBSCertList *certList,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXTBSCertList_GetCrlExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtensions upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensions *
+NSSPKIXTBSCertList_GetCrlExtensions
+(
+  NSSPKIXTBSCertList *certList,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTBSCertList_SetCrlExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_PKIX_EXTENSIONS
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertList_SetCrlExtensions
+(
+  NSSPKIXTBSCertList *certList,
+  NSSPKIXExtensions *extensions
+);
+
+/*
+ * NSSPKIXTBSCertList_RemoveCrlExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_HAS_NO_EXTENSIONS
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTBSCertList_RemoveCrlExtensions
+(
+  NSSPKIXTBSCertList *certList
+);
+
+/*
+ * NSSPKIXTBSCertList_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXTBSCertList_Equal
+(
+  NSSPKIXTBSCertList *one,
+  NSSPKIXTBSCertList *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXTBSCertList_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTBSCertList upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTBSCertList *
+NSSPKIXTBSCertList_Duplicate
+(
+  NSSPKIXTBSCertList *certList,
+  NSSArena *arenaOpt
+);
+
+/*
+ * revokedCertificates
+ *
+ * This is a "helper type" to simplify handling of TBSCertList objects.
+ *
+ *       revokedCertificates     SEQUENCE OF SEQUENCE  {
+ *            userCertificate         CertificateSerialNumber,
+ *            revocationDate          Time,
+ *            crlEntryExtensions      Extensions OPTIONAL
+ *                                           -- if present, shall be v2
+ *                                 }  OPTIONAL,
+ *
+ * The public calls for the type:
+ *
+ *  NSSPKIXrevokedCertificates_Decode
+ *  NSSPKIXrevokedCertificates_Create
+ *  NSSPKIXrevokedCertificates_Encode
+ *  NSSPKIXrevokedCertificates_Destroy
+ *  NSSPKIXrevokedCertificates_GetRevokedCertificateCount
+ *  NSSPKIXrevokedCertificates_GetRevokedCertificates
+ *  NSSPKIXrevokedCertificates_SetRevokedCertificates
+ *  NSSPKIXrevokedCertificates_GetRevokedCertificate
+ *  NSSPKIXrevokedCertificates_SetRevokedCertificate
+ *  NSSPKIXrevokedCertificates_InsertRevokedCertificate
+ *  NSSPKIXrevokedCertificates_AppendRevokedCertificate
+ *  NSSPKIXrevokedCertificates_RemoveRevokedCertificate
+ *  NSSPKIXrevokedCertificates_Equal
+ *  NSSPKIXrevokedCertificates_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXrevokedCertificates_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXrevokedCertificates upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXrevokedCertificates *
+NSSPKIXrevokedCertificates_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXrevokedCertificates_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXrevokedCertificates upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXrevokedCertificates *
+NSSPKIXrevokedCertificates_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXrevokedCertificate *rc1,
+  ...
+);
+
+/*
+ * NSSPKIXrevokedCertificates_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXrevokedCertificates_Destroy
+(
+  NSSPKIXrevokedCertificates *rcs
+);
+
+/*
+ * NSSPKIXrevokedCertificates_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXrevokedCertificates_Encode
+(
+  NSSPKIXrevokedCertificates *rcs,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXrevokedCertificates_GetRevokedCertificateCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXrevokedCertificates_GetRevokedCertificateCount
+(
+  NSSPKIXrevokedCertificates *rcs
+);
+
+/*
+ * NSSPKIXrevokedCertificates_GetRevokedCertificates
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXrevokedCertificate pointers
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXrevokedCertificate **
+NSSPKIXrevokedCertificates_GetRevokedCertificates
+(
+  NSSPKIXrevokedCertificates *rcs,
+  NSSPKIXrevokedCertificate *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXrevokedCertificates_SetRevokedCertificates
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXrevokedCertificates_SetRevokedCertificates
+(
+  NSSPKIXrevokedCertificates *rcs,
+  NSSPKIXrevokedCertificate *rc[],
+  PRInt32 countOpt
+);
+
+/*
+ * NSSPKIXrevokedCertificates_GetRevokedCertificate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXrevokedCertificate upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXrevokedCertificate *
+NSSPKIXrevokedCertificates_GetRevokedCertificate
+(
+  NSSPKIXrevokedCertificates *rcs,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXrevokedCertificates_SetRevokedCertificate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXrevokedCertificates_SetRevokedCertificate
+(
+  NSSPKIXrevokedCertificates *rcs,
+  PRInt32 i,
+  NSSPKIXrevokedCertificate *rc
+);
+
+/*
+ * NSSPKIXrevokedCertificates_InsertRevokedCertificate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXrevokedCertificates_InsertRevokedCertificate
+(
+  NSSPKIXrevokedCertificates *rcs,
+  PRInt32 i,
+  NSSPKIXrevokedCertificate *rc
+);
+
+/*
+ * NSSPKIXrevokedCertificates_AppendRevokedCertificate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXrevokedCertificates_AppendRevokedCertificate
+(
+  NSSPKIXrevokedCertificates *rcs,
+  PRInt32 i,
+  NSSPKIXrevokedCertificate *rc
+);
+
+/*
+ * NSSPKIXrevokedCertificates_RemoveRevokedCertificate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXrevokedCertificates_RemoveRevokedCertificate
+(
+  NSSPKIXrevokedCertificates *rcs,
+  PRInt32 i
+);
+
+/*
+ * NSSPKIXrevokedCertificates_FindRevokedCertificate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATE
+ *
+ * Return value:
+ *  The index of the specified revoked certificate upon success
+ *  -1 upon failure
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXrevokedCertificates_FindRevokedCertificate
+(
+  NSSPKIXrevokedCertificates *rcs,
+  NSSPKIXrevokedCertificate *rc
+);
+
+/*
+ * NSSPKIXrevokedCertificates_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXrevokedCertificates_Equal
+(
+  NSSPKIXrevokedCertificates *one,
+  NSSPKIXrevokedCertificates *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXrevokedCertificates_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXrevokedCertificates upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXrevokedCertificates *
+NSSPKIXrevokedCertificates_Duplicate
+(
+  NSSPKIXrevokedCertificates *rcs,
+  NSSArena *arenaOpt
+);
+
+/*
+ * revokedCertificate
+ *
+ * This is a "helper type" to simplify handling of TBSCertList objects.
+ *
+ *                                           SEQUENCE  {
+ *            userCertificate         CertificateSerialNumber,
+ *            revocationDate          Time,
+ *            crlEntryExtensions      Extensions OPTIONAL
+ *                                           -- if present, shall be v2
+ *                                 }  OPTIONAL,
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXrevokedCertificate_Decode
+ *  NSSPKIXrevokedCertificate_Create
+ *  NSSPKIXrevokedCertificate_Encode
+ *  NSSPKIXrevokedCertificate_Destroy
+ *  NSSPKIXrevokedCertificate_GetUserCertificate
+ *  NSSPKIXrevokedCertificate_SetUserCertificate
+ *  NSSPKIXrevokedCertificate_GetRevocationDate
+ *  NSSPKIXrevokedCertificate_SetRevocationDate
+ *  NSSPKIXrevokedCertificate_HasCrlEntryExtensions
+ *  NSSPKIXrevokedCertificate_GetCrlEntryExtensions
+ *  NSSPKIXrevokedCertificate_SetCrlEntryExtensions
+ *  NSSPKIXrevokedCertificate_RemoveCrlEntryExtensions
+ *  NSSPKIXrevokedCertificate_Equal
+ *  NSSPKIXrevokedCertificate_Duplicate
+ *
+ */
+
+
+/*
+ * NSSPKIXrevokedCertificate_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXrevokedCertificate upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXrevokedCertificate *
+NSSPKIXrevokedCertificate_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXrevokedCertificate_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_SERIAL_NUMBER
+ *  NSS_ERROR_INVALID_PKIX_TIME
+ *  NSS_ERROR_INVALID_PKIX_EXTENSIONS
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXrevokedCertificate upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXrevokedCertificate *
+NSSPKIXrevokedCertificate_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXCertificateSerialNumber *userCertificate,
+  NSSPKIXTime *revocationDate,
+  NSSPKIXExtensions *crlEntryExtensionsOpt
+);
+
+/*
+ * NSSPKIXrevokedCertificate_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXrevokedCertificate_Destroy
+(
+  NSSPKIXrevokedCertificate *rc
+);
+
+/*
+ * NSSPKIXrevokedCertificate_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXrevokedCertificate_Encode
+(
+  NSSPKIXrevokedCertificate *rc,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXrevokedCertificate_GetUserCertificate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificateSerialNumber upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificateSerialNumber *
+NSSPKIXrevokedCertificate_GetUserCertificate
+(
+  NSSPKIXrevokedCertificate *rc,
+  NSSArena *arenaOpt
+);  
+
+/*
+ * NSSPKIXrevokedCertificate_SetUserCertificate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_SERIAL_NUMBER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXrevokedCertificate_SetUserCertificate
+(
+  NSSPKIXrevokedCertificate *rc,
+  NSSPKIXCertificateSerialNumber *csn
+);
+
+/*
+ * NSSPKIXrevokedCertificate_GetRevocationDate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTime upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTime *
+NSSPKIXrevokedCertificate_GetRevocationDate
+(
+  NSSPKIXrevokedCertificate *rc,
+  NSSArena *arenaOpt
+);  
+
+/*
+ * NSSPKIXrevokedCertificate_SetRevocationDate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_TIME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXrevokedCertificate_SetRevocationDate
+(
+  NSSPKIXrevokedCertificate *rc,
+  NSSPKIXTime *revocationDate
+);
+
+/*
+ * NSSPKIXrevokedCertificate_HasCrlEntryExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXrevokedCertificate_HasCrlEntryExtensions
+(
+  NSSPKIXrevokedCertificate *rc,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXrevokedCertificate_GetCrlEntryExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_NO_EXTENSIONS
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtensions upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensions *
+NSSPKIXrevokedCertificate_GetCrlEntryExtensions
+(
+  NSSPKIXrevokedCertificate *rc,
+  NSSArena *arenaOpt
+);  
+
+/*
+ * NSSPKIXrevokedCertificate_SetCrlEntryExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_EXTENSIONS
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXrevokedCertificate_SetCrlEntryExtensions
+(
+  NSSPKIXrevokedCertificate *rc,
+  NSSPKIXExtensions *crlEntryExtensions
+);
+
+/*
+ * NSSPKIXrevokedCertificate_RemoveCrlEntryExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *  NSS_ERROR_NO_EXTENSIONS
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXrevokedCertificate_RemoveCrlEntryExtensions
+(
+  NSSPKIXrevokedCertificate *rc
+);
+
+/*
+ * NSSPKIXrevokedCertificate_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXrevokedCertificate_Equal
+(
+  NSSPKIXrevokedCertificate *one,
+  NSSPKIXrevokedCertificate *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXrevokedCertificate_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXrevokedCertificate upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXrevokedCertificate *
+NSSPKIXrevokedCertificate_Duplicate
+(
+  NSSPKIXrevokedCertificate *rc,
+  NSSArena *arenaOpt
+);
+
+/*
+ * AlgorithmIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ * (1988 syntax)
+ *
+ *  AlgorithmIdentifier  ::=  SEQUENCE  {
+ *       algorithm               OBJECT IDENTIFIER,
+ *       parameters              ANY DEFINED BY algorithm OPTIONAL  }
+ *                                  -- contains a value of the type
+ *                                  -- registered for use with the
+ *                                  -- algorithm object identifier value
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXAlgorithmIdentifier_Decode
+ *  NSSPKIXAlgorithmIdentifier_Create
+ *  NSSPKIXAlgorithmIdentifier_Encode
+ *  NSSPKIXAlgorithmIdentifier_Destroy
+ *  NSSPKIXAlgorithmIdentifier_GetAlgorithm
+ *  NSSPKIXAlgorithmIdentifier_SetAlgorithm
+ *  NSSPKIXAlgorithmIdentifier_GetParameters
+ *  NSSPKIXAlgorithmIdentifier_SetParameters
+ *  NSSPKIXAlgorithmIdentifier_Compare
+ *  NSSPKIXAlgorithmIdentifier_Duplicate
+ *    { algorithm-specific parameter types and accessors ? }
+ *
+ */
+
+/*
+ * NSSPKIXAlgorithmIdentifier_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAlgorithmIdentifier *
+NSSPKIXAlgorithmIdentifier_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXAlgorithmIdentifier_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAlgorithmIdentifier *
+NSSPKIXAlgorithmIdentifier_Create
+(
+  NSSArena *arenaOpt,
+  NSSOID *algorithm,
+  NSSItem *parameters
+);
+
+/*
+ * NSSPKIXAlgorithmIdentifier_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAlgorithmIdentifier_Destroy
+(
+  NSSPKIXAlgorithmIdentifier *algid
+);
+
+/*
+ * NSSPKIXAlgorithmIdentifier_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXAlgorithmIdentifier_Encode
+(
+  NSSPKIXAlgorithmIdentifier *algid,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXAlgorithmIdentifier_GetAlgorithm
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSOID pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSOID *
+NSSPKIXAlgorithmIdentifier_GetAlgorithm
+(
+  NSSPKIXAlgorithmIdentifier *algid
+);
+
+/*
+ * NSSPKIXAlgorithmIdentifier_SetAlgorithm
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_OID
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAlgorithmIdentifier_SetAlgorithm
+(
+  NSSPKIXAlgorithmIdentifier *algid,
+  NSSOID *algorithm
+);
+
+/*
+ * NSSPKIXAlgorithmIdentifier_GetParameters
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSItem *
+NSSPKIXAlgorithmIdentifier_GetParameters
+(
+  NSSPKIXAlgorithmIdentifier *algid,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXAlgorithmIdentifier_SetParameters
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAlgorithmIdentifier_SetParameters
+(
+  NSSPKIXAlgorithmIdentifier *algid,
+  NSSItem *parameters
+);
+
+/*
+ * NSSPKIXAlgorithmIdentifier_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXAlgorithmIdentifier_Equal
+(
+  NSSPKIXAlgorithmIdentifier *algid1,
+  NSSPKIXAlgorithmIdentifier *algid2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXAlgorithmIdentifier_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAlgorithmIdentifier *
+NSSPKIXAlgorithmIdentifier_Duplicate
+(
+  NSSPKIXAlgorithmIdentifier *algid,
+  NSSArena *arenaOpt
+);
+
+/*
+ *   { algorithm-specific parameter types and accessors ? }
+ */
+
+/*
+ * ORAddress
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ORAddress ::= SEQUENCE {
+ *     built-in-standard-attributes BuiltInStandardAttributes,
+ *     built-in-domain-defined-attributes
+ *                          BuiltInDomainDefinedAttributes OPTIONAL,
+ *     -- see also teletex-domain-defined-attributes
+ *     extension-attributes ExtensionAttributes OPTIONAL }
+ *  --      The OR-address is semantically absent from the OR-name if the
+ *  --      built-in-standard-attribute sequence is empty and the
+ *  --      built-in-domain-defined-attributes and extension-attributes are
+ *  --      both omitted.
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXORAddress_Decode
+ *  NSSPKIXORAddress_Create
+ *  NSSPKIXORAddress_Destroy
+ *  NSSPKIXORAddress_Encode
+ *  NSSPKIXORAddress_GetBuiltInStandardAttributes
+ *  NSSPKIXORAddress_SetBuiltInStandardAttributes
+ *  NSSPKIXORAddress_HasBuiltInDomainDefinedAttributes
+ *  NSSPKIXORAddress_GetBuiltInDomainDefinedAttributes
+ *  NSSPKIXORAddress_SetBuiltInDomainDefinedAttributes
+ *  NSSPKIXORAddress_RemoveBuiltInDomainDefinedAttributes
+ *  NSSPKIXORAddress_HasExtensionsAttributes
+ *  NSSPKIXORAddress_GetExtensionsAttributes
+ *  NSSPKIXORAddress_SetExtensionsAttributes
+ *  NSSPKIXORAddress_RemoveExtensionsAttributes
+ *  NSSPKIXORAddress_Equal
+ *  NSSPKIXORAddress_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXORAddress_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXORAddres upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXORAddress *
+NSSPKIXORAddress_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXORAddress_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_EXTENSIONS_ATTRIBUTES
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXORAddres upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXORAddress *
+NSSPKIXORAddress_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSPKIXBuiltInDomainDefinedAttributes *biddaOpt,
+  NSSPKIXExtensionAttributes *eaOpt
+);
+
+/*
+ * NSSPKIXORAddress_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXORAddress_Destroy
+(
+  NSSPKIXORAddress *ora
+);
+
+/*
+ * NSSPKIXORAddress_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXORAddress_Encode
+(
+  NSSPKIXORAddress *ora,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXORAddress_GetBuiltInStandardAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInStandardAttributes upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInStandardAttributes *
+NSSPKIXORAddress_GetBuiltInStandardAttributes
+(
+  NSSPKIXORAddress *ora,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXORAddress_SetBuiltInStandardAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXORAddress_SetBuiltInStandardAttributes
+(
+  NSSPKIXORAddress *ora,
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * NSSPKIXORAddress_HasBuiltInDomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXORAddress_HasBuiltInDomainDefinedAttributes
+(
+  NSSPKIXORAddress *ora,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXORAddress_GetBuiltInDomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_NO_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInDomainDefinedAttributes upon
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttributes *
+NSSPKIXORAddress_GetBuiltInDomainDefinedAttributes
+(
+  NSSPKIXORAddress *ora,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXORAddress_SetBuiltInDomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXORAddress_SetBuiltInDomainDefinedAttributes
+(
+  NSSPKIXORAddress *ora,
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * NSSPKIXORAddress_RemoveBuiltInDomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *  NSS_ERROR_NO_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXORAddress_RemoveBuiltInDomainDefinedAttributes
+(
+  NSSPKIXORAddress *ora
+);
+
+/*
+ * NSSPKIXORAddress_HasExtensionsAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXORAddress_HasExtensionsAttributes
+(
+  NSSPKIXORAddress *ora,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXORAddress_GetExtensionsAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_NO_EXTENSION_ATTRIBUTES
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtensionAttributes upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensionAttributes *
+NSSPKIXORAddress_GetExtensionsAttributes
+(
+  NSSPKIXORAddress *ora,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXORAddress_SetExtensionsAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXORAddress_SetExtensionsAttributes
+(
+  NSSPKIXORAddress *ora,
+  NSSPKIXExtensionAttributes *eaOpt
+);
+
+/*
+ * NSSPKIXORAddress_RemoveExtensionsAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *  NSS_ERROR_NO_EXTENSION_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXORAddress_RemoveExtensionsAttributes
+(
+  NSSPKIXORAddress *ora
+);
+
+/*
+ * NSSPKIXORAddress_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXORAddress_Equal
+(
+  NSSPKIXORAddress *ora1,
+  NSSPKIXORAddress *ora2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXORAddress_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXORAddres upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXORAddress *
+NSSPKIXORAddress_Duplicate
+(
+  NSSPKIXORAddress *ora,
+  NSSArena *arenaOpt
+);
+
+/*
+ * BuiltInStandardAttributes
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  BuiltInStandardAttributes ::= SEQUENCE {
+ *     country-name CountryName OPTIONAL,
+ *     administration-domain-name AdministrationDomainName OPTIONAL,
+ *     network-address      [0] NetworkAddress OPTIONAL,
+ *     -- see also extended-network-address
+ *     terminal-identifier  [1] TerminalIdentifier OPTIONAL,
+ *     private-domain-name  [2] PrivateDomainName OPTIONAL,
+ *     organization-name    [3] OrganizationName OPTIONAL,
+ *     -- see also teletex-organization-name
+ *     numeric-user-identifier      [4] NumericUserIdentifier OPTIONAL,
+ *     personal-name        [5] PersonalName OPTIONAL,
+ *     -- see also teletex-personal-name
+ *     organizational-unit-names    [6] OrganizationalUnitNames OPTIONAL
+ *     -- see also teletex-organizational-unit-names -- }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXBuiltInStandardAttributes_Decode
+ *  NSSPKIXBuiltInStandardAttributes_Create
+ *  NSSPKIXBuiltInStandardAttributes_Destroy
+ *  NSSPKIXBuiltInStandardAttributes_Encode
+ *  NSSPKIXBuiltInStandardAttributes_HasCountryName
+ *  NSSPKIXBuiltInStandardAttributes_GetCountryName
+ *  NSSPKIXBuiltInStandardAttributes_SetCountryName
+ *  NSSPKIXBuiltInStandardAttributes_RemoveCountryName
+ *  NSSPKIXBuiltInStandardAttributes_HasAdministrationDomainName
+ *  NSSPKIXBuiltInStandardAttributes_GetAdministrationDomainName
+ *  NSSPKIXBuiltInStandardAttributes_SetAdministrationDomainName
+ *  NSSPKIXBuiltInStandardAttributes_RemoveAdministrationDomainName
+ *  NSSPKIXBuiltInStandardAttributes_HasNetworkAddress
+ *  NSSPKIXBuiltInStandardAttributes_GetNetworkAddress
+ *  NSSPKIXBuiltInStandardAttributes_SetNetworkAddress
+ *  NSSPKIXBuiltInStandardAttributes_RemoveNetworkAddress
+ *  NSSPKIXBuiltInStandardAttributes_HasTerminalIdentifier
+ *  NSSPKIXBuiltInStandardAttributes_GetTerminalIdentifier
+ *  NSSPKIXBuiltInStandardAttributes_SetTerminalIdentifier
+ *  NSSPKIXBuiltInStandardAttributes_RemoveTerminalIdentifier
+ *  NSSPKIXBuiltInStandardAttributes_HasPrivateDomainName
+ *  NSSPKIXBuiltInStandardAttributes_GetPrivateDomainName
+ *  NSSPKIXBuiltInStandardAttributes_SetPrivateDomainName
+ *  NSSPKIXBuiltInStandardAttributes_RemovePrivateDomainName
+ *  NSSPKIXBuiltInStandardAttributes_HasOrganizationName
+ *  NSSPKIXBuiltInStandardAttributes_GetOrganizationName
+ *  NSSPKIXBuiltInStandardAttributes_SetOrganizationName
+ *  NSSPKIXBuiltInStandardAttributes_RemoveOrganizationName
+ *  NSSPKIXBuiltInStandardAttributes_HasNumericUserIdentifier
+ *  NSSPKIXBuiltInStandardAttributes_GetNumericUserIdentifier
+ *  NSSPKIXBuiltInStandardAttributes_SetNumericUserIdentifier
+ *  NSSPKIXBuiltInStandardAttributes_RemoveNumericUserIdentifier
+ *  NSSPKIXBuiltInStandardAttributes_HasPersonalName
+ *  NSSPKIXBuiltInStandardAttributes_GetPersonalName
+ *  NSSPKIXBuiltInStandardAttributes_SetPersonalName
+ *  NSSPKIXBuiltInStandardAttributes_RemovePersonalName
+ *  NSSPKIXBuiltInStandardAttributes_HasOrganizationLUnitNames
+ *  NSSPKIXBuiltInStandardAttributes_GetOrganizationLUnitNames
+ *  NSSPKIXBuiltInStandardAttributes_SetOrganizationLUnitNames
+ *  NSSPKIXBuiltInStandardAttributes_RemoveOrganizationLUnitNames
+ *  NSSPKIXBuiltInStandardAttributes_Equal
+ *  NSSPKIXBuiltInStandardAttributes_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInStandardAttributes upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInStandardAttributes *
+NSSPKIXBuiltInStandardAttributes_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_COUNTRY_NAME
+ *  NSS_ERROR_INVALID_PKIX_ADMINISTRATION_DOMAIN_NAME
+ *  NSS_ERROR_INVALID_PKIX_NETWORK_ADDRESS
+ *  NSS_ERROR_INVALID_PKIX_TERMINAL_IDENTIFIER
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_DOMAIN_NAME
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATION_NAME
+ *  NSS_ERROR_INVALID_PKIX_NUMERIC_USER_IDENTIFIER
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInStandardAttributes upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInStandardAttributes *
+NSSPKIXBuiltInStandardAttributes_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXCountryName *countryNameOpt,
+  NSSPKIXAdministrationDomainName *administrationDomainNameOpt,
+  NSSPKIXNetworkAddress *networkAddressOpt,
+  NSSPKIXTerminalIdentifier *terminalIdentifierOpt,
+  NSSPKIXPrivateDomainName *privateDomainNameOpt,
+  NSSPKIXOrganizationName *organizationNameOpt,
+  NSSPKIXNumericUserIdentifier *numericUserIdentifierOpt,
+  NSSPKIXPersonalName *personalNameOpt,
+  NSSPKIXOrganizationalUnitNames *organizationalUnitNamesOpt
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInStandardAttributes_Destroy
+(
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXBuiltInStandardAttributes_Encode
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_HasCountryName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXBuiltInStandardAttributes_HasCountryName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_GetCountryName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCountryName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCountryName *
+NSSPKIXBuiltInStandardAttributes_GetCountryName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_SetCountryName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_COUNTRY_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInStandardAttributes_SetCountryName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSPKIXCountryName *countryName
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_RemoveCountryName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_COUNTRY_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInStandardAttributes_RemoveCountryName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_HasAdministrationDomainName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXBuiltInStandardAttributes_HasAdministrationDomainName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_GetAdministrationDomainName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAdministrationDomainName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAdministrationDomainName *
+NSSPKIXBuiltInStandardAttributes_GetAdministrationDomainName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_SetAdministrationDomainName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_ADMINISTRATION_DOMAIN_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInStandardAttributes_SetAdministrationDomainName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSPKIXAdministrationDomainName *administrationDomainName
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_RemoveAdministrationDomainName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_ADMINISTRATION_DOMAIN_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInStandardAttributes_RemoveAdministrationDomainName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_HasNetworkAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXBuiltInStandardAttributes_HasNetworkAddress
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_GetNetworkAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXNetworkAddress upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNetworkAddress *
+NSSPKIXBuiltInStandardAttributes_GetNetworkAddress
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_SetNetworkAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_NETWORK_ADDRESS
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInStandardAttributes_SetNetworkAddress
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSPKIXNetworkAddress *networkAddress
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_RemoveNetworkAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_NETWORK_ADDRESS
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInStandardAttributes_RemoveNetworkAddress
+(
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_HasTerminalIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXBuiltInStandardAttributes_HasTerminalIdentifier
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_GetTerminalIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTerminalIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTerminalIdentifier *
+NSSPKIXBuiltInStandardAttributes_GetTerminalIdentifier
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_SetTerminalIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_TERMINAL_IDENTIFIER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInStandardAttributes_SetTerminalIdentifier
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSPKIXTerminalIdentifier *terminalIdentifier
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_RemoveTerminalIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_TERMINAL_IDENTIFIER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInStandardAttributes_RemoveTerminalIdentifier
+(
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_HasPrivateDomainName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXBuiltInStandardAttributes_HasPrivateDomainName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_GetPrivateDomainName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPrivateDomainName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPrivateDomainName *
+NSSPKIXBuiltInStandardAttributes_GetPrivateDomainName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_SetPrivateDomainName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_DOMAIN_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInStandardAttributes_SetPrivateDomainName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSPKIXPrivateDomainName *privateDomainName
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_RemovePrivateDomainName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_PRIVATE_DOMAIN_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInStandardAttributes_RemovePrivateDomainName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_HasOrganizationName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXBuiltInStandardAttributes_HasOrganizationName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_GetOrganizationName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXOrganizationName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXOrganizationName *
+NSSPKIXBuiltInStandardAttributes_GetOrganizationName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_SetOrganizationName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATION_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInStandardAttributes_SetOrganizationName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSPKIXOrganizationName *organizationName
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_RemoveOrganizationName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_ORGANIZATION_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInStandardAttributes_RemoveOrganizationName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_HasNumericUserIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXBuiltInStandardAttributes_HasNumericUserIdentifier
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_GetNumericUserIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXNumericUserIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNumericUserIdentifier *
+NSSPKIXBuiltInStandardAttributes_GetNumericUserIdentifier
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_SetNumericUserIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_NUMERIC_USER_IDENTIFIER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInStandardAttributes_SetNumericUserIdentifier
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSPKIXNumericUserIdentifier *numericUserIdentifier
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_RemoveNumericUserIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_NUMERIC_USER_IDENTIFIER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInStandardAttributes_RemoveNumericUserIdentifier
+(
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_HasPersonalName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXBuiltInStandardAttributes_HasPersonalName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_GetPersonalName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPersonalName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPersonalName *
+NSSPKIXBuiltInStandardAttributes_GetPersonalName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_SetPersonalName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInStandardAttributes_SetPersonalName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSPKIXPersonalName *personalName
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_RemovePersonalName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInStandardAttributes_RemovePersonalName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_HasOrganizationLUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXBuiltInStandardAttributes_HasOrganizationLUnitNames
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_GetOrganizationLUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXOrganizationalUnitNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXOrganizationalUnitNames *
+NSSPKIXBuiltInStandardAttributes_GetOrganizationLUnitNames
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_SetOrganizationLUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInStandardAttributes_SetOrganizationLUnitNames
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSPKIXOrganizationalUnitNames *organizationalUnitNames
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_RemoveOrganizationLUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_ORGANIZATIONAL_UNIT_NAMES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInStandardAttributes_RemoveOrganizationLUnitNames
+(
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXBuiltInStandardAttributes_Equal
+(
+  NSSPKIXBuiltInStandardAttributes *bisa1,
+  NSSPKIXBuiltInStandardAttributes *bisa2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXBuiltInStandardAttributes_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInStandardAttributes upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInStandardAttributes *
+NSSPKIXBuiltInStandardAttributes_Duplicate
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSArena *arenaOpt
+);
+
+/*
+ * CountryName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CountryName ::= [APPLICATION 1] CHOICE {
+ *     x121-dcc-code NumericString
+ *                  (SIZE (ub-country-name-numeric-length)),
+ *     iso-3166-alpha2-code PrintableString
+ *                  (SIZE (ub-country-name-alpha-length)) }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXCountryName_Decode
+ *  NSSPKIXCountryName_CreateFromUTF8
+ *  NSSPKIXCountryName_Encode
+ *
+ */
+
+/*
+ * NSSPKIXCountryName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCountryName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCountryName *
+NSSPKIXCountryName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXCountryName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCountryName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCountryName *
+NSSPKIXCountryName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXCountryName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_COUNTRY_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXCountryName_Encode
+(
+  NSSPKIXCountryName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * AdministrationDomainName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  AdministrationDomainName ::= [APPLICATION 2] CHOICE {
+ *     numeric NumericString (SIZE (0..ub-domain-name-length)),
+ *     printable PrintableString (SIZE (0..ub-domain-name-length)) }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXAdministrationDomainName_Decode
+ *  NSSPKIXAdministrationDomainName_CreateFromUTF8
+ *  NSSPKIXAdministrationDomainName_Encode
+ *
+ */
+
+/*
+ * NSSPKIXAdministrationDomainName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAdministrationDomainName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAdministrationDomainName *
+NSSPKIXAdministrationDomainName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXAdministrationDomainName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAdministrationDomainName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAdministrationDomainName *
+NSSPKIXAdministrationDomainName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXAdministrationDomainName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ADMINISTRATION_DOMAIN_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXAdministrationDomainName_Encode
+(
+  NSSPKIXAdministrationDomainName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * X121Address
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X121Address ::= NumericString (SIZE (1..ub-x121-address-length))
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXX121Address_Decode
+ *  NSSPKIXX121Address_CreateFromUTF8
+ *  NSSPKIXX121Address_Encode
+ *
+ */
+
+/*
+ * NSSPKIXX121Address_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX121Address upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX121Address *
+NSSPKIXX121Address_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXX121Address_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX121Address upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX121Address *
+NSSPKIXX121Address_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXX121Address_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_X121_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXX121Address_Encode
+(
+  NSSPKIXX121Address *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NetworkAddress
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  NetworkAddress ::= X121Address  -- see also extended-network-address
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXNetworkAddress_Decode
+ *  NSSPKIXNetworkAddress_CreateFromUTF8
+ *  NSSPKIXNetworkAddress_Encode
+ *
+ */
+
+/*
+ * NSSPKIXNetworkAddress_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXNetworkAddress upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNetworkAddress *
+NSSPKIXNetworkAddress_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXNetworkAddress_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXNetworkAddress upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNetworkAddress *
+NSSPKIXNetworkAddress_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXNetworkAddress_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NETWORK_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXNetworkAddress_Encode
+(
+  NSSPKIXNetworkAddress *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * TerminalIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TerminalIdentifier ::= PrintableString (SIZE (1..ub-terminal-id-length))
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXTerminalIdentifier_Decode
+ *  NSSPKIXTerminalIdentifier_CreateFromUTF8
+ *  NSSPKIXTerminalIdentifier_Encode
+ *
+ */
+
+/*
+ * NSSPKIXTerminalIdentifier_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXTerminalIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTerminalIdentifier *
+NSSPKIXTerminalIdentifier_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXTerminalIdentifier_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXTerminalIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTerminalIdentifier *
+NSSPKIXTerminalIdentifier_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXTerminalIdentifier_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TERMINAL_IDENTIFIER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXTerminalIdentifier_Encode
+(
+  NSSPKIXTerminalIdentifier *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * PrivateDomainName
+ *
+ * -- fgmr comments -- 
+ *
+ *  PrivateDomainName ::= CHOICE {
+ *     numeric NumericString (SIZE (1..ub-domain-name-length)),
+ *     printable PrintableString (SIZE (1..ub-domain-name-length)) }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXPrivateDomainName_Decode
+ *  NSSPKIXPrivateDomainName_CreateFromUTF8
+ *  NSSPKIXPrivateDomainName_Encode
+ *
+ */
+
+/*
+ * NSSPKIXPrivateDomainName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPrivateDomainName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPrivateDomainName *
+NSSPKIXPrivateDomainName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXPrivateDomainName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPrivateDomainName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPrivateDomainName *
+NSSPKIXPrivateDomainName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXPrivateDomainName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_DOMAIN_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXPrivateDomainName_Encode
+(
+  NSSPKIXPrivateDomainName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * OrganizationName
+ *
+ * -- fgmr comments --
+ *
+ *  OrganizationName ::= PrintableString
+ *                              (SIZE (1..ub-organization-name-length))
+ * 
+ * The public calls for this type:
+ *
+ *  NSSPKIXOrganizationName_Decode
+ *  NSSPKIXOrganizationName_CreateFromUTF8
+ *  NSSPKIXOrganizationName_Encode
+ *
+ */
+
+/*
+ * NSSPKIXOrganizationName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXOrganizationName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXOrganizationName *
+NSSPKIXOrganizationName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXOrganizationName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXOrganizationName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXOrganizationName *
+NSSPKIXOrganizationName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXOrganizationName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATION_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXOrganizationName_Encode
+(
+  NSSPKIXOrganizationName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NumericUserIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  NumericUserIdentifier ::= NumericString
+ *                              (SIZE (1..ub-numeric-user-id-length))
+ * 
+ * The public calls for this type:
+ *
+ *  NSSPKIXNumericUserIdentifier_Decode
+ *  NSSPKIXNumericUserIdentifier_CreateFromUTF8
+ *  NSSPKIXNumericUserIdentifier_Encode
+ *
+ */
+
+/*
+ * NSSPKIXNumericUserIdentifier_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXNumericUserIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNumericUserIdentifier *
+NSSPKIXNumericUserIdentifier_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXNumericUserIdentifier_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXNumericUserIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNumericUserIdentifier *
+NSSPKIXNumericUserIdentifier_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXNumericUserIdentifier_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NUMERIC_USER_IDENTIFIER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXNumericUserIdentifier_Encode
+(
+  NSSPKIXNumericUserIdentifier *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * PersonalName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PersonalName ::= SET {
+ *     surname [0] PrintableString (SIZE (1..ub-surname-length)),
+ *     given-name [1] PrintableString
+ *                          (SIZE (1..ub-given-name-length)) OPTIONAL,
+ *     initials [2] PrintableString (SIZE (1..ub-initials-length)) OPTIONAL,
+ *     generation-qualifier [3] PrintableString
+ *                  (SIZE (1..ub-generation-qualifier-length)) OPTIONAL }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXPersonalName_Decode
+ *  NSSPKIXPersonalName_Create
+ *  NSSPKIXPersonalName_Destroy
+ *  NSSPKIXPersonalName_Encode
+ *  NSSPKIXPersonalName_GetSurname
+ *  NSSPKIXPersonalName_SetSurname
+ *  NSSPKIXPersonalName_HasGivenName
+ *  NSSPKIXPersonalName_GetGivenName
+ *  NSSPKIXPersonalName_SetGivenName
+ *  NSSPKIXPersonalName_RemoveGivenName
+ *  NSSPKIXPersonalName_HasInitials
+ *  NSSPKIXPersonalName_GetInitials
+ *  NSSPKIXPersonalName_SetInitials
+ *  NSSPKIXPersonalName_RemoveInitials
+ *  NSSPKIXPersonalName_HasGenerationQualifier
+ *  NSSPKIXPersonalName_GetGenerationQualifier
+ *  NSSPKIXPersonalName_SetGenerationQualifier
+ *  NSSPKIXPersonalName_RemoveGenerationQualifier
+ *  NSSPKIXPersonalName_Equal
+ *  NSSPKIXPersonalName_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXPersonalName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPersonalName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPersonalName *
+NSSPKIXPersonalName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXPersonalName_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPersonalName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPersonalName *
+NSSPKIXPersonalName_Create
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *surname,
+  NSSUTF8 *givenNameOpt,
+  NSSUTF8 *initialsOpt,
+  NSSUTF8 *generationQualifierOpt
+);
+
+/*
+ * NSSPKIXPersonalName_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPersonalName_Destroy
+(
+  NSSPKIXPersonalName *personalName
+);
+
+/*
+ * NSSPKIXPersonalName_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXPersonalName_Encode
+(
+  NSSPKIXPersonalName *personalName,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPersonalName_GetSurname
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXPersonalName_GetSurname
+(
+  NSSPKIXPersonalName *personalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPersonalName_SetSurname
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPersonalName_SetSurname
+(
+  NSSPKIXPersonalName *personalName,
+  NSSUTF8 *surname
+);
+
+/*
+ * NSSPKIXPersonalName_HasGivenName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXPersonalName_HasGivenName
+(
+  NSSPKIXPersonalName *personalName,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXPersonalName_GetGivenName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_HAS_NO_GIVEN_NAME
+ *
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXPersonalName_GetGivenName
+(
+  NSSPKIXPersonalName *personalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPersonalName_SetGivenName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPersonalName_SetGivenName
+(
+  NSSPKIXPersonalName *personalName,
+  NSSUTF8 *givenName
+);
+
+/*
+ * NSSPKIXPersonalName_RemoveGivenName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *  NSS_ERROR_HAS_NO_GIVEN_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPersonalName_RemoveGivenName
+(
+  NSSPKIXPersonalName *personalName
+);
+
+/*
+ * NSSPKIXPersonalName_HasInitials
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXPersonalName_HasInitials
+(
+  NSSPKIXPersonalName *personalName,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXPersonalName_GetInitials
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXPersonalName_GetInitials
+(
+  NSSPKIXPersonalName *personalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPersonalName_SetInitials
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPersonalName_SetInitials
+(
+  NSSPKIXPersonalName *personalName,
+  NSSUTF8 *initials
+);
+
+/*
+ * NSSPKIXPersonalName_RemoveInitials
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPersonalName_RemoveInitials
+(
+  NSSPKIXPersonalName *personalName
+);
+
+/*
+ * NSSPKIXPersonalName_HasGenerationQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXPersonalName_HasGenerationQualifier
+(
+  NSSPKIXPersonalName *personalName,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXPersonalName_GetGenerationQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXPersonalName_GetGenerationQualifier
+(
+  NSSPKIXPersonalName *personalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPersonalName_SetGenerationQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPersonalName_SetGenerationQualifier
+(
+  NSSPKIXPersonalName *personalName,
+  NSSUTF8 *generationQualifier
+);
+
+/*
+ * NSSPKIXPersonalName_RemoveGenerationQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPersonalName_RemoveGenerationQualifier
+(
+  NSSPKIXPersonalName *personalName
+);
+
+/*
+ * NSSPKIXPersonalName_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXPersonalName_Equal
+(
+  NSSPKIXPersonalName *personalName1,
+  NSSPKIXPersonalName *personalName2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXPersonalName_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPersonalName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPersonalName *
+NSSPKIXPersonalName_Duplicate
+(
+  NSSPKIXPersonalName *personalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * OrganizationalUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
+ *                                          OF OrganizationalUnitName
+ * 
+ * The public calls for the type:
+ *
+ *  NSSPKIXOrganizationalUnitNames_Decode
+ *  NSSPKIXOrganizationalUnitNames_Create
+ *  NSSPKIXOrganizationalUnitNames_Destroy
+ *  NSSPKIXOrganizationalUnitNames_Encode
+ *  NSSPKIXOrganizationalUnitNames_GetOrganizationalUnitNameCount
+ *  NSSPKIXOrganizationalUnitNames_GetOrganizationalUnitNames
+ *  NSSPKIXOrganizationalUnitNames_SetOrganizationalUnitNames
+ *  NSSPKIXOrganizationalUnitNames_GetOrganizationalUnitName
+ *  NSSPKIXOrganizationalUnitNames_SetOrganizationalUnitName
+ *  NSSPKIXOrganizationalUnitNames_InsertOrganizationalUnitName
+ *  NSSPKIXOrganizationalUnitNames_AppendOrganizationalUnitName
+ *  NSSPKIXOrganizationalUnitNames_RemoveOrganizationalUnitName
+ *  NSSPKIXOrganizationalUnitNames_FindOrganizationalUnitName
+ *  NSSPKIXOrganizationalUnitNames_Equal
+ *  NSSPKIXOrganizationalUnitNames_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXOrganizationalUnitNames_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXOrganizationalUnitNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXOrganizationalUnitNames *
+NSSPKIXOrganizationalUnitNames_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXOrganizationalUnitNames_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXOrganizationalUnitNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXOrganizationalUnitNames *
+NSSPKIXOrganizationalUnitNames_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXOrganizationalUnitName *ou1,
+  ...
+);
+
+/*
+ * NSSPKIXOrganizationalUnitNames_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXOrganizationalUnitNames_Destroy
+(
+  NSSPKIXOrganizationalUnitNames *ous
+);
+
+/*
+ * NSSPKIXOrganizationalUnitNames_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXOrganizationalUnitNames_Encode
+(
+  NSSPKIXOrganizationalUnitNames *ous,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXOrganizationalUnitNames_GetOrganizationalUnitNameCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXOrganizationalUnitNames_GetOrganizationalUnitNameCount
+(
+  NSSPKIXOrganizationalUnitNames *ous
+);
+
+/*
+ * NSSPKIXOrganizationalUnitNames_GetOrganizationalUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXOrganizationalUnitName
+ *      pointers upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXOrganizationalUnitName **
+NSSPKIXOrganizationalUnitNames_GetOrganizationalUnitNames
+(
+  NSSPKIXOrganizationalUnitNames *ous,
+  NSSPKIXOrganizationalUnitName *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXOrganizationalUnitNames_SetOrganizationalUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXOrganizationalUnitNames_SetOrganizationalUnitNames
+(
+  NSSPKIXOrganizationalUnitNames *ous,
+  NSSPKIXOrganizationalUnitName *ou[],
+  PRInt32 count
+);
+
+/*
+ * NSSPKIXOrganizationalUnitNames_GetOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXOrganizationalUnitName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXOrganizationalUnitName *
+NSSPKIXOrganizationalUnitNames_GetOrganizationalUnitName
+(
+  NSSPKIXOrganizationalUnitNames *ous,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXOrganizationalUnitNames_SetOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXOrganizationalUnitNames_SetOrganizationalUnitName
+(
+  NSSPKIXOrganizationalUnitNames *ous,
+  PRInt32 i,
+  NSSPKIXOrganizationalUnitName *ou
+);
+
+/*
+ * NSSPKIXOrganizationalUnitNames_InsertOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXOrganizationalUnitNames_InsertOrganizationalUnitName
+(
+  NSSPKIXOrganizationalUnitNames *ous,
+  PRInt32 i,
+  NSSPKIXOrganizationalUnitName *ou
+);
+
+/*
+ * NSSPKIXOrganizationalUnitNames_AppendOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXOrganizationalUnitNames_AppendOrganizationalUnitName
+(
+  NSSPKIXOrganizationalUnitNames *ous,
+  NSSPKIXOrganizationalUnitName *ou
+);
+
+/*
+ * NSSPKIXOrganizationalUnitNames_RemoveOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXOrganizationalUnitNames_RemoveOrganizationalUnitName
+(
+  NSSPKIXOrganizationalUnitNames *ous,
+  PRInt32 i
+);
+
+/*
+ * NSSPKIXOrganizationalUnitNames_FindOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
+ *
+ * Return value:
+ *  The index of the specified revoked certificate upon success
+ *  -1 upon failure
+ */
+
+NSS_EXTERN PRIntn
+NSSPKIXOrganizationalUnitNames_FindOrganizationalUnitName
+(
+  NSSPKIXOrganizationalUnitNames *ous,
+  NSSPKIXOrganizationalUnitName *ou
+);
+
+/*
+ * NSSPKIXOrganizationalUnitNames_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXOrganizationalUnitNames_Equal
+(
+  NSSPKIXOrganizationalUnitNames *ous1,
+  NSSPKIXOrganizationalUnitNames *ous2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXOrganizationalUnitNames_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXOrganizationalUnitNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXOrganizationalUnitNames *
+NSSPKIXOrganizationalUnitNames_Duplicate
+(
+  NSSPKIXOrganizationalUnitNames *ous,
+  NSSArena *arenaOpt
+);
+
+/*
+ * OrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  OrganizationalUnitName ::= PrintableString (SIZE
+ *                          (1..ub-organizational-unit-name-length))
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXOrganizationalUnitName_Decode
+ *  NSSPKIXOrganizationalUnitName_CreateFromUTF8
+ *  NSSPKIXOrganizationalUnitName_Encode
+ *
+ */
+
+/*
+ * NSSPKIXOrganizationalUnitName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXOrganizationalUnitName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXOrganizationalUnitName *
+NSSPKIXOrganizationalUnitName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXOrganizationalUnitName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXOrganizationalUnitName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXOrganizationalUnitName *
+NSSPKIXOrganizationalUnitName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXOrganizationalUnitName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXOrganizationalUnitName_Encode
+(
+  NSSPKIXOrganizationalUnitName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * BuiltInDomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
+ *                                  (1..ub-domain-defined-attributes) OF
+ *                                  BuiltInDomainDefinedAttribute
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXBuiltInDomainDefinedAttributes_Decode
+ *  NSSPKIXBuiltInDomainDefinedAttributes_Create
+ *  NSSPKIXBuiltInDomainDefinedAttributes_Destroy
+ *  NSSPKIXBuiltInDomainDefinedAttributes_Encode
+ *  NSSPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributeCount
+ *  NSSPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributes
+ *  NSSPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttributes
+ *  NSSPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttribute
+ *  NSSPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttribute
+ *  NSSPKIXBuiltInDomainDefinedAttributes_InsertBuiltIndomainDefinedAttribute
+ *  NSSPKIXBuiltInDomainDefinedAttributes_AppendBuiltIndomainDefinedAttribute
+ *  NSSPKIXBuiltInDomainDefinedAttributes_RemoveBuiltIndomainDefinedAttribute
+ *  NSSPKIXBuiltInDomainDefinedAttributes_Equal
+ *  NSSPKIXBuiltInDomainDefinedAttributes_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttributes_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInDomainDefinedAttributes
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttributes *
+NSSPKIXBuiltInDomainDefinedAttributes_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttributes_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInDomainDefinedAttributes
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttributes *
+NSSPKIXBuiltInDomainDefinedAttributes_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda1,
+  ...
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttributes_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInDomainDefinedAttributes_Destroy
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttributes_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXBuiltInDomainDefinedAttributes_Encode
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributeCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributeCount
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ * 
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXBuiltInDomainDefinedAttribute
+ *      pointers upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttribute **
+NSSPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributes
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas,
+  NSSPKIXBuiltInDomainDefinedAttribut *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttributes
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas,
+  NSSPKIXBuiltInDomainDefinedAttribut *bidda[],
+  PRInt32 count
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInDomainDefinedAttribute
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttribute *
+NSSPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttribute
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttribute
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas,
+  PRInt32 i,
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttributes_InsertBuiltIndomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInDomainDefinedAttributes_InsertBuiltIndomainDefinedAttribute
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas,
+  PRInt32 i,
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttributes_AppendBuiltIndomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInDomainDefinedAttributes_AppendBuiltIndomainDefinedAttribute
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas,
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttributes_RemoveBuiltIndomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInDomainDefinedAttributes_RemoveBuiltIndomainDefinedAttribute
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas,
+  PRInt32 i
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttributes_FindBuiltIndomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ * 
+ * Return value:
+ *  The index of the specified revoked certificate upon success
+ *  -1 upon failure
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXBuiltInDomainDefinedAttributes_FindBuiltIndomainDefinedAttribute
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas,
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttributes_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXBuiltInDomainDefinedAttributes_Equal
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas1,
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttributes_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInDomainDefinedAttributes
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttributes *
+NSSPKIXBuiltInDomainDefinedAttributes_Duplicate
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas,
+  NSSArena *arenaOpt
+);
+
+/*
+ * BuiltInDomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  BuiltInDomainDefinedAttribute ::= SEQUENCE {
+ *     type PrintableString (SIZE
+ *                          (1..ub-domain-defined-attribute-type-length)),
+ *     value PrintableString (SIZE
+ *                          (1..ub-domain-defined-attribute-value-length))}
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXBuiltInDomainDefinedAttribute_Decode
+ *  NSSPKIXBuiltInDomainDefinedAttribute_Create
+ *  NSSPKIXBuiltInDomainDefinedAttribute_Destroy
+ *  NSSPKIXBuiltInDomainDefinedAttribute_Encode
+ *  NSSPKIXBuiltInDomainDefinedAttribute_GetType
+ *  NSSPKIXBuiltInDomainDefinedAttribute_SetType
+ *  NSSPKIXBuiltInDomainDefinedAttribute_GetValue
+ *  NSSPKIXBuiltInDomainDefinedAttribute_SetValue
+ *  NSSPKIXBuiltInDomainDefinedAttribute_Equal
+ *  NSSPKIXBuiltInDomainDefinedAttribute_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttribute_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInDomainDefinedAttribute
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttribute *
+NSSPKIXBuiltInDomainDefinedAttribute_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttribute_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInDomainDefinedAttribute
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttribute *
+NSSPKIXBuiltInDomainDefinedAttribute_Create
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *type,
+  NSSUTF8 *value
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttribute_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInDomainDefinedAttribute_Destroy
+(
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttribute_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXBuiltInDomainDefinedAttribute_Encode
+(
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttribute_GetType
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXBuiltInDomainDefinedAttribute_GetType
+(
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttribute_SetType
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInDomainDefinedAttribute_SetType
+(
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda,
+  NSSUTF8 *type
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttribute_GetValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXBuiltInDomainDefinedAttribute_GetValue
+(
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttribute_SetValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBuiltInDomainDefinedAttribute_SetValue
+(
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda,
+  NSSUTF8 *value
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttribute_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXBuiltInDomainDefinedAttribute_Equal
+(
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda1,
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXBuiltInDomainDefinedAttribute_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInDomainDefinedAttribute
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttribute *
+NSSPKIXBuiltInDomainDefinedAttribute_Duplicate
+(
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda,
+  NSSArena *arenaOpt
+);
+
+/*
+ * ExtensionAttributes
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
+ *                          ExtensionAttribute
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXExtensionAttributes_Decode
+ *  NSSPKIXExtensionAttributes_Create
+ *  NSSPKIXExtensionAttributes_Destroy
+ *  NSSPKIXExtensionAttributes_Encode
+ *  NSSPKIXExtensionAttributes_GetExtensionAttributeCount
+ *  NSSPKIXExtensionAttributes_GetExtensionAttributes
+ *  NSSPKIXExtensionAttributes_SetExtensionAttributes
+ *  NSSPKIXExtensionAttributes_GetExtensionAttribute
+ *  NSSPKIXExtensionAttributes_SetExtensionAttribute
+ *  NSSPKIXExtensionAttributes_InsertExtensionAttribute
+ *  NSSPKIXExtensionAttributes_AppendExtensionAttribute
+ *  NSSPKIXExtensionAttributes_RemoveExtensionAttribute
+ *  NSSPKIXExtensionAttributes_FindExtensionAttribute
+ *  NSSPKIXExtensionAttributes_Equal
+ *  NSSPKIXExtensionAttributes_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXExtensionAttributes_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtensionAttributes upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensionAttributes *
+NSSPKIXExtensionAttributes_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXExtensionAttributes_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtensionAttributes upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensionAttributes *
+NSSPKIXExtensionAttributes_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXExtensionAttribute ea1,
+  ...
+);
+
+/*
+ * NSSPKIXExtensionAttributes_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXExtensionAttributes_Destroy
+(
+  NSSPKIXExtensionAttributes *eas
+);
+
+/*
+ * NSSPKIXExtensionAttributes_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXExtensionAttributes_Encode
+(
+  NSSPKIXExtensionAttributes *eas
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXExtensionAttributes_GetExtensionAttributeCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXExtensionAttributes_GetExtensionAttributeCount
+(
+  NSSPKIXExtensionAttributes *eas
+);
+
+/*
+ * NSSPKIXExtensionAttributes_GetExtensionAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ * 
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXExtensionAttribute pointers
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensionAttribute **
+NSSPKIXExtensionAttributes_GetExtensionAttributes
+(
+  NSSPKIXExtensionAttributes *eas,
+  NSSPKIXExtensionAttribute *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXExtensionAttributes_SetExtensionAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ *  NSS_ERROR_INVALID_POINTER
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXExtensionAttributes_SetExtensionAttributes
+(
+  NSSPKIXExtensionAttributes *eas,
+  NSSPKIXExtensionAttribute *ea[],
+  PRInt32 count
+);
+
+/*
+ * NSSPKIXExtensionAttributes_GetExtensionAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtensionAttribute upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensionAttribute *
+NSSPKIXExtensionAttributes_GetExtensionAttribute
+(
+  NSSPKIXExtensionAttributes *eas,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXExtensionAttributes_SetExtensionAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXExtensionAttributes_SetExtensionAttribute
+(
+  NSSPKIXExtensionAttributes *eas,
+  PRInt32 i,
+  NSSPKIXExtensionAttribute *ea
+);
+
+/*
+ * NSSPKIXExtensionAttributes_InsertExtensionAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXExtensionAttributes_InsertExtensionAttribute
+(
+  NSSPKIXExtensionAttributes *eas,
+  PRInt32 i,
+  NSSPKIXExtensionAttribute *ea
+);
+
+/*
+ * NSSPKIXExtensionAttributes_AppendExtensionAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXExtensionAttributes_AppendExtensionAttribute
+(
+  NSSPKIXExtensionAttributes *eas,
+  NSSPKIXExtensionAttribute *ea
+);
+
+/*
+ * NSSPKIXExtensionAttributes_RemoveExtensionAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXExtensionAttributes_RemoveExtensionAttribute
+(
+  NSSPKIXExtensionAttributes *eas,
+  PRInt32 i,
+);
+
+/*
+ * NSSPKIXExtensionAttributes_FindExtensionAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ * 
+ * Return value:
+ *  A nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXExtensionAttributes_FindExtensionAttribute
+(
+  NSSPKIXExtensionAttributes *eas,
+  NSSPKIXExtensionAttribute *ea
+);
+
+/*
+ * NSSPKIXExtensionAttributes_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXExtensionAttributes_Equal
+(
+  NSSPKIXExtensionAttributes *eas1,
+  NSSPKIXExtensionAttributes *eas2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXExtensionAttributes_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtensionAttributes upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensionAttributes *
+NSSPKIXExtensionAttributes_Duplicate
+(
+  NSSPKIXExtensionAttributes *eas,
+  NSSArena *arenaOpt
+);
+
+/*
+ * fgmr
+ * There should be accessors to search the ExtensionAttributes and
+ * return the value for a specific value, etc.
+ */
+
+/*
+ * ExtensionAttribute
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ExtensionAttribute ::=  SEQUENCE {
+ *     extension-attribute-type [0] INTEGER (0..ub-extension-attributes),
+ *     extension-attribute-value [1]
+ *                          ANY DEFINED BY extension-attribute-type }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXExtensionAttribute_Decode
+ *  NSSPKIXExtensionAttribute_Create
+ *  NSSPKIXExtensionAttribute_Destroy
+ *  NSSPKIXExtensionAttribute_Encode
+ *  NSSPKIXExtensionAttribute_GetExtensionsAttributeType
+ *  NSSPKIXExtensionAttribute_SetExtensionsAttributeType
+ *  NSSPKIXExtensionAttribute_GetExtensionsAttributeValue
+ *  NSSPKIXExtensionAttribute_SetExtensionsAttributeValue
+ *  NSSPKIXExtensionAttribute_Equal
+ *  NSSPKIXExtensionAttribute_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXExtensionAttribute_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtensionAttribute upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensionAttribute *
+NSSPKIXExtensionAttribute_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXExtensionAttribute_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE_TYPE
+ *  NSS_ERROR_INVALID_POINTER
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtensionAttribute upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensionAttribute *
+NSSPKIXExtensionAttribute_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXExtensionAttributeType type,
+  NSSItem *value
+);
+
+/*
+ * NSSPKIXExtensionAttribute_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXExtensionAttribute_Destroy
+(
+  NSSPKIXExtensionAttribute *ea
+);
+
+/*
+ * NSSPKIXExtensionAttribute_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXExtensionAttribute_Encode
+(
+  NSSPKIXExtensionAttribute *ea,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXExtensionAttribute_GetExtensionsAttributeType
+ *
+ * -- fgmr comments --
+ * {One of these objects created from BER generated by a program
+ * adhering to a later version of the PKIX standards might have
+ * a value not mentioned in the enumeration definition.  This isn't
+ * a bug.}
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ * 
+ * Return value:
+ *  A member of the NSSPKIXExtensionAttributeType enumeration
+ *      upon success
+ *  NSSPKIXExtensionAttributeType_NSSinvalid upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensionAttributeType
+NSSPKIXExtensionAttribute_GetExtensionsAttributeType
+(
+  NSSPKIXExtensionAttribute *ea
+);
+
+/*
+ * NSSPKIXExtensionAttribute_SetExtensionsAttributeType
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXExtensionAttribute_SetExtensionsAttributeType
+(
+  NSSPKIXExtensionAttribute *ea,
+  NSSPKIXExtensionAttributeType type
+);
+
+/*
+ * NSSPKIXExtensionAttribute_GetExtensionsAttributeValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSItem *
+NSSPKIXExtensionAttribute_GetExtensionsAttributeValue
+(
+  NSSPKIXExtensionAttribute *ea,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXExtensionAttribute_SetExtensionsAttributeValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXExtensionAttribute_SetExtensionsAttributeValue
+(
+  NSSPKIXExtensionAttribute *ea,
+  NSSItem *value
+);
+
+/*
+ * NSSPKIXExtensionAttribute_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXExtensionAttribute_Equal
+(
+  NSSPKIXExtensionAttribute *ea1,
+  NSSPKIXExtensionAttribute *ea2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXExtensionAttribute_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtensionAttribute upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensionAttribute *
+NSSPKIXExtensionAttribute_Duplicate
+(
+  NSSPKIXExtensionAttribute *ea,
+  NSSArena *arenaOpt
+);
+
+/*
+ * CommonName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CommonName ::= PrintableString (SIZE (1..ub-common-name-length))
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXCommonName_Decode
+ *  NSSPKIXCommonName_CreateFromUTF8
+ *  NSSPKIXCommonName_Encode
+ *
+ */
+
+/*
+ * NSSPKIXCommonName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCommonName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCommonName *
+NSSPKIXCommonName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXCommonName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCommonName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCommonName *
+NSSPKIXCommonName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXCommonName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_COMMON_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXCommonName_Encode
+(
+  NSSPKIXCommonName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * TeletexCommonName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-length))
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXTeletexCommonName_Decode
+ *  NSSPKIXTeletexCommonName_CreateFromUTF8
+ *  NSSPKIXTeletexCommonName_Encode
+ *
+ */
+
+/*
+ * NSSPKIXTeletexCommonName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexCommonName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexCommonName *
+NSSPKIXTeletexCommonName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXTeletexCommonName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexCommonName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexCommonName *
+NSSPKIXTeletexCommonName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXTeletexCommonName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_COMMON_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXTeletexCommonName_Encode
+(
+  NSSPKIXTeletexCommonName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * TeletexOrganizationName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexOrganizationName ::=
+ *                  TeletexString (SIZE (1..ub-organization-name-length))
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXTeletexOrganizationName_Decode
+ *  NSSPKIXTeletexOrganizationName_CreateFromUTF8
+ *  NSSPKIXTeletexOrganizationName_Encode
+ *
+ */
+
+/*
+ * NSSPKIXTeletexOrganizationName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexOrganizationName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexOrganizationName *
+NSSPKIXTeletexOrganizationName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXTeletexOrganizationName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexOrganizationName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexOrganizationName *
+NSSPKIXTeletexOrganizationName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXTeletexOrganizationName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATION_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXTeletexOrganizationName_Encode
+(
+  NSSPKIXTeletexOrganizationName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * TeletexPersonalName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexPersonalName ::= SET {
+ *     surname [0] TeletexString (SIZE (1..ub-surname-length)),
+ *     given-name [1] TeletexString
+ *                  (SIZE (1..ub-given-name-length)) OPTIONAL,
+ *     initials [2] TeletexString (SIZE (1..ub-initials-length)) OPTIONAL,
+ *     generation-qualifier [3] TeletexString (SIZE
+ *                  (1..ub-generation-qualifier-length)) OPTIONAL }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXTeletexPersonalName_Decode
+ *  NSSPKIXTeletexPersonalName_Create
+ *  NSSPKIXTeletexPersonalName_Destroy
+ *  NSSPKIXTeletexPersonalName_Encode
+ *  NSSPKIXTeletexPersonalName_GetSurname
+ *  NSSPKIXTeletexPersonalName_SetSurname
+ *  NSSPKIXTeletexPersonalName_HasGivenName
+ *  NSSPKIXTeletexPersonalName_GetGivenName
+ *  NSSPKIXTeletexPersonalName_SetGivenName
+ *  NSSPKIXTeletexPersonalName_RemoveGivenName
+ *  NSSPKIXTeletexPersonalName_HasInitials
+ *  NSSPKIXTeletexPersonalName_GetInitials
+ *  NSSPKIXTeletexPersonalName_SetInitials
+ *  NSSPKIXTeletexPersonalName_RemoveInitials
+ *  NSSPKIXTeletexPersonalName_HasGenerationQualifier
+ *  NSSPKIXTeletexPersonalName_GetGenerationQualifier
+ *  NSSPKIXTeletexPersonalName_SetGenerationQualifier
+ *  NSSPKIXTeletexPersonalName_RemoveGenerationQualifier
+ *  NSSPKIXTeletexPersonalName_Equal
+ *  NSSPKIXTeletexPersonalName_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXTeletexPersonalName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexPersonalName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexPersonalName *
+NSSPKIXTeletexPersonalName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXTeletexPersonalName_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexPersonalName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexPersonalName *
+NSSPKIXTeletexPersonalName_Create
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *surname,
+  NSSUTF8 *givenNameOpt,
+  NSSUTF8 *initialsOpt,
+  NSSUTF8 *generationQualifierOpt
+);
+
+/*
+ * NSSPKIXTeletexPersonalName_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexPersonalName_Destroy
+(
+  NSSPKIXTeletexPersonalName *personalName
+);
+
+/*
+ * NSSPKIXTeletexPersonalName_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXTeletexPersonalName_Encode
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTeletexPersonalName_GetSurname
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXTeletexPersonalName_GetSurname
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTeletexPersonalName_SetSurname
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexPersonalName_SetSurname
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  NSSUTF8 *surname
+);
+
+/*
+ * NSSPKIXTeletexPersonalName_HasGivenName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXTeletexPersonalName_HasGivenName
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXTeletexPersonalName_GetGivenName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXTeletexPersonalName_GetGivenName
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTeletexPersonalName_SetGivenName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexPersonalName_SetGivenName
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  NSSUTF8 *givenName
+);
+
+/*
+ * NSSPKIXTeletexPersonalName_RemoveGivenName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexPersonalName_RemoveGivenName
+(
+  NSSPKIXTeletexPersonalName *personalName
+);
+
+/*
+ * NSSPKIXTeletexPersonalName_HasInitials
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXTeletexPersonalName_HasInitials
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXTeletexPersonalName_GetInitials
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXTeletexPersonalName_GetInitials
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTeletexPersonalName_SetInitials
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexPersonalName_SetInitials
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  NSSUTF8 *initials
+);
+
+/*
+ * NSSPKIXTeletexPersonalName_RemoveInitials
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexPersonalName_RemoveInitials
+(
+  NSSPKIXTeletexPersonalName *personalName
+);
+
+/*
+ * NSSPKIXTeletexPersonalName_HasGenerationQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXTeletexPersonalName_HasGenerationQualifier
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXTeletexPersonalName_GetGenerationQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXTeletexPersonalName_GetGenerationQualifier
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTeletexPersonalName_SetGenerationQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexPersonalName_SetGenerationQualifier
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  NSSUTF8 *generationQualifier
+);
+
+/*
+ * NSSPKIXTeletexPersonalName_RemoveGenerationQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexPersonalName_RemoveGenerationQualifier
+(
+  NSSPKIXTeletexPersonalName *personalName
+);
+
+/*
+ * NSSPKIXTeletexPersonalName_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXTeletexPersonalName_Equal
+(
+  NSSPKIXTeletexPersonalName *personalName1,
+  NSSPKIXTeletexPersonalName *personalName2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXTeletexPersonalName_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexPersonalName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexPersonalName *
+NSSPKIXTeletexPersonalName_Duplicate
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * TeletexOrganizationalUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexOrganizationalUnitNames ::= SEQUENCE SIZE
+ *          (1..ub-organizational-units) OF TeletexOrganizationalUnitName
+ *
+ * The public calls for the type:
+ *
+ *  NSSPKIXTeletexOrganizationalUnitNames_Decode
+ *  NSSPKIXTeletexOrganizationalUnitNames_Create
+ *  NSSPKIXTeletexOrganizationalUnitNames_Destroy
+ *  NSSPKIXTeletexOrganizationalUnitNames_Encode
+ *  NSSPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNameCount
+ *  NSSPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNames
+ *  NSSPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitNames
+ *  NSSPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitName
+ *  NSSPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitName
+ *  NSSPKIXTeletexOrganizationalUnitNames_InsertTeletexOrganizationalUnitName
+ *  NSSPKIXTeletexOrganizationalUnitNames_AppendTeletexOrganizationalUnitName
+ *  NSSPKIXTeletexOrganizationalUnitNames_RemoveTeletexOrganizationalUnitName
+ *  NSSPKIXTeletexOrganizationalUnitNames_FindTeletexOrganizationalUnitName
+ *  NSSPKIXTeletexOrganizationalUnitNames_Equal
+ *  NSSPKIXTeletexOrganizationalUnitNames_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXTeletexOrganizationalUnitNames_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexOrganizationalUnitNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexOrganizationalUnitNames *
+NSSPKIXTeletexOrganizationalUnitNames_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXTeletexOrganizationalUnitNames_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexOrganizationalUnitNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexOrganizationalUnitNames *
+NSSPKIXTeletexOrganizationalUnitNames_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXTeletexOrganizationalUnitName *ou1,
+  ...
+);
+
+/*
+ * NSSPKIXTeletexOrganizationalUnitNames_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexOrganizationalUnitNames_Destroy
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous
+);
+
+/*
+ * NSSPKIXTeletexOrganizationalUnitNames_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXTeletexOrganizationalUnitNames_Encode
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNameCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNameCount
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous
+);
+
+/*
+ * NSSPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXTeletexOrganizationalUnitName
+ *      pointers upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexOrganizationalUnitName **
+NSSPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNames
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous,
+  NSSPKIXTeletexOrganizationalUnitName *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitNames
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous,
+  NSSPKIXTeletexOrganizationalUnitName *ou[],
+  PRInt32 count
+);
+
+/*
+ * NSSPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexOrganizationalUnitName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexOrganizationalUnitName *
+NSSPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitName
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitName
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous,
+  PRInt32 i,
+  NSSPKIXTeletexOrganizationalUnitName *ou
+);
+
+/*
+ * NSSPKIXTeletexOrganizationalUnitNames_InsertTeletexOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexOrganizationalUnitNames_InsertTeletexOrganizationalUnitName
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous,
+  PRInt32 i,
+  NSSPKIXTeletexOrganizationalUnitName *ou
+);
+
+/*
+ * NSSPKIXTeletexOrganizationalUnitNames_AppendTeletexOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexOrganizationalUnitNames_AppendTeletexOrganizationalUnitName
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous,
+  NSSPKIXTeletexOrganizationalUnitName *ou
+);
+
+/*
+ * NSSPKIXTeletexOrganizationalUnitNames_RemoveTeletexOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexOrganizationalUnitNames_RemoveTeletexOrganizationalUnitName
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous,
+  PRInt32 i
+);
+
+/*
+ * NSSPKIXTeletexOrganizationalUnitNames_FindTeletexOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
+ *
+ * Return value:
+ *  The index of the specified revoked certificate upon success
+ *  -1 upon failure
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXTeletexOrganizationalUnitNames_FindTeletexOrganizationalUnitName
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous,
+  NSSPKIXTeletexOrganizationalUnitName *ou
+);
+
+/*
+ * NSSPKIXTeletexOrganizationalUnitNames_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXTeletexOrganizationalUnitNames_Equal
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous1,
+  NSSPKIXTeletexOrganizationalUnitNames *ous2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXTeletexOrganizationalUnitNames_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexOrganizationalUnitNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexOrganizationalUnitNames *
+NSSPKIXTeletexOrganizationalUnitNames_Duplicate
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous,
+  NSSArena *arenaOpt
+);
+
+/*
+ * TeletexOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexOrganizationalUnitName ::= TeletexString
+ *                          (SIZE (1..ub-organizational-unit-name-length))
+ *  
+ * The public calls for this type:
+ *
+ *  NSSPKIXTeletexOrganizationalUnitName_Decode
+ *  NSSPKIXTeletexOrganizationalUnitName_CreateFromUTF8
+ *  NSSPKIXTeletexOrganizationalUnitName_Encode
+ *
+ */
+
+/*
+ * NSSPKIXTeletexOrganizationalUnitName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexOrganizationalUnitName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexOrganizationalUnitName *
+NSSPKIXTeletexOrganizationalUnitName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXTeletexOrganizationalUnitName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexOrganizationalUnitName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexOrganizationalUnitName *
+NSSPKIXTeletexOrganizationalUnitName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXTeletexOrganizationalUnitName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXTeletexOrganizationalUnitName_Encode
+(
+  NSSPKIXTeletexOrganizationalUnitName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * PDSName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PDSName ::= PrintableString (SIZE (1..ub-pds-name-length))
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXPDSName_Decode
+ *  NSSPKIXPDSName_CreateFromUTF8
+ *  NSSPKIXPDSName_Encode
+ *
+ */
+
+/*
+ * NSSPKIXPDSName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPDSName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPDSName *
+NSSPKIXPDSName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXPDSName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPDSName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPDSName *
+NSSPKIXPDSName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXPDSName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXPDSName_Encode
+(
+  NSSPKIXPDSName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * PhysicalDeliveryCountryName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PhysicalDeliveryCountryName ::= CHOICE {
+ *     x121-dcc-code NumericString (SIZE (ub-country-name-numeric-length)),
+ *     iso-3166-alpha2-code PrintableString
+ *                          (SIZE (ub-country-name-alpha-length)) }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXPhysicalDeliveryCountryName_Decode
+ *  NSSPKIXPhysicalDeliveryCountryName_CreateFromUTF8
+ *  NSSPKIXPhysicalDeliveryCountryName_Encode
+ *
+ */
+
+/*
+ * NSSPKIXPhysicalDeliveryCountryName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPhysicalDeliveryCountryName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPhysicalDeliveryCountryName *
+NSSPKIXPhysicalDeliveryCountryName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXPhysicalDeliveryCountryName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPhysicalDeliveryCountryName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPhysicalDeliveryCountryName *
+NSSPKIXPhysicalDeliveryCountryName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXPhysicalDeliveryCountryName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PHYSICAL_DELIVERY_COUNTRY_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXPhysicalDeliveryCountryName_Encode
+(
+  NSSPKIXPhysicalDeliveryCountryName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * PostalCode
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PostalCode ::= CHOICE {
+ *     numeric-code NumericString (SIZE (1..ub-postal-code-length)),
+ *     printable-code PrintableString (SIZE (1..ub-postal-code-length)) }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXPostalCode_Decode
+ *  NSSPKIXPostalCode_CreateFromUTF8
+ *  NSSPKIXPostalCode_Encode
+ *
+ */
+
+/*
+ * NSSPKIXPostalCode_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPostalCode upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPostalCode *
+NSSPKIXPostalCode_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXPostalCode_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPostalCode upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPostalCode *
+NSSPKIXPostalCode_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXPostalCode_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POSTAL_CODE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXPostalCode_Encode
+(
+  NSSPKIXPostalCode *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * PDSParameter
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PDSParameter ::= SET {
+ *     printable-string PrintableString
+ *                  (SIZE(1..ub-pds-parameter-length)) OPTIONAL,
+ *     teletex-string TeletexString
+ *                  (SIZE(1..ub-pds-parameter-length)) OPTIONAL }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXPDSParameter_Decode
+ *  NSSPKIXPDSParameter_CreateFromUTF8
+ *  NSSPKIXPDSParameter_Create
+ *  NSSPKIXPDSParameter_Delete
+ *  NSSPKIXPDSParameter_Encode
+ *  NSSPKIXPDSParameter_GetUTF8Encoding
+ *  NSSPKIXPDSParameter_HasPrintableString
+ *  NSSPKIXPDSParameter_GetPrintableString
+ *  NSSPKIXPDSParameter_SetPrintableString
+ *  NSSPKIXPDSParameter_RemovePrintableString
+ *  NSSPKIXPDSParameter_HasTeletexString
+ *  NSSPKIXPDSParameter_GetTeletexString
+ *  NSSPKIXPDSParameter_SetTeletexString
+ *  NSSPKIXPDSParameter_RemoveTeletexString
+ *  NSSPKIXPDSParameter_Equal
+ *  NSSPKIXPDSParameter_Duplicate
+ */
+
+/*
+ * NSSPKIXPDSParameter_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPDSParameter upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPDSParameter *
+NSSPKIXPDSParameter_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXPDSParameter_CreateFromUTF8
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPDSParameter upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPDSParameter *
+NSSPKIXPDSParameter_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXPDSParameter_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPDSParameter upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPDSParameter *
+NSSPKIXPDSParameter_Create
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *printableStringOpt,
+  NSSUTF8 *teletexStringOpt
+);
+
+/*
+ * NSSPKIXPDSParameter_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPDSParameter_Destroy
+(
+  NSSPKIXPDSParameter *p
+);
+
+/*
+ * NSSPKIXPDSParameter_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXPDSParameter_Encode
+(
+  NSSPKIXPDSParameter *p,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPDSParameter_GetUTF8Encoding
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXPDSParameter_GetUTF8Encoding
+(
+  NSSPKIXPDSParameter *p,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPDSParameter_HasPrintableString
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXPDSParameter_HasPrintableString
+(
+  NSSPKIXPDSParameter *p,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXPDSParameter_GetPrintableString
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXPDSParameter_GetPrintableString
+(
+  NSSPKIXPDSParameter *p,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPDSParameter_SetPrintableString
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPDSParameter_SetPrintableString
+(
+  NSSPKIXPDSParameter *p,
+  NSSUTF8 *printableString
+);
+
+/*
+ * NSSPKIXPDSParameter_RemovePrintableString
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPDSParameter_RemovePrintableString
+(
+  NSSPKIXPDSParameter *p
+);
+
+/*
+ * NSSPKIXPDSParameter_HasTeletexString
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXPDSParameter_HasTeletexString
+(
+  NSSPKIXPDSParameter *p,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXPDSParameter_GetTeletexString
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXPDSParameter_GetTeletexString
+(
+  NSSPKIXPDSParameter *p,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPDSParameter_SetTeletexString
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPDSParameter_SetTeletexString
+(
+  NSSPKIXPDSParameter *p,
+  NSSUTF8 *teletexString
+);
+
+/*
+ * NSSPKIXPDSParameter_RemoveTeletexString
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPDSParameter_RemoveTeletexString
+(
+  NSSPKIXPDSParameter *p
+);
+
+/*
+ * NSSPKIXPDSParameter_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXPDSParameter_Equal
+(
+  NSSPKIXPDSParameter *p1,
+  NSSPKIXPDSParameter *p2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXPDSParameter_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPDSParameter upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPDSParameter *
+NSSPKIXPDSParameter_Duplicate
+(
+  NSSPKIXPDSParameter *p,
+  NSSArena *arenaOpt
+);
+
+/*
+ * fgmr: what about these PDS types?
+ *
+ * PhysicalDeliveryOfficeName
+ *
+ * PhysicalDeliveryOfficeNumber
+ *
+ * ExtensionORAddressComponents
+ *
+ * PhysicalDeliveryPersonalName
+ *
+ * PhysicalDeliveryOrganizationName
+ *
+ * ExtensionPhysicalDeliveryAddressComponents
+ *
+ * StreetAddress
+ *
+ * PostOfficeBoxAddress
+ *
+ * PosteRestanteAddress
+ *
+ * UniquePostalName
+ *
+ * LocalPostalAttributes
+ *
+ */
+
+/*
+ * UnformattedPostalAddress
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  UnformattedPostalAddress ::= SET {
+ *     printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) OF
+ *             PrintableString (SIZE (1..ub-pds-parameter-length)) OPTIONAL,
+ *     teletex-string TeletexString
+ *           (SIZE (1..ub-unformatted-address-length)) OPTIONAL }
+ *
+ * The public calls for the type:
+ *
+ *
+ */
+
+/*
+ * ExtendedNetworkAddress
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ExtendedNetworkAddress ::= CHOICE {
+ *     e163-4-address SEQUENCE {
+ *          number [0] NumericString (SIZE (1..ub-e163-4-number-length)),
+ *          sub-address [1] NumericString
+ *                  (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL },
+ *     psap-address [0] PresentationAddress }
+ *
+ * The public calls for the type:
+ *
+ *  NSSPKIXExtendedNetworkAddress_Decode
+ *  NSSPKIXExtendedNetworkAddress_Create
+ *  NSSPKIXExtendedNetworkAddress_Destroy
+ *  NSSPKIXExtendedNetworkAddress_Encode
+ *  NSSPKIXExtendedNetworkAddress_GetChoice
+ *  NSSPKIXExtendedNetworkAddress_Get
+ *  NSSPKIXExtendedNetworkAddress_GetE1634Address
+ *  NSSPKIXExtendedNetworkAddress_GetPsapAddress
+ *  NSSPKIXExtendedNetworkAddress_Set
+ *  NSSPKIXExtendedNetworkAddress_SetE163Address
+ *  NSSPKIXExtendedNetworkAddress_SetPsapAddress
+ *  NSSPKIXExtendedNetworkAddress_Equal
+ *  NSSPKIXExtendedNetworkAddress_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXExtendedNetworkAddress_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtendedNetworkAddress upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtendedNetworkAddress *
+NSSPKIXExtendedNetworkAddress_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXExtendedNetworkAddress_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ *  NSS_ERROR_INVALID_PKIX_PRESENTATION_ADDRESS
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtendedNetworkAddress upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtendedNetworkAddress *
+NSSPKIXExtendedNetworkAddress_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXExtendedNetworkAddressChoice choice,
+  void *address
+);
+
+/*
+ * NSSPKIXExtendedNetworkAddress_CreateFromE1634Address
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtendedNetworkAddress upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtendedNetworkAddress *
+NSSPKIXExtendedNetworkAddress_CreateFromE1634Address
+(
+  NSSArena *arenaOpt,
+  NSSPKIXe1634Address *e1634address
+);
+
+/*
+ * NSSPKIXExtendedNetworkAddress_CreateFromPresentationAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_PRESENTATION_ADDRESS
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtendedNetworkAddress upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtendedNetworkAddress *
+NSSPKIXExtendedNetworkAddress_CreateFromPresentationAddress
+(
+  NSSArena *arenaOpt,
+  NSSPKIXPresentationAddress *presentationAddress
+);
+
+/*
+ * NSSPKIXExtendedNetworkAddress_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXExtendedNetworkAddress_Destroy
+(
+  NSSPKIXExtendedNetworkAddress *ena
+);
+
+/*
+ * NSSPKIXExtendedNetworkAddress_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXExtendedNetworkAddress_Encode
+(
+  NSSPKIXExtendedNetworkAddress *ena,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXExtendedNetworkAddress_GetChoice
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ * 
+ * Return value:
+ *  A valid element of the NSSPKIXExtendedNetworkAddressChoice upon
+ *      success
+ *  The value NSSPKIXExtendedNetworkAddress_NSSinvalid upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtendedNetworkAddressChoice
+NSSPKIXExtendedNetworkAddress_GetChoice
+(
+  NSSPKIXExtendedNetworkAddress *ena
+);
+
+/*
+ * NSSPKIXExtendedNetworkAddress_GetSpecifiedChoice
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_WRONG_CHOICE
+ * 
+ * Return value:
+ *  A pointer...
+ *  NULL upon failure
+ */
+
+NSS_EXTERN void *
+NSSPKIXExtendedNetworkAddress_GetSpecifiedChoice
+(
+  NSSPKIXExtendedNetworkAddress *ena,
+  NSSPKIXExtendedNetworkAddressChoice which,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXExtendedNetworkAddress_GetE1634Address
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_WRONG_CHOICE
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXe1643Address upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXe1643Address *
+NSSPKIXExtendedNetworkAddress_GetE1634Address
+(
+  NSSPKIXExtendedNetworkAddress *ena,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXExtendedNetworkAddress_GetPresentationAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_WRONG_CHOICE
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPresentationAddress upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPresentationAddress *
+NSSPKIXExtendedNetworkAddress_GetPresentationAddress
+(
+  NSSPKIXExtendedNetworkAddress *ena,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXExtendedNetworkAddress_SetSpecifiedChoice
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ *  NSS_ERROR_INVALID_PKIX_PRESENTATION_ADDRESS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXExtendedNetworkAddress_SetSpecifiedChoice
+(
+  NSSPKIXExtendedNetworkAddress *ena,
+  NSSPKIXExtendedNetworkAddressChoice which,
+  void *address
+);
+
+/*
+ * NSSPKIXExtendedNetworkAddress_SetE163Address
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXExtendedNetworkAddress_SetE163Address
+(
+  NSSPKIXExtendedNetworkAddress *ena,
+  NSSPKIXe1634Address *e1634address
+);
+
+/*
+ * NSSPKIXExtendedNetworkAddress_SetPresentationAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_PRESENTATION_ADDRESS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXExtendedNetworkAddress_SetPresentationAddress
+(
+  NSSPKIXExtendedNetworkAddress *ena,
+  NSSPKIXPresentationAddress *presentationAddress
+);
+
+/*
+ * NSSPKIXExtendedNetworkAddress_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXExtendedNetworkAddress_Equal
+(
+  NSSPKIXExtendedNetworkAddress *ena1,
+  NSSPKIXExtendedNetworkAddress *ena2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXExtendedNetworkAddress_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtendedNetworkAddress upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtendedNetworkAddress *
+NSSPKIXExtendedNetworkAddress_Duplicate
+(
+  NSSPKIXExtendedNetworkAddress *ena,
+  NSSArena *arenaOpt
+);
+
+/*
+ * e163-4-address
+ *
+ * Helper structure for ExtendedNetworkAddress.
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ * 
+ *     e163-4-address SEQUENCE {
+ *          number [0] NumericString (SIZE (1..ub-e163-4-number-length)),
+ *          sub-address [1] NumericString
+ *                  (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL },
+ * 
+ * The public calls for the type:
+ *
+ *  NSSPKIXe1634Address_Decode
+ *  NSSPKIXe1634Address_Create
+ *  NSSPKIXe1634Address_Destroy
+ *  NSSPKIXe1634Address_Encode
+ *  NSSPKIXe1634Address_GetNumber
+ *  NSSPKIXe1634Address_SetNumber
+ *  NSSPKIXe1634Address_HasSubAddress
+ *  NSSPKIXe1634Address_GetSubAddress
+ *  NSSPKIXe1634Address_SetSubAddress
+ *  NSSPKIXe1634Address_RemoveSubAddress
+ *  NSSPKIXe1634Address_Equal
+ *  NSSPKIXe1634Address_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXe1634Address_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXe1634Address upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXe1634Address *
+NSSPKIXe1634Address_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXe1634Address_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXe1634Address upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXe1634Address *
+NSSPKIXe1634Address_Create
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *number,
+  NSSUTF8 *subAddressOpt
+);
+
+/*
+ * NSSPKIXe1634Address_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXe1634Address_Destroy
+(
+  NSSPKIXe1634Address *e
+);
+
+/*
+ * NSSPKIXe1634Address_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXe1634Address_Encode
+(
+  NSSPKIXe1634Address *e,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXe1634Address_GetNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXe1634Address_GetNumber
+(
+  NSSPKIXe1634Address *e,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXe1634Address_SetNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_STRING
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXe1634Address_SetNumber
+(
+  NSSPKIXe1634Address *e,
+  NSSUTF8 *number
+);
+
+/*
+ * NSSPKIXe1634Address_HasSubAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXe1634Address_HasSubAddress
+(
+  NSSPKIXe1634Address *e,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXe1634Address_GetSubAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXe1634Address_GetSubAddress
+(
+  NSSPKIXe1634Address *e,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXe1634Address_SetSubAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_STRING
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXe1634Address_SetSubAddress
+(
+  NSSPKIXe1634Address *e,
+  NSSUTF8 *subAddress
+);
+
+/*
+ * NSSPKIXe1634Address_RemoveSubAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXe1634Address_RemoveSubAddress
+(
+  NSSPKIXe1634Address *e
+);
+
+/*
+ * NSSPKIXe1634Address_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXe1634Address_Equal
+(
+  NSSPKIXe1634Address *e1,
+  NSSPKIXe1634Address *e2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXe1634Address_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXe1634Address upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXe1634Address *
+NSSPKIXe1634Address_Duplicate
+(
+  NSSPKIXe1634Address *e,
+  NSSArena *arenaOpt
+);
+
+/*
+ * PresentationAddress
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PresentationAddress ::= SEQUENCE {
+ *          pSelector       [0] EXPLICIT OCTET STRING OPTIONAL,
+ *          sSelector       [1] EXPLICIT OCTET STRING OPTIONAL,
+ *          tSelector       [2] EXPLICIT OCTET STRING OPTIONAL,
+ *          nAddresses      [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }
+ *
+ * The public calls for the type:
+ *
+ *  NSSPKIXPresentationAddress_Decode
+ *  NSSPKIXPresentationAddress_Create
+ *  NSSPKIXPresentationAddress_Destroy
+ *  NSSPKIXPresentationAddress_Encode
+ *  NSSPKIXPresentationAddress_HasPSelector
+ *  NSSPKIXPresentationAddress_GetPSelector
+ *  NSSPKIXPresentationAddress_SetPSelector
+ *  NSSPKIXPresentationAddress_RemovePSelector
+ *  NSSPKIXPresentationAddress_HasSSelector
+ *  NSSPKIXPresentationAddress_GetSSelector
+ *  NSSPKIXPresentationAddress_SetSSelector
+ *  NSSPKIXPresentationAddress_RemoveSSelector
+ *  NSSPKIXPresentationAddress_HasTSelector
+ *  NSSPKIXPresentationAddress_GetTSelector
+ *  NSSPKIXPresentationAddress_SetTSelector
+ *  NSSPKIXPresentationAddress_RemoveTSelector
+ *  NSSPKIXPresentationAddress_HasNAddresses
+ *  NSSPKIXPresentationAddress_GetNAddresses
+ *  NSSPKIXPresentationAddress_SetNAddresses
+ *  NSSPKIXPresentationAddress_RemoveNAddresses
+ *{NAddresses must be more complex than that}
+ *  NSSPKIXPresentationAddress_Compare
+ *  NSSPKIXPresentationAddress_Duplicate
+ *
+ */
+
+/*
+ * TeletexDomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexDomainDefinedAttributes ::= SEQUENCE SIZE
+ *     (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute
+ * 
+ * The public calls for the type:
+ *
+ *  NSSPKIXTeletexDomainDefinedAttributes_Decode
+ *  NSSPKIXTeletexDomainDefinedAttributes_Create
+ *  NSSPKIXTeletexDomainDefinedAttributes_Destroy
+ *  NSSPKIXTeletexDomainDefinedAttributes_Encode
+ *  NSSPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributeCount
+ *  NSSPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributes
+ *  NSSPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttributes
+ *  NSSPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttribute
+ *  NSSPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttribute
+ *  NSSPKIXTeletexDomainDefinedAttributes_InsertTeletexDomainDefinedAttribute
+ *  NSSPKIXTeletexDomainDefinedAttributes_AppendTeletexDomainDefinedAttribute
+ *  NSSPKIXTeletexDomainDefinedAttributes_RemoveTeletexDomainDefinedAttribute
+ *  NSSPKIXTeletexDomainDefinedAttributes_FindTeletexDomainDefinedAttribute
+ *  NSSPKIXTeletexDomainDefinedAttributes_Equal
+ *  NSSPKIXTeletexDomainDefinedAttributes_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttributes_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexDomainDefinedAttributes
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexDomainDefinedAttributes *
+NSSPKIXTeletexDomainDefinedAttributes_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttributes_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexDomainDefinedAttributes
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexDomainDefinedAttributes *
+NSSPKIXTeletexDomainDefinedAttributes_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXTeletexDomainDefinedAttribute *tdda1,
+  ...
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttributes_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexDomainDefinedAttributes_Destroy
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttributes_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXTeletexDomainDefinedAttributes_Encode
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributeCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributeCount
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ * 
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXTeletexDomainDefinedAttribute
+ *      pointers upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute **
+NSSPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributes
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas,
+  NSSPKIXTeletexDomainDefinedAttribute *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttributes
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas,
+  NSSPKIXTeletexDomainDefinedAttribute *tdda[],
+  PRInt32 count
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexDomainDefinedAttribute upon
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute *
+NSSPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttribute
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttribute
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas,
+  PRInt32 i,
+  NSSPKIXTeletexDomainDefinedAttribute *tdda
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttributes_InsertTeletexDomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexDomainDefinedAttributes_InsertTeletexDomainDefinedAttribute
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas,
+  PRInt32 i,
+  NSSPKIXTeletexDomainDefinedAttribute *tdda
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttributes_AppendTeletexDomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexDomainDefinedAttributes_AppendTeletexDomainDefinedAttribute
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas,
+  NSSPKIXTeletexDomainDefinedAttribute *tdda
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttributes_RemoveTeletexDomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexDomainDefinedAttributes_RemoveTeletexDomainDefinedAttribute
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas,
+  PRInt32 i
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttributes_FindTeletexDomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ * 
+ * Return value:
+ *  The nonnegative integer upon success
+ *  -1 upon failure
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXTeletexDomainDefinedAttributes_FindTeletexDomainDefinedAttribute
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas,
+  NSSPKIXTeletexDomainDefinedAttribute *tdda
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttributes_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXTeletexDomainDefinedAttributes_Equal
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas1,
+  NSSPKIXTeletexDomainDefinedAttributes *tddas2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttributes_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexDomainDefinedAttributes
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexDomainDefinedAttributes *
+NSSPKIXTeletexDomainDefinedAttributes_Duplicate
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas,
+  NSSArena *arenaOpt
+);
+
+/*
+ * TeletexDomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexDomainDefinedAttribute ::= SEQUENCE {
+ *          type TeletexString
+ *                 (SIZE (1..ub-domain-defined-attribute-type-length)),
+ *          value TeletexString
+ *                 (SIZE (1..ub-domain-defined-attribute-value-length)) }
+ * 
+ * The public calls for the type:
+ *
+ *  NSSPKIXTeletexDomainDefinedAttribute_Decode
+ *  NSSPKIXTeletexDomainDefinedAttribute_CreateFromUTF8
+ *  NSSPKIXTeletexDomainDefinedAttribute_Create
+ *  NSSPKIXTeletexDomainDefinedAttribute_Destroy
+ *  NSSPKIXTeletexDomainDefinedAttribute_Encode
+ *  NSSPKIXTeletexDomainDefinedAttribute_GetUTF8Encoding
+ *  NSSPKIXTeletexDomainDefinedAttribute_GetType
+ *  NSSPKIXTeletexDomainDefinedAttribute_SetType
+ *  NSSPKIXTeletexDomainDefinedAttribute_GetValue
+ *  NSSPKIXTeletexDomainDefinedAttribute_GetValue
+ *  NSSPKIXTeletexDomainDefinedAttribute_Equal
+ *  NSSPKIXTeletexDomainDefinedAttribute_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttribute_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexDomainDefinedAttribute
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute *
+NSSPKIXTeletexDomainDefinedAttribute_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttribute_CreateFromUTF8
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexDomainDefinedAttribute
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute *
+NSSPKIXTeletexDomainDefinedAttribute_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttribute_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexDomainDefinedAttribute
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute *
+NSSPKIXTeletexDomainDefinedAttribute_Create
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *type,
+  NSSUTF8 *value
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttribute_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexDomainDefinedAttribute_Destroy
+(
+  NSSPKIXTeletexDomainDefinedAttribute *tdda
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttribute_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXTeletexDomainDefinedAttribute_Encode
+(
+  NSSPKIXTeletexDomainDefinedAttribute *tdda,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttribute_GetUTF8Encoding
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXTeletexDomainDefinedAttribute_GetUTF8Encoding
+(
+  NSSPKIXTeletexDomainDefinedAttribute *tdda,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttribute_GetType
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXTeletexDomainDefinedAttribute_GetType
+(
+  NSSPKIXTeletexDomainDefinedAttribute *tdda,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttribute_SetType
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexDomainDefinedAttribute_SetType
+(
+  NSSPKIXTeletexDomainDefinedAttribute *tdda,
+  NSSUTF8 *type
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttribute_GetValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXTeletexDomainDefinedAttribute_GetValue
+(
+  NSSPKIXTeletexDomainDefinedAttribute *tdda,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttribute_SetValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXTeletexDomainDefinedAttribute_SetValue
+(
+  NSSPKIXTeletexDomainDefinedAttribute *tdda,
+  NSSUTF8 *value
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttribute_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXTeletexDomainDefinedAttribute_Equal
+(
+  NSSPKIXTeletexDomainDefinedAttribute *tdda1,
+  NSSPKIXTeletexDomainDefinedAttribute *tdda2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXTeletexDomainDefinedAttribute_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexDomainDefinedAttribute
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute *
+NSSPKIXTeletexDomainDefinedAttribute_Duplicate
+(
+  NSSPKIXTeletexDomainDefinedAttribute *tdda,
+  NSSArena *arenaOpt
+);
+
+/*
+ * AuthorityKeyIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  AuthorityKeyIdentifier ::= SEQUENCE {
+ *        keyIdentifier             [0] KeyIdentifier            OPTIONAL,
+ *        authorityCertIssuer       [1] GeneralNames             OPTIONAL,
+ *        authorityCertSerialNumber [2] CertificateSerialNumber  OPTIONAL }
+ *      -- authorityCertIssuer and authorityCertSerialNumber shall both
+ *      -- be present or both be absent
+ *
+ * The public calls for the type:
+ *
+ *  NSSPKIXAuthorityKeyIdentifier_Decode
+ *  NSSPKIXAuthorityKeyIdentifier_Create
+ *  NSSPKIXAuthorityKeyIdentifier_Destroy
+ *  NSSPKIXAuthorityKeyIdentifier_Encode
+ *  NSSPKIXAuthorityKeyIdentifier_HasKeyIdentifier
+ *  NSSPKIXAuthorityKeyIdentifier_GetKeyIdentifier
+ *  NSSPKIXAuthorityKeyIdentifier_SetKeyIdentifier
+ *  NSSPKIXAuthorityKeyIdentifier_RemoveKeyIdentifier
+ *  NSSPKIXAuthorityKeyIdentifier_HasAuthorityCertIssuerAndSerialNumber
+ *  NSSPKIXAuthorityKeyIdentifier_RemoveAuthorityCertIssuerAndSerialNumber
+ *  NSSPKIXAuthorityKeyIdentifier_GetAuthorityCertIssuer
+ *  NSSPKIXAuthorityKeyIdentifier_GetAuthorityCertSerialNumber
+ *  NSSPKIXAuthorityKeyIdentifier_SetAuthorityCertIssuerAndSerialNumber
+ *  NSSPKIXAuthorityKeyIdentifier_Equal
+ *  NSSPKIXAuthorityKeyIdentifier_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXAuthorityKeyIdentifier_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAuthorityKeyIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAuthorityKeyIdentifier *
+NSSPKIXAuthorityKeyIdentifier_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXAuthorityKeyIdentifier_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_INVALID_ARGUMENTS
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAuthorityKeyIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAuthorityKeyIdentifier *
+NSSPKIXAuthorityKeyIdentifier_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXKeyIdentifier *keyIdentifierOpt,
+  NSSPKIXGeneralNames *authorityCertIssuerOpt,
+  NSSPKIXCertificateSerialNumber *authorityCertSerialNumberOpt
+);
+
+/*
+ * NSSPKIXAuthorityKeyIdentifier_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAuthorityKeyIdentifier_Destroy
+(
+  NSSPKIXAuthorityKeyIdentifier *aki
+);
+
+/*
+ * NSSPKIXAuthorityKeyIdentifier_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXAuthorityKeyIdentifier_Encode
+(
+  NSSPKIXAuthorityKeyIdentifier *aki,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXAuthorityKeyIdentifier_HasKeyIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXAuthorityKeyIdentifier_HasKeyIdentifier
+(
+  NSSPKIXAuthorityKeyIdentifier *aki,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXAuthorityKeyIdentifier_GetKeyIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_HAS_NO_KEY_IDENTIFIER
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXKeyIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXKeyIdentifier *
+NSSPKIXAuthorityKeyIdentifier_GetKeyIdentifier
+(
+  NSSPKIXAuthorityKeyIdentifier *aki,
+  NSSPKIXKeyIdentifier *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXAuthorityKeyIdentifier_SetKeyIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAuthorityKeyIdentifier_SetKeyIdentifier
+(
+  NSSPKIXAuthorityKeyIdentifier *aki,
+  NSSPKIXKeyIdentifier *keyIdentifier
+);
+
+/*
+ * NSSPKIXAuthorityKeyIdentifier_RemoveKeyIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *  NSS_ERROR_HAS_NO_KEY_IDENTIFIER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAuthorityKeyIdentifier_RemoveKeyIdentifier
+(
+  NSSPKIXAuthorityKeyIdentifier *aki
+);
+
+/*
+ * NSSPKIXAuthorityKeyIdentifier_HasAuthorityCertIssuerAndSerialNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *
+ * Return value:
+ *  PR_TRUE if it has them
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXAuthorityKeyIdentifier_HasAuthorityCertIssuerAndSerialNumber
+(
+  NSSPKIXAuthorityKeyIdentifier *aki,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXAuthorityKeyIdentifier_RemoveAuthorityCertIssuerAndSerialNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *  NSS_ERROR_HAS_NO_AUTHORITY_CERT_ISSUER_AND_SERIAL_NUMBER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAuthorityKeyIdentifier_RemoveAuthorityCertIssuerAndSerialNumber
+(
+  NSSPKIXAuthorityKeyIdentifier *aki
+);
+
+/*
+ * NSSPKIXAuthorityKeyIdentifier_GetAuthorityCertIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_HAS_NO_AUTHORITY_CERT_ISSUER_AND_SERIAL_NUMBER
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralNames *
+NSSPKIXAuthorityKeyIdentifier_GetAuthorityCertIssuer
+(
+  NSSPKIXAuthorityKeyIdentifier *aki,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXAuthorityKeyIdentifier_GetAuthorityCertSerialNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_HAS_NO_AUTHORITY_CERT_ISSUER_AND_SERIAL_NUMBER
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificateSerialNumber upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificateSerialNumber *
+NSSPKIXAuthorityKeyIdentifier_GetAuthorityCertSerialNumber
+(
+  NSSPKIXAuthorityKeyIdentifier *aki,
+  NSSPKIXCertificateSerialNumber *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXAuthorityKeyIdentifier_SetAuthorityCertIssuerAndSerialNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAuthorityKeyIdentifier_SetAuthorityCertIssuerAndSerialNumber
+(
+  NSSPKIXAuthorityKeyIdentifier *aki,
+  NSSPKIXGeneralNames *issuer,
+  NSSPKIXCertificateSerialNumber *serialNumber
+);
+
+/*
+ * NSSPKIXAuthorityKeyIdentifier_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXAuthorityKeyIdentifier_Equal
+(
+  NSSPKIXAuthorityKeyIdentifier *aki1,
+  NSSPKIXAuthorityKeyIdentifier *aki2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXAuthorityKeyIdentifier_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAuthorityKeyIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAuthorityKeyIdentifier *
+NSSPKIXAuthorityKeyIdentifier_Duplicate
+(
+  NSSPKIXAuthorityKeyIdentifier *aki,
+  NSSArena *arenaOpt
+);
+
+/*
+ * KeyUsage
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  KeyUsage ::= BIT STRING {
+ *       digitalSignature        (0),
+ *       nonRepudiation          (1),
+ *       keyEncipherment         (2),
+ *       dataEncipherment        (3),
+ *       keyAgreement            (4),
+ *       keyCertSign             (5),
+ *       cRLSign                 (6),
+ *       encipherOnly            (7),
+ *       decipherOnly            (8) }
+ *
+ * The public calls for the type:
+ *
+ *  NSSPKIXKeyUsage_Decode
+ *  NSSPKIXKeyUsage_CreateFromUTF8
+ *  NSSPKIXKeyUsage_CreateFromValue
+ *  NSSPKIXKeyUsage_Destroy
+ *  NSSPKIXKeyUsage_Encode
+ *  NSSPKIXKeyUsage_GetUTF8Encoding
+ *  NSSPKIXKeyUsage_GetValue
+ *  NSSPKIXKeyUsage_SetValue
+ *    { bitwise accessors? }
+ *  NSSPKIXKeyUsage_Equal
+ *  NSSPKIXKeyUsage_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXKeyUsage_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXKeyUsage upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXKeyUsage *
+NSSPKIXKeyUsage_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXKeyUsage_CreateFromUTF8
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXKeyUsage upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXKeyUsage *
+NSSPKIXKeyUsage_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXKeyUsage_CreateFromValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_KEY_USAGE_VALUE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXKeyUsage upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXKeyUsage *
+NSSPKIXKeyUsage_CreateFromValue
+(
+  NSSArena *arenaOpt,
+  NSSPKIXKeyUsageValue value
+);
+
+/*
+ * NSSPKIXKeyUsage_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_KEY_USAGE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXKeyUsage_Destroy
+(
+  NSSPKIXKeyUsage *keyUsage
+);
+
+/*
+ * NSSPKIXKeyUsage_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_KEY_USAGE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXKeyUsage_Encode
+(
+  NSSPKIXKeyUsage *keyUsage,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXKeyUsage_GetUTF8Encoding
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_KEY_USAGE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXKeyUsage_GetUTF8Encoding
+(
+  NSSPKIXKeyUsage *keyUsage,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXKeyUsage_GetValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_KEY_USAGE
+ *
+ * Return value:
+ *  A set of NSSKeyUsageValue values OR-d together upon success
+ *  NSSKeyUsage_NSSinvalid upon failure
+ */
+
+NSS_EXTERN NSSKeyUsageValue
+NSSPKIXKeyUsage_GetValue
+(
+  NSSPKIXKeyUsage *keyUsage
+);
+
+/*
+ * NSSPKIXKeyUsage_SetValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_KEY_USAGE
+ *  NSS_ERROR_INVALID_PKIX_KEY_USAGE_VALUE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXKeyUsage_SetValue
+(
+  NSSPKIXKeyUsage *keyUsage,
+  NSSPKIXKeyUsageValue value
+);
+
+/*
+ * NSSPKIXKeyUsage_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_KEY_USAGE
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXKeyUsage_Equal
+(
+  NSSPKIXKeyUsage *keyUsage1,
+  NSSPKIXKeyUsage *keyUsage2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXKeyUsage_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_KEY_USAGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXKeyUsage upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXKeyUsage *
+NSSPKIXKeyUsage_Duplicate
+(
+  NSSPKIXKeyUsage *keyUsage,
+  NSSArena *arenaOpt
+);
+
+/*
+ * PrivateKeyUsagePeriod
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PrivateKeyUsagePeriod ::= SEQUENCE {
+ *       notBefore       [0]     GeneralizedTime OPTIONAL,
+ *       notAfter        [1]     GeneralizedTime OPTIONAL }
+ *       -- either notBefore or notAfter shall be present
+ *
+ * The public calls for the type:
+ *
+ *  NSSPKIXPrivateKeyUsagePeriod_Decode
+ *  NSSPKIXPrivateKeyUsagePeriod_Create
+ *  NSSPKIXPrivateKeyUsagePeriod_Destroy
+ *  NSSPKIXPrivateKeyUsagePeriod_Encode
+ *  NSSPKIXPrivateKeyUsagePeriod_HasNotBefore
+ *  NSSPKIXPrivateKeyUsagePeriod_GetNotBefore
+ *  NSSPKIXPrivateKeyUsagePeriod_SetNotBefore
+ *  NSSPKIXPrivateKeyUsagePeriod_RemoveNotBefore
+ *  NSSPKIXPrivateKeyUsagePeriod_HasNotAfter
+ *  NSSPKIXPrivateKeyUsagePeriod_GetNotAfter
+ *  NSSPKIXPrivateKeyUsagePeriod_SetNotAfter
+ *  NSSPKIXPrivateKeyUsagePeriod_RemoveNotAfter
+ *  NSSPKIXPrivateKeyUsagePeriod_Equal
+ *  NSSPKIXPrivateKeyUsagePeriod_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXPrivateKeyUsagePeriod_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPrivateKeyUsagePeriod upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPrivateKeyUsagePeriod *
+NSSPKIXPrivateKeyUsagePeriod_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXPrivateKeyUsagePeriod_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_TIME
+ *  NSS_ERROR_INVALID_ARGUMENTS
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPrivateKeyUsagePeriod upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPrivateKeyUsagePeriod *
+NSSPKIXPrivateKeyUsagePeriod_Create
+(
+  NSSArena *arenaOpt,
+  NSSTime *notBeforeOpt,
+  NSSTime *notAfterOpt
+);
+
+/*
+ * NSSPKIXPrivateKeyUsagePeriod_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPrivateKeyUsagePeriod_Destroy
+(
+  NSSPKIXPrivateKeyUsagePeriod *period
+);
+
+/*
+ * NSSPKIXPrivateKeyUsagePeriod_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_DATA
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXPrivateKeyUsagePeriod_Encode
+(
+  NSSPKIXPrivateKeyUsagePeriod *period,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPrivateKeyUsagePeriod_HasNotBefore
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXPrivateKeyUsagePeriod_HasNotBefore
+(
+  NSSPKIXPrivateKeyUsagePeriod *period,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXPrivateKeyUsagePeriod_GetNotBefore
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_HAS_NO_NOT_BEFORE
+ *
+ * Return value:
+ *  NSSTime {fgmr!}
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSTime *
+NSSPKIXPrivateKeyUsagePeriod_GetNotBefore
+(
+  NSSPKIXPrivateKeyUsagePeriod *period,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPrivateKeyUsagePeriod_SetNotBefore
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *  NSS_ERROR_INVALID_TIME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPrivateKeyUsagePeriod_SetNotBefore
+(
+  NSSPKIXPrivateKeyUsagePeriod *period,
+  NSSTime *notBefore
+);
+
+/*
+ * NSSPKIXPrivateKeyUsagePeriod_RemoveNotBefore
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *  NSS_ERROR_HAS_NO_NOT_BEFORE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPrivateKeyUsagePeriod_RemoveNotBefore
+(
+  NSSPKIXPrivateKeyUsagePeriod *period
+);
+
+/*
+ * NSSPKIXPrivateKeyUsagePeriod_HasNotAfter
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXPrivateKeyUsagePeriod_HasNotAfter
+(
+  NSSPKIXPrivateKeyUsagePeriod *period,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXPrivateKeyUsagePeriod_GetNotAfter
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_HAS_NO_NOT_AFTER
+ *
+ * Return value:
+ *  NSSTime {fgmr!}
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSTime *
+NSSPKIXPrivateKeyUsagePeriod_GetNotAfter
+(
+  NSSPKIXPrivateKeyUsagePeriod *period,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPrivateKeyUsagePeriod_SetNotAfter
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *  NSS_ERROR_INVALID_TIME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPrivateKeyUsagePeriod_SetNotAfter
+(
+  NSSPKIXPrivateKeyUsagePeriod *period,
+  NSSTime *notAfter
+);
+
+/*
+ * NSSPKIXPrivateKeyUsagePeriod_RemoveNotAfter
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *  NSS_ERROR_HAS_NO_NOT_AFTER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPrivateKeyUsagePeriod_RemoveNotAfter
+(
+  NSSPKIXPrivateKeyUsagePeriod *period
+);
+
+/*
+ * NSSPKIXPrivateKeyUsagePeriod_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXPrivateKeyUsagePeriod_Equal
+(
+  NSSPKIXPrivateKeyUsagePeriod *period1,
+  NSSPKIXPrivateKeyUsagePeriod *period2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXPrivateKeyUsagePeriod_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPrivateKeyUsagePeriod upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPrivateKeyUsagePeriod *
+NSSPKIXPrivateKeyUsagePeriod_Duplicate
+(
+  NSSPKIXPrivateKeyUsagePeriod *period,
+  NSSArena *arenaOpt
+);
+
+/*
+ * CertificatePolicies
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
+ *
+ * The public calls for the type:
+ *
+ *  NSSPKIXCertificatePolicies_Decode
+ *  NSSPKIXCertificatePolicies_Create
+ *  NSSPKIXCertificatePolicies_Destroy
+ *  NSSPKIXCertificatePolicies_Encode
+ *  NSSPKIXCertificatePolicies_GetPolicyInformationCount
+ *  NSSPKIXCertificatePolicies_GetPolicyInformations
+ *  NSSPKIXCertificatePolicies_SetPolicyInformations
+ *  NSSPKIXCertificatePolicies_GetPolicyInformation
+ *  NSSPKIXCertificatePolicies_SetPolicyInformation
+ *  NSSPKIXCertificatePolicies_InsertPolicyInformation
+ *  NSSPKIXCertificatePolicies_AppendPolicyInformation
+ *  NSSPKIXCertificatePolicies_RemovePolicyInformation
+ *  NSSPKIXCertificatePolicies_FindPolicyInformation
+ *  NSSPKIXCertificatePolicies_Equal
+ *  NSSPKIXCertificatePolicies_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXCertificatePolicies_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificatePolicies upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificatePolicies *
+NSSPKIXCertificatePolicies_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXCertificatePolicies_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificatePolicies upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificatePolicies *
+NSSPKIXCertificatePolicies_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXPolicyInformation *pi1,
+  ...
+);
+
+/*
+ * NSSPKIXCertificatePolicies_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXCertificatePolicies_Destroy
+(
+  NSSPKIXCertificatePolicies *cp
+);
+
+/*
+ * NSSPKIXCertificatePolicies_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXCertificatePolicies_Encode
+(
+  NSSPKIXCertificatePolicies *cp,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXCertificatePolicies_GetPolicyInformationCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXCertificatePolicies_GetPolicyInformationCount
+(
+  NSSPKIXCertificatePolicies *cp
+);
+
+/*
+ * NSSPKIXCertificatePolicies_GetPolicyInformations
+ *
+ * We regret the function name.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXPolicyInformation pointers
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyInformation **
+NSSPKIXCertificatePolicies_GetPolicyInformations
+(
+  NSSPKIXCertificatePolicies *cp,
+  NSSPKIXPolicyInformation *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXCertificatePolicies_SetPolicyInformations
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXCertificatePolicies_SetPolicyInformations
+(
+  NSSPKIXCertificatePolicies *cp,
+  NSSPKIXPolicyInformation *pi[],
+  PRInt32 count
+);
+
+/*
+ * NSSPKIXCertificatePolicies_GetPolicyInformation
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyInformation upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyInformation *
+NSSPKIXCertificatePolicies_GetPolicyInformation
+(
+  NSSPKIXCertificatePolicies *cp,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXCertificatePolicies_SetPolicyInformation
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXCertificatePolicies_SetPolicyInformation
+(
+  NSSPKIXCertificatePolicies *cp,
+  PRInt32 i,
+  NSSPKIXPolicyInformation *pi
+);
+
+/*
+ * NSSPKIXCertificatePolicies_InsertPolicyInformation
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXCertificatePolicies_InsertPolicyInformation
+(
+  NSSPKIXCertificatePolicies *cp,
+  PRInt32 i,
+  NSSPKIXPolicyInformation *pi
+);
+
+/*
+ * NSSPKIXCertificatePolicies_AppendPolicyInformation
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXCertificatePolicies_AppendPolicyInformation
+(
+  NSSPKIXCertificatePolicies *cp,
+  NSSPKIXPolicyInformation *pi
+);
+
+/*
+ * NSSPKIXCertificatePolicies_RemovePolicyInformation
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXCertificatePolicies_RemovePolicyInformation
+(
+  NSSPKIXCertificatePolicies *cp,
+  PRInt32 i
+);
+
+/*
+ * NSSPKIXCertificatePolicies_FindPolicyInformation
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *
+ * Return value:
+ *  The nonnegative integer upon success
+ *  -1 upon failure
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXCertificatePolicies_FindPolicyInformation
+(
+  NSSPKIXCertificatePolicies *cp,
+  NSSPKIXPolicyInformation *pi
+);
+
+/*
+ * NSSPKIXCertificatePolicies_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXCertificatePolicies_Equal
+(
+  NSSPKIXCertificatePolicies *cp1,
+  NSSPKIXCertificatePolicies *cp2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXCertificatePolicies_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificatePolicies upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificatePolicies *
+NSSPKIXCertificatePolicies_Duplicate
+(
+  NSSPKIXCertificatePolicies *cp,
+  NSSArena *arenaOpt
+);
+
+/*
+ * PolicyInformation
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PolicyInformation ::= SEQUENCE {
+ *       policyIdentifier   CertPolicyId,
+ *       policyQualifiers   SEQUENCE SIZE (1..MAX) OF
+ *               PolicyQualifierInfo OPTIONAL }
+ *
+ * The public calls for the type:
+ *
+ *  NSSPKIXPolicyInformation_Decode
+ *  NSSPKIXPolicyInformation_Create
+ *  NSSPKIXPolicyInformation_Destroy
+ *  NSSPKIXPolicyInformation_Encode
+ *  NSSPKIXPolicyInformation_GetPolicyIdentifier
+ *  NSSPKIXPolicyInformation_SetPolicyIdentifier
+ *  NSSPKIXPolicyInformation_GetPolicyQualifierCount
+ *  NSSPKIXPolicyInformation_GetPolicyQualifiers
+ *  NSSPKIXPolicyInformation_SetPolicyQualifiers
+ *  NSSPKIXPolicyInformation_GetPolicyQualifier
+ *  NSSPKIXPolicyInformation_SetPolicyQualifier
+ *  NSSPKIXPolicyInformation_InsertPolicyQualifier
+ *  NSSPKIXPolicyInformation_AppendPolicyQualifier
+ *  NSSPKIXPolicyInformation_RemovePolicyQualifier
+ *  NSSPKIXPolicyInformation_Equal
+ *  NSSPKIXPolicyInformation_Duplicate
+ *    { and accessors by specific policy qualifier ID }
+ *
+ */
+
+/*
+ * NSSPKIXPolicyInformation_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyInformation upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyInformation *
+NSSPKIXPolicyInformation_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXPolicyInformation_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyInformation upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyInformation *
+NSSPKIXPolicyInformation_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXCertPolicyId *id,
+  NSSPKIXPolicyQualifierInfo *pqi1,
+  ...
+);
+
+/*
+ * NSSPKIXPolicyInformation_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPolicyInformation_Destroy
+(
+  NSSPKIXPolicyInformation *pi
+);
+
+/*
+ * NSSPKIXPolicyInformation_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXPolicyInformation_Encode
+(
+  NSSPKIXPolicyInformation *pi,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPolicyInformation_GetPolicyIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid OID upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertPolicyId *
+NSSPKIXPolicyInformation_GetPolicyIdentifier
+(
+  NSSPKIXPolicyInformation *pi
+);
+
+/*
+ * NSSPKIXPolicyInformation_SetPolicyIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPolicyInformation_SetPolicyIdentifier
+(
+  NSSPKIXPolicyInformation *pi,
+  NSSPKIXCertPolicyIdentifier *cpi
+);
+
+/*
+ * NSSPKIXPolicyInformation_GetPolicyQualifierCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXPolicyInformation_GetPolicyQualifierCount
+(
+  NSSPKIXPolicyInformation *pi
+);
+
+/*
+ * NSSPKIXPolicyInformation_GetPolicyQualifiers
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXPolicyQualifierInfo pointers
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyQualifierInfo **
+NSSPKIXPolicyInformation_GetPolicyQualifiers
+(
+  NSSPKIXPolicyInformation *pi,
+  NSSPKIXPolicyQualifierInfo *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPolicyInformation_SetPolicyQualifiers
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPolicyInformation_SetPolicyQualifiers
+(
+  NSSPKIXPolicyInformation *pi,
+  NSSPKIXPolicyQualifierInfo *pqi[],
+  PRInt32 count
+);
+
+/*
+ * NSSPKIXPolicyInformation_GetPolicyQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyQualifierInfo upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyQualifierInfo *
+NSSPKIXPolicyInformation_GetPolicyQualifier
+(
+  NSSPKIXPolicyInformation *pi,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPolicyInformation_SetPolicyQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPolicyInformation_SetPolicyQualifier
+(
+  NSSPKIXPolicyInformation *pi,
+  PRInt32 i,
+  NSSPKIXPolicyQualifierInfo *pqi
+);
+
+/*
+ * NSSPKIXPolicyInformation_InsertPolicyQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPolicyInformation_InsertPolicyQualifier
+(
+  NSSPKIXPolicyInformation *pi,
+  PRInt32 i,
+  NSSPKIXPolicyQualifierInfo *pqi
+);
+
+/*
+ * NSSPKIXPolicyInformation_AppendPolicyQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPolicyInformation_AppendPolicyQualifier
+(
+  NSSPKIXPolicyInformation *pi,
+  PRInt32 i,
+  NSSPKIXPolicyQualifierInfo *pqi
+);
+
+/*
+ * NSSPKIXPolicyInformation_RemovePolicyQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPolicyInformation_RemovePolicyQualifier
+(
+  NSSPKIXPolicyInformation *pi,
+  PRInt32 i
+);
+
+/*
+ * NSSPKIXPolicyInformation_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXPolicyInformation_Equal
+(
+  NSSPKIXPolicyInformation *pi1,
+  NSSPKIXPolicyInformation *pi2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXPolicyInformation_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyInformation upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyInformation *
+NSSPKIXPolicyInformation_Duplicate
+(
+  NSSPKIXPolicyInformation *pi,
+  NSSArena *arenaOpt
+);
+
+/*
+ *   { and accessors by specific policy qualifier ID }
+ *
+ */
+
+/*
+ * PolicyQualifierInfo
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PolicyQualifierInfo ::= SEQUENCE {
+ *         policyQualifierId  PolicyQualifierId,
+ *         qualifier        ANY DEFINED BY policyQualifierId }
+ *
+ * The public calls for the type:
+ *
+ *  NSSPKIXPolicyQualifierInfo_Decode
+ *  NSSPKIXPolicyQualifierInfo_Create
+ *  NSSPKIXPolicyQualifierInfo_Destroy
+ *  NSSPKIXPolicyQualifierInfo_Encode
+ *  NSSPKIXPolicyQualifierInfo_GetPolicyQualifierID
+ *  NSSPKIXPolicyQualifierInfo_SetPolicyQualifierID
+ *  NSSPKIXPolicyQualifierInfo_GetQualifier
+ *  NSSPKIXPolicyQualifierInfo_SetQualifier
+ *  NSSPKIXPolicyQualifierInfo_Equal
+ *  NSSPKIXPolicyQualifierInfo_Duplicate
+ *    { and accessors by specific qualifier id/type }
+ *
+ */
+
+/*
+ * NSSPKIXPolicyQualifierInfo_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyQualifierInfo upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyQualifierInfo *
+NSSPKIXPolicyQualifierInfo_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXPolicyQualifierInfo_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_ID
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyQualifierInfo upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyQualifierInfo *
+NSSPKIXPolicyQualifierInfo_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXPolicyQualifierId *policyQualifierId,
+  NSSItem *qualifier
+);
+
+/*
+ * NSSPKIXPolicyQualifierInfo_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPolicyQualifierInfo_Destroy
+(
+  NSSPKIXPolicyQualifierInfo *pqi
+);
+
+/*
+ * NSSPKIXPolicyQualifierInfo_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXPolicyQualifierInfo_Encode
+(
+  NSSPKIXPolicyQualifierInfo *pqi,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPolicyQualifierInfo_GetPolicyQualifierId
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyQualifierId (an NSSOID) upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyQualifierId *
+NSSPKIXPolicyQualifierInfo_GetPolicyQualifierId
+(
+  NSSPKIXPolicyQualifierInfo *pqi,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPolicyQualifierInfo_SetPolicyQualifierId
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_ID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPolicyQualifierInfo_SetPolicyQualifierId
+(
+  NSSPKIXPolicyQualifierInfo *pqi,
+  NSSPKIXPolicyQualifierId *pqid
+);
+
+/*
+ * NSSPKIXPolicyQualifierInfo_GetQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSItem *
+NSSPKIXPolicyQualifierInfo_GetQualifier
+(
+  NSSPKIXPolicyQualifierInfo *pqi,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPolicyQualifierInfo_SetQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPolicyQualifierInfo_SetQualifier
+(
+  NSSPKIXPolicyQualifierInfo *pqi,
+  NSSItem *qualifier
+);
+
+/*
+ * NSSPKIXPolicyQualifierInfo_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXPolicyQualifierInfo_Equal
+(
+  NSSPKIXPolicyQualifierInfo *pqi1,
+  NSSPKIXPolicyQualifierInfo *pqi2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXPolicyQualifierInfo_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyQualifierInfo upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyQualifierInfo *
+NSSPKIXPolicyQualifierInfo_Duplicate
+(
+  NSSPKIXPolicyQualifierInfo *pqi,
+  NSSArena *arenaOpt
+);
+
+/*
+ *   { and accessors by specific qualifier id/type }
+ *
+ */
+
+/*
+ * CPSuri
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CPSuri ::= IA5String
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXCPSuri_Decode
+ *  NSSPKIXCPSuri_CreateFromUTF8
+ *  NSSPKIXCPSuri_Encode
+ *
+ */
+
+/*
+ * NSSPKIXCPSuri_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCPSuri upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCPSuri *
+NSSPKIXCPSuri_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXCPSuri_CreateFromUTF8
+ *
+ * { basically just enforces the length and charset limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCPSuri upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCPSuri *
+NSSPKIXCPSuri_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXCPSuri_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CPS_URI
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXCPSuri_Encode
+(
+  NSSPKIXCPSuri *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * UserNotice
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  UserNotice ::= SEQUENCE {
+ *       noticeRef        NoticeReference OPTIONAL,
+ *       explicitText     DisplayText OPTIONAL}
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXUserNotice_Decode
+ *  NSSPKIXUserNotice_Create
+ *  NSSPKIXUserNotice_Destroy
+ *  NSSPKIXUserNotice_Encode
+ *  NSSPKIXUserNotice_HasNoticeRef
+ *  NSSPKIXUserNotice_GetNoticeRef
+ *  NSSPKIXUserNotice_SetNoticeRef
+ *  NSSPKIXUserNotice_RemoveNoticeRef
+ *  NSSPKIXUserNotice_HasExplicitText
+ *  NSSPKIXUserNotice_GetExplicitText
+ *  NSSPKIXUserNotice_SetExplicitText
+ *  NSSPKIXUserNotice_RemoveExplicitText
+ *  NSSPKIXUserNotice_Equal
+ *  NSSPKIXUserNotice_Duplicate
+ *
+ */
+
+
+/*
+ * NSSPKIXUserNotice_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXUserNotice upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXUserNotice *
+NSSPKIXUserNotice_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXUserNotice_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_INVALID_PKIX_DISPLAY_TEXT
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXUserNotice upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXUserNotice *
+NSSPKIXUserNotice_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXNoticeReference *noticeRef,
+  NSSPKIXDisplayText *explicitText
+);
+
+/*
+ * NSSPKIXUserNotice_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXUserNotice_Destroy
+(
+  NSSPKIXUserNotice *userNotice
+);
+
+/*
+ * NSSPKIXUserNotice_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXUserNotice_Encode
+(
+  NSSPKIXUserNotice *userNotice,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXUserNotice_HasNoticeRef
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXUserNotice_HasNoticeRef
+(
+  NSSPKIXUserNotice *userNotice,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXUserNotice_GetNoticeRef
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_HAS_NO_NOTICE_REF
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXNoticeReference upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNoticeReference *
+NSSPKIXUserNotice_GetNoticeRef
+(
+  NSSPKIXUserNotice *userNotice,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXUserNotice_SetNoticeRef
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXUserNotice_SetNoticeRef
+(
+  NSSPKIXUserNotice *userNotice,
+  NSSPKIXNoticeReference *noticeRef
+);
+
+/*
+ * NSSPKIXUserNotice_RemoveNoticeRef
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ *  NSS_ERROR_HAS_NO_NOTICE_REF
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXUserNotice_RemoveNoticeRef
+(
+  NSSPKIXUserNotice *userNotice
+);
+
+/*
+ * NSSPKIXUserNotice_HasExplicitText
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ * 
+ * Return value:
+ *  PR_TRUE if it has some
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXUserNotice_HasExplicitText
+(
+  NSSPKIXUserNotice *userNotice,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXUserNotice_GetExplicitText
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_HAS_NO_EXPLICIT_TEXT
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDisplayText string upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDisplayText *
+NSSPKIXUserNotice_GetExplicitText
+(
+  NSSPKIXUserNotice *userNotice,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXUserNotice_SetExplicitText
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ *  NSS_ERROR_INVALID_PKIX_DISPLAY_TEXT
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXUserNotice_SetExplicitText
+(
+  NSSPKIXUserNotice *userNotice,
+  NSSPKIXDisplayText *explicitText
+);
+
+/*
+ * NSSPKIXUserNotice_RemoveExplicitText
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ *  NSS_ERROR_HAS_NO_EXPLICIT_TEXT
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXUserNotice_RemoveExplicitText
+(
+  NSSPKIXUserNotice *userNotice
+);
+
+/*
+ * NSSPKIXUserNotice_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXUserNotice_Equal
+(
+  NSSPKIXUserNotice *userNotice1,
+  NSSPKIXUserNotice *userNotice2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXUserNotice_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXUserNotice upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXUserNotice *
+NSSPKIXUserNotice_Duplicate
+(
+  NSSPKIXUserNotice *userNotice,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NoticeReference
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  NoticeReference ::= SEQUENCE {
+ *       organization     DisplayText,
+ *       noticeNumbers    SEQUENCE OF INTEGER }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXNoticeReference_Decode
+ *  NSSPKIXNoticeReference_Create
+ *  NSSPKIXNoticeReference_Destroy
+ *  NSSPKIXNoticeReference_Encode
+ *  NSSPKIXNoticeReference_GetOrganization
+ *  NSSPKIXNoticeReference_SetOrganization
+ *  NSSPKIXNoticeReference_GetNoticeNumberCount
+ *  NSSPKIXNoticeReference_GetNoticeNumbers
+ *  NSSPKIXNoticeReference_SetNoticeNumbers
+ *  NSSPKIXNoticeReference_GetNoticeNumber
+ *  NSSPKIXNoticeReference_SetNoticeNumber
+ *  NSSPKIXNoticeReference_InsertNoticeNumber
+ *  NSSPKIXNoticeReference_AppendNoticeNumber
+ *  NSSPKIXNoticeReference_RemoveNoticeNumber
+ *    { maybe number-exists-p gettor? }
+ *  NSSPKIXNoticeReference_Equal
+ *  NSSPKIXNoticeReference_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXNoticeReference_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXNoticeReference upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNoticeReference *
+NSSPKIXNoticeReference_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXNoticeReference_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_DISPLAY_TEXT
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXNoticeReference upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNoticeReference *
+NSSPKIXNoticeReference_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXDisplayText *organization,
+  PRUint32 noticeCount,
+  PRInt32 noticeNumber1,
+  ...
+);
+
+/*
+ * { fgmr -- or should the call that takes PRInt32 be _CreateFromValues,
+ *  and the _Create call take NSSBER integers? }
+ */
+
+/*
+ * NSSPKIXNoticeReference_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXNoticeReference_Destroy
+(
+  NSSPKIXNoticeReference *nr
+);
+
+/*
+ * NSSPKIXNoticeReference_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXNoticeReference_Encode
+(
+  NSSPKIXNoticeReference *nr,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXNoticeReference_GetOrganization
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDisplayText string upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDisplayText *
+NSSPKIXNoticeReference_GetOrganization
+(
+  NSSPKIXNoticeReference *nr,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXNoticeReference_SetOrganization
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_INVALID_PKIX_DISPLAY_TEXT
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXNoticeReference_SetOrganization
+(
+  NSSPKIXNoticeReference *nr,
+  NSSPKIXDisplayText *organization
+);
+
+/*
+ * NSSPKIXNoticeReference_GetNoticeNumberCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXNoticeReference_GetNoticeNumberCount
+(
+  NSSPKIXNoticeReference *nr
+);
+
+/*
+ * NSSPKIXNoticeReference_GetNoticeNumbers
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ * 
+ * Return value:
+ *  A valid pointer to an array of PRInt32 values upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN PRInt32 *
+NSSPKIXNoticeReference_GetNoticeNumbers
+(
+  NSSPKIXNoticeReference *nr,
+  PRInt32 rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXNoticeReference_SetNoticeNumbers
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXNoticeReference_SetNoticeNumbers
+(
+  NSSPKIXNoticeReference *nr,
+  PRInt32 noticeNumbers[],
+  PRInt32 count
+);
+
+/*
+ * NSSPKIXNoticeReference_GetNoticeNumber
+ *
+ * -- fgmr comments --
+ * Because there is no natural "invalid" notice number value, we must
+ * pass the number by reference, and return an explicit status value.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_INVALID_POINTER
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXNoticeReference_GetNoticeNumber
+(
+  NSSPKIXNoticeReference *nr,
+  PRInt32 i,
+  PRInt32 *noticeNumberP
+);
+  
+/*
+ * NSSPKIXNoticeReference_SetNoticeNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXNoticeReference_SetNoticeNumber
+(
+  NSSPKIXNoticeReference *nr,
+  PRInt32 i,
+  PRInt32 noticeNumber
+);
+
+/*
+ * NSSPKIXNoticeReference_InsertNoticeNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXNoticeReference_InsertNoticeNumber
+(
+  NSSPKIXNoticeReference *nr,
+  PRInt32 i,
+  PRInt32 noticeNumber
+);
+
+/*
+ * NSSPKIXNoticeReference_AppendNoticeNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXNoticeReference_AppendNoticeNumber
+(
+  NSSPKIXNoticeReference *nr,
+  PRInt32 noticeNumber
+);
+
+/*
+ * NSSPKIXNoticeReference_RemoveNoticeNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXNoticeReference_RemoveNoticeNumber
+(
+  NSSPKIXNoticeReference *nr,
+  PRInt32 i
+);
+
+/*
+ *   { maybe number-exists-p gettor? }
+ */
+
+/*
+ * NSSPKIXNoticeReference_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXNoticeReference_Equal
+(
+  NSSPKIXNoticeReference *nr1,
+  NSSPKIXNoticeReference *nr2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXNoticeReference_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXNoticeReference upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNoticeReference *
+NSSPKIXNoticeReference_Duplicate
+(
+  NSSPKIXNoticeReference *nr,
+  NSSArena *arenaOpt
+);
+
+/*
+ * DisplayText
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  DisplayText ::= CHOICE {
+ *       visibleString    VisibleString  (SIZE (1..200)),
+ *       bmpString        BMPString      (SIZE (1..200)),
+ *       utf8String       UTF8String     (SIZE (1..200)) }
+ * 
+ * The public calls for this type:
+ *
+ *  NSSPKIXDisplayText_Decode
+ *  NSSPKIXDisplayText_CreateFromUTF8
+ *  NSSPKIXDisplayText_Encode
+ *
+ */
+
+/*
+ * NSSPKIXDisplayText_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDisplayText upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDisplayText *
+NSSPKIXDisplayText_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXDisplayText_CreateFromUTF8
+ *
+ * { basically just enforces the length and charset limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDisplayText upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDisplayText *
+NSSPKIXDisplayText_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXDisplayText_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISPLAY_TEXT
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXDisplayText_Encode
+(
+  NSSPKIXDisplayText *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * PolicyMappings
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ *       issuerDomainPolicy      CertPolicyId,
+ *       subjectDomainPolicy     CertPolicyId }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXPolicyMappings_Decode
+ *  NSSPKIXPolicyMappings_Create
+ *  NSSPKIXPolicyMappings_Destroy
+ *  NSSPKIXPolicyMappings_Encode
+ *  NSSPKIXPolicyMappings_GetPolicyMappingCount
+ *  NSSPKIXPolicyMappings_GetPolicyMappings
+ *  NSSPKIXPolicyMappings_SetPolicyMappings
+ *  NSSPKIXPolicyMappings_GetPolicyMapping
+ *  NSSPKIXPolicyMappings_SetPolicyMapping
+ *  NSSPKIXPolicyMappings_InsertPolicyMapping
+ *  NSSPKIXPolicyMappings_AppendPolicyMapping
+ *  NSSPKIXPolicyMappings_RemovePolicyMapping
+ *  NSSPKIXPolicyMappings_FindPolicyMapping
+ *  NSSPKIXPolicyMappings_Equal
+ *  NSSPKIXPolicyMappings_Duplicate
+ *  NSSPKIXPolicyMappings_IssuerDomainPolicyExists
+ *  NSSPKIXPolicyMappings_SubjectDomainPolicyExists
+ *  NSSPKIXPolicyMappings_FindIssuerDomainPolicy
+ *  NSSPKIXPolicyMappings_FindSubjectDomainPolicy
+ *  NSSPKIXPolicyMappings_MapIssuerToSubject
+ *  NSSPKIXPolicyMappings_MapSubjectToIssuer
+ *    { find's and map's: what if there's more than one? }
+ *
+ */
+
+/*
+ * NSSPKIXPolicyMappings_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyMappings upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyMappings *
+NSSPKIXPolicyMappings_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXPolicyMappings_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyMappings upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyMappings *
+NSSPKIXPolicyMappings_Decode
+(
+  NSSArena *arenaOpt,
+  NSSPKIXpolicyMapping *policyMapping1,
+  ...
+);
+
+/*
+ * NSSPKIXPolicyMappings_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPolicyMappings_Destroy
+(
+  NSSPKIXPolicyMappings *policyMappings
+);
+
+/*
+ * NSSPKIXPolicyMappings_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_DATA
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXPolicyMappings_Encode
+(
+  NSSPKIXPolicyMappings *policyMappings,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPolicyMappings_GetPolicyMappingCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXPolicyMappings_GetPolicyMappingCount
+(
+  NSSPKIXPolicyMappings *policyMappings
+);
+
+/*
+ * NSSPKIXPolicyMappings_GetPolicyMappings
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ * 
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXpolicyMapping pointers upon
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXpolicyMapping **
+NSSPKIXPolicyMappings_GetPolicyMappings
+(
+  NSSPKIXPolicyMappings *policyMappings
+  NSSPKIXpolicyMapping *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPolicyMappings_SetPolicyMappings
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPolicyMappings_SetPolicyMappings
+(
+  NSSPKIXPolicyMappings *policyMappings
+  NSSPKIXpolicyMapping *policyMapping[]
+  PRInt32 count
+);
+
+/*
+ * NSSPKIXPolicyMappings_GetPolicyMapping
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXpolicyMapping upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXpolicyMapping *
+NSSPKIXPolicyMappings_GetPolicyMapping
+(
+  NSSPKIXPolicyMappings *policyMappings
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPolicyMappings_SetPolicyMapping
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPolicyMappings_SetPolicyMapping
+(
+  NSSPKIXPolicyMappings *policyMappings
+  PRInt32 i,
+  NSSPKIXpolicyMapping *policyMapping
+);
+
+/*
+ * NSSPKIXPolicyMappings_InsertPolicyMapping
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPolicyMappings_InsertPolicyMapping
+(
+  NSSPKIXPolicyMappings *policyMappings
+  PRInt32 i,
+  NSSPKIXpolicyMapping *policyMapping
+);
+
+/*
+ * NSSPKIXPolicyMappings_AppendPolicyMapping
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPolicyMappings_AppendPolicyMapping
+(
+  NSSPKIXPolicyMappings *policyMappings
+  NSSPKIXpolicyMapping *policyMapping
+);
+
+/*
+ * NSSPKIXPolicyMappings_RemovePolicyMapping
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPolicyMappings_RemovePolicyMapping
+(
+  NSSPKIXPolicyMappings *policyMappings
+  PRInt32 i
+);
+
+/*
+ * NSSPKIXPolicyMappings_FindPolicyMapping
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  The index of the specified policy mapping upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXPolicyMappings_FindPolicyMapping
+(
+  NSSPKIXPolicyMappings *policyMappings
+  NSSPKIXpolicyMapping *policyMapping
+);
+
+/*
+ * NSSPKIXPolicyMappings_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXPolicyMappings_Equal
+(
+  NSSPKIXPolicyMappings *policyMappings1,
+  NSSPKIXpolicyMappings *policyMappings2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXPolicyMappings_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyMappings upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyMappings *
+NSSPKIXPolicyMappings_Duplicate
+(
+  NSSPKIXPolicyMappings *policyMappings,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPolicyMappings_IssuerDomainPolicyExists
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
+ * 
+ * Return value:
+ *  PR_TRUE if the specified domain policy OID exists
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXPolicyMappings_IssuerDomainPolicyExists
+(
+  NSSPKIXPolicyMappings *policyMappings,
+  NSSPKIXCertPolicyId *issuerDomainPolicy,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXPolicyMappings_SubjectDomainPolicyExists
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
+ * 
+ * Return value:
+ *  PR_TRUE if the specified domain policy OID exists
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXPolicyMappings_SubjectDomainPolicyExists
+(
+  NSSPKIXPolicyMappings *policyMappings,
+  NSSPKIXCertPolicyId *subjectDomainPolicy,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXPolicyMappings_FindIssuerDomainPolicy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  The index of the specified policy mapping upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXPolicyMappings_FindIssuerDomainPolicy
+(
+  NSSPKIXPolicyMappings *policyMappings,
+  NSSPKIXCertPolicyId *issuerDomainPolicy
+);
+
+/*
+ * NSSPKIXPolicyMappings_FindSubjectDomainPolicy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  The index of the specified policy mapping upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXPolicyMappings_FindSubjectDomainPolicy
+(
+  NSSPKIXPolicyMappings *policyMappings,
+  NSSPKIXCertPolicyId *issuerDomainPolicy
+);
+
+/*
+ * NSSPKIXPolicyMappings_MapIssuerToSubject
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
+ *  NSS_ERROR_NOT_FOUND
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertPolicyId upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertPolicyId *
+NSSPKIXPolicyMappings_MapIssuerToSubject
+(
+  NSSPKIXPolicyMappings *policyMappings,
+  NSSPKIXCertPolicyId *issuerDomainPolicy
+);
+
+/*
+ * NSSPKIXPolicyMappings_MapSubjectToIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
+ *  NSS_ERROR_NOT_FOUND
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertPolicyId upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertPolicyId *
+NSSPKIXPolicyMappings_MapSubjectToIssuer
+(
+  NSSPKIXPolicyMappings *policyMappings,
+  NSSPKIXCertPolicyId *issuerDomainPolicy
+);
+
+/*
+ * policyMapping
+ *
+ * Helper structure for PolicyMappings
+ *
+ *                                               SEQUENCE {
+ *       issuerDomainPolicy      CertPolicyId,
+ *       subjectDomainPolicy     CertPolicyId }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXpolicyMapping_Decode
+ *  NSSPKIXpolicyMapping_Create
+ *  NSSPKIXpolicyMapping_Destroy
+ *  NSSPKIXpolicyMapping_Encode
+ *  NSSPKIXpolicyMapping_GetIssuerDomainPolicy
+ *  NSSPKIXpolicyMapping_SetIssuerDomainPolicy
+ *  NSSPKIXpolicyMapping_GetSubjectDomainPolicy
+ *  NSSPKIXpolicyMapping_SetSubjectDomainPolicy
+ *  NSSPKIXpolicyMapping_Equal
+ *  NSSPKIXpolicyMapping_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXpolicyMapping_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXpolicyMapping upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXpolicyMapping *
+NSSPKIXpolicyMapping_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXpolicyMapping_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXpolicyMapping upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXpolicyMapping *
+NSSPKIXpolicyMapping_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXCertPolicyId *issuerDomainPolicy,
+  NSSPKIXCertPolicyId *subjectDomainPolicy
+);
+
+/*
+ * NSSPKIXpolicyMapping_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXpolicyMapping_Destroy
+(
+  NSSPKIXpolicyMapping *policyMapping
+);
+
+/*
+ * NSSPKIXpolicyMapping_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_DATA
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXpolicyMapping_Encode
+(
+  NSSPKIXpolicyMapping *policyMapping,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXpolicyMapping_GetIssuerDomainPolicy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertPolicyId OID upon success
+ *  NULL upon faliure
+ */
+
+NSS_EXTERN NSSPKIXCertPolicyId *
+NSSPKIXpolicyMapping_GetIssuerDomainPolicy
+(
+  NSSPKIXpolicyMapping *policyMapping
+);
+
+/*
+ * NSSPKIXpolicyMapping_SetIssuerDomainPolicy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *  NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXpolicyMapping_SetIssuerDomainPolicy
+(
+  NSSPKIXpolicyMapping *policyMapping,
+  NSSPKIXCertPolicyId *issuerDomainPolicy
+);
+
+/*
+ * NSSPKIXpolicyMapping_GetSubjectDomainPolicy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertPolicyId OID upon success
+ *  NULL upon faliure
+ */
+
+NSS_EXTERN NSSPKIXCertPolicyId *
+NSSPKIXpolicyMapping_GetSubjectDomainPolicy
+(
+  NSSPKIXpolicyMapping *policyMapping
+);
+
+/*
+ * NSSPKIXpolicyMapping_SetSubjectDomainPolicy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *  NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXpolicyMapping_SetSubjectDomainPolicy
+(
+  NSSPKIXpolicyMapping *policyMapping,
+  NSSPKIXCertPolicyId *subjectDomainPolicy
+);
+
+/*
+ * NSSPKIXpolicyMapping_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXpolicyMapping_Equal
+(
+  NSSPKIXpolicyMapping *policyMapping1,
+  NSSPKIXpolicyMapping *policyMapping2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXpolicyMapping_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXpolicyMapping upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXpolicyMapping *
+NSSPKIXpolicyMapping_Duplicate
+(
+  NSSPKIXpolicyMapping *policyMapping,
+  NSSArena *arenaOpt
+);
+
+/*
+ * GeneralName
+ *
+ * This structure contains a union of the possible general names,
+ * of which there are several.
+ *
+ * From RFC 2459:
+ *
+ *  GeneralName ::= CHOICE {
+ *       otherName                       [0]     AnotherName,
+ *       rfc822Name                      [1]     IA5String,
+ *       dNSName                         [2]     IA5String,
+ *       x400Address                     [3]     ORAddress,
+ *       directoryName                   [4]     Name,
+ *       ediPartyName                    [5]     EDIPartyName,
+ *       uniformResourceIdentifier       [6]     IA5String,
+ *       iPAddress                       [7]     OCTET STRING,
+ *       registeredID                    [8]     OBJECT IDENTIFIER }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXGeneralName_Decode
+ *  NSSPKIXGeneralName_CreateFromUTF8
+ *  NSSPKIXGeneralName_Create
+ *  NSSPKIXGeneralName_CreateFromOtherName
+ *  NSSPKIXGeneralName_CreateFromRfc822Name
+ *  NSSPKIXGeneralName_CreateFromDNSName
+ *  NSSPKIXGeneralName_CreateFromX400Address
+ *  NSSPKIXGeneralName_CreateFromDirectoryName
+ *  NSSPKIXGeneralName_CreateFromEDIPartyName
+ *  NSSPKIXGeneralName_CreateFromUniformResourceIdentifier
+ *  NSSPKIXGeneralName_CreateFromIPAddress
+ *  NSSPKIXGeneralName_CreateFromRegisteredID
+ *  NSSPKIXGeneralName_Destroy
+ *  NSSPKIXGeneralName_Encode
+ *  NSSPKIXGeneralName_GetUTF8Encoding
+ *  NSSPKIXGeneralName_GetChoice
+ *  NSSPKIXGeneralName_GetOtherName
+ *  NSSPKIXGeneralName_GetRfc822Name
+ *  NSSPKIXGeneralName_GetDNSName
+ *  NSSPKIXGeneralName_GetX400Address
+ *  NSSPKIXGeneralName_GetDirectoryName
+ *  NSSPKIXGeneralName_GetEDIPartyName
+ *  NSSPKIXGeneralName_GetUniformResourceIdentifier
+ *  NSSPKIXGeneralName_GetIPAddress
+ *  NSSPKIXGeneralName_GetRegisteredID
+ *  NSSPKIXGeneralName_GetSpecifiedChoice
+ *  NSSPKIXGeneralName_Equal
+ *  NSSPKIXGeneralName_Duplicate
+ *  (in pki1 I had specific attribute value gettors here too)
+ *
+ */
+
+/*
+ * NSSPKIXGeneralName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+NSSPKIXGeneralName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXGeneralName_CreateFromUTF8
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+NSSPKIXGeneralName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * NSSPKIXGeneralName_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME_CHOICE
+ *  NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
+ *  NSS_ERROR_INVALID_PKIX_IA5_STRING
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_INVALID_OID
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+NSSPKIXGeneralName_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXGeneralNameChoice choice,
+  void *content
+);
+
+/*
+ * NSSPKIXGeneralName_CreateFromOtherName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+NSSPKIXGeneralName_CreateFromOtherName
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAnotherName *otherName
+);
+
+/*
+ * NSSPKIXGeneralName_CreateFromRfc822Name
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_IA5_STRING
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+NSSPKIXGeneralName_CreateFromRfc822Name
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *rfc822Name
+);
+
+/*
+ * NSSPKIXGeneralName_CreateFromDNSName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_IA5_STRING
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+NSSPKIXGeneralName_CreateFromDNSName
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *dNSName
+);
+
+/*
+ * NSSPKIXGeneralName_CreateFromX400Address
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+NSSPKIXGeneralName_CreateFromX400Address
+(
+  NSSArena *arenaOpt,
+  NSSPKIXORAddress *x400Address
+);
+
+/*
+ * NSSPKIXGeneralName_CreateFromDirectoryName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+NSSPKIXGeneralName_CreateFromDirectoryName
+(
+  NSSArena *arenaOpt,
+  NSSPKIXName *directoryName
+);
+
+/*
+ * NSSPKIXGeneralName_CreateFromEDIPartyName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+NSSPKIXGeneralName_CreateFromEDIPartyName
+(
+  NSSArena *arenaOpt,
+  NSSPKIXEDIPartyName *ediPartyname
+);
+
+/*
+ * NSSPKIXGeneralName_CreateFromUniformResourceIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_IA5_STRING
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+NSSPKIXGeneralName_CreateFromUniformResourceIdentifier
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *uniformResourceIdentifier
+);
+
+/*
+ * NSSPKIXGeneralName_CreateFromIPAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ITEM
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+NSSPKIXGeneralName_CreateFromIPAddress
+(
+  NSSArena *arenaOpt,
+  NSSItem *iPAddress
+);
+
+/*
+ * NSSPKIXGeneralName_CreateFromRegisteredID
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+NSSPKIXGeneralName_CreateFromRegisteredID
+(
+  NSSArena *arenaOpt,
+  NSSOID *registeredID
+);
+
+/*
+ * NSSPKIXGeneralName_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXGeneralName_Destroy
+(
+  NSSPKIXGeneralName *generalName
+);
+
+/*
+ * NSSPKIXGeneralName_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXGeneralName_Encode
+(
+  NSSPKIXGeneralName *generalName,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXGeneralName_GetUTF8Encoding
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXGeneralName_GetUTF8Encoding
+(
+  NSSPKIXGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXGeneralName_GetChoice
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ * 
+ * Return value:
+ *  A valid NSSPKIXGeneralNameChoice value upon success
+ *  NSSPKIXGeneralNameChoice_NSSinvalid upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralNameChoice
+NSSPKIXGeneralName_GetChoice
+(
+  NSSPKIXGeneralName *generalName
+);
+
+/*
+ * NSSPKIXGeneralName_GetOtherName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAnotherName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAnotherName *
+NSSPKIXGeneralName_GetOtherName
+(
+  NSSPKIXGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXGeneralName_GetRfc822Name
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXGeneralName_GetRfc822Name
+(
+  NSSPKIXGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXGeneralName_GetDNSName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXGeneralName_GetDNSName
+(
+  NSSPKIXGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXGeneralName_GetX400Address
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXORAddress upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXORAddress *
+NSSPKIXGeneralName_GetX400Address
+(
+  NSSPKIXGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXGeneralName_GetDirectoryName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXName *
+NSSPKIXGeneralName_GetDirectoryName
+(
+  NSSPKIXGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXGeneralName_GetEDIPartyName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXEDIPartyName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXEDIPartyName *
+NSSPKIXGeneralName_GetEDIPartyName
+(
+  NSSPKIXGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXGeneralName_GetUniformResourceIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXGeneralName_GetUniformResourceIdentifier
+(
+  NSSPKIXGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXGeneralName_GetIPAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSItem *
+NSSPKIXGeneralName_GetIPAddress
+(
+  NSSPKIXGeneralName *generalName,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXGeneralName_GetRegisteredID
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSOID upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSOID *
+NSSPKIXGeneralName_GetRegisteredID
+(
+  NSSPKIXGeneralName *generalName
+);
+
+/*
+ * NSSPKIXGeneralName_GetSpecifiedChoice
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME_CHOICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN void *
+NSSPKIXGeneralName_GetSpecifiedChoice
+(
+  NSSPKIXGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXGeneralName_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXGeneralName_Equal
+(
+  NSSPKIXGeneralName *generalName1,
+  NSSPKIXGeneralName *generalName2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXGeneralName_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+NSSPKIXGeneralName_Duplicate
+(
+  NSSPKIXGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * (in pki1 I had specific attribute value gettors here too)
+ *
+ */
+
+/*
+ * GeneralNames
+ *
+ * This structure contains a sequence of GeneralName objects.
+ *
+ * From RFC 2459:
+ *
+ *  GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXGeneralNames_Decode
+ *  NSSPKIXGeneralNames_Create
+ *  NSSPKIXGeneralNames_Destroy
+ *  NSSPKIXGeneralNames_Encode
+ *  NSSPKIXGeneralNames_GetGeneralNameCount
+ *  NSSPKIXGeneralNames_GetGeneralNames
+ *  NSSPKIXGeneralNames_SetGeneralNames
+ *  NSSPKIXGeneralNames_GetGeneralName
+ *  NSSPKIXGeneralNames_SetGeneralName
+ *  NSSPKIXGeneralNames_InsertGeneralName
+ *  NSSPKIXGeneralNames_AppendGeneralName
+ *  NSSPKIXGeneralNames_RemoveGeneralName
+ *  NSSPKIXGeneralNames_FindGeneralName
+ *  NSSPKIXGeneralNames_Equal
+ *  NSSPKIXGeneralNames_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXGeneralNames_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralNames *
+NSSPKIXGeneralNames_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXGeneralNames_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralNames *
+NSSPKIXGeneralNames_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXGeneralName *generalName1,
+  ...
+);
+
+/*
+ * NSSPKIXGeneralNames_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXGeneralNames_Destroy
+(
+  NSSPKIXGeneralNames *generalNames
+);
+
+/*
+ * NSSPKIXGeneralNames_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXGeneralNames_Encode
+(
+  NSSPKIXGeneralNames *generalNames,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXGeneralNames_GetGeneralNameCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXGeneralNames_GetGeneralNameCount
+(
+  NSSPKIXGeneralNames *generalNames
+);
+
+/*
+ * NSSPKIXGeneralNames_GetGeneralNames
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ * 
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXGeneralName pointers upon
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName **
+NSSPKIXGeneralNames_GetGeneralNames
+(
+  NSSPKIXGeneralNames *generalNames,
+  NSSPKIXGeneralName *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXGeneralNames_SetGeneralNames
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXGeneralNames_SetGeneralNames
+(
+  NSSPKIXGeneralNames *generalNames,
+  NSSPKIXGeneralName *generalName[],
+  PRInt32 count
+);
+
+/*
+ * NSSPKIXGeneralNames_GetGeneralName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+NSSPKIXGeneralNames_GetGeneralName
+(
+  NSSPKIXGeneralNames *generalNames,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXGeneralNames_SetGeneralName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXGeneralNames_SetGeneralName
+(
+  NSSPKIXGeneralNames *generalNames,
+  PRInt32 i,
+  NSSPKIXGeneralName *generalName
+);
+
+/*
+ * NSSPKIXGeneralNames_InsertGeneralName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXGeneralNames_InsertGeneralName
+(
+  NSSPKIXGeneralNames *generalNames,
+  PRInt32 i,
+  NSSPKIXGeneralName *generalName
+);
+
+/*
+ * NSSPKIXGeneralNames_AppendGeneralName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXGeneralNames_AppendGeneralName
+(
+  NSSPKIXGeneralNames *generalNames,
+  NSSPKIXGeneralName *generalName
+);
+
+/*
+ * NSSPKIXGeneralNames_RemoveGeneralName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXGeneralNames_RemoveGeneralName
+(
+  NSSPKIXGeneralNames *generalNames,
+  PRInt32 i
+);
+
+/*
+ * NSSPKIXGeneralNames_FindGeneralName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  The index of the specified policy mapping upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXGeneralNames_FindGeneralName
+(
+  NSSPKIXGeneralNames *generalNames,
+  NSSPKIXGeneralName *generalName
+);
+
+/*
+ * NSSPKIXGeneralNames_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXGeneralNames_Equal
+(
+  NSSPKIXGeneralNames *generalNames1,
+  NSSPKIXGeneralNames *generalNames2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXGeneralNames_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralNames *
+NSSPKIXGeneralNames_Duplicate
+(
+  NSSPKIXGeneralNames *generalNames,
+  NSSArena *arenaOpt
+);
+
+/*
+ * AnotherName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  AnotherName ::= SEQUENCE {
+ *       type-id    OBJECT IDENTIFIER,
+ *       value      [0] EXPLICIT ANY DEFINED BY type-id }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXAnotherName_Decode
+ *  NSSPKIXAnotherName_Create
+ *  NSSPKIXAnotherName_Destroy
+ *  NSSPKIXAnotherName_Encode
+ *  NSSPKIXAnotherName_GetTypeId
+ *  NSSPKIXAnotherName_SetTypeId
+ *  NSSPKIXAnotherName_GetValue
+ *  NSSPKIXAnotherName_SetValue
+ *  NSSPKIXAnotherName_Equal
+ *  NSSPKIXAnotherName_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXAnotherName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAnotherName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAnotherName *
+NSSPKIXAnotherName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXAnotherName_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_ITEM
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAnotherName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAnotherName *
+NSSPKIXAnotherName_Create
+(
+  NSSArena *arenaOpt,
+  NSSOID *typeId,
+  NSSItem *value
+);
+
+/*
+ * NSSPKIXAnotherName_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAnotherName_Destroy
+(
+  NSSPKIXAnotherName *anotherName
+);
+
+/*
+ * NSSPKIXAnotherName_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXAnotherName_Encode
+(
+  NSSPKIXAnotherName *anotherName,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXAnotherName_GetTypeId
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSOID upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSOID *
+NSSPKIXAnotherName_GetTypeId
+(
+  NSSPKIXAnotherName *anotherName
+);
+
+/*
+ * NSSPKIXAnotherName_SetTypeId
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAnotherName_SetTypeId
+(
+  NSSPKIXAnotherName *anotherName,
+  NSSOID *typeId
+);
+
+/*
+ * NSSPKIXAnotherName_GetValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSItem *
+NSSPKIXAnotherName_GetValue
+(
+  NSSPKIXAnotherName *anotherName,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXAnotherName_SetValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ITEM
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAnotherName_SetValue
+(
+  NSSPKIXAnotherName *anotherName,
+  NSSItem *value
+);
+
+/*
+ * NSSPKIXAnotherName_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXAnotherName_Equal
+(
+  NSSPKIXAnotherName *anotherName1,
+  NSSPKIXAnotherName *anotherName2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXAnotherName_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAnotherName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAnotherName *
+NSSPKIXAnotherName_Duplicate
+(
+  NSSPKIXAnotherName *anotherName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * EDIPartyName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *
+ *  EDIPartyName ::= SEQUENCE {
+ *       nameAssigner            [0]     DirectoryString OPTIONAL,
+ *       partyName               [1]     DirectoryString }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXEDIPartyName_Decode
+ *  NSSPKIXEDIPartyName_Create
+ *  NSSPKIXEDIPartyName_Destroy
+ *  NSSPKIXEDIPartyName_Encode
+ *  NSSPKIXEDIPartyName_HasNameAssigner
+ *  NSSPKIXEDIPartyName_GetNameAssigner
+ *  NSSPKIXEDIPartyName_SetNameAssigner
+ *  NSSPKIXEDIPartyName_RemoveNameAssigner
+ *  NSSPKIXEDIPartyName_GetPartyName
+ *  NSSPKIXEDIPartyName_SetPartyName
+ *  NSSPKIXEDIPartyName_Equal
+ *  NSSPKIXEDIPartyName_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXEDIPartyName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXEDIPartyName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXEDIPartyName *
+NSSPKIXEDIPartyName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXEDIPartyName_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXEDIPartyName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXEDIPartyName *
+NSSPKIXEDIPartyName_Create
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *nameAssignerOpt,
+  NSSUTF8 *partyName
+);
+
+/*
+ * NSSPKIXEDIPartyName_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXEDIPartyName_Destroy
+(
+  NSSPKIXEDIPartyName *ediPartyName
+);
+
+/*
+ * NSSPKIXEDIPartyName_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXEDIPartyName_Encode
+(
+  NSSPKIXEDIPartyName *ediPartyName,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXEDIPartyName_HasNameAssigner
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXEDIPartyName_HasNameAssigner
+(
+  NSSPKIXEDIPartyName *ediPartyName
+);
+
+/*
+ * NSSPKIXEDIPartyName_GetNameAssigner
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_HAS_NO_NAME_ASSIGNER
+ * 
+ * Return value:
+ *  A valid pointer to an NSSUTF8 string upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXEDIPartyName_GetNameAssigner
+(
+  NSSPKIXEDIPartyName *ediPartyName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXEDIPartyName_SetNameAssigner
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_STRING
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXEDIPartyName_SetNameAssigner
+(
+  NSSPKIXEDIPartyName *ediPartyName,
+  NSSUTF8 *nameAssigner
+);
+
+/*
+ * NSSPKIXEDIPartyName_RemoveNameAssigner
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ *  NSS_ERROR_HAS_NO_NAME_ASSIGNER
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXEDIPartyName_RemoveNameAssigner
+(
+  NSSPKIXEDIPartyName *ediPartyName
+);
+
+/*
+ * NSSPKIXEDIPartyName_GetPartyName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSUTF8 string upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+NSSPKIXEDIPartyName_GetPartyName
+(
+  NSSPKIXEDIPartyName *ediPartyName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXEDIPartyName_SetPartyName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_STRING
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXEDIPartyName_SetPartyName
+(
+  NSSPKIXEDIPartyName *ediPartyName,
+  NSSUTF8 *partyName
+);
+
+/*
+ * NSSPKIXEDIPartyName_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXEDIPartyName_Equal
+(
+  NSSPKIXEDIPartyName *ediPartyName1,
+  NSSPKIXEDIPartyName *ediPartyName2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXEDIPartyName_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXEDIPartyName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXEDIPartyName *
+NSSPKIXEDIPartyName_Duplicate
+(
+  NSSPKIXEDIPartyName *ediPartyName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * SubjectDirectoryAttributes
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXSubjectDirectoryAttributes_Decode
+ *  NSSPKIXSubjectDirectoryAttributes_Create
+ *  NSSPKIXSubjectDirectoryAttributes_Destroy
+ *  NSSPKIXSubjectDirectoryAttributes_Encode
+ *  NSSPKIXSubjectDirectoryAttributes_GetAttributeCount
+ *  NSSPKIXSubjectDirectoryAttributes_GetAttributes
+ *  NSSPKIXSubjectDirectoryAttributes_SetAttributes
+ *  NSSPKIXSubjectDirectoryAttributes_GetAttribute
+ *  NSSPKIXSubjectDirectoryAttributes_SetAttribute
+ *  NSSPKIXSubjectDirectoryAttributes_InsertAttribute
+ *  NSSPKIXSubjectDirectoryAttributes_AppendAttribute
+ *  NSSPKIXSubjectDirectoryAttributes_RemoveAttribute
+ *  NSSPKIXSubjectDirectoryAttributes_FindAttribute
+ *  NSSPKIXSubjectDirectoryAttributes_Equal
+ *  NSSPKIXSubjectDirectoryAttributes_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXSubjectDirectoryAttributes_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXSubjectDirectoryAttributes upon 
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXSubjectDirectoryAttributes *
+NSSPKIXSubjectDirectoryAttributes_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXSubjectDirectoryAttributes_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXSubjectDirectoryAttributes upon 
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXSubjectDirectoryAttributes *
+NSSPKIXSubjectDirectoryAttributes_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAttribute *attribute1,
+  ...
+);
+
+/*
+ * NSSPKIXSubjectDirectoryAttributes_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXSubjectDirectoryAttributes_Destroy
+(
+  NSSPKIXSubjectDirectoryAttributes *sda
+);
+
+/*
+ * NSSPKIXSubjectDirectoryAttributes_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXSubjectDirectoryAttributes_Encode
+(
+  NSSPKIXSubjectDirectoryAttributes *sda,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXSubjectDirectoryAttributes_GetAttributeCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXSubjectDirectoryAttributes_GetAttributeCount
+(
+  NSSPKIXSubjectDirectoryAttributes *sda
+);
+
+/*
+ * NSSPKIXSubjectDirectoryAttributes_GetAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ * 
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXAttribute pointers upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAttribute **
+NSSPKIXSubjectDirectoryAttributes_GetAttributes
+(
+  NSSPKIXSubjectDirectoryAttributes *sda,
+  NSSPKIXAttribute *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXSubjectDirectoryAttributes_SetAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXSubjectDirectoryAttributes_SetAttributes
+(
+  NSSPKIXSubjectDirectoryAttributes *sda,
+  NSSAttribute *attributes[],
+  PRInt32 count
+);
+
+/*
+ * NSSPKIXSubjectDirectoryAttributes_GetAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttribute upon success
+ *  NULL upon error
+ */
+
+NSS_EXTERN NSSPKIXAttribute *
+NSSPKIXSubjectDirectoryAttributes_GetAttribute
+(
+  NSSPKIXSubjectDirectoryAttributes *sda,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXSubjectDirectoryAttributes_SetAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXSubjectDirectoryAttributes_SetAttribute
+(
+  NSSPKIXSubjectDirectoryAttributes *sda,
+  PRInt32 i,
+  NSSPKIXAttribute *attribute
+);
+
+/*
+ * NSSPKIXSubjectDirectoryAttributes_InsertAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXSubjectDirectoryAttributes_InsertAttribute
+(
+  NSSPKIXSubjectDirectoryAttributes *sda,
+  PRInt32 i,
+  NSSPKIXAttribute *attribute
+);
+
+/*
+ * NSSPKIXSubjectDirectoryAttributes_AppendAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXSubjectDirectoryAttributes_AppendAttribute
+(
+  NSSPKIXSubjectDirectoryAttributes *sda,
+  NSSPKIXAttribute *attribute
+);
+
+/*
+ * NSSPKIXSubjectDirectoryAttributes_RemoveAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXSubjectDirectoryAttributes_RemoveAttribute
+(
+  NSSPKIXSubjectDirectoryAttributes *sda,
+  PRInt32 i
+);
+
+/*
+ * NSSPKIXSubjectDirectoryAttributes_FindAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *  NSS_ERROR_INVALID_ATTRIBUTE
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  The index of the specified policy mapping upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXSubjectDirectoryAttributes_FindAttribute
+(
+  NSSPKIXSubjectDirectoryAttributes *sda,
+  NSSPKIXAttribute *attribute
+);
+
+/*
+ * NSSPKIXSubjectDirectoryAttributes_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXSubjectDirectoryAttributes_Equal
+(
+  NSSPKIXSubjectDirectoryAttributes *sda1,
+  NSSPKIXSubjectDirectoryAttributes *sda2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXSubjectDirectoryAttributes_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXSubjectDirectoryAttributes upon 
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXSubjectDirectoryAttributes *
+NSSPKIXSubjectDirectoryAttributes_Duplicate
+(
+  NSSPKIXSubjectDirectoryAttributes *sda,
+  NSSArena *arenaOpt
+);
+
+/*
+ * BasicConstraints
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  BasicConstraints ::= SEQUENCE {
+ *       cA                      BOOLEAN DEFAULT FALSE,
+ *       pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXBasicConstraints_Decode
+ *  NSSPKIXBasicConstraints_Create
+ *  NSSPKIXBasicConstraints_Destroy
+ *  NSSPKIXBasicConstraints_Encode
+ *  NSSPKIXBasicConstraints_GetCA
+ *  NSSPKIXBasicConstraints_SetCA 
+ *  NSSPKIXBasicConstraints_HasPathLenConstraint
+ *  NSSPKIXBasicConstraints_GetPathLenConstraint
+ *  NSSPKIXBasicConstraints_SetPathLenConstraint
+ *  NSSPKIXBasicConstraints_RemovePathLenConstraint
+ *  NSSPKIXBasicConstraints_Equal
+ *  NSSPKIXBasicConstraints_Duplicate
+ *  NSSPKIXBasicConstraints_CompareToPathLenConstraint
+ *
+ */
+
+/*
+ * NSSPKIXBasicConstraints_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXBasicConstraints upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBasicConstraints *
+NSSPKIXBasicConstraints_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXBasicConstraints_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_VALUE
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXBasicConstraints upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBasicConstraints *
+NSSPKIXBasicConstraints_Create
+(
+  NSSArena *arenaOpt,
+  PRBool ca,
+  PRInt32 pathLenConstraint
+);
+
+/*
+ * NSSPKIXBasicConstraints_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBasicConstraints_Destroy
+(
+  NSSPKIXBasicConstraints *basicConstraints
+);
+
+/*
+ * NSSPKIXBasicConstraints_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXBasicConstraints_Encode
+(
+  NSSPKIXBasicConstraints *basicConstraints,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXBasicConstraints_GetCA
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_TRUE if the CA bit is true
+ *  PR_FALSE if it isn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXBasicConstraints_GetCA
+(
+  NSSPKIXBasicConstraints *basicConstraints,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXBasicConstraints_SetCA
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBasicConstraints_SetCA
+(
+  NSSPKIXBasicConstraints *basicConstraints,
+  PRBool ca
+);
+
+/*
+ * NSSPKIXBasicConstraints_HasPathLenConstraint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXBasicConstraints_HasPathLenConstraint
+(
+  NSSPKIXBasicConstraints *basicConstraints,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXBasicConstraints_GetPathLenConstraint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ *  NSS_ERROR_HAS_NO_PATH_LEN_CONSTRAINT
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXBasicConstraints_GetPathLenConstraint
+(
+  NSSPKIXBasicConstraints *basicConstraints
+);
+
+/*
+ * NSSPKIXBasicConstraints_SetPathLenConstraint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ *  NSS_ERROR_INVALID_VALUE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBasicConstraints_SetPathLenConstraint
+(
+  NSSPKIXBasicConstraints *basicConstraints,
+  PRInt32 pathLenConstraint
+);
+
+/*
+ * NSSPKIXBasicConstraints_RemovePathLenConstraint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ *  NSS_ERROR_HAS_NO_PATH_LEN_CONSTRAINT
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXBasicConstraints_RemovePathLenConstraint
+(
+  NSSPKIXBasicConstraints *basicConstraints
+);
+
+/*
+ * NSSPKIXBasicConstraints_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXBasicConstraints_Equal
+(
+  NSSPKIXBasicConstraints *basicConstraints1,
+  NSSPKIXBasicConstraints *basicConstraints2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXBasicConstraints_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXBasicConstraints upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBasicConstraints *
+NSSPKIXBasicConstraints_Duplicate
+(
+  NSSPKIXBasicConstraints *basicConstraints,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXBasicConstraints_CompareToPathLenConstraint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ *  NSS_ERROR_HAS_NO_PATH_LEN_CONSTRAINT
+ * 
+ * Return value:
+ *  1 if the specified value is greater than the pathLenConstraint
+ *  0 if the specified value equals the pathLenConstraint
+ *  -1 if the specified value is less than the pathLenConstraint
+ *  -2 upon error
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXBasicConstraints_CompareToPathLenConstraint
+(
+  NSSPKIXBasicConstraints *basicConstraints,
+  PRInt32 value
+);
+
+/*
+ * NameConstraints
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  NameConstraints ::= SEQUENCE {
+ *       permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
+ *       excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXNameConstraints_Decode
+ *  NSSPKIXNameConstraints_Create
+ *  NSSPKIXNameConstraints_Destroy
+ *  NSSPKIXNameConstraints_Encode
+ *  NSSPKIXNameConstraints_HasPermittedSubtrees
+ *  NSSPKIXNameConstraints_GetPermittedSubtrees
+ *  NSSPKIXNameConstraints_SetPermittedSubtrees
+ *  NSSPKIXNameConstraints_RemovePermittedSubtrees
+ *  NSSPKIXNameConstraints_HasExcludedSubtrees
+ *  NSSPKIXNameConstraints_GetExcludedSubtrees
+ *  NSSPKIXNameConstraints_SetExcludedSubtrees
+ *  NSSPKIXNameConstraints_RemoveExcludedSubtrees
+ *  NSSPKIXNameConstraints_Equal
+ *  NSSPKIXNameConstraints_Duplicate
+ *    { and the comparator functions }
+ *
+ */
+
+/*
+ * NSSPKIXNameConstraints_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXNameConstraints upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNameConstraints *
+NSSPKIXNameConstraints_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXNameConstraints_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXNameConstraints upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNameConstraints *
+NSSPKIXNameConstraints_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXGeneralSubtrees *permittedSubtrees,
+  NSSPKIXGeneralSubtrees *excludedSubtrees
+);
+
+/*
+ * NSSPKIXNameConstraints_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXNameConstraints_Destroy
+(
+  NSSPKIXNameConstraints *nameConstraints
+);
+
+/*
+ * NSSPKIXNameConstraints_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXNameConstraints_Encode
+(
+  NSSPKIXNameConstraints *nameConstraints,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXNameConstraints_HasPermittedSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXNameConstraints_HasPermittedSubtrees
+(
+  NSSPKIXNameConstraints *nameConstraints,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXNameConstraints_GetPermittedSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ *  NSS_ERROR_HAS_NO_PERMITTED_SUBTREES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralSubtrees upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralSubtrees *
+NSSPKIXNameConstraints_GetPermittedSubtrees
+(
+  NSSPKIXNameConstraints *nameConstraints,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXNameConstraints_SetPermittedSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXNameConstraints_SetPermittedSubtrees
+(
+  NSSPKIXNameConstraints *nameConstraints,
+  NSSPKIXGeneralSubtrees *permittedSubtrees
+);
+
+/*
+ * NSSPKIXNameConstraints_RemovePermittedSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ *  NSS_ERROR_HAS_NO_PERMITTED_SUBTREES
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXNameConstraints_RemovePermittedSubtrees
+(
+  NSSPKIXNameConstraints *nameConstraints
+);
+
+/*
+ * NSSPKIXNameConstraints_HasExcludedSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXNameConstraints_HasExcludedSubtrees
+(
+  NSSPKIXNameConstraints *nameConstraints,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXNameConstraints_GetExcludedSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ *  NSS_ERROR_HAS_NO_EXCLUDED_SUBTREES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralSubtrees upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralSubtrees *
+NSSPKIXNameConstraints_GetExcludedSubtrees
+(
+  NSSPKIXNameConstraints *nameConstraints,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXNameConstraints_SetExcludedSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXNameConstraints_SetExcludedSubtrees
+(
+  NSSPKIXNameConstraints *nameConstraints,
+  NSSPKIXGeneralSubtrees *excludedSubtrees
+);
+
+/*
+ * NSSPKIXNameConstraints_RemoveExcludedSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ *  NSS_ERROR_HAS_NO_EXCLUDED_SUBTREES
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXNameConstraints_RemoveExcludedSubtrees
+(
+  NSSPKIXNameConstraints *nameConstraints
+);
+
+/*
+ * NSSPKIXNameConstraints_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXNameConstraints_Equal
+(
+  NSSPKIXNameConstraints *nameConstraints1,
+  NSSPKIXNameConstraints *nameConstraints2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXNameConstraints_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXNameConstraints upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNameConstraints *
+NSSPKIXNameConstraints_Duplicate
+(
+  NSSPKIXNameConstraints *nameConstraints,
+  NSSArena *arenaOpt
+);
+
+/*
+ *   { and the comparator functions }
+ *
+ */
+
+/*
+ * GeneralSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXGeneralSubtrees_Decode
+ *  NSSPKIXGeneralSubtrees_Create
+ *  NSSPKIXGeneralSubtrees_Destroy
+ *  NSSPKIXGeneralSubtrees_Encode
+ *  NSSPKIXGeneralSubtrees_GetGeneralSubtreeCount
+ *  NSSPKIXGeneralSubtrees_GetGeneralSubtrees
+ *  NSSPKIXGeneralSubtrees_SetGeneralSubtrees
+ *  NSSPKIXGeneralSubtrees_GetGeneralSubtree
+ *  NSSPKIXGeneralSubtrees_SetGeneralSubtree
+ *  NSSPKIXGeneralSubtrees_InsertGeneralSubtree
+ *  NSSPKIXGeneralSubtrees_AppendGeneralSubtree
+ *  NSSPKIXGeneralSubtrees_RemoveGeneralSubtree
+ *  NSSPKIXGeneralSubtrees_FindGeneralSubtree
+ *  NSSPKIXGeneralSubtrees_Equal
+ *  NSSPKIXGeneralSubtrees_Duplicate
+ *    { and finders and comparators }
+ *
+ */
+
+/*
+ * NSSPKIXGeneralSubtrees_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralSubtrees upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralSubtrees *
+NSSPKIXGeneralSubtrees_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXGeneralSubtrees_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralSubtrees upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralSubtrees *
+NSSPKIXGeneralSubtrees_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXGeneralSubtree *generalSubtree1,
+  ...
+);
+
+/*
+ * NSSPKIXGeneralSubtrees_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXGeneralSubtrees_Destroy
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees
+);
+
+/*
+ * NSSPKIXGeneralSubtrees_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXGeneralSubtrees_Encode
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXGeneralSubtrees_GetGeneralSubtreeCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXGeneralSubtrees_GetGeneralSubtreeCount
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees
+);
+
+/*
+ * NSSPKIXGeneralSubtrees_GetGeneralSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ * 
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXGeneralSubtree pointers upon
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralSubtree **
+NSSPKIXGeneralSubtrees_GetGeneralSubtrees
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees,
+  NSSPKIXGeneralSubtree *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXGeneralSubtrees_SetGeneralSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXGeneralSubtrees_SetGeneralSubtrees
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees,
+  NSSPKIXGeneralSubtree *generalSubtree[],
+  PRInt32 count
+);
+
+/*
+ * NSSPKIXGeneralSubtrees_GetGeneralSubtree
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralSubtree upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralSubtree *
+NSSPKIXGeneralSubtrees_GetGeneralSubtree
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXGeneralSubtrees_SetGeneralSubtree
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXGeneralSubtrees_SetGeneralSubtree
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees,
+  PRInt32 i,
+  NSSPKIXGeneralSubtree *generalSubtree
+);
+
+/*
+ * NSSPKIXGeneralSubtrees_InsertGeneralSubtree
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXGeneralSubtrees_InsertGeneralSubtree
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees,
+  PRInt32 i,
+  NSSPKIXGeneralSubtree *generalSubtree
+);
+
+/*
+ * NSSPKIXGeneralSubtrees_AppendGeneralSubtree
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXGeneralSubtrees_AppendGeneralSubtree
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees,
+  NSSPKIXGeneralSubtree *generalSubtree
+);
+
+/*
+ * NSSPKIXGeneralSubtrees_RemoveGeneralSubtree
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXGeneralSubtrees_RemoveGeneralSubtree
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees,
+  PRInt32 i
+);
+
+/*
+ * NSSPKIXGeneralSubtrees_FindGeneralSubtree
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  The index of the specified policy mapping upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXGeneralSubtrees_FindGeneralSubtree
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees,
+  NSSPKIXGeneralSubtree *generalSubtree
+);
+
+/*
+ * NSSPKIXGeneralSubtrees_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXGeneralSubtrees_Equal
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees1,
+  NSSPKIXGeneralSubtrees *generalSubtrees2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXGeneralSubtrees_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralSubtrees upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralSubtrees *
+NSSPKIXGeneralSubtrees_Duplicate
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees,
+  NSSArena *arenaOpt
+);
+
+/*
+ *   { and finders and comparators }
+ *
+ */
+
+/*
+ * GeneralSubtree
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  GeneralSubtree ::= SEQUENCE {
+ *       base                    GeneralName,
+ *       minimum         [0]     BaseDistance DEFAULT 0,
+ *       maximum         [1]     BaseDistance OPTIONAL }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXGeneralSubtree_Decode
+ *  NSSPKIXGeneralSubtree_Create
+ *  NSSPKIXGeneralSubtree_Destroy
+ *  NSSPKIXGeneralSubtree_Encode
+ *  NSSPKIXGeneralSubtree_GetBase
+ *  NSSPKIXGeneralSubtree_SetBase
+ *  NSSPKIXGeneralSubtree_GetMinimum
+ *  NSSPKIXGeneralSubtree_SetMinimum
+ *  NSSPKIXGeneralSubtree_HasMaximum
+ *  NSSPKIXGeneralSubtree_GetMaximum
+ *  NSSPKIXGeneralSubtree_SetMaximum
+ *  NSSPKIXGeneralSubtree_RemoveMaximum
+ *  NSSPKIXGeneralSubtree_Equal
+ *  NSSPKIXGeneralSubtree_Duplicate
+ *  NSSPKIXGeneralSubtree_DistanceInRange
+ *    {other tests and comparators}
+ *
+ */
+
+/*
+ * NSSPKIXGeneralSubtree_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralSubtree upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralSubtree *
+NSSPKIXGeneralSubtree_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXGeneralSubtree_Create
+ *
+ * -- fgmr comments --
+ * The optional maximum value may be omitted by specifying -1.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_INVALID_VALUE
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralSubtree upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralSubtree *
+NSSPKIXGeneralSubtree_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXBaseDistance minimum,
+  NSSPKIXBaseDistance maximumOpt
+);
+
+/*
+ * NSSPKIXGeneralSubtree_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXGeneralSubtree_Destroy
+(
+  NSSPKIXGeneralSubtree *generalSubtree
+);
+
+/*
+ * NSSPKIXGeneralSubtree_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXGeneralSubtree_Encode
+(
+  NSSPKIXGeneralSubtree *generalSubtree,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXGeneralSubtree_GetBase
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+NSSPKIXGeneralSubtree_GetBase
+(
+  NSSPKIXGeneralSubtree *generalSubtree,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXGeneralSubtree_SetBase
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXGeneralSubtree_SetBase
+(
+  NSSPKIXGeneralSubtree *generalSubtree,
+  NSSPKIXGeneralName *base
+);
+
+/*
+ * NSSPKIXGeneralSubtree_GetMinimum
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN NSSPKIXBaseDistance
+NSSPKIXGeneralSubtree_GetMinimum
+(
+  NSSPKIXGeneralSubtree *generalSubtree
+);
+
+/*
+ * NSSPKIXGeneralSubtree_SetMinimum
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_INVALID_VALUE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXGeneralSubtree_SetMinimum
+(
+  NSSPKIXGeneralSubtree *generalSubtree,
+  NSSPKIXBaseDistance *minimum
+);
+
+/*
+ * NSSPKIXGeneralSubtree_HasMaximum
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXGeneralSubtree_HasMaximum
+(
+  NSSPKIXGeneralSubtree *generalSubtree
+);
+
+/*
+ * NSSPKIXGeneralSubtree_GetMaximum
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_HAS_NO_MAXIMUM_BASE_DISTANCE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN NSSPKIXBaseDistance
+NSSPKIXGeneralSubtree_GetMaximum
+(
+  NSSPKIXGeneralSubtree *generalSubtree
+);
+
+/*
+ * NSSPKIXGeneralSubtree_SetMaximum
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_INVALID_VALUE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXGeneralSubtree_SetMaximum
+(
+  NSSPKIXGeneralSubtree *generalSubtree,
+  NSSPKIXBaseDistance *maximum
+);
+
+/*
+ * NSSPKIXGeneralSubtree_RemoveMaximum
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_HAS_NO_MAXIMUM_BASE_DISTANCE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXGeneralSubtree_RemoveMaximum
+(
+  NSSPKIXGeneralSubtree *generalSubtree
+);
+
+/*
+ * NSSPKIXGeneralSubtree_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXGeneralSubtree_Equal
+(
+  NSSPKIXGeneralSubtree *generalSubtree1,
+  NSSPKIXGeneralSubtree *generalSubtree2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXGeneralSubtree_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralSubtree upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralSubtree *
+NSSPKIXGeneralSubtree_Duplicate
+(
+  NSSPKIXGeneralSubtree *generalSubtree,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXGeneralSubtree_DistanceInRange
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_INVALID_VALUE
+ * 
+ * Return value:
+ *  PR_TRUE if the specified value is within the minimum and maximum
+ *      base distances
+ *  PR_FALSE if it isn't
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXGeneralSubtree_DistanceInRange
+(
+  NSSPKIXGeneralSubtree *generalSubtree,
+  NSSPKIXBaseDistance value,
+  PRStatus *statusOpt
+);
+
+/*
+ *   {other tests and comparators}
+ *
+ */
+
+/*
+ * PolicyConstraints
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PolicyConstraints ::= SEQUENCE {
+ *       requireExplicitPolicy           [0] SkipCerts OPTIONAL,
+ *       inhibitPolicyMapping            [1] SkipCerts OPTIONAL }
+ * 
+ * The public calls for this type:
+ *
+ *  NSSPKIXPolicyConstraints_Decode
+ *  NSSPKIXPolicyConstraints_Create
+ *  NSSPKIXPolicyConstraints_Destroy
+ *  NSSPKIXPolicyConstraints_Encode
+ *  NSSPKIXPolicyConstraints_HasRequireExplicitPolicy
+ *  NSSPKIXPolicyConstraints_GetRequireExplicitPolicy
+ *  NSSPKIXPolicyConstraints_SetRequireExplicitPolicy
+ *  NSSPKIXPolicyConstraints_RemoveRequireExplicitPolicy
+ *  NSSPKIXPolicyConstraints_HasInhibitPolicyMapping
+ *  NSSPKIXPolicyConstraints_GetInhibitPolicyMapping
+ *  NSSPKIXPolicyConstraints_SetInhibitPolicyMapping
+ *  NSSPKIXPolicyConstraints_RemoveInhibitPolicyMapping
+ *  NSSPKIXPolicyConstraints_Equal
+ *  NSSPKIXPolicyConstraints_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXPolicyConstraints_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyConstraints upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyConstraints *
+NSSPKIXPolicyConstraints_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXPolicyConstraints_Create
+ *
+ * -- fgmr comments --
+ * The optional values may be omitted by specifying -1.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_VALUE
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyConstraints upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyConstraints *
+NSSPKIXPolicyConstraints_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXSkipCerts requireExplicitPolicy,
+  NSSPKIXSkipCerts inhibitPolicyMapping
+);
+
+/*
+ * NSSPKIXPolicyConstraints_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPolicyConstraints_Destroy
+(
+  NSSPKIXPolicyConstraints *policyConstraints
+);
+
+/*
+ * NSSPKIXPolicyConstraints_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXPolicyConstraints_Encode
+(
+  NSSPKIXPolicyConstraints *policyConstraints,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXPolicyConstraints_HasRequireExplicitPolicy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXPolicyConstraints_HasRequireExplicitPolicy
+(
+  NSSPKIXPolicyConstraints *policyConstraints
+);
+
+/*
+ * NSSPKIXPolicyConstraints_GetRequireExplicitPolicy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ *  NSS_ERROR_HAS_NO_REQUIRE_EXPLICIT_POLICY
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXPolicyConstraints_GetRequireExplicitPolicy
+(
+  NSSPKIXPolicyConstraints *policyConstraints
+);
+
+/*
+ * NSSPKIXPolicyConstraints_SetRequireExplicitPolicy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ *  NSS_ERROR_INVALID_VALUE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPolicyConstraints_SetRequireExplicitPolicy
+(
+  NSSPKIXPolicyConstraints *policyConstraints,
+  NSSPKIXSkipCerts requireExplicitPolicy
+);
+
+/*
+ * NSSPKIXPolicyConstraints_RemoveRequireExplicitPolicy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ *  NSS_ERROR_HAS_NO_REQUIRE_EXPLICIT_POLICY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPolicyConstraints_RemoveRequireExplicitPolicy
+(
+  NSSPKIXPolicyConstraints *policyConstraints
+);
+
+/*
+ * NSSPKIXPolicyConstraints_HasInhibitPolicyMapping
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXPolicyConstraints_HasInhibitPolicyMapping
+(
+  NSSPKIXPolicyConstraints *policyConstraints
+);
+
+/*
+ * NSSPKIXPolicyConstraints_GetInhibitPolicyMapping
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ *  NSS_ERROR_HAS_NO_INHIBIT_POLICY_MAPPING
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXPolicyConstraints_GetInhibitPolicyMapping
+(
+  NSSPKIXPolicyConstraints *policyConstraints
+);
+
+/*
+ * NSSPKIXPolicyConstraints_SetInhibitPolicyMapping
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ *  NSS_ERROR_INVALID_VALUE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPolicyConstraints_SetInhibitPolicyMapping
+(
+  NSSPKIXPolicyConstraints *policyConstraints,
+  NSSPKIXSkipCerts inhibitPolicyMapping
+);
+
+/*
+ * NSSPKIXPolicyConstraints_RemoveInhibitPolicyMapping
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ *  NSS_ERROR_HAS_NO_INHIBIT_POLICY_MAPPING
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXPolicyConstraints_RemoveInhibitPolicyMapping
+(
+  NSSPKIXPolicyConstraints *policyConstraints
+);
+
+/*
+ * NSSPKIXPolicyConstraints_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXPolicyConstraints_Equal
+(
+  NSSPKIXPolicyConstraints *policyConstraints1,
+  NSSPKIXPolicyConstraints *policyConstraints2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXPolicyConstraints_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyConstraints upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyConstraints *
+NSSPKIXPolicyConstraints_Duplicate
+(
+  NSSPKIXPolicyConstraints *policyConstraints,
+  NSSArena *arenaOpt
+);
+
+/*
+ * CRLDistPointsSyntax
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXCRLDistPointsSyntax_Decode
+ *  NSSPKIXCRLDistPointsSyntax_Create
+ *  NSSPKIXCRLDistPointsSyntax_Destroy
+ *  NSSPKIXCRLDistPointsSyntax_Encode
+ *  NSSPKIXCRLDistPointsSyntax_GetDistributionPointCount
+ *  NSSPKIXCRLDistPointsSyntax_GetDistributionPoints
+ *  NSSPKIXCRLDistPointsSyntax_SetDistributionPoints
+ *  NSSPKIXCRLDistPointsSyntax_GetDistributionPoint
+ *  NSSPKIXCRLDistPointsSyntax_SetDistributionPoint
+ *  NSSPKIXCRLDistPointsSyntax_InsertDistributionPoint
+ *  NSSPKIXCRLDistPointsSyntax_AppendDistributionPoint
+ *  NSSPKIXCRLDistPointsSyntax_RemoveDistributionPoint
+ *  NSSPKIXCRLDistPointsSyntax_FindDistributionPoint
+ *  NSSPKIXCRLDistPointsSyntax_Equal
+ *  NSSPKIXCRLDistPointsSyntax_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXCRLDistPointsSyntax_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCRLDistPointsSyntax upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCRLDistPointsSyntax *
+NSSPKIXCRLDistPointsSyntax_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXCRLDistPointsSyntax_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCRLDistPointsSyntax upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCRLDistPointsSyntax *
+NSSPKIXCRLDistPointsSyntax_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXDistributionPoint *distributionPoint1,
+  ...
+);
+
+/*
+ * NSSPKIXCRLDistPointsSyntax_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXCRLDistPointsSyntax_Destroy
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax
+);
+
+/*
+ * NSSPKIXCRLDistPointsSyntax_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXCRLDistPointsSyntax_Encode
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXCRLDistPointsSyntax_GetDistributionPointCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXCRLDistPointsSyntax_GetDistributionPointCount
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax
+);
+
+/*
+ * NSSPKIXCRLDistPointsSyntax_GetDistributionPoints
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ * 
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXDistributionPoint pointers 
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPoints **
+NSSPKIXCRLDistPointsSyntax_GetDistributionPoints
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
+  NSSDistributionPoint *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXCRLDistPointsSyntax_SetDistributionPoints
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXCRLDistPointsSyntax_SetDistributionPoints
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
+  NSSDistributionPoint *distributionPoint[]
+  PRInt32 count
+);
+
+/*
+ * NSSPKIXCRLDistPointsSyntax_GetDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDistributionPoint upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPoint *
+NSSPKIXCRLDistPointsSyntax_GetDistributionPoint
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXCRLDistPointsSyntax_SetDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXCRLDistPointsSyntax_SetDistributionPoint
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
+  PRInt32 i,
+  NSSPKIXDistributionPoint *distributionPoint
+);
+
+/*
+ * NSSPKIXCRLDistPointsSyntax_InsertDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXCRLDistPointsSyntax_InsertDistributionPoint
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
+  PRInt32 i,
+  NSSPKIXDistributionPoint *distributionPoint
+);
+
+/*
+ * NSSPKIXCRLDistPointsSyntax_AppendDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXCRLDistPointsSyntax_AppendDistributionPoint
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
+  NSSPKIXDistributionPoint *distributionPoint
+);
+
+/*
+ * NSSPKIXCRLDistPointsSyntax_RemoveDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXCRLDistPointsSyntax_RemoveDistributionPoint
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
+  PRInt32 i
+);
+
+/*
+ * NSSPKIXCRLDistPointsSyntax_FindDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  The index of the specified policy mapping upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXCRLDistPointsSyntax_FindDistributionPoint
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
+  NSSPKIXDistributionPoint *distributionPoint
+);
+
+/*
+ * NSSPKIXCRLDistPointsSyntax_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXCRLDistPointsSyntax_Equal
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax1,
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXCRLDistPointsSyntax_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCRLDistPointsSyntax upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCRLDistPointsSyntax *
+NSSPKIXCRLDistPointsSyntax_Duplicate
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
+  NSSArena *arenaOpt
+);
+
+/*
+ * DistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  DistributionPoint ::= SEQUENCE {
+ *       distributionPoint       [0]     DistributionPointName OPTIONAL,
+ *       reasons                 [1]     ReasonFlags OPTIONAL,
+ *       cRLIssuer               [2]     GeneralNames OPTIONAL }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXDistributionPoint_Decode
+ *  NSSPKIXDistributionPoint_Create
+ *  NSSPKIXDistributionPoint_Destroy
+ *  NSSPKIXDistributionPoint_Encode
+ *  NSSPKIXDistributionPoint_HasDistributionPoint
+ *  NSSPKIXDistributionPoint_GetDistributionPoint
+ *  NSSPKIXDistributionPoint_SetDistributionPoint
+ *  NSSPKIXDistributionPoint_RemoveDistributionPoint
+ *  NSSPKIXDistributionPoint_HasReasons
+ *  NSSPKIXDistributionPoint_GetReasons
+ *  NSSPKIXDistributionPoint_SetReasons
+ *  NSSPKIXDistributionPoint_RemoveReasons
+ *  NSSPKIXDistributionPoint_HasCRLIssuer
+ *  NSSPKIXDistributionPoint_GetCRLIssuer
+ *  NSSPKIXDistributionPoint_SetCRLIssuer
+ *  NSSPKIXDistributionPoint_RemoveCRLIssuer
+ *  NSSPKIXDistributionPoint_Equal
+ *  NSSPKIXDistributionPoint_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXDistributionPoint_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDistributionPoint upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPoint *
+NSSPKIXDistributionPoint_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXDistributionPoint_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDistributionPoint upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPoint *
+NSSPKIXDistributionPoint_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXDistributionPointName *distributionPoint,
+  NSSPKIXReasonFlags reasons,
+  NSSPKIXGeneralNames *cRLIssuer
+);
+
+/*
+ * NSSPKIXDistributionPoint_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXDistributionPoint_Destroy
+(
+  NSSPKIXDistributionPoint *distributionPoint
+);
+
+/*
+ * NSSPKIXDistributionPoint_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXDistributionPoint_Encode
+(
+  NSSPKIXDistributionPoint *distributionPoint,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXDistributionPoint_HasDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXDistributionPoint_HasDistributionPoint
+(
+  NSSPKIXDistributionPoint *distributionPoint
+);
+
+/*
+ * NSSPKIXDistributionPoint_GetDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_HAS_NO_DISTRIBUTION_POINT
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDistributionPointName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPointName *
+NSSPKIXDistributionPoint_GetDistributionPoint
+(
+  NSSPKIXDistributionPoint *distributionPoint,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXDistributionPoint_SetDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXDistributionPoint_SetDistributionPoint
+(
+  NSSPKIXDistributionPoint *distributionPoint,
+  NSSPKIXDistributionPointName *name
+);
+
+/*
+ * NSSPKIXDistributionPoint_RemoveDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_HAS_NO_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXDistributionPoint_RemoveDistributionPoint
+(
+  NSSPKIXDistributionPoint *distributionPoint
+);
+
+/*
+ * NSSPKIXDistributionPoint_HasReasons
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXDistributionPoint_HasReasons
+(
+  NSSPKIXDistributionPoint *distributionPoint
+);
+
+/*
+ * NSSPKIXDistributionPoint_GetReasons
+ *
+ * It is unlikely that the reason flags are all zero; so zero is
+ * returned in error situations.
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_HAS_NO_REASONS
+ * 
+ * Return value:
+ *  A valid nonzero NSSPKIXReasonFlags value upon success
+ *  A valid zero NSSPKIXReasonFlags if the value is indeed zero
+ *  Zero upon error
+ */
+
+NSS_EXTERN NSSPKIXReasonFlags
+NSSPKIXDistributionPoint_GetReasons
+(
+  NSSPKIXDistributionPoint *distributionPoint,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXDistributionPoint_SetReasons
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXDistributionPoint_SetReasons
+(
+  NSSPKIXDistributionPoint *distributionPoint,
+  NSSPKIXReasonFlags reasons
+);
+
+/*
+ * NSSPKIXDistributionPoint_RemoveReasons
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_HAS_NO_REASONS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXDistributionPoint_RemoveReasons
+(
+  NSSPKIXDistributionPoint *distributionPoint
+);
+
+/*
+ * NSSPKIXDistributionPoint_HasCRLIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXDistributionPoint_HasCRLIssuer
+(
+  NSSPKIXDistributionPoint *distributionPoint
+);
+
+/*
+ * NSSPKIXDistributionPoint_GetCRLIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_HAS_NO_CRL_ISSUER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralNames *
+NSSPKIXDistributionPoint_GetCRLIssuer
+(
+  NSSPKIXDistributionPoint *distributionPoint,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXDistributionPoint_SetCRLIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXDistributionPoint_SetCRLIssuer
+(
+  NSSPKIXDistributionPoint *distributionPoint,
+  NSSPKIXGeneralNames *cRLIssuer
+);
+
+/*
+ * NSSPKIXDistributionPoint_RemoveCRLIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_HAS_NO_CRL_ISSUER
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXDistributionPoint_RemoveCRLIssuer
+(
+  NSSPKIXDistributionPoint *distributionPoint
+);
+
+/*
+ * NSSPKIXDistributionPoint_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXDistributionPoint_Equal
+(
+  NSSPKIXDistributionPoint *distributionPoint1,
+  NSSPKIXDistributionPoint *distributionPoint2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXDistributionPoint_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDistributionPoint upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPoint *
+NSSPKIXDistributionPoint_Duplicate
+(
+  NSSPKIXDistributionPoint *distributionPoint,
+  NSSArena *arenaOpt
+);
+
+/*
+ * DistributionPointName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  DistributionPointName ::= CHOICE {
+ *       fullName                [0]     GeneralNames,
+ *       nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXDistributionPointName_Decode
+ *  NSSPKIXDistributionPointName_Create
+ *  NSSPKIXDistributionPointName_CreateFromFullName
+ *  NSSPKIXDistributionPointName_CreateFromNameRelativeToCRLIssuer
+ *  NSSPKIXDistributionPointName_Destroy
+ *  NSSPKIXDistributionPointName_Encode
+ *  NSSPKIXDistributionPointName_GetChoice
+ *  NSSPKIXDistributionPointName_GetFullName
+ *  NSSPKIXDistributionPointName_GetNameRelativeToCRLIssuer
+ *  NSSPKIXDistributionPointName_Equal
+ *  NSSPKIXDistributionPointName_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXDistributionPointName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDistributionPointName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPointName *
+NSSPKIXDistributionPointName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXDistributionPointName_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME_CHOICE
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_INVALID_PKIX_RELATIVE_DISTINGUISHED_NAME
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDistributionPointName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPointName *
+NSSPKIXDistributionPointName_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXDistributionPointNameChoice which,
+  void *name
+);
+
+/*
+ * NSSPKIXDistributionPointName_CreateFromFullName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDistributionPointName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPointName *
+NSSPKIXDistributionPointName_CreateFromFullName
+(
+  NSSArena *arenaOpt,
+  NSSPKIXGeneralNames *fullName
+);
+
+/*
+ * NSSPKIXDistributionPointName_CreateFromNameRelativeToCRLIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_RELATIVE_DISTINGUISHED_NAME
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDistributionPointName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPointName *
+NSSPKIXDistributionPointName_CreateFromNameRelativeToCRLIssuer
+(
+  NSSArena *arenaOpt,
+  NSSPKIXRelativeDistinguishedName *nameRelativeToCRLIssuer
+);
+
+/*
+ * NSSPKIXDistributionPointName_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXDistributionPointName_Destroy
+(
+  NSSPKIXDistributionPointName *dpn
+);
+
+/*
+ * NSSPKIXDistributionPointName_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXDistributionPointName_Encode
+(
+  NSSPKIXDistributionPointName *dpn,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXDistributionPointName_GetChoice
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ * 
+ * Return value:
+ *  A valid NSSPKIXDistributionPointNameChoice value upon success
+ *  NSSPKIXDistributionPointNameChoice_NSSinvalid upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPointNameChoice
+NSSPKIXDistributionPointName_GetChoice
+(
+  NSSPKIXDistributionPointName *dpn
+);
+
+/*
+ * NSSPKIXDistributionPointName_GetFullName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralnames *
+NSSPKIXDistributionPointName_GetFullName
+(
+  NSSPKIXDistributionPointName *dpn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXDistributionPointName_GetNameRelativeToCRLIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRelativeDistinguishedName *
+NSSPKIXDistributionPointName_GetNameRelativeToCRLIssuer
+(
+  NSSPKIXDistributionPointName *dpn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXDistributionPointName_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXDistributionPointName_Equal
+(
+  NSSPKIXDistributionPointName *dpn1,
+  NSSPKIXDistributionPointName *dpn2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXDistributionPointName_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDistributionPointName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPointName *
+NSSPKIXDistributionPointName_Duplicate
+(
+  NSSPKIXDistributionPointName *dpn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * ReasonFlags
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ReasonFlags ::= BIT STRING {
+ *       unused                  (0),
+ *       keyCompromise           (1),
+ *       cACompromise            (2),
+ *       affiliationChanged      (3),
+ *       superseded              (4),
+ *       cessationOfOperation    (5),
+ *       certificateHold         (6) }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXReasonFlags_Decode
+ *  NSSPKIXReasonFlags_Create
+ *  NSSPKIXReasonFlags_CreateFromMask
+ *  NSSPKIXReasonFlags_Destroy
+ *  NSSPKIXReasonFlags_Encode
+ *  NSSPKIXReasonFlags_GetMask
+ *  NSSPKIXReasonFlags_SetMask
+ *  NSSPKIXReasonFlags_Equal
+ *  NSSPKIXReasonFlags_Duplicate
+ *    { bitwise accessors? }
+ *
+ */
+
+/*
+ * NSSPKIXReasonFlags_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXReasonFlags upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXReasonFlags *
+NSSPKIXReasonFlags_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXReasonFlags_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXReasonFlags upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXReasonFlags *
+NSSPKIXReasonFlags_Create
+(
+  NSSArena *arenaOpt,
+  PRBool keyCompromise,
+  PRBool cACompromise,
+  PRBool affiliationChanged,
+  PRBool superseded,
+  PRBool cessationOfOperation,
+  PRBool certificateHold
+);
+
+/*
+ * NSSPKIXReasonFlags_CreateFromMask
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS_MASK
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXReasonFlags upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXReasonFlags *
+NSSPKIXReasonFlags_CreateFromMask
+(
+  NSSArena *arenaOpt,
+  NSSPKIXReasonFlagsMask why
+);
+
+/*
+ * NSSPKIXReasonFlags_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXReasonFlags_Destroy
+(
+  NSSPKIXReasonFlags *reasonFlags
+);
+
+/*
+ * NSSPKIXReasonFlags_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXReasonFlags_Encode
+(
+  NSSPKIXReasonFlags *reasonFlags,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXReasonFlags_GetMask
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS
+ * 
+ * Return value:
+ *  A valid mask of NSSPKIXReasonFlagsMask values upon success
+ *  NSSPKIXReasonFlagsMask_NSSinvalid upon failure
+ */
+
+NSS_EXTERN NSSPKIXReasonFlagsMask
+NSSPKIXReasonFlags_GetMask
+(
+  NSSPKIXReasonFlags *reasonFlags
+);
+
+/*
+ * NSSPKIXReasonFlags_SetMask
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS_MASK
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXReasonFlags_SetMask
+(
+  NSSPKIXReasonFlags *reasonFlags,
+  NSSPKIXReasonFlagsMask mask
+);
+
+/*
+ * NSSPKIXReasonFlags_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXReasonFlags_Equal
+(
+  NSSPKIXReasonFlags *reasonFlags1,
+  NSSPKIXReasonFlags *reasonFlags2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXReasonFlags_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXReasonFlags upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXReasonFlags *
+NSSPKIXReasonFlags_Duplicate
+(
+  NSSPKIXReasonFlags *reasonFlags,
+  NSSArena *arenaOpt
+);
+
+/*
+ *   { bitwise accessors? }
+ *
+ */
+
+/*
+ * ExtKeyUsageSyntax
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXExtKeyUsageSyntax_Decode
+ *  NSSPKIXExtKeyUsageSyntax_Create
+ *  NSSPKIXExtKeyUsageSyntax_Destroy
+ *  NSSPKIXExtKeyUsageSyntax_Encode
+ *  NSSPKIXExtKeyUsageSyntax_GetKeyPurposeIdCount
+ *  NSSPKIXExtKeyUsageSyntax_GetKeyPurposeIds
+ *  NSSPKIXExtKeyUsageSyntax_SetKeyPurposeIds
+ *  NSSPKIXExtKeyUsageSyntax_GetKeyPurposeId
+ *  NSSPKIXExtKeyUsageSyntax_SetKeyPurposeId
+ *  NSSPKIXExtKeyUsageSyntax_InsertKeyPurposeId
+ *  NSSPKIXExtKeyUsageSyntax_AppendKeyPurposeId
+ *  NSSPKIXExtKeyUsageSyntax_RemoveKeyPurposeId
+ *  NSSPKIXExtKeyUsageSyntax_FindKeyPurposeId
+ *  NSSPKIXExtKeyUsageSyntax_Equal
+ *  NSSPKIXExtKeyUsageSyntax_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXExtKeyUsageSyntax_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtKeyUsageSyntax upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtKeyUsageSyntax *
+NSSPKIXExtKeyUsageSyntax_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXExtKeyUsageSyntax_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtKeyUsageSyntax upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtKeyUsageSyntax *
+NSSPKIXExtKeyUsageSyntax_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXKeyPurposeId *kpid1,
+  ...
+);
+
+/*
+ * NSSPKIXExtKeyUsageSyntax_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXExtKeyUsageSyntax_Destroy
+(
+  NSSPKIXExtKeyUsageSyntax *eku
+);
+
+/*
+ * NSSPKIXExtKeyUsageSyntax_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXExtKeyUsageSyntax_Encode
+(
+  NSSPKIXExtKeyUsageSyntax *eku,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXExtKeyUsageSyntax_GetKeyPurposeIdCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXExtKeyUsageSyntax_GetKeyPurposeIdCount
+(
+  NSSPKIXExtKeyUsageSyntax *eku
+);
+
+/*
+ * NSSPKIXExtKeyUsageSyntax_GetKeyPurposeIds
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ * 
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXKeyPurposeId pointers upon
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXKeyPurposeId **
+NSSPKIXExtKeyUsageSyntax_GetKeyPurposeIds
+(
+  NSSPKIXExtKeyUsageSyntax *eku,
+  NSSPKIXKeyPurposeId *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXExtKeyUsageSyntax_SetKeyPurposeIds
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXExtKeyUsageSyntax_SetKeyPurposeIds
+(
+  NSSPKIXExtKeyUsageSyntax *eku,
+  NSSPKIXKeyPurposeId *ids[],
+  PRInt32 count
+);
+
+/*
+ * NSSPKIXExtKeyUsageSyntax_GetKeyPurposeId
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXKeyPurposeId upon success
+ *  NULL upon error
+ */
+
+NSS_EXTERN NSSPKIXKeyPurposeId *
+NSSPKIXExtKeyUsageSyntax_GetKeyPurposeId
+(
+  NSSPKIXExtKeyUsageSyntax *eku,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXExtKeyUsageSyntax_SetKeyPurposeId
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXExtKeyUsageSyntax_SetKeyPurposeId
+(
+  NSSPKIXExtKeyUsageSyntax *eku,
+  PRInt32 i,
+  NSSPKIXKeyPurposeId *id
+);
+
+/*
+ * NSSPKIXExtKeyUsageSyntax_InsertKeyPurposeId
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXExtKeyUsageSyntax_InsertKeyPurposeId
+(
+  NSSPKIXExtKeyUsageSyntax *eku,
+  PRInt32 i,
+  NSSPKIXKeyPurposeId *id
+);
+
+/*
+ * NSSPKIXExtKeyUsageSyntax_AppendKeyPurposeId
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXExtKeyUsageSyntax_AppendKeyPurposeId
+(
+  NSSPKIXExtKeyUsageSyntax *eku,
+  NSSPKIXKeyPurposeId *id
+);
+
+/*
+ * NSSPKIXExtKeyUsageSyntax_RemoveKeyPurposeId
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXExtKeyUsageSyntax_RemoveKeyPurposeId
+(
+  NSSPKIXExtKeyUsageSyntax *eku,
+  PRInt32 i
+);
+
+/*
+ * NSSPKIXExtKeyUsageSyntax_FindKeyPurposeId
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  The index of the specified key purpose id upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXExtKeyUsageSyntax_FindKeyPurposeId
+(
+  NSSPKIXExtKeyUsageSyntax *eku,
+  NSSPKIXKeyPurposeId *id
+);
+
+/*
+ * NSSPKIXExtKeyUsageSyntax_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXExtKeyUsageSyntax_Equal
+(
+  NSSPKIXExtKeyUsageSyntax *eku1,
+  NSSPKIXExtKeyUsageSyntax *eku2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXExtKeyUsageSyntax_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtKeyUsageSyntax upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtKeyUsageSyntax *
+NSSPKIXExtKeyUsageSyntax_Duplicate
+(
+  NSSPKIXExtKeyUsageSyntax *eku,
+  NSSArena *arenaOpt
+);
+
+/*
+ * AuthorityInfoAccessSyntax
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  AuthorityInfoAccessSyntax  ::=
+ *          SEQUENCE SIZE (1..MAX) OF AccessDescription
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXAuthorityInfoAccessSyntax_Decode
+ *  NSSPKIXAuthorityInfoAccessSyntax_Create
+ *  NSSPKIXAuthorityInfoAccessSyntax_Destroy
+ *  NSSPKIXAuthorityInfoAccessSyntax_Encode
+ *  NSSPKIXAuthorityInfoAccessSyntax_GetAccessDescriptionCount
+ *  NSSPKIXAuthorityInfoAccessSyntax_GetAccessDescriptions
+ *  NSSPKIXAuthorityInfoAccessSyntax_SetAccessDescriptions
+ *  NSSPKIXAuthorityInfoAccessSyntax_GetAccessDescription
+ *  NSSPKIXAuthorityInfoAccessSyntax_SetAccessDescription
+ *  NSSPKIXAuthorityInfoAccessSyntax_InsertAccessDescription
+ *  NSSPKIXAuthorityInfoAccessSyntax_AppendAccessDescription
+ *  NSSPKIXAuthorityInfoAccessSyntax_RemoveAccessDescription
+ *  NSSPKIXAuthorityInfoAccessSyntax_FindAccessDescription
+ *  NSSPKIXAuthorityInfoAccessSyntax_Equal
+ *  NSSPKIXAuthorityInfoAccessSyntax_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXAuthorityInfoAccessSyntax_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAuthorityInfoAccessSyntax upon
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAuthorityInfoAccessSyntax *
+NSSPKIXAuthorityInfoAccessSyntax_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXAuthorityInfoAccessSyntax_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAuthorityInfoAccessSyntax upon
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAuthorityInfoAccessSyntax *
+NSSPKIXAuthorityInfoAccessSyntax_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAccessDescription *ad1,
+  ...
+);
+
+/*
+ * NSSPKIXAuthorityInfoAccessSyntax_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAuthorityInfoAccessSyntax_Destroy
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias
+);
+
+/*
+ * NSSPKIXAuthorityInfoAccessSyntax_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXAuthorityInfoAccessSyntax_Encode
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXAuthorityInfoAccessSyntax_GetAccessDescriptionCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXAuthorityInfoAccessSyntax_GetAccessDescriptionCount
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias
+);
+
+/*
+ * NSSPKIXAuthorityInfoAccessSyntax_GetAccessDescriptions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ * 
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXAccessDescription pointers
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAccessDescription **
+NSSPKIXAuthorityInfoAccessSyntax_GetAccessDescriptions
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias,
+  NSSPKIXAccessDescription *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXAuthorityInfoAccessSyntax_SetAccessDescriptions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAuthorityInfoAccessSyntax_SetAccessDescriptions
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias,
+  NSSPKIXAccessDescription *ad[],
+  PRInt32 count
+);
+
+/*
+ * NSSPKIXAuthorityInfoAccessSyntax_GetAccessDescription
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAccessDescription upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAccessDescription *
+NSSPKIXAuthorityInfoAccessSyntax_GetAccessDescription
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXAuthorityInfoAccessSyntax_SetAccessDescription
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAuthorityInfoAccessSyntax_SetAccessDescription
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias,
+  PRInt32 i,
+  NSSPKIXAccessDescription *ad
+);
+
+/*
+ * NSSPKIXAuthorityInfoAccessSyntax_InsertAccessDescription
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAuthorityInfoAccessSyntax_InsertAccessDescription
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias,
+  PRInt32 i,
+  NSSPKIXAccessDescription *ad
+);
+
+/*
+ * NSSPKIXAuthorityInfoAccessSyntax_AppendAccessDescription
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAuthorityInfoAccessSyntax_AppendAccessDescription
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias,
+  NSSPKIXAccessDescription *ad
+);
+
+/*
+ * NSSPKIXAuthorityInfoAccessSyntax_RemoveAccessDescription
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAuthorityInfoAccessSyntax_RemoveAccessDescription
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias,
+  PRInt32 i
+);
+
+/*
+ * NSSPKIXAuthorityInfoAccessSyntax_FindAccessDescription
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  The index of the specified policy mapping upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXAuthorityInfoAccessSyntax_FindAccessDescription
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias,
+  NSSPKIXAccessDescription *ad
+);
+
+/*
+ * NSSPKIXAuthorityInfoAccessSyntax_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXAuthorityInfoAccessSyntax_Equal
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias1,
+  NSSPKIXAuthorityInfoAccessSyntax *aias2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXAuthorityInfoAccessSyntax_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAuthorityInfoAccessSyntax upon
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAuthorityInfoAccessSyntax *
+NSSPKIXAuthorityInfoAccessSyntax_Duplicate
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias,
+  NSSArena *arenaOpt
+);
+
+/*
+ * AccessDescription
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  AccessDescription  ::=  SEQUENCE {
+ *          accessMethod          OBJECT IDENTIFIER,
+ *          accessLocation        GeneralName  }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXAccessDescription_Decode
+ *  NSSPKIXAccessDescription_Create
+ *  NSSPKIXAccessDescription_Destroy
+ *  NSSPKIXAccessDescription_Encode
+ *  NSSPKIXAccessDescription_GetAccessMethod
+ *  NSSPKIXAccessDescription_SetAccessMethod
+ *  NSSPKIXAccessDescription_GetAccessLocation
+ *  NSSPKIXAccessDescription_SetAccessLocation
+ *  NSSPKIXAccessDescription_Equal
+ *  NSSPKIXAccessDescription_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXAccessDescription_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAccessDescription upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAccessDescription *
+NSSPKIXAccessDescription_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXAccessDescription_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAccessDescription upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAccessDescription *
+NSSPKIXAccessDescription_Create
+(
+  NSSArena *arenaOpt,
+  NSSOID *accessMethod,
+  NSSPKIXGeneralName *accessLocation
+);
+
+/*
+ * NSSPKIXAccessDescription_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAccessDescription_Destroy
+(
+  NSSPKIXAccessDescription *ad
+);
+
+/*
+ * NSSPKIXAccessDescription_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXAccessDescription_Encode
+(
+  NSSPKIXAccessDescription *ad,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXAccessDescription_GetAccessMethod
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSOID pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSOID *
+NSSPKIXAccessDescription_GetAccessMethod
+(
+  NSSPKIXAccessDescription *ad
+);
+
+/*
+ * NSSPKIXAccessDescription_SetAccessMethod
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAccessDescription_SetAccessMethod
+(
+  NSSPKIXAccessDescription *ad,
+  NSSOID *accessMethod
+);
+
+/*
+ * NSSPKIXAccessDescription_GetAccessLocation
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+NSSPKIXAccessDescription_GetAccessLocation
+(
+  NSSPKIXAccessDescription *ad,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXAccessDescription_SetAccessLocation
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAccessDescription_SetAccessLocation
+(
+  NSSPKIXAccessDescription *ad,
+  NSSPKIXGeneralName *accessLocation
+);
+
+/*
+ * NSSPKIXAccessDescription_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXAccessDescription_Equal
+(
+  NSSPKIXAccessDescription *ad1,
+  NSSPKIXAccessDescription *ad2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXAccessDescription_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAccessDescription upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAccessDescription *
+NSSPKIXAccessDescription_Duplicate
+(
+  NSSPKIXAccessDescription *ad,
+  NSSArena *arenaOpt
+);
+
+/*
+ * IssuingDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  IssuingDistributionPoint ::= SEQUENCE {
+ *       distributionPoint       [0] DistributionPointName OPTIONAL,
+ *       onlyContainsUserCerts   [1] BOOLEAN DEFAULT FALSE,
+ *       onlyContainsCACerts     [2] BOOLEAN DEFAULT FALSE,
+ *       onlySomeReasons         [3] ReasonFlags OPTIONAL,
+ *       indirectCRL             [4] BOOLEAN DEFAULT FALSE }
+ *
+ * The public calls for this type:
+ *
+ *  NSSPKIXIssuingDistributionPoint_Decode
+ *  NSSPKIXIssuingDistributionPoint_Create
+ *  NSSPKIXIssuingDistributionPoint_Destroy
+ *  NSSPKIXIssuingDistributionPoint_Encode
+ *  NSSPKIXIssuingDistributionPoint_HasDistributionPoint
+ *  NSSPKIXIssuingDistributionPoint_GetDistributionPoint
+ *  NSSPKIXIssuingDistributionPoint_SetDistributionPoint
+ *  NSSPKIXIssuingDistributionPoint_RemoveDistributionPoint
+ *  NSSPKIXIssuingDistributionPoint_GetOnlyContainsUserCerts
+ *  NSSPKIXIssuingDistributionPoint_SetOnlyContainsUserCerts
+ *  NSSPKIXIssuingDistributionPoint_GetOnlyContainsCACerts
+ *  NSSPKIXIssuingDistributionPoint_SetOnlyContainsCACerts
+ *  NSSPKIXIssuingDistributionPoint_HasOnlySomeReasons
+ *  NSSPKIXIssuingDistributionPoint_GetOnlySomeReasons
+ *  NSSPKIXIssuingDistributionPoint_SetOnlySomeReasons
+ *  NSSPKIXIssuingDistributionPoint_RemoveOnlySomeReasons
+ *  NSSPKIXIssuingDistributionPoint_GetIndirectCRL
+ *  NSSPKIXIssuingDistributionPoint_SetIndirectCRL
+ *  NSSPKIXIssuingDistributionPoint_Equal
+ *  NSSPKIXIssuingDistributionPoint_Duplicate
+ *
+ */
+
+/*
+ * NSSPKIXIssuingDistributionPoint_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXIssuingDistributionPoint upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXIssuingDistributionPoint *
+NSSPKIXIssuingDistributionPoint_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * NSSPKIXIssuingDistributionPoint_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXIssuingDistributionPoint upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXIssuingDistributionPoint *
+NSSPKIXIssuingDistributionPoint_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXDistributionPointName *distributionPointOpt,
+  PRBool onlyContainsUserCerts,
+  PRBool onlyContainsCACerts,
+  NSSPKIXReasonFlags *onlySomeReasons
+  PRBool indirectCRL
+);
+
+/*
+ * NSSPKIXIssuingDistributionPoint_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXIssuingDistributionPoint_Destroy
+(
+  NSSPKIXIssuingDistributionPoint *idp
+);
+
+/*
+ * NSSPKIXIssuingDistributionPoint_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+NSSPKIXIssuingDistributionPoint_Encode
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXIssuingDistributionPoint_HasDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXIssuingDistributionPoint_HasDistributionPoint
+(
+  NSSPKIXIssuingDistributionPoint *idp
+);
+
+/*
+ * NSSPKIXIssuingDistributionPoint_GetDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ *  NSS_ERROR_HAS_NO_DISTRIBUTION_POINT
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDistributionPointName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPointName *
+NSSPKIXIssuingDistributionPoint_GetDistributionPoint
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXIssuingDistributionPoint_SetDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXIssuingDistributionPoint_SetDistributionPoint
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  NSSPKIXDistributionPointName *dpn
+);
+
+/*
+ * NSSPKIXIssuingDistributionPoint_RemoveDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ *  NSS_ERROR_HAS_NO_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXIssuingDistributionPoint_RemoveDistributionPoint
+(
+  NSSPKIXIssuingDistributionPoint *idp
+);
+
+/*
+ * NSSPKIXIssuingDistributionPoint_GetOnlyContainsUserCerts
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_TRUE if the onlyContainsUserCerts value is true
+ *  PR_FALSE if it isn't
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXIssuingDistributionPoint_GetOnlyContainsUserCerts
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXIssuingDistributionPoint_SetOnlyContainsUserCerts
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXIssuingDistributionPoint_SetOnlyContainsUserCerts
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  PRBool onlyContainsUserCerts
+);
+
+/*
+ * NSSPKIXIssuingDistributionPoint_GetOnlyContainsCACerts
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_TRUE if the onlyContainsCACerts value is true
+ *  PR_FALSE if it isn't
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXIssuingDistributionPoint_GetOnlyContainsCACerts
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXIssuingDistributionPoint_SetOnlyContainsCACerts
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXIssuingDistributionPoint_SetOnlyContainsCACerts
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  PRBool onlyContainsCACerts
+);
+
+/*
+ * NSSPKIXIssuingDistributionPoint_HasOnlySomeReasons
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXIssuingDistributionPoint_HasOnlySomeReasons
+(
+  NSSPKIXIssuingDistributionPoint *idp
+);
+
+/*
+ * NSSPKIXIssuingDistributionPoint_GetOnlySomeReasons
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ *  NSS_ERROR_HAS_NO_ONLY_SOME_REASONS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXReasonFlags upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXReasonFlags *
+NSSPKIXIssuingDistributionPoint_GetOnlySomeReasons
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NSSPKIXIssuingDistributionPoint_SetOnlySomeReasons
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXIssuingDistributionPoint_SetOnlySomeReasons
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  NSSPKIXReasonFlags *onlySomeReasons
+);
+
+/*
+ * NSSPKIXIssuingDistributionPoint_RemoveOnlySomeReasons
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ *  NSS_ERROR_HAS_NO_ONLY_SOME_REASONS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXIssuingDistributionPoint_RemoveOnlySomeReasons
+(
+  NSSPKIXIssuingDistributionPoint *idp
+);
+
+/*
+ * NSSPKIXIssuingDistributionPoint_GetIndirectCRL
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_TRUE if the indirectCRL value is true
+ *  PR_FALSE if it isn't
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXIssuingDistributionPoint_GetIndirectCRL
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXIssuingDistributionPoint_SetIndirectCRL
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXIssuingDistributionPoint_SetIndirectCRL
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  PRBool indirectCRL
+);
+
+/*
+ * NSSPKIXIssuingDistributionPoint_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXIssuingDistributionPoint_Equal
+(
+  NSSPKIXIssuingDistributionPoint *idp1,
+  NSSPKIXIssuingDistributionPoint *idp2,
+  PRStatus *statusOpt
+);
+
+/*
+ * NSSPKIXIssuingDistributionPoint_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXIssuingDistributionPoint upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXIssuingDistributionPoint *
+NSSPKIXIssuingDistributionPoint_Duplicate
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  NSSArena *arenaOpt
+);
+
+PR_END_EXTERN_C
+
+#endif /* NSSPKIX_H */
diff --git a/security/nss/lib/pkix/include/nsspkixt.h b/security/nss/lib/pkix/include/nsspkixt.h
new file mode 100644
index 000000000..ea35269ff
--- /dev/null
+++ b/security/nss/lib/pkix/include/nsspkixt.h
@@ -0,0 +1,2281 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef NSSPKIXT_H
+#define NSSPKIXT_H
+
+#ifdef DEBUG
+static const char NSSPKIXT_CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * nsspkixt.h
+ *
+ * This file contains the public type definitions for the PKIX part-1
+ * objects.  The contents are strongly based on the types defined in
+ * RFC 2459 {fgmr: and others, e.g., s/mime?}.  The type names have
+ * been prefixed with "NSSPKIX."
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * A Note About Strings
+ *
+ * RFC 2459 refers to several types of strings, including UniversalString,
+ * BMPString, UTF8String, TeletexString, PrintableString, IA5String, and
+ * more.  As with the rest of the NSS libraries, all strings are converted
+ * to UTF8 form as soon as possible, and dealt with in that form from
+ * then on.
+ *
+ */
+
+/*
+ * Attribute
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Attribute       ::=     SEQUENCE {
+ *          type            AttributeType,
+ *          values  SET OF AttributeValue
+ *                  -- at least one value is required -- }
+ *
+ */
+
+struct NSSPKIXAttributeStr;
+typedef struct NSSPKIXAttributeStr NSSPKIXAttribute;
+
+/*
+ * AttributeType
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  AttributeType           ::=   OBJECT IDENTIFIER
+ *
+ */
+
+typedef NSSOID NSSPKIXAttributeType;
+
+/*
+ * AttributeValue
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  AttributeValue          ::=   ANY
+ *
+ */
+
+typedef NSSItem NSSPKIXAttributeValue;
+
+/*
+ * AttributeTypeAndValue
+ *
+ * This structure contains an attribute type (indicated by an OID), 
+ * and the type-specific value.  RelativeDistinguishedNamess consist
+ * of a set of these.  These are distinct from Attributes (which have
+ * SET of values), from AttributeDescriptions (which have qualifiers
+ * on the types), and from AttributeValueAssertions (which assert a
+ * a value comparison under some matching rule).
+ *
+ * From RFC 2459:
+ *
+ *  AttributeTypeAndValue           ::=     SEQUENCE {
+ *          type    AttributeType,
+ *          value   AttributeValue }
+ * 
+ */
+
+struct NSSPKIXAttributeTypeAndValueStr;
+typedef struct NSSPKIXAttributeTypeAndValueStr NSSPKIXAttributeTypeAndValue;
+
+/*
+ * X520Name
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520name        ::= CHOICE {
+ *        teletexString         TeletexString (SIZE (1..ub-name)),
+ *        printableString       PrintableString (SIZE (1..ub-name)),
+ *        universalString       UniversalString (SIZE (1..ub-name)),
+ *        utf8String            UTF8String (SIZE (1..ub-name)),
+ *        bmpString             BMPString (SIZE(1..ub-name))   }
+ *
+ */
+
+struct NSSPKIXX520NameStr;
+typedef struct NSSPKIXX520NameStr NSSPKIXX520Name;
+
+/*
+ * X520CommonName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520CommonName  ::=      CHOICE {
+ *        teletexString         TeletexString (SIZE (1..ub-common-name)),
+ *        printableString       PrintableString (SIZE (1..ub-common-name)),
+ *        universalString       UniversalString (SIZE (1..ub-common-name)),
+ *        utf8String            UTF8String (SIZE (1..ub-common-name)),
+ *        bmpString             BMPString (SIZE(1..ub-common-name))   }
+ * 
+ */
+
+struct NSSPKIXX520CommonNameStr;
+typedef struct NSSPKIXX520CommonNameStr NSSPKIXX520CommonName;
+
+/*
+ * X520LocalityName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520LocalityName ::= CHOICE {
+ *        teletexString       TeletexString (SIZE (1..ub-locality-name)),
+ *        printableString     PrintableString (SIZE (1..ub-locality-name)),
+ *        universalString     UniversalString (SIZE (1..ub-locality-name)),
+ *        utf8String          UTF8String (SIZE (1..ub-locality-name)),
+ *        bmpString           BMPString (SIZE(1..ub-locality-name))   }
+ * 
+ */
+
+struct NSSPKIXX520LocalityNameStr;
+typedef struct NSSPKIXX520LocalityNameStr NSSPKIXX520LocalityName;
+
+/*
+ * X520StateOrProvinceName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520StateOrProvinceName         ::= CHOICE {
+ *        teletexString       TeletexString (SIZE (1..ub-state-name)),
+ *        printableString     PrintableString (SIZE (1..ub-state-name)),
+ *        universalString     UniversalString (SIZE (1..ub-state-name)),
+ *        utf8String          UTF8String (SIZE (1..ub-state-name)),
+ *        bmpString           BMPString (SIZE(1..ub-state-name))   }
+ *
+ */
+
+struct NSSPKIXX520StateOrProvinceNameStr;
+typedef struct NSSPKIXX520StateOrProvinceNameStr NSSPKIXX520StateOrProvinceName;
+
+/*
+ * X520OrganizationName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520OrganizationName ::= CHOICE {
+ *    teletexString     TeletexString (SIZE (1..ub-organization-name)),
+ *    printableString   PrintableString (SIZE (1..ub-organization-name)),
+ *    universalString   UniversalString (SIZE (1..ub-organization-name)),
+ *    utf8String        UTF8String (SIZE (1..ub-organization-name)),
+ *    bmpString         BMPString (SIZE(1..ub-organization-name))   }
+ *
+ */
+
+struct NSSPKIXX520OrganizationNameStr;
+typedef struct NSSPKIXX520OrganizationNameStr NSSPKIXX520OrganizationName;
+
+/*
+ * X520OrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520OrganizationalUnitName ::= CHOICE {
+ *   teletexString    TeletexString (SIZE (1..ub-organizational-unit-name)),
+ *   printableString        PrintableString
+ *                        (SIZE (1..ub-organizational-unit-name)),
+ *   universalString        UniversalString
+ *                        (SIZE (1..ub-organizational-unit-name)),
+ *   utf8String       UTF8String (SIZE (1..ub-organizational-unit-name)),
+ *   bmpString        BMPString (SIZE(1..ub-organizational-unit-name))   }
+ *
+ */
+
+struct NSSPKIXX520OrganizationalUnitNameStr;
+typedef struct NSSPKIXX520OrganizationalUnitNameStr NSSPKIXX520OrganizationalUnitName;
+
+/*
+ * X520Title
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520Title ::=   CHOICE {
+ *        teletexString         TeletexString (SIZE (1..ub-title)),
+ *        printableString       PrintableString (SIZE (1..ub-title)),
+ *        universalString       UniversalString (SIZE (1..ub-title)),
+ *        utf8String            UTF8String (SIZE (1..ub-title)),
+ *        bmpString             BMPString (SIZE(1..ub-title))   }
+ *
+ */
+
+struct NSSPKIXX520TitleStr;
+typedef struct NSSPKIXX520TitleStr NSSPKIXX520Title;
+
+/*
+ * X520dnQualifier
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520dnQualifier ::=     PrintableString
+ *
+ */
+
+struct NSSPKIXX520dnQualifierStr;
+typedef struct NSSPKIXX520dnQualifierStr NSSPKIXX520dnQualifier;
+
+/*
+ * X520countryName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520countryName ::=     PrintableString (SIZE (2)) -- IS 3166 codes
+ *
+ */
+
+struct NSSPKIXX520countryNameStr;
+typedef struct NSSPKIXX520countryNameStr NSSPKIXX520countryName;
+
+/*
+ * Pkcs9email
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Pkcs9email ::= IA5String (SIZE (1..ub-emailaddress-length))
+ *
+ */
+
+struct NSSPKIXPkcs9emailStr;
+typedef struct NSSPKIXPkcs9emailStr NSSPKIXPkcs9email;
+
+/*
+ * Name
+ *
+ * This structure contains a union of the possible name formats,
+ * which at the moment is limited to an RDNSequence.
+ *
+ * From RFC 2459:
+ *
+ *  Name            ::=   CHOICE { -- only one possibility for now --
+ *                                   rdnSequence  RDNSequence }
+ *
+ */
+
+struct NSSPKIXNameStr;
+typedef struct NSSPKIXNameStr NSSPKIXName;
+
+/*
+ * NameChoice
+ *
+ * This enumeration is used to specify choice within a name.
+ */
+
+enum NSSPKIXNameChoiceEnum {
+  NSSPKIXNameChoice_NSSinvalid = -1,
+  NSSPKIXNameChoice_rdnSequence
+};
+typedef enum NSSPKIXNameChoiceEnum NSSPKIXNameChoice;
+
+/*
+ * RDNSequence
+ *
+ * This structure contains a sequence of RelativeDistinguishedName
+ * objects.
+ *
+ * From RFC 2459:
+ *
+ *  RDNSequence     ::=   SEQUENCE OF RelativeDistinguishedName
+ *
+ */
+
+struct NSSPKIXRDNSequenceStr;
+typedef struct NSSPKIXRDNSequenceStr NSSPKIXRDNSequence;
+
+/*
+ * DistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  DistinguishedName       ::=   RDNSequence
+ *
+ */
+
+typedef NSSPKIXRDNSequence NSSPKIXDistinguishedName;
+
+/*
+ * RelativeDistinguishedName
+ *
+ * This structure contains an unordered set of AttributeTypeAndValue 
+ * objects.  RDNs are used to distinguish a set of objects underneath 
+ * a common object.
+ *
+ * Often, a single ATAV is sufficient to make a unique distinction.
+ * For example, if a company assigns its people unique uid values,
+ * then in the Name "uid=smith,ou=People,o=Acme,c=US" the "uid=smith"
+ * ATAV by itself forms an RDN.  However, sometimes a set of ATAVs is
+ * needed.  For example, if a company needed to distinguish between
+ * two Smiths by specifying their corporate divisions, then in the
+ * Name "(cn=Smith,ou=Sales),ou=People,o=Acme,c=US" the parenthesised
+ * set of ATAVs forms the RDN.
+ *
+ * From RFC 2459:
+ *
+ *  RelativeDistinguishedName  ::=
+ *                      SET SIZE (1 .. MAX) OF AttributeTypeAndValue
+ *
+ */
+
+struct NSSPKIXRelativeDistinguishedNameStr;
+typedef struct NSSPKIXRelativeDistinguishedNameStr NSSPKIXRelativeDistinguishedName;
+
+/*
+ * DirectoryString
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  DirectoryString ::= CHOICE {
+ *        teletexString             TeletexString (SIZE (1..MAX)),
+ *        printableString           PrintableString (SIZE (1..MAX)),
+ *        universalString           UniversalString (SIZE (1..MAX)),
+ *        utf8String              UTF8String (SIZE (1..MAX)),
+ *        bmpString               BMPString (SIZE(1..MAX))   }
+ *
+ */
+
+struct NSSPKIXDirectoryStringStr;
+typedef struct NSSPKIXDirectoryStringStr NSSPKIXDirectoryString;
+
+/*
+ * Certificate
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Certificate  ::=  SEQUENCE  {
+ *       tbsCertificate       TBSCertificate,
+ *       signatureAlgorithm   AlgorithmIdentifier,
+ *       signature            BIT STRING  }
+ *
+ */
+
+struct NSSPKIXCertificateStr;
+typedef struct NSSPKIXCertificateStr NSSPKIXCertificate;
+
+/*
+ * TBSCertificate
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TBSCertificate  ::=  SEQUENCE  {
+ *       version         [0]  Version DEFAULT v1,
+ *       serialNumber         CertificateSerialNumber,
+ *       signature            AlgorithmIdentifier,
+ *       issuer               Name,
+ *       validity             Validity,
+ *       subject              Name,
+ *       subjectPublicKeyInfo SubjectPublicKeyInfo,
+ *       issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
+ *                            -- If present, version shall be v2 or v3
+ *       subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
+ *                            -- If present, version shall be v2 or v3
+ *       extensions      [3]  Extensions OPTIONAL
+ *                            -- If present, version shall be v3 --  }
+ *
+ */
+
+struct NSSPKIXTBSCertificateStr;
+typedef struct NSSPKIXTBSCertificateStr NSSPKIXTBSCertificate;
+
+/*
+ * Version
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+ *
+ */
+
+enum NSSPKIXVersionEnum {
+  NSSPKIXVersion_NSSinvalid = -1,
+  NSSPKIXVersion_v1 = 0,
+  NSSPKIXVersion_v2 = 1,
+  NSSPKIXVersion_v3 = 2
+};
+typedef enum NSSPKIXVersionEnum NSSPKIXVersion;
+
+/*
+ * CertificateSerialNumber
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CertificateSerialNumber  ::=  INTEGER
+ *
+ */
+
+typedef NSSBER NSSPKIXCertificateSerialNumber;
+
+/*
+ * Validity
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Validity ::= SEQUENCE {
+ *       notBefore      Time,
+ *       notAfter       Time }
+ *
+ */
+
+struct NSSPKIXValidityStr;
+typedef struct NSSPKIXValidityStr NSSPKIXValidity;
+
+/*
+ * Time
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Time ::= CHOICE {
+ *       utcTime        UTCTime,
+ *       generalTime    GeneralizedTime }
+ *
+ */
+
+struct NSSPKIXTimeStr;
+typedef struct NSSPKIXTimeStr NSSPKIXTime;
+
+/*
+ * UniqueIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  UniqueIdentifier  ::=  BIT STRING
+ *
+ */
+
+typedef NSSBitString NSSPKIXUniqueIdentifier;
+
+/*
+ * SubjectPublicKeyInfo
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  SubjectPublicKeyInfo  ::=  SEQUENCE  {
+ *       algorithm            AlgorithmIdentifier,
+ *       subjectPublicKey     BIT STRING  }
+ *
+ */
+
+struct NSSPKIXSubjectPublicKeyInfoStr;
+typedef NSSPKIXSubjectPublicKeyInfoStr NSSPKIXSubjectPublicKeyInfo;
+
+/*
+ * Extensions
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
+ *
+ */
+
+struct NSSPKIXExtensionsStr;
+typedef struct NSSPKIXExtensionsStr NSSPKIXExtensions;
+
+/*
+ * Extension
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Extension  ::=  SEQUENCE  {
+ *       extnID      OBJECT IDENTIFIER,
+ *       critical    BOOLEAN DEFAULT FALSE,
+ *       extnValue   OCTET STRING  }
+ *
+ */
+
+struct NSSPKIXExtensionStr;
+typedef struct NSSPKIXExtensionStr NSSPKIXExtension;
+
+/*
+ * CertificateList
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CertificateList  ::=  SEQUENCE  {
+ *       tbsCertList          TBSCertList,
+ *       signatureAlgorithm   AlgorithmIdentifier,
+ *       signature            BIT STRING  }
+ *
+ */
+
+struct NSSPKIXCertificateListStr;
+typedef struct NSSPKIXCertificateListStr NSSPKIXCertificateList;
+
+/*
+ * TBSCertList
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TBSCertList  ::=  SEQUENCE  {
+ *       version                 Version OPTIONAL,
+ *                                    -- if present, shall be v2
+ *       signature               AlgorithmIdentifier,
+ *       issuer                  Name,
+ *       thisUpdate              Time,
+ *       nextUpdate              Time OPTIONAL,
+ *       revokedCertificates     SEQUENCE OF SEQUENCE  {
+ *            userCertificate         CertificateSerialNumber,
+ *            revocationDate          Time,
+ *            crlEntryExtensions      Extensions OPTIONAL
+ *                                           -- if present, shall be v2
+ *                                 }  OPTIONAL,
+ *       crlExtensions           [0] Extensions OPTIONAL
+ *                                           -- if present, shall be v2 -- }
+ *
+ */
+
+struct NSSPKIXTBSCertListStr;
+typedef struct NSSPKIXTBSCertListStr NSSPKIXTBSCertList;
+
+/*
+ * revokedCertificates
+ *
+ * This is a "helper type" to simplify handling of TBSCertList objects.
+ *
+ *       revokedCertificates     SEQUENCE OF SEQUENCE  {
+ *            userCertificate         CertificateSerialNumber,
+ *            revocationDate          Time,
+ *            crlEntryExtensions      Extensions OPTIONAL
+ *                                           -- if present, shall be v2
+ *                                 }  OPTIONAL,
+ *
+ */
+
+struct NSSPKIXrevokedCertificatesStr;
+typedef struct NSSPKIXrevokedCertificatesStr NSSPKIXrevokedCertificates;
+
+/*
+ * revokedCertificate
+ *
+ * This is a "helper type" to simplify handling of TBSCertList objects.
+ *
+ *                                           SEQUENCE  {
+ *            userCertificate         CertificateSerialNumber,
+ *            revocationDate          Time,
+ *            crlEntryExtensions      Extensions OPTIONAL
+ *                                           -- if present, shall be v2
+ *                                 }  OPTIONAL,
+ *
+ */
+
+struct NSSPKIXrevokedCertificateStr;
+typedef struct NSSPKIXrevokedCertificateStr NSSPKIXrevokedCertificate;
+
+/*
+ * AlgorithmIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ * (1988 syntax)
+ *
+ *  AlgorithmIdentifier  ::=  SEQUENCE  {
+ *       algorithm               OBJECT IDENTIFIER,
+ *       parameters              ANY DEFINED BY algorithm OPTIONAL  }
+ *                                  -- contains a value of the type
+ *                                  -- registered for use with the
+ *                                  -- algorithm object identifier value
+ *
+ *
+ */
+
+struct NSSPKIXAlgorithmIdentifierStr;
+typedef NSSPKIXAlgorithmIdentifierStr NSSPKIXAlgorithmIdentifier;
+
+/*
+ * -- types related to NSSPKIXAlgorithmIdentifiers:
+ *
+ *  Dss-Sig-Value  ::=  SEQUENCE  {
+ *       r       INTEGER,
+ *       s       INTEGER  }
+ *  
+ *  DomainParameters ::= SEQUENCE {
+ *       p       INTEGER, -- odd prime, p=jq +1
+ *       g       INTEGER, -- generator, g
+ *       q       INTEGER, -- factor of p-1
+ *       j       INTEGER OPTIONAL, -- subgroup factor, j>= 2
+ *       validationParms  ValidationParms OPTIONAL }
+ *  
+ *  ValidationParms ::= SEQUENCE {
+ *       seed             BIT STRING,
+ *       pgenCounter      INTEGER }
+ *  
+ *  Dss-Parms  ::=  SEQUENCE  {
+ *       p             INTEGER,
+ *       q             INTEGER,
+ *       g             INTEGER  }
+ *
+ */
+
+/*
+ * ORAddress
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ORAddress ::= SEQUENCE {
+ *     built-in-standard-attributes BuiltInStandardAttributes,
+ *     built-in-domain-defined-attributes
+ *                          BuiltInDomainDefinedAttributes OPTIONAL,
+ *     -- see also teletex-domain-defined-attributes
+ *     extension-attributes ExtensionAttributes OPTIONAL }
+ *  --      The OR-address is semantically absent from the OR-name if the
+ *  --      built-in-standard-attribute sequence is empty and the
+ *  --      built-in-domain-defined-attributes and extension-attributes are
+ *  --      both omitted.
+ *
+ */
+
+struct NSSPKIXORAddressStr;
+typedef struct NSSPKIXORAddressStr NSSPKIXORAddress;
+
+/*
+ * BuiltInStandardAttributes
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  BuiltInStandardAttributes ::= SEQUENCE {
+ *     country-name CountryName OPTIONAL,
+ *     administration-domain-name AdministrationDomainName OPTIONAL,
+ *     network-address      [0] NetworkAddress OPTIONAL,
+ *     -- see also extended-network-address
+ *     terminal-identifier  [1] TerminalIdentifier OPTIONAL,
+ *     private-domain-name  [2] PrivateDomainName OPTIONAL,
+ *     organization-name    [3] OrganizationName OPTIONAL,
+ *     -- see also teletex-organization-name
+ *     numeric-user-identifier      [4] NumericUserIdentifier OPTIONAL,
+ *     personal-name        [5] PersonalName OPTIONAL,
+ *     -- see also teletex-personal-name
+ *     organizational-unit-names    [6] OrganizationalUnitNames OPTIONAL
+ *     -- see also teletex-organizational-unit-names -- }
+ *
+ */
+
+struct NSSPKIXBuiltInStandardAttributesStr;
+typedef struct NSSPKIXBuiltInStandardAttributesStr NSSPKIXBuiltInStandardAttributes;
+
+/*
+ * CountryName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CountryName ::= [APPLICATION 1] CHOICE {
+ *     x121-dcc-code NumericString
+ *                  (SIZE (ub-country-name-numeric-length)),
+ *     iso-3166-alpha2-code PrintableString
+ *                  (SIZE (ub-country-name-alpha-length)) }
+ *
+ */
+
+struct NSSPKIXCountryNameStr;
+typedef struct NSSPKIXCountryNameStr NSSPKIXCountryName;
+
+/*
+ * AdministrationDomainName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  AdministrationDomainName ::= [APPLICATION 2] CHOICE {
+ *     numeric NumericString (SIZE (0..ub-domain-name-length)),
+ *     printable PrintableString (SIZE (0..ub-domain-name-length)) }
+ *
+ */
+
+struct NSSPKIXAdministrationDomainNameStr;
+typedef struct NSSPKIXAdministrationDomainNameStr NSSPKIXAdministrationDomainName;
+
+/*
+ * X121Address
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X121Address ::= NumericString (SIZE (1..ub-x121-address-length))
+ *
+ */
+
+struct NSSPKIXX121AddressStr;
+typedef struct NSSPKIXX121AddressStr NSSPKIXX121Address;
+
+/*
+ * NetworkAddress
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  NetworkAddress ::= X121Address  -- see also extended-network-address
+ *
+ */
+
+struct NSSPKIXNetworkAddressStr;
+typedef struct NSSPKIXNetworkAddressStr NSSPKIXNetworkAddress;
+
+/*
+ * TerminalIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TerminalIdentifier ::= PrintableString (SIZE (1..ub-terminal-id-length))
+ *
+ */
+
+struct NSSPKIXTerminalIdentifierStr;
+typedef struct NSSPKIXTerminalIdentifierStr NSSPKIXTerminalIdentifier;
+
+/*
+ * PrivateDomainName
+ *
+ * -- fgmr comments -- 
+ *
+ *  PrivateDomainName ::= CHOICE {
+ *     numeric NumericString (SIZE (1..ub-domain-name-length)),
+ *     printable PrintableString (SIZE (1..ub-domain-name-length)) }
+ *
+ */
+
+struct NSSPKIXPrivateDomainNameStr;
+typedef struct NSSPKIXPrivateDomainNameStr NSSPKIXPrivateDomainName;
+
+/*
+ * OrganizationName
+ *
+ * -- fgmr comments --
+ *
+ *  OrganizationName ::= PrintableString
+ *                              (SIZE (1..ub-organization-name-length))
+ * 
+ */
+
+struct NSSPKIXOrganizationNameStr;
+typedef struct NSSPKIXOrganizationNameStr NSSPKIXOrganizationName;
+
+/*
+ * NumericUserIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  NumericUserIdentifier ::= NumericString
+ *                              (SIZE (1..ub-numeric-user-id-length))
+ * 
+ */
+
+struct NSSPKIXNumericUserIdentifierStr;
+typedef struct NSSPKIXNumericUserIdentifierStr NSSPKIXNumericUserIdentifier;
+
+/*
+ * PersonalName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PersonalName ::= SET {
+ *     surname [0] PrintableString (SIZE (1..ub-surname-length)),
+ *     given-name [1] PrintableString
+ *                          (SIZE (1..ub-given-name-length)) OPTIONAL,
+ *     initials [2] PrintableString (SIZE (1..ub-initials-length)) OPTIONAL,
+ *     generation-qualifier [3] PrintableString
+ *                  (SIZE (1..ub-generation-qualifier-length)) OPTIONAL }
+ *
+ */
+
+struct NSSPKIXPersonalNameStr;
+typedef NSSPKIXPersonalNameStr NSSPKIXPersonalName;
+
+/*
+ * OrganizationalUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
+ *                                          OF OrganizationalUnitName
+ * 
+ */
+
+struct NSSPKIXOrganizationalUnitNamesStr;
+typedef NSSPKIXOrganizationalUnitNamesStr NSSPKIXOrganizationalUnitNames;
+
+/*
+ * OrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  OrganizationalUnitName ::= PrintableString (SIZE
+ *                          (1..ub-organizational-unit-name-length))
+ *
+ */
+
+struct NSSPKIXOrganizationalUnitNameStr;
+typedef struct NSSPKIXOrganizationalUnitNameStr NSSPKIXOrganizationalUnitName;
+
+/*
+ * BuiltInDomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
+ *                                  (1..ub-domain-defined-attributes) OF
+ *                                  BuiltInDomainDefinedAttribute
+ *
+ */
+
+struct NSSPKIXBuiltInDomainDefinedAttributesStr;
+typedef struct NSSPKIXBuiltInDomainDefinedAttributesStr NSSPKIXBuiltInDomainDefinedAttributes;
+
+/*
+ * BuiltInDomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  BuiltInDomainDefinedAttribute ::= SEQUENCE {
+ *     type PrintableString (SIZE
+ *                          (1..ub-domain-defined-attribute-type-length)),
+ *     value PrintableString (SIZE
+ *                          (1..ub-domain-defined-attribute-value-length))}
+ *
+ */
+
+struct NSSPKIXBuiltInDomainDefinedAttributeStr;
+typedef struct NSSPKIXBuiltInDomainDefinedAttributeStr NSSPKIXBuiltInDomainDefinedAttribute;
+
+/*
+ * ExtensionAttributes
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
+ *                          ExtensionAttribute
+ *
+ */
+
+struct NSSPKIXExtensionAttributesStr;
+typedef struct NSSPKIXExtensionAttributesStr NSSPKIXExtensionAttributes;
+
+/*
+ * ExtensionAttribute
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ExtensionAttribute ::=  SEQUENCE {
+ *     extension-attribute-type [0] INTEGER (0..ub-extension-attributes),
+ *     extension-attribute-value [1]
+ *                          ANY DEFINED BY extension-attribute-type }
+ *
+ */
+
+struct NSSPKIXExtensionAttributeStr;
+typedef struct NSSPKIXExtensionAttributeStr NSSPKIXExtensionAttribute;
+
+/*
+ * ExtensionAttributeType
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  common-name INTEGER ::= 1
+ *  teletex-common-name INTEGER ::= 2
+ *  teletex-organization-name INTEGER ::= 3
+ *  teletex-personal-name INTEGER ::= 4
+ *  teletex-organizational-unit-names INTEGER ::= 5
+ *  teletex-domain-defined-attributes INTEGER ::= 6
+ *  pds-name INTEGER ::= 7
+ *  physical-delivery-country-name INTEGER ::= 8
+ *  postal-code INTEGER ::= 9
+ *  physical-delivery-office-name INTEGER ::= 10
+ *  physical-delivery-office-number INTEGER ::= 11
+ *  extension-OR-address-components INTEGER ::= 12
+ *  physical-delivery-personal-name INTEGER ::= 13
+ *  physical-delivery-organization-name INTEGER ::= 14
+ *  extension-physical-delivery-address-components INTEGER ::= 15
+ *  unformatted-postal-address INTEGER ::= 16
+ *  street-address INTEGER ::= 17
+ *  post-office-box-address INTEGER ::= 18
+ *  poste-restante-address INTEGER ::= 19
+ *  unique-postal-name INTEGER ::= 20
+ *  local-postal-attributes INTEGER ::= 21
+ *  extended-network-address INTEGER ::= 22
+ *  terminal-type  INTEGER ::= 23
+ *
+ */
+
+enum NSSPKIXExtensionAttributeTypeEnum {
+  NSSPKIXExtensionAttributeType_NSSinvalid = -1,
+  NSSPKIXExtensionAttributeType_CommonName = 1,
+  NSSPKIXExtensionAttributeType_TeletexCommonName = 2,
+  NSSPKIXExtensionAttributeType_TeletexOrganizationName = 3,
+  NSSPKIXExtensionAttributeType_TeletexPersonalName = 4,
+  NSSPKIXExtensionAttributeType_TeletexOrganizationalUnitNames = 5,
+  NSSPKIXExtensionAttributeType_TeletexDomainDefinedAttributes = 6,
+  NSSPKIXExtensionAttributeType_PdsName = 7,
+  NSSPKIXExtensionAttributeType_PhysicalDeliveryCountryName = 8,
+  NSSPKIXExtensionAttributeType_PostalCode = 9,
+  NSSPKIXExtensionAttributeType_PhysicalDeliveryOfficeName = 10,
+  NSSPKIXExtensionAttributeType_PhysicalDeliveryOfficeNumber = 11,
+  NSSPKIXExtensionAttributeType_ExtensionOrAddressComponents = 12,
+  NSSPKIXExtensionAttributeType_PhysicalDeliveryPersonalName = 13,
+  NSSPKIXExtensionAttributeType_PhysicalDeliveryOrganizationName = 14,
+  NSSPKIXExtensionAttributeType_ExtensionPhysicalDeliveryAddressComponents = 15,
+  NSSPKIXExtensionAttributeType_UnformattedPostalAddress = 16,
+  NSSPKIXExtensionAttributeType_StreetAddress = 17,
+  NSSPKIXExtensionAttributeType_PostOfficeBoxAddress = 18,
+  NSSPKIXExtensionAttributeType_PosteRestanteAddress = 19,
+  NSSPKIXExtensionAttributeType_UniquePostalName = 20,
+  NSSPKIXExtensionAttributeType_LocalPostalAttributes = 21,
+  NSSPKIXExtensionAttributeType_ExtendedNetworkAddress = 22,
+  NSSPKIXExtensionAttributeType_TerminalType = 23
+};
+typedef enum NSSPKIXExtensionAttributeTypeEnum NSSPKIXExtensionAttributeType;
+
+/*
+ * CommonName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CommonName ::= PrintableString (SIZE (1..ub-common-name-length))
+ *
+ */
+
+struct NSSPKIXCommonNameStr;
+typedef struct NSSPKIXCommonNameStr NSSPKIXCommonName;
+
+/*
+ * TeletexCommonName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-length))
+ *
+ */
+
+struct NSSPKIXTeletexCommonNameStr;
+typedef struct NSSPKIXTeletexCommonNameStr NSSPKIXTeletexCommonName;
+
+/*
+ * TeletexOrganizationName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexOrganizationName ::=
+ *                  TeletexString (SIZE (1..ub-organization-name-length))
+ *
+ */
+
+struct NSSPKIXTeletexOrganizationNameStr;
+typedef struct NSSPKIXTeletexOrganizationNameStr NSSPKIXTeletexOrganizationName;
+
+/*
+ * TeletexPersonalName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexPersonalName ::= SET {
+ *     surname [0] TeletexString (SIZE (1..ub-surname-length)),
+ *     given-name [1] TeletexString
+ *                  (SIZE (1..ub-given-name-length)) OPTIONAL,
+ *     initials [2] TeletexString (SIZE (1..ub-initials-length)) OPTIONAL,
+ *     generation-qualifier [3] TeletexString (SIZE
+ *                  (1..ub-generation-qualifier-length)) OPTIONAL }
+ *
+ */
+
+struct NSSPKIXTeletexPersonalNameStr;
+typedef struct NSSPKIXTeletexPersonalNameStr NSSPKIXTeletexPersonalName;
+
+/*
+ * TeletexOrganizationalUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexOrganizationalUnitNames ::= SEQUENCE SIZE
+ *          (1..ub-organizational-units) OF TeletexOrganizationalUnitName
+ *
+ */
+
+struct NSSPKIXTeletexOrganizationalUnitNamesStr;
+typedef struct NSSPKIXTeletexOrganizationalUnitNamesStr NSSPKIXTeletexOrganizationalUnitNames;
+
+/*
+ * TeletexOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexOrganizationalUnitName ::= TeletexString
+ *                          (SIZE (1..ub-organizational-unit-name-length))
+ *  
+ */
+
+struct NSSPKIXTeletexOrganizationalUnitNameStr;
+typedef struct NSSPKIXTeletexOrganizationalUnitNameStr NSSPKIXTeletexOrganizationalUnitName;
+
+/*
+ * PDSName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PDSName ::= PrintableString (SIZE (1..ub-pds-name-length))
+ *
+ */
+
+struct NSSPKIXPDSNameStr;
+typedef struct NSSPKIXPDSNameStr NSSPKIXPDSName;
+
+/*
+ * PhysicalDeliveryCountryName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PhysicalDeliveryCountryName ::= CHOICE {
+ *     x121-dcc-code NumericString (SIZE (ub-country-name-numeric-length)),
+ *     iso-3166-alpha2-code PrintableString
+ *                          (SIZE (ub-country-name-alpha-length)) }
+ *
+ */
+
+struct NSSPKIXPhysicalDeliveryCountryNameStr;
+typedef struct NSSPKIXPhysicalDeliveryCountryNameStr NSSPKIXPhysicalDeliveryCountryName;
+
+/*
+ * PostalCode
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PostalCode ::= CHOICE {
+ *     numeric-code NumericString (SIZE (1..ub-postal-code-length)),
+ *     printable-code PrintableString (SIZE (1..ub-postal-code-length)) }
+ *
+ */
+
+struct NSSPKIXPostalCodeStr;
+typedef struct NSSPKIXPostalCodeStr NSSPKIXPostalCode;
+
+/*
+ * PDSParameter
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PDSParameter ::= SET {
+ *     printable-string PrintableString
+ *                  (SIZE(1..ub-pds-parameter-length)) OPTIONAL,
+ *     teletex-string TeletexString
+ *                  (SIZE(1..ub-pds-parameter-length)) OPTIONAL }
+ *
+ */
+
+struct NSSPKIXPDSParameterStr;
+typedef struct NSSPKIXPDSParameterStr NSSPKIXPDSParameter;
+
+/*
+ * PhysicalDeliveryOfficeName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PhysicalDeliveryOfficeName ::= PDSParameter
+ *
+ */
+
+typedef NSSPKIXPDSParameter NSSPKIXPhysicalDeliveryOfficeName;
+
+/*
+ * PhysicalDeliveryOfficeNumber
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PhysicalDeliveryOfficeNumber ::= PDSParameter
+ *
+ */
+
+typedef NSSPKIXPDSParameter NSSPKIXPhysicalDeliveryOfficeNumber;
+
+/*
+ * ExtensionORAddressComponents
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ExtensionORAddressComponents ::= PDSParameter
+ *
+ */
+
+typedef NSSPKIXPDSParameter NSSPKIXExtensionORAddressComponents;
+
+/*
+ * PhysicalDeliveryPersonalName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PhysicalDeliveryPersonalName ::= PDSParameter
+ *
+ */
+
+typedef NSSPKIXPDSParameter NSSPKIXPhysicalDeliveryPersonalName;
+
+/*
+ * PhysicalDeliveryOrganizationName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PhysicalDeliveryOrganizationName ::= PDSParameter
+ *
+ */
+
+typedef NSSPKIXPDSParameter NSSPKIXPhysicalDeliveryOrganizationName;
+
+/*
+ * ExtensionPhysicalDeliveryAddressComponents
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ExtensionPhysicalDeliveryAddressComponents ::= PDSParameter
+ *
+ */
+
+typedef NSSPKIXPDSParameter NSSPKIXExtensionPhysicalDeliveryAddressComponents;
+
+/*
+ * UnformattedPostalAddress
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  UnformattedPostalAddress ::= SET {
+ *     printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) OF
+ *             PrintableString (SIZE (1..ub-pds-parameter-length)) OPTIONAL,
+ *     teletex-string TeletexString
+ *           (SIZE (1..ub-unformatted-address-length)) OPTIONAL }
+ *
+ */
+
+struct NSSPKIXUnformattedPostalAddressStr;
+typedef struct NSSPKIXUnformattedPostalAddressStr NSSPKIXUnformattedPostalAddress;
+
+/*
+ * StreetAddress
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  StreetAddress ::= PDSParameter
+ *
+ */
+
+typedef NSSPKIXPDSParameter NSSPKIXStreetAddress;
+
+/*
+ * PostOfficeBoxAddress
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PostOfficeBoxAddress ::= PDSParameter
+ *
+ */
+
+typedef NSSPKIXPDSParameter NSSPKIXPostOfficeBoxAddress;
+
+/*
+ * PosteRestanteAddress
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PosteRestanteAddress ::= PDSParameter
+ *
+ */
+
+typedef NSSPKIXPDSParameter NSSPKIXPosteRestanteAddress;
+
+/*
+ * UniquePostalName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  UniquePostalName ::= PDSParameter
+ *
+ */
+
+typedef NSSPKIXPDSParameter NSSPKIXUniquePostalName;
+
+/*
+ * LocalPostalAttributes
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  LocalPostalAttributes ::= PDSParameter
+ *
+ */
+
+typedef NSSPKIXPDSParameter NSSPKIXLocalPostalAttributes;
+
+/*
+ * ExtendedNetworkAddress
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ExtendedNetworkAddress ::= CHOICE {
+ *     e163-4-address SEQUENCE {
+ *          number [0] NumericString (SIZE (1..ub-e163-4-number-length)),
+ *          sub-address [1] NumericString
+ *                  (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL },
+ *     psap-address [0] PresentationAddress }
+ *
+ */
+
+struct NSSPKIXExtendedNetworkAddressStr;
+typedef struct NSSPKIXExtendedNetworkAddressStr NSSPKIXExtendedNetworkAddress;
+
+/*
+ * NSSPKIXExtendedNetworkAddressChoice
+ *
+ * Helper enumeration for ExtendedNetworkAddress
+ * -- fgmr comments --
+ *
+ */
+
+enum NSSPKIXExtendedNetworkAddressEnum {
+  NSSPKIXExtendedNetworkAddress_NSSinvalid = -1,
+  NSSPKIXExtendedNetworkAddress_e1634Address,
+  NSSPKIXExtendedNetworkAddress_psapAddress
+};
+typedef enum NSSPKIXExtendedNetworkAddressEnum NSSPKIXExtendedNetworkAddressChoice;
+
+/*
+ * e163-4-address
+ *
+ * Helper structure for ExtendedNetworkAddress.
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ * 
+ *     e163-4-address SEQUENCE {
+ *          number [0] NumericString (SIZE (1..ub-e163-4-number-length)),
+ *          sub-address [1] NumericString
+ *                  (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL },
+ * 
+ */
+
+struct NSSe1634addressStr;
+typedef struct NSSe1634addressStr NSSe1634address;
+
+/*
+ * PresentationAddress
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PresentationAddress ::= SEQUENCE {
+ *          pSelector       [0] EXPLICIT OCTET STRING OPTIONAL,
+ *          sSelector       [1] EXPLICIT OCTET STRING OPTIONAL,
+ *          tSelector       [2] EXPLICIT OCTET STRING OPTIONAL,
+ *          nAddresses      [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }
+ *
+ */
+
+struct NSSPKIXPresentationAddressStr;
+typedef struct NSSPKIXPresentationAddressStr NSSPKIXPresentationAddress;
+
+/*
+ * TerminalType
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TerminalType ::= INTEGER {
+ *     telex (3),
+ *     teletex (4),
+ *     g3-facsimile (5),
+ *     g4-facsimile (6),
+ *     ia5-terminal (7),
+ *     videotex (8) } (0..ub-integer-options)
+ *
+ */
+
+enum NSSPKIXTerminalTypeEnum {
+  NSSPKIXTerminalType_NSSinvalid = -1,
+  NSSPKIXTerminalType_telex = 3,
+  NSSPKIXTerminalType_teletex = 4,
+  NSSPKIXTerminalType_g3Facsimile = 5,
+  NSSPKIXTerminalType_g4Facsimile = 6,
+  NSSPKIXTerminalType_iA5Terminal = 7,
+  NSSPKIXTerminalType_videotex = 8
+};
+typedef enum NSSPKIXTerminalTypeEnum NSSPKIXTerminalType;
+
+/*
+ * TeletexDomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexDomainDefinedAttributes ::= SEQUENCE SIZE
+ *     (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute
+ * 
+ */
+
+struct NSSPKIXTeletexDomainDefinedAttributesStr;
+typedef struct NSSPKIXTeletexDomainDefinedAttributesStr NSSPKIXTeletexDomainDefinedAttributes;
+
+/*
+ * TeletexDomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexDomainDefinedAttribute ::= SEQUENCE {
+ *          type TeletexString
+ *                 (SIZE (1..ub-domain-defined-attribute-type-length)),
+ *          value TeletexString
+ *                 (SIZE (1..ub-domain-defined-attribute-value-length)) }
+ * 
+ */
+
+struct NSSPKIXTeletexDomainDefinedAttributeStr;
+typedef struct NSSPKIXTeletexDomainDefinedAttributeStr NSSPKIXTeletexDomainDefinedAttribute;
+
+/*
+ * AuthorityKeyIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  AuthorityKeyIdentifier ::= SEQUENCE {
+ *        keyIdentifier             [0] KeyIdentifier            OPTIONAL,
+ *        authorityCertIssuer       [1] GeneralNames             OPTIONAL,
+ *        authorityCertSerialNumber [2] CertificateSerialNumber  OPTIONAL }
+ *      -- authorityCertIssuer and authorityCertSerialNumber shall both
+ *      -- be present or both be absent
+ *
+ */
+
+struct NSSPKIXAuthorityKeyIdentifierStr;
+typedef struct NSSPKIXAuthorityKeyIdentifierStr NSSPKIXAuthorityKeyIdentifier;
+
+/*
+ * KeyIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  KeyIdentifier ::= OCTET STRING
+ *
+ */
+
+typedef NSSItem NSSPKIXKeyIdentifier;
+
+/*
+ * SubjectKeyIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  SubjectKeyIdentifier ::= KeyIdentifier
+ *
+ */
+
+typedef NSSPKIXKeyIdentifier NSSPKIXSubjectKeyIdentifier;
+
+/*
+ * KeyUsage
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  KeyUsage ::= BIT STRING {
+ *       digitalSignature        (0),
+ *       nonRepudiation          (1),
+ *       keyEncipherment         (2),
+ *       dataEncipherment        (3),
+ *       keyAgreement            (4),
+ *       keyCertSign             (5),
+ *       cRLSign                 (6),
+ *       encipherOnly            (7),
+ *       decipherOnly            (8) }
+ *
+ */
+
+struct NSSPKIXKeyUsageStr;
+typedef struct NSSPKIXKeyUsageStr NSSPKIXKeyUsage;
+
+/*
+ * KeyUsageValue
+ *
+ * -- helper for testing many key usages at once
+ *
+ */
+
+enum NSSPKIXKeyUsageValueEnum {
+  NSSPKIXKeyUsage_NSSinvalid = 0,
+  NSSPKIXKeyUsage_DigitalSignature = 0x001,
+  NSSPKIXKeyUsage_NonRepudiation   = 0x002,
+  NSSPKIXKeyUsage_KeyEncipherment  = 0x004,
+  NSSPKIXKeyUsage_DataEncipherment = 0x008,
+  NSSPKIXKeyUsage_KeyAgreement     = 0x010,
+  NSSPKIXKeyUsage_KeyCertSign      = 0x020,
+  NSSPKIXKeyUsage_CRLSign          = 0x040,
+  NSSPKIXKeyUsage_EncipherOnly     = 0x080,
+  NSSPKIXKeyUsage_DecipherOnly     = 0x100
+};
+typedef enum NSSPKIXKeyUsageValueEnum NSSPKIXKeyUsageValue;
+
+/*
+ * PrivateKeyUsagePeriod
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PrivateKeyUsagePeriod ::= SEQUENCE {
+ *       notBefore       [0]     GeneralizedTime OPTIONAL,
+ *       notAfter        [1]     GeneralizedTime OPTIONAL }
+ *       -- either notBefore or notAfter shall be present
+ *
+ */
+
+struct NSSPKIXPrivateKeyUsagePeriodStr;
+typedef struct NSSPKIXPrivateKeyUsagePeriodStr NSSPKIXPrivateKeyUsagePeriod;
+
+/*
+ * CertificatePolicies
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
+ *
+ */
+
+struct NSSPKIXCertificatePoliciesStr;
+typedef struct NSSPKIXCertificatePoliciesStr NSSPKIXCertificatePolicies;
+
+/*
+ * PolicyInformation
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PolicyInformation ::= SEQUENCE {
+ *       policyIdentifier   CertPolicyId,
+ *       policyQualifiers   SEQUENCE SIZE (1..MAX) OF
+ *               PolicyQualifierInfo OPTIONAL }
+ *
+ */
+
+struct NSSPKIXPolicyInformationStr;
+typedef struct NSSPKIXPolicyInformationStr NSSPKIXPolicyInformation;
+
+/*
+ * CertPolicyId
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CertPolicyId ::= OBJECT IDENTIFIER
+ *
+ */
+
+typedef NSSOID NSSPKIXCertPolicyId;
+
+/*
+ * PolicyQualifierInfo
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PolicyQualifierInfo ::= SEQUENCE {
+ *         policyQualifierId  PolicyQualifierId,
+ *         qualifier        ANY DEFINED BY policyQualifierId }
+ *
+ */
+
+struct NSSPKIXPolicyQualifierInfoStr;
+typedef NSSPKIXPolicyQualifierInfoStr NSSPKIXPolicyQualifierInfo;
+
+/*
+ * PolicyQualifierId
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PolicyQualifierId ::=
+ *      OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )
+ *
+ */
+
+typedef NSSOID NSSPKIXPolicyQualifierId;
+
+/*
+ * CPSuri
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CPSuri ::= IA5String
+ *
+ */
+
+struct NSSPKIXCPSuriStr;
+typedef struct NSSPKIXCPSuriStr NSSPKIXCPSuri;
+
+/*
+ * UserNotice
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  UserNotice ::= SEQUENCE {
+ *       noticeRef        NoticeReference OPTIONAL,
+ *       explicitText     DisplayText OPTIONAL}
+ *
+ */
+
+struct NSSPKIXUserNoticeStr;
+typedef struct NSSPKIXUserNoticeStr NSSPKIXUserNotice;
+
+/*
+ * NoticeReference
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  NoticeReference ::= SEQUENCE {
+ *       organization     DisplayText,
+ *       noticeNumbers    SEQUENCE OF INTEGER }
+ *
+ */
+
+struct NSSPKIXNoticeReferenceStr;
+typedef struct NSSPKIXNoticeReferenceStr NSSPKIXNoticeReference;
+
+/*
+ * DisplayText
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  DisplayText ::= CHOICE {
+ *       visibleString    VisibleString  (SIZE (1..200)),
+ *       bmpString        BMPString      (SIZE (1..200)),
+ *       utf8String       UTF8String     (SIZE (1..200)) }
+ * 
+ */
+
+struct NSSPKIXDisplayTextStr;
+typedef struct NSSPKIXDisplayTextStr NSSPKIXDisplayText;
+
+/*
+ * PolicyMappings
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ *       issuerDomainPolicy      CertPolicyId,
+ *       subjectDomainPolicy     CertPolicyId }
+ *
+ */
+
+struct NSSPKIXPolicyMappingsStr;
+typedef struct NSSPKIXPolicyMappingsStr NSSPKIXPolicyMappings;
+
+/*
+ * policyMapping
+ *
+ * Helper structure for PolicyMappings
+ *
+ *                                               SEQUENCE {
+ *       issuerDomainPolicy      CertPolicyId,
+ *       subjectDomainPolicy     CertPolicyId }
+ *
+ */
+
+struct NSSPKIXpolicyMappingStr;
+typedef struct NSSPKIXpolicyMappingStr NSSPKIXpolicyMapping;
+
+/*
+ * GeneralName
+ *
+ * This structure contains a union of the possible general names,
+ * of which there are several.
+ *
+ * From RFC 2459:
+ *
+ *  GeneralName ::= CHOICE {
+ *       otherName                       [0]     AnotherName,
+ *       rfc822Name                      [1]     IA5String,
+ *       dNSName                         [2]     IA5String,
+ *       x400Address                     [3]     ORAddress,
+ *       directoryName                   [4]     Name,
+ *       ediPartyName                    [5]     EDIPartyName,
+ *       uniformResourceIdentifier       [6]     IA5String,
+ *       iPAddress                       [7]     OCTET STRING,
+ *       registeredID                    [8]     OBJECT IDENTIFIER }
+ *
+ */
+
+struct NSSPKIXGeneralNameStr;
+typedef struct NSSPKIXGeneralNameStr NSSPKIXGeneralName;
+
+/*
+ * GeneralNameChoice
+ *
+ * This enumerates the possible general name types.
+ */
+
+enum NSSPKIXGeneralNameChoiceEnum {
+  NSSPKIXGeneralNameChoice_NSSinvalid = -1,
+  NSSPKIXGeneralNameChoice_otherName = 0,
+  NSSPKIXGeneralNameChoice_rfc822Name = 1,
+  NSSPKIXGeneralNameChoice_dNSName = 2,
+  NSSPKIXGeneralNameChoice_x400Address = 3,
+  NSSPKIXGeneralNameChoice_directoryName = 4,
+  NSSPKIXGeneralNameChoice_ediPartyName = 5,
+  NSSPKIXGeneralNameChoice_uniformResourceIdentifier = 6,
+  NSSPKIXGeneralNameChoice_iPAddress = 7,
+  NSSPKIXGeneralNameChoice_registeredID = 8
+};
+typedef enum NSSPKIXGeneralNameChoiceEnum NSSPKIXGeneralNameChoice;
+
+/*
+ * GeneralNames
+ *
+ * This structure contains a sequence of GeneralName objects.
+ *
+ * From RFC 2459:
+ *
+ *  GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ *
+ */
+
+struct NSSPKIXGeneralNamesStr;
+typedef struct NSSPKIXGeneralNamesStr NSSPKIXGeneralNames;
+
+/*
+ * SubjectAltName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  SubjectAltName ::= GeneralNames
+ *
+ */
+
+typedef NSSPKIXGeneralNames NSSPKIXSubjectAltName;
+
+/*
+ * AnotherName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  AnotherName ::= SEQUENCE {
+ *       type-id    OBJECT IDENTIFIER,
+ *       value      [0] EXPLICIT ANY DEFINED BY type-id }
+ *
+ */
+
+struct NSSPKIXAnotherNameStr;
+typedef struct NSSPKIXAnotherNameStr NSSPKIXAnotherName;
+
+/*
+ * EDIPartyName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *
+ *  EDIPartyName ::= SEQUENCE {
+ *       nameAssigner            [0]     DirectoryString OPTIONAL,
+ *       partyName               [1]     DirectoryString }
+ *
+ */
+
+struct NSSPKIXEDIPartyNameStr;
+typedef struct NSSPKIXEDIPartyNameStr NSSPKIXEDIPartyName;
+
+/*
+ * IssuerAltName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  IssuerAltName ::= GeneralNames
+ *
+ */
+
+typedef NSSPKIXGeneralNames NSSPKIXIssuerAltName;
+
+/*
+ * SubjectDirectoryAttributes
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
+ *
+ */
+
+struct NSSPKIXSubjectDirectoryAttributesStr;
+typedef struct NSSPKIXSubjectDirectoryAttributesStr NSSPKIXSubjectDirectoryAttributes;
+
+/*
+ * BasicConstraints
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  BasicConstraints ::= SEQUENCE {
+ *       cA                      BOOLEAN DEFAULT FALSE,
+ *       pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
+ *
+ */
+
+struct NSSPKIXBasicConstraintsStr;
+typedef struct NSSPKIXBasicConstraintsStr NSSPKIXBasicConstraints;
+
+/*
+ * NameConstraints
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  NameConstraints ::= SEQUENCE {
+ *       permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
+ *       excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
+ *
+ */
+
+struct NSSPKIXNameConstraintsStr;
+typedef struct NSSPKIXNameConstraintsStr NSSPKIXNameConstraints;
+
+/*
+ * GeneralSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
+ *
+ */
+
+struct NSSPKIXGeneralSubtreesStr;
+typedef struct NSSPKIXGeneralSubtreesStr NSSPKIXGeneralSubtrees;
+
+/*
+ * GeneralSubtree
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  GeneralSubtree ::= SEQUENCE {
+ *       base                    GeneralName,
+ *       minimum         [0]     BaseDistance DEFAULT 0,
+ *       maximum         [1]     BaseDistance OPTIONAL }
+ *
+ */
+
+struct NSSPKIXGeneralSubtreeStr;
+typedef struct NSSPKIXGeneralSubtreeStr NSSPKIXGeneralSubtree;
+
+/*
+ * BaseDistance
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  BaseDistance ::= INTEGER (0..MAX)
+ *
+ */
+
+typedef PRInt32 NSSPKIXBaseDistance;
+
+/*
+ * PolicyConstraints
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PolicyConstraints ::= SEQUENCE {
+ *       requireExplicitPolicy           [0] SkipCerts OPTIONAL,
+ *       inhibitPolicyMapping            [1] SkipCerts OPTIONAL }
+ * 
+ */
+
+struct NSSPKIXPolicyConstraintsStr;
+typedef NSSPKIXPolicyConstraintsStr NSSPKIXPolicyConstraints;
+
+/*
+ * SkipCerts
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  SkipCerts ::= INTEGER (0..MAX)
+ *
+ */
+
+typedef NSSItem NSSPKIXSkipCerts;
+
+/*
+ * CRLDistPointsSyntax
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+ *
+ */
+
+struct NSSPKIXCRLDistPointsSyntaxStr;
+typedef struct NSSPKIXCRLDistPointsSyntaxStr NSSPKIXCRLDistPointsSyntax;
+
+/*
+ * DistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  DistributionPoint ::= SEQUENCE {
+ *       distributionPoint       [0]     DistributionPointName OPTIONAL,
+ *       reasons                 [1]     ReasonFlags OPTIONAL,
+ *       cRLIssuer               [2]     GeneralNames OPTIONAL }
+ *
+ */
+
+struct NSSPKIXDistributionPointStr;
+typedef struct NSSPKIXDistributionPointStr NSSPKIXDistributionPoint;
+
+/*
+ * DistributionPointName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  DistributionPointName ::= CHOICE {
+ *       fullName                [0]     GeneralNames,
+ *       nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
+ *
+ */
+
+struct NSSPKIXDistributionPointNameStr;
+typedef struct NSSPKIXDistributionPointNameStr NSSPKIXDistributionPointName;
+
+/*
+ * DistributionPointNameChoice
+ *
+ * -- fgmr comments --
+ *
+ */
+
+enum NSSPKIXDistributionPointNameChoiceEnum {
+  NSSDistributionPointNameChoice_NSSinvalid = -1,
+  NSSDistributionPointNameChoice_FullName = 0,
+  NSSDistributionPointNameChoice_NameRelativeToCRLIssuer = 1
+};
+typedef enum NSSPKIXDistributionPointNameChoiceEnum NSSPKIXDistributionPointNameChoice;
+
+/*
+ * ReasonFlags
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ReasonFlags ::= BIT STRING {
+ *       unused                  (0),
+ *       keyCompromise           (1),
+ *       cACompromise            (2),
+ *       affiliationChanged      (3),
+ *       superseded              (4),
+ *       cessationOfOperation    (5),
+ *       certificateHold         (6) }
+ *
+ */
+
+struct NSSPKIXReasonFlagsStr;
+typedef struct NSSPKIXReasonFlagsStr NSSPKIXReasonFlags;
+
+/*
+ * ReasonFlagsMask
+ *
+ * -- fgmr comments --
+ *
+ */
+
+typedef PRInt32 NSSPKIXReasonFlagsMask;
+const NSSPKIXReasonFlagsMask NSSPKIXReasonFlagsMask_NSSinvalid          =  -1;
+const NSSPKIXReasonFlagsMask NSSPKIXReasonFlagsMask_KeyCompromise       =  0x02;
+const NSSPKIXReasonFlagsMask NSSPKIXReasonFlagsMask_CACompromise        =  0x04;
+const NSSPKIXReasonFlagsMask NSSPKIXReasonFlagsMask_AffiliationChanged  =  0x08;
+const NSSPKIXReasonFlagsMask NSSPKIXReasonFlagsMask_Superseded          =  0x10;
+const NSSPKIXReasonFlagsMask NSSPKIXReasonFlagsMask_CessationOfOperation=  0x20;
+const NSSPKIXReasonFlagsMask NSSPKIXReasonFlagsMask_CertificateHold     =  0x40;
+
+/*
+ * ExtKeyUsageSyntax
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
+ *
+ */
+
+struct NSSPKIXExtKeyUsageSyntaxStr;
+typedef struct NSSPKIXExtKeyUsageSyntaxStr NSSPKIXExtKeyUsageSyntax;
+
+/*
+ * KeyPurposeId
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  KeyPurposeId ::= OBJECT IDENTIFIER
+ *
+ */
+
+typedef NSSOID NSSPKIXKeyPurposeId;
+
+/*
+ * AuthorityInfoAccessSyntax
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  AuthorityInfoAccessSyntax  ::=
+ *          SEQUENCE SIZE (1..MAX) OF AccessDescription
+ *
+ */
+
+struct NSSPKIXAuthorityInfoAccessSyntaxStr;
+typedef struct NSSPKIXAuthorityInfoAccessSyntaxStr NSSPKIXAuthorityInfoAccessSyntax;
+
+/*
+ * AccessDescription
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  AccessDescription  ::=  SEQUENCE {
+ *          accessMethod          OBJECT IDENTIFIER,
+ *          accessLocation        GeneralName  }
+ *
+ */
+
+struct NSSPKIXAccessDescriptionStr;
+typedef struct NSSPKIXAccessDescriptionStr NSSPKIXAccessDescription;
+
+/*
+ * CRLNumber
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CRLNumber ::= INTEGER (0..MAX)
+ *
+ */
+
+typedef NSSItem NSSPKIXCRLNumber;
+
+/*
+ * IssuingDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  IssuingDistributionPoint ::= SEQUENCE {
+ *       distributionPoint       [0] DistributionPointName OPTIONAL,
+ *       onlyContainsUserCerts   [1] BOOLEAN DEFAULT FALSE,
+ *       onlyContainsCACerts     [2] BOOLEAN DEFAULT FALSE,
+ *       onlySomeReasons         [3] ReasonFlags OPTIONAL,
+ *       indirectCRL             [4] BOOLEAN DEFAULT FALSE }
+ *
+ */
+
+struct NSSPKIXIssuingDistributionPointStr;
+typedef struct NSSPKIXIssuingDistributionPointStr NSSPKIXIssuingDistributionPoint;
+
+/*
+ * BaseCRLNumber
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  BaseCRLNumber ::= CRLNumber
+ *
+ */
+
+typedef NSSPKIXCRLNumber NSSPKIXBaseCRLNumber;
+
+/*
+ * CRLReason
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CRLReason ::= ENUMERATED {
+ *       unspecified             (0),
+ *       keyCompromise           (1),
+ *       cACompromise            (2),
+ *       affiliationChanged      (3),
+ *       superseded              (4),
+ *       cessationOfOperation    (5),
+ *       certificateHold         (6),
+ *       removeFromCRL           (8) }
+ * 
+ */
+
+enum NSSPKIXCRLReasonEnum {
+  NSSPKIXCRLReasonEnum_NSSinvalid = -1,
+  NSSPKIXCRLReasonEnum_unspecified = 0,
+  NSSPKIXCRLReasonEnum_keyCompromise = 1,
+  NSSPKIXCRLReasonEnum_cACompromise = 2,
+  NSSPKIXCRLReasonEnum_affiliationChanged = 3,
+  NSSPKIXCRLReasonEnum_superseded = 4,
+  NSSPKIXCRLReasonEnum_cessationOfOperation = 5,
+  NSSPKIXCRLReasonEnum_certificateHold = 6,
+  NSSPKIXCRLReasonEnum_removeFromCRL = 8
+};
+typedef enum NSSPKIXCRLReasonEnum NSSPKIXCRLReason;
+
+/*
+ * CertificateIssuer
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CertificateIssuer ::= GeneralNames
+ *
+ */
+
+typedef NSSPKIXGeneralNames NSSPKIXCertificateIssuer;
+
+/*
+ * HoldInstructionCode
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  HoldInstructionCode ::= OBJECT IDENTIFIER
+ *
+ */
+
+typedef NSSOID NSSPKIXHoldInstructionCode;
+
+/*
+ * InvalidityDate
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  InvalidityDate ::=  GeneralizedTime
+ *
+ */
+
+typedef PRTime NSSPKIXInvalidityDate;
+
+PR_END_EXTERN_C
+
+#endif /* NSSPKIXT_H */
diff --git a/security/nss/lib/pkix/include/pkix.h b/security/nss/lib/pkix/include/pkix.h
new file mode 100644
index 000000000..8ebe95595
--- /dev/null
+++ b/security/nss/lib/pkix/include/pkix.h
@@ -0,0 +1,26086 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef PKIX_H
+#define PKIX_H
+
+#ifdef DEBUG
+static const char PKIX_CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * pkix.h
+ *
+ * This file contains the prototypes for the private methods defined
+ * for the PKIX part-1 objects.
+ */
+
+#ifndef NSSPKIX_H
+#include "nsspkix.h"
+#endif /* NSSPKIX_H */
+
+#ifndef PKIXT_H
+#include "pkixt.h"
+#endif /* PKIXT_H */
+
+#ifndef ASN1T_H
+#include "asn1t.h"
+#endif /* ASN1T_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * Attribute
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Attribute       ::=     SEQUENCE {
+ *          type            AttributeType,
+ *          values  SET OF AttributeValue
+ *                  -- at least one value is required -- }
+ *
+ * The private calls for the type:
+ * 
+ *  nssPKIXAttribute_Decode
+ *  nssPKIXAttribute_Create
+ *  nssPKIXAttribute_CreateFromArray
+ *  nssPKIXAttribute_Destroy
+ *  nssPKIXAttribute_Encode
+ *  nssPKIXAttribute_GetType
+ *  nssPKIXAttribute_SetType
+ *  nssPKIXAttribute_GetValueCount
+ *  nssPKIXAttribute_GetValues
+ *  nssPKIXAttribute_SetValues
+ *  nssPKIXAttribute_GetValue
+ *  nssPKIXAttribute_SetValue
+ *  nssPKIXAttribute_AddValue
+ *  nssPKIXAttribute_RemoveValue
+ *  nssPKIXAttribute_FindValue
+ *  nssPKIXAttribute_Equal
+ *  nssPKIXAttribute_Duplicate
+ *
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXAttribute_verifyPointer
+ */
+
+/*
+ * nssPKIXAttribute_template
+ *
+ *
+ */
+
+extern const nssASN1Template nssPKIXAttribute_template[];
+
+/*
+ * nssPKIXAttribute_Decode
+ *
+ * This routine creates an NSSPKIXAttribute by decoding a BER-
+ * or DER-encoded Attribute as defined in RFC 2459.  This
+ * routine may return NULL upon error, in which case it will
+ * have created an error stack.  If the optional arena argument
+ * is non-NULL, that arena will be used for the required memory.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttribute upon success
+ *  NULL upon failure.
+ */
+
+NSS_EXTERN NSSPKIXAttribute *
+nssPKIXAttribute_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXAttribute_Create
+ *
+ * This routine creates an NSSPKIXAttribute from specified components.
+ * This routine may return NULL upon error, in which case it will have
+ * created an error stack.  If the optional arena argument is non-NULL,
+ * that arena will be used for the required memory.  There must be at
+ * least one attribute value specified.  The final argument must be
+ * NULL, to indicate the end of the set of attribute values.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttribute upon success
+ *  NULL upon failure.
+ */
+
+NSS_EXTERN NSSPKIXAttribute *
+nssPKIXAttribute_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAttributeType *typeOid,
+  NSSPKIXAttributeValue *value1,
+  ...
+);
+
+/*
+ * nssPKIXAttribute_CreateFromArray
+ *
+ * This routine creates an NSSPKIXAttribute from specified components.
+ * This routine may return NULL upon error, in which case it will have
+ * created an error stack.  If the optional arena argument is non-NULL,
+ * that arena will be used for the required memory.  There must be at
+ * least one attribute value specified.  The final argument must be
+ * NULL, to indicate the end of the set of attribute values.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttribute upon success
+ *  NULL upon failure.
+ */
+
+NSS_EXTERN NSSPKIXAttribute *
+nssPKIXAttribute_CreateFromArray
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAttributeType *typeOid,
+  PRUint32 count,
+  NSSPKIXAttributeValue values[]
+);
+
+/*
+ * nssPKIXAttribute_Destroy
+ *
+ * This routine destroys an NSSPKIXAttribute.  It should be called on
+ * all such objects created without an arena.  It does not need to be
+ * called for objects created with an arena, but it may be.  This
+ * routine returns a PRStatus value.  Upon error, it will create an
+ * error stack and return PR_FAILURE.
+ *
+ * The error value may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAttribute_Destroy
+(
+  NSSPKIXAttribute *attribute
+);
+
+/*
+ * nssPKIXAttribute_Encode
+ *
+ * This routine returns the BER encoding of the specified 
+ * NSSPKIXAttribute.  {usual rules about itemOpt and arenaOpt}
+ * This routine indicates an error (NSS_ERROR_INVALID_DATA) 
+ * if there are no attribute values (i.e., the last one was removed).
+ *
+ * The error value may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_DATA
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXAttribute_Encode
+(
+  NSSPKIXAttribute *attribute,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXAttribute_GetType
+ *
+ * This routine returns the attribute type oid of the specified
+ * NSSPKIXAttribute.
+ *
+ * The error value may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSPKIXAttributeType pointer upon success
+ *  NULL upon failure.
+ */
+
+NSS_EXTERN NSSPKIXAttributeType *
+nssPKIXAttribute_GetType
+(
+  NSSPKIXAttribute *attribute
+);
+
+/*
+ * nssPKIXAttribute_SetType
+ *
+ * This routine sets the attribute type oid of the indicated
+ * NSSPKIXAttribute to the specified value.  Since attributes
+ * may be application-defined, no checking can be done on
+ * either the correctness of the attribute type oid value nor
+ * the suitability of the set of attribute values.
+ *
+ * The error value may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_OID
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAttribute_SetType
+(
+  NSSPKIXAttribute *attribute,
+  NSSPKIXAttributeType *attributeType
+);
+
+/*
+ * nssPKIXAttribute_GetValueCount
+ *
+ * This routine returns the number of attribute values present in
+ * the specified NSSPKIXAttribute.  This routine returns a PRInt32.
+ * Upon error, this routine returns -1.  This routine indicates an
+ * error if the number of values cannot be expressed as a PRInt32.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXAttribute_GetValueCount
+(
+  NSSPKIXAttribute *attribute
+);
+
+/*
+ * nssPKIXAttribute_GetValues
+ *
+ * This routine returns all of the attribute values in the specified
+ * NSSPKIXAttribute.  If the optional pointer to an array of NSSItems
+ * is non-null, then that array will be used and returned; otherwise,
+ * an array will be allocated and returned.  If the limit is nonzero
+ * (which is must be if the specified array is nonnull), then an
+ * error is indicated if it is smaller than the value count.
+ * {arenaOpt}
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  A valid pointer to an array of NSSItem's upon success
+ *  NULL upon failure.
+ */
+
+NSS_EXTERN NSSPKIXAttributeValue *
+nssPKIXAttribute_GetValues
+(
+  NSSPKIXAttribute *attribute,
+  NSSPKIXAttributeValue rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXAttribute_SetValues
+ *
+ * This routine sets all of the values of the specified 
+ * NSSPKIXAttribute to the values in the specified NSSItem array.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAttribute_SetValues
+(
+  NSSPKIXAttribute *attribute,
+  NSSPKIXAttributeValue values[],
+  PRInt32 count
+);
+
+/*
+ * nssPKIXAttribute_GetValue
+ *
+ * This routine returns the i'th attribute value of the set of
+ * values in the specified NSSPKIXAttribute.  Although the set
+ * is unordered, an arbitrary ordering will be maintained until
+ * the data in the attribute is changed.  {usual comments about
+ * itemOpt and arenaOpt}
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeValue upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAttributeValue *
+nssPKIXAttribute_GetValue
+(
+  NSSPKIXAttribute *attribute,
+  PRInt32 i,
+  NSSPKIXAttributeValue *itemOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXAttribute_SetValue
+ *
+ * This routine sets the i'th attribute value {blah blah; copies
+ * memory contents over..}
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAttribute_SetValue
+(
+  NSSPKIXAttribute *attribute,
+  PRInt32 i,
+  NSSPKIXAttributeValue *value
+);
+
+/*
+ * nssPKIXAttribute_AddValue
+ *
+ * This routine adds the specified attribute value to the set in
+ * the specified NSSPKIXAttribute.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAttribute_AddValue
+(
+  NSSPKIXAttribute *attribute,
+  NSSPKIXAttributeValue *value
+); 
+
+/*
+ * nssPKIXAttribute_RemoveValue
+ *
+ * This routine removes the i'th attribute value of the set in the
+ * specified NSSPKIXAttribute.  An attempt to remove the last value
+ * will fail.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_AT_MINIMUM
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAttribute_RemoveValue
+(
+  NSSPKIXAttribute *attribute,
+  PRInt32 i
+);
+
+/*
+ * nssPKIXAttribute_FindValue
+ *
+ * This routine searches the set of attribute values in the specified
+ * NSSPKIXAttribute for the provided data.  If an exact match is found,
+ * then that value's index is returned.  If an exact match is not 
+ * found, -1 is returned.  If there is more than one exact match, one
+ * index will be returned.  {notes about unorderdness of SET, etc}
+ * If the index may not be represented as an integer, an error is
+ * indicated.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value
+ *  The index of the specified attribute value upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXAttribute_FindValue
+(
+  NSSPKIXAttribute *attribute,
+  NSSPKIXAttributeValue *attributeValue
+);
+
+/*
+ * nssPKIXAttribute_Equal
+ *
+ * This routine compares two NSSPKIXAttribute's for equality.
+ * It returns PR_TRUE if they are equal, PR_FALSE otherwise.
+ * This routine also returns PR_FALSE upon error; if you're
+ * that worried about it, check for an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXAttribute_Equal
+(
+  NSSPKIXAttribute *one,
+  NSSPKIXAttribute *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXAttribute_Duplicate
+ *
+ * This routine duplicates an NSSPKIXAttribute.  {arenaOpt}
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttribute upon success
+ *  NULL upon failure.
+ */
+
+NSS_EXTERN NSSPKIXAttribute *
+nssPKIXAttribute_Duplicate
+(
+  NSSPKIXAttribute *attribute,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXAttribute_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXAttribute
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAttribute_verifyPointer
+(
+  NSSPKIXAttribute *p
+);
+#endif /* DEBUG */
+
+/*
+ * AttributeTypeAndValue
+ *
+ * This structure contains an attribute type (indicated by an OID), 
+ * and the type-specific value.  RelativeDistinguishedNames consist
+ * of a set of these.  These are distinct from Attributes (which have
+ * SET of values), from AttributeDescriptions (which have qualifiers
+ * on the types), and from AttributeValueAssertions (which assert a
+ * a value comparison under some matching rule).
+ *
+ * From RFC 2459:
+ *
+ *  AttributeTypeAndValue           ::=     SEQUENCE {
+ *          type    AttributeType,
+ *          value   AttributeValue }
+ * 
+ * The private calls for the type:
+ *
+ *  nssPKIXAttributeTypeAndValue_Decode
+ *  nssPKIXAttributeTypeAndValue_CreateFromUTF8
+ *  nssPKIXAttributeTypeAndValue_Create
+ *  nssPKIXAttributeTypeAndValue_Destroy
+ *  nssPKIXAttributeTypeAndValue_Encode
+ *  nssPKIXAttributeTypeAndValue_GetUTF8Encoding
+ *  nssPKIXAttributeTypeAndValue_GetType
+ *  nssPKIXAttributeTypeAndValue_SetType
+ *  nssPKIXAttributeTypeAndValue_GetValue
+ *  nssPKIXAttributeTypeAndValue_SetValue
+ *  nssPKIXAttributeTypeAndValue_Equal
+ *  nssPKIXAttributeTypeAndValue_Duplicate
+ *
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXAttributeTypeAndValue_verifyPointer
+ */
+
+/*
+ * nssPKIXAttributeTypeAndValue_Decode
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAttributeTypeAndValue *
+nssPKIXAttributeTypeAndValue_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXAttributeTypeAndValue_CreateFromUTF8
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAttributeTypeAndValue *
+nssPKIXAttributeTypeAndValue_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *string
+);
+
+/*
+ * nssPKIXAttributeTypeAndValue_Create
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAttributeTypeAndValue *
+nssPKIXAttributeTypeAndValue_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAttributeType *typeOid,
+  NSSPKIXAttributeValue *value
+);
+
+/*
+ * nssPKIXAttributeTypeAndValue_Destroy
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAttributeTypeAndValue_Destroy
+(
+  NSSPKIXAttributeTypeAndValue *atav
+);
+
+/*
+ * nssPKIXAttributeTypeAndValue_Encode
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXAttributeTypeAndValue_Encode
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXAttributeTypeAndValue_GetUTF8Encoding
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXAttributeTypeAndValue_GetUTF8Encoding
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXAttributeTypeAndValue_GetType
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSPKIXAttributeType pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAttributeType *
+nssPKIXAttributeTypeAndValue_GetType
+(
+  NSSPKIXAttributeTypeAndValue *atav
+);
+
+/*
+ * nssPKIXAttributeTypeAndValue_SetType
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_INVALID_OID
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAttributeTypeAndValue_SetType
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSPKIXAttributeType *attributeType
+);
+
+/*
+ * nssPKIXAttributeTypeAndValue_GetValue
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSAttributeValue upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAttributeValue *
+nssPKIXAttributeTypeAndValue_GetValue
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSPKIXAttributeValue *itemOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXAttributeTypeAndValue_SetValue
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAttributeTypeAndValue_SetValue
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSPKIXAttributeValue *value
+);
+
+/*
+ * nssPKIXAttributeTypeAndValue_Equal
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXAttributeTypeAndValue_Equal
+(
+  NSSPKIXAttributeTypeAndValue *atav1,
+  NSSPKIXAttributeTypeAndValue *atav2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXAttributeTypeAndValue_Duplicate
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAttributeTypeAndValue *
+nssPKIXAttributeTypeAndValue_Duplicate
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXAttributeTypeAndValue_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXAttributeTypeAndValue
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE_TYPE_AND_VALUE
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAttributeTypeAndValue_verifyPointer
+(
+  NSSPKIXAttributeTypeAndValue *p
+);
+#endif /* DEBUG */
+
+/*
+ * X520Name
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520name        ::= CHOICE {
+ *        teletexString         TeletexString (SIZE (1..ub-name)),
+ *        printableString       PrintableString (SIZE (1..ub-name)),
+ *        universalString       UniversalString (SIZE (1..ub-name)),
+ *        utf8String            UTF8String (SIZE (1..ub-name)),
+ *        bmpString             BMPString (SIZE(1..ub-name))   }
+ *
+ *
+ *  ub-name INTEGER ::=     32768
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXX520Name_Decode
+ *  nssPKIXX520Name_CreateFromUTF8
+ *  nssPKIXX520Name_Create
+ *  nssPKIXX520Name_Destroy
+ *  nssPKIXX520Name_Encode
+ *  nssPKIXX520Name_GetUTF8Encoding
+ *  nssPKIXX520Name_Equal
+ *  nssPKIXX520Name_Duplicate
+ *
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXX520Name_verifyPointer
+ */
+
+/*
+ * nssPKIXX520Name_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520Name upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520Name *
+nssPKIXX520Name_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXX520Name_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520Name upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520Name *
+nssPKIXX520Name_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXX520Name_Create
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING_TYPE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520Name upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520Name *
+nssPKIXX520Name_Create
+(
+  NSSArena *arenaOpt,
+  nssStringType type,
+  NSSItem *data
+);
+
+/*
+ * nssPKIXX520Name_Destroy
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXX520Name_Destroy
+(
+  NSSPKIXX520Name *name
+);
+
+/*
+ * nssPKIXX520Name_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXX520Name_Encode
+(
+  NSSPKIXX520Name *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXX520Name_GetUTF8Encoding
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXX520Name_GetUTF8Encoding
+(
+  NSSPKIXX520Name *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXX520Name_Equal
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXX520Name_Equal
+(
+  NSSPKIXX520Name *name1,
+  NSSPKIXX520Name *name2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXX520Name_Duplicate
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520Name upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520Name *
+nssPKIXX520Name_Duplicate
+(
+  NSSPKIXX520Name *name,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+
+/*
+ * nssPKIXX520Name_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXX520Name
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_X520_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXX520Name_verifyPointer
+(
+  NSSPKIXX520Name *p
+);
+
+#endif /* DEBUG */
+
+/*
+ * X520CommonName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520CommonName  ::=      CHOICE {
+ *        teletexString         TeletexString (SIZE (1..ub-common-name)),
+ *        printableString       PrintableString (SIZE (1..ub-common-name)),
+ *        universalString       UniversalString (SIZE (1..ub-common-name)),
+ *        utf8String            UTF8String (SIZE (1..ub-common-name)),
+ *        bmpString             BMPString (SIZE(1..ub-common-name))   }
+ * 
+ * 
+ *  ub-common-name  INTEGER ::=     64
+ *
+ * The private calls for this type:
+ *
+ *
+ *  nssPKIXX520CommonName_Decode
+ *  nssPKIXX520CommonName_CreateFromUTF8
+ *  nssPKIXX520CommonName_Create
+ *  nssPKIXX520CommonName_Destroy
+ *  nssPKIXX520CommonName_Encode
+ *  nssPKIXX520CommonName_GetUTF8Encoding
+ *  nssPKIXX520CommonName_Equal
+ *  nssPKIXX520CommonName_Duplicate
+ *
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXX520CommonName_verifyPointer
+ */
+
+/*
+ * nssPKIXX520CommonName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520CommonName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520CommonName *
+nssPKIXX520CommonName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXX520CommonName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520CommonName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520CommonName *
+nssPKIXX520CommonName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXX520CommonName_Create
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING_TYPE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520CommonName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520CommonName *
+nssPKIXX520CommonName_Create
+(
+  NSSArena *arenaOpt,
+  nssStringType type,
+  NSSItem *data
+);
+
+/*
+ * nssPKIXX520CommonName_Destroy
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXX520CommonName_Destroy
+(
+  NSSPKIXX520CommonName *name
+);
+
+/*
+ * nssPKIXX520CommonName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXX520CommonName_Encode
+(
+  NSSPKIXX520CommonName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXX520CommonName_GetUTF8Encoding
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXX520CommonName_GetUTF8Encoding
+(
+  NSSPKIXX520CommonName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXX520CommonName_Equal
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXX520CommonName_Equal
+(
+  NSSPKIXX520CommonName *name1,
+  NSSPKIXX520CommonName *name2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXX520CommonName_Duplicate
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520CommonName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520CommonName *
+nssPKIXX520CommonName_Duplicate
+(
+  NSSPKIXX520CommonName *name,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+
+/*
+ * nssPKIXX520CommonName_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXX520CommonName
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_X520_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXX520CommonName_verifyPointer
+(
+  NSSPKIXX520CommonName *p
+);
+
+#endif /* DEBUG */
+
+/*
+ * X520LocalityName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520LocalityName ::= CHOICE {
+ *        teletexString       TeletexString (SIZE (1..ub-locality-name)),
+ *        printableString     PrintableString (SIZE (1..ub-locality-name)),
+ *        universalString     UniversalString (SIZE (1..ub-locality-name)),
+ *        utf8String          UTF8String (SIZE (1..ub-locality-name)),
+ *        bmpString           BMPString (SIZE(1..ub-locality-name))   }
+ * 
+ * The private calls for this type:
+ *
+ *  nssPKIXX520LocalityName_Decode
+ *  nssPKIXX520LocalityName_CreateFromUTF8
+ *  nssPKIXX520LocalityName_Encode
+ *
+ */
+
+/*
+ * nssPKIXX520LocalityName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520LocalityName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520LocalityName *
+nssPKIXX520LocalityName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXX520LocalityName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520LocalityName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520LocalityName *
+nssPKIXX520LocalityName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXX520LocalityName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXX520LocalityName_Encode
+(
+  NSSPKIXX520LocalityName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * X520StateOrProvinceName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520StateOrProvinceName         ::= CHOICE {
+ *        teletexString       TeletexString (SIZE (1..ub-state-name)),
+ *        printableString     PrintableString (SIZE (1..ub-state-name)),
+ *        universalString     UniversalString (SIZE (1..ub-state-name)),
+ *        utf8String          UTF8String (SIZE (1..ub-state-name)),
+ *        bmpString           BMPString (SIZE(1..ub-state-name))   }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXX520StateOrProvinceName_Decode
+ *  nssPKIXX520StateOrProvinceName_CreateFromUTF8
+ *  nssPKIXX520StateOrProvinceName_Encode
+ *
+ */
+
+/*
+ * nssPKIXX520StateOrProvinceName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520StateOrProvinceName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520StateOrProvinceName *
+nssPKIXX520StateOrProvinceName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXX520StateOrProvinceName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520StateOrProvinceName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520StateOrProvinceName *
+nssPKIXX520StateOrProvinceName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXX520StateOrProvinceName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXX520StateOrProvinceName_Encode
+(
+  NSSPKIXX520StateOrProvinceName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * X520OrganizationName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520OrganizationName ::= CHOICE {
+ *    teletexString     TeletexString (SIZE (1..ub-organization-name)),
+ *    printableString   PrintableString (SIZE (1..ub-organization-name)),
+ *    universalString   UniversalString (SIZE (1..ub-organization-name)),
+ *    utf8String        UTF8String (SIZE (1..ub-organization-name)),
+ *    bmpString         BMPString (SIZE(1..ub-organization-name))   }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXX520OrganizationName_Decode
+ *  nssPKIXX520OrganizationName_CreateFromUTF8
+ *  nssPKIXX520OrganizationName_Encode
+ *
+ */
+
+/*
+ * nssPKIXX520OrganizationName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520OrganizationName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520OrganizationName *
+nssPKIXX520OrganizationName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXX520OrganizationName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520OrganizationName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520OrganizationName *
+nssPKIXX520OrganizationName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXX520OrganizationName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXX520OrganizationName_Encode
+(
+  NSSPKIXX520OrganizationName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * X520OrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520OrganizationalUnitName ::= CHOICE {
+ *   teletexString    TeletexString (SIZE (1..ub-organizational-unit-name)),
+ *   printableString        PrintableString
+ *                        (SIZE (1..ub-organizational-unit-name)),
+ *   universalString        UniversalString
+ *                        (SIZE (1..ub-organizational-unit-name)),
+ *   utf8String       UTF8String (SIZE (1..ub-organizational-unit-name)),
+ *   bmpString        BMPString (SIZE(1..ub-organizational-unit-name))   }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXX520OrganizationalUnitName_Decode
+ *  nssPKIXX520OrganizationalUnitName_CreateFromUTF8
+ *  nssPKIXX520OrganizationalUnitName_Encode
+ *
+ */
+
+/*
+ * nssPKIXX520OrganizationalUnitName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520OrganizationalUnitName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520OrganizationalUnitName *
+nssPKIXX520OrganizationalUnitName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXX520OrganizationalUnitName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520OrganizationalUnitName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520OrganizationalUnitName *
+nssPKIXX520OrganizationalUnitName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXX520OrganizationalUnitName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXX520OrganizationalUnitName_Encode
+(
+  NSSPKIXX520OrganizationalUnitName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * X520Title
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520Title ::=   CHOICE {
+ *        teletexString         TeletexString (SIZE (1..ub-title)),
+ *        printableString       PrintableString (SIZE (1..ub-title)),
+ *        universalString       UniversalString (SIZE (1..ub-title)),
+ *        utf8String            UTF8String (SIZE (1..ub-title)),
+ *        bmpString             BMPString (SIZE(1..ub-title))   }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXX520Title_Decode
+ *  nssPKIXX520Title_CreateFromUTF8
+ *  nssPKIXX520Title_Encode
+ *
+ */
+
+/*
+ * nssPKIXX520Title_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520Title upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520Title *
+nssPKIXX520Title_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXX520Title_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520Title upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520Title *
+nssPKIXX520Title_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXX520Title_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXX520Title_Encode
+(
+  NSSPKIXX520Title *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * X520dnQualifier
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520dnQualifier ::=     PrintableString
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXX520dnQualifier_Decode
+ *  nssPKIXX520dnQualifier_CreateFromUTF8
+ *  nssPKIXX520dnQualifier_Encode
+ *
+ */
+
+/*
+ * nssPKIXX520dnQualifier_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520dnQualifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520dnQualifier *
+nssPKIXX520dnQualifier_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXX520dnQualifier_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520dnQualifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520dnQualifier *
+nssPKIXX520dnQualifier_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXX520dnQualifier_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXX520dnQualifier_Encode
+(
+  NSSPKIXX520dnQualifier *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * X520countryName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X520countryName ::=     PrintableString (SIZE (2)) -- IS 3166 codes
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXX520countryName_Decode
+ *  nssPKIXX520countryName_CreateFromUTF8
+ *  nssPKIXX520countryName_Encode
+ *
+ */
+
+/*
+ * nssPKIXX520countryName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520countryName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520countryName *
+nssPKIXX520countryName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXX520countryName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520countryName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX520countryName *
+nssPKIXX520countryName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXX520countryName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXX520countryName_Encode
+(
+  NSSPKIXX520countryName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * Pkcs9email
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Pkcs9email ::= IA5String (SIZE (1..ub-emailaddress-length))
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXPkcs9email_Decode
+ *  nssPKIXPkcs9email_CreateFromUTF8
+ *  nssPKIXPkcs9email_Encode
+ *
+ */
+
+/*
+ * nssPKIXPkcs9email_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPkcs9email upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPkcs9email *
+nssPKIXPkcs9email_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXPkcs9email_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPkcs9email upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPkcs9email *
+nssPKIXPkcs9email_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXPkcs9email_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXPkcs9email_Encode
+(
+  NSSPKIXPkcs9email *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * Name
+ *
+ * This structure contains a union of the possible name formats,
+ * which at the moment is limited to an RDNSequence.
+ *
+ * From RFC 2459:
+ *
+ *  Name            ::=   CHOICE { -- only one possibility for now --
+ *                                   rdnSequence  RDNSequence }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXName_Decode
+ *  nssPKIXName_CreateFromUTF8
+ *  nssPKIXName_Create
+ *  nssPKIXName_CreateFromRDNSequence
+ *  nssPKIXName_Destroy
+ *  nssPKIXName_Encode
+ *  nssPKIXName_GetUTF8Encoding
+ *  nssPKIXName_GetChoice
+ *  nssPKIXName_GetRDNSequence
+ *  nssPKIXName_GetSpecifiedChoice {fgmr remove this}
+{fgmr} _SetRDNSequence
+{fgmr} _SetSpecifiedChoice
+ *  nssPKIXName_Equal
+ *  nssPKIXName_Duplicate
+ *
+ *  (here is where I had specific attribute value gettors in pki1)
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXName_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXName *
+nssPKIXName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXName_CreateFromUTF8
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXName *
+nssPKIXName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *string
+);
+
+/*
+ * nssPKIXName_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_CHOICE
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXName *
+nssPKIXName_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXNameChoice choice,
+  void *arg
+);
+
+/*
+ * nssPKIXName_CreateFromRDNSequence
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXName *
+nssPKIXName_CreateFromRDNSequence
+(
+  NSSArena *arenaOpt,
+  NSSPKIXRDNSequence *rdnSequence
+);
+
+/*
+ * nssPKIXName_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXName_Destroy
+(
+  NSSPKIXName *name
+);
+
+/*
+ * nssPKIXName_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXName_Encode
+(
+  NSSPKIXName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXName_GetUTF8Encoding
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXName_GetUTF8Encoding
+(
+  NSSPKIXName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXName_GetChoice
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *
+ * Return value:
+ *  A valid element of the NSSPKIXNameChoice enumeration upon success
+ *  The value NSSPKIXNameChoice_NSSinvalid (-1) upon error
+ */
+
+NSS_EXTERN NSSPKIXNameChoice
+nssPKIXName_GetChoice
+(
+  NSSPKIXName *name
+);
+
+/*
+ * nssPKIXName_GetRDNSequence
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_WRONG_CHOICE
+ *
+ * Return value:
+ *  A pointer to a valid NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRDNSequence *
+nssPKIXName_GetRDNSequence
+(
+  NSSPKIXName *name,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXName_GetSpecifiedChoice
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_WRONG_CHOICE
+ *
+ * Return value:
+ *  A valid pointer ...
+ *  NULL upon failure
+ */
+
+NSS_EXTERN void *
+nssPKIXName_GetSpecifiedChoice
+(
+  NSSPKIXName *name,
+  NSSPKIXNameChoice choice,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXName_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXName_Equal
+(
+  NSSPKIXName *name1,
+  NSSPKIXName *name2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXName_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXName *
+nssPKIXName_Duplicate
+(
+  NSSPKIXName *name,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXName_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXName
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXName_verifyPointer
+(
+  NSSPKIXName *p
+);
+#endif /* DEBUG */
+
+/*
+ * RDNSequence
+ *
+ * This structure contains a sequence of RelativeDistinguishedName
+ * objects.
+ *
+ * From RFC 2459:
+ *
+ *  RDNSequence     ::=   SEQUENCE OF RelativeDistinguishedName
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXRDNSequence_Decode
+ *  nssPKIXRDNSequence_CreateFromUTF8
+ *  nssPKIXRDNSequence_Create
+ *  nssPKIXRDNSequence_CreateFromArray
+ *  nssPKIXRDNSequence_Destroy
+ *  nssPKIXRDNSequence_Encode
+ *  nssPKIXRDNSequence_GetUTF8Encoding
+ *  nssPKIXRDNSequence_GetRelativeDistinguishedNameCount
+ *  nssPKIXRDNSequence_GetRelativeDistinguishedNames
+ *  nssPKIXRDNSequence_SetRelativeDistinguishedNames
+ *  nssPKIXRDNSequence_GetRelativeDistinguishedName
+ *  nssPKIXRDNSequence_SetRelativeDistinguishedName
+ *  nssPKIXRDNSequence_AppendRelativeDistinguishedName
+ *  nssPKIXRDNSequence_InsertRelativeDistinguishedName
+ *  nssPKIXRDNSequence_RemoveRelativeDistinguishedName
+ *  nssPKIXRDNSequence_FindRelativeDistinguishedName
+ *  nssPKIXRDNSequence_Equal
+ *  nssPKIXRDNSequence_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXRDNSequence_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXRDNSequence_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRDNSequence *
+nssPKIXRDNSequence_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXRDNSequence_CreateFromUTF8
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRDNSequence *
+nssPKIXRDNSequence_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *string
+);
+
+/*
+ * nssPKIXRDNSequence_CreateFromArray
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRDNSequence *
+nssPKIXRDNSequence_CreateFromArray
+(
+  NSSArena *arenaOpt,
+  PRUint32 count,
+  NSSPKIXRelativeDistinguishedName *rdn1
+);
+
+/*
+ * nssPKIXRDNSequence_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRDNSequence *
+nssPKIXRDNSequence_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXRelativeDistinguishedName *rdn1,
+  ...
+);
+
+/*
+ * nssPKIXRDNSequence_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXRDNSequence_Destroy
+(
+  NSSPKIXRDNSequence *rdnseq
+);
+
+/*
+ * nssPKIXRDNSequence_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXRDNSequence_Encode
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXRDNSequence_GetUTF8Encoding
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXRDNSequence_GetUTF8Encoding
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXRDNSequence_GetRelativeDistinguishedNameCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXRDNSequence_GetRelativeDistinguishedNameCount
+(
+  NSSPKIXRDNSequence *rdnseq
+);
+
+/*
+ * nssPKIXRDNSequence_GetRelativeDistinguishedNames
+ *
+ * This routine returns all of the relative distinguished names in the
+ * specified RDN Sequence.  {...} If the array is allocated, or if the
+ * specified one has extra space, the array will be null-terminated.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXRelativeDistinguishedName 
+ *      pointers upon success
+ *  NULL upon failure.
+ */
+
+NSS_EXTERN NSSPKIXRelativeDistinguishedName **
+nssPKIXRDNSequence_GetRelativeDistinguishedNames
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSPKIXRelativeDistinguishedName *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXRDNSequence_SetRelativeDistinguishedNames
+ *
+ * -- fgmr comments --
+ * If the array pointer itself is null, the set is considered empty.
+ * If the count is zero but the pointer nonnull, the array will be
+ * assumed to be null-terminated.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXRDNSequence_SetRelativeDistinguishedNames
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSPKIXRelativeDistinguishedName *rdns[],
+  PRInt32 countOpt
+);
+
+/*
+ * nssPKIXRDNSequence_GetRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRelativeDistinguishedName *
+nssPKIXRDNSequence_GetRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXRDNSequence_SetRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXRDNSequence_SetRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  PRInt32 i,
+  NSSPKIXRelativeDistinguishedName *rdn
+);
+
+/*
+ * nssPKIXRDNSequence_AppendRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXRDNSequence_AppendRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSPKIXRelativeDistinguishedName *rdn
+);
+
+/*
+ * nssPKIXRDNSequence_InsertRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXRDNSequence_InsertRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  PRInt32 i,
+  NSSPKIXRelativeDistinguishedName *rdn
+);
+
+/*
+ * nssPKIXRDNSequence_RemoveRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXRDNSequence_RemoveRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  PRInt32 i
+);
+
+/*
+ * nssPKIXRDNSequence_FindRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  The index of the specified attribute value upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXRDNSequence_FindRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSPKIXRelativeDistinguishedName *rdn
+);
+
+/*
+ * nssPKIXRDNSequence_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXRDNSequence_Equal
+(
+  NSSPKIXRDNSequence *one,
+  NSSPKIXRDNSequence *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXRDNSequence_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRDNSequence *
+nssPKIXRDNSequence_Duplicate
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXRDNSequence_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXRDNSequence
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXRDNSequence_verifyPointer
+(
+  NSSPKIXRDNSequence *p
+);
+#endif /* DEBUG */
+
+/*
+ * DistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  DistinguishedName       ::=   RDNSequence
+ *
+ * This is just a public typedef; no new methods are required. {fgmr-- right?}
+ */
+
+/*
+ * RelativeDistinguishedName
+ *
+ * This structure contains an unordered set of AttributeTypeAndValue 
+ * objects.  RDNs are used to distinguish a set of objects underneath 
+ * a common object.
+ *
+ * Often, a single ATAV is sufficient to make a unique distinction.
+ * For example, if a company assigns its people unique uid values,
+ * then in the Name "uid=smith,ou=People,o=Acme,c=US" the "uid=smith"
+ * ATAV by itself forms an RDN.  However, sometimes a set of ATAVs is
+ * needed.  For example, if a company needed to distinguish between
+ * two Smiths by specifying their corporate divisions, then in the
+ * Name "(cn=Smith,ou=Sales),ou=People,o=Acme,c=US" the parenthesised
+ * set of ATAVs forms the RDN.
+ *
+ * From RFC 2459:
+ *
+ *  RelativeDistinguishedName  ::=
+ *                      SET SIZE (1 .. MAX) OF AttributeTypeAndValue
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXRelativeDistinguishedName_Decode
+ *  nssPKIXRelativeDistinguishedName_CreateFromUTF8
+ *  nssPKIXRelativeDistinguishedName_Create
+ *  nssPKIXRelativeDistinguishedName_CreateFromArray
+ *  nssPKIXRelativeDistinguishedName_Destroy
+ *  nssPKIXRelativeDistinguishedName_Encode
+ *  nssPKIXRelativeDistinguishedName_GetUTF8Encoding
+ *  nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValueCount
+ *  nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValues
+ *  nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValues
+ *  nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValue
+ *  nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValue
+ *  nssPKIXRelativeDistinguishedName_AddAttributeTypeAndValue
+ *  nssPKIXRelativeDistinguishedName_RemoveAttributeTypeAndValue
+ *  nssPKIXRelativeDistinguishedName_FindAttributeTypeAndValue
+ *  nssPKIXRelativeDistinguishedName_Equal
+ *  nssPKIXRelativeDistinguishedName_Duplicate
+ * 
+ * fgmr: Logical additional functions include
+ *
+ *  NSSPKIXRelativeDistinguishedName_FindAttributeTypeAndValueByType
+ *    returns PRInt32
+ *  NSSPKIXRelativeDistinguishedName_FindAttributeTypeAndValuesByType
+ *    returns array of PRInt32
+ *  NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValueForType
+ *    returns NSSPKIXAttributeTypeAndValue
+ *  NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValuesForType
+ *    returns array of NSSPKIXAttributeTypeAndValue
+ *  NSSPKIXRelativeDistinguishedName_GetAttributeValueForType
+ *    returns NSSPKIXAttributeValue
+ *  NSSPKIXRelativeDistinguishedName_GetAttributeValuesForType
+ *    returns array of NSSPKIXAttributeValue
+ *
+ * NOTE: the "return array" versions are only meaningful if an RDN may
+ * contain multiple ATAVs with the same type.  Verify in the RFC if
+ * this is possible or not.  If not, nuke those three functions.
+ *
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXRelativeDistinguishedName_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXRelativeDistinguishedName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRelativeDistinguishedName *
+nssPKIXRelativeDistinguishedName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXRelativeDistinguishedName_CreateFromUTF8
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRelativeDistinguishedName *
+nssPKIXRelativeDistinguishedName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *string
+);
+
+/*
+ * nssPKIXRelativeDistinguishedName_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRelativeDistinguishedName *
+nssPKIXRelativeDistinguishedName_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAttributeTypeAndValue *atav1,
+  ...
+);
+
+/*
+ * nssPKIXRelativeDistinguishedName_CreateFromArray
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRelativeDistinguishedName *
+nssPKIXRelativeDistinguishedName_CreateFromArray
+(
+  NSSArena *arenaOpt,
+  PRUint32 count,
+  NSSPKIXAttributeTypeAndValue *atavs
+);
+
+/*
+ * nssPKIXRelativeDistinguishedName_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXRelativeDistinguishedName_Destroy
+(
+  NSSPKIXRelativeDistinguishedName *rdn
+);
+
+/*
+ * nssPKIXRelativeDistinguishedName_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXRelativeDistinguishedName_Encode
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXRelativeDistinguishedName_GetUTF8Encoding
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXRelativeDistinguishedName_GetUTF8Encoding
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValueCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValueCount
+(
+  NSSPKIXRelativeDistinguishedName *rdn
+);
+
+/*
+ * nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValues
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXAttributeTypeAndValue 
+ *      pointers upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAttributeTypeAndValue **
+nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValues
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSPKIXAttributeTypeAndValue *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValues
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValues
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSPKIXAttributeTypeAndValue *atavs[],
+  PRInt32 countOpt
+);
+
+/*
+ * nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAttributeTypeAndValue *
+nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValue
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValue
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  PRInt32 i,
+  NSSPKIXAttributeTypeAndValue *atav
+);
+
+/*
+ * nssPKIXRelativeDistinguishedName_AddAttributeTypeAndValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXRelativeDistinguishedName_AddAttributeTypeAndValue
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSPKIXAttributeTypeAndValue *atav
+);
+
+/*
+ * nssPKIXRelativeDistinguishedName_RemoveAttributeTypeAndValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_AT_MINIMUM
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXRelativeDistinguishedName_RemoveAttributeTypeAndValue
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  PRInt32 i
+);
+
+/*
+ * nssPKIXRelativeDistinguishedName_FindAttributeTypeAndValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  The index of the specified attribute value upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXRelativeDistinguishedName_FindAttributeTypeAndValue
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSPKIXAttributeTypeAndValue *atav
+);
+
+/*
+ * nssPKIXRelativeDistinguishedName_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXRelativeDistinguishedName_Equal
+(
+  NSSPKIXRelativeDistinguishedName *one,
+  NSSPKIXRelativeDistinguishedName *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXRelativeDistinguishedName_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRelativeDistinguishedName *
+nssPKIXRelativeDistinguishedName_Duplicate
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXRelativeDistinguishedName_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXRelativeDistinguishedName
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RELATIVE_DISTINGUISHED_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXRelativeDistinguishedName_verifyPointer
+(
+  NSSPKIXRelativeDistinguishedName *p
+);
+#endif /* DEBUG */
+
+/*
+ * DirectoryString
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  DirectoryString ::= CHOICE {
+ *        teletexString             TeletexString (SIZE (1..MAX)),
+ *        printableString           PrintableString (SIZE (1..MAX)),
+ *        universalString           UniversalString (SIZE (1..MAX)),
+ *        utf8String              UTF8String (SIZE (1..MAX)),
+ *        bmpString               BMPString (SIZE(1..MAX))   }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXDirectoryString_Decode
+ *  nssPKIXDirectoryString_CreateFromUTF8
+ *  nssPKIXDirectoryString_Encode
+ *
+ */
+
+/*
+ * nssPKIXDirectoryString_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDirectoryString upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDirectoryString *
+nssPKIXDirectoryString_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXDirectoryString_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDirectoryString upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDirectoryString *
+nssPKIXDirectoryString_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXDirectoryString_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_DIRECTORY_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXDirectoryString_Encode
+(
+  NSSPKIXDirectoryString *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * Certificate
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Certificate  ::=  SEQUENCE  {
+ *       tbsCertificate       TBSCertificate,
+ *       signatureAlgorithm   AlgorithmIdentifier,
+ *       signature            BIT STRING  }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXCertificate_Decode
+ *  nssPKIXCertificate_Create
+ *  nssPKIXCertificate_Destroy
+ *  nssPKIXCertificate_Encode
+ *  nssPKIXCertificate_GetTBSCertificate
+ *  nssPKIXCertificate_SetTBSCertificate
+ *  nssPKIXCertificate_GetAlgorithmIdentifier
+ *  nssPKIXCertificate_SetAlgorithmIdentifier
+ *  nssPKIXCertificate_GetSignature
+ *  nssPKIXCertificate_SetSignature
+ *  nssPKIXCertificate_Equal
+ *  nssPKIXCertificate_Duplicate
+ *
+ *  { inherit TBSCertificate gettors? }
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXCertificate_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXCertificate_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificate upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificate *
+nssPKIXCertificate_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXCertificate_Create
+ *
+ * -- fgmr comments --
+ * { at this level we'll have to just accept a specified signature }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_PKIX_ALGID
+ *  NSS_ERROR_INVALID_PKIX_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificate upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificate *
+nssPKIXCertificate_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXAlgorithmIdentifier *algID,
+  NSSItem *signature
+);
+
+/*
+ * nssPKIXCertificate_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCertificate_Destroy
+(
+  NSSPKIXCertificate *cert
+);
+
+/*
+ * nssPKIXCertificate_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXCertificate_Encode
+(
+  NSSPKIXCertificate *cert,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXCertificate_GetTBSCertificate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTBSCertificate upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTBSCertificate *
+nssPKIXCertificate_GetTBSCertificate
+(
+  NSSPKIXCertificate *cert,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXCertificate_SetTBSCertificate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCertificate_SetTBSCertificate
+(
+  NSSPKIXCertificate *cert,
+  NSSPKIXTBSCertificate *tbsCert
+);
+
+/*
+ * nssPKIXCertificate_GetAlgorithmIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAlgorithmIdentifier *
+nssPKIXCertificate_GetAlgorithmIdentifier
+(
+  NSSPKIXCertificate *cert,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXCertificate_SetAlgorithmIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCertificate_SetAlgorithmIdentifier
+(
+  NSSPKIXCertificate *cert,
+  NSSPKIXAlgorithmIdentifier *algid,
+);
+
+/*
+ * nssPKIXCertificate_GetSignature
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSItem *
+nssPKIXCertificate_GetSignature
+(
+  NSSPKIXCertificate *cert,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXCertificate_SetSignature
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCertificate_SetSignature
+(
+  NSSPKIXCertificate *cert,
+  NSSItem *signature
+);
+
+/*
+ * nssPKIXCertificate_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXCertificate_Equal
+(
+  NSSPKIXCertificate *one,
+  NSSPKIXCertificate *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXCertificate_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificate upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificate *
+nssPKIXCertificate_Duplicate
+(
+  NSSPKIXCertificate *cert,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXCertificate_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXCertificate
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCertificate_verifyPointer
+(
+  NSSPKIXCertificate *p
+);
+#endif /* DEBUG */
+
+/*
+ * TBSCertificate
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TBSCertificate  ::=  SEQUENCE  {
+ *       version         [0]  Version DEFAULT v1,
+ *       serialNumber         CertificateSerialNumber,
+ *       signature            AlgorithmIdentifier,
+ *       issuer               Name,
+ *       validity             Validity,
+ *       subject              Name,
+ *       subjectPublicKeyInfo SubjectPublicKeyInfo,
+ *       issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
+ *                            -- If present, version shall be v2 or v3
+ *       subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
+ *                            -- If present, version shall be v2 or v3
+ *       extensions      [3]  Extensions OPTIONAL
+ *                            -- If present, version shall be v3 --  }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXTBSCertificate_Decode
+ *  nssPKIXTBSCertificate_Create
+ *  nssPKIXTBSCertificate_Destroy
+ *  nssPKIXTBSCertificate_Encode
+ *  nssPKIXTBSCertificate_GetVersion
+ *  nssPKIXTBSCertificate_SetVersion
+ *  nssPKIXTBSCertificate_GetSerialNumber
+ *  nssPKIXTBSCertificate_SetSerialNumber
+ *  nssPKIXTBSCertificate_GetSignature
+ *  nssPKIXTBSCertificate_SetSignature
+ *    { inherit algid gettors? }
+ *  nssPKIXTBSCertificate_GetIssuer
+ *  nssPKIXTBSCertificate_SetIssuer
+ *    { inherit "helper" issuer gettors? }
+ *  nssPKIXTBSCertificate_GetValidity
+ *  nssPKIXTBSCertificate_SetValidity
+ *    { inherit validity accessors }
+ *  nssPKIXTBSCertificate_GetSubject
+ *  nssPKIXTBSCertificate_SetSubject
+ *  nssPKIXTBSCertificate_GetSubjectPublicKeyInfo
+ *  nssPKIXTBSCertificate_SetSubjectPublicKeyInfo
+ *  nssPKIXTBSCertificate_HasIssuerUniqueID
+ *  nssPKIXTBSCertificate_GetIssuerUniqueID
+ *  nssPKIXTBSCertificate_SetIssuerUniqueID
+ *  nssPKIXTBSCertificate_RemoveIssuerUniqueID
+ *  nssPKIXTBSCertificate_HasSubjectUniqueID
+ *  nssPKIXTBSCertificate_GetSubjectUniqueID
+ *  nssPKIXTBSCertificate_SetSubjectUniqueID
+ *  nssPKIXTBSCertificate_RemoveSubjectUniqueID
+ *  nssPKIXTBSCertificate_HasExtensions
+ *  nssPKIXTBSCertificate_GetExtensions
+ *  nssPKIXTBSCertificate_SetExtensions
+ *  nssPKIXTBSCertificate_RemoveExtensions
+ *    { extension accessors }
+ *  nssPKIXTBSCertificate_Equal
+ *  nssPKIXTBSCertificate_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXTBSCertificate_verifyPointer
+ */
+
+/*
+ * nssPKIXTBSCertificate_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTBSCertificate upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTBSCertificate *
+nssPKIXTBSCertificate_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXTBSCertificate_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_VERSION
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_SERIAL_NUMBER
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_ISSUER_NAME
+ *  NSS_ERROR_INVALID_VALIDITY
+ *  NSS_ERROR_INVALID_SUBJECT_NAME
+ *  NSS_ERROR_INVALID_SUBJECT_PUBLIC_KEY_INFO
+ *  NSS_ERROR_INVALID_ISSUER_UNIQUE_IDENTIFIER
+ *  NSS_ERROR_INVALID_SUBJECT_UNIQUE_IDENTIFIER
+ *  NSS_ERROR_INVALID_EXTENSION
+ *
+ * Return value:
+ */
+
+NSS_EXTERN NSSPKIXTBSCertificate *
+nssPKIXTBSCertificate_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXVersion version,
+  NSSPKIXCertificateSerialNumber *serialNumber,
+  NSSPKIXAlgorithmIdentifier *signature,
+  NSSPKIXName *issuer,
+  NSSPKIXValidity *validity,
+  NSSPKIXName *subject,
+  NSSPKIXSubjectPublicKeyInfo *spki,
+  NSSPKIXUniqueIdentifier *issuerUniqueID,
+  NSSPKIXUniqueIdentifier *subjectUniqueID,
+  NSSPKIXExtensions *extensions
+);
+
+/*
+ * nssPKIXTBSCertificate_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertificate_Destroy
+(
+  NSSPKIXTBSCertificate *tbsCert
+);
+
+/*
+ * nssPKIXTBSCertificate_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXTBSCertificate_Encode
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTBSCertificate_GetVersion
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  A valid element of the NSSPKIXVersion enumeration upon success
+ *  NSSPKIXVersion_NSSinvalid (-1) upon failure
+ */
+
+NSS_EXTERN NSSPKIXVersion
+nssPKIXTBSCertificate_GetVersion
+(
+  NSSPKIXTBSCertificate *tbsCert
+);
+
+/*
+ * nssPKIXTBSCertificate_SetVersion
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_PKIX_VERSION
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertificate_SetVersion
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXVersion version
+);
+
+/*
+ * nssPKIXTBSCertificate_GetSerialNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificateSerialNumber upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificateSerialNumber *
+nssPKIXTBSCertificate_GetSerialNumber
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXCertificateSerialNumber *snOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTBSCertificate_SetSerialNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertificate_SetSerialNumber
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXCertificateSerialNumber *sn
+);
+
+/*
+ * nssPKIXTBSCertificate_GetSignature
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAlgorithmIdentifier *
+nssPKIXTBSCertificate_GetSignature
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTBSCertificate_SetSignature
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertificate_SetSignature
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXAlgorithmIdentifier *algID
+);
+
+/*
+ *   { fgmr inherit algid gettors? }
+ */
+
+/*
+ * nssPKIXTBSCertificate_GetIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXName *
+nssPKIXTBSCertificate_GetIssuer
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTBSCertificate_SetIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertificate_SetIssuer
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXName *issuer
+);
+
+/*
+ *   { inherit "helper" issuer gettors? }
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *
+ * Return value:
+ */
+
+/*
+ * nssPKIXTBSCertificate_GetValidity
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXValidity upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXValidity *
+nssPKIXTBSCertificate_GetValidity
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTBSCertificate_SetValidity
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_PKIX_VALIDITY
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertificate_SetValidity
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXValidity *validity
+);
+
+/*
+ *   { fgmr inherit validity accessors }
+ */
+
+/*
+ * nssPKIXTBSCertificate_GetSubject
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXName *
+nssPKIXTBSCertificate_GetSubject
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTBSCertificate_SetSubject
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertificate_SetSubject
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXName *subject
+);
+
+/*
+ * nssPKIXTBSCertificate_GetSubjectPublicKeyInfo
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXSubjectPublicKeyInfo upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXSubjectPublicKeyInfo *
+nssPKIXTBSCertificate_GetSubjectPublicKeyInfo
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTBSCertificate_SetSubjectPublicKeyInfo
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertificate_SetSubjectPublicKeyInfo
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXSubjectPublicKeyInfo *spki
+);
+
+/*
+ * nssPKIXTBSCertificate_HasIssuerUniqueID
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXTBSCertificate_HasIssuerUniqueID
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXTBSCertificate_GetIssuerUniqueID
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_CERT_HAS_NO_ISSUER_UNIQUE_ID
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXUniqueIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXUniqueIdentifier *
+nssPKIXTBSCertificate_GetIssuerUniqueID
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXUniqueIdentifier *uidOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTBSCertificate_SetIssuerUniqueID
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertificate_SetIssuerUniqueID
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXUniqueIdentifier *uid
+);
+
+/*
+ * nssPKIXTBSCertificate_RemoveIssuerUniqueID
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_CERT_HAS_NO_ISSUER_UNIQUE_ID
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertificate_RemoveIssuerUniqueID
+(
+  NSSPKIXTBSCertificate *tbsCert
+);
+
+/*
+ * nssPKIXTBSCertificate_HasSubjectUniqueID
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXTBSCertificate_HasSubjectUniqueID
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXTBSCertificate_GetSubjectUniqueID
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_CERT_HAS_NO_SUBJECT_UNIQUE_ID
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXUniqueIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXUniqueIdentifier *
+nssPKIXTBSCertificate_GetSubjectUniqueID
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXUniqueIdentifier *uidOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTBSCertificate_SetSubjectUniqueID
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertificate_SetSubjectUniqueID
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXUniqueIdentifier *uid
+);
+
+/*
+ * nssPKIXTBSCertificate_RemoveSubjectUniqueID
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_CERT_HAS_NO_SUBJECT_UNIQUE_ID
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertificate_RemoveSubjectUniqueID
+(
+  NSSPKIXTBSCertificate *tbsCert
+);
+
+/*
+ * nssPKIXTBSCertificate_HasExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXTBSCertificate_HasExtensions
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXTBSCertificate_GetExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_CERT_HAS_NO_EXTENSIONS
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtensions upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensions *
+nssPKIXTBSCertificate_GetExtensions
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTBSCertificate_SetExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_PKIX_EXTENSIONS
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertificate_SetExtensions
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSPKIXExtensions *extensions
+);
+
+/*
+ * nssPKIXTBSCertificate_RemoveExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_CERT_HAS_NO_EXTENSIONS
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertificate_RemoveExtensions
+(
+  NSSPKIXTBSCertificate *tbsCert
+);
+
+/*
+ *   { extension accessors }
+ */
+
+/*
+ * nssPKIXTBSCertificate_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXTBSCertificate_Equal
+(
+  NSSPKIXTBSCertificate *one,
+  NSSPKIXTBSCertificate *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXTBSCertificate_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTBSCertificate upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTBSCertificate *
+nssPKIXTBSCertificate_Duplicate
+(
+  NSSPKIXTBSCertificate *tbsCert,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXTBSCertificate_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXTBSCertificate
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERTIFICATE
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertificate_verifyPointer
+(
+  NSSPKIXTBSCertificate *p
+);
+#endif /* DEBUG */
+
+/*
+ * CertificateSerialNumber
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CertificateSerialNumber  ::=  INTEGER
+ *
+ * This is just a typedef'd NSSBER; no methods are required.
+ * {fgmr -- the asn.1 stuff should have routines to convert
+ * integers to natural types when possible and vv.  we can
+ * refer to them here..}
+ */
+
+/*
+ * Validity
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Validity ::= SEQUENCE {
+ *       notBefore      Time,
+ *       notAfter       Time }
+ *
+ * The private calls for the type:
+ *
+ *  nssPKIXValidity_Decode
+ *  nssPKIXValidity_Create
+ *  nssPKIXValidity_Encode
+ *  nssPKIXValidity_Destroy
+ *  nssPKIXValidity_GetNotBefore
+ *  nssPKIXValidity_SetNotBefore
+ *  nssPKIXValidity_GetNotAfter
+ *  nssPKIXValidity_SetNotAfter
+ *  nssPKIXValidity_Equal
+ *  nssPKIXValidity_Compare
+ *  nssPKIXValidity_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXValidity_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXValidity_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXValidity upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXValidity *
+nssPKIXValidity_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXValidity_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_TIME
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXValidity upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXValidity *
+nssPKIXValidity_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXTime notBefore,
+  NSSPKIXTime notAfter
+);
+
+/*
+ * nssPKIXValidity_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_VALIDITY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXValidity_Destroy
+(
+  NSSPKIXValidity *validity
+);
+
+/*
+ * nssPKIXValidity_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_VALIDITY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXValidity_Encode
+(
+  NSSPKIXValidity *validity,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXValidity_GetNotBefore
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_VALIDITY
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  A valid NSSPKIXTime upon success
+ *  {we need to rethink NSSPKIXTime}
+ */
+
+NSS_EXTERN NSSPKIXTime
+nssPKIXValidity_GetNotBefore
+(
+  NSSPKIXValidity *validity
+);
+
+/*
+ * nssPKIXValidity_SetNotBefore
+ *
+ * -- fgmr comments --
+ * {do we require that it be before the "notAfter" value?}
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_VALIDITY
+ *  NSS_ERROR_VALUE_TOO_LARGE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXValidity_SetNotBefore
+(
+  NSSPKIXValidity *validity,
+  NSSPKIXTime notBefore
+);
+
+/*
+ * nssPKIXValidity_GetNotAfter
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_VALIDITY
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  A valid NSSPKIXTime upon success
+ *  {we need to rethink NSSPKIXTime}
+ */
+
+NSS_EXTERN NSSPKIXTime
+nssPKIXValidity_GetNotAfter
+(
+  NSSPKIXValidity *validity
+);
+
+/*
+ * nssPKIXValidity_SetNotAfter
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_VALIDITY
+ *  NSS_ERROR_VALUE_TOO_SMALL
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXValidity_SetNotAfter
+(
+  NSSPKIXValidity *validity,
+  NSSPKIXTime notAfter
+);
+
+/*
+ * nssPKIXValidity_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_VALIDITY
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXValidity_Equal
+(
+  NSSPKIXValidity *one,
+  NSSPKIXValidity *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXValidity_Compare
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_VALIDITY
+ *
+ * Return value:
+ *   1 if the second is "greater" or later than the first
+ *   0 if they are equal
+ *  -1 if the first is "greater" or later than the first
+ *  -2 upon failure
+ */
+
+NSS_EXTERN PRIntn
+nssPKIXValidity_Compare
+(
+  NSSPKIXValidity *one,
+  NSSPKIXValidity *two
+);
+
+/*
+ * nssPKIXValidity_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_VALIDITY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXValidity upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXValidity *
+nssPKIXValidity_Duplicate
+(
+  NSSPKIXValidity *validity,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXValidity_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXValidity
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_VALIDITY
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXValidity_verifyPointer
+(
+  NSSPKIXValidity *p
+);
+#endif /* DEBUG */
+
+/*
+ * Time
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Time ::= CHOICE {
+ *       utcTime        UTCTime,
+ *       generalTime    GeneralizedTime }
+ *
+ * The private calls for the type:
+ *
+ *  nssPKIXTime_Decode
+ *  nssPKIXTime_CreateFromPRTime
+ *  nssPKIXTime_CreateFromUTF8
+ *  nssPKIXTime_Destroy
+ *  nssPKIXTime_Encode
+ *  nssPKIXTime_GetPRTime
+ *  nssPKIXTime_GetUTF8Encoding
+ *  nssPKIXTime_Equal
+ *  nssPKIXTime_Duplicate
+ *  nssPKIXTime_Compare
+ *
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXTime_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXTime_Decode
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTime upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTime *
+nssPKIXTime_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXTime_CreateFromPRTime
+ *
+ */
+
+NSS_EXTERN NSSPKIXTime *
+nssPKIXTime_CreateFromPRTime
+(
+  NSSArena *arenaOpt,
+  PRTime prTime
+);
+
+/*
+ * nssPKIXTime_CreateFromUTF8
+ *
+ */
+
+NSS_EXTERN NSSPKIXTime *
+nssPKIXTime_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXTime_Destroy
+ *
+ */
+
+NSS_EXTERN PR_STATUS
+nssPKIXTime_Destroy
+(
+  NSSPKIXTime *time
+);
+
+/*
+ * nssPKIXTime_Encode
+ *
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXTime_Encode
+(
+  NSSPKIXTime *time,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTime_GetPRTime
+ *
+ * Returns a zero on error
+ */
+
+NSS_EXTERN PRTime
+nssPKIXTime_GetPRTime
+(
+  NSSPKIXTime *time,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXTime_GetUTF8Encoding
+ *
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKXITime_GetUTF8Encoding
+(
+  NSSPKIXTime *time,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTime_Equal
+ *
+ */
+
+NSS_EXTERN PRBool
+nssPKXITime_Equal
+(
+  NSSPKXITime *time1,
+  NSSPKXITime *time2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXTime_Duplicate
+ *
+ */
+
+NSS_EXTERN NSSPKIXTime *
+nssPKXITime_Duplicate
+(
+  NSSPKIXTime *time,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTime_Compare
+ *
+ * Usual result: -1, 0, 1
+ *  Returns 0 on error
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXTime_Compare
+(
+  NSSPKIXTime *time1,
+  NSSPKIXTime *tiem2,
+  PRStatus *statusOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXTime_verifyPointer
+ *
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTime_verifyPointer
+(
+  NSSPKIXTime *time
+);
+#endif /* DEBUG */
+
+/*
+ * UniqueIdentifier
+ *
+ * From RFC 2459:
+ *
+ *  UniqueIdentifier  ::=  BIT STRING
+ *
+ */
+
+/*
+ * SubjectPublicKeyInfo
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  SubjectPublicKeyInfo  ::=  SEQUENCE  {
+ *       algorithm            AlgorithmIdentifier,
+ *       subjectPublicKey     BIT STRING  }
+ *
+ * The private calls for the type:
+ *
+ *  nssPKIXSubjectPublicKeyInfo_Decode
+ *  nssPKIXSubjectPublicKeyInfo_Create
+ *  nssPKIXSubjectPublicKeyInfo_Encode
+ *  nssPKIXSubjectPublicKeyInfo_Destroy
+ *  nssPKIXSubjectPublicKeyInfo_GetAlgorithm
+ *  nssPKIXSubjectPublicKeyInfo_SetAlgorithm
+ *  nssPKIXSubjectPublicKeyInfo_GetSubjectPublicKey
+ *  nssPKIXSubjectPublicKeyInfo_SetSubjectPublicKey
+ *  nssPKIXSubjectPublicKeyInfo_Equal
+ *  nssPKIXSubjectPublicKeyInfo_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXSubjectPublicKeyInfo_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXSubjectPublicKeyInfo_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXSubjectPublicKeyInfo upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXSubjectPublicKeyInfo *
+nssPKIXSubjectPublicKeyInfo_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXSubjectPublicKeyInfo_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXSubjectPublicKeyInfo upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXSubjectPublicKeyInfo *
+nssPKIXSubjectPublicKeyInfo_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAlgorithmIdentifier *algid,
+  NSSItem *subjectPublicKey
+);
+
+/*
+ * nssPKIXSubjectPublicKeyInfo_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXSubjectPublicKeyInfo_Destroy
+(
+  NSSPKIXSubjectPublicKeyInfo *spki
+);
+
+/*
+ * nssPKIXSubjectPublicKeyInfo_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXSubjectPublicKeyInfo_Encode
+(
+  NSSPKIXSubjectPublicKeyInfo *spki,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXSubjectPublicKeyInfo_GetAlgorithm
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAlgorithmIdentifier *
+nssPKIXSubjectPublicKeyInfo_GetAlgorithm
+(
+  NSSPKIXSubjectPublicKeyInfo *spki,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXSubjectPublicKeyInfo_SetAlgorithm
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXSubjectPublicKeyInfo_SetAlgorithm
+(
+  NSSPKIXSubjectPublicKeyInfo *spki,
+  NSSPKIXAlgorithmIdentifier *algid
+);
+
+/*
+ * nssPKIXSubjectPublicKeyInfo_GetSubjectPublicKey
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSItem *
+nssPKIXSubjectPublicKeyInfo_GetSubjectPublicKey
+(
+  NSSPKIXSubjectPublicKeyInfo *spki,
+  NSSItem *spkOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXSubjectPublicKeyInfo_SetSubjectPublicKey
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXSubjectPublicKeyInfo_SetSubjectPublicKey
+(
+  NSSPKIXSubjectPublicKeyInfo *spki,
+  NSSItem *spk
+);
+
+/*
+ * nssPKIXSubjectPublicKeyInfo_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXSubjectPublicKeyInfo_Equal
+(
+  NSSPKIXSubjectPublicKeyInfo *one,
+  NSSPKIXSubjectPublicKeyInfo *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXSubjectPublicKeyInfo_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXSubjectPublicKeyInfo upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXSubjectPublicKeyInfo *
+nssPKIXSubjectPublicKeyInfo_Duplicate
+(
+  NSSPKIXSubjectPublicKeyInfo *spki,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXSubjectPublicKeyInfo_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXSubjectPublicKeyInfo
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_PUBLIC_KEY_INFO
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXSubjectPublicKeyInfo_verifyPointer
+(
+  NSSPKIXSubjectPublicKeyInfo *p
+);
+#endif /* DEBUG */
+
+/*
+ * Extensions
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
+ *
+ */
+
+/* { FGMR } */
+
+/*
+ * Extension
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Extension  ::=  SEQUENCE  {
+ *       extnID      OBJECT IDENTIFIER,
+ *       critical    BOOLEAN DEFAULT FALSE,
+ *       extnValue   OCTET STRING  }
+ *
+ */
+
+/* { FGMR } */
+
+/*
+ * CertificateList
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CertificateList  ::=  SEQUENCE  {
+ *       tbsCertList          TBSCertList,
+ *       signatureAlgorithm   AlgorithmIdentifier,
+ *       signature            BIT STRING  }
+ *
+ * The private calls for the type:
+ *
+ *  nssPKIXCertificateList_Decode
+ *  nssPKIXCertificateList_Create
+ *  nssPKIXCertificateList_Encode
+ *  nssPKIXCertificateList_Destroy
+ *  nssPKIXCertificateList_GetTBSCertList
+ *  nssPKIXCertificateList_SetTBSCertList
+ *  nssPKIXCertificateList_GetSignatureAlgorithm
+ *  nssPKIXCertificateList_SetSignatureAlgorithm
+ *  nssPKIXCertificateList_GetSignature
+ *  nssPKIXCertificateList_SetSignature
+ *  nssPKIXCertificateList_Equal
+ *  nssPKIXCertificateList_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXCertificateList_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXCertificateList_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificateList upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificateList *
+nssPKIXCertificateList_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXCertificateList_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificateList upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificateList *
+nssPKIXCertificateList_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXTBSCertList *tbsCertList,
+  NSSPKIXAlgorithmIdentifier *sigAlg,
+  NSSItem *signature
+);
+
+/*
+ * nssPKIXCertificateList_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCertificateList_Destroy
+(
+  NSSPKIXCertificateList *certList
+);
+
+/*
+ * nssPKIXCertificateList_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXCertificateList_Encode
+(
+  NSSPKIXCertificateList *certList,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXCertificateList_GetTBSCertList
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTBSCertList upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTBSCertList *
+nssPKIXCertificateList_GetTBSCertList
+(
+  NSSPKIXCertificateList *certList,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXCertificateList_SetTBSCertList
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCertificateList_SetTBSCertList
+(
+  NSSPKIXCertificateList *certList,
+  NSSPKIXTBSCertList *tbsCertList
+);
+
+/*
+ * nssPKIXCertificateList_GetSignatureAlgorithm
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAlgorithmIdentifier *
+nssPKIXCertificateList_GetSignatureAlgorithm
+(
+  NSSPKIXCertificateList *certList,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXCertificateList_SetSignatureAlgorithm
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCertificateList_SetSignatureAlgorithm
+(
+  NSSPKIXCertificateList *certList,
+  NSSPKIXAlgorithmIdentifier *sigAlg
+);
+
+/*
+ * nssPKIXCertificateList_GetSignature
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSItem *
+nssPKIXCertificateList_GetSignature
+(
+  NSSPKIXCertificateList *certList,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXCertificateList_SetSignature
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCertificateList_SetSignature
+(
+  NSSPKIXCertificateList *certList,
+  NSSItem *sig
+);
+
+/*
+ * nssPKIXCertificateList_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXCertificateList_Equal
+(
+  NSSPKIXCertificateList *one,
+  NSSPKIXCertificateList *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXCertificateList_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificateList upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificateList *
+nssPKIXCertificateList_Duplicate
+(
+  NSSPKIXCertificateList *certList,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXCertificateList_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXCertificateList
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_LIST
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCertificateList_verifyPointer
+(
+  NSSPKIXCertificateList *p
+);
+#endif /* DEBUG */
+
+/*
+ * TBSCertList
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TBSCertList  ::=  SEQUENCE  {
+ *       version                 Version OPTIONAL,
+ *                                    -- if present, shall be v2
+ *       signature               AlgorithmIdentifier,
+ *       issuer                  Name,
+ *       thisUpdate              Time,
+ *       nextUpdate              Time OPTIONAL,
+ *       revokedCertificates     SEQUENCE OF SEQUENCE  {
+ *            userCertificate         CertificateSerialNumber,
+ *            revocationDate          Time,
+ *            crlEntryExtensions      Extensions OPTIONAL
+ *                                           -- if present, shall be v2
+ *                                 }  OPTIONAL,
+ *       crlExtensions           [0] Extensions OPTIONAL
+ *                                           -- if present, shall be v2 -- }
+ *
+ * The private calls for the type:
+ *
+ *  nssPKIXTBSCertList_Decode
+ *  nssPKIXTBSCertList_Create
+ *  nssPKIXTBSCertList_Destroy
+ *  nssPKIXTBSCertList_Encode
+ *  nssPKIXTBSCertList_GetVersion
+ *  nssPKIXTBSCertList_SetVersion
+ *  nssPKIXTBSCertList_GetSignature
+ *  nssPKIXTBSCertList_SetSignature
+ *  nssPKIXTBSCertList_GetIssuer
+ *  nssPKIXTBSCertList_SetIssuer
+ *  nssPKIXTBSCertList_GetThisUpdate
+ *  nssPKIXTBSCertList_SetThisUpdate
+ *  nssPKIXTBSCertList_HasNextUpdate
+ *  nssPKIXTBSCertList_GetNextUpdate
+ *  nssPKIXTBSCertList_SetNextUpdate
+ *  nssPKIXTBSCertList_RemoveNextUpdate
+ *  nssPKIXTBSCertList_GetRevokedCertificates
+ *  nssPKIXTBSCertList_SetRevokedCertificates
+ *  nssPKIXTBSCertList_HasCrlExtensions
+ *  nssPKIXTBSCertList_GetCrlExtensions
+ *  nssPKIXTBSCertList_SetCrlExtensions
+ *  nssPKIXTBSCertList_RemoveCrlExtensions
+ *  nssPKIXTBSCertList_Equal
+ *  nssPKIXTBSCertList_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXTBSCertList_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXTBSCertList_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTBSCertList upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTBSCertList *
+nssPKIXTBSCertList_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXTBSCertList_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_VERSION
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_PKIX_TIME
+ *  (something for the times being out of order?)
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATES
+ *  NSS_ERROR_INVALID_PKIX_EXTENSIONS
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTBSCertList upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTBSCertList *
+nssPKIXTBSCertList_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXVersion version,
+  NSSPKIXAlgorithmIdentifier *signature,
+  NSSPKIXName *issuer,
+  NSSPKIXTime thisUpdate,
+  NSSPKIXTime nextUpdateOpt,
+  NSSPKIXrevokedCertificates *revokedCerts,
+  NSSPKIXExtensions *crlExtensionsOpt
+);
+
+/*
+ * nssPKIXTBSCertList_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertList_Destroy
+(
+  NSSPKIXTBSCertList *certList
+);
+
+/*
+ * nssPKIXTBSCertList_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXTBSCertList_Encode
+(
+  NSSPKIXTBSCertList *certList,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTBSCertList_GetVersion
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  A valid element of the NSSPKIXVersion enumeration upon success
+ *  NSSPKIXVersion_NSSinvalid (-1) upon failure
+ */
+
+NSS_EXTERN NSSPKIXVersion
+nssPKIXTBSCertList_GetVersion
+(
+  NSSPKIXTBSCertList *certList
+);
+
+/*
+ * nssPKIXTBSCertList_SetVersion
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_PKIX_VERSION
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertList_SetVersion
+(
+  NSSPKIXTBSCertList *certList,
+  NSSPKIXVersion version
+);
+
+/*
+ * nssPKIXTBSCertList_GetSignature
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAlgorithmIdentifier *
+nssPKIXTBSCertList_GetSignature
+(
+  NSSPKIXTBSCertList *certList,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTBSCertList_SetSignature
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertList_SetSignature
+(
+  NSSPKIXTBSCertList *certList,
+  NSSPKIXAlgorithmIdentifier *algid,
+);
+
+/*
+ * nssPKIXTBSCertList_GetIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXName *
+nssPKIXTBSCertList_GetIssuer
+(
+  NSSPKIXTBSCertList *certList,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTBSCertList_SetIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertList_SetIssuer
+(
+  NSSPKIXTBSCertList *certList,
+  NSSPKIXName *issuer
+);
+
+/*
+ * nssPKIXTBSCertList_GetThisUpdate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  A valid NSSPKIXTime upon success
+ *  {we need to rethink NSSPKIXTime}
+ */
+
+NSS_EXTERN NSSPKIXTime
+nssPKIXTBSCertList_GetThisUpdate
+(
+  NSSPKIXTBSCertList *certList
+);
+
+/*
+ * nssPKIXTBSCertList_SetThisUpdate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_VALUE_TOO_LARGE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertList_SetThisUpdate
+(
+  NSSPKIXTBSCertList *certList,
+  NSSPKIXTime thisUpdate
+);
+
+/*
+ * nssPKIXTBSCertList_HasNextUpdate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXTBSCertList_HasNextUpdate
+(
+  NSSPKIXTBSCertList *certList,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXTBSCertList_GetNextUpdate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  A valid NSSPKIXTime upon success
+ *  {we need to rethink NSSPKIXTime}
+ */
+
+NSS_EXTERN NSSPKIXTime
+nssPKIXTBSCertList_GetNextUpdate
+(
+  NSSPKIXTBSCertList *certList
+);
+
+/*
+ * nssPKIXTBSCertList_SetNextUpdate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_VALUE_TOO_SMALL
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertList_SetNextUpdate
+(
+  NSSPKIXTBSCertList *certList,
+  NSSPKIXTime nextUpdate
+);
+
+/*
+ * nssPKIXTBSCertList_RemoveNextUpdate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_HAS_NO_NEXT_UPDATE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertList_RemoveNextUpdate
+(
+  NSSPKIXTBSCertList *certList
+);
+
+/*
+ * nssPKIXTBSCertList_GetRevokedCertificates
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXrevokedCertificates upon succes
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXrevokedCertificates *
+nssPKIXTBSCertList_GetRevokedCertificates
+(
+  NSSPKIXTBSCertList *certList,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTBSCertList_SetRevokedCertificates
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATES
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertList_SetRevokedCertificates
+(
+  NSSPKIXTBSCertList *certList,
+  NSSPKIXrevokedCertificates *revoked
+);
+
+/*
+ * nssPKIXTBSCertList_HasCrlExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXTBSCertList_HasCrlExtensions
+(
+  NSSPKIXTBSCertList *certList,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXTBSCertList_GetCrlExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtensions upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensions *
+nssPKIXTBSCertList_GetCrlExtensions
+(
+  NSSPKIXTBSCertList *certList,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTBSCertList_SetCrlExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_PKIX_EXTENSIONS
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertList_SetCrlExtensions
+(
+  NSSPKIXTBSCertList *certList,
+  NSSPKIXExtensions *extensions
+);
+
+/*
+ * nssPKIXTBSCertList_RemoveCrlExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_HAS_NO_EXTENSIONS
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertList_RemoveCrlExtensions
+(
+  NSSPKIXTBSCertList *certList
+);
+
+/*
+ * nssPKIXTBSCertList_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXTBSCertList_Equal
+(
+  NSSPKIXTBSCertList *one,
+  NSSPKIXTBSCertList *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXTBSCertList_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTBSCertList upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTBSCertList *
+nssPKIXTBSCertList_Duplicate
+(
+  NSSPKIXTBSCertList *certList,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXTBSCertList_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXTBSCertList
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TBS_CERT_LIST
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTBSCertList_verifyPointer
+(
+  NSSPKIXTBSCertList *p
+);
+#endif /* DEBUG */
+
+/*
+ * revokedCertificates
+ *
+ * This is a "helper type" to simplify handling of TBSCertList objects.
+ *
+ *       revokedCertificates     SEQUENCE OF SEQUENCE  {
+ *            userCertificate         CertificateSerialNumber,
+ *            revocationDate          Time,
+ *            crlEntryExtensions      Extensions OPTIONAL
+ *                                           -- if present, shall be v2
+ *                                 }  OPTIONAL,
+ *
+ * The private calls for the type:
+ *
+ *  nssPKIXrevokedCertificates_Decode
+ *  nssPKIXrevokedCertificates_Create
+ *  nssPKIXrevokedCertificates_Encode
+ *  nssPKIXrevokedCertificates_Destroy
+ *  nssPKIXrevokedCertificates_GetRevokedCertificateCount
+ *  nssPKIXrevokedCertificates_GetRevokedCertificates
+ *  nssPKIXrevokedCertificates_SetRevokedCertificates
+ *  nssPKIXrevokedCertificates_GetRevokedCertificate
+ *  nssPKIXrevokedCertificates_SetRevokedCertificate
+ *  nssPKIXrevokedCertificates_InsertRevokedCertificate
+ *  nssPKIXrevokedCertificates_AppendRevokedCertificate
+ *  nssPKIXrevokedCertificates_RemoveRevokedCertificate
+ *  nssPKIXrevokedCertificates_Equal
+ *  nssPKIXrevokedCertificates_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXrevokedCertificates_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXrevokedCertificates_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXrevokedCertificates upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXrevokedCertificates *
+nssPKIXrevokedCertificates_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXrevokedCertificates_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXrevokedCertificates upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXrevokedCertificates *
+nssPKIXrevokedCertificates_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXrevokedCertificate *rc1,
+  ...
+);
+
+/*
+ * nssPKIXrevokedCertificates_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXrevokedCertificates_Destroy
+(
+  NSSPKIXrevokedCertificates *rcs
+);
+
+/*
+ * nssPKIXrevokedCertificates_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXrevokedCertificates_Encode
+(
+  NSSPKIXrevokedCertificates *rcs,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXrevokedCertificates_GetRevokedCertificateCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXrevokedCertificates_GetRevokedCertificateCount
+(
+  NSSPKIXrevokedCertificates *rcs
+);
+
+/*
+ * nssPKIXrevokedCertificates_GetRevokedCertificates
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXrevokedCertificate pointers
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXrevokedCertificate **
+nssPKIXrevokedCertificates_GetRevokedCertificates
+(
+  NSSPKIXrevokedCertificates *rcs,
+  NSSPKIXrevokedCertificate *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXrevokedCertificates_SetRevokedCertificates
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXrevokedCertificates_SetRevokedCertificates
+(
+  NSSPKIXrevokedCertificates *rcs,
+  NSSPKIXrevokedCertificate *rc[],
+  PRInt32 countOpt
+);
+
+/*
+ * nssPKIXrevokedCertificates_GetRevokedCertificate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXrevokedCertificate upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXrevokedCertificate *
+nssPKIXrevokedCertificates_GetRevokedCertificate
+(
+  NSSPKIXrevokedCertificates *rcs,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXrevokedCertificates_SetRevokedCertificate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXrevokedCertificates_SetRevokedCertificate
+(
+  NSSPKIXrevokedCertificates *rcs,
+  PRInt32 i,
+  NSSPKIXrevokedCertificate *rc
+);
+
+/*
+ * nssPKIXrevokedCertificates_InsertRevokedCertificate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXrevokedCertificates_InsertRevokedCertificate
+(
+  NSSPKIXrevokedCertificates *rcs,
+  PRInt32 i,
+  NSSPKIXrevokedCertificate *rc
+);
+
+/*
+ * nssPKIXrevokedCertificates_AppendRevokedCertificate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXrevokedCertificates_AppendRevokedCertificate
+(
+  NSSPKIXrevokedCertificates *rcs,
+  PRInt32 i,
+  NSSPKIXrevokedCertificate *rc
+);
+
+/*
+ * nssPKIXrevokedCertificates_RemoveRevokedCertificate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXrevokedCertificates_RemoveRevokedCertificate
+(
+  NSSPKIXrevokedCertificates *rcs,
+  PRInt32 i
+);
+
+/*
+ * nssPKIXrevokedCertificates_FindRevokedCertificate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATE
+ *
+ * Return value:
+ *  The index of the specified revoked certificate upon success
+ *  -1 upon failure
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXrevokedCertificates_FindRevokedCertificate
+(
+  NSSPKIXrevokedCertificates *rcs,
+  NSSPKIXrevokedCertificate *rc
+);
+
+/*
+ * nssPKIXrevokedCertificates_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXrevokedCertificates_Equal
+(
+  NSSPKIXrevokedCertificates *one,
+  NSSPKIXrevokedCertificates *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXrevokedCertificates_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_REVOKED_CERTIFICATES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXrevokedCertificates upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXrevokedCertificates *
+nssPKIXrevokedCertificates_Duplicate
+(
+  NSSPKIXrevokedCertificates *rcs,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXrevokedCertificates_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXrevokedCertificates
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATES
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXrevokedCertificates_verifyPointer
+(
+  NSSPKIXrevokedCertificates *p
+);
+#endif /* DEBUG */
+
+/*
+ * revokedCertificate
+ *
+ * This is a "helper type" to simplify handling of TBSCertList objects.
+ *
+ *                                           SEQUENCE  {
+ *            userCertificate         CertificateSerialNumber,
+ *            revocationDate          Time,
+ *            crlEntryExtensions      Extensions OPTIONAL
+ *                                           -- if present, shall be v2
+ *                                 }  OPTIONAL,
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXrevokedCertificate_Decode
+ *  nssPKIXrevokedCertificate_Create
+ *  nssPKIXrevokedCertificate_Encode
+ *  nssPKIXrevokedCertificate_Destroy
+ *  nssPKIXrevokedCertificate_GetUserCertificate
+ *  nssPKIXrevokedCertificate_SetUserCertificate
+ *  nssPKIXrevokedCertificate_GetRevocationDate
+ *  nssPKIXrevokedCertificate_SetRevocationDate
+ *  nssPKIXrevokedCertificate_HasCrlEntryExtensions
+ *  nssPKIXrevokedCertificate_GetCrlEntryExtensions
+ *  nssPKIXrevokedCertificate_SetCrlEntryExtensions
+ *  nssPKIXrevokedCertificate_RemoveCrlEntryExtensions
+ *  nssPKIXrevokedCertificate_Equal
+ *  nssPKIXrevokedCertificate_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXrevokedCertificate_verifyPointer
+ *
+ */
+
+
+/*
+ * nssPKIXrevokedCertificate_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXrevokedCertificate upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXrevokedCertificate *
+nssPKIXrevokedCertificate_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXrevokedCertificate_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_SERIAL_NUMBER
+ *  NSS_ERROR_INVALID_PKIX_TIME
+ *  NSS_ERROR_INVALID_PKIX_EXTENSIONS
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXrevokedCertificate upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXrevokedCertificate *
+nssPKIXrevokedCertificate_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXCertificateSerialNumber *userCertificate,
+  NSSPKIXTime *revocationDate,
+  NSSPKIXExtensions *crlEntryExtensionsOpt
+);
+
+/*
+ * nssPKIXrevokedCertificate_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXrevokedCertificate_Destroy
+(
+  NSSPKIXrevokedCertificate *rc
+);
+
+/*
+ * nssPKIXrevokedCertificate_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXrevokedCertificate_Encode
+(
+  NSSPKIXrevokedCertificate *rc,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXrevokedCertificate_GetUserCertificate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificateSerialNumber upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificateSerialNumber *
+nssPKIXrevokedCertificate_GetUserCertificate
+(
+  NSSPKIXrevokedCertificate *rc,
+  NSSArena *arenaOpt
+);  
+
+/*
+ * nssPKIXrevokedCertificate_SetUserCertificate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_SERIAL_NUMBER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXrevokedCertificate_SetUserCertificate
+(
+  NSSPKIXrevokedCertificate *rc,
+  NSSPKIXCertificateSerialNumber *csn
+);
+
+/*
+ * nssPKIXrevokedCertificate_GetRevocationDate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTime upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTime *
+nssPKIXrevokedCertificate_GetRevocationDate
+(
+  NSSPKIXrevokedCertificate *rc,
+  NSSArena *arenaOpt
+);  
+
+/*
+ * nssPKIXrevokedCertificate_SetRevocationDate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_TIME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXrevokedCertificate_SetRevocationDate
+(
+  NSSPKIXrevokedCertificate *rc,
+  NSSPKIXTime *revocationDate
+);
+
+/*
+ * nssPKIXrevokedCertificate_HasCrlEntryExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXrevokedCertificate_HasCrlEntryExtensions
+(
+  NSSPKIXrevokedCertificate *rc,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXrevokedCertificate_GetCrlEntryExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_NO_EXTENSIONS
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtensions upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensions *
+nssPKIXrevokedCertificate_GetCrlEntryExtensions
+(
+  NSSPKIXrevokedCertificate *rc,
+  NSSArena *arenaOpt
+);  
+
+/*
+ * nssPKIXrevokedCertificate_SetCrlEntryExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_EXTENSIONS
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXrevokedCertificate_SetCrlEntryExtensions
+(
+  NSSPKIXrevokedCertificate *rc,
+  NSSPKIXExtensions *crlEntryExtensions
+);
+
+/*
+ * nssPKIXrevokedCertificate_RemoveCrlEntryExtensions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *  NSS_ERROR_NO_EXTENSIONS
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXrevokedCertificate_RemoveCrlEntryExtensions
+(
+  NSSPKIXrevokedCertificate *rc
+);
+
+/*
+ * nssPKIXrevokedCertificate_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXrevokedCertificate_Equal
+(
+  NSSPKIXrevokedCertificate *one,
+  NSSPKIXrevokedCertificate *two,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXrevokedCertificate_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXrevokedCertificate upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXrevokedCertificate *
+nssPKIXrevokedCertificate_Duplicate
+(
+  NSSPKIXrevokedCertificate *rc,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXrevokedCertificate_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXrevokedCertificate
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REVOKED_CERTIFICATE
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXrevokedCertificate_verifyPointer
+(
+  NSSPKIXrevokedCertificate *p
+);
+#endif /* DEBUG */
+
+/*
+ * AlgorithmIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ * (1988 syntax)
+ *
+ *  AlgorithmIdentifier  ::=  SEQUENCE  {
+ *       algorithm               OBJECT IDENTIFIER,
+ *       parameters              ANY DEFINED BY algorithm OPTIONAL  }
+ *                                  -- contains a value of the type
+ *                                  -- registered for use with the
+ *                                  -- algorithm object identifier value
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXAlgorithmIdentifier_Decode
+ *  nssPKIXAlgorithmIdentifier_Create
+ *  nssPKIXAlgorithmIdentifier_Encode
+ *  nssPKIXAlgorithmIdentifier_Destroy
+ *  nssPKIXAlgorithmIdentifier_GetAlgorithm
+ *  nssPKIXAlgorithmIdentifier_SetAlgorithm
+ *  nssPKIXAlgorithmIdentifier_GetParameters
+ *  nssPKIXAlgorithmIdentifier_SetParameters
+ *  nssPKIXAlgorithmIdentifier_Compare
+ *  nssPKIXAlgorithmIdentifier_Duplicate
+ *    { algorithm-specific parameter types and accessors ? }
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXAlgorithmIdentifier_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXAlgorithmIdentifier_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAlgorithmIdentifier *
+nssPKIXAlgorithmIdentifier_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXAlgorithmIdentifier_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAlgorithmIdentifier *
+nssPKIXAlgorithmIdentifier_Create
+(
+  NSSArena *arenaOpt,
+  NSSOID *algorithm,
+  NSSItem *parameters
+);
+
+/*
+ * nssPKIXAlgorithmIdentifier_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAlgorithmIdentifier_Destroy
+(
+  NSSPKIXAlgorithmIdentifier *algid
+);
+
+/*
+ * nssPKIXAlgorithmIdentifier_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXAlgorithmIdentifier_Encode
+(
+  NSSPKIXAlgorithmIdentifier *algid,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXAlgorithmIdentifier_GetAlgorithm
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSOID pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSOID *
+nssPKIXAlgorithmIdentifier_GetAlgorithm
+(
+  NSSPKIXAlgorithmIdentifier *algid
+);
+
+/*
+ * nssPKIXAlgorithmIdentifier_SetAlgorithm
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_OID
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAlgorithmIdentifier_SetAlgorithm
+(
+  NSSPKIXAlgorithmIdentifier *algid,
+  NSSOID *algorithm
+);
+
+/*
+ * nssPKIXAlgorithmIdentifier_GetParameters
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSItem *
+nssPKIXAlgorithmIdentifier_GetParameters
+(
+  NSSPKIXAlgorithmIdentifier *algid,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXAlgorithmIdentifier_SetParameters
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAlgorithmIdentifier_SetParameters
+(
+  NSSPKIXAlgorithmIdentifier *algid,
+  NSSItem *parameters
+);
+
+/*
+ * nssPKIXAlgorithmIdentifier_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXAlgorithmIdentifier_Equal
+(
+  NSSPKIXAlgorithmIdentifier *algid1,
+  NSSPKIXAlgorithmIdentifier *algid2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXAlgorithmIdentifier_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAlgorithmIdentifier *
+nssPKIXAlgorithmIdentifier_Duplicate
+(
+  NSSPKIXAlgorithmIdentifier *algid,
+  NSSArena *arenaOpt
+);
+
+/*
+ *   { algorithm-specific parameter types and accessors ? }
+ */
+
+#ifdef DEBUG
+/*
+ * nssPKIXAlgorithmIdentifier_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXAlgorithmIdentifier
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAlgorithmIdentifier_verifyPointer
+(
+  NSSPKIXAlgorithmIdentifier *p
+);
+#endif /* DEBUG */
+
+/*
+ * ORAddress
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ORAddress ::= SEQUENCE {
+ *     built-in-standard-attributes BuiltInStandardAttributes,
+ *     built-in-domain-defined-attributes
+ *                          BuiltInDomainDefinedAttributes OPTIONAL,
+ *     -- see also teletex-domain-defined-attributes
+ *     extension-attributes ExtensionAttributes OPTIONAL }
+ *  --      The OR-address is semantically absent from the OR-name if the
+ *  --      built-in-standard-attribute sequence is empty and the
+ *  --      built-in-domain-defined-attributes and extension-attributes are
+ *  --      both omitted.
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXORAddress_Decode
+ *  nssPKIXORAddress_Create
+ *  nssPKIXORAddress_Destroy
+ *  nssPKIXORAddress_Encode
+ *  nssPKIXORAddress_GetBuiltInStandardAttributes
+ *  nssPKIXORAddress_SetBuiltInStandardAttributes
+ *  nssPKIXORAddress_HasBuiltInDomainDefinedAttributes
+ *  nssPKIXORAddress_GetBuiltInDomainDefinedAttributes
+ *  nssPKIXORAddress_SetBuiltInDomainDefinedAttributes
+ *  nssPKIXORAddress_RemoveBuiltInDomainDefinedAttributes
+ *  nssPKIXORAddress_HasExtensionsAttributes
+ *  nssPKIXORAddress_GetExtensionsAttributes
+ *  nssPKIXORAddress_SetExtensionsAttributes
+ *  nssPKIXORAddress_RemoveExtensionsAttributes
+ *  nssPKIXORAddress_Equal
+ *  nssPKIXORAddress_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXORAddress_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXORAddress_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXORAddres upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXORAddress *
+nssPKIXORAddress_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXORAddress_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_EXTENSIONS_ATTRIBUTES
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXORAddres upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXORAddress *
+nssPKIXORAddress_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSPKIXBuiltInDomainDefinedAttributes *biddaOpt,
+  NSSPKIXExtensionAttributes *eaOpt
+);
+
+/*
+ * nssPKIXORAddress_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXORAddress_Destroy
+(
+  NSSPKIXORAddress *ora
+);
+
+/*
+ * nssPKIXORAddress_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXORAddress_Encode
+(
+  NSSPKIXORAddress *ora,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXORAddress_GetBuiltInStandardAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInStandardAttributes upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInStandardAttributes *
+nssPKIXORAddress_GetBuiltInStandardAttributes
+(
+  NSSPKIXORAddress *ora,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXORAddress_SetBuiltInStandardAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXORAddress_SetBuiltInStandardAttributes
+(
+  NSSPKIXORAddress *ora,
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * nssPKIXORAddress_HasBuiltInDomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXORAddress_HasBuiltInDomainDefinedAttributes
+(
+  NSSPKIXORAddress *ora,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXORAddress_GetBuiltInDomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_NO_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInDomainDefinedAttributes upon
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttributes *
+nssPKIXORAddress_GetBuiltInDomainDefinedAttributes
+(
+  NSSPKIXORAddress *ora,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXORAddress_SetBuiltInDomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXORAddress_SetBuiltInDomainDefinedAttributes
+(
+  NSSPKIXORAddress *ora,
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * nssPKIXORAddress_RemoveBuiltInDomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *  NSS_ERROR_NO_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXORAddress_RemoveBuiltInDomainDefinedAttributes
+(
+  NSSPKIXORAddress *ora
+);
+
+/*
+ * nssPKIXORAddress_HasExtensionsAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXORAddress_HasExtensionsAttributes
+(
+  NSSPKIXORAddress *ora,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXORAddress_GetExtensionsAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_NO_EXTENSION_ATTRIBUTES
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtensionAttributes upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensionAttributes *
+nssPKIXORAddress_GetExtensionsAttributes
+(
+  NSSPKIXORAddress *ora,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXORAddress_SetExtensionsAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXORAddress_SetExtensionsAttributes
+(
+  NSSPKIXORAddress *ora,
+  NSSPKIXExtensionAttributes *eaOpt
+);
+
+/*
+ * nssPKIXORAddress_RemoveExtensionsAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *  NSS_ERROR_NO_EXTENSION_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXORAddress_RemoveExtensionsAttributes
+(
+  NSSPKIXORAddress *ora
+);
+
+/*
+ * nssPKIXORAddress_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXORAddress_Equal
+(
+  NSSPKIXORAddress *ora1,
+  NSSPKIXORAddress *ora2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXORAddress_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXORAddres upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXORAddress *
+nssPKIXORAddress_Duplicate
+(
+  NSSPKIXORAddress *ora,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXORAddress_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXORAddress
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXORAddress_verifyPointer
+(
+  NSSPKIXORAddress *p
+);
+#endif /* DEBUG */
+
+/*
+ * BuiltInStandardAttributes
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  BuiltInStandardAttributes ::= SEQUENCE {
+ *     country-name CountryName OPTIONAL,
+ *     administration-domain-name AdministrationDomainName OPTIONAL,
+ *     network-address      [0] NetworkAddress OPTIONAL,
+ *     -- see also extended-network-address
+ *     terminal-identifier  [1] TerminalIdentifier OPTIONAL,
+ *     private-domain-name  [2] PrivateDomainName OPTIONAL,
+ *     organization-name    [3] OrganizationName OPTIONAL,
+ *     -- see also teletex-organization-name
+ *     numeric-user-identifier      [4] NumericUserIdentifier OPTIONAL,
+ *     personal-name        [5] PersonalName OPTIONAL,
+ *     -- see also teletex-personal-name
+ *     organizational-unit-names    [6] OrganizationalUnitNames OPTIONAL
+ *     -- see also teletex-organizational-unit-names -- }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXBuiltInStandardAttributes_Decode
+ *  nssPKIXBuiltInStandardAttributes_Create
+ *  nssPKIXBuiltInStandardAttributes_Destroy
+ *  nssPKIXBuiltInStandardAttributes_Encode
+ *  nssPKIXBuiltInStandardAttributes_HasCountryName
+ *  nssPKIXBuiltInStandardAttributes_GetCountryName
+ *  nssPKIXBuiltInStandardAttributes_SetCountryName
+ *  nssPKIXBuiltInStandardAttributes_RemoveCountryName
+ *  nssPKIXBuiltInStandardAttributes_HasAdministrationDomainName
+ *  nssPKIXBuiltInStandardAttributes_GetAdministrationDomainName
+ *  nssPKIXBuiltInStandardAttributes_SetAdministrationDomainName
+ *  nssPKIXBuiltInStandardAttributes_RemoveAdministrationDomainName
+ *  nssPKIXBuiltInStandardAttributes_HasNetworkAddress
+ *  nssPKIXBuiltInStandardAttributes_GetNetworkAddress
+ *  nssPKIXBuiltInStandardAttributes_SetNetworkAddress
+ *  nssPKIXBuiltInStandardAttributes_RemoveNetworkAddress
+ *  nssPKIXBuiltInStandardAttributes_HasTerminalIdentifier
+ *  nssPKIXBuiltInStandardAttributes_GetTerminalIdentifier
+ *  nssPKIXBuiltInStandardAttributes_SetTerminalIdentifier
+ *  nssPKIXBuiltInStandardAttributes_RemoveTerminalIdentifier
+ *  nssPKIXBuiltInStandardAttributes_HasPrivateDomainName
+ *  nssPKIXBuiltInStandardAttributes_GetPrivateDomainName
+ *  nssPKIXBuiltInStandardAttributes_SetPrivateDomainName
+ *  nssPKIXBuiltInStandardAttributes_RemovePrivateDomainName
+ *  nssPKIXBuiltInStandardAttributes_HasOrganizationName
+ *  nssPKIXBuiltInStandardAttributes_GetOrganizationName
+ *  nssPKIXBuiltInStandardAttributes_SetOrganizationName
+ *  nssPKIXBuiltInStandardAttributes_RemoveOrganizationName
+ *  nssPKIXBuiltInStandardAttributes_HasNumericUserIdentifier
+ *  nssPKIXBuiltInStandardAttributes_GetNumericUserIdentifier
+ *  nssPKIXBuiltInStandardAttributes_SetNumericUserIdentifier
+ *  nssPKIXBuiltInStandardAttributes_RemoveNumericUserIdentifier
+ *  nssPKIXBuiltInStandardAttributes_HasPersonalName
+ *  nssPKIXBuiltInStandardAttributes_GetPersonalName
+ *  nssPKIXBuiltInStandardAttributes_SetPersonalName
+ *  nssPKIXBuiltInStandardAttributes_RemovePersonalName
+ *  nssPKIXBuiltInStandardAttributes_HasOrganizationLUnitNames
+ *  nssPKIXBuiltInStandardAttributes_GetOrganizationLUnitNames
+ *  nssPKIXBuiltInStandardAttributes_SetOrganizationLUnitNames
+ *  nssPKIXBuiltInStandardAttributes_RemoveOrganizationLUnitNames
+ *  nssPKIXBuiltInStandardAttributes_Equal
+ *  nssPKIXBuiltInStandardAttributes_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXBuiltInStandardAttributes_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXBuiltInStandardAttributes_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInStandardAttributes upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInStandardAttributes *
+nssPKIXBuiltInStandardAttributes_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_COUNTRY_NAME
+ *  NSS_ERROR_INVALID_PKIX_ADMINISTRATION_DOMAIN_NAME
+ *  NSS_ERROR_INVALID_PKIX_NETWORK_ADDRESS
+ *  NSS_ERROR_INVALID_PKIX_TERMINAL_IDENTIFIER
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_DOMAIN_NAME
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATION_NAME
+ *  NSS_ERROR_INVALID_PKIX_NUMERIC_USER_IDENTIFIER
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInStandardAttributes upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInStandardAttributes *
+nssPKIXBuiltInStandardAttributes_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXCountryName *countryNameOpt,
+  NSSPKIXAdministrationDomainName *administrationDomainNameOpt,
+  NSSPKIXNetworkAddress *networkAddressOpt,
+  NSSPKIXTerminalIdentifier *terminalIdentifierOpt,
+  NSSPKIXPrivateDomainName *privateDomainNameOpt,
+  NSSPKIXOrganizationName *organizationNameOpt,
+  NSSPKIXNumericUserIdentifier *numericUserIdentifierOpt,
+  NSSPKIXPersonalName *personalNameOpt,
+  NSSPKIXOrganizationalUnitNames *organizationalUnitNamesOpt
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInStandardAttributes_Destroy
+(
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXBuiltInStandardAttributes_Encode
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_HasCountryName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXBuiltInStandardAttributes_HasCountryName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_GetCountryName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCountryName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCountryName *
+nssPKIXBuiltInStandardAttributes_GetCountryName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_SetCountryName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_COUNTRY_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInStandardAttributes_SetCountryName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSPKIXCountryName *countryName
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_RemoveCountryName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_COUNTRY_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInStandardAttributes_RemoveCountryName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_HasAdministrationDomainName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXBuiltInStandardAttributes_HasAdministrationDomainName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_GetAdministrationDomainName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAdministrationDomainName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAdministrationDomainName *
+nssPKIXBuiltInStandardAttributes_GetAdministrationDomainName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_SetAdministrationDomainName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_ADMINISTRATION_DOMAIN_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInStandardAttributes_SetAdministrationDomainName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSPKIXAdministrationDomainName *administrationDomainName
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_RemoveAdministrationDomainName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_ADMINISTRATION_DOMAIN_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInStandardAttributes_RemoveAdministrationDomainName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_HasNetworkAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXBuiltInStandardAttributes_HasNetworkAddress
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_GetNetworkAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXNetworkAddress upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNetworkAddress *
+nssPKIXBuiltInStandardAttributes_GetNetworkAddress
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_SetNetworkAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_NETWORK_ADDRESS
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInStandardAttributes_SetNetworkAddress
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSPKIXNetworkAddress *networkAddress
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_RemoveNetworkAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_NETWORK_ADDRESS
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInStandardAttributes_RemoveNetworkAddress
+(
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_HasTerminalIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXBuiltInStandardAttributes_HasTerminalIdentifier
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_GetTerminalIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTerminalIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTerminalIdentifier *
+nssPKIXBuiltInStandardAttributes_GetTerminalIdentifier
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_SetTerminalIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_TERMINAL_IDENTIFIER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInStandardAttributes_SetTerminalIdentifier
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSPKIXTerminalIdentifier *terminalIdentifier
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_RemoveTerminalIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_TERMINAL_IDENTIFIER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInStandardAttributes_RemoveTerminalIdentifier
+(
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_HasPrivateDomainName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXBuiltInStandardAttributes_HasPrivateDomainName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_GetPrivateDomainName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPrivateDomainName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPrivateDomainName *
+nssPKIXBuiltInStandardAttributes_GetPrivateDomainName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_SetPrivateDomainName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_DOMAIN_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInStandardAttributes_SetPrivateDomainName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSPKIXPrivateDomainName *privateDomainName
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_RemovePrivateDomainName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_PRIVATE_DOMAIN_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInStandardAttributes_RemovePrivateDomainName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_HasOrganizationName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXBuiltInStandardAttributes_HasOrganizationName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_GetOrganizationName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXOrganizationName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXOrganizationName *
+nssPKIXBuiltInStandardAttributes_GetOrganizationName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_SetOrganizationName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATION_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInStandardAttributes_SetOrganizationName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSPKIXOrganizationName *organizationName
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_RemoveOrganizationName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_ORGANIZATION_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInStandardAttributes_RemoveOrganizationName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_HasNumericUserIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXBuiltInStandardAttributes_HasNumericUserIdentifier
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_GetNumericUserIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXNumericUserIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNumericUserIdentifier *
+nssPKIXBuiltInStandardAttributes_GetNumericUserIdentifier
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_SetNumericUserIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_NUMERIC_USER_IDENTIFIER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInStandardAttributes_SetNumericUserIdentifier
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSPKIXNumericUserIdentifier *numericUserIdentifier
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_RemoveNumericUserIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_NUMERIC_USER_IDENTIFIER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInStandardAttributes_RemoveNumericUserIdentifier
+(
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_HasPersonalName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXBuiltInStandardAttributes_HasPersonalName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_GetPersonalName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPersonalName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPersonalName *
+nssPKIXBuiltInStandardAttributes_GetPersonalName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_SetPersonalName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInStandardAttributes_SetPersonalName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSPKIXPersonalName *personalName
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_RemovePersonalName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInStandardAttributes_RemovePersonalName
+(
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_HasOrganizationLUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXBuiltInStandardAttributes_HasOrganizationLUnitNames
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_GetOrganizationLUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXOrganizationalUnitNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXOrganizationalUnitNames *
+nssPKIXBuiltInStandardAttributes_GetOrganizationLUnitNames
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_SetOrganizationLUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInStandardAttributes_SetOrganizationLUnitNames
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSPKIXOrganizationalUnitNames *organizationalUnitNames
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_RemoveOrganizationLUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_ORGANIZATIONAL_UNIT_NAMES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInStandardAttributes_RemoveOrganizationLUnitNames
+(
+  NSSPKIXBuiltInStandardAttributes *bisa
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXBuiltInStandardAttributes_Equal
+(
+  NSSPKIXBuiltInStandardAttributes *bisa1,
+  NSSPKIXBuiltInStandardAttributes *bisa2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXBuiltInStandardAttributes_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInStandardAttributes upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInStandardAttributes *
+nssPKIXBuiltInStandardAttributes_Duplicate
+(
+  NSSPKIXBuiltInStandardAttributes *bisa,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXBuiltInStandardAttributes_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXBuiltInStandardAttributes
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_STANDARD_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInStandardAttributes_verifyPointer
+(
+  NSSPKIXBuiltInStandardAttributes *p
+);
+#endif /* DEBUG */
+
+/*
+ * CountryName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CountryName ::= [APPLICATION 1] CHOICE {
+ *     x121-dcc-code NumericString
+ *                  (SIZE (ub-country-name-numeric-length)),
+ *     iso-3166-alpha2-code PrintableString
+ *                  (SIZE (ub-country-name-alpha-length)) }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXCountryName_Decode
+ *  nssPKIXCountryName_CreateFromUTF8
+ *  nssPKIXCountryName_Encode
+ *
+ */
+
+/*
+ * nssPKIXCountryName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCountryName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCountryName *
+nssPKIXCountryName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXCountryName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCountryName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCountryName *
+nssPKIXCountryName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXCountryName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_COUNTRY_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXCountryName_Encode
+(
+  NSSPKIXCountryName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * AdministrationDomainName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  AdministrationDomainName ::= [APPLICATION 2] CHOICE {
+ *     numeric NumericString (SIZE (0..ub-domain-name-length)),
+ *     printable PrintableString (SIZE (0..ub-domain-name-length)) }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXAdministrationDomainName_Decode
+ *  nssPKIXAdministrationDomainName_CreateFromUTF8
+ *  nssPKIXAdministrationDomainName_Encode
+ *
+ */
+
+/*
+ * nssPKIXAdministrationDomainName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAdministrationDomainName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAdministrationDomainName *
+nssPKIXAdministrationDomainName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXAdministrationDomainName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAdministrationDomainName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAdministrationDomainName *
+nssPKIXAdministrationDomainName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXAdministrationDomainName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ADMINISTRATION_DOMAIN_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXAdministrationDomainName_Encode
+(
+  NSSPKIXAdministrationDomainName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * X121Address
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  X121Address ::= NumericString (SIZE (1..ub-x121-address-length))
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXX121Address_Decode
+ *  nssPKIXX121Address_CreateFromUTF8
+ *  nssPKIXX121Address_Encode
+ *
+ */
+
+/*
+ * nssPKIXX121Address_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX121Address upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX121Address *
+nssPKIXX121Address_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXX121Address_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX121Address upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXX121Address *
+nssPKIXX121Address_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXX121Address_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_X121_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXX121Address_Encode
+(
+  NSSPKIXX121Address *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NetworkAddress
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  NetworkAddress ::= X121Address  -- see also extended-network-address
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXNetworkAddress_Decode
+ *  nssPKIXNetworkAddress_CreateFromUTF8
+ *  nssPKIXNetworkAddress_Encode
+ *
+ */
+
+/*
+ * nssPKIXNetworkAddress_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXNetworkAddress upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNetworkAddress *
+nssPKIXNetworkAddress_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXNetworkAddress_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXNetworkAddress upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNetworkAddress *
+nssPKIXNetworkAddress_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXNetworkAddress_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NETWORK_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXNetworkAddress_Encode
+(
+  NSSPKIXNetworkAddress *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * TerminalIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TerminalIdentifier ::= PrintableString (SIZE (1..ub-terminal-id-length))
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXTerminalIdentifier_Decode
+ *  nssPKIXTerminalIdentifier_CreateFromUTF8
+ *  nssPKIXTerminalIdentifier_Encode
+ *
+ */
+
+/*
+ * nssPKIXTerminalIdentifier_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXTerminalIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTerminalIdentifier *
+nssPKIXTerminalIdentifier_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXTerminalIdentifier_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXTerminalIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTerminalIdentifier *
+nssPKIXTerminalIdentifier_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXTerminalIdentifier_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TERMINAL_IDENTIFIER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXTerminalIdentifier_Encode
+(
+  NSSPKIXTerminalIdentifier *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * PrivateDomainName
+ *
+ * -- fgmr comments -- 
+ *
+ *  PrivateDomainName ::= CHOICE {
+ *     numeric NumericString (SIZE (1..ub-domain-name-length)),
+ *     printable PrintableString (SIZE (1..ub-domain-name-length)) }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXPrivateDomainName_Decode
+ *  nssPKIXPrivateDomainName_CreateFromUTF8
+ *  nssPKIXPrivateDomainName_Encode
+ *
+ */
+
+/*
+ * nssPKIXPrivateDomainName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPrivateDomainName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPrivateDomainName *
+nssPKIXPrivateDomainName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXPrivateDomainName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPrivateDomainName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPrivateDomainName *
+nssPKIXPrivateDomainName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXPrivateDomainName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_DOMAIN_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXPrivateDomainName_Encode
+(
+  NSSPKIXPrivateDomainName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * OrganizationName
+ *
+ * -- fgmr comments --
+ *
+ *  OrganizationName ::= PrintableString
+ *                              (SIZE (1..ub-organization-name-length))
+ * 
+ * The private calls for this type:
+ *
+ *  nssPKIXOrganizationName_Decode
+ *  nssPKIXOrganizationName_CreateFromUTF8
+ *  nssPKIXOrganizationName_Encode
+ *
+ */
+
+/*
+ * nssPKIXOrganizationName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXOrganizationName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXOrganizationName *
+nssPKIXOrganizationName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXOrganizationName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXOrganizationName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXOrganizationName *
+nssPKIXOrganizationName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXOrganizationName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATION_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXOrganizationName_Encode
+(
+  NSSPKIXOrganizationName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * NumericUserIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  NumericUserIdentifier ::= NumericString
+ *                              (SIZE (1..ub-numeric-user-id-length))
+ * 
+ * The private calls for this type:
+ *
+ *  nssPKIXNumericUserIdentifier_Decode
+ *  nssPKIXNumericUserIdentifier_CreateFromUTF8
+ *  nssPKIXNumericUserIdentifier_Encode
+ *
+ */
+
+/*
+ * nssPKIXNumericUserIdentifier_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXNumericUserIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNumericUserIdentifier *
+nssPKIXNumericUserIdentifier_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXNumericUserIdentifier_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_UTF8
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXNumericUserIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNumericUserIdentifier *
+nssPKIXNumericUserIdentifier_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXNumericUserIdentifier_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NUMERIC_USER_IDENTIFIER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXNumericUserIdentifier_Encode
+(
+  NSSPKIXNumericUserIdentifier *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * PersonalName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PersonalName ::= SET {
+ *     surname [0] PrintableString (SIZE (1..ub-surname-length)),
+ *     given-name [1] PrintableString
+ *                          (SIZE (1..ub-given-name-length)) OPTIONAL,
+ *     initials [2] PrintableString (SIZE (1..ub-initials-length)) OPTIONAL,
+ *     generation-qualifier [3] PrintableString
+ *                  (SIZE (1..ub-generation-qualifier-length)) OPTIONAL }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXPersonalName_Decode
+ *  nssPKIXPersonalName_Create
+ *  nssPKIXPersonalName_Destroy
+ *  nssPKIXPersonalName_Encode
+ *  nssPKIXPersonalName_GetSurname
+ *  nssPKIXPersonalName_SetSurname
+ *  nssPKIXPersonalName_HasGivenName
+ *  nssPKIXPersonalName_GetGivenName
+ *  nssPKIXPersonalName_SetGivenName
+ *  nssPKIXPersonalName_RemoveGivenName
+ *  nssPKIXPersonalName_HasInitials
+ *  nssPKIXPersonalName_GetInitials
+ *  nssPKIXPersonalName_SetInitials
+ *  nssPKIXPersonalName_RemoveInitials
+ *  nssPKIXPersonalName_HasGenerationQualifier
+ *  nssPKIXPersonalName_GetGenerationQualifier
+ *  nssPKIXPersonalName_SetGenerationQualifier
+ *  nssPKIXPersonalName_RemoveGenerationQualifier
+ *  nssPKIXPersonalName_Equal
+ *  nssPKIXPersonalName_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXPersonalName_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXPersonalName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPersonalName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPersonalName *
+nssPKIXPersonalName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXPersonalName_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPersonalName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPersonalName *
+nssPKIXPersonalName_Create
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *surname,
+  NSSUTF8 *givenNameOpt,
+  NSSUTF8 *initialsOpt,
+  NSSUTF8 *generationQualifierOpt
+);
+
+/*
+ * nssPKIXPersonalName_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPersonalName_Destroy
+(
+  NSSPKIXPersonalName *personalName
+);
+
+/*
+ * nssPKIXPersonalName_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXPersonalName_Encode
+(
+  NSSPKIXPersonalName *personalName,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXPersonalName_GetSurname
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXPersonalName_GetSurname
+(
+  NSSPKIXPersonalName *personalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXPersonalName_SetSurname
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPersonalName_SetSurname
+(
+  NSSPKIXPersonalName *personalName,
+  NSSUTF8 *surname
+);
+
+/*
+ * nssPKIXPersonalName_HasGivenName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXPersonalName_HasGivenName
+(
+  NSSPKIXPersonalName *personalName,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXPersonalName_GetGivenName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_HAS_NO_GIVEN_NAME
+ *
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXPersonalName_GetGivenName
+(
+  NSSPKIXPersonalName *personalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXPersonalName_SetGivenName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPersonalName_SetGivenName
+(
+  NSSPKIXPersonalName *personalName,
+  NSSUTF8 *givenName
+);
+
+/*
+ * nssPKIXPersonalName_RemoveGivenName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *  NSS_ERROR_HAS_NO_GIVEN_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPersonalName_RemoveGivenName
+(
+  NSSPKIXPersonalName *personalName
+);
+
+/*
+ * nssPKIXPersonalName_HasInitials
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXPersonalName_HasInitials
+(
+  NSSPKIXPersonalName *personalName,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXPersonalName_GetInitials
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXPersonalName_GetInitials
+(
+  NSSPKIXPersonalName *personalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXPersonalName_SetInitials
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPersonalName_SetInitials
+(
+  NSSPKIXPersonalName *personalName,
+  NSSUTF8 *initials
+);
+
+/*
+ * nssPKIXPersonalName_RemoveInitials
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPersonalName_RemoveInitials
+(
+  NSSPKIXPersonalName *personalName
+);
+
+/*
+ * nssPKIXPersonalName_HasGenerationQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXPersonalName_HasGenerationQualifier
+(
+  NSSPKIXPersonalName *personalName,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXPersonalName_GetGenerationQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXPersonalName_GetGenerationQualifier
+(
+  NSSPKIXPersonalName *personalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXPersonalName_SetGenerationQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPersonalName_SetGenerationQualifier
+(
+  NSSPKIXPersonalName *personalName,
+  NSSUTF8 *generationQualifier
+);
+
+/*
+ * nssPKIXPersonalName_RemoveGenerationQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPersonalName_RemoveGenerationQualifier
+(
+  NSSPKIXPersonalName *personalName
+);
+
+/*
+ * nssPKIXPersonalName_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXPersonalName_Equal
+(
+  NSSPKIXPersonalName *personalName1,
+  NSSPKIXPersonalName *personalName2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXPersonalName_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPersonalName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPersonalName *
+nssPKIXPersonalName_Duplicate
+(
+  NSSPKIXPersonalName *personalName,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXPersonalName_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXPersonalName
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPersonalName_verifyPointer
+(
+  NSSPKIXPersonalName *p
+);
+#endif /* DEBUG */
+
+/*
+ * OrganizationalUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
+ *                                          OF OrganizationalUnitName
+ * 
+ * The private calls for the type:
+ *
+ *  nssPKIXOrganizationalUnitNames_Decode
+ *  nssPKIXOrganizationalUnitNames_Create
+ *  nssPKIXOrganizationalUnitNames_Destroy
+ *  nssPKIXOrganizationalUnitNames_Encode
+ *  nssPKIXOrganizationalUnitNames_GetOrganizationalUnitNameCount
+ *  nssPKIXOrganizationalUnitNames_GetOrganizationalUnitNames
+ *  nssPKIXOrganizationalUnitNames_SetOrganizationalUnitNames
+ *  nssPKIXOrganizationalUnitNames_GetOrganizationalUnitName
+ *  nssPKIXOrganizationalUnitNames_SetOrganizationalUnitName
+ *  nssPKIXOrganizationalUnitNames_InsertOrganizationalUnitName
+ *  nssPKIXOrganizationalUnitNames_AppendOrganizationalUnitName
+ *  nssPKIXOrganizationalUnitNames_RemoveOrganizationalUnitName
+ *  nssPKIXOrganizationalUnitNames_FindOrganizationalUnitName
+ *  nssPKIXOrganizationalUnitNames_Equal
+ *  nssPKIXOrganizationalUnitNames_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXOrganizationalUnitNames_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXOrganizationalUnitNames_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXOrganizationalUnitNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXOrganizationalUnitNames *
+nssPKIXOrganizationalUnitNames_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXOrganizationalUnitNames_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXOrganizationalUnitNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXOrganizationalUnitNames *
+nssPKIXOrganizationalUnitNames_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXOrganizationalUnitName *ou1,
+  ...
+);
+
+/*
+ * nssPKIXOrganizationalUnitNames_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXOrganizationalUnitNames_Destroy
+(
+  NSSPKIXOrganizationalUnitNames *ous
+);
+
+/*
+ * nssPKIXOrganizationalUnitNames_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXOrganizationalUnitNames_Encode
+(
+  NSSPKIXOrganizationalUnitNames *ous,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXOrganizationalUnitNames_GetOrganizationalUnitNameCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXOrganizationalUnitNames_GetOrganizationalUnitNameCount
+(
+  NSSPKIXOrganizationalUnitNames *ous
+);
+
+/*
+ * nssPKIXOrganizationalUnitNames_GetOrganizationalUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXOrganizationalUnitName
+ *      pointers upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXOrganizationalUnitName **
+nssPKIXOrganizationalUnitNames_GetOrganizationalUnitNames
+(
+  NSSPKIXOrganizationalUnitNames *ous,
+  NSSPKIXOrganizationalUnitName *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXOrganizationalUnitNames_SetOrganizationalUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXOrganizationalUnitNames_SetOrganizationalUnitNames
+(
+  NSSPKIXOrganizationalUnitNames *ous,
+  NSSPKIXOrganizationalUnitName *ou[],
+  PRInt32 count
+);
+
+/*
+ * nssPKIXOrganizationalUnitNames_GetOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXOrganizationalUnitName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXOrganizationalUnitName *
+nssPKIXOrganizationalUnitNames_GetOrganizationalUnitName
+(
+  NSSPKIXOrganizationalUnitNames *ous,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXOrganizationalUnitNames_SetOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXOrganizationalUnitNames_SetOrganizationalUnitName
+(
+  NSSPKIXOrganizationalUnitNames *ous,
+  PRInt32 i,
+  NSSPKIXOrganizationalUnitName *ou
+);
+
+/*
+ * nssPKIXOrganizationalUnitNames_InsertOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXOrganizationalUnitNames_InsertOrganizationalUnitName
+(
+  NSSPKIXOrganizationalUnitNames *ous,
+  PRInt32 i,
+  NSSPKIXOrganizationalUnitName *ou
+);
+
+/*
+ * nssPKIXOrganizationalUnitNames_AppendOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXOrganizationalUnitNames_AppendOrganizationalUnitName
+(
+  NSSPKIXOrganizationalUnitNames *ous,
+  NSSPKIXOrganizationalUnitName *ou
+);
+
+/*
+ * nssPKIXOrganizationalUnitNames_RemoveOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXOrganizationalUnitNames_RemoveOrganizationalUnitName
+(
+  NSSPKIXOrganizationalUnitNames *ous,
+  PRInt32 i
+);
+
+/*
+ * nssPKIXOrganizationalUnitNames_FindOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
+ *
+ * Return value:
+ *  The index of the specified revoked certificate upon success
+ *  -1 upon failure
+ */
+
+NSS_EXTERN PRIntn
+nssPKIXOrganizationalUnitNames_FindOrganizationalUnitName
+(
+  NSSPKIXOrganizationalUnitNames *ous,
+  NSSPKIXOrganizationalUnitName *ou
+);
+
+/*
+ * nssPKIXOrganizationalUnitNames_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXOrganizationalUnitNames_Equal
+(
+  NSSPKIXOrganizationalUnitNames *ous1,
+  NSSPKIXOrganizationalUnitNames *ous2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXOrganizationalUnitNames_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXOrganizationalUnitNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXOrganizationalUnitNames *
+nssPKIXOrganizationalUnitNames_Duplicate
+(
+  NSSPKIXOrganizationalUnitNames *ous,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXOrganizationalUnitNames_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXOrganizationalUnitNames
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAMES
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXOrganizationalUnitNames_verifyPointer
+(
+  NSSPKIXOrganizationalUnitNames *p
+);
+#endif /* DEBUG */
+
+/*
+ * OrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  OrganizationalUnitName ::= PrintableString (SIZE
+ *                          (1..ub-organizational-unit-name-length))
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXOrganizationalUnitName_Decode
+ *  nssPKIXOrganizationalUnitName_CreateFromUTF8
+ *  nssPKIXOrganizationalUnitName_Encode
+ *
+ */
+
+/*
+ * nssPKIXOrganizationalUnitName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXOrganizationalUnitName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXOrganizationalUnitName *
+nssPKIXOrganizationalUnitName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXOrganizationalUnitName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXOrganizationalUnitName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXOrganizationalUnitName *
+nssPKIXOrganizationalUnitName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXOrganizationalUnitName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ORGANIZATIONAL_UNIT_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXOrganizationalUnitName_Encode
+(
+  NSSPKIXOrganizationalUnitName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * BuiltInDomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
+ *                                  (1..ub-domain-defined-attributes) OF
+ *                                  BuiltInDomainDefinedAttribute
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXBuiltInDomainDefinedAttributes_Decode
+ *  nssPKIXBuiltInDomainDefinedAttributes_Create
+ *  nssPKIXBuiltInDomainDefinedAttributes_Destroy
+ *  nssPKIXBuiltInDomainDefinedAttributes_Encode
+ *  nssPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributeCount
+ *  nssPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributes
+ *  nssPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttributes
+ *  nssPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttribute
+ *  nssPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttribute
+ *  nssPKIXBuiltInDomainDefinedAttributes_InsertBuiltIndomainDefinedAttribute
+ *  nssPKIXBuiltInDomainDefinedAttributes_AppendBuiltIndomainDefinedAttribute
+ *  nssPKIXBuiltInDomainDefinedAttributes_RemoveBuiltIndomainDefinedAttribute
+ *  nssPKIXBuiltInDomainDefinedAttributes_Equal
+ *  nssPKIXBuiltInDomainDefinedAttributes_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXBuiltInDomainDefinedAttributes_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttributes_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInDomainDefinedAttributes
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttributes *
+nssPKIXBuiltInDomainDefinedAttributes_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttributes_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInDomainDefinedAttributes
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttributes *
+nssPKIXBuiltInDomainDefinedAttributes_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda1,
+  ...
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttributes_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInDomainDefinedAttributes_Destroy
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttributes_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXBuiltInDomainDefinedAttributes_Encode
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributeCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributeCount
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ * 
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXBuiltInDomainDefinedAttribute
+ *      pointers upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttribute **
+nssPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttributes
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas,
+  NSSPKIXBuiltInDomainDefinedAttribut *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttributes
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas,
+  NSSPKIXBuiltInDomainDefinedAttribut *bidda[],
+  PRInt32 count
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInDomainDefinedAttribute
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttribute *
+nssPKIXBuiltInDomainDefinedAttributes_GetBuiltIndomainDefinedAttribute
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInDomainDefinedAttributes_SetBuiltIndomainDefinedAttribute
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas,
+  PRInt32 i,
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttributes_InsertBuiltIndomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInDomainDefinedAttributes_InsertBuiltIndomainDefinedAttribute
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas,
+  PRInt32 i,
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttributes_AppendBuiltIndomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInDomainDefinedAttributes_AppendBuiltIndomainDefinedAttribute
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas,
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttributes_RemoveBuiltIndomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInDomainDefinedAttributes_RemoveBuiltIndomainDefinedAttribute
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas,
+  PRInt32 i
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttributes_FindBuiltIndomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ * 
+ * Return value:
+ *  The index of the specified revoked certificate upon success
+ *  -1 upon failure
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXBuiltInDomainDefinedAttributes_FindBuiltIndomainDefinedAttribute
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas,
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttributes_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXBuiltInDomainDefinedAttributes_Equal
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas1,
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttributes_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInDomainDefinedAttributes
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttributes *
+nssPKIXBuiltInDomainDefinedAttributes_Duplicate
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *biddas,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXBuiltInDomainDefinedAttributes_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXBuiltInDomainDefinedAttributes
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInDomainDefinedAttributes_verifyPointer
+(
+  NSSPKIXBuiltInDomainDefinedAttributes *p
+);
+#endif /* DEBUG */
+
+/*
+ * BuiltInDomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  BuiltInDomainDefinedAttribute ::= SEQUENCE {
+ *     type PrintableString (SIZE
+ *                          (1..ub-domain-defined-attribute-type-length)),
+ *     value PrintableString (SIZE
+ *                          (1..ub-domain-defined-attribute-value-length))}
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXBuiltInDomainDefinedAttribute_Decode
+ *  nssPKIXBuiltInDomainDefinedAttribute_Create
+ *  nssPKIXBuiltInDomainDefinedAttribute_Destroy
+ *  nssPKIXBuiltInDomainDefinedAttribute_Encode
+ *  nssPKIXBuiltInDomainDefinedAttribute_GetType
+ *  nssPKIXBuiltInDomainDefinedAttribute_SetType
+ *  nssPKIXBuiltInDomainDefinedAttribute_GetValue
+ *  nssPKIXBuiltInDomainDefinedAttribute_SetValue
+ *  nssPKIXBuiltInDomainDefinedAttribute_Equal
+ *  nssPKIXBuiltInDomainDefinedAttribute_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXBuiltInDomainDefinedAttribute_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttribute_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInDomainDefinedAttribute
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttribute *
+nssPKIXBuiltInDomainDefinedAttribute_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttribute_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInDomainDefinedAttribute
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttribute *
+nssPKIXBuiltInDomainDefinedAttribute_Create
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *type,
+  NSSUTF8 *value
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttribute_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInDomainDefinedAttribute_Destroy
+(
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttribute_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXBuiltInDomainDefinedAttribute_Encode
+(
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttribute_GetType
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXBuiltInDomainDefinedAttribute_GetType
+(
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttribute_SetType
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInDomainDefinedAttribute_SetType
+(
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda,
+  NSSUTF8 *type
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttribute_GetValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXBuiltInDomainDefinedAttribute_GetValue
+(
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttribute_SetValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInDomainDefinedAttribute_SetValue
+(
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda,
+  NSSUTF8 *value
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttribute_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXBuiltInDomainDefinedAttribute_Equal
+(
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda1,
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXBuiltInDomainDefinedAttribute_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXBuiltInDomainDefinedAttribute
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBuiltInDomainDefinedAttribute *
+nssPKIXBuiltInDomainDefinedAttribute_Duplicate
+(
+  NSSPKIXBuiltInDomainDefinedAttribute *bidda,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXBuiltInDomainDefinedAttribute_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXBuiltInDomainDefinedAttribute
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BUILT_IN_DOMAIN_DEFINED_ATTRIBUTE
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBuiltInDomainDefinedAttribute_verifyPointer
+(
+  NSSPKIXBuiltInDomainDefinedAttribute *p
+);
+#endif /* DEBUG */
+
+/*
+ * ExtensionAttributes
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
+ *                          ExtensionAttribute
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXExtensionAttributes_Decode
+ *  nssPKIXExtensionAttributes_Create
+ *  nssPKIXExtensionAttributes_Destroy
+ *  nssPKIXExtensionAttributes_Encode
+ *  nssPKIXExtensionAttributes_GetExtensionAttributeCount
+ *  nssPKIXExtensionAttributes_GetExtensionAttributes
+ *  nssPKIXExtensionAttributes_SetExtensionAttributes
+ *  nssPKIXExtensionAttributes_GetExtensionAttribute
+ *  nssPKIXExtensionAttributes_SetExtensionAttribute
+ *  nssPKIXExtensionAttributes_InsertExtensionAttribute
+ *  nssPKIXExtensionAttributes_AppendExtensionAttribute
+ *  nssPKIXExtensionAttributes_RemoveExtensionAttribute
+ *  nssPKIXExtensionAttributes_FindExtensionAttribute
+ *  nssPKIXExtensionAttributes_Equal
+ *  nssPKIXExtensionAttributes_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXExtensionAttributes_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXExtensionAttributes_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtensionAttributes upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensionAttributes *
+nssPKIXExtensionAttributes_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXExtensionAttributes_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtensionAttributes upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensionAttributes *
+nssPKIXExtensionAttributes_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXExtensionAttribute ea1,
+  ...
+);
+
+/*
+ * nssPKIXExtensionAttributes_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtensionAttributes_Destroy
+(
+  NSSPKIXExtensionAttributes *eas
+);
+
+/*
+ * nssPKIXExtensionAttributes_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXExtensionAttributes_Encode
+(
+  NSSPKIXExtensionAttributes *eas
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXExtensionAttributes_GetExtensionAttributeCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXExtensionAttributes_GetExtensionAttributeCount
+(
+  NSSPKIXExtensionAttributes *eas
+);
+
+/*
+ * nssPKIXExtensionAttributes_GetExtensionAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ * 
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXExtensionAttribute pointers
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensionAttribute **
+nssPKIXExtensionAttributes_GetExtensionAttributes
+(
+  NSSPKIXExtensionAttributes *eas,
+  NSSPKIXExtensionAttribute *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXExtensionAttributes_SetExtensionAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ *  NSS_ERROR_INVALID_POINTER
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtensionAttributes_SetExtensionAttributes
+(
+  NSSPKIXExtensionAttributes *eas,
+  NSSPKIXExtensionAttribute *ea[],
+  PRInt32 count
+);
+
+/*
+ * nssPKIXExtensionAttributes_GetExtensionAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtensionAttribute upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensionAttribute *
+nssPKIXExtensionAttributes_GetExtensionAttribute
+(
+  NSSPKIXExtensionAttributes *eas,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXExtensionAttributes_SetExtensionAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtensionAttributes_SetExtensionAttribute
+(
+  NSSPKIXExtensionAttributes *eas,
+  PRInt32 i,
+  NSSPKIXExtensionAttribute *ea
+);
+
+/*
+ * nssPKIXExtensionAttributes_InsertExtensionAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtensionAttributes_InsertExtensionAttribute
+(
+  NSSPKIXExtensionAttributes *eas,
+  PRInt32 i,
+  NSSPKIXExtensionAttribute *ea
+);
+
+/*
+ * nssPKIXExtensionAttributes_AppendExtensionAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtensionAttributes_AppendExtensionAttribute
+(
+  NSSPKIXExtensionAttributes *eas,
+  NSSPKIXExtensionAttribute *ea
+);
+
+/*
+ * nssPKIXExtensionAttributes_RemoveExtensionAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtensionAttributes_RemoveExtensionAttribute
+(
+  NSSPKIXExtensionAttributes *eas,
+  PRInt32 i,
+);
+
+/*
+ * nssPKIXExtensionAttributes_FindExtensionAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ * 
+ * Return value:
+ *  A nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXExtensionAttributes_FindExtensionAttribute
+(
+  NSSPKIXExtensionAttributes *eas,
+  NSSPKIXExtensionAttribute *ea
+);
+
+/*
+ * nssPKIXExtensionAttributes_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXExtensionAttributes_Equal
+(
+  NSSPKIXExtensionAttributes *eas1,
+  NSSPKIXExtensionAttributes *eas2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXExtensionAttributes_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtensionAttributes upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensionAttributes *
+nssPKIXExtensionAttributes_Duplicate
+(
+  NSSPKIXExtensionAttributes *eas,
+  NSSArena *arenaOpt
+);
+
+/*
+ * fgmr
+ * There should be accessors to search the ExtensionAttributes and
+ * return the value for a specific value, etc.
+ */
+
+#ifdef DEBUG
+/*
+ * nssPKIXExtensionAttributes_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXExtensionAttributes
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtensionAttributes_verifyPointer
+(
+  NSSPKIXExtensionAttributes *p
+);
+#endif /* DEBUG */
+
+/*
+ * ExtensionAttribute
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ExtensionAttribute ::=  SEQUENCE {
+ *     extension-attribute-type [0] INTEGER (0..ub-extension-attributes),
+ *     extension-attribute-value [1]
+ *                          ANY DEFINED BY extension-attribute-type }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXExtensionAttribute_Decode
+ *  nssPKIXExtensionAttribute_Create
+ *  nssPKIXExtensionAttribute_Destroy
+ *  nssPKIXExtensionAttribute_Encode
+ *  nssPKIXExtensionAttribute_GetExtensionsAttributeType
+ *  nssPKIXExtensionAttribute_SetExtensionsAttributeType
+ *  nssPKIXExtensionAttribute_GetExtensionsAttributeValue
+ *  nssPKIXExtensionAttribute_SetExtensionsAttributeValue
+ *  nssPKIXExtensionAttribute_Equal
+ *  nssPKIXExtensionAttribute_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXExtensionAttribute_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXExtensionAttribute_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtensionAttribute upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensionAttribute *
+nssPKIXExtensionAttribute_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXExtensionAttribute_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE_TYPE
+ *  NSS_ERROR_INVALID_POINTER
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtensionAttribute upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensionAttribute *
+nssPKIXExtensionAttribute_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXExtensionAttributeType type,
+  NSSItem *value
+);
+
+/*
+ * nssPKIXExtensionAttribute_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtensionAttribute_Destroy
+(
+  NSSPKIXExtensionAttribute *ea
+);
+
+/*
+ * nssPKIXExtensionAttribute_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXExtensionAttribute_Encode
+(
+  NSSPKIXExtensionAttribute *ea,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXExtensionAttribute_GetExtensionsAttributeType
+ *
+ * -- fgmr comments --
+ * {One of these objects created from BER generated by a program
+ * adhering to a later version of the PKIX standards might have
+ * a value not mentioned in the enumeration definition.  This isn't
+ * a bug.}
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ * 
+ * Return value:
+ *  A member of the NSSPKIXExtensionAttributeType enumeration
+ *      upon success
+ *  NSSPKIXExtensionAttributeType_NSSinvalid upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensionAttributeType
+nssPKIXExtensionAttribute_GetExtensionsAttributeType
+(
+  NSSPKIXExtensionAttribute *ea
+);
+
+/*
+ * nssPKIXExtensionAttribute_SetExtensionsAttributeType
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtensionAttribute_SetExtensionsAttributeType
+(
+  NSSPKIXExtensionAttribute *ea,
+  NSSPKIXExtensionAttributeType type
+);
+
+/*
+ * nssPKIXExtensionAttribute_GetExtensionsAttributeValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSItem *
+nssPKIXExtensionAttribute_GetExtensionsAttributeValue
+(
+  NSSPKIXExtensionAttribute *ea,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXExtensionAttribute_SetExtensionsAttributeValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtensionAttribute_SetExtensionsAttributeValue
+(
+  NSSPKIXExtensionAttribute *ea,
+  NSSItem *value
+);
+
+/*
+ * nssPKIXExtensionAttribute_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXExtensionAttribute_Equal
+(
+  NSSPKIXExtensionAttribute *ea1,
+  NSSPKIXExtensionAttribute *ea2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXExtensionAttribute_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtensionAttribute upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtensionAttribute *
+nssPKIXExtensionAttribute_Duplicate
+(
+  NSSPKIXExtensionAttribute *ea,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXExtensionAttribute_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXExtensionAttribute
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENSION_ATTRIBUTE
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtensionAttribute_verifyPointer
+(
+  NSSPKIXExtensionAttribute *p
+);
+#endif /* DEBUG */
+
+/*
+ * CommonName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CommonName ::= PrintableString (SIZE (1..ub-common-name-length))
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXCommonName_Decode
+ *  nssPKIXCommonName_CreateFromUTF8
+ *  nssPKIXCommonName_Encode
+ *
+ */
+
+/*
+ * nssPKIXCommonName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCommonName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCommonName *
+nssPKIXCommonName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXCommonName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCommonName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCommonName *
+nssPKIXCommonName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXCommonName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_COMMON_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXCommonName_Encode
+(
+  NSSPKIXCommonName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * TeletexCommonName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexCommonName ::= TeletexString (SIZE (1..ub-common-name-length))
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXTeletexCommonName_Decode
+ *  nssPKIXTeletexCommonName_CreateFromUTF8
+ *  nssPKIXTeletexCommonName_Encode
+ *
+ */
+
+/*
+ * nssPKIXTeletexCommonName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexCommonName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexCommonName *
+nssPKIXTeletexCommonName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXTeletexCommonName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexCommonName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexCommonName *
+nssPKIXTeletexCommonName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXTeletexCommonName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_COMMON_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXTeletexCommonName_Encode
+(
+  NSSPKIXTeletexCommonName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * TeletexOrganizationName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexOrganizationName ::=
+ *                  TeletexString (SIZE (1..ub-organization-name-length))
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXTeletexOrganizationName_Decode
+ *  nssPKIXTeletexOrganizationName_CreateFromUTF8
+ *  nssPKIXTeletexOrganizationName_Encode
+ *
+ */
+
+/*
+ * nssPKIXTeletexOrganizationName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexOrganizationName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexOrganizationName *
+nssPKIXTeletexOrganizationName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXTeletexOrganizationName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexOrganizationName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexOrganizationName *
+nssPKIXTeletexOrganizationName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXTeletexOrganizationName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATION_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXTeletexOrganizationName_Encode
+(
+  NSSPKIXTeletexOrganizationName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * TeletexPersonalName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexPersonalName ::= SET {
+ *     surname [0] TeletexString (SIZE (1..ub-surname-length)),
+ *     given-name [1] TeletexString
+ *                  (SIZE (1..ub-given-name-length)) OPTIONAL,
+ *     initials [2] TeletexString (SIZE (1..ub-initials-length)) OPTIONAL,
+ *     generation-qualifier [3] TeletexString (SIZE
+ *                  (1..ub-generation-qualifier-length)) OPTIONAL }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXTeletexPersonalName_Decode
+ *  nssPKIXTeletexPersonalName_Create
+ *  nssPKIXTeletexPersonalName_Destroy
+ *  nssPKIXTeletexPersonalName_Encode
+ *  nssPKIXTeletexPersonalName_GetSurname
+ *  nssPKIXTeletexPersonalName_SetSurname
+ *  nssPKIXTeletexPersonalName_HasGivenName
+ *  nssPKIXTeletexPersonalName_GetGivenName
+ *  nssPKIXTeletexPersonalName_SetGivenName
+ *  nssPKIXTeletexPersonalName_RemoveGivenName
+ *  nssPKIXTeletexPersonalName_HasInitials
+ *  nssPKIXTeletexPersonalName_GetInitials
+ *  nssPKIXTeletexPersonalName_SetInitials
+ *  nssPKIXTeletexPersonalName_RemoveInitials
+ *  nssPKIXTeletexPersonalName_HasGenerationQualifier
+ *  nssPKIXTeletexPersonalName_GetGenerationQualifier
+ *  nssPKIXTeletexPersonalName_SetGenerationQualifier
+ *  nssPKIXTeletexPersonalName_RemoveGenerationQualifier
+ *  nssPKIXTeletexPersonalName_Equal
+ *  nssPKIXTeletexPersonalName_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXTeletexPersonalName_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXTeletexPersonalName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexPersonalName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexPersonalName *
+nssPKIXTeletexPersonalName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXTeletexPersonalName_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexPersonalName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexPersonalName *
+nssPKIXTeletexPersonalName_Create
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *surname,
+  NSSUTF8 *givenNameOpt,
+  NSSUTF8 *initialsOpt,
+  NSSUTF8 *generationQualifierOpt
+);
+
+/*
+ * nssPKIXTeletexPersonalName_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexPersonalName_Destroy
+(
+  NSSPKIXTeletexPersonalName *personalName
+);
+
+/*
+ * nssPKIXTeletexPersonalName_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXTeletexPersonalName_Encode
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTeletexPersonalName_GetSurname
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXTeletexPersonalName_GetSurname
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTeletexPersonalName_SetSurname
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexPersonalName_SetSurname
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  NSSUTF8 *surname
+);
+
+/*
+ * nssPKIXTeletexPersonalName_HasGivenName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXTeletexPersonalName_HasGivenName
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXTeletexPersonalName_GetGivenName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXTeletexPersonalName_GetGivenName
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTeletexPersonalName_SetGivenName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexPersonalName_SetGivenName
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  NSSUTF8 *givenName
+);
+
+/*
+ * nssPKIXTeletexPersonalName_RemoveGivenName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexPersonalName_RemoveGivenName
+(
+  NSSPKIXTeletexPersonalName *personalName
+);
+
+/*
+ * nssPKIXTeletexPersonalName_HasInitials
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXTeletexPersonalName_HasInitials
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXTeletexPersonalName_GetInitials
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXTeletexPersonalName_GetInitials
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTeletexPersonalName_SetInitials
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexPersonalName_SetInitials
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  NSSUTF8 *initials
+);
+
+/*
+ * nssPKIXTeletexPersonalName_RemoveInitials
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexPersonalName_RemoveInitials
+(
+  NSSPKIXTeletexPersonalName *personalName
+);
+
+/*
+ * nssPKIXTeletexPersonalName_HasGenerationQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXTeletexPersonalName_HasGenerationQualifier
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXTeletexPersonalName_GetGenerationQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXTeletexPersonalName_GetGenerationQualifier
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTeletexPersonalName_SetGenerationQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexPersonalName_SetGenerationQualifier
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  NSSUTF8 *generationQualifier
+);
+
+/*
+ * nssPKIXTeletexPersonalName_RemoveGenerationQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexPersonalName_RemoveGenerationQualifier
+(
+  NSSPKIXTeletexPersonalName *personalName
+);
+
+/*
+ * nssPKIXTeletexPersonalName_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXTeletexPersonalName_Equal
+(
+  NSSPKIXTeletexPersonalName *personalName1,
+  NSSPKIXTeletexPersonalName *personalName2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXTeletexPersonalName_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexPersonalName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexPersonalName *
+nssPKIXTeletexPersonalName_Duplicate
+(
+  NSSPKIXTeletexPersonalName *personalName,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXTeletexPersonalName_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXTeletexPersonalName
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_PERSONAL_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexPersonalName_verifyPointer
+(
+  NSSPKIXTeletexPersonalName *p
+);
+#endif /* DEBUG */
+
+/*
+ * TeletexOrganizationalUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexOrganizationalUnitNames ::= SEQUENCE SIZE
+ *          (1..ub-organizational-units) OF TeletexOrganizationalUnitName
+ *
+ * The private calls for the type:
+ *
+ *  nssPKIXTeletexOrganizationalUnitNames_Decode
+ *  nssPKIXTeletexOrganizationalUnitNames_Create
+ *  nssPKIXTeletexOrganizationalUnitNames_Destroy
+ *  nssPKIXTeletexOrganizationalUnitNames_Encode
+ *  nssPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNameCount
+ *  nssPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNames
+ *  nssPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitNames
+ *  nssPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitName
+ *  nssPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitName
+ *  nssPKIXTeletexOrganizationalUnitNames_InsertTeletexOrganizationalUnitName
+ *  nssPKIXTeletexOrganizationalUnitNames_AppendTeletexOrganizationalUnitName
+ *  nssPKIXTeletexOrganizationalUnitNames_RemoveTeletexOrganizationalUnitName
+ *  nssPKIXTeletexOrganizationalUnitNames_FindTeletexOrganizationalUnitName
+ *  nssPKIXTeletexOrganizationalUnitNames_Equal
+ *  nssPKIXTeletexOrganizationalUnitNames_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXTeletexOrganizationalUnitNames_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXTeletexOrganizationalUnitNames_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexOrganizationalUnitNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexOrganizationalUnitNames *
+nssPKIXTeletexOrganizationalUnitNames_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXTeletexOrganizationalUnitNames_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexOrganizationalUnitNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexOrganizationalUnitNames *
+nssPKIXTeletexOrganizationalUnitNames_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXTeletexOrganizationalUnitName *ou1,
+  ...
+);
+
+/*
+ * nssPKIXTeletexOrganizationalUnitNames_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexOrganizationalUnitNames_Destroy
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous
+);
+
+/*
+ * nssPKIXTeletexOrganizationalUnitNames_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXTeletexOrganizationalUnitNames_Encode
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNameCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNameCount
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous
+);
+
+/*
+ * nssPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXTeletexOrganizationalUnitName
+ *      pointers upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexOrganizationalUnitName **
+nssPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitNames
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous,
+  NSSPKIXTeletexOrganizationalUnitName *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitNames
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous,
+  NSSPKIXTeletexOrganizationalUnitName *ou[],
+  PRInt32 count
+);
+
+/*
+ * nssPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexOrganizationalUnitName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexOrganizationalUnitName *
+nssPKIXTeletexOrganizationalUnitNames_GetTeletexOrganizationalUnitName
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexOrganizationalUnitNames_SetTeletexOrganizationalUnitName
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous,
+  PRInt32 i,
+  NSSPKIXTeletexOrganizationalUnitName *ou
+);
+
+/*
+ * nssPKIXTeletexOrganizationalUnitNames_InsertTeletexOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexOrganizationalUnitNames_InsertTeletexOrganizationalUnitName
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous,
+  PRInt32 i,
+  NSSPKIXTeletexOrganizationalUnitName *ou
+);
+
+/*
+ * nssPKIXTeletexOrganizationalUnitNames_AppendTeletexOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexOrganizationalUnitNames_AppendTeletexOrganizationalUnitName
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous,
+  NSSPKIXTeletexOrganizationalUnitName *ou
+);
+
+/*
+ * nssPKIXTeletexOrganizationalUnitNames_RemoveTeletexOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexOrganizationalUnitNames_RemoveTeletexOrganizationalUnitName
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous,
+  PRInt32 i
+);
+
+/*
+ * nssPKIXTeletexOrganizationalUnitNames_FindTeletexOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
+ *
+ * Return value:
+ *  The index of the specified revoked certificate upon success
+ *  -1 upon failure
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXTeletexOrganizationalUnitNames_FindTeletexOrganizationalUnitName
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous,
+  NSSPKIXTeletexOrganizationalUnitName *ou
+);
+
+/*
+ * nssPKIXTeletexOrganizationalUnitNames_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXTeletexOrganizationalUnitNames_Equal
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous1,
+  NSSPKIXTeletexOrganizationalUnitNames *ous2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXTeletexOrganizationalUnitNames_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAMES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexOrganizationalUnitNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexOrganizationalUnitNames *
+nssPKIXTeletexOrganizationalUnitNames_Duplicate
+(
+  NSSPKIXTeletexOrganizationalUnitNames *ous,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXTeletexOrganizationalUnitNames_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXTeletexOrganizationalUnitNames
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexOrganizationalUnitNames_verifyPointer
+(
+  NSSPKIXTeletexOrganizationalUnitNames *p
+);
+#endif /* DEBUG */
+
+/*
+ * TeletexOrganizationalUnitName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexOrganizationalUnitName ::= TeletexString
+ *                          (SIZE (1..ub-organizational-unit-name-length))
+ *  
+ * The private calls for this type:
+ *
+ *  nssPKIXTeletexOrganizationalUnitName_Decode
+ *  nssPKIXTeletexOrganizationalUnitName_CreateFromUTF8
+ *  nssPKIXTeletexOrganizationalUnitName_Encode
+ *
+ */
+
+/*
+ * nssPKIXTeletexOrganizationalUnitName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexOrganizationalUnitName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexOrganizationalUnitName *
+nssPKIXTeletexOrganizationalUnitName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXTeletexOrganizationalUnitName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexOrganizationalUnitName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexOrganizationalUnitName *
+nssPKIXTeletexOrganizationalUnitName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXTeletexOrganizationalUnitName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_ORGANIZATIONAL_UNIT_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXTeletexOrganizationalUnitName_Encode
+(
+  NSSPKIXTeletexOrganizationalUnitName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * PDSName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PDSName ::= PrintableString (SIZE (1..ub-pds-name-length))
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXPDSName_Decode
+ *  nssPKIXPDSName_CreateFromUTF8
+ *  nssPKIXPDSName_Encode
+ *
+ */
+
+/*
+ * nssPKIXPDSName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPDSName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPDSName *
+nssPKIXPDSName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXPDSName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPDSName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPDSName *
+nssPKIXPDSName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXPDSName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXPDSName_Encode
+(
+  NSSPKIXPDSName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * PhysicalDeliveryCountryName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PhysicalDeliveryCountryName ::= CHOICE {
+ *     x121-dcc-code NumericString (SIZE (ub-country-name-numeric-length)),
+ *     iso-3166-alpha2-code PrintableString
+ *                          (SIZE (ub-country-name-alpha-length)) }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXPhysicalDeliveryCountryName_Decode
+ *  nssPKIXPhysicalDeliveryCountryName_CreateFromUTF8
+ *  nssPKIXPhysicalDeliveryCountryName_Encode
+ *
+ */
+
+/*
+ * nssPKIXPhysicalDeliveryCountryName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPhysicalDeliveryCountryName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPhysicalDeliveryCountryName *
+nssPKIXPhysicalDeliveryCountryName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXPhysicalDeliveryCountryName_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPhysicalDeliveryCountryName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPhysicalDeliveryCountryName *
+nssPKIXPhysicalDeliveryCountryName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXPhysicalDeliveryCountryName_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PHYSICAL_DELIVERY_COUNTRY_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXPhysicalDeliveryCountryName_Encode
+(
+  NSSPKIXPhysicalDeliveryCountryName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * PostalCode
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PostalCode ::= CHOICE {
+ *     numeric-code NumericString (SIZE (1..ub-postal-code-length)),
+ *     printable-code PrintableString (SIZE (1..ub-postal-code-length)) }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXPostalCode_Decode
+ *  nssPKIXPostalCode_CreateFromUTF8
+ *  nssPKIXPostalCode_Encode
+ *
+ */
+
+/*
+ * nssPKIXPostalCode_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPostalCode upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPostalCode *
+nssPKIXPostalCode_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXPostalCode_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPostalCode upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPostalCode *
+nssPKIXPostalCode_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXPostalCode_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POSTAL_CODE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXPostalCode_Encode
+(
+  NSSPKIXPostalCode *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * PDSParameter
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PDSParameter ::= SET {
+ *     printable-string PrintableString
+ *                  (SIZE(1..ub-pds-parameter-length)) OPTIONAL,
+ *     teletex-string TeletexString
+ *                  (SIZE(1..ub-pds-parameter-length)) OPTIONAL }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXPDSParameter_Decode
+ *  nssPKIXPDSParameter_CreateFromUTF8
+ *  nssPKIXPDSParameter_Create
+ *  nssPKIXPDSParameter_Delete
+ *  nssPKIXPDSParameter_Encode
+ *  nssPKIXPDSParameter_GetUTF8Encoding
+ *  nssPKIXPDSParameter_HasPrintableString
+ *  nssPKIXPDSParameter_GetPrintableString
+ *  nssPKIXPDSParameter_SetPrintableString
+ *  nssPKIXPDSParameter_RemovePrintableString
+ *  nssPKIXPDSParameter_HasTeletexString
+ *  nssPKIXPDSParameter_GetTeletexString
+ *  nssPKIXPDSParameter_SetTeletexString
+ *  nssPKIXPDSParameter_RemoveTeletexString
+ *  nssPKIXPDSParameter_Equal
+ *  nssPKIXPDSParameter_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXPDSParameter_verifyPointer
+ */
+
+/*
+ * nssPKIXPDSParameter_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPDSParameter upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPDSParameter *
+nssPKIXPDSParameter_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXPDSParameter_CreateFromUTF8
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPDSParameter upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPDSParameter *
+nssPKIXPDSParameter_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXPDSParameter_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPDSParameter upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPDSParameter *
+nssPKIXPDSParameter_Create
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *printableStringOpt,
+  NSSUTF8 *teletexStringOpt
+);
+
+/*
+ * nssPKIXPDSParameter_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPDSParameter_Destroy
+(
+  NSSPKIXPDSParameter *p
+);
+
+/*
+ * nssPKIXPDSParameter_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXPDSParameter_Encode
+(
+  NSSPKIXPDSParameter *p,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXPDSParameter_GetUTF8Encoding
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXPDSParameter_GetUTF8Encoding
+(
+  NSSPKIXPDSParameter *p,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXPDSParameter_HasPrintableString
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXPDSParameter_HasPrintableString
+(
+  NSSPKIXPDSParameter *p,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXPDSParameter_GetPrintableString
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXPDSParameter_GetPrintableString
+(
+  NSSPKIXPDSParameter *p,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXPDSParameter_SetPrintableString
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPDSParameter_SetPrintableString
+(
+  NSSPKIXPDSParameter *p,
+  NSSUTF8 *printableString
+);
+
+/*
+ * nssPKIXPDSParameter_RemovePrintableString
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPDSParameter_RemovePrintableString
+(
+  NSSPKIXPDSParameter *p
+);
+
+/*
+ * nssPKIXPDSParameter_HasTeletexString
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXPDSParameter_HasTeletexString
+(
+  NSSPKIXPDSParameter *p,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXPDSParameter_GetTeletexString
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXPDSParameter_GetTeletexString
+(
+  NSSPKIXPDSParameter *p,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXPDSParameter_SetTeletexString
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPDSParameter_SetTeletexString
+(
+  NSSPKIXPDSParameter *p,
+  NSSUTF8 *teletexString
+);
+
+/*
+ * nssPKIXPDSParameter_RemoveTeletexString
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPDSParameter_RemoveTeletexString
+(
+  NSSPKIXPDSParameter *p
+);
+
+/*
+ * nssPKIXPDSParameter_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXPDSParameter_Equal
+(
+  NSSPKIXPDSParameter *p1,
+  NSSPKIXPDSParameter *p2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXPDSParameter_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPDSParameter upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPDSParameter *
+nssPKIXPDSParameter_Duplicate
+(
+  NSSPKIXPDSParameter *p,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXPDSParameter_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXPDSParameter
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PDS_PARAMETER
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPDSParameter_verifyPointer
+(
+  NSSPKIXPDSParameter *p
+);
+#endif /* DEBUG */
+
+/*
+ * fgmr: what about these PDS types?
+ *
+ * PhysicalDeliveryOfficeName
+ *
+ * PhysicalDeliveryOfficeNumber
+ *
+ * ExtensionORAddressComponents
+ *
+ * PhysicalDeliveryPersonalName
+ *
+ * PhysicalDeliveryOrganizationName
+ *
+ * ExtensionPhysicalDeliveryAddressComponents
+ *
+ * StreetAddress
+ *
+ * PostOfficeBoxAddress
+ *
+ * PosteRestanteAddress
+ *
+ * UniquePostalName
+ *
+ * LocalPostalAttributes
+ *
+ */
+
+/*
+ * UnformattedPostalAddress
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  UnformattedPostalAddress ::= SET {
+ *     printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) OF
+ *             PrintableString (SIZE (1..ub-pds-parameter-length)) OPTIONAL,
+ *     teletex-string TeletexString
+ *           (SIZE (1..ub-unformatted-address-length)) OPTIONAL }
+ *
+ * The private calls for the type:
+ *
+ *
+ */
+
+/*
+ * ExtendedNetworkAddress
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ExtendedNetworkAddress ::= CHOICE {
+ *     e163-4-address SEQUENCE {
+ *          number [0] NumericString (SIZE (1..ub-e163-4-number-length)),
+ *          sub-address [1] NumericString
+ *                  (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL },
+ *     psap-address [0] PresentationAddress }
+ *
+ * The private calls for the type:
+ *
+ *  nssPKIXExtendedNetworkAddress_Decode
+ *  nssPKIXExtendedNetworkAddress_Create
+ *  nssPKIXExtendedNetworkAddress_Encode
+ *  nssPKIXExtendedNetworkAddress_Destroy
+ *  nssPKIXExtendedNetworkAddress_GetChoice
+ *  nssPKIXExtendedNetworkAddress_Get
+ *  nssPKIXExtendedNetworkAddress_GetE1634Address
+ *  nssPKIXExtendedNetworkAddress_GetPsapAddress
+ *  nssPKIXExtendedNetworkAddress_Set
+ *  nssPKIXExtendedNetworkAddress_SetE163Address
+ *  nssPKIXExtendedNetworkAddress_SetPsapAddress
+ *  nssPKIXExtendedNetworkAddress_Equal
+ *  nssPKIXExtendedNetworkAddress_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXExtendedNetworkAddress_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXExtendedNetworkAddress_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtendedNetworkAddress upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtendedNetworkAddress *
+nssPKIXExtendedNetworkAddress_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXExtendedNetworkAddress_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ *  NSS_ERROR_INVALID_PKIX_PRESENTATION_ADDRESS
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtendedNetworkAddress upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtendedNetworkAddress *
+nssPKIXExtendedNetworkAddress_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXExtendedNetworkAddressChoice choice,
+  void *address
+);
+
+/*
+ * nssPKIXExtendedNetworkAddress_CreateFromE1634Address
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtendedNetworkAddress upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtendedNetworkAddress *
+nssPKIXExtendedNetworkAddress_CreateFromE1634Address
+(
+  NSSArena *arenaOpt,
+  NSSPKIXe1634Address *e1634address
+);
+
+/*
+ * nssPKIXExtendedNetworkAddress_CreateFromPresentationAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_PRESENTATION_ADDRESS
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtendedNetworkAddress upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtendedNetworkAddress *
+nssPKIXExtendedNetworkAddress_CreateFromPresentationAddress
+(
+  NSSArena *arenaOpt,
+  NSSPKIXPresentationAddress *presentationAddress
+);
+
+/*
+ * nssPKIXExtendedNetworkAddress_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtendedNetworkAddress_Destroy
+(
+  NSSPKIXExtendedNetworkAddress *ena
+);
+
+/*
+ * nssPKIXExtendedNetworkAddress_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXExtendedNetworkAddress_Encode
+(
+  NSSPKIXExtendedNetworkAddress *ena,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXExtendedNetworkAddress_GetChoice
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ * 
+ * Return value:
+ *  A valid element of the NSSPKIXExtendedNetworkAddressChoice upon
+ *      success
+ *  The value nssPKIXExtendedNetworkAddress_NSSinvalid upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtendedNetworkAddressChoice
+nssPKIXExtendedNetworkAddress_GetChoice
+(
+  NSSPKIXExtendedNetworkAddress *ena
+);
+
+/*
+ * nssPKIXExtendedNetworkAddress_GetSpecifiedChoice
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_WRONG_CHOICE
+ * 
+ * Return value:
+ *  A pointer...
+ *  NULL upon failure
+ */
+
+NSS_EXTERN void *
+nssPKIXExtendedNetworkAddress_GetSpecifiedChoice
+(
+  NSSPKIXExtendedNetworkAddress *ena,
+  NSSPKIXExtendedNetworkAddressChoice which,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXExtendedNetworkAddress_GetE1634Address
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_WRONG_CHOICE
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXe1643Address upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXe1643Address *
+nssPKIXExtendedNetworkAddress_GetE1634Address
+(
+  NSSPKIXExtendedNetworkAddress *ena,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXExtendedNetworkAddress_GetPresentationAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_WRONG_CHOICE
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPresentationAddress upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPresentationAddress *
+nssPKIXExtendedNetworkAddress_GetPresentationAddress
+(
+  NSSPKIXExtendedNetworkAddress *ena,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXExtendedNetworkAddress_SetSpecifiedChoice
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ *  NSS_ERROR_INVALID_PKIX_PRESENTATION_ADDRESS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtendedNetworkAddress_SetSpecifiedChoice
+(
+  NSSPKIXExtendedNetworkAddress *ena,
+  NSSPKIXExtendedNetworkAddressChoice which,
+  void *address
+);
+
+/*
+ * nssPKIXExtendedNetworkAddress_SetE163Address
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtendedNetworkAddress_SetE163Address
+(
+  NSSPKIXExtendedNetworkAddress *ena,
+  NSSPKIXe1634Address *e1634address
+);
+
+/*
+ * nssPKIXExtendedNetworkAddress_SetPresentationAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_PRESENTATION_ADDRESS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtendedNetworkAddress_SetPresentationAddress
+(
+  NSSPKIXExtendedNetworkAddress *ena,
+  NSSPKIXPresentationAddress *presentationAddress
+);
+
+/*
+ * nssPKIXExtendedNetworkAddress_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXExtendedNetworkAddress_Equal
+(
+  NSSPKIXExtendedNetworkAddress *ena1,
+  NSSPKIXExtendedNetworkAddress *ena2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXExtendedNetworkAddress_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtendedNetworkAddress upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtendedNetworkAddress *
+nssPKIXExtendedNetworkAddress_Duplicate
+(
+  NSSPKIXExtendedNetworkAddress *ena,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXExtendedNetworkAddress_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXExtendedNetworkAddress
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXTENDED_NETWORK_ADDRESS
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtendedNetworkAddress_verifyPointer
+(
+  NSSPKIXExtendedNetworkAddress *p
+);
+#endif /* DEBUG */
+
+/*
+ * e163-4-address
+ *
+ * Helper structure for ExtendedNetworkAddress.
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ * 
+ *     e163-4-address SEQUENCE {
+ *          number [0] NumericString (SIZE (1..ub-e163-4-number-length)),
+ *          sub-address [1] NumericString
+ *                  (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL },
+ * 
+ * The private calls for the type:
+ *
+ *  nssPKIXe1634Address_Decode
+ *  nssPKIXe1634Address_Create
+ *  nssPKIXe1634Address_Destroy
+ *  nssPKIXe1634Address_Encode
+ *  nssPKIXe1634Address_GetNumber
+ *  nssPKIXe1634Address_SetNumber
+ *  nssPKIXe1634Address_HasSubAddress
+ *  nssPKIXe1634Address_GetSubAddress
+ *  nssPKIXe1634Address_SetSubAddress
+ *  nssPKIXe1634Address_RemoveSubAddress
+ *  nssPKIXe1634Address_Equal
+ *  nssPKIXe1634Address_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXe1634Address_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXe1634Address_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXe1634Address upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXe1634Address *
+nssPKIXe1634Address_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXe1634Address_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXe1634Address upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXe1634Address *
+nssPKIXe1634Address_Create
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *number,
+  NSSUTF8 *subAddressOpt
+);
+
+/*
+ * nssPKIXe1634Address_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXe1634Address_Destroy
+(
+  NSSPKIXe1634Address *e
+);
+
+/*
+ * nssPKIXe1634Address_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXe1634Address_Encode
+(
+  NSSPKIXe1634Address *e,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXe1634Address_GetNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXe1634Address_GetNumber
+(
+  NSSPKIXe1634Address *e,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXe1634Address_SetNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_STRING
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXe1634Address_SetNumber
+(
+  NSSPKIXe1634Address *e,
+  NSSUTF8 *number
+);
+
+/*
+ * nssPKIXe1634Address_HasSubAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXe1634Address_HasSubAddress
+(
+  NSSPKIXe1634Address *e,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXe1634Address_GetSubAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXe1634Address_GetSubAddress
+(
+  NSSPKIXe1634Address *e,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXe1634Address_SetSubAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_STRING
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXe1634Address_SetSubAddress
+(
+  NSSPKIXe1634Address *e,
+  NSSUTF8 *subAddress
+);
+
+/*
+ * nssPKIXe1634Address_RemoveSubAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXe1634Address_RemoveSubAddress
+(
+  NSSPKIXe1634Address *e
+);
+
+/*
+ * nssPKIXe1634Address_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXe1634Address_Equal
+(
+  NSSPKIXe1634Address *e1,
+  NSSPKIXe1634Address *e2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXe1634Address_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXe1634Address upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXe1634Address *
+nssPKIXe1634Address_Duplicate
+(
+  NSSPKIXe1634Address *e,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXe1634Address_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXe1634Address
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_E163_4_ADDRESS
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXe1634Address_verifyPointer
+(
+  NSSPKIXe1634Address *p
+);
+#endif /* DEBUG */
+
+/*
+ * PresentationAddress
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PresentationAddress ::= SEQUENCE {
+ *          pSelector       [0] EXPLICIT OCTET STRING OPTIONAL,
+ *          sSelector       [1] EXPLICIT OCTET STRING OPTIONAL,
+ *          tSelector       [2] EXPLICIT OCTET STRING OPTIONAL,
+ *          nAddresses      [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }
+ *
+ * The private calls for the type:
+ *
+ *  nssPKIXPresentationAddress_Decode
+ *  nssPKIXPresentationAddress_Create
+ *  nssPKIXPresentationAddress_Destroy
+ *  nssPKIXPresentationAddress_Encode
+ *  nssPKIXPresentationAddress_HasPSelector
+ *  nssPKIXPresentationAddress_GetPSelector
+ *  nssPKIXPresentationAddress_SetPSelector
+ *  nssPKIXPresentationAddress_RemovePSelector
+ *  nssPKIXPresentationAddress_HasSSelector
+ *  nssPKIXPresentationAddress_GetSSelector
+ *  nssPKIXPresentationAddress_SetSSelector
+ *  nssPKIXPresentationAddress_RemoveSSelector
+ *  nssPKIXPresentationAddress_HasTSelector
+ *  nssPKIXPresentationAddress_GetTSelector
+ *  nssPKIXPresentationAddress_SetTSelector
+ *  nssPKIXPresentationAddress_RemoveTSelector
+ *  nssPKIXPresentationAddress_HasNAddresses
+ *  nssPKIXPresentationAddress_GetNAddresses
+ *  nssPKIXPresentationAddress_SetNAddresses
+ *  nssPKIXPresentationAddress_RemoveNAddresses
+ *{NAddresses must be more complex than that}
+ *  nssPKIXPresentationAddress_Compare
+ *  nssPKIXPresentationAddress_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  _verifyPointer
+ *
+ */
+
+/*
+ * TeletexDomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexDomainDefinedAttributes ::= SEQUENCE SIZE
+ *     (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute
+ * 
+ * The private calls for the type:
+ *
+ *  nssPKIXTeletexDomainDefinedAttributes_Decode
+ *  nssPKIXTeletexDomainDefinedAttributes_Create
+ *  nssPKIXTeletexDomainDefinedAttributes_Destroy
+ *  nssPKIXTeletexDomainDefinedAttributes_Encode
+ *  nssPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributeCount
+ *  nssPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributes
+ *  nssPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttributes
+ *  nssPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttribute
+ *  nssPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttribute
+ *  nssPKIXTeletexDomainDefinedAttributes_InsertTeletexDomainDefinedAttribute
+ *  nssPKIXTeletexDomainDefinedAttributes_AppendTeletexDomainDefinedAttribute
+ *  nssPKIXTeletexDomainDefinedAttributes_RemoveTeletexDomainDefinedAttribute
+ *  nssPKIXTeletexDomainDefinedAttributes_FindTeletexDomainDefinedAttribute
+ *  nssPKIXTeletexDomainDefinedAttributes_Equal
+ *  nssPKIXTeletexDomainDefinedAttributes_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXTeletexDomainDefinedAttributes_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXTeletexDomainDefinedAttributes_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexDomainDefinedAttributes
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexDomainDefinedAttributes *
+nssPKIXTeletexDomainDefinedAttributes_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttributes_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexDomainDefinedAttributes
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexDomainDefinedAttributes *
+nssPKIXTeletexDomainDefinedAttributes_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXTeletexDomainDefinedAttribute *tdda1,
+  ...
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttributes_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexDomainDefinedAttributes_Destroy
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttributes_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXTeletexDomainDefinedAttributes_Encode
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributeCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributeCount
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ * 
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXTeletexDomainDefinedAttribute
+ *      pointers upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute **
+nssPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttributes
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas,
+  NSSPKIXTeletexDomainDefinedAttribute *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttributes
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas,
+  NSSPKIXTeletexDomainDefinedAttribute *tdda[],
+  PRInt32 count
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexDomainDefinedAttribute upon
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute *
+nssPKIXTeletexDomainDefinedAttributes_GetTeletexDomainDefinedAttribute
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexDomainDefinedAttributes_SetTeletexDomainDefinedAttribute
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas,
+  PRInt32 i,
+  NSSPKIXTeletexDomainDefinedAttribute *tdda
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttributes_InsertTeletexDomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexDomainDefinedAttributes_InsertTeletexDomainDefinedAttribute
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas,
+  PRInt32 i,
+  NSSPKIXTeletexDomainDefinedAttribute *tdda
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttributes_AppendTeletexDomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexDomainDefinedAttributes_AppendTeletexDomainDefinedAttribute
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas,
+  NSSPKIXTeletexDomainDefinedAttribute *tdda
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttributes_RemoveTeletexDomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexDomainDefinedAttributes_RemoveTeletexDomainDefinedAttribute
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas,
+  PRInt32 i
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttributes_FindTeletexDomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ * 
+ * Return value:
+ *  The nonnegative integer upon success
+ *  -1 upon failure
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXTeletexDomainDefinedAttributes_FindTeletexDomainDefinedAttribute
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas,
+  NSSPKIXTeletexDomainDefinedAttribute *tdda
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttributes_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXTeletexDomainDefinedAttributes_Equal
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas1,
+  NSSPKIXTeletexDomainDefinedAttributes *tddas2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttributes_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexDomainDefinedAttributes
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexDomainDefinedAttributes *
+nssPKIXTeletexDomainDefinedAttributes_Duplicate
+(
+  NSSPKIXTeletexDomainDefinedAttributes *tddas,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXTeletexDomainDefinedAttributes_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXTeletexDomainDefinedAttributes
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexDomainDefinedAttributes_verifyPointer
+(
+  NSSPKIXTeletexDomainDefinedAttributes *p
+);
+#endif /* DEBUG */
+
+/*
+ * TeletexDomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexDomainDefinedAttribute ::= SEQUENCE {
+ *          type TeletexString
+ *                 (SIZE (1..ub-domain-defined-attribute-type-length)),
+ *          value TeletexString
+ *                 (SIZE (1..ub-domain-defined-attribute-value-length)) }
+ * 
+ * The private calls for the type:
+ *
+ *  nssPKIXTeletexDomainDefinedAttribute_Decode
+ *  nssPKIXTeletexDomainDefinedAttribute_CreateFromUTF8
+ *  nssPKIXTeletexDomainDefinedAttribute_Create
+ *  nssPKIXTeletexDomainDefinedAttribute_Destroy
+ *  nssPKIXTeletexDomainDefinedAttribute_Encode
+ *  nssPKIXTeletexDomainDefinedAttribute_GetUTF8Encoding
+ *  nssPKIXTeletexDomainDefinedAttribute_GetType
+ *  nssPKIXTeletexDomainDefinedAttribute_SetType
+ *  nssPKIXTeletexDomainDefinedAttribute_GetValue
+ *  nssPKIXTeletexDomainDefinedAttribute_GetValue
+ *  nssPKIXTeletexDomainDefinedAttribute_Equal
+ *  nssPKIXTeletexDomainDefinedAttribute_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXTeletexDomainDefinedAttribute_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXTeletexDomainDefinedAttribute_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexDomainDefinedAttribute
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute *
+nssPKIXTeletexDomainDefinedAttribute_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttribute_CreateFromUTF8
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexDomainDefinedAttribute
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute *
+nssPKIXTeletexDomainDefinedAttribute_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttribute_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexDomainDefinedAttribute
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute *
+nssPKIXTeletexDomainDefinedAttribute_Create
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *type,
+  NSSUTF8 *value
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttribute_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexDomainDefinedAttribute_Destroy
+(
+  NSSPKIXTeletexDomainDefinedAttribute *tdda
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttribute_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXTeletexDomainDefinedAttribute_Encode
+(
+  NSSPKIXTeletexDomainDefinedAttribute *tdda,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttribute_GetUTF8Encoding
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXTeletexDomainDefinedAttribute_GetUTF8Encoding
+(
+  NSSPKIXTeletexDomainDefinedAttribute *tdda,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttribute_GetType
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXTeletexDomainDefinedAttribute_GetType
+(
+  NSSPKIXTeletexDomainDefinedAttribute *tdda,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttribute_SetType
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexDomainDefinedAttribute_SetType
+(
+  NSSPKIXTeletexDomainDefinedAttribute *tdda,
+  NSSUTF8 *type
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttribute_GetValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXTeletexDomainDefinedAttribute_GetValue
+(
+  NSSPKIXTeletexDomainDefinedAttribute *tdda,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttribute_SetValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_STRING
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexDomainDefinedAttribute_SetValue
+(
+  NSSPKIXTeletexDomainDefinedAttribute *tdda,
+  NSSUTF8 *value
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttribute_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXTeletexDomainDefinedAttribute_Equal
+(
+  NSSPKIXTeletexDomainDefinedAttribute *tdda1,
+  NSSPKIXTeletexDomainDefinedAttribute *tdda2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXTeletexDomainDefinedAttribute_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTeletexDomainDefinedAttribute
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXTeletexDomainDefinedAttribute *
+nssPKIXTeletexDomainDefinedAttribute_Duplicate
+(
+  NSSPKIXTeletexDomainDefinedAttribute *tdda,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXTeletexDomainDefinedAttribute_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXTeletexDomainDefinedAttribute
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_TELETEX_DOMAIN_DEFINED_ATTRIBUTE
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXTeletexDomainDefinedAttribute_verifyPointer
+(
+  NSSPKIXTeletexDomainDefinedAttribute *p
+);
+#endif /* DEBUG */
+
+/*
+ * AuthorityKeyIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  AuthorityKeyIdentifier ::= SEQUENCE {
+ *        keyIdentifier             [0] KeyIdentifier            OPTIONAL,
+ *        authorityCertIssuer       [1] GeneralNames             OPTIONAL,
+ *        authorityCertSerialNumber [2] CertificateSerialNumber  OPTIONAL }
+ *      -- authorityCertIssuer and authorityCertSerialNumber shall both
+ *      -- be present or both be absent
+ *
+ * The private calls for the type:
+ *
+ *  nssPKIXAuthorityKeyIdentifier_Decode
+ *  nssPKIXAuthorityKeyIdentifier_Create
+ *  nssPKIXAuthorityKeyIdentifier_Destroy
+ *  nssPKIXAuthorityKeyIdentifier_Encode
+ *  nssPKIXAuthorityKeyIdentifier_HasKeyIdentifier
+ *  nssPKIXAuthorityKeyIdentifier_GetKeyIdentifier
+ *  nssPKIXAuthorityKeyIdentifier_SetKeyIdentifier
+ *  nssPKIXAuthorityKeyIdentifier_RemoveKeyIdentifier
+ *  nssPKIXAuthorityKeyIdentifier_HasAuthorityCertIssuerAndSerialNumber
+ *  nssPKIXAuthorityKeyIdentifier_RemoveAuthorityCertIssuerAndSerialNumber
+ *  nssPKIXAuthorityKeyIdentifier_GetAuthorityCertIssuer
+ *  nssPKIXAuthorityKeyIdentifier_GetAuthorityCertSerialNumber
+ *  nssPKIXAuthorityKeyIdentifier_SetAuthorityCertIssuerAndSerialNumber
+ *  nssPKIXAuthorityKeyIdentifier_Equal
+ *  nssPKIXAuthorityKeyIdentifier_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXAuthorityKeyIdentifier_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXAuthorityKeyIdentifier_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAuthorityKeyIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAuthorityKeyIdentifier *
+nssPKIXAuthorityKeyIdentifier_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXAuthorityKeyIdentifier_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_INVALID_ARGUMENTS
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAuthorityKeyIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAuthorityKeyIdentifier *
+nssPKIXAuthorityKeyIdentifier_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXKeyIdentifier *keyIdentifierOpt,
+  NSSPKIXGeneralNames *authorityCertIssuerOpt,
+  NSSPKIXCertificateSerialNumber *authorityCertSerialNumberOpt
+);
+
+/*
+ * nssPKIXAuthorityKeyIdentifier_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAuthorityKeyIdentifier_Destroy
+(
+  NSSPKIXAuthorityKeyIdentifier *aki
+);
+
+/*
+ * nssPKIXAuthorityKeyIdentifier_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXAuthorityKeyIdentifier_Encode
+(
+  NSSPKIXAuthorityKeyIdentifier *aki,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXAuthorityKeyIdentifier_HasKeyIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXAuthorityKeyIdentifier_HasKeyIdentifier
+(
+  NSSPKIXAuthorityKeyIdentifier *aki,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXAuthorityKeyIdentifier_GetKeyIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_HAS_NO_KEY_IDENTIFIER
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXKeyIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXKeyIdentifier *
+nssPKIXAuthorityKeyIdentifier_GetKeyIdentifier
+(
+  NSSPKIXAuthorityKeyIdentifier *aki,
+  NSSPKIXKeyIdentifier *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXAuthorityKeyIdentifier_SetKeyIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAuthorityKeyIdentifier_SetKeyIdentifier
+(
+  NSSPKIXAuthorityKeyIdentifier *aki,
+  NSSPKIXKeyIdentifier *keyIdentifier
+);
+
+/*
+ * nssPKIXAuthorityKeyIdentifier_RemoveKeyIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *  NSS_ERROR_HAS_NO_KEY_IDENTIFIER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAuthorityKeyIdentifier_RemoveKeyIdentifier
+(
+  NSSPKIXAuthorityKeyIdentifier *aki
+);
+
+/*
+ * nssPKIXAuthorityKeyIdentifier_HasAuthorityCertIssuerAndSerialNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *
+ * Return value:
+ *  PR_TRUE if it has them
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXAuthorityKeyIdentifier_HasAuthorityCertIssuerAndSerialNumber
+(
+  NSSPKIXAuthorityKeyIdentifier *aki,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXAuthorityKeyIdentifier_RemoveAuthorityCertIssuerAndSerialNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *  NSS_ERROR_HAS_NO_AUTHORITY_CERT_ISSUER_AND_SERIAL_NUMBER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAuthorityKeyIdentifier_RemoveAuthorityCertIssuerAndSerialNumber
+(
+  NSSPKIXAuthorityKeyIdentifier *aki
+);
+
+/*
+ * nssPKIXAuthorityKeyIdentifier_GetAuthorityCertIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_HAS_NO_AUTHORITY_CERT_ISSUER_AND_SERIAL_NUMBER
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralNames *
+nssPKIXAuthorityKeyIdentifier_GetAuthorityCertIssuer
+(
+  NSSPKIXAuthorityKeyIdentifier *aki,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXAuthorityKeyIdentifier_GetAuthorityCertSerialNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_HAS_NO_AUTHORITY_CERT_ISSUER_AND_SERIAL_NUMBER
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificateSerialNumber upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificateSerialNumber *
+nssPKIXAuthorityKeyIdentifier_GetAuthorityCertSerialNumber
+(
+  NSSPKIXAuthorityKeyIdentifier *aki,
+  NSSPKIXCertificateSerialNumber *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXAuthorityKeyIdentifier_SetAuthorityCertIssuerAndSerialNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAuthorityKeyIdentifier_SetAuthorityCertIssuerAndSerialNumber
+(
+  NSSPKIXAuthorityKeyIdentifier *aki,
+  NSSPKIXGeneralNames *issuer,
+  NSSPKIXCertificateSerialNumber *serialNumber
+);
+
+/*
+ * nssPKIXAuthorityKeyIdentifier_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXAuthorityKeyIdentifier_Equal
+(
+  NSSPKIXAuthorityKeyIdentifier *aki1,
+  NSSPKIXAuthorityKeyIdentifier *aki2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXAuthorityKeyIdentifier_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAuthorityKeyIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAuthorityKeyIdentifier *
+nssPKIXAuthorityKeyIdentifier_Duplicate
+(
+  NSSPKIXAuthorityKeyIdentifier *aki,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXAuthorityKeyIdentifier_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXAuthorityKeyIdentifier
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_KEY_IDENTIFIER
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAuthorityKeyIdentifier_verifyPointer
+(
+  NSSPKIXAuthorityKeyIdentifier *p
+);
+#endif /* DEBUG */
+
+/*
+ * KeyUsage
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  KeyUsage ::= BIT STRING {
+ *       digitalSignature        (0),
+ *       nonRepudiation          (1),
+ *       keyEncipherment         (2),
+ *       dataEncipherment        (3),
+ *       keyAgreement            (4),
+ *       keyCertSign             (5),
+ *       cRLSign                 (6),
+ *       encipherOnly            (7),
+ *       decipherOnly            (8) }
+ *
+ * The private calls for the type:
+ *
+ *  nssPKIXKeyUsage_Decode
+ *  nssPKIXKeyUsage_CreateFromUTF8
+ *  nssPKIXKeyUsage_CreateFromValue
+ *  nssPKIXKeyUsage_Destroy
+ *  nssPKIXKeyUsage_Encode
+ *  nssPKIXKeyUsage_GetUTF8Encoding
+ *  nssPKIXKeyUsage_GetValue
+ *  nssPKIXKeyUsage_SetValue
+ *    { bitwise accessors? }
+ *  nssPKIXKeyUsage_Equal
+ *  nssPKIXKeyUsage_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXKeyUsage_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXKeyUsage_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXKeyUsage upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXKeyUsage *
+nssPKIXKeyUsage_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXKeyUsage_CreateFromUTF8
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXKeyUsage upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXKeyUsage *
+nssPKIXKeyUsage_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXKeyUsage_CreateFromValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_KEY_USAGE_VALUE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXKeyUsage upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXKeyUsage *
+nssPKIXKeyUsage_CreateFromValue
+(
+  NSSArena *arenaOpt,
+  NSSPKIXKeyUsageValue value
+);
+
+/*
+ * nssPKIXKeyUsage_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_KEY_USAGE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXKeyUsage_Destroy
+(
+  NSSPKIXKeyUsage *keyUsage
+);
+
+/*
+ * nssPKIXKeyUsage_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_KEY_USAGE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXKeyUsage_Encode
+(
+  NSSPKIXKeyUsage *keyUsage,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXKeyUsage_GetUTF8Encoding
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_KEY_USAGE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXKeyUsage_GetUTF8Encoding
+(
+  NSSPKIXKeyUsage *keyUsage,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXKeyUsage_GetValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_KEY_USAGE
+ *
+ * Return value:
+ *  A set of NSSKeyUsageValue values OR-d together upon success
+ *  NSSKeyUsage_NSSinvalid upon failure
+ */
+
+NSS_EXTERN NSSKeyUsageValue
+nssPKIXKeyUsage_GetValue
+(
+  NSSPKIXKeyUsage *keyUsage
+);
+
+/*
+ * nssPKIXKeyUsage_SetValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_KEY_USAGE
+ *  NSS_ERROR_INVALID_PKIX_KEY_USAGE_VALUE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXKeyUsage_SetValue
+(
+  NSSPKIXKeyUsage *keyUsage,
+  NSSPKIXKeyUsageValue value
+);
+
+/*
+ * nssPKIXKeyUsage_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_KEY_USAGE
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXKeyUsage_Equal
+(
+  NSSPKIXKeyUsage *keyUsage1,
+  NSSPKIXKeyUsage *keyUsage2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXKeyUsage_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_KEY_USAGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXKeyUsage upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXKeyUsage *
+nssPKIXKeyUsage_Duplicate
+(
+  NSSPKIXKeyUsage *keyUsage,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXKeyUsage_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXKeyUsage
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_KEY_USAGE
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXKeyUsage_verifyPointer
+(
+  NSSPKIXKeyUsage *p
+);
+#endif /* DEBUG */
+
+/*
+ * PrivateKeyUsagePeriod
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PrivateKeyUsagePeriod ::= SEQUENCE {
+ *       notBefore       [0]     GeneralizedTime OPTIONAL,
+ *       notAfter        [1]     GeneralizedTime OPTIONAL }
+ *       -- either notBefore or notAfter shall be present
+ *
+ * The private calls for the type:
+ *
+ *  nssPKIXPrivateKeyUsagePeriod_Decode
+ *  nssPKIXPrivateKeyUsagePeriod_Create
+ *  nssPKIXPrivateKeyUsagePeriod_Destroy
+ *  nssPKIXPrivateKeyUsagePeriod_Encode
+ *  nssPKIXPrivateKeyUsagePeriod_HasNotBefore
+ *  nssPKIXPrivateKeyUsagePeriod_GetNotBefore
+ *  nssPKIXPrivateKeyUsagePeriod_SetNotBefore
+ *  nssPKIXPrivateKeyUsagePeriod_RemoveNotBefore
+ *  nssPKIXPrivateKeyUsagePeriod_HasNotAfter
+ *  nssPKIXPrivateKeyUsagePeriod_GetNotAfter
+ *  nssPKIXPrivateKeyUsagePeriod_SetNotAfter
+ *  nssPKIXPrivateKeyUsagePeriod_RemoveNotAfter
+ *  nssPKIXPrivateKeyUsagePeriod_Equal
+ *  nssPKIXPrivateKeyUsagePeriod_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXPrivateKeyUsagePeriod_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXPrivateKeyUsagePeriod_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPrivateKeyUsagePeriod upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPrivateKeyUsagePeriod *
+nssPKIXPrivateKeyUsagePeriod_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXPrivateKeyUsagePeriod_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_TIME
+ *  NSS_ERROR_INVALID_ARGUMENTS
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPrivateKeyUsagePeriod upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPrivateKeyUsagePeriod *
+nssPKIXPrivateKeyUsagePeriod_Create
+(
+  NSSArena *arenaOpt,
+  NSSTime *notBeforeOpt,
+  NSSTime *notAfterOpt
+);
+
+/*
+ * nssPKIXPrivateKeyUsagePeriod_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPrivateKeyUsagePeriod_Destroy
+(
+  NSSPKIXPrivateKeyUsagePeriod *period
+);
+
+/*
+ * nssPKIXPrivateKeyUsagePeriod_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_DATA
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXPrivateKeyUsagePeriod_Encode
+(
+  NSSPKIXPrivateKeyUsagePeriod *period,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXPrivateKeyUsagePeriod_HasNotBefore
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXPrivateKeyUsagePeriod_HasNotBefore
+(
+  NSSPKIXPrivateKeyUsagePeriod *period,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXPrivateKeyUsagePeriod_GetNotBefore
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_HAS_NO_NOT_BEFORE
+ *
+ * Return value:
+ *  NSSTime {fgmr!}
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSTime *
+nssPKIXPrivateKeyUsagePeriod_GetNotBefore
+(
+  NSSPKIXPrivateKeyUsagePeriod *period,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXPrivateKeyUsagePeriod_SetNotBefore
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *  NSS_ERROR_INVALID_TIME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPrivateKeyUsagePeriod_SetNotBefore
+(
+  NSSPKIXPrivateKeyUsagePeriod *period,
+  NSSTime *notBefore
+);
+
+/*
+ * nssPKIXPrivateKeyUsagePeriod_RemoveNotBefore
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *  NSS_ERROR_HAS_NO_NOT_BEFORE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPrivateKeyUsagePeriod_RemoveNotBefore
+(
+  NSSPKIXPrivateKeyUsagePeriod *period
+);
+
+/*
+ * nssPKIXPrivateKeyUsagePeriod_HasNotAfter
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXPrivateKeyUsagePeriod_HasNotAfter
+(
+  NSSPKIXPrivateKeyUsagePeriod *period,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXPrivateKeyUsagePeriod_GetNotAfter
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_HAS_NO_NOT_AFTER
+ *
+ * Return value:
+ *  NSSTime {fgmr!}
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSTime *
+nssPKIXPrivateKeyUsagePeriod_GetNotAfter
+(
+  NSSPKIXPrivateKeyUsagePeriod *period,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXPrivateKeyUsagePeriod_SetNotAfter
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *  NSS_ERROR_INVALID_TIME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPrivateKeyUsagePeriod_SetNotAfter
+(
+  NSSPKIXPrivateKeyUsagePeriod *period,
+  NSSTime *notAfter
+);
+
+/*
+ * nssPKIXPrivateKeyUsagePeriod_RemoveNotAfter
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *  NSS_ERROR_HAS_NO_NOT_AFTER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPrivateKeyUsagePeriod_RemoveNotAfter
+(
+  NSSPKIXPrivateKeyUsagePeriod *period
+);
+
+/*
+ * nssPKIXPrivateKeyUsagePeriod_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXPrivateKeyUsagePeriod_Equal
+(
+  NSSPKIXPrivateKeyUsagePeriod *period1,
+  NSSPKIXPrivateKeyUsagePeriod *period2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXPrivateKeyUsagePeriod_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPrivateKeyUsagePeriod upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPrivateKeyUsagePeriod *
+nssPKIXPrivateKeyUsagePeriod_Duplicate
+(
+  NSSPKIXPrivateKeyUsagePeriod *period,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXPrivateKeyUsagePeriod_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXPrivateKeyUsagePeriod
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_PRIVATE_KEY_USAGE_PERIOD
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPrivateKeyUsagePeriod_verifyPointer
+(
+  NSSPKIXPrivateKeyUsagePeriod *p
+);
+#endif /* DEBUG */
+
+/*
+ * CertificatePolicies
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
+ *
+ * The private calls for the type:
+ *
+ *  nssPKIXCertificatePolicies_Decode
+ *  nssPKIXCertificatePolicies_Create
+ *  nssPKIXCertificatePolicies_Destroy
+ *  nssPKIXCertificatePolicies_Encode
+ *  nssPKIXCertificatePolicies_GetPolicyInformationCount
+ *  nssPKIXCertificatePolicies_GetPolicyInformations
+ *  nssPKIXCertificatePolicies_SetPolicyInformations
+ *  nssPKIXCertificatePolicies_GetPolicyInformation
+ *  nssPKIXCertificatePolicies_SetPolicyInformation
+ *  nssPKIXCertificatePolicies_InsertPolicyInformation
+ *  nssPKIXCertificatePolicies_AppendPolicyInformation
+ *  nssPKIXCertificatePolicies_RemovePolicyInformation
+ *  nssPKIXCertificatePolicies_FindPolicyInformation
+ *  nssPKIXCertificatePolicies_Equal
+ *  nssPKIXCertificatePolicies_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXCertificatePolicies_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXCertificatePolicies_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificatePolicies upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificatePolicies *
+nssPKIXCertificatePolicies_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXCertificatePolicies_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificatePolicies upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificatePolicies *
+nssPKIXCertificatePolicies_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXPolicyInformation *pi1,
+  ...
+);
+
+/*
+ * nssPKIXCertificatePolicies_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCertificatePolicies_Destroy
+(
+  NSSPKIXCertificatePolicies *cp
+);
+
+/*
+ * nssPKIXCertificatePolicies_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXCertificatePolicies_Encode
+(
+  NSSPKIXCertificatePolicies *cp,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXCertificatePolicies_GetPolicyInformationCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXCertificatePolicies_GetPolicyInformationCount
+(
+  NSSPKIXCertificatePolicies *cp
+);
+
+/*
+ * nssPKIXCertificatePolicies_GetPolicyInformations
+ *
+ * We regret the function name.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXPolicyInformation pointers
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyInformation **
+nssPKIXCertificatePolicies_GetPolicyInformations
+(
+  NSSPKIXCertificatePolicies *cp,
+  NSSPKIXPolicyInformation *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXCertificatePolicies_SetPolicyInformations
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCertificatePolicies_SetPolicyInformations
+(
+  NSSPKIXCertificatePolicies *cp,
+  NSSPKIXPolicyInformation *pi[],
+  PRInt32 count
+);
+
+/*
+ * nssPKIXCertificatePolicies_GetPolicyInformation
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyInformation upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyInformation *
+nssPKIXCertificatePolicies_GetPolicyInformation
+(
+  NSSPKIXCertificatePolicies *cp,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXCertificatePolicies_SetPolicyInformation
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCertificatePolicies_SetPolicyInformation
+(
+  NSSPKIXCertificatePolicies *cp,
+  PRInt32 i,
+  NSSPKIXPolicyInformation *pi
+);
+
+/*
+ * nssPKIXCertificatePolicies_InsertPolicyInformation
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCertificatePolicies_InsertPolicyInformation
+(
+  NSSPKIXCertificatePolicies *cp,
+  PRInt32 i,
+  NSSPKIXPolicyInformation *pi
+);
+
+/*
+ * nssPKIXCertificatePolicies_AppendPolicyInformation
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCertificatePolicies_AppendPolicyInformation
+(
+  NSSPKIXCertificatePolicies *cp,
+  NSSPKIXPolicyInformation *pi
+);
+
+/*
+ * nssPKIXCertificatePolicies_RemovePolicyInformation
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCertificatePolicies_RemovePolicyInformation
+(
+  NSSPKIXCertificatePolicies *cp,
+  PRInt32 i
+);
+
+/*
+ * nssPKIXCertificatePolicies_FindPolicyInformation
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *
+ * Return value:
+ *  The nonnegative integer upon success
+ *  -1 upon failure
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXCertificatePolicies_FindPolicyInformation
+(
+  NSSPKIXCertificatePolicies *cp,
+  NSSPKIXPolicyInformation *pi
+);
+
+/*
+ * nssPKIXCertificatePolicies_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXCertificatePolicies_Equal
+(
+  NSSPKIXCertificatePolicies *cp1,
+  NSSPKIXCertificatePolicies *cp2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXCertificatePolicies_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertificatePolicies upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertificatePolicies *
+nssPKIXCertificatePolicies_Duplicate
+(
+  NSSPKIXCertificatePolicies *cp,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXCertificatePolicies_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXCertificatePolicies
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CERTIFICATE_POLICIES
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCertificatePolicies_verifyPointer
+(
+  NSSPKIXCertificatePolicies *p
+);
+#endif /* DEBUG */
+
+/*
+ * PolicyInformation
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PolicyInformation ::= SEQUENCE {
+ *       policyIdentifier   CertPolicyId,
+ *       policyQualifiers   SEQUENCE SIZE (1..MAX) OF
+ *               PolicyQualifierInfo OPTIONAL }
+ *
+ * The private calls for the type:
+ *
+ *  nssPKIXPolicyInformation_Decode
+ *  nssPKIXPolicyInformation_Create
+ *  nssPKIXPolicyInformation_Destroy
+ *  nssPKIXPolicyInformation_Encode
+ *  nssPKIXPolicyInformation_GetPolicyIdentifier
+ *  nssPKIXPolicyInformation_SetPolicyIdentifier
+ *  nssPKIXPolicyInformation_GetPolicyQualifierCount
+ *  nssPKIXPolicyInformation_GetPolicyQualifiers
+ *  nssPKIXPolicyInformation_SetPolicyQualifiers
+ *  nssPKIXPolicyInformation_GetPolicyQualifier
+ *  nssPKIXPolicyInformation_SetPolicyQualifier
+ *  nssPKIXPolicyInformation_InsertPolicyQualifier
+ *  nssPKIXPolicyInformation_AppendPolicyQualifier
+ *  nssPKIXPolicyInformation_RemovePolicyQualifier
+ *  nssPKIXPolicyInformation_Equal
+ *  nssPKIXPolicyInformation_Duplicate
+ *    { and accessors by specific policy qualifier ID }
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXPolicyInformation_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXPolicyInformation_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyInformation upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyInformation *
+nssPKIXPolicyInformation_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXPolicyInformation_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyInformation upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyInformation *
+nssPKIXPolicyInformation_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXCertPolicyId *id,
+  NSSPKIXPolicyQualifierInfo *pqi1,
+  ...
+);
+
+/*
+ * nssPKIXPolicyInformation_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyInformation_Destroy
+(
+  NSSPKIXPolicyInformation *pi
+);
+
+/*
+ * nssPKIXPolicyInformation_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXPolicyInformation_Encode
+(
+  NSSPKIXPolicyInformation *pi,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXPolicyInformation_GetPolicyIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid OID upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertPolicyId *
+nssPKIXPolicyInformation_GetPolicyIdentifier
+(
+  NSSPKIXPolicyInformation *pi
+);
+
+/*
+ * nssPKIXPolicyInformation_SetPolicyIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyInformation_SetPolicyIdentifier
+(
+  NSSPKIXPolicyInformation *pi,
+  NSSPKIXCertPolicyIdentifier *cpi
+);
+
+/*
+ * nssPKIXPolicyInformation_GetPolicyQualifierCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXPolicyInformation_GetPolicyQualifierCount
+(
+  NSSPKIXPolicyInformation *pi
+);
+
+/*
+ * nssPKIXPolicyInformation_GetPolicyQualifiers
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXPolicyQualifierInfo pointers
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyQualifierInfo **
+nssPKIXPolicyInformation_GetPolicyQualifiers
+(
+  NSSPKIXPolicyInformation *pi,
+  NSSPKIXPolicyQualifierInfo *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXPolicyInformation_SetPolicyQualifiers
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyInformation_SetPolicyQualifiers
+(
+  NSSPKIXPolicyInformation *pi,
+  NSSPKIXPolicyQualifierInfo *pqi[],
+  PRInt32 count
+);
+
+/*
+ * nssPKIXPolicyInformation_GetPolicyQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyQualifierInfo upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyQualifierInfo *
+nssPKIXPolicyInformation_GetPolicyQualifier
+(
+  NSSPKIXPolicyInformation *pi,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXPolicyInformation_SetPolicyQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyInformation_SetPolicyQualifier
+(
+  NSSPKIXPolicyInformation *pi,
+  PRInt32 i,
+  NSSPKIXPolicyQualifierInfo *pqi
+);
+
+/*
+ * nssPKIXPolicyInformation_InsertPolicyQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyInformation_InsertPolicyQualifier
+(
+  NSSPKIXPolicyInformation *pi,
+  PRInt32 i,
+  NSSPKIXPolicyQualifierInfo *pqi
+);
+
+/*
+ * nssPKIXPolicyInformation_AppendPolicyQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyInformation_AppendPolicyQualifier
+(
+  NSSPKIXPolicyInformation *pi,
+  PRInt32 i,
+  NSSPKIXPolicyQualifierInfo *pqi
+);
+
+/*
+ * nssPKIXPolicyInformation_RemovePolicyQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyInformation_RemovePolicyQualifier
+(
+  NSSPKIXPolicyInformation *pi,
+  PRInt32 i
+);
+
+/*
+ * nssPKIXPolicyInformation_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXPolicyInformation_Equal
+(
+  NSSPKIXPolicyInformation *pi1,
+  NSSPKIXPolicyInformation *pi2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXPolicyInformation_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyInformation upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyInformation *
+nssPKIXPolicyInformation_Duplicate
+(
+  NSSPKIXPolicyInformation *pi,
+  NSSArena *arenaOpt
+);
+
+/*
+ *   { and accessors by specific policy qualifier ID }
+ *
+ */
+
+#ifdef DEBUG
+/*
+ * nssPKIXPolicyInformation_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXPolicyInformation
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_INFORMATION
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyInformation_verifyPointer
+(
+  NSSPKIXPolicyInformation *p
+);
+#endif /* DEBUG */
+
+/*
+ * PolicyQualifierInfo
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PolicyQualifierInfo ::= SEQUENCE {
+ *         policyQualifierId  PolicyQualifierId,
+ *         qualifier        ANY DEFINED BY policyQualifierId }
+ *
+ * The private calls for the type:
+ *
+ *  nssPKIXPolicyQualifierInfo_Decode
+ *  nssPKIXPolicyQualifierInfo_Create
+ *  nssPKIXPolicyQualifierInfo_Destroy
+ *  nssPKIXPolicyQualifierInfo_Encode
+ *  nssPKIXPolicyQualifierInfo_GetPolicyQualifierID
+ *  nssPKIXPolicyQualifierInfo_SetPolicyQualifierID
+ *  nssPKIXPolicyQualifierInfo_GetQualifier
+ *  nssPKIXPolicyQualifierInfo_SetQualifier
+ *  nssPKIXPolicyQualifierInfo_Equal
+ *  nssPKIXPolicyQualifierInfo_Duplicate
+ *    { and accessors by specific qualifier id/type }
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXPolicyQualifierInfo_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXPolicyQualifierInfo_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyQualifierInfo upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyQualifierInfo *
+nssPKIXPolicyQualifierInfo_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXPolicyQualifierInfo_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_ID
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyQualifierInfo upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyQualifierInfo *
+nssPKIXPolicyQualifierInfo_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXPolicyQualifierId *policyQualifierId,
+  NSSItem *qualifier
+);
+
+/*
+ * nssPKIXPolicyQualifierInfo_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyQualifierInfo_Destroy
+(
+  NSSPKIXPolicyQualifierInfo *pqi
+);
+
+/*
+ * nssPKIXPolicyQualifierInfo_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXPolicyQualifierInfo_Encode
+(
+  NSSPKIXPolicyQualifierInfo *pqi,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXPolicyQualifierInfo_GetPolicyQualifierId
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyQualifierId (an NSSOID) upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyQualifierId *
+nssPKIXPolicyQualifierInfo_GetPolicyQualifierId
+(
+  NSSPKIXPolicyQualifierInfo *pqi,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXPolicyQualifierInfo_SetPolicyQualifierId
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_ID
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyQualifierInfo_SetPolicyQualifierId
+(
+  NSSPKIXPolicyQualifierInfo *pqi,
+  NSSPKIXPolicyQualifierId *pqid
+);
+
+/*
+ * nssPKIXPolicyQualifierInfo_GetQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSItem *
+nssPKIXPolicyQualifierInfo_GetQualifier
+(
+  NSSPKIXPolicyQualifierInfo *pqi,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXPolicyQualifierInfo_SetQualifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyQualifierInfo_SetQualifier
+(
+  NSSPKIXPolicyQualifierInfo *pqi,
+  NSSItem *qualifier
+);
+
+/*
+ * nssPKIXPolicyQualifierInfo_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXPolicyQualifierInfo_Equal
+(
+  NSSPKIXPolicyQualifierInfo *pqi1,
+  NSSPKIXPolicyQualifierInfo *pqi2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXPolicyQualifierInfo_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyQualifierInfo upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyQualifierInfo *
+nssPKIXPolicyQualifierInfo_Duplicate
+(
+  NSSPKIXPolicyQualifierInfo *pqi,
+  NSSArena *arenaOpt
+);
+
+/*
+ *   { and accessors by specific qualifier id/type }
+ *
+ */
+#ifdef DEBUG
+/*
+ * nssPKIXPolicyQualifierInfo_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXPolicyQualifierInfo
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_QUALIFIER_INFO
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyQualifierInfo_verifyPointer
+(
+  NSSPKIXPolicyQualifierInfo *p
+);
+#endif /* DEBUG */
+
+/*
+ * CPSuri
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CPSuri ::= IA5String
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXCPSuri_Decode
+ *  nssPKIXCPSuri_CreateFromUTF8
+ *  nssPKIXCPSuri_Encode
+ *
+ */
+
+/*
+ * nssPKIXCPSuri_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCPSuri upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCPSuri *
+nssPKIXCPSuri_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXCPSuri_CreateFromUTF8
+ *
+ * { basically just enforces the length and charset limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCPSuri upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCPSuri *
+nssPKIXCPSuri_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXCPSuri_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CPS_URI
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXCPSuri_Encode
+(
+  NSSPKIXCPSuri *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * UserNotice
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  UserNotice ::= SEQUENCE {
+ *       noticeRef        NoticeReference OPTIONAL,
+ *       explicitText     DisplayText OPTIONAL}
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXUserNotice_Decode
+ *  nssPKIXUserNotice_Create
+ *  nssPKIXUserNotice_Destroy
+ *  nssPKIXUserNotice_Encode
+ *  nssPKIXUserNotice_HasNoticeRef
+ *  nssPKIXUserNotice_GetNoticeRef
+ *  nssPKIXUserNotice_SetNoticeRef
+ *  nssPKIXUserNotice_RemoveNoticeRef
+ *  nssPKIXUserNotice_HasExplicitText
+ *  nssPKIXUserNotice_GetExplicitText
+ *  nssPKIXUserNotice_SetExplicitText
+ *  nssPKIXUserNotice_RemoveExplicitText
+ *  nssPKIXUserNotice_Equal
+ *  nssPKIXUserNotice_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXUserNotice_verifyPointer
+ *
+ */
+
+
+/*
+ * nssPKIXUserNotice_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXUserNotice upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXUserNotice *
+nssPKIXUserNotice_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXUserNotice_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_INVALID_PKIX_DISPLAY_TEXT
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXUserNotice upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXUserNotice *
+nssPKIXUserNotice_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXNoticeReference *noticeRef,
+  NSSPKIXDisplayText *explicitText
+);
+
+/*
+ * nssPKIXUserNotice_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXUserNotice_Destroy
+(
+  NSSPKIXUserNotice *userNotice
+);
+
+/*
+ * nssPKIXUserNotice_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXUserNotice_Encode
+(
+  NSSPKIXUserNotice *userNotice,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXUserNotice_HasNoticeRef
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXUserNotice_HasNoticeRef
+(
+  NSSPKIXUserNotice *userNotice,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXUserNotice_GetNoticeRef
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_HAS_NO_NOTICE_REF
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXNoticeReference upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNoticeReference *
+nssPKIXUserNotice_GetNoticeRef
+(
+  NSSPKIXUserNotice *userNotice,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXUserNotice_SetNoticeRef
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXUserNotice_SetNoticeRef
+(
+  NSSPKIXUserNotice *userNotice,
+  NSSPKIXNoticeReference *noticeRef
+);
+
+/*
+ * nssPKIXUserNotice_RemoveNoticeRef
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ *  NSS_ERROR_HAS_NO_NOTICE_REF
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXUserNotice_RemoveNoticeRef
+(
+  NSSPKIXUserNotice *userNotice
+);
+
+/*
+ * nssPKIXUserNotice_HasExplicitText
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ * 
+ * Return value:
+ *  PR_TRUE if it has some
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXUserNotice_HasExplicitText
+(
+  NSSPKIXUserNotice *userNotice,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXUserNotice_GetExplicitText
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_HAS_NO_EXPLICIT_TEXT
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDisplayText string upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDisplayText *
+nssPKIXUserNotice_GetExplicitText
+(
+  NSSPKIXUserNotice *userNotice,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXUserNotice_SetExplicitText
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ *  NSS_ERROR_INVALID_PKIX_DISPLAY_TEXT
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXUserNotice_SetExplicitText
+(
+  NSSPKIXUserNotice *userNotice,
+  NSSPKIXDisplayText *explicitText
+);
+
+/*
+ * nssPKIXUserNotice_RemoveExplicitText
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ *  NSS_ERROR_HAS_NO_EXPLICIT_TEXT
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXUserNotice_RemoveExplicitText
+(
+  NSSPKIXUserNotice *userNotice
+);
+
+/*
+ * nssPKIXUserNotice_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXUserNotice_Equal
+(
+  NSSPKIXUserNotice *userNotice1,
+  NSSPKIXUserNotice *userNotice2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXUserNotice_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXUserNotice upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXUserNotice *
+nssPKIXUserNotice_Duplicate
+(
+  NSSPKIXUserNotice *userNotice,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXUserNotice_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXUserNotice
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_USER_NOTICE
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXUserNotice_verifyPointer
+(
+  NSSPKIXUserNotice *p
+);
+#endif /* DEBUG */
+
+/*
+ * NoticeReference
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  NoticeReference ::= SEQUENCE {
+ *       organization     DisplayText,
+ *       noticeNumbers    SEQUENCE OF INTEGER }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXNoticeReference_Decode
+ *  nssPKIXNoticeReference_Create
+ *  nssPKIXNoticeReference_Destroy
+ *  nssPKIXNoticeReference_Encode
+ *  nssPKIXNoticeReference_GetOrganization
+ *  nssPKIXNoticeReference_SetOrganization
+ *  nssPKIXNoticeReference_GetNoticeNumberCount
+ *  nssPKIXNoticeReference_GetNoticeNumbers
+ *  nssPKIXNoticeReference_SetNoticeNumbers
+ *  nssPKIXNoticeReference_GetNoticeNumber
+ *  nssPKIXNoticeReference_SetNoticeNumber
+ *  nssPKIXNoticeReference_InsertNoticeNumber
+ *  nssPKIXNoticeReference_AppendNoticeNumber
+ *  nssPKIXNoticeReference_RemoveNoticeNumber
+ *    { maybe number-exists-p gettor? }
+ *  nssPKIXNoticeReference_Equal
+ *  nssPKIXNoticeReference_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXNoticeReference_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXNoticeReference_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXNoticeReference upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNoticeReference *
+nssPKIXNoticeReference_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXNoticeReference_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_DISPLAY_TEXT
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXNoticeReference upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNoticeReference *
+nssPKIXNoticeReference_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXDisplayText *organization,
+  PRUint32 noticeCount,
+  PRInt32 noticeNumber1,
+  ...
+);
+
+/*
+ * { fgmr -- or should the call that takes PRInt32 be _CreateFromValues,
+ *  and the _Create call take NSSBER integers? }
+ */
+
+/*
+ * nssPKIXNoticeReference_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXNoticeReference_Destroy
+(
+  NSSPKIXNoticeReference *nr
+);
+
+/*
+ * nssPKIXNoticeReference_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXNoticeReference_Encode
+(
+  NSSPKIXNoticeReference *nr,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXNoticeReference_GetOrganization
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDisplayText string upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDisplayText *
+nssPKIXNoticeReference_GetOrganization
+(
+  NSSPKIXNoticeReference *nr,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXNoticeReference_SetOrganization
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_INVALID_PKIX_DISPLAY_TEXT
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXNoticeReference_SetOrganization
+(
+  NSSPKIXNoticeReference *nr,
+  NSSPKIXDisplayText *organization
+);
+
+/*
+ * nssPKIXNoticeReference_GetNoticeNumberCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXNoticeReference_GetNoticeNumberCount
+(
+  NSSPKIXNoticeReference *nr
+);
+
+/*
+ * nssPKIXNoticeReference_GetNoticeNumbers
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ * 
+ * Return value:
+ *  A valid pointer to an array of PRInt32 values upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN PRInt32 *
+nssPKIXNoticeReference_GetNoticeNumbers
+(
+  NSSPKIXNoticeReference *nr,
+  PRInt32 rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXNoticeReference_SetNoticeNumbers
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXNoticeReference_SetNoticeNumbers
+(
+  NSSPKIXNoticeReference *nr,
+  PRInt32 noticeNumbers[],
+  PRInt32 count
+);
+
+/*
+ * nssPKIXNoticeReference_GetNoticeNumber
+ *
+ * -- fgmr comments --
+ * Because there is no natural "invalid" notice number value, we must
+ * pass the number by reference, and return an explicit status value.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_INVALID_POINTER
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXNoticeReference_GetNoticeNumber
+(
+  NSSPKIXNoticeReference *nr,
+  PRInt32 i,
+  PRInt32 *noticeNumberP
+);
+  
+/*
+ * nssPKIXNoticeReference_SetNoticeNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXNoticeReference_SetNoticeNumber
+(
+  NSSPKIXNoticeReference *nr,
+  PRInt32 i,
+  PRInt32 noticeNumber
+);
+
+/*
+ * nssPKIXNoticeReference_InsertNoticeNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXNoticeReference_InsertNoticeNumber
+(
+  NSSPKIXNoticeReference *nr,
+  PRInt32 i,
+  PRInt32 noticeNumber
+);
+
+/*
+ * nssPKIXNoticeReference_AppendNoticeNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXNoticeReference_AppendNoticeNumber
+(
+  NSSPKIXNoticeReference *nr,
+  PRInt32 noticeNumber
+);
+
+/*
+ * nssPKIXNoticeReference_RemoveNoticeNumber
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXNoticeReference_RemoveNoticeNumber
+(
+  NSSPKIXNoticeReference *nr,
+  PRInt32 i
+);
+
+/*
+ *   { maybe number-exists-p gettor? }
+ */
+
+/*
+ * nssPKIXNoticeReference_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXNoticeReference_Equal
+(
+  NSSPKIXNoticeReference *nr1,
+  NSSPKIXNoticeReference *nr2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXNoticeReference_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXNoticeReference upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNoticeReference *
+nssPKIXNoticeReference_Duplicate
+(
+  NSSPKIXNoticeReference *nr,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXNoticeReference_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXNoticeReference
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NOTICE_REFERENCE
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXNoticeReference_verifyPointer
+(
+  NSSPKIXNoticeReference *p
+);
+#endif /* DEBUG */
+
+/*
+ * DisplayText
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  DisplayText ::= CHOICE {
+ *       visibleString    VisibleString  (SIZE (1..200)),
+ *       bmpString        BMPString      (SIZE (1..200)),
+ *       utf8String       UTF8String     (SIZE (1..200)) }
+ * 
+ * The private calls for this type:
+ *
+ *  nssPKIXDisplayText_Decode
+ *  nssPKIXDisplayText_CreateFromUTF8
+ *  nssPKIXDisplayText_Encode
+ *
+ */
+
+/*
+ * nssPKIXDisplayText_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDisplayText upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDisplayText *
+nssPKIXDisplayText_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXDisplayText_CreateFromUTF8
+ *
+ * { basically just enforces the length and charset limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDisplayText upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDisplayText *
+nssPKIXDisplayText_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXDisplayText_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISPLAY_TEXT
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXDisplayText_Encode
+(
+  NSSPKIXDisplayText *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * PolicyMappings
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ *       issuerDomainPolicy      CertPolicyId,
+ *       subjectDomainPolicy     CertPolicyId }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXPolicyMappings_Decode
+ *  nssPKIXPolicyMappings_Create
+ *  nssPKIXPolicyMappings_Destroy
+ *  nssPKIXPolicyMappings_Encode
+ *  nssPKIXPolicyMappings_GetPolicyMappingCount
+ *  nssPKIXPolicyMappings_GetPolicyMappings
+ *  nssPKIXPolicyMappings_SetPolicyMappings
+ *  nssPKIXPolicyMappings_GetPolicyMapping
+ *  nssPKIXPolicyMappings_SetPolicyMapping
+ *  nssPKIXPolicyMappings_InsertPolicyMapping
+ *  nssPKIXPolicyMappings_AppendPolicyMapping
+ *  nssPKIXPolicyMappings_RemovePolicyMapping
+ *  nssPKIXPolicyMappings_FindPolicyMapping
+ *  nssPKIXPolicyMappings_Equal
+ *  nssPKIXPolicyMappings_Duplicate
+ *  nssPKIXPolicyMappings_IssuerDomainPolicyExists
+ *  nssPKIXPolicyMappings_SubjectDomainPolicyExists
+ *  nssPKIXPolicyMappings_FindIssuerDomainPolicy
+ *  nssPKIXPolicyMappings_FindSubjectDomainPolicy
+ *  nssPKIXPolicyMappings_MapIssuerToSubject
+ *  nssPKIXPolicyMappings_MapSubjectToIssuer
+ *    { find's and map's: what if there's more than one? }
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXPolicyMappings_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXPolicyMappings_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyMappings upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyMappings *
+nssPKIXPolicyMappings_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXPolicyMappings_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyMappings upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyMappings *
+nssPKIXPolicyMappings_Decode
+(
+  NSSArena *arenaOpt,
+  NSSPKIXpolicyMapping *policyMapping1,
+  ...
+);
+
+/*
+ * nssPKIXPolicyMappings_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyMappings_Destroy
+(
+  NSSPKIXPolicyMappings *policyMappings
+);
+
+/*
+ * nssPKIXPolicyMappings_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_DATA
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXPolicyMappings_Encode
+(
+  NSSPKIXPolicyMappings *policyMappings,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXPolicyMappings_GetPolicyMappingCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXPolicyMappings_GetPolicyMappingCount
+(
+  NSSPKIXPolicyMappings *policyMappings
+);
+
+/*
+ * nssPKIXPolicyMappings_GetPolicyMappings
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ * 
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXpolicyMapping pointers upon
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXpolicyMapping **
+nssPKIXPolicyMappings_GetPolicyMappings
+(
+  NSSPKIXPolicyMappings *policyMappings
+  NSSPKIXpolicyMapping *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXPolicyMappings_SetPolicyMappings
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyMappings_SetPolicyMappings
+(
+  NSSPKIXPolicyMappings *policyMappings
+  NSSPKIXpolicyMapping *policyMapping[]
+  PRInt32 count
+);
+
+/*
+ * nssPKIXPolicyMappings_GetPolicyMapping
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXpolicyMapping upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXpolicyMapping *
+nssPKIXPolicyMappings_GetPolicyMapping
+(
+  NSSPKIXPolicyMappings *policyMappings
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXPolicyMappings_SetPolicyMapping
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyMappings_SetPolicyMapping
+(
+  NSSPKIXPolicyMappings *policyMappings
+  PRInt32 i,
+  NSSPKIXpolicyMapping *policyMapping
+);
+
+/*
+ * nssPKIXPolicyMappings_InsertPolicyMapping
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyMappings_InsertPolicyMapping
+(
+  NSSPKIXPolicyMappings *policyMappings
+  PRInt32 i,
+  NSSPKIXpolicyMapping *policyMapping
+);
+
+/*
+ * nssPKIXPolicyMappings_AppendPolicyMapping
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyMappings_AppendPolicyMapping
+(
+  NSSPKIXPolicyMappings *policyMappings
+  NSSPKIXpolicyMapping *policyMapping
+);
+
+/*
+ * nssPKIXPolicyMappings_RemovePolicyMapping
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyMappings_RemovePolicyMapping
+(
+  NSSPKIXPolicyMappings *policyMappings
+  PRInt32 i
+);
+
+/*
+ * nssPKIXPolicyMappings_FindPolicyMapping
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  The index of the specified policy mapping upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXPolicyMappings_FindPolicyMapping
+(
+  NSSPKIXPolicyMappings *policyMappings
+  NSSPKIXpolicyMapping *policyMapping
+);
+
+/*
+ * nssPKIXPolicyMappings_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXPolicyMappings_Equal
+(
+  NSSPKIXPolicyMappings *policyMappings1,
+  NSSPKIXpolicyMappings *policyMappings2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXPolicyMappings_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyMappings upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyMappings *
+nssPKIXPolicyMappings_Duplicate
+(
+  NSSPKIXPolicyMappings *policyMappings,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXPolicyMappings_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXPolicyMappings
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyMappings_verifyPointer
+(
+  NSSPKIXPolicyMappings *p
+);
+#endif /* DEBUG */
+
+/*
+ * nssPKIXPolicyMappings_IssuerDomainPolicyExists
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
+ * 
+ * Return value:
+ *  PR_TRUE if the specified domain policy OID exists
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXPolicyMappings_IssuerDomainPolicyExists
+(
+  NSSPKIXPolicyMappings *policyMappings,
+  NSSPKIXCertPolicyId *issuerDomainPolicy,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXPolicyMappings_SubjectDomainPolicyExists
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
+ * 
+ * Return value:
+ *  PR_TRUE if the specified domain policy OID exists
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXPolicyMappings_SubjectDomainPolicyExists
+(
+  NSSPKIXPolicyMappings *policyMappings,
+  NSSPKIXCertPolicyId *subjectDomainPolicy,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXPolicyMappings_FindIssuerDomainPolicy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  The index of the specified policy mapping upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXPolicyMappings_FindIssuerDomainPolicy
+(
+  NSSPKIXPolicyMappings *policyMappings,
+  NSSPKIXCertPolicyId *issuerDomainPolicy
+);
+
+/*
+ * nssPKIXPolicyMappings_FindSubjectDomainPolicy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  The index of the specified policy mapping upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXPolicyMappings_FindSubjectDomainPolicy
+(
+  NSSPKIXPolicyMappings *policyMappings,
+  NSSPKIXCertPolicyId *issuerDomainPolicy
+);
+
+/*
+ * nssPKIXPolicyMappings_MapIssuerToSubject
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
+ *  NSS_ERROR_NOT_FOUND
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertPolicyId upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertPolicyId *
+nssPKIXPolicyMappings_MapIssuerToSubject
+(
+  NSSPKIXPolicyMappings *policyMappings,
+  NSSPKIXCertPolicyId *issuerDomainPolicy
+);
+
+/*
+ * nssPKIXPolicyMappings_MapSubjectToIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPINGS
+ *  NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
+ *  NSS_ERROR_NOT_FOUND
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertPolicyId upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCertPolicyId *
+nssPKIXPolicyMappings_MapSubjectToIssuer
+(
+  NSSPKIXPolicyMappings *policyMappings,
+  NSSPKIXCertPolicyId *issuerDomainPolicy
+);
+
+/*
+ * policyMapping
+ *
+ * Helper structure for PolicyMappings
+ *
+ *                                               SEQUENCE {
+ *       issuerDomainPolicy      CertPolicyId,
+ *       subjectDomainPolicy     CertPolicyId }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXpolicyMapping_Decode
+ *  nssPKIXpolicyMapping_Create
+ *  nssPKIXpolicyMapping_Destroy
+ *  nssPKIXpolicyMapping_Encode
+ *  nssPKIXpolicyMapping_GetIssuerDomainPolicy
+ *  nssPKIXpolicyMapping_SetIssuerDomainPolicy
+ *  nssPKIXpolicyMapping_GetSubjectDomainPolicy
+ *  nssPKIXpolicyMapping_SetSubjectDomainPolicy
+ *  nssPKIXpolicyMapping_Equal
+ *  nssPKIXpolicyMapping_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXpolicyMapping_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXpolicyMapping_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXpolicyMapping upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXpolicyMapping *
+nssPKIXpolicyMapping_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXpolicyMapping_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXpolicyMapping upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXpolicyMapping *
+nssPKIXpolicyMapping_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXCertPolicyId *issuerDomainPolicy,
+  NSSPKIXCertPolicyId *subjectDomainPolicy
+);
+
+/*
+ * nssPKIXpolicyMapping_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXpolicyMapping_Destroy
+(
+  NSSPKIXpolicyMapping *policyMapping
+);
+
+/*
+ * nssPKIXpolicyMapping_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_DATA
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXpolicyMapping_Encode
+(
+  NSSPKIXpolicyMapping *policyMapping,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXpolicyMapping_GetIssuerDomainPolicy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertPolicyId OID upon success
+ *  NULL upon faliure
+ */
+
+NSS_EXTERN NSSPKIXCertPolicyId *
+nssPKIXpolicyMapping_GetIssuerDomainPolicy
+(
+  NSSPKIXpolicyMapping *policyMapping
+);
+
+/*
+ * nssPKIXpolicyMapping_SetIssuerDomainPolicy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *  NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXpolicyMapping_SetIssuerDomainPolicy
+(
+  NSSPKIXpolicyMapping *policyMapping,
+  NSSPKIXCertPolicyId *issuerDomainPolicy
+);
+
+/*
+ * nssPKIXpolicyMapping_GetSubjectDomainPolicy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCertPolicyId OID upon success
+ *  NULL upon faliure
+ */
+
+NSS_EXTERN NSSPKIXCertPolicyId *
+nssPKIXpolicyMapping_GetSubjectDomainPolicy
+(
+  NSSPKIXpolicyMapping *policyMapping
+);
+
+/*
+ * nssPKIXpolicyMapping_SetSubjectDomainPolicy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *  NSS_ERROR_INVALID_PKIX_CERT_POLICY_ID
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXpolicyMapping_SetSubjectDomainPolicy
+(
+  NSSPKIXpolicyMapping *policyMapping,
+  NSSPKIXCertPolicyId *subjectDomainPolicy
+);
+
+/*
+ * nssPKIXpolicyMapping_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXpolicyMapping_Equal
+(
+  NSSPKIXpolicyMapping *policyMapping1,
+  NSSPKIXpolicyMapping *policyMapping2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXpolicyMapping_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXpolicyMapping upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXpolicyMapping *
+nssPKIXpolicyMapping_Duplicate
+(
+  NSSPKIXpolicyMapping *policyMapping,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXpolicyMapping_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXpolicyMapping
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_MAPPING
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXpolicyMapping_verifyPointer
+(
+  NSSPKIXpolicyMapping *p
+);
+#endif /* DEBUG */
+
+/*
+ * GeneralName
+ *
+ * This structure contains a union of the possible general names,
+ * of which there are several.
+ *
+ * From RFC 2459:
+ *
+ *  GeneralName ::= CHOICE {
+ *       otherName                       [0]     AnotherName,
+ *       rfc822Name                      [1]     IA5String,
+ *       dNSName                         [2]     IA5String,
+ *       x400Address                     [3]     ORAddress,
+ *       directoryName                   [4]     Name,
+ *       ediPartyName                    [5]     EDIPartyName,
+ *       uniformResourceIdentifier       [6]     IA5String,
+ *       iPAddress                       [7]     OCTET STRING,
+ *       registeredID                    [8]     OBJECT IDENTIFIER }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXGeneralName_Decode
+ *  nssPKIXGeneralName_CreateFromUTF8
+ *  nssPKIXGeneralName_Create
+ *  nssPKIXGeneralName_CreateFromOtherName
+ *  nssPKIXGeneralName_CreateFromRfc822Name
+ *  nssPKIXGeneralName_CreateFromDNSName
+ *  nssPKIXGeneralName_CreateFromX400Address
+ *  nssPKIXGeneralName_CreateFromDirectoryName
+ *  nssPKIXGeneralName_CreateFromEDIPartyName
+ *  nssPKIXGeneralName_CreateFromUniformResourceIdentifier
+ *  nssPKIXGeneralName_CreateFromIPAddress
+ *  nssPKIXGeneralName_CreateFromRegisteredID
+ *  nssPKIXGeneralName_Destroy
+ *  nssPKIXGeneralName_Encode
+ *  nssPKIXGeneralName_GetUTF8Encoding
+ *  nssPKIXGeneralName_GetChoice
+ *  nssPKIXGeneralName_GetOtherName
+ *  nssPKIXGeneralName_GetRfc822Name
+ *  nssPKIXGeneralName_GetDNSName
+ *  nssPKIXGeneralName_GetX400Address
+ *  nssPKIXGeneralName_GetDirectoryName
+ *  nssPKIXGeneralName_GetEDIPartyName
+ *  nssPKIXGeneralName_GetUniformResourceIdentifier
+ *  nssPKIXGeneralName_GetIPAddress
+ *  nssPKIXGeneralName_GetRegisteredID
+ *  nssPKIXGeneralName_GetSpecifiedChoice
+ *  nssPKIXGeneralName_Equal
+ *  nssPKIXGeneralName_Duplicate
+ *  (in pki1 I had specific attribute value gettors here too)
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXGeneralName_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXGeneralName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+nssPKIXGeneralName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXGeneralName_CreateFromUTF8
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+nssPKIXGeneralName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+);
+
+/*
+ * nssPKIXGeneralName_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME_CHOICE
+ *  NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
+ *  NSS_ERROR_INVALID_PKIX_IA5_STRING
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_INVALID_OID
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+nssPKIXGeneralName_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXGeneralNameChoice choice,
+  void *content
+);
+
+/*
+ * nssPKIXGeneralName_CreateFromOtherName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+nssPKIXGeneralName_CreateFromOtherName
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAnotherName *otherName
+);
+
+/*
+ * nssPKIXGeneralName_CreateFromRfc822Name
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_IA5_STRING
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+nssPKIXGeneralName_CreateFromRfc822Name
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *rfc822Name
+);
+
+/*
+ * nssPKIXGeneralName_CreateFromDNSName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_IA5_STRING
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+nssPKIXGeneralName_CreateFromDNSName
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *dNSName
+);
+
+/*
+ * nssPKIXGeneralName_CreateFromX400Address
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_OR_ADDRESS
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+nssPKIXGeneralName_CreateFromX400Address
+(
+  NSSArena *arenaOpt,
+  NSSPKIXORAddress *x400Address
+);
+
+/*
+ * nssPKIXGeneralName_CreateFromDirectoryName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+nssPKIXGeneralName_CreateFromDirectoryName
+(
+  NSSArena *arenaOpt,
+  NSSPKIXName *directoryName
+);
+
+/*
+ * nssPKIXGeneralName_CreateFromEDIPartyName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+nssPKIXGeneralName_CreateFromEDIPartyName
+(
+  NSSArena *arenaOpt,
+  NSSPKIXEDIPartyName *ediPartyname
+);
+
+/*
+ * nssPKIXGeneralName_CreateFromUniformResourceIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_IA5_STRING
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+nssPKIXGeneralName_CreateFromUniformResourceIdentifier
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *uniformResourceIdentifier
+);
+
+/*
+ * nssPKIXGeneralName_CreateFromIPAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ITEM
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+nssPKIXGeneralName_CreateFromIPAddress
+(
+  NSSArena *arenaOpt,
+  NSSItem *iPAddress
+);
+
+/*
+ * nssPKIXGeneralName_CreateFromRegisteredID
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+nssPKIXGeneralName_CreateFromRegisteredID
+(
+  NSSArena *arenaOpt,
+  NSSOID *registeredID
+);
+
+/*
+ * nssPKIXGeneralName_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXGeneralName_Destroy
+(
+  NSSPKIXGeneralName *generalName
+);
+
+/*
+ * nssPKIXGeneralName_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXGeneralName_Encode
+(
+  NSSPKIXGeneralName *generalName,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXGeneralName_GetUTF8Encoding
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXGeneralName_GetUTF8Encoding
+(
+  NSSPKIXGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXGeneralName_GetChoice
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ * 
+ * Return value:
+ *  A valid NSSPKIXGeneralNameChoice value upon success
+ *  NSSPKIXGeneralNameChoice_NSSinvalid upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralNameChoice
+nssPKIXGeneralName_GetChoice
+(
+  NSSPKIXGeneralName *generalName
+);
+
+/*
+ * nssPKIXGeneralName_GetOtherName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAnotherName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAnotherName *
+nssPKIXGeneralName_GetOtherName
+(
+  NSSPKIXGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXGeneralName_GetRfc822Name
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXGeneralName_GetRfc822Name
+(
+  NSSPKIXGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXGeneralName_GetDNSName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXGeneralName_GetDNSName
+(
+  NSSPKIXGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXGeneralName_GetX400Address
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXORAddress upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXORAddress *
+nssPKIXGeneralName_GetX400Address
+(
+  NSSPKIXGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXGeneralName_GetDirectoryName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXName *
+nssPKIXGeneralName_GetDirectoryName
+(
+  NSSPKIXGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXGeneralName_GetEDIPartyName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXEDIPartyName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXEDIPartyName *
+nssPKIXGeneralName_GetEDIPartyName
+(
+  NSSPKIXGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXGeneralName_GetUniformResourceIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSUTF8 upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXGeneralName_GetUniformResourceIdentifier
+(
+  NSSPKIXGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXGeneralName_GetIPAddress
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSItem *
+nssPKIXGeneralName_GetIPAddress
+(
+  NSSPKIXGeneralName *generalName,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXGeneralName_GetRegisteredID
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSOID upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSOID *
+nssPKIXGeneralName_GetRegisteredID
+(
+  NSSPKIXGeneralName *generalName
+);
+
+/*
+ * nssPKIXGeneralName_GetSpecifiedChoice
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME_CHOICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN void *
+nssPKIXGeneralName_GetSpecifiedChoice
+(
+  NSSPKIXGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXGeneralName_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXGeneralName_Equal
+(
+  NSSPKIXGeneralName *generalName1,
+  NSSPKIXGeneralName *generalName2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXGeneralName_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+nssPKIXGeneralName_Duplicate
+(
+  NSSPKIXGeneralName *generalName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * (in pki1 I had specific attribute value gettors here too)
+ *
+ */
+
+#ifdef DEBUG
+/*
+ * nssPKIXGeneralName_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXGeneralName
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXGeneralName_verifyPointer
+(
+  NSSPKIXGeneralName *p
+);
+#endif /* DEBUG */
+
+/*
+ * GeneralNames
+ *
+ * This structure contains a sequence of GeneralName objects.
+ *
+ * From RFC 2459:
+ *
+ *  GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXGeneralNames_Decode
+ *  nssPKIXGeneralNames_Create
+ *  nssPKIXGeneralNames_Destroy
+ *  nssPKIXGeneralNames_Encode
+ *  nssPKIXGeneralNames_GetGeneralNameCount
+ *  nssPKIXGeneralNames_GetGeneralNames
+ *  nssPKIXGeneralNames_SetGeneralNames
+ *  nssPKIXGeneralNames_GetGeneralName
+ *  nssPKIXGeneralNames_SetGeneralName
+ *  nssPKIXGeneralNames_InsertGeneralName
+ *  nssPKIXGeneralNames_AppendGeneralName
+ *  nssPKIXGeneralNames_RemoveGeneralName
+ *  nssPKIXGeneralNames_FindGeneralName
+ *  nssPKIXGeneralNames_Equal
+ *  nssPKIXGeneralNames_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXGeneralNames_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXGeneralNames_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralNames *
+nssPKIXGeneralNames_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXGeneralNames_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralNames *
+nssPKIXGeneralNames_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXGeneralName *generalName1,
+  ...
+);
+
+/*
+ * nssPKIXGeneralNames_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXGeneralNames_Destroy
+(
+  NSSPKIXGeneralNames *generalNames
+);
+
+/*
+ * nssPKIXGeneralNames_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXGeneralNames_Encode
+(
+  NSSPKIXGeneralNames *generalNames,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXGeneralNames_GetGeneralNameCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXGeneralNames_GetGeneralNameCount
+(
+  NSSPKIXGeneralNames *generalNames
+);
+
+/*
+ * nssPKIXGeneralNames_GetGeneralNames
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ * 
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXGeneralName pointers upon
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName **
+nssPKIXGeneralNames_GetGeneralNames
+(
+  NSSPKIXGeneralNames *generalNames,
+  NSSPKIXGeneralName *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXGeneralNames_SetGeneralNames
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXGeneralNames_SetGeneralNames
+(
+  NSSPKIXGeneralNames *generalNames,
+  NSSPKIXGeneralName *generalName[],
+  PRInt32 count
+);
+
+/*
+ * nssPKIXGeneralNames_GetGeneralName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+nssPKIXGeneralNames_GetGeneralName
+(
+  NSSPKIXGeneralNames *generalNames,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXGeneralNames_SetGeneralName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXGeneralNames_SetGeneralName
+(
+  NSSPKIXGeneralNames *generalNames,
+  PRInt32 i,
+  NSSPKIXGeneralName *generalName
+);
+
+/*
+ * nssPKIXGeneralNames_InsertGeneralName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXGeneralNames_InsertGeneralName
+(
+  NSSPKIXGeneralNames *generalNames,
+  PRInt32 i,
+  NSSPKIXGeneralName *generalName
+);
+
+/*
+ * nssPKIXGeneralNames_AppendGeneralName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXGeneralNames_AppendGeneralName
+(
+  NSSPKIXGeneralNames *generalNames,
+  NSSPKIXGeneralName *generalName
+);
+
+/*
+ * nssPKIXGeneralNames_RemoveGeneralName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXGeneralNames_RemoveGeneralName
+(
+  NSSPKIXGeneralNames *generalNames,
+  PRInt32 i
+);
+
+/*
+ * nssPKIXGeneralNames_FindGeneralName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  The index of the specified policy mapping upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXGeneralNames_FindGeneralName
+(
+  NSSPKIXGeneralNames *generalNames,
+  NSSPKIXGeneralName *generalName
+);
+
+/*
+ * nssPKIXGeneralNames_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXGeneralNames_Equal
+(
+  NSSPKIXGeneralNames *generalNames1,
+  NSSPKIXGeneralNames *generalNames2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXGeneralNames_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralNames *
+nssPKIXGeneralNames_Duplicate
+(
+  NSSPKIXGeneralNames *generalNames,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXGeneralNames_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXGeneralNames
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXGeneralNames_verifyPointer
+(
+  NSSPKIXGeneralNames *p
+);
+#endif /* DEBUG */
+
+/*
+ * AnotherName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  AnotherName ::= SEQUENCE {
+ *       type-id    OBJECT IDENTIFIER,
+ *       value      [0] EXPLICIT ANY DEFINED BY type-id }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXAnotherName_Decode
+ *  nssPKIXAnotherName_Create
+ *  nssPKIXAnotherName_Destroy
+ *  nssPKIXAnotherName_Encode
+ *  nssPKIXAnotherName_GetTypeId
+ *  nssPKIXAnotherName_SetTypeId
+ *  nssPKIXAnotherName_GetValue
+ *  nssPKIXAnotherName_SetValue
+ *  nssPKIXAnotherName_Equal
+ *  nssPKIXAnotherName_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXAnotherName_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXAnotherName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAnotherName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAnotherName *
+nssPKIXAnotherName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXAnotherName_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_ITEM
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAnotherName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAnotherName *
+nssPKIXAnotherName_Create
+(
+  NSSArena *arenaOpt,
+  NSSOID *typeId,
+  NSSItem *value
+);
+
+/*
+ * nssPKIXAnotherName_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAnotherName_Destroy
+(
+  NSSPKIXAnotherName *anotherName
+);
+
+/*
+ * nssPKIXAnotherName_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXAnotherName_Encode
+(
+  NSSPKIXAnotherName *anotherName,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXAnotherName_GetTypeId
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSOID upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSOID *
+nssPKIXAnotherName_GetTypeId
+(
+  NSSPKIXAnotherName *anotherName
+);
+
+/*
+ * nssPKIXAnotherName_SetTypeId
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAnotherName_SetTypeId
+(
+  NSSPKIXAnotherName *anotherName,
+  NSSOID *typeId
+);
+
+/*
+ * nssPKIXAnotherName_GetValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSItem *
+nssPKIXAnotherName_GetValue
+(
+  NSSPKIXAnotherName *anotherName,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXAnotherName_SetValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ITEM
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAnotherName_SetValue
+(
+  NSSPKIXAnotherName *anotherName,
+  NSSItem *value
+);
+
+/*
+ * nssPKIXAnotherName_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXAnotherName_Equal
+(
+  NSSPKIXAnotherName *anotherName1,
+  NSSPKIXAnotherName *anotherName2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXAnotherName_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAnotherName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAnotherName *
+nssPKIXAnotherName_Duplicate
+(
+  NSSPKIXAnotherName *anotherName,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXAnotherName_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXAnotherName
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ANOTHER_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAnotherName_verifyPointer
+(
+  NSSPKIXAnotherName *p
+);
+#endif /* DEBUG */
+
+/*
+ * EDIPartyName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *
+ *  EDIPartyName ::= SEQUENCE {
+ *       nameAssigner            [0]     DirectoryString OPTIONAL,
+ *       partyName               [1]     DirectoryString }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXEDIPartyName_Decode
+ *  nssPKIXEDIPartyName_Create
+ *  nssPKIXEDIPartyName_Destroy
+ *  nssPKIXEDIPartyName_Encode
+ *  nssPKIXEDIPartyName_HasNameAssigner
+ *  nssPKIXEDIPartyName_GetNameAssigner
+ *  nssPKIXEDIPartyName_SetNameAssigner
+ *  nssPKIXEDIPartyName_RemoveNameAssigner
+ *  nssPKIXEDIPartyName_GetPartyName
+ *  nssPKIXEDIPartyName_SetPartyName
+ *  nssPKIXEDIPartyName_Equal
+ *  nssPKIXEDIPartyName_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXEDIPartyName_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXEDIPartyName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXEDIPartyName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXEDIPartyName *
+nssPKIXEDIPartyName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXEDIPartyName_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXEDIPartyName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXEDIPartyName *
+nssPKIXEDIPartyName_Create
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *nameAssignerOpt,
+  NSSUTF8 *partyName
+);
+
+/*
+ * nssPKIXEDIPartyName_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXEDIPartyName_Destroy
+(
+  NSSPKIXEDIPartyName *ediPartyName
+);
+
+/*
+ * nssPKIXEDIPartyName_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXEDIPartyName_Encode
+(
+  NSSPKIXEDIPartyName *ediPartyName,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXEDIPartyName_HasNameAssigner
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXEDIPartyName_HasNameAssigner
+(
+  NSSPKIXEDIPartyName *ediPartyName
+);
+
+/*
+ * nssPKIXEDIPartyName_GetNameAssigner
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_HAS_NO_NAME_ASSIGNER
+ * 
+ * Return value:
+ *  A valid pointer to an NSSUTF8 string upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXEDIPartyName_GetNameAssigner
+(
+  NSSPKIXEDIPartyName *ediPartyName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXEDIPartyName_SetNameAssigner
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_STRING
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXEDIPartyName_SetNameAssigner
+(
+  NSSPKIXEDIPartyName *ediPartyName,
+  NSSUTF8 *nameAssigner
+);
+
+/*
+ * nssPKIXEDIPartyName_RemoveNameAssigner
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ *  NSS_ERROR_HAS_NO_NAME_ASSIGNER
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXEDIPartyName_RemoveNameAssigner
+(
+  NSSPKIXEDIPartyName *ediPartyName
+);
+
+/*
+ * nssPKIXEDIPartyName_GetPartyName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSUTF8 string upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSUTF8 *
+nssPKIXEDIPartyName_GetPartyName
+(
+  NSSPKIXEDIPartyName *ediPartyName,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXEDIPartyName_SetPartyName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_STRING
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXEDIPartyName_SetPartyName
+(
+  NSSPKIXEDIPartyName *ediPartyName,
+  NSSUTF8 *partyName
+);
+
+/*
+ * nssPKIXEDIPartyName_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXEDIPartyName_Equal
+(
+  NSSPKIXEDIPartyName *ediPartyName1,
+  NSSPKIXEDIPartyName *ediPartyName2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXEDIPartyName_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXEDIPartyName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXEDIPartyName *
+nssPKIXEDIPartyName_Duplicate
+(
+  NSSPKIXEDIPartyName *ediPartyName,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXEDIPartyName_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXEDIPartyName
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EDI_PARTY_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXEDIPartyName_verifyPointer
+(
+  NSSPKIXEDIPartyName *p
+);
+#endif /* DEBUG */
+
+/*
+ * SubjectDirectoryAttributes
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXSubjectDirectoryAttributes_Decode
+ *  nssPKIXSubjectDirectoryAttributes_Create
+ *  nssPKIXSubjectDirectoryAttributes_Destroy
+ *  nssPKIXSubjectDirectoryAttributes_Encode
+ *  nssPKIXSubjectDirectoryAttributes_GetAttributeCount
+ *  nssPKIXSubjectDirectoryAttributes_GetAttributes
+ *  nssPKIXSubjectDirectoryAttributes_SetAttributes
+ *  nssPKIXSubjectDirectoryAttributes_GetAttribute
+ *  nssPKIXSubjectDirectoryAttributes_SetAttribute
+ *  nssPKIXSubjectDirectoryAttributes_InsertAttribute
+ *  nssPKIXSubjectDirectoryAttributes_AppendAttribute
+ *  nssPKIXSubjectDirectoryAttributes_RemoveAttribute
+ *  nssPKIXSubjectDirectoryAttributes_FindAttribute
+ *  nssPKIXSubjectDirectoryAttributes_Equal
+ *  nssPKIXSubjectDirectoryAttributes_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXSubjectDirectoryAttributes_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXSubjectDirectoryAttributes_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXSubjectDirectoryAttributes upon 
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXSubjectDirectoryAttributes *
+nssPKIXSubjectDirectoryAttributes_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXSubjectDirectoryAttributes_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXSubjectDirectoryAttributes upon 
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXSubjectDirectoryAttributes *
+nssPKIXSubjectDirectoryAttributes_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAttribute *attribute1,
+  ...
+);
+
+/*
+ * nssPKIXSubjectDirectoryAttributes_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXSubjectDirectoryAttributes_Destroy
+(
+  NSSPKIXSubjectDirectoryAttributes *sda
+);
+
+/*
+ * nssPKIXSubjectDirectoryAttributes_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXSubjectDirectoryAttributes_Encode
+(
+  NSSPKIXSubjectDirectoryAttributes *sda,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXSubjectDirectoryAttributes_GetAttributeCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXSubjectDirectoryAttributes_GetAttributeCount
+(
+  NSSPKIXSubjectDirectoryAttributes *sda
+);
+
+/*
+ * nssPKIXSubjectDirectoryAttributes_GetAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ * 
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXAttribute pointers upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAttribute **
+nssPKIXSubjectDirectoryAttributes_GetAttributes
+(
+  NSSPKIXSubjectDirectoryAttributes *sda,
+  NSSPKIXAttribute *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXSubjectDirectoryAttributes_SetAttributes
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXSubjectDirectoryAttributes_SetAttributes
+(
+  NSSPKIXSubjectDirectoryAttributes *sda,
+  NSSAttribute *attributes[],
+  PRInt32 count
+);
+
+/*
+ * nssPKIXSubjectDirectoryAttributes_GetAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttribute upon success
+ *  NULL upon error
+ */
+
+NSS_EXTERN NSSPKIXAttribute *
+nssPKIXSubjectDirectoryAttributes_GetAttribute
+(
+  NSSPKIXSubjectDirectoryAttributes *sda,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXSubjectDirectoryAttributes_SetAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXSubjectDirectoryAttributes_SetAttribute
+(
+  NSSPKIXSubjectDirectoryAttributes *sda,
+  PRInt32 i,
+  NSSPKIXAttribute *attribute
+);
+
+/*
+ * nssPKIXSubjectDirectoryAttributes_InsertAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXSubjectDirectoryAttributes_InsertAttribute
+(
+  NSSPKIXSubjectDirectoryAttributes *sda,
+  PRInt32 i,
+  NSSPKIXAttribute *attribute
+);
+
+/*
+ * nssPKIXSubjectDirectoryAttributes_AppendAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXSubjectDirectoryAttributes_AppendAttribute
+(
+  NSSPKIXSubjectDirectoryAttributes *sda,
+  NSSPKIXAttribute *attribute
+);
+
+/*
+ * nssPKIXSubjectDirectoryAttributes_RemoveAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXSubjectDirectoryAttributes_RemoveAttribute
+(
+  NSSPKIXSubjectDirectoryAttributes *sda,
+  PRInt32 i
+);
+
+/*
+ * nssPKIXSubjectDirectoryAttributes_FindAttribute
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *  NSS_ERROR_INVALID_ATTRIBUTE
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  The index of the specified policy mapping upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXSubjectDirectoryAttributes_FindAttribute
+(
+  NSSPKIXSubjectDirectoryAttributes *sda,
+  NSSPKIXAttribute *attribute
+);
+
+/*
+ * nssPKIXSubjectDirectoryAttributes_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXSubjectDirectoryAttributes_Equal
+(
+  NSSPKIXSubjectDirectoryAttributes *sda1,
+  NSSPKIXSubjectDirectoryAttributes *sda2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXSubjectDirectoryAttributes_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXSubjectDirectoryAttributes upon 
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXSubjectDirectoryAttributes *
+nssPKIXSubjectDirectoryAttributes_Duplicate
+(
+  NSSPKIXSubjectDirectoryAttributes *sda,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXSubjectDirectoryAttributes_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXSubjectDirectoryAttributes
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_SUBJECT_DIRECTORY_ATTRIBUTES
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXSubjectDirectoryAttributes_verifyPointer
+(
+  NSSPKIXSubjectDirectoryAttributes *p
+);
+#endif /* DEBUG */
+
+/*
+ * BasicConstraints
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  BasicConstraints ::= SEQUENCE {
+ *       cA                      BOOLEAN DEFAULT FALSE,
+ *       pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXBasicConstraints_Decode
+ *  nssPKIXBasicConstraints_Create
+ *  nssPKIXBasicConstraints_Destroy
+ *  nssPKIXBasicConstraints_Encode
+ *  nssPKIXBasicConstraints_GetCA
+ *  nssPKIXBasicConstraints_SetCA 
+ *  nssPKIXBasicConstraints_HasPathLenConstraint
+ *  nssPKIXBasicConstraints_GetPathLenConstraint
+ *  nssPKIXBasicConstraints_SetPathLenConstraint
+ *  nssPKIXBasicConstraints_RemovePathLenConstraint
+ *  nssPKIXBasicConstraints_Equal
+ *  nssPKIXBasicConstraints_Duplicate
+ *  nssPKIXBasicConstraints_CompareToPathLenConstraint
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXBasicConstraints_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXBasicConstraints_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXBasicConstraints upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBasicConstraints *
+nssPKIXBasicConstraints_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXBasicConstraints_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_VALUE
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXBasicConstraints upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBasicConstraints *
+nssPKIXBasicConstraints_Create
+(
+  NSSArena *arenaOpt,
+  PRBool ca,
+  PRInt32 pathLenConstraint
+);
+
+/*
+ * nssPKIXBasicConstraints_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBasicConstraints_Destroy
+(
+  NSSPKIXBasicConstraints *basicConstraints
+);
+
+/*
+ * nssPKIXBasicConstraints_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXBasicConstraints_Encode
+(
+  NSSPKIXBasicConstraints *basicConstraints,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXBasicConstraints_GetCA
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_TRUE if the CA bit is true
+ *  PR_FALSE if it isn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXBasicConstraints_GetCA
+(
+  NSSPKIXBasicConstraints *basicConstraints,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXBasicConstraints_SetCA
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBasicConstraints_SetCA
+(
+  NSSPKIXBasicConstraints *basicConstraints,
+  PRBool ca
+);
+
+/*
+ * nssPKIXBasicConstraints_HasPathLenConstraint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXBasicConstraints_HasPathLenConstraint
+(
+  NSSPKIXBasicConstraints *basicConstraints,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXBasicConstraints_GetPathLenConstraint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ *  NSS_ERROR_HAS_NO_PATH_LEN_CONSTRAINT
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXBasicConstraints_GetPathLenConstraint
+(
+  NSSPKIXBasicConstraints *basicConstraints
+);
+
+/*
+ * nssPKIXBasicConstraints_SetPathLenConstraint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ *  NSS_ERROR_INVALID_VALUE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBasicConstraints_SetPathLenConstraint
+(
+  NSSPKIXBasicConstraints *basicConstraints,
+  PRInt32 pathLenConstraint
+);
+
+/*
+ * nssPKIXBasicConstraints_RemovePathLenConstraint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ *  NSS_ERROR_HAS_NO_PATH_LEN_CONSTRAINT
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBasicConstraints_RemovePathLenConstraint
+(
+  NSSPKIXBasicConstraints *basicConstraints
+);
+
+/*
+ * nssPKIXBasicConstraints_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXBasicConstraints_Equal
+(
+  NSSPKIXBasicConstraints *basicConstraints1,
+  NSSPKIXBasicConstraints *basicConstraints2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXBasicConstraints_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXBasicConstraints upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXBasicConstraints *
+nssPKIXBasicConstraints_Duplicate
+(
+  NSSPKIXBasicConstraints *basicConstraints,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXBasicConstraints_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXBasicConstraints
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXBasicConstraints_verifyPointer
+(
+  NSSPKIXBasicConstraints *p
+);
+#endif /* DEBUG */
+
+/*
+ * nssPKIXBasicConstraints_CompareToPathLenConstraint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_BASIC_CONSTRAINTS
+ *  NSS_ERROR_HAS_NO_PATH_LEN_CONSTRAINT
+ * 
+ * Return value:
+ *  1 if the specified value is greater than the pathLenConstraint
+ *  0 if the specified value equals the pathLenConstraint
+ *  -1 if the specified value is less than the pathLenConstraint
+ *  -2 upon error
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXBasicConstraints_CompareToPathLenConstraint
+(
+  NSSPKIXBasicConstraints *basicConstraints,
+  PRInt32 value
+);
+
+/*
+ * NameConstraints
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  NameConstraints ::= SEQUENCE {
+ *       permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
+ *       excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXNameConstraints_Decode
+ *  nssPKIXNameConstraints_Create
+ *  nssPKIXNameConstraints_Destroy
+ *  nssPKIXNameConstraints_Encode
+ *  nssPKIXNameConstraints_HasPermittedSubtrees
+ *  nssPKIXNameConstraints_GetPermittedSubtrees
+ *  nssPKIXNameConstraints_SetPermittedSubtrees
+ *  nssPKIXNameConstraints_RemovePermittedSubtrees
+ *  nssPKIXNameConstraints_HasExcludedSubtrees
+ *  nssPKIXNameConstraints_GetExcludedSubtrees
+ *  nssPKIXNameConstraints_SetExcludedSubtrees
+ *  nssPKIXNameConstraints_RemoveExcludedSubtrees
+ *  nssPKIXNameConstraints_Equal
+ *  nssPKIXNameConstraints_Duplicate
+ *    { and the comparator functions }
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXNameConstraints_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXNameConstraints_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXNameConstraints upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNameConstraints *
+nssPKIXNameConstraints_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXNameConstraints_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXNameConstraints upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNameConstraints *
+nssPKIXNameConstraints_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXGeneralSubtrees *permittedSubtrees,
+  NSSPKIXGeneralSubtrees *excludedSubtrees
+);
+
+/*
+ * nssPKIXNameConstraints_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXNameConstraints_Destroy
+(
+  NSSPKIXNameConstraints *nameConstraints
+);
+
+/*
+ * nssPKIXNameConstraints_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXNameConstraints_Encode
+(
+  NSSPKIXNameConstraints *nameConstraints,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXNameConstraints_HasPermittedSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXNameConstraints_HasPermittedSubtrees
+(
+  NSSPKIXNameConstraints *nameConstraints,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXNameConstraints_GetPermittedSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ *  NSS_ERROR_HAS_NO_PERMITTED_SUBTREES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralSubtrees upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralSubtrees *
+nssPKIXNameConstraints_GetPermittedSubtrees
+(
+  NSSPKIXNameConstraints *nameConstraints,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXNameConstraints_SetPermittedSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXNameConstraints_SetPermittedSubtrees
+(
+  NSSPKIXNameConstraints *nameConstraints,
+  NSSPKIXGeneralSubtrees *permittedSubtrees
+);
+
+/*
+ * nssPKIXNameConstraints_RemovePermittedSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ *  NSS_ERROR_HAS_NO_PERMITTED_SUBTREES
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXNameConstraints_RemovePermittedSubtrees
+(
+  NSSPKIXNameConstraints *nameConstraints
+);
+
+/*
+ * nssPKIXNameConstraints_HasExcludedSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXNameConstraints_HasExcludedSubtrees
+(
+  NSSPKIXNameConstraints *nameConstraints,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXNameConstraints_GetExcludedSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ *  NSS_ERROR_HAS_NO_EXCLUDED_SUBTREES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralSubtrees upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralSubtrees *
+nssPKIXNameConstraints_GetExcludedSubtrees
+(
+  NSSPKIXNameConstraints *nameConstraints,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXNameConstraints_SetExcludedSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXNameConstraints_SetExcludedSubtrees
+(
+  NSSPKIXNameConstraints *nameConstraints,
+  NSSPKIXGeneralSubtrees *excludedSubtrees
+);
+
+/*
+ * nssPKIXNameConstraints_RemoveExcludedSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ *  NSS_ERROR_HAS_NO_EXCLUDED_SUBTREES
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXNameConstraints_RemoveExcludedSubtrees
+(
+  NSSPKIXNameConstraints *nameConstraints
+);
+
+/*
+ * nssPKIXNameConstraints_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXNameConstraints_Equal
+(
+  NSSPKIXNameConstraints *nameConstraints1,
+  NSSPKIXNameConstraints *nameConstraints2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXNameConstraints_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXNameConstraints upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXNameConstraints *
+nssPKIXNameConstraints_Duplicate
+(
+  NSSPKIXNameConstraints *nameConstraints,
+  NSSArena *arenaOpt
+);
+
+/*
+ *   { and the comparator functions }
+ *
+ */
+
+#ifdef DEBUG
+/*
+ * nssPKIXNameConstraints_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXNameConstraints
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME_CONSTRAINTS
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXNameConstraints_verifyPointer
+(
+  NSSPKIXNameConstraints *p
+);
+#endif /* DEBUG */
+
+/*
+ * GeneralSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXGeneralSubtrees_Decode
+ *  nssPKIXGeneralSubtrees_Create
+ *  nssPKIXGeneralSubtrees_Destroy
+ *  nssPKIXGeneralSubtrees_Encode
+ *  nssPKIXGeneralSubtrees_GetGeneralSubtreeCount
+ *  nssPKIXGeneralSubtrees_GetGeneralSubtrees
+ *  nssPKIXGeneralSubtrees_SetGeneralSubtrees
+ *  nssPKIXGeneralSubtrees_GetGeneralSubtree
+ *  nssPKIXGeneralSubtrees_SetGeneralSubtree
+ *  nssPKIXGeneralSubtrees_InsertGeneralSubtree
+ *  nssPKIXGeneralSubtrees_AppendGeneralSubtree
+ *  nssPKIXGeneralSubtrees_RemoveGeneralSubtree
+ *  nssPKIXGeneralSubtrees_FindGeneralSubtree
+ *  nssPKIXGeneralSubtrees_Equal
+ *  nssPKIXGeneralSubtrees_Duplicate
+ *    { and finders and comparators }
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXGeneralSubtrees_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXGeneralSubtrees_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralSubtrees upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralSubtrees *
+nssPKIXGeneralSubtrees_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXGeneralSubtrees_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralSubtrees upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralSubtrees *
+nssPKIXGeneralSubtrees_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXGeneralSubtree *generalSubtree1,
+  ...
+);
+
+/*
+ * nssPKIXGeneralSubtrees_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXGeneralSubtrees_Destroy
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees
+);
+
+/*
+ * nssPKIXGeneralSubtrees_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXGeneralSubtrees_Encode
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXGeneralSubtrees_GetGeneralSubtreeCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXGeneralSubtrees_GetGeneralSubtreeCount
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees
+);
+
+/*
+ * nssPKIXGeneralSubtrees_GetGeneralSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ * 
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXGeneralSubtree pointers upon
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralSubtree **
+nssPKIXGeneralSubtrees_GetGeneralSubtrees
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees,
+  NSSPKIXGeneralSubtree *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXGeneralSubtrees_SetGeneralSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXGeneralSubtrees_SetGeneralSubtrees
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees,
+  NSSPKIXGeneralSubtree *generalSubtree[],
+  PRInt32 count
+);
+
+/*
+ * nssPKIXGeneralSubtrees_GetGeneralSubtree
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralSubtree upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralSubtree *
+nssPKIXGeneralSubtrees_GetGeneralSubtree
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXGeneralSubtrees_SetGeneralSubtree
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXGeneralSubtrees_SetGeneralSubtree
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees,
+  PRInt32 i,
+  NSSPKIXGeneralSubtree *generalSubtree
+);
+
+/*
+ * nssPKIXGeneralSubtrees_InsertGeneralSubtree
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXGeneralSubtrees_InsertGeneralSubtree
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees,
+  PRInt32 i,
+  NSSPKIXGeneralSubtree *generalSubtree
+);
+
+/*
+ * nssPKIXGeneralSubtrees_AppendGeneralSubtree
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXGeneralSubtrees_AppendGeneralSubtree
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees,
+  NSSPKIXGeneralSubtree *generalSubtree
+);
+
+/*
+ * nssPKIXGeneralSubtrees_RemoveGeneralSubtree
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXGeneralSubtrees_RemoveGeneralSubtree
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees,
+  PRInt32 i
+);
+
+/*
+ * nssPKIXGeneralSubtrees_FindGeneralSubtree
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  The index of the specified policy mapping upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXGeneralSubtrees_FindGeneralSubtree
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees,
+  NSSPKIXGeneralSubtree *generalSubtree
+);
+
+/*
+ * nssPKIXGeneralSubtrees_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXGeneralSubtrees_Equal
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees1,
+  NSSPKIXGeneralSubtrees *generalSubtrees2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXGeneralSubtrees_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralSubtrees upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralSubtrees *
+nssPKIXGeneralSubtrees_Duplicate
+(
+  NSSPKIXGeneralSubtrees *generalSubtrees,
+  NSSArena *arenaOpt
+);
+
+/*
+ *   { and finders and comparators }
+ *
+ */
+
+#ifdef DEBUG
+/*
+ * nssPKIXGeneralSubtrees_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXGeneralSubtrees
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREES
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXGeneralSubtrees_verifyPointer
+(
+  NSSPKIXGeneralSubtrees *p
+);
+#endif /* DEBUG */
+
+/*
+ * GeneralSubtree
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  GeneralSubtree ::= SEQUENCE {
+ *       base                    GeneralName,
+ *       minimum         [0]     BaseDistance DEFAULT 0,
+ *       maximum         [1]     BaseDistance OPTIONAL }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXGeneralSubtree_Decode
+ *  nssPKIXGeneralSubtree_Create
+ *  nssPKIXGeneralSubtree_Destroy
+ *  nssPKIXGeneralSubtree_Encode
+ *  nssPKIXGeneralSubtree_GetBase
+ *  nssPKIXGeneralSubtree_SetBase
+ *  nssPKIXGeneralSubtree_GetMinimum
+ *  nssPKIXGeneralSubtree_SetMinimum
+ *  nssPKIXGeneralSubtree_HasMaximum
+ *  nssPKIXGeneralSubtree_GetMaximum
+ *  nssPKIXGeneralSubtree_SetMaximum
+ *  nssPKIXGeneralSubtree_RemoveMaximum
+ *  nssPKIXGeneralSubtree_Equal
+ *  nssPKIXGeneralSubtree_Duplicate
+ *  nssPKIXGeneralSubtree_DistanceInRange
+ *    {other tests and comparators}
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXGeneralSubtree_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXGeneralSubtree_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralSubtree upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralSubtree *
+nssPKIXGeneralSubtree_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXGeneralSubtree_Create
+ *
+ * -- fgmr comments --
+ * The optional maximum value may be omitted by specifying -1.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_INVALID_VALUE
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralSubtree upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralSubtree *
+nssPKIXGeneralSubtree_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXBaseDistance minimum,
+  NSSPKIXBaseDistance maximumOpt
+);
+
+/*
+ * nssPKIXGeneralSubtree_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXGeneralSubtree_Destroy
+(
+  NSSPKIXGeneralSubtree *generalSubtree
+);
+
+/*
+ * nssPKIXGeneralSubtree_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXGeneralSubtree_Encode
+(
+  NSSPKIXGeneralSubtree *generalSubtree,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXGeneralSubtree_GetBase
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+nssPKIXGeneralSubtree_GetBase
+(
+  NSSPKIXGeneralSubtree *generalSubtree,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXGeneralSubtree_SetBase
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXGeneralSubtree_SetBase
+(
+  NSSPKIXGeneralSubtree *generalSubtree,
+  NSSPKIXGeneralName *base
+);
+
+/*
+ * nssPKIXGeneralSubtree_GetMinimum
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN NSSPKIXBaseDistance
+nssPKIXGeneralSubtree_GetMinimum
+(
+  NSSPKIXGeneralSubtree *generalSubtree
+);
+
+/*
+ * nssPKIXGeneralSubtree_SetMinimum
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_INVALID_VALUE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXGeneralSubtree_SetMinimum
+(
+  NSSPKIXGeneralSubtree *generalSubtree,
+  NSSPKIXBaseDistance *minimum
+);
+
+/*
+ * nssPKIXGeneralSubtree_HasMaximum
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXGeneralSubtree_HasMaximum
+(
+  NSSPKIXGeneralSubtree *generalSubtree
+);
+
+/*
+ * nssPKIXGeneralSubtree_GetMaximum
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_HAS_NO_MAXIMUM_BASE_DISTANCE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN NSSPKIXBaseDistance
+nssPKIXGeneralSubtree_GetMaximum
+(
+  NSSPKIXGeneralSubtree *generalSubtree
+);
+
+/*
+ * nssPKIXGeneralSubtree_SetMaximum
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_INVALID_VALUE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXGeneralSubtree_SetMaximum
+(
+  NSSPKIXGeneralSubtree *generalSubtree,
+  NSSPKIXBaseDistance *maximum
+);
+
+/*
+ * nssPKIXGeneralSubtree_RemoveMaximum
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_HAS_NO_MAXIMUM_BASE_DISTANCE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXGeneralSubtree_RemoveMaximum
+(
+  NSSPKIXGeneralSubtree *generalSubtree
+);
+
+/*
+ * nssPKIXGeneralSubtree_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXGeneralSubtree_Equal
+(
+  NSSPKIXGeneralSubtree *generalSubtree1,
+  NSSPKIXGeneralSubtree *generalSubtree2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXGeneralSubtree_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralSubtree upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralSubtree *
+nssPKIXGeneralSubtree_Duplicate
+(
+  NSSPKIXGeneralSubtree *generalSubtree,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXGeneralSubtree_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXGeneralSubtree
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXGeneralSubtree_verifyPointer
+(
+  NSSPKIXGeneralSubtree *p
+);
+#endif /* DEBUG */
+
+/*
+ * nssPKIXGeneralSubtree_DistanceInRange
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_SUBTREE
+ *  NSS_ERROR_INVALID_VALUE
+ * 
+ * Return value:
+ *  PR_TRUE if the specified value is within the minimum and maximum
+ *      base distances
+ *  PR_FALSE if it isn't
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXGeneralSubtree_DistanceInRange
+(
+  NSSPKIXGeneralSubtree *generalSubtree,
+  NSSPKIXBaseDistance value,
+  PRStatus *statusOpt
+);
+
+/*
+ *   {other tests and comparators}
+ *
+ */
+
+/*
+ * PolicyConstraints
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PolicyConstraints ::= SEQUENCE {
+ *       requireExplicitPolicy           [0] SkipCerts OPTIONAL,
+ *       inhibitPolicyMapping            [1] SkipCerts OPTIONAL }
+ * 
+ * The private calls for this type:
+ *
+ *  nssPKIXPolicyConstraints_Decode
+ *  nssPKIXPolicyConstraints_Create
+ *  nssPKIXPolicyConstraints_Destroy
+ *  nssPKIXPolicyConstraints_Encode
+ *  nssPKIXPolicyConstraints_HasRequireExplicitPolicy
+ *  nssPKIXPolicyConstraints_GetRequireExplicitPolicy
+ *  nssPKIXPolicyConstraints_SetRequireExplicitPolicy
+ *  nssPKIXPolicyConstraints_RemoveRequireExplicitPolicy
+ *  nssPKIXPolicyConstraints_HasInhibitPolicyMapping
+ *  nssPKIXPolicyConstraints_GetInhibitPolicyMapping
+ *  nssPKIXPolicyConstraints_SetInhibitPolicyMapping
+ *  nssPKIXPolicyConstraints_RemoveInhibitPolicyMapping
+ *  nssPKIXPolicyConstraints_Equal
+ *  nssPKIXPolicyConstraints_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXPolicyConstraints_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXPolicyConstraints_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyConstraints upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyConstraints *
+nssPKIXPolicyConstraints_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXPolicyConstraints_Create
+ *
+ * -- fgmr comments --
+ * The optional values may be omitted by specifying -1.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_VALUE
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyConstraints upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyConstraints *
+nssPKIXPolicyConstraints_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXSkipCerts requireExplicitPolicy,
+  NSSPKIXSkipCerts inhibitPolicyMapping
+);
+
+/*
+ * nssPKIXPolicyConstraints_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyConstraints_Destroy
+(
+  NSSPKIXPolicyConstraints *policyConstraints
+);
+
+/*
+ * nssPKIXPolicyConstraints_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXPolicyConstraints_Encode
+(
+  NSSPKIXPolicyConstraints *policyConstraints,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXPolicyConstraints_HasRequireExplicitPolicy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXPolicyConstraints_HasRequireExplicitPolicy
+(
+  NSSPKIXPolicyConstraints *policyConstraints
+);
+
+/*
+ * nssPKIXPolicyConstraints_GetRequireExplicitPolicy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ *  NSS_ERROR_HAS_NO_REQUIRE_EXPLICIT_POLICY
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXPolicyConstraints_GetRequireExplicitPolicy
+(
+  NSSPKIXPolicyConstraints *policyConstraints
+);
+
+/*
+ * nssPKIXPolicyConstraints_SetRequireExplicitPolicy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ *  NSS_ERROR_INVALID_VALUE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyConstraints_SetRequireExplicitPolicy
+(
+  NSSPKIXPolicyConstraints *policyConstraints,
+  NSSPKIXSkipCerts requireExplicitPolicy
+);
+
+/*
+ * nssPKIXPolicyConstraints_RemoveRequireExplicitPolicy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ *  NSS_ERROR_HAS_NO_REQUIRE_EXPLICIT_POLICY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyConstraints_RemoveRequireExplicitPolicy
+(
+  NSSPKIXPolicyConstraints *policyConstraints
+);
+
+/*
+ * nssPKIXPolicyConstraints_HasInhibitPolicyMapping
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXPolicyConstraints_HasInhibitPolicyMapping
+(
+  NSSPKIXPolicyConstraints *policyConstraints
+);
+
+/*
+ * nssPKIXPolicyConstraints_GetInhibitPolicyMapping
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ *  NSS_ERROR_HAS_NO_INHIBIT_POLICY_MAPPING
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXPolicyConstraints_GetInhibitPolicyMapping
+(
+  NSSPKIXPolicyConstraints *policyConstraints
+);
+
+/*
+ * nssPKIXPolicyConstraints_SetInhibitPolicyMapping
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ *  NSS_ERROR_INVALID_VALUE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyConstraints_SetInhibitPolicyMapping
+(
+  NSSPKIXPolicyConstraints *policyConstraints,
+  NSSPKIXSkipCerts inhibitPolicyMapping
+);
+
+/*
+ * nssPKIXPolicyConstraints_RemoveInhibitPolicyMapping
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ *  NSS_ERROR_HAS_NO_INHIBIT_POLICY_MAPPING
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyConstraints_RemoveInhibitPolicyMapping
+(
+  NSSPKIXPolicyConstraints *policyConstraints
+);
+
+/*
+ * nssPKIXPolicyConstraints_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXPolicyConstraints_Equal
+(
+  NSSPKIXPolicyConstraints *policyConstraints1,
+  NSSPKIXPolicyConstraints *policyConstraints2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXPolicyConstraints_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXPolicyConstraints upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXPolicyConstraints *
+nssPKIXPolicyConstraints_Duplicate
+(
+  NSSPKIXPolicyConstraints *policyConstraints,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXPolicyConstraints_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXPolicyConstraints
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_POLICY_CONSTRAINTS
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXPolicyConstraints_verifyPointer
+(
+  NSSPKIXPolicyConstraints *p
+);
+#endif /* DEBUG */
+
+/*
+ * CRLDistPointsSyntax
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXCRLDistPointsSyntax_Decode
+ *  nssPKIXCRLDistPointsSyntax_Create
+ *  nssPKIXCRLDistPointsSyntax_Destroy
+ *  nssPKIXCRLDistPointsSyntax_Encode
+ *  nssPKIXCRLDistPointsSyntax_GetDistributionPointCount
+ *  nssPKIXCRLDistPointsSyntax_GetDistributionPoints
+ *  nssPKIXCRLDistPointsSyntax_SetDistributionPoints
+ *  nssPKIXCRLDistPointsSyntax_GetDistributionPoint
+ *  nssPKIXCRLDistPointsSyntax_SetDistributionPoint
+ *  nssPKIXCRLDistPointsSyntax_InsertDistributionPoint
+ *  nssPKIXCRLDistPointsSyntax_AppendDistributionPoint
+ *  nssPKIXCRLDistPointsSyntax_RemoveDistributionPoint
+ *  nssPKIXCRLDistPointsSyntax_FindDistributionPoint
+ *  nssPKIXCRLDistPointsSyntax_Equal
+ *  nssPKIXCRLDistPointsSyntax_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXCRLDistPointsSyntax_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXCRLDistPointsSyntax_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCRLDistPointsSyntax upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCRLDistPointsSyntax *
+nssPKIXCRLDistPointsSyntax_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXCRLDistPointsSyntax_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCRLDistPointsSyntax upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCRLDistPointsSyntax *
+nssPKIXCRLDistPointsSyntax_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXDistributionPoint *distributionPoint1,
+  ...
+);
+
+/*
+ * nssPKIXCRLDistPointsSyntax_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCRLDistPointsSyntax_Destroy
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax
+);
+
+/*
+ * nssPKIXCRLDistPointsSyntax_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXCRLDistPointsSyntax_Encode
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXCRLDistPointsSyntax_GetDistributionPointCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXCRLDistPointsSyntax_GetDistributionPointCount
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax
+);
+
+/*
+ * nssPKIXCRLDistPointsSyntax_GetDistributionPoints
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ * 
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXDistributionPoint pointers 
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPoints **
+nssPKIXCRLDistPointsSyntax_GetDistributionPoints
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
+  NSSDistributionPoint *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXCRLDistPointsSyntax_SetDistributionPoints
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCRLDistPointsSyntax_SetDistributionPoints
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
+  NSSDistributionPoint *distributionPoint[]
+  PRInt32 count
+);
+
+/*
+ * nssPKIXCRLDistPointsSyntax_GetDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDistributionPoint upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPoint *
+nssPKIXCRLDistPointsSyntax_GetDistributionPoint
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXCRLDistPointsSyntax_SetDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCRLDistPointsSyntax_SetDistributionPoint
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
+  PRInt32 i,
+  NSSPKIXDistributionPoint *distributionPoint
+);
+
+/*
+ * nssPKIXCRLDistPointsSyntax_InsertDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCRLDistPointsSyntax_InsertDistributionPoint
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
+  PRInt32 i,
+  NSSPKIXDistributionPoint *distributionPoint
+);
+
+/*
+ * nssPKIXCRLDistPointsSyntax_AppendDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCRLDistPointsSyntax_AppendDistributionPoint
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
+  NSSPKIXDistributionPoint *distributionPoint
+);
+
+/*
+ * nssPKIXCRLDistPointsSyntax_RemoveDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCRLDistPointsSyntax_RemoveDistributionPoint
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
+  PRInt32 i
+);
+
+/*
+ * nssPKIXCRLDistPointsSyntax_FindDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  The index of the specified policy mapping upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXCRLDistPointsSyntax_FindDistributionPoint
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
+  NSSPKIXDistributionPoint *distributionPoint
+);
+
+/*
+ * nssPKIXCRLDistPointsSyntax_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXCRLDistPointsSyntax_Equal
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax1,
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXCRLDistPointsSyntax_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXCRLDistPointsSyntax upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXCRLDistPointsSyntax *
+nssPKIXCRLDistPointsSyntax_Duplicate
+(
+  NSSPKIXCRLDistPointsSyntax *crlDistPointsSyntax,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXCRLDistPointsSyntax_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXCRLDistPointsSyntax
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_CRL_DIST_POINTS_SYNTAX
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXCRLDistPointsSyntax_verifyPointer
+(
+  NSSPKIXCRLDistPointsSyntax *p
+);
+#endif /* DEBUG */
+
+/*
+ * DistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  DistributionPoint ::= SEQUENCE {
+ *       distributionPoint       [0]     DistributionPointName OPTIONAL,
+ *       reasons                 [1]     ReasonFlags OPTIONAL,
+ *       cRLIssuer               [2]     GeneralNames OPTIONAL }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXDistributionPoint_Decode
+ *  nssPKIXDistributionPoint_Create
+ *  nssPKIXDistributionPoint_Destroy
+ *  nssPKIXDistributionPoint_Encode
+ *  nssPKIXDistributionPoint_HasDistributionPoint
+ *  nssPKIXDistributionPoint_GetDistributionPoint
+ *  nssPKIXDistributionPoint_SetDistributionPoint
+ *  nssPKIXDistributionPoint_RemoveDistributionPoint
+ *  nssPKIXDistributionPoint_HasReasons
+ *  nssPKIXDistributionPoint_GetReasons
+ *  nssPKIXDistributionPoint_SetReasons
+ *  nssPKIXDistributionPoint_RemoveReasons
+ *  nssPKIXDistributionPoint_HasCRLIssuer
+ *  nssPKIXDistributionPoint_GetCRLIssuer
+ *  nssPKIXDistributionPoint_SetCRLIssuer
+ *  nssPKIXDistributionPoint_RemoveCRLIssuer
+ *  nssPKIXDistributionPoint_Equal
+ *  nssPKIXDistributionPoint_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXDistributionPoint_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXDistributionPoint_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDistributionPoint upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPoint *
+nssPKIXDistributionPoint_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXDistributionPoint_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDistributionPoint upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPoint *
+nssPKIXDistributionPoint_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXDistributionPointName *distributionPoint,
+  NSSPKIXReasonFlags reasons,
+  NSSPKIXGeneralNames *cRLIssuer
+);
+
+/*
+ * nssPKIXDistributionPoint_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXDistributionPoint_Destroy
+(
+  NSSPKIXDistributionPoint *distributionPoint
+);
+
+/*
+ * nssPKIXDistributionPoint_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXDistributionPoint_Encode
+(
+  NSSPKIXDistributionPoint *distributionPoint,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXDistributionPoint_HasDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXDistributionPoint_HasDistributionPoint
+(
+  NSSPKIXDistributionPoint *distributionPoint
+);
+
+/*
+ * nssPKIXDistributionPoint_GetDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_HAS_NO_DISTRIBUTION_POINT
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDistributionPointName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPointName *
+nssPKIXDistributionPoint_GetDistributionPoint
+(
+  NSSPKIXDistributionPoint *distributionPoint,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXDistributionPoint_SetDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXDistributionPoint_SetDistributionPoint
+(
+  NSSPKIXDistributionPoint *distributionPoint,
+  NSSPKIXDistributionPointName *name
+);
+
+/*
+ * nssPKIXDistributionPoint_RemoveDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_HAS_NO_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXDistributionPoint_RemoveDistributionPoint
+(
+  NSSPKIXDistributionPoint *distributionPoint
+);
+
+/*
+ * nssPKIXDistributionPoint_HasReasons
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXDistributionPoint_HasReasons
+(
+  NSSPKIXDistributionPoint *distributionPoint
+);
+
+/*
+ * nssPKIXDistributionPoint_GetReasons
+ *
+ * It is unlikely that the reason flags are all zero; so zero is
+ * returned in error situations.
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_HAS_NO_REASONS
+ * 
+ * Return value:
+ *  A valid nonzero NSSPKIXReasonFlags value upon success
+ *  A valid zero NSSPKIXReasonFlags if the value is indeed zero
+ *  Zero upon error
+ */
+
+NSS_EXTERN NSSPKIXReasonFlags
+nssPKIXDistributionPoint_GetReasons
+(
+  NSSPKIXDistributionPoint *distributionPoint,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXDistributionPoint_SetReasons
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXDistributionPoint_SetReasons
+(
+  NSSPKIXDistributionPoint *distributionPoint,
+  NSSPKIXReasonFlags reasons
+);
+
+/*
+ * nssPKIXDistributionPoint_RemoveReasons
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_HAS_NO_REASONS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXDistributionPoint_RemoveReasons
+(
+  NSSPKIXDistributionPoint *distributionPoint
+);
+
+/*
+ * nssPKIXDistributionPoint_HasCRLIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXDistributionPoint_HasCRLIssuer
+(
+  NSSPKIXDistributionPoint *distributionPoint
+);
+
+/*
+ * nssPKIXDistributionPoint_GetCRLIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_HAS_NO_CRL_ISSUER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralNames *
+nssPKIXDistributionPoint_GetCRLIssuer
+(
+  NSSPKIXDistributionPoint *distributionPoint,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXDistributionPoint_SetCRLIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXDistributionPoint_SetCRLIssuer
+(
+  NSSPKIXDistributionPoint *distributionPoint,
+  NSSPKIXGeneralNames *cRLIssuer
+);
+
+/*
+ * nssPKIXDistributionPoint_RemoveCRLIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *  NSS_ERROR_HAS_NO_CRL_ISSUER
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXDistributionPoint_RemoveCRLIssuer
+(
+  NSSPKIXDistributionPoint *distributionPoint
+);
+
+/*
+ * nssPKIXDistributionPoint_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXDistributionPoint_Equal
+(
+  NSSPKIXDistributionPoint *distributionPoint1,
+  NSSPKIXDistributionPoint *distributionPoint2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXDistributionPoint_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDistributionPoint upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPoint *
+nssPKIXDistributionPoint_Duplicate
+(
+  NSSPKIXDistributionPoint *distributionPoint,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXDistributionPoint_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXDistributionPoint
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXDistributionPoint_verifyPointer
+(
+  NSSPKIXDistributionPoint *p
+);
+#endif /* DEBUG */
+
+/*
+ * DistributionPointName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  DistributionPointName ::= CHOICE {
+ *       fullName                [0]     GeneralNames,
+ *       nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXDistributionPointName_Decode
+ *  nssPKIXDistributionPointName_Create
+ *  nssPKIXDistributionPointName_CreateFromFullName
+ *  nssPKIXDistributionPointName_CreateFromNameRelativeToCRLIssuer
+ *  nssPKIXDistributionPointName_Destroy
+ *  nssPKIXDistributionPointName_Encode
+ *  nssPKIXDistributionPointName_GetChoice
+ *  nssPKIXDistributionPointName_GetFullName
+ *  nssPKIXDistributionPointName_GetNameRelativeToCRLIssuer
+ *  nssPKIXDistributionPointName_Equal
+ *  nssPKIXDistributionPointName_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXDistributionPointName_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXDistributionPointName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDistributionPointName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPointName *
+nssPKIXDistributionPointName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXDistributionPointName_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME_CHOICE
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ *  NSS_ERROR_INVALID_PKIX_RELATIVE_DISTINGUISHED_NAME
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDistributionPointName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPointName *
+nssPKIXDistributionPointName_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXDistributionPointNameChoice which,
+  void *name
+);
+
+/*
+ * nssPKIXDistributionPointName_CreateFromFullName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAMES
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDistributionPointName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPointName *
+nssPKIXDistributionPointName_CreateFromFullName
+(
+  NSSArena *arenaOpt,
+  NSSPKIXGeneralNames *fullName
+);
+
+/*
+ * nssPKIXDistributionPointName_CreateFromNameRelativeToCRLIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_RELATIVE_DISTINGUISHED_NAME
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDistributionPointName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPointName *
+nssPKIXDistributionPointName_CreateFromNameRelativeToCRLIssuer
+(
+  NSSArena *arenaOpt,
+  NSSPKIXRelativeDistinguishedName *nameRelativeToCRLIssuer
+);
+
+/*
+ * nssPKIXDistributionPointName_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXDistributionPointName_Destroy
+(
+  NSSPKIXDistributionPointName *dpn
+);
+
+/*
+ * nssPKIXDistributionPointName_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXDistributionPointName_Encode
+(
+  NSSPKIXDistributionPointName *dpn,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXDistributionPointName_GetChoice
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ * 
+ * Return value:
+ *  A valid NSSPKIXDistributionPointNameChoice value upon success
+ *  NSSPKIXDistributionPointNameChoice_NSSinvalid upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPointNameChoice
+nssPKIXDistributionPointName_GetChoice
+(
+  NSSPKIXDistributionPointName *dpn
+);
+
+/*
+ * nssPKIXDistributionPointName_GetFullName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralNames upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralnames *
+nssPKIXDistributionPointName_GetFullName
+(
+  NSSPKIXDistributionPointName *dpn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXDistributionPointName_GetNameRelativeToCRLIssuer
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ *  NSS_ERROR_WRONG_CHOICE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRelativeDistinguishedName *
+nssPKIXDistributionPointName_GetNameRelativeToCRLIssuer
+(
+  NSSPKIXDistributionPointName *dpn,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXDistributionPointName_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXDistributionPointName_Equal
+(
+  NSSPKIXDistributionPointName *dpn1,
+  NSSPKIXDistributionPointName *dpn2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXDistributionPointName_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDistributionPointName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPointName *
+nssPKIXDistributionPointName_Duplicate
+(
+  NSSPKIXDistributionPointName *dpn,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXDistributionPointName_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXDistributionPointName
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXDistributionPointName_verifyPointer
+(
+  NSSPKIXDistributionPointName *p
+);
+#endif /* DEBUG */
+
+/*
+ * ReasonFlags
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ReasonFlags ::= BIT STRING {
+ *       unused                  (0),
+ *       keyCompromise           (1),
+ *       cACompromise            (2),
+ *       affiliationChanged      (3),
+ *       superseded              (4),
+ *       cessationOfOperation    (5),
+ *       certificateHold         (6) }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXReasonFlags_Decode
+ *  nssPKIXReasonFlags_Create
+ *  nssPKIXReasonFlags_CreateFromMask
+ *  nssPKIXReasonFlags_Destroy
+ *  nssPKIXReasonFlags_Encode
+ *  nssPKIXReasonFlags_GetMask
+ *  nssPKIXReasonFlags_SetMask
+ *  nssPKIXReasonFlags_Equal
+ *  nssPKIXReasonFlags_Duplicate
+ *    { bitwise accessors? }
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXReasonFlags_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXReasonFlags_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXReasonFlags upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXReasonFlags *
+nssPKIXReasonFlags_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXReasonFlags_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXReasonFlags upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXReasonFlags *
+nssPKIXReasonFlags_Create
+(
+  NSSArena *arenaOpt,
+  PRBool keyCompromise,
+  PRBool cACompromise,
+  PRBool affiliationChanged,
+  PRBool superseded,
+  PRBool cessationOfOperation,
+  PRBool certificateHold
+);
+
+/*
+ * nssPKIXReasonFlags_CreateFromMask
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS_MASK
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXReasonFlags upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXReasonFlags *
+nssPKIXReasonFlags_CreateFromMask
+(
+  NSSArena *arenaOpt,
+  NSSPKIXReasonFlagsMask why
+);
+
+/*
+ * nssPKIXReasonFlags_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXReasonFlags_Destroy
+(
+  NSSPKIXReasonFlags *reasonFlags
+);
+
+/*
+ * nssPKIXReasonFlags_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXReasonFlags_Encode
+(
+  NSSPKIXReasonFlags *reasonFlags,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXReasonFlags_GetMask
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS
+ * 
+ * Return value:
+ *  A valid mask of NSSPKIXReasonFlagsMask values upon success
+ *  NSSPKIXReasonFlagsMask_NSSinvalid upon failure
+ */
+
+NSS_EXTERN NSSPKIXReasonFlagsMask
+nssPKIXReasonFlags_GetMask
+(
+  NSSPKIXReasonFlags *reasonFlags
+);
+
+/*
+ * nssPKIXReasonFlags_SetMask
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS_MASK
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXReasonFlags_SetMask
+(
+  NSSPKIXReasonFlags *reasonFlags,
+  NSSPKIXReasonFlagsMask mask
+);
+
+/*
+ * nssPKIXReasonFlags_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXReasonFlags_Equal
+(
+  NSSPKIXReasonFlags *reasonFlags1,
+  NSSPKIXReasonFlags *reasonFlags2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXReasonFlags_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXReasonFlags upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXReasonFlags *
+nssPKIXReasonFlags_Duplicate
+(
+  NSSPKIXReasonFlags *reasonFlags,
+  NSSArena *arenaOpt
+);
+
+/*
+ *   { bitwise accessors? }
+ *
+ */
+
+#ifdef DEBUG
+/*
+ * nssPKIXReasonFlags_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXReasonFlags
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXReasonFlags_verifyPointer
+(
+  NSSPKIXReasonFlags *p
+);
+#endif /* DEBUG */
+
+/*
+ * ExtKeyUsageSyntax
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXExtKeyUsageSyntax_Decode
+ *  nssPKIXExtKeyUsageSyntax_Create
+ *  nssPKIXExtKeyUsageSyntax_Destroy
+ *  nssPKIXExtKeyUsageSyntax_Encode
+ *  nssPKIXExtKeyUsageSyntax_GetKeyPurposeIdCount
+ *  nssPKIXExtKeyUsageSyntax_GetKeyPurposeIds
+ *  nssPKIXExtKeyUsageSyntax_SetKeyPurposeIds
+ *  nssPKIXExtKeyUsageSyntax_GetKeyPurposeId
+ *  nssPKIXExtKeyUsageSyntax_SetKeyPurposeId
+ *  nssPKIXExtKeyUsageSyntax_InsertKeyPurposeId
+ *  nssPKIXExtKeyUsageSyntax_AppendKeyPurposeId
+ *  nssPKIXExtKeyUsageSyntax_RemoveKeyPurposeId
+ *  nssPKIXExtKeyUsageSyntax_FindKeyPurposeId
+ *  nssPKIXExtKeyUsageSyntax_Equal
+ *  nssPKIXExtKeyUsageSyntax_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXExtKeyUsageSyntax_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXExtKeyUsageSyntax_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtKeyUsageSyntax upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtKeyUsageSyntax *
+nssPKIXExtKeyUsageSyntax_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXExtKeyUsageSyntax_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtKeyUsageSyntax upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtKeyUsageSyntax *
+nssPKIXExtKeyUsageSyntax_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXKeyPurposeId *kpid1,
+  ...
+);
+
+/*
+ * nssPKIXExtKeyUsageSyntax_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtKeyUsageSyntax_Destroy
+(
+  NSSPKIXExtKeyUsageSyntax *eku
+);
+
+/*
+ * nssPKIXExtKeyUsageSyntax_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXExtKeyUsageSyntax_Encode
+(
+  NSSPKIXExtKeyUsageSyntax *eku,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXExtKeyUsageSyntax_GetKeyPurposeIdCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXExtKeyUsageSyntax_GetKeyPurposeIdCount
+(
+  NSSPKIXExtKeyUsageSyntax *eku
+);
+
+/*
+ * nssPKIXExtKeyUsageSyntax_GetKeyPurposeIds
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ * 
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXKeyPurposeId pointers upon
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXKeyPurposeId **
+nssPKIXExtKeyUsageSyntax_GetKeyPurposeIds
+(
+  NSSPKIXExtKeyUsageSyntax *eku,
+  NSSPKIXKeyPurposeId *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXExtKeyUsageSyntax_SetKeyPurposeIds
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtKeyUsageSyntax_SetKeyPurposeIds
+(
+  NSSPKIXExtKeyUsageSyntax *eku,
+  NSSPKIXKeyPurposeId *ids[],
+  PRInt32 count
+);
+
+/*
+ * nssPKIXExtKeyUsageSyntax_GetKeyPurposeId
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXKeyPurposeId upon success
+ *  NULL upon error
+ */
+
+NSS_EXTERN NSSPKIXKeyPurposeId *
+nssPKIXExtKeyUsageSyntax_GetKeyPurposeId
+(
+  NSSPKIXExtKeyUsageSyntax *eku,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXExtKeyUsageSyntax_SetKeyPurposeId
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtKeyUsageSyntax_SetKeyPurposeId
+(
+  NSSPKIXExtKeyUsageSyntax *eku,
+  PRInt32 i,
+  NSSPKIXKeyPurposeId *id
+);
+
+/*
+ * nssPKIXExtKeyUsageSyntax_InsertKeyPurposeId
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtKeyUsageSyntax_InsertKeyPurposeId
+(
+  NSSPKIXExtKeyUsageSyntax *eku,
+  PRInt32 i,
+  NSSPKIXKeyPurposeId *id
+);
+
+/*
+ * nssPKIXExtKeyUsageSyntax_AppendKeyPurposeId
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtKeyUsageSyntax_AppendKeyPurposeId
+(
+  NSSPKIXExtKeyUsageSyntax *eku,
+  NSSPKIXKeyPurposeId *id
+);
+
+/*
+ * nssPKIXExtKeyUsageSyntax_RemoveKeyPurposeId
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtKeyUsageSyntax_RemoveKeyPurposeId
+(
+  NSSPKIXExtKeyUsageSyntax *eku,
+  PRInt32 i
+);
+
+/*
+ * nssPKIXExtKeyUsageSyntax_FindKeyPurposeId
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_KEY_PURPOSE_ID
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  The index of the specified key purpose id upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXExtKeyUsageSyntax_FindKeyPurposeId
+(
+  NSSPKIXExtKeyUsageSyntax *eku,
+  NSSPKIXKeyPurposeId *id
+);
+
+/*
+ * nssPKIXExtKeyUsageSyntax_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXExtKeyUsageSyntax_Equal
+(
+  NSSPKIXExtKeyUsageSyntax *eku1,
+  NSSPKIXExtKeyUsageSyntax *eku2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXExtKeyUsageSyntax_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXExtKeyUsageSyntax upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXExtKeyUsageSyntax *
+nssPKIXExtKeyUsageSyntax_Duplicate
+(
+  NSSPKIXExtKeyUsageSyntax *eku,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXExtKeyUsageSyntax_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXExtKeyUsageSyntax
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_EXT_KEY_USAGE_SYNTAX
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXExtKeyUsageSyntax_verifyPointer
+(
+  NSSPKIXExtKeyUsageSyntax *p
+);
+#endif /* DEBUG */
+
+/*
+ * AuthorityInfoAccessSyntax
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  AuthorityInfoAccessSyntax  ::=
+ *          SEQUENCE SIZE (1..MAX) OF AccessDescription
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXAuthorityInfoAccessSyntax_Decode
+ *  nssPKIXAuthorityInfoAccessSyntax_Create
+ *  nssPKIXAuthorityInfoAccessSyntax_Destroy
+ *  nssPKIXAuthorityInfoAccessSyntax_Encode
+ *  nssPKIXAuthorityInfoAccessSyntax_GetAccessDescriptionCount
+ *  nssPKIXAuthorityInfoAccessSyntax_GetAccessDescriptions
+ *  nssPKIXAuthorityInfoAccessSyntax_SetAccessDescriptions
+ *  nssPKIXAuthorityInfoAccessSyntax_GetAccessDescription
+ *  nssPKIXAuthorityInfoAccessSyntax_SetAccessDescription
+ *  nssPKIXAuthorityInfoAccessSyntax_InsertAccessDescription
+ *  nssPKIXAuthorityInfoAccessSyntax_AppendAccessDescription
+ *  nssPKIXAuthorityInfoAccessSyntax_RemoveAccessDescription
+ *  nssPKIXAuthorityInfoAccessSyntax_FindAccessDescription
+ *  nssPKIXAuthorityInfoAccessSyntax_Equal
+ *  nssPKIXAuthorityInfoAccessSyntax_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXAuthorityInfoAccessSyntax_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXAuthorityInfoAccessSyntax_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAuthorityInfoAccessSyntax upon
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAuthorityInfoAccessSyntax *
+nssPKIXAuthorityInfoAccessSyntax_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXAuthorityInfoAccessSyntax_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAuthorityInfoAccessSyntax upon
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAuthorityInfoAccessSyntax *
+nssPKIXAuthorityInfoAccessSyntax_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAccessDescription *ad1,
+  ...
+);
+
+/*
+ * nssPKIXAuthorityInfoAccessSyntax_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAuthorityInfoAccessSyntax_Destroy
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias
+);
+
+/*
+ * nssPKIXAuthorityInfoAccessSyntax_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXAuthorityInfoAccessSyntax_Encode
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXAuthorityInfoAccessSyntax_GetAccessDescriptionCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXAuthorityInfoAccessSyntax_GetAccessDescriptionCount
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias
+);
+
+/*
+ * nssPKIXAuthorityInfoAccessSyntax_GetAccessDescriptions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ * 
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXAccessDescription pointers
+ *      upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAccessDescription **
+nssPKIXAuthorityInfoAccessSyntax_GetAccessDescriptions
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias,
+  NSSPKIXAccessDescription *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXAuthorityInfoAccessSyntax_SetAccessDescriptions
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAuthorityInfoAccessSyntax_SetAccessDescriptions
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias,
+  NSSPKIXAccessDescription *ad[],
+  PRInt32 count
+);
+
+/*
+ * nssPKIXAuthorityInfoAccessSyntax_GetAccessDescription
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAccessDescription upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAccessDescription *
+nssPKIXAuthorityInfoAccessSyntax_GetAccessDescription
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias,
+  PRInt32 i,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXAuthorityInfoAccessSyntax_SetAccessDescription
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAuthorityInfoAccessSyntax_SetAccessDescription
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias,
+  PRInt32 i,
+  NSSPKIXAccessDescription *ad
+);
+
+/*
+ * nssPKIXAuthorityInfoAccessSyntax_InsertAccessDescription
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAuthorityInfoAccessSyntax_InsertAccessDescription
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias,
+  PRInt32 i,
+  NSSPKIXAccessDescription *ad
+);
+
+/*
+ * nssPKIXAuthorityInfoAccessSyntax_AppendAccessDescription
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAuthorityInfoAccessSyntax_AppendAccessDescription
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias,
+  NSSPKIXAccessDescription *ad
+);
+
+/*
+ * nssPKIXAuthorityInfoAccessSyntax_RemoveAccessDescription
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAuthorityInfoAccessSyntax_RemoveAccessDescription
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias,
+  PRInt32 i
+);
+
+/*
+ * nssPKIXAuthorityInfoAccessSyntax_FindAccessDescription
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ * 
+ * Return value:
+ *  The index of the specified policy mapping upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+nssPKIXAuthorityInfoAccessSyntax_FindAccessDescription
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias,
+  NSSPKIXAccessDescription *ad
+);
+
+/*
+ * nssPKIXAuthorityInfoAccessSyntax_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXAuthorityInfoAccessSyntax_Equal
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias1,
+  NSSPKIXAuthorityInfoAccessSyntax *aias2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXAuthorityInfoAccessSyntax_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAuthorityInfoAccessSyntax upon
+ *      success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAuthorityInfoAccessSyntax *
+nssPKIXAuthorityInfoAccessSyntax_Duplicate
+(
+  NSSPKIXAuthorityInfoAccessSyntax *aias,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXAuthorityInfoAccessSyntax_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXAuthorityInfoAccessSyntax
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_AUTHORITY_INFO_ACCESS_SYNTAX
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAuthorityInfoAccessSyntax_verifyPointer
+(
+  NSSPKIXAuthorityInfoAccessSyntax *p
+);
+#endif /* DEBUG */
+
+/*
+ * AccessDescription
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  AccessDescription  ::=  SEQUENCE {
+ *          accessMethod          OBJECT IDENTIFIER,
+ *          accessLocation        GeneralName  }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXAccessDescription_Decode
+ *  nssPKIXAccessDescription_Create
+ *  nssPKIXAccessDescription_Destroy
+ *  nssPKIXAccessDescription_Encode
+ *  nssPKIXAccessDescription_GetAccessMethod
+ *  nssPKIXAccessDescription_SetAccessMethod
+ *  nssPKIXAccessDescription_GetAccessLocation
+ *  nssPKIXAccessDescription_SetAccessLocation
+ *  nssPKIXAccessDescription_Equal
+ *  nssPKIXAccessDescription_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXAccessDescription_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXAccessDescription_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAccessDescription upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAccessDescription *
+nssPKIXAccessDescription_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXAccessDescription_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAccessDescription upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAccessDescription *
+nssPKIXAccessDescription_Create
+(
+  NSSArena *arenaOpt,
+  NSSOID *accessMethod,
+  NSSPKIXGeneralName *accessLocation
+);
+
+/*
+ * nssPKIXAccessDescription_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAccessDescription_Destroy
+(
+  NSSPKIXAccessDescription *ad
+);
+
+/*
+ * nssPKIXAccessDescription_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXAccessDescription_Encode
+(
+  NSSPKIXAccessDescription *ad,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXAccessDescription_GetAccessMethod
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSOID pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSOID *
+nssPKIXAccessDescription_GetAccessMethod
+(
+  NSSPKIXAccessDescription *ad
+);
+
+/*
+ * nssPKIXAccessDescription_SetAccessMethod
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAccessDescription_SetAccessMethod
+(
+  NSSPKIXAccessDescription *ad,
+  NSSOID *accessMethod
+);
+
+/*
+ * nssPKIXAccessDescription_GetAccessLocation
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXGeneralName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXGeneralName *
+nssPKIXAccessDescription_GetAccessLocation
+(
+  NSSPKIXAccessDescription *ad,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXAccessDescription_SetAccessLocation
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ *  NSS_ERROR_INVALID_PKIX_GENERAL_NAME
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAccessDescription_SetAccessLocation
+(
+  NSSPKIXAccessDescription *ad,
+  NSSPKIXGeneralName *accessLocation
+);
+
+/*
+ * nssPKIXAccessDescription_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXAccessDescription_Equal
+(
+  NSSPKIXAccessDescription *ad1,
+  NSSPKIXAccessDescription *ad2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXAccessDescription_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXAccessDescription upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAccessDescription *
+nssPKIXAccessDescription_Duplicate
+(
+  NSSPKIXAccessDescription *ad,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXAccessDescription_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXAccessDescription
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ACCESS_DESCRIPTION
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAccessDescription_verifyPointer
+(
+  NSSPKIXAccessDescription *p
+);
+#endif /* DEBUG */
+
+/*
+ * IssuingDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  IssuingDistributionPoint ::= SEQUENCE {
+ *       distributionPoint       [0] DistributionPointName OPTIONAL,
+ *       onlyContainsUserCerts   [1] BOOLEAN DEFAULT FALSE,
+ *       onlyContainsCACerts     [2] BOOLEAN DEFAULT FALSE,
+ *       onlySomeReasons         [3] ReasonFlags OPTIONAL,
+ *       indirectCRL             [4] BOOLEAN DEFAULT FALSE }
+ *
+ * The private calls for this type:
+ *
+ *  nssPKIXIssuingDistributionPoint_Decode
+ *  nssPKIXIssuingDistributionPoint_Create
+ *  nssPKIXIssuingDistributionPoint_Destroy
+ *  nssPKIXIssuingDistributionPoint_Encode
+ *  nssPKIXIssuingDistributionPoint_HasDistributionPoint
+ *  nssPKIXIssuingDistributionPoint_GetDistributionPoint
+ *  nssPKIXIssuingDistributionPoint_SetDistributionPoint
+ *  nssPKIXIssuingDistributionPoint_RemoveDistributionPoint
+ *  nssPKIXIssuingDistributionPoint_GetOnlyContainsUserCerts
+ *  nssPKIXIssuingDistributionPoint_SetOnlyContainsUserCerts
+ *  nssPKIXIssuingDistributionPoint_GetOnlyContainsCACerts
+ *  nssPKIXIssuingDistributionPoint_SetOnlyContainsCACerts
+ *  nssPKIXIssuingDistributionPoint_HasOnlySomeReasons
+ *  nssPKIXIssuingDistributionPoint_GetOnlySomeReasons
+ *  nssPKIXIssuingDistributionPoint_SetOnlySomeReasons
+ *  nssPKIXIssuingDistributionPoint_RemoveOnlySomeReasons
+ *  nssPKIXIssuingDistributionPoint_GetIndirectCRL
+ *  nssPKIXIssuingDistributionPoint_SetIndirectCRL
+ *  nssPKIXIssuingDistributionPoint_Equal
+ *  nssPKIXIssuingDistributionPoint_Duplicate
+ * 
+ * In debug builds, the following call is available:
+ *
+ *  nssPKIXIssuingDistributionPoint_verifyPointer
+ *
+ */
+
+/*
+ * nssPKIXIssuingDistributionPoint_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXIssuingDistributionPoint upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXIssuingDistributionPoint *
+nssPKIXIssuingDistributionPoint_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+);
+
+/*
+ * nssPKIXIssuingDistributionPoint_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXIssuingDistributionPoint upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXIssuingDistributionPoint *
+nssPKIXIssuingDistributionPoint_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXDistributionPointName *distributionPointOpt,
+  PRBool onlyContainsUserCerts,
+  PRBool onlyContainsCACerts,
+  NSSPKIXReasonFlags *onlySomeReasons
+  PRBool indirectCRL
+);
+
+/*
+ * nssPKIXIssuingDistributionPoint_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXIssuingDistributionPoint_Destroy
+(
+  NSSPKIXIssuingDistributionPoint *idp
+);
+
+/*
+ * nssPKIXIssuingDistributionPoint_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXIssuingDistributionPoint_Encode
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXIssuingDistributionPoint_HasDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXIssuingDistributionPoint_HasDistributionPoint
+(
+  NSSPKIXIssuingDistributionPoint *idp
+);
+
+/*
+ * nssPKIXIssuingDistributionPoint_GetDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ *  NSS_ERROR_HAS_NO_DISTRIBUTION_POINT
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXDistributionPointName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXDistributionPointName *
+nssPKIXIssuingDistributionPoint_GetDistributionPoint
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXIssuingDistributionPoint_SetDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ *  NSS_ERROR_INVALID_PKIX_DISTRIBUTION_POINT_NAME
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXIssuingDistributionPoint_SetDistributionPoint
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  NSSPKIXDistributionPointName *dpn
+);
+
+/*
+ * nssPKIXIssuingDistributionPoint_RemoveDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ *  NSS_ERROR_HAS_NO_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXIssuingDistributionPoint_RemoveDistributionPoint
+(
+  NSSPKIXIssuingDistributionPoint *idp
+);
+
+/*
+ * nssPKIXIssuingDistributionPoint_GetOnlyContainsUserCerts
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_TRUE if the onlyContainsUserCerts value is true
+ *  PR_FALSE if it isn't
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXIssuingDistributionPoint_GetOnlyContainsUserCerts
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXIssuingDistributionPoint_SetOnlyContainsUserCerts
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXIssuingDistributionPoint_SetOnlyContainsUserCerts
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  PRBool onlyContainsUserCerts
+);
+
+/*
+ * nssPKIXIssuingDistributionPoint_GetOnlyContainsCACerts
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_TRUE if the onlyContainsCACerts value is true
+ *  PR_FALSE if it isn't
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXIssuingDistributionPoint_GetOnlyContainsCACerts
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXIssuingDistributionPoint_SetOnlyContainsCACerts
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXIssuingDistributionPoint_SetOnlyContainsCACerts
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  PRBool onlyContainsCACerts
+);
+
+/*
+ * nssPKIXIssuingDistributionPoint_HasOnlySomeReasons
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_TRUE if it has one
+ *  PR_FALSE if it doesn't
+ *  PR_FALSE upon failure
+ */
+
+NSS_EXTERN PRBool
+nssPKIXIssuingDistributionPoint_HasOnlySomeReasons
+(
+  NSSPKIXIssuingDistributionPoint *idp
+);
+
+/*
+ * nssPKIXIssuingDistributionPoint_GetOnlySomeReasons
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ *  NSS_ERROR_HAS_NO_ONLY_SOME_REASONS
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXReasonFlags upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXReasonFlags *
+nssPKIXIssuingDistributionPoint_GetOnlySomeReasons
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  NSSArena *arenaOpt
+);
+
+/*
+ * nssPKIXIssuingDistributionPoint_SetOnlySomeReasons
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ *  NSS_ERROR_INVALID_PKIX_REASON_FLAGS
+ *  NSS_ERROR_NO_MEMORY
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXIssuingDistributionPoint_SetOnlySomeReasons
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  NSSPKIXReasonFlags *onlySomeReasons
+);
+
+/*
+ * nssPKIXIssuingDistributionPoint_RemoveOnlySomeReasons
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ *  NSS_ERROR_HAS_NO_ONLY_SOME_REASONS
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXIssuingDistributionPoint_RemoveOnlySomeReasons
+(
+  NSSPKIXIssuingDistributionPoint *idp
+);
+
+/*
+ * nssPKIXIssuingDistributionPoint_GetIndirectCRL
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_TRUE if the indirectCRL value is true
+ *  PR_FALSE if it isn't
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXIssuingDistributionPoint_GetIndirectCRL
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXIssuingDistributionPoint_SetIndirectCRL
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXIssuingDistributionPoint_SetIndirectCRL
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  PRBool indirectCRL
+);
+
+/*
+ * nssPKIXIssuingDistributionPoint_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ * 
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+nssPKIXIssuingDistributionPoint_Equal
+(
+  NSSPKIXIssuingDistributionPoint *idp1,
+  NSSPKIXIssuingDistributionPoint *idp2,
+  PRStatus *statusOpt
+);
+
+/*
+ * nssPKIXIssuingDistributionPoint_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXIssuingDistributionPoint upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXIssuingDistributionPoint *
+nssPKIXIssuingDistributionPoint_Duplicate
+(
+  NSSPKIXIssuingDistributionPoint *idp,
+  NSSArena *arenaOpt
+);
+
+#ifdef DEBUG
+/*
+ * nssPKIXIssuingDistributionPoint_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXIssuingDistributionPoint
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ISSUING_DISTRIBUTION_POINT
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXIssuingDistributionPoint_verifyPointer
+(
+  NSSPKIXIssuingDistributionPoint *p
+);
+#endif /* DEBUG */
+
+PR_END_EXTERN_C
+
+#endif /* NSSPKIX_H */
diff --git a/security/nss/lib/pkix/include/pkixm.h b/security/nss/lib/pkix/include/pkixm.h
new file mode 100644
index 000000000..c273848b5
--- /dev/null
+++ b/security/nss/lib/pkix/include/pkixm.h
@@ -0,0 +1,969 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef PKIXM_H
+#define PKIXM_H
+
+#ifdef DEBUG
+static const char PKIXM_CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * pkixm.h
+ *
+ * This file contains the private type definitions for the 
+ * PKIX part-1 objects.  Mostly, this file contains the actual 
+ * structure definitions for the NSSPKIX types declared in nsspkixt.h.
+ */
+
+#ifndef PKIXTM_H
+#include "pkixtm.h"
+#endif /* PKIXTM_H */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * nss_pkix_Attribute_v_create
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttribute upon success
+ *  NULL upon failure.
+ */
+
+NSS_EXTERN NSSPKIXAttribute *
+nss_pkix_Attribute_v_create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAttributeType *typeOid,
+  PRUint32 count,
+  va_list ap
+);
+
+#ifdef DEBUG
+
+/*
+ * nss_pkix_Attribute_add_pointer
+ *
+ * This method is only present in debug builds.
+ *
+ * This module-private routine adds an NSSPKIXAttribute pointer to
+ * the internal pointer-tracker.  This routine should only be used 
+ * by the NSSPKIX module.  This routine returns a PRStatus value; 
+ * upon error it will place an error on the error stack and return 
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INTERNAL_ERROR
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nss_pkix_Attribute_add_pointer
+(
+  const NSSPKIXAttribute *p
+);
+
+/*
+ * nss_pkix_Attribute_remove_pointer
+ *
+ * This method is only present in debug builds.
+ *
+ * This module-private routine removes a valid NSSPKIXAttribute
+ * pointer from the internal pointer-tracker.  This routine should 
+ * only be used by the NSSPKIX module.  This routine returns a 
+ * PRStatus value; upon error it will place an error on the error 
+ * stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INTERNAL_ERROR
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nss_pkix_Attribute_remove_pointer
+(
+  const NSSPKIXAttribute *p
+);
+
+#endif /* DEBUG */
+
+
+#ifdef DEBUG
+
+NSS_EXTERN PRStatus
+nss_pkix_AttributeTypeAndValue_add_pointer
+(
+  const NSSPKIXAttributeTypeAndValue *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_AttributeTypeAndValue_remove_pointer
+(
+  const NSSPKIXAttributeTypeAndValue *p
+);
+
+#endif /* DEBUG */
+
+/*
+ * nss_pkix_X520Name_DoUTF8
+ *
+ */
+
+NSS_EXTERN PR_STATUS
+nss_pkix_X520Name_DoUTF8
+(
+  NSSPKIXX520Name *name
+);
+
+#ifdef DEBUG
+
+NSS_EXTERN PRStatus
+nss_pkix_X520Name_add_pointer
+(
+  const NSSPKIXX520Name *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_X520Name_remove_pointer
+(
+  const NSSPKIXX520Name *p
+);
+
+#endif /* DEBUG */
+
+/*
+ * nss_pkix_X520CommonName_DoUTF8
+ *
+ */
+
+NSS_EXTERN PR_STATUS
+nss_pkix_X520CommonName_DoUTF8
+(
+  NSSPKIXX520CommonName *name
+);
+
+#ifdef DEBUG
+
+NSS_EXTERN PRStatus
+nss_pkix_X520CommonName_add_pointer
+(
+  const NSSPKIXX520CommonName *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_X520CommonName_remove_pointer
+(
+  const NSSPKIXX520CommonName *p
+);
+
+
+NSS_EXTERN PRStatus
+nss_pkix_Name_add_pointer
+(
+  const NSSPKIXName *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_Name_remove_pointer
+(
+  const NSSPKIXName *p
+);
+
+/*
+ * nss_pkix_RDNSequence_v_create
+ */
+
+NSS_EXTERN NSSPKIXRDNSequence *
+nss_pkix_RDNSequence_v_create
+(
+  NSSArena *arenaOpt,
+  PRUint32 count,
+  va_list ap
+);
+
+/*
+ * nss_pkix_RDNSequence_Clear
+ *
+ * Wipes out cached data.
+ */
+
+NSS_EXTERN PRStatus
+nss_pkix_RDNSequence_Clear
+(
+  NSSPKIXRDNSequence *rdnseq
+);
+
+#ifdef DEBUG
+
+#ifdef NSSDEBUG
+
+NSS_EXTERN PRStatus
+nss_pkix_RDNSequence_register
+(
+  NSSPKIXRDNSequence *rdnseq
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_RDNSequence_deregister
+(
+  NSSPKIXRDNSequence *rdnseq
+);
+
+#endif /* NSSDEBUG */
+
+NSS_EXTERN PRStatus
+nss_pkix_RDNSequence_add_pointer
+(
+  const NSSPKIXRDNSequence *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_RDNSequence_remove_pointer
+(
+  const NSSPKIXRDNSequence *p
+);
+
+#endif /* DEBUG */
+
+/*
+ * nss_pkix_RelativeDistinguishedName_v_create
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure.
+ */
+
+NSS_EXTERN NSSPKIXRelativeDistinguishedName *
+nss_pkix_RelativeDistinguishedName_V_Create
+(
+  NSSArena *arenaOpt,
+  PRUint32 count,
+  va_list ap
+);
+
+/*
+ * nss_pkix_RelativeDistinguishedName_Clear
+ *
+ * Wipes out cached data.
+ */
+
+NSS_EXTERN PRStatus
+nss_pkix_RelativeDistinguishedName_Clear
+(
+  NSSPKIXRelativeDistinguishedName *rdn
+);
+
+#ifdef DEBUG
+
+#ifdef NSSDEBUG
+
+NSS_EXTERN PRStatus
+nss_pkix_RelativeDistinguishedName_register
+(
+  NSSPKIXRelativeDistinguishedName *rdn
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_RelativeDistinguishedName_deregister
+(
+  NSSPKIXRelativeDistinguishedName *rdn
+);
+
+#endif /* NSSDEBUG */
+
+NSS_EXTERN PRStatus
+nss_pkix_RelativeDistinguishedName_add_pointer
+(
+  const NSSPKIXRelativeDistinguishedName *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_RelativeDistinguishedName_remove_pointer
+(
+  const NSSPKIXRelativeDistinguishedName *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_Certificate_add_pointer
+(
+  const NSSPKIXCertificate *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_Certificate_remove_pointer
+(
+  const NSSPKIXCertificate *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_TBSCertificate_add_pointer
+(
+  const NSSPKIXTBSCertificate *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_TBSCertificate_remove_pointer
+(
+  const NSSPKIXTBSCertificate *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_Validity_add_pointer
+(
+  const NSSPKIXValidity *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_Validity_remove_pointer
+(
+  const NSSPKIXValidity *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_SubjectPublicKeyInfo_add_pointer
+(
+  const NSSPKIXSubjectPublicKeyInfo *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_SubjectPublicKeyInfo_remove_pointer
+(
+  const NSSPKIXSubjectPublicKeyInfo *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_CertificateList_add_pointer
+(
+  const NSSPKIXCertificateList *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_CertificateList_remove_pointer
+(
+  const NSSPKIXCertificateList *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_TBSCertList_add_pointer
+(
+  const NSSPKIXTBSCertList *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_TBSCertList_remove_pointer
+(
+  const NSSPKIXTBSCertList *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_revokedCertificates_add_pointer
+(
+  const NSSPKIXrevokedCertificates *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_revokedCertificates_remove_pointer
+(
+  const NSSPKIXrevokedCertificates *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_revokedCertificate_add_pointer
+(
+  const NSSPKIXrevokedCertificate *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_revokedCertificate_remove_pointer
+(
+  const NSSPKIXrevokedCertificate *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_AlgorithmIdentifier_add_pointer
+(
+  const NSSPKIXAlgorithmIdentifier *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_AlgorithmIdentifier_remove_pointer
+(
+  const NSSPKIXAlgorithmIdentifier *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_ORAddress_add_pointer
+(
+  const NSSPKIXORAddress *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_ORAddress_remove_pointer
+(
+  const NSSPKIXORAddress *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_BuiltInStandardAttributes_add_pointer
+(
+  const NSSPKIXBuiltInStandardAttributes *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_BuiltInStandardAttributes_remove_pointer
+(
+  const NSSPKIXBuiltInStandardAttributes *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_PersonalName_add_pointer
+(
+  const NSSPKIXPersonalName *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_PersonalName_remove_pointer
+(
+  const NSSPKIXPersonalName *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_OrganizationalUnitNames_add_pointer
+(
+  const NSSPKIXOrganizationalUnitNames *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_OrganizationalUnitNames_remove_pointer
+(
+  const NSSPKIXOrganizationalUnitNames *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_BuiltInDomainDefinedAttributes_add_pointer
+(
+  const NSSPKIXBuiltInDomainDefinedAttributes *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_BuiltInDomainDefinedAttributes_remove_pointer
+(
+  const NSSPKIXBuiltInDomainDefinedAttributes *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_BuiltInDomainDefinedAttribute_add_pointer
+(
+  const NSSPKIXBuiltInDomainDefinedAttribute *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_BuiltInDomainDefinedAttribute_remove_pointer
+(
+  const NSSPKIXBuiltInDomainDefinedAttribute *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_ExtensionAttributes_add_pointer
+(
+  const NSSPKIXExtensionAttributes *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_ExtensionAttributes_remove_pointer
+(
+  const NSSPKIXExtensionAttribute *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_ExtensionAttribute_add_pointer
+(
+  const NSSPKIXExtensionAttribute *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_ExtensionAttribute_remove_pointer
+(
+  const NSSPKIXExtensionAttribute *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_TeletexPersonalName_add_pointer
+(
+  const NSSPKIXTeletexPersonalName *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_TeletexPersonalName_remove_pointer
+(
+  const NSSPKIXTeletexPersonalName *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_TeletexOrganizationalUnitNames_add_pointer
+(
+  const NSSPKIXTeletexOrganizationalUnitNames *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_TeletexOrganizationalUnitNames_remove_pointer
+(
+  const NSSPKIXTeletexOrganizationalUnitNames *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_PDSParameter_add_pointer
+(
+  const NSSPKIXPDSParameter *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_PDSParameter_remove_pointer
+(
+  const NSSPKIXPDSParameter *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_ExtendedNetworkAddress_add_pointer
+(
+  const NSSPKIXExtendedNetworkAddress *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_ExtendedNetworkAddress_remove_pointer
+(
+  const NSSPKIXExtendedNetworkAddress *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_e1634Address_add_pointer
+(
+  const NSSPKIXe1634Address *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_e1634Address_remove_pointer
+(
+  const NSSPKIXe1634Address *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_TeletexDomainDefinedAttributes_add_pointer
+(
+  const NSSPKIXTeletexDomainDefinedAttributes *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_TeletexDomainDefinedAttributes_remove_pointer
+(
+  const NSSPKIXTeletexDomainDefinedAttributes *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_TeletexDomainDefinedAttribute_add_pointer
+(
+  const NSSPKIXTeletexDomainDefinedAttribute *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_TeletexDomainDefinedAttribute_remove_pointer
+(
+  const NSSPKIXTeletexDomainDefinedAttribute *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_AuthorityKeyIdentifier_add_pointer
+(
+  const NSSPKIXAuthorityKeyIdentifier *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_AuthorityKeyIdentifier_remove_pointer
+(
+  const NSSPKIXAuthorityKeyIdentifier *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_KeyUsage_add_pointer
+(
+  const NSSPKIXKeyUsage *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_KeyUsage_remove_pointer
+(
+  const NSSPKIXKeyUsage *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_PrivateKeyUsagePeriod_add_pointer
+(
+  const NSSPKIXPrivateKeyUsagePeriod *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_PrivateKeyUsagePeriod_remove_pointer
+(
+  const NSSPKIXPrivateKeyUsagePeriod *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_CertificatePolicies_add_pointer
+(
+  const NSSPKIXCertificatePolicies *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_CertificatePolicies_remove_pointer
+(
+  const NSSPKIXCertificatePolicies *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_PolicyInformation_add_pointer
+(
+  const NSSPKIXPolicyInformation *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_PolicyInformation_remove_pointer
+(
+  const NSSPKIXPolicyInformation *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_PolicyQualifierInfo_add_pointer
+(
+  const NSSPKIXPolicyQualifierInfo *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_PolicyQualifierInfo_remove_pointer
+(
+  const NSSPKIXPolicyQualifierInfo *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_UserNotice_add_pointer
+(
+  const NSSPKIXUserNotice *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_UserNotice_remove_pointer
+(
+  const NSSPKIXUserNotice *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_NoticeReference_add_pointer
+(
+  const NSSPKIXNoticeReference *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_NoticeReference_remove_pointer
+(
+  const NSSPKIXNoticeReference *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_PolicyMappings_add_pointer
+(
+  const NSSPKIXPolicyMappings *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_PolicyMappings_remove_pointer
+(
+  const NSSPKIXPolicyMappings *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_policyMapping_add_pointer
+(
+  const NSSPKIXpolicyMapping *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_policyMapping_remove_pointer
+(
+  const NSSPKIXpolicyMapping *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_GeneralName_add_pointer
+(
+  const NSSPKIXGeneralName *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_GeneralName_remove_pointer
+(
+  const NSSPKIXGeneralName *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_GeneralNames_add_pointer
+(
+  const NSSPKIXGeneralNames *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_GeneralNames_remove_pointer
+(
+  const NSSPKIXGeneralNames *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_AnotherName_add_pointer
+(
+  const NSSPKIXAnotherName *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_AnotherName_remove_pointer
+(
+  const NSSPKIXAnotherName *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_EDIPartyName_add_pointer
+(
+  const NSSPKIXEDIPartyName *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_EDIPartyName_remove_pointer
+(
+  const NSSPKIXEDIPartyName *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_SubjectDirectoryAttributes_add_pointer
+(
+  const NSSPKIXSubjectDirectoryAttributes *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_SubjectDirectoryAttributes_remove_pointer
+(
+  const NSSPKIXSubjectDirectoryAttributes *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_BasicConstraints_add_pointer
+(
+  const NSSPKIXBasicConstraints *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_BasicConstraints_remove_pointer
+(
+  const NSSPKIXBasicConstraints *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_NameConstraints_add_pointer
+(
+  const NSSPKIXNameConstraints *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_NameConstraints_remove_pointer
+(
+  const NSSPKIXNameConstraints *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_GeneralSubtrees_add_pointer
+(
+  const NSSPKIXGeneralSubtrees *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_GeneralSubtrees_remove_pointer
+(
+  const NSSPKIXGeneralSubtrees *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_GeneralSubtree_add_pointer
+(
+  const NSSPKIXGeneralSubtree *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_GeneralSubtree_remove_pointer
+(
+  const NSSPKIXGeneralSubtree *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_PolicyConstraints_add_pointer
+(
+  const NSSPKIXPolicyConstraints *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_PolicyConstraints_remove_pointer
+(
+  const NSSPKIXPolicyConstraints *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_CRLDistPointsSyntax_add_pointer
+(
+  const NSSPKIXCRLDistPointsSyntax *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_CRLDistPointsSyntax_remove_pointer
+(
+  const NSSPKIXCRLDistPointsSyntax *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_DistributionPoint_add_pointer
+(
+  const NSSPKIXDistributionPoint *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_DistributionPoint_remove_pointer
+(
+  const NSSPKIXDistributionPoint *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_DistributionPointName_add_pointer
+(
+  const NSSPKIXDistributionPointName *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_DistributionPointName_remove_pointer
+(
+  const NSSPKIXDistributionPointName *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_ReasonFlags_add_pointer
+(
+  const NSSPKIXReasonFlags *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_ReasonFlags_remove_pointer
+(
+  const NSSPKIXReasonFlags *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_ExtKeyUsageSyntax_add_pointer
+(
+  const NSSPKIXExtKeyUsageSyntax *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_ExtKeyUsageSyntax_remove_pointer
+(
+  const NSSPKIXExtKeyUsageSyntax *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_AuthorityInfoAccessSyntax_add_pointer
+(
+  const NSSPKIXAuthorityInfoAccessSyntax *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_AuthorityInfoAccessSyntax_remove_pointer
+(
+  const NSSPKIXAuthorityInfoAccessSyntax *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_AccessDescription_add_pointer
+(
+  const NSSPKIXAccessDescription *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_AccessDescription_remove_pointer
+(
+  const NSSPKIXAccessDescription *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_IssuingDistributionPoint_add_pointer
+(
+  const NSSPKIXIssuingDistributionPoint *p
+);
+
+NSS_EXTERN PRStatus
+nss_pkix_IssuingDistributionPoint_remove_pointer
+(
+  const NSSPKIXIssuingDistributionPoint *p
+);
+
+#endif /* DEBUG */
+
+PR_END_EXTERN_C
+
+#endif /* PKIXM_H */
diff --git a/security/nss/lib/pkix/include/pkixt.h b/security/nss/lib/pkix/include/pkixt.h
new file mode 100644
index 000000000..b620cfb8c
--- /dev/null
+++ b/security/nss/lib/pkix/include/pkixt.h
@@ -0,0 +1,57 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef PKIXT_H
+#define PKIXT_H
+
+#ifdef DEBUG
+static const char PKIXT_CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * pkixt.h
+ *
+ * This file contains the private type definitions for the 
+ * PKIX part-1 objects.  Mostly, this file contains the actual 
+ * structure definitions for the NSSPKIX types declared in nsspkixt.h.
+ */
+
+#ifndef NSSPKIXT_H
+#include "nsspkixt.h"
+#endif /* NSSPKIXT_H */
+
+PR_BEGIN_EXTERN_C
+
+PR_END_EXTERN_C
+
+#endif /* PKIXT_H */
diff --git a/security/nss/lib/pkix/include/pkixtm.h b/security/nss/lib/pkix/include/pkixtm.h
new file mode 100644
index 000000000..1a9e57af0
--- /dev/null
+++ b/security/nss/lib/pkix/include/pkixtm.h
@@ -0,0 +1,1581 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef PKIXTM_H
+#define PKIXTM_H
+
+#ifdef DEBUG
+static const char PKIXTM_CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * pkixtm.h
+ *
+ * This file contains the module-private type definitions for the 
+ * PKIX part-1 objects.  Mostly, this file contains the actual 
+ * structure definitions for the NSSPKIX types declared in nsspkixt.h.
+ */
+
+#ifndef NSSPKIXT_H
+#include "nsspkixt.h"
+#endif /* NSSPKIXT_H */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * Attribute
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Attribute       ::=     SEQUENCE {
+ *          type            AttributeType,
+ *          values  SET OF AttributeValue
+ *                  -- at least one value is required -- }
+ *
+ */
+
+struct NSSPKIXAttributeStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSBER *ber;
+  NSSDER *der;
+  nssASN1Item asn1type;
+  nssASN1Item **asn1values;
+  NSSPKIXAttributeType *type;
+  PRUint32 valuesCount;
+};
+
+/*
+ * AttributeTypeAndValue
+ *
+ * This structure contains an attribute type (indicated by an OID), 
+ * and the type-specific value.  RelativeDistinguishedNamess consist
+ * of a set of these.  These are distinct from Attributes (which have
+ * SET of values), from AttributeDescriptions (which have qualifiers
+ * on the types), and from AttributeValueAssertions (which assert a
+ * a value comparison under some matching rule).
+ *
+ * From RFC 2459:
+ *
+ *  AttributeTypeAndValue           ::=     SEQUENCE {
+ *          type    AttributeType,
+ *          value   AttributeValue }
+ * 
+ */
+
+struct NSSPKIXAttributeTypeAndValueStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  nssASN1Item asn1type;
+  nssASN1Item asn1value;
+  NSSPKIXAttributeType *type;
+  NSSUTF8 *utf8;
+};
+
+/*
+ * X520Name
+ *
+ * From RFC 2459:
+ *
+ *  X520name        ::= CHOICE {
+ *        teletexString         TeletexString (SIZE (1..ub-name)),
+ *        printableString       PrintableString (SIZE (1..ub-name)),
+ *        universalString       UniversalString (SIZE (1..ub-name)),
+ *        utf8String            UTF8String (SIZE (1..ub-name)),
+ *        bmpString             BMPString (SIZE(1..ub-name))   }
+ *
+ *
+ *  ub-name INTEGER ::=     32768
+ *
+ */
+
+struct NSSPKIXX520NameStr {
+  nssASN1Item string;
+  NSSUTF8 *utf8;
+  NSSDER *der;
+  PRBool wasPrintable;
+  PRBool inArena;
+};
+
+/*
+ * From RFC 2459:
+ *
+ *  X520CommonName  ::=      CHOICE {
+ *        teletexString         TeletexString (SIZE (1..ub-common-name)),
+ *        printableString       PrintableString (SIZE (1..ub-common-name)),
+ *        universalString       UniversalString (SIZE (1..ub-common-name)),
+ *        utf8String            UTF8String (SIZE (1..ub-common-name)),
+ *        bmpString             BMPString (SIZE(1..ub-common-name))   }
+ * 
+ *  ub-common-name  INTEGER ::=     64
+ *
+ */
+
+struct NSSPKIXX520CommonNameStr {
+};
+
+/*
+ * Name
+ *
+ * This structure contains a union of the possible name formats,
+ * which at the moment is limited to an RDNSequence.
+ *
+ * From RFC 2459:
+ *
+ *  Name            ::=   CHOICE { -- only one possibility for now --
+ *                                   rdnSequence  RDNSequence }
+ *
+ */
+
+struct NSSPKIXNameStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *ber;
+  NSSDER *der;
+  NSSUTF8 *utf;
+  NSSPKIXNameChoice choice;
+  union {
+    NSSPKIXRDNSequence *rdnSequence;
+  } u;
+};
+
+/*
+ * RDNSequence
+ *
+ * This structure contains a sequence of RelativeDistinguishedName
+ * objects.
+ *
+ * From RFC 2459:
+ *
+ *  RDNSequence     ::=   SEQUENCE OF RelativeDistinguishedName
+ *
+ */
+
+struct NSSPKIXRDNSequenceStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSBER *ber;
+  NSSDER *der;
+  NSSUTF8 *utf8;
+  PRUint32 count;
+  NSSPKIXRelativeDistinguishedName **rdns;
+};
+
+/*
+ * RelativeDistinguishedName
+ *
+ * This structure contains an unordered set of AttributeTypeAndValue 
+ * objects.  RDNs are used to distinguish a set of objects underneath 
+ * a common object.
+ *
+ * Often, a single ATAV is sufficient to make a unique distinction.
+ * For example, if a company assigns its people unique uid values,
+ * then in the Name "uid=smith,ou=People,o=Acme,c=US" the "uid=smith"
+ * ATAV by itself forms an RDN.  However, sometimes a set of ATAVs is
+ * needed.  For example, if a company needed to distinguish between
+ * two Smiths by specifying their corporate divisions, then in the
+ * Name "(cn=Smith,ou=Sales),ou=People,o=Acme,c=US" the parenthesised
+ * set of ATAVs forms the RDN.
+ *
+ * From RFC 2459:
+ *
+ *  RelativeDistinguishedName  ::=
+ *                      SET SIZE (1 .. MAX) OF AttributeTypeAndValue
+ *
+ */
+
+struct NSSPKIXRelativeDistinguishedNameStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSBER *ber;
+  NSSUTF8 *utf8;
+  PRUint32 count;
+  NSSPKIXAttributeTypeAndValue **atavs;
+};
+
+/*
+ * Certificate
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Certificate  ::=  SEQUENCE  {
+ *       tbsCertificate       TBSCertificate,
+ *       signatureAlgorithm   AlgorithmIdentifier,
+ *       signature            BIT STRING  }
+ *
+ */
+
+struct NSSPKIXCertificateStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXTBSCertificate *tbsCertificate;
+  NSSPKIXAlgorithmIdentifier *signatureAlgorithm;
+  NSSItem *signature;
+};
+
+/*
+ * TBSCertificate
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TBSCertificate  ::=  SEQUENCE  {
+ *       version         [0]  Version DEFAULT v1,
+ *       serialNumber         CertificateSerialNumber,
+ *       signature            AlgorithmIdentifier,
+ *       issuer               Name,
+ *       validity             Validity,
+ *       subject              Name,
+ *       subjectPublicKeyInfo SubjectPublicKeyInfo,
+ *       issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
+ *                            -- If present, version shall be v2 or v3
+ *       subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
+ *                            -- If present, version shall be v2 or v3
+ *       extensions      [3]  Extensions OPTIONAL
+ *                            -- If present, version shall be v3 --  }
+ *
+ */
+
+struct NSSPKIXTBSCertificateStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXVersion version;
+  NSSPKIXCertificateSerialNumber serialNumber;
+  NSSPKIXAlgorithmIdentifier *signature;
+  NSSPKIXName *issuer;
+  NSSPKIXValidity *validity;
+  NSSPKIXName *subject;
+  NSSPKIXSubjectPublicKeyInfo *subjectPublicKeyInfo;
+  NSSPKIXUniqueIdentifier *issuerUniqueID;
+  NSSPKIXUniqueIdentifier *subjectUniqueID;
+  NSSPKIXExtensions *extensions;
+};
+
+/*
+ * Validity
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Validity ::= SEQUENCE {
+ *       notBefore      Time,
+ *       notAfter       Time }
+ *
+ */
+
+struct NSSPKIXValidityStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  ...
+};
+
+/*
+ * Time
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Time ::= CHOICE {
+ *       utcTime        UTCTime,
+ *       generalTime    GeneralizedTime }
+ *
+ */
+
+struct NSSPKIXTimeStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSBER *ber;
+  nssASN1Item asn1item;
+  PRTime prTime;
+  PRBool prTimeValid;
+};
+
+/*
+ * SubjectPublicKeyInfo
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  SubjectPublicKeyInfo  ::=  SEQUENCE  {
+ *       algorithm            AlgorithmIdentifier,
+ *       subjectPublicKey     BIT STRING  }
+ *
+ */
+
+struct NSSPKIXSubjectPublicKeyInfoStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXAlgorithmIdentifier *algorithm;
+  NSSItem *subjectPublicKey;
+};
+
+/*
+ * Extensions
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
+ *
+ */
+
+struct NSSPKIXExtensionsStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  ...
+};
+
+/*
+ * Extension
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  Extension  ::=  SEQUENCE  {
+ *       extnID      OBJECT IDENTIFIER,
+ *       critical    BOOLEAN DEFAULT FALSE,
+ *       extnValue   OCTET STRING  }
+ *
+ */
+
+struct NSSPKIXExtensionStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSOID *extnID;
+  PRBool critical;
+  NSSItem *extnValue;
+};
+
+/*
+ * CertificateList
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CertificateList  ::=  SEQUENCE  {
+ *       tbsCertList          TBSCertList,
+ *       signatureAlgorithm   AlgorithmIdentifier,
+ *       signature            BIT STRING  }
+ *
+ */
+
+struct NSSPKIXCertificateListStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXTBSCertList *tbsCertList;
+  NSSPKIXAlgorithmIdentifier *signatureAlgorithm;
+  NSSItem *signature;
+};
+
+/*
+ * TBSCertList
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TBSCertList  ::=  SEQUENCE  {
+ *       version                 Version OPTIONAL,
+ *                                    -- if present, shall be v2
+ *       signature               AlgorithmIdentifier,
+ *       issuer                  Name,
+ *       thisUpdate              Time,
+ *       nextUpdate              Time OPTIONAL,
+ *       revokedCertificates     SEQUENCE OF SEQUENCE  {
+ *            userCertificate         CertificateSerialNumber,
+ *            revocationDate          Time,
+ *            crlEntryExtensions      Extensions OPTIONAL
+ *                                           -- if present, shall be v2
+ *                                 }  OPTIONAL,
+ *       crlExtensions           [0] Extensions OPTIONAL
+ *                                           -- if present, shall be v2 -- }
+ *
+ */
+
+struct NSSPKIXTBSCertListStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXVersion version;
+  NSSPKIXAlgorithmIdentifier *signature;
+  NSSPKIXName *issuer;
+  -time- thisUpdate;
+  -time- nextUpdate;
+  NSSPKIXrevokedCertificates *revokedCertificates;
+  NSSPKIXExtensions *crlExtensions;  
+};
+
+/*
+ * revokedCertificates
+ *
+ * This is a "helper type" to simplify handling of TBSCertList objects.
+ *
+ *       revokedCertificates     SEQUENCE OF SEQUENCE  {
+ *            userCertificate         CertificateSerialNumber,
+ *            revocationDate          Time,
+ *            crlEntryExtensions      Extensions OPTIONAL
+ *                                           -- if present, shall be v2
+ *                                 }  OPTIONAL,
+ *
+ */
+
+struct NSSPKIXrevokedCertificatesStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  ...
+};
+
+/*
+ * revokedCertificate
+ *
+ * This is a "helper type" to simplify handling of TBSCertList objects.
+ *
+ *                                           SEQUENCE  {
+ *            userCertificate         CertificateSerialNumber,
+ *            revocationDate          Time,
+ *            crlEntryExtensions      Extensions OPTIONAL
+ *                                           -- if present, shall be v2
+ *                                 }  OPTIONAL,
+ *
+ */
+
+struct NSSPKIXrevokedCertificateStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXCertificateSerialNumber *userCertificate;
+  -time- revocationDate;
+  NSSPKIXExtensions *crlEntryExtensions;
+};
+
+/*
+ * AlgorithmIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ * (1988 syntax)
+ *
+ *  AlgorithmIdentifier  ::=  SEQUENCE  {
+ *       algorithm               OBJECT IDENTIFIER,
+ *       parameters              ANY DEFINED BY algorithm OPTIONAL  }
+ *                                  -- contains a value of the type
+ *                                  -- registered for use with the
+ *                                  -- algorithm object identifier value
+ *
+ *
+ */
+
+struct NSSPKIXAlgorithmIdentifierStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSBER *ber;
+  NSSOID *algorithm;
+  NSSItem *parameters;
+};
+
+/*
+ * -- types related to NSSPKIXAlgorithmIdentifiers:
+ *
+ *  Dss-Sig-Value  ::=  SEQUENCE  {
+ *       r       INTEGER,
+ *       s       INTEGER  }
+ *  
+ *  DomainParameters ::= SEQUENCE {
+ *       p       INTEGER, -- odd prime, p=jq +1
+ *       g       INTEGER, -- generator, g
+ *       q       INTEGER, -- factor of p-1
+ *       j       INTEGER OPTIONAL, -- subgroup factor, j>= 2
+ *       validationParms  ValidationParms OPTIONAL }
+ *  
+ *  ValidationParms ::= SEQUENCE {
+ *       seed             BIT STRING,
+ *       pgenCounter      INTEGER }
+ *  
+ *  Dss-Parms  ::=  SEQUENCE  {
+ *       p             INTEGER,
+ *       q             INTEGER,
+ *       g             INTEGER  }
+ *
+ */
+
+/*
+ * ORAddress
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ORAddress ::= SEQUENCE {
+ *     built-in-standard-attributes BuiltInStandardAttributes,
+ *     built-in-domain-defined-attributes
+ *                          BuiltInDomainDefinedAttributes OPTIONAL,
+ *     -- see also teletex-domain-defined-attributes
+ *     extension-attributes ExtensionAttributes OPTIONAL }
+ *  --      The OR-address is semantically absent from the OR-name if the
+ *  --      built-in-standard-attribute sequence is empty and the
+ *  --      built-in-domain-defined-attributes and extension-attributes are
+ *  --      both omitted.
+ *
+ */
+
+struct NSSPKIXORAddressStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXBuiltInStandardAttributes *builtInStandardAttributes;
+  NSSPKIXBuiltInDomainDefinedAttributes *builtInDomainDefinedAttributes;
+  NSSPKIXExtensionsAttributes *extensionAttributes;
+};
+
+/*
+ * BuiltInStandardAttributes
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  BuiltInStandardAttributes ::= SEQUENCE {
+ *     country-name CountryName OPTIONAL,
+ *     administration-domain-name AdministrationDomainName OPTIONAL,
+ *     network-address      [0] NetworkAddress OPTIONAL,
+ *     -- see also extended-network-address
+ *     terminal-identifier  [1] TerminalIdentifier OPTIONAL,
+ *     private-domain-name  [2] PrivateDomainName OPTIONAL,
+ *     organization-name    [3] OrganizationName OPTIONAL,
+ *     -- see also teletex-organization-name
+ *     numeric-user-identifier      [4] NumericUserIdentifier OPTIONAL,
+ *     personal-name        [5] PersonalName OPTIONAL,
+ *     -- see also teletex-personal-name
+ *     organizational-unit-names    [6] OrganizationalUnitNames OPTIONAL
+ *     -- see also teletex-organizational-unit-names -- }
+ *
+ */
+
+struct NSSPKIXBuiltInStandardAttributesStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXCountryName *countryName;
+  NSSPKIXAdministrationDomainName *administrationDomainName;
+  NSSPKIXNetworkAddress *networkAddress;
+  NSSPKIXTerminalIdentifier *terminalIdentifier;
+  NSSPKIXPrivateDomainName *privateDomainName;
+  NSSPKIXOrganizationName *organizationName;
+  NSSPKIXNumericUserIdentifier *numericUserIdentifier;
+  NSSPKIXPersonalName *personalName;
+  NSSPKIXOrganizationalUnitNames *organizationalUnitNames;
+};
+
+/*
+ * PersonalName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PersonalName ::= SET {
+ *     surname [0] PrintableString (SIZE (1..ub-surname-length)),
+ *     given-name [1] PrintableString
+ *                          (SIZE (1..ub-given-name-length)) OPTIONAL,
+ *     initials [2] PrintableString (SIZE (1..ub-initials-length)) OPTIONAL,
+ *     generation-qualifier [3] PrintableString
+ *                  (SIZE (1..ub-generation-qualifier-length)) OPTIONAL }
+ *
+ */
+
+struct NSSPKIXPersonalNameStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSUTF8 *surname;
+  NSSUTF8 *givenName;
+  NSSUTF8 *initials;
+  NSSUTF8 *generationQualifier;
+};
+
+/*
+ * OrganizationalUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
+ *                                          OF OrganizationalUnitName
+ * 
+ */
+
+struct NSSPKIXOrganizationalUnitNamesStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  ...
+};
+
+/*
+ * BuiltInDomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  BuiltInDomainDefinedAttributes ::= SEQUENCE SIZE
+ *                                  (1..ub-domain-defined-attributes) OF
+ *                                  BuiltInDomainDefinedAttribute
+ *
+ */
+
+struct NSSPKIXBuiltInDomainDefinedAttributesStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  ...
+};
+
+/*
+ * BuiltInDomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  BuiltInDomainDefinedAttribute ::= SEQUENCE {
+ *     type PrintableString (SIZE
+ *                          (1..ub-domain-defined-attribute-type-length)),
+ *     value PrintableString (SIZE
+ *                          (1..ub-domain-defined-attribute-value-length))}
+ *
+ */
+
+struct NSSPKIXBuiltInDomainDefinedAttributeStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSUTF8 *type;
+  NSSUTF8 *value;
+};
+
+/*
+ * ExtensionAttributes
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ExtensionAttributes ::= SET SIZE (1..ub-extension-attributes) OF
+ *                          ExtensionAttribute
+ *
+ */
+
+struct NSSPKIXExtensionAttributesStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  ...
+};
+
+/*
+ * ExtensionAttribute
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ExtensionAttribute ::=  SEQUENCE {
+ *     extension-attribute-type [0] INTEGER (0..ub-extension-attributes),
+ *     extension-attribute-value [1]
+ *                          ANY DEFINED BY extension-attribute-type }
+ *
+ */
+
+struct NSSPKIXExtensionAttributeStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXExtensionsAttributeType extensionAttributeType;
+  NSSItem *extensionAttributeValue;
+};
+
+/*
+ * TeletexPersonalName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexPersonalName ::= SET {
+ *     surname [0] TeletexString (SIZE (1..ub-surname-length)),
+ *     given-name [1] TeletexString
+ *                  (SIZE (1..ub-given-name-length)) OPTIONAL,
+ *     initials [2] TeletexString (SIZE (1..ub-initials-length)) OPTIONAL,
+ *     generation-qualifier [3] TeletexString (SIZE
+ *                  (1..ub-generation-qualifier-length)) OPTIONAL }
+ *
+ */
+
+struct NSSPKIXTeletexPersonalNameStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSUTF8 *surname;
+  NSSUTF8 *givenName;
+  NSSUTF8 *initials;
+  NSSUTF8 *generationQualifier;
+};
+
+/*
+ * TeletexOrganizationalUnitNames
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexOrganizationalUnitNames ::= SEQUENCE SIZE
+ *          (1..ub-organizational-units) OF TeletexOrganizationalUnitName
+ *
+ */
+
+struct NSSPKIXTeletexOrganizationalUnitNamesStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  ...
+};
+
+/*
+ * PDSParameter
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PDSParameter ::= SET {
+ *     printable-string PrintableString
+ *                  (SIZE(1..ub-pds-parameter-length)) OPTIONAL,
+ *     teletex-string TeletexString
+ *                  (SIZE(1..ub-pds-parameter-length)) OPTIONAL }
+ *
+ */
+
+struct NSSPKIXPDSParameterStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSUTF8 *printableString;
+  NSSTUF8 *teletexString;
+};
+
+/*
+ * UnformattedPostalAddress
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  UnformattedPostalAddress ::= SET {
+ *     printable-address SEQUENCE SIZE (1..ub-pds-physical-address-lines) OF
+ *             PrintableString (SIZE (1..ub-pds-parameter-length)) OPTIONAL,
+ *     teletex-string TeletexString
+ *           (SIZE (1..ub-unformatted-address-length)) OPTIONAL }
+ *
+ */
+
+struct NSSPKIXUnformattedPostalAddressStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  ...
+  NSSUTF8 *teletexString;
+};
+
+/*
+ * ExtendedNetworkAddress
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ExtendedNetworkAddress ::= CHOICE {
+ *     e163-4-address SEQUENCE {
+ *          number [0] NumericString (SIZE (1..ub-e163-4-number-length)),
+ *          sub-address [1] NumericString
+ *                  (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL },
+ *     psap-address [0] PresentationAddress }
+ *
+ */
+
+struct NSSPKIXExtendedNetworkAddressStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXExtendedNetworkAddressChoice choice;
+  union {
+    NSSe1634address *e1634Address;
+    NSSPKIXPresentationAddress *psapAddress;
+  } u;
+};
+
+/*
+ * e163-4-address
+ *
+ * Helper structure for ExtendedNetworkAddress.
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ * 
+ *     e163-4-address SEQUENCE {
+ *          number [0] NumericString (SIZE (1..ub-e163-4-number-length)),
+ *          sub-address [1] NumericString
+ *                  (SIZE (1..ub-e163-4-sub-address-length)) OPTIONAL },
+ * 
+ */
+
+struct NSSe1634addressStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSUTF8 *number;
+  NSSUTF8 *subAddress;
+};
+
+/*
+ * PresentationAddress
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PresentationAddress ::= SEQUENCE {
+ *          pSelector       [0] EXPLICIT OCTET STRING OPTIONAL,
+ *          sSelector       [1] EXPLICIT OCTET STRING OPTIONAL,
+ *          tSelector       [2] EXPLICIT OCTET STRING OPTIONAL,
+ *          nAddresses      [3] EXPLICIT SET SIZE (1..MAX) OF OCTET STRING }
+ *
+ */
+
+struct NSSPKIXPresentationAddressStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSItem *pSelector;
+  NSSItem *sSelector;
+  NSSItem *tSelector;
+  NSSItem *nAddresses[]; --fgmr--
+};
+
+/*
+ * TeletexDomainDefinedAttributes
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexDomainDefinedAttributes ::= SEQUENCE SIZE
+ *     (1..ub-domain-defined-attributes) OF TeletexDomainDefinedAttribute
+ * 
+ */
+
+struct NSSPKIXTeletexDomainDefinedAttributesStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  ...
+};
+
+/*
+ * TeletexDomainDefinedAttribute
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  TeletexDomainDefinedAttribute ::= SEQUENCE {
+ *          type TeletexString
+ *                 (SIZE (1..ub-domain-defined-attribute-type-length)),
+ *          value TeletexString
+ *                 (SIZE (1..ub-domain-defined-attribute-value-length)) }
+ * 
+ */
+
+struct NSSPKIXTeletexDomainDefinedAttributeStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSUTF8 *type;
+  NSSUTF8 *value;
+};
+
+/*
+ * AuthorityKeyIdentifier
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  AuthorityKeyIdentifier ::= SEQUENCE {
+ *        keyIdentifier             [0] KeyIdentifier            OPTIONAL,
+ *        authorityCertIssuer       [1] GeneralNames             OPTIONAL,
+ *        authorityCertSerialNumber [2] CertificateSerialNumber  OPTIONAL }
+ *      -- authorityCertIssuer and authorityCertSerialNumber shall both
+ *      -- be present or both be absent
+ *
+ */
+
+struct NSSPKIXAuthorityKeyIdentifierStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXKeyIdentifier *keyIdentifier;
+  NSSPKIXGeneralNames *authorityCertIssuer;
+  NSSPKIXCertificateSerialNumber *authorityCertSerialNumber;
+};
+
+/*
+ * KeyUsage
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  KeyUsage ::= BIT STRING {
+ *       digitalSignature        (0),
+ *       nonRepudiation          (1),
+ *       keyEncipherment         (2),
+ *       dataEncipherment        (3),
+ *       keyAgreement            (4),
+ *       keyCertSign             (5),
+ *       cRLSign                 (6),
+ *       encipherOnly            (7),
+ *       decipherOnly            (8) }
+ *
+ */
+
+struct NSSPKIXKeyUsageStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXKeyUsageValue keyUsage;
+};
+
+/*
+ * PrivateKeyUsagePeriod
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PrivateKeyUsagePeriod ::= SEQUENCE {
+ *       notBefore       [0]     GeneralizedTime OPTIONAL,
+ *       notAfter        [1]     GeneralizedTime OPTIONAL }
+ *       -- either notBefore or notAfter shall be present
+ *
+ */
+
+struct NSSPKIXPrivateKeyUsagePeriodStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  --time--
+  --time--
+};
+
+/*
+ * CertificatePolicies
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CertificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
+ *
+ */
+
+struct NSSPKIXCertificatePoliciesStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  ...
+};
+
+/*
+ * PolicyInformation
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PolicyInformation ::= SEQUENCE {
+ *       policyIdentifier   CertPolicyId,
+ *       policyQualifiers   SEQUENCE SIZE (1..MAX) OF
+ *               PolicyQualifierInfo OPTIONAL }
+ *
+ */
+
+struct NSSPKIXPolicyInformationStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXCertPolicyId *policyIdentifier;
+  NSSPKIXPolicyQualifierInfo *policyQualifiers[];
+  --fgmr--
+};
+
+/*
+ * PolicyQualifierInfo
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PolicyQualifierInfo ::= SEQUENCE {
+ *         policyQualifierId  PolicyQualifierId,
+ *         qualifier        ANY DEFINED BY policyQualifierId }
+ *
+ */
+
+struct NSSPKIXPolicyQualifierInfoStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXPolicyQualifierId *policyQualifierId;
+  NSSItem *qualifier;
+};
+
+/*
+ * UserNotice
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  UserNotice ::= SEQUENCE {
+ *       noticeRef        NoticeReference OPTIONAL,
+ *       explicitText     DisplayText OPTIONAL}
+ *
+ */
+
+struct NSSPKIXUserNoticeStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXNoticeReference *noticeRef;
+  NSSPKIXDisplayText *explicitText;
+};
+
+/*
+ * NoticeReference
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  NoticeReference ::= SEQUENCE {
+ *       organization     DisplayText,
+ *       noticeNumbers    SEQUENCE OF INTEGER }
+ *
+ */
+
+struct NSSPKIXNoticeReferenceStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXDisplayText *organization;
+  NSSItem *noticeNumbers[]; --fgmr--
+  ...
+};
+
+/*
+ * PolicyMappings
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ *       issuerDomainPolicy      CertPolicyId,
+ *       subjectDomainPolicy     CertPolicyId }
+ *
+ */
+
+struct NSSPKIXPolicyMappingsStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXpolicyMapping *policyMappings[]; --fgmr--
+  ...
+};
+
+/*
+ * policyMapping
+ *
+ * Helper structure for PolicyMappings
+ *
+ *                                               SEQUENCE {
+ *       issuerDomainPolicy      CertPolicyId,
+ *       subjectDomainPolicy     CertPolicyId }
+ *
+ */
+
+struct NSSPKIXpolicyMappingStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXCertPolicyId *issuerDomainPolicy;
+  NSSPKIXCertPolicyId *subjectDomainPolicy;
+};
+
+/*
+ * GeneralName
+ *
+ * This structure contains a union of the possible general names,
+ * of which there are several.
+ *
+ * From RFC 2459:
+ *
+ *  GeneralName ::= CHOICE {
+ *       otherName                       [0]     AnotherName,
+ *       rfc822Name                      [1]     IA5String,
+ *       dNSName                         [2]     IA5String,
+ *       x400Address                     [3]     ORAddress,
+ *       directoryName                   [4]     Name,
+ *       ediPartyName                    [5]     EDIPartyName,
+ *       uniformResourceIdentifier       [6]     IA5String,
+ *       iPAddress                       [7]     OCTET STRING,
+ *       registeredID                    [8]     OBJECT IDENTIFIER }
+ *
+ */
+
+struct NSSPKIXGeneralNameStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXGeneralNameChoice choice;
+  union {
+    NSSPKIXAnotherName *otherName;
+    NSSUTF8 *rfc822Name;
+    NSSUTF8 *dNSName;
+    NSSPKIXORAddress *x400Address;
+    NSSPKIXName *directoryName;
+    NSSEDIPartyName *ediPartyName;
+    NSSUTF8 *uniformResourceIdentifier;
+    NSSItem *iPAddress;
+    NSSOID *registeredID;
+  } u;
+};
+
+/*
+ * GeneralNames
+ *
+ * This structure contains a sequence of GeneralName objects.
+ *
+ * From RFC 2459:
+ *
+ *  GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ *
+ */
+
+struct NSSPKIXGeneralNamesStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  ...
+};
+
+/*
+ * AnotherName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  AnotherName ::= SEQUENCE {
+ *       type-id    OBJECT IDENTIFIER,
+ *       value      [0] EXPLICIT ANY DEFINED BY type-id }
+ *
+ */
+
+struct NSSPKIXAnotherNameStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSOID *typeId;
+  NSSItem *value;
+};
+
+/*
+ * EDIPartyName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *
+ *  EDIPartyName ::= SEQUENCE {
+ *       nameAssigner            [0]     DirectoryString OPTIONAL,
+ *       partyName               [1]     DirectoryString }
+ *
+ */
+
+struct NSSPKIXEDIPartyNameStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXDirectoryString *nameAssigner;
+  NSSPKIXDirectoryString *partyname;
+};
+
+/*
+ * SubjectDirectoryAttributes
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute
+ *
+ */
+
+struct NSSPKIXSubjectDirectoryAttributesStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  ...
+};
+
+/*
+ * BasicConstraints
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  BasicConstraints ::= SEQUENCE {
+ *       cA                      BOOLEAN DEFAULT FALSE,
+ *       pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
+ *
+ */
+
+struct NSSPKIXBasicConstraintsStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  PRBool cA;
+  PRInt32 pathLenConstraint; --fgmr--
+};
+
+/*
+ * NameConstraints
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  NameConstraints ::= SEQUENCE {
+ *       permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
+ *       excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
+ *
+ */
+
+struct NSSPKIXNameConstraintsStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXGeneralSubtrees *permittedSubtrees;
+  NSSPKIXGeneralSubtrees *excludedSubtrees;
+};
+
+/*
+ * GeneralSubtrees
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
+ *
+ */
+
+struct NSSPKIXGeneralSubtreesStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  ...
+};
+
+/*
+ * GeneralSubtree
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  GeneralSubtree ::= SEQUENCE {
+ *       base                    GeneralName,
+ *       minimum         [0]     BaseDistance DEFAULT 0,
+ *       maximum         [1]     BaseDistance OPTIONAL }
+ *
+ */
+
+struct NSSPKIXGeneralSubtreeStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXGeneralName;
+  NSSPKIXBaseDistance minimum;
+  NSSPKIXBaseDistance maximum;
+};
+
+/*
+ * PolicyConstraints
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  PolicyConstraints ::= SEQUENCE {
+ *       requireExplicitPolicy           [0] SkipCerts OPTIONAL,
+ *       inhibitPolicyMapping            [1] SkipCerts OPTIONAL }
+ * 
+ */
+
+struct NSSPKIXPolicyConstraintsStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXSkipCerts *requireExplicitPolicy;
+  NSSPKIXSkipCerts *inhibitPolicyMapping;
+};
+
+/*
+ * CRLDistPointsSyntax
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
+ *
+ */
+
+struct NSSPKIXCRLDistPointsSyntaxStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  ...
+};
+
+/*
+ * DistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  DistributionPoint ::= SEQUENCE {
+ *       distributionPoint       [0]     DistributionPointName OPTIONAL,
+ *       reasons                 [1]     ReasonFlags OPTIONAL,
+ *       cRLIssuer               [2]     GeneralNames OPTIONAL }
+ *
+ */
+
+struct NSSPKIXDistributionPointStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXDistributionPointName *distributionPoint;
+  NSSPKIXReasonFlags *reasons;
+  NSSPKIXGeneralNames *cRLIssuer;
+};
+
+/*
+ * DistributionPointName
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  DistributionPointName ::= CHOICE {
+ *       fullName                [0]     GeneralNames,
+ *       nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
+ *
+ */
+
+struct NSSPKIXDistributionPointNameStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXDistributionPointNameChoice choice;
+  union {
+    NSSPKIXGeneralNames *fullName;
+    NSSPKIXRelativeDistinguishedName *nameRelativeToCRLIssuer;
+  } u;
+};
+
+/*
+ * ReasonFlags
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ReasonFlags ::= BIT STRING {
+ *       unused                  (0),
+ *       keyCompromise           (1),
+ *       cACompromise            (2),
+ *       affiliationChanged      (3),
+ *       superseded              (4),
+ *       cessationOfOperation    (5),
+ *       certificateHold         (6) }
+ *
+ */
+
+struct NSSPKIXReasonFlagsStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXReasonFlagsMask reasonFlags;
+};
+
+/*
+ * ExtKeyUsageSyntax
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
+ *
+ */
+
+struct NSSPKIXExtKeyUsageSyntaxStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  ...
+};
+
+/*
+ * AuthorityInfoAccessSyntax
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  AuthorityInfoAccessSyntax  ::=
+ *          SEQUENCE SIZE (1..MAX) OF AccessDescription
+ *
+ */
+
+struct NSSPKIXAuthorityInfoAccessSyntaxStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  ...
+};
+
+/*
+ * AccessDescription
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  AccessDescription  ::=  SEQUENCE {
+ *          accessMethod          OBJECT IDENTIFIER,
+ *          accessLocation        GeneralName  }
+ *
+ */
+
+struct NSSPKIXAccessDescriptionStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSOID *accessMethod;
+  NSSPKIXGeneralName *accessLocation;
+};
+
+/*
+ * IssuingDistributionPoint
+ *
+ * -- fgmr comments --
+ *
+ * From RFC 2459:
+ *
+ *  IssuingDistributionPoint ::= SEQUENCE {
+ *       distributionPoint       [0] DistributionPointName OPTIONAL,
+ *       onlyContainsUserCerts   [1] BOOLEAN DEFAULT FALSE,
+ *       onlyContainsCACerts     [2] BOOLEAN DEFAULT FALSE,
+ *       onlySomeReasons         [3] ReasonFlags OPTIONAL,
+ *       indirectCRL             [4] BOOLEAN DEFAULT FALSE }
+ *
+ */
+
+struct NSSPKIXIssuingDistributionPointStr {
+  NSSArena *arena;
+  PRBool i_allocated_arena;
+  NSSDER *der;
+  NSSPKIXDistributionPointName *distributionPoint;
+  PRBool onlyContainsUserCerts;
+  PRBool onlyContainsCACerts;
+  NSSPKIXReasonFlags onlySomeReasons;
+  PRBool indirectCRL;
+};
+
+PR_END_EXTERN_C
+
+#endif /* PKIXTM_H */
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/Create.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/Create.c
new file mode 100644
index 000000000..cf95b4e26
--- /dev/null
+++ b/security/nss/lib/pkix/src/AlgorithmIdentifier/Create.c
@@ -0,0 +1,85 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAlgorithmIdentifier_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAlgorithmIdentifier *
+NSSPKIXAlgorithmIdentifier_Create
+(
+  NSSArena *arenaOpt,
+  NSSOID *algorithm,
+  NSSItem *parameters
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAlgorithmIdentifier *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssOID_verifyPointer(algorithm) ) {
+    return (NSSPKIXAlgorithmIdentifier *)NULL;
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(parameters) ) {
+    return (NSSPKIXAlgorithmIdentifier *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAlgorithmIdentifier_Create(arenaOpt, algorithm, parameters);
+}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/Decode.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/Decode.c
new file mode 100644
index 000000000..1e4e47b03
--- /dev/null
+++ b/security/nss/lib/pkix/src/AlgorithmIdentifier/Decode.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAlgorithmIdentifier_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAlgorithmIdentifier *
+NSSPKIXAlgorithmIdentifier_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAlgorithmIdentifier *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
+    return (NSSPKIXAlgorithmIdentifier *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAlgorithmIdentifier_Decode(arenaOpt, ber);
+}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/Destroy.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/Destroy.c
new file mode 100644
index 000000000..f2a901151
--- /dev/null
+++ b/security/nss/lib/pkix/src/AlgorithmIdentifier/Destroy.c
@@ -0,0 +1,71 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAlgorithmIdentifier_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXAlgorithmIdentifier_Destroy
+(
+  NSSPKIXAlgorithmIdentifier *algid
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAlgorithmIdentifier_Destroy(algid);
+}
+
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/Duplicate.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/Duplicate.c
new file mode 100644
index 000000000..186ab49bc
--- /dev/null
+++ b/security/nss/lib/pkix/src/AlgorithmIdentifier/Duplicate.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAlgorithmIdentifier_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAlgorithmIdentifier *
+NSSPKIXAlgorithmIdentifier_Duplicate
+(
+  NSSPKIXAlgorithmIdentifier *algid,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
+    return (NSSPKIXAlgorithmIdentifier *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAlgorithmIdentifier *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAlgorithmIdentifier_Duplicate(algid, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/Encode.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/Encode.c
new file mode 100644
index 000000000..d390b3595
--- /dev/null
+++ b/security/nss/lib/pkix/src/AlgorithmIdentifier/Encode.c
@@ -0,0 +1,81 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAlgorithmIdentifier_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSBER *
+NSSPKIXAlgorithmIdentifier_Encode
+(
+  NSSPKIXAlgorithmIdentifier *algid,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
+    return (NSSBER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSBER *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAlgorithmIdentifier_Encode(algid, encoding, rvOpt, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/Equal.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/Equal.c
new file mode 100644
index 000000000..65c52a2ba
--- /dev/null
+++ b/security/nss/lib/pkix/src/AlgorithmIdentifier/Equal.c
@@ -0,0 +1,83 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAlgorithmIdentifier_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+NSSPKIXAlgorithmIdentifier_Equal
+(
+  NSSPKIXAlgorithmIdentifier *algid1,
+  NSSPKIXAlgorithmIdentifier *algid2,
+  PRStatus *statusOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+
+  if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAlgorithmIdentifier_Equal(algid1, algid2, statusOpt);
+}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/GetAlgorithm.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/GetAlgorithm.c
new file mode 100644
index 000000000..be7493a66
--- /dev/null
+++ b/security/nss/lib/pkix/src/AlgorithmIdentifier/GetAlgorithm.c
@@ -0,0 +1,71 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAlgorithmIdentifier_GetAlgorithm
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSOID pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSOID *
+NSSPKIXAlgorithmIdentifier_GetAlgorithm
+(
+  NSSPKIXAlgorithmIdentifier *algid
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
+    return (NSSOID *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAlgorithmIdentifier_GetAlgorithm(algid);
+}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/GetParameters.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/GetParameters.c
new file mode 100644
index 000000000..e94622e23
--- /dev/null
+++ b/security/nss/lib/pkix/src/AlgorithmIdentifier/GetParameters.c
@@ -0,0 +1,80 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAlgorithmIdentifier_GetParameters
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSItem *
+NSSPKIXAlgorithmIdentifier_GetParameters
+(
+  NSSPKIXAlgorithmIdentifier *algid,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
+    return (NSSItem *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSItem *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAlgorithmIdentifier_GetParameters(algid, rvOpt, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/MClear.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/MClear.c
new file mode 100644
index 000000000..0797fbd49
--- /dev/null
+++ b/security/nss/lib/pkix/src/AlgorithmIdentifier/MClear.c
@@ -0,0 +1,71 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIXM_H
+#include "pkixm.h"
+#endif /* PKIXM_H */
+
+/*
+ * nss_pkix_AlgorithmIdentifier_Clear
+ *
+ * Wipes out cached data.
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_pkix_AlgorithmIdentifier_Clear
+(
+  NSSPKIXAlgorithmIdentifier *algid
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSBER *)NULL != algid->ber ) {
+    nss_ZFreeIf(algid->ber->data);
+    nss_ZFreeIf(algid->ber);
+  }
+
+  if( (NSSDER *)NULL != algid->der ) {
+    nss_ZFreeIf(algid->der->data);
+    nss_ZFreeIf(algid->der);
+  }
+
+  return PR_SUCCESS;
+}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/PCreate.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/PCreate.c
new file mode 100644
index 000000000..c527a6a56
--- /dev/null
+++ b/security/nss/lib/pkix/src/AlgorithmIdentifier/PCreate.c
@@ -0,0 +1,138 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAlgorithmIdentifier_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_POINTER
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAlgorithmIdentifier *
+nssPKIXAlgorithmIdentifier_Create
+(
+  NSSArena *arenaOpt,
+  NSSOID *algorithm,
+  NSSItem *parameters
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXAlgorithmIdentifier *rv = (NSSPKIXAlgorithmIdentifier *)NULL;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAlgorithmIdentifier *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssOID_verifyPointer(algorithm) ) {
+    return (NSSPKIXAlgorithmIdentifier *)NULL;
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(parameters) ) {
+    return (NSSPKIXAlgorithmIdentifier *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXAlgorithmIdentifier);
+  if( (NSSPKIXAlgorithmIdentifier *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+  rv->algorithm = algorithm;
+  rv->parameters = nssItem_Duplicate(parameters, arena, (NSSItem *)NULL);
+  if( (NSSItem *)NULL == rv->parameters ) {
+    goto loser;
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_AlgorithmIdentifier_add_pointer(rv) ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXAlgorithmIdentifier *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/PDecode.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/PDecode.c
new file mode 100644
index 000000000..9713d34db
--- /dev/null
+++ b/security/nss/lib/pkix/src/AlgorithmIdentifier/PDecode.c
@@ -0,0 +1,137 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAlgorithmIdentifier_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAlgorithmIdentifier *
+nssPKIXAlgorithmIdentifier_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXAlgorithmIdentifier *rv = (NSSPKIXAlgorithmIdentifier *)NULL;
+  PRStatus status;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAlgorithmIdentifier *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
+    return (NSSPKIXAlgorithmIdentifier *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXAlgorithmIdentifier);
+  if( (NSSPKIXAlgorithmIdentifier *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+  rv->ber = nssItem_Duplicate(ber, arena, (NSSItem *)NULL);
+  if( (NSSItem *)NULL == rv->ber ) {
+    goto loser;
+  }
+
+  status = nssASN1_DecodeBER(arena, rv, nssPKIXAlgorithmIdentifier_template, ber);
+  if( PR_SUCCESS != status ) {
+    goto loser;
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_AlgorithmIdentifier_add_pointer(rv) ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXAlgorithmIdentifier *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/PDestroy.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/PDestroy.c
new file mode 100644
index 000000000..7ef4d1fe1
--- /dev/null
+++ b/security/nss/lib/pkix/src/AlgorithmIdentifier/PDestroy.c
@@ -0,0 +1,76 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAlgorithmIdentifier_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXAlgorithmIdentifier_Destroy
+(
+  NSSPKIXAlgorithmIdentifier *algid
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+#ifdef DEBUG
+  (void)nss_pkix_AlgorithmIdentifier_remove_pointer(algid);
+#endif /* DEBUG */
+
+  if( PR_TRUE == algid->i_allocated_arena ) {
+    return nssArena_Destroy(algid->arena);
+  }
+
+  return PR_SUCCESS;
+}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/PDuplicate.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/PDuplicate.c
new file mode 100644
index 000000000..ae3cf72b2
--- /dev/null
+++ b/security/nss/lib/pkix/src/AlgorithmIdentifier/PDuplicate.c
@@ -0,0 +1,144 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAlgorithmIdentifier_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAlgorithmIdentifier upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAlgorithmIdentifier *
+nssPKIXAlgorithmIdentifier_Duplicate
+(
+  NSSPKIXAlgorithmIdentifier *algid,
+  NSSArena *arenaOpt
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXAlgorithmIdentifier *rv = (NSSPKIXAlgorithmIdentifier *)NULL;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
+    return (NSSPKIXAlgorithmIdentifier *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAlgorithmIdentifier *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXAlgorithmIdentifier);
+  if( (NSSPKIXAlgorithmIdentifier *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+
+  rv->ber = nssItem_Duplicate(algid->ber, arena, (NSSItem *)NULL);
+  if( (NSSItem *)NULL == rv->ber ) {
+    goto loser;
+  }
+
+  rv->der = nssItem_Duplicate(algid->der, arena, (NSSItem *)NULL);
+  if( (NSSItem *)NULL == rv->der ) {
+    goto loser;
+  }
+
+  rv->algorithm = algid->algorithm;
+
+  rv->parameters = nssItem_Duplicate(algid->parameters, arena, (NSSItem *)NULL);
+  if( (NSSItem *)NULL == rv->parameters ) {
+    goto loser;
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_AlgorithmIdentifier_add_pointer(rv) ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXAlgorithmIdentifier *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/PEncode.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/PEncode.c
new file mode 100644
index 000000000..c9939350a
--- /dev/null
+++ b/security/nss/lib/pkix/src/AlgorithmIdentifier/PEncode.c
@@ -0,0 +1,117 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAlgorithmIdentifier_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSBER *
+nssPKIXAlgorithmIdentifier_Encode
+(
+  NSSPKIXAlgorithmIdentifier *algid,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
+    return (NSSBER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSBER *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  switch( encoding ) {
+  case NSSASN1BER:
+    if( (NSSBER *)NULL != algid->ber ) {
+      it = algid->ber;
+      goto done;
+    }
+    /*FALLTHROUGH*/
+  case NSSASN1DER:
+    if( (NSSDER *)NULL != algid->der ) {
+      it = algid->der;
+      goto done;
+    }
+    break;
+  default:
+    nss_SetError(NSS_ERROR_UNSUPPORTED_ENCODING);
+    return (NSSBER *)NULL;
+  }
+
+  it = nssASN1_EncodeItem(algid->arena, (NSSItem *)NULL, algid,
+                          nssPKIXAlgorithmIdentifier_template, encoding);
+  if( (NSSBER *)NULL == it ) {
+    return (NSSBER *)NULL;
+  }
+
+  switch( encoding ) {
+  case NSSASN1BER:
+    algid->ber = it;
+    break;
+  case NSSASN1DER:
+    algid->der = it;
+    break;
+  default:
+    PR_ASSERT(0);
+    break;
+  }
+
+ done:
+  return nssItem_Duplicate(it, arenaOpt, rvOpt);
+}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/PEqual.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/PEqual.c
new file mode 100644
index 000000000..423dfdb74
--- /dev/null
+++ b/security/nss/lib/pkix/src/AlgorithmIdentifier/PEqual.c
@@ -0,0 +1,88 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAlgorithmIdentifier_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+nssPKIXAlgorithmIdentifier_Equal
+(
+  NSSPKIXAlgorithmIdentifier *algid1,
+  NSSPKIXAlgorithmIdentifier *algid2,
+  PRStatus *statusOpt
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+
+  if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( algid1->algorithm != algid2->algorithm ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_SUCCESS;
+    }
+    return PR_FALSE;
+  }
+
+  return nssItem_Equal(algid1->parameters, algid2->parameters, statusOpt);
+}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/PGetAlgorithm.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/PGetAlgorithm.c
new file mode 100644
index 000000000..4c7c37b6e
--- /dev/null
+++ b/security/nss/lib/pkix/src/AlgorithmIdentifier/PGetAlgorithm.c
@@ -0,0 +1,69 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAlgorithmIdentifier_GetAlgorithm
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSOID pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSOID *
+nssPKIXAlgorithmIdentifier_GetAlgorithm
+(
+  NSSPKIXAlgorithmIdentifier *algid
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
+    return (NSSOID *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  return algid->algorithm;
+}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/PGetParameters.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/PGetParameters.c
new file mode 100644
index 000000000..5d6f1decb
--- /dev/null
+++ b/security/nss/lib/pkix/src/AlgorithmIdentifier/PGetParameters.c
@@ -0,0 +1,78 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAlgorithmIdentifier_GetParameters
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSItem upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSItem *
+nssPKIXAlgorithmIdentifier_GetParameters
+(
+  NSSPKIXAlgorithmIdentifier *algid,
+  NSSItem *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
+    return (NSSItem *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSItem *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  return nssItem_Duplicate(algid->parameters, arenaOpt, rvOpt);
+}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/PSetAlgorithm.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/PSetAlgorithm.c
new file mode 100644
index 000000000..ccf9f23e2
--- /dev/null
+++ b/security/nss/lib/pkix/src/AlgorithmIdentifier/PSetAlgorithm.c
@@ -0,0 +1,75 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAlgorithmIdentifier_SetAlgorithm
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_OID
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXAlgorithmIdentifier_SetAlgorithm
+(
+  NSSPKIXAlgorithmIdentifier *algid,
+  NSSOID *algorithm
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssOID_verifyPointer(algorithm) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  algid->algorithm = algorithm;
+  return nss_pkix_AlgorithmIdentifier_Clear(algid);
+}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/PSetParameters.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/PSetParameters.c
new file mode 100644
index 000000000..d5a7e8424
--- /dev/null
+++ b/security/nss/lib/pkix/src/AlgorithmIdentifier/PSetParameters.c
@@ -0,0 +1,86 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAlgorithmIdentifier_SetParameters
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXAlgorithmIdentifier_SetParameters
+(
+  NSSPKIXAlgorithmIdentifier *algid,
+  NSSItem *parameters
+)
+{
+  NSSItem *prev;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(parameters) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  prev = algid->parameters;
+
+  algid->parameters = nssItem_Duplicate(parameters, algid->arena, (NSSItem *)NULL);
+  if( (NSSItem *)NULL == algid->parameters ) {
+    algid->parameters = prev;
+    return PR_FAILURE;
+  }
+
+  (void)nssItem_Destroy(prev);
+  return nss_pkix_AlgorithmIdentifier_Clear(algid);
+}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/SetAlgorithm.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/SetAlgorithm.c
new file mode 100644
index 000000000..d829643e0
--- /dev/null
+++ b/security/nss/lib/pkix/src/AlgorithmIdentifier/SetAlgorithm.c
@@ -0,0 +1,76 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAlgorithmIdentifier_SetAlgorithm
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_OID
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXAlgorithmIdentifier_SetAlgorithm
+(
+  NSSPKIXAlgorithmIdentifier *algid,
+  NSSOID *algorithm
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssOID_verifyPointer(algorithm) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAlgorithmIdentifier_SetAlgorithm(algid, algorithm);
+}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/SetParameters.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/SetParameters.c
new file mode 100644
index 000000000..d751fb689
--- /dev/null
+++ b/security/nss/lib/pkix/src/AlgorithmIdentifier/SetParameters.c
@@ -0,0 +1,77 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAlgorithmIdentifier_SetParameters
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ALGORITHM_IDENTIFIER
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXAlgorithmIdentifier_SetParameters
+(
+  NSSPKIXAlgorithmIdentifier *algid,
+  NSSItem *parameters
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAlgorithmIdentifier_verifyPointer(algid) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(parameters) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAlgorithmIdentifier_SetParameters(algid, parameters);
+}
diff --git a/security/nss/lib/pkix/src/AlgorithmIdentifier/verifyPointer.c b/security/nss/lib/pkix/src/AlgorithmIdentifier/verifyPointer.c
new file mode 100644
index 000000000..c9a9f8072
--- /dev/null
+++ b/security/nss/lib/pkix/src/AlgorithmIdentifier/verifyPointer.c
@@ -0,0 +1,182 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIXM_H
+#include "pkixm.h"
+#endif /* PKIXM_H */
+
+#ifdef DEBUG
+
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+static nssPointerTracker pkix_algid_pointer_tracker;
+
+/*
+ * nss_pkix_AlgorithmIdentifier_add_pointer
+ *
+ * This method is only present in debug builds.
+ *
+ * This module-private routine adds an NSSPKIXAlgorithmIdentifier pointer to
+ * the internal pointer-tracker.  This routine should only be used 
+ * by the NSSPKIX module.  This routine returns a PRStatus value; 
+ * upon error it will place an error on the error stack and return 
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INTERNAL_ERROR
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_pkix_AlgorithmIdentifier_add_pointer
+(
+  const NSSPKIXAlgorithmIdentifier *p
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&pkix_algid_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return rv;
+  }
+
+  rv = nssPointerTracker_add(&pkix_algid_pointer_tracker, p);
+  if( PR_SUCCESS != rv ) {
+    NSSError e = NSS_GetError();
+    if( NSS_ERROR_NO_MEMORY != e ) {
+      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    }
+
+    return rv;
+  }
+
+  rv = nssArena_registerDestructor(p->arena,
+         nss_pkix_AlgorithmIdentifier_remove_pointer, p);
+  if( PR_SUCCESS != rv ) {
+    (void)nss_pkix_AlgorithmIdentifier_remove_pointer(p);
+    return rv;
+  }
+
+  return rv;
+}
+
+/*
+ * nss_pkix_AlgorithmIdentifier_remove_pointer
+ *
+ * This method is only present in debug builds.
+ *
+ * This module-private routine removes a valid NSSPKIXAlgorithmIdentifier
+ * pointer from the internal pointer-tracker.  This routine should 
+ * only be used by the NSSPKIX module.  This routine returns a 
+ * PRStatus value; upon error it will place an error on the error 
+ * stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INTERNAL_ERROR
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_pkix_AlgorithmIdentifier_remove_pointer
+(
+  const NSSPKIXAlgorithmIdentifier *p
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_remove(&pkix_algid_pointer_tracker, p);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  }
+
+  /*
+   * nssArena_deregisterDestructor(p->arena,
+   *   nss_pkix_AlgorithmIdentifier_remove_pointer, p);
+   */
+
+  return rv;
+}
+
+/*
+ * nssPKIXAlgorithmIdentifier_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXAlgorithmIdentifier
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXAlgorithmIdentifier_verifyPointer
+(
+  NSSPKIXAlgorithmIdentifier *p
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&pkix_algid_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
+    return PR_FAILURE;
+  }
+
+  rv = nssPointerTracker_verify(&pkix_algid_pointer_tracker, p);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+#endif /* DEBUG */
+
diff --git a/security/nss/lib/pkix/src/Attribute/AddValue.c b/security/nss/lib/pkix/src/Attribute/AddValue.c
new file mode 100644
index 000000000..aad082c50
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/AddValue.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttribute_AddValue
+ *
+ * This routine adds the specified attribute value to the set in
+ * the specified NSSPKIXAttribute.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXAttribute_AddValue
+(
+  NSSPKIXAttribute *attribute,
+  NSSPKIXAttributeValue *value
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(value) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttribute_AddValue(attribute, value);
+}
+
diff --git a/security/nss/lib/pkix/src/Attribute/Create.c b/security/nss/lib/pkix/src/Attribute/Create.c
new file mode 100644
index 000000000..9fe406b2d
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/Create.c
@@ -0,0 +1,141 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttribute_Create
+ *
+ * This routine creates an NSSPKIXAttribute from specified components.
+ * This routine may return NULL upon error, in which case it will have
+ * created an error stack.  If the optional arena argument is non-NULL,
+ * that arena will be used for the required memory.  There must be at
+ * least one attribute value specified.  The final argument must be
+ * NULL, to indicate the end of the set of attribute values.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_INSUFFICIENT_VALUES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttribute upon success
+ *  NULL upon failure.
+ */
+
+NSS_IMPLEMENT NSSPKIXAttribute *
+NSSPKIXAttribute_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAttributeType *typeOid,
+  NSSPKIXAttributeValue *value1,
+  ...
+)
+{
+  va_list ap;
+  NSSPKIXAttribute *rv;
+  PRUint32 count;
+
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttribute *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssOID_verifyPointer(typeOid) ) {
+    return (NSSPKIXAttribute *)NULL;
+  }
+
+  if( (NSSPKIXAttributeValue *)NULL == value1 ) {
+    nss_SetError(NSS_ERROR_INSUFFICIENT_VALUES);
+    return (NSSPKIXAttribute *)NULL;
+  }
+
+  {
+    va_start(ap, typeOid);
+
+    while( 1 ) {
+      NSSPKIXAttributeValue *v;
+      v = (NSSPKIXAttributeValue *)va_arg(ap, NSSPKIXAttributeValue *);
+      if( (NSSPKIXAttributeValue *)NULL == v ) {
+        break;
+      }
+    
+      if( PR_SUCCESS != nssItem_verifyPointer(v) ) {
+        va_end(ap);
+        return (NSSPKIXAttribute *)NULL;
+      }
+    }
+
+    va_end(ap);
+  }
+#endif /* DEBUG */
+
+  va_start(ap, typeOid);
+
+  for( count = 0; ; count++ ) {
+    NSSPKIXAttributeValue *v;
+    v = (NSSPKIXAttributeValue *)va_arg(ap, NSSPKIXAttributeValue *);
+    if( (NSSPKIXAttributeValue *)NULL == v ) {
+      break;
+    }
+
+#ifdef PEDANTIC
+    if( count == 0xFFFFFFFF ) {
+      nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+      va_end(ap);
+      return (NSSPKIXAttribute *)NULL;
+    }
+#endif /* PEDANTIC */
+  }
+
+  va_end(ap);
+
+  va_start(ap, typeOid);
+  rv = nss_pkix_Attribute_V_Create(arenaOpt, typeOid, count, ap);
+  va_end(ap);
+
+  return rv;
+}
diff --git a/security/nss/lib/pkix/src/Attribute/CreateFromArray.c b/security/nss/lib/pkix/src/Attribute/CreateFromArray.c
new file mode 100644
index 000000000..2928c3bcc
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/CreateFromArray.c
@@ -0,0 +1,97 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttribute_CreateFromArray
+ *
+ * This routine creates an NSSPKIXAttribute from specified components.
+ * This routine may return NULL upon error, in which case it will have
+ * created an error stack.  If the optional arena argument is non-NULL,
+ * that arena will be used for the required memory.  There must be at
+ * least one attribute value specified.  The final argument must be
+ * NULL, to indicate the end of the set of attribute values.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttribute upon success
+ *  NULL upon failure.
+ */
+
+NSS_IMPLEMENT NSSPKIXAttribute *
+NSSPKIXAttribute_CreateFromArray
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAttributeType *typeOid,
+  PRUint32 count,
+  NSSPKIXAttributeValue values[]
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttribute *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssOID_verifyPointer(typeOid) ) {
+    return (NSSPKIXAttribute *)NULL;
+  }
+
+  {
+    PRUint32 i;
+
+    for( i = 0; i < count; i++ ) {
+      if( PR_SUCCESS != nssItem_verifyPointer(&values[i]) ) {
+        return (NSSPKIXAttribute *)NULL;
+      }
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttribute_CreateFromArray(arenaOpt, typeOid, count, values);
+}
diff --git a/security/nss/lib/pkix/src/Attribute/Decode.c b/security/nss/lib/pkix/src/Attribute/Decode.c
new file mode 100644
index 000000000..a16f195cd
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/Decode.c
@@ -0,0 +1,84 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttribute_Decode
+ *
+ * This routine creates an NSSPKIXAttribute by decoding a BER-
+ * or DER-encoded Attribute as defined in RFC 2459.  This
+ * routine may return NULL upon error, in which case it will
+ * have created an error stack.  If the optional arena argument
+ * is non-NULL, that arena will be used for the required memory.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttribute upon success
+ *  NULL upon failure.
+ */
+
+NSS_IMPLEMENT NSSPKIXAttribute *
+NSSPKIXAttribute_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttribute *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
+    return (NSSPKIXAttribute *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttribute_Decode(arenaOpt, ber);
+}
diff --git a/security/nss/lib/pkix/src/Attribute/Destroy.c b/security/nss/lib/pkix/src/Attribute/Destroy.c
new file mode 100644
index 000000000..bd9454fca
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/Destroy.c
@@ -0,0 +1,74 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttribute_Destroy
+ *
+ * This routine destroys an NSSPKIXAttribute.  It should be called on
+ * all such objects created without an arena.  It does not need to be
+ * called for objects created with an arena, but it may be.  This
+ * routine returns a PRStatus value.  Upon error, it will create an
+ * error stack and return PR_FAILURE.
+ *
+ * The error value may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+NSSPKIXAttribute_Destroy
+(
+  NSSPKIXAttribute *attribute
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttribute_Destroy(attribute);
+}
diff --git a/security/nss/lib/pkix/src/Attribute/Duplicate.c b/security/nss/lib/pkix/src/Attribute/Duplicate.c
new file mode 100644
index 000000000..146a49610
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/Duplicate.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttribute_Duplicate
+ *
+ * This routine duplicates an NSSPKIXAttribute.  {arenaOpt}
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttribute upon success
+ *  NULL upon failure.
+ */
+
+NSS_IMPLEMENT NSSPKIXAttribute *
+NSSPKIXAttribute_Duplicate
+(
+  NSSPKIXAttribute *attribute,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
+    return (NSSPKIXAttribute *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttribute *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttribute_Duplicate(attribute, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/Attribute/Encode.c b/security/nss/lib/pkix/src/Attribute/Encode.c
new file mode 100644
index 000000000..179bd3d68
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/Encode.c
@@ -0,0 +1,85 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttribute_Encode
+ *
+ * This routine returns an ASN.1 encoding of the specified 
+ * NSSPKIXAttribute.  {usual rules about itemOpt and arenaOpt}
+ * This routine indicates an error (NSS_ERROR_INVALID_DATA) 
+ * if there are no attribute values (i.e., the last one was removed).
+ *
+ * The error value may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_DATA
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSBER *
+NSSPKIXAttribute_Encode
+(
+  NSSPKIXAttribute *attribute,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
+    return (NSSBER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSBER *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttribute_Encode(attribute, encoding, rvOpt, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/Attribute/Equal.c b/security/nss/lib/pkix/src/Attribute/Equal.c
new file mode 100644
index 000000000..d91782aea
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/Equal.c
@@ -0,0 +1,88 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttribute_Equal
+ *
+ * This routine compares two NSSPKIXAttribute's for equality.
+ * It returns PR_TRUE if they are equal, PR_FALSE otherwise.
+ * This routine also returns PR_FALSE upon error; if you're
+ * that worried about it, check for an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+NSSPKIXAttribute_Equal
+(
+  NSSPKIXAttribute *one,
+  NSSPKIXAttribute *two,
+  PRStatus *statusOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(one) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+
+    return PR_FALSE;
+  }
+
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(two) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+
+    return PR_FALSE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttribute_Equal(one, two);
+}
diff --git a/security/nss/lib/pkix/src/Attribute/FindValue.c b/security/nss/lib/pkix/src/Attribute/FindValue.c
new file mode 100644
index 000000000..ba725051f
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/FindValue.c
@@ -0,0 +1,84 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttribute_FindValue
+ *
+ * This routine searches the set of attribute values in the specified
+ * NSSPKIXAttribute for the provided data.  If an exact match is found,
+ * then that value's index is returned.  If an exact match is not 
+ * found, -1 is returned.  If there is more than one exact match, one
+ * index will be returned.  {notes about unorderdness of SET, etc}
+ * If the index may not be represented as an integer, an error is
+ * indicated.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value
+ *  The index of the specified attribute value upon success
+ *  -1 upon failure.
+ */
+
+NSS_IMPLEMENT PRInt32
+NSSPKIXAttribute_FindValue
+(
+  NSSPKIXAttribute *attribute,
+  NSSPKIXAttributeValue *value
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(value) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttribute_FindValue(attribute, value);
+}
diff --git a/security/nss/lib/pkix/src/Attribute/GetType.c b/security/nss/lib/pkix/src/Attribute/GetType.c
new file mode 100644
index 000000000..0bae2b988
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/GetType.c
@@ -0,0 +1,72 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttribute_GetType
+ *
+ * This routine returns the attribute type oid of the specified
+ * NSSPKIXAttribute.
+ *
+ * The error value may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSPKIXAttributeType pointer upon success
+ *  NULL upon failure.
+ */
+
+NSS_IMPLEMENT NSSPKIXAttributeType *
+NSSPKIXAttribute_GetType
+(
+  NSSPKIXAttribute *attribute
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
+    return (NSSPKIXAttributeType *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttribute_GetType(attribute);
+}
diff --git a/security/nss/lib/pkix/src/Attribute/GetValue.c b/security/nss/lib/pkix/src/Attribute/GetValue.c
new file mode 100644
index 000000000..afce8d135
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/GetValue.c
@@ -0,0 +1,86 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttribute_GetValue
+ *
+ * This routine returns the i'th attribute value of the set of
+ * values in the specified NSSPKIXAttribute.  Although the set
+ * is unordered, an arbitrary ordering will be maintained until
+ * the data in the attribute is changed.  {usual comments about
+ * itemOpt and arenaOpt}
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeValue upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAttributeValue *
+NSSPKIXAttribute_GetValue
+(
+  NSSPKIXAttribute *attribute,
+  PRInt32 i,
+  NSSPKIXAttributeValue *itemOpt,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
+    return (NSSPKIXAttributeValue *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttributeValue *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttribute_GetValue(attribute, i, itemOpt, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/Attribute/GetValueCount.c b/security/nss/lib/pkix/src/Attribute/GetValueCount.c
new file mode 100644
index 000000000..0cdc36b60
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/GetValueCount.c
@@ -0,0 +1,75 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttribute_GetValueCount
+ *
+ * This routine returns the number of attribute values present in
+ * the specified NSSPKIXAttribute.  This routine returns a PRInt32.
+ * Upon error, this routine returns -1.  This routine indicates an
+ * error if the number of values cannot be expressed as a PRInt32.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_IMPLEMENT PRInt32
+NSSPKIXAttribute_GetValueCount
+(
+  NSSPKIXAttribute *attribute
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
+    return -1;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttribute_GetValueCount(attribute);
+}
+
diff --git a/security/nss/lib/pkix/src/Attribute/GetValues.c b/security/nss/lib/pkix/src/Attribute/GetValues.c
new file mode 100644
index 000000000..986af03d1
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/GetValues.c
@@ -0,0 +1,88 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttribute_GetValues
+ *
+ * This routine returns all of the attribute values in the specified
+ * NSSPKIXAttribute.  If the optional pointer to an array of NSSItems
+ * is non-null, then that array will be used and returned; otherwise,
+ * an array will be allocated and returned.  If the limit is nonzero
+ * (which is must be if the specified array is nonnull), then an
+ * error is indicated if it is smaller than the value count.
+ * {arenaOpt}
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  A valid pointer to an array of NSSItem's upon success
+ *  NULL upon failure.
+ */
+
+NSS_IMPLEMENT NSSPKIXAttributeValue *
+NSSPKIXAttribute_GetValues
+(
+  NSSPKIXAttribute *attribute,
+  NSSPKIXAttributeValue rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
+    return (NSSPKIXAttributeValue *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyOpt(attribute) ) {
+      return (NSSPKIXAttributeValue *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttribute_GetValues(attribute, rvOpt, limit, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/Attribute/MClear.c b/security/nss/lib/pkix/src/Attribute/MClear.c
new file mode 100644
index 000000000..6fb77ba7d
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/MClear.c
@@ -0,0 +1,71 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nss_pkix_Attribute_Clear
+ *
+ * Wipes out cached data.
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_pkix_Attribute_Clear
+(
+  NSSPKIXAttribute *a
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(a) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSBER *)NULL != a->ber ) {
+    nss_ZFreeIf(a->ber->data);
+    nss_ZFreeIf(a->ber);
+  }
+
+  if( (NSSDER *)NULL != a->der ) {
+    nss_ZFreeIf(a->der->data);
+    nss_ZFreeIf(a->der);
+  }
+
+  return PR_SUCCESS;
+}
diff --git a/security/nss/lib/pkix/src/Attribute/MCount.c b/security/nss/lib/pkix/src/Attribute/MCount.c
new file mode 100644
index 000000000..abb0831cb
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/MCount.c
@@ -0,0 +1,87 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIXM_H
+#include "pkixm.h"
+#endif /* PKIXM_H */
+
+/*
+ * nss_pkix_Attribute_Count
+ *
+ * This module-private routine sets the valuesCount part of the
+ * NSSPKIXAttribute argument.  It does no checking, and is intended
+ * only for use inside the NSSPKIXAttribute implementation itself.
+ * There is no error return.  There is no return value.
+ */
+
+NSS_IMPLEMENT void
+nss_pkix_Attribute_Count
+(
+  NSSPKIXAttribute *a
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(a) ) {
+    return;
+  }
+#endif /* NSSDEBUG */
+
+  PR_ASSERT((nssASN1Item **)NULL != a->asn1values);
+  if( (nssASN1Item *)NULL == a->asn1values ) {
+    nss_SetError(NSS_ERROR_ASSERTION_FAILED);
+    return;
+  }
+
+  if( 0 == a->valuesCount ) {
+    PRUint32 i;
+    for( i = 0; i < 0xFFFFFFFF; i++ ) {
+      if( (nssASN1Item *)NULL == a->asn1values[i] ) {
+        break;
+      }
+    }
+
+#ifdef PEDANTIC
+    if( 0xFFFFFFFF == i ) {
+      return;
+    }
+#endif /* PEDANTIC */
+
+    a->valuesCount = i;
+  }
+
+  return;
+}
diff --git a/security/nss/lib/pkix/src/Attribute/MVCreate.c b/security/nss/lib/pkix/src/Attribute/MVCreate.c
new file mode 100644
index 000000000..1a54026d4
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/MVCreate.c
@@ -0,0 +1,165 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIXM_H
+#include "pkixm.h"
+#endif /* PKIXM_H */
+
+/*
+ * nss_pkix_Attribute_V_Create
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_INTERNAL_ERROR;
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttribute upon success
+ *  NULL upon failure.
+ */
+
+NSS_IMPLEMENT NSSPKIXAttribute *
+nss_pkix_Attribute_V_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAttributeType *typeOid,
+  PRUint32 count,
+  va_list ap
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXAttribute *rv = (NSSPKIXAttribute *)NULL;
+  PRStatus status;
+  PRUint32 i;
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXAttribute);
+  if( (NSSPKIXAttribute *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+
+  rv->type = typeOid;
+  {
+    NSSItem typeder;
+    NSSItem *x = nssOID_GetDEREncoding(rv->type, &typeder, arena);
+    if( (NSSItem *)NULL == x ) {
+      goto loser;
+    }
+
+    rv->asn1type.size = typeder.size;
+    rv->asn1type.data = typeder.data;
+  }
+
+  rv->valuesCount = count;
+
+  rv->asn1values = nss_ZNEWARRAY(arena, nssASN1Item *, count);
+  if( (nssASN1Item **)NULL == rv->asn1values ) {
+    goto loser;
+  }
+
+  for( i = 0; i < count; i++ ) {
+    NSSItem tmp;
+    NSSPKIXAttributeValue *v = (NSSPKIXAttributeValue *)
+      va_arg(ap, NSSPKIXAttributeValue *);
+
+    rv->asn1values[i] = nss_ZNEW(arena, nssASN1Item);
+    if( (nssASN1Item *)NULL == rv->asn1values[i] ) {
+      goto loser;
+    }
+
+    if( (NSSItem *)NULL == nssItem_Duplicate(v, arena, &tmp) ) {
+      goto loser;
+    }
+
+    rv->asn1values[i].size = tmp.size;
+    rv->asn1values[i].data = tmp.data;
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_Attribute_add_pointer(rv) ) {
+    goto loser;
+  }
+
+  if( PR_SUCCESS != 
+      nssArena_registerDestructor(arena,
+                                  nss_pkix_Attribute_remove_pointer, 
+                                  rv) ) {
+    (void)nss_pkix_Attribute_remove_pointer(rv);
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXAttribute *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/Attribute/PAddValue.c b/security/nss/lib/pkix/src/Attribute/PAddValue.c
new file mode 100644
index 000000000..732845490
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/PAddValue.c
@@ -0,0 +1,140 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttribute_AddValue
+ *
+ * This routine adds the specified attribute value to the set in
+ * the specified NSSPKIXAttribute.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXAttribute_AddValue
+(
+  NSSPKIXAttribute *a,
+  NSSPKIXAttributeValue *value
+)
+{
+  PRUint32 newcount;
+  nssASN1Item **new_asn1_items = (nssASN1Item **)NULL;
+  NSSItem tmp;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(a) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(value) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  PR_ASSERT((nssASN1Item **)NULL != a->asn1values);
+  if( (nssASN1Item **)NULL == a->asn1values ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    return PR_FAILURE;
+  }
+
+  if( 0 == a->valuesCount ) {
+    PRUint32 i;
+
+    for( i = 0; i < 0xFFFFFFFF; i++ ) {
+      if( (nssASN1Item *)NULL == a->asn1values[i] ) {
+        break;
+      }
+    }
+
+#ifdef PEDANTIC
+    if( 0xFFFFFFFF == i ) {
+      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+      /* Internal error is that we don't handle them this big */
+      return PR_FAILURE;
+    }
+#endif /* PEDANTIC */
+
+    a->valuesCount = i;
+  }
+
+  newcount = a->valuesCount + 1;
+  /* Check newcount for a rollover. */
+
+  /* Remember that our asn1values array is NULL-terminated */
+  new_asn1_items = (nssASN1Item **)nss_ZRealloc(a->asn1values,
+                     ((newcount+1) * sizeof(nssASN1Item *)));
+  if( (nssASN1Item **)NULL == new_asn1_items ) {
+    goto loser;
+  }
+
+  new_asn1_items[ a->valuesCount ] = nss_ZNEW(a->arena, nssASN1Item);
+  if( (nssASN1Item *)NULL == new_asn1_items[ a->valuesCount ] ) {
+    goto loser;
+  }
+
+  if( (NSSItem *)NULL == nssItem_Duplicate(value, a->arena, &tmp) ) {
+    goto loser;
+  }
+
+  new_asn1_items[ a->valuesCount ]->size = tmp.size;
+  new_asn1_items[ a->valuesCount ]->data = tmp.data;
+
+  a->valuesCount++;
+  a->asn1values = new_asn1_items;
+
+  return nss_pkix_Attribute_Clear(a);
+
+ loser:
+  if( (nssASN1Item **)NULL != new_asn1_items ) {
+    nss_ZFreeIf(new_asn1_items[ newcount-1 ]);
+    /* We could realloc back down, but we actually know it's a no-op */
+    a->asn1values = new_asn1_items;
+  }
+
+  return PR_FAILURE;
+}
diff --git a/security/nss/lib/pkix/src/Attribute/PCreate.c b/security/nss/lib/pkix/src/Attribute/PCreate.c
new file mode 100644
index 000000000..40dc5c07c
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/PCreate.c
@@ -0,0 +1,139 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttribute_Create
+ *
+ * This routine creates an NSSPKIXAttribute from specified components.
+ * This routine may return NULL upon error, in which case it will have
+ * created an error stack.  If the optional arena argument is non-NULL,
+ * that arena will be used for the required memory.  There must be at
+ * least one attribute value specified.  The final argument must be
+ * NULL, to indicate the end of the set of attribute values.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_INSUFFICIENT_VALUES
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttribute upon success
+ *  NULL upon failure.
+ */
+
+NSS_EXTERN NSSPKIXAttribute *
+nssPKIXAttribute_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAttributeType *typeOid,
+  NSSPKIXAttributeValue *value1,
+  ...
+)
+{
+  va_list ap;
+  NSSPKIXAttribute *rv;
+  PRUint32 count;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttribute *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssOID_verifyPointer(typeOid) ) {
+    return (NSSPKIXAttribute *)NULL;
+  }
+
+  if( (NSSPKIXAttributeValue *)NULL == value1 ) {
+    nss_SetError(NSS_ERROR_INSUFFICIENT_VALUES);
+    return (NSSPKIXAttribute *)NULL;
+  }
+
+  {
+    va_start(ap, typeOid);
+
+    while( 1 ) {
+      NSSPKIXAttributeValue *v;
+      v = (NSSPKIXAttributeValue *)va_arg(ap, NSSPKIXAttributeValue *);
+      if( (NSSPKIXAttributeValue *)NULL == v ) {
+        break;
+      }
+    
+      if( PR_SUCCESS != nssItem_verifyPointer(v) ) {
+        va_end(ap);
+        return (NSSPKIXAttribute *)NULL;
+      }
+    }
+
+    va_end(ap);
+  }
+#endif /* NSSDEBUG */
+
+  va_start(ap, typeOid);
+
+  for( count = 0; ; count++ ) {
+    NSSPKIXAttributeValue *v;
+    v = (NSSPKIXAttributeValue *)va_arg(ap, NSSPKIXAttributeValue *);
+    if( (NSSPKIXAttributeValue *)NULL == v ) {
+      break;
+    }
+
+#ifdef PEDANTIC
+    if( count == 0xFFFFFFFF ) {
+      nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+      va_end(ap);
+      return (NSSPKIXAttribute *)NULL;
+    }
+#endif /* PEDANTIC */
+  }
+
+  va_end(ap);
+
+  va_start(ap, typeOid);
+  rv = nss_pkix_Attribute_V_Create(arenaOpt, typeOid, count, ap);
+  va_end(ap);
+
+  return rv;
+}
diff --git a/security/nss/lib/pkix/src/Attribute/PCreateFromArray.c b/security/nss/lib/pkix/src/Attribute/PCreateFromArray.c
new file mode 100644
index 000000000..c2d301d12
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/PCreateFromArray.c
@@ -0,0 +1,191 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+/*
+ * nssPKIXAttribute_CreateFromArray
+ *
+ * This routine creates an NSSPKIXAttribute from specified components.
+ * This routine may return NULL upon error, in which case it will have
+ * created an error stack.  If the optional arena argument is non-NULL,
+ * that arena will be used for the required memory.  There must be at
+ * least one attribute value specified.  The final argument must be
+ * NULL, to indicate the end of the set of attribute values.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttribute upon success
+ *  NULL upon failure.
+ */
+
+NSS_IMPLEMENT NSSPKIXAttribute *
+nssPKIXAttribute_CreateFromArray
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAttributeType *typeOid,
+  PRUint32 count,
+  NSSPKIXAttributeValue values[]
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXAttribute *rv = (NSSPKIXAttribute *)NULL;
+  PRStatus status;
+  PRUint32 i;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttribute *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssOID_verifyPointer(typeOid) ) {
+    return (NSSPKIXAttribute *)NULL;
+  }
+
+  for( i = 0; i < count; i++ ) {
+    if( PR_SUCCESS != nssItem_verifyPointer(&values[i]) ) {
+      return (NSSPKIXAttribute *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXAttribute);
+  if( (NSSPKIXAttribute *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+
+  rv->type = typeOid;
+  {
+    NSSItem typeder;
+    NSSItem *x = nssOID_GetDEREncoding(rv->type, &typeder, arena);
+    if( (NSSItem *)NULL == x ) {
+      goto loser;
+    }
+
+    rv->asn1type.size = typeder.size;
+    rv->asn1type.data = typeder.data;
+  }
+
+  rv->valuesCount = count;
+
+  rv->asn1values = nss_ZNEWARRAY(arena, nssASN1Item *, count);
+  if( (nssASN1Item **)NULL == rv->asn1values ) {
+    goto loser;
+  }
+
+  for( i = 0; i < count; i++ ) {
+    NSSItem tmp;
+    NSSPKIXAttributeValue *v = &values[i];
+
+    rv->asn1values[i] = nss_ZNEW(arena, nssASN1Item);
+    if( (nssASN1Item *)NULL == rv->asn1values[i] ) {
+      goto loser;
+    }
+
+    if( (NSSItem *)NULL == nssItem_Duplicate(v, arena, &tmp) ) {
+      goto loser;
+    }
+
+    rv->asn1values[i].size = tmp.size;
+    rv->asn1values[i].data = tmp.data;
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_Attribute_add_pointer(rv) ) {
+    goto loser;
+  }
+
+  if( PR_SUCCESS != 
+      nssArena_registerDestructor(arena, 
+                                  nss_pkix_Attribute_remove_pointer, 
+                                  rv) ) {
+    (void)nss_pkix_Attribute_remove_pointer(rv);
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXAttribute *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/Attribute/PDecode.c b/security/nss/lib/pkix/src/Attribute/PDecode.c
new file mode 100644
index 000000000..49a059404
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/PDecode.c
@@ -0,0 +1,153 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+/*
+ * nssPKIXAttribute_Decode
+ *
+ * This routine creates an NSSPKIXAttribute by decoding a BER-
+ * or DER-encoded Attribute as defined in RFC 2459.  This
+ * routine may return NULL upon error, in which case it will
+ * have created an error stack.  If the optional arena argument
+ * is non-NULL, that arena will be used for the required memory.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttribute upon success
+ *  NULL upon failure.
+ */
+
+NSS_IMPLEMENT NSSPKIXAttribute *
+nssPKIXAttribute_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXAttribute *rv = (NSSPKIXAttribute *)NULL;
+  PRStatus status;
+  PRUint32 i;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttribute *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
+    return (NSSPKIXAttribute *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXAttribute);
+  if( (NSSPKIXAttribute *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+  rv->ber = nssItem_Duplicate(ber, arena, (NSSItem *)NULL);
+  if( (NSSItem *)NULL == rv->ber ) {
+    goto loser;
+  }
+
+  status = nssASN1_DecodeBER(arena, rv, nssPKIXAttribute_template, ber);
+  if( PR_SUCCESS != status ) {
+    goto loser;
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_Attribute_add_pointer(rv) ) {
+    goto loser;
+  }
+
+  if( PR_SUCCESS != nssArena_registerDestructor(arena, 
+        nss_pkix_Attribute_remove_pointer, rv) ) {
+    (void)nss_pkix_Attribute_remove_pointer(rv);
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXAttribute *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/Attribute/PDestroy.c b/security/nss/lib/pkix/src/Attribute/PDestroy.c
new file mode 100644
index 000000000..5f2b5a135
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/PDestroy.c
@@ -0,0 +1,82 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttribute_Destroy
+ *
+ * This routine destroys an NSSPKIXAttribute.  It should be called on
+ * all such objects created without an arena.  It does not need to be
+ * called for objects created with an arena, but it may be.  This
+ * routine returns a PRStatus value.  Upon error, it place an error on 
+ * the error stack and return PR_FAILURE.
+ *
+ * The error value may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXAttribute_Destroy
+(
+  NSSPKIXAttribute *attribute
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+#ifdef DEBUG
+  (void)nss_pkix_Attribute_remove_pointer(attribute);
+  (void)nssArena_RemoveDestructor(arena, nss_pkix_Attribute_remove_pointer, 
+                                  attribute);
+#endif /* DEBUG */
+
+  if( PR_TRUE == attribute->i_allocated_arena ) {
+    return nssArena_Destroy(attribute->arena);
+  }
+
+  return PR_SUCCESS;
+}
diff --git a/security/nss/lib/pkix/src/Attribute/PDuplicate.c b/security/nss/lib/pkix/src/Attribute/PDuplicate.c
new file mode 100644
index 000000000..765510e59
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/PDuplicate.c
@@ -0,0 +1,189 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttribute_Duplicate
+ *
+ * This routine duplicates an NSSPKIXAttribute.  {arenaOpt}
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttribute upon success
+ *  NULL upon failure.
+ */
+
+NSS_IMPLEMENT NSSPKIXAttribute *
+nssPKIXAttribute_Duplicate
+(
+  NSSPKIXAttribute *attribute,
+  NSSArena *arenaOpt
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXAttribute *rv = (NSSPKIXAttribute *)NULL;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
+    return PR_FAILURE;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return PR_FAILURE;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXAttribute);
+  if( (NSSPKIXAttribute *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+
+  if( (NSSBER *)NULL != attribute->ber ) {
+    rv->ber = nssItem_Duplicate(arena, attribute->ber, (NSSItem *)NULL);
+    if( (NSSBER *)NULL == rv->ber ) {
+      goto loser;
+    }
+  }
+
+  if( (NSSDER *)NULL != attribute->der ) {
+    rv->der = nssItem_Duplicate(arena, attribute->der, (NSSItem *)NULL);
+    if( (NSSDER *)NULL == rv->der ) {
+      goto loser;
+    }
+  }
+
+  if( (void *)NULL != attribute->asn1type.data ) {
+    rv->asn1type.size = attribute->asn1type.size;
+    rv->asn1type.data = nss_ZAlloc(arena, attribute->asn1type.size);
+    if( (void *)NULL == rv->asn1type.data ) {
+      goto loser;
+    }
+    (void)nsslibc_memcpy(rv->asn1type.data, attribute->asn1type.data, 
+                         rv->asn1type.size);
+  }
+    
+  if( (nssASN1Item **)NULL != attribute->asn1values ) {
+    rv->asn1values = nss_ZNEWARRAY(arena, nssASN1Item *, attribute->valuesCount);
+    if( (nssASN1Item **)NULL == rv->asn1values ) {
+      goto loser;
+    }
+
+    for( i = 0; i < attribute->valuesCount; i++ ) {
+      nssASN1Item *src;
+      nssASN1Item *dst;
+
+      src = attribute->asn1values[i];
+      dst = nss_ZNEW(arena, nssASN1Item);
+      if( (nssASN1Item *)NULL == dst ) {
+        goto loser;
+      }
+
+      rv->asn1values[i] = dst;
+
+      dst->size = src->size;
+      dst->data = nss_ZAlloc(arena, dst->size);
+      if( (void *)NULL == dst->data ) {
+        goto loser;
+      }
+      (void)nsslibc_memcpy(dst->data, src->data, src->size);
+    }
+  }
+
+  rv->type = attribute->type; /* NULL or otherwise */
+  rv->valuescount = attribute->valuesCount;
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_Attribute_add_pointer(rv) ) {
+    goto loser;
+  }
+
+  if( PR_SUCCESS != 
+      nssArena_registerDestructor(arena,
+                                  nss_pkix_Attribute_remove_pointer, 
+                                  rv) ) {
+    (void)nss_pkix_Attribute_remove_pointer(rv);
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXAttribute *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/Attribute/PEncode.c b/security/nss/lib/pkix/src/Attribute/PEncode.c
new file mode 100644
index 000000000..7fc647ed2
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/PEncode.c
@@ -0,0 +1,126 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+/*
+ * nssPKIXAttribute_Encode
+ *
+ * This routine returns an ASN.1 encoding of the specified 
+ * NSSPKIXAttribute.  {usual rules about itemOpt and arenaOpt}
+ * This routine indicates an error (NSS_ERROR_INVALID_DATA) 
+ * if there are no attribute values (i.e., the last one was removed).
+ *
+ * The error value may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_DATA
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSBER *
+nssPKIXAttribute_Encode
+(
+  NSSPKIXAttribute *a,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+  NSSBER *it;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(a) ) {
+    return (NSSBER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSBER *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  switch( encoding ) {
+  case NSSASN1BER:
+    if( (NSSBER *)NULL != a->ber ) {
+      it = a->ber;
+      goto done;
+    }
+    /*FALLTHROUGH*/
+  case NSSASN1DER:
+    if( (NSSDER *)NULL != a->der ) {
+      it = a->der;
+      goto done;
+    }
+    break;
+  default:
+    nss_SetError(NSS_ERROR_UNSUPPORTED_ENCODING);
+    return (NSSBER *)NULL;
+  }
+
+  it = nssASN1_EncodeItem(a->arena, (NSSItem *)NULL, a, 
+                          nssPKIXAttribute_template, encoding);
+  if( (NSSBER *)NULL == it ) {
+    return (NSSBER *)NULL;
+  }
+
+  switch( encoding ) {
+  case NSSASN1BER:
+    a->ber = it;
+    break;
+  case NSSASN1DER:
+    a->der = it;
+    break;
+  default:
+    PR_ASSERT(0);
+    break;
+  }
+
+ done:
+  return nssItem_Duplicate(it, arenaOpt, rvOpt);
+}
diff --git a/security/nss/lib/pkix/src/Attribute/PEqual.c b/security/nss/lib/pkix/src/Attribute/PEqual.c
new file mode 100644
index 000000000..247bfd575
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/PEqual.c
@@ -0,0 +1,164 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttribute_Equal
+ *
+ * This routine compares two NSSPKIXAttribute's for equality.
+ * It returns PR_TRUE if they are equal, PR_FALSE otherwise.
+ * This routine also returns PR_FALSE upon error; if you're
+ * that worried about it, check for an error stack.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+nssPKIXAttribute_Equal
+(
+  NSSPKIXAttribute *one,
+  NSSPKIXAttribute *two,
+  PRStatus *statusOpt
+)
+{
+  PRStatus dummyStatus = PR_SUCCESS; /* quiet warnings */
+  PRStatus *status;
+  PRUint32 i;
+
+  if( (PRStatus *)NULL != statusOpt ) {
+    status = statusOpt;
+    *status = PR_SUCCESS;
+  } else {
+    status = &dummyStatus;
+  }
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(one) ) {
+    *status = PR_FAILURE;
+    return PR_FALSE;
+  }
+
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(two) ) {
+    *status = PR_FAILURE;
+    return PR_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( ((NSSDER *)NULL != one->der) && ((NSSDER *)NULL != two->der) ) {
+    return nssItem_Equal(one->der, two->der, statusOpt);
+  }
+
+  if( (NSSPKIXAttributeType *)NULL == one->type ) {
+    NSSItem berOid;
+    berOid.size = one->asn1type.size;
+    berOid.data = one->asn1type.data;
+    one->type = (NSSPKIXAttributeType *)NSSOID_CreateFromBER(&berOid);
+  }
+
+  if( (NSSPKIXAttributeType *)NULL == two->type ) {
+    NSSItem berOid;
+    berOid.size = two->asn1type.size;
+    berOid.data = two->asn1type.data;
+    two->type = (NSSPKIXAttributeType *)NSSOID_CreateFromBER(&berOid);
+  }
+
+  if( one->type != two->type ) {
+    return PR_FALSE;
+  }
+
+  if( 0 == one->valuesCount ) {
+    nss_pkix_Attribute_Count(one);
+  }
+
+#ifdef PEDANTIC
+  if( 0 == one->valuesCount ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    *statusOpt = PR_FAILURE;
+    return PR_FALSE;
+  }
+#endif /* PEDANTIC */
+
+  if( 0 == two->valuesCount ) {
+    nss_pkix_Attribute_Count(two);
+  }
+
+#ifdef PEDANTIC
+  if( 0 == two->valuesCount ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    *statusOpt = PR_FAILURE;
+    return PR_FALSE;
+  }
+#endif /* PEDANTIC */
+
+  if( one->valuesCount != two->valuesCount ) {
+    return PR_FALSE;
+  }
+
+  *status = nss_pkix_Attribute_Distinguish(one);
+  if( PR_FAILURE == *status ) {
+    return PR_FALSE;
+  }
+
+  *status = nss_pkix_Attribute_Distinguish(two);
+  if( PR_FAILURE == *status ) {
+    return PR_FALSE;
+  }
+
+  for( i == 0; i < one->valuesCount; i++ ) {
+    NSSItem onetmp, twotmp;
+
+    onetmp.size = one->asn1values[i]->size;
+    onetmp.data = one->asn1values[i]->data;
+    twotmp.size = two->asn1values[i]->size;
+    twotmp.data = two->asn1values[i]->data;
+
+    if( PR_FALSE == nssItem_Equal(&one, &two, statusOpt) ) {
+      return PR_FALSE;
+    }
+  }
+
+  return PR_TRUE;
+}
diff --git a/security/nss/lib/pkix/src/Attribute/PFindValue.c b/security/nss/lib/pkix/src/Attribute/PFindValue.c
new file mode 100644
index 000000000..0f1095f0c
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/PFindValue.c
@@ -0,0 +1,107 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttribute_FindValue
+ *
+ * This routine searches the set of attribute values in the specified
+ * NSSPKIXAttribute for the provided data.  If an exact match is found,
+ * then that value's index is returned.  If an exact match is not 
+ * found, -1 is returned.  If there is more than one exact match, one
+ * index will be returned.  {notes about unorderdness of SET, etc}
+ * If the index may not be represented as an integer, an error is
+ * indicated.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value
+ *  The index of the specified attribute value upon success
+ *  -1 upon failure.
+ */
+
+NSS_IMPLEMENT PRInt32
+nssPKIXAttribute_FindValue
+(
+  NSSPKIXAttribute *a,
+  NSSPKIXAttributeValue *attributeValue
+)
+{
+  PRUint32 i;
+  nssASN1Item **a;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(a) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(value) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  PR_ASSERT((nssASN1Item **)NULL != a->asn1values);
+  if( (nssASN1Item **)NULL == a->asn1values ) {
+    nss_SetError(NSS_ERROR_ASSERTION_FAILED);
+    return -1;
+  }
+
+  for( i = 0, a = &a->asn1values[0]; *a; a++, (i > 0x7fffffff) || i++ ) {
+    NSSItem tmp;
+
+    tmp.size = (*a)->size;
+    tmp.data = (*a)->data;
+
+    if( PR_TRUE == nssItem_Equal(attributeValue, &tmp, (PRStatus *)NULL) ) {
+      if( i > 0x7fffffff ) {
+        nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+        return -1;
+      }
+      return (PRInt32)i;
+    }
+  }
+
+  nss_SetError(NSS_ERROR_NOT_FOUND);
+  return -1;
+}
diff --git a/security/nss/lib/pkix/src/Attribute/PGetType.c b/security/nss/lib/pkix/src/Attribute/PGetType.c
new file mode 100644
index 000000000..4b61431b8
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/PGetType.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttribute_GetType
+ *
+ * This routine returns the attribute type oid of the specified
+ * NSSPKIXAttribute.
+ *
+ * The error value may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSPKIXAttributeType pointer upon success
+ *  NULL upon failure.
+ */
+
+NSS_IMPLEMENT NSSPKIXAttributeType *
+nssPKIXAttribute_GetType
+(
+  NSSPKIXAttribute *a
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(a) ) {
+    return (NSSPKIXAttributeType *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSPKIXAttributeType *)NULL == a->type ) {
+    NSSItem ber;
+
+    ber.size = a->asn1type.size;
+    ber.data = a->asn1type.data;
+
+    a->type = (NSSPKIXAttributeType *)NSSOID_CreateFromBER(&ber);
+  }
+
+  return a->type;
+}
diff --git a/security/nss/lib/pkix/src/Attribute/PGetValue.c b/security/nss/lib/pkix/src/Attribute/PGetValue.c
new file mode 100644
index 000000000..bbf12ca67
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/PGetValue.c
@@ -0,0 +1,98 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttribute_GetValue
+ *
+ * This routine returns the i'th attribute value of the set of
+ * values in the specified NSSPKIXAttribute.  Although the set
+ * is unordered, an arbitrary ordering will be maintained until
+ * the data in the attribute is changed.  {usual comments about
+ * itemOpt and arenaOpt} [0,valueCount)
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeValue upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAttributeValue *
+nssPKIXAttribute_GetValue
+(
+  NSSPKIXAttribute *attribute,
+  PRInt32 i,
+  NSSPKIXAttributeValue *itemOpt,
+  NSSArena *arenaOpt
+)
+{
+  NSSItem tmp;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
+    return (NSSPKIXAttributeValue *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttributeValue *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( 0 == attribute->valuesCount ) {
+    nss_pkix_Attribute_Count(attribute);
+  }
+
+  if( (i < 0) || (i >= attribute->valuesCount) ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return (NSSPKIXAttributeValue *)NULL;
+  }
+
+  tmp.size = attribute->asn1values[i]->size;
+  tmp.data = attribute->asn1values[i]->data;
+
+  return nssItem_Duplicate(&tmp, arenaOpt, itemOpt);
+}
diff --git a/security/nss/lib/pkix/src/Attribute/PGetValueCount.c b/security/nss/lib/pkix/src/Attribute/PGetValueCount.c
new file mode 100644
index 000000000..ada1d403d
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/PGetValueCount.c
@@ -0,0 +1,88 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttribute_GetValueCount
+ *
+ * This routine returns the number of attribute values present in
+ * the specified NSSPKIXAttribute.  This routine returns a PRInt32.
+ * Upon error, this routine returns -1.  This routine indicates an
+ * error if the number of values cannot be expressed as a PRInt32.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_IMPLEMENT PRInt32
+nssPKIXAttribute_GetValueCount
+(
+  NSSPKIXAttribute *attribute
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
+    return -1;
+  }
+#endif /* NSSDEBUG */
+
+  if( 0 == attribute->valuesCount ) {
+    nss_pkix_Attribute_Count(attribute);
+  }
+
+#ifdef PEDANTIC
+  if( 0 == attribute->valuesCount ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return -1;
+  }
+#endif /* PEDANTIC */
+
+  if( attribute->valuesCount > 0x7fffffff ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return -1;
+  }
+
+  return (PRInt32)(attribute->valuesCount);
+}
diff --git a/security/nss/lib/pkix/src/Attribute/PGetValues.c b/security/nss/lib/pkix/src/Attribute/PGetValues.c
new file mode 100644
index 000000000..ccc11dbe0
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/PGetValues.c
@@ -0,0 +1,145 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttribute_GetValues
+ *
+ * This routine returns all of the attribute values in the specified
+ * NSSPKIXAttribute.  If the optional pointer to an array of NSSItems
+ * is non-null, then that array will be used and returned; otherwise,
+ * an array will be allocated and returned.  If the limit is nonzero
+ * (which is must be if the specified array is nonnull), then an
+ * error is indicated if it is smaller than the value count.
+ * {arenaOpt}
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  A valid pointer to an array of NSSItem's upon success
+ *  NULL upon failure.
+ */
+
+NSS_IMPLEMENT NSSPKIXAttributeValue *
+nssPKIXAttribute_GetValues
+(
+  NSSPKIXAttribute *attribute,
+  NSSPKIXAttributeValue rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+)
+{
+  NSSPKIXAttributeValue *rv = (NSSPKIXAttributeValue *)NULL;
+  PRUint32 i;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
+    return (NSSPKIXAttributeValue *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyOpt(attribute) ) {
+      return (NSSPKIXAttributeValue *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( 0 == attribute->valuesCount ) {
+    nss_pkix_Attribute_Count(attribute);
+  }
+  
+#ifdef PEDANTIC
+  if( 0 == attribute->valuesCount ) {
+    if( 0 == limit ) {
+      nss_SetError(NSS_ERROR_NO_MEMORY);
+    } else {
+      nss_SetError(NSS_ERROR_ARRAY_TOO_SMALL);
+    }
+    return (NSSPKIXAttributeValue *)NULL;
+  }
+#endif /* PEDANTIC */
+
+  if( (limit < attribute->valuesCount) &&
+      !((0 == limit) && ((NSSPKIXAttributeValue *)NULL == rvOpt)) ) {
+    nss_SetError(NSS_ERROR_ARRAY_TOO_SMALL);
+    return (NSSPKIXAttributeValue *)NULL;
+  }
+
+  limit = attribute->valuesCount;
+  if( (NSSPKIXAttributeValue *)NULL == rvOpt ) {
+    rv = nss_ZNEWARRAY(arenaOpt, NSSPKIXAttributeValue, limit);
+    if( (NSSPKIXAttributeValue *)NULL == rv ) {
+      return (NSSPKIXAttributeValue *)NULL;
+    }
+  } else {
+    rv = rvOpt;
+  }
+
+  for( i = 0; i < limit; i++ ) {
+    NSSAttributeValue tmp;
+    nssASN1Item *p = attribute->asn1values[i];
+    NSSAttributeValue *r = &rv[i];
+
+    tmp.size = p->size;
+    tmp.data = p->data;
+
+    if( (NSSItem *)NULL == nssItem_Duplicate(&tmp, arenaOpt, r) ) {
+      goto loser;
+    }
+  }
+
+  return rv;
+
+ loser:
+  for( i = 0; i < limit; i++ ) {
+    NSSAttributeValue *r = &rv[i];
+    nss_ZFreeIf(r->data);
+  }
+
+  if( rv != rvOpt ) {
+    nss_ZFreeIf(rv);
+  }
+
+  return (NSSAttributeValue *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/Attribute/PRemoveValue.c b/security/nss/lib/pkix/src/Attribute/PRemoveValue.c
new file mode 100644
index 000000000..6da2ebc07
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/PRemoveValue.c
@@ -0,0 +1,121 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttribute_RemoveValue
+ *
+ * This routine removes the i'th attribute value of the set in the
+ * specified NSSPKIXAttribute.  An attempt to remove the last value
+ * will fail.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_AT_MINIMUM
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+PR_IMPLEMENET(PRStatus)
+nssPKIXAttribute_RemoveValue
+(
+  NSSPKIXAttribute *a,
+  PRInt32 i
+)
+{
+  nssASN1Item **ip;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(a) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  if( 0 == a->valuesCount ) {
+    nss_pkix_Attribute_Count(a);
+  }
+
+  if( i < 0 ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return PR_FAILURE;
+  }
+
+  if( 1 == a->valuesCount ) {
+    nss_SetError(NSS_ERROR_AT_MINIMUM);
+    return PR_FAILURE;
+  }
+
+#ifdef PEDANTIC
+  if( 0 == a->valuesCount ) {
+    /* Too big.. but we can still remove one */
+    nss_ZFreeIf(a->asn1values[i].data);
+    for( ip = &a->asn1values[i]; *ip; ip++ ) {
+      ip[0] = ip[1];
+    }
+  } else
+#endif /* PEDANTIC */
+
+  {
+    nssASN1Item *si;
+    PRUint32 end;
+
+    if( i >= a->valueCount ) {
+      nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+      return PR_FAILURE;
+    }
+
+    end = a->valuesCount - 1;
+
+    si = a->asn1values[i];
+    a->asn1values[i] = a->asn1values[ end ];
+    a->asn1values[ end ] = (nssASN1Item *)NULL;
+
+    nss_ZFreeIf(si->data);
+    nss_ZFreeIf(si);
+
+    /* We could realloc down, but we know it's a no-op */
+    a->valuesCount = end;
+  }
+
+  return nss_pkix_Attribute_Clear(a);
+}
diff --git a/security/nss/lib/pkix/src/Attribute/PSetType.c b/security/nss/lib/pkix/src/Attribute/PSetType.c
new file mode 100644
index 000000000..8f430aab3
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/PSetType.c
@@ -0,0 +1,90 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttribute_SetType
+ *
+ * This routine sets the attribute type oid of the indicated
+ * NSSPKIXAttribute to the specified value.  Since attributes
+ * may be application-defined, no checking can be done on
+ * either the correctness of the attribute type oid value nor
+ * the suitability of the set of attribute values.
+ *
+ * The error value may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_OID
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXAttribute_SetType
+(
+  NSSPKIXAttribute *a,
+  NSSPKIXAttributeType *attributeType
+)
+{
+  NSSDER tmp;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(a) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssOID_verifyPointer(attributeType) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  a->type = attributeType;
+
+  nss_ZFreeIf(a->asn1type.data);
+  if( (NSSDER *)NULL == nssOID_GetDEREncoding(a->type, &tmp, a->arena) ) {
+    return PR_FAILURE;
+  }
+
+  a->asn1type.size = tmp.size;
+  a->asn1type.data = tmp.data;
+
+  return nss_pkix_Attribute_Clear(a);
+}
diff --git a/security/nss/lib/pkix/src/Attribute/PSetValue.c b/security/nss/lib/pkix/src/Attribute/PSetValue.c
new file mode 100644
index 000000000..4fd490a6a
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/PSetValue.c
@@ -0,0 +1,102 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttribute_SetValue
+ *
+ * This routine sets the i'th attribute value {blah blah; copies
+ * memory contents over..}
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXAttribute_SetValue
+(
+  NSSPKIXAttribute *a,
+  PRInt32 i,
+  NSSPKIXAttributeValue *value
+)
+{
+  NSSItem tmp;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(a) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(value) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  if( i < 0 ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return PR_FAILURE;
+  }
+
+  if( 0 == a->valuesCount ) {
+    nss_pkix_Attribute_Count(a);
+  }
+
+  if( (0 != a->valuesCount) && (i > a->valuesCount) ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return PR_FAILURE;
+  }
+
+  if( (NSSItem *)NULL == nssItem_Duplicate(value, a->arena, &tmp) ) {
+    return PR_FAILURE;
+  }
+
+  nss_ZFreeIf(a->asn1values[i]->data);
+  a->asn1values[i]->size = tmp.size;
+  a->asn1values[i]->data = tmp.data;
+
+  return nss_pkix_Attribute_Clear(a);
+}
diff --git a/security/nss/lib/pkix/src/Attribute/PSetValues.c b/security/nss/lib/pkix/src/Attribute/PSetValues.c
new file mode 100644
index 000000000..64df8eb55
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/PSetValues.c
@@ -0,0 +1,135 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttribute_SetValues
+ *
+ * This routine sets all of the values of the specified 
+ * NSSPKIXAttribute to the values in the specified NSSItem array.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXAttribute_SetValues
+(
+  NSSPKIXAttribute *a,
+  NSSPKIXAttributeValue values[],
+  PRInt32 count
+)
+{
+  nssASN1Item **ip;
+  nssASN1Item *newarray;
+  PRUint32 i;
+  nssArenaMark *mark;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(a) ) {
+    return PR_FAILURE;
+  }
+
+  if( (NSSPKIXAttributeValue *)NULL == values ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return PR_FAILURE;
+  }
+
+  if( count < 1 ) {
+    nss_SetError(NSS_ERROR_ARRAY_TOO_SMALL);
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  PR_ASSERT((nssASN1Item **)NULL != a->asn1values);
+  if( (nssASN1Item **)NULL == a->asn1values ) {
+    nss_SetError(NSS_ERROR_ASSERTION_FAILED);
+    return PR_FAILURE;
+  }
+
+  mark = nssArena_Mark(a->arena);
+  if( (nssArenaMark *)NULL == mark ) {
+    return PR_FAILURE;
+  }
+
+  newarray = nss_ZNEWARRAY(a->arena, nssASN1Item *, count);
+  if( (nssASN1Item *)NULL == newarray ) {
+    return PR_FAILURE;
+  }
+
+  for( i = 0; i < count; i++ ) {
+    NSSItem tmp;
+
+    newarray[i] = nss_ZNEW(a->arena, nssASN1Item);
+    if( (nssASN1Item *)NULL == newarray[i] ) {
+      goto loser;
+    }
+
+    if( (NSSItem *)NULL == nssItem_Duplicate(&values[i], a->arena, &tmp) ) {
+      goto loser;
+    }
+
+    newarray[i]->size = tmp.size;
+    newarray[i]->data = tmp.data;
+  }
+
+  for( ip = &a->asn1values[0]; *ip; ip++ ) {
+    nss_ZFreeIf((*ip)->data);
+    nss_ZFreeIf(*ip);
+  }
+
+  nss_ZFreeIf(a->asn1values);
+  
+  a->asn1values = newarray;
+  a->valuesCount = count;
+
+  (void)nss_pkix_Attribute_Clear(a);
+  return nssArena_Unmark(a->arena, mark);
+
+ loser:
+  (void)nssArena_Release(a->arena, mark);
+  return PR_FAILURE;
+}
diff --git a/security/nss/lib/pkix/src/Attribute/RemoveValue.c b/security/nss/lib/pkix/src/Attribute/RemoveValue.c
new file mode 100644
index 000000000..e869fd96a
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/RemoveValue.c
@@ -0,0 +1,76 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttribute_RemoveValue
+ *
+ * This routine removes the i'th attribute value of the set in the
+ * specified NSSPKIXAttribute.  An attempt to remove the last value
+ * will fail.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_AT_MINIMUM
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXAttribute_RemoveValue
+(
+  NSSPKIXAttribute *attribute,
+  PRInt32 i
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttribute_RemoveValue(attribute, i);
+}
+
diff --git a/security/nss/lib/pkix/src/Attribute/SetType.c b/security/nss/lib/pkix/src/Attribute/SetType.c
new file mode 100644
index 000000000..4975c8f8a
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/SetType.c
@@ -0,0 +1,80 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttribute_SetType
+ *
+ * This routine sets the attribute type oid of the indicated
+ * NSSPKIXAttribute to the specified value.  Since attributes
+ * may be application-defined, no checking can be done on
+ * either the correctness of the attribute type oid value nor
+ * the suitability of the set of attribute values.
+ *
+ * The error value may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_OID
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXAttribute_SetType
+(
+  NSSPKIXAttribute *attribute,
+  NSSPKIXAttributeType *attributeType
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssOID_verifyPointer(attributeType) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttribute_SetType(attribute, attributeType);
+}
diff --git a/security/nss/lib/pkix/src/Attribute/SetValue.c b/security/nss/lib/pkix/src/Attribute/SetValue.c
new file mode 100644
index 000000000..43f74ad26
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/SetValue.c
@@ -0,0 +1,80 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttribute_SetValue
+ *
+ * This routine sets the i'th attribute value {blah blah; copies
+ * memory contents over..}
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXAttribute_SetValue
+(
+  NSSPKIXAttribute *attribute,
+  PRInt32 i,
+  NSSPKIXAttributeValue *value
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(value) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttribute_SetValue(attribute, i, value);
+}
diff --git a/security/nss/lib/pkix/src/Attribute/SetValues.c b/security/nss/lib/pkix/src/Attribute/SetValues.c
new file mode 100644
index 000000000..7c3645cf7
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/SetValues.c
@@ -0,0 +1,85 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttribute_SetValues
+ *
+ * This routine sets all of the values of the specified 
+ * NSSPKIXAttribute to the values in the specified NSSItem array.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXAttribute_SetValues
+(
+  NSSPKIXAttribute *attribute,
+  NSSPKIXAttributeValue values[],
+  PRInt32 count
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttribute_verifyPointer(attribute) ) {
+    return PR_FAILURE;
+  }
+
+  if( (NSSPKIXAttributeValue *)NULL == values ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return PR_FAILURE;
+  }
+
+  if( count < 1 ) {
+    nss_SetError(NSS_ERROR_ARRAY_TOO_SMALL);
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKXIAttribute_SetValues(attribute, values, count);
+}
diff --git a/security/nss/lib/pkix/src/Attribute/template.c b/security/nss/lib/pkix/src/Attribute/template.c
new file mode 100644
index 000000000..850b6a9b0
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/template.c
@@ -0,0 +1,58 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+/*
+ * nssPKIXAttribute_template
+ *
+ *
+ */
+
+const nssASN1Template nssPKIXAttribute_template[] = {
+  { nssASN1_SEQUENCE, 0, NULL, sizeof(NSSPKIXAttribute) },
+  { nssASN1_OBJECT_ID, offsetof(NSSPKIXAttribute, asn1type) },
+  { nssASN1_SET_OF, offsetof(NSSPKIXAttribute, asn1values), 
+    nssASN1Template_Any },
+  { 0 }
+};
diff --git a/security/nss/lib/pkix/src/Attribute/verifyPointer.c b/security/nss/lib/pkix/src/Attribute/verifyPointer.c
new file mode 100644
index 000000000..c0ae3ed84
--- /dev/null
+++ b/security/nss/lib/pkix/src/Attribute/verifyPointer.c
@@ -0,0 +1,170 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIXM_H
+#include "pkixm.h"
+#endif /* PKIXM_H */
+
+#ifdef DEBUG
+
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+static nssPointerTracker pkix_attribute_pointer_tracker;
+
+/*
+ * nss_pkix_Attribute_add_pointer
+ *
+ * This method is only present in debug builds.
+ *
+ * This module-private routine adds an NSSPKIXAttribute pointer to
+ * the internal pointer-tracker.  This routine should only be used 
+ * by the NSSPKIX module.  This routine returns a PRStatus value; 
+ * upon error it will place an error on the error stack and return 
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INTERNAL_ERROR
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_pkix_Attribute_add_pointer
+(
+  const NSSPKIXAttribute *p
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&pkix_attribute_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return rv;
+  }
+
+  rv = nssPointerTracker_add(&pkix_attribute_pointer_tracker, p);
+  if( PR_SUCCESS != rv ) {
+    NSSError e = NSS_GetError();
+    if( NSS_ERROR_NO_MEMORY != e ) {
+      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    }
+
+    return rv;
+  }
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nss_pkix_Attribute_remove_pointer
+ *
+ * This method is only present in debug builds.
+ *
+ * This module-private routine removes a valid NSSPKIXAttribute
+ * pointer from the internal pointer-tracker.  This routine should 
+ * only be used by the NSSPKIX module.  This routine returns a 
+ * PRStatus value; upon error it will place an error on the error 
+ * stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INTERNAL_ERROR
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_pkix_Attribute_remove_pointer
+(
+  const NSSPKIXAttribute *p
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_remove(&pkix_attribute_pointer_tracker, p);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  }
+
+  return rv;
+}
+
+/*
+ * nssPKIXAttribute_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXAttribute
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXAttribute_verifyPointer
+(
+  NSSPKIXAttribute *p
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&pkix_attribute_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
+    return PR_FAILURE;
+  }
+
+  rv = nssPointerTracker_verify(&pkix_attribute_pointer_tracker, p);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+#endif /* DEBUG */
+
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/Create.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/Create.c
new file mode 100644
index 000000000..84e721f80
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/Create.c
@@ -0,0 +1,85 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttributeTypeAndValue_Create
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue *
+NSSPKIXAttributeTypeAndValue_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAttributeType *typeOid,
+  NSSPKIXAttributeValue *value
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttributeTypeAndValue *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssOID_verifyPointer(typeOid) ) {
+    return (NSSPKIXAttributeTypeAndValue *)NULL;
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(value) ) {
+    return (NSSPKIXAttributeTypeAndValue *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttributeTypeAndValue(arenaOpt, typeOid, value);
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/CreateFromUTF8.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/CreateFromUTF8.c
new file mode 100644
index 000000000..72e0a3114
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/CreateFromUTF8.c
@@ -0,0 +1,81 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttributeTypeAndValue_CreateFromUTF8
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue *
+NSSPKIXAttributeTypeAndValue_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *string
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttributeTypeAndValue *)NULL;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL == string ) {
+    nss_SetError(NSS_ERROR_INVALID_STRING);
+    return (NSSPKIXAttributeTypeAndValue *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttributeTypeAndValue_CreateFromUTF8(arenaOpt, string);
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/Decode.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/Decode.c
new file mode 100644
index 000000000..33b657303
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/Decode.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttributeTypeAndValue_Decode
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue *
+NSSPKIXAttributeTypeAndValue_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttributeTypeAndValue *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
+    return (NSSPKIXAttributeTypeAndValue *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttributeTypeAndValue_Decode(arenaOpt, ber);
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/Destroy.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/Destroy.c
new file mode 100644
index 000000000..b3c28a03f
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/Destroy.c
@@ -0,0 +1,70 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttributeTypeAndValue_Destroy
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXAttributeTypeAndValue_Destroy
+(
+  NSSPKIXAttributeTypeAndValue *atav
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttributeTypeAndValue_Destroy(atav);
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/Duplicate.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/Duplicate.c
new file mode 100644
index 000000000..09d1f27c3
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/Duplicate.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttributeTypeAndValue_Duplicate
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue *
+NSSPKIXAttributeTypeAndValue_Duplicate
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return (NSSPKIXAttributeTypeAndValue *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttributeTypeAndValue *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttributeTypeAndValue_Duplicate(atav, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/Encode.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/Encode.c
new file mode 100644
index 000000000..1b67be84d
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/Encode.c
@@ -0,0 +1,81 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttributeTypeAndValue_Encode
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSBER *
+NSSPKIXAttributeTypeAndValue_Encode
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return (NSSBER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSBER *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttributeTypeAndValue_Encode(atav, encoding, rvOpt, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/Equal.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/Equal.c
new file mode 100644
index 000000000..0cbf06eca
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/Equal.c
@@ -0,0 +1,85 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttributeTypeAndValue_Equal
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+NSSPKIXAttributeTypeAndValue_Equal
+(
+  NSSPKIXAttributeTypeAndValue *atav1,
+  NSSPKIXAttributeTypeAndValue *atav2,
+  PRStatus *statusOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav1) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+
+    return PR_FALSE;
+  }
+
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav2) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+
+    return PR_FALSE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttributeTypeAndValue_Equal(atav1, atav2, statusOpt);
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/GetType.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/GetType.c
new file mode 100644
index 000000000..68e2f48f6
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/GetType.c
@@ -0,0 +1,71 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttributeTypeAndValue_GetType
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSPKIXAttributeType pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAttributeType *
+NSSPKIXAttributeTypeAndValue_GetType
+(
+  NSSPKIXAttributeTypeAndValue *atav
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return (NSSPKIXAttributeType *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttributeTypeAndValue_GetType(atav);
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/GetUTF8Encoding.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/GetUTF8Encoding.c
new file mode 100644
index 000000000..611e4bcb9
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/GetUTF8Encoding.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttributeTypeAndValue_GetUTF8Encoding
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+NSSPKIXAttributeTypeAndValue_GetUTF8Encoding
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttributeTypeAndValue_GetUTF8Encoding(atav, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/GetValue.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/GetValue.c
new file mode 100644
index 000000000..5516c63ea
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/GetValue.c
@@ -0,0 +1,80 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttributeTypeAndValue_GetValue
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSAttributeValue upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAttributeValue *
+NSSPKIXAttributeTypeAndValue_GetValue
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSPKIXAttributeValue *itemOpt,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return (NSSPKIXAttributeValue *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttributeValue *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttributeTypeAndValue_GetValue(atav, itemOpt, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/MClear.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/MClear.c
new file mode 100644
index 000000000..eeae7db86
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/MClear.c
@@ -0,0 +1,73 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nss_pkix_AttributeTypeAndValue_Clear
+ *
+ * Wipes out cached data.
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_pkix_AttributeTypeAndValue_Clear
+(
+  NSSPKIXAttributeTypeAndValue *atav
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSBER *)NULL != atav->ber ) {
+    nss_ZFreeIf(atav->ber->data);
+    nss_ZFreeIf(atav->ber);
+  }
+
+  if( (NSSDER *)NULL != atav->der ) {
+    nss_ZFreeIf(atav->der->data);
+    nss_ZFreeIf(atav->der);
+  }
+
+  nss_ZFreeIf(atav->utf8);
+
+  return PR_SUCCESS;
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PCreate.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PCreate.c
new file mode 100644
index 000000000..2dc6d8ac5
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/PCreate.c
@@ -0,0 +1,154 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttributeTypeAndValue_Create
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue *
+nssPKIXAttributeTypeAndValue_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAttributeType *typeOid,
+  NSSPKIXAttributeValue *value
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXAttributeTypeAndValue *rv = (NSSPKIXAttributeTypeAndValue *)NULL;
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttributeTypeAndValue *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssOID_verifyPointer(typeOid) ) {
+    return (NSSPKIXAttributeTypeAndValue *)NULL;
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(value) ) {
+    return (NSSPKIXAttributeTypeAndValue *)NULL;
+  }
+#endif /* DEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXAttributeTypeAndValue);
+  if( (NSSPKIXAttributeTypeAndValue *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+  rv->type = typeOid;
+
+  {
+    NSSItem tmp;
+    if( (NSSItem *)NULL == nssOID_GetDEREncoding(typeOid, arena, &tmp) ) {
+      goto loser;
+    }
+
+    rv->asn1type.size = tmp.size;
+    rv->asn1type.data = tmp.data;
+  }
+
+  {
+    NSSItem tmp;
+    if( (NSSItem *)NULL == nssItem_Duplicate(value, arena, &tmp) ) {
+      goto loser;
+    }
+
+    rv->asn1value.size = tmp.size;
+    rv->asn1value.data = tmp.data;
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_AttributeTypeAndValue_add_pointer(rv) ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXAttributeTypeAndValue *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PCreateFromUTF8.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PCreateFromUTF8.c
new file mode 100644
index 000000000..a2fa289ea
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/PCreateFromUTF8.c
@@ -0,0 +1,137 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttributeTypeAndValue_CreateFromUTF8
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue *
+nssPKIXAttributeTypeAndValue_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *string
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXAttributeTypeAndValue *rv = (NSSPKIXAttributeTypeAndValue *)NULL;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttributeTypeAndValue *)NULL;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL == string ) {
+    nss_SetError(NSS_ERROR_INVALID_STRING);
+    return (NSSPKIXAttributeTypeAndValue *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXAttributeTypeAndValue);
+  if( (NSSPKIXAttributeTypeAndValue *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+  rv->utf8 = nssUTF8_Duplicate(string, arena);
+  if( (NSSUTF8 *)NULL == rv->utf8 ) {
+    goto loser;
+  }
+  
+  /* Fill this in later from ../pki1/atav.c implementation */
+  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  goto loser;
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_AttributeTypeAndValue_add_pointer(rv) ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXAttributeTypeAndValue *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PDecode.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PDecode.c
new file mode 100644
index 000000000..9e017526c
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/PDecode.c
@@ -0,0 +1,144 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+/*
+ * nssPKIXAttributeTypeAndValue_Decode
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue *
+nssPKIXAttributeTypeAndValue_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXAttributeTypeAndValue *rv = (NSSPKIXAttributeTypeAndValue *)NULL;
+  PRStatus status;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttributeTypeAndValue *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
+    return (NSSPKIXAttributeTypeAndValue *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXAttributeTypeAndValue);
+  if( (NSSPKIXAttributeTypeAndValue *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+  /* For this object, BER is DER */
+  rv->der = nssItem_Duplicate(ber, arena, (NSSItem *)NULL);
+  if( (NSSItem *)NULL == rv->ber ) {
+    goto loser;
+  }
+
+  status = nssASN1_DecodeBER(arena, rv, 
+                             nssPKIXAttributeTypeAndValue_template,
+                             ber);
+  if( PR_SUCCESS != status ) {
+    goto loser;
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_AttributeTypeAndValue_add_pointer(rv) ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXAttributeTypeAndValue *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PDestroy.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PDestroy.c
new file mode 100644
index 000000000..47242f545
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/PDestroy.c
@@ -0,0 +1,78 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttributeTypeAndValue_Destroy
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXAttributeTypeAndValue_Destroy
+(
+  NSSPKIXAttributeTypeAndValue *atav
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+#ifdef DEBUG
+  (void)nss_pkix_AttributeTypeAndValue_remove_pointer(atav);
+  (void)nssArena_RemoveDestructor(arena, 
+    nss_pkix_AttributeTypeAndValue_remove_pointer, atav);
+#endif /* DEBUG */
+
+  if( PR_TRUE == atav->i_allocated_arena ) {
+    return nssArena_Destroy(atav->arena);
+  }
+
+  return PR_SUCCESS;
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PDuplicate.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PDuplicate.c
new file mode 100644
index 000000000..53fc85171
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/PDuplicate.c
@@ -0,0 +1,165 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttributeTypeAndValue_Duplicate
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue *
+nssPKIXAttributeTypeAndValue_Duplicate
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSArena *arenaOpt
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXAttributeTypeAndValue *rv = (NSSPKIXAttributeTypeAndValue *)NULL;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return PR_FAILURE;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttributeTypeAndValue *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXAttributeTypeAndValue);
+  if( (NSSPKIXAttributeTypeAndValue *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+
+  if( (NSSDER *)NULL != atav->der ) {
+    rv->der = nssItem_Duplicate(atav->der, arena, (NSSItem *)NULL);
+    if( (NSSDER *)NULL == rv->der ) {
+      goto loser; /* actually, this isn't fatal */
+    }
+  }
+
+  {
+    NSSItem src, dst;
+    src.size = atav->asn1type.size;
+    src.data = atav->asn1type.data;
+    if( (NSSItem *)NULL == nssItem_Duplicate(&src, arena, &dst) ) {
+      goto loser;
+    }
+    rv->asn1type.size = dst.size;
+    rv->asn1type.data = dst.data;
+  }
+
+  {
+    NSSItem src, dst;
+    src.size = atav->asn1value.size;
+    src.data = atav->asn1value.data;
+    if( (NSSItem *)NULL == nssItem_Duplicate(&src, arena, &dst) ) {
+      goto loser;
+    }
+    rv->asn1value.size = dst.size;
+    rv->asn1value.data = dst.data;
+  }
+
+  rv->type = atav->type;
+
+  if( (NSSUTF8 *)NULL != atav->utf8 ) {
+    rv->utf8 = nssUTF8_Duplicate(atav->utf8, arena);
+    if( (NSSUTF8 *)NULL == rv->utf8 ) {
+      goto loser; /* actually, this isn't fatal */
+    }
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_AttributeTypeAndValue_add_pointer(rv) ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXAttributeTypeAndValue *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PEncode.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PEncode.c
new file mode 100644
index 000000000..64a77e590
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/PEncode.c
@@ -0,0 +1,101 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttributeTypeAndValue_Encode
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSBER *
+nssPKIXAttributeTypeAndValue_Encode
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return PR_FAILURE;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSBER *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  switch( encoding ) {
+  case NSSASN1BER:
+  case NSSASN1DER:
+    break;
+  case NSSASN1CER:
+  case NSSASN1LWER:
+  case NSSASN1PER:
+  default:
+    nss_SetError(NSS_ERROR_UNSUPPORTED_ENCODING);
+    return (NSSBER *)NULL;
+  }
+
+  /* For this item its DER is BER */
+
+  if( (NSSDER *)NULL == atav->der ) {
+    atav->der = nssASN1_EncodeDER(atav->arena, (NSSItem *)NULL, a,
+                  nssPKIXAtributeTypeAndValue_template, NSSASN1DER);
+    if( (NSSDER *)NULL == atav->der ) {
+      return (NSSBER *)NULL;
+    }
+  }
+
+  return nssItem_Duplicate(a->der, arenaOpt, rvOpt);
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PEqual.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PEqual.c
new file mode 100644
index 000000000..67dc970f1
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/PEqual.c
@@ -0,0 +1,95 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttributeTypeAndValue_Equal
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+nssPKIXAttributeTypeAndValue_Equal
+(
+  NSSPKIXAttributeTypeAndValue *atav1,
+  NSSPKIXAttributeTypeAndValue *atav2,
+  PRStatus *statusOpt
+)
+{
+  NSSItem one, two;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav1) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav2) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  one.size = atav1->asn1type.size;
+  one.data = atav1->asn1type.data;
+  two.size = atav2->asn1type.size;
+  two.data = atav2->asn1type.data;
+
+  if( PR_FALSE == nssItem_Equal(&one, &two, statusOpt) ) {
+    return PR_FALSE;
+  }
+
+  one.size = atav1->asn1value.size;
+  one.data = atav1->asn1value.data;
+  two.size = atav2->asn1value.size;
+  two.data = atav2->asn1value.data;
+
+  return nssItem_Equal(&one, &two, statusOpt);
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PGetType.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PGetType.c
new file mode 100644
index 000000000..20411e8ee
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/PGetType.c
@@ -0,0 +1,78 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttributeTypeAndValue_GetType
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSPKIXAttributeType pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAttributeType *
+nssPKIXAttributeTypeAndValue_GetType
+(
+  NSSPKIXAttributeTypeAndValue *atav
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSPKIXAttributeType *)NULL == atav->type ) {
+    NSSItem ber;
+
+    ber.size = atav->asn1type.size;
+    ber.data = atav->asn1type.data;
+
+    atav->type = (NSSPKIXAttributeType *)NSSOID_CreateFromBER(&ber);
+  }
+
+  return atav->type;
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PGetUTF8Encoding.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PGetUTF8Encoding.c
new file mode 100644
index 000000000..41145b3cf
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/PGetUTF8Encoding.c
@@ -0,0 +1,81 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttributeTypeAndValue_GetUTF8Encoding
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+nssPKIXAttributeTypeAndValue_GetUTF8Encoding
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSArena *arenaOpt
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSUTF8 *)NULL == atav->utf8 ) {
+    /* xxx fgmr fill this in from the ../pki1/atav.c implementation */
+  }
+
+  return nssUTF8_Duplicate(atav->utf8, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PGetValue.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PGetValue.c
new file mode 100644
index 000000000..33f9e5b2b
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/PGetValue.c
@@ -0,0 +1,83 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttributeTypeAndValue_GetValue
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSAttributeValue upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXAttributeValue *
+nssPKIXAttributeTypeAndValue_GetValue
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSPKIXAttributeValue *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+  NSSItem tmp;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return PR_FAILURE;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSDER *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  tmp.size = atav->asn1value.size;
+  tmp.data = atav->asn1value.data;
+
+  return nssItem_Duplicate(&tmp, arenaOpt, rvOpt);
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PSetType.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PSetType.c
new file mode 100644
index 000000000..4e25b88cc
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/PSetType.c
@@ -0,0 +1,86 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttributeTypeAndValue_SetType
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_INVALID_OID
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN PRStatus
+nssPKIXAttributeTypeAndValue_SetType
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSPKIXAttributeType *attributeType
+)
+{
+  NSSDER tmp;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssOID_verifyPointer(attributeType) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  atav->type = attributeType;
+
+  nss_ZFreeIf(atav->asn1type.data);
+  if( (NSSDER *)NULL == nssOID_GetDEREncoding(atav->type, &tmp, atav->arena) ) {
+    return PR_FAILURE;
+  }
+
+  atav->asn1type.size = tmp.size;
+  atav->asn1type.data = tmp.data;
+
+  return nss_pkix_AttributeTypeAndValue_Clear(atav);
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/PSetValue.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/PSetValue.c
new file mode 100644
index 000000000..82de4db00
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/PSetValue.c
@@ -0,0 +1,85 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXAttributeTypeAndValue_SetValue
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXAttributeTypeAndValue_SetValue
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSPKIXAttributeValue *value
+)
+{
+  NSSItem tmp;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(value) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSItem *)NULL == nssItem_Duplicate(value, atav->arena, &tmp) ) {
+    return PR_FAILURE;
+  }
+
+  nss_ZFreeIf(atav->asn1value.data);
+  atav->asn1value.size = tmp.size;
+  atav->asn1value.data = tmp.data;
+
+  return nss_pkix_AttributeTypeAndValue_Clear(atav);
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/SetType.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/SetType.c
new file mode 100644
index 000000000..672b7b738
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/SetType.c
@@ -0,0 +1,76 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttributeTypeAndValue_SetType
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_INVALID_OID
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXAttributeTypeAndValue_SetType
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSPKIXAttributeType *attributeType
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssOID_verifyPointer(attributeType) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttributeTypeAndValue_SetType(atav, attributeType);
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/SetValue.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/SetValue.c
new file mode 100644
index 000000000..fafc54d6c
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/SetValue.c
@@ -0,0 +1,77 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXAttributeTypeAndValue_SetValue
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXAttributeTypeAndValue_SetValue
+(
+  NSSPKIXAttributeTypeAndValue *atav,
+  NSSPKIXAttributeValue *value
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(value) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXAttributeTypeAndValue_SetValue(atav, value);
+}
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/template.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/template.c
new file mode 100644
index 000000000..548a4fac9
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/template.c
@@ -0,0 +1,56 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+/*
+ * nssPKIXAttributeTypeAndValue_template
+ *
+ */
+
+const nssASN1Template nssPKIXAttributeTypeAndValue_template[] = {
+  { nssASN1_SEQUENCE, 0, NULL, sizeof(NSSPKIXAttributeTypeAndValue) },
+  { nssASN1_OBJECT_ID, offsetof(NSSPKIXAttributeTypeAndValue, asn1type) },
+  { nssASN1_ANY, offsetof(NSSPKIXAttributeTypeAndValue, asn1value) },
+  { 0 }
+};
diff --git a/security/nss/lib/pkix/src/AttributeTypeAndValue/verifyPointer.c b/security/nss/lib/pkix/src/AttributeTypeAndValue/verifyPointer.c
new file mode 100644
index 000000000..340e19c1b
--- /dev/null
+++ b/security/nss/lib/pkix/src/AttributeTypeAndValue/verifyPointer.c
@@ -0,0 +1,184 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIXM_H
+#include "pkixm.h"
+#endif /* PKIXM_H */
+
+#ifdef DEBUG
+
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+static nssPointerTracker pkix_atav_pointer_tracker;
+
+/*
+ * nss_pkix_AttributeTypeAndValue_add_pointer
+ *
+ * This method is only present in debug builds.
+ *
+ * This module-private routine adds an NSSPKIXAttributeTypeAndValue 
+ * pointer to the internal pointer-tracker.  This routine should only 
+ * be used by the NSSPKIX module.  This routine returns a PRStatus 
+ * value; upon error it will place an error on the error stack and 
+ * return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INTERNAL_ERROR
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_pkix_AttributeTypeAndValue_add_pointer
+(
+  const NSSPKIXAttributeTypeAndValue *p
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&pkix_atav_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return rv;
+  }
+
+  rv = nssPointerTracker_add(&pkix_atav_pointer_tracker, p);
+  if( PR_SUCCESS != rv ) {
+    NSSError e = NSS_GetError();
+    if( NSS_ERROR_NO_MEMORY != e ) {
+      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    }
+
+    return rv;
+  }
+
+  rv = nssArena_registerDestructor(arena,
+         nss_pkix_AttributeTypeAndValue_remove_pointer, p);
+  if( PR_SUCCESS != rv ) {
+    (void)nss_pkix_AttributeTypeAndValue_remove_pointer(p);
+    return rv;
+  }
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nss_pkix_AttributeTypeAndValue_remove_pointer
+ *
+ * This method is only present in debug builds.
+ *
+ * This module-private routine removes a valid 
+ * NSSPKIXAttributeTypeAndValue pointer from the internal 
+ * pointer-tracker.  This routine should only be used by the 
+ * NSSPKIX module.  This routine returns a PRStatus value; 
+ * upon error it will place an error on the error stack and 
+ * return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INTERNAL_ERROR
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_pkix_AttributeTypeAndValue_remove_pointer
+(
+  const NSSPKIXAttributeTypeAndValue *p
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_remove(&pkix_atav_pointer_tracker, p);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  }
+
+  /*
+   * nssArena_deregisterDestructor(p->arena, 
+   *   nss_pkix_AttributeTypeAndValue_remove_pointer, p);
+   */
+
+  return rv;
+}
+
+/*
+ * nssPKIXAttributeTypeAndValue_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an 
+ * NSSPKIXAttributeTypeAndValue object, this routine will return 
+ * PR_SUCCESS.  Otherwise, it will put an error on the error stack 
+ * and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXAttributeTypeAndValue_verifyPointer
+(
+  NSSPKIXAttributeTypeAndValue *p
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&pkix_atav_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
+    return PR_FAILURE;
+  }
+
+  rv = nssPointerTracker_verify(&pkix_atav_pointer_tracker, p);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+#endif /* DEBUG */
+
diff --git a/security/nss/lib/pkix/src/Name/Create.c b/security/nss/lib/pkix/src/Name/Create.c
new file mode 100644
index 000000000..dc9059f0b
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/Create.c
@@ -0,0 +1,93 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXName_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_CHOICE
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXName *
+NSSPKIXName_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXNameChoice choice,
+  void *arg
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXName *)NULL;
+    }
+  }
+
+  switch( choice ) {
+  case NSSPKIXNameChoice_rdnSequence:
+    {
+      NSSPKIXRDNSequence *r = (NSSPKIXRDNSequence *)arg;
+      if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(r) ) {
+        return (NSSPKIXName *)NULL;
+      }
+    }
+
+    break;
+  case NSSPKIXNameChoice_NSSinvalid:
+  default:
+    nss_SetError(NSS_ERROR_INVALID_CHOICE);
+    return (NSSPKIXName *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXName_Create(arenaOpt, choice, arg);
+}
diff --git a/security/nss/lib/pkix/src/Name/CreateFromRDNSequence.c b/security/nss/lib/pkix/src/Name/CreateFromRDNSequence.c
new file mode 100644
index 000000000..da07742cc
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/CreateFromRDNSequence.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXName_CreateFromRDNSequence
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXName *
+NSSPKIXName_CreateFromRDNSequence
+(
+  NSSArena *arenaOpt,
+  NSSPKIXRDNSequence *rdnSequence
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXName *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnSequence) ) {
+    return (NSSPKIXName *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXName_CreateFromRDNSequence(arenaOpt, rdnSequence);
+}
diff --git a/security/nss/lib/pkix/src/Name/CreateFromUTF8.c b/security/nss/lib/pkix/src/Name/CreateFromUTF8.c
new file mode 100644
index 000000000..f2111ea75
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/CreateFromUTF8.c
@@ -0,0 +1,81 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXName_CreateFromUTF8
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXName *
+NSSPKIXName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *string
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXName *)NULL;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL == string ) {
+    nss_SetError(NSS_ERROR_INVALID_STRING);
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXName_CreateFromUTF8(arenaOpt, string);
+}
diff --git a/security/nss/lib/pkix/src/Name/Decode.c b/security/nss/lib/pkix/src/Name/Decode.c
new file mode 100644
index 000000000..b30fac01e
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/Decode.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXName_CreateFromBER
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXName *
+NSSPKIXName_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXName *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
+    return (NSSPKIXName *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXName_CreateFromBER(arenaOpt, ber);
+}
diff --git a/security/nss/lib/pkix/src/Name/Destroy.c b/security/nss/lib/pkix/src/Name/Destroy.c
new file mode 100644
index 000000000..c8c2bc9f2
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/Destroy.c
@@ -0,0 +1,71 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXName_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXName_Destroy
+(
+  NSSPKIXName *name
+)
+{
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXName_Destroy(name);
+}
diff --git a/security/nss/lib/pkix/src/Name/Duplicate.c b/security/nss/lib/pkix/src/Name/Duplicate.c
new file mode 100644
index 000000000..6c8831729
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/Duplicate.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXName_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXName *
+NSSPKIXName_Duplicate
+(
+  NSSPKIXName *name,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
+    return (NSSDER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSDER *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXName_Duplicate(name, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/Name/Encode.c b/security/nss/lib/pkix/src/Name/Encode.c
new file mode 100644
index 000000000..344a53724
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/Encode.c
@@ -0,0 +1,81 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXName_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSBER *
+NSSPKIXName_Encode
+(
+  NSSPKIXName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
+    return (NSSBER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSBER *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXName_Encode(name, rvOpt, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/Name/Equal.c b/security/nss/lib/pkix/src/Name/Equal.c
new file mode 100644
index 000000000..9a74eef94
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/Equal.c
@@ -0,0 +1,85 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXName_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+NSSPKIXName_Equal
+(
+  NSSPKIXName *name1,
+  NSSPKIXName *name2,
+  PRStatus *statusOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(name1) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+
+    return PR_FALSE;
+  }
+
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(name2) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+
+    return PR_FALSE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIX_Equal(name1, name2, statusOpt);
+}
diff --git a/security/nss/lib/pkix/src/Name/GetChoice.c b/security/nss/lib/pkix/src/Name/GetChoice.c
new file mode 100644
index 000000000..8a36ada00
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/GetChoice.c
@@ -0,0 +1,70 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXName_GetChoice
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *
+ * Return value:
+ *  A valid element of the NSSPKIXNameChoice enumeration upon success
+ *  The value NSSPKIXNameChoice_NSSinvalid (-1) upon error
+ */
+
+NSS_IMPLEMENT NSSPKIXNameChoice
+NSSPKIXName_GetChoice
+(
+  NSSPKIXName *name
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
+    return NSSPKIXNameChoice_NSSinvalid;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXName_GetChoice(name);
+}
diff --git a/security/nss/lib/pkix/src/Name/GetRDNSequence.c b/security/nss/lib/pkix/src/Name/GetRDNSequence.c
new file mode 100644
index 000000000..94562ae3c
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/GetRDNSequence.c
@@ -0,0 +1,80 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXName_GetRDNSequence
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_WRONG_CHOICE
+ *
+ * Return value:
+ *  A pointer to a valid NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRDNSequence *
+NSSPKIXName_GetRDNSequence
+(
+  NSSPKIXName *name,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return (NSSPKIXRDNSequence *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXRDNSequence *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXName_GetRDNSequence(name, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/Name/GetSpecifiedChoice.c b/security/nss/lib/pkix/src/Name/GetSpecifiedChoice.c
new file mode 100644
index 000000000..3de2d5b84
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/GetSpecifiedChoice.c
@@ -0,0 +1,90 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXName_GetSpecifiedChoice
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_WRONG_CHOICE
+ *
+ * Return value:
+ *  A valid pointer ...
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT void *
+NSSPKIXName_GetSpecifiedChoice
+(
+  NSSPKIXName *name,
+  NSSPKIXNameChoice choice,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(name) ) {
+    return (void *)NULL;
+  }
+
+  switch( choice ) {
+  case NSSPKIXNameChoice_rdnSequence:
+    break;
+  case NSSPKIXNameChoice_NSSinvalid:
+  default:
+    nss_SetError(NSS_ERROR_INVALID_CHOICE);
+    return (void *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (void *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXName_GetSpecifiedChoice(name, choice, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/Name/GetUTF8Encoding.c b/security/nss/lib/pkix/src/Name/GetUTF8Encoding.c
new file mode 100644
index 000000000..c86dd94b2
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/GetUTF8Encoding.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXName_GetUTF8Encoding
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+NSSPKIXName_GetUTF8Encoding
+(
+  NSSPKIXName *name,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXName_GetUTF8Encoding(name, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/Name/MClear.c b/security/nss/lib/pkix/src/Name/MClear.c
new file mode 100644
index 000000000..e8d6b1961
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/MClear.c
@@ -0,0 +1,73 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nss_pkix_Name_Clear
+ *
+ * Wipes out cached data.
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_pkix_Name_Clear
+(
+  NSSPKIXName *name
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSBER *)NULL != name->ber ) {
+    nss_ZFreeIf(name->ber->data);
+    nss_ZFreeIf(name->ber);
+  }
+
+  if( (NSSDER *)NULL != name->der ) {
+    nss_ZFreeIf(name->der->data);
+    nss_ZFreeIf(name->der);
+  }
+
+  nss_ZFreeIf(name->utf8);
+
+  return PR_SUCCESS;
+}
diff --git a/security/nss/lib/pkix/src/Name/Mregister.c b/security/nss/lib/pkix/src/Name/Mregister.c
new file mode 100644
index 000000000..09ddb9d99
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/Mregister.c
@@ -0,0 +1,72 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+#ifdef NSSDEBUG
+/*
+ * nss_pkix_Name_register
+ *
+ * Registers whatever sub-component exists within this Name.
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_pkix_Name_register
+(
+  NSSPKIXName *name
+)
+{
+  if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
+    return PR_FAILURE;
+  }
+
+  switch( name->choice ) {
+  case NSSPKIXNameChoice_rdnSequence:
+    /* add pointer */
+    /* (sub-)register pointer */
+    /* add destructor to arena */
+    break;
+  case NSSPKIXNameChoice_NSSinvalid:
+  default:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
diff --git a/security/nss/lib/pkix/src/Name/PCreate.c b/security/nss/lib/pkix/src/Name/PCreate.c
new file mode 100644
index 000000000..e93737599
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/PCreate.c
@@ -0,0 +1,173 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXName_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_CHOICE
+ *  NSS_ERROR_INVALID_ARGUMENT
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXName *
+nssPKIXName_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXNameChoice choice,
+  void *arg
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXName *rv = (NSSPKIXName *)NULL;
+  PRStatus status;
+  PRUint32 i;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXName *)NULL;
+    }
+  }
+
+  switch( choice ) {
+  case NSSPKIXNameChoice_rdnSequence:
+    if( (PR_SUCCESS != nssPKIXRDNSequence_verifyPointer((NSSPKIXRDNSequence *)arg) ) ) {
+      nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+      return (NSSPKIXName *)NULL;
+    }
+    break;
+  case NSSPKIXNameChoice_NSSinvalid:
+  default:
+    nss_SetError(NSS_ERROR_INVALID_CHOICE);
+    return (NSSPKIXName *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  switch( choice ) {
+  case NSSPKIXNameChoice_rdnSequence:
+    break;
+  case NSSPKIXNameChoice_NSSinvalid:
+  default:
+    nss_SetError(NSS_ERROR_INVALID_CHOICE);
+    goto loser;
+  }
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXName);
+  if( (NSSPKIXName *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+  rv->utf8 = nssUTF8_Duplicate(string, arena);
+  if( (NSSUTF8 *)NULL == rv->utf8 ) {
+    goto loser;
+  }
+  
+  rv->choice = choice;
+  switch( choice ) {
+  case NSSPKIXNameChoice_rdnSequence:
+    rv->u.rdnSequence = nssPKIXRDNSequence_Duplicate((NSSPKIXRDNSequence *)arg, arena);
+    if( (NSSPKIXRDNSequence *)NULL == rv->u.rdnSequence ) {
+      goto loser;
+    }
+    break;
+  case NSSPKIXNameChoice_NSSinvalid:
+  default:
+    nss_SetError(NSS_ERROR_INVALID_CHOICE);
+    goto loser;
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_Name_add_pointer(rv) ) {
+    goto loser;
+  }
+
+  if( PR_SUCCESS != nssArena_registerDestructor(arena, 
+        nss_pkix_Name_remove_pointer, rv) ) {
+    (void)nss_pkix_Name_remove_pointer(rv);
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXName *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/Name/PCreateFromRDNSequence.c b/security/nss/lib/pkix/src/Name/PCreateFromRDNSequence.c
new file mode 100644
index 000000000..169e409a3
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/PCreateFromRDNSequence.c
@@ -0,0 +1,145 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXName_CreateFromRDNSequence
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXName *
+nssPKIXName_CreateFromRDNSequence
+(
+  NSSArena *arenaOpt,
+  NSSPKIXRDNSequence *rdnSequence
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXName *rv = (NSSPKIXName *)NULL;
+  PRStatus status;
+  PRUint32 i;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXName *)NULL;
+    }
+  }
+
+  if( (PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnSequence) ) ) {
+    return (NSSPKIXName *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXName);
+  if( (NSSPKIXName *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+  rv->utf8 = nssUTF8_Duplicate(string, arena);
+  if( (NSSUTF8 *)NULL == rv->utf8 ) {
+    goto loser;
+  }
+  
+  rv->choice = NSSPKIXNameChoice_rdnSequence;
+  rv->u.rdnSequence = nssPKIXRDNSequence_Duplicate(rdnSequence, arena);
+  if( (NSSPKIXRDNSequence *)NULL == rv->u.rdnSequence ) {
+    goto loser;
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_Name_add_pointer(rv) ) {
+    goto loser;
+  }
+
+  if( PR_SUCCESS != nssArena_registerDestructor(arena, 
+        nss_pkix_Name_remove_pointer, rv) ) {
+    (void)nss_pkix_Name_remove_pointer(rv);
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXName *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/Name/PCreateFromUTF8.c b/security/nss/lib/pkix/src/Name/PCreateFromUTF8.c
new file mode 100644
index 000000000..0939a19e3
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/PCreateFromUTF8.c
@@ -0,0 +1,145 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXName_CreateFromUTF8
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXName *
+nssPKIXName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *string
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXName *rv = (NSSPKIXName *)NULL;
+  PRStatus status;
+  PRUint32 i;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXName *)NULL;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL == string ) {
+    nss_SetError(NSS_ERROR_INVALID_STRING);
+    return (NSSPKIXName *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXName);
+  if( (NSSPKIXName *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+  rv->utf8 = nssUTF8_Duplicate(string, arena);
+  if( (NSSUTF8 *)NULL == rv->utf8 ) {
+    goto loser;
+  }
+  
+  /* Insert intelligence here -- fgmr */
+  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  goto loser;
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_Name_add_pointer(rv) ) {
+    goto loser;
+  }
+
+  if( PR_SUCCESS != nssArena_registerDestructor(arena, 
+        nss_pkix_Name_remove_pointer, rv) ) {
+    (void)nss_pkix_Name_remove_pointer(rv);
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXName *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/Name/PDecode.c b/security/nss/lib/pkix/src/Name/PDecode.c
new file mode 100644
index 000000000..d3f20d473
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/PDecode.c
@@ -0,0 +1,138 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXName_CreateFromBER
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXName *
+nssPKIXName_CreateFromBER
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXName *rv = (NSSPKIXName *)NULL;
+  PRStatus status;
+  PRUint32 i;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXName *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
+    return (NSSPKIXName *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXName);
+  if( (NSSPKIXName *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+  rv->ber = nssItem_Duplicate(ber, arena, (NSSItem *)NULL);
+  if( (NSSItem *)NULL == rv->ber ) {
+    goto loser;
+  }
+
+  status = nssASN1_DecodeBER(arena, rv, nssPKIXName_template, ber);
+  if( PR_SUCCESS != status ) {
+    goto loser;
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_Name_add_pointer(rv) ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXName *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/Name/PDestroy.c b/security/nss/lib/pkix/src/Name/PDestroy.c
new file mode 100644
index 000000000..f1fd41721
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/PDestroy.c
@@ -0,0 +1,76 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXName_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXName_Destroy
+(
+  NSSPKIXName *name
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+#ifdef DEBUG
+  (void)nss_pkix_Name_remove_pointer(name);
+#endif /* DEBUG */
+
+  if( PR_TRUE == name->i_allocated_arena ) {
+    return nssArena_Destroy(name->arena);
+  }
+
+  return PR_SUCCESS;
+}
diff --git a/security/nss/lib/pkix/src/Name/PDuplicate.c b/security/nss/lib/pkix/src/Name/PDuplicate.c
new file mode 100644
index 000000000..c5788a0f1
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/PDuplicate.c
@@ -0,0 +1,172 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXName_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXName upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXName *
+nssPKIXName_Duplicate
+(
+  NSSPKIXName *name,
+  NSSArena *arenaOpt
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXName *rv = (NSSPKIXName *)NULL;
+  PRStatus status;
+  PRUint32 i;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXName *)NULL;
+    }
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXName);
+  if( (NSSPKIXName *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+
+  if( (NSSBER *)NULL != name->ber ) {
+    rv->ber = nssItem_Duplicate(name->ber, arena, (NSSItem *)NULL);
+    if( (NSSBER *)NULL == rv->ber ) {
+      goto loser;
+    }
+  }
+
+  if( (NSSDER *)NULL != name->der ) {
+    rv->der = nssItem_Duplicate(name->der, arena, (NSSItem *)NULL);
+    if( (NSSDER *)NULL == rv->der ) {
+      goto loser;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL != name->utf8 ) {
+    rv->utf8 = nssUTF8_duplicate(name->utf8, arena);
+    if( (NSSUTF8 *)NULL == rv->utf8 ) {
+      goto loser;
+    }
+  }
+  
+  rv->choice = name->choice;
+  switch( name->choice ) {
+  case NSSPKIXNameChoice_rdnSequence:
+    rv->u.rdnSequence = nssPKIXRDNSequence_Duplicate(name->u.rdnSequence, arena);
+    if( (NSSPKIXRDNSequence *)NULL == rv->u.rdnSequence ) {
+      goto loser;
+    }
+    break;
+  case NSSPKIXNameChoice_NSSinvalid:
+  default:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    goto loser;
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_Name_add_pointer(rv) ) {
+    goto loser;
+  }
+
+  if( PR_SUCCESS != nssArena_registerDestructor(arena, 
+        nss_pkix_Name_remove_pointer, rv) ) {
+    (void)nss_pkix_Name_remove_pointer(rv);
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXName *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/Name/PEncode.c b/security/nss/lib/pkix/src/Name/PEncode.c
new file mode 100644
index 000000000..469b528fb
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/PEncode.c
@@ -0,0 +1,118 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXName_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSBER *
+nssPKIXName_Encode
+(
+  NSSPKIXName *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+  NSSBER *it;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
+    return (NSSBER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSBER *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  switch( encoding ) {
+  case NSSASN1BER:
+    if( (NSSBER *)NULL != name->ber ) {
+      it = name->ber;
+      goto done;
+    }
+    /*FALLTHROUGH*/
+  case NSSASN1DER:
+    if( (NSSDER *)NULL != name->der ) {
+      it = name->der;
+      goto done;
+    }
+    break;
+  default:
+    nss_SetError(NSS_ERROR_UNSUPPORTED_ENCODING);
+    return (NSSBER *)NULL;
+  }
+
+  it = nssASN1_EncodeItem(name->arena, (NSSItem *)NULL, name,
+                          nssPKIXName_template, encoding);
+  if( (NSSBER *)NULL == it ) {
+    return (NSSBER *)NULL;
+  }
+
+  switch( encoding ) {
+  case NSSASN1BER:
+    name->ber = it;
+    break;
+  case NSSASN1DER:
+    name->der = it;
+    break;
+  default:
+    PR_ASSERT(0);
+    break;
+  }
+
+ done:
+  return nssItem_Duplicate(it, arenaOpt, rvOpt);
+}
diff --git a/security/nss/lib/pkix/src/Name/PEqual.c b/security/nss/lib/pkix/src/Name/PEqual.c
new file mode 100644
index 000000000..5ad91dd2a
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/PEqual.c
@@ -0,0 +1,104 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXName_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+nssPKIXName_Equal
+(
+  NSSPKIXName *one,
+  NSSPKIXName *two,
+  PRStatus *statusOpt
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXName_verifyPointer(one) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+
+  if( PR_SUCCESS != nssPKIXName_verifyPointer(two) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( ((NSSDER *)NULL != one->der) && ((NSSDER *)NULL != two->der) ) {
+    return nssItem_Equal(one->der, two->der, statusOpt);
+  }
+
+  if( one->choice != two->choice ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_SUCCESS;
+    }
+    return PR_FALSE;
+  }
+
+  switch( one->choice ) {
+  case NSSPKIXNameChoice_rdnSequence:
+    return nssPKIXRDNSequence_Equal(one->u.rdnSequence, two->u.rdnSequence, statusOpt);
+  case NSSPKIXNameChoice_NSSinvalid:
+  default:
+    break;
+  }
+
+  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_FAILURE;
+  }
+  return PR_FALSE;
+}
diff --git a/security/nss/lib/pkix/src/Name/PGetChoice.c b/security/nss/lib/pkix/src/Name/PGetChoice.c
new file mode 100644
index 000000000..f34a93908
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/PGetChoice.c
@@ -0,0 +1,68 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXName_GetChoice
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *
+ * Return value:
+ *  A valid element of the NSSPKIXNameChoice enumeration upon success
+ *  The value NSSPKIXNameChoice_NSSinvalid (-1) upon error
+ */
+
+NSS_IMPLEMENT NSSPKIXNameChoice
+nssPKIXName_GetChoice
+(
+  NSSPKIXName *name
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
+    return NSSPKIXNameChoice_NSSinvalid;
+  }
+#endif /* NSSDEBUG */
+
+  return name->choice;
+}
diff --git a/security/nss/lib/pkix/src/Name/PGetRDNSequence.c b/security/nss/lib/pkix/src/Name/PGetRDNSequence.c
new file mode 100644
index 000000000..0899e550d
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/PGetRDNSequence.c
@@ -0,0 +1,87 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXName_GetRDNSequence
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_WRONG_CHOICE
+ *
+ * Return value:
+ *  A pointer to a valid NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRDNSequence *
+nssPKIXName_GetRDNSequence
+(
+  NSSPKIXName *name,
+  NSSArena *arenaOpt
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
+    return (NSSPKIXRDNSequence *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXRDNSequence *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  switch( name->choice ) {
+  case NSSPKIXNameChoice_rdnSequence:
+    return nssPKIXRDNSequence_Duplicate(name->u.rdnSequence, arenaOpt);
+  case NSSPKIXNameChoice_NSSinvalid:
+  default:
+    break;
+  }
+
+  nss_SetError(NSS_ERROR_WRONG_CHOICE);
+  return (NSSPKIXRDNSequence *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/Name/PGetSpecifiedChoice.c b/security/nss/lib/pkix/src/Name/PGetSpecifiedChoice.c
new file mode 100644
index 000000000..a24c8ea86
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/PGetSpecifiedChoice.c
@@ -0,0 +1,93 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXName_GetSpecifiedChoice
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_WRONG_CHOICE
+ *
+ * Return value:
+ *  A valid pointer ...
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT void *
+nssPKIXName_GetSpecifiedChoice
+(
+  NSSPKIXName *name,
+  NSSPKIXNameChoice choice,
+  NSSArena *arenaOpt
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
+    return (void *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (void *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( choice != name->choice ) {
+    nss_SetError(NSS_ERROR_WRONG_CHOICE);
+    return (void *)NULL;
+  }
+
+  switch( name->choice ) {
+  case NSSPKIXNameChoice_rdnSequence:
+    return (void *)nssPKIXRDNSequence_Duplicate(name->u.rdnSequence, arenaOpt);
+  case NSSPKIXNameChoice_NSSinvalid:
+  default:
+    break;
+  }
+
+  nss_SetError(NSS_ERROR_WRONG_CHOICE);
+  return (NSSPKIXRDNSequence *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/Name/PGetUTF8Encoding.c b/security/nss/lib/pkix/src/Name/PGetUTF8Encoding.c
new file mode 100644
index 000000000..164229277
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/PGetUTF8Encoding.c
@@ -0,0 +1,81 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXName_GetUTF8Encoding
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_NAME
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+nssPKIXName_GetUTF8Encoding
+(
+  NSSPKIXName *name,
+  NSSArena *arenaOpt
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXName_verifyPointer(name) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSUTF8 *)NULL == name->utf8 ) {
+    /* xxx fgmr fill this in from pki1 implementation */
+  }
+
+  return nssUTF8_Duplicate(name->utf8, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/Name/template.c b/security/nss/lib/pkix/src/Name/template.c
new file mode 100644
index 000000000..72ac85466
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/template.c
@@ -0,0 +1,56 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+/*
+ * nssPKIXName_template
+ *
+ */
+
+const nssASN1Template nssPKIXName_template[] = {
+  { nssASN1_CHOICE, offsetof(NSSPKIXName, choice), 0, sizeof(NSSPKIXName) },
+  { nssASN1_POINTER, offsetof(NSSPKIXName, u.rdnSequence), 
+    nssPKIXRDNSequence_template, NSSPKIXNameChoice_rdnSequence },
+  { 0 }
+};
diff --git a/security/nss/lib/pkix/src/Name/verifyPointer.c b/security/nss/lib/pkix/src/Name/verifyPointer.c
new file mode 100644
index 000000000..6c27e5910
--- /dev/null
+++ b/security/nss/lib/pkix/src/Name/verifyPointer.c
@@ -0,0 +1,210 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIXM_H
+#include "pkixm.h"
+#endif /* PKIXM_H */
+
+#ifdef DEBUG
+
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+static nssPointerTracker pkix_name_pointer_tracker;
+
+/*
+ * nss_pkix_Name_add_pointer
+ *
+ * This method is only present in debug builds.
+ *
+ * This module-private routine adds an NSSPKIXName pointer to
+ * the internal pointer-tracker.  This routine should only be used 
+ * by the NSSPKIX module.  This routine returns a PRStatus value; 
+ * upon error it will place an error on the error stack and return 
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INTERNAL_ERROR
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_pkix_Name_add_pointer
+(
+  const NSSPKIXName *p
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&pkix_name_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return rv;
+  }
+
+  rv = nssPointerTracker_add(&pkix_name_pointer_tracker, p);
+  if( PR_SUCCESS != rv ) {
+    NSSError e = NSS_GetError();
+    if( NSS_ERROR_NO_MEMORY != e ) {
+      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    }
+
+    return rv;
+  }
+
+  rv = nssArena_registerDestructor(p->arena,
+         nss_pkix_Name_remove_pointer, p);
+  if( PR_SUCCESS != rv ) {
+    (void)nss_pkix_Name_remove_pointer(p);
+    return rv;
+  }
+
+#ifdef NSSDEBUG
+  switch( p->choice ) {
+  case NSSPKIXNameChoice_rdnSequence:
+    rv = nss_pkix_RDNSequence_register(p->u.rdnSequence);
+    break;
+  case NSSPKIXNameChoice_NSSinvalid:
+  default:
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    rv = PR_FAILURE;
+    break;
+  }
+
+  if( PR_SUCCESS != rv ) {
+    (void)nss_pkix_Name_remove_pointer(p);
+  }
+#endif /* NSSDEBUG */
+
+  return rv;
+}
+
+/*
+ * nss_pkix_Name_remove_pointer
+ *
+ * This method is only present in debug builds.
+ *
+ * This module-private routine removes a valid NSSPKIXName
+ * pointer from the internal pointer-tracker.  This routine should 
+ * only be used by the NSSPKIX module.  This routine returns a 
+ * PRStatus value; upon error it will place an error on the error 
+ * stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INTERNAL_ERROR
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_pkix_Name_remove_pointer
+(
+  const NSSPKIXName *p
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_remove(&pkix_name_pointer_tracker, p);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  }
+
+#ifdef NSSDEBUG
+  switch( p->choice ) {
+  case NSSPKIXNameChoice_rdnSequence:
+    (void)nss_pkix_RDNSequence_register(p->u.rdnSequence);
+    break;
+  case NSSPKIXNameChoice_NSSinvalid:
+  default:
+    break;
+  }
+#endif /* NSSDEBUG */
+
+  /*
+   * nssArena_deregisterDestructor(p->arena,
+   *   nss_pkix_Name_remove_pointer, p);
+   */
+
+  return rv;
+}
+
+/*
+ * nssPKIXName_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXName
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXName_verifyPointer
+(
+  NSSPKIXName *p
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&pkix_name_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
+    return PR_FAILURE;
+  }
+
+  rv = nssPointerTracker_verify(&pkix_name_pointer_tracker, p);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+#endif /* DEBUG */
+
diff --git a/security/nss/lib/pkix/src/RDNSequence/AppendRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/AppendRelativeDistinguishedName.c
new file mode 100644
index 000000000..4e0d0d018
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/AppendRelativeDistinguishedName.c
@@ -0,0 +1,77 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRDNSequence_AppendRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXRDNSequence_AppendRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSPKIXRelativeDistinguishedName *rdn
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRDNSequence_AppendRelativeDistinguishedName(rdnseq, rdn);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/Create.c b/security/nss/lib/pkix/src/RDNSequence/Create.c
new file mode 100644
index 000000000..52b8a851c
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/Create.c
@@ -0,0 +1,125 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRDNSequence_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRDNSequence *
+NSSPKIXRDNSequence_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXRelativeDistinguishedName *rdn1,
+  ...
+)
+{
+  va_list ap;
+  NSSPKIXRDNSequence *rv;
+  PRUint32 count;
+
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXRDNSequence *)NULL;
+    }
+  }
+
+  /* Is there a nonzero minimum number of RDNs required? */
+
+  {
+    va_start(ap, arenaOpt);
+
+    while( 1 ) {
+      NSSPKIXRelativeDistinguishedName *rdn;
+      rdn = (NSSPKIXRelativeDistinguishedName *)va_arg(ap, NSSPKIXRelativeDistinguishedName *);
+      if( (NSSPKIXRelativeDistinguishedName *)NULL == rdn ) {
+        break;
+      }
+
+      if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+        va_end(ap);
+        return (NSSPKIXRDNSequence *)NULL;
+      }
+    }
+
+    va_end(ap);
+  }
+#endif /* DEBUG */
+
+  va_start(ap, arenaOpt);
+
+  for( count = 0; ; count++ ) {
+    NSSPKIXRelativeDistinguishedName *rdn;
+    rdn = (NSSPKIXRelativeDistinguishedName *)va_arg(ap, NSSPKIXRelativeDistinguishedName *);
+    if( (NSSPKIXRelativeDistinguishedName *)NULL == rdn ) {
+      break;
+    }
+
+#ifdef PEDANTIC
+    if( count == 0xFFFFFFFF ) {
+      nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+      va_end(ap);
+      return (NSSPKIXRelativeDistinguishedName *)NULL;
+    }
+#endif /* PEDANTIC */
+  }
+
+  va_end(ap);
+
+  va_start(ap, arenaOpt);
+  rv = nss_pkix_RDNSequence_V_Create(arenaOpt, count, ap);
+  va_end(ap);
+
+  return rv;
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/CreateFromArray.c b/security/nss/lib/pkix/src/RDNSequence/CreateFromArray.c
new file mode 100644
index 000000000..b6412187c
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/CreateFromArray.c
@@ -0,0 +1,86 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRDNSequence_CreateFromArray
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRDNSequence *
+NSSPKIXRDNSequence_Create
+(
+  NSSArena *arenaOpt,
+  PRUint32 count,
+  NSSPKIXRelativeDistinguishedName *rdns[]
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttribute *)NULL;
+    }
+  }
+
+  {
+    PRUint32 i;
+
+    for( i = 0; i < count; i++ ) {
+      if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(&rdns[i]) ) {
+        return (NSSPKIXAttribute *)NULL;
+      }
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRDNSequence_CreateFromArray(arenaOpt, count, rnds);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/CreateFromUTF8.c b/security/nss/lib/pkix/src/RDNSequence/CreateFromUTF8.c
new file mode 100644
index 000000000..dcdbc54a2
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/CreateFromUTF8.c
@@ -0,0 +1,81 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRDNSequence_CreateFromUTF8
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRDNSequence *
+NSSPKIXRDNSequence_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *string
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXRDNSequence *)NULL;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL == string ) {
+    nss_SetError(NSS_ERROR_INVALID_STRING);
+    return (NSSPKIXRDNSequence *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRDNSequence_CreateFromUTF8(arenaOpt, string);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/Decode.c b/security/nss/lib/pkix/src/RDNSequence/Decode.c
new file mode 100644
index 000000000..ebbad116a
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/Decode.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRDNSequence_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRDNSequence *
+NSSPKIXRDNSequence_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXRDNSequence *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
+    return (NSSPKIXRDNSequence *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRDNSequence_Decode(arenaOpt, ber);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/Destroy.c b/security/nss/lib/pkix/src/RDNSequence/Destroy.c
new file mode 100644
index 000000000..5962364e5
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/Destroy.c
@@ -0,0 +1,70 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRDNSequence_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXRDNSequence_Destroy
+(
+  NSSPKIXRDNSequence *rdnseq
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRDNSequence_Destroy(rdnseq);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/Duplicate.c b/security/nss/lib/pkix/src/RDNSequence/Duplicate.c
new file mode 100644
index 000000000..2bf53ba59
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/Duplicate.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRDNSequence_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRDNSequence *
+NSSPKIXRDNSequence_Duplicate
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return (NSSPKIXRDNSequence *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXRDNSequence *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRDNSequence_Duplicate(rdnseq, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/Encode.c b/security/nss/lib/pkix/src/RDNSequence/Encode.c
new file mode 100644
index 000000000..84ab4db67
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/Encode.c
@@ -0,0 +1,81 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRDNSequence_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSBER *
+NSSPKIXRDNSequence_Encode
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return (NSSBER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSBER *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRDNSequence_Encode(rdnseq, encoding, rvOpt, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/Equal.c b/security/nss/lib/pkix/src/RDNSequence/Equal.c
new file mode 100644
index 000000000..fe0fa0f07
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/Equal.c
@@ -0,0 +1,85 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRDNSequence_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+NSSPKIXRDNSequence_Equal
+(
+  NSSPKIXRDNSequence *one,
+  NSSPKIXRDNSequence *two,
+  PRStatus *statusOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(one) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+
+    return PR_FALSE;
+  }
+
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(two) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+
+    return PR_FALSE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRDNSequence_Equal(one, two, statusOpt);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/FindRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/FindRelativeDistinguishedName.c
new file mode 100644
index 000000000..cb04286d3
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/FindRelativeDistinguishedName.c
@@ -0,0 +1,78 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRDNSequence_FindRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  The index of the specified attribute value upon success
+ *  -1 upon failure.
+ */
+
+NSS_IMPLEMENT PRInt32
+NSSPKIXRDNSequence_FindRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSPKIXRelativeDistinguishedName *rdn
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRDNSequence_FindRelativeDistinguishedName(rdnseq, rdn);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/GetRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/GetRelativeDistinguishedName.c
new file mode 100644
index 000000000..9b152f4da
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/GetRelativeDistinguishedName.c
@@ -0,0 +1,81 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRDNSequence_GetRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName *
+NSSPKIXRDNSequence_GetRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  PRInt32 i,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXRelativeDistinguishedName *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRDNSequence_GetRelativeDistinguishedName(rdnseq, i, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/GetRelativeDistinguishedNameCount.c b/security/nss/lib/pkix/src/RDNSequence/GetRelativeDistinguishedNameCount.c
new file mode 100644
index 000000000..05b5e89b4
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/GetRelativeDistinguishedNameCount.c
@@ -0,0 +1,71 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRDNSequence_GetRelativeDistinguishedNameCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_IMPLEMENT PRInt32
+NSSPKIXRDNSequence_GetRelativeDistinguishedNameCount
+(
+  NSSPKIXRDNSequence *rdnseq
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return -1;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRDNSequence_GetRelativeDistinguishedNameCount(rdnseq);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/GetRelativeDistinguishedNames.c b/security/nss/lib/pkix/src/RDNSequence/GetRelativeDistinguishedNames.c
new file mode 100644
index 000000000..06d419bed
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/GetRelativeDistinguishedNames.c
@@ -0,0 +1,85 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRDNSequence_GetRelativeDistinguishedNames
+ *
+ * This routine returns all of the relative distinguished names in the
+ * specified RDN Sequence.  {...} If the array is allocated, or if the
+ * specified one has extra space, the array will be null-terminated.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXRelativeDistinguishedName 
+ *      pointers upon success
+ *  NULL upon failure.
+ */
+
+NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName **
+NSSPKIXRDNSequence_GetRelativeDistinguishedNames
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSPKIXRelativeDistinguishedName *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return (NSSPKIXRelativeDistinguishedName **)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyOpt(attribute) ) {
+      return (NSSPKIXRelativeDistinguishedName **)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRDNSequence_GetRelativeDistinguishedNames(rdnseq, rvOpt, limit, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/GetUTF8Encoding.c b/security/nss/lib/pkix/src/RDNSequence/GetUTF8Encoding.c
new file mode 100644
index 000000000..4519a5ba4
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/GetUTF8Encoding.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRDNSequence_GetUTF8Encoding
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+NSSPKIXRDNSequence_GetUTF8Encoding
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRDNSequence_GetUTF8Encoding(rdnseq, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/InsertRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/InsertRelativeDistinguishedName.c
new file mode 100644
index 000000000..433c2a315
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/InsertRelativeDistinguishedName.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRDNSequence_InsertRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXRDNSequence_InsertRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  PRInt32 i,
+  NSSPKIXRelativeDistinguishedName *rdn
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRDNSequence_InsertRelativeDistinguishedName(rdnseq, i, rdn);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/MClear.c b/security/nss/lib/pkix/src/RDNSequence/MClear.c
new file mode 100644
index 000000000..7df7eb099
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/MClear.c
@@ -0,0 +1,73 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nss_pkix_RDNSequence_Clear
+ *
+ * Wipes out cached data.
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_pkix_RDNSequence_Clear
+(
+  NSSPKIXRDNSequence *rdnseq
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSBER *)NULL != rdnseq->ber ) {
+    nss_ZFreeIf(rdnseq->ber->data);
+    nss_ZFreeIf(rdnseq->ber);
+  }
+
+  if( (NSSDER *)NULL != rdnseq->der ) {
+    nss_ZFreeIf(rdnseq->der->data);
+    nss_ZFreeIf(rdnseq->der);
+  }
+
+  nss_ZFreeIf(rdnseq->utf8);
+
+  return PR_SUCCESS;
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/MCount.c b/security/nss/lib/pkix/src/RDNSequence/MCount.c
new file mode 100644
index 000000000..649721c9f
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/MCount.c
@@ -0,0 +1,82 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIXM_H
+#include "pkixm.h"
+#endif /* PKIXM_H */
+
+/*
+ * nss_pkix_RDNSequence_Count
+ */
+
+NSS_IMPLEMENT void
+nss_pkix_RDNSequence_Count
+(
+  NSSPKIXRDNSequence *rdnseq
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return;
+  }
+#endif /* NSSDEBUG */
+
+  PR_ASSERT((NSSPKIXRelativeDistinguishedName **)NULL != rdnseq->rdns);
+  if( (NSSPKIXRelativeDistinguishedName **)NULL == rdnseq->rdns ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    return PR_FAILURE;
+  }
+
+  if( 0 == rdnseq->count ) {
+    PRUint32 i;
+    for( i = 0; i < 0xFFFFFFFF; i++ ) {
+      if( (NSSPKIXRelativeDistinguishedName *)NULL == rdnseq->rdns[i] ) {
+        break;
+      }
+    }
+
+#ifdef PEDANTIC
+    if( 0xFFFFFFFF == i ) {
+      return;
+    }
+#endif /* PEDANTIC */
+
+    rdnseq->count = i;
+  }
+
+  return;
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/MVCreate.c b/security/nss/lib/pkix/src/RDNSequence/MVCreate.c
new file mode 100644
index 000000000..caeb1995f
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/MVCreate.c
@@ -0,0 +1,141 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nss_pkix_RDNSequence_v_create
+ */
+
+NSS_IMPLEMENT NSSPKIXRDNSequence *
+nss_pkix_RDNSequence_v_create
+(
+  NSSArena *arenaOpt,
+  PRUint32 count,
+  va_list ap
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXRDNSequence *rv = (NSSPKIXRDNSequence *)NULL;
+  PRStatus status;
+  PRUint32 i;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXRDNSequence *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXRDNSequence);
+  if( (NSSPKIXRDNSequence *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+  rv->count = count;
+
+  rv->rdns = nss_ZNEWARRAY(arena, NSSPKIXRelativeDistinguishedName *, count);
+  if( (NSSPKIXRelativeDistinguishedName **)NULL == rv->rdns ) {
+    goto loser;
+  }
+
+  for( i = 0; i < count; i++ ) {
+    NSSPKIXRelativeDistinguishedName *v = (NSSPKIXRelativeDistinguishedName *)
+      va_arg(ap, NSSPKIXRelativeDistinguishedName *);
+
+#ifdef NSSDEBUG
+    /* 
+     * It's okay to test this down here, since 
+     * supposedly these have already been checked.
+     */
+    if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(v) ) {
+      goto loser;
+    }
+#endif /* NSSDEBUG */
+
+    rv->rdns[i] = nssPKIXRelativeDistinguishedName_Duplicate(v, arena);
+    if( (NSSPKIXRelativeDistinguishedName *)NULL == rv->rdns[i] ) {
+      goto loser;
+    }
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_RDNSequence_add_pointer(rv) ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXRDNSequence *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PAppendRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/PAppendRelativeDistinguishedName.c
new file mode 100644
index 000000000..9d1ea4875
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/PAppendRelativeDistinguishedName.c
@@ -0,0 +1,105 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRDNSequence_AppendRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXRDNSequence_AppendRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSPKIXRelativeDistinguishedName *rdn
+)
+{
+  NSSPKIXRelativeDistinguishedName **na;
+  NSSPKIXRelativeDistinguishedName *dup;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  if( 0 == rdnseq->count ) {
+    nss_pkix_RDNSequence_Count(rdnseq);
+  }
+
+#ifdef PEDANTIC
+  if( 0 == rdnseq->count ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+#endif /* PEDANTIC */
+
+  na = (NSSPKIXRelativeDistinguishedName **)
+    nss_ZRealloc(rdnseq->rdns, ((rdnseq->count+2) * 
+      sizeof(NSSPKIXRelativeDistinguishedName *)));
+  if( (NSSPKIXRelativeDistinguishedName **)NULL == na ) {
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+
+  rdnseq->rdns = na;
+
+  dup = nssPKIXRelativeDistinguishedName_Duplicate(rdn, rdnseq->arena);
+  if( (NSSPKIXRelativeDistinguishedName *)NULL == dup ) {
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+
+  na[ rdnseq->count++ ] = dup;
+
+  return nss_pkix_RDNSequence_Clear(rdnseq);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PCreate.c b/security/nss/lib/pkix/src/RDNSequence/PCreate.c
new file mode 100644
index 000000000..0fdc6848f
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/PCreate.c
@@ -0,0 +1,123 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRDNSequence_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRDNSequence *
+nssPKIXRDNSequence_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXRelativeDistinguishedName *rdn1,
+  ...
+)
+{
+  va_list ap;
+  NSSPKIXRDNSequence *rv;
+  PRUint32 count;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXRDNSequence *)NULL;
+    }
+  }
+
+  /* Is there a nonzero minimum number of RDNs required? */
+
+  {
+    va_start(ap, arenaOpt);
+
+    while( 1 ) {
+      NSSPKIXRelativeDistinguishedName *rdn;
+      rdn = (NSSPKIXRelativeDistinguishedName *)va_arg(ap, NSSPKIXRelativeDistinguishedName *);
+      if( (NSSPKIXRelativeDistinguishedName *)NULL == rdn ) {
+        break;
+      }
+
+      if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+        va_end(ap);
+        return (NSSPKIXRDNSequence *)NULL;
+      }
+    }
+
+    va_end(ap);
+  }
+#endif /* NSSDEBUG */
+
+  va_start(ap, arenaOpt);
+
+  for( count = 0; ; count++ ) {
+    NSSPKIXRelativeDistinguishedName *rdn;
+    rdn = (NSSPKIXRelativeDistinguishedName *)va_arg(ap, NSSPKIXRelativeDistinguishedName *);
+    if( (NSSPKIXRelativeDistinguishedName *)NULL == rdn ) {
+      break;
+    }
+
+#ifdef PEDANTIC
+    if( count == 0xFFFFFFFF ) {
+      nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+      va_end(ap);
+      return (NSSPKIXRelativeDistinguishedName *)NULL;
+    }
+#endif /* PEDANTIC */
+  }
+
+  va_end(ap);
+
+  va_start(ap, arenaOpt);
+  rv = nss_pkix_RDNSequence_V_Create(arenaOpt, count, ap);
+  va_end(ap);
+
+  return rv;
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PCreateFromArray.c b/security/nss/lib/pkix/src/RDNSequence/PCreateFromArray.c
new file mode 100644
index 000000000..0e244cb73
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/PCreateFromArray.c
@@ -0,0 +1,151 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRDNSequence_CreateFromArray
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRDNSequence *
+nssPKIXRDNSequence_CreateFromArray
+(
+  NSSArena *arenaOpt,
+  PRUint32 count,
+  NSSPKIXRelativeDistinguishedName *rdns[]
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXRDNSequence *rv = (NSSPKIXRDNSequence *)NULL;
+  PRStatus status;
+  PRUint32 i;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttribute *)NULL;
+    }
+  }
+
+  {
+    PRUint32 i;
+
+    for( i = 0; i < count; i++ ) {
+      if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(&rdns[i]) ) {
+        return (NSSPKIXAttribute *)NULL;
+      }
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXRDNSequence);
+  if( (NSSPKIXRDNSequence *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+  rv->count = count;
+
+  rv->rdns = nss_ZNEWARRAY(arena, NSSPKIXRelativeDistinguishedName *, (count+1));
+  if( (NSSPKIXRelativeDistinguishedName **)NULL == rv->rdns ) {
+    goto loser;
+  }
+
+  for( i = 0; i < count; i++ ) {
+    NSSPKIXRelativeDistinguishedName *v = rdns[i];
+
+    rv->rdns[i] = nssPKIXRelativeDistinguishedName_Duplicate(v, arena);
+    if( (NSSPKIXRelativeDistinguishedName *)NULL == rv->rdns[i] ) {
+      goto loser;
+    }
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_RDNSequence_add_pointer(rv) ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXRDNSequence *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PCreateFromUTF8.c b/security/nss/lib/pkix/src/RDNSequence/PCreateFromUTF8.c
new file mode 100644
index 000000000..196332665
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/PCreateFromUTF8.c
@@ -0,0 +1,139 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRDNSequence_CreateFromUTF8
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRDNSequence *
+nssPKIXRDNSequence_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *string
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXRDNSequence *rv = (NSSPKIXRDNSequence *)NULL;
+  PRStatus status;
+  PRUint32 i;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXRDNSequence *)NULL;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL == string ) {
+    nss_SetError(NSS_ERROR_INVALID_STRING);
+    return (NSSPKIXRDNSequence *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXRDNSequence);
+  if( (NSSPKIXRDNSequence *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+  rv->utf8 = nssUTF8_Duplicate(string, arena);
+  if( (NSSUTF8 *)NULL == rv->utf8 ) {
+    goto loser;
+  }
+  
+  /* Insert intelligence here -- fgmr */
+  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  goto loser;
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_RDNSequence_add_pointer(rv) ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXRDNSequence *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PDecode.c b/security/nss/lib/pkix/src/RDNSequence/PDecode.c
new file mode 100644
index 000000000..557f5bc32
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/PDecode.c
@@ -0,0 +1,138 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRDNSequence_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRDNSequence *
+nssPKIXRDNSequence_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXRDNSequence *rv = (NSSPKIXRDNSequence *)NULL;
+  PRStatus status;
+  PRUint32 i;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXRDNSequence *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
+    return (NSSPKIXRDNSequence *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXRDNSequence);
+  if( (NSSPKIXRDNSequence *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+  rv->ber = nssItem_Duplicate(ber, arena, (NSSItem *)NULL);
+  if( (NSSItem *)NULL == rv->ber ) {
+    goto loser;
+  }
+
+  status = nssASN1_DecodeBER(arena, rv, nssPKIXRDNSequence_template, ber);
+  if( PR_SUCCESS != status ) {
+    goto loser;
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_RDNSequence_add_pointer(rv) ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXRDNSequence *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PDestroy.c b/security/nss/lib/pkix/src/RDNSequence/PDestroy.c
new file mode 100644
index 000000000..17cc846cf
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/PDestroy.c
@@ -0,0 +1,76 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRDNSequence_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXRDNSequence_Destroy
+(
+  NSSPKIXRDNSequence *rdnseq
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+#ifdef DEBUG
+  (void)nss_pkix_RDNSequence_remove_pointer(rdnseq);
+#endif /* DEBUG */
+
+  if( PR_TRUE == rdnseq->i_allocated_arena ) {
+    return nssArena_Destroy(rdnseq->arena);
+  }
+
+  return PR_SUCCESS;
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PDuplicate.c b/security/nss/lib/pkix/src/RDNSequence/PDuplicate.c
new file mode 100644
index 000000000..a57828692
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/PDuplicate.c
@@ -0,0 +1,177 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRDNSequence_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRDNSequence upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRDNSequence *
+nssPKIXRDNSequence_Duplicate
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSArena *arenaOpt
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXRDNSequence *rv = (NSSPKIXRDNSequence *)NULL;
+  PRStatus status;
+  PRUint32 i;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyOpt(attribute) ) {
+      return (NSSPKIXRelativeDistinguishedName *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXRDNSequence);
+  if( (NSSPKIXRDNSequence *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+
+  if( (NSSBER *)NULL != rdnseq->ber ) {
+    rv->ber = nssItem_Duplicate(rdnseq->ber, arena, (NSSItem *)NULL);
+    if( (NSSBER *)NULL == rv->ber ) {
+      goto loser;
+    }
+  }
+
+  if( (NSSDER *)NULL != rdnseq->der ) {
+    rv->der = nssItem_Duplicate(rdnseq->der, arena, (NSSItem *)NULL);
+    if( (NSSDER *)NULL == rv->der ) {
+      goto loser;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL != rdnseq->utf8 ) {
+    rv->utf8 = nssUTF8_duplicate(rdnseq->utf8, arena);
+    if( (NSSUTF8 *)NULL == rv->utf8 ) {
+      goto loser;
+    }
+  }
+
+  if( 0 == rdnseq->count ) {
+    nss_pkix_RDNSequence_Count(rdnseq);
+  }
+
+#ifdef PEDANTIC
+  if( 0 == rdnseq->count ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+#endif /* PEDANTIC */
+
+  rv->count = rdnseq->count;
+
+  rv->rdns = nss_ZNEWARRAY(arena, NSSPKIXRelativeDistinguishedName *, (rv->count+1));
+  if( (NSSPKIXRelativeDistinguishedName **)NULL == rv->rdns ) {
+    goto loser;
+  }
+
+  for( i = 0; i < count; i++ ) {
+    NSSPKIXRelativeDistinguishedName *v = rdnseq->rdns[i];
+
+    rv->rdns[i] = nssPKIXRelativeDistinguishedName_Duplicate(v, arena);
+    if( (NSSPKIXRelativeDistinguishedName *)NULL == rv->rdns[i] ) {
+      goto loser;
+    }
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_RDNSequence_add_pointer(rv) ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXRDNSequence *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PEncode.c b/security/nss/lib/pkix/src/RDNSequence/PEncode.c
new file mode 100644
index 000000000..5700fa099
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/PEncode.c
@@ -0,0 +1,118 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRDNSequence_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSBER *
+nssPKIXRDNSequence_Encode
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+  NSSBER *it;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return (NSSBER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSBER *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  switch( encoding ) {
+  case NSSASN1BER:
+    if( (NSSBER *)NULL != rdnseq->ber ) {
+      it = rdnseq->ber;
+      goto done;
+    }
+    /*FALLTHROUGH*/
+  case NSSASN1DER:
+    if( (NSSDER *)NULL != rdnseq->der ) {
+      it = rdnseq->der;
+      goto done;
+    }
+    break;
+  default:
+    nss_SetError(NSS_ERROR_UNSUPPORTED_ENCODING);
+    return (NSSBER *)NULL;
+  }
+
+  it = nssASN1_EncodeItem(rdnseq->arena, (NSSItem *)NULL, rdnseq,
+                          nssPKIXRDNSequence_template, encoding);
+  if( (NSSBER *)NULL == it ) {
+    return (NSSBER *)NULL;
+  }
+
+  switch( encoding ) {
+  case NSSASN1BER:
+    rdnseq->ber = it;
+    break;
+  case NSSASN1DER:
+    rdnseq->der = it;
+    break;
+  default:
+    PR_ASSERT(0);
+    break;
+  }
+
+ done:
+  return nssItem_Duplicate(it, arenaOpt, rvOpt);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PEqual.c b/security/nss/lib/pkix/src/RDNSequence/PEqual.c
new file mode 100644
index 000000000..a1dd5af53
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/PEqual.c
@@ -0,0 +1,107 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRDNSequence_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+nssPKIXRDNSequence_Equal
+(
+  NSSPKIXRDNSequence *one,
+  NSSPKIXRDNSequence *two,
+  PRStatus *statusOpt
+)
+{
+  NSSPKIXRelativeDistinguishedName **a;
+  NSSPKIXRelativeDistinguishedName **b;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(one) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(two) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+#endif /* NSSDEBUG */
+
+  if( ((NSSDER *)NULL != one->der) && ((NSSDER *)NULL != two->der) ) {
+    return nssItem_Equal(one->der, two->der, statusOpt);
+  }
+
+  /*
+   * Since this is a sequence, the order is significant.
+   * So we just walk down both lists, comparing.
+   */
+
+  for( a = one->rdns, b = two->rdns; *a && *b; a++, b++ ) {
+    if( PR_FALSE == nssPKIXRelativeDistinguishedName_Equal(*a, *b, statusOpt) ) {
+      return PR_FALSE;
+    }
+  }
+
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_SUCCESS;
+  }
+
+  if( *a || *b ) {
+    return PR_FALSE;
+  }
+
+  return PR_TRUE;
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PFindRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/PFindRelativeDistinguishedName.c
new file mode 100644
index 000000000..8064b9636
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/PFindRelativeDistinguishedName.c
@@ -0,0 +1,90 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRDNSequence_FindRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  The index of the specified attribute value upon success
+ *  -1 upon failure.
+ */
+
+NSS_IMPLEMENT PRInt32
+nssPKIXRDNSequence_FindRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSPKIXRelativeDistinguishedName *rdn
+)
+{
+  PRUint32 i;
+  NSSPKIXRelativeDistinguishedName **a;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  for( i = 0, a = rdnseq->rdns; *a; a++, (i > 0x7fffffff) || i++ ) {
+    if( PR_TRUE == nssPKIXRelativeDistinguishedName_Equal(*a, rdn) ) {
+      if( i > 0x7fffffff ) {
+        nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+        return -1;
+      }
+      return (PRInt32)i;
+    }
+  }
+
+  nss_SetError(NSS_ERROR_NOT_FOUND);
+  return -1;
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PGetRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/PGetRelativeDistinguishedName.c
new file mode 100644
index 000000000..7ea20d259
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/PGetRelativeDistinguishedName.c
@@ -0,0 +1,96 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRDNSequence_GetRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName *
+nssPKIXRDNSequence_GetRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  PRInt32 i,
+  NSSArena *arenaOpt
+)
+{
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyOpt(attribute) ) {
+      return (NSSPKIXRelativeDistinguishedName *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( 0 == rdnseq->count ) {
+    nss_pkix_RDNSequence_Count(rdnseq);
+  }
+
+#ifdef PEDANTIC
+  if( 0 == rdnseq->count ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+#endif /* PEDANTIC */
+
+  if( (i < 0) || (i >= rdnseq->count) ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+
+  return nssPKIXRelativeDistinguishedName_Duplicate(rdnseq->rdns[i], arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PGetRelativeDistinguishedNameCount.c b/security/nss/lib/pkix/src/RDNSequence/PGetRelativeDistinguishedNameCount.c
new file mode 100644
index 000000000..a01077db1
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/PGetRelativeDistinguishedNameCount.c
@@ -0,0 +1,85 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRDNSequence_GetRelativeDistinguishedNameCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_IMPLEMENT PRInt32
+nssPKIXRDNSequence_GetRelativeDistinguishedNameCount
+(
+  NSSPKIXRDNSequence *rdnseq
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return -1;
+  }
+#endif /* NSSDEBUG */
+
+  if( 0 == rdnseq->count ) {
+    nss_pkix_RDNSequence_Count(rdnseq);
+  }
+
+#ifdef PEDANTIC
+  if( 0 == rdnseq->count ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return -1;
+  }
+#endif /* PEDANTIC */
+
+  if( rdnseq->count > 0x7fffffff ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return -1;
+  }
+
+  return (PRInt32)(rdnseq->count);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PGetRelativeDistinguishedNames.c b/security/nss/lib/pkix/src/RDNSequence/PGetRelativeDistinguishedNames.c
new file mode 100644
index 000000000..115480dfd
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/PGetRelativeDistinguishedNames.c
@@ -0,0 +1,135 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRDNSequence_GetRelativeDistinguishedNames
+ *
+ * This routine returns all of the relative distinguished names in the
+ * specified RDN Sequence.  {...} If the array is allocated, or if the
+ * specified one has extra space, the array will be null-terminated.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXRelativeDistinguishedName 
+ *      pointers upon success
+ *  NULL upon failure.
+ */
+
+NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName **
+nssPKIXRDNSequence_GetRelativeDistinguishedNames
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSPKIXRelativeDistinguishedName *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+)
+{
+  NSSPKIXRelativeDistinguishedName **rv = (NSSPKIXRelativeDistinguishedName **)NULL;
+  PRUint32 i;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return (NSSPKIXRelativeDistinguishedName **)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyOpt(attribute) ) {
+      return (NSSPKIXRelativeDistinguishedName **)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( 0 == rdnseq->count ) {
+    nss_pkix_RDNSequence_Count(rdnseq);
+  }
+
+#ifdef PEDANTIC
+  if( 0 == rdnseq->count ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return (NSSPKIXRelativeDistinguishedName **)NULL;
+  }
+#endif /* PEDANTIC */
+
+  if( (limit < rdnseq->count) &&
+      !((0 == limit) && ((NSSPKIXRelativeDistinguishedName **)NULL == rvOpt)) ) {
+    nss_SetError(NSS_ERROR_ARRAY_TOO_SMALL);
+    return (NSSPKIXRelativeDistinguishedName **)NULL;
+  }
+
+  limit = rdnseq->count;
+  if( (NSSPKIXRelativeDistinguishedName **)NULL == rvOpt ) {
+    rv = nss_ZNEWARRAY(arenaOpt, NSSPKIXRelativeDistinguishedName *, limit);
+    if( (NSSPKIXRelativeDistinguishedName **)NULL == rv ) {
+      return (NSSPKIXRelativeDistinguishedName **)NULL;
+    }
+  } else {
+    rv = rvOpt;
+  }
+
+  for( i = 0; i < limit; i++ ) {
+    rv[i] = nssPKIXRelativedistinguishedName_Duplicate(rdnseq->rdns[i], arenaOpt);
+    if( (NSSPKIXRelativeDistinguishedName *)NULL == rv[i] ) {
+      goto loser;
+    }
+  }
+
+  return rv;
+
+ loser:
+  for( i = 0; i < limit; i++ ) {
+    NSSPKIXRelativeDistinguishedName *x = rv[i];
+    if( (NSSPKIXRelativeDistinguishedName *)NULL == x ) {
+      break;
+    }
+    (void)nssPKIXRelativeDistinguishedName_Destroy(x);
+  }
+
+  if( rv != rvOpt ) {
+    nss_ZFreeIf(rv);
+  }
+
+  return (NSSPKIXRelativeDistinguishedName **)NULL;
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PGetUTF8Encoding.c b/security/nss/lib/pkix/src/RDNSequence/PGetUTF8Encoding.c
new file mode 100644
index 000000000..2250bf960
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/PGetUTF8Encoding.c
@@ -0,0 +1,81 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRDNSequence_GetUTF8Encoding
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+nssPKIXRDNSequence_GetUTF8Encoding
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSArena *arenaOpt
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSUTF8 *)NULL == rdnseq->utf8 ) {
+    /* xxx fgmr fill this in from pki1 implementation */
+  }
+
+  return nssUTF8_Duplicate(rdnseq->utf8, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PInsertRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/PInsertRelativeDistinguishedName.c
new file mode 100644
index 000000000..213866694
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/PInsertRelativeDistinguishedName.c
@@ -0,0 +1,117 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRDNSequence_InsertRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXRDNSequence_InsertRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  PRInt32 i,
+  NSSPKIXRelativeDistinguishedName *rdn
+)
+{
+  NSSPKIXRelativeDistinguishedName **na;
+  NSSPKIXRelativeDistinguishedName *dup;
+  PRInt32 c;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  if( 0 == rdnseq->count ) {
+    nss_pkix_RDNSequence_Count(rdnseq);
+  }
+
+#ifdef PEDANTIC
+  if( 0 == rdnseq->count ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+#endif /* PEDANTIC */
+
+  if( (i < 0) || (i >= rdnseq->count) ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+
+  na = (NSSPKIXRelativeDistinguishedName **)
+    nss_ZRealloc(rdnseq->rdns, ((rdnseq->count+2) * 
+      sizeof(NSSPKIXRelativeDistinguishedName *)));
+  if( (NSSPKIXRelativeDistinguishedName **)NULL == na ) {
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+
+  rdnseq->rdns = na;
+
+  dup = nssPKIXRelativeDistinguishedName_Duplicate(rdn, rdnseq->arena);
+  if( (NSSPKIXRelativeDistinguishedName *)NULL == dup ) {
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+
+  for( c = rdnseq->count; c > i; c-- ) {
+    na[ c ] = na[ c-1 ];
+  }
+
+  na[ i ] = dup;
+  rdnseq->count++;
+
+  return nss_pkix_RDNSequence_Clear(rdnseq);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PRemoveRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/PRemoveRelativeDistinguishedName.c
new file mode 100644
index 000000000..447620c77
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/PRemoveRelativeDistinguishedName.c
@@ -0,0 +1,104 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRDNSequence_RemoveRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXRDNSequence_RemoveRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  PRInt32 i
+)
+{
+  NSSPKIXRelativeDistinguishedName **na;
+  PRInt32 c;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  if( 0 == rdnseq->count ) {
+    nss_pkix_RDNSequence_Count(rdnseq);
+  }
+
+#ifdef PEDANTIC
+  if( 0 == rdnseq->count ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+#endif /* PEDANTIC */
+
+  if( (i < 0) || (i >= rdnseq->count) ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+
+  nssPKIXRelativeDistinguishedName_Destroy(rdnseq->rdns[i]);
+
+  rdnseq->rdns[i] = rdnseq->rdns[ rdnseq->count ];
+  rdnseq->rdns[ rdnseq->count ] = (NSSPKIXRelativeDistinguishedName *)NULL;
+  rdnseq->count--;
+
+  na = (NSSPKIXRelativeDistinguishedName **)
+    nss_ZRealloc(rdnseq->rdns, ((rdnseq->count) * 
+      sizeof(NSSPKIXRelativeDistinguishedName *)));
+  if( (NSSPKIXRelativeDistinguishedName **)NULL == na ) {
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+
+  rdnseq->rdns = na;
+
+  return nss_pkix_RDNSequence_Clear(rdnseq);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PSetRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/PSetRelativeDistinguishedName.c
new file mode 100644
index 000000000..5c8123266
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/PSetRelativeDistinguishedName.c
@@ -0,0 +1,103 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRDNSequence_SetRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXRDNSequence_SetRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  PRInt32 i,
+  NSSPKIXRelativeDistinguishedName *rdn
+)
+{
+  NSSPKIXRelativeDistinguishedName *dup;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  if( 0 == rdnseq->count ) {
+    nss_pkix_RDNSequence_Count(rdnseq);
+  }
+
+#ifdef PEDANTIC
+  if( 0 == rdnseq->count ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+#endif /* PEDANTIC */
+
+  if( (i < 0) || (i >= rdnseq->count) ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+
+  dup = nssPKIXRelativeDistinguishedName_Duplicate(rdn, rdnseq->arena);
+  if( (NSSPKIXRelativeDistinguishedName *)NULL == dup ) {
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+
+  nssPKIXRelativeDistinguishedName_Destroy(rdnseq->rdns[i]);
+  rdnseq->rdns[i] = dup;
+
+  return nss_pkix_RDNSequence_Clear(rdnseq);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/PSetRelativeDistinguishedNames.c b/security/nss/lib/pkix/src/RDNSequence/PSetRelativeDistinguishedNames.c
new file mode 100644
index 000000000..b0320a4b7
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/PSetRelativeDistinguishedNames.c
@@ -0,0 +1,153 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRDNSequence_SetRelativeDistinguishedNames
+ *
+ * -- fgmr comments --
+ * If the array pointer itself is null, the set is considered empty.
+ * If the count is zero but the pointer nonnull, the array will be
+ * assumed to be null-terminated.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXRDNSequence_SetRelativeDistinguishedNames
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSPKIXRelativeDistinguishedName *rdns[],
+  PRInt32 countOpt
+)
+{
+  NSSPKIXRelativeDistinguishedName **ip;
+  NSSPKIXRelativeDistinguishedName **newarray;
+  PRUint32 i;
+  nssArenaMark *mark;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return PR_FAILURE;
+  }
+
+  if( (NSSPKIXRelativeDistinguishedName **)NULL == rdns ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return PR_FAILURE;
+  }
+
+  {
+    PRUint32 i, count;
+
+    if( 0 == countOpt ) {
+      for( i = 0; i < 0x80000000; i++ ) {
+        if( (NSSPKIXRelativeDistinguishedName *)NULL == rdns[i] ) {
+          break;
+        }
+      }
+
+#ifdef PEDANTIC
+      if( 0x80000000 == i ) {
+        nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+        return PR_FAILURE;
+      }
+#endif /* PEDANTIC */
+
+      count = (PRUint32)i;
+    } else {
+      if( countOpt < 0 ) {
+        nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+        return PR_FAILURE;
+      }
+
+      count = (PRUint32)countOpt;
+    }
+
+    for( i = 0; i < count; i++ ) {
+      if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdns[i]) ) {
+        return PR_FAILURE;
+      }
+    }
+  }
+#endif /* NSSDEBUG */
+
+  mark = nssArena_Mark(rdnseq->mark);
+  if( (nssArenaMark *)NULL == mark ) {
+    return PR_FAILURE;
+  }
+
+  newarray = nss_ZNEWARRAY(rdnseq->arena, NSSPKIXRelativeDistinguishedName *, countOpt);
+  if( (NSSPKIXRelativeDistinguishedName **)NULL == newarray ) {
+    goto loser;
+  }
+
+  for( i = 0; i < countOpt; i++ ) {
+    newarray[i] = nssPKIXRelativeDistinguishedName_Duplicate(rdns[i], rdnseq->arena);
+    if( (NSSPKIXRelativeDistinguishedName *)NULL == newarray[i] ) {
+      goto loser;
+    }
+  }
+
+  for( i = 0; i < rdnseq->count; i++ ) {
+    if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_Destroy(rdnseq->rdns[i]) ) {
+      goto loser;
+    }
+  }
+
+  nss_ZFreeIf(rdnseq->rdns);
+
+  rdnseq->count = countOpt;
+  rdnseq->rdns = newarray;
+
+  (void)nss_pkix_RDNSequence_Clear(rdnseq);
+
+  return nssArena_Unmark(rdnseq->arena, mark);
+
+ loser:
+  (void)nssArena_Release(a->arena, mark);
+  return PR_FAILURE;
+}
+
diff --git a/security/nss/lib/pkix/src/RDNSequence/RemoveRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/RemoveRelativeDistinguishedName.c
new file mode 100644
index 000000000..141ab7f37
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/RemoveRelativeDistinguishedName.c
@@ -0,0 +1,72 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRDNSequence_RemoveRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXRDNSequence_RemoveRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  PRInt32 i
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRDNSequence_RemoveRelativeDistinguishedName(rdnseq, i);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/SetRelativeDistinguishedName.c b/security/nss/lib/pkix/src/RDNSequence/SetRelativeDistinguishedName.c
new file mode 100644
index 000000000..7484eb55d
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/SetRelativeDistinguishedName.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRDNSequence_SetRelativeDistinguishedName
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXRDNSequence_SetRelativeDistinguishedName
+(
+  NSSPKIXRDNSequence *rdnseq,
+  PRInt32 i,
+  NSSPKIXRelativeDistinguishedName *rdn
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRDNSequence_SetRelativeDistinguishedName(rdnseq, i, rdn);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/SetRelativeDistinguishedNames.c b/security/nss/lib/pkix/src/RDNSequence/SetRelativeDistinguishedNames.c
new file mode 100644
index 000000000..40e7c8247
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/SetRelativeDistinguishedNames.c
@@ -0,0 +1,115 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRDNSequence_SetRelativeDistinguishedNames
+ *
+ * -- fgmr comments --
+ * If the array pointer itself is null, the set is considered empty.
+ * If the count is zero but the pointer nonnull, the array will be
+ * assumed to be null-terminated.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN_SEQUENCE
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXRDNSequence_SetRelativeDistinguishedNames
+(
+  NSSPKIXRDNSequence *rdnseq,
+  NSSPKIXRelativeDistinguishedName *rdns[],
+  PRInt32 countOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRDNSequence_verifyPointer(rdnseq) ) {
+    return PR_FAILURE;
+  }
+
+  if( (NSSPKIXRelativeDistinguishedName **)NULL == rdns ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return PR_FAILURE;
+  }
+
+  {
+    PRUint32 i, count;
+
+    if( 0 == countOpt ) {
+      for( i = 0; i < 0x80000000; i++ ) {
+        if( (NSSPKIXRelativeDistinguishedName *)NULL == rdns[i] ) {
+          break;
+        }
+      }
+
+#ifdef PEDANTIC
+      if( 0x80000000 == i ) {
+        nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+        return PR_FAILURE;
+      }
+#endif /* PEDANTIC */
+
+      count = (PRUint32)i;
+    } else {
+      if( countOpt < 0 ) {
+        nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+        return PR_FAILURE;
+      }
+
+      count = (PRUint32)countOpt;
+    }
+
+    for( i = 0; i < count; i++ ) {
+      if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdns[i]) ) {
+        return PR_FAILURE;
+      }
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRDNSequence_SetRelativeDistinguishedNames(rdnseq, rdns, countOpt);
+}
diff --git a/security/nss/lib/pkix/src/RDNSequence/template.c b/security/nss/lib/pkix/src/RDNSequence/template.c
new file mode 100644
index 000000000..ff5bbc0ba
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/template.c
@@ -0,0 +1,55 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+/*
+ * nssPKIXRDNSequence_template
+ *
+ */
+
+const nssASN1Template nssPKIXRDNSequence_template[] = {
+  { nssASN1_SEQUENCE_OF, offsetof(NSSPKIXRDNSequence, rdns),
+    nssPKIXRelativeDistinguishedName_template },
+  { 0 }
+};
diff --git a/security/nss/lib/pkix/src/RDNSequence/verifyPointer.c b/security/nss/lib/pkix/src/RDNSequence/verifyPointer.c
new file mode 100644
index 000000000..47a53a5c4
--- /dev/null
+++ b/security/nss/lib/pkix/src/RDNSequence/verifyPointer.c
@@ -0,0 +1,205 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIXM_H
+#include "pkixm.h"
+#endif /* PKIXM_H */
+
+#ifdef DEBUG
+
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+static nssPointerTracker pkix_rdnseq_pointer_tracker;
+
+/*
+ * nss_pkix_RDNSequence_add_pointer
+ *
+ * This method is only present in debug builds.
+ *
+ * This module-private routine adds an NSSPKIXRDNSequence pointer to
+ * the internal pointer-tracker.  This routine should only be used 
+ * by the NSSPKIX module.  This routine returns a PRStatus value; 
+ * upon error it will place an error on the error stack and return 
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INTERNAL_ERROR
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_pkix_RDNSequence_add_pointer
+(
+  const NSSPKIXRDNSequence *p
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&pkix_rdnseq_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return rv;
+  }
+
+  rv = nssPointerTracker_add(&pkix_rdnseq_pointer_tracker, p);
+  if( PR_SUCCESS != rv ) {
+    NSSError e = NSS_GetError();
+    if( NSS_ERROR_NO_MEMORY != e ) {
+      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    }
+
+    return rv;
+  }
+
+  rv = nssArena_registerDestructor(arena,
+         nss_pkix_RDNSequence_remove_pointer, p);
+  if( PR_SUCCESS != rv ) {
+    (void)nss_pkix_RDNSequence_remove_pointer(p);
+    return rv;
+  }
+
+#ifdef NSSDEBUG
+  {
+    NSSPKIXRelativeDistinguishedName *r;
+
+    for( r = p->rdns; *r; r++ ) {
+      if( PR_SUCCESS != nss_pkix_RelativeDistinguishedName_add_pointer(*r) ) {
+        (void)nss_pkix_RDNSequence_remove_pointer(p);
+        return PR_FAILURE;
+      }
+    }
+  }
+#endif /* NSSDEBUG */
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nss_pkix_RDNSequence_remove_pointer
+ *
+ * This method is only present in debug builds.
+ *
+ * This module-private routine removes a valid NSSPKIXRDNSequence
+ * pointer from the internal pointer-tracker.  This routine should 
+ * only be used by the NSSPKIX module.  This routine returns a 
+ * PRStatus value; upon error it will place an error on the error 
+ * stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INTERNAL_ERROR
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_pkix_RDNSequence_remove_pointer
+(
+  const NSSPKIXRDNSequence *p
+)
+{
+  PRStatus rv;
+
+#ifdef NSSDEBUG
+  {
+    NSSPKIXRelativeDistinguishedName *r;
+
+    for( r = p->rdns; *r; r++ ) {
+      (void)nss_pkix_RelativeDistinguishedName_remove_pointer(*r);
+    }
+  }
+#endif /* NSSDEBUG */
+
+  rv = nssPointerTracker_remove(&pkix_rdnseq_pointer_tracker, p);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  }
+
+  /*
+   * nssArena_deregisterDestructor(p->arena,
+   *   nss_pkix_RDNSequence_remove_pointer, p);
+   */
+
+  return rv;
+}
+
+/*
+ * nssPKIXRDNSequence_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXRDNSequence
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXRDNSequence_verifyPointer
+(
+  NSSPKIXRDNSequence *p
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&pkix_rdnseq_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
+    return PR_FAILURE;
+  }
+
+  rv = nssPointerTracker_verify(&pkix_rdnseq_pointer_tracker, p);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+#endif /* DEBUG */
+
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/AddAttributeTypeAndValue.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/AddAttributeTypeAndValue.c
new file mode 100644
index 000000000..efb142396
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/AddAttributeTypeAndValue.c
@@ -0,0 +1,77 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRelativeDistinguishedName_AddAttributeTypeAndValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXRelativeDistinguishedName_AddAttributeTypeAndValue
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSPKIXAttributeTypeAndValue *atav
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRelativeDistinguishedName_AddAttributeTypeAndValue(rdn, atav);
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/Create.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/Create.c
new file mode 100644
index 000000000..52e139c69
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/Create.c
@@ -0,0 +1,125 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRelativeDistinguishedName_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_EXTERN NSSPKIXRelativeDistinguishedName *
+NSSPKIXRelativeDistinguishedName_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAttributeTypeAndValue *atav1,
+  ...
+)
+{
+  va_list ap;
+  NSSPKIXRelativeDistinguishedName *rv;
+  PRUint32 count;
+
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXRelativeDistinguishedName *)NULL;
+    }
+  }
+
+  /* Is there a nonzero minimum number of ATAVs required? */
+
+  {
+    va_start(ap, arenaOpt);
+
+    while( 1 ) {
+      NSSPKIXAttributeTypeAndValue *atav;
+      atav = (NSSPKIXAttributeTypeAndValue *)va_arg(ap, NSSPKIXAttributeTypeAndValue *);
+      if( (NSSPKIXAttributeTypeAndValue *)NULL == atav ) {
+        break;
+      }
+
+      if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+        va_end(ap);
+        return (NSSPKIXRelativeDistinguishedName *)NULL;
+      }
+    }
+
+    va_end(ap);
+  }
+#endif /* DEBUG */
+
+  va_start(ap, arenaOpt);
+
+  for( count = 0; ; count++ ) {
+    NSSPKIXAttributeTypeAndValue *atav;
+    atav = (NSSPKIXAttributeTypeAndValue *)va_arg(ap, NSSPKIXAttributeTypeAndValue *);
+    if( (NSSPKIXAttributeTypeAndValue *)NULL == atav ) {
+      break;
+    }
+
+#ifdef PEDANTIC
+    if( count == 0xFFFFFFFF ) {
+      nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+      va_end(ap);
+      return (NSSPKIXAttributeTypeAndValue *)NULL;
+    }
+#endif /* PEDANTIC */
+  }
+
+  va_end(ap);
+
+  va_start(ap, arenaOpt);
+  rv = nss_pkix_RelativeDistinguishedName_V_Create(arenaOpt, count, ap);
+  va_end(ap);
+
+  return rv;
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/CreateFromArray.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/CreateFromArray.c
new file mode 100644
index 000000000..0c01be4da
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/CreateFromArray.c
@@ -0,0 +1,86 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRelativeDistinguishedName_CreateFromArray
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName *
+NSSPKIXRelativeDistinguishedName_CreateFromArray
+(
+  NSSArena *arenaOpt,
+  PRUint32 count,
+  NSSPKIXAttributeTypeAndValue *atavs[]
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttribute *)NULL;
+    }
+  }
+
+  {
+    PRUint32 i;
+
+    for( i = 0; i < count; i++ ) {
+      if( PR_SUCCESS != nssAttributeTypeAndValue_verifyPointer(&atavs[i]) ) {
+        return (NSSPKIXAttribute *)NULL;
+      }
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRelativeDistinguishedName_CreateFromArray(arenaOpt, count, atavs);
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/CreateFromUTF8.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/CreateFromUTF8.c
new file mode 100644
index 000000000..990b7acd2
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/CreateFromUTF8.c
@@ -0,0 +1,81 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRelativeDistinguishedName_CreateFromUTF8
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName *
+NSSPKIXRelativeDistinguishedName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *string
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXRelativeDistinguishedName *)NULL;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL == string ) {
+    nss_SetError(NSS_ERROR_INVALID_STRING);
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRelativeDistinguishedName_CreateFromUTF8(arenaOpt, string);
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/Decode.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/Decode.c
new file mode 100644
index 000000000..b8d0b243a
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/Decode.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRelativeDistinguishedName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName *
+NSSPKIXRelativeDistinguishedName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXRelativeDistinguishedName *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRelativeDistinguishedName_Decode(arenaOpt, ber);
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/Destroy.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/Destroy.c
new file mode 100644
index 000000000..ca8b1e85f
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/Destroy.c
@@ -0,0 +1,70 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRelativeDistinguishedName_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXRelativeDistinguishedName_Destroy
+(
+  NSSPKIXRelativeDistinguishedName *rdn
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRelativeDistinguishedName_Destroy(rdn);
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/Duplicate.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/Duplicate.c
new file mode 100644
index 000000000..416b405e8
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/Duplicate.c
@@ -0,0 +1,80 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRelativeDistinguishedName_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName *
+NSSPKIXRelativeDistinguishedName_Duplicate
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXRelativeDistinguishedName *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRelativeDistinguishedName_Duplicate(rdn, arenaOpt);
+}
+
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/Encode.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/Encode.c
new file mode 100644
index 000000000..ea6b82a55
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/Encode.c
@@ -0,0 +1,81 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRelativeDistinguishedName_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSBER *
+NSSPKIXRelativeDistinguishedName_Encode
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return (NSSBER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSBER *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRelativeDistinguishedName_Encode(rdn, encoding, rvOpt, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/Equal.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/Equal.c
new file mode 100644
index 000000000..3e4a3fc3e
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/Equal.c
@@ -0,0 +1,85 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRelativeDistinguishedName_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_EXTERN PRBool
+NSSPKIXRelativeDistinguishedName_Equal
+(
+  NSSPKIXRelativeDistinguishedName *one,
+  NSSPKIXRelativeDistinguishedName *two,
+  PRStatus *statusOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(one) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+
+    return PR_FALSE;
+  }
+
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(two) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+
+    return PR_FALSE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRelativeDistinguishedName_Equal(one, two, statusOpt);
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/FindAttributeTypeAndValue.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/FindAttributeTypeAndValue.c
new file mode 100644
index 000000000..65032b1c1
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/FindAttributeTypeAndValue.c
@@ -0,0 +1,78 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRelativeDistinguishedName_FindAttributeTypeAndValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  The index of the specified attribute value upon success
+ *  -1 upon failure.
+ */
+
+NSS_EXTERN PRInt32
+NSSPKIXRelativeDistinguishedName_FindAttributeTypeAndValue
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSPKIXAttributeTypeAndValue *atav
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRelativeDistinguishedName_FindAttributeTypeAndValue(rdn, atav);
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/GetAttributeTypeAndValue.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/GetAttributeTypeAndValue.c
new file mode 100644
index 000000000..1a58bd132
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/GetAttributeTypeAndValue.c
@@ -0,0 +1,81 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue *
+NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValue
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  PRInt32 i,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return (NSSPKIXAttributeTypeAndValue *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttributeTypeAndValue *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValue(rdn, i, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/GetAttributeTypeAndValueCount.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/GetAttributeTypeAndValueCount.c
new file mode 100644
index 000000000..1209e726c
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/GetAttributeTypeAndValueCount.c
@@ -0,0 +1,72 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValueCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_IMPLEMENT PRInt32
+NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValueCount
+(
+  NSSPKIXRelativeDistinguishedName *rdn
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return -1;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValueCount(rdn);
+}
+
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/GetAttributeTypeAndValues.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/GetAttributeTypeAndValues.c
new file mode 100644
index 000000000..7efc30173
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/GetAttributeTypeAndValues.c
@@ -0,0 +1,83 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValues
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXAttributeTypeAndValue 
+ *      pointers upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue **
+NSSPKIXRelativeDistinguishedName_GetAttributeTypeAndValues
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSPKIXAttributeTypeAndValue *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return (NSSPKIXAttributeTypeAndValue **)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyOpt(attribute) ) {
+      return (NSSPKIXAttributeTypeAndValue **)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValues(rdn, rvOpt, limit, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/GetUTF8Encoding.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/GetUTF8Encoding.c
new file mode 100644
index 000000000..9c428ae40
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/GetUTF8Encoding.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRelativeDistinguishedName_GetUTF8Encoding
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+NSSPKIXRelativeDistinguishedName_GetUTF8Encoding
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRelativeDistinguishedName_GetUTF8Encoding(rdn, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/MClear.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/MClear.c
new file mode 100644
index 000000000..2b1a93820
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/MClear.c
@@ -0,0 +1,73 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nss_pkix_RelativeDistinguishedName_Clear
+ *
+ * Wipes out cached data.
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_pkix_RelativeDistinguishedName_Clear
+(
+  NSSPKIXRelativeDistinguishedName *rdn
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSBER *)NULL != rdn->ber ) {
+    nss_ZFreeIf(rdn->ber->data);
+    nss_ZFreeIf(rdn->ber);
+  }
+
+  if( (NSSDER *)NULL != rdn->der ) {
+    nss_ZFreeIf(rdn->der->data);
+    nss_ZFreeIf(rdn->der);
+  }
+
+  nss_ZFreeIf(rdn->utf8);
+
+  return PR_SUCCESS;
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/MCount.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/MCount.c
new file mode 100644
index 000000000..23d976160
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/MCount.c
@@ -0,0 +1,82 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIXM_H
+#include "pkixm.h"
+#endif /* PKIXM_H */
+
+/*
+ * nss_pkix_RelativeDistinguishedName_Count
+ */
+
+NSS_IMPLEMENT void
+nss_pkix_RelativeDistinguishedName_Count
+(
+  NSSPKIXRelativeDistinguishedName *rdn
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return;
+  }
+#endif /* NSSDEBUG */
+
+  PR_ASSERT((NSSPKIXAttributeTypeAndValue **)NULL != rdn->atavs);
+  if( (NSSPKIXAttributeTypeAndValue **)NULL == rdn->atavs ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    return PR_FAILURE;
+  }
+
+  if( 0 == rdn->count ) {
+    PRUint32 i;
+    for( i = 0; i < 0xFFFFFFFF; i++ ) {
+      if( (NSSPKIXAttributeTypeAndValue *)NULL == rdn->atavs[i] ) {
+        break;
+      }
+    }
+
+#ifdef PEDANTIC
+    if( 0xFFFFFFFF == i ) {
+      return;
+    }
+#endif /* PEDANTIC */
+
+    rdn->count = i;
+  }
+
+  return;
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/MVCreate.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/MVCreate.c
new file mode 100644
index 000000000..c40a4b6e7
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/MVCreate.c
@@ -0,0 +1,158 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIXM_H
+#include "pkixm.h"
+#endif /* PKIXM_H */
+
+/*
+ * nss_pkix_RelativeDistinguishedName_v_create
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_OID
+ *  NSS_ERROR_INVALID_ITEM
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure.
+ */
+
+NSS_EXTERN NSSPKIXRelativeDistinguishedName *
+nss_pkix_RelativeDistinguishedName_V_Create
+(
+  NSSArena *arenaOpt,
+  PRUint32 count,
+  va_list ap
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXRelativeDistinguishedName *rv = (NSSPKIXRelativeDistinguishedName *)NULL;
+  PRStatus status;
+  PRUint32 i;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXRelativeDistinguishedName *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXRelativeDistinguishedName);
+  if( (NSSPKIXRelativeDistinguishedName *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+  rv->count = count;
+
+  rv->atav = nss_ZNEWARRAY(arena, NSSPKIXAttributeTypeAndValue *, count);
+  if( (NSSPKIXAttributeTypeAndValue **)NULL == rv->atav ) {
+    goto loser;
+  }
+
+  for( i = 0; i < count; i++ ) {
+    NSSPKIXAttributeTypeAndValue *v = (NSSPKIXAttributeTypeAndValue *)
+      va_arg(ap, NSSPKIXAttributeTypeAndValue *);
+
+#ifdef NSSDEBUG
+    /* 
+     * It's okay to test this down here, since 
+     * supposedly these have already been checked.
+     */
+    if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(v) ) {
+      goto loser;
+    }
+#endif /* NSSDEBUG */
+
+    rv->atav[i] = nssPKIXAttributeTypeAndValue_Duplicate(v, arena);
+    if( (NSSPKIXAttributeTypeAndValue *)NULL == rv->atav[i] ) {
+      goto loser;
+    }
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_RelativeDistinguishedName_add_pointer(rv) ) {
+    goto loser;
+  }
+
+  if( PR_SUCCESS != nssArena_registerDestructor(arena, 
+        nss_pkix_RelativeDistinguishedName_remove_pointer, rv) ) {
+    (void)nss_pkix_RelativeDistinguishedName_remove_pointer(rv);
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXRelativeDistinguishedName *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PAddAttributeTypeAndValue.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PAddAttributeTypeAndValue.c
new file mode 100644
index 000000000..68541d17e
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/PAddAttributeTypeAndValue.c
@@ -0,0 +1,107 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRelativeDistinguishedName_AddAttributeTypeAndValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXRelativeDistinguishedName_AddAttributeTypeAndValue
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSPKIXAttributeTypeAndValue *atav
+)
+{
+  PRUint32 newcount;
+  NSSPKIXAttributeTypeAndValue **newarray;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  PR_ASSERT((NSSPKIXAttributeTypeAndValue **)NULL != rdn->atavs);
+  if( (NSSPKIXAttributeTypeAndValue **)NULL == rdn->atavs ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    return PR_FAILURE;
+  }
+
+  if( 0 == rdn->count ) {
+    nss_pkix_RelativeDistinguishedName_Count(rdn);
+  }
+
+  newcount = rdn->count+1;
+  /* Check newcount for a rollover. */
+
+  /* Remember that our atavs array is NULL-terminated */
+  newarray = (NSSPKIXAttributeTypeAndValue **)nss_ZRealloc(rdn->atavs,
+               ((newcount+1) * sizeof(NSSPKIXAttributeTypeAndValue *)));
+  if( (NSSPKIXAttributeTypeAndValue **)NULL == newarray ) {
+    return PR_FAILURE;
+  }
+
+  rdn->atavs = newarray;
+
+  rdn->atavs[ rdn->count ] = nssPKIXAttributeTypeAndValue_Duplicate(atav, rdn->arena);
+  if( (NSSPKIXAttributeTypeAndValue *)NULL == rdn->atavs[ rdn->count ] ) {
+    return PR_FAILURE; /* array is "too big" but whatever */
+  }
+
+  rdn->count = newcount;
+
+  return nss_pkix_RelativeDistinguishedName_Clear(rdn);
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PCreate.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PCreate.c
new file mode 100644
index 000000000..a3a1f7315
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/PCreate.c
@@ -0,0 +1,123 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRelativeDistinguishedName_Create
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName *
+nssPKIXRelativeDistinguishedName_Create
+(
+  NSSArena *arenaOpt,
+  NSSPKIXAttributeTypeAndValue *atav1,
+  ...
+)
+{
+  va_list ap;
+  NSSPKIXRelativeDistinguishedName *rv;
+  PRUint32 count;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXRelativeDistinguishedName *)NULL;
+    }
+  }
+
+  /* Is there a nonzero minimum number of ATAVs required? */
+
+  {
+    va_start(ap, arenaOpt);
+
+    while( 1 ) {
+      NSSPKIXAttributeTypeAndValue *atav;
+      atav = (NSSPKIXAttributeTypeAndValue *)va_arg(ap, NSSPKIXAttributeTypeAndValue *);
+      if( (NSSPKIXAttributeTypeAndValue *)NULL == atav ) {
+        break;
+      }
+
+      if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+        va_end(ap);
+        return (NSSPKIXRelativeDistinguishedName *)NULL;
+      }
+    }
+
+    va_end(ap);
+  }
+#endif /* NSSDEBUG */
+
+  va_start(ap, arenaOpt);
+
+  for( count = 0; ; count++ ) {
+    NSSPKIXAttributeTypeAndValue *atav;
+    atav = (NSSPKIXAttributeTypeAndValue *)va_arg(ap, NSSPKIXAttributeTypeAndValue *);
+    if( (NSSPKIXAttributeTypeAndValue *)NULL == atav ) {
+      break;
+    }
+
+#ifdef PEDANTIC
+    if( count == 0xFFFFFFFF ) {
+      nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+      va_end(ap);
+      return (NSSPKIXAttributeTypeAndValue *)NULL;
+    }
+#endif /* PEDANTIC */
+  }
+
+  va_end(ap);
+
+  va_start(ap, arenaOpt);
+  rv = nss_pkix_RelativeDistinguishedName_V_Create(arenaOpt, count, ap);
+  va_end(ap);
+
+  return rv;
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PCreateFromArray.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PCreateFromArray.c
new file mode 100644
index 000000000..fa7e27eed
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/PCreateFromArray.c
@@ -0,0 +1,151 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIXM_H
+#include "pkixm.h"
+#endif /* PKIXM_H */
+
+/*
+ * nssPKIXRelativeDistinguishedName_CreateFromArray
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName *
+nssPKIXRelativeDistinguishedName_CreateFromArray
+(
+  NSSArena *arenaOpt,
+  PRUint32 count,
+  NSSPKIXAttributeTypeAndValue *atavs
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXRelativeDistinguishedName *rv = (NSSPKIXRelativeDistinguishedName *)NULL;
+  PRStatus status;
+  PRUint32 i;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXRelativeDistinguishedName *)NULL;
+    }
+  }
+
+  {
+    PRUint32 i;
+
+    for( i = 0; i < count; i++ ) {
+      if( PR_SUCCESS != nssAttributeTypeAndValue_verifyPointer(&atavs[i]) ) {
+        return (NSSPKIXAttribute *)NULL;
+      }
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXRelativeDistinguishedName);
+  if( (NSSPKIXRelativeDistinguishedName *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+  rv->count = count;
+
+  rv->atav = nss_ZNEWARRAY(arena, NSSPKIXAttributeTypeAndValue *, count);
+  if( (NSSPKIXAttributeTypeAndValue **)NULL == rv->atav ) {
+    goto loser;
+  }
+
+  for( i = 0; i < count; i++ ) {
+    NSSPKIXAttributeTypeAndValue *v = atavs[i];
+
+    rv->atav[i] = nssPKIXAttributeTypeAndValue_Duplicate(v, arena);
+    if( (NSSPKIXAttributeTypeAndValue *)NULL == rv->atav[i] ) {
+      goto loser;
+    }
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_RelativeDistinguishedName_add_pointer(rv) ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXRelativeDistinguishedName *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PCreateFromUTF8.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PCreateFromUTF8.c
new file mode 100644
index 000000000..2f2f995be
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/PCreateFromUTF8.c
@@ -0,0 +1,139 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRelativeDistinguishedName_CreateFromUTF8
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_UNKNOWN_ATTRIBUTE
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName *
+nssPKIXRelativeDistinguishedName_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *string
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXRelativeDistinguishedName *rv = (NSSPKIXRelativeDistinguishedName *)NULL;
+  PRStatus status;
+  PRUint32 i;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXRelativeDistinguishedName *)NULL;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL == string ) {
+    nss_SetError(NSS_ERROR_INVALID_STRING);
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXRelativeDistinguishedName);
+  if( (NSSPKIXRelativeDistinguishedName *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+  rv->utf8 = nssUTF8_Duplicate(string, arena);
+  if( (NSSUTF8 *)NULL == rv->utf8 ) {
+    goto loser;
+  }
+  
+  /* Insert intelligence here -- fgmr */
+  nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  goto loser;
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_RelativeDistinguishedName_add_pointer(rv) ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXRelativeDistinguishedName *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PDecode.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PDecode.c
new file mode 100644
index 000000000..ad1766280
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/PDecode.c
@@ -0,0 +1,142 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+/*
+ * nssPKIXRelativeDistinguishedName_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName *
+nssPKIXRelativeDistinguishedName_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXRelativeDistinguishedName *rv = (NSSPKIXRelativeDistinguishedName *)NULL;
+  PRStatus status;
+  PRUint32 i;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXRelativeDistinguishedName *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXRelativeDistinguishedName);
+  if( (NSSPKIXRelativeDistinguishedName *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+  rv->ber = nssItem_Duplicate(ber, arena, (NSSItem *)NULL);
+  if( (NSSItem *)NULL == rv->ber ) {
+    goto loser;
+  }
+
+  status = nssASN1_DecodeBER(arena, rv, nssPKIXRelativeDistinguishedName_template, ber);
+  if( PR_SUCCESS != status ) {
+    goto loser;
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_RelativeDistinguishedName_add_pointer(rv) ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXRelativeDistinguishedName *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PDestroy.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PDestroy.c
new file mode 100644
index 000000000..94b8fcf00
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/PDestroy.c
@@ -0,0 +1,76 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRelativeDistinguishedName_Destroy
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXRelativeDistinguishedName_Destroy
+(
+  NSSPKIXRelativeDistinguishedName *rdn
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+#ifdef DEBUG
+  (void)nss_pkix_RelativeDistinguishedName_remove_pointer(rdn);
+#endif /* DEBUG */
+
+  if( PR_TRUE == rdn->i_allocated_arena ) {
+    return nssArena_Destroy(rdn->arena);
+  }
+
+  return PR_SUCCESS;
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PDuplicate.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PDuplicate.c
new file mode 100644
index 000000000..0277b7b01
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/PDuplicate.c
@@ -0,0 +1,177 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRelativeDistinguishedName_Duplicate
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXRelativeDistinguishedName upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXRelativeDistinguishedName *
+nssPKIXRelativeDistinguishedName_Duplicate
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSArena *arenaOpt
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXRelativeDistinguishedName *rv = (NSSPKIXRelativeDistinguishedName *)NULL;
+  PRStatus status;
+  PRUint32 i;
+  NSSPKIXAttributeTypeAndValue **from, **to;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return (NSSPKIXRelativeDistinguishedName *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXRelativeDistinguishedName *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXRelativeDistinguishedName);
+  if( (NSSPKIXRelativeDistinguishedName *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+
+  if( (NSSDER *)NULL != rdn->der ) {
+    rv->der = nssItem_Duplicate(rdn->der, arena, (NSSItem *)NULL);
+    if( (NSSDER *)NULL == rv->der ) {
+      goto loser;
+    }
+  }
+
+  if( (NSSBER *)NULL != rdn->ber ) {
+    rv->ber = nssItem_Duplicate(rdn->ber, arena, (NSSItem *)NULL);
+    if( (NSSBER *)NULL == rv->ber ) {
+      goto loser;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL != rdn->utf8 ) {
+    rv->utf8 = nssUTF8_Duplicate(rdn->utf8, arena);
+    if( (NSSUTF8 *)NULL == rv->utf8 ) {
+      goto loser;
+    }
+  }
+
+  rv->count = rdn->count;
+
+  {
+    if( 0 == rdn->count ) {
+      nss_pkix_RelativeDistinguishedName_Count(rdn);
+      if( 0 == rdn->count ) {
+        nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+        goto loser;
+      }
+
+      rv->count = rdn->count; /* might as well save it */
+    }
+
+    rv->atavs = nss_ZNEWARRAY(arena, NSSPKIXAttributeTypeAndValue *, rdn->count + 1);
+    if( (NSSPKIXAttributeTypeAndValue *)NULL == rv->atavs ) {
+      goto loser;
+    }
+  }
+
+  for( from = &rdn->atavs[0], to = &rv->atavs[0]; *from; from++, to++ ) {
+    *to = nssPKIXAttributeTypeAndValue_Duplicate(*from, arena);
+    if( (NSSPKIXAttributeTypeAndValue *)NULL == *to ) {
+      goto loser;
+    }
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_RelativeDistinguishedName_add_pointer(rv) ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXRelativeDistinguishedName *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PEncode.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PEncode.c
new file mode 100644
index 000000000..d2af9470b
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/PEncode.c
@@ -0,0 +1,123 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+/*
+ * nssPKIXRelativeDistinguishedName_Encode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSBER *
+nssPKIXRelativeDistinguishedName_Encode
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+  NSSBER *it;
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return (NSSBER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSBER *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  switch( encoding ) {
+  case NSSASN1BER:
+    if( (NSSBER *)NULL != rdn->ber ) {
+      it = rdn->ber;
+      goto done;
+    }
+    /*FALLTHROUGH*/
+  case NSSASN1DER:
+    if( (NSSDER *)NULL != rdn->der ) {
+      it = rdn->der;
+      goto done;
+    }
+    break;
+  default:
+    nss_SetError(NSS_ERROR_UNSUPPORTED_ENCODING);
+    return (NSSBER *)NULL;
+  }
+
+  it = nssASN1_EncodeItem(rdn->arena, (NSSItem *)NULL, rdn,
+                          nssPKIXRelativeDistinguishedName_template,
+                          encoding);
+  if( (NSSBER *)NULL == it ) {
+    return (NSSBER *)NULL;
+  }
+
+  switch( encoding ) {
+  case NSSASN1BER:
+    rdn->ber = it;
+    break;
+  case NSSASN1DER:
+    rdn->der = it;
+    break;
+  default:
+    PR_ASSERT(0);
+    break;
+  }
+
+ done:
+  return nssItem_Duplicate(it, arenaOpt, rvOpt);
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PEqual.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PEqual.c
new file mode 100644
index 000000000..2ac566a8b
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/PEqual.c
@@ -0,0 +1,101 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRelativeDistinguishedName_Equal
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+nssPKIXRelativeDistinguishedName_Equal
+(
+  NSSPKIXRelativeDistinguishedName *one,
+  NSSPKIXRelativeDistinguishedName *two,
+  PRStatus *statusOpt
+)
+{
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(one) ) {
+    goto loser;
+  }
+
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(two) ) {
+    goto loser;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSDER *)NULL == one->der ) {
+    one->der = nssASN1_EncodeItem(one->arena, (NSSItem *)NULL, one,
+                                  nssPKIXRelativeDistinguishedName_template,
+                                  NSSASN1DER);
+    if( (NSSDER *)NULL == one->der ) {
+      goto loser;
+    }
+  }
+
+  if( (NSSDER *)NULL == two->der ) {
+    two->der = nssASN1_EncodeItem(two->arena, (NSSItem *)NULL, two,
+                                  nssPKIXRelativeDistinguishedName_template,
+                                  NSSASN1DER);
+    if( (NSSDER *)NULL == two->der ) {
+      goto loser;
+    }
+  }
+
+  return nssItem_Equal(one->der, two->der, statusOpt);
+
+ loser:
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_FAILURE;
+  }
+
+  return PR_FALSE;
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PFindAttributeTypeAndValue.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PFindAttributeTypeAndValue.c
new file mode 100644
index 000000000..ee7c55e10
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/PFindAttributeTypeAndValue.c
@@ -0,0 +1,96 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRelativeDistinguishedName_FindAttributeTypeAndValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_NOT_FOUND
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  The index of the specified attribute value upon success
+ *  -1 upon failure.
+ */
+
+NSS_IMPLEMENT PRInt32
+nssPKIXRelativeDistinguishedName_FindAttributeTypeAndValue
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSPKIXAttributeTypeAndValue *atav
+)
+{
+  PRUint32 i;
+  NSSPKIXAttributeTypeAndValue **a;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return -1;
+  }
+
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return -1;
+  }
+#endif /* NSSDEBUG */
+
+  PR_ASSERT((NSSPKIXAttributeTypeAndValue **)NULL != rdn->atavs);
+  if( (NSSPKIXAttributeTypeAndValue **)NULL == rdn->atavs ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    return -1;
+  }
+
+  for( i = 0, a = rdn->atavs; *a; a++, (i > 0x7fffffff) || i++ ) {
+    if( PR_TRUE == nssPKIXAttributeTypeAndValue_Equal(*a, atav) ) {
+      if( i > 0x7fffffff ) {
+        nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+        return -1;
+      }
+      return (PRInt32)i;
+    }
+  }
+
+  nss_SetError(NSS_ERROR_NOT_FOUND);
+  return -1;
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetAttributeTypeAndValue.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetAttributeTypeAndValue.c
new file mode 100644
index 000000000..22c3abac6
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetAttributeTypeAndValue.c
@@ -0,0 +1,89 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXAttributeTypeAndValue upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue *
+nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValue
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  PRInt32 i,
+  NSSArena *arenaOpt
+)
+{
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return (NSSPKIXAttributeTypeAndValue *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttributeTypeAndValue *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( 0 == rdn->count ) {
+    nss_pkix_RelativeDistinguishedName_Count(rdn);
+  }
+
+  if( (i < 0) || (i >= rdn->count) ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return (NSSPKIXAttributeTypeAndValue *)NULL;
+  }
+
+  return nssPKIXAttributeTypeAndValue_Duplicate(rdn->atavs[i], arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetAttributeTypeAndValueCount.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetAttributeTypeAndValueCount.c
new file mode 100644
index 000000000..df8e1b48e
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetAttributeTypeAndValueCount.c
@@ -0,0 +1,85 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValueCount
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *
+ * Return value:
+ *  Nonnegative integer upon success
+ *  -1 upon failure.
+ */
+
+NSS_IMPLEMENT PRInt32
+nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValueCount
+(
+  NSSPKIXRelativeDistinguishedName *rdn
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return -1;
+  }
+#endif /* NSSDEBUG */
+
+  if( 0 == rdn->count ) {
+    nss_pkix_RelativeDistinguishedName_Count(rdn);
+  }
+
+#ifdef PEDANTIC
+  if( 0 == rdn->count ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return -1;
+  }
+#endif /* PEDANTIC */
+
+  if( rdn->count > 0x7fffffff ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return -1;
+  }
+
+  return (PRInt32)(rdn->count);
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetAttributeTypeAndValues.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetAttributeTypeAndValues.c
new file mode 100644
index 000000000..7675d5ad3
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetAttributeTypeAndValues.c
@@ -0,0 +1,133 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValues
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_ARRAY_TOO_SMALL
+ *
+ * Return value:
+ *  A valid pointer to an array of NSSPKIXAttributeTypeAndValue 
+ *      pointers upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXAttributeTypeAndValue **
+nssPKIXRelativeDistinguishedName_GetAttributeTypeAndValues
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSPKIXAttributeTypeAndValue *rvOpt[],
+  PRInt32 limit,
+  NSSArena *arenaOpt
+)
+{
+  NSSPKIXAttributeTypeAndValue **rv = (NSSPKIXAttributeTypeAndValue **)NULL;
+  PRUint32 i;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return (NSSPKIXAttributeTypeAndValue **)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyOpt(attribute) ) {
+      return (NSSPKIXAttributeTypeAndValue **)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( 0 == rdn->count ) {
+    nss_pkix_RelativeDistinguishedName_Count(rdn);
+  }
+
+#ifdef PEDANTIC
+  if( 0 == rdn->count ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return (NSSPKIXAttributeTypeAndValue **)NULL;
+  }
+#endif /* PEDANTIC */
+
+  if( (limit < rdn->count) &&
+      !((0 == limit) && ((NSSPKIXAttributeTypeAndValue **)NULL == rvOpt)) ) {
+    nss_SetError(NSS_ERROR_ARRAY_TOO_SMALL);
+    return (NSSPKIXAttributeTypeAndValue **)NULL;
+  }
+
+  limit = rdn->count;
+  if( (NSSPKIXAttributeTypeAndValue **)NULL == rvOpt ) {
+    rv = nss_ZNEWARRAY(arenaOpt, NSSPKIXAttributeTypeAndValue *, limit);
+    if( (NSSPKIXAttributeTypeAndValue **)NULL == rv ) {
+      return (NSSPKIXAttributeTypeAndValue **)NULL;
+    }
+  } else {
+    rv = rvOpt;
+  }
+
+  for( i = 0; i < limit; i++ ) {
+    rv[i] = nssPKIXAttributeTypeAndValue_Duplicate(rdn->atav[i], arenaOpt);
+    if( (NSSPKIXAttributeTypeAndValue *)NULL == rv[i] ) {
+      goto loser;
+    }
+  }
+
+  return rv;
+
+ loser:
+  for( i = 0; i < limit; i++ ) {
+    NSSPKIXAttributeTypeAndValue *x = rv[i];
+    if( (NSSPKIXAttributeTypeAndValue *)NULL == x ) {
+      break;
+    }
+    (void)nssPKIXAttributeTypeAndValue_Destroy(x);
+  }
+
+  if( rv != rvOpt ) {
+    nss_ZFreeIf(rv);
+  }
+
+  return (NSSPKIXAttributeTypeAndValue **)NULL;
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetUTF8Encoding.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetUTF8Encoding.c
new file mode 100644
index 000000000..01abf228c
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/PGetUTF8Encoding.c
@@ -0,0 +1,81 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRelativeDistinguishedName_GetUTF8Encoding
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_ARENA
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSUTF8 pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+nssPKIXRelativeDistinguishedName_GetUTF8Encoding
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSArena *arenaOpt
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSUTF8 *)NULL == rdn->utf8 ) {
+    /* xxx fgmr fill this in from pki1 implementation */
+  }
+
+  return nssUTF8_Duplicate(rdn->utf8, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PRemoveAttributeTypeAndValue.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PRemoveAttributeTypeAndValue.c
new file mode 100644
index 000000000..84b5cc819
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/PRemoveAttributeTypeAndValue.c
@@ -0,0 +1,121 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRelativeDistinguishedName_RemoveAttributeTypeAndValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_AT_MINIMUM
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXRelativeDistinguishedName_RemoveAttributeTypeAndValue
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  PRInt32 i
+)
+{
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  if( 0 == rdn->count ) {
+    nss_pkix_RelativeDistinguishedName_Count(rdn);
+  }
+
+  if( i < 0 ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return PR_FAILURE;
+  }
+
+  /* Is there a technical minimum? */
+  /*
+   *  if( 1 == rdn->count ) {
+   *    nss_SetError(NSS_ERROR_AT_MINIMUM);
+   *    return PR_FAILURE;
+   *  }
+   */
+
+#ifdef PEDANTIC
+  if( 0 == rdn->count ) {
+    NSSPKIXAttributeTypeAndValue **ip;
+    /* Too big.. but we can still remove one */
+    nssPKIXAttributeTypeAndValue_Destroy(rdn->atavs[i]);
+    for( ip = &rdn->atavs[i]; *ip; ip++ ) {
+      ip[0] = ip[1];
+    }
+  } else
+#endif /* PEDANTIC */
+
+  {
+    NSSPKIXAttributeTypeAndValue *si;
+    PRUint32 end;
+
+    if( i >= rdn->count ) {
+      nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+      return PR_FAILURE;
+    }
+
+    end = rdn->count - 1;
+    
+    si = rdn->atavs[i];
+    rdn->atavs[i] = rdn->atavs[end];
+    rdn->atavs[end] = (NSSPKIXAttributeTypeAndValue *)NULL;
+
+    nssPKIXAttributeTypeAndValue_Destroy(si);
+
+    /* We could realloc down, but we know it's a no-op */
+    rdn->count = end;
+  }
+
+  return nss_pkix_RelativeDistinguishedName_Clear(rdn);
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PSetAttributeTypeAndValue.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PSetAttributeTypeAndValue.c
new file mode 100644
index 000000000..01439e2e7
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/PSetAttributeTypeAndValue.c
@@ -0,0 +1,102 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValue
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  PRInt32 i,
+  NSSPKIXAttributeTypeAndValue *atav
+)
+{
+  NSSPKIXAttributeTypeAndValue *dup;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  PR_ASSERT((NSSPKIXAttributeTypeAndValue **)NULL != rdn->atavs);
+  if( (NSSPKIXAttributeTypeAndValue **)NULL == rdn->atavs ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    return PR_FAILURE;
+  }
+
+  if( 0 == rdn->count ) {
+    nss_pkix_RelativeDistinguishedName_Count(rdn);
+  }
+
+  if( (i < 0) || (i >= rdn->count) ) {
+    nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+    return PR_FAILURE;
+  }
+
+  dup = nssPKIXAttributeTypeAndValue_Duplicate(atav, rdn->arena);
+  if( (NSSPKIXAttributeTypeAndValue *)NULL == dup ) {
+    return PR_FAILURE;
+  }
+
+  nssPKIXAttributeTypeAndValue_Destroy(rdn->atavs[i]);
+  rdn->atavs[i] = dup;
+
+  return nss_pkix_RelativeDistinguishedName_Clear(rdn);
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/PSetAttributeTypeAndValues.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/PSetAttributeTypeAndValues.c
new file mode 100644
index 000000000..839839ea2
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/PSetAttributeTypeAndValues.c
@@ -0,0 +1,166 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValues
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValues
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSPKIXAttributeTypeAndValue *atavs[],
+  PRInt32 countOpt
+)
+{
+  NSSPKIXAttributeTypeAndValue **ip;
+  NSSPKIXAttributeTypeAndValue **newarray;
+  PRUint32 i;
+  nssArenaMark *mark;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return PR_FAILURE;
+  }
+
+  if( (NSSPKIXAttributeTypeAndValues **)NULL == atavs ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return PR_FAILURE;
+  }
+
+  {
+    PRUint32 i, count;
+
+    if( 0 == countOpt ) {
+      for( i = 0; i < 0x80000000; i++ ) {
+        if( (NSSPKIXAttributeTypeAndValue *)NULL == atav[i] ) {
+          break;
+        }
+      }
+
+#ifdef PEDANTIC
+      if( 0x80000000 == i ) {
+        nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+        return PR_FAILURE;
+      }
+#endif /* PEDANTIC */
+
+      count = (PRUint32)i;
+    } else {
+      if( countOpt < 0 ) {
+        nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+        return PR_FAILURE;
+      }
+
+      count = (PRUint32)countOpt;
+    }
+
+    for( i = 0; i < count; i++ ) {
+      if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav[i]) ) {
+        return PR_FAILURE;
+      }
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( 0 == countOpt ) {
+    for( i = 0; i < 0xffffffff; i++ ) {
+      if( (NSSPKIXAttributeTypeAndValue *)NULL == atavs[i] ) {
+        break;
+      }
+    }
+
+#ifdef PEDANTIC
+    if( 0xffffffff == 0 ) {
+      nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+      reutrn PR_FAILURE;
+    }
+#endif /* PEDANTIC */
+
+    countOpt = i;
+  }
+
+  mark = nssArena_Mark(rdn->mark);
+  if( (nssArenaMark *)NULL == mark ) {
+    return PR_FAILURE;
+  }
+
+  newarray = nss_ZNEWARRAY(rdn->arena, NSSPKIXAttributeTypeAndValue *, countOpt);
+  if( (NSSPKIXAttributeTypeAndValue **)NULL == newarray ) {
+    goto loser;
+  }
+
+  for( i = 0; i < countOpt; i++ ) {
+    newarray[i] = nssPKIXAttributeTypeAndValue_Duplicate(atavs[i], rdn->arena);
+    if( (NSSPKIXAttributeTypeAndValue *)NULL == newarray[i] ) {
+      goto loser;
+    }
+  }
+
+  for( i = 0; i < rdn->count; i++ ) {
+    if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_Destroy(rdn->atavs[i]) ) {
+      goto loser;
+    }
+  }
+
+  nss_ZFreeIf(rdn->atavs);
+
+  rdn->count = countOpt;
+  rdn->atavs = newarray;
+
+  (void)nss_pkix_RelativeDistinguishedName_Clear(rdn);
+
+  return nssArena_Unmark(rdn->arena, mark);
+
+ loser:
+  (void)nssArena_Release(a->arena, mark);
+  return PR_FAILURE;
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/RemoveAttributeTypeAndValue.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/RemoveAttributeTypeAndValue.c
new file mode 100644
index 000000000..b9f1deb66
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/RemoveAttributeTypeAndValue.c
@@ -0,0 +1,73 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRelativeDistinguishedName_RemoveAttributeTypeAndValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_AT_MINIMUM
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXRelativeDistinguishedName_RemoveAttributeTypeAndValue
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  PRInt32 i
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRelativeDistinguishedName_RemoveAttributeTypeAndValue(rdn, i);
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/SetAttributeTypeAndValue.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/SetAttributeTypeAndValue.c
new file mode 100644
index 000000000..fa2224a6b
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/SetAttributeTypeAndValue.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRelativeDistinguishedName_SetAttributeTypeAndValue
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_VALUE_OUT_OF_RANGE
+ *  NSS_ERROR_INVALID_PKIX_ATAV
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXRelativeDistinguishedName_SetAttributeTypeAndValue
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  PRInt32 i,
+  NSSPKIXAttributeTypeAndValue *atav
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return PR_FAILURE;
+  }
+
+  if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atav) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValue(rdn, i, atav);
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/SetAttributeTypeAndValues.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/SetAttributeTypeAndValues.c
new file mode 100644
index 000000000..c6a8f0434
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/SetAttributeTypeAndValues.c
@@ -0,0 +1,113 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXRelativeDistinguishedName_SetAttributeTypeAndValues
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_RDN
+ *  NSS_ERROR_INVALID_POINTER
+ *  NSS_ERROR_INVALID_ATAV
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+NSSPKIXRelativeDistinguishedName_SetAttributeTypeAndValues
+(
+  NSSPKIXRelativeDistinguishedName *rdn,
+  NSSPKIXAttributeTypeAndValue *atavs[],
+  PRInt32 countOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXRelativeDistinguishedName_verifyPointer(rdn) ) {
+    return PR_FAILURE;
+  }
+
+  if( (NSSPKIXAttributeTypeAndValue **)NULL == atavs ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return PR_FAILURE;
+  }
+
+  {
+    PRUint32 i, count;
+
+    if( 0 == countOpt ) {
+      for( i = 0; i < 0x80000000; i++ ) {
+        if( (NSSPKIXAttributeTypeAndValue *)NULL == atavs[i] ) {
+          break;
+        }
+      }
+
+#ifdef PEDANTIC
+      if( 0x80000000 == i ) {
+        nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+        return PR_FAILURE;
+      }
+#endif /* PEDANTIC */
+
+      count = (PRUint32)i;
+    } else {
+      if( countOpt < 0 ) {
+        nss_SetError(NSS_ERROR_VALUE_OUT_OF_RANGE);
+        return PR_FAILURE;
+      }
+
+      count = (PRUint32)countOpt;
+    }
+
+    for( i = 0; i < count; i++ ) {
+      if( PR_SUCCESS != nssPKIXAttributeTypeAndValue_verifyPointer(atavs[i]) ) {
+        return PR_FAILURE;
+      }
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXRelativeDistinguishedName_SetAttributeTypeAndValues(rdn, atavs, countOpt);
+}
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/template.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/template.c
new file mode 100644
index 000000000..fff01836a
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/template.c
@@ -0,0 +1,55 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+/*
+ * nssPKIXRelativeDistinguishedName_template
+ *
+ */
+
+const nssASN1Template nssPKIXRelativeDistinguishedName_template[] = {
+  { nssASN1_SET_OF, offsetof(NSSPKIXRelativeDistinguishedName, atavs),
+    nssPKIXAttributeTypeAndValue_template, 
+    sizeof(NSSPKIXRelativeDistinguishedName) }
+};
diff --git a/security/nss/lib/pkix/src/RelativeDistinguishedName/verifyPointer.c b/security/nss/lib/pkix/src/RelativeDistinguishedName/verifyPointer.c
new file mode 100644
index 000000000..d7274abae
--- /dev/null
+++ b/security/nss/lib/pkix/src/RelativeDistinguishedName/verifyPointer.c
@@ -0,0 +1,205 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIXM_H
+#include "pkixm.h"
+#endif /* PKIXM_H */
+
+#ifdef DEBUG
+
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+static nssPointerTracker pkix_rdn_pointer_tracker;
+
+/*
+ * nss_pkix_RelativeDistinguishedName_add_pointer
+ *
+ * This method is only present in debug builds.
+ *
+ * This module-private routine adds an NSSPKIXRelativeDistinguishedName pointer to
+ * the internal pointer-tracker.  This routine should only be used 
+ * by the NSSPKIX module.  This routine returns a PRStatus value; 
+ * upon error it will place an error on the error stack and return 
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INTERNAL_ERROR
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_pkix_RelativeDistinguishedName_add_pointer
+(
+  const NSSPKIXRelativeDistinguishedName *p
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&pkix_rdn_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return rv;
+  }
+
+  rv = nssPointerTracker_add(&pkix_rdn_pointer_tracker, p);
+  if( PR_SUCCESS != rv ) {
+    NSSError e = NSS_GetError();
+    if( NSS_ERROR_NO_MEMORY != e ) {
+      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    }
+
+    return rv;
+  }
+
+  rv = nssArena_registerDestructor(p->arena,
+         nss_pkix_RelativeDistinguishedName_remove_pointer, p);
+  if( PR_SUCCESS != rv ) {
+    (void)nss_pkix_RelativeDistinguishedName_remove_pointer(p);
+    return rv;
+  }
+
+#ifdef NSSDEBUG
+  {
+    NSSPKIXAttributeTypeAndValue *a;
+
+    for( a = p->atavs; *a; a++ ) {
+      if( PR_SUCCESS != nss_pkix_AttributeTypeAndValue_add_pointer(*a) ) {
+        nss_pkix_RelativeDistinguishedName_remove_pointer(p);
+        return PR_FAILURE;
+      }
+    }
+  }
+#endif /* NSSDEBUG */
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nss_pkix_RelativeDistinguishedName_remove_pointer
+ *
+ * This method is only present in debug builds.
+ *
+ * This module-private routine removes a valid NSSPKIXRelativeDistinguishedName
+ * pointer from the internal pointer-tracker.  This routine should 
+ * only be used by the NSSPKIX module.  This routine returns a 
+ * PRStatus value; upon error it will place an error on the error 
+ * stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INTERNAL_ERROR
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_pkix_RelativeDistinguishedName_remove_pointer
+(
+  const NSSPKIXRelativeDistinguishedName *p
+)
+{
+  PRStatus rv;
+
+#ifdef NSSDEBUG
+  {
+    NSSPKIXAttributeTypeAndValue *a;
+
+    for( a = p->atavs; *a; a++ ) {
+      (void)nss_pkix_AttributeTypeAndValue_remove_pointer(*a);
+    }
+  }
+#endif /* NSSDEBUG */
+
+  rv = nssPointerTracker_remove(&pkix_rdn_pointer_tracker, p);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  }
+
+  /*
+   * nssArena_deregisterDestructor(p->arena, 
+   *   nss_pkix_RelativeDistinguishedName_remove_pointer, p);
+   */
+
+  return rv;
+}
+
+/*
+ * nssPKIXRelativeDistinguishedName_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXRelativeDistinguishedName
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_ATTRIBUTE
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXRelativeDistinguishedName_verifyPointer
+(
+  NSSPKIXRelativeDistinguishedName *p
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&pkix_rdn_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
+    return PR_FAILURE;
+  }
+
+  rv = nssPointerTracker_verify(&pkix_rdn_pointer_tracker, p);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_PKIX_ATTRIBUTE);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+#endif /* DEBUG */
+
diff --git a/security/nss/lib/pkix/src/Time/Compare.c b/security/nss/lib/pkix/src/Time/Compare.c
new file mode 100644
index 000000000..6a125d6c6
--- /dev/null
+++ b/security/nss/lib/pkix/src/Time/Compare.c
@@ -0,0 +1,75 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXTime_Compare
+ *
+ * Usual result: -1, 0, 1
+ *  Returns 0 on error
+ */
+
+NSS_IMPLEMENT PRInt32
+NSSPKIXTime_Compare
+(
+  NSSPKIXTime *time1,
+  NSSPKIXTime *tiem2,
+  PRStatus *statusOpt
+)
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXTime_verifyPointer(time1) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return 0;
+  }
+
+  if( PR_SUCCESS != nssPKIXTime_verifyPointer(time2) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return 0;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXTime_Compare(time1, time2, statusOpt);
+}
diff --git a/security/nss/lib/pkix/src/Time/CreateFromPRTime.c b/security/nss/lib/pkix/src/Time/CreateFromPRTime.c
new file mode 100644
index 000000000..909adb14e
--- /dev/null
+++ b/security/nss/lib/pkix/src/Time/CreateFromPRTime.c
@@ -0,0 +1,65 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXTime_CreateFromPRTime
+ *
+ */
+
+NSS_IMPLEMENT NSSPKIXTime *
+NSSPKIXTime_CreateFromPRTime
+(
+  NSSArena *arenaOpt,
+  PRTime prTime
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXTime *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXTime_CreateFromPRTime(arenaOpt, prTime);
+}
diff --git a/security/nss/lib/pkix/src/Time/CreateFromUTF8.c b/security/nss/lib/pkix/src/Time/CreateFromUTF8.c
new file mode 100644
index 000000000..469741ac6
--- /dev/null
+++ b/security/nss/lib/pkix/src/Time/CreateFromUTF8.c
@@ -0,0 +1,70 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXTime_CreateFromUTF8
+ *
+ */
+
+NSS_EXTERN NSSPKIXTime *
+NSSPKIXTime_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXTime *)NULL;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL == utf8 ) {
+    nss_SetError(NSS_ERROR_INVALID_STRING);
+    return (NSSPKIXTime *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXTime_CreateFromUTF8(arenaOpt, utf8);
+}
diff --git a/security/nss/lib/pkix/src/Time/Decode.c b/security/nss/lib/pkix/src/Time/Decode.c
new file mode 100644
index 000000000..948dc0b93
--- /dev/null
+++ b/security/nss/lib/pkix/src/Time/Decode.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXTime_Decode
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTime upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXTime *
+NSSPKIXTime_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXTime *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
+    return (NSSPKIXTime *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXTime_Decode(arenaOpt, ber);
+}
diff --git a/security/nss/lib/pkix/src/Time/Destroy.c b/security/nss/lib/pkix/src/Time/Destroy.c
new file mode 100644
index 000000000..d694850ef
--- /dev/null
+++ b/security/nss/lib/pkix/src/Time/Destroy.c
@@ -0,0 +1,62 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXTime_Destroy
+ *
+ */
+
+NSS_IMPLEMENT PR_STATUS
+NSSPKIXTime_Destroy
+(
+  NSSPKIXTime *time
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXTime_verifyPointer(time) ) {
+    return PR_FAILURE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXTime_Destroy(time);
+}
diff --git a/security/nss/lib/pkix/src/Time/Duplicate.c b/security/nss/lib/pkix/src/Time/Duplicate.c
new file mode 100644
index 000000000..dee6f61e9
--- /dev/null
+++ b/security/nss/lib/pkix/src/Time/Duplicate.c
@@ -0,0 +1,69 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXTime_Duplicate
+ *
+ */
+
+NSS_IMPLEMENT NSSPKIXTime *
+NSSPKXITime_Duplicate
+(
+  NSSPKIXTime *time,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXTime_verifyPointer(time) ) {
+    return (NSSPKXITime *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXTime *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXTime_Duplicate(time, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/Time/Encode.c b/security/nss/lib/pkix/src/Time/Encode.c
new file mode 100644
index 000000000..9063e4f3a
--- /dev/null
+++ b/security/nss/lib/pkix/src/Time/Encode.c
@@ -0,0 +1,71 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXTime_Encode
+ *
+ */
+
+NSS_IMPLEMENT NSSBER *
+NSSPKIXTime_Encode
+(
+  NSSPKIXTime *time,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXTime_verifyPointer(time) ) {
+    return (NSSBER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSBER *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXTime_Encode(time, encoding, rvOpt, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/Time/Equal.c b/security/nss/lib/pkix/src/Time/Equal.c
new file mode 100644
index 000000000..4ed05acd5
--- /dev/null
+++ b/security/nss/lib/pkix/src/Time/Equal.c
@@ -0,0 +1,74 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXTime_Equal
+ *
+ */
+
+NSS_IMPLEMENT PRBool
+NSSPKXITime_Equal
+(
+  NSSPKXITime *time1,
+  NSSPKXITime *time2,
+  PRStatus *statusOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXTime_verifyPointer(time1) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+
+  if( PR_SUCCESS != nssPKIXTime_verifyPointer(time2) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXTime_Equal(time1, time2, statusOpt);
+}
diff --git a/security/nss/lib/pkix/src/Time/GetPRTime.c b/security/nss/lib/pkix/src/Time/GetPRTime.c
new file mode 100644
index 000000000..5871a482d
--- /dev/null
+++ b/security/nss/lib/pkix/src/Time/GetPRTime.c
@@ -0,0 +1,64 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXTime_GetPRTime
+ *
+ * Returns a zero on error
+ */
+
+NSS_IMPLEMENT PRTime
+NSSPKIXTime_GetPRTime
+(
+  NSSPKIXTime *time,
+  PRStatus *statusOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXTime_verifyPointer(time) ) {
+    return (PRTime)0;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXTime_GetPRTime(time, statusOpt);
+}
diff --git a/security/nss/lib/pkix/src/Time/GetUTF8Encoding.c b/security/nss/lib/pkix/src/Time/GetUTF8Encoding.c
new file mode 100644
index 000000000..7fc383b81
--- /dev/null
+++ b/security/nss/lib/pkix/src/Time/GetUTF8Encoding.c
@@ -0,0 +1,69 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXTime_GetUTF8Encoding
+ *
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+NSSPKXITime_GetUTF8Encoding
+(
+  NSSPKIXTime *time,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXTime_verifyPointer(time) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXTime_GetUTF8Encoding(time, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/Time/PCreateFromPRTime.c b/security/nss/lib/pkix/src/Time/PCreateFromPRTime.c
new file mode 100644
index 000000000..13805e65d
--- /dev/null
+++ b/security/nss/lib/pkix/src/Time/PCreateFromPRTime.c
@@ -0,0 +1,117 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXTime_CreateFromPRTime
+ *
+ */
+
+NSS_IMPLEMENT NSSPKIXTime *
+nssPKIXTime_CreateFromPRTime
+(
+  NSSArena *arenaOpt,
+  PRTime prTime
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXTime *rv = (NSSPKIXTime *)NULL;
+  PRStatus status;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXTime *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXTime);
+  if( (NSSPKIXTime *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+
+  rv->prTime = prTime;
+  rv->prTimeValid = PR_TRUE;
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_Time_add_pointer(rv) ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXTime *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/Time/PCreateFromUTF8.c b/security/nss/lib/pkix/src/Time/PCreateFromUTF8.c
new file mode 100644
index 000000000..1a15639ed
--- /dev/null
+++ b/security/nss/lib/pkix/src/Time/PCreateFromUTF8.c
@@ -0,0 +1,121 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXTime_CreateFromUTF8
+ *
+ */
+
+NSS_IMPLEMENT NSSPKIXTime *
+nssPKIXTime_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXTime *rv = (NSSPKIXTime *)NULL;
+  PRStatus status;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXTime *)NULL;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL == utf8 ) {
+    nss_SetError(NSS_ERROR_INVALID_STRING);
+    return (NSSPKIXTime *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXTime);
+  if( (NSSPKIXTime *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+
+  /* fgmr base on nspr's pl implementation? */
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_Time_add_pointer(rv) ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXTime *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/Time/PDecode.c b/security/nss/lib/pkix/src/Time/PDecode.c
new file mode 100644
index 000000000..385665468
--- /dev/null
+++ b/security/nss/lib/pkix/src/Time/PDecode.c
@@ -0,0 +1,137 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXTime_Decode
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXTime upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXTime *
+nssPKIXTime_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+)
+{
+  NSSArena *arena;
+  PRBool arena_allocated = PR_FALSE;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  NSSPKIXTime *rv = (NSSPKIXTime *)NULL;
+  PRStatus status;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXTime *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
+    return (NSSPKIXTime *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    arena = nssArena_Create();
+    if( (NSSArena *)NULL == arena ) {
+      goto loser;
+    }
+    arena_allocated = PR_TRUE;
+  } else {
+    arena = arenaOpt;
+    mark = nssArena_Mark(arena);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arena, NSSPKIXTime);
+  if( (NSSPKIXTime *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->arena = arena;
+  rv->i_allocated_arena = arena_allocated;
+  rv->ber = nssItem_Duplicate(ber, arena, (NSSItem *)NULL);
+  if( (NSSItem *)NULL == rv->ber ) {
+    goto loser;
+  }
+
+  status = nssASN1_DecodeBER(arena, rv, nssPKIXTime_template, ber);
+  if( PR_SUCCESS != status ) {
+    goto loser;
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arena, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_Time_add_pointer(rv) ) {
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arena, mark);
+  }
+
+  if( PR_TRUE == arena_allocated ) {
+    (void)nssArena_Destroy(arena);
+  }
+
+  return (NSSPKIXTime *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/Time/PDestroy.c b/security/nss/lib/pkix/src/Time/PDestroy.c
new file mode 100644
index 000000000..973974b51
--- /dev/null
+++ b/security/nss/lib/pkix/src/Time/PDestroy.c
@@ -0,0 +1,68 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXTime_Destroy
+ *
+ */
+
+NSS_IMPLEMENT PR_STATUS
+nssPKIXTime_Destroy
+(
+  NSSPKIXTime *time
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXTime_verifyPointer(time) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+#ifdef DEBUG
+  (void)nss_pkix_Time_remove_pointer(time);
+#endif /* DEBUG */
+
+  if( PR_TRUE == time->i_allocated_arena ) {
+    return nssArena_Destroy(time->arena);
+  }
+
+  return PR_SUCCESS;
+}
diff --git a/security/nss/lib/pkix/src/Time/PEncode.c b/security/nss/lib/pkix/src/Time/PEncode.c
new file mode 100644
index 000000000..8904fac50
--- /dev/null
+++ b/security/nss/lib/pkix/src/Time/PEncode.c
@@ -0,0 +1,66 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXTime_Encode
+ *
+ */
+
+NSS_IMPLEMENT NSSBER *
+nssPKIXTime_Encode
+(
+  NSSPKIXTime *time,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXTime_verifyPointer(time) ) {
+    return (NSSBER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSBER *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
diff --git a/security/nss/lib/pkix/src/Time/template.c b/security/nss/lib/pkix/src/Time/template.c
new file mode 100644
index 000000000..38c4f3c78
--- /dev/null
+++ b/security/nss/lib/pkix/src/Time/template.c
@@ -0,0 +1,54 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+/*
+ * nssPKIXTime_template
+ *
+ */
+
+const nssASN1Template nssPKIXTime_template[] = {
+  { nssASN1_INLINE, offsetof(NSSPKIXTime, asn1item), 
+    nssASN1Template_Any, sizeof(NSSPKIXTime) }
+};
diff --git a/security/nss/lib/pkix/src/X520Name/CreateFromUTF8.c b/security/nss/lib/pkix/src/X520Name/CreateFromUTF8.c
new file mode 100644
index 000000000..84df20054
--- /dev/null
+++ b/security/nss/lib/pkix/src/X520Name/CreateFromUTF8.c
@@ -0,0 +1,105 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXX520Name_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520Name upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXX520Name *
+NSSPKIXX520Name_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+)
+{
+  PRStatus status = PR_SUCCESS;
+  PRUint32 length;
+  nss_ClearErrorStack();
+  
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXX520Name *)NULL;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL == utf8 ) {
+    nss_SetError(NSS_ERROR_INVALID_STRING);
+    return (NSSPKIXX520Name *)NULL;
+  }
+#endif /* DEBUG */
+
+  length = nssUTF8_Length(utf8, &status); 
+  if( PR_SUCCESS != status ) {
+    if( NSS_ERROR_VALUE_TOO_LARGE == NSS_GetError() ) {
+      nss_SetError(NSS_ERROR_STRING_TOO_LONG);
+    }
+    return (NSSPKIXX520Name *)NULL;
+  }
+
+  if( (length < 1 ) || (length > NSSPKIXX520Name_MAXIMUM_LENGTH) ) {
+    nss_SetError(NSS_ERROR_STRING_TOO_LONG);
+  }
+
+  return nssPKIXX520Name_CreateFromUTF8(arenaOpt, utf8);
+}
+
+/*
+ * NSSPKIXX520Name_MAXIMUM_LENGTH
+ *
+ * From RFC 2459:
+ *
+ *  ub-name INTEGER ::=     32768
+ */
+
+const PRUint32 NSSPKIXX520Name_MAXIMUM_LENGTH = 32768;
diff --git a/security/nss/lib/pkix/src/X520Name/Decode.c b/security/nss/lib/pkix/src/X520Name/Decode.c
new file mode 100644
index 000000000..ac59d5598
--- /dev/null
+++ b/security/nss/lib/pkix/src/X520Name/Decode.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXX520Name_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520Name upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXX520Name *
+NSSPKIXX520Name_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttribute *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
+    return (NSSPKIXAttribute *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXX520Name_Decode(arenaOpt, ber);
+}
diff --git a/security/nss/lib/pkix/src/X520Name/Destroy.c b/security/nss/lib/pkix/src/X520Name/Destroy.c
new file mode 100644
index 000000000..49037d3b4
--- /dev/null
+++ b/security/nss/lib/pkix/src/X520Name/Destroy.c
@@ -0,0 +1,70 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXX520Name_Destroy
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT NSSDER *
+NSSPKIXX520Name_Destroy
+(
+  NSSPKIXX520Name *name
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name) ) {
+    return (NSSDER *)NULL;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXX520Name_Destroy(name);
+}
diff --git a/security/nss/lib/pkix/src/X520Name/Duplicate.c b/security/nss/lib/pkix/src/X520Name/Duplicate.c
new file mode 100644
index 000000000..bcb4b5a2b
--- /dev/null
+++ b/security/nss/lib/pkix/src/X520Name/Duplicate.c
@@ -0,0 +1,79 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXX520Name_Duplicate
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520Name upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXX520Name *
+NSSPKIXX520Name_Duplicate
+(
+  NSSPKIXX520Name *name,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name) ) {
+    return (NSSPKIXAttribute *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttribute *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXX520Name_Duplicate(name, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/X520Name/Encode.c b/security/nss/lib/pkix/src/X520Name/Encode.c
new file mode 100644
index 000000000..83cfd5442
--- /dev/null
+++ b/security/nss/lib/pkix/src/X520Name/Encode.c
@@ -0,0 +1,80 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXX520Name_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSBER *
+NSSPKIXX520Name_Encode
+(
+  NSSPKIXX520Name *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name) ) {
+    return (NSSBER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSBER *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXX520Name_Encode(name, encoding, rvOpt, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/X520Name/Equal.c b/security/nss/lib/pkix/src/X520Name/Equal.c
new file mode 100644
index 000000000..75842e8f5
--- /dev/null
+++ b/security/nss/lib/pkix/src/X520Name/Equal.c
@@ -0,0 +1,83 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXX520Name_Equal
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+NSSPKIXX520Name_Equal
+(
+  NSSPKIXX520Name *name1,
+  NSSPKIXX520Name *name2,
+  PRStatus *statusOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name1) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+
+  if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name2) ) {
+    if( (PRStatus *)NULL != statusOpt ) {
+      *statusOpt = PR_FAILURE;
+    }
+    return PR_FALSE;
+  }
+#endif /* DEBUG */
+
+  return nssPKIXX520Name_Equal(name1, name2, statusOpt);
+}
diff --git a/security/nss/lib/pkix/src/X520Name/GetUTF8Encoding.c b/security/nss/lib/pkix/src/X520Name/GetUTF8Encoding.c
new file mode 100644
index 000000000..2e42124eb
--- /dev/null
+++ b/security/nss/lib/pkix/src/X520Name/GetUTF8Encoding.c
@@ -0,0 +1,78 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * NSSPKIXX520Name_GetUTF8Encoding
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSDER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+NSSPKIXX520Name_GetUTF8Encoding
+(
+  NSSPKIXX520Name *name,
+  NSSArena *arenaOpt
+)
+{
+  nss_ClearErrorStack();
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* DEBUG */
+
+  return nssPKIXX520Name_GetUTF8Encoding(name, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/X520Name/MDoUTF8.c b/security/nss/lib/pkix/src/X520Name/MDoUTF8.c
new file mode 100644
index 000000000..69cbf691e
--- /dev/null
+++ b/security/nss/lib/pkix/src/X520Name/MDoUTF8.c
@@ -0,0 +1,97 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIXM_H
+#include "pkixm.h"
+#endif /* PKIXM_H */
+
+/*
+ * nss_pkix_X520Name_DoUTF8
+ *
+ */
+
+NSS_IMPLEMENT PR_STATUS
+nss_pkix_X520Name_DoUTF8
+(
+  NSSPKIXX520Name *name
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSUTF8 *)NULL == name->utf8 ) {
+    PRUint8 tag = (*(PRUint8 *)name->string.data) & nssASN1_TAG_MASK;
+    nssStringType type;
+    void *data = (void *)&((PRUint8 *)name->string.data)[1];
+    PRUint32 size = name->string.size-1;
+
+    switch( tag ) {
+    case nssASN1_TELETEX_STRING:
+      type = nssStringType_TeletexString;
+      break;
+    case nssASN1_PRINTABLE_STRING:
+      type = nssStringType_PrintableString;
+      break;
+    case nssASN1_UNIVERSAL_STRING:
+      type = nssStringType_UniversalString;
+      break;
+    case nssASN1_BMP_STRING:
+      type = nssStringType_BMPString;
+      break;
+    case nssASN1_UTF8_STRING:
+      type = nssStringType_UTF8String;
+      break;
+    default:
+      nss_SetError(NSS_ERROR_INVALID_BER);
+      return PR_FAILURE;
+    }
+
+    name->utf8 = nssUTF8_Create(arenaOpt, type, data, size);
+    if( (NSSUTF8 *)NULL == name->utf8 ) {
+      return PR_FAILURE;
+    }
+
+    if( nssASN1_PRINTABLE_STRING == tag ) {
+      name->wasPrintable = PR_TRUE;
+    }
+  }
+
+  return PR_SUCCESS;
+}
diff --git a/security/nss/lib/pkix/src/X520Name/PCreate.c b/security/nss/lib/pkix/src/X520Name/PCreate.c
new file mode 100644
index 000000000..c507a8f75
--- /dev/null
+++ b/security/nss/lib/pkix/src/X520Name/PCreate.c
@@ -0,0 +1,169 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXX520Name_Create
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_STRING_TYPE
+ *  NSS_ERROR_INVALID_ITEM
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520Name upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXX520Name *
+nssPKIXX520Name_Create
+(
+  NSSArena *arenaOpt,
+  nssStringType type,
+  NSSItem *data
+)
+{
+  NSSPKIXX520Name *rv = (NSSPKIXX520Name *)NULL;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXX520Name *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(data) ) {
+    return (NSSPKIXX520Name *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  switch( type ) {
+  case nssStringType_TeletexString:
+  case nssStringType_PrintableString:
+  case nssStringType_UniversalString:
+  case nssStringType_UTF8String:
+  case nssStringType_BMPString:
+    break;
+  default:
+    nss_SetError(NSS_ERROR_INVALID_STRING_TYPE);
+    goto loser;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    mark = nssArena_Mark(arenaOpt);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arenaOpt, NSSPKIXX520Name);
+  if( (NSSPKIXX520Name *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->utf8 = nssUTF8_Create(arenaOpt, type, data->data, data->size);
+  if( (NSSUTF8 *)NULL == rv->utf8 ) {
+    goto loser;
+  }
+
+  if( nssStringType_PrintableString == type ) {
+    rv->wasPrintable = PR_TRUE;
+  }
+
+  rv->der = nssUTF8_GetDEREncoding(arenaOpt, type, rv->utf8);
+  if( (NSSDER *)NULL == rv->der ) {
+    goto loser;
+  }
+
+  rv->string.size = rv->der->size;
+  rv->string.data = nss_ZAlloc(arenaOpt, rv->string.size);
+  if( (void *)NULL == rv->string.data ) {
+    goto loser;
+  }
+
+  (void)nsslibc_memcpy(rv->string.data, rv->der->data, rv->string.size);
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    rv->inArena = PR_TRUE;
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arenaOpt, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_X520Name_add_pointer(rv) ) {
+    goto loser;
+  }
+
+  if( PR_SUCCESS != nssArena_registerDestructor(arena, 
+        nss_pkix_X520Name_remove_pointer, rv) ) {
+    (void)nss_pkix_X520Name_remove_pointer(rv);
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arenaOpt, mark);
+  }
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    if( (NSSPKIXX520Name *)NULL != rv ) {
+      if( (NSSDER *)NULL != rv->der ) {
+        nss_ZFreeIf(rv->der->data);
+        nss_ZFreeIf(rv->der);
+      }
+
+      nss_ZFreeIf(rv->string.data);
+      nss_ZFreeIf(rv->utf8);
+      nss_ZFreeIf(rv);
+    }
+  }
+
+  return (NSSPKIXX520Name *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/X520Name/PCreateFromUTF8.c b/security/nss/lib/pkix/src/X520Name/PCreateFromUTF8.c
new file mode 100644
index 000000000..0459f8c51
--- /dev/null
+++ b/security/nss/lib/pkix/src/X520Name/PCreateFromUTF8.c
@@ -0,0 +1,164 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXX520Name_CreateFromUTF8
+ *
+ * { basically just enforces the length limit }
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520Name upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXX520Name *
+nssPKIXX520Name_CreateFromUTF8
+(
+  NSSArena *arenaOpt,
+  NSSUTF8 *utf8
+)
+{
+  NSSPKIXX520Name *rv = (NSSPKIXX520Name *)NULL;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXX520Name *)NULL;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL == utf8 ) {
+    nss_SetError(NSS_ERROR_INVALID_STRING);
+    return (NSSPKIXX520Name *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    mark = nssArena_Mark(arenaOpt);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arenaOpt, NSSPKIXX520Name);
+  if( (NSSPKIXX520Name *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->utf8 = nssUTF8_Duplicate(utf8, arenaOpt);
+  if( (NSSUTF8 *)NULL == rv->utf8 ) {
+    goto loser;
+  }
+
+  /*
+   * RFC 2459 states (s. 4.1.2.4) that certificates issued after
+   * 2003-12-31 MUST encode strings as UTF8Strings, and until
+   * then they may be encoded as PrintableStrings, BMPStrings,
+   * or UTF8Strings (when the character sets allow).  However, it
+   * specifically notes that even before 2003-12-31, strings may
+   * be encoded as UTF8Strings.  So unless something important
+   * breaks, I'll do UTF8Strings.
+   */
+
+  rv->der = nssUTF8_GetDEREncoding(arenaOpt, nssStringType_UTF8String, 
+                                   utf8);
+  if( (NSSDER *)NULL == rv->der ) {
+    goto loser;
+  }
+
+  rv->string.size = rv->der->size;
+  rv->string.data = nss_ZAlloc(arenaOpt, rv->string.size);
+  if( (void *)NULL == rv->string.data ) {
+    goto loser;
+  }
+
+  (void)nsslibc_memcpy(rv->string.data, rv->der->size, rv->string.size);
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    rv->inArena = PR_TRUE;
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arenaOpt, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_X520Name_add_pointer(rv) ) {
+    goto loser;
+  }
+
+  if( PR_SUCCESS != nssArena_registerDestructor(arena, 
+        nss_pkix_X520Name_remove_pointer, rv) ) {
+    (void)nss_pkix_X520Name_remove_pointer(rv);
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arenaOpt, mark);
+  }
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    if( (NSSPKIXX520Name *)NULL != rv ) {
+      if( (NSSDER *)NULL != rv->der ) {
+        nss_ZFreeIf(rv->der->data);
+        nss_ZFreeIf(rv->der);
+      }
+
+      nss_ZFreeIf(rv->string.data);
+      nss_ZFreeIf(rv->utf8);
+      nss_ZFreeIf(rv);
+    }
+  }
+
+  return (NSSPKIXX520Name *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/X520Name/PDecode.c b/security/nss/lib/pkix/src/X520Name/PDecode.c
new file mode 100644
index 000000000..8228c8db4
--- /dev/null
+++ b/security/nss/lib/pkix/src/X520Name/PDecode.c
@@ -0,0 +1,135 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXX520Name_Decode
+ *
+ * -- fgmr comments --
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_BER
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520Name upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXX520Name *
+nssPKIXX520Name_Decode
+(
+  NSSArena *arenaOpt,
+  NSSBER *ber
+)
+{
+  NSSPKIXX520Name *rv = (NSSPKIXX520Name *)NULL;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+  PRStatus status;
+
+#ifdef NSSDEBUG
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttribute *)NULL;
+    }
+  }
+
+  if( PR_SUCCESS != nssItem_verifyPointer(ber) ) {
+    return (NSSPKIXAttribute *)NULL;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    mark = nssArena_Mark(arenaOpt);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arenaOpt, NSSPKIXX520Name);
+  if( (NSSPKIXX520Name *)NULL == rv ) {
+    goto loser;
+  }
+
+  status = nssASN1_DecodeBER(arenaOpt, rv, nssPKIXX520_template, ber);
+  if( PR_SUCCESS != status ) {
+    goto loser;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    rv->inArena = PR_TRUE;
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arenaOpt, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_X520Name_add_pointer(rv) ) {
+    goto loser;
+  }
+
+  if( PR_SUCCESS != nssArena_registerDestructor(arena, 
+        nss_pkix_X520Name_remove_pointer, rv) ) {
+    (void)nss_pkix_X520Name_remove_pointer(rv);
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arenaOpt, mark);
+  }
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    if( (NSSPKIXX520Name *)NULL != rv ) {
+      nss_ZFreeIf(rv->string.data);
+      nss_ZFreeIf(rv->utf8);
+      nss_ZFreeIf(rv);
+    }
+  }
+
+  return (NSSPKIXX520Name *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/X520Name/PDestroy.c b/security/nss/lib/pkix/src/X520Name/PDestroy.c
new file mode 100644
index 000000000..9a9bdaaa2
--- /dev/null
+++ b/security/nss/lib/pkix/src/X520Name/PDestroy.c
@@ -0,0 +1,87 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXX520Name_Destroy
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_EXTERN NSSDER *
+nssPKIXX520Name_Destroy
+(
+  NSSPKIXX520Name *name
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name) ) {
+    return PR_FAILURE;
+  }
+#endif /* NSSDEBUG */
+
+  if( PR_TRUE != name->inArena ) {
+    /*
+     * Note that inArena is merely a hint.  If this object was
+     * created passively, this flag will be NULL no matter if
+     * it was in an arena or not.  However, you may safely
+     * (try to) free memory in an NSSArena, so this isn't a
+     * problem.
+     */
+
+    if( (NSSDER *)NULL != name->der ) {
+      nss_ZFreeIf(name->der->data);
+      nss_ZFreeIf(name->der);
+    }
+
+    nss_ZFreeIf(name->utf8);
+    nss_ZFreeIf(name->string.data);
+    nss_ZFreeIf(name);
+  }
+
+  return PR_SUCCESS;
+}
diff --git a/security/nss/lib/pkix/src/X520Name/PDuplicate.c b/security/nss/lib/pkix/src/X520Name/PDuplicate.c
new file mode 100644
index 000000000..a2b6d7e53
--- /dev/null
+++ b/security/nss/lib/pkix/src/X520Name/PDuplicate.c
@@ -0,0 +1,158 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXX520Name_Duplicate
+ *
+ * 
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INVALID_ARENA
+ * 
+ * Return value:
+ *  A valid pointer to an NSSPKIXX520Name upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSPKIXX520Name *
+nssPKIXX520Name_Duplicate
+(
+  NSSPKIXX520Name *name,
+  NSSArena *arenaOpt
+)
+{
+  NSSPKIXX520Name *rv = (NSSPKIXX520Name *)NULL;
+  nssArenaMark *mark = (nssArenaMark *)NULL;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name) ) {
+    return (NSSPKIXAttribute *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSPKIXAttribute *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    mark = nssArena_Mark(arenaOpt);
+    if( (nssArenaMark *)NULL == mark ) {
+      goto loser;
+    }
+  }
+
+  rv = nss_ZNEW(arenaOpt, NSSPKIXX520Name);
+  if( (NSSPKIXX520Name *)NULL == rv ) {
+    goto loser;
+  }
+
+  rv->string.size = name->string.size;
+  rv->string.data = nss_ZAlloc(arenaOpt, name->string.size);
+  if( (void *)NULL == rv->string.data ) {
+    goto loser;
+  }
+
+  (void)nsslibc_memcpy(rv->string.data, name->string.data, name->string.size);
+
+  if( (NSSUTF8 *)NULL != name->utf8 ) {
+    rv->utf8 = nssUTF8_Duplicate(name->utf8, arenaOpt);
+    if( (NSSUTF8 *)NULL == rv->utf8 ) {
+      goto loser;
+    }
+  }
+
+  if( (NSSDER *)NULL != name->der ) {
+    rv->der = nssItem_Duplicate(name->der, arenaOpt, (NSSItem *)NULL);
+    if( (NSSDER *)NULL == rv->der ) {
+      goto loser;
+    }
+  }
+
+  rv->wasPrintable = name->wasPrintable;
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    rv->inArena = PR_TRUE;
+  }
+
+  if( (nssArenaMark *)NULL != mark ) {
+    if( PR_SUCCESS != nssArena_Unmark(arenaOpt, mark) ) {
+      goto loser;
+    }
+  }
+
+#ifdef DEBUG
+  if( PR_SUCCESS != nss_pkix_X520Name_add_pointer(rv) ) {
+    goto loser;
+  }
+
+  if( PR_SUCCESS != nssArena_registerDestructor(arena, 
+        nss_pkix_X520Name_remove_pointer, rv) ) {
+    (void)nss_pkix_X520Name_remove_pointer(rv);
+    goto loser;
+  }
+#endif /* DEBUG */
+
+  return rv;
+
+ loser:
+  if( (nssArenaMark *)NULL != mark ) {
+    (void)nssArena_Release(arenaOpt, mark);
+  }
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    if( (NSSPKIXX520Name *)NULL != rv ) {
+      if( (NSSDER *)NULL != rv->der ) {
+        nss_ZFreeIf(rv->der->data);
+        nss_ZFreeIf(rv->der);
+      }
+
+      nss_ZFreeIf(rv->string.data);
+      nss_ZFreeIf(rv->utf8);
+      nss_ZFreeIf(rv);
+    }
+  }
+
+  return (NSSPKIXX520Name *)NULL;
+}
diff --git a/security/nss/lib/pkix/src/X520Name/PEncode.c b/security/nss/lib/pkix/src/X520Name/PEncode.c
new file mode 100644
index 000000000..d9f001bae
--- /dev/null
+++ b/security/nss/lib/pkix/src/X520Name/PEncode.c
@@ -0,0 +1,93 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXX520Name_Encode
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSBER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSBER *
+nssPKIXX520Name_Encode
+(
+  NSSPKIXX520Name *name,
+  NSSASN1EncodingType encoding,
+  NSSBER *rvOpt,
+  NSSArena *arenaOpt
+)
+{
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name) ) {
+    return (NSSBER *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSBER *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSDER *)NULL == name->der ) {
+    /* XXX fgmr */
+    if( (NSSUTF8 *)NULL == name->utf8 ) {
+      if( PR_SUCCESS != nss_pkix_X520Name_DoUTF8(name) ) {
+        return (NSSBER *)NULL;
+      }
+    }
+
+    rv->der = nssUTF8_GetDEREncoding(arenaOpt, type, rv->utf8);
+    if( (NSSDER *)NULL == rv->der ) {
+      return (NSSBER *)NULL;
+    }
+  }
+
+  return nssItem_Duplicate(name->der, arenaOpt, rvOpt);
+}
diff --git a/security/nss/lib/pkix/src/X520Name/PEqual.c b/security/nss/lib/pkix/src/X520Name/PEqual.c
new file mode 100644
index 000000000..9ebe75005
--- /dev/null
+++ b/security/nss/lib/pkix/src/X520Name/PEqual.c
@@ -0,0 +1,100 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXX520Name_Equal
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *
+ * Return value:
+ *  PR_TRUE if the two objects have equal values
+ *  PR_FALSE otherwise
+ *  PR_FALSE upon error
+ */
+
+NSS_IMPLEMENT PRBool
+nssPKIXX520Name_Equal
+(
+  NSSPKIXX520Name *name1,
+  NSSPKIXX520Name *name2,
+  PRStatus *statusOpt
+)
+{
+  PRBool rv;
+
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name1) ) {
+    goto loser;
+  }
+
+  if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name2) ) {
+    goto loser;
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSUTF8 *)NULL == name1->utf8 ) {
+    if( PR_SUCCESS != nss_pkix_X520Name_DoUTF8(name1) ) {
+      goto loser;
+    }
+  }
+
+  if( (NSSUTF8 *)NULL == name2->utf8 ) {
+    if( PR_SUCCESS != nss_pkix_X520Name_DoUTF8(name2) ) {
+      goto loser;
+    }
+  }
+
+  if( (PR_TRUE == name1->wasPrintable) && (PR_TRUE == name2->wasPrintable) ) {
+    return nssUTF8_PrintableMatch(name1->utf8, name2->utf8, statusOpt);
+  }
+
+  return nssUTF8_Equal(name1->utf8, name2->utf8, statusOpt);
+
+ loser:
+  if( (PRStatus *)NULL != statusOpt ) {
+    *statusOpt = PR_FAILURE;
+  }
+
+  return PR_FALSE;
+}
diff --git a/security/nss/lib/pkix/src/X520Name/PGetUTF8Encoding.c b/security/nss/lib/pkix/src/X520Name/PGetUTF8Encoding.c
new file mode 100644
index 000000000..b023b1fea
--- /dev/null
+++ b/security/nss/lib/pkix/src/X520Name/PGetUTF8Encoding.c
@@ -0,0 +1,82 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+/*
+ * nssPKIXX520Name_GetUTF8Encoding
+ *
+ *
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_X520_NAME
+ *  NSS_ERROR_NO_MEMORY
+ *
+ * Return value:
+ *  A valid NSSDER pointer upon success
+ *  NULL upon failure
+ */
+
+NSS_IMPLEMENT NSSUTF8 *
+nssPKIXX520Name_GetUTF8Encoding
+(
+  NSSPKIXX520Name *name,
+  NSSArena *arenaOpt
+)
+{
+#ifdef NSSDEBUG
+  if( PR_SUCCESS != nssPKIXX520Name_verifyPointer(name) ) {
+    return (NSSUTF8 *)NULL;
+  }
+
+  if( (NSSArena *)NULL != arenaOpt ) {
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+#endif /* NSSDEBUG */
+
+  if( (NSSUTF8 *)NULL == name->utf8 ) {
+    if( PR_SUCCESS != nss_pkix_X520Name_DoUTF8(name) ) {
+      return (NSSUTF8 *)NULL;
+    }
+  }
+  
+  return nssUTF8_Duplicate(rv->utf8, arenaOpt);
+}
diff --git a/security/nss/lib/pkix/src/X520Name/template.c b/security/nss/lib/pkix/src/X520Name/template.c
new file mode 100644
index 000000000..63f18e724
--- /dev/null
+++ b/security/nss/lib/pkix/src/X520Name/template.c
@@ -0,0 +1,56 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIX_H
+#include "pkix.h"
+#endif /* PKIX_H */
+
+#ifndef ASN1_H
+#include "asn1.h"
+#endif /* ASN1_H */
+
+/*
+ * nssPKIXX520Name_template
+ *
+ *
+ */
+
+const nssASN1Template nssPKIXX520Name_template[] = {
+  { nssASN1_ANY, offsetof(NSSPKIXX520Name, string), NULL, 
+    sizeof(NSSPKIXX520Name) },
+  { 0 }
+};
diff --git a/security/nss/lib/pkix/src/X520Name/verifyPointer.c b/security/nss/lib/pkix/src/X520Name/verifyPointer.c
new file mode 100644
index 000000000..9e447797d
--- /dev/null
+++ b/security/nss/lib/pkix/src/X520Name/verifyPointer.c
@@ -0,0 +1,169 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $Source$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#ifndef PKIXM_H
+#include "pkixm.h"
+#endif /* PKIXM_H */
+
+#ifdef DEBUG
+
+extern const NSSError NSS_ERROR_INTERNAL_ERROR;
+
+static nssPointerTracker pkix_x520_name_pointer_tracker;
+
+/*
+ * nss_pkix_X520Name_add_pointer
+ *
+ * This method is only present in debug builds.
+ *
+ * This module-private routine adds an NSSPKIXX520Name pointer to
+ * the internal pointer-tracker.  This routine should only be used 
+ * by the NSSPKIX module.  This routine returns a PRStatus value; 
+ * upon error it will place an error on the error stack and return 
+ * PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_NO_MEMORY
+ *  NSS_ERROR_INTERNAL_ERROR
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_pkix_X520Name_add_pointer
+(
+  const NSSPKIXX520Name *p
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&pkix_x520_name_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return rv;
+  }
+
+  rv = nssPointerTracker_add(&pkix_x520_name_pointer_tracker, p);
+  if( PR_SUCCESS != rv ) {
+    NSSError e = NSS_GetError();
+    if( NSS_ERROR_NO_MEMORY != e ) {
+      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    }
+
+    return rv;
+  }
+
+  return PR_SUCCESS;
+}
+
+/*
+ * nss_pkix_X520Name_remove_pointer
+ *
+ * This method is only present in debug builds.
+ *
+ * This module-private routine removes a valid NSSPKIXX520Name
+ * pointer from the internal pointer-tracker.  This routine should 
+ * only be used by the NSSPKIX module.  This routine returns a 
+ * PRStatus value; upon error it will place an error on the error 
+ * stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INTERNAL_ERROR
+ *
+ * Return value:
+ *  PR_SUCCESS upon success
+ *  PR_FAILURE upon failure
+ */
+
+NSS_IMPLEMENT PRStatus
+nss_pkix_X520Name_remove_pointer
+(
+  const NSSPKIXX520Name *p
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_remove(&pkix_x520_name_pointer_tracker, p);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  }
+
+  return rv;
+}
+
+/*
+ * nssPKIXX520Name_verifyPointer
+ *
+ * This method is only present in debug builds.
+ *
+ * If the specified pointer is a valid pointer to an NSSPKIXX520Name
+ * object, this routine will return PR_SUCCESS.  Otherwise, it will 
+ * put an error on the error stack and return PR_FAILURE.
+ *
+ * The error may be one of the following values:
+ *  NSS_ERROR_INVALID_PKIX_X520_NAME
+ *
+ * Return value:
+ *  PR_SUCCESS if the pointer is valid
+ *  PR_FAILURE if it isn't
+ */
+
+NSS_IMPLEMENT PRStatus
+nssPKIXX520Name_verifyPointer
+(
+  NSSPKIXX520Name *p
+)
+{
+  PRStatus rv;
+
+  rv = nssPointerTracker_initialize(&pkix_x520_name_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_PKIX_X520_NAME);
+    return PR_FAILURE;
+  }
+
+  rv = nssPointerTracker_verify(&pkix_x520_name_pointer_tracker, p);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_PKIX_X520_NAME);
+    return PR_FAILURE;
+  }
+
+  return PR_SUCCESS;
+}
+
+#endif /* DEBUG */
diff --git a/security/nss/lib/smime/Makefile b/security/nss/lib/smime/Makefile
new file mode 100644
index 000000000..cb85677bc
--- /dev/null
+++ b/security/nss/lib/smime/Makefile
@@ -0,0 +1,76 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+
diff --git a/security/nss/lib/smime/cms.h b/security/nss/lib/smime/cms.h
new file mode 100644
index 000000000..f2f50a654
--- /dev/null
+++ b/security/nss/lib/smime/cms.h
@@ -0,0 +1,1082 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Interfaces of the CMS implementation.
+ *
+ * $Id$
+ */
+
+#ifndef _CMS_H_
+#define _CMS_H_
+
+#include "seccomon.h"
+
+#include "secoidt.h"
+#include "certt.h"
+#include "keyt.h"
+#include "hasht.h"
+#include "cmst.h"
+
+/************************************************************************/
+SEC_BEGIN_PROTOS
+
+/************************************************************************
+ * cmsdecode.c - CMS decoding
+ ************************************************************************/
+
+/*
+ * NSS_CMSDecoder_Start - set up decoding of a DER-encoded CMS message
+ *
+ * "poolp" - pointer to arena for message, or NULL if new pool should be created
+ * "cb", "cb_arg" - callback function and argument for delivery of inner content
+ *                  inner content will be stored in the message if cb is NULL.
+ * "pwfn", pwfn_arg" - callback function for getting token password
+ * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
+ */
+extern NSSCMSDecoderContext *
+NSS_CMSDecoder_Start(PRArenaPool *poolp,
+		      NSSCMSContentCallback cb, void *cb_arg,
+		      PK11PasswordFunc pwfn, void *pwfn_arg,
+		      NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg);
+
+/*
+ * NSS_CMSDecoder_Update - feed DER-encoded data to decoder
+ */
+extern SECStatus
+NSS_CMSDecoder_Update(NSSCMSDecoderContext *p7dcx, const char *buf, unsigned long len);
+
+/*
+ * NSS_CMSDecoder_Cancel - cancel a decoding process
+ */
+extern void
+NSS_CMSDecoder_Cancel(NSSCMSDecoderContext *p7dcx);
+
+/*
+ * NSS_CMSDecoder_Finish - mark the end of inner content and finish decoding
+ */
+extern NSSCMSMessage *
+NSS_CMSDecoder_Finish(NSSCMSDecoderContext *p7dcx);
+
+/*
+ * NSS_CMSMessage_CreateFromDER - decode a CMS message from DER encoded data
+ */
+extern NSSCMSMessage *
+NSS_CMSMessage_CreateFromDER(SECItem *DERmessage,
+		    NSSCMSContentCallback cb, void *cb_arg,
+		    PK11PasswordFunc pwfn, void *pwfn_arg,
+		    NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg);
+
+/************************************************************************
+ * cmsencode.c - CMS encoding
+ ************************************************************************/
+
+/*
+ * NSS_CMSEncoder_Start - set up encoding of a CMS message
+ *
+ * "cmsg" - message to encode
+ * "outputfn", "outputarg" - callback function for delivery of DER-encoded output
+ *                           will not be called if NULL.
+ * "dest" - if non-NULL, pointer to SECItem that will hold the DER-encoded output
+ * "destpoolp" - pool to allocate DER-encoded output in
+ * "pwfn", pwfn_arg" - callback function for getting token password
+ * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
+ * "detached_digestalgs", "detached_digests" - digests from detached content
+ */
+extern NSSCMSEncoderContext *
+NSS_CMSEncoder_Start(NSSCMSMessage *cmsg,
+			NSSCMSContentCallback outputfn, void *outputarg,
+			SECItem *dest, PLArenaPool *destpoolp,
+			PK11PasswordFunc pwfn, void *pwfn_arg,
+			NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,
+			SECAlgorithmID **detached_digestalgs, SECItem **detached_digests);
+
+/*
+ * NSS_CMSEncoder_Update - take content data delivery from the user
+ *
+ * "p7ecx" - encoder context
+ * "data" - content data
+ * "len" - length of content data
+ */
+extern SECStatus
+NSS_CMSEncoder_Update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len);
+
+/*
+ * NSS_CMSEncoder_Finish - signal the end of data
+ *
+ * we need to walk down the chain of encoders and the finish them from the innermost out
+ */
+extern SECStatus
+NSS_CMSEncoder_Finish(NSSCMSEncoderContext *p7ecx);
+
+/************************************************************************
+ * cmsmessage.c - CMS message object
+ ************************************************************************/
+
+/*
+ * NSS_CMSMessage_Create - create a CMS message object
+ *
+ * "poolp" - arena to allocate memory from, or NULL if new arena should be created
+ */
+extern NSSCMSMessage *
+NSS_CMSMessage_Create(PLArenaPool *poolp);
+
+/*
+ * NSS_CMSMessage_SetEncodingParams - set up a CMS message object for encoding or decoding
+ *
+ * "cmsg" - message object
+ * "pwfn", pwfn_arg" - callback function for getting token password
+ * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
+ * "detached_digestalgs", "detached_digests" - digests from detached content
+ *
+ * used internally.
+ */
+extern void
+NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg,
+			PK11PasswordFunc pwfn, void *pwfn_arg,
+			NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,
+			SECAlgorithmID **detached_digestalgs, SECItem **detached_digests);
+
+/*
+ * NSS_CMSMessage_Destroy - destroy a CMS message and all of its sub-pieces.
+ */
+extern void
+NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg);
+
+/*
+ * NSS_CMSMessage_Copy - return a copy of the given message. 
+ *
+ * The copy may be virtual or may be real -- either way, the result needs
+ * to be passed to NSS_CMSMessage_Destroy later (as does the original).
+ */
+extern NSSCMSMessage *
+NSS_CMSMessage_Copy(NSSCMSMessage *cmsg);
+
+/*
+ * NSS_CMSMessage_GetArena - return a pointer to the message's arena pool
+ */
+extern PLArenaPool *
+NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg);
+
+/*
+ * NSS_CMSMessage_GetContentInfo - return a pointer to the top level contentInfo
+ */
+extern NSSCMSContentInfo *
+NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg);
+
+/*
+ * Return a pointer to the actual content. 
+ * In the case of those types which are encrypted, this returns the *plain* content.
+ * In case of nested contentInfos, this descends and retrieves the innermost content.
+ */
+extern SECItem *
+NSS_CMSMessage_GetContent(NSSCMSMessage *cmsg);
+
+/*
+ * NSS_CMSMessage_ContentLevelCount - count number of levels of CMS content objects in this message
+ *
+ * CMS data content objects do not count.
+ */
+extern int
+NSS_CMSMessage_ContentLevelCount(NSSCMSMessage *cmsg);
+
+/*
+ * NSS_CMSMessage_ContentLevel - find content level #n
+ *
+ * CMS data content objects do not count.
+ */
+extern NSSCMSContentInfo *
+NSS_CMSMessage_ContentLevel(NSSCMSMessage *cmsg, int n);
+
+/*
+ * NSS_CMSMessage_ContainsCertsOrCrls - see if message contains certs along the way
+ */
+extern PRBool
+NSS_CMSMessage_ContainsCertsOrCrls(NSSCMSMessage *cmsg);
+
+/*
+ * NSS_CMSMessage_IsEncrypted - see if message contains a encrypted submessage
+ */
+extern PRBool
+NSS_CMSMessage_IsEncrypted(NSSCMSMessage *cmsg);
+
+/*
+ * NSS_CMSMessage_IsSigned - see if message contains a signed submessage
+ *
+ * If the CMS message has a SignedData with a signature (not just a SignedData)
+ * return true; false otherwise.  This can/should be called before calling
+ * VerifySignature, which will always indicate failure if no signature is
+ * present, but that does not mean there even was a signature!
+ * Note that the content itself can be empty (detached content was sent
+ * another way); it is the presence of the signature that matters.
+ */
+extern PRBool
+NSS_CMSMessage_IsSigned(NSSCMSMessage *cmsg);
+
+/*
+ * NSS_CMSMessage_IsContentEmpty - see if content is empty
+ *
+ * returns PR_TRUE is innermost content length is < minLen
+ * XXX need the encrypted content length (why?)
+ */
+extern PRBool
+NSS_CMSMessage_IsContentEmpty(NSSCMSMessage *cmsg, unsigned int minLen);
+
+/************************************************************************
+ * cmscinfo.c - CMS contentInfo methods
+ ************************************************************************/
+
+/*
+ * NSS_CMSContentInfo_Destroy - destroy a CMS contentInfo and all of its sub-pieces.
+ */
+extern void
+NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo);
+
+/*
+ * NSS_CMSContentInfo_GetChildContentInfo - get content's contentInfo (if it exists)
+ */
+extern NSSCMSContentInfo *
+NSS_CMSContentInfo_GetChildContentInfo(NSSCMSContentInfo *cinfo);
+
+/*
+ * NSS_CMSContentInfo_SetContent - set cinfo's content type & content to CMS object
+ */
+extern SECStatus
+NSS_CMSContentInfo_SetContent(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SECOidTag type, void *ptr);
+
+/*
+ * NSS_CMSContentInfo_SetContent_XXXX - typesafe wrappers for NSS_CMSContentInfo_SetType
+ *   set cinfo's content type & content to CMS object
+ */
+extern SECStatus
+NSS_CMSContentInfo_SetContent_Data(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SECItem *data, PRBool detached);
+
+extern SECStatus
+NSS_CMSContentInfo_SetContent_SignedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSSignedData *sigd);
+
+extern SECStatus
+NSS_CMSContentInfo_SetContent_EnvelopedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSEnvelopedData *envd);
+
+extern SECStatus
+NSS_CMSContentInfo_SetContent_DigestedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSDigestedData *digd);
+
+extern SECStatus
+NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSEncryptedData *encd);
+
+/*
+ * NSS_CMSContentInfo_GetContent - get pointer to inner content
+ *
+ * needs to be casted...
+ */
+extern void *
+NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo);
+
+/* 
+ * NSS_CMSContentInfo_GetInnerContent - get pointer to innermost content
+ *
+ * this is typically only called by NSS_CMSMessage_GetContent()
+ */
+extern SECItem *
+NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo);
+
+/*
+ * NSS_CMSContentInfo_GetContentType{Tag,OID} - find out (saving pointer to lookup result
+ * for future reference) and return the inner content type.
+ */
+extern SECOidTag
+NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo);
+
+extern SECItem *
+NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo);
+
+/*
+ * NSS_CMSContentInfo_GetContentEncAlgTag - find out (saving pointer to lookup result
+ * for future reference) and return the content encryption algorithm tag.
+ */
+extern SECOidTag
+NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo);
+
+/*
+ * NSS_CMSContentInfo_GetContentEncAlg - find out and return the content encryption algorithm tag.
+ */
+extern SECAlgorithmID *
+NSS_CMSContentInfo_GetContentEncAlg(NSSCMSContentInfo *cinfo);
+
+extern SECStatus
+NSS_CMSContentInfo_SetContentEncAlg(PLArenaPool *poolp, NSSCMSContentInfo *cinfo,
+				    SECOidTag bulkalgtag, SECItem *parameters, int keysize);
+
+extern SECStatus
+NSS_CMSContentInfo_SetContentEncAlgID(PLArenaPool *poolp, NSSCMSContentInfo *cinfo,
+				    SECAlgorithmID *algid, int keysize);
+
+extern void
+NSS_CMSContentInfo_SetBulkKey(NSSCMSContentInfo *cinfo, PK11SymKey *bulkkey);
+
+extern PK11SymKey *
+NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo);
+
+extern int
+NSS_CMSContentInfo_GetBulkKeySize(NSSCMSContentInfo *cinfo);
+
+/************************************************************************
+ * cmsutil.c - CMS misc utility functions
+ ************************************************************************/
+
+/*
+ * NSS_CMSArray_SortByDER - sort array of objects by objects' DER encoding
+ *
+ * make sure that the order of the objects guarantees valid DER (which must be
+ * in lexigraphically ascending order for a SET OF); if reordering is necessary it
+ * will be done in place (in objs).
+ */
+extern SECStatus
+NSS_CMSArray_SortByDER(void **objs, const SEC_ASN1Template *objtemplate, void **objs2);
+
+/*
+ * NSS_CMSUtil_DERCompare - for use with NSS_CMSArray_Sort to
+ *  sort arrays of SECItems containing DER
+ */
+extern int
+NSS_CMSUtil_DERCompare(void *a, void *b);
+
+/*
+ * NSS_CMSAlgArray_GetIndexByAlgID - find a specific algorithm in an array of 
+ * algorithms.
+ *
+ * algorithmArray - array of algorithm IDs
+ * algid - algorithmid of algorithm to pick
+ *
+ * Returns:
+ *  An integer containing the index of the algorithm in the array or -1 if 
+ *  algorithm was not found.
+ */
+extern int
+NSS_CMSAlgArray_GetIndexByAlgID(SECAlgorithmID **algorithmArray, SECAlgorithmID *algid);
+
+/*
+ * NSS_CMSAlgArray_GetIndexByAlgID - find a specific algorithm in an array of 
+ * algorithms.
+ *
+ * algorithmArray - array of algorithm IDs
+ * algiddata - id of algorithm to pick
+ *
+ * Returns:
+ *  An integer containing the index of the algorithm in the array or -1 if 
+ *  algorithm was not found.
+ */
+extern int
+NSS_CMSAlgArray_GetIndexByAlgTag(SECAlgorithmID **algorithmArray, SECOidTag algtag);
+
+extern const SECHashObject *
+NSS_CMSUtil_GetHashObjByAlgID(SECAlgorithmID *algid);
+
+/*
+ * XXX I would *really* like to not have to do this, but the current
+ * signing interface gives me little choice.
+ */
+extern SECOidTag
+NSS_CMSUtil_MakeSignatureAlgorithm(SECOidTag hashalg, SECOidTag encalg);
+
+extern const SEC_ASN1Template *
+NSS_CMSUtil_GetTemplateByTypeTag(SECOidTag type);
+
+extern size_t
+NSS_CMSUtil_GetSizeByTypeTag(SECOidTag type);
+
+extern NSSCMSContentInfo *
+NSS_CMSContent_GetContentInfo(void *msg, SECOidTag type);
+
+extern const char *
+NSS_CMSUtil_VerificationStatusToString(NSSCMSVerificationStatus vs);
+
+/************************************************************************
+ * cmssigdata.c - CMS signedData methods
+ ************************************************************************/
+
+extern NSSCMSSignedData *
+NSS_CMSSignedData_Create(NSSCMSMessage *cmsg);
+
+extern void
+NSS_CMSSignedData_Destroy(NSSCMSSignedData *sigd);
+
+/*
+ * NSS_CMSSignedData_Encode_BeforeStart - do all the necessary things to a SignedData
+ *     before start of encoding.
+ *
+ * In detail:
+ *  - find out about the right value to put into sigd->version
+ *  - come up with a list of digestAlgorithms (which should be the union of the algorithms
+ *         in the signerinfos).
+ *         If we happen to have a pre-set list of algorithms (and digest values!), we
+ *         check if we have all the signerinfos' algorithms. If not, this is an error.
+ */
+extern SECStatus
+NSS_CMSSignedData_Encode_BeforeStart(NSSCMSSignedData *sigd);
+
+extern SECStatus
+NSS_CMSSignedData_Encode_BeforeData(NSSCMSSignedData *sigd);
+
+/*
+ * NSS_CMSSignedData_Encode_AfterData - do all the necessary things to a SignedData
+ *     after all the encapsulated data was passed through the encoder.
+ *
+ * In detail:
+ *  - create the signatures in all the SignerInfos
+ *
+ * Please note that nothing is done to the Certificates and CRLs in the message - this
+ * is entirely the responsibility of our callers.
+ */
+extern SECStatus
+NSS_CMSSignedData_Encode_AfterData(NSSCMSSignedData *sigd);
+
+extern SECStatus
+NSS_CMSSignedData_Decode_BeforeData(NSSCMSSignedData *sigd);
+
+/*
+ * NSS_CMSSignedData_Decode_AfterData - do all the necessary things to a SignedData
+ *     after all the encapsulated data was passed through the decoder.
+ */
+extern SECStatus
+NSS_CMSSignedData_Decode_AfterData(NSSCMSSignedData *sigd);
+
+/*
+ * NSS_CMSSignedData_Decode_AfterEnd - do all the necessary things to a SignedData
+ *     after all decoding is finished.
+ */
+extern SECStatus
+NSS_CMSSignedData_Decode_AfterEnd(NSSCMSSignedData *sigd);
+
+/* 
+ * NSS_CMSSignedData_GetSignerInfos - retrieve the SignedData's signer list
+ */
+extern NSSCMSSignerInfo **
+NSS_CMSSignedData_GetSignerInfos(NSSCMSSignedData *sigd);
+
+extern int
+NSS_CMSSignedData_SignerInfoCount(NSSCMSSignedData *sigd);
+
+extern NSSCMSSignerInfo *
+NSS_CMSSignedData_GetSignerInfo(NSSCMSSignedData *sigd, int i);
+
+/* 
+ * NSS_CMSSignedData_GetDigestAlgs - retrieve the SignedData's digest algorithm list
+ */
+extern SECAlgorithmID **
+NSS_CMSSignedData_GetDigestAlgs(NSSCMSSignedData *sigd);
+
+/*
+ * NSS_CMSSignedData_GetContentInfo - return pointer to this signedData's contentinfo
+ */
+extern NSSCMSContentInfo *
+NSS_CMSSignedData_GetContentInfo(NSSCMSSignedData *sigd);
+
+/* 
+ * NSS_CMSSignedData_GetCertificateList - retrieve the SignedData's certificate list
+ */
+extern SECItem **
+NSS_CMSSignedData_GetCertificateList(NSSCMSSignedData *sigd);
+
+extern SECStatus
+NSS_CMSSignedData_ImportCerts(NSSCMSSignedData *sigd, CERTCertDBHandle *certdb,
+				SECCertUsage certusage, PRBool keepcerts);
+
+/*
+ * NSS_CMSSignedData_HasDigests - see if we have digests in place
+ */
+extern PRBool
+NSS_CMSSignedData_HasDigests(NSSCMSSignedData *sigd);
+
+/*
+ * NSS_CMSSignedData_VerifySignerInfo - check a signature.
+ *
+ * The digests were either calculated during decoding (and are stored in the
+ * signedData itself) or set after decoding using NSS_CMSSignedData_SetDigests.
+ *
+ * The verification checks if the signing cert is valid and has a trusted chain
+ * for the purpose specified by "certusage".
+ */
+extern SECStatus
+NSS_CMSSignedData_VerifySignerInfo(NSSCMSSignedData *sigd, int i, CERTCertDBHandle *certdb,
+				    SECCertUsage certusage);
+
+/*
+ * NSS_CMSSignedData_VerifyCertsOnly - verify the certs in a certs-only message
+*/
+extern SECStatus
+NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd, 
+                                  CERTCertDBHandle *certdb, 
+                                  SECCertUsage usage);
+
+extern SECStatus
+NSS_CMSSignedData_AddCertList(NSSCMSSignedData *sigd, CERTCertificateList *certlist);
+
+/*
+ * NSS_CMSSignedData_AddCertChain - add cert and its entire chain to the set of certs 
+ */
+extern SECStatus
+NSS_CMSSignedData_AddCertChain(NSSCMSSignedData *sigd, CERTCertificate *cert);
+
+extern SECStatus
+NSS_CMSSignedData_AddCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert);
+
+extern PRBool
+NSS_CMSSignedData_ContainsCertsOrCrls(NSSCMSSignedData *sigd);
+
+extern SECStatus
+NSS_CMSSignedData_AddSignerInfo(NSSCMSSignedData *sigd,
+				NSSCMSSignerInfo *signerinfo);
+
+extern SECItem *
+NSS_CMSSignedData_GetDigestByAlgTag(NSSCMSSignedData *sigd, SECOidTag algtag);
+
+extern SECStatus
+NSS_CMSSignedData_SetDigests(NSSCMSSignedData *sigd,
+				SECAlgorithmID **digestalgs,
+				SECItem **digests);
+
+extern SECStatus
+NSS_CMSSignedData_SetDigestValue(NSSCMSSignedData *sigd,
+				SECOidTag digestalgtag,
+				SECItem *digestdata);
+
+extern SECStatus
+NSS_CMSSignedData_AddDigest(PRArenaPool *poolp,
+				NSSCMSSignedData *sigd,
+				SECOidTag digestalgtag,
+				SECItem *digest);
+
+extern SECItem *
+NSS_CMSSignedData_GetDigestValue(NSSCMSSignedData *sigd, SECOidTag digestalgtag);
+
+/*
+ * NSS_CMSSignedData_CreateCertsOnly - create a certs-only SignedData.
+ *
+ * cert          - base certificates that will be included
+ * include_chain - if true, include the complete cert chain for cert
+ *
+ * More certs and chains can be added via AddCertificate and AddCertChain.
+ *
+ * An error results in a return value of NULL and an error set.
+ */
+extern NSSCMSSignedData *
+NSS_CMSSignedData_CreateCertsOnly(NSSCMSMessage *cmsg, CERTCertificate *cert, PRBool include_chain);
+
+/************************************************************************
+ * cmssiginfo.c - signerinfo methods
+ ************************************************************************/
+
+extern NSSCMSSignerInfo *
+NSS_CMSSignerInfo_Create(NSSCMSMessage *cmsg, CERTCertificate *cert, SECOidTag digestalgtag);
+
+/*
+ * NSS_CMSSignerInfo_Destroy - destroy a SignerInfo data structure
+ */
+extern void
+NSS_CMSSignerInfo_Destroy(NSSCMSSignerInfo *si);
+
+/*
+ * NSS_CMSSignerInfo_Sign - sign something
+ *
+ */
+extern SECStatus
+NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *contentType);
+
+extern SECStatus
+NSS_CMSSignerInfo_VerifyCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHandle *certdb,
+			    SECCertUsage certusage);
+
+/*
+ * NSS_CMSSignerInfo_Verify - verify the signature of a single SignerInfo
+ *
+ * Just verifies the signature. The assumption is that verification of the certificate
+ * is done already.
+ */
+extern SECStatus
+NSS_CMSSignerInfo_Verify(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *contentType);
+
+extern NSSCMSVerificationStatus
+NSS_CMSSignerInfo_GetVerificationStatus(NSSCMSSignerInfo *signerinfo);
+
+extern SECOidData *
+NSS_CMSSignerInfo_GetDigestAlg(NSSCMSSignerInfo *signerinfo);
+
+extern SECOidTag
+NSS_CMSSignerInfo_GetDigestAlgTag(NSSCMSSignerInfo *signerinfo);
+
+extern int
+NSS_CMSSignerInfo_GetVersion(NSSCMSSignerInfo *signerinfo);
+
+extern CERTCertificateList *
+NSS_CMSSignerInfo_GetCertList(NSSCMSSignerInfo *signerinfo);
+
+/*
+ * NSS_CMSSignerInfo_GetSigningTime - return the signing time,
+ *				      in UTCTime format, of a CMS signerInfo.
+ *
+ * sinfo - signerInfo data for this signer
+ *
+ * Returns a pointer to XXXX (what?)
+ * A return value of NULL is an error.
+ */
+extern SECStatus
+NSS_CMSSignerInfo_GetSigningTime(NSSCMSSignerInfo *sinfo, PRTime *stime);
+
+/*
+ * Return the signing cert of a CMS signerInfo.
+ *
+ * the certs in the enclosing SignedData must have been imported already
+ */
+extern CERTCertificate *
+NSS_CMSSignerInfo_GetSigningCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHandle *certdb);
+
+/*
+ * NSS_CMSSignerInfo_GetSignerCommonName - return the common name of the signer
+ *
+ * sinfo - signerInfo data for this signer
+ *
+ * Returns a pointer to allocated memory, which must be freed.
+ * A return value of NULL is an error.
+ */
+extern char *
+NSS_CMSSignerInfo_GetSignerCommonName(NSSCMSSignerInfo *sinfo);
+
+/*
+ * NSS_CMSSignerInfo_GetSignerEmailAddress - return the common name of the signer
+ *
+ * sinfo - signerInfo data for this signer
+ *
+ * Returns a pointer to allocated memory, which must be freed.
+ * A return value of NULL is an error.
+ */
+extern char *
+NSS_CMSSignerInfo_GetSignerEmailAddress(NSSCMSSignerInfo *sinfo);
+
+/*
+ * NSS_CMSSignerInfo_AddAuthAttr - add an attribute to the
+ * authenticated (i.e. signed) attributes of "signerinfo". 
+ */
+extern SECStatus
+NSS_CMSSignerInfo_AddAuthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr);
+
+/*
+ * NSS_CMSSignerInfo_AddUnauthAttr - add an attribute to the
+ * unauthenticated attributes of "signerinfo". 
+ */
+extern SECStatus
+NSS_CMSSignerInfo_AddUnauthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr);
+
+/* 
+ * NSS_CMSSignerInfo_AddSigningTime - add the signing time to the
+ * authenticated (i.e. signed) attributes of "signerinfo". 
+ *
+ * This is expected to be included in outgoing signed
+ * messages for email (S/MIME) but is likely useful in other situations.
+ *
+ * This should only be added once; a second call will do nothing.
+ *
+ * XXX This will probably just shove the current time into "signerinfo"
+ * but it will not actually get signed until the entire item is
+ * processed for encoding.  Is this (expected to be small) delay okay?
+ */
+extern SECStatus
+NSS_CMSSignerInfo_AddSigningTime(NSSCMSSignerInfo *signerinfo, PRTime t);
+
+/*
+ * NSS_CMSSignerInfo_AddSMIMECaps - add a SMIMECapabilities attribute to the
+ * authenticated (i.e. signed) attributes of "signerinfo".
+ *
+ * This is expected to be included in outgoing signed
+ * messages for email (S/MIME).
+ */
+extern SECStatus
+NSS_CMSSignerInfo_AddSMIMECaps(NSSCMSSignerInfo *signerinfo);
+
+/*
+ * NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the
+ * authenticated (i.e. signed) attributes of "signerinfo".
+ *
+ * This is expected to be included in outgoing signed messages for email (S/MIME).
+ */
+SECStatus
+NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertificate *cert, CERTCertDBHandle *certdb);
+
+/* 
+ * NSS_CMSSignerInfo_AddCounterSignature - countersign a signerinfo
+ */
+extern SECStatus
+NSS_CMSSignerInfo_AddCounterSignature(NSSCMSSignerInfo *signerinfo,
+				    SECOidTag digestalg, CERTCertificate signingcert);
+
+/*
+ * XXXX the following needs to be done in the S/MIME layer code
+ * after signature of a signerinfo is verified
+ */
+extern SECStatus
+NSS_SMIMESignerInfo_SaveSMIMEProfile(NSSCMSSignerInfo *signerinfo);
+
+/*
+ * NSS_CMSSignerInfo_IncludeCerts - set cert chain inclusion mode for this signer
+ */
+extern SECStatus
+NSS_CMSSignerInfo_IncludeCerts(NSSCMSSignerInfo *signerinfo, NSSCMSCertChainMode cm, SECCertUsage usage);
+
+/************************************************************************
+ * cmsenvdata.c - CMS envelopedData methods
+ ************************************************************************/
+
+/*
+ * NSS_CMSEnvelopedData_Create - create an enveloped data message
+ */
+extern NSSCMSEnvelopedData *
+NSS_CMSEnvelopedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, int keysize);
+
+/*
+ * NSS_CMSEnvelopedData_Destroy - destroy an enveloped data message
+ */
+extern void
+NSS_CMSEnvelopedData_Destroy(NSSCMSEnvelopedData *edp);
+
+/*
+ * NSS_CMSEnvelopedData_GetContentInfo - return pointer to this envelopedData's contentinfo
+ */
+extern NSSCMSContentInfo *
+NSS_CMSEnvelopedData_GetContentInfo(NSSCMSEnvelopedData *envd);
+
+/*
+ * NSS_CMSEnvelopedData_AddRecipient - add a recipientinfo to the enveloped data msg
+ *
+ * rip must be created on the same pool as edp - this is not enforced, though.
+ */
+extern SECStatus
+NSS_CMSEnvelopedData_AddRecipient(NSSCMSEnvelopedData *edp, NSSCMSRecipientInfo *rip);
+
+/*
+ * NSS_CMSEnvelopedData_Encode_BeforeStart - prepare this envelopedData for encoding
+ *
+ * at this point, we need
+ * - recipientinfos set up with recipient's certificates
+ * - a content encryption algorithm (if none, 3DES will be used)
+ *
+ * this function will generate a random content encryption key (aka bulk key),
+ * initialize the recipientinfos with certificate identification and wrap the bulk key
+ * using the proper algorithm for every certificiate.
+ * it will finally set the bulk algorithm and key so that the encode step can find it.
+ */
+extern SECStatus
+NSS_CMSEnvelopedData_Encode_BeforeStart(NSSCMSEnvelopedData *envd);
+
+/*
+ * NSS_CMSEnvelopedData_Encode_BeforeData - set up encryption
+ */
+extern SECStatus
+NSS_CMSEnvelopedData_Encode_BeforeData(NSSCMSEnvelopedData *envd);
+
+/*
+ * NSS_CMSEnvelopedData_Encode_AfterData - finalize this envelopedData for encoding
+ */
+extern SECStatus
+NSS_CMSEnvelopedData_Encode_AfterData(NSSCMSEnvelopedData *envd);
+
+/*
+ * NSS_CMSEnvelopedData_Decode_BeforeData - find our recipientinfo, 
+ * derive bulk key & set up our contentinfo
+ */
+extern SECStatus
+NSS_CMSEnvelopedData_Decode_BeforeData(NSSCMSEnvelopedData *envd);
+
+/*
+ * NSS_CMSEnvelopedData_Decode_AfterData - finish decrypting this envelopedData's content
+ */
+extern SECStatus
+NSS_CMSEnvelopedData_Decode_AfterData(NSSCMSEnvelopedData *envd);
+
+/*
+ * NSS_CMSEnvelopedData_Decode_AfterEnd - finish decoding this envelopedData
+ */
+extern SECStatus
+NSS_CMSEnvelopedData_Decode_AfterEnd(NSSCMSEnvelopedData *envd);
+
+
+/************************************************************************
+ * cmsrecinfo.c - CMS recipientInfo methods
+ ************************************************************************/
+
+/*
+ * NSS_CMSRecipientInfo_Create - create a recipientinfo
+ *
+ * we currently do not create KeyAgreement recipientinfos with multiple recipientEncryptedKeys
+ * the certificate is supposed to have been verified by the caller
+ */
+extern NSSCMSRecipientInfo *
+NSS_CMSRecipientInfo_Create(NSSCMSMessage *cmsg, CERTCertificate *cert);
+
+extern void
+NSS_CMSRecipientInfo_Destroy(NSSCMSRecipientInfo *ri);
+
+extern int
+NSS_CMSRecipientInfo_GetVersion(NSSCMSRecipientInfo *ri);
+
+extern SECItem *
+NSS_CMSRecipientInfo_GetEncryptedKey(NSSCMSRecipientInfo *ri, int subIndex);
+
+
+extern SECOidTag
+NSS_CMSRecipientInfo_GetKeyEncryptionAlgorithmTag(NSSCMSRecipientInfo *ri);
+
+extern SECStatus
+NSS_CMSRecipientInfo_WrapBulkKey(NSSCMSRecipientInfo *ri, PK11SymKey *bulkkey, SECOidTag bulkalgtag);
+
+extern PK11SymKey *
+NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex,
+		CERTCertificate *cert, SECKEYPrivateKey *privkey, SECOidTag bulkalgtag);
+
+/************************************************************************
+ * cmsencdata.c - CMS encryptedData methods
+ ************************************************************************/
+/*
+ * NSS_CMSEncryptedData_Create - create an empty encryptedData object.
+ *
+ * "algorithm" specifies the bulk encryption algorithm to use.
+ * "keysize" is the key size.
+ * 
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+extern NSSCMSEncryptedData *
+NSS_CMSEncryptedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, int keysize);
+
+/*
+ * NSS_CMSEncryptedData_Destroy - destroy an encryptedData object
+ */
+extern void
+NSS_CMSEncryptedData_Destroy(NSSCMSEncryptedData *encd);
+
+/*
+ * NSS_CMSEncryptedData_GetContentInfo - return pointer to encryptedData object's contentInfo
+ */
+extern NSSCMSContentInfo *
+NSS_CMSEncryptedData_GetContentInfo(NSSCMSEncryptedData *encd);
+
+/*
+ * NSS_CMSEncryptedData_Encode_BeforeStart - do all the necessary things to a EncryptedData
+ *     before encoding begins.
+ *
+ * In particular:
+ *  - set the correct version value.
+ *  - get the encryption key
+ */
+extern SECStatus
+NSS_CMSEncryptedData_Encode_BeforeStart(NSSCMSEncryptedData *encd);
+
+/*
+ * NSS_CMSEncryptedData_Encode_BeforeData - set up encryption
+ */
+extern SECStatus
+NSS_CMSEncryptedData_Encode_BeforeData(NSSCMSEncryptedData *encd);
+
+/*
+ * NSS_CMSEncryptedData_Encode_AfterData - finalize this encryptedData for encoding
+ */
+extern SECStatus
+NSS_CMSEncryptedData_Encode_AfterData(NSSCMSEncryptedData *encd);
+
+/*
+ * NSS_CMSEncryptedData_Decode_BeforeData - find bulk key & set up decryption
+ */
+extern SECStatus
+NSS_CMSEncryptedData_Decode_BeforeData(NSSCMSEncryptedData *encd);
+
+/*
+ * NSS_CMSEncryptedData_Decode_AfterData - finish decrypting this encryptedData's content
+ */
+extern SECStatus
+NSS_CMSEncryptedData_Decode_AfterData(NSSCMSEncryptedData *encd);
+
+/*
+ * NSS_CMSEncryptedData_Decode_AfterEnd - finish decoding this encryptedData
+ */
+extern SECStatus
+NSS_CMSEncryptedData_Decode_AfterEnd(NSSCMSEncryptedData *encd);
+
+/************************************************************************
+ * cmsdigdata.c - CMS encryptedData methods
+ ************************************************************************/
+/*
+ * NSS_CMSDigestedData_Create - create a digestedData object (presumably for encoding)
+ *
+ * version will be set by NSS_CMSDigestedData_Encode_BeforeStart
+ * digestAlg is passed as parameter
+ * contentInfo must be filled by the user
+ * digest will be calculated while encoding
+ */
+extern NSSCMSDigestedData *
+NSS_CMSDigestedData_Create(NSSCMSMessage *cmsg, SECAlgorithmID *digestalg);
+
+/*
+ * NSS_CMSDigestedData_Destroy - destroy a digestedData object
+ */
+extern void
+NSS_CMSDigestedData_Destroy(NSSCMSDigestedData *digd);
+
+/*
+ * NSS_CMSDigestedData_GetContentInfo - return pointer to digestedData object's contentInfo
+ */
+extern NSSCMSContentInfo *
+NSS_CMSDigestedData_GetContentInfo(NSSCMSDigestedData *digd);
+
+/*
+ * NSS_CMSDigestedData_Encode_BeforeStart - do all the necessary things to a DigestedData
+ *     before encoding begins.
+ *
+ * In particular:
+ *  - set the right version number. The contentInfo's content type must be set up already.
+ */
+extern SECStatus
+NSS_CMSDigestedData_Encode_BeforeStart(NSSCMSDigestedData *digd);
+
+/*
+ * NSS_CMSDigestedData_Encode_BeforeData - do all the necessary things to a DigestedData
+ *     before the encapsulated data is passed through the encoder.
+ *
+ * In detail:
+ *  - set up the digests if necessary
+ */
+extern SECStatus
+NSS_CMSDigestedData_Encode_BeforeData(NSSCMSDigestedData *digd);
+
+/*
+ * NSS_CMSDigestedData_Encode_AfterData - do all the necessary things to a DigestedData
+ *     after all the encapsulated data was passed through the encoder.
+ *
+ * In detail:
+ *  - finish the digests
+ */
+extern SECStatus
+NSS_CMSDigestedData_Encode_AfterData(NSSCMSDigestedData *digd);
+
+/*
+ * NSS_CMSDigestedData_Decode_BeforeData - do all the necessary things to a DigestedData
+ *     before the encapsulated data is passed through the encoder.
+ *
+ * In detail:
+ *  - set up the digests if necessary
+ */
+extern SECStatus
+NSS_CMSDigestedData_Decode_BeforeData(NSSCMSDigestedData *digd);
+
+/*
+ * NSS_CMSDigestedData_Decode_AfterData - do all the necessary things to a DigestedData
+ *     after all the encapsulated data was passed through the encoder.
+ *
+ * In detail:
+ *  - finish the digests
+ */
+extern SECStatus
+NSS_CMSDigestedData_Decode_AfterData(NSSCMSDigestedData *digd);
+
+/*
+ * NSS_CMSDigestedData_Decode_AfterEnd - finalize a digestedData.
+ *
+ * In detail:
+ *  - check the digests for equality
+ */
+extern SECStatus
+NSS_CMSDigestedData_Decode_AfterEnd(NSSCMSDigestedData *digd);
+
+/************************************************************************
+ * cmsdigest.c - digestion routines
+ ************************************************************************/
+
+/*
+ * NSS_CMSDigestContext_StartMultiple - start digest calculation using all the
+ *  digest algorithms in "digestalgs" in parallel.
+ */
+extern NSSCMSDigestContext *
+NSS_CMSDigestContext_StartMultiple(SECAlgorithmID **digestalgs);
+
+/*
+ * NSS_CMSDigestContext_StartSingle - same as NSS_CMSDigestContext_StartMultiple, but
+ *  only one algorithm.
+ */
+extern NSSCMSDigestContext *
+NSS_CMSDigestContext_StartSingle(SECAlgorithmID *digestalg);
+
+/*
+ * NSS_CMSDigestContext_Update - feed more data into the digest machine
+ */
+extern void
+NSS_CMSDigestContext_Update(NSSCMSDigestContext *cmsdigcx, const unsigned char *data, int len);
+
+/*
+ * NSS_CMSDigestContext_Cancel - cancel digesting operation
+ */
+extern void
+NSS_CMSDigestContext_Cancel(NSSCMSDigestContext *cmsdigcx);
+
+/*
+ * NSS_CMSDigestContext_FinishMultiple - finish the digests and put them
+ *  into an array of SECItems (allocated on poolp)
+ */
+extern SECStatus
+NSS_CMSDigestContext_FinishMultiple(NSSCMSDigestContext *cmsdigcx, PLArenaPool *poolp,
+			    SECItem ***digestsp);
+
+/*
+ * NSS_CMSDigestContext_FinishSingle - same as NSS_CMSDigestContext_FinishMultiple,
+ *  but for one digest.
+ */
+extern SECStatus
+NSS_CMSDigestContext_FinishSingle(NSSCMSDigestContext *cmsdigcx, PLArenaPool *poolp,
+			    SECItem *digest);
+
+/************************************************************************
+ * 
+ ************************************************************************/
+
+/* shortcuts for basic use */
+
+/*
+ * NSS_CMSDEREncode - DER Encode a CMS message, with input being
+ *                    the plaintext message and derOut being the output,
+ *                    stored in arena's pool.
+ */
+extern SECStatus
+NSS_CMSDEREncode(NSSCMSMessage *cmsg, SECItem *input, SECItem *derOut, 
+                 PLArenaPool *arena);
+
+
+/************************************************************************/
+SEC_END_PROTOS
+
+#endif /* _CMS_H_ */
diff --git a/security/nss/lib/smime/cmsarray.c b/security/nss/lib/smime/cmsarray.c
new file mode 100644
index 000000000..68d7e1963
--- /dev/null
+++ b/security/nss/lib/smime/cmsarray.c
@@ -0,0 +1,212 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * CMS array functions.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "secerr.h"
+
+/*
+ * ARRAY FUNCTIONS
+ *
+ * In NSS, arrays are rather primitive arrays of pointers.
+ * Makes it easy to walk the array, but hard to count elements
+ * and manage the storage.
+ *
+ * This is a feeble attempt to encapsulate the functionality
+ * and get rid of hundreds of lines of similar code
+ */
+
+/*
+ * NSS_CMSArray_Alloc - allocate an array in an arena
+ *
+ * This allocates space for the array of pointers
+ */
+void **
+NSS_CMSArray_Alloc(PRArenaPool *poolp, int n)
+{
+    return (void **)PORT_ArenaZAlloc(poolp, n * sizeof(void *));
+}
+
+/*
+ * NSS_CMSArray_Add - add an element to the end of an array
+ *
+ * The array of pointers is either created (if array was empty before) or grown.
+ */
+SECStatus
+NSS_CMSArray_Add(PRArenaPool *poolp, void ***array, void *obj)
+{
+    void **p;
+    int n;
+    void **dest;
+
+    PORT_Assert(array != NULL);
+    if (array == NULL)
+	return SECFailure;
+
+    if (*array == NULL) {
+	dest = (void **)PORT_ArenaAlloc(poolp, 2 * sizeof(void *));
+	n = 0;
+    } else {
+	n = 0; p = *array;
+	while (*p++)
+	    n++;
+	dest = (void **)PORT_ArenaGrow (poolp, 
+			      *array,
+			      (n + 1) * sizeof(void *),
+			      (n + 2) * sizeof(void *));
+    }
+    dest[n] = obj;
+    dest[n+1] = NULL;
+    *array = dest;
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSArray_IsEmpty - check if array is empty
+ */
+PRBool
+NSS_CMSArray_IsEmpty(void **array)
+{
+    return (array == NULL || array[0] == NULL);
+}
+
+/*
+ * NSS_CMSArray_Count - count number of elements in array
+ */
+int
+NSS_CMSArray_Count(void **array)
+{
+    int n = 0;
+
+    if (array == NULL)
+	return 0;
+
+    while (*array++ != NULL)
+	n++;
+
+    return n;
+}
+
+/*
+ * NSS_CMSArray_Sort - sort an array in place
+ *
+ * If "secondary" or "tertiary are not NULL, it must be arrays with the same
+ *  number of elements as "primary". The same reordering will get applied to it.
+ *
+ * "compare" is a function that returns 
+ *  < 0 when the first element is less than the second
+ *  = 0 when the first element is equal to the second
+ *  > 0 when the first element is greater than the second
+ * to acheive ascending ordering.
+ */
+void
+NSS_CMSArray_Sort(void **primary, int (*compare)(void *,void *), void **secondary, void **tertiary)
+{
+    int n, i, limit, lastxchg;
+    void *tmp;
+
+    n = NSS_CMSArray_Count(primary);
+
+    PORT_Assert(secondary == NULL || NSS_CMSArray_Count(secondary) == n);
+    PORT_Assert(tertiary == NULL || NSS_CMSArray_Count(tertiary) == n);
+    
+    if (n <= 1)	/* ordering is fine */
+	return;
+    
+    /* yes, ladies and gentlemen, it's BUBBLE SORT TIME! */
+    limit = n - 1;
+    while (1) {
+	lastxchg = 0;
+	for (i = 0; i < limit; i++) {
+	    if ((*compare)(primary[i], primary[i+1]) > 0) {
+		/* exchange the neighbours */
+		tmp = primary[i+1];
+		primary[i+1] = primary[i];
+		primary[i] = tmp;
+		if (secondary) {		/* secondary array? */
+		    tmp = secondary[i+1];	/* exchange there as well */
+		    secondary[i+1] = secondary[i];
+		    secondary[i] = tmp;
+		}
+		if (tertiary) {			/* tertiary array? */
+		    tmp = tertiary[i+1];	/* exchange there as well */
+		    tertiary[i+1] = tertiary[i];
+		    tertiary[i] = tmp;
+		}
+		lastxchg = i+1;	/* index of the last element bubbled up */
+	    }
+	}
+	if (lastxchg == 0)	/* no exchanges, so array is sorted */
+	    break;		/* we're done */
+	limit = lastxchg;	/* array is sorted up to [limit] */
+    }
+}
+
+#if 0
+
+/* array iterator stuff... not used */
+
+typedef void **NSSCMSArrayIterator;
+
+/* iterator */
+NSSCMSArrayIterator
+NSS_CMSArray_First(void **array)
+{
+    if (array == NULL || array[0] == NULL)
+	return NULL;
+    return (NSSCMSArrayIterator)&(array[0]);
+}
+
+void *
+NSS_CMSArray_Obj(NSSCMSArrayIterator iter)
+{
+    void **p = (void **)iter;
+
+    return *iter;	/* which is NULL if we are at the end of the array */
+}
+
+NSSCMSArrayIterator
+NSS_CMSArray_Next(NSSCMSArrayIterator iter)
+{
+    void **p = (void **)iter;
+
+    return (NSSCMSArrayIterator)(p + 1);
+}
+
+#endif
diff --git a/security/nss/lib/smime/cmsasn1.c b/security/nss/lib/smime/cmsasn1.c
new file mode 100644
index 000000000..be44c7524
--- /dev/null
+++ b/security/nss/lib/smime/cmsasn1.c
@@ -0,0 +1,575 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * CMS ASN.1 templates
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+#include "key.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "prtime.h"
+#include "secerr.h"
+
+
+extern const SEC_ASN1Template nss_cms_set_of_attribute_template[];
+
+SEC_ASN1_MKSUB(CERT_IssuerAndSNTemplate)
+SEC_ASN1_MKSUB(CERT_SetOfSignedCrlTemplate)
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+SEC_ASN1_MKSUB(SEC_BitStringTemplate)
+SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
+SEC_ASN1_MKSUB(SEC_PointerToOctetStringTemplate)
+SEC_ASN1_MKSUB(SEC_SetOfAnyTemplate)
+
+/* -----------------------------------------------------------------------------
+ * MESSAGE
+ * (uses NSSCMSContentInfo)
+ */
+
+/* forward declaration */
+static const SEC_ASN1Template *
+nss_cms_choose_content_template(void *src_or_dest, PRBool encoding);
+
+static const SEC_ASN1TemplateChooserPtr nss_cms_chooser
+	= nss_cms_choose_content_template;
+
+const SEC_ASN1Template NSSCMSMessageTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(NSSCMSMessage) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(NSSCMSMessage,contentInfo.contentType) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM
+     | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  offsetof(NSSCMSMessage,contentInfo.content),
+	  &nss_cms_chooser },
+    { 0 }
+};
+
+static const SEC_ASN1Template NSS_PointerToCMSMessageTemplate[] = {
+    { SEC_ASN1_POINTER, 0, NSSCMSMessageTemplate }
+};
+
+/* -----------------------------------------------------------------------------
+ * ENCAPSULATED & ENCRYPTED CONTENTINFO
+ * (both use a NSSCMSContentInfo)
+ */
+static const SEC_ASN1Template NSSCMSEncapsulatedContentInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(NSSCMSContentInfo) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(NSSCMSContentInfo,contentType) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_MAY_STREAM |
+	SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+	  offsetof(NSSCMSContentInfo,rawContent),
+	  SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) },
+    { 0 }
+};
+
+static const SEC_ASN1Template NSSCMSEncryptedContentInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(NSSCMSContentInfo) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(NSSCMSContentInfo,contentType) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSContentInfo,contentEncAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_POINTER | SEC_ASN1_MAY_STREAM | 
+      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+	  offsetof(NSSCMSContentInfo,rawContent),
+	  SEC_ASN1_SUB(SEC_OctetStringTemplate) },
+    { 0 }
+};
+
+/* -----------------------------------------------------------------------------
+ * SIGNED DATA
+ */
+
+const SEC_ASN1Template NSSCMSSignerInfoTemplate[];
+
+const SEC_ASN1Template NSSCMSSignedDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(NSSCMSSignedData) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(NSSCMSSignedData,version) },
+    { SEC_ASN1_SET_OF | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSSignedData,digestAlgorithms),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_INLINE,
+	  offsetof(NSSCMSSignedData,contentInfo),
+	  NSSCMSEncapsulatedContentInfoTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 0,
+	  offsetof(NSSCMSSignedData,rawCerts),
+	  SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 1,
+	  offsetof(NSSCMSSignedData,crls),
+	  SEC_ASN1_SUB(CERT_SetOfSignedCrlTemplate) },
+    { SEC_ASN1_SET_OF,
+	  offsetof(NSSCMSSignedData,signerInfos),
+	  NSSCMSSignerInfoTemplate },
+    { 0 }
+};
+
+const SEC_ASN1Template NSS_PointerToCMSSignedDataTemplate[] = {
+    { SEC_ASN1_POINTER, 0, NSSCMSSignedDataTemplate }
+};
+
+/* -----------------------------------------------------------------------------
+ * signeridentifier
+ */
+
+static const SEC_ASN1Template NSSCMSSignerIdentifierTemplate[] = {
+    { SEC_ASN1_CHOICE,
+	  offsetof(NSSCMSSignerIdentifier,identifierType), NULL,
+	  sizeof(NSSCMSSignerIdentifier) },
+    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+	  offsetof(NSSCMSSignerIdentifier,id.subjectKeyID),
+	  SEC_ASN1_SUB(SEC_OctetStringTemplate) ,
+	  NSSCMSRecipientID_SubjectKeyID },
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSSignerIdentifier,id.issuerAndSN),
+	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate),
+	  NSSCMSRecipientID_IssuerSN },
+    { 0 }
+};
+
+/* -----------------------------------------------------------------------------
+ * signerinfo
+ */
+
+const SEC_ASN1Template NSSCMSSignerInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSSignerInfo) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(NSSCMSSignerInfo,version) },
+    { SEC_ASN1_INLINE,
+	  offsetof(NSSCMSSignerInfo,signerIdentifier),
+	  NSSCMSSignerIdentifierTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSSignerInfo,digestAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  offsetof(NSSCMSSignerInfo,authAttr),
+	  nss_cms_set_of_attribute_template },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSSignerInfo,digestEncAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSSignerInfo,encDigest) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	  offsetof(NSSCMSSignerInfo,unAuthAttr),
+	  nss_cms_set_of_attribute_template },
+    { 0 }
+};
+
+/* -----------------------------------------------------------------------------
+ * ENVELOPED DATA
+ */
+
+static const SEC_ASN1Template NSSCMSOriginatorInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSOriginatorInfo) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 0,
+	  offsetof(NSSCMSOriginatorInfo,rawCerts),
+	  SEC_ASN1_SUB(SEC_SetOfAnyTemplate) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 1,
+	  offsetof(NSSCMSOriginatorInfo,crls),
+	  SEC_ASN1_SUB(CERT_SetOfSignedCrlTemplate) },
+    { 0 }
+};
+
+const SEC_ASN1Template NSSCMSRecipientInfoTemplate[];
+
+const SEC_ASN1Template NSSCMSEnvelopedDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(NSSCMSEnvelopedData) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(NSSCMSEnvelopedData,version) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_POINTER | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  offsetof(NSSCMSEnvelopedData,originatorInfo),
+	  NSSCMSOriginatorInfoTemplate },
+    { SEC_ASN1_SET_OF,
+	  offsetof(NSSCMSEnvelopedData,recipientInfos),
+	  NSSCMSRecipientInfoTemplate },
+    { SEC_ASN1_INLINE,
+	  offsetof(NSSCMSEnvelopedData,contentInfo),
+	  NSSCMSEncryptedContentInfoTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	  offsetof(NSSCMSEnvelopedData,unprotectedAttr),
+	  nss_cms_set_of_attribute_template },
+    { 0 }
+};
+
+const SEC_ASN1Template NSS_PointerToCMSEnvelopedDataTemplate[] = {
+    { SEC_ASN1_POINTER, 0, NSSCMSEnvelopedDataTemplate }
+};
+
+/* here come the 15 gazillion templates for all the v3 varieties of RecipientInfo */
+
+/* -----------------------------------------------------------------------------
+ * key transport recipient info
+ */
+
+static const SEC_ASN1Template NSSCMSRecipientIdentifierTemplate[] = {
+    { SEC_ASN1_CHOICE,
+	  offsetof(NSSCMSRecipientIdentifier,identifierType), NULL,
+	  sizeof(NSSCMSRecipientIdentifier) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 0,
+	  offsetof(NSSCMSRecipientIdentifier,id.subjectKeyID),
+	  SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) ,
+	  NSSCMSRecipientID_SubjectKeyID },
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSRecipientIdentifier,id.issuerAndSN),
+	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate),
+	  NSSCMSRecipientID_IssuerSN },
+    { 0 }
+};
+
+
+static const SEC_ASN1Template NSSCMSKeyTransRecipientInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSKeyTransRecipientInfo) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(NSSCMSKeyTransRecipientInfo,version) },
+    { SEC_ASN1_INLINE,
+	  offsetof(NSSCMSKeyTransRecipientInfo,recipientIdentifier),
+	  NSSCMSRecipientIdentifierTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSKeyTransRecipientInfo,keyEncAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSKeyTransRecipientInfo,encKey) },
+    { 0 }
+};
+
+/* -----------------------------------------------------------------------------
+ * key agreement recipient info
+ */
+
+static const SEC_ASN1Template NSSCMSOriginatorPublicKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSOriginatorPublicKey) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSOriginatorPublicKey,algorithmIdentifier),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSOriginatorPublicKey,publicKey),
+	  SEC_ASN1_SUB(SEC_BitStringTemplate) },
+    { 0 }
+};
+
+
+static const SEC_ASN1Template NSSCMSOriginatorIdentifierOrKeyTemplate[] = {
+    { SEC_ASN1_CHOICE,
+	  offsetof(NSSCMSOriginatorIdentifierOrKey,identifierType), NULL,
+	  sizeof(NSSCMSOriginatorIdentifierOrKey) },
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSOriginatorIdentifierOrKey,id.issuerAndSN),
+	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate),
+	  NSSCMSOriginatorIDOrKey_IssuerSN },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+      SEC_ASN1_XTRN | 1,
+	  offsetof(NSSCMSOriginatorIdentifierOrKey,id.subjectKeyID),
+	  SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) ,
+	  NSSCMSOriginatorIDOrKey_SubjectKeyID },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
+	  offsetof(NSSCMSOriginatorIdentifierOrKey,id.originatorPublicKey),
+	  NSSCMSOriginatorPublicKeyTemplate,
+	  NSSCMSOriginatorIDOrKey_OriginatorPublicKey },
+    { 0 }
+};
+
+const SEC_ASN1Template NSSCMSRecipientKeyIdentifierTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSRecipientKeyIdentifier) },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSRecipientKeyIdentifier,subjectKeyIdentifier) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSRecipientKeyIdentifier,date) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSRecipientKeyIdentifier,other) },
+    { 0 }
+};
+
+
+static const SEC_ASN1Template NSSCMSKeyAgreeRecipientIdentifierTemplate[] = {
+    { SEC_ASN1_CHOICE,
+	  offsetof(NSSCMSKeyAgreeRecipientIdentifier,identifierType), NULL,
+	  sizeof(NSSCMSKeyAgreeRecipientIdentifier) },
+    { SEC_ASN1_POINTER | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSKeyAgreeRecipientIdentifier,id.issuerAndSN),
+	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate),
+	  NSSCMSKeyAgreeRecipientID_IssuerSN },
+    { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  offsetof(NSSCMSKeyAgreeRecipientIdentifier,id.recipientKeyIdentifier),
+	  NSSCMSRecipientKeyIdentifierTemplate,
+	  NSSCMSKeyAgreeRecipientID_RKeyID },
+    { 0 }
+};
+
+static const SEC_ASN1Template NSSCMSRecipientEncryptedKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSRecipientEncryptedKey) },
+    { SEC_ASN1_INLINE,
+	  offsetof(NSSCMSRecipientEncryptedKey,recipientIdentifier),
+	  NSSCMSKeyAgreeRecipientIdentifierTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSRecipientEncryptedKey,encKey),
+	  SEC_ASN1_SUB(SEC_BitStringTemplate) },
+    { 0 }
+};
+
+static const SEC_ASN1Template NSSCMSKeyAgreeRecipientInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSKeyAgreeRecipientInfo) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(NSSCMSKeyAgreeRecipientInfo,version) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+	  offsetof(NSSCMSKeyAgreeRecipientInfo,originatorIdentifierOrKey),
+	  NSSCMSOriginatorIdentifierOrKeyTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
+      SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
+	  offsetof(NSSCMSKeyAgreeRecipientInfo,ukm),
+	  SEC_ASN1_SUB(SEC_OctetStringTemplate) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSKeyAgreeRecipientInfo,keyEncAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_SEQUENCE_OF,
+	  offsetof(NSSCMSKeyAgreeRecipientInfo,recipientEncryptedKeys),
+	  NSSCMSRecipientEncryptedKeyTemplate },
+    { 0 }
+};
+
+/* -----------------------------------------------------------------------------
+ * KEK recipient info
+ */
+
+static const SEC_ASN1Template NSSCMSKEKIdentifierTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSKEKIdentifier) },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSKEKIdentifier,keyIdentifier) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSKEKIdentifier,date) },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSKEKIdentifier,other) },
+    { 0 }
+};
+
+static const SEC_ASN1Template NSSCMSKEKRecipientInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSKEKRecipientInfo) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(NSSCMSKEKRecipientInfo,version) },
+    { SEC_ASN1_INLINE,
+	  offsetof(NSSCMSKEKRecipientInfo,kekIdentifier),
+	  NSSCMSKEKIdentifierTemplate },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSKEKRecipientInfo,keyEncAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSKEKRecipientInfo,encKey) },
+    { 0 }
+};
+
+/* -----------------------------------------------------------------------------
+ * recipient info
+ */
+const SEC_ASN1Template NSSCMSRecipientInfoTemplate[] = {
+    { SEC_ASN1_CHOICE,
+	  offsetof(NSSCMSRecipientInfo,recipientInfoType), NULL,
+	  sizeof(NSSCMSRecipientInfo) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	  offsetof(NSSCMSRecipientInfo,ri.keyAgreeRecipientInfo),
+	  NSSCMSKeyAgreeRecipientInfoTemplate,
+	  NSSCMSRecipientInfoID_KeyAgree },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2,
+	  offsetof(NSSCMSRecipientInfo,ri.kekRecipientInfo),
+	  NSSCMSKEKRecipientInfoTemplate,
+	  NSSCMSRecipientInfoID_KEK },
+    { SEC_ASN1_INLINE,
+	  offsetof(NSSCMSRecipientInfo,ri.keyTransRecipientInfo),
+	  NSSCMSKeyTransRecipientInfoTemplate,
+	  NSSCMSRecipientInfoID_KeyTrans },
+    { 0 }
+};
+
+/* -----------------------------------------------------------------------------
+ *
+ */
+
+const SEC_ASN1Template NSSCMSDigestedDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(NSSCMSDigestedData) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(NSSCMSDigestedData,version) },
+    { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+	  offsetof(NSSCMSDigestedData,digestAlg),
+	  SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+    { SEC_ASN1_INLINE,
+	  offsetof(NSSCMSDigestedData,contentInfo),
+	  NSSCMSEncapsulatedContentInfoTemplate },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSDigestedData,digest) },
+    { 0 }
+};
+
+const SEC_ASN1Template NSS_PointerToCMSDigestedDataTemplate[] = {
+    { SEC_ASN1_POINTER, 0, NSSCMSDigestedDataTemplate }
+};
+
+const SEC_ASN1Template NSSCMSEncryptedDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
+	  0, NULL, sizeof(NSSCMSEncryptedData) },
+    { SEC_ASN1_INTEGER,
+	  offsetof(NSSCMSEncryptedData,version) },
+    { SEC_ASN1_INLINE,
+	  offsetof(NSSCMSEncryptedData,contentInfo),
+	  NSSCMSEncryptedContentInfoTemplate },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	  offsetof(NSSCMSEncryptedData,unprotectedAttr),
+	  nss_cms_set_of_attribute_template },
+    { 0 }
+};
+
+const SEC_ASN1Template NSS_PointerToCMSEncryptedDataTemplate[] = {
+    { SEC_ASN1_POINTER, 0, NSSCMSEncryptedDataTemplate }
+};
+
+/* -----------------------------------------------------------------------------
+ * FORTEZZA KEA
+ */
+const SEC_ASN1Template NSS_SMIMEKEAParamTemplateSkipjack[] = {
+	{ SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSSMIMEKEAParameters) },
+	{ SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
+	  offsetof(NSSCMSSMIMEKEAParameters,originatorKEAKey) },
+	{ SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSSMIMEKEAParameters,originatorRA) },
+	{ 0 }
+};
+
+const SEC_ASN1Template NSS_SMIMEKEAParamTemplateNoSkipjack[] = {
+	{ SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSSMIMEKEAParameters) },
+	{ SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
+	  offsetof(NSSCMSSMIMEKEAParameters,originatorKEAKey) },
+	{ SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSSMIMEKEAParameters,originatorRA) },
+	{ SEC_ASN1_OCTET_STRING  | SEC_ASN1_OPTIONAL ,
+	  offsetof(NSSCMSSMIMEKEAParameters,nonSkipjackIV) },
+	{ 0 }
+};
+
+const SEC_ASN1Template NSS_SMIMEKEAParamTemplateAllParams[] = {
+	{ SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSSMIMEKEAParameters) },
+	{ SEC_ASN1_OCTET_STRING /* | SEC_ASN1_OPTIONAL */,
+	  offsetof(NSSCMSSMIMEKEAParameters,originatorKEAKey) },
+	{ SEC_ASN1_OCTET_STRING,
+	  offsetof(NSSCMSSMIMEKEAParameters,originatorRA) },
+	{ SEC_ASN1_OCTET_STRING  | SEC_ASN1_OPTIONAL ,
+	  offsetof(NSSCMSSMIMEKEAParameters,nonSkipjackIV) },
+	{ SEC_ASN1_OCTET_STRING  | SEC_ASN1_OPTIONAL ,
+	  offsetof(NSSCMSSMIMEKEAParameters,bulkKeySize) },
+	{ 0 }
+};
+
+const SEC_ASN1Template *
+nss_cms_get_kea_template(NSSCMSKEATemplateSelector whichTemplate)
+{
+	const SEC_ASN1Template *returnVal = NULL;
+
+	switch(whichTemplate)
+	{
+	case NSSCMSKEAUsesNonSkipjack:
+		returnVal = NSS_SMIMEKEAParamTemplateNoSkipjack;
+		break;
+	case NSSCMSKEAUsesSkipjack:
+		returnVal = NSS_SMIMEKEAParamTemplateSkipjack;
+		break;
+	case NSSCMSKEAUsesNonSkipjackWithPaddedEncKey:
+	default:
+		returnVal = NSS_SMIMEKEAParamTemplateAllParams;
+		break;
+	}
+	return returnVal;
+}
+
+/* -----------------------------------------------------------------------------
+ *
+ */
+static const SEC_ASN1Template *
+nss_cms_choose_content_template(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    NSSCMSContentInfo *cinfo;
+
+    PORT_Assert (src_or_dest != NULL);
+    if (src_or_dest == NULL)
+	return NULL;
+
+    cinfo = (NSSCMSContentInfo *)src_or_dest;
+    switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
+    default:
+	theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+	break;
+    case SEC_OID_PKCS7_DATA:
+	theTemplate = SEC_ASN1_GET(SEC_PointerToOctetStringTemplate);
+	break;
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	theTemplate = NSS_PointerToCMSSignedDataTemplate;
+	break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	theTemplate = NSS_PointerToCMSEnvelopedDataTemplate;
+	break;
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+	theTemplate = NSS_PointerToCMSDigestedDataTemplate;
+	break;
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	theTemplate = NSS_PointerToCMSEncryptedDataTemplate;
+	break;
+    }
+    return theTemplate;
+}
diff --git a/security/nss/lib/smime/cmsattr.c b/security/nss/lib/smime/cmsattr.c
new file mode 100644
index 000000000..4217e6c78
--- /dev/null
+++ b/security/nss/lib/smime/cmsattr.c
@@ -0,0 +1,453 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * CMS attributes.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "prtime.h"
+#include "secerr.h"
+
+/*
+ * -------------------------------------------------------------------
+ * XXX The following Attribute stuff really belongs elsewhere.
+ * The Attribute type is *not* part of CMS but rather X.501.
+ * But for now, since CMS is the only customer of attributes,
+ * we define them here.  Once there is a use outside of CMS,
+ * then change the attribute types and functions from internal
+ * to external naming convention, and move them elsewhere!
+ */
+
+
+/*
+ * NSS_CMSAttribute_Create - create an attribute
+ *
+ * if value is NULL, the attribute won't have a value. It can be added later
+ * with NSS_CMSAttribute_AddValue.
+ */
+NSSCMSAttribute *
+NSS_CMSAttribute_Create(PRArenaPool *poolp, SECOidTag oidtag, SECItem *value, PRBool encoded)
+{
+    NSSCMSAttribute *attr;
+    SECItem *copiedvalue;
+    void *mark;
+
+    PORT_Assert (poolp != NULL);
+
+    mark = PORT_ArenaMark (poolp);
+
+    attr = (NSSCMSAttribute *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSAttribute));
+    if (attr == NULL)
+	goto loser;
+
+    attr->typeTag = SECOID_FindOIDByTag(oidtag);
+    if (attr->typeTag == NULL)
+	goto loser;
+
+    if (SECITEM_CopyItem(poolp, &(attr->type), &(attr->typeTag->oid)) != SECSuccess)
+	goto loser;
+
+    if (value != NULL) {
+	if ((copiedvalue = SECITEM_AllocItem(poolp, NULL, value->len)) == NULL)
+	    goto loser;
+
+	if (SECITEM_CopyItem(poolp, copiedvalue, value) != SECSuccess)
+	    goto loser;
+
+	NSS_CMSArray_Add(poolp, (void ***)&(attr->values), (void *)copiedvalue);
+    }
+
+    attr->encoded = encoded;
+
+    PORT_ArenaUnmark (poolp, mark);
+
+    return attr;
+
+loser:
+    PORT_Assert (mark != NULL);
+    PORT_ArenaRelease (poolp, mark);
+    return NULL;
+}
+
+/*
+ * NSS_CMSAttribute_AddValue - add another value to an attribute
+ */
+SECStatus
+NSS_CMSAttribute_AddValue(PLArenaPool *poolp, NSSCMSAttribute *attr, SECItem *value)
+{
+    SECItem copiedvalue;
+    void *mark;
+
+    PORT_Assert (poolp != NULL);
+
+    mark = PORT_ArenaMark(poolp);
+
+    /* XXX we need an object memory model #$%#$%! */
+    if (SECITEM_CopyItem(poolp, &copiedvalue, value) != SECSuccess)
+	goto loser;
+
+    if (NSS_CMSArray_Add(poolp, (void ***)&(attr->values), (void *)&copiedvalue) != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_Assert (mark != NULL);
+    PORT_ArenaRelease (poolp, mark);
+    return SECFailure;
+}
+
+/*
+ * NSS_CMSAttribute_GetType - return the OID tag
+ */
+SECOidTag
+NSS_CMSAttribute_GetType(NSSCMSAttribute *attr)
+{
+    SECOidData *typetag;
+
+    typetag = SECOID_FindOID(&(attr->type));
+    if (typetag == NULL)
+	return SEC_OID_UNKNOWN;
+
+    return typetag->offset;
+}
+
+/*
+ * NSS_CMSAttribute_GetValue - return the first attribute value
+ *
+ * We do some sanity checking first:
+ * - Multiple values are *not* expected.
+ * - Empty values are *not* expected.
+ */
+SECItem *
+NSS_CMSAttribute_GetValue(NSSCMSAttribute *attr)
+{
+    SECItem *value;
+
+    if (attr == NULL)
+	return NULL;
+
+    value = attr->values[0];
+
+    if (value == NULL || value->data == NULL || value->len == 0)
+	return NULL;
+
+    if (attr->values[1] != NULL)
+	return NULL;
+
+    return value;
+}
+
+/*
+ * NSS_CMSAttribute_CompareValue - compare the attribute's first value against data
+ */
+PRBool
+NSS_CMSAttribute_CompareValue(NSSCMSAttribute *attr, SECItem *av)
+{
+    SECItem *value;
+    
+    if (attr == NULL)
+	return PR_FALSE;
+
+    value = NSS_CMSAttribute_GetValue(attr);
+
+    return (value != NULL && value->len == av->len &&
+	PORT_Memcmp (value->data, av->data, value->len) == 0);
+}
+
+/*
+ * templates and functions for separate ASN.1 encoding of attributes
+ *
+ * used in NSS_CMSAttributeArray_Reorder
+ */
+
+/*
+ * helper function for dynamic template determination of the attribute value
+ */
+static const SEC_ASN1Template *
+cms_attr_choose_attr_value_template(void *src_or_dest, PRBool encoding)
+{
+    const SEC_ASN1Template *theTemplate;
+    NSSCMSAttribute *attribute;
+    SECOidData *oiddata;
+    PRBool encoded;
+
+    PORT_Assert (src_or_dest != NULL);
+    if (src_or_dest == NULL)
+	return NULL;
+
+    attribute = (NSSCMSAttribute *)src_or_dest;
+
+    if (encoding && attribute->encoded)
+	/* we're encoding, and the attribute value is already encoded. */
+	return SEC_ASN1_GET(SEC_AnyTemplate);
+
+    /* get attribute's typeTag */
+    oiddata = attribute->typeTag;
+    if (oiddata == NULL) {
+	oiddata = SECOID_FindOID(&attribute->type);
+	attribute->typeTag = oiddata;
+    }
+
+    if (oiddata == NULL) {
+	/* still no OID tag? OID is unknown then. en/decode value as ANY. */
+	encoded = PR_TRUE;
+	theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
+    } else {
+	switch (oiddata->offset) {
+	case SEC_OID_PKCS9_SMIME_CAPABILITIES:
+	case SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE:
+	    /* these guys need to stay DER-encoded */
+	default:
+	    /* same goes for OIDs that are not handled here */
+	    encoded = PR_TRUE;
+	    theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
+	    break;
+	    /* otherwise choose proper template */
+	case SEC_OID_PKCS9_EMAIL_ADDRESS:
+	case SEC_OID_RFC1274_MAIL:
+	case SEC_OID_PKCS9_UNSTRUCTURED_NAME:
+	    encoded = PR_FALSE;
+	    theTemplate = SEC_ASN1_GET(SEC_IA5StringTemplate);
+	    break;
+	case SEC_OID_PKCS9_CONTENT_TYPE:
+	    encoded = PR_FALSE;
+	    theTemplate = SEC_ASN1_GET(SEC_ObjectIDTemplate);
+	    break;
+	case SEC_OID_PKCS9_MESSAGE_DIGEST:
+	    encoded = PR_FALSE;
+	    theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate);
+	    break;
+	case SEC_OID_PKCS9_SIGNING_TIME:
+	    encoded = PR_FALSE;
+	    theTemplate = SEC_ASN1_GET(SEC_UTCTimeTemplate);
+	    break;
+	  /* XXX Want other types here, too */
+	}
+    }
+
+    if (encoding) {
+	/*
+	 * If we are encoding and we think we have an already-encoded value,
+	 * then the code which initialized this attribute should have set
+	 * the "encoded" property to true (and we would have returned early,
+	 * up above).  No devastating error, but that code should be fixed.
+	 * (It could indicate that the resulting encoded bytes are wrong.)
+	 */
+	PORT_Assert (!encoded);
+    } else {
+	/*
+	 * We are decoding; record whether the resulting value is
+	 * still encoded or not.
+	 */
+	attribute->encoded = encoded;
+    }
+    return theTemplate;
+}
+
+static const SEC_ASN1TemplateChooserPtr cms_attr_chooser
+	= cms_attr_choose_attr_value_template;
+
+const SEC_ASN1Template nss_cms_attribute_template[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSCMSAttribute) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(NSSCMSAttribute,type) },
+    { SEC_ASN1_DYNAMIC | SEC_ASN1_SET_OF,
+	  offsetof(NSSCMSAttribute,values),
+	  &cms_attr_chooser },
+    { 0 }
+};
+
+const SEC_ASN1Template nss_cms_set_of_attribute_template[] = {
+    { SEC_ASN1_SET_OF, 0, nss_cms_attribute_template },
+};
+
+/* =============================================================================
+ * Attribute Array methods
+ */
+
+/*
+ * NSS_CMSAttributeArray_Encode - encode an Attribute array as SET OF Attributes
+ *
+ * If you are wondering why this routine does not reorder the attributes
+ * first, and might be tempted to make it do so, see the comment by the
+ * call to ReorderAttributes in cmsencode.c.  (Or, see who else calls this
+ * and think long and hard about the implications of making it always
+ * do the reordering.)
+ */
+SECItem *
+NSS_CMSAttributeArray_Encode(PRArenaPool *poolp, NSSCMSAttribute ***attrs, SECItem *dest)
+{
+    return SEC_ASN1EncodeItem (poolp, dest, (void *)attrs, nss_cms_set_of_attribute_template);
+}
+
+/*
+ * NSS_CMSAttributeArray_Reorder - sort attribute array by attribute's DER encoding
+ *
+ * make sure that the order of the attributes guarantees valid DER (which must be
+ * in lexigraphically ascending order for a SET OF); if reordering is necessary it
+ * will be done in place (in attrs).
+ */
+SECStatus
+NSS_CMSAttributeArray_Reorder(NSSCMSAttribute **attrs)
+{
+    return NSS_CMSArray_SortByDER((void **)attrs, nss_cms_attribute_template, NULL);
+}
+
+/*
+ * NSS_CMSAttributeArray_FindAttrByOidTag - look through a set of attributes and
+ * find one that matches the specified object ID.
+ *
+ * If "only" is true, then make sure that there is not more than one attribute
+ * of the same type.  Otherwise, just return the first one found. (XXX Does
+ * anybody really want that first-found behavior?  It was like that when I found it...)
+ */
+NSSCMSAttribute *
+NSS_CMSAttributeArray_FindAttrByOidTag(NSSCMSAttribute **attrs, SECOidTag oidtag, PRBool only)
+{
+    SECOidData *oid;
+    NSSCMSAttribute *attr1, *attr2;
+
+    if (attrs == NULL)
+	return NULL;
+
+    oid = SECOID_FindOIDByTag(oidtag);
+    if (oid == NULL)
+	return NULL;
+
+    while ((attr1 = *attrs++) != NULL) {
+	if (attr1->type.len == oid->oid.len && PORT_Memcmp (attr1->type.data,
+							    oid->oid.data,
+							    oid->oid.len) == 0)
+	    break;
+    }
+
+    if (attr1 == NULL)
+	return NULL;
+
+    if (!only)
+	return attr1;
+
+    while ((attr2 = *attrs++) != NULL) {
+	if (attr2->type.len == oid->oid.len && PORT_Memcmp (attr2->type.data,
+							    oid->oid.data,
+							    oid->oid.len) == 0)
+	    break;
+    }
+
+    if (attr2 != NULL)
+	return NULL;
+
+    return attr1;
+}
+
+/*
+ * NSS_CMSAttributeArray_AddAttr - add an attribute to an
+ * array of attributes. 
+ */
+SECStatus
+NSS_CMSAttributeArray_AddAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, NSSCMSAttribute *attr)
+{
+    NSSCMSAttribute *oattr;
+    void *mark;
+    SECOidTag type;
+
+    mark = PORT_ArenaMark(poolp);
+
+    /* find oidtag of attr */
+    type = NSS_CMSAttribute_GetType(attr);
+
+    /* see if we have one already */
+    oattr = NSS_CMSAttributeArray_FindAttrByOidTag(*attrs, type, PR_FALSE);
+    PORT_Assert (oattr == NULL);
+    if (oattr != NULL)
+	goto loser;	/* XXX or would it be better to replace it? */
+
+    /* no, shove it in */
+    if (NSS_CMSArray_Add(poolp, (void ***)attrs, (void *)attr) != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease(poolp, mark);
+    return SECFailure;
+}
+
+/*
+ * NSS_CMSAttributeArray_SetAttr - set an attribute's value in a set of attributes
+ */
+SECStatus
+NSS_CMSAttributeArray_SetAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, SECOidTag type, SECItem *value, PRBool encoded)
+{
+    NSSCMSAttribute *attr;
+    void *mark;
+
+    mark = PORT_ArenaMark(poolp);
+
+    /* see if we have one already */
+    attr = NSS_CMSAttributeArray_FindAttrByOidTag(*attrs, type, PR_FALSE);
+    if (attr == NULL) {
+	/* not found? create one! */
+	attr = NSS_CMSAttribute_Create(poolp, type, value, encoded);
+	if (attr == NULL)
+	    goto loser;
+	/* and add it to the list */
+	if (NSS_CMSArray_Add(poolp, (void ***)attrs, (void *)attr) != SECSuccess)
+	    goto loser;
+    } else {
+	/* found, shove it in */
+	/* XXX we need a decent memory model @#$#$!#!!! */
+	attr->values[0] = value;
+	attr->encoded = encoded;
+    }
+
+    PORT_ArenaUnmark (poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease (poolp, mark);
+    return SECFailure;
+}
+
diff --git a/security/nss/lib/smime/cmscinfo.c b/security/nss/lib/smime/cmscinfo.c
new file mode 100644
index 000000000..9e4a2dc5e
--- /dev/null
+++ b/security/nss/lib/smime/cmscinfo.c
@@ -0,0 +1,327 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * CMS contentInfo methods.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "pk11func.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "secerr.h"
+
+/*
+ * NSS_CMSContentInfo_Create - create a content info
+ *
+ * version is set in the _Finalize procedures for each content type
+ */
+
+/*
+ * NSS_CMSContentInfo_Destroy - destroy a CMS contentInfo and all of its sub-pieces.
+ */
+void
+NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo)
+{
+    SECOidTag kind;
+
+    kind = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+    switch (kind) {
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	NSS_CMSEnvelopedData_Destroy(cinfo->content.envelopedData);
+	break;
+      case SEC_OID_PKCS7_SIGNED_DATA:
+	NSS_CMSSignedData_Destroy(cinfo->content.signedData);
+	break;
+      case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	NSS_CMSEncryptedData_Destroy(cinfo->content.encryptedData);
+	break;
+      case SEC_OID_PKCS7_DIGESTED_DATA:
+	NSS_CMSDigestedData_Destroy(cinfo->content.digestedData);
+	break;
+      default:
+	/* XXX Anything else that needs to be "manually" freed/destroyed? */
+	break;
+    }
+    if (cinfo->bulkkey)
+	PK11_FreeSymKey(cinfo->bulkkey);
+    
+    /* we live in a pool, so no need to worry about storage */
+}
+
+/*
+ * NSS_CMSContentInfo_GetChildContentInfo - get content's contentInfo (if it exists)
+ */
+NSSCMSContentInfo *
+NSS_CMSContentInfo_GetChildContentInfo(NSSCMSContentInfo *cinfo)
+{
+    switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
+    case SEC_OID_PKCS7_DATA:
+	return NULL;
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	return &(cinfo->content.signedData->contentInfo);
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	return &(cinfo->content.envelopedData->contentInfo);
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+	return &(cinfo->content.digestedData->contentInfo);
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	return &(cinfo->content.encryptedData->contentInfo);
+    default:
+	return NULL;
+    }
+}
+
+/*
+ * NSS_CMSContentInfo_SetContent - set content type & content
+ */
+SECStatus
+NSS_CMSContentInfo_SetContent(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SECOidTag type, void *ptr)
+{
+    SECStatus rv;
+
+    cinfo->contentTypeTag = SECOID_FindOIDByTag(type);
+    if (cinfo->contentTypeTag == NULL)
+	return SECFailure;
+    
+    /* do not copy the oid, just create a reference */
+    rv = SECITEM_CopyItem (cmsg->poolp, &(cinfo->contentType), &(cinfo->contentTypeTag->oid));
+    if (rv != SECSuccess)
+	return SECFailure;
+
+    cinfo->content.pointer = ptr;
+
+    if (type != SEC_OID_PKCS7_DATA) {
+	/* as we always have some inner data,
+	 * we need to set it to something, just to fool the encoder enough to work on it
+	 * and get us into nss_cms_encoder_notify at that point */
+	cinfo->rawContent = SECITEM_AllocItem(cmsg->poolp, NULL, 1);
+	if (cinfo->rawContent == NULL) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    return SECFailure;
+	}
+    }
+
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSContentInfo_SetContent_XXXX - typesafe wrappers for NSS_CMSContentInfo_SetContent
+ */
+
+/*
+ * data == NULL -> pass in data via NSS_CMSEncoder_Update
+ * data != NULL -> take this data
+ */
+SECStatus
+NSS_CMSContentInfo_SetContent_Data(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SECItem *data, PRBool detached)
+{
+    if (NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess)
+	return SECFailure;
+    cinfo->rawContent = (detached) ? 
+			    NULL : (data) ? 
+				data : SECITEM_AllocItem(cmsg->poolp, NULL, 1);
+    return SECSuccess;
+}
+
+SECStatus
+NSS_CMSContentInfo_SetContent_SignedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSSignedData *sigd)
+{
+    return NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_SIGNED_DATA, (void *)sigd);
+}
+
+SECStatus
+NSS_CMSContentInfo_SetContent_EnvelopedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSEnvelopedData *envd)
+{
+    return NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_ENVELOPED_DATA, (void *)envd);
+}
+
+SECStatus
+NSS_CMSContentInfo_SetContent_DigestedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSDigestedData *digd)
+{
+    return NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DIGESTED_DATA, (void *)digd);
+}
+
+SECStatus
+NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSEncryptedData *encd)
+{
+    return NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_ENCRYPTED_DATA, (void *)encd);
+}
+
+/*
+ * NSS_CMSContentInfo_GetContent - get pointer to inner content
+ *
+ * needs to be casted...
+ */
+void *
+NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo)
+{
+    switch (cinfo->contentTypeTag->offset) {
+    case SEC_OID_PKCS7_DATA:
+    case SEC_OID_PKCS7_SIGNED_DATA:
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	return cinfo->content.pointer;
+    default:
+	return NULL;
+    }
+}
+
+/* 
+ * NSS_CMSContentInfo_GetInnerContent - get pointer to innermost content
+ *
+ * this is typically only called by NSS_CMSMessage_GetContent()
+ */
+SECItem *
+NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo)
+{
+    NSSCMSContentInfo *ccinfo;
+
+    switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
+    case SEC_OID_PKCS7_DATA:
+	return cinfo->content.data;	/* end of recursion - every message has to have a data cinfo */
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	if ((ccinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) == NULL)
+	    break;
+	return NSS_CMSContentInfo_GetContent(ccinfo);
+    default:
+	PORT_Assert(0);
+	break;
+    }
+    return NULL;
+}
+
+/*
+ * NSS_CMSContentInfo_GetContentType{Tag,OID} - find out (saving pointer to lookup result
+ * for future reference) and return the inner content type.
+ */
+SECOidTag
+NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo)
+{
+    if (cinfo->contentTypeTag == NULL)
+	cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
+
+    if (cinfo->contentTypeTag == NULL)
+	return SEC_OID_UNKNOWN;
+
+    return cinfo->contentTypeTag->offset;
+}
+
+SECItem *
+NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo)
+{
+    if (cinfo->contentTypeTag == NULL)
+	cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
+
+    if (cinfo->contentTypeTag == NULL)
+	return NULL;
+
+    return &(cinfo->contentTypeTag->oid);
+}
+
+/*
+ * NSS_CMSContentInfo_GetContentEncAlgTag - find out (saving pointer to lookup result
+ * for future reference) and return the content encryption algorithm tag.
+ */
+SECOidTag
+NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo)
+{
+    if (cinfo->contentEncAlgTag == SEC_OID_UNKNOWN)
+	cinfo->contentEncAlgTag = SECOID_GetAlgorithmTag(&(cinfo->contentEncAlg));
+
+    return cinfo->contentEncAlgTag;
+}
+
+/*
+ * NSS_CMSContentInfo_GetContentEncAlg - find out and return the content encryption algorithm tag.
+ */
+SECAlgorithmID *
+NSS_CMSContentInfo_GetContentEncAlg(NSSCMSContentInfo *cinfo)
+{
+    return &(cinfo->contentEncAlg);
+}
+
+SECStatus
+NSS_CMSContentInfo_SetContentEncAlg(PLArenaPool *poolp, NSSCMSContentInfo *cinfo,
+				    SECOidTag bulkalgtag, SECItem *parameters, int keysize)
+{
+    SECStatus rv;
+
+    rv = SECOID_SetAlgorithmID(poolp, &(cinfo->contentEncAlg), bulkalgtag, parameters);
+    if (rv != SECSuccess)
+	return SECFailure;
+    cinfo->keysize = keysize;
+    return SECSuccess;
+}
+
+SECStatus
+NSS_CMSContentInfo_SetContentEncAlgID(PLArenaPool *poolp, NSSCMSContentInfo *cinfo,
+				    SECAlgorithmID *algid, int keysize)
+{
+    SECStatus rv;
+
+    rv = SECOID_CopyAlgorithmID(poolp, &(cinfo->contentEncAlg), algid);
+    if (rv != SECSuccess)
+	return SECFailure;
+    if (keysize >= 0)
+	cinfo->keysize = keysize;
+    return SECSuccess;
+}
+
+void
+NSS_CMSContentInfo_SetBulkKey(NSSCMSContentInfo *cinfo, PK11SymKey *bulkkey)
+{
+    cinfo->bulkkey = PK11_ReferenceSymKey(bulkkey);
+    cinfo->keysize = PK11_GetKeyStrength(cinfo->bulkkey, &(cinfo->contentEncAlg));
+}
+
+PK11SymKey *
+NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo)
+{
+    if (cinfo->bulkkey == NULL)
+	return NULL;
+
+    return PK11_ReferenceSymKey(cinfo->bulkkey);
+}
+
+int
+NSS_CMSContentInfo_GetBulkKeySize(NSSCMSContentInfo *cinfo)
+{
+    return cinfo->keysize;
+}
diff --git a/security/nss/lib/smime/cmscipher.c b/security/nss/lib/smime/cmscipher.c
new file mode 100644
index 000000000..27e5668aa
--- /dev/null
+++ b/security/nss/lib/smime/cmscipher.c
@@ -0,0 +1,792 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Encryption/decryption routines for CMS implementation, none of which are exported.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "secoid.h"
+#include "secitem.h"
+#include "pk11func.h"
+#include "secerr.h"
+#include "secpkcs5.h"
+
+/*
+ * -------------------------------------------------------------------
+ * Cipher stuff.
+ */
+
+typedef SECStatus (*nss_cms_cipher_function) (void *, unsigned char *, unsigned int *,
+					unsigned int, const unsigned char *, unsigned int);
+typedef SECStatus (*nss_cms_cipher_destroy) (void *, PRBool);
+
+#define BLOCK_SIZE 4096
+
+struct NSSCMSCipherContextStr {
+    void *		cx;			/* PK11 cipher context */
+    nss_cms_cipher_function doit;
+    nss_cms_cipher_destroy destroy;
+    PRBool		encrypt;		/* encrypt / decrypt switch */
+    int			block_size;		/* block & pad sizes for cipher */
+    int			pad_size;
+    int			pending_count;		/* pending data (not yet en/decrypted */
+    unsigned char	pending_buf[BLOCK_SIZE];/* because of blocking */
+};
+
+/*
+ * NSS_CMSCipherContext_StartDecrypt - create a cipher context to do decryption
+ * based on the given bulk * encryption key and algorithm identifier (which may include an iv).
+ *
+ * XXX Once both are working, it might be nice to combine this and the
+ * function below (for starting up encryption) into one routine, and just
+ * have two simple cover functions which call it. 
+ */
+NSSCMSCipherContext *
+NSS_CMSCipherContext_StartDecrypt(PK11SymKey *key, SECAlgorithmID *algid)
+{
+    NSSCMSCipherContext *cc;
+    void *ciphercx;
+    CK_MECHANISM_TYPE mechanism;
+    SECItem *param;
+    PK11SlotInfo *slot;
+    SECOidTag algtag;
+
+    algtag = SECOID_GetAlgorithmTag(algid);
+
+    /* set param and mechanism */
+    if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) {
+	CK_MECHANISM pbeMech, cryptoMech;
+	SECItem *pbeParams;
+	SEC_PKCS5KeyAndPassword *keyPwd;
+
+	PORT_Memset(&pbeMech, 0, sizeof(CK_MECHANISM));
+	PORT_Memset(&cryptoMech, 0, sizeof(CK_MECHANISM));
+
+	/* HACK ALERT!
+	 * in this case, key is not actually a PK11SymKey *, but a SEC_PKCS5KeyAndPassword *
+	 */
+	keyPwd = (SEC_PKCS5KeyAndPassword *)key;
+	key = keyPwd->key;
+
+	/* find correct PK11 mechanism and parameters to initialize pbeMech */
+	pbeMech.mechanism = PK11_AlgtagToMechanism(algtag);
+	pbeParams = PK11_ParamFromAlgid(algid);
+	if (!pbeParams)
+	    return NULL;
+	pbeMech.pParameter = pbeParams->data;
+	pbeMech.ulParameterLen = pbeParams->len;
+
+	/* now map pbeMech to cryptoMech */
+	if (PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, keyPwd->pwitem,
+						  PR_FALSE) != CKR_OK) { 
+	    SECITEM_ZfreeItem(pbeParams, PR_TRUE);
+	    return NULL;
+	}
+	SECITEM_ZfreeItem(pbeParams, PR_TRUE);
+
+	/* and use it to initialize param & mechanism */
+	if ((param = (SECItem *)PORT_ZAlloc(sizeof(SECItem))) == NULL)
+	     return NULL;
+
+	param->data = (unsigned char *)cryptoMech.pParameter;
+	param->len = cryptoMech.ulParameterLen;
+	mechanism = cryptoMech.mechanism;
+    } else {
+	mechanism = PK11_AlgtagToMechanism(algtag);
+	if ((param = PK11_ParamFromAlgid(algid)) == NULL)
+	    return NULL;
+    }
+
+    cc = (NSSCMSCipherContext *)PORT_ZAlloc(sizeof(NSSCMSCipherContext));
+    if (cc == NULL) {
+	SECITEM_FreeItem(param,PR_TRUE);
+	return NULL;
+    }
+
+    /* figure out pad and block sizes */
+    cc->pad_size = PK11_GetBlockSize(mechanism, param);
+    slot = PK11_GetSlotFromKey(key);
+    cc->block_size = PK11_IsHW(slot) ? BLOCK_SIZE : cc->pad_size;
+    PK11_FreeSlot(slot);
+
+    /* create PK11 cipher context */
+    ciphercx = PK11_CreateContextBySymKey(mechanism, CKA_DECRYPT, key, param);
+    SECITEM_FreeItem(param, PR_TRUE);
+    if (ciphercx == NULL) {
+	PORT_Free (cc);
+	return NULL;
+    }
+
+    cc->cx = ciphercx;
+    cc->doit =  (nss_cms_cipher_function) PK11_CipherOp;
+    cc->destroy = (nss_cms_cipher_destroy) PK11_DestroyContext;
+    cc->encrypt = PR_FALSE;
+    cc->pending_count = 0;
+
+    return cc;
+}
+
+/*
+ * NSS_CMSCipherContext_StartEncrypt - create a cipher object to do encryption,
+ * based on the given bulk encryption key and algorithm tag.  Fill in the algorithm
+ * identifier (which may include an iv) appropriately.
+ *
+ * XXX Once both are working, it might be nice to combine this and the
+ * function above (for starting up decryption) into one routine, and just
+ * have two simple cover functions which call it. 
+ */
+NSSCMSCipherContext *
+NSS_CMSCipherContext_StartEncrypt(PRArenaPool *poolp, PK11SymKey *key, SECAlgorithmID *algid)
+{
+    NSSCMSCipherContext *cc;
+    void *ciphercx;
+    SECItem *param;
+    SECStatus rv;
+    CK_MECHANISM_TYPE mechanism;
+    PK11SlotInfo *slot;
+    PRBool needToEncodeAlgid = PR_FALSE;
+    SECOidTag algtag = SECOID_GetAlgorithmTag(algid);
+
+    /* set param and mechanism */
+    if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) {
+	CK_MECHANISM pbeMech, cryptoMech;
+	SECItem *pbeParams;
+	SEC_PKCS5KeyAndPassword *keyPwd;
+
+	PORT_Memset(&pbeMech, 0, sizeof(CK_MECHANISM));
+	PORT_Memset(&cryptoMech, 0, sizeof(CK_MECHANISM));
+
+	/* HACK ALERT!
+	 * in this case, key is not actually a PK11SymKey *, but a SEC_PKCS5KeyAndPassword *
+	 */
+	keyPwd = (SEC_PKCS5KeyAndPassword *)key;
+	key = keyPwd->key;
+
+	/* find correct PK11 mechanism and parameters to initialize pbeMech */
+	pbeMech.mechanism = PK11_AlgtagToMechanism(algtag);
+	pbeParams = PK11_ParamFromAlgid(algid);
+	if (!pbeParams)
+	    return NULL;
+	pbeMech.pParameter = pbeParams->data;
+	pbeMech.ulParameterLen = pbeParams->len;
+
+	/* now map pbeMech to cryptoMech */
+	if (PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech, keyPwd->pwitem,
+						  PR_FALSE) != CKR_OK) { 
+	    SECITEM_ZfreeItem(pbeParams, PR_TRUE);
+	    return NULL;
+	}
+	SECITEM_ZfreeItem(pbeParams, PR_TRUE);
+
+	/* and use it to initialize param & mechanism */
+	if ((param = (SECItem *)PORT_ZAlloc(sizeof(SECItem))) == NULL)
+	    return NULL;
+
+	param->data = (unsigned char *)cryptoMech.pParameter;
+	param->len = cryptoMech.ulParameterLen;
+	mechanism = cryptoMech.mechanism;
+    } else {
+	mechanism = PK11_AlgtagToMechanism(algtag);
+	if ((param = PK11_GenerateNewParam(mechanism, key)) == NULL)
+	    return NULL;
+	needToEncodeAlgid = PR_TRUE;
+    }
+
+    cc = (NSSCMSCipherContext *)PORT_ZAlloc(sizeof(NSSCMSCipherContext));
+    if (cc == NULL)
+	return NULL;
+
+    /* now find pad and block sizes for our mechanism */
+    cc->pad_size = PK11_GetBlockSize(mechanism,param);
+    slot = PK11_GetSlotFromKey(key);
+    cc->block_size = PK11_IsHW(slot) ? BLOCK_SIZE : cc->pad_size;
+    PK11_FreeSlot(slot);
+
+    /* and here we go, creating a PK11 cipher context */
+    ciphercx = PK11_CreateContextBySymKey(mechanism, CKA_ENCRYPT, key, param);
+    if (ciphercx == NULL) {
+	PORT_Free(cc);
+	cc = NULL;
+	goto loser;
+    }
+
+    /*
+     * These are placed after the CreateContextBySymKey() because some
+     * mechanisms have to generate their IVs from their card (i.e. FORTEZZA).
+     * Don't move it from here.
+     * XXX is that right? the purpose of this is to get the correct algid
+     *     containing the IVs etc. for encoding. this means we need to set this up
+     *     BEFORE encoding the algid in the contentInfo, right?
+     */
+    if (needToEncodeAlgid) {
+	rv = PK11_ParamToAlgid(algtag, param, poolp, algid);
+	if(rv != SECSuccess) {
+	    PORT_Free(cc);
+	    cc = NULL;
+	    goto loser;
+	}
+    }
+
+    cc->cx = ciphercx;
+    cc->doit = (nss_cms_cipher_function)PK11_CipherOp;
+    cc->destroy = (nss_cms_cipher_destroy)PK11_DestroyContext;
+    cc->encrypt = PR_TRUE;
+    cc->pending_count = 0;
+
+loser:
+    SECITEM_FreeItem(param, PR_TRUE);
+
+    return cc;
+}
+
+void
+NSS_CMSCipherContext_Destroy(NSSCMSCipherContext *cc)
+{
+    PORT_Assert(cc != NULL);
+    if (cc == NULL)
+	return;
+    (*cc->destroy)(cc->cx, PR_TRUE);
+    PORT_Free(cc);
+}
+
+/*
+ * NSS_CMSCipherContext_DecryptLength - find the output length of the next call to decrypt.
+ *
+ * cc - the cipher context
+ * input_len - number of bytes used as input
+ * final - true if this is the final chunk of data
+ *
+ * Result can be used to perform memory allocations.  Note that the amount
+ * is exactly accurate only when not doing a block cipher or when final
+ * is false, otherwise it is an upper bound on the amount because until
+ * we see the data we do not know how many padding bytes there are
+ * (always between 1 and bsize).
+ *
+ * Note that this can return zero, which does not mean that the decrypt
+ * operation can be skipped!  (It simply means that there are not enough
+ * bytes to make up an entire block; the bytes will be reserved until
+ * there are enough to encrypt/decrypt at least one block.)  However,
+ * if zero is returned it *does* mean that no output buffer need be
+ * passed in to the subsequent decrypt operation, as no output bytes
+ * will be stored.
+ */
+unsigned int
+NSS_CMSCipherContext_DecryptLength(NSSCMSCipherContext *cc, unsigned int input_len, PRBool final)
+{
+    int blocks, block_size;
+
+    PORT_Assert (! cc->encrypt);
+
+    block_size = cc->block_size;
+
+    /*
+     * If this is not a block cipher, then we always have the same
+     * number of output bytes as we had input bytes.
+     */
+    if (block_size == 0)
+	return input_len;
+
+    /*
+     * On the final call, we will always use up all of the pending
+     * bytes plus all of the input bytes, *but*, there will be padding
+     * at the end and we cannot predict how many bytes of padding we
+     * will end up removing.  The amount given here is actually known
+     * to be at least 1 byte too long (because we know we will have
+     * at least 1 byte of padding), but seemed clearer/better to me.
+     */
+    if (final)
+	return cc->pending_count + input_len;
+
+    /*
+     * Okay, this amount is exactly what we will output on the
+     * next cipher operation.  We will always hang onto the last
+     * 1 - block_size bytes for non-final operations.  That is,
+     * we will do as many complete blocks as we can *except* the
+     * last block (complete or partial).  (This is because until
+     * we know we are at the end, we cannot know when to interpret
+     * and removing the padding byte(s), which are guaranteed to
+     * be there.)
+     */
+    blocks = (cc->pending_count + input_len - 1) / block_size;
+    return blocks * block_size;
+}
+
+/*
+ * NSS_CMSCipherContext_EncryptLength - find the output length of the next call to encrypt.
+ *
+ * cc - the cipher context
+ * input_len - number of bytes used as input
+ * final - true if this is the final chunk of data
+ *
+ * Result can be used to perform memory allocations.
+ *
+ * Note that this can return zero, which does not mean that the encrypt
+ * operation can be skipped!  (It simply means that there are not enough
+ * bytes to make up an entire block; the bytes will be reserved until
+ * there are enough to encrypt/decrypt at least one block.)  However,
+ * if zero is returned it *does* mean that no output buffer need be
+ * passed in to the subsequent encrypt operation, as no output bytes
+ * will be stored.
+ */
+unsigned int
+NSS_CMSCipherContext_EncryptLength(NSSCMSCipherContext *cc, unsigned int input_len, PRBool final)
+{
+    int blocks, block_size;
+    int pad_size;
+
+    PORT_Assert (cc->encrypt);
+
+    block_size = cc->block_size;
+    pad_size = cc->pad_size;
+
+    /*
+     * If this is not a block cipher, then we always have the same
+     * number of output bytes as we had input bytes.
+     */
+    if (block_size == 0)
+	return input_len;
+
+    /*
+     * On the final call, we only send out what we need for
+     * remaining bytes plus the padding.  (There is always padding,
+     * so even if we have an exact number of blocks as input, we
+     * will add another full block that is just padding.)
+     */
+    if (final) {
+	if (pad_size == 0) {
+    	    return cc->pending_count + input_len;
+	} else {
+    	    blocks = (cc->pending_count + input_len) / pad_size;
+	    blocks++;
+	    return blocks*pad_size;
+	}
+    }
+
+    /*
+     * Now, count the number of complete blocks of data we have.
+     */
+    blocks = (cc->pending_count + input_len) / block_size;
+
+
+    return blocks * block_size;
+}
+
+
+/*
+ * NSS_CMSCipherContext_Decrypt - do the decryption
+ *
+ * cc - the cipher context
+ * output - buffer for decrypted result bytes
+ * output_len_p - number of bytes in output
+ * max_output_len - upper bound on bytes to put into output
+ * input - pointer to input bytes
+ * input_len - number of input bytes
+ * final - true if this is the final chunk of data
+ *
+ * Decrypts a given length of input buffer (starting at "input" and
+ * containing "input_len" bytes), placing the decrypted bytes in
+ * "output" and storing the output length in "*output_len_p".
+ * "cc" is the return value from NSS_CMSCipher_StartDecrypt.
+ * When "final" is true, this is the last of the data to be decrypted.
+ *
+ * This is much more complicated than it sounds when the cipher is
+ * a block-type, meaning that the decryption function will only
+ * operate on whole blocks.  But our caller is operating stream-wise,
+ * and can pass in any number of bytes.  So we need to keep track
+ * of block boundaries.  We save excess bytes between calls in "cc".
+ * We also need to determine which bytes are padding, and remove
+ * them from the output.  We can only do this step when we know we
+ * have the final block of data.  PKCS #7 specifies that the padding
+ * used for a block cipher is a string of bytes, each of whose value is
+ * the same as the length of the padding, and that all data is padded.
+ * (Even data that starts out with an exact multiple of blocks gets
+ * added to it another block, all of which is padding.)
+ */ 
+SECStatus
+NSS_CMSCipherContext_Decrypt(NSSCMSCipherContext *cc, unsigned char *output,
+		  unsigned int *output_len_p, unsigned int max_output_len,
+		  const unsigned char *input, unsigned int input_len,
+		  PRBool final)
+{
+    int blocks, bsize, pcount, padsize;
+    unsigned int max_needed, ifraglen, ofraglen, output_len;
+    unsigned char *pbuf;
+    SECStatus rv;
+
+    PORT_Assert (! cc->encrypt);
+
+    /*
+     * Check that we have enough room for the output.  Our caller should
+     * already handle this; failure is really an internal error (i.e. bug).
+     */
+    max_needed = NSS_CMSCipherContext_DecryptLength(cc, input_len, final);
+    PORT_Assert (max_output_len >= max_needed);
+    if (max_output_len < max_needed) {
+	/* PORT_SetError (XXX); */
+	return SECFailure;
+    }
+
+    /*
+     * hardware encryption does not like small decryption sizes here, so we
+     * allow both blocking and padding.
+     */
+    bsize = cc->block_size;
+    padsize = cc->pad_size;
+
+    /*
+     * When no blocking or padding work to do, we can simply call the
+     * cipher function and we are done.
+     */
+    if (bsize == 0) {
+	return (* cc->doit) (cc->cx, output, output_len_p, max_output_len,
+			      input, input_len);
+    }
+
+    pcount = cc->pending_count;
+    pbuf = cc->pending_buf;
+
+    output_len = 0;
+
+    if (pcount) {
+	/*
+	 * Try to fill in an entire block, starting with the bytes
+	 * we already have saved away.
+	 */
+	while (input_len && pcount < bsize) {
+	    pbuf[pcount++] = *input++;
+	    input_len--;
+	}
+	/*
+	 * If we have at most a whole block and this is not our last call,
+	 * then we are done for now.  (We do not try to decrypt a lone
+	 * single block because we cannot interpret the padding bytes
+	 * until we know we are handling the very last block of all input.)
+	 */
+	if (input_len == 0 && !final) {
+	    cc->pending_count = pcount;
+	    if (output_len_p)
+		*output_len_p = 0;
+	    return SECSuccess;
+	}
+	/*
+	 * Given the logic above, we expect to have a full block by now.
+	 * If we do not, there is something wrong, either with our own
+	 * logic or with (length of) the data given to us.
+	 */
+	PORT_Assert ((padsize == 0) || (pcount % padsize) == 0);
+	if ((padsize != 0) && (pcount % padsize) != 0) {
+	    PORT_Assert (final);	
+	    PORT_SetError (SEC_ERROR_BAD_DATA);
+	    return SECFailure;
+	}
+	/*
+	 * Decrypt the block.
+	 */
+	rv = (*cc->doit)(cc->cx, output, &ofraglen, max_output_len,
+			    pbuf, pcount);
+	if (rv != SECSuccess)
+	    return rv;
+
+	/*
+	 * For now anyway, all of our ciphers have the same number of
+	 * bytes of output as they do input.  If this ever becomes untrue,
+	 * then NSS_CMSCipherContext_DecryptLength needs to be made smarter!
+	 */
+	PORT_Assert(ofraglen == pcount);
+
+	/*
+	 * Account for the bytes now in output.
+	 */
+	max_output_len -= ofraglen;
+	output_len += ofraglen;
+	output += ofraglen;
+    }
+
+    /*
+     * If this is our last call, we expect to have an exact number of
+     * blocks left to be decrypted; we will decrypt them all.
+     * 
+     * If not our last call, we always save between 1 and bsize bytes
+     * until next time.  (We must do this because we cannot be sure
+     * that none of the decrypted bytes are padding bytes until we
+     * have at least another whole block of data.  You cannot tell by
+     * looking -- the data could be anything -- you can only tell by
+     * context, knowing you are looking at the last block.)  We could
+     * decrypt a whole block now but it is easier if we just treat it
+     * the same way we treat partial block bytes.
+     */
+    if (final) {
+	if (padsize) {
+	    blocks = input_len / padsize;
+	    ifraglen = blocks * padsize;
+	} else ifraglen = input_len;
+	PORT_Assert (ifraglen == input_len);
+
+	if (ifraglen != input_len) {
+	    PORT_SetError(SEC_ERROR_BAD_DATA);
+	    return SECFailure;
+	}
+    } else {
+	blocks = (input_len - 1) / bsize;
+	ifraglen = blocks * bsize;
+	PORT_Assert (ifraglen < input_len);
+
+	pcount = input_len - ifraglen;
+	PORT_Memcpy (pbuf, input + ifraglen, pcount);
+	cc->pending_count = pcount;
+    }
+
+    if (ifraglen) {
+	rv = (* cc->doit)(cc->cx, output, &ofraglen, max_output_len,
+			    input, ifraglen);
+	if (rv != SECSuccess)
+	    return rv;
+
+	/*
+	 * For now anyway, all of our ciphers have the same number of
+	 * bytes of output as they do input.  If this ever becomes untrue,
+	 * then sec_PKCS7DecryptLength needs to be made smarter!
+	 */
+	PORT_Assert (ifraglen == ofraglen);
+	if (ifraglen != ofraglen) {
+	    PORT_SetError(SEC_ERROR_BAD_DATA);
+	    return SECFailure;
+	}
+
+	output_len += ofraglen;
+    } else {
+	ofraglen = 0;
+    }
+
+    /*
+     * If we just did our very last block, "remove" the padding by
+     * adjusting the output length.
+     */
+    if (final && (padsize != 0)) {
+	unsigned int padlen = *(output + ofraglen - 1);
+	PORT_Assert (padlen > 0 && padlen <= padsize);
+	if (padlen == 0 || padlen > padsize) {
+	    PORT_SetError(SEC_ERROR_BAD_DATA);
+	    return SECFailure;
+	}
+	output_len -= padlen;
+    }
+
+    PORT_Assert (output_len_p != NULL || output_len == 0);
+    if (output_len_p != NULL)
+	*output_len_p = output_len;
+
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSCipherContext_Encrypt - do the encryption
+ *
+ * cc - the cipher context
+ * output - buffer for decrypted result bytes
+ * output_len_p - number of bytes in output
+ * max_output_len - upper bound on bytes to put into output
+ * input - pointer to input bytes
+ * input_len - number of input bytes
+ * final - true if this is the final chunk of data
+ *
+ * Encrypts a given length of input buffer (starting at "input" and
+ * containing "input_len" bytes), placing the encrypted bytes in
+ * "output" and storing the output length in "*output_len_p".
+ * "cc" is the return value from NSS_CMSCipher_StartEncrypt.
+ * When "final" is true, this is the last of the data to be encrypted.
+ *
+ * This is much more complicated than it sounds when the cipher is
+ * a block-type, meaning that the encryption function will only
+ * operate on whole blocks.  But our caller is operating stream-wise,
+ * and can pass in any number of bytes.  So we need to keep track
+ * of block boundaries.  We save excess bytes between calls in "cc".
+ * We also need to add padding bytes at the end.  PKCS #7 specifies
+ * that the padding used for a block cipher is a string of bytes,
+ * each of whose value is the same as the length of the padding,
+ * and that all data is padded.  (Even data that starts out with
+ * an exact multiple of blocks gets added to it another block,
+ * all of which is padding.)
+ *
+ * XXX I would kind of like to combine this with the function above
+ * which does decryption, since they have a lot in common.  But the
+ * tricky parts about padding and filling blocks would be much
+ * harder to read that way, so I left them separate.  At least for
+ * now until it is clear that they are right.
+ */ 
+SECStatus
+NSS_CMSCipherContext_Encrypt(NSSCMSCipherContext *cc, unsigned char *output,
+		  unsigned int *output_len_p, unsigned int max_output_len,
+		  const unsigned char *input, unsigned int input_len,
+		  PRBool final)
+{
+    int blocks, bsize, padlen, pcount, padsize;
+    unsigned int max_needed, ifraglen, ofraglen, output_len;
+    unsigned char *pbuf;
+    SECStatus rv;
+
+    PORT_Assert (cc->encrypt);
+
+    /*
+     * Check that we have enough room for the output.  Our caller should
+     * already handle this; failure is really an internal error (i.e. bug).
+     */
+    max_needed = NSS_CMSCipherContext_EncryptLength (cc, input_len, final);
+    PORT_Assert (max_output_len >= max_needed);
+    if (max_output_len < max_needed) {
+	/* PORT_SetError (XXX); */
+	return SECFailure;
+    }
+
+    bsize = cc->block_size;
+    padsize = cc->pad_size;
+
+    /*
+     * When no blocking and padding work to do, we can simply call the
+     * cipher function and we are done.
+     */
+    if (bsize == 0) {
+	return (*cc->doit)(cc->cx, output, output_len_p, max_output_len,
+			      input, input_len);
+    }
+
+    pcount = cc->pending_count;
+    pbuf = cc->pending_buf;
+
+    output_len = 0;
+
+    if (pcount) {
+	/*
+	 * Try to fill in an entire block, starting with the bytes
+	 * we already have saved away.
+	 */
+	while (input_len && pcount < bsize) {
+	    pbuf[pcount++] = *input++;
+	    input_len--;
+	}
+	/*
+	 * If we do not have a full block and we know we will be
+	 * called again, then we are done for now.
+	 */
+	if (pcount < bsize && !final) {
+	    cc->pending_count = pcount;
+	    if (output_len_p != NULL)
+		*output_len_p = 0;
+	    return SECSuccess;
+	}
+	/*
+	 * If we have a whole block available, encrypt it.
+	 */
+	if ((padsize == 0) || (pcount % padsize) == 0) {
+	    rv = (* cc->doit) (cc->cx, output, &ofraglen, max_output_len,
+				pbuf, pcount);
+	    if (rv != SECSuccess)
+		return rv;
+
+	    /*
+	     * For now anyway, all of our ciphers have the same number of
+	     * bytes of output as they do input.  If this ever becomes untrue,
+	     * then sec_PKCS7EncryptLength needs to be made smarter!
+	     */
+	    PORT_Assert (ofraglen == pcount);
+
+	    /*
+	     * Account for the bytes now in output.
+	     */
+	    max_output_len -= ofraglen;
+	    output_len += ofraglen;
+	    output += ofraglen;
+
+	    pcount = 0;
+	}
+    }
+
+    if (input_len) {
+	PORT_Assert (pcount == 0);
+
+	blocks = input_len / bsize;
+	ifraglen = blocks * bsize;
+
+	if (ifraglen) {
+	    rv = (* cc->doit) (cc->cx, output, &ofraglen, max_output_len,
+				input, ifraglen);
+	    if (rv != SECSuccess)
+		return rv;
+
+	    /*
+	     * For now anyway, all of our ciphers have the same number of
+	     * bytes of output as they do input.  If this ever becomes untrue,
+	     * then sec_PKCS7EncryptLength needs to be made smarter!
+	     */
+	    PORT_Assert (ifraglen == ofraglen);
+
+	    max_output_len -= ofraglen;
+	    output_len += ofraglen;
+	    output += ofraglen;
+	}
+
+	pcount = input_len - ifraglen;
+	PORT_Assert (pcount < bsize);
+	if (pcount)
+	    PORT_Memcpy (pbuf, input + ifraglen, pcount);
+    }
+
+    if (final) {
+	padlen = padsize - (pcount % padsize);
+	PORT_Memset (pbuf + pcount, padlen, padlen);
+	rv = (* cc->doit) (cc->cx, output, &ofraglen, max_output_len,
+			    pbuf, pcount+padlen);
+	if (rv != SECSuccess)
+	    return rv;
+
+	/*
+	 * For now anyway, all of our ciphers have the same number of
+	 * bytes of output as they do input.  If this ever becomes untrue,
+	 * then sec_PKCS7EncryptLength needs to be made smarter!
+	 */
+	PORT_Assert (ofraglen == (pcount+padlen));
+	output_len += ofraglen;
+    } else {
+	cc->pending_count = pcount;
+    }
+
+    PORT_Assert (output_len_p != NULL || output_len == 0);
+    if (output_len_p != NULL)
+	*output_len_p = output_len;
+
+    return SECSuccess;
+}
diff --git a/security/nss/lib/smime/cmsdecode.c b/security/nss/lib/smime/cmsdecode.c
new file mode 100644
index 000000000..906fbaa25
--- /dev/null
+++ b/security/nss/lib/smime/cmsdecode.c
@@ -0,0 +1,692 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * CMS decoding.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+#include "key.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "prtime.h"
+#include "secerr.h"
+
+struct NSSCMSDecoderContextStr {
+    SEC_ASN1DecoderContext *		dcx;		/* ASN.1 decoder context */
+    NSSCMSMessage *			cmsg;		/* backpointer to the root message */
+    SECOidTag				type;		/* type of message */
+    NSSCMSContent			content;	/* pointer to message */
+    NSSCMSDecoderContext *		childp7dcx;	/* inner CMS decoder context */
+    PRBool				saw_contents;
+    int					error;
+    NSSCMSContentCallback		cb;
+    void *				cb_arg;
+};
+
+static void nss_cms_decoder_update_filter (void *arg, const char *data, unsigned long len,
+                          int depth, SEC_ASN1EncodingPart data_kind);
+static SECStatus nss_cms_before_data(NSSCMSDecoderContext *p7dcx);
+static SECStatus nss_cms_after_data(NSSCMSDecoderContext *p7dcx);
+static SECStatus nss_cms_after_end(NSSCMSDecoderContext *p7dcx);
+static void nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, 
+			     const unsigned char *data, unsigned long len, PRBool final);
+
+extern const SEC_ASN1Template NSSCMSMessageTemplate[];
+
+/* 
+ * nss_cms_decoder_notify -
+ *  this is the driver of the decoding process. It gets called by the ASN.1
+ *  decoder before and after an object is decoded.
+ *  at various points in the decoding process, we intercept to set up and do
+ *  further processing.
+ */
+static void
+nss_cms_decoder_notify(void *arg, PRBool before, void *dest, int depth)
+{
+    NSSCMSDecoderContext *p7dcx;
+    NSSCMSContentInfo *rootcinfo, *cinfo;
+    PRBool after = !before;
+
+    p7dcx = (NSSCMSDecoderContext *)arg;
+    rootcinfo = &(p7dcx->cmsg->contentInfo);
+
+    /* XXX error handling: need to set p7dcx->error */
+
+#ifdef CMSDEBUG 
+    fprintf(stderr, "%6.6s, dest = 0x%08x, depth = %d\n", before ? "before" : "after", dest, depth);
+#endif
+
+    /* so what are we working on right now? */
+    switch (p7dcx->type) {
+    case SEC_OID_UNKNOWN:
+	/*
+	 * right now, we are still decoding the OUTER (root) cinfo
+	 * As soon as we know the inner content type, set up the info,
+	 * but NO inner decoder or filter. The root decoder handles the first
+	 * level children by itself - only for encapsulated contents (which
+	 * are encoded as DER inside of an OCTET STRING) we need to set up a
+	 * child decoder...
+	 */
+	if (after && dest == &(rootcinfo->contentType)) {
+	    p7dcx->type = NSS_CMSContentInfo_GetContentTypeTag(rootcinfo);
+	    p7dcx->content = rootcinfo->content;	/* is this ready already ? need to alloc? */
+	    /* XXX yes we need to alloc -- continue here */
+	}
+	break;
+    case SEC_OID_PKCS7_DATA:
+	/* this can only happen if the outermost cinfo has DATA in it */
+	/* otherwise, we handle this type implicitely in the inner decoders */
+
+	if (before && dest == &(rootcinfo->content)) {
+	    /* fake it to cause the filter to put the data in the right place... */
+	    /* we want the ASN.1 decoder to deliver the decoded bytes to us from now on */
+	    SEC_ASN1DecoderSetFilterProc(p7dcx->dcx,
+					  nss_cms_decoder_update_filter,
+					  p7dcx,
+					  (PRBool)(p7dcx->cb != NULL));
+	    break;
+	}
+
+	if (after && dest == &(rootcinfo->content.data)) {
+	    /* remove the filter */
+	    SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);
+	}
+	break;
+
+    case SEC_OID_PKCS7_SIGNED_DATA:
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+
+	if (before && dest == &(rootcinfo->content))
+	    break;					/* we're not there yet */
+
+	if (p7dcx->content.pointer == NULL)
+	    p7dcx->content = rootcinfo->content;
+
+	/* get this data type's inner contentInfo */
+	cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type);
+
+	if (before && dest == &(cinfo->contentType)) {
+	    /* at this point, set up the &%$&$ back pointer */
+	    /* we cannot do it later, because the content itself is optional! */
+	    /* please give me C++ */
+	    switch (p7dcx->type) {
+	    case SEC_OID_PKCS7_SIGNED_DATA:
+		p7dcx->content.signedData->cmsg = p7dcx->cmsg;
+		break;
+	    case SEC_OID_PKCS7_DIGESTED_DATA:
+		p7dcx->content.digestedData->cmsg = p7dcx->cmsg;
+		break;
+	    case SEC_OID_PKCS7_ENVELOPED_DATA:
+		p7dcx->content.envelopedData->cmsg = p7dcx->cmsg;
+		break;
+	    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+		p7dcx->content.encryptedData->cmsg = p7dcx->cmsg;
+		break;
+	    default:
+		PORT_Assert(0);
+		break;
+	    }
+	}
+
+	if (before && dest == &(cinfo->rawContent)) {
+	    /* we want the ASN.1 decoder to deliver the decoded bytes to us from now on */
+	    SEC_ASN1DecoderSetFilterProc(p7dcx->dcx, nss_cms_decoder_update_filter,
+					  p7dcx, (PRBool)(p7dcx->cb != NULL));
+
+
+	    /* we're right in front of the data */
+	    if (nss_cms_before_data(p7dcx) != SECSuccess) {
+		SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);	/* stop all processing */
+		p7dcx->error = PORT_GetError();
+	    }
+	}
+	if (after && dest == &(cinfo->rawContent)) {
+	    /* we're right after of the data */
+	    if (nss_cms_after_data(p7dcx) != SECSuccess)
+		p7dcx->error = PORT_GetError();
+
+	    /* we don't need to see the contents anymore */
+	    SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);
+	}
+	break;
+
+#if 0 /* NIH */
+    case SEC_OID_PKCS7_AUTHENTICATED_DATA:
+#endif
+    default:
+	/* unsupported or unknown message type - fail (more or less) gracefully */
+	p7dcx->error = SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE;
+	break;
+    }
+}
+
+/*
+ * nss_cms_before_data - set up the current encoder to receive data
+ */
+static SECStatus
+nss_cms_before_data(NSSCMSDecoderContext *p7dcx)
+{
+    SECStatus rv;
+    SECOidTag childtype;
+    PLArenaPool *poolp;
+    NSSCMSDecoderContext *childp7dcx;
+    NSSCMSContentInfo *cinfo;
+    const SEC_ASN1Template *template;
+    void *mark = NULL;
+    size_t size;
+    
+    poolp = p7dcx->cmsg->poolp;
+
+    /* call _Decode_BeforeData handlers */
+    switch (p7dcx->type) {
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	/* we're decoding a signedData, so set up the digests */
+	rv = NSS_CMSSignedData_Decode_BeforeData(p7dcx->content.signedData);
+	if (rv != SECSuccess)
+	    return SECFailure;
+	break;
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+	/* we're encoding a digestedData, so set up the digest */
+	rv = NSS_CMSDigestedData_Decode_BeforeData(p7dcx->content.digestedData);
+	if (rv != SECSuccess)
+	    return SECFailure;
+	break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	rv = NSS_CMSEnvelopedData_Decode_BeforeData(p7dcx->content.envelopedData);
+	if (rv != SECSuccess)
+	    return SECFailure;
+	break;
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	rv = NSS_CMSEncryptedData_Decode_BeforeData(p7dcx->content.encryptedData);
+	if (rv != SECSuccess)
+	    return SECFailure;
+	break;
+    default:
+	return SECFailure;
+    }
+
+    /* ok, now we have a pointer to cinfo */
+    /* find out what kind of data is encapsulated */
+    
+    cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type);
+    childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+
+    if (childtype == SEC_OID_PKCS7_DATA) {
+	cinfo->content.data = SECITEM_AllocItem(poolp, NULL, 0);
+	if (cinfo->content.data == NULL)
+	    /* set memory error */
+	    return SECFailure;
+
+	p7dcx->childp7dcx = NULL;
+	return SECSuccess;
+    }
+
+    /* set up inner decoder */
+
+    if ((template = NSS_CMSUtil_GetTemplateByTypeTag(childtype)) == NULL)
+	return SECFailure;
+
+    childp7dcx = (NSSCMSDecoderContext *)PORT_ZAlloc(sizeof(NSSCMSDecoderContext));
+    if (childp7dcx == NULL)
+	return SECFailure;
+
+    mark = PORT_ArenaMark(poolp);
+
+    /* allocate space for the stuff we're creating */
+    size = NSS_CMSUtil_GetSizeByTypeTag(childtype);
+    childp7dcx->content.pointer = (void *)PORT_ArenaZAlloc(poolp, size);
+    if (childp7dcx->content.pointer == NULL)
+	goto loser;
+
+    /* start the child decoder */
+    childp7dcx->dcx = SEC_ASN1DecoderStart(poolp, childp7dcx->content.pointer, template);
+    if (childp7dcx->dcx == NULL)
+	goto loser;
+
+    /* the new decoder needs to notify, too */
+    SEC_ASN1DecoderSetNotifyProc(childp7dcx->dcx, nss_cms_decoder_notify, childp7dcx);
+
+    /* tell the parent decoder that it needs to feed us the content data */
+    p7dcx->childp7dcx = childp7dcx;
+
+    childp7dcx->type = childtype;	/* our type */
+
+    childp7dcx->cmsg = p7dcx->cmsg;	/* backpointer to root message */
+
+    /* should the child decoder encounter real data, it needs to give it to the caller */
+    childp7dcx->cb = p7dcx->cb;
+    childp7dcx->cb_arg = p7dcx->cb_arg;
+
+    /* now set up the parent to hand decoded data to the next level decoder */
+    p7dcx->cb = (NSSCMSContentCallback)NSS_CMSDecoder_Update;
+    p7dcx->cb_arg = childp7dcx;
+
+    PORT_ArenaUnmark(poolp, mark);
+
+    return SECSuccess;
+
+loser:
+    if (mark)
+	PORT_ArenaRelease(poolp, mark);
+    if (childp7dcx)
+	PORT_Free(childp7dcx);
+    p7dcx->childp7dcx = NULL;
+    return SECFailure;
+}
+
+static SECStatus
+nss_cms_after_data(NSSCMSDecoderContext *p7dcx)
+{
+    PLArenaPool *poolp;
+    NSSCMSDecoderContext *childp7dcx;
+    SECStatus rv = SECFailure;
+
+    poolp = p7dcx->cmsg->poolp;
+
+    /* Handle last block. This is necessary to flush out the last bytes
+     * of a possibly incomplete block */
+    nss_cms_decoder_work_data(p7dcx, NULL, 0, PR_TRUE);
+
+    /* finish any "inner" decoders - there's no more data coming... */
+    if (p7dcx->childp7dcx != NULL) {
+	childp7dcx = p7dcx->childp7dcx;
+	if (childp7dcx->dcx != NULL) {
+	    if (SEC_ASN1DecoderFinish(childp7dcx->dcx) != SECSuccess) {
+		/* do what? free content? */
+		rv = SECFailure;
+	    } else {
+		rv = nss_cms_after_end(childp7dcx);
+	    }
+	    if (rv != SECSuccess)
+		goto done;
+	}
+	PORT_Free(p7dcx->childp7dcx);
+	p7dcx->childp7dcx = NULL;
+    }
+
+    switch (p7dcx->type) {
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	/* this will finish the digests and verify */
+	rv = NSS_CMSSignedData_Decode_AfterData(p7dcx->content.signedData);
+	break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	rv = NSS_CMSEnvelopedData_Decode_AfterData(p7dcx->content.envelopedData);
+	break;
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+	rv = NSS_CMSDigestedData_Decode_AfterData(p7dcx->content.digestedData);
+	break;
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	rv = NSS_CMSEncryptedData_Decode_AfterData(p7dcx->content.encryptedData);
+	break;
+    case SEC_OID_PKCS7_DATA:
+	/* do nothing */
+	break;
+    default:
+	rv = SECFailure;
+	break;
+    }
+done:
+    return rv;
+}
+
+static SECStatus
+nss_cms_after_end(NSSCMSDecoderContext *p7dcx)
+{
+    SECStatus rv;
+    PLArenaPool *poolp;
+
+    poolp = p7dcx->cmsg->poolp;
+
+    switch (p7dcx->type) {
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	rv = NSS_CMSSignedData_Decode_AfterEnd(p7dcx->content.signedData);
+	break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	rv = NSS_CMSEnvelopedData_Decode_AfterEnd(p7dcx->content.envelopedData);
+	break;
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+	rv = NSS_CMSDigestedData_Decode_AfterEnd(p7dcx->content.digestedData);
+	break;
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	rv = NSS_CMSEncryptedData_Decode_AfterEnd(p7dcx->content.encryptedData);
+	break;
+    case SEC_OID_PKCS7_DATA:
+	rv = SECSuccess;
+	break;
+    default:
+	rv = SECFailure;	/* we should not have got that far... */
+	break;
+    }
+    return rv;
+}
+
+/*
+ * nss_cms_decoder_work_data - handle decoded data bytes.
+ *
+ * This function either decrypts the data if needed, and/or calculates digests
+ * on it, then either stores it or passes it on to the next level decoder.
+ */
+static void
+nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, 
+			     const unsigned char *data, unsigned long len,
+			     PRBool final)
+{
+    NSSCMSContentInfo *cinfo;
+    unsigned char *buf = NULL;
+    unsigned char *dest;
+    unsigned int offset;
+    SECStatus rv;
+    SECItem *storage;
+
+    /*
+     * We should really have data to process, or we should be trying
+     * to finish/flush the last block.  (This is an overly paranoid
+     * check since all callers are in this file and simple inspection
+     * proves they do it right.  But it could find a bug in future
+     * modifications/development, that is why it is here.)
+     */
+    PORT_Assert ((data != NULL && len) || final);
+
+    cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type);
+
+    if (cinfo->ciphcx != NULL) {
+	/*
+	 * we are decrypting.
+	 * 
+	 * XXX If we get an error, we do not want to do the digest or callback,
+	 * but we want to keep decoding.  Or maybe we want to stop decoding
+	 * altogether if there is a callback, because obviously we are not
+	 * sending the data back and they want to know that.
+	 */
+
+	unsigned int outlen = 0;	/* length of decrypted data */
+	unsigned int buflen;		/* length available for decrypted data */
+
+	/* find out about the length of decrypted data */
+	buflen = NSS_CMSCipherContext_DecryptLength(cinfo->ciphcx, len, final);
+
+	/*
+	 * it might happen that we did not provide enough data for a full
+	 * block (decryption unit), and that there is no output available
+	 */
+
+	/* no output available, AND no input? */
+	if (buflen == 0 && len == 0)
+	    goto loser;	/* bail out */
+
+	/*
+	 * have inner decoder: pass the data on (means inner content type is NOT data)
+	 * no inner decoder: we have DATA in here: either call callback or store
+	 */
+	if (buflen != 0) {
+	    /* there will be some output - need to make room for it */
+	    /* allocate buffer from the heap */
+	    buf = (unsigned char *)PORT_Alloc(buflen);
+	    if (buf == NULL) {
+		p7dcx->error = SEC_ERROR_NO_MEMORY;
+		goto loser;
+	    }
+	}
+
+	/*
+	 * decrypt incoming data
+	 * buf can still be NULL here (and buflen == 0) here if we don't expect
+	 * any output (see above), but we still need to call NSS_CMSCipherContext_Decrypt to
+	 * keep track of incoming data
+	 */
+	rv = NSS_CMSCipherContext_Decrypt(cinfo->ciphcx, buf, &outlen, buflen,
+			       data, len, final);
+	if (rv != SECSuccess) {
+	    p7dcx->error = PORT_GetError();
+	    goto loser;
+	}
+
+	PORT_Assert (final || outlen == buflen);
+	
+	/* swap decrypted data in */
+	data = buf;
+	len = outlen;
+    }
+
+    if (len == 0)
+	goto done;		/* nothing more to do */
+
+    /*
+     * Update the running digests with plaintext bytes (if we need to).
+     */
+    if (cinfo->digcx)
+	NSS_CMSDigestContext_Update(cinfo->digcx, data, len);
+
+    /* at this point, we have the plain decoded & decrypted data */
+    /* which is either more encoded DER which we need to hand to the child decoder */
+    /*              or data we need to hand back to our caller */
+
+    /* pass the content back to our caller or */
+    /* feed our freshly decrypted and decoded data into child decoder */
+    if (p7dcx->cb != NULL) {
+	(*p7dcx->cb)(p7dcx->cb_arg, (const char *)data, len);
+    }
+#if 1
+    else
+#endif
+    if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) == SEC_OID_PKCS7_DATA) {
+	/* store it in "inner" data item as well */
+	/* find the DATA item in the encapsulated cinfo and store it there */
+	storage = cinfo->content.data;
+
+	offset = storage->len;
+	if (storage->len == 0) {
+	    dest = (unsigned char *)PORT_ArenaAlloc(p7dcx->cmsg->poolp, len);
+	} else {
+	    dest = (unsigned char *)PORT_ArenaGrow(p7dcx->cmsg->poolp, 
+				  storage->data,
+				  storage->len,
+				  storage->len + len);
+	}
+	if (dest == NULL) {
+	    p7dcx->error = SEC_ERROR_NO_MEMORY;
+	    goto loser;
+	}
+
+	storage->data = dest;
+	storage->len += len;
+
+	/* copy it in */
+	PORT_Memcpy(storage->data + offset, data, len);
+    }
+
+done:
+loser:
+    if (buf)
+	PORT_Free (buf);
+}
+
+/*
+ * nss_cms_decoder_update_filter - process ASN.1 data
+ *
+ * once we have set up a filter in nss_cms_decoder_notify(),
+ * all data processed by the ASN.1 decoder is also passed through here.
+ * we pass the content bytes (as opposed to length and tag bytes) on to
+ * nss_cms_decoder_work_data().
+ */
+static void
+nss_cms_decoder_update_filter (void *arg, const char *data, unsigned long len,
+			  int depth, SEC_ASN1EncodingPart data_kind)
+{
+    NSSCMSDecoderContext *p7dcx;
+
+    PORT_Assert (len);	/* paranoia */
+    if (len == 0)
+	return;
+
+    p7dcx = (NSSCMSDecoderContext*)arg;
+
+    p7dcx->saw_contents = PR_TRUE;
+
+    /* pass on the content bytes only */
+    if (data_kind == SEC_ASN1_Contents)
+	nss_cms_decoder_work_data(p7dcx, (const unsigned char *) data, len, PR_FALSE);
+}
+
+/*
+ * NSS_CMSDecoder_Start - set up decoding of a DER-encoded CMS message
+ *
+ * "poolp" - pointer to arena for message, or NULL if new pool should be created
+ * "cb", "cb_arg" - callback function and argument for delivery of inner content
+ * "pwfn", pwfn_arg" - callback function for getting token password
+ * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
+ */
+NSSCMSDecoderContext *
+NSS_CMSDecoder_Start(PRArenaPool *poolp,
+		      NSSCMSContentCallback cb, void *cb_arg,
+		      PK11PasswordFunc pwfn, void *pwfn_arg,
+		      NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg)
+{
+    NSSCMSDecoderContext *p7dcx;
+    NSSCMSMessage *cmsg;
+
+    cmsg = NSS_CMSMessage_Create(poolp);
+    if (cmsg == NULL)
+	return NULL;
+
+    NSS_CMSMessage_SetEncodingParams(cmsg, pwfn, pwfn_arg, decrypt_key_cb, decrypt_key_cb_arg,
+					NULL, NULL);
+
+    p7dcx = (NSSCMSDecoderContext*)PORT_ZAlloc(sizeof(NSSCMSDecoderContext));
+    if (p7dcx == NULL) {
+	NSS_CMSMessage_Destroy(cmsg);
+	return NULL;
+    }
+
+    p7dcx->dcx = SEC_ASN1DecoderStart(cmsg->poolp, cmsg, NSSCMSMessageTemplate);
+    if (p7dcx->dcx == NULL) {
+	PORT_Free (p7dcx);
+	NSS_CMSMessage_Destroy(cmsg);
+	return NULL;
+    }
+
+    SEC_ASN1DecoderSetNotifyProc (p7dcx->dcx, nss_cms_decoder_notify, p7dcx);
+
+    p7dcx->cmsg = cmsg;
+    p7dcx->type = SEC_OID_UNKNOWN;
+
+    p7dcx->cb = cb;
+    p7dcx->cb_arg = cb_arg;
+
+    return p7dcx;
+}
+
+/*
+ * NSS_CMSDecoder_Update - feed DER-encoded data to decoder
+ */
+SECStatus
+NSS_CMSDecoder_Update(NSSCMSDecoderContext *p7dcx, const char *buf, unsigned long len)
+{
+    if (p7dcx->dcx != NULL && p7dcx->error == 0) {	/* if error is set already, don't bother */
+	if (SEC_ASN1DecoderUpdate (p7dcx->dcx, buf, len) != SECSuccess) {
+	    p7dcx->error = PORT_GetError();
+	    PORT_Assert (p7dcx->error);
+	    if (p7dcx->error == 0)
+		p7dcx->error = -1;
+	}
+    }
+
+    if (p7dcx->error == 0)
+	return SECSuccess;
+
+    /* there has been a problem, let's finish the decoder */
+    if (p7dcx->dcx != NULL) {
+	(void) SEC_ASN1DecoderFinish (p7dcx->dcx);
+	p7dcx->dcx = NULL;
+    }
+    PORT_SetError (p7dcx->error);
+
+    return SECFailure;
+}
+
+/*
+ * NSS_CMSDecoder_Cancel - stop decoding in case of error
+ */
+void
+NSS_CMSDecoder_Cancel(NSSCMSDecoderContext *p7dcx)
+{
+    /* XXXX what about inner decoders? running digests? decryption? */
+    /* XXXX there's a leak here! */
+    NSS_CMSMessage_Destroy(p7dcx->cmsg);
+    (void)SEC_ASN1DecoderFinish(p7dcx->dcx);
+    PORT_Free(p7dcx);
+}
+
+/*
+ * NSS_CMSDecoder_Finish - mark the end of inner content and finish decoding
+ */
+NSSCMSMessage *
+NSS_CMSDecoder_Finish(NSSCMSDecoderContext *p7dcx)
+{
+    NSSCMSMessage *cmsg;
+
+    cmsg = p7dcx->cmsg;
+
+    if (p7dcx->dcx == NULL || SEC_ASN1DecoderFinish(p7dcx->dcx) != SECSuccess ||
+	nss_cms_after_end(p7dcx) != SECSuccess)
+    {
+	NSS_CMSMessage_Destroy(cmsg);	/* needs to get rid of pool if it's ours */
+	cmsg = NULL;
+    }
+
+    PORT_Free(p7dcx);
+    return cmsg;
+}
+
+NSSCMSMessage *
+NSS_CMSMessage_CreateFromDER(SECItem *DERmessage,
+		    NSSCMSContentCallback cb, void *cb_arg,
+		    PK11PasswordFunc pwfn, void *pwfn_arg,
+		    NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg)
+{
+    NSSCMSDecoderContext *p7dcx;
+
+    /* first arg(poolp) == NULL => create our own pool */
+    p7dcx = NSS_CMSDecoder_Start(NULL, cb, cb_arg, pwfn, pwfn_arg, decrypt_key_cb, decrypt_key_cb_arg);
+    (void) NSS_CMSDecoder_Update(p7dcx, (char *)DERmessage->data, DERmessage->len);
+    return NSS_CMSDecoder_Finish(p7dcx);
+}
+
diff --git a/security/nss/lib/smime/cmsdigdata.c b/security/nss/lib/smime/cmsdigdata.c
new file mode 100644
index 000000000..9d57a5266
--- /dev/null
+++ b/security/nss/lib/smime/cmsdigdata.c
@@ -0,0 +1,224 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * CMS digestedData methods.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "secitem.h"
+#include "secasn1.h"
+#include "secoid.h"
+#include "secerr.h"
+
+/*
+ * NSS_CMSDigestedData_Create - create a digestedData object (presumably for encoding)
+ *
+ * version will be set by NSS_CMSDigestedData_Encode_BeforeStart
+ * digestAlg is passed as parameter
+ * contentInfo must be filled by the user
+ * digest will be calculated while encoding
+ */
+NSSCMSDigestedData *
+NSS_CMSDigestedData_Create(NSSCMSMessage *cmsg, SECAlgorithmID *digestalg)
+{
+    void *mark;
+    NSSCMSDigestedData *digd;
+    PLArenaPool *poolp;
+
+    poolp = cmsg->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+
+    digd = (NSSCMSDigestedData *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSDigestedData));
+    if (digd == NULL)
+	goto loser;
+
+    digd->cmsg = cmsg;
+
+    if (SECOID_CopyAlgorithmID (poolp, &(digd->digestAlg), digestalg) != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark(poolp, mark);
+    return digd;
+
+loser:
+    PORT_ArenaRelease(poolp, mark);
+    return NULL;
+}
+
+/*
+ * NSS_CMSDigestedData_Destroy - destroy a digestedData object
+ */
+void
+NSS_CMSDigestedData_Destroy(NSSCMSDigestedData *digd)
+{
+    /* everything's in a pool, so don't worry about the storage */
+    NSS_CMSContentInfo_Destroy(&(digd->contentInfo));
+    return;
+}
+
+/*
+ * NSS_CMSDigestedData_GetContentInfo - return pointer to digestedData object's contentInfo
+ */
+NSSCMSContentInfo *
+NSS_CMSDigestedData_GetContentInfo(NSSCMSDigestedData *digd)
+{
+    return &(digd->contentInfo);
+}
+
+/*
+ * NSS_CMSDigestedData_Encode_BeforeStart - do all the necessary things to a DigestedData
+ *     before encoding begins.
+ *
+ * In particular:
+ *  - set the right version number. The contentInfo's content type must be set up already.
+ */
+SECStatus
+NSS_CMSDigestedData_Encode_BeforeStart(NSSCMSDigestedData *digd)
+{
+    unsigned long version;
+    SECItem *dummy;
+
+    version = NSS_CMS_DIGESTED_DATA_VERSION_DATA;
+    if (NSS_CMSContentInfo_GetContentTypeTag(&(digd->contentInfo)) != SEC_OID_PKCS7_DATA)
+	version = NSS_CMS_DIGESTED_DATA_VERSION_ENCAP;
+
+    dummy = SEC_ASN1EncodeInteger(digd->cmsg->poolp, &(digd->version), version);
+    return (dummy == NULL) ? SECFailure : SECSuccess;
+}
+
+/*
+ * NSS_CMSDigestedData_Encode_BeforeData - do all the necessary things to a DigestedData
+ *     before the encapsulated data is passed through the encoder.
+ *
+ * In detail:
+ *  - set up the digests if necessary
+ */
+SECStatus
+NSS_CMSDigestedData_Encode_BeforeData(NSSCMSDigestedData *digd)
+{
+    /* set up the digests */
+    if (digd->digestAlg.algorithm.len != 0 && digd->digest.len == 0) {
+	/* if digest is already there, do nothing */
+	digd->contentInfo.digcx = NSS_CMSDigestContext_StartSingle(&(digd->digestAlg));
+	if (digd->contentInfo.digcx == NULL)
+	    return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSDigestedData_Encode_AfterData - do all the necessary things to a DigestedData
+ *     after all the encapsulated data was passed through the encoder.
+ *
+ * In detail:
+ *  - finish the digests
+ */
+SECStatus
+NSS_CMSDigestedData_Encode_AfterData(NSSCMSDigestedData *digd)
+{
+    /* did we have digest calculation going on? */
+    if (digd->contentInfo.digcx) {
+	if (NSS_CMSDigestContext_FinishSingle(digd->contentInfo.digcx,
+				    digd->cmsg->poolp, &(digd->digest)) != SECSuccess)
+	    return SECFailure;		/* error has been set by NSS_CMSDigestContext_FinishSingle */
+	digd->contentInfo.digcx = NULL;
+    }
+
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSDigestedData_Decode_BeforeData - do all the necessary things to a DigestedData
+ *     before the encapsulated data is passed through the encoder.
+ *
+ * In detail:
+ *  - set up the digests if necessary
+ */
+SECStatus
+NSS_CMSDigestedData_Decode_BeforeData(NSSCMSDigestedData *digd)
+{
+    /* is there a digest algorithm yet? */
+    if (digd->digestAlg.algorithm.len == 0)
+	return SECFailure;
+
+    digd->contentInfo.digcx = NSS_CMSDigestContext_StartSingle(&(digd->digestAlg));
+    if (digd->contentInfo.digcx == NULL)
+	return SECFailure;
+
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSDigestedData_Decode_AfterData - do all the necessary things to a DigestedData
+ *     after all the encapsulated data was passed through the encoder.
+ *
+ * In detail:
+ *  - finish the digests
+ */
+SECStatus
+NSS_CMSDigestedData_Decode_AfterData(NSSCMSDigestedData *digd)
+{
+    /* did we have digest calculation going on? */
+    if (digd->contentInfo.digcx) {
+	if (NSS_CMSDigestContext_FinishSingle(digd->contentInfo.digcx,
+				    digd->cmsg->poolp, &(digd->cdigest)) != SECSuccess)
+	    return SECFailure;		/* error has been set by NSS_CMSDigestContext_FinishSingle */
+	digd->contentInfo.digcx = NULL;
+    }
+
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSDigestedData_Decode_AfterEnd - finalize a digestedData.
+ *
+ * In detail:
+ *  - check the digests for equality
+ */
+SECStatus
+NSS_CMSDigestedData_Decode_AfterEnd(NSSCMSDigestedData *digd)
+{
+    /* did we have digest calculation going on? */
+    if (digd->cdigest.len != 0) {
+	/* XXX comparision btw digest & cdigest */
+	/* XXX set status */
+	/* TODO!!!! */
+    }
+
+    return SECSuccess;
+}
diff --git a/security/nss/lib/smime/cmsdigest.c b/security/nss/lib/smime/cmsdigest.c
new file mode 100644
index 000000000..6c7bd918b
--- /dev/null
+++ b/security/nss/lib/smime/cmsdigest.c
@@ -0,0 +1,259 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * CMS digesting.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+#include "key.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "prtime.h"
+#include "secerr.h"
+
+
+struct NSSCMSDigestContextStr {
+    PRBool		saw_contents;
+    int			digcnt;
+    void **		digcxs;
+const SECHashObject **	digobjs;
+};
+
+/*
+ * NSS_CMSDigestContext_StartMultiple - start digest calculation using all the
+ *  digest algorithms in "digestalgs" in parallel.
+ */
+NSSCMSDigestContext *
+NSS_CMSDigestContext_StartMultiple(SECAlgorithmID **digestalgs)
+{
+    NSSCMSDigestContext *cmsdigcx;
+    const SECHashObject *digobj;
+    void *digcx;
+    int digcnt;
+    int i;
+
+    digcnt = (digestalgs == NULL) ? 0 : NSS_CMSArray_Count((void **)digestalgs);
+
+    cmsdigcx = (NSSCMSDigestContext *)PORT_Alloc(sizeof(NSSCMSDigestContext));
+    if (cmsdigcx == NULL)
+	return NULL;
+
+    if (digcnt > 0) {
+	cmsdigcx->digcxs = (void **)PORT_Alloc(digcnt * sizeof (void *));
+	cmsdigcx->digobjs = (const SECHashObject **)PORT_Alloc(digcnt * sizeof(SECHashObject *));
+	if (cmsdigcx->digcxs == NULL || cmsdigcx->digobjs == NULL)
+	    goto loser;
+    }
+
+    cmsdigcx->digcnt = 0;
+
+    /*
+     * Create a digest object context for each algorithm.
+     */
+    for (i = 0; i < digcnt; i++) {
+	digobj = NSS_CMSUtil_GetHashObjByAlgID(digestalgs[i]);
+	/*
+	 * Skip any algorithm we do not even recognize; obviously,
+	 * this could be a problem, but if it is critical then the
+	 * result will just be that the signature does not verify.
+	 * We do not necessarily want to error out here, because
+	 * the particular algorithm may not actually be important,
+	 * but we cannot know that until later.
+	 */
+	if (digobj == NULL)
+	    continue;
+
+	digcx = (*digobj->create)();
+	if (digcx != NULL) {
+	    (*digobj->begin) (digcx);
+	    cmsdigcx->digobjs[cmsdigcx->digcnt] = digobj;
+	    cmsdigcx->digcxs[cmsdigcx->digcnt] = digcx;
+	    cmsdigcx->digcnt++;
+	}
+    }
+
+    cmsdigcx->saw_contents = PR_FALSE;
+
+    return cmsdigcx;
+
+loser:
+    if (cmsdigcx) {
+	if (cmsdigcx->digobjs)
+	    PORT_Free(cmsdigcx->digobjs);
+	if (cmsdigcx->digcxs)
+	    PORT_Free(cmsdigcx->digcxs);
+    }
+    return NULL;
+}
+
+/*
+ * NSS_CMSDigestContext_StartSingle - same as NSS_CMSDigestContext_StartMultiple, but
+ *  only one algorithm.
+ */
+NSSCMSDigestContext *
+NSS_CMSDigestContext_StartSingle(SECAlgorithmID *digestalg)
+{
+    SECAlgorithmID *digestalgs[] = { NULL, NULL };		/* fake array */
+
+    digestalgs[0] = digestalg;
+    return NSS_CMSDigestContext_StartMultiple(digestalgs);
+}
+
+/*
+ * NSS_CMSDigestContext_Update - feed more data into the digest machine
+ */
+void
+NSS_CMSDigestContext_Update(NSSCMSDigestContext *cmsdigcx, const unsigned char *data, int len)
+{
+    int i;
+
+    cmsdigcx->saw_contents = PR_TRUE;
+
+    for (i = 0; i < cmsdigcx->digcnt; i++)
+	(*cmsdigcx->digobjs[i]->update)(cmsdigcx->digcxs[i], data, len);
+}
+
+/*
+ * NSS_CMSDigestContext_Cancel - cancel digesting operation
+ */
+void
+NSS_CMSDigestContext_Cancel(NSSCMSDigestContext *cmsdigcx)
+{
+    int i;
+
+    for (i = 0; i < cmsdigcx->digcnt; i++)
+	(*cmsdigcx->digobjs[i]->destroy)(cmsdigcx->digcxs[i], PR_TRUE);
+}
+
+/*
+ * NSS_CMSDigestContext_FinishMultiple - finish the digests and put them
+ *  into an array of SECItems (allocated on poolp)
+ */
+SECStatus
+NSS_CMSDigestContext_FinishMultiple(NSSCMSDigestContext *cmsdigcx, PLArenaPool *poolp,
+			    SECItem ***digestsp)
+{
+    const SECHashObject *digobj;
+    void *digcx;
+    SECItem **digests, *digest;
+    int i;
+    void *mark;
+    SECStatus rv = SECFailure;
+
+    /* no contents? do not update digests */
+    if (digestsp == NULL || !cmsdigcx->saw_contents) {
+	for (i = 0; i < cmsdigcx->digcnt; i++)
+	    (*cmsdigcx->digobjs[i]->destroy)(cmsdigcx->digcxs[i], PR_TRUE);
+	rv = SECSuccess;
+	goto cleanup;
+    }
+
+    mark = PORT_ArenaMark (poolp);
+
+    /* allocate digest array & SECItems on arena */
+    digests = (SECItem **)PORT_ArenaAlloc(poolp, (cmsdigcx->digcnt+1) * sizeof(SECItem *));
+    digest = (SECItem *)PORT_ArenaZAlloc(poolp, cmsdigcx->digcnt * sizeof(SECItem));
+    if (digests == NULL || digest == NULL) {
+	goto loser;
+    }
+
+    for (i = 0; i < cmsdigcx->digcnt; i++, digest++) {
+	digcx = cmsdigcx->digcxs[i];
+	digobj = cmsdigcx->digobjs[i];
+
+	digest->data = (unsigned char*)PORT_ArenaAlloc(poolp, digobj->length);
+	if (digest->data == NULL)
+	    goto loser;
+	digest->len = digobj->length;
+	(* digobj->end)(digcx, digest->data, &(digest->len), digest->len);
+	digests[i] = digest;
+	(* digobj->destroy)(digcx, PR_TRUE);
+    }
+    digests[i] = NULL;
+    *digestsp = digests;
+
+    rv = SECSuccess;
+
+loser:
+    if (rv == SECSuccess)
+	PORT_ArenaUnmark(poolp, mark);
+    else
+	PORT_ArenaRelease(poolp, mark);
+
+cleanup:
+    if (cmsdigcx->digcnt > 0) {
+	PORT_Free(cmsdigcx->digcxs);
+	PORT_Free(cmsdigcx->digobjs);
+    }
+    PORT_Free(cmsdigcx);
+
+    return rv;
+}
+
+/*
+ * NSS_CMSDigestContext_FinishSingle - same as NSS_CMSDigestContext_FinishMultiple,
+ *  but for one digest.
+ */
+SECStatus
+NSS_CMSDigestContext_FinishSingle(NSSCMSDigestContext *cmsdigcx, PLArenaPool *poolp,
+			    SECItem *digest)
+{
+    SECStatus rv = SECFailure;
+    SECItem **dp;
+    PLArenaPool *arena = NULL;
+
+    if ((arena = PORT_NewArena(1024)) == NULL)
+	goto loser;
+
+    /* get the digests into arena, then copy the first digest into poolp */
+    if (NSS_CMSDigestContext_FinishMultiple(cmsdigcx, arena, &dp) != SECSuccess)
+	goto loser;
+
+    /* now copy it into poolp */
+    if (SECITEM_CopyItem(poolp, digest, dp[0]) != SECSuccess)
+	goto loser;
+
+    rv = SECSuccess;
+
+loser:
+    if (arena)
+	PORT_FreeArena(arena, PR_FALSE);
+
+    return rv;
+}
diff --git a/security/nss/lib/smime/cmsencdata.c b/security/nss/lib/smime/cmsencdata.c
new file mode 100644
index 000000000..61aae96d8
--- /dev/null
+++ b/security/nss/lib/smime/cmsencdata.c
@@ -0,0 +1,281 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * CMS encryptedData methods.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "key.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "prtime.h"
+#include "secerr.h"
+#include "secpkcs5.h"
+
+/*
+ * NSS_CMSEncryptedData_Create - create an empty encryptedData object.
+ *
+ * "algorithm" specifies the bulk encryption algorithm to use.
+ * "keysize" is the key size.
+ * 
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+NSSCMSEncryptedData *
+NSS_CMSEncryptedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, int keysize)
+{
+    void *mark;
+    NSSCMSEncryptedData *encd;
+    PLArenaPool *poolp;
+    SECAlgorithmID *pbe_algid;
+    SECStatus rv;
+
+    poolp = cmsg->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+
+    encd = (NSSCMSEncryptedData *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSEncryptedData));
+    if (encd == NULL)
+	goto loser;
+
+    encd->cmsg = cmsg;
+
+    /* version is set in NSS_CMSEncryptedData_Encode_BeforeStart() */
+
+    switch (algorithm) {
+    /* XXX hmmm... hardcoded algorithms? */
+    case SEC_OID_RC2_CBC:
+    case SEC_OID_DES_EDE3_CBC:
+    case SEC_OID_DES_CBC:
+	rv = NSS_CMSContentInfo_SetContentEncAlg(poolp, &(encd->contentInfo), algorithm, NULL, keysize);
+	break;
+    default:
+	/* Assume password-based-encryption.  At least, try that. */
+	pbe_algid = PK11_CreatePBEAlgorithmID(algorithm, 1, NULL);
+	if (pbe_algid == NULL) {
+	    rv = SECFailure;
+	    break;
+	}
+	rv = NSS_CMSContentInfo_SetContentEncAlgID(poolp, &(encd->contentInfo), pbe_algid, keysize);
+	SECOID_DestroyAlgorithmID (pbe_algid, PR_TRUE);
+	break;
+    }
+    if (rv != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark(poolp, mark);
+    return encd;
+
+loser:
+    PORT_ArenaRelease(poolp, mark);
+    return NULL;
+}
+
+/*
+ * NSS_CMSEncryptedData_Destroy - destroy an encryptedData object
+ */
+void
+NSS_CMSEncryptedData_Destroy(NSSCMSEncryptedData *encd)
+{
+    /* everything's in a pool, so don't worry about the storage */
+    NSS_CMSContentInfo_Destroy(&(encd->contentInfo));
+    return;
+}
+
+/*
+ * NSS_CMSEncryptedData_GetContentInfo - return pointer to encryptedData object's contentInfo
+ */
+NSSCMSContentInfo *
+NSS_CMSEncryptedData_GetContentInfo(NSSCMSEncryptedData *encd)
+{
+    return &(encd->contentInfo);
+}
+
+/*
+ * NSS_CMSEncryptedData_Encode_BeforeStart - do all the necessary things to a EncryptedData
+ *     before encoding begins.
+ *
+ * In particular:
+ *  - set the correct version value.
+ *  - get the encryption key
+ */
+SECStatus
+NSS_CMSEncryptedData_Encode_BeforeStart(NSSCMSEncryptedData *encd)
+{
+    int version;
+    PK11SymKey *bulkkey = NULL;
+    SECItem *dummy;
+    NSSCMSContentInfo *cinfo = &(encd->contentInfo);
+
+    if (NSS_CMSArray_IsEmpty((void **)encd->unprotectedAttr))
+	version = NSS_CMS_ENCRYPTED_DATA_VERSION;
+    else
+	version = NSS_CMS_ENCRYPTED_DATA_VERSION_UPATTR;
+    
+    dummy = SEC_ASN1EncodeInteger (encd->cmsg->poolp, &(encd->version), version);
+    if (dummy == NULL)
+	return SECFailure;
+
+    /* now get content encryption key (bulk key) by using our cmsg callback */
+    if (encd->cmsg->decrypt_key_cb)
+	bulkkey = (*encd->cmsg->decrypt_key_cb)(encd->cmsg->decrypt_key_cb_arg, 
+		    NSS_CMSContentInfo_GetContentEncAlg(cinfo));
+    if (bulkkey == NULL)
+	return SECFailure;
+
+    /* store the bulk key in the contentInfo so that the encoder can find it */
+    NSS_CMSContentInfo_SetBulkKey(cinfo, bulkkey);
+
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSEncryptedData_Encode_BeforeData - set up encryption
+ */
+SECStatus
+NSS_CMSEncryptedData_Encode_BeforeData(NSSCMSEncryptedData *encd)
+{
+    NSSCMSContentInfo *cinfo;
+    PK11SymKey *bulkkey;
+    SECAlgorithmID *algid;
+
+    cinfo = &(encd->contentInfo);
+
+    /* find bulkkey and algorithm - must have been set by NSS_CMSEncryptedData_Encode_BeforeStart */
+    bulkkey = NSS_CMSContentInfo_GetBulkKey(cinfo);
+    if (bulkkey == NULL)
+	return SECFailure;
+    algid = NSS_CMSContentInfo_GetContentEncAlg(cinfo);
+    if (algid == NULL)
+	return SECFailure;
+
+    /* this may modify algid (with IVs generated in a token).
+     * it is therefore essential that algid is a pointer to the "real" contentEncAlg,
+     * not just to a copy */
+    cinfo->ciphcx = NSS_CMSCipherContext_StartEncrypt(encd->cmsg->poolp, bulkkey, algid);
+    PK11_FreeSymKey(bulkkey);
+    if (cinfo->ciphcx == NULL)
+	return SECFailure;
+
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSEncryptedData_Encode_AfterData - finalize this encryptedData for encoding
+ */
+SECStatus
+NSS_CMSEncryptedData_Encode_AfterData(NSSCMSEncryptedData *encd)
+{
+    if (encd->contentInfo.ciphcx)
+	NSS_CMSCipherContext_Destroy(encd->contentInfo.ciphcx);
+
+    /* nothing to do after data */
+    return SECSuccess;
+}
+
+
+/*
+ * NSS_CMSEncryptedData_Decode_BeforeData - find bulk key & set up decryption
+ */
+SECStatus
+NSS_CMSEncryptedData_Decode_BeforeData(NSSCMSEncryptedData *encd)
+{
+    PK11SymKey *bulkkey = NULL;
+    NSSCMSContentInfo *cinfo;
+    SECAlgorithmID *bulkalg;
+    SECStatus rv = SECFailure;
+
+    cinfo = &(encd->contentInfo);
+
+    bulkalg = NSS_CMSContentInfo_GetContentEncAlg(cinfo);
+
+    if (encd->cmsg->decrypt_key_cb == NULL)	/* no callback? no key../ */
+	goto loser;
+
+    bulkkey = (*encd->cmsg->decrypt_key_cb)(encd->cmsg->decrypt_key_cb_arg, bulkalg);
+    if (bulkkey == NULL)
+	/* no success finding a bulk key */
+	goto loser;
+
+    NSS_CMSContentInfo_SetBulkKey(cinfo, bulkkey);
+
+    cinfo->ciphcx = NSS_CMSCipherContext_StartDecrypt(bulkkey, bulkalg);
+    if (cinfo->ciphcx == NULL)
+	goto loser;		/* error has been set by NSS_CMSCipherContext_StartDecrypt */
+
+    /* 
+     * HACK ALERT!!
+     * For PKCS5 Encryption Algorithms, the bulkkey is actually a different
+     * structure.  Therefore, we need to set the bulkkey to the actual key 
+     * prior to freeing it.
+     */
+    if (SEC_PKCS5IsAlgorithmPBEAlg(bulkalg)) {
+	SEC_PKCS5KeyAndPassword *keyPwd = (SEC_PKCS5KeyAndPassword *)bulkkey;
+	bulkkey = keyPwd->key;
+    }
+
+    /* we are done with (this) bulkkey now. */
+    PK11_FreeSymKey(bulkkey);
+
+    rv = SECSuccess;
+
+loser:
+    return rv;
+}
+
+/*
+ * NSS_CMSEncryptedData_Decode_AfterData - finish decrypting this encryptedData's content
+ */
+SECStatus
+NSS_CMSEncryptedData_Decode_AfterData(NSSCMSEncryptedData *encd)
+{
+    NSS_CMSCipherContext_Destroy(encd->contentInfo.ciphcx);
+
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSEncryptedData_Decode_AfterEnd - finish decoding this encryptedData
+ */
+SECStatus
+NSS_CMSEncryptedData_Decode_AfterEnd(NSSCMSEncryptedData *encd)
+{
+    /* apply final touches */
+    return SECSuccess;
+}
diff --git a/security/nss/lib/smime/cmsencode.c b/security/nss/lib/smime/cmsencode.c
new file mode 100644
index 000000000..978f02a55
--- /dev/null
+++ b/security/nss/lib/smime/cmsencode.c
@@ -0,0 +1,743 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * CMS encoding.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+#include "key.h"
+#include "secasn1.h"
+#include "secoid.h"
+#include "secrng.h"
+#include "secitem.h"
+#include "pk11func.h"
+#include "secerr.h"
+
+struct nss_cms_encoder_output {
+    NSSCMSContentCallback outputfn;
+    void *outputarg;
+    PLArenaPool *destpoolp;
+    SECItem *dest;
+};
+
+struct NSSCMSEncoderContextStr {
+    SEC_ASN1EncoderContext *	ecx;		/* ASN.1 encoder context */
+    PRBool			ecxupdated;	/* true if data was handed in */
+    NSSCMSMessage *		cmsg;		/* pointer to the root message */
+    SECOidTag			type;		/* type tag of the current content */
+    NSSCMSContent		content;	/* pointer to current content */
+    struct nss_cms_encoder_output output;	/* output function */
+    int				error;		/* error code */
+    NSSCMSEncoderContext *	childp7ecx;	/* link to child encoder context */
+};
+
+static SECStatus nss_cms_before_data(NSSCMSEncoderContext *p7ecx);
+static SECStatus nss_cms_after_data(NSSCMSEncoderContext *p7ecx);
+static SECStatus nss_cms_encoder_update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len);
+static SECStatus nss_cms_encoder_work_data(NSSCMSEncoderContext *p7ecx, SECItem *dest,
+			     const unsigned char *data, unsigned long len,
+			     PRBool final, PRBool innermost);
+
+extern const SEC_ASN1Template NSSCMSMessageTemplate[];
+
+/*
+ * The little output function that the ASN.1 encoder calls to hand
+ * us bytes which we in turn hand back to our caller (via the callback
+ * they gave us).
+ */
+static void
+nss_cms_encoder_out(void *arg, const char *buf, unsigned long len,
+		      int depth, SEC_ASN1EncodingPart data_kind)
+{
+    struct nss_cms_encoder_output *output = (struct nss_cms_encoder_output *)arg;
+    unsigned char *dest;
+    unsigned long offset;
+
+#ifdef CMSDEBUG
+    int i;
+
+    fprintf(stderr, "kind = %d, depth = %d, len = %d\n", data_kind, depth, len);
+    for (i=0; i < len; i++) {
+	fprintf(stderr, " %02x%s", (unsigned int)buf[i] & 0xff, ((i % 16) == 15) ? "\n" : "");
+    }
+    if ((i % 16) != 0)
+	fprintf(stderr, "\n");
+#endif
+
+    if (output->outputfn != NULL)
+	/* call output callback with DER data */
+	output->outputfn(output->outputarg, buf, len);
+
+    if (output->dest != NULL) {
+	/* store DER data in SECItem */
+	offset = output->dest->len;
+	if (offset == 0) {
+	    dest = (unsigned char *)PORT_ArenaAlloc(output->destpoolp, len);
+	} else {
+	    dest = (unsigned char *)PORT_ArenaGrow(output->destpoolp, 
+				  output->dest->data,
+				  output->dest->len,
+				  output->dest->len + len);
+	}
+	if (dest == NULL)
+	    /* oops */
+	    return;
+
+	output->dest->data = dest;
+	output->dest->len += len;
+
+	/* copy it in */
+	PORT_Memcpy(output->dest->data + offset, buf, len);
+    }
+}
+
+/*
+ * nss_cms_encoder_notify - ASN.1 encoder callback
+ *
+ * this function is called by the ASN.1 encoder before and after the encoding of
+ * every object. here, it is used to keep track of data structures, set up
+ * encryption and/or digesting and possibly set up child encoders.
+ */
+static void
+nss_cms_encoder_notify(void *arg, PRBool before, void *dest, int depth)
+{
+    NSSCMSEncoderContext *p7ecx;
+    NSSCMSContentInfo *rootcinfo, *cinfo;
+    PRBool after = !before;
+    PLArenaPool *poolp;
+    SECOidTag childtype;
+    SECItem *item;
+
+    p7ecx = (NSSCMSEncoderContext *)arg;
+    PORT_Assert(p7ecx != NULL);
+
+    rootcinfo = &(p7ecx->cmsg->contentInfo);
+    poolp = p7ecx->cmsg->poolp;
+
+#ifdef CMSDEBUG
+    fprintf(stderr, "%6.6s, dest = 0x%08x, depth = %d\n", before ? "before" : "after", dest, depth);
+#endif
+
+    /*
+     * Watch for the content field, at which point we want to instruct
+     * the ASN.1 encoder to start taking bytes from the buffer.
+     */
+    switch (p7ecx->type) {
+    default:
+    case SEC_OID_UNKNOWN:
+	/* we're still in the root message */
+	if (after && dest == &(rootcinfo->contentType)) {
+	    /* got the content type OID now - so find out the type tag */
+	    p7ecx->type = NSS_CMSContentInfo_GetContentTypeTag(rootcinfo);
+	    /* set up a pointer to our current content */
+	    p7ecx->content = rootcinfo->content;
+	}
+	break;
+
+    case SEC_OID_PKCS7_DATA:
+	if (before && dest == &(rootcinfo->rawContent)) {
+	    /* just set up encoder to grab from user - no encryption or digesting */
+	    if ((item = rootcinfo->content.data) != NULL)
+		(void)nss_cms_encoder_work_data(p7ecx, NULL, item->data, item->len, PR_TRUE, PR_TRUE);
+	    else
+		SEC_ASN1EncoderSetTakeFromBuf(p7ecx->ecx);
+	    SEC_ASN1EncoderClearNotifyProc(p7ecx->ecx);	/* no need to get notified anymore */
+	}
+	break;
+
+    case SEC_OID_PKCS7_SIGNED_DATA:
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+
+	/* when we know what the content is, we encode happily until we reach the inner content */
+	cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
+	childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+
+	if (after && dest == &(cinfo->contentType)) {
+	    /* we're right before encoding the data (if we have some or not) */
+	    /* (for encrypted data, we're right before the contentEncAlg which may change */
+	    /*  in nss_cms_before_data because of IV calculation when setting up encryption) */
+	    if (nss_cms_before_data(p7ecx) != SECSuccess)
+		p7ecx->error = PORT_GetError();
+	}
+	if (before && dest == &(cinfo->rawContent)) {
+	    if (childtype == SEC_OID_PKCS7_DATA && (item = cinfo->content.data) != NULL)
+		/* we have data - feed it in */
+		(void)nss_cms_encoder_work_data(p7ecx, NULL, item->data, item->len, PR_TRUE, PR_TRUE);
+	    else
+		/* else try to get it from user */
+		SEC_ASN1EncoderSetTakeFromBuf(p7ecx->ecx);
+	}
+	if (after && dest == &(cinfo->rawContent)) {
+	    if (nss_cms_after_data(p7ecx) != SECSuccess)
+		p7ecx->error = PORT_GetError();
+	    SEC_ASN1EncoderClearNotifyProc(p7ecx->ecx);	/* no need to get notified anymore */
+	}
+	break;
+    }
+}
+
+/*
+ * nss_cms_before_data - setup the current encoder to receive data
+ */
+static SECStatus
+nss_cms_before_data(NSSCMSEncoderContext *p7ecx)
+{
+    SECStatus rv;
+    SECOidTag childtype;
+    NSSCMSContentInfo *cinfo;
+    PLArenaPool *poolp;
+    NSSCMSEncoderContext *childp7ecx;
+    const SEC_ASN1Template *template;
+
+    poolp = p7ecx->cmsg->poolp;
+
+    /* call _Encode_BeforeData handlers */
+    switch (p7ecx->type) {
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	/* we're encoding a signedData, so set up the digests */
+	rv = NSS_CMSSignedData_Encode_BeforeData(p7ecx->content.signedData);
+	break;
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+	/* we're encoding a digestedData, so set up the digest */
+	rv = NSS_CMSDigestedData_Encode_BeforeData(p7ecx->content.digestedData);
+	break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	rv = NSS_CMSEnvelopedData_Encode_BeforeData(p7ecx->content.envelopedData);
+	break;
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	rv = NSS_CMSEncryptedData_Encode_BeforeData(p7ecx->content.encryptedData);
+	break;
+    default:
+	rv = SECFailure;
+    }
+    if (rv != SECSuccess)
+	return SECFailure;
+
+    /* ok, now we have a pointer to cinfo */
+    /* find out what kind of data is encapsulated */
+    
+    cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
+    childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+
+    switch (childtype) {
+    case SEC_OID_PKCS7_SIGNED_DATA:
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+#if 0
+    case SEC_OID_PKCS7_DATA:		/* XXX here also??? maybe yes! */
+#endif
+	/* in these cases, we need to set up a child encoder! */
+	/* create new encoder context */
+	childp7ecx = PORT_ZAlloc(sizeof(NSSCMSEncoderContext));
+	if (childp7ecx == NULL)
+	    return SECFailure;
+
+	/* the CHILD encoder needs to hand its encoded data to the CURRENT encoder
+	 * (which will encrypt and/or digest it)
+	 * this needs to route back into our update function
+	 * which finds the lowest encoding context & encrypts and computes digests */
+	childp7ecx->type = childtype;
+	childp7ecx->content = cinfo->content;
+	/* use the non-recursive update function here, of course */
+	childp7ecx->output.outputfn = (NSSCMSContentCallback)nss_cms_encoder_update;
+	childp7ecx->output.outputarg = p7ecx;
+	childp7ecx->output.destpoolp = NULL;
+	childp7ecx->output.dest = NULL;
+	childp7ecx->cmsg = p7ecx->cmsg;
+
+	template = NSS_CMSUtil_GetTemplateByTypeTag(childtype);
+	if (template == NULL)
+	    goto loser;		/* cannot happen */
+
+	/* now initialize the data for encoding the first third */
+	switch (childp7ecx->type) {
+	case SEC_OID_PKCS7_SIGNED_DATA:
+	    rv = NSS_CMSSignedData_Encode_BeforeStart(cinfo->content.signedData);
+	    break;
+	case SEC_OID_PKCS7_ENVELOPED_DATA:
+	    rv = NSS_CMSEnvelopedData_Encode_BeforeStart(cinfo->content.envelopedData);
+	    break;
+	case SEC_OID_PKCS7_DIGESTED_DATA:
+	    rv = NSS_CMSDigestedData_Encode_BeforeStart(cinfo->content.digestedData);
+	    break;
+	case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	    rv = NSS_CMSEncryptedData_Encode_BeforeStart(cinfo->content.encryptedData);
+	    break;
+	case SEC_OID_PKCS7_DATA:
+	    rv = SECSuccess;
+	    break;
+	default:
+	    PORT_Assert(0);
+	    break;
+	}
+	if (rv != SECSuccess)
+	    goto loser;
+
+	/*
+	 * Initialize the BER encoder.
+	 */
+	childp7ecx->ecx = SEC_ASN1EncoderStart(cinfo->content.pointer, template,
+					   nss_cms_encoder_out, &(childp7ecx->output));
+	if (childp7ecx->ecx == NULL)
+	    goto loser;
+
+	childp7ecx->ecxupdated = PR_FALSE;
+
+	/*
+	 * Indicate that we are streaming.  We will be streaming until we
+	 * get past the contents bytes.
+	 */
+	SEC_ASN1EncoderSetStreaming(childp7ecx->ecx);
+
+	/*
+	 * The notify function will watch for the contents field.
+	 */
+	SEC_ASN1EncoderSetNotifyProc(childp7ecx->ecx, nss_cms_encoder_notify, childp7ecx);
+
+	/* please note that we are NOT calling SEC_ASN1EncoderUpdate here to kick off the */
+	/* encoding process - we'll do that from the update function instead */
+	/* otherwise we'd be encoding data from a call of the notify function of the */
+	/* parent encoder (which would not work) */
+
+	/* this will kick off the encoding process & encode everything up to the content bytes,
+	 * at which point the notify function sets streaming mode (and possibly creates
+	 * another child encoder). */
+	if (SEC_ASN1EncoderUpdate(childp7ecx->ecx, NULL, 0) != SECSuccess)
+	    goto loser;
+
+	p7ecx->childp7ecx = childp7ecx;
+	break;
+
+    case SEC_OID_PKCS7_DATA:
+	p7ecx->childp7ecx = NULL;
+	break;
+    default:
+	/* we do not know this type */
+	p7ecx->error = SEC_ERROR_BAD_DER;
+	break;
+    }
+
+    return SECSuccess;
+
+loser:
+    if (childp7ecx) {
+	if (childp7ecx->ecx)
+	    SEC_ASN1EncoderFinish(childp7ecx->ecx);
+	PORT_Free(childp7ecx);
+    }
+    return SECFailure;
+}
+
+static SECStatus
+nss_cms_after_data(NSSCMSEncoderContext *p7ecx)
+{
+    SECStatus rv = SECFailure;
+
+    switch (p7ecx->type) {
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	/* this will finish the digests and sign */
+	rv = NSS_CMSSignedData_Encode_AfterData(p7ecx->content.signedData);
+	break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	rv = NSS_CMSEnvelopedData_Encode_AfterData(p7ecx->content.envelopedData);
+	break;
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+	rv = NSS_CMSDigestedData_Encode_AfterData(p7ecx->content.digestedData);
+	break;
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	rv = NSS_CMSEncryptedData_Encode_AfterData(p7ecx->content.encryptedData);
+	break;
+    case SEC_OID_PKCS7_DATA:
+	/* do nothing */
+	break;
+    default:
+	rv = SECFailure;
+	break;
+    }
+    return rv;
+}
+
+/*
+ * nss_cms_encoder_work_data - process incoming data
+ *
+ * (from the user or the next encoding layer)
+ * Here, we need to digest and/or encrypt, then pass it on
+ */
+static SECStatus
+nss_cms_encoder_work_data(NSSCMSEncoderContext *p7ecx, SECItem *dest,
+			     const unsigned char *data, unsigned long len,
+			     PRBool final, PRBool innermost)
+{
+    unsigned char *buf = NULL;
+    SECStatus rv;
+    NSSCMSContentInfo *cinfo;
+
+    rv = SECSuccess;		/* may as well be optimistic */
+
+    /*
+     * We should really have data to process, or we should be trying
+     * to finish/flush the last block.  (This is an overly paranoid
+     * check since all callers are in this file and simple inspection
+     * proves they do it right.  But it could find a bug in future
+     * modifications/development, that is why it is here.)
+     */
+    PORT_Assert ((data != NULL && len) || final);
+
+    /* we got data (either from the caller, or from a lower level encoder) */
+    cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
+
+    /* Update the running digest. */
+    if (len && cinfo->digcx != NULL)
+	NSS_CMSDigestContext_Update(cinfo->digcx, data, len);
+
+    /* Encrypt this chunk. */
+    if (cinfo->ciphcx != NULL) {
+	unsigned int inlen;	/* length of data being encrypted */
+	unsigned int outlen;	/* length of encrypted data */
+	unsigned int buflen;	/* length available for encrypted data */
+
+	inlen = len;
+	buflen = NSS_CMSCipherContext_EncryptLength(cinfo->ciphcx, inlen, final);
+	if (buflen == 0) {
+	    /*
+	     * No output is expected, but the input data may be buffered
+	     * so we still have to call Encrypt.
+	     */
+	    rv = NSS_CMSCipherContext_Encrypt(cinfo->ciphcx, NULL, NULL, 0,
+				   data, inlen, final);
+	    if (final) {
+		len = 0;
+		goto done;
+	    }
+	    return rv;
+	}
+
+	if (dest != NULL)
+	    buf = (unsigned char*)PORT_ArenaAlloc(p7ecx->cmsg->poolp, buflen);
+	else
+	    buf = (unsigned char*)PORT_Alloc(buflen);
+
+	if (buf == NULL) {
+	    rv = SECFailure;
+	} else {
+	    rv = NSS_CMSCipherContext_Encrypt(cinfo->ciphcx, buf, &outlen, buflen,
+				   data, inlen, final);
+	    data = buf;
+	    len = outlen;
+	}
+	if (rv != SECSuccess)
+	    /* encryption or malloc failed? */
+	    return rv;
+    }
+
+
+    /*
+     * at this point (data,len) has everything we'd like to give to the CURRENT encoder
+     * (which will encode it, then hand it back to the user or the parent encoder)
+     * We don't encode the data if we're innermost and we're told not to include the data
+     */
+    if (p7ecx->ecx != NULL && len && (!innermost || cinfo->rawContent != NULL))
+	rv = SEC_ASN1EncoderUpdate(p7ecx->ecx, (const char *)data, len);
+
+done:
+
+    if (cinfo->ciphcx != NULL) {
+	if (dest != NULL) {
+	    dest->data = buf;
+	    dest->len = len;
+	} else if (buf != NULL) {
+	    PORT_Free (buf);
+	}
+    }
+    return rv;
+}
+
+/*
+ * nss_cms_encoder_update - deliver encoded data to the next higher level
+ *
+ * no recursion here because we REALLY want to end up at the next higher encoder!
+ */
+static SECStatus
+nss_cms_encoder_update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len)
+{
+    /* XXX Error handling needs help.  Return what?  Do "Finish" on failure? */
+    return nss_cms_encoder_work_data (p7ecx, NULL, (const unsigned char *)data, len, PR_FALSE, PR_FALSE);
+}
+
+/*
+ * NSS_CMSEncoder_Start - set up encoding of a CMS message
+ *
+ * "cmsg" - message to encode
+ * "outputfn", "outputarg" - callback function for delivery of DER-encoded output
+ *                           will not be called if NULL.
+ * "dest" - if non-NULL, pointer to SECItem that will hold the DER-encoded output
+ * "destpoolp" - pool to allocate DER-encoded output in
+ * "pwfn", pwfn_arg" - callback function for getting token password
+ * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
+ * "detached_digestalgs", "detached_digests" - digests from detached content
+ */
+NSSCMSEncoderContext *
+NSS_CMSEncoder_Start(NSSCMSMessage *cmsg,
+			NSSCMSContentCallback outputfn, void *outputarg,
+			SECItem *dest, PLArenaPool *destpoolp,
+			PK11PasswordFunc pwfn, void *pwfn_arg,
+			NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,
+			SECAlgorithmID **detached_digestalgs, SECItem **detached_digests)
+{
+    NSSCMSEncoderContext *p7ecx;
+    SECStatus rv;
+    NSSCMSContentInfo *cinfo;
+
+    NSS_CMSMessage_SetEncodingParams(cmsg, pwfn, pwfn_arg, decrypt_key_cb, decrypt_key_cb_arg,
+					detached_digestalgs, detached_digests);
+
+    p7ecx = (NSSCMSEncoderContext *)PORT_ZAlloc(sizeof(NSSCMSEncoderContext));
+    if (p7ecx == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    p7ecx->cmsg = cmsg;
+    p7ecx->output.outputfn = outputfn;
+    p7ecx->output.outputarg = outputarg;
+    p7ecx->output.dest = dest;
+    p7ecx->output.destpoolp = destpoolp;
+    p7ecx->type = SEC_OID_UNKNOWN;
+
+    cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
+
+    switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	rv = NSS_CMSSignedData_Encode_BeforeStart(cinfo->content.signedData);
+	break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	rv = NSS_CMSEnvelopedData_Encode_BeforeStart(cinfo->content.envelopedData);
+	break;
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+	rv = NSS_CMSDigestedData_Encode_BeforeStart(cinfo->content.digestedData);
+	break;
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	rv = NSS_CMSEncryptedData_Encode_BeforeStart(cinfo->content.encryptedData);
+	break;
+    default:
+	rv = SECFailure;
+	break;
+    }
+    if (rv != SECSuccess)
+	return NULL;
+
+    /* Initialize the BER encoder.
+     * Note that this will not encode anything until the first call to SEC_ASN1EncoderUpdate */
+    p7ecx->ecx = SEC_ASN1EncoderStart(cmsg, NSSCMSMessageTemplate,
+				       nss_cms_encoder_out, &(p7ecx->output));
+    if (p7ecx->ecx == NULL) {
+	PORT_Free (p7ecx);
+	return NULL;
+    }
+    p7ecx->ecxupdated = PR_FALSE;
+
+    /*
+     * Indicate that we are streaming.  We will be streaming until we
+     * get past the contents bytes.
+     */
+    SEC_ASN1EncoderSetStreaming(p7ecx->ecx);
+
+    /*
+     * The notify function will watch for the contents field.
+     */
+    SEC_ASN1EncoderSetNotifyProc(p7ecx->ecx, nss_cms_encoder_notify, p7ecx);
+
+    /* this will kick off the encoding process & encode everything up to the content bytes,
+     * at which point the notify function sets streaming mode (and possibly creates
+     * a child encoder). */
+    if (SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0) != SECSuccess) {
+	PORT_Free (p7ecx);
+	return NULL;
+    }
+
+    return p7ecx;
+}
+
+/*
+ * NSS_CMSEncoder_Update - take content data delivery from the user
+ *
+ * "p7ecx" - encoder context
+ * "data" - content data
+ * "len" - length of content data
+ *
+ * need to find the lowest level (and call SEC_ASN1EncoderUpdate on the way down),
+ * then hand the data to the work_data fn
+ */
+SECStatus
+NSS_CMSEncoder_Update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len)
+{
+    SECStatus rv;
+    NSSCMSContentInfo *cinfo;
+    SECOidTag childtype;
+
+    if (p7ecx->error)
+	return SECFailure;
+
+    /* hand data to the innermost decoder */
+    if (p7ecx->childp7ecx) {
+	/* recursion here */
+	rv = NSS_CMSEncoder_Update(p7ecx->childp7ecx, data, len);
+    } else {
+	/* we are at innermost decoder */
+	/* find out about our inner content type - must be data */
+	cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
+	childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+	if (childtype != SEC_OID_PKCS7_DATA)
+	    return SECFailure;
+	/* and we must not have preset data */
+	if (cinfo->content.data != NULL)
+	    return SECFailure;
+
+	/*  hand it the data so it can encode it (let DER trickle up the chain) */
+	rv = nss_cms_encoder_work_data(p7ecx, NULL, (const unsigned char *)data, len, PR_FALSE, PR_TRUE);
+    }
+    return rv;
+}
+
+/*
+ * NSS_CMSEncoder_Cancel - stop all encoding
+ *
+ * we need to walk down the chain of encoders and the finish them from the innermost out
+ */
+SECStatus
+NSS_CMSEncoder_Cancel(NSSCMSEncoderContext *p7ecx)
+{
+    SECStatus rv = SECFailure;
+
+    /* XXX do this right! */
+
+    /*
+     * Finish any inner decoders before us so that all the encoded data is flushed
+     * This basically finishes all the decoders from the innermost to the outermost.
+     * Finishing an inner decoder may result in data being updated to the outer decoder
+     * while we are already in NSS_CMSEncoder_Finish, but that's allright.
+     */
+    if (p7ecx->childp7ecx) {
+	rv = NSS_CMSEncoder_Cancel(p7ecx->childp7ecx); /* frees p7ecx->childp7ecx */
+	/* remember rv for now */
+    }
+
+    /*
+     * On the way back up, there will be no more data (if we had an
+     * inner encoder, it is done now!)
+     * Flush out any remaining data and/or finish digests.
+     */
+    rv = nss_cms_encoder_work_data(p7ecx, NULL, NULL, 0, PR_TRUE, (p7ecx->childp7ecx == NULL));
+    if (rv != SECSuccess)
+	goto loser;
+
+    p7ecx->childp7ecx = NULL;
+
+    /* kick the encoder back into working mode again.
+     * We turn off streaming stuff (which will cause the encoder to continue
+     * encoding happily, now that we have all the data (like digests) ready for it).
+     */
+    SEC_ASN1EncoderClearTakeFromBuf(p7ecx->ecx);
+    SEC_ASN1EncoderClearStreaming(p7ecx->ecx);
+
+    /* now that TakeFromBuf is off, this will kick this encoder to finish encoding */
+    rv = SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0);
+
+loser:
+    SEC_ASN1EncoderFinish(p7ecx->ecx);
+    PORT_Free (p7ecx);
+    return rv;
+}
+
+/*
+ * NSS_CMSEncoder_Finish - signal the end of data
+ *
+ * we need to walk down the chain of encoders and the finish them from the innermost out
+ */
+SECStatus
+NSS_CMSEncoder_Finish(NSSCMSEncoderContext *p7ecx)
+{
+    SECStatus rv = SECFailure;
+    NSSCMSContentInfo *cinfo;
+    SECOidTag childtype;
+
+    /*
+     * Finish any inner decoders before us so that all the encoded data is flushed
+     * This basically finishes all the decoders from the innermost to the outermost.
+     * Finishing an inner decoder may result in data being updated to the outer decoder
+     * while we are already in NSS_CMSEncoder_Finish, but that's allright.
+     */
+    if (p7ecx->childp7ecx) {
+	rv = NSS_CMSEncoder_Finish(p7ecx->childp7ecx); /* frees p7ecx->childp7ecx */
+	if (rv != SECSuccess)
+	    goto loser;
+    }
+
+    /*
+     * On the way back up, there will be no more data (if we had an
+     * inner encoder, it is done now!)
+     * Flush out any remaining data and/or finish digests.
+     */
+    rv = nss_cms_encoder_work_data(p7ecx, NULL, NULL, 0, PR_TRUE, (p7ecx->childp7ecx == NULL));
+    if (rv != SECSuccess)
+	goto loser;
+
+    p7ecx->childp7ecx = NULL;
+
+    /* find out about our inner content type - must be data */
+    cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);
+    childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+    if (childtype == SEC_OID_PKCS7_DATA && cinfo->content.data == NULL) {
+	SEC_ASN1EncoderClearTakeFromBuf(p7ecx->ecx);
+	/* now that TakeFromBuf is off, this will kick this encoder to finish encoding */
+	rv = SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0);
+    }
+
+    SEC_ASN1EncoderClearStreaming(p7ecx->ecx);
+
+    if (p7ecx->error)
+	rv = SECFailure;
+
+loser:
+    SEC_ASN1EncoderFinish(p7ecx->ecx);
+    PORT_Free (p7ecx);
+    return rv;
+}
diff --git a/security/nss/lib/smime/cmsenvdata.c b/security/nss/lib/smime/cmsenvdata.c
new file mode 100644
index 000000000..111ada533
--- /dev/null
+++ b/security/nss/lib/smime/cmsenvdata.c
@@ -0,0 +1,424 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * CMS envelopedData methods.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+#include "key.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "secerr.h"
+#include "secpkcs5.h"
+
+/*
+ * NSS_CMSEnvelopedData_Create - create an enveloped data message
+ */
+NSSCMSEnvelopedData *
+NSS_CMSEnvelopedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, int keysize)
+{
+    void *mark;
+    NSSCMSEnvelopedData *envd;
+    PLArenaPool *poolp;
+    SECStatus rv;
+
+    poolp = cmsg->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+
+    envd = (NSSCMSEnvelopedData *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSEnvelopedData));
+    if (envd == NULL)
+	goto loser;
+
+    envd->cmsg = cmsg;
+
+    /* version is set in NSS_CMSEnvelopedData_Encode_BeforeStart() */
+
+    rv = NSS_CMSContentInfo_SetContentEncAlg(poolp, &(envd->contentInfo), algorithm, NULL, keysize);
+    if (rv != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark(poolp, mark);
+    return envd;
+
+loser:
+    PORT_ArenaRelease(poolp, mark);
+    return NULL;
+}
+
+/*
+ * NSS_CMSEnvelopedData_Destroy - destroy an enveloped data message
+ */
+void
+NSS_CMSEnvelopedData_Destroy(NSSCMSEnvelopedData *edp)
+{
+    NSSCMSRecipientInfo **recipientinfos;
+    NSSCMSRecipientInfo *ri;
+
+    if (edp == NULL)
+	return;
+
+    recipientinfos = edp->recipientInfos;
+    if (recipientinfos == NULL)
+	return;
+
+    while ((ri = *recipientinfos++) != NULL)
+	NSS_CMSRecipientInfo_Destroy(ri);
+
+   NSS_CMSContentInfo_Destroy(&(edp->contentInfo));
+
+}
+
+/*
+ * NSS_CMSEnvelopedData_GetContentInfo - return pointer to this envelopedData's contentinfo
+ */
+NSSCMSContentInfo *
+NSS_CMSEnvelopedData_GetContentInfo(NSSCMSEnvelopedData *envd)
+{
+    return &(envd->contentInfo);
+}
+
+/*
+ * NSS_CMSEnvelopedData_AddRecipient - add a recipientinfo to the enveloped data msg
+ *
+ * rip must be created on the same pool as edp - this is not enforced, though.
+ */
+SECStatus
+NSS_CMSEnvelopedData_AddRecipient(NSSCMSEnvelopedData *edp, NSSCMSRecipientInfo *rip)
+{
+    void *mark;
+    SECStatus rv;
+
+    /* XXX compare pools, if not same, copy rip into edp's pool */
+
+    PR_ASSERT(edp != NULL);
+    PR_ASSERT(rip != NULL);
+
+    mark = PORT_ArenaMark(edp->cmsg->poolp);
+
+    rv = NSS_CMSArray_Add(edp->cmsg->poolp, (void ***)&(edp->recipientInfos), (void *)rip);
+    if (rv != SECSuccess) {
+	PORT_ArenaRelease(edp->cmsg->poolp, mark);
+	return SECFailure;
+    }
+
+    PORT_ArenaUnmark (edp->cmsg->poolp, mark);
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSEnvelopedData_Encode_BeforeStart - prepare this envelopedData for encoding
+ *
+ * at this point, we need
+ * - recipientinfos set up with recipient's certificates
+ * - a content encryption algorithm (if none, 3DES will be used)
+ *
+ * this function will generate a random content encryption key (aka bulk key),
+ * initialize the recipientinfos with certificate identification and wrap the bulk key
+ * using the proper algorithm for every certificiate.
+ * it will finally set the bulk algorithm and key so that the encode step can find it.
+ */
+SECStatus
+NSS_CMSEnvelopedData_Encode_BeforeStart(NSSCMSEnvelopedData *envd)
+{
+    int version;
+    NSSCMSRecipientInfo **recipientinfos;
+    NSSCMSContentInfo *cinfo;
+    PK11SymKey *bulkkey = NULL;
+    SECOidTag bulkalgtag;
+    CK_MECHANISM_TYPE type;
+    PK11SlotInfo *slot;
+    SECStatus rv;
+    SECItem *dummy;
+    PLArenaPool *poolp;
+    extern const SEC_ASN1Template NSSCMSRecipientInfoTemplate[];
+    void *mark = NULL;
+    int i;
+
+    poolp = envd->cmsg->poolp;
+    cinfo = &(envd->contentInfo);
+
+    recipientinfos = envd->recipientInfos;
+    if (recipientinfos == NULL) {
+	PORT_SetError(SEC_ERROR_BAD_DATA);
+#if 0
+	PORT_SetErrorString("Cannot find recipientinfos to encode.");
+#endif
+	goto loser;
+    }
+
+    version = NSS_CMS_ENVELOPED_DATA_VERSION_REG;
+    if (envd->originatorInfo != NULL || envd->unprotectedAttr != NULL) {
+	version = NSS_CMS_ENVELOPED_DATA_VERSION_ADV;
+    } else {
+	for (i = 0; recipientinfos[i] != NULL; i++) {
+	    if (NSS_CMSRecipientInfo_GetVersion(recipientinfos[i]) != 0) {
+		version = NSS_CMS_ENVELOPED_DATA_VERSION_ADV;
+		break;
+	    }
+	}
+    }
+    dummy = SEC_ASN1EncodeInteger(poolp, &(envd->version), version);
+    if (dummy == NULL)
+	goto loser;
+
+    /* now we need to have a proper content encryption algorithm
+     * on the SMIME level, we would figure one out by looking at SMIME capabilities
+     * we cannot do that on our level, so if none is set already, we'll just go
+     * with one of the mandatory algorithms (3DES) */
+    if ((bulkalgtag = NSS_CMSContentInfo_GetContentEncAlgTag(cinfo)) == SEC_OID_UNKNOWN) {
+	rv = NSS_CMSContentInfo_SetContentEncAlg(poolp, cinfo, SEC_OID_DES_EDE3_CBC, NULL, 168);
+	if (rv != SECSuccess)
+	    goto loser;
+	bulkalgtag = SEC_OID_DES_EDE3_CBC;
+    } 
+
+    /* generate a random bulk key suitable for content encryption alg */
+    type = PK11_AlgtagToMechanism(bulkalgtag);
+    slot = PK11_GetBestSlot(type, envd->cmsg->pwfn_arg);
+    if (slot == NULL)
+	goto loser;	/* error has been set by PK11_GetBestSlot */
+
+    /* this is expensive... */
+    bulkkey = PK11_KeyGen(slot, type, NULL, NSS_CMSContentInfo_GetBulkKeySize(cinfo) / 8, envd->cmsg->pwfn_arg);
+    PK11_FreeSlot(slot);
+    if (bulkkey == NULL)
+	goto loser;	/* error has been set by PK11_KeyGen */
+
+    mark = PORT_ArenaMark(poolp);
+
+    /* Encrypt the bulk key with the public key of each recipient.  */
+    for (i = 0; recipientinfos[i] != NULL; i++) {
+	rv = NSS_CMSRecipientInfo_WrapBulkKey(recipientinfos[i], bulkkey, bulkalgtag);
+	if (rv != SECSuccess)
+	    goto loser;	/* error has been set by NSS_CMSRecipientInfo_EncryptBulkKey */
+	    		/* could be: alg not supported etc. */
+    }
+
+    /* the recipientinfos are all finished. now sort them by DER for SET OF encoding */
+    rv = NSS_CMSArray_SortByDER((void **)envd->recipientInfos, NSSCMSRecipientInfoTemplate, NULL);
+    if (rv != SECSuccess)
+	goto loser;	/* error has been set by NSS_CMSArray_SortByDER */
+
+    /* store the bulk key in the contentInfo so that the encoder can find it */
+    NSS_CMSContentInfo_SetBulkKey(cinfo, bulkkey);
+
+    PORT_ArenaUnmark(poolp, mark);
+
+    PK11_FreeSymKey(bulkkey);
+
+    return SECSuccess;
+
+loser:
+    if (mark != NULL)
+	PORT_ArenaRelease (poolp, mark);
+    if (bulkkey)
+	PK11_FreeSymKey(bulkkey);
+
+    return SECFailure;
+}
+
+/*
+ * NSS_CMSEnvelopedData_Encode_BeforeData - set up encryption
+ *
+ * it is essential that this is called before the contentEncAlg is encoded, because
+ * setting up the encryption may generate IVs and thus change it!
+ */
+SECStatus
+NSS_CMSEnvelopedData_Encode_BeforeData(NSSCMSEnvelopedData *envd)
+{
+    NSSCMSContentInfo *cinfo;
+    PK11SymKey *bulkkey;
+    SECAlgorithmID *algid;
+
+    cinfo = &(envd->contentInfo);
+
+    /* find bulkkey and algorithm - must have been set by NSS_CMSEnvelopedData_Encode_BeforeStart */
+    bulkkey = NSS_CMSContentInfo_GetBulkKey(cinfo);
+    if (bulkkey == NULL)
+	return SECFailure;
+    algid = NSS_CMSContentInfo_GetContentEncAlg(cinfo);
+    if (algid == NULL)
+	return SECFailure;
+
+    /* this may modify algid (with IVs generated in a token).
+     * it is essential that algid is a pointer to the contentEncAlg data, not a
+     * pointer to a copy! */
+    cinfo->ciphcx = NSS_CMSCipherContext_StartEncrypt(envd->cmsg->poolp, bulkkey, algid);
+    PK11_FreeSymKey(bulkkey);
+    if (cinfo->ciphcx == NULL)
+	return SECFailure;
+
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSEnvelopedData_Encode_AfterData - finalize this envelopedData for encoding
+ */
+SECStatus
+NSS_CMSEnvelopedData_Encode_AfterData(NSSCMSEnvelopedData *envd)
+{
+    if (envd->contentInfo.ciphcx) {
+	NSS_CMSCipherContext_Destroy(envd->contentInfo.ciphcx);
+	envd->contentInfo.ciphcx = NULL;
+    }
+
+    /* nothing else to do after data */
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSEnvelopedData_Decode_BeforeData - find our recipientinfo, 
+ * derive bulk key & set up our contentinfo
+ */
+SECStatus
+NSS_CMSEnvelopedData_Decode_BeforeData(NSSCMSEnvelopedData *envd)
+{
+    NSSCMSRecipientInfo *ri;
+    PK11SymKey *bulkkey = NULL;
+    SECOidTag bulkalgtag;
+    SECAlgorithmID *bulkalg;
+    SECStatus rv = SECFailure;
+    NSSCMSContentInfo *cinfo;
+    NSSCMSRecipient **recipient_list = NULL;
+    NSSCMSRecipient *recipient;
+    int rlIndex;
+
+    if (NSS_CMSArray_Count((void **)envd->recipientInfos) == 0) {
+	PORT_SetError(SEC_ERROR_BAD_DATA);
+#if 0
+	PORT_SetErrorString("No recipient data in envelope.");
+#endif
+	goto loser;
+    }
+
+    /* look if one of OUR cert's issuerSN is on the list of recipients, and if so,  */
+    /* get the cert and private key for it right away */
+    recipient_list = nss_cms_recipient_list_create(envd->recipientInfos);
+    if (recipient_list == NULL)
+	goto loser;
+
+    /* what about multiple recipientInfos that match?
+     * especially if, for some reason, we could not produce a bulk key with the first match?!
+     * we could loop & feed partial recipient_list to PK11_FindCertAndKeyByRecipientList...
+     * maybe later... */
+    rlIndex = PK11_FindCertAndKeyByRecipientListNew(recipient_list, envd->cmsg->pwfn_arg);
+
+    /* if that fails, then we're not an intended recipient and cannot decrypt */
+    if (rlIndex < 0) {
+	PORT_SetError(SEC_ERROR_NOT_A_RECIPIENT);
+#if 0
+	PORT_SetErrorString("Cannot decrypt data because proper key cannot be found.");
+#endif
+	goto loser;
+    }
+
+    recipient = recipient_list[rlIndex];
+    if (!recipient->cert || !recipient->privkey) {
+	/* XXX should set an error code ?!? */
+	goto loser;
+    }
+    /* get a pointer to "our" recipientinfo */
+    ri = envd->recipientInfos[recipient->riIndex];
+
+    cinfo = &(envd->contentInfo);
+    bulkalgtag = NSS_CMSContentInfo_GetContentEncAlgTag(cinfo);
+    bulkkey = NSS_CMSRecipientInfo_UnwrapBulkKey(ri,recipient->subIndex,
+						    recipient->cert,
+						    recipient->privkey,
+						    bulkalgtag);
+    if (bulkkey == NULL) {
+	/* no success finding a bulk key */
+	goto loser;
+    }
+
+    NSS_CMSContentInfo_SetBulkKey(cinfo, bulkkey);
+
+    bulkalg = NSS_CMSContentInfo_GetContentEncAlg(cinfo);
+
+    cinfo->ciphcx = NSS_CMSCipherContext_StartDecrypt(bulkkey, bulkalg);
+    if (cinfo->ciphcx == NULL)
+	goto loser;		/* error has been set by NSS_CMSCipherContext_StartDecrypt */
+
+    /* 
+     * HACK ALERT!!
+     * For PKCS5 Encryption Algorithms, the bulkkey is actually a different
+     * structure.  Therefore, we need to set the bulkkey to the actual key 
+     * prior to freeing it.
+     */
+    if (SEC_PKCS5IsAlgorithmPBEAlg(bulkalg)) {
+	SEC_PKCS5KeyAndPassword *keyPwd = (SEC_PKCS5KeyAndPassword *)bulkkey;
+	bulkkey = keyPwd->key;
+    }
+
+    rv = SECSuccess;
+
+loser:
+    if (bulkkey)
+	PK11_FreeSymKey(bulkkey);
+    if (recipient_list != NULL)
+	nss_cms_recipient_list_destroy(recipient_list);
+    return rv;
+}
+
+/*
+ * NSS_CMSEnvelopedData_Decode_AfterData - finish decrypting this envelopedData's content
+ */
+SECStatus
+NSS_CMSEnvelopedData_Decode_AfterData(NSSCMSEnvelopedData *envd)
+{
+    if (envd->contentInfo.ciphcx) {
+	NSS_CMSCipherContext_Destroy(envd->contentInfo.ciphcx);
+	envd->contentInfo.ciphcx = NULL;
+    }
+
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSEnvelopedData_Decode_AfterEnd - finish decoding this envelopedData
+ */
+SECStatus
+NSS_CMSEnvelopedData_Decode_AfterEnd(NSSCMSEnvelopedData *envd)
+{
+    /* apply final touches */
+    return SECSuccess;
+}
+
diff --git a/security/nss/lib/smime/cmslocal.h b/security/nss/lib/smime/cmslocal.h
new file mode 100644
index 000000000..e7f15c4e1
--- /dev/null
+++ b/security/nss/lib/smime/cmslocal.h
@@ -0,0 +1,330 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Support routines for CMS implementation, none of which are exported.
+ *
+ * Do not export this file!  If something in here is really needed outside
+ * of smime code, first try to add a CMS interface which will do it for
+ * you.  If that has a problem, then just move out what you need, changing
+ * its name as appropriate!
+ *
+ * $Id$
+ */
+
+#ifndef _CMSLOCAL_H_
+#define _CMSLOCAL_H_
+
+#include "cms.h"
+#include "cmsreclist.h"
+#include "secasn1t.h"
+
+extern const SEC_ASN1Template NSSCMSContentInfoTemplate[];
+
+/************************************************************************/
+SEC_BEGIN_PROTOS
+
+/***********************************************************************
+ * cmscipher.c - en/decryption routines
+ ***********************************************************************/
+
+/*
+ * NSS_CMSCipherContext_StartDecrypt - create a cipher context to do decryption
+ * based on the given bulk * encryption key and algorithm identifier (which may include an iv).
+ */
+extern NSSCMSCipherContext *
+NSS_CMSCipherContext_StartDecrypt(PK11SymKey *key, SECAlgorithmID *algid);
+
+/*
+ * NSS_CMSCipherContext_StartEncrypt - create a cipher object to do encryption,
+ * based on the given bulk encryption key and algorithm tag.  Fill in the algorithm
+ * identifier (which may include an iv) appropriately.
+ */
+extern NSSCMSCipherContext *
+NSS_CMSCipherContext_StartEncrypt(PRArenaPool *poolp, PK11SymKey *key, SECAlgorithmID *algid);
+
+extern void
+NSS_CMSCipherContext_Destroy(NSSCMSCipherContext *cc);
+
+/*
+ * NSS_CMSCipherContext_DecryptLength - find the output length of the next call to decrypt.
+ *
+ * cc - the cipher context
+ * input_len - number of bytes used as input
+ * final - true if this is the final chunk of data
+ *
+ * Result can be used to perform memory allocations.  Note that the amount
+ * is exactly accurate only when not doing a block cipher or when final
+ * is false, otherwise it is an upper bound on the amount because until
+ * we see the data we do not know how many padding bytes there are
+ * (always between 1 and bsize).
+ */
+extern unsigned int
+NSS_CMSCipherContext_DecryptLength(NSSCMSCipherContext *cc, unsigned int input_len, PRBool final);
+
+/*
+ * NSS_CMSCipherContext_EncryptLength - find the output length of the next call to encrypt.
+ *
+ * cc - the cipher context
+ * input_len - number of bytes used as input
+ * final - true if this is the final chunk of data
+ *
+ * Result can be used to perform memory allocations.
+ */
+extern unsigned int
+NSS_CMSCipherContext_EncryptLength(NSSCMSCipherContext *cc, unsigned int input_len, PRBool final);
+
+/*
+ * NSS_CMSCipherContext_Decrypt - do the decryption
+ *
+ * cc - the cipher context
+ * output - buffer for decrypted result bytes
+ * output_len_p - number of bytes in output
+ * max_output_len - upper bound on bytes to put into output
+ * input - pointer to input bytes
+ * input_len - number of input bytes
+ * final - true if this is the final chunk of data
+ *
+ * Decrypts a given length of input buffer (starting at "input" and
+ * containing "input_len" bytes), placing the decrypted bytes in
+ * "output" and storing the output length in "*output_len_p".
+ * "cc" is the return value from NSS_CMSCipher_StartDecrypt.
+ * When "final" is true, this is the last of the data to be decrypted.
+ */ 
+extern SECStatus
+NSS_CMSCipherContext_Decrypt(NSSCMSCipherContext *cc, unsigned char *output,
+		  unsigned int *output_len_p, unsigned int max_output_len,
+		  const unsigned char *input, unsigned int input_len,
+		  PRBool final);
+
+/*
+ * NSS_CMSCipherContext_Encrypt - do the encryption
+ *
+ * cc - the cipher context
+ * output - buffer for decrypted result bytes
+ * output_len_p - number of bytes in output
+ * max_output_len - upper bound on bytes to put into output
+ * input - pointer to input bytes
+ * input_len - number of input bytes
+ * final - true if this is the final chunk of data
+ *
+ * Encrypts a given length of input buffer (starting at "input" and
+ * containing "input_len" bytes), placing the encrypted bytes in
+ * "output" and storing the output length in "*output_len_p".
+ * "cc" is the return value from NSS_CMSCipher_StartEncrypt.
+ * When "final" is true, this is the last of the data to be encrypted.
+ */ 
+extern SECStatus
+NSS_CMSCipherContext_Encrypt(NSSCMSCipherContext *cc, unsigned char *output,
+		  unsigned int *output_len_p, unsigned int max_output_len,
+		  const unsigned char *input, unsigned int input_len,
+		  PRBool final);
+
+/************************************************************************
+ * cmspubkey.c - public key operations
+ ************************************************************************/
+
+/*
+ * NSS_CMSUtil_EncryptSymKey_RSA - wrap a symmetric key with RSA
+ *
+ * this function takes a symmetric key and encrypts it using an RSA public key
+ * according to PKCS#1 and RFC2633 (S/MIME)
+ */
+extern SECStatus
+NSS_CMSUtil_EncryptSymKey_RSA(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
+			SECItem *encKey);
+
+/*
+ * NSS_CMSUtil_DecryptSymKey_RSA - unwrap a RSA-wrapped symmetric key
+ *
+ * this function takes an RSA-wrapped symmetric key and unwraps it, returning a symmetric
+ * key handle. Please note that the actual unwrapped key data may not be allowed to leave
+ * a hardware token...
+ */
+extern PK11SymKey *
+NSS_CMSUtil_DecryptSymKey_RSA(SECKEYPrivateKey *privkey, SECItem *encKey, SECOidTag bulkalgtag);
+
+extern SECStatus
+NSS_CMSUtil_EncryptSymKey_MISSI(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
+			SECOidTag symalgtag, SECItem *encKey, SECItem **pparams, void *pwfn_arg);
+
+extern PK11SymKey *
+NSS_CMSUtil_DecryptSymKey_MISSI(SECKEYPrivateKey *privkey, SECItem *encKey,
+			SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg);
+
+extern SECStatus
+NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
+			SECItem *encKey, SECItem **ukm, SECAlgorithmID *keyEncAlg,
+			SECItem *originatorPubKey);
+
+extern PK11SymKey *
+NSS_CMSUtil_DecryptSymKey_ESDH(SECKEYPrivateKey *privkey, SECItem *encKey,
+			SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg);
+
+/************************************************************************
+ * cmsreclist.c - recipient list stuff
+ ************************************************************************/
+extern NSSCMSRecipient **nss_cms_recipient_list_create(NSSCMSRecipientInfo **recipientinfos);
+extern void nss_cms_recipient_list_destroy(NSSCMSRecipient **recipient_list);
+extern NSSCMSRecipientEncryptedKey *NSS_CMSRecipientEncryptedKey_Create(PLArenaPool *poolp);
+
+/************************************************************************
+ * cmsarray.c - misc array functions
+ ************************************************************************/
+/*
+ * NSS_CMSArray_Alloc - allocate an array in an arena
+ */
+extern void **
+NSS_CMSArray_Alloc(PRArenaPool *poolp, int n);
+
+/*
+ * NSS_CMSArray_Add - add an element to the end of an array
+ */
+extern SECStatus
+NSS_CMSArray_Add(PRArenaPool *poolp, void ***array, void *obj);
+
+/*
+ * NSS_CMSArray_IsEmpty - check if array is empty
+ */
+extern PRBool
+NSS_CMSArray_IsEmpty(void **array);
+
+/*
+ * NSS_CMSArray_Count - count number of elements in array
+ */
+extern int
+NSS_CMSArray_Count(void **array);
+
+/*
+ * NSS_CMSArray_Sort - sort an array ascending, in place
+ *
+ * If "secondary" is not NULL, the same reordering gets applied to it.
+ * If "tertiary" is not NULL, the same reordering gets applied to it.
+ * "compare" is a function that returns 
+ *  < 0 when the first element is less than the second
+ *  = 0 when the first element is equal to the second
+ *  > 0 when the first element is greater than the second
+ */
+extern void
+NSS_CMSArray_Sort(void **primary, int (*compare)(void *,void *), void **secondary, void **tertiary);
+
+/************************************************************************
+ * cmsattr.c - misc attribute functions
+ ************************************************************************/
+/*
+ * NSS_CMSAttribute_Create - create an attribute
+ *
+ * if value is NULL, the attribute won't have a value. It can be added later
+ * with NSS_CMSAttribute_AddValue.
+ */
+extern NSSCMSAttribute *
+NSS_CMSAttribute_Create(PRArenaPool *poolp, SECOidTag oidtag, SECItem *value, PRBool encoded);
+
+/*
+ * NSS_CMSAttribute_AddValue - add another value to an attribute
+ */
+extern SECStatus
+NSS_CMSAttribute_AddValue(PLArenaPool *poolp, NSSCMSAttribute *attr, SECItem *value);
+
+/*
+ * NSS_CMSAttribute_GetType - return the OID tag
+ */
+extern SECOidTag
+NSS_CMSAttribute_GetType(NSSCMSAttribute *attr);
+
+/*
+ * NSS_CMSAttribute_GetValue - return the first attribute value
+ *
+ * We do some sanity checking first:
+ * - Multiple values are *not* expected.
+ * - Empty values are *not* expected.
+ */
+extern SECItem *
+NSS_CMSAttribute_GetValue(NSSCMSAttribute *attr);
+
+/*
+ * NSS_CMSAttribute_CompareValue - compare the attribute's first value against data
+ */
+extern PRBool
+NSS_CMSAttribute_CompareValue(NSSCMSAttribute *attr, SECItem *av);
+
+/*
+ * NSS_CMSAttributeArray_Encode - encode an Attribute array as SET OF Attributes
+ *
+ * If you are wondering why this routine does not reorder the attributes
+ * first, and might be tempted to make it do so, see the comment by the
+ * call to ReorderAttributes in cmsencode.c.  (Or, see who else calls this
+ * and think long and hard about the implications of making it always
+ * do the reordering.)
+ */
+extern SECItem *
+NSS_CMSAttributeArray_Encode(PRArenaPool *poolp, NSSCMSAttribute ***attrs, SECItem *dest);
+
+/*
+ * NSS_CMSAttributeArray_Reorder - sort attribute array by attribute's DER encoding
+ *
+ * make sure that the order of the attributes guarantees valid DER (which must be
+ * in lexigraphically ascending order for a SET OF); if reordering is necessary it
+ * will be done in place (in attrs).
+ */
+extern SECStatus
+NSS_CMSAttributeArray_Reorder(NSSCMSAttribute **attrs);
+
+/*
+ * NSS_CMSAttributeArray_FindAttrByOidTag - look through a set of attributes and
+ * find one that matches the specified object ID.
+ *
+ * If "only" is true, then make sure that there is not more than one attribute
+ * of the same type.  Otherwise, just return the first one found. (XXX Does
+ * anybody really want that first-found behavior?  It was like that when I found it...)
+ */
+extern NSSCMSAttribute *
+NSS_CMSAttributeArray_FindAttrByOidTag(NSSCMSAttribute **attrs, SECOidTag oidtag, PRBool only);
+
+/*
+ * NSS_CMSAttributeArray_AddAttr - add an attribute to an
+ * array of attributes. 
+ */
+extern SECStatus
+NSS_CMSAttributeArray_AddAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, NSSCMSAttribute *attr);
+
+/*
+ * NSS_CMSAttributeArray_SetAttr - set an attribute's value in a set of attributes
+ */
+extern SECStatus
+NSS_CMSAttributeArray_SetAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, SECOidTag type, SECItem *value, PRBool encoded);
+
+/************************************************************************/
+SEC_END_PROTOS
+
+#endif /* _CMSLOCAL_H_ */
diff --git a/security/nss/lib/smime/cmsmessage.c b/security/nss/lib/smime/cmsmessage.c
new file mode 100644
index 000000000..21a730e6f
--- /dev/null
+++ b/security/nss/lib/smime/cmsmessage.c
@@ -0,0 +1,315 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * CMS message methods.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "secerr.h"
+
+/*
+ * NSS_CMSMessage_Create - create a CMS message object
+ *
+ * "poolp" - arena to allocate memory from, or NULL if new arena should be created
+ */
+NSSCMSMessage *
+NSS_CMSMessage_Create(PLArenaPool *poolp)
+{
+    void *mark = NULL;
+    NSSCMSMessage *cmsg;
+    PRBool poolp_is_ours = PR_FALSE;
+
+    if (poolp == NULL) {
+	poolp = PORT_NewArena (1024);           /* XXX what is right value? */
+	if (poolp == NULL)
+	    return NULL;
+	poolp_is_ours = PR_TRUE;
+    } 
+
+    if (!poolp_is_ours)
+	mark = PORT_ArenaMark(poolp);
+
+    cmsg = (NSSCMSMessage *)PORT_ArenaZAlloc (poolp, sizeof(NSSCMSMessage));
+    if (cmsg == NULL) {
+	if (!poolp_is_ours) {
+	    if (mark) {
+		PORT_ArenaRelease(poolp, mark);
+	    }
+	} else
+	    PORT_FreeArena(poolp, PR_FALSE);
+	return NULL;
+    }
+
+    cmsg->poolp = poolp;
+    cmsg->poolp_is_ours = poolp_is_ours;
+    cmsg->refCount = 1;
+
+    if (mark)
+	PORT_ArenaUnmark(poolp, mark);
+
+    return cmsg;
+}
+
+/*
+ * NSS_CMSMessage_SetEncodingParams - set up a CMS message object for encoding or decoding
+ *
+ * "cmsg" - message object
+ * "pwfn", pwfn_arg" - callback function for getting token password
+ * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
+ * "detached_digestalgs", "detached_digests" - digests from detached content
+ */
+void
+NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg,
+			PK11PasswordFunc pwfn, void *pwfn_arg,
+			NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,
+			SECAlgorithmID **detached_digestalgs, SECItem **detached_digests)
+{
+    if (pwfn)
+	PK11_SetPasswordFunc(pwfn);
+    cmsg->pwfn_arg = pwfn_arg;
+    cmsg->decrypt_key_cb = decrypt_key_cb;
+    cmsg->decrypt_key_cb_arg = decrypt_key_cb_arg;
+    cmsg->detached_digestalgs = detached_digestalgs;
+    cmsg->detached_digests = detached_digests;
+}
+
+/*
+ * NSS_CMSMessage_Destroy - destroy a CMS message and all of its sub-pieces.
+ */
+void
+NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg)
+{
+    PORT_Assert (cmsg->refCount > 0);
+    if (cmsg->refCount <= 0)	/* oops */
+	return;
+
+    cmsg->refCount--;		/* thread safety? */
+    if (cmsg->refCount > 0)
+	return;
+
+    NSS_CMSContentInfo_Destroy(&(cmsg->contentInfo));
+
+    /* if poolp is not NULL, cmsg is the owner of its arena */
+    if (cmsg->poolp_is_ours)
+	PORT_FreeArena (cmsg->poolp, PR_FALSE);	/* XXX clear it? */
+}
+
+/*
+ * NSS_CMSMessage_Copy - return a copy of the given message. 
+ *
+ * The copy may be virtual or may be real -- either way, the result needs
+ * to be passed to NSS_CMSMessage_Destroy later (as does the original).
+ */
+NSSCMSMessage *
+NSS_CMSMessage_Copy(NSSCMSMessage *cmsg)
+{
+    if (cmsg == NULL)
+	return NULL;
+
+    PORT_Assert (cmsg->refCount > 0);
+
+    cmsg->refCount++; /* XXX chrisk thread safety? */
+    return cmsg;
+}
+
+/*
+ * NSS_CMSMessage_GetArena - return a pointer to the message's arena pool
+ */
+PLArenaPool *
+NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg)
+{
+    return cmsg->poolp;
+}
+
+/*
+ * NSS_CMSMessage_GetContentInfo - return a pointer to the top level contentInfo
+ */
+NSSCMSContentInfo *
+NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg)
+{
+    return &(cmsg->contentInfo);
+}
+
+/*
+ * Return a pointer to the actual content. 
+ * In the case of those types which are encrypted, this returns the *plain* content.
+ * In case of nested contentInfos, this descends and retrieves the innermost content.
+ */
+SECItem *
+NSS_CMSMessage_GetContent(NSSCMSMessage *cmsg)
+{
+    /* this is a shortcut */
+    return NSS_CMSContentInfo_GetInnerContent(NSS_CMSMessage_GetContentInfo(cmsg));
+}
+
+/*
+ * NSS_CMSMessage_ContentLevelCount - count number of levels of CMS content objects in this message
+ *
+ * CMS data content objects do not count.
+ */
+int
+NSS_CMSMessage_ContentLevelCount(NSSCMSMessage *cmsg)
+{
+    int count = 0;
+    NSSCMSContentInfo *cinfo;
+
+    /* walk down the chain of contentinfos */
+    for (cinfo = &(cmsg->contentInfo); cinfo != NULL; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
+	count++;
+    }
+    return count;
+}
+
+/*
+ * NSS_CMSMessage_ContentLevel - find content level #n
+ *
+ * CMS data content objects do not count.
+ */
+NSSCMSContentInfo *
+NSS_CMSMessage_ContentLevel(NSSCMSMessage *cmsg, int n)
+{
+    int count = 0;
+    NSSCMSContentInfo *cinfo;
+
+    /* walk down the chain of contentinfos */
+    for (cinfo = &(cmsg->contentInfo); cinfo != NULL && count < n; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
+	count++;
+    }
+
+    return cinfo;
+}
+
+/*
+ * NSS_CMSMessage_ContainsCertsOrCrls - see if message contains certs along the way
+ */
+PRBool
+NSS_CMSMessage_ContainsCertsOrCrls(NSSCMSMessage *cmsg)
+{
+    NSSCMSContentInfo *cinfo;
+
+    /* descend into CMS message */
+    for (cinfo = &(cmsg->contentInfo); cinfo != NULL; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
+	if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
+	    continue;	/* next level */
+	
+	if (NSS_CMSSignedData_ContainsCertsOrCrls(cinfo->content.signedData))
+	    return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+/*
+ * NSS_CMSMessage_IsEncrypted - see if message contains a encrypted submessage
+ */
+PRBool
+NSS_CMSMessage_IsEncrypted(NSSCMSMessage *cmsg)
+{
+    NSSCMSContentInfo *cinfo;
+
+    /* walk down the chain of contentinfos */
+    for (cinfo = &(cmsg->contentInfo); cinfo != NULL; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo))
+    {
+	switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
+	case SEC_OID_PKCS7_ENVELOPED_DATA:
+	case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	    return PR_TRUE;
+	default:
+	    break;
+	}
+    }
+    return PR_FALSE;
+}
+
+/*
+ * NSS_CMSMessage_IsSigned - see if message contains a signed submessage
+ *
+ * If the CMS message has a SignedData with a signature (not just a SignedData)
+ * return true; false otherwise.  This can/should be called before calling
+ * VerifySignature, which will always indicate failure if no signature is
+ * present, but that does not mean there even was a signature!
+ * Note that the content itself can be empty (detached content was sent
+ * another way); it is the presence of the signature that matters.
+ */
+PRBool
+NSS_CMSMessage_IsSigned(NSSCMSMessage *cmsg)
+{
+    NSSCMSContentInfo *cinfo;
+
+    /* walk down the chain of contentinfos */
+    for (cinfo = &(cmsg->contentInfo); cinfo != NULL; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo))
+    {
+	switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
+	case SEC_OID_PKCS7_SIGNED_DATA:
+	    if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos))
+		return PR_TRUE;
+	    break;
+	default:
+	    break;
+	}
+    }
+    return PR_FALSE;
+}
+
+/*
+ * NSS_CMSMessage_IsContentEmpty - see if content is empty
+ *
+ * returns PR_TRUE is innermost content length is < minLen
+ * XXX need the encrypted content length (why?)
+ */
+PRBool
+NSS_CMSMessage_IsContentEmpty(NSSCMSMessage *cmsg, unsigned int minLen)
+{
+    SECItem *item = NULL;
+
+    if (cmsg == NULL)
+	return PR_TRUE;
+
+    item = NSS_CMSContentInfo_GetContent(NSS_CMSMessage_GetContentInfo(cmsg));
+
+    if (!item) {
+	return PR_TRUE;
+    } else if(item->len <= minLen) {
+	return PR_TRUE;
+    }
+
+    return PR_FALSE;
+}
diff --git a/security/nss/lib/smime/cmspubkey.c b/security/nss/lib/smime/cmspubkey.c
new file mode 100644
index 000000000..3e06da556
--- /dev/null
+++ b/security/nss/lib/smime/cmspubkey.c
@@ -0,0 +1,542 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * CMS public key crypto
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+#include "key.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "secerr.h"
+
+/* ====== RSA ======================================================================= */
+
+/*
+ * NSS_CMSUtil_EncryptSymKey_RSA - wrap a symmetric key with RSA
+ *
+ * this function takes a symmetric key and encrypts it using an RSA public key
+ * according to PKCS#1 and RFC2633 (S/MIME)
+ */
+SECStatus
+NSS_CMSUtil_EncryptSymKey_RSA(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *bulkkey,
+			SECItem *encKey)
+{
+    SECOidTag certalgtag;	/* the certificate's encryption algorithm */
+    SECOidTag encalgtag;	/* the algorithm used for key exchange/agreement */
+    SECStatus rv;
+    SECKEYPublicKey *publickey;
+    int data_len;
+    void *mark = NULL;
+
+    /* sanity check */
+    certalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
+    PORT_Assert(certalgtag == SEC_OID_PKCS1_RSA_ENCRYPTION);
+
+    encalgtag = SEC_OID_PKCS1_RSA_ENCRYPTION;
+    publickey = CERT_ExtractPublicKey(cert);
+    if (publickey == NULL)
+	goto loser;
+	
+    mark = PORT_ArenaMark(poolp);
+    if (!mark)
+	goto loser;
+
+    /* allocate memory for the encrypted key */
+    data_len = SECKEY_PublicKeyStrength(publickey);	/* block size (assumed to be > keylen) */
+    encKey->data = (unsigned char*)PORT_ArenaAlloc(poolp, data_len);
+    encKey->len = data_len;
+    if (encKey->data == NULL)
+	goto loser;
+
+    /* encrypt the key now */
+    rv = PK11_PubWrapSymKey(PK11_AlgtagToMechanism(SEC_OID_PKCS1_RSA_ENCRYPTION),
+				publickey, bulkkey, encKey);
+
+    SECKEY_DestroyPublicKey(publickey);
+    if (rv != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+
+loser:
+    if (mark) {
+	PORT_ArenaRelease(poolp, mark);
+    }
+    return SECFailure;
+}
+
+/*
+ * NSS_CMSUtil_DecryptSymKey_RSA - unwrap a RSA-wrapped symmetric key
+ *
+ * this function takes an RSA-wrapped symmetric key and unwraps it, returning a symmetric
+ * key handle. Please note that the actual unwrapped key data may not be allowed to leave
+ * a hardware token...
+ */
+PK11SymKey *
+NSS_CMSUtil_DecryptSymKey_RSA(SECKEYPrivateKey *privkey, SECItem *encKey, SECOidTag bulkalgtag)
+{
+    /* that's easy */
+    return PK11_PubUnwrapSymKey(privkey, encKey, PK11_AlgtagToMechanism(bulkalgtag), CKA_DECRYPT, 0);
+}
+
+/* ====== MISSI (Fortezza) ========================================================== */
+
+extern const SEC_ASN1Template NSS_SMIMEKEAParamTemplateAllParams[];
+
+SECStatus
+NSS_CMSUtil_EncryptSymKey_MISSI(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *bulkkey,
+			SECOidTag symalgtag, SECItem *encKey, SECItem **pparams, void *pwfn_arg)
+{
+    SECOidTag certalgtag;	/* the certificate's encryption algorithm */
+    SECOidTag encalgtag;	/* the algorithm used for key exchange/agreement */
+    SECStatus rv = SECFailure;
+    SECItem *params = NULL;
+    SECStatus err;
+    PK11SymKey *tek;
+    CERTCertificate *ourCert;
+    SECKEYPublicKey *ourPubKey, *publickey = NULL;
+    SECKEYPrivateKey *ourPrivKey = NULL;
+    NSSCMSKEATemplateSelector whichKEA = NSSCMSKEAInvalid;
+    NSSCMSSMIMEKEAParameters keaParams;
+    PLArenaPool *arena = NULL;
+    extern const SEC_ASN1Template *nss_cms_get_kea_template(NSSCMSKEATemplateSelector whichTemplate);
+
+    /* Clear keaParams, since cleanup code checks the lengths */
+    (void) memset(&keaParams, 0, sizeof(keaParams));
+
+    certalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
+    PORT_Assert(certalgtag == SEC_OID_MISSI_KEA_DSS_OLD ||
+		certalgtag == SEC_OID_MISSI_KEA_DSS ||
+		certalgtag == SEC_OID_MISSI_KEA);
+
+#define SMIME_FORTEZZA_RA_LENGTH 128
+#define SMIME_FORTEZZA_IV_LENGTH 24
+#define SMIME_FORTEZZA_MAX_KEY_SIZE 256
+
+    /* We really want to show our KEA tag as the key exchange algorithm tag. */
+    encalgtag = SEC_OID_NETSCAPE_SMIME_KEA;
+
+    /* Get the public key of the recipient. */
+    publickey = CERT_ExtractPublicKey(cert);
+    if (publickey == NULL) goto loser;
+
+    /* Find our own cert, and extract its keys. */
+    ourCert = PK11_FindBestKEAMatch(cert, pwfn_arg);
+    if (ourCert == NULL) goto loser;
+
+    arena = PORT_NewArena(1024);
+    if (arena == NULL)
+	goto loser;
+
+    ourPubKey = CERT_ExtractPublicKey(ourCert);
+    if (ourPubKey == NULL) {
+	CERT_DestroyCertificate(ourCert);
+	goto loser;
+    }
+
+    /* While we're here, copy the public key into the outgoing
+     * KEA parameters. */
+    SECITEM_CopyItem(arena, &(keaParams.originatorKEAKey), &(ourPubKey->u.fortezza.KEAKey));
+    SECKEY_DestroyPublicKey(ourPubKey);
+    ourPubKey = NULL;
+
+    /* Extract our private key in order to derive the KEA key. */
+    ourPrivKey = PK11_FindKeyByAnyCert(ourCert, pwfn_arg);
+    CERT_DestroyCertificate(ourCert); /* we're done with this */
+    if (!ourPrivKey)
+	goto loser;
+
+    /* Prepare raItem with 128 bytes (filled with zeros). */
+    keaParams.originatorRA.data = (unsigned char *)PORT_ArenaAlloc(arena,SMIME_FORTEZZA_RA_LENGTH);
+    keaParams.originatorRA.len = SMIME_FORTEZZA_RA_LENGTH;
+
+    /* Generate the TEK (token exchange key) which we use
+     * to wrap the bulk encryption key. (keaparams.originatorRA) will be
+     * filled with a random seed which we need to send to
+     * the recipient. (user keying material in RFC2630/DSA speak) */
+    tek = PK11_PubDerive(ourPrivKey, publickey, PR_TRUE,
+			 &keaParams.originatorRA, NULL,
+			 CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
+			 CKA_WRAP, 0,  pwfn_arg);
+
+    SECKEY_DestroyPublicKey(publickey);
+    SECKEY_DestroyPrivateKey(ourPrivKey);
+    publickey = NULL;
+    ourPrivKey = NULL;
+    
+    if (!tek)
+	goto loser;
+
+    /* allocate space for the wrapped key data */
+    encKey->data = (unsigned char *)PORT_ArenaAlloc(poolp, SMIME_FORTEZZA_MAX_KEY_SIZE);
+    encKey->len = SMIME_FORTEZZA_MAX_KEY_SIZE;
+
+    if (encKey->data == NULL) {
+	PK11_FreeSymKey(tek);
+	goto loser;
+    }
+
+    /* Wrap the bulk key. What we do with the resulting data
+       depends on whether we're using Skipjack to wrap the key. */
+    switch (PK11_AlgtagToMechanism(symalgtag)) {
+    case CKM_SKIPJACK_CBC64:
+    case CKM_SKIPJACK_ECB64:
+    case CKM_SKIPJACK_OFB64:
+    case CKM_SKIPJACK_CFB64:
+    case CKM_SKIPJACK_CFB32:
+    case CKM_SKIPJACK_CFB16:
+    case CKM_SKIPJACK_CFB8:
+	/* SKIPJACK, we use the wrap mechanism because we can do it on the hardware */
+	err = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, tek, bulkkey, encKey);
+	whichKEA = NSSCMSKEAUsesSkipjack;
+	break;
+    default:
+	/* Not SKIPJACK, we encrypt the raw key data */
+	keaParams.nonSkipjackIV.data = 
+	  (unsigned char *)PORT_ArenaAlloc(arena, SMIME_FORTEZZA_IV_LENGTH);
+	keaParams.nonSkipjackIV.len = SMIME_FORTEZZA_IV_LENGTH;
+	err = PK11_WrapSymKey(CKM_SKIPJACK_CBC64, &keaParams.nonSkipjackIV, tek, bulkkey, encKey);
+	if (err != SECSuccess)
+	    goto loser;
+
+	if (encKey->len != PK11_GetKeyLength(bulkkey)) {
+	    /* The size of the encrypted key is not the same as
+	       that of the original bulk key, presumably due to
+	       padding. Encode and store the real size of the
+	       bulk key. */
+	    if (SEC_ASN1EncodeInteger(arena, &keaParams.bulkKeySize, PK11_GetKeyLength(bulkkey)) == NULL)
+		err = (SECStatus)PORT_GetError();
+	    else
+		/* use full template for encoding */
+		whichKEA = NSSCMSKEAUsesNonSkipjackWithPaddedEncKey;
+	}
+	else
+	    /* enc key length == bulk key length */
+	    whichKEA = NSSCMSKEAUsesNonSkipjack; 
+	break;
+    }
+
+    PK11_FreeSymKey(tek);
+
+    if (err != SECSuccess)
+	goto loser;
+
+    PORT_Assert(whichKEA != NSSCMSKEAInvalid);
+
+    /* Encode the KEA parameters into the recipient info. */
+    params = SEC_ASN1EncodeItem(poolp, NULL, &keaParams, nss_cms_get_kea_template(whichKEA));
+    if (params == NULL)
+	goto loser;
+
+    /* pass back the algorithm params */
+    *pparams = params;
+
+    rv = SECSuccess;
+
+loser:
+    if (arena)
+	PORT_FreeArena(arena, PR_FALSE);
+    if (publickey)
+        SECKEY_DestroyPublicKey(publickey);
+    if (ourPrivKey)
+        SECKEY_DestroyPrivateKey(ourPrivKey);
+    return rv;
+}
+
+PK11SymKey *
+NSS_CMSUtil_DecryptSymKey_MISSI(SECKEYPrivateKey *privkey, SECItem *encKey, SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg)
+{
+    /* fortezza: do a key exchange */
+    SECStatus err;
+    CK_MECHANISM_TYPE bulkType;
+    PK11SymKey *tek;
+    SECKEYPublicKey *originatorPubKey;
+    NSSCMSSMIMEKEAParameters keaParams;
+    PK11SymKey *bulkkey;
+    int bulkLength;
+
+    (void) memset(&keaParams, 0, sizeof(keaParams));
+
+    /* NOTE: this uses the SMIME v2 recipientinfo for compatibility.
+       All additional KEA parameters are DER-encoded in the encryption algorithm parameters */
+
+    /* Decode the KEA algorithm parameters. */
+    err = SEC_ASN1DecodeItem(NULL, &keaParams, NSS_SMIMEKEAParamTemplateAllParams,
+			     &(keyEncAlg->parameters));
+    if (err != SECSuccess)
+	goto loser;
+
+    /* get originator's public key */
+   originatorPubKey = PK11_MakeKEAPubKey(keaParams.originatorKEAKey.data,
+			   keaParams.originatorKEAKey.len);
+   if (originatorPubKey == NULL)
+	  goto loser;
+    
+   /* Generate the TEK (token exchange key) which we use to unwrap the bulk encryption key.
+      The Derive function generates a shared secret and combines it with the originatorRA
+      data to come up with an unique session key */
+   tek = PK11_PubDerive(privkey, originatorPubKey, PR_FALSE,
+			 &keaParams.originatorRA, NULL,
+			 CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
+			 CKA_WRAP, 0, pwfn_arg);
+   SECKEY_DestroyPublicKey(originatorPubKey);	/* not needed anymore */
+   if (tek == NULL)
+	goto loser;
+    
+    /* Now that we have the TEK, unwrap the bulk key
+       with which to decrypt the message. We have to
+       do one of two different things depending on 
+       whether Skipjack was used for *bulk* encryption 
+       of the message. */
+    bulkType = PK11_AlgtagToMechanism(bulkalgtag);
+    switch (bulkType) {
+    case CKM_SKIPJACK_CBC64:
+    case CKM_SKIPJACK_ECB64:
+    case CKM_SKIPJACK_OFB64:
+    case CKM_SKIPJACK_CFB64:
+    case CKM_SKIPJACK_CFB32:
+    case CKM_SKIPJACK_CFB16:
+    case CKM_SKIPJACK_CFB8:
+	/* Skipjack is being used as the bulk encryption algorithm.*/
+	/* Unwrap the bulk key. */
+	bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL,
+				    encKey, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0);
+	break;
+    default:
+	/* Skipjack was not used for bulk encryption of this
+	   message. Use Skipjack CBC64, with the nonSkipjackIV
+	   part of the KEA key parameters, to decrypt 
+	   the bulk key. If the optional parameter bulkKeySize is present,
+	   bulk key size is different than the encrypted key size */
+	if (keaParams.bulkKeySize.len > 0) {
+	    err = SEC_ASN1DecodeItem(NULL, &bulkLength,
+				     SEC_ASN1_GET(SEC_IntegerTemplate),
+				     &keaParams.bulkKeySize);
+	    if (err != SECSuccess)
+		goto loser;
+	}
+	
+	bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_CBC64, &keaParams.nonSkipjackIV, 
+				    encKey, bulkType, CKA_DECRYPT, bulkLength);
+	break;
+    }
+    return bulkkey;
+loser:
+    return NULL;
+}
+
+/* ====== ESDH (Ephemeral-Static Diffie-Hellman) ==================================== */
+
+SECStatus
+NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
+			SECItem *encKey, SECItem **ukm, SECAlgorithmID *keyEncAlg,
+			SECItem *pubKey)
+{
+#if 0 /* not yet done */
+    SECOidTag certalgtag;	/* the certificate's encryption algorithm */
+    SECOidTag encalgtag;	/* the algorithm used for key exchange/agreement */
+    SECStatus rv;
+    SECItem *params = NULL;
+    int data_len;
+    SECStatus err;
+    PK11SymKey *tek;
+    CERTCertificate *ourCert;
+    SECKEYPublicKey *ourPubKey;
+    NSSCMSKEATemplateSelector whichKEA = NSSCMSKEAInvalid;
+
+    certalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
+    PORT_Assert(certalgtag == SEC_OID_X942_DIFFIE_HELMAN_KEY);
+
+    /* We really want to show our KEA tag as the key exchange algorithm tag. */
+    encalgtag = SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN;
+
+    /* Get the public key of the recipient. */
+    publickey = CERT_ExtractPublicKey(cert);
+    if (publickey == NULL) goto loser;
+
+    /* XXXX generate a DH key pair on a PKCS11 module (XXX which parameters?) */
+    /* XXXX */ourCert = PK11_FindBestKEAMatch(cert, wincx);
+    if (ourCert == NULL) goto loser;
+
+    arena = PORT_NewArena(1024);
+    if (arena == NULL) goto loser;
+
+    /* While we're here, extract the key pair's public key data and copy it into */
+    /* the outgoing parameters. */
+    /* XXXX */ourPubKey = CERT_ExtractPublicKey(ourCert);
+    if (ourPubKey == NULL)
+    {
+	goto loser;
+    }
+    SECITEM_CopyItem(arena, pubKey, /* XXX */&(ourPubKey->u.fortezza.KEAKey));
+    SECKEY_DestroyPublicKey(ourPubKey); /* we only need the private key from now on */
+    ourPubKey = NULL;
+
+    /* Extract our private key in order to derive the KEA key. */
+    ourPrivKey = PK11_FindKeyByAnyCert(ourCert,wincx);
+    CERT_DestroyCertificate(ourCert); /* we're done with this */
+    if (!ourPrivKey) goto loser;
+
+    /* If ukm desired, prepare it - allocate enough space (filled with zeros). */
+    if (ukm) {
+	ukm->data = (unsigned char*)PORT_ArenaZAlloc(arena,/* XXXX */);
+	ukm->len = /* XXXX */;
+    }
+
+    /* Generate the KEK (key exchange key) according to RFC2631 which we use
+     * to wrap the bulk encryption key. */
+    kek = PK11_PubDerive(ourPrivKey, publickey, PR_TRUE,
+			 ukm, NULL,
+			 /* XXXX */CKM_KEA_KEY_DERIVE, /* XXXX */CKM_SKIPJACK_WRAP,
+			 CKA_WRAP, 0, wincx);
+
+    SECKEY_DestroyPublicKey(publickey);
+    SECKEY_DestroyPrivateKey(ourPrivKey);
+    publickey = NULL;
+    ourPrivKey = NULL;
+    
+    if (!kek)
+	goto loser;
+
+    /* allocate space for the encrypted CEK (bulk key) */
+    encKey->data = (unsigned char*)PORT_ArenaAlloc(poolp, SMIME_FORTEZZA_MAX_KEY_SIZE);
+    encKey->len = SMIME_FORTEZZA_MAX_KEY_SIZE;
+
+    if (encKey->data == NULL)
+    {
+	PK11_FreeSymKey(kek);
+	goto loser;
+    }
+
+
+    /* Wrap the bulk key using CMSRC2WRAP or CMS3DESWRAP, depending on the */
+    /* bulk encryption algorithm */
+    switch (/* XXXX */PK11_AlgtagToMechanism(enccinfo->encalg))
+    {
+    case /* XXXX */CKM_SKIPJACK_CFB8:
+	err = PK11_WrapSymKey(/* XXXX */CKM_CMS3DES_WRAP, NULL, kek, bulkkey, encKey);
+	whichKEA = NSSCMSKEAUsesSkipjack;
+	break;
+    case /* XXXX */CKM_SKIPJACK_CFB8:
+	err = PK11_WrapSymKey(/* XXXX */CKM_CMSRC2_WRAP, NULL, kek, bulkkey, encKey);
+	whichKEA = NSSCMSKEAUsesSkipjack;
+	break;
+    default:
+	/* XXXX what do we do here? Neither RC2 nor 3DES... */
+        err = SECFailure;
+        /* set error */
+	break;
+    }
+
+    PK11_FreeSymKey(kek);	/* we do not need the KEK anymore */
+    if (err != SECSuccess)
+	goto loser;
+
+    PORT_Assert(whichKEA != NSSCMSKEAInvalid);
+
+    /* see RFC2630 12.3.1.1 "keyEncryptionAlgorithm must be ..." */
+    /* params is the DER encoded key wrap algorithm (with parameters!) (XXX) */
+    params = SEC_ASN1EncodeItem(arena, NULL, &keaParams, sec_pkcs7_get_kea_template(whichKEA));
+    if (params == NULL)
+	goto loser;
+
+    /* now set keyEncAlg */
+    rv = SECOID_SetAlgorithmID(poolp, keyEncAlg, SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN, params);
+    if (rv != SECSuccess)
+	goto loser;
+
+    /* XXXXXXX this is not right yet */
+loser:
+    if (arena) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    if (publickey) {
+        SECKEY_DestroyPublicKey(publickey);
+    }
+    if (ourPrivKey) {
+        SECKEY_DestroyPrivateKey(ourPrivKey);
+    }
+#endif
+    return SECFailure;
+}
+
+PK11SymKey *
+NSS_CMSUtil_DecryptSymKey_ESDH(SECKEYPrivateKey *privkey, SECItem *encKey, SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg)
+{
+#if 0 /* not yet done */
+    SECStatus err;
+    CK_MECHANISM_TYPE bulkType;
+    PK11SymKey *tek;
+    SECKEYPublicKey *originatorPubKey;
+    NSSCMSSMIMEKEAParameters keaParams;
+
+   /* XXXX get originator's public key */
+   originatorPubKey = PK11_MakeKEAPubKey(keaParams.originatorKEAKey.data,
+			   keaParams.originatorKEAKey.len);
+   if (originatorPubKey == NULL)
+      goto loser;
+    
+   /* Generate the TEK (token exchange key) which we use to unwrap the bulk encryption key.
+      The Derive function generates a shared secret and combines it with the originatorRA
+      data to come up with an unique session key */
+   tek = PK11_PubDerive(privkey, originatorPubKey, PR_FALSE,
+			 &keaParams.originatorRA, NULL,
+			 CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
+			 CKA_WRAP, 0, pwfn_arg);
+   SECKEY_DestroyPublicKey(originatorPubKey);	/* not needed anymore */
+   if (tek == NULL)
+	goto loser;
+    
+    /* Now that we have the TEK, unwrap the bulk key
+       with which to decrypt the message. */
+    /* Skipjack is being used as the bulk encryption algorithm.*/
+    /* Unwrap the bulk key. */
+    bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL,
+				encKey, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0);
+
+    return bulkkey;
+
+loser:
+#endif
+    return NULL;
+}
+
diff --git a/security/nss/lib/smime/cmsrecinfo.c b/security/nss/lib/smime/cmsrecinfo.c
new file mode 100644
index 000000000..dfe05a07a
--- /dev/null
+++ b/security/nss/lib/smime/cmsrecinfo.c
@@ -0,0 +1,428 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * CMS recipientInfo methods.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+#include "key.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "secerr.h"
+
+/*
+ * NSS_CMSRecipientInfo_Create - create a recipientinfo
+ *
+ * we currently do not create KeyAgreement recipientinfos with multiple recipientEncryptedKeys
+ * the certificate is supposed to have been verified by the caller
+ */
+NSSCMSRecipientInfo *
+NSS_CMSRecipientInfo_Create(NSSCMSMessage *cmsg, CERTCertificate *cert)
+{
+    NSSCMSRecipientInfo *ri;
+    void *mark;
+    SECOidTag certalgtag;
+    SECStatus rv = SECSuccess;
+    NSSCMSRecipientEncryptedKey *rek;
+    NSSCMSOriginatorIdentifierOrKey *oiok;
+    unsigned long version;
+    SECItem *dummy;
+    PLArenaPool *poolp;
+
+    poolp = cmsg->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+
+    ri = (NSSCMSRecipientInfo *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSRecipientInfo));
+    if (ri == NULL)
+	goto loser;
+
+    ri->cmsg = cmsg;
+    ri->cert = CERT_DupCertificate(cert);
+    if (ri->cert == NULL)
+	goto loser;
+
+    certalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
+
+    switch (certalgtag) {
+    case SEC_OID_PKCS1_RSA_ENCRYPTION:
+	ri->recipientInfoType = NSSCMSRecipientInfoID_KeyTrans;
+	/* hardcoded issuerSN choice for now */
+	ri->ri.keyTransRecipientInfo.recipientIdentifier.identifierType = NSSCMSRecipientID_IssuerSN;
+	ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert);
+	if (ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN == NULL) {
+	    rv = SECFailure;
+	    break;
+	}
+	break;
+    case SEC_OID_MISSI_KEA_DSS_OLD:
+    case SEC_OID_MISSI_KEA_DSS:
+    case SEC_OID_MISSI_KEA:
+	/* backward compatibility - this is not really a keytrans operation */
+	ri->recipientInfoType = NSSCMSRecipientInfoID_KeyTrans;
+	/* hardcoded issuerSN choice for now */
+	ri->ri.keyTransRecipientInfo.recipientIdentifier.identifierType = NSSCMSRecipientID_IssuerSN;
+	ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert);
+	if (ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN == NULL) {
+	    rv = SECFailure;
+	    break;
+	}
+	break;
+    case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */
+	/* a key agreement op */
+	ri->recipientInfoType = NSSCMSRecipientInfoID_KeyAgree;
+
+	if (ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN == NULL) {
+	    rv = SECFailure;
+	    break;
+	}
+	/* we do not support the case where multiple recipients 
+	 * share the same KeyAgreeRecipientInfo and have multiple RecipientEncryptedKeys
+	 * in this case, we would need to walk all the recipientInfos, take the
+	 * ones that do KeyAgreement algorithms and join them, algorithm by algorithm
+	 * Then, we'd generate ONE ukm and OriginatorIdentifierOrKey */
+
+	/* only epheremal-static Diffie-Hellman is supported for now
+	 * this is the only form of key agreement that provides potential anonymity
+	 * of the sender, plus we do not have to include certs in the message */
+
+	/* force single recipientEncryptedKey for now */
+	if ((rek = NSS_CMSRecipientEncryptedKey_Create(poolp)) == NULL) {
+	    rv = SECFailure;
+	    break;
+	}
+
+	/* hardcoded IssuerSN choice for now */
+	rek->recipientIdentifier.identifierType = NSSCMSKeyAgreeRecipientID_IssuerSN;
+	if ((rek->recipientIdentifier.id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert)) == NULL) {
+	    rv = SECFailure;
+	    break;
+	}
+
+	oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey);
+
+	/* see RFC2630 12.3.1.1 */
+	oiok->identifierType = NSSCMSOriginatorIDOrKey_OriginatorPublicKey;
+
+	rv = NSS_CMSArray_Add(poolp, (void ***)&ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys,
+				    (void *)rek);
+
+	break;
+    default:
+	/* other algorithms not supported yet */
+	/* NOTE that we do not support any KEK algorithm */
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	rv = SECFailure;
+	break;
+    }
+
+    if (rv == SECFailure)
+	goto loser;
+
+    /* set version */
+    switch (ri->recipientInfoType) {
+    case NSSCMSRecipientInfoID_KeyTrans:
+	if (ri->ri.keyTransRecipientInfo.recipientIdentifier.identifierType == NSSCMSRecipientID_IssuerSN)
+	    version = NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN;
+	else
+	    version = NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY;
+	dummy = SEC_ASN1EncodeInteger(poolp, &(ri->ri.keyTransRecipientInfo.version), version);
+	if (dummy == NULL)
+	    goto loser;
+	break;
+    case NSSCMSRecipientInfoID_KeyAgree:
+	dummy = SEC_ASN1EncodeInteger(poolp, &(ri->ri.keyAgreeRecipientInfo.version),
+						NSS_CMS_KEYAGREE_RECIPIENT_INFO_VERSION);
+	if (dummy == NULL)
+	    goto loser;
+	break;
+    case NSSCMSRecipientInfoID_KEK:
+	/* NOTE: this cannot happen as long as we do not support any KEK algorithm */
+	dummy = SEC_ASN1EncodeInteger(poolp, &(ri->ri.kekRecipientInfo.version),
+						NSS_CMS_KEK_RECIPIENT_INFO_VERSION);
+	if (dummy == NULL)
+	    goto loser;
+	break;
+    
+    }
+
+    PORT_ArenaUnmark (poolp, mark);
+    return ri;
+
+loser:
+    PORT_ArenaRelease (poolp, mark);
+    return NULL;
+}
+
+void
+NSS_CMSRecipientInfo_Destroy(NSSCMSRecipientInfo *ri)
+{
+    /* version was allocated on the pool, so no need to destroy it */
+    /* issuerAndSN was allocated on the pool, so no need to destroy it */
+    if (ri->cert != NULL)
+	CERT_DestroyCertificate(ri->cert);
+    /* recipientInfo structure itself was allocated on the pool, so no need to destroy it */
+    /* we're done. */
+}
+
+int
+NSS_CMSRecipientInfo_GetVersion(NSSCMSRecipientInfo *ri)
+{
+    unsigned long version;
+    SECItem *versionitem = NULL;
+
+    switch (ri->recipientInfoType) {
+    case NSSCMSRecipientInfoID_KeyTrans:
+	/* ignore subIndex */
+	versionitem = &(ri->ri.keyTransRecipientInfo.version);
+	break;
+    case NSSCMSRecipientInfoID_KEK:
+	/* ignore subIndex */
+	versionitem = &(ri->ri.kekRecipientInfo.version);
+	break;
+    case NSSCMSRecipientInfoID_KeyAgree:
+	versionitem = &(ri->ri.keyAgreeRecipientInfo.version);
+	break;
+    }
+
+    PORT_Assert(versionitem);
+    if (versionitem == NULL) 
+	return 0;
+
+    /* always take apart the SECItem */
+    if (SEC_ASN1DecodeInteger(versionitem, &version) != SECSuccess)
+	return 0;
+    else
+	return (int)version;
+}
+
+SECItem *
+NSS_CMSRecipientInfo_GetEncryptedKey(NSSCMSRecipientInfo *ri, int subIndex)
+{
+    SECItem *enckey = NULL;
+
+    switch (ri->recipientInfoType) {
+    case NSSCMSRecipientInfoID_KeyTrans:
+	/* ignore subIndex */
+	enckey = &(ri->ri.keyTransRecipientInfo.encKey);
+	break;
+    case NSSCMSRecipientInfoID_KEK:
+	/* ignore subIndex */
+	enckey = &(ri->ri.kekRecipientInfo.encKey);
+	break;
+    case NSSCMSRecipientInfoID_KeyAgree:
+	enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey);
+	break;
+    }
+    return enckey;
+}
+
+
+SECOidTag
+NSS_CMSRecipientInfo_GetKeyEncryptionAlgorithmTag(NSSCMSRecipientInfo *ri)
+{
+    SECOidTag encalgtag = SEC_OID_SHA1; /* set to not a valid encryption alg */
+
+    switch (ri->recipientInfoType) {
+    case NSSCMSRecipientInfoID_KeyTrans:
+	encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyTransRecipientInfo.keyEncAlg));
+	break;
+    case NSSCMSRecipientInfoID_KeyAgree:
+	encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyAgreeRecipientInfo.keyEncAlg));
+	break;
+    case NSSCMSRecipientInfoID_KEK:
+	encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.kekRecipientInfo.keyEncAlg));
+	break;
+    }
+    return encalgtag;
+}
+
+SECStatus
+NSS_CMSRecipientInfo_WrapBulkKey(NSSCMSRecipientInfo *ri, PK11SymKey *bulkkey, SECOidTag bulkalgtag)
+{
+    CERTCertificate *cert;
+    SECOidTag certalgtag;
+    SECStatus rv = SECSuccess;
+    SECItem *params = NULL;
+    NSSCMSRecipientEncryptedKey *rek;
+    NSSCMSOriginatorIdentifierOrKey *oiok;
+    PLArenaPool *poolp;
+
+    poolp = ri->cmsg->poolp;
+    cert = ri->cert;
+    PORT_Assert (cert != NULL);
+    if (cert == NULL)
+	return SECFailure;
+
+    /* XXX set ri->recipientInfoType to the proper value here */
+    /* or should we look if it's been set already ? */
+
+    certalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
+    switch (certalgtag) {
+    case SEC_OID_PKCS1_RSA_ENCRYPTION:
+	/* wrap the symkey */
+	if (NSS_CMSUtil_EncryptSymKey_RSA(poolp, cert, bulkkey, &ri->ri.keyTransRecipientInfo.encKey) != SECSuccess) {
+	    rv = SECFailure;
+	    break;
+	}
+
+	rv = SECOID_SetAlgorithmID(poolp, &(ri->ri.keyTransRecipientInfo.keyEncAlg), certalgtag, NULL);
+	break;
+    case SEC_OID_MISSI_KEA_DSS_OLD:
+    case SEC_OID_MISSI_KEA_DSS:
+    case SEC_OID_MISSI_KEA:
+	rv = NSS_CMSUtil_EncryptSymKey_MISSI(poolp, cert, bulkkey,
+					bulkalgtag,
+					&ri->ri.keyTransRecipientInfo.encKey,
+					&params, ri->cmsg->pwfn_arg);
+	if (rv != SECSuccess)
+	    break;
+
+	/* here, we DO need to pass the params to the wrap function because, with
+	 * RSA, there is no funny stuff going on with generation of IV vectors or so */
+	rv = SECOID_SetAlgorithmID(poolp, &(ri->ri.keyTransRecipientInfo.keyEncAlg), certalgtag, params);
+	break;
+    case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */
+	rek = ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[0];
+	if (rek == NULL) {
+	    rv = SECFailure;
+	    break;
+	}
+
+	oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey);
+	PORT_Assert(oiok->identifierType == NSSCMSOriginatorIDOrKey_OriginatorPublicKey);
+
+	/* see RFC2630 12.3.1.1 */
+	if (SECOID_SetAlgorithmID(poolp, &oiok->id.originatorPublicKey.algorithmIdentifier,
+				    SEC_OID_X942_DIFFIE_HELMAN_KEY, NULL) != SECSuccess) {
+	    rv = SECFailure;
+	    break;
+	}
+
+	/* this will generate a key pair, compute the shared secret, */
+	/* derive a key and ukm for the keyEncAlg out of it, encrypt the bulk key with */
+	/* the keyEncAlg, set encKey, keyEncAlg, publicKey etc. */
+	rv = NSS_CMSUtil_EncryptSymKey_ESDH(poolp, cert, bulkkey,
+					&rek->encKey,
+					&ri->ri.keyAgreeRecipientInfo.ukm,
+					&ri->ri.keyAgreeRecipientInfo.keyEncAlg,
+					&oiok->id.originatorPublicKey.publicKey);
+
+	break;
+    default:
+	/* other algorithms not supported yet */
+	/* NOTE that we do not support any KEK algorithm */
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	rv = SECFailure;
+	break;
+    }
+    return rv;
+}
+
+PK11SymKey *
+NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex, 
+	CERTCertificate *cert, SECKEYPrivateKey *privkey, SECOidTag bulkalgtag)
+{
+    PK11SymKey *bulkkey = NULL;
+    SECAlgorithmID *encalg;
+    SECOidTag encalgtag;
+    SECItem *enckey;
+    int error;
+
+    ri->cert = CERT_DupCertificate(cert);
+        	/* mark the recipientInfo so we can find it later */
+
+    switch (ri->recipientInfoType) {
+    case NSSCMSRecipientInfoID_KeyTrans:
+	encalg = &(ri->ri.keyTransRecipientInfo.keyEncAlg);
+	encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyTransRecipientInfo.keyEncAlg));
+	enckey = &(ri->ri.keyTransRecipientInfo.encKey); /* ignore subIndex */
+	switch (encalgtag) {
+	case SEC_OID_PKCS1_RSA_ENCRYPTION:
+	    /* RSA encryption algorithm: */
+	    /* get the symmetric (bulk) key by unwrapping it using our private key */
+	    bulkkey = NSS_CMSUtil_DecryptSymKey_RSA(privkey, enckey, bulkalgtag);
+	    break;
+	case SEC_OID_NETSCAPE_SMIME_KEA:
+	    /* FORTEZZA key exchange algorithm */
+	    /* the supplemental data is in the parameters of encalg */
+	    bulkkey = NSS_CMSUtil_DecryptSymKey_MISSI(privkey, enckey, encalg, bulkalgtag, ri->cmsg->pwfn_arg);
+	    break;
+	default:
+	    error = SEC_ERROR_UNSUPPORTED_KEYALG;
+	    goto loser;
+	}
+	break;
+    case NSSCMSRecipientInfoID_KeyAgree:
+	encalg = &(ri->ri.keyAgreeRecipientInfo.keyEncAlg);
+	encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyAgreeRecipientInfo.keyEncAlg));
+	enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey);
+	switch (encalgtag) {
+	case SEC_OID_X942_DIFFIE_HELMAN_KEY:
+	    /* Diffie-Helman key exchange */
+	    /* XXX not yet implemented */
+	    /* XXX problem: SEC_OID_X942_DIFFIE_HELMAN_KEY points to a PKCS3 mechanism! */
+	    /* we support ephemeral-static DH only, so if the recipientinfo */
+	    /* has originator stuff in it, we punt (or do we? shouldn't be that hard...) */
+	    /* first, we derive the KEK (a symkey!) using a Derive operation, then we get the */
+	    /* content encryption key using a Unwrap op */
+	    /* the derive operation has to generate the key using the algorithm in RFC2631 */
+	    error = SEC_ERROR_UNSUPPORTED_KEYALG;
+	    break;
+	default:
+	    error = SEC_ERROR_UNSUPPORTED_KEYALG;
+	    goto loser;
+	}
+	break;
+    case NSSCMSRecipientInfoID_KEK:
+	encalg = &(ri->ri.kekRecipientInfo.keyEncAlg);
+	encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.kekRecipientInfo.keyEncAlg));
+	enckey = &(ri->ri.kekRecipientInfo.encKey);
+	/* not supported yet */
+	error = SEC_ERROR_UNSUPPORTED_KEYALG;
+	goto loser;
+	break;
+    }
+    /* XXXX continue here */
+    return bulkkey;
+
+loser:
+    return NULL;
+}
diff --git a/security/nss/lib/smime/cmsreclist.c b/security/nss/lib/smime/cmsreclist.c
new file mode 100644
index 000000000..b6fc62ee4
--- /dev/null
+++ b/security/nss/lib/smime/cmsreclist.c
@@ -0,0 +1,187 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * CMS recipient list functions
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+#include "key.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "prtime.h"
+#include "secerr.h"
+
+static int
+nss_cms_recipients_traverse(NSSCMSRecipientInfo **recipientinfos, NSSCMSRecipient **recipient_list)
+{
+    int count = 0;
+    int rlindex = 0;
+    int i, j;
+    NSSCMSRecipient *rle;
+    NSSCMSRecipientInfo *ri;
+    NSSCMSRecipientEncryptedKey *rek;
+
+    for (i = 0; recipientinfos[i] != NULL; i++) {
+	ri = recipientinfos[i];
+	switch (ri->recipientInfoType) {
+	case NSSCMSRecipientInfoID_KeyTrans:
+	    if (recipient_list) {
+		/* alloc one & fill it out */
+		rle = (NSSCMSRecipient *)PORT_ZAlloc(sizeof(NSSCMSRecipient));
+		if (rle == NULL)
+		    return -1;
+		
+		rle->riIndex = i;
+		rle->subIndex = -1;
+		switch (ri->ri.keyTransRecipientInfo.recipientIdentifier.identifierType) {
+		case NSSCMSRecipientID_IssuerSN:
+		    rle->kind = RLIssuerSN;
+		    rle->id.issuerAndSN = ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN;
+		    break;
+		case NSSCMSRecipientID_SubjectKeyID:
+		    rle->kind = RLSubjKeyID;
+		    rle->id.subjectKeyID = ri->ri.keyTransRecipientInfo.recipientIdentifier.id.subjectKeyID;
+		    break;
+		}
+		recipient_list[rlindex++] = rle;
+	    } else {
+		count++;
+	    }
+	    break;
+	case NSSCMSRecipientInfoID_KeyAgree:
+	    if (ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys == NULL)
+		break;
+	    for (j=0; ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[j] != NULL; j++) {
+		if (recipient_list) {
+		    rek = ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[j];
+		    /* alloc one & fill it out */
+		    rle = (NSSCMSRecipient *)PORT_ZAlloc(sizeof(NSSCMSRecipient));
+		    if (rle == NULL)
+			return -1;
+		    
+		    rle->riIndex = i;
+		    rle->subIndex = j;
+		    switch (rek->recipientIdentifier.identifierType) {
+		    case NSSCMSKeyAgreeRecipientID_IssuerSN:
+			rle->kind = RLIssuerSN;
+			rle->id.issuerAndSN = rek->recipientIdentifier.id.issuerAndSN;
+			break;
+		    case NSSCMSKeyAgreeRecipientID_RKeyID:
+			rle->kind = RLSubjKeyID;
+			rle->id.subjectKeyID = rek->recipientIdentifier.id.recipientKeyIdentifier.subjectKeyIdentifier;
+			break;
+		    }
+		    recipient_list[rlindex++] = rle;
+		} else {
+		    count++;
+		}
+	    }
+	    break;
+	case NSSCMSRecipientInfoID_KEK:
+	    /* KEK is not implemented */
+	    break;
+	}
+    }
+    /* if we have a recipient list, we return on success (-1, above, on failure) */
+    /* otherwise, we return the count. */
+    if (recipient_list) {
+	recipient_list[rlindex] = NULL;
+	return 0;
+    } else {
+	return count;
+    }
+}
+
+NSSCMSRecipient **
+nss_cms_recipient_list_create(NSSCMSRecipientInfo **recipientinfos)
+{
+    int count, rv;
+    NSSCMSRecipient **recipient_list;
+
+    /* count the number of recipient identifiers */
+    count = nss_cms_recipients_traverse(recipientinfos, NULL);
+    if (count <= 0) {
+	/* no recipients? */
+	PORT_SetError(SEC_ERROR_BAD_DATA);
+#if 0
+	PORT_SetErrorString("Cannot find recipient data in envelope.");
+#endif
+	return NULL;
+    }
+
+    /* allocate an array of pointers */
+    recipient_list = (NSSCMSRecipient **)
+		    PORT_ZAlloc((count + 1) * sizeof(NSSCMSRecipient *));
+    if (recipient_list == NULL)
+	return NULL;
+
+    /* now fill in the recipient_list */
+    rv = nss_cms_recipients_traverse(recipientinfos, recipient_list);
+    if (rv < 0) {
+	nss_cms_recipient_list_destroy(recipient_list);
+	return NULL;
+    }
+    return recipient_list;
+}
+
+void
+nss_cms_recipient_list_destroy(NSSCMSRecipient **recipient_list)
+{
+    int i;
+    NSSCMSRecipient *recipient;
+
+    for (i=0; recipient_list[i] != NULL; i++) {
+	recipient = recipient_list[i];
+	if (recipient->cert)
+	    CERT_DestroyCertificate(recipient->cert);
+	if (recipient->privkey)
+	    SECKEY_DestroyPrivateKey(recipient->privkey);
+	if (recipient->slot)
+	    PK11_FreeSlot(recipient->slot);
+	PORT_Free(recipient);
+    }
+    PORT_Free(recipient_list);
+}
+
+NSSCMSRecipientEncryptedKey *
+NSS_CMSRecipientEncryptedKey_Create(PLArenaPool *poolp)
+{
+    return (NSSCMSRecipientEncryptedKey *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSRecipientEncryptedKey));
+}
diff --git a/security/nss/lib/smime/cmsreclist.h b/security/nss/lib/smime/cmsreclist.h
new file mode 100644
index 000000000..19b13e115
--- /dev/null
+++ b/security/nss/lib/smime/cmsreclist.h
@@ -0,0 +1,59 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * $Id$
+ */
+
+#ifndef _CMSRECLIST_H
+#define _CMSRECLIST_H
+
+struct NSSCMSRecipientStr {
+    int				riIndex;	/* this recipient's index in recipientInfo array */
+    int				subIndex;	/* index into recipientEncryptedKeys */
+						/* (only in NSSCMSKeyAgreeRecipientInfoStr) */
+    enum {RLIssuerSN=0, RLSubjKeyID=1} kind;	/* for conversion recipientinfos -> recipientlist */
+    union {
+	CERTIssuerAndSN *	issuerAndSN;
+	SECItem *		subjectKeyID;
+    } id;
+
+    /* result data (filled out for each recipient that's us) */
+    CERTCertificate *		cert;
+    SECKEYPrivateKey *		privkey;
+    PK11SlotInfo *		slot;
+};
+
+typedef struct NSSCMSRecipientStr NSSCMSRecipient;
+
+#endif /* _CMSRECLIST_H */
diff --git a/security/nss/lib/smime/cmssigdata.c b/security/nss/lib/smime/cmssigdata.c
new file mode 100644
index 000000000..fab7189f2
--- /dev/null
+++ b/security/nss/lib/smime/cmssigdata.c
@@ -0,0 +1,902 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * CMS signedData methods.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+/*#include "cdbhdl.h"*/
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "secerr.h"
+
+NSSCMSSignedData *
+NSS_CMSSignedData_Create(NSSCMSMessage *cmsg)
+{
+    void *mark;
+    NSSCMSSignedData *sigd;
+    PLArenaPool *poolp;
+
+    poolp = cmsg->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+
+    sigd = (NSSCMSSignedData *)PORT_ArenaZAlloc (poolp, sizeof(NSSCMSSignedData));
+    if (sigd == NULL)
+	goto loser;
+
+    sigd->cmsg = cmsg;
+
+    /* signerInfos, certs, certlists, crls are all empty */
+    /* version is set in NSS_CMSSignedData_Finalize() */
+
+    PORT_ArenaUnmark(poolp, mark);
+    return sigd;
+
+loser:
+    PORT_ArenaRelease(poolp, mark);
+    return NULL;
+}
+
+void
+NSS_CMSSignedData_Destroy(NSSCMSSignedData *sigd)
+{
+    CERTCertificate **certs, *cert;
+    CERTCertificateList **certlists, *certlist;
+    NSSCMSSignerInfo **signerinfos, *si;
+
+    if (sigd == NULL)
+	return;
+
+    certs = sigd->certs;
+    certlists = sigd->certLists;
+    signerinfos = sigd->signerInfos;
+
+    if (certs != NULL) {
+	while ((cert = *certs++) != NULL)
+	    CERT_DestroyCertificate (cert);
+    }
+
+    if (certlists != NULL) {
+	while ((certlist = *certlists++) != NULL)
+	    CERT_DestroyCertificateList (certlist);
+    }
+
+    if (signerinfos != NULL) {
+	while ((si = *signerinfos++) != NULL)
+	    NSS_CMSSignerInfo_Destroy(si);
+    }
+
+    /* everything's in a pool, so don't worry about the storage */
+   NSS_CMSContentInfo_Destroy(&(sigd->contentInfo));
+
+}
+
+/*
+ * NSS_CMSSignedData_Encode_BeforeStart - do all the necessary things to a SignedData
+ *     before start of encoding.
+ *
+ * In detail:
+ *  - find out about the right value to put into sigd->version
+ *  - come up with a list of digestAlgorithms (which should be the union of the algorithms
+ *         in the signerinfos).
+ *         If we happen to have a pre-set list of algorithms (and digest values!), we
+ *         check if we have all the signerinfos' algorithms. If not, this is an error.
+ */
+SECStatus
+NSS_CMSSignedData_Encode_BeforeStart(NSSCMSSignedData *sigd)
+{
+    NSSCMSSignerInfo *signerinfo;
+    SECOidTag digestalgtag;
+    SECItem *dummy;
+    int version;
+    SECStatus rv;
+    PRBool haveDigests = PR_FALSE;
+    int n, i;
+    PLArenaPool *poolp;
+
+    poolp = sigd->cmsg->poolp;
+
+    /* we assume that we have precomputed digests if there is a list of algorithms, and */
+    /* a chunk of data for each of those algorithms */
+    if (sigd->digestAlgorithms != NULL && sigd->digests != NULL) {
+	for (i=0; sigd->digestAlgorithms[i] != NULL; i++) {
+	    if (sigd->digests[i] == NULL)
+		break;
+	}
+	if (sigd->digestAlgorithms[i] == NULL)	/* reached the end of the array? */
+	    haveDigests = PR_TRUE;		/* yes: we must have all the digests */
+    }
+	    
+    version = NSS_CMS_SIGNED_DATA_VERSION_BASIC;
+
+    /* RFC2630 5.1 "version is the syntax version number..." */
+    if (NSS_CMSContentInfo_GetContentTypeTag(&(sigd->contentInfo)) != SEC_OID_PKCS7_DATA)
+	version = NSS_CMS_SIGNED_DATA_VERSION_EXT;
+
+    /* prepare all the SignerInfos (there may be none) */
+    for (i=0; i < NSS_CMSSignedData_SignerInfoCount(sigd); i++) {
+	signerinfo = NSS_CMSSignedData_GetSignerInfo(sigd, i);
+
+	/* RFC2630 5.1 "version is the syntax version number..." */
+	if (NSS_CMSSignerInfo_GetVersion(signerinfo) != NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN)
+	    version = NSS_CMS_SIGNED_DATA_VERSION_EXT;
+	
+	/* collect digestAlgorithms from SignerInfos */
+	/* (we need to know which algorithms we have when the content comes in) */
+	/* do not overwrite any existing digestAlgorithms (and digest) */
+	digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
+	n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
+	if (n < 0 && haveDigests) {
+	    /* oops, there is a digestalg we do not have a digest for */
+	    /* but we were supposed to have all the digests already... */
+	    goto loser;
+	} else if (n < 0) {
+	    /* add the digestAlgorithm & a NULL digest */
+	    rv = NSS_CMSSignedData_AddDigest(poolp, sigd, digestalgtag, NULL);
+	    if (rv != SECSuccess)
+		goto loser;
+	} else {
+	    /* found it, nothing to do */
+	}
+    }
+
+    dummy = SEC_ASN1EncodeInteger(poolp, &(sigd->version), (long)version);
+    if (dummy == NULL)
+	return SECFailure;
+
+    /* this is a SET OF, so we need to sort them guys */
+    rv = NSS_CMSArray_SortByDER((void **)sigd->digestAlgorithms, 
+                                SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
+				(void **)sigd->digests);
+    if (rv != SECSuccess)
+	return SECFailure;
+    
+    return SECSuccess;
+
+loser:
+    return SECFailure;
+}
+
+SECStatus
+NSS_CMSSignedData_Encode_BeforeData(NSSCMSSignedData *sigd)
+{
+    /* set up the digests */
+    if (sigd->digestAlgorithms != NULL) {
+	sigd->contentInfo.digcx = NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms);
+	if (sigd->contentInfo.digcx == NULL)
+	    return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSSignedData_Encode_AfterData - do all the necessary things to a SignedData
+ *     after all the encapsulated data was passed through the encoder.
+ *
+ * In detail:
+ *  - create the signatures in all the SignerInfos
+ *
+ * Please note that nothing is done to the Certificates and CRLs in the message - this
+ * is entirely the responsibility of our callers.
+ */
+SECStatus
+NSS_CMSSignedData_Encode_AfterData(NSSCMSSignedData *sigd)
+{
+    NSSCMSSignerInfo **signerinfos, *signerinfo;
+    NSSCMSContentInfo *cinfo;
+    SECOidTag digestalgtag;
+    SECStatus ret = SECFailure;
+    SECStatus rv;
+    SECItem *contentType;
+    int certcount;
+    int i, ci, cli, n, rci, si;
+    PLArenaPool *poolp;
+    CERTCertificateList *certlist;
+    extern const SEC_ASN1Template NSSCMSSignerInfoTemplate[];
+
+    poolp = sigd->cmsg->poolp;
+    cinfo = &(sigd->contentInfo);
+
+    /* did we have digest calculation going on? */
+    if (cinfo->digcx) {
+	rv = NSS_CMSDigestContext_FinishMultiple(cinfo->digcx, poolp, &(sigd->digests));
+	if (rv != SECSuccess)
+	    goto loser;		/* error has been set by NSS_CMSDigestContext_FinishMultiple */
+	cinfo->digcx = NULL;
+    }
+
+    signerinfos = sigd->signerInfos;
+    certcount = 0;
+
+    /* prepare all the SignerInfos (there may be none) */
+    for (i=0; i < NSS_CMSSignedData_SignerInfoCount(sigd); i++) {
+	signerinfo = NSS_CMSSignedData_GetSignerInfo(sigd, i);
+
+	/* find correct digest for this signerinfo */
+	digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
+	n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
+	if (n < 0 || sigd->digests == NULL || sigd->digests[n] == NULL) {
+	    /* oops - digest not found */
+	    PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND);
+	    goto loser;
+	}
+
+	/* XXX if our content is anything else but data, we need to force the
+	 * presence of signed attributes (RFC2630 5.3 "signedAttributes is a
+	 * collection...") */
+
+	/* pass contentType here as we want a contentType attribute */
+	if ((contentType = NSS_CMSContentInfo_GetContentTypeOID(cinfo)) == NULL)
+	    goto loser;
+
+	/* sign the thing */
+	rv = NSS_CMSSignerInfo_Sign(signerinfo, sigd->digests[n], contentType);
+	if (rv != SECSuccess)
+	    goto loser;
+
+	/* while we're at it, count number of certs in certLists */
+	certlist = NSS_CMSSignerInfo_GetCertList(signerinfo);
+	if (certlist)
+	    certcount += certlist->len;
+    }
+
+    /* this is a SET OF, so we need to sort them guys */
+    rv = NSS_CMSArray_SortByDER((void **)signerinfos, NSSCMSSignerInfoTemplate, NULL);
+    if (rv != SECSuccess)
+	goto loser;
+
+    /*
+     * now prepare certs & crls
+     */
+
+    /* count the rest of the certs */
+    if (sigd->certs != NULL) {
+	for (ci = 0; sigd->certs[ci] != NULL; ci++)
+	    certcount++;
+    }
+
+    if (sigd->certLists != NULL) {
+	for (cli = 0; sigd->certLists[cli] != NULL; cli++)
+	    certcount += sigd->certLists[cli]->len;
+    }
+
+    if (certcount == 0) {
+	sigd->rawCerts = NULL;
+    } else {
+	/*
+	 * Combine all of the certs and cert chains into rawcerts.
+	 * Note: certcount is an upper bound; we may not need that many slots
+	 * but we will allocate anyway to avoid having to do another pass.
+	 * (The temporary space saving is not worth it.)
+	 *
+	 * XXX ARGH - this NEEDS to be fixed. need to come up with a decent
+	 *  SetOfDERcertficates implementation
+	 */
+	sigd->rawCerts = (SECItem **)PORT_ArenaAlloc(poolp, (certcount + 1) * sizeof(SECItem *));
+	if (sigd->rawCerts == NULL)
+	    return SECFailure;
+
+	/*
+	 * XXX Want to check for duplicates and not add *any* cert that is
+	 * already in the set.  This will be more important when we start
+	 * dealing with larger sets of certs, dual-key certs (signing and
+	 * encryption), etc.  For the time being we can slide by...
+	 *
+	 * XXX ARGH - this NEEDS to be fixed. need to come up with a decent
+	 *  SetOfDERcertficates implementation
+	 */
+	rci = 0;
+	if (signerinfos != NULL) {
+	    for (si = 0; signerinfos[si] != NULL; si++) {
+		signerinfo = signerinfos[si];
+		for (ci = 0; ci < signerinfo->certList->len; ci++)
+		    sigd->rawCerts[rci++] = &(signerinfo->certList->certs[ci]);
+	    }
+	}
+
+	if (sigd->certs != NULL) {
+	    for (ci = 0; sigd->certs[ci] != NULL; ci++)
+		sigd->rawCerts[rci++] = &(sigd->certs[ci]->derCert);
+	}
+
+	if (sigd->certLists != NULL) {
+	    for (cli = 0; sigd->certLists[cli] != NULL; cli++) {
+		for (ci = 0; ci < sigd->certLists[cli]->len; ci++)
+		    sigd->rawCerts[rci++] = &(sigd->certLists[cli]->certs[ci]);
+	    }
+	}
+
+	sigd->rawCerts[rci] = NULL;
+
+	/* this is a SET OF, so we need to sort them guys - we have the DER already, though */
+	NSS_CMSArray_Sort((void **)sigd->rawCerts, NSS_CMSUtil_DERCompare, NULL, NULL);
+    }
+
+    ret = SECSuccess;
+
+loser:
+    return ret;
+}
+
+SECStatus
+NSS_CMSSignedData_Decode_BeforeData(NSSCMSSignedData *sigd)
+{
+    /* set up the digests */
+    if (sigd->digestAlgorithms != NULL && sigd->digests == NULL) {
+	/* if digests are already there, do nothing */
+	sigd->contentInfo.digcx = NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms);
+	if (sigd->contentInfo.digcx == NULL)
+	    return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSSignedData_Decode_AfterData - do all the necessary things to a SignedData
+ *     after all the encapsulated data was passed through the decoder.
+ */
+SECStatus
+NSS_CMSSignedData_Decode_AfterData(NSSCMSSignedData *sigd)
+{
+    /* did we have digest calculation going on? */
+    if (sigd->contentInfo.digcx) {
+	if (NSS_CMSDigestContext_FinishMultiple(sigd->contentInfo.digcx, sigd->cmsg->poolp, &(sigd->digests)) != SECSuccess)
+	    return SECFailure;	/* error has been set by NSS_CMSDigestContext_FinishMultiple */
+	sigd->contentInfo.digcx = NULL;
+    }
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSSignedData_Decode_AfterEnd - do all the necessary things to a SignedData
+ *     after all decoding is finished.
+ */
+SECStatus
+NSS_CMSSignedData_Decode_AfterEnd(NSSCMSSignedData *sigd)
+{
+    NSSCMSSignerInfo **signerinfos;
+    int i;
+
+    /* set cmsg for all the signerinfos */
+    signerinfos = sigd->signerInfos;
+
+    /* set cmsg for all the signerinfos */
+    if (signerinfos) {
+	for (i = 0; signerinfos[i] != NULL; i++)
+	    signerinfos[i]->cmsg = sigd->cmsg;
+    }
+
+    return SECSuccess;
+}
+
+/* 
+ * NSS_CMSSignedData_GetSignerInfos - retrieve the SignedData's signer list
+ */
+NSSCMSSignerInfo **
+NSS_CMSSignedData_GetSignerInfos(NSSCMSSignedData *sigd)
+{
+    return sigd->signerInfos;
+}
+
+int
+NSS_CMSSignedData_SignerInfoCount(NSSCMSSignedData *sigd)
+{
+    return NSS_CMSArray_Count((void **)sigd->signerInfos);
+}
+
+NSSCMSSignerInfo *
+NSS_CMSSignedData_GetSignerInfo(NSSCMSSignedData *sigd, int i)
+{
+    return sigd->signerInfos[i];
+}
+
+/* 
+ * NSS_CMSSignedData_GetDigestAlgs - retrieve the SignedData's digest algorithm list
+ */
+SECAlgorithmID **
+NSS_CMSSignedData_GetDigestAlgs(NSSCMSSignedData *sigd)
+{
+    return sigd->digestAlgorithms;
+}
+
+/*
+ * NSS_CMSSignedData_GetContentInfo - return pointer to this signedData's contentinfo
+ */
+NSSCMSContentInfo *
+NSS_CMSSignedData_GetContentInfo(NSSCMSSignedData *sigd)
+{
+    return &(sigd->contentInfo);
+}
+
+/* 
+ * NSS_CMSSignedData_GetCertificateList - retrieve the SignedData's certificate list
+ */
+SECItem **
+NSS_CMSSignedData_GetCertificateList(NSSCMSSignedData *sigd)
+{
+    return sigd->rawCerts;
+}
+
+SECStatus
+NSS_CMSSignedData_ImportCerts(NSSCMSSignedData *sigd, CERTCertDBHandle *certdb,
+				SECCertUsage certusage, PRBool keepcerts)
+{
+    int certcount;
+    SECStatus rv;
+    int i;
+
+    certcount = NSS_CMSArray_Count((void **)sigd->rawCerts);
+
+    rv = CERT_ImportCerts(certdb, certusage, certcount, sigd->rawCerts, NULL,
+			  keepcerts, PR_FALSE, NULL);
+
+    /* XXX CRL handling */
+
+    if (sigd->signerInfos != NULL) {
+	/* fill in all signerinfo's certs */
+	for (i = 0; sigd->signerInfos[i] != NULL; i++)
+	    (void)NSS_CMSSignerInfo_GetSigningCertificate(sigd->signerInfos[i], certdb);
+    }
+
+    return rv;
+}
+
+/*
+ * XXX the digests need to be passed in BETWEEN the decoding and the verification in case
+ *     of external signatures!
+ */
+
+/*
+ * NSS_CMSSignedData_VerifySignerInfo - check the signatures.
+ *
+ * The digests were either calculated during decoding (and are stored in the
+ * signedData itself) or set after decoding using NSS_CMSSignedData_SetDigests.
+ *
+ * The verification checks if the signing cert is valid and has a trusted chain
+ * for the purpose specified by "certusage".
+ */
+SECStatus
+NSS_CMSSignedData_VerifySignerInfo(NSSCMSSignedData *sigd, int i, 
+			    CERTCertDBHandle *certdb, SECCertUsage certusage)
+{
+    NSSCMSSignerInfo *signerinfo;
+    NSSCMSContentInfo *cinfo;
+    SECOidData *algiddata;
+    SECItem *contentType, *digest;
+
+    cinfo = &(sigd->contentInfo);
+
+    signerinfo = sigd->signerInfos[i];
+
+    /* verify certificate */
+    if (NSS_CMSSignerInfo_VerifyCertificate(signerinfo, certdb, certusage) != SECSuccess)
+	return SECFailure;		/* error is set by NSS_CMSSignerInfo_VerifyCertificate */
+
+    /* find digest and contentType for signerinfo */
+    algiddata = NSS_CMSSignerInfo_GetDigestAlg(signerinfo);
+    digest = NSS_CMSSignedData_GetDigestByAlgTag(sigd, algiddata->offset);
+    contentType = NSS_CMSContentInfo_GetContentTypeOID(cinfo);
+
+    /* now verify signature */
+    return NSS_CMSSignerInfo_Verify(signerinfo, digest, contentType);
+}
+
+/*
+ * NSS_CMSSignedData_VerifyCertsOnly - verify the certs in a certs-only message
+ */
+SECStatus
+NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd, 
+                                  CERTCertDBHandle *certdb, 
+                                  SECCertUsage usage)
+{
+    CERTCertificate *cert;
+    SECStatus rv = SECSuccess;
+    int i;
+    int count;
+
+    if (!sigd || !certdb || !sigd->rawCerts) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    count = NSS_CMSArray_Count((void**)sigd->rawCerts);
+    for (i=0; i < count; i++) {
+	if (sigd->certs && sigd->certs[i]) {
+	    cert = sigd->certs[i];
+	} else {
+	    cert = CERT_FindCertByDERCert(certdb, sigd->rawCerts[i]);
+	    if (!cert) {
+		rv = SECFailure;
+		break;
+	    }
+	}
+	rv |= CERT_VerifyCert(certdb, cert, PR_TRUE, usage, PR_Now(), 
+                              NULL, NULL);
+    }
+
+    return rv;
+}
+
+/*
+ * NSS_CMSSignedData_HasDigests - see if we have digests in place
+ */
+PRBool
+NSS_CMSSignedData_HasDigests(NSSCMSSignedData *sigd)
+{
+    return (sigd->digests != NULL);
+}
+
+SECStatus
+NSS_CMSSignedData_AddCertList(NSSCMSSignedData *sigd, CERTCertificateList *certlist)
+{
+    SECStatus rv;
+
+    PORT_Assert(certlist != NULL);
+
+    if (certlist == NULL)
+	return SECFailure;
+
+    /* XXX memory?? a certlist has an arena of its own and is not refcounted!?!? */
+    rv = NSS_CMSArray_Add(sigd->cmsg->poolp, (void ***)&(sigd->certLists), (void *)certlist);
+
+    return rv;
+}
+
+/*
+ * NSS_CMSSignedData_AddCertChain - add cert and its entire chain to the set of certs 
+ */
+SECStatus
+NSS_CMSSignedData_AddCertChain(NSSCMSSignedData *sigd, CERTCertificate *cert)
+{
+    CERTCertificateList *certlist;
+    SECCertUsage usage;
+    SECStatus rv;
+
+    usage = certUsageEmailSigner;
+
+    /* do not include root */
+    certlist = CERT_CertChainFromCert(cert, usage, PR_FALSE);
+    if (certlist == NULL)
+	return SECFailure;
+
+    rv = NSS_CMSSignedData_AddCertList(sigd, certlist);
+
+    return rv;
+}
+
+SECStatus
+NSS_CMSSignedData_AddCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert)
+{
+    CERTCertificate *c;
+    SECStatus rv;
+
+    PORT_Assert(cert != NULL);
+
+    if (cert == NULL)
+	return SECFailure;
+
+    c = CERT_DupCertificate(cert);
+    rv = NSS_CMSArray_Add(sigd->cmsg->poolp, (void ***)&(sigd->certs), (void *)c);
+    return rv;
+}
+
+PRBool
+NSS_CMSSignedData_ContainsCertsOrCrls(NSSCMSSignedData *sigd)
+{
+    if (sigd->rawCerts != NULL && sigd->rawCerts[0] != NULL)
+	return PR_TRUE;
+    else if (sigd->crls != NULL && sigd->crls[0] != NULL)
+	return PR_TRUE;
+    else
+	return PR_FALSE;
+}
+
+SECStatus
+NSS_CMSSignedData_AddSignerInfo(NSSCMSSignedData *sigd,
+				NSSCMSSignerInfo *signerinfo)
+{
+    void *mark;
+    SECStatus rv;
+    SECOidTag digestalgtag;
+    PLArenaPool *poolp;
+
+    poolp = sigd->cmsg->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+
+    /* add signerinfo */
+    rv = NSS_CMSArray_Add(poolp, (void ***)&(sigd->signerInfos), (void *)signerinfo);
+    if (rv != SECSuccess)
+	goto loser;
+
+    /*
+     * add empty digest
+     * Empty because we don't have it yet. Either it gets created during encoding
+     * (if the data is present) or has to be set externally.
+     * XXX maybe pass it in optionally?
+     */
+    digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
+    rv = NSS_CMSSignedData_SetDigestValue(sigd, digestalgtag, NULL);
+    if (rv != SECSuccess)
+	goto loser;
+
+    /*
+     * The last thing to get consistency would be adding the digest.
+     */
+
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease (poolp, mark);
+    return SECFailure;
+}
+
+SECItem *
+NSS_CMSSignedData_GetDigestByAlgTag(NSSCMSSignedData *sigd, SECOidTag algtag)
+{
+    int idx;
+
+    idx = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, algtag);
+    return sigd->digests[idx];
+}
+
+/*
+ * NSS_CMSSignedData_SetDigests - set a signedData's digests member
+ *
+ * "digestalgs" - array of digest algorithm IDs
+ * "digests"    - array of digests corresponding to the digest algorithms
+ */
+SECStatus
+NSS_CMSSignedData_SetDigests(NSSCMSSignedData *sigd,
+				SECAlgorithmID **digestalgs,
+				SECItem **digests)
+{
+    int cnt, i, idx;
+
+    if (sigd->digestAlgorithms == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    /* we assume that the digests array is just not there yet */
+    PORT_Assert(sigd->digests == NULL);
+    if (sigd->digests != NULL) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+
+    /* now allocate one (same size as digestAlgorithms) */
+    cnt = NSS_CMSArray_Count((void **)sigd->digestAlgorithms);
+    sigd->digests = PORT_ArenaZAlloc(sigd->cmsg->poolp, (cnt + 1) * sizeof(SECItem *));
+    if (sigd->digests == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+
+    for (i = 0; sigd->digestAlgorithms[i] != NULL; i++) {
+	/* try to find the sigd's i'th digest algorithm in the array we passed in */
+	idx = NSS_CMSAlgArray_GetIndexByAlgID(digestalgs, sigd->digestAlgorithms[i]);
+	if (idx < 0) {
+	    PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND);
+	    return SECFailure;
+	}
+
+	/* found it - now set it */
+	if ((sigd->digests[i] = SECITEM_AllocItem(sigd->cmsg->poolp, NULL, 0)) == NULL ||
+	    SECITEM_CopyItem(sigd->cmsg->poolp, sigd->digests[i], digests[idx]) != SECSuccess)
+	{
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    return SECFailure;
+	}
+    }
+    return SECSuccess;
+}
+
+SECStatus
+NSS_CMSSignedData_SetDigestValue(NSSCMSSignedData *sigd,
+				SECOidTag digestalgtag,
+				SECItem *digestdata)
+{
+    SECItem *digest = NULL;
+    PLArenaPool *poolp;
+    void *mark;
+    int n, cnt;
+
+    poolp = sigd->cmsg->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+
+   
+    if (digestdata) {
+        digest = (SECItem *) PORT_ArenaZAlloc(poolp,sizeof(SECItem));
+
+	/* copy digestdata item to arena (in case we have it and are not only making room) */
+	if (SECITEM_CopyItem(poolp, digest, digestdata) != SECSuccess)
+	    goto loser;
+    }
+
+    /* now allocate one (same size as digestAlgorithms) */
+    if (sigd->digests == NULL) {
+        cnt = NSS_CMSArray_Count((void **)sigd->digestAlgorithms);
+        sigd->digests = PORT_ArenaZAlloc(sigd->cmsg->poolp, (cnt + 1) * sizeof(SECItem *));
+        if (sigd->digests == NULL) {
+	        PORT_SetError(SEC_ERROR_NO_MEMORY);
+	        return SECFailure;
+        }
+    }
+
+    n = -1;
+    if (sigd->digestAlgorithms != NULL)
+	n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
+
+    /* if not found, add a digest */
+    if (n < 0) {
+	if (NSS_CMSSignedData_AddDigest(poolp, sigd, digestalgtag, digest) != SECSuccess)
+	    goto loser;
+    } else {
+	/* replace NULL pointer with digest item (and leak previous value) */
+	sigd->digests[n] = digest;
+    }
+
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease(poolp, mark);
+    return SECFailure;
+}
+
+SECStatus
+NSS_CMSSignedData_AddDigest(PRArenaPool *poolp,
+				NSSCMSSignedData *sigd,
+				SECOidTag digestalgtag,
+				SECItem *digest)
+{
+    SECAlgorithmID *digestalg;
+    void *mark;
+
+    mark = PORT_ArenaMark(poolp);
+
+    digestalg = PORT_ArenaZAlloc(poolp, sizeof(SECAlgorithmID));
+    if (digestalg == NULL)
+	goto loser;
+
+    if (SECOID_SetAlgorithmID (poolp, digestalg, digestalgtag, NULL) != SECSuccess) /* no params */
+	goto loser;
+
+    if (NSS_CMSArray_Add(poolp, (void ***)&(sigd->digestAlgorithms), (void *)digestalg) != SECSuccess ||
+	/* even if digest is NULL, add dummy to have same-size array */
+	NSS_CMSArray_Add(poolp, (void ***)&(sigd->digests), (void *)digest) != SECSuccess)
+    {
+	goto loser;
+    }
+
+    PORT_ArenaUnmark(poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease(poolp, mark);
+    return SECFailure;
+}
+
+SECItem *
+NSS_CMSSignedData_GetDigestValue(NSSCMSSignedData *sigd, SECOidTag digestalgtag)
+{
+    int n;
+
+    if (sigd->digestAlgorithms == NULL)
+	return NULL;
+
+    n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
+
+    return (n < 0) ? NULL : sigd->digests[n];
+}
+
+/* =============================================================================
+ * Misc. utility functions
+ */
+
+/*
+ * NSS_CMSSignedData_CreateCertsOnly - create a certs-only SignedData.
+ *
+ * cert          - base certificates that will be included
+ * include_chain - if true, include the complete cert chain for cert
+ *
+ * More certs and chains can be added via AddCertificate and AddCertChain.
+ *
+ * An error results in a return value of NULL and an error set.
+ *
+ * XXXX CRLs
+ */
+NSSCMSSignedData *
+NSS_CMSSignedData_CreateCertsOnly(NSSCMSMessage *cmsg, CERTCertificate *cert, PRBool include_chain)
+{
+    NSSCMSSignedData *sigd;
+    void *mark;
+    PLArenaPool *poolp;
+    SECStatus rv;
+
+    poolp = cmsg->poolp;
+    mark = PORT_ArenaMark(poolp);
+
+    sigd = NSS_CMSSignedData_Create(cmsg);
+    if (sigd == NULL)
+	goto loser;
+
+    /* no signerinfos, thus no digestAlgorithms */
+
+    /* but certs */
+    if (include_chain) {
+	rv = NSS_CMSSignedData_AddCertChain(sigd, cert);
+    } else {
+	rv = NSS_CMSSignedData_AddCertificate(sigd, cert);
+    }
+    if (rv != SECSuccess)
+	goto loser;
+
+    /* RFC2630 5.2 sez:
+     * In the degenerate case where there are no signers, the
+     * EncapsulatedContentInfo value being "signed" is irrelevant.  In this
+     * case, the content type within the EncapsulatedContentInfo value being
+     * "signed" should be id-data (as defined in section 4), and the content
+     * field of the EncapsulatedContentInfo value should be omitted.
+     */
+    rv = NSS_CMSContentInfo_SetContent_Data(cmsg, &(sigd->contentInfo), NULL, PR_TRUE);
+    if (rv != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark(poolp, mark);
+    return sigd;
+
+loser:
+    if (sigd)
+	NSS_CMSSignedData_Destroy(sigd);
+    PORT_ArenaRelease(poolp, mark);
+    return NULL;
+}
+
+/* TODO:
+ * NSS_CMSSignerInfo_GetReceiptRequest()
+ * NSS_CMSSignedData_HasReceiptRequest()
+ * easy way to iterate over signers
+ */
+
diff --git a/security/nss/lib/smime/cmssiginfo.c b/security/nss/lib/smime/cmssiginfo.c
new file mode 100644
index 000000000..4dbdcb7bf
--- /dev/null
+++ b/security/nss/lib/smime/cmssiginfo.c
@@ -0,0 +1,885 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * CMS signerInfo methods.
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+
+#include "cert.h"
+#include "key.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "prtime.h"
+#include "secerr.h"
+#include "secder.h"
+#include "cryptohi.h"
+
+#include "smime.h"
+
+/* =============================================================================
+ * SIGNERINFO
+ */
+
+NSSCMSSignerInfo *
+NSS_CMSSignerInfo_Create(NSSCMSMessage *cmsg, CERTCertificate *cert, SECOidTag digestalgtag)
+{
+    void *mark;
+    NSSCMSSignerInfo *signerinfo;
+    int version;
+    PLArenaPool *poolp;
+
+    poolp = cmsg->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+
+    signerinfo = (NSSCMSSignerInfo *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSSignerInfo));
+    if (signerinfo == NULL) {
+	PORT_ArenaRelease(poolp, mark);
+	return NULL;
+    }
+
+    if ((signerinfo->cert = CERT_DupCertificate(cert)) == NULL)
+	goto loser;
+
+    signerinfo->cmsg = cmsg;
+
+    signerinfo->signerIdentifier.identifierType = NSSCMSSignerID_IssuerSN;	/* hardcoded for now */
+    if ((signerinfo->signerIdentifier.id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert)) == NULL)
+	goto loser;
+
+    /* set version right now */
+    version = NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN;
+    /* RFC2630 5.3 "version is the syntax version number. If the .... " */
+    if (signerinfo->signerIdentifier.identifierType == NSSCMSSignerID_SubjectKeyID)
+	version = NSS_CMS_SIGNER_INFO_VERSION_SUBJKEY;
+    (void)SEC_ASN1EncodeInteger(poolp, &(signerinfo->version), (long)version);
+
+    if (SECOID_SetAlgorithmID(poolp, &signerinfo->digestAlg, digestalgtag, NULL) != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark(poolp, mark);
+    return signerinfo;
+
+loser:
+    PORT_ArenaRelease(poolp, mark);
+    return NULL;
+}
+
+/*
+ * NSS_CMSSignerInfo_Destroy - destroy a SignerInfo data structure
+ */
+void
+NSS_CMSSignerInfo_Destroy(NSSCMSSignerInfo *si)
+{
+    if (si->cert != NULL)
+	CERT_DestroyCertificate(si->cert);
+
+    if (si->certList != NULL) 
+	CERT_DestroyCertificateList(si->certList);
+
+    /* XXX storage ??? */
+}
+
+/*
+ * NSS_CMSSignerInfo_Sign - sign something
+ *
+ */
+SECStatus
+NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *contentType)
+{
+    CERTCertificate *cert;
+    SECKEYPrivateKey *privkey = NULL;
+    SECOidTag digestalgtag;
+    SECOidTag signalgtag;
+    SECItem signature = { 0 };
+    SECStatus rv;
+    PLArenaPool *poolp, *tmppoolp; 
+
+    PORT_Assert (digest != NULL);
+
+    poolp = signerinfo->cmsg->poolp;
+
+    cert = signerinfo->cert;
+
+    if ((privkey = PK11_FindKeyByAnyCert(cert, signerinfo->cmsg->pwfn_arg)) == NULL)
+	goto loser;
+
+    digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
+    /*
+     * XXX I think there should be a cert-level interface for this,
+     * so that I do not have to know about subjectPublicKeyInfo...
+     */
+    signalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
+
+    /* Fortezza MISSI have weird signature formats.  Map them to standard DSA formats */
+    signalgtag = PK11_FortezzaMapSig(signalgtag);
+
+    if (signerinfo->authAttr != NULL) {
+	SECItem encoded_attrs;
+
+	/* find and fill in the message digest attribute. */
+	rv = NSS_CMSAttributeArray_SetAttr(poolp, &(signerinfo->authAttr), SEC_OID_PKCS9_MESSAGE_DIGEST, digest, PR_FALSE);
+	if (rv != SECSuccess)
+	    goto loser;
+
+	if (contentType != NULL) {
+	    /* if the caller wants us to, find and fill in the content type attribute. */
+	    rv = NSS_CMSAttributeArray_SetAttr(poolp, &(signerinfo->authAttr), SEC_OID_PKCS9_CONTENT_TYPE, contentType, PR_FALSE);
+	    if (rv != SECSuccess)
+		goto loser;
+	}
+
+	if ((tmppoolp = PORT_NewArena (1024)) == NULL) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+
+	/*
+	 * Before encoding, reorder the attributes so that when they
+	 * are encoded, they will be conforming DER, which is required
+	 * to have a specific order and that is what must be used for
+	 * the hash/signature.  We do this here, rather than building
+	 * it into EncodeAttributes, because we do not want to do
+	 * such reordering on incoming messages (which also uses
+	 * EncodeAttributes) or our old signatures (and other "broken"
+	 * implementations) will not verify.  So, we want to guarantee
+	 * that we send out good DER encodings of attributes, but not
+	 * to expect to receive them.
+	 */
+	if (NSS_CMSAttributeArray_Reorder(signerinfo->authAttr) != SECSuccess)
+	    goto loser;
+
+	encoded_attrs.data = NULL;
+	encoded_attrs.len = 0;
+	if (NSS_CMSAttributeArray_Encode(tmppoolp, &(signerinfo->authAttr), &encoded_attrs) == NULL)
+	    goto loser;
+
+	rv = SEC_SignData(&signature, encoded_attrs.data, encoded_attrs.len, privkey,
+			   NSS_CMSUtil_MakeSignatureAlgorithm(digestalgtag, signalgtag));
+	PORT_FreeArena(tmppoolp, PR_FALSE);	/* awkward memory management :-( */
+    } else {
+	rv = SGN_Digest(privkey, digestalgtag, &signature, digest);
+    }
+
+    SECKEY_DestroyPrivateKey(privkey);
+    privkey = NULL;
+
+    if (rv != SECSuccess)
+	goto loser;
+
+    if (SECITEM_CopyItem(poolp, &(signerinfo->encDigest), &signature) != SECSuccess)
+	goto loser;
+
+    SECITEM_FreeItem(&signature, PR_FALSE);
+
+    if (SECOID_SetAlgorithmID(poolp, &(signerinfo->digestEncAlg), signalgtag, NULL) != SECSuccess)
+	goto loser;
+
+    return SECSuccess;
+
+loser:
+    if (signature.len != 0)
+	SECITEM_FreeItem (&signature, PR_FALSE);
+    if (privkey)
+	SECKEY_DestroyPrivateKey(privkey);
+    return SECFailure;
+}
+
+SECStatus
+NSS_CMSSignerInfo_VerifyCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHandle *certdb,
+			    SECCertUsage certusage)
+{
+    CERTCertificate *cert;
+    int64 stime;
+
+    if ((cert = NSS_CMSSignerInfo_GetSigningCertificate(signerinfo, certdb)) == NULL) {
+	signerinfo->verificationStatus = NSSCMSVS_SigningCertNotFound;
+	return SECFailure;
+    }
+
+    /*
+     * Get and convert the signing time; if available, it will be used
+     * both on the cert verification and for importing the sender
+     * email profile.
+     */
+    if (NSS_CMSSignerInfo_GetSigningTime (signerinfo, &stime) != SECSuccess)
+	stime = PR_Now();	/* not found or conversion failed, so check against now */
+    
+    /*
+     * XXX  This uses the signing time, if available.  Additionally, we
+     * might want to, if there is no signing time, get the message time
+     * from the mail header itself, and use that.  That would require
+     * a change to our interface though, and for S/MIME callers to pass
+     * in a time (and for non-S/MIME callers to pass in nothing, or
+     * maybe make them pass in the current time, always?).
+     */
+    if (CERT_VerifyCert(certdb, cert, PR_TRUE, certusage, stime, signerinfo->cmsg->pwfn_arg, NULL) != SECSuccess) {
+	signerinfo->verificationStatus = NSSCMSVS_SigningCertNotTrusted;
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
+ * NSS_CMSSignerInfo_Verify - verify the signature of a single SignerInfo
+ *
+ * Just verifies the signature. The assumption is that verification of the certificate
+ * is done already.
+ */
+SECStatus
+NSS_CMSSignerInfo_Verify(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *contentType)
+{
+    SECKEYPublicKey *publickey = NULL;
+    NSSCMSAttribute *attr;
+    SECItem encoded_attrs;
+    CERTCertificate *cert;
+    NSSCMSVerificationStatus vs = NSSCMSVS_Unverified;
+    PLArenaPool *poolp;
+
+    if (signerinfo == NULL)
+	return SECFailure;
+
+    /* NSS_CMSSignerInfo_GetSigningCertificate will fail if 2nd parm is NULL and */
+    /* cert has not been verified */
+    if ((cert = NSS_CMSSignerInfo_GetSigningCertificate(signerinfo, NULL)) == NULL) {
+	vs = NSSCMSVS_SigningCertNotFound;
+	goto loser;
+    }
+
+    if ((publickey = CERT_ExtractPublicKey(cert)) == NULL) {
+	vs = NSSCMSVS_ProcessingError;
+	goto loser;
+    }
+
+    /*
+     * XXX This may not be the right set of algorithms to check.
+     * I'd prefer to trust that just calling VFY_Verify{Data,Digest}
+     * would do the right thing (and set an error if it could not);
+     * then additional algorithms could be handled by that code
+     * and we would Just Work.  So this check should just be removed,
+     * but not until the VFY code is better at setting errors.
+     */
+    switch (SECOID_GetAlgorithmTag(&(signerinfo->digestEncAlg))) {
+    case SEC_OID_PKCS1_RSA_ENCRYPTION:
+    case SEC_OID_ANSIX9_DSA_SIGNATURE:
+    case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
+	/* ok */
+	break;
+    case SEC_OID_UNKNOWN:
+	vs = NSSCMSVS_SignatureAlgorithmUnknown;
+	goto loser;
+    default:
+	vs = NSSCMSVS_SignatureAlgorithmUnsupported;
+	goto loser;
+    }
+
+    if (!NSS_CMSArray_IsEmpty((void **)signerinfo->authAttr)) {
+	if (contentType) {
+	    /*
+	     * Check content type
+	     *
+	     * RFC2630 sez that if there are any authenticated attributes,
+	     * then there must be one for content type which matches the
+	     * content type of the content being signed, and there must
+	     * be one for message digest which matches our message digest.
+	     * So check these things first.
+	     */
+	    if ((attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr,
+					SEC_OID_PKCS9_CONTENT_TYPE, PR_TRUE)) == NULL)
+	    {
+		vs = NSSCMSVS_MalformedSignature;
+		goto loser;
+	    }
+		
+	    if (NSS_CMSAttribute_CompareValue(attr, contentType) == PR_FALSE) {
+		vs = NSSCMSVS_MalformedSignature;
+		goto loser;
+	    }
+	}
+
+	/*
+	 * Check digest
+	 */
+	if ((attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr, SEC_OID_PKCS9_MESSAGE_DIGEST, PR_TRUE)) == NULL)
+	{
+	    vs = NSSCMSVS_MalformedSignature;
+	    goto loser;
+	}
+	if (NSS_CMSAttribute_CompareValue(attr, digest) == PR_FALSE) {
+	    vs = NSSCMSVS_DigestMismatch;
+	    goto loser;
+	}
+
+	if ((poolp = PORT_NewArena (1024)) == NULL) {
+	    vs = NSSCMSVS_ProcessingError;
+	    goto loser;
+	}
+
+	/*
+	 * Check signature
+	 *
+	 * The signature is based on a digest of the DER-encoded authenticated
+	 * attributes.  So, first we encode and then we digest/verify.
+	 * we trust the decoder to have the attributes in the right (sorted) order
+	 */
+	encoded_attrs.data = NULL;
+	encoded_attrs.len = 0;
+
+	if (NSS_CMSAttributeArray_Encode(poolp, &(signerinfo->authAttr), &encoded_attrs) == NULL ||
+		encoded_attrs.data == NULL || encoded_attrs.len == 0)
+	{
+	    vs = NSSCMSVS_ProcessingError;
+	    goto loser;
+	}
+
+	vs = (VFY_VerifyData (encoded_attrs.data, encoded_attrs.len,
+			publickey, &(signerinfo->encDigest),
+			SECOID_GetAlgorithmTag(&(signerinfo->digestEncAlg)),
+			signerinfo->cmsg->pwfn_arg) != SECSuccess) ? NSSCMSVS_BadSignature : NSSCMSVS_GoodSignature;
+
+	PORT_FreeArena(poolp, PR_FALSE);	/* awkward memory management :-( */
+
+    } else {
+	SECItem *sig;
+
+	/* No authenticated attributes. The signature is based on the plain message digest. */
+	sig = &(signerinfo->encDigest);
+	if (sig->len == 0)
+	    goto loser;
+
+	vs = (VFY_VerifyDigest(digest, publickey, sig,
+			SECOID_GetAlgorithmTag(&(signerinfo->digestEncAlg)),
+			signerinfo->cmsg->pwfn_arg) != SECSuccess) ? NSSCMSVS_BadSignature : NSSCMSVS_GoodSignature;
+    }
+
+    if (vs == NSSCMSVS_BadSignature) {
+	/*
+	 * XXX Change the generic error into our specific one, because
+	 * in that case we get a better explanation out of the Security
+	 * Advisor.  This is really a bug in our error strings (the
+	 * "generic" error has a lousy/wrong message associated with it
+	 * which assumes the signature verification was done for the
+	 * purposes of checking the issuer signature on a certificate)
+	 * but this is at least an easy workaround and/or in the
+	 * Security Advisor, which specifically checks for the error
+	 * SEC_ERROR_PKCS7_BAD_SIGNATURE and gives more explanation
+	 * in that case but does not similarly check for
+	 * SEC_ERROR_BAD_SIGNATURE.  It probably should, but then would
+	 * probably say the wrong thing in the case that it *was* the
+	 * certificate signature check that failed during the cert
+	 * verification done above.  Our error handling is really a mess.
+	 */
+	if (PORT_GetError() == SEC_ERROR_BAD_SIGNATURE)
+	    PORT_SetError(SEC_ERROR_PKCS7_BAD_SIGNATURE);
+    }
+
+    if (publickey != NULL)
+	SECKEY_DestroyPublicKey (publickey);
+
+    signerinfo->verificationStatus = vs;
+
+    return (vs == NSSCMSVS_GoodSignature) ? SECSuccess : SECFailure;
+
+loser:
+    if (publickey != NULL)
+	SECKEY_DestroyPublicKey (publickey);
+
+    signerinfo->verificationStatus = vs;
+
+    PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
+    return SECFailure;
+}
+
+NSSCMSVerificationStatus
+NSS_CMSSignerInfo_GetVerificationStatus(NSSCMSSignerInfo *signerinfo)
+{
+    return signerinfo->verificationStatus;
+}
+
+SECOidData *
+NSS_CMSSignerInfo_GetDigestAlg(NSSCMSSignerInfo *signerinfo)
+{
+    return SECOID_FindOID (&(signerinfo->digestAlg.algorithm));
+}
+
+SECOidTag
+NSS_CMSSignerInfo_GetDigestAlgTag(NSSCMSSignerInfo *signerinfo)
+{
+    SECOidData *algdata;
+
+    algdata = SECOID_FindOID (&(signerinfo->digestAlg.algorithm));
+    if (algdata != NULL)
+	return algdata->offset;
+    else
+	return SEC_OID_UNKNOWN;
+}
+
+CERTCertificateList *
+NSS_CMSSignerInfo_GetCertList(NSSCMSSignerInfo *signerinfo)
+{
+    return signerinfo->certList;
+}
+
+int
+NSS_CMSSignerInfo_GetVersion(NSSCMSSignerInfo *signerinfo)
+{
+    unsigned long version;
+
+    /* always take apart the SECItem */
+    if (SEC_ASN1DecodeInteger(&(signerinfo->version), &version) != SECSuccess)
+	return 0;
+    else
+	return (int)version;
+}
+
+/*
+ * NSS_CMSSignerInfo_GetSigningTime - return the signing time,
+ *				      in UTCTime format, of a CMS signerInfo.
+ *
+ * sinfo - signerInfo data for this signer
+ *
+ * Returns a pointer to XXXX (what?)
+ * A return value of NULL is an error.
+ */
+SECStatus
+NSS_CMSSignerInfo_GetSigningTime(NSSCMSSignerInfo *sinfo, PRTime *stime)
+{
+    NSSCMSAttribute *attr;
+    SECItem *value;
+
+    if (sinfo == NULL)
+	return SECFailure;
+
+    if (sinfo->signingTime != 0) {
+	*stime = sinfo->signingTime;	/* cached copy */
+	return SECSuccess;
+    }
+
+    attr = NSS_CMSAttributeArray_FindAttrByOidTag(sinfo->authAttr, SEC_OID_PKCS9_SIGNING_TIME, PR_TRUE);
+    /* XXXX multi-valued attributes NIH */
+    if (attr == NULL || (value = NSS_CMSAttribute_GetValue(attr)) == NULL)
+	return SECFailure;
+    if (DER_UTCTimeToTime(stime, value) != SECSuccess)
+	return SECFailure;
+    sinfo->signingTime = *stime;	/* make cached copy */
+    return SECSuccess;
+}
+
+/*
+ * Return the signing cert of a CMS signerInfo.
+ *
+ * the certs in the enclosing SignedData must have been imported already
+ */
+CERTCertificate *
+NSS_CMSSignerInfo_GetSigningCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHandle *certdb)
+{
+    CERTCertificate *cert;
+
+    if (signerinfo->cert != NULL)
+	return signerinfo->cert;
+
+    /* no certdb, and cert hasn't been set yet? */
+    if (certdb == NULL)
+	return NULL;
+
+    /*
+     * This cert will also need to be freed, but since we save it
+     * in signerinfo for later, we do not want to destroy it when
+     * we leave this function -- we let the clean-up of the entire
+     * cinfo structure later do the destroy of this cert.
+     */
+    switch (signerinfo->signerIdentifier.identifierType) {
+    case NSSCMSSignerID_IssuerSN:
+	cert = CERT_FindCertByIssuerAndSN(certdb, signerinfo->signerIdentifier.id.issuerAndSN);
+	break;
+    case NSSCMSSignerID_SubjectKeyID:
+#if 0 /* not yet implemented */
+	cert = CERT_FindCertBySubjectKeyID(certdb, signerinfo->signerIdentifier.id.subjectKeyID);
+#else
+	cert = NULL;
+#endif
+	break;
+    default:
+	cert = NULL;
+	break;
+    }
+
+    /* cert can be NULL at that point */
+    signerinfo->cert = cert;	/* earmark it */
+
+    return cert;
+}
+
+/*
+ * NSS_CMSSignerInfo_GetSignerCommonName - return the common name of the signer
+ *
+ * sinfo - signerInfo data for this signer
+ *
+ * Returns a pointer to allocated memory, which must be freed.
+ * A return value of NULL is an error.
+ */
+char *
+NSS_CMSSignerInfo_GetSignerCommonName(NSSCMSSignerInfo *sinfo)
+{
+    CERTCertificate *signercert;
+
+    /* will fail if cert is not verified */
+    if ((signercert = NSS_CMSSignerInfo_GetSigningCertificate(sinfo, NULL)) == NULL)
+	return NULL;
+
+    return (CERT_GetCommonName(&signercert->subject));
+}
+
+/*
+ * NSS_CMSSignerInfo_GetSignerEmailAddress - return the common name of the signer
+ *
+ * sinfo - signerInfo data for this signer
+ *
+ * Returns a pointer to allocated memory, which must be freed.
+ * A return value of NULL is an error.
+ */
+char *
+NSS_CMSSignerInfo_GetSignerEmailAddress(NSSCMSSignerInfo *sinfo)
+{
+    CERTCertificate *signercert;
+
+    if ((signercert = NSS_CMSSignerInfo_GetSigningCertificate(sinfo, NULL)) == NULL)
+	return NULL;
+
+    if (signercert->emailAddr == NULL)
+	return NULL;
+
+    return (PORT_Strdup(signercert->emailAddr));
+}
+
+/*
+ * NSS_CMSSignerInfo_AddAuthAttr - add an attribute to the
+ * authenticated (i.e. signed) attributes of "signerinfo". 
+ */
+SECStatus
+NSS_CMSSignerInfo_AddAuthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr)
+{
+    return NSS_CMSAttributeArray_AddAttr(signerinfo->cmsg->poolp, &(signerinfo->authAttr), attr);
+}
+
+/*
+ * NSS_CMSSignerInfo_AddUnauthAttr - add an attribute to the
+ * unauthenticated attributes of "signerinfo". 
+ */
+SECStatus
+NSS_CMSSignerInfo_AddUnauthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr)
+{
+    return NSS_CMSAttributeArray_AddAttr(signerinfo->cmsg->poolp, &(signerinfo->unAuthAttr), attr);
+}
+
+/* 
+ * NSS_CMSSignerInfo_AddSigningTime - add the signing time to the
+ * authenticated (i.e. signed) attributes of "signerinfo". 
+ *
+ * This is expected to be included in outgoing signed
+ * messages for email (S/MIME) but is likely useful in other situations.
+ *
+ * This should only be added once; a second call will do nothing.
+ *
+ * XXX This will probably just shove the current time into "signerinfo"
+ * but it will not actually get signed until the entire item is
+ * processed for encoding.  Is this (expected to be small) delay okay?
+ */
+SECStatus
+NSS_CMSSignerInfo_AddSigningTime(NSSCMSSignerInfo *signerinfo, PRTime t)
+{
+    NSSCMSAttribute *attr;
+    SECItem stime;
+    void *mark;
+    PLArenaPool *poolp;
+
+    poolp = signerinfo->cmsg->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+
+    /* create new signing time attribute */
+    if (DER_TimeToUTCTime(&stime, t) != SECSuccess)
+	goto loser;
+
+    if ((attr = NSS_CMSAttribute_Create(poolp, SEC_OID_PKCS9_SIGNING_TIME, &stime, PR_FALSE)) == NULL) {
+	SECITEM_FreeItem (&stime, PR_FALSE);
+	goto loser;
+    }
+
+    SECITEM_FreeItem (&stime, PR_FALSE);
+
+    if (NSS_CMSSignerInfo_AddAuthAttr(signerinfo, attr) != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark (poolp, mark);
+
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease (poolp, mark);
+    return SECFailure;
+}
+
+/* 
+ * NSS_CMSSignerInfo_AddSMIMECaps - add a SMIMECapabilities attribute to the
+ * authenticated (i.e. signed) attributes of "signerinfo". 
+ *
+ * This is expected to be included in outgoing signed
+ * messages for email (S/MIME).
+ */
+SECStatus
+NSS_CMSSignerInfo_AddSMIMECaps(NSSCMSSignerInfo *signerinfo)
+{
+    NSSCMSAttribute *attr;
+    SECItem *smimecaps = NULL;
+    void *mark;
+    PLArenaPool *poolp;
+
+    poolp = signerinfo->cmsg->poolp;
+
+    mark = PORT_ArenaMark(poolp);
+
+    smimecaps = SECITEM_AllocItem(poolp, NULL, 0);
+    if (smimecaps == NULL)
+	goto loser;
+
+    /* create new signing time attribute */
+    if (NSS_SMIMEUtil_CreateSMIMECapabilities(poolp, smimecaps,
+			    PK11_FortezzaHasKEA(signerinfo->cert)) != SECSuccess)
+	goto loser;
+
+    if ((attr = NSS_CMSAttribute_Create(poolp, SEC_OID_PKCS9_SMIME_CAPABILITIES, smimecaps, PR_TRUE)) == NULL)
+	goto loser;
+
+    if (NSS_CMSSignerInfo_AddAuthAttr(signerinfo, attr) != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark (poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease (poolp, mark);
+    return SECFailure;
+}
+
+/* 
+ * NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the
+ * authenticated (i.e. signed) attributes of "signerinfo". 
+ *
+ * This is expected to be included in outgoing signed messages for email (S/MIME).
+ */
+SECStatus
+NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertificate *cert, CERTCertDBHandle *certdb)
+{
+    NSSCMSAttribute *attr;
+    SECItem *smimeekp = NULL;
+    void *mark;
+    PLArenaPool *poolp;
+
+    /* verify this cert for encryption */
+    if (CERT_VerifyCert(certdb, cert, PR_TRUE, certUsageEmailRecipient, PR_Now(), signerinfo->cmsg->pwfn_arg, NULL) != SECSuccess) {
+	return SECFailure;
+    }
+
+    poolp = signerinfo->cmsg->poolp;
+    mark = PORT_ArenaMark(poolp);
+
+    smimeekp = SECITEM_AllocItem(poolp, NULL, 0);
+    if (smimeekp == NULL)
+	goto loser;
+
+    /* create new signing time attribute */
+    if (NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs(poolp, smimeekp, cert) != SECSuccess)
+	goto loser;
+
+    if ((attr = NSS_CMSAttribute_Create(poolp, SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE, smimeekp, PR_TRUE)) == NULL)
+	goto loser;
+
+    if (NSS_CMSSignerInfo_AddAuthAttr(signerinfo, attr) != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark (poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease (poolp, mark);
+    return SECFailure;
+}
+
+/* 
+ * NSS_CMSSignerInfo_AddCounterSignature - countersign a signerinfo
+ *
+ * 1. digest the DER-encoded signature value of the original signerinfo
+ * 2. create new signerinfo with correct version, sid, digestAlg
+ * 3. add message-digest authAttr, but NO content-type
+ * 4. sign the authAttrs
+ * 5. DER-encode the new signerInfo
+ * 6. add the whole thing to original signerInfo's unAuthAttrs
+ *    as a SEC_OID_PKCS9_COUNTER_SIGNATURE attribute
+ *
+ * XXXX give back the new signerinfo?
+ */
+SECStatus
+NSS_CMSSignerInfo_AddCounterSignature(NSSCMSSignerInfo *signerinfo,
+				    SECOidTag digestalg, CERTCertificate signingcert)
+{
+    /* XXXX TBD XXXX */
+    return SECFailure;
+}
+
+/*
+ * XXXX the following needs to be done in the S/MIME layer code
+ * after signature of a signerinfo is verified
+ */
+SECStatus
+NSS_SMIMESignerInfo_SaveSMIMEProfile(NSSCMSSignerInfo *signerinfo)
+{
+    CERTCertificate *cert = NULL;
+    SECItem *profile = NULL;
+    NSSCMSAttribute *attr;
+    SECItem *utc_stime = NULL;
+    SECItem *ekp;
+    CERTCertDBHandle *certdb;
+    int save_error;
+    SECStatus rv;
+
+    certdb = CERT_GetDefaultCertDB();
+
+    /* sanity check - see if verification status is ok (unverified does not count...) */
+    if (signerinfo->verificationStatus != NSSCMSVS_GoodSignature)
+	return SECFailure;
+
+    /* find preferred encryption cert */
+    if (!NSS_CMSArray_IsEmpty((void **)signerinfo->authAttr) &&
+	(attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr,
+			       SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE, PR_TRUE)) != NULL)
+    { /* we have a SMIME_ENCRYPTION_KEY_PREFERENCE attribute! */
+	ekp = NSS_CMSAttribute_GetValue(attr);
+	if (ekp == NULL)
+	    return SECFailure;
+
+	/* we assume that all certs coming with the message have been imported to the */
+	/* temporary database */
+	cert = NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference(certdb, ekp);
+	if (cert == NULL)
+	    return SECFailure;
+    }
+
+    if (cert == NULL) {
+	/* no preferred cert found?
+	 * find the cert the signerinfo is signed with instead */
+	cert = NSS_CMSSignerInfo_GetSigningCertificate(signerinfo, certdb);
+	if (cert == NULL || cert->emailAddr == NULL)
+	    return SECFailure;
+    }
+
+    /* verify this cert for encryption (has been verified for signing so far) */    /* don't verify this cert for encryption. It may just be a signing cert.
+     * that's OK, we can still save the S/MIME profile. The encryption cert
+     * should have already been saved */
+#ifdef notdef
+    if (CERT_VerifyCert(certdb, cert, PR_TRUE, certUsageEmailRecipient, PR_Now(), signerinfo->cmsg->pwfn_arg, NULL) != SECSuccess) {
+	return SECFailure;
+    }
+#endif
+
+    /* XXX store encryption cert permanently? */
+
+    /*
+     * Remember the current error set because we do not care about
+     * anything set by the functions we are about to call.
+     */
+    save_error = PORT_GetError();
+
+    if (!NSS_CMSArray_IsEmpty((void **)signerinfo->authAttr)) {
+	attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr,
+				       SEC_OID_PKCS9_SMIME_CAPABILITIES,
+				       PR_TRUE);
+	profile = NSS_CMSAttribute_GetValue(attr);
+	attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr,
+				       SEC_OID_PKCS9_SIGNING_TIME,
+				       PR_TRUE);
+	utc_stime = NSS_CMSAttribute_GetValue(attr);
+    }
+
+    rv = CERT_SaveSMimeProfile (cert, profile, utc_stime);
+
+    /*
+     * Restore the saved error in case the calls above set a new
+     * one that we do not actually care about.
+     */
+    PORT_SetError (save_error);
+
+    return rv;
+}
+
+/*
+ * NSS_CMSSignerInfo_IncludeCerts - set cert chain inclusion mode for this signer
+ */
+SECStatus
+NSS_CMSSignerInfo_IncludeCerts(NSSCMSSignerInfo *signerinfo, NSSCMSCertChainMode cm, SECCertUsage usage)
+{
+    if (signerinfo->cert == NULL)
+	return SECFailure;
+
+    /* don't leak if we get called twice */
+    if (signerinfo->certList != NULL) {
+	CERT_DestroyCertificateList(signerinfo->certList);
+	signerinfo->certList = NULL;
+    }
+
+    switch (cm) {
+    case NSSCMSCM_None:
+	signerinfo->certList = NULL;
+	break;
+    case NSSCMSCM_CertOnly:
+	signerinfo->certList = CERT_CertListFromCert(signerinfo->cert);
+	break;
+    case NSSCMSCM_CertChain:
+	signerinfo->certList = CERT_CertChainFromCert(signerinfo->cert, usage, PR_FALSE);
+	break;
+    case NSSCMSCM_CertChainWithRoot:
+	signerinfo->certList = CERT_CertChainFromCert(signerinfo->cert, usage, PR_TRUE);
+	break;
+    }
+
+    if (cm != NSSCMSCM_None && signerinfo->certList == NULL)
+	return SECFailure;
+    
+    return SECSuccess;
+}
diff --git a/security/nss/lib/smime/cmst.h b/security/nss/lib/smime/cmst.h
new file mode 100644
index 000000000..f963109c9
--- /dev/null
+++ b/security/nss/lib/smime/cmst.h
@@ -0,0 +1,490 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Header for CMS types.
+ *
+ * $Id$
+ */
+
+#ifndef _CMST_H_
+#define _CMST_H_
+
+#include "seccomon.h"
+#include "secoidt.h"
+#include "certt.h"
+#include "secmodt.h"
+#include "secmodt.h"
+
+#include "plarena.h"
+
+/* Non-opaque objects.  NOTE, though: I want them to be treated as
+ * opaque as much as possible.  If I could hide them completely,
+ * I would.  (I tried, but ran into trouble that was taking me too
+ * much time to get out of.)  I still intend to try to do so.
+ * In fact, the only type that "outsiders" should even *name* is
+ * NSSCMSMessage, and they should not reference its fields.
+ */
+/* rjr: PKCS #11 cert handling (pk11cert.c) does use NSSCMSRecipientInfo's.
+ * This is because when we search the recipient list for the cert and key we
+ * want, we need to invert the order of the loops we used to have. The old
+ * loops were:
+ *
+ *  For each recipient {
+ *       find_cert = PK11_Find_AllCert(recipient->issuerSN);
+ *       [which unrolls to... ]
+ *       For each slot {
+ *            Log into slot;
+ *            search slot for cert;
+ *      }
+ *  }
+ *
+ *  the new loop searchs all the recipients at once on a slot. this allows
+ *  PKCS #11 to order slots in such a way that logout slots don't get checked
+ *  if we can find the cert on a logged in slot. This eliminates lots of
+ *  spurious password prompts when smart cards are installed... so why this
+ *  comment? If you make NSSCMSRecipientInfo completely opaque, you need
+ *  to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs
+ *  and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
+ *  function.
+ */
+
+typedef struct NSSCMSMessageStr NSSCMSMessage;
+
+typedef union NSSCMSContentUnion NSSCMSContent;
+typedef struct NSSCMSContentInfoStr NSSCMSContentInfo;
+
+typedef struct NSSCMSSignedDataStr NSSCMSSignedData;
+typedef struct NSSCMSSignerInfoStr NSSCMSSignerInfo;
+typedef struct NSSCMSSignerIdentifierStr NSSCMSSignerIdentifier;
+
+typedef struct NSSCMSEnvelopedDataStr NSSCMSEnvelopedData;
+typedef struct NSSCMSOriginatorInfoStr NSSCMSOriginatorInfo;
+typedef struct NSSCMSRecipientInfoStr NSSCMSRecipientInfo;
+
+typedef struct NSSCMSDigestedDataStr NSSCMSDigestedData;
+typedef struct NSSCMSEncryptedDataStr NSSCMSEncryptedData;
+
+typedef struct NSSCMSSMIMEKEAParametersStr NSSCMSSMIMEKEAParameters;
+
+typedef struct NSSCMSAttributeStr NSSCMSAttribute;
+
+typedef struct NSSCMSDecoderContextStr NSSCMSDecoderContext;
+typedef struct NSSCMSEncoderContextStr NSSCMSEncoderContext;
+
+typedef struct NSSCMSCipherContextStr NSSCMSCipherContext;
+typedef struct NSSCMSDigestContextStr NSSCMSDigestContext;
+
+/*
+ * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart.
+ * If specified, this is where the content bytes (only) will be "sent"
+ * as they are recovered during the decoding.
+ * And:
+ * Type of function passed to NSSCMSEncode or NSSCMSEncoderStart.
+ * This is where the DER-encoded bytes will be "sent".
+ *
+ * XXX Should just combine this with NSSCMSEncoderContentCallback type
+ * and use a simpler, common name.
+ */
+typedef void (*NSSCMSContentCallback)(void *arg, const char *buf, unsigned long len);
+
+/*
+ * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart
+ * to retrieve the decryption key.  This function is intended to be
+ * used for EncryptedData content info's which do not have a key available
+ * in a certificate, etc.
+ */
+typedef PK11SymKey *(*NSSCMSGetDecryptKeyCallback)(void *arg, SECAlgorithmID *algid);
+
+
+/* =============================================================================
+ * ENCAPSULATED CONTENTINFO & CONTENTINFO
+ */
+
+union NSSCMSContentUnion {
+    /* either unstructured */
+    SECItem *			data;
+    /* or structured data */
+    NSSCMSDigestedData *	digestedData;
+    NSSCMSEncryptedData	*	encryptedData;
+    NSSCMSEnvelopedData	*	envelopedData;
+    NSSCMSSignedData *		signedData;
+    /* or anonymous pointer to something */
+    void *			pointer;
+};
+
+struct NSSCMSContentInfoStr {
+    SECItem			contentType;
+    NSSCMSContent		content;
+    /* --------- local; not part of encoding --------- */
+    SECOidData *		contentTypeTag;	
+
+    /* additional info for encryptedData and envelopedData */
+    /* we waste this space for signedData and digestedData. sue me. */
+
+    SECAlgorithmID		contentEncAlg;
+    SECItem *			rawContent;		/* encrypted DER, optional */
+							/* XXXX bytes not encrypted, but encoded? */
+    /* --------- local; not part of encoding --------- */
+    PK11SymKey *		bulkkey;		/* bulk encryption key */
+    int				keysize;		/* size of bulk encryption key
+							 * (only used by creation code) */
+    SECOidTag			contentEncAlgTag;	/* oid tag of encryption algorithm
+							 * (only used by creation code) */
+    NSSCMSCipherContext		*ciphcx;		/* context for en/decryption going on */
+    NSSCMSDigestContext		*digcx;			/* context for digesting going on */
+};
+
+/* =============================================================================
+ * MESSAGE
+ */
+
+struct NSSCMSMessageStr {
+    NSSCMSContentInfo	contentInfo;		/* "outer" cinfo */
+    /* --------- local; not part of encoding --------- */
+    PLArenaPool *	poolp;
+    PRBool		poolp_is_ours;
+    int			refCount;
+    /* properties of the "inner" data */
+    SECAlgorithmID **	detached_digestalgs;
+    SECItem **		detached_digests;
+    void *		pwfn_arg;
+    NSSCMSGetDecryptKeyCallback decrypt_key_cb;
+    void *		decrypt_key_cb_arg;
+};
+
+/* =============================================================================
+ * SIGNEDDATA
+ */
+
+struct NSSCMSSignedDataStr {
+    SECItem			version;
+    SECAlgorithmID **		digestAlgorithms;
+    NSSCMSContentInfo		contentInfo;
+    SECItem **			rawCerts;
+    CERTSignedCrl **		crls;
+    NSSCMSSignerInfo **		signerInfos;
+    /* --------- local; not part of encoding --------- */
+    NSSCMSMessage *		cmsg;			/* back pointer to message */
+    SECItem **			digests;
+    CERTCertificate **		certs;
+    CERTCertificateList **	certLists;
+};
+#define NSS_CMS_SIGNED_DATA_VERSION_BASIC	1	/* what we *create* */
+#define NSS_CMS_SIGNED_DATA_VERSION_EXT		3	/* what we *create* */
+
+typedef enum {
+    NSSCMSVS_Unverified = 0,
+    NSSCMSVS_GoodSignature = 1,
+    NSSCMSVS_BadSignature = 2,
+    NSSCMSVS_DigestMismatch = 3,
+    NSSCMSVS_SigningCertNotFound = 4,
+    NSSCMSVS_SigningCertNotTrusted = 5,
+    NSSCMSVS_SignatureAlgorithmUnknown = 6,
+    NSSCMSVS_SignatureAlgorithmUnsupported = 7,
+    NSSCMSVS_MalformedSignature = 8,
+    NSSCMSVS_ProcessingError = 9
+} NSSCMSVerificationStatus;
+
+typedef enum {
+    NSSCMSSignerID_IssuerSN = 0,
+    NSSCMSSignerID_SubjectKeyID = 1
+} NSSCMSSignerIDSelector;
+
+struct NSSCMSSignerIdentifierStr {
+    NSSCMSSignerIDSelector identifierType;
+    union {
+	CERTIssuerAndSN *issuerAndSN;
+	SECItem *subjectKeyID;
+    } id;
+};
+
+struct NSSCMSSignerInfoStr {
+    SECItem			version;
+    NSSCMSSignerIdentifier	signerIdentifier;
+    SECAlgorithmID		digestAlg;
+    NSSCMSAttribute **		authAttr;
+    SECAlgorithmID		digestEncAlg;
+    SECItem			encDigest;
+    NSSCMSAttribute **		unAuthAttr;
+    /* --------- local; not part of encoding --------- */
+    NSSCMSMessage *		cmsg;			/* back pointer to message */
+    CERTCertificate *		cert;
+    CERTCertificateList *	certList;
+    PRTime			signingTime;
+    NSSCMSVerificationStatus	verificationStatus;
+};
+#define NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN	1	/* what we *create* */
+#define NSS_CMS_SIGNER_INFO_VERSION_SUBJKEY	3	/* what we *create* */
+
+typedef enum {
+    NSSCMSCM_None = 0,
+    NSSCMSCM_CertOnly = 1,
+    NSSCMSCM_CertChain = 2,
+    NSSCMSCM_CertChainWithRoot = 3
+} NSSCMSCertChainMode;
+
+/* =============================================================================
+ * ENVELOPED DATA
+ */
+struct NSSCMSEnvelopedDataStr {
+    SECItem			version;
+    NSSCMSOriginatorInfo *	originatorInfo;		/* optional */
+    NSSCMSRecipientInfo **	recipientInfos;
+    NSSCMSContentInfo		contentInfo;
+    NSSCMSAttribute **		unprotectedAttr;
+    /* --------- local; not part of encoding --------- */
+    NSSCMSMessage *		cmsg;			/* back pointer to message */
+};
+#define NSS_CMS_ENVELOPED_DATA_VERSION_REG	0	/* what we *create* */
+#define NSS_CMS_ENVELOPED_DATA_VERSION_ADV	2	/* what we *create* */
+
+struct NSSCMSOriginatorInfoStr {
+    SECItem **			rawCerts;
+    CERTSignedCrl **		crls;
+    /* --------- local; not part of encoding --------- */
+    CERTCertificate **		certs;
+};
+
+/* -----------------------------------------------------------------------------
+ * key transport recipient info
+ */
+typedef enum {
+    NSSCMSRecipientID_IssuerSN = 0,
+    NSSCMSRecipientID_SubjectKeyID = 1
+} NSSCMSRecipientIDSelector;
+
+struct NSSCMSRecipientIdentifierStr {
+    NSSCMSRecipientIDSelector	identifierType;
+    union {
+	CERTIssuerAndSN		*issuerAndSN;
+	SECItem 		*subjectKeyID;
+    } id;
+};
+typedef struct NSSCMSRecipientIdentifierStr NSSCMSRecipientIdentifier;
+
+struct NSSCMSKeyTransRecipientInfoStr {
+    SECItem			version;
+    NSSCMSRecipientIdentifier	recipientIdentifier;
+    SECAlgorithmID		keyEncAlg;
+    SECItem			encKey;
+};
+typedef struct NSSCMSKeyTransRecipientInfoStr NSSCMSKeyTransRecipientInfo;
+
+#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN	0	/* what we *create* */
+#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY		2	/* what we *create* */
+
+/* -----------------------------------------------------------------------------
+ * key agreement recipient info
+ */
+struct NSSCMSOriginatorPublicKeyStr {
+    SECAlgorithmID			algorithmIdentifier;
+    SECItem				publicKey;			/* bit string! */
+};
+typedef struct NSSCMSOriginatorPublicKeyStr NSSCMSOriginatorPublicKey;
+
+typedef enum {
+    NSSCMSOriginatorIDOrKey_IssuerSN = 0,
+    NSSCMSOriginatorIDOrKey_SubjectKeyID = 1,
+    NSSCMSOriginatorIDOrKey_OriginatorPublicKey = 2
+} NSSCMSOriginatorIDOrKeySelector;
+
+struct NSSCMSOriginatorIdentifierOrKeyStr {
+    NSSCMSOriginatorIDOrKeySelector identifierType;
+    union {
+	CERTIssuerAndSN			*issuerAndSN;		/* static-static */
+	SECItem				*subjectKeyID;		/* static-static */
+	NSSCMSOriginatorPublicKey	originatorPublicKey;	/* ephemeral-static */
+    } id;
+};
+typedef struct NSSCMSOriginatorIdentifierOrKeyStr NSSCMSOriginatorIdentifierOrKey;
+
+struct NSSCMSRecipientKeyIdentifierStr {
+    SECItem *				subjectKeyIdentifier;
+    SECItem *				date;			/* optional */
+    SECItem *				other;			/* optional */
+};
+typedef struct NSSCMSRecipientKeyIdentifierStr NSSCMSRecipientKeyIdentifier;
+
+typedef enum {
+    NSSCMSKeyAgreeRecipientID_IssuerSN = 0,
+    NSSCMSKeyAgreeRecipientID_RKeyID = 1
+} NSSCMSKeyAgreeRecipientIDSelector;
+
+struct NSSCMSKeyAgreeRecipientIdentifierStr {
+    NSSCMSKeyAgreeRecipientIDSelector	identifierType;
+    union {
+	CERTIssuerAndSN			*issuerAndSN;
+	NSSCMSRecipientKeyIdentifier	recipientKeyIdentifier;
+    } id;
+};
+typedef struct NSSCMSKeyAgreeRecipientIdentifierStr NSSCMSKeyAgreeRecipientIdentifier;
+
+struct NSSCMSRecipientEncryptedKeyStr {
+    NSSCMSKeyAgreeRecipientIdentifier	recipientIdentifier;
+    SECItem				encKey;
+};
+typedef struct NSSCMSRecipientEncryptedKeyStr NSSCMSRecipientEncryptedKey;
+
+struct NSSCMSKeyAgreeRecipientInfoStr {
+    SECItem				version;
+    NSSCMSOriginatorIdentifierOrKey	originatorIdentifierOrKey;
+    SECItem *				ukm;				/* optional */
+    SECAlgorithmID			keyEncAlg;
+    NSSCMSRecipientEncryptedKey **	recipientEncryptedKeys;
+};
+typedef struct NSSCMSKeyAgreeRecipientInfoStr NSSCMSKeyAgreeRecipientInfo;
+
+#define NSS_CMS_KEYAGREE_RECIPIENT_INFO_VERSION	3	/* what we *create* */
+
+/* -----------------------------------------------------------------------------
+ * KEK recipient info
+ */
+struct NSSCMSKEKIdentifierStr {
+    SECItem			keyIdentifier;
+    SECItem *			date;			/* optional */
+    SECItem *			other;			/* optional */
+};
+typedef struct NSSCMSKEKIdentifierStr NSSCMSKEKIdentifier;
+
+struct NSSCMSKEKRecipientInfoStr {
+    SECItem			version;
+    NSSCMSKEKIdentifier		kekIdentifier;
+    SECAlgorithmID		keyEncAlg;
+    SECItem			encKey;
+};
+typedef struct NSSCMSKEKRecipientInfoStr NSSCMSKEKRecipientInfo;
+
+#define NSS_CMS_KEK_RECIPIENT_INFO_VERSION	4	/* what we *create* */
+
+/* -----------------------------------------------------------------------------
+ * recipient info
+ */
+
+typedef enum {
+    NSSCMSRecipientInfoID_KeyTrans = 0,
+    NSSCMSRecipientInfoID_KeyAgree = 1,
+    NSSCMSRecipientInfoID_KEK = 2
+} NSSCMSRecipientInfoIDSelector;
+
+struct NSSCMSRecipientInfoStr {
+    NSSCMSRecipientInfoIDSelector recipientInfoType;
+    union {
+	NSSCMSKeyTransRecipientInfo keyTransRecipientInfo;
+	NSSCMSKeyAgreeRecipientInfo keyAgreeRecipientInfo;
+	NSSCMSKEKRecipientInfo kekRecipientInfo;
+    } ri;
+    /* --------- local; not part of encoding --------- */
+    NSSCMSMessage *		cmsg;			/* back pointer to message */
+    CERTCertificate *		cert;			/* recipient's certificate */
+};
+
+/* =============================================================================
+ * DIGESTED DATA
+ */
+struct NSSCMSDigestedDataStr {
+    SECItem			version;
+    SECAlgorithmID		digestAlg;
+    NSSCMSContentInfo		contentInfo;
+    SECItem			digest;
+    /* --------- local; not part of encoding --------- */
+    NSSCMSMessage *		cmsg;		/* back pointer */
+    SECItem			cdigest;	/* calculated digest */
+};
+#define NSS_CMS_DIGESTED_DATA_VERSION_DATA	0	/* what we *create* */
+#define NSS_CMS_DIGESTED_DATA_VERSION_ENCAP	2	/* what we *create* */
+
+/* =============================================================================
+ * ENCRYPTED DATA
+ */
+struct NSSCMSEncryptedDataStr {
+    SECItem			version;
+    NSSCMSContentInfo		contentInfo;
+    NSSCMSAttribute **		unprotectedAttr;	/* optional */
+    /* --------- local; not part of encoding --------- */
+    NSSCMSMessage *		cmsg;		/* back pointer */
+};
+#define NSS_CMS_ENCRYPTED_DATA_VERSION		0	/* what we *create* */
+#define NSS_CMS_ENCRYPTED_DATA_VERSION_UPATTR	2	/* what we *create* */
+
+/* =============================================================================
+ * FORTEZZA KEA
+ */
+
+/* An enumerated type used to select templates based on the encryption
+   scenario and data specifics. */
+typedef enum {
+    NSSCMSKEAInvalid = -1,
+    NSSCMSKEAUsesSkipjack = 0,
+    NSSCMSKEAUsesNonSkipjack = 1,
+    NSSCMSKEAUsesNonSkipjackWithPaddedEncKey = 2
+} NSSCMSKEATemplateSelector;
+
+/* ### mwelch - S/MIME KEA parameters. These don't really fit here,
+                but I cannot think of a more appropriate place at this time. */
+struct NSSCMSSMIMEKEAParametersStr {
+    SECItem originatorKEAKey;	/* sender KEA key (encrypted?) */
+    SECItem originatorRA;	/* random number generated by sender */
+    SECItem nonSkipjackIV;	/* init'n vector for SkipjackCBC64
+			           decryption of KEA key if Skipjack
+				   is not the bulk algorithm used on
+				   the message */
+    SECItem bulkKeySize;	/* if Skipjack is not the bulk
+			           algorithm used on the message,
+				   and the size of the bulk encryption
+				   key is not the same as that of
+				   originatorKEAKey (due to padding
+				   perhaps), this field will contain
+				   the real size of the bulk encryption
+				   key. */
+};
+
+/*
+ * *****************************************************************************
+ * *****************************************************************************
+ * *****************************************************************************
+ */
+
+/*
+ * See comment above about this type not really belonging to CMS.
+ */
+struct NSSCMSAttributeStr {
+    /* The following fields make up an encoded Attribute: */
+    SECItem			type;
+    SECItem **			values;	/* data may or may not be encoded */
+    /* The following fields are not part of an encoded Attribute: */
+    SECOidData *		typeTag;
+    PRBool			encoded;	/* when true, values are encoded */
+};
+
+#endif /* _CMST_H_ */
diff --git a/security/nss/lib/smime/cmsutil.c b/security/nss/lib/smime/cmsutil.c
new file mode 100644
index 000000000..f7899d881
--- /dev/null
+++ b/security/nss/lib/smime/cmsutil.c
@@ -0,0 +1,393 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * CMS miscellaneous utility functions.
+ *
+ * $Id$
+ */
+
+#include "nssrenam.h"
+
+#include "cmslocal.h"
+
+#include "cert.h"
+#include "key.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "secerr.h"
+#include "sechash.h"
+
+/*
+ * NSS_CMSArray_SortByDER - sort array of objects by objects' DER encoding
+ *
+ * make sure that the order of the objects guarantees valid DER (which must be
+ * in lexigraphically ascending order for a SET OF); if reordering is necessary it
+ * will be done in place (in objs).
+ */
+SECStatus
+NSS_CMSArray_SortByDER(void **objs, const SEC_ASN1Template *objtemplate, void **objs2)
+{
+    PRArenaPool *poolp;
+    int num_objs;
+    SECItem **enc_objs;
+    SECStatus rv = SECFailure;
+    int i;
+
+    if (objs == NULL)					/* already sorted */
+	return SECSuccess;
+
+    num_objs = NSS_CMSArray_Count((void **)objs);
+    if (num_objs == 0 || num_objs == 1)		/* already sorted. */
+	return SECSuccess;
+
+    poolp = PORT_NewArena (1024);	/* arena for temporaries */
+    if (poolp == NULL)
+	return SECFailure;		/* no memory; nothing we can do... */
+
+    /*
+     * Allocate arrays to hold the individual encodings which we will use
+     * for comparisons and the reordered attributes as they are sorted.
+     */
+    enc_objs = (SECItem **)PORT_ArenaZAlloc(poolp, (num_objs + 1) * sizeof(SECItem *));
+    if (enc_objs == NULL)
+	goto loser;
+
+    /* DER encode each individual object. */
+    for (i = 0; i < num_objs; i++) {
+	enc_objs[i] = SEC_ASN1EncodeItem(poolp, NULL, objs[i], objtemplate);
+	if (enc_objs[i] == NULL)
+	    goto loser;
+    }
+    enc_objs[num_objs] = NULL;
+
+    /* now compare and sort objs by the order of enc_objs */
+    NSS_CMSArray_Sort((void **)enc_objs, NSS_CMSUtil_DERCompare, objs, objs2);
+
+    rv = SECSuccess;
+
+loser:
+    PORT_FreeArena (poolp, PR_FALSE);
+    return rv;
+}
+
+/*
+ * NSS_CMSUtil_DERCompare - for use with NSS_CMSArray_Sort to
+ *  sort arrays of SECItems containing DER
+ */
+int
+NSS_CMSUtil_DERCompare(void *a, void *b)
+{
+    SECItem *der1 = (SECItem *)a;
+    SECItem *der2 = (SECItem *)b;
+    int j;
+
+    /*
+     * Find the lowest (lexigraphically) encoding.  One that is
+     * shorter than all the rest is known to be "less" because each
+     * attribute is of the same type (a SEQUENCE) and so thus the
+     * first octet of each is the same, and the second octet is
+     * the length (or the length of the length with the high bit
+     * set, followed by the length, which also works out to always
+     * order the shorter first).  Two (or more) that have the
+     * same length need to be compared byte by byte until a mismatch
+     * is found.
+     */
+    if (der1->len != der2->len)
+	return (der1->len < der2->len) ? -1 : 1;
+
+    for (j = 0; j < der1->len; j++) {
+	if (der1->data[j] == der2->data[j])
+	    continue;
+	return (der1->data[j] < der2->data[j]) ? -1 : 1;
+    }
+    return 0;
+}
+
+/*
+ * NSS_CMSAlgArray_GetIndexByAlgID - find a specific algorithm in an array of 
+ * algorithms.
+ *
+ * algorithmArray - array of algorithm IDs
+ * algid - algorithmid of algorithm to pick
+ *
+ * Returns:
+ *  An integer containing the index of the algorithm in the array or -1 if 
+ *  algorithm was not found.
+ */
+int
+NSS_CMSAlgArray_GetIndexByAlgID(SECAlgorithmID **algorithmArray, SECAlgorithmID *algid)
+{
+    int i;
+
+    if (algorithmArray == NULL || algorithmArray[0] == NULL)
+	return -1;
+
+    for (i = 0; algorithmArray[i] != NULL; i++) {
+	if (SECOID_CompareAlgorithmID(algorithmArray[i], algid) == SECEqual)
+	    break;	/* bingo */
+    }
+
+    if (algorithmArray[i] == NULL)
+	return -1;	/* not found */
+
+    return i;
+}
+
+/*
+ * NSS_CMSAlgArray_GetIndexByAlgTag - find a specific algorithm in an array of 
+ * algorithms.
+ *
+ * algorithmArray - array of algorithm IDs
+ * algtag - algorithm tag of algorithm to pick
+ *
+ * Returns:
+ *  An integer containing the index of the algorithm in the array or -1 if 
+ *  algorithm was not found.
+ */
+int
+NSS_CMSAlgArray_GetIndexByAlgTag(SECAlgorithmID **algorithmArray, SECOidTag algtag)
+{
+    SECOidData *algid;
+    int i;
+
+    if (algorithmArray == NULL || algorithmArray[0] == NULL)
+	return -1;
+
+    for (i = 0; algorithmArray[i] != NULL; i++) {
+	algid = SECOID_FindOID(&(algorithmArray[i]->algorithm));
+	if (algid->offset == algtag)
+	    break;	/* bingo */
+    }
+
+    if (algorithmArray[i] == NULL)
+	return -1;	/* not found */
+
+    return i;
+}
+
+const SECHashObject *
+NSS_CMSUtil_GetHashObjByAlgID(SECAlgorithmID *algid)
+{
+    SECOidData *oiddata;
+    const SECHashObject *digobj;
+
+    /* here are the algorithms we know */
+    oiddata = SECOID_FindOID(&(algid->algorithm));
+    if (oiddata == NULL) {
+	digobj = NULL;
+    } else {
+	switch (oiddata->offset) {
+	case SEC_OID_MD2:
+	    digobj = HASH_GetHashObject(HASH_AlgMD2);
+	    break;
+	case SEC_OID_MD5:
+	    digobj = HASH_GetHashObject(HASH_AlgMD5);
+	    break;
+	case SEC_OID_SHA1:
+	    digobj = HASH_GetHashObject(HASH_AlgSHA1);
+	    break;
+	default:
+	    digobj = NULL;
+	    break;
+	}
+    }
+    return digobj;
+}
+
+/*
+ * XXX I would *really* like to not have to do this, but the current
+ * signing interface gives me little choice.
+ */
+SECOidTag
+NSS_CMSUtil_MakeSignatureAlgorithm(SECOidTag hashalg, SECOidTag encalg)
+{
+    switch (encalg) {
+      case SEC_OID_PKCS1_RSA_ENCRYPTION:
+	switch (hashalg) {
+	  case SEC_OID_MD2:
+	    return SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;
+	  case SEC_OID_MD5:
+	    return SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
+	  case SEC_OID_SHA1:
+	    return SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
+	  default:
+	    return SEC_OID_UNKNOWN;
+	}
+      case SEC_OID_ANSIX9_DSA_SIGNATURE:
+      case SEC_OID_MISSI_KEA_DSS:
+      case SEC_OID_MISSI_DSS:
+	switch (hashalg) {
+	  case SEC_OID_SHA1:
+	    return SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
+	  default:
+	    return SEC_OID_UNKNOWN;
+	}
+      default:
+	break;
+    }
+
+    return encalg;		/* maybe it is already the right algid */
+}
+
+const SEC_ASN1Template *
+NSS_CMSUtil_GetTemplateByTypeTag(SECOidTag type)
+{
+    const SEC_ASN1Template *template;
+    extern const SEC_ASN1Template NSSCMSSignedDataTemplate[];
+    extern const SEC_ASN1Template NSSCMSEnvelopedDataTemplate[];
+    extern const SEC_ASN1Template NSSCMSEncryptedDataTemplate[];
+    extern const SEC_ASN1Template NSSCMSDigestedDataTemplate[];
+
+    switch (type) {
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	template = NSSCMSSignedDataTemplate;
+	break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	template = NSSCMSEnvelopedDataTemplate;
+	break;
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	template = NSSCMSEncryptedDataTemplate;
+	break;
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+	template = NSSCMSDigestedDataTemplate;
+	break;
+    default:
+    case SEC_OID_PKCS7_DATA:
+	template = NULL;
+	break;
+    }
+    return template;
+}
+
+size_t
+NSS_CMSUtil_GetSizeByTypeTag(SECOidTag type)
+{
+    size_t size;
+
+    switch (type) {
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	size = sizeof(NSSCMSSignedData);
+	break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	size = sizeof(NSSCMSEnvelopedData);
+	break;
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	size = sizeof(NSSCMSEncryptedData);
+	break;
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+	size = sizeof(NSSCMSDigestedData);
+	break;
+    default:
+    case SEC_OID_PKCS7_DATA:
+	size = 0;
+	break;
+    }
+    return size;
+}
+
+NSSCMSContentInfo *
+NSS_CMSContent_GetContentInfo(void *msg, SECOidTag type)
+{
+    NSSCMSContent c;
+    NSSCMSContentInfo *cinfo;
+
+    PORT_Assert(msg != NULL);
+
+    c.pointer = msg;
+    switch (type) {
+    case SEC_OID_PKCS7_SIGNED_DATA:
+	cinfo = &(c.signedData->contentInfo);
+	break;
+    case SEC_OID_PKCS7_ENVELOPED_DATA:
+	cinfo = &(c.envelopedData->contentInfo);
+	break;
+    case SEC_OID_PKCS7_ENCRYPTED_DATA:
+	cinfo = &(c.encryptedData->contentInfo);
+	break;
+    case SEC_OID_PKCS7_DIGESTED_DATA:
+	cinfo = &(c.digestedData->contentInfo);
+	break;
+    default:
+	cinfo = NULL;
+    }
+    return cinfo;
+}
+
+const char *
+NSS_CMSUtil_VerificationStatusToString(NSSCMSVerificationStatus vs)
+{
+    switch (vs) {
+    case NSSCMSVS_Unverified:			return "Unverified";
+    case NSSCMSVS_GoodSignature:		return "GoodSignature";
+    case NSSCMSVS_BadSignature:			return "BadSignature";
+    case NSSCMSVS_DigestMismatch:		return "DigestMismatch";
+    case NSSCMSVS_SigningCertNotFound:		return "SigningCertNotFound";
+    case NSSCMSVS_SigningCertNotTrusted:	return "SigningCertNotTrusted";
+    case NSSCMSVS_SignatureAlgorithmUnknown:	return "SignatureAlgorithmUnknown";
+    case NSSCMSVS_SignatureAlgorithmUnsupported: return "SignatureAlgorithmUnsupported";
+    case NSSCMSVS_MalformedSignature:		return "MalformedSignature";
+    case NSSCMSVS_ProcessingError:		return "ProcessingError";
+    default:					return "Unknown";
+    }
+}
+
+SECStatus
+NSS_CMSDEREncode(NSSCMSMessage *cmsg, SECItem *input, SECItem *derOut, 
+                 PLArenaPool *arena)
+{
+    NSSCMSEncoderContext *ecx;
+    SECStatus rv = SECSuccess;
+    if (!cmsg || !derOut || !arena) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    ecx = NSS_CMSEncoder_Start(cmsg, 0, 0, derOut, arena, 0, 0, 0, 0, 0, 0);
+    if (!ecx) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return SECFailure;
+    }
+    if (input) {
+	rv = NSS_CMSEncoder_Update(ecx, (const char*)input->data, input->len);
+	if (rv) {
+	    PORT_SetError(SEC_ERROR_BAD_DATA);
+	}
+    }
+    rv |= NSS_CMSEncoder_Finish(ecx);
+    if (rv) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+    }
+    return rv;
+}
diff --git a/security/nss/lib/smime/config.mk b/security/nss/lib/smime/config.mk
new file mode 100644
index 000000000..95a180b71
--- /dev/null
+++ b/security/nss/lib/smime/config.mk
@@ -0,0 +1,79 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+RELEASE_LIBS = $(TARGETS)
+
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+# don't want the 32 in the shared library name
+SHARED_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION).dll
+IMPORT_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION).lib
+
+RES = $(OBJDIR)/smime.res
+RESNAME = smime.rc
+
+EXTRA_SHARED_LIBS += \
+	$(DIST)/lib/nss3.lib \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plc4.lib \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plds4.lib \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)nspr4.lib \
+	$(NULL)
+
+else
+
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib/ \
+	-lnss3 \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+
+ifeq ($(OS_ARCH), Darwin)
+EXTRA_SHARED_LIBS += -dylib_file @executable_path/libsoftokn3.dylib:$(DIST)/lib/libsoftokn3.dylib
+endif
+
+endif
+
+
+SHARED_LIBRARY_LIBS = \
+	$(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
+	$(NULL)
+
+SHARED_LIBRARY_DIRS = \
+	../pkcs12 \
+	../pkcs7 \
+	$(NULL)
+
+
diff --git a/security/nss/lib/smime/manifest.mn b/security/nss/lib/smime/manifest.mn
new file mode 100644
index 000000000..328a55e25
--- /dev/null
+++ b/security/nss/lib/smime/manifest.mn
@@ -0,0 +1,77 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+CORE_DEPTH = ../../..
+
+EXPORTS = \
+	cms.h \
+	cmst.h \
+	smime.h \
+	cmsreclist.h \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	cmslocal.h \
+	$(NULL)
+
+MODULE = security
+MAPFILE = $(OBJDIR)/smime.def
+
+CSRCS = \
+	cmsarray.c \
+	cmsasn1.c \
+	cmsattr.c \
+	cmscinfo.c \
+	cmscipher.c \
+	cmsdecode.c \
+	cmsdigdata.c \
+	cmsdigest.c \
+	cmsencdata.c \
+	cmsencode.c \
+	cmsenvdata.c \
+	cmsmessage.c \
+	cmspubkey.c \
+	cmsrecinfo.c \
+	cmsreclist.c \
+	cmssigdata.c \
+	cmssiginfo.c \
+	cmsutil.c \
+	smimemessage.c \
+	smimeutil.c \
+	smimever.c \
+	$(NULL)
+
+REQUIRES = security dbm
+
+LIBRARY_NAME = smime
+LIBRARY_VERSION = 3
diff --git a/security/nss/lib/smime/smime.def b/security/nss/lib/smime/smime.def
new file mode 100644
index 000000000..0e9874939
--- /dev/null
+++ b/security/nss/lib/smime/smime.def
@@ -0,0 +1,205 @@
+;+#
+;+# The contents of this file are subject to the Mozilla Public
+;+# License Version 1.1 (the "License"); you may not use this file
+;+# except in compliance with the License. You may obtain a copy of
+;+# the License at http://www.mozilla.org/MPL/
+;+#
+;+# Software distributed under the License is distributed on an "AS
+;+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+;+# implied. See the License for the specific language governing
+;+# rights and limitations under the License.
+;+#
+;+# The Original Code is the Netscape security libraries.
+;+#
+;+# The Initial Developer of the Original Code is Netscape
+;+# Communications Corporation.  Portions created by Netscape are
+;+# Copyright (C) 2000 Netscape Communications Corporation.  All
+;+# Rights Reserved.
+;+#
+;+# Contributor(s):
+;+#
+;+# Alternatively, the contents of this file may be used under the
+;+# terms of the GNU General Public License Version 2 or later (the
+;+# "GPL"), in which case the provisions of the GPL are applicable
+;+# instead of those above.  If you wish to allow use of your
+;+# version of this file only under the terms of the GPL and not to
+;+# allow others to use your version of this file under the MPL,
+;+# indicate your decision by deleting the provisions above and
+;+# replace them with the notice and other provisions required by
+;+# the GPL.  If you do not delete the provisions above, a recipient
+;+# may use your version of this file under either the MPL or the
+;+# GPL.
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+#   1. For all unix platforms, the string ";-"  means "remove this line"
+;+#   2. For all unix platforms, the string " DATA " will be removed from any 
+;+#	line on which it occurs.
+;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+#      On AIX, lines containing ";+" will be removed.  
+;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+#   5. For all unix platforms, after the above processing has taken place,
+;+#    all characters after the first ";" on the line will be removed.  
+;+#    And for AIX, the first ";" will also be removed.
+;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+#   directives are hidden behind ";", ";+", and ";-"
+;+
+;+NSS_3.2 {               # NSS 3.2 release
+;+    global:
+LIBRARY smime3 ;-
+EXPORTS	;-
+NSS_CMSContentInfo_GetBulkKey;
+NSS_CMSContentInfo_GetBulkKeySize;
+NSS_CMSContentInfo_GetContent;
+NSS_CMSContentInfo_GetContentEncAlgTag;
+NSS_CMSContentInfo_GetContentTypeTag;
+NSS_CMSContentInfo_SetBulkKey;
+NSS_CMSContentInfo_SetContent;
+NSS_CMSContentInfo_SetContentEncAlg;
+NSS_CMSContentInfo_SetContent_Data;
+NSS_CMSContentInfo_SetContent_DigestedData;
+NSS_CMSContentInfo_SetContent_EncryptedData;
+NSS_CMSContentInfo_SetContent_EnvelopedData;
+NSS_CMSContentInfo_SetContent_SignedData;
+NSS_CMSDEREncode;
+NSS_CMSDecoder_Cancel;
+NSS_CMSDecoder_Finish;
+NSS_CMSDecoder_Start;
+NSS_CMSDecoder_Update;
+NSS_CMSDigestContext_Cancel;
+NSS_CMSDigestContext_FinishMultiple;
+NSS_CMSDigestContext_FinishSingle;
+NSS_CMSDigestContext_StartMultiple;
+NSS_CMSDigestContext_StartSingle;
+NSS_CMSDigestContext_Update;
+NSS_CMSDigestedData_Create;
+NSS_CMSDigestedData_Destroy;
+NSS_CMSDigestedData_GetContentInfo;
+NSS_CMSEncoder_Cancel;
+NSS_CMSEncoder_Finish;
+NSS_CMSEncoder_Start;
+NSS_CMSEncoder_Update;
+NSS_CMSEncryptedData_Create;
+NSS_CMSEncryptedData_Destroy;
+NSS_CMSEncryptedData_GetContentInfo;
+NSS_CMSEnvelopedData_AddRecipient;
+NSS_CMSEnvelopedData_Create;
+NSS_CMSEnvelopedData_Destroy;
+NSS_CMSEnvelopedData_GetContentInfo;
+NSS_CMSMessage_ContentLevel;
+NSS_CMSMessage_ContentLevelCount;
+NSS_CMSMessage_Copy;
+NSS_CMSMessage_Create;
+NSS_CMSMessage_CreateFromDER;
+NSS_CMSMessage_Destroy;
+NSS_CMSMessage_GetContent;
+NSS_CMSMessage_GetContentInfo;
+NSS_CMSRecipientInfo_Create;
+NSS_CMSRecipientInfo_Destroy;
+NSS_CMSSignedData_AddCertChain;
+NSS_CMSSignedData_AddCertList;
+NSS_CMSSignedData_AddCertificate;
+NSS_CMSSignedData_AddDigest;
+NSS_CMSSignedData_AddSignerInfo;
+NSS_CMSSignedData_Create;
+NSS_CMSSignedData_CreateCertsOnly;
+NSS_CMSSignedData_Destroy;
+NSS_CMSSignedData_GetContentInfo;
+NSS_CMSSignedData_GetDigestAlgs;
+NSS_CMSSignedData_GetSignerInfo;
+NSS_CMSSignedData_HasDigests;
+NSS_CMSSignedData_ImportCerts;
+NSS_CMSSignedData_SetDigests;
+NSS_CMSSignedData_SignerInfoCount;
+NSS_CMSSignedData_VerifyCertsOnly;
+NSS_CMSSignedData_VerifySignerInfo;
+NSS_CMSSignerInfo_AddSMIMECaps;
+NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs;
+NSS_CMSSignerInfo_AddSigningTime;
+NSS_CMSSignerInfo_Create;
+NSS_CMSSignerInfo_Destroy;
+NSS_CMSSignerInfo_GetCertList;
+NSS_CMSSignerInfo_GetSignerCommonName;
+NSS_CMSSignerInfo_GetSignerEmailAddress;
+NSS_CMSSignerInfo_GetSigningCertificate;
+NSS_CMSSignerInfo_GetSigningTime;
+NSS_CMSSignerInfo_GetVerificationStatus;
+NSS_CMSSignerInfo_GetVersion;
+NSS_CMSSignerInfo_IncludeCerts;
+NSS_CMSUtil_VerificationStatusToString;
+NSS_SMIMEUtil_FindBulkAlgForRecipients;
+CERT_DecodeCertPackage;
+SEC_PKCS7AddRecipient;
+SEC_PKCS7AddSigningTime;
+SEC_PKCS7ContentType;
+SEC_PKCS7CreateData;
+SEC_PKCS7CreateEncryptedData;
+SEC_PKCS7CreateEnvelopedData;
+SEC_PKCS7CreateSignedData;
+SEC_PKCS7DecodeItem;
+SEC_PKCS7DecoderFinish;
+SEC_PKCS7DecoderStart;
+SEC_PKCS7DecoderUpdate;
+SEC_PKCS7DecryptContents;
+SEC_PKCS7DestroyContentInfo;
+SEC_PKCS7EncoderFinish;
+SEC_PKCS7EncoderStart;
+SEC_PKCS7EncoderUpdate;
+SEC_PKCS7GetCertificateList;
+SEC_PKCS7GetContent;
+SEC_PKCS7GetEncryptionAlgorithm;
+SEC_PKCS7IncludeCertChain;
+SEC_PKCS7IsContentEmpty;
+SEC_PKCS7VerifySignature;
+SEC_PKCS12AddCertAndKey;
+SEC_PKCS12AddPasswordIntegrity;
+SEC_PKCS12CreateExportContext;
+SEC_PKCS12CreatePasswordPrivSafe;
+SEC_PKCS12CreateUnencryptedSafe;
+SEC_PKCS12EnableCipher;
+SEC_PKCS12Encode;
+SEC_PKCS12DecoderImportBags;
+SEC_PKCS12DecoderFinish;
+SEC_PKCS12DecoderStart;
+SEC_PKCS12DecoderUpdate;
+SEC_PKCS12DecoderValidateBags;
+SEC_PKCS12DecoderVerify;
+SEC_PKCS12DestroyExportContext;
+SEC_PKCS12IsEncryptionAllowed;
+SEC_PKCS12SetPreferredCipher;
+;+    local:
+;+        *;
+;+};
+;+NSS_3.2.1 {               # NSS 3.2.1 release
+;+    global:
+NSSSMIME_VersionCheck;
+;+    local:
+;+        *;
+;+};
+;+NSS_3.3 {     # NSS 3.3 release
+;+    global:
+SEC_PKCS7AddCertificate;
+SEC_PKCS7CreateCertsOnly;
+SEC_PKCS7Encode;
+;+    local:
+;+       *;
+;+};
+;+NSS_3.4 {     # NSS 3.4 release
+;+    global:
+CERT_DecodeCertFromPackage;
+NSS_CMSMessage_IsSigned;
+NSS_CMSSignedData_SetDigestValue;
+NSS_SMIMESignerInfo_SaveSMIMEProfile;
+SEC_PKCS12DecoderGetCerts;
+SEC_PKCS7ContainsCertsOrCrls;
+SEC_PKCS7ContentIsEncrypted;
+SEC_PKCS7ContentIsSigned;
+SEC_PKCS7CopyContentInfo;
+SEC_PKCS7GetSignerCommonName;
+SEC_PKCS7GetSignerEmailAddress;
+SEC_PKCS7GetSigningTime;
+SEC_PKCS7SetContent;
+SEC_PKCS7VerifyDetachedSignature;
+SECMIME_DecryptionAllowed;
+;+    local:
+;+       *;
+;+};
diff --git a/security/nss/lib/smime/smime.h b/security/nss/lib/smime/smime.h
new file mode 100644
index 000000000..1832634f7
--- /dev/null
+++ b/security/nss/lib/smime/smime.h
@@ -0,0 +1,148 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Header file for routines specific to S/MIME.  Keep things that are pure
+ * pkcs7 out of here; this is for S/MIME policy, S/MIME interoperability, etc.
+ *
+ * $Id$
+ */
+
+#ifndef _SECMIME_H_
+#define _SECMIME_H_ 1
+
+#include "cms.h"
+
+
+/************************************************************************/
+SEC_BEGIN_PROTOS
+
+/*
+ * Initialize the local recording of the user S/MIME cipher preferences.
+ * This function is called once for each cipher, the order being
+ * important (first call records greatest preference, and so on).
+ * When finished, it is called with a "which" of CIPHER_FAMILID_MASK.
+ * If the function is called again after that, it is assumed that
+ * the preferences are being reset, and the old preferences are
+ * discarded.
+ *
+ * XXX This is for a particular user, and right now the storage is
+ * XXX local, static.  The preference should be stored elsewhere to allow
+ * XXX for multiple uses of one library?  How does SSL handle this;
+ * XXX it has something similar?
+ *
+ *  - The "which" values are defined in ciferfam.h (the SMIME_* values,
+ *    for example SMIME_DES_CBC_56).
+ *  - If "on" is non-zero then the named cipher is enabled, otherwise
+ *    it is disabled.  (It is not necessary to call the function for
+ *    ciphers that are disabled, however, as that is the default.)
+ *
+ * If the cipher preference is successfully recorded, SECSuccess
+ * is returned.  Otherwise SECFailure is returned.  The only errors
+ * are due to failure allocating memory or bad parameters/calls:
+ *	SEC_ERROR_XXX ("which" is not in the S/MIME cipher family)
+ *	SEC_ERROR_XXX (function is being called more times than there
+ *		are known/expected ciphers)
+ */
+extern SECStatus NSS_SMIMEUtil_EnableCipher(long which, int on);
+
+/*
+ * Initialize the local recording of the S/MIME policy.
+ * This function is called to allow/disallow a particular cipher.
+ *
+ * XXX This is for a the current module, I think, so local, static storage
+ * XXX is okay.  Is that correct, or could multiple uses of the same
+ * XXX library expect to operate under different policies?
+ *
+ *  - The "which" values are defined in ciferfam.h (the SMIME_* values,
+ *    for example SMIME_DES_CBC_56).
+ *  - If "on" is non-zero then the named cipher is enabled, otherwise
+ *    it is disabled.
+ */
+extern SECStatus NSS_SMIMEUtils_AllowCipher(long which, int on);
+
+/*
+ * Does the current policy allow S/MIME decryption of this particular
+ * algorithm and keysize?
+ */
+extern PRBool NSS_SMIMEUtil_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key);
+
+/*
+ * Does the current policy allow *any* S/MIME encryption (or decryption)?
+ *
+ * This tells whether or not *any* S/MIME encryption can be done,
+ * according to policy.  Callers may use this to do nicer user interface
+ * (say, greying out a checkbox so a user does not even try to encrypt
+ * a message when they are not allowed to) or for any reason they want
+ * to check whether S/MIME encryption (or decryption, for that matter)
+ * may be done.
+ *
+ * It takes no arguments.  The return value is a simple boolean:
+ *   PR_TRUE means encryption (or decryption) is *possible*
+ *	(but may still fail due to other reasons, like because we cannot
+ *	find all the necessary certs, etc.; PR_TRUE is *not* a guarantee)
+ *   PR_FALSE means encryption (or decryption) is not permitted
+ *
+ * There are no errors from this routine.
+ */
+extern PRBool NSS_SMIMEUtil_EncryptionPossible(void);
+
+/*
+ * NSS_SMIMEUtil_CreateSMIMECapabilities - get S/MIME capabilities attr value
+ *
+ * scans the list of allowed and enabled ciphers and construct a PKCS9-compliant
+ * S/MIME capabilities attribute value.
+ */
+extern SECStatus NSS_SMIMEUtil_CreateSMIMECapabilities(PLArenaPool *poolp, SECItem *dest, PRBool includeFortezzaCiphers);
+
+/*
+ * NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value
+ */
+extern SECStatus NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCertificate *cert);
+
+/*
+ * NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference - find cert marked by EncryptionKeyPreference
+ *          attribute
+ */
+extern CERTCertificate *NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference(CERTCertDBHandle *certdb, SECItem *DERekp);
+
+/*
+ * NSS_SMIMEUtil_FindBulkAlgForRecipients - find bulk algorithm suitable for all recipients
+ */
+extern SECStatus
+NSS_SMIMEUtil_FindBulkAlgForRecipients(CERTCertificate **rcerts, SECOidTag *bulkalgtag, int *keysize);
+
+/************************************************************************/
+SEC_END_PROTOS
+
+#endif /* _SECMIME_H_ */
diff --git a/security/nss/lib/smime/smime.rc b/security/nss/lib/smime/smime.rc
new file mode 100644
index 000000000..f75da062d
--- /dev/null
+++ b/security/nss/lib/smime/smime.rc
@@ -0,0 +1,98 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 2001 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "nss.h"
+#include <winver.h>
+
+#define MY_LIBNAME "smime"
+#define MY_FILEDESCRIPTION "NSS S/MIME Library"
+
+#define STRINGIZE(x) #x
+#define STRINGIZE2(x) STRINGIZE(x)
+#define NSS_VMAJOR_STR STRINGIZE2(NSS_VMAJOR)
+
+#ifdef _DEBUG
+#define MY_DEBUG_STR " (debug)"
+#define MY_FILEFLAGS_1 VS_FF_DEBUG
+#else
+#define MY_DEBUG_STR ""
+#define MY_FILEFLAGS_1 0x0L
+#endif
+#if NSS_BETA
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
+#else
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
+#endif
+
+#ifdef WINNT
+#define MY_FILEOS VOS_NT_WINDOWS32
+#else
+#define MY_FILEOS VOS__WINDOWS32
+#endif
+
+#define MY_INTERNAL_NAME MY_LIBNAME NSS_VMAJOR_STR
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version-information resource
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
+ PRODUCTVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
+ FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
+ FILEFLAGS MY_FILEFLAGS_2
+ FILEOS MY_FILEOS
+ FILETYPE VFT_DLL
+ FILESUBTYPE 0x0L // not used
+
+BEGIN
+    BLOCK "StringFileInfo"
+    BEGIN
+        BLOCK "040904B0" // Lang=US English, CharSet=Unicode
+        BEGIN
+            VALUE "CompanyName", "Netscape Communications Corporation\0"
+            VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
+            VALUE "FileVersion", NSS_VERSION "\0"
+            VALUE "InternalName", MY_INTERNAL_NAME "\0"
+            VALUE "LegalCopyright", "Copyright \251 1994-2001 Netscape Communications Corporation\0"
+            VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
+            VALUE "ProductName", "Network Security Services\0"
+            VALUE "ProductVersion", NSS_VERSION "\0"
+        END
+    END
+    BLOCK "VarFileInfo"
+    BEGIN
+        VALUE "Translation", 0x409, 1200
+    END
+END
diff --git a/security/nss/lib/smime/smimemessage.c b/security/nss/lib/smime/smimemessage.c
new file mode 100644
index 000000000..81c1f9d4d
--- /dev/null
+++ b/security/nss/lib/smime/smimemessage.c
@@ -0,0 +1,215 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * SMIME message methods
+ *
+ * $Id$
+ */
+
+#include "cmslocal.h"
+#include "smime.h"
+
+#include "cert.h"
+#include "key.h"
+#include "secasn1.h"
+#include "secitem.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "prtime.h"
+#include "secerr.h"
+
+
+#if 0
+/*
+ * NSS_SMIMEMessage_CreateEncrypted - start an S/MIME encrypting context.
+ *
+ * "scert" is the cert for the sender.  It will be checked for validity.
+ * "rcerts" are the certs for the recipients.  They will also be checked.
+ *
+ * "certdb" is the cert database to use for verifying the certs.
+ * It can be NULL if a default database is available (like in the client).
+ *
+ * This function already does all of the stuff specific to S/MIME protocol
+ * and local policy; the return value just needs to be passed to
+ * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
+ * and finally to SEC_PKCS7DestroyContentInfo().
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+NSSCMSMessage *
+NSS_SMIMEMessage_CreateEncrypted(CERTCertificate *scert,
+			CERTCertificate **rcerts,
+			CERTCertDBHandle *certdb,
+			PK11PasswordFunc pwfn,
+			void *pwfn_arg)
+{
+    NSSCMSMessage *cmsg;
+    long cipher;
+    SECOidTag encalg;
+    int keysize;
+    int mapi, rci;
+
+    cipher = smime_choose_cipher (scert, rcerts);
+    if (cipher < 0)
+	return NULL;
+
+    mapi = smime_mapi_by_cipher (cipher);
+    if (mapi < 0)
+	return NULL;
+
+    /*
+     * XXX This is stretching it -- CreateEnvelopedData should probably
+     * take a cipher itself of some sort, because we cannot know what the
+     * future will bring in terms of parameters for each type of algorithm.
+     * For example, just an algorithm and keysize is *not* sufficient to
+     * fully specify the usage of RC5 (which also needs to know rounds and
+     * block size).  Work this out into a better API!
+     */
+    encalg = smime_cipher_map[mapi].algtag;
+    keysize = smime_keysize_by_cipher (cipher);
+    if (keysize < 0)
+	return NULL;
+
+    cinfo = SEC_PKCS7CreateEnvelopedData (scert, certUsageEmailRecipient,
+					  certdb, encalg, keysize,
+					  pwfn, pwfn_arg);
+    if (cinfo == NULL)
+	return NULL;
+
+    for (rci = 0; rcerts[rci] != NULL; rci++) {
+	if (rcerts[rci] == scert)
+	    continue;
+	if (SEC_PKCS7AddRecipient (cinfo, rcerts[rci], certUsageEmailRecipient,
+				   NULL) != SECSuccess) {
+	    SEC_PKCS7DestroyContentInfo (cinfo);
+	    return NULL;
+	}
+    }
+
+    return cinfo;
+}
+
+
+/*
+ * Start an S/MIME signing context.
+ *
+ * "scert" is the cert that will be used to sign the data.  It will be
+ * checked for validity.
+ *
+ * "ecert" is the signer's encryption cert.  If it is different from
+ * scert, then it will be included in the signed message so that the
+ * recipient can save it for future encryptions.
+ *
+ * "certdb" is the cert database to use for verifying the cert.
+ * It can be NULL if a default database is available (like in the client).
+ * 
+ * "digestalg" names the digest algorithm (e.g. SEC_OID_SHA1).
+ * XXX There should be SECMIME functions for hashing, or the hashing should
+ * be built into this interface, which we would like because we would
+ * support more smartcards that way, and then this argument should go away.)
+ *
+ * "digest" is the actual digest of the data.  It must be provided in
+ * the case of detached data or NULL if the content will be included.
+ *
+ * This function already does all of the stuff specific to S/MIME protocol
+ * and local policy; the return value just needs to be passed to
+ * SEC_PKCS7Encode() or to SEC_PKCS7EncoderStart() to create the encoded data,
+ * and finally to SEC_PKCS7DestroyContentInfo().
+ *
+ * An error results in a return value of NULL and an error set.
+ * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
+ */
+
+NSSCMSMessage *
+NSS_SMIMEMessage_CreateSigned(CERTCertificate *scert,
+		      CERTCertificate *ecert,
+		      CERTCertDBHandle *certdb,
+		      SECOidTag digestalgtag,
+		      SECItem *digest,
+		      PK11PasswordFunc pwfn,
+		      void *pwfn_arg)
+{
+    NSSCMSMessage *cmsg;
+    NSSCMSSignedData *sigd;
+    NSSCMSSignerInfo *signerinfo;
+
+    /* See note in header comment above about digestalg. */
+    PORT_Assert (digestalgtag == SEC_OID_SHA1);
+
+    cmsg = NSS_CMSMessage_Create(NULL);
+    if (cmsg == NULL)
+	return NULL;
+
+    sigd = NSS_CMSSignedData_Create(cmsg);
+    if (sigd == NULL)
+	goto loser;
+
+    /* create just one signerinfo */
+    signerinfo = NSS_CMSSignerInfo_Create(cmsg, scert, digestalgtag);
+    if (signerinfo == NULL)
+	goto loser;
+
+    /* Add the signing time to the signerinfo.  */
+    if (NSS_CMSSignerInfo_AddSigningTime(signerinfo, PR_Now()) != SECSuccess)
+	goto loser;
+    
+    /* and add the SMIME profile */
+    if (NSS_SMIMESignerInfo_AddSMIMEProfile(signerinfo, scert) != SECSuccess)
+	goto loser;
+
+    /* now add the signerinfo to the signeddata */
+    if (NSS_CMSSignedData_AddSignerInfo(sigd, signerinfo) != SECSuccess)
+	goto loser;
+
+    /* include the signing cert and its entire chain */
+    /* note that there are no checks for duplicate certs in place, as all the */
+    /* essential data structures (like set of certificate) are not there */
+    if (NSS_CMSSignedData_AddCertChain(sigd, scert) != SECSuccess)
+	goto loser;
+
+    /* If the encryption cert and the signing cert differ, then include
+     * the encryption cert too. */
+    if ( ( ecert != NULL ) && ( ecert != scert ) ) {
+	if (NSS_CMSSignedData_AddCertificate(sigd, ecert) != SECSuccess)
+	    goto loser;
+    }
+
+    return cmsg;
+loser:
+    if (cmsg)
+	NSS_CMSMessage_Destroy(cmsg);
+    return NULL;
+}
+#endif
diff --git a/security/nss/lib/smime/smimesym.c b/security/nss/lib/smime/smimesym.c
new file mode 100644
index 000000000..e7bb771e5
--- /dev/null
+++ b/security/nss/lib/smime/smimesym.c
@@ -0,0 +1,8 @@
+extern void SEC_PKCS7DecodeItem();
+extern void SEC_PKCS7DestroyContentInfo();
+
+smime_CMDExports() {
+	SEC_PKCS7DecodeItem();
+	SEC_PKCS7DestroyContentInfo();
+}
+
diff --git a/security/nss/lib/smime/smimeutil.c b/security/nss/lib/smime/smimeutil.c
new file mode 100644
index 000000000..c137ca1e0
--- /dev/null
+++ b/security/nss/lib/smime/smimeutil.c
@@ -0,0 +1,741 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Stuff specific to S/MIME policy and interoperability.
+ *
+ * $Id$
+ */
+
+#include "secmime.h"
+#include "secoid.h"
+#include "pk11func.h"
+#include "ciferfam.h"	/* for CIPHER_FAMILY symbols */
+#include "secasn1.h"
+#include "secitem.h"
+#include "cert.h"
+#include "key.h"
+#include "secerr.h"
+#include "cms.h"
+#include "nss.h"
+
+SEC_ASN1_MKSUB(CERT_IssuerAndSNTemplate)
+SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
+
+/* various integer's ASN.1 encoding */
+static unsigned char asn1_int40[] = { SEC_ASN1_INTEGER, 0x01, 0x28 };
+static unsigned char asn1_int64[] = { SEC_ASN1_INTEGER, 0x01, 0x40 };
+static unsigned char asn1_int128[] = { SEC_ASN1_INTEGER, 0x02, 0x00, 0x80 };
+
+/* RC2 algorithm parameters (used in smime_cipher_map) */
+static SECItem param_int40 = { siBuffer, asn1_int40, sizeof(asn1_int40) };
+static SECItem param_int64 = { siBuffer, asn1_int64, sizeof(asn1_int64) };
+static SECItem param_int128 = { siBuffer, asn1_int128, sizeof(asn1_int128) };
+
+/*
+ * XXX Would like the "parameters" field to be a SECItem *, but the
+ * encoder is having trouble with optional pointers to an ANY.  Maybe
+ * once that is fixed, can change this back...
+ */
+typedef struct {
+    SECItem capabilityID;
+    SECItem parameters;
+    long cipher;		/* optimization */
+} NSSSMIMECapability;
+
+static const SEC_ASN1Template NSSSMIMECapabilityTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSSMIMECapability) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(NSSSMIMECapability,capabilityID), },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
+	  offsetof(NSSSMIMECapability,parameters), },
+    { 0, }
+};
+
+static const SEC_ASN1Template NSSSMIMECapabilitiesTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, NSSSMIMECapabilityTemplate }
+};
+
+/*
+ * NSSSMIMEEncryptionKeyPreference - if we find one of these, it needs to prompt us
+ *  to store this and only this certificate permanently for the sender email address.
+ */
+typedef enum {
+    NSSSMIMEEncryptionKeyPref_IssuerSN,
+    NSSSMIMEEncryptionKeyPref_RKeyID,
+    NSSSMIMEEncryptionKeyPref_SubjectKeyID
+} NSSSMIMEEncryptionKeyPrefSelector;
+
+typedef struct {
+    NSSSMIMEEncryptionKeyPrefSelector selector;
+    union {
+	CERTIssuerAndSN			*issuerAndSN;
+	NSSCMSRecipientKeyIdentifier	*recipientKeyID;
+	SECItem				*subjectKeyID;
+    } id;
+} NSSSMIMEEncryptionKeyPreference;
+
+extern const SEC_ASN1Template NSSCMSRecipientKeyIdentifierTemplate[];
+
+static const SEC_ASN1Template smime_encryptionkeypref_template[] = {
+    { SEC_ASN1_CHOICE,
+	  offsetof(NSSSMIMEEncryptionKeyPreference,selector), NULL,
+	  sizeof(NSSSMIMEEncryptionKeyPreference) },
+    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+	  offsetof(NSSSMIMEEncryptionKeyPreference,id.issuerAndSN),
+	  SEC_ASN1_SUB(CERT_IssuerAndSNTemplate),
+	  NSSSMIMEEncryptionKeyPref_IssuerSN },
+    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 1,
+	  offsetof(NSSSMIMEEncryptionKeyPreference,id.recipientKeyID),
+	  NSSCMSRecipientKeyIdentifierTemplate,
+	  NSSSMIMEEncryptionKeyPref_IssuerSN },
+    { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2,
+	  offsetof(NSSSMIMEEncryptionKeyPreference,id.subjectKeyID),
+	  SEC_ASN1_SUB(SEC_OctetStringTemplate),
+	  NSSSMIMEEncryptionKeyPref_SubjectKeyID },
+    { 0, }
+};
+
+/* smime_cipher_map - map of SMIME symmetric "ciphers" to algtag & parameters */
+typedef struct {
+    unsigned long cipher;
+    SECOidTag algtag;
+    SECItem *parms;
+    PRBool enabled;	/* in the user's preferences */
+    PRBool allowed;	/* per export policy */
+} smime_cipher_map_entry;
+
+/* global: list of supported SMIME symmetric ciphers, ordered roughly by increasing strength */
+static smime_cipher_map_entry smime_cipher_map[] = {
+/*    cipher			algtag			parms		enabled  allowed */
+/*    ---------------------------------------------------------------------------------- */
+    { SMIME_RC2_CBC_40,		SEC_OID_RC2_CBC,	&param_int40,	PR_TRUE, PR_TRUE },
+    { SMIME_DES_CBC_56,		SEC_OID_DES_CBC,	NULL,		PR_TRUE, PR_TRUE },
+    { SMIME_RC2_CBC_64,		SEC_OID_RC2_CBC,	&param_int64,	PR_TRUE, PR_TRUE },
+    { SMIME_RC2_CBC_128,	SEC_OID_RC2_CBC,	&param_int128,	PR_TRUE, PR_TRUE },
+    { SMIME_DES_EDE3_168,	SEC_OID_DES_EDE3_CBC,	NULL,		PR_TRUE, PR_TRUE },
+    { SMIME_FORTEZZA,		SEC_OID_FORTEZZA_SKIPJACK, NULL,	PR_TRUE, PR_TRUE }
+};
+static const int smime_cipher_map_count = sizeof(smime_cipher_map) / sizeof(smime_cipher_map_entry);
+
+/*
+ * smime_mapi_by_cipher - find index into smime_cipher_map by cipher
+ */
+static int
+smime_mapi_by_cipher(unsigned long cipher)
+{
+    int i;
+
+    for (i = 0; i < smime_cipher_map_count; i++) {
+	if (smime_cipher_map[i].cipher == cipher)
+	    return i;	/* bingo */
+    }
+    return -1;		/* should not happen if we're consistent, right? */
+}
+
+/*
+ * NSS_SMIME_EnableCipher - this function locally records the user's preference
+ */
+SECStatus 
+NSS_SMIMEUtil_EnableCipher(unsigned long which, PRBool on)
+{
+    unsigned long mask;
+    int mapi;
+
+    mask = which & CIPHER_FAMILYID_MASK;
+
+    PORT_Assert (mask == CIPHER_FAMILYID_SMIME);
+    if (mask != CIPHER_FAMILYID_SMIME)
+	/* XXX set an error! */
+    	return SECFailure;
+
+    mapi = smime_mapi_by_cipher(which);
+    if (mapi < 0)
+	/* XXX set an error */
+	return SECFailure;
+
+    /* do we try to turn on a forbidden cipher? */
+    if (!smime_cipher_map[mapi].allowed && on) {
+	PORT_SetError (SEC_ERROR_BAD_EXPORT_ALGORITHM);
+	return SECFailure;
+    }
+
+    if (smime_cipher_map[mapi].enabled != on)
+	smime_cipher_map[mapi].enabled = on;
+
+    return SECSuccess;
+}
+
+
+/*
+ * this function locally records the export policy
+ */
+SECStatus 
+NSS_SMIMEUtil_AllowCipher(unsigned long which, PRBool on)
+{
+    unsigned long mask;
+    int mapi;
+
+    mask = which & CIPHER_FAMILYID_MASK;
+
+    PORT_Assert (mask == CIPHER_FAMILYID_SMIME);
+    if (mask != CIPHER_FAMILYID_SMIME)
+	/* XXX set an error! */
+    	return SECFailure;
+
+    mapi = smime_mapi_by_cipher(which);
+    if (mapi < 0)
+	/* XXX set an error */
+	return SECFailure;
+
+    if (smime_cipher_map[mapi].allowed != on)
+	smime_cipher_map[mapi].allowed = on;
+
+    return SECSuccess;
+}
+
+/*
+ * Based on the given algorithm (including its parameters, in some cases!)
+ * and the given key (may or may not be inspected, depending on the
+ * algorithm), find the appropriate policy algorithm specification
+ * and return it.  If no match can be made, -1 is returned.
+ */
+static SECStatus
+nss_smime_get_cipher_for_alg_and_key(SECAlgorithmID *algid, PK11SymKey *key, unsigned long *cipher)
+{
+    SECOidTag algtag;
+    unsigned int keylen_bits;
+    SECStatus rv = SECSuccess;
+    unsigned long c;
+
+    algtag = SECOID_GetAlgorithmTag(algid);
+    switch (algtag) {
+    case SEC_OID_RC2_CBC:
+	keylen_bits = PK11_GetKeyStrength(key, algid);
+	switch (keylen_bits) {
+	case 40:
+	    c = SMIME_RC2_CBC_40;
+	case 64:
+	    c = SMIME_RC2_CBC_64;
+	case 128:
+	    c = SMIME_RC2_CBC_128;
+	default:
+	    rv = SECFailure;
+	    break;
+	}
+	break;
+    case SEC_OID_DES_CBC:
+	c = SMIME_DES_CBC_56;
+    case SEC_OID_DES_EDE3_CBC:
+	c = SMIME_DES_EDE3_168;
+    case SEC_OID_FORTEZZA_SKIPJACK:
+	c = SMIME_FORTEZZA;
+    default:
+	rv = SECFailure;
+    }
+    if (rv == SECSuccess)
+	*cipher = c;
+    return rv;
+}
+
+static PRBool
+nss_smime_cipher_allowed(unsigned long which)
+{
+    int mapi;
+
+    mapi = smime_mapi_by_cipher(which);
+    if (mapi < 0)
+	return PR_FALSE;
+    return smime_cipher_map[mapi].allowed;
+}
+
+PRBool
+NSS_SMIMEUtil_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key)
+{
+    unsigned long which;
+
+    if (nss_smime_get_cipher_for_alg_and_key(algid, key, &which) != SECSuccess)
+	return PR_FALSE;
+
+    return nss_smime_cipher_allowed(which);
+}
+
+
+/*
+ * NSS_SMIME_EncryptionPossible - check if any encryption is allowed
+ *
+ * This tells whether or not *any* S/MIME encryption can be done,
+ * according to policy.  Callers may use this to do nicer user interface
+ * (say, greying out a checkbox so a user does not even try to encrypt
+ * a message when they are not allowed to) or for any reason they want
+ * to check whether S/MIME encryption (or decryption, for that matter)
+ * may be done.
+ *
+ * It takes no arguments.  The return value is a simple boolean:
+ *   PR_TRUE means encryption (or decryption) is *possible*
+ *	(but may still fail due to other reasons, like because we cannot
+ *	find all the necessary certs, etc.; PR_TRUE is *not* a guarantee)
+ *   PR_FALSE means encryption (or decryption) is not permitted
+ *
+ * There are no errors from this routine.
+ */
+PRBool
+NSS_SMIMEUtil_EncryptionPossible(void)
+{
+    int i;
+
+    for (i = 0; i < smime_cipher_map_count; i++) {
+	if (smime_cipher_map[i].allowed)
+	    return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+
+static int
+nss_SMIME_FindCipherForSMIMECap(NSSSMIMECapability *cap)
+{
+    int i;
+    SECOidTag capIDTag;
+
+    /* we need the OIDTag here */
+    capIDTag = SECOID_FindOIDTag(&(cap->capabilityID));
+
+    /* go over all the SMIME ciphers we know and see if we find a match */
+    for (i = 0; i < smime_cipher_map_count; i++) {
+	if (smime_cipher_map[i].algtag != capIDTag)
+	    continue;
+	/*
+	 * XXX If SECITEM_CompareItem allowed NULLs as arguments (comparing
+	 * 2 NULLs as equal and NULL and non-NULL as not equal), we could
+	 * use that here instead of all of the following comparison code.
+	 */
+	if (cap->parameters.data == NULL && smime_cipher_map[i].parms == NULL)
+	    break;	/* both empty: bingo */
+
+	if (cap->parameters.data != NULL && smime_cipher_map[i].parms != NULL &&
+	    cap->parameters.len == smime_cipher_map[i].parms->len &&
+	    PORT_Memcmp (cap->parameters.data, smime_cipher_map[i].parms->data,
+			     cap->parameters.len) == 0)
+	{
+	    break;	/* both not empty, same length & equal content: bingo */
+	}
+    }
+
+    if (i == smime_cipher_map_count)
+	return 0;				/* no match found */
+    else
+	return smime_cipher_map[i].cipher;	/* match found, point to cipher */
+}
+
+/*
+ * smime_choose_cipher - choose a cipher that works for all the recipients
+ *
+ * "scert"  - sender's certificate
+ * "rcerts" - recipient's certificates
+ */
+static long
+smime_choose_cipher(CERTCertificate *scert, CERTCertificate **rcerts)
+{
+    PRArenaPool *poolp;
+    long cipher;
+    long chosen_cipher;
+    int *cipher_abilities;
+    int *cipher_votes;
+    int weak_mapi;
+    int strong_mapi;
+    int rcount, mapi, max, i;
+    PRBool scert_is_fortezza = (scert == NULL) ? PR_FALSE : PK11_FortezzaHasKEA(scert);
+
+    chosen_cipher = SMIME_RC2_CBC_40;		/* the default, LCD */
+    weak_mapi = smime_mapi_by_cipher(chosen_cipher);
+
+    poolp = PORT_NewArena (1024);		/* XXX what is right value? */
+    if (poolp == NULL)
+	goto done;
+
+    cipher_abilities = (int *)PORT_ArenaZAlloc(poolp, smime_cipher_map_count * sizeof(int));
+    cipher_votes     = (int *)PORT_ArenaZAlloc(poolp, smime_cipher_map_count * sizeof(int));
+    if (cipher_votes == NULL || cipher_abilities == NULL)
+	goto done;
+
+    /* If the user has the Fortezza preference turned on, make
+     *  that the strong cipher. Otherwise, use triple-DES. */
+    strong_mapi = smime_mapi_by_cipher (SMIME_DES_EDE3_168);
+    if (scert_is_fortezza) {
+	mapi = smime_mapi_by_cipher(SMIME_FORTEZZA);
+	if (mapi >= 0 && smime_cipher_map[mapi].enabled)
+	    strong_mapi = mapi;
+    }
+
+    /* walk all the recipient's certs */
+    for (rcount = 0; rcerts[rcount] != NULL; rcount++) {
+	SECItem *profile;
+	NSSSMIMECapability **caps;
+	int pref;
+
+	/* the first cipher that matches in the user's SMIME profile gets
+	 * "smime_cipher_map_count" votes; the next one gets "smime_cipher_map_count" - 1
+	 * and so on. If every cipher matches, the last one gets 1 (one) vote */
+	pref = smime_cipher_map_count;
+
+	/* find recipient's SMIME profile */
+	profile = CERT_FindSMimeProfile(rcerts[rcount]);
+
+	if (profile != NULL && profile->data != NULL && profile->len > 0) {
+	    /* we have a profile (still DER-encoded) */
+	    caps = NULL;
+	    /* decode it */
+	    if (SEC_ASN1DecodeItem(poolp, &caps, NSSSMIMECapabilitiesTemplate, profile) == SECSuccess &&
+		    caps != NULL)
+	    {
+		/* walk the SMIME capabilities for this recipient */
+		for (i = 0; caps[i] != NULL; i++) {
+		    cipher = nss_SMIME_FindCipherForSMIMECap(caps[i]);
+		    mapi = smime_mapi_by_cipher(cipher);
+		    if (mapi >= 0) {
+			/* found the cipher */
+			cipher_abilities[mapi]++;
+			cipher_votes[mapi] += pref;
+			--pref;
+		    }
+		}
+	    }
+	} else {
+	    /* no profile found - so we can only assume that the user can do
+	     * the mandatory algorithms which is RC2-40 (weak crypto) and 3DES (strong crypto) */
+	    SECKEYPublicKey *key;
+	    unsigned int pklen_bits;
+
+	    /*
+	     * if recipient's public key length is > 512, vote for a strong cipher
+	     * please not that the side effect of this is that if only one recipient
+	     * has an export-level public key, the strong cipher is disabled.
+	     *
+	     * XXX This is probably only good for RSA keys.  What I would
+	     * really like is a function to just say;  Is the public key in
+	     * this cert an export-length key?  Then I would not have to
+	     * know things like the value 512, or the kind of key, or what
+	     * a subjectPublicKeyInfo is, etc.
+	     */
+	    key = CERT_ExtractPublicKey(rcerts[rcount]);
+	    pklen_bits = 0;
+	    if (key != NULL) {
+		pklen_bits = SECKEY_PublicKeyStrength (key) * 8;
+		SECKEY_DestroyPublicKey (key);
+	    }
+
+	    if (pklen_bits > 512) {
+		/* cast votes for the strong algorithm */
+		cipher_abilities[strong_mapi]++;
+		cipher_votes[strong_mapi] += pref;
+		pref--;
+	    } 
+
+	    /* always cast (possibly less) votes for the weak algorithm */
+	    cipher_abilities[weak_mapi]++;
+	    cipher_votes[weak_mapi] += pref;
+	}
+	if (profile != NULL)
+	    SECITEM_FreeItem(profile, PR_TRUE);
+    }
+
+    /* find cipher that is agreeable by all recipients and that has the most votes */
+    max = 0;
+    for (mapi = 0; mapi < smime_cipher_map_count; mapi++) {
+	/* if not all of the recipients can do this, forget it */
+	if (cipher_abilities[mapi] != rcount)
+	    continue;
+	/* if cipher is not enabled or not allowed by policy, forget it */
+	if (!smime_cipher_map[mapi].enabled || !smime_cipher_map[mapi].allowed)
+	    continue;
+	/* if we're not doing fortezza, but the cipher is fortezza, forget it */
+	if (!scert_is_fortezza  && (smime_cipher_map[mapi].cipher == SMIME_FORTEZZA))
+	    continue;
+	/* now see if this one has more votes than the last best one */
+	if (cipher_votes[mapi] >= max) {
+	    /* if equal number of votes, prefer the ones further down in the list */
+	    /* with the expectation that these are higher rated ciphers */
+	    chosen_cipher = smime_cipher_map[mapi].cipher;
+	    max = cipher_votes[mapi];
+	}
+    }
+    /* if no common cipher was found, chosen_cipher stays at the default */
+
+done:
+    if (poolp != NULL)
+	PORT_FreeArena (poolp, PR_FALSE);
+
+    return chosen_cipher;
+}
+
+/*
+ * XXX This is a hack for now to satisfy our current interface.
+ * Eventually, with more parameters needing to be specified, just
+ * looking up the keysize is not going to be sufficient.
+ */
+static int
+smime_keysize_by_cipher (unsigned long which)
+{
+    int keysize;
+
+    switch (which) {
+      case SMIME_RC2_CBC_40:
+	keysize = 40;
+	break;
+      case SMIME_RC2_CBC_64:
+	keysize = 64;
+	break;
+      case SMIME_RC2_CBC_128:
+	keysize = 128;
+	break;
+      case SMIME_DES_CBC_56:
+      case SMIME_DES_EDE3_168:
+      case SMIME_FORTEZZA:
+	/*
+	 * These are special; since the key size is fixed, we actually
+	 * want to *avoid* specifying a key size.
+	 */
+	keysize = 0;
+	break;
+      default:
+	keysize = -1;
+	break;
+    }
+
+    return keysize;
+}
+
+/*
+ * NSS_SMIMEUtil_FindBulkAlgForRecipients - find bulk algorithm suitable for all recipients
+ *
+ * it would be great for UI purposes if there would be a way to find out which recipients
+ * prevented a strong cipher from being used...
+ */
+SECStatus
+NSS_SMIMEUtil_FindBulkAlgForRecipients(CERTCertificate **rcerts, SECOidTag *bulkalgtag, int *keysize)
+{
+    unsigned long cipher;
+    int mapi;
+
+    cipher = smime_choose_cipher(NULL, rcerts);
+    mapi = smime_mapi_by_cipher(cipher);
+
+    *bulkalgtag = smime_cipher_map[mapi].algtag;
+    *keysize = smime_keysize_by_cipher(smime_cipher_map[mapi].algtag);
+
+    return SECSuccess;
+}
+
+/*
+ * NSS_SMIMEUtil_CreateSMIMECapabilities - get S/MIME capabilities for this instance of NSS
+ *
+ * scans the list of allowed and enabled ciphers and construct a PKCS9-compliant
+ * S/MIME capabilities attribute value.
+ *
+ * XXX Please note that, in contradiction to RFC2633 2.5.2, the capabilities only include
+ * symmetric ciphers, NO signature algorithms or key encipherment algorithms.
+ *
+ * "poolp" - arena pool to create the S/MIME capabilities data on
+ * "dest" - SECItem to put the data in
+ * "includeFortezzaCiphers" - PR_TRUE if fortezza ciphers should be included
+ */
+SECStatus
+NSS_SMIMEUtil_CreateSMIMECapabilities(PLArenaPool *poolp, SECItem *dest, PRBool includeFortezzaCiphers)
+{
+    NSSSMIMECapability *cap;
+    NSSSMIMECapability **smime_capabilities;
+    smime_cipher_map_entry *map;
+    SECOidData *oiddata;
+    SECItem *dummy;
+    int i, capIndex;
+
+    /* if we have an old NSSSMIMECapability array, we'll reuse it (has the right size) */
+    /* smime_cipher_map_count + 1 is an upper bound - we might end up with less */
+    smime_capabilities = (NSSSMIMECapability **)PORT_ZAlloc((smime_cipher_map_count + 1)
+				      * sizeof(NSSSMIMECapability *));
+    if (smime_capabilities == NULL)
+	return SECFailure;
+
+    capIndex = 0;
+
+    /* Add all the symmetric ciphers
+     * We walk the cipher list backwards, as it is ordered by increasing strength,
+     * we prefer the stronger cipher over a weaker one, and we have to list the
+     * preferred algorithm first */
+    for (i = smime_cipher_map_count - 1; i >= 0; i--) {
+	/* Find the corresponding entry in the cipher map. */
+	map = &(smime_cipher_map[i]);
+	if (!map->enabled)
+	    continue;
+
+	/* If we're using a non-Fortezza cert, only advertise non-Fortezza
+	   capabilities. (We advertise all capabilities if we have a 
+	   Fortezza cert.) */
+	if ((!includeFortezzaCiphers) && (map->cipher == SMIME_FORTEZZA))
+	    continue;
+
+	/* get next SMIME capability */
+	cap = (NSSSMIMECapability *)PORT_ZAlloc(sizeof(NSSSMIMECapability));
+	if (cap == NULL)
+	    break;
+	smime_capabilities[capIndex++] = cap;
+
+	oiddata = SECOID_FindOIDByTag(map->algtag);
+	if (oiddata == NULL)
+	    break;
+
+	cap->capabilityID.data = oiddata->oid.data;
+	cap->capabilityID.len = oiddata->oid.len;
+	cap->parameters.data = map->parms ? map->parms->data : NULL;
+	cap->parameters.len = map->parms ? map->parms->len : 0;
+	cap->cipher = smime_cipher_map[i].cipher;
+    }
+
+    /* XXX add signature algorithms */
+    /* XXX add key encipherment algorithms */
+
+    smime_capabilities[capIndex] = NULL;	/* last one - now encode */
+    dummy = SEC_ASN1EncodeItem(poolp, dest, &smime_capabilities, NSSSMIMECapabilitiesTemplate);
+
+    /* now that we have the proper encoded SMIMECapabilities (or not),
+     * free the work data */
+    for (i = 0; smime_capabilities[i] != NULL; i++)
+	PORT_Free(smime_capabilities[i]);
+    PORT_Free(smime_capabilities);
+
+    return (dummy == NULL) ? SECFailure : SECSuccess;
+}
+
+/*
+ * NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value
+ *
+ * "poolp" - arena pool to create the attr value on
+ * "dest" - SECItem to put the data in
+ * "cert" - certificate that should be marked as preferred encryption key
+ *          cert is expected to have been verified for EmailRecipient usage.
+ */
+SECStatus
+NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCertificate *cert)
+{
+    NSSSMIMEEncryptionKeyPreference ekp;
+    SECItem *dummy = NULL;
+    PLArenaPool *tmppoolp = NULL;
+
+    if (cert == NULL)
+	goto loser;
+
+    tmppoolp = PORT_NewArena(1024);
+    if (tmppoolp == NULL)
+	goto loser;
+
+    /* XXX hardcoded IssuerSN choice for now */
+    ekp.selector = NSSSMIMEEncryptionKeyPref_IssuerSN;
+    ekp.id.issuerAndSN = CERT_GetCertIssuerAndSN(tmppoolp, cert);
+    if (ekp.id.issuerAndSN == NULL)
+	goto loser;
+
+    dummy = SEC_ASN1EncodeItem(poolp, dest, &ekp, smime_encryptionkeypref_template);
+
+loser:
+    if (tmppoolp) PORT_FreeArena(tmppoolp, PR_FALSE);
+
+    return (dummy == NULL) ? SECFailure : SECSuccess;
+}
+
+/*
+ * NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference -
+ *				find cert marked by EncryptionKeyPreference attribute
+ *
+ * "certdb" - handle for the cert database to look in
+ * "DERekp" - DER-encoded value of S/MIME Encryption Key Preference attribute
+ *
+ * if certificate is supposed to be found among the message's included certificates,
+ * they are assumed to have been imported already.
+ */
+CERTCertificate *
+NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference(CERTCertDBHandle *certdb, SECItem *DERekp)
+{
+    PLArenaPool *tmppoolp = NULL;
+    CERTCertificate *cert = NULL;
+    NSSSMIMEEncryptionKeyPreference ekp;
+
+    tmppoolp = PORT_NewArena(1024);
+    if (tmppoolp == NULL)
+	return NULL;
+
+    /* decode DERekp */
+    if (SEC_ASN1DecodeItem(tmppoolp, &ekp, smime_encryptionkeypref_template, DERekp) != SECSuccess)
+	goto loser;
+
+    /* find cert */
+    switch (ekp.selector) {
+    case NSSSMIMEEncryptionKeyPref_IssuerSN:
+	cert = CERT_FindCertByIssuerAndSN(certdb, ekp.id.issuerAndSN);
+	break;
+    case NSSSMIMEEncryptionKeyPref_RKeyID:
+    case NSSSMIMEEncryptionKeyPref_SubjectKeyID:
+	/* XXX not supported yet - we need to be able to look up certs by SubjectKeyID */
+	break;
+    default:
+	PORT_Assert(0);
+    }
+loser:
+    if (tmppoolp) PORT_FreeArena(tmppoolp, PR_FALSE);
+
+    return cert;
+}
+
+extern const char __nss_smime_rcsid[];
+extern const char __nss_smime_sccsid[];
+
+PRBool
+NSSSMIME_VersionCheck(const char *importedVersion)
+{
+    /*
+     * This is the secret handshake algorithm.
+     *
+     * This release has a simple version compatibility
+     * check algorithm.  This release is not backward
+     * compatible with previous major releases.  It is
+     * not compatible with future major, minor, or
+     * patch releases.
+     */
+    volatile char c; /* force a reference that won't get optimized away */
+
+    c = __nss_smime_rcsid[0] + __nss_smime_sccsid[0]; 
+
+    return NSS_VersionCheck(importedVersion);
+}
+
diff --git a/security/nss/lib/smime/smimever.c b/security/nss/lib/smime/smimever.c
new file mode 100644
index 000000000..d10e7a6a3
--- /dev/null
+++ b/security/nss/lib/smime/smimever.c
@@ -0,0 +1,53 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 2001 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/* Library identity and versioning */
+
+#include "nss.h"
+
+#if defined(DEBUG)
+#define _DEBUG_STRING " (debug)"
+#else
+#define _DEBUG_STRING ""
+#endif
+
+/*
+ * Version information for the 'ident' and 'what commands
+ *
+ * NOTE: the first component of the concatenated rcsid string
+ * must not end in a '$' to prevent rcs keyword substitution.
+ */
+const char __nss_smime_rcsid[] = "$Header: NSS " NSS_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__ " $";
+const char __nss_smime_sccsid[] = "@(#)NSS " NSS_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__;
diff --git a/security/nss/lib/softoken/Makefile b/security/nss/lib/softoken/Makefile
new file mode 100644
index 000000000..fa3b20648
--- /dev/null
+++ b/security/nss/lib/softoken/Makefile
@@ -0,0 +1,91 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
+# On AIX 4.3, IBM xlC_r compiler (version 3.6.6) cannot compile
+# pkcs11c.c in 64-bit mode for unknown reasons.  A workaround is
+# to compile it with optimizations turned on.  (Bugzilla bug #63815)
+ifeq ($(OS_TARGET)$(OS_RELEASE),AIX4.3)
+ifeq ($(USE_64),1)
+ifndef BUILD_OPT
+$(OBJDIR)/pkcs11.o: pkcs11.c
+	@$(MAKE_OBJDIR)
+	$(CC) -o $@ -c -O2 $(CFLAGS) $<
+$(OBJDIR)/pkcs11c.o: pkcs11c.c
+	@$(MAKE_OBJDIR)
+	$(CC) -o $@ -c -O2 $(CFLAGS) $<
+endif
+endif
+endif
diff --git a/security/nss/lib/softoken/alghmac.c b/security/nss/lib/softoken/alghmac.c
new file mode 100644
index 000000000..60abd73d0
--- /dev/null
+++ b/security/nss/lib/softoken/alghmac.c
@@ -0,0 +1,155 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "sechash.h"
+#include "secport.h"
+#include "alghmac.h"
+/*#include "secoid.h"*/
+
+#define HMAC_PAD_SIZE 64
+
+struct HMACContextStr {
+    void *hash;
+    const SECHashObject *hashobj;
+    unsigned char ipad[HMAC_PAD_SIZE];
+    unsigned char opad[HMAC_PAD_SIZE];
+};
+
+void
+HMAC_Destroy(HMACContext *cx)
+{
+    if (cx == NULL)
+	return;
+
+    if (cx->hash != NULL)
+	cx->hashobj->destroy(cx->hash, PR_TRUE);
+    PORT_ZFree(cx, sizeof(HMACContext));
+}
+
+HMACContext *
+HMAC_Create(const SECHashObject *hash_obj, const unsigned char *secret, 
+            unsigned int   secret_len)
+{
+    HMACContext *cx;
+    int i;
+    unsigned char hashed_secret[SHA1_LENGTH];
+
+    cx = (HMACContext*)PORT_ZAlloc(sizeof(HMACContext));
+    if (cx == NULL)
+	return NULL;
+    cx->hashobj = hash_obj;
+
+    cx->hash = cx->hashobj->create();
+    if (cx->hash == NULL)
+	goto loser;
+
+    if (secret_len > HMAC_PAD_SIZE) {
+	cx->hashobj->begin( cx->hash);
+	cx->hashobj->update(cx->hash, secret, secret_len);
+	cx->hashobj->end(   cx->hash, hashed_secret, &secret_len, 
+	                 sizeof hashed_secret);
+	if (secret_len != cx->hashobj->length)
+	    goto loser;
+	secret = (const unsigned char *)&hashed_secret[0];
+    }
+
+    PORT_Memset(cx->ipad, 0x36, sizeof cx->ipad);
+    PORT_Memset(cx->opad, 0x5c, sizeof cx->opad);
+
+    /* fold secret into padding */
+    for (i = 0; i < secret_len; i++) {
+	cx->ipad[i] ^= secret[i];
+	cx->opad[i] ^= secret[i];
+    }
+    PORT_Memset(hashed_secret, 0, sizeof hashed_secret);
+    return cx;
+
+loser:
+    PORT_Memset(hashed_secret, 0, sizeof hashed_secret);
+    HMAC_Destroy(cx);
+    return NULL;
+}
+
+void
+HMAC_Begin(HMACContext *cx)
+{
+    /* start inner hash */
+    cx->hashobj->begin(cx->hash);
+    cx->hashobj->update(cx->hash, cx->ipad, sizeof(cx->ipad));
+}
+
+void
+HMAC_Update(HMACContext *cx, const unsigned char *data, unsigned int data_len)
+{
+    cx->hashobj->update(cx->hash, data, data_len);
+}
+
+SECStatus
+HMAC_Finish(HMACContext *cx, unsigned char *result, unsigned int *result_len,
+	    unsigned int max_result_len)
+{
+    if (max_result_len < cx->hashobj->length)
+	return SECFailure;
+
+    cx->hashobj->end(cx->hash, result, result_len, max_result_len);
+    if (*result_len != cx->hashobj->length)
+	return SECFailure;
+
+    cx->hashobj->begin(cx->hash);
+    cx->hashobj->update(cx->hash, cx->opad, sizeof(cx->opad));
+    cx->hashobj->update(cx->hash, result, *result_len);
+    cx->hashobj->end(cx->hash, result, result_len, max_result_len);
+    return SECSuccess;
+}
+
+HMACContext *
+HMAC_Clone(HMACContext *cx)
+{
+    HMACContext *newcx;
+
+    newcx = (HMACContext*)PORT_ZAlloc(sizeof(HMACContext));
+    if (newcx == NULL)
+	goto loser;
+
+    newcx->hashobj = cx->hashobj;
+    newcx->hash = cx->hashobj->clone(cx->hash);
+    if (newcx->hash == NULL)
+	goto loser;
+    PORT_Memcpy(newcx->ipad, cx->ipad, sizeof(cx->ipad));
+    PORT_Memcpy(newcx->opad, cx->opad, sizeof(cx->opad));
+    return newcx;
+
+loser:
+    HMAC_Destroy(newcx);
+    return NULL;
+}
diff --git a/security/nss/lib/softoken/alghmac.h b/security/nss/lib/softoken/alghmac.h
new file mode 100644
index 000000000..3cb1a74dc
--- /dev/null
+++ b/security/nss/lib/softoken/alghmac.h
@@ -0,0 +1,88 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _ALGHMAC_H_
+#define _ALGHMAC_H_
+
+typedef struct HMACContextStr HMACContext;
+
+SEC_BEGIN_PROTOS
+
+/* destroy HMAC context */
+extern void
+HMAC_Destroy(HMACContext *cx);
+
+/* create HMAC context
+ *  hash_alg	the algorithm with which the HMAC is performed.  This 
+ *		should be, SEC_OID_MD5, SEC_OID_SHA1, or SEC_OID_MD2.
+ *  secret	the secret with which the HMAC is performed.
+ *  secret_len	the length of the secret, limited to at most 64 bytes.
+ *
+ * NULL is returned if an error occurs or the secret is > 64 bytes.
+ */
+extern HMACContext *
+HMAC_Create(const SECHashObject *hashObj, const unsigned char *secret, 
+	    unsigned int secret_len);
+
+/* reset HMAC for a fresh round */
+extern void
+HMAC_Begin(HMACContext *cx);
+
+/* update HMAC 
+ *  cx		HMAC Context
+ *  data	the data to perform HMAC on
+ *  data_len	the length of the data to process
+ */
+extern void 
+HMAC_Update(HMACContext *cx, const unsigned char *data, unsigned int data_len);
+
+/* Finish HMAC -- place the results within result
+ *  cx		HMAC context
+ *  result	buffer for resulting hmac'd data
+ *  result_len	where the resultant hmac length is stored
+ *  max_result_len  maximum possible length that can be stored in result
+ */
+extern SECStatus
+HMAC_Finish(HMACContext *cx, unsigned char *result, unsigned int *result_len,
+	    unsigned int max_result_len);
+
+/* clone a copy of the HMAC state.  this is usefult when you would
+ * need to keep a running hmac but also need to extract portions 
+ * partway through the process.
+ */
+extern HMACContext *
+HMAC_Clone(HMACContext *cx);
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/softoken/cdbhdl.h b/security/nss/lib/softoken/cdbhdl.h
new file mode 100644
index 000000000..b606e9876
--- /dev/null
+++ b/security/nss/lib/softoken/cdbhdl.h
@@ -0,0 +1,54 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * cdbhdl.h - certificate database handle
+ *   private to the certdb module
+ *
+ * $Id$
+ */
+#ifndef _CDBHDL_H_
+#define _CDBHDL_H_
+
+#include "nspr.h"
+#include "mcom_db.h"
+#include "pcertt.h"
+
+/*
+ * Handle structure for open certificate databases
+ */
+struct NSSLOWCERTCertDBHandleStr {
+    DB *permCertDB;
+    PZMonitor *dbMon;
+};
+
+#endif
diff --git a/security/nss/lib/softoken/config.mk b/security/nss/lib/softoken/config.mk
new file mode 100644
index 000000000..b59f0cf32
--- /dev/null
+++ b/security/nss/lib/softoken/config.mk
@@ -0,0 +1,97 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+
+ifdef MOZILLA_CLIENT
+DEFINES += -DMOZ_CLIENT
+endif
+
+# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
+CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
+CRYPTODIR=../freebl
+ifdef MOZILLA_SECURITY_BUILD
+	CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)crypto.$(LIB_SUFFIX)
+	CRYPTODIR=../crypto
+endif
+
+EXTRA_LIBS += \
+	$(CRYPTOLIB) \
+	$(DIST)/lib/$(LIB_PREFIX)secutil.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) \
+	$(NULL)
+
+# can't do this in manifest.mn because OS_TARGET isn't defined there.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+# don't want the 32 in the shared library name
+SHARED_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION).dll
+IMPORT_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION).lib
+
+RES = $(OBJDIR)/$(LIBRARY_NAME).res
+RESNAME = $(LIBRARY_NAME).rc
+
+ifdef MOZILLA_BSAFE_BUILD
+	EXTRA_LIBS+=$(DIST)/lib/bsafe$(BSAFEVER).lib
+endif
+
+EXTRA_SHARED_LIBS += \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plc4.lib \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plds4.lib \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)nspr4.lib \
+	$(NULL)
+
+else
+
+ifdef MOZILLA_BSAFE_BUILD
+	EXTRA_LIBS+=$(DIST)/lib/$(LIB_PREFIX)bsafe.$(LIB_SUFFIX)
+endif
+
+# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
+# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib/ \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+endif
+
+ifeq ($(OS_TARGET),SunOS)
+ifndef USE_64
+ifeq ($(CPU_ARCH),sparc)
+# The -R '$ORIGIN' linker option instructs libsoftokn3.so to search for its
+# dependencies (libfreebl_*.so) in the same directory where it resides.
+MKSHLIB += -R '$$ORIGIN'
+endif
+endif
+endif
diff --git a/security/nss/lib/softoken/dbinit.c b/security/nss/lib/softoken/dbinit.c
new file mode 100644
index 000000000..8fa73fef2
--- /dev/null
+++ b/security/nss/lib/softoken/dbinit.c
@@ -0,0 +1,224 @@
+/*
+ * NSS utility functions
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ # $Id$
+ */
+
+#include <ctype.h>
+#include "seccomon.h"
+#include "prinit.h"
+#include "prprf.h"
+#include "prmem.h"
+#include "pcertt.h"
+#include "lowkeyi.h"
+#include "pcert.h"
+#include "secrng.h"
+#include "cdbhdl.h"
+#include "pkcs11i.h"
+
+static char *
+pk11_certdb_name_cb(void *arg, int dbVersion)
+{
+    const char *configdir = (const char *)arg;
+    const char *dbver;
+
+    switch (dbVersion) {
+      case 7:
+	dbver = "7";
+	break;
+      case 6:
+	dbver = "6";
+	break;
+      case 5:
+	dbver = "5";
+	break;
+      case 4:
+      default:
+	dbver = "";
+	break;
+    }
+
+    return PR_smprintf(CERT_DB_FMT, configdir, dbver);
+}
+    
+static char *
+pk11_keydb_name_cb(void *arg, int dbVersion)
+{
+    const char *configdir = (const char *)arg;
+    const char *dbver;
+    
+    switch (dbVersion) {
+      case 4:
+	dbver = "4";
+	break;
+      case 3:
+	dbver = "3";
+	break;
+      case 1:
+	dbver = "1";
+	break;
+      case 2:
+      default:
+	dbver = "";
+	break;
+    }
+
+    return PR_smprintf(KEY_DB_FMT, configdir, dbver);
+}
+
+/* for now... we need to define vendor specific codes here.
+ */
+#define CKR_CERTDB_FAILED	CKR_DEVICE_ERROR
+#define CKR_KEYDB_FAILED	CKR_DEVICE_ERROR
+
+static CK_RV
+pk11_OpenCertDB(const char * configdir, const char *prefix, PRBool readOnly,
+    					    NSSLOWCERTCertDBHandle **certdbPtr)
+{
+    NSSLOWCERTCertDBHandle *certdb = NULL;
+    CK_RV        crv = CKR_CERTDB_FAILED;
+    SECStatus    rv;
+    char * name = NULL;
+
+    if (prefix == NULL) {
+	prefix = "";
+    }
+
+    name = PR_smprintf("%s" PATH_SEPARATOR "%s",configdir,prefix);
+    if (name == NULL) goto loser;
+
+    certdb = (NSSLOWCERTCertDBHandle*)PORT_ZAlloc(sizeof(NSSLOWCERTCertDBHandle));
+    if (certdb == NULL) 
+    	goto loser;
+
+/* fix when we get the DB in */
+    rv = nsslowcert_OpenCertDB(certdb, readOnly, 
+				pk11_certdb_name_cb, (void *)name, PR_FALSE);
+    if (rv == SECSuccess) {
+	crv = CKR_OK;
+	*certdbPtr = certdb;
+	certdb = NULL;
+    }
+loser: 
+    if (certdb) PR_Free(certdb);
+    if (name) PORT_Free(name);
+    return crv;
+}
+
+static CK_RV
+pk11_OpenKeyDB(const char * configdir, const char *prefix, PRBool readOnly,
+    						NSSLOWKEYDBHandle **keydbPtr)
+{
+    NSSLOWKEYDBHandle *keydb;
+    char * name = NULL;
+
+    if (prefix == NULL) {
+	prefix = "";
+    }
+    name = PR_smprintf("%s" PATH_SEPARATOR "%s",configdir,prefix);	
+    if (name == NULL) 
+	return SECFailure;
+    keydb = nsslowkey_OpenKeyDB(readOnly, pk11_keydb_name_cb, (void *)name);
+    PORT_Free(name);
+    if (keydb == NULL)
+	return CKR_KEYDB_FAILED;
+    *keydbPtr = keydb;
+
+    return CKR_OK;
+}
+
+
+/*
+ * OK there are now lots of options here, lets go through them all:
+ *
+ * configdir - base directory where all the cert, key, and module datbases live.
+ * certPrefix - prefix added to the beginning of the cert database example: "
+ * 			"https-server1-"
+ * keyPrefix - prefix added to the beginning of the key database example: "
+ * 			"https-server1-"
+ * secmodName - name of the security module database (usually "secmod.db").
+ * readOnly - Boolean: true if the databases are to be openned read only.
+ * nocertdb - Don't open the cert DB and key DB's, just initialize the 
+ *			Volatile certdb.
+ * nomoddb - Don't open the security module DB, just initialize the 
+ *			PKCS #11 module.
+ * forceOpen - Continue to force initializations even if the databases cannot
+ * 			be opened.
+ */
+CK_RV
+pk11_DBInit(const char *configdir, const char *certPrefix, 
+	    const char *keyPrefix, PRBool readOnly, 
+	    PRBool noCertDB, PRBool noKeyDB, PRBool forceOpen,
+	    NSSLOWCERTCertDBHandle **certdbPtr, NSSLOWKEYDBHandle **keydbPtr)
+{
+    CK_RV crv = CKR_OK;
+
+
+    if (!noCertDB) {
+	crv = pk11_OpenCertDB(configdir, certPrefix, readOnly, certdbPtr);
+	if (crv != CKR_OK) {
+	    if (!forceOpen) goto loser;
+	    crv = CKR_OK;
+	}
+    }
+    if (!noKeyDB) {
+
+	crv = pk11_OpenKeyDB(configdir, keyPrefix, readOnly, keydbPtr);
+	if (crv != CKR_OK) {
+	    if (!forceOpen) goto loser;
+	    crv = CKR_OK;
+	}
+    }
+
+
+loser:
+    return crv;
+}
+
+
+void
+pk11_DBShutdown(NSSLOWCERTCertDBHandle *certHandle, 
+		NSSLOWKEYDBHandle *keyHandle)
+{
+    if (certHandle) {
+    	nsslowcert_ClosePermCertDB(certHandle);
+	PORT_Free(certHandle);
+	certHandle= NULL;
+    }
+
+    if (keyHandle) {
+    	nsslowkey_CloseKeyDB(keyHandle);
+	keyHandle= NULL;
+    }
+}
diff --git a/security/nss/lib/softoken/fipstest.c b/security/nss/lib/softoken/fipstest.c
new file mode 100644
index 000000000..15e490090
--- /dev/null
+++ b/security/nss/lib/softoken/fipstest.c
@@ -0,0 +1,1093 @@
+/*
+ * PKCS #11 FIPS Power-Up Self Test.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "softoken.h"   /* Required for RC2-ECB, RC2-CBC, RC4, DES-ECB,  */
+                        /*              DES-CBC, DES3-ECB, DES3-CBC, RSA */
+                        /*              and DSA.                         */
+#include "seccomon.h"   /* Required for RSA and DSA. */
+#include "lowkeyi.h"     /* Required for RSA and DSA. */
+#include "pkcs11.h"     /* Required for PKCS #11. */
+#include "secerr.h"
+
+/* FIPS preprocessor directives for RC2-ECB and RC2-CBC.        */
+#define FIPS_RC2_KEY_LENGTH                      5  /*  40-bits */
+#define FIPS_RC2_ENCRYPT_LENGTH                  8  /*  64-bits */
+#define FIPS_RC2_DECRYPT_LENGTH                  8  /*  64-bits */
+
+
+/* FIPS preprocessor directives for RC4.                        */
+#define FIPS_RC4_KEY_LENGTH                      5  /*  40-bits */
+#define FIPS_RC4_ENCRYPT_LENGTH                  8  /*  64-bits */
+#define FIPS_RC4_DECRYPT_LENGTH                  8  /*  64-bits */
+
+
+/* FIPS preprocessor directives for DES-ECB and DES-CBC.        */
+#define FIPS_DES_ENCRYPT_LENGTH                  8  /*  64-bits */
+#define FIPS_DES_DECRYPT_LENGTH                  8  /*  64-bits */
+
+
+/* FIPS preprocessor directives for DES3-CBC and DES3-ECB.      */
+#define FIPS_DES3_ENCRYPT_LENGTH                 8  /*  64-bits */
+#define FIPS_DES3_DECRYPT_LENGTH                 8  /*  64-bits */
+
+
+/* FIPS preprocessor directives for MD2.                        */
+#define FIPS_MD2_HASH_MESSAGE_LENGTH            64  /* 512-bits */
+
+
+/* FIPS preprocessor directives for MD5.                        */
+#define FIPS_MD5_HASH_MESSAGE_LENGTH            64  /* 512-bits */
+
+
+/* FIPS preprocessor directives for SHA-1.                      */
+#define FIPS_SHA1_HASH_MESSAGE_LENGTH           64  /* 512-bits */
+
+
+/* FIPS preprocessor directives for RSA.                        */
+#define FIPS_RSA_TYPE                           siBuffer
+#define FIPS_RSA_PUBLIC_EXPONENT_LENGTH          1  /*   8-bits */
+#define FIPS_RSA_PRIVATE_VERSION_LENGTH          1  /*   8-bits */
+#define FIPS_RSA_MESSAGE_LENGTH                 16  /* 128-bits */
+#define FIPS_RSA_COEFFICIENT_LENGTH             32  /* 256-bits */
+#define FIPS_RSA_PRIME0_LENGTH                  33  /* 264-bits */
+#define FIPS_RSA_PRIME1_LENGTH                  33  /* 264-bits */
+#define FIPS_RSA_EXPONENT0_LENGTH               33  /* 264-bits */
+#define FIPS_RSA_EXPONENT1_LENGTH               33  /* 264-bits */
+#define FIPS_RSA_PRIVATE_EXPONENT_LENGTH        64  /* 512-bits */
+#define FIPS_RSA_ENCRYPT_LENGTH                 64  /* 512-bits */
+#define FIPS_RSA_DECRYPT_LENGTH                 64  /* 512-bits */
+#define FIPS_RSA_CRYPTO_LENGTH                  64  /* 512-bits */
+#define FIPS_RSA_SIGNATURE_LENGTH               64  /* 512-bits */
+#define FIPS_RSA_MODULUS_LENGTH                 65  /* 520-bits */
+
+
+/* FIPS preprocessor directives for DSA.                        */
+#define FIPS_DSA_TYPE                           siBuffer
+#define FIPS_DSA_DIGEST_LENGTH                  20  /* 160-bits */
+#define FIPS_DSA_SUBPRIME_LENGTH                20  /* 160-bits */
+#define FIPS_DSA_SIGNATURE_LENGTH               40  /* 320-bits */
+#define FIPS_DSA_PRIME_LENGTH                   64  /* 512-bits */
+#define FIPS_DSA_BASE_LENGTH                    64  /* 512-bits */
+
+static CK_RV
+pk11_fips_RC2_PowerUpSelfTest( void )
+{
+    /* RC2 Known Key (40-bits). */
+    static PRUint8 rc2_known_key[] = { "RSARC" };
+
+    /* RC2-CBC Known Initialization Vector (64-bits). */
+    static PRUint8 rc2_cbc_known_initialization_vector[] = {"Security"};
+
+    /* RC2 Known Plaintext (64-bits). */
+    static PRUint8 rc2_ecb_known_plaintext[] = {"Netscape"};
+    static PRUint8 rc2_cbc_known_plaintext[] = {"Netscape"};
+
+    /* RC2 Known Ciphertext (64-bits). */
+    static PRUint8 rc2_ecb_known_ciphertext[] = {
+				  0x1a,0x71,0x33,0x54,0x8d,0x5c,0xd2,0x30};
+    static PRUint8 rc2_cbc_known_ciphertext[] = {
+				  0xff,0x41,0xdb,0x94,0x8a,0x4c,0x33,0xb3};
+
+    /* RC2 variables. */
+    PRUint8        rc2_computed_ciphertext[FIPS_RC2_ENCRYPT_LENGTH];
+    PRUint8        rc2_computed_plaintext[FIPS_RC2_DECRYPT_LENGTH];
+    RC2Context *   rc2_context;
+    unsigned int   rc2_bytes_encrypted;
+    unsigned int   rc2_bytes_decrypted;
+    SECStatus      rc2_status;
+
+
+    /******************************************************/
+    /* RC2-ECB Single-Round Known Answer Encryption Test: */
+    /******************************************************/
+
+    rc2_context = RC2_CreateContext( rc2_known_key, FIPS_RC2_KEY_LENGTH,
+                                     NULL, NSS_RC2,
+                                     FIPS_RC2_KEY_LENGTH );
+
+    if( rc2_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    rc2_status = RC2_Encrypt( rc2_context, rc2_computed_ciphertext,
+                              &rc2_bytes_encrypted, FIPS_RC2_ENCRYPT_LENGTH,
+                              rc2_ecb_known_plaintext,
+                              FIPS_RC2_DECRYPT_LENGTH );
+
+    RC2_DestroyContext( rc2_context, PR_TRUE );
+
+    if( ( rc2_status != SECSuccess ) ||
+        ( rc2_bytes_encrypted != FIPS_RC2_ENCRYPT_LENGTH ) ||
+        ( PORT_Memcmp( rc2_computed_ciphertext, rc2_ecb_known_ciphertext,
+                       FIPS_RC2_ENCRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /******************************************************/
+    /* RC2-ECB Single-Round Known Answer Decryption Test: */
+    /******************************************************/
+
+    rc2_context = RC2_CreateContext( rc2_known_key, FIPS_RC2_KEY_LENGTH,
+                                     NULL, NSS_RC2,
+                                     FIPS_RC2_KEY_LENGTH );
+
+    if( rc2_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    rc2_status = RC2_Decrypt( rc2_context, rc2_computed_plaintext,
+                              &rc2_bytes_decrypted, FIPS_RC2_DECRYPT_LENGTH,
+                              rc2_ecb_known_ciphertext,
+                              FIPS_RC2_ENCRYPT_LENGTH );
+
+    RC2_DestroyContext( rc2_context, PR_TRUE );
+
+    if( ( rc2_status != SECSuccess ) ||
+        ( rc2_bytes_decrypted != FIPS_RC2_DECRYPT_LENGTH ) ||
+        ( PORT_Memcmp( rc2_computed_plaintext, rc2_ecb_known_plaintext,
+                       FIPS_RC2_DECRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /******************************************************/
+    /* RC2-CBC Single-Round Known Answer Encryption Test: */
+    /******************************************************/
+
+    rc2_context = RC2_CreateContext( rc2_known_key, FIPS_RC2_KEY_LENGTH,
+                                     rc2_cbc_known_initialization_vector,
+                                     NSS_RC2_CBC, FIPS_RC2_KEY_LENGTH );
+
+    if( rc2_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    rc2_status = RC2_Encrypt( rc2_context, rc2_computed_ciphertext,
+                              &rc2_bytes_encrypted, FIPS_RC2_ENCRYPT_LENGTH,
+                              rc2_cbc_known_plaintext,
+                              FIPS_RC2_DECRYPT_LENGTH );
+
+    RC2_DestroyContext( rc2_context, PR_TRUE );
+
+    if( ( rc2_status != SECSuccess ) ||
+        ( rc2_bytes_encrypted != FIPS_RC2_ENCRYPT_LENGTH ) ||
+        ( PORT_Memcmp( rc2_computed_ciphertext, rc2_cbc_known_ciphertext,
+                       FIPS_RC2_ENCRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /******************************************************/
+    /* RC2-CBC Single-Round Known Answer Decryption Test: */
+    /******************************************************/
+
+    rc2_context = RC2_CreateContext( rc2_known_key, FIPS_RC2_KEY_LENGTH,
+                                     rc2_cbc_known_initialization_vector,
+                                     NSS_RC2_CBC, FIPS_RC2_KEY_LENGTH );
+
+    if( rc2_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    rc2_status = RC2_Decrypt( rc2_context, rc2_computed_plaintext,
+                              &rc2_bytes_decrypted, FIPS_RC2_DECRYPT_LENGTH,
+                              rc2_cbc_known_ciphertext,
+                              FIPS_RC2_ENCRYPT_LENGTH );
+
+    RC2_DestroyContext( rc2_context, PR_TRUE );
+
+    if( ( rc2_status != SECSuccess ) ||
+        ( rc2_bytes_decrypted != FIPS_RC2_DECRYPT_LENGTH ) ||
+        ( PORT_Memcmp( rc2_computed_plaintext, rc2_ecb_known_plaintext,
+                       FIPS_RC2_DECRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+    return( CKR_OK );
+}
+
+
+static CK_RV
+pk11_fips_RC4_PowerUpSelfTest( void )
+{
+    /* RC4 Known Key (40-bits). */
+    static PRUint8 rc4_known_key[] = { "RSARC" };
+
+    /* RC4 Known Plaintext (64-bits). */
+    static PRUint8 rc4_known_plaintext[] = { "Netscape" };
+
+    /* RC4 Known Ciphertext (64-bits). */
+    static PRUint8 rc4_known_ciphertext[] = {
+				0x29,0x33,0xc7,0x9a,0x9d,0x6c,0x09,0xdd};
+
+    /* RC4 variables. */
+    PRUint8        rc4_computed_ciphertext[FIPS_RC4_ENCRYPT_LENGTH];
+    PRUint8        rc4_computed_plaintext[FIPS_RC4_DECRYPT_LENGTH];
+    RC4Context *   rc4_context;
+    unsigned int   rc4_bytes_encrypted;
+    unsigned int   rc4_bytes_decrypted;
+    SECStatus      rc4_status;
+
+
+    /**************************************************/
+    /* RC4 Single-Round Known Answer Encryption Test: */
+    /**************************************************/
+
+    rc4_context = RC4_CreateContext( rc4_known_key, FIPS_RC4_KEY_LENGTH );
+
+    if( rc4_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    rc4_status = RC4_Encrypt( rc4_context, rc4_computed_ciphertext,
+                              &rc4_bytes_encrypted, FIPS_RC4_ENCRYPT_LENGTH,
+                              rc4_known_plaintext, FIPS_RC4_DECRYPT_LENGTH );
+
+    RC4_DestroyContext( rc4_context, PR_TRUE );
+
+    if( ( rc4_status != SECSuccess ) ||
+        ( rc4_bytes_encrypted != FIPS_RC4_ENCRYPT_LENGTH ) ||
+        ( PORT_Memcmp( rc4_computed_ciphertext, rc4_known_ciphertext,
+                       FIPS_RC4_ENCRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /**************************************************/
+    /* RC4 Single-Round Known Answer Decryption Test: */
+    /**************************************************/
+
+    rc4_context = RC4_CreateContext( rc4_known_key, FIPS_RC4_KEY_LENGTH );
+
+    if( rc4_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    rc4_status = RC4_Decrypt( rc4_context, rc4_computed_plaintext,
+                              &rc4_bytes_decrypted, FIPS_RC4_DECRYPT_LENGTH,
+                              rc4_known_ciphertext, FIPS_RC4_ENCRYPT_LENGTH );
+
+    RC4_DestroyContext( rc4_context, PR_TRUE );
+
+    if( ( rc4_status != SECSuccess ) ||
+        ( rc4_bytes_decrypted != FIPS_RC4_DECRYPT_LENGTH ) ||
+        ( PORT_Memcmp( rc4_computed_plaintext, rc4_known_plaintext,
+                       FIPS_RC4_DECRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+    return( CKR_OK );
+}
+
+
+static CK_RV
+pk11_fips_DES_PowerUpSelfTest( void )
+{
+    /* DES Known Key (56-bits). */
+    static PRUint8 des_known_key[] = { "ANSI DES" };
+
+    /* DES-CBC Known Initialization Vector (64-bits). */
+    static PRUint8 des_cbc_known_initialization_vector[] = { "Security" };
+
+    /* DES Known Plaintext (64-bits). */
+    static PRUint8 des_ecb_known_plaintext[] = { "Netscape" };
+    static PRUint8 des_cbc_known_plaintext[] = { "Netscape" };
+
+    /* DES Known Ciphertext (64-bits). */
+    static PRUint8 des_ecb_known_ciphertext[] = {
+			       0x26,0x14,0xe9,0xc3,0x28,0x80,0x50,0xb0};
+    static PRUint8 des_cbc_known_ciphertext[]  = {
+			       0x5e,0x95,0x94,0x5d,0x76,0xa2,0xd3,0x7d};
+
+    /* DES variables. */
+    PRUint8        des_computed_ciphertext[FIPS_DES_ENCRYPT_LENGTH];
+    PRUint8        des_computed_plaintext[FIPS_DES_DECRYPT_LENGTH];
+    DESContext *   des_context;
+    unsigned int   des_bytes_encrypted;
+    unsigned int   des_bytes_decrypted;
+    SECStatus      des_status;
+
+
+    /******************************************************/
+    /* DES-ECB Single-Round Known Answer Encryption Test: */
+    /******************************************************/
+
+    des_context = DES_CreateContext( des_known_key, NULL, NSS_DES, PR_TRUE );
+
+    if( des_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    des_status = DES_Encrypt( des_context, des_computed_ciphertext,
+                              &des_bytes_encrypted, FIPS_DES_ENCRYPT_LENGTH,
+                              des_ecb_known_plaintext,
+                              FIPS_DES_DECRYPT_LENGTH );
+
+    DES_DestroyContext( des_context, PR_TRUE );
+
+    if( ( des_status != SECSuccess ) ||
+        ( des_bytes_encrypted != FIPS_DES_ENCRYPT_LENGTH ) ||
+        ( PORT_Memcmp( des_computed_ciphertext, des_ecb_known_ciphertext,
+                       FIPS_DES_ENCRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /******************************************************/
+    /* DES-ECB Single-Round Known Answer Decryption Test: */
+    /******************************************************/
+
+    des_context = DES_CreateContext( des_known_key, NULL, NSS_DES, PR_FALSE );
+
+    if( des_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    des_status = DES_Decrypt( des_context, des_computed_plaintext,
+                              &des_bytes_decrypted, FIPS_DES_DECRYPT_LENGTH,
+                              des_ecb_known_ciphertext,
+                              FIPS_DES_ENCRYPT_LENGTH );
+
+    DES_DestroyContext( des_context, PR_TRUE );
+
+    if( ( des_status != SECSuccess ) ||
+        ( des_bytes_decrypted != FIPS_DES_DECRYPT_LENGTH ) ||
+        ( PORT_Memcmp( des_computed_plaintext, des_ecb_known_plaintext,
+                       FIPS_DES_DECRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /******************************************************/
+    /* DES-CBC Single-Round Known Answer Encryption Test. */
+    /******************************************************/
+
+    des_context = DES_CreateContext( des_known_key,
+                                     des_cbc_known_initialization_vector,
+                                     NSS_DES_CBC, PR_TRUE );
+
+    if( des_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    des_status = DES_Encrypt( des_context, des_computed_ciphertext,
+                              &des_bytes_encrypted, FIPS_DES_ENCRYPT_LENGTH,
+                              des_cbc_known_plaintext,
+                              FIPS_DES_DECRYPT_LENGTH );
+
+    DES_DestroyContext( des_context, PR_TRUE );
+
+    if( ( des_status != SECSuccess ) ||
+        ( des_bytes_encrypted != FIPS_DES_ENCRYPT_LENGTH ) ||
+        ( PORT_Memcmp( des_computed_ciphertext, des_cbc_known_ciphertext,
+                       FIPS_DES_ENCRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /******************************************************/
+    /* DES-CBC Single-Round Known Answer Decryption Test. */
+    /******************************************************/
+
+    des_context = DES_CreateContext( des_known_key,
+                                     des_cbc_known_initialization_vector,
+                                     NSS_DES_CBC, PR_FALSE );
+
+    if( des_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    des_status = DES_Decrypt( des_context, des_computed_plaintext,
+                              &des_bytes_decrypted, FIPS_DES_DECRYPT_LENGTH,
+                              des_cbc_known_ciphertext,
+                              FIPS_DES_ENCRYPT_LENGTH );
+
+    DES_DestroyContext( des_context, PR_TRUE );
+
+    if( ( des_status != SECSuccess ) ||
+        ( des_bytes_decrypted != FIPS_DES_DECRYPT_LENGTH ) ||
+        ( PORT_Memcmp( des_computed_plaintext, des_cbc_known_plaintext,
+                       FIPS_DES_DECRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+    return( CKR_OK );
+}
+
+
+static CK_RV
+pk11_fips_DES3_PowerUpSelfTest( void )
+{
+    /* DES3 Known Key (56-bits). */
+    static PRUint8 des3_known_key[] = { "ANSI Triple-DES Key Data" };
+
+    /* DES3-CBC Known Initialization Vector (64-bits). */
+    static PRUint8 des3_cbc_known_initialization_vector[] = { "Security" };
+
+    /* DES3 Known Plaintext (64-bits). */
+    static PRUint8 des3_ecb_known_plaintext[] = { "Netscape" };
+    static PRUint8 des3_cbc_known_plaintext[] = { "Netscape" };
+
+    /* DES3 Known Ciphertext (64-bits). */
+    static PRUint8 des3_ecb_known_ciphertext[] = {
+			   0x55,0x8e,0xad,0x3c,0xee,0x49,0x69,0xbe};
+    static PRUint8 des3_cbc_known_ciphertext[] = {
+			   0x43,0xdc,0x6a,0xc1,0xaf,0xa6,0x32,0xf5};
+
+    /* DES3 variables. */
+    PRUint8        des3_computed_ciphertext[FIPS_DES3_ENCRYPT_LENGTH];
+    PRUint8        des3_computed_plaintext[FIPS_DES3_DECRYPT_LENGTH];
+    DESContext *   des3_context;
+    unsigned int   des3_bytes_encrypted;
+    unsigned int   des3_bytes_decrypted;
+    SECStatus      des3_status;
+
+
+    /*******************************************************/
+    /* DES3-ECB Single-Round Known Answer Encryption Test. */
+    /*******************************************************/
+
+    des3_context = DES_CreateContext( des3_known_key, NULL,
+                                     NSS_DES_EDE3, PR_TRUE );
+
+    if( des3_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    des3_status = DES_Encrypt( des3_context, des3_computed_ciphertext,
+                               &des3_bytes_encrypted, FIPS_DES3_ENCRYPT_LENGTH,
+                               des3_ecb_known_plaintext,
+                               FIPS_DES3_DECRYPT_LENGTH );
+
+    DES_DestroyContext( des3_context, PR_TRUE );
+
+    if( ( des3_status != SECSuccess ) ||
+        ( des3_bytes_encrypted != FIPS_DES3_ENCRYPT_LENGTH ) ||
+        ( PORT_Memcmp( des3_computed_ciphertext, des3_ecb_known_ciphertext,
+                       FIPS_DES3_ENCRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /*******************************************************/
+    /* DES3-ECB Single-Round Known Answer Decryption Test. */
+    /*******************************************************/
+
+    des3_context = DES_CreateContext( des3_known_key, NULL,
+                                     NSS_DES_EDE3, PR_FALSE );
+
+    if( des3_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    des3_status = DES_Decrypt( des3_context, des3_computed_plaintext,
+                               &des3_bytes_decrypted, FIPS_DES3_DECRYPT_LENGTH,
+                               des3_ecb_known_ciphertext,
+                               FIPS_DES3_ENCRYPT_LENGTH );
+
+    DES_DestroyContext( des3_context, PR_TRUE );
+
+    if( ( des3_status != SECSuccess ) ||
+        ( des3_bytes_decrypted != FIPS_DES3_DECRYPT_LENGTH ) ||
+        ( PORT_Memcmp( des3_computed_plaintext, des3_ecb_known_plaintext,
+                       FIPS_DES3_DECRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /*******************************************************/
+    /* DES3-CBC Single-Round Known Answer Encryption Test. */
+    /*******************************************************/
+
+    des3_context = DES_CreateContext( des3_known_key,
+                                      des3_cbc_known_initialization_vector,
+                                      NSS_DES_EDE3_CBC, PR_TRUE );
+
+    if( des3_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    des3_status = DES_Encrypt( des3_context, des3_computed_ciphertext,
+                               &des3_bytes_encrypted, FIPS_DES3_ENCRYPT_LENGTH,
+                               des3_cbc_known_plaintext,
+                               FIPS_DES3_DECRYPT_LENGTH );
+
+    DES_DestroyContext( des3_context, PR_TRUE );
+
+    if( ( des3_status != SECSuccess ) ||
+        ( des3_bytes_encrypted != FIPS_DES3_ENCRYPT_LENGTH ) ||
+        ( PORT_Memcmp( des3_computed_ciphertext, des3_cbc_known_ciphertext,
+                       FIPS_DES3_ENCRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+
+    /*******************************************************/
+    /* DES3-CBC Single-Round Known Answer Decryption Test. */
+    /*******************************************************/
+
+    des3_context = DES_CreateContext( des3_known_key,
+                                      des3_cbc_known_initialization_vector,
+                                      NSS_DES_EDE3_CBC, PR_FALSE );
+
+    if( des3_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    des3_status = DES_Decrypt( des3_context, des3_computed_plaintext,
+                               &des3_bytes_decrypted, FIPS_DES3_DECRYPT_LENGTH,
+                               des3_cbc_known_ciphertext,
+                               FIPS_DES3_ENCRYPT_LENGTH );
+
+    DES_DestroyContext( des3_context, PR_TRUE );
+
+    if( ( des3_status != SECSuccess ) ||
+        ( des3_bytes_decrypted != FIPS_DES3_DECRYPT_LENGTH ) ||
+        ( PORT_Memcmp( des3_computed_plaintext, des3_cbc_known_plaintext,
+                       FIPS_DES3_DECRYPT_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+    return( CKR_OK );
+}
+
+
+static CK_RV
+pk11_fips_MD2_PowerUpSelfTest( void )
+{
+    /* MD2 Known Hash Message (512-bits). */
+    static PRUint8 md2_known_hash_message[] = {
+	"The test message for the MD2, MD5, and SHA-1 hashing algorithms." };
+
+    /* MD2 Known Digest Message (128-bits). */
+    static PRUint8 md2_known_digest[]  = {
+				   0x41,0x5a,0x12,0xb2,0x3f,0x28,0x97,0x17,
+				   0x0c,0x71,0x4e,0xcc,0x40,0xc8,0x1d,0x1b};
+
+    /* MD2 variables. */
+    MD2Context * md2_context;
+    unsigned int md2_bytes_hashed;
+    PRUint8      md2_computed_digest[MD2_LENGTH];
+
+
+    /***********************************************/
+    /* MD2 Single-Round Known Answer Hashing Test. */
+    /***********************************************/
+
+    md2_context = MD2_NewContext();
+
+    if( md2_context == NULL )
+        return( CKR_HOST_MEMORY );
+
+    MD2_Begin( md2_context );
+
+    MD2_Update( md2_context, md2_known_hash_message,
+                FIPS_MD2_HASH_MESSAGE_LENGTH );
+
+    MD2_End( md2_context, md2_computed_digest, &md2_bytes_hashed, MD2_LENGTH );
+
+    MD2_DestroyContext( md2_context , PR_TRUE );
+
+    if( ( md2_bytes_hashed != MD2_LENGTH ) ||
+        ( PORT_Memcmp( md2_computed_digest, md2_known_digest,
+                       MD2_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+    return( CKR_OK );
+}
+
+
+static CK_RV
+pk11_fips_MD5_PowerUpSelfTest( void )
+{
+    /* MD5 Known Hash Message (512-bits). */
+    static PRUint8 md5_known_hash_message[] = {
+	"The test message for the MD2, MD5, and SHA-1 hashing algorithms." };
+
+    /* MD5 Known Digest Message (128-bits). */
+    static PRUint8 md5_known_digest[]  = {
+				   0x25,0xc8,0xc0,0x10,0xc5,0x6e,0x68,0x28,
+				   0x28,0xa4,0xa5,0xd2,0x98,0x9a,0xea,0x2d};
+
+    /* MD5 variables. */
+    PRUint8        md5_computed_digest[MD5_LENGTH];
+    SECStatus      md5_status;
+
+
+    /***********************************************/
+    /* MD5 Single-Round Known Answer Hashing Test. */
+    /***********************************************/
+
+    md5_status = MD5_HashBuf( md5_computed_digest, md5_known_hash_message,
+                              FIPS_MD5_HASH_MESSAGE_LENGTH );
+
+    if( ( md5_status != SECSuccess ) ||
+        ( PORT_Memcmp( md5_computed_digest, md5_known_digest,
+                       MD5_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+    return( CKR_OK );
+}
+
+
+static CK_RV
+pk11_fips_SHA1_PowerUpSelfTest( void )
+{
+    /* SHA-1 Known Hash Message (512-bits). */
+    static PRUint8 sha1_known_hash_message[] = {
+	 "The test message for the MD2, MD5, and SHA-1 hashing algorithms." };
+
+    /* SHA-1 Known Digest Message (160-bits). */
+    static PRUint8 sha1_known_digest[] = {
+			       0x0a,0x6d,0x07,0xba,0x1e,0xbd,0x8a,0x1b,
+			       0x72,0xf6,0xc7,0x22,0xf1,0x27,0x9f,0xf0,
+			       0xe0,0x68,0x47,0x7a};
+
+    /* SHA-1 variables. */
+    PRUint8        sha1_computed_digest[SHA1_LENGTH];
+    SECStatus      sha1_status;
+
+
+    /*************************************************/
+    /* SHA-1 Single-Round Known Answer Hashing Test. */
+    /*************************************************/
+
+    sha1_status = SHA1_HashBuf( sha1_computed_digest, sha1_known_hash_message,
+                                FIPS_SHA1_HASH_MESSAGE_LENGTH );
+
+    if( ( sha1_status != SECSuccess ) ||
+        ( PORT_Memcmp( sha1_computed_digest, sha1_known_digest,
+                       SHA1_LENGTH ) != 0 ) )
+        return( CKR_DEVICE_ERROR );
+
+    return( CKR_OK );
+}
+
+
+static CK_RV
+pk11_fips_RSA_PowerUpSelfTest( void )
+{
+    /* RSA Known Modulus used in both Public/Private Key Values (520-bits). */
+    static PRUint8 rsa_modulus[FIPS_RSA_MODULUS_LENGTH] = {
+                                 0x00,0xa1,0xe9,0x5e,0x66,0x88,0xe2,0xf2,
+                                 0x2b,0xe7,0x70,0x36,0x33,0xbc,0xeb,0x55,
+                                 0x55,0xf1,0x60,0x18,0x3c,0xfb,0xd2,0x79,
+                                 0xf6,0xc4,0xb8,0x09,0xe3,0x12,0xf6,0x63,
+                                 0x6d,0xc7,0x8e,0x19,0xc0,0x0e,0x10,0x78,
+                                 0xc1,0xfe,0x2a,0x41,0x74,0x2d,0xf7,0xc4,
+                                 0x69,0xa7,0x3c,0xbc,0x8a,0xc8,0x31,0x2b,
+                                 0x4f,0x60,0xf0,0xf1,0xec,0x5a,0x29,0xec,
+                                 0x6b};
+
+    /* RSA Known Public Key Values (8-bits). */
+    static PRUint8 rsa_public_exponent[] = { 0x03 };
+
+    /* RSA Known Private Key Values (version                 is   8-bits), */
+    /*                              (private exponent        is 512-bits), */
+    /*                              (private prime0          is 264-bits), */
+    /*                              (private prime1          is 264-bits), */
+    /*                              (private prime exponent0 is 264-bits), */
+    /*                              (private prime exponent1 is 264-bits), */
+    /*                          and (private coefficient     is 256-bits). */
+    static PRUint8 rsa_version[] = { 0x00 };
+    static PRUint8 rsa_private_exponent[FIPS_RSA_PRIVATE_EXPONENT_LENGTH] = {
+				  0x6b,0xf0,0xe9,0x99,0xb0,0x97,0x4c,0x1d,
+				  0x44,0xf5,0x79,0x77,0xd3,0x47,0x8e,0x39,
+				  0x4b,0x95,0x65,0x7d,0xfd,0x36,0xfb,0xf9,
+				  0xd8,0x7a,0xb1,0x42,0x0c,0xa4,0x42,0x48,
+				  0x20,0x1c,0x6b,0x7d,0x5d,0xa3,0x58,0xd6,
+				  0x95,0xd6,0x41,0xe3,0xd6,0x73,0xad,0xdb,
+				  0x3b,0x89,0x00,0x8a,0xcd,0x1d,0xb9,0x06,
+				  0xac,0xac,0x0e,0x02,0x72,0x1c,0xf8,0xab };
+    static PRUint8 rsa_prime0[FIPS_RSA_PRIME0_LENGTH]   = {
+				      0x00,0xd2,0x2c,0x9d,0xef,0x7c,0x8f,0x58,
+				      0x93,0x19,0xa1,0x77,0x0e,0x38,0x3e,0x85,
+				      0xb4,0xaf,0xcc,0x99,0xa5,0x43,0xbf,0x97,
+				      0xdc,0x46,0xb8,0x3f,0x6e,0x85,0x18,0x00,
+				      0x81};
+    static PRUint8 rsa_prime1[FIPS_RSA_PRIME1_LENGTH]   = {
+				      0x00,0xc5,0x36,0xda,0x94,0x85,0x0c,0x1a,
+				      0xed,0x03,0xc7,0x67,0x90,0x34,0x0b,0xb9,
+				      0xec,0x1e,0x22,0xa2,0x15,0x50,0xc4,0xfd,
+				      0xe9,0x17,0x36,0x9d,0x7a,0x29,0xe6,0x76,
+				      0xeb};
+    static PRUint8 rsa_exponent0[FIPS_RSA_EXPONENT0_LENGTH] = {
+					 0x00,0x8c,0x1d,0xbe,0x9f,0xa8,
+					 0x5f,0x90,0x62,0x11,0x16,0x4f,
+					 0x5e,0xd0,0x29,0xae,0x78,0x75,
+					 0x33,0x11,0x18,0xd7,0xd5,0x0f,
+					 0xe8,0x2f,0x25,0x7f,0x9f,0x03,
+					 0x65,0x55,0xab};
+    static PRUint8 rsa_exponent1[FIPS_RSA_EXPONENT1_LENGTH] = {
+					 0x00,0x83,0x79,0xe7,0x0d,0xae,
+					 0x08,0x11,0xf3,0x57,0xda,0x45,
+					 0x0a,0xcd,0x5d,0x26,0x9d,0x69,
+					 0x6c,0x6c,0x0e,0x35,0xd8,0xa9,
+					 0x46,0x0f,0x79,0xbe,0x51,0x71,
+					 0x44,0x4f,0x47};
+    static PRUint8 rsa_coefficient[FIPS_RSA_COEFFICIENT_LENGTH] = {
+					 0x54,0x8d,0xb8,0xdc,0x8b,0xde,0xbb,
+					 0x08,0xc9,0x67,0xb7,0xa9,0x5f,0xa5,
+					 0xc4,0x5e,0x67,0xaa,0xfe,0x1a,0x08,
+					 0xeb,0x48,0x43,0xcb,0xb0,0xb9,0x38,
+					 0x3a,0x31,0x39,0xde};
+
+
+    /* RSA Known Plaintext (512-bits). */
+    static PRUint8 rsa_known_plaintext[] = {
+                                         "Known plaintext utilized for RSA"
+                                         " Encryption and Decryption test." };
+
+    /* RSA Known Ciphertext (512-bits). */
+    static PRUint8 rsa_known_ciphertext[] = {
+				      0x12,0x80,0x3a,0x53,0xee,0x93,0x81,0xa5,
+				      0xf7,0x40,0xc5,0xb1,0xef,0xd9,0x27,0xaf,
+				      0xef,0x4b,0x87,0x44,0x00,0xd0,0xda,0xcf,
+				      0x10,0x57,0x4c,0xd5,0xc3,0xed,0x84,0xdc,
+				      0x74,0x03,0x19,0x69,0x2c,0xd6,0x54,0x3e,
+				      0xd2,0xe3,0x90,0xb6,0x67,0x91,0x2f,0x1f,
+				      0x54,0x13,0x99,0x00,0x0b,0xfd,0x52,0x7f,
+				      0xd8,0xc6,0xdb,0x8a,0xfe,0x06,0xf3,0xb1};
+
+    /* RSA Known Message (128-bits). */
+    static PRUint8 rsa_known_message[]  = { "Netscape Forever" };
+
+    /* RSA Known Signed Hash (512-bits). */
+    static PRUint8 rsa_known_signature[] = {
+				     0x27,0x23,0xa6,0x71,0x57,0xc8,0x70,0x5f,
+				     0x70,0x0e,0x06,0x7b,0x96,0x6a,0xaa,0x41,
+				     0x6e,0xab,0x67,0x4b,0x5f,0x76,0xc4,0x53,
+				     0x23,0xd7,0x57,0x7a,0x3a,0xbc,0x4c,0x27,
+				     0x65,0xca,0xde,0x9f,0xd3,0x1d,0xa4,0x5a,
+				     0xf9,0x8f,0xb2,0x05,0xa3,0x86,0xf9,0x66,
+				     0x55,0x4c,0x68,0x50,0x66,0xa4,0xe9,0x17,
+				     0x45,0x11,0xb8,0x1a,0xfc,0xbc,0x79,0x3b};
+
+
+    static RSAPublicKey    bl_public_key = { NULL, 
+      { FIPS_RSA_TYPE, rsa_modulus,         FIPS_RSA_MODULUS_LENGTH },
+      { FIPS_RSA_TYPE, rsa_public_exponent, FIPS_RSA_PUBLIC_EXPONENT_LENGTH }
+    };
+    static RSAPrivateKey   bl_private_key = { NULL,
+      { FIPS_RSA_TYPE, rsa_version,          FIPS_RSA_PRIVATE_VERSION_LENGTH },
+      { FIPS_RSA_TYPE, rsa_modulus,          FIPS_RSA_MODULUS_LENGTH },
+      { FIPS_RSA_TYPE, rsa_public_exponent,  FIPS_RSA_PUBLIC_EXPONENT_LENGTH },
+      { FIPS_RSA_TYPE, rsa_private_exponent, FIPS_RSA_PRIVATE_EXPONENT_LENGTH },
+      { FIPS_RSA_TYPE, rsa_prime0,           FIPS_RSA_PRIME0_LENGTH },
+      { FIPS_RSA_TYPE, rsa_prime1,           FIPS_RSA_PRIME1_LENGTH },
+      { FIPS_RSA_TYPE, rsa_exponent0,        FIPS_RSA_EXPONENT0_LENGTH },
+      { FIPS_RSA_TYPE, rsa_exponent1,        FIPS_RSA_EXPONENT1_LENGTH },
+      { FIPS_RSA_TYPE, rsa_coefficient,      FIPS_RSA_COEFFICIENT_LENGTH }
+    };
+
+    /* RSA variables. */
+#ifdef CREATE_TEMP_ARENAS
+    PLArenaPool *         rsa_public_arena;
+    PLArenaPool *         rsa_private_arena;
+#endif
+    NSSLOWKEYPublicKey *  rsa_public_key;
+    NSSLOWKEYPrivateKey * rsa_private_key;
+    unsigned int          rsa_bytes_signed;
+    SECStatus             rsa_status;
+
+    NSSLOWKEYPublicKey    low_public_key   = { NULL, NSSLOWKEYRSAKey, };
+    NSSLOWKEYPrivateKey   low_private_key  = { NULL, NSSLOWKEYRSAKey, };
+    PRUint8               rsa_computed_ciphertext[FIPS_RSA_ENCRYPT_LENGTH];
+    PRUint8               rsa_computed_plaintext[FIPS_RSA_DECRYPT_LENGTH];
+    PRUint8               rsa_computed_signature[FIPS_RSA_SIGNATURE_LENGTH];
+
+    /****************************************/
+    /* Compose RSA Public/Private Key Pair. */
+    /****************************************/
+
+    low_public_key.u.rsa  = bl_public_key;
+    low_private_key.u.rsa = bl_private_key;
+
+    rsa_public_key  = &low_public_key;
+    rsa_private_key = &low_private_key;
+
+#ifdef CREATE_TEMP_ARENAS
+    /* Create some space for the RSA public key. */
+    rsa_public_arena = PORT_NewArena( NSS_SOFTOKEN_DEFAULT_CHUNKSIZE );
+
+    if( rsa_public_arena == NULL ) {
+        PORT_SetError( SEC_ERROR_NO_MEMORY );
+        return( CKR_HOST_MEMORY );
+    }
+
+    /* Create some space for the RSA private key. */
+    rsa_private_arena = PORT_NewArena( NSS_SOFTOKEN_DEFAULT_CHUNKSIZE );
+
+    if( rsa_private_arena == NULL ) {
+        PORT_FreeArena( rsa_public_arena, PR_TRUE );
+        PORT_SetError( SEC_ERROR_NO_MEMORY );
+        return( CKR_HOST_MEMORY );
+    }
+
+    rsa_public_key->arena = rsa_public_arena;
+    rsa_private_key->arena = rsa_private_arena;
+#endif
+
+    /**************************************************/
+    /* RSA Single-Round Known Answer Encryption Test. */
+    /**************************************************/
+
+    /* Perform RSA Public Key Encryption. */
+    rsa_status = RSA_PublicKeyOp(&rsa_public_key->u.rsa, 
+                                 rsa_computed_ciphertext, rsa_known_plaintext);
+
+    if( ( rsa_status != SECSuccess ) ||
+        ( PORT_Memcmp( rsa_computed_ciphertext, rsa_known_ciphertext,
+                       FIPS_RSA_ENCRYPT_LENGTH ) != 0 ) )
+        goto rsa_loser;
+
+    /**************************************************/
+    /* RSA Single-Round Known Answer Decryption Test. */
+    /**************************************************/
+
+    /* Perform RSA Private Key Decryption. */
+    rsa_status = RSA_PrivateKeyOp(&rsa_private_key->u.rsa, 
+                                  rsa_computed_plaintext, rsa_known_ciphertext);
+
+    if( ( rsa_status != SECSuccess ) ||
+        ( PORT_Memcmp( rsa_computed_plaintext, rsa_known_plaintext,
+                       FIPS_RSA_DECRYPT_LENGTH ) != 0 ) )
+        goto rsa_loser;
+
+
+    /*************************************************/
+    /* RSA Single-Round Known Answer Signature Test. */
+    /*************************************************/
+
+    /* Perform RSA signature with the RSA private key. */
+    rsa_status = RSA_Sign( rsa_private_key, rsa_computed_signature,
+                           &rsa_bytes_signed,
+                           FIPS_RSA_SIGNATURE_LENGTH, rsa_known_message,
+                           FIPS_RSA_MESSAGE_LENGTH );
+
+    if( ( rsa_status != SECSuccess ) ||
+        ( rsa_bytes_signed != FIPS_RSA_SIGNATURE_LENGTH ) ||
+        ( PORT_Memcmp( rsa_computed_signature, rsa_known_signature,
+                       FIPS_RSA_SIGNATURE_LENGTH ) != 0 ) )
+        goto rsa_loser;
+
+
+    /****************************************************/
+    /* RSA Single-Round Known Answer Verification Test. */
+    /****************************************************/
+
+    /* Perform RSA verification with the RSA public key. */
+    rsa_status = RSA_CheckSign( rsa_public_key,
+                                rsa_computed_signature,
+                                FIPS_RSA_SIGNATURE_LENGTH,
+                                rsa_known_message,
+                                FIPS_RSA_MESSAGE_LENGTH );
+
+    if( rsa_status != SECSuccess )
+        goto rsa_loser;
+
+    /* Dispose of all RSA key material. */
+    nsslowkey_DestroyPublicKey( rsa_public_key );
+    nsslowkey_DestroyPrivateKey( rsa_private_key );
+
+    return( CKR_OK );
+
+
+rsa_loser:
+
+    nsslowkey_DestroyPublicKey( rsa_public_key );
+    nsslowkey_DestroyPrivateKey( rsa_private_key );
+
+    return( CKR_DEVICE_ERROR );
+}
+
+
+static CK_RV
+pk11_fips_DSA_PowerUpSelfTest( void )
+{
+    /* DSA Known P (512-bits), Q (160-bits), and G (512-bits) Values. */
+    static PRUint8 dsa_P[] = {
+                           0x8d,0xf2,0xa4,0x94,0x49,0x22,0x76,0xaa,
+                           0x3d,0x25,0x75,0x9b,0xb0,0x68,0x69,0xcb,
+                           0xea,0xc0,0xd8,0x3a,0xfb,0x8d,0x0c,0xf7,
+                           0xcb,0xb8,0x32,0x4f,0x0d,0x78,0x82,0xe5,
+                           0xd0,0x76,0x2f,0xc5,0xb7,0x21,0x0e,0xaf,
+                           0xc2,0xe9,0xad,0xac,0x32,0xab,0x7a,0xac,
+                           0x49,0x69,0x3d,0xfb,0xf8,0x37,0x24,0xc2,
+                           0xec,0x07,0x36,0xee,0x31,0xc8,0x02,0x91};
+    static PRUint8 dsa_Q[] = {
+                           0xc7,0x73,0x21,0x8c,0x73,0x7e,0xc8,0xee,
+                           0x99,0x3b,0x4f,0x2d,0xed,0x30,0xf4,0x8e,
+                           0xda,0xce,0x91,0x5f};
+    static PRUint8 dsa_G[] = {
+                           0x62,0x6d,0x02,0x78,0x39,0xea,0x0a,0x13,
+                           0x41,0x31,0x63,0xa5,0x5b,0x4c,0xb5,0x00,
+                           0x29,0x9d,0x55,0x22,0x95,0x6c,0xef,0xcb,
+                           0x3b,0xff,0x10,0xf3,0x99,0xce,0x2c,0x2e,
+                           0x71,0xcb,0x9d,0xe5,0xfa,0x24,0xba,0xbf,
+                           0x58,0xe5,0xb7,0x95,0x21,0x92,0x5c,0x9c,
+                           0xc4,0x2e,0x9f,0x6f,0x46,0x4b,0x08,0x8c,
+                           0xc5,0x72,0xaf,0x53,0xe6,0xd7,0x88,0x02};
+
+    /* DSA Known Random Values (known random key block       is 160-bits)  */
+    /*                     and (known random signature block is 160-bits). */
+    static PRUint8 dsa_known_random_key_block[] = {
+                                                      "Mozilla Rules World!"};
+    static PRUint8 dsa_known_random_signature_block[] = {
+                                                      "Random DSA Signature"};
+
+    /* DSA Known Digest (160-bits) */
+    static PRUint8 dsa_known_digest[] = { "DSA Signature Digest" };
+
+    /* DSA Known Signature (320-bits). */
+    static PRUint8 dsa_known_signature[] = {
+			     0x39,0x0d,0x84,0xb1,0xf7,0x52,0x89,0xba,
+			     0xec,0x1e,0xa8,0xe2,0x00,0x8e,0x37,0x8f,
+			     0xc2,0xf5,0xf8,0x70,0x11,0xa8,0xc7,0x02,
+			     0x0e,0x75,0xcf,0x6b,0x54,0x4a,0x52,0xe8,
+			     0xd8,0x6d,0x4a,0xe8,0xee,0x56,0x8e,0x59};
+
+    /* DSA variables. */
+    DSAPrivateKey *        dsa_private_key;
+    SECStatus              dsa_status;
+    SECItem                dsa_signature_item;
+    SECItem                dsa_digest_item;
+    DSAPublicKey           dsa_public_key;
+    PRUint8                dsa_computed_signature[FIPS_DSA_SIGNATURE_LENGTH];
+    static PQGParams       dsa_pqg = { NULL,
+			    { FIPS_DSA_TYPE, dsa_P, FIPS_DSA_PRIME_LENGTH },
+			    { FIPS_DSA_TYPE, dsa_Q, FIPS_DSA_SUBPRIME_LENGTH },
+			    { FIPS_DSA_TYPE, dsa_G, FIPS_DSA_BASE_LENGTH }};
+
+    /*******************************************/
+    /* Generate a DSA public/private key pair. */
+    /*******************************************/
+
+    /* Generate a DSA public/private key pair. */
+
+    dsa_status = DSA_NewKeyFromSeed(&dsa_pqg, dsa_known_random_key_block,
+                                    &dsa_private_key);
+
+    if( dsa_status != SECSuccess )
+	return( CKR_HOST_MEMORY );
+
+    /* construct public key from private key. */
+    dsa_public_key.params      = dsa_private_key->params;
+    dsa_public_key.publicValue = dsa_private_key->publicValue;
+
+    /*************************************************/
+    /* DSA Single-Round Known Answer Signature Test. */
+    /*************************************************/
+
+    dsa_signature_item.data = dsa_computed_signature;
+    dsa_signature_item.len  = sizeof dsa_computed_signature;
+
+    dsa_digest_item.data    = dsa_known_digest;
+    dsa_digest_item.len     = SHA1_LENGTH;
+
+    /* Perform DSA signature process. */
+    dsa_status = DSA_SignDigestWithSeed( dsa_private_key, 
+                                         &dsa_signature_item,
+					 &dsa_digest_item,
+					 dsa_known_random_signature_block );
+
+    if( ( dsa_status != SECSuccess ) ||
+        ( dsa_signature_item.len != FIPS_DSA_SIGNATURE_LENGTH ) ||
+        ( PORT_Memcmp( dsa_computed_signature, dsa_known_signature,
+                       FIPS_DSA_SIGNATURE_LENGTH ) != 0 ) ) {
+        dsa_status = SECFailure;
+    } else {
+
+    /****************************************************/
+    /* DSA Single-Round Known Answer Verification Test. */
+    /****************************************************/
+
+    /* Perform DSA verification process. */
+    dsa_status = DSA_VerifyDigest( &dsa_public_key, 
+                                   &dsa_signature_item,
+				   &dsa_digest_item);
+    }
+
+    PORT_FreeArena(dsa_private_key->params.arena, PR_TRUE);
+    /* Don't free public key, it uses same arena as private key */
+
+    /* Verify DSA signature. */
+    if( dsa_status != SECSuccess )
+        return( CKR_DEVICE_ERROR );
+
+    return( CKR_OK );
+
+
+}
+
+
+CK_RV
+pk11_fipsPowerUpSelfTest( void )
+{
+    CK_RV rv;
+
+    /* RC2 Power-Up SelfTest(s). */
+    rv = pk11_fips_RC2_PowerUpSelfTest();
+
+    if( rv != CKR_OK )
+        return rv;
+
+    /* RC4 Power-Up SelfTest(s). */
+    rv = pk11_fips_RC4_PowerUpSelfTest();
+
+    if( rv != CKR_OK )
+        return rv;
+
+    /* DES Power-Up SelfTest(s). */
+    rv = pk11_fips_DES_PowerUpSelfTest();
+
+    if( rv != CKR_OK )
+        return rv;
+
+    /* DES3 Power-Up SelfTest(s). */
+    rv = pk11_fips_DES3_PowerUpSelfTest();
+
+    if( rv != CKR_OK )
+        return rv;
+
+    /* MD2 Power-Up SelfTest(s). */
+    rv = pk11_fips_MD2_PowerUpSelfTest();
+
+    if( rv != CKR_OK )
+        return rv;
+
+    /* MD5 Power-Up SelfTest(s). */
+    rv = pk11_fips_MD5_PowerUpSelfTest();
+
+    if( rv != CKR_OK )
+        return rv;
+
+    /* SHA-1 Power-Up SelfTest(s). */
+    rv = pk11_fips_SHA1_PowerUpSelfTest();
+
+    if( rv != CKR_OK )
+        return rv;
+
+    /* RSA Power-Up SelfTest(s). */
+    rv = pk11_fips_RSA_PowerUpSelfTest();
+
+    if( rv != CKR_OK )
+        return rv;
+
+    /* DSA Power-Up SelfTest(s). */
+    rv = pk11_fips_DSA_PowerUpSelfTest();
+
+    if( rv != CKR_OK )
+        return rv;
+
+    /* Passed Power-Up SelfTest(s). */
+    return( CKR_OK );
+}
+
diff --git a/security/nss/lib/softoken/fipstokn.c b/security/nss/lib/softoken/fipstokn.c
new file mode 100644
index 000000000..e3abfaf88
--- /dev/null
+++ b/security/nss/lib/softoken/fipstokn.c
@@ -0,0 +1,979 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * This file implements PKCS 11 on top of our existing security modules
+ *
+ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
+ *   This implementation has two slots:
+ *	slot 1 is our generic crypto support. It does not require login
+ *   (unless you've enabled FIPS). It supports Public Key ops, and all they
+ *   bulk ciphers and hashes. It can also support Private Key ops for imported
+ *   Private keys. It does not have any token storage.
+ *	slot 2 is our private key support. It requires a login before use. It
+ *   can store Private Keys and Certs as token objects. Currently only private
+ *   keys and their associated Certificates are saved on the token.
+ *
+ *   In this implementation, session objects are only visible to the session
+ *   that created or generated them.
+ */
+#include "seccomon.h"
+#include "softoken.h"
+#include "lowkeyi.h"
+#include "pcert.h"
+#include "pkcs11.h"
+#include "pkcs11i.h"
+
+
+/*
+ * ******************** Password Utilities *******************************
+ */
+static PRBool isLoggedIn = PR_FALSE;
+static PRBool fatalError = PR_FALSE;
+
+/* Fips required checks before any useful crypto graphic services */
+static CK_RV pk11_fipsCheck(void) {
+    if (isLoggedIn != PR_TRUE) 
+	return CKR_USER_NOT_LOGGED_IN;
+    if (fatalError) 
+	return CKR_DEVICE_ERROR;
+    return CKR_OK;
+}
+
+
+#define PK11_FIPSCHECK() \
+    CK_RV rv; \
+    if ((rv = pk11_fipsCheck()) != CKR_OK) return rv;
+
+#define PK11_FIPSFATALCHECK() \
+    if (fatalError) return CKR_DEVICE_ERROR;
+
+
+/* grab an attribute out of a raw template */
+void *
+fc_getAttribute(CK_ATTRIBUTE_PTR pTemplate, 
+				CK_ULONG ulCount, CK_ATTRIBUTE_TYPE type)
+{
+    int i;
+
+    for (i=0; i < (int) ulCount; i++) {
+	if (pTemplate[i].type == type) {
+	    return pTemplate[i].pValue;
+	}
+    }
+    return NULL;
+}
+
+
+#define __PASTE(x,y)	x##y
+
+/* ------------- forward declare all the NSC_ functions ------------- */
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+#define CK_PKCS11_FUNCTION_INFO(name) CK_RV __PASTE(NS,name)
+#define CK_NEED_ARG_LIST 1
+
+#include "pkcs11f.h"
+
+/* ------------- forward declare all the FIPS functions ------------- */
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+#define CK_PKCS11_FUNCTION_INFO(name) CK_RV __PASTE(F,name)
+#define CK_NEED_ARG_LIST 1
+
+#include "pkcs11f.h"
+
+/* ------------- build the CK_CRYPTO_TABLE ------------------------- */
+static CK_FUNCTION_LIST pk11_fipsTable = {
+    { 1, 10 },
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+#define CK_PKCS11_FUNCTION_INFO(name) __PASTE(F,name),
+
+
+#include "pkcs11f.h"
+
+};
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+#undef __PASTE
+
+static CK_RV
+fips_login_if_key_object(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
+{
+    CK_RV rv;
+    CK_OBJECT_CLASS objClass;
+    CK_ATTRIBUTE class; 
+    class.type = CKA_CLASS;
+    class.pValue = &objClass;
+    class.ulValueLen = sizeof(objClass);
+    rv = NSC_GetAttributeValue(hSession, hObject, &class, 1);
+    if (rv == CKR_OK) {
+	if ((objClass == CKO_PRIVATE_KEY) || (objClass == CKO_SECRET_KEY)) {
+	    rv = pk11_fipsCheck();
+	}
+    }
+    return rv;
+}
+
+
+/**********************************************************************
+ *
+ *     Start of PKCS 11 functions 
+ *
+ **********************************************************************/
+/* return the function list */
+CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList) {
+    *pFunctionList = &pk11_fipsTable;
+    return CKR_OK;
+}
+
+
+/* FC_Initialize initializes the PKCS #11 library. */
+CK_RV FC_Initialize(CK_VOID_PTR pReserved) {
+    CK_RV crv;
+
+    crv = nsc_CommonInitialize(pReserved, PR_TRUE);
+
+    /* not an 'else' rv can be set by either PK11_LowInit or PK11_SlotInit*/
+    if (crv != CKR_OK) {
+	fatalError = PR_TRUE;
+	return crv;
+    }
+
+    fatalError = PR_FALSE; /* any error has been reset */
+
+    crv = pk11_fipsPowerUpSelfTest();
+    if (crv != CKR_OK) {
+	fatalError = PR_TRUE;
+	return crv;
+    }
+
+    return CKR_OK;
+}
+
+/*FC_Finalize indicates that an application is done with the PKCS #11 library.*/
+CK_RV FC_Finalize (CK_VOID_PTR pReserved) {
+   /* this should free up FIPS Slot */
+   return NSC_Finalize (pReserved);
+}
+
+
+/* FC_GetInfo returns general information about PKCS #11. */
+CK_RV  FC_GetInfo(CK_INFO_PTR pInfo) {
+    return NSC_GetInfo(pInfo);
+}
+
+/* FC_GetSlotList obtains a list of slots in the system. */
+CK_RV FC_GetSlotList(CK_BBOOL tokenPresent,
+	 		CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) {
+    return NSC_GetSlotList(tokenPresent,pSlotList,pulCount);
+}
+	
+/* FC_GetSlotInfo obtains information about a particular slot in the system. */
+CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
+
+    CK_RV crv;
+
+    crv = NSC_GetSlotInfo(slotID,pInfo);
+    if (crv != CKR_OK) {
+	return crv;
+    }
+
+    return CKR_OK;
+}
+
+
+/*FC_GetTokenInfo obtains information about a particular token in the system.*/
+ CK_RV FC_GetTokenInfo(CK_SLOT_ID slotID,CK_TOKEN_INFO_PTR pInfo) {
+    CK_RV crv;
+
+    crv = NSC_GetTokenInfo(slotID,pInfo);
+    pInfo->flags |= CKF_RNG | CKF_LOGIN_REQUIRED;
+    return crv;
+
+}
+
+
+
+/*FC_GetMechanismList obtains a list of mechanism types supported by a token.*/
+ CK_RV FC_GetMechanismList(CK_SLOT_ID slotID,
+	CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pusCount) {
+    PK11_FIPSFATALCHECK();
+    if (slotID == FIPS_SLOT_ID) slotID = NETSCAPE_SLOT_ID;
+    /* FIPS Slot supports all functions */
+    return NSC_GetMechanismList(slotID,pMechanismList,pusCount);
+}
+
+
+/* FC_GetMechanismInfo obtains information about a particular mechanism 
+ * possibly supported by a token. */
+ CK_RV FC_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+    					CK_MECHANISM_INFO_PTR pInfo) {
+    PK11_FIPSFATALCHECK();
+    if (slotID == FIPS_SLOT_ID) slotID = NETSCAPE_SLOT_ID;
+    /* FIPS Slot supports all functions */
+    return NSC_GetMechanismInfo(slotID,type,pInfo);
+}
+
+
+/* FC_InitToken initializes a token. */
+ CK_RV FC_InitToken(CK_SLOT_ID slotID,CK_CHAR_PTR pPin,
+ 				CK_ULONG usPinLen,CK_CHAR_PTR pLabel) {
+    return CKR_HOST_MEMORY; /*is this the right function for not implemented*/
+}
+
+
+/* FC_InitPIN initializes the normal user's PIN. */
+ CK_RV FC_InitPIN(CK_SESSION_HANDLE hSession,
+    					CK_CHAR_PTR pPin, CK_ULONG ulPinLen) {
+    return NSC_InitPIN(hSession,pPin,ulPinLen);
+}
+
+
+/* FC_SetPIN modifies the PIN of user that is currently logged in. */
+/* NOTE: This is only valid for the PRIVATE_KEY_SLOT */
+ CK_RV FC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
+    CK_ULONG usOldLen, CK_CHAR_PTR pNewPin, CK_ULONG usNewLen) {
+    CK_RV rv;
+    if ((rv = pk11_fipsCheck()) != CKR_OK) return rv;
+    return NSC_SetPIN(hSession,pOldPin,usOldLen,pNewPin,usNewLen);
+}
+
+/* FC_OpenSession opens a session between an application and a token. */
+ CK_RV FC_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags,
+   CK_VOID_PTR pApplication,CK_NOTIFY Notify,CK_SESSION_HANDLE_PTR phSession) {
+    PK11_FIPSFATALCHECK();
+    return NSC_OpenSession(slotID,flags,pApplication,Notify,phSession);
+}
+
+
+/* FC_CloseSession closes a session between an application and a token. */
+ CK_RV FC_CloseSession(CK_SESSION_HANDLE hSession) {
+    return NSC_CloseSession(hSession);
+}
+
+
+/* FC_CloseAllSessions closes all sessions with a token. */
+ CK_RV FC_CloseAllSessions (CK_SLOT_ID slotID) {
+    return NSC_CloseAllSessions (slotID);
+}
+
+
+/* FC_GetSessionInfo obtains information about the session. */
+ CK_RV FC_GetSessionInfo(CK_SESSION_HANDLE hSession,
+						CK_SESSION_INFO_PTR pInfo) {
+    CK_RV rv;
+    PK11_FIPSFATALCHECK();
+
+    rv = NSC_GetSessionInfo(hSession,pInfo);
+    if (rv == CKR_OK) {
+	if ((isLoggedIn) && (pInfo->state == CKS_RO_PUBLIC_SESSION)) {
+		pInfo->state = CKS_RO_USER_FUNCTIONS;
+	}
+	if ((isLoggedIn) && (pInfo->state == CKS_RW_PUBLIC_SESSION)) {
+		pInfo->state = CKS_RW_USER_FUNCTIONS;
+	}
+    }
+    return rv;
+}
+
+/* FC_Login logs a user into a token. */
+ CK_RV FC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
+				    CK_CHAR_PTR pPin, CK_ULONG usPinLen) {
+    CK_RV rv;
+    PK11_FIPSFATALCHECK();
+    rv = NSC_Login(hSession,userType,pPin,usPinLen);
+    if (rv == CKR_OK)
+	isLoggedIn = PR_TRUE;
+    else if (rv == CKR_USER_ALREADY_LOGGED_IN)
+    {
+	isLoggedIn = PR_TRUE;
+
+	/* Provide FIPS PUB 140-1 power-up self-tests on demand. */
+	rv = pk11_fipsPowerUpSelfTest();
+	if (rv == CKR_OK)
+		return CKR_USER_ALREADY_LOGGED_IN;
+	else
+		fatalError = PR_TRUE;
+    }
+    return rv;
+}
+
+/* FC_Logout logs a user out from a token. */
+ CK_RV FC_Logout(CK_SESSION_HANDLE hSession) {
+    PK11_FIPSCHECK();
+ 
+    rv = NSC_Logout(hSession);
+    isLoggedIn = PR_FALSE;
+    return rv;
+}
+
+
+/* FC_CreateObject creates a new object. */
+ CK_RV FC_CreateObject(CK_SESSION_HANDLE hSession,
+		CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, 
+					CK_OBJECT_HANDLE_PTR phObject) {
+    CK_OBJECT_CLASS * classptr;
+    PK11_FIPSCHECK();
+    classptr = (CK_OBJECT_CLASS *)fc_getAttribute(pTemplate,ulCount,CKA_CLASS);
+    if (classptr == NULL) return CKR_TEMPLATE_INCOMPLETE;
+
+    /* FIPS can't create keys from raw key material */
+    if ((*classptr == CKO_SECRET_KEY) || (*classptr == CKO_PRIVATE_KEY)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+    return NSC_CreateObject(hSession,pTemplate,ulCount,phObject);
+}
+
+
+
+
+
+/* FC_CopyObject copies an object, creating a new object for the copy. */
+ CK_RV FC_CopyObject(CK_SESSION_HANDLE hSession,
+       CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount,
+					CK_OBJECT_HANDLE_PTR phNewObject) {
+    CK_RV rv;
+    PK11_FIPSFATALCHECK();
+    rv = fips_login_if_key_object(hSession, hObject);
+    if (rv != CKR_OK) {
+	return rv;
+    }
+    return NSC_CopyObject(hSession,hObject,pTemplate,usCount,phNewObject);
+}
+
+
+/* FC_DestroyObject destroys an object. */
+ CK_RV FC_DestroyObject(CK_SESSION_HANDLE hSession,
+		 				CK_OBJECT_HANDLE hObject) {
+    CK_RV rv;
+    PK11_FIPSFATALCHECK();
+    rv = fips_login_if_key_object(hSession, hObject);
+    if (rv != CKR_OK) {
+	return rv;
+    }
+    return NSC_DestroyObject(hSession,hObject);
+}
+
+
+/* FC_GetObjectSize gets the size of an object in bytes. */
+ CK_RV FC_GetObjectSize(CK_SESSION_HANDLE hSession,
+    			CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pusSize) {
+    CK_RV rv;
+    PK11_FIPSFATALCHECK();
+    rv = fips_login_if_key_object(hSession, hObject);
+    if (rv != CKR_OK) {
+	return rv;
+    }
+    return NSC_GetObjectSize(hSession, hObject, pusSize);
+}
+
+
+/* FC_GetAttributeValue obtains the value of one or more object attributes. */
+ CK_RV FC_GetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG usCount) {
+    CK_RV rv;
+    PK11_FIPSFATALCHECK();
+    rv = fips_login_if_key_object(hSession, hObject);
+    if (rv != CKR_OK) {
+	return rv;
+    }
+    return NSC_GetAttributeValue(hSession,hObject,pTemplate,usCount);
+}
+
+
+/* FC_SetAttributeValue modifies the value of one or more object attributes */
+ CK_RV FC_SetAttributeValue (CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG usCount) {
+    CK_RV rv;
+    PK11_FIPSFATALCHECK();
+    rv = fips_login_if_key_object(hSession, hObject);
+    if (rv != CKR_OK) {
+	return rv;
+    }
+    return NSC_SetAttributeValue(hSession,hObject,pTemplate,usCount);
+}
+
+
+
+/* FC_FindObjectsInit initializes a search for token and session objects 
+ * that match a template. */
+ CK_RV FC_FindObjectsInit(CK_SESSION_HANDLE hSession,
+    			CK_ATTRIBUTE_PTR pTemplate,CK_ULONG usCount) {
+    /* let publically readable object be found */
+    int i;
+    CK_RV rv;
+    PRBool needLogin = PR_FALSE;
+
+    PK11_FIPSFATALCHECK();
+
+    for (i=0; i < usCount; i++) {
+	CK_OBJECT_CLASS class;
+	if (pTemplate[i].type != CKA_CLASS) {
+	    continue;
+	}
+	if (pTemplate[i].ulValueLen != sizeof(CK_OBJECT_CLASS)) {
+	    continue;
+	}
+	if (pTemplate[i].pValue == NULL) {
+	    continue;
+	}
+	class = *(CK_OBJECT_CLASS *)pTemplate[i].pValue;
+	if ((class == CKO_PRIVATE_KEY) || (class == CKO_SECRET_KEY)) {
+	    needLogin = PR_TRUE;
+	    break;
+	}
+    }
+    if (needLogin) {
+	if ((rv = pk11_fipsCheck()) != CKR_OK) return rv;
+    }
+    return NSC_FindObjectsInit(hSession,pTemplate,usCount);
+}
+
+
+/* FC_FindObjects continues a search for token and session objects 
+ * that match a template, obtaining additional object handles. */
+ CK_RV FC_FindObjects(CK_SESSION_HANDLE hSession,
+    CK_OBJECT_HANDLE_PTR phObject,CK_ULONG usMaxObjectCount,
+    					CK_ULONG_PTR pusObjectCount) {
+    /* let publically readable object be found */
+    PK11_FIPSFATALCHECK();
+    return NSC_FindObjects(hSession,phObject,usMaxObjectCount,
+    							pusObjectCount);
+}
+
+
+/*
+ ************** Crypto Functions:     Encrypt ************************
+ */
+
+/* FC_EncryptInit initializes an encryption operation. */
+ CK_RV FC_EncryptInit(CK_SESSION_HANDLE hSession,
+		 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) {
+    PK11_FIPSCHECK();
+    return NSC_EncryptInit(hSession,pMechanism,hKey);
+}
+
+/* FC_Encrypt encrypts single-part data. */
+ CK_RV FC_Encrypt (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+    		CK_ULONG usDataLen, CK_BYTE_PTR pEncryptedData,
+					 CK_ULONG_PTR pusEncryptedDataLen) {
+    PK11_FIPSCHECK();
+    return NSC_Encrypt(hSession,pData,usDataLen,pEncryptedData,
+							pusEncryptedDataLen);
+}
+
+
+/* FC_EncryptUpdate continues a multiple-part encryption operation. */
+ CK_RV FC_EncryptUpdate(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pPart, CK_ULONG usPartLen, CK_BYTE_PTR pEncryptedPart,	
+					CK_ULONG_PTR pusEncryptedPartLen) {
+    PK11_FIPSCHECK();
+    return NSC_EncryptUpdate(hSession,pPart,usPartLen,pEncryptedPart,
+						pusEncryptedPartLen);
+}
+
+
+/* FC_EncryptFinal finishes a multiple-part encryption operation. */
+ CK_RV FC_EncryptFinal(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pusLastEncryptedPartLen) {
+
+    PK11_FIPSCHECK();
+    return NSC_EncryptFinal(hSession,pLastEncryptedPart,
+						pusLastEncryptedPartLen);
+}
+
+/*
+ ************** Crypto Functions:     Decrypt ************************
+ */
+
+
+/* FC_DecryptInit initializes a decryption operation. */
+ CK_RV FC_DecryptInit( CK_SESSION_HANDLE hSession,
+			 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) {
+    PK11_FIPSCHECK();
+    return NSC_DecryptInit(hSession,pMechanism,hKey);
+}
+
+/* FC_Decrypt decrypts encrypted data in a single part. */
+ CK_RV FC_Decrypt(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pEncryptedData,CK_ULONG usEncryptedDataLen,CK_BYTE_PTR pData,
+    						CK_ULONG_PTR pusDataLen) {
+    PK11_FIPSCHECK();
+    return NSC_Decrypt(hSession,pEncryptedData,usEncryptedDataLen,pData,
+    								pusDataLen);
+}
+
+
+/* FC_DecryptUpdate continues a multiple-part decryption operation. */
+ CK_RV FC_DecryptUpdate(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pEncryptedPart, CK_ULONG usEncryptedPartLen,
+    				CK_BYTE_PTR pPart, CK_ULONG_PTR pusPartLen) {
+    PK11_FIPSCHECK();
+    return NSC_DecryptUpdate(hSession,pEncryptedPart,usEncryptedPartLen,
+    							pPart,pusPartLen);
+}
+
+
+/* FC_DecryptFinal finishes a multiple-part decryption operation. */
+ CK_RV FC_DecryptFinal(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pLastPart, CK_ULONG_PTR pusLastPartLen) {
+    PK11_FIPSCHECK();
+    return NSC_DecryptFinal(hSession,pLastPart,pusLastPartLen);
+}
+
+
+/*
+ ************** Crypto Functions:     Digest (HASH)  ************************
+ */
+
+/* FC_DigestInit initializes a message-digesting operation. */
+ CK_RV FC_DigestInit(CK_SESSION_HANDLE hSession,
+    					CK_MECHANISM_PTR pMechanism) {
+    PK11_FIPSFATALCHECK();
+    return NSC_DigestInit(hSession, pMechanism);
+}
+
+
+/* FC_Digest digests data in a single part. */
+ CK_RV FC_Digest(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pData, CK_ULONG usDataLen, CK_BYTE_PTR pDigest,
+    						CK_ULONG_PTR pusDigestLen) {
+    PK11_FIPSFATALCHECK();
+    return NSC_Digest(hSession,pData,usDataLen,pDigest,pusDigestLen);
+}
+
+
+/* FC_DigestUpdate continues a multiple-part message-digesting operation. */
+ CK_RV FC_DigestUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
+					    CK_ULONG usPartLen) {
+    PK11_FIPSFATALCHECK();
+    return NSC_DigestUpdate(hSession,pPart,usPartLen);
+}
+
+
+/* FC_DigestFinal finishes a multiple-part message-digesting operation. */
+ CK_RV FC_DigestFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pDigest,
+    						CK_ULONG_PTR pusDigestLen) {
+    PK11_FIPSFATALCHECK();
+    return NSC_DigestFinal(hSession,pDigest,pusDigestLen);
+}
+
+
+/*
+ ************** Crypto Functions:     Sign  ************************
+ */
+
+/* FC_SignInit initializes a signature (private key encryption) operation,
+ * where the signature is (will be) an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+ CK_RV FC_SignInit(CK_SESSION_HANDLE hSession,
+		 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) {
+    PK11_FIPSCHECK();
+    return NSC_SignInit(hSession,pMechanism,hKey);
+}
+
+
+/* FC_Sign signs (encrypts with private key) data in a single part,
+ * where the signature is (will be) an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+ CK_RV FC_Sign(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pData,CK_ULONG usDataLen,CK_BYTE_PTR pSignature,
+    					CK_ULONG_PTR pusSignatureLen) {
+    PK11_FIPSCHECK();
+    return NSC_Sign(hSession,pData,usDataLen,pSignature,pusSignatureLen);
+}
+
+
+/* FC_SignUpdate continues a multiple-part signature operation,
+ * where the signature is (will be) an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+ CK_RV FC_SignUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
+    							CK_ULONG usPartLen) {
+    PK11_FIPSCHECK();
+    return NSC_SignUpdate(hSession,pPart,usPartLen);
+}
+
+
+/* FC_SignFinal finishes a multiple-part signature operation, 
+ * returning the signature. */
+ CK_RV FC_SignFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pSignature,
+					    CK_ULONG_PTR pusSignatureLen) {
+    PK11_FIPSCHECK();
+    return NSC_SignFinal(hSession,pSignature,pusSignatureLen);
+}
+
+/*
+ ************** Crypto Functions:     Sign Recover  ************************
+ */
+/* FC_SignRecoverInit initializes a signature operation,
+ * where the (digest) data can be recovered from the signature. 
+ * E.g. encryption with the user's private key */
+ CK_RV FC_SignRecoverInit(CK_SESSION_HANDLE hSession,
+			 CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) {
+    PK11_FIPSCHECK();
+    return NSC_SignRecoverInit(hSession,pMechanism,hKey);
+}
+
+
+/* FC_SignRecover signs data in a single operation
+ * where the (digest) data can be recovered from the signature. 
+ * E.g. encryption with the user's private key */
+ CK_RV FC_SignRecover(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+  CK_ULONG usDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pusSignatureLen) {
+    PK11_FIPSCHECK();
+    return NSC_SignRecover(hSession,pData,usDataLen,pSignature,pusSignatureLen);
+}
+
+/*
+ ************** Crypto Functions:     verify  ************************
+ */
+
+/* FC_VerifyInit initializes a verification operation, 
+ * where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature (e.g. DSA) */
+ CK_RV FC_VerifyInit(CK_SESSION_HANDLE hSession,
+			   CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) {
+    PK11_FIPSCHECK();
+    return NSC_VerifyInit(hSession,pMechanism,hKey);
+}
+
+
+/* FC_Verify verifies a signature in a single-part operation, 
+ * where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+ CK_RV FC_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+    CK_ULONG usDataLen, CK_BYTE_PTR pSignature, CK_ULONG usSignatureLen) {
+    /* make sure we're legal */
+    PK11_FIPSCHECK();
+    return NSC_Verify(hSession,pData,usDataLen,pSignature,usSignatureLen);
+}
+
+
+/* FC_VerifyUpdate continues a multiple-part verification operation, 
+ * where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+ CK_RV FC_VerifyUpdate( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+						CK_ULONG usPartLen) {
+    PK11_FIPSCHECK();
+    return NSC_VerifyUpdate(hSession,pPart,usPartLen);
+}
+
+
+/* FC_VerifyFinal finishes a multiple-part verification operation, 
+ * checking the signature. */
+ CK_RV FC_VerifyFinal(CK_SESSION_HANDLE hSession,
+			CK_BYTE_PTR pSignature,CK_ULONG usSignatureLen) {
+    PK11_FIPSCHECK();
+    return NSC_VerifyFinal(hSession,pSignature,usSignatureLen);
+}
+
+/*
+ ************** Crypto Functions:     Verify  Recover ************************
+ */
+
+/* FC_VerifyRecoverInit initializes a signature verification operation, 
+ * where the data is recovered from the signature. 
+ * E.g. Decryption with the user's public key */
+ CK_RV FC_VerifyRecoverInit(CK_SESSION_HANDLE hSession,
+			CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) {
+    PK11_FIPSCHECK();
+    return NSC_VerifyRecoverInit(hSession,pMechanism,hKey);
+}
+
+
+/* FC_VerifyRecover verifies a signature in a single-part operation, 
+ * where the data is recovered from the signature. 
+ * E.g. Decryption with the user's public key */
+ CK_RV FC_VerifyRecover(CK_SESSION_HANDLE hSession,
+		 CK_BYTE_PTR pSignature,CK_ULONG usSignatureLen,
+    				CK_BYTE_PTR pData,CK_ULONG_PTR pusDataLen) {
+    PK11_FIPSCHECK();
+    return NSC_VerifyRecover(hSession,pSignature,usSignatureLen,pData,
+								pusDataLen);
+}
+
+/*
+ **************************** Key Functions:  ************************
+ */
+
+/* FC_GenerateKey generates a secret key, creating a new key object. */
+ CK_RV FC_GenerateKey(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount,
+    						CK_OBJECT_HANDLE_PTR phKey) {
+    CK_BBOOL *boolptr;
+
+    PK11_FIPSCHECK();
+
+    /* all secret keys must be sensitive, if the upper level code tries to say
+     * otherwise, reject it. */
+    boolptr = (CK_BBOOL *) fc_getAttribute(pTemplate, ulCount, CKA_SENSITIVE);
+    if (boolptr != NULL) {
+	if (!(*boolptr)) {
+	    return CKR_ATTRIBUTE_VALUE_INVALID;
+	}
+    }
+
+    return NSC_GenerateKey(hSession,pMechanism,pTemplate,ulCount,phKey);
+}
+
+
+/* FC_GenerateKeyPair generates a public-key/private-key pair, 
+ * creating new key objects. */
+ CK_RV FC_GenerateKeyPair (CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+    CK_ULONG usPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+    CK_ULONG usPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey,
+					CK_OBJECT_HANDLE_PTR phPrivateKey) {
+    CK_BBOOL *boolptr;
+
+    PK11_FIPSCHECK();
+
+    /* all private keys must be sensitive, if the upper level code tries to say
+     * otherwise, reject it. */
+    boolptr = (CK_BBOOL *) fc_getAttribute(pPrivateKeyTemplate, 
+				usPrivateKeyAttributeCount, CKA_SENSITIVE);
+    if (boolptr != NULL) {
+	if (!(*boolptr)) {
+	    return CKR_ATTRIBUTE_VALUE_INVALID;
+	}
+    }
+    return NSC_GenerateKeyPair (hSession,pMechanism,pPublicKeyTemplate,
+    		usPublicKeyAttributeCount,pPrivateKeyTemplate,
+		usPrivateKeyAttributeCount,phPublicKey,phPrivateKey);
+}
+
+
+/* FC_WrapKey wraps (i.e., encrypts) a key. */
+ CK_RV FC_WrapKey(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey,
+    CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey,
+					 CK_ULONG_PTR pusWrappedKeyLen) {
+    PK11_FIPSCHECK();
+    return NSC_WrapKey(hSession,pMechanism,hWrappingKey,hKey,pWrappedKey,
+							pusWrappedKeyLen);
+}
+
+
+/* FC_UnwrapKey unwraps (decrypts) a wrapped key, creating a new key object. */
+ CK_RV FC_UnwrapKey(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey,
+    CK_BYTE_PTR pWrappedKey, CK_ULONG usWrappedKeyLen,
+    CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usAttributeCount,
+						 CK_OBJECT_HANDLE_PTR phKey) {
+    CK_BBOOL *boolptr;
+
+    PK11_FIPSCHECK();
+
+    /* all secret keys must be sensitive, if the upper level code tries to say
+     * otherwise, reject it. */
+    boolptr = (CK_BBOOL *) fc_getAttribute(pTemplate, 
+					usAttributeCount, CKA_SENSITIVE);
+    if (boolptr != NULL) {
+	if (!(*boolptr)) {
+	    return CKR_ATTRIBUTE_VALUE_INVALID;
+	}
+    }
+    return NSC_UnwrapKey(hSession,pMechanism,hUnwrappingKey,pWrappedKey,
+			usWrappedKeyLen,pTemplate,usAttributeCount,phKey);
+}
+
+
+/* FC_DeriveKey derives a key from a base key, creating a new key object. */
+ CK_RV FC_DeriveKey( CK_SESSION_HANDLE hSession,
+	 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey,
+	 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usAttributeCount, 
+						CK_OBJECT_HANDLE_PTR phKey) {
+    CK_BBOOL *boolptr;
+
+    PK11_FIPSCHECK();
+
+    /* all secret keys must be sensitive, if the upper level code tries to say
+     * otherwise, reject it. */
+    boolptr = (CK_BBOOL *) fc_getAttribute(pTemplate, 
+					usAttributeCount, CKA_SENSITIVE);
+    if (boolptr != NULL) {
+	if (!(*boolptr)) {
+	    return CKR_ATTRIBUTE_VALUE_INVALID;
+	}
+    }
+    return NSC_DeriveKey(hSession,pMechanism,hBaseKey,pTemplate,
+			usAttributeCount, phKey);
+}
+
+/*
+ **************************** Radom Functions:  ************************
+ */
+
+/* FC_SeedRandom mixes additional seed material into the token's random number 
+ * generator. */
+ CK_RV FC_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
+    CK_ULONG usSeedLen) {
+    CK_RV crv;
+
+    PK11_FIPSFATALCHECK();
+    crv = NSC_SeedRandom(hSession,pSeed,usSeedLen);
+    if (crv != CKR_OK) {
+	fatalError = PR_TRUE;
+    }
+    return crv;
+}
+
+
+/* FC_GenerateRandom generates random data. */
+ CK_RV FC_GenerateRandom(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR	pRandomData, CK_ULONG usRandomLen) {
+    CK_RV crv;
+
+    PK11_FIPSFATALCHECK();
+    crv = NSC_GenerateRandom(hSession,pRandomData,usRandomLen);
+    if (crv != CKR_OK) {
+	fatalError = PR_TRUE;
+    }
+    return crv;
+}
+
+
+/* FC_GetFunctionStatus obtains an updated status of a function running 
+ * in parallel with an application. */
+ CK_RV FC_GetFunctionStatus(CK_SESSION_HANDLE hSession) {
+    PK11_FIPSCHECK();
+    return NSC_GetFunctionStatus(hSession);
+}
+
+
+/* FC_CancelFunction cancels a function running in parallel */
+ CK_RV FC_CancelFunction(CK_SESSION_HANDLE hSession) {
+    PK11_FIPSCHECK();
+    return NSC_CancelFunction(hSession);
+}
+
+/*
+ ****************************  Version 1.1 Functions:  ************************
+ */
+
+/* FC_GetOperationState saves the state of the cryptographic 
+ *operation in a session. */
+CK_RV FC_GetOperationState(CK_SESSION_HANDLE hSession, 
+	CK_BYTE_PTR  pOperationState, CK_ULONG_PTR pulOperationStateLen) {
+    PK11_FIPSFATALCHECK();
+    return NSC_GetOperationState(hSession,pOperationState,pulOperationStateLen);
+}
+
+
+/* FC_SetOperationState restores the state of the cryptographic operation 
+ * in a session. */
+CK_RV FC_SetOperationState(CK_SESSION_HANDLE hSession, 
+	CK_BYTE_PTR  pOperationState, CK_ULONG  ulOperationStateLen,
+        CK_OBJECT_HANDLE hEncryptionKey, CK_OBJECT_HANDLE hAuthenticationKey) {
+    PK11_FIPSFATALCHECK();
+    return NSC_SetOperationState(hSession,pOperationState,ulOperationStateLen,
+        				hEncryptionKey,hAuthenticationKey);
+}
+
+/* FC_FindObjectsFinal finishes a search for token and session objects. */
+CK_RV FC_FindObjectsFinal(CK_SESSION_HANDLE hSession) {
+    /* let publically readable object be found */
+    PK11_FIPSFATALCHECK();
+    return NSC_FindObjectsFinal(hSession);
+}
+
+
+/* Dual-function cryptographic operations */
+
+/* FC_DigestEncryptUpdate continues a multiple-part digesting and encryption 
+ * operation. */
+CK_RV FC_DigestEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR  pPart,
+    CK_ULONG  ulPartLen, CK_BYTE_PTR  pEncryptedPart,
+					 CK_ULONG_PTR pulEncryptedPartLen) {
+    PK11_FIPSCHECK();
+    return NSC_DigestEncryptUpdate(hSession,pPart,ulPartLen,pEncryptedPart,
+					 pulEncryptedPartLen);
+}
+
+
+/* FC_DecryptDigestUpdate continues a multiple-part decryption and digesting 
+ * operation. */
+CK_RV FC_DecryptDigestUpdate(CK_SESSION_HANDLE hSession,
+     CK_BYTE_PTR  pEncryptedPart, CK_ULONG  ulEncryptedPartLen,
+    				CK_BYTE_PTR  pPart, CK_ULONG_PTR pulPartLen) {
+
+    PK11_FIPSCHECK();
+    return NSC_DecryptDigestUpdate(hSession, pEncryptedPart,ulEncryptedPartLen,
+    				pPart,pulPartLen);
+}
+
+/* FC_SignEncryptUpdate continues a multiple-part signing and encryption 
+ * operation. */
+CK_RV FC_SignEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR  pPart,
+	 CK_ULONG  ulPartLen, CK_BYTE_PTR  pEncryptedPart,
+					 CK_ULONG_PTR pulEncryptedPartLen) {
+
+    PK11_FIPSCHECK();
+    return NSC_SignEncryptUpdate(hSession,pPart,ulPartLen,pEncryptedPart,
+					 pulEncryptedPartLen);
+}
+
+/* FC_DecryptVerifyUpdate continues a multiple-part decryption and verify 
+ * operation. */
+CK_RV FC_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession, 
+	CK_BYTE_PTR  pEncryptedData, CK_ULONG  ulEncryptedDataLen, 
+				CK_BYTE_PTR  pData, CK_ULONG_PTR pulDataLen) {
+
+    PK11_FIPSCHECK();
+    return NSC_DecryptVerifyUpdate(hSession,pEncryptedData,ulEncryptedDataLen, 
+				pData,pulDataLen);
+}
+
+
+/* FC_DigestKey continues a multi-part message-digesting operation,
+ * by digesting the value of a secret key as part of the data already digested.
+ */
+CK_RV FC_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey) {
+    PK11_FIPSCHECK();
+    return NSC_DigestKey(hSession,hKey);
+}
+
+
+CK_RV FC_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot,
+							 CK_VOID_PTR pReserved)
+{
+    return NSC_WaitForSlotEvent(flags, pSlot, pReserved);
+}
diff --git a/security/nss/lib/softoken/keydb.c b/security/nss/lib/softoken/keydb.c
new file mode 100644
index 000000000..2f9c1bdda
--- /dev/null
+++ b/security/nss/lib/softoken/keydb.c
@@ -0,0 +1,2574 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * Private Key Database code
+ *
+ * $Id$
+ */
+
+#include "lowkeyi.h"
+#include "seccomon.h"
+#include "sechash.h"
+#include "secder.h"
+#include "secasn1.h"
+#include "secoid.h"
+#include "blapi.h"
+#include "secitem.h"
+#include "pcert.h"
+#include "mcom_db.h"
+#include "lowpbe.h"
+#include "secerr.h"
+
+#include "keydbi.h"
+
+/*
+ * Record keys for keydb
+ */
+#define SALT_STRING "global-salt"
+#define VERSION_STRING "Version"
+#define KEYDB_PW_CHECK_STRING	"password-check"
+#define KEYDB_PW_CHECK_LEN	14
+#define KEYDB_FAKE_PW_CHECK_STRING	"fake-password-check"
+#define KEYDB_FAKE_PW_CHECK_LEN	19
+
+/* Size of the global salt for key database */
+#define SALT_LENGTH     16
+
+/* ASN1 Templates for new decoder/encoder */
+const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(NSSLOWKEYPrivateKeyInfo) },
+    { SEC_ASN1_INTEGER,
+	offsetof(NSSLOWKEYPrivateKeyInfo,version) },
+    { SEC_ASN1_INLINE,
+	offsetof(NSSLOWKEYPrivateKeyInfo,algorithm),
+	SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_OCTET_STRING,
+	offsetof(NSSLOWKEYPrivateKeyInfo,privateKey) },
+    { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_PointerToPrivateKeyInfoTemplate[] = {
+    { SEC_ASN1_POINTER, 0, nsslowkey_PrivateKeyInfoTemplate }
+};
+
+const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	0, NULL, sizeof(NSSLOWKEYEncryptedPrivateKeyInfo) },
+    { SEC_ASN1_INLINE,
+	offsetof(NSSLOWKEYEncryptedPrivateKeyInfo,algorithm),
+	SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_OCTET_STRING,
+	offsetof(NSSLOWKEYEncryptedPrivateKeyInfo,encryptedData) },
+    { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_PointerToEncryptedPrivateKeyInfoTemplate[] = {
+	{ SEC_ASN1_POINTER, 0, nsslowkey_EncryptedPrivateKeyInfoTemplate }
+};
+
+
+/* ====== Default key databse encryption algorithm ====== */
+
+static SECOidTag defaultKeyDBAlg = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC;
+
+/*
+ * Default algorithm for encrypting data in the key database
+ */
+SECOidTag
+nsslowkey_GetDefaultKeyDBAlg(void)
+{
+    return(defaultKeyDBAlg);
+}
+
+void
+nsslowkey_SetDefaultKeyDBAlg(SECOidTag alg)
+{
+    defaultKeyDBAlg = alg;
+
+    return;
+}
+
+static void
+sec_destroy_dbkey(NSSLOWKEYDBKey *dbkey)
+{
+    if ( dbkey && dbkey->arena ) {
+	PORT_FreeArena(dbkey->arena, PR_FALSE);
+    }
+}
+
+static void
+free_dbt(DBT *dbt)
+{
+    if ( dbt ) {
+	PORT_Free(dbt->data);
+	PORT_Free(dbt);
+    }
+    
+    return;
+}
+
+/*
+ * format of key database entries for version 3 of database:
+ *	byte offset	field
+ *	-----------	-----
+ *	0		version
+ *	1		salt-len
+ *	2		nn-len
+ *	3..		salt-data
+ *	...		nickname
+ *	...		encrypted-key-data
+ */
+static DBT *
+encode_dbkey(NSSLOWKEYDBKey *dbkey,unsigned char version)
+{
+    DBT *bufitem = NULL;
+    unsigned char *buf;
+    int nnlen;
+    char *nn;
+    
+    bufitem = (DBT *)PORT_ZAlloc(sizeof(DBT));
+    if ( bufitem == NULL ) {
+	goto loser;
+    }
+    
+    if ( dbkey->nickname ) {
+	nn = dbkey->nickname;
+	nnlen = PORT_Strlen(nn) + 1;
+    } else {
+	nn = "";
+	nnlen = 1;
+    }
+    
+    /* compute the length of the record */
+    /* 1 + 1 + 1 == version number header + salt length + nn len */
+    bufitem->size = dbkey->salt.len + nnlen + dbkey->derPK.len + 1 + 1 + 1;
+    
+    bufitem->data = (void *)PORT_ZAlloc(bufitem->size);
+    if ( bufitem->data == NULL ) {
+	goto loser;
+    }
+
+    buf = (unsigned char *)bufitem->data;
+    
+    /* set version number */
+    buf[0] = version;
+
+    /* set length of salt */
+    PORT_Assert(dbkey->salt.len < 256);
+    buf[1] = dbkey->salt.len;
+
+    /* set length of nickname */
+    PORT_Assert(nnlen < 256);
+    buf[2] = nnlen;
+
+    /* copy salt */
+    PORT_Memcpy(&buf[3], dbkey->salt.data, dbkey->salt.len);
+
+    /* copy nickname */
+    PORT_Memcpy(&buf[3 + dbkey->salt.len], nn, nnlen);
+
+    /* copy encrypted key */
+    PORT_Memcpy(&buf[3 + dbkey->salt.len + nnlen], dbkey->derPK.data,
+	      dbkey->derPK.len);
+    
+    return(bufitem);
+    
+loser:
+    if ( bufitem ) {
+	free_dbt(bufitem);
+    }
+    
+    return(NULL);
+}
+
+static NSSLOWKEYDBKey *
+decode_dbkey(DBT *bufitem, int expectedVersion)
+{
+    NSSLOWKEYDBKey *dbkey;
+    PLArenaPool *arena = NULL;
+    unsigned char *buf;
+    int version;
+    int keyoff;
+    int nnlen;
+    int saltoff;
+    
+    buf = (unsigned char *)bufitem->data;
+
+    version = buf[0];
+    
+    if ( version != expectedVersion ) {
+	goto loser;
+    }
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	goto loser;
+    }
+    
+    dbkey = (NSSLOWKEYDBKey *)PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYDBKey));
+    if ( dbkey == NULL ) {
+	goto loser;
+    }
+
+    dbkey->arena = arena;
+    dbkey->salt.data = NULL;
+    dbkey->derPK.data = NULL;
+    
+    dbkey->salt.len = buf[1];
+    dbkey->salt.data = (unsigned char *)PORT_ArenaZAlloc(arena, dbkey->salt.len);
+    if ( dbkey->salt.data == NULL ) {
+	goto loser;
+    }
+
+    saltoff = 2;
+    keyoff = 2 + dbkey->salt.len;
+    
+    if ( expectedVersion >= 3 ) {
+	nnlen = buf[2];
+	if ( nnlen ) {
+	    dbkey->nickname = (char *)PORT_ArenaZAlloc(arena, nnlen + 1);
+	    if ( dbkey->nickname ) {
+		PORT_Memcpy(dbkey->nickname, &buf[keyoff+1], nnlen);
+	    }
+	}
+	keyoff += ( nnlen + 1 );
+	saltoff = 3;
+    }
+
+    PORT_Memcpy(dbkey->salt.data, &buf[saltoff], dbkey->salt.len);
+    
+    dbkey->derPK.len = bufitem->size - keyoff;
+    dbkey->derPK.data = (unsigned char *)PORT_ArenaZAlloc(arena,dbkey->derPK.len);
+    if ( dbkey->derPK.data == NULL ) {
+	goto loser;
+    }
+    
+    PORT_Memcpy(dbkey->derPK.data, &buf[keyoff], dbkey->derPK.len);
+    
+    return(dbkey);
+    
+loser:
+
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+static NSSLOWKEYDBKey *
+get_dbkey(NSSLOWKEYDBHandle *handle, DBT *index)
+{
+    NSSLOWKEYDBKey *dbkey;
+    DBT entry;
+    int ret;
+    
+    /* get it from the database */
+    ret = (* handle->db->get)(handle->db, index, &entry, 0);
+    if ( ret ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	return NULL;
+    }
+
+    /* set up dbkey struct */
+
+    dbkey = decode_dbkey(&entry, handle->version);
+
+    return(dbkey);
+}
+
+static SECStatus
+put_dbkey(NSSLOWKEYDBHandle *handle, DBT *index, NSSLOWKEYDBKey *dbkey, PRBool update)
+{
+    DBT *keydata = NULL;
+    int status;
+    
+    keydata = encode_dbkey(dbkey, handle->version);
+    if ( keydata == NULL ) {
+	goto loser;
+    }
+    
+    /* put it in the database */
+    if ( update ) {
+	status = (* handle->db->put)(handle->db, index, keydata, 0);
+    } else {
+	status = (* handle->db->put)(handle->db, index, keydata,
+				     R_NOOVERWRITE);
+    }
+    
+    if ( status ) {
+	goto loser;
+    }
+
+    /* sync the database */
+    status = (* handle->db->sync)(handle->db, 0);
+    if ( status ) {
+	goto loser;
+    }
+
+    free_dbt(keydata);
+    return(SECSuccess);
+
+loser:
+    if ( keydata ) {
+	free_dbt(keydata);
+    }
+    
+    return(SECFailure);
+}
+
+SECStatus
+nsslowkey_TraverseKeys(NSSLOWKEYDBHandle *handle, 
+		 SECStatus (* keyfunc)(DBT *k, DBT *d, void *pdata),
+		 void *udata )
+{
+    DBT data;
+    DBT key;
+    SECStatus status;
+    int ret;
+
+    if (handle == NULL) {
+	return(SECFailure);
+    }
+
+    ret = (* handle->db->seq)(handle->db, &key, &data, R_FIRST);
+    if ( ret ) {
+	return(SECFailure);
+    }
+    
+    do {
+	/* skip version record */
+	if ( data.size > 1 ) {
+	    if ( key.size == ( sizeof(SALT_STRING) - 1 ) ) {
+		if ( PORT_Memcmp(key.data, SALT_STRING, key.size) == 0 ) {
+		    continue;
+		}
+	    }
+
+	    /* skip password check */
+	    if ( key.size == KEYDB_PW_CHECK_LEN ) {
+		if ( PORT_Memcmp(key.data, KEYDB_PW_CHECK_STRING,
+				 KEYDB_PW_CHECK_LEN) == 0 ) {
+		    continue;
+		}
+	    }
+	    
+	    status = (* keyfunc)(&key, &data, udata);
+	    if (status != SECSuccess) {
+		return(status);
+	    }
+	}
+    } while ( (* handle->db->seq)(handle->db, &key, &data, R_NEXT) == 0 );
+
+    return(SECSuccess);
+}
+
+typedef struct keyNode {
+    struct keyNode *next;
+    DBT key;
+} keyNode;
+
+typedef struct {
+    PLArenaPool *arena;
+    keyNode *head;
+} keyList;
+
+static SECStatus
+sec_add_key_to_list(DBT *key, DBT *data, void *arg)
+{
+    keyList *keylist;
+    keyNode *node;
+    void *keydata;
+    
+    keylist = (keyList *)arg;
+
+    /* allocate the node struct */
+    node = (keyNode*)PORT_ArenaZAlloc(keylist->arena, sizeof(keyNode));
+    if ( node == NULL ) {
+	return(SECFailure);
+    }
+    
+    /* allocate room for key data */
+    keydata = PORT_ArenaZAlloc(keylist->arena, key->size);
+    if ( keydata == NULL ) {
+	return(SECFailure);
+    }
+
+    /* link node into list */
+    node->next = keylist->head;
+    keylist->head = node;
+
+    /* copy key into node */
+    PORT_Memcpy(keydata, key->data, key->size);
+    node->key.size = key->size;
+    node->key.data = keydata;
+    
+    return(SECSuccess);
+}
+
+static SECItem *
+decodeKeyDBGlobalSalt(DBT *saltData)
+{
+    SECItem *saltitem;
+    
+    saltitem = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    if ( saltitem == NULL ) {
+	return(NULL);
+    }
+    
+    saltitem->data = (unsigned char *)PORT_ZAlloc(saltData->size);
+    if ( saltitem->data == NULL ) {
+	PORT_Free(saltitem);
+	return(NULL);
+    }
+    
+    saltitem->len = saltData->size;
+    PORT_Memcpy(saltitem->data, saltData->data, saltitem->len);
+    
+    return(saltitem);
+}
+
+static SECItem *
+GetKeyDBGlobalSalt(NSSLOWKEYDBHandle *handle)
+{
+    DBT saltKey;
+    DBT saltData;
+    int ret;
+    
+    saltKey.data = SALT_STRING;
+    saltKey.size = sizeof(SALT_STRING) - 1;
+
+    ret = (* handle->db->get)(handle->db, &saltKey, &saltData, 0);
+    if ( ret ) {
+	return(NULL);
+    }
+
+    return(decodeKeyDBGlobalSalt(&saltData));
+}
+
+static SECStatus
+makeGlobalVersion(NSSLOWKEYDBHandle *handle)
+{
+    unsigned char version;
+    DBT versionData;
+    DBT versionKey;
+    int status;
+    
+    version = NSSLOWKEY_DB_FILE_VERSION;
+    versionData.data = &version;
+    versionData.size = 1;
+    versionKey.data = VERSION_STRING;
+    versionKey.size = sizeof(VERSION_STRING)-1;
+		
+    /* put version string into the database now */
+    status = (* handle->db->put)(handle->db, &versionKey, &versionData, 0);
+    if ( status ) {
+	return(SECFailure);
+    }
+    handle->version = version;
+
+    return(SECSuccess);
+}
+
+
+static SECStatus
+makeGlobalSalt(NSSLOWKEYDBHandle *handle)
+{
+    DBT saltKey;
+    DBT saltData;
+    unsigned char saltbuf[16];
+    int status;
+    
+    saltKey.data = SALT_STRING;
+    saltKey.size = sizeof(SALT_STRING) - 1;
+
+    saltData.data = (void *)saltbuf;
+    saltData.size = sizeof(saltbuf);
+    RNG_GenerateGlobalRandomBytes(saltbuf, sizeof(saltbuf));
+
+    /* put global salt into the database now */
+    status = (* handle->db->put)( handle->db, &saltKey, &saltData, 0);
+    if ( status ) {
+	return(SECFailure);
+    }
+
+    return(SECSuccess);
+}
+
+static char *
+keyDBFilenameCallback(void *arg, int dbVersion)
+{
+    return(PORT_Strdup((char *)arg));
+}
+
+NSSLOWKEYDBHandle *
+nsslowkey_OpenKeyDBFilename(char *dbname, PRBool readOnly)
+{
+    return(nsslowkey_OpenKeyDB(readOnly, keyDBFilenameCallback,
+			   (void *)dbname));
+}
+
+static SECStatus
+ChangeKeyDBPasswordAlg(NSSLOWKEYDBHandle *handle,
+		       SECItem *oldpwitem, SECItem *newpwitem,
+		       SECOidTag new_algorithm);
+/*
+ * Second pass of updating the key db.  This time we have a password.
+ */
+static SECStatus
+nsslowkey_UpdateKeyDBPass2(NSSLOWKEYDBHandle *handle, SECItem *pwitem)
+{
+    SECStatus rv;
+    
+    rv = ChangeKeyDBPasswordAlg(handle, pwitem, pwitem,
+			     nsslowkey_GetDefaultKeyDBAlg());
+    
+    return(rv);
+}
+
+static SECStatus
+encodePWCheckEntry(PLArenaPool *arena, SECItem *entry, SECOidTag alg,
+		   SECItem *encCheck);
+
+static unsigned char
+nsslowkey_version(DB *db)
+{
+    DBT versionKey;
+    DBT versionData;
+    int ret;
+    versionKey.data = VERSION_STRING;
+    versionKey.size = sizeof(VERSION_STRING)-1;
+
+    /* lookup version string in database */
+    ret = (* db->get)( db, &versionKey, &versionData, 0 );
+
+    /* error accessing the database */
+    if ( ret < 0 ) {
+	return 255;
+    }
+
+    if ( ret == 1 ) {
+	return 0;
+    }
+    return *( (unsigned char *)versionData.data);
+}
+
+#ifdef NSS_USE_KEY4_DB
+nsslowkey_UpdateKey3DBPass1(NSSLOWKEYDBHandle *handle)
+{
+    SECStatus rv;
+    DBT checkKey;
+    DBT checkData;
+    DBT saltKey;
+    DBT saltData;
+    DBT key;
+    DBT data;
+    DBT newKey;
+    unsigned char buf[SHA1_LENGTH];
+    unsigned char version;
+    SECItem *rc4key = NULL;
+    NSSLOWKEYDBKey *dbkey = NULL;
+    SECItem *oldSalt = NULL;
+    int ret;
+    SECItem checkitem;
+
+    if ( handle->updatedb == NULL ) {
+	return(SECSuccess);
+    }
+
+    /*
+     * check the version record
+     */
+    version = nsslowkey_version(handle->updatedb);
+    if (version != 3) {
+	goto done;
+    }
+
+    saltKey.data = SALT_STRING;
+    saltKey.size = sizeof(SALT_STRING) - 1;
+
+    ret = (* handle->updatedb->get)(handle->updatedb, &saltKey, &saltData, 0);
+    if ( ret ) {
+	/* no salt in old db, so it is corrupted */
+	goto done;
+    }
+
+    oldSalt = decodeKeyDBGlobalSalt(&saltData);
+    if ( oldSalt == NULL ) {
+	/* bad salt in old db, so it is corrupted */
+	goto done;
+    }
+
+    /*
+     * look for a pw check entry
+     */
+    checkKey.data = KEYDB_PW_CHECK_STRING;
+    checkKey.size = KEYDB_PW_CHECK_LEN;
+    
+    ret = (* handle->updatedb->get)(handle->updatedb, &checkKey,
+				   &checkData, 0 );
+    if (ret) {
+	checkKey.data = KEYDB_FAKE_PW_CHECK_STRING;
+	checkKey.size = KEYDB_FAKE_PW_CHECK_LEN;
+	ret = (* handle->updatedb->get)(handle->updatedb, &checkKey,
+				   &checkData, 0 );
+	if (ret) {
+	    goto done;
+	}
+    } 
+
+    /* put global salt into the new database now */
+    ret = (* handle->db->put)( handle->db, &saltKey, &saltData, 0);
+    if ( ret ) {
+	goto done;
+    }
+
+    if (checkKey.size == KEYDB_PW_CHECK_LEN) {
+	dbkey = decode_dbkey(&checkData, 3);
+	if ( dbkey == NULL ) {
+	    goto done;
+	}
+	rv = put_dbkey(handle, &checkKey, dbkey, PR_FALSE);
+	ret = (rv != SECSuccess);
+    } else {
+	ret = (* handle->db->put)(handle->db, &checkKey, &checkData, 0);
+    }
+    if ( ret ) {
+	goto done;
+    }
+    
+    /* now traverse the database */
+    ret = (* handle->updatedb->seq)(handle->updatedb, &key, &data, R_FIRST);
+    if ( ret ) {
+	goto done;
+    }
+    
+    do {
+
+	/* skip version record */
+	if ( data.size > 1 ) {
+	    /* skip salt */
+	    if ( key.size == ( sizeof(SALT_STRING) - 1 ) ) {
+		if ( PORT_Memcmp(key.data, SALT_STRING, key.size) == 0 ) {
+		    continue;
+		}
+	    }
+	    /* skip pw check entry */
+	    if ( key.size == checkKey.size ) {
+		if ( PORT_Memcmp(key.data, checkKey.data, key.size) == 0 ) {
+		    continue;
+		}
+	    }
+	    dbkey = decode_dbkey(&data, 3);
+	    if ( dbkey == NULL ) {
+		continue;
+	    }
+	    SHA1_HashBuf(buf,key.data,key.size);
+	    newKey.data = buf;
+	    newKey.size = SHA1_LENGTH;
+
+	    rv = put_dbkey(handle, &newKey, dbkey, PR_FALSE);
+
+	    sec_destroy_dbkey(dbkey);
+
+	}
+    } while ( (* handle->updatedb->seq)(handle->updatedb, &key, &data,
+					R_NEXT) == 0 );
+
+done:
+    /* sync the database */
+    ret = (* handle->db->sync)(handle->db, 0);
+
+    (* handle->updatedb->close)(handle->updatedb);
+    handle->updatedb = NULL;
+
+    if ( oldSalt ) {
+	SECITEM_FreeItem(oldSalt, PR_TRUE);
+    }
+    return(SECSuccess);
+}
+#endif
+
+static PRBool
+seckey_HasAServerKey(DB *db)
+{
+    DBT key;
+    DBT data;
+    int ret;
+    PRBool found = PR_FALSE;
+
+    ret = (* db->seq)(db, &key, &data, R_FIRST);
+    if ( ret ) {
+	return PR_FALSE;
+    }
+    
+    do {
+	/* skip version record */
+	if ( data.size > 1 ) {
+	    /* skip salt */
+	    if ( key.size == ( sizeof(SALT_STRING) - 1 ) ) {
+		if ( PORT_Memcmp(key.data, SALT_STRING, key.size) == 0 ) {
+		    continue;
+		}
+	    }
+	    /* skip pw check entry */
+	    if ( key.size == KEYDB_PW_CHECK_LEN ) {
+		if ( PORT_Memcmp(key.data, KEYDB_PW_CHECK_STRING, 
+						KEYDB_PW_CHECK_LEN) == 0 ) {
+		    continue;
+		}
+	    }
+
+	    /* keys stored by nickname will have 0 as the last byte of the
+	     * db key.  Other keys must be stored by modulus.  We will not
+	     * update those because they are left over from a keygen that
+	     * never resulted in a cert.
+	     */
+	    if ( ((unsigned char *)key.data)[key.size-1] != 0 ) {
+		continue;
+	    }
+
+	    if (PORT_Strcmp(key.data,"Server-Key") == 0) {
+		found = PR_TRUE;
+	        break;
+	    }
+	    
+	}
+    } while ( (* db->seq)(db, &key, &data, R_NEXT) == 0 );
+
+    return found;
+}
+/*
+ * currently updates key database from v2 to v3
+ */
+static SECStatus
+nsslowkey_UpdateKeyDBPass1(NSSLOWKEYDBHandle *handle)
+{
+    SECStatus rv;
+    DBT checkKey;
+    DBT checkData;
+    DBT saltKey;
+    DBT saltData;
+    DBT key;
+    DBT data;
+    unsigned char version;
+    SECItem *rc4key = NULL;
+    NSSLOWKEYDBKey *dbkey = NULL;
+    SECItem *oldSalt = NULL;
+    int ret;
+    SECItem checkitem;
+
+    if ( handle->updatedb == NULL ) {
+	return(SECSuccess);
+    }
+
+    /*
+     * check the version record
+     */
+    version = nsslowkey_version(handle->updatedb);
+    if (version != 2) {
+	goto done;
+    }
+
+    saltKey.data = SALT_STRING;
+    saltKey.size = sizeof(SALT_STRING) - 1;
+
+    ret = (* handle->updatedb->get)(handle->updatedb, &saltKey, &saltData, 0);
+    if ( ret ) {
+	/* no salt in old db, so it is corrupted */
+	goto done;
+    }
+
+    oldSalt = decodeKeyDBGlobalSalt(&saltData);
+    if ( oldSalt == NULL ) {
+	/* bad salt in old db, so it is corrupted */
+	goto done;
+    }
+
+    /*
+     * look for a pw check entry
+     */
+    checkKey.data = KEYDB_PW_CHECK_STRING;
+    checkKey.size = KEYDB_PW_CHECK_LEN;
+    
+    ret = (* handle->updatedb->get)(handle->updatedb, &checkKey,
+				   &checkData, 0 );
+    if (ret) {
+	/*
+	 * if we have a key, but no KEYDB_PW_CHECK_STRING, then this must
+	 * be an old server database, and it does have a password associated
+	 * with it. Put a fake entry in so we can identify this db when we do
+	 * get the password for it.
+	 */
+	if (seckey_HasAServerKey(handle->updatedb)) {
+	    DBT fcheckKey;
+	    DBT fcheckData;
+
+	    /*
+	     * include a fake string
+	     */
+	    fcheckKey.data = KEYDB_FAKE_PW_CHECK_STRING;
+	    fcheckKey.size = KEYDB_FAKE_PW_CHECK_LEN;
+	    fcheckData.data = "1";
+	    fcheckData.size = 1;
+	    /* put global salt into the new database now */
+	    ret = (* handle->db->put)( handle->db, &saltKey, &saltData, 0);
+	    if ( ret ) {
+		goto done;
+	    }
+	    ret = (* handle->db->put)( handle->db, &fcheckKey, &fcheckData, 0);
+	    if ( ret ) {
+		goto done;
+	    }
+	} else {
+	    goto done;
+	}
+    } else {
+	/* put global salt into the new database now */
+	ret = (* handle->db->put)( handle->db, &saltKey, &saltData, 0);
+	if ( ret ) {
+	    goto done;
+	}
+
+	dbkey = decode_dbkey(&checkData, 2);
+	if ( dbkey == NULL ) {
+	    goto done;
+	}
+	checkitem = dbkey->derPK;
+	dbkey->derPK.data = NULL;
+    
+	/* format the new pw check entry */
+	rv = encodePWCheckEntry(NULL, &dbkey->derPK, SEC_OID_RC4, &checkitem);
+	if ( rv != SECSuccess ) {
+	    goto done;
+	}
+
+	rv = put_dbkey(handle, &checkKey, dbkey, PR_TRUE);
+	if ( rv != SECSuccess ) {
+	    goto done;
+	}
+
+	/* free the dbkey */
+	sec_destroy_dbkey(dbkey);
+	dbkey = NULL;
+    }
+    
+    
+    /* now traverse the database */
+    ret = (* handle->updatedb->seq)(handle->updatedb, &key, &data, R_FIRST);
+    if ( ret ) {
+	goto done;
+    }
+    
+    do {
+	/* skip version record */
+	if ( data.size > 1 ) {
+	    /* skip salt */
+	    if ( key.size == ( sizeof(SALT_STRING) - 1 ) ) {
+		if ( PORT_Memcmp(key.data, SALT_STRING, key.size) == 0 ) {
+		    continue;
+		}
+	    }
+	    /* skip pw check entry */
+	    if ( key.size == checkKey.size ) {
+		if ( PORT_Memcmp(key.data, checkKey.data, key.size) == 0 ) {
+		    continue;
+		}
+	    }
+
+	    /* keys stored by nickname will have 0 as the last byte of the
+	     * db key.  Other keys must be stored by modulus.  We will not
+	     * update those because they are left over from a keygen that
+	     * never resulted in a cert.
+	     */
+	    if ( ((unsigned char *)key.data)[key.size-1] != 0 ) {
+		continue;
+	    }
+	    
+	    dbkey = decode_dbkey(&data, 2);
+	    if ( dbkey == NULL ) {
+		continue;
+	    }
+
+	    /* This puts the key into the new database with the same
+	     * index (nickname) that it had before.  The second pass
+	     * of the update will have the password.  It will decrypt
+	     * and re-encrypt the entries using a new algorithm.
+	     */
+	    dbkey->nickname = (char *)key.data;
+	    rv = put_dbkey(handle, &key, dbkey, PR_FALSE);
+	    dbkey->nickname = NULL;
+
+	    sec_destroy_dbkey(dbkey);
+	}
+    } while ( (* handle->updatedb->seq)(handle->updatedb, &key, &data,
+					R_NEXT) == 0 );
+
+    dbkey = NULL;
+
+done:
+    /* sync the database */
+    ret = (* handle->db->sync)(handle->db, 0);
+
+    (* handle->updatedb->close)(handle->updatedb);
+    handle->updatedb = NULL;
+    
+    if ( rc4key ) {
+	SECITEM_FreeItem(rc4key, PR_TRUE);
+    }
+    
+    if ( oldSalt ) {
+	SECITEM_FreeItem(oldSalt, PR_TRUE);
+    }
+    
+    if ( dbkey ) {
+	sec_destroy_dbkey(dbkey);
+    }
+
+    return(SECSuccess);
+}
+
+	
+	    
+
+NSSLOWKEYDBHandle *
+nsslowkey_OpenKeyDB(PRBool readOnly, NSSLOWKEYDBNameFunc namecb, void *cbarg)
+{
+    NSSLOWKEYDBHandle *handle;
+    int ret;
+    SECStatus rv;
+    int openflags;
+    char *dbname = NULL;
+    PRBool updated = PR_FALSE;
+    
+    handle = (NSSLOWKEYDBHandle *)PORT_ZAlloc (sizeof(NSSLOWKEYDBHandle));
+    if (handle == NULL) {
+	PORT_SetError (SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+    
+    if ( readOnly ) {
+	openflags = O_RDONLY;
+    } else {
+	openflags = O_RDWR;
+    }
+
+    dbname = (*namecb)(cbarg, NSSLOWKEY_DB_FILE_VERSION);
+    if ( dbname == NULL ) {
+	goto loser;
+    }
+
+    handle->dbname = PORT_Strdup(dbname);
+    handle->readOnly = readOnly;
+    
+    handle->db = dbopen( dbname, openflags, 0600, DB_HASH, 0 );
+
+    /* check for correct version number */
+    if (handle->db != NULL) {
+	handle->version = nsslowkey_version(handle->db);
+	if (handle->version == 255) {
+	    goto loser;
+	}
+	if (handle->version != NSSLOWKEY_DB_FILE_VERSION ) {
+	    /* bogus version number record, reset the database */
+	    (* handle->db->close)( handle->db );
+	    handle->db = NULL;
+
+	    goto newdb;
+	}
+
+    }
+
+newdb:
+	
+    /* if first open fails, try to create a new DB */
+    if ( handle->db == NULL ) {
+#ifdef NSS_USE_KEY4_DB
+	char *dbname3 = (*namecb)(cbarg, 3);
+
+	if ( readOnly ) {
+	    if (dbname3 == NULL) {
+		goto loser;
+	    }
+	    handle->db = dbopen( dbname3, O_RDONLY, 0600, DB_HASH, 0 );
+	    PORT_Free(handle->dbname);
+    	    handle->dbname = dbname3;
+	    dbname3 = NULL;
+	    if (handle->db == NULL) {
+		goto loser;
+	    }
+	    handle->version = nsslowkey_version(handle->db);
+	    if (handle->version != 3) {
+		/* bogus version number record, reset the database */
+		(* handle->db->close)( handle->db );
+		handle->db = NULL;
+		goto loser;
+	    }
+	    goto done;
+	}
+#else
+	if ( readOnly ) {
+	    goto loser;
+	}
+#endif
+	
+	handle->db = dbopen( dbname,
+			     O_RDWR | O_CREAT | O_TRUNC, 0600, DB_HASH, 0 );
+
+        PORT_Free( dbname );
+        dbname = NULL;
+
+	/* if create fails then we lose */
+	if ( handle->db == NULL ) {
+	    goto loser;
+	}
+
+	rv = makeGlobalVersion(handle);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+
+#ifdef NSS_USE_KEY4_DB
+	handle->updatedb = dbopen( dbname3, O_RDONLY, 0600, DB_HASH, 0 );
+	PORT_Free(dbname3);
+	dbname3 = NULL;
+	if (handle->updatedb) {
+	    /*
+	     * copy the key data, all the real work happens in pass2
+	     */
+	    rv = nsslowkey_UpdateKey3DBPass1(handle);
+	    if ( rv == SECSuccess ) {
+		updated = PR_TRUE;
+	    }
+	    goto skip_v2_db;
+	}
+#endif /* NSS_USE_KEY4_DB */
+	/*
+	 * try to update from v2 db
+	 */
+	dbname = (*namecb)(cbarg, 2);
+	if ( dbname != NULL ) {
+	    handle->updatedb = dbopen( dbname, O_RDONLY, 0600, DB_HASH, 0 );
+            PORT_Free( dbname );
+            dbname = NULL;
+
+	    if ( handle->updatedb ) {
+		/*
+		 * Try to update the db using a null password.  If the db
+		 * doesn't have a password, then this will work.  If it does
+		 * have a password, then this will fail and we will do the
+		 * update later
+		 */
+		rv = nsslowkey_UpdateKeyDBPass1(handle);
+		if ( rv == SECSuccess ) {
+		    updated = PR_TRUE;
+		}
+	    }
+	    
+	}
+
+#ifdef NSS_USE_KEY4_DB
+skip_v2_db:
+#endif
+	/* we are using the old salt if we updated from an old db */
+	if ( ! updated ) {
+	    rv = makeGlobalSalt(handle);
+	    if ( rv != SECSuccess ) {
+		goto loser;
+	    }
+	}
+	
+	/* sync the database */
+	ret = (* handle->db->sync)(handle->db, 0);
+	if ( ret ) {
+	    goto loser;
+	}
+    }
+
+#ifdef NSS_USE_KEY4_DB
+done:
+#endif
+    handle->global_salt = GetKeyDBGlobalSalt(handle);
+    if ( dbname )
+        PORT_Free( dbname );
+    return handle;
+
+loser:
+
+    if ( dbname )
+        PORT_Free( dbname );
+    PORT_SetError(SEC_ERROR_BAD_DATABASE);
+
+    if ( handle->db ) {
+	(* handle->db->close)(handle->db);
+    }
+    if ( handle->updatedb ) {
+	(* handle->updatedb->close)(handle->updatedb);
+    }
+    PORT_Free(handle);
+    return NULL;
+}
+
+/*
+ * Close the database
+ */
+void
+nsslowkey_CloseKeyDB(NSSLOWKEYDBHandle *handle)
+{
+    if (handle != NULL) {
+	if (handle->db != NULL) {
+	    (* handle->db->close)(handle->db);
+	}
+	if (handle->dbname) PORT_Free(handle->dbname);
+	if (handle->global_salt) {
+	    SECITEM_FreeItem(handle->global_salt,PR_TRUE);
+	}
+	    
+	PORT_Free(handle);
+    }
+}
+
+/* Get the key database version */
+int
+nsslowkey_GetKeyDBVersion(NSSLOWKEYDBHandle *handle)
+{
+    PORT_Assert(handle != NULL);
+
+    return handle->version;
+}
+
+/*
+ * Delete a private key that was stored in the database
+ */
+SECStatus
+nsslowkey_DeleteKey(NSSLOWKEYDBHandle *handle, SECItem *pubkey)
+{
+    DBT namekey;
+    int ret;
+
+    if (handle == NULL) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	return(SECFailure);
+    }
+
+    /* set up db key and data */
+    namekey.data = pubkey->data;
+    namekey.size = pubkey->len;
+
+    /* delete it from the database */
+    ret = (* handle->db->del)(handle->db, &namekey, 0);
+    if ( ret ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	return(SECFailure);
+    }
+
+    /* sync the database */
+    ret = (* handle->db->sync)(handle->db, 0);
+    if ( ret ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	return(SECFailure);
+    }
+
+    return(SECSuccess);
+}
+
+/*
+ * Store a key in the database, indexed by its public key modulus.(value!)
+ */
+SECStatus
+nsslowkey_StoreKeyByPublicKey(NSSLOWKEYDBHandle *handle, 
+			   NSSLOWKEYPrivateKey *privkey,
+			   SECItem *pubKeyData,
+			   char *nickname,
+			   SECItem *arg)
+{
+    return nsslowkey_StoreKeyByPublicKeyAlg(handle, privkey, pubKeyData, 
+	     nickname, arg, nsslowkey_GetDefaultKeyDBAlg(),PR_FALSE);
+}
+
+SECStatus
+nsslowkey_UpdateNickname(NSSLOWKEYDBHandle *handle, 
+			   NSSLOWKEYPrivateKey *privkey,
+			   SECItem *pubKeyData,
+			   char *nickname,
+			   SECItem *arg)
+{
+    return nsslowkey_StoreKeyByPublicKeyAlg(handle, privkey, pubKeyData, 
+	     nickname, arg, nsslowkey_GetDefaultKeyDBAlg(),PR_TRUE);
+}
+
+/* see if the public key for this cert is in the database filed
+ * by modulus
+ */
+PRBool
+nsslowkey_KeyForCertExists(NSSLOWKEYDBHandle *handle, NSSLOWCERTCertificate *cert)
+{
+    NSSLOWKEYPublicKey *pubkey = NULL;
+    DBT namekey;
+    DBT dummy;
+    int status;
+    
+    /* get cert's public key */
+    pubkey = nsslowcert_ExtractPublicKey(cert);
+    if ( pubkey == NULL ) {
+	return PR_FALSE;
+    }
+
+    /* TNH - make key from NSSLOWKEYPublicKey */
+    switch (pubkey->keyType) {
+      case NSSLOWKEYRSAKey:
+	namekey.data = pubkey->u.rsa.modulus.data;
+	namekey.size = pubkey->u.rsa.modulus.len;
+	break;
+      case NSSLOWKEYDSAKey:
+	namekey.data = pubkey->u.dsa.publicValue.data;
+	namekey.size = pubkey->u.dsa.publicValue.len;
+	break;
+      case NSSLOWKEYDHKey:
+	namekey.data = pubkey->u.dh.publicValue.data;
+	namekey.size = pubkey->u.dh.publicValue.len;
+	break;
+      default:
+	/* XXX We don't do Fortezza or DH yet. */
+	return PR_FALSE;
+    }
+
+    if (handle->version != 3) {
+	unsigned char buf[SHA1_LENGTH];
+	SHA1_HashBuf(buf,namekey.data,namekey.size);
+	/* NOTE: don't use pubkey after this! it's now thrashed */
+	PORT_Memcpy(namekey.data,buf,sizeof(buf));
+	namekey.size = sizeof(buf);
+    }
+
+    status = (* handle->db->get)(handle->db, &namekey, &dummy, 0);
+    nsslowkey_DestroyPublicKey(pubkey);
+    if ( status ) {
+	return PR_FALSE;
+    }
+    
+    return PR_TRUE;
+}
+
+/*
+ * check to see if the user has a password
+ */
+SECStatus
+nsslowkey_HasKeyDBPassword(NSSLOWKEYDBHandle *handle)
+{
+    DBT checkkey, checkdata;
+    int ret;
+
+    if (handle == NULL) {
+	return(SECFailure);
+    }
+
+    checkkey.data = KEYDB_PW_CHECK_STRING;
+    checkkey.size = KEYDB_PW_CHECK_LEN;
+    
+    ret = (* handle->db->get)(handle->db, &checkkey, &checkdata, 0 );
+    if ( ret ) {
+	/* see if this was an updated DB first */
+	checkkey.data = KEYDB_FAKE_PW_CHECK_STRING;
+	checkkey.size = KEYDB_FAKE_PW_CHECK_LEN;
+	ret = (* handle->db->get)(handle->db, &checkkey, &checkdata, 0 );
+    	if ( ret ) {
+	    return(SECFailure);
+	}
+    }
+
+    return(SECSuccess);
+}
+
+/*
+ * Set up the password checker in the key database.
+ * This is done by encrypting a known plaintext with the user's key.
+ */
+SECStatus
+nsslowkey_SetKeyDBPassword(NSSLOWKEYDBHandle *handle, SECItem *pwitem)
+{
+    return nsslowkey_SetKeyDBPasswordAlg(handle, pwitem,
+				      nsslowkey_GetDefaultKeyDBAlg());
+}
+
+static SECStatus
+HashPassword(unsigned char *hashresult, char *pw, SECItem *salt)
+{
+    SHA1Context *cx;
+    unsigned int outlen;
+    cx = SHA1_NewContext();
+    if ( cx == NULL ) {
+	return(SECFailure);
+    }
+    
+    SHA1_Begin(cx);
+    if ( ( salt != NULL ) && ( salt->data != NULL ) ) {
+	SHA1_Update(cx, salt->data, salt->len);
+    }
+    
+    SHA1_Update(cx, (unsigned char *)pw, PORT_Strlen(pw));
+    SHA1_End(cx, hashresult, &outlen, SHA1_LENGTH);
+    
+    SHA1_DestroyContext(cx, PR_TRUE);
+    
+    return(SECSuccess);
+}
+
+SECItem *
+nsslowkey_HashPassword(char *pw, SECItem *salt)
+{
+    SECItem *pwitem;
+    SECStatus rv;
+    
+    pwitem = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    if ( pwitem == NULL ) {
+	return(NULL);
+    }
+    pwitem->len = SHA1_LENGTH;
+    pwitem->data = (unsigned char *)PORT_ZAlloc(SHA1_LENGTH);
+    if ( pwitem->data == NULL ) {
+	PORT_Free(pwitem);
+	return(NULL);
+    }
+    if ( pw ) {
+	rv = HashPassword(pwitem->data, pw, salt);
+	if ( rv != SECSuccess ) {
+	    SECITEM_ZfreeItem(pwitem, PR_TRUE);
+	    return(NULL);
+	}
+    }
+    
+    return(pwitem);
+}
+
+/* Derive the actual password value for the database from a pw string */
+SECItem *
+nsslowkey_DeriveKeyDBPassword(NSSLOWKEYDBHandle *keydb, char *pw)
+{
+    PORT_Assert(keydb != NULL);
+    PORT_Assert(pw != NULL);
+    if (keydb == NULL || pw == NULL) return(NULL);
+
+    return nsslowkey_HashPassword(pw, keydb->global_salt);
+}
+
+#if 0
+/* Appears obsolete - TNH */
+/* get the algorithm with which a private key
+ * is encrypted.
+ */
+SECOidTag 
+seckey_get_private_key_algorithm(NSSLOWKEYDBHandle *keydb, DBT *index)   
+{
+    NSSLOWKEYDBKey *dbkey = NULL;
+    SECOidTag algorithm = SEC_OID_UNKNOWN;
+    NSSLOWKEYEncryptedPrivateKeyInfo *epki = NULL;
+    PLArenaPool *poolp = NULL;
+    SECStatus rv;
+
+    poolp = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if(poolp == NULL)
+	return (SECOidTag)SECFailure;  /* TNH - this is bad */
+
+    dbkey = get_dbkey(keydb, index);
+    if(dbkey == NULL)
+	return (SECOidTag)SECFailure;
+
+    epki = (NSSLOWKEYEncryptedPrivateKeyInfo *)PORT_ArenaZAlloc(poolp, 
+	sizeof(NSSLOWKEYEncryptedPrivateKeyInfo));
+    if(epki == NULL)
+	goto loser;
+    rv = SEC_ASN1DecodeItem(poolp, epki, 
+	nsslowkey_EncryptedPrivateKeyInfoTemplate, &dbkey->derPK);
+    if(rv == SECFailure)
+	goto loser;
+
+    algorithm = SECOID_GetAlgorithmTag(&epki->algorithm);
+
+    /* let success fall through */
+loser:
+    if(poolp != NULL)
+	PORT_FreeArena(poolp, PR_TRUE);\
+    if(dbkey != NULL)
+	sec_destroy_dbkey(dbkey);
+
+    return algorithm;
+}
+#endif
+	
+/*
+ * Derive an RC4 key from a password key and a salt.  This
+ * was the method to used to encrypt keys in the version 2?
+ * database
+ */
+SECItem *
+seckey_create_rc4_key(SECItem *pwitem, SECItem *salt)
+{
+    MD5Context *md5 = NULL;
+    unsigned int part;
+    SECStatus rv = SECFailure;
+    SECItem *key = NULL;
+
+    key = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    if(key != NULL)
+    {
+	key->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) *
+		MD5_LENGTH);
+	key->len = MD5_LENGTH;
+	if(key->data != NULL)
+	{
+	    md5 = MD5_NewContext();
+	    if ( md5 != NULL ) 
+	    {
+		MD5_Begin(md5);
+		MD5_Update(md5, salt->data, salt->len);
+		MD5_Update(md5, pwitem->data, pwitem->len);
+		MD5_End(md5, key->data, &part, MD5_LENGTH);
+		MD5_DestroyContext(md5, PR_TRUE);
+		rv = SECSuccess;
+	    }
+	}
+	
+	if(rv != SECSuccess)
+	{
+	    SECITEM_FreeItem(key, PR_TRUE);
+	    key = NULL;
+	}
+    }
+
+    return key;
+}
+
+SECItem *
+seckey_create_rc4_salt(void)
+{
+    SECItem *salt = NULL;
+    SECStatus rv = SECFailure;
+
+    salt = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    if(salt == NULL)
+	return NULL;
+
+    salt->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) *
+	SALT_LENGTH);
+    if(salt->data != NULL)
+    {
+	salt->len = SALT_LENGTH;
+	RNG_GenerateGlobalRandomBytes(salt->data, salt->len);
+	rv = SECSuccess;
+    }
+	
+    if(rv == SECFailure)
+    {
+	SECITEM_FreeItem(salt, PR_TRUE);
+	salt = NULL;
+    }
+
+    return salt;
+}
+
+SECItem *
+seckey_rc4_decode(SECItem *key, SECItem *src)
+{
+    SECItem *dest = NULL;
+    RC4Context *ctxt = NULL;
+    SECStatus rv = SECFailure;
+
+    if((key == NULL) || (src == NULL))
+	return NULL;
+
+    dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    if(dest == NULL)
+	return NULL;
+
+    dest->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) *
+	(src->len + 64));  /* TNH - padding? */
+    if(dest->data != NULL)
+    {
+	ctxt = RC4_CreateContext(key->data, key->len);
+	if(ctxt != NULL)
+	{
+	    rv = RC4_Decrypt(ctxt, dest->data, &dest->len,
+		    src->len + 64, src->data, src->len);
+	    RC4_DestroyContext(ctxt, PR_TRUE);
+	}
+    }
+
+    if(rv == SECFailure)
+	if(dest != NULL)
+	{
+	    SECITEM_FreeItem(dest, PR_TRUE);
+	    dest = NULL;
+	}
+
+    return dest;
+}
+
+/* TNH - keydb is unused */
+/* TNH - the pwitem should be the derived key for RC4 */
+NSSLOWKEYEncryptedPrivateKeyInfo *
+seckey_encrypt_private_key(
+	NSSLOWKEYPrivateKey *pk, SECItem *pwitem, NSSLOWKEYDBHandle *keydb,
+	SECOidTag algorithm, SECItem **salt)
+{
+    NSSLOWKEYEncryptedPrivateKeyInfo *epki = NULL;
+    NSSLOWKEYPrivateKeyInfo *pki = NULL;
+    SECStatus rv = SECFailure;
+    PLArenaPool *temparena = NULL, *permarena = NULL;
+    SECItem *der_item = NULL;
+    NSSPKCS5PBEParameter *param = NULL;
+    SECItem *dummy = NULL, *dest = NULL;
+    SECAlgorithmID *algid;
+
+    *salt = NULL;
+    permarena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if(permarena == NULL)
+	return NULL;
+
+    temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if(temparena == NULL)
+	goto loser;
+
+    /* allocate structures */
+    epki = (NSSLOWKEYEncryptedPrivateKeyInfo *)PORT_ArenaZAlloc(permarena,
+	sizeof(NSSLOWKEYEncryptedPrivateKeyInfo));
+    pki = (NSSLOWKEYPrivateKeyInfo *)PORT_ArenaZAlloc(temparena, 
+	sizeof(NSSLOWKEYPrivateKeyInfo));
+    der_item = (SECItem *)PORT_ArenaZAlloc(temparena, sizeof(SECItem));
+    if((epki == NULL) || (pki == NULL) || (der_item == NULL))
+	goto loser;
+
+    epki->arena = permarena;
+
+    /* setup private key info */
+    dummy = SEC_ASN1EncodeInteger(temparena, &(pki->version), 
+	NSSLOWKEY_PRIVATE_KEY_INFO_VERSION);
+    if(dummy == NULL)
+	goto loser;
+
+    /* Encode the key, and set the algorithm (with params) */
+    switch (pk->keyType) {
+      case NSSLOWKEYRSAKey:
+        prepare_low_rsa_priv_key_for_asn1(pk);
+	dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk, 
+				   nsslowkey_RSAPrivateKeyTemplate);
+	if (dummy == NULL) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+	
+	rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm), 
+				   SEC_OID_PKCS1_RSA_ENCRYPTION, 0);
+	if (rv == SECFailure) {
+	    goto loser;
+	}
+	
+	break;
+      case NSSLOWKEYDSAKey:
+        prepare_low_dsa_priv_key_for_asn1(pk);
+	dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk,
+				   nsslowkey_DSAPrivateKeyTemplate);
+	if (dummy == NULL) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+	
+        prepare_low_pqg_params_for_asn1(&pk->u.dsa.params);
+	dummy = SEC_ASN1EncodeItem(temparena, NULL, &pk->u.dsa.params,
+				   nsslowkey_PQGParamsTemplate);
+	if (dummy == NULL) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+	
+	rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm),
+				   SEC_OID_ANSIX9_DSA_SIGNATURE, dummy);
+	if (rv == SECFailure) {
+	    goto loser;
+	}
+	
+	break;
+      case NSSLOWKEYDHKey:
+        prepare_low_dh_priv_key_for_asn1(pk);
+	dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk,
+				   nsslowkey_DHPrivateKeyTemplate);
+	if (dummy == NULL) {
+	    rv = SECFailure;
+	    goto loser;
+	}
+
+	rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm),
+				   SEC_OID_X942_DIFFIE_HELMAN_KEY, dummy);
+	if (rv == SECFailure) {
+	    goto loser;
+	}
+	break;
+      default:
+	/* We don't support DH or Fortezza private keys yet */
+	PORT_Assert(PR_FALSE);
+	break;
+    }
+
+    /* setup encrypted private key info */
+    dummy = SEC_ASN1EncodeItem(temparena, der_item, pki, 
+	nsslowkey_PrivateKeyInfoTemplate);
+    if(dummy == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    rv = SECFailure; /* assume failure */
+    *salt = seckey_create_rc4_salt();
+    if (*salt == NULL) {
+	goto loser;
+    }
+
+    param = nsspkcs5_NewParam(algorithm,*salt,1);
+    if (param == NULL) {
+	goto loser;
+    }
+
+    dest = nsspkcs5_CipherData(param, pwitem, der_item, PR_TRUE, NULL);
+    if (dest == NULL) {
+	goto loser;
+    }
+
+    rv = SECITEM_CopyItem(permarena, &epki->encryptedData, dest);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    algid = nsspkcs5_CreateAlgorithmID(permarena, algorithm, param);
+    if (algid == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    rv = SECOID_CopyAlgorithmID(permarena, &epki->algorithm, algid);
+    SECOID_DestroyAlgorithmID(algid, PR_TRUE);
+
+loser:
+    if(dest != NULL)
+	SECITEM_FreeItem(dest, PR_TRUE);
+
+    if(param != NULL)
+       nsspkcs5_DestroyPBEParameter(param);
+
+    /* let success fall through */
+
+    if(rv == SECFailure)
+    {
+	PORT_FreeArena(permarena, PR_TRUE);
+	epki = NULL;
+	if(*salt != NULL)
+	    SECITEM_FreeItem(*salt, PR_TRUE);
+    }
+
+    if(temparena != NULL)
+	PORT_FreeArena(temparena, PR_TRUE);
+
+    return epki;
+}
+
+static SECStatus 
+seckey_put_private_key(NSSLOWKEYDBHandle *keydb, DBT *index, SECItem *pwitem,
+		       NSSLOWKEYPrivateKey *pk, char *nickname, PRBool update,
+		       SECOidTag algorithm)
+{
+    NSSLOWKEYDBKey *dbkey = NULL;
+    NSSLOWKEYEncryptedPrivateKeyInfo *epki = NULL;
+    PLArenaPool *temparena = NULL, *permarena = NULL;
+    SECItem *dummy = NULL;
+    SECItem *salt = NULL;
+    SECStatus rv = SECFailure;
+
+    if((keydb == NULL) || (index == NULL) || (pwitem == NULL) ||
+	(pk == NULL))
+	return SECFailure;
+	
+    permarena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if(permarena == NULL)
+	return SECFailure;
+
+    dbkey = (NSSLOWKEYDBKey *)PORT_ArenaZAlloc(permarena, sizeof(NSSLOWKEYDBKey));
+    if(dbkey == NULL)
+	goto loser;
+    dbkey->arena = permarena;
+    dbkey->nickname = nickname;
+
+    /* TNH - for RC4, the salt should be created here */
+	
+    epki = seckey_encrypt_private_key(pk, pwitem, keydb, algorithm, &salt);
+    if(epki == NULL)
+	goto loser;
+    temparena = epki->arena;
+
+    if(salt != NULL)
+    {
+	rv = SECITEM_CopyItem(permarena, &(dbkey->salt), salt);
+	SECITEM_ZfreeItem(salt, PR_TRUE);
+    }
+
+    dummy = SEC_ASN1EncodeItem(permarena, &(dbkey->derPK), epki, 
+	nsslowkey_EncryptedPrivateKeyInfoTemplate);
+    if(dummy == NULL)
+	rv = SECFailure;
+    else
+	rv = put_dbkey(keydb, index, dbkey, update);
+
+    /* let success fall through */
+loser:
+    if(rv != SECSuccess)
+	if(permarena != NULL)
+	    PORT_FreeArena(permarena, PR_TRUE);
+    if(temparena != NULL)
+	PORT_FreeArena(temparena, PR_TRUE);
+
+    return rv;
+}
+
+/*
+ * Store a key in the database, indexed by its public key modulus.
+ * Note that the nickname is optional.  It was only used by keyutil.
+ */
+SECStatus
+nsslowkey_StoreKeyByPublicKeyAlg(NSSLOWKEYDBHandle *handle, 
+			      NSSLOWKEYPrivateKey *privkey,
+			      SECItem *pubKeyData,
+			      char *nickname,
+			      SECItem *pwitem,
+			      SECOidTag algorithm,
+                              PRBool update)
+{
+    DBT namekey;
+    SECStatus rv;
+
+    if (handle == NULL) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	return(SECFailure);
+    }
+
+    /* set up db key and data */
+    namekey.data = pubKeyData->data;
+    namekey.size = pubKeyData->len;
+
+    /* encrypt the private key */
+    rv = seckey_put_private_key(handle, &namekey, pwitem, privkey, nickname,
+				update, algorithm);
+    
+    return(rv);
+}
+
+NSSLOWKEYPrivateKey *
+seckey_decrypt_private_key(NSSLOWKEYEncryptedPrivateKeyInfo *epki,
+			   SECItem *pwitem)
+{
+    NSSLOWKEYPrivateKey *pk = NULL;
+    NSSLOWKEYPrivateKeyInfo *pki = NULL;
+    SECStatus rv = SECFailure;
+    SECOidTag algorithm;
+    PLArenaPool *temparena = NULL, *permarena = NULL;
+    SECItem *salt = NULL, *dest = NULL, *key = NULL;
+    NSSPKCS5PBEParameter *param;
+
+    if((epki == NULL) || (pwitem == NULL))
+	goto loser;
+
+    temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    permarena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if((temparena == NULL) || (permarena == NULL))
+	goto loser;
+
+    /* allocate temporary items */
+    pki = (NSSLOWKEYPrivateKeyInfo *)PORT_ArenaZAlloc(temparena, 
+	sizeof(NSSLOWKEYPrivateKeyInfo));
+
+    /* allocate permanent arena items */
+    pk = (NSSLOWKEYPrivateKey *)PORT_ArenaZAlloc(permarena,
+	sizeof(NSSLOWKEYPrivateKey));
+
+    if((pk == NULL) || (pki == NULL))
+	goto loser;
+
+    pk->arena = permarena;
+	
+    algorithm = SECOID_GetAlgorithmTag(&(epki->algorithm));
+    switch(algorithm)
+    {
+	case SEC_OID_RC4:
+	    salt = SECITEM_DupItem(&epki->algorithm.parameters);
+	    if(salt != NULL)
+	    {
+		key = seckey_create_rc4_key(pwitem, salt);
+		if(key != NULL)
+		{
+		    dest = seckey_rc4_decode(key, &epki->encryptedData);
+		}
+	    }	
+	    if(salt != NULL)
+		SECITEM_ZfreeItem(salt, PR_TRUE);
+	    if(key != NULL)
+		SECITEM_ZfreeItem(key, PR_TRUE);
+	    break;
+	default:
+	    /* we depend on the fact that if this key was encoded with
+	     * DES, that the pw was also encoded with DES, so we don't have
+	     * to do the update here, the password code will handle it. */
+	    param = nsspkcs5_AlgidToParam(&epki->algorithm);
+	    if (param == NULL) {
+		break;
+	    }
+	    dest = nsspkcs5_CipherData(param, pwitem, &epki->encryptedData, 
+							PR_FALSE, NULL);
+	    nsspkcs5_DestroyPBEParameter(param);
+	    break;
+    }
+
+    if(dest != NULL)
+    {
+	rv = SEC_ASN1DecodeItem(temparena, pki, 
+	    nsslowkey_PrivateKeyInfoTemplate, dest);
+	if(rv == SECSuccess)
+	{
+	    switch(SECOID_GetAlgorithmTag(&pki->algorithm)) {
+	      case SEC_OID_X500_RSA_ENCRYPTION:
+	      case SEC_OID_PKCS1_RSA_ENCRYPTION:
+		pk->keyType = NSSLOWKEYRSAKey;
+		prepare_low_rsa_priv_key_for_asn1(pk);
+		rv = SEC_ASN1DecodeItem(permarena, pk,
+					nsslowkey_RSAPrivateKeyTemplate,
+					&pki->privateKey);
+		break;
+	      case SEC_OID_ANSIX9_DSA_SIGNATURE:
+		pk->keyType = NSSLOWKEYDSAKey;
+		prepare_low_dsa_priv_key_for_asn1(pk);
+		rv = SEC_ASN1DecodeItem(permarena, pk,
+					nsslowkey_DSAPrivateKeyTemplate,
+					&pki->privateKey);
+		if (rv != SECSuccess)
+		    goto loser;
+		prepare_low_pqg_params_for_asn1(&pk->u.dsa.params);
+		rv = SEC_ASN1DecodeItem(permarena, &pk->u.dsa.params,
+					nsslowkey_PQGParamsTemplate,
+					&pki->algorithm.parameters);
+		break;
+	      case SEC_OID_X942_DIFFIE_HELMAN_KEY:
+		pk->keyType = NSSLOWKEYDHKey;
+		prepare_low_dh_priv_key_for_asn1(pk);
+		rv = SEC_ASN1DecodeItem(permarena, pk,
+					nsslowkey_DHPrivateKeyTemplate,
+					&pki->privateKey);
+		break;
+	      default:
+		rv = SECFailure;
+		break;
+	    }
+	}
+	else if(PORT_GetError() == SEC_ERROR_BAD_DER)
+	{
+	    PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+	    goto loser;
+	}
+    }
+
+    /* let success fall through */
+loser:
+    if(temparena != NULL)
+	PORT_FreeArena(temparena, PR_TRUE);
+    if(dest != NULL)
+	SECITEM_ZfreeItem(dest, PR_TRUE);
+
+    if(rv != SECSuccess)
+    {
+	if(permarena != NULL)
+	    PORT_FreeArena(permarena, PR_TRUE);
+	pk = NULL;
+    }
+
+    return pk;
+}
+
+static NSSLOWKEYPrivateKey *
+seckey_decode_encrypted_private_key(NSSLOWKEYDBKey *dbkey, SECItem *pwitem)
+{
+    NSSLOWKEYPrivateKey *pk = NULL;
+    NSSLOWKEYEncryptedPrivateKeyInfo *epki;
+    PLArenaPool *temparena = NULL;
+    SECStatus rv;
+    SECOidTag algorithm;
+
+    if( ( dbkey == NULL ) || ( pwitem == NULL ) ) {
+	return NULL;
+    }
+
+    temparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if(temparena == NULL) {
+	return NULL;
+    }
+
+    epki = (NSSLOWKEYEncryptedPrivateKeyInfo *)
+	PORT_ArenaZAlloc(temparena, sizeof(NSSLOWKEYEncryptedPrivateKeyInfo));
+
+    if(epki == NULL) {
+	goto loser;
+    }
+
+    rv = SEC_ASN1DecodeItem(temparena, epki,
+			    nsslowkey_EncryptedPrivateKeyInfoTemplate,
+			    &(dbkey->derPK)); 
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+
+    algorithm = SECOID_GetAlgorithmTag(&(epki->algorithm));
+    switch(algorithm)
+    {
+      case SEC_OID_RC4:
+	/* TNH - this code should derive the actual RC4 key from salt and
+           pwitem */
+	rv = SECITEM_CopyItem(temparena, &(epki->algorithm.parameters),
+			      &(dbkey->salt));
+	break;
+      default:
+	break;
+    }
+
+    pk = seckey_decrypt_private_key(epki, pwitem);
+
+    /* let success fall through */
+loser:
+
+    PORT_FreeArena(temparena, PR_TRUE);
+    return pk;
+}
+
+NSSLOWKEYPrivateKey *
+seckey_get_private_key(NSSLOWKEYDBHandle *keydb, DBT *index, char **nickname,
+		       SECItem *pwitem)
+{
+    NSSLOWKEYDBKey *dbkey = NULL;
+    NSSLOWKEYPrivateKey *pk = NULL;
+
+    if( ( keydb == NULL ) || ( index == NULL ) || ( pwitem == NULL ) ) {
+	return NULL;
+    }
+
+    dbkey = get_dbkey(keydb, index);
+    if(dbkey == NULL) {
+	goto loser;
+    }
+    
+    if ( nickname ) {
+	if ( dbkey->nickname && ( dbkey->nickname[0] != 0 ) ) {
+	    *nickname = PORT_Strdup(dbkey->nickname);
+	} else {
+	    *nickname = NULL;
+	}
+    }
+    
+    pk = seckey_decode_encrypted_private_key(dbkey, pwitem);
+    
+    /* let success fall through */
+loser:
+
+    if ( dbkey != NULL ) {
+	sec_destroy_dbkey(dbkey);
+    }
+
+    return pk;
+}
+
+/*
+ * used by pkcs11 to import keys into it's object format... In the future
+ * we really need a better way to tie in...
+ */
+NSSLOWKEYPrivateKey *
+nsslowkey_DecryptKey(DBT *key, SECItem *pwitem,
+					 NSSLOWKEYDBHandle *handle) {
+    return seckey_get_private_key(handle,key,NULL,pwitem);
+}
+
+/*
+ * Find a key in the database, indexed by its public key modulus
+ * This is used to find keys that have been stored before their
+ * certificate arrives.  Once the certificate arrives the key
+ * is looked up by the public modulus in the certificate, and the
+ * re-stored by its nickname.
+ */
+NSSLOWKEYPrivateKey *
+nsslowkey_FindKeyByPublicKey(NSSLOWKEYDBHandle *handle, SECItem *modulus,
+			  				 SECItem *pwitem)
+{
+    DBT namekey;
+    NSSLOWKEYPrivateKey *pk = NULL;
+
+    if (handle == NULL) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	return NULL;
+    }
+
+    /* set up db key */
+    namekey.data = modulus->data;
+    namekey.size = modulus->len;
+
+    pk = seckey_get_private_key(handle, &namekey, NULL, pwitem);
+    
+    /* no need to free dbkey, since its on the stack, and the data it
+     * points to is owned by the database
+     */
+    return(pk);
+}
+
+char *
+nsslowkey_FindKeyNicknameByPublicKey(NSSLOWKEYDBHandle *handle, 
+					SECItem *modulus, SECItem *pwitem)
+{
+    DBT namekey;
+    NSSLOWKEYPrivateKey *pk = NULL;
+    char *nickname = NULL;
+
+    if (handle == NULL) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	return NULL;
+    }
+
+    /* set up db key */
+    namekey.data = modulus->data;
+    namekey.size = modulus->len;
+
+    pk = seckey_get_private_key(handle, &namekey, &nickname, pwitem);
+    if (pk) {
+	nsslowkey_DestroyPrivateKey(pk);
+    }
+    
+    /* no need to free dbkey, since its on the stack, and the data it
+     * points to is owned by the database
+     */
+    return(nickname);
+}
+/* ===== ENCODING ROUTINES ===== */
+
+static SECStatus
+encodePWCheckEntry(PLArenaPool *arena, SECItem *entry, SECOidTag alg,
+		   SECItem *encCheck)
+{
+    SECOidData *oidData;
+    SECStatus rv;
+    
+    oidData = SECOID_FindOIDByTag(alg);
+    if ( oidData == NULL ) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    entry->len = 1 + oidData->oid.len + encCheck->len;
+    if ( arena ) {
+	entry->data = (unsigned char *)PORT_ArenaAlloc(arena, entry->len);
+    } else {
+	entry->data = (unsigned char *)PORT_Alloc(entry->len);
+    }
+    
+    if ( entry->data == NULL ) {
+	goto loser;
+    }
+	
+    /* first length of oid */
+    entry->data[0] = (unsigned char)oidData->oid.len;
+    /* next oid itself */
+    PORT_Memcpy(&entry->data[1], oidData->oid.data, oidData->oid.len);
+    /* finally the encrypted check string */
+    PORT_Memcpy(&entry->data[1+oidData->oid.len], encCheck->data,
+		encCheck->len);
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/*
+ * Set up the password checker in the key database.
+ * This is done by encrypting a known plaintext with the user's key.
+ */
+SECStatus
+nsslowkey_SetKeyDBPasswordAlg(NSSLOWKEYDBHandle *handle, 
+			   SECItem *pwitem, SECOidTag algorithm)
+{
+    DBT checkkey;
+    NSSPKCS5PBEParameter *param = NULL;
+    SECStatus rv = SECFailure;
+    NSSLOWKEYDBKey *dbkey = NULL;
+    PLArenaPool *arena;
+    SECItem *salt = NULL;
+    SECItem *dest = NULL, test_key;
+    
+    if (handle == NULL) {
+	return(SECFailure);
+    }
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	rv = SECFailure;
+	goto loser;
+    }
+    
+    dbkey = (NSSLOWKEYDBKey *)PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYDBKey));
+    if ( dbkey == NULL ) {
+	rv = SECFailure;
+	goto loser;
+    }
+    
+    dbkey->arena = arena;
+
+    /* encrypt key */
+    checkkey.data = test_key.data = (unsigned char *)KEYDB_PW_CHECK_STRING;
+    checkkey.size = test_key.len = KEYDB_PW_CHECK_LEN;
+
+    salt = seckey_create_rc4_salt();
+    if(salt == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    param = nsspkcs5_NewParam(algorithm, salt, 1);
+    if (param == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    dest = nsspkcs5_CipherData(param, pwitem, &test_key, PR_TRUE, NULL);
+    if (dest == NULL)
+    {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    rv = SECITEM_CopyItem(arena, &dbkey->salt, salt);
+    if (rv == SECFailure) {
+	goto loser;
+    }
+   
+    rv = encodePWCheckEntry(arena, &dbkey->derPK, algorithm, dest);
+	
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+	
+    rv = put_dbkey(handle, &checkkey, dbkey, PR_TRUE);
+    
+    /* let success fall through */
+loser: 
+    if ( arena != NULL ) {
+	PORT_FreeArena(arena, PR_TRUE);
+    }
+    
+    if ( dest != NULL ) {
+	SECITEM_ZfreeItem(dest, PR_TRUE);
+    }
+    
+    if ( salt != NULL ) {
+	SECITEM_ZfreeItem(salt, PR_TRUE);
+    }
+
+    if (param != NULL) {
+	nsspkcs5_DestroyPBEParameter(param);
+    }
+	
+    return(rv);
+}
+
+static SECStatus
+seckey_CheckKeyDB1Password(NSSLOWKEYDBHandle *handle, SECItem *pwitem)
+{
+    SECStatus rv = SECFailure;
+    keyList keylist;
+    keyNode *node = NULL;
+    NSSLOWKEYPrivateKey *privkey = NULL;
+
+
+    /*
+     * first find a key
+     */
+
+    /* traverse the database, collecting the keys of all records */
+    keylist.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( keylist.arena == NULL ) 
+    {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return(SECFailure);
+    }
+    keylist.head = NULL;
+    
+    /* TNH - TraverseKeys should not be public, since it exposes
+       the underlying DBT data type. */
+    rv = nsslowkey_TraverseKeys(handle, sec_add_key_to_list, (void *)&keylist);
+    if ( rv != SECSuccess ) 
+	goto done;
+
+    /* just get the first key from the list */
+    node = keylist.head;
+
+    /* no private keys, accept any password */
+    if (node == NULL) {
+	rv = SECSuccess;
+	goto done;
+    }
+    privkey = seckey_get_private_key(handle, &node->key, NULL, pwitem);
+    if (privkey == NULL) {
+	 rv = SECFailure;
+	 goto done;
+    }
+
+    /* if we can decrypt the private key, then we had the correct password */
+    rv = SECSuccess;
+    nsslowkey_DestroyPrivateKey(privkey);
+
+done:
+
+    /* free the arena */
+    if ( keylist.arena ) {
+	PORT_FreeArena(keylist.arena, PR_FALSE);
+    }
+    
+    return(rv);
+}
+
+/*
+ * check to see if the user has typed the right password
+ */
+SECStatus
+nsslowkey_CheckKeyDBPassword(NSSLOWKEYDBHandle *handle, SECItem *pwitem)
+{
+    DBT checkkey;
+    DBT checkdata;
+    NSSPKCS5PBEParameter *param = NULL;
+    SECStatus rv = SECFailure;
+    NSSLOWKEYDBKey *dbkey = NULL;
+    SECItem *key = NULL;
+    SECItem *dest = NULL;
+    SECOidTag algorithm;
+    SECItem oid;
+    SECItem encstring;
+    PRBool update = PR_FALSE;
+    int ret;
+    
+    if (handle == NULL) {
+	goto loser;
+    }
+
+    checkkey.data = KEYDB_PW_CHECK_STRING;
+    checkkey.size = KEYDB_PW_CHECK_LEN;
+    
+    dbkey = get_dbkey(handle, &checkkey);
+    
+    if ( dbkey == NULL ) {
+	checkkey.data = KEYDB_FAKE_PW_CHECK_STRING;
+	checkkey.size = KEYDB_FAKE_PW_CHECK_LEN;
+	ret = (* handle->db->get)(handle->db, &checkkey,
+				   &checkdata, 0 );
+	if (ret) {
+	    goto loser;
+	}
+	/* if we have the fake PW_CHECK, then try to decode the key
+	 * rather than the pwcheck item.
+	 */
+	rv = seckey_CheckKeyDB1Password(handle,pwitem);
+	if (rv == SECSuccess) {
+	    /* OK we have enough to complete our conversion */
+	    nsslowkey_UpdateKeyDBPass2(handle,pwitem);
+	}
+	return rv;
+    }
+
+    /* build the oid item */
+    oid.len = dbkey->derPK.data[0];
+    oid.data = &dbkey->derPK.data[1];
+    
+    /* make sure entry is the correct length
+     * since we are probably using a block cipher, the block will be
+     * padded, so we may get a bit more than the exact size we need.
+     */
+    if ( dbkey->derPK.len < (KEYDB_PW_CHECK_LEN + 1 + oid.len ) ) {
+	goto loser;
+    }
+
+    /* find the algorithm tag */
+    algorithm = SECOID_FindOIDTag(&oid);
+
+    /* make a secitem of the encrypted check string */
+    encstring.len = dbkey->derPK.len - ( oid.len + 1 );
+    encstring.data = &dbkey->derPK.data[oid.len+1];
+    
+    switch(algorithm)
+    {
+	case SEC_OID_RC4:
+	    key = seckey_create_rc4_key(pwitem, &dbkey->salt);
+	    if(key != NULL) {
+		dest = seckey_rc4_decode(key, &encstring);
+		SECITEM_FreeItem(key, PR_TRUE);
+	    }
+	    break;
+	default:
+	    param = nsspkcs5_NewParam(algorithm, &dbkey->salt, 1);
+	    if (param != NULL) {
+                /* Decrypt - this function implements a workaround for
+                 * a previous coding error.  It will decrypt values using
+                 * DES rather than 3DES, if the initial try at 3DES
+                 * decryption fails.  In this case, the update flag is
+                 * set to TRUE.  This indication is used later to force
+                 * an update of the database to "real" 3DES encryption.
+                 */
+		dest = nsspkcs5_CipherData(param, pwitem, 
+					   &encstring, PR_FALSE, &update);
+		nsspkcs5_DestroyPBEParameter(param);
+	    }	
+	    break;
+    }
+
+    if(dest == NULL) {
+	goto loser;
+    }
+
+    if ((dest->len == KEYDB_PW_CHECK_LEN) &&
+	(PORT_Memcmp(dest->data, 
+		     KEYDB_PW_CHECK_STRING, KEYDB_PW_CHECK_LEN) == 0)) {
+	rv = SECSuccess;
+	/* we succeeded */
+	if ( algorithm == SEC_OID_RC4 ) {
+	    /* partially updated database */
+	    nsslowkey_UpdateKeyDBPass2(handle, pwitem);
+	}
+        /* Force an update of the password to remove the incorrect DES
+         * encryption (see the note above)
+         */
+	if (update && 
+	     (algorithm == SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC)) {
+	    /* data base was encoded with DES not triple des, fix it */
+	    nsslowkey_UpdateKeyDBPass2(handle,pwitem);
+	}
+    }
+			
+loser:
+    sec_destroy_dbkey(dbkey);
+    if(dest != NULL) {
+    	SECITEM_ZfreeItem(dest, PR_TRUE);
+    }
+
+    return(rv);
+}
+
+/*
+ *  Change the database password and/or algorithm.  This internal
+ *  routine does not check the old password.  That must be done by 
+ *  the caller.
+ */
+static SECStatus
+ChangeKeyDBPasswordAlg(NSSLOWKEYDBHandle *handle,
+		       SECItem *oldpwitem, SECItem *newpwitem,
+		       SECOidTag new_algorithm)
+{
+    SECStatus rv;
+    keyList keylist;
+    keyNode *node = NULL;
+    NSSLOWKEYPrivateKey *privkey = NULL;
+    char *nickname;
+    DBT newkey;
+    int ret;
+
+    /* traverse the database, collecting the keys of all records */
+    keylist.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( keylist.arena == NULL ) 
+    {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return(SECFailure);
+    }
+    keylist.head = NULL;
+    
+    /* TNH - TraverseKeys should not be public, since it exposes
+       the underlying DBT data type. */
+    rv = nsslowkey_TraverseKeys(handle, sec_add_key_to_list, (void *)&keylist);
+    if ( rv != SECSuccess ) 
+	goto loser;
+
+    /* walk the list, re-encrypting each entry */
+    node = keylist.head;
+    while ( node != NULL ) 
+    {
+	privkey = seckey_get_private_key(handle, &node->key, &nickname,
+					 oldpwitem);
+	
+	if (privkey == NULL) {
+	    PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	    rv = SECFailure;
+	    goto loser;
+	}
+
+	/* delete the old record */
+	ret = (* handle->db->del)(handle->db, &node->key, 0);
+	if ( ret ) {
+	    PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	    rv = SECFailure;
+	    goto loser;
+	}
+	
+	/* get the public key, which we use as the database index */
+
+	switch (privkey->keyType) {
+	  case NSSLOWKEYRSAKey:
+	    newkey.data = privkey->u.rsa.modulus.data;
+	    newkey.size = privkey->u.rsa.modulus.len;
+	    break;
+	  case NSSLOWKEYDSAKey:
+	    newkey.data = privkey->u.dsa.publicValue.data;
+	    newkey.size = privkey->u.dsa.publicValue.len;
+	    break;
+	  case NSSLOWKEYDHKey:
+	    newkey.data = privkey->u.dh.publicValue.data;
+	    newkey.size = privkey->u.dh.publicValue.len;
+	    break;
+	  default:
+	    return SECFailure;
+	}
+
+	rv = seckey_put_private_key(handle, &newkey, newpwitem, privkey,
+				    nickname, PR_TRUE, new_algorithm);
+	
+	if ( rv != SECSuccess ) 
+	{
+	    PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	    rv = SECFailure;
+	    goto loser;
+	}
+
+	/* next node */
+	node = node->next;
+    }
+
+    rv = nsslowkey_SetKeyDBPasswordAlg(handle, newpwitem, new_algorithm);
+
+loser:
+
+    /* free the arena */
+    if ( keylist.arena ) {
+	PORT_FreeArena(keylist.arena, PR_FALSE);
+    }
+    
+    return(rv);
+}
+
+/*
+ * Re-encrypt the entire key database with a new password.
+ * NOTE: The really  should create a new database rather than doing it
+ * in place in the original
+ */
+SECStatus
+nsslowkey_ChangeKeyDBPassword(NSSLOWKEYDBHandle *handle,
+			      SECItem *oldpwitem, SECItem *newpwitem)
+{
+    SECStatus rv;
+    
+    if (handle == NULL) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	rv = SECFailure;
+	goto loser;
+    }
+
+    rv = nsslowkey_CheckKeyDBPassword(handle, oldpwitem);
+    if ( rv != SECSuccess ) {
+	return(SECFailure);  /* return rv? */
+    }
+
+    rv = ChangeKeyDBPasswordAlg(handle, oldpwitem, newpwitem, 
+				nsslowkey_GetDefaultKeyDBAlg());
+
+loser:
+    return(rv);
+}
+    
+
+#define MAX_DB_SIZE 0xffff 
+/*
+ * Clear out all the keys in the existing database
+ */
+SECStatus
+nsslowkey_ResetKeyDB(NSSLOWKEYDBHandle *handle)
+{
+    SECStatus rv;
+    int ret;
+    int errors = 0;
+
+    if ( handle->db == NULL ) {
+	return(SECSuccess);
+    }
+
+    if (handle->readOnly) {
+	/* set an error code */
+	return SECFailure;
+     }
+
+    PORT_Assert(handle->dbname != NULL);
+    if (handle->dbname == NULL) {
+	return SECFailure;
+    }
+
+    (* handle->db->close)(handle->db);
+    handle->db = dbopen( handle->dbname,
+			     O_RDWR | O_CREAT | O_TRUNC, 0600, DB_HASH, 0 );
+    if (handle->db == NULL) {
+	/* set an error code */
+	return SECFailure;
+    }
+    
+    rv = makeGlobalVersion(handle);
+    if ( rv != SECSuccess ) {
+	errors++;
+	goto done;
+    }
+
+    rv = makeGlobalSalt(handle);
+    if ( rv != SECSuccess ) {
+	errors++;
+	goto done;
+    }
+
+    if (handle->global_salt) {
+	SECITEM_FreeItem(handle->global_salt,PR_TRUE);
+    }
+    handle->global_salt = GetKeyDBGlobalSalt(handle);
+
+done:
+    /* sync the database */
+    ret = (* handle->db->sync)(handle->db, 0);
+
+    return (errors == 0 ? SECSuccess : SECFailure);
+}
diff --git a/security/nss/lib/softoken/keydbi.h b/security/nss/lib/softoken/keydbi.h
new file mode 100644
index 000000000..5e8c70fe6
--- /dev/null
+++ b/security/nss/lib/softoken/keydbi.h
@@ -0,0 +1,80 @@
+/*
+ * private.h - Private data structures for the software token library
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#ifndef _KEYDBI_H_
+#define _KEYDBI_H_
+
+#include "nspr.h"
+#include "seccomon.h"
+#include "mcom_db.h"
+
+/*
+ * Handle structure for open key databases
+ */
+struct NSSLOWKEYDBHandleStr {
+    DB *db;
+    DB *updatedb;		/* used when updating an old version */
+    SECItem *global_salt;	/* password hashing salt for this db */
+    int version;		/* version of the database */
+    char *dbname;		/* name of the openned DB */
+    PRBool readOnly;		/* is the DB read only */
+};
+
+/*
+** Typedef for callback for traversing key database.
+**      "key" is the key used to index the data in the database (nickname)
+**      "data" is the key data
+**      "pdata" is the user's data 
+*/
+typedef SECStatus (* NSSLOWKEYTraverseKeysFunc)(DBT *key, DBT *data, void *pdata);
+
+
+SEC_BEGIN_PROTOS
+
+/*
+** Traverse the entire key database, and pass the nicknames and keys to a 
+** user supplied function.
+**      "f" is the user function to call for each key
+**      "udata" is the user's data, which is passed through to "f"
+*/
+extern SECStatus nsslowkey_TraverseKeys(NSSLOWKEYDBHandle *handle, 
+				NSSLOWKEYTraverseKeysFunc f,
+				void *udata);
+
+SEC_END_PROTOS
+
+#endif /* _KEYDBI_H_ */
diff --git a/security/nss/lib/softoken/lowcert.c b/security/nss/lib/softoken/lowcert.c
new file mode 100644
index 000000000..961f6a6f6
--- /dev/null
+++ b/security/nss/lib/softoken/lowcert.c
@@ -0,0 +1,495 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Certificate handling code
+ *
+ * $Id$
+ */
+
+#include "seccomon.h"
+#include "secder.h"
+#include "nssilock.h"
+#include "prmon.h"
+#include "prtime.h"
+#include "lowkeyi.h"
+#include "pcert.h"
+#include "secasn1.h"
+#include "secoid.h"
+
+/* should have been in a 'util' header */
+extern const SEC_ASN1Template CERT_ValidityTemplate[];
+
+static const SEC_ASN1Template nsslowcert_CertKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(NSSLOWCERTCertKey) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
+	  SEC_ASN1_CONTEXT_SPECIFIC | 0, 0, SEC_SkipTemplate },	/* version */ 
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWCERTCertKey,serialNumber) },
+    { SEC_ASN1_SKIP },		/* signature algorithm */
+    { SEC_ASN1_ANY, offsetof(NSSLOWCERTCertKey,derIssuer) },
+    { SEC_ASN1_SKIP_REST },
+    { 0 }
+};
+
+const SEC_ASN1Template nsslowcert_SubjectPublicKeyInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWCERTSubjectPublicKeyInfo) },
+    { SEC_ASN1_INLINE, offsetof(NSSLOWCERTSubjectPublicKeyInfo,algorithm),
+          SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_BIT_STRING,
+          offsetof(NSSLOWCERTSubjectPublicKeyInfo,subjectPublicKey), },
+    { 0, }
+};
+
+const SEC_ASN1Template nsslowcert_CertificateTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+      0, NULL, sizeof(NSSLOWCERTCertificate) },
+    { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
+          SEC_ASN1_CONTEXT_SPECIFIC | 0, 0, SEC_SkipTemplate }, /* version */
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWCERTCertificate,serialNumber) },
+    { SEC_ASN1_SKIP }, /* Signature algorithm */
+    { SEC_ASN1_ANY, offsetof(NSSLOWCERTCertificate,derIssuer) },
+    { SEC_ASN1_INLINE,
+          offsetof(NSSLOWCERTCertificate,validity),
+          CERT_ValidityTemplate },
+    { SEC_ASN1_ANY, offsetof(NSSLOWCERTCertificate,derSubject) },
+    { SEC_ASN1_INLINE,
+          offsetof(NSSLOWCERTCertificate,subjectPublicKeyInfo),
+          nsslowcert_SubjectPublicKeyInfoTemplate },
+    { SEC_ASN1_SKIP_REST },
+    { 0 }
+};
+const SEC_ASN1Template nsslowcert_SignedCertificateTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWCERTCertificate) },
+    { SEC_ASN1_INLINE, 0, nsslowcert_CertificateTemplate },
+    { SEC_ASN1_SKIP_REST },
+    { 0 }
+};
+const SEC_ASN1Template nsslowcert_SignedDataTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWCERTSignedData) },
+    { SEC_ASN1_ANY, offsetof(NSSLOWCERTSignedData,data), },
+    { SEC_ASN1_SKIP_REST },
+    { 0, }
+};
+const SEC_ASN1Template nsslowcert_RSAPublicKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPublicKey) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey,u.rsa.modulus), },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey,u.rsa.publicExponent), },
+    { 0, }
+};
+const SEC_ASN1Template nsslowcert_DSAPublicKeyTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey,u.dsa.publicValue), },
+    { 0, }
+};
+const SEC_ASN1Template nsslowcert_DHPublicKeyTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey,u.dh.publicValue), },
+    { 0, }
+};
+
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type.  This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+
+static void
+prepare_low_rsa_pub_key_for_asn1(NSSLOWKEYPublicKey *pubk)
+{
+    pubk->u.rsa.modulus.type = siUnsignedInteger;
+    pubk->u.rsa.publicExponent.type = siUnsignedInteger;
+}
+
+static void
+prepare_low_dsa_pub_key_for_asn1(NSSLOWKEYPublicKey *pubk)
+{
+    pubk->u.dsa.publicValue.type = siUnsignedInteger;
+    pubk->u.dsa.params.prime.type = siUnsignedInteger;
+    pubk->u.dsa.params.subPrime.type = siUnsignedInteger;
+    pubk->u.dsa.params.base.type = siUnsignedInteger;
+}
+
+static void
+prepare_low_dh_pub_key_for_asn1(NSSLOWKEYPublicKey *pubk)
+{
+    pubk->u.dh.prime.type = siUnsignedInteger;
+    pubk->u.dh.base.type = siUnsignedInteger;
+    pubk->u.dh.publicValue.type = siUnsignedInteger;
+}
+
+/*
+ * Allow use of default cert database, so that apps(such as mozilla) don't
+ * have to pass the handle all over the place.
+ */
+static NSSLOWCERTCertDBHandle *default_pcert_db_handle = 0;
+
+void
+nsslowcert_SetDefaultCertDB(NSSLOWCERTCertDBHandle *handle)
+{
+    default_pcert_db_handle = handle;
+    
+    return;
+}
+
+NSSLOWCERTCertDBHandle *
+nsslowcert_GetDefaultCertDB(void)
+{
+    return(default_pcert_db_handle);
+}
+
+
+SECStatus
+nsslowcert_GetCertTimes(NSSLOWCERTCertificate *c, PRTime *notBefore, PRTime *notAfter)
+{
+    int rv;
+    
+    /* convert DER not-before time */
+    rv = DER_UTCTimeToTime(notBefore, &c->validity.notBefore);
+    if (rv) {
+	return(SECFailure);
+    }
+    
+    /* convert DER not-after time */
+    rv = DER_UTCTimeToTime(notAfter, &c->validity.notAfter);
+    if (rv) {
+	return(SECFailure);
+    }
+
+    return(SECSuccess);
+}
+
+/*
+ * is certa newer than certb?  If one is expired, pick the other one.
+ */
+PRBool
+nsslowcert_IsNewer(NSSLOWCERTCertificate *certa, NSSLOWCERTCertificate *certb)
+{
+    PRTime notBeforeA, notAfterA, notBeforeB, notAfterB, now;
+    SECStatus rv;
+    PRBool newerbefore, newerafter;
+    
+    rv = nsslowcert_GetCertTimes(certa, &notBeforeA, &notAfterA);
+    if ( rv != SECSuccess ) {
+	return(PR_FALSE);
+    }
+    
+    rv = nsslowcert_GetCertTimes(certb, &notBeforeB, &notAfterB);
+    if ( rv != SECSuccess ) {
+	return(PR_TRUE);
+    }
+
+    newerbefore = PR_FALSE;
+    if ( LL_CMP(notBeforeA, >, notBeforeB) ) {
+	newerbefore = PR_TRUE;
+    }
+
+    newerafter = PR_FALSE;
+    if ( LL_CMP(notAfterA, >, notAfterB) ) {
+	newerafter = PR_TRUE;
+    }
+    
+    if ( newerbefore && newerafter ) {
+	return(PR_TRUE);
+    }
+    
+    if ( ( !newerbefore ) && ( !newerafter ) ) {
+	return(PR_FALSE);
+    }
+
+    /* get current UTC time */
+    now = PR_Now();
+
+    if ( newerbefore ) {
+	/* cert A was issued after cert B, but expires sooner */
+	/* if A is expired, then pick B */
+	if ( LL_CMP(notAfterA, <, now ) ) {
+	    return(PR_FALSE);
+	}
+	return(PR_TRUE);
+    } else {
+	/* cert B was issued after cert A, but expires sooner */
+	/* if B is expired, then pick A */
+	if ( LL_CMP(notAfterB, <, now ) ) {
+	    return(PR_TRUE);
+	}
+	return(PR_FALSE);
+    }
+}
+
+#define SOFT_DEFAULT_CHUNKSIZE 2048
+
+/*
+ * take a DER certificate and decode it into a certificate structure
+ */
+NSSLOWCERTCertificate *
+nsslowcert_DecodeDERCertificate(SECItem *derSignedCert, PRBool copyDER,
+			 char *nickname)
+{
+    NSSLOWCERTCertificate *cert;
+    PRArenaPool *arena;
+    void *data;
+    int rv;
+    int len;
+    
+    /* make a new arena */
+    arena = PORT_NewArena(SOFT_DEFAULT_CHUNKSIZE);
+    
+    if ( !arena ) {
+	return 0;
+    }
+
+    /* allocate the certificate structure */
+    cert = (NSSLOWCERTCertificate *)PORT_ArenaZAlloc(arena, sizeof(NSSLOWCERTCertificate));
+    
+    if ( !cert ) {
+	goto loser;
+    }
+    
+    cert->arena = arena;
+    
+    if ( copyDER ) {
+	/* copy the DER data for the cert into this arena */
+	data = (void *)PORT_ArenaAlloc(arena, derSignedCert->len);
+	if ( !data ) {
+	    goto loser;
+	}
+	cert->derCert.data = (unsigned char *)data;
+	cert->derCert.len = derSignedCert->len;
+	PORT_Memcpy(data, derSignedCert->data, derSignedCert->len);
+    } else {
+	/* point to passed in DER data */
+	cert->derCert = *derSignedCert;
+    }
+
+    /* decode the certificate info */
+    rv = SEC_ASN1DecodeItem(arena, cert, nsslowcert_SignedCertificateTemplate,
+                    &cert->derCert);
+
+    /* cert->subjectKeyID;	 x509v3 subject key identifier */
+    cert->dbEntry = NULL;
+    cert ->trust = NULL;
+
+    /* generate and save the database key for the cert */
+    rv = nsslowcert_KeyFromDERCert(arena, &cert->derCert, &cert->certKey);
+    if ( rv ) {
+	goto loser;
+    }
+
+    /* set the nickname */
+    if ( nickname == NULL ) {
+	cert->nickname = NULL;
+    } else {
+	/* copy and install the nickname */
+	len = PORT_Strlen(nickname) + 1;
+	cert->nickname = (char*)PORT_ArenaAlloc(arena, len);
+	if ( cert->nickname == NULL ) {
+	    goto loser;
+	}
+
+	PORT_Memcpy(cert->nickname, nickname, len);
+    }
+
+#ifdef FIXME
+    /* initialize the subjectKeyID */
+    rv = cert_GetKeyID(cert);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* set the email address */
+    cert->emailAddr = CERT_GetCertificateEmailAddress(cert);
+    
+#endif
+    
+    cert->referenceCount = 1;
+    
+    return(cert);
+    
+loser:
+
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(0);
+}
+
+char *
+nsslowcert_FixupEmailAddr(char *emailAddr)
+{
+    char *retaddr;
+    char *str;
+
+    if ( emailAddr == NULL ) {
+	return(NULL);
+    }
+    
+    /* copy the string */
+    str = retaddr = PORT_Strdup(emailAddr);
+    if ( str == NULL ) {
+	return(NULL);
+    }
+    
+    /* make it lower case */
+    while ( *str ) {
+	*str = tolower( *str );
+	str++;
+    }
+    
+    return(retaddr);
+}
+
+static SECStatus
+nsslowcert_KeyFromIssuerAndSN(PRArenaPool *arena, SECItem *issuer, SECItem *sn,
+			SECItem *key)
+{
+
+    key->len = sn->len + issuer->len;
+
+    key->data = (unsigned char*)PORT_ArenaAlloc(arena, key->len);
+    if ( !key->data ) {
+	goto loser;
+    }
+
+    /* copy the serialNumber */
+    PORT_Memcpy(key->data, sn->data, sn->len);
+
+    /* copy the issuer */
+    PORT_Memcpy(&key->data[sn->len], issuer->data, issuer->len);
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+
+
+/*
+ * Generate a database key, based on serial number and issuer, from a
+ * DER certificate.
+ */
+SECStatus
+nsslowcert_KeyFromDERCert(PRArenaPool *arena, SECItem *derCert, SECItem *key)
+{
+    int rv;
+    NSSLOWCERTSignedData sd;
+    NSSLOWCERTCertKey certkey;
+
+    PORT_Memset(&sd, 0, sizeof(NSSLOWCERTSignedData));    
+    PORT_Memset(&certkey, 0, sizeof(NSSLOWCERTCertKey));    
+
+    rv = SEC_ASN1DecodeItem(arena, &sd, nsslowcert_SignedDataTemplate, derCert);
+    
+    if ( rv ) {
+	goto loser;
+    }
+    
+    PORT_Memset(&certkey, 0, sizeof(NSSLOWCERTCertKey));
+    rv = SEC_ASN1DecodeItem(arena, &certkey, 
+					nsslowcert_CertKeyTemplate, &sd.data);
+
+    if ( rv ) {
+	goto loser;
+    }
+
+    return(nsslowcert_KeyFromIssuerAndSN(arena, &certkey.derIssuer,
+				   &certkey.serialNumber, key));
+loser:
+    return(SECFailure);
+}
+
+NSSLOWKEYPublicKey *
+nsslowcert_ExtractPublicKey(NSSLOWCERTCertificate *cert)
+{
+    NSSLOWCERTSubjectPublicKeyInfo *spki = &cert->subjectPublicKeyInfo;
+    NSSLOWKEYPublicKey *pubk;
+    SECItem os;
+    SECStatus rv;
+    PRArenaPool *arena;
+    SECOidTag tag;
+
+    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL)
+        return NULL;
+
+    pubk = (NSSLOWKEYPublicKey *) 
+		PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYPublicKey));
+    if (pubk == NULL) {
+        PORT_FreeArena (arena, PR_FALSE);
+        return NULL;
+    }
+
+    pubk->arena = arena;
+
+    /* Convert bit string length from bits to bytes */
+    os = spki->subjectPublicKey;
+    DER_ConvertBitString (&os);
+
+    tag = SECOID_GetAlgorithmTag(&spki->algorithm);
+    switch ( tag ) {
+      case SEC_OID_X500_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_RSA_ENCRYPTION:
+        pubk->keyType = NSSLOWKEYRSAKey;
+        prepare_low_rsa_pub_key_for_asn1(pubk);
+        rv = SEC_ASN1DecodeItem(arena, pubk, 
+				nsslowcert_RSAPublicKeyTemplate, &os);
+        if (rv == SECSuccess)
+            return pubk;
+        break;
+      case SEC_OID_ANSIX9_DSA_SIGNATURE:
+        pubk->keyType = NSSLOWKEYDSAKey;
+        prepare_low_dsa_pub_key_for_asn1(pubk);
+        rv = SEC_ASN1DecodeItem(arena, pubk,
+				 nsslowcert_DSAPublicKeyTemplate, &os);
+        if (rv == SECSuccess) return pubk;
+        break;
+      case SEC_OID_X942_DIFFIE_HELMAN_KEY:
+        pubk->keyType = NSSLOWKEYDHKey;
+        prepare_low_dh_pub_key_for_asn1(pubk);
+        rv = SEC_ASN1DecodeItem(arena, pubk,
+				 nsslowcert_DHPublicKeyTemplate, &os);
+        if (rv == SECSuccess) return pubk;
+        break;
+      default:
+        rv = SECFailure;
+        break;
+    }
+
+    nsslowkey_DestroyPublicKey (pubk);
+    return NULL;
+}
+
diff --git a/security/nss/lib/softoken/lowkey.c b/security/nss/lib/softoken/lowkey.c
new file mode 100644
index 000000000..1e3c6144b
--- /dev/null
+++ b/security/nss/lib/softoken/lowkey.c
@@ -0,0 +1,378 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#include "lowkeyi.h"
+#include "secoid.h"
+#include "secitem.h"
+#include "secder.h"
+#include "base64.h"
+#include "secasn1.h"
+#include "pcert.h"
+#include "secerr.h"
+
+
+const SEC_ASN1Template nsslowkey_PQGParamsTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(PQGParams) },
+    { SEC_ASN1_INTEGER, offsetof(PQGParams,prime) },
+    { SEC_ASN1_INTEGER, offsetof(PQGParams,subPrime) },
+    { SEC_ASN1_INTEGER, offsetof(PQGParams,base) },
+    { 0, }
+};
+
+const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.version) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.modulus) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.publicExponent) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.privateExponent) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.prime1) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.prime2) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.exponent1) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.exponent2) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.coefficient) },
+    { 0 }                                                                     
+};                                                                            
+
+
+const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.publicValue) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.privateValue) },
+    { 0, }
+};
+
+const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dsa.privateValue) },
+};
+
+const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[] = {
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.publicValue) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.privateValue) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.base) },
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.prime) },
+    { 0, }
+};
+
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type.  This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+
+void
+prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.rsa.modulus.type = siUnsignedInteger;
+    key->u.rsa.publicExponent.type = siUnsignedInteger;
+    key->u.rsa.privateExponent.type = siUnsignedInteger;
+    key->u.rsa.prime1.type = siUnsignedInteger;
+    key->u.rsa.prime2.type = siUnsignedInteger;
+    key->u.rsa.exponent1.type = siUnsignedInteger;
+    key->u.rsa.exponent2.type = siUnsignedInteger;
+    key->u.rsa.coefficient.type = siUnsignedInteger;
+}
+
+void
+prepare_low_pqg_params_for_asn1(PQGParams *params)
+{
+    params->prime.type = siUnsignedInteger;
+    params->subPrime.type = siUnsignedInteger;
+    params->base.type = siUnsignedInteger;
+}
+
+void
+prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.dsa.publicValue.type = siUnsignedInteger;
+    key->u.dsa.privateValue.type = siUnsignedInteger;
+    key->u.dsa.params.prime.type = siUnsignedInteger;
+    key->u.dsa.params.subPrime.type = siUnsignedInteger;
+    key->u.dsa.params.base.type = siUnsignedInteger;
+}
+
+void
+prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.dsa.privateValue.type = siUnsignedInteger;
+}
+
+void
+prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+    key->u.dh.prime.type = siUnsignedInteger;
+    key->u.dh.base.type = siUnsignedInteger;
+    key->u.dh.publicValue.type = siUnsignedInteger;
+    key->u.dh.privateValue.type = siUnsignedInteger;
+}
+
+void
+nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk)
+{
+    if (privk && privk->arena) {
+	PORT_FreeArena(privk->arena, PR_TRUE);
+    }
+}
+
+void
+nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *pubk)
+{
+    if (pubk && pubk->arena) {
+	PORT_FreeArena(pubk->arena, PR_FALSE);
+    }
+}
+unsigned
+nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
+{
+    unsigned char b0;
+
+    /* interpret modulus length as key strength... in
+     * fortezza that's the public key length */
+
+    switch (pubk->keyType) {
+    case NSSLOWKEYRSAKey:
+    	b0 = pubk->u.rsa.modulus.data[0];
+    	return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
+    default:
+	break;
+    }
+    return 0;
+}
+
+unsigned
+nsslowkey_PrivateModulusLen(NSSLOWKEYPrivateKey *privk)
+{
+
+    unsigned char b0;
+
+    switch (privk->keyType) {
+    case NSSLOWKEYRSAKey:
+	b0 = privk->u.rsa.modulus.data[0];
+	return b0 ? privk->u.rsa.modulus.len : privk->u.rsa.modulus.len - 1;
+    default:
+	break;
+    }
+    return 0;
+}
+
+NSSLOWKEYPublicKey *
+nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk)
+{
+    NSSLOWKEYPublicKey *pubk;
+    PLArenaPool *arena;
+
+
+    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+        PORT_SetError (SEC_ERROR_NO_MEMORY);
+        return NULL;
+    }
+
+    switch(privk->keyType) {
+      case NSSLOWKEYRSAKey:
+      case NSSLOWKEYNullKey:
+	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+						sizeof (NSSLOWKEYPublicKey));
+	if (pubk != NULL) {
+	    SECStatus rv;
+
+	    pubk->arena = arena;
+	    pubk->keyType = privk->keyType;
+	    if (privk->keyType == NSSLOWKEYNullKey) return pubk;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.rsa.modulus,
+				  &privk->u.rsa.modulus);
+	    if (rv == SECSuccess) {
+		rv = SECITEM_CopyItem (arena, &pubk->u.rsa.publicExponent,
+				       &privk->u.rsa.publicExponent);
+		if (rv == SECSuccess)
+		    return pubk;
+	    }
+	    nsslowkey_DestroyPublicKey (pubk);
+	} else {
+	    PORT_SetError (SEC_ERROR_NO_MEMORY);
+	}
+	break;
+      case NSSLOWKEYDSAKey:
+	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+						    sizeof(NSSLOWKEYPublicKey));
+	if (pubk != NULL) {
+	    SECStatus rv;
+
+	    pubk->arena = arena;
+	    pubk->keyType = privk->keyType;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.publicValue,
+				  &privk->u.dsa.publicValue);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
+				  &privk->u.dsa.params.prime);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime,
+				  &privk->u.dsa.params.subPrime);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base,
+				  &privk->u.dsa.params.base);
+	    if (rv == SECSuccess) return pubk;
+	}
+	break;
+      case NSSLOWKEYDHKey:
+	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+						    sizeof(NSSLOWKEYPublicKey));
+	if (pubk != NULL) {
+	    SECStatus rv;
+
+	    pubk->arena = arena;
+	    pubk->keyType = privk->keyType;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dh.publicValue,
+				  &privk->u.dh.publicValue);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dh.prime,
+				  &privk->u.dh.prime);
+	    if (rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(arena, &pubk->u.dh.base,
+				  &privk->u.dh.base);
+	    if (rv == SECSuccess) return pubk;
+	}
+	break;
+	/* No Fortezza in Low Key implementations (Fortezza keys aren't
+	 * stored in our data base */
+    default:
+	break;
+    }
+
+    PORT_FreeArena (arena, PR_FALSE);
+    return NULL;
+}
+
+NSSLOWKEYPrivateKey *
+nsslowkey_CopyPrivateKey(NSSLOWKEYPrivateKey *privKey)
+{
+    NSSLOWKEYPrivateKey *returnKey = NULL;
+    SECStatus rv = SECFailure;
+    PLArenaPool *poolp;
+
+    if(!privKey) {
+	return NULL;
+    }
+
+    poolp = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if(!poolp) {
+	return NULL;
+    }
+
+    returnKey = (NSSLOWKEYPrivateKey*)PORT_ArenaZAlloc(poolp, sizeof(NSSLOWKEYPrivateKey));
+    if(!returnKey) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    returnKey->keyType = privKey->keyType;
+    returnKey->arena = poolp;
+
+    switch(privKey->keyType) {
+	case NSSLOWKEYRSAKey:
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.modulus), 
+	    				&(privKey->u.rsa.modulus));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.version), 
+	    				&(privKey->u.rsa.version));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.publicExponent), 
+	    				&(privKey->u.rsa.publicExponent));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.privateExponent), 
+	    				&(privKey->u.rsa.privateExponent));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.prime1), 
+	    				&(privKey->u.rsa.prime1));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.prime2), 
+	    				&(privKey->u.rsa.prime2));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.exponent1), 
+	    				&(privKey->u.rsa.exponent1));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.exponent2), 
+	    				&(privKey->u.rsa.exponent2));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.coefficient), 
+	    				&(privKey->u.rsa.coefficient));
+	    if(rv != SECSuccess) break;
+	    break;
+	case NSSLOWKEYDSAKey:
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.publicValue),
+	    				&(privKey->u.dsa.publicValue));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.privateValue),
+	    				&(privKey->u.dsa.privateValue));
+	    if(rv != SECSuccess) break;
+	    returnKey->u.dsa.params.arena = poolp;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.params.prime),
+					&(privKey->u.dsa.params.prime));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.params.subPrime),
+					&(privKey->u.dsa.params.subPrime));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.params.base),
+					&(privKey->u.dsa.params.base));
+	    if(rv != SECSuccess) break;
+	    break;
+	case NSSLOWKEYDHKey:
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.publicValue),
+	    				&(privKey->u.dh.publicValue));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.privateValue),
+	    				&(privKey->u.dh.privateValue));
+	    if(rv != SECSuccess) break;
+	    returnKey->u.dsa.params.arena = poolp;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.prime),
+					&(privKey->u.dh.prime));
+	    if(rv != SECSuccess) break;
+	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.base),
+					&(privKey->u.dh.base));
+	    if(rv != SECSuccess) break;
+	    break;
+	default:
+	    rv = SECFailure;
+    }
+
+loser:
+
+    if(rv != SECSuccess) {
+	PORT_FreeArena(poolp, PR_TRUE);
+	returnKey = NULL;
+    }
+
+    return returnKey;
+}
diff --git a/security/nss/lib/softoken/lowkeyi.h b/security/nss/lib/softoken/lowkeyi.h
new file mode 100644
index 000000000..ccece767e
--- /dev/null
+++ b/security/nss/lib/softoken/lowkeyi.h
@@ -0,0 +1,266 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * key.h - public data structures and prototypes for the private key library
+ *
+ * $Id$
+ */
+
+#ifndef _LOWKEYI_H_
+#define _LOWKEYI_H_
+
+#include "prtypes.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "pcertt.h"
+#include "lowkeyti.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type.  This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+extern void prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_pqg_params_for_asn1(PQGParams *params);
+extern void prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+
+typedef char * (* NSSLOWKEYDBNameFunc)(void *arg, int dbVersion);
+    
+/*
+** Open a key database.
+*/
+extern NSSLOWKEYDBHandle *nsslowkey_OpenKeyDB(PRBool readOnly,
+					   NSSLOWKEYDBNameFunc namecb,
+					   void *cbarg);
+
+extern NSSLOWKEYDBHandle *nsslowkey_OpenKeyDBFilename(char *filename,
+						   PRBool readOnly);
+
+/*
+ * Clear out all the keys in the existing database
+ */
+extern SECStatus nsslowkey_ResetKeyDB(NSSLOWKEYDBHandle *handle);
+
+/*
+** Close the specified key database.
+*/
+extern void nsslowkey_CloseKeyDB(NSSLOWKEYDBHandle *handle);
+
+/*
+ * Get the version number of the database
+ */
+extern int nsslowkey_GetKeyDBVersion(NSSLOWKEYDBHandle *handle);
+
+/*
+** Support a default key database.
+*/
+extern void nsslowkey_SetDefaultKeyDB(NSSLOWKEYDBHandle *handle);
+extern NSSLOWKEYDBHandle *nsslowkey_GetDefaultKeyDB(void);
+
+/* set the alg id of the key encryption algorithm */
+extern void nsslowkey_SetDefaultKeyDBAlg(SECOidTag alg);
+
+/*
+ * given a password and salt, produce a hash of the password
+ */
+extern SECItem *nsslowkey_HashPassword(char *pw, SECItem *salt);
+
+/*
+ * Derive the actual password value for a key database from the
+ * password string value.  The derivation uses global salt value
+ * stored in the key database.
+ */
+extern SECItem *
+nsslowkey_DeriveKeyDBPassword(NSSLOWKEYDBHandle *handle, char *pw);
+
+/*
+** Delete a key from the database
+*/
+extern SECStatus nsslowkey_DeleteKey(NSSLOWKEYDBHandle *handle, 
+				  SECItem *pubkey);
+
+/*
+** Store a key in the database, indexed by its public key modulus.
+**	"pk" is the private key to store
+**	"f" is a the callback function for getting the password
+**	"arg" is the argument for the callback
+*/
+extern SECStatus nsslowkey_StoreKeyByPublicKey(NSSLOWKEYDBHandle *handle, 
+					    NSSLOWKEYPrivateKey *pk,
+					    SECItem *pubKeyData,
+					    char *nickname,
+					    SECItem *arg);
+
+/* does the key for this cert exist in the database filed by modulus */
+extern PRBool nsslowkey_KeyForCertExists(NSSLOWKEYDBHandle *handle,
+					 NSSLOWCERTCertificate *cert);
+
+extern SECStatus nsslowkey_HasKeyDBPassword(NSSLOWKEYDBHandle *handle);
+extern SECStatus nsslowkey_SetKeyDBPassword(NSSLOWKEYDBHandle *handle,
+				     SECItem *pwitem);
+extern SECStatus nsslowkey_CheckKeyDBPassword(NSSLOWKEYDBHandle *handle,
+					   SECItem *pwitem);
+extern SECStatus nsslowkey_ChangeKeyDBPassword(NSSLOWKEYDBHandle *handle,
+					    SECItem *oldpwitem,
+					    SECItem *newpwitem);
+
+/*
+** Destroy a private key object.
+**	"key" the object
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *key);
+
+/*
+** Destroy a public key object.
+**	"key" the object
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *key);
+
+/*
+** Return the modulus length of "pubKey".
+*/
+extern unsigned int nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubKey);
+
+
+/*
+** Return the modulus length of "privKey".
+*/
+extern unsigned int nsslowkey_PrivateModulusLen(NSSLOWKEYPrivateKey *privKey);
+
+
+/*
+** Convert a low private key "privateKey" into a public low key
+*/
+extern NSSLOWKEYPublicKey 
+		*nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privateKey);
+
+/*
+ * Set the Key Database password.
+ *   handle is a handle to the key database
+ *   pwitem is the new password
+ *   algorithm is the algorithm by which the key database 
+ *   	password is to be encrypted.
+ * On failure, SECFailure is returned, otherwise SECSuccess is 
+ * returned.
+ */
+extern SECStatus 
+nsslowkey_SetKeyDBPasswordAlg(NSSLOWKEYDBHandle *handle,
+			SECItem *pwitem, 
+			SECOidTag algorithm);
+
+/* Check the key database password.
+ *   handle is a handle to the key database
+ *   pwitem is the suspect password
+ *   algorithm is the algorithm by which the key database 
+ *   	password is to be encrypted.
+ * The password is checked against plaintext to see if it is the
+ * actual password.  If it is not, SECFailure is returned.
+ */
+extern SECStatus 
+nsslowkey_CheckKeyDBPasswordAlg(NSSLOWKEYDBHandle *handle,
+				SECItem *pwitem, 
+				SECOidTag algorithm);
+
+/* Change the key database password and/or algorithm by which
+ * the password is stored with.  
+ *   handle is a handle to the key database
+ *   old_pwitem is the current password
+ *   new_pwitem is the new password
+ *   old_algorithm is the algorithm by which the key database 
+ *   	password is currently encrypted.
+ *   new_algorithm is the algorithm with which the new password
+ *      is to be encrypted.
+ * A return of anything but SECSuccess indicates failure.
+ */
+extern SECStatus 
+nsslowkey_ChangeKeyDBPasswordAlg(NSSLOWKEYDBHandle *handle,
+			      SECItem *oldpwitem, SECItem *newpwitem,
+			      SECOidTag old_algorithm);
+
+SECStatus
+nsslowkey_UpdateNickname(NSSLOWKEYDBHandle *handle,
+                           NSSLOWKEYPrivateKey *privkey,
+                           SECItem *pubKeyData,
+                           char *nickname,
+                           SECItem *arg);
+
+/* Store key by modulus and specify an encryption algorithm to use.
+ *   handle is the pointer to the key database,
+ *   privkey is the private key to be stored,
+ *   f and arg are the function and arguments to the callback
+ *       to get a password,
+ *   algorithm is the algorithm which the privKey is to be stored.
+ * A return of anything but SECSuccess indicates failure.
+ */
+extern SECStatus 
+nsslowkey_StoreKeyByPublicKeyAlg(NSSLOWKEYDBHandle *handle, 
+			      NSSLOWKEYPrivateKey *privkey, 
+			      SECItem *pubKeyData,
+			      char *nickname,
+			      SECItem *arg,
+			      SECOidTag algorithm,
+                              PRBool update); 
+
+/* Find key by modulus.  This function is the inverse of store key
+ * by modulus.  An attempt to locate the key with "modulus" is 
+ * performed.  If the key is found, the private key is returned,
+ * else NULL is returned.
+ *   modulus is the modulus to locate
+ */
+extern NSSLOWKEYPrivateKey *
+nsslowkey_FindKeyByPublicKey(NSSLOWKEYDBHandle *handle, SECItem *modulus, 
+			  SECItem *arg);
+
+extern char *
+nsslowkey_FindKeyNicknameByPublicKey(NSSLOWKEYDBHandle *handle,
+                                        SECItem *modulus, SECItem *pwitem);
+
+
+/* Make a copy of a low private key in it's own arena.
+ * a return of NULL indicates an error.
+ */
+extern NSSLOWKEYPrivateKey *
+nsslowkey_CopyPrivateKey(NSSLOWKEYPrivateKey *privKey);
+
+
+SEC_END_PROTOS
+
+#endif /* _LOWKEYI_H_ */
diff --git a/security/nss/lib/softoken/lowkeyti.h b/security/nss/lib/softoken/lowkeyti.h
new file mode 100644
index 000000000..dc03c4cdf
--- /dev/null
+++ b/security/nss/lib/softoken/lowkeyti.h
@@ -0,0 +1,142 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#ifndef _LOWKEYTI_H_
+#define _LOWKEYTI_H_ 1
+
+#include "blapit.h"
+#include "prtypes.h"
+#include "plarena.h"
+#include "secitem.h"
+#include "secasn1t.h"
+#include "secoidt.h"
+/*#include "secmodt.h"
+#include "pkcs11t.h" */
+
+
+/*
+ * a key in/for the data base
+ */
+struct NSSLOWKEYDBKeyStr {
+    PLArenaPool *arena;
+    int version;
+    char *nickname;
+    SECItem salt;
+    SECItem derPK;
+};
+typedef struct NSSLOWKEYDBKeyStr NSSLOWKEYDBKey;
+
+typedef struct NSSLOWKEYDBHandleStr NSSLOWKEYDBHandle;
+
+#ifdef NSS_USE_KEY4_DB
+#define NSSLOWKEY_DB_FILE_VERSION 4
+#else
+#define NSSLOWKEY_DB_FILE_VERSION 3
+#endif
+
+#define NSSLOWKEY_VERSION	    0	/* what we *create* */
+
+/*
+** Typedef for callback to get a password "key".
+*/
+extern const SEC_ASN1Template nsslowkey_PQGParamsTemplate[];
+extern const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[];
+extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[];
+extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[];
+extern const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[];
+extern const SEC_ASN1Template nsslowkey_DHPrivateKeyExportTemplate[];
+
+extern const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[];
+extern const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[];
+
+
+/*
+** A PKCS#8 private key info object
+*/
+struct NSSLOWKEYPrivateKeyInfoStr {
+    PLArenaPool *arena;
+    SECItem version;
+    SECAlgorithmID algorithm;
+    SECItem privateKey;
+};
+typedef struct NSSLOWKEYPrivateKeyInfoStr NSSLOWKEYPrivateKeyInfo;
+#define NSSLOWKEY_PRIVATE_KEY_INFO_VERSION	0	/* what we *create* */
+
+/*
+** A PKCS#8 private key info object
+*/
+struct NSSLOWKEYEncryptedPrivateKeyInfoStr {
+    PLArenaPool *arena;
+    SECAlgorithmID algorithm;
+    SECItem encryptedData;
+};
+typedef struct NSSLOWKEYEncryptedPrivateKeyInfoStr NSSLOWKEYEncryptedPrivateKeyInfo;
+
+
+typedef enum { 
+    NSSLOWKEYNullKey = 0, 
+    NSSLOWKEYRSAKey = 1, 
+    NSSLOWKEYDSAKey = 2, 
+    NSSLOWKEYDHKey = 4
+} NSSLOWKEYType;
+
+/*
+** An RSA public key object.
+*/
+struct NSSLOWKEYPublicKeyStr {
+    PLArenaPool *arena;
+    NSSLOWKEYType keyType ;
+    union {
+        RSAPublicKey rsa;
+	DSAPublicKey dsa;
+	DHPublicKey  dh;
+    } u;
+};
+typedef struct NSSLOWKEYPublicKeyStr NSSLOWKEYPublicKey;
+
+/*
+** Low Level private key object
+** This is only used by the raw Crypto engines (crypto), keydb (keydb),
+** and PKCS #11. Everyone else uses the high level key structure.
+*/
+struct NSSLOWKEYPrivateKeyStr {
+    PLArenaPool *arena;
+    NSSLOWKEYType keyType;
+    union {
+        RSAPrivateKey rsa;
+	DSAPrivateKey dsa;
+	DHPrivateKey  dh;
+    } u;
+};
+typedef struct NSSLOWKEYPrivateKeyStr NSSLOWKEYPrivateKey;
+
+#endif	/* _LOWKEYTI_H_ */
diff --git a/security/nss/lib/softoken/lowpbe.c b/security/nss/lib/softoken/lowpbe.c
new file mode 100644
index 000000000..51831b4db
--- /dev/null
+++ b/security/nss/lib/softoken/lowpbe.c
@@ -0,0 +1,1181 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "plarena.h"
+
+#include "seccomon.h"
+#include "secitem.h"
+#include "secport.h"
+#include "hasht.h"
+#include "pkcs11t.h"
+#include "blapi.h"
+#include "hasht.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "lowpbe.h"
+#include "secoid.h"
+#include "alghmac.h"
+#include "softoken.h"
+#include "secerr.h"
+
+/* template for PKCS 5 PBE Parameter.  This template has been expanded
+ * based upon the additions in PKCS 12.  This should eventually be moved
+ * if RSA updates PKCS 5.
+ */
+static const SEC_ASN1Template NSSPKCS5PBEParameterTemplate[] =
+{
+    { SEC_ASN1_SEQUENCE, 
+	0, NULL, sizeof(NSSPKCS5PBEParameter) },
+    { SEC_ASN1_OCTET_STRING, 
+	offsetof(NSSPKCS5PBEParameter, salt) },
+    { SEC_ASN1_INTEGER,
+	offsetof(NSSPKCS5PBEParameter, iteration) },
+    { 0 }
+};
+
+static const SEC_ASN1Template NSSPKCS5PKCS12V2PBEParameterTemplate[] =
+{   
+    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSPKCS5PBEParameter) },
+    { SEC_ASN1_OCTET_STRING, offsetof(NSSPKCS5PBEParameter, salt) },
+    { SEC_ASN1_INTEGER, offsetof(NSSPKCS5PBEParameter, iteration) },
+    { 0 }
+};
+
+SECStatus
+nsspkcs5_HashBuf(const SECHashObject *hashObj, unsigned char *dest,
+					 unsigned char *src, int len)
+{
+    void *ctx;
+    unsigned int retLen;
+
+    ctx = hashObj->create();
+    if(ctx == NULL) {
+	return SECFailure;
+    }
+    hashObj->begin(ctx);
+    hashObj->update(ctx, src, len);
+    hashObj->end(ctx, dest, &retLen, hashObj->length);
+    hashObj->destroy(ctx, PR_TRUE);
+    return SECSuccess;
+}
+
+/* generate bits using any hash
+ */
+static SECItem *
+nsspkcs5_PBKDF1(const SECHashObject *hashObj, SECItem *salt, SECItem *pwd, 
+						int iter, PRBool faulty3DES) 
+{
+    SECItem *hash = NULL, *pre_hash = NULL;
+    SECStatus rv = SECFailure;
+
+    if((salt == NULL) || (pwd == NULL) || (iter < 0)) {
+	return NULL;
+    }
+	
+    hash = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    pre_hash = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+
+    if((hash != NULL) && (pre_hash != NULL)) {
+	int i, ph_len;
+
+	ph_len = hashObj->length;
+	if((salt->len + pwd->len) > hashObj->length) {
+	    ph_len = salt->len + pwd->len;
+	}
+
+	rv = SECFailure;
+
+	/* allocate buffers */
+	hash->data = (unsigned char *)PORT_ZAlloc(SHA1_LENGTH);
+	hash->len = hashObj->length;
+	pre_hash->data = (unsigned char *)PORT_ZAlloc(ph_len);
+
+	/* in pbeSHA1TripleDESCBC there was an allocation error that made
+	 * it into the caller.  We do not want to propagate those errors
+	 * further, so we are doing it correctly, but reading the old method.
+	 */
+	if (faulty3DES) {
+	    pre_hash->len = ph_len;
+	} else {
+	    pre_hash->len = salt->len + pwd->len;
+	}
+
+	/* preform hash */
+	if ((hash->data != NULL) && (pre_hash->data != NULL)) {
+	    rv = SECSuccess;
+	    /* check for 0 length password */
+	    if(pwd->len > 0) {
+		PORT_Memcpy(pre_hash->data, pwd->data, pwd->len);
+	    }
+	    if(salt->len > 0) {
+		PORT_Memcpy((pre_hash->data+pwd->len), salt->data, salt->len);
+	    }
+	    for(i = 0; ((i < iter) && (rv == SECSuccess)); i++) {
+		rv = nsspkcs5_HashBuf(hashObj, hash->data, 
+					pre_hash->data, pre_hash->len);
+		if(rv != SECFailure) {
+		    pre_hash->len = hashObj->length;
+		    PORT_Memcpy(pre_hash->data, hash->data, hashObj->length);
+		}
+	    }
+	}
+    }
+
+    if(pre_hash != NULL) {
+	SECITEM_FreeItem(pre_hash, PR_TRUE);
+    }
+
+    if((rv != SECSuccess) && (hash != NULL)) {
+	SECITEM_FreeItem(hash, PR_TRUE);
+	hash = NULL;
+    }
+
+    return hash;
+}
+
+/* this bit generation routine is described in PKCS 12 and the proposed
+ * extensions to PKCS 5.  an initial hash is generated following the
+ * instructions laid out in PKCS 5.  If the number of bits generated is
+ * insufficient, then the method discussed in the proposed extensions to
+ * PKCS 5 in PKCS 12 are used.  This extension makes use of the HMAC
+ * function.  And the P_Hash function from the TLS standard.
+ */
+static SECItem *
+nsspkcs5_PFXPBE(const SECHashObject *hashObj, NSSPKCS5PBEParameter *pbe_param,
+				SECItem *init_hash, unsigned int bytes_needed)
+{
+    SECItem *ret_bits = NULL;
+    int hash_size = 0;
+    unsigned int i;
+    unsigned int hash_iter;
+    unsigned int dig_len;
+    SECStatus rv = SECFailure;
+    unsigned char *state = NULL;
+    unsigned int state_len;
+    HMACContext *cx = NULL;
+
+    hash_size = hashObj->length;
+    hash_iter = (bytes_needed + (unsigned int)hash_size - 1) / hash_size;
+
+    /* allocate return buffer */
+    ret_bits = (SECItem  *)PORT_ZAlloc(sizeof(SECItem));
+    if(ret_bits == NULL)
+	return NULL;
+    ret_bits->data = (unsigned char *)PORT_ZAlloc((hash_iter * hash_size) + 1);
+    ret_bits->len = (hash_iter * hash_size);
+    if(ret_bits->data == NULL) {
+	PORT_Free(ret_bits);
+	return NULL;
+    }
+
+    /* allocate intermediate hash buffer.  8 is for the 8 bytes of
+     * data which are added based on iteration number 
+     */
+
+    if ((unsigned int)hash_size > pbe_param->salt.len) {
+	state_len = hash_size;
+    } else {
+	state_len = pbe_param->salt.len;
+    }
+    state = (unsigned char *)PORT_ZAlloc(state_len);
+    if(state == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+    if(pbe_param->salt.len > 0) {
+	PORT_Memcpy(state, pbe_param->salt.data, pbe_param->salt.len);
+    }
+
+    cx = HMAC_Create(hashObj, init_hash->data, init_hash->len);
+    if (cx == NULL) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    for(i = 0; i < hash_iter; i++) { 
+
+	/* generate output bits */
+	HMAC_Begin(cx);
+	HMAC_Update(cx, state, state_len);
+	HMAC_Update(cx, pbe_param->salt.data, pbe_param->salt.len);
+	rv = HMAC_Finish(cx, ret_bits->data + (i * hash_size),
+			 &dig_len, hash_size);
+	if (rv != SECSuccess)
+	    goto loser;
+	PORT_Assert((unsigned int)hash_size == dig_len);
+
+	/* generate new state */
+	HMAC_Begin(cx);
+	HMAC_Update(cx, state, state_len);
+	rv = HMAC_Finish(cx, state, &state_len, state_len);
+	if (rv != SECSuccess)
+	    goto loser;
+	PORT_Assert(state_len == dig_len);
+    }
+
+loser:
+    if (state != NULL)
+	PORT_ZFree(state, state_len);
+    HMAC_Destroy(cx);
+
+    if(rv != SECSuccess) {
+	SECITEM_ZfreeItem(ret_bits, PR_TRUE);
+	ret_bits = NULL;
+    }
+
+    return ret_bits;
+}
+
+/* generate bits for the key and iv determination.  if enough bits
+ * are not generated using PKCS 5, then we need to generate more bits
+ * based on the extension proposed in PKCS 12
+ */
+static SECItem *
+nsspkcs5_PBKDF1Extended(const SECHashObject *hashObj,
+	 NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem, PRBool faulty3DES)
+{
+    SECItem * hash 		= NULL;
+    SECItem * newHash 		= NULL;
+    int       bytes_needed;
+    int       bytes_available;
+    
+    bytes_needed = pbe_param->ivLen + pbe_param->keyLen;
+    bytes_available = hashObj->length;
+    
+    hash = nsspkcs5_PBKDF1(hashObj, &pbe_param->salt, pwitem, 
+						pbe_param->iter, faulty3DES);
+
+    if(hash == NULL) {
+	return NULL;
+    }
+
+    if(bytes_needed <= bytes_available) {
+	return hash;
+    } 
+
+    newHash = nsspkcs5_PFXPBE(hashObj, pbe_param, hash, bytes_needed);
+    if (hash != newHash)
+	SECITEM_FreeItem(hash, PR_TRUE);
+    return newHash;
+}
+
+#ifdef PBKDF2
+
+/*
+ * PBDKDF2 is PKCS #5 v2.0 it's currently not used by NSS
+ */
+/*
+ * We This is safe because hLen for all our
+ * HMAC algorithms are multiples of 4.
+ */
+static void
+xorbytes(unsigned char *dest, unsigned char *src, int len)
+{
+#ifdef PARANOIA
+    while (len--) {
+    	*dest = *dest ^ *src;
+	dest++;
+	src++;
+    }
+#else
+    PRUInt32 dest32 = (PRUInt32 *)dest;
+    PRUInt32 src32 = (PRUInt32 *)dest;
+    while (len -= sizeof(PRUInt32)) {
+    	*dest32 = *dest32 ^ *src32;
+	dest++;
+	src++;
+    }
+#endif
+}
+
+static SECStatus
+nsspkcs5_PBKFD2_F(const SECHashObject *hashobj, SECItem *pwitem, SECItem *salt,
+			int iterations, unsigned int i, unsigned char *T)
+{
+    int j;
+    HMACContext *cx = NULL;
+    unsigned int hLen = hashObject->length
+    SECStatus rv = SECFailure;
+    unsigned char *last = NULL;
+    int lastLength = salt->len + 4;
+
+    cx=HMAC_Create(hashobj,pwitem->data,pwitem->len);
+    if (cx == NULL) {
+	goto loser;
+    }
+    PORT_Memset(T,0,hLen);
+    realLastLength= MAX(lastLength,hLen);
+    last = PORT_Alloc(realLastLength);
+    if (last == NULL) {
+	goto loser;
+    }
+    PORT_Memcpy(last,salt.data,salt.len);
+    last[salt->len  ] = (i >> 24) & 0xff;
+    last[salt->len+1] = (i >> 16) & 0xff;
+    last[salt->len+2] = (i >> 8) & 0xff;
+    last[salt->len+3] =    i  & 0xff;
+
+    /* NOTE: we need at least one iteration to return success! */
+    for (j=0; j < interations; j++) {
+	rv =HMAC_Begin(cx);
+	if (rv !=SECSuccess) {
+	   break;
+	}
+	HMAC_Update(cx,last,lastLength);
+	rv =HMAC_Finish(cx,last,&lastLength,hLen);
+	if (rv !=SECSuccess) {
+	   break;
+	}
+	do_xor(T,last,hLen);
+    }
+loser:
+    if (cx) {
+	HMAC_DestroyContext(cx);
+    }
+    if (last) {
+	PORT_ZFree(last,reaLastLength);
+    }
+    return rv;
+}
+
+static SECItem *
+nsspkcs5_PBKFD2(const SECHashObject *hashObj, NSSPKCS5PBEParameter *pbe_param, 
+							SECItem *pwitem)
+{
+    unsigned int dkLen = bytesNeeded;
+    unsigned int hLen = hashObject->length
+    unsigned int l = (dkLen+hLen-1) / hLen;
+    unsigned char *rp;
+    SECItem *result;
+    SECItem *salt = pbe_param->salt;
+    int interations = pbe_param->iter;
+    int bytesNeeded = pbe_param->keyLen;
+
+    result = SECITEM_AllocItem(NULL,NULL,l*hLen);
+    if (result == NULL) {
+	return NULL;
+    }
+
+    T = PORT_Alloc(hLen);
+    if (T == NULL) {
+	goto loser;
+    }
+
+    for (i=0,rp=results->data; i < l ; i++, rp +=hLen) {
+	rv = nsspkcs5_PBKFD2_F(hashobj,pwitem,salt,iterations,i,T);
+	if (rv != SECSuccess) {
+	    break;
+	}
+	PORT_Memcpy(rp,T,hLen);
+    }
+
+loser:
+    if (T) {
+	PORT_ZFree(T);
+    }
+    if (rv != SECSuccess) {
+	SECITEM_FreeITEM(result,PR_TRUE);
+	result = NULL;
+    } else {
+	result->len = dkLen;
+    }
+	
+    return result;
+}
+#endif
+
+#define HMAC_BUFFER 64
+#define NSSPBE_ROUNDUP(x,y) ((((x)+((y)-1))/(y))*(y))
+#define NSSPBE_MIN(x,y) ((x) < (y) ? (x) : (y))
+/*
+ * This is the extended PBE function defined by the final PKCS #12 spec.
+ */
+static SECItem *
+nsspkcs5_PKCS12PBE(const SECHashObject *hashObject, 
+		   NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem, 
+		   PBEBitGenID bitGenPurpose, unsigned int bytesNeeded)
+{
+    PRArenaPool *arena = NULL;
+    unsigned int SLen,PLen;
+    unsigned int hashLength = hashObject->length;
+    unsigned char *S, *P;
+    SECItem *A = NULL, B, D, I;
+    SECItem *salt = &pbe_param->salt;
+    unsigned int c,i = 0;
+    unsigned int hashLen, iter;
+    unsigned char *iterBuf;
+    void *hash = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if(!arena) {
+	return NULL;
+    }
+
+    /* how many hash object lengths are needed */
+    c = (bytesNeeded + (hashLength-1))/hashLength;
+
+    /* initialize our buffers */
+    D.len = HMAC_BUFFER;
+    /* B and D are the same length, use one alloc go get both */
+    D.data = (unsigned char*)PORT_ArenaZAlloc(arena, D.len*2);
+    B.len = D.len;
+    B.data = D.data + D.len;
+
+    /* if all goes well, A will be returned, so don't use our temp arena */
+    A = SECITEM_AllocItem(NULL,NULL,c*hashLength);
+    if (A == NULL) {
+	goto loser;
+    }
+    
+    SLen = NSSPBE_ROUNDUP(salt->len,HMAC_BUFFER);
+    PLen = NSSPBE_ROUNDUP(pwitem->len,HMAC_BUFFER);
+    I.len = SLen+PLen;
+    I.data = (unsigned char*)PORT_ArenaZAlloc(arena, I.len);
+    if (I.data == NULL) {
+	goto loser;
+    }
+
+    /* S & P are only used to initialize I */
+    S = I.data;
+    P = S + SLen;
+
+    PORT_Memset(D.data, (char)bitGenPurpose, D.len);
+    if (SLen) {
+	for (i=0; i < SLen; i += salt->len) {
+	    PORT_Memcpy(S+i, salt->data, NSSPBE_MIN(SLen-i,salt->len));
+	}
+    } 
+    if (PLen) {
+	for (i=0; i < PLen; i += pwitem->len) {
+	    PORT_Memcpy(P+i, pwitem->data, NSSPBE_MIN(PLen-i,pwitem->len));
+	}
+    } 
+
+    iterBuf = (unsigned char*)PORT_ArenaZAlloc(arena,hashLength);
+    if (iterBuf == NULL) {
+	goto loser;
+    }
+
+    hash = hashObject->create();
+    if(!hash) {
+	goto loser;
+    }
+    /* calculate the PBE now */
+    for(i = 0; i < c; i++) {
+	int Bidx;	/* must be signed or the for loop won't terminate */
+	unsigned int k, j;
+	unsigned char *Ai = A->data+i*hashLength;
+
+
+	for(iter = 0; iter < pbe_param->iter; iter++) {
+	    hashObject->begin(hash);
+
+	    if (iter) {
+		hashObject->update(hash, iterBuf, hashLen);
+	    } else {
+		hashObject->update(hash, D.data, D.len);
+		hashObject->update(hash, I.data, I.len); 
+	    }
+
+	    hashObject->end(hash, iterBuf, &hashLen, hashObject->length);
+	    if(hashLen != hashObject->length) {
+		break;
+	    }
+	}
+
+	PORT_Memcpy(Ai, iterBuf, hashLength);
+	for (Bidx = 0; Bidx < B.len; Bidx += hashLength) {
+	    PORT_Memcpy(B.data+Bidx,iterBuf,NSSPBE_MIN(B.len-Bidx,hashLength));
+	}
+
+	k = I.len/B.len;
+	for(j = 0; j < k; j++) {
+	    unsigned int q, carryBit;
+	    unsigned char *Ij = I.data + j*B.len;
+
+	    /* (Ij = Ij+B+1) */
+	    for (Bidx = (B.len-1), q=1, carryBit=0; Bidx >= 0; Bidx--,q=0) {
+		q += (unsigned int)Ij[Bidx];
+		q += (unsigned int)B.data[Bidx];
+		q += carryBit;
+
+		carryBit = (q > 0xff);
+		Ij[Bidx] = (unsigned char)(q & 0xff);
+	    }
+	}
+    }
+loser:
+    if (hash) {
+    	hashObject->destroy(hash, PR_TRUE);
+    }
+    if(arena) {
+	PORT_FreeArena(arena, PR_TRUE);
+    }
+
+    /* if i != c, then we didn't complete the loop above and must of failed
+     * somwhere along the way */
+    if (i != c) {
+	SECITEM_ZfreeItem(A,PR_TRUE);
+	A = NULL;
+    } else {
+    	A->len = bytesNeeded;
+    }
+    
+    return A;
+}
+
+/*
+ * generate key as per PKCS 5
+ */
+SECItem *
+nsspkcs5_ComputeKeyAndIV(NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem,
+		      SECItem *iv, PRBool faulty3DES)
+{
+    SECItem *hash = NULL, *key = NULL;
+    const SECHashObject *hashObj;
+    PRBool getIV = PR_FALSE;
+
+    if((pbe_param == NULL) || (pwitem == NULL)) {
+	return NULL;
+    }
+
+    key = SECITEM_AllocItem(NULL,NULL,pbe_param->keyLen);
+    if (key == NULL) {
+	return NULL;
+    }
+
+    if ((pbe_param->ivLen) && (iv->data == NULL)) {
+	getIV = PR_TRUE;
+    	iv->data = (unsigned char *)PORT_Alloc(pbe_param->ivLen);
+    	if (iv->data == NULL) {
+	    goto loser;
+	}
+	iv->len = pbe_param->ivLen;
+    }
+
+    hashObj = &SECRawHashObjects[pbe_param->hashType];
+    switch (pbe_param->pbeType) {
+    case NSSPKCS5_PBKDF1:
+	hash = nsspkcs5_PBKDF1Extended(hashObj,pbe_param,pwitem,faulty3DES);
+	if (hash == NULL) {
+	    goto loser;
+	}
+	PORT_Assert(hash->len >= key->len+iv->len);
+	if (getIV) {
+	    PORT_Memcpy(iv->data, hash->data+(hash->len - iv->len),iv->len);
+	}
+    	break;
+#ifdef PBKDF2
+    case NSSPKCS5_PBKDF2:
+	hash = nsspkcs5_PBKDF2(hashObj,pbe_param,pwitem);
+	PORT_Assert(!getIV);
+    	break;
+#endif
+    case NSSPKCS5_PKCS12_V2:
+	if (getIV) {
+	    hash = nsspkcs5_PKCS12PBE(hashObj,pbe_param,pwitem,
+						pbeBitGenCipherIV,iv->len);
+	    if (hash == NULL) {
+		goto loser;
+	    }
+	    PORT_Memcpy(iv->data,hash->data,iv->len);
+	    SECITEM_ZfreeItem(hash,PR_TRUE);
+	    hash = NULL;
+	}
+	hash = nsspkcs5_PKCS12PBE(hashObj,pbe_param,pwitem,
+						pbe_param->keyID,key->len);
+    default:
+	break;
+    }
+
+    if (hash == NULL) {
+	goto loser;
+    }
+
+    if (pbe_param->is2KeyDES) {
+	PORT_Memcpy(key->data, hash->data, (key->len * 2) / 3);
+	PORT_Memcpy(&(key->data[(key->len  * 2) / 3]), key->data,
+		    key->len / 3);
+    } else {
+	PORT_Memcpy(key->data, hash->data, key->len);
+    }
+
+    SECITEM_FreeItem(hash, PR_TRUE);
+    return key;
+
+loser:
+    if (getIV && iv->data) {
+	PORT_ZFree(iv->data,iv->len);
+	iv->data = NULL;
+    }
+
+    SECITEM_ZfreeItem(key, PR_TRUE);
+    return NULL;
+}
+
+static SECStatus
+nsspkcs5_FillInParam(SECOidTag algorithm, NSSPKCS5PBEParameter *pbe_param)
+{
+    PRBool skipType = PR_FALSE;
+
+    pbe_param->keyLen = 5;
+    pbe_param->ivLen = 8;
+    pbe_param->hashType = HASH_AlgSHA1;
+    pbe_param->pbeType = NSSPKCS5_PBKDF1;
+    pbe_param->encAlg = SEC_OID_RC2_CBC;
+    pbe_param->is2KeyDES = PR_FALSE;
+    switch(algorithm) {
+    /* DES3 Algorithms */
+    case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
+	pbe_param->is2KeyDES = PR_TRUE;
+	/* fall through */
+    case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
+	pbe_param->pbeType = NSSPKCS5_PKCS12_V2;
+	/* fall through */
+    case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC:
+	pbe_param->keyLen = 24;
+	pbe_param->encAlg = SEC_OID_DES_EDE3_CBC;
+	break;
+
+    /* DES Algorithms */
+    case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
+    	pbe_param->hashType = HASH_AlgMD2;
+	goto finish_des;
+    case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
+    	pbe_param->hashType = HASH_AlgMD5;
+	/* fall through */
+    case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC:
+finish_des:
+	pbe_param->keyLen = 8;
+	pbe_param->encAlg =  SEC_OID_DES_CBC;
+	break;
+
+    /* RC2 Algorithms */
+    case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
+	pbe_param->keyLen = 16;
+	/* fall through */
+    case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
+	pbe_param->pbeType = NSSPKCS5_PKCS12_V2;
+	break;
+    case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
+	pbe_param->keyLen = 16;
+	/* fall through */
+    case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
+	break;
+
+    /* RC4 algorithms */
+    case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4:
+	skipType = PR_TRUE;
+	/* fall through */
+    case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
+	pbe_param->keyLen = 16;
+	/* fall through */
+    case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4:
+	if (!skipType) {
+    	    pbe_param->pbeType = NSSPKCS5_PKCS12_V2;
+	}
+	/* fall through */
+    case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4:
+        pbe_param->ivLen = 0;
+        pbe_param->encAlg =  SEC_OID_RC4;
+        break;
+    default:
+        return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+/* decode the algid and generate a PKCS 5 parameter from it
+ */
+NSSPKCS5PBEParameter *
+nsspkcs5_NewParam(SECOidTag alg, SECItem *salt, int iterator)
+{
+    PRArenaPool *arena = NULL;
+    NSSPKCS5PBEParameter *pbe_param = NULL;
+    SECStatus rv = SECFailure;
+
+    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if (arena == NULL)
+	return NULL;
+
+    /* allocate memory for the parameter */
+    pbe_param = (NSSPKCS5PBEParameter *)PORT_ArenaZAlloc(arena, 
+	sizeof(NSSPKCS5PBEParameter));
+
+    if (pbe_param == NULL) {
+	goto loser;
+    }
+
+    pbe_param->poolp = arena;
+
+    rv = nsspkcs5_FillInParam(alg, pbe_param);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    pbe_param->iter = iterator;
+    if (salt) {
+	rv = SECITEM_CopyItem(arena,&pbe_param->salt,salt);
+    }
+
+    /* default key gen */
+    pbe_param->keyID = pbeBitGenCipherKey;
+
+loser:
+    if (rv != SECSuccess) {
+	PORT_FreeArena(arena, PR_TRUE);
+	pbe_param = NULL;
+    }
+
+    return pbe_param;
+}
+
+/* decode the algid and generate a PKCS 5 parameter from it
+ */
+NSSPKCS5PBEParameter *
+nsspkcs5_AlgidToParam(SECAlgorithmID *algid)
+{
+    NSSPKCS5PBEParameter *pbe_param = NULL;
+    SECOidTag algorithm;
+    SECStatus rv = SECFailure;
+
+    if (algid == NULL) {
+	return NULL;
+    }
+
+    algorithm = SECOID_GetAlgorithmTag(algid);
+    if (algorithm == SEC_OID_UNKNOWN) {
+	goto loser;
+    }
+
+    pbe_param = nsspkcs5_NewParam(algorithm, NULL, 1);
+    if (pbe_param == NULL) {
+	goto loser;
+    }
+
+    /* decode parameter */
+    rv = SECFailure;
+    switch (pbe_param->pbeType) {
+    case NSSPKCS5_PBKDF1:
+	rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param, 
+	    NSSPKCS5PBEParameterTemplate, &algid->parameters);
+	break;
+    case NSSPKCS5_PKCS12_V2:
+	rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param, 
+		NSSPKCS5PKCS12V2PBEParameterTemplate, &algid->parameters);
+	break;
+    case NSSPKCS5_PBKDF2:
+	break;
+    }
+
+loser:
+    if (rv == SECSuccess) {
+    	pbe_param->iter = DER_GetInteger(&pbe_param->iteration);
+    } else {
+	nsspkcs5_DestroyPBEParameter(pbe_param);
+	pbe_param = NULL;
+    }
+
+    return pbe_param;
+}
+
+/* destroy a pbe parameter.  it assumes that the parameter was 
+ * generated using the appropriate create function and therefor
+ * contains an arena pool.
+ */
+void 
+nsspkcs5_DestroyPBEParameter(NSSPKCS5PBEParameter *pbe_param)
+{
+    if (pbe_param != NULL) {
+	PORT_FreeArena(pbe_param->poolp, PR_TRUE);
+    }
+}
+
+
+/* crypto routines */
+/* perform DES encryption and decryption.  these routines are called
+ * by nsspkcs5_CipherData.  In the case of an error, NULL is returned.
+ */
+static SECItem *
+sec_pkcs5_des(SECItem *key, SECItem *iv, SECItem *src, PRBool triple_des, 
+								PRBool encrypt)
+{
+    SECItem *dest;
+    SECItem *dup_src;
+    SECStatus rv = SECFailure;
+    int pad;
+
+    if((src == NULL) || (key == NULL) || (iv == NULL))
+	return NULL;
+
+    dup_src = SECITEM_DupItem(src);
+    if(dup_src == NULL) {
+	return NULL;
+    }
+
+    if(encrypt != PR_FALSE) {
+	void *dummy;
+
+	dummy = DES_PadBuffer(NULL, dup_src->data, 
+	    dup_src->len, &dup_src->len);
+	if(dummy == NULL) {
+	    SECITEM_FreeItem(dup_src, PR_TRUE);
+	    return NULL;
+	}
+	dup_src->data = (unsigned char*)dummy;
+    }
+
+    dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    if(dest != NULL) {
+	/* allocate with over flow */
+	dest->data = (unsigned char *)PORT_ZAlloc(dup_src->len + 64);
+	if(dest->data != NULL) {
+	    DESContext *ctxt;
+	    ctxt = DES_CreateContext(key->data, iv->data, 
+			(triple_des ? NSS_DES_EDE3_CBC : NSS_DES_CBC), 
+			encrypt);
+	
+	    if(ctxt != NULL) {
+		rv = ((encrypt != PR_TRUE) ? DES_Decrypt : DES_Encrypt)(
+			ctxt, dest->data, &dest->len,
+			dup_src->len + 64, dup_src->data, dup_src->len);
+
+		/* remove padding -- assumes 64 bit blocks */
+		if((encrypt == PR_FALSE) && (rv == SECSuccess)) {
+		    pad = dest->data[dest->len-1];
+		    if((pad > 0) && (pad <= 8)) {
+			if(dest->data[dest->len-pad] != pad) {
+			    rv = SECFailure;
+			    PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+			} else {
+			    dest->len -= pad;
+			}
+		    } else {
+			rv = SECFailure;
+			PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+		    }
+		}
+		DES_DestroyContext(ctxt, PR_TRUE);
+	    }
+	}
+    }
+
+    if(rv == SECFailure) {
+	if(dest != NULL) {
+	    SECITEM_FreeItem(dest, PR_TRUE);
+	}
+	dest = NULL;
+    }
+
+    if(dup_src != NULL) {
+	SECITEM_FreeItem(dup_src, PR_TRUE);
+    }
+
+    return dest;
+}
+
+/* perform rc2 encryption/decryption if an error occurs, NULL is returned
+ */
+static SECItem *
+sec_pkcs5_rc2(SECItem *key, SECItem *iv, SECItem *src, PRBool dummy, 
+								PRBool encrypt)
+{
+    SECItem *dest;
+    SECItem *dup_src;
+    SECStatus rv = SECFailure;
+    int pad;
+
+    if((src == NULL) || (key == NULL) || (iv == NULL)) {
+	return NULL;
+    }
+
+    dup_src = SECITEM_DupItem(src);
+    if(dup_src == NULL) {
+	return NULL;
+    }
+
+    if(encrypt != PR_FALSE) {
+	void *dummy;
+
+	dummy = DES_PadBuffer(NULL, dup_src->data, 
+			      dup_src->len, &dup_src->len);
+	if(dummy == NULL) {
+	    SECITEM_FreeItem(dup_src, PR_TRUE);
+	    return NULL;
+	}
+	dup_src->data = (unsigned char*)dummy;
+    }
+
+    dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    if(dest != NULL) {
+	dest->data = (unsigned char *)PORT_ZAlloc(dup_src->len + 64);
+	if(dest->data != NULL) {
+	    RC2Context *ctxt;
+
+	    ctxt = RC2_CreateContext(key->data, key->len, iv->data,
+					 	NSS_RC2_CBC, key->len);
+
+	    if(ctxt != NULL) {
+		rv = ((encrypt != PR_TRUE) ? RC2_Decrypt : RC2_Encrypt)(
+			ctxt, dest->data, &dest->len,
+			dup_src->len + 64, dup_src->data, dup_src->len);
+
+		/* assumes 8 byte blocks  -- remove padding */	
+		if((rv == SECSuccess) && (encrypt != PR_TRUE)) {
+		    pad = dest->data[dest->len-1];
+		    if((pad > 0) && (pad <= 8)) {
+			if(dest->data[dest->len-pad] != pad) {
+			    PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+			    rv = SECFailure;
+			} else {
+			    dest->len -= pad;
+			}
+		    } else {
+			PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+			rv = SECFailure;
+		    }
+		}
+
+	    }
+	}
+    }
+
+    if((rv != SECSuccess) && (dest != NULL)) {
+	SECITEM_FreeItem(dest, PR_TRUE);
+	dest = NULL;
+    }
+
+    if(dup_src != NULL) {
+	SECITEM_FreeItem(dup_src, PR_TRUE);
+    }
+
+    return dest;
+}
+
+/* perform rc4 encryption and decryption */
+static SECItem *
+sec_pkcs5_rc4(SECItem *key, SECItem *iv, SECItem *src, PRBool dummy_op,
+								 PRBool encrypt)
+{
+    SECItem *dest;
+    SECStatus rv = SECFailure;
+
+    if((src == NULL) || (key == NULL) || (iv == NULL)) {
+	return NULL;
+    }
+
+    dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+    if(dest != NULL) {
+	dest->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) *
+	    (src->len + 64));
+	if(dest->data != NULL) {
+	    RC4Context *ctxt;
+
+	    ctxt = RC4_CreateContext(key->data, key->len);
+	    if(ctxt) { 
+		rv = ((encrypt != PR_FALSE) ? RC4_Decrypt : RC4_Encrypt)(
+				ctxt, dest->data, &dest->len,
+				src->len + 64, src->data, src->len);
+		RC4_DestroyContext(ctxt, PR_TRUE);
+	    }
+	}
+    }
+
+    if((rv != SECSuccess) && (dest)) {
+	SECITEM_FreeItem(dest, PR_TRUE);
+	dest = NULL;
+    }
+
+    return dest;
+}
+/* function pointer template for crypto functions */
+typedef SECItem *(* pkcs5_crypto_func)(SECItem *key, SECItem *iv,
+                                         SECItem *src, PRBool op1, PRBool op2);
+
+/* performs the cipher operation on the src and returns the result.
+ * if an error occurs, NULL is returned. 
+ *
+ * a null length password is allowed.  this corresponds to encrypting
+ * the data with ust the salt.
+ */
+/* change this to use PKCS 11? */
+SECItem *
+nsspkcs5_CipherData(NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem, 
+		    SECItem *src, PRBool encrypt, PRBool *update)
+{
+    SECItem *key = NULL, iv;
+    SECItem *dest = NULL;
+    PRBool tripleDES = PR_TRUE;
+    pkcs5_crypto_func cryptof;
+
+    iv.data = NULL;
+
+    if (update) { 
+        *update = PR_FALSE;
+    }
+
+    if ((pwitem == NULL) || (src == NULL)) {
+	return NULL;
+    }
+
+    /* get key, and iv */
+    key = nsspkcs5_ComputeKeyAndIV(pbe_param, pwitem, &iv, PR_FALSE);
+    if(key == NULL) {
+	return NULL;
+    }
+
+    switch(pbe_param->encAlg) {
+    case SEC_OID_DES_EDE3_CBC:
+	cryptof = sec_pkcs5_des;
+	tripleDES = PR_TRUE;
+	break;
+    case SEC_OID_DES_CBC:
+	cryptof = sec_pkcs5_des;
+	tripleDES = PR_FALSE;
+	break;
+    case SEC_OID_RC2_CBC:
+	cryptof = sec_pkcs5_rc2;
+	break;
+    case SEC_OID_RC4:
+	cryptof = sec_pkcs5_rc4;
+	break;
+    default:
+	cryptof = NULL;
+	break;
+    }
+
+    if (cryptof == NULL) {
+	goto loser;
+    }
+
+    dest = (*cryptof)(key, &iv, src, tripleDES, encrypt);
+    /* 
+     * it's possible for some keys and keydb's to claim to
+     * be triple des when they're really des. In this case
+     * we simply try des. If des works we set the update flag
+     * so the key db knows it needs to update all it's entries.
+     *  The case can only happen on decrypted of a 
+     *  SEC_OID_DES_EDE3_CBD.
+     */
+    if ((dest == NULL) && (encrypt == PR_FALSE) && 
+				(pbe_param->encAlg == SEC_OID_DES_EDE3_CBC)) {
+	dest = (*cryptof)(key, &iv, src, PR_FALSE, encrypt);
+	if (update && (dest != NULL)) *update = PR_TRUE;
+    }
+
+loser:
+    if (key != NULL) {
+	SECITEM_ZfreeItem(key, PR_TRUE);
+    }
+    if (iv.data != NULL) {
+	SECITEM_ZfreeItem(&iv, PR_FALSE);
+    }
+
+    return dest;
+}
+
+/* creates a algorithm ID containing the PBE algorithm and appropriate
+ * parameters.  the required parameter is the algorithm.  if salt is
+ * not specified, it is generated randomly.  if IV is specified, it overrides
+ * the PKCS 5 generation of the IV.  
+ *
+ * the returned SECAlgorithmID should be destroyed using 
+ * SECOID_DestroyAlgorithmID
+ */
+SECAlgorithmID *
+nsspkcs5_CreateAlgorithmID(PRArenaPool *arena, SECOidTag algorithm, 
+					NSSPKCS5PBEParameter *pbe_param)
+{
+    SECAlgorithmID *algid, *ret_algid = NULL;
+    SECItem der_param;
+    SECStatus rv = SECFailure;
+    void *dummy = NULL;
+
+    if (arena == NULL) {
+	return NULL;
+    }
+
+    der_param.data = NULL;
+    der_param.len = 0;
+
+    /* generate the algorithm id */
+    algid = (SECAlgorithmID *)PORT_ArenaZAlloc(arena, sizeof(SECAlgorithmID));
+    if (algid == NULL) {
+	goto loser;
+    }
+
+    if (pbe_param->iteration.data == NULL) {
+	dummy = SEC_ASN1EncodeInteger(pbe_param->poolp,&pbe_param->iteration,
+								pbe_param->iter);
+	if (dummy == NULL) {
+	    goto loser;
+	}
+    }
+    switch (pbe_param->pbeType) {
+    case NSSPKCS5_PBKDF1:
+	dummy = SEC_ASN1EncodeItem(arena, &der_param, pbe_param,
+					NSSPKCS5PBEParameterTemplate);
+	break;
+    case NSSPKCS5_PKCS12_V2:
+	dummy = SEC_ASN1EncodeItem(arena, &der_param, pbe_param,
+	    				NSSPKCS5PKCS12V2PBEParameterTemplate);
+	break;
+    default:
+	break;
+    }
+
+    if (dummy == NULL) {
+	goto loser;
+    }
+	
+    rv = SECOID_SetAlgorithmID(arena, algid, algorithm, &der_param);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    ret_algid = (SECAlgorithmID *)PORT_ZAlloc(sizeof(SECAlgorithmID));
+    if (ret_algid == NULL) {
+	goto loser;
+    }
+
+    rv = SECOID_CopyAlgorithmID(NULL, ret_algid, algid);
+    if (rv != SECSuccess) {
+	SECOID_DestroyAlgorithmID(ret_algid, PR_TRUE);
+	ret_algid = NULL;
+    }
+
+loser:	
+
+    return ret_algid;
+}
diff --git a/security/nss/lib/softoken/lowpbe.h b/security/nss/lib/softoken/lowpbe.h
new file mode 100644
index 000000000..8ddee11a6
--- /dev/null
+++ b/security/nss/lib/softoken/lowpbe.h
@@ -0,0 +1,132 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _SECPKCS5_H_
+#define _SECPKCS5_H_
+
+#include "plarena.h"
+#include "secitem.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "hasht.h"
+
+typedef SECItem * (* SEC_PKCS5GetPBEPassword)(void *arg);
+
+/* used for V2 PKCS 12 Draft Spec */ 
+typedef enum {
+    pbeBitGenIDNull = 0,
+    pbeBitGenCipherKey = 0x01,
+    pbeBitGenCipherIV = 0x02,
+    pbeBitGenIntegrityKey = 0x03
+} PBEBitGenID;
+
+typedef enum {
+    NSSPKCS5_PBKDF1 = 0,
+    NSSPKCS5_PBKDF2 = 1,
+    NSSPKCS5_PKCS12_V2 = 2
+} NSSPKCS5PBEType;
+
+typedef struct NSSPKCS5PBEParameterStr NSSPKCS5PBEParameter;
+
+struct NSSPKCS5PBEParameterStr {
+    PRArenaPool *poolp;
+    SECItem	salt;		/* octet string */
+    SECItem	iteration;	/* integer */
+
+    /* used locally */
+    int		iter;
+    int 	keyLen;
+    int		ivLen;
+    HASH_HashType hashType;
+    NSSPKCS5PBEType pbeType;
+    PBEBitGenID	keyID;
+    SECOidTag	encAlg;
+    PRBool	is2KeyDES;
+};
+
+
+SEC_BEGIN_PROTOS
+/* Create a PKCS5 Algorithm ID
+ * The algorithm ID is set up using the PKCS #5 parameter structure
+ *  algorithm is the PBE algorithm ID for the desired algorithm
+ *  pbe is a pbe param block with all the info needed to create the 
+ *   algorithm id.
+ * If an error occurs or the algorithm specified is not supported 
+ * or is not a password based encryption algorithm, NULL is returned.
+ * Otherwise, a pointer to the algorithm id is returned.
+ */
+extern SECAlgorithmID *
+nsspkcs5_CreateAlgorithmID(PRArenaPool *arena, SECOidTag algorithm, 
+						NSSPKCS5PBEParameter *pbe);
+
+/*
+ * Convert an Algorithm ID to a PBE Param.
+ * NOTE: this does not suppport PKCS 5 v2 because it's only used for the
+ * keyDB which only support PKCS 5 v1, PFX, and PKCS 12.
+ */
+NSSPKCS5PBEParameter *
+nsspkcs5_AlgidToParam(SECAlgorithmID *algid);
+
+/*
+ * Convert an Algorithm ID to a PBE Param.
+ * NOTE: this does not suppport PKCS 5 v2 because it's only used for the
+ * keyDB which only support PKCS 5 v1, PFX, and PKCS 12.
+ */
+NSSPKCS5PBEParameter *
+nsspkcs5_NewParam(SECOidTag alg, SECItem *salt, int iterator);
+
+
+/* Encrypt/Decrypt data using password based encryption.  
+ *  algid is the PBE algorithm identifier,
+ *  pwitem is the password,
+ *  src is the source for encryption/decryption,
+ *  encrypt is PR_TRUE for encryption, PR_FALSE for decryption.
+ * The key and iv are generated based upon PKCS #5 then the src
+ * is either encrypted or decrypted.  If an error occurs, NULL
+ * is returned, otherwise the ciphered contents is returned.
+ */
+extern SECItem *
+nsspkcs5_CipherData(NSSPKCS5PBEParameter *, SECItem *pwitem,
+		    SECItem *src, PRBool encrypt, PRBool *update);
+
+extern SECItem *
+nsspkcs5_ComputeKeyAndIV(NSSPKCS5PBEParameter *, SECItem *pwitem,
+		    			SECItem *iv, PRBool faulty3DES);
+
+/* Destroys PBE parameter */
+extern void
+nsspkcs5_DestroyPBEParameter(NSSPKCS5PBEParameter *param);
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/softoken/manifest.mn b/security/nss/lib/softoken/manifest.mn
new file mode 100644
index 000000000..59da34782
--- /dev/null
+++ b/security/nss/lib/softoken/manifest.mn
@@ -0,0 +1,87 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CORE_DEPTH = ../../..
+
+MODULE = security
+
+REQUIRES = dbm
+
+LIBRARY_NAME = softokn
+LIBRARY_VERSION = 3
+MAPFILE = $(OBJDIR)/softokn.def
+
+#
+# turn this on to get key4 generation and use.
+#
+# key4.db is properly indexed so we don't have to do db traversals to find keys.
+# turning on key4.db will automatically upgrade to key4 on startup if we open
+# the directory R/W and key4.db doesn't exist. If we open the directory up
+# R/O it opens and used the old key3.db without any update at all.
+#
+#DEFINES += -DNSS_USE_KEY4_DB
+
+
+EXPORTS = \
+	pkcs11.h \
+	pkcs11f.h \
+	pkcs11p.h \
+	pkcs11t.h \
+	pkcs11n.h \
+	pkcs11u.h \
+	$(NULL)
+
+PRIVATE_EXPORTS = \
+	alghmac.h \
+	pk11pars.h \
+	pkcs11i.h \
+	$(NULL)
+
+CSRCS = \
+	alghmac.c \
+	dbinit.c \
+	fipstest.c \
+	fipstokn.c \
+	keydb.c    \
+	lowcert.c  \
+	lowkey.c   \
+	lowpbe.c   \
+	padbuf.c   \
+	pcertdb.c \
+	pk11db.c \
+	pkcs11.c   \
+	pkcs11c.c  \
+	pkcs11u.c  \
+	rawhash.c \
+	rsawrapr.c  \
+	softkver.c  \
+	$(NULL)
diff --git a/security/nss/lib/softoken/padbuf.c b/security/nss/lib/softoken/padbuf.c
new file mode 100644
index 000000000..a4e28947a
--- /dev/null
+++ b/security/nss/lib/softoken/padbuf.c
@@ -0,0 +1,77 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#include "blapit.h"
+#include "secport.h"
+#include "secerr.h"
+
+/*
+ * Prepare a buffer for DES encryption, growing to the appropriate boundary,
+ * filling with the appropriate padding.
+ *
+ * NOTE: If arena is non-NULL, we re-allocate from there, otherwise
+ * we assume (and use) XP memory (re)allocation.
+ */
+unsigned char *
+DES_PadBuffer(PRArenaPool *arena, unsigned char *inbuf, unsigned int inlen,
+	      unsigned int *outlen)
+{
+    unsigned char *outbuf;
+    unsigned int   des_len;
+    unsigned int   i;
+    unsigned char  des_pad_len;
+
+    /*
+     * We need from 1 to DES_KEY_LENGTH bytes -- we *always* grow.
+     * The extra bytes contain the value of the length of the padding:
+     * if we have 2 bytes of padding, then the padding is "0x02, 0x02".
+     */
+    des_len = (inlen + DES_KEY_LENGTH) & ~(DES_KEY_LENGTH - 1);
+
+    if (arena != NULL) {
+	outbuf = (unsigned char*)PORT_ArenaGrow (arena, inbuf, inlen, des_len);
+    } else {
+	outbuf = (unsigned char*)PORT_Realloc (inbuf, des_len);
+    }
+
+    if (outbuf == NULL) {
+	PORT_SetError (SEC_ERROR_NO_MEMORY);
+	return NULL;
+    }
+
+    des_pad_len = des_len - inlen;
+    for (i = inlen; i < des_len; i++)
+	outbuf[i] = des_pad_len;
+
+    *outlen = des_len;
+    return outbuf;
+}
diff --git a/security/nss/lib/softoken/pcert.h b/security/nss/lib/softoken/pcert.h
new file mode 100644
index 000000000..d7e48004e
--- /dev/null
+++ b/security/nss/lib/softoken/pcert.h
@@ -0,0 +1,198 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _PCERTDB_H_
+#define _PCERTDB_H_
+
+#include "plarena.h"
+#include "prlong.h"
+#include "pcertt.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+** Add a DER encoded certificate to the permanent database.
+**	"derCert" is the DER encoded certificate.
+**	"nickname" is the nickname to use for the cert
+**	"trust" is the trust parameters for the cert
+*/
+SECStatus nsslowcert_AddPermCert(NSSLOWCERTCertDBHandle *handle, 
+			NSSLOWCERTCertificate *cert,
+				char *nickname, NSSLOWCERTCertTrust *trust);
+
+SECStatus nsslowcert_DeletePermCertificate(NSSLOWCERTCertificate *cert);
+
+typedef SECStatus (PR_CALLBACK * PermCertCallback)(NSSLOWCERTCertificate *cert,
+                                                   SECItem *k, void *pdata);
+/*
+** Traverse the entire permanent database, and pass the certs off to a
+** user supplied function.
+**	"certfunc" is the user function to call for each certificate
+**	"udata" is the user's data, which is passed through to "certfunc"
+*/
+SECStatus
+nsslowcert_TraversePermCerts(NSSLOWCERTCertDBHandle *handle,
+		      PermCertCallback certfunc,
+		      void *udata );
+
+PRBool
+nsslowcert_CertDBKeyConflict(SECItem *derCert, NSSLOWCERTCertDBHandle *handle);
+
+SECItem *
+nsslowcert_FindCrlByKey(NSSLOWCERTCertDBHandle *handle, SECItem *crlKey,
+				 		char **urlp, PRBool isKRL);
+
+SECStatus
+nsslowcert_DeletePermCRL(NSSLOWCERTCertDBHandle *handle,SECItem *derName,
+								PRBool isKRL);
+SECStatus
+nsslowcert_AddCrl(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl ,
+				SECItem *derKey, char *url, PRBool isKRL);
+
+NSSLOWCERTCertDBHandle *nsslowcert_GetDefaultCertDB();
+NSSLOWKEYPublicKey *nsslowcert_ExtractPublicKey(NSSLOWCERTCertificate *);
+
+NSSLOWCERTCertificate *
+nsslowcert_NewTempCertificate(NSSLOWCERTCertDBHandle *handle, SECItem *derCert,
+                        char *nickname, PRBool isperm, PRBool copyDER);
+NSSLOWCERTCertificate *
+nsslowcert_DupCertificate(NSSLOWCERTCertificate *cert);
+void nsslowcert_DestroyCertificate(NSSLOWCERTCertificate *cert);
+
+/*
+ * Lookup a certificate in the databases without locking
+ *	"certKey" is the database key to look for
+ *
+ * XXX - this should be internal, but pkcs 11 needs to call it during a
+ * traversal.
+ */
+NSSLOWCERTCertificate *
+nsslowcert_FindCertByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey);
+
+/*
+** Generate a certificate key from the issuer and serialnumber, then look it
+** up in the database.  Return the cert if found.
+**	"issuerAndSN" is the issuer and serial number to look for
+*/
+extern NSSLOWCERTCertificate *
+nsslowcert_FindCertByIssuerAndSN (NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN);
+
+/*
+** Find a certificate in the database by a DER encoded certificate
+**	"derCert" is the DER encoded certificate
+*/
+extern NSSLOWCERTCertificate *
+nsslowcert_FindCertByDERCert(NSSLOWCERTCertDBHandle *handle, SECItem *derCert);
+
+/* convert an email address to lower case */
+char *nsslowcert_FixupEmailAddr(char *emailAddr);
+
+/*
+** Decode a DER encoded certificate into an NSSLOWCERTCertificate structure
+**      "derSignedCert" is the DER encoded signed certificate
+**      "copyDER" is true if the DER should be copied, false if the
+**              existing copy should be referenced
+**      "nickname" is the nickname to use in the database.  If it is NULL
+**              then a temporary nickname is generated.
+*/
+extern NSSLOWCERTCertificate *
+nsslowcert_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nickname);
+
+SECStatus
+nsslowcert_KeyFromDERCert(PRArenaPool *arena, SECItem *derCert, SECItem *key);
+
+certDBEntrySMime *
+nsslowcert_ReadDBSMimeEntry(NSSLOWCERTCertDBHandle *certHandle,
+							 char *emailAddr);
+void
+nsslowcert_DestroyDBEntry(certDBEntry *entry);
+
+SECStatus
+nsslowcert_OpenCertDB(NSSLOWCERTCertDBHandle *handle, PRBool readOnly,
+                NSSLOWCERTDBNameFunc namecb, void *cbarg, PRBool openVolatile);
+
+void
+nsslowcert_ClosePermCertDB(NSSLOWCERTCertDBHandle *handle);
+
+/*
+ * is certa newer than certb?  If one is expired, pick the other one.
+ */
+PRBool
+nsslowcert_IsNewer(NSSLOWCERTCertificate *certa, NSSLOWCERTCertificate *certb);
+
+
+SECStatus
+nsslowcert_TraverseDBEntries(NSSLOWCERTCertDBHandle *handle,
+		      certDBEntryType type,
+		      SECStatus (* callback)(SECItem *data, SECItem *key,
+					    certDBEntryType type, void *pdata),
+		      void *udata );
+SECStatus
+nsslowcert_TraversePermCertsForSubject(NSSLOWCERTCertDBHandle *handle,
+				 SECItem *derSubject,
+				 NSSLOWCERTCertCallback cb, void *cbarg);
+int
+nsslowcert_NumPermCertsForSubject(NSSLOWCERTCertDBHandle *handle,
+							 SECItem *derSubject);
+SECStatus
+nsslowcert_TraversePermCertsForNickname(NSSLOWCERTCertDBHandle *handle,
+	 	char *nickname, NSSLOWCERTCertCallback cb, void *cbarg);
+
+int
+nsslowcert_NumPermCertsForNickname(NSSLOWCERTCertDBHandle *handle, 
+							char *nickname);
+SECStatus
+nsslowcert_GetCertTrust(NSSLOWCERTCertificate *cert,
+					 NSSLOWCERTCertTrust *trust);
+
+SECStatus
+nsslowcert_SaveSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle, char *emailAddr, 
+	SECItem *derSubject, SECItem *emailProfile, SECItem *profileTime);
+
+/*
+ * Change the trust attributes of a certificate and make them permanent
+ * in the database.
+ */
+SECStatus
+nsslowcert_ChangeCertTrust(NSSLOWCERTCertDBHandle *handle, 
+	  	NSSLOWCERTCertificate *cert, NSSLOWCERTCertTrust *trust);
+
+PRBool
+nsslowcert_hasTrust(NSSLOWCERTCertificate *cert);
+
+void
+nsslowcert_DestroyGlobalLocks(void);
+
+SEC_END_PROTOS
+
+ #endif /* _PCERTDB_H_ */
diff --git a/security/nss/lib/softoken/pcertdb.c b/security/nss/lib/softoken/pcertdb.c
new file mode 100644
index 000000000..b392d36a3
--- /dev/null
+++ b/security/nss/lib/softoken/pcertdb.c
@@ -0,0 +1,4495 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Permanent Certificate database handling code 
+ *
+ * $Id$
+ */
+#include "prtime.h"
+
+#include "lowkeyti.h"
+#include "pcert.h"
+#include "mcom_db.h"
+#include "pcert.h"
+#include "secitem.h"
+#include "secder.h"
+
+/* Call to PK11_FreeSlot below */
+
+#include "secasn1.h"
+#include "secerr.h"
+#include "nssilock.h"
+#include "prmon.h"
+#include "nsslocks.h"
+#include "base64.h"
+#include "sechash.h"
+#include "plhash.h"
+
+#include "cdbhdl.h"
+
+/* forward declaration */
+NSSLOWCERTCertificate *
+nsslowcert_FindCertByDERCertNoLocking(NSSLOWCERTCertDBHandle *handle, SECItem *derCert);
+
+/*
+ * the following functions are wrappers for the db library that implement
+ * a global lock to make the database thread safe.
+ */
+static PZLock *dbLock = NULL;
+
+void
+certdb_InitDBLock(NSSLOWCERTCertDBHandle *handle)
+{
+    if (dbLock == NULL) {
+	nss_InitLock(&dbLock, nssILockCertDB);
+	PORT_Assert(dbLock != NULL);
+    }
+
+    return;
+}
+
+/*
+ * Acquire the global lock on the cert database.
+ * This lock is currently used for the following operations:
+ *	adding or deleting a cert to either the temp or perm databases
+ *	converting a temp to perm or perm to temp
+ *	changing (maybe just adding!?) the trust of a cert
+ *      chaning the DB status checking Configuration
+ */
+static void
+nsslowcert_LockDB(NSSLOWCERTCertDBHandle *handle)
+{
+    PZ_EnterMonitor(handle->dbMon);
+    return;
+}
+
+/*
+ * Free the global cert database lock.
+ */
+static void
+nsslowcert_UnlockDB(NSSLOWCERTCertDBHandle *handle)
+{
+    PRStatus prstat;
+    
+    prstat = PZ_ExitMonitor(handle->dbMon);
+    
+    PORT_Assert(prstat == PR_SUCCESS);
+    
+    return;
+}
+
+static PZLock *certRefCountLock = NULL;
+
+/*
+ * Acquire the cert reference count lock
+ * There is currently one global lock for all certs, but I'm putting a cert
+ * arg here so that it will be easy to make it per-cert in the future if
+ * that turns out to be necessary.
+ */
+static void
+nsslowcert_LockCertRefCount(NSSLOWCERTCertificate *cert)
+{
+    if ( certRefCountLock == NULL ) {
+	nss_InitLock(&certRefCountLock, nssILockRefLock);
+	PORT_Assert(certRefCountLock != NULL);
+    }
+    
+    PZ_Lock(certRefCountLock);
+    return;
+}
+
+/*
+ * Free the cert reference count lock
+ */
+static void
+nsslowcert_UnlockCertRefCount(NSSLOWCERTCertificate *cert)
+{
+    PRStatus prstat;
+
+    PORT_Assert(certRefCountLock != NULL);
+    
+    prstat = PZ_Unlock(certRefCountLock);
+    
+    PORT_Assert(prstat == PR_SUCCESS);
+
+    return;
+}
+
+static PZLock *certTrustLock = NULL;
+
+/*
+ * Acquire the cert trust lock
+ * There is currently one global lock for all certs, but I'm putting a cert
+ * arg here so that it will be easy to make it per-cert in the future if
+ * that turns out to be necessary.
+ */
+void
+nsslowcert_LockCertTrust(NSSLOWCERTCertificate *cert)
+{
+    if ( certTrustLock == NULL ) {
+	nss_InitLock(&certTrustLock, nssILockCertDB);
+	PORT_Assert(certTrustLock != NULL);
+    }
+    
+    PZ_Lock(certTrustLock);
+    return;
+}
+
+/*
+ * Free the cert trust lock
+ */
+void
+nsslowcert_UnlockCertTrust(NSSLOWCERTCertificate *cert)
+{
+    PRStatus prstat;
+
+    PORT_Assert(certTrustLock != NULL);
+    
+    prstat = PZ_Unlock(certTrustLock);
+    
+    PORT_Assert(prstat == PR_SUCCESS);
+
+    return;
+}
+
+NSSLOWCERTCertificate *
+nsslowcert_DupCertificate(NSSLOWCERTCertificate *c)
+{
+    if (c) {
+	nsslowcert_LockCertRefCount(c);
+	++c->referenceCount;
+	nsslowcert_UnlockCertRefCount(c);
+    }
+    return c;
+}
+
+static int
+certdb_Get(DB *db, DBT *key, DBT *data, unsigned int flags)
+{
+    PRStatus prstat;
+    int ret;
+    
+    PORT_Assert(dbLock != NULL);
+    PZ_Lock(dbLock);
+    
+    ret = (* db->get)(db, key, data, flags);
+
+    prstat = PZ_Unlock(dbLock);
+
+    return(ret);
+}
+
+static int
+certdb_Put(DB *db, DBT *key, DBT *data, unsigned int flags)
+{
+    PRStatus prstat;
+    int ret;
+
+    PORT_Assert(dbLock != NULL);
+    PZ_Lock(dbLock);
+
+    ret = (* db->put)(db, key, data, flags);
+    
+    prstat = PZ_Unlock(dbLock);
+
+    return(ret);
+}
+
+static int
+certdb_Sync(DB *db, unsigned int flags)
+{
+    PRStatus prstat;
+    int ret;
+
+    PORT_Assert(dbLock != NULL);
+    PZ_Lock(dbLock);
+
+    ret = (* db->sync)(db, flags);
+    
+    prstat = PZ_Unlock(dbLock);
+
+    return(ret);
+}
+
+static int
+certdb_Del(DB *db, DBT *key, unsigned int flags)
+{
+    PRStatus prstat;
+    int ret;
+
+    PORT_Assert(dbLock != NULL);
+    PZ_Lock(dbLock);
+
+    ret = (* db->del)(db, key, flags);
+    
+    prstat = PZ_Unlock(dbLock);
+
+    return(ret);
+}
+
+static int
+certdb_Seq(DB *db, DBT *key, DBT *data, unsigned int flags)
+{
+    PRStatus prstat;
+    int ret;
+    
+    PORT_Assert(dbLock != NULL);
+    PZ_Lock(dbLock);
+    
+    ret = (* db->seq)(db, key, data, flags);
+
+    prstat = PZ_Unlock(dbLock);
+
+    return(ret);
+}
+
+static void
+certdb_Close(DB *db)
+{
+    PRStatus prstat;
+
+    PORT_Assert(dbLock != NULL);
+    PZ_Lock(dbLock);
+
+    (* db->close)(db);
+    
+    prstat = PZ_Unlock(dbLock);
+
+    return;
+}
+
+/* forward references */
+static void nsslowcert_DestroyCertificateNoLocking(NSSLOWCERTCertificate *cert);
+
+static SECStatus
+DeleteDBEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryType type, SECItem *dbkey)
+{
+    DBT key;
+    int ret;
+
+    /* init the database key */
+    key.data = dbkey->data;
+    key.size = dbkey->len;
+    
+    dbkey->data[0] = (unsigned char)type;
+
+    /* delete entry from database */
+    ret = certdb_Del(handle->permCertDB, &key, 0 );
+    if ( ret != 0 ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+
+    ret = certdb_Sync(handle->permCertDB, 0);
+    if ( ret ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+
+    return(SECSuccess);
+    
+loser:
+    return(SECFailure);
+}
+
+static SECStatus
+ReadDBEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryCommon *entry,
+	    SECItem *dbkey, SECItem *dbentry, PRArenaPool *arena)
+{
+    DBT data, key;
+    int ret;
+    unsigned char *buf;
+    
+    /* init the database key */
+    key.data = dbkey->data;
+    key.size = dbkey->len;
+    
+    dbkey->data[0] = (unsigned char)entry->type;
+
+    /* read entry from database */
+    ret = certdb_Get(handle->permCertDB, &key, &data, 0 );
+    if ( ret != 0 ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    
+    /* validate the entry */
+    if ( data.size < SEC_DB_ENTRY_HEADER_LEN ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    buf = (unsigned char *)data.data;
+    if ( buf[0] != (unsigned char)CERT_DB_FILE_VERSION ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    if ( buf[1] != (unsigned char)entry->type ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+
+    /* copy out header information */
+    entry->version = (unsigned int)buf[0];
+    entry->type = (certDBEntryType)buf[1];
+    entry->flags = (unsigned int)buf[2];
+    
+    /* format body of entry for return to caller */
+    dbentry->len = data.size - SEC_DB_ENTRY_HEADER_LEN;
+    if ( dbentry->len ) {
+	dbentry->data = (unsigned char *)PORT_ArenaAlloc(arena, dbentry->len);
+	if ( dbentry->data == NULL ) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+    
+	PORT_Memcpy(dbentry->data, &buf[SEC_DB_ENTRY_HEADER_LEN],
+		  dbentry->len);
+    } else {
+	dbentry->data = NULL;
+    }
+    
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/**
+ ** Implement low level database access
+ **/
+static SECStatus
+WriteDBEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryCommon *entry,
+	     SECItem *dbkey, SECItem *dbentry)
+{
+    int ret;
+    DBT data, key;
+    unsigned char *buf;
+    
+    data.data = dbentry->data;
+    data.size = dbentry->len;
+    
+    buf = (unsigned char*)data.data;
+    
+    buf[0] = (unsigned char)entry->version;
+    buf[1] = (unsigned char)entry->type;
+    buf[2] = (unsigned char)entry->flags;
+    
+    key.data = dbkey->data;
+    key.size = dbkey->len;
+    
+    dbkey->data[0] = (unsigned char)entry->type;
+
+    /* put the record into the database now */
+    ret = certdb_Put(handle->permCertDB, &key, &data, 0);
+
+    if ( ret != 0 ) {
+	goto loser;
+    }
+
+    ret = certdb_Sync( handle->permCertDB, 0 );
+    
+    if ( ret ) {
+	goto loser;
+    }
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/*
+ * encode a database cert record
+ */
+static SECStatus
+EncodeDBCertEntry(certDBEntryCert *entry, PRArenaPool *arena, SECItem *dbitem)
+{
+    unsigned int nnlen;
+    unsigned char *buf;
+    char *nn;
+    char zbuf = 0;
+    
+    if ( entry->nickname ) {
+	nn = entry->nickname;
+    } else {
+	nn = &zbuf;
+    }
+    nnlen = PORT_Strlen(nn) + 1;
+    
+    /* allocate space for encoded database record, including space
+     * for low level header
+     */
+    dbitem->len = entry->derCert.len + nnlen + DB_CERT_ENTRY_HEADER_LEN +
+	SEC_DB_ENTRY_HEADER_LEN;
+    
+    dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
+    if ( dbitem->data == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    
+    /* fill in database record */
+    buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
+    
+    buf[0] = ( entry->trust.sslFlags >> 8 ) & 0xff;
+    buf[1] = entry->trust.sslFlags & 0xff;
+    buf[2] = ( entry->trust.emailFlags >> 8 ) & 0xff;
+    buf[3] = entry->trust.emailFlags & 0xff;
+    buf[4] = ( entry->trust.objectSigningFlags >> 8 ) & 0xff;
+    buf[5] = entry->trust.objectSigningFlags & 0xff;
+    buf[6] = ( entry->derCert.len >> 8 ) & 0xff;
+    buf[7] = entry->derCert.len & 0xff;
+    buf[8] = ( nnlen >> 8 ) & 0xff;
+    buf[9] = nnlen & 0xff;
+    
+    PORT_Memcpy(&buf[DB_CERT_ENTRY_HEADER_LEN], entry->derCert.data,
+	      entry->derCert.len);
+
+    PORT_Memcpy(&buf[DB_CERT_ENTRY_HEADER_LEN + entry->derCert.len],
+	      nn, nnlen);
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/*
+ * encode a database key for a cert record
+ */
+static SECStatus
+EncodeDBCertKey(SECItem *certKey, PRArenaPool *arena, SECItem *dbkey)
+{
+    dbkey->len = certKey->len + SEC_DB_KEY_HEADER_LEN;
+    dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
+    if ( dbkey->data == NULL ) {
+	goto loser;
+    }
+    PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN],
+	      certKey->data, certKey->len);
+    dbkey->data[0] = certDBEntryTypeCert;
+
+    return(SECSuccess);
+loser:
+    return(SECFailure);
+}
+
+static SECStatus
+EncodeDBGenericKey(SECItem *certKey, PRArenaPool *arena, SECItem *dbkey, 
+				certDBEntryType entryType)
+{
+    /*
+     * we only allow _one_ KRL key!
+     */
+    if (entryType == certDBEntryTypeKeyRevocation) {
+	dbkey->len = SEC_DB_KEY_HEADER_LEN;
+ 	dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
+	if ( dbkey->data == NULL ) {
+	    goto loser;
+	}
+        dbkey->data[0] = (unsigned char) entryType;
+        return(SECSuccess);
+    }
+    
+
+    dbkey->len = certKey->len + SEC_DB_KEY_HEADER_LEN;
+    dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
+    if ( dbkey->data == NULL ) {
+	goto loser;
+    }
+    PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN],
+	      certKey->data, certKey->len);
+    dbkey->data[0] = (unsigned char) entryType;
+
+    return(SECSuccess);
+loser:
+    return(SECFailure);
+}
+
+static SECStatus
+DecodeDBCertEntry(certDBEntryCert *entry, SECItem *dbentry)
+{
+    unsigned int nnlen;
+    int headerlen;
+    int lenoff;
+
+    /* allow updates of old versions of the database */
+    switch ( entry->common.version ) {
+      case 5:
+	headerlen = DB_CERT_V5_ENTRY_HEADER_LEN;
+	lenoff = 3;
+	break;
+      case 6:
+	/* should not get here */
+	PORT_Assert(0);
+	headerlen = DB_CERT_V6_ENTRY_HEADER_LEN;
+	lenoff = 3;
+	break;
+      case 7:
+	headerlen = DB_CERT_ENTRY_HEADER_LEN;
+	lenoff = 6;
+	break;
+      default:
+	/* better not get here */
+	PORT_Assert(0);
+	headerlen = DB_CERT_V5_ENTRY_HEADER_LEN;
+	lenoff = 3;
+	break;
+    }
+    
+    /* is record long enough for header? */
+    if ( dbentry->len < headerlen ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    
+    /* is database entry correct length? */
+    entry->derCert.len = ( ( dbentry->data[lenoff] << 8 ) |
+			  dbentry->data[lenoff+1] );
+    nnlen = ( ( dbentry->data[lenoff+2] << 8 ) | dbentry->data[lenoff+3] );
+    if ( ( entry->derCert.len + nnlen + headerlen )
+	!= dbentry->len) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    
+    /* copy the dercert */
+    entry->derCert.data = (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
+							   entry->derCert.len);
+    if ( entry->derCert.data == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    PORT_Memcpy(entry->derCert.data, &dbentry->data[headerlen],
+	      entry->derCert.len);
+
+    /* copy the nickname */
+    if ( nnlen > 1 ) {
+	entry->nickname = (char *)PORT_ArenaAlloc(entry->common.arena, nnlen);
+	if ( entry->nickname == NULL ) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+	PORT_Memcpy(entry->nickname,
+		    &dbentry->data[headerlen +
+				   entry->derCert.len],
+		    nnlen);
+    } else {
+	entry->nickname = NULL;
+    }
+    
+    if ( entry->common.version < 7 ) {
+	/* allow updates of v5 db */
+	entry->trust.sslFlags = dbentry->data[0];
+	entry->trust.emailFlags = dbentry->data[1];
+	entry->trust.objectSigningFlags = dbentry->data[2];
+    } else {
+	entry->trust.sslFlags = ( dbentry->data[0] << 8 ) | dbentry->data[1];
+	entry->trust.emailFlags = ( dbentry->data[2] << 8 ) | dbentry->data[3];
+	entry->trust.objectSigningFlags =
+	    ( dbentry->data[4] << 8 ) | dbentry->data[5];
+    }
+    
+    return(SECSuccess);
+loser:
+    return(SECFailure);
+}
+
+
+/*
+ * Create a new certDBEntryCert from existing data
+ */
+static certDBEntryCert *
+NewDBCertEntry(SECItem *derCert, char *nickname,
+	       NSSLOWCERTCertTrust *trust, int flags)
+{
+    certDBEntryCert *entry;
+    PRArenaPool *arena = NULL;
+    int nnlen;
+    
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE );
+
+    if ( !arena ) {
+	goto loser;
+    }
+	
+    entry = (certDBEntryCert *)PORT_ArenaZAlloc(arena, sizeof(certDBEntryCert));
+
+    if ( entry == NULL ) {
+	goto loser;
+    }
+    
+    /* fill in the dbCert */
+    entry->common.arena = arena;
+    entry->common.type = certDBEntryTypeCert;
+    entry->common.version = CERT_DB_FILE_VERSION;
+    entry->common.flags = flags;
+    
+    if ( trust ) {
+	entry->trust = *trust;
+    }
+
+    entry->derCert.data = (unsigned char *)PORT_ArenaAlloc(arena, derCert->len);
+    if ( !entry->derCert.data ) {
+	goto loser;
+    }
+    entry->derCert.len = derCert->len;
+    PORT_Memcpy(entry->derCert.data, derCert->data, derCert->len);
+    
+    nnlen = ( nickname ? strlen(nickname) + 1 : 0 );
+    
+    if ( nnlen ) {
+	entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen);
+	if ( !entry->nickname ) {
+	    goto loser;
+	}
+	PORT_Memcpy(entry->nickname, nickname, nnlen);
+	
+    } else {
+	entry->nickname = 0;
+    }
+
+    return(entry);
+
+loser:
+    
+    /* allocation error, free arena and return */
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    PORT_SetError(SEC_ERROR_NO_MEMORY);
+    return(0);
+}
+
+/*
+ * Decode a version 4 DBCert from the byte stream database format
+ * and construct a current database entry struct
+ */
+static certDBEntryCert *
+DecodeV4DBCertEntry(unsigned char *buf, int len)
+{
+    certDBEntryCert *entry;
+    int certlen;
+    int nnlen;
+    PRArenaPool *arena;
+    
+    /* make sure length is at least long enough for the header */
+    if ( len < DBCERT_V4_HEADER_LEN ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	return(0);
+    }
+
+    /* get other lengths */
+    certlen = buf[3] << 8 | buf[4];
+    nnlen = buf[5] << 8 | buf[6];
+    
+    /* make sure DB entry is the right size */
+    if ( ( certlen + nnlen + DBCERT_V4_HEADER_LEN ) != len ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	return(0);
+    }
+
+    /* allocate arena */
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE );
+
+    if ( !arena ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return(0);
+    }
+	
+    /* allocate structure and members */
+    entry = (certDBEntryCert *)  PORT_ArenaAlloc(arena, sizeof(certDBEntryCert));
+
+    if ( !entry ) {
+	goto loser;
+    }
+
+    entry->derCert.data = (unsigned char *)PORT_ArenaAlloc(arena, certlen);
+    if ( !entry->derCert.data ) {
+	goto loser;
+    }
+    entry->derCert.len = certlen;
+    
+    if ( nnlen ) {
+	entry->nickname = (char *) PORT_ArenaAlloc(arena, nnlen);
+	if ( !entry->nickname ) {
+	    goto loser;
+	}
+    } else {
+	entry->nickname = 0;
+    }
+
+    entry->common.arena = arena;
+    entry->common.version = CERT_DB_FILE_VERSION;
+    entry->common.type = certDBEntryTypeCert;
+    entry->common.flags = 0;
+    entry->trust.sslFlags = buf[0];
+    entry->trust.emailFlags = buf[1];
+    entry->trust.objectSigningFlags = buf[2];
+
+    PORT_Memcpy(entry->derCert.data, &buf[DBCERT_V4_HEADER_LEN], certlen);
+    PORT_Memcpy(entry->nickname, &buf[DBCERT_V4_HEADER_LEN + certlen], nnlen);
+
+    if (PORT_Strcmp(entry->nickname,"Server-Cert") == 0) {
+	entry->trust.sslFlags |= CERTDB_USER;
+    }
+
+    return(entry);
+    
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    PORT_SetError(SEC_ERROR_NO_MEMORY);
+    return(0);
+}
+
+/*
+ * Encode a Certificate database entry into byte stream suitable for
+ * the database
+ */
+static SECStatus
+WriteDBCertEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryCert *entry)
+{
+    SECItem dbitem, dbkey;
+    PRArenaPool *tmparena = NULL;
+    SECItem tmpitem;
+    SECStatus rv;
+    
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	goto loser;
+    }
+    
+    rv = EncodeDBCertEntry(entry, tmparena, &dbitem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* get the database key and format it */
+    rv = nsslowcert_KeyFromDERCert(tmparena, &entry->derCert, &tmpitem);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    rv = EncodeDBCertKey(&tmpitem, tmparena, &dbkey);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+    
+    /* now write it to the database */
+    rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    return(SECFailure);
+}
+
+
+/*
+ * delete a certificate entry
+ */
+static SECStatus
+DeleteDBCertEntry(NSSLOWCERTCertDBHandle *handle, SECItem *certKey)
+{
+    SECItem dbkey;
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	goto loser;
+    }
+
+    rv = EncodeDBCertKey(certKey, arena, &dbkey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    rv = DeleteDBEntry(handle, certDBEntryTypeCert, &dbkey);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    PORT_FreeArena(arena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(SECFailure);
+}
+
+/*
+ * Read a certificate entry
+ */
+static certDBEntryCert *
+ReadDBCertEntry(NSSLOWCERTCertDBHandle *handle, SECItem *certKey)
+{
+    PRArenaPool *arena = NULL;
+    PRArenaPool *tmparena = NULL;
+    certDBEntryCert *entry;
+    SECItem dbkey;
+    SECItem dbentry;
+    SECStatus rv;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    
+    entry = (certDBEntryCert *)PORT_ArenaAlloc(arena, sizeof(certDBEntryCert));
+    if ( entry == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    entry->common.arena = arena;
+    entry->common.type = certDBEntryTypeCert;
+
+    rv = EncodeDBCertKey(certKey, tmparena, &dbkey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    rv = DecodeDBCertEntry(entry, &dbentry);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(entry);
+    
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+/*
+ * encode a database cert record
+ */
+static SECStatus
+EncodeDBCrlEntry(certDBEntryRevocation *entry, PRArenaPool *arena, SECItem *dbitem)
+{
+    unsigned int nnlen = 0;
+    unsigned char *buf;
+  
+    if (entry->url) {  
+	nnlen = PORT_Strlen(entry->url) + 1;
+    }
+    
+    /* allocate space for encoded database record, including space
+     * for low level header
+     */
+    dbitem->len = entry->derCrl.len + nnlen 
+		+ SEC_DB_ENTRY_HEADER_LEN + DB_CRL_ENTRY_HEADER_LEN;
+    
+    dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
+    if ( dbitem->data == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    
+    /* fill in database record */
+    buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
+    
+    buf[0] = ( entry->derCrl.len >> 8 ) & 0xff;
+    buf[1] = entry->derCrl.len & 0xff;
+    buf[2] = ( nnlen >> 8 ) & 0xff;
+    buf[3] = nnlen & 0xff;
+    
+    PORT_Memcpy(&buf[DB_CRL_ENTRY_HEADER_LEN], entry->derCrl.data,
+	      entry->derCrl.len);
+
+    if (nnlen != 0) {
+	PORT_Memcpy(&buf[DB_CRL_ENTRY_HEADER_LEN + entry->derCrl.len],
+	      entry->url, nnlen);
+    }
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+static SECStatus
+DecodeDBCrlEntry(certDBEntryRevocation *entry, SECItem *dbentry)
+{
+    unsigned int nnlen;
+    
+    /* is record long enough for header? */
+    if ( dbentry->len < DB_CRL_ENTRY_HEADER_LEN ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    
+    /* is database entry correct length? */
+    entry->derCrl.len = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] );
+    nnlen = ( ( dbentry->data[2] << 8 ) | dbentry->data[3] );
+    if ( ( entry->derCrl.len + nnlen + DB_CRL_ENTRY_HEADER_LEN )
+	!= dbentry->len) {
+      /* CRL entry is greater than 64 K. Hack to make this continue to work */
+      if (dbentry->len >= (0xffff - DB_CRL_ENTRY_HEADER_LEN) - nnlen) {
+          entry->derCrl.len = 
+                      (dbentry->len - DB_CRL_ENTRY_HEADER_LEN) - nnlen;
+      } else {
+          PORT_SetError(SEC_ERROR_BAD_DATABASE);
+          goto loser;
+      }    
+    }
+    
+    /* copy the dercert */
+    entry->derCrl.data = (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
+							 entry->derCrl.len);
+    if ( entry->derCrl.data == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    PORT_Memcpy(entry->derCrl.data, &dbentry->data[DB_CRL_ENTRY_HEADER_LEN],
+	      entry->derCrl.len);
+
+    /* copy the url */
+    entry->url = NULL;
+    if (nnlen != 0) {
+	entry->url = (char *)PORT_ArenaAlloc(entry->common.arena, nnlen);
+	if ( entry->url == NULL ) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+	PORT_Memcpy(entry->url,
+	      &dbentry->data[DB_CRL_ENTRY_HEADER_LEN + entry->derCrl.len],
+	      nnlen);
+    }
+    
+    return(SECSuccess);
+loser:
+    return(SECFailure);
+}
+
+/*
+ * Create a new certDBEntryRevocation from existing data
+ */
+static certDBEntryRevocation *
+NewDBCrlEntry(SECItem *derCrl, char * url, certDBEntryType crlType, int flags)
+{
+    certDBEntryRevocation *entry;
+    PRArenaPool *arena = NULL;
+    int nnlen;
+    
+    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE );
+
+    if ( !arena ) {
+	goto loser;
+    }
+	
+    entry = (certDBEntryRevocation*)
+			PORT_ArenaZAlloc(arena, sizeof(certDBEntryRevocation));
+
+    if ( entry == NULL ) {
+	goto loser;
+    }
+    
+    /* fill in the dbRevolcation */
+    entry->common.arena = arena;
+    entry->common.type = crlType;
+    entry->common.version = CERT_DB_FILE_VERSION;
+    entry->common.flags = flags;
+    
+
+    entry->derCrl.data = (unsigned char *)PORT_ArenaAlloc(arena, derCrl->len);
+    if ( !entry->derCrl.data ) {
+	goto loser;
+    }
+
+    if (url) {
+	nnlen = PORT_Strlen(url) + 1;
+	entry->url  = (char *)PORT_ArenaAlloc(arena, nnlen);
+	if ( !entry->url ) {
+	    goto loser;
+	}
+	PORT_Memcpy(entry->url, url, nnlen);
+    } else {
+	entry->url = NULL;
+    }
+
+	
+    entry->derCrl.len = derCrl->len;
+    PORT_Memcpy(entry->derCrl.data, derCrl->data, derCrl->len);
+
+    return(entry);
+
+loser:
+    
+    /* allocation error, free arena and return */
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    PORT_SetError(SEC_ERROR_NO_MEMORY);
+    return(0);
+}
+
+
+static SECStatus
+WriteDBCrlEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryRevocation *entry,
+				SECItem *crlKey )
+{
+    SECItem dbkey;
+    PRArenaPool *tmparena = NULL;
+    SECItem encodedEntry;
+    SECStatus rv;
+    
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	goto loser;
+    }
+
+    rv = EncodeDBCrlEntry(entry, tmparena, &encodedEntry);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    rv = EncodeDBGenericKey(crlKey, tmparena, &dbkey, entry->common.type);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+    
+    /* now write it to the database */
+    rv = WriteDBEntry(handle, &entry->common, &dbkey, &encodedEntry);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    return(SECFailure);
+}
+/*
+ * delete a crl entry
+ */
+static SECStatus
+DeleteDBCrlEntry(NSSLOWCERTCertDBHandle *handle, SECItem *crlKey, 
+						certDBEntryType crlType)
+{
+    SECItem dbkey;
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	goto loser;
+    }
+
+    rv = EncodeDBGenericKey(crlKey, arena, &dbkey, crlType);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    rv = DeleteDBEntry(handle, crlType, &dbkey);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    PORT_FreeArena(arena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(SECFailure);
+}
+
+/*
+ * Read a certificate entry
+ */
+static certDBEntryRevocation *
+ReadDBCrlEntry(NSSLOWCERTCertDBHandle *handle, SECItem *certKey,
+						certDBEntryType crlType)
+{
+    PRArenaPool *arena = NULL;
+    PRArenaPool *tmparena = NULL;
+    certDBEntryRevocation *entry;
+    SECItem dbkey;
+    SECItem dbentry;
+    SECStatus rv;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    
+    entry = (certDBEntryRevocation *)
+			PORT_ArenaAlloc(arena, sizeof(certDBEntryRevocation));
+    if ( entry == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    entry->common.arena = arena;
+    entry->common.type = crlType;
+
+    rv = EncodeDBGenericKey(certKey, tmparena, &dbkey, crlType);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    rv = DecodeDBCrlEntry(entry, &dbentry);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(entry);
+    
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+/*
+ * destroy a database entry
+ */
+static void
+DestroyDBEntry(certDBEntry *entry)
+{
+    PRArenaPool *arena = entry->common.arena;
+
+    /* Zero out the entry struct, so that any further attempts to use it
+     * will cause an exception (e.g. null pointer reference). */
+    PORT_Memset(&entry->common, 0, sizeof entry->common);
+    PORT_FreeArena(arena, PR_FALSE);
+
+    return;
+}
+
+void
+nsslowcert_DestroyDBEntry(certDBEntry *entry)
+{
+    DestroyDBEntry(entry);
+    return;
+}
+
+/*
+ * Encode a database nickname record
+ */
+static SECStatus
+EncodeDBNicknameEntry(certDBEntryNickname *entry, PRArenaPool *arena,
+		      SECItem *dbitem)
+{
+    unsigned char *buf;
+    
+    /* allocate space for encoded database record, including space
+     * for low level header
+     */
+    dbitem->len = entry->subjectName.len + DB_NICKNAME_ENTRY_HEADER_LEN +
+	SEC_DB_ENTRY_HEADER_LEN;
+    
+    dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
+    if ( dbitem->data == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    
+    /* fill in database record */
+    buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
+    
+    buf[0] = ( entry->subjectName.len >> 8 ) & 0xff;
+    buf[1] = entry->subjectName.len & 0xff;
+    
+    PORT_Memcpy(&buf[DB_NICKNAME_ENTRY_HEADER_LEN], entry->subjectName.data,
+	      entry->subjectName.len);
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/*
+ * Encode a database key for a nickname record
+ */
+static SECStatus
+EncodeDBNicknameKey(char *nickname, PRArenaPool *arena,
+		    SECItem *dbkey)
+{
+    unsigned int nnlen;
+    
+    nnlen = PORT_Strlen(nickname) + 1; /* includes null */
+
+    /* now get the database key and format it */
+    dbkey->len = nnlen + SEC_DB_KEY_HEADER_LEN;
+    dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
+    if ( dbkey->data == NULL ) {
+	goto loser;
+    }
+    PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], nickname, nnlen);
+    dbkey->data[0] = certDBEntryTypeNickname;
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+static SECStatus
+DecodeDBNicknameEntry(certDBEntryNickname *entry, SECItem *dbentry,
+                      char *nickname)
+{
+    /* is record long enough for header? */
+    if ( dbentry->len < DB_NICKNAME_ENTRY_HEADER_LEN ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    
+    /* is database entry correct length? */
+    entry->subjectName.len = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] );
+    if (( entry->subjectName.len + DB_NICKNAME_ENTRY_HEADER_LEN ) !=
+	dbentry->len ){
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    
+    /* copy the certkey */
+    entry->subjectName.data =
+	(unsigned char *)PORT_ArenaAlloc(entry->common.arena,
+					 entry->subjectName.len);
+    if ( entry->subjectName.data == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    PORT_Memcpy(entry->subjectName.data,
+	      &dbentry->data[DB_NICKNAME_ENTRY_HEADER_LEN],
+	      entry->subjectName.len);
+    
+    entry->nickname = (char *)PORT_ArenaAlloc(entry->common.arena, 
+                                              PORT_Strlen(nickname)+1);
+    if ( entry->nickname ) {
+	PORT_Strcpy(entry->nickname, nickname);
+    }
+    
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/*
+ * create a new nickname entry
+ */
+static certDBEntryNickname *
+NewDBNicknameEntry(char *nickname, SECItem *subjectName, unsigned int flags)
+{
+    PRArenaPool *arena = NULL;
+    certDBEntryNickname *entry;
+    int nnlen;
+    SECStatus rv;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    entry = (certDBEntryNickname *)PORT_ArenaAlloc(arena,
+						 sizeof(certDBEntryNickname));
+    if ( entry == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* init common fields */
+    entry->common.arena = arena;
+    entry->common.type = certDBEntryTypeNickname;
+    entry->common.version = CERT_DB_FILE_VERSION;
+    entry->common.flags = flags;
+
+    /* copy the nickname */
+    nnlen = PORT_Strlen(nickname) + 1;
+    
+    entry->nickname = (char*)PORT_ArenaAlloc(arena, nnlen);
+    if ( entry->nickname == NULL ) {
+	goto loser;
+    }
+    
+    PORT_Memcpy(entry->nickname, nickname, nnlen);
+    
+    rv = SECITEM_CopyItem(arena, &entry->subjectName, subjectName);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    return(entry);
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+/*
+ * delete a nickname entry
+ */
+static SECStatus
+DeleteDBNicknameEntry(NSSLOWCERTCertDBHandle *handle, char *nickname)
+{
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    SECItem dbkey;
+    
+    if ( nickname == NULL ) {
+	return(SECSuccess);
+    }
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	goto loser;
+    }
+
+    rv = EncodeDBNicknameKey(nickname, arena, &dbkey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    rv = DeleteDBEntry(handle, certDBEntryTypeNickname, &dbkey);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    PORT_FreeArena(arena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(SECFailure);
+}
+
+/*
+ * Read a nickname entry
+ */
+static certDBEntryNickname *
+ReadDBNicknameEntry(NSSLOWCERTCertDBHandle *handle, char *nickname)
+{
+    PRArenaPool *arena = NULL;
+    PRArenaPool *tmparena = NULL;
+    certDBEntryNickname *entry;
+    SECItem dbkey;
+    SECItem dbentry;
+    SECStatus rv;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    
+    entry = (certDBEntryNickname *)PORT_ArenaAlloc(arena,
+						 sizeof(certDBEntryNickname));
+    if ( entry == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    entry->common.arena = arena;
+    entry->common.type = certDBEntryTypeNickname;
+
+    rv = EncodeDBNicknameKey(nickname, tmparena, &dbkey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    /* is record long enough for header? */
+    if ( dbentry.len < DB_NICKNAME_ENTRY_HEADER_LEN ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+
+    rv = DecodeDBNicknameEntry(entry, &dbentry, nickname);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(entry);
+    
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+/*
+ * Encode a nickname entry into byte stream suitable for
+ * the database
+ */
+static SECStatus
+WriteDBNicknameEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryNickname *entry)
+{
+    SECItem dbitem, dbkey;
+    PRArenaPool *tmparena = NULL;
+    SECStatus rv;
+    
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	goto loser;
+    }
+    
+    rv = EncodeDBNicknameEntry(entry, tmparena, &dbitem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    rv = EncodeDBNicknameKey(entry->nickname, tmparena, &dbkey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* now write it to the database */
+    rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    return(SECFailure);
+    
+}
+
+SECStatus
+EncodeDBSMimeEntry(certDBEntrySMime *entry, PRArenaPool *arena,
+		   SECItem *dbitem)
+{
+    unsigned char *buf;
+    
+    /* allocate space for encoded database record, including space
+     * for low level header
+     */
+    dbitem->len = entry->subjectName.len + entry->smimeOptions.len +
+	entry->optionsDate.len +
+	DB_SMIME_ENTRY_HEADER_LEN + SEC_DB_ENTRY_HEADER_LEN;
+    
+    dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
+    if ( dbitem->data == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    
+    /* fill in database record */
+    buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
+    
+    buf[0] = ( entry->subjectName.len >> 8 ) & 0xff;
+    buf[1] = entry->subjectName.len & 0xff;
+    buf[2] = ( entry->smimeOptions.len >> 8 ) & 0xff;
+    buf[3] = entry->smimeOptions.len & 0xff;
+    buf[4] = ( entry->optionsDate.len >> 8 ) & 0xff;
+    buf[5] = entry->optionsDate.len & 0xff;
+
+    /* if no smime options, then there should not be an options date either */
+    PORT_Assert( ! ( ( entry->smimeOptions.len == 0 ) &&
+		    ( entry->optionsDate.len != 0 ) ) );
+    
+    PORT_Memcpy(&buf[DB_SMIME_ENTRY_HEADER_LEN], entry->subjectName.data,
+	      entry->subjectName.len);
+    if ( entry->smimeOptions.len ) {
+	PORT_Memcpy(&buf[DB_SMIME_ENTRY_HEADER_LEN+entry->subjectName.len],
+		    entry->smimeOptions.data,
+		    entry->smimeOptions.len);
+	PORT_Memcpy(&buf[DB_SMIME_ENTRY_HEADER_LEN + entry->subjectName.len +
+			 entry->smimeOptions.len],
+		    entry->optionsDate.data,
+		    entry->optionsDate.len);
+    }
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/*
+ * Encode a database key for a SMIME record
+ */
+static SECStatus
+EncodeDBSMimeKey(char *emailAddr, PRArenaPool *arena,
+		 SECItem *dbkey)
+{
+    unsigned int addrlen;
+    
+    addrlen = PORT_Strlen(emailAddr) + 1; /* includes null */
+
+    /* now get the database key and format it */
+    dbkey->len = addrlen + SEC_DB_KEY_HEADER_LEN;
+    dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
+    if ( dbkey->data == NULL ) {
+	goto loser;
+    }
+    PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], emailAddr, addrlen);
+    dbkey->data[0] = certDBEntryTypeSMimeProfile;
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/*
+ * Decode a database SMIME record
+ */
+static SECStatus
+DecodeDBSMimeEntry(certDBEntrySMime *entry, SECItem *dbentry, char *emailAddr)
+{
+    /* is record long enough for header? */
+    if ( dbentry->len < DB_SMIME_ENTRY_HEADER_LEN ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    
+    /* is database entry correct length? */
+    entry->subjectName.len = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] );
+    entry->smimeOptions.len = ( ( dbentry->data[2] << 8 ) | dbentry->data[3] );
+    entry->optionsDate.len = ( ( dbentry->data[4] << 8 ) | dbentry->data[5] );
+    if (( entry->subjectName.len + entry->smimeOptions.len +
+	 entry->optionsDate.len + DB_SMIME_ENTRY_HEADER_LEN ) != dbentry->len){
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    
+    /* copy the subject name */
+    entry->subjectName.data =
+	(unsigned char *)PORT_ArenaAlloc(entry->common.arena,
+					 entry->subjectName.len);
+    if ( entry->subjectName.data == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    PORT_Memcpy(entry->subjectName.data,
+	      &dbentry->data[DB_SMIME_ENTRY_HEADER_LEN],
+	      entry->subjectName.len);
+
+    /* copy the smime options */
+    if ( entry->smimeOptions.len ) {
+	entry->smimeOptions.data =
+	    (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
+					     entry->smimeOptions.len);
+	if ( entry->smimeOptions.data == NULL ) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+	PORT_Memcpy(entry->smimeOptions.data,
+		    &dbentry->data[DB_SMIME_ENTRY_HEADER_LEN +
+				   entry->subjectName.len],
+		    entry->smimeOptions.len);
+    }
+    if ( entry->optionsDate.len ) {
+	entry->optionsDate.data =
+	    (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
+					     entry->optionsDate.len);
+	if ( entry->optionsDate.data == NULL ) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+	PORT_Memcpy(entry->optionsDate.data,
+		    &dbentry->data[DB_SMIME_ENTRY_HEADER_LEN +
+				   entry->subjectName.len +
+				   entry->smimeOptions.len],
+		    entry->optionsDate.len);
+    }
+
+    /* both options and options date must either exist or not exist */
+    if ( ( ( entry->optionsDate.len == 0 ) ||
+	  ( entry->smimeOptions.len == 0 ) ) &&
+	entry->smimeOptions.len != entry->optionsDate.len ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+
+    entry->emailAddr = (char *)PORT_ArenaAlloc(entry->common.arena,
+						PORT_Strlen(emailAddr)+1);
+    if ( entry->emailAddr ) {
+	PORT_Strcpy(entry->emailAddr, emailAddr);
+    }
+    
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/*
+ * create a new SMIME entry
+ */
+static certDBEntrySMime *
+NewDBSMimeEntry(char *emailAddr, SECItem *subjectName, SECItem *smimeOptions,
+		SECItem *optionsDate, unsigned int flags)
+{
+    PRArenaPool *arena = NULL;
+    certDBEntrySMime *entry;
+    int addrlen;
+    SECStatus rv;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    entry = (certDBEntrySMime *)PORT_ArenaAlloc(arena,
+						sizeof(certDBEntrySMime));
+    if ( entry == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* init common fields */
+    entry->common.arena = arena;
+    entry->common.type = certDBEntryTypeSMimeProfile;
+    entry->common.version = CERT_DB_FILE_VERSION;
+    entry->common.flags = flags;
+
+    /* copy the email addr */
+    addrlen = PORT_Strlen(emailAddr) + 1;
+    
+    entry->emailAddr = (char*)PORT_ArenaAlloc(arena, addrlen);
+    if ( entry->emailAddr == NULL ) {
+	goto loser;
+    }
+    
+    PORT_Memcpy(entry->emailAddr, emailAddr, addrlen);
+    
+    /* copy the subject name */
+    rv = SECITEM_CopyItem(arena, &entry->subjectName, subjectName);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* copy the smime options */
+    if ( smimeOptions ) {
+	rv = SECITEM_CopyItem(arena, &entry->smimeOptions, smimeOptions);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+    } else {
+	PORT_Assert(optionsDate == NULL);
+	entry->smimeOptions.data = NULL;
+	entry->smimeOptions.len = 0;
+    }
+
+    /* copy the options date */
+    if ( optionsDate ) {
+	rv = SECITEM_CopyItem(arena, &entry->optionsDate, optionsDate);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+    } else {
+	PORT_Assert(smimeOptions == NULL);
+	entry->optionsDate.data = NULL;
+	entry->optionsDate.len = 0;
+    }
+    
+    return(entry);
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+/*
+ * delete a SMIME entry
+ */
+static SECStatus
+DeleteDBSMimeEntry(NSSLOWCERTCertDBHandle *handle, char *emailAddr)
+{
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    SECItem dbkey;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	goto loser;
+    }
+
+    rv = EncodeDBSMimeKey(emailAddr, arena, &dbkey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    rv = DeleteDBEntry(handle, certDBEntryTypeSMimeProfile, &dbkey);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    PORT_FreeArena(arena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(SECFailure);
+}
+
+/*
+ * Read a SMIME entry
+ */
+certDBEntrySMime *
+nsslowcert_ReadDBSMimeEntry(NSSLOWCERTCertDBHandle *handle, char *emailAddr)
+{
+    PRArenaPool *arena = NULL;
+    PRArenaPool *tmparena = NULL;
+    certDBEntrySMime *entry;
+    SECItem dbkey;
+    SECItem dbentry;
+    SECStatus rv;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    
+    entry = (certDBEntrySMime *)PORT_ArenaAlloc(arena,
+						sizeof(certDBEntrySMime));
+    if ( entry == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    entry->common.arena = arena;
+    entry->common.type = certDBEntryTypeSMimeProfile;
+
+    rv = EncodeDBSMimeKey(emailAddr, tmparena, &dbkey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    /* is record long enough for header? */
+    if ( dbentry.len < DB_SMIME_ENTRY_HEADER_LEN ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+
+    rv = DecodeDBSMimeEntry(entry, &dbentry, emailAddr);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(entry);
+    
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+/*
+ * Encode a SMIME entry into byte stream suitable for
+ * the database
+ */
+static SECStatus
+WriteDBSMimeEntry(NSSLOWCERTCertDBHandle *handle, certDBEntrySMime *entry)
+{
+    SECItem dbitem, dbkey;
+    PRArenaPool *tmparena = NULL;
+    SECStatus rv;
+    
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	goto loser;
+    }
+    
+    rv = EncodeDBSMimeEntry(entry, tmparena, &dbitem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    rv = EncodeDBSMimeKey(entry->emailAddr, tmparena, &dbkey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* now write it to the database */
+    rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    return(SECFailure);
+    
+}
+
+/*
+ * Encode a database subject record
+ */
+static SECStatus
+EncodeDBSubjectEntry(certDBEntrySubject *entry, PRArenaPool *arena,
+		     SECItem *dbitem)
+{
+    unsigned char *buf;
+    int len;
+    unsigned int ncerts;
+    unsigned int i;
+    unsigned char *tmpbuf;
+    unsigned int nnlen = 0;
+    unsigned int eaddrlen = 0;
+    int keyidoff;
+    SECItem *certKeys;
+    SECItem *keyIDs;
+    
+    if ( entry->nickname ) {
+	nnlen = PORT_Strlen(entry->nickname) + 1;
+    }
+    if ( entry->emailAddr ) {
+	eaddrlen = PORT_Strlen(entry->emailAddr) + 1;
+    }
+    
+    ncerts = entry->ncerts;
+    
+    /* compute the length of the entry */
+    keyidoff = DB_SUBJECT_ENTRY_HEADER_LEN + nnlen + eaddrlen;
+    len = keyidoff + 4 * ncerts;
+    for ( i = 0; i < ncerts; i++ ) {
+	len += entry->certKeys[i].len;
+	len += entry->keyIDs[i].len;
+    }
+    
+    /* allocate space for encoded database record, including space
+     * for low level header
+     */
+    dbitem->len = len + SEC_DB_ENTRY_HEADER_LEN;
+    
+    dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
+    if ( dbitem->data == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    
+    /* fill in database record */
+    buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
+    
+    buf[0] = ( ncerts >> 8 ) & 0xff;
+    buf[1] = ncerts & 0xff;
+    buf[2] = ( nnlen >> 8 ) & 0xff;
+    buf[3] = nnlen & 0xff;
+    buf[4] = ( eaddrlen >> 8 ) & 0xff;
+    buf[5] = eaddrlen & 0xff;
+
+    PORT_Memcpy(&buf[DB_SUBJECT_ENTRY_HEADER_LEN], entry->nickname, nnlen);
+    PORT_Memcpy(&buf[DB_SUBJECT_ENTRY_HEADER_LEN+nnlen], entry->emailAddr,
+		eaddrlen);
+    
+    for ( i = 0; i < ncerts; i++ ) {
+
+	certKeys = entry->certKeys;
+	keyIDs = entry->keyIDs;
+
+	buf[keyidoff+i*2] = ( certKeys[i].len >> 8 ) & 0xff;
+	buf[keyidoff+1+i*2] = certKeys[i].len & 0xff;
+	buf[keyidoff+ncerts*2+i*2] = ( keyIDs[i].len >> 8 ) & 0xff;
+	buf[keyidoff+1+ncerts*2+i*2] = keyIDs[i].len & 0xff;
+    }
+    
+    /* temp pointer used to stuff certkeys and keyids into the buffer */
+    tmpbuf = &buf[keyidoff+ncerts*4];
+
+    for ( i = 0; i < ncerts; i++ ) {
+	certKeys = entry->certKeys;
+	PORT_Memcpy(tmpbuf, certKeys[i].data, certKeys[i].len);
+	tmpbuf = tmpbuf + certKeys[i].len;
+    }
+    
+    for ( i = 0; i < ncerts; i++ ) {
+	keyIDs = entry->keyIDs;
+	PORT_Memcpy(tmpbuf, keyIDs[i].data, keyIDs[i].len);
+	tmpbuf = tmpbuf + keyIDs[i].len;
+    }
+
+    PORT_Assert(tmpbuf == &buf[len]);
+    
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/*
+ * Encode a database key for a subject record
+ */
+static SECStatus
+EncodeDBSubjectKey(SECItem *derSubject, PRArenaPool *arena,
+		   SECItem *dbkey)
+{
+    dbkey->len = derSubject->len + SEC_DB_KEY_HEADER_LEN;
+    dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
+    if ( dbkey->data == NULL ) {
+	goto loser;
+    }
+    PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], derSubject->data,
+	      derSubject->len);
+    dbkey->data[0] = certDBEntryTypeSubject;
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+static SECStatus
+DecodeDBSubjectEntry(certDBEntrySubject *entry, SECItem *dbentry,
+		     SECItem *derSubject)
+{
+    unsigned int ncerts;
+    PRArenaPool *arena;
+    unsigned int len, itemlen;
+    unsigned char *tmpbuf;
+    unsigned int i;
+    SECStatus rv;
+    unsigned int keyidoff;
+    unsigned int nnlen, eaddrlen;
+    
+    arena = entry->common.arena;
+
+    rv = SECITEM_CopyItem(arena, &entry->derSubject, derSubject);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* is record long enough for header? */
+    if ( dbentry->len < DB_SUBJECT_ENTRY_HEADER_LEN ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    
+    entry->ncerts = ncerts = ( ( dbentry->data[0] << 8 ) | dbentry->data[1] );
+    nnlen = ( ( dbentry->data[2] << 8 ) | dbentry->data[3] );
+    eaddrlen = ( ( dbentry->data[4] << 8 ) | dbentry->data[5] );
+    if ( dbentry->len < ( ncerts * 4 + DB_SUBJECT_ENTRY_HEADER_LEN +
+			 nnlen + eaddrlen) ) {
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    
+    entry->certKeys = (SECItem *)PORT_ArenaAlloc(arena,
+						 sizeof(SECItem) * ncerts);
+    entry->keyIDs = (SECItem *)PORT_ArenaAlloc(arena,
+					       sizeof(SECItem) * ncerts);
+
+    if ( ( entry->certKeys == NULL ) || ( entry->keyIDs == NULL ) ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    if ( nnlen > 1 ) { /* null terminator is stored */
+	entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen);
+	if ( entry->nickname == NULL ) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+	PORT_Memcpy(entry->nickname,
+		    &dbentry->data[DB_SUBJECT_ENTRY_HEADER_LEN],
+		    nnlen);
+    } else {
+	entry->nickname = NULL;
+    }
+    
+    if ( eaddrlen > 1 ) { /* null terminator is stored */
+	entry->emailAddr = (char *)PORT_ArenaAlloc(arena, eaddrlen);
+	if ( entry->emailAddr == NULL ) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+	PORT_Memcpy(entry->emailAddr,
+		    &dbentry->data[DB_SUBJECT_ENTRY_HEADER_LEN+nnlen],
+		    eaddrlen);
+    } else {
+	entry->emailAddr = NULL;
+    }
+    
+    /* collect the lengths of the certKeys and keyIDs, and total the
+     * overall length.
+     */
+    keyidoff = DB_SUBJECT_ENTRY_HEADER_LEN + nnlen + eaddrlen;
+    len = keyidoff + 4 * ncerts;
+
+    tmpbuf = &dbentry->data[0];
+    
+    for ( i = 0; i < ncerts; i++ ) {
+
+	itemlen = ( tmpbuf[keyidoff + 2*i] << 8 ) | tmpbuf[keyidoff + 1 + 2*i] ;
+	len += itemlen;
+	entry->certKeys[i].len = itemlen;
+
+	itemlen = ( tmpbuf[keyidoff + 2*ncerts + 2*i] << 8 ) |
+	    tmpbuf[keyidoff + 1 + 2*ncerts + 2*i] ;
+	len += itemlen;
+	entry->keyIDs[i].len = itemlen;
+    }
+    
+    /* is database entry correct length? */
+    if ( len != dbentry->len ){
+	PORT_SetError(SEC_ERROR_BAD_DATABASE);
+	goto loser;
+    }
+    
+    tmpbuf = &tmpbuf[keyidoff + 4*ncerts];
+    for ( i = 0; i < ncerts; i++ ) {
+	entry->certKeys[i].data =
+	    (unsigned char *)PORT_ArenaAlloc(arena, entry->certKeys[i].len);
+	if ( entry->certKeys[i].data == NULL ) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+	PORT_Memcpy(entry->certKeys[i].data, tmpbuf, entry->certKeys[i].len);
+	tmpbuf = &tmpbuf[entry->certKeys[i].len];
+    }
+
+    for ( i = 0; i < ncerts; i++ ) {
+	entry->keyIDs[i].data =
+	    (unsigned char *)PORT_ArenaAlloc(arena, entry->keyIDs[i].len);
+	if ( entry->keyIDs[i].data == NULL ) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    goto loser;
+	}
+	PORT_Memcpy(entry->keyIDs[i].data, tmpbuf, entry->keyIDs[i].len);
+	tmpbuf = &tmpbuf[entry->keyIDs[i].len];
+    }
+    
+    PORT_Assert(tmpbuf == &dbentry->data[dbentry->len]);
+    
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/*
+ * create a new subject entry with a single cert
+ */
+static certDBEntrySubject *
+NewDBSubjectEntry(SECItem *derSubject, SECItem *certKey,
+		  SECItem *keyID, char *nickname, char *emailAddr,
+		  unsigned int flags)
+{
+    PRArenaPool *arena = NULL;
+    certDBEntrySubject *entry;
+    SECStatus rv;
+    unsigned int nnlen;
+    unsigned int eaddrlen;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    entry = (certDBEntrySubject *)PORT_ArenaAlloc(arena,
+						  sizeof(certDBEntrySubject));
+    if ( entry == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    /* init common fields */
+    entry->common.arena = arena;
+    entry->common.type = certDBEntryTypeSubject;
+    entry->common.version = CERT_DB_FILE_VERSION;
+    entry->common.flags = flags;
+
+    /* copy the subject */
+    rv = SECITEM_CopyItem(arena, &entry->derSubject, derSubject);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    entry->ncerts = 1;
+    /* copy nickname */
+    if ( nickname && ( *nickname != '\0' ) ) {
+	nnlen = PORT_Strlen(nickname) + 1;
+	entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen);
+	if ( entry->nickname == NULL ) {
+	    goto loser;
+	}
+						  
+	PORT_Memcpy(entry->nickname, nickname, nnlen);
+    } else {
+	entry->nickname = NULL;
+    }
+    
+    /* copy email addr */
+    if ( emailAddr && ( *emailAddr != '\0' ) ) {
+	emailAddr = nsslowcert_FixupEmailAddr(emailAddr);
+	if ( emailAddr == NULL ) {
+	    entry->emailAddr = NULL;
+	    goto loser;
+	}
+	
+	eaddrlen = PORT_Strlen(emailAddr) + 1;
+	entry->emailAddr = (char *)PORT_ArenaAlloc(arena, eaddrlen);
+	if ( entry->emailAddr == NULL ) {
+	    PORT_Free(emailAddr);
+	    goto loser;
+	}
+	
+	PORT_Memcpy(entry->emailAddr, emailAddr, eaddrlen);
+	PORT_Free(emailAddr);
+    } else {
+	entry->emailAddr = NULL;
+    }
+    
+    /* allocate space for certKeys and keyIDs */
+    entry->certKeys = (SECItem *)PORT_ArenaAlloc(arena, sizeof(SECItem));
+    entry->keyIDs = (SECItem *)PORT_ArenaAlloc(arena, sizeof(SECItem));
+    if ( ( entry->certKeys == NULL ) || ( entry->keyIDs == NULL ) ) {
+	goto loser;
+    }
+
+    /* copy the certKey and keyID */
+    rv = SECITEM_CopyItem(arena, &entry->certKeys[0], certKey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    rv = SECITEM_CopyItem(arena, &entry->keyIDs[0], keyID);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    return(entry);
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+/*
+ * delete a subject entry
+ */
+static SECStatus
+DeleteDBSubjectEntry(NSSLOWCERTCertDBHandle *handle, SECItem *derSubject)
+{
+    SECItem dbkey;
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	goto loser;
+    }
+    
+    rv = EncodeDBSubjectKey(derSubject, arena, &dbkey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    rv = DeleteDBEntry(handle, certDBEntryTypeSubject, &dbkey);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    PORT_FreeArena(arena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(SECFailure);
+}
+
+/*
+ * Read the subject entry
+ */
+static certDBEntrySubject *
+ReadDBSubjectEntry(NSSLOWCERTCertDBHandle *handle, SECItem *derSubject)
+{
+    PRArenaPool *arena = NULL;
+    PRArenaPool *tmparena = NULL;
+    certDBEntrySubject *entry;
+    SECItem dbkey;
+    SECItem dbentry;
+    SECStatus rv;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    
+    entry = (certDBEntrySubject *)PORT_ArenaAlloc(arena,
+						sizeof(certDBEntrySubject));
+    if ( entry == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    entry->common.arena = arena;
+    entry->common.type = certDBEntryTypeSubject;
+
+    rv = EncodeDBSubjectKey(derSubject, tmparena, &dbkey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+
+    rv = DecodeDBSubjectEntry(entry, &dbentry, derSubject);
+    if ( rv == SECFailure ) {
+	goto loser;
+    }
+    
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(entry);
+    
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+/*
+ * Encode a subject name entry into byte stream suitable for
+ * the database
+ */
+static SECStatus
+WriteDBSubjectEntry(NSSLOWCERTCertDBHandle *handle, certDBEntrySubject *entry)
+{
+    SECItem dbitem, dbkey;
+    PRArenaPool *tmparena = NULL;
+    SECStatus rv;
+    
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	goto loser;
+    }
+    
+    rv = EncodeDBSubjectEntry(entry, tmparena, &dbitem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    rv = EncodeDBSubjectKey(&entry->derSubject, tmparena, &dbkey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* now write it to the database */
+    rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    return(SECFailure);
+    
+}
+
+static SECStatus
+UpdateSubjectWithEmailAddr(NSSLOWCERTCertDBHandle *dbhandle, 
+					SECItem *derSubject, char *emailAddr)
+{
+    PRBool save = PR_FALSE, delold = PR_FALSE;
+    certDBEntrySubject *entry = NULL;
+    SECStatus rv;
+   
+    if (emailAddr) { 
+	emailAddr = nsslowcert_FixupEmailAddr(emailAddr);
+	if (emailAddr == NULL) {
+	    return SECFailure;
+	}
+    }
+
+    entry = ReadDBSubjectEntry(dbhandle,derSubject);    
+    if (entry == NULL) {
+	goto loser;
+    }
+    
+    if ( entry->emailAddr ) {
+	if ( (emailAddr == NULL) || 
+		(PORT_Strcmp(entry->emailAddr, emailAddr) != 0) ) {
+	    save = PR_TRUE;
+	    delold = PR_TRUE;
+	}
+    } else if (emailAddr) {
+	save = PR_TRUE;
+    }
+
+    if ( delold ) {
+	/* delete the old smime entry, because this cert now has a new
+	 * smime entry pointing to it
+	 */
+	PORT_Assert(save);
+	PORT_Assert(entry->emailAddr != NULL);
+	DeleteDBSMimeEntry(dbhandle, entry->emailAddr);
+    }
+
+    if ( save ) {
+	unsigned int len;
+	
+	PORT_Assert(entry != NULL);
+	if (emailAddr) {
+	    len = PORT_Strlen(emailAddr) + 1;
+	    entry->emailAddr = (char *)PORT_ArenaAlloc(entry->common.arena, len);
+	    if ( entry->emailAddr == NULL ) {
+		goto loser;
+	    }
+	    PORT_Memcpy(entry->emailAddr, emailAddr, len);
+	} else {
+	    entry->emailAddr = NULL;
+	}
+	
+	/* delete the subject entry */
+	DeleteDBSubjectEntry(dbhandle, derSubject);
+
+	/* write the new one */
+	rv = WriteDBSubjectEntry(dbhandle, entry);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+    }
+
+    DestroyDBEntry((certDBEntry *)entry);
+    if (emailAddr) PORT_Free(emailAddr);
+    return(SECSuccess);
+
+loser:
+    if (entry) DestroyDBEntry((certDBEntry *)entry);
+    if (emailAddr) PORT_Free(emailAddr);
+    return(SECFailure);
+}
+
+/*
+ * writes a nickname to an existing subject entry that does not currently
+ * have one
+ */
+static SECStatus
+AddNicknameToSubject(NSSLOWCERTCertDBHandle *dbhandle,
+			NSSLOWCERTCertificate *cert, char *nickname)
+{
+    certDBEntrySubject *entry;
+    SECStatus rv;
+    
+    if ( nickname == NULL ) {
+	return(SECFailure);
+    }
+    
+    entry = ReadDBSubjectEntry(dbhandle,&cert->derSubject);
+    PORT_Assert(entry != NULL);
+    if ( entry == NULL ) {
+	goto loser;
+    }
+    
+    PORT_Assert(entry->nickname == NULL);
+    if ( entry->nickname != NULL ) {
+	goto loser;
+    }
+    
+    entry->nickname = (nickname) ? 
+			PORT_ArenaStrdup(entry->common.arena, nickname) : NULL;
+    
+    if ( entry->nickname == NULL ) {
+	goto loser;
+    }
+	
+    /* delete the subject entry */
+    DeleteDBSubjectEntry(dbhandle, &cert->derSubject);
+
+    /* write the new one */
+    rv = WriteDBSubjectEntry(dbhandle, entry);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    return(SECSuccess);
+
+loser:
+    return(SECFailure);
+}
+
+/*
+ * create a new version entry
+ */
+static certDBEntryVersion *
+NewDBVersionEntry(unsigned int flags)
+{
+    PRArenaPool *arena = NULL;
+    certDBEntryVersion *entry;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    entry = (certDBEntryVersion *)PORT_ArenaAlloc(arena,
+					       sizeof(certDBEntryVersion));
+    if ( entry == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    entry->common.arena = arena;
+    entry->common.type = certDBEntryTypeVersion;
+    entry->common.version = CERT_DB_FILE_VERSION;
+    entry->common.flags = flags;
+
+    return(entry);
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+/*
+ * Read the version entry
+ */
+static certDBEntryVersion *
+ReadDBVersionEntry(NSSLOWCERTCertDBHandle *handle)
+{
+    PRArenaPool *arena = NULL;
+    PRArenaPool *tmparena = NULL;
+    certDBEntryVersion *entry;
+    SECItem dbkey;
+    SECItem dbentry;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    
+    entry = (certDBEntryVersion *)PORT_ArenaAlloc(arena,
+						sizeof(certDBEntryVersion));
+    if ( entry == NULL ) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    entry->common.arena = arena;
+    entry->common.type = certDBEntryTypeVersion;
+
+    /* now get the database key and format it */
+    dbkey.len = SEC_DB_VERSION_KEY_LEN + SEC_DB_KEY_HEADER_LEN;
+    dbkey.data = (unsigned char *)PORT_ArenaAlloc(tmparena, dbkey.len);
+    if ( dbkey.data == NULL ) {
+	goto loser;
+    }
+    PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], SEC_DB_VERSION_KEY,
+	      SEC_DB_VERSION_KEY_LEN);
+
+    ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
+
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(entry);
+    
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(NULL);
+}
+
+
+/*
+ * Encode a version entry into byte stream suitable for
+ * the database
+ */
+static SECStatus
+WriteDBVersionEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryVersion *entry)
+{
+    SECItem dbitem, dbkey;
+    PRArenaPool *tmparena = NULL;
+    SECStatus rv;
+    
+    tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( tmparena == NULL ) {
+	goto loser;
+    }
+    
+    /* allocate space for encoded database record, including space
+     * for low level header
+     */
+    dbitem.len = SEC_DB_ENTRY_HEADER_LEN;
+    
+    dbitem.data = (unsigned char *)PORT_ArenaAlloc(tmparena, dbitem.len);
+    if ( dbitem.data == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	goto loser;
+    }
+    
+    /* now get the database key and format it */
+    dbkey.len = SEC_DB_VERSION_KEY_LEN + SEC_DB_KEY_HEADER_LEN;
+    dbkey.data = (unsigned char *)PORT_ArenaAlloc(tmparena, dbkey.len);
+    if ( dbkey.data == NULL ) {
+	goto loser;
+    }
+    PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], SEC_DB_VERSION_KEY,
+	      SEC_DB_VERSION_KEY_LEN);
+
+    /* now write it to the database */
+    rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    PORT_FreeArena(tmparena, PR_FALSE);
+    return(SECSuccess);
+
+loser:
+    if ( tmparena ) {
+	PORT_FreeArena(tmparena, PR_FALSE);
+    }
+    return(SECFailure);
+}
+
+/*
+ * cert is no longer a perm cert, but will remain a temp cert
+ */
+static SECStatus
+RemovePermSubjectNode(NSSLOWCERTCertificate *cert)
+{
+    certDBEntrySubject *entry;
+    unsigned int i;
+    SECStatus rv;
+    
+    entry = ReadDBSubjectEntry(cert->dbhandle,&cert->derSubject);
+    PORT_Assert(entry);
+    if ( entry == NULL ) {
+	return(SECFailure);
+    }
+
+    PORT_Assert(entry->ncerts);
+    rv = SECFailure;
+    
+    if ( entry->ncerts > 1 ) {
+	for ( i = 0; i < entry->ncerts; i++ ) {
+	    if ( SECITEM_CompareItem(&entry->certKeys[i], &cert->certKey) ==
+		SECEqual ) {
+		/* copy rest of list forward one entry */
+		for ( i = i + 1; i < entry->ncerts; i++ ) {
+		    entry->certKeys[i-1] = entry->certKeys[i];
+		    entry->keyIDs[i-1] = entry->keyIDs[i];
+		}
+		entry->ncerts--;
+		DeleteDBSubjectEntry(cert->dbhandle, &cert->derSubject);
+		rv = WriteDBSubjectEntry(cert->dbhandle, entry);
+		break;
+	    }
+	}
+    } else {
+	/* no entries left, delete the perm entry in the DB */
+	if ( entry->emailAddr ) {
+	    /* if the subject had an email record, then delete it too */
+	    DeleteDBSMimeEntry(cert->dbhandle, entry->emailAddr);
+	}
+	
+	DeleteDBSubjectEntry(cert->dbhandle, &cert->derSubject);
+    }
+    DestroyDBEntry((certDBEntry *)entry);
+
+    return(rv);
+}
+
+/*
+ * add a cert to the perm subject list
+ */
+static SECStatus
+AddPermSubjectNode(certDBEntrySubject *entry, NSSLOWCERTCertificate *cert, 
+								char *nickname)
+{
+    SECItem *newCertKeys, *newKeyIDs;
+    int i;
+    SECStatus rv;
+    NSSLOWCERTCertificate *cmpcert;
+    unsigned int nnlen;
+    int ncerts;
+    
+
+    PORT_Assert(entry);    
+    ncerts = entry->ncerts;
+	
+    if ( nickname && entry->nickname ) {
+	/* nicknames must be the same */
+	PORT_Assert(PORT_Strcmp(nickname, entry->nickname) == 0);
+    }
+
+    if ( ( entry->nickname == NULL ) && ( nickname != NULL ) ) {
+	/* copy nickname into the entry */
+	nnlen = PORT_Strlen(nickname) + 1;
+	entry->nickname = (char *)PORT_ArenaAlloc(entry->common.arena,nnlen);
+	if ( entry->nickname == NULL ) {
+	    return(SECFailure);
+	}
+	PORT_Memcpy(entry->nickname, nickname, nnlen);
+    }
+	
+    /* a DB entry already exists, so add this cert */
+    newCertKeys = (SECItem *)PORT_ArenaAlloc(entry->common.arena,
+					 sizeof(SECItem) * ( ncerts + 1 ) );
+    newKeyIDs = (SECItem *)PORT_ArenaAlloc(entry->common.arena,
+					 sizeof(SECItem) * ( ncerts + 1 ) );
+
+    if ( ( newCertKeys == NULL ) || ( newKeyIDs == NULL ) ) {
+	    return(SECFailure);
+    }
+
+    for ( i = 0; i < ncerts; i++ ) {
+	cmpcert = nsslowcert_FindCertByKey(cert->dbhandle,
+						  &entry->certKeys[i]);
+	PORT_Assert(cmpcert);
+	if ( nsslowcert_IsNewer(cert, cmpcert) ) {
+	    /* insert before cmpcert */
+	    rv = SECITEM_CopyItem(entry->common.arena, &newCertKeys[i],
+				      &cert->certKey);
+	    if ( rv != SECSuccess ) {
+		return(SECFailure);
+	    }
+	    rv = SECITEM_CopyItem(entry->common.arena, &newKeyIDs[i],
+				      &cert->subjectKeyID);
+	    if ( rv != SECSuccess ) {
+		return(SECFailure);
+	    }
+	    /* copy the rest of the entry */
+	    for ( ; i < ncerts; i++ ) {
+		newCertKeys[i+1] = entry->certKeys[i];
+		newKeyIDs[i+1] = entry->keyIDs[i];
+	    }
+
+	    /* update certKeys and keyIDs */
+	    entry->certKeys = newCertKeys;
+	    entry->keyIDs = newKeyIDs;
+		
+	    /* increment count */
+	    entry->ncerts++;
+	    break;
+	}
+	/* copy this cert entry */
+	newCertKeys[i] = entry->certKeys[i];
+	newKeyIDs[i] = entry->keyIDs[i];
+    }
+
+    if ( entry->ncerts == ncerts ) {
+	/* insert new one at end */
+	rv = SECITEM_CopyItem(entry->common.arena, &newCertKeys[ncerts],
+				  &cert->certKey);
+	if ( rv != SECSuccess ) {
+	    return(SECFailure);
+	}
+	rv = SECITEM_CopyItem(entry->common.arena, &newKeyIDs[ncerts],
+				  &cert->subjectKeyID);
+	if ( rv != SECSuccess ) {
+	    return(SECFailure);
+	}
+
+	/* update certKeys and keyIDs */
+	entry->certKeys = newCertKeys;
+	entry->keyIDs = newKeyIDs;
+		
+	/* increment count */
+	entry->ncerts++;
+    }
+    DeleteDBSubjectEntry(cert->dbhandle, &cert->derSubject);
+    rv = WriteDBSubjectEntry(cert->dbhandle, entry);
+    return(rv);
+}
+
+
+SECStatus
+nsslowcert_TraversePermCertsForSubject(NSSLOWCERTCertDBHandle *handle,
+				 SECItem *derSubject,
+				 NSSLOWCERTCertCallback cb, void *cbarg)
+{
+    certDBEntrySubject *entry;
+    int i;
+    NSSLOWCERTCertificate *cert;
+    SECStatus rv = SECSuccess;
+    
+    entry = ReadDBSubjectEntry(handle, derSubject);
+
+    if ( entry == NULL ) {
+	return(SECFailure);
+    }
+    
+    for( i = 0; i < entry->ncerts; i++ ) {
+	cert = nsslowcert_FindCertByKey(handle, &entry->certKeys[i]);
+	rv = (* cb)(cert, cbarg);
+	nsslowcert_DestroyCertificate(cert);
+	if ( rv == SECFailure ) {
+	    break;
+	}
+    }
+
+    DestroyDBEntry((certDBEntry *)entry);
+
+    return(rv);
+}
+
+int
+nsslowcert_NumPermCertsForSubject(NSSLOWCERTCertDBHandle *handle,
+							 SECItem *derSubject)
+{
+    certDBEntrySubject *entry;
+    int ret;
+    
+    entry = ReadDBSubjectEntry(handle, derSubject);
+
+    if ( entry == NULL ) {
+	return(SECFailure);
+    }
+
+    ret = entry->ncerts;
+    
+    DestroyDBEntry((certDBEntry *)entry);
+    
+    return(ret);
+}
+
+SECStatus
+nsslowcert_TraversePermCertsForNickname(NSSLOWCERTCertDBHandle *handle,
+		 	char *nickname, NSSLOWCERTCertCallback cb, void *cbarg)
+{
+    certDBEntryNickname *nnentry = NULL;
+    certDBEntrySMime *smentry = NULL;
+    SECStatus rv;
+    SECItem *derSubject = NULL;
+    
+    nnentry = ReadDBNicknameEntry(handle, nickname);
+    if ( nnentry ) {
+	derSubject = &nnentry->subjectName;
+    } else {
+	smentry = nsslowcert_ReadDBSMimeEntry(handle, nickname);
+	if ( smentry ) {
+	    derSubject = &smentry->subjectName;
+	}
+    }
+    
+    if ( derSubject ) {
+	rv = nsslowcert_TraversePermCertsForSubject(handle, derSubject,
+					      cb, cbarg);
+    } else {
+	rv = SECFailure;
+    }
+
+    if ( nnentry ) {
+	DestroyDBEntry((certDBEntry *)nnentry);
+    }
+    if ( smentry ) {
+	DestroyDBEntry((certDBEntry *)smentry);
+    }
+    
+    return(rv);
+}
+
+int
+nsslowcert_NumPermCertsForNickname(NSSLOWCERTCertDBHandle *handle, 
+								char *nickname)
+{
+    certDBEntryNickname *entry;
+    int ret;
+    
+    entry = ReadDBNicknameEntry(handle, nickname);
+    
+    if ( entry ) {
+	ret = nsslowcert_NumPermCertsForSubject(handle, &entry->subjectName);
+	DestroyDBEntry((certDBEntry *)entry);
+    } else {
+	ret = 0;
+    }
+    return(ret);
+}
+
+/*
+ * add a nickname to a cert that doesn't have one
+ */
+static SECStatus
+AddNicknameToPermCert(NSSLOWCERTCertDBHandle *dbhandle,
+				NSSLOWCERTCertificate *cert, char *nickname)
+{
+    certDBEntryCert *entry;
+    int rv;
+
+    entry = cert->dbEntry;
+    PORT_Assert(entry != NULL);
+    if ( entry == NULL ) {
+	goto loser;
+    }
+
+    entry->nickname = PORT_ArenaStrdup(entry->common.arena, nickname);
+
+    rv = WriteDBCertEntry(dbhandle, entry);
+    if ( rv ) {
+	goto loser;
+    }
+
+    cert->nickname = PORT_ArenaStrdup(cert->arena, nickname);
+    return(SECSuccess);
+    
+loser:
+    return(SECFailure);
+}
+
+/*
+ * add a nickname to a cert that is already in the perm database, but doesn't
+ * have one yet (it is probably an e-mail cert).
+ */
+SECStatus
+nsslowcert_AddPermNickname(NSSLOWCERTCertDBHandle *dbhandle,
+				NSSLOWCERTCertificate *cert, char *nickname)
+{
+    SECStatus rv = SECFailure;
+    certDBEntrySubject *entry = NULL;
+    
+    nsslowcert_LockDB(dbhandle);
+    
+    PORT_Assert(cert->nickname == NULL);
+    
+    if ( cert->nickname != NULL ) {
+	rv = SECSuccess;
+	goto loser;
+    }
+
+    entry = ReadDBSubjectEntry(dbhandle, &cert->derSubject);
+    if (entry == NULL) goto loser;
+
+    if ( entry->nickname == NULL ) {
+	/* no nickname for subject */
+	rv = AddNicknameToSubject(dbhandle, cert, nickname);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+	rv = AddNicknameToPermCert(dbhandle, cert, nickname);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+    } else {
+	/* subject already has a nickname */
+	rv = AddNicknameToPermCert(dbhandle, cert, entry->nickname);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+    }
+    rv = SECSuccess;
+
+loser:
+    if (entry) {
+	DestroyDBEntry((certDBEntry *)entry);
+    }
+    nsslowcert_UnlockDB(dbhandle);
+    return(rv);
+}
+
+static certDBEntryCert *
+AddCertToPermDB(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTCertificate *cert,
+		char *nickname, NSSLOWCERTCertTrust *trust)
+{
+    certDBEntryCert *certEntry = NULL;
+    certDBEntryNickname *nicknameEntry = NULL;
+    certDBEntrySubject *subjectEntry = NULL;
+    int state = 0;
+    SECStatus rv;
+    PRBool donnentry = PR_FALSE;
+
+    if ( nickname ) {
+	donnentry = PR_TRUE;
+    }
+
+    subjectEntry = ReadDBSubjectEntry(handle, &cert->derSubject);
+	
+    if ( subjectEntry ) {
+	donnentry = PR_FALSE;
+	nickname = subjectEntry->nickname;
+    }
+    
+    certEntry = NewDBCertEntry(&cert->derCert, nickname, trust, 0);
+    if ( certEntry == NULL ) {
+	goto loser;
+    }
+    
+    if ( donnentry ) {
+	nicknameEntry = NewDBNicknameEntry(nickname, &cert->derSubject, 0);
+	if ( nicknameEntry == NULL ) {
+	    goto loser;
+	}
+    }
+    
+    rv = WriteDBCertEntry(handle, certEntry);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    state = 1;
+    
+    if ( nicknameEntry ) {
+	rv = WriteDBNicknameEntry(handle, nicknameEntry);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+    }
+    
+    state = 2;
+
+    cert->dbhandle = handle;
+    
+    /* add to or create new subject entry */
+    if ( subjectEntry ) {
+	/* REWRITE BASED ON SUBJECT ENTRY */
+	cert->dbhandle = handle;
+	rv = AddPermSubjectNode(subjectEntry, cert, nickname);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+    } else {
+	/* make a new subject entry - this case is only used when updating
+	 * an old version of the database.  This is OK because the oldnickname
+	 * db format didn't allow multiple certs with the same subject.
+	 */
+	/* where does subjectKeyID and certKey come from? */
+	subjectEntry = NewDBSubjectEntry(&cert->derSubject, &cert->certKey,
+					 &cert->subjectKeyID, nickname,
+					 NULL, 0);
+	if ( subjectEntry == NULL ) {
+	    goto loser;
+	}
+	rv = WriteDBSubjectEntry(handle, subjectEntry);
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+    }
+    
+    state = 3;
+    
+    if ( nicknameEntry ) {
+	DestroyDBEntry((certDBEntry *)nicknameEntry);
+    }
+    
+    if ( subjectEntry ) {
+	DestroyDBEntry((certDBEntry *)subjectEntry);
+    }
+
+    return(certEntry);
+
+loser:
+    /* don't leave partial entry in the database */
+    if ( state > 0 ) {
+	rv = DeleteDBCertEntry(handle, &cert->certKey);
+    }
+    if ( ( state > 1 ) && donnentry ) {
+	rv = DeleteDBNicknameEntry(handle, nickname);
+    }
+    if ( state > 2 ) {
+	rv = DeleteDBSubjectEntry(handle, &cert->derSubject);
+    }
+    if ( certEntry ) {
+	DestroyDBEntry((certDBEntry *)certEntry);
+    }
+    if ( nicknameEntry ) {
+	DestroyDBEntry((certDBEntry *)nicknameEntry);
+    }
+    if ( subjectEntry ) {
+	DestroyDBEntry((certDBEntry *)subjectEntry);
+    }
+
+    return(NULL);
+}
+
+/*
+ * NOTE - Version 6 DB did not go out to the real world in a release,
+ * so we can remove this function in a later release.
+ */
+static SECStatus
+UpdateV6DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb)
+{
+    int ret;
+    DBT key, data;
+    unsigned char *buf, *tmpbuf = NULL;
+    certDBEntryType type;
+    certDBEntryNickname *nnEntry = NULL;
+    certDBEntrySubject *subjectEntry = NULL;
+    certDBEntrySMime *emailEntry = NULL;
+    char *nickname;
+    char *emailAddr;
+    SECStatus rv;
+    
+    /*
+     * Sequence through the old database and copy all of the entries
+     * to the new database.  Subject name entries will have the new
+     * fields inserted into them (with zero length).
+     */
+    ret = (* updatedb->seq)(updatedb, &key, &data, R_FIRST);
+    if ( ret ) {
+	return(SECFailure);
+    }
+
+    do {
+	buf = (unsigned char *)data.data;
+	
+	if ( data.size >= 3 ) {
+	    if ( buf[0] == 6 ) { /* version number */
+		type = (certDBEntryType)buf[1];
+		if ( type == certDBEntryTypeSubject ) {
+		    /* expando subjecto entrieo */
+		    tmpbuf = (unsigned char *)PORT_Alloc(data.size + 4);
+		    if ( tmpbuf ) {
+			/* copy header stuff */
+			PORT_Memcpy(tmpbuf, buf, SEC_DB_ENTRY_HEADER_LEN + 2);
+			/* insert 4 more bytes of zero'd header */
+			PORT_Memset(&tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 2],
+				    0, 4);
+			/* copy rest of the data */
+			PORT_Memcpy(&tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 6],
+				    &buf[SEC_DB_ENTRY_HEADER_LEN + 2],
+				    data.size - (SEC_DB_ENTRY_HEADER_LEN + 2));
+
+			data.data = (void *)tmpbuf;
+			data.size += 4;
+			buf = tmpbuf;
+		    }
+		} else if ( type == certDBEntryTypeCert ) {
+		    /* expando certo entrieo */
+		    tmpbuf = (unsigned char *)PORT_Alloc(data.size + 3);
+		    if ( tmpbuf ) {
+			/* copy header stuff */
+			PORT_Memcpy(tmpbuf, buf, SEC_DB_ENTRY_HEADER_LEN);
+
+			/* copy trust flage, setting msb's to 0 */
+			tmpbuf[SEC_DB_ENTRY_HEADER_LEN] = 0;
+			tmpbuf[SEC_DB_ENTRY_HEADER_LEN+1] =
+			    buf[SEC_DB_ENTRY_HEADER_LEN];
+			tmpbuf[SEC_DB_ENTRY_HEADER_LEN+2] = 0;
+			tmpbuf[SEC_DB_ENTRY_HEADER_LEN+3] =
+			    buf[SEC_DB_ENTRY_HEADER_LEN+1];
+			tmpbuf[SEC_DB_ENTRY_HEADER_LEN+4] = 0;
+			tmpbuf[SEC_DB_ENTRY_HEADER_LEN+5] =
+			    buf[SEC_DB_ENTRY_HEADER_LEN+2];
+			
+			/* copy rest of the data */
+			PORT_Memcpy(&tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 6],
+				    &buf[SEC_DB_ENTRY_HEADER_LEN + 3],
+				    data.size - (SEC_DB_ENTRY_HEADER_LEN + 3));
+
+			data.data = (void *)tmpbuf;
+			data.size += 3;
+			buf = tmpbuf;
+		    }
+
+		}
+
+		/* update the record version number */
+		buf[0] = CERT_DB_FILE_VERSION;
+
+		/* copy to the new database */
+		ret = certdb_Put(handle->permCertDB, &key, &data, 0);
+		if ( tmpbuf ) {
+		    PORT_Free(tmpbuf);
+		    tmpbuf = NULL;
+		}
+	    }
+	}
+    } while ( (* updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0 );
+
+    ret = certdb_Sync(handle->permCertDB, 0);
+
+    ret = (* updatedb->seq)(updatedb, &key, &data, R_FIRST);
+    if ( ret ) {
+	return(SECFailure);
+    }
+
+    do {
+	buf = (unsigned char *)data.data;
+	
+	if ( data.size >= 3 ) {
+	    if ( buf[0] == CERT_DB_FILE_VERSION ) { /* version number */
+		type = (certDBEntryType)buf[1];
+		if ( type == certDBEntryTypeNickname ) {
+		    nickname = &((char *)key.data)[1];
+
+		    /* get the matching nickname entry in the new DB */
+		    nnEntry = ReadDBNicknameEntry(handle, nickname);
+		    if ( nnEntry == NULL ) {
+			goto endloop;
+		    }
+		    
+		    /* find the subject entry pointed to by nickname */
+		    subjectEntry = ReadDBSubjectEntry(handle,
+						      &nnEntry->subjectName);
+		    if ( subjectEntry == NULL ) {
+			goto endloop;
+		    }
+		    
+		    subjectEntry->nickname =
+			(char *)PORT_ArenaAlloc(subjectEntry->common.arena,
+						key.size - 1);
+		    if ( subjectEntry->nickname ) {
+			PORT_Memcpy(subjectEntry->nickname, nickname,
+				    key.size - 1);
+			rv = WriteDBSubjectEntry(handle, subjectEntry);
+		    }
+		} else if ( type == certDBEntryTypeSMimeProfile ) {
+		    emailAddr = &((char *)key.data)[1];
+
+		    /* get the matching smime entry in the new DB */
+		    emailEntry = nsslowcert_ReadDBSMimeEntry(handle, emailAddr);
+		    if ( emailEntry == NULL ) {
+			goto endloop;
+		    }
+		    
+		    /* find the subject entry pointed to by nickname */
+		    subjectEntry = ReadDBSubjectEntry(handle,
+						      &emailEntry->subjectName);
+		    if ( subjectEntry == NULL ) {
+			goto endloop;
+		    }
+		    
+		    subjectEntry->nickname =
+			(char *)PORT_ArenaAlloc(subjectEntry->common.arena,
+						key.size - 1);
+		    if ( subjectEntry->emailAddr ) {
+			PORT_Memcpy(subjectEntry->emailAddr, emailAddr,
+				    key.size - 1);
+			rv = WriteDBSubjectEntry(handle, subjectEntry);
+		    }
+		}
+		
+endloop:
+		if ( subjectEntry ) {
+		    DestroyDBEntry((certDBEntry *)subjectEntry);
+		    subjectEntry = NULL;
+		}
+		if ( nnEntry ) {
+		    DestroyDBEntry((certDBEntry *)nnEntry);
+		    nnEntry = NULL;
+		}
+		if ( emailEntry ) {
+		    DestroyDBEntry((certDBEntry *)emailEntry);
+		    emailEntry = NULL;
+		}
+	    }
+	}
+    } while ( (* updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0 );
+
+    ret = certdb_Sync(handle->permCertDB, 0);
+
+    (* updatedb->close)(updatedb);
+    return(SECSuccess);
+}
+
+
+static SECStatus
+updateV5Callback(NSSLOWCERTCertificate *cert, SECItem *k, void *pdata)
+{
+    NSSLOWCERTCertDBHandle *handle;
+    certDBEntryCert *entry;
+    NSSLOWCERTCertTrust *trust;
+    
+    handle = (NSSLOWCERTCertDBHandle *)pdata;
+    trust = &cert->dbEntry->trust;
+
+    /* SSL user certs can be used for email if they have an email addr */
+    if ( cert->emailAddr && ( trust->sslFlags & CERTDB_USER ) &&
+	( trust->emailFlags == 0 ) ) {
+	trust->emailFlags = CERTDB_USER;
+    }
+    /* servers didn't set the user flags on the server cert.. */
+    if (PORT_Strcmp(cert->dbEntry->nickname,"Server-Cert") == 0) {
+	trust->sslFlags |= CERTDB_USER;
+    }
+    
+    entry = AddCertToPermDB(handle, cert, cert->dbEntry->nickname,
+			    &cert->dbEntry->trust);
+    if ( entry ) {
+	DestroyDBEntry((certDBEntry *)entry);
+    }
+    
+    return(SECSuccess);
+}
+
+static SECStatus
+UpdateV5DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb)
+{
+    NSSLOWCERTCertDBHandle updatehandle;
+    SECStatus rv;
+    
+    updatehandle.permCertDB = updatedb;
+    updatehandle.dbMon = PZ_NewMonitor(nssILockCertDB);
+    
+    rv = nsslowcert_TraversePermCerts(&updatehandle, updateV5Callback,
+			       (void *)handle);
+    
+    PZ_DestroyMonitor(updatehandle.dbMon);
+
+    (* updatedb->close)(updatedb);
+    return(SECSuccess);
+}
+
+static PRBool
+isV4DB(DB *db) {
+    DBT key,data;
+    int ret;
+
+    key.data = "Version";
+    key.size = 7;
+
+    ret = (*db->get)(db, &key, &data, 0);
+    if (ret) {
+	return PR_FALSE;
+    }
+
+    if ((data.size == 1) && (*(unsigned char *)data.data <= 4))  {
+	return PR_TRUE;
+    }
+
+    return PR_FALSE;
+}
+
+static SECStatus
+UpdateV4DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb)
+{
+    DBT key, data;
+    certDBEntryCert *entry, *entry2;
+    SECItem derSubject;
+    int ret;
+    PRArenaPool *arena = NULL;
+    NSSLOWCERTCertificate *cert;
+
+    ret = (* updatedb->seq)(updatedb, &key, &data, R_FIRST);
+
+    if ( ret ) {
+	return(SECFailure);
+    }
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	return(SECFailure);
+    }
+    
+    do {
+	if ( data.size != 1 ) { /* skip version number */
+
+	    /* decode the old DB entry */
+	    entry = (certDBEntryCert *)DecodeV4DBCertEntry((unsigned char*)data.data, data.size);
+	    derSubject.data = NULL;
+	    
+	    if ( entry ) {
+		cert = nsslowcert_DecodeDERCertificate(&entry->derCert, PR_TRUE,
+						 entry->nickname);
+
+		if ( cert != NULL ) {
+		    /* add to new database */
+		    entry2 = AddCertToPermDB(handle, cert, entry->nickname,
+					     &entry->trust);
+		    
+		    nsslowcert_DestroyCertificate(cert);
+		    if ( entry2 ) {
+			DestroyDBEntry((certDBEntry *)entry2);
+		    }
+		}
+		DestroyDBEntry((certDBEntry *)entry);
+	    }
+	}
+    } while ( (* updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0 );
+
+    PORT_FreeArena(arena, PR_FALSE);
+    (* updatedb->close)(updatedb);
+    return(SECSuccess);
+}
+
+
+/*
+ * return true if a database key conflict exists
+ */
+PRBool
+nsslowcert_CertDBKeyConflict(SECItem *derCert, NSSLOWCERTCertDBHandle *handle)
+{
+    SECStatus rv;
+    DBT tmpdata;
+    DBT namekey;
+    int ret;
+    SECItem keyitem;
+    PRArenaPool *arena = NULL;
+    SECItem derKey;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	goto loser;
+    }
+
+    /* get the db key of the cert */
+    rv = nsslowcert_KeyFromDERCert(arena, derCert, &derKey);
+    if ( rv != SECSuccess ) {
+        goto loser;
+    }
+
+    rv = EncodeDBCertKey(&derKey, arena, &keyitem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    namekey.data = keyitem.data;
+    namekey.size = keyitem.len;
+    
+    ret = certdb_Get(handle->permCertDB, &namekey, &tmpdata, 0);
+    if ( ret == 0 ) {
+	goto loser;
+    }
+
+    PORT_FreeArena(arena, PR_FALSE);
+    
+    return(PR_FALSE);
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(PR_TRUE);
+}
+
+/*
+ * return true if a nickname conflict exists
+ * NOTE: caller must have already made sure that this exact cert
+ * doesn't exist in the DB
+ */
+static PRBool
+nsslowcert_CertNicknameConflict(char *nickname, SECItem *derSubject,
+			 NSSLOWCERTCertDBHandle *handle)
+{
+    PRBool rv;
+    certDBEntryNickname *entry;
+    
+    if ( nickname == NULL ) {
+	return(PR_FALSE);
+    }
+    
+    entry = ReadDBNicknameEntry(handle, nickname);
+
+    if ( entry == NULL ) {
+	/* no entry for this nickname, so no conflict */
+	return(PR_FALSE);
+    }
+
+    rv = PR_TRUE;
+    if ( SECITEM_CompareItem(derSubject, &entry->subjectName) == SECEqual ) {
+	/* if subject names are the same, then no conflict */
+	rv = PR_FALSE;
+    }
+
+    DestroyDBEntry((certDBEntry *)entry);
+    return(rv);
+}
+
+/*
+ * Open the certificate database and index databases.  Create them if
+ * they are not there or bad.
+ */
+static SECStatus
+nsslowcert_OpenPermCertDB(NSSLOWCERTCertDBHandle *handle, PRBool readOnly,
+		   NSSLOWCERTDBNameFunc namecb, void *cbarg)
+{
+    SECStatus rv;
+    int openflags;
+    certDBEntryVersion *versionEntry = NULL;
+    DB *updatedb = NULL;
+    char *tmpname;
+    char *certdbname;
+    PRBool updated = PR_FALSE;
+    PRBool forceUpdate = PR_FALSE;
+    
+    certdbname = (* namecb)(cbarg, CERT_DB_FILE_VERSION);
+    if ( certdbname == NULL ) {
+	return(SECFailure);
+    }
+    
+    if ( readOnly ) {
+	openflags = O_RDONLY;
+    } else {
+	openflags = O_RDWR;
+    }
+    
+    /*
+     * first open the permanent file based database.
+     */
+    handle->permCertDB = dbopen( certdbname, openflags, 0600, DB_HASH, 0 );
+
+    /* check for correct version number */
+    if ( handle->permCertDB ) {
+	versionEntry = ReadDBVersionEntry(handle);
+
+	if ( versionEntry == NULL ) {
+	    /* no version number */
+	    certdb_Close(handle->permCertDB);
+	    handle->permCertDB = 0;
+	} else if ( versionEntry->common.version != CERT_DB_FILE_VERSION ) {
+	    /* wrong version number, can't update in place */
+	    DestroyDBEntry((certDBEntry *)versionEntry);
+	    PORT_Free(certdbname);
+	    return(SECFailure);
+	} else {
+	    DestroyDBEntry((certDBEntry *)versionEntry);
+	    versionEntry = NULL;
+	}
+    }
+
+
+    /* if first open fails, try to create a new DB */
+    if ( handle->permCertDB == NULL ) {
+
+	/* don't create if readonly */
+	if ( readOnly ) {
+	    goto loser;
+	}
+	
+	handle->permCertDB = dbopen(certdbname,
+				    O_RDWR | O_CREAT | O_TRUNC,
+				    0600, DB_HASH, 0);
+
+	/* if create fails then we lose */
+	if ( handle->permCertDB == 0 ) {
+	    goto loser;
+	}
+
+	versionEntry = NewDBVersionEntry(0);
+	if ( versionEntry == NULL ) {
+	    goto loser;
+	}
+	
+	rv = WriteDBVersionEntry(handle, versionEntry);
+
+	DestroyDBEntry((certDBEntry *)versionEntry);
+
+	if ( rv != SECSuccess ) {
+	    goto loser;
+	}
+
+	/* try to upgrade old db here */
+	tmpname = (* namecb)(cbarg, 6);	/* get v6 db name */
+	if ( tmpname ) {
+	    updatedb = dbopen( tmpname, O_RDONLY, 0600, DB_HASH, 0 );
+	    PORT_Free(tmpname);
+	    if ( updatedb ) {
+		rv = UpdateV6DB(handle, updatedb);
+		if ( rv != SECSuccess ) {
+		    goto loser;
+		}
+		updated = PR_TRUE;
+	    } else { /* no v6 db, so try v5 db */
+		tmpname = (* namecb)(cbarg, 5);	/* get v5 db name */
+		if ( tmpname ) {
+		    updatedb = dbopen( tmpname, O_RDONLY, 0600, DB_HASH, 0 );
+		    PORT_Free(tmpname);
+		    if ( updatedb ) {
+			rv = UpdateV5DB(handle, updatedb);
+			if ( rv != SECSuccess ) {
+			    goto loser;
+			}
+			updated = PR_TRUE;
+		    } else { /* no v5 db, so try v4 db */
+			/* try to upgrade v4 db */
+			tmpname = (* namecb)(cbarg, 4);	/* get v4 db name */
+			if ( tmpname ) {
+			    updatedb = dbopen( tmpname, O_RDONLY, 0600,
+					      DB_HASH, 0 );
+			    PORT_Free(tmpname);
+			    if ( updatedb ) {
+				/* NES has v5 db's with v4 db names! */
+				if (isV4DB(updatedb)) {
+				    rv = UpdateV4DB(handle, updatedb);
+				} else {
+				    rv = UpdateV5DB(handle, updatedb);
+				}
+				if ( rv != SECSuccess ) {
+				    goto loser;
+				}
+				forceUpdate = PR_TRUE;
+				updated = PR_TRUE;
+			    }
+			}
+		    }
+		}
+	    }
+	}
+
+	/* Root certs are no longer automatically added to the DB. They
+	 * come from and external PKCS #11 file.
+	 */
+    }
+
+    PORT_Free(certdbname);
+    
+    return (SECSuccess);
+    
+loser:
+
+    PORT_SetError(SEC_ERROR_BAD_DATABASE);
+    
+    if ( handle->permCertDB ) {
+	certdb_Close(handle->permCertDB);
+	handle->permCertDB = 0;
+    }
+
+    PORT_Free(certdbname);
+
+    return(SECFailure);
+}
+
+/*
+ * delete all DB records associated with a particular certificate
+ */
+static SECStatus
+DeletePermCert(NSSLOWCERTCertificate *cert)
+{
+    SECStatus rv;
+    SECStatus ret;
+
+    ret = SECSuccess;
+    
+    rv = DeleteDBCertEntry(cert->dbhandle, &cert->certKey);
+    if ( rv != SECSuccess ) {
+	ret = SECFailure;
+    }
+    
+    if ( cert->nickname ) {
+	rv = DeleteDBNicknameEntry(cert->dbhandle, cert->nickname);
+	if ( rv != SECSuccess ) {
+	    ret = SECFailure;
+	}
+    }
+    
+    rv = RemovePermSubjectNode(cert);
+
+    return(ret);
+}
+
+/*
+ * Delete a certificate from the permanent database.
+ */
+SECStatus
+nsslowcert_DeletePermCertificate(NSSLOWCERTCertificate *cert)
+{
+    SECStatus rv;
+    
+    nsslowcert_LockDB(cert->dbhandle);
+    /* delete the records from the permanent database */
+    rv = DeletePermCert(cert);
+
+    /* get rid of dbcert and stuff pointing to it */
+    DestroyDBEntry((certDBEntry *)cert->dbEntry);
+    cert->dbEntry = NULL;
+    cert->trust = NULL;
+
+    nsslowcert_UnlockDB(cert->dbhandle);
+    return(rv);
+}
+
+/*
+ * Traverse all of the entries in the database of a particular type
+ * call the given function for each one.
+ */
+SECStatus
+nsslowcert_TraverseDBEntries(NSSLOWCERTCertDBHandle *handle,
+		      certDBEntryType type,
+		      SECStatus (* callback)(SECItem *data, SECItem *key,
+					    certDBEntryType type, void *pdata),
+		      void *udata )
+{
+    DBT data;
+    DBT key;
+    SECStatus rv;
+    int ret;
+    SECItem dataitem;
+    SECItem keyitem;
+    unsigned char *buf;
+    unsigned char *keybuf;
+    
+    ret = certdb_Seq(handle->permCertDB, &key, &data, R_FIRST);
+
+    if ( ret ) {
+	return(SECFailure);
+    }
+    
+    do {
+	buf = (unsigned char *)data.data;
+	
+	if ( buf[1] == (unsigned char)type ) {
+	    dataitem.len = data.size;
+	    dataitem.data = buf;
+            dataitem.type = siBuffer;
+	    keyitem.len = key.size - SEC_DB_KEY_HEADER_LEN;
+	    keybuf = (unsigned char *)key.data;
+	    keyitem.data = &keybuf[SEC_DB_KEY_HEADER_LEN];
+            keyitem.type = siBuffer;
+	    
+	    rv = (* callback)(&dataitem, &keyitem, type, udata);
+	    if ( rv != SECSuccess ) {
+		return(rv);
+	    }
+	}
+    } while ( certdb_Seq(handle->permCertDB, &key, &data, R_NEXT) == 0 );
+
+    return(SECSuccess);
+}
+/*
+ * Decode a certificate and enter it into the temporary certificate database.
+ * Deal with nicknames correctly
+ *
+ * This is the private entry point.
+ */
+static NSSLOWCERTCertificate *
+DecodeACert(NSSLOWCERTCertDBHandle *handle, certDBEntryCert *entry)
+{
+    NSSLOWCERTCertificate *cert = NULL;
+    
+    cert = nsslowcert_DecodeDERCertificate(&entry->derCert, PR_TRUE,
+							 entry->nickname );
+    
+    if ( cert == NULL ) {
+	goto loser;
+    }
+
+    cert->dbhandle = handle;
+    cert->dbEntry = entry;
+    cert->trust = &entry->trust;
+
+    return(cert);
+
+loser:
+    return(0);
+}
+
+typedef struct {
+    PermCertCallback certfunc;
+    NSSLOWCERTCertDBHandle *handle;
+    void *data;
+} PermCertCallbackState;
+
+/*
+ * traversal callback to decode certs and call callers callback
+ */
+static SECStatus
+certcallback(SECItem *dbdata, SECItem *dbkey, certDBEntryType type, void *data)
+{
+    PermCertCallbackState *mystate;
+    SECStatus rv;
+    certDBEntryCert *entry;
+    SECItem entryitem;
+    NSSLOWCERTCertificate *cert;
+    PRArenaPool *arena = NULL;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	goto loser;
+    }
+    
+    entry = (certDBEntryCert *)PORT_ArenaAlloc(arena, sizeof(certDBEntryCert));
+    mystate = (PermCertCallbackState *)data;
+    entry->common.version = (unsigned int)dbdata->data[0];
+    entry->common.type = (certDBEntryType)dbdata->data[1];
+    entry->common.flags = (unsigned int)dbdata->data[2];
+    entry->common.arena = arena;
+    
+    entryitem.len = dbdata->len - SEC_DB_ENTRY_HEADER_LEN;
+    entryitem.data = &dbdata->data[SEC_DB_ENTRY_HEADER_LEN];
+    
+    rv = DecodeDBCertEntry(entry, &entryitem);
+    if (rv != SECSuccess ) {
+	goto loser;
+    }
+    entry->derCert.type = siBuffer;
+   
+    /* note: Entry is 'inheritted'.  */
+    cert = DecodeACert(mystate->handle, entry);
+
+    rv = (* mystate->certfunc)(cert, dbkey, mystate->data);
+
+    /* arena stored in entry destroyed by nsslowcert_DestroyCertificate */
+    nsslowcert_DestroyCertificateNoLocking(cert);
+
+    return(rv);
+
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return(SECFailure);
+}
+
+/*
+ * Traverse all of the certificates in the permanent database and
+ * call the given function for each one; expect the caller to have lock.
+ */
+static SECStatus
+TraversePermCertsNoLocking(NSSLOWCERTCertDBHandle *handle,
+			   SECStatus (* certfunc)(NSSLOWCERTCertificate *cert,
+						  SECItem *k,
+						  void *pdata),
+			   void *udata )
+{
+    SECStatus rv;
+    PermCertCallbackState mystate;
+
+    mystate.certfunc = certfunc;
+    mystate.handle = handle;
+    mystate.data = udata;
+    rv = nsslowcert_TraverseDBEntries(handle, certDBEntryTypeCert, certcallback,
+			       (void *)&mystate);
+    
+    return(rv);
+}
+
+/*
+ * Traverse all of the certificates in the permanent database and
+ * call the given function for each one.
+ */
+SECStatus
+nsslowcert_TraversePermCerts(NSSLOWCERTCertDBHandle *handle,
+		      SECStatus (* certfunc)(NSSLOWCERTCertificate *cert, SECItem *k,
+					    void *pdata),
+		      void *udata )
+{
+    SECStatus rv;
+
+    nsslowcert_LockDB(handle);
+    rv = TraversePermCertsNoLocking(handle, certfunc, udata);
+    nsslowcert_UnlockDB(handle);
+    
+    return(rv);
+}
+
+
+
+/*
+ * Close the database
+ */
+void
+nsslowcert_ClosePermCertDB(NSSLOWCERTCertDBHandle *handle)
+{
+    if ( handle ) {
+	if ( handle->permCertDB ) {
+	    certdb_Close( handle->permCertDB );
+	    handle->permCertDB = NULL;
+	}
+	if (handle->dbMon) {
+    	    PZ_DestroyMonitor(handle->dbMon);
+	    handle->dbMon = NULL;
+	}
+    }
+    return;
+}
+
+/*
+ * Get the trust attributes from a certificate
+ */
+SECStatus
+nsslowcert_GetCertTrust(NSSLOWCERTCertificate *cert, NSSLOWCERTCertTrust *trust)
+{
+    SECStatus rv;
+    
+    nsslowcert_LockCertTrust(cert);
+    
+    if ( cert->trust == NULL ) {
+	rv = SECFailure;
+    } else {
+	*trust = *cert->trust;
+	rv = SECSuccess;
+    }
+    
+    nsslowcert_UnlockCertTrust(cert);
+    return(rv);
+}
+
+/*
+ * Change the trust attributes of a certificate and make them permanent
+ * in the database.
+ */
+SECStatus
+nsslowcert_ChangeCertTrust(NSSLOWCERTCertDBHandle *handle, 
+	 	 	NSSLOWCERTCertificate *cert, NSSLOWCERTCertTrust *trust)
+{
+    certDBEntryCert *entry;
+    int rv;
+    SECStatus ret;
+    
+    nsslowcert_LockDB(handle);
+    nsslowcert_LockCertTrust(cert);
+    /* only set the trust on permanent certs */
+    if ( cert->trust == NULL ) {
+	ret = SECFailure;
+	goto done;
+    }
+
+    *cert->trust = *trust;
+    if ( cert->dbEntry == NULL ) {
+	ret = SECSuccess; /* not in permanent database */
+	goto done;
+    }
+    
+    entry = cert->dbEntry;
+    entry->trust = *trust;
+    
+    rv = WriteDBCertEntry(handle, entry);
+    if ( rv ) {
+	ret = SECFailure;
+	goto done;
+    }
+
+    ret = SECSuccess;
+    
+done:
+    nsslowcert_UnlockCertTrust(cert);
+    nsslowcert_UnlockDB(handle);
+    return(ret);
+}
+
+
+SECStatus
+nsslowcert_AddPermCert(NSSLOWCERTCertDBHandle *dbhandle,
+    NSSLOWCERTCertificate *cert, char *nickname, NSSLOWCERTCertTrust *trust)
+{
+    char *oldnn;
+    certDBEntryCert *entry;
+    PRBool conflict;
+    SECStatus ret;
+
+    nsslowcert_LockDB(dbhandle);
+    
+    PORT_Assert(!cert->dbEntry);
+
+    /* don't add a conflicting nickname */
+    conflict = nsslowcert_CertNicknameConflict(nickname, &cert->derSubject,
+					dbhandle);
+    if ( conflict ) {
+	ret = SECFailure;
+	goto done;
+    }
+    
+    /* save old nickname so that we can delete it */
+    oldnn = cert->nickname;
+
+    entry = AddCertToPermDB(dbhandle, cert, nickname, trust);
+    
+    if ( entry == NULL ) {
+	ret = SECFailure;
+	goto done;
+    }
+    
+    cert->nickname = (entry->nickname) ? PORT_ArenaStrdup(cert->arena,entry->nickname) : NULL;
+    cert->trust = &entry->trust;
+    cert->dbEntry = entry;
+    
+    ret = SECSuccess;
+done:
+    nsslowcert_UnlockDB(dbhandle);
+    return(ret);
+}
+
+/*
+ * Open the certificate database and index databases.  Create them if
+ * they are not there or bad.
+ */
+SECStatus
+nsslowcert_OpenCertDB(NSSLOWCERTCertDBHandle *handle, PRBool readOnly,
+		NSSLOWCERTDBNameFunc namecb, void *cbarg, PRBool openVolatile)
+{
+    int rv;
+
+    certdb_InitDBLock(handle);
+    
+    handle->dbMon = PZ_NewMonitor(nssILockCertDB);
+    PORT_Assert(handle->dbMon != NULL);
+
+    rv = nsslowcert_OpenPermCertDB(handle, readOnly, namecb, cbarg);
+    if ( rv ) {
+	goto loser;
+    }
+
+    return (SECSuccess);
+    
+loser:
+
+    PORT_SetError(SEC_ERROR_BAD_DATABASE);
+    return(SECFailure);
+}
+
+
+/*
+ * Lookup a certificate in the databases.
+ */
+static NSSLOWCERTCertificate *
+FindCertByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey, PRBool lockdb)
+{
+    SECItem keyitem;
+    DBT key;
+    SECStatus rv;
+    NSSLOWCERTCertificate *cert = NULL;
+    PRArenaPool *arena = NULL;
+    certDBEntryCert *entry;
+    PRBool locked = PR_FALSE;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	goto loser;
+    }
+    
+    rv = EncodeDBCertKey(certKey, arena, &keyitem);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    key.data = keyitem.data;
+    key.size = keyitem.len;
+    
+    if ( lockdb ) {
+	locked = PR_TRUE;
+	nsslowcert_LockDB(handle);
+    }
+	
+    /* find in perm database */
+    entry = ReadDBCertEntry(handle, certKey);
+	
+    if ( entry == NULL ) {
+ 	goto loser;
+    }
+  
+    /* inherit entry */  
+    cert = DecodeACert(handle, entry);
+
+loser:
+    if ( locked ) {
+	nsslowcert_UnlockDB(handle);
+    }
+
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    
+    return(cert);
+}
+
+/*
+ * Lookup a certificate in the databases without locking
+ */
+NSSLOWCERTCertificate *
+nsslowcert_FindCertByKey(NSSLOWCERTCertDBHandle *handle, SECItem *certKey)
+{
+    return(FindCertByKey(handle, certKey, PR_FALSE));
+}
+
+/*
+ * Generate a key from an issuerAndSerialNumber, and find the
+ * associated cert in the database.
+ */
+NSSLOWCERTCertificate *
+nsslowcert_FindCertByIssuerAndSN(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN)
+{
+    SECItem certKey;
+    SECItem *sn = &issuerAndSN->serialNumber;
+    SECItem *issuer = &issuerAndSN->derIssuer;
+    NSSLOWCERTCertificate *cert;
+    int data_left = sn->len-1;
+    int data_len = sn->len;
+    int index = 0;
+
+    /* automatically detect DER encoded serial numbers and remove the der
+     * encoding since the database expects unencoded data. 
+     * if it's DER encoded, there must be at least 3 bytes, tag, len, data */
+    if ((sn->len >= 3) && (sn->data[0] == 0x2)) {
+	/* remove the der encoding of the serial number before generating the
+	 * key.. */
+	data_left = sn->len-2;
+	data_len = sn->data[1];
+	index = 2;
+
+	/* extended length ? (not very likely for a serial number) */
+	if (data_len & 0x80) {
+	    int len_count = data_len & 0x7f;
+
+	    data_len = 0;
+	    data_left -= len_count;
+	    if (data_left > 0) {
+		while (len_count --) {
+		    data_len = (data_len << 8) | sn->data[index++];
+		}
+	    } 
+	}
+	/* XXX leaving any leading zeros on the serial number for backwards
+	 * compatibility
+	 */
+	/* not a valid der, must be just an unlucky serial number value */
+	if (data_len != data_left) {
+	    data_len = sn->len;
+	    index = 0;
+	}
+    }
+
+    certKey.data = (unsigned char*)PORT_Alloc(sn->len + issuer->len);
+    certKey.len = data_len + issuer->len;
+    
+    if ( certKey.data == NULL ) {
+	return(0);
+    }
+
+    /* first try the serial number as hand-decoded above*/
+    /* copy the serialNumber */
+    PORT_Memcpy(certKey.data, &sn->data[index], data_len);
+
+    /* copy the issuer */
+    PORT_Memcpy( &certKey.data[data_len],issuer->data,issuer->len);
+
+    cert = nsslowcert_FindCertByKey(handle, &certKey);
+    if (cert) {
+	PORT_Free(certKey.data);
+	return (cert);
+    }
+
+    /* didn't find it, try by der encoded serial number */
+    /* copy the serialNumber */
+    PORT_Memcpy(certKey.data, sn->data, sn->len);
+
+    /* copy the issuer */
+    PORT_Memcpy( &certKey.data[sn->len], issuer->data, issuer->len);
+    certKey.len = sn->len + issuer->len;
+
+    cert = nsslowcert_FindCertByKey(handle, &certKey);
+    
+    PORT_Free(certKey.data);
+    
+    return(cert);
+}
+
+/*
+ * look for the given DER certificate in the database
+ */
+NSSLOWCERTCertificate *
+nsslowcert_FindCertByDERCert(NSSLOWCERTCertDBHandle *handle, SECItem *derCert)
+{
+    PRArenaPool *arena;
+    SECItem certKey;
+    SECStatus rv;
+    NSSLOWCERTCertificate *cert = NULL;
+    
+    /* create a scratch arena */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	return(NULL);
+    }
+    
+    /* extract the database key from the cert */
+    rv = nsslowcert_KeyFromDERCert(arena, derCert, &certKey);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+
+    /* find the certificate */
+    cert = nsslowcert_FindCertByKey(handle, &certKey);
+    
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    return(cert);
+}
+
+static void
+DestroyCertificate(NSSLOWCERTCertificate *cert, PRBool lockdb)
+{
+    int refCount;
+    NSSLOWCERTCertDBHandle *handle;
+    
+    if ( cert ) {
+
+	handle = cert->dbhandle;
+
+	/*
+	 * handle may be NULL, for example if the cert was created with
+	 * nsslowcert_DecodeDERCertificate.
+	 */
+	if ( lockdb && handle ) {
+	    nsslowcert_LockDB(handle);
+	}
+
+        nsslowcert_LockCertRefCount(cert);
+	PORT_Assert(cert->referenceCount > 0);
+	refCount = --cert->referenceCount;
+        nsslowcert_UnlockCertRefCount(cert);
+
+	if ( ( refCount == 0 ) ) {
+	    certDBEntryCert *entry  = cert->dbEntry;
+	    PRArenaPool *    arena  = cert->arena;
+
+	    if ( entry ) {
+		DestroyDBEntry((certDBEntry *)entry);
+            }
+
+	    /* zero cert before freeing. Any stale references to this cert
+	     * after this point will probably cause an exception.  */
+	    PORT_Memset(cert, 0, sizeof *cert);
+
+	    cert = NULL;
+	    
+	    /* free the arena that contains the cert. */
+	    PORT_FreeArena(arena, PR_FALSE);
+        }
+	if ( lockdb && handle ) {
+	    nsslowcert_UnlockDB(handle);
+	}
+    }
+
+    return;
+}
+
+void
+nsslowcert_DestroyCertificate(NSSLOWCERTCertificate *cert)
+{
+    DestroyCertificate(cert, PR_TRUE);
+    return;
+}
+
+static void
+nsslowcert_DestroyCertificateNoLocking(NSSLOWCERTCertificate *cert)
+{
+    DestroyCertificate(cert, PR_FALSE);
+    return;
+}
+
+/*
+ * Lookup a CRL in the databases. We mirror the same fast caching data base
+ *  caching stuff used by certificates....?
+ */
+SECItem *
+nsslowcert_FindCrlByKey(NSSLOWCERTCertDBHandle *handle, SECItem *crlKey, 
+		char **url, PRBool isKRL)
+{
+    SECItem keyitem;
+    DBT key;
+    SECStatus rv;
+    SECItem *crl = NULL;
+    PRArenaPool *arena = NULL;
+    certDBEntryRevocation *entry = NULL;
+    certDBEntryType crlType = isKRL ? certDBEntryTypeKeyRevocation  
+					: certDBEntryTypeRevocation;
+    
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	goto loser;
+    }
+    
+    rv = EncodeDBGenericKey(crlKey, arena, &keyitem, crlType);
+    if ( rv != SECSuccess ) {
+	goto loser;
+    }
+    
+    key.data = keyitem.data;
+    key.size = keyitem.len;
+
+    /* find in perm database */
+    entry = ReadDBCrlEntry(handle, crlKey, crlType);
+	
+    if ( entry == NULL ) {
+	goto loser;
+    }
+
+    if (url && entry->url) {
+	*url = PORT_Strdup(entry->url);
+    }
+    crl = SECITEM_DupItem(&entry->derCrl);
+
+loser:
+    if ( arena ) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    if (entry) {
+	DestroyDBEntry((certDBEntry *)entry);
+    }
+    
+    return(crl);
+}
+
+/*
+ * replace the existing URL in the data base with a new one
+ */
+SECStatus
+nsslowcert_AddCrl(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl, 
+			SECItem *crlKey, char *url, PRBool isKRL)
+{
+    SECStatus rv = SECFailure;
+    certDBEntryRevocation *entry = NULL;
+    certDBEntryType crlType = isKRL ? certDBEntryTypeKeyRevocation  
+					: certDBEntryTypeRevocation;
+    DeleteDBCrlEntry(handle, crlKey, crlType);
+
+    /* Write the new entry into the data base */
+    entry = NewDBCrlEntry(derCrl, url, crlType, 0);
+    if (entry == NULL) goto done;
+
+    rv = WriteDBCrlEntry(handle, entry, crlKey);
+    if (rv != SECSuccess) goto done;
+
+done:
+    if (entry) {
+	DestroyDBEntry((certDBEntry *)entry);
+    }
+    return rv;
+}
+
+SECStatus
+nsslowcert_DeletePermCRL(NSSLOWCERTCertDBHandle *handle, SECItem *derName,
+								 PRBool isKRL)
+{
+    SECStatus rv;
+    certDBEntryType crlType = isKRL ? certDBEntryTypeKeyRevocation  
+					: certDBEntryTypeRevocation;
+    
+    rv = DeleteDBCrlEntry(handle, derName, crlType);
+    if (rv != SECSuccess) goto done;
+  
+done:
+    return rv;
+}
+
+
+PRBool
+nsslowcert_hasTrust(NSSLOWCERTCertificate *cert)
+{
+    NSSLOWCERTCertTrust *trust;
+
+    if (cert->trust == NULL) {
+	return PR_FALSE;
+    }
+    trust = cert->trust;
+    return !((trust->sslFlags & CERTDB_TRUSTED_UNKNOWN) && 
+		(trust->emailFlags & CERTDB_TRUSTED_UNKNOWN) && 
+			(trust->objectSigningFlags & CERTDB_TRUSTED_UNKNOWN));
+}
+
+/*
+ * This function has the logic that decides if another person's cert and
+ * email profile from an S/MIME message should be saved.  It can deal with
+ * the case when there is no profile.
+ */
+SECStatus
+nsslowcert_SaveSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle, char *emailAddr, 
+	SECItem *derSubject, SECItem *emailProfile, SECItem *profileTime)
+{
+    certDBEntrySMime *entry = NULL;
+    SECStatus rv = SECFailure;;
+
+    /* find our existing entry */
+    entry = nsslowcert_ReadDBSMimeEntry(dbhandle, emailAddr);
+
+    if ( entry ) {
+	/* keep our old db entry consistant for old applications. */
+	if (!SECITEM_ItemsAreEqual(derSubject, &entry->subjectName)) {
+	    UpdateSubjectWithEmailAddr(dbhandle, &entry->subjectName, NULL);
+	} 
+	DestroyDBEntry((certDBEntry *)entry);
+	entry = NULL;
+    }
+
+    /* now save the entry */
+    entry = NewDBSMimeEntry(emailAddr, derSubject, emailProfile,
+				profileTime, 0);
+    if ( entry == NULL ) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    nsslowcert_LockDB(dbhandle);
+
+    rv = DeleteDBSMimeEntry(dbhandle, emailAddr);
+    /* if delete fails, try to write new entry anyway... */
+
+    /* link subject entry back here */
+    rv = UpdateSubjectWithEmailAddr(dbhandle, derSubject, emailAddr);
+    if ( rv != SECSuccess ) {
+	    nsslowcert_UnlockDB(dbhandle);
+	    goto loser;
+    }
+	
+    rv = WriteDBSMimeEntry(dbhandle, entry);
+    if ( rv != SECSuccess ) {
+	    nsslowcert_UnlockDB(dbhandle);
+	    goto loser;
+    }
+
+    nsslowcert_UnlockDB(dbhandle);
+
+    rv = SECSuccess;
+    
+loser:
+    if ( entry ) {
+	DestroyDBEntry((certDBEntry *)entry);
+    }
+    return(rv);
+}
+
+void
+nsslowcert_DestroyGlobalLocks()
+{
+    if (dbLock) {
+	PZ_DestroyLock(dbLock);
+	dbLock = NULL;
+    }
+    if (certRefCountLock) {
+	PZ_DestroyLock(certRefCountLock);
+	certRefCountLock = NULL;
+    }
+    if (certTrustLock) {
+	PZ_DestroyLock(certTrustLock);
+	certTrustLock = NULL;
+    }
+}
diff --git a/security/nss/lib/softoken/pcertt.h b/security/nss/lib/softoken/pcertt.h
new file mode 100644
index 000000000..0170de389
--- /dev/null
+++ b/security/nss/lib/softoken/pcertt.h
@@ -0,0 +1,432 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * certt.h - public data structures for the certificate library
+ *
+ * $Id$
+ */
+#ifndef _PCERTT_H_
+#define _PCERTT_H_
+
+#include "prclist.h"
+#include "pkcs11t.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "plarena.h"
+#include "prcvar.h"
+#include "nssilock.h"
+#include "prio.h"
+#include "prmon.h"
+
+
+/* Non-opaque objects */
+typedef struct NSSLOWCERTCertDBHandleStr               NSSLOWCERTCertDBHandle;
+typedef struct NSSLOWCERTCertKeyStr                    NSSLOWCERTCertKey;
+
+typedef struct NSSLOWCERTCertTrustStr                  NSSLOWCERTCertTrust;
+typedef struct NSSLOWCERTCertificateStr                NSSLOWCERTCertificate;
+typedef struct NSSLOWCERTCertificateListStr            NSSLOWCERTCertificateList;
+typedef struct NSSLOWCERTIssuerAndSNStr                NSSLOWCERTIssuerAndSN;
+typedef struct NSSLOWCERTSignedDataStr                 NSSLOWCERTSignedData;
+typedef struct NSSLOWCERTSubjectPublicKeyInfoStr       NSSLOWCERTSubjectPublicKeyInfo;
+typedef struct NSSLOWCERTValidityStr                   NSSLOWCERTValidity;
+
+/*
+** An X.509 validity object
+*/
+struct NSSLOWCERTValidityStr {
+    PRArenaPool *arena;
+    SECItem notBefore;
+    SECItem notAfter;
+};
+
+/*
+ * A serial number and issuer name, which is used as a database key
+ */
+struct NSSLOWCERTCertKeyStr {
+    SECItem serialNumber;
+    SECItem derIssuer;
+};
+
+/*
+** A signed data object. Used to implement the "signed" macro used
+** in the X.500 specs.
+*/
+struct NSSLOWCERTSignedDataStr {
+    SECItem data;
+    SECAlgorithmID signatureAlgorithm;
+    SECItem signature;
+};
+
+/*
+** An X.509 subject-public-key-info object
+*/
+struct NSSLOWCERTSubjectPublicKeyInfoStr {
+    PRArenaPool *arena;
+    SECAlgorithmID algorithm;
+    SECItem subjectPublicKey;
+};
+
+typedef struct _certDBEntryCert certDBEntryCert;
+typedef struct _certDBEntryRevocation certDBEntryRevocation;
+
+struct NSSLOWCERTCertTrustStr {
+    unsigned int sslFlags;
+    unsigned int emailFlags;
+    unsigned int objectSigningFlags;
+};
+
+/*
+** An X.509 certificate object (the unsigned form)
+*/
+struct NSSLOWCERTCertificateStr {
+    /* the arena is used to allocate any data structures that have the same
+     * lifetime as the cert.  This is all stuff that hangs off of the cert
+     * structure, and is all freed at the same time.  I is used when the
+     * cert is decoded, destroyed, and at some times when it changes
+     * state
+     */
+    PRArenaPool *arena;
+    NSSLOWCERTCertDBHandle *dbhandle;
+
+    SECItem derCert;			/* original DER for the cert */
+    SECItem derIssuer;			/* DER for issuer name */
+    SECItem serialNumber;
+    SECItem derSubject;			/* DER for subject name */
+    NSSLOWCERTSubjectPublicKeyInfo subjectPublicKeyInfo;
+    SECItem certKey;			/* database key for this cert */
+    NSSLOWCERTValidity validity;
+    certDBEntryCert *dbEntry;		/* database entry struct */
+    SECItem subjectKeyID;	/* x509v3 subject key identifier */
+    char *nickname;
+    char *emailAddr;
+    NSSLOWCERTCertTrust *trust;
+
+    /* the reference count is modified whenever someone looks up, dups
+     * or destroys a certificate
+     */
+    int referenceCount;
+};
+#define SEC_CERTIFICATE_VERSION_1		0	/* default created */
+#define SEC_CERTIFICATE_VERSION_2		1	/* v2 */
+#define SEC_CERTIFICATE_VERSION_3		2	/* v3 extensions */
+
+#define SEC_CRL_VERSION_1		0	/* default */
+#define SEC_CRL_VERSION_2		1	/* v2 extensions */
+
+struct NSSLOWCERTIssuerAndSNStr {
+    SECItem derIssuer;
+    SECItem serialNumber;
+};
+
+typedef SECStatus (* NSSLOWCERTCertCallback)(NSSLOWCERTCertificate *cert, void *arg);
+
+/* This is the typedef for the callback passed to nsslowcert_OpenCertDB() */
+/* callback to return database name based on version number */
+typedef char * (*NSSLOWCERTDBNameFunc)(void *arg, int dbVersion);
+
+/* XXX Lisa thinks the template declarations belong in cert.h, not here? */
+
+#include "secasn1t.h"	/* way down here because I expect template stuff to
+			 * move out of here anyway */
+
+SEC_BEGIN_PROTOS
+
+extern const SEC_ASN1Template nsslowcert_CertificateTemplate[];
+extern const SEC_ASN1Template nsslowcert_SignedDataTemplate[];
+extern const SEC_ASN1Template NSSLOWKEY_PublicKeyTemplate[];
+extern const SEC_ASN1Template nsslowcert_SubjectPublicKeyInfoTemplate[];
+extern const SEC_ASN1Template nsslowcert_ValidityTemplate[];
+
+SEC_END_PROTOS
+
+/*
+ * Certificate Database related definitions and data structures
+ */
+
+/* version number of certificate database */
+#define CERT_DB_FILE_VERSION		7
+#ifdef USE_NS_ROOTS
+#define CERT_DB_CONTENT_VERSION		28
+#else
+#define CERT_DB_CONTENT_VERSION		2
+#endif
+
+#define SEC_DB_ENTRY_HEADER_LEN		3
+#define SEC_DB_KEY_HEADER_LEN		1
+
+/* All database entries have this form:
+ * 	
+ *	byte offset	field
+ *	-----------	-----
+ *	0		version
+ *	1		type
+ *	2		flags
+ */
+
+/* database entry types */
+typedef enum {
+    certDBEntryTypeVersion = 0,
+    certDBEntryTypeCert = 1,
+    certDBEntryTypeNickname = 2,
+    certDBEntryTypeSubject = 3,
+    certDBEntryTypeRevocation = 4,
+    certDBEntryTypeKeyRevocation = 5,
+    certDBEntryTypeSMimeProfile = 6,
+    certDBEntryTypeContentVersion = 7
+} certDBEntryType;
+
+typedef struct {
+    certDBEntryType type;
+    unsigned int version;
+    unsigned int flags;
+    PRArenaPool *arena;
+} certDBEntryCommon;
+
+/*
+ * Certificate entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		sslFlags-msb
+ *	1		sslFlags-lsb
+ *	2		emailFlags-msb
+ *	3		emailFlags-lsb
+ *	4		objectSigningFlags-msb
+ *	5		objectSigningFlags-lsb
+ *	6		derCert-len-msb
+ *	7		derCert-len-lsb
+ *	8		nickname-len-msb
+ *	9		nickname-len-lsb
+ *	...		derCert
+ *	...		nickname
+ *
+ * NOTE: the nickname string as stored in the database is null terminated,
+ *		in other words, the last byte of the db entry is always 0
+ *		if a nickname is present.
+ * NOTE: if nickname is not present, then nickname-len-msb and
+ *		nickname-len-lsb will both be zero.
+ */
+struct _certDBEntryCert {
+    certDBEntryCommon common;
+    NSSLOWCERTCertTrust trust;
+    SECItem derCert;
+    char *nickname;
+};
+
+/*
+ * Certificate Nickname entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		subjectname-len-msb
+ *	1	        subjectname-len-lsb
+ *	2...		subjectname
+ *
+ * The database key for this type of entry is a nickname string
+ * The "subjectname" value is the DER encoded DN of the identity
+ *   that matches this nickname.
+ */
+typedef struct {
+    certDBEntryCommon common;
+    char *nickname;
+    SECItem subjectName;
+} certDBEntryNickname;
+
+#define DB_NICKNAME_ENTRY_HEADER_LEN 2
+
+/*
+ * Certificate Subject entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		ncerts-msb
+ *	1		ncerts-lsb
+ *	2		nickname-msb
+ *	3		nickname-lsb
+ *	4		emailAddr-msb
+ *	5		emailAddr-lsb
+ *	...		nickname
+ *	...		emailAddr
+ *	...+2*i		certkey-len-msb
+ *	...+1+2*i       certkey-len-lsb
+ *	...+2*ncerts+2*i keyid-len-msb
+ *	...+1+2*ncerts+2*i keyid-len-lsb
+ *	...		certkeys
+ *	...		keyids
+ *
+ * The database key for this type of entry is the DER encoded subject name
+ * The "certkey" value is an array of  certificate database lookup keys that
+ *   points to the database entries for the certificates that matche
+ *   this subject.
+ *
+ */
+typedef struct _certDBEntrySubject {
+    certDBEntryCommon common;
+    SECItem derSubject;
+    unsigned int ncerts;
+    char *nickname;
+    char *emailAddr;
+    SECItem *certKeys;
+    SECItem *keyIDs;
+} certDBEntrySubject;
+
+#define DB_SUBJECT_ENTRY_HEADER_LEN 6
+
+/*
+ * Certificate SMIME profile entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		subjectname-len-msb
+ *	1	        subjectname-len-lsb
+ *	2		smimeoptions-len-msb
+ *	3		smimeoptions-len-lsb
+ *	4		options-date-len-msb
+ *	5		options-date-len-lsb
+ *	6...		subjectname
+ *	...		smimeoptions
+ *	...		options-date
+ *
+ * The database key for this type of entry is the email address string
+ * The "subjectname" value is the DER encoded DN of the identity
+ *   that matches this nickname.
+ * The "smimeoptions" value is a string that represents the algorithm
+ *   capabilities on the remote user.
+ * The "options-date" is the date that the smime options value was created.
+ *   This is generally the signing time of the signed message that contained
+ *   the options.  It is a UTCTime value.
+ */
+typedef struct {
+    certDBEntryCommon common;
+    char *emailAddr;
+    SECItem subjectName;
+    SECItem smimeOptions;
+    SECItem optionsDate;
+} certDBEntrySMime;
+
+#define DB_SMIME_ENTRY_HEADER_LEN 6
+
+/*
+ * Crl/krl entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		derCert-len-msb
+ *	1		derCert-len-lsb
+ *	2		url-len-msb
+ *	3		url-len-lsb
+ *	...		derCert
+ *	...		url
+ *
+ * NOTE: the url string as stored in the database is null terminated,
+ *		in other words, the last byte of the db entry is always 0
+ *		if a nickname is present. 
+ * NOTE: if url is not present, then url-len-msb and
+ *		url-len-lsb will both be zero.
+ */
+#define DB_CRL_ENTRY_HEADER_LEN	4
+struct _certDBEntryRevocation {
+    certDBEntryCommon common;
+    SECItem	derCrl;
+    char	*url;	/* where to load the crl from */
+};
+
+/*
+ * Database Version Entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	only the low level header...
+ *
+ * The database key for this type of entry is the string "Version"
+ */
+typedef struct {
+    certDBEntryCommon common;
+} certDBEntryVersion;
+
+#define SEC_DB_VERSION_KEY "Version"
+#define SEC_DB_VERSION_KEY_LEN sizeof(SEC_DB_VERSION_KEY)
+
+/*
+ * Database Content Version Entry:
+ *
+ *	byte offset	field
+ *	-----------	-----
+ *	0		contentVersion
+ *
+ * The database key for this type of entry is the string "ContentVersion"
+ */
+typedef struct {
+    certDBEntryCommon common;
+    char contentVersion;
+} certDBEntryContentVersion;
+
+#define SEC_DB_CONTENT_VERSION_KEY "ContentVersion"
+#define SEC_DB_CONTENT_VERSION_KEY_LEN sizeof(SEC_DB_CONTENT_VERSION_KEY)
+
+typedef union {
+    certDBEntryCommon common;
+    certDBEntryVersion version;
+    certDBEntryCert cert;
+    certDBEntryNickname nickname;
+    certDBEntrySubject subject;
+    certDBEntryRevocation revocation;
+} certDBEntry;
+
+/* length of the fixed part of a database entry */
+#define DBCERT_V4_HEADER_LEN	7
+#define DB_CERT_V5_ENTRY_HEADER_LEN	7
+#define DB_CERT_V6_ENTRY_HEADER_LEN	7
+#define DB_CERT_ENTRY_HEADER_LEN	10
+
+/* common flags for all types of certificates */
+#define CERTDB_VALID_PEER	(1<<0)
+#define CERTDB_TRUSTED		(1<<1)
+#define CERTDB_SEND_WARN	(1<<2)
+#define CERTDB_VALID_CA		(1<<3)
+#define CERTDB_TRUSTED_CA	(1<<4) /* trusted for issuing server certs */
+#define CERTDB_NS_TRUSTED_CA	(1<<5)
+#define CERTDB_USER		(1<<6)
+#define CERTDB_TRUSTED_CLIENT_CA (1<<7) /* trusted for issuing client certs */
+#define CERTDB_INVISIBLE_CA	(1<<8) /* don't show in UI */
+#define CERTDB_GOVT_APPROVED_CA	(1<<9) /* can do strong crypto in export ver */
+#define CERTDB_NOT_TRUSTED	(1<<10) /* explicitly don't trust this cert */
+#define CERTDB_TRUSTED_UNKNOWN	(1<<11) /* accept trust from another source */
+
+/* bits not affected by the CKO_NETSCAPE_TRUST object */
+#define CERTDB_PRESERVE_TRUST_BITS (CERTDB_USER | CERTDB_VALID_PEER | \
+        CERTDB_NS_TRUSTED_CA | CERTDB_VALID_CA | CERTDB_INVISIBLE_CA | \
+                                        CERTDB_GOVT_APPROVED_CA)
+
+#endif /* _PCERTT_H_ */
diff --git a/security/nss/lib/softoken/pk11db.c b/security/nss/lib/softoken/pk11db.c
new file mode 100644
index 000000000..fcc906d06
--- /dev/null
+++ b/security/nss/lib/softoken/pk11db.c
@@ -0,0 +1,814 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/* 
+ *  The following code handles the storage of PKCS 11 modules used by the
+ * NSS. This file is written to abstract away how the modules are
+ * stored so we can deside that later.
+ */
+
+#include "pk11pars.h"
+#include "pkcs11i.h"
+#include "mcom_db.h"
+
+#define FREE_CLEAR(p) if (p) { PORT_Free(p); p = NULL; }
+
+static void
+secmod_parseTokenFlags(char *tmp, pk11_token_parameters *parsed) { 
+    parsed->readOnly = pk11_argHasFlag("flags","readOnly",tmp);
+    parsed->noCertDB = pk11_argHasFlag("flags","noCertDB",tmp);
+    parsed->noKeyDB = pk11_argHasFlag("flags","noKeyDB",tmp);
+    parsed->forceOpen = pk11_argHasFlag("flags","forceOpen",tmp);
+    parsed->pwRequired = pk11_argHasFlag("flags","passwordRequired",tmp);
+    return;
+}
+
+static void
+secmod_parseFlags(char *tmp, pk11_parameters *parsed) { 
+    parsed->noModDB = pk11_argHasFlag("flags","noModDB",tmp);
+    parsed->readOnly = pk11_argHasFlag("flags","readOnly",tmp);
+    /* keep legacy interface working */
+    parsed->noCertDB = pk11_argHasFlag("flags","noCertDB",tmp);
+    parsed->forceOpen = pk11_argHasFlag("flags","forceOpen",tmp);
+    parsed->pwRequired = pk11_argHasFlag("flags","passwordRequired",tmp);
+    return;
+}
+
+CK_RV
+secmod_parseTokenParameters(char *param, pk11_token_parameters *parsed) 
+{
+    int next;
+    char *tmp;
+    char *index;
+    index = pk11_argStrip(param);
+
+    while (*index) {
+	PK11_HANDLE_STRING_ARG(index,parsed->configdir,"configDir=",;)
+	PK11_HANDLE_STRING_ARG(index,parsed->certPrefix,"certPrefix=",;)
+	PK11_HANDLE_STRING_ARG(index,parsed->keyPrefix,"keyPrefix=",;)
+	PK11_HANDLE_STRING_ARG(index,parsed->tokdes,"tokenDescription=",;)
+	PK11_HANDLE_STRING_ARG(index,parsed->slotdes,"slotDescription=",;)
+	PK11_HANDLE_STRING_ARG(index,tmp,"minPWLen=", 
+			if(tmp) { parsed->minPW=atoi(tmp); PORT_Free(tmp); })
+	PK11_HANDLE_STRING_ARG(index,tmp,"flags=", 
+	   if(tmp) { secmod_parseTokenFlags(param,parsed); PORT_Free(tmp); })
+	PK11_HANDLE_FINAL_ARG(index)
+   }
+   return CKR_OK;
+}
+
+static void
+secmod_parseTokens(char *tokenParams, pk11_parameters *parsed)
+{
+    char *tokenIndex;
+    pk11_token_parameters *tokens = NULL;
+    int i=0,count = 0,next;
+
+    if ((tokenParams == NULL) || (*tokenParams == 0))  return;
+
+    /* first count the number of slots */
+    for (tokenIndex = pk11_argStrip(tokenParams); *tokenIndex;
+		tokenIndex = pk11_argStrip(pk11_argSkipParameter(tokenIndex))) {
+	count++;
+    }
+
+    /* get the data structures */
+    tokens = (pk11_token_parameters *) 
+			PORT_ZAlloc(count*sizeof(pk11_token_parameters));
+    if (tokens == NULL) return;
+
+    for (tokenIndex = pk11_argStrip(tokenParams), i = 0;
+					*tokenIndex && i < count ; i++ ) {
+	char *name;
+	name = pk11_argGetName(tokenIndex,&next);
+	tokenIndex += next;
+
+	tokens[i].slotID = pk11_argDecodeNumber(name);
+        tokens[i].readOnly = PR_TRUE;
+	tokens[i].noCertDB = PR_TRUE;
+	tokens[i].noKeyDB = PR_TRUE;
+	if (!pk11_argIsBlank(*tokenIndex)) {
+	    char *args = pk11_argFetchValue(tokenIndex,&next);
+	    tokenIndex += next;
+	    if (args) {
+		secmod_parseTokenParameters(args,&tokens[i]);
+		PORT_Free(args);
+	    }
+	}
+	if (name) PORT_Free(name);
+	tokenIndex = pk11_argStrip(tokenIndex);
+    }
+    parsed->token_count = i;
+    parsed->tokens = tokens;
+    return; 
+}
+
+CK_RV
+secmod_parseParameters(char *param, pk11_parameters *parsed, PRBool isFIPS) 
+{
+    int next;
+    char *tmp;
+    char *index;
+    char *certPrefix = NULL, *keyPrefix = NULL;
+    char *tokdes = NULL, *ptokdes = NULL;
+    char *slotdes = NULL, *pslotdes = NULL;
+    char *fslotdes = NULL, *fpslotdes = NULL;
+    char *minPW = NULL;
+    index = pk11_argStrip(param);
+
+    PORT_Memset(parsed, 0, sizeof(pk11_parameters));
+
+    while (*index) {
+	PK11_HANDLE_STRING_ARG(index,parsed->configdir,"configDir=",;)
+	PK11_HANDLE_STRING_ARG(index,parsed->secmodName,"secmod=",;)
+	PK11_HANDLE_STRING_ARG(index,parsed->man,"manufacturerID=",;)
+	PK11_HANDLE_STRING_ARG(index,parsed->libdes,"libraryDescription=",;)
+	/* constructed values, used so legacy interfaces still work */
+	PK11_HANDLE_STRING_ARG(index,certPrefix,"certPrefix=",;)
+        PK11_HANDLE_STRING_ARG(index,keyPrefix,"keyPrefix=",;)
+        PK11_HANDLE_STRING_ARG(index,tokdes,"cryptoTokenDescription=",;)
+        PK11_HANDLE_STRING_ARG(index,ptokdes,"dbTokenDescription=",;)
+        PK11_HANDLE_STRING_ARG(index,slotdes,"cryptoSlotDescription=",;)
+        PK11_HANDLE_STRING_ARG(index,pslotdes,"dbSlotDescription=",;)
+        PK11_HANDLE_STRING_ARG(index,fslotdes,"FIPSSlotDescription=",;)
+        PK11_HANDLE_STRING_ARG(index,minPW,"FIPSTokenDescription=",;)
+	PK11_HANDLE_STRING_ARG(index,tmp,"minPWLen=",;)
+
+	PK11_HANDLE_STRING_ARG(index,tmp,"flags=", 
+		if(tmp) { secmod_parseFlags(param,parsed); PORT_Free(tmp); })
+	PK11_HANDLE_STRING_ARG(index,tmp,"tokens=", 
+		if(tmp) { secmod_parseTokens(tmp,parsed); PORT_Free(tmp); })
+	PK11_HANDLE_FINAL_ARG(index)
+    }
+    if (parsed->tokens == NULL) {
+	int  count = isFIPS ? 1 : 2;
+	int  index = count-1;
+	pk11_token_parameters *tokens = NULL;
+
+	tokens = (pk11_token_parameters *) 
+			PORT_ZAlloc(count*sizeof(pk11_token_parameters));
+	if (tokens == NULL) {
+	    goto loser;
+	}
+	parsed->tokens = tokens;
+    	parsed->token_count = count;
+	tokens[index].slotID = isFIPS ? FIPS_SLOT_ID : PRIVATE_KEY_SLOT_ID;
+	tokens[index].certPrefix = certPrefix;
+	tokens[index].keyPrefix = keyPrefix;
+	tokens[index].minPW = minPW ? atoi(minPW) : 0;
+	tokens[index].readOnly = parsed->readOnly;
+	tokens[index].noCertDB = parsed->noCertDB;
+	tokens[index].noKeyDB = parsed->noCertDB;
+	tokens[index].forceOpen = parsed->forceOpen;
+	tokens[index].pwRequired = parsed->pwRequired;
+	certPrefix = NULL;
+	keyPrefix = NULL;
+	if (isFIPS) {
+	    tokens[index].tokdes = fslotdes;
+	    tokens[index].slotdes = fpslotdes;
+	    fslotdes = NULL;
+	    fpslotdes = NULL;
+	} else {
+	    tokens[index].tokdes = ptokdes;
+	    tokens[index].slotdes = pslotdes;
+	    tokens[0].slotID = NETSCAPE_SLOT_ID;
+	    tokens[0].tokdes = tokdes;
+	    tokens[0].slotdes = slotdes;
+	    tokens[0].noCertDB = PR_TRUE;
+	    tokens[0].noKeyDB = PR_TRUE;
+	    ptokdes = NULL;
+	    pslotdes = NULL;
+	    tokdes = NULL;
+	    slotdes = NULL;
+	}
+    }
+
+loser:
+    FREE_CLEAR(certPrefix);
+    FREE_CLEAR(keyPrefix);
+    FREE_CLEAR(tokdes);
+    FREE_CLEAR(ptokdes);
+    FREE_CLEAR(slotdes);
+    FREE_CLEAR(pslotdes);
+    FREE_CLEAR(fslotdes);
+    FREE_CLEAR(fpslotdes);
+    FREE_CLEAR(minPW);
+    return CKR_OK;
+}
+
+void
+secmod_freeParams(pk11_parameters *params)
+{
+    int i;
+
+    for (i=0; i < params->token_count; i++) {
+	FREE_CLEAR(params->tokens[i].configdir);
+	FREE_CLEAR(params->tokens[i].certPrefix);
+	FREE_CLEAR(params->tokens[i].keyPrefix);
+	FREE_CLEAR(params->tokens[i].tokdes);
+	FREE_CLEAR(params->tokens[i].slotdes);
+    }
+
+    FREE_CLEAR(params->configdir);
+    FREE_CLEAR(params->secmodName);
+    FREE_CLEAR(params->man);
+    FREE_CLEAR(params->libdes); 
+    FREE_CLEAR(params->tokens);
+}
+
+
+char *
+secmod_getSecmodName(char *param, PRBool *rw)
+{
+    int next;
+    char *configdir = NULL;
+    char *secmodName = NULL;
+    char *value = NULL;
+    char *save_params = param;
+    param = pk11_argStrip(param);
+	
+
+    while (*param) {
+	PK11_HANDLE_STRING_ARG(param,configdir,"configDir=",;)
+	PK11_HANDLE_STRING_ARG(param,secmodName,"secmod=",;)
+	PK11_HANDLE_FINAL_ARG(param)
+   }
+
+   *rw = PR_TRUE;
+   if (pk11_argHasFlag("flags","readOnly",save_params) ||
+	pk11_argHasFlag("flags","noModDB",save_params)) *rw = PR_FALSE;
+
+   if (!secmodName || *secmodName == '\0') secmodName = PORT_Strdup(SECMOD_DB);
+
+   if (configdir) {
+	value = PR_smprintf("%s" PATH_SEPARATOR "%s",configdir,secmodName);
+   } else {
+	value = PORT_Strdup(secmodName);
+   }
+   PORT_Free(secmodName);
+   if (configdir) PORT_Free(configdir);
+   return value;
+}
+
+/* Construct a database key for a given module */
+static SECStatus secmod_MakeKey(DBT *key, char * module) {
+    int len = 0;
+    char *commonName;
+
+    commonName = pk11_argGetParamValue("name",module);
+    if (commonName == NULL) {
+	commonName = pk11_argGetParamValue("library",module);
+    }
+    if (commonName == NULL) return SECFailure;
+    len = PORT_Strlen(commonName);
+    key->data = commonName;
+    key->size = len;
+    return SECSuccess;
+}
+
+/* free out constructed database key */
+static void secmod_FreeKey(DBT *key) {
+    if (key->data) {
+	PORT_Free(key->data);
+    }
+    key->data = NULL;
+    key->size = 0;
+}
+
+typedef struct secmodDataStr secmodData;
+typedef struct secmodSlotDataStr secmodSlotData;
+struct secmodDataStr {
+    unsigned char major;
+    unsigned char minor;
+    unsigned char nameStart[2];
+    unsigned char slotOffset[2];
+    unsigned char internal;
+    unsigned char fips;
+    unsigned char ssl[8];
+    unsigned char trustOrder[4];
+    unsigned char cipherOrder[4];
+    unsigned char reserved1;
+    unsigned char isModuleDB;
+    unsigned char isModuleDBOnly;
+    unsigned char isCritical;
+    unsigned char reserved[4];
+    unsigned char names[6];	/* enough space for the length fields */
+};
+
+struct secmodSlotDataStr {
+    unsigned char slotID[4];
+    unsigned char defaultFlags[4];
+    unsigned char timeout[4];
+    unsigned char askpw;
+    unsigned char hasRootCerts;
+    unsigned char reserved[18]; /* this makes it a round 32 bytes */
+};
+
+#define SECMOD_DB_VERSION_MAJOR 0
+#define SECMOD_DB_VERSION_MINOR 6
+#define SECMOD_DB_EXT1_VERSION_MAJOR 0
+#define SECMOD_DB_EXT1_VERSION_MINOR 6
+#define SECMOD_DB_NOUI_VERSION_MAJOR 0
+#define SECMOD_DB_NOUI_VERSION_MINOR 4
+
+#define SECMOD_PUTSHORT(dest,src) \
+	(dest)[1] = (unsigned char) ((src)&0xff); \
+	(dest)[0] = (unsigned char) (((src) >> 8) & 0xff);
+#define SECMOD_PUTLONG(dest,src) \
+	(dest)[3] = (unsigned char) ((src)&0xff); \
+	(dest)[2] = (unsigned char) (((src) >> 8) & 0xff); \
+	(dest)[1] = (unsigned char) (((src) >> 16) & 0xff); \
+	(dest)[0] = (unsigned char) (((src) >> 24) & 0xff);
+#define SECMOD_GETSHORT(src) \
+	((unsigned short) (((src)[0] << 8) | (src)[1]))
+#define SECMOD_GETLONG(src) \
+	((unsigned long) (( (unsigned long) (src)[0] << 24) | \
+			( (unsigned long) (src)[1] << 16)  | \
+			( (unsigned long) (src)[2] << 8) | \
+			(unsigned long) (src)[3]))
+
+/*
+ * build a data base entry from a module 
+ */
+static SECStatus secmod_EncodeData(DBT *data, char * module) {
+    secmodData *encoded = NULL;
+    secmodSlotData *slot;
+    unsigned char *dataPtr;
+    unsigned short len, len2 = 0, len3 = 0;
+    int count = 0;
+    unsigned short offset;
+    int dataLen, i;
+    unsigned long order;
+    unsigned long  ssl[2];
+    char *commonName = NULL , *dllName = NULL, *param = NULL, *nss = NULL;
+    char *slotParams, *ciphers;
+    PK11PreSlotInfo *slotInfo = NULL;
+    SECStatus rv = SECFailure;
+
+    rv = pk11_argParseModuleSpec(module,&dllName,&commonName,&param,&nss);
+    if (rv != SECSuccess) return rv;
+    rv = SECFailure;
+
+    if (commonName == NULL) {
+	/* set error */
+	goto loser;
+    }
+
+    len = PORT_Strlen(commonName);
+    if (dllName) {
+    	len2 = PORT_Strlen(dllName);
+    }
+    if (param) {
+	len3 = PORT_Strlen(param);
+    }
+
+    slotParams = pk11_argGetParamValue("slotParams",nss); 
+    slotInfo = pk11_argParseSlotInfo(NULL,slotParams,&count);
+    if (slotParams) PORT_Free(slotParams);
+
+    if (count && slotInfo == NULL) {
+	/* set error */
+	goto loser;
+    }
+
+    dataLen = sizeof(secmodData) + len + len2 + len3 + sizeof(unsigned short) +
+				 count*sizeof(secmodSlotData);
+
+    data->data = (unsigned char *) PORT_ZAlloc(dataLen);
+    encoded = (secmodData *)data->data;
+    dataPtr = (unsigned char *) data->data;
+    data->size = dataLen;
+
+    if (encoded == NULL) {
+	/* set error */
+	goto loser;
+    }
+
+    encoded->major = SECMOD_DB_VERSION_MAJOR;
+    encoded->minor = SECMOD_DB_VERSION_MINOR;
+    encoded->internal = (unsigned char) 
+			(pk11_argHasFlag("flags","internal",nss) ? 1 : 0);
+    encoded->fips = (unsigned char) 
+			(pk11_argHasFlag("flags","FIPS",nss) ? 1 : 0);
+    encoded->isModuleDB = (unsigned char) 
+			(pk11_argHasFlag("flags","isModuleDB",nss) ? 1 : 0);
+    encoded->isModuleDBOnly = (unsigned char) 
+			(pk11_argHasFlag("flags","isModuleDBOnly",nss) ? 1 : 0);
+    encoded->isCritical = (unsigned char) 
+			(pk11_argHasFlag("flags","critical",nss) ? 1 : 0);
+
+    order = pk11_argReadLong("trustOrder",nss, PK11_DEFAULT_TRUST_ORDER, NULL);
+    SECMOD_PUTLONG(encoded->trustOrder,order);
+    order = pk11_argReadLong("cipherOrder",nss,PK11_DEFAULT_CIPHER_ORDER,NULL);
+    SECMOD_PUTLONG(encoded->cipherOrder,order);
+
+   
+    ciphers = pk11_argGetParamValue("ciphers",nss); 
+    pk11_argSetNewCipherFlags(&ssl[0], ciphers);
+    SECMOD_PUTLONG(encoded->ssl,ssl[0]);
+    SECMOD_PUTLONG(&encoded->ssl[4],ssl[1]);
+
+    offset = (unsigned long) &(((secmodData *)0)->names[0]);
+    SECMOD_PUTSHORT(encoded->nameStart,offset);
+    offset = offset + len + len2 + len3 + 3*sizeof(unsigned short);
+    SECMOD_PUTSHORT(encoded->slotOffset,offset);
+
+
+    SECMOD_PUTSHORT(&dataPtr[offset],((unsigned short)count));
+    slot = (secmodSlotData *)(dataPtr+offset+sizeof(unsigned short));
+
+    offset = 0;
+    SECMOD_PUTSHORT(encoded->names,len);
+    offset += sizeof(unsigned short);
+    PORT_Memcpy(&encoded->names[offset],commonName,len);
+    offset += len;
+
+
+    SECMOD_PUTSHORT(&encoded->names[offset],len2);
+    offset += sizeof(unsigned short);
+    if (len2) PORT_Memcpy(&encoded->names[offset],dllName,len2);
+    offset += len2;
+
+    SECMOD_PUTSHORT(&encoded->names[offset],len3);
+    offset += sizeof(unsigned short);
+    if (len3) PORT_Memcpy(&encoded->names[offset],param,len3);
+    offset += len3;
+
+    if (count) {
+	for (i=0; i < count; i++) {
+	    SECMOD_PUTLONG(slot[i].slotID, slotInfo[i].slotID);
+	    SECMOD_PUTLONG(slot[i].defaultFlags,
+					slotInfo[i].defaultFlags);
+	    SECMOD_PUTLONG(slot[i].timeout,slotInfo[i].timeout);
+	    slot[i].askpw = slotInfo[i].askpw;
+	    slot[i].hasRootCerts = slotInfo[i].hasRootCerts;
+	    PORT_Memset(slot[i].reserved, 0, sizeof(slot[i].reserved));
+	}
+    }
+    rv = SECSuccess;
+
+loser:
+    if (commonName) PORT_Free(commonName);
+    if (dllName) PORT_Free(dllName);
+    if (param) PORT_Free(param);
+    if (slotInfo) PORT_Free(slotInfo);
+    return rv;
+
+}
+
+static void 
+secmod_FreeData(DBT *data)
+{
+    if (data->data) {
+	PORT_Free(data->data);
+    }
+}
+
+/*
+ * build a module from the data base entry.
+ */
+static char *
+secmod_DecodeData(char *defParams, DBT *data, PRBool *retInternal)
+{
+    secmodData *encoded;
+    secmodSlotData *slots;
+    char *commonName = NULL,*dllName = NULL,*parameters = NULL;
+    unsigned char *names;
+    unsigned short len;
+    unsigned long slotCount;
+    unsigned short offset;
+    PRBool isOldVersion  = PR_FALSE;
+    PRBool internal, isFIPS, isModuleDB=PR_FALSE, isModuleDBOnly=PR_FALSE;
+    PRBool extended=PR_FALSE;
+    PRBool hasRootCerts=PR_FALSE,hasRootTrust=PR_FALSE;
+    unsigned long trustOrder=PK11_DEFAULT_TRUST_ORDER, 
+				cipherOrder=PK11_DEFAULT_CIPHER_ORDER;
+    unsigned long ssl0=0, ssl1=0;
+    char **slotStrings = NULL;
+    unsigned long slotID,defaultFlags,timeout;
+    char *nss,*moduleSpec;
+    int i;
+
+    PLArenaPool *arena;
+
+    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if (arena == NULL) return NULL;
+
+    encoded = (secmodData *)data->data;
+    names = (unsigned char *)data->data;
+    offset = SECMOD_GETSHORT(encoded->slotOffset);
+    slots = (secmodSlotData *) (names + offset + 2);
+    slotCount = SECMOD_GETSHORT(names + offset);
+    names += SECMOD_GETSHORT(encoded->nameStart);
+
+    * retInternal = internal = (encoded->internal != 0) ? PR_TRUE: PR_FALSE;
+    isFIPS = (encoded->fips != 0) ? PR_TRUE: PR_FALSE;
+    len = SECMOD_GETSHORT(names);
+
+    if (internal && (encoded->major == SECMOD_DB_NOUI_VERSION_MAJOR) &&
+ 	(encoded->minor <= SECMOD_DB_NOUI_VERSION_MINOR)) {
+	isOldVersion = PR_TRUE;
+    }
+
+    if ((encoded->major == SECMOD_DB_EXT1_VERSION_MAJOR) &&
+	(encoded->minor >= SECMOD_DB_EXT1_VERSION_MINOR)) {
+	trustOrder = SECMOD_GETLONG(encoded->trustOrder);
+	cipherOrder = SECMOD_GETLONG(encoded->cipherOrder);
+	isModuleDB = (encoded->isModuleDB != 0) ? PR_TRUE: PR_FALSE;
+	isModuleDBOnly = (encoded->isModuleDBOnly != 0) ? PR_TRUE: PR_FALSE;
+	extended = PR_TRUE;
+    } 
+
+    if (internal && !extended) {
+	trustOrder = 0;
+	cipherOrder = 100;
+    }
+
+    /* decode the common name */
+    commonName = (char*)PORT_ArenaAlloc(arena,len+1);
+    if (commonName == NULL) {
+	PORT_FreeArena(arena,PR_TRUE);
+	return NULL;
+    }
+    PORT_Memcpy(commonName,&names[2],len);
+    commonName[len] = 0;
+
+    /* decode the DLL name */
+    names += len+2;
+    len = SECMOD_GETSHORT(names);
+    if (len) {
+	dllName = (char*)PORT_ArenaAlloc(arena,len + 1);
+	if (dllName == NULL) {
+	    PORT_FreeArena(arena,PR_TRUE);
+	    return NULL;
+	}
+	PORT_Memcpy(dllName,&names[2],len);
+	dllName[len] = 0;
+    }
+    if (!internal && extended) {
+	names += len+2;
+	len = SECMOD_GETSHORT(names);
+	if (len) {
+	    parameters = (char*)PORT_ArenaAlloc(arena,len + 1);
+	    if (parameters == NULL) {
+		PORT_FreeArena(arena,PR_TRUE);
+		return NULL;
+	    }
+	    PORT_Memcpy(parameters,&names[2],len);
+	    parameters[len] = 0;
+	}
+    }
+    if (internal) {
+	parameters = PORT_ArenaStrdup(arena,defParams);
+    }
+
+    /* decode SSL cipher enable flags */
+    ssl0 = SECMOD_GETLONG(encoded->ssl);
+    ssl1 = SECMOD_GETLONG(&encoded->ssl[4]);
+
+    /*  slotCount; */
+    slotStrings = (char **)PORT_ArenaAlloc(arena, slotCount * sizeof(char *));
+    for (i=0; i < (int) slotCount; i++) {
+	slotID = SECMOD_GETLONG(slots[i].slotID);
+	defaultFlags = SECMOD_GETLONG(slots[i].defaultFlags);
+	if (isOldVersion && internal && (slotID != 2)) {
+		unsigned long internalFlags=
+			pk11_argSlotFlags("slotFlags",SECMOD_SLOT_FLAGS);
+		defaultFlags |= internalFlags;
+	}
+	timeout = SECMOD_GETLONG(slots[i].timeout);
+	hasRootCerts = slots[i].hasRootCerts;
+	if (hasRootCerts && !extended) {
+	    trustOrder = 100;
+	}
+
+	slotStrings[i] = pk11_mkSlotString(slotID,defaultFlags,
+			timeout,slots[i].askpw,hasRootCerts,hasRootTrust);
+    }
+
+    nss = pk11_mkNSS(slotStrings, slotCount, internal, isFIPS, isModuleDB, 
+	isModuleDBOnly, internal, trustOrder, cipherOrder, ssl0, ssl1);
+    moduleSpec = pk11_mkNewModuleSpec(dllName,commonName,parameters,nss);
+    PR_smprintf_free(nss);
+    PORT_FreeArena(arena,PR_TRUE);
+
+    return (moduleSpec);
+}
+
+
+
+static DB *secmod_OpenDB(char *dbName, PRBool readOnly) {
+    DB *pkcs11db = NULL;
+   
+    /* I'm sure we should do more checks here sometime... */
+    pkcs11db = dbopen(dbName, readOnly ? O_RDONLY : O_RDWR, 0600, DB_HASH, 0);
+
+    /* didn't exist? create it */
+    if (pkcs11db == NULL) {
+	 if (readOnly) return NULL;
+
+	 pkcs11db = dbopen( dbName,
+			     O_RDWR | O_CREAT | O_TRUNC, 0600, DB_HASH, 0 );
+	 if (pkcs11db) (* pkcs11db->sync)(pkcs11db, 0);
+    }
+    return pkcs11db;
+}
+
+static void secmod_CloseDB(DB *pkcs11db) {
+     (*pkcs11db->close)(pkcs11db);
+}
+
+static char *
+secmod_addEscape(const char *string, char quote)
+{
+    char *newString = 0;
+    int escapes = 0, size = 0;
+    const char *src;
+    char *dest;
+
+    for (src=string; *src ; src++) {
+	if ((*src == quote) || (*src == '\\')) escapes++;
+	size++;
+    }
+
+    newString = PORT_ZAlloc(escapes+size+1); 
+    if (newString == NULL) {
+	return NULL;
+    }
+
+    for (src=string, dest=newString; *src; src++,dest++) {
+	if ((*src == '\\') || (*src == quote)) {
+	    *dest++ = '\\';
+	}
+	*dest = *src;
+    }
+
+    return newString;
+}
+
+#define SECMOD_STEP 10
+#define PK11_DEFAULT_INTERNAL_INIT "library= name=\"NSS Internal PKCS #11 Module\" parameters=\"%s\" NSS=\"Flags=internal,critical trustOrder=0 cipherOrder=100 slotParams=(1={%s askpw=any timeout=30})\""
+/*
+ * Read all the existing modules in
+ */
+char **
+secmod_ReadPermDB(char *dbname, char *params, PRBool rw) {
+    DBT key,data;
+    int ret;
+    DB *pkcs11db = NULL;
+    char **moduleList = NULL;
+    int moduleCount = 1;
+    int useCount = SECMOD_STEP;
+
+    moduleList = (char **) PORT_ZAlloc(useCount*sizeof(char **));
+    if (moduleList == NULL) return NULL;
+
+    pkcs11db = secmod_OpenDB(dbname,PR_TRUE);
+    if (pkcs11db == NULL) goto done;
+
+    /* read and parse the file or data base */
+    ret = (*pkcs11db->seq)(pkcs11db, &key, &data, R_FIRST);
+    if (ret)  goto done;
+
+
+    do {
+	char *moduleString;
+	PRBool internal = PR_FALSE;
+	if ((moduleCount+1) >= useCount) {
+	    useCount += SECMOD_STEP;
+	    moduleList = 
+		(char **)PORT_Realloc(moduleList,useCount*sizeof(char *));
+	    if (moduleList == NULL) goto done;
+	    PORT_Memset(&moduleList[moduleCount+1],0,
+						sizeof(char *)*SECMOD_STEP);
+	}
+	moduleString = secmod_DecodeData(params,&data,&internal);
+	if (internal) {
+	    moduleList[0] = moduleString;
+	} else {
+	    moduleList[moduleCount] = moduleString;
+	    moduleCount++;
+	}
+    } while ( (*pkcs11db->seq)(pkcs11db, &key, &data, R_NEXT) == 0);
+
+done:
+    if (!moduleList[0]) {
+	char * newparams = secmod_addEscape(params,'"');
+	if (newparams) {
+	    moduleList[0] = PR_smprintf(PK11_DEFAULT_INTERNAL_INIT,newparams,
+						SECMOD_SLOT_FLAGS);
+	    PORT_Free(newparams);
+	}
+    }
+    /* deal with trust cert db here */
+
+    if (pkcs11db) {
+	secmod_CloseDB(pkcs11db);
+    } else {
+	secmod_AddPermDB(dbname,moduleList[0], rw) ;
+    }
+    return moduleList;
+}
+
+/*
+ * Delete a module from the Data Base
+ */
+SECStatus
+secmod_DeletePermDB(char *dbname, char *args, PRBool rw) {
+    DBT key;
+    SECStatus rv = SECFailure;
+    DB *pkcs11db = NULL;
+    int ret;
+
+    if (!rw) return SECFailure;
+
+    /* make sure we have a db handle */
+    pkcs11db = secmod_OpenDB(dbname,PR_FALSE);
+    if (pkcs11db == NULL) {
+	return SECFailure;
+    }
+
+    rv = secmod_MakeKey(&key,args);
+    if (rv != SECSuccess) goto done;
+    rv = SECFailure;
+    ret = (*pkcs11db->del)(pkcs11db, &key, 0);
+    secmod_FreeKey(&key);
+    if (ret != 0) goto done;
+
+
+    ret = (*pkcs11db->sync)(pkcs11db, 0);
+    if (ret == 0) rv = SECSuccess;
+
+done:
+    secmod_CloseDB(pkcs11db);
+    return rv;
+}
+
+/*
+ * Add a module to the Data base 
+ */
+SECStatus
+secmod_AddPermDB(char *dbname, char *module, PRBool rw) {
+    DBT key,data;
+    SECStatus rv = SECFailure;
+    DB *pkcs11db = NULL;
+    int ret;
+
+
+    if (!rw) return SECFailure;
+
+    /* make sure we have a db handle */
+    pkcs11db = secmod_OpenDB(dbname,PR_FALSE);
+    if (pkcs11db == NULL) {
+	return SECFailure;
+    }
+
+    rv = secmod_MakeKey(&key,module);
+    if (rv != SECSuccess) goto done;
+    rv = secmod_EncodeData(&data,module);
+    if (rv != SECSuccess) {
+	secmod_FreeKey(&key);
+	goto done;
+    }
+    rv = SECFailure;
+    ret = (*pkcs11db->put)(pkcs11db, &key, &data, 0);
+    secmod_FreeKey(&key);
+    secmod_FreeData(&data);
+    if (ret != 0) goto done;
+
+    ret = (*pkcs11db->sync)(pkcs11db, 0);
+    if (ret == 0) rv = SECSuccess;
+
+done:
+    secmod_CloseDB(pkcs11db);
+    return rv;
+}
diff --git a/security/nss/lib/softoken/pk11pars.h b/security/nss/lib/softoken/pk11pars.h
new file mode 100644
index 000000000..389599a9d
--- /dev/null
+++ b/security/nss/lib/softoken/pk11pars.h
@@ -0,0 +1,852 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 2001 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * The following handles the loading, unloading and management of
+ * various PCKS #11 modules
+ */
+
+
+/*
+ * this header file contains routines for parsing PKCS #11 module spec
+ * strings. It contains 'C' code and should only be included in one module.
+ * Currently it is included in both softoken and the wrapper.
+ */
+#include <ctype.h>
+#include "pkcs11.h"
+#include "seccomon.h"
+#include "prprf.h"
+#include "secmodt.h"
+#include "pk11init.h"
+
+#define PK11_ARG_LIBRARY_PARAMETER "library="
+#define PK11_ARG_NAME_PARAMETER "name="
+#define PK11_ARG_MODULE_PARAMETER "parameters="
+#define PK11_ARG_NSS_PARAMETER "NSS="
+#define PK11_ARG_FORTEZZA_FLAG "FORTEZZA"
+#define PK11_ARG_ESCAPE '\\'
+
+struct pk11argSlotFlagTable {
+    char *name;
+    int len;
+    unsigned long value;
+};
+
+#define PK11_DEFAULT_CIPHER_ORDER 0
+#define PK11_DEFAULT_TRUST_ORDER 50
+
+
+#define PK11_ARG_ENTRY(arg,flag) \
+{ #arg , sizeof(#arg)-1, flag }
+static struct pk11argSlotFlagTable pk11_argSlotFlagTable[] = {
+	PK11_ARG_ENTRY(RSA,SECMOD_RSA_FLAG),
+	PK11_ARG_ENTRY(DSA,SECMOD_RSA_FLAG),
+	PK11_ARG_ENTRY(RC2,SECMOD_RC4_FLAG),
+	PK11_ARG_ENTRY(RC4,SECMOD_RC2_FLAG),
+	PK11_ARG_ENTRY(DES,SECMOD_DES_FLAG),
+	PK11_ARG_ENTRY(DH,SECMOD_DH_FLAG),
+	PK11_ARG_ENTRY(FORTEZZA,SECMOD_FORTEZZA_FLAG),
+	PK11_ARG_ENTRY(RC5,SECMOD_RC5_FLAG),
+	PK11_ARG_ENTRY(SHA1,SECMOD_SHA1_FLAG),
+	PK11_ARG_ENTRY(MD5,SECMOD_MD5_FLAG),
+	PK11_ARG_ENTRY(MD2,SECMOD_MD2_FLAG),
+	PK11_ARG_ENTRY(SSL,SECMOD_SSL_FLAG),
+	PK11_ARG_ENTRY(TLS,SECMOD_TLS_FLAG),
+	PK11_ARG_ENTRY(AES,SECMOD_AES_FLAG),
+	PK11_ARG_ENTRY(PublicCerts,SECMOD_FRIENDLY_FLAG),
+	PK11_ARG_ENTRY(RANDOM,SECMOD_RANDOM_FLAG),
+};
+
+#define PK11_HANDLE_STRING_ARG(param,target,value,command) \
+    if (PORT_Strncasecmp(param,value,sizeof(value)-1) == 0) { \
+	param += sizeof(value)-1; \
+	target = pk11_argFetchValue(param,&next); \
+	param += next; \
+	command ;\
+    } else  
+
+#define PK11_HANDLE_FINAL_ARG(param) \
+    { param = pk11_argSkipParameter(param); } param = pk11_argStrip(param);
+	
+
+static int pk11_argSlotFlagTableSize = 
+	sizeof(pk11_argSlotFlagTable)/sizeof(pk11_argSlotFlagTable[0]);
+
+
+static PRBool pk11_argGetPair(char c) {
+    switch (c) {
+    case '\'': return c;
+    case '\"': return c;
+    case '<': return '>';
+    case '{': return '}';
+    case '[': return ']';
+    case '(': return ')';
+    default: break;
+    }
+    return ' ';
+}
+
+static PRBool pk11_argIsBlank(char c) {
+   return isspace(c);
+}
+
+static PRBool pk11_argIsEscape(char c) {
+    return c == '\\';
+}
+
+static PRBool pk11_argIsQuote(char c) {
+    switch (c) {
+    case '\'':
+    case '\"':
+    case '<':
+    case '{': /* } end curly to keep vi bracket matching working */
+    case '(': /* ) */
+    case '[': /* ] */ return PR_TRUE;
+    default: break;
+    }
+    return PR_FALSE;
+}
+
+static PRBool pk11_argHasChar(char *v, char c)
+{
+   for ( ;*v; v++) {
+	if (*v == c) return PR_TRUE;
+   }
+   return PR_FALSE;
+}
+
+static PRBool pk11_argHasBlanks(char *v)
+{
+   for ( ;*v; v++) {
+	if (pk11_argIsBlank(*v)) return PR_TRUE;
+   }
+   return PR_FALSE;
+}
+
+static char *pk11_argStrip(char *c) {
+   while (*c && pk11_argIsBlank(*c)) c++;
+   return c;
+}
+
+static char *
+pk11_argFindEnd(char *string) {
+    char endChar = ' ';
+    PRBool lastEscape = PR_FALSE;
+
+    if (pk11_argIsQuote(*string)) {
+	endChar = pk11_argGetPair(*string);
+	string++;
+    }
+
+    for (;*string; string++) {
+	if (lastEscape) {
+	    lastEscape = PR_FALSE;
+	    continue;
+	}
+	if (pk11_argIsEscape(*string) && !lastEscape) {
+	    lastEscape = PR_TRUE;
+	    continue;
+	} 
+	if ((endChar == ' ') && pk11_argIsBlank(*string)) break;
+	if (*string == endChar) {
+	    break;
+	}
+    }
+
+    return string;
+}
+
+static char *
+pk11_argFetchValue(char *string, int *pcount)
+{
+    char *end = pk11_argFindEnd(string);
+    char *retString, *copyString;
+    PRBool lastEscape = PR_FALSE;
+
+    *pcount = (end - string)+1;
+
+    if (*pcount == 0) return NULL;
+
+    copyString = retString = (char *)PORT_Alloc(*pcount);
+    if (retString == NULL) return NULL;
+
+    if (pk11_argIsQuote(*string)) string++;
+    for (; string < end; string++) {
+	if (pk11_argIsEscape(*string) && !lastEscape) {
+	    lastEscape = PR_TRUE;
+	    continue;
+	}
+	lastEscape = PR_FALSE;
+	*copyString++ = *string;
+    }
+    *copyString = 0;
+    return retString;
+}
+
+static char *
+pk11_argSkipParameter(char *string) 
+{
+     char *end;
+     /* look for the end of the <name>= */
+     for (;*string; string++) {
+	if (*string == '=') { string++; break; }
+	if (pk11_argIsBlank(*string)) return(string); 
+     }
+
+     end = pk11_argFindEnd(string);
+     if (*end) end++;
+     return end;
+}
+
+
+static SECStatus
+pk11_argParseModuleSpec(char *modulespec, char **lib, char **mod, 
+					char **parameters, char **nss)
+{
+    int next;
+    modulespec = pk11_argStrip(modulespec);
+
+    *lib = *mod = *parameters = 0;
+
+    while (*modulespec) {
+	PK11_HANDLE_STRING_ARG(modulespec,*lib,PK11_ARG_LIBRARY_PARAMETER,;)
+	PK11_HANDLE_STRING_ARG(modulespec,*mod,PK11_ARG_NAME_PARAMETER,;)
+	PK11_HANDLE_STRING_ARG(modulespec,*parameters,
+						PK11_ARG_MODULE_PARAMETER,;)
+	PK11_HANDLE_STRING_ARG(modulespec,*nss,PK11_ARG_NSS_PARAMETER,;)
+	PK11_HANDLE_FINAL_ARG(modulespec)
+   }
+   return SECSuccess;
+}
+
+
+static char *
+pk11_argGetParamValue(char *paramName,char *parameters)
+{
+    char searchValue[256];
+    int paramLen = strlen(paramName);
+    char *returnValue = NULL;
+    int next;
+
+    if ((parameters == NULL) || (*parameters == 0)) return NULL;
+
+    PORT_Assert(paramLen+2 < sizeof(searchValue));
+
+    PORT_Strcpy(searchValue,paramName);
+    PORT_Strcat(searchValue,"=");
+    while (*parameters) {
+	if (PORT_Strncasecmp(parameters,searchValue,paramLen+1) == 0) {
+	    parameters += paramLen+1;
+	    returnValue = pk11_argFetchValue(parameters,&next);
+	    break;
+	} else {
+	    parameters = pk11_argSkipParameter(parameters);
+	}
+	parameters = pk11_argStrip(parameters);
+   }
+   return returnValue;
+}
+    
+
+static char *
+pk11_argNextFlag(char *flags)
+{
+    for (; *flags ; flags++) {
+	if (*flags == ',') {
+	    flags++;
+	    break;
+	}
+    }
+    return flags;
+}
+
+static PRBool
+pk11_argHasFlag(char *label, char *flag, char *parameters)
+{
+    char *flags,*index;
+    int len = strlen(flag);
+    PRBool found = PR_FALSE;
+
+    flags = pk11_argGetParamValue(label,parameters);
+    if (flags == NULL) return PR_FALSE;
+
+    for (index=flags; *index; index=pk11_argNextFlag(index)) {
+	if (PORT_Strncasecmp(index,flag,len) == 0) {
+	    found=PR_TRUE;
+	    break;
+	}
+    }
+    PORT_Free(flags);
+    return found;
+}
+
+static void
+pk11_argSetNewCipherFlags(unsigned long *newCiphers,char *cipherList)
+{
+    newCiphers[0] = newCiphers[1] = 0;
+    if ((cipherList == NULL) || (*cipherList == 0)) return;
+
+    for (;*cipherList; cipherList=pk11_argNextFlag(cipherList)) {
+	if (PORT_Strncasecmp(cipherList,PK11_ARG_FORTEZZA_FLAG,
+				sizeof(PK11_ARG_FORTEZZA_FLAG)-1) == 0) {
+	    newCiphers[0] |= SECMOD_FORTEZZA_FLAG;
+	} 
+
+	/* add additional flags here as necessary */
+	/* direct bit mapping escape */
+	if (*cipherList == 0) {
+	   if (cipherList[1] == 'l') {
+		newCiphers[1] |= atoi(&cipherList[2]);
+	   } else {
+		newCiphers[0] |= atoi(&cipherList[2]);
+	   }
+	}
+    }
+}
+
+
+/*
+ * decode a number. handle octal (leading '0'), hex (leading '0x') or decimal
+ */
+static long
+pk11_argDecodeNumber(char *num)
+{
+    int	radix = 10;
+    unsigned long value = 0;
+    long retValue = 0;
+    int sign = 1;
+    int digit;
+
+    if (num == NULL) return retValue;
+
+    num = pk11_argStrip(num);
+
+    if (*num == '-') {
+	sign = -1;
+	num++;
+    }
+
+    if (*num == '0') {
+	radix = 8;
+	num++;
+	if ((*num == 'x') || (*num == 'X')) {
+	    radix = 16;
+	    num++;
+	}
+    }
+
+   
+    for ( ;*num; num++ ) {
+	if (isdigit(*num)) {
+	    digit = *num - '0';
+	} else if ((*num >= 'a') && (*num <= 'f'))  {
+	    digit = *num - 'a' + 10;
+	} else if ((*num >= 'A') && (*num <= 'F'))  {
+	    digit = *num - 'A' + 10;
+	} else {
+	    break;
+	}
+	if (digit >= radix) break;
+	value = value*radix + digit;
+    }
+
+    retValue = ((int) value) * sign;
+    return retValue;
+}
+
+static long
+pk11_argReadLong(char *label,char *params, long defValue, PRBool *isdefault)
+{
+    char *value;
+    long retValue;
+    if (isdefault) *isdefault = PR_FALSE; 
+
+    value = pk11_argGetParamValue(label,params);
+    if (value == NULL) {
+	if (isdefault) *isdefault = PR_TRUE;
+	return defValue;
+    }
+    retValue = pk11_argDecodeNumber(value);
+    if (value) PORT_Free(value);
+
+    return retValue;
+}
+
+
+static unsigned long
+pk11_argSlotFlags(char *label,char *params)
+{
+    char *flags,*index;
+    unsigned long retValue = 0;
+    int i;
+    PRBool all = PR_FALSE;
+
+    flags = pk11_argGetParamValue(label,params);
+    if (flags == NULL) return 0;
+
+    if (PORT_Strcasecmp(flags,"all") == 0) all = PR_TRUE;
+
+    for (index=flags; *index; index=pk11_argNextFlag(index)) {
+	for (i=0; i < pk11_argSlotFlagTableSize; i++) {
+	    if (all || (PORT_Strncasecmp(index, pk11_argSlotFlagTable[i].name,
+				pk11_argSlotFlagTable[i].len) == 0)) {
+		retValue |= pk11_argSlotFlagTable[i].value;
+	    }
+	}
+    }
+    PORT_Free(flags);
+    return retValue;
+}
+
+
+static void
+pk11_argDecodeSingleSlotInfo(char *name,char *params,PK11PreSlotInfo *slotInfo)
+{
+    char *askpw;
+
+    slotInfo->slotID=pk11_argDecodeNumber(name);
+    slotInfo->defaultFlags=pk11_argSlotFlags("slotFlags",params);
+    slotInfo->timeout=pk11_argReadLong("timeout",params, 0, NULL);
+
+    askpw = pk11_argGetParamValue("askpw",params);
+    slotInfo->askpw = 0;
+
+    if (askpw) {
+	if (PORT_Strcasecmp(askpw,"every") == 0) {
+    	    slotInfo->askpw = -1;
+	} else if (PORT_Strcasecmp(askpw,"timeout") == 0) {
+    	    slotInfo->askpw = 1;
+	} 
+	PORT_Free(askpw);
+	slotInfo->defaultFlags |= PK11_OWN_PW_DEFAULTS;
+    }
+    slotInfo->hasRootCerts = pk11_argHasFlag("rootFlags","hasRootCerts",params);
+    slotInfo->hasRootTrust = pk11_argHasFlag("rootFlags","hasRootTrust",params);
+}
+
+static char *
+pk11_argGetName(char *inString, int *next) 
+{
+    char *name=NULL;
+    char *string;
+    int len;
+
+    /* look for the end of the <name>= */
+    for (string = inString;*string; string++) {
+	if (*string == '=') { break; }
+	if (pk11_argIsBlank(*string)) break;
+    }
+
+    len = string - inString;
+
+    *next = len; 
+    if (*string == '=') (*next) += 1;
+    if (len > 0) {
+	name = PORT_Alloc(len+1);
+	PORT_Strncpy(name,inString,len);
+	name[len] = 0;
+    }
+    return name;
+}
+
+static PK11PreSlotInfo *
+pk11_argParseSlotInfo(PRArenaPool *arena, char *slotParams, int *retCount)
+{
+    char *slotIndex;
+    PK11PreSlotInfo *slotInfo = NULL;
+    int i=0,count = 0,next;
+
+    *retCount = 0;
+    if ((slotParams == NULL) || (*slotParams == 0))  return NULL;
+
+    /* first count the number of slots */
+    for (slotIndex = pk11_argStrip(slotParams); *slotIndex; 
+		slotIndex = pk11_argStrip(pk11_argSkipParameter(slotIndex))) {
+	count++;
+    }
+
+    /* get the data structures */
+    if (arena) {
+	slotInfo = (PK11PreSlotInfo *) 
+			PORT_ArenaAlloc(arena,count*sizeof(PK11PreSlotInfo));
+	PORT_Memset(slotInfo,0,count*sizeof(PK11PreSlotInfo));
+    } else {
+	slotInfo = (PK11PreSlotInfo *) 
+			PORT_ZAlloc(count*sizeof(PK11PreSlotInfo));
+    }
+    if (slotInfo == NULL) return NULL;
+
+    for (slotIndex = pk11_argStrip(slotParams), i = 0; 
+					*slotIndex && i < count ; ) {
+	char *name;
+	name = pk11_argGetName(slotIndex,&next);
+	slotIndex += next;
+
+	if (!pk11_argIsBlank(*slotIndex)) {
+	    char *args = pk11_argFetchValue(slotIndex,&next);
+	    slotIndex += next;
+	    if (args) {
+		pk11_argDecodeSingleSlotInfo(name,args,&slotInfo[i]);
+		i++;
+		PORT_Free(args);
+	    }
+	}
+	if (name) PORT_Free(name);
+	slotIndex = pk11_argStrip(slotIndex);
+    }
+    *retCount = i;
+    return slotInfo;
+}
+
+static char *pk11_nullString = "";
+
+static char *
+pk11_formatValue(PRArenaPool *arena, char *value, char quote)
+{
+    char *vp,*vp2,*retval;
+    int size = 0, escapes = 0;
+
+    for (vp=value; *vp ;vp++) {
+	if ((*vp == quote) || (*vp == PK11_ARG_ESCAPE)) escapes++;
+	size++;
+    }
+    if (arena) {
+	retval = PORT_ArenaZAlloc(arena,size+escapes+1);
+    } else {
+	retval = PORT_ZAlloc(size+escapes+1);
+    }
+    if (retval == NULL) return NULL;
+    vp2 = retval;
+    for (vp=value; *vp; vp++) {
+	if ((*vp == quote) || (*vp == PK11_ARG_ESCAPE)) 
+				*vp2++ = PK11_ARG_ESCAPE;
+	*vp2++ = *vp;
+    }
+    return retval;
+}
+    
+static char *pk11_formatPair(char *name,char *value, char quote)
+{
+    char openQuote = quote;
+    char closeQuote = pk11_argGetPair(quote);
+    char *newValue = NULL;
+    char *returnValue;
+    PRBool need_quote = PR_FALSE;
+
+    if (!value || (*value == 0)) return pk11_nullString;
+
+    if (pk11_argHasBlanks(value) || pk11_argIsQuote(value[0]))
+							 need_quote=PR_TRUE;
+
+    if ((need_quote && pk11_argHasChar(value,closeQuote))
+				 || pk11_argHasChar(value,PK11_ARG_ESCAPE)) {
+	value = newValue = pk11_formatValue(NULL, value,quote);
+	if (newValue == NULL) return pk11_nullString;
+    }
+    if (need_quote) {
+    	returnValue = PR_smprintf("%s=%c%s%c",name,openQuote,value,closeQuote);
+    } else {
+    	returnValue = PR_smprintf("%s=%s",name,value);
+    }
+    if (returnValue == NULL) returnValue = pk11_nullString;
+
+    if (newValue) PORT_Free(newValue);
+
+    return returnValue;
+}
+
+static char *pk11_formatIntPair(char *name,unsigned long value, unsigned long def)
+{
+    char *returnValue;
+
+    if (value == def) return pk11_nullString;
+
+    returnValue = PR_smprintf("%s=%d",name,value);
+
+    return returnValue;
+}
+
+static void
+pk11_freePair(char *pair)
+{
+    if (pair && pair != pk11_nullString) {
+	PR_smprintf_free(pair);
+    }
+}
+
+#define MAX_FLAG_SIZE  sizeof("internal")+sizeof("FIPS")+sizeof("moduleDB")+\
+				sizeof("moduleDBOnly")+sizeof("critical")
+static char *
+pk11_mkNSSFlags(PRBool internal, PRBool isFIPS,
+		PRBool isModuleDB, PRBool isModuleDBOnly, PRBool isCritical)
+{
+    char *flags = (char *)PORT_ZAlloc(MAX_FLAG_SIZE);
+    PRBool first = PR_TRUE;
+
+    PORT_Memset(flags,0,MAX_FLAG_SIZE);
+    if (internal) {
+	PORT_Strcat(flags,"internal");
+	first = PR_FALSE;
+    }
+    if (isFIPS) {
+	if (!first) PORT_Strcat(flags,",");
+	PORT_Strcat(flags,"FIPS");
+	first = PR_FALSE;
+    }
+    if (isModuleDB) {
+	if (!first) PORT_Strcat(flags,",");
+	PORT_Strcat(flags,"moduleDB");
+	first = PR_FALSE;
+    }
+    if (isModuleDBOnly) {
+	if (!first) PORT_Strcat(flags,",");
+	PORT_Strcat(flags,"moduleDBOnly");
+	first = PR_FALSE;
+    }
+    if (isCritical) {
+	if (!first) PORT_Strcat(flags,",");
+	PORT_Strcat(flags,"critical");
+	first = PR_FALSE;
+    }
+    return flags;
+}
+
+static char *
+pk11_mkCipherFlags(unsigned long ssl0, unsigned long ssl1)
+{
+    char *cipher = NULL;
+    int i;
+
+    for (i=0; i < sizeof(ssl0)*8; i++) {
+	if (ssl0 & (1<<i)) {
+	    char *string;
+	    if ((1<<i) == SECMOD_FORTEZZA_FLAG) {
+		string = PR_smprintf("%s","FORTEZZA");
+	    } else {
+		string = PR_smprintf("0h0x%08x",1<<i);
+	    }
+	    if (cipher) {
+		char *tmp;
+		tmp = PR_smprintf("%s,%s",cipher,string);
+		PR_smprintf_free(cipher);
+		PR_smprintf_free(string);
+		tmp = cipher;
+	    } else {
+		cipher = string;
+	    }
+	}
+    }
+    for (i=0; i < sizeof(ssl0)*8; i++) {
+	if (ssl1 & (1<<i)) {
+	    if (cipher) {
+		char *tmp;
+		tmp = PR_smprintf("%s,0l0x%08",cipher,1<<i);
+		PR_smprintf_free(cipher);
+		tmp = cipher;
+	    } else {
+		cipher = PR_smprintf("0l0x%08x",1<<i);
+	    }
+	}
+    }
+
+    return cipher;
+}
+
+static char *
+pk11_mkSlotFlags(unsigned long defaultFlags)
+{
+    char *flags=NULL;
+    int i,j;
+
+    for (i=0; i < sizeof(defaultFlags)*8; i++) {
+	if (defaultFlags & (1<<i)) {
+	    char *string = NULL;
+
+	    for (j=0; j < pk11_argSlotFlagTableSize; j++) {
+		if (pk11_argSlotFlagTable[j].value == (1<<i)) {
+		    string = pk11_argSlotFlagTable[j].name;
+		    break;
+		}
+	    }
+	    if (string) {
+		if (flags) {
+		    char *tmp;
+		    tmp = PR_smprintf("%s,%s",flags,string);
+		    PR_smprintf_free(flags);
+		    flags = tmp;
+		} else {
+		    flags = PR_smprintf("%s",string);
+		}
+	    }
+	}
+    }
+
+    return flags;
+}
+
+#define PK11_MAX_ROOT_FLAG_SIZE  sizeof("hasRootCerts")+sizeof("hasRootTrust")
+
+static char *
+pk11_mkRootFlags(PRBool hasRootCerts, PRBool hasRootTrust)
+{
+    char *flags= (char *)PORT_ZAlloc(PK11_MAX_ROOT_FLAG_SIZE);
+    PRBool first = PR_TRUE;
+
+    PORT_Memset(flags,0,PK11_MAX_ROOT_FLAG_SIZE);
+    if (hasRootCerts) {
+	PORT_Strcat(flags,"hasRootCerts");
+	first = PR_FALSE;
+    }
+    if (hasRootTrust) {
+	if (!first) PORT_Strcat(flags,",");
+	PORT_Strcat(flags,"hasRootTrust");
+	first = PR_FALSE;
+    }
+    return flags;
+}
+
+static char *
+pk11_mkSlotString(unsigned long slotID, unsigned long defaultFlags,
+		  unsigned long timeout, unsigned char askpw_in,
+		  unsigned char hasRootCerts, unsigned char hasRootTrust) {
+    char *askpw,*flags,*rootFlags,*slotString;
+    char *flagPair,*rootFlagsPair;
+	
+    switch (askpw_in) {
+    case 0xff:
+	askpw = "every";
+	break;
+    case 1:
+	askpw = "timeout";
+	break;
+    default:
+	askpw = "any";
+	break;
+    }
+    flags = pk11_mkSlotFlags(defaultFlags);
+    rootFlags = pk11_mkRootFlags(hasRootCerts,hasRootTrust);
+    flagPair=pk11_formatPair("slotFlags",flags,'\'');
+    rootFlagsPair=pk11_formatPair("rootFlags",rootFlags,'\'');
+    if (flags) PR_smprintf_free(flags);
+    if (rootFlags) PORT_Free(rootFlags);
+    if (defaultFlags & PK11_OWN_PW_DEFAULTS) {
+    	slotString = PR_smprintf("0x%08x=[%s askpw=%s timeout=%d %s]",slotID,flagPair,askpw,timeout,rootFlagsPair);
+    } else {
+    	slotString = PR_smprintf("0x%08x=[%s %s]",slotID,flagPair,rootFlagsPair);
+    }
+    pk11_freePair(flagPair);
+    pk11_freePair(rootFlagsPair);
+    return slotString;
+}
+
+static char *
+pk11_mkNSS(char **slotStrings, int slotCount, PRBool internal, PRBool isFIPS,
+	  PRBool isModuleDB,  PRBool isModuleDBOnly, PRBool isCritical, 
+	  unsigned long trustOrder, unsigned long cipherOrder,
+				unsigned long ssl0, unsigned long ssl1) {
+    int slotLen, i;
+    char *slotParams, *ciphers, *nss, *nssFlags, *tmp;
+    char *trustOrderPair,*cipherOrderPair,*slotPair,*cipherPair,*flagPair;
+
+
+    /* now let's build up the string
+     * first the slot infos
+     */
+    slotLen=0;
+    for (i=0; i < (int)slotCount; i++) {
+	slotLen += PORT_Strlen(slotStrings[i])+1;
+    }
+    slotLen += 1; /* space for the final NULL */
+
+    slotParams = (char *)PORT_ZAlloc(slotLen);
+    PORT_Memset(slotParams,0,slotLen);
+    for (i=0; i < (int)slotCount; i++) {
+	PORT_Strcat(slotParams,slotStrings[i]);
+	PORT_Strcat(slotParams," ");
+	PR_smprintf_free(slotStrings[i]);
+	slotStrings[i]=NULL;
+    }
+    
+    /*
+     * now the NSS structure
+     */
+    nssFlags = pk11_mkNSSFlags(internal,isFIPS,isModuleDB,isModuleDBOnly,
+							isCritical); 
+	/* for now only the internal module is critical */
+    ciphers = pk11_mkCipherFlags(ssl0, ssl1);
+
+    trustOrderPair=pk11_formatIntPair("trustOrder",trustOrder,
+					PK11_DEFAULT_TRUST_ORDER);
+    cipherOrderPair=pk11_formatIntPair("cipherOrder",cipherOrder,
+					PK11_DEFAULT_CIPHER_ORDER);
+    slotPair=pk11_formatPair("slotParams",slotParams,'{'); /* } */
+    if (slotParams) PORT_Free(slotParams);
+    cipherPair=pk11_formatPair("ciphers",ciphers,'\'');
+    if (ciphers) PR_smprintf_free(ciphers);
+    flagPair=pk11_formatPair("Flags",nssFlags,'\'');
+    if (nssFlags) PORT_Free(nssFlags);
+    nss = PR_smprintf("%s %s %s %s %s",trustOrderPair,
+			cipherOrderPair,slotPair,cipherPair,flagPair);
+    pk11_freePair(trustOrderPair);
+    pk11_freePair(cipherOrderPair);
+    pk11_freePair(slotPair);
+    pk11_freePair(cipherPair);
+    pk11_freePair(flagPair);
+    tmp = pk11_argStrip(nss);
+    if (*tmp == '\0') {
+	PR_smprintf_free(nss);
+	nss = NULL;
+    }
+    return nss;
+}
+
+static char *
+pk11_mkNewModuleSpec(char *dllName, char *commonName, char *parameters, 
+								char *NSS) {
+    char *moduleSpec;
+    char *lib,*name,*param,*nss;
+
+    /*
+     * now the final spec
+     */
+    lib = pk11_formatPair("library",dllName,'\"');
+    name = pk11_formatPair("name",commonName,'\"');
+    param = pk11_formatPair("parameters",parameters,'\"');
+    nss = pk11_formatPair("NSS",NSS,'\"');
+    moduleSpec = PR_smprintf("%s %s %s %s", lib,name,param,nss);
+    pk11_freePair(lib);
+    pk11_freePair(name);
+    pk11_freePair(param);
+    pk11_freePair(nss);
+    return (moduleSpec);
+}
+
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
new file mode 100644
index 000000000..bd20ea8b8
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -0,0 +1,4192 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s): 
+ *	Dr Stephen Henson <stephen.henson@gemplus.com>
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * This file implements PKCS 11 on top of our existing security modules
+ *
+ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
+ *   This implementation has two slots:
+ *	slot 1 is our generic crypto support. It does not require login.
+ *   It supports Public Key ops, and all they bulk ciphers and hashes. 
+ *   It can also support Private Key ops for imported Private keys. It does 
+ *   not have any token storage.
+ *	slot 2 is our private key support. It requires a login before use. It
+ *   can store Private Keys and Certs as token objects. Currently only private
+ *   keys and their associated Certificates are saved on the token.
+ *
+ *   In this implementation, session objects are only visible to the session
+ *   that created or generated them.
+ */
+#include "seccomon.h"
+#include "secitem.h"
+#include "pkcs11.h"
+#include "pkcs11i.h"
+#include "softoken.h"
+#include "lowkeyi.h"
+#include "blapi.h"
+#include "secder.h"
+#include "secport.h"
+#include "pcert.h"
+#include "secrng.h"
+
+#include "keydbi.h" 
+
+ 
+/*
+ * ******************** Static data *******************************
+ */
+
+/* The next three strings must be exactly 32 characters long */
+static char *manufacturerID      = "mozilla.org                     ";
+static char manufacturerID_space[33];
+static char *libraryDescription  = "NSS Internal Crypto Services    ";
+static char libraryDescription_space[33];
+
+#define __PASTE(x,y)    x##y
+
+/*
+ * we renamed all our internal functions, get the correct
+ * definitions for them...
+ */ 
+#undef CK_PKCS11_FUNCTION_INFO
+#undef CK_NEED_ARG_LIST
+
+#define CK_EXTERN extern
+#define CK_PKCS11_FUNCTION_INFO(func) \
+		CK_RV __PASTE(NS,func)
+#define CK_NEED_ARG_LIST	1
+ 
+#include "pkcs11f.h"
+ 
+ 
+ 
+/* build the crypto module table */
+static const CK_FUNCTION_LIST pk11_funcList = {
+    { 1, 10 },
+ 
+#undef CK_PKCS11_FUNCTION_INFO
+#undef CK_NEED_ARG_LIST
+ 
+#define CK_PKCS11_FUNCTION_INFO(func) \
+				__PASTE(NS,func),
+#include "pkcs11f.h"
+ 
+};
+ 
+#undef CK_PKCS11_FUNCTION_INFO
+#undef CK_NEED_ARG_LIST
+ 
+ 
+#undef __PASTE
+
+/* List of DES Weak Keys */ 
+typedef unsigned char desKey[8];
+static const desKey  pk11_desWeakTable[] = {
+#ifdef noParity
+    /* weak */
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+    { 0x1e, 0x1e, 0x1e, 0x1e, 0x0e, 0x0e, 0x0e, 0x0e },
+    { 0xe0, 0xe0, 0xe0, 0xe0, 0xf0, 0xf0, 0xf0, 0xf0 },
+    { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe },
+    /* semi-weak */
+    { 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe },
+    { 0xfe, 0x00, 0xfe, 0x00, 0x00, 0xfe, 0x00, 0xfe },
+
+    { 0x1e, 0xe0, 0x1e, 0xe0, 0x0e, 0xf0, 0x0e, 0xf0 },
+    { 0xe0, 0x1e, 0xe0, 0x1e, 0xf0, 0x0e, 0xf0, 0x0e },
+
+    { 0x00, 0xe0, 0x00, 0xe0, 0x00, 0x0f, 0x00, 0x0f },
+    { 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0, 0x00 },
+
+    { 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe },
+    { 0xfe, 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e },
+
+    { 0x00, 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e },
+    { 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e, 0x00 },
+
+    { 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0, 0xfe },
+    { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0 },
+#else
+    /* weak */
+    { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
+    { 0x1f, 0x1f, 0x1f, 0x1f, 0x0e, 0x0e, 0x0e, 0x0e },
+    { 0xe0, 0xe0, 0xe0, 0xe0, 0xf1, 0xf1, 0xf1, 0xf1 },
+    { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe },
+
+    /* semi-weak */
+    { 0x01, 0xfe, 0x01, 0xfe, 0x01, 0xfe, 0x01, 0xfe },
+    { 0xfe, 0x01, 0xfe, 0x01, 0xfe, 0x01, 0xfe, 0x01 },
+
+    { 0x1f, 0xe0, 0x1f, 0xe0, 0x0e, 0xf1, 0x0e, 0xf1 },
+    { 0xe0, 0x1f, 0xe0, 0x1f, 0xf1, 0x0e, 0xf1, 0x0e },
+
+    { 0x01, 0xe0, 0x01, 0xe0, 0x01, 0xf1, 0x01, 0xf1 },
+    { 0xe0, 0x01, 0xe0, 0x01, 0xf1, 0x01, 0xf1, 0x01 },
+
+    { 0x1f, 0xfe, 0x1f, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe },
+    { 0xfe, 0x1f, 0xfe, 0x1f, 0xfe, 0x0e, 0xfe, 0x0e },
+
+    { 0x01, 0x1f, 0x01, 0x1f, 0x01, 0x0e, 0x01, 0x0e },
+    { 0x1f, 0x01, 0x1f, 0x01, 0x0e, 0x01, 0x0e, 0x01 },
+
+    { 0xe0, 0xfe, 0xe0, 0xfe, 0xf1, 0xfe, 0xf1, 0xfe }, 
+    { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf1, 0xfe, 0xf1 }
+#endif
+};
+
+    
+static const int pk11_desWeakTableSize = sizeof(pk11_desWeakTable)/
+						sizeof(pk11_desWeakTable[0]);
+
+/* DES KEY Parity conversion table. Takes each byte/2 as an index, returns
+ * that byte with the proper parity bit set */
+static const unsigned char parityTable[256] = {
+/* Even...0x00,0x02,0x04,0x06,0x08,0x0a,0x0c,0x0e */
+/* E */   0x01,0x02,0x04,0x07,0x08,0x0b,0x0d,0x0e,
+/* Odd....0x10,0x12,0x14,0x16,0x18,0x1a,0x1c,0x1e */
+/* O */   0x10,0x13,0x15,0x16,0x19,0x1a,0x1c,0x1f,
+/* Odd....0x20,0x22,0x24,0x26,0x28,0x2a,0x2c,0x2e */
+/* O */   0x20,0x23,0x25,0x26,0x29,0x2a,0x2c,0x2f,
+/* Even...0x30,0x32,0x34,0x36,0x38,0x3a,0x3c,0x3e */
+/* E */   0x31,0x32,0x34,0x37,0x38,0x3b,0x3d,0x3e,
+/* Odd....0x40,0x42,0x44,0x46,0x48,0x4a,0x4c,0x4e */
+/* O */   0x40,0x43,0x45,0x46,0x49,0x4a,0x4c,0x4f,
+/* Even...0x50,0x52,0x54,0x56,0x58,0x5a,0x5c,0x5e */
+/* E */   0x51,0x52,0x54,0x57,0x58,0x5b,0x5d,0x5e,
+/* Even...0x60,0x62,0x64,0x66,0x68,0x6a,0x6c,0x6e */
+/* E */   0x61,0x62,0x64,0x67,0x68,0x6b,0x6d,0x6e,
+/* Odd....0x70,0x72,0x74,0x76,0x78,0x7a,0x7c,0x7e */
+/* O */   0x70,0x73,0x75,0x76,0x79,0x7a,0x7c,0x7f,
+/* Odd....0x80,0x82,0x84,0x86,0x88,0x8a,0x8c,0x8e */
+/* O */   0x80,0x83,0x85,0x86,0x89,0x8a,0x8c,0x8f,
+/* Even...0x90,0x92,0x94,0x96,0x98,0x9a,0x9c,0x9e */
+/* E */   0x91,0x92,0x94,0x97,0x98,0x9b,0x9d,0x9e,
+/* Even...0xa0,0xa2,0xa4,0xa6,0xa8,0xaa,0xac,0xae */
+/* E */   0xa1,0xa2,0xa4,0xa7,0xa8,0xab,0xad,0xae,
+/* Odd....0xb0,0xb2,0xb4,0xb6,0xb8,0xba,0xbc,0xbe */
+/* O */   0xb0,0xb3,0xb5,0xb6,0xb9,0xba,0xbc,0xbf,
+/* Even...0xc0,0xc2,0xc4,0xc6,0xc8,0xca,0xcc,0xce */
+/* E */   0xc1,0xc2,0xc4,0xc7,0xc8,0xcb,0xcd,0xce,
+/* Odd....0xd0,0xd2,0xd4,0xd6,0xd8,0xda,0xdc,0xde */
+/* O */   0xd0,0xd3,0xd5,0xd6,0xd9,0xda,0xdc,0xdf,
+/* Odd....0xe0,0xe2,0xe4,0xe6,0xe8,0xea,0xec,0xee */
+/* O */   0xe0,0xe3,0xe5,0xe6,0xe9,0xea,0xec,0xef,
+/* Even...0xf0,0xf2,0xf4,0xf6,0xf8,0xfa,0xfc,0xfe */
+/* E */   0xf1,0xf2,0xf4,0xf7,0xf8,0xfb,0xfd,0xfe,
+};
+
+/* Mechanisms */
+struct mechanismList {
+    CK_MECHANISM_TYPE	type;
+    CK_MECHANISM_INFO	domestic;
+    PRBool		privkey;
+};
+
+/*
+ * the following table includes a complete list of mechanism defined by
+ * PKCS #11 version 2.01. Those Mechanisms not supported by this PKCS #11
+ * module are ifdef'ed out.
+ */
+#define CKF_EN_DE		CKF_ENCRYPT      | CKF_DECRYPT
+#define CKF_WR_UN		CKF_WRAP         | CKF_UNWRAP
+#define CKF_SN_VR		CKF_SIGN         | CKF_VERIFY
+#define CKF_SN_RE		CKF_SIGN_RECOVER | CKF_VERIFY_RECOVER
+
+#define CKF_EN_DE_WR_UN 	CKF_EN_DE       | CKF_WR_UN
+#define CKF_SN_VR_RE		CKF_SN_VR       | CKF_SN_RE
+#define CKF_DUZ_IT_ALL		CKF_EN_DE_WR_UN | CKF_SN_VR_RE
+
+#define CK_MAX 0xffffffff
+
+static const struct mechanismList mechanisms[] = {
+
+     /*
+      * PKCS #11 Mechanism List.
+      *
+      * The first argument is the PKCS #11 Mechanism we support.
+      * The second argument is Mechanism info structure. It includes:
+      *    The minimum key size,
+      *       in bits for RSA, DSA, DH, KEA, RC2 and RC4 * algs.
+      *       in bytes for RC5, AES, and CAST*
+      *       ignored for DES*, IDEA and FORTEZZA based
+      *    The maximum key size,
+      *       in bits for RSA, DSA, DH, KEA, RC2 and RC4 * algs.
+      *       in bytes for RC5, AES, and CAST*
+      *       ignored for DES*, IDEA and FORTEZZA based
+      *     Flags
+      *	      What operations are supported by this mechanism.
+      *  The third argument is a bool which tells if this mechanism is 
+      *    supported in the database token.
+      *
+      */
+
+     /* ------------------------- RSA Operations ---------------------------*/
+     {CKM_RSA_PKCS_KEY_PAIR_GEN,{128,CK_MAX,CKF_GENERATE_KEY_PAIR},PR_TRUE},
+     {CKM_RSA_PKCS,		{128,CK_MAX,CKF_DUZ_IT_ALL},	PR_TRUE},
+#ifdef PK11_RSA9796_SUPPORTED
+     {CKM_RSA_9796,		{128,CK_MAX,CKF_DUZ_IT_ALL},	PR_TRUE}, 
+#endif
+     {CKM_RSA_X_509,		{128,CK_MAX,CKF_DUZ_IT_ALL},	PR_TRUE}, 
+     /* -------------- RSA Multipart Signing Operations -------------------- */
+     {CKM_MD2_RSA_PKCS,		{128,CK_MAX,CKF_SN_VR}, 	PR_TRUE},
+     {CKM_MD5_RSA_PKCS,		{128,CK_MAX,CKF_SN_VR}, 	PR_TRUE},
+     {CKM_SHA1_RSA_PKCS,	{128,CK_MAX,CKF_SN_VR}, 	PR_TRUE},
+     /* ------------------------- DSA Operations --------------------------- */
+     {CKM_DSA_KEY_PAIR_GEN,	{512, 1024, CKF_GENERATE_KEY_PAIR}, PR_TRUE},
+     {CKM_DSA,			{512, 1024, CKF_SN_VR},		PR_TRUE},
+     {CKM_DSA_SHA1,		{512, 1024, CKF_SN_VR},		PR_TRUE},
+     /* -------------------- Diffie Hellman Operations --------------------- */
+     /* no diffie hellman yet */
+     {CKM_DH_PKCS_KEY_PAIR_GEN,	{128, 1024, CKF_GENERATE_KEY_PAIR}, PR_TRUE}, 
+     {CKM_DH_PKCS_DERIVE,	{128, 1024, CKF_DERIVE}, 	PR_TRUE}, 
+     /* ------------------------- RC2 Operations --------------------------- */
+     {CKM_RC2_KEY_GEN,		{1, 128, CKF_GENERATE},		PR_FALSE},
+     {CKM_RC2_ECB,		{1, 128, CKF_EN_DE_WR_UN},	PR_FALSE},
+     {CKM_RC2_CBC,		{1, 128, CKF_EN_DE_WR_UN},	PR_FALSE},
+     {CKM_RC2_MAC,		{1, 128, CKF_SN_VR},		PR_FALSE},
+     {CKM_RC2_MAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_FALSE},
+     {CKM_RC2_CBC_PAD,		{1, 128, CKF_EN_DE_WR_UN},	PR_FALSE},
+     /* ------------------------- RC4 Operations --------------------------- */
+     {CKM_RC4_KEY_GEN,		{1, 256, CKF_GENERATE},		PR_FALSE},
+     {CKM_RC4,			{1, 256, CKF_EN_DE_WR_UN},	PR_FALSE},
+     /* ------------------------- DES Operations --------------------------- */
+     {CKM_DES_KEY_GEN,		{ 8,  8, CKF_GENERATE},		PR_FALSE},
+     {CKM_DES_ECB,		{ 8,  8, CKF_EN_DE_WR_UN},	PR_FALSE},
+     {CKM_DES_CBC,		{ 8,  8, CKF_EN_DE_WR_UN},	PR_FALSE},
+     {CKM_DES_MAC,		{ 8,  8, CKF_SN_VR},		PR_FALSE},
+     {CKM_DES_MAC_GENERAL,	{ 8,  8, CKF_SN_VR},		PR_FALSE},
+     {CKM_DES_CBC_PAD,		{ 8,  8, CKF_EN_DE_WR_UN},	PR_FALSE},
+     {CKM_DES2_KEY_GEN,		{24, 24, CKF_GENERATE},		PR_FALSE},
+     {CKM_DES3_KEY_GEN,		{24, 24, CKF_GENERATE},		PR_TRUE },
+     {CKM_DES3_ECB,		{24, 24, CKF_EN_DE_WR_UN},	PR_TRUE },
+     {CKM_DES3_CBC,		{24, 24, CKF_EN_DE_WR_UN},	PR_TRUE },
+     {CKM_DES3_MAC,		{24, 24, CKF_SN_VR},		PR_TRUE },
+     {CKM_DES3_MAC_GENERAL,	{24, 24, CKF_SN_VR},		PR_TRUE },
+     {CKM_DES3_CBC_PAD,		{24, 24, CKF_EN_DE_WR_UN},	PR_TRUE },
+     /* ------------------------- CDMF Operations --------------------------- */
+     {CKM_CDMF_KEY_GEN,		{8,  8, CKF_GENERATE},		PR_FALSE},
+     {CKM_CDMF_ECB,		{8,  8, CKF_EN_DE_WR_UN},	PR_FALSE},
+     {CKM_CDMF_CBC,		{8,  8, CKF_EN_DE_WR_UN},	PR_FALSE},
+     {CKM_CDMF_MAC,		{8,  8, CKF_SN_VR},		PR_FALSE},
+     {CKM_CDMF_MAC_GENERAL,	{8,  8, CKF_SN_VR},		PR_FALSE},
+     {CKM_CDMF_CBC_PAD,		{8,  8, CKF_EN_DE_WR_UN},	PR_FALSE},
+     /* ------------------------- AES Operations --------------------------- */
+     {CKM_AES_KEY_GEN,		{16, 32, CKF_GENERATE},		PR_FALSE},
+     {CKM_AES_ECB,		{16, 32, CKF_EN_DE_WR_UN},	PR_FALSE},
+     {CKM_AES_CBC,		{16, 32, CKF_EN_DE_WR_UN},	PR_FALSE},
+     {CKM_AES_MAC,		{16, 32, CKF_SN_VR},		PR_FALSE},
+     {CKM_AES_MAC_GENERAL,	{16, 32, CKF_SN_VR},		PR_FALSE},
+     {CKM_AES_CBC_PAD,		{16, 32, CKF_EN_DE_WR_UN},	PR_FALSE},
+     /* ------------------------- Hashing Operations ----------------------- */
+     {CKM_MD2,			{0,   0, CKF_DIGEST},		PR_FALSE},
+     {CKM_MD2_HMAC,		{1, 128, CKF_SN_VR},		PR_FALSE},
+     {CKM_MD2_HMAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_FALSE},
+     {CKM_MD5,			{0,   0, CKF_DIGEST},		PR_FALSE},
+     {CKM_MD5_HMAC,		{1, 128, CKF_SN_VR},		PR_FALSE},
+     {CKM_MD5_HMAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_FALSE},
+     {CKM_SHA_1,		{0,   0, CKF_DIGEST},		PR_FALSE},
+     {CKM_SHA_1_HMAC,		{1, 128, CKF_SN_VR},		PR_FALSE},
+     {CKM_SHA_1_HMAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_FALSE},
+     {CKM_TLS_PRF_GENERAL,	{0, 512, CKF_SN_VR},		PR_FALSE},
+     /* ------------------------- CAST Operations --------------------------- */
+#ifdef NSS_SOFTOKEN_DOES_CAST
+     /* Cast operations are not supported ( yet? ) */
+     {CKM_CAST_KEY_GEN,		{1,  8, CKF_GENERATE},		PR_FALSE}, 
+     {CKM_CAST_ECB,		{1,  8, CKF_EN_DE_WR_UN},	PR_FALSE}, 
+     {CKM_CAST_CBC,		{1,  8, CKF_EN_DE_WR_UN},	PR_FALSE}, 
+     {CKM_CAST_MAC,		{1,  8, CKF_SN_VR},		PR_FALSE}, 
+     {CKM_CAST_MAC_GENERAL,	{1,  8, CKF_SN_VR},		PR_FALSE}, 
+     {CKM_CAST_CBC_PAD,		{1,  8, CKF_EN_DE_WR_UN},	PR_FALSE}, 
+     {CKM_CAST3_KEY_GEN,	{1, 16, CKF_GENERATE},		PR_FALSE}, 
+     {CKM_CAST3_ECB,		{1, 16, CKF_EN_DE_WR_UN},	PR_FALSE}, 
+     {CKM_CAST3_CBC,		{1, 16, CKF_EN_DE_WR_UN},	PR_FALSE}, 
+     {CKM_CAST3_MAC,		{1, 16, CKF_SN_VR},		PR_FALSE}, 
+     {CKM_CAST3_MAC_GENERAL,	{1, 16, CKF_SN_VR},		PR_FALSE}, 
+     {CKM_CAST3_CBC_PAD,	{1, 16, CKF_EN_DE_WR_UN},	PR_FALSE}, 
+     {CKM_CAST5_KEY_GEN,	{1, 16, CKF_GENERATE},		PR_FALSE}, 
+     {CKM_CAST5_ECB,		{1, 16, CKF_EN_DE_WR_UN},	PR_FALSE}, 
+     {CKM_CAST5_CBC,		{1, 16, CKF_EN_DE_WR_UN},	PR_FALSE}, 
+     {CKM_CAST5_MAC,		{1, 16, CKF_SN_VR},		PR_FALSE}, 
+     {CKM_CAST5_MAC_GENERAL,	{1, 16, CKF_SN_VR},		PR_FALSE}, 
+     {CKM_CAST5_CBC_PAD,	{1, 16, CKF_EN_DE_WR_UN},	PR_FALSE}, 
+#endif
+#if NSS_SOFTOKEN_DOES_RC5
+     /* ------------------------- RC5 Operations --------------------------- */
+     {CKM_RC5_KEY_GEN,		{1, 32, CKF_GENERATE}, 	PR_FALSE},
+     	{CKM_RC5_ECB,		{1, 32, CKF_EN_DE_WR_UN},	PR_FALSE},
+     {CKM_RC5_CBC,		{1, 32, CKF_EN_DE_WR_UN},	PR_FALSE},
+     {CKM_RC5_MAC,		{1, 32, CKF_SN_VR},  		PR_FALSE},
+     {CKM_RC5_MAC_GENERAL,	{1, 32, CKF_SN_VR},  		PR_FALSE},
+     {CKM_RC5_CBC_PAD,		{1, 32, CKF_EN_DE_WR_UN}, 	PR_FALSE},
+#endif
+#ifdef NSS_SOFTOKEN_DOES_IDEA
+     /* ------------------------- IDEA Operations -------------------------- */
+     {CKM_IDEA_KEY_GEN,		{16, 16, CKF_GENERATE}, 	PR_FALSE}, 
+     {CKM_IDEA_ECB,		{16, 16, CKF_EN_DE_WR_UN},	PR_FALSE}, 
+     {CKM_IDEA_CBC,		{16, 16, CKF_EN_DE_WR_UN},	PR_FALSE}, 
+     {CKM_IDEA_MAC,		{16, 16, CKF_SN_VR},		PR_FALSE}, 
+     {CKM_IDEA_MAC_GENERAL,	{16, 16, CKF_SN_VR},		PR_FALSE}, 
+     {CKM_IDEA_CBC_PAD,		{16, 16, CKF_EN_DE_WR_UN}, 	PR_FALSE}, 
+#endif
+     /* --------------------- Secret Key Operations ------------------------ */
+     {CKM_GENERIC_SECRET_KEY_GEN,	{1, 32, CKF_GENERATE}, PR_FALSE}, 
+     {CKM_CONCATENATE_BASE_AND_KEY,	{1, 32, CKF_GENERATE}, PR_FALSE}, 
+     {CKM_CONCATENATE_BASE_AND_DATA,	{1, 32, CKF_GENERATE}, PR_FALSE}, 
+     {CKM_CONCATENATE_DATA_AND_BASE,	{1, 32, CKF_GENERATE}, PR_FALSE}, 
+     {CKM_XOR_BASE_AND_DATA,		{1, 32, CKF_GENERATE}, PR_FALSE}, 
+     {CKM_EXTRACT_KEY_FROM_KEY,		{1, 32, CKF_DERIVE},   PR_FALSE}, 
+     /* ---------------------- SSL Key Derivations ------------------------- */
+     {CKM_SSL3_PRE_MASTER_KEY_GEN,	{48, 48, CKF_GENERATE}, PR_FALSE}, 
+     {CKM_SSL3_MASTER_KEY_DERIVE,	{48, 48, CKF_DERIVE},   PR_FALSE}, 
+     {CKM_SSL3_MASTER_KEY_DERIVE_DH,	{8, 128, CKF_DERIVE},   PR_FALSE}, 
+     {CKM_SSL3_KEY_AND_MAC_DERIVE,	{48, 48, CKF_DERIVE},   PR_FALSE}, 
+     {CKM_SSL3_MD5_MAC,			{ 0, 16, CKF_DERIVE},   PR_FALSE}, 
+     {CKM_SSL3_SHA1_MAC,		{ 0, 20, CKF_DERIVE},   PR_FALSE}, 
+     {CKM_MD5_KEY_DERIVATION,		{ 0, 16, CKF_DERIVE},   PR_FALSE}, 
+     {CKM_MD2_KEY_DERIVATION,		{ 0, 16, CKF_DERIVE},   PR_FALSE}, 
+     {CKM_SHA1_KEY_DERIVATION,		{ 0, 20, CKF_DERIVE},   PR_FALSE}, 
+     {CKM_TLS_MASTER_KEY_DERIVE,	{48, 48, CKF_DERIVE},   PR_FALSE}, 
+     {CKM_TLS_MASTER_KEY_DERIVE_DH,	{8, 128, CKF_DERIVE},   PR_FALSE}, 
+     {CKM_TLS_KEY_AND_MAC_DERIVE,	{48, 48, CKF_DERIVE},   PR_FALSE}, 
+     /* ---------------------- PBE Key Derivations  ------------------------ */
+     {CKM_PBE_MD2_DES_CBC,		{8, 8, CKF_DERIVE},   PR_TRUE},
+     {CKM_PBE_MD5_DES_CBC,		{8, 8, CKF_DERIVE},   PR_TRUE},
+     /* ------------------ NETSCAPE PBE Key Derivations  ------------------- */
+     {CKM_NETSCAPE_PBE_SHA1_DES_CBC,	     { 8, 8, CKF_GENERATE}, PR_TRUE},
+     {CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC, {24,24, CKF_GENERATE}, PR_TRUE},
+     {CKM_PBE_SHA1_DES3_EDE_CBC,	     {24,24, CKF_GENERATE}, PR_TRUE},
+     {CKM_PBE_SHA1_DES2_EDE_CBC,	     {24,24, CKF_GENERATE}, PR_TRUE},
+     {CKM_PBE_SHA1_RC2_40_CBC,		     {40,40, CKF_GENERATE}, PR_TRUE},
+     {CKM_PBE_SHA1_RC2_128_CBC,		     {128,128, CKF_GENERATE}, PR_TRUE},
+     {CKM_PBE_SHA1_RC4_40,		     {40,40, CKF_GENERATE}, PR_TRUE},
+     {CKM_PBE_SHA1_RC4_128,		     {128,128, CKF_GENERATE}, PR_TRUE},
+     {CKM_PBA_SHA1_WITH_SHA1_HMAC,	     {20,20, CKF_GENERATE}, PR_TRUE},
+     {CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN,    {20,20, CKF_GENERATE}, PR_TRUE},
+     {CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN,     {16,16, CKF_GENERATE}, PR_TRUE},
+     {CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN,     {16,16, CKF_GENERATE}, PR_TRUE},
+};
+static CK_ULONG mechanismCount = sizeof(mechanisms)/sizeof(mechanisms[0]);
+
+static char *
+pk11_setStringName(const char *inString, char *buffer, int buffer_length)
+{
+    int full_length, string_length;
+
+    full_length = buffer_length -1;
+    string_length = PORT_Strlen(inString);
+    /* 
+     *  shorten the string, respecting utf8 encoding
+     *  to do so, we work backward from the end 
+     *  bytes looking from the end are either:
+     *    - ascii [0x00,0x7f]
+     *    - the [2-n]th byte of a multibyte sequence 
+     *        [0x3F,0xBF], i.e, most significant 2 bits are '10'
+     *    - the first byte of a multibyte sequence [0xC0,0xFD],
+     *        i.e, most significant 2 bits are '11'
+     *
+     *    When the string is too long, we lop off any trailing '10' bytes,
+     *  if any. When these are all eliminated we lop off
+     *  one additional byte. Thus if we lopped any '10'
+     *  we'll be lopping a '11' byte (the first byte of the multibyte sequence),
+     *  otherwise we're lopping off an ascii character.
+     *
+     *    To test for '10' bytes, we first AND it with 
+     *  11000000 (0xc0) so that we get 10000000 (0x80) if and only if
+     *  the byte starts with 10. We test for equality.
+     */
+    while ( string_length > full_length ) {
+	/* need to shorten */
+	while ( string_length > 0 && 
+	      ((inString[string_length-1]&(char)0xc0) == (char)0x80)) {
+	    /* lop off '10' byte */
+	    string_length--;
+	}
+	/* 
+	 * test string_length in case bad data is received
+	 * and string consisted of all '10' bytes,
+	 * avoiding any infinite loop
+         */
+	if ( string_length ) {
+	    /* remove either '11' byte or an asci byte */
+	    string_length--;
+	}
+    }
+    PORT_Memset(buffer,' ',full_length);
+    buffer[full_length] = 0;
+    PORT_Memcpy(buffer,inString,string_length);
+    return buffer;
+}
+/*
+ * Configuration utils
+ */
+static CK_RV
+pk11_configure(const char *man, const char *libdes)
+{
+
+    /* make sure the internationalization was done correctly... */
+    if (man) {
+	manufacturerID = pk11_setStringName(man,manufacturerID_space,
+						sizeof(manufacturerID_space));
+    }
+    if (libdes) {
+	libraryDescription = pk11_setStringName(libdes,
+		libraryDescription_space, sizeof(libraryDescription_space));
+    }
+
+    return CKR_OK;
+}
+
+/*
+ * ******************** Password Utilities *******************************
+ */
+
+/*
+ * see if the key DB password is enabled
+ */
+PRBool
+pk11_hasNullPassword(NSSLOWKEYDBHandle *keydb,SECItem **pwitem)
+{
+    PRBool pwenabled;
+    
+    pwenabled = PR_FALSE;
+    *pwitem = NULL;
+    if (nsslowkey_HasKeyDBPassword (keydb) == SECSuccess) {
+	*pwitem = nsslowkey_HashPassword("", keydb->global_salt);
+	if ( *pwitem ) {
+	    if (nsslowkey_CheckKeyDBPassword (keydb, *pwitem) == SECSuccess) {
+		pwenabled = PR_TRUE;
+	    } else {
+	    	SECITEM_ZfreeItem(*pwitem, PR_TRUE);
+		*pwitem = NULL;
+	    }
+	}
+    }
+
+    return pwenabled;
+}
+
+/*
+ * ******************** Object Creation Utilities ***************************
+ */
+
+
+/* Make sure a given attribute exists. If it doesn't, initialize it to
+ * value and len
+ */
+CK_RV
+pk11_defaultAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type,void *value,
+							unsigned int len)
+{
+    if ( !pk11_hasAttribute(object, type)) {
+	return pk11_AddAttributeType(object,type,value,len);
+    }
+    return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Data Object 
+ */
+static CK_RV
+pk11_handleDataObject(PK11Session *session,PK11Object *object)
+{
+    CK_RV crv;
+
+    /* first reject private and token data objects */
+    if (pk11_isTrue(object,CKA_PRIVATE) || pk11_isTrue(object,CKA_TOKEN)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    /* now just verify the required date fields */
+    crv = pk11_defaultAttribute(object,CKA_APPLICATION,NULL,0);
+    if (crv != CKR_OK) return crv;
+    crv = pk11_defaultAttribute(object,CKA_VALUE,NULL,0);
+    if (crv != CKR_OK) return crv;
+
+    return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Certificate Object 
+ */
+static CK_RV
+pk11_handleCertObject(PK11Session *session,PK11Object *object)
+{
+    CK_CERTIFICATE_TYPE type;
+    PK11Attribute *attribute;
+    CK_RV crv;
+
+    /* certificates must have a type */
+    if ( !pk11_hasAttribute(object,CKA_CERTIFICATE_TYPE) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+
+    /* we can't store any certs private */
+    if (pk11_isTrue(object,CKA_PRIVATE)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+	
+    /* We only support X.509 Certs for now */
+    attribute = pk11_FindAttribute(object,CKA_CERTIFICATE_TYPE);
+    if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
+    type = *(CK_CERTIFICATE_TYPE *)attribute->attrib.pValue;
+    pk11_FreeAttribute(attribute);
+
+    if (type != CKC_X_509) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    /* X.509 Certificate */
+
+    /* make sure we have a cert */
+    if ( !pk11_hasAttribute(object,CKA_VALUE) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+
+    /* in PKCS #11, Subject is a required field */
+    if ( !pk11_hasAttribute(object,CKA_SUBJECT) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+
+    /* in PKCS #11, Issuer is a required field */
+    if ( !pk11_hasAttribute(object,CKA_ISSUER) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+
+    /* in PKCS #11, Serial is a required field */
+    if ( !pk11_hasAttribute(object,CKA_SERIAL_NUMBER) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+
+    /* add it to the object */
+    object->objectInfo = NULL;
+    object->infoFree = (PK11Free) NULL;
+    
+    /* now just verify the required date fields */
+    crv = pk11_defaultAttribute(object, CKA_ID, NULL, 0);
+    if (crv != CKR_OK) { return crv; }
+
+    if (pk11_isTrue(object,CKA_TOKEN)) {
+	PK11Slot *slot = session->slot;
+	SECItem derCert;
+	NSSLOWCERTCertificate *cert;
+ 	NSSLOWCERTCertTrust *trust = NULL;
+ 	NSSLOWCERTCertTrust userTrust = 
+		{ CERTDB_USER, CERTDB_USER, CERTDB_USER };
+ 	NSSLOWCERTCertTrust defTrust = 
+		{ CERTDB_TRUSTED_UNKNOWN, 
+			CERTDB_TRUSTED_UNKNOWN, CERTDB_TRUSTED_UNKNOWN };
+	char *label;
+	SECStatus rv;
+	PRBool inDB = PR_TRUE;
+
+	if (slot->certDB == NULL) {
+	    return CKR_TOKEN_WRITE_PROTECTED;
+	}
+
+	/* get the der cert */ 
+	attribute = pk11_FindAttribute(object,CKA_VALUE);
+	PORT_Assert(attribute);
+
+	derCert.data = (unsigned char *)attribute->attrib.pValue;
+	derCert.len = attribute->attrib.ulValueLen ;
+
+	label = pk11_getString(object,CKA_LABEL);
+
+	cert =  nsslowcert_FindCertByDERCert(slot->certDB, &derCert);
+        if (cert == NULL) {
+	    cert = nsslowcert_DecodeDERCertificate(&derCert,PR_FALSE,label);
+	    inDB = PR_FALSE;
+	}
+	if (cert == NULL) {
+	    if (label) PORT_Free(label);
+    	    pk11_FreeAttribute(attribute);
+	    return CKR_ATTRIBUTE_VALUE_INVALID;
+	}
+
+	if (slot->keyDB && nsslowkey_KeyForCertExists(slot->keyDB,cert)) {
+	    trust = &userTrust;
+	}
+	if (!inDB) {
+	    if (!trust) trust = &defTrust;
+	    rv = nsslowcert_AddPermCert(slot->certDB, cert, label, trust);
+	} else {
+	    rv = trust ? nsslowcert_ChangeCertTrust(slot->certDB,cert,trust) :
+				SECSuccess;
+	}
+
+	if (label) PORT_Free(label);
+	pk11_FreeAttribute(attribute);
+	if (rv != SECSuccess) {
+	    nsslowcert_DestroyCertificate(cert);
+	    return CKR_DEVICE_ERROR;
+	}
+	object->handle=pk11_mkHandle(slot,&cert->certKey,PK11_TOKEN_TYPE_CERT);
+	nsslowcert_DestroyCertificate(cert);
+    }
+
+    return CKR_OK;
+}
+
+unsigned int
+pk11_MapTrust(CK_TRUST trust, PRBool clientAuth)
+{
+    unsigned int trustCA = clientAuth ? CERTDB_TRUSTED_CLIENT_CA :
+							CERTDB_TRUSTED_CA;
+    switch (trust) {
+    case CKT_NETSCAPE_TRUSTED:
+	return CERTDB_VALID_PEER|CERTDB_TRUSTED;
+    case CKT_NETSCAPE_TRUSTED_DELEGATOR:
+	return CERTDB_VALID_CA|trustCA;
+    case CKT_NETSCAPE_UNTRUSTED:
+	return CERTDB_NOT_TRUSTED;
+    case CKT_NETSCAPE_MUST_VERIFY:
+	return 0;
+    case CKT_NETSCAPE_VALID: /* implies must verify */
+	return CERTDB_VALID_PEER;
+    case CKT_NETSCAPE_VALID_DELEGATOR: /* implies must verify */
+	return CERTDB_VALID_CA;
+    default:
+	break;
+    }
+    return CERTDB_TRUSTED_UNKNOWN;
+}
+    
+	
+/*
+ * check the consistancy and initialize a Trust Object 
+ */
+static CK_RV
+pk11_handleTrustObject(PK11Session *session,PK11Object *object)
+{
+    NSSLOWCERTIssuerAndSN issuerSN;
+
+    /* we can't store any certs private */
+    if (pk11_isTrue(object,CKA_PRIVATE)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    /* certificates must have a type */
+    if ( !pk11_hasAttribute(object,CKA_ISSUER) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+    if ( !pk11_hasAttribute(object,CKA_SERIAL_NUMBER) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+    if ( !pk11_hasAttribute(object,CKA_CERT_SHA1_HASH) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+    if ( !pk11_hasAttribute(object,CKA_CERT_MD5_HASH) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+
+    if (pk11_isTrue(object,CKA_TOKEN)) {
+	PK11Slot *slot = session->slot;
+	PK11Attribute *issuer = NULL;
+	PK11Attribute *serial = NULL;
+	NSSLOWCERTCertificate *cert = NULL;
+	PK11Attribute *trust;
+        CK_TRUST sslTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
+        CK_TRUST clientTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
+        CK_TRUST emailTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
+        CK_TRUST signTrust = CKT_NETSCAPE_TRUST_UNKNOWN;
+ 	NSSLOWCERTCertTrust dbTrust;
+	SECStatus rv;
+
+
+	if (slot->certDB == NULL) {
+	    return CKR_TOKEN_WRITE_PROTECTED;
+	}
+	issuer = pk11_FindAttribute(object,CKA_ISSUER);
+	PORT_Assert(issuer);
+	issuerSN.derIssuer.data = (unsigned char *)issuer->attrib.pValue;
+	issuerSN.derIssuer.len = issuer->attrib.ulValueLen ;
+
+	serial = pk11_FindAttribute(object,CKA_SERIAL_NUMBER);
+	PORT_Assert(serial);
+	issuerSN.serialNumber.data = (unsigned char *)serial->attrib.pValue;
+	issuerSN.serialNumber.len = serial->attrib.ulValueLen ;
+
+	cert = nsslowcert_FindCertByIssuerAndSN(slot->certDB,&issuerSN);
+	pk11_FreeAttribute(serial);
+	pk11_FreeAttribute(issuer);
+
+	if (cert == NULL) {
+	    return CKR_ATTRIBUTE_VALUE_INVALID;
+	}
+	
+	trust = pk11_FindAttribute(object,CKA_TRUST_SERVER_AUTH);
+	if (trust) {
+	    if (trust->attrib.ulValueLen == sizeof(CK_TRUST)) {
+		PORT_Memcpy(&sslTrust,trust->attrib.pValue, sizeof(sslTrust));
+	    }
+	    pk11_FreeAttribute(trust);
+	}
+	trust = pk11_FindAttribute(object,CKA_TRUST_CLIENT_AUTH);
+	if (trust) {
+	    if (trust->attrib.ulValueLen == sizeof(CK_TRUST)) {
+		PORT_Memcpy(&clientTrust,trust->attrib.pValue,
+							 sizeof(clientTrust));
+	    }
+	    pk11_FreeAttribute(trust);
+	}
+	trust = pk11_FindAttribute(object,CKA_TRUST_EMAIL_PROTECTION);
+	if (trust) {
+	    if (trust->attrib.ulValueLen == sizeof(CK_TRUST)) {
+		PORT_Memcpy(&emailTrust,trust->attrib.pValue,
+							sizeof(emailTrust));
+	    }
+	    pk11_FreeAttribute(trust);
+	}
+	trust = pk11_FindAttribute(object,CKA_TRUST_CODE_SIGNING);
+	if (trust) {
+	    if (trust->attrib.ulValueLen == sizeof(CK_TRUST)) {
+		PORT_Memcpy(&signTrust,trust->attrib.pValue,
+							sizeof(signTrust));
+	    }
+	    pk11_FreeAttribute(trust);
+	}
+
+	/* preserve certain old fields */
+	if (cert->trust) {
+	    dbTrust.sslFlags =
+			  cert->trust->sslFlags & CERTDB_PRESERVE_TRUST_BITS;
+	    dbTrust.emailFlags=
+			cert->trust->emailFlags & CERTDB_PRESERVE_TRUST_BITS;
+	    dbTrust.objectSigningFlags = 
+		cert->trust->objectSigningFlags & CERTDB_PRESERVE_TRUST_BITS;
+	}
+
+	dbTrust.sslFlags = pk11_MapTrust(sslTrust,PR_FALSE);
+	dbTrust.sslFlags |= pk11_MapTrust(clientTrust,PR_TRUE);
+	dbTrust.emailFlags = pk11_MapTrust(emailTrust,PR_FALSE);
+	dbTrust.objectSigningFlags = pk11_MapTrust(signTrust,PR_FALSE);
+
+	rv = nsslowcert_ChangeCertTrust(slot->certDB,cert,&dbTrust);
+	object->handle=pk11_mkHandle(slot,&cert->certKey,PK11_TOKEN_TYPE_TRUST);
+	nsslowcert_DestroyCertificate(cert);
+	if (rv != SECSuccess) {
+	   return CKR_DEVICE_ERROR;
+	}
+    }
+
+    return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Trust Object 
+ */
+static CK_RV
+pk11_handleSMimeObject(PK11Session *session,PK11Object *object)
+{
+
+    /* we can't store any certs private */
+    if (pk11_isTrue(object,CKA_PRIVATE)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    /* certificates must have a type */
+    if ( !pk11_hasAttribute(object,CKA_SUBJECT) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+    if ( !pk11_hasAttribute(object,CKA_NETSCAPE_EMAIL) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+
+    if (pk11_isTrue(object,CKA_TOKEN)) {
+	PK11Slot *slot = session->slot;
+	SECItem derSubj,rawProfile,rawTime,emailKey;
+	SECItem *pRawProfile = NULL;
+	SECItem *pRawTime = NULL;
+	char *email = NULL;
+    	PK11Attribute *subject,*profile,*time;
+	SECStatus rv;
+
+	PORT_Assert(slot);
+	if (slot->certDB == NULL) {
+	    return CKR_TOKEN_WRITE_PROTECTED;
+	}
+
+	/* lookup SUBJECT */
+	subject = pk11_FindAttribute(object,CKA_SUBJECT);
+	PORT_Assert(subject);
+	derSubj.data = (unsigned char *)subject->attrib.pValue;
+	derSubj.len = subject->attrib.ulValueLen ;
+
+	/* lookup VALUE */
+	profile = pk11_FindAttribute(object,CKA_VALUE);
+	if (profile) {
+	    rawProfile.data = (unsigned char *)profile->attrib.pValue;
+	    rawProfile.len = profile->attrib.ulValueLen ;
+	    pRawProfile = &rawProfile;
+	}
+
+	/* lookup Time */
+	time = pk11_FindAttribute(object,CKA_NETSCAPE_SMIME_TIMESTAMP);
+	if (time) {
+	    rawTime.data = (unsigned char *)time->attrib.pValue;
+	    rawTime.len = time->attrib.ulValueLen ;
+	    pRawTime = &rawTime;
+	}
+
+
+	email = pk11_getString(object,CKA_NETSCAPE_EMAIL);
+
+	/* Store CRL by SUBJECT */
+	rv = nsslowcert_SaveSMimeProfile(slot->certDB, email, &derSubj, 
+				pRawProfile,pRawTime);
+
+    	pk11_FreeAttribute(subject);
+    	if (profile) pk11_FreeAttribute(profile);
+    	if (time) pk11_FreeAttribute(time);
+	if (rv != SECSuccess) {
+    	    PORT_Free(email);
+	    return CKR_DEVICE_ERROR;
+	}
+	emailKey.data = (unsigned char *)email;
+	emailKey.len = PORT_Strlen(email)+1;
+
+	object->handle = pk11_mkHandle(slot, &emailKey, PK11_TOKEN_TYPE_SMIME);
+    	PORT_Free(email);
+    }
+
+    return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Trust Object 
+ */
+static CK_RV
+pk11_handleCrlObject(PK11Session *session,PK11Object *object)
+{
+
+    /* we can't store any certs private */
+    if (pk11_isTrue(object,CKA_PRIVATE)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    /* certificates must have a type */
+    if ( !pk11_hasAttribute(object,CKA_SUBJECT) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+    if ( !pk11_hasAttribute(object,CKA_VALUE) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+
+    if (pk11_isTrue(object,CKA_TOKEN)) {
+	PK11Slot *slot = session->slot;
+	PRBool isKRL = PR_FALSE;
+	SECItem derSubj,derCrl;
+	char *url = NULL;
+    	PK11Attribute *subject,*crl;
+	SECStatus rv;
+
+	PORT_Assert(slot);
+	if (slot->certDB == NULL) {
+	    return CKR_TOKEN_WRITE_PROTECTED;
+	}
+
+	/* lookup SUBJECT */
+	subject = pk11_FindAttribute(object,CKA_SUBJECT);
+	PORT_Assert(subject);
+	derSubj.data = (unsigned char *)subject->attrib.pValue;
+	derSubj.len = subject->attrib.ulValueLen ;
+
+	/* lookup VALUE */
+	crl = pk11_FindAttribute(object,CKA_VALUE);
+	PORT_Assert(crl);
+	derCrl.data = (unsigned char *)crl->attrib.pValue;
+	derCrl.len = crl->attrib.ulValueLen ;
+
+
+	url = pk11_getString(object,CKA_NETSCAPE_URL);
+	isKRL = pk11_isTrue(object,CKA_NETSCAPE_KRL);
+
+	/* Store CRL by SUBJECT */
+	rv = nsslowcert_AddCrl(slot->certDB, &derCrl, &derSubj, url, isKRL);
+
+	if (url) {
+	    PORT_Free(url);
+	}
+    	pk11_FreeAttribute(crl);
+	if (rv != SECSuccess) {
+    	    pk11_FreeAttribute(subject);
+	    return CKR_DEVICE_ERROR;
+	}
+
+	object->handle = pk11_mkHandle(slot,&derSubj,
+			isKRL ? PK11_TOKEN_KRL_HANDLE : PK11_TOKEN_TYPE_CRL);
+    	pk11_FreeAttribute(subject);
+    }
+
+    return CKR_OK;
+}
+
+NSSLOWKEYPublicKey * pk11_GetPubKey(PK11Object *object,CK_KEY_TYPE key);
+/*
+ * check the consistancy and initialize a Public Key Object 
+ */
+static CK_RV
+pk11_handlePublicKeyObject(PK11Session *session, PK11Object *object,
+							 CK_KEY_TYPE key_type)
+{
+    CK_BBOOL encrypt = CK_TRUE;
+    CK_BBOOL recover = CK_TRUE;
+    CK_BBOOL wrap = CK_TRUE;
+    CK_BBOOL derive = CK_FALSE;
+    CK_BBOOL verify = CK_TRUE;
+    CK_ATTRIBUTE_TYPE pubKeyAttr = CKA_VALUE;
+    CK_RV crv;
+
+    switch (key_type) {
+    case CKK_RSA:
+	if ( !pk11_hasAttribute(object, CKA_MODULUS)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !pk11_hasAttribute(object, CKA_PUBLIC_EXPONENT)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	pubKeyAttr = CKA_MODULUS;
+	break;
+    case CKK_DSA:
+	if ( !pk11_hasAttribute(object, CKA_SUBPRIME)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+    case CKK_DH:
+	if ( !pk11_hasAttribute(object, CKA_PRIME)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !pk11_hasAttribute(object, CKA_BASE)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !pk11_hasAttribute(object, CKA_VALUE)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if (key_type == CKK_DH) {
+	    verify = CK_FALSE;
+	    derive = CK_TRUE;
+ 	}
+	encrypt = CK_FALSE;
+	recover = CK_FALSE;
+	wrap = CK_FALSE;
+	break;
+    default:
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+    /* make sure the required fields exist */
+    crv = pk11_defaultAttribute(object,CKA_SUBJECT,NULL,0);
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_defaultAttribute(object,CKA_ENCRYPT,&encrypt,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_defaultAttribute(object,CKA_VERIFY,&verify,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_defaultAttribute(object,CKA_VERIFY_RECOVER,
+						&recover,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_defaultAttribute(object,CKA_WRAP,&wrap,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_defaultAttribute(object,CKA_DERIVE,&derive,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+
+    object->objectInfo = pk11_GetPubKey(object,key_type);
+    object->infoFree = (PK11Free) nsslowkey_DestroyPublicKey;
+
+    if (pk11_isTrue(object,CKA_TOKEN)) {
+	PK11Slot *slot = session->slot;
+	NSSLOWKEYPrivateKey *priv;
+	SECItem pubKey;
+
+	crv = pk11_Attribute2SSecItem(NULL,&pubKey,object,pubKeyAttr);
+	if (crv != CKR_OK) return crv;
+
+	PORT_Assert(pubKey.data);
+	if (slot->keyDB == NULL) {
+	    PORT_Free(pubKey.data);
+	    return CKR_TOKEN_WRITE_PROTECTED;
+	}
+	if (slot->keyDB->version != 3) {
+	    unsigned char buf[SHA1_LENGTH];
+	    SHA1_HashBuf(buf,pubKey.data,pubKey.len);
+	    PORT_Memcpy(pubKey.data,buf,sizeof(buf));
+	    pubKey.len = sizeof(buf);
+	}
+	/* make sure the associated private key already exists */
+	/* only works if we are logged in */
+	priv = nsslowkey_FindKeyByPublicKey(slot->keyDB, &pubKey,
+							 slot->password);
+	if (priv == NULL) {
+	    PORT_Free(pubKey.data);
+	    return CKR_ATTRIBUTE_VALUE_INVALID;
+	}
+	nsslowkey_DestroyPrivateKey(priv);
+
+	object->handle = pk11_mkHandle(slot, &pubKey, PK11_TOKEN_TYPE_PUB);
+	PORT_Free(pubKey.data);
+    }
+
+    return CKR_OK;
+}
+
+static NSSLOWKEYPrivateKey * pk11_mkPrivKey(PK11Object *object,CK_KEY_TYPE key);
+/*
+ * check the consistancy and initialize a Private Key Object 
+ */
+static CK_RV
+pk11_handlePrivateKeyObject(PK11Session *session,PK11Object *object,CK_KEY_TYPE key_type)
+{
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_BBOOL encrypt = CK_TRUE;
+    CK_BBOOL recover = CK_TRUE;
+    CK_BBOOL wrap = CK_TRUE;
+    CK_BBOOL ckfalse = CK_FALSE;
+    SECItem mod;
+    CK_RV crv;
+
+    switch (key_type) {
+    case CKK_RSA:
+	if ( !pk11_hasAttribute(object, CKA_MODULUS)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !pk11_hasAttribute(object, CKA_PUBLIC_EXPONENT)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !pk11_hasAttribute(object, CKA_PRIVATE_EXPONENT)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !pk11_hasAttribute(object, CKA_PRIME_1)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !pk11_hasAttribute(object, CKA_PRIME_2)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !pk11_hasAttribute(object, CKA_EXPONENT_1)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !pk11_hasAttribute(object, CKA_EXPONENT_2)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !pk11_hasAttribute(object, CKA_COEFFICIENT)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	/* make sure Netscape DB attribute is set correctly */
+	crv = pk11_Attribute2SSecItem(NULL, &mod, object, CKA_MODULUS);
+	if (crv != CKR_OK) return crv;
+	crv = pk11_forceAttribute(object, CKA_NETSCAPE_DB, 
+						pk11_item_expand(&mod));
+	if (mod.data) PORT_Free(mod.data);
+	if (crv != CKR_OK) return crv;
+	
+	break;
+    case CKK_DSA:
+	if ( !pk11_hasAttribute(object, CKA_SUBPRIME)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !pk11_hasAttribute(object, CKA_NETSCAPE_DB)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+    case CKK_DH:
+	if ( !pk11_hasAttribute(object, CKA_PRIME)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !pk11_hasAttribute(object, CKA_BASE)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if ( !pk11_hasAttribute(object, CKA_VALUE)) {
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	encrypt = CK_FALSE;
+	recover = CK_FALSE;
+	wrap = CK_FALSE;
+	break;
+    default:
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+    crv = pk11_defaultAttribute(object,CKA_SUBJECT,NULL,0);
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_defaultAttribute(object,CKA_SENSITIVE,&cktrue,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_defaultAttribute(object,CKA_EXTRACTABLE,&cktrue,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_defaultAttribute(object,CKA_DECRYPT,&encrypt,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_defaultAttribute(object,CKA_SIGN,&cktrue,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_defaultAttribute(object,CKA_SIGN_RECOVER,&recover,
+							     sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_defaultAttribute(object,CKA_UNWRAP,&wrap,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    /* the next two bits get modified only in the key gen and token cases */
+    crv = pk11_forceAttribute(object,CKA_ALWAYS_SENSITIVE,
+						&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_forceAttribute(object,CKA_NEVER_EXTRACTABLE,
+						&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+
+    /* should we check the non-token RSA private keys? */
+
+    if (pk11_isTrue(object,CKA_TOKEN)) {
+	PK11Slot *slot = session->slot;
+	NSSLOWKEYPrivateKey *privKey;
+	char *label;
+	SECStatus rv = SECSuccess;
+	SECItem pubKey;
+
+	if (slot->keyDB == NULL) {
+	    return CKR_TOKEN_WRITE_PROTECTED;
+	}
+
+	privKey=pk11_mkPrivKey(object,key_type);
+	if (privKey == NULL) return CKR_HOST_MEMORY;
+	label = pk11_getString(object,CKA_LABEL);
+
+	crv = pk11_Attribute2SSecItem(NULL,&pubKey,object,CKA_NETSCAPE_DB);
+	if (crv != CKR_OK) {
+	    if (label) PORT_Free(label);
+	    nsslowkey_DestroyPrivateKey(privKey);
+	    return CKR_TEMPLATE_INCOMPLETE;
+	}
+	if (slot->keyDB->version != 3) {
+	    unsigned char buf[SHA1_LENGTH];
+	    SHA1_HashBuf(buf,pubKey.data,pubKey.len);
+	    PORT_Memcpy(pubKey.data,buf,sizeof(buf));
+	    pubKey.len = sizeof(buf);
+	}
+
+        if (key_type == CKK_RSA) {
+	    rv = RSA_PrivateKeyCheck(&privKey->u.rsa);
+	    if (rv == SECFailure) {
+		goto fail;
+	    }
+	}
+	rv = nsslowkey_StoreKeyByPublicKey(object->slot->keyDB,
+			privKey, &pubKey, label, object->slot->password);
+
+fail:
+	if (label) PORT_Free(label);
+	object->handle = pk11_mkHandle(slot,&pubKey,PK11_TOKEN_TYPE_PRIV);
+	if (pubKey.data) PORT_Free(pubKey.data);
+	nsslowkey_DestroyPrivateKey(privKey);
+	if (rv != SECSuccess) return CKR_DEVICE_ERROR;
+    } else {
+	object->objectInfo = pk11_mkPrivKey(object,key_type);
+	if (object->objectInfo == NULL) return CKR_HOST_MEMORY;
+	object->infoFree = (PK11Free) nsslowkey_DestroyPrivateKey;
+	/* now NULL out the sensitive attributes */
+	if (pk11_isTrue(object,CKA_SENSITIVE)) {
+	    pk11_nullAttribute(object,CKA_PRIVATE_EXPONENT);
+	    pk11_nullAttribute(object,CKA_PRIME_1);
+	    pk11_nullAttribute(object,CKA_PRIME_2);
+	    pk11_nullAttribute(object,CKA_EXPONENT_1);
+	    pk11_nullAttribute(object,CKA_EXPONENT_2);
+	    pk11_nullAttribute(object,CKA_COEFFICIENT);
+	}
+    }
+    return CKR_OK;
+}
+
+/* forward delcare the DES formating function for handleSecretKey */
+void pk11_FormatDESKey(unsigned char *key, int length);
+static NSSLOWKEYPrivateKey *pk11_mkSecretKeyRep(PK11Object *object);
+
+/* Validate secret key data, and set defaults */
+static CK_RV
+validateSecretKey(PK11Session *session, PK11Object *object, 
+					CK_KEY_TYPE key_type, PRBool isFIPS)
+{
+    CK_RV crv;
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_BBOOL ckfalse = CK_FALSE;
+    PK11Attribute *attribute = NULL;
+    crv = pk11_defaultAttribute(object,CKA_SENSITIVE,
+				isFIPS?&cktrue:&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_defaultAttribute(object,CKA_EXTRACTABLE,
+						&cktrue,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_defaultAttribute(object,CKA_ENCRYPT,&cktrue,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_defaultAttribute(object,CKA_DECRYPT,&cktrue,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_defaultAttribute(object,CKA_SIGN,&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_defaultAttribute(object,CKA_VERIFY,&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_defaultAttribute(object,CKA_WRAP,&cktrue,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_defaultAttribute(object,CKA_UNWRAP,&cktrue,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+
+    if ( !pk11_hasAttribute(object, CKA_VALUE)) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+    /* the next two bits get modified only in the key gen and token cases */
+    crv = pk11_forceAttribute(object,CKA_ALWAYS_SENSITIVE,
+						&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_forceAttribute(object,CKA_NEVER_EXTRACTABLE,
+						&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+
+    /* some types of keys have a value length */
+    crv = CKR_OK;
+    switch (key_type) {
+    /* force CKA_VALUE_LEN to be set */
+    case CKK_GENERIC_SECRET:
+    case CKK_RC2:
+    case CKK_RC4:
+#if NSS_SOFTOKEN_DOES_RC5
+    case CKK_RC5:
+#endif
+#ifdef NSS_SOFTOKEN_DOES_CAST
+    case CKK_CAST:
+    case CKK_CAST3:
+    case CKK_CAST5:
+#endif
+#if NSS_SOFTOKEN_DOES_IDEA
+    case CKK_IDEA:
+#endif
+	attribute = pk11_FindAttribute(object,CKA_VALUE);
+	/* shouldn't happen */
+	if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
+	crv = pk11_forceAttribute(object, CKA_VALUE_LEN, 
+			&attribute->attrib.ulValueLen, sizeof(CK_ULONG));
+	pk11_FreeAttribute(attribute);
+	break;
+    /* force the value to have the correct parity */
+    case CKK_DES:
+    case CKK_DES2:
+    case CKK_DES3:
+    case CKK_CDMF:
+	attribute = pk11_FindAttribute(object,CKA_VALUE);
+	/* shouldn't happen */
+	if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
+	pk11_FormatDESKey((unsigned char*)attribute->attrib.pValue,
+						 attribute->attrib.ulValueLen);
+	pk11_FreeAttribute(attribute);
+	break;
+    default:
+	break;
+    }
+
+    return crv;
+}
+/*
+ * check the consistancy and initialize a Secret Key Object 
+ */
+static CK_RV
+pk11_handleSecretKeyObject(PK11Session *session,PK11Object *object,
+					CK_KEY_TYPE key_type, PRBool isFIPS)
+{
+    CK_RV crv;
+    NSSLOWKEYPrivateKey *privKey = NULL;
+    SECItem pubKey;
+    char *label = NULL;
+
+    pubKey.data = 0;
+
+    /* First validate and set defaults */
+    crv = validateSecretKey(session, object, key_type, isFIPS);
+    if (crv != CKR_OK) goto loser;
+
+    /* If the object is a TOKEN object, store in the database */
+    if (pk11_isTrue(object,CKA_TOKEN)) {
+	PK11Slot *slot = session->slot;
+	SECStatus rv = SECSuccess;
+
+	if (slot->keyDB == NULL) {
+	    return CKR_TOKEN_WRITE_PROTECTED;
+	}
+	privKey=pk11_mkSecretKeyRep(object);
+	if (privKey == NULL) return CKR_HOST_MEMORY;
+
+	label = pk11_getString(object,CKA_LABEL);
+
+	crv = pk11_Attribute2SecItem(NULL, &pubKey, object, CKA_ID);  
+						/* Should this be ID? */
+	if (crv != CKR_OK) goto loser;
+
+	PORT_Assert(slot->keyDB);
+	rv = nsslowkey_StoreKeyByPublicKey(slot->keyDB,
+			privKey, &pubKey, label, slot->password);
+	if (rv != SECSuccess) {
+	    crv = CKR_DEVICE_ERROR;
+	    goto loser;
+	}
+
+	object->handle = pk11_mkHandle(slot,&pubKey,PK11_TOKEN_TYPE_KEY);
+    }
+
+loser:
+    if (label) PORT_Free(label);
+    if (privKey) nsslowkey_DestroyPrivateKey(privKey);
+    if (pubKey.data) PORT_Free(pubKey.data);
+
+    return crv;
+}
+
+/*
+ * check the consistancy and initialize a Key Object 
+ */
+static CK_RV
+pk11_handleKeyObject(PK11Session *session, PK11Object *object)
+{
+    PK11Attribute *attribute;
+    CK_KEY_TYPE key_type;
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_RV crv;
+
+    /* verify the required fields */
+    if ( !pk11_hasAttribute(object,CKA_KEY_TYPE) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+
+    /* now verify the common fields */
+    crv = pk11_defaultAttribute(object,CKA_ID,NULL,0);
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_defaultAttribute(object,CKA_START_DATE,NULL,0);
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_defaultAttribute(object,CKA_END_DATE,NULL,0);
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_defaultAttribute(object,CKA_DERIVE,&cktrue,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+    crv = pk11_defaultAttribute(object,CKA_LOCAL,&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+
+    /* get the key type */
+    attribute = pk11_FindAttribute(object,CKA_KEY_TYPE);
+    key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue;
+    pk11_FreeAttribute(attribute);
+
+    switch (object->objclass) {
+    case CKO_PUBLIC_KEY:
+	return pk11_handlePublicKeyObject(session,object,key_type);
+    case CKO_PRIVATE_KEY:
+	return pk11_handlePrivateKeyObject(session,object,key_type);
+    case CKO_SECRET_KEY:
+	/* make sure the required fields exist */
+	return pk11_handleSecretKeyObject(session,object,key_type,
+			     (PRBool)(session->slot->slotID == FIPS_SLOT_ID));
+    default:
+	break;
+    }
+    return CKR_ATTRIBUTE_VALUE_INVALID;
+}
+
+/*
+ * check the consistancy and Verify a DSA Parameter Object 
+ */
+static CK_RV
+pk11_handleDSAParameterObject(PK11Session *session, PK11Object *object)
+{
+    PK11Attribute *primeAttr = NULL;
+    PK11Attribute *subPrimeAttr = NULL;
+    PK11Attribute *baseAttr = NULL;
+    PK11Attribute *seedAttr = NULL;
+    PK11Attribute *hAttr = NULL;
+    PK11Attribute *attribute;
+    CK_RV crv = CKR_TEMPLATE_INCOMPLETE;
+    PQGParams params;
+    PQGVerify vfy, *verify = NULL;
+    SECStatus result,rv;
+
+    primeAttr = pk11_FindAttribute(object,CKA_PRIME);
+    if (primeAttr == NULL) goto loser;
+    params.prime.data = primeAttr->attrib.pValue;
+    params.prime.len = primeAttr->attrib.ulValueLen;
+
+    subPrimeAttr = pk11_FindAttribute(object,CKA_SUBPRIME);
+    if (subPrimeAttr == NULL) goto loser;
+    params.subPrime.data = subPrimeAttr->attrib.pValue;
+    params.subPrime.len = subPrimeAttr->attrib.ulValueLen;
+
+    baseAttr = pk11_FindAttribute(object,CKA_BASE);
+    if (baseAttr == NULL) goto loser;
+    params.base.data = baseAttr->attrib.pValue;
+    params.base.len = baseAttr->attrib.ulValueLen;
+
+    attribute = pk11_FindAttribute(object, CKA_NETSCAPE_PQG_COUNTER);
+    if (attribute != NULL) {
+	vfy.counter = *(CK_ULONG *) attribute->attrib.pValue;
+	pk11_FreeAttribute(attribute);
+
+	seedAttr = pk11_FindAttribute(object, CKA_NETSCAPE_PQG_SEED);
+	if (seedAttr == NULL) goto loser;
+	vfy.seed.data = seedAttr->attrib.pValue;
+	vfy.seed.len = seedAttr->attrib.ulValueLen;
+
+	hAttr = pk11_FindAttribute(object, CKA_NETSCAPE_PQG_H);
+	if (hAttr == NULL) goto loser;
+	vfy.h.data = hAttr->attrib.pValue;
+	vfy.h.len = hAttr->attrib.ulValueLen;
+
+	verify = &vfy;
+    }
+
+    crv = CKR_FUNCTION_FAILED;
+    rv = PQG_VerifyParams(&params,verify,&result);
+    if (rv == SECSuccess) {
+	crv = (result== SECSuccess) ? CKR_OK : CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+loser:
+    if (hAttr) pk11_FreeAttribute(hAttr);
+    if (seedAttr) pk11_FreeAttribute(seedAttr);
+    if (baseAttr) pk11_FreeAttribute(baseAttr);
+    if (subPrimeAttr) pk11_FreeAttribute(subPrimeAttr);
+    if (primeAttr) pk11_FreeAttribute(primeAttr);
+
+    return crv;
+}
+
+/*
+ * check the consistancy and initialize a Key Parameter Object 
+ */
+static CK_RV
+pk11_handleKeyParameterObject(PK11Session *session, PK11Object *object)
+{
+    PK11Attribute *attribute;
+    CK_KEY_TYPE key_type;
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_RV crv;
+
+    /* verify the required fields */
+    if ( !pk11_hasAttribute(object,CKA_KEY_TYPE) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+
+    /* now verify the common fields */
+    crv = pk11_defaultAttribute(object,CKA_LOCAL,&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+
+    /* get the key type */
+    attribute = pk11_FindAttribute(object,CKA_KEY_TYPE);
+    key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue;
+    pk11_FreeAttribute(attribute);
+
+    switch (key_type) {
+    case CKK_DSA:
+	return pk11_handleDSAParameterObject(session,object);
+	
+    default:
+	break;
+    }
+    return CKR_KEY_TYPE_INCONSISTENT;
+}
+
+/* 
+ * Handle Object does all the object consistancy checks, automatic attribute
+ * generation, attribute defaulting, etc. If handleObject succeeds, the object
+ * will be assigned an object handle, and the object installed in the session
+ * or stored in the DB.
+ */
+CK_RV
+pk11_handleObject(PK11Object *object, PK11Session *session)
+{
+    PK11Slot *slot = session->slot;
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_BBOOL cktrue = CK_TRUE;
+    PK11Attribute *attribute;
+    CK_RV crv;
+
+    /* make sure all the base object types are defined. If not set the
+     * defaults */
+    crv = pk11_defaultAttribute(object,CKA_TOKEN,&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK) return crv;
+    crv = pk11_defaultAttribute(object,CKA_PRIVATE,&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK) return crv;
+    crv = pk11_defaultAttribute(object,CKA_LABEL,NULL,0);
+    if (crv != CKR_OK) return crv;
+    crv = pk11_defaultAttribute(object,CKA_MODIFIABLE,&cktrue,sizeof(CK_BBOOL));
+    if (crv != CKR_OK) return crv;
+
+    /* don't create a private object if we aren't logged in */
+    if ((!slot->isLoggedIn) && (slot->needLogin) &&
+				(pk11_isTrue(object,CKA_PRIVATE))) {
+	return CKR_USER_NOT_LOGGED_IN;
+    }
+
+
+    if (((session->info.flags & CKF_RW_SESSION) == 0) &&
+				(pk11_isTrue(object,CKA_TOKEN))) {
+	return CKR_SESSION_READ_ONLY;
+    }
+	
+    /* PKCS #11 object ID's are unique for all objects on a
+     * token */
+    PK11_USE_THREADS(PZ_Lock(slot->objectLock);)
+    object->handle = slot->tokenIDCount++;
+    PK11_USE_THREADS(PZ_Unlock(slot->objectLock);)
+
+    /* get the object class */
+    attribute = pk11_FindAttribute(object,CKA_CLASS);
+    if (attribute == NULL) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+    object->objclass = *(CK_OBJECT_CLASS *)attribute->attrib.pValue;
+    pk11_FreeAttribute(attribute);
+
+    /* now handle the specific. Get a session handle for these functions
+     * to use */
+    switch (object->objclass) {
+    case CKO_DATA:
+	crv = pk11_handleDataObject(session,object);
+	break;
+    case CKO_CERTIFICATE:
+	crv = pk11_handleCertObject(session,object);
+	break;
+    case CKO_NETSCAPE_TRUST:
+	crv = pk11_handleTrustObject(session,object);
+	break;
+    case CKO_NETSCAPE_CRL:
+	crv = pk11_handleCrlObject(session,object);
+	break;
+    case CKO_NETSCAPE_SMIME:
+	crv = pk11_handleSMimeObject(session,object);
+	break;
+    case CKO_PRIVATE_KEY:
+    case CKO_PUBLIC_KEY:
+    case CKO_SECRET_KEY:
+	crv = pk11_handleKeyObject(session,object);
+	break;
+    case CKO_KG_PARAMETERS:
+	crv = pk11_handleKeyParameterObject(session,object);
+	break;
+    default:
+	crv = CKR_ATTRIBUTE_VALUE_INVALID;
+	break;
+    }
+
+    /* can't fail from here on out unless the pk_handlXXX functions have
+     * failed the request */
+    if (crv != CKR_OK) {
+	return crv;
+    }
+
+    /* now link the object into the slot and session structures */
+    if (pk11_isToken(object->handle)) {
+	pk11_convertSessionToToken(object);
+    } else {
+	object->slot = slot;
+	pk11_AddObject(session,object);
+    }
+
+    return CKR_OK;
+}
+
+/*
+ * ******************** Public Key Utilities ***************************
+ */
+/* Generate a low public key structure from an object */
+NSSLOWKEYPublicKey *pk11_GetPubKey(PK11Object *object,CK_KEY_TYPE key_type)
+{
+    NSSLOWKEYPublicKey *pubKey;
+    PLArenaPool *arena;
+    CK_RV crv;
+
+    if (object->objclass != CKO_PUBLIC_KEY) {
+	return NULL;
+    }
+
+    if (pk11_isToken(object->handle)) {
+/* ferret out the token object handle */
+    }
+
+    /* If we already have a key, use it */
+    if (object->objectInfo) {
+	return (NSSLOWKEYPublicKey *)object->objectInfo;
+    }
+
+    /* allocate the structure */
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) return NULL;
+
+    pubKey = (NSSLOWKEYPublicKey *)
+			PORT_ArenaAlloc(arena,sizeof(NSSLOWKEYPublicKey));
+    if (pubKey == NULL) {
+    	PORT_FreeArena(arena,PR_FALSE);
+	return NULL;
+    }
+
+    /* fill in the structure */
+    pubKey->arena = arena;
+    switch (key_type) {
+    case CKK_RSA:
+	pubKey->keyType = NSSLOWKEYRSAKey;
+	crv = pk11_Attribute2SSecItem(arena,&pubKey->u.rsa.modulus,
+							object,CKA_MODULUS);
+    	if (crv != CKR_OK) break;
+    	crv = pk11_Attribute2SSecItem(arena,&pubKey->u.rsa.publicExponent,
+						object,CKA_PUBLIC_EXPONENT);
+	break;
+    case CKK_DSA:
+	pubKey->keyType = NSSLOWKEYDSAKey;
+	crv = pk11_Attribute2SSecItem(arena,&pubKey->u.dsa.params.prime,
+							object,CKA_PRIME);
+    	if (crv != CKR_OK) break;
+	crv = pk11_Attribute2SSecItem(arena,&pubKey->u.dsa.params.subPrime,
+							object,CKA_SUBPRIME);
+    	if (crv != CKR_OK) break;
+	crv = pk11_Attribute2SSecItem(arena,&pubKey->u.dsa.params.base,
+							object,CKA_BASE);
+    	if (crv != CKR_OK) break;
+    	crv = pk11_Attribute2SSecItem(arena,&pubKey->u.dsa.publicValue,
+							object,CKA_VALUE);
+	break;
+    case CKK_DH:
+	pubKey->keyType = NSSLOWKEYDHKey;
+	crv = pk11_Attribute2SSecItem(arena,&pubKey->u.dh.prime,
+							object,CKA_PRIME);
+    	if (crv != CKR_OK) break;
+	crv = pk11_Attribute2SSecItem(arena,&pubKey->u.dh.base,
+							object,CKA_BASE);
+    	if (crv != CKR_OK) break;
+    	crv = pk11_Attribute2SSecItem(arena,&pubKey->u.dsa.publicValue,
+							object,CKA_VALUE);
+	break;
+    default:
+	crv = CKR_KEY_TYPE_INCONSISTENT;
+	break;
+    }
+    if (crv != CKR_OK) {
+    	PORT_FreeArena(arena,PR_FALSE);
+	return NULL;
+    }
+
+    object->objectInfo = pubKey;
+    object->infoFree = (PK11Free) nsslowkey_DestroyPublicKey;
+    return pubKey;
+}
+
+/* make a private key from a verified object */
+static NSSLOWKEYPrivateKey *
+pk11_mkPrivKey(PK11Object *object,CK_KEY_TYPE key_type)
+{
+    NSSLOWKEYPrivateKey *privKey;
+    PLArenaPool *arena;
+    CK_RV crv = CKR_OK;
+    SECStatus rv;
+
+    PORT_Assert(!pk11_isToken(object->handle));
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) return NULL;
+
+    privKey = (NSSLOWKEYPrivateKey *)
+			PORT_ArenaAlloc(arena,sizeof(NSSLOWKEYPrivateKey));
+    if (privKey == NULL)  {
+	PORT_FreeArena(arena,PR_FALSE);
+	return NULL;
+    }
+
+    /* in future this would be a switch on key_type */
+    privKey->arena = arena;
+    switch (key_type) {
+    case CKK_RSA:
+	privKey->keyType = NSSLOWKEYRSAKey;
+	crv=pk11_Attribute2SSecItem(arena,&privKey->u.rsa.modulus,
+							object,CKA_MODULUS);
+	if (crv != CKR_OK) break;
+	crv=pk11_Attribute2SSecItem(arena,&privKey->u.rsa.publicExponent,object,
+							CKA_PUBLIC_EXPONENT);
+	if (crv != CKR_OK) break;
+	crv=pk11_Attribute2SSecItem(arena,&privKey->u.rsa.privateExponent,object,
+							CKA_PRIVATE_EXPONENT);
+	if (crv != CKR_OK) break;
+	crv=pk11_Attribute2SSecItem(arena,&privKey->u.rsa.prime1,object,
+								CKA_PRIME_1);
+	if (crv != CKR_OK) break;
+	crv=pk11_Attribute2SSecItem(arena,&privKey->u.rsa.prime2,object,
+								CKA_PRIME_2);
+	if (crv != CKR_OK) break;
+	crv=pk11_Attribute2SSecItem(arena,&privKey->u.rsa.exponent1,
+						object, CKA_EXPONENT_1);
+	if (crv != CKR_OK) break;
+	crv=pk11_Attribute2SSecItem(arena,&privKey->u.rsa.exponent2,
+							object, CKA_EXPONENT_2);
+	if (crv != CKR_OK) break;
+	crv=pk11_Attribute2SSecItem(arena,&privKey->u.rsa.coefficient,object,
+							      CKA_COEFFICIENT);
+	if (crv != CKR_OK) break;
+        rv = DER_SetUInteger(privKey->arena, &privKey->u.rsa.version,
+                          NSSLOWKEY_VERSION);
+	if (rv != SECSuccess) crv = CKR_HOST_MEMORY;
+	break;
+
+    case CKK_DSA:
+	privKey->keyType = NSSLOWKEYDSAKey;
+	crv = pk11_Attribute2SSecItem(arena,&privKey->u.dsa.params.prime,
+							object,CKA_PRIME);
+    	if (crv != CKR_OK) break;
+	crv = pk11_Attribute2SSecItem(arena,&privKey->u.dsa.params.subPrime,
+							object,CKA_SUBPRIME);
+    	if (crv != CKR_OK) break;
+	crv = pk11_Attribute2SSecItem(arena,&privKey->u.dsa.params.base,
+							object,CKA_BASE);
+    	if (crv != CKR_OK) break;
+    	crv = pk11_Attribute2SSecItem(arena,&privKey->u.dsa.privateValue,
+							object,CKA_VALUE);
+    	if (crv != CKR_OK) break;
+    	crv = pk11_Attribute2SSecItem(arena,&privKey->u.dsa.publicValue,
+							object,CKA_NETSCAPE_DB);
+	/* can't set the public value.... */
+	break;
+
+    case CKK_DH:
+	privKey->keyType = NSSLOWKEYDHKey;
+	crv = pk11_Attribute2SSecItem(arena,&privKey->u.dh.prime,
+							object,CKA_PRIME);
+    	if (crv != CKR_OK) break;
+	crv = pk11_Attribute2SSecItem(arena,&privKey->u.dh.base,
+							object,CKA_BASE);
+    	if (crv != CKR_OK) break;
+    	crv = pk11_Attribute2SSecItem(arena,&privKey->u.dh.privateValue,
+							object,CKA_VALUE);
+    	if (crv != CKR_OK) break;
+    	crv = pk11_Attribute2SSecItem(arena,&privKey->u.dh.publicValue,
+							object,CKA_NETSCAPE_DB);
+	break;
+    default:
+	crv = CKR_KEY_TYPE_INCONSISTENT;
+	break;
+    }
+    if (crv != CKR_OK) {
+	PORT_FreeArena(arena,PR_FALSE);
+	return NULL;
+    }
+    return privKey;
+}
+
+
+/* Generate a low private key structure from an object */
+NSSLOWKEYPrivateKey *
+pk11_GetPrivKey(PK11Object *object,CK_KEY_TYPE key_type)
+{
+    NSSLOWKEYPrivateKey *priv = NULL;
+
+    if (object->objclass != CKO_PRIVATE_KEY) {
+	return NULL;
+    }
+    if (object->objectInfo) {
+	return (NSSLOWKEYPrivateKey *)object->objectInfo;
+    }
+
+    if (pk11_isToken(object->handle)) {
+	/* grab it from the data base */
+	PK11TokenObject *to = pk11_narrowToTokenObject(object);
+
+	PORT_Assert(to);
+	PORT_Assert(object->slot->keyDB);	
+	priv = nsslowkey_FindKeyByPublicKey(object->slot->keyDB, &to->dbKey,
+				       object->slot->password);
+    } else {
+	priv = pk11_mkPrivKey(object, key_type);
+    }
+    object->objectInfo = priv;
+    object->infoFree = (PK11Free) nsslowkey_DestroyPrivateKey;
+    return priv;
+}
+
+/*
+ **************************** Symetric Key utils ************************
+ */
+/*
+ * set the DES key with parity bits correctly
+ */
+void
+pk11_FormatDESKey(unsigned char *key, int length)
+{
+    int i;
+
+    /* format the des key */
+    for (i=0; i < length; i++) {
+	key[i] = parityTable[key[i]>>1];
+    }
+}
+
+/*
+ * check a des key (des2 or des3 subkey) for weak keys.
+ */
+PRBool
+pk11_CheckDESKey(unsigned char *key)
+{
+    int i;
+
+    /* format the des key with parity  */
+    pk11_FormatDESKey(key, 8);
+
+    for (i=0; i < pk11_desWeakTableSize; i++) {
+	if (PORT_Memcmp(key,pk11_desWeakTable[i],8) == 0) {
+	    return PR_TRUE;
+	}
+    }
+    return PR_FALSE;
+}
+
+/*
+ * check if a des or triple des key is weak.
+ */
+PRBool
+pk11_IsWeakKey(unsigned char *key,CK_KEY_TYPE key_type)
+{
+
+    switch(key_type) {
+    case CKK_DES:
+	return pk11_CheckDESKey(key);
+    case CKM_DES2_KEY_GEN:
+	if (pk11_CheckDESKey(key)) return PR_TRUE;
+	return pk11_CheckDESKey(&key[8]);
+    case CKM_DES3_KEY_GEN:
+	if (pk11_CheckDESKey(key)) return PR_TRUE;
+	if (pk11_CheckDESKey(&key[8])) return PR_TRUE;
+	return pk11_CheckDESKey(&key[16]);
+    default:
+	break;
+    }
+    return PR_FALSE;
+}
+
+
+/* make a fake private key representing a symmetric key */
+static NSSLOWKEYPrivateKey *
+pk11_mkSecretKeyRep(PK11Object *object)
+{
+    NSSLOWKEYPrivateKey *privKey;
+    PLArenaPool *arena = 0;
+    CK_RV crv;
+    SECStatus rv;
+    static unsigned char derZero[1] = { 0 };
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) { crv = CKR_HOST_MEMORY; goto loser; }
+
+    privKey = (NSSLOWKEYPrivateKey *)
+			PORT_ArenaAlloc(arena,sizeof(NSSLOWKEYPrivateKey));
+    if (privKey == NULL) { crv = CKR_HOST_MEMORY; goto loser; }
+
+    privKey->arena = arena;
+
+    /* Secret keys are represented in the database as "fake" RSA keys.  The RSA key
+     * is marked as a secret key representation by setting the public exponent field
+     * to 0, which is an invalid RSA exponent.  The other fields are set as follows:
+     *   modulus - CKA_ID value for the secret key
+     *   private exponent - CKA_VALUE (the key itself)
+     *   coefficient - CKA_KEY_TYPE, which indicates what encryption algorithm
+     *      is used for the key.
+     *   all others - set to integer 0
+     */
+    privKey->keyType = NSSLOWKEYRSAKey;
+
+    /* The modulus is set to the key id of the symmetric key */
+    crv=pk11_Attribute2SecItem(arena,&privKey->u.rsa.modulus,object,CKA_ID);
+    if (crv != CKR_OK) goto loser;
+
+    /* The public exponent is set to 0 length to indicate a special key */
+    privKey->u.rsa.publicExponent.len = sizeof derZero;
+    privKey->u.rsa.publicExponent.data = derZero;
+
+    /* The private exponent is the actual key value */
+    crv=pk11_Attribute2SecItem(arena,&privKey->u.rsa.privateExponent,object,CKA_VALUE);
+    if (crv != CKR_OK) goto loser;
+
+    /* All other fields empty - needs testing */
+    privKey->u.rsa.prime1.len = sizeof derZero;
+    privKey->u.rsa.prime1.data = derZero;
+
+    privKey->u.rsa.prime2.len = sizeof derZero;
+    privKey->u.rsa.prime2.data = derZero;
+
+    privKey->u.rsa.exponent1.len = sizeof derZero;
+    privKey->u.rsa.exponent1.data = derZero;
+
+    privKey->u.rsa.exponent2.len = sizeof derZero;
+    privKey->u.rsa.exponent2.data = derZero;
+
+    /* Coeficient set to KEY_TYPE */
+    crv=pk11_Attribute2SecItem(arena,&privKey->u.rsa.coefficient,object,CKA_KEY_TYPE);
+    if (crv != CKR_OK) goto loser;
+
+    /* Private key version field set normally for compatibility */
+    rv = DER_SetUInteger(privKey->arena, 
+			&privKey->u.rsa.version, NSSLOWKEY_VERSION);
+    if (rv != SECSuccess) { crv = CKR_HOST_MEMORY; goto loser; }
+
+loser:
+    if (crv != CKR_OK) {
+	PORT_FreeArena(arena,PR_FALSE);
+	privKey = 0;
+    }
+
+    return privKey;
+}
+
+static PRBool
+isSecretKey(NSSLOWKEYPrivateKey *privKey)
+{
+  if (privKey->keyType == NSSLOWKEYRSAKey && 
+		privKey->u.rsa.publicExponent.len == 1 &&
+      				privKey->u.rsa.publicExponent.data[0] == 0)
+    return PR_TRUE;
+
+  return PR_FALSE;
+}
+
+/**********************************************************************
+ *
+ *     Start of PKCS 11 functions 
+ *
+ **********************************************************************/
+
+
+/* return the function list */
+CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList)
+{
+    *pFunctionList = (CK_FUNCTION_LIST_PTR) &pk11_funcList;
+    return CKR_OK;
+}
+
+/* return the function list */
+CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList)
+{
+    return NSC_GetFunctionList(pFunctionList);
+}
+
+static PLHashNumber
+pk11_HashNumber(const void *key)
+{
+    return (PLHashNumber) key;
+}
+
+/*
+ * eventually I'd like to expunge all occurances of XXX_SLOT_ID and
+ * just go with the info in the slot. This is one place, however,
+ * where it might be a little difficult.
+ */
+const char *
+pk11_getDefTokName(CK_SLOT_ID slotID)
+{
+    static char buf[33];
+
+    switch (slotID) {
+    case NETSCAPE_SLOT_ID:
+	return "NSS Generic Crypto Services     ";
+    case PRIVATE_KEY_SLOT_ID:
+	return "NSS Certificate DB              ";
+    case FIPS_SLOT_ID:
+        return "NSS FIPS-140-1 Cerificate DB    ";
+    default:
+	break;
+    }
+    sprintf(buf,"NSS Application Token %08x  ",(unsigned int) slotID);
+    return buf;
+}
+
+const char *
+pk11_getDefSlotName(CK_SLOT_ID slotID)
+{
+    static char buf[65];
+
+    switch (slotID) {
+    case NETSCAPE_SLOT_ID:
+	return 
+	 "NSS Internal Cryptographic Services Version 3.4                 ";
+    case PRIVATE_KEY_SLOT_ID:
+	return 
+	 "NSS User Private Key and Certificate Services                   ";
+    case FIPS_SLOT_ID:
+        return 
+         "Netscape FIPS-140-1 User Private Key Services                   ";
+    default:
+	break;
+    }
+    sprintf(buf,
+     "NSS Application Slot %08x                                   ",
+							(unsigned int) slotID);
+    return buf;
+}
+
+static CK_ULONG nscSlotCount = 0;
+static CK_SLOT_ID_PTR nscSlotList = NULL;
+static CK_ULONG nscSlotListSize = 0;
+static PLHashTable *nscSlotHashTable = NULL;
+
+/* look up a slot structure from the ID (used to be a macro when we only
+ * had two slots) */
+PK11Slot *
+pk11_SlotFromID(CK_SLOT_ID slotID)
+{
+    return (PK11Slot *)PL_HashTableLookupConst(nscSlotHashTable, (void *)slotID);
+}
+
+PK11Slot *
+pk11_SlotFromSessionHandle(CK_SESSION_HANDLE handle)
+{
+    int slotIDIndex = (handle >> 24) & 0xff;
+
+    if (slotIDIndex >= nscSlotCount) {
+	return NULL;
+    }
+
+    return pk11_SlotFromID(nscSlotList[slotIDIndex]);
+}
+ 
+PK11Slot * pk11_NewSlotFromID(CK_SLOT_ID slotID)
+{
+    PK11Slot *slot = NULL;
+    PLHashEntry *entry;
+
+    if (nscSlotList == NULL) {
+	nscSlotListSize = NSC_SLOT_LIST_BLOCK_SIZE;
+	nscSlotList = (CK_SLOT_ID *)
+			PORT_ZAlloc(nscSlotListSize*sizeof(CK_SLOT_ID));
+	if (nscSlotList == NULL) {
+	    return NULL;
+	}
+    }
+    if (nscSlotCount >= nscSlotListSize) {
+	nscSlotListSize += NSC_SLOT_LIST_BLOCK_SIZE;
+	nscSlotList = (CK_SLOT_ID *) PORT_Realloc(nscSlotList,
+					nscSlotListSize*sizeof(CK_SLOT_ID));
+	if (nscSlotList == NULL) {
+	    return NULL;
+	}
+    }
+
+    if (nscSlotHashTable == NULL) {
+	nscSlotHashTable = PL_NewHashTable(64,pk11_HashNumber,PL_CompareValues,
+					PL_CompareValues, NULL, 0);
+	if (nscSlotHashTable == NULL) {
+	    return NULL;
+	}
+    }
+
+    slot = (PK11Slot *) PORT_ZAlloc(sizeof(PK11Slot));
+    if (slot == NULL) {
+	return NULL;
+    }
+
+    entry = PL_HashTableAdd(nscSlotHashTable,(void *)slotID,slot);
+    if (entry == NULL) {
+	PORT_Free(slot);
+	return NULL;
+    }
+    slot->index = nscSlotCount;
+    nscSlotList[nscSlotCount++] = slotID;
+
+    return slot;
+}
+
+/*
+ * initialize one of the slot structures. figure out which by the ID
+ */
+CK_RV
+PK11_SlotInit(char *configdir,pk11_token_parameters *params)
+{
+    int i;
+    CK_SLOT_ID slotID = params->slotID;
+    PK11Slot *slot = pk11_NewSlotFromID(slotID);
+    PRBool needLogin = !params->noKeyDB;
+    CK_RV crv;
+
+    if (slot == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+
+#ifdef PKCS11_USE_THREADS
+    slot->slotLock = PZ_NewLock(nssILockSession);
+    if (slot->slotLock == NULL) return CKR_HOST_MEMORY;
+    for (i=0; i < NUMBER_OF_SESSION_LOCKS; i++) {
+        slot->sessionLock[i] = PZ_NewLock(nssILockSession);
+        if (slot->sessionLock[i] == NULL) return CKR_HOST_MEMORY;
+    }
+    slot->objectLock = PZ_NewLock(nssILockObject);
+    if (slot->objectLock == NULL) return CKR_HOST_MEMORY;
+#else
+    slot->slotLock = NULL;
+    for (i=0; i < NUMBER_OF_SESSION_LOCKS; i++) {
+        slot->sessionLock[i] = NULL;
+    }
+    slot->objectLock = NULL;
+#endif
+    for(i=0; i < SESSION_HASH_SIZE; i++) {
+	slot->head[i] = NULL;
+    }
+    for(i=0; i < TOKEN_OBJECT_HASH_SIZE; i++) {
+	slot->tokObjects[i] = NULL;
+    }
+    slot->tokenHashTable = PL_NewHashTable(64,pk11_HashNumber,PL_CompareValues,
+					SECITEM_HashCompare, NULL, 0);
+    if (slot->tokenHashTable == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+    slot->password = NULL;
+    slot->hasTokens = PR_FALSE;
+    slot->sessionIDCount = 0;
+    slot->sessionIDConflict = 0;
+    slot->sessionCount = 0;
+    slot->rwSessionCount = 0;
+    slot->tokenIDCount = 1;
+    slot->needLogin = PR_FALSE;
+    slot->isLoggedIn = PR_FALSE;
+    slot->ssoLoggedIn = PR_FALSE;
+    slot->DB_loaded = PR_FALSE;
+    slot->slotID = slotID;
+    slot->certDB = NULL;
+    slot->keyDB = NULL;
+    slot->minimumPinLen = 0;
+    slot->readOnly = params->readOnly;
+    pk11_setStringName(params->tokdes ? params->tokdes : 
+	pk11_getDefTokName(slotID), slot->tokDescription, 
+						sizeof(slot->tokDescription));
+    pk11_setStringName(params->slotdes ? params->slotdes : 
+	pk11_getDefSlotName(slotID), slot->slotDescription, 
+						sizeof(slot->slotDescription));
+
+    if ((!params->noCertDB) || (!params->noKeyDB)) {
+	crv = pk11_DBInit(params->configdir ? params->configdir : configdir,
+		params->certPrefix, params->keyPrefix, params->readOnly,
+		params->noCertDB, params->noKeyDB, params->forceOpen, 
+						&slot->certDB, &slot->keyDB);
+	if (crv != CKR_OK) {
+	    /* shoutdown slot? */
+	    return crv;
+	}
+    }
+    if (needLogin) {
+	/* if the data base is initialized with a null password,remember that */
+	slot->needLogin = 
+		(PRBool)!pk11_hasNullPassword(slot->keyDB,&slot->password);
+	if (params->minPW <= PK11_MAX_PIN) {
+	    slot->minimumPinLen = params->minPW;
+	}
+	if ((slot->minimumPinLen == 0) && (params->pwRequired) && 
+		(slot->minimumPinLen <= PK11_MAX_PIN)) {
+	    slot->minimumPinLen = 1;
+	}
+    }
+    return CKR_OK;
+}
+
+static PRIntn
+pk11_freeHashItem(PLHashEntry* entry, PRIntn index, void *arg)
+{
+    SECItem *item = (SECItem *)entry->value;
+
+    SECITEM_FreeItem(item, PR_TRUE);
+    return HT_ENUMERATE_NEXT;
+}
+
+/*
+ * initialize one of the slot structures. figure out which by the ID
+ */
+static CK_RV
+pk11_DestroySlotData(PK11Slot *slot)
+{
+    int i;
+
+#ifdef PKCS11_USE_THREADS
+    if (slot->slotLock) {
+	PZ_DestroyLock(slot->slotLock);
+	slot->slotLock = NULL;
+    }
+    for (i=0; i < NUMBER_OF_SESSION_LOCKS; i++) {
+        if (slot->sessionLock[i]) {
+            PZ_DestroyLock(slot->sessionLock[i]);
+            slot->sessionLock[i] = NULL;
+        }
+    }
+    if (slot->objectLock) {
+	PZ_DestroyLock(slot->objectLock);
+	slot->objectLock = NULL;
+    }
+#endif
+
+    PL_HashTableEnumerateEntries(slot->tokenHashTable,pk11_freeHashItem,NULL);
+    PL_HashTableDestroy(slot->tokenHashTable);
+
+    for(i=0; i < TOKEN_OBJECT_HASH_SIZE; i++) {
+	PK11Object *object = slot->tokObjects[i];
+	slot->tokObjects[i] = NULL;
+	if (object) pk11_FreeObject(object);
+    }
+
+    for(i=0; i < SESSION_HASH_SIZE; i++) {
+	PK11Session *session = slot->head[i];
+	slot->head[i] = NULL;
+	if (session) pk11_FreeSession(session);
+    }
+    pk11_DBShutdown(slot->certDB,slot->keyDB);
+
+    PORT_Free(slot);
+    return CKR_OK;
+}
+
+/*
+ * handle the SECMOD.db
+ */
+char **
+NSC_ModuleDBFunc(unsigned long function,char *parameters, char *args)
+{
+    char *secmod;
+    PRBool rw;
+    static char *success="Success";
+    char **rvstr = NULL;
+
+    secmod = secmod_getSecmodName(parameters,&rw);
+
+    switch (function) {
+    case SECMOD_MODULE_DB_FUNCTION_FIND:
+	rvstr = secmod_ReadPermDB(secmod,parameters,rw);
+	break;
+    case SECMOD_MODULE_DB_FUNCTION_ADD:
+	rvstr = (secmod_AddPermDB(secmod,args,rw) == SECSuccess) 
+							? &success: NULL;
+	break;
+    case SECMOD_MODULE_DB_FUNCTION_DEL:
+	rvstr = (secmod_DeletePermDB(secmod,args,rw) == SECSuccess) 
+							? &success: NULL;
+	break;
+    }
+    if (secmod) PR_smprintf_free(secmod);
+    return rvstr;
+}
+
+
+static PRBool nsc_init = PR_FALSE;
+/* NSC_Initialize initializes the Cryptoki library. */
+CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS)
+{
+    CK_RV crv = CKR_OK;
+    SECStatus rv;
+    CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *) pReserved;
+    int i;
+
+    if (nsc_init) {
+	return crv;
+    }
+
+    rv = RNG_RNGInit();         /* initialize random number generator */
+    if (rv != SECSuccess) {
+	crv = CKR_DEVICE_ERROR;
+	goto loser;
+    }
+    RNG_SystemInfoForRNG();
+
+
+    /* NOTE:
+     * we should be getting out mutexes from this list, not statically binding
+     * them from NSPR. This should happen before we allow the internal to split
+     * off from the rest on NSS.
+     */
+
+    /* initialize the key and cert db's */
+    nsslowkey_SetDefaultKeyDBAlg
+			     (SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC);
+    crv = CKR_ARGUMENTS_BAD;
+    if ((init_args && init_args->LibraryParameters)) {
+	pk11_parameters paramStrings;
+       
+	crv = secmod_parseParameters
+		((char *)init_args->LibraryParameters, &paramStrings, isFIPS);
+	if (crv != CKR_OK) {
+	    return crv;
+	}
+	crv = pk11_configure(paramStrings.man, paramStrings.libdes);
+        if (crv != CKR_OK) {
+	    goto loser;
+	}
+
+	for (i=0; i < paramStrings.token_count; i++) {
+	    crv = 
+		PK11_SlotInit(paramStrings.configdir, &paramStrings.tokens[i]);
+	    if (crv != CKR_OK) break;
+	}
+loser:
+	secmod_freeParams(&paramStrings);
+    }
+    nsc_init = (PRBool) (crv == CKR_OK);
+
+    return crv;
+}
+
+CK_RV NSC_Initialize(CK_VOID_PTR pReserved)
+{
+    return nsc_CommonInitialize(pReserved,PR_FALSE);
+}
+
+/* NSC_Finalize indicates that an application is done with the 
+ * Cryptoki library.*/
+CK_RV NSC_Finalize (CK_VOID_PTR pReserved)
+{
+    PK11Slot *slot = NULL;
+    CK_SLOT_ID slotID;
+    int i;
+
+    if (!nsc_init) {
+	return CKR_OK;
+    }
+
+    /* free all the slots */
+    if (nscSlotList) {
+	CK_ULONG tmpSlotCount = nscSlotCount;
+	CK_SLOT_ID_PTR tmpSlotList = nscSlotList;
+	PLHashTable *tmpSlotHashTable = nscSlotHashTable;
+
+	/* now clear out the statics */
+	nscSlotList = NULL;
+	nscSlotCount = 0;
+	nscSlotHashTable = NULL;
+	nscSlotListSize = 0;
+
+	for (i=0; i < tmpSlotCount; i++) {
+	    slotID = tmpSlotList[i];
+	    slot = (PK11Slot *)
+			PL_HashTableLookup(tmpSlotHashTable, (void *)slotID);
+	    PORT_Assert(slot);
+	    if (!slot) continue;
+	    pk11_DestroySlotData(slot);
+	    PL_HashTableRemove(tmpSlotHashTable, (void *)slotID);
+	}
+	PORT_Free(tmpSlotList);
+	PL_HashTableDestroy(tmpSlotHashTable);
+    }
+
+    nsslowcert_DestroyGlobalLocks();
+
+#ifdef LEAK_TEST
+    /*
+     * do we really want to throw away all our hard earned entropy here!!?
+     * No we don't! Not calling RNG_RNGShutdown only 'leaks' data on the 
+     * initial call to RNG_Init(). So the only reason to call this is to clean
+     * up leak detection warnings on shutdown. In many cases we *don't* want
+     * to free up the global RNG context because the application has Finalized
+     * simply to swap profiles. We don't want to loose the entropy we've 
+     * already collected.
+     */
+    RNG_RNGShutdown();
+#endif
+
+    pk11_CleanupFreeLists();
+    /* tell freeBL to clean up after itself */
+    BL_Cleanup();
+    nsc_init = PR_FALSE;
+
+    return CKR_OK;
+}
+
+extern const char __nss_softokn_rcsid[];
+extern const char __nss_softokn_sccsid[];
+
+/* NSC_GetInfo returns general information about Cryptoki. */
+CK_RV  NSC_GetInfo(CK_INFO_PTR pInfo)
+{
+    volatile char c; /* force a reference that won't get optimized away */
+
+    c = __nss_softokn_rcsid[0] + __nss_softokn_sccsid[0]; 
+    pInfo->cryptokiVersion.major = 2;
+    pInfo->cryptokiVersion.minor = 11;
+    PORT_Memcpy(pInfo->manufacturerID,manufacturerID,32);
+    pInfo->libraryVersion.major = 3;
+    pInfo->libraryVersion.minor = 2;
+    PORT_Memcpy(pInfo->libraryDescription,libraryDescription,32);
+    pInfo->flags = 0;
+    return CKR_OK;
+}
+
+/* NSC_GetSlotList obtains a list of slots in the system. */
+CK_RV NSC_GetSlotList(CK_BBOOL tokenPresent,
+	 		CK_SLOT_ID_PTR	pSlotList, CK_ULONG_PTR pulCount)
+{
+    *pulCount = nscSlotCount;
+    if (pSlotList != NULL) {
+	PORT_Memcpy(pSlotList,nscSlotList,nscSlotCount*sizeof(CK_SLOT_ID));
+    }
+    return CKR_OK;
+}
+	
+/* NSC_GetSlotInfo obtains information about a particular slot in the system. */
+CK_RV NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo)
+{
+    PK11Slot *slot = pk11_SlotFromID(slotID);
+    if (slot == NULL) return CKR_SLOT_ID_INVALID;
+
+    pInfo->firmwareVersion.major = 0;
+    pInfo->firmwareVersion.minor = 0;
+    PORT_Memcpy(pInfo->manufacturerID,manufacturerID,32);
+    PORT_Memcpy(pInfo->slotDescription,slot->slotDescription,64);
+    pInfo->flags = CKF_TOKEN_PRESENT;
+    /* ok we really should read it out of the keydb file. */
+    /* pInfo->hardwareVersion.major = NSSLOWKEY_DB_FILE_VERSION; */
+    pInfo->hardwareVersion.major = 3;
+    pInfo->hardwareVersion.minor = 4;
+    return CKR_OK;
+}
+
+#define CKF_THREAD_SAFE 0x8000 /* for now */
+
+/* NSC_GetTokenInfo obtains information about a particular token in 
+ * the system. */
+CK_RV NSC_GetTokenInfo(CK_SLOT_ID slotID,CK_TOKEN_INFO_PTR pInfo)
+{
+    PK11Slot *slot = pk11_SlotFromID(slotID);
+    NSSLOWKEYDBHandle *handle;
+
+    if (slot == NULL) return CKR_SLOT_ID_INVALID;
+
+    PORT_Memcpy(pInfo->manufacturerID,manufacturerID,32);
+    PORT_Memcpy(pInfo->model,"NSS 3           ",16);
+    PORT_Memcpy(pInfo->serialNumber,"0000000000000000",16);
+    pInfo->ulMaxSessionCount = 0; /* arbitrarily large */
+    pInfo->ulSessionCount = slot->sessionCount;
+    pInfo->ulMaxRwSessionCount = 0; /* arbitarily large */
+    pInfo->ulRwSessionCount = slot->rwSessionCount;
+    pInfo->firmwareVersion.major = 0;
+    pInfo->firmwareVersion.minor = 0;
+    PORT_Memcpy(pInfo->label,slot->tokDescription,32);
+    handle = slot->keyDB;
+    if (handle == NULL) {
+        pInfo->flags= CKF_RNG | CKF_WRITE_PROTECTED | CKF_THREAD_SAFE;
+	pInfo->ulMaxPinLen = 0;
+	pInfo->ulMinPinLen = 0;
+	pInfo->ulTotalPublicMemory = 0;
+	pInfo->ulFreePublicMemory = 0;
+	pInfo->ulTotalPrivateMemory = 0;
+	pInfo->ulFreePrivateMemory = 0;
+	pInfo->hardwareVersion.major = 4;
+	pInfo->hardwareVersion.minor = 0;
+    } else {
+	/*
+	 * we have three possible states which we may be in:
+	 *   (1) No DB password has been initialized. This also means we
+	 *   have no keys in the key db.
+	 *   (2) Password initialized to NULL. This means we have keys, but
+	 *   the user has chosen not use a password.
+	 *   (3) Finally we have an initialized password whicn is not NULL, and
+	 *   we will need to prompt for it.
+	 */
+	if (nsslowkey_HasKeyDBPassword(handle) == SECFailure) {
+	    pInfo->flags = CKF_THREAD_SAFE | CKF_LOGIN_REQUIRED;
+	} else if (!slot->needLogin) {
+	    pInfo->flags = CKF_THREAD_SAFE | CKF_USER_PIN_INITIALIZED;
+	} else {
+	    pInfo->flags = CKF_THREAD_SAFE | 
+				CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED;
+	}
+	pInfo->ulMaxPinLen = PK11_MAX_PIN;
+	pInfo->ulMinPinLen = 0;
+	if (slot->minimumPinLen > 0) {
+	    pInfo->ulMinPinLen = (CK_ULONG)slot->minimumPinLen;
+	}
+	pInfo->ulTotalPublicMemory = 1;
+	pInfo->ulFreePublicMemory = 1;
+	pInfo->ulTotalPrivateMemory = 1;
+	pInfo->ulFreePrivateMemory = 1;
+	pInfo->hardwareVersion.major = CERT_DB_FILE_VERSION;
+	pInfo->hardwareVersion.minor = handle->version;
+    }
+    return CKR_OK;
+}
+
+
+
+/* NSC_GetMechanismList obtains a list of mechanism types 
+ * supported by a token. */
+CK_RV NSC_GetMechanismList(CK_SLOT_ID slotID,
+	CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pulCount)
+{
+    int i;
+
+    switch (slotID) {
+    case NETSCAPE_SLOT_ID:
+	*pulCount = mechanismCount;
+	if (pMechanismList != NULL) {
+	    for (i=0; i < (int) mechanismCount; i++) {
+		pMechanismList[i] = mechanisms[i].type;
+	    }
+	}
+	break;
+     default:
+	*pulCount = 0;
+	for (i=0; i < (int) mechanismCount; i++) {
+	    if (mechanisms[i].privkey) {
+		(*pulCount)++;
+		if (pMechanismList != NULL) {
+		    *pMechanismList++ = mechanisms[i].type;
+		}
+	    }
+	}
+	break;
+    }
+    return CKR_OK;
+}
+
+
+/* NSC_GetMechanismInfo obtains information about a particular mechanism 
+ * possibly supported by a token. */
+CK_RV NSC_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+    					CK_MECHANISM_INFO_PTR pInfo)
+{
+    PRBool isPrivateKey;
+    int i;
+
+    switch (slotID) {
+    case NETSCAPE_SLOT_ID:
+	isPrivateKey = PR_FALSE;
+	break;
+    default:
+	isPrivateKey = PR_TRUE;
+	break;
+    }
+    for (i=0; i < (int) mechanismCount; i++) {
+        if (type == mechanisms[i].type) {
+	    if (isPrivateKey && !mechanisms[i].privkey) {
+    		return CKR_MECHANISM_INVALID;
+	    }
+	    PORT_Memcpy(pInfo,&mechanisms[i].domestic,
+						sizeof(CK_MECHANISM_INFO));
+	    return CKR_OK;
+	}
+    }
+    return CKR_MECHANISM_INVALID;
+}
+
+static SECStatus
+pk11_TurnOffUser(NSSLOWCERTCertificate *cert, SECItem *k, void *arg)
+{
+   NSSLOWCERTCertTrust trust;
+   SECStatus rv;
+
+   rv = nsslowcert_GetCertTrust(cert,&trust);
+   if (rv == SECSuccess && ((trust.emailFlags & CERTDB_USER) ||
+			    (trust.sslFlags & CERTDB_USER) ||
+			    (trust.objectSigningFlags & CERTDB_USER))) {
+	trust.emailFlags &= ~CERTDB_USER;
+	trust.sslFlags &= ~CERTDB_USER;
+	trust.objectSigningFlags &= ~CERTDB_USER;
+	nsslowcert_ChangeCertTrust(cert->dbhandle,cert,&trust);
+   }
+   return SECSuccess;
+}
+
+/* NSC_InitToken initializes a token. */
+CK_RV NSC_InitToken(CK_SLOT_ID slotID,CK_CHAR_PTR pPin,
+ 				CK_ULONG ulPinLen,CK_CHAR_PTR pLabel) {
+    PK11Slot *slot = pk11_SlotFromID(slotID);
+    NSSLOWKEYDBHandle *handle;
+    NSSLOWCERTCertDBHandle *certHandle;
+    SECStatus rv;
+    int i;
+    PK11Object *object;
+
+    if (slot == NULL) return CKR_SLOT_ID_INVALID;
+
+    /* don't initialize the database if we aren't talking to a token
+     * that uses the key database.
+     */
+    if (slotID == NETSCAPE_SLOT_ID) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+
+    /* first, delete all our loaded key and cert objects from our 
+     * internal list. */
+    PK11_USE_THREADS(PZ_Lock(slot->objectLock);)
+    for (i=0; i < TOKEN_OBJECT_HASH_SIZE; i++) {
+	do {
+	    object = slot->tokObjects[i];
+	    /* hand deque */
+	    /* this duplicates function of NSC_close session functions, but 
+	     * because we know that we are freeing all the sessions, we can
+	     * do more efficient processing */
+	    if (object) {
+		slot->tokObjects[i] = object->next;
+
+		if (object->next) object->next->prev = NULL;
+		object->next = object->prev = NULL;
+	    }
+	    if (object) pk11_FreeObject(object);
+	} while (object != NULL);
+    }
+    slot->DB_loaded = PR_FALSE;
+    PK11_USE_THREADS(PZ_Unlock(slot->objectLock);)
+
+    /* then clear out the key database */
+    handle = slot->keyDB;
+    if (handle == NULL) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+
+    /* what to do on an error here? */
+    rv = nsslowkey_ResetKeyDB(handle);
+
+    /* finally  mark all the user certs as non-user certs */
+    certHandle = slot->certDB;
+    if (certHandle == NULL) return CKR_OK;
+
+    nsslowcert_TraversePermCerts(certHandle,pk11_TurnOffUser, NULL);
+
+    return CKR_OK; /*is this the right function for not implemented*/
+}
+
+
+/* NSC_InitPIN initializes the normal user's PIN. */
+CK_RV NSC_InitPIN(CK_SESSION_HANDLE hSession,
+    					CK_CHAR_PTR pPin, CK_ULONG ulPinLen)
+{
+    PK11Session *sp;
+    PK11Slot *slot;
+    NSSLOWKEYDBHandle *handle;
+    SECItem *newPin;
+    char newPinStr[PK11_MAX_PIN+1];
+    SECStatus rv;
+
+    
+    sp = pk11_SessionFromHandle(hSession);
+    if (sp == NULL) {
+	return CKR_SESSION_HANDLE_INVALID;
+    }
+
+    slot = pk11_SlotFromSession(sp);
+    if (slot == NULL) {
+	pk11_FreeSession(sp);
+	return CKR_SESSION_HANDLE_INVALID;;
+    }
+
+    handle = slot->keyDB;
+    if (handle == NULL) {
+	pk11_FreeSession(sp);
+	return CKR_PIN_LEN_RANGE;
+    }
+
+
+    if (sp->info.state != CKS_RW_SO_FUNCTIONS) {
+	pk11_FreeSession(sp);
+	return CKR_USER_NOT_LOGGED_IN;
+    }
+
+    pk11_FreeSession(sp);
+
+    /* make sure the pins aren't too long */
+    if (ulPinLen > PK11_MAX_PIN) {
+	return CKR_PIN_LEN_RANGE;
+    }
+    if (ulPinLen < slot->minimumPinLen) {
+	return CKR_PIN_LEN_RANGE;
+    }
+
+    if (nsslowkey_HasKeyDBPassword(handle) != SECFailure) {
+	return CKR_DEVICE_ERROR;
+    }
+
+    /* convert to null terminated string */
+    PORT_Memcpy(newPinStr,pPin,ulPinLen);
+    newPinStr[ulPinLen] = 0; 
+
+    /* build the hashed pins which we pass around */
+    newPin = nsslowkey_HashPassword(newPinStr,handle->global_salt);
+    PORT_Memset(newPinStr,0,sizeof(newPinStr));
+
+    /* change the data base */
+    rv = nsslowkey_SetKeyDBPassword(handle,newPin);
+
+    /* Now update our local copy of the pin */
+    if (rv == SECSuccess) {
+	if (slot->password) {
+    	    SECITEM_ZfreeItem(slot->password, PR_TRUE);
+	}
+	slot->password = newPin;
+	if (ulPinLen == 0) slot->needLogin = PR_FALSE;
+	return CKR_OK;
+    }
+    SECITEM_ZfreeItem(newPin, PR_TRUE);
+    return CKR_PIN_INCORRECT;
+}
+
+
+/* NSC_SetPIN modifies the PIN of user that is currently logged in. */
+/* NOTE: This is only valid for the PRIVATE_KEY_SLOT */
+CK_RV NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
+    CK_ULONG ulOldLen, CK_CHAR_PTR pNewPin, CK_ULONG ulNewLen)
+{
+    PK11Session *sp;
+    PK11Slot *slot;
+    NSSLOWKEYDBHandle *handle;
+    SECItem *newPin;
+    SECItem *oldPin;
+    char newPinStr[PK11_MAX_PIN+1],oldPinStr[PK11_MAX_PIN+1];
+    SECStatus rv;
+
+    
+    sp = pk11_SessionFromHandle(hSession);
+    if (sp == NULL) {
+	return CKR_SESSION_HANDLE_INVALID;
+    }
+
+    slot = pk11_SlotFromSession(sp);
+    if (!slot) {
+	pk11_FreeSession(sp);
+	return CKR_SESSION_HANDLE_INVALID;;
+    }
+
+    handle = slot->keyDB;
+    if (handle == NULL) {
+	pk11_FreeSession(sp);
+	return CKR_PIN_LEN_RANGE;
+    }
+
+    if (slot->needLogin && sp->info.state != CKS_RW_USER_FUNCTIONS) {
+	pk11_FreeSession(sp);
+	return CKR_USER_NOT_LOGGED_IN;
+    }
+
+    pk11_FreeSession(sp);
+
+    /* make sure the pins aren't too long */
+    if ((ulNewLen > PK11_MAX_PIN) || (ulOldLen > PK11_MAX_PIN)) {
+	return CKR_PIN_LEN_RANGE;
+    }
+    if (ulNewLen < slot->minimumPinLen) {
+	return CKR_PIN_LEN_RANGE;
+    }
+
+
+    /* convert to null terminated string */
+    PORT_Memcpy(newPinStr,pNewPin,ulNewLen);
+    newPinStr[ulNewLen] = 0; 
+    PORT_Memcpy(oldPinStr,pOldPin,ulOldLen);
+    oldPinStr[ulOldLen] = 0; 
+
+    /* build the hashed pins which we pass around */
+    newPin = nsslowkey_HashPassword(newPinStr,handle->global_salt);
+    oldPin = nsslowkey_HashPassword(oldPinStr,handle->global_salt);
+    PORT_Memset(newPinStr,0,sizeof(newPinStr));
+    PORT_Memset(oldPinStr,0,sizeof(oldPinStr));
+
+    /* change the data base */
+    rv = nsslowkey_ChangeKeyDBPassword(handle,oldPin,newPin);
+
+    /* Now update our local copy of the pin */
+    SECITEM_ZfreeItem(oldPin, PR_TRUE);
+    if (rv == SECSuccess) {
+	if (slot->password) {
+    	    SECITEM_ZfreeItem(slot->password, PR_TRUE);
+	}
+	slot->password = newPin;
+	slot->needLogin = (PRBool)(ulNewLen != 0);
+	return CKR_OK;
+    }
+    SECITEM_ZfreeItem(newPin, PR_TRUE);
+    return CKR_PIN_INCORRECT;
+}
+
+/* NSC_OpenSession opens a session between an application and a token. */
+CK_RV NSC_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags,
+   CK_VOID_PTR pApplication,CK_NOTIFY Notify,CK_SESSION_HANDLE_PTR phSession)
+{
+    PK11Slot *slot;
+    CK_SESSION_HANDLE sessionID;
+    PK11Session *session;
+    PK11Session *sameID;
+
+    slot = pk11_SlotFromID(slotID);
+    if (slot == NULL) return CKR_SLOT_ID_INVALID;
+
+    /* new session (we only have serial sessions) */
+    session = pk11_NewSession(slotID, Notify, pApplication,
+						 flags | CKF_SERIAL_SESSION);
+    if (session == NULL) return CKR_HOST_MEMORY;
+
+    PK11_USE_THREADS(PZ_Lock(slot->slotLock);)
+    if (slot->readOnly && (flags & CKF_RW_SESSION)) {
+	/* NETSCAPE_SLOT_ID is Read ONLY */
+	session->info.flags &= ~CKF_RW_SESSION;
+    }
+    slot->sessionCount++;
+    if (session->info.flags & CKF_RW_SESSION) {
+	slot->rwSessionCount++;
+    }
+    PK11_USE_THREADS(PZ_Unlock(slot->slotLock);)
+
+    do {
+        do {
+            sessionID = (PR_AtomicIncrement(&slot->sessionIDCount) & 0xffffff)
+                        | (slot->index << 24);
+        } while (sessionID == CK_INVALID_HANDLE);
+        PK11_USE_THREADS(PZ_Lock(PK11_SESSION_LOCK(slot,sessionID));)
+        pk11queue_find(sameID, sessionID, slot->head, SESSION_HASH_SIZE);
+        if (sameID == NULL) {
+            session->handle = sessionID;
+            pk11_update_state(slot, session);
+            pk11queue_add(session, sessionID, slot->head, SESSION_HASH_SIZE);
+        } else {
+            slot->sessionIDConflict++;  /* for debugging */
+        }
+        PK11_USE_THREADS(PZ_Unlock(PK11_SESSION_LOCK(slot,sessionID));)
+    } while (sameID != NULL);
+
+    *phSession = sessionID;
+    return CKR_OK;
+}
+
+
+/* NSC_CloseSession closes a session between an application and a token. */
+CK_RV NSC_CloseSession(CK_SESSION_HANDLE hSession)
+{
+    PK11Slot *slot;
+    PK11Session *session;
+    SECItem *pw = NULL;
+    PRBool sessionFound;
+
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+    slot = pk11_SlotFromSession(session);
+    sessionFound = PR_FALSE;
+
+    /* lock */
+    PK11_USE_THREADS(PZ_Lock(PK11_SESSION_LOCK(slot,hSession));)
+    if (pk11queue_is_queued(session,hSession,slot->head,SESSION_HASH_SIZE)) {
+	sessionFound = PR_TRUE;
+	pk11queue_delete(session,hSession,slot->head,SESSION_HASH_SIZE);
+	session->refCount--; /* can't go to zero while we hold the reference */
+	PORT_Assert(session->refCount > 0);
+    }
+    PK11_USE_THREADS(PZ_Unlock(PK11_SESSION_LOCK(slot,hSession));)
+
+    PK11_USE_THREADS(PZ_Lock(slot->slotLock);)
+    if (sessionFound) {
+	slot->sessionCount--;
+	if (session->info.flags & CKF_RW_SESSION) {
+	    slot->rwSessionCount--;
+	}
+    }
+    if (slot->sessionCount == 0) {
+	pw = slot->password;
+	slot->isLoggedIn = PR_FALSE;
+	slot->password = NULL;
+    }
+    PK11_USE_THREADS(PZ_Unlock(slot->slotLock);)
+
+    pk11_FreeSession(session);
+    if (pw) SECITEM_ZfreeItem(pw, PR_TRUE);
+    return CKR_OK;
+}
+
+
+/* NSC_CloseAllSessions closes all sessions with a token. */
+CK_RV NSC_CloseAllSessions (CK_SLOT_ID slotID)
+{
+    PK11Slot *slot;
+    SECItem *pw = NULL;
+    PK11Session *session;
+    int i;
+
+    slot = pk11_SlotFromID(slotID);
+    if (slot == NULL) return CKR_SLOT_ID_INVALID;
+
+    /* first log out the card */
+    PK11_USE_THREADS(PZ_Lock(slot->slotLock);)
+    pw = slot->password;
+    slot->isLoggedIn = PR_FALSE;
+    slot->password = NULL;
+    PK11_USE_THREADS(PZ_Unlock(slot->slotLock);)
+    if (pw) SECITEM_ZfreeItem(pw, PR_TRUE);
+
+    /* now close all the current sessions */
+    /* NOTE: If you try to open new sessions before NSC_CloseAllSessions
+     * completes, some of those new sessions may or may not be closed by
+     * NSC_CloseAllSessions... but any session running when this code starts
+     * will guarrenteed be close, and no session will be partially closed */
+    for (i=0; i < SESSION_HASH_SIZE; i++) {
+	do {
+	    PK11_USE_THREADS(PZ_Lock(PK11_SESSION_LOCK(slot,i));)
+	    session = slot->head[i];
+	    /* hand deque */
+	    /* this duplicates function of NSC_close session functions, but 
+	     * because we know that we are freeing all the sessions, we can
+	     * do more efficient processing */
+	    if (session) {
+		slot->head[i] = session->next;
+		if (session->next) session->next->prev = NULL;
+		session->next = session->prev = NULL;
+		PK11_USE_THREADS(PZ_Unlock(PK11_SESSION_LOCK(slot,i));)
+		PK11_USE_THREADS(PZ_Lock(slot->slotLock);)
+		slot->sessionCount--;
+		if (session->info.flags & CKF_RW_SESSION) {
+		    slot->rwSessionCount--;
+		}
+		PK11_USE_THREADS(PZ_Unlock(slot->slotLock);)
+	    } else {
+		PK11_USE_THREADS(PZ_Unlock(PK11_SESSION_LOCK(slot,i));)
+	    }
+	    if (session) pk11_FreeSession(session);
+	} while (session != NULL);
+    }
+    return CKR_OK;
+}
+
+
+/* NSC_GetSessionInfo obtains information about the session. */
+CK_RV NSC_GetSessionInfo(CK_SESSION_HANDLE hSession,
+    						CK_SESSION_INFO_PTR pInfo)
+{
+    PK11Session *session;
+
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+
+    PORT_Memcpy(pInfo,&session->info,sizeof(CK_SESSION_INFO));
+    pk11_FreeSession(session);
+    return CKR_OK;
+}
+
+/* NSC_Login logs a user into a token. */
+CK_RV NSC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
+				    CK_CHAR_PTR pPin, CK_ULONG ulPinLen)
+{
+    PK11Slot *slot;
+    PK11Session *session;
+    NSSLOWKEYDBHandle *handle;
+    SECItem *pin;
+    char pinStr[PK11_MAX_PIN+1];
+
+
+    /* get the slot */
+    slot = pk11_SlotFromSessionHandle(hSession);
+
+    /* make sure the session is valid */
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) {
+	if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+    }
+    pk11_FreeSession(session);
+
+    /* can't log into the Netscape Slot */
+    if (slot->slotID == NETSCAPE_SLOT_ID)
+	 return CKR_USER_TYPE_INVALID;
+
+    if (slot->isLoggedIn) return CKR_USER_ALREADY_LOGGED_IN;
+    slot->ssoLoggedIn = PR_FALSE;
+
+    if (ulPinLen > PK11_MAX_PIN) return CKR_PIN_LEN_RANGE;
+
+    /* convert to null terminated string */
+    PORT_Memcpy(pinStr,pPin,ulPinLen);
+    pinStr[ulPinLen] = 0; 
+
+    handle = slot->keyDB;
+    if (handle == NULL) {
+	 return CKR_USER_TYPE_INVALID;
+    }
+
+    /*
+     * Deal with bootstrap. We allow the SSO to login in with a NULL
+     * password if and only if we haven't initialized the KEY DB yet.
+     * We only allow this on a RW session.
+     */
+    if (nsslowkey_HasKeyDBPassword(handle) == SECFailure) {
+	/* allow SSO's to log in only if there is not password on the
+	 * key database */
+	if (((userType == CKU_SO) && (session->info.flags & CKF_RW_SESSION))
+	    /* fips always needs to authenticate, even if there isn't a db */
+					|| (slot->slotID == FIPS_SLOT_ID)) {
+	    /* should this be a fixed password? */
+	    if (ulPinLen == 0) {
+		SECItem *pw;
+    		PK11_USE_THREADS(PZ_Lock(slot->slotLock);)
+		pw = slot->password;
+		slot->password = NULL;
+		slot->isLoggedIn = PR_TRUE;
+		slot->ssoLoggedIn = (PRBool)(userType == CKU_SO);
+		PK11_USE_THREADS(PZ_Unlock(slot->slotLock);)
+		pk11_update_all_states(slot);
+		SECITEM_ZfreeItem(pw,PR_TRUE);
+		return CKR_OK;
+	    }
+	    return CKR_PIN_INCORRECT;
+	} 
+	return CKR_USER_TYPE_INVALID;
+    } 
+
+    /* don't allow the SSO to log in if the user is already initialized */
+    if (userType != CKU_USER) { return CKR_USER_TYPE_INVALID; }
+
+
+    /* build the hashed pins which we pass around */
+    pin = nsslowkey_HashPassword(pinStr,handle->global_salt);
+    if (pin == NULL) return CKR_HOST_MEMORY;
+
+    if (nsslowkey_CheckKeyDBPassword(handle,pin) == SECSuccess) {
+	SECItem *tmp;
+	PK11_USE_THREADS(PZ_Lock(slot->slotLock);)
+	tmp = slot->password;
+	slot->isLoggedIn = PR_TRUE;
+	slot->password = pin;
+	PK11_USE_THREADS(PZ_Unlock(slot->slotLock);)
+        if (tmp) SECITEM_ZfreeItem(tmp, PR_TRUE);
+
+	/* update all sessions */
+	pk11_update_all_states(slot);
+	return CKR_OK;
+    }
+
+    SECITEM_ZfreeItem(pin, PR_TRUE);
+    return CKR_PIN_INCORRECT;
+}
+
+/* NSC_Logout logs a user out from a token. */
+CK_RV NSC_Logout(CK_SESSION_HANDLE hSession)
+{
+    PK11Slot *slot = pk11_SlotFromSessionHandle(hSession);
+    PK11Session *session;
+    SECItem *pw = NULL;
+
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) {
+	if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+    }
+
+    if (!slot->isLoggedIn) return CKR_USER_NOT_LOGGED_IN;
+
+    PK11_USE_THREADS(PZ_Lock(slot->slotLock);)
+    pw = slot->password;
+    slot->isLoggedIn = PR_FALSE;
+    slot->ssoLoggedIn = PR_FALSE;
+    slot->password = NULL;
+    PK11_USE_THREADS(PZ_Unlock(slot->slotLock);)
+    if (pw) SECITEM_ZfreeItem(pw, PR_TRUE);
+
+    pk11_update_all_states(slot);
+    return CKR_OK;
+}
+
+
+/* NSC_CreateObject creates a new object. */
+CK_RV NSC_CreateObject(CK_SESSION_HANDLE hSession,
+		CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, 
+					CK_OBJECT_HANDLE_PTR phObject)
+{
+    PK11Slot *slot = pk11_SlotFromSessionHandle(hSession);
+    PK11Session *session;
+    PK11Object *object;
+    CK_RV crv;
+    int i;
+
+
+    /*
+     * now lets create an object to hang the attributes off of
+     */
+    object = pk11_NewObject(slot); /* fill in the handle later */
+    if (object == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+
+    /*
+     * load the template values into the object
+     */
+    for (i=0; i < (int) ulCount; i++) {
+	crv = pk11_AddAttributeType(object,pk11_attr_expand(&pTemplate[i]));
+	if (crv != CKR_OK) {
+	    pk11_FreeObject(object);
+	    return crv;
+	}
+    }
+
+    /* get the session */
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) {
+	pk11_FreeObject(object);
+        return CKR_SESSION_HANDLE_INVALID;
+    }
+
+    /*
+     * handle the base object stuff
+     */
+    crv = pk11_handleObject(object,session);
+    *phObject = object->handle;
+    pk11_FreeSession(session);
+    pk11_FreeObject(object);
+
+    return crv;
+}
+
+
+/* NSC_CopyObject copies an object, creating a new object for the copy. */
+CK_RV NSC_CopyObject(CK_SESSION_HANDLE hSession,
+       CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+					CK_OBJECT_HANDLE_PTR phNewObject) 
+{
+    PK11Object *destObject,*srcObject;
+    PK11Session *session;
+    CK_RV crv = CKR_OK;
+    PK11Slot *slot = pk11_SlotFromSessionHandle(hSession);
+    int i;
+
+    /* Get srcObject so we can find the class */
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) {
+        return CKR_SESSION_HANDLE_INVALID;
+    }
+    srcObject = pk11_ObjectFromHandle(hObject,session);
+    if (srcObject == NULL) {
+	pk11_FreeSession(session);
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+    /*
+     * create an object to hang the attributes off of
+     */
+    destObject = pk11_NewObject(slot); /* fill in the handle later */
+    if (destObject == NULL) {
+	pk11_FreeSession(session);
+        pk11_FreeObject(srcObject);
+	return CKR_HOST_MEMORY;
+    }
+
+    /*
+     * load the template values into the object
+     */
+    for (i=0; i < (int) ulCount; i++) {
+	if (pk11_modifyType(pTemplate[i].type,srcObject->objclass) == PK11_NEVER) {
+	    crv = CKR_ATTRIBUTE_READ_ONLY;
+	    break;
+	}
+	crv = pk11_AddAttributeType(destObject,pk11_attr_expand(&pTemplate[i]));
+	if (crv != CKR_OK) { break; }
+    }
+    if (crv != CKR_OK) {
+	pk11_FreeSession(session);
+        pk11_FreeObject(srcObject);
+	pk11_FreeObject(destObject);
+	return crv;
+    }
+
+    /* sensitive can only be changed to CK_TRUE */
+    if (pk11_hasAttribute(destObject,CKA_SENSITIVE)) {
+	if (!pk11_isTrue(destObject,CKA_SENSITIVE)) {
+	    pk11_FreeSession(session);
+            pk11_FreeObject(srcObject);
+	    pk11_FreeObject(destObject);
+	    return CKR_ATTRIBUTE_READ_ONLY;
+	}
+    }
+
+    /*
+     * now copy the old attributes from the new attributes
+     */
+    /* don't create a token object if we aren't in a rw session */
+    /* we need to hold the lock to copy a consistant version of
+     * the object. */
+    crv = pk11_CopyObject(destObject,srcObject);
+
+    destObject->objclass = srcObject->objclass;
+    pk11_FreeObject(srcObject);
+    if (crv != CKR_OK) {
+	pk11_FreeObject(destObject);
+	pk11_FreeSession(session);
+	return crv;
+    }
+
+    crv = pk11_handleObject(destObject,session);
+    *phNewObject = destObject->handle;
+    pk11_FreeSession(session);
+    pk11_FreeObject(destObject);
+    
+    return crv;
+}
+
+
+/* NSC_GetObjectSize gets the size of an object in bytes. */
+CK_RV NSC_GetObjectSize(CK_SESSION_HANDLE hSession,
+    			CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize) {
+    *pulSize = 0;
+    return CKR_OK;
+}
+
+
+/* NSC_GetAttributeValue obtains the value of one or more object attributes. */
+CK_RV NSC_GetAttributeValue(CK_SESSION_HANDLE hSession,
+    CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount) {
+    PK11Slot *slot = pk11_SlotFromSessionHandle(hSession);
+    PK11Session *session;
+    PK11Object *object;
+    PK11Attribute *attribute;
+    PRBool sensitive;
+    int i;
+
+    /*
+     * make sure we're allowed
+     */
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) {
+        return CKR_SESSION_HANDLE_INVALID;
+    }
+
+    object = pk11_ObjectFromHandle(hObject,session);
+    pk11_FreeSession(session);
+    if (object == NULL) {
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+
+    /* don't read a private object if we aren't logged in */
+    if ((!slot->isLoggedIn) && (slot->needLogin) &&
+				(pk11_isTrue(object,CKA_PRIVATE))) {
+	pk11_FreeObject(object);
+	return CKR_USER_NOT_LOGGED_IN;
+    }
+
+    sensitive = pk11_isTrue(object,CKA_SENSITIVE);
+    for (i=0; i < (int) ulCount; i++) {
+	/* Make sure that this attribute is retrievable */
+	if (sensitive && pk11_isSensitive(pTemplate[i].type,object->objclass)) {
+	    pk11_FreeObject(object);
+	    return CKR_ATTRIBUTE_SENSITIVE;
+	}
+	attribute = pk11_FindAttribute(object,pTemplate[i].type);
+	if (attribute == NULL) {
+	    pk11_FreeObject(object);
+	    return CKR_ATTRIBUTE_TYPE_INVALID;
+	}
+	if (pTemplate[i].pValue != NULL) {
+	    PORT_Memcpy(pTemplate[i].pValue,attribute->attrib.pValue,
+						attribute->attrib.ulValueLen);
+	}
+	pTemplate[i].ulValueLen = attribute->attrib.ulValueLen;
+	pk11_FreeAttribute(attribute);
+    }
+
+    pk11_FreeObject(object);
+    return CKR_OK;
+}
+
+/* NSC_SetAttributeValue modifies the value of one or more object attributes */
+CK_RV NSC_SetAttributeValue (CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount) {
+    PK11Slot *slot = pk11_SlotFromSessionHandle(hSession);
+    PK11Session *session;
+    PK11Attribute *attribute;
+    PK11Object *object;
+    PRBool isToken;
+    CK_RV crv = CKR_OK;
+    CK_BBOOL legal;
+    int i;
+
+    /*
+     * make sure we're allowed
+     */
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) {
+        return CKR_SESSION_HANDLE_INVALID;
+    }
+
+    object = pk11_ObjectFromHandle(hObject,session);
+    if (object == NULL) {
+        pk11_FreeSession(session);
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+
+    /* don't modify a private object if we aren't logged in */
+    if ((!slot->isLoggedIn) && (slot->needLogin) &&
+				(pk11_isTrue(object,CKA_PRIVATE))) {
+	pk11_FreeSession(session);
+	pk11_FreeObject(object);
+	return CKR_USER_NOT_LOGGED_IN;
+    }
+
+    /* don't modify a token object if we aren't in a rw session */
+    isToken = pk11_isTrue(object,CKA_TOKEN);
+    if (((session->info.flags & CKF_RW_SESSION) == 0) && isToken) {
+	pk11_FreeSession(session);
+	pk11_FreeObject(object);
+	return CKR_SESSION_READ_ONLY;
+    }
+    pk11_FreeSession(session);
+
+    /* only change modifiable objects */
+    if (!pk11_isTrue(object,CKA_MODIFIABLE)) {
+	pk11_FreeObject(object);
+	return CKR_ATTRIBUTE_READ_ONLY;
+    }
+
+    for (i=0; i < (int) ulCount; i++) {
+	/* Make sure that this attribute is changeable */
+	switch (pk11_modifyType(pTemplate[i].type,object->objclass)) {
+	case PK11_NEVER:
+	case PK11_ONCOPY:
+        default:
+	    crv = CKR_ATTRIBUTE_READ_ONLY;
+	    break;
+
+        case PK11_SENSITIVE:
+	    legal = (pTemplate[i].type == CKA_EXTRACTABLE) ? CK_FALSE : CK_TRUE;
+	    if ((*(CK_BBOOL *)pTemplate[i].pValue) != legal) {
+	        crv = CKR_ATTRIBUTE_READ_ONLY;
+	    }
+	    break;
+        case PK11_ALWAYS:
+	    break;
+	}
+	if (crv != CKR_OK) break;
+
+	/* find the old attribute */
+	attribute = pk11_FindAttribute(object,pTemplate[i].type);
+	if (attribute == NULL) {
+	    crv =CKR_ATTRIBUTE_TYPE_INVALID;
+	    break;
+	}
+    	pk11_FreeAttribute(attribute);
+	crv = pk11_forceAttribute(object,pk11_attr_expand(&pTemplate[i]));
+	if (crv != CKR_OK) break;
+
+    }
+
+    pk11_FreeObject(object);
+    return crv;
+}
+
+/*
+ * find any certs that may match the template and load them.
+ */
+#define NSC_CERT	0x00000001
+#define NSC_TRUST	0x00000002
+#define NSC_CRL		0x00000004
+#define NSC_SMIME	0x00000008
+#define NSC_PRIVATE	0x00000010
+#define NSC_PUBLIC	0x00000020
+#define NSC_KEY		0x00000040
+
+/*
+ * structure to collect key handles.
+ */
+typedef struct pk11CrlDataStr {
+    PK11Slot *slot;
+    PK11SearchResults *searchHandles;
+    CK_ATTRIBUTE *template;
+    CK_ULONG templ_count;
+} pk11CrlData;
+
+
+static SECStatus
+pk11_crl_collect(SECItem *data, SECItem *key, certDBEntryType type, void *arg)
+{
+    pk11CrlData *crlData;
+    CK_OBJECT_HANDLE class_handle;
+    PK11Slot *slot;
+    
+    crlData = (pk11CrlData *)arg;
+    slot = crlData->slot;
+
+    class_handle = (type == certDBEntryTypeRevocation) ? PK11_TOKEN_TYPE_CRL :
+							PK11_TOKEN_KRL_HANDLE;
+    if (pk11_tokenMatch(slot, key, class_handle,
+			crlData->template, crlData->templ_count)) {
+	pk11_addHandle(crlData->searchHandles,
+				 pk11_mkHandle(slot,key,class_handle));
+    }
+    return(SECSuccess);
+}
+
+static void
+pk11_searchCrls(PK11Slot *slot, SECItem *derSubject, PRBool isKrl, 
+		unsigned long classFlags, PK11SearchResults *search,
+		CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount)
+{
+    NSSLOWCERTCertDBHandle *certHandle = NULL;
+
+    certHandle = slot->certDB;
+    if (certHandle == NULL) {
+	return;
+    }
+    if (derSubject->data != NULL)  {
+	SECItem *crl = 
+	    nsslowcert_FindCrlByKey(certHandle,derSubject,NULL,isKrl);
+
+	if (crl != NULL) {
+	    pk11_addHandle(search, pk11_mkHandle(slot,derSubject,
+		isKrl ? PK11_TOKEN_KRL_HANDLE : PK11_TOKEN_TYPE_CRL));
+	}
+    } else {
+	pk11CrlData crlData;
+
+	/* traverse */
+	crlData.slot = slot;
+	crlData.searchHandles = search;
+	crlData.template = pTemplate;
+	crlData.templ_count = ulCount;
+	nsslowcert_TraverseDBEntries(certHandle, certDBEntryTypeRevocation,
+		pk11_crl_collect, (void *)&crlData);
+	nsslowcert_TraverseDBEntries(certHandle, certDBEntryTypeKeyRevocation,
+		pk11_crl_collect, (void *)&crlData);
+    } 
+}
+
+/*
+ * structure to collect key handles.
+ */
+typedef struct pk11KeyDataStr {
+    PK11Slot *slot;
+    PK11SearchResults *searchHandles;
+    SECItem *id;
+    CK_ATTRIBUTE *template;
+    CK_ULONG templ_count;
+    unsigned long classFlags;
+    PRBool isLoggedIn;
+    PRBool strict;
+} pk11KeyData;
+
+
+static SECStatus
+pk11_key_collect(DBT *key, DBT *data, void *arg)
+{
+    pk11KeyData *keyData;
+    NSSLOWKEYPrivateKey *privKey = NULL;
+    SECItem tmpDBKey;
+    PK11Slot *slot;
+    
+    keyData = (pk11KeyData *)arg;
+    slot = keyData->slot;
+
+    tmpDBKey.data = key->data;
+    tmpDBKey.len = key->size;
+
+    PORT_Assert(slot->keyDB);
+    if (!keyData->strict && keyData->id) {
+	SECItem result;
+	PRBool haveMatch;
+	unsigned char hashKey[SHA1_LENGTH];
+	result.data = hashKey;
+	result.len = sizeof(hashKey);
+
+	if (keyData->id->len == 0) {
+	    haveMatch = PR_TRUE; /* taking any key */
+	} else {
+	    SHA1_HashBuf( hashKey, key->data, key->size ); /* match id */
+	    haveMatch = SECITEM_ItemsAreEqual(keyData->id,&result);
+	    if (!haveMatch && ((unsigned char *)key->data)[0] == 0) {
+		/* This is a fix for backwards compatibility.  The key
+		 * database indexes private keys by the public key, and
+		 * versions of NSS prior to 3.4 stored the public key as
+		 * a signed integer.  The public key is now treated as an
+		 * unsigned integer, with no leading zero.  In order to
+		 * correctly compute the hash of an old key, it is necessary
+		 * to fallback and detect the leading zero.
+		 */
+		SHA1_HashBuf(hashKey, 
+		             (unsigned char *)key->data + 1, key->size - 1);
+		haveMatch = SECITEM_ItemsAreEqual(keyData->id,&result);
+	    }
+	}
+	if (haveMatch) {
+	    if (keyData->classFlags & NSC_PRIVATE)  {
+		pk11_addHandle(keyData->searchHandles,
+			pk11_mkHandle(slot,&tmpDBKey,PK11_TOKEN_TYPE_PRIV));
+	    }
+	    if (keyData->classFlags & NSC_PUBLIC) {
+		pk11_addHandle(keyData->searchHandles,
+			pk11_mkHandle(slot,&tmpDBKey,PK11_TOKEN_TYPE_PUB));
+	    }
+	    /* NSC_KEY Already handled */
+	}
+	return SECSuccess;
+    }
+
+    privKey = nsslowkey_FindKeyByPublicKey(keyData->slot->keyDB, &tmpDBKey, 
+						 keyData->slot->password);
+    if ( privKey == NULL ) {
+	goto loser;
+    }
+
+    if (isSecretKey(privKey)) {
+	if ((keyData->classFlags & NSC_KEY) && 
+		pk11_tokenMatch(keyData->slot, &tmpDBKey, PK11_TOKEN_TYPE_KEY,
+			keyData->template, keyData->templ_count)) {
+	    pk11_addHandle(keyData->searchHandles,
+		pk11_mkHandle(keyData->slot, &tmpDBKey, PK11_TOKEN_TYPE_KEY));
+	}
+    } else {
+	if ((keyData->classFlags & NSC_PRIVATE) && 
+		pk11_tokenMatch(keyData->slot, &tmpDBKey, PK11_TOKEN_TYPE_PRIV,
+			keyData->template, keyData->templ_count)) {
+	    pk11_addHandle(keyData->searchHandles,
+		pk11_mkHandle(keyData->slot,&tmpDBKey,PK11_TOKEN_TYPE_PRIV));
+	}
+	if ((keyData->classFlags & NSC_PUBLIC) && 
+		pk11_tokenMatch(keyData->slot, &tmpDBKey, PK11_TOKEN_TYPE_PUB,
+			keyData->template, keyData->templ_count)) {
+	    pk11_addHandle(keyData->searchHandles,
+		pk11_mkHandle(keyData->slot, &tmpDBKey,PK11_TOKEN_TYPE_PUB));
+	}
+    }
+
+loser:
+    if ( privKey ) {
+	nsslowkey_DestroyPrivateKey(privKey);
+    }
+    return(SECSuccess);
+}
+
+static void
+pk11_searchKeys(PK11Slot *slot, SECItem *key_id, PRBool isLoggedIn,
+	unsigned long classFlags, PK11SearchResults *search,
+	CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount)
+{
+    NSSLOWKEYDBHandle *keyHandle = NULL;
+    NSSLOWKEYPrivateKey *privKey;
+    pk11KeyData keyData;
+
+    keyHandle = slot->keyDB;
+    if (keyHandle == NULL) {
+	return;
+    }
+
+    if (key_id->data) {
+	privKey = nsslowkey_FindKeyByPublicKey(keyHandle, key_id, slot->password);
+	if (privKey) {
+	    if (classFlags & NSC_KEY) {
+    	        pk11_addHandle(search,
+			pk11_mkHandle(slot,key_id,PK11_TOKEN_TYPE_KEY));
+	    }
+	    if (classFlags & NSC_PRIVATE) {
+    	        pk11_addHandle(search,
+			pk11_mkHandle(slot,key_id,PK11_TOKEN_TYPE_PRIV));
+	    }
+	    if (classFlags & NSC_PUBLIC) {
+    	        pk11_addHandle(search,
+			pk11_mkHandle(slot,key_id,PK11_TOKEN_TYPE_PUB));
+	    }
+    	    nsslowkey_DestroyPrivateKey(privKey);
+	}
+	/* don't do the traversal if we have an up to date db */
+	if (keyHandle->version != 3) {
+	    return;
+	}
+    }
+    keyData.slot = slot;
+    keyData.searchHandles = search;
+    keyData.id = key_id;
+    keyData.template = pTemplate;
+    keyData.templ_count = ulCount;
+    keyData.isLoggedIn = isLoggedIn;
+    keyData.classFlags = classFlags;
+    keyData.strict = NSC_STRICT;
+
+    nsslowkey_TraverseKeys(keyHandle, pk11_key_collect, &keyData);
+}
+
+/*
+ * structure to collect certs into
+ */
+typedef struct pk11CertDataStr {
+    PK11Slot *slot;
+    int cert_count;
+    int max_cert_count;
+    NSSLOWCERTCertificate **certs;
+    CK_ATTRIBUTE *template;
+    CK_ULONG	templ_count;
+    unsigned long classFlags;
+    PRBool	strict;
+} pk11CertData;
+
+/*
+ * collect all the certs from the traverse call.
+ */	
+static SECStatus
+pk11_cert_collect(NSSLOWCERTCertificate *cert,void *arg)
+{
+    pk11CertData *cd = (pk11CertData *)arg;
+
+    if (cd->certs == NULL) {
+	return SECFailure;
+    }
+
+    if (cd->strict) {
+	if ((cd->classFlags & NSC_CERT) && !pk11_tokenMatch(cd->slot,
+	  &cert->certKey, PK11_TOKEN_TYPE_CERT, cd->template,cd->templ_count)) {
+	    return SECSuccess;
+	}
+	if ((cd->classFlags & NSC_TRUST) && !pk11_tokenMatch(cd->slot,
+	  &cert->certKey, PK11_TOKEN_TYPE_TRUST, 
+					     cd->template, cd->templ_count)) {
+	    return SECSuccess;
+	}
+    }
+
+    /* allocate more space if we need it. This should only happen in
+     * the general traversal case */
+    if (cd->cert_count >= cd->max_cert_count) {
+	int size;
+	cd->max_cert_count += NSC_CERT_BLOCK_SIZE;
+	size = cd->max_cert_count * sizeof (NSSLOWCERTCertificate *);
+	cd->certs = (NSSLOWCERTCertificate **)PORT_Realloc(cd->certs,size);
+	if (cd->certs == NULL) {
+	    return SECFailure;
+	}
+    }
+
+    cd->certs[cd->cert_count++] = nsslowcert_DupCertificate(cert);
+    return SECSuccess;
+}
+
+/* provide impedence matching ... */
+static SECStatus
+pk11_cert_collect2(NSSLOWCERTCertificate *cert, SECItem *dymmy, void *arg)
+{
+    return pk11_cert_collect(cert, arg);
+}
+
+static void
+pk11_searchSingleCert(pk11CertData *certData,NSSLOWCERTCertificate *cert)
+{
+    if (cert == NULL) {
+	    return;
+    }
+    if (certData->strict && 
+	!pk11_tokenMatch(certData->slot, &cert->certKey, PK11_TOKEN_TYPE_CERT, 
+				certData->template,certData->templ_count)) {
+	nsslowcert_DestroyCertificate(cert);
+	return;
+    }
+    certData->certs = (NSSLOWCERTCertificate **) 
+				PORT_Alloc(sizeof (NSSLOWCERTCertificate *));
+    if (certData->certs == NULL) {
+	nsslowcert_DestroyCertificate(cert);
+	return;
+    }
+    certData->certs[0] = cert;
+    certData->cert_count = 1;
+}
+
+static void
+pk11_CertSetupData(pk11CertData *certData,int count)
+{
+    certData->max_cert_count = count;
+
+    if (certData->max_cert_count <= 0) {
+	return;
+    }
+    certData->certs = (NSSLOWCERTCertificate **)
+			 PORT_Alloc( count * sizeof(NSSLOWCERTCertificate *));
+    return;
+}
+
+static void
+pk11_searchCertsAndTrust(PK11Slot *slot, SECItem *derCert, SECItem *name, 
+			SECItem *derSubject, NSSLOWCERTIssuerAndSN *issuerSN, 
+			SECItem *email,
+			unsigned long classFlags, PK11SearchResults *handles, 
+			CK_ATTRIBUTE *pTemplate, CK_LONG ulCount)
+{
+    NSSLOWCERTCertDBHandle *certHandle = NULL;
+    pk11CertData certData;
+    int i;
+
+    certHandle = slot->certDB;
+    if (certHandle == NULL) return;
+
+    certData.slot = slot;
+    certData.max_cert_count = 0;
+    certData.certs = NULL;
+    certData.cert_count = 0;
+    certData.template = pTemplate;
+    certData.templ_count = ulCount;
+    certData.classFlags = classFlags; 
+    certData.strict = NSC_STRICT; 
+
+
+    /*
+     * Find the Cert.
+     */
+    if (derCert->data != NULL) {
+	NSSLOWCERTCertificate *cert = 
+			nsslowcert_FindCertByDERCert(certHandle,derCert);
+	pk11_searchSingleCert(&certData,cert);
+    } else if (name->data != NULL) {
+	char *tmp_name = (char*)PORT_Alloc(name->len+1);
+	int count;
+
+	if (tmp_name == NULL) {
+	    return;
+	}
+	PORT_Memcpy(tmp_name,name->data,name->len);
+	tmp_name[name->len] = 0;
+
+	count= nsslowcert_NumPermCertsForNickname(certHandle,tmp_name);
+	pk11_CertSetupData(&certData,count);
+	nsslowcert_TraversePermCertsForNickname(certHandle,tmp_name,
+				pk11_cert_collect, &certData);
+	PORT_Free(tmp_name);
+    } else if (derSubject->data != NULL) {
+	int count;
+
+	count = nsslowcert_NumPermCertsForSubject(certHandle,derSubject);
+	pk11_CertSetupData(&certData,count);
+	nsslowcert_TraversePermCertsForSubject(certHandle,derSubject,
+				pk11_cert_collect, &certData);
+    } else if ((issuerSN->derIssuer.data != NULL) && 
+			(issuerSN->serialNumber.data != NULL)) {
+	NSSLOWCERTCertificate *cert = 
+		nsslowcert_FindCertByIssuerAndSN(certHandle,issuerSN);
+
+	pk11_searchSingleCert(&certData,cert);
+    } else if (email->data != NULL) {
+	char *tmp_name = (char*)PORT_Alloc(email->len+1);
+	certDBEntrySMime *entry = NULL;
+
+	if (tmp_name == NULL) {
+	    return;
+	}
+	PORT_Memcpy(tmp_name,email->data,email->len);
+	tmp_name[email->len] = 0;
+
+	entry = nsslowcert_ReadDBSMimeEntry(certHandle,tmp_name);
+	if (entry) {
+	    int count;
+	    SECItem *subjectName = &entry->subjectName;
+
+	    count = nsslowcert_NumPermCertsForSubject(certHandle, subjectName);
+	    pk11_CertSetupData(&certData,count);
+	    nsslowcert_TraversePermCertsForSubject(certHandle, subjectName, 
+						pk11_cert_collect, &certData);
+
+	    nsslowcert_DestroyDBEntry((certDBEntry *)entry);
+	}
+	PORT_Free(tmp_name);
+    } else {
+	/* we aren't filtering the certs, we are working on all, so turn
+	 * on the strict filters. */
+        certData.strict = PR_TRUE;
+	pk11_CertSetupData(&certData,NSC_CERT_BLOCK_SIZE);
+	nsslowcert_TraversePermCerts(certHandle, pk11_cert_collect2, &certData);
+    }
+
+    /*
+     * build the handles
+     */	
+    for (i=0 ; i < certData.cert_count ; i++) {
+	NSSLOWCERTCertificate *cert = certData.certs[i];
+
+	/* if we filtered it would have been on the stuff above */
+	if (classFlags & NSC_CERT) {
+	    pk11_addHandle(handles,
+		pk11_mkHandle(slot,&cert->certKey,PK11_TOKEN_TYPE_CERT));
+	}
+	if ((classFlags & NSC_TRUST) && nsslowcert_hasTrust(cert)) {
+	    pk11_addHandle(handles,
+		pk11_mkHandle(slot,&cert->certKey,PK11_TOKEN_TYPE_TRUST));
+	}
+	nsslowcert_DestroyCertificate(cert);
+    }
+
+    if (certData.certs) PORT_Free(certData.certs);
+    return;
+}
+
+static void
+pk11_searchSMime(PK11Slot *slot, SECItem *email, PK11SearchResults *handles, 
+			CK_ATTRIBUTE *pTemplate, CK_LONG ulCount)
+{
+    NSSLOWCERTCertDBHandle *certHandle = NULL;
+    certDBEntrySMime *entry;
+
+    certHandle = slot->certDB;
+    if (certHandle == NULL) return;
+
+    if (email->data != NULL) {
+	char *tmp_name = (char*)PORT_Alloc(email->len+1);
+
+	if (tmp_name == NULL) {
+	    return;
+	}
+	PORT_Memcpy(tmp_name,email->data,email->len);
+	tmp_name[email->len] = 0;
+
+	entry = nsslowcert_ReadDBSMimeEntry(certHandle,tmp_name);
+	if (entry) {
+	    SECItem emailKey;
+
+	    emailKey.data = (unsigned char *)tmp_name;
+	    emailKey.len = PORT_Strlen(tmp_name)+1;
+	    pk11_addHandle(handles,
+		pk11_mkHandle(slot,&emailKey,PK11_TOKEN_TYPE_SMIME));
+	    nsslowcert_DestroyDBEntry((certDBEntry *)entry);
+	}
+	PORT_Free(tmp_name);
+    }
+    return;
+}
+
+static CK_RV
+pk11_searchTokenList(PK11Slot *slot, PK11SearchResults *search,
+	 		CK_ATTRIBUTE *pTemplate, CK_LONG ulCount, 
+			PRBool *tokenOnly, PRBool isLoggedIn)
+{
+    int i;
+    PRBool isKrl = PR_FALSE;
+    SECItem derCert = { siBuffer, NULL, 0 };
+    SECItem derSubject = { siBuffer, NULL, 0 };
+    SECItem name = { siBuffer, NULL, 0 };
+    SECItem email = { siBuffer, NULL, 0 };
+    SECItem key_id = { siBuffer, NULL, 0 };
+    SECItem cert_sha1_hash = { siBuffer, NULL, 0 };
+    SECItem cert_md5_hash  = { siBuffer, NULL, 0 };
+    NSSLOWCERTIssuerAndSN issuerSN = {
+	{ siBuffer, NULL, 0 },
+	{ siBuffer, NULL, 0 }
+    };
+    SECItem *copy = NULL;
+    unsigned long classFlags = 
+	NSC_CERT|NSC_TRUST|NSC_PRIVATE|NSC_PUBLIC|NSC_KEY|NSC_SMIME|NSC_CRL;
+
+    /* if we aren't logged in, don't look for private or secret keys */
+    if (!isLoggedIn) {
+	classFlags &= ~(NSC_PRIVATE|NSC_KEY);
+    }
+
+    /*
+     * look for things to search on token objects for. If the right options
+     * are specified, we can use them as direct indeces into the database
+     * (rather than using linear searches. We can also use the attributes to
+     * limit the kinds of objects we are searching for. Later we can use this
+     * array to filter the remaining objects more finely.
+     */
+    for (i=0 ;classFlags && i < (int)ulCount; i++) {
+
+	switch (pTemplate[i].type) {
+	case CKA_SUBJECT:
+	    copy = &derSubject;
+	    classFlags &= (NSC_CERT|NSC_PRIVATE|NSC_PUBLIC|NSC_SMIME|NSC_CRL);
+	    break;
+	case CKA_ISSUER: 
+	    copy = &issuerSN.derIssuer;
+	    classFlags &= (NSC_CERT|NSC_TRUST);
+	    break;
+	case CKA_SERIAL_NUMBER: 
+	    copy = &issuerSN.serialNumber;
+	    classFlags &= (NSC_CERT|NSC_TRUST);
+	    break;
+	case CKA_VALUE:
+	    copy = &derCert;
+	    classFlags &= (NSC_CERT|NSC_CRL|NSC_SMIME);
+	    break;
+	case CKA_LABEL:
+	    copy = &name;
+	    break;
+	case CKA_NETSCAPE_EMAIL:
+	    copy = &email;
+	    classFlags &= NSC_SMIME|NSC_CERT;
+	    break;
+	case CKA_NETSCAPE_SMIME_TIMESTAMP:
+	    classFlags &= NSC_SMIME;
+	    break;
+	case CKA_CLASS:
+	    if (pTemplate[i].ulValueLen != sizeof(CK_OBJECT_CLASS)) {
+		classFlags = 0;
+		break;;
+	    }
+	    switch (*((CK_OBJECT_CLASS *)pTemplate[i].pValue)) {
+	    case CKO_CERTIFICATE:
+		classFlags &= NSC_CERT;
+		break;
+	    case CKO_NETSCAPE_TRUST:
+		classFlags &= NSC_TRUST;
+		break;
+	    case CKO_NETSCAPE_CRL:
+		classFlags &= NSC_CRL;
+		break;
+	    case CKO_NETSCAPE_SMIME:
+		classFlags &= NSC_SMIME;
+		break;
+	    case CKO_PRIVATE_KEY:
+		classFlags &= NSC_PRIVATE;
+		break;
+	    case CKO_PUBLIC_KEY:
+		classFlags &= NSC_PUBLIC;
+		break;
+	    case CKO_SECRET_KEY:
+		classFlags &= NSC_KEY;
+		break;
+	    default:
+		classFlags = 0;
+		break;
+	    }
+	    break;
+	case CKA_PRIVATE:
+	    if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) {
+		classFlags = 0;
+	    }
+	    if (*((CK_BBOOL *)pTemplate[i].pValue) == CK_TRUE) {
+		classFlags &= (NSC_PRIVATE|NSC_KEY);
+	    } else {
+		classFlags &= ~(NSC_PRIVATE|NSC_KEY);
+	    }
+	    break;
+	case CKA_SENSITIVE:
+	    if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) {
+		classFlags = 0;
+	    }
+	    if (*((CK_BBOOL *)pTemplate[i].pValue) == CK_TRUE) {
+		classFlags &= (NSC_PRIVATE|NSC_KEY);
+	    } else {
+		classFlags = 0;
+	    }
+	    break;
+	case CKA_TOKEN:
+	    if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) {
+		classFlags = 0;
+	    }
+	    if (*((CK_BBOOL *)pTemplate[i].pValue) == CK_TRUE) {
+		*tokenOnly = PR_TRUE;
+	    } else {
+		classFlags = 0;
+	    }
+	    break;
+	case CKA_CERT_SHA1_HASH:
+	    classFlags &= NSC_TRUST;
+	    copy = &cert_sha1_hash; break;
+	case CKA_CERT_MD5_HASH:
+	    classFlags &= NSC_TRUST;
+	    copy = &cert_md5_hash; break;
+	case CKA_CERTIFICATE_TYPE:
+	    if (pTemplate[i].ulValueLen != sizeof(CK_CERTIFICATE_TYPE)) {
+		classFlags = 0;
+	    }
+	    classFlags &= NSC_CERT;
+	    if (*((CK_CERTIFICATE_TYPE *)pTemplate[i].pValue) != CKC_X_509) {
+		classFlags = 0;
+	    }
+	    break;
+	case CKA_ID:
+	    copy = &key_id;
+	    classFlags &= (NSC_CERT|NSC_PRIVATE|NSC_KEY|NSC_PUBLIC);
+	    break;
+	case CKA_NETSCAPE_KRL:
+	    if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) {
+		classFlags = 0;
+	    }
+	    classFlags &= NSC_CRL;
+	    isKrl = (PRBool)(*((CK_BBOOL *)pTemplate[i].pValue) == CK_TRUE);
+	    break;
+	case CKA_MODIFIABLE:
+	     break;
+	case CKA_KEY_TYPE:
+	case CKA_DERIVE:
+	    classFlags &= NSC_PUBLIC|NSC_PRIVATE|NSC_KEY;
+	    break;
+	case CKA_VERIFY_RECOVER:
+	    classFlags &= NSC_PUBLIC;
+	    break;
+	case CKA_SIGN_RECOVER:
+	    classFlags &= NSC_PRIVATE;
+	    break;
+	case CKA_ENCRYPT:
+	case CKA_VERIFY:
+	case CKA_WRAP:
+	    classFlags &= NSC_PUBLIC|NSC_KEY;
+	    break;
+	case CKA_DECRYPT:
+	case CKA_SIGN:
+	case CKA_UNWRAP:
+	case CKA_ALWAYS_SENSITIVE:
+	case CKA_EXTRACTABLE:
+	case CKA_NEVER_EXTRACTABLE:
+	    classFlags &= NSC_PRIVATE|NSC_KEY;
+	    break;
+	/* can't be a certificate if it doesn't match one of the above 
+	 * attributes */
+	default: 
+	     classFlags  = 0;
+	     break;
+	}
+ 	if (copy) {
+	    copy->data = (unsigned char*)pTemplate[i].pValue;
+	    copy->len = pTemplate[i].ulValueLen;
+	}
+	copy = NULL;
+    }
+
+
+    /* certs */
+    if (classFlags & (NSC_CERT|NSC_TRUST)) {
+	pk11_searchCertsAndTrust(slot,&derCert,&name,&derSubject,
+				 &issuerSN, &email,classFlags,search, 
+				pTemplate, ulCount);
+    }
+
+    /* keys */
+    if (classFlags & (NSC_PRIVATE|NSC_PUBLIC|NSC_KEY)) {
+	pk11_searchKeys(slot, &key_id, isLoggedIn, classFlags, search,
+			pTemplate, ulCount);
+    }
+
+    /* crl's */
+    if (classFlags & NSC_CRL) {
+	pk11_searchCrls(slot, &derSubject, isKrl, classFlags, search,
+			pTemplate, ulCount);
+    }
+    /* Add S/MIME entry stuff */
+    if (classFlags & NSC_SMIME) {
+	pk11_searchSMime(slot, &email, search, pTemplate, ulCount);
+    }
+    return CKR_OK;
+}
+	
+
+/* NSC_FindObjectsInit initializes a search for token and session objects 
+ * that match a template. */
+CK_RV NSC_FindObjectsInit(CK_SESSION_HANDLE hSession,
+    			CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount)
+{
+    PK11SearchResults *search = NULL, *freeSearch = NULL;
+    PK11Session *session = NULL;
+    PK11Slot *slot = pk11_SlotFromSessionHandle(hSession);
+    PRBool tokenOnly = PR_FALSE;
+    CK_RV crv = CKR_OK;
+    PRBool isLoggedIn;
+    
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) {
+	crv = CKR_SESSION_HANDLE_INVALID;
+	goto loser;
+    }
+   
+    search = (PK11SearchResults *)PORT_Alloc(sizeof(PK11SearchResults));
+    if (search == NULL) {
+	crv = CKR_HOST_MEMORY;
+	goto loser;
+    }
+    search->handles = (CK_OBJECT_HANDLE *)
+		PORT_Alloc(sizeof(CK_OBJECT_HANDLE) * NSC_SEARCH_BLOCK_SIZE);
+    if (search->handles == NULL) {
+	crv = CKR_HOST_MEMORY;
+	goto loser;
+    }
+    search->index = 0;
+    search->size = 0;
+    search->array_size = NSC_SEARCH_BLOCK_SIZE;
+    isLoggedIn = (PRBool)((!slot->needLogin) || slot->isLoggedIn);
+
+    crv = pk11_searchTokenList(slot, search, pTemplate, ulCount, &tokenOnly,
+								isLoggedIn);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+    
+    /* build list of found objects in the session */
+    if (!tokenOnly) {
+	crv = pk11_searchObjectList(search, slot->tokObjects,
+			slot->objectLock, pTemplate, ulCount, isLoggedIn);
+    }
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+
+    if ((freeSearch = session->search) != NULL) {
+	session->search = NULL;
+	pk11_FreeSearch(freeSearch);
+    }
+    session->search = search;
+    pk11_FreeSession(session);
+    return CKR_OK;
+
+loser:
+    if (search) {
+	pk11_FreeSearch(search);
+    }
+    if (session) {
+	pk11_FreeSession(session);
+    }
+    return crv;
+}
+
+
+/* NSC_FindObjects continues a search for token and session objects 
+ * that match a template, obtaining additional object handles. */
+CK_RV NSC_FindObjects(CK_SESSION_HANDLE hSession,
+    CK_OBJECT_HANDLE_PTR phObject,CK_ULONG ulMaxObjectCount,
+    					CK_ULONG_PTR pulObjectCount)
+{
+    PK11Session *session;
+    PK11SearchResults *search;
+    int	transfer;
+    int left;
+
+    *pulObjectCount = 0;
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+    if (session->search == NULL) {
+	pk11_FreeSession(session);
+	return CKR_OK;
+    }
+    search = session->search;
+    left = session->search->size - session->search->index;
+    transfer = ((int)ulMaxObjectCount > left) ? left : ulMaxObjectCount;
+    if (transfer > 0) {
+	PORT_Memcpy(phObject,&search->handles[search->index],
+                                        transfer*sizeof(CK_OBJECT_HANDLE_PTR));
+    } else {
+       *phObject = CK_INVALID_HANDLE;
+    }
+
+    search->index += transfer;
+    if (search->index == search->size) {
+	session->search = NULL;
+	pk11_FreeSearch(search);
+    }
+    *pulObjectCount = transfer;
+    pk11_FreeSession(session);
+    return CKR_OK;
+}
+
+/* NSC_FindObjectsFinal finishes a search for token and session objects. */
+CK_RV NSC_FindObjectsFinal(CK_SESSION_HANDLE hSession)
+{
+    PK11Session *session;
+    PK11SearchResults *search;
+
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+    search = session->search;
+    session->search = NULL;
+    pk11_FreeSession(session);
+    if (search != NULL) {
+	pk11_FreeSearch(search);
+    }
+    return CKR_OK;
+}
+
+
+
+CK_RV NSC_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot,
+							 CK_VOID_PTR pReserved)
+{
+    return CKR_FUNCTION_NOT_SUPPORTED;
+}
diff --git a/security/nss/lib/softoken/pkcs11.h b/security/nss/lib/softoken/pkcs11.h
new file mode 100644
index 000000000..9b54421e7
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11.h
@@ -0,0 +1,319 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s): RSA Labs
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
+ * is granted provided that it is identified as "RSA Security In.c Public-Key
+ * Cryptography Standards (PKCS)" in all material mentioning or referencing
+ * this document.
+ *
+ * The latest version of this header can be found at:
+ *    http://www.rsalabs.com/pkcs/pkcs-11/index.html
+ */
+#ifndef _PKCS11_H_
+#define _PKCS11_H_ 1
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Before including this file (pkcs11.h) (or pkcs11t.h by
+ * itself), 6 platform-specific macros must be defined.  These
+ * macros are described below, and typical definitions for them
+ * are also given.  Be advised that these definitions can depend
+ * on both the platform and the compiler used (and possibly also
+ * on whether a PKCS #11 library is linked statically or
+ * dynamically).
+ *
+ * In addition to defining these 6 macros, the packing convention
+ * for PKCS #11 structures should be set.  The PKCS #11
+ * convention on packing is that structures should be 1-byte
+ * aligned.
+ *
+ * In a Win32 environment, this might be done by using the
+ * following preprocessor directive before including pkcs11.h
+ * or pkcs11t.h:
+ *
+ * #pragma pack(push, cryptoki, 1)
+ *
+ * and using the following preprocessor directive after including
+ * pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(pop, cryptoki)
+ *
+ * In a Win16 environment, this might be done by using the
+ * following preprocessor directive before including pkcs11.h
+ * or pkcs11t.h:
+ *
+ * #pragma pack(1)
+ *
+ * In a UNIX environment, you're on your own here.  You might
+ * not need to do anything.
+ *
+ *
+ * Now for the macros:
+ *
+ *
+ * 1. CK_PTR: The indirection string for making a pointer to an
+ * object.  It can be used like this:
+ *
+ * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
+ *
+ * In a Win32 environment, it might be defined by
+ *
+ * #define CK_PTR *
+ *
+ * In a Win16 environment, it might be defined by
+ *
+ * #define CK_PTR far *
+ *
+ * In a UNIX environment, it might be defined by
+ *
+ * #define CK_PTR *
+ *
+ *
+ * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
+ * an exportable PKCS #11 library function definition out of a
+ * return type and a function name.  It should be used in the
+ * following fashion to define the exposed PKCS #11 functions in
+ * a PKCS #11 library:
+ *
+ * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
+ *   CK_VOID_PTR pReserved
+ * )
+ * {
+ *   ...
+ * }
+ *
+ * For defining a function in a Win32 PKCS #11 .dll, it might be
+ * defined by
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ *   returnType __declspec(dllexport) name
+ *
+ * For defining a function in a Win16 PKCS #11 .dll, it might be
+ * defined by
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ *   returnType __export _far _pascal name
+ *
+ * In a UNIX environment, it might be defined by
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ *   returnType name
+ *
+ *
+ * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
+ * an importable PKCS #11 library function declaration out of a
+ * return type and a function name.  It should be used in the
+ * following fashion:
+ *
+ * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
+ *   CK_VOID_PTR pReserved
+ * );
+ *
+ * For declaring a function in a Win32 PKCS #11 .dll, it might
+ * be defined by
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType __declspec(dllimport) name
+ *
+ * For declaring a function in a Win16 PKCS #11 .dll, it might
+ * be defined by
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType __export _far _pascal name
+ *
+ * In a UNIX environment, it might be defined by
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType name
+ *
+ *
+ * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
+ * which makes a PKCS #11 API function pointer declaration or
+ * function pointer type declaration out of a return type and a
+ * function name.  It should be used in the following fashion:
+ *
+ * // Define funcPtr to be a pointer to a PKCS #11 API function
+ * // taking arguments args and returning CK_RV.
+ * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
+ *
+ * or
+ *
+ * // Define funcPtrType to be the type of a pointer to a
+ * // PKCS #11 API function taking arguments args and returning
+ * // CK_RV, and then define funcPtr to be a variable of type
+ * // funcPtrType.
+ * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
+ * funcPtrType funcPtr;
+ *
+ * For accessing functions in a Win32 PKCS #11 .dll, in might be
+ * defined by
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType __declspec(dllimport) (* name)
+ *
+ * For accessing functions in a Win16 PKCS #11 .dll, it might be
+ * defined by
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType __export _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType (* name)
+ *
+ *
+ * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
+ * a function pointer type for an application callback out of
+ * a return type for the callback and a name for the callback.
+ * It should be used in the following fashion:
+ *
+ * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
+ *
+ * to declare a function pointer, myCallback, to a callback
+ * which takes arguments args and returns a CK_RV.  It can also
+ * be used like this:
+ *
+ * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
+ * myCallbackType myCallback;
+ *
+ * In a Win32 environment, it might be defined by
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType (* name)
+ *
+ * In a Win16 environment, it might be defined by
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType (* name)
+ *
+ *
+ * 6. NULL_PTR: This macro is the value of a NULL pointer.
+ *
+ * In any ANSI/ISO C environment (and in many others as well),
+ * this should be defined by
+ *
+ * #ifndef NULL_PTR
+ * #define NULL_PTR 0
+ * #endif
+ */
+
+
+/* All the various PKCS #11 types and #define'd values are in the
+ * file pkcs11t.h. */
+#include "pkcs11t.h"
+
+#define __PASTE(x,y)      x##y
+
+
+/* packing defines */
+#include "pkcs11p.h"
+/* ==============================================================
+ * Define the "extern" form of all the entry points.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST  1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  CK_DECLARE_FUNCTION(CK_RV, name)
+
+/* pkcs11f.h has all the information about the PKCS #11
+ * function prototypes. */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define the typedef form of all the entry points.  That is, for
+ * each PKCS #11 function C_XXX, define a type CK_C_XXX which is
+ * a pointer to that kind of function.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST  1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
+
+/* pkcs11f.h has all the information about the PKCS #11
+ * function prototypes. */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define structed vector of entry points.  A CK_FUNCTION_LIST
+ * contains a CK_VERSION indicating a library's PKCS #11 version
+ * and then a whole slew of function pointers to the routines in
+ * the library.  This type was declared, but not defined, in
+ * pkcs11t.h.
+ * ==============================================================
+ */
+
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  __PASTE(CK_,name) name;
+  
+struct CK_FUNCTION_LIST {
+
+  CK_VERSION    version;  /* PKCS #11 version */
+
+/* Pile all the function pointers into the CK_FUNCTION_LIST. */
+/* pkcs11f.h has all the information about the PKCS #11
+ * function prototypes. */
+#include "pkcs11f.h" 
+
+};
+
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+#undef __PASTE
+
+/* unpack */
+#include "pkcs11u.h"
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c
new file mode 100644
index 000000000..d4dfc1b75
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11c.c
@@ -0,0 +1,5283 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s): 
+ *	Dr Stephen Henson <stephen.henson@gemplus.com>
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * This file implements PKCS 11 on top of our existing security modules
+ *
+ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
+ *   This implementation has two slots:
+ *	slot 1 is our generic crypto support. It does not require login.
+ *   It supports Public Key ops, and all they bulk ciphers and hashes. 
+ *   It can also support Private Key ops for imported Private keys. It does 
+ *   not have any token storage.
+ *	slot 2 is our private key support. It requires a login before use. It
+ *   can store Private Keys and Certs as token objects. Currently only private
+ *   keys and their associated Certificates are saved on the token.
+ *
+ *   In this implementation, session objects are only visible to the session
+ *   that created or generated them.
+ */
+#include "seccomon.h"
+#include "secitem.h"
+#include "secport.h"
+#include "blapi.h"
+#include "pkcs11.h"
+#include "pkcs11i.h"
+#include "lowkeyi.h"
+#include "pcert.h"
+#include "sechash.h"
+#include "secder.h"
+#include "secdig.h"
+#include "lowpbe.h"	/* We do PBE below */
+#include "pkcs11t.h"
+#include "secoid.h"
+#include "alghmac.h"
+#include "softoken.h"
+#include "secasn1.h"
+/*#include "secmodi.h" */
+
+#include "pcert.h"
+#include "ssl3prot.h" 	/* for SSL3_RANDOM_LENGTH */
+
+#define __PASTE(x,y)    x##y
+
+/*
+ * we renamed all our internal functions, get the correct
+ * definitions for them...
+ */ 
+#undef CK_PKCS11_FUNCTION_INFO
+#undef CK_NEED_ARG_LIST
+
+#define CK_EXTERN extern
+#define CK_PKCS11_FUNCTION_INFO(func) \
+		CK_RV __PASTE(NS,func)
+#define CK_NEED_ARG_LIST	1
+ 
+#include "pkcs11f.h"
+
+
+/* forward static declaration. */
+static SECStatus pk11_PRF(const SECItem *secret, const char *label, 
+                          SECItem *seed, SECItem *result);  
+
+#define PK11_OFFSETOF(str, memb) ((PRPtrdiff)(&(((str *)0)->memb)))
+
+static void pk11_Null(void *data, PRBool freeit)
+{
+    return;
+} 
+
+/*
+ * free routines.... Free local type  allocated data, and convert
+ * other free routines to the destroy signature.
+ */
+static void
+pk11_FreePrivKey(NSSLOWKEYPrivateKey *key, PRBool freeit)
+{
+    nsslowkey_DestroyPrivateKey(key);
+}
+
+static void
+pk11_HMAC_Destroy(HMACContext *context, PRBool freeit)
+{
+    HMAC_Destroy(context);
+}
+
+static void
+pk11_Space(void *data, PRBool freeit)
+{
+    PORT_Free(data);
+} 
+
+
+/*
+ * turn a CDMF key into a des key. CDMF is an old IBM scheme to export DES by
+ * Deprecating a full des key to 40 bit key strenth.
+ */
+static CK_RV
+pk11_cdmf2des(unsigned char *cdmfkey, unsigned char *deskey)
+{
+    unsigned char key1[8] = { 0xc4, 0x08, 0xb0, 0x54, 0x0b, 0xa1, 0xe0, 0xae };
+    unsigned char key2[8] = { 0xef, 0x2c, 0x04, 0x1c, 0xe6, 0x38, 0x2f, 0xe6 };
+    unsigned char enc_src[8];
+    unsigned char enc_dest[8];
+    unsigned int leng,i;
+    DESContext *descx;
+    SECStatus rv;
+    
+    
+    /* zero the parity bits */
+    for (i=0; i < 8; i++) {
+	enc_src[i] = cdmfkey[i] & 0xfe;
+    }
+
+    /* encrypt with key 1 */
+    descx = DES_CreateContext(key1, NULL, NSS_DES, PR_TRUE);
+    if (descx == NULL) return CKR_HOST_MEMORY;
+    rv = DES_Encrypt(descx, enc_dest, &leng, 8, enc_src, 8);
+    DES_DestroyContext(descx,PR_TRUE);
+    if (rv != SECSuccess) return CKR_DEVICE_ERROR;
+
+    /* xor source with des, zero the parity bits and depricate the key*/
+    for (i=0; i < 8; i++) {
+	if (i & 1) {
+	    enc_src[i] = (enc_src[i] ^ enc_dest[i]) & 0xfe;
+	} else {
+	    enc_src[i] = (enc_src[i] ^ enc_dest[i]) & 0x0e;
+	}
+    }
+
+    /* encrypt with key 2 */
+    descx = DES_CreateContext(key2, NULL, NSS_DES, PR_TRUE);
+    if (descx == NULL) return CKR_HOST_MEMORY;
+    rv = DES_Encrypt(descx, deskey, &leng, 8, enc_src, 8);
+    DES_DestroyContext(descx,PR_TRUE);
+    if (rv != SECSuccess) return CKR_DEVICE_ERROR;
+
+    /* set the corret parity on our new des key */	
+    pk11_FormatDESKey(deskey, 8);
+    return CKR_OK;
+}
+
+
+static CK_RV
+pk11_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		 CK_OBJECT_HANDLE hKey, CK_ATTRIBUTE_TYPE etype,
+		 PK11ContextType contextType, PRBool isEncrypt);
+/*
+ * Calculate a Lynx checksum for CKM_LYNX_WRAP mechanism.
+ */
+static CK_RV
+pk11_calcLynxChecksum(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hWrapKey,
+	unsigned char *checksum, unsigned char *key, CK_ULONG len)
+{
+
+    CK_BYTE E[10];
+    CK_ULONG Elen = sizeof (E);
+    CK_BYTE C[8];
+    CK_ULONG Clen = sizeof (C);
+    unsigned short sum1 = 0, sum2 = 0;
+    CK_MECHANISM mech = { CKM_DES_ECB, NULL, 0 };
+    int i;
+    CK_RV crv;
+
+    if (len != 8) return CKR_WRAPPED_KEY_LEN_RANGE;
+    
+    /* zero the parity bits */
+    for (i=0; i < 8; i++) {
+	sum1 = sum1 + key[i];
+	sum2 = sum2 + sum1;
+    }
+
+    /* encrypt with key 1 */
+
+    crv = pk11_CryptInit(hSession,&mech,hWrapKey,CKA_WRAP, PK11_ENCRYPT, 
+								PR_TRUE);
+    if (crv != CKR_OK) return crv;
+
+    crv = NSC_Encrypt(hSession,key,len,E,&Elen);
+    if (crv != CKR_OK) return crv;
+
+    E[8] = (sum2 >> 8) & 0xff;
+    E[9] = sum2 & 0xff;
+
+    crv = pk11_CryptInit(hSession,&mech,hWrapKey,CKA_WRAP, PK11_ENCRYPT, 
+								PR_TRUE);
+    if (crv != CKR_OK) return crv;
+
+    crv = NSC_Encrypt(hSession,&E[2],len,C,&Clen);
+    if (crv != CKR_OK) return crv;
+
+    checksum[0] = C[6];
+    checksum[1] = C[7];
+    
+    return CKR_OK;
+}
+/* NSC_DestroyObject destroys an object. */
+CK_RV
+NSC_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
+{
+    PK11Slot *slot = pk11_SlotFromSessionHandle(hSession);
+    PK11Session *session;
+    PK11Object *object;
+    PK11FreeStatus status;
+
+    /*
+     * This whole block just makes sure we really can destroy the
+     * requested object.
+     */
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) {
+        return CKR_SESSION_HANDLE_INVALID;
+    }
+
+    object = pk11_ObjectFromHandle(hObject,session);
+    if (object == NULL) {
+	pk11_FreeSession(session);
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+
+    /* don't destroy a private object if we aren't logged in */
+    if ((!slot->isLoggedIn) && (slot->needLogin) &&
+				(pk11_isTrue(object,CKA_PRIVATE))) {
+	pk11_FreeSession(session);
+	pk11_FreeObject(object);
+	return CKR_USER_NOT_LOGGED_IN;
+    }
+
+    /* don't destroy a token object if we aren't in a rw session */
+
+    if (((session->info.flags & CKF_RW_SESSION) == 0) &&
+				(pk11_isTrue(object,CKA_TOKEN))) {
+	pk11_FreeSession(session);
+	pk11_FreeObject(object);
+	return CKR_SESSION_READ_ONLY;
+    }
+
+    pk11_DeleteObject(session,object);
+
+    pk11_FreeSession(session);
+
+    /*
+     * get some indication if the object is destroyed. Note: this is not
+     * 100%. Someone may have an object reference outstanding (though that
+     * should not be the case by here. Also note that the object is "half"
+     * destroyed. Our internal representation is destroyed, but it may still
+     * be in the data base.
+     */
+    status = pk11_FreeObject(object);
+
+    return (status != PK11_DestroyFailure) ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+
+/*
+ ************** Crypto Functions:     Utilities ************************
+ */
+
+
+/* 
+ * return a context based on the PK11Context type.
+ */
+PK11SessionContext *
+pk11_ReturnContextByType(PK11Session *session, PK11ContextType type)
+{
+    switch (type) {
+	case PK11_ENCRYPT:
+	case PK11_DECRYPT:
+	    return session->enc_context;
+	case PK11_HASH:
+	    return session->hash_context;
+	case PK11_SIGN:
+	case PK11_SIGN_RECOVER:
+	case PK11_VERIFY:
+	case PK11_VERIFY_RECOVER:
+	    return session->hash_context;
+    }
+    return NULL;
+}
+
+/* 
+ * change a context based on the PK11Context type.
+ */
+void
+pk11_SetContextByType(PK11Session *session, PK11ContextType type, 
+						PK11SessionContext *context)
+{
+    switch (type) {
+	case PK11_ENCRYPT:
+	case PK11_DECRYPT:
+	    session->enc_context = context;
+	    break;
+	case PK11_HASH:
+	    session->hash_context = context;
+	    break;
+	case PK11_SIGN:
+	case PK11_SIGN_RECOVER:
+	case PK11_VERIFY:
+	case PK11_VERIFY_RECOVER:
+	    session->hash_context = context;
+	    break;
+    }
+    return;
+}
+
+/*
+ * code to grab the context. Needed by every C_XXXUpdate, C_XXXFinal,
+ * and C_XXX function. The function takes a session handle, the context type,
+ * and wether or not the session needs to be multipart. It returns the context,
+ * and optionally returns the session pointer (if sessionPtr != NULL) if session
+ * pointer is returned, the caller is responsible for freeing it.
+ */
+static CK_RV
+pk11_GetContext(CK_SESSION_HANDLE handle,PK11SessionContext **contextPtr,
+	PK11ContextType type, PRBool needMulti, PK11Session **sessionPtr)
+{
+    PK11Session *session;
+    PK11SessionContext *context;
+
+    session = pk11_SessionFromHandle(handle);
+    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+    context = pk11_ReturnContextByType(session,type);
+    /* make sure the context is valid */
+    if((context==NULL)||(context->type!=type)||(needMulti&&!(context->multi))){
+        pk11_FreeSession(session);
+	return CKR_OPERATION_NOT_INITIALIZED;
+    }
+    *contextPtr = context;
+    if (sessionPtr != NULL) {
+	*sessionPtr = session;
+    } else {
+	pk11_FreeSession(session);
+    }
+    return CKR_OK;
+}
+
+/*
+ ************** Crypto Functions:     Encrypt ************************
+ */
+
+/*
+ * All the NSC_InitXXX functions have a set of common checks and processing they
+ * all need to do at the beginning. This is done here.
+ */
+static CK_RV
+pk11_InitGeneric(PK11Session *session,PK11SessionContext **contextPtr,
+		 PK11ContextType ctype,PK11Object **keyPtr,
+		 CK_OBJECT_HANDLE hKey, CK_KEY_TYPE *keyTypePtr,
+		 CK_OBJECT_CLASS pubKeyType, CK_ATTRIBUTE_TYPE operation)
+{
+    PK11Object *key = NULL;
+    PK11Attribute *att;
+    PK11SessionContext *context;
+
+    /* We can only init if there is not current context active */
+    if (pk11_ReturnContextByType(session,ctype) != NULL) {
+	return CKR_OPERATION_ACTIVE;
+    }
+
+    /* find the key */
+    if (keyPtr) {
+	unsigned int size;
+        key = pk11_ObjectFromHandle(hKey,session);
+        if (key == NULL) {
+	    return CKR_KEY_HANDLE_INVALID;
+    	}
+
+	/* make sure it's a valid  key for this operation */
+	if (((key->objclass != CKO_SECRET_KEY) && (key->objclass != pubKeyType))
+					|| !pk11_isTrue(key,operation)) {
+	    pk11_FreeObject(key);
+	    return CKR_KEY_TYPE_INCONSISTENT;
+	}
+	/* get the key type */
+	att = pk11_FindAttribute(key,CKA_KEY_TYPE);
+	PORT_Assert(att != NULL);
+	size = sizeof(CK_KEY_TYPE);
+	if (att->attrib.ulValueLen < size) {
+	    CK_KEY_TYPE kt;
+	    int i;
+	    int shift;
+#ifdef IS_LITTLE_ENDIAN
+	    shift = 0;
+#else
+	    shift = (att->attrib.ulValueLen - 1) * 8;
+#endif
+	    kt = 0;
+	    for (i=att->attrib.ulValueLen - 1; i>=0; i--) {
+		kt |= ((unsigned char *)att->attrib.pValue)[i] << shift;
+#ifdef IS_LITTLE_ENDIAN
+		shift += 8;
+#else
+		shift -= 8;
+#endif
+	    }
+	    *keyTypePtr = kt;
+	} else {
+ 	    *keyTypePtr = *((CK_KEY_TYPE *)att->attrib.pValue);
+	}
+	pk11_FreeAttribute(att);
+	*keyPtr = key;
+    }
+
+    /* allocate the context structure */
+    context = (PK11SessionContext *)PORT_Alloc(sizeof(PK11SessionContext));
+    if (context == NULL) {
+	if (key) pk11_FreeObject(key);
+	return CKR_HOST_MEMORY;
+    }
+    context->type = ctype;
+    context->multi = PR_TRUE;
+    context->cipherInfo = NULL;
+    context->hashInfo = NULL;
+    context->doPad = PR_FALSE;
+    context->padDataLength = 0;
+    context->key = key;
+
+    *contextPtr = context;
+    return CKR_OK;
+}
+
+/* NSC_CryptInit initializes an encryption/Decryption operation. */
+/* This function is used by NSC_EncryptInit and NSC_WrapKey. The only difference
+ * in their uses if whether or not etype is CKA_ENCRYPT or CKA_WRAP */
+static CK_RV
+pk11_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		 CK_OBJECT_HANDLE hKey, CK_ATTRIBUTE_TYPE etype,
+		 PK11ContextType contextType, PRBool isEncrypt)
+{
+    PK11Session *session;
+    PK11Object *key;
+    PK11SessionContext *context;
+    PK11Attribute *att;
+    CK_RC2_CBC_PARAMS *rc2_param;
+#if NSS_SOFTOKEN_DOES_RC5
+    CK_RC5_CBC_PARAMS *rc5_param;
+    SECItem rc5Key;
+#endif
+    CK_KEY_TYPE key_type;
+    CK_RV crv = CKR_OK;
+    unsigned effectiveKeyLength;
+    unsigned char newdeskey[8];
+    PRBool useNewKey=PR_FALSE;
+    int t;
+
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+
+    crv = pk11_InitGeneric(session,&context,contextType,&key,hKey,&key_type,
+    			isEncrypt ?CKO_PUBLIC_KEY:CKO_PRIVATE_KEY, etype);
+						
+    if (crv != CKR_OK) {
+	pk11_FreeSession(session);
+	return crv;
+    }
+
+    context->doPad = PR_FALSE;
+    switch(pMechanism->mechanism) {
+    case CKM_RSA_PKCS:
+    case CKM_RSA_X_509:
+	if (key_type != CKK_RSA) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	context->multi = PR_FALSE;
+	context->cipherInfo =  isEncrypt ? 
+			(void *)pk11_GetPubKey(key,CKK_RSA) :
+					(void *)pk11_GetPrivKey(key,CKK_RSA);
+	if (context->cipherInfo == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	if (isEncrypt) {
+	    context->update = (PK11Cipher) 
+		(pMechanism->mechanism == CKM_RSA_X_509
+					? RSA_EncryptRaw : RSA_EncryptBlock);
+	} else {
+	    context->update = (PK11Cipher) 
+		(pMechanism->mechanism == CKM_RSA_X_509
+					? RSA_DecryptRaw : RSA_DecryptBlock);
+	}
+	context->destroy = pk11_Null;
+	break;
+    case CKM_RC2_CBC_PAD:
+	context->doPad = PR_TRUE;
+	context->blockSize = 8;
+	/* fall thru */
+    case CKM_RC2_ECB:
+    case CKM_RC2_CBC:
+	if (key_type != CKK_RC2) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	att = pk11_FindAttribute(key,CKA_VALUE);
+	if (att == NULL) {
+	    crv = CKR_KEY_HANDLE_INVALID;
+	    break;
+	}
+	rc2_param = (CK_RC2_CBC_PARAMS *)pMechanism->pParameter;
+	effectiveKeyLength = (rc2_param->ulEffectiveBits+7)/8;
+	context->cipherInfo = 
+	    RC2_CreateContext((unsigned char*)att->attrib.pValue,
+			      att->attrib.ulValueLen, rc2_param->iv,
+			      pMechanism->mechanism == CKM_RC2_ECB ? NSS_RC2 :
+			      NSS_RC2_CBC,effectiveKeyLength);
+	pk11_FreeAttribute(att);
+	if (context->cipherInfo == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	context->update = (PK11Cipher) (isEncrypt ? RC2_Encrypt : RC2_Decrypt);
+	context->destroy = (PK11Destroy) RC2_DestroyContext;
+	break;
+#if NSS_SOFTOKEN_DOES_RC5
+    case CKM_RC5_CBC_PAD:
+	context->doPad = PR_TRUE;
+	/* fall thru */
+    case CKM_RC5_ECB:
+    case CKM_RC5_CBC:
+	if (key_type != CKK_RC5) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	att = pk11_FindAttribute(key,CKA_VALUE);
+	if (att == NULL) {
+	    crv = CKR_KEY_HANDLE_INVALID;
+	    break;
+	}
+	rc5_param = (CK_RC5_CBC_PARAMS *)pMechanism->pParameter;
+	if (context->doPad) {
+	   context->blockSize = rc5_param->ulWordsize*2;
+	}
+	rc5Key.data = (unsigned char*)att->attrib.pValue;
+	rc5Key.len = att->attrib.ulValueLen;
+	context->cipherInfo = RC5_CreateContext(&rc5Key,rc5_param->ulRounds,
+	   rc5_param->ulWordsize,rc5_param->pIv,
+		 pMechanism->mechanism == CKM_RC5_ECB ? NSS_RC5 : NSS_RC5_CBC);
+	pk11_FreeAttribute(att);
+	if (context->cipherInfo == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	context->update = (PK11Cipher) (isEncrypt ? RC5_Encrypt : RC5_Decrypt);
+	context->destroy = (PK11Destroy) RC5_DestroyContext;
+	break;
+#endif
+    case CKM_RC4:
+	if (key_type != CKK_RC4) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	att = pk11_FindAttribute(key,CKA_VALUE);
+	if (att == NULL) {
+	    crv = CKR_KEY_HANDLE_INVALID;
+	    break;
+	}
+	context->cipherInfo = 
+	    RC4_CreateContext((unsigned char*)att->attrib.pValue,
+			      att->attrib.ulValueLen);
+	pk11_FreeAttribute(att);
+	if (context->cipherInfo == NULL) {
+	    crv = CKR_HOST_MEMORY;  /* WRONG !!! */
+	    break;
+	}
+	context->update = (PK11Cipher) (isEncrypt ? RC4_Encrypt : RC4_Decrypt);
+	context->destroy = (PK11Destroy) RC4_DestroyContext;
+	break;
+    case CKM_CDMF_CBC_PAD:
+	context->doPad = PR_TRUE;
+	context->blockSize = 8;
+	/* fall thru */
+    case CKM_CDMF_ECB:
+    case CKM_CDMF_CBC:
+	if (key_type != CKK_CDMF) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	t = (pMechanism->mechanism == CKM_CDMF_ECB) ? NSS_DES : NSS_DES_CBC;
+	useNewKey=PR_TRUE;
+	if (crv != CKR_OK) break;
+	goto finish_des;
+    case CKM_DES_ECB:
+	if (key_type != CKK_DES) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	t = NSS_DES;
+	goto finish_des;
+    case CKM_DES_CBC_PAD:
+	context->doPad = PR_TRUE;
+	context->blockSize = 8;
+	/* fall thru */
+    case CKM_DES_CBC:
+	if (key_type != CKK_DES) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	t = NSS_DES_CBC;
+	goto finish_des;
+    case CKM_DES3_ECB:
+	if ((key_type != CKK_DES2) && (key_type != CKK_DES3)) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	t = NSS_DES_EDE3;
+	goto finish_des;
+    case CKM_DES3_CBC_PAD:
+	context->doPad = PR_TRUE;
+	context->blockSize = 8;
+	/* fall thru */
+    case CKM_DES3_CBC:
+	if ((key_type != CKK_DES2) && (key_type != CKK_DES3)) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	t = NSS_DES_EDE3_CBC;
+finish_des:
+	att = pk11_FindAttribute(key,CKA_VALUE);
+	if (att == NULL) {
+	    crv = CKR_KEY_HANDLE_INVALID;
+	    break;
+	}
+	if (useNewKey) {
+	    crv = pk11_cdmf2des((unsigned char*)att->attrib.pValue,newdeskey);
+	    if (crv != CKR_OK) {
+		pk11_FreeAttribute(att);
+		break;
+	     }
+	}
+	context->cipherInfo = DES_CreateContext(
+		useNewKey ? newdeskey : (unsigned char*)att->attrib.pValue,
+		(unsigned char*)pMechanism->pParameter,t, isEncrypt);
+	pk11_FreeAttribute(att);
+	if (context->cipherInfo == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	context->update = (PK11Cipher) (isEncrypt ? DES_Encrypt : DES_Decrypt);
+	context->destroy = (PK11Destroy) DES_DestroyContext;
+
+	break;
+    case CKM_AES_CBC_PAD:
+	context->doPad = PR_TRUE;
+	context->blockSize = 16;
+	/* fall thru */
+    case CKM_AES_ECB:
+    case CKM_AES_CBC:
+	if (key_type != CKK_AES) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	att = pk11_FindAttribute(key,CKA_VALUE);
+	if (att == NULL) {
+	    crv = CKR_KEY_HANDLE_INVALID;
+	    break;
+	}
+	context->cipherInfo = AES_CreateContext(
+	    (unsigned char*)att->attrib.pValue,
+	    (unsigned char*)pMechanism->pParameter,
+	    pMechanism->mechanism == CKM_AES_ECB ? NSS_AES : NSS_AES_CBC,
+	    isEncrypt, att->attrib.ulValueLen, 16);
+	pk11_FreeAttribute(att);
+	if (context->cipherInfo == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	context->update = (PK11Cipher) (isEncrypt ? AES_Encrypt : AES_Decrypt);
+	context->destroy = (PK11Destroy) AES_DestroyContext;
+
+	break;
+    default:
+	crv = CKR_MECHANISM_INVALID;
+	break;
+    }
+
+    if (crv != CKR_OK) {
+        pk11_FreeContext(context);
+	pk11_FreeSession(session);
+	return crv;
+    }
+    pk11_SetContextByType(session, contextType, context);
+    pk11_FreeSession(session);
+    return CKR_OK;
+}
+
+/* NSC_EncryptInit initializes an encryption operation. */
+CK_RV NSC_EncryptInit(CK_SESSION_HANDLE hSession,
+		 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+    return pk11_CryptInit(hSession, pMechanism, hKey, CKA_ENCRYPT, 
+						PK11_ENCRYPT, PR_TRUE);
+}
+
+/* NSC_EncryptUpdate continues a multiple-part encryption operation. */
+CK_RV NSC_EncryptUpdate(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pPart, CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,	
+					CK_ULONG_PTR pulEncryptedPartLen)
+{
+    PK11SessionContext *context;
+    unsigned int outlen,i;
+    unsigned int padoutlen = 0;
+    unsigned int maxout = *pulEncryptedPartLen;
+    CK_RV crv;
+    SECStatus rv;
+
+    /* make sure we're legal */
+    crv = pk11_GetContext(hSession,&context,PK11_ENCRYPT,PR_TRUE,NULL);
+    if (crv != CKR_OK) return crv;
+
+    /* do padding */
+    if (context->doPad) {
+	/* deal with previous buffered data */
+	if (context->padDataLength != 0) {
+	    /* fill in the padded to a full block size */
+	    for (i=context->padDataLength; 
+			(ulPartLen != 0) && i < context->blockSize; i++) {
+		context->padBuf[i] = *pPart++;
+		ulPartLen--;
+		context->padDataLength++;
+	    }
+
+	    /* not enough data to encrypt yet? then return */
+	    if (context->padDataLength != context->blockSize) {
+		*pulEncryptedPartLen = 0;
+		return CKR_OK;
+	    }
+	    /* encrypt the current padded data */
+    	    rv = (*context->update)(context->cipherInfo,pEncryptedPart, 
+		&outlen,context->blockSize,context->padBuf,context->blockSize);
+    	    if (rv != SECSuccess) return CKR_DEVICE_ERROR;
+	    pEncryptedPart += padoutlen;
+	    maxout -= padoutlen;
+	}
+	/* save the residual */
+	context->padDataLength = ulPartLen % context->blockSize;
+	if (context->padDataLength) {
+	    PORT_Memcpy(context->padBuf,
+			&pPart[ulPartLen-context->padDataLength],
+							context->padDataLength);
+	    ulPartLen -= context->padDataLength;
+	}
+	/* if we've exhausted our new buffer, we're done */
+	if (ulPartLen == 0) {
+	    *pulEncryptedPartLen = padoutlen;
+	    return CKR_OK;
+	}
+    }
+	
+
+
+    /* do it: NOTE: this assumes buf size in is >= buf size out! */
+    rv = (*context->update)(context->cipherInfo,pEncryptedPart, 
+					&outlen, maxout, pPart, ulPartLen);
+    *pulEncryptedPartLen = (CK_ULONG) (outlen + padoutlen);
+    return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+
+/* NSC_EncryptFinal finishes a multiple-part encryption operation. */
+CK_RV NSC_EncryptFinal(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pulLastEncryptedPartLen)
+{
+    PK11Session *session;
+    PK11SessionContext *context;
+    unsigned int outlen,i;
+    unsigned int maxout = *pulLastEncryptedPartLen;
+    CK_RV crv;
+    SECStatus rv = SECSuccess;
+
+    /* make sure we're legal */
+    crv = pk11_GetContext(hSession,&context,PK11_ENCRYPT,PR_TRUE,&session);
+    if (crv != CKR_OK) return crv;
+
+    *pulLastEncryptedPartLen = 0;
+
+    /* do padding */
+    if (context->doPad) {
+	unsigned char  padbyte = (unsigned char) 
+				(context->blockSize - context->padDataLength); 
+	/* fill out rest of pad buffer with pad magic*/
+	for (i=context->padDataLength; i < context->blockSize; i++) {
+	    context->padBuf[i] = padbyte;
+	}
+	rv = (*context->update)(context->cipherInfo,pLastEncryptedPart, 
+			&outlen, maxout, context->padBuf, context->blockSize);
+	if (rv == SECSuccess) *pulLastEncryptedPartLen = (CK_ULONG) outlen;
+    }
+
+    /* do it */
+    pk11_SetContextByType(session, PK11_ENCRYPT, NULL);
+    pk11_FreeContext(context);
+    pk11_FreeSession(session);
+    return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+/* NSC_Encrypt encrypts single-part data. */
+CK_RV NSC_Encrypt (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+    		CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData,
+					 CK_ULONG_PTR pulEncryptedDataLen)
+{
+    PK11Session *session;
+    PK11SessionContext *context;
+    unsigned int outlen;
+    unsigned int maxoutlen = *pulEncryptedDataLen;
+    CK_RV crv;
+    CK_RV crv2;
+    SECStatus rv;
+
+    /* make sure we're legal */
+    crv = pk11_GetContext(hSession,&context,PK11_ENCRYPT,PR_FALSE,&session);
+    if (crv != CKR_OK) return crv;
+
+    if (context->doPad) {
+	CK_ULONG finalLen;
+	/* padding is fairly complicated, have the update and final 
+	 * code deal with it */
+        pk11_FreeSession(session);
+	crv = NSC_EncryptUpdate(hSession,pData,ulDataLen,pEncryptedData,
+							pulEncryptedDataLen);
+	if (crv != CKR_OK) *pulEncryptedDataLen = 0;
+	maxoutlen -= *pulEncryptedDataLen;
+	pEncryptedData += *pulEncryptedDataLen;
+	finalLen = maxoutlen;
+	crv2 = NSC_EncryptFinal(hSession, pEncryptedData, &finalLen);
+	if (crv2 == CKR_OK) { *pulEncryptedDataLen += finalLen; }
+	return crv == CKR_OK ? crv2 :crv;
+    }
+	
+
+    /* do it: NOTE: this assumes buf size is big enough. */
+    rv = (*context->update)(context->cipherInfo, pEncryptedData, 
+					&outlen, maxoutlen, pData, ulDataLen);
+    *pulEncryptedDataLen = (CK_ULONG) outlen;
+    pk11_FreeContext(context);
+    pk11_SetContextByType(session, PK11_ENCRYPT, NULL);
+    pk11_FreeSession(session);
+
+    return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+
+/*
+ ************** Crypto Functions:     Decrypt ************************
+ */
+
+/* NSC_DecryptInit initializes a decryption operation. */
+CK_RV NSC_DecryptInit( CK_SESSION_HANDLE hSession,
+			 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+    return pk11_CryptInit(hSession, pMechanism, hKey, CKA_DECRYPT,
+						PK11_DECRYPT, PR_FALSE);
+}
+
+/* NSC_DecryptUpdate continues a multiple-part decryption operation. */
+CK_RV NSC_DecryptUpdate(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pEncryptedPart, CK_ULONG ulEncryptedPartLen,
+    				CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen)
+{
+    PK11SessionContext *context;
+    unsigned int padoutlen = 0;
+    unsigned int outlen;
+    unsigned int maxout = *pulPartLen;
+    CK_RV crv;
+    SECStatus rv;
+
+    /* make sure we're legal */
+    crv = pk11_GetContext(hSession,&context,PK11_DECRYPT,PR_TRUE,NULL);
+    if (crv != CKR_OK) return crv;
+
+    if (context->doPad) {
+	/* first decrypt our saved buffer */
+	if (context->padDataLength != 0) {
+    	    rv = (*context->update)(context->cipherInfo, pPart, &padoutlen,
+		 maxout, context->padBuf, context->blockSize);
+    	    if (rv != SECSuccess)  return CKR_DEVICE_ERROR;
+	    pPart += padoutlen;
+	    maxout -= padoutlen;
+	}
+	/* now save the final block for the next decrypt or the final */
+	PORT_Memcpy(context->padBuf,&pEncryptedPart[ulEncryptedPartLen -
+				context->blockSize], context->blockSize);
+	context->padDataLength = context->blockSize;
+	ulEncryptedPartLen -= context->padDataLength;
+    }
+
+    /* do it: NOTE: this assumes buf size in is >= buf size out! */
+    rv = (*context->update)(context->cipherInfo,pPart, &outlen,
+		 maxout, pEncryptedPart, ulEncryptedPartLen);
+    *pulPartLen = (CK_ULONG) (outlen + padoutlen);
+    return (rv == SECSuccess)  ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+
+/* NSC_DecryptFinal finishes a multiple-part decryption operation. */
+CK_RV NSC_DecryptFinal(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pLastPart, CK_ULONG_PTR pulLastPartLen)
+{
+    PK11Session *session;
+    PK11SessionContext *context;
+    unsigned int outlen;
+    unsigned int maxout = *pulLastPartLen;
+    CK_RV crv;
+    SECStatus rv = SECSuccess;
+
+    /* make sure we're legal */
+    crv = pk11_GetContext(hSession,&context,PK11_DECRYPT,PR_TRUE,&session);
+    if (crv != CKR_OK) return crv;
+
+    *pulLastPartLen = 0;
+    if (context->doPad) {
+	/* decrypt our saved buffer */
+	if (context->padDataLength != 0) {
+	    /* this assumes that pLastPart is big enough to hold the *whole*
+	     * buffer!!! */
+    	    rv = (*context->update)(context->cipherInfo, pLastPart, &outlen,
+		 maxout, context->padBuf, context->blockSize);
+    	    if (rv == SECSuccess) {
+		unsigned int padSize = 
+			    (unsigned int) pLastPart[context->blockSize-1];
+		if ((padSize > context->blockSize) || (padSize == 0)) {
+		    rv = SECFailure;
+		} else {
+		    *pulLastPartLen = outlen - padSize;
+		}
+	    }
+	}
+    }
+
+    /* do it */
+    pk11_SetContextByType(session, PK11_DECRYPT, NULL);
+    pk11_FreeContext(context);
+    pk11_FreeSession(session);
+    return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+/* NSC_Decrypt decrypts encrypted data in a single part. */
+CK_RV NSC_Decrypt(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pEncryptedData,CK_ULONG ulEncryptedDataLen,CK_BYTE_PTR pData,
+    						CK_ULONG_PTR pulDataLen)
+{
+    PK11Session *session;
+    PK11SessionContext *context;
+    unsigned int outlen;
+    unsigned int maxoutlen = *pulDataLen;
+    CK_RV crv;
+    CK_RV crv2;
+    SECStatus rv;
+
+    /* make sure we're legal */
+    crv = pk11_GetContext(hSession,&context,PK11_DECRYPT,PR_FALSE,&session);
+    if (crv != CKR_OK) return crv;
+
+    if (context->doPad) {
+	CK_ULONG finalLen;
+	/* padding is fairly complicated, have the update and final 
+	 * code deal with it */
+        pk11_FreeSession(session);
+	crv = NSC_DecryptUpdate(hSession,pEncryptedData,ulEncryptedDataLen,
+							pData, pulDataLen);
+	if (crv != CKR_OK) *pulDataLen = 0;
+	maxoutlen -= *pulDataLen;
+	pData += *pulDataLen;
+	finalLen = maxoutlen;
+	crv2 = NSC_DecryptFinal(hSession, pData, &finalLen);
+	if (crv2 == CKR_OK) { *pulDataLen += finalLen; }
+	return crv == CKR_OK ? crv2 :crv;
+    }
+
+    rv = (*context->update)(context->cipherInfo, pData, &outlen, maxoutlen, 
+					pEncryptedData, ulEncryptedDataLen);
+    *pulDataLen = (CK_ULONG) outlen;
+    pk11_FreeContext(context);
+    pk11_SetContextByType(session, PK11_DECRYPT, NULL);
+    pk11_FreeSession(session);
+    return (rv == SECSuccess)  ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+
+
+/*
+ ************** Crypto Functions:     Digest (HASH)  ************************
+ */
+
+/* NSC_DigestInit initializes a message-digesting operation. */
+CK_RV NSC_DigestInit(CK_SESSION_HANDLE hSession,
+    					CK_MECHANISM_PTR pMechanism)
+{
+    PK11Session *session;
+    PK11SessionContext *context;
+    MD2Context *md2_context;
+    MD5Context *md5_context;
+    SHA1Context *sha1_context;
+    CK_RV crv = CKR_OK;
+
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+    crv = pk11_InitGeneric(session,&context,PK11_HASH,NULL,0,NULL, 0, 0);
+    if (crv != CKR_OK) {
+	pk11_FreeSession(session);
+	return crv;
+    }
+
+    switch(pMechanism->mechanism) {
+    case CKM_MD2:
+	md2_context = MD2_NewContext();
+	context->cipherInfo = (void *)md2_context;
+	context->cipherInfoLen = MD2_FlattenSize(md2_context);
+	context->currentMech = CKM_MD2;
+        if (context->cipherInfo == NULL) {
+	    crv= CKR_HOST_MEMORY;
+	    
+	}
+	context->hashUpdate = (PK11Hash) MD2_Update;
+	context->end = (PK11End) MD2_End;
+	context->destroy = (PK11Destroy) MD2_DestroyContext;
+	MD2_Begin(md2_context);
+	break;
+    case CKM_MD5:
+	md5_context = MD5_NewContext();
+	context->cipherInfo = (void *)md5_context;
+	context->cipherInfoLen = MD5_FlattenSize(md5_context);
+	context->currentMech = CKM_MD5;
+        if (context->cipherInfo == NULL) {
+	    crv= CKR_HOST_MEMORY;
+	    
+	}
+	context->hashUpdate = (PK11Hash) MD5_Update;
+	context->end = (PK11End) MD5_End;
+	context->destroy = (PK11Destroy) MD5_DestroyContext;
+	MD5_Begin(md5_context);
+	break;
+    case CKM_SHA_1:
+	sha1_context = SHA1_NewContext();
+	context->cipherInfo = (void *)sha1_context;
+	context->cipherInfoLen = SHA1_FlattenSize(sha1_context);
+	context->currentMech = CKM_SHA_1;
+        if (context->cipherInfo == NULL) {
+	    crv= CKR_HOST_MEMORY;
+	    break;
+	}
+	context->hashUpdate = (PK11Hash) SHA1_Update;
+	context->end = (PK11End) SHA1_End;
+	context->destroy = (PK11Destroy) SHA1_DestroyContext;
+	SHA1_Begin(sha1_context);
+	break;
+    default:
+	crv = CKR_MECHANISM_INVALID;
+	break;
+    }
+
+    if (crv != CKR_OK) {
+        pk11_FreeContext(context);
+	pk11_FreeSession(session);
+	return crv;
+    }
+    pk11_SetContextByType(session, PK11_HASH, context);
+    pk11_FreeSession(session);
+    return CKR_OK;
+}
+
+
+/* NSC_Digest digests data in a single part. */
+CK_RV NSC_Digest(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pDigest,
+    						CK_ULONG_PTR pulDigestLen)
+{
+    PK11Session *session;
+    PK11SessionContext *context;
+    unsigned int digestLen;
+    unsigned int maxout = *pulDigestLen;
+    CK_RV crv;
+
+    /* make sure we're legal */
+    crv = pk11_GetContext(hSession,&context,PK11_HASH,PR_FALSE,&session);
+    if (crv != CKR_OK) return crv;
+
+    /* do it: */
+    (*context->hashUpdate)(context->cipherInfo, pData, ulDataLen);
+    /*  NOTE: this assumes buf size is bigenough for the algorithm */
+    (*context->end)(context->cipherInfo, pDigest, &digestLen,maxout);
+    *pulDigestLen = digestLen;
+
+    pk11_SetContextByType(session, PK11_HASH, NULL);
+    pk11_FreeContext(context);
+    pk11_FreeSession(session);
+    return CKR_OK;
+}
+
+
+/* NSC_DigestUpdate continues a multiple-part message-digesting operation. */
+CK_RV NSC_DigestUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
+					    CK_ULONG ulPartLen)
+{
+    PK11SessionContext *context;
+    CK_RV crv;
+
+    /* make sure we're legal */
+    crv = pk11_GetContext(hSession,&context,PK11_HASH,PR_TRUE,NULL);
+    if (crv != CKR_OK) return crv;
+    /* do it: */
+    (*context->hashUpdate)(context->cipherInfo, pPart, ulPartLen);
+    return CKR_OK;
+}
+
+
+/* NSC_DigestFinal finishes a multiple-part message-digesting operation. */
+CK_RV NSC_DigestFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pDigest,
+    						CK_ULONG_PTR pulDigestLen)
+{
+    PK11Session *session;
+    PK11SessionContext *context;
+    unsigned int maxout = *pulDigestLen;
+    unsigned int digestLen;
+    CK_RV crv;
+
+    /* make sure we're legal */
+    crv = pk11_GetContext(hSession, &context, PK11_HASH, PR_TRUE, &session);
+    if (crv != CKR_OK) return crv;
+
+    if (pDigest != NULL) {
+        (*context->end)(context->cipherInfo, pDigest, &digestLen, maxout);
+        *pulDigestLen = digestLen;
+    } else {
+	*pulDigestLen = 0;
+    }
+
+    pk11_SetContextByType(session, PK11_HASH, NULL);
+    pk11_FreeContext(context);
+    pk11_FreeSession(session);
+    return CKR_OK;
+}
+
+/*
+ * this helper functions are used by Generic Macing and Signing functions
+ * that use hashes as part of their operations. 
+ */
+static CK_RV
+pk11_doSubMD2(PK11SessionContext *context) {
+	MD2Context *md2_context = MD2_NewContext();
+	context->hashInfo = (void *)md2_context;
+        if (context->hashInfo == NULL) {
+	    return CKR_HOST_MEMORY;
+	}
+	context->hashUpdate = (PK11Hash) MD2_Update;
+	context->end = (PK11End) MD2_End;
+	context->hashdestroy = (PK11Destroy) MD2_DestroyContext;
+	MD2_Begin(md2_context);
+	return CKR_OK;
+}
+
+static CK_RV
+pk11_doSubMD5(PK11SessionContext *context) {
+	MD5Context *md5_context = MD5_NewContext();
+	context->hashInfo = (void *)md5_context;
+        if (context->hashInfo == NULL) {
+	    return CKR_HOST_MEMORY;
+	}
+	context->hashUpdate = (PK11Hash) MD5_Update;
+	context->end = (PK11End) MD5_End;
+	context->hashdestroy = (PK11Destroy) MD5_DestroyContext;
+	MD5_Begin(md5_context);
+	return CKR_OK;
+}
+
+static CK_RV
+pk11_doSubSHA1(PK11SessionContext *context) {
+	SHA1Context *sha1_context = SHA1_NewContext();
+	context->hashInfo = (void *)sha1_context;
+        if (context->hashInfo == NULL) {
+	    return CKR_HOST_MEMORY;
+	}
+	context->hashUpdate = (PK11Hash) SHA1_Update;
+	context->end = (PK11End) SHA1_End;
+	context->hashdestroy = (PK11Destroy) SHA1_DestroyContext;
+	SHA1_Begin(sha1_context);
+	return CKR_OK;
+}
+
+/*
+ * HMAC General copies only a portion of the result. This update routine likes
+ * the final HMAC output with the signature.
+ */
+static SECStatus
+pk11_HMACCopy(CK_ULONG *copyLen,unsigned char *sig,unsigned int *sigLen,
+		unsigned int maxLen,unsigned char *hash, unsigned int hashLen)
+{
+    if (maxLen < *copyLen) return SECFailure;
+    PORT_Memcpy(sig,hash,*copyLen);
+    *sigLen = *copyLen;
+    return SECSuccess;
+}
+
+/* Verify is just a compare for HMAC */
+static SECStatus
+pk11_HMACCmp(CK_ULONG *copyLen,unsigned char *sig,unsigned int sigLen,
+				unsigned char *hash, unsigned int hashLen)
+{
+    return PORT_Memcmp(sig,hash,*copyLen) ? SECSuccess : SECFailure ;
+}
+
+/*
+ * common HMAC initalization routine
+ */
+static CK_RV
+pk11_doHMACInit(PK11SessionContext *context,HASH_HashType hash,
+					PK11Object *key, CK_ULONG mac_size)
+{
+    PK11Attribute *keyval;
+    HMACContext *HMACcontext;
+    CK_ULONG *intpointer;
+    const SECHashObject *hashObj = &SECRawHashObjects[hash];
+
+    keyval = pk11_FindAttribute(key,CKA_VALUE);
+    if (keyval == NULL) return CKR_KEY_SIZE_RANGE;
+
+    HMACcontext = HMAC_Create(hashObj, 
+		(const unsigned char*)keyval->attrib.pValue,
+						 keyval->attrib.ulValueLen);
+    context->hashInfo = HMACcontext;
+    context->multi = PR_TRUE;
+    pk11_FreeAttribute(keyval);
+    if (context->hashInfo == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+    context->hashUpdate = (PK11Hash) HMAC_Update;
+    context->end = (PK11End) HMAC_Finish;
+
+    context->hashdestroy = (PK11Destroy) pk11_HMAC_Destroy;
+    intpointer = (CK_ULONG *) PORT_Alloc(sizeof(CK_ULONG));
+    if (intpointer == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+    *intpointer = mac_size;
+    context->cipherInfo = (void *) intpointer;
+    context->destroy = (PK11Destroy) pk11_Space;
+    context->update = (PK11Cipher) pk11_HMACCopy;
+    context->verify = (PK11Verify) pk11_HMACCmp;
+    HMAC_Begin(HMACcontext);
+    return CKR_OK;
+}
+
+/*
+ *  SSL Macing support. SSL Macs are inited, then update with the base
+ * hashing algorithm, then finalized in sign and verify
+ */
+
+/*
+ * FROM SSL:
+ * 60 bytes is 3 times the maximum length MAC size that is supported.
+ * We probably should have one copy of this table. We still need this table
+ * in ssl to 'sign' the handshake hashes.
+ */
+static unsigned char ssl_pad_1 [60] = {
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36
+};
+static unsigned char ssl_pad_2 [60] = {
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c
+};
+
+static SECStatus
+pk11_SSLMACSign(PK11SSLMACInfo *info,unsigned char *sig,unsigned int *sigLen,
+		unsigned int maxLen,unsigned char *hash, unsigned int hashLen)
+{
+    unsigned char tmpBuf[PK11_MAX_MAC_LENGTH];
+    unsigned int out;
+
+    info->begin(info->hashContext);
+    info->update(info->hashContext,info->key,info->keySize);
+    info->update(info->hashContext,ssl_pad_2,info->padSize);
+    info->update(info->hashContext,hash,hashLen);
+    info->end(info->hashContext,tmpBuf,&out,PK11_MAX_MAC_LENGTH);
+    PORT_Memcpy(sig,tmpBuf,info->macSize);
+    *sigLen = info->macSize;
+    return SECSuccess;
+}
+
+static SECStatus
+pk11_SSLMACVerify(PK11SSLMACInfo *info,unsigned char *sig,unsigned int sigLen,
+		unsigned char *hash, unsigned int hashLen)
+{
+    unsigned char tmpBuf[PK11_MAX_MAC_LENGTH];
+    unsigned int out;
+
+    info->begin(info->hashContext);
+    info->update(info->hashContext,info->key,info->keySize);
+    info->update(info->hashContext,ssl_pad_2,info->padSize);
+    info->update(info->hashContext,hash,hashLen);
+    info->end(info->hashContext,tmpBuf,&out,PK11_MAX_MAC_LENGTH);
+    return (PORT_Memcmp(sig,tmpBuf,info->macSize) == 0) ? 
+						SECSuccess : SECFailure;
+}
+
+/*
+ * common HMAC initalization routine
+ */
+static CK_RV
+pk11_doSSLMACInit(PK11SessionContext *context,SECOidTag oid,
+					PK11Object *key, CK_ULONG mac_size)
+{
+    PK11Attribute *keyval;
+    PK11Begin begin;
+    int padSize;
+    PK11SSLMACInfo *sslmacinfo;
+    CK_RV crv = CKR_MECHANISM_INVALID;
+
+    if (oid == SEC_OID_SHA1) {
+	crv = pk11_doSubSHA1(context);
+	begin = (PK11Begin) SHA1_Begin;
+	if (crv != CKR_OK) return crv;
+	padSize = 40;
+    } else {
+	crv = pk11_doSubMD5(context);
+	if (crv != CKR_OK) return crv;
+	begin = (PK11Begin) MD5_Begin;
+	padSize = 48;
+    }
+    context->multi = PR_TRUE;
+
+    keyval = pk11_FindAttribute(key,CKA_VALUE);
+    if (keyval == NULL) return CKR_KEY_SIZE_RANGE;
+
+    context->hashUpdate(context->hashInfo,keyval->attrib.pValue,
+						 keyval->attrib.ulValueLen);
+    context->hashUpdate(context->hashInfo,ssl_pad_1,padSize);
+    sslmacinfo = (PK11SSLMACInfo *) PORT_Alloc(sizeof(PK11SSLMACInfo));
+    if (sslmacinfo == NULL) {
+        pk11_FreeAttribute(keyval);
+	return CKR_HOST_MEMORY;
+    }
+    sslmacinfo->macSize = mac_size;
+    sslmacinfo->hashContext = context->hashInfo;
+    PORT_Memcpy(sslmacinfo->key,keyval->attrib.pValue,
+					keyval->attrib.ulValueLen);
+    sslmacinfo->keySize = keyval->attrib.ulValueLen;
+    sslmacinfo->begin = begin;
+    sslmacinfo->end = context->end;
+    sslmacinfo->update = context->hashUpdate;
+    sslmacinfo->padSize = padSize;
+    pk11_FreeAttribute(keyval);
+    context->cipherInfo = (void *) sslmacinfo;
+    context->destroy = (PK11Destroy) pk11_Space;
+    context->update = (PK11Cipher) pk11_SSLMACSign;
+    context->verify = (PK11Verify) pk11_SSLMACVerify;
+    return CKR_OK;
+}
+
+typedef struct {
+    PRUint32	cxSize;		/* size of allocated block, in bytes.        */
+    PRUint32	cxKeyLen;	/* number of bytes of cxBuf containing key.  */
+    PRUint32	cxDataLen;	/* number of bytes of cxBuf containing data. */
+    SECStatus	cxRv;		/* records failure of void functions.        */
+    unsigned char cxBuf[512];	/* actual size may be larger than 512.       */
+} TLSPRFContext;
+
+static void
+pk11_TLSPRFHashUpdate(TLSPRFContext *cx, const unsigned char *data, 
+                        unsigned int data_len)
+{
+    PRUint32 bytesUsed = PK11_OFFSETOF(TLSPRFContext, cxBuf) + 
+                         cx->cxKeyLen + cx->cxDataLen;
+
+    if (cx->cxRv != SECSuccess)	/* function has previously failed. */
+    	return;
+    if (bytesUsed + data_len > cx->cxSize) {
+	/* We don't use realloc here because 
+	** (a) realloc doesn't zero out the old block, and 
+	** (b) if realloc fails, we lose the old block.
+	*/
+	PRUint32 blockSize = bytesUsed + data_len + 512;
+    	TLSPRFContext *new_cx = (TLSPRFContext *)PORT_Alloc(blockSize);
+	if (!new_cx) {
+	   cx->cxRv = SECFailure;
+	   return;
+	}
+	PORT_Memcpy(new_cx, cx, cx->cxSize);
+	new_cx->cxSize = blockSize;
+
+	PORT_ZFree(cx, cx->cxSize);
+	cx = new_cx;
+    }
+    PORT_Memcpy(cx->cxBuf + cx->cxKeyLen + cx->cxDataLen, data, data_len);
+    cx->cxDataLen += data_len;
+}
+
+static void 
+pk11_TLSPRFEnd(TLSPRFContext *ctx, unsigned char *hashout,
+	 unsigned int *pDigestLen, unsigned int maxDigestLen)
+{
+    *pDigestLen = 0; /* tells Verify that no data has been input yet. */
+}
+
+/* Compute the PRF values from the data previously input. */
+static SECStatus
+pk11_TLSPRFUpdate(TLSPRFContext *cx, 
+                  unsigned char *sig,		/* output goes here. */
+		  unsigned int * sigLen, 	/* how much output.  */
+		  unsigned int   maxLen, 	/* output buffer size */
+		  unsigned char *hash, 		/* unused. */
+		  unsigned int   hashLen)	/* unused. */
+{
+    SECStatus rv;
+    SECItem sigItem;
+    SECItem seedItem;
+    SECItem secretItem;
+
+    if (cx->cxRv != SECSuccess)
+    	return cx->cxRv;
+
+    secretItem.data = cx->cxBuf;
+    secretItem.len  = cx->cxKeyLen;
+
+    seedItem.data = cx->cxBuf + cx->cxKeyLen;
+    seedItem.len  = cx->cxDataLen;
+
+    sigItem.data = sig;
+    sigItem.len  = maxLen;
+
+    rv = pk11_PRF(&secretItem, NULL, &seedItem, &sigItem);
+    if (rv == SECSuccess && sigLen != NULL)
+    	*sigLen = sigItem.len;
+    return rv;
+
+}
+
+static SECStatus
+pk11_TLSPRFVerify(TLSPRFContext *cx, 
+                  unsigned char *sig, 		/* input, for comparison. */
+		  unsigned int   sigLen,	/* length of sig.         */
+		  unsigned char *hash, 		/* data to be verified.   */
+		  unsigned int   hashLen)	/* size of hash data.     */
+{
+    unsigned char * tmp    = (unsigned char *)PORT_Alloc(sigLen);
+    unsigned int    tmpLen = sigLen;
+    SECStatus       rv;
+
+    if (!tmp)
+    	return SECFailure;
+    if (hashLen) {
+    	/* hashLen is non-zero when the user does a one-step verify.
+	** In this case, none of the data has been input yet.
+	*/
+    	pk11_TLSPRFHashUpdate(cx, hash, hashLen);
+    }
+    rv = pk11_TLSPRFUpdate(cx, tmp, &tmpLen, sigLen, NULL, 0);
+    if (rv == SECSuccess) {
+    	rv = (SECStatus)(1 - !PORT_Memcmp(tmp, sig, sigLen));
+    }
+    PORT_ZFree(tmp, sigLen);
+    return rv;
+}
+
+static void
+pk11_TLSPRFHashDestroy(TLSPRFContext *cx, PRBool freeit)
+{
+    if (freeit)
+	PORT_ZFree(cx, cx->cxSize);
+}
+
+static CK_RV
+pk11_TLSPRFInit(PK11SessionContext *context, 
+		  PK11Object *        key, 
+		  CK_KEY_TYPE         key_type)
+{
+    PK11Attribute * keyVal;
+    TLSPRFContext * prf_cx;
+    CK_RV           crv = CKR_HOST_MEMORY;
+    PRUint32        keySize;
+    PRUint32        blockSize;
+
+    if (key_type != CKK_GENERIC_SECRET)
+    	return CKR_KEY_TYPE_INCONSISTENT; /* CKR_KEY_FUNCTION_NOT_PERMITTED */
+
+    context->multi = PR_TRUE;
+
+    keyVal = pk11_FindAttribute(key, CKA_VALUE);
+    keySize = (!keyVal) ? 0 : keyVal->attrib.ulValueLen;
+    blockSize = keySize + sizeof(TLSPRFContext);
+    prf_cx = (TLSPRFContext *)PORT_Alloc(blockSize);
+    if (!prf_cx) 
+    	goto done;
+    prf_cx->cxSize    = blockSize;
+    prf_cx->cxKeyLen  = keySize;
+    prf_cx->cxDataLen = 0;
+    prf_cx->cxRv        = SECSuccess;
+    if (keySize)
+	PORT_Memcpy(prf_cx->cxBuf, keyVal->attrib.pValue, keySize);
+
+    context->hashInfo    = (void *) prf_cx;
+    context->cipherInfo  = (void *) prf_cx;
+    context->hashUpdate  = (PK11Hash)    pk11_TLSPRFHashUpdate;
+    context->end         = (PK11End)     pk11_TLSPRFEnd;
+    context->update      = (PK11Cipher)  pk11_TLSPRFUpdate;
+    context->verify      = (PK11Verify)  pk11_TLSPRFVerify;
+    context->destroy     = (PK11Destroy) pk11_Null;
+    context->hashdestroy = (PK11Destroy) pk11_TLSPRFHashDestroy;
+    crv = CKR_OK;
+
+done:
+    if (keyVal) 
+	pk11_FreeAttribute(keyVal);
+    return crv;
+}
+
+/*
+ ************** Crypto Functions:     Sign  ************************
+ */
+
+/*
+ * Check if We're using CBCMacing and initialize the session context if we are.
+ */
+static CK_RV
+pk11_InitCBCMac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ 	CK_OBJECT_HANDLE hKey, CK_ATTRIBUTE_TYPE keyUsage,
+						 PK11ContextType contextType)
+	
+{
+    CK_MECHANISM cbc_mechanism;
+    CK_ULONG mac_bytes = PK11_INVALID_MAC_SIZE;
+    CK_RC2_CBC_PARAMS rc2_params;
+#if NSS_SOFTOKEN_DOES_RC5
+    CK_RC5_CBC_PARAMS rc5_params;
+    CK_RC5_MAC_GENERAL_PARAMS *rc5_mac;
+#endif
+    unsigned char ivBlock[PK11_MAX_BLOCK_SIZE];
+    PK11SessionContext *context;
+    CK_RV crv;
+    int blockSize;
+
+    switch (pMechanism->mechanism) {
+    case CKM_RC2_MAC_GENERAL:
+	mac_bytes = 
+	    ((CK_RC2_MAC_GENERAL_PARAMS *)pMechanism->pParameter)->ulMacLength;
+	/* fall through */
+    case CKM_RC2_MAC:
+	/* this works because ulEffectiveBits is in the same place in both the
+	 * CK_RC2_MAC_GENERAL_PARAMS and CK_RC2_CBC_PARAMS */
+	rc2_params.ulEffectiveBits = ((CK_RC2_MAC_GENERAL_PARAMS *)
+				pMechanism->pParameter)->ulEffectiveBits;
+	PORT_Memset(rc2_params.iv,0,sizeof(rc2_params.iv));
+	cbc_mechanism.mechanism = CKM_RC2_CBC;
+	cbc_mechanism.pParameter = &rc2_params;
+	cbc_mechanism.ulParameterLen = sizeof(rc2_params);
+	blockSize = 8;
+	break;
+#if NSS_SOFTOKEN_DOES_RC5
+    case CKM_RC5_MAC_GENERAL:
+	mac_bytes = 
+	    ((CK_RC5_MAC_GENERAL_PARAMS *)pMechanism->pParameter)->ulMacLength;
+	/* fall through */
+    case CKM_RC5_MAC:
+	/* this works because ulEffectiveBits is in the same place in both the
+	 * CK_RC5_MAC_GENERAL_PARAMS and CK_RC5_CBC_PARAMS */
+	rc5_mac = (CK_RC5_MAC_GENERAL_PARAMS *)pMechanism->pParameter;
+	rc5_params.ulWordsize = rc5_mac->ulWordsize;
+	rc5_params.ulRounds = rc5_mac->ulRounds;
+	rc5_params.pIv = ivBlock;
+	blockSize = rc5_mac->ulWordsize*2;
+	rc5_params.ulIvLen = blockSize;
+	PORT_Memset(ivBlock,0,blockSize);
+	cbc_mechanism.mechanism = CKM_RC5_CBC;
+	cbc_mechanism.pParameter = &rc5_params;
+	cbc_mechanism.ulParameterLen = sizeof(rc5_params);
+	break;
+#endif
+    /* add cast and idea later */
+    case CKM_DES_MAC_GENERAL:
+	mac_bytes = *(CK_ULONG *)pMechanism->pParameter;
+	/* fall through */
+    case CKM_DES_MAC:
+	blockSize = 8;
+	PORT_Memset(ivBlock,0,blockSize);
+	cbc_mechanism.mechanism = CKM_DES_CBC;
+	cbc_mechanism.pParameter = &ivBlock;
+	cbc_mechanism.ulParameterLen = blockSize;
+	break;
+    case CKM_DES3_MAC_GENERAL:
+	mac_bytes = *(CK_ULONG *)pMechanism->pParameter;
+	/* fall through */
+    case CKM_DES3_MAC:
+	blockSize = 8;
+	PORT_Memset(ivBlock,0,blockSize);
+	cbc_mechanism.mechanism = CKM_DES3_CBC;
+	cbc_mechanism.pParameter = &ivBlock;
+	cbc_mechanism.ulParameterLen = blockSize;
+	break;
+    case CKM_CDMF_MAC_GENERAL:
+	mac_bytes = *(CK_ULONG *)pMechanism->pParameter;
+	/* fall through */
+    case CKM_CDMF_MAC:
+	blockSize = 8;
+	PORT_Memset(ivBlock,0,blockSize);
+	cbc_mechanism.mechanism = CKM_CDMF_CBC;
+	cbc_mechanism.pParameter = &ivBlock;
+	cbc_mechanism.ulParameterLen = blockSize;
+	break;
+    case CKM_AES_MAC_GENERAL:
+	mac_bytes = *(CK_ULONG *)pMechanism->pParameter;
+	/* fall through */
+    case CKM_AES_MAC:
+	blockSize = 16;
+	PORT_Memset(ivBlock,0,blockSize);
+	cbc_mechanism.mechanism = CKM_AES_CBC;
+	cbc_mechanism.pParameter = &ivBlock;
+	cbc_mechanism.ulParameterLen = blockSize;
+	break;
+    default:
+	return CKR_FUNCTION_NOT_SUPPORTED;
+    }
+
+    crv = pk11_CryptInit(hSession, &cbc_mechanism, hKey, keyUsage,
+							contextType, PR_TRUE);
+    if (crv != CKR_OK) return crv;
+    crv = pk11_GetContext(hSession,&context,contextType,PR_TRUE,NULL);
+
+    /* this shouldn't happen! */
+    PORT_Assert(crv == CKR_OK);
+    if (crv != CKR_OK) return crv;
+    context->blockSize = blockSize;
+    if (mac_bytes == PK11_INVALID_MAC_SIZE) mac_bytes = blockSize/2;
+    context->macSize = mac_bytes;
+    return CKR_OK;
+}
+
+/*
+ * encode RSA PKCS #1 Signature data before signing... 
+ */
+static SECStatus
+pk11_HashSign(PK11HashSignInfo *info,unsigned char *sig,unsigned int *sigLen,
+		unsigned int maxLen,unsigned char *hash, unsigned int hashLen)
+{
+    
+    SECStatus rv = SECFailure;
+    SECItem digder;
+    PLArenaPool *arena = NULL;
+    SGNDigestInfo *di = NULL;
+
+    digder.data = NULL;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( !arena ) { goto loser; }
+    
+    /* Construct digest info */
+    di = SGN_CreateDigestInfo(info->hashOid, hash, hashLen);
+    if (!di) { goto loser; }
+
+    /* Der encode the digest as a DigestInfo */
+    rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate, di);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    /*
+    ** Encrypt signature after constructing appropriate PKCS#1 signature
+    ** block
+    */
+    rv = RSA_Sign(info->key,sig,sigLen,maxLen,digder.data,digder.len);
+
+  loser:
+    SGN_DestroyDigestInfo(di);
+    if (arena != NULL) {
+	PORT_FreeArena(arena, PR_FALSE);
+    }
+    return rv;
+}
+
+static SECStatus
+nsc_DSA_Verify_Stub(void *ctx, void *sigBuf, unsigned int sigLen,
+                               void *dataBuf, unsigned int dataLen)
+{
+    SECItem signature, digest;
+    NSSLOWKEYPublicKey *key = (NSSLOWKEYPublicKey *)ctx;
+
+    signature.data = (unsigned char *)sigBuf;
+    signature.len = sigLen;
+    digest.data = (unsigned char *)dataBuf;
+    digest.len = dataLen;
+    return DSA_VerifyDigest(&(key->u.dsa), &signature, &digest);
+}
+
+static SECStatus
+nsc_DSA_Sign_Stub(void *ctx, void *sigBuf,
+                  unsigned int *sigLen, unsigned int maxSigLen,
+                  void *dataBuf, unsigned int dataLen)
+{
+    SECItem signature = { 0 }, digest;
+    SECStatus rv;
+    NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx;
+
+    (void)SECITEM_AllocItem(NULL, &signature, maxSigLen);
+    digest.data = (unsigned char *)dataBuf;
+    digest.len = dataLen;
+    rv = DSA_SignDigest(&(key->u.dsa), &signature, &digest);
+    *sigLen = signature.len;
+    PORT_Memcpy(sigBuf, signature.data, signature.len);
+    SECITEM_FreeItem(&signature, PR_FALSE);
+    return rv;
+}
+
+/* NSC_SignInit setups up the signing operations. There are three basic
+ * types of signing:
+ *	(1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied
+ *  to data in a single Sign operation (which often looks a lot like an
+ *  encrypt, with data coming in and data going out).
+ *	(2) Hash based signing, where we continually hash the data, then apply
+ *  some sort of signature to the end.
+ *	(3) Block Encryption CBC MAC's, where the Data is encrypted with a key,
+ *  and only the final block is part of the mac.
+ *
+ *  For case number 3, we initialize a context much like the Encryption Context
+ *  (in fact we share code). We detect case 3 in C_SignUpdate, C_Sign, and 
+ *  C_Final by the following method... if it's not multi-part, and it's doesn't
+ *  have a hash context, it must be a block Encryption CBC MAC.
+ *
+ *  For case number 2, we initialize a hash structure, as well as make it 
+ *  multi-part. Updates are simple calls to the hash update function. Final
+ *  calls the hashend, then passes the result to the 'update' function (which
+ *  operates as a final signature function). In some hash based MAC'ing (as
+ *  opposed to hash base signatures), the update function is can be simply a 
+ *  copy (as is the case with HMAC).
+ */
+CK_RV NSC_SignInit(CK_SESSION_HANDLE hSession,
+		 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+    PK11Session *session;
+    PK11Object *key;
+    PK11SessionContext *context;
+    CK_KEY_TYPE key_type;
+    CK_RV crv = CKR_OK;
+    NSSLOWKEYPrivateKey *privKey;
+    PK11HashSignInfo *info = NULL;
+
+    /* Block Cipher MACing Algorithms use a different Context init method..*/
+    crv = pk11_InitCBCMac(hSession, pMechanism, hKey, CKA_SIGN, PK11_SIGN);
+    if (crv != CKR_FUNCTION_NOT_SUPPORTED) return crv;
+
+    /* we're not using a block cipher mac */
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+    crv = pk11_InitGeneric(session,&context,PK11_SIGN,&key,hKey,&key_type,
+						CKO_PRIVATE_KEY,CKA_SIGN);
+    if (crv != CKR_OK) {
+	pk11_FreeSession(session);
+	return crv;
+    }
+
+    context->multi = PR_FALSE;
+
+    switch(pMechanism->mechanism) {
+    case CKM_MD5_RSA_PKCS:
+        context->multi = PR_TRUE;
+	crv = pk11_doSubMD5(context);
+	if (crv != CKR_OK) break;
+	context->update = (PK11Cipher) pk11_HashSign;
+	info = (PK11HashSignInfo *)PORT_Alloc(sizeof(PK11HashSignInfo));
+	if (info == NULL) {
+	   crv = CKR_HOST_MEMORY;
+	   break;
+	}
+	info->hashOid = SEC_OID_MD5;
+	goto finish_rsa;
+    case CKM_MD2_RSA_PKCS:
+        context->multi = PR_TRUE;
+	crv = pk11_doSubMD2(context);
+	if (crv != CKR_OK) break;
+	context->update = (PK11Cipher) pk11_HashSign;
+	info = (PK11HashSignInfo *)PORT_Alloc(sizeof(PK11HashSignInfo));
+	if (info == NULL) {
+	   crv = CKR_HOST_MEMORY;
+	   break;
+	}
+	info->hashOid = SEC_OID_MD2;
+	goto finish_rsa;
+    case CKM_SHA1_RSA_PKCS:
+        context->multi = PR_TRUE;
+	crv = pk11_doSubSHA1(context);
+	if (crv != CKR_OK) break;
+	context->update = (PK11Cipher) pk11_HashSign;
+	info = (PK11HashSignInfo *)PORT_Alloc(sizeof(PK11HashSignInfo));
+	if (info == NULL) {
+	   crv = CKR_HOST_MEMORY;
+	   break;
+	}
+	info->hashOid = SEC_OID_SHA1;
+	goto finish_rsa;
+    case CKM_RSA_PKCS:
+	context->update = (PK11Cipher) RSA_Sign;
+	goto finish_rsa;
+    case CKM_RSA_X_509:
+	context->update = (PK11Cipher)  RSA_SignRaw;
+finish_rsa:
+	if (key_type != CKK_RSA) {
+	    if (info) PORT_Free(info);
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	context->multi = PR_FALSE;
+	privKey = pk11_GetPrivKey(key,CKK_RSA);
+	if (privKey == NULL) {
+	    if (info) PORT_Free(info);
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	/* OK, info is allocated only if we're doing hash and sign mechanism.
+	 * It's necessary to be able to set the correct OID in the final 
+	 * signature.
+	 */
+	if (info) {
+	    info->key = privKey;
+	    context->cipherInfo = info;
+	    context->destroy = (PK11Destroy)pk11_Space;
+	} else {
+	    context->cipherInfo = privKey;
+	    context->destroy = (PK11Destroy)pk11_Null;
+	}
+	break;
+
+    case CKM_DSA_SHA1:
+        context->multi = PR_TRUE;
+	crv = pk11_doSubSHA1(context);
+	if (crv != CKR_OK) break;
+	/* fall through */
+    case CKM_DSA:
+	if (key_type != CKK_DSA) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	privKey = pk11_GetPrivKey(key,CKK_DSA);
+	if (privKey == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	context->cipherInfo = privKey;
+	context->update     = (PK11Cipher) nsc_DSA_Sign_Stub;
+	context->destroy    = (privKey == key->objectInfo) ?
+		(PK11Destroy) pk11_Null:(PK11Destroy)pk11_FreePrivKey;
+
+	break;
+    case CKM_MD2_HMAC_GENERAL:
+	crv = pk11_doHMACInit(context,HASH_AlgMD2,key,
+				*(CK_ULONG *)pMechanism->pParameter);
+	break;
+    case CKM_MD2_HMAC:
+	crv = pk11_doHMACInit(context,HASH_AlgMD2,key,MD2_LENGTH);
+	break;
+    case CKM_MD5_HMAC_GENERAL:
+	crv = pk11_doHMACInit(context,HASH_AlgMD5,key,
+				*(CK_ULONG *)pMechanism->pParameter);
+	break;
+    case CKM_MD5_HMAC:
+	crv = pk11_doHMACInit(context,HASH_AlgMD5,key,MD5_LENGTH);
+	break;
+    case CKM_SHA_1_HMAC_GENERAL:
+	crv = pk11_doHMACInit(context,HASH_AlgSHA1,key,
+				*(CK_ULONG *)pMechanism->pParameter);
+	break;
+    case CKM_SHA_1_HMAC:
+	crv = pk11_doHMACInit(context,HASH_AlgSHA1,key,SHA1_LENGTH);
+	break;
+    case CKM_SSL3_MD5_MAC:
+	crv = pk11_doSSLMACInit(context,SEC_OID_MD5,key,
+					*(CK_ULONG *)pMechanism->pParameter);
+	break;
+    case CKM_SSL3_SHA1_MAC:
+	crv = pk11_doSSLMACInit(context,SEC_OID_SHA1,key,
+					*(CK_ULONG *)pMechanism->pParameter);
+	break;
+    case CKM_TLS_PRF_GENERAL:
+	crv = pk11_TLSPRFInit(context, key, key_type);
+	break;
+    default:
+	crv = CKR_MECHANISM_INVALID;
+	break;
+    }
+
+    if (crv != CKR_OK) {
+        pk11_FreeContext(context);
+	pk11_FreeSession(session);
+	return crv;
+    }
+    pk11_SetContextByType(session, PK11_SIGN, context);
+    pk11_FreeSession(session);
+    return CKR_OK;
+}
+
+
+/* MACUpdate is the common implementation for SignUpdate and VerifyUpdate.
+ * (sign and verify only very in their setup and final operations) */
+static CK_RV 
+pk11_MACUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
+    					CK_ULONG ulPartLen,PK11ContextType type)
+{
+    unsigned int outlen;
+    PK11SessionContext *context;
+    CK_RV crv;
+    SECStatus rv;
+
+    /* make sure we're legal */
+    crv = pk11_GetContext(hSession,&context,type,PR_FALSE,NULL);
+    if (crv != CKR_OK) return crv;
+
+    if (context->hashInfo) {
+	(*context->hashUpdate)(context->hashInfo, pPart, ulPartLen);
+	return CKR_OK;
+    }
+
+    /* must be block cipher macing */
+
+    /* deal with previous buffered data */
+    if (context->padDataLength != 0) {
+	int i;
+	/* fill in the padded to a full block size */
+	for (i=context->padDataLength; (ulPartLen != 0) && 
+					i < (int)context->blockSize; i++) {
+	    context->padBuf[i] = *pPart++;
+	    ulPartLen--;
+	    context->padDataLength++;
+	}
+
+	/* not enough data to encrypt yet? then return */
+	if (context->padDataLength != context->blockSize)  return CKR_OK;
+	/* encrypt the current padded data */
+    	rv = (*context->update)(context->cipherInfo,context->macBuf,&outlen,
+			PK11_MAX_BLOCK_SIZE,context->padBuf,context->blockSize);
+    	if (rv != SECSuccess) return CKR_DEVICE_ERROR;
+    }
+
+    /* save the residual */
+    context->padDataLength = ulPartLen % context->blockSize;
+    if (context->padDataLength) {
+	    PORT_Memcpy(context->padBuf,
+			&pPart[ulPartLen-context->padDataLength],
+							context->padDataLength);
+	    ulPartLen -= context->padDataLength;
+    }
+
+    /* if we've exhausted our new buffer, we're done */
+    if (ulPartLen == 0) { return CKR_OK; }
+
+    /* run the data through out encrypter */	
+    while (ulPartLen) {
+    	rv = (*context->update)(context->cipherInfo, context->padBuf, &outlen, 
+			PK11_MAX_BLOCK_SIZE, pPart, context->blockSize);
+	if (rv != SECSuccess) return CKR_DEVICE_ERROR;
+	/* paranoia.. make sure we exit the loop */
+	PORT_Assert(ulPartLen >= context->blockSize);
+	if (ulPartLen < context->blockSize) break;
+	ulPartLen -= context->blockSize;
+    }
+
+    return CKR_OK;
+	
+}
+
+/* NSC_SignUpdate continues a multiple-part signature operation,
+ * where the signature is (will be) an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+CK_RV NSC_SignUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
+    							CK_ULONG ulPartLen)
+{
+    return pk11_MACUpdate(hSession, pPart, ulPartLen, PK11_SIGN);
+}
+
+
+/* NSC_SignFinal finishes a multiple-part signature operation, 
+ * returning the signature. */
+CK_RV NSC_SignFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pSignature,
+					    CK_ULONG_PTR pulSignatureLen)
+{
+    PK11Session *session;
+    PK11SessionContext *context;
+    unsigned int outlen;
+    unsigned int digestLen;
+    unsigned int maxoutlen = *pulSignatureLen;
+    unsigned char tmpbuf[PK11_MAX_MAC_LENGTH];
+    CK_RV crv;
+    SECStatus rv = SECSuccess;
+
+    /* make sure we're legal */
+    *pulSignatureLen = 0;
+    crv = pk11_GetContext(hSession,&context,PK11_SIGN,PR_TRUE,&session);
+    if (crv != CKR_OK) return crv;
+
+    if (context->hashInfo) {
+        (*context->end)(context->hashInfo, tmpbuf, &digestLen, sizeof(tmpbuf));
+	rv = (*context->update)(context->cipherInfo, pSignature,
+					&outlen, maxoutlen, tmpbuf, digestLen);
+        *pulSignatureLen = (CK_ULONG) outlen;
+    } else {
+	/* deal with the last block if any residual */
+	if (context->padDataLength) {
+	    /* fill out rest of pad buffer with pad magic*/
+	    int i;
+	    for (i=context->padDataLength; i < (int)context->blockSize; i++) {
+		context->padBuf[i] = 0;
+	    }
+	    rv = (*context->update)(context->cipherInfo,context->macBuf,
+		&outlen,PK11_MAX_BLOCK_SIZE,context->padBuf,context->blockSize);
+	}
+	if (rv == SECSuccess) {
+	    PORT_Memcpy(pSignature,context->macBuf,context->macSize);
+	    *pulSignatureLen = context->macSize;
+	}
+    }
+
+    pk11_FreeContext(context);
+    pk11_SetContextByType(session, PK11_SIGN, NULL);
+    pk11_FreeSession(session);
+
+    return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+/* NSC_Sign signs (encrypts with private key) data in a single part,
+ * where the signature is (will be) an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+CK_RV NSC_Sign(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR pData,CK_ULONG ulDataLen,CK_BYTE_PTR pSignature,
+    					CK_ULONG_PTR pulSignatureLen)
+{
+    PK11Session *session;
+    PK11SessionContext *context;
+    unsigned int outlen;
+    unsigned int maxoutlen = *pulSignatureLen;
+    CK_RV crv,crv2;
+    SECStatus rv;
+
+    /* make sure we're legal */
+    crv = pk11_GetContext(hSession,&context,PK11_SIGN,PR_FALSE,&session);
+    if (crv != CKR_OK) return crv;
+
+    /* multi part Signing are completely implemented by SignUpdate and
+     * sign Final */
+    if (context->multi) {
+        pk11_FreeSession(session);
+	crv = NSC_SignUpdate(hSession,pData,ulDataLen);
+	if (crv != CKR_OK) *pulSignatureLen = 0;
+	crv2 = NSC_SignFinal(hSession, pSignature, pulSignatureLen);
+	return crv == CKR_OK ? crv2 :crv;
+    }
+
+    rv = (*context->update)(context->cipherInfo, pSignature,
+					&outlen, maxoutlen, pData, ulDataLen);
+    *pulSignatureLen = (CK_ULONG) outlen;
+    pk11_FreeContext(context);
+    pk11_SetContextByType(session, PK11_SIGN, NULL);
+    pk11_FreeSession(session);
+
+    return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+
+/*
+ ************** Crypto Functions:     Sign Recover  ************************
+ */
+/* NSC_SignRecoverInit initializes a signature operation,
+ * where the (digest) data can be recovered from the signature. 
+ * E.g. encryption with the user's private key */
+CK_RV NSC_SignRecoverInit(CK_SESSION_HANDLE hSession,
+			 CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey)
+{
+    switch (pMechanism->mechanism) {
+    case CKM_RSA_PKCS:
+    case CKM_RSA_X_509:
+	return NSC_SignInit(hSession,pMechanism,hKey);
+    default:
+	break;
+    }
+    return CKR_MECHANISM_INVALID;
+}
+
+
+/* NSC_SignRecover signs data in a single operation
+ * where the (digest) data can be recovered from the signature. 
+ * E.g. encryption with the user's private key */
+CK_RV NSC_SignRecover(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+  CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen)
+{
+    return NSC_Sign(hSession,pData,ulDataLen,pSignature,pulSignatureLen);
+}
+
+/*
+ ************** Crypto Functions:     verify  ************************
+ */
+
+/* Handle RSA Signature formating */
+static SECStatus
+pk11_hashCheckSign(PK11HashVerifyInfo *info, unsigned char *sig, 
+	unsigned int sigLen, unsigned char *digest, unsigned int digestLen)
+{
+
+    SECItem it;
+    SGNDigestInfo *di = NULL;
+    SECStatus rv = SECSuccess;
+    
+    it.data = NULL;
+
+    if (info->key == NULL) goto loser;
+
+    it.len = nsslowkey_PublicModulusLen(info->key); 
+    if (!it.len) goto loser;
+
+    it.data = (unsigned char *) PORT_Alloc(it.len);
+    if (it.data == NULL) goto loser;
+
+    /* decrypt the block */
+    rv = RSA_CheckSignRecover(info->key, it.data, &it.len, it.len, sig, sigLen);
+    if (rv != SECSuccess) goto loser;
+
+    di = SGN_DecodeDigestInfo(&it);
+    if (di == NULL) goto loser;
+    if (di->digest.len != digestLen)  goto loser; 
+
+    /* make sure the tag is OK */
+    if (SECOID_GetAlgorithmTag(&di->digestAlgorithm) != info->hashOid) {
+	goto loser;
+    }
+    /* Now check the signature */
+    if (PORT_Memcmp(digest, di->digest.data, di->digest.len) == 0) {
+	goto done;
+    }
+
+  loser:
+    rv = SECFailure;
+
+  done:
+    if (it.data != NULL) PORT_Free(it.data);
+    if (di != NULL) SGN_DestroyDigestInfo(di);
+    
+    return rv;
+}
+
+/* NSC_VerifyInit initializes a verification operation, 
+ * where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature (e.g. DSA) */
+CK_RV NSC_VerifyInit(CK_SESSION_HANDLE hSession,
+			   CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) 
+{
+    PK11Session *session;
+    PK11Object *key;
+    PK11SessionContext *context;
+    CK_KEY_TYPE key_type;
+    CK_RV crv = CKR_OK;
+    NSSLOWKEYPublicKey *pubKey;
+    PK11HashVerifyInfo *info = NULL;
+
+    /* Block Cipher MACing Algorithms use a different Context init method..*/
+    crv = pk11_InitCBCMac(hSession, pMechanism, hKey, CKA_VERIFY, PK11_VERIFY);
+    if (crv != CKR_FUNCTION_NOT_SUPPORTED) return crv;
+
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+    crv = pk11_InitGeneric(session,&context,PK11_VERIFY,&key,hKey,&key_type,
+						CKO_PUBLIC_KEY,CKA_VERIFY);
+    if (crv != CKR_OK) {
+	pk11_FreeSession(session);
+	return crv;
+    }
+
+    context->multi = PR_FALSE;
+
+    switch(pMechanism->mechanism) {
+    case CKM_MD5_RSA_PKCS:
+        context->multi = PR_TRUE;
+	crv = pk11_doSubMD5(context);
+	if (crv != CKR_OK) break;
+	context->verify = (PK11Verify) pk11_hashCheckSign;
+	info = (PK11HashVerifyInfo *)PORT_Alloc(sizeof(PK11HashVerifyInfo));
+	if (info == NULL) {
+	   crv = CKR_HOST_MEMORY;
+	   break;
+	}
+	info->hashOid = SEC_OID_MD5;
+	goto finish_rsa;
+    case CKM_MD2_RSA_PKCS:
+        context->multi = PR_TRUE;
+	crv = pk11_doSubMD2(context);
+	if (crv != CKR_OK) break;
+	context->verify = (PK11Verify) pk11_hashCheckSign;
+	info = (PK11HashVerifyInfo *)PORT_Alloc(sizeof(PK11HashVerifyInfo));
+	if (info == NULL) {
+	   crv = CKR_HOST_MEMORY;
+	   break;
+	}
+	info->hashOid = SEC_OID_MD2;
+	goto finish_rsa;
+    case CKM_SHA1_RSA_PKCS:
+        context->multi = PR_TRUE;
+	crv = pk11_doSubSHA1(context);
+	if (crv != CKR_OK) break;
+	context->verify = (PK11Verify) pk11_hashCheckSign;
+	info = (PK11HashVerifyInfo *)PORT_Alloc(sizeof(PK11HashVerifyInfo));
+	if (info == NULL) {
+	   crv = CKR_HOST_MEMORY;
+	   break;
+	}
+	info->hashOid = SEC_OID_SHA1;
+	goto finish_rsa;
+    case CKM_RSA_PKCS:
+	context->verify = (PK11Verify) RSA_CheckSign;
+	goto finish_rsa;
+    case CKM_RSA_X_509:
+	context->verify = (PK11Verify) RSA_CheckSignRaw;
+finish_rsa:
+	if (key_type != CKK_RSA) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	pubKey = pk11_GetPubKey(key,CKK_RSA);
+	if (pubKey == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	if (info) {
+	    info->key = pubKey;
+	    context->cipherInfo = info;
+	    context->destroy = pk11_Space;
+	} else {
+	    context->cipherInfo = pubKey;
+	    context->destroy = pk11_Null;
+	}
+	break;
+    case CKM_DSA_SHA1:
+        context->multi = PR_TRUE;
+	crv = pk11_doSubSHA1(context);
+	if (crv != CKR_OK) break;
+	/* fall through */
+    case CKM_DSA:
+	if (key_type != CKK_DSA) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	context->multi = PR_FALSE;
+	pubKey = pk11_GetPubKey(key,CKK_DSA);
+	if (pubKey == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	context->cipherInfo = pubKey;
+	context->verify     = (PK11Verify) nsc_DSA_Verify_Stub;
+	context->destroy    = pk11_Null;
+	break;
+
+    case CKM_MD2_HMAC_GENERAL:
+	crv = pk11_doHMACInit(context,HASH_AlgMD2,key,
+				*(CK_ULONG *)pMechanism->pParameter);
+	break;
+    case CKM_MD2_HMAC:
+	crv = pk11_doHMACInit(context,HASH_AlgMD2,key,MD2_LENGTH);
+	break;
+    case CKM_MD5_HMAC_GENERAL:
+	crv = pk11_doHMACInit(context,HASH_AlgMD5,key,
+				*(CK_ULONG *)pMechanism->pParameter);
+	break;
+    case CKM_MD5_HMAC:
+	crv = pk11_doHMACInit(context,HASH_AlgMD5,key,MD5_LENGTH);
+	break;
+    case CKM_SHA_1_HMAC_GENERAL:
+	crv = pk11_doHMACInit(context,HASH_AlgSHA1,key,
+				*(CK_ULONG *)pMechanism->pParameter);
+	break;
+    case CKM_SHA_1_HMAC:
+	crv = pk11_doHMACInit(context,HASH_AlgSHA1,key,SHA1_LENGTH);
+	break;
+    case CKM_SSL3_MD5_MAC:
+	crv = pk11_doSSLMACInit(context,SEC_OID_MD5,key,
+					*(CK_ULONG *)pMechanism->pParameter);
+	break;
+    case CKM_SSL3_SHA1_MAC:
+	crv = pk11_doSSLMACInit(context,SEC_OID_SHA1,key,
+					*(CK_ULONG *)pMechanism->pParameter);
+	break;
+    case CKM_TLS_PRF_GENERAL:
+	crv = pk11_TLSPRFInit(context, key, key_type);
+
+    default:
+	crv = CKR_MECHANISM_INVALID;
+	break;
+    }
+
+    if (crv != CKR_OK) {
+        PORT_Free(context);
+	pk11_FreeSession(session);
+	return crv;
+    }
+    pk11_SetContextByType(session, PK11_VERIFY, context);
+    pk11_FreeSession(session);
+    return CKR_OK;
+}
+
+/* NSC_Verify verifies a signature in a single-part operation, 
+ * where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+CK_RV NSC_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+    CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen)
+{
+    PK11Session *session;
+    PK11SessionContext *context;
+    CK_RV crv;
+    SECStatus rv;
+
+    /* make sure we're legal */
+    crv = pk11_GetContext(hSession,&context,PK11_VERIFY,PR_FALSE,&session);
+    if (crv != CKR_OK) return crv;
+
+    rv = (*context->verify)(context->cipherInfo,pSignature, ulSignatureLen,
+							 pData, ulDataLen);
+    pk11_FreeContext(context);
+    pk11_SetContextByType(session, PK11_VERIFY, NULL);
+    pk11_FreeSession(session);
+
+    return (rv == SECSuccess) ? CKR_OK : CKR_SIGNATURE_INVALID;
+
+}
+
+
+/* NSC_VerifyUpdate continues a multiple-part verification operation, 
+ * where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature */
+CK_RV NSC_VerifyUpdate( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+						CK_ULONG ulPartLen)
+{
+    return pk11_MACUpdate(hSession, pPart, ulPartLen, PK11_VERIFY);
+}
+
+
+/* NSC_VerifyFinal finishes a multiple-part verification operation, 
+ * checking the signature. */
+CK_RV NSC_VerifyFinal(CK_SESSION_HANDLE hSession,
+			CK_BYTE_PTR pSignature,CK_ULONG ulSignatureLen)
+{
+    PK11Session *session;
+    PK11SessionContext *context;
+    unsigned int outlen;
+    unsigned int digestLen;
+    unsigned char tmpbuf[PK11_MAX_MAC_LENGTH];
+    CK_RV crv;
+    SECStatus rv = SECSuccess;
+
+    /* make sure we're legal */
+    crv = pk11_GetContext(hSession,&context,PK11_VERIFY,PR_TRUE,&session);
+    if (crv != CKR_OK) return crv;
+
+    if (context->hashInfo) {
+        (*context->end)(context->hashInfo, tmpbuf, &digestLen, sizeof(tmpbuf));
+	rv = (*context->verify)(context->cipherInfo, pSignature, 
+					ulSignatureLen, tmpbuf, digestLen);
+    } else {
+	if (context->padDataLength) {
+	    /* fill out rest of pad buffer with pad magic*/
+	    int i;
+	    for (i=context->padDataLength; i < (int)context->blockSize; i++) {
+		context->padBuf[i] = 0;
+	    }
+	    rv = (*context->update)(context->cipherInfo,context->macBuf, 
+		&outlen,PK11_MAX_BLOCK_SIZE,context->padBuf,context->blockSize);
+	}
+	if (rv == SECSuccess) {
+	    rv =(PORT_Memcmp(pSignature,context->macBuf,context->macSize) == 0)
+				 ? SECSuccess : SECFailure;
+	}
+    }
+
+    pk11_FreeContext(context);
+    pk11_SetContextByType(session, PK11_VERIFY, NULL);
+    pk11_FreeSession(session);
+    return (rv == SECSuccess) ? CKR_OK : CKR_SIGNATURE_INVALID;
+
+}
+
+/*
+ ************** Crypto Functions:     Verify  Recover ************************
+ */
+
+/* NSC_VerifyRecoverInit initializes a signature verification operation, 
+ * where the data is recovered from the signature. 
+ * E.g. Decryption with the user's public key */
+CK_RV NSC_VerifyRecoverInit(CK_SESSION_HANDLE hSession,
+			CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey)
+{
+    PK11Session *session;
+    PK11Object *key;
+    PK11SessionContext *context;
+    CK_KEY_TYPE key_type;
+    CK_RV crv = CKR_OK;
+    NSSLOWKEYPublicKey *pubKey;
+
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+    crv = pk11_InitGeneric(session,&context,PK11_VERIFY_RECOVER,
+			&key,hKey,&key_type,CKO_PUBLIC_KEY,CKA_VERIFY_RECOVER);
+    if (crv != CKR_OK) {
+	pk11_FreeSession(session);
+	return crv;
+    }
+
+    context->multi = PR_TRUE;
+
+    switch(pMechanism->mechanism) {
+    case CKM_RSA_PKCS:
+    case CKM_RSA_X_509:
+	if (key_type != CKK_RSA) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	context->multi = PR_FALSE;
+	pubKey = pk11_GetPubKey(key,CKK_RSA);
+	if (pubKey == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	context->cipherInfo = pubKey;
+	context->update = (PK11Cipher) (pMechanism->mechanism == CKM_RSA_X_509
+			? RSA_CheckSignRecoverRaw : RSA_CheckSignRecover);
+	context->destroy = pk11_Null;
+	break;
+    default:
+	crv = CKR_MECHANISM_INVALID;
+	break;
+    }
+
+    if (crv != CKR_OK) {
+        PORT_Free(context);
+	pk11_FreeSession(session);
+	return crv;
+    }
+    pk11_SetContextByType(session, PK11_VERIFY_RECOVER, context);
+    pk11_FreeSession(session);
+    return CKR_OK;
+}
+
+
+/* NSC_VerifyRecover verifies a signature in a single-part operation, 
+ * where the data is recovered from the signature. 
+ * E.g. Decryption with the user's public key */
+CK_RV NSC_VerifyRecover(CK_SESSION_HANDLE hSession,
+		 CK_BYTE_PTR pSignature,CK_ULONG ulSignatureLen,
+    				CK_BYTE_PTR pData,CK_ULONG_PTR pulDataLen)
+{
+    PK11Session *session;
+    PK11SessionContext *context;
+    unsigned int outlen;
+    unsigned int maxoutlen = *pulDataLen;
+    CK_RV crv;
+    SECStatus rv;
+
+    /* make sure we're legal */
+    crv = pk11_GetContext(hSession,&context,PK11_VERIFY_RECOVER,
+							PR_FALSE,&session);
+    if (crv != CKR_OK) return crv;
+
+    rv = (*context->update)(context->cipherInfo, pData, &outlen, maxoutlen, 
+						pSignature, ulSignatureLen);
+    *pulDataLen = (CK_ULONG) outlen;
+    pk11_FreeContext(context);
+    pk11_SetContextByType(session, PK11_VERIFY_RECOVER, NULL);
+    pk11_FreeSession(session);
+    return (rv == SECSuccess)  ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+/*
+ **************************** Random Functions:  ************************
+ */
+
+/* NSC_SeedRandom mixes additional seed material into the token's random number 
+ * generator. */
+CK_RV NSC_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
+    CK_ULONG ulSeedLen) 
+{
+    SECStatus rv;
+
+    rv = RNG_RandomUpdate(pSeed, ulSeedLen);
+    return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+/* NSC_GenerateRandom generates random data. */
+CK_RV NSC_GenerateRandom(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR	pRandomData, CK_ULONG ulRandomLen)
+{
+    SECStatus rv;
+
+    rv = RNG_GenerateGlobalRandomBytes(pRandomData, ulRandomLen);
+    return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+/*
+ **************************** Key Functions:  ************************
+ */
+
+
+/*
+ * generate a password based encryption key. This code uses
+ * PKCS5 to do the work.
+ */
+static CK_RV
+nsc_pbe_key_gen(NSSPKCS5PBEParameter *pkcs5_pbe, CK_MECHANISM_PTR pMechanism,
+			char *buf, CK_ULONG *key_length, PRBool faulty3DES)
+{
+    SECItem *pbe_key = NULL, iv, pwitem;
+    CK_PBE_PARAMS *pbe_params = NULL;
+
+    *key_length = 0;
+    iv.data = NULL; iv.len = 0;
+
+    pbe_params = (CK_PBE_PARAMS *)pMechanism->pParameter;
+
+    pwitem.data = (unsigned char *)pbe_params->pPassword;
+    pwitem.len = (unsigned int)pbe_params->ulPasswordLen;
+    pbe_key = nsspkcs5_ComputeKeyAndIV(pkcs5_pbe, &pwitem, &iv, faulty3DES);
+    if (pbe_key == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+
+    PORT_Memcpy(buf, pbe_key->data, pbe_key->len);
+    *key_length = pbe_key->len;
+    SECITEM_ZfreeItem(pbe_key, PR_TRUE);
+    pbe_key = NULL;
+
+    if (iv.data && pbe_params->pInitVector != NULL) {
+	PORT_Memcpy(pbe_params->pInitVector, iv.data, iv.len);
+    }
+    return CKR_OK;
+}
+static CK_RV
+nsc_parameter_gen(CK_KEY_TYPE key_type, PK11Object *key)
+{
+    PK11Attribute *attribute;
+    CK_ULONG counter;
+    unsigned int seedBits = 0;
+    unsigned int primeBits;
+    CK_RV crv = CKR_OK;
+    PQGParams *params = NULL;
+    PQGVerify *vfy = NULL;
+    SECStatus rv;
+
+    attribute = pk11_FindAttribute(key, CKA_PRIME_BITS);
+    if (attribute == NULL) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+    primeBits = (unsigned int) *(CK_ULONG *)attribute->attrib.pValue;
+    pk11_FreeAttribute(attribute);
+
+    attribute = pk11_FindAttribute(key, CKA_NETSCAPE_PQG_SEED_BITS);
+    if (attribute != NULL) {
+	seedBits = (unsigned int) *(CK_ULONG *)attribute->attrib.pValue;
+	pk11_FreeAttribute(attribute);
+    }
+
+    pk11_DeleteAttributeType(key,CKA_PRIME_BITS);
+    pk11_DeleteAttributeType(key,CKA_NETSCAPE_PQG_SEED_BITS);
+
+    if (seedBits == 0) {
+	rv = PQG_ParamGen(primeBits, &params, &vfy);
+    } else {
+	rv = PQG_ParamGenSeedLen(primeBits,seedBits/8, &params, &vfy);
+    }
+
+    if (rv != SECSuccess) {
+	return CKR_DEVICE_ERROR;
+    }
+    crv = pk11_AddAttributeType(key,CKA_PRIME,
+				 params->prime.data, params->prime.len);
+    if (crv != CKR_OK) goto loser;
+    crv = pk11_AddAttributeType(key,CKA_SUBPRIME,
+				 params->subPrime.data, params->subPrime.len);
+    if (crv != CKR_OK) goto loser;
+    crv = pk11_AddAttributeType(key,CKA_BASE,
+				 params->base.data, params->base.len);
+    if (crv != CKR_OK) goto loser;
+    counter = vfy->counter;
+    crv = pk11_AddAttributeType(key,CKA_NETSCAPE_PQG_COUNTER,
+				 &counter, sizeof(counter));
+    crv = pk11_AddAttributeType(key,CKA_NETSCAPE_PQG_SEED,
+				 vfy->seed.data, vfy->seed.len);
+    if (crv != CKR_OK) goto loser;
+    crv = pk11_AddAttributeType(key,CKA_NETSCAPE_PQG_H,
+				 vfy->h.data, vfy->h.len);
+    if (crv != CKR_OK) goto loser;
+
+loser:
+    if (params) {
+	PQG_DestroyParams(params);
+    }
+    if (vfy) {
+	PQG_DestroyVerify(vfy);
+    }
+    return crv;
+}
+
+    
+
+    
+
+
+
+static CK_RV
+nsc_SetupBulkKeyGen(CK_MECHANISM_TYPE mechanism, CK_KEY_TYPE *key_type,
+							CK_ULONG *key_length)
+{
+    CK_RV crv = CKR_OK;
+
+    switch (mechanism) {
+    case CKM_RC2_KEY_GEN:
+	*key_type = CKK_RC2;
+	if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
+	break;
+#if NSS_SOFTOKEN_DOES_RC5
+    case CKM_RC5_KEY_GEN:
+	*key_type = CKK_RC5;
+	if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
+	break;
+#endif
+    case CKM_RC4_KEY_GEN:
+	*key_type = CKK_RC4;
+	if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
+	break;
+    case CKM_GENERIC_SECRET_KEY_GEN:
+	*key_type = CKK_GENERIC_SECRET;
+	if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
+	break;
+    case CKM_CDMF_KEY_GEN:
+	*key_type = CKK_CDMF;
+	*key_length = 8;
+	break;
+    case CKM_DES_KEY_GEN:
+	*key_type = CKK_DES;
+	*key_length = 8;
+	break;
+    case CKM_DES2_KEY_GEN:
+	*key_type = CKK_DES2;
+	*key_length = 16;
+	break;
+    case CKM_DES3_KEY_GEN:
+	*key_type = CKK_DES3;
+	*key_length = 24;
+	break;
+    case CKM_AES_KEY_GEN:
+	*key_type = CKK_AES;
+	if (*key_length == 0) crv = CKR_TEMPLATE_INCOMPLETE;
+	break;
+    default:
+	PORT_Assert(0);
+	crv = CKR_MECHANISM_INVALID;
+	break;
+    }
+
+    return crv;
+}
+
+CK_RV
+nsc_SetupHMACKeyGen(CK_MECHANISM_PTR pMechanism, NSSPKCS5PBEParameter **pbe)
+{
+    SECItem  salt;
+    CK_PBE_PARAMS *pbe_params = NULL;
+    NSSPKCS5PBEParameter *params;
+    PRArenaPool *arena = NULL;
+    SECStatus rv;
+
+    *pbe = NULL;
+
+    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if (arena == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+
+    params = (NSSPKCS5PBEParameter *) PORT_ArenaZAlloc(arena,
+				sizeof(NSSPKCS5PBEParameter));
+    if (params == NULL) {
+	PORT_FreeArena(arena,PR_TRUE);
+	return CKR_HOST_MEMORY;
+    }
+
+    params->poolp = arena;
+    params->ivLen = 0;
+    params->pbeType = NSSPKCS5_PKCS12_V2;
+    params->hashType = HASH_AlgSHA1;
+    params->encAlg = SEC_OID_SHA1; /* any invalid value */
+    params->is2KeyDES = PR_FALSE;
+    params->keyID = pbeBitGenIntegrityKey;
+    pbe_params = (CK_PBE_PARAMS *)pMechanism->pParameter;
+    params->iter = pbe_params->ulIteration;
+
+    salt.data = (unsigned char *)pbe_params->pSalt;
+    salt.len = (unsigned int)pbe_params->ulSaltLen;
+    rv = SECITEM_CopyItem(arena,&params->salt,&salt);
+    if (rv != SECSuccess) {
+	PORT_FreeArena(arena,PR_TRUE);
+	return CKR_HOST_MEMORY;
+    }
+    switch (pMechanism->mechanism) {
+    case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN:
+    case CKM_PBA_SHA1_WITH_SHA1_HMAC:
+	params->hashType = HASH_AlgSHA1; 
+	params->keyLen = 20;
+	break;
+    case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN:
+	params->hashType = HASH_AlgMD5; 
+	params->keyLen = 16;
+	break;
+    case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN:
+	params->hashType = HASH_AlgMD2; 
+	params->keyLen = 16;
+	break;
+    default:
+	PORT_FreeArena(arena,PR_TRUE);
+	return CKR_MECHANISM_INVALID;
+    }
+    *pbe = params;
+    return CKR_OK;
+}
+/* maybe this should be table driven? */
+static CK_RV
+nsc_SetupPBEKeyGen(CK_MECHANISM_PTR pMechanism, NSSPKCS5PBEParameter  **pbe,
+							CK_KEY_TYPE *key_type)
+{
+    CK_RV crv = CKR_OK;
+    SECOidData *oid;
+    CK_PBE_PARAMS *pbe_params;
+    NSSPKCS5PBEParameter *params;
+    SECItem salt;
+
+    *pbe = NULL;
+
+    oid = SECOID_FindOIDByMechanism(pMechanism->mechanism);
+    if (oid == NULL) {
+	return CKR_MECHANISM_INVALID;
+    }
+
+    pbe_params = (CK_PBE_PARAMS *)pMechanism->pParameter;
+    salt.data = (unsigned char *)pbe_params->pSalt;
+    salt.len = (unsigned int)pbe_params->ulSaltLen;
+
+    params=nsspkcs5_NewParam(oid->offset, &salt, pbe_params->ulIteration);
+    if (params == NULL) {
+	return CKR_MECHANISM_INVALID;
+    }
+
+
+    switch (params->encAlg) {
+    case SEC_OID_DES_CBC:
+	*key_type = CKK_DES;
+	break;
+    case SEC_OID_DES_EDE3_CBC:
+	*key_type = params->is2KeyDES ? CKK_DES2 : CKK_DES3;
+	break;
+    case SEC_OID_RC2_CBC:
+	*key_type = CKK_RC2;
+	break;
+    case SEC_OID_RC4:
+	*key_type = CKK_RC4;
+	break;
+    default:
+	crv = CKR_MECHANISM_INVALID;
+	nsspkcs5_DestroyPBEParameter(params);
+	break;
+    }
+    if (crv == CKR_OK) {
+    	*pbe = params;
+    }
+    return crv;
+}
+
+/* NSC_GenerateKey generates a secret key, creating a new key object. */
+CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount,
+    						CK_OBJECT_HANDLE_PTR phKey)
+{
+    PK11Object *key;
+    PK11Session *session;
+    PRBool checkWeak = PR_FALSE;
+    CK_ULONG key_length = 0;
+    CK_KEY_TYPE key_type = CKK_INVALID_KEY_TYPE;
+    CK_OBJECT_CLASS objclass = CKO_SECRET_KEY;
+    CK_RV crv = CKR_OK;
+    CK_BBOOL cktrue = CK_TRUE;
+    int i;
+    PK11Slot *slot = pk11_SlotFromSessionHandle(hSession);
+    char buf[MAX_KEY_LEN];
+    enum {nsc_pbe, nsc_ssl, nsc_bulk, nsc_param} key_gen_type;
+    NSSPKCS5PBEParameter *pbe_param;
+    SSL3RSAPreMasterSecret *rsa_pms;
+    CK_VERSION *version;
+    /* in very old versions of NSS, there were implementation errors with key 
+     * generation methods.  We want to beable to read these, but not 
+     * produce them any more.  The affected algorithm was 3DES.
+     */
+    PRBool faultyPBE3DES = PR_FALSE;
+
+
+    /*
+     * now lets create an object to hang the attributes off of
+     */
+    key = pk11_NewObject(slot); /* fill in the handle later */
+    if (key == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+
+    /*
+     * load the template values into the object
+     */
+    for (i=0; i < (int) ulCount; i++) {
+	if (pTemplate[i].type == CKA_VALUE_LEN) {
+	    key_length = *(CK_ULONG *)pTemplate[i].pValue;
+	    continue;
+	}
+
+	crv = pk11_AddAttributeType(key,pk11_attr_expand(&pTemplate[i]));
+	if (crv != CKR_OK) break;
+    }
+    if (crv != CKR_OK) {
+	pk11_FreeObject(key);
+	return crv;
+    }
+
+    /* make sure we don't have any class, key_type, or value fields */
+    pk11_DeleteAttributeType(key,CKA_CLASS);
+    pk11_DeleteAttributeType(key,CKA_KEY_TYPE);
+    pk11_DeleteAttributeType(key,CKA_VALUE);
+
+    /* Now Set up the parameters to generate the key (based on mechanism) */
+    key_gen_type = nsc_bulk; /* bulk key by default */
+    switch (pMechanism->mechanism) {
+    case CKM_CDMF_KEY_GEN:
+    case CKM_DES_KEY_GEN:
+    case CKM_DES2_KEY_GEN:
+    case CKM_DES3_KEY_GEN:
+	checkWeak = PR_TRUE;
+    case CKM_RC2_KEY_GEN:
+    case CKM_RC4_KEY_GEN:
+    case CKM_GENERIC_SECRET_KEY_GEN:
+    case CKM_AES_KEY_GEN:
+#if NSS_SOFTOKEN_DOES_RC5
+    case CKM_RC5_KEY_GEN:
+#endif
+	crv = nsc_SetupBulkKeyGen(pMechanism->mechanism,&key_type,&key_length);
+	break;
+    case CKM_SSL3_PRE_MASTER_KEY_GEN:
+	key_type = CKK_GENERIC_SECRET;
+	key_length = 48;
+	key_gen_type = nsc_ssl;
+	break;
+    case CKM_PBA_SHA1_WITH_SHA1_HMAC:
+    case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN:
+    case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN:
+    case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN:
+	key_gen_type = nsc_pbe;
+	key_type = CKK_GENERIC_SECRET;
+	crv = nsc_SetupHMACKeyGen(pMechanism, &pbe_param);
+	break;
+    case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
+	faultyPBE3DES = PR_TRUE;
+    case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
+    case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
+    case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
+    case CKM_PBE_SHA1_DES3_EDE_CBC:
+    case CKM_PBE_SHA1_DES2_EDE_CBC:
+    case CKM_PBE_SHA1_RC2_128_CBC:
+    case CKM_PBE_SHA1_RC2_40_CBC:
+    case CKM_PBE_SHA1_RC4_128:
+    case CKM_PBE_SHA1_RC4_40:
+    case CKM_PBE_MD5_DES_CBC:
+    case CKM_PBE_MD2_DES_CBC:
+	key_gen_type = nsc_pbe;
+	crv = nsc_SetupPBEKeyGen(pMechanism,&pbe_param, &key_type);
+	break;
+    case CKM_DSA_PARAMETER_GEN:
+	key_gen_type = nsc_param;
+	key_type = CKK_DSA;
+	objclass = CKO_KG_PARAMETERS;
+	crv = CKR_OK;
+	break;
+    default:
+	crv = CKR_MECHANISM_INVALID;
+	break;
+    }
+
+    /* make sure we aren't going to overflow the buffer */
+    if (sizeof(buf) < key_length) {
+	/* someone is getting pretty optimistic about how big their key can
+	 * be... */
+        crv = CKR_TEMPLATE_INCONSISTENT;
+    }
+
+    if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
+
+    /* if there was no error,
+     * key_type *MUST* be set in the switch statement above */
+    PORT_Assert( key_type != CKK_INVALID_KEY_TYPE );
+
+    /*
+     * now to the actual key gen.
+     */
+    switch (key_gen_type) {
+    case nsc_pbe:
+	crv = nsc_pbe_key_gen(pbe_param, pMechanism, buf, &key_length,
+			       faultyPBE3DES);
+	nsspkcs5_DestroyPBEParameter(pbe_param);
+	break;
+    case nsc_ssl:
+	rsa_pms = (SSL3RSAPreMasterSecret *)buf;
+	version = (CK_VERSION *)pMechanism->pParameter;
+	rsa_pms->client_version[0] = version->major;
+        rsa_pms->client_version[1] = version->minor;
+        crv = 
+	    NSC_GenerateRandom(0,&rsa_pms->random[0], sizeof(rsa_pms->random));
+	break;
+    case nsc_bulk:
+	/* get the key, check for weak keys and repeat if found */
+	do {
+            crv = NSC_GenerateRandom(0, (unsigned char *)buf, key_length);
+	} while (crv == CKR_OK && checkWeak && 
+			pk11_IsWeakKey((unsigned char *)buf,key_type));
+	break;
+    case nsc_param:
+	/* generate parameters */
+	*buf = 0;
+	crv = nsc_parameter_gen(key_type,key);
+	break;
+    }
+
+    if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
+
+    /* Add the class, key_type, and value */
+    crv = pk11_AddAttributeType(key,CKA_CLASS,&objclass,sizeof(CK_OBJECT_CLASS));
+    if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
+    crv = pk11_AddAttributeType(key,CKA_KEY_TYPE,&key_type,sizeof(CK_KEY_TYPE));
+    if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
+    if (key_length != 0) {
+	crv = pk11_AddAttributeType(key,CKA_VALUE,buf,key_length);
+	if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
+    }
+
+    /* get the session */
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) {
+	pk11_FreeObject(key);
+        return CKR_SESSION_HANDLE_INVALID;
+    }
+
+    /*
+     * handle the base object stuff
+     */
+    crv = pk11_handleObject(key,session);
+    pk11_FreeSession(session);
+    if (pk11_isTrue(key,CKA_SENSITIVE)) {
+	pk11_forceAttribute(key,CKA_ALWAYS_SENSITIVE,&cktrue,sizeof(CK_BBOOL));
+    }
+    if (!pk11_isTrue(key,CKA_EXTRACTABLE)) {
+	pk11_forceAttribute(key,CKA_NEVER_EXTRACTABLE,&cktrue,sizeof(CK_BBOOL));
+    }
+
+    *phKey = key->handle;
+    pk11_FreeObject(key);
+    return crv;
+}
+
+
+
+/* NSC_GenerateKeyPair generates a public-key/private-key pair, 
+ * creating new key objects. */
+CK_RV NSC_GenerateKeyPair (CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+    CK_ULONG ulPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+    CK_ULONG ulPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPrivateKey,
+    					CK_OBJECT_HANDLE_PTR phPublicKey)
+{
+    PK11Object *	publicKey,*privateKey;
+    PK11Session *	session;
+    CK_KEY_TYPE 	key_type;
+    CK_RV 		crv 	= CKR_OK;
+    CK_BBOOL 		cktrue 	= CK_TRUE;
+    SECStatus 		rv;
+    CK_OBJECT_CLASS 	pubClass = CKO_PUBLIC_KEY;
+    CK_OBJECT_CLASS 	privClass = CKO_PRIVATE_KEY;
+    int 		i;
+    PK11Slot *		slot 	= pk11_SlotFromSessionHandle(hSession);
+
+    /* RSA */
+    int 		public_modulus_bits = 0;
+    SECItem 		pubExp;
+    RSAPrivateKey *	rsaPriv;
+
+    /* DSA */
+    PQGParams 		pqgParam;
+    DHParams  		dhParam;
+    DSAPrivateKey *	dsaPriv;
+
+    /* Diffie Hellman */
+    int 		private_value_bits = 0;
+    DHPrivateKey *	dhPriv;
+
+    /*
+     * now lets create an object to hang the attributes off of
+     */
+    publicKey = pk11_NewObject(slot); /* fill in the handle later */
+    if (publicKey == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+
+    /*
+     * load the template values into the publicKey
+     */
+    for (i=0; i < (int) ulPublicKeyAttributeCount; i++) {
+	if (pPublicKeyTemplate[i].type == CKA_MODULUS_BITS) {
+	    public_modulus_bits = *(CK_ULONG *)pPublicKeyTemplate[i].pValue;
+	    continue;
+	}
+
+	crv = pk11_AddAttributeType(publicKey,
+				    pk11_attr_expand(&pPublicKeyTemplate[i]));
+	if (crv != CKR_OK) break;
+    }
+
+    if (crv != CKR_OK) {
+	pk11_FreeObject(publicKey);
+	return CKR_HOST_MEMORY;
+    }
+
+    privateKey = pk11_NewObject(slot); /* fill in the handle later */
+    if (privateKey == NULL) {
+	pk11_FreeObject(publicKey);
+	return CKR_HOST_MEMORY;
+    }
+    /*
+     * now load the private key template
+     */
+    for (i=0; i < (int) ulPrivateKeyAttributeCount; i++) {
+	if (pPrivateKeyTemplate[i].type == CKA_VALUE_BITS) {
+	    private_value_bits = *(CK_ULONG *)pPrivateKeyTemplate[i].pValue;
+	    continue;
+	}
+
+	crv = pk11_AddAttributeType(privateKey,
+				    pk11_attr_expand(&pPrivateKeyTemplate[i]));
+	if (crv != CKR_OK) break;
+    }
+
+    if (crv != CKR_OK) {
+	pk11_FreeObject(publicKey);
+	pk11_FreeObject(privateKey);
+	return CKR_HOST_MEMORY;
+    }
+    pk11_DeleteAttributeType(privateKey,CKA_CLASS);
+    pk11_DeleteAttributeType(privateKey,CKA_KEY_TYPE);
+    pk11_DeleteAttributeType(privateKey,CKA_VALUE);
+    pk11_DeleteAttributeType(publicKey,CKA_CLASS);
+    pk11_DeleteAttributeType(publicKey,CKA_KEY_TYPE);
+    pk11_DeleteAttributeType(publicKey,CKA_VALUE);
+
+    /* Now Set up the parameters to generate the key (based on mechanism) */
+    switch (pMechanism->mechanism) {
+    case CKM_RSA_PKCS_KEY_PAIR_GEN:
+	/* format the keys */
+    	pk11_DeleteAttributeType(publicKey,CKA_MODULUS);
+    	pk11_DeleteAttributeType(privateKey,CKA_NETSCAPE_DB);
+    	pk11_DeleteAttributeType(privateKey,CKA_MODULUS);
+    	pk11_DeleteAttributeType(privateKey,CKA_PRIVATE_EXPONENT);
+    	pk11_DeleteAttributeType(privateKey,CKA_PUBLIC_EXPONENT);
+    	pk11_DeleteAttributeType(privateKey,CKA_PRIME_1);
+    	pk11_DeleteAttributeType(privateKey,CKA_PRIME_2);
+    	pk11_DeleteAttributeType(privateKey,CKA_EXPONENT_1);
+    	pk11_DeleteAttributeType(privateKey,CKA_EXPONENT_2);
+    	pk11_DeleteAttributeType(privateKey,CKA_COEFFICIENT);
+	key_type = CKK_RSA;
+	if (public_modulus_bits == 0) {
+	    crv = CKR_TEMPLATE_INCOMPLETE;
+	    break;
+	}
+
+	/* extract the exponent */
+	crv=pk11_Attribute2SSecItem(NULL,&pubExp,publicKey,CKA_PUBLIC_EXPONENT);
+	if (crv != CKR_OK) break;
+        crv = pk11_AddAttributeType(privateKey,CKA_PUBLIC_EXPONENT,
+				    		    pk11_item_expand(&pubExp));
+	if (crv != CKR_OK) {
+	    PORT_Free(pubExp.data);
+	    break;
+	}
+
+	rsaPriv = RSA_NewKey(public_modulus_bits, &pubExp);
+	PORT_Free(pubExp.data);
+	if (rsaPriv == NULL) {
+	    crv = CKR_DEVICE_ERROR;
+	    break;
+	}
+        /* now fill in the RSA dependent paramenters in the public key */
+        crv = pk11_AddAttributeType(publicKey,CKA_MODULUS,
+			   pk11_item_expand(&rsaPriv->modulus));
+	if (crv != CKR_OK) goto kpg_done;
+        /* now fill in the RSA dependent paramenters in the private key */
+        crv = pk11_AddAttributeType(privateKey,CKA_NETSCAPE_DB,
+			   pk11_item_expand(&rsaPriv->modulus));
+	if (crv != CKR_OK) goto kpg_done;
+        crv = pk11_AddAttributeType(privateKey,CKA_MODULUS,
+			   pk11_item_expand(&rsaPriv->modulus));
+	if (crv != CKR_OK) goto kpg_done;
+        crv = pk11_AddAttributeType(privateKey,CKA_PRIVATE_EXPONENT,
+			   pk11_item_expand(&rsaPriv->privateExponent));
+	if (crv != CKR_OK) goto kpg_done;
+        crv = pk11_AddAttributeType(privateKey,CKA_PRIME_1,
+			   pk11_item_expand(&rsaPriv->prime1));
+	if (crv != CKR_OK) goto kpg_done;
+        crv = pk11_AddAttributeType(privateKey,CKA_PRIME_2,
+			   pk11_item_expand(&rsaPriv->prime2));
+	if (crv != CKR_OK) goto kpg_done;
+        crv = pk11_AddAttributeType(privateKey,CKA_EXPONENT_1,
+			   pk11_item_expand(&rsaPriv->exponent1));
+	if (crv != CKR_OK) goto kpg_done;
+        crv = pk11_AddAttributeType(privateKey,CKA_EXPONENT_2,
+			   pk11_item_expand(&rsaPriv->exponent2));
+	if (crv != CKR_OK) goto kpg_done;
+        crv = pk11_AddAttributeType(privateKey,CKA_COEFFICIENT,
+			   pk11_item_expand(&rsaPriv->coefficient));
+kpg_done:
+	/* Should zeroize the contents first, since this func doesn't. */
+	PORT_FreeArena(rsaPriv->arena, PR_TRUE);
+	break;
+    case CKM_DSA_KEY_PAIR_GEN:
+    	pk11_DeleteAttributeType(publicKey,CKA_VALUE);
+    	pk11_DeleteAttributeType(privateKey,CKA_NETSCAPE_DB);
+	pk11_DeleteAttributeType(privateKey,CKA_PRIME);
+	pk11_DeleteAttributeType(privateKey,CKA_SUBPRIME);
+	pk11_DeleteAttributeType(privateKey,CKA_BASE);
+	key_type = CKK_DSA;
+
+	/* extract the necessary paramters and copy them to the private key */
+	crv=pk11_Attribute2SSecItem(NULL,&pqgParam.prime,publicKey,CKA_PRIME);
+	if (crv != CKR_OK) break;
+	crv=pk11_Attribute2SSecItem(NULL,&pqgParam.subPrime,publicKey,
+	                            CKA_SUBPRIME);
+	if (crv != CKR_OK) {
+	    PORT_Free(pqgParam.prime.data);
+	    break;
+	}
+	crv=pk11_Attribute2SSecItem(NULL,&pqgParam.base,publicKey,CKA_BASE);
+	if (crv != CKR_OK) {
+	    PORT_Free(pqgParam.prime.data);
+	    PORT_Free(pqgParam.subPrime.data);
+	    break;
+	}
+        crv = pk11_AddAttributeType(privateKey,CKA_PRIME,
+				    pk11_item_expand(&pqgParam.prime));
+	if (crv != CKR_OK) {
+	    PORT_Free(pqgParam.prime.data);
+	    PORT_Free(pqgParam.subPrime.data);
+	    PORT_Free(pqgParam.base.data);
+	    break;
+	}
+        crv = pk11_AddAttributeType(privateKey,CKA_SUBPRIME,
+			    	    pk11_item_expand(&pqgParam.subPrime));
+	if (crv != CKR_OK) {
+	    PORT_Free(pqgParam.prime.data);
+	    PORT_Free(pqgParam.subPrime.data);
+	    PORT_Free(pqgParam.base.data);
+	    break;
+	}
+        crv = pk11_AddAttributeType(privateKey,CKA_BASE,
+			    	    pk11_item_expand(&pqgParam.base));
+	if (crv != CKR_OK) {
+	    PORT_Free(pqgParam.prime.data);
+	    PORT_Free(pqgParam.subPrime.data);
+	    PORT_Free(pqgParam.base.data);
+	    break;
+	}
+
+	/* Generate the key */
+	rv = DSA_NewKey(&pqgParam, &dsaPriv);
+
+	PORT_Free(pqgParam.prime.data);
+	PORT_Free(pqgParam.subPrime.data);
+	PORT_Free(pqgParam.base.data);
+
+	if (rv != SECSuccess) { crv = CKR_DEVICE_ERROR; break; }
+
+	/* store the generated key into the attributes */
+        crv = pk11_AddAttributeType(publicKey,CKA_VALUE,
+			   pk11_item_expand(&dsaPriv->publicValue));
+	if (crv != CKR_OK) goto dsagn_done;
+
+        /* now fill in the RSA dependent paramenters in the private key */
+        crv = pk11_AddAttributeType(privateKey,CKA_NETSCAPE_DB,
+			   pk11_item_expand(&dsaPriv->publicValue));
+	if (crv != CKR_OK) goto dsagn_done;
+        crv = pk11_AddAttributeType(privateKey,CKA_VALUE,
+			   pk11_item_expand(&dsaPriv->privateValue));
+
+dsagn_done:
+	/* should zeroize, since this function doesn't. */
+	PORT_FreeArena(dsaPriv->params.arena, PR_TRUE);
+	break;
+
+    case CKM_DH_PKCS_KEY_PAIR_GEN:
+	pk11_DeleteAttributeType(privateKey,CKA_PRIME);
+	pk11_DeleteAttributeType(privateKey,CKA_BASE);
+	pk11_DeleteAttributeType(privateKey,CKA_VALUE);
+	key_type = CKK_DH;
+
+	/* extract the necessary parameters and copy them to private keys */
+        crv = pk11_Attribute2SSecItem(NULL, &dhParam.prime, publicKey, 
+				      CKA_PRIME);
+	if (crv != CKR_OK) break;
+	crv = pk11_Attribute2SSecItem(NULL, &dhParam.base, publicKey, CKA_BASE);
+	if (crv != CKR_OK) {
+	  PORT_Free(dhParam.prime.data);
+	  break;
+	}
+	crv = pk11_AddAttributeType(privateKey, CKA_PRIME, 
+				    pk11_item_expand(&dhParam.prime));
+	if (crv != CKR_OK) {
+	  PORT_Free(dhParam.prime.data);
+	  PORT_Free(dhParam.base.data);
+	  break;
+	}
+	crv = pk11_AddAttributeType(privateKey, CKA_BASE, 
+				    pk11_item_expand(&dhParam.base));
+	if (crv != CKR_OK) goto dhgn_done;
+
+	rv = DH_NewKey(&dhParam, &dhPriv);
+	PORT_Free(dhParam.prime.data);
+	PORT_Free(dhParam.base.data);
+	if (rv != SECSuccess) { 
+	  crv = CKR_DEVICE_ERROR;
+	  break;
+	}
+
+	crv=pk11_AddAttributeType(publicKey, CKA_VALUE, 
+				pk11_item_expand(&dhPriv->publicValue));
+	if (crv != CKR_OK) goto dhgn_done;
+
+	crv=pk11_AddAttributeType(privateKey, CKA_VALUE, 
+			      pk11_item_expand(&dhPriv->privateValue));
+
+dhgn_done:
+	/* should zeroize, since this function doesn't. */
+	PORT_FreeArena(dhPriv->arena, PR_TRUE);
+	break;
+
+    default:
+	crv = CKR_MECHANISM_INVALID;
+    }
+
+    if (crv != CKR_OK) {
+	pk11_FreeObject(privateKey);
+	pk11_FreeObject(publicKey);
+	return crv;
+    }
+
+
+    /* Add the class, key_type The loop lets us check errors blow out
+     *  on errors and clean up at the bottom */
+    session = NULL; /* make pedtantic happy... session cannot leave the*/
+		    /* loop below NULL unless an error is set... */
+    do {
+	crv = pk11_AddAttributeType(privateKey,CKA_CLASS,&privClass,
+						sizeof(CK_OBJECT_CLASS));
+        if (crv != CKR_OK) break;
+	crv = pk11_AddAttributeType(publicKey,CKA_CLASS,&pubClass,
+						sizeof(CK_OBJECT_CLASS));
+        if (crv != CKR_OK) break;
+	crv = pk11_AddAttributeType(privateKey,CKA_KEY_TYPE,&key_type,
+						sizeof(CK_KEY_TYPE));
+        if (crv != CKR_OK) break;
+	crv = pk11_AddAttributeType(publicKey,CKA_KEY_TYPE,&key_type,
+						sizeof(CK_KEY_TYPE));
+        if (crv != CKR_OK) break;
+        session = pk11_SessionFromHandle(hSession);
+        if (session == NULL) crv = CKR_SESSION_HANDLE_INVALID;
+    } while (0);
+
+    if (crv != CKR_OK) {
+	 pk11_FreeObject(privateKey);
+	 pk11_FreeObject(publicKey);
+	 return crv;
+    }
+
+    /*
+     * handle the base object cleanup for the public Key
+     */
+    crv = pk11_handleObject(privateKey,session);
+    if (crv != CKR_OK) {
+        pk11_FreeSession(session);
+	pk11_FreeObject(privateKey);
+	pk11_FreeObject(publicKey);
+	return crv;
+    }
+
+    /*
+     * handle the base object cleanup for the private Key
+     * If we have any problems, we destroy the public Key we've
+     * created and linked.
+     */
+    crv = pk11_handleObject(publicKey,session);
+    pk11_FreeSession(session);
+    if (crv != CKR_OK) {
+	pk11_FreeObject(publicKey);
+	NSC_DestroyObject(hSession,privateKey->handle);
+	pk11_FreeObject(privateKey);
+	return crv;
+    }
+    if (pk11_isTrue(privateKey,CKA_SENSITIVE)) {
+	pk11_forceAttribute(privateKey,CKA_ALWAYS_SENSITIVE,
+						&cktrue,sizeof(CK_BBOOL));
+    }
+    if (pk11_isTrue(publicKey,CKA_SENSITIVE)) {
+	pk11_forceAttribute(publicKey,CKA_ALWAYS_SENSITIVE,
+						&cktrue,sizeof(CK_BBOOL));
+    }
+    if (!pk11_isTrue(privateKey,CKA_EXTRACTABLE)) {
+	pk11_forceAttribute(privateKey,CKA_NEVER_EXTRACTABLE,
+						&cktrue,sizeof(CK_BBOOL));
+    }
+    if (!pk11_isTrue(publicKey,CKA_EXTRACTABLE)) {
+	pk11_forceAttribute(publicKey,CKA_NEVER_EXTRACTABLE,
+						&cktrue,sizeof(CK_BBOOL));
+    }
+    *phPrivateKey = privateKey->handle;
+    *phPublicKey = publicKey->handle;
+    pk11_FreeObject(publicKey);
+    pk11_FreeObject(privateKey);
+
+    return CKR_OK;
+}
+
+static SECItem *pk11_PackagePrivateKey(PK11Object *key)
+{
+    NSSLOWKEYPrivateKey *lk = NULL;
+    NSSLOWKEYPrivateKeyInfo *pki = NULL;
+    PK11Attribute *attribute = NULL;
+    PLArenaPool *arena = NULL;
+    SECOidTag algorithm = SEC_OID_UNKNOWN;
+    void *dummy, *param = NULL;
+    SECStatus rv = SECSuccess;
+    SECItem *encodedKey = NULL;
+
+    if(!key) {
+	return NULL;
+    }
+
+    attribute = pk11_FindAttribute(key, CKA_KEY_TYPE);
+    if(!attribute) {
+	return NULL;
+    }
+
+    lk = pk11_GetPrivKey(key, *(CK_KEY_TYPE *)attribute->attrib.pValue);
+    pk11_FreeAttribute(attribute);
+    if(!lk) {
+	return NULL;
+    }
+
+    arena = PORT_NewArena(2048); 	/* XXX different size? */
+    if(!arena) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    pki = (NSSLOWKEYPrivateKeyInfo*)PORT_ArenaZAlloc(arena, 
+					sizeof(NSSLOWKEYPrivateKeyInfo));
+    if(!pki) {
+	rv = SECFailure;
+	goto loser;
+    }
+    pki->arena = arena;
+
+    param = NULL;
+    switch(lk->keyType) {
+	case NSSLOWKEYRSAKey:
+	    prepare_low_rsa_priv_key_for_asn1(lk);
+	    dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk,
+				       nsslowkey_RSAPrivateKeyTemplate);
+	    algorithm = SEC_OID_PKCS1_RSA_ENCRYPTION;
+	    break;
+	case NSSLOWKEYDSAKey:
+            prepare_low_dsa_priv_key_export_for_asn1(lk);
+	    dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk,
+				       nsslowkey_DSAPrivateKeyExportTemplate);
+	    prepare_low_pqg_params_for_asn1(&lk->u.dsa.params);
+	    param = SEC_ASN1EncodeItem(NULL, NULL, &(lk->u.dsa.params),
+				       nsslowkey_PQGParamsTemplate);
+	    algorithm = SEC_OID_ANSIX9_DSA_SIGNATURE;
+	    break;
+	case NSSLOWKEYDHKey:
+	default:
+	    dummy = NULL;
+	    break;
+    }
+ 
+    if(!dummy || ((lk->keyType == NSSLOWKEYDSAKey) && !param)) {
+	goto loser;
+    }
+
+    rv = SECOID_SetAlgorithmID(arena, &pki->algorithm, algorithm, 
+			       (SECItem*)param);
+    if(rv != SECSuccess) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    dummy = SEC_ASN1EncodeInteger(arena, &pki->version,
+				  NSSLOWKEY_PRIVATE_KEY_INFO_VERSION);
+    if(!dummy) {
+	rv = SECFailure;
+	goto loser;
+    }
+
+    encodedKey = SEC_ASN1EncodeItem(NULL, NULL, pki, 
+				    nsslowkey_PrivateKeyInfoTemplate);
+
+loser:
+    if(arena) {
+	PORT_FreeArena(arena, PR_TRUE);
+    }
+
+    if(lk && (lk != key->objectInfo)) {
+	nsslowkey_DestroyPrivateKey(lk);
+    }
+ 
+    if(param) {
+	SECITEM_ZfreeItem((SECItem*)param, PR_TRUE);
+    }
+
+    if(rv != SECSuccess) {
+	return NULL;
+    }
+
+    return encodedKey;
+}
+    
+/* it doesn't matter yet, since we colapse error conditions in the
+ * level above, but we really should map those few key error differences */
+CK_RV pk11_mapWrap(CK_RV crv) { return crv; }
+
+/* NSC_WrapKey wraps (i.e., encrypts) a key. */
+CK_RV NSC_WrapKey(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey,
+    CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey,
+					 CK_ULONG_PTR pulWrappedKeyLen)
+{
+    PK11Session *session;
+    PK11Attribute *attribute;
+    PK11Object *key;
+    CK_RV crv;
+    PRBool isLynks = PR_FALSE;
+    CK_ULONG len = 0;
+
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) {
+    	return CKR_SESSION_HANDLE_INVALID;
+    }
+
+    key = pk11_ObjectFromHandle(hKey,session);
+    pk11_FreeSession(session);
+    if (key == NULL) {
+	return CKR_KEY_HANDLE_INVALID;
+    }
+
+    switch(key->objclass) {
+	case CKO_SECRET_KEY:
+	    attribute = pk11_FindAttribute(key,CKA_VALUE);
+
+	    if (attribute == NULL) {
+		crv = CKR_KEY_TYPE_INCONSISTENT;
+		break;
+	    }
+	    if (pMechanism->mechanism == CKM_KEY_WRAP_LYNKS) {
+		isLynks = PR_TRUE;
+		pMechanism->mechanism = CKM_DES_ECB;
+		len = *pulWrappedKeyLen;
+	    }
+     
+	    crv = pk11_CryptInit(hSession, pMechanism, hWrappingKey, 
+					CKA_WRAP, PK11_ENCRYPT, PR_TRUE);
+	    if (crv != CKR_OK) {
+		pk11_FreeAttribute(attribute);
+		break;
+	    }
+	    crv = NSC_Encrypt(hSession, (CK_BYTE_PTR)attribute->attrib.pValue, 
+		    attribute->attrib.ulValueLen,pWrappedKey,pulWrappedKeyLen);
+
+	    if (isLynks && (crv == CKR_OK)) {
+		unsigned char buf[2];
+		crv = pk11_calcLynxChecksum(hSession,hWrappingKey,buf,
+			(unsigned char*)attribute->attrib.pValue,
+			attribute->attrib.ulValueLen);
+		if (len >= 10) {
+		    pWrappedKey[8] = buf[0];
+		    pWrappedKey[9] = buf[1];
+		    *pulWrappedKeyLen = 10;
+		}
+	    }
+	    pk11_FreeAttribute(attribute);
+	    break;
+
+	case CKO_PRIVATE_KEY:
+	    {
+		SECItem *bpki = pk11_PackagePrivateKey(key);
+
+		if(!bpki) {
+		    crv = CKR_KEY_TYPE_INCONSISTENT;
+		    break;
+		}
+
+		crv = pk11_CryptInit(hSession, pMechanism, hWrappingKey,
+					CKA_WRAP, PK11_ENCRYPT, PR_TRUE);
+		if(crv != CKR_OK) {
+		    SECITEM_ZfreeItem(bpki, PR_TRUE);
+		    crv = CKR_KEY_TYPE_INCONSISTENT;
+		    break;
+		}
+
+		crv = NSC_Encrypt(hSession, bpki->data, bpki->len,
+					pWrappedKey, pulWrappedKeyLen);
+		SECITEM_ZfreeItem(bpki, PR_TRUE);
+		break;
+	    }
+
+	default:
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+    }
+    pk11_FreeObject(key);
+
+    return pk11_mapWrap(crv);
+}
+
+/*
+ * import a pprivate key info into the desired slot
+ */
+static SECStatus
+pk11_unwrapPrivateKey(PK11Object *key, SECItem *bpki)
+{
+    CK_BBOOL cktrue = CK_TRUE; 
+    CK_KEY_TYPE keyType = CKK_RSA;
+    SECStatus rv = SECFailure;
+    const SEC_ASN1Template *keyTemplate, *paramTemplate;
+    void *paramDest = NULL;
+    PLArenaPool *arena;
+    NSSLOWKEYPrivateKey *lpk = NULL;
+    NSSLOWKEYPrivateKeyInfo *pki = NULL;
+    SECItem *ck_id = NULL;
+    CK_RV crv = CKR_KEY_TYPE_INCONSISTENT;
+
+    arena = PORT_NewArena(2048);
+    if(!arena) {
+	return SECFailure;
+    }
+
+    pki = (NSSLOWKEYPrivateKeyInfo*)PORT_ArenaZAlloc(arena, 
+					sizeof(NSSLOWKEYPrivateKeyInfo));
+    if(!pki) {
+	PORT_FreeArena(arena, PR_TRUE);
+	return SECFailure;
+    }
+
+    if(SEC_ASN1DecodeItem(arena, pki, nsslowkey_PrivateKeyInfoTemplate, bpki) 
+				!= SECSuccess) {
+	PORT_FreeArena(arena, PR_FALSE);
+	return SECFailure;
+    }
+
+    lpk = (NSSLOWKEYPrivateKey *)PORT_ArenaZAlloc(arena,
+						  sizeof(NSSLOWKEYPrivateKey));
+    if(lpk == NULL) {
+	goto loser;
+    }
+    lpk->arena = arena;
+
+    switch(SECOID_GetAlgorithmTag(&pki->algorithm)) {
+	case SEC_OID_PKCS1_RSA_ENCRYPTION:
+	    keyTemplate = nsslowkey_RSAPrivateKeyTemplate;
+	    paramTemplate = NULL;
+	    paramDest = NULL;
+	    lpk->keyType = NSSLOWKEYRSAKey;
+	    prepare_low_rsa_priv_key_for_asn1(lpk);
+	    break;
+	case SEC_OID_ANSIX9_DSA_SIGNATURE:
+	    keyTemplate = nsslowkey_DSAPrivateKeyExportTemplate;
+	    paramTemplate = nsslowkey_PQGParamsTemplate;
+	    paramDest = &(lpk->u.dsa.params);
+	    lpk->keyType = NSSLOWKEYDSAKey;
+	    prepare_low_dsa_priv_key_export_for_asn1(lpk);
+	    prepare_low_pqg_params_for_asn1(&lpk->u.dsa.params);
+	    break;
+	/* case NSSLOWKEYDHKey: */
+	default:
+	    keyTemplate = NULL;
+	    paramTemplate = NULL;
+	    paramDest = NULL;
+	    break;
+    }
+
+    if(!keyTemplate) {
+	goto loser;
+    }
+
+    /* decode the private key and any algorithm parameters */
+    rv = SEC_ASN1DecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
+    if(rv != SECSuccess) {
+	goto loser;
+    }
+    if(paramDest && paramTemplate) {
+	rv = SEC_ASN1DecodeItem(arena, paramDest, paramTemplate, 
+				 &(pki->algorithm.parameters));
+	if(rv != SECSuccess) {
+	    goto loser;
+	}
+    }
+
+    rv = SECFailure;
+
+    switch (lpk->keyType) {
+        case NSSLOWKEYRSAKey:
+	    keyType = CKK_RSA;
+	    if(pk11_hasAttribute(key, CKA_NETSCAPE_DB)) {
+		pk11_DeleteAttributeType(key, CKA_NETSCAPE_DB);
+	    }
+	    crv = pk11_AddAttributeType(key, CKA_KEY_TYPE, &keyType, 
+					sizeof(keyType));
+	    if(crv != CKR_OK) break;
+	    crv = pk11_AddAttributeType(key, CKA_UNWRAP, &cktrue, 
+					sizeof(CK_BBOOL));
+	    if(crv != CKR_OK) break;
+	    crv = pk11_AddAttributeType(key, CKA_DECRYPT, &cktrue, 
+					sizeof(CK_BBOOL));
+	    if(crv != CKR_OK) break;
+	    crv = pk11_AddAttributeType(key, CKA_SIGN, &cktrue, 
+					sizeof(CK_BBOOL));
+	    if(crv != CKR_OK) break;
+	    crv = pk11_AddAttributeType(key, CKA_SIGN_RECOVER, &cktrue, 
+				    sizeof(CK_BBOOL));
+	    if(crv != CKR_OK) break;
+	    crv = pk11_AddAttributeType(key, CKA_MODULUS, 
+				pk11_item_expand(&lpk->u.rsa.modulus));
+	    if(crv != CKR_OK) break;
+	    crv = pk11_AddAttributeType(key, CKA_PUBLIC_EXPONENT, 
+	     			pk11_item_expand(&lpk->u.rsa.publicExponent));
+	    if(crv != CKR_OK) break;
+	    crv = pk11_AddAttributeType(key, CKA_PRIVATE_EXPONENT, 
+	     			pk11_item_expand(&lpk->u.rsa.privateExponent));
+	    if(crv != CKR_OK) break;
+	    crv = pk11_AddAttributeType(key, CKA_PRIME_1, 
+				pk11_item_expand(&lpk->u.rsa.prime1));
+	    if(crv != CKR_OK) break;
+	    crv = pk11_AddAttributeType(key, CKA_PRIME_2, 
+	     			pk11_item_expand(&lpk->u.rsa.prime2));
+	    if(crv != CKR_OK) break;
+	    crv = pk11_AddAttributeType(key, CKA_EXPONENT_1, 
+	     			pk11_item_expand(&lpk->u.rsa.exponent1));
+	    if(crv != CKR_OK) break;
+	    crv = pk11_AddAttributeType(key, CKA_EXPONENT_2, 
+	     			pk11_item_expand(&lpk->u.rsa.exponent2));
+	    if(crv != CKR_OK) break;
+	    crv = pk11_AddAttributeType(key, CKA_COEFFICIENT, 
+	     			pk11_item_expand(&lpk->u.rsa.coefficient));
+	    break;
+        case NSSLOWKEYDSAKey:
+	    keyType = CKK_DSA;
+	    crv = (pk11_hasAttribute(key, CKA_NETSCAPE_DB)) ? CKR_OK :
+						CKR_KEY_TYPE_INCONSISTENT;
+	    if(crv != CKR_OK) break;
+	    crv = pk11_AddAttributeType(key, CKA_KEY_TYPE, &keyType, 
+						sizeof(keyType));
+	    if(crv != CKR_OK) break;
+	    crv = pk11_AddAttributeType(key, CKA_SIGN, &cktrue, 
+						sizeof(CK_BBOOL));
+	    if(crv != CKR_OK) break;
+	    crv = pk11_AddAttributeType(key, CKA_SIGN_RECOVER, &cktrue, 
+						sizeof(CK_BBOOL)); 
+	    if(crv != CKR_OK) break;
+	    crv = pk11_AddAttributeType(key, CKA_PRIME,    
+				    pk11_item_expand(&lpk->u.dsa.params.prime));
+	    if(crv != CKR_OK) break;
+	    crv = pk11_AddAttributeType(key, CKA_SUBPRIME,
+				 pk11_item_expand(&lpk->u.dsa.params.subPrime));
+	    if(crv != CKR_OK) break;
+	    crv = pk11_AddAttributeType(key, CKA_BASE,  
+				    pk11_item_expand(&lpk->u.dsa.params.base));
+	    if(crv != CKR_OK) break;
+	    crv = pk11_AddAttributeType(key, CKA_VALUE, 
+			pk11_item_expand(&lpk->u.dsa.privateValue));
+	    if(crv != CKR_OK) break;
+	    break;
+#ifdef notdef
+        case NSSLOWKEYDHKey:
+	    template = dhTemplate;
+	    templateCount = sizeof(dhTemplate)/sizeof(CK_ATTRIBUTE);
+	    keyType = CKK_DH;
+	    break;
+#endif
+	/* what about fortezza??? */
+	default:
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+    }
+
+loser:
+    if(ck_id) {
+	SECITEM_ZfreeItem(ck_id, PR_TRUE);
+    }
+
+    if(lpk) {
+	nsslowkey_DestroyPrivateKey(lpk);
+    }
+
+    if(crv != CKR_OK) {
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+
+/* NSC_UnwrapKey unwraps (decrypts) a wrapped key, creating a new key object. */
+CK_RV NSC_UnwrapKey(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey,
+    CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
+    CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+						 CK_OBJECT_HANDLE_PTR phKey)
+{
+    PK11Object *key = NULL;
+    PK11Session *session;
+    int key_length = 0;
+    unsigned char * buf = NULL;
+    CK_RV crv = CKR_OK;
+    int i;
+    CK_ULONG bsize = ulWrappedKeyLen;
+    PK11Slot *slot = pk11_SlotFromSessionHandle(hSession);
+    SECItem bpki;
+    CK_OBJECT_CLASS target_type = CKO_SECRET_KEY;
+    PRBool isLynks = PR_FALSE;
+
+    /*
+     * now lets create an object to hang the attributes off of
+     */
+    key = pk11_NewObject(slot); /* fill in the handle later */
+    if (key == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+
+    /*
+     * load the template values into the object
+     */
+    for (i=0; i < (int) ulAttributeCount; i++) {
+	if (pTemplate[i].type == CKA_VALUE_LEN) {
+	    key_length = *(CK_ULONG *)pTemplate[i].pValue;
+	    continue;
+	}
+        if (pTemplate[i].type == CKA_CLASS) {
+	    target_type = *(CK_OBJECT_CLASS *)pTemplate[i].pValue;
+	}
+	crv = pk11_AddAttributeType(key,pk11_attr_expand(&pTemplate[i]));
+	if (crv != CKR_OK) break;
+    }
+    if (crv != CKR_OK) {
+	pk11_FreeObject(key);
+	return crv;
+    }
+
+    /* LYNKS is a special key wrapping mechanism */
+    if (pMechanism->mechanism == CKM_KEY_WRAP_LYNKS) {
+	isLynks = PR_TRUE;
+	pMechanism->mechanism = CKM_DES_ECB;
+	ulWrappedKeyLen -= 2; /* don't decrypt the checksum */
+    }
+
+    crv = pk11_CryptInit(hSession,pMechanism,hUnwrappingKey,CKA_UNWRAP,
+							PK11_DECRYPT, PR_FALSE);
+    if (crv != CKR_OK) {
+	pk11_FreeObject(key);
+	return pk11_mapWrap(crv);
+    }
+
+    /* allocate the buffer to decrypt into 
+     * this assumes the unwrapped key is never larger than the
+     * wrapped key. For all the mechanisms we support this is true */
+    buf = (unsigned char *)PORT_Alloc( ulWrappedKeyLen);
+    bsize = ulWrappedKeyLen;
+
+    crv = NSC_Decrypt(hSession, pWrappedKey, ulWrappedKeyLen, buf, &bsize);
+    if (crv != CKR_OK) {
+	pk11_FreeObject(key);
+	PORT_Free(buf);
+	return pk11_mapWrap(crv);
+    }
+
+    switch(target_type) {
+	case CKO_SECRET_KEY:
+	    if (!pk11_hasAttribute(key,CKA_KEY_TYPE)) {
+		crv = CKR_TEMPLATE_INCOMPLETE;
+		break;
+	    }
+
+	    /* verify the Lynx checksum */
+	    if (isLynks) {
+		unsigned char checkSum[2];
+		crv = pk11_calcLynxChecksum(hSession,hUnwrappingKey,checkSum,
+								buf,bsize);
+		if (crv != CKR_OK) break;
+		if ((ulWrappedKeyLen != 8) || (pWrappedKey[8] != checkSum[0]) 
+			|| (pWrappedKey[9] != checkSum[1])) {
+		    crv = CKR_WRAPPED_KEY_INVALID;
+		    break;
+		}
+	    }
+
+	    if(key_length == 0) {
+		key_length = bsize;
+	    }
+	    if (key_length > MAX_KEY_LEN) {
+		crv = CKR_TEMPLATE_INCONSISTENT;
+		break;
+	    }
+    
+	    /* add the value */
+	    crv = pk11_AddAttributeType(key,CKA_VALUE,buf,key_length);
+	    break;
+	case CKO_PRIVATE_KEY:
+	    bpki.data = (unsigned char *)buf;
+	    bpki.len = bsize;
+	    crv = CKR_OK;
+	    if(pk11_unwrapPrivateKey(key, &bpki) != SECSuccess) {
+		crv = CKR_TEMPLATE_INCOMPLETE;
+	    }
+	    break;
+	default:
+	    crv = CKR_TEMPLATE_INCONSISTENT;
+	    break;
+    }
+
+    PORT_ZFree(buf, bsize);
+    if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
+
+    /* get the session */
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) {
+	pk11_FreeObject(key);
+        return CKR_SESSION_HANDLE_INVALID;
+    }
+
+    /*
+     * handle the base object stuff
+     */
+    crv = pk11_handleObject(key,session);
+    *phKey = key->handle;
+    pk11_FreeSession(session);
+    pk11_FreeObject(key);
+
+    return crv;
+
+}
+
+/*
+ * The SSL key gen mechanism create's lots of keys. This function handles the
+ * details of each of these key creation.
+ */
+static CK_RV
+pk11_buildSSLKey(CK_SESSION_HANDLE hSession, PK11Object *baseKey, 
+    PRBool isMacKey, unsigned char *keyBlock, unsigned int keySize,
+						 CK_OBJECT_HANDLE *keyHandle)
+{
+    PK11Object *key;
+    PK11Session *session;
+    CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_RV crv = CKR_HOST_MEMORY;
+
+    /*
+     * now lets create an object to hang the attributes off of
+     */
+    *keyHandle = CK_INVALID_HANDLE;
+    key = pk11_NewObject(baseKey->slot); 
+    if (key == NULL) return CKR_HOST_MEMORY;
+    pk11_narrowToSessionObject(key)->wasDerived = PR_TRUE;
+
+    crv = pk11_CopyObject(key,baseKey);
+    if (crv != CKR_OK) goto loser;
+    if (isMacKey) {
+	crv = pk11_forceAttribute(key,CKA_KEY_TYPE,&keyType,sizeof(keyType));
+	if (crv != CKR_OK) goto loser;
+	crv = pk11_forceAttribute(key,CKA_DERIVE,&cktrue,sizeof(CK_BBOOL));
+	if (crv != CKR_OK) goto loser;
+	crv = pk11_forceAttribute(key,CKA_ENCRYPT,&ckfalse,sizeof(CK_BBOOL));
+	if (crv != CKR_OK) goto loser;
+	crv = pk11_forceAttribute(key,CKA_DECRYPT,&ckfalse,sizeof(CK_BBOOL));
+	if (crv != CKR_OK) goto loser;
+	crv = pk11_forceAttribute(key,CKA_SIGN,&cktrue,sizeof(CK_BBOOL));
+	if (crv != CKR_OK) goto loser;
+	crv = pk11_forceAttribute(key,CKA_VERIFY,&cktrue,sizeof(CK_BBOOL));
+	if (crv != CKR_OK) goto loser;
+	crv = pk11_forceAttribute(key,CKA_WRAP,&ckfalse,sizeof(CK_BBOOL));
+	if (crv != CKR_OK) goto loser;
+	crv = pk11_forceAttribute(key,CKA_UNWRAP,&ckfalse,sizeof(CK_BBOOL));
+	if (crv != CKR_OK) goto loser;
+    }
+    crv = pk11_forceAttribute(key,CKA_VALUE,keyBlock,keySize);
+    if (crv != CKR_OK) goto loser;
+
+    /* get the session */
+    crv = CKR_HOST_MEMORY;
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) { goto loser; }
+
+    crv = pk11_handleObject(key,session);
+    pk11_FreeSession(session);
+    *keyHandle = key->handle;
+loser:
+    if (key) pk11_FreeObject(key);
+    return crv;
+}
+
+/*
+ * if there is an error, we need to free the keys we already created in SSL
+ * This is the routine that will do it..
+ */
+static void
+pk11_freeSSLKeys(CK_SESSION_HANDLE session,
+				CK_SSL3_KEY_MAT_OUT *returnedMaterial ) {
+	if (returnedMaterial->hClientMacSecret != CK_INVALID_HANDLE) {
+	   NSC_DestroyObject(session,returnedMaterial->hClientMacSecret);
+	}
+	if (returnedMaterial->hServerMacSecret != CK_INVALID_HANDLE) {
+	   NSC_DestroyObject(session, returnedMaterial->hServerMacSecret);
+	}
+	if (returnedMaterial->hClientKey != CK_INVALID_HANDLE) {
+	   NSC_DestroyObject(session, returnedMaterial->hClientKey);
+	}
+	if (returnedMaterial->hServerKey != CK_INVALID_HANDLE) {
+	   NSC_DestroyObject(session, returnedMaterial->hServerKey);
+	}
+}
+
+/*
+ * when deriving from sensitive and extractable keys, we need to preserve some
+ * of the semantics in the derived key. This helper routine maintains these
+ * semantics.
+ */
+static CK_RV
+pk11_DeriveSensitiveCheck(PK11Object *baseKey,PK11Object *destKey) {
+    PRBool hasSensitive;
+    PRBool sensitive = PR_FALSE;
+    PRBool hasExtractable;
+    PRBool extractable = PR_TRUE;
+    CK_RV crv = CKR_OK;
+    PK11Attribute *att;
+
+    hasSensitive = PR_FALSE;
+    att = pk11_FindAttribute(destKey,CKA_SENSITIVE);
+    if (att) {
+        hasSensitive = PR_TRUE;
+	sensitive = (PRBool) *(CK_BBOOL *)att->attrib.pValue;
+	pk11_FreeAttribute(att);
+    }
+
+    hasExtractable = PR_FALSE;
+    att = pk11_FindAttribute(destKey,CKA_EXTRACTABLE);
+    if (att) {
+        hasExtractable = PR_TRUE;
+	extractable = (PRBool) *(CK_BBOOL *)att->attrib.pValue;
+	pk11_FreeAttribute(att);
+    }
+
+
+    /* don't make a key more accessible */
+    if (pk11_isTrue(baseKey,CKA_SENSITIVE) && hasSensitive && 
+						(sensitive == PR_FALSE)) {
+	return CKR_KEY_FUNCTION_NOT_PERMITTED;
+    }
+    if (!pk11_isTrue(baseKey,CKA_EXTRACTABLE) && hasExtractable && 
+						(extractable == PR_TRUE)) {
+	return CKR_KEY_FUNCTION_NOT_PERMITTED;
+    }
+
+    /* inherit parent's sensitivity */
+    if (!hasSensitive) {
+        att = pk11_FindAttribute(baseKey,CKA_SENSITIVE);
+	if (att == NULL) return CKR_KEY_TYPE_INCONSISTENT;
+	crv = pk11_defaultAttribute(destKey,pk11_attr_expand(&att->attrib));
+	pk11_FreeAttribute(att);
+	if (crv != CKR_OK) return crv;
+    }
+    if (!hasExtractable) {
+        att = pk11_FindAttribute(baseKey,CKA_EXTRACTABLE);
+	if (att == NULL) return CKR_KEY_TYPE_INCONSISTENT;
+	crv = pk11_defaultAttribute(destKey,pk11_attr_expand(&att->attrib));
+	pk11_FreeAttribute(att);
+	if (crv != CKR_OK) return crv;
+    }
+
+    /* we should inherit the parent's always extractable/ never sensitive info,
+     * but handleObject always forces this attributes, so we would need to do
+     * something special. */
+    return CKR_OK;
+}
+
+/*
+ * make known fixed PKCS #11 key types to their sizes in bytes
+ */	
+static unsigned long
+pk11_MapKeySize(CK_KEY_TYPE keyType) {
+    switch (keyType) {
+    case CKK_CDMF:
+	return 8;
+    case CKK_DES:
+	return 8;
+    case CKK_DES2:
+	return 16;
+    case CKK_DES3:
+	return 24;
+    /* IDEA and CAST need to be added */
+    default:
+	break;
+    }
+    return 0;
+}
+
+#define PHASH_STATE_MAX_LEN 20
+
+/* TLS P_hash function */
+static SECStatus
+pk11_P_hash(HASH_HashType hashType, const SECItem *secret, const char *label, 
+	SECItem *seed, SECItem *result)
+{
+    unsigned char state[PHASH_STATE_MAX_LEN];
+    unsigned char outbuf[PHASH_STATE_MAX_LEN];
+    unsigned int state_len = 0, label_len = 0, outbuf_len = 0, chunk_size;
+    unsigned int remaining;
+    unsigned char *res;
+    SECStatus status;
+    HMACContext *cx;
+    SECStatus rv = SECFailure;
+    const SECHashObject *hashObj = &SECRawHashObjects[hashType];
+
+    PORT_Assert((secret != NULL) && (secret->data != NULL || !secret->len));
+    PORT_Assert((seed != NULL) && (seed->data != NULL));
+    PORT_Assert((result != NULL) && (result->data != NULL));
+
+    remaining = result->len;
+    res = result->data;
+
+    if (label != NULL)
+	label_len = PORT_Strlen(label);
+
+    cx = HMAC_Create(hashObj, secret->data, secret->len);
+    if (cx == NULL)
+	goto loser;
+
+    /* initialize the state = A(1) = HMAC_hash(secret, seed) */
+    HMAC_Begin(cx);
+    HMAC_Update(cx, (unsigned char *)label, label_len);
+    HMAC_Update(cx, seed->data, seed->len);
+    status = HMAC_Finish(cx, state, &state_len, PHASH_STATE_MAX_LEN);
+    if (status != SECSuccess)
+	goto loser;
+
+    /* generate a block at a time until we're done */
+    while (remaining > 0) {
+
+	HMAC_Begin(cx);
+	HMAC_Update(cx, state, state_len);
+	if (label_len)
+	    HMAC_Update(cx, (unsigned char *)label, label_len);
+	HMAC_Update(cx, seed->data, seed->len);
+	status = HMAC_Finish(cx, outbuf, &outbuf_len, PHASH_STATE_MAX_LEN);
+	if (status != SECSuccess)
+	    goto loser;
+
+        /* Update the state = A(i) = HMAC_hash(secret, A(i-1)) */
+	HMAC_Begin(cx); 
+	HMAC_Update(cx, state, state_len); 
+	status = HMAC_Finish(cx, state, &state_len, PHASH_STATE_MAX_LEN);
+	if (status != SECSuccess)
+	    goto loser;
+
+	chunk_size = PR_MIN(outbuf_len, remaining);
+	PORT_Memcpy(res, &outbuf, chunk_size);
+	res += chunk_size;
+	remaining -= chunk_size;
+    }
+
+    rv = SECSuccess;
+
+loser:
+    /* if (cx) HMAC_Destroy(cx); */
+    /* clear out state so it's not left on the stack */
+    if (cx) HMAC_Destroy(cx);
+    PORT_Memset(state, 0, sizeof(state));
+    PORT_Memset(outbuf, 0, sizeof(outbuf));
+    return rv;
+}
+
+static SECStatus
+pk11_PRF(const SECItem *secret, const char *label, SECItem *seed, 
+         SECItem *result)
+{
+    SECStatus rv = SECFailure, status;
+    unsigned int i;
+    SECItem tmp = { siBuffer, NULL, 0};
+    SECItem S1;
+    SECItem S2;
+
+    PORT_Assert((secret != NULL) && (secret->data != NULL || !secret->len));
+    PORT_Assert((seed != NULL) && (seed->data != NULL));
+    PORT_Assert((result != NULL) && (result->data != NULL));
+
+    S1.type = siBuffer;
+    S1.len  = (secret->len / 2) + (secret->len & 1);
+    S1.data = secret->data;
+
+    S2.type = siBuffer;
+    S2.len  = S1.len;
+    S2.data = secret->data + (secret->len - S2.len);
+
+    tmp.data = (unsigned char*)PORT_Alloc(result->len);
+    if (tmp.data == NULL)
+	goto loser;
+    tmp.len = result->len;
+
+    status = pk11_P_hash(HASH_AlgMD5, &S1, label, seed, result);
+    if (status != SECSuccess)
+	goto loser;
+
+    status = pk11_P_hash(HASH_AlgSHA1, &S2, label, seed, &tmp);
+    if (status != SECSuccess)
+	goto loser;
+
+    for (i = 0; i < result->len; i++)
+	result->data[i] ^= tmp.data[i];
+
+    rv = SECSuccess;
+
+loser:
+    if (tmp.data != NULL)
+	PORT_ZFree(tmp.data, tmp.len);
+    return rv;
+}
+
+/*
+ * SSL Key generation given pre master secret
+ */
+#define NUM_MIXERS 9
+static const char * const mixers[NUM_MIXERS] = { 
+    "A", 
+    "BB", 
+    "CCC", 
+    "DDDD", 
+    "EEEEE", 
+    "FFFFFF", 
+    "GGGGGGG",
+    "HHHHHHHH",
+    "IIIIIIIII" };
+#define SSL3_PMS_LENGTH 48
+#define SSL3_MASTER_SECRET_LENGTH 48
+
+
+/* NSC_DeriveKey derives a key from a base key, creating a new key object. */
+CK_RV NSC_DeriveKey( CK_SESSION_HANDLE hSession,
+	 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey,
+	 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, 
+						CK_OBJECT_HANDLE_PTR phKey)
+{
+    PK11Session *   session;
+    PK11Slot    *   slot	= pk11_SlotFromSessionHandle(hSession);
+    PK11Object  *   key;
+    PK11Object  *   sourceKey;
+    PK11Attribute * att;
+    PK11Attribute * att2;
+    unsigned char * buf;
+    SHA1Context *   sha;
+    MD5Context *    md5;
+    MD2Context *    md2;
+    CK_ULONG        macSize;
+    CK_ULONG        tmpKeySize;
+    CK_ULONG        IVSize;
+    CK_ULONG        keySize	= 0;
+    CK_RV           crv 	= CKR_OK;
+    CK_BBOOL        cktrue	= CK_TRUE;
+    CK_KEY_TYPE     keyType	= CKK_GENERIC_SECRET;
+    CK_OBJECT_CLASS classType	= CKO_SECRET_KEY;
+    CK_KEY_DERIVATION_STRING_DATA *stringPtr;
+    PRBool          isTLS = PR_FALSE;
+    PRBool          isDH = PR_FALSE;
+    SECStatus       rv;
+    int             i;
+    unsigned int    outLen;
+    unsigned char   sha_out[SHA1_LENGTH];
+    unsigned char   key_block[NUM_MIXERS * MD5_LENGTH];
+    unsigned char   key_block2[MD5_LENGTH];
+
+    /*
+     * now lets create an object to hang the attributes off of
+     */
+    if (phKey) *phKey = CK_INVALID_HANDLE;
+
+    key = pk11_NewObject(slot); /* fill in the handle later */
+    if (key == NULL) {
+	return CKR_HOST_MEMORY;
+    }
+
+    /*
+     * load the template values into the object
+     */
+    for (i=0; i < (int) ulAttributeCount; i++) {
+	crv = pk11_AddAttributeType(key,pk11_attr_expand(&pTemplate[i]));
+	if (crv != CKR_OK) break;
+
+	if (pTemplate[i].type == CKA_KEY_TYPE) {
+	    keyType = *(CK_KEY_TYPE *)pTemplate[i].pValue;
+	}
+	if (pTemplate[i].type == CKA_VALUE_LEN) {
+	    keySize = *(CK_ULONG *)pTemplate[i].pValue;
+	}
+    }
+    if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
+
+    if (keySize == 0) {
+	keySize = pk11_MapKeySize(keyType);
+    }
+
+    /* Derive can only create SECRET KEY's currently... */
+    classType = CKO_SECRET_KEY;
+    crv = pk11_forceAttribute (key,CKA_CLASS,&classType,sizeof(classType));
+    if (crv != CKR_OK) {
+	pk11_FreeObject(key);
+	return crv;
+    }
+
+    /* look up the base key we're deriving with */ 
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) {
+	pk11_FreeObject(key);
+        return CKR_SESSION_HANDLE_INVALID;
+    }
+
+    sourceKey = pk11_ObjectFromHandle(hBaseKey,session);
+    pk11_FreeSession(session);
+    if (sourceKey == NULL) {
+	pk11_FreeObject(key);
+        return CKR_KEY_HANDLE_INVALID;
+    }
+
+    /* don't use key derive to expose sensitive keys */
+    crv = pk11_DeriveSensitiveCheck(sourceKey,key);
+    if (crv != CKR_OK) {
+	pk11_FreeObject(key);
+	pk11_FreeObject(sourceKey);
+        return crv;
+    }
+
+    /* get the value of the base key */
+    att = pk11_FindAttribute(sourceKey,CKA_VALUE);
+    if (att == NULL) {
+	pk11_FreeObject(key);
+	pk11_FreeObject(sourceKey);
+        return CKR_KEY_HANDLE_INVALID;
+    }
+
+    switch (pMechanism->mechanism) {
+    /*
+     * generate the master secret 
+     */
+    case CKM_TLS_MASTER_KEY_DERIVE:
+    case CKM_TLS_MASTER_KEY_DERIVE_DH:
+	isTLS = PR_TRUE;
+	/* fall thru */
+    case CKM_SSL3_MASTER_KEY_DERIVE:
+    case CKM_SSL3_MASTER_KEY_DERIVE_DH:
+      {
+	CK_SSL3_MASTER_KEY_DERIVE_PARAMS *ssl3_master;
+	SSL3RSAPreMasterSecret *rsa_pms;
+        if ((pMechanism->mechanism == CKM_SSL3_MASTER_KEY_DERIVE_DH) ||
+            (pMechanism->mechanism == CKM_TLS_MASTER_KEY_DERIVE_DH))
+		isDH = PR_TRUE;
+
+	/* first do the consistancy checks */
+	if (!isDH && (att->attrib.ulValueLen != SSL3_PMS_LENGTH)) {
+	    crv = CKR_KEY_TYPE_INCONSISTENT;
+	    break;
+	}
+	att2 = pk11_FindAttribute(sourceKey,CKA_KEY_TYPE);
+	if ((att2 == NULL) || (*(CK_KEY_TYPE *)att2->attrib.pValue !=
+					CKK_GENERIC_SECRET)) {
+	    if (att2) pk11_FreeAttribute(att2);
+	    crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
+	    break;
+	}
+	pk11_FreeAttribute(att2);
+	if (keyType != CKK_GENERIC_SECRET) {
+	    crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
+	    break;
+	}
+	if ((keySize != 0) && (keySize != SSL3_MASTER_SECRET_LENGTH)) {
+	    crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
+	    break;
+	}
+
+
+	/* finally do the key gen */
+	ssl3_master = (CK_SSL3_MASTER_KEY_DERIVE_PARAMS *)
+					pMechanism->pParameter;
+	if (ssl3_master->pVersion) {
+	    PK11SessionObject *sessKey = pk11_narrowToSessionObject(key);
+	    rsa_pms = (SSL3RSAPreMasterSecret *) att->attrib.pValue;
+	    /* don't leak more key material then necessary for SSL to work */
+	    if ((sessKey == NULL) || sessKey->wasDerived) {
+		ssl3_master->pVersion->major = 0xff;
+		ssl3_master->pVersion->minor = 0xff;
+	    } else {
+		ssl3_master->pVersion->major = rsa_pms->client_version[0];
+		ssl3_master->pVersion->minor = rsa_pms->client_version[1];
+	    }
+	}
+	if (ssl3_master->RandomInfo.ulClientRandomLen != SSL3_RANDOM_LENGTH) {
+	   crv = CKR_MECHANISM_PARAM_INVALID;
+	   break;
+	}
+	if (ssl3_master->RandomInfo.ulServerRandomLen != SSL3_RANDOM_LENGTH) {
+	   crv = CKR_MECHANISM_PARAM_INVALID;
+	   break;
+	}
+
+        if (isTLS) {
+	    unsigned char crsrdata[SSL3_RANDOM_LENGTH * 2];
+	    SECItem crsr = { siBuffer, NULL, 0 };
+	    SECItem master = { siBuffer, NULL, 0 };
+	    SECItem pms = { siBuffer, NULL, 0 };
+	    SECStatus status;
+
+	    pms.data = (unsigned char*)att->attrib.pValue;
+	    pms.len = att->attrib.ulValueLen;
+	    master.data = key_block;
+	    master.len = SSL3_MASTER_SECRET_LENGTH;
+	    crsr.data = crsrdata;
+	    crsr.len = sizeof(crsrdata);
+
+	    PORT_Memcpy(crsrdata, ssl3_master->RandomInfo.pClientRandom,
+							 SSL3_RANDOM_LENGTH);
+	    PORT_Memcpy(crsrdata + SSL3_RANDOM_LENGTH, 
+		ssl3_master->RandomInfo.pServerRandom, SSL3_RANDOM_LENGTH);
+
+	    status = pk11_PRF(&pms, "master secret", &crsr, &master);
+	    if (status != SECSuccess) {
+	    	crv = CKR_FUNCTION_FAILED;
+		break;
+	    }
+	} else {
+	    /* now allocate the hash contexts */
+	    md5 = MD5_NewContext();
+	    if (md5 == NULL) { 
+		crv = CKR_HOST_MEMORY;
+		break;
+	    }
+	    sha = SHA1_NewContext();
+	    if (sha == NULL) { 
+		PORT_Free(md5);
+		crv = CKR_HOST_MEMORY;
+		break;
+	    }
+            for (i = 0; i < 3; i++) {
+              SHA1_Begin(sha);
+              SHA1_Update(sha, (unsigned char*) mixers[i], strlen(mixers[i]));
+              SHA1_Update(sha, (const unsigned char*)att->attrib.pValue, 
+			  att->attrib.ulValueLen);
+              SHA1_Update(sha, ssl3_master->RandomInfo.pClientRandom,
+				ssl3_master->RandomInfo.ulClientRandomLen);
+              SHA1_Update(sha, ssl3_master->RandomInfo.pServerRandom, 
+				ssl3_master->RandomInfo.ulServerRandomLen);
+              SHA1_End(sha, sha_out, &outLen, SHA1_LENGTH);
+              PORT_Assert(outLen == SHA1_LENGTH);
+              MD5_Begin(md5);
+              MD5_Update(md5, (const unsigned char*)att->attrib.pValue, 
+			 att->attrib.ulValueLen);
+              MD5_Update(md5, sha_out, outLen);
+              MD5_End(md5, &key_block[i*MD5_LENGTH], &outLen, MD5_LENGTH);
+              PORT_Assert(outLen == MD5_LENGTH);
+            }
+	    PORT_Free(md5);
+	    PORT_Free(sha);
+	}
+
+	/* store the results */
+	crv = pk11_forceAttribute
+			(key,CKA_VALUE,key_block,SSL3_MASTER_SECRET_LENGTH);
+	if (crv != CKR_OK) break;
+	keyType = CKK_GENERIC_SECRET;
+	crv = pk11_forceAttribute (key,CKA_KEY_TYPE,&keyType,sizeof(keyType));
+	if (isTLS) {
+	    /* TLS's master secret is used to "sign" finished msgs with PRF. */
+	    /* XXX This seems like a hack.   But PK11_Derive only accepts 
+	     * one "operation" argument. */
+	    crv = pk11_forceAttribute(key,CKA_SIGN,  &cktrue,sizeof(CK_BBOOL));
+	    if (crv != CKR_OK) break;
+	    crv = pk11_forceAttribute(key,CKA_VERIFY,&cktrue,sizeof(CK_BBOOL));
+	    if (crv != CKR_OK) break;
+	    /* While we're here, we might as well force this, too. */
+	    crv = pk11_forceAttribute(key,CKA_DERIVE,&cktrue,sizeof(CK_BBOOL));
+	    if (crv != CKR_OK) break;
+	}
+	break;
+      }
+
+    case CKM_TLS_KEY_AND_MAC_DERIVE:
+	isTLS = PR_TRUE;
+	/* fall thru */
+    case CKM_SSL3_KEY_AND_MAC_DERIVE:
+      {
+	CK_SSL3_KEY_MAT_PARAMS *ssl3_keys;
+	CK_SSL3_KEY_MAT_OUT *   ssl3_keys_out;
+	CK_ULONG                effKeySize;
+
+	crv = pk11_DeriveSensitiveCheck(sourceKey,key);
+	if (crv != CKR_OK) break;
+
+	if (att->attrib.ulValueLen != SSL3_MASTER_SECRET_LENGTH) {
+	    crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
+	    break;
+	}
+	att2 = pk11_FindAttribute(sourceKey,CKA_KEY_TYPE);
+	if ((att2 == NULL) || (*(CK_KEY_TYPE *)att2->attrib.pValue !=
+					CKK_GENERIC_SECRET)) {
+	    if (att2) pk11_FreeAttribute(att2);
+	    crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
+	    break;
+	}
+	pk11_FreeAttribute(att2);
+	md5 = MD5_NewContext();
+	if (md5 == NULL) { 
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	sha = SHA1_NewContext();
+	if (sha == NULL) { 
+	    PORT_Free(md5);
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	ssl3_keys = (CK_SSL3_KEY_MAT_PARAMS *) pMechanism->pParameter;
+	/*
+	 * clear out our returned keys so we can recover on failure
+	 */
+	ssl3_keys_out = ssl3_keys->pReturnedKeyMaterial;
+	ssl3_keys_out->hClientMacSecret = CK_INVALID_HANDLE;
+	ssl3_keys_out->hServerMacSecret = CK_INVALID_HANDLE;
+	ssl3_keys_out->hClientKey       = CK_INVALID_HANDLE;
+	ssl3_keys_out->hServerKey       = CK_INVALID_HANDLE;
+
+	/*
+	 * generate the key material: This looks amazingly similar to the
+	 * PMS code, and is clearly crying out for a function to provide it.
+	 */
+	if (isTLS) {
+	    SECStatus     status;
+	    SECItem       master = { siBuffer, NULL, 0 };
+	    SECItem       srcr   = { siBuffer, NULL, 0 };
+	    SECItem       keyblk = { siBuffer, NULL, 0 };
+	    unsigned char srcrdata[SSL3_RANDOM_LENGTH * 2];
+
+	    master.data = (unsigned char*)att->attrib.pValue;
+	    master.len  = att->attrib.ulValueLen;
+	    srcr.data   = srcrdata;
+	    srcr.len    = sizeof srcrdata;
+	    keyblk.data = key_block;
+	    keyblk.len  = sizeof key_block;
+
+	    PORT_Memcpy(srcrdata, 
+	                ssl3_keys->RandomInfo.pServerRandom,
+			SSL3_RANDOM_LENGTH);
+	    PORT_Memcpy(srcrdata + SSL3_RANDOM_LENGTH, 
+		        ssl3_keys->RandomInfo.pClientRandom, 
+			SSL3_RANDOM_LENGTH);
+
+	    status = pk11_PRF(&master, "key expansion", &srcr, &keyblk);
+	    if (status != SECSuccess) {
+		goto key_and_mac_derive_fail;
+	    }
+	} else {
+	    /* key_block = 
+	     *     MD5(master_secret + SHA('A' + master_secret + 
+	     *                      ServerHello.random + ClientHello.random)) +
+	     *     MD5(master_secret + SHA('BB' + master_secret + 
+	     *                      ServerHello.random + ClientHello.random)) +
+	     *     MD5(master_secret + SHA('CCC' + master_secret + 
+	     *                      ServerHello.random + ClientHello.random)) +
+	     *     [...];
+	     */
+	    for (i = 0; i < NUM_MIXERS; i++) {
+	      SHA1_Begin(sha);
+	      SHA1_Update(sha, (unsigned char*) mixers[i], strlen(mixers[i]));
+	      SHA1_Update(sha, (const unsigned char*)att->attrib.pValue, 
+			  att->attrib.ulValueLen);
+              SHA1_Update(sha, ssl3_keys->RandomInfo.pServerRandom, 
+				ssl3_keys->RandomInfo.ulServerRandomLen);
+              SHA1_Update(sha, ssl3_keys->RandomInfo.pClientRandom,
+				ssl3_keys->RandomInfo.ulClientRandomLen);
+	      SHA1_End(sha, sha_out, &outLen, SHA1_LENGTH);
+	      PORT_Assert(outLen == SHA1_LENGTH);
+	      MD5_Begin(md5);
+	      MD5_Update(md5, (const unsigned char*)att->attrib.pValue,
+			 att->attrib.ulValueLen);
+	      MD5_Update(md5, sha_out, outLen);
+	      MD5_End(md5, &key_block[i*MD5_LENGTH], &outLen, MD5_LENGTH);
+	      PORT_Assert(outLen == MD5_LENGTH);
+	    }
+	}
+
+	/*
+	 * Put the key material where it goes.
+	 */
+	i = 0;			/* now shows how much consumed */
+	macSize    = ssl3_keys->ulMacSizeInBits/8;
+	effKeySize = ssl3_keys->ulKeySizeInBits/8;
+	IVSize     = ssl3_keys->ulIVSizeInBits/8;
+	if (keySize == 0) {
+	    effKeySize = keySize;
+	}
+
+	/* 
+	 * The key_block is partitioned as follows:
+	 * client_write_MAC_secret[CipherSpec.hash_size]
+	 */
+	crv = pk11_buildSSLKey(hSession,key,PR_TRUE,&key_block[i],macSize,
+					 &ssl3_keys_out->hClientMacSecret);
+	if (crv != CKR_OK)
+	    goto key_and_mac_derive_fail;
+
+	i += macSize;
+
+	/* 
+	 * server_write_MAC_secret[CipherSpec.hash_size]
+	 */
+	crv = pk11_buildSSLKey(hSession,key,PR_TRUE,&key_block[i],macSize,
+					    &ssl3_keys_out->hServerMacSecret);
+	if (crv != CKR_OK) {
+	    goto key_and_mac_derive_fail;
+	}
+	i += macSize;
+
+	if (keySize) {
+	    if (!ssl3_keys->bIsExport) {
+		/* 
+		** Generate Domestic write keys and IVs.
+		** client_write_key[CipherSpec.key_material]
+		*/
+		crv = pk11_buildSSLKey(hSession,key,PR_FALSE,&key_block[i],
+					keySize, &ssl3_keys_out->hClientKey);
+		if (crv != CKR_OK) {
+		    goto key_and_mac_derive_fail;
+		}
+		i += keySize;
+
+		/* 
+		** server_write_key[CipherSpec.key_material]
+		*/
+		crv = pk11_buildSSLKey(hSession,key,PR_FALSE,&key_block[i],
+					keySize, &ssl3_keys_out->hServerKey);
+		if (crv != CKR_OK) {
+		    goto key_and_mac_derive_fail;
+		}
+		i += keySize;
+
+		/* 
+		** client_write_IV[CipherSpec.IV_size]
+		*/
+		PORT_Memcpy(ssl3_keys_out->pIVClient, &key_block[i], IVSize);
+		i += IVSize;
+
+		/* 
+		** server_write_IV[CipherSpec.IV_size]
+		*/
+		PORT_Memcpy(ssl3_keys_out->pIVServer, &key_block[i], IVSize);
+	    	i += IVSize;
+		PORT_Assert(i <= sizeof key_block);
+
+	    } else if (!isTLS) {
+
+		/*
+		** Generate SSL3 Export write keys and IVs.
+		** client_write_key[CipherSpec.key_material]
+		** final_client_write_key = MD5(client_write_key +
+		**                   ClientHello.random + ServerHello.random);
+		*/
+		MD5_Begin(md5);
+		MD5_Update(md5, &key_block[i], effKeySize);
+            	MD5_Update(md5, ssl3_keys->RandomInfo.pClientRandom,
+				ssl3_keys->RandomInfo.ulClientRandomLen);
+            	MD5_Update(md5, ssl3_keys->RandomInfo.pServerRandom, 
+				ssl3_keys->RandomInfo.ulServerRandomLen);
+		MD5_End(md5, key_block2, &outLen, MD5_LENGTH);
+		i += effKeySize;
+		crv = pk11_buildSSLKey(hSession,key,PR_FALSE,key_block2,
+				 	keySize,&ssl3_keys_out->hClientKey);
+		if (crv != CKR_OK) {
+		    goto key_and_mac_derive_fail;
+		}
+
+		/*
+		** server_write_key[CipherSpec.key_material]
+		** final_server_write_key = MD5(server_write_key +
+		**                    ServerHello.random + ClientHello.random);
+		*/
+		MD5_Begin(md5);
+		MD5_Update(md5, &key_block[i], effKeySize);
+            	MD5_Update(md5, ssl3_keys->RandomInfo.pServerRandom, 
+				ssl3_keys->RandomInfo.ulServerRandomLen);
+            	MD5_Update(md5, ssl3_keys->RandomInfo.pClientRandom,
+				ssl3_keys->RandomInfo.ulClientRandomLen);
+		MD5_End(md5, key_block2, &outLen, MD5_LENGTH);
+		i += effKeySize;
+		crv = pk11_buildSSLKey(hSession,key,PR_FALSE,key_block2,
+					 keySize,&ssl3_keys_out->hServerKey);
+		if (crv != CKR_OK) {
+		    goto key_and_mac_derive_fail;
+		}
+
+		/*
+		** client_write_IV = 
+		**	MD5(ClientHello.random + ServerHello.random);
+		*/
+		MD5_Begin(md5);
+            	MD5_Update(md5, ssl3_keys->RandomInfo.pClientRandom,
+				ssl3_keys->RandomInfo.ulClientRandomLen);
+            	MD5_Update(md5, ssl3_keys->RandomInfo.pServerRandom, 
+				ssl3_keys->RandomInfo.ulServerRandomLen);
+		MD5_End(md5, key_block2, &outLen, MD5_LENGTH);
+		PORT_Memcpy(ssl3_keys_out->pIVClient, key_block2, IVSize);
+
+		/*
+		** server_write_IV = 
+		**	MD5(ServerHello.random + ClientHello.random);
+		*/
+		MD5_Begin(md5);
+            	MD5_Update(md5, ssl3_keys->RandomInfo.pServerRandom, 
+				ssl3_keys->RandomInfo.ulServerRandomLen);
+            	MD5_Update(md5, ssl3_keys->RandomInfo.pClientRandom,
+				ssl3_keys->RandomInfo.ulClientRandomLen);
+		MD5_End(md5, key_block2, &outLen, MD5_LENGTH);
+		PORT_Memcpy(ssl3_keys_out->pIVServer, key_block2, IVSize);
+
+	    } else {
+
+		/*
+		** Generate TLS Export write keys and IVs.
+		*/
+		SECStatus     status;
+		SECItem       secret = { siBuffer, NULL, 0 };
+		SECItem       crsr   = { siBuffer, NULL, 0 };
+		SECItem       keyblk = { siBuffer, NULL, 0 };
+		unsigned char crsrdata[SSL3_RANDOM_LENGTH * 2];
+
+		crsr.data   = crsrdata;
+		crsr.len    = sizeof crsrdata;
+
+		PORT_Memcpy(crsrdata, 
+		            ssl3_keys->RandomInfo.pClientRandom, 
+			    SSL3_RANDOM_LENGTH);
+		PORT_Memcpy(crsrdata + SSL3_RANDOM_LENGTH, 
+			    ssl3_keys->RandomInfo.pServerRandom,
+			    SSL3_RANDOM_LENGTH);
+
+
+		/*
+		** client_write_key[CipherSpec.key_material]
+		** final_client_write_key = PRF(client_write_key, 
+		**                              "client write key",
+		**                              client_random + server_random);
+		*/
+		secret.data = &key_block[i];
+		secret.len  = effKeySize;
+		i          += effKeySize;
+		keyblk.data = key_block2;
+		keyblk.len  = sizeof key_block2;
+		status = pk11_PRF(&secret, "client write key", &crsr, &keyblk);
+		if (status != SECSuccess) {
+		    goto key_and_mac_derive_fail;
+		}
+		crv = pk11_buildSSLKey(hSession, key, PR_FALSE, key_block2, 
+				       keySize, &ssl3_keys_out->hClientKey);
+		if (crv != CKR_OK) {
+		    goto key_and_mac_derive_fail;
+		}
+
+		/*
+		** server_write_key[CipherSpec.key_material]
+		** final_server_write_key = PRF(server_write_key,
+		**                              "server write key",
+		**                              client_random + server_random);
+		*/
+		secret.data = &key_block[i];
+		secret.len  = effKeySize;
+		i          += effKeySize;
+		keyblk.data = key_block2;
+		keyblk.len  = sizeof key_block2;
+		status = pk11_PRF(&secret, "server write key", &crsr, &keyblk);
+		if (status != SECSuccess) {
+		    goto key_and_mac_derive_fail;
+		}
+		crv = pk11_buildSSLKey(hSession, key, PR_FALSE, key_block2, 
+				       keySize, &ssl3_keys_out->hServerKey);
+		if (crv != CKR_OK) {
+		    goto key_and_mac_derive_fail;
+		}
+
+		/*
+		** iv_block = PRF("", "IV block", 
+		**                    client_random + server_random);
+		** client_write_IV[SecurityParameters.IV_size]
+		** server_write_IV[SecurityParameters.IV_size]
+		*/
+		if (IVSize) {
+		    secret.data = NULL;
+		    secret.len  = 0;
+		    keyblk.data = &key_block[i];
+		    keyblk.len  = 2 * IVSize;
+		    status = pk11_PRF(&secret, "IV block", &crsr, &keyblk);
+		    if (status != SECSuccess) {
+			goto key_and_mac_derive_fail;
+		    }
+		    PORT_Memcpy(ssl3_keys_out->pIVClient, keyblk.data, IVSize);
+		    PORT_Memcpy(ssl3_keys_out->pIVServer, keyblk.data + IVSize,
+                                IVSize);
+		}
+	    }
+	}
+
+	crv = CKR_OK;
+
+	if (0) {
+key_and_mac_derive_fail:
+	    if (crv == CKR_OK)
+	    	crv = CKR_FUNCTION_FAILED;
+	    pk11_freeSSLKeys(hSession, ssl3_keys_out);
+	}
+	MD5_DestroyContext(md5, PR_TRUE);
+	SHA1_DestroyContext(sha, PR_TRUE);
+	pk11_FreeObject(key);
+	key = NULL;
+	break;
+      }
+
+    case CKM_CONCATENATE_BASE_AND_KEY:
+      {
+	PK11Object *newKey;
+
+	crv = pk11_DeriveSensitiveCheck(sourceKey,key);
+	if (crv != CKR_OK) break;
+
+	session = pk11_SessionFromHandle(hSession);
+	if (session == NULL) {
+            crv = CKR_SESSION_HANDLE_INVALID;
+	    break;
+    	}
+
+	newKey = pk11_ObjectFromHandle(*(CK_OBJECT_HANDLE *)
+					pMechanism->pParameter,session);
+	pk11_FreeSession(session);
+	if ( newKey == NULL) {
+            crv = CKR_KEY_HANDLE_INVALID;
+	    break;
+	}
+
+	if (pk11_isTrue(newKey,CKA_SENSITIVE)) {
+	    crv = pk11_forceAttribute(newKey,CKA_SENSITIVE,&cktrue,
+							sizeof(CK_BBOOL));
+	    if (crv != CKR_OK) {
+		pk11_FreeObject(newKey);
+		break;
+	    }
+	}
+
+	att2 = pk11_FindAttribute(newKey,CKA_VALUE);
+	if (att2 == NULL) {
+	    pk11_FreeObject(newKey);
+            crv = CKR_KEY_HANDLE_INVALID;
+	    break;
+	}
+	tmpKeySize = att->attrib.ulValueLen+att2->attrib.ulValueLen;
+	if (keySize == 0) keySize = tmpKeySize;
+	if (keySize > tmpKeySize) {
+	    pk11_FreeObject(newKey);
+	    pk11_FreeAttribute(att2);
+	    crv = CKR_TEMPLATE_INCONSISTENT;
+	    break;
+	}
+	buf = (unsigned char*)PORT_Alloc(tmpKeySize);
+	if (buf == NULL) {
+	    pk11_FreeAttribute(att2);
+	    pk11_FreeObject(newKey);
+	    crv = CKR_HOST_MEMORY;	
+	    break;
+	}
+
+	PORT_Memcpy(buf,att->attrib.pValue,att->attrib.ulValueLen);
+	PORT_Memcpy(buf+att->attrib.ulValueLen,
+				att2->attrib.pValue,att2->attrib.ulValueLen);
+
+	crv = pk11_forceAttribute (key,CKA_VALUE,buf,keySize);
+	PORT_ZFree(buf,tmpKeySize);
+	pk11_FreeAttribute(att2);
+	pk11_FreeObject(newKey);
+	break;
+      }
+
+    case CKM_CONCATENATE_BASE_AND_DATA:
+	stringPtr = (CK_KEY_DERIVATION_STRING_DATA *) pMechanism->pParameter;
+	tmpKeySize = att->attrib.ulValueLen+stringPtr->ulLen;
+	if (keySize == 0) keySize = tmpKeySize;
+	if (keySize > tmpKeySize) {
+	    crv = CKR_TEMPLATE_INCONSISTENT;
+	    break;
+	}
+	buf = (unsigned char*)PORT_Alloc(tmpKeySize);
+	if (buf == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+
+	PORT_Memcpy(buf,att->attrib.pValue,att->attrib.ulValueLen);
+	PORT_Memcpy(buf+att->attrib.ulValueLen,stringPtr->pData,
+							stringPtr->ulLen);
+
+	crv = pk11_forceAttribute (key,CKA_VALUE,buf,keySize);
+	PORT_ZFree(buf,tmpKeySize);
+	break;
+    case CKM_CONCATENATE_DATA_AND_BASE:
+	stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter;
+	tmpKeySize = att->attrib.ulValueLen+stringPtr->ulLen;
+	if (keySize == 0) keySize = tmpKeySize;
+	if (keySize > tmpKeySize) {
+	    crv = CKR_TEMPLATE_INCONSISTENT;
+	    break;
+	}
+	buf = (unsigned char*)PORT_Alloc(tmpKeySize);
+	if (buf == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+
+	PORT_Memcpy(buf,stringPtr->pData,stringPtr->ulLen);
+	PORT_Memcpy(buf+stringPtr->ulLen,att->attrib.pValue,
+							att->attrib.ulValueLen);
+
+	crv = pk11_forceAttribute (key,CKA_VALUE,buf,keySize);
+	PORT_ZFree(buf,tmpKeySize);
+	break;
+    case CKM_XOR_BASE_AND_DATA:
+	stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter;
+	tmpKeySize = PR_MIN(att->attrib.ulValueLen,stringPtr->ulLen);
+	if (keySize == 0) keySize = tmpKeySize;
+	if (keySize > tmpKeySize) {
+	    crv = CKR_TEMPLATE_INCONSISTENT;
+	    break;
+	}
+	buf = (unsigned char*)PORT_Alloc(keySize);
+	if (buf == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+
+	
+	PORT_Memcpy(buf,att->attrib.pValue,keySize);
+	for (i=0; i < (int)keySize; i++) {
+	    buf[i] ^= stringPtr->pData[i];
+	}
+
+	crv = pk11_forceAttribute (key,CKA_VALUE,buf,keySize);
+	PORT_ZFree(buf,keySize);
+	break;
+
+    case CKM_EXTRACT_KEY_FROM_KEY:
+      {
+	/* the following assumes 8 bits per byte */
+	CK_ULONG extract = *(CK_EXTRACT_PARAMS *)pMechanism->pParameter;
+	CK_ULONG shift   = extract & 0x7;      /* extract mod 8 the fast way */
+	CK_ULONG offset  = extract >> 3;       /* extract div 8 the fast way */
+
+	if (keySize == 0)  {
+	    crv = CKR_TEMPLATE_INCOMPLETE;
+	    break;
+	}
+	/* make sure we have enough bits in the original key */
+	if (att->attrib.ulValueLen < 
+			(offset + keySize + ((shift != 0)? 1 :0)) ) {
+	    crv = CKR_MECHANISM_PARAM_INVALID;
+	    break;
+	}
+	buf = (unsigned char*)PORT_Alloc(keySize);
+	if (buf == NULL) {
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+
+	/* copy the bits we need into the new key */	
+	for (i=0; i < (int)keySize; i++) {
+	    unsigned char *value =
+			 ((unsigned char *)att->attrib.pValue)+offset+i;
+	    if (shift) {
+	        buf[i] = (value[0] << (shift)) | (value[1] >> (8 - shift));
+	    } else {
+		buf[i] = value[0];
+	    }
+	}
+
+	crv = pk11_forceAttribute (key,CKA_VALUE,buf,keySize);
+	PORT_ZFree(buf,keySize);
+	break;
+      }
+    case CKM_MD2_KEY_DERIVATION:
+	if (keySize == 0) keySize = MD2_LENGTH;
+	if (keySize > MD2_LENGTH) {
+	    crv = CKR_TEMPLATE_INCONSISTENT;
+	    break;
+	}
+	/* now allocate the hash contexts */
+	md2 = MD2_NewContext();
+	if (md2 == NULL) { 
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	MD2_Begin(md2);
+	MD2_Update(md2,(const unsigned char*)att->attrib.pValue,
+		   att->attrib.ulValueLen);
+	MD2_End(md2,key_block,&outLen,MD2_LENGTH);
+	MD2_DestroyContext(md2, PR_TRUE);
+
+	crv = pk11_forceAttribute (key,CKA_VALUE,key_block,keySize);
+	break;
+    case CKM_MD5_KEY_DERIVATION:
+	if (keySize == 0) keySize = MD5_LENGTH;
+	if (keySize > MD5_LENGTH) {
+	    crv = CKR_TEMPLATE_INCONSISTENT;
+	    break;
+	}
+	/* now allocate the hash contexts */
+	md5 = MD5_NewContext();
+	if (md5 == NULL) { 
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	MD5_Begin(md5);
+	MD5_Update(md5,(const unsigned char*)att->attrib.pValue,
+		   att->attrib.ulValueLen);
+	MD5_End(md5,key_block,&outLen,MD5_LENGTH);
+	MD5_DestroyContext(md5, PR_TRUE);
+
+	crv = pk11_forceAttribute (key,CKA_VALUE,key_block,keySize);
+	break;
+     case CKM_SHA1_KEY_DERIVATION:
+	if (keySize == 0) keySize = SHA1_LENGTH;
+	if (keySize > SHA1_LENGTH) {
+	    crv = CKR_TEMPLATE_INCONSISTENT;
+	    break;
+	}
+	/* now allocate the hash contexts */
+	sha = SHA1_NewContext();
+	if (sha == NULL) { 
+	    crv = CKR_HOST_MEMORY;
+	    break;
+	}
+	SHA1_Begin(sha);
+	SHA1_Update(sha,(const unsigned char*)att->attrib.pValue,
+		    att->attrib.ulValueLen);
+	SHA1_End(sha,key_block,&outLen,SHA1_LENGTH);
+	SHA1_DestroyContext(sha, PR_TRUE);
+
+	crv = pk11_forceAttribute(key,CKA_VALUE,key_block,keySize);
+	break;
+
+    case CKM_DH_PKCS_DERIVE:
+      {
+	SECItem  derived,  dhPublic;
+	SECItem  dhPrime,  dhValue;
+	/* sourceKey - values for the local existing low key */
+	/* get prime and value attributes */
+	crv = pk11_Attribute2SecItem(NULL, &dhPrime, sourceKey, CKA_PRIME); 
+	if (crv != SECSuccess) break;
+	crv = pk11_Attribute2SecItem(NULL, &dhValue, sourceKey, CKA_VALUE); 
+	if (crv != SECSuccess) {
+ 	    PORT_Free(dhPrime.data);
+	    break;
+	}
+
+	dhPublic.data = pMechanism->pParameter;
+	dhPublic.len  = pMechanism->ulParameterLen;
+
+	/* calculate private value - oct */
+	rv = DH_Derive(&dhPublic, &dhPrime, &dhValue, &derived, keySize); 
+
+	PORT_Free(dhPrime.data);
+	PORT_Free(dhValue.data);
+     
+	if (rv == SECSuccess) {
+	    pk11_forceAttribute(key, CKA_VALUE, derived.data, derived.len);
+	    PORT_ZFree(derived.data, derived.len);
+	} else
+	    crv = CKR_HOST_MEMORY;
+	    
+	break;
+      }
+
+    default:
+	crv = CKR_MECHANISM_INVALID;
+    }
+    pk11_FreeAttribute(att);
+    pk11_FreeObject(sourceKey);
+    if (crv != CKR_OK) { 
+	if (key) pk11_FreeObject(key);
+	return crv;
+    }
+
+    /* link the key object into the list */
+    if (key) {
+	PK11SessionObject *sessKey = pk11_narrowToSessionObject(key);
+	PORT_Assert(sessKey);
+	/* get the session */
+	sessKey->wasDerived = PR_TRUE;
+	session = pk11_SessionFromHandle(hSession);
+	if (session == NULL) {
+	    pk11_FreeObject(key);
+	    return CKR_HOST_MEMORY;
+	}
+
+	crv = pk11_handleObject(key,session);
+	pk11_FreeSession(session);
+	*phKey = key->handle;
+	pk11_FreeObject(key);
+    }
+    return crv;
+}
+
+
+/* NSC_GetFunctionStatus obtains an updated status of a function running 
+ * in parallel with an application. */
+CK_RV NSC_GetFunctionStatus(CK_SESSION_HANDLE hSession)
+{
+    return CKR_FUNCTION_NOT_PARALLEL;
+}
+
+/* NSC_CancelFunction cancels a function running in parallel */
+CK_RV NSC_CancelFunction(CK_SESSION_HANDLE hSession)
+{
+    return CKR_FUNCTION_NOT_PARALLEL;
+}
+
+/* NSC_GetOperationState saves the state of the cryptographic 
+ *operation in a session.
+ * NOTE: This code only works for digest functions for now. eventually need
+ * to add full flatten/resurect to our state stuff so that all types of state
+ * can be saved */
+CK_RV NSC_GetOperationState(CK_SESSION_HANDLE hSession, 
+	CK_BYTE_PTR  pOperationState, CK_ULONG_PTR pulOperationStateLen)
+{
+    PK11SessionContext *context;
+    PK11Session *session;
+    CK_RV crv;
+
+    /* make sure we're legal */
+    crv = pk11_GetContext(hSession, &context, PK11_HASH, PR_TRUE, &session);
+    if (crv != CKR_OK) return crv;
+
+    *pulOperationStateLen = context->cipherInfoLen + sizeof(CK_MECHANISM_TYPE)
+				+ sizeof(PK11ContextType);
+    if (pOperationState == NULL) {
+        pk11_FreeSession(session);
+	return CKR_OK;
+    }
+    PORT_Memcpy(pOperationState,&context->type,sizeof(PK11ContextType));
+    pOperationState += sizeof(PK11ContextType);
+    PORT_Memcpy(pOperationState,&context->currentMech,
+						sizeof(CK_MECHANISM_TYPE));
+    pOperationState += sizeof(CK_MECHANISM_TYPE);
+    PORT_Memcpy(pOperationState,context->cipherInfo,context->cipherInfoLen);
+    pk11_FreeSession(session);
+    return CKR_OK;
+}
+
+
+#define pk11_Decrement(stateSize,len) \
+	stateSize = ((stateSize) > (CK_ULONG)(len)) ? \
+				((stateSize) - (CK_ULONG)(len)) : 0;
+
+/* NSC_SetOperationState restores the state of the cryptographic 
+ * operation in a session. This is coded like it can restore lots of
+ * states, but it only works for truly flat cipher structures. */
+CK_RV NSC_SetOperationState(CK_SESSION_HANDLE hSession, 
+	CK_BYTE_PTR  pOperationState, CK_ULONG  ulOperationStateLen,
+        CK_OBJECT_HANDLE hEncryptionKey, CK_OBJECT_HANDLE hAuthenticationKey)
+{
+    PK11SessionContext *context;
+    PK11Session *session;
+    PK11ContextType type;
+    CK_MECHANISM mech;
+    CK_RV crv = CKR_OK;
+
+    while (ulOperationStateLen != 0) {
+	/* get what type of state we're dealing with... */
+	PORT_Memcpy(&type,pOperationState, sizeof(PK11ContextType));
+
+	/* fix up session contexts based on type */
+	session = pk11_SessionFromHandle(hSession);
+	if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+	context = pk11_ReturnContextByType(session, type);
+	pk11_SetContextByType(session, type, NULL);
+	if (context) { 
+	     pk11_FreeContext(context);
+	}
+	pOperationState += sizeof(PK11ContextType);
+	pk11_Decrement(ulOperationStateLen,sizeof(PK11ContextType));
+
+
+	/* get the mechanism structure */
+	PORT_Memcpy(&mech.mechanism,pOperationState,sizeof(CK_MECHANISM_TYPE));
+	pOperationState += sizeof(CK_MECHANISM_TYPE);
+	pk11_Decrement(ulOperationStateLen, sizeof(CK_MECHANISM_TYPE));
+	/* should be filled in... but not necessary for hash */
+	mech.pParameter = NULL;
+	mech.ulParameterLen = 0;
+	switch (type) {
+	case PK11_HASH:
+	    crv = NSC_DigestInit(hSession,&mech);
+	    if (crv != CKR_OK) break;
+	    crv = pk11_GetContext(hSession, &context, PK11_HASH, PR_TRUE, 
+								NULL);
+	    if (crv != CKR_OK) break;
+	    PORT_Memcpy(context->cipherInfo,pOperationState,
+						context->cipherInfoLen);
+	    pOperationState += context->cipherInfoLen;
+	    pk11_Decrement(ulOperationStateLen,context->cipherInfoLen);
+	    break;
+	default:
+	    /* do sign/encrypt/decrypt later */
+	    crv = CKR_SAVED_STATE_INVALID;
+         }
+         pk11_FreeSession(session);
+	 if (crv != CKR_OK) break;
+    }
+    return crv;
+}
+
+/* Dual-function cryptographic operations */
+
+/* NSC_DigestEncryptUpdate continues a multiple-part digesting and encryption 
+ * operation. */
+CK_RV NSC_DigestEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR  pPart,
+    CK_ULONG  ulPartLen, CK_BYTE_PTR  pEncryptedPart,
+					 CK_ULONG_PTR pulEncryptedPartLen)
+{
+    CK_RV crv;
+
+    crv = NSC_EncryptUpdate(hSession,pPart,ulPartLen, pEncryptedPart,	
+						      pulEncryptedPartLen);
+    if (crv != CKR_OK) return crv;
+    crv = NSC_DigestUpdate(hSession,pPart,ulPartLen);
+
+    return crv;
+}
+
+
+/* NSC_DecryptDigestUpdate continues a multiple-part decryption and 
+ * digesting operation. */
+CK_RV NSC_DecryptDigestUpdate(CK_SESSION_HANDLE hSession,
+    CK_BYTE_PTR  pEncryptedPart, CK_ULONG  ulEncryptedPartLen,
+    				CK_BYTE_PTR  pPart, CK_ULONG_PTR pulPartLen)
+{
+    CK_RV crv;
+
+    crv = NSC_DecryptUpdate(hSession,pEncryptedPart, ulEncryptedPartLen, 
+							pPart,	pulPartLen);
+    if (crv != CKR_OK) return crv;
+    crv = NSC_DigestUpdate(hSession,pPart,*pulPartLen);
+
+    return crv;
+}
+
+
+/* NSC_SignEncryptUpdate continues a multiple-part signing and 
+ * encryption operation. */
+CK_RV NSC_SignEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR  pPart,
+	 CK_ULONG  ulPartLen, CK_BYTE_PTR  pEncryptedPart,
+					 CK_ULONG_PTR pulEncryptedPartLen)
+{
+    CK_RV crv;
+
+    crv = NSC_EncryptUpdate(hSession,pPart,ulPartLen, pEncryptedPart,	
+						      pulEncryptedPartLen);
+    if (crv != CKR_OK) return crv;
+    crv = NSC_SignUpdate(hSession,pPart,ulPartLen);
+
+    return crv;
+}
+
+
+/* NSC_DecryptVerifyUpdate continues a multiple-part decryption 
+ * and verify operation. */
+CK_RV NSC_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession, 
+	CK_BYTE_PTR  pEncryptedData, CK_ULONG  ulEncryptedDataLen, 
+				CK_BYTE_PTR  pData, CK_ULONG_PTR pulDataLen)
+{
+    CK_RV crv;
+
+    crv = NSC_DecryptUpdate(hSession,pEncryptedData, ulEncryptedDataLen, 
+							pData,	pulDataLen);
+    if (crv != CKR_OK) return crv;
+    crv = NSC_VerifyUpdate(hSession, pData, *pulDataLen);
+
+    return crv;
+}
+
+/* NSC_DigestKey continues a multi-part message-digesting operation,
+ * by digesting the value of a secret key as part of the data already digested.
+ */
+CK_RV NSC_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey) 
+{
+    PK11Session *session = NULL;
+    PK11Object *key = NULL;
+    PK11Attribute *att;
+    CK_RV crv;
+
+    session = pk11_SessionFromHandle(hSession);
+    if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
+
+    key = pk11_ObjectFromHandle(hKey,session);
+    pk11_FreeSession(session);
+    if (key == NULL)  return CKR_KEY_HANDLE_INVALID;
+
+    /* PUT ANY DIGEST KEY RESTRICTION CHECKS HERE */
+
+    /* make sure it's a valid  key for this operation */
+    if (key->objclass != CKO_SECRET_KEY) {
+	pk11_FreeObject(key);
+	return CKR_KEY_TYPE_INCONSISTENT;
+    }
+    /* get the key value */
+    att = pk11_FindAttribute(key,CKA_VALUE);
+    pk11_FreeObject(key);
+
+    crv = NSC_DigestUpdate(hSession,(CK_BYTE_PTR)att->attrib.pValue,
+			   att->attrib.ulValueLen);
+    pk11_FreeAttribute(att);
+    return crv;
+}
diff --git a/security/nss/lib/softoken/pkcs11f.h b/security/nss/lib/softoken/pkcs11f.h
new file mode 100644
index 000000000..70d34da5e
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11f.h
@@ -0,0 +1,934 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
+ * is granted provided that it is identified as "RSA Security In.c Public-Key
+ * Cryptography Standards (PKCS)" in all material mentioning or referencing
+ * this document.
+ */
+/* This function contains pretty much everything about all the */
+/* PKCS #11  function prototypes.  Because this information is */
+/* used for more than just declaring function prototypes, the */
+/* order of the functions appearing herein is important, and */
+/* should not be altered. */
+
+
+
+/* General-purpose */
+
+/* C_Initialize initializes the PKCS #11 library. */
+CK_PKCS11_FUNCTION_INFO(C_Initialize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_VOID_PTR   pInitArgs  /* if this is not NULL_PTR, it gets
+                            * cast to CK_C_INITIALIZE_ARGS_PTR
+                            * and dereferenced */
+);
+#endif
+
+
+/* C_Finalize indicates that an application is done with the
+ * PKCS #11 library. */
+CK_PKCS11_FUNCTION_INFO(C_Finalize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_VOID_PTR   pReserved  /* reserved.  Should be NULL_PTR */
+);
+#endif
+
+
+/* C_GetInfo returns general information about PKCS #11. */
+CK_PKCS11_FUNCTION_INFO(C_GetInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_INFO_PTR   pInfo  /* location that receives information */
+);
+#endif
+
+
+/* C_GetFunctionList returns the function list. */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList  /* receives pointer to
+                                            * function list */
+);
+#endif
+
+
+
+/* Slot and token management */
+
+/* C_GetSlotList obtains a list of slots in the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_BBOOL       tokenPresent,  /* only slots with tokens? */
+  CK_SLOT_ID_PTR pSlotList,     /* receives array of slot IDs */
+  CK_ULONG_PTR   pulCount       /* receives number of slots */
+);
+#endif
+
+
+/* C_GetSlotInfo obtains information about a particular slot in
+ * the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID       slotID,  /* the ID of the slot */
+  CK_SLOT_INFO_PTR pInfo    /* receives the slot information */
+);
+#endif
+
+
+/* C_GetTokenInfo obtains information about a particular token
+ * in the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID        slotID,  /* ID of the token's slot */
+  CK_TOKEN_INFO_PTR pInfo    /* receives the token information */
+);
+#endif
+
+
+/* C_GetMechanismList obtains a list of mechanism types
+ * supported by a token. */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,          /* ID of token's slot */
+  CK_MECHANISM_TYPE_PTR pMechanismList,  /* gets mech. array */
+  CK_ULONG_PTR          pulCount         /* gets # of mechs. */
+);
+#endif
+
+
+/* C_GetMechanismInfo obtains information about a particular
+ * mechanism possibly supported by a token. */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,  /* ID of the token's slot */
+  CK_MECHANISM_TYPE     type,    /* type of mechanism */
+  CK_MECHANISM_INFO_PTR pInfo    /* receives mechanism info */
+);
+#endif
+
+
+/* C_InitToken initializes a token. */
+CK_PKCS11_FUNCTION_INFO(C_InitToken)
+#ifdef CK_NEED_ARG_LIST
+(
+/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
+  CK_SLOT_ID         slotID,    /* ID of the token's slot */
+  CK_CHAR_PTR        pPin,      /* the SO's initial PIN */
+  CK_ULONG           ulPinLen,  /* length in bytes of the PIN */
+  CK_UTF8CHAR_PTR    pLabel     /* 32-byte token label (blank padded) */
+);
+#endif
+
+
+/* C_InitPIN initializes the normal user's PIN. */
+CK_PKCS11_FUNCTION_INFO(C_InitPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_CHAR_PTR       pPin,      /* the normal user's PIN */
+  CK_ULONG          ulPinLen   /* length in bytes of the PIN */
+);
+#endif
+
+
+/* C_SetPIN modifies the PIN of the user who is logged in. */
+CK_PKCS11_FUNCTION_INFO(C_SetPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_CHAR_PTR       pOldPin,   /* the old PIN */
+  CK_ULONG          ulOldLen,  /* length of the old PIN */
+  CK_CHAR_PTR       pNewPin,   /* the new PIN */
+  CK_ULONG          ulNewLen   /* length of the new PIN */
+);
+#endif
+
+
+
+/* Session management */
+
+/* C_OpenSession opens a session between an application and a
+ * token. */
+CK_PKCS11_FUNCTION_INFO(C_OpenSession)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,        /* the slot's ID */
+  CK_FLAGS              flags,         /* from CK_SESSION_INFO */
+  CK_VOID_PTR           pApplication,  /* passed to callback */
+  CK_NOTIFY             Notify,        /* callback function */
+  CK_SESSION_HANDLE_PTR phSession      /* gets session handle */
+);
+#endif
+
+
+/* C_CloseSession closes a session between an application and a
+ * token. */
+CK_PKCS11_FUNCTION_INFO(C_CloseSession)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+/* C_CloseAllSessions closes all sessions with a token. */
+CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID     slotID  /* the token's slot */
+);
+#endif
+
+
+/* C_GetSessionInfo obtains information about the session. */
+CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE   hSession,  /* the session's handle */
+  CK_SESSION_INFO_PTR pInfo      /* receives session info */
+);
+#endif
+
+
+/* C_GetOperationState obtains the state of the cryptographic operation
+ * in a session. */
+CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,             /* session's handle */
+  CK_BYTE_PTR       pOperationState,      /* gets state */
+  CK_ULONG_PTR      pulOperationStateLen  /* gets state length */
+);
+#endif
+
+
+/* C_SetOperationState restores the state of the cryptographic
+ * operation in a session. */
+CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR      pOperationState,      /* holds state */
+  CK_ULONG         ulOperationStateLen,  /* holds state length */
+  CK_OBJECT_HANDLE hEncryptionKey,       /* en/decryption key */
+  CK_OBJECT_HANDLE hAuthenticationKey    /* sign/verify key */
+);
+#endif
+
+
+/* C_Login logs a user into a token. */
+CK_PKCS11_FUNCTION_INFO(C_Login)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_USER_TYPE      userType,  /* the user type */
+  CK_CHAR_PTR       pPin,      /* the user's PIN */
+  CK_ULONG          ulPinLen   /* the length of the PIN */
+);
+#endif
+
+
+/* C_Logout logs a user out from a token. */
+CK_PKCS11_FUNCTION_INFO(C_Logout)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Object management */
+
+/* C_CreateObject creates a new object. */
+CK_PKCS11_FUNCTION_INFO(C_CreateObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,   /* the object's template */
+  CK_ULONG          ulCount,     /* attributes in template */
+  CK_OBJECT_HANDLE_PTR phObject  /* gets new object's handle. */
+);
+#endif
+
+
+/* C_CopyObject copies an object, creating a new object for the
+ * copy. */
+CK_PKCS11_FUNCTION_INFO(C_CopyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,    /* the session's handle */
+  CK_OBJECT_HANDLE     hObject,     /* the object's handle */
+  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new object */
+  CK_ULONG             ulCount,     /* attributes in template */
+  CK_OBJECT_HANDLE_PTR phNewObject  /* receives handle of copy */
+);
+#endif
+
+
+/* C_DestroyObject destroys an object. */
+CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hObject    /* the object's handle */
+);
+#endif
+
+
+/* C_GetObjectSize gets the size of an object in bytes. */
+CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,   /* the object's handle */
+  CK_ULONG_PTR      pulSize    /* receives size of object */
+);
+#endif
+
+
+/* C_GetAttributeValue obtains the value of one or more object
+ * attributes. */
+CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs; gets vals */
+  CK_ULONG          ulCount     /* attributes in template */
+);
+#endif
+
+
+/* C_SetAttributeValue modifies the value of one or more object
+ * attributes */
+CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs and values */
+  CK_ULONG          ulCount     /* attributes in template */
+);
+#endif
+
+
+/* C_FindObjectsInit initializes a search for token and session
+ * objects that match a template. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* attribute values to match */
+  CK_ULONG          ulCount     /* attrs in search template */
+);
+#endif
+
+
+/* C_FindObjects continues a search for token and session
+ * objects that match a template, obtaining additional object
+ * handles. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjects)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE    hSession,          /* session's handle */
+ CK_OBJECT_HANDLE_PTR phObject,          /* gets obj. handles */
+ CK_ULONG             ulMaxObjectCount,  /* max handles to get */
+ CK_ULONG_PTR         pulObjectCount     /* actual # returned */
+);
+#endif
+
+
+/* C_FindObjectsFinal finishes a search for token and session
+ * objects. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Encryption and decryption */
+
+/* C_EncryptInit initializes an encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the encryption mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of encryption key */
+);
+#endif
+
+
+/* C_Encrypt encrypts single-part data. */
+CK_PKCS11_FUNCTION_INFO(C_Encrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pData,               /* the plaintext data */
+  CK_ULONG          ulDataLen,           /* bytes of plaintext */
+  CK_BYTE_PTR       pEncryptedData,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedDataLen  /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptUpdate continues a multiple-part encryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,           /* session's handle */
+  CK_BYTE_PTR       pPart,              /* the plaintext data */
+  CK_ULONG          ulPartLen,          /* plaintext data len */
+  CK_BYTE_PTR       pEncryptedPart,     /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptFinal finishes a multiple-part encryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,                /* session handle */
+  CK_BYTE_PTR       pLastEncryptedPart,      /* last c-text */
+  CK_ULONG_PTR      pulLastEncryptedPartLen  /* gets last size */
+);
+#endif
+
+
+/* C_DecryptInit initializes a decryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the decryption mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of decryption key */
+);
+#endif
+
+
+/* C_Decrypt decrypts encrypted data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Decrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,           /* session's handle */
+  CK_BYTE_PTR       pEncryptedData,     /* ciphertext */
+  CK_ULONG          ulEncryptedDataLen, /* ciphertext length */
+  CK_BYTE_PTR       pData,              /* gets plaintext */
+  CK_ULONG_PTR      pulDataLen          /* gets p-text size */
+);
+#endif
+
+
+/* C_DecryptUpdate continues a multiple-part decryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* encrypted data */
+  CK_ULONG          ulEncryptedPartLen,  /* input length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* p-text size */
+);
+#endif
+
+
+/* C_DecryptFinal finishes a multiple-part decryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pLastPart,      /* gets plaintext */
+  CK_ULONG_PTR      pulLastPartLen  /* p-text size */
+);
+#endif
+
+
+
+/* Message digesting */
+
+/* C_DigestInit initializes a message-digesting operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism  /* the digesting mechanism */
+);
+#endif
+
+
+/* C_Digest digests data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Digest)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_BYTE_PTR       pData,        /* data to be digested */
+  CK_ULONG          ulDataLen,    /* bytes of data to digest */
+  CK_BYTE_PTR       pDigest,      /* gets the message digest */
+  CK_ULONG_PTR      pulDigestLen  /* gets digest length */
+);
+#endif
+
+
+/* C_DigestUpdate continues a multiple-part message-digesting
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* data to be digested */
+  CK_ULONG          ulPartLen  /* bytes of data to be digested */
+);
+#endif
+
+
+/* C_DigestKey continues a multi-part message-digesting
+ * operation, by digesting the value of a secret key as part of
+ * the data already digested. */
+CK_PKCS11_FUNCTION_INFO(C_DigestKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hKey       /* secret key to digest */
+);
+#endif
+
+
+/* C_DigestFinal finishes a multiple-part message-digesting
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_BYTE_PTR       pDigest,      /* gets the message digest */
+  CK_ULONG_PTR      pulDigestLen  /* gets byte count of digest */
+);
+#endif
+
+
+
+/* Signing and MACing */
+
+/* C_SignInit initializes a signature (private key encryption)
+ * operation, where the signature is (will be) an appendix to
+ * the data, and plaintext cannot be recovered from the
+ *signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the signature mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of signature key */
+);
+#endif
+
+
+/* C_Sign signs (encrypts with private key) data in a single
+ * part, where the signature is (will be) an appendix to the
+ * data, and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_Sign)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pData,           /* the data to sign */
+  CK_ULONG          ulDataLen,       /* count of bytes to sign */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+/* C_SignUpdate continues a multiple-part signature operation,
+ * where the signature is (will be) an appendix to the data, 
+ * and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* the data to sign */
+  CK_ULONG          ulPartLen  /* count of bytes to sign */
+);
+#endif
+
+
+/* C_SignFinal finishes a multiple-part signature operation, 
+ * returning the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+/* C_SignRecoverInit initializes a signature operation, where
+ * the data can be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism, /* the signature mechanism */
+  CK_OBJECT_HANDLE  hKey        /* handle of the signature key */
+);
+#endif
+
+
+/* C_SignRecover signs data in a single operation, where the
+ * data can be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pData,           /* the data to sign */
+  CK_ULONG          ulDataLen,       /* count of bytes to sign */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+
+/* Verifying signatures and MACs */
+
+/* C_VerifyInit initializes a verification operation, where the
+ * signature is an appendix to the data, and plaintext cannot
+ *  cannot be recovered from the signature (e.g. DSA). */
+CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
+  CK_OBJECT_HANDLE  hKey         /* verification key */ 
+);
+#endif
+
+
+/* C_Verify verifies a signature in a single-part operation, 
+ * where the signature is an appendix to the data, and plaintext
+ * cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_Verify)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pData,          /* signed data */
+  CK_ULONG          ulDataLen,      /* length of signed data */
+  CK_BYTE_PTR       pSignature,     /* signature */
+  CK_ULONG          ulSignatureLen  /* signature length*/
+);
+#endif
+
+
+/* C_VerifyUpdate continues a multiple-part verification
+ * operation, where the signature is an appendix to the data, 
+ * and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* signed data */
+  CK_ULONG          ulPartLen  /* length of signed data */
+);
+#endif
+
+
+/* C_VerifyFinal finishes a multiple-part verification
+ * operation, checking the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pSignature,     /* signature to verify */
+  CK_ULONG          ulSignatureLen  /* signature length */
+);
+#endif
+
+
+/* C_VerifyRecoverInit initializes a signature verification
+ * operation, where the data is recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
+  CK_OBJECT_HANDLE  hKey         /* verification key */
+);
+#endif
+
+
+/* C_VerifyRecover verifies a signature in a single-part
+ * operation, where the data is recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pSignature,      /* signature to verify */
+  CK_ULONG          ulSignatureLen,  /* signature length */
+  CK_BYTE_PTR       pData,           /* gets signed data */
+  CK_ULONG_PTR      pulDataLen       /* gets signed data len */
+);
+#endif
+
+
+
+/* Dual-function cryptographic operations */
+
+/* C_DigestEncryptUpdate continues a multiple-part digesting
+ * and encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pPart,               /* the plaintext data */
+  CK_ULONG          ulPartLen,           /* plaintext length */
+  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptDigestUpdate continues a multiple-part decryption and
+ * digesting operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
+  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* gets plaintext len */
+);
+#endif
+
+
+/* C_SignEncryptUpdate continues a multiple-part signing and
+ * encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pPart,               /* the plaintext data */
+  CK_ULONG          ulPartLen,           /* plaintext length */
+  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptVerifyUpdate continues a multiple-part decryption and
+ * verify operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
+  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* gets p-text length */
+);
+#endif
+
+
+
+/* Key management */
+
+/* C_GenerateKey generates a secret key, creating a new key
+ * object. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,    /* the session's handle */
+  CK_MECHANISM_PTR     pMechanism,  /* key generation mech. */
+  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new key */
+  CK_ULONG             ulCount,     /* # of attrs in template */
+  CK_OBJECT_HANDLE_PTR phKey        /* gets handle of new key */
+);
+#endif
+
+
+/* C_GenerateKeyPair generates a public-key/private-key pair, 
+ * creating new key objects. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,                    /* session
+                                                     * handle */
+  CK_MECHANISM_PTR     pMechanism,                  /* key-gen
+                                                     * mech. */
+  CK_ATTRIBUTE_PTR     pPublicKeyTemplate,          /* template
+                                                     * for pub.
+                                                     * key */
+  CK_ULONG             ulPublicKeyAttributeCount,   /* # pub.
+                                                     * attrs. */
+  CK_ATTRIBUTE_PTR     pPrivateKeyTemplate,         /* template
+                                                     * for priv.
+                                                     * key */
+  CK_ULONG             ulPrivateKeyAttributeCount,  /* # priv.
+                                                     * attrs. */
+  CK_OBJECT_HANDLE_PTR phPublicKey,                 /* gets pub.
+                                                     * key
+                                                     * handle */
+  CK_OBJECT_HANDLE_PTR phPrivateKey                 /* gets
+                                                     * priv. key
+                                                     * handle */
+);
+#endif
+
+
+/* C_WrapKey wraps (i.e., encrypts) a key. */
+CK_PKCS11_FUNCTION_INFO(C_WrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,      /* the wrapping mechanism */
+  CK_OBJECT_HANDLE  hWrappingKey,    /* wrapping key */
+  CK_OBJECT_HANDLE  hKey,            /* key to be wrapped */
+  CK_BYTE_PTR       pWrappedKey,     /* gets wrapped key */
+  CK_ULONG_PTR      pulWrappedKeyLen /* gets wrapped key size */
+);
+#endif
+
+
+/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
+ * key object. */
+CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,          /* session's handle */
+  CK_MECHANISM_PTR     pMechanism,        /* unwrapping mech. */
+  CK_OBJECT_HANDLE     hUnwrappingKey,    /* unwrapping key */
+  CK_BYTE_PTR          pWrappedKey,       /* the wrapped key */
+  CK_ULONG             ulWrappedKeyLen,   /* wrapped key len */
+  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
+  CK_ULONG             ulAttributeCount,  /* template length */
+  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
+);
+#endif
+
+
+/* C_DeriveKey derives a key from a base key, creating a new key
+ * object. */
+CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,          /* session's handle */
+  CK_MECHANISM_PTR     pMechanism,        /* key deriv. mech. */
+  CK_OBJECT_HANDLE     hBaseKey,          /* base key */
+  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
+  CK_ULONG             ulAttributeCount,  /* template length */
+  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
+);
+#endif
+
+
+
+/* Random number generation */
+
+/* C_SeedRandom mixes additional seed material into the token's
+ * random number generator. */
+CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pSeed,     /* the seed material */
+  CK_ULONG          ulSeedLen  /* length of seed material */
+);
+#endif
+
+
+/* C_GenerateRandom generates random data. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_BYTE_PTR       RandomData,  /* receives the random data */
+  CK_ULONG          ulRandomLen  /* # of bytes to generate */
+);
+#endif
+
+
+
+/* Parallel function management */
+
+/* C_GetFunctionStatus is a legacy function; it obtains an
+ * updated status of a function running in parallel with an
+ * application. */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+/* C_CancelFunction is a legacy function; it cancels a function
+ * running in parallel. */
+CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Functions added in for PKCS #11 Version 2.01 or later */
+
+/* C_WaitForSlotEvent waits for a slot event (token insertion,
+ * removal, etc.) to occur. */
+CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_FLAGS flags,        /* blocking/nonblocking flag */
+  CK_SLOT_ID_PTR pSlot,  /* location that receives the slot ID */
+  CK_VOID_PTR pRserved   /* reserved.  Should be NULL_PTR */
+);
+#endif
diff --git a/security/nss/lib/softoken/pkcs11i.h b/security/nss/lib/softoken/pkcs11i.h
new file mode 100644
index 000000000..391f2f152
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11i.h
@@ -0,0 +1,646 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * Internal data structures and functions used by pkcs11.c
+ */
+#ifndef _PKCS11I_H_
+#define _PKCS11I_H_ 1
+
+#include "nssilock.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "lowkeyti.h"
+#include "pkcs11t.h"
+#include "pcertt.h"
+
+
+/* 
+ * Configuration Defines 
+ *
+ * The following defines affect the space verse speed trade offs of
+ * the PKCS #11 module. For the most part the current settings are optimized
+ * for web servers, where we want faster speed and lower lock contention at
+ * the expense of space.
+ */
+
+#define PKCS11_USE_THREADS	/* set to true of you are need threads */
+/* 
+ *  Attribute Allocation strategy:
+ *
+ * 1) static allocation (PKCS11_STATIC_ATTRIBUTES set
+ *			 PKCS11_REF_COUNT_ATTRIBUTES not set)
+ *   Attributes are pre-allocated as part of the session object and used from
+ *   the object array.
+ *
+ * 2) heap allocation with ref counting (PKCS11_STATIC_ATTRIBUTES not set
+ *			 		PKCS11_REF_COUNT_ATTRIBUTES set)
+ *   Attributes are allocated from the heap when needed and freed when their
+ *   reference count goes to zero.
+ *
+ * 3) arena allocation (PKCS11_STATIC_ATTRIBUTES  not set
+ *			 PKCS11_REF_COUNT_ATTRIBUTE not set)
+ *   Attributes are allocated from the arena when needed and freed only when
+ *   the object goes away.
+ */
+#define PKCS11_STATIC_ATTRIBUTES	
+/*#define   PKCS11_REF_COUNT_ATTRIBUTES		 */
+/* the next two are only active if PKCS11_STATIC_ATTRIBUTES is set */
+#define MAX_OBJS_ATTRS 45	/* number of attributes to preallocate in
+				 * the object (must me the absolute max) */
+#define ATTR_SPACE 50  		/* Maximum size of attribute data before extra
+				 * data needs to be allocated. This is set to
+				 * enough space to hold an SSL MASTER secret */
+
+#define NSC_STRICT      PR_FALSE  /* forces the code to do strict template
+				   * matching when doing C_FindObject on token
+				   * objects. This will slow down search in
+				   * NSS. */
+/* default search block allocations and increments */
+#define NSC_CERT_BLOCK_SIZE     50
+#define NSC_SEARCH_BLOCK_SIZE   5 
+#define NSC_SLOT_LIST_BLOCK_SIZE 10
+
+/* these are data base storage hashes, not cryptographic hashes.. The define
+ * the effective size of the various object hash tables */
+#ifdef MOZ_CLIENT
+/* clients care more about memory usage than lookup performance on
+ * cyrptographic objects. Clients also have less objects around to play with 
+ *
+ * we eventually should make this configurable at runtime! Especially now that
+ * NSS is a shared library.
+ */
+#define ATTRIBUTE_HASH_SIZE 32 
+#define SESSION_OBJECT_HASH_SIZE 16
+#define TOKEN_OBJECT_HASH_SIZE 32
+#define SESSION_HASH_SIZE 32
+#else
+#define ATTRIBUTE_HASH_SIZE 32
+#define SESSION_OBJECT_HASH_SIZE 32
+#define TOKEN_OBJECT_HASH_SIZE 1024
+#define SESSION_HASH_SIZE 1024
+#define MAX_OBJECT_LIST_SIZE 800  /* how many objects to keep on the free list
+				   * before we start freeing them */
+#endif
+#define MAX_KEY_LEN 256
+
+/*
+ * LOG2_BUCKETS_PER_SESSION_LOCK must be a prime number.
+ * With SESSION_HASH_SIZE=1024, LOG2 can be 9, 5, 1, or 0.
+ * With SESSION_HASH_SIZE=4096, LOG2 can be 11, 9, 5, 1, or 0.
+ *
+ * HASH_SIZE   LOG2_BUCKETS_PER   BUCKETS_PER_LOCK  NUMBER_OF_BUCKETS
+ * 1024        9                  512               2
+ * 1024        5                  32                32
+ * 1024        1                  2                 512
+ * 1024        0                  1                 1024
+ * 4096        11                 2048              2
+ * 4096        9                  512               8
+ * 4096        5                  32                128
+ * 4096        1                  2                 2048
+ * 4096        0                  1                 4096
+ */
+#define LOG2_BUCKETS_PER_SESSION_LOCK 1
+#define BUCKETS_PER_SESSION_LOCK (1 << (LOG2_BUCKETS_PER_SESSION_LOCK))
+#define NUMBER_OF_SESSION_LOCKS (SESSION_HASH_SIZE/BUCKETS_PER_SESSION_LOCK)
+/* NOSPREAD sessionID to hash table index macro has been slower. */
+#if 0
+#define NOSPREAD
+#endif
+
+#ifdef PKCS11_USE_THREADS
+#define PK11_USE_THREADS(x) x
+#else
+#define PK11_USE_THREADS(x) 
+#endif
+
+/* define typedefs, double as forward declarations as well */
+typedef struct PK11AttributeStr PK11Attribute;
+typedef struct PK11ObjectListStr PK11ObjectList;
+typedef struct PK11ObjectListElementStr PK11ObjectListElement;
+typedef struct PK11ObjectStr PK11Object;
+typedef struct PK11SessionObjectStr PK11SessionObject;
+typedef struct PK11TokenObjectStr PK11TokenObject;
+typedef struct PK11SessionStr PK11Session;
+typedef struct PK11SlotStr PK11Slot;
+typedef struct PK11SessionContextStr PK11SessionContext;
+typedef struct PK11SearchResultsStr PK11SearchResults;
+typedef struct PK11HashVerifyInfoStr PK11HashVerifyInfo;
+typedef struct PK11HashSignInfoStr PK11HashSignInfo;
+typedef struct PK11SSLMACInfoStr PK11SSLMACInfo;
+
+/* define function pointer typdefs for pointer tables */
+typedef void (*PK11Destroy)(void *, PRBool);
+typedef void (*PK11Begin)(void *);
+typedef SECStatus (*PK11Cipher)(void *,void *,unsigned int *,unsigned int,
+					void *, unsigned int);
+typedef SECStatus (*PK11Verify)(void *,void *,unsigned int,void *,unsigned int);
+typedef void (*PK11Hash)(void *,void *,unsigned int);
+typedef void (*PK11End)(void *,void *,unsigned int *,unsigned int);
+typedef void (*PK11Free)(void *);
+
+/* Value to tell if an attribute is modifiable or not.
+ *    NEVER: attribute is only set on creation.
+ *    ONCOPY: attribute is set on creation and can only be changed on copy.
+ *    SENSITIVE: attribute can only be changed to TRUE.
+ *    ALWAYS: attribute can always be changed.
+ */
+typedef enum {
+	PK11_NEVER = 0,
+	PK11_ONCOPY = 1,
+	PK11_SENSITIVE = 2,
+	PK11_ALWAYS = 3
+} PK11ModifyType;
+
+/*
+ * Free Status Enum... tell us more information when we think we're
+ * deleting an object.
+ */
+typedef enum {
+	PK11_DestroyFailure,
+	PK11_Destroyed,
+	PK11_Busy
+} PK11FreeStatus;
+
+/*
+ * attribute values of an object.
+ */
+struct PK11AttributeStr {
+    PK11Attribute  	*next;
+    PK11Attribute  	*prev;
+    PRBool		freeAttr;
+    PRBool		freeData;
+#ifdef PKCS11_REF_COUNT_ATTRIBUTES
+    int 		refCount;
+    PZLock 		*refLock;
+#endif
+    /*must be called handle to make pk11queue_find work */
+    CK_ATTRIBUTE_TYPE	handle;
+    CK_ATTRIBUTE 	attrib;
+#ifdef PKCS11_STATIC_ATTRIBUTES
+    unsigned char space[ATTR_SPACE];
+#endif
+};
+
+
+/*
+ * doubly link list of objects
+ */
+struct PK11ObjectListStr {
+    PK11ObjectList *next;
+    PK11ObjectList *prev;
+    PK11Object	   *parent;
+};
+
+/*
+ * PKCS 11 crypto object structure
+ */
+struct PK11ObjectStr {
+    PK11Object *next;
+    PK11Object	*prev;
+    CK_OBJECT_CLASS 	objclass;
+    CK_OBJECT_HANDLE	handle;
+    int 		refCount;
+    PZLock 		*refLock;
+    PK11Slot	   	*slot;
+    void 		*objectInfo;
+    PK11Free 		infoFree;
+#ifndef PKCS11_STATIC_ATTRIBUTES
+    PLArenaPool	*arena;
+#endif
+};
+
+struct PK11TokenObjectStr {
+    PK11Object  obj;
+    SECItem	dbKey;
+};
+
+struct PK11SessionObjectStr {
+    PK11Object	   obj;
+    PK11ObjectList sessionList;
+    PZLock		*attributeLock;
+    PK11Session   	*session;
+    PRBool		wasDerived;
+    PK11Attribute 	*head[ATTRIBUTE_HASH_SIZE];
+#ifdef PKCS11_STATIC_ATTRIBUTES
+    int nextAttr;
+    PK11Attribute	attrList[MAX_OBJS_ATTRS];
+#endif
+};
+
+/*
+ * struct to deal with a temparary list of objects
+ */
+struct PK11ObjectListElementStr {
+    PK11ObjectListElement	*next;
+    PK11Object 			*object;
+};
+
+/*
+ * Area to hold Search results
+ */
+struct PK11SearchResultsStr {
+    CK_OBJECT_HANDLE	*handles;
+    int			size;
+    int			index;
+    int			array_size;
+};
+
+
+/* 
+ * the universal crypto/hash/sign/verify context structure
+ */
+typedef enum {
+    PK11_ENCRYPT,
+    PK11_DECRYPT,
+    PK11_HASH,
+    PK11_SIGN,
+    PK11_SIGN_RECOVER,
+    PK11_VERIFY,
+    PK11_VERIFY_RECOVER
+} PK11ContextType;
+
+
+#define PK11_MAX_BLOCK_SIZE 16
+/* currently SHA1 is the biggest hash length */
+#define PK11_MAX_MAC_LENGTH 20
+#define PK11_INVALID_MAC_SIZE 0xffffffff
+
+struct PK11SessionContextStr {
+    PK11ContextType	type;
+    PRBool		multi; 		/* is multipart */
+    PRBool		doPad; 		/* use PKCS padding for block ciphers */
+    unsigned int	blockSize; 	/* blocksize for padding */
+    unsigned int	padDataLength; 	/* length of the valid data in padbuf */
+    unsigned char	padBuf[PK11_MAX_BLOCK_SIZE];
+    unsigned char	macBuf[PK11_MAX_BLOCK_SIZE];
+    CK_ULONG		macSize;	/* size of a general block cipher mac*/
+    void		*cipherInfo;
+    void		*hashInfo;
+    unsigned int	cipherInfoLen;
+    CK_MECHANISM_TYPE	currentMech;
+    PK11Cipher		update;
+    PK11Hash		hashUpdate;
+    PK11End		end;
+    PK11Destroy		destroy;
+    PK11Destroy		hashdestroy;
+    PK11Verify		verify;
+    unsigned int	maxLen;
+    PK11Object		*key;
+};
+
+/*
+ * Sessions (have objects)
+ */
+struct PK11SessionStr {
+    PK11Session        *next;
+    PK11Session        *prev;
+    CK_SESSION_HANDLE	handle;
+    int			refCount;
+    PZLock		*objectLock;
+    int			objectIDCount;
+    CK_SESSION_INFO	info;
+    CK_NOTIFY		notify;
+    CK_VOID_PTR		appData;
+    PK11Slot		*slot;
+    PK11SearchResults	*search;
+    PK11SessionContext	*enc_context;
+    PK11SessionContext	*hash_context;
+    PK11SessionContext	*sign_context;
+    PK11ObjectList	*objects[1];
+};
+
+/*
+ * slots (have sessions and objects)
+ *
+ * The array of sessionLock's protect the session hash table (head[])
+ * as well as the reference count of session objects in that bucket
+ * (head[]->refCount),  objectLock protects all elements of the token
+ * object hash table (tokObjects[], tokenIDCount, and tokenHashTable),
+ * and slotLock protects the remaining protected elements:
+ * password, isLoggedIn, ssoLoggedIn, sessionCount, and rwSessionCount.
+ */
+struct PK11SlotStr {
+    CK_SLOT_ID		slotID;
+    PZLock		*slotLock;
+    PZLock		*sessionLock[NUMBER_OF_SESSION_LOCKS];
+    PZLock		*objectLock;
+    SECItem		*password;
+    PRBool		hasTokens;
+    PRBool		isLoggedIn;
+    PRBool		ssoLoggedIn;
+    PRBool		needLogin;
+    PRBool		DB_loaded;
+    PRBool		readOnly;
+    NSSLOWCERTCertDBHandle *certDB;
+    NSSLOWKEYDBHandle	*keyDB;
+    int			minimumPinLen;
+    PRInt32		sessionIDCount;  /* atomically incremented */
+    int			sessionIDConflict;  /* not protected by a lock */
+    int			sessionCount;
+    int			rwSessionCount;
+    int			tokenIDCount;
+    int			index;
+    PLHashTable		*tokenHashTable;
+    PK11Object		*tokObjects[TOKEN_OBJECT_HASH_SIZE];
+    PK11Session		*head[SESSION_HASH_SIZE];
+    char		tokDescription[33];
+    char		slotDescription[64];
+};
+
+/*
+ * special joint operations Contexts
+ */
+struct PK11HashVerifyInfoStr {
+    SECOidTag   	hashOid;
+    NSSLOWKEYPublicKey	*key;
+};
+
+struct PK11HashSignInfoStr {
+    SECOidTag   	hashOid;
+    NSSLOWKEYPrivateKey	*key;
+};
+
+/* context for the Final SSLMAC message */
+struct PK11SSLMACInfoStr {
+    void 		*hashContext;
+    PK11Begin		begin;
+    PK11Hash		update;
+    PK11End		end;
+    CK_ULONG		macSize;
+    int			padSize;
+    unsigned char	key[MAX_KEY_LEN];
+    unsigned int	keySize;
+};
+
+/*
+ * session handle modifiers
+ */
+#define PK11_SESSION_SLOT_MASK	0xff000000L
+
+/*
+ * object handle modifiers
+ */
+#define PK11_TOKEN_MASK		0x80000000L
+#define PK11_TOKEN_MAGIC	0x80000000L
+#define PK11_TOKEN_TYPE_MASK	0x70000000L
+/* keydb (high bit == 0) */
+#define PK11_TOKEN_TYPE_PRIV	0x10000000L
+#define PK11_TOKEN_TYPE_PUB	0x20000000L
+#define PK11_TOKEN_TYPE_KEY	0x30000000L
+/* certdb (high bit == 1) */
+#define PK11_TOKEN_TYPE_TRUST	0x40000000L
+#define PK11_TOKEN_TYPE_CRL	0x50000000L
+#define PK11_TOKEN_TYPE_SMIME	0x60000000L
+#define PK11_TOKEN_TYPE_CERT	0x70000000L
+
+#define PK11_TOKEN_KRL_HANDLE	(PK11_TOKEN_MAGIC|PK11_TOKEN_TYPE_CRL|1)
+/* how big a password/pin we can deal with */
+#define PK11_MAX_PIN	255
+
+/* slot ID's */
+#define NETSCAPE_SLOT_ID 1
+#define PRIVATE_KEY_SLOT_ID 2
+#define FIPS_SLOT_ID 3
+
+/* slot helper macros */
+#define pk11_SlotFromSession(sp) ((sp)->slot)
+#define pk11_isToken(id) (((id) & PK11_TOKEN_MASK) == PK11_TOKEN_MAGIC)
+
+/* queueing helper macros */
+#define pk11_hash(value,size) ((value) & (size-1))/*size must be a power of 2*/
+#define pk11queue_add(element,id,head,hash_size) \
+	{ int tmp = pk11_hash(id,hash_size); \
+	(element)->next = (head)[tmp]; \
+	(element)->prev = NULL; \
+	if ((head)[tmp]) (head)[tmp]->prev = (element); \
+	(head)[tmp] = (element); }
+#define pk11queue_find(element,id,head,hash_size) \
+	for( (element) = (head)[pk11_hash(id,hash_size)]; (element) != NULL; \
+					 (element) = (element)->next) { \
+	    if ((element)->handle == (id)) { break; } }
+#define pk11queue_is_queued(element,id,head,hash_size) \
+	( ((element)->next) || ((element)->prev) || \
+	 ((head)[pk11_hash(id,hash_size)] == (element)) )
+#define pk11queue_delete(element,id,head,hash_size) \
+	if ((element)->next) (element)->next->prev = (element)->prev; \
+	if ((element)->prev) (element)->prev->next = (element)->next; \
+	   else (head)[pk11_hash(id,hash_size)] = ((element)->next); \
+	(element)->next = NULL; \
+	(element)->prev = NULL; \
+
+/* sessionID (handle) is used to determine session lock bucket */
+#ifdef NOSPREAD
+/* NOSPREAD:	(ID>>L2LPB) & (perbucket-1) */
+#define PK11_SESSION_LOCK(slot,handle) \
+    ((slot)->sessionLock[((handle) >> LOG2_BUCKETS_PER_SESSION_LOCK) \
+        & (NUMBER_OF_SESSION_LOCKS-1)])
+#else
+/* SPREAD:	ID & (perbucket-1) */
+#define PK11_SESSION_LOCK(slot,handle) \
+    ((slot)->sessionLock[(handle) & (NUMBER_OF_SESSION_LOCKS-1)])
+#endif
+
+/* expand an attribute & secitem structures out */
+#define pk11_attr_expand(ap) (ap)->type,(ap)->pValue,(ap)->ulValueLen
+#define pk11_item_expand(ip) (ip)->data,(ip)->len
+
+typedef struct pk11_token_parametersStr {
+    CK_SLOT_ID slotID;
+    char *configdir;
+    char *certPrefix;
+    char *keyPrefix;
+    char *tokdes;
+    char *slotdes;
+    int minPW; 
+    PRBool readOnly;
+    PRBool noCertDB;
+    PRBool noKeyDB;
+    PRBool forceOpen;
+    PRBool pwRequired;
+} pk11_token_parameters;
+
+typedef struct pk11_parametersStr {
+    char *configdir;
+    char *secmodName;
+    char *man;
+    char *libdes; 
+    PRBool readOnly;
+    PRBool noModDB;
+    PRBool noCertDB;
+    PRBool forceOpen;
+    PRBool pwRequired;
+    pk11_token_parameters *tokens;
+    int token_count;
+} pk11_parameters;
+
+
+/* machine dependent path stuff used by dbinit.c and pk11db.c */
+#ifdef macintosh
+#define PATH_SEPARATOR ":"
+#define SECMOD_DB "Security Modules"
+#define CERT_DB_FMT "%sCertificates%s"
+#define KEY_DB_FMT "%sKey Database%s"
+#else
+#define PATH_SEPARATOR "/"
+#define SECMOD_DB "secmod.db"
+#define CERT_DB_FMT "%scert%s.db"
+#define KEY_DB_FMT "%skey%s.db"
+#endif
+
+SEC_BEGIN_PROTOS
+
+extern CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS);
+/* shared functions between PKCS11.c and PK11FIPS.c */
+extern CK_RV PK11_SlotInit(char *configdir,pk11_token_parameters *params);
+
+/* internal utility functions used by pkcs11.c */
+extern PK11Attribute *pk11_FindAttribute(PK11Object *object,
+					 CK_ATTRIBUTE_TYPE type);
+extern void pk11_FreeAttribute(PK11Attribute *attribute);
+extern CK_RV pk11_AddAttributeType(PK11Object *object, CK_ATTRIBUTE_TYPE type,
+				   void *valPtr,
+				  CK_ULONG length);
+extern CK_RV pk11_Attribute2SecItem(PLArenaPool *arena, SECItem *item,
+				    PK11Object *object, CK_ATTRIBUTE_TYPE type);
+extern PRBool pk11_hasAttribute(PK11Object *object, CK_ATTRIBUTE_TYPE type);
+extern PRBool pk11_isTrue(PK11Object *object, CK_ATTRIBUTE_TYPE type);
+extern void pk11_DeleteAttributeType(PK11Object *object,
+				     CK_ATTRIBUTE_TYPE type);
+extern CK_RV pk11_Attribute2SecItem(PLArenaPool *arena, SECItem *item,
+				    PK11Object *object, CK_ATTRIBUTE_TYPE type);
+extern CK_RV pk11_Attribute2SSecItem(PLArenaPool *arena, SECItem *item,
+				     PK11Object *object,
+				     CK_ATTRIBUTE_TYPE type);
+extern PK11ModifyType pk11_modifyType(CK_ATTRIBUTE_TYPE type,
+				      CK_OBJECT_CLASS inClass);
+extern PRBool pk11_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass);
+extern char *pk11_getString(PK11Object *object, CK_ATTRIBUTE_TYPE type);
+extern void pk11_nullAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type);
+extern CK_RV pk11_forceAttribute(PK11Object *object, CK_ATTRIBUTE_TYPE type,
+				 void *value, unsigned int len);
+extern CK_RV pk11_defaultAttribute(PK11Object *object, CK_ATTRIBUTE_TYPE type,
+				   void *value, unsigned int len);
+extern unsigned int pk11_MapTrust(CK_TRUST trust, PRBool clientAuth);
+
+extern PK11Object *pk11_NewObject(PK11Slot *slot);
+extern CK_RV pk11_CopyObject(PK11Object *destObject, PK11Object *srcObject);
+extern PK11FreeStatus pk11_FreeObject(PK11Object *object);
+extern CK_RV pk11_DeleteObject(PK11Session *session, PK11Object *object);
+extern void pk11_ReferenceObject(PK11Object *object);
+extern PK11Object *pk11_ObjectFromHandle(CK_OBJECT_HANDLE handle,
+					 PK11Session *session);
+extern void pk11_AddSlotObject(PK11Slot *slot, PK11Object *object);
+extern void pk11_AddObject(PK11Session *session, PK11Object *object);
+
+extern CK_RV pk11_searchObjectList(PK11SearchResults *search,
+				   PK11Object **head, PZLock *lock,
+				   CK_ATTRIBUTE_PTR inTemplate, int count,
+				   PRBool isLoggedIn);
+extern PK11ObjectListElement *pk11_FreeObjectListElement(
+					     PK11ObjectListElement *objectList);
+extern void pk11_FreeObjectList(PK11ObjectListElement *objectList);
+extern void pk11_FreeSearch(PK11SearchResults *search);
+extern CK_RV pk11_handleObject(PK11Object *object, PK11Session *session);
+
+extern PK11Slot *pk11_SlotFromID(CK_SLOT_ID slotID);
+extern PK11Slot *pk11_SlotFromSessionHandle(CK_SESSION_HANDLE handle);
+extern PK11Session *pk11_SessionFromHandle(CK_SESSION_HANDLE handle);
+extern void pk11_FreeSession(PK11Session *session);
+extern PK11Session *pk11_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify,
+				    CK_VOID_PTR pApplication, CK_FLAGS flags);
+extern void pk11_update_state(PK11Slot *slot,PK11Session *session);
+extern void pk11_update_all_states(PK11Slot *slot);
+extern void pk11_FreeContext(PK11SessionContext *context);
+extern void pk11_CleanupFreeLists(void);
+
+extern NSSLOWKEYPublicKey *pk11_GetPubKey(PK11Object *object,
+					  CK_KEY_TYPE key_type);
+extern NSSLOWKEYPrivateKey *pk11_GetPrivKey(PK11Object *object,
+					    CK_KEY_TYPE key_type);
+extern void pk11_FormatDESKey(unsigned char *key, int length);
+extern PRBool pk11_CheckDESKey(unsigned char *key);
+extern PRBool pk11_IsWeakKey(unsigned char *key,CK_KEY_TYPE key_type);
+
+extern CK_RV secmod_parseParameters(char *param, pk11_parameters *parsed,
+								PRBool isFIPS);
+extern void secmod_freeParams(pk11_parameters *params);
+extern char *secmod_getSecmodName(char *params, PRBool *rw);
+extern char ** secmod_ReadPermDB(char *dbname, char *params, PRBool rw);
+extern SECStatus secmod_DeletePermDB(char *dbname,char *args, PRBool rw);
+extern SECStatus secmod_AddPermDB(char *dbname, char *module, PRBool rw);
+/*
+ * OK there are now lots of options here, lets go through them all:
+ *
+ * configdir - base directory where all the cert, key, and module datbases live.
+ * certPrefix - prefix added to the beginning of the cert database example: "
+ *                      "https-server1-"
+ * keyPrefix - prefix added to the beginning of the key database example: "
+ *                      "https-server1-"
+ * secmodName - name of the security module database (usually "secmod.db").
+ * readOnly - Boolean: true if the databases are to be openned read only.
+ * nocertdb - Don't open the cert DB and key DB's, just initialize the
+ *                      Volatile certdb.
+ * nomoddb - Don't open the security module DB, just initialize the
+ *                      PKCS #11 module.
+ * forceOpen - Continue to force initializations even if the databases cannot
+ *                      be opened.
+ */
+CK_RV pk11_DBInit(const char *configdir, const char *certPrefix,
+	 	const char *keyPrefix, PRBool readOnly, PRBool noCertDB, 
+		PRBool noKeyDB, PRBool forceOpen, 
+		NSSLOWCERTCertDBHandle **certDB, NSSLOWKEYDBHandle **keyDB);
+
+void pk11_DBShutdown(NSSLOWCERTCertDBHandle *certHandle, 
+		     NSSLOWKEYDBHandle *keyHandle);
+
+/*
+ * narrow objects
+ */
+PK11SessionObject * pk11_narrowToSessionObject(PK11Object *);
+PK11TokenObject * pk11_narrowToTokenObject(PK11Object *);
+
+/*
+ * token object utilities
+ */
+void pk11_addHandle(PK11SearchResults *search, CK_OBJECT_HANDLE handle);
+PRBool pk11_tokenMatch(PK11Slot *slot, SECItem *dbKey, CK_OBJECT_HANDLE class,
+                                        CK_ATTRIBUTE_PTR theTemplate,int count);
+CK_OBJECT_HANDLE pk11_mkHandle(PK11Slot *slot, 
+					SECItem *dbKey, CK_OBJECT_HANDLE class);
+PK11Object * pk11_NewTokenObject(PK11Slot *slot, SECItem *dbKey, 
+						CK_OBJECT_HANDLE handle);
+PK11TokenObject *pk11_convertSessionToToken(PK11Object *so);
+
+SEC_END_PROTOS
+
+#endif /* _PKCS11I_H_ */
diff --git a/security/nss/lib/softoken/pkcs11n.h b/security/nss/lib/softoken/pkcs11n.h
new file mode 100644
index 000000000..7ee4c6c34
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11n.h
@@ -0,0 +1,223 @@
+/* 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ *      Dr Stephen Henson <stephen.henson@gemplus.com>
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _PKCS11N_H_
+#define _PKCS11N_H_
+
+#ifdef DEBUG
+static const char CKT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+/*
+ * pkcs11n.h
+ *
+ * This file contains the NSS-specific type definitions for Cryptoki
+ * (PKCS#11).
+ */
+
+/*
+ * NSSCK_VENDOR_NETSCAPE
+ *
+ * Cryptoki reserves the high half of all the number spaces for
+ * vendor-defined use.  I'd like to keep all of our Netscape-
+ * specific values together, but not in the oh-so-obvious
+ * 0x80000001, 0x80000002, etc. area.  So I've picked an offset,
+ * and constructed values for the beginnings of our spaces.
+ *
+ * Note that some "historical" Netscape values don't fall within
+ * this range.
+ */
+#define NSSCK_VENDOR_NETSCAPE 0x4E534350 /* NSCP */
+
+/*
+ * Netscape-defined object classes
+ * 
+ */
+#define CKO_NETSCAPE (CKO_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE)
+
+#define CKO_NETSCAPE_CRL                (CKO_NETSCAPE + 1)
+#define CKO_NETSCAPE_SMIME              (CKO_NETSCAPE + 2)
+#define CKO_NETSCAPE_TRUST              (CKO_NETSCAPE + 3)
+#define CKO_NETSCAPE_BUILTIN_ROOT_LIST  (CKO_NETSCAPE + 4)
+
+/*
+ * Netscape-defined key types
+ *
+ */
+#define CKK_NETSCAPE (CKK_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE)
+
+#define CKK_NETSCAPE_PKCS8              (CKK_NETSCAPE + 1)
+/*
+ * Netscape-defined certificate types
+ *
+ */
+#define CKC_NETSCAPE (CKC_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE)
+
+/*
+ * Netscape-defined object attributes
+ *
+ */
+#define CKA_NETSCAPE (CKA_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE)
+
+#define CKA_NETSCAPE_URL                (CKA_NETSCAPE +  1)
+#define CKA_NETSCAPE_EMAIL              (CKA_NETSCAPE +  2)
+#define CKA_NETSCAPE_SMIME_INFO         (CKA_NETSCAPE +  3)
+#define CKA_NETSCAPE_SMIME_TIMESTAMP    (CKA_NETSCAPE +  4)
+#define CKA_NETSCAPE_PKCS8_SALT         (CKA_NETSCAPE +  5)
+#define CKA_NETSCAPE_PASSWORD_CHECK     (CKA_NETSCAPE +  6)
+#define CKA_NETSCAPE_EXPIRES            (CKA_NETSCAPE +  7)
+#define CKA_NETSCAPE_KRL                (CKA_NETSCAPE +  8)
+
+#define CKA_NETSCAPE_PQG_COUNTER        (CKA_NETSCAPE +  20)
+#define CKA_NETSCAPE_PQG_SEED           (CKA_NETSCAPE +  21)
+#define CKA_NETSCAPE_PQG_H              (CKA_NETSCAPE +  22)
+#define CKA_NETSCAPE_PQG_SEED_BITS      (CKA_NETSCAPE +  23)
+
+/*
+ * Trust attributes:
+ *
+ * If trust goes standard, these probably will too.  So I'll
+ * put them all in one place.
+ */
+
+#define CKA_TRUST (CKA_NETSCAPE + 0x2000)
+
+/* "Usage" key information */
+#define CKA_TRUST_DIGITAL_SIGNATURE     (CKA_TRUST +  1)
+#define CKA_TRUST_NON_REPUDIATION       (CKA_TRUST +  2)
+#define CKA_TRUST_KEY_ENCIPHERMENT      (CKA_TRUST +  3)
+#define CKA_TRUST_DATA_ENCIPHERMENT     (CKA_TRUST +  4)
+#define CKA_TRUST_KEY_AGREEMENT         (CKA_TRUST +  5)
+#define CKA_TRUST_KEY_CERT_SIGN         (CKA_TRUST +  6)
+#define CKA_TRUST_CRL_SIGN              (CKA_TRUST +  7)
+
+/* "Purpose" trust information */
+#define CKA_TRUST_SERVER_AUTH           (CKA_TRUST +  8)
+#define CKA_TRUST_CLIENT_AUTH           (CKA_TRUST +  9)
+#define CKA_TRUST_CODE_SIGNING          (CKA_TRUST + 10)
+#define CKA_TRUST_EMAIL_PROTECTION      (CKA_TRUST + 11)
+#define CKA_TRUST_IPSEC_END_SYSTEM      (CKA_TRUST + 12)
+#define CKA_TRUST_IPSEC_TUNNEL          (CKA_TRUST + 13)
+#define CKA_TRUST_IPSEC_USER            (CKA_TRUST + 14)
+#define CKA_TRUST_TIME_STAMPING         (CKA_TRUST + 15)
+#define CKA_CERT_SHA1_HASH	        (CKA_TRUST + 100)
+#define CKA_CERT_MD5_HASH		(CKA_TRUST + 101)
+
+/* Netscape trust stuff */
+/* XXX fgmr new ones here-- step-up, etc. */
+
+/* HISTORICAL: define used to pass in the database key for DSA private keys */
+#define CKA_NETSCAPE_DB                 0xD5A0DB00L
+#define CKA_NETSCAPE_TRUST              0x80000001L
+
+/*
+ * Netscape-defined crypto mechanisms
+ *
+ */
+#define CKM_NETSCAPE (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE)
+/*
+ * HISTORICAL:
+ * Do not attempt to use these. They are only used by NETSCAPE's internal
+ * PKCS #11 interface. Most of these are place holders for other mechanism
+ * and will change in the future.
+ */
+#define CKM_NETSCAPE_PBE_SHA1_DES_CBC           0x80000002L
+#define CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC    0x80000003L
+#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC    0x80000004L
+#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC   0x80000005L
+#define CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4        0x80000006L
+#define CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4       0x80000007L
+#define CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC   0x80000008L
+#define CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN      0x80000009L
+#define CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN       0x8000000aL
+#define CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN       0x8000000bL
+
+#define CKM_TLS_PRF_GENERAL                     0x80000373L
+
+
+/*
+ * Netscape-defined return values
+ *
+ */
+#define CKR_NETSCAPE (CKM_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE)
+
+/*
+ * Trust info
+ *
+ * This isn't part of the Cryptoki standard (yet), so I'm putting
+ * all the definitions here.  Some of this would move to nssckt.h
+ * if trust info were made part of the standard.  In view of this
+ * possibility, I'm putting my (Netscape) values in the netscape
+ * vendor space, like everything else.
+ */
+
+typedef CK_ULONG          CK_TRUST;
+
+/* The following trust types are defined: */
+#define CKT_VENDOR_DEFINED     0x80000000
+
+#define CKT_NETSCAPE (CKT_VENDOR_DEFINED|NSSCK_VENDOR_NETSCAPE)
+
+/* If trust goes standard, these'll probably drop out of vendor space. */
+#define CKT_NETSCAPE_TRUSTED            (CKT_NETSCAPE + 1)
+#define CKT_NETSCAPE_TRUSTED_DELEGATOR  (CKT_NETSCAPE + 2)
+#define CKT_NETSCAPE_UNTRUSTED          (CKT_NETSCAPE + 3)
+#define CKT_NETSCAPE_MUST_VERIFY        (CKT_NETSCAPE + 4)
+#define CKT_NETSCAPE_TRUST_UNKNOWN      (CKT_NETSCAPE + 5) /* default */
+
+/* 
+ * These may well remain Netscape-specific; I'm only using them
+ * to cache resolution data.
+ */
+#define CKT_NETSCAPE_VALID              (CKT_NETSCAPE + 10)
+#define CKT_NETSCAPE_VALID_DELEGATOR    (CKT_NETSCAPE + 11)
+
+
+/*
+ * These are not really PKCS #11 values specifically. They are the 'loadable'
+ * module spec NSS uses. The are available for others to use as well, but not
+ * part of the formal PKCS #11 spec.
+ *
+ * The function 'FIND' returns an array of PKCS #11 initialization strings
+ * The function 'ADD' takes a PKCS #11 initialization string and stores it.
+ * The function 'DEL' takes a 'name= library=' value and deletes the associated
+ *  string.
+ */
+#define SECMOD_MODULE_DB_FUNCTION_FIND  0
+#define SECMOD_MODULE_DB_FUNCTION_ADD   1
+#define SECMOD_MODULE_DB_FUNCTION_DEL   2
+typedef char ** (PR_CALLBACK *SECMODModuleDBFunc)(unsigned long function,
+                                        char *parameters, char *moduleSpec);
+
+#endif /* _PKCS11N_H_ */
diff --git a/security/nss/lib/softoken/pkcs11p.h b/security/nss/lib/softoken/pkcs11p.h
new file mode 100644
index 000000000..0a30e8ee4
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11p.h
@@ -0,0 +1,49 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
+ * is granted provided that it is identified as "RSA Security Inc. Public-Key
+ * Cryptography Standards (PKCS)" in all material mentioning or referencing
+ * this document.
+ */
+/* these data types are platform/implementation dependent. */
+/*
+ * Packing was removed from the shipped RSA header files, even
+ * though it's still needed. put in a central file to help merging..
+ */
+
+#if defined(_WIN32)
+#pragma warning(disable:4103)
+#pragma pack(push, cryptoki, 1)
+#endif
+
diff --git a/security/nss/lib/softoken/pkcs11t.h b/security/nss/lib/softoken/pkcs11t.h
new file mode 100644
index 000000000..9ebed9e85
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11t.h
@@ -0,0 +1,1366 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s): 
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
+ * is granted provided that it is identified as "RSA Security In.c Public-Key
+ * Cryptography Standards (PKCS)" in all material mentioning or referencing
+ * this document.
+ */
+/* See top of pkcs11.h for information about the macros that
+ * must be defined and the structure-packing conventions that
+ * must be set before including this file.
+ */
+
+#ifndef _PKCS11T_H_
+#define _PKCS11T_H_ 1
+
+#ifndef CK_FALSE
+#define CK_FALSE             0
+#endif
+
+#ifndef CK_TRUE
+#define CK_TRUE              (!CK_FALSE)
+#endif
+
+#include "prtypes.h"
+
+#define CK_PTR *
+#define CK_NULL_PTR 0
+#define CK_CALLBACK_FUNCTION(rv,func) rv (PR_CALLBACK * func)
+#define CK_DECLARE_FUNCTION(rv,func) PR_EXTERN(rv) func
+#define CK_DECLARE_FUNCTION_POINTER(rv,func) rv (PR_CALLBACK * func)
+
+#define CK_INVALID_SESSION	0
+
+/* an unsigned 8-bit value */
+typedef unsigned char     CK_BYTE;
+
+/* an unsigned 8-bit character */
+typedef CK_BYTE           CK_CHAR;
+
+/* an unsigned 8-bit character */
+typedef CK_BYTE           CK_UTF8CHAR;
+
+/* a BYTE-sized Boolean flag */
+typedef CK_BYTE           CK_BBOOL;
+
+/* an unsigned value, at least 32 bits long */
+typedef unsigned long int CK_ULONG;
+
+/* a signed value, the same size as a CK_ULONG */
+/* CK_LONG is new for v2.0 */
+typedef long int          CK_LONG;
+
+/* at least 32 bits; each bit is a Boolean flag */
+typedef CK_ULONG          CK_FLAGS;
+
+
+/* some special values for certain CK_ULONG variables */
+#define CK_UNAVAILABLE_INFORMATION (~0UL)
+#define CK_EFFECTIVELY_INFINITE    0
+
+
+typedef CK_BYTE     CK_PTR   CK_BYTE_PTR;
+typedef CK_CHAR     CK_PTR   CK_CHAR_PTR;
+typedef CK_UTF8CHAR CK_PTR   CK_UTF8CHAR_PTR;
+typedef CK_ULONG    CK_PTR   CK_ULONG_PTR;
+typedef void        CK_PTR   CK_VOID_PTR;
+
+/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
+typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
+
+
+/* The following value is always invalid if used as a session */
+/* handle or object handle */
+#define CK_INVALID_HANDLE 0
+
+
+/* pack */
+#include "pkcs11p.h"
+
+typedef struct CK_VERSION {
+  CK_BYTE       major;  /* integer portion of version number */
+  CK_BYTE       minor;  /* 1/100ths portion of version number */
+} CK_VERSION;
+
+typedef CK_VERSION CK_PTR CK_VERSION_PTR;
+
+
+typedef struct CK_INFO {
+ /* manufacturerID and libraryDecription have been changed from
+  * CK_CHAR to CK_UTF8CHAR for v2.10 */
+  CK_VERSION    cryptokiVersion;     /* PKCS #11 interface ver */
+  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
+  CK_FLAGS      flags;               /* must be zero */
+
+  /* libraryDescription and libraryVersion are new for v2.0 */
+  CK_UTF8CHAR   libraryDescription[32];  /* blank padded */
+  CK_VERSION    libraryVersion;          /* version of library */
+} CK_INFO;
+
+typedef CK_INFO CK_PTR    CK_INFO_PTR;
+
+
+/* CK_NOTIFICATION enumerates the types of notifications that
+ * PKCS #11 provides to an application */
+/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG
+ * for v2.0 */
+typedef CK_ULONG CK_NOTIFICATION;
+#define CKN_SURRENDER       0
+
+
+typedef CK_ULONG          CK_SLOT_ID;
+
+typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
+
+
+/* CK_SLOT_INFO provides information about a slot */
+typedef struct CK_SLOT_INFO {
+ /* slotDescription and manufacturerID have been changed from
+  * CK_CHAR to CK_UTF8CHAR for v2.10 */
+  CK_UTF8CHAR   slotDescription[64];  /* blank padded */
+  CK_UTF8CHAR   manufacturerID[32];   /* blank padded */
+  CK_FLAGS      flags;
+
+  /* hardwareVersion and firmwareVersion are new for v2.0 */
+  CK_VERSION    hardwareVersion;  /* version of hardware */
+  CK_VERSION    firmwareVersion;  /* version of firmware */
+} CK_SLOT_INFO;
+
+/* flags: bit flags that provide capabilities of the slot
+ *      Bit Flag              Mask        Meaning
+ */
+#define CKF_TOKEN_PRESENT     0x00000001  /* a token is there */
+#define CKF_REMOVABLE_DEVICE  0x00000002  /* removable devices*/
+#define CKF_HW_SLOT           0x00000004  /* hardware slot */
+
+typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
+
+
+/* CK_TOKEN_INFO provides information about a token */
+typedef struct CK_TOKEN_INFO {
+ /* label, manufacturerID, and model have been changed from
+  * CK_CHAR to CK_UTF8CHAR for v2.10 */
+  CK_UTF8CHAR   label[32];           /* blank padded */
+  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
+  CK_UTF8CHAR   model[16];           /* blank padded */
+  CK_CHAR       serialNumber[16];    /* blank padded */
+  CK_FLAGS      flags;               /* see below */
+
+  /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
+   * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
+   * changed from CK_USHORT to CK_ULONG for v2.0 */
+  CK_ULONG      ulMaxSessionCount;     /* max open sessions */
+  CK_ULONG      ulSessionCount;        /* sess. now open */
+  CK_ULONG      ulMaxRwSessionCount;   /* max R/W sessions */
+  CK_ULONG      ulRwSessionCount;      /* R/W sess. now open */
+  CK_ULONG      ulMaxPinLen;           /* in bytes */
+  CK_ULONG      ulMinPinLen;           /* in bytes */
+  CK_ULONG      ulTotalPublicMemory;   /* in bytes */
+  CK_ULONG      ulFreePublicMemory;    /* in bytes */
+  CK_ULONG      ulTotalPrivateMemory;  /* in bytes */
+  CK_ULONG      ulFreePrivateMemory;   /* in bytes */
+
+  /* hardwareVersion, firmwareVersion, and time are new for
+   * v2.0 */
+  CK_VERSION    hardwareVersion;       /* version of hardware */
+  CK_VERSION    firmwareVersion;       /* version of firmware */
+  CK_CHAR       utcTime[16];           /* time */
+} CK_TOKEN_INFO;
+
+/* The flags parameter is defined as follows:
+ *      Bit Flag                    Mask        Meaning 
+ */
+#define CKF_RNG                     0x00000001  /* has random #
+                                                 * generator */
+#define CKF_WRITE_PROTECTED         0x00000002  /* token is
+                                                 * write-
+                                                 * protected */
+#define CKF_LOGIN_REQUIRED          0x00000004  /* user must
+                                                 * login */
+#define CKF_USER_PIN_INITIALIZED    0x00000008  /* normal user's
+                                                 * PIN is set */
+
+/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0.  If it is set,
+ * that means that *every* time the state of cryptographic
+ * operations of a session is successfully saved, all keys
+ * needed to continue those operations are stored in the state */
+#define CKF_RESTORE_KEY_NOT_NEEDED  0x00000020
+
+/* CKF_CLOCK_ON_TOKEN is new for v2.0.  If it is set, that means
+ * that the token has some sort of clock.  The time on that
+ * clock is returned in the token info structure */
+#define CKF_CLOCK_ON_TOKEN          0x00000040
+
+/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0.  If it is
+ * set, that means that there is some way for the user to login
+ * without sending a PIN through the PKCS #11 library itself */
+#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100
+
+/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0.  If it is true,
+ * that means that a single session with the token can perform
+ * dual simultaneous cryptographic operations (digest and
+ * encrypt; decrypt and digest; sign and encrypt; and decrypt
+ * and sign) */
+#define CKF_DUAL_CRYPTO_OPERATIONS  0x00000200
+
+/* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the
+ * token has been initialized using C_InitializeToken or an 
+ * equivalent mechanism outside the scope of PKCS #11.
+ * Calling C_InitializeToken when this flag is set will cause 
+ * the token to be reinitialized. */
+#define CKF_TOKEN_INITIALIZED       0x00000400
+
+/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is 
+ * true, the token supports secondary authentication for 
+ * private key objects. */
+/* DEPRICATED in v2.11 */
+#define CKF_SECONDARY_AUTHENTICATION  0x00000800
+
+/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an 
+ * incorrect user login PIN has been entered at least once 
+ * since the last successful authentication. */
+#define CKF_USER_PIN_COUNT_LOW       0x00010000
+
+/* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true,
+ * supplying an incorrect user PIN will it to become locked. */
+#define CKF_USER_PIN_FINAL_TRY       0x00020000
+
+/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the 
+ * user PIN has been locked. User login to the token is not 
+ * possible. */
+#define CKF_USER_PIN_LOCKED          0x00040000
+
+/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true, 
+ * the user PIN value is the default value set by token 
+ * initialization or manufacturing. */
+#define CKF_USER_PIN_TO_BE_CHANGED   0x00080000
+
+/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an 
+ * incorrect SO login PIN has been entered at least once since 
+ * the last successful authentication. */
+#define CKF_SO_PIN_COUNT_LOW         0x00100000
+
+/* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true,
+ * supplying an incorrect SO PIN will it to become locked. */
+#define CKF_SO_PIN_FINAL_TRY         0x00200000
+
+/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO 
+ * PIN has been locked. SO login to the token is not possible.
+ */
+#define CKF_SO_PIN_LOCKED            0x00400000
+
+/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true, 
+ * the SO PIN value is the default value set by token 
+ * initialization or manufacturing. */
+#define CKF_SO_PIN_TO_BE_CHANGED     0x00800000
+
+typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
+
+
+/* CK_SESSION_HANDLE is a PKCS #11-assigned value that
+ * identifies a session */
+typedef CK_ULONG          CK_SESSION_HANDLE;
+
+typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR; 
+
+
+/* CK_USER_TYPE enumerates the types of PKCS #11 users */
+/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_USER_TYPE;
+/* Security Officer */
+#define CKU_SO    0
+/* Normal user */
+#define CKU_USER  1
+
+
+/* CK_STATE enumerates the session states */
+/* CK_STATE has been changed from an enum to a CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_STATE;
+#define CKS_RO_PUBLIC_SESSION  0
+#define CKS_RO_USER_FUNCTIONS  1
+#define CKS_RW_PUBLIC_SESSION  2
+#define CKS_RW_USER_FUNCTIONS  3
+#define CKS_RW_SO_FUNCTIONS    4
+
+
+/* CK_SESSION_INFO provides information about a session */
+typedef struct CK_SESSION_INFO {
+  CK_SLOT_ID    slotID;
+  CK_STATE      state;
+  CK_FLAGS      flags;          /* see below */
+
+  /* ulDeviceError was changed from CK_USHORT to CK_ULONG for
+   * v2.0 */
+  CK_ULONG      ulDeviceError;  /* device-dependent error code */
+} CK_SESSION_INFO;
+
+/* The flags are defined in the following table:
+ *      Bit Flag                Mask        Meaning
+ */
+#define CKF_RW_SESSION          0x00000002  /* session is r/w */
+#define CKF_SERIAL_SESSION      0x00000004  /* no parallel */
+
+typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
+
+
+/* CK_OBJECT_HANDLE is a token-specific identifier for an
+ * object  */
+typedef CK_ULONG          CK_OBJECT_HANDLE;
+
+typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
+
+
+/* CK_OBJECT_CLASS is a value that identifies the classes (or
+ * types) of objects that PKCS #11 recognizes.  It is defined
+ * as follows: */
+/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_OBJECT_CLASS;
+
+/* The following classes of objects are defined: */
+/* CKO_HW_FEATURE is new for v2.10 */
+/* CKO_DOMAIN_PARAMETERS is new for v2.11 */
+#define CKO_DATA              0x00000000
+#define CKO_CERTIFICATE       0x00000001
+#define CKO_PUBLIC_KEY        0x00000002
+#define CKO_PRIVATE_KEY       0x00000003
+#define CKO_SECRET_KEY        0x00000004
+#define CKO_HW_FEATURE        0x00000005
+#define CKO_DOMAIN_PARAMETERS 0x00000006
+#define CKO_KG_PARAMETERS     0x00000006
+#define CKO_VENDOR_DEFINED    0x80000000
+
+typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
+
+/* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a
+ * value that identifies the hardware feature type of an object
+ * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */
+typedef CK_ULONG          CK_HW_FEATURE_TYPE;
+ 
+/* The following hardware feature types are defined */
+#define CKH_MONOTONIC_COUNTER  0x00000001
+#define CKH_CLOCK           0x00000002
+#define CKH_VENDOR_DEFINED  0x80000000
+
+/* CK_KEY_TYPE is a value that identifies a key type */
+/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG          CK_KEY_TYPE;
+
+/* the following key types are defined: */
+#define CKK_RSA             0x00000000
+#define CKK_DSA             0x00000001
+#define CKK_DH              0x00000002
+
+/* CKK_ECDSA and CKK_KEA are new for v2.0 */
+/* CKK_X9_42_DH is new for v2.11 */
+#define CKK_ECDSA           0x00000003 /* deprecated in v2.11 */
+#define CKK_EC              0x00000003
+#define CKK_X9_42_DH	    0x00000004
+#define CKK_KEA             0x00000005
+
+#define CKK_GENERIC_SECRET  0x00000010
+#define CKK_RC2             0x00000011
+#define CKK_RC4             0x00000012
+#define CKK_DES             0x00000013
+#define CKK_DES2            0x00000014
+#define CKK_DES3            0x00000015
+
+/* all these key types are new for v2.0 */
+#define CKK_CAST            0x00000016
+#define CKK_CAST3           0x00000017
+#define CKK_CAST5           0x00000018 /* deprecated in v2.11 */
+#define CKK_CAST128         0x00000018
+#define CKK_RC5             0x00000019
+#define CKK_IDEA            0x0000001A
+#define CKK_SKIPJACK        0x0000001B
+#define CKK_BATON           0x0000001C
+#define CKK_JUNIPER         0x0000001D
+#define CKK_CDMF            0x0000001E
+
+/* all these key types are new for v2.11 */
+#define CKK_AES             0x0000001F
+
+#define CKK_VENDOR_DEFINED  0x80000000
+#define CKK_INVALID_KEY_TYPE 0xffffffff
+
+
+/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
+ * type */
+/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG
+ * for v2.0 */
+typedef CK_ULONG          CK_CERTIFICATE_TYPE;
+
+/* The following certificate types are defined: */
+/* CKC_X_509_ATTR_CERT is new for v2.10 */
+#define CKC_X_509           0x00000000
+#define CKC_X_509_ATTR_CERT 0x00000001
+#define CKC_VENDOR_DEFINED  0x80000000
+
+
+/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
+ * type */
+/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
+
+/* The following attribute types are defined: */
+#define CKA_CLASS              0x00000000
+#define CKA_TOKEN              0x00000001
+#define CKA_PRIVATE            0x00000002
+#define CKA_LABEL              0x00000003
+#define CKA_APPLICATION        0x00000010
+#define CKA_VALUE              0x00000011
+
+/* CKA_OBJECT_ID is new for v2.10 */
+#define CKA_OBJECT_ID          0x00000012
+
+#define CKA_CERTIFICATE_TYPE   0x00000080
+#define CKA_ISSUER             0x00000081
+#define CKA_SERIAL_NUMBER      0x00000082
+
+/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new 
+ * for v2.10 */
+#define CKA_AC_ISSUER          0x00000083
+#define CKA_OWNER              0x00000084
+#define CKA_ATTR_TYPES         0x00000085
+/* CKA_TRUSTED is new for v2.11 */
+#define CKA_TRUSTED            0x00000086
+
+#define CKA_KEY_TYPE           0x00000100
+#define CKA_SUBJECT            0x00000101
+#define CKA_ID                 0x00000102
+#define CKA_SENSITIVE          0x00000103
+#define CKA_ENCRYPT            0x00000104
+#define CKA_DECRYPT            0x00000105
+#define CKA_WRAP               0x00000106
+#define CKA_UNWRAP             0x00000107
+#define CKA_SIGN               0x00000108
+#define CKA_SIGN_RECOVER       0x00000109
+#define CKA_VERIFY             0x0000010A
+#define CKA_VERIFY_RECOVER     0x0000010B
+#define CKA_DERIVE             0x0000010C
+#define CKA_START_DATE         0x00000110
+#define CKA_END_DATE           0x00000111
+#define CKA_MODULUS            0x00000120
+#define CKA_MODULUS_BITS       0x00000121
+#define CKA_PUBLIC_EXPONENT    0x00000122
+#define CKA_PRIVATE_EXPONENT   0x00000123
+#define CKA_PRIME_1            0x00000124
+#define CKA_PRIME_2            0x00000125
+#define CKA_EXPONENT_1         0x00000126
+#define CKA_EXPONENT_2         0x00000127
+#define CKA_COEFFICIENT        0x00000128
+#define CKA_PRIME              0x00000130
+#define CKA_SUBPRIME           0x00000131
+#define CKA_BASE               0x00000132
+/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */
+#define CKA_PRIME_BITS         0x00000133
+#define CKA_SUB_PRIME_BITS     0x00000134
+#define CKA_VALUE_BITS         0x00000160
+#define CKA_VALUE_LEN          0x00000161
+
+/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
+ * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS,
+ * and CKA_EC_POINT are new for v2.0 */
+#define CKA_EXTRACTABLE        0x00000162
+#define CKA_LOCAL              0x00000163
+#define CKA_NEVER_EXTRACTABLE  0x00000164
+#define CKA_ALWAYS_SENSITIVE   0x00000165
+/* CKA_KEY_GEN_MECHANISM is new for v2.11 */
+#define CKA_KEY_GEN_MECHANISM  0x00000166
+#define CKA_MODIFIABLE         0x00000170
+#define CKA_ECDSA_PARAMS       0x00000180 /* depricated v2.11 */
+#define CKA_EC_PARAMS          0x00000180
+#define CKA_EC_POINT           0x00000181
+
+/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS, 
+ * CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
+ * are new for v2.10 */
+#define CKA_SECONDARY_AUTH     0x00000200 /* depricated v2.11 */
+#define CKA_AUTH_PIN_FLAGS     0x00000201 /* depricated v2.11 */
+#define CKA_HW_FEATURE_TYPE    0x00000300
+#define CKA_RESET_ON_INIT      0x00000301
+#define CKA_HAS_RESET          0x00000302
+
+#define CKA_VENDOR_DEFINED     0x80000000
+
+
+/* CK_ATTRIBUTE is a structure that includes the type, length
+ * and value of an attribute */
+typedef struct CK_ATTRIBUTE {
+  CK_ATTRIBUTE_TYPE type;
+  CK_VOID_PTR       pValue;
+
+  /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
+  CK_ULONG          ulValueLen;  /* in bytes */
+} CK_ATTRIBUTE;
+
+typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
+
+
+/* CK_DATE is a structure that defines a date */
+typedef struct CK_DATE{
+  CK_CHAR       year[4];   /* the year ("1900" - "9999") */
+  CK_CHAR       month[2];  /* the month ("01" - "12") */
+  CK_CHAR       day[2];    /* the day   ("01" - "31") */
+} CK_DATE;
+
+
+/* CK_MECHANISM_TYPE is a value that identifies a mechanism
+ * type */
+/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG          CK_MECHANISM_TYPE;
+
+/* the following mechanism types are defined: */
+#define CKM_RSA_PKCS_KEY_PAIR_GEN      0x00000000
+#define CKM_RSA_PKCS                   0x00000001
+#define CKM_RSA_9796                   0x00000002
+#define CKM_RSA_X_509                  0x00000003
+
+/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS
+ * are new for v2.0.  They are mechanisms which hash and sign */
+#define CKM_MD2_RSA_PKCS               0x00000004
+#define CKM_MD5_RSA_PKCS               0x00000005
+#define CKM_SHA1_RSA_PKCS              0x00000006
+
+/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS & CKM_RSA_OAEP
+ * are new for 2.10 */
+#define CKM_RIPEMD128_RSA_PKCS         0x00000007
+#define CKM_RIPEMD160_RSA_PKCS         0x00000008
+#define CKM_RSA_PKCS_OAEP              0x00000009
+
+/* CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31 & CKM_RSA_X9_31_KEY_PAIR_GEN
+ * are new for 2.11 */
+#define CKM_RSA_X9_31_KEY_PAIR_GEN     0x0000000A
+#define CKM_RSA_X9_31                  0x0000000B
+#define CKM_SHA1_RSA_X9_31             0x0000000C
+
+#define CKM_DSA_KEY_PAIR_GEN           0x00000010
+#define CKM_DSA                        0x00000011
+#define CKM_DSA_SHA1                   0x00000012
+#define CKM_DH_PKCS_KEY_PAIR_GEN       0x00000020
+#define CKM_DH_PKCS_DERIVE             0x00000021
+
+/* CKM_X9_42_DH_PKCS_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE,
+ * CKM_X9_42_DH_HYBRID_DERIVE, & CKM_X9_42_MQV_DERIVE
+ * are new for v2.11 */
+#define CKM_X9_42_DH_PKCS_KEY_PAIR_GEN 0x00000030
+#define CKM_X9_42_DH_DERIVE            0x00000031
+#define CKM_X9_42_DH_HYBRID_DERIVE     0x00000032
+#define CKM_X9_42_MQV_DERIVE           0x00000033
+
+#define CKM_RC2_KEY_GEN                0x00000100
+#define CKM_RC2_ECB                    0x00000101
+#define CKM_RC2_CBC                    0x00000102
+#define CKM_RC2_MAC                    0x00000103
+
+/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
+#define CKM_RC2_MAC_GENERAL            0x00000104
+#define CKM_RC2_CBC_PAD                0x00000105
+
+#define CKM_RC4_KEY_GEN                0x00000110
+#define CKM_RC4                        0x00000111
+#define CKM_DES_KEY_GEN                0x00000120
+#define CKM_DES_ECB                    0x00000121
+#define CKM_DES_CBC                    0x00000122
+#define CKM_DES_MAC                    0x00000123
+
+/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
+#define CKM_DES_MAC_GENERAL            0x00000124
+#define CKM_DES_CBC_PAD                0x00000125
+
+#define CKM_DES2_KEY_GEN               0x00000130
+#define CKM_DES3_KEY_GEN               0x00000131
+#define CKM_DES3_ECB                   0x00000132
+#define CKM_DES3_CBC                   0x00000133
+#define CKM_DES3_MAC                   0x00000134
+
+/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
+ * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
+ * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
+#define CKM_DES3_MAC_GENERAL           0x00000135
+#define CKM_DES3_CBC_PAD               0x00000136
+#define CKM_CDMF_KEY_GEN               0x00000140
+#define CKM_CDMF_ECB                   0x00000141
+#define CKM_CDMF_CBC                   0x00000142
+#define CKM_CDMF_MAC                   0x00000143
+#define CKM_CDMF_MAC_GENERAL           0x00000144
+#define CKM_CDMF_CBC_PAD               0x00000145
+
+#define CKM_MD2                        0x00000200
+
+/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
+#define CKM_MD2_HMAC                   0x00000201
+#define CKM_MD2_HMAC_GENERAL           0x00000202
+
+#define CKM_MD5                        0x00000210
+
+/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */
+#define CKM_MD5_HMAC                   0x00000211
+#define CKM_MD5_HMAC_GENERAL           0x00000212
+
+#define CKM_SHA_1                      0x00000220
+
+/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */
+#define CKM_SHA_1_HMAC                 0x00000221
+#define CKM_SHA_1_HMAC_GENERAL         0x00000222
+
+/* CKM_RIPEMD128, CKM_RIPEMD128_HMAC, 
+ * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC,
+ * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */
+#define CKM_RIPEMD128                  0x00000230
+#define CKM_RIPEMD128_HMAC             0x00000231
+#define CKM_RIPEMD128_HMAC_GENERAL     0x00000232
+#define CKM_RIPEMD160                  0x00000240
+#define CKM_RIPEMD160_HMAC             0x00000241
+#define CKM_RIPEMD160_HMAC_GENERAL     0x00000242
+
+/* All of the following mechanisms are new for v2.0 */
+/* Note that CAST128 and CAST5 are the same algorithm */
+#define CKM_CAST_KEY_GEN               0x00000300
+#define CKM_CAST_ECB                   0x00000301
+#define CKM_CAST_CBC                   0x00000302
+#define CKM_CAST_MAC                   0x00000303
+#define CKM_CAST_MAC_GENERAL           0x00000304
+#define CKM_CAST_CBC_PAD               0x00000305
+#define CKM_CAST3_KEY_GEN              0x00000310
+#define CKM_CAST3_ECB                  0x00000311
+#define CKM_CAST3_CBC                  0x00000312
+#define CKM_CAST3_MAC                  0x00000313
+#define CKM_CAST3_MAC_GENERAL          0x00000314
+#define CKM_CAST3_CBC_PAD              0x00000315
+#define CKM_CAST5_KEY_GEN              0x00000320
+#define CKM_CAST128_KEY_GEN            0x00000320
+#define CKM_CAST5_ECB                  0x00000321
+#define CKM_CAST128_ECB                0x00000321
+#define CKM_CAST5_CBC                  0x00000322
+#define CKM_CAST128_CBC                0x00000322
+#define CKM_CAST5_MAC                  0x00000323
+#define CKM_CAST128_MAC                0x00000323
+#define CKM_CAST5_MAC_GENERAL          0x00000324
+#define CKM_CAST128_MAC_GENERAL        0x00000324
+#define CKM_CAST5_CBC_PAD              0x00000325
+#define CKM_CAST128_CBC_PAD            0x00000325
+#define CKM_RC5_KEY_GEN                0x00000330
+#define CKM_RC5_ECB                    0x00000331
+#define CKM_RC5_CBC                    0x00000332
+#define CKM_RC5_MAC                    0x00000333
+#define CKM_RC5_MAC_GENERAL            0x00000334
+#define CKM_RC5_CBC_PAD                0x00000335
+#define CKM_IDEA_KEY_GEN               0x00000340
+#define CKM_IDEA_ECB                   0x00000341
+#define CKM_IDEA_CBC                   0x00000342
+#define CKM_IDEA_MAC                   0x00000343
+#define CKM_IDEA_MAC_GENERAL           0x00000344
+#define CKM_IDEA_CBC_PAD               0x00000345
+#define CKM_GENERIC_SECRET_KEY_GEN     0x00000350
+#define CKM_CONCATENATE_BASE_AND_KEY   0x00000360
+#define CKM_CONCATENATE_BASE_AND_DATA  0x00000362
+#define CKM_CONCATENATE_DATA_AND_BASE  0x00000363
+#define CKM_XOR_BASE_AND_DATA          0x00000364
+#define CKM_EXTRACT_KEY_FROM_KEY       0x00000365
+#define CKM_SSL3_PRE_MASTER_KEY_GEN    0x00000370
+#define CKM_SSL3_MASTER_KEY_DERIVE     0x00000371
+#define CKM_SSL3_KEY_AND_MAC_DERIVE    0x00000372
+
+/* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN,
+ * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE,
+ * CKM_TLS_MASTER_KEY_DERIVE_DH, & CKM_SSL3_MASTER_KEY_DERIVE_DH
+ * are new for v2.11. */
+#define CKM_SSL3_MASTER_KEY_DERIVE_DH  0x00000373
+#define CKM_TLS_PRE_MASTER_KEY_GEN     0x00000374
+#define CKM_TLS_MASTER_KEY_DERIVE      0x00000375
+#define CKM_TLS_KEY_AND_MAC_DERIVE     0x00000376
+#define CKM_TLS_MASTER_KEY_DERIVE_DH   0x00000377
+
+#define CKM_SSL3_MD5_MAC               0x00000380
+#define CKM_SSL3_SHA1_MAC              0x00000381
+#define CKM_MD5_KEY_DERIVATION         0x00000390
+#define CKM_MD2_KEY_DERIVATION         0x00000391
+#define CKM_SHA1_KEY_DERIVATION        0x00000392
+#define CKM_PBE_MD2_DES_CBC            0x000003A0
+#define CKM_PBE_MD5_DES_CBC            0x000003A1
+#define CKM_PBE_MD5_CAST_CBC           0x000003A2
+#define CKM_PBE_MD5_CAST3_CBC          0x000003A3
+#define CKM_PBE_MD5_CAST5_CBC          0x000003A4
+#define CKM_PBE_MD5_CAST128_CBC        0x000003A4
+#define CKM_PBE_SHA1_CAST5_CBC         0x000003A5
+#define CKM_PBE_SHA1_CAST128_CBC       0x000003A5
+#define CKM_PBE_SHA1_RC4_128           0x000003A6
+#define CKM_PBE_SHA1_RC4_40            0x000003A7
+#define CKM_PBE_SHA1_DES3_EDE_CBC      0x000003A8
+#define CKM_PBE_SHA1_DES2_EDE_CBC      0x000003A9
+#define CKM_PBE_SHA1_RC2_128_CBC       0x000003AA
+#define CKM_PBE_SHA1_RC2_40_CBC        0x000003AB
+
+/* CKM_PKCS5_PBKD2 is new for v2.10 */
+#define CKM_PKCS5_PBKD2                0x000003B0
+
+#define CKM_PBA_SHA1_WITH_SHA1_HMAC    0x000003C0
+#define CKM_KEY_WRAP_LYNKS             0x00000400
+#define CKM_KEY_WRAP_SET_OAEP          0x00000401
+
+/* Fortezza mechanisms */
+#define CKM_SKIPJACK_KEY_GEN           0x00001000
+#define CKM_SKIPJACK_ECB64             0x00001001
+#define CKM_SKIPJACK_CBC64             0x00001002
+#define CKM_SKIPJACK_OFB64             0x00001003
+#define CKM_SKIPJACK_CFB64             0x00001004
+#define CKM_SKIPJACK_CFB32             0x00001005
+#define CKM_SKIPJACK_CFB16             0x00001006
+#define CKM_SKIPJACK_CFB8              0x00001007
+#define CKM_SKIPJACK_WRAP              0x00001008
+#define CKM_SKIPJACK_PRIVATE_WRAP      0x00001009
+#define CKM_SKIPJACK_RELAYX            0x0000100a
+#define CKM_KEA_KEY_PAIR_GEN           0x00001010
+#define CKM_KEA_KEY_DERIVE             0x00001011
+#define CKM_FORTEZZA_TIMESTAMP         0x00001020
+#define CKM_BATON_KEY_GEN              0x00001030
+#define CKM_BATON_ECB128               0x00001031
+#define CKM_BATON_ECB96                0x00001032
+#define CKM_BATON_CBC128               0x00001033
+#define CKM_BATON_COUNTER              0x00001034
+#define CKM_BATON_SHUFFLE              0x00001035
+#define CKM_BATON_WRAP                 0x00001036
+#define CKM_ECDSA_KEY_PAIR_GEN         0x00001040 /* depricated in v2.11 */
+#define CKM_EC_KEY_PAIR_GEN            0x00001040
+#define CKM_ECDSA                      0x00001041
+#define CKM_ECDSA_SHA1                 0x00001042
+
+/* ECDH1 is new for 2.11 */
+#define CKM_ECDH1_DERIVE               0x00001043
+#define CKM_ECDH1_COFACTOR_DERIVE      0x00001044
+#define CKM_ECMQV_DERIVE               0x00001045
+
+#define CKM_JUNIPER_KEY_GEN            0x00001060
+#define CKM_JUNIPER_ECB128             0x00001061
+#define CKM_JUNIPER_CBC128             0x00001062
+#define CKM_JUNIPER_COUNTER            0x00001063
+#define CKM_JUNIPER_SHUFFLE            0x00001064
+#define CKM_JUNIPER_WRAP               0x00001065
+#define CKM_FASTHASH                   0x00001070
+
+/* AES is new for 2.11 */
+#define CKM_AES_KEY_GEN                0x00001080
+#define CKM_AES_ECB                    0x00001081
+#define CKM_AES_CBC                    0x00001082
+#define CKM_AES_MAC                    0x00001083
+#define CKM_AES_MAC_GENERAL            0x00001084
+#define CKM_AES_CBC_PAD                0x00001085
+
+/* CKM_DSA_PARAMETER_GEN, CKM_DH_PKCS_PARAMETER_GEN,
+ * and CKM_DH_X9_42_PARAMETER_GEN are new for 2.11 */
+#define CKM_DSA_PARAMETER_GEN          0x00002000
+#define CKM_DH_PKCS_PARAMETER_GEN      0x00002001
+#define CKM_DH_X9_42_PARAMETER_GEN     0x00002002
+
+#define CKM_VENDOR_DEFINED             0x80000000
+
+typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
+
+
+/* CK_MECHANISM is a structure that specifies a particular
+ * mechanism  */
+typedef struct CK_MECHANISM {
+  CK_MECHANISM_TYPE mechanism;
+  CK_VOID_PTR       pParameter;
+
+  /* ulParameterLen was changed from CK_USHORT to CK_ULONG for
+   * v2.0 */
+  CK_ULONG          ulParameterLen;  /* in bytes */
+} CK_MECHANISM;
+
+typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
+
+
+/* CK_MECHANISM_INFO provides information about a particular
+ * mechanism */
+typedef struct CK_MECHANISM_INFO {
+    CK_ULONG    ulMinKeySize;
+    CK_ULONG    ulMaxKeySize;
+    CK_FLAGS    flags;
+} CK_MECHANISM_INFO;
+
+/* The flags are defined as follows:
+ *      Bit Flag               Mask        Meaning */
+#define CKF_HW                 0x00000001  /* performed by HW */
+
+/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN,
+ * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER,
+ * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
+ * and CKF_DERIVE are new for v2.0.  They specify whether or not
+ * a mechanism can be used for a particular task */
+/* The flags CKF_EC_FP, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE,
+ * CKF_EC_UNCOMPRESS, and  CKF_EC_COMPRESS are new for v2.11 */
+#define CKF_ENCRYPT            0x00000100
+#define CKF_DECRYPT            0x00000200
+#define CKF_DIGEST             0x00000400
+#define CKF_SIGN               0x00000800
+#define CKF_SIGN_RECOVER       0x00001000
+#define CKF_VERIFY             0x00002000
+#define CKF_VERIFY_RECOVER     0x00004000
+#define CKF_GENERATE           0x00008000
+#define CKF_GENERATE_KEY_PAIR  0x00010000
+#define CKF_WRAP               0x00020000
+#define CKF_UNWRAP             0x00040000
+#define CKF_DERIVE             0x00080000
+#define CKF_EC_FP              0x00100000
+#define CKF_EC_F_2M            0x00200000
+#define CKF_EC_ECPARAMETERS    0x00400000
+#define CKF_EC_NAMEDCURVE      0x00800000
+#define CKF_EC_UNCOMPRESS      0x01000000
+#define CKF_EC_COMPRESS        0x02000000
+
+#define CKF_EXTENSION          0x80000000  /* FALSE for 2.01 */
+
+typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
+
+
+/* CK_RV is a value that identifies the return value of a
+ * PKCS #11 function */
+/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG          CK_RV;
+
+#define CKR_OK                                0x00000000
+#define CKR_CANCEL                            0x00000001
+#define CKR_HOST_MEMORY                       0x00000002
+#define CKR_SLOT_ID_INVALID                   0x00000003
+
+/* CKR_FLAGS_INVALID was removed for v2.0 */
+
+/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
+#define CKR_GENERAL_ERROR                     0x00000005
+#define CKR_FUNCTION_FAILED                   0x00000006
+
+/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
+ * and CKR_CANT_LOCK are new for v2.01 */
+#define CKR_ARGUMENTS_BAD                     0x00000007
+#define CKR_NO_EVENT                          0x00000008
+#define CKR_NEED_TO_CREATE_THREADS            0x00000009
+#define CKR_CANT_LOCK                         0x0000000A
+
+#define CKR_ATTRIBUTE_READ_ONLY               0x00000010
+#define CKR_ATTRIBUTE_SENSITIVE               0x00000011
+#define CKR_ATTRIBUTE_TYPE_INVALID            0x00000012
+#define CKR_ATTRIBUTE_VALUE_INVALID           0x00000013
+#define CKR_DATA_INVALID                      0x00000020
+#define CKR_DATA_LEN_RANGE                    0x00000021
+#define CKR_DEVICE_ERROR                      0x00000030
+#define CKR_DEVICE_MEMORY                     0x00000031
+#define CKR_DEVICE_REMOVED                    0x00000032
+#define CKR_ENCRYPTED_DATA_INVALID            0x00000040
+#define CKR_ENCRYPTED_DATA_LEN_RANGE          0x00000041
+#define CKR_FUNCTION_CANCELED                 0x00000050
+#define CKR_FUNCTION_NOT_PARALLEL             0x00000051
+
+/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
+#define CKR_FUNCTION_NOT_SUPPORTED            0x00000054
+
+#define CKR_KEY_HANDLE_INVALID                0x00000060
+
+/* CKR_KEY_SENSITIVE was removed for v2.0 */
+
+#define CKR_KEY_SIZE_RANGE                    0x00000062
+#define CKR_KEY_TYPE_INCONSISTENT             0x00000063
+
+/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
+ * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
+ * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for
+ * v2.0 */
+#define CKR_KEY_NOT_NEEDED                    0x00000064
+#define CKR_KEY_CHANGED                       0x00000065
+#define CKR_KEY_NEEDED                        0x00000066
+#define CKR_KEY_INDIGESTIBLE                  0x00000067
+#define CKR_KEY_FUNCTION_NOT_PERMITTED        0x00000068
+#define CKR_KEY_NOT_WRAPPABLE                 0x00000069
+#define CKR_KEY_UNEXTRACTABLE                 0x0000006A
+
+/* CKR_KEY_PARAMS_INVALID is new for v2.11 */
+#define CKR_KEY_PARAMS_INVALID                0x0000006B
+
+#define CKR_MECHANISM_INVALID                 0x00000070
+#define CKR_MECHANISM_PARAM_INVALID           0x00000071
+
+/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
+ * were removed for v2.0 */
+#define CKR_OBJECT_HANDLE_INVALID             0x00000082
+#define CKR_OPERATION_ACTIVE                  0x00000090
+#define CKR_OPERATION_NOT_INITIALIZED         0x00000091
+#define CKR_PIN_INCORRECT                     0x000000A0
+#define CKR_PIN_INVALID                       0x000000A1
+#define CKR_PIN_LEN_RANGE                     0x000000A2
+
+/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
+#define CKR_PIN_EXPIRED                       0x000000A3
+#define CKR_PIN_LOCKED                        0x000000A4
+
+#define CKR_SESSION_CLOSED                    0x000000B0
+#define CKR_SESSION_COUNT                     0x000000B1
+#define CKR_SESSION_HANDLE_INVALID            0x000000B3
+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED    0x000000B4
+#define CKR_SESSION_READ_ONLY                 0x000000B5
+#define CKR_SESSION_EXISTS                    0x000000B6
+
+/* CKR_SESSION_READ_ONLY_EXISTS and
+ * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */
+#define CKR_SESSION_READ_ONLY_EXISTS          0x000000B7
+#define CKR_SESSION_READ_WRITE_SO_EXISTS      0x000000B8
+
+#define CKR_SIGNATURE_INVALID                 0x000000C0
+#define CKR_SIGNATURE_LEN_RANGE               0x000000C1
+#define CKR_TEMPLATE_INCOMPLETE               0x000000D0
+#define CKR_TEMPLATE_INCONSISTENT             0x000000D1
+#define CKR_TOKEN_NOT_PRESENT                 0x000000E0
+#define CKR_TOKEN_NOT_RECOGNIZED              0x000000E1
+#define CKR_TOKEN_WRITE_PROTECTED             0x000000E2
+#define CKR_UNWRAPPING_KEY_HANDLE_INVALID     0x000000F0
+#define CKR_UNWRAPPING_KEY_SIZE_RANGE         0x000000F1
+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT  0x000000F2
+#define CKR_USER_ALREADY_LOGGED_IN            0x00000100
+#define CKR_USER_NOT_LOGGED_IN                0x00000101
+#define CKR_USER_PIN_NOT_INITIALIZED          0x00000102
+#define CKR_USER_TYPE_INVALID                 0x00000103
+
+/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
+ * are new to v2.01 */
+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN    0x00000104
+#define CKR_USER_TOO_MANY_TYPES               0x00000105
+
+#define CKR_WRAPPED_KEY_INVALID               0x00000110
+#define CKR_WRAPPED_KEY_LEN_RANGE             0x00000112
+#define CKR_WRAPPING_KEY_HANDLE_INVALID       0x00000113
+#define CKR_WRAPPING_KEY_SIZE_RANGE           0x00000114
+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT    0x00000115
+#define CKR_RANDOM_SEED_NOT_SUPPORTED         0x00000120
+
+/* New for v2.0 */
+#define CKR_RANDOM_NO_RNG                     0x00000121
+
+/* New for v2.11 */
+#define CKR_DOMAIN_PARAMS_INVALID             0x00000130
+
+/* These are new to v2.0 */
+#define CKR_BUFFER_TOO_SMALL                  0x00000150
+#define CKR_SAVED_STATE_INVALID               0x00000160
+#define CKR_INFORMATION_SENSITIVE             0x00000170
+#define CKR_STATE_UNSAVEABLE                  0x00000180
+
+/* These are new to v2.01 */
+#define CKR_CRYPTOKI_NOT_INITIALIZED          0x00000190
+#define CKR_CRYPTOKI_ALREADY_INITIALIZED      0x00000191
+#define CKR_MUTEX_BAD                         0x000001A0
+#define CKR_MUTEX_NOT_LOCKED                  0x000001A1
+
+#define CKR_VENDOR_DEFINED                    0x80000000
+
+
+/* CK_NOTIFY is an application callback that processes events */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_NOTIFICATION   event,
+  CK_VOID_PTR       pApplication  /* passed to C_OpenSession */
+);
+
+
+/* CK_FUNCTION_LIST is a structure holding a PKCS #11 spec
+ * version and pointers of appropriate types to all the
+ * PKCS #11 functions */
+/* CK_FUNCTION_LIST is new for v2.0 */
+typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
+
+typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
+
+typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
+
+
+/* CK_CREATEMUTEX is an application callback for creating a
+ * mutex object */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
+  CK_VOID_PTR_PTR ppMutex  /* location to receive ptr to mutex */
+);
+
+
+/* CK_DESTROYMUTEX is an application callback for destroying a
+ * mutex object */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_LOCKMUTEX is an application callback for locking a mutex */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_UNLOCKMUTEX is an application callback for unlocking a
+ * mutex */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_C_INITIALIZE_ARGS provides the optional arguments to
+ * C_Initialize */
+typedef struct CK_C_INITIALIZE_ARGS {
+  CK_CREATEMUTEX CreateMutex;
+  CK_DESTROYMUTEX DestroyMutex;
+  CK_LOCKMUTEX LockMutex;
+  CK_UNLOCKMUTEX UnlockMutex;
+  CK_FLAGS flags;
+  CK_CHAR_PTR *LibraryParameters;
+  CK_VOID_PTR pReserved;
+} CK_C_INITIALIZE_ARGS;
+
+/* flags: bit flags that provide capabilities of the slot
+ *      Bit Flag                           Mask       Meaning
+ */
+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001
+#define CKF_OS_LOCKING_OK                  0x00000002
+
+typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
+
+
+/* additional flags for parameters to functions */
+
+/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
+#define CKF_DONT_BLOCK     1
+
+/* CK_RSA_PKCS_OAEP_MGF_TYPE is new for v2.10. 
+ * CK_RSA_PKCS_OAEP_MGF_TYPE  is used to indicate the Message 
+ * Generation Function (MGF) applied to a message block when 
+ * formatting a message block for the PKCS #1 OAEP encryption 
+ * scheme. */
+typedef CK_ULONG CK_RSA_PKCS_OAEP_MGF_TYPE;
+
+typedef CK_RSA_PKCS_OAEP_MGF_TYPE CK_PTR CK_RSA_PKCS_OAEP_MGF_TYPE_PTR;
+
+/* The following MGFs are defined */
+#define CKG_MGF1_SHA1         0x00000001
+
+/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is new for v2.10. 
+ * CK_RSA_PKCS_OAEP_SOURCE_TYPE  is used to indicate the source
+ * of the encoding parameter when formatting a message block 
+ * for the PKCS #1 OAEP encryption scheme. */
+typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE;
+
+typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR;
+
+/* The following encoding parameter sources are defined */
+#define CKZ_DATA_SPECIFIED    0x00000001
+
+/* CK_RSA_PKCS_OAEP_PARAMS is new for v2.10.
+ * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the 
+ * CKM_RSA_PKCS_OAEP mechanism. */
+typedef struct CK_RSA_PKCS_OAEP_PARAMS {
+       CK_MECHANISM_TYPE hashAlg;
+       CK_RSA_PKCS_OAEP_MGF_TYPE mgf;
+       CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
+       CK_VOID_PTR pSourceData;
+       CK_ULONG ulSourceDataLen;
+} CK_RSA_PKCS_OAEP_PARAMS;
+
+typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR;
+
+/* CK_KEA_DERIVE_PARAMS provides the parameters to the
+ * CKM_KEA_DERIVE mechanism */
+/* CK_KEA_DERIVE_PARAMS is new for v2.0 */
+typedef struct CK_KEA_DERIVE_PARAMS {
+  CK_BBOOL      isSender;
+  CK_ULONG      ulRandomLen;
+  CK_BYTE_PTR   pRandomA;
+  CK_BYTE_PTR   pRandomB;
+  CK_ULONG      ulPublicDataLen;
+  CK_BYTE_PTR   pPublicData;
+} CK_KEA_DERIVE_PARAMS;
+
+typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
+
+
+/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
+ * CKM_RC2_MAC mechanisms.  An instance of CK_RC2_PARAMS just
+ * holds the effective keysize */
+typedef CK_ULONG          CK_RC2_PARAMS;
+
+typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
+
+
+/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
+ * mechanism */
+typedef struct CK_RC2_CBC_PARAMS {
+  /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for
+   * v2.0 */
+  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
+
+  CK_BYTE       iv[8];            /* IV for CBC mode */
+} CK_RC2_CBC_PARAMS;
+
+typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
+
+
+/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC2_MAC_GENERAL mechanism */
+/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef struct CK_RC2_MAC_GENERAL_PARAMS {
+  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
+  CK_ULONG      ulMacLength;      /* Length of MAC in bytes */
+} CK_RC2_MAC_GENERAL_PARAMS;
+
+typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
+  CK_RC2_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
+ * CKM_RC5_MAC mechanisms */
+/* CK_RC5_PARAMS is new for v2.0 */
+typedef struct CK_RC5_PARAMS {
+  CK_ULONG      ulWordsize;  /* wordsize in bits */
+  CK_ULONG      ulRounds;    /* number of rounds */
+} CK_RC5_PARAMS;
+
+typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
+
+
+/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
+ * mechanism */
+/* CK_RC5_CBC_PARAMS is new for v2.0 */
+typedef struct CK_RC5_CBC_PARAMS {
+  CK_ULONG      ulWordsize;  /* wordsize in bits */
+  CK_ULONG      ulRounds;    /* number of rounds */
+  CK_BYTE_PTR   pIv;         /* pointer to IV */
+  CK_ULONG      ulIvLen;     /* length of IV in bytes */
+} CK_RC5_CBC_PARAMS;
+
+typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
+
+
+/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC5_MAC_GENERAL mechanism */
+/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef struct CK_RC5_MAC_GENERAL_PARAMS {
+  CK_ULONG      ulWordsize;   /* wordsize in bits */
+  CK_ULONG      ulRounds;     /* number of rounds */
+  CK_ULONG      ulMacLength;  /* Length of MAC in bytes */
+} CK_RC5_MAC_GENERAL_PARAMS;
+
+typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
+  CK_RC5_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
+ * ciphers' MAC_GENERAL mechanisms.  Its value is the length of
+ * the MAC */
+/* CK_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef CK_ULONG          CK_MAC_GENERAL_PARAMS;
+
+typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_PRIVATE_WRAP mechanism */
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */
+typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
+  CK_ULONG      ulPasswordLen;
+  CK_BYTE_PTR   pPassword;
+  CK_ULONG      ulPublicDataLen;
+  CK_BYTE_PTR   pPublicData;
+  CK_ULONG      ulPAndGLen;
+  CK_ULONG      ulQLen;
+  CK_ULONG      ulRandomLen;
+  CK_BYTE_PTR   pRandomA;
+  CK_BYTE_PTR   pPrimeP;
+  CK_BYTE_PTR   pBaseG;
+  CK_BYTE_PTR   pSubprimeQ;
+} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
+
+typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
+  CK_SKIPJACK_PRIVATE_WRAP_PTR;
+
+
+/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_RELAYX mechanism */
+/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */
+typedef struct CK_SKIPJACK_RELAYX_PARAMS {
+  CK_ULONG      ulOldWrappedXLen;
+  CK_BYTE_PTR   pOldWrappedX;
+  CK_ULONG      ulOldPasswordLen;
+  CK_BYTE_PTR   pOldPassword;
+  CK_ULONG      ulOldPublicDataLen;
+  CK_BYTE_PTR   pOldPublicData;
+  CK_ULONG      ulOldRandomLen;
+  CK_BYTE_PTR   pOldRandomA;
+  CK_ULONG      ulNewPasswordLen;
+  CK_BYTE_PTR   pNewPassword;
+  CK_ULONG      ulNewPublicDataLen;
+  CK_BYTE_PTR   pNewPublicData;
+  CK_ULONG      ulNewRandomLen;
+  CK_BYTE_PTR   pNewRandomA;
+} CK_SKIPJACK_RELAYX_PARAMS;
+
+typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
+  CK_SKIPJACK_RELAYX_PARAMS_PTR;
+
+
+typedef struct CK_PBE_PARAMS {
+  CK_CHAR_PTR  pInitVector;
+  CK_CHAR_PTR  pPassword;
+  CK_ULONG     ulPasswordLen;
+  CK_CHAR_PTR  pSalt;
+  CK_ULONG     ulSaltLen;
+  CK_ULONG     ulIteration;
+} CK_PBE_PARAMS;
+
+typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
+
+
+/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
+ * CKM_KEY_WRAP_SET_OAEP mechanism */
+/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */
+typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
+  CK_BYTE       bBC;     /* block contents byte */
+  CK_BYTE_PTR   pX;      /* extra data */
+  CK_ULONG      ulXLen;  /* length of extra data in bytes */
+} CK_KEY_WRAP_SET_OAEP_PARAMS;
+
+typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \
+  CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
+
+
+typedef struct CK_SSL3_RANDOM_DATA {
+  CK_BYTE_PTR  pClientRandom;
+  CK_ULONG     ulClientRandomLen;
+  CK_BYTE_PTR  pServerRandom;
+  CK_ULONG     ulServerRandomLen;
+} CK_SSL3_RANDOM_DATA;
+
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
+  CK_SSL3_RANDOM_DATA RandomInfo;
+  CK_VERSION_PTR pVersion;
+} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+  CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_OUT {
+  CK_OBJECT_HANDLE hClientMacSecret;
+  CK_OBJECT_HANDLE hServerMacSecret;
+  CK_OBJECT_HANDLE hClientKey;
+  CK_OBJECT_HANDLE hServerKey;
+  CK_BYTE_PTR      pIVClient;
+  CK_BYTE_PTR      pIVServer;
+} CK_SSL3_KEY_MAT_OUT;
+
+typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_PARAMS {
+  CK_ULONG                ulMacSizeInBits;
+  CK_ULONG                ulKeySizeInBits;
+  CK_ULONG                ulIVSizeInBits;
+  CK_BBOOL                bIsExport;
+  CK_SSL3_RANDOM_DATA     RandomInfo;
+  CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_SSL3_KEY_MAT_PARAMS;
+
+typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
+
+
+typedef struct CK_KEY_DERIVATION_STRING_DATA {
+  CK_BYTE_PTR pData;
+  CK_ULONG    ulLen;
+} CK_KEY_DERIVATION_STRING_DATA;
+
+typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
+  CK_KEY_DERIVATION_STRING_DATA_PTR;
+
+
+/* The CK_EXTRACT_PARAMS is used for the
+ * CKM_EXTRACT_KEY_FROM_KEY mechanism.  It specifies which bit
+ * of the base key should be used as the first bit of the
+ * derived key */
+/* CK_EXTRACT_PARAMS is new for v2.0 */
+typedef CK_ULONG CK_EXTRACT_PARAMS;
+
+typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
+
+/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is new for v2.10.
+ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to 
+ * indicate the Pseudo-Random Function (PRF) used to generate 
+ * key bits using PKCS #5 PBKDF2. */
+typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE;
+
+typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR;
+
+/* The following PRFs are defined in PKCS #5 v2.0. */
+#define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001
+
+
+/* CK_PKCS5_PBKD2_SALT_SOURCE_TYPE is new for v2.10.
+ * CK_PKCS5_PBKD2_SALT_SOURCE_TYPE is used to indicate the 
+ * source of the salt value when deriving a key using PKCS #5 
+ * PBKDF2. */
+typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE;
+
+typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR;
+
+/* The following salt value sources are defined in PKCS #5 v2.0. */
+#define CKZ_SALT_SPECIFIED        0x00000001
+
+/* CK_PKCS5_PBKD2_PARAMS is new for v2.10.
+ * CK_PKCS5_PBKD2_PARAMS is a structure that provides the 
+ * parameters to the CKM_PKCS5_PBKD2 mechanism. */
+typedef struct CK_PKCS5_PBKD2_PARAMS {
+       CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
+       CK_VOID_PTR pSaltSourceData;
+       CK_ULONG ulSaltSourceDataLen;
+       CK_ULONG iterations;
+       CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+       CK_VOID_PTR pPrfData;
+       CK_ULONG ulPrfDataLen;
+} CK_PKCS5_PBKD2_PARAMS;
+ 
+typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR;
+
+/* Netscape Specific defines */
+#include "pkcs11n.h"
+
+/* undo packing */
+#include "pkcs11u.h"
+
+#endif
diff --git a/security/nss/lib/softoken/pkcs11u.c b/security/nss/lib/softoken/pkcs11u.c
new file mode 100644
index 000000000..2dd69ed39
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11u.c
@@ -0,0 +1,2667 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * Internal PKCS #11 functions. Should only be called by pkcs11.c
+ */
+#include "pkcs11.h"
+#include "pkcs11i.h"
+#include "pcertt.h"
+#include "lowkeyi.h"
+#include "pcert.h"
+#include "secasn1.h"
+#include "blapi.h"
+
+/*
+ * ******************** Attribute Utilities *******************************
+ */
+
+/*
+ * create a new attribute with type, value, and length. Space is allocated
+ * to hold value.
+ */
+static PK11Attribute *
+pk11_NewAttribute(PK11Object *object,
+	CK_ATTRIBUTE_TYPE type, CK_VOID_PTR value, CK_ULONG len)
+{
+    PK11Attribute *attribute;
+
+#ifdef PKCS11_STATIC_ATTRIBUTES
+    PK11SessionObject *so = pk11_narrowToSessionObject(object);
+    int index;
+
+    if (so == NULL)  {
+	/* allocate new attribute in a buffer */
+	PORT_Assert(0);
+    }
+    /* 
+     * PKCS11_STATIC_ATTRIBUTES attempts to keep down contention on Malloc and Arena locks
+     * by limiting the number of these calls on high traversed paths. this
+     * is done for attributes by 'allocating' them from a pool already allocated
+     * by the parent object.
+     */
+    PK11_USE_THREADS(PZ_Lock(so->attributeLock);)
+    index = so->nextAttr++;
+    PK11_USE_THREADS(PZ_Unlock(so->attributeLock);)
+    PORT_Assert(index < MAX_OBJS_ATTRS);
+    if (index >= MAX_OBJS_ATTRS) return NULL;
+
+    attribute = &so->attrList[index];
+    attribute->attrib.type = type;
+    attribute->freeAttr = PR_FALSE;
+    attribute->freeData = PR_FALSE;
+    if (value) {
+        if (len <= ATTR_SPACE) {
+	    attribute->attrib.pValue = attribute->space;
+	} else {
+	    attribute->attrib.pValue = PORT_Alloc(len);
+    	    attribute->freeData = PR_TRUE;
+	}
+	if (attribute->attrib.pValue == NULL) {
+	    return NULL;
+	}
+	PORT_Memcpy(attribute->attrib.pValue,value,len);
+	attribute->attrib.ulValueLen = len;
+    } else {
+	attribute->attrib.pValue = NULL;
+	attribute->attrib.ulValueLen = 0;
+    }
+#else
+#ifdef PKCS11_REF_COUNT_ATTRIBUTES
+    attribute = (PK11Attribute*)PORT_Alloc(sizeof(PK11Attribute));
+    attribute->freeAttr = PR_TRUE;
+#else
+    attribute = (PK11Attribute*)PORT_ArenaAlloc(object->arena,sizeof(PK11Attribute));
+    attribute->freeAttr = PR_FALSE;
+#endif /* PKCS11_REF_COUNT_ATTRIBUTES */
+    if (attribute == NULL) return NULL;
+    attribute->freeData = PR_FALSE;
+
+    if (value) {
+#ifdef PKCS11_REF_COUNT_ATTRIBUTES
+	attribute->attrib.pValue = PORT_Alloc(len);
+	attribute->freeData = PR_TRUE;
+#else
+	attribute->attrib.pValue = PORT_ArenaAlloc(object->arena,len);
+#endif /* PKCS11_REF_COUNT_ATTRIBUTES */
+	if (attribute->attrib.pValue == NULL) {
+#ifdef PKCS11_REF_COUNT_ATTRIBUTES
+	    PORT_Free(attribute);
+#endif /* PKCS11_REF_COUNT_ATTRIBUTES */
+	    return NULL;
+	}
+	PORT_Memcpy(attribute->attrib.pValue,value,len);
+	attribute->attrib.ulValueLen = len;
+    } else {
+	attribute->attrib.pValue = NULL;
+	attribute->attrib.ulValueLen = 0;
+    }
+#endif /* PKCS11_STATIC_ATTRIBUTES */
+    attribute->attrib.type = type;
+    attribute->handle = type;
+    attribute->next = attribute->prev = NULL;
+#ifdef PKCS11_REF_COUNT_ATTRIBUTES
+    attribute->refCount = 1;
+#ifdef PKCS11_USE_THREADS
+    attribute->refLock = PZ_NewLock(nssILockRefLock);
+    if (attribute->refLock == NULL) {
+	if (attribute->attrib.pValue) PORT_Free(attribute->attrib.pValue);
+	PORT_Free(attribute);
+	return NULL;
+    }
+#else
+    attribute->refLock = NULL;
+#endif
+#endif /* PKCS11_REF_COUNT_ATTRIBUTES */
+    return attribute;
+}
+
+static PK11Attribute *
+pk11_NewTokenAttribute(CK_ATTRIBUTE_TYPE type, CK_VOID_PTR value,
+						CK_ULONG len, PRBool copy)
+{
+    PK11Attribute *attribute;
+
+    attribute = (PK11Attribute*)PORT_Alloc(sizeof(PK11Attribute));
+
+    if (attribute == NULL) return NULL;
+    attribute->attrib.type = type;
+    attribute->handle = type;
+    attribute->next = attribute->prev = NULL;
+    attribute->freeAttr = PR_TRUE;
+    attribute->freeData = PR_FALSE;
+#ifdef PKCS11_REF_COUNT_ATTRIBUTES
+    attribute->refCount = 1;
+#ifdef PKCS11_USE_THREADS
+    attribute->refLock = PZ_NewLock(nssILockRefLock);
+    if (attribute->refLock == NULL) {
+	PORT_Free(attribute);
+	return NULL;
+    }
+#else
+    attribute->refLock = NULL;
+#endif
+#endif /* PKCS11_REF_COUNT_ATTRIBUTES */
+    attribute->attrib.type = type;
+    if (!copy) {
+	attribute->attrib.pValue = value;
+	attribute->attrib.ulValueLen = len;
+	return attribute;
+    }
+
+    if (value) {
+#ifdef PKCS11_STATIC_ATTRIBUTES
+        if (len <= ATTR_SPACE) {
+	    attribute->attrib.pValue = attribute->space;
+	} else {
+	    attribute->attrib.pValue = PORT_Alloc(len);
+	    attribute->freeData = PR_TRUE;
+	}
+#else
+	attribute->attrib.pValue = PORT_Alloc(len);
+	attribute->freeData = PR_TRUE;
+#endif
+	if (attribute->attrib.pValue == NULL) {
+#ifdef PKCS11_REF_COUNT_ATTRIBUTES
+	    if (attribute->refLock) {
+		PK11_USE_THREADS(PZ_DestroyLock(attribute->refLock);)
+	    }
+#endif
+	    PORT_Free(attribute);
+	    return NULL;
+	}
+	PORT_Memcpy(attribute->attrib.pValue,value,len);
+	attribute->attrib.ulValueLen = len;
+    } else {
+	attribute->attrib.pValue = NULL;
+	attribute->attrib.ulValueLen = 0;
+    }
+    return attribute;
+}
+
+static PK11Attribute *
+pk11_NewTokenAttributeSigned(CK_ATTRIBUTE_TYPE type, CK_VOID_PTR value, 
+						CK_ULONG len, PRBool copy)
+{
+    unsigned char * dval = (unsigned char *)value;
+    if (*dval == 0) {
+	dval++;
+	len--;
+    }
+    return pk11_NewTokenAttribute(type,dval,len,copy);
+}
+
+/*
+ * Free up all the memory associated with an attribute. Reference count
+ * must be zero to call this.
+ */
+static void
+pk11_DestroyAttribute(PK11Attribute *attribute)
+{
+#ifdef PKCS11_REF_COUNT_ATTRIBUTES
+    PORT_Assert(attribute->refCount == 0);
+    PK11_USE_THREADS(PZ_DestroyLock(attribute->refLock);)
+#endif
+    if (attribute->freeData) {
+	if (attribute->attrib.pValue) {
+	    /* clear out the data in the attribute value... it may have been
+	     * sensitive data */
+	    PORT_Memset(attribute->attrib.pValue, 0,
+						attribute->attrib.ulValueLen);
+	}
+	PORT_Free(attribute->attrib.pValue);
+    }
+    PORT_Free(attribute);
+}
+
+/*
+ * release a reference to an attribute structure
+ */
+void
+pk11_FreeAttribute(PK11Attribute *attribute)
+{
+#ifdef PKCS11_REF_COUNT_ATTRIBUTES
+    PRBool destroy = PR_FALSE;
+#endif
+
+    if (attribute->freeAttr) {
+	pk11_DestroyAttribute(attribute);
+	return;
+    }
+
+#ifdef PKCS11_REF_COUNT_ATTRIBUTES
+    PK11_USE_THREADS(PZ_Lock(attribute->refLock);)
+    if (attribute->refCount == 1) destroy = PR_TRUE;
+    attribute->refCount--;
+    PK11_USE_THREADS(PZ_Unlock(attribute->refLock);)
+
+    if (destroy) pk11_DestroyAttribute(attribute);
+#endif
+}
+
+#ifdef PKCS11_REF_COUNT_ATTRIBUTES
+#define PK11_DEF_ATTRIBUTE(value,len) \
+   { NULL, NULL, PR_FALSE, PR_FALSE, 1, NULL, 0, { 0, value, len } }
+
+#else
+#define PK11_DEF_ATTRIBUTE(value,len) \
+   { NULL, NULL, PR_FALSE, PR_FALSE, 0, { 0, value, len } }
+#endif
+
+CK_BBOOL pk11_staticTrueValue = CK_TRUE;
+CK_BBOOL pk11_staticFalseValue = CK_FALSE;
+static const PK11Attribute pk11_StaticTrueAttr = 
+  PK11_DEF_ATTRIBUTE(&pk11_staticTrueValue,sizeof(pk11_staticTrueValue));
+static const PK11Attribute pk11_StaticFalseAttr = 
+  PK11_DEF_ATTRIBUTE(&pk11_staticFalseValue,sizeof(pk11_staticFalseValue));
+static const PK11Attribute pk11_StaticNullAttr = PK11_DEF_ATTRIBUTE(NULL,0);
+
+CK_CERTIFICATE_TYPE pk11_staticX509Value = CKC_X_509;
+static const PK11Attribute pk11_StaticX509Attr =
+  PK11_DEF_ATTRIBUTE(&pk11_staticX509Value, sizeof(pk11_staticX509Value));
+CK_TRUST pk11_staticTrustedValue = CKT_NETSCAPE_TRUSTED;
+CK_TRUST pk11_staticTrustedDelegatorValue = CKT_NETSCAPE_TRUSTED_DELEGATOR;
+CK_TRUST pk11_staticValidDelegatorValue = CKT_NETSCAPE_VALID_DELEGATOR;
+CK_TRUST pk11_staticUnTrustedValue = CKT_NETSCAPE_UNTRUSTED;
+CK_TRUST pk11_staticTrustUnknownValue = CKT_NETSCAPE_TRUST_UNKNOWN;
+CK_TRUST pk11_staticValidPeerValue = CKT_NETSCAPE_VALID;
+CK_TRUST pk11_staticMustVerifyValue = CKT_NETSCAPE_MUST_VERIFY;
+static const PK11Attribute pk11_StaticTrustedAttr =
+  PK11_DEF_ATTRIBUTE(&pk11_staticTrustedValue,
+				sizeof(pk11_staticTrustedValue));
+static const PK11Attribute pk11_StaticTrustedDelegatorAttr =
+  PK11_DEF_ATTRIBUTE(&pk11_staticTrustedDelegatorValue,
+				sizeof(pk11_staticTrustedDelegatorValue));
+static const PK11Attribute pk11_StaticValidDelegatorAttr =
+  PK11_DEF_ATTRIBUTE(&pk11_staticValidDelegatorValue,
+				sizeof(pk11_staticValidDelegatorValue));
+static const PK11Attribute pk11_StaticUnTrustedAttr =
+  PK11_DEF_ATTRIBUTE(&pk11_staticUnTrustedValue,
+				sizeof(pk11_staticUnTrustedValue));
+static const PK11Attribute pk11_StaticTrustUnknownAttr =
+  PK11_DEF_ATTRIBUTE(&pk11_staticTrustUnknownValue,
+				sizeof(pk11_staticTrustUnknownValue));
+static const PK11Attribute pk11_StaticValidPeerAttr =
+  PK11_DEF_ATTRIBUTE(&pk11_staticValidPeerValue,
+				sizeof(pk11_staticValidPeerValue));
+static const PK11Attribute pk11_StaticMustVerifyAttr =
+  PK11_DEF_ATTRIBUTE(&pk11_staticMustVerifyValue,
+				sizeof(pk11_staticMustVerifyValue));
+
+static void pk11_FreeItem(SECItem *item)
+{
+    SECITEM_FreeItem(item, PR_TRUE);
+}
+
+static certDBEntrySMime *
+pk11_getSMime(PK11TokenObject *object)
+{
+    certDBEntrySMime *entry;
+
+    if (object->obj.objclass != CKO_NETSCAPE_SMIME) {
+	return NULL;
+    }
+    if (object->obj.objectInfo) {
+	return (certDBEntrySMime *)object->obj.objectInfo;
+    }
+
+    entry = nsslowcert_ReadDBSMimeEntry(object->obj.slot->certDB,
+						(char *)object->dbKey.data);
+    object->obj.objectInfo = (void *)entry;
+    object->obj.infoFree = (PK11Free) nsslowcert_DestroyDBEntry;
+    return entry;
+}
+
+static SECItem *
+pk11_getCrl(PK11TokenObject *object)
+{
+    SECItem *crl;
+    PRBool isKrl;
+
+    if (object->obj.objclass != CKO_NETSCAPE_CRL) {
+	return NULL;
+    }
+    if (object->obj.objectInfo) {
+	return (SECItem *)object->obj.objectInfo;
+    }
+
+    isKrl = (PRBool) object->obj.handle == PK11_TOKEN_KRL_HANDLE;
+    crl = nsslowcert_FindCrlByKey(object->obj.slot->certDB,&object->dbKey,
+								NULL,isKrl);
+    object->obj.objectInfo = (void *)crl;
+    object->obj.infoFree = (PK11Free) pk11_FreeItem;
+    return crl;
+}
+
+static char *
+pk11_getUrl(PK11TokenObject *object)
+{
+    SECItem *crl;
+    PRBool isKrl;
+    char *url = NULL;
+
+    if (object->obj.objclass != CKO_NETSCAPE_CRL) {
+	return NULL;
+    }
+
+    isKrl = (PRBool) object->obj.handle == PK11_TOKEN_KRL_HANDLE;
+    crl = nsslowcert_FindCrlByKey(object->obj.slot->certDB,&object->dbKey,
+								&url,isKrl);
+    if (object->obj.objectInfo == NULL) {
+	object->obj.objectInfo = (void *)crl;
+	object->obj.infoFree = (PK11Free) pk11_FreeItem;
+    } else {
+	if (crl) SECITEM_FreeItem(crl,PR_TRUE);
+    }
+    return url;
+}
+
+static NSSLOWCERTCertificate *
+pk11_getCert(PK11TokenObject *object)
+{
+    NSSLOWCERTCertificate *cert;
+
+    if ((object->obj.objclass != CKO_CERTIFICATE) &&
+	 		(object->obj.objclass != CKO_NETSCAPE_TRUST)) {
+	return NULL;
+    }
+    if (object->obj.objectInfo) {
+	return (NSSLOWCERTCertificate *)object->obj.objectInfo;
+    }
+    cert = nsslowcert_FindCertByKey(object->obj.slot->certDB,&object->dbKey);
+    object->obj.objectInfo = (void *)cert;
+    object->obj.infoFree = (PK11Free) nsslowcert_DestroyCertificate ;
+    return cert;
+}
+
+static NSSLOWKEYPublicKey *
+pk11_GetPublicKey(PK11TokenObject *object)
+{
+    NSSLOWKEYPublicKey *pubKey;
+    NSSLOWKEYPrivateKey *privKey;
+
+    if (object->obj.objclass != CKO_PUBLIC_KEY) {
+	return NULL;
+    }
+    if (object->obj.objectInfo) {
+	return (NSSLOWKEYPublicKey *)object->obj.objectInfo;
+    }
+    privKey = nsslowkey_FindKeyByPublicKey(object->obj.slot->keyDB,
+				&object->dbKey, object->obj.slot->password);
+    if (privKey == NULL) {
+	return NULL;
+    }
+    pubKey = nsslowkey_ConvertToPublicKey(privKey);
+    nsslowkey_DestroyPrivateKey(privKey);
+    object->obj.objectInfo = (void *) pubKey;
+    object->obj.infoFree = (PK11Free) nsslowkey_DestroyPublicKey ;
+    return pubKey;
+}
+
+static NSSLOWKEYPrivateKey *
+pk11_GetPrivateKey(PK11TokenObject *object)
+{
+    NSSLOWKEYPrivateKey *privKey;
+
+    if ((object->obj.objclass != CKO_PRIVATE_KEY) && 
+			(object->obj.objclass != CKO_SECRET_KEY)) {
+	return NULL;
+    }
+    if (object->obj.objectInfo) {
+	return (NSSLOWKEYPrivateKey *)object->obj.objectInfo;
+    }
+    privKey = nsslowkey_FindKeyByPublicKey(object->obj.slot->keyDB,
+				&object->dbKey, object->obj.slot->password);
+    if (privKey == NULL) {
+	return NULL;
+    }
+    object->obj.objectInfo = (void *) privKey;
+    object->obj.infoFree = (PK11Free) nsslowkey_DestroyPrivateKey ;
+    return privKey;
+}
+
+/* pk11_GetPubItem returns data associated with the public key.
+ * one only needs to free the public key. This comment is here
+ * because this sematic would be non-obvious otherwise. All callers
+ * should include this comment.
+ */
+static SECItem *
+pk11_GetPubItem(NSSLOWKEYPublicKey *pubKey) {
+    SECItem *pubItem = NULL;
+    /* get value to compare from the cert's public key */
+    switch ( pubKey->keyType ) {
+    case NSSLOWKEYRSAKey:
+	    pubItem = &pubKey->u.rsa.modulus;
+	    break;
+    case NSSLOWKEYDSAKey:
+	    pubItem = &pubKey->u.dsa.publicValue;
+	    break;
+    case NSSLOWKEYDHKey:
+	    pubItem = &pubKey->u.dh.publicValue;
+	    break;
+    default:
+	    break;
+    }
+    return pubItem;
+}
+
+static const SEC_ASN1Template pk11_SerialTemplate[] = {
+    { SEC_ASN1_INTEGER, offsetof(NSSLOWCERTCertificate,serialNumber) },
+    { 0 }
+};
+
+static PK11Attribute *
+pk11_FindRSAPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type)
+{
+    unsigned char hash[SHA1_LENGTH];
+    CK_KEY_TYPE keyType = CKK_RSA;
+
+    switch (type) {
+    case CKA_KEY_TYPE:
+	return pk11_NewTokenAttribute(type,&keyType,sizeof(keyType), PR_TRUE);
+    case CKA_ID:
+	SHA1_HashBuf(hash,key->u.rsa.modulus.data,key->u.rsa.modulus.len);
+	return pk11_NewTokenAttribute(type,hash,SHA1_LENGTH, PR_TRUE);
+    case CKA_DERIVE:
+	return (PK11Attribute *) &pk11_StaticFalseAttr;
+    case CKA_ENCRYPT:
+    case CKA_VERIFY:
+    case CKA_VERIFY_RECOVER:
+    case CKA_WRAP:
+	return (PK11Attribute *) &pk11_StaticTrueAttr;
+    case CKA_MODULUS:
+	return pk11_NewTokenAttributeSigned(type,key->u.rsa.modulus.data,
+					key->u.rsa.modulus.len, PR_FALSE);
+    case CKA_PUBLIC_EXPONENT:
+	return pk11_NewTokenAttributeSigned(type,key->u.rsa.publicExponent.data,
+				key->u.rsa.publicExponent.len, PR_FALSE);
+    default:
+	break;
+    }
+    return NULL;
+}
+
+static PK11Attribute *
+pk11_FindDSAPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type)
+{
+    unsigned char hash[SHA1_LENGTH];
+    CK_KEY_TYPE keyType = CKK_DSA;
+
+    switch (type) {
+    case CKA_KEY_TYPE:
+	return pk11_NewTokenAttribute(type,&keyType,sizeof(keyType), PR_TRUE);
+    case CKA_ID:
+	SHA1_HashBuf(hash,key->u.dsa.publicValue.data,
+						key->u.dsa.publicValue.len);
+	return pk11_NewTokenAttribute(type,hash,SHA1_LENGTH, PR_TRUE);
+    case CKA_DERIVE:
+    case CKA_ENCRYPT:
+    case CKA_VERIFY_RECOVER:
+    case CKA_WRAP:
+	return (PK11Attribute *) &pk11_StaticFalseAttr;
+    case CKA_VERIFY:
+	return (PK11Attribute *) &pk11_StaticTrueAttr;
+    case CKA_VALUE:
+	return pk11_NewTokenAttributeSigned(type,key->u.dsa.publicValue.data,
+					key->u.dsa.publicValue.len, PR_FALSE);
+    case CKA_PRIME:
+	return pk11_NewTokenAttributeSigned(type,key->u.dsa.params.prime.data,
+					key->u.dsa.params.prime.len, PR_FALSE);
+    case CKA_SUBPRIME:
+	return pk11_NewTokenAttributeSigned(type,
+				key->u.dsa.params.subPrime.data,
+				key->u.dsa.params.subPrime.len, PR_FALSE);
+    case CKA_BASE:
+	return pk11_NewTokenAttributeSigned(type,key->u.dsa.params.base.data,
+					key->u.dsa.params.base.len, PR_FALSE);
+    default:
+	break;
+    }
+    return NULL;
+}
+
+static PK11Attribute *
+pk11_FindDHPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type)
+{
+    unsigned char hash[SHA1_LENGTH];
+    CK_KEY_TYPE keyType = CKK_DH;
+
+    switch (type) {
+    case CKA_KEY_TYPE:
+	return pk11_NewTokenAttribute(type,&keyType,sizeof(keyType), PR_TRUE);
+    case CKA_ID:
+	SHA1_HashBuf(hash,key->u.dh.publicValue.data,key->u.dh.publicValue.len);
+	return pk11_NewTokenAttribute(type,hash,SHA1_LENGTH, PR_TRUE);
+    case CKA_DERIVE:
+	return (PK11Attribute *) &pk11_StaticTrueAttr;
+    case CKA_ENCRYPT:
+    case CKA_VERIFY:
+    case CKA_VERIFY_RECOVER:
+    case CKA_WRAP:
+	return (PK11Attribute *) &pk11_StaticFalseAttr;
+    case CKA_VALUE:
+	return pk11_NewTokenAttributeSigned(type,key->u.dh.publicValue.data,
+					key->u.dh.publicValue.len, PR_FALSE);
+    case CKA_PRIME:
+	return pk11_NewTokenAttributeSigned(type,key->u.dh.prime.data,
+					key->u.dh.prime.len, PR_FALSE);
+    case CKA_BASE:
+	return pk11_NewTokenAttributeSigned(type,key->u.dh.base.data,
+					key->u.dh.base.len, PR_FALSE);
+    default:
+	break;
+    }
+    return NULL;
+}
+
+static PK11Attribute *
+pk11_FindPublicKeyAttribute(PK11TokenObject *object, CK_ATTRIBUTE_TYPE type)
+{
+    NSSLOWKEYPublicKey *key;
+    PK11Attribute *att = NULL;
+    char *label;
+
+    switch (type) {
+    case CKA_PRIVATE:
+    case CKA_SENSITIVE:
+    case CKA_ALWAYS_SENSITIVE:
+    case CKA_NEVER_EXTRACTABLE:
+	return (PK11Attribute *) &pk11_StaticFalseAttr;
+    case CKA_MODIFIABLE:
+    case CKA_EXTRACTABLE:
+	return (PK11Attribute *) &pk11_StaticTrueAttr;
+    case CKA_LABEL:
+        label = nsslowkey_FindKeyNicknameByPublicKey(object->obj.slot->keyDB,
+				&object->dbKey, object->obj.slot->password);
+	if (label == NULL) {
+	   return (PK11Attribute *)&pk11_StaticNullAttr;
+	}
+	att = pk11_NewTokenAttribute(type,label,PORT_Strlen(label), PR_TRUE);
+	PORT_Free(label);
+	return att;
+    default:
+	break;
+    }
+
+    key = pk11_GetPublicKey(object);
+    if (key == NULL) {
+	return NULL;
+    }
+
+    switch (key->keyType) {
+    case NSSLOWKEYRSAKey:
+	return pk11_FindRSAPublicKeyAttribute(key,type);
+    case NSSLOWKEYDSAKey:
+	return pk11_FindDSAPublicKeyAttribute(key,type);
+    case NSSLOWKEYDHKey:
+	return pk11_FindDHPublicKeyAttribute(key,type);
+    default:
+	break;
+    }
+
+    return NULL;
+}
+
+static PK11Attribute *
+pk11_FindSecretKeyAttribute(PK11TokenObject *object, CK_ATTRIBUTE_TYPE type)
+{
+    NSSLOWKEYPrivateKey *key;
+    char *label;
+    PK11Attribute *att;
+
+    switch (type) {
+    case CKA_PRIVATE:
+    case CKA_SENSITIVE:
+    case CKA_ALWAYS_SENSITIVE:
+    case CKA_EXTRACTABLE:
+    case CKA_DERIVE:
+    case CKA_ENCRYPT:
+    case CKA_DECRYPT:
+    case CKA_SIGN:
+    case CKA_VERIFY:
+    case CKA_WRAP:
+    case CKA_UNWRAP:
+	return (PK11Attribute *) &pk11_StaticTrueAttr;
+    case CKA_NEVER_EXTRACTABLE:
+    case CKA_MODIFIABLE:
+	return (PK11Attribute *) &pk11_StaticFalseAttr;
+    case CKA_LABEL:
+        label = nsslowkey_FindKeyNicknameByPublicKey(object->obj.slot->keyDB,
+				&object->dbKey, object->obj.slot->password);
+	if (label == NULL) {
+	   return (PK11Attribute *)&pk11_StaticNullAttr;
+	}
+	att = pk11_NewTokenAttribute(type,label,PORT_Strlen(label), PR_TRUE);
+	PORT_Free(label);
+	return att;
+    default:
+	break;
+    }
+
+    key = pk11_GetPrivateKey(object);
+    if (key == NULL) {
+	return NULL;
+    }
+    switch (type) {
+    case CKA_KEY_TYPE:
+	return pk11_NewTokenAttribute(type,key->u.rsa.coefficient.data,
+					key->u.rsa.coefficient.len, PR_FALSE);
+    case CKA_VALUE:
+	return pk11_NewTokenAttribute(type,key->u.rsa.privateExponent.data,
+				key->u.rsa.privateExponent.len, PR_FALSE);
+    }
+
+    return NULL;
+}
+
+static PK11Attribute *
+pk11_FindRSAPrivateKeyAttribute(NSSLOWKEYPrivateKey *key,
+							 CK_ATTRIBUTE_TYPE type)
+{
+    unsigned char hash[SHA1_LENGTH];
+    CK_KEY_TYPE keyType = CKK_RSA;
+
+    switch (type) {
+    case CKA_KEY_TYPE:
+	return pk11_NewTokenAttribute(type,&keyType,sizeof(keyType), PR_TRUE);
+    case CKA_ID:
+	SHA1_HashBuf(hash,key->u.rsa.modulus.data,key->u.rsa.modulus.len);
+	return pk11_NewTokenAttribute(type,hash,SHA1_LENGTH, PR_TRUE);
+    case CKA_DERIVE:
+	return (PK11Attribute *) &pk11_StaticFalseAttr;
+    case CKA_DECRYPT:
+    case CKA_SIGN:
+    case CKA_SIGN_RECOVER:
+    case CKA_UNWRAP:
+	return (PK11Attribute *) &pk11_StaticTrueAttr;
+    case CKA_MODULUS:
+	return pk11_NewTokenAttributeSigned(type,key->u.rsa.modulus.data,
+					key->u.rsa.modulus.len, PR_FALSE);
+    case CKA_PUBLIC_EXPONENT:
+	return pk11_NewTokenAttributeSigned(type,key->u.rsa.publicExponent.data,
+				key->u.rsa.publicExponent.len, PR_FALSE);
+    case CKA_PRIVATE_EXPONENT:
+    case CKA_PRIME_1:
+    case CKA_PRIME_2:
+    case CKA_EXPONENT_1:
+    case CKA_EXPONENT_2:
+    case CKA_COEFFICIENT:
+	return (PK11Attribute *) &pk11_StaticNullAttr;
+    default:
+	break;
+    }
+    return NULL;
+}
+
+static PK11Attribute *
+pk11_FindDSAPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, 
+							CK_ATTRIBUTE_TYPE type)
+{
+    unsigned char hash[SHA1_LENGTH];
+    CK_KEY_TYPE keyType = CKK_DSA;
+
+    switch (type) {
+    case CKA_KEY_TYPE:
+	return pk11_NewTokenAttribute(type,&keyType,sizeof(keyType), PR_TRUE);
+    case CKA_ID:
+	SHA1_HashBuf(hash,key->u.dsa.publicValue.data,
+						key->u.dsa.publicValue.len);
+	return pk11_NewTokenAttribute(type,hash,SHA1_LENGTH, PR_TRUE);
+    case CKA_DERIVE:
+    case CKA_DECRYPT:
+    case CKA_SIGN_RECOVER:
+    case CKA_UNWRAP:
+	return (PK11Attribute *) &pk11_StaticFalseAttr;
+    case CKA_SIGN:
+	return (PK11Attribute *) &pk11_StaticTrueAttr;
+    case CKA_VALUE:
+	return (PK11Attribute *) &pk11_StaticNullAttr;
+    case CKA_PRIME:
+	return pk11_NewTokenAttributeSigned(type,key->u.dsa.params.prime.data,
+					key->u.dsa.params.prime.len, PR_FALSE);
+    case CKA_SUBPRIME:
+	return pk11_NewTokenAttributeSigned(type,
+				key->u.dsa.params.subPrime.data,
+				key->u.dsa.params.subPrime.len, PR_FALSE);
+    case CKA_BASE:
+	return pk11_NewTokenAttributeSigned(type,key->u.dsa.params.base.data,
+					key->u.dsa.params.base.len, PR_FALSE);
+    default:
+	break;
+    }
+    return NULL;
+}
+
+static PK11Attribute *
+pk11_FindDHPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type)
+{
+    unsigned char hash[SHA1_LENGTH];
+    CK_KEY_TYPE keyType = CKK_DH;
+
+    switch (type) {
+    case CKA_KEY_TYPE:
+	return pk11_NewTokenAttribute(type,&keyType,sizeof(keyType), PR_TRUE);
+    case CKA_ID:
+	SHA1_HashBuf(hash,key->u.dh.publicValue.data,key->u.dh.publicValue.len);
+	return pk11_NewTokenAttribute(type,hash,SHA1_LENGTH, PR_TRUE);
+    case CKA_DERIVE:
+	return (PK11Attribute *) &pk11_StaticTrueAttr;
+    case CKA_DECRYPT:
+    case CKA_SIGN:
+    case CKA_SIGN_RECOVER:
+    case CKA_UNWRAP:
+	return (PK11Attribute *) &pk11_StaticFalseAttr;
+    case CKA_VALUE:
+	return (PK11Attribute *) &pk11_StaticNullAttr;
+    case CKA_PRIME:
+	return pk11_NewTokenAttributeSigned(type,key->u.dh.prime.data,
+					key->u.dh.prime.len, PR_FALSE);
+    case CKA_BASE:
+	return pk11_NewTokenAttributeSigned(type,key->u.dh.base.data,
+					key->u.dh.base.len, PR_FALSE);
+    default:
+	break;
+    }
+    return NULL;
+}
+
+static PK11Attribute *
+pk11_FindPrivateKeyAttribute(PK11TokenObject *object, CK_ATTRIBUTE_TYPE type)
+{
+    NSSLOWKEYPrivateKey *key;
+    char *label;
+    PK11Attribute *att;
+
+    switch (type) {
+    case CKA_PRIVATE:
+    case CKA_SENSITIVE:
+    case CKA_ALWAYS_SENSITIVE:
+    case CKA_EXTRACTABLE:
+    case CKA_MODIFIABLE:
+	return (PK11Attribute *) &pk11_StaticTrueAttr;
+    case CKA_NEVER_EXTRACTABLE:
+	return (PK11Attribute *) &pk11_StaticFalseAttr;
+    case CKA_SUBJECT:
+	   return (PK11Attribute *)&pk11_StaticNullAttr;
+    case CKA_LABEL:
+        label = nsslowkey_FindKeyNicknameByPublicKey(object->obj.slot->keyDB,
+				&object->dbKey, object->obj.slot->password);
+	if (label == NULL) {
+	   return (PK11Attribute *)&pk11_StaticNullAttr;
+	}
+	att = pk11_NewTokenAttribute(type,label,PORT_Strlen(label), PR_TRUE);
+	PORT_Free(label);
+	return att;
+    default:
+	break;
+    }
+    key = pk11_GetPrivateKey(object);
+    if (key == NULL) {
+	return NULL;
+    }
+    switch (key->keyType) {
+    case NSSLOWKEYRSAKey:
+	return pk11_FindRSAPrivateKeyAttribute(key,type);
+    case NSSLOWKEYDSAKey:
+	return pk11_FindDSAPrivateKeyAttribute(key,type);
+    case NSSLOWKEYDHKey:
+	return pk11_FindDHPrivateKeyAttribute(key,type);
+    default:
+	break;
+    }
+
+    return NULL;
+}
+
+static PK11Attribute *
+pk11_FindSMIMEAttribute(PK11TokenObject *object, CK_ATTRIBUTE_TYPE type)
+{
+    certDBEntrySMime *entry;
+    switch (type) {
+    case CKA_PRIVATE:
+    case CKA_MODIFIABLE:
+	return (PK11Attribute *) &pk11_StaticFalseAttr;
+    case CKA_NETSCAPE_EMAIL:
+	return pk11_NewTokenAttribute(type,object->dbKey.data,
+						object->dbKey.len-1, PR_FALSE);
+    case CKA_SENSITIVE:
+	return NULL;
+    default:
+	break;
+    }
+    entry = pk11_getSMime(object);
+    if (entry == NULL) {
+	return NULL;
+    }
+    switch (type) {
+    case CKA_NETSCAPE_SMIME_TIMESTAMP:
+	return pk11_NewTokenAttribute(type,entry->optionsDate.data,
+					entry->optionsDate.len, PR_FALSE);
+    case CKA_SUBJECT:
+	return pk11_NewTokenAttribute(type,entry->subjectName.data,
+					entry->subjectName.len, PR_FALSE);
+    case CKA_VALUE:
+	return pk11_NewTokenAttribute(type,entry->smimeOptions.data,
+					entry->smimeOptions.len, PR_FALSE);
+    default:
+	break;
+    }
+    return NULL;
+}
+
+static PK11Attribute *
+pk11_FindTrustAttribute(PK11TokenObject *object, CK_ATTRIBUTE_TYPE type)
+{
+    NSSLOWCERTCertificate *cert;
+    unsigned char hash[SHA1_LENGTH];
+    SECItem *item;
+    PK11Attribute *attr;
+    unsigned int trustFlags;
+
+    switch (type) {
+    case CKA_PRIVATE:
+	return (PK11Attribute *) &pk11_StaticFalseAttr;
+    case CKA_MODIFIABLE:
+	return (PK11Attribute *) &pk11_StaticTrueAttr;
+    case CKA_SENSITIVE:
+	return NULL;
+    default:
+	break;
+    }
+    cert = pk11_getCert(object);
+    if (cert == NULL) {
+	return NULL;
+    }
+    switch (type) {
+    case CKA_CERT_SHA1_HASH:
+	SHA1_HashBuf(hash,cert->derCert.data,cert->derCert.len);
+	return pk11_NewTokenAttribute(type,hash,SHA1_LENGTH, PR_TRUE);
+    case CKA_CERT_MD5_HASH:
+	MD5_HashBuf(hash,cert->derCert.data,cert->derCert.len);
+	return pk11_NewTokenAttribute(type,hash,MD5_LENGTH, PR_TRUE);
+    case CKA_ISSUER:
+	return pk11_NewTokenAttribute(type,cert->derIssuer.data,
+						cert->derIssuer.len, PR_FALSE);
+    case CKA_SERIAL_NUMBER:
+	item = SEC_ASN1EncodeItem(NULL,NULL,cert,pk11_SerialTemplate);
+	if (item == NULL) break;
+	attr = pk11_NewTokenAttribute(type, item->data, item->len, PR_TRUE);
+	SECITEM_FreeItem(item,PR_TRUE);
+	return attr;
+    case CKA_TRUST_CLIENT_AUTH:
+	trustFlags = cert->trust->sslFlags & CERTDB_TRUSTED_CLIENT_CA ?
+		cert->trust->sslFlags | CERTDB_TRUSTED_CA : 0 ;
+	goto trust;
+    case CKA_TRUST_SERVER_AUTH:
+	trustFlags = cert->trust->sslFlags;
+	goto trust;
+    case CKA_TRUST_EMAIL_PROTECTION:
+	trustFlags = cert->trust->emailFlags;
+	goto trust;
+    case CKA_TRUST_CODE_SIGNING:
+	trustFlags = cert->trust->objectSigningFlags;
+trust:
+	if (trustFlags & CERTDB_TRUSTED_CA ) {
+	    return (PK11Attribute *)&pk11_StaticTrustedDelegatorAttr;
+	}
+	if (trustFlags & CERTDB_TRUSTED) {
+	    return (PK11Attribute *)&pk11_StaticTrustedAttr;
+	}
+	if (trustFlags & CERTDB_NOT_TRUSTED) {
+	    return (PK11Attribute *)&pk11_StaticUnTrustedAttr;
+	}
+	if (trustFlags & CERTDB_TRUSTED_UNKNOWN) {
+	    return (PK11Attribute *)&pk11_StaticTrustUnknownAttr;
+	}
+	if (trustFlags & CERTDB_VALID_CA) {
+	    return (PK11Attribute *)&pk11_StaticValidDelegatorAttr;
+	}
+	if (trustFlags & CERTDB_VALID_PEER) {
+	    return (PK11Attribute *)&pk11_StaticValidPeerAttr;
+	}
+	return (PK11Attribute *)&pk11_StaticMustVerifyAttr;
+    default:
+	break;
+    }
+    return NULL;
+}
+
+static PK11Attribute *
+pk11_FindCrlAttribute(PK11TokenObject *object, CK_ATTRIBUTE_TYPE type)
+{
+    SECItem *crl;
+    char *url;
+
+    switch (type) {
+    case CKA_PRIVATE:
+    case CKA_MODIFIABLE:
+	return (PK11Attribute *) &pk11_StaticFalseAttr;
+    case CKA_NETSCAPE_KRL:
+	return (PK11Attribute *) ((object->obj.handle == PK11_TOKEN_KRL_HANDLE) 
+			? &pk11_StaticTrueAttr : &pk11_StaticFalseAttr);
+    case CKA_NETSCAPE_URL:
+	url = pk11_getUrl(object);
+	if (url == NULL) {
+	    return (PK11Attribute *) &pk11_StaticNullAttr;
+	}
+	return pk11_NewTokenAttribute(type, url, PORT_Strlen(url)+1, PR_TRUE);
+    case CKA_VALUE:
+	crl = pk11_getCrl(object);
+	if (crl == NULL) break;
+	return pk11_NewTokenAttribute(type, crl->data, crl->len, PR_FALSE);
+    case CKA_SUBJECT:
+	return pk11_NewTokenAttribute(type,object->dbKey.data,
+						object->dbKey.len, PR_FALSE);
+    default:
+	break;
+    }
+    return NULL;
+}
+
+static PK11Attribute *
+pk11_FindCertAttribute(PK11TokenObject *object, CK_ATTRIBUTE_TYPE type)
+{
+    NSSLOWCERTCertificate *cert;
+    NSSLOWKEYPublicKey  *pubKey;
+    unsigned char hash[SHA1_LENGTH];
+    SECItem *item;
+    PK11Attribute *attr;
+
+    switch (type) {
+    case CKA_PRIVATE:
+	return (PK11Attribute *) &pk11_StaticFalseAttr;
+    case CKA_MODIFIABLE:
+	return (PK11Attribute *) &pk11_StaticTrueAttr;
+    case CKA_CERTIFICATE_TYPE:
+        /* hardcoding X.509 into here */
+        return (PK11Attribute *)&pk11_StaticX509Attr;
+    case CKA_SENSITIVE:
+	return NULL;
+    default:
+	break;
+    }
+    cert = pk11_getCert(object);
+    if (cert == NULL) {
+	return NULL;
+    }
+    switch (type) {
+    case CKA_VALUE:
+	return pk11_NewTokenAttribute(type,cert->derCert.data,
+						cert->derCert.len,PR_FALSE);
+    case CKA_ID:
+	pubKey = nsslowcert_ExtractPublicKey(cert);
+	if (pubKey == NULL) break;
+	item = pk11_GetPubItem(pubKey);
+	if (item == NULL) {
+	    nsslowkey_DestroyPublicKey(pubKey);
+	    break;
+	}
+	SHA1_HashBuf(hash,item->data,item->len);
+	/* item is imbedded in pubKey, just free the key */
+	nsslowkey_DestroyPublicKey(pubKey);
+	return pk11_NewTokenAttribute(type, hash, SHA1_LENGTH, PR_TRUE);
+    case CKA_LABEL:
+	return cert->nickname ? pk11_NewTokenAttribute(type, cert->nickname,
+				PORT_Strlen(cert->nickname), PR_FALSE) :
+					(PK11Attribute *) &pk11_StaticNullAttr;
+    case CKA_SUBJECT:
+	return pk11_NewTokenAttribute(type,cert->derSubject.data,
+						cert->derSubject.len, PR_FALSE);
+    case CKA_ISSUER:
+	return pk11_NewTokenAttribute(type,cert->derIssuer.data,
+						cert->derIssuer.len, PR_FALSE);
+    case CKA_SERIAL_NUMBER:
+	item = SEC_ASN1EncodeItem(NULL,NULL,cert,pk11_SerialTemplate);
+	if (item == NULL) break;
+	attr = pk11_NewTokenAttribute(type, item->data, item->len, PR_TRUE);
+	SECITEM_FreeItem(item,PR_TRUE);
+	return attr;
+    case CKA_NETSCAPE_EMAIL:
+	return cert->emailAddr ? pk11_NewTokenAttribute(type, cert->emailAddr,
+				PORT_Strlen(cert->emailAddr), PR_FALSE) :
+					(PK11Attribute *) &pk11_StaticNullAttr;
+    default:
+	break;
+    }
+    return NULL;
+}
+    
+static PK11Attribute *    
+pk11_FindTokenAttribute(PK11TokenObject *object,CK_ATTRIBUTE_TYPE type)
+{
+    /* handle the common ones */
+    switch (type) {
+    case CKA_CLASS:
+	return pk11_NewTokenAttribute(type,&object->obj.objclass,
+					sizeof(object->obj.objclass),PR_FALSE);
+    case CKA_TOKEN:
+	return (PK11Attribute *) &pk11_StaticTrueAttr;
+    case CKA_LABEL:
+	if (  (object->obj.objclass == CKO_CERTIFICATE) 
+	   || (object->obj.objclass == CKO_PRIVATE_KEY)
+	   || (object->obj.objclass == CKO_PUBLIC_KEY)
+	   || (object->obj.objclass == CKO_SECRET_KEY)) {
+	    break;
+	}
+	return (PK11Attribute *) &pk11_StaticNullAttr;
+    default:
+	break;
+    }
+    switch (object->obj.objclass) {
+    case CKO_CERTIFICATE:
+	return pk11_FindCertAttribute(object,type);
+    case CKO_NETSCAPE_CRL:
+	return pk11_FindCrlAttribute(object,type);
+    case CKO_NETSCAPE_TRUST:
+	return pk11_FindTrustAttribute(object,type);
+    case CKO_NETSCAPE_SMIME:
+	return pk11_FindSMIMEAttribute(object,type);
+    case CKO_PUBLIC_KEY:
+	return pk11_FindPublicKeyAttribute(object,type);
+    case CKO_PRIVATE_KEY:
+	return pk11_FindPrivateKeyAttribute(object,type);
+    case CKO_SECRET_KEY:
+	return pk11_FindSecretKeyAttribute(object,type);
+    default:
+	break;
+    }
+    PORT_Assert(0);
+    return NULL;
+} 
+
+/*
+ * look up and attribute structure from a type and Object structure.
+ * The returned attribute is referenced and needs to be freed when 
+ * it is no longer needed.
+ */
+PK11Attribute *
+pk11_FindAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type)
+{
+    PK11Attribute *attribute;
+    PK11SessionObject *sessObject = pk11_narrowToSessionObject(object);
+
+    if (sessObject == NULL) {
+	return pk11_FindTokenAttribute(pk11_narrowToTokenObject(object),type);
+    }
+
+    PK11_USE_THREADS(PZ_Lock(sessObject->attributeLock);)
+    pk11queue_find(attribute,type,sessObject->head,ATTRIBUTE_HASH_SIZE);
+#ifdef PKCS11_REF_COUNT_ATTRIBUTES
+    if (attribute) {
+	/* atomic increment would be nice here */
+	PK11_USE_THREADS(PZ_Lock(attribute->refLock);)
+	attribute->refCount++;
+	PK11_USE_THREADS(PZ_Unlock(attribute->refLock);)
+    }
+#endif
+    PK11_USE_THREADS(PZ_Unlock(sessObject->attributeLock);)
+
+    return(attribute);
+}
+
+
+
+PRBool
+pk11_hasAttributeToken(PK11TokenObject *object)
+{
+    return PR_FALSE;
+}
+
+/*
+ * return true if object has attribute
+ */
+PRBool
+pk11_hasAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type)
+{
+    PK11Attribute *attribute;
+    PK11SessionObject *sessObject = pk11_narrowToSessionObject(object);
+
+    if (sessObject == NULL) {
+	return pk11_hasAttributeToken(pk11_narrowToTokenObject(object));
+    }
+
+    PK11_USE_THREADS(PZ_Lock(sessObject->attributeLock);)
+    pk11queue_find(attribute,type,sessObject->head,ATTRIBUTE_HASH_SIZE);
+    PK11_USE_THREADS(PZ_Unlock(sessObject->attributeLock);)
+
+    return (PRBool)(attribute != NULL);
+}
+
+/*
+ * add an attribute to an object
+ */
+static void
+pk11_AddAttribute(PK11Object *object,PK11Attribute *attribute)
+{
+    PK11SessionObject *sessObject = pk11_narrowToSessionObject(object);
+
+    if (sessObject == NULL) return;
+    PK11_USE_THREADS(PZ_Lock(sessObject->attributeLock);)
+    pk11queue_add(attribute,attribute->handle,
+				sessObject->head,ATTRIBUTE_HASH_SIZE);
+    PK11_USE_THREADS(PZ_Unlock(sessObject->attributeLock);)
+}
+
+/* 
+ * copy an unsigned attribute into a SECItem. Secitem is allocated in
+ * the specified arena.
+ */
+CK_RV
+pk11_Attribute2SSecItem(PLArenaPool *arena,SECItem *item,PK11Object *object,
+                                      CK_ATTRIBUTE_TYPE type)
+{
+    PK11Attribute *attribute;
+    unsigned char *start;
+
+    item->data = NULL;
+
+    attribute = pk11_FindAttribute(object, type);
+    if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
+
+    (void)SECITEM_AllocItem(arena, item, attribute->attrib.ulValueLen);
+    if (item->data == NULL) {
+	pk11_FreeAttribute(attribute);
+	return CKR_HOST_MEMORY;
+    }
+    PORT_Memcpy(item->data, attribute->attrib.pValue, item->len);
+    pk11_FreeAttribute(attribute);
+    return CKR_OK;
+}
+
+
+/*
+ * delete an attribute from an object
+ */
+static void
+pk11_DeleteAttribute(PK11Object *object, PK11Attribute *attribute)
+{
+    PK11SessionObject *sessObject = pk11_narrowToSessionObject(object);
+
+    if (sessObject == NULL) {
+	return ;
+    }
+    PK11_USE_THREADS(PZ_Lock(sessObject->attributeLock);)
+    if (pk11queue_is_queued(attribute,attribute->handle,
+				sessObject->head,ATTRIBUTE_HASH_SIZE)) {
+	pk11queue_delete(attribute,attribute->handle,
+				sessObject->head,ATTRIBUTE_HASH_SIZE);
+    }
+    PK11_USE_THREADS(PZ_Unlock(sessObject->attributeLock);)
+    pk11_FreeAttribute(attribute);
+}
+
+/*
+ * this is only valid for CK_BBOOL type attributes. Return the state
+ * of that attribute.
+ */
+PRBool
+pk11_isTrue(PK11Object *object,CK_ATTRIBUTE_TYPE type)
+{
+    PK11Attribute *attribute;
+    PRBool tok = PR_FALSE;
+
+    attribute=pk11_FindAttribute(object,type);
+    if (attribute == NULL) { return PR_FALSE; }
+    tok = (PRBool)(*(CK_BBOOL *)attribute->attrib.pValue);
+    pk11_FreeAttribute(attribute);
+
+    return tok;
+}
+
+/*
+ * force an attribute to null.
+ * this is for sensitive keys which are stored in the database, we don't
+ * want to keep this info around in memory in the clear.
+ */
+void
+pk11_nullAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type)
+{
+    PK11Attribute *attribute;
+
+    attribute=pk11_FindAttribute(object,type);
+    if (attribute == NULL) return;
+
+    if (attribute->attrib.pValue != NULL) {
+	PORT_Memset(attribute->attrib.pValue,0,attribute->attrib.ulValueLen);
+	if (attribute->freeData) {
+	    PORT_Free(attribute->attrib.pValue);
+	}
+	attribute->freeData = PR_FALSE;
+	attribute->attrib.pValue = NULL;
+	attribute->attrib.ulValueLen = 0;
+    }
+    pk11_FreeAttribute(attribute);
+}
+static CK_RV
+pk11_SetPrivateKeyAttribute(PK11TokenObject *to, CK_ATTRIBUTE_TYPE type, 
+						void *value, unsigned int len)
+{
+    NSSLOWKEYPrivateKey *privKey;
+    char *nickname = NULL;
+    SECStatus rv;
+
+    /* we can't change the ID and we don't store the subject, but let the
+     * upper layers feel better about the fact we tried to set these */
+    if ((type == CKA_ID) || (type == CKA_SUBJECT)) {
+	return CKR_OK;
+    }
+
+    if (to->obj.slot->keyDB == NULL) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+    if (type != CKA_LABEL) {
+	return CKR_ATTRIBUTE_READ_ONLY;
+    }
+
+    privKey = pk11_GetPrivateKey(to);
+    if (privKey == NULL) {
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+    if (value != NULL) {
+	nickname = PORT_ZAlloc(len+1);
+	if (nickname == NULL) {
+	    return CKR_HOST_MEMORY;
+	}
+	PORT_Memcpy(nickname,value,len);
+	nickname[len] = 0;
+    }
+    rv = nsslowkey_UpdateNickname(to->obj.slot->keyDB, privKey, &to->dbKey, 
+					nickname, to->obj.slot->password);
+    if (nickname) PORT_Free(nickname);
+    if (rv != SECSuccess) {
+	return CKR_DEVICE_ERROR;
+    }
+    return CKR_OK;
+}
+
+static CK_RV
+pk11_SetTrustAttribute(PK11TokenObject *to, CK_ATTRIBUTE_TYPE type, 
+						void *value, unsigned int len)
+{
+    unsigned int flags;
+    CK_TRUST  trust;
+    NSSLOWCERTCertificate *cert;
+    NSSLOWCERTCertTrust dbTrust;
+    SECStatus rv;
+
+    if (to->obj.slot->certDB == NULL) {
+	return CKR_TOKEN_WRITE_PROTECTED;
+    }
+    if (len != sizeof (CK_TRUST)) {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+    trust = *(CK_TRUST *)value;
+    flags = pk11_MapTrust(trust, (PRBool) (type == CKA_TRUST_SERVER_AUTH));
+
+    cert = pk11_getCert(to);
+    if (cert == NULL) {
+	return CKR_OBJECT_HANDLE_INVALID;
+    }
+    dbTrust = *cert->trust;
+
+    switch (type) {
+    case CKA_TRUST_EMAIL_PROTECTION:
+	dbTrust.emailFlags = flags |
+		(cert->trust->emailFlags & CERTDB_PRESERVE_TRUST_BITS);
+	break;
+    case CKA_TRUST_CODE_SIGNING:
+	dbTrust.objectSigningFlags = flags |
+		(cert->trust->objectSigningFlags & CERTDB_PRESERVE_TRUST_BITS);
+	break;
+    case CKA_TRUST_CLIENT_AUTH:
+	dbTrust.sslFlags = flags | (cert->trust->sslFlags & 
+				(CERTDB_PRESERVE_TRUST_BITS|CERTDB_TRUSTED_CA));
+	break;
+    case CKA_TRUST_SERVER_AUTH:
+	dbTrust.sslFlags = flags | (cert->trust->sslFlags & 
+			(CERTDB_PRESERVE_TRUST_BITS|CERTDB_TRUSTED_CLIENT_CA));
+	break;
+    default:
+	return CKR_ATTRIBUTE_READ_ONLY;
+    }
+
+    rv = nsslowcert_ChangeCertTrust(to->obj.slot->certDB,cert,&dbTrust);
+    if (rv != SECSuccess) {
+	return CKR_DEVICE_ERROR;
+    }
+    return CKR_OK;
+}
+
+static CK_RV
+pk11_forceTokenAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type, 
+						void *value, unsigned int len)
+{
+    PK11Attribute *attribute;
+    PK11TokenObject *to = pk11_narrowToTokenObject(object);
+    CK_RV crv = CKR_ATTRIBUTE_READ_ONLY;
+
+    PORT_Assert(to);
+    if (to == NULL) {
+	return CKR_DEVICE_ERROR;
+    }
+
+    /* if we are just setting it to the value we already have,
+     * allow it to happen. */
+    attribute=pk11_FindAttribute(object,type);
+    if ((attribute->attrib.ulValueLen == len) &&
+	PORT_Memcmp(attribute->attrib.pValue,value,len) == 0) {
+	pk11_FreeAttribute(attribute);
+	return CKR_OK;
+    }
+
+    switch (object->objclass) {
+    case CKO_CERTIFICATE:
+	/* change NICKNAME, EMAIL,  */
+	break;
+    case CKO_NETSCAPE_CRL:
+	/* change URL */
+	break;
+    case CKO_NETSCAPE_TRUST:
+	crv = pk11_SetTrustAttribute(to,type,value,len);
+	break;
+    case CKO_PRIVATE_KEY:
+    case CKO_SECRET_KEY:
+	crv = pk11_SetPrivateKeyAttribute(to,type,value,len);
+	break;
+    }
+    pk11_FreeAttribute(attribute);
+    return crv;
+}
+	
+/*
+ * force an attribute to a spaecif value.
+ */
+CK_RV
+pk11_forceAttribute(PK11Object *object,CK_ATTRIBUTE_TYPE type, void *value,
+						unsigned int len)
+{
+    PK11Attribute *attribute;
+    void *att_val = NULL;
+    PRBool freeData = PR_FALSE;
+
+    if (pk11_isToken(object->handle)) {
+	return pk11_forceTokenAttribute(object,type,value,len);
+    }
+    attribute=pk11_FindAttribute(object,type);
+    if (attribute == NULL) return pk11_AddAttributeType(object,type,value,len);
+
+
+    if (value) {
+#ifdef PKCS11_STATIC_ATTRIBUTES
+        if (len <= ATTR_SPACE) {
+	    att_val = attribute->space;
+	} else {
+	    att_val = PORT_Alloc(len);
+	    freeData = PR_TRUE;
+	}
+#else
+#ifdef PKCS11_REF_COUNT_ATTRIBUTES
+	att_val = PORT_Alloc(len);
+	freeData = PR_TRUE;
+#else
+	att_val = PORT_ArenaAlloc(object->arena,len);
+#endif /* PKCS11_REF_COUNT_ATTRIBUTES */
+#endif /* PKCS11_STATIC_ATTRIBUTES */
+	if (att_val == NULL) {
+	    return CKR_HOST_MEMORY;
+	}
+	if (attribute->attrib.pValue == att_val) {
+	    PORT_Memset(attribute->attrib.pValue,0,
+					attribute->attrib.ulValueLen);
+	}
+	PORT_Memcpy(att_val,value,len);
+    }
+    if (attribute->attrib.pValue != NULL) {
+	if (attribute->attrib.pValue != att_val) {
+	    PORT_Memset(attribute->attrib.pValue,0,
+					attribute->attrib.ulValueLen);
+	}
+	if (attribute->freeData) {
+	    PORT_Free(attribute->attrib.pValue);
+	}
+	attribute->freeData = PR_FALSE;
+	attribute->attrib.pValue = NULL;
+	attribute->attrib.ulValueLen = 0;
+    }
+    if (att_val) {
+	attribute->attrib.pValue = att_val;
+	attribute->attrib.ulValueLen = len;
+	attribute->freeData = freeData;
+    }
+    pk11_FreeAttribute(attribute);
+    return CKR_OK;
+}
+
+/*
+ * return a null terminated string from attribute 'type'. This string
+ * is allocated and needs to be freed with PORT_Free() When complete.
+ */
+char *
+pk11_getString(PK11Object *object,CK_ATTRIBUTE_TYPE type)
+{
+    PK11Attribute *attribute;
+    char *label = NULL;
+
+    attribute=pk11_FindAttribute(object,type);
+    if (attribute == NULL) return NULL;
+
+    if (attribute->attrib.pValue != NULL) {
+	label = (char *) PORT_Alloc(attribute->attrib.ulValueLen+1);
+	if (label == NULL) {
+    	    pk11_FreeAttribute(attribute);
+	    return NULL;
+	}
+
+	PORT_Memcpy(label,attribute->attrib.pValue,
+						attribute->attrib.ulValueLen);
+	label[attribute->attrib.ulValueLen] = 0;
+    }
+    pk11_FreeAttribute(attribute);
+    return label;
+}
+
+/*
+ * decode when a particular attribute may be modified
+ * 	PK11_NEVER: This attribute must be set at object creation time and
+ *  can never be modified.
+ *	PK11_ONCOPY: This attribute may be modified only when you copy the
+ *  object.
+ *	PK11_SENSITIVE: The CKA_SENSITIVE attribute can only be changed from
+ *  CK_FALSE to CK_TRUE.
+ *	PK11_ALWAYS: This attribute can always be modified.
+ * Some attributes vary their modification type based on the class of the 
+ *   object.
+ */
+PK11ModifyType
+pk11_modifyType(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass)
+{
+    /* if we don't know about it, user user defined, always allow modify */
+    PK11ModifyType mtype = PK11_ALWAYS; 
+
+    switch(type) {
+    /* NEVER */
+    case CKA_CLASS:
+    case CKA_CERTIFICATE_TYPE:
+    case CKA_KEY_TYPE:
+    case CKA_MODULUS:
+    case CKA_MODULUS_BITS:
+    case CKA_PUBLIC_EXPONENT:
+    case CKA_PRIVATE_EXPONENT:
+    case CKA_PRIME:
+    case CKA_SUBPRIME:
+    case CKA_BASE:
+    case CKA_PRIME_1:
+    case CKA_PRIME_2:
+    case CKA_EXPONENT_1:
+    case CKA_EXPONENT_2:
+    case CKA_COEFFICIENT:
+    case CKA_VALUE_LEN:
+    case CKA_ALWAYS_SENSITIVE:
+    case CKA_NEVER_EXTRACTABLE:
+    case CKA_NETSCAPE_DB:
+	mtype = PK11_NEVER;
+	break;
+
+    /* ONCOPY */
+    case CKA_TOKEN:
+    case CKA_PRIVATE:
+    case CKA_MODIFIABLE:
+	mtype = PK11_ONCOPY;
+	break;
+
+    /* SENSITIVE */
+    case CKA_SENSITIVE:
+    case CKA_EXTRACTABLE:
+	mtype = PK11_SENSITIVE;
+	break;
+
+    /* ALWAYS */
+    case CKA_LABEL:
+    case CKA_APPLICATION:
+    case CKA_ID:
+    case CKA_SERIAL_NUMBER:
+    case CKA_START_DATE:
+    case CKA_END_DATE:
+    case CKA_DERIVE:
+    case CKA_ENCRYPT:
+    case CKA_DECRYPT:
+    case CKA_SIGN:
+    case CKA_VERIFY:
+    case CKA_SIGN_RECOVER:
+    case CKA_VERIFY_RECOVER:
+    case CKA_WRAP:
+    case CKA_UNWRAP:
+	mtype = PK11_ALWAYS;
+	break;
+
+    /* DEPENDS ON CLASS */
+    case CKA_VALUE:
+	mtype = (inClass == CKO_DATA) ? PK11_ALWAYS : PK11_NEVER;
+	break;
+
+    case CKA_SUBJECT:
+	mtype = (inClass == CKO_CERTIFICATE) ? PK11_NEVER : PK11_ALWAYS;
+	break;
+    default:
+	break;
+    }
+    return mtype;
+}
+
+/* decode if a particular attribute is sensitive (cannot be read
+ * back to the user of if the object is set to SENSITIVE) */
+PRBool
+pk11_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass)
+{
+    switch(type) {
+    /* ALWAYS */
+    case CKA_PRIVATE_EXPONENT:
+    case CKA_PRIME_1:
+    case CKA_PRIME_2:
+    case CKA_EXPONENT_1:
+    case CKA_EXPONENT_2:
+    case CKA_COEFFICIENT:
+	return PR_TRUE;
+
+    /* DEPENDS ON CLASS */
+    case CKA_VALUE:
+	/* PRIVATE and SECRET KEYS have SENSITIVE values */
+	return (PRBool)((inClass == CKO_PRIVATE_KEY) || (inClass == CKO_SECRET_KEY));
+
+    default:
+	break;
+    }
+    return PR_FALSE;
+}
+
+/* 
+ * copy an attribute into a SECItem. Secitem is allocated in the specified
+ * arena.
+ */
+CK_RV
+pk11_Attribute2SecItem(PLArenaPool *arena,SECItem *item,PK11Object *object,
+					CK_ATTRIBUTE_TYPE type)
+{
+    int len;
+    PK11Attribute *attribute;
+
+    attribute = pk11_FindAttribute(object, type);
+    if (attribute == NULL) return CKR_TEMPLATE_INCOMPLETE;
+    len = attribute->attrib.ulValueLen;
+
+    if (arena) {
+    	item->data = (unsigned char *) PORT_ArenaAlloc(arena,len);
+    } else {
+    	item->data = (unsigned char *) PORT_Alloc(len);
+    }
+    if (item->data == NULL) {
+	pk11_FreeAttribute(attribute);
+	return CKR_HOST_MEMORY;
+    }
+    item->len = len;
+    PORT_Memcpy(item->data,attribute->attrib.pValue, len);
+    pk11_FreeAttribute(attribute);
+    return CKR_OK;
+}
+
+void
+pk11_DeleteAttributeType(PK11Object *object,CK_ATTRIBUTE_TYPE type)
+{
+    PK11Attribute *attribute;
+    attribute = pk11_FindAttribute(object, type);
+    if (attribute == NULL) return ;
+    pk11_DeleteAttribute(object,attribute);
+    pk11_FreeAttribute(attribute);
+}
+
+CK_RV
+pk11_AddAttributeType(PK11Object *object,CK_ATTRIBUTE_TYPE type,void *valPtr,
+							CK_ULONG length)
+{
+    PK11Attribute *attribute;
+    attribute = pk11_NewAttribute(object,type,valPtr,length);
+    if (attribute == NULL) { return CKR_HOST_MEMORY; }
+    pk11_AddAttribute(object,attribute);
+    return CKR_OK;
+}
+
+/*
+ * ******************** Object Utilities *******************************
+ */
+
+static SECStatus
+pk11_deleteTokenKeyByHandle(PK11Slot *slot, CK_OBJECT_HANDLE handle)
+{
+   SECItem *item;
+   PRBool rem;
+
+   item = (SECItem *)PL_HashTableLookup(slot->tokenHashTable, (void *)handle);
+   if (item) {
+	SECITEM_FreeItem(item,PR_TRUE);
+   }
+   rem = PL_HashTableRemove(slot->tokenHashTable,(void *)handle) ;
+   return rem ? SECSuccess : SECFailure;
+}
+
+static SECStatus
+pk11_addTokenKeyByHandle(PK11Slot *slot, CK_OBJECT_HANDLE handle, SECItem *key)
+{
+    PLHashEntry *entry;
+    SECItem *item;
+
+    item = SECITEM_DupItem(key);
+    if (item == NULL) {
+	return SECFailure;
+    }
+    entry = PL_HashTableAdd(slot->tokenHashTable,(void *)handle,item);
+    if (entry == NULL) {
+	SECITEM_FreeItem(item,PR_TRUE);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+static SECItem *
+pk11_lookupTokenKeyByHandle(PK11Slot *slot, CK_OBJECT_HANDLE handle)
+{
+    return (SECItem *)PL_HashTableLookup(slot->tokenHashTable, (void *)handle);
+}
+
+/*
+ * use the refLock. This operations should be very rare, so the added
+ * contention on the ref lock should be lower than the overhead of adding
+ * a new lock. We use separate functions for this just in case I'm wrong.
+ */
+static void
+pk11_tokenKeyLock(PK11Slot *slot) {
+    PK11_USE_THREADS(PZ_Lock(slot->objectLock);)
+}
+
+static void
+pk11_tokenKeyUnlock(PK11Slot *slot) {
+    PK11_USE_THREADS(PZ_Unlock(slot->objectLock);)
+}
+
+
+/* allocation hooks that allow us to recycle old object structures */
+#ifdef MAX_OBJECT_LIST_SIZE
+static PK11Object * objectFreeList = NULL;
+static PZLock *objectLock = NULL;
+static int object_count = 0;
+#endif
+PK11Object *
+pk11_GetObjectFromList(PRBool *hasLocks) {
+    PK11Object *object;
+
+#if MAX_OBJECT_LIST_SIZE
+    if (objectLock == NULL) {
+	objectLock = PZ_NewLock(nssILockObject);
+    }
+
+    PK11_USE_THREADS(PZ_Lock(objectLock));
+    object = objectFreeList;
+    if (object) {
+	objectFreeList = object->next;
+	object_count--;
+    }    	
+    PK11_USE_THREADS(PZ_Unlock(objectLock));
+    if (object) {
+	object->next = object->prev = NULL;
+        *hasLocks = PR_TRUE;
+	return object;
+    }
+#endif
+
+    object  = (PK11Object*)PORT_ZAlloc(sizeof(PK11SessionObject));
+    *hasLocks = PR_FALSE;
+    return object;
+}
+
+static void
+pk11_PutObjectToList(PK11SessionObject *object) {
+#ifdef MAX_OBJECT_LIST_SIZE
+    if (object_count < MAX_OBJECT_LIST_SIZE) {
+	PK11_USE_THREADS(PZ_Lock(objectLock));
+	object->obj.next = objectFreeList;
+	objectFreeList = &object->obj;
+	object_count++;
+	PK11_USE_THREADS(PZ_Unlock(objectLock));
+	return;
+     }
+#endif
+    PK11_USE_THREADS(PZ_DestroyLock(object->attributeLock);)
+    PK11_USE_THREADS(PZ_DestroyLock(object->obj.refLock);)
+    object->attributeLock = object->obj.refLock = NULL;
+    PORT_Free(object);
+}
+
+static PK11Object *
+pk11_freeObjectData(PK11Object *object) {
+   PK11Object *next = object->next;
+
+   PORT_Free(object);
+   return next;
+}
+   
+void
+pk11_CleanupFreeLists()
+{
+#ifdef MAX_OBJECT_LIST_SIZE
+    PK11Object *object;
+
+    if (!objectLock) {
+	return;
+    }
+    PK11_USE_THREADS(PZ_Lock(objectLock));
+    for (object= objectFreeList; object != NULL; 
+					object = pk11_freeObjectData(object)) {
+#ifdef PKCS11_USE_THREADS
+	PZ_DestroyLock(object->refLock);
+	PZ_DestroyLock(((PK11SessionObject *)object)->attributeLock);
+#endif
+    }
+    object_count = 0;
+    objectFreeList = NULL;
+    PK11_USE_THREADS(PZ_Unlock(objectLock));
+    PZ_DestroyLock(objectLock);
+    objectLock = NULL;
+#endif
+}
+
+
+/*
+ * Create a new object
+ */
+PK11Object *
+pk11_NewObject(PK11Slot *slot)
+{
+    PK11Object *object;
+    PK11SessionObject *sessObject;
+    PRBool hasLocks = PR_FALSE;
+    int i;
+
+
+#ifdef PKCS11_STATIC_ATTRIBUTES
+    object = pk11_GetObjectFromList(&hasLocks);
+    if (object == NULL) {
+	return NULL;
+    }
+    sessObject = (PK11SessionObject *)object;
+    sessObject->nextAttr = 0;
+
+    for (i=0; i < MAX_OBJS_ATTRS; i++) {
+	sessObject->attrList[i].attrib.pValue = NULL;
+	sessObject->attrList[i].freeData = PR_FALSE;
+    }
+#else
+    PRArenaPool *arena;
+
+    arena = PORT_NewArena(2048);
+    if (arena == NULL) return NULL;
+
+    object = (PK11Object*)PORT_ArenaAlloc(arena,sizeof(PK11SessionObject));
+    if (object == NULL) {
+	PORT_FreeArena(arena,PR_FALSE);
+	return NULL;
+    }
+    object->arena = arena;
+
+    sessObject = (PK11SessionObject *)object;
+#endif
+
+    object->handle = 0;
+    object->next = object->prev = NULL;
+    object->slot = slot;
+    object->objclass = 0xffff;
+    object->refCount = 1;
+    sessObject->sessionList.next = NULL;
+    sessObject->sessionList.prev = NULL;
+    sessObject->sessionList.parent = object;
+    sessObject->session = NULL;
+    sessObject->wasDerived = PR_FALSE;
+#ifdef PKCS11_USE_THREADS
+    if (!hasLocks) object->refLock = PZ_NewLock(nssILockRefLock);
+    if (object->refLock == NULL) {
+#ifdef PKCS11_STATIC_ATTRIBUTES
+	PORT_Free(object);
+#else
+	PORT_FreeArena(arena,PR_FALSE);
+#endif
+	return NULL;
+    }
+    if (!hasLocks) sessObject->attributeLock = PZ_NewLock(nssILockAttribute);
+    if (sessObject->attributeLock == NULL) {
+	PK11_USE_THREADS(PZ_DestroyLock(object->refLock);)
+#ifdef PKCS11_STATIC_ATTRIBUTES
+	PORT_Free(object);
+#else
+	PORT_FreeArena(arena,PR_FALSE);
+#endif
+	return NULL;
+    }
+#else
+    sessObject->attributeLock = NULL;
+    object->refLock = NULL;
+#endif
+    for (i=0; i < ATTRIBUTE_HASH_SIZE; i++) {
+	sessObject->head[i] = NULL;
+    }
+    object->objectInfo = NULL;
+    object->infoFree = NULL;
+    return object;
+}
+
+static CK_RV
+pk11_DestroySessionObjectData(PK11SessionObject *so)
+{
+	int i;
+
+#ifdef PKCS11_STATIC_ATTRIBUTES
+	for (i=0; i < MAX_OBJS_ATTRS; i++) {
+	    unsigned char *value = so->attrList[i].attrib.pValue;
+	    if (value) {
+		PORT_Memset(value,0,so->attrList[i].attrib.ulValueLen);
+		if (so->attrList[i].freeData) {
+		    PORT_Free(value);
+		}
+		so->attrList[i].attrib.pValue = NULL;
+		so->attrList[i].freeData = PR_FALSE;
+	    }
+	}
+#endif
+
+#ifdef PKCS11_REF_COUNT_ATTRIBUTES
+	/* clean out the attributes */
+	/* since no one is referencing us, it's safe to walk the chain
+	 * without a lock */
+	for (i=0; i < ATTRIBUTE_HASH_SIZE; i++) {
+	    PK11Attribute *ap,*next;
+	    for (ap = so->head[i]; ap != NULL; ap = next) {
+		next = ap->next;
+		/* paranoia */
+		ap->next = ap->prev = NULL;
+		pk11_FreeAttribute(ap);
+	    }
+	    so->head[i] = NULL;
+	}
+#endif
+/*	PK11_USE_THREADS(PZ_DestroyLock(so->attributeLock));*/
+	return CKR_OK;
+}
+
+/*
+ * free all the data associated with an object. Object reference count must
+ * be 'zero'.
+ */
+static CK_RV
+pk11_DestroyObject(PK11Object *object)
+{
+    CK_RV crv = CKR_OK;
+    PK11SessionObject *so = pk11_narrowToSessionObject(object);
+    PK11TokenObject *to = pk11_narrowToTokenObject(object);
+
+    PORT_Assert(object->refCount == 0);
+
+    /* delete the database value */
+    if (to) {
+	if (to->dbKey.data) {
+	   PORT_Free(to->dbKey.data);
+	   to->dbKey.data = NULL;
+	}
+    } 
+    if (so) {
+	pk11_DestroySessionObjectData(so);
+    }
+    if (object->objectInfo) {
+	(*object->infoFree)(object->objectInfo);
+    }
+#ifdef PKCS11_STATIC_ATTRIBUTES
+    if (so) {
+	pk11_PutObjectToList(so);
+    } else {
+	if (object->refLock) {
+	    PK11_USE_THREADS(PZ_DestroyLock(object->refLock);)
+	}
+	PORT_Free(to);
+    }
+#else
+    if (object->refLock) {
+        PK11_USE_THREADS(PZ_DestroyLock(object->refLock);)
+    }
+    arena = object->arena;
+    PORT_FreeArena(arena,PR_FALSE);
+#endif
+    return crv;
+}
+
+void
+pk11_ReferenceObject(PK11Object *object)
+{
+    PK11_USE_THREADS(PZ_Lock(object->refLock);)
+    object->refCount++;
+    PK11_USE_THREADS(PZ_Unlock(object->refLock);)
+}
+
+static PK11Object *
+pk11_ObjectFromHandleOnSlot(CK_OBJECT_HANDLE handle, PK11Slot *slot)
+{
+    PK11Object **head;
+    PZLock *lock;
+    PK11Object *object;
+
+    if (pk11_isToken(handle)) {
+	return pk11_NewTokenObject(slot, NULL, handle);
+    }
+
+    head = slot->tokObjects;
+    lock = slot->objectLock;
+
+    PK11_USE_THREADS(PZ_Lock(lock);)
+    pk11queue_find(object,handle,head,TOKEN_OBJECT_HASH_SIZE);
+    if (object) {
+	pk11_ReferenceObject(object);
+    }
+    PK11_USE_THREADS(PZ_Unlock(lock);)
+
+    return(object);
+}
+/*
+ * look up and object structure from a handle. OBJECT_Handles only make
+ * sense in terms of a given session.  make a reference to that object
+ * structure returned.
+ */
+PK11Object *
+pk11_ObjectFromHandle(CK_OBJECT_HANDLE handle, PK11Session *session)
+{
+    PK11Slot *slot = pk11_SlotFromSession(session);
+
+    return pk11_ObjectFromHandleOnSlot(handle,slot);
+}
+
+
+/*
+ * release a reference to an object handle
+ */
+PK11FreeStatus
+pk11_FreeObject(PK11Object *object)
+{
+    PRBool destroy = PR_FALSE;
+    CK_RV crv;
+
+    PK11_USE_THREADS(PZ_Lock(object->refLock);)
+    if (object->refCount == 1) destroy = PR_TRUE;
+    object->refCount--;
+    PK11_USE_THREADS(PZ_Unlock(object->refLock);)
+
+    if (destroy) {
+	crv = pk11_DestroyObject(object);
+	if (crv != CKR_OK) {
+	   return PK11_DestroyFailure;
+	} 
+	return PK11_Destroyed;
+    }
+    return PK11_Busy;
+}
+ 
+/*
+ * add an object to a slot and session queue. These two functions
+ * adopt the object.
+ */
+void
+pk11_AddSlotObject(PK11Slot *slot, PK11Object *object)
+{
+    PK11_USE_THREADS(PZ_Lock(slot->objectLock);)
+    pk11queue_add(object,object->handle,slot->tokObjects,
+							TOKEN_OBJECT_HASH_SIZE);
+    PK11_USE_THREADS(PZ_Unlock(slot->objectLock);)
+}
+
+void
+pk11_AddObject(PK11Session *session, PK11Object *object)
+{
+    PK11Slot *slot = pk11_SlotFromSession(session);
+    PK11SessionObject *so = pk11_narrowToSessionObject(object);
+
+    if (so) {
+	PK11_USE_THREADS(PZ_Lock(session->objectLock);)
+	pk11queue_add(&so->sessionList,0,session->objects,0);
+	so->session = session;
+	PK11_USE_THREADS(PZ_Unlock(session->objectLock);)
+    }
+    pk11_AddSlotObject(slot,object);
+    pk11_ReferenceObject(object);
+} 
+
+/*
+ * add an object to a slot andsession queue
+ */
+CK_RV
+pk11_DeleteObject(PK11Session *session, PK11Object *object)
+{
+    PK11Slot *slot = pk11_SlotFromSession(session);
+    PK11SessionObject *so = pk11_narrowToSessionObject(object);
+    PK11TokenObject *to = pk11_narrowToTokenObject(object);
+    CK_RV crv = CKR_OK;
+    SECStatus rv;
+    NSSLOWCERTCertificate *cert;
+    NSSLOWCERTCertTrust tmptrust;
+    PRBool isKrl;
+
+  /* Handle Token case */
+    if (so && so->session) {
+	PK11Session *session = so->session;
+	PK11_USE_THREADS(PZ_Lock(session->objectLock);)
+	pk11queue_delete(&so->sessionList,0,session->objects,0);
+	PK11_USE_THREADS(PZ_Unlock(session->objectLock);)
+	PK11_USE_THREADS(PZ_Lock(slot->objectLock);)
+	pk11queue_delete(object,object->handle,slot->tokObjects,
+						TOKEN_OBJECT_HASH_SIZE);
+	PK11_USE_THREADS(PZ_Unlock(slot->objectLock);)
+	pk11_FreeObject(object); /* reduce it's reference count */
+    } else {
+	PORT_Assert(to);
+	/* remove the objects from the real data base */
+	switch (object->handle & PK11_TOKEN_TYPE_MASK) {
+	case PK11_TOKEN_TYPE_PRIV:
+	case PK11_TOKEN_TYPE_KEY:
+	    /* KEYID is the public KEY for DSA and DH, and the MODULUS for
+	     *  RSA */
+	    PORT_Assert(slot->keyDB);
+	    rv = nsslowkey_DeleteKey(slot->keyDB, &to->dbKey);
+	    if (rv != SECSuccess) crv= CKR_DEVICE_ERROR;
+	    break;
+	case PK11_TOKEN_TYPE_PUB:
+	    break; /* public keys only exist at the behest of the priv key */
+	case PK11_TOKEN_TYPE_CERT:
+	    cert = nsslowcert_FindCertByKey(slot->certDB,&to->dbKey);
+	    if (cert == NULL) {
+		crv = CKR_DEVICE_ERROR;
+		break;
+	    }
+	    rv = nsslowcert_DeletePermCertificate(cert);
+	    if (rv != SECSuccess) crv = CKR_DEVICE_ERROR;
+	    nsslowcert_DestroyCertificate(cert);
+	    break;
+	case PK11_TOKEN_TYPE_CRL:
+	    isKrl = (PRBool) (object->handle == PK11_TOKEN_KRL_HANDLE);
+	    rv = nsslowcert_DeletePermCRL(slot->certDB,&to->dbKey,isKrl);
+	    if (rv == SECFailure) crv = CKR_DEVICE_ERROR;
+	    break;
+	case PK11_TOKEN_TYPE_TRUST:
+	    cert = nsslowcert_FindCertByKey(slot->certDB,&to->dbKey);
+	    if (cert == NULL) {
+		crv = CKR_DEVICE_ERROR;
+		break;
+	    }
+	    tmptrust = *cert->trust;
+	    tmptrust.sslFlags &= CERTDB_PRESERVE_TRUST_BITS;
+	    tmptrust.emailFlags &= CERTDB_PRESERVE_TRUST_BITS;
+	    tmptrust.objectSigningFlags &= CERTDB_PRESERVE_TRUST_BITS;
+	    tmptrust.sslFlags |= CERTDB_TRUSTED_UNKNOWN;
+	    tmptrust.emailFlags |= CERTDB_TRUSTED_UNKNOWN;
+	    tmptrust.objectSigningFlags |= CERTDB_TRUSTED_UNKNOWN;
+	    rv = nsslowcert_ChangeCertTrust(slot->certDB,cert,&tmptrust);
+	    if (rv != SECSuccess) crv = CKR_DEVICE_ERROR;
+	    nsslowcert_DestroyCertificate(cert);
+	    break;
+	default:
+	    break;
+	}
+	pk11_tokenKeyLock(object->slot);
+	pk11_deleteTokenKeyByHandle(object->slot,object->handle);
+	pk11_tokenKeyUnlock(object->slot);
+    } 
+    return crv;
+}
+
+/*
+ * copy the attributes from one object to another. Don't overwrite existing
+ * attributes. NOTE: This is a pretty expensive operation since it
+ * grabs the attribute locks for the src object for a *long* time.
+ */
+CK_RV
+pk11_CopyObject(PK11Object *destObject,PK11Object *srcObject)
+{
+    PK11Attribute *attribute;
+    PK11SessionObject *src_so = pk11_narrowToSessionObject(srcObject);
+    int i;
+
+    if (src_so == NULL) {
+	return CKR_DEVICE_ERROR; /* can't copy token objects yet */
+    }
+
+    PK11_USE_THREADS(PZ_Lock(src_so->attributeLock);)
+    for(i=0; i < ATTRIBUTE_HASH_SIZE; i++) {
+	attribute = src_so->head[i];
+	do {
+	    if (attribute) {
+		if (!pk11_hasAttribute(destObject,attribute->handle)) {
+		    /* we need to copy the attribute since each attribute
+		     * only has one set of link list pointers */
+		    PK11Attribute *newAttribute = pk11_NewAttribute(
+			  destObject,pk11_attr_expand(&attribute->attrib));
+		    if (newAttribute == NULL) {
+			PK11_USE_THREADS(PZ_Unlock(src_so->attributeLock);)
+			return CKR_HOST_MEMORY;
+		    }
+		    pk11_AddAttribute(destObject,newAttribute);
+		}
+		attribute=attribute->next;
+	    }
+	} while (attribute != NULL);
+    }
+    PK11_USE_THREADS(PZ_Unlock(src_so->attributeLock);)
+    return CKR_OK;
+}
+
+/*
+ * ******************** Search Utilities *******************************
+ */
+
+/* add an object to a search list */
+CK_RV
+AddToList(PK11ObjectListElement **list,PK11Object *object)
+{
+     PK11ObjectListElement *newElem = 
+	(PK11ObjectListElement *)PORT_Alloc(sizeof(PK11ObjectListElement));
+
+     if (newElem == NULL) return CKR_HOST_MEMORY;
+
+     newElem->next = *list;
+     newElem->object = object;
+     pk11_ReferenceObject(object);
+
+    *list = newElem;
+    return CKR_OK;
+}
+
+
+/* return true if the object matches the template */
+PRBool
+pk11_objectMatch(PK11Object *object,CK_ATTRIBUTE_PTR theTemplate,int count)
+{
+    int i;
+
+    for (i=0; i < count; i++) {
+	PK11Attribute *attribute = pk11_FindAttribute(object,theTemplate[i].type);
+	if (attribute == NULL) {
+	    return PR_FALSE;
+	}
+	if (attribute->attrib.ulValueLen == theTemplate[i].ulValueLen) {
+	    if (PORT_Memcmp(attribute->attrib.pValue,theTemplate[i].pValue,
+					theTemplate[i].ulValueLen) == 0) {
+        	pk11_FreeAttribute(attribute);
+		continue;
+	    }
+	}
+        pk11_FreeAttribute(attribute);
+	return PR_FALSE;
+    }
+    return PR_TRUE;
+}
+
+/* search through all the objects in the queue and return the template matches
+ * in the object list.
+ */
+CK_RV
+pk11_searchObjectList(PK11SearchResults *search,PK11Object **head,
+        PZLock *lock, CK_ATTRIBUTE_PTR theTemplate, int count, PRBool isLoggedIn)
+{
+    int i;
+    PK11Object *object;
+    CK_RV crv = CKR_OK;
+
+    for(i=0; i < TOKEN_OBJECT_HASH_SIZE; i++) {
+        /* We need to hold the lock to copy a consistant version of
+         * the linked list. */
+        PK11_USE_THREADS(PZ_Lock(lock);)
+	for (object = head[i]; object != NULL; object= object->next) {
+	    if (pk11_objectMatch(object,theTemplate,count)) {
+		/* don't return objects that aren't yet visible */
+		if ((!isLoggedIn) && pk11_isTrue(object,CKA_PRIVATE)) continue;
+		pk11_addHandle(search,object->handle);
+	    }
+	}
+        PK11_USE_THREADS(PZ_Unlock(lock);)
+    }
+    return crv;
+}
+
+/*
+ * free a single list element. Return the Next object in the list.
+ */
+PK11ObjectListElement *
+pk11_FreeObjectListElement(PK11ObjectListElement *objectList)
+{
+    PK11ObjectListElement *ol = objectList->next;
+
+    pk11_FreeObject(objectList->object);
+    PORT_Free(objectList);
+    return ol;
+}
+
+/* free an entire object list */
+void
+pk11_FreeObjectList(PK11ObjectListElement *objectList)
+{
+    PK11ObjectListElement *ol;
+
+    for (ol= objectList; ol != NULL; ol = pk11_FreeObjectListElement(ol)) {}
+}
+
+/*
+ * free a search structure
+ */
+void
+pk11_FreeSearch(PK11SearchResults *search)
+{
+    if (search->handles) {
+	PORT_Free(search->handles);
+    }
+    PORT_Free(search);
+}
+
+/*
+ * ******************** Session Utilities *******************************
+ */
+
+/* update the sessions state based in it's flags and wether or not it's
+ * logged in */
+void
+pk11_update_state(PK11Slot *slot,PK11Session *session)
+{
+    if (slot->isLoggedIn) {
+	if (slot->ssoLoggedIn) {
+    	    session->info.state = CKS_RW_SO_FUNCTIONS;
+	} else if (session->info.flags & CKF_RW_SESSION) {
+    	    session->info.state = CKS_RW_USER_FUNCTIONS;
+	} else {
+    	    session->info.state = CKS_RO_USER_FUNCTIONS;
+	}
+    } else {
+	if (session->info.flags & CKF_RW_SESSION) {
+    	    session->info.state = CKS_RW_PUBLIC_SESSION;
+	} else {
+    	    session->info.state = CKS_RO_PUBLIC_SESSION;
+	}
+    }
+}
+
+/* update the state of all the sessions on a slot */
+void
+pk11_update_all_states(PK11Slot *slot)
+{
+    int i;
+    PK11Session *session;
+
+    for (i=0; i < SESSION_HASH_SIZE; i++) {
+	PK11_USE_THREADS(PZ_Lock(PK11_SESSION_LOCK(slot,i));)
+	for (session = slot->head[i]; session; session = session->next) {
+	    pk11_update_state(slot,session);
+	}
+	PK11_USE_THREADS(PZ_Unlock(PK11_SESSION_LOCK(slot,i));)
+    }
+}
+
+/*
+ * context are cipher and digest contexts that are associated with a session
+ */
+void
+pk11_FreeContext(PK11SessionContext *context)
+{
+    if (context->cipherInfo) {
+	(*context->destroy)(context->cipherInfo,PR_TRUE);
+    }
+    if (context->hashInfo) {
+	(*context->hashdestroy)(context->hashInfo,PR_TRUE);
+    }
+    if (context->key) {
+	pk11_FreeObject(context->key);
+	context->key = NULL;
+    }
+    PORT_Free(context);
+}
+
+/*
+ * create a new nession. NOTE: The session handle is not set, and the
+ * session is not added to the slot's session queue.
+ */
+PK11Session *
+pk11_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify, CK_VOID_PTR pApplication,
+							     CK_FLAGS flags)
+{
+    PK11Session *session;
+    PK11Slot *slot = pk11_SlotFromID(slotID);
+
+    if (slot == NULL) return NULL;
+
+    session = (PK11Session*)PORT_Alloc(sizeof(PK11Session));
+    if (session == NULL) return NULL;
+
+    session->next = session->prev = NULL;
+    session->refCount = 1;
+    session->enc_context = NULL;
+    session->hash_context = NULL;
+    session->sign_context = NULL;
+    session->search = NULL;
+    session->objectIDCount = 1;
+#ifdef PKCS11_USE_THREADS
+    session->objectLock = PZ_NewLock(nssILockObject);
+    if (session->objectLock == NULL) {
+	PORT_Free(session);
+	return NULL;
+    }
+#else
+    session->objectLock = NULL;
+#endif
+    session->objects[0] = NULL;
+
+    session->slot = slot;
+    session->notify = notify;
+    session->appData = pApplication;
+    session->info.flags = flags;
+    session->info.slotID = slotID;
+    session->info.ulDeviceError = 0;
+    pk11_update_state(slot,session);
+    return session;
+}
+
+
+/* free all the data associated with a session. */
+static void
+pk11_DestroySession(PK11Session *session)
+{
+    PK11ObjectList *op,*next;
+    PORT_Assert(session->refCount == 0);
+
+    /* clean out the attributes */
+    /* since no one is referencing us, it's safe to walk the chain
+     * without a lock */
+    for (op = session->objects[0]; op != NULL; op = next) {
+        next = op->next;
+        /* paranoia */
+	op->next = op->prev = NULL;
+	pk11_DeleteObject(session,op->parent);
+    }
+    PK11_USE_THREADS(PZ_DestroyLock(session->objectLock);)
+    if (session->enc_context) {
+	pk11_FreeContext(session->enc_context);
+    }
+    if (session->hash_context) {
+	pk11_FreeContext(session->hash_context);
+    }
+    if (session->sign_context) {
+	pk11_FreeContext(session->sign_context);
+    }
+    if (session->search) {
+	pk11_FreeSearch(session->search);
+    }
+    PORT_Free(session);
+}
+
+
+/*
+ * look up a session structure from a session handle
+ * generate a reference to it.
+ */
+PK11Session *
+pk11_SessionFromHandle(CK_SESSION_HANDLE handle)
+{
+    PK11Slot	*slot = pk11_SlotFromSessionHandle(handle);
+    PK11Session *session;
+
+    PK11_USE_THREADS(PZ_Lock(PK11_SESSION_LOCK(slot,handle));)
+    pk11queue_find(session,handle,slot->head,SESSION_HASH_SIZE);
+    if (session) session->refCount++;
+    PK11_USE_THREADS(PZ_Unlock(PK11_SESSION_LOCK(slot,handle));)
+
+    return (session);
+}
+
+/*
+ * release a reference to a session handle
+ */
+void
+pk11_FreeSession(PK11Session *session)
+{
+    PRBool destroy = PR_FALSE;
+    PK11_USE_THREADS(PK11Slot *slot = pk11_SlotFromSession(session);)
+
+    PK11_USE_THREADS(PZ_Lock(PK11_SESSION_LOCK(slot,session->handle));)
+    if (session->refCount == 1) destroy = PR_TRUE;
+    session->refCount--;
+    PK11_USE_THREADS(PZ_Unlock(PK11_SESSION_LOCK(slot,session->handle));)
+
+    if (destroy) pk11_DestroySession(session);
+}
+/*
+ * handle Token Object stuff
+ */
+static void
+pk11_XORHash(unsigned char *key, unsigned char *dbkey, int len)
+{
+   int i;
+
+   PORT_Memset(key, 0, 4);
+
+   for (i=0; i < len-4; i += 4) {
+	key[0] ^= dbkey[i];
+	key[1] ^= dbkey[i+1];
+	key[2] ^= dbkey[i+2];
+	key[3] ^= dbkey[i+3];
+   }
+}
+
+/* Make a token handle for an object and record it so we can find it again */
+CK_OBJECT_HANDLE
+pk11_mkHandle(PK11Slot *slot, SECItem *dbKey, CK_OBJECT_HANDLE class)
+{
+    unsigned char hashBuf[4];
+    CK_OBJECT_HANDLE handle;
+    SECItem *key;
+
+    handle = class;
+    /* there is only one KRL, use a fixed handle for it */
+    if (handle != PK11_TOKEN_KRL_HANDLE) {
+	pk11_XORHash(hashBuf,dbKey->data,dbKey->len);
+	handle = (hashBuf[0] << 24) | (hashBuf[1] << 16) | 
+					(hashBuf[2] << 8)  | hashBuf[3];
+	handle = PK11_TOKEN_MAGIC | class | 
+			(handle & ~(PK11_TOKEN_TYPE_MASK|PK11_TOKEN_MASK));
+	/* we have a CRL who's handle has randomly matched the reserved KRL
+	 * handle, increment it */
+	if (handle == PK11_TOKEN_KRL_HANDLE) {
+	    handle++;
+	}
+    }
+
+    pk11_tokenKeyLock(slot);
+    while ((key = pk11_lookupTokenKeyByHandle(slot,handle)) != NULL) {
+	if (SECITEM_ItemsAreEqual(key,dbKey)) {
+    	   pk11_tokenKeyUnlock(slot);
+	   return handle;
+	}
+	handle++;
+    }
+    pk11_addTokenKeyByHandle(slot,handle,dbKey);
+    pk11_tokenKeyUnlock(slot);
+    return handle;
+}
+
+void
+pk11_addHandle(PK11SearchResults *search, CK_OBJECT_HANDLE handle)
+{
+    if (search->handles == NULL) {
+	return;
+    }
+    if (search->size >= search->array_size) {
+	search->array_size += NSC_SEARCH_BLOCK_SIZE;
+	search->handles = (CK_OBJECT_HANDLE *) PORT_Realloc(search->handles,
+				 sizeof(CK_OBJECT_HANDLE)* search->array_size);
+	if (search->handles == NULL) {
+	   return;
+	}
+    }
+    search->handles[search->size] = handle;
+    search->size++;
+}
+
+static const CK_OBJECT_HANDLE pk11_classArray[] = {
+    0, CKO_PRIVATE_KEY, CKO_PUBLIC_KEY, CKO_SECRET_KEY,
+    CKO_NETSCAPE_TRUST, CKO_NETSCAPE_CRL, CKO_NETSCAPE_SMIME,
+     CKO_CERTIFICATE };
+
+#define handleToClass(handle) \
+    pk11_classArray[((handle & PK11_TOKEN_TYPE_MASK))>>28]
+
+PK11Object *
+pk11_NewTokenObject(PK11Slot *slot, SECItem *dbKey, CK_OBJECT_HANDLE handle)
+{
+    PK11Object *object = NULL;
+    PK11TokenObject *tokObject = NULL;
+    SECStatus rv;
+
+#ifdef PKCS11_STATIC_ATTRIBUTES
+    object = (PK11Object *) PORT_ZAlloc(sizeof(PK11TokenObject));
+    if (object == NULL) {
+	return NULL;
+    }
+#else
+    PRArenaPool *arena;
+
+    arena = PORT_NewArena(2048);
+    if (arena == NULL) return NULL;
+
+    object = (PK11Object*)PORT_ArenaZAlloc(arena,sizeof(PK11TokenObject));
+    if (object == NULL) {
+	PORT_FreeArena(arena,PR_FALSE);
+	return NULL;
+    }
+    object->arena = arena;
+#endif
+    tokObject = (PK11TokenObject *) object;
+
+    object->objclass = handleToClass(handle);
+    object->handle = handle;
+    object->slot = slot;
+    object->objectInfo = NULL;
+    object->infoFree = NULL;
+    if (dbKey == NULL) {
+	pk11_tokenKeyLock(slot);
+	dbKey = pk11_lookupTokenKeyByHandle(slot,handle);
+	if (dbKey == NULL) {
+    	    pk11_tokenKeyUnlock(slot);
+	    goto loser;
+	}
+	rv = SECITEM_CopyItem(NULL,&tokObject->dbKey,dbKey);
+	pk11_tokenKeyUnlock(slot);
+    } else {
+	rv = SECITEM_CopyItem(NULL,&tokObject->dbKey,dbKey);
+    }
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+#ifdef PKCS11_USE_THREADS
+    object->refLock = PZ_NewLock(nssILockRefLock);
+    if (object->refLock == NULL) {
+	goto loser;
+    }
+#endif
+    object->refCount = 1;
+
+    return object;
+loser:
+    if (object) {
+	(void) pk11_DestroyObject(object);
+    }
+    return NULL;
+
+}
+
+PRBool
+pk11_tokenMatch(PK11Slot *slot, SECItem *dbKey, CK_OBJECT_HANDLE class,
+					CK_ATTRIBUTE_PTR theTemplate,int count)
+{
+    PK11Object *object;
+    PRBool ret;
+
+    object = pk11_NewTokenObject(slot,dbKey,PK11_TOKEN_MASK|class);
+    if (object == NULL) {
+	return PR_FALSE;
+    }
+
+    ret = pk11_objectMatch(object,theTemplate,count);
+    pk11_FreeObject(object);
+    return ret;
+}
+
+PK11TokenObject *
+pk11_convertSessionToToken(PK11Object *obj)
+{
+    SECItem *key;
+    PK11SessionObject *so = (PK11SessionObject *)obj;
+    PK11TokenObject *to = pk11_narrowToTokenObject(obj);
+    SECStatus rv;
+
+    pk11_DestroySessionObjectData(so);
+    PK11_USE_THREADS(PZ_DestroyLock(so->attributeLock));
+    if (to == NULL) {
+	return NULL;
+    }
+    pk11_tokenKeyLock(so->obj.slot);
+    key = pk11_lookupTokenKeyByHandle(so->obj.slot,so->obj.handle);
+    if (key == NULL) {
+    	pk11_tokenKeyUnlock(so->obj.slot);
+	return NULL;
+    }
+    rv = SECITEM_CopyItem(NULL,&to->dbKey,key);
+    pk11_tokenKeyUnlock(so->obj.slot);
+    if (rv == SECFailure) {
+	return NULL;
+    }
+
+    return to;
+
+}
+
+PK11SessionObject *
+pk11_narrowToSessionObject(PK11Object *obj)
+{
+    return !pk11_isToken(obj->handle) ? (PK11SessionObject *)obj : NULL;
+}
+
+PK11TokenObject *
+pk11_narrowToTokenObject(PK11Object *obj)
+{
+    return pk11_isToken(obj->handle) ? (PK11TokenObject *)obj : NULL;
+}
+
diff --git a/security/nss/lib/softoken/pkcs11u.h b/security/nss/lib/softoken/pkcs11u.h
new file mode 100644
index 000000000..0addf0f6f
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11u.h
@@ -0,0 +1,47 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
+ * is granted provided that it is identified as "RSA Security Inc. Public-Key
+ * Cryptography Standards (PKCS)" in all material mentioning or referencing
+ * this document.
+ */
+/*
+ * reset any packing set by pkcs11p.h
+ */
+
+#if defined (_WIN32)
+#pragma warning(disable:4103)
+#pragma pack(pop, cryptoki)
+#endif
+
diff --git a/security/nss/lib/softoken/rawhash.c b/security/nss/lib/softoken/rawhash.c
new file mode 100644
index 000000000..9250bf62b
--- /dev/null
+++ b/security/nss/lib/softoken/rawhash.c
@@ -0,0 +1,111 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "nspr.h"
+#include "sechash.h"
+#include "blapi.h"	/* below the line */
+
+
+static void *
+null_hash_new_context(void)
+{
+    return NULL;
+}
+
+static void *
+null_hash_clone_context(void *v)
+{
+    PORT_Assert(v == NULL);
+    return NULL;
+}
+
+static void
+null_hash_begin(void *v)
+{
+}
+
+static void
+null_hash_update(void *v, const unsigned char *input, unsigned int length)
+{
+}
+
+static void
+null_hash_end(void *v, unsigned char *output, unsigned int *outLen,
+	      unsigned int maxOut)
+{
+    *outLen = 0;
+}
+
+static void
+null_hash_destroy_context(void *v, PRBool b)
+{
+    PORT_Assert(v == NULL);
+}
+
+
+const SECHashObject SECRawHashObjects[] = {
+  { 0,
+    (void * (*)(void)) null_hash_new_context,
+    (void * (*)(void *)) null_hash_clone_context,
+    (void (*)(void *, PRBool)) null_hash_destroy_context,
+    (void (*)(void *)) null_hash_begin,
+    (void (*)(void *, const unsigned char *, unsigned int)) null_hash_update,
+    (void (*)(void *, unsigned char *, unsigned int *,
+	      unsigned int)) null_hash_end
+  },
+  { MD2_LENGTH,
+    (void * (*)(void)) MD2_NewContext,
+    (void * (*)(void *)) null_hash_clone_context,
+    (void (*)(void *, PRBool)) MD2_DestroyContext,
+    (void (*)(void *)) MD2_Begin,
+    (void (*)(void *, const unsigned char *, unsigned int)) MD2_Update,
+    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) MD2_End
+  },
+  { MD5_LENGTH,
+    (void * (*)(void)) MD5_NewContext,
+    (void * (*)(void *)) null_hash_clone_context,
+    (void (*)(void *, PRBool)) MD5_DestroyContext,
+    (void (*)(void *)) MD5_Begin,
+    (void (*)(void *, const unsigned char *, unsigned int)) MD5_Update,
+    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) MD5_End
+  },
+  { SHA1_LENGTH,
+    (void * (*)(void)) SHA1_NewContext,
+    (void * (*)(void *)) null_hash_clone_context,
+    (void (*)(void *, PRBool)) SHA1_DestroyContext,
+    (void (*)(void *)) SHA1_Begin,
+    (void (*)(void *, const unsigned char *, unsigned int)) SHA1_Update,
+    (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) SHA1_End
+  },
+};
+
diff --git a/security/nss/lib/softoken/rsawrapr.c b/security/nss/lib/softoken/rsawrapr.c
new file mode 100644
index 000000000..b17d4fc8e
--- /dev/null
+++ b/security/nss/lib/softoken/rsawrapr.c
@@ -0,0 +1,865 @@
+/*
+ * PKCS#1 encoding and decoding functions.
+ * This file is believed to contain no code licensed from other parties.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "blapi.h"
+#include "softoken.h"
+#include "sechash.h"
+
+#include "lowkeyi.h"
+#include "secerr.h"
+
+#define RSA_BLOCK_MIN_PAD_LEN		8
+#define RSA_BLOCK_FIRST_OCTET		0x00
+#define RSA_BLOCK_PRIVATE0_PAD_OCTET	0x00
+#define RSA_BLOCK_PRIVATE_PAD_OCTET	0xff
+#define RSA_BLOCK_AFTER_PAD_OCTET	0x00
+
+#define OAEP_SALT_LEN		8
+#define OAEP_PAD_LEN		8
+#define OAEP_PAD_OCTET		0x00
+
+#define FLAT_BUFSIZE 512	/* bytes to hold flattened SHA1Context. */
+
+static SHA1Context *
+SHA1_CloneContext(SHA1Context *original)
+{
+    SHA1Context *  clone	= NULL;
+    unsigned char *pBuf;
+    int            sha1ContextSize = SHA1_FlattenSize(original);
+    SECStatus      frv;
+    unsigned char  buf[FLAT_BUFSIZE];
+
+    PORT_Assert(sizeof buf >= sha1ContextSize);
+    if (sizeof buf >= sha1ContextSize) {
+    	pBuf = buf;
+    } else {
+        pBuf = PORT_Alloc(sha1ContextSize);
+	if (!pBuf)
+	    goto done;
+    }
+
+    frv = SHA1_Flatten(original, pBuf);
+    if (frv == SECSuccess) {
+	clone = SHA1_Resurrect(pBuf, NULL);
+	memset(pBuf, 0, sha1ContextSize);
+    }
+done:
+    if (pBuf != buf)
+    	PORT_Free(pBuf);
+    return clone;
+}
+
+/*
+ * Modify data by XORing it with a special hash of salt.
+ */
+static SECStatus
+oaep_xor_with_h1(unsigned char *data, unsigned int datalen,
+		 unsigned char *salt, unsigned int saltlen)
+{
+    SHA1Context *sha1cx;
+    unsigned char *dp, *dataend;
+    unsigned char end_octet;
+
+    sha1cx = SHA1_NewContext();
+    if (sha1cx == NULL) {
+	return SECFailure;
+    }
+
+    /*
+     * Get a hash of salt started; we will use it several times,
+     * adding in a different end octet (x00, x01, x02, ...).
+     */
+    SHA1_Begin (sha1cx);
+    SHA1_Update (sha1cx, salt, saltlen);
+    end_octet = 0;
+
+    dp = data;
+    dataend = data + datalen;
+
+    while (dp < dataend) {
+	SHA1Context *sha1cx_h1;
+	unsigned int sha1len, sha1off;
+	unsigned char sha1[SHA1_LENGTH];
+
+	/*
+	 * Create hash of (salt || end_octet)
+	 */
+	sha1cx_h1 = SHA1_CloneContext (sha1cx);
+	SHA1_Update (sha1cx_h1, &end_octet, 1);
+	SHA1_End (sha1cx_h1, sha1, &sha1len, sizeof(sha1));
+	SHA1_DestroyContext (sha1cx_h1, PR_TRUE);
+	PORT_Assert (sha1len == SHA1_LENGTH);
+
+	/*
+	 * XOR that hash with the data.
+	 * When we have fewer than SHA1_LENGTH octets of data
+	 * left to xor, use just the low-order ones of the hash.
+	 */
+	sha1off = 0;
+	if ((dataend - dp) < SHA1_LENGTH)
+	    sha1off = SHA1_LENGTH - (dataend - dp);
+	while (sha1off < SHA1_LENGTH)
+	    *dp++ ^= sha1[sha1off++];
+
+	/*
+	 * Bump for next hash chunk.
+	 */
+	end_octet++;
+    }
+
+    return SECSuccess;
+}
+
+/*
+ * Modify salt by XORing it with a special hash of data.
+ */
+static SECStatus
+oaep_xor_with_h2(unsigned char *salt, unsigned int saltlen,
+		 unsigned char *data, unsigned int datalen)
+{
+    unsigned char sha1[SHA1_LENGTH];
+    unsigned char *psalt, *psha1, *saltend;
+    SECStatus rv;
+
+    /*
+     * Create a hash of data.
+     */
+    rv = SHA1_HashBuf (sha1, data, datalen);
+    if (rv != SECSuccess) {
+	return rv;
+    }
+
+    /*
+     * XOR the low-order octets of that hash with salt.
+     */
+    PORT_Assert (saltlen <= SHA1_LENGTH);
+    saltend = salt + saltlen;
+    psalt = salt;
+    psha1 = sha1 + SHA1_LENGTH - saltlen;
+    while (psalt < saltend) {
+	*psalt++ ^= *psha1++;
+    }
+
+    return SECSuccess;
+}
+
+/*
+ * Format one block of data for public/private key encryption using
+ * the rules defined in PKCS #1.
+ */
+static unsigned char *
+rsa_FormatOneBlock(unsigned modulusLen, RSA_BlockType blockType,
+		   SECItem *data)
+{
+    unsigned char *block;
+    unsigned char *bp;
+    int padLen;
+    int i;
+
+    block = (unsigned char *) PORT_Alloc(modulusLen);
+    if (block == NULL)
+	return NULL;
+
+    bp = block;
+
+    /*
+     * All RSA blocks start with two octets:
+     *	0x00 || BlockType
+     */
+    *bp++ = RSA_BLOCK_FIRST_OCTET;
+    *bp++ = (unsigned char) blockType;
+
+    switch (blockType) {
+
+      /*
+       * Blocks intended for private-key operation.
+       */
+      case RSA_BlockPrivate0: /* essentially unused */
+      case RSA_BlockPrivate:	 /* preferred method */
+	/*
+	 * 0x00 || BT || Pad || 0x00 || ActualData
+	 *   1      1   padLen    1      data->len
+	 * Pad is either all 0x00 or all 0xff bytes, depending on blockType.
+	 */
+	padLen = modulusLen - data->len - 3;
+	PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
+	PORT_Memset (bp,
+		   blockType == RSA_BlockPrivate0
+			? RSA_BLOCK_PRIVATE0_PAD_OCTET
+			: RSA_BLOCK_PRIVATE_PAD_OCTET,
+		   padLen);
+	bp += padLen;
+	*bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
+	PORT_Memcpy (bp, data->data, data->len);
+	break;
+
+      /*
+       * Blocks intended for public-key operation.
+       */
+      case RSA_BlockPublic:
+
+	/*
+	 * 0x00 || BT || Pad || 0x00 || ActualData
+	 *   1      1   padLen    1      data->len
+	 * Pad is all non-zero random bytes.
+	 */
+	padLen = modulusLen - data->len - 3;
+	PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
+	for (i = 0; i < padLen; i++) {
+	    /* Pad with non-zero random data. */
+	    do {
+		RNG_GenerateGlobalRandomBytes(bp + i, 1);
+	    } while (bp[i] == RSA_BLOCK_AFTER_PAD_OCTET);
+	}
+	bp += padLen;
+	*bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
+	PORT_Memcpy (bp, data->data, data->len);
+
+	break;
+
+      /*
+       * Blocks intended for public-key operation, using
+       * Optimal Asymmetric Encryption Padding (OAEP).
+       */
+      case RSA_BlockOAEP:
+	/*
+	 * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData)
+	 *   1      1     OAEP_SALT_LEN     OAEP_PAD_LEN + data->len [+ N]
+	 *
+	 * where:
+	 *   PaddedData is "Pad1 || ActualData [|| Pad2]"
+	 *   Salt is random data.
+	 *   Pad1 is all zeros.
+	 *   Pad2, if present, is random data.
+	 *   (The "modified" fields are all the same length as the original
+	 * unmodified values; they are just xor'd with other values.)
+	 *
+	 *   Modified1 is an XOR of PaddedData with a special octet
+	 * string constructed of iterated hashing of Salt (see below).
+	 *   Modified2 is an XOR of Salt with the low-order octets of
+	 * the hash of Modified1 (see farther below ;-).
+	 *
+	 * Whew!
+	 */
+
+
+	/*
+	 * Salt
+	 */
+	RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN);
+	bp += OAEP_SALT_LEN;
+
+	/*
+	 * Pad1
+	 */
+	PORT_Memset (bp, OAEP_PAD_OCTET, OAEP_PAD_LEN);
+	bp += OAEP_PAD_LEN;
+
+	/*
+	 * Data
+	 */
+	PORT_Memcpy (bp, data->data, data->len);
+	bp += data->len;
+
+	/*
+	 * Pad2
+	 */
+	if (bp < (block + modulusLen))
+	    RNG_GenerateGlobalRandomBytes(bp, block - bp + modulusLen);
+
+	/*
+	 * Now we have the following:
+	 * 0x00 || BT || Salt || PaddedData
+	 * (From this point on, "Pad1 || Data [|| Pad2]" is treated
+	 * as the one entity PaddedData.)
+	 *
+	 * We need to turn PaddedData into Modified1.
+	 */
+	if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN,
+			     modulusLen - 2 - OAEP_SALT_LEN,
+			     block + 2, OAEP_SALT_LEN) != SECSuccess) {
+	    PORT_Free (block);
+	    return NULL;
+	}
+
+	/*
+	 * Now we have:
+	 * 0x00 || BT || Salt || Modified1(PaddedData)
+	 *
+	 * The remaining task is to turn Salt into Modified2.
+	 */
+	if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN,
+			     block + 2 + OAEP_SALT_LEN,
+			     modulusLen - 2 - OAEP_SALT_LEN) != SECSuccess) {
+	    PORT_Free (block);
+	    return NULL;
+	}
+
+	break;
+
+      default:
+	PORT_Assert (0);
+	PORT_Free (block);
+	return NULL;
+    }
+
+    return block;
+}
+
+static SECStatus
+rsa_FormatBlock(SECItem *result, unsigned modulusLen,
+		RSA_BlockType blockType, SECItem *data)
+{
+    /*
+     * XXX For now assume that the data length fits in a single
+     * XXX encryption block; the ASSERTs below force this.
+     * XXX To fix it, each case will have to loop over chunks whose
+     * XXX lengths satisfy the assertions, until all data is handled.
+     * XXX (Unless RSA has more to say about how to handle data
+     * XXX which does not fit in a single encryption block?)
+     * XXX And I do not know what the result is supposed to be,
+     * XXX so the interface to this function may need to change
+     * XXX to allow for returning multiple blocks, if they are
+     * XXX not wanted simply concatenated one after the other.
+     */
+
+    switch (blockType) {
+      case RSA_BlockPrivate0:
+      case RSA_BlockPrivate:
+      case RSA_BlockPublic:
+	/*
+	 * 0x00 || BT || Pad || 0x00 || ActualData
+	 *
+	 * The "3" below is the first octet + the second octet + the 0x00
+	 * octet that always comes just before the ActualData.
+	 */
+	PORT_Assert (data->len <= (modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN)));
+
+	result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
+	if (result->data == NULL) {
+	    result->len = 0;
+	    return SECFailure;
+	}
+	result->len = modulusLen;
+
+	break;
+
+      case RSA_BlockOAEP:
+	/*
+	 * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2])
+	 *
+	 * The "2" below is the first octet + the second octet.
+	 * (The other fields do not contain the clear values, but are
+	 * the same length as the clear values.)
+	 */
+	PORT_Assert (data->len <= (modulusLen - (2 + OAEP_SALT_LEN
+						 + OAEP_PAD_LEN)));
+
+	result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
+	if (result->data == NULL) {
+	    result->len = 0;
+	    return SECFailure;
+	}
+	result->len = modulusLen;
+
+	break;
+
+      case RSA_BlockRaw:
+	/*
+	 * Pad || ActualData
+	 * Pad is zeros. The application is responsible for recovering
+	 * the actual data.
+	 */
+	result->data = (unsigned char*)PORT_ZAlloc(modulusLen);
+	result->len = modulusLen;
+	PORT_Memcpy(result->data+(modulusLen-data->len),data->data,data->len);
+	break;
+
+      default:
+	PORT_Assert (0);
+	result->data = NULL;
+	result->len = 0;
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_Sign(NSSLOWKEYPrivateKey *key, 
+         unsigned char *      output, 
+	 unsigned int *       output_len,
+         unsigned int         maxOutputLen, 
+	 unsigned char *      input, 
+	 unsigned int         input_len)
+{
+    SECStatus     rv          = SECSuccess;
+    unsigned int  modulus_len = nsslowkey_PrivateModulusLen(key);
+    SECItem       formatted;
+    SECItem       unformatted;
+
+    if (maxOutputLen < modulus_len) 
+    	return SECFailure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	return SECFailure;
+
+    unformatted.len  = input_len;
+    unformatted.data = input;
+    formatted.data   = NULL;
+    rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockPrivate,
+			 &unformatted);
+    if (rv != SECSuccess) 
+    	goto done;
+
+    rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, output, formatted.data);
+    *output_len = modulus_len;
+
+    goto done;
+
+done:
+    if (formatted.data != NULL) 
+    	PORT_ZFree(formatted.data, modulus_len);
+    return rv;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_CheckSign(NSSLOWKEYPublicKey *key,
+              unsigned char *     sign, 
+	      unsigned int        sign_len, 
+	      unsigned char *     hash, 
+	      unsigned int        hash_len)
+{
+    SECStatus       rv;
+    unsigned int    modulus_len = nsslowkey_PublicModulusLen(key);
+    unsigned int    i;
+    unsigned char * buffer;
+
+    modulus_len = nsslowkey_PublicModulusLen(key);
+    if (sign_len != modulus_len) 
+    	goto failure;
+    if (hash_len > modulus_len - 8) 
+    	goto failure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+
+    buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
+    if (!buffer)
+    	goto failure;
+
+    rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
+    if (rv != SECSuccess)
+	goto loser;
+
+    /*
+     * check the padding that was used
+     */
+    if (buffer[0] != 0 || buffer[1] != 1) 
+    	goto loser;
+    for (i = 2; i < modulus_len - hash_len - 1; i++) {
+	if (buffer[i] == 0) 
+	    break;
+	if (buffer[i] != 0xff) 
+	    goto loser;
+    }
+
+    /*
+     * make sure we get the same results
+     */
+    if (PORT_Memcmp(buffer + modulus_len - hash_len, hash, hash_len) != 0)
+	goto loser;
+
+    PORT_Free(buffer);
+    return SECSuccess;
+
+loser:
+    PORT_Free(buffer);
+failure:
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_CheckSignRecover(NSSLOWKEYPublicKey *key,
+                     unsigned char *     data,
+                     unsigned int *      data_len, 
+		     unsigned int        max_output_len, 
+		     unsigned char *     sign,
+		     unsigned int        sign_len)
+{
+    SECStatus       rv;
+    unsigned int    modulus_len = nsslowkey_PublicModulusLen(key);
+    unsigned int    i;
+    unsigned char * buffer;
+
+    if (sign_len != modulus_len) 
+    	goto failure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+
+    buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
+    if (!buffer)
+    	goto failure;
+
+    rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
+    if (rv != SECSuccess)
+    	goto loser;
+    *data_len = 0;
+
+    /*
+     * check the padding that was used
+     */
+    if (buffer[0] != 0 || buffer[1] != 1) 
+    	goto loser;
+    for (i = 2; i < modulus_len; i++) {
+	if (buffer[i] == 0) {
+	    *data_len = modulus_len - i - 1;
+	    break;
+	}
+	if (buffer[i] != 0xff) 
+	    goto loser;
+    }
+    if (*data_len == 0) 
+    	goto loser;
+    if (*data_len > max_output_len) 
+    	goto loser;
+
+    /*
+     * make sure we get the same results
+     */
+    PORT_Memcpy(data,buffer + modulus_len - *data_len, *data_len);
+
+    PORT_Free(buffer);
+    return SECSuccess;
+
+loser:
+    PORT_Free(buffer);
+failure:
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_EncryptBlock(NSSLOWKEYPublicKey *key, 
+                 unsigned char *     output, 
+		 unsigned int *      output_len,
+                 unsigned int        max_output_len, 
+		 unsigned char *     input, 
+		 unsigned int        input_len)
+{
+    SECStatus     rv;
+    unsigned int  modulus_len = nsslowkey_PublicModulusLen(key);
+    SECItem       formatted;
+    SECItem       unformatted;
+
+    formatted.data = NULL;
+    if (max_output_len < modulus_len) 
+    	goto failure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+
+    unformatted.len  = input_len;
+    unformatted.data = input;
+    formatted.data   = NULL;
+    rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockPublic,
+			 &unformatted);
+    if (rv != SECSuccess) 
+	goto failure;
+
+    rv = RSA_PublicKeyOp(&key->u.rsa, output, formatted.data);
+    if (rv != SECSuccess) 
+    	goto failure;
+
+    PORT_ZFree(formatted.data, modulus_len);
+    *output_len = modulus_len;
+    return SECSuccess;
+
+failure:
+    if (formatted.data != NULL) 
+	PORT_ZFree(formatted.data, modulus_len);
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_DecryptBlock(NSSLOWKEYPrivateKey *key, 
+                 unsigned char *      output, 
+		 unsigned int *       output_len,
+                 unsigned int         max_output_len, 
+		 unsigned char *      input, 
+		 unsigned int         input_len)
+{
+    SECStatus       rv;
+    unsigned int    modulus_len = nsslowkey_PrivateModulusLen(key);
+    unsigned int    i;
+    unsigned char * buffer;
+
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+    if (input_len != modulus_len)
+    	goto failure;
+
+    buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
+    if (!buffer)
+    	goto failure;
+
+    rv = RSA_PrivateKeyOp(&key->u.rsa, buffer, input);
+    if (rv != SECSuccess) 
+    	goto loser;
+
+    if (buffer[0] != 0 || buffer[1] != 2) 
+    	goto loser;
+    *output_len = 0;
+    for (i = 2; i < modulus_len; i++) {
+	if (buffer[i] == 0) {
+	    *output_len = modulus_len - i - 1;
+	    break;
+	}
+    }
+    if (*output_len == 0) 
+    	goto loser;
+    if (*output_len > max_output_len) 
+    	goto loser;
+
+    PORT_Memcpy(output, buffer + modulus_len - *output_len, *output_len);
+
+    PORT_Free(buffer);
+    return SECSuccess;
+
+loser:
+    PORT_Free(buffer);
+failure:
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+/*
+ * added to make pkcs #11 happy
+ *   RAW is RSA_X_509
+ */
+SECStatus
+RSA_SignRaw(NSSLOWKEYPrivateKey *key, 
+            unsigned char *      output, 
+	    unsigned int *       output_len,
+            unsigned int         maxOutputLen, 
+	    unsigned char *      input, 
+	    unsigned int         input_len)
+{
+    SECStatus    rv          = SECSuccess;
+    unsigned int modulus_len = nsslowkey_PrivateModulusLen(key);
+    SECItem      formatted;
+    SECItem      unformatted;
+
+    if (maxOutputLen < modulus_len) 
+    	return SECFailure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	return SECFailure;
+
+    unformatted.len  = input_len;
+    unformatted.data = input;
+    formatted.data   = NULL;
+    rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockRaw, &unformatted);
+    if (rv != SECSuccess) 
+    	goto done;
+
+    rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, output, formatted.data);
+    *output_len = modulus_len;
+
+done:
+    if (formatted.data != NULL) 
+    	PORT_ZFree(formatted.data, modulus_len);
+    return rv;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_CheckSignRaw(NSSLOWKEYPublicKey *key,
+                 unsigned char *     sign, 
+		 unsigned int        sign_len, 
+		 unsigned char *     hash, 
+		 unsigned int        hash_len)
+{
+    SECStatus       rv;
+    unsigned int    modulus_len = nsslowkey_PublicModulusLen(key);
+    unsigned char * buffer;
+
+    if (sign_len != modulus_len) 
+    	goto failure;
+    if (hash_len > modulus_len) 
+    	goto failure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+
+    buffer = (unsigned char *)PORT_Alloc(modulus_len + 1);
+    if (!buffer)
+    	goto failure;
+
+    rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign);
+    if (rv != SECSuccess)
+	goto loser;
+
+    /*
+     * make sure we get the same results
+     */
+    /* NOTE: should we verify the leading zeros? */
+    if (PORT_Memcmp(buffer + (modulus_len-hash_len), hash, hash_len) != 0)
+	goto loser;
+
+    PORT_Free(buffer);
+    return SECSuccess;
+
+loser:
+    PORT_Free(buffer);
+failure:
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_CheckSignRecoverRaw(NSSLOWKEYPublicKey *key,
+                        unsigned char *     data,
+                        unsigned int *      data_len, 
+			unsigned int        max_output_len, 
+			unsigned char *     sign,
+			unsigned int        sign_len)
+{
+    SECStatus      rv;
+    unsigned int   modulus_len = nsslowkey_PublicModulusLen(key);
+
+    if (sign_len != modulus_len) 
+    	goto failure;
+    if (max_output_len < modulus_len) 
+    	goto failure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+
+    rv = RSA_PublicKeyOp(&key->u.rsa, data, sign);
+    if (rv != SECSuccess)
+	goto failure;
+
+    *data_len = modulus_len;
+    return SECSuccess;
+
+failure:
+    return SECFailure;
+}
+
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_EncryptRaw(NSSLOWKEYPublicKey *key, 
+	       unsigned char *     output, 
+	       unsigned int *      output_len,
+               unsigned int        max_output_len, 
+	       unsigned char *     input, 
+	       unsigned int        input_len)
+{
+    SECStatus rv;
+    unsigned int  modulus_len = nsslowkey_PublicModulusLen(key);
+    SECItem       formatted;
+    SECItem       unformatted;
+
+    formatted.data = NULL;
+    if (max_output_len < modulus_len) 
+    	goto failure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+
+    unformatted.len  = input_len;
+    unformatted.data = input;
+    formatted.data   = NULL;
+    rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockRaw, &unformatted);
+    if (rv != SECSuccess)
+	goto failure;
+
+    rv = RSA_PublicKeyOp(&key->u.rsa, output, formatted.data);
+    if (rv != SECSuccess) 
+    	goto failure;
+
+    PORT_ZFree(formatted.data, modulus_len);
+    *output_len = modulus_len;
+    return SECSuccess;
+
+failure:
+    if (formatted.data != NULL) 
+	PORT_ZFree(formatted.data, modulus_len);
+    return SECFailure;
+}
+
+/* XXX Doesn't set error code */
+SECStatus
+RSA_DecryptRaw(NSSLOWKEYPrivateKey *key, 
+               unsigned char *      output, 
+	       unsigned int *       output_len,
+               unsigned int         max_output_len, 
+	       unsigned char *      input, 
+	       unsigned int         input_len)
+{
+    SECStatus     rv;
+    unsigned int  modulus_len = nsslowkey_PrivateModulusLen(key);
+
+    if (modulus_len <= 0) 
+    	goto failure;
+    if (modulus_len > max_output_len) 
+    	goto failure;
+    PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+    if (key->keyType != NSSLOWKEYRSAKey)
+    	goto failure;
+    if (input_len != modulus_len) 
+    	goto failure;
+
+    rv = RSA_PrivateKeyOp(&key->u.rsa, output, input);
+    if (rv != SECSuccess)
+    	goto failure;
+
+    *output_len = modulus_len;
+    return SECSuccess;
+
+failure:
+    return SECFailure;
+}
diff --git a/security/nss/lib/softoken/softkver.c b/security/nss/lib/softoken/softkver.c
new file mode 100644
index 000000000..a518a101e
--- /dev/null
+++ b/security/nss/lib/softoken/softkver.c
@@ -0,0 +1,59 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 2002 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/* Library identity and versioning */
+
+#include "nss.h"
+
+#if defined(DEBUG)
+#define _DEBUG_STRING " (debug)"
+#else
+#define _DEBUG_STRING ""
+#endif
+
+#if defined(MOZ_CLIENT)
+#define _CLIENT_STRING " for Clients"
+#else
+#define _CLIENT_STRING ""
+#endif
+
+/*
+ * Version information for the 'ident' and 'what commands
+ *
+ * NOTE: the first component of the concatenated rcsid string
+ * must not end in a '$' to prevent rcs keyword substitution.
+ */
+const char __nss_softokn_rcsid[] = "$Header: NSS " NSS_VERSION _CLIENT_STRING _DEBUG_STRING
+        "  " __DATE__ " " __TIME__ " $";
+const char __nss_softokn_sccsid[] = "@(#)NSS " NSS_VERSION _CLIENT_STRING _DEBUG_STRING
+        "  " __DATE__ " " __TIME__;
diff --git a/security/nss/lib/softoken/softoken.h b/security/nss/lib/softoken/softoken.h
new file mode 100644
index 000000000..f9fb06222
--- /dev/null
+++ b/security/nss/lib/softoken/softoken.h
@@ -0,0 +1,157 @@
+/*
+ * softoken.h - private data structures and prototypes for the softoken lib
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#ifndef _SOFTOKEN_H_
+#define _SOFTOKEN_H_
+
+#include "blapi.h"
+#include "lowkeyti.h"
+#include "softoknt.h"
+#include "secoidt.h"
+
+#include "pkcs11t.h"     /* CK_RV Required for pk11_fipsPowerUpSelfTest(). */
+
+SEC_BEGIN_PROTOS
+
+/*
+** RSA encryption/decryption. When encrypting/decrypting the output
+** buffer must be at least the size of the public key modulus.
+*/
+
+/*
+** Format some data into a PKCS#1 encryption block, preparing the
+** data for RSA encryption.
+**	"result" where the formatted block is stored (memory is allocated)
+**	"modulusLen" the size of the formatted block
+**	"blockType" what block type to use (SEC_RSABlock*)
+**	"data" the data to format
+*/
+extern SECStatus RSA_FormatBlock(SECItem *result,
+				 unsigned int modulusLen,
+				 RSA_BlockType blockType,
+				 SECItem *data);
+/*
+** Similar, but just returns a pointer to the allocated memory, *and*
+** will *only* format one block, even if we (in the future) modify
+** RSA_FormatBlock() to loop over multiples of modulusLen.
+*/
+extern unsigned char *RSA_FormatOneBlock(unsigned int modulusLen,
+					 RSA_BlockType blockType,
+					 SECItem *data);
+
+
+
+/*
+ * convenience wrappers for doing single RSA operations. They create the
+ * RSA context internally and take care of the formatting
+ * requirements. Blinding happens automagically within RSA_SignHash and
+ * RSA_DecryptBlock.
+ */
+extern
+SECStatus RSA_Sign(NSSLOWKEYPrivateKey *key, unsigned char *output,
+		       unsigned int *outputLen, unsigned int maxOutputLen,
+		       unsigned char *input, unsigned int inputLen);
+extern
+SECStatus RSA_CheckSign(NSSLOWKEYPublicKey *key, unsigned char *sign,
+			    unsigned int signLength, unsigned char *hash,
+			    unsigned int hashLength);
+extern
+SECStatus RSA_CheckSignRecover(NSSLOWKEYPublicKey *key, unsigned char *data,
+    			    unsigned int *data_len,unsigned int max_output_len, 
+			    unsigned char *sign, unsigned int sign_len);
+extern
+SECStatus RSA_EncryptBlock(NSSLOWKEYPublicKey *key, unsigned char *output,
+			   unsigned int *outputLen, unsigned int maxOutputLen,
+			   unsigned char *input, unsigned int inputLen);
+extern
+SECStatus RSA_DecryptBlock(NSSLOWKEYPrivateKey *key, unsigned char *output,
+			   unsigned int *outputLen, unsigned int maxOutputLen,
+			   unsigned char *input, unsigned int inputLen);
+
+/*
+ * added to make pkcs #11 happy
+ *   RAW is RSA_X_509
+ */
+extern
+SECStatus RSA_SignRaw( NSSLOWKEYPrivateKey *key, unsigned char *output,
+			 unsigned int *output_len, unsigned int maxOutputLen,
+			 unsigned char *input, unsigned int input_len);
+extern
+SECStatus RSA_CheckSignRaw( NSSLOWKEYPublicKey *key, unsigned char *sign, 
+			    unsigned int sign_len, unsigned char *hash, 
+			    unsigned int hash_len);
+extern
+SECStatus RSA_CheckSignRecoverRaw( NSSLOWKEYPublicKey *key, unsigned char *data,
+			    unsigned int *data_len, unsigned int max_output_len,
+			    unsigned char *sign, unsigned int sign_len);
+extern
+SECStatus RSA_EncryptRaw( NSSLOWKEYPublicKey *key, unsigned char *output,
+			    unsigned int *output_len,
+			    unsigned int max_output_len, 
+			    unsigned char *input, unsigned int input_len);
+extern
+SECStatus RSA_DecryptRaw(NSSLOWKEYPrivateKey *key, unsigned char *output,
+			     unsigned int *output_len,
+    			     unsigned int max_output_len,
+			     unsigned char *input, unsigned int input_len);
+
+/*
+** Prepare a buffer for DES encryption, growing to the appropriate boundary,
+** filling with the appropriate padding.
+** We add from 1 to DES_KEY_LENGTH bytes -- we *always* grow.
+** The extra bytes contain the value of the length of the padding:
+** if we have 2 bytes of padding, then the padding is "0x02, 0x02".
+**
+** NOTE: If arena is non-NULL, we re-allocate from there, otherwise
+** we assume (and use) PR memory (re)allocation.
+** Maybe this belongs in util?
+*/
+extern unsigned char * DES_PadBuffer(PRArenaPool *arena, unsigned char *inbuf, 
+                                     unsigned int inlen, unsigned int *outlen);
+
+
+/****************************************/
+/*
+** Power-Up selftests required for FIPS and invoked only
+** under PKCS #11 FIPS mode.
+*/
+extern CK_RV pk11_fipsPowerUpSelfTest( void ); 
+
+
+SEC_END_PROTOS
+
+#endif /* _SOFTOKEN_H_ */
diff --git a/security/nss/lib/softoken/softokn.def b/security/nss/lib/softoken/softokn.def
new file mode 100644
index 000000000..d851aa34d
--- /dev/null
+++ b/security/nss/lib/softoken/softokn.def
@@ -0,0 +1,57 @@
+;+#
+;+# The contents of this file are subject to the Mozilla Public
+;+# License Version 1.1 (the "License"); you may not use this file
+;+# except in compliance with the License. You may obtain a copy of
+;+# the License at http://www.mozilla.org/MPL/
+;+#
+;+# Software distributed under the License is distributed on an "AS
+;+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+;+# implied. See the License for the specific language governing
+;+# rights and limitations under the License.
+;+#
+;+# The Original Code is the Netscape security libraries.
+;+#
+;+# The Initial Developer of the Original Code is Netscape
+;+# Communications Corporation.  Portions created by Netscape are
+;+# Copyright (C) 2000 Netscape Communications Corporation.  All
+;+# Rights Reserved.
+;+#
+;+# Contributor(s): 
+;+#	Dr Stephen Henson <stephen.henson@gemplus.com>
+;+#
+;+# Alternatively, the contents of this file may be used under the
+;+# terms of the GNU General Public License Version 2 or later (the
+;+# "GPL"), in which case the provisions of the GPL are applicable
+;+# instead of those above.  If you wish to allow use of your
+;+# version of this file only under the terms of the GPL and not to
+;+# allow others to use your version of this file under the MPL,
+;+# indicate your decision by deleting the provisions above and
+;+# replace them with the notice and other provisions required by
+;+# the GPL.  If you do not delete the provisions above, a recipient
+;+# may use your version of this file under either the MPL or the
+;+# GPL.
+;+#
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+#   1. For all unix platforms, the string ";-"  means "remove this line"
+;+#   2. For all unix platforms, the string " DATA " will be removed from any 
+;+#	line on which it occurs.
+;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+#      On AIX, lines containing ";+" will be removed.  
+;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+#   5. For all unix platforms, after the above processing has taken place,
+;+#    all characters after the first ";" on the line will be removed.  
+;+#    And for AIX, the first ";" will also be removed.
+;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+#   directives are hidden behind ";", ";+", and ";-"
+;+NSS_3.4 {       # NSS 3.4 release
+;+    global:
+LIBRARY softokn3 ;-
+EXPORTS ;-
+C_GetFunctionList; Make this function like a real PKCS #11 module as well
+FC_GetFunctionList;
+NSC_GetFunctionList;
+NSC_ModuleDBFunc;
+;+    local:
+;+       *;
+;+};
diff --git a/security/nss/lib/softoken/softokn.rc b/security/nss/lib/softoken/softokn.rc
new file mode 100644
index 000000000..8c4c6f7c6
--- /dev/null
+++ b/security/nss/lib/softoken/softokn.rc
@@ -0,0 +1,102 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 2001 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "nss.h"
+#include <winver.h>
+
+#define MY_LIBNAME "softokn"
+#ifdef MOZ_CLIENT
+#define MY_FILEDESCRIPTION "NSS Builtin Crypto PKCS #11 Library for Clients"
+#else
+#define MY_FILEDESCRIPTION "NSS Builtin Crypto PKCS #11 Library"
+#endif
+
+#define STRINGIZE(x) #x
+#define STRINGIZE2(x) STRINGIZE(x)
+#define NSS_VMAJOR_STR STRINGIZE2(NSS_VMAJOR)
+
+#ifdef _DEBUG
+#define MY_DEBUG_STR " (debug)"
+#define MY_FILEFLAGS_1 VS_FF_DEBUG
+#else
+#define MY_DEBUG_STR ""
+#define MY_FILEFLAGS_1 0x0L
+#endif
+#if NSS_BETA
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
+#else
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
+#endif
+
+#ifdef WINNT
+#define MY_FILEOS VOS_NT_WINDOWS32
+#else
+#define MY_FILEOS VOS__WINDOWS32
+#endif
+
+#define MY_INTERNAL_NAME MY_LIBNAME NSS_VMAJOR_STR
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version-information resource
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
+ PRODUCTVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
+ FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
+ FILEFLAGS MY_FILEFLAGS_2
+ FILEOS MY_FILEOS
+ FILETYPE VFT_DLL
+ FILESUBTYPE 0x0L // not used
+
+BEGIN
+    BLOCK "StringFileInfo"
+    BEGIN
+        BLOCK "040904B0" // Lang=US English, CharSet=Unicode
+        BEGIN
+            VALUE "CompanyName", "Netscape Communications Corporation\0"
+            VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
+            VALUE "FileVersion", NSS_VERSION "\0"
+            VALUE "InternalName", MY_INTERNAL_NAME "\0"
+            VALUE "LegalCopyright", "Copyright \251 1994-2001 Netscape Communications Corporation\0"
+            VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
+            VALUE "ProductName", "Network Security Services\0"
+            VALUE "ProductVersion", NSS_VERSION "\0"
+        END
+    END
+    BLOCK "VarFileInfo"
+    BEGIN
+        VALUE "Translation", 0x409, 1200
+    END
+END
diff --git a/security/nss/lib/softoken/softoknt.h b/security/nss/lib/softoken/softoknt.h
new file mode 100644
index 000000000..da66c9042
--- /dev/null
+++ b/security/nss/lib/softoken/softoknt.h
@@ -0,0 +1,61 @@
+/*
+ * softoknt.h - public data structures for the software token library
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#ifndef _SOFTOKNT_H_
+#define _SOFTOKNT_H_
+
+/*
+ * RSA block types
+ *
+ * The actual values are important -- they are fixed, *not* arbitrary.
+ * The explicit value assignments are not needed (because C would give
+ * us those same values anyway) but are included as a reminder...
+ */
+typedef enum {
+    RSA_BlockPrivate0 = 0,	/* unused, really */
+    RSA_BlockPrivate = 1,	/* pad for a private-key operation */
+    RSA_BlockPublic = 2,	/* pad for a public-key operation */
+    RSA_BlockOAEP = 3,		/* use OAEP padding */
+				/* XXX is this only for a public-key
+				   operation? If so, add "Public" */
+    RSA_BlockRaw = 4,		/* simply justify the block appropriately */
+    RSA_BlockTotal
+} RSA_BlockType;
+
+#define NSS_SOFTOKEN_DEFAULT_CHUNKSIZE   2048
+
+#endif /* _SOFTOKNT_H_ */
diff --git a/security/nss/lib/ssl/Makefile b/security/nss/lib/ssl/Makefile
new file mode 100644
index 000000000..9b652250d
--- /dev/null
+++ b/security/nss/lib/ssl/Makefile
@@ -0,0 +1,87 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+CSRCS	+= win32err.c
+DEFINES += -DIN_LIBSSL
+else
+ifeq ($(OS_TARGET),OS2)
+CSRCS	+= os2_err.c
+else
+CSRCS	+= unix_err.c
+endif
+endif
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+export:: private_export
+
diff --git a/security/nss/lib/ssl/authcert.c b/security/nss/lib/ssl/authcert.c
new file mode 100644
index 000000000..bd473f11f
--- /dev/null
+++ b/security/nss/lib/ssl/authcert.c
@@ -0,0 +1,115 @@
+/*
+ * NSS utility functions
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include "prerror.h"
+#include "secitem.h"
+#include "prnetdb.h"
+#include "cert.h"
+#include "nspr.h"
+#include "secder.h"
+#include "key.h"
+#include "nss.h"
+#include "ssl.h"
+#include "pk11func.h"	/* for PK11_ function calls */
+
+/*
+ * This callback used by SSL to pull client sertificate upon
+ * server request
+ */
+SECStatus 
+NSS_GetClientAuthData(void *                       arg, 
+                      PRFileDesc *                 socket, 
+		      struct CERTDistNamesStr *    caNames, 
+		      struct CERTCertificateStr ** pRetCert, 
+		      struct SECKEYPrivateKeyStr **pRetKey)
+{
+  CERTCertificate *  cert = NULL;
+  SECKEYPrivateKey * privkey = NULL;
+  char *             chosenNickName = (char *)arg;    /* CONST */
+  void *             proto_win  = NULL;
+  SECStatus          rv         = SECFailure;
+  
+  proto_win = SSL_RevealPinArg(socket);
+  
+  if (chosenNickName) {
+    cert = PK11_FindCertFromNickname(chosenNickName, proto_win);
+    if ( cert ) {
+      privkey = PK11_FindKeyByAnyCert(cert, proto_win);
+      if ( privkey ) {
+	rv = SECSuccess;
+      } else {
+	CERT_DestroyCertificate(cert);
+      }
+    }
+  } else { /* no name given, automatically find the right cert. */
+    CERTCertNicknames * names;
+    int                 i;
+      
+    names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(),
+				  SEC_CERT_NICKNAMES_USER, proto_win);
+    if (names != NULL) {
+      for (i = 0; i < names->numnicknames; i++) {
+	cert = PK11_FindCertFromNickname(names->nicknames[i],proto_win);
+	if ( !cert )
+	  continue;
+	/* Only check unexpired certs */
+	if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) != 
+	    secCertTimeValid ) {
+	  CERT_DestroyCertificate(cert);
+	  continue;
+	}
+	rv = NSS_CmpCertChainWCANames(cert, caNames);
+	if ( rv == SECSuccess ) {
+	  privkey = PK11_FindKeyByAnyCert(cert, proto_win);
+	  if ( privkey )
+	    break;
+	}
+	rv = SECFailure;
+	CERT_DestroyCertificate(cert);
+      } 
+      CERT_FreeNicknames(names);
+    }
+  }
+  if (rv == SECSuccess) {
+    *pRetCert = cert;
+    *pRetKey  = privkey;
+  }
+  return rv;
+}
+
diff --git a/security/nss/lib/ssl/cmpcert.c b/security/nss/lib/ssl/cmpcert.c
new file mode 100644
index 000000000..5e557828e
--- /dev/null
+++ b/security/nss/lib/ssl/cmpcert.c
@@ -0,0 +1,117 @@
+/*
+ * NSS utility functions
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include "prerror.h"
+#include "secitem.h"
+#include "prnetdb.h"
+#include "cert.h"
+#include "nspr.h"
+#include "secder.h"
+#include "key.h"
+#include "nss.h"
+
+/*
+ * Look to see if any of the signers in the cert chain for "cert" are found
+ * in the list of caNames.  
+ * Returns SECSuccess if so, SECFailure if not.
+ */
+SECStatus
+NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames)
+{
+  SECItem *         caname;
+  CERTCertificate * curcert;
+  CERTCertificate * oldcert;
+  PRInt32           contentlen;
+  int               j;
+  int               headerlen;
+  int               depth;
+  SECStatus         rv;
+  SECItem           issuerName;
+  SECItem           compatIssuerName;
+  
+  depth=0;
+  curcert = CERT_DupCertificate(cert);
+  
+  while( curcert ) {
+    issuerName = curcert->derIssuer;
+    
+    /* compute an alternate issuer name for compatibility with 2.0
+     * enterprise server, which send the CA names without
+     * the outer layer of DER hearder
+     */
+    rv = DER_Lengths(&issuerName, &headerlen, (uint32 *)&contentlen);
+    if ( rv == SECSuccess ) {
+      compatIssuerName.data = &issuerName.data[headerlen];
+      compatIssuerName.len = issuerName.len - headerlen;
+    } else {
+      compatIssuerName.data = NULL;
+      compatIssuerName.len = 0;
+    }
+    
+    for (j = 0; j < caNames->nnames; j++) {
+      caname = &caNames->names[j];
+      if (SECITEM_CompareItem(&issuerName, caname) == SECEqual) {
+	rv = SECSuccess;
+	CERT_DestroyCertificate(curcert);
+	goto done;
+      } else if (SECITEM_CompareItem(&compatIssuerName, caname) == SECEqual) {
+	rv = SECSuccess;
+	CERT_DestroyCertificate(curcert);
+	goto done;
+      }
+    }
+    if ( ( depth <= 20 ) &&
+	 ( SECITEM_CompareItem(&curcert->derIssuer, &curcert->derSubject)
+	   != SECEqual ) ) {
+      oldcert = curcert;
+      curcert = CERT_FindCertByName(curcert->dbhandle,
+				    &curcert->derIssuer);
+      CERT_DestroyCertificate(oldcert);
+      depth++;
+    } else {
+      CERT_DestroyCertificate(curcert);
+      curcert = NULL;
+    }
+  }
+  rv = SECFailure;
+  
+done:
+  return rv;
+}
+
diff --git a/security/nss/lib/ssl/config.mk b/security/nss/lib/ssl/config.mk
new file mode 100644
index 000000000..e6f9123f6
--- /dev/null
+++ b/security/nss/lib/ssl/config.mk
@@ -0,0 +1,70 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+# don't want the 32 in the shared library name
+SHARED_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION).dll
+IMPORT_LIBRARY = $(OBJDIR)/$(LIBRARY_NAME)$(LIBRARY_VERSION).lib
+
+RES = $(OBJDIR)/ssl.res
+RESNAME = ssl.rc
+
+EXTRA_SHARED_LIBS += \
+	$(DIST)/lib/nss3.lib \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plc4.lib \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)plds4.lib \
+	$(DIST)/lib/$(NSPR31_LIB_PREFIX)nspr4.lib \
+	$(NULL)
+else
+
+
+# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
+# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
+EXTRA_SHARED_LIBS += \
+	-L$(DIST)/lib/ \
+	-lnss3 \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+
+ifeq ($(OS_ARCH), BeOS)
+EXTRA_SHARED_LIBS += -lbe
+endif
+
+ifeq ($(OS_ARCH), Darwin)
+EXTRA_SHARED_LIBS += -dylib_file @executable_path/libsoftokn3.dylib:$(DIST)/lib/libsoftokn3.dylib
+endif
+
+endif
diff --git a/security/nss/lib/ssl/emulate.c b/security/nss/lib/ssl/emulate.c
new file mode 100644
index 000000000..9d5734e5a
--- /dev/null
+++ b/security/nss/lib/ssl/emulate.c
@@ -0,0 +1,633 @@
+/*
+ * Functions that emulate PR_AcceptRead and PR_TransmitFile for SSL sockets.
+ * Each Layered NSPR protocol (like SSL) must unfortunately contain its 
+ * own implementation of these functions.  This code was taken from NSPR.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "nspr.h"
+
+#if defined( XP_UNIX ) || defined( XP_BEOS )
+#include <fcntl.h>
+#endif
+#if defined(WIN32)
+#include <windef.h>
+#include <winbase.h>
+#endif
+#include <string.h>
+
+#define AMASK 7	/* mask for alignment of PRNetAddr */
+
+/*
+ * _PR_EmulateAcceptRead
+ *
+ *  Accept an incoming connection on sd, set *nd to point to the
+ *  newly accepted socket, read 'amount' bytes from the accepted
+ *  socket.
+ *
+ *  buf is a buffer of length = amount + (2 * sizeof(PRNetAddr)) + 32
+ *  *raddr points to the PRNetAddr of the accepted connection upon
+ *  return
+ *
+ *  return number of bytes read or -1 on error
+ *
+ */
+PRInt32 
+ssl_EmulateAcceptRead(	PRFileDesc *   sd, 
+			PRFileDesc **  nd,
+			PRNetAddr **   raddr, 
+			void *         buf, 
+			PRInt32        amount, 
+			PRIntervalTime timeout)
+{
+    PRFileDesc *   newsockfd;
+    PRInt32        rv;
+    PRNetAddr      remote;
+
+    if (!(newsockfd = PR_Accept(sd, &remote, PR_INTERVAL_NO_TIMEOUT))) {
+	return -1;
+    }
+
+    rv = PR_Recv(newsockfd, buf, amount, 0, timeout);
+    if (rv >= 0) {
+	ptrdiff_t pNetAddr = (((ptrdiff_t)buf) + amount + AMASK) & ~AMASK;
+
+	*nd = newsockfd;
+	*raddr = (PRNetAddr *)pNetAddr;
+	memcpy((void *)pNetAddr, &remote, sizeof(PRNetAddr));
+	return rv;
+    }
+
+    PR_Close(newsockfd);
+    return -1;
+}
+
+
+#if !defined( XP_UNIX ) && !defined( WIN32 ) && !defined( XP_BEOS )
+/*
+ * _PR_EmulateTransmitFile
+ *
+ *  Send file fd across socket sd. If headers is non-NULL, 'hlen'
+ *  bytes of headers is sent before sending the file.
+ *
+ *  PR_TRANSMITFILE_CLOSE_SOCKET flag - close socket after sending file
+ *
+ *  return number of bytes sent or -1 on error
+ *
+ */
+#define _TRANSMITFILE_BUFSIZE	(16 * 1024)
+
+PRInt32 
+ssl_EmulateTransmitFile(    PRFileDesc *        sd, 
+			    PRFileDesc *        fd,
+			    const void *        headers, 
+			    PRInt32             hlen, 
+			    PRTransmitFileFlags flags,
+			    PRIntervalTime      timeout)
+{
+    char *  buf 	= NULL;
+    PRInt32 count 	= 0;
+    PRInt32 rlen;
+    PRInt32 rv;
+
+    buf = PR_MALLOC(_TRANSMITFILE_BUFSIZE);
+    if (buf == NULL) {
+	PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);
+	return -1;
+    }
+
+    /*
+     * send headers, first
+     */
+    while (hlen) {
+	rv =  PR_Send(sd, headers, hlen, 0, timeout);
+	if (rv < 0) {
+	    /* PR_Send() has invoked PR_SetError(). */
+	    rv = -1;
+	    goto done;
+	} 
+	count += rv;
+	headers = (const void*) ((const char*)headers + rv);
+	hlen -= rv;
+    }
+    /*
+     * send file, next
+     */
+    while ((rlen = PR_Read(fd, buf, _TRANSMITFILE_BUFSIZE)) > 0) {
+	while (rlen) {
+	    char *bufptr = buf;
+
+	    rv =  PR_Send(sd, bufptr, rlen,0,PR_INTERVAL_NO_TIMEOUT);
+	    if (rv < 0) {
+		/* PR_Send() has invoked PR_SetError(). */
+		rv = -1;
+		goto done;
+	    } 
+	    count += rv;
+	    bufptr = ((char*)bufptr + rv);
+	    rlen -= rv;
+	}
+    }
+    if (rlen == 0) {
+	/*
+	 * end-of-file
+	 */
+	if (flags & PR_TRANSMITFILE_CLOSE_SOCKET)
+	    PR_Close(sd);
+	rv = count;
+    } else {
+	PR_ASSERT(rlen < 0);
+	/* PR_Read() has invoked PR_SetError(). */
+	rv = -1;
+    }
+
+done:
+    if (buf)
+	PR_DELETE(buf);
+    return rv;
+}
+#else
+
+#define TRANSMITFILE_MMAP_CHUNK (256 * 1024)
+
+/*
+ * _PR_UnixTransmitFile
+ *
+ *  Send file fd across socket sd. If headers is non-NULL, 'hlen'
+ *  bytes of headers is sent before sending the file.
+ *
+ *  PR_TRANSMITFILE_CLOSE_SOCKET flag - close socket after sending file
+ *
+ *  return number of bytes sent or -1 on error
+ *
+ */
+
+PRInt32 
+ssl_EmulateTransmitFile(    PRFileDesc *        sd, 
+			    PRFileDesc *        fd,
+			    const void *        headers, 
+			    PRInt32             hlen, 
+			    PRTransmitFileFlags flags,
+			    PRIntervalTime      timeout)
+{
+    void *            addr = NULL;
+    PRFileMap *       mapHandle = NULL;
+    PRInt32           count     = 0;
+    PRInt32           index     = 0;
+    PRInt32           len	= 0;
+    PRInt32           rv;
+    struct PRFileInfo info;
+    struct PRIOVec    iov[2];
+
+    /* Get file size */
+    if (PR_SUCCESS != PR_GetOpenFileInfo(fd, &info)) {
+	count = -1;
+	goto done;
+    }
+    if (hlen) {
+	iov[index].iov_base = (char *) headers;
+	iov[index].iov_len  = hlen;
+	index++;
+    }
+    if (info.size > 0) {
+	mapHandle = PR_CreateFileMap(fd, info.size, PR_PROT_READONLY);
+	if (mapHandle == NULL) {
+	    count = -1;
+	    goto done;
+	}
+	/*
+	 * If the file is large, mmap and send the file in chunks so as
+	 * to not consume too much virtual address space
+	 */
+	len = PR_MIN(info.size , TRANSMITFILE_MMAP_CHUNK );
+	/*
+	 * Map in (part of) file. Take care of zero-length files.
+	 */
+	if (len) {
+	    addr = PR_MemMap(mapHandle, 0, len);
+	    if (addr == NULL) {
+		count = -1;
+		goto done;
+	    }
+	}
+	iov[index].iov_base = (char*)addr;
+	iov[index].iov_len = len;
+	index++;
+    }
+    if (!index)
+    	goto done;
+    rv = PR_Writev(sd, iov, index, timeout);
+    if (len) {
+	PR_MemUnmap(addr, len);
+    }
+    if (rv >= 0) {
+	PR_ASSERT(rv == hlen + len);
+	info.size -= len;
+	count     += rv;
+    } else {
+	count = -1;
+	goto done;
+    }
+    /*
+     * send remaining bytes of the file, if any
+     */
+    len = PR_MIN(info.size , TRANSMITFILE_MMAP_CHUNK );
+    while (len > 0) {
+	/*
+	 * Map in (part of) file
+	 */
+	PR_ASSERT((count - hlen) % TRANSMITFILE_MMAP_CHUNK == 0);
+	addr = PR_MemMap(mapHandle, count - hlen, len);
+	if (addr == NULL) {
+	    count = -1;
+	    goto done;
+	}
+	rv =  PR_Send(sd, addr, len, 0, timeout);
+	PR_MemUnmap(addr, len);
+	if (rv >= 0) {
+	    PR_ASSERT(rv == len);
+	    info.size -= rv;
+	    count     += rv;
+	    len = PR_MIN(info.size , TRANSMITFILE_MMAP_CHUNK );
+	} else {
+	    count = -1;
+	    goto done;
+	}
+    }
+done:
+    if ((count >= 0) && (flags & PR_TRANSMITFILE_CLOSE_SOCKET))
+	PR_Close(sd);
+    if (mapHandle != NULL)
+    	PR_CloseFileMap(mapHandle);
+    return count;
+}
+#endif  /* XP_UNIX || WIN32 || XP_BEOS */
+
+
+
+
+#if !defined( XP_UNIX ) && !defined( WIN32 ) && !defined( XP_BEOS )
+/*
+ * _PR_EmulateSendFile
+ *
+ *  Send file sfd->fd across socket sd. The header and trailer buffers
+ *  specified in the 'sfd' argument are sent before and after the file,
+ *  respectively.
+ *
+ *  PR_TRANSMITFILE_CLOSE_SOCKET flag - close socket after sending file
+ *
+ *  return number of bytes sent or -1 on error
+ *
+ */
+
+PRInt32 
+ssl_EmulateSendFile(PRFileDesc *sd, PRSendFileData *sfd,
+                    PRTransmitFileFlags flags, PRIntervalTime timeout)
+{
+    char *       buf = NULL;
+    const void * buffer;
+    PRInt32      rv;
+    PRInt32      count = 0;
+    PRInt32      rlen;
+    PRInt32      buflen;
+    PRInt32      sendbytes;
+    PRInt32      readbytes;
+
+#define _SENDFILE_BUFSIZE   (16 * 1024)
+
+    buf = (char*)PR_MALLOC(_SENDFILE_BUFSIZE);
+    if (buf == NULL) {
+        PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);
+        return -1;
+    }
+
+    /*
+     * send header, first
+     */
+    buflen = sfd->hlen;
+    buffer = sfd->header;
+    while (buflen) {
+        rv =  PR_Send(sd, buffer, buflen, 0, timeout);
+        if (rv < 0) {
+            /* PR_Send() has invoked PR_SetError(). */
+            rv = -1;
+            goto done;
+        } else {
+            count += rv;
+            buffer = (const void*) ((const char*)buffer + rv);
+            buflen -= rv;
+        }
+    }
+    /*
+     * send file, next
+     */
+
+    if (PR_Seek(sfd->fd, sfd->file_offset, PR_SEEK_SET) < 0) {
+        rv = -1;
+        goto done;
+    }
+    sendbytes = sfd->file_nbytes;
+    if (sendbytes == 0) {
+        /* send entire file */
+        while ((rlen = PR_Read(sfd->fd, buf, _SENDFILE_BUFSIZE)) > 0) {
+            while (rlen) {
+                char *bufptr = buf;
+
+                rv =  PR_Send(sd, bufptr, rlen, 0, timeout);
+                if (rv < 0) {
+                    /* PR_Send() has invoked PR_SetError(). */
+                    rv = -1;
+                    goto done;
+                } else {
+                    count += rv;
+                    bufptr = ((char*)bufptr + rv);
+                    rlen -= rv;
+                }
+            }
+        }
+        if (rlen < 0) {
+            /* PR_Read() has invoked PR_SetError(). */
+            rv = -1;
+            goto done;
+        }
+    } else {
+        readbytes = PR_MIN(sendbytes, _SENDFILE_BUFSIZE);
+        while (readbytes && ((rlen = PR_Read(sfd->fd, buf, readbytes)) > 0)) {
+            while (rlen) {
+                char *bufptr = buf;
+
+                rv =  PR_Send(sd, bufptr, rlen, 0, timeout);
+                if (rv < 0) {
+                    /* PR_Send() has invoked PR_SetError(). */
+                    rv = -1;
+                    goto done;
+                } else {
+                    count += rv;
+                    sendbytes -= rv;
+                    bufptr = ((char*)bufptr + rv);
+                    rlen -= rv;
+                }
+            }
+	    readbytes = PR_MIN(sendbytes, _SENDFILE_BUFSIZE);
+        }
+        if (rlen < 0) {
+            /* PR_Read() has invoked PR_SetError(). */
+            rv = -1;
+            goto done;
+        } else if (sendbytes != 0) {
+            /*
+             * there are fewer bytes in file to send than specified
+             */
+	    PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
+            rv = -1;
+            goto done;
+        }
+    }
+    /*
+     * send trailer, last
+     */
+    buflen = sfd->tlen;
+    buffer = sfd->trailer;
+    while (buflen) {
+        rv =  PR_Send(sd, buffer, buflen, 0, timeout);
+        if (rv < 0) {
+            /* PR_Send() has invoked PR_SetError(). */
+            rv = -1;
+            goto done;
+        } else {
+            count += rv;
+            buffer = (const void*) ((const char*)buffer + rv);
+            buflen -= rv;
+        }
+    }
+    rv = count;
+
+done:
+    if (buf)
+        PR_DELETE(buf);
+    if ((rv >= 0) && (flags & PR_TRANSMITFILE_CLOSE_SOCKET))
+	PR_Close(sd);
+    return rv;
+}
+
+#else /* UNIX, NT, and BEOS handled below */
+
+/*
+ * _PR_UnixSendFile
+ *
+ *    Send file sfd->fd across socket sd. If header/trailer are specified
+ *    they are sent before and after the file, respectively.
+ *
+ *    PR_TRANSMITFILE_CLOSE_SOCKET flag - close socket after sending file
+ *
+ *    return number of bytes sent or -1 on error
+ *
+ */
+#define SENDFILE_MMAP_CHUNK    (256 * 1024)
+
+PRInt32 
+ssl_EmulateSendFile(PRFileDesc *sd, PRSendFileData *sfd,
+                    PRTransmitFileFlags flags, PRIntervalTime timeout)
+{
+    void *            addr = NULL;
+    PRFileMap *       mapHandle  	= NULL;
+    PRInt32           count 		= 0;
+    PRInt32           file_bytes;
+    PRInt32           index 		= 0;
+    PRInt32           len;
+    PRInt32           rv;
+    PRUint32          addr_offset;
+    PRUint32          file_mmap_offset;
+    PRUint32          mmap_len;
+    PRUint32          pagesize;
+    struct PRFileInfo info;
+    struct PRIOVec    iov[3];
+
+    /* Get file size */
+    if (PR_SUCCESS != PR_GetOpenFileInfo(sfd->fd, &info)) {
+	count = -1;
+	goto done;
+    }
+    if (sfd->file_nbytes && 
+		(info.size < (sfd->file_offset + sfd->file_nbytes))) {
+        /*
+         * there are fewer bytes in file to send than specified
+         */
+	PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
+        count = -1;
+        goto done;
+    }
+    if (sfd->file_nbytes)
+        file_bytes = sfd->file_nbytes;
+    else
+        file_bytes = info.size - sfd->file_offset;
+
+#if defined(WIN32)
+    {
+        SYSTEM_INFO sysinfo;
+        GetSystemInfo(&sysinfo);
+        pagesize = sysinfo.dwAllocationGranularity;
+    }
+#else
+    pagesize = PR_GetPageSize();
+#endif
+    /*
+     * If the file is large, mmap and send the file in chunks so as
+     * to not consume too much virtual address space
+     */
+    if (!sfd->file_offset || !(sfd->file_offset & (pagesize - 1))) {
+        /*
+         * case 1: page-aligned file offset
+         */
+        mmap_len = PR_MIN(file_bytes, SENDFILE_MMAP_CHUNK);
+        len      = mmap_len;
+        file_mmap_offset = sfd->file_offset;
+        addr_offset = 0;
+    } else {
+        /*
+         * case 2: non page-aligned file offset
+         */
+        /* find previous page boundary */
+        file_mmap_offset = (sfd->file_offset & ~(pagesize - 1));
+
+        /* number of initial bytes to skip in mmap'd segment */
+        addr_offset = sfd->file_offset - file_mmap_offset;
+        PR_ASSERT(addr_offset > 0);
+        mmap_len = PR_MIN(file_bytes + addr_offset, SENDFILE_MMAP_CHUNK);
+        len      = mmap_len - addr_offset;
+    }
+    /*
+     * OK I've convinced myself that length has to be possitive (file_bytes is 
+     * negative or  SENDFILE_MMAP_CHUNK is less than pagesize). Just assert 
+     * that this is the case so we catch problems in debug builds.
+     */
+    PR_ASSERT(len >= 0);
+
+    /*
+     * Map in (part of) file. Take care of zero-length files.
+     */
+    if (len > 0) {
+	mapHandle = PR_CreateFileMap(sfd->fd, info.size, PR_PROT_READONLY);
+	if (!mapHandle) {
+	    count = -1;
+	    goto done;
+	}
+	addr = PR_MemMap(mapHandle, file_mmap_offset, mmap_len);
+        if (!addr) {
+            count = -1;
+            goto done;
+        }
+    }
+    /*
+     * send headers, first, followed by the file
+     */
+    if (sfd->hlen) {
+        iov[index].iov_base = (char *) sfd->header;
+        iov[index].iov_len  = sfd->hlen;
+        index++;
+    }
+    if (len) {
+        iov[index].iov_base = (char*)addr + addr_offset;
+        iov[index].iov_len  = len;
+        index++;
+    }
+    if ((file_bytes == len) && (sfd->tlen)) {
+        /*
+         * all file data is mapped in; send the trailer too
+         */
+        iov[index].iov_base = (char *) sfd->trailer;
+        iov[index].iov_len  = sfd->tlen;
+        index++;
+    }
+    rv = PR_Writev(sd, iov, index, timeout);
+    if (len)
+        PR_MemUnmap(addr, mmap_len);
+    if (rv < 0) {
+        count = -1;
+        goto done;
+    }
+
+    PR_ASSERT(rv == sfd->hlen + len + ((len == file_bytes) ? sfd->tlen : 0));
+
+    file_bytes -= len;
+    count      += rv;
+    if (!file_bytes)    /* header, file and trailer are sent */
+	goto done;
+
+    /*
+     * send remaining bytes of the file, if any
+     */
+    len = PR_MIN(file_bytes, SENDFILE_MMAP_CHUNK);
+    while (len > 0) {
+	/*
+	 * Map in (part of) file
+	 */
+	file_mmap_offset = sfd->file_offset + count - sfd->hlen;
+	PR_ASSERT((file_mmap_offset % pagesize) == 0);
+
+	addr = PR_MemMap(mapHandle, file_mmap_offset, len);
+        if (!addr) {
+            count = -1;
+            goto done;
+        }
+	rv = PR_Send(sd, addr, len, 0, timeout);
+	PR_MemUnmap(addr, len);
+	if (rv < 0) {
+	    count = -1;
+	    goto done;
+	}
+
+	PR_ASSERT(rv == len);
+	file_bytes -= rv;
+	count      += rv;
+	len = PR_MIN(file_bytes, SENDFILE_MMAP_CHUNK);
+    }
+    PR_ASSERT(0 == file_bytes);
+    if (sfd->tlen) {
+        rv =  PR_Send(sd, sfd->trailer, sfd->tlen, 0, timeout);
+        if (rv >= 0) {
+            PR_ASSERT(rv == sfd->tlen);
+            count += rv;
+        } else
+            count = -1;
+    }
+done:
+    if (mapHandle)
+    	PR_CloseFileMap(mapHandle);
+    if ((count >= 0) && (flags & PR_TRANSMITFILE_CLOSE_SOCKET))
+	PR_Close(sd);
+    return count;
+}
+#endif /* UNIX, NT, and BEOS */
diff --git a/security/nss/lib/ssl/manifest.mn b/security/nss/lib/ssl/manifest.mn
new file mode 100644
index 000000000..066c5620c
--- /dev/null
+++ b/security/nss/lib/ssl/manifest.mn
@@ -0,0 +1,83 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CORE_DEPTH = ../../..
+
+# DEFINES = -DTRACE
+
+
+PRIVATE_EXPORTS = \
+	ssl3prot.h \
+	sslimpl.h \
+	$(NULL)
+
+EXPORTS = \
+	ssl.h \
+	sslt.h \
+	sslerr.h \
+	sslproto.h \
+	preenc.h \
+	$(NULL)
+
+MODULE = security
+MAPFILE = $(OBJDIR)/ssl.def
+
+CSRCS = \
+	emulate.c \
+	prelib.c \
+	ssl3con.c \
+	ssl3gthr.c \
+	sslauth.c \
+	sslcon.c \
+	ssldef.c \
+	sslenum.c \
+	sslerr.c \
+	sslgathr.c \
+	sslmutex.c \
+	sslnonce.c \
+	sslreveal.c \
+	sslsecur.c \
+	sslsnce.c \
+	sslsock.c \
+	ssltrace.c \
+	sslver.c \
+	authcert.c \
+	cmpcert.c \
+	nsskea.c \
+	sslinfo.c \
+	$(NULL)
+
+
+REQUIRES = security dbm
+
+LIBRARY_NAME = ssl
+LIBRARY_VERSION = 3
diff --git a/security/nss/lib/ssl/notes.txt b/security/nss/lib/ssl/notes.txt
new file mode 100644
index 000000000..a36f242ee
--- /dev/null
+++ b/security/nss/lib/ssl/notes.txt
@@ -0,0 +1,161 @@
+The contents of this file are subject to the Mozilla Public
+License Version 1.1 (the "License"); you may not use this file
+except in compliance with the License. You may obtain a copy of
+the License at http://www.mozilla.org/MPL/
+
+Software distributed under the License is distributed on an "AS
+IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+implied. See the License for the specific language governing
+rights and limitations under the License.
+
+The Original Code is the Netscape security libraries.
+
+The Initial Developer of the Original Code is Netscape
+Communications Corporation.  Portions created by Netscape are 
+Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+Rights Reserved.
+
+Contributor(s):
+
+Alternatively, the contents of this file may be used under the
+terms of the GNU General Public License Version 2 or later (the
+"GPL"), in which case the provisions of the GPL are applicable 
+instead of those above.  If you wish to allow use of your 
+version of this file only under the terms of the GPL and not to
+allow others to use your version of this file under the MPL,
+indicate your decision by deleting the provisions above and
+replace them with the notice and other provisions required by
+the GPL.  If you do not delete the provisions above, a recipient
+may use your version of this file under either the MPL or the
+GPL.
+
+SSL's Buffers: enumerated and explained.
+
+---------------------------------------------------------------------------
+incoming:
+
+gs = ss->gather
+hs = ss->ssl3->hs
+
+gs->inbuf	SSL3 only: incoming (encrypted) ssl records are placed here,
+		and then decrypted (or copied) to gs->buf.
+
+gs->buf		SSL2: incoming SSL records are put here, and then decrypted
+		in place.
+		SSL3: ssl3_HandleHandshake puts decrypted ssl records here.
+
+hs.msg_body	(SSL3 only) When an incoming handshake message spans more 
+		than one ssl record, the first part(s) of it are accumulated 
+		here until it all arrives.
+
+hs.msgState	(SSL3 only) an alternative set of pointers/lengths for gs->buf.
+		Used only when a handleHandshake function returns SECWouldBlock.
+		ssl3_HandleHandshake remembers how far it previously got by
+		using these pointers instead of gs->buf when it is called 
+		after a previous SECWouldBlock return.
+
+---------------------------------------------------------------------------
+outgoing:
+
+sec = ss->sec
+ci  = ss->sec->ci	/* connect info */
+
+ci->sendBuf	Outgoing handshake messages are appended to this buffer.
+		This buffer will then be sent as a single SSL record.
+
+sec->writeBuf	outgoing ssl records are constructed here and encrypted in 
+		place before being written or copied to pendingBuf.
+
+ss->pendingBuf	contains outgoing ciphertext that was saved after a write
+		attempt to the socket failed, e.g. EWouldBlock. 
+		Generally empty with blocking sockets (should be no incomplete
+		writes).
+
+ss->saveBuf	Used only by socks code.  Intended to be used to buffer 
+		outgoing data until a socks handshake completes.  However,
+		this buffer is always empty.  There is no code to put 
+		anything into it.
+
+---------------------------------------------------------------------------
+
+SECWouldBlock means that the function cannot make progress because it is 
+waiting for some event OTHER THAN socket I/O completion (e.g. waiting for 
+user dialog to finish).  It is not the same as EWOULDBLOCK.
+
+---------------------------------------------------------------------------
+
+Rank (order) of locks
+
+[ReadLock ->]\ [firstHandshake ->] [ssl3Handshake ->] recvbuf \ -> "spec"
+[WriteLock->]/                                        xmitbuf /
+
+crypto and hash Data that must be protected while turning plaintext into
+ciphertext:
+
+SSL2: 	(in ssl2_Send*)
+	sec->hash*
+	sec->hashcx 	(ptr and data)
+	sec->enc
+	sec->writecx*	(ptr and content)
+	sec->sendSecret*(ptr and content)
+	sec->sendSequence		locked by xmitBufLock
+	sec->blockSize
+	sec->writeBuf*  (ptr & content)	locked by xmitBufLock
+	"in"				locked by xmitBufLock
+
+SSl3:	(in ssl3_SendPlainText)
+	ss->ssl3		    (the pointer)
+	ss->ssl3->current_write*    (the pointer and the data in the spec
+				     and any data referenced by the spec.
+
+	ss->sec->isServer
+	ss->sec->writebuf* (ptr & content) locked by xmitBufLock
+	"buf" 				   locked by xmitBufLock
+
+crypto and hash data that must be protected while turning ciphertext into 
+plaintext:
+
+SSL2:	(in ssl2_GatherData)
+	gs->*				(locked by recvBufLock )
+	sec->dec
+	sec->readcx
+	sec->hash* 		(ptr and data)
+	sec->hashcx 		(ptr and data)
+
+SSL3:	(in ssl3_HandleRecord )
+	ssl3->current_read*	(the pointer and all data refernced)
+	ss->sec->isServer
+
+
+Data that must be protected while being used by a "writer":
+
+ss->pendingBuf.*
+ss->saveBuf.*		(which is dead)
+
+in ssl3_sendPlainText
+
+ss->ssl3->current_write-> (spec)
+ss->sec->writeBuf.*
+ss->sec->isServer 
+
+in SendBlock
+
+ss->sec->hash->length
+ss->sec->blockSize
+ss->sec->writeBuf.*
+ss->sec->sendSecret
+ss->sec->sendSequence
+ss->sec->writecx	*
+ss->pendingBuf
+
+--------------------------------------------------------------------------
+
+Data variables (not const) protected by the "sslGlobalDataLock".  
+Note, this really should be a reader/writer lock.
+
+allowedByPolicy		sslcon.c
+maybeAllowedByPolicy	sslcon.c
+chosenPreference	sslcon.c
+policyWasSet		sslcon.c
+
+cipherSuites[] 		ssl3con.c
diff --git a/security/nss/lib/ssl/nsskea.c b/security/nss/lib/ssl/nsskea.c
new file mode 100644
index 000000000..ec7be1735
--- /dev/null
+++ b/security/nss/lib/ssl/nsskea.c
@@ -0,0 +1,75 @@
+/*
+ * Return SSLKEAType derived from cert's Public Key algorithm info.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ # $Id$
+ */
+
+#include "cert.h"
+#include "ssl.h"	/* for SSLKEAType */
+#include "secoid.h"
+
+SSLKEAType
+NSS_FindCertKEAType(CERTCertificate * cert)
+{
+  SSLKEAType keaType = kt_null; 
+  int tag;
+  
+  if (!cert) goto loser;
+  
+  tag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
+  
+  switch (tag) {
+  case SEC_OID_X500_RSA_ENCRYPTION:
+  case SEC_OID_PKCS1_RSA_ENCRYPTION:
+    keaType = kt_rsa;
+    break;
+  case SEC_OID_MISSI_KEA_DSS_OLD:
+  case SEC_OID_MISSI_KEA_DSS:
+  case SEC_OID_MISSI_DSS_OLD:
+  case SEC_OID_MISSI_DSS:
+    keaType = kt_fortezza;
+    break;
+  case SEC_OID_X942_DIFFIE_HELMAN_KEY:
+    keaType = kt_dh;
+    break;
+  default:
+    keaType = kt_null;
+  }
+  
+ loser:
+  
+  return keaType;
+
+}
+
diff --git a/security/nss/lib/ssl/os2_err.c b/security/nss/lib/ssl/os2_err.c
new file mode 100644
index 000000000..77d49df2f
--- /dev/null
+++ b/security/nss/lib/ssl/os2_err.c
@@ -0,0 +1,310 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * This file essentially replicates NSPR's source for the functions that
+ * map system-specific error codes to NSPR error codes.  We would use 
+ * NSPR's functions, instead of duplicating them, but they're private.
+ * As long as SSL's server session cache code must do platform native I/O
+ * to accomplish its job, and NSPR's error mapping functions remain private,
+ * this code will continue to need to be replicated.
+ * 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "prerror.h"
+#include "prlog.h"
+#include <errno.h>
+
+
+/*
+ * Based on win32err.c
+ * OS2TODO Stub everything for now to build. HCT
+ */
+
+/* forward declaration. */
+void nss_MD_os2_map_default_error(PRInt32 err);
+
+void nss_MD_os2_map_opendir_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_closedir_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_readdir_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_delete_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+/* The error code for stat() is in errno. */
+void nss_MD_os2_map_stat_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_fstat_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_rename_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+/* The error code for access() is in errno. */
+void nss_MD_os2_map_access_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_mkdir_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_rmdir_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_read_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_transmitfile_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_write_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_lseek_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_fsync_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+/*
+ * For both CloseHandle() and closesocket().
+ */
+void nss_MD_os2_map_close_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_socket_error(PRInt32 err)
+{
+//  PR_ASSERT(err != WSANOTINITIALISED);
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_recv_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_recvfrom_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_send_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+//     case WSAEMSGSIZE: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
+    default:		nss_MD_os2_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_os2_map_sendto_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+//    case WSAEMSGSIZE: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
+    default:		nss_MD_os2_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_os2_map_accept_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+//    case WSAEOPNOTSUPP: prError = PR_NOT_TCP_SOCKET_ERROR; break;
+//    case WSAEINVAL: 	prError = PR_INVALID_STATE_ERROR; break;
+    default:		nss_MD_os2_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_os2_map_acceptex_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_connect_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+//    case WSAEWOULDBLOCK: prError = PR_IN_PROGRESS_ERROR; break;
+//    case WSAEINVAL: 	prError = PR_ALREADY_INITIATED_ERROR; break;
+//    case WSAETIMEDOUT: 	prError = PR_IO_TIMEOUT_ERROR; break;
+    default:		nss_MD_os2_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_os2_map_bind_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+//  case WSAEINVAL: 	prError = PR_SOCKET_ADDRESS_IS_BOUND_ERROR; break;
+    default:		nss_MD_os2_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_os2_map_listen_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+//    case WSAEOPNOTSUPP: prError = PR_NOT_TCP_SOCKET_ERROR; break;
+//    case WSAEINVAL: 	prError = PR_INVALID_STATE_ERROR; break;
+    default:		nss_MD_os2_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_os2_map_shutdown_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_getsockname_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+//    case WSAEINVAL: 	prError = PR_INVALID_STATE_ERROR; break;
+    default:		nss_MD_os2_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_os2_map_getpeername_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_getsockopt_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_setsockopt_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_open_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+void nss_MD_os2_map_gethostname_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+/* Win32 select() only works on sockets.  So in this
+** context, WSAENOTSOCK is equivalent to EBADF on Unix.  
+*/
+void nss_MD_os2_map_select_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+//    case WSAENOTSOCK:	prError = PR_BAD_DESCRIPTOR_ERROR; break;
+    default:		nss_MD_os2_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_os2_map_lockf_error(PRInt32 err)
+{
+    nss_MD_os2_map_default_error(err);
+}
+
+
+
+void nss_MD_os2_map_default_error(PRInt32 err)
+{
+    PRErrorCode prError;
+
+    switch (err) {
+//    case ENOENT: 		prError = PR_FILE_NOT_FOUND_ERROR; break;
+//    case ERROR_ACCESS_DENIED: 	prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
+//    case ERROR_ALREADY_EXISTS: 	prError = PR_FILE_EXISTS_ERROR; break;
+//    case ERROR_DISK_CORRUPT: 	prError = PR_IO_ERROR; break;
+//    case ERROR_DISK_FULL: 	prError = PR_NO_DEVICE_SPACE_ERROR; break;
+//    case ERROR_DISK_OPERATION_FAILED: prError = PR_IO_ERROR; break;
+//    case ERROR_DRIVE_LOCKED: 	prError = PR_FILE_IS_LOCKED_ERROR; break;
+//    case ERROR_FILENAME_EXCED_RANGE: prError = PR_NAME_TOO_LONG_ERROR; break;
+//    case ERROR_FILE_CORRUPT: 	prError = PR_IO_ERROR; break;
+//    case ERROR_FILE_EXISTS: 	prError = PR_FILE_EXISTS_ERROR; break;
+//    case ERROR_FILE_INVALID: 	prError = PR_BAD_DESCRIPTOR_ERROR; break;
+#if ERROR_FILE_NOT_FOUND != ENOENT
+//    case ERROR_FILE_NOT_FOUND: 	prError = PR_FILE_NOT_FOUND_ERROR; break;
+#endif
+    default: 			prError = PR_UNKNOWN_ERROR; break;
+    }
+    PR_SetError(prError, err);
+}
+
diff --git a/security/nss/lib/ssl/os2_err.h b/security/nss/lib/ssl/os2_err.h
new file mode 100644
index 000000000..7f80c0177
--- /dev/null
+++ b/security/nss/lib/ssl/os2_err.h
@@ -0,0 +1,83 @@
+/*
+ * This file essentially replicates NSPR's source for the functions that
+ * map system-specific error codes to NSPR error codes.  We would use 
+ * NSPR's functions, instead of duplicating them, but they're private.
+ * As long as SSL's server session cache code must do platform native I/O
+ * to accomplish its job, and NSPR's error mapping functions remain private,
+ * This code will continue to need to be replicated.
+ * 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+/*  NSPR doesn't make these functions public, so we have to duplicate
+**  them in NSS.
+*/
+
+//HCT  Based on Win32err.h
+extern void nss_MD_os2_map_accept_error(PRInt32 err);
+extern void nss_MD_os2_map_acceptex_error(PRInt32 err);
+extern void nss_MD_os2_map_access_error(PRInt32 err);
+extern void nss_MD_os2_map_bind_error(PRInt32 err);
+extern void nss_MD_os2_map_close_error(PRInt32 err);
+extern void nss_MD_os2_map_closedir_error(PRInt32 err);
+extern void nss_MD_os2_map_connect_error(PRInt32 err);
+extern void nss_MD_os2_map_default_error(PRInt32 err);
+extern void nss_MD_os2_map_delete_error(PRInt32 err);
+extern void nss_MD_os2_map_fstat_error(PRInt32 err);
+extern void nss_MD_os2_map_fsync_error(PRInt32 err);
+extern void nss_MD_os2_map_gethostname_error(PRInt32 err);
+extern void nss_MD_os2_map_getpeername_error(PRInt32 err);
+extern void nss_MD_os2_map_getsockname_error(PRInt32 err);
+extern void nss_MD_os2_map_getsockopt_error(PRInt32 err);
+extern void nss_MD_os2_map_listen_error(PRInt32 err);
+extern void nss_MD_os2_map_lockf_error(PRInt32 err);
+extern void nss_MD_os2_map_lseek_error(PRInt32 err);
+extern void nss_MD_os2_map_mkdir_error(PRInt32 err);
+extern void nss_MD_os2_map_open_error(PRInt32 err);
+extern void nss_MD_os2_map_opendir_error(PRInt32 err);
+extern void nss_MD_os2_map_read_error(PRInt32 err);
+extern void nss_MD_os2_map_readdir_error(PRInt32 err);
+extern void nss_MD_os2_map_recv_error(PRInt32 err);
+extern void nss_MD_os2_map_recvfrom_error(PRInt32 err);
+extern void nss_MD_os2_map_rename_error(PRInt32 err);
+extern void nss_MD_os2_map_rmdir_error(PRInt32 err);
+extern void nss_MD_os2_map_select_error(PRInt32 err);
+extern void nss_MD_os2_map_send_error(PRInt32 err);
+extern void nss_MD_os2_map_sendto_error(PRInt32 err);
+extern void nss_MD_os2_map_setsockopt_error(PRInt32 err);
+extern void nss_MD_os2_map_shutdown_error(PRInt32 err);
+extern void nss_MD_os2_map_socket_error(PRInt32 err);
+extern void nss_MD_os2_map_stat_error(PRInt32 err);
+extern void nss_MD_os2_map_transmitfile_error(PRInt32 err);
+extern void nss_MD_os2_map_write_error(PRInt32 err);
diff --git a/security/nss/lib/ssl/preenc.h b/security/nss/lib/ssl/preenc.h
new file mode 100644
index 000000000..3dfbe1e92
--- /dev/null
+++ b/security/nss/lib/ssl/preenc.h
@@ -0,0 +1,161 @@
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil -*- */
+
+/*
+ * Functions and types used by https servers to send (download) pre-encrypted 
+ * files over SSL connections that use Fortezza ciphersuites.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "seccomon.h"
+#include "prio.h"
+
+typedef struct PEHeaderStr PEHeader;
+
+#define PE_MIME_TYPE "application/pre-encrypted"
+
+
+/*
+ * unencrypted header. The 'top' half of this header is generic. The union
+ * is type specific, and may include bulk cipher type information
+ * (Fortezza supports only Fortezza Bulk encryption). Only fortezza 
+ * pre-encrypted is defined.
+ */
+typedef struct PEFortezzaHeaderStr PEFortezzaHeader;
+typedef struct PEFortezzaGeneratedHeaderStr PEFortezzaGeneratedHeader;
+typedef struct PEFixedKeyHeaderStr PEFixedKeyHeader;
+typedef struct PERSAKeyHeaderStr PERSAKeyHeader;
+
+struct PEFortezzaHeaderStr {
+    unsigned char key[12];      /* Ks wrapped MEK */
+    unsigned char iv[24];       /* iv for this MEK */
+    unsigned char hash[20];     /* SHA hash of file */
+    unsigned char serial[8];    /* serial number of the card that owns
+                                     * Ks */
+};
+
+struct PEFortezzaGeneratedHeaderStr {
+    unsigned char key[12];      /* TEK wrapped MEK */
+    unsigned char iv[24];       /* iv for this MEK */
+    unsigned char hash[20];     /* SHA hash of file */
+    unsigned char Ra[128];      /* RA to generate TEK */
+    unsigned char Y[128];       /* Y to generate TEK */
+};
+
+struct PEFixedKeyHeaderStr {
+    unsigned char pkcs11Mech[4];  /* Symetric key operation */
+    unsigned char labelLen[2];	  /* length of the token label */
+    unsigned char keyIDLen[2];	  /* length of the token Key ID */
+    unsigned char ivLen[2];	  /* length of IV */
+    unsigned char keyLen[2];	  /* length of key (DES3_ECB encrypted) */
+    unsigned char data[1];	  /* start of data */
+};
+
+struct PERSAKeyHeaderStr {
+    unsigned char pkcs11Mech[4];  /* Symetric key operation */
+    unsigned char issuerLen[2];	  /* length of cert issuer */
+    unsigned char serialLen[2];	  /* length of the cert serial */
+    unsigned char ivLen[2];	  /* length of IV */
+    unsigned char keyLen[2];	  /* length of key (RSA encrypted) */
+    unsigned char data[1];	  /* start of data */
+};
+
+/* macros to get at the variable length data fields */
+#define PEFIXED_Label(header) (header->data)
+#define PEFIXED_KeyID(header) (&header->data[GetInt2(header->labelLen)])
+#define PEFIXED_IV(header) (&header->data[GetInt2(header->labelLen)\
+						+GetInt2(header->keyIDLen)])
+#define PEFIXED_Key(header) (&header->data[GetInt2(header->labelLen)\
+			+GetInt2(header->keyIDLen)+GetInt2(header->keyLen)])
+#define PERSA_Issuer(header) (header->data)
+#define PERSA_Serial(header) (&header->data[GetInt2(header->issuerLen)])
+#define PERSA_IV(header) (&header->data[GetInt2(header->issuerLen)\
+						+GetInt2(header->serialLen)])
+#define PERSA_Key(header) (&header->data[GetInt2(header->issuerLen)\
+			+GetInt2(header->serialLen)+GetInt2(header->keyLen)])
+struct PEHeaderStr {
+    unsigned char magic  [2];		/* always 0xC0DE */
+    unsigned char len    [2];		/* length of PEHeader */
+    unsigned char type   [2];		/* FORTEZZA, DIFFIE-HELMAN, RSA */
+    unsigned char version[2];		/* version number: 1.0 */
+    union {
+        PEFortezzaHeader          fortezza;
+        PEFortezzaGeneratedHeader g_fortezza;
+	PEFixedKeyHeader          fixed;
+	PERSAKeyHeader            rsa;
+    } u;
+};
+
+#define PE_CRYPT_INTRO_LEN 8
+#define PE_INTRO_LEN 4
+#define PE_BASE_HEADER_LEN  8
+
+#define PRE_BLOCK_SIZE 8         /* for decryption blocks */
+
+
+/*
+ * Platform neutral encode/decode macros.
+ */
+#define GetInt2(c) ((c[0] << 8) | c[1])
+#define GetInt4(c) (((unsigned long)c[0] << 24)|((unsigned long)c[1] << 16)\
+			|((unsigned long)c[2] << 8)| ((unsigned long)c[3]))
+#define PutInt2(c,i) ((c[1] = (i) & 0xff), (c[0] = ((i) >> 8) & 0xff))
+#define PutInt4(c,i) ((c[0]=((i) >> 24) & 0xff),(c[1]=((i) >> 16) & 0xff),\
+			(c[2] = ((i) >> 8) & 0xff), (c[3] = (i) & 0xff))
+
+/*
+ * magic numbers.
+ */
+#define PRE_MAGIC		0xc0de
+#define PRE_VERSION		0x1010
+#define PRE_FORTEZZA_FILE	0x00ff  /* pre-encrypted file on disk */
+#define PRE_FORTEZZA_STREAM	0x00f5  /* pre-encrypted file in stream */
+#define PRE_FORTEZZA_GEN_STREAM	0x00f6  /* Generated pre-encrypted file */
+#define PRE_FIXED_FILE		0x000f  /* fixed key on disk */
+#define PRE_RSA_FILE		0x001f  /* RSA in file */
+#define PRE_FIXED_STREAM	0x0005  /* fixed key in stream */
+
+/*
+ * internal implementation info
+ */
+
+
+/* convert an existing stream header to a version with local parameters */
+PEHeader *SSL_PreencryptedStreamToFile(PRFileDesc *fd, PEHeader *,
+				       int *headerSize);
+
+/* convert an existing file header to one suitable for streaming out */
+PEHeader *SSL_PreencryptedFileToStream(PRFileDesc *fd, PEHeader *,
+				       int *headerSize);
+
diff --git a/security/nss/lib/ssl/prelib.c b/security/nss/lib/ssl/prelib.c
new file mode 100644
index 000000000..1c7351a39
--- /dev/null
+++ b/security/nss/lib/ssl/prelib.c
@@ -0,0 +1,251 @@
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil -*- */
+
+/*
+ * Functions used by https servers to send (download) pre-encrypted files
+ * over SSL connections that use Fortezza ciphersuites.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "cert.h"
+#include "ssl.h"
+#include "keyhi.h"
+#include "secitem.h"
+#include "sslimpl.h"
+#include "pkcs11t.h"
+#include "preenc.h"
+#include "pk11func.h"
+
+static unsigned char fromHex(char x) {
+    if ((x >= '0') && (x <= '9')) return x-'0';
+    if ((x >= 'a') && (x <= 'f')) return x-'a'+10;
+    return x-'A'+10;
+}
+
+PEHeader *SSL_PreencryptedStreamToFile(PRFileDesc *fd, PEHeader *inHeader, 
+								int *headerSize)
+{
+    PK11SymKey *key, *tek, *Ks;
+    sslSocket *ss;
+    PK11SlotInfo *slot;
+    CK_TOKEN_INFO info;
+    int oldHeaderSize;
+    PEHeader *header;
+    SECStatus rv;
+    SECItem item;
+    int i;
+    
+    if (fd == NULL) {
+        /* XXX set an error */
+        return NULL;
+    }
+    
+    ss = ssl_FindSocket(fd);
+    if (ss == NULL) {
+        return NULL;
+    }
+    
+    PORT_Assert(ss->ssl3 != NULL);
+    if (ss->ssl3 == NULL) {
+	return NULL;
+    }
+
+    if (GetInt2(inHeader->magic) != PRE_MAGIC) {
+	return NULL;
+    }
+
+    oldHeaderSize = GetInt2(inHeader->len);
+    header = (PEHeader *) PORT_ZAlloc(oldHeaderSize);
+    if (header == NULL) {
+	return NULL;
+    }
+
+    switch (GetInt2(inHeader->type)) {
+    case PRE_FORTEZZA_FILE:
+    case PRE_FORTEZZA_GEN_STREAM:
+    case PRE_FIXED_FILE:
+    case PRE_RSA_FILE:
+    default:
+	*headerSize = oldHeaderSize;
+	PORT_Memcpy(header,inHeader,oldHeaderSize);
+	return header;
+
+    case PRE_FORTEZZA_STREAM:
+	*headerSize = PE_BASE_HEADER_LEN + sizeof(PEFortezzaHeader);
+        PutInt2(header->magic,PRE_MAGIC);
+	PutInt2(header->len,*headerSize);
+	PutInt2(header->type, PRE_FORTEZZA_FILE);
+	PORT_Memcpy(header->version,inHeader->version,sizeof(header->version));
+	PORT_Memcpy(header->u.fortezza.hash,inHeader->u.fortezza.hash,
+					     sizeof(header->u.fortezza.hash));
+	PORT_Memcpy(header->u.fortezza.iv,inHeader->u.fortezza.iv,
+					      sizeof(header->u.fortezza.iv));
+
+	/* get the kea context from the session */
+	tek = ss->ssl3->fortezza.tek;
+	if (tek == NULL) {
+	    PORT_Free(header);
+	    return NULL;
+	}
+
+
+	/* get the slot and the serial number */
+	slot = PK11_GetSlotFromKey(tek);
+	if (slot == NULL) {
+	    PORT_Free(header);
+	    return NULL;
+	}
+	rv = PK11_GetTokenInfo(slot,&info);
+	if (rv != SECSuccess) {
+	    PORT_Free(header);
+	    PK11_FreeSlot(slot);
+	    return NULL;
+	}
+
+	/* Look up the Token Fixed Key */
+	Ks = PK11_FindFixedKey(slot, CKM_SKIPJACK_WRAP, NULL, ss->pkcs11PinArg);
+	PK11_FreeSlot(slot);
+	if (Ks == NULL) {
+	    PORT_Free(header);
+	    return NULL;
+	}
+
+	/* unwrap the key with the TEK */
+	item.data = inHeader->u.fortezza.key;
+	item.len = sizeof(inHeader->u.fortezza.key);
+	key = PK11_UnwrapSymKey(tek,CKM_SKIPJACK_WRAP,
+                        NULL, &item, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0);
+	if (key == NULL) {
+	    PORT_Free(header);
+	    PK11_FreeSymKey(Ks);
+	    return NULL;
+	}
+
+	/* rewrap with the local Ks */
+	item.data = header->u.fortezza.key;
+	item.len = sizeof(header->u.fortezza.key);
+	rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, Ks, key, &item);
+	PK11_FreeSymKey(Ks);
+	PK11_FreeSymKey(key);
+	if (rv != SECSuccess) {
+	    PORT_Free(header);
+	    return NULL;
+	}
+    
+	/* copy our local serial number into header */
+	for (i=0; i < sizeof(header->u.fortezza.serial); i++) {
+	    header->u.fortezza.serial[i] = 
+		(fromHex(info.serialNumber[i*2]) << 4) 	|
+					fromHex(info.serialNumber[i*2 + 1]);
+	}
+	break;
+    case PRE_FIXED_STREAM:
+	/* not implemented yet */
+	PORT_Free(header);
+	return NULL;
+    }
+    
+    return(header);
+}
+
+/*
+ * this one needs to allocate space and work for RSA & FIXED key files as well
+ */
+PEHeader *SSL_PreencryptedFileToStream(PRFileDesc *fd, PEHeader *header, 
+							int *headerSize)
+{
+    PK11SymKey *key, *tek, *Ks;
+    sslSocket *ss;
+    PK11SlotInfo *slot;
+    SECStatus rv;
+    SECItem item;
+    
+    *headerSize = 0; /* hack */
+ 
+    if (fd == NULL) {
+        /* XXX set an error */
+        return NULL;
+    }
+    
+    ss = ssl_FindSocket(fd);
+    if (ss == NULL) {
+        return NULL;
+    }
+    
+    PORT_Assert(ss->ssl3 != NULL);
+    if (ss->ssl3 == NULL) {
+	return NULL;
+    }
+
+    /* get the kea context from the session */
+    tek = ss->ssl3->fortezza.tek;
+    if (tek == NULL) {
+	return NULL;
+    }
+
+    slot = PK11_GetSlotFromKey(tek);
+    if (slot == NULL) return NULL;
+    Ks = PK11_FindFixedKey(slot, CKM_SKIPJACK_WRAP, NULL, PK11_GetWindow(tek));
+    PK11_FreeSlot(slot);
+    if (Ks == NULL) return NULL;
+
+
+    /* unwrap with the local Ks */
+    item.data = header->u.fortezza.key;
+    item.len = sizeof(header->u.fortezza.key);
+    /* rewrap the key with the TEK */
+    key = PK11_UnwrapSymKey(Ks,CKM_SKIPJACK_WRAP,
+                        NULL, &item, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0);
+    if (key == NULL) {
+        PK11_FreeSymKey(Ks);
+	return NULL;
+    }
+
+    rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, tek, key, &item);
+    PK11_FreeSymKey(Ks);
+    PK11_FreeSymKey(key);
+    if (rv != SECSuccess) {
+	return NULL;
+    }
+    
+    /* copy over our local serial number */
+    PORT_Memset(header->u.fortezza.serial,0,sizeof(header->u.fortezza.serial));
+    
+    /* change type to stream */
+    PutInt2(header->type, PRE_FORTEZZA_STREAM);
+    
+    return(header);
+}
+
+
diff --git a/security/nss/lib/ssl/ssl.def b/security/nss/lib/ssl/ssl.def
new file mode 100644
index 000000000..7833ae741
--- /dev/null
+++ b/security/nss/lib/ssl/ssl.def
@@ -0,0 +1,117 @@
+;+#
+;+# The contents of this file are subject to the Mozilla Public
+;+# License Version 1.1 (the "License"); you may not use this file
+;+# except in compliance with the License. You may obtain a copy of
+;+# the License at http://www.mozilla.org/MPL/
+;+#
+;+# Software distributed under the License is distributed on an "AS
+;+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+;+# implied. See the License for the specific language governing
+;+# rights and limitations under the License.
+;+#
+;+# The Original Code is the Netscape security libraries.
+;+#
+;+# The Initial Developer of the Original Code is Netscape
+;+# Communications Corporation.  Portions created by Netscape are
+;+# Copyright (C) 2000 Netscape Communications Corporation.  All
+;+# Rights Reserved.
+;+#
+;+# Contributor(s):
+;+#
+;+# Alternatively, the contents of this file may be used under the
+;+# terms of the GNU General Public License Version 2 or later (the
+;+# "GPL"), in which case the provisions of the GPL are applicable
+;+# instead of those above.  If you wish to allow use of your
+;+# version of this file only under the terms of the GPL and not to
+;+# allow others to use your version of this file under the MPL,
+;+# indicate your decision by deleting the provisions above and
+;+# replace them with the notice and other provisions required by
+;+# the GPL.  If you do not delete the provisions above, a recipient
+;+# may use your version of this file under either the MPL or the
+;+# GPL.
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+#   1. For all unix platforms, the string ";-"  means "remove this line"
+;+#   2. For all unix platforms, the string " DATA " will be removed from any 
+;+#     line on which it occurs.
+;+#   3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+#      On AIX, lines containing ";+" will be removed.
+;+#   4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+#   5. For all unix platforms, after the above processing has taken place,
+;+#    all characters after the first ";" on the line will be removed.
+;+#    And for AIX, the first ";" will also be removed.
+;+#  This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+#   directives are hidden behind ";", ";+", and ";-"
+;+
+;+NSS_3.2 {       # NSS 3.2 release
+;+    global:
+LIBRARY ssl3 ;-
+EXPORTS ;-
+SSL_ImplementedCiphers DATA ;
+SSL_NumImplementedCiphers DATA ;
+NSS_CmpCertChainWCANames;
+NSS_FindCertKEAType;
+NSS_GetClientAuthData;
+NSS_SetDomesticPolicy;
+NSS_SetExportPolicy;
+NSS_SetFrancePolicy;
+SSL_AuthCertificate;
+SSL_AuthCertificateHook;
+SSL_BadCertHook;
+SSL_CertDBHandleSet;
+SSL_CipherPolicyGet;
+SSL_CipherPolicySet;
+SSL_CipherPrefGet;
+SSL_CipherPrefGetDefault;
+SSL_CipherPrefSet;
+SSL_CipherPrefSetDefault;
+SSL_ClearSessionCache;
+SSL_ConfigMPServerSIDCache;
+SSL_ConfigSecureServer;
+SSL_ConfigServerSessionIDCache;
+SSL_DataPending;
+SSL_ForceHandshake;
+SSL_GetClientAuthDataHook;
+SSL_GetSessionID;
+SSL_GetStatistics;
+SSL_HandshakeCallback;
+SSL_ImportFD;
+SSL_InheritMPServerSIDCache;
+SSL_InvalidateSession;
+SSL_OptionGet;
+SSL_OptionGetDefault;
+SSL_OptionSet;
+SSL_OptionSetDefault;
+SSL_PeerCertificate;
+SSL_PreencryptedFileToStream;
+SSL_PreencryptedStreamToFile;
+SSL_ReHandshake;
+SSL_ResetHandshake;
+SSL_RestartHandshakeAfterCertReq;
+SSL_RestartHandshakeAfterServerCert;
+SSL_RevealCert;
+SSL_RevealPinArg;
+SSL_RevealURL;
+SSL_SecurityStatus;
+SSL_SetPKCS11PinArg;
+SSL_SetSockPeerID;
+SSL_SetURL;
+;+    local:
+;+*;
+;+};
+;+NSS_3.2.1 {       # NSS 3.2.1 release
+;+    global:
+NSSSSL_VersionCheck;
+;+    local:
+;+*;
+;+};
+;+NSS_3.4 {         # NSS 3.4   release
+;+    global:
+SSL_GetChannelInfo;
+SSL_GetCipherSuiteInfo;
+SSL_GetMaxServerCacheLocks;
+SSL_LocalCertificate;
+SSL_SetMaxServerCacheLocks;
+;+    local:
+;+*;
+;+};
diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h
new file mode 100644
index 000000000..34f5cbf24
--- /dev/null
+++ b/security/nss/lib/ssl/ssl.h
@@ -0,0 +1,439 @@
+/*
+ * This file contains prototypes for the public SSL functions.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#ifndef __ssl_h_
+#define __ssl_h_
+
+#include "prtypes.h"
+#include "prerror.h"
+#include "prio.h"
+#include "seccomon.h"
+#include "cert.h"
+#include "keyt.h"
+
+#include "sslt.h"  /* public ssl data types */
+
+#if defined(_WIN32) && !defined(IN_LIBSSL) && !defined(NSS_USE_STATIC_LIBS)
+#define SSL_IMPORT extern __declspec(dllimport)
+#else
+#define SSL_IMPORT extern
+#endif
+
+SEC_BEGIN_PROTOS
+
+/* constant table enumerating all implemented SSL 2 and 3 cipher suites. */
+SSL_IMPORT const PRUint16 SSL_ImplementedCiphers[];
+
+/* number of entries in the above table. */
+SSL_IMPORT const PRUint16 SSL_NumImplementedCiphers;
+
+/* Macro to tell which ciphers in table are SSL2 vs SSL3/TLS. */
+#define SSL_IS_SSL2_CIPHER(which) (((which) & 0xfff0) == 0xff00)
+
+/*
+** Imports fd into SSL, returning a new socket.  Copies SSL configuration
+** from model.
+*/
+SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd);
+
+/*
+** Enable/disable an ssl mode
+**
+** 	SSL_SECURITY:
+** 		enable/disable use of SSL security protocol before connect
+**
+** 	SSL_SOCKS:
+** 		enable/disable use of socks before connect
+**		(No longer supported).
+**
+** 	SSL_REQUEST_CERTIFICATE:
+** 		require a certificate during secure connect
+*/
+/* options */
+#define SSL_SECURITY			1
+#define SSL_SOCKS			2
+#define SSL_REQUEST_CERTIFICATE		3
+#define SSL_HANDSHAKE_AS_CLIENT		5 /* force accept to hs as client */
+#define SSL_HANDSHAKE_AS_SERVER		6 /* force connect to hs as server */
+#define SSL_ENABLE_SSL2			7 /* enable ssl v2 (on by default) */
+#define SSL_ENABLE_SSL3		        8 /* enable ssl v3 (on by default) */
+#define SSL_NO_CACHE		        9 /* don't use the session cache */
+#define SSL_REQUIRE_CERTIFICATE        10
+#define SSL_ENABLE_FDX                 11 /* permit simultaneous read/write */
+#define SSL_V2_COMPATIBLE_HELLO        12 /* send v3 client hello in v2 fmt */
+#define SSL_ENABLE_TLS		       13 /* enable TLS (off by default) */
+#define SSL_ROLLBACK_DETECTION         14 /* for compatibility, default: on */
+
+#ifdef SSL_DEPRECATED_FUNCTION 
+/* Old deprecated function names */
+SSL_IMPORT SECStatus SSL_Enable(PRFileDesc *fd, int option, PRBool on);
+SSL_IMPORT SECStatus SSL_EnableDefault(int option, PRBool on);
+#endif
+
+/* New function names */
+SSL_IMPORT SECStatus SSL_OptionSet(PRFileDesc *fd, PRInt32 option, PRBool on);
+SSL_IMPORT SECStatus SSL_OptionGet(PRFileDesc *fd, PRInt32 option, PRBool *on);
+SSL_IMPORT SECStatus SSL_OptionSetDefault(PRInt32 option, PRBool on);
+SSL_IMPORT SECStatus SSL_OptionGetDefault(PRInt32 option, PRBool *on);
+SSL_IMPORT SECStatus SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle);
+
+/*
+** Control ciphers that SSL uses. If on is non-zero then the named cipher
+** is enabled, otherwise it is disabled. 
+** The "cipher" values are defined in sslproto.h (the SSL_EN_* values).
+** EnableCipher records user preferences.
+** SetPolicy sets the policy according to the policy module.
+*/
+#ifdef SSL_DEPRECATED_FUNCTION 
+/* Old deprecated function names */
+SSL_IMPORT SECStatus SSL_EnableCipher(long which, PRBool enabled);
+SSL_IMPORT SECStatus SSL_SetPolicy(long which, int policy);
+#endif
+
+/* New function names */
+SSL_IMPORT SECStatus SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 cipher, PRBool enabled);
+SSL_IMPORT SECStatus SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 cipher, PRBool *enabled);
+SSL_IMPORT SECStatus SSL_CipherPrefSetDefault(PRInt32 cipher, PRBool enabled);
+SSL_IMPORT SECStatus SSL_CipherPrefGetDefault(PRInt32 cipher, PRBool *enabled);
+SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy);
+SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy);
+
+/* Values for "policy" argument to SSL_PolicySet */
+/* Values returned by SSL_CipherPolicyGet. */
+#define SSL_NOT_ALLOWED		 0	      /* or invalid or unimplemented */
+#define SSL_ALLOWED		 1
+#define SSL_RESTRICTED		 2	      /* only with "Step-Up" certs. */
+
+/*
+** Reset the handshake state for fd. This will make the complete SSL
+** handshake protocol execute from the ground up on the next i/o
+** operation.
+*/
+SSL_IMPORT SECStatus SSL_ResetHandshake(PRFileDesc *fd, PRBool asServer);
+
+/*
+** Force the handshake for fd to complete immediately.  This blocks until
+** the complete SSL handshake protocol is finished.
+*/
+SSL_IMPORT SECStatus SSL_ForceHandshake(PRFileDesc *fd);
+
+/*
+** Query security status of socket. *on is set to one if security is
+** enabled. *keySize will contain the stream key size used. *issuer will
+** contain the RFC1485 verison of the name of the issuer of the
+** certificate at the other end of the connection. For a client, this is
+** the issuer of the server's certificate; for a server, this is the
+** issuer of the client's certificate (if any). Subject is the subject of
+** the other end's certificate. The pointers can be zero if the desired
+** data is not needed.  All strings returned by this function are owned
+** by SSL, and will be freed when the socket is closed.
+*/
+SSL_IMPORT SECStatus SSL_SecurityStatus(PRFileDesc *fd, int *on, char **cipher,
+			                int *keySize, int *secretKeySize,
+			                char **issuer, char **subject);
+
+/* Values for "on" */
+#define SSL_SECURITY_STATUS_NOOPT	-1
+#define SSL_SECURITY_STATUS_OFF		0
+#define SSL_SECURITY_STATUS_ON_HIGH	1
+#define SSL_SECURITY_STATUS_ON_LOW	2
+#define SSL_SECURITY_STATUS_FORTEZZA	3
+
+/*
+** Return the certificate for our SSL peer. If the client calls this
+** it will always return the server's certificate. If the server calls
+** this, it may return NULL if client authentication is not enabled or
+** if the client had no certificate when asked.
+**	"fd" the socket "file" descriptor
+*/
+SSL_IMPORT CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd);
+
+/*
+** Authenticate certificate hook. Called when a certificate comes in
+** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the
+** certificate.
+*/
+typedef SECStatus (PR_CALLBACK *SSLAuthCertificate)(void *arg, PRFileDesc *fd, 
+                                                    PRBool checkSig,
+                                                    PRBool isServer);
+
+SSL_IMPORT SECStatus SSL_AuthCertificateHook(PRFileDesc *fd, 
+					     SSLAuthCertificate f,
+				             void *arg);
+
+/* An implementation of the certificate authentication hook */
+SSL_IMPORT SECStatus SSL_AuthCertificate(void *arg, PRFileDesc *fd, 
+					 PRBool checkSig, PRBool isServer);
+
+/*
+ * Prototype for SSL callback to get client auth data from the application.
+ *	arg - application passed argument
+ *	caNames - pointer to distinguished names of CAs that the server likes
+ *	pRetCert - pointer to pointer to cert, for return of cert
+ *	pRetKey - pointer to key pointer, for return of key
+ */
+typedef SECStatus (PR_CALLBACK *SSLGetClientAuthData)(void *arg,
+                                PRFileDesc *fd,
+                                CERTDistNames *caNames,
+                                CERTCertificate **pRetCert,/*return */
+                                SECKEYPrivateKey **pRetKey);/* return */
+
+/*
+ * Set the client side callback for SSL to retrieve user's private key
+ * and certificate.
+ *	fd - the file descriptor for the connection in question
+ *	f - the application's callback that delivers the key and cert
+ *	a - application specific data
+ */
+SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, 
+			                       SSLGetClientAuthData f, void *a);
+
+
+/*
+ * Set the client side argument for SSL to retrieve PKCS #11 pin.
+ *	fd - the file descriptor for the connection in question
+ *	a - pkcs11 application specific data
+ */
+SSL_IMPORT SECStatus SSL_SetPKCS11PinArg(PRFileDesc *fd, void *a);
+
+/*
+** This is a callback for dealing with server certs that are not authenticated
+** by the client.  The client app can decide that it actually likes the
+** cert by some external means and restart the connection.
+*/
+typedef SECStatus (PR_CALLBACK *SSLBadCertHandler)(void *arg, PRFileDesc *fd);
+SSL_IMPORT SECStatus SSL_BadCertHook(PRFileDesc *fd, SSLBadCertHandler f, 
+				     void *arg);
+
+/*
+** Configure ssl for running a secure server. Needs the
+** certificate for the server and the servers private key. The arguments
+** are copied.
+*/
+SSL_IMPORT SECStatus SSL_ConfigSecureServer(
+				PRFileDesc *fd, CERTCertificate *cert,
+				SECKEYPrivateKey *key, SSLKEAType kea);
+
+/*
+** Configure a secure servers session-id cache. Define the maximum number
+** of entries in the cache, the longevity of the entires, and the directory
+** where the cache files will be placed.  These values can be zero, and 
+** if so, the implementation will choose defaults.
+** This version of the function is for use in applications that have only one 
+** process that uses the cache (even if that process has multiple threads).
+*/
+SSL_IMPORT SECStatus SSL_ConfigServerSessionIDCache(int      maxCacheEntries,
+					            PRUint32 timeout,
+					            PRUint32 ssl3_timeout,
+				              const char *   directory);
+/*
+** Like SSL_ConfigServerSessionIDCache, with one important difference.
+** If the application will run multiple processes (as opposed to, or in 
+** addition to multiple threads), then it must call this function, instead
+** of calling SSL_ConfigServerSessionIDCache().
+** This has nothing to do with the number of processORs, only processEs.
+** This function sets up a Server Session ID (SID) cache that is safe for
+** access by multiple processes on the same system.
+*/
+SSL_IMPORT SECStatus SSL_ConfigMPServerSIDCache(int      maxCacheEntries, 
+				                PRUint32 timeout,
+			       	                PRUint32 ssl3_timeout, 
+		                          const char *   directory);
+
+/* Get and set the configured maximum number of mutexes used for the 
+** server's store of SSL sessions.  This value is used by the server 
+** session ID cache initialization functions shown above.  Note that on 
+** some platforms, these mutexes are actually implemented with POSIX 
+** semaphores, or with unnamed pipes.  The default value varies by platform.
+** An attempt to set a too-low maximum will return an error and the 
+** configured value will not be changed.
+*/
+SSL_IMPORT PRUint32  SSL_GetMaxServerCacheLocks(void);
+SSL_IMPORT SECStatus SSL_SetMaxServerCacheLocks(PRUint32 maxLocks);
+
+/* environment variable set by SSL_ConfigMPServerSIDCache, and queried by
+ * SSL_InheritMPServerSIDCache when envString is NULL.
+ */
+#define SSL_ENV_VAR_NAME            "SSL_INHERITANCE"
+
+/* called in child to inherit SID Cache variables. 
+ * If envString is NULL, this function will use the value of the environment
+ * variable "SSL_INHERITANCE", otherwise the string value passed in will be 
+ * used.
+ */
+SSL_IMPORT SECStatus SSL_InheritMPServerSIDCache(const char * envString);
+
+/*
+** Set the callback on a particular socket that gets called when we finish
+** performing a handshake.
+*/
+typedef void (PR_CALLBACK *SSLHandshakeCallback)(PRFileDesc *fd,
+                                                 void *client_data);
+SSL_IMPORT SECStatus SSL_HandshakeCallback(PRFileDesc *fd, 
+			          SSLHandshakeCallback cb, void *client_data);
+
+/*
+** For the server, request a new handshake.  For the client, begin a new
+** handshake.  If flushCache is non-zero, the SSL3 cache entry will be 
+** flushed first, ensuring that a full SSL handshake will be done.
+** If flushCache is zero, and an SSL connection is established, it will 
+** do the much faster session restart handshake.  This will change the 
+** session keys without doing another private key operation.
+*/
+SSL_IMPORT SECStatus SSL_ReHandshake(PRFileDesc *fd, PRBool flushCache);
+
+#ifdef SSL_DEPRECATED_FUNCTION 
+/* deprecated!
+** For the server, request a new handshake.  For the client, begin a new
+** handshake.  Flushes SSL3 session cache entry first, ensuring that a 
+** full handshake will be done.  
+** This call is equivalent to SSL_ReHandshake(fd, PR_TRUE)
+*/
+SSL_IMPORT SECStatus SSL_RedoHandshake(PRFileDesc *fd);
+#endif
+
+/*
+ * Allow the application to pass a URL or hostname into the SSL library
+ */
+SSL_IMPORT SECStatus SSL_SetURL(PRFileDesc *fd, const char *url);
+
+/*
+** Return the number of bytes that SSL has waiting in internal buffers.
+** Return 0 if security is not enabled.
+*/
+SSL_IMPORT int SSL_DataPending(PRFileDesc *fd);
+
+/*
+** Invalidate the SSL session associated with fd.
+*/
+SSL_IMPORT SECStatus SSL_InvalidateSession(PRFileDesc *fd);
+
+/*
+** Return a SECItem containing the SSL session ID associated with the fd.
+*/
+SSL_IMPORT SECItem *SSL_GetSessionID(PRFileDesc *fd);
+
+/*
+** Clear out the client's SSL session cache, not the server's session cache.
+*/
+SSL_IMPORT void SSL_ClearSessionCache(void);
+
+/*
+** Set peer information so we can correctly look up SSL session later.
+** You only have to do this if you're tunneling through a proxy.
+*/
+SSL_IMPORT SECStatus SSL_SetSockPeerID(PRFileDesc *fd, char *peerID);
+
+/*
+** Reveal the security information for the peer. 
+*/
+SSL_IMPORT CERTCertificate * SSL_RevealCert(PRFileDesc * socket);
+SSL_IMPORT void * SSL_RevealPinArg(PRFileDesc * socket);
+SSL_IMPORT char * SSL_RevealURL(PRFileDesc * socket);
+
+
+/* This callback may be passed to the SSL library via a call to
+ * SSL_GetClientAuthDataHook() for each SSL client socket.
+ * It will be invoked when SSL needs to know what certificate and private key
+ * (if any) to use to respond to a request for client authentication.
+ * If arg is non-NULL, it is a pointer to a NULL-terminated string containing
+ * the nickname of the cert/key pair to use.
+ * If arg is NULL, this function will search the cert and key databases for 
+ * a suitable match and send it if one is found.
+ */
+SSL_IMPORT SECStatus
+NSS_GetClientAuthData(void *                       arg,
+                      PRFileDesc *                 socket,
+                      struct CERTDistNamesStr *    caNames,
+                      struct CERTCertificateStr ** pRetCert,
+                      struct SECKEYPrivateKeyStr **pRetKey);
+
+/*
+ * Look to see if any of the signers in the cert chain for "cert" are found
+ * in the list of caNames.  
+ * Returns SECSuccess if so, SECFailure if not.
+ * Used by NSS_GetClientAuthData.  May be used by other callback functions.
+ */
+SSL_IMPORT SECStatus NSS_CmpCertChainWCANames(CERTCertificate *cert, 
+                                          CERTDistNames *caNames);
+
+/* 
+ * Returns key exchange type of the keys in an SSL server certificate.
+ */
+SSL_IMPORT SSLKEAType NSS_FindCertKEAType(CERTCertificate * cert);
+
+/* Set cipher policies to a predefined Domestic (U.S.A.) policy.
+ * This essentially enables all supported ciphers.
+ */
+SSL_IMPORT SECStatus NSS_SetDomesticPolicy(void);
+
+/* Set cipher policies to a predefined Policy that is exportable from the USA
+ *   according to present U.S. policies as we understand them.
+ * See documentation for the list.
+ * Note that your particular application program may be able to obtain
+ *   an export license with more or fewer capabilities than those allowed
+ *   by this function.  In that case, you should use SSL_SetPolicy()
+ *   to explicitly allow those ciphers you may legally export.
+ */
+SSL_IMPORT SECStatus NSS_SetExportPolicy(void);
+
+/* Set cipher policies to a predefined Policy that is exportable from the USA
+ *   according to present U.S. policies as we understand them, and that the 
+ *   nation of France will permit to be imported into their country.
+ * See documentation for the list.
+ */
+SSL_IMPORT SECStatus NSS_SetFrancePolicy(void);
+
+SSL_IMPORT SSL3Statistics * SSL_GetStatistics(void);
+
+/* Report more information than SSL_SecurityStatus.
+** Caller supplies the info struct.  Function fills it in.
+*/
+SSL_IMPORT SECStatus SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info,
+                                        PRUintn len);
+SSL_IMPORT SECStatus SSL_GetCipherSuiteInfo(PRUint16 cipherSuite, 
+                                        SSLCipherSuiteInfo *info, PRUintn len);
+
+/*
+** Return a new reference to the certificate that was most recently sent
+** to the peer on this SSL/TLS connection, or NULL if none has been sent.
+*/
+SSL_IMPORT CERTCertificate * SSL_LocalCertificate(PRFileDesc *fd);
+
+SEC_END_PROTOS
+
+#endif /* __ssl_h_ */
diff --git a/security/nss/lib/ssl/ssl.rc b/security/nss/lib/ssl/ssl.rc
new file mode 100644
index 000000000..864c94f94
--- /dev/null
+++ b/security/nss/lib/ssl/ssl.rc
@@ -0,0 +1,98 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 2001 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "nss.h"
+#include <winver.h>
+
+#define MY_LIBNAME "ssl"
+#define MY_FILEDESCRIPTION "NSS SSL Library"
+
+#define STRINGIZE(x) #x
+#define STRINGIZE2(x) STRINGIZE(x)
+#define NSS_VMAJOR_STR STRINGIZE2(NSS_VMAJOR)
+
+#ifdef _DEBUG
+#define MY_DEBUG_STR " (debug)"
+#define MY_FILEFLAGS_1 VS_FF_DEBUG
+#else
+#define MY_DEBUG_STR ""
+#define MY_FILEFLAGS_1 0x0L
+#endif
+#if NSS_BETA
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
+#else
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
+#endif
+
+#ifdef WINNT
+#define MY_FILEOS VOS_NT_WINDOWS32
+#else
+#define MY_FILEOS VOS__WINDOWS32
+#endif
+
+#define MY_INTERNAL_NAME MY_LIBNAME NSS_VMAJOR_STR
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version-information resource
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
+ PRODUCTVERSION NSS_VMAJOR,NSS_VMINOR,NSS_VPATCH,0
+ FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
+ FILEFLAGS MY_FILEFLAGS_2
+ FILEOS MY_FILEOS
+ FILETYPE VFT_DLL
+ FILESUBTYPE 0x0L // not used
+
+BEGIN
+    BLOCK "StringFileInfo"
+    BEGIN
+        BLOCK "040904B0" // Lang=US English, CharSet=Unicode
+        BEGIN
+            VALUE "CompanyName", "Netscape Communications Corporation\0"
+            VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
+            VALUE "FileVersion", NSS_VERSION "\0"
+            VALUE "InternalName", MY_INTERNAL_NAME "\0"
+            VALUE "LegalCopyright", "Copyright \251 1994-2001 Netscape Communications Corporation\0"
+            VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
+            VALUE "ProductName", "Network Security Services\0"
+            VALUE "ProductVersion", NSS_VERSION "\0"
+        END
+    END
+    BLOCK "VarFileInfo"
+    BEGIN
+        VALUE "Translation", 0x409, 1200
+    END
+END
diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
new file mode 100644
index 000000000..1e2da2e94
--- /dev/null
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -0,0 +1,7967 @@
+/*
+ * SSL3 Protocol
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s): 
+ *	Dr Stephen Henson <stephen.henson@gemplus.com>
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "nssrenam.h"
+#include "cert.h"
+#include "ssl.h"
+#include "cryptohi.h"	/* for DSAU_ stuff */
+#include "keyhi.h"
+#include "secder.h"
+#include "secitem.h"
+
+#include "sslimpl.h"
+#include "sslproto.h"
+#include "sslerr.h"
+#include "prtime.h"
+#include "prinrval.h"
+#include "prerror.h"
+#include "pratom.h"
+#include "prthread.h"
+
+#include "pk11func.h"
+#include "secmod.h"
+#include "nsslocks.h"
+
+#include <stdio.h>
+
+#ifndef PK11_SETATTRS
+#define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
+		(x)->pValue=(v); (x)->ulValueLen = (l);
+#endif
+
+static void      ssl3_CleanupPeerCerts(ssl3State *ssl3);
+static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
+                                       PK11SlotInfo * serverKeySlot);
+static SECStatus ssl3_GenerateSessionKeys(sslSocket *ss, const PK11SymKey *pms);
+static SECStatus ssl3_HandshakeFailure(      sslSocket *ss);
+static SECStatus ssl3_InitState(             sslSocket *ss);
+static sslSessionID *ssl3_NewSessionID(      sslSocket *ss, PRBool is_server);
+static SECStatus ssl3_SendCertificate(       sslSocket *ss);
+static SECStatus ssl3_SendEmptyCertificate(  sslSocket *ss);
+static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
+static SECStatus ssl3_SendFinished(          sslSocket *ss, PRInt32 flags);
+static SECStatus ssl3_SendServerHello(       sslSocket *ss);
+static SECStatus ssl3_SendServerHelloDone(   sslSocket *ss);
+static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss);
+
+static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
+			     int maxOutputLen, const unsigned char *input,
+			     int inputLen);
+
+#define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
+#define MIN_SEND_BUF_LENGTH  4000
+
+#define MAX_CIPHER_SUITES 20
+
+/* This list of SSL3 cipher suites is sorted in descending order of
+ * precedence (desirability).  It only includes cipher suites we implement.
+ * This table is modified by SSL3_SetPolicy().
+ */
+static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
+   /*      cipher_suite                         policy      enabled is_present*/
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 	   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA,     	   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+
+ { SSL_FORTEZZA_DMS_WITH_RC4_128_SHA,      SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_RC4_128_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { SSL_RSA_WITH_RC4_128_MD5,               SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+ { SSL_RSA_WITH_RC4_128_SHA,               SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_RSA_WITH_AES_128_CBC_SHA,     	   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+
+ { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,     SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+ { SSL_RSA_WITH_3DES_EDE_CBC_SHA,          SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+
+ { SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+
+ { SSL_DHE_RSA_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { SSL_DHE_DSS_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { SSL_RSA_FIPS_WITH_DES_CBC_SHA,          SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+ { SSL_RSA_WITH_DES_CBC_SHA,               SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+
+ { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,     SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,    SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+ { SSL_RSA_EXPORT_WITH_RC4_40_MD5,         SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+ { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,     SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+ { SSL_FORTEZZA_DMS_WITH_NULL_SHA,         SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+ { SSL_RSA_WITH_NULL_MD5,                  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}
+};
+
+static const /*SSL3CompressionMethod*/ uint8 compressions [] = {
+    compression_null
+};
+
+static const int compressionMethodsCount =
+		sizeof(compressions) / sizeof(compressions[0]);
+
+static const /*SSL3ClientCertificateType */ uint8 certificate_types [] = {
+    ct_RSA_sign,
+    ct_DSS_sign,
+};
+
+static const /*SSL3ClientCertificateType */ uint8 fortezza_certificate_types [] = {
+    ct_Fortezza,
+};
+
+/*
+ * make sure there is room in the write buffer for padding and
+ * other compression and cryptographic expansions
+ */
+#define SSL3_BUFFER_FUDGE     100
+
+#define SET_ERROR_CODE		/* reminder */
+#define SEND_ALERT		/* reminder */
+#define TEST_FOR_FAILURE	/* reminder */
+#define DEAL_WITH_FAILURE	/* reminder */
+
+#define EXPORT_RSA_KEY_LENGTH 64	/* bytes */
+
+
+/* This is a hack to make sure we don't do double handshakes for US policy */
+PRBool ssl3_global_policy_some_restricted = PR_FALSE;
+
+/* This global item is used only in servers.  It is is initialized by
+** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest().
+*/
+CERTDistNames *ssl3_server_ca_list = NULL;
+static SSL3Statistics ssl3stats;
+
+/* indexed by SSL3BulkCipher */
+static const ssl3BulkCipherDef bulk_cipher_defs[] = {
+    /* cipher          calg        keySz secretSz  type  ivSz BlkSz keygen */
+    {cipher_null,      calg_null,      0,  0, type_stream,  0, 0, kg_null},
+    {cipher_rc4,       calg_rc4,      16, 16, type_stream,  0, 0, kg_strong},
+    {cipher_rc4_40,    calg_rc4,      16,  5, type_stream,  0, 0, kg_export},
+    {cipher_rc4_56,    calg_rc4,      16,  7, type_stream,  0, 0, kg_export},
+    {cipher_rc2,       calg_rc2,      16, 16, type_block,   8, 8, kg_strong},
+    {cipher_rc2_40,    calg_rc2,      16,  5, type_block,   8, 8, kg_export},
+    {cipher_des,       calg_des,       8,  8, type_block,   8, 8, kg_strong},
+    {cipher_3des,      calg_3des,     24, 24, type_block,   8, 8, kg_strong},
+    {cipher_des40,     calg_des,       8,  5, type_block,   8, 8, kg_export},
+    {cipher_idea,      calg_idea,     16, 16, type_block,   8, 8, kg_strong},
+    {cipher_fortezza,  calg_fortezza, 10, 10, type_block,  24, 8, kg_null},
+    {cipher_aes_128,   calg_aes,      16, 16, type_block,  16,16, kg_strong},
+    {cipher_aes_256,   calg_aes,      32, 32, type_block,  16,16, kg_strong},
+    {cipher_missing,   calg_null,      0,  0, type_stream,  0, 0, kg_null},
+};
+
+static const ssl3KEADef kea_defs[] = { /* indexed by SSL3KeyExchangeAlgorithm */
+    /* kea              exchKeyType signKeyType is_limited limit  tls_keygen */
+    {kea_null,           kt_null,     sign_null, PR_FALSE,   0, PR_FALSE},
+    {kea_rsa,            kt_rsa,      sign_rsa,  PR_FALSE,   0, PR_FALSE},
+    {kea_rsa_export,     kt_rsa,      sign_rsa,  PR_TRUE,  512, PR_FALSE},
+    {kea_rsa_export_1024,kt_rsa,      sign_rsa,  PR_TRUE, 1024, PR_FALSE},
+    {kea_dh_dss,         kt_dh,       sign_dsa,  PR_FALSE,   0, PR_FALSE},
+    {kea_dh_dss_export,  kt_dh,       sign_dsa,  PR_TRUE,  512, PR_FALSE},
+    {kea_dh_rsa,         kt_dh,       sign_rsa,  PR_FALSE,   0, PR_FALSE},
+    {kea_dh_rsa_export,  kt_dh,       sign_rsa,  PR_TRUE,  512, PR_FALSE},
+    {kea_dhe_dss,        kt_dh,       sign_dsa,  PR_FALSE,   0, PR_FALSE},
+    {kea_dhe_dss_export, kt_dh,       sign_dsa,  PR_TRUE,  512, PR_FALSE},
+    {kea_dhe_rsa,        kt_dh,       sign_rsa,  PR_FALSE,   0, PR_FALSE},
+    {kea_dhe_rsa_export, kt_dh,       sign_rsa,  PR_TRUE,  512, PR_FALSE},
+    {kea_dh_anon,        kt_dh,       sign_null, PR_FALSE,   0, PR_FALSE},
+    {kea_dh_anon_export, kt_dh,       sign_null, PR_TRUE,  512, PR_FALSE},
+    {kea_fortezza,       kt_fortezza, sign_dsa,  PR_FALSE,   0, PR_FALSE},
+    {kea_rsa_fips,       kt_rsa,      sign_rsa,  PR_FALSE,   0, PR_TRUE },
+};
+
+/* must use ssl_LookupCipherSuiteDef to access */
+static const ssl3CipherSuiteDef cipher_suite_defs[] = {
+/*  cipher_suite                    bulk_cipher_alg mac_alg key_exchange_alg */
+
+    {SSL_NULL_WITH_NULL_NULL,       cipher_null,   mac_null, kea_null},
+    {SSL_RSA_WITH_NULL_MD5,         cipher_null,   mac_md5, kea_rsa},
+    {SSL_RSA_WITH_NULL_SHA,         cipher_null,   mac_sha, kea_rsa},
+    {SSL_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export},
+    {SSL_RSA_WITH_RC4_128_MD5,      cipher_rc4,    mac_md5, kea_rsa},
+    {SSL_RSA_WITH_RC4_128_SHA,      cipher_rc4,    mac_sha, kea_rsa},
+    {SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+                                    cipher_rc2_40, mac_md5, kea_rsa_export},
+#if 0 /* not implemented */
+    {SSL_RSA_WITH_IDEA_CBC_SHA,     cipher_idea,   mac_sha, kea_rsa},
+    {SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
+                                    cipher_des40,  mac_sha, kea_rsa_export},
+#endif
+    {SSL_RSA_WITH_DES_CBC_SHA,      cipher_des,    mac_sha, kea_rsa},
+    {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,   mac_sha, kea_rsa},
+    {SSL_DHE_DSS_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_dss},
+    {SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+                                    cipher_3des,   mac_sha, kea_dhe_dss},
+    {TLS_DHE_DSS_WITH_RC4_128_SHA,  cipher_rc4,    mac_sha, kea_dhe_dss},
+#if 0 /* not implemented */
+    {SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
+                                    cipher_des40,  mac_sha, kea_dh_dss_export},
+    {SSL_DH_DSS_DES_CBC_SHA,        cipher_des,    mac_sha, kea_dh_dss},
+    {SSL_DH_DSS_3DES_CBC_SHA,       cipher_3des,   mac_sha, kea_dh_dss},
+    {SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
+                                    cipher_des40,  mac_sha, kea_dh_rsa_export},
+    {SSL_DH_RSA_DES_CBC_SHA,        cipher_des,    mac_sha, kea_dh_rsa},
+    {SSL_DH_RSA_3DES_CBC_SHA,       cipher_3des,   mac_sha, kea_dh_rsa},
+    {SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
+                                    cipher_des40,  mac_sha, kea_dh_dss_export},
+    {SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
+                                    cipher_des40,  mac_sha, kea_dh_rsa_export},
+#endif
+    {SSL_DHE_RSA_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_rsa},
+    {SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+                                    cipher_3des,   mac_sha, kea_dhe_rsa},
+#if 0
+    {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export},
+    {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4,    mac_md5, kea_dh_anon_export},
+    {SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
+                                    cipher_des40,  mac_sha, kea_dh_anon_export},
+    {SSL_DH_ANON_DES_CBC_SHA,       cipher_des,    mac_sha, kea_dh_anon},
+    {SSL_DH_ANON_3DES_CBC_SHA,      cipher_3des,   mac_sha, kea_dh_anon},
+#endif
+
+    {SSL_FORTEZZA_DMS_WITH_NULL_SHA, cipher_null,  mac_sha, kea_fortezza},
+    {SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,
+                                  cipher_fortezza, mac_sha, kea_fortezza},
+    {SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_fortezza},
+
+/* New TLS cipher suites */
+    {TLS_RSA_WITH_AES_128_CBC_SHA,     	cipher_aes_128, mac_sha, kea_rsa},
+    {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dhe_dss},
+    {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dhe_rsa},
+    {TLS_RSA_WITH_AES_256_CBC_SHA,     	cipher_aes_256, mac_sha, kea_rsa},
+    {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dhe_dss},
+    {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dhe_rsa},
+#if 0
+    {TLS_DH_DSS_WITH_AES_128_CBC_SHA,  	cipher_aes_128, mac_sha, kea_dh_dss},
+    {TLS_DH_RSA_WITH_AES_128_CBC_SHA,  	cipher_aes_128, mac_sha, kea_dh_rsa},
+    {TLS_DH_ANON_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dh_anon},
+    {TLS_DH_DSS_WITH_AES_256_CBC_SHA,  	cipher_aes_256, mac_sha, kea_dh_dss},
+    {TLS_DH_RSA_WITH_AES_256_CBC_SHA,  	cipher_aes_256, mac_sha, kea_dh_rsa},
+    {TLS_DH_ANON_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dh_anon},
+#endif
+
+    {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
+                                    cipher_des,    mac_sha,kea_rsa_export_1024},
+    {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
+                                    cipher_rc4_56, mac_sha,kea_rsa_export_1024},
+
+    {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
+    {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des,    mac_sha, kea_rsa_fips},
+
+};
+
+static const CK_MECHANISM_TYPE kea_alg_defs[] = {
+    0x80000000L,
+    CKM_RSA_PKCS,
+    CKM_DH_PKCS_DERIVE,
+    CKM_KEA_KEY_DERIVE
+};
+
+typedef struct SSLCipher2MechStr {
+    SSLCipherAlgorithm  calg;
+    CK_MECHANISM_TYPE   cmech;
+} SSLCipher2Mech;
+
+static const SSLCipher2Mech alg2Mech[] = {
+    { calg_null     , (CK_MECHANISM_TYPE)0x80000000L	},
+    { calg_rc4      , CKM_RC4				},
+    { calg_rc2      , CKM_RC2_CBC			},
+    { calg_des      , CKM_DES_CBC			},
+    { calg_3des     , CKM_DES3_CBC			},
+    { calg_idea     , CKM_IDEA_CBC			},
+    { calg_fortezza , CKM_SKIPJACK_CBC64		},
+    { calg_aes      , CKM_AES_CBC			},
+/*  { calg_init     , (CK_MECHANISM_TYPE)0x7fffffffL    }  */
+};
+
+#define mmech_null     (CK_MECHANISM_TYPE)0x80000000L
+#define mmech_md5      CKM_SSL3_MD5_MAC
+#define mmech_sha      CKM_SSL3_SHA1_MAC
+#define mmech_md5_hmac CKM_MD5_HMAC
+#define mmech_sha_hmac CKM_SHA_1_HMAC
+
+static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
+    /* mac      mmech       pad_size  mac_size                       */
+    { mac_null, mmech_null,       0,  0          },
+    { mac_md5,  mmech_md5,       48,  MD5_LENGTH },
+    { mac_sha,  mmech_sha,       40,  SHA1_LENGTH},
+    {hmac_md5,  mmech_md5_hmac,  48,  MD5_LENGTH },
+    {hmac_sha,  mmech_sha_hmac,  40,  SHA1_LENGTH},
+};
+
+/* indexed by SSL3BulkCipher */
+const char * const ssl3_cipherName[] = {
+    "NULL",
+    "RC4",
+    "RC4-40",
+    "RC4-56",
+    "RC2-CBC",
+    "RC2-CBC-40",
+    "DES-CBC",
+    "3DES-EDE-CBC",
+    "DES-CBC-40",
+    "IDEA-CBC",
+    "FORTEZZA",
+    "missing"
+};
+
+#if defined(TRACE)
+
+static char *
+ssl3_DecodeHandshakeType(int msgType)
+{
+    char * rv;
+    static char line[40];
+
+    switch(msgType) {
+    case hello_request:	        rv = "hello_request (0)";               break;
+    case client_hello:	        rv = "client_hello  (1)";               break;
+    case server_hello:	        rv = "server_hello  (2)";               break;
+    case certificate:	        rv = "certificate  (11)";               break;
+    case server_key_exchange:	rv = "server_key_exchange (12)";        break;
+    case certificate_request:	rv = "certificate_request (13)";        break;
+    case server_hello_done:	rv = "server_hello_done   (14)";        break;
+    case certificate_verify:	rv = "certificate_verify  (15)";        break;
+    case client_key_exchange:	rv = "client_key_exchange (16)";        break;
+    case finished:	        rv = "finished     (20)";               break;
+    default:
+        sprintf(line, "*UNKNOWN* handshake type! (%d)", msgType);
+	rv = line;
+    }
+    return rv;
+}
+
+static char *
+ssl3_DecodeContentType(int msgType)
+{
+    char * rv;
+    static char line[40];
+
+    switch(msgType) {
+    case content_change_cipher_spec:
+                                rv = "change_cipher_spec (20)";         break;
+    case content_alert:	        rv = "alert      (21)";                 break;
+    case content_handshake:	rv = "handshake  (22)";                 break;
+    case content_application_data:
+                                rv = "application_data (23)";           break;
+    default:
+        sprintf(line, "*UNKNOWN* record type! (%d)", msgType);
+	rv = line;
+    }
+    return rv;
+}
+
+#endif
+
+SSL3Statistics * 
+SSL_GetStatistics(void)
+{
+    return &ssl3stats;
+}
+
+/* return pointer to ssl3CipherSuiteDef for suite, or NULL */
+/* XXX This does a linear search.  A binary search would be better. */
+static const ssl3CipherSuiteDef *
+ssl_LookupCipherSuiteDef(ssl3CipherSuite suite)
+{
+    int cipher_suite_def_len =
+	sizeof(cipher_suite_defs) / sizeof(cipher_suite_defs[0]);
+    int i;
+
+    for (i = 0; i < cipher_suite_def_len; i++) {
+	if (cipher_suite_defs[i].cipher_suite == suite)
+	    return &cipher_suite_defs[i];
+    }
+    PORT_Assert(PR_FALSE);  /* We should never get here. */
+    PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
+    return NULL;
+}
+
+/* Find the cipher configuration struct associate with suite */
+/* XXX This does a linear search.  A binary search would be better. */
+static ssl3CipherSuiteCfg *
+ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, ssl3CipherSuiteCfg *suites)
+{
+    int i;
+
+    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+	if (suites[i].cipher_suite == suite)
+	    return &suites[i];
+    }
+    /* return NULL and let the caller handle it.  */
+    PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
+    return NULL;
+}
+
+
+/* Initialize the suite->isPresent value for config_match
+ * Returns count of enabled ciphers supported by extant tokens,
+ * regardless of policy or user preference.
+ * If this returns zero, the user cannot do SSL v3.
+ */
+int
+ssl3_config_match_init(sslSocket *ss)
+{
+    ssl3CipherSuiteCfg *      suite;
+    const ssl3CipherSuiteDef *cipher_def;
+    SSLCipherAlgorithm        cipher_alg;
+    CK_MECHANISM_TYPE         cipher_mech;
+    SSL3KEAType               exchKeyType;
+    int                       i;
+    int                       numPresent		= 0;
+    int                       numEnabled		= 0;
+    PRBool                    isServer;
+    sslServerCerts           *svrAuth;
+
+    if (!ss->enableSSL3 && !ss->enableTLS) {
+    	return 0;
+    }
+    isServer = (PRBool)( ss && ss->sec.isServer );
+
+    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+	suite = &ss->cipherSuites[i];
+	if (suite->enabled) {
+	    ++numEnabled;
+	    /* We need the cipher defs to see if we have a token that can handle
+	     * this cipher.  It isn't part of the static definition.
+	     */
+	    cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite);
+	    if (!cipher_def) {
+	    	suite->isPresent = PR_FALSE;
+		continue;
+	    }
+	    cipher_alg=bulk_cipher_defs[cipher_def->bulk_cipher_alg ].calg;
+	    PORT_Assert(  alg2Mech[cipher_alg].calg == cipher_alg);
+	    cipher_mech = alg2Mech[cipher_alg].cmech;
+	    exchKeyType =
+	    	    kea_defs[cipher_def->key_exchange_alg].exchKeyType;
+	    svrAuth = ss->serverCerts + exchKeyType;
+
+	    /* Mark the suites that are backed by real tokens, certs and keys */
+	    suite->isPresent = (PRBool)
+		(((exchKeyType == kt_null) ||
+		    ((!isServer || (svrAuth->serverKey &&
+				   svrAuth->serverCertChain)) &&
+		    PK11_TokenExists(kea_alg_defs[exchKeyType]))) &&
+		((cipher_alg == calg_null) || PK11_TokenExists(cipher_mech)));
+	    if (suite->isPresent)
+	    	++numPresent;
+	}
+    }
+    PORT_Assert(numPresent > 0 || numEnabled == 0);
+    if (numPresent <= 0) {
+	PORT_SetError(SSL_ERROR_NO_CIPHERS_SUPPORTED);
+    }
+    return numPresent;
+}
+
+
+/* return PR_TRUE if suite matches policy and enabled state */
+/* It would be a REALLY BAD THING (tm) if we ever permitted the use
+** of a cipher that was NOT_ALLOWED.  So, if this is ever called with
+** policy == SSL_NOT_ALLOWED, report no match.
+*/
+/* adjust suite enabled to the availability of a token that can do the
+ * cipher suite. */
+static PRBool
+config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled)
+{
+    PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE);
+    if (policy == SSL_NOT_ALLOWED || !enabled)
+    	return PR_FALSE;
+    return (PRBool)(suite->enabled &&
+                    suite->isPresent &&
+	            suite->policy != SSL_NOT_ALLOWED &&
+		    suite->policy <= policy);
+}
+
+/* return number of cipher suites that match policy and enabled state */
+/* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
+static int
+count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
+{
+    int i, count = 0;
+
+    if (!ss->enableSSL3 && !ss->enableTLS) {
+    	return 0;
+    }
+    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+	if (config_match(&ss->cipherSuites[i], policy, enabled))
+	    count++;
+    }
+    if (count <= 0) {
+	PORT_SetError(SSL_ERROR_SSL_DISABLED);
+    }
+    return count;
+}
+
+static PRBool
+anyRestrictedEnabled(sslSocket *ss)
+{
+    int i;
+
+    if (!ss->enableSSL3 && !ss->enableTLS) {
+    	return PR_FALSE;
+    }
+    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
+	if (suite->policy == SSL_RESTRICTED &&
+	    suite->enabled &&
+	    suite->isPresent)
+	    return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
+/*
+ * Null compression, mac and encryption functions
+ */
+
+static SECStatus
+Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen,
+	    const unsigned char *input, int inputLen)
+{
+    *outputLen = inputLen;
+    if (input != output)
+	PORT_Memcpy(output, input, inputLen);
+    return SECSuccess;
+}
+
+
+/*
+ * SSL3 Utility functions
+ */
+
+SECStatus
+ssl3_NegotiateVersion(sslSocket *ss, SSL3ProtocolVersion peerVersion)
+{
+    SSL3ProtocolVersion version;
+    SSL3ProtocolVersion maxVersion;
+
+    if (ss->enableTLS) {
+	maxVersion = SSL_LIBRARY_VERSION_3_1_TLS;
+    } else if (ss->enableSSL3) {
+	maxVersion = SSL_LIBRARY_VERSION_3_0;
+    } else {
+    	/* what are we doing here? */
+	PORT_Assert(ss->enableSSL3 || ss->enableTLS);
+	PORT_SetError(SSL_ERROR_SSL_DISABLED);
+	return SECFailure;
+    }
+
+    ss->version = version = PR_MIN(maxVersion, peerVersion);
+
+    if ((version == SSL_LIBRARY_VERSION_3_1_TLS && ss->enableTLS) ||
+    	(version == SSL_LIBRARY_VERSION_3_0     && ss->enableSSL3)) {
+	return SECSuccess;
+    }
+
+    PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+    return SECFailure;
+
+}
+
+static SECStatus
+ssl3_GetNewRandom(SSL3Random *random)
+{
+    PRIntervalTime gmt = PR_IntervalToSeconds(PR_IntervalNow());
+    SECStatus rv;
+
+    random->rand[0] = (unsigned char)(gmt >> 24);
+    random->rand[1] = (unsigned char)(gmt >> 16);
+    random->rand[2] = (unsigned char)(gmt >>  8);
+    random->rand[3] = (unsigned char)(gmt);
+
+    /* first 4 bytes are reserverd for time */
+    rv = PK11_GenerateRandom(&random->rand[4], SSL3_RANDOM_LENGTH - 4);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
+    }
+    return rv;
+}
+
+static SECStatus
+ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf, 
+                PRBool isTLS)
+{
+    SECStatus rv		= SECFailure;
+    PRBool    doDerEncode       = PR_FALSE;
+    int       signatureLen;
+    SECItem   hashItem;
+
+    buf->data    = NULL;
+    signatureLen = PK11_SignatureLen(key);
+    if (signatureLen <= 0) {
+	PORT_SetError(SEC_ERROR_INVALID_KEY);
+        goto done;
+    }
+
+    buf->len  = (unsigned)signatureLen;
+    buf->data = (unsigned char *)PORT_Alloc(signatureLen + 1);
+    if (!buf->data)
+        goto done;	/* error code was set. */
+
+    switch (key->keyType) {
+    case rsaKey:
+    	hashItem.data = hash->md5;
+    	hashItem.len = sizeof(SSL3Hashes);
+	break;
+    case dsaKey:
+    case fortezzaKey:
+	doDerEncode = isTLS;
+	hashItem.data = hash->sha;
+	hashItem.len = sizeof(hash->sha);
+	break;
+    default:
+	PORT_SetError(SEC_ERROR_INVALID_KEY);
+	goto done;
+    }
+    PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
+
+    rv = PK11_Sign(key, buf, &hashItem);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE);
+    } else if (doDerEncode) {
+	SECItem   derSig	= {siBuffer, NULL, 0};
+
+    	rv = DSAU_EncodeDerSig(&derSig, buf);
+	if (rv == SECSuccess) {
+	    PORT_Free(buf->data);	/* discard unencoded signature. */
+	    *buf = derSig;		/* give caller encoded signature. */
+	} else if (derSig.data) {
+	    PORT_Free(derSig.data);
+	}
+    }
+
+    PRINT_BUF(60, (NULL, "signed hashes", (unsigned char*)buf->data, buf->len));
+done:
+    if (rv != SECSuccess && buf->data) {
+	PORT_Free(buf->data);
+	buf->data = NULL;
+    }
+    return rv;
+}
+
+
+static SECStatus
+ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert, 
+                        SECItem *buf, PRBool isTLS, void *pwArg)
+{
+    SECKEYPublicKey * key;
+    SECItem *         signature	= NULL;
+    SECStatus         rv;
+    SECItem           hashItem;
+
+
+    PRINT_BUF(60, (NULL, "check signed hashes",
+                  buf->data, buf->len));
+
+    key = CERT_ExtractPublicKey(cert);
+    if (key == NULL) {
+	/* CERT_ExtractPublicKey doesn't set error code */
+	PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
+    	return SECFailure;
+    }
+
+    switch (key->keyType) {
+    case rsaKey:
+    	hashItem.data = hash->md5;
+    	hashItem.len = sizeof(SSL3Hashes);
+	break;
+    case dsaKey:
+    case fortezzaKey:
+	hashItem.data = hash->sha;
+	hashItem.len = sizeof(hash->sha);
+	if (isTLS) {
+	    signature = DSAU_DecodeDerSig(buf);
+	    if (!signature) {
+	    	PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
+		return SECFailure;
+	    }
+	    buf = signature;
+	}
+	break;
+    default:
+    	SECKEY_DestroyPublicKey(key);
+	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+	return SECFailure;
+    }
+
+    PRINT_BUF(60, (NULL, "hash(es) to be verified",
+                  hashItem.data, hashItem.len));
+
+    rv = PK11_Verify(key, buf, &hashItem, pwArg);
+    SECKEY_DestroyPublicKey(key);
+    if (signature) {
+    	SECITEM_FreeItem(signature, PR_TRUE);
+    }
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
+    }
+    return rv;
+}
+
+
+/* Caller must set hiLevel error code. */
+static SECStatus
+ssl3_ComputeExportRSAKeyHash(SECItem modulus, SECItem publicExponent,
+			     SSL3Random *client_rand, SSL3Random *server_rand,
+			     SSL3Hashes *hashes)
+{
+    PK11Context * md5 		= NULL;
+    PK11Context * sha 		= NULL;
+    PRUint8     * hashBuf;
+    PRUint8     * pBuf;
+    SECStatus     rv 		= SECSuccess;
+    unsigned int  outLen;
+    unsigned int  bufLen;
+    PRUint8       buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
+
+    bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len;
+    if (bufLen <= sizeof buf) {
+    	hashBuf = buf;
+    } else {
+    	hashBuf = PORT_Alloc(bufLen);
+	if (!hashBuf) {
+	    return SECFailure;
+	}
+    }
+
+    md5 = PK11_CreateDigestContext(SEC_OID_MD5);
+    if (md5 == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+	rv = SECFailure; /* Caller must set hiLevel error code. */
+	goto done;
+    }
+    sha = PK11_CreateDigestContext(SEC_OID_SHA1);
+    if (sha == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+	rv = SECFailure; /* Caller must set hiLevel error code. */
+	goto done;
+    }
+
+    memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH); 
+    	pBuf = hashBuf + SSL3_RANDOM_LENGTH;
+    memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
+    	pBuf += SSL3_RANDOM_LENGTH;
+    pBuf[0]  = (PRUint8)(modulus.len >> 8);
+    pBuf[1]  = (PRUint8)(modulus.len);
+    	pBuf += 2;
+    memcpy(pBuf, modulus.data, modulus.len);
+    	pBuf += modulus.len;
+    pBuf[0] = (PRUint8)(publicExponent.len >> 8);
+    pBuf[1] = (PRUint8)(publicExponent.len);
+    	pBuf += 2;
+    memcpy(pBuf, publicExponent.data, publicExponent.len);
+    	pBuf += publicExponent.len;
+    PORT_Assert(pBuf - hashBuf == bufLen);
+
+    rv  = PK11_DigestBegin(md5);
+    rv |= PK11_DigestOp(md5, hashBuf, bufLen);
+    rv |= PK11_DigestFinal(md5, hashes->md5, &outLen, MD5_LENGTH);
+    PORT_Assert(rv != SECSuccess || outLen == MD5_LENGTH);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+    	rv = SECFailure;
+	goto done;
+    }
+
+    rv  = PK11_DigestBegin(sha);
+    rv |= PK11_DigestOp(sha, hashBuf, bufLen);
+    rv |= PK11_DigestFinal(sha, hashes->sha, &outLen, SHA1_LENGTH);
+    PORT_Assert(rv != SECSuccess || outLen == SHA1_LENGTH);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+    	rv = SECFailure;
+	goto done;
+    }
+
+    PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen));
+    PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result", hashes->md5, MD5_LENGTH));
+    PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result", hashes->sha, SHA1_LENGTH));
+
+done:
+    if (md5 != NULL) PK11_DestroyContext(md5, PR_TRUE);
+    if (sha != NULL) PK11_DestroyContext(sha, PR_TRUE);
+    if (hashBuf != buf && hashBuf != NULL)
+    	PORT_Free(hashBuf);
+    return rv;
+}
+
+/* Caller must set hiLevel error code. */
+static SECStatus
+ssl3_ComputeDHKeyHash(SECItem dh_p, SECItem dh_g, SECItem dh_Ys,
+			     SSL3Random *client_rand, SSL3Random *server_rand,
+			     SSL3Hashes *hashes)
+{
+    PK11Context * md5 		= NULL;
+    PK11Context * sha 		= NULL;
+    PRUint8     * hashBuf;
+    PRUint8     * pBuf;
+    SECStatus     rv 		= SECSuccess;
+    unsigned int  outLen;
+    unsigned int  bufLen;
+    PRUint8       buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
+
+    bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len;
+    if (bufLen <= sizeof buf) {
+    	hashBuf = buf;
+    } else {
+    	hashBuf = PORT_Alloc(bufLen);
+	if (!hashBuf) {
+	    return SECFailure;
+	}
+    }
+
+    md5 = PK11_CreateDigestContext(SEC_OID_MD5);
+    if (md5 == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+	rv = SECFailure; /* Caller must set hiLevel error code. */
+	goto done;
+    }
+    sha = PK11_CreateDigestContext(SEC_OID_SHA1);
+    if (sha == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+	rv = SECFailure; /* Caller must set hiLevel error code. */
+	goto done;
+    }
+
+    memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH); 
+    	pBuf = hashBuf + SSL3_RANDOM_LENGTH;
+    memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
+    	pBuf += SSL3_RANDOM_LENGTH;
+    pBuf[0]  = (PRUint8)(dh_p.len >> 8);
+    pBuf[1]  = (PRUint8)(dh_p.len);
+    	pBuf += 2;
+    memcpy(pBuf, dh_p.data, dh_p.len);
+    	pBuf += dh_p.len;
+    pBuf[0] = (PRUint8)(dh_g.len >> 8);
+    pBuf[1] = (PRUint8)(dh_g.len);
+    	pBuf += 2;
+    memcpy(pBuf, dh_g.data, dh_g.len);
+    	pBuf += dh_g.len;
+    pBuf[0] = (PRUint8)(dh_Ys.len >> 8);
+    pBuf[1] = (PRUint8)(dh_Ys.len);
+    	pBuf += 2;
+    memcpy(pBuf, dh_Ys.data, dh_Ys.len);
+    	pBuf += dh_Ys.len;
+    PORT_Assert(pBuf - hashBuf == bufLen);
+
+    rv  = PK11_DigestBegin(md5);
+    rv |= PK11_DigestOp(md5, hashBuf, bufLen);
+    rv |= PK11_DigestFinal(md5, hashes->md5, &outLen, MD5_LENGTH);
+    PORT_Assert(rv != SECSuccess || outLen == MD5_LENGTH);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+    	rv = SECFailure;
+	goto done;
+    }
+
+    rv  = PK11_DigestBegin(sha);
+    rv |= PK11_DigestOp(sha, hashBuf, bufLen);
+    rv |= PK11_DigestFinal(sha, hashes->sha, &outLen, SHA1_LENGTH);
+    PORT_Assert(rv != SECSuccess || outLen == SHA1_LENGTH);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+    	rv = SECFailure;
+	goto done;
+    }
+
+    PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen));
+    PRINT_BUF(95, (NULL, "DHkey hash: MD5 result", hashes->md5, MD5_LENGTH));
+    PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result", hashes->sha, SHA1_LENGTH));
+
+done:
+    if (md5 != NULL) PK11_DestroyContext(md5, PR_TRUE);
+    if (sha != NULL) PK11_DestroyContext(sha, PR_TRUE);
+    if (hashBuf != buf && hashBuf != NULL)
+    	PORT_Free(hashBuf);
+    return rv;
+}
+/* Caller must set hiLevel error code. */
+static SECStatus
+ssl3_ComputeFortezzaPublicKeyHash(SECItem publicValue, unsigned char * hash)
+{
+    PK11Context *sha 	= NULL;
+    SECStatus    rv	= SECFailure;
+    unsigned int outLen;
+
+    sha = PK11_CreateDigestContext(SEC_OID_SHA1);
+    if (sha == NULL) {
+	return rv; /* Caller must set hiLevel error code. */
+    }
+
+    rv  = PK11_DigestBegin(sha);
+    rv |= PK11_DigestOp(sha, (unsigned char *)publicValue.data, publicValue.len);
+    rv |= PK11_DigestFinal(sha, hash, &outLen, SHA1_LENGTH);
+    PORT_Assert(rv != SECSuccess || outLen == SHA1_LENGTH);
+    if (rv != SECSuccess)
+    	rv = SECFailure;
+    PK11_DestroyContext(sha, PR_TRUE);
+
+    return rv;
+}
+
+
+static void
+ssl3_BumpSequenceNumber(SSL3SequenceNumber *num)
+{
+    num->low++;
+    if (num->low == 0)
+	num->high++;
+}
+
+/* Called only from ssl3_DestroyCipherSpec (immediately below). */
+static void
+ssl3_CleanupKeyMaterial(ssl3KeyMaterial *mat)
+{
+    if (mat->write_key != NULL) {
+	PK11_FreeSymKey(mat->write_key);
+	mat->write_key = NULL;
+    }
+    if (mat->write_mac_key != NULL) {
+	PK11_FreeSymKey(mat->write_mac_key);
+	mat->write_mac_key = NULL;
+    }
+    if (mat->write_mac_context != NULL) {
+	PK11_DestroyContext(mat->write_mac_context, PR_TRUE);
+	mat->write_mac_context = NULL;
+    }
+}
+
+/* Called from ssl3_SendChangeCipherSpecs() and ssl3_HandleChangeCipherSpecs()
+** Caller must hold SpecWriteLock.
+*/
+static void
+ssl3_DestroyCipherSpec(ssl3CipherSpec *spec)
+{
+
+/*  PORT_Assert( ssl_HaveSpecWriteLock(ss)); Don't have ss! */
+
+    if (spec->destroy) {
+	spec->destroy(spec->encodeContext,PR_TRUE);
+	spec->destroy(spec->decodeContext,PR_TRUE);
+	spec->encodeContext = NULL; /* paranoia */
+	spec->decodeContext = NULL;
+    }
+    if (spec->master_secret != NULL) {
+	PK11_FreeSymKey(spec->master_secret);
+	spec->master_secret = NULL;
+    }
+    ssl3_CleanupKeyMaterial(&spec->client);
+    ssl3_CleanupKeyMaterial(&spec->server);
+    spec->destroy=NULL;
+}
+
+/* Called from ssl3_HandleServerHello(), ssl3_SendServerHello()
+** Caller must hold the ssl3 handshake lock.
+** Acquires & releases SpecWriteLock.
+*/
+static SECStatus
+ssl3_SetupPendingCipherSpec(sslSocket *ss, ssl3State *ssl3)
+{
+    ssl3CipherSpec *          pwSpec;
+    ssl3CipherSpec *          cwSpec;
+    ssl3CipherSuite           suite     = ssl3->hs.cipher_suite;
+    SSL3MACAlgorithm          mac;
+    SSL3BulkCipher            cipher;
+    SSL3KeyExchangeAlgorithm  kea;
+    const ssl3CipherSuiteDef *suite_def;
+    PRBool                    isTLS;
+
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
+
+    ssl_GetSpecWriteLock(ss);  /*******************************/
+
+    pwSpec = ssl3->pwSpec;
+    PORT_Assert(pwSpec == ssl3->prSpec);
+
+    /* This hack provides maximal interoperability with SSL 3 servers. */
+    cwSpec = ss->ssl3->cwSpec;
+    if (cwSpec->mac_def->mac == mac_null) {
+	/* SSL records are not being MACed. */
+	cwSpec->version = ss->version;
+    }
+
+    pwSpec->version  = ss->version;
+    isTLS  = (PRBool)(pwSpec->version > SSL_LIBRARY_VERSION_3_0);
+
+    SSL_TRC(3, ("%d: SSL3[%d]: Set XXX Pending Cipher Suite to 0x%04x",
+		SSL_GETPID(), ss->fd, suite));
+
+    suite_def = ssl_LookupCipherSuiteDef(suite);
+    if (suite_def == NULL) {
+	ssl_ReleaseSpecWriteLock(ss);
+	return SECFailure;	/* error code set by ssl_LookupCipherSuiteDef */
+    }
+
+
+    cipher = suite_def->bulk_cipher_alg;
+    kea    = suite_def->key_exchange_alg;
+    mac    = suite_def->mac_alg;
+    if (isTLS)
+	mac += 2;
+
+    ssl3->hs.suite_def = suite_def;
+    ssl3->hs.kea_def   = &kea_defs[kea];
+    PORT_Assert(ssl3->hs.kea_def->kea == kea);
+
+    pwSpec->cipher_def   = &bulk_cipher_defs[cipher];
+    PORT_Assert(pwSpec->cipher_def->cipher == cipher);
+
+    pwSpec->mac_def = &mac_defs[mac];
+    PORT_Assert(pwSpec->mac_def->mac == mac);
+
+
+    ss->sec.keyBits       = pwSpec->cipher_def->key_size        * BPB;
+    ss->sec.secretKeyBits = pwSpec->cipher_def->secret_key_size * BPB;
+    ss->sec.cipherType    = cipher;
+
+    pwSpec->encodeContext = NULL;
+    pwSpec->decodeContext = NULL;
+
+    pwSpec->mac_size = pwSpec->mac_def->mac_size;
+
+    ssl_ReleaseSpecWriteLock(ss);  /*******************************/
+    return SECSuccess;
+}
+
+/*
+ * Called from: ssl3_SendClientKeyExchange 	(for Full handshake)
+ *              ssl3_HandleClientKeyExchange	(for Full handshake)
+ *              ssl3_HandleServerHello		(for session restart)
+ *              ssl3_HandleClientHello		(for session restart)
+ * Sets error code, but caller probably should override to disambiguate.
+ * NULL pms means re-use old master_secret.
+ */
+static SECStatus
+ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms)
+{
+      ssl3CipherSpec  *  pwSpec;
+const ssl3BulkCipherDef *cipher_def;
+      PK11Context *      serverContext = NULL;
+      PK11Context *      clientContext = NULL;
+      SECItem *          param;
+      CK_ULONG           macLength;
+      SSLCipherAlgorithm calg;
+      SECStatus          rv;
+      CK_MECHANISM_TYPE  mechanism;
+      CK_MECHANISM_TYPE  mac_mech;
+      SECItem            iv;
+      SECItem            mac_param;
+
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
+
+    ssl_GetSpecWriteLock(ss);	/**************************************/
+
+    PORT_Assert(ss->ssl3->prSpec == ss->ssl3->pwSpec);
+
+    pwSpec        = ss->ssl3->pwSpec;
+    cipher_def    = pwSpec->cipher_def;
+    macLength     = pwSpec->mac_size;
+
+    /* generate session keys from pms (if pms is not NULL) or ms */
+    rv = ssl3_GenerateSessionKeys(ss, pms);
+    if (rv != SECSuccess) {
+    	goto bail_out;	/* err code set by ssl3_GenerateSessionKeys */
+    }
+
+    pwSpec->client.write_mac_context = NULL;
+    pwSpec->server.write_mac_context = NULL;
+
+    mac_param.data = (unsigned char *)&macLength;
+    mac_param.len  = sizeof(macLength);
+    mac_mech       = pwSpec->mac_def->mmech;
+
+    if (cipher_def->calg == calg_null) {
+	pwSpec->encode  = Null_Cipher;
+	pwSpec->decode  = Null_Cipher;
+        pwSpec->destroy = NULL;
+	pwSpec->client.write_mac_context = PK11_CreateContextBySymKey(
+		mac_mech, CKA_SIGN, pwSpec->client.write_mac_key, &mac_param);
+	if (pwSpec->client.write_mac_context == NULL)  {
+	    ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
+	    goto fail;
+	}
+	pwSpec->server.write_mac_context = PK11_CreateContextBySymKey(
+		mac_mech, CKA_SIGN, pwSpec->server.write_mac_key, &mac_param);
+	if (pwSpec->server.write_mac_context == NULL) {
+	    ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
+	    goto fail;
+	}
+	goto success;
+    }
+
+    calg = cipher_def->calg;
+    PORT_Assert(alg2Mech[calg].calg == calg);
+    mechanism = alg2Mech[calg].cmech;
+
+    /*
+     * build the server context
+     */
+    iv.data = pwSpec->server.write_iv;
+    iv.len  = cipher_def->iv_size;
+    param = PK11_ParamFromIV(mechanism, &iv);
+    if (param == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE);
+    	goto fail;
+    }
+    serverContext = PK11_CreateContextBySymKey(mechanism,
+				(ss->sec.isServer ? CKA_ENCRYPT : CKA_DECRYPT),
+				pwSpec->server.write_key, param);
+    iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len);
+    if (iv.data)
+    	PORT_Memcpy(pwSpec->server.write_iv, iv.data, iv.len);
+    SECITEM_FreeItem(param, PR_TRUE);
+    if (serverContext == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
+    	goto fail;
+    }
+
+    /*
+     * build the client context
+     */
+    iv.data = pwSpec->client.write_iv;
+    iv.len  = cipher_def->iv_size;
+    param = PK11_ParamFromIV(mechanism, &iv);
+    if (param == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_IV_PARAM_FAILURE);
+    	goto fail;
+    }
+    clientContext = PK11_CreateContextBySymKey(mechanism,
+				(ss->sec.isServer ? CKA_DECRYPT : CKA_ENCRYPT),
+				pwSpec->client.write_key, param);
+    iv.data = PK11_IVFromParam(mechanism, param, (int *)&iv.len);
+    if (iv.data)
+    	PORT_Memcpy(pwSpec->client.write_iv, iv.data, iv.len);
+    SECITEM_FreeItem(param,PR_TRUE);
+    if (clientContext == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
+    	goto fail;
+    }
+
+    pwSpec->encodeContext = (ss->sec.isServer) ? serverContext : clientContext;
+    pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext;
+    pwSpec->encode  = (SSLCipher) PK11_CipherOp;
+    pwSpec->decode  = (SSLCipher) PK11_CipherOp;
+    pwSpec->destroy = (SSLDestroy) PK11_DestroyContext;
+
+    serverContext = NULL;
+    clientContext = NULL;
+
+    pwSpec->client.write_mac_context = PK11_CreateContextBySymKey(
+		mac_mech,CKA_SIGN, pwSpec->client.write_mac_key,&mac_param);
+    if (pwSpec->client.write_mac_context == NULL)  {
+	ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
+    	goto fail;
+    }
+    pwSpec->server.write_mac_context = PK11_CreateContextBySymKey(
+		mac_mech, CKA_SIGN, pwSpec->server.write_mac_key,&mac_param);
+    if (pwSpec->server.write_mac_context == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE);
+    	goto fail;
+    }
+success:
+    ssl_ReleaseSpecWriteLock(ss);	/******************************/
+    return SECSuccess;
+
+fail:
+    if (serverContext != NULL) PK11_DestroyContext(serverContext, PR_TRUE);
+    if (clientContext != NULL) PK11_DestroyContext(clientContext, PR_TRUE);
+    if (pwSpec->client.write_mac_context != NULL) {
+    	PK11_DestroyContext(pwSpec->client.write_mac_context,PR_TRUE);
+	pwSpec->client.write_mac_context = NULL;
+    }
+    if (pwSpec->server.write_mac_context != NULL) {
+    	PK11_DestroyContext(pwSpec->server.write_mac_context,PR_TRUE);
+	pwSpec->server.write_mac_context = NULL;
+    }
+bail_out:
+    ssl_ReleaseSpecWriteLock(ss);
+    return SECFailure;
+}
+
+/*
+ * 60 bytes is 3 times the maximum length MAC size that is supported.
+ */
+static const unsigned char mac_pad_1 [60] = {
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+    0x36, 0x36, 0x36, 0x36
+};
+static const unsigned char mac_pad_2 [60] = {
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+    0x5c, 0x5c, 0x5c, 0x5c
+};
+
+/* Called from: ssl3_SendRecord()
+**		ssl3_HandleRecord()
+** Caller must already hold the SpecReadLock. (wish we could assert that!)
+*/
+static SECStatus
+ssl3_ComputeRecordMAC(
+    ssl3CipherSpec *   spec,
+    PK11Context *      mac_context,
+    SSL3ContentType    type,
+    SSL3ProtocolVersion version,
+    SSL3SequenceNumber seq_num,
+    SSL3Opaque *       input,
+    int                inputLength,
+    unsigned char *    outbuf,
+    unsigned int *     outLength)
+{
+    const ssl3MACDef * mac_def;
+    SECStatus          rv;
+    unsigned int       tempLen;
+    unsigned char      temp[MAX_MAC_LENGTH];
+
+/*  ssl_GetSpecReadLock(ss);  Don't have "ss"! */
+
+    mac_def = spec->mac_def;
+    if (mac_def->mac == mac_null) {
+	*outLength = 0;
+/*	ssl_ReleaseSpecReadLock(ss); */
+	return SECSuccess;
+    }
+
+    temp[0] = (unsigned char)(seq_num.high >> 24);
+    temp[1] = (unsigned char)(seq_num.high >> 16);
+    temp[2] = (unsigned char)(seq_num.high >>  8);
+    temp[3] = (unsigned char)(seq_num.high >>  0);
+    temp[4] = (unsigned char)(seq_num.low  >> 24);
+    temp[5] = (unsigned char)(seq_num.low  >> 16);
+    temp[6] = (unsigned char)(seq_num.low  >>  8);
+    temp[7] = (unsigned char)(seq_num.low  >>  0);
+    temp[8] = type;
+
+    /* TLS MAC includes the record's version field, SSL's doesn't.
+    ** We decide which MAC defintion to use based on the version of 
+    ** the protocol that was negotiated when the spec became current,
+    ** NOT based on the version value in the record itself.
+    ** But, we use the record'v version value in the computation.
+    */
+    if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
+	temp[9]  = MSB(inputLength);
+	temp[10] = LSB(inputLength);
+	tempLen  = 11;
+    } else {
+    	/* New TLS hash includes version. */
+	temp[9]  = MSB(version);
+	temp[10] = LSB(version);
+	temp[11] = MSB(inputLength);
+	temp[12] = LSB(inputLength);
+	tempLen  = 13;
+    }
+
+    PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen));
+    PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength));
+
+    rv  = PK11_DigestBegin(mac_context);
+    rv |= PK11_DigestOp(mac_context, temp, tempLen);
+    rv |= PK11_DigestOp(mac_context, input, inputLength);
+
+    rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size);
+    PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size);
+
+/*  ssl_ReleaseSpecReadLock(ss); */
+
+    PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength));
+
+    if (rv != SECSuccess) {
+    	rv = SECFailure;
+	ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
+    }
+    return rv;
+}
+
+/* Process the plain text before sending it.
+ * Returns the number of bytes of plaintext that were succesfully sent
+ * 	plus the number of bytes of plaintext that were copied into the
+ *	output (write) buffer.
+ * Returns SECFailure on a hard IO error, memory error, or crypto error.
+ * Does NOT return SECWouldBlock.
+ */
+static PRInt32
+ssl3_SendRecord(   sslSocket *        ss,
+                   SSL3ContentType    type,
+		   const SSL3Opaque * buf,
+		   PRInt32            bytes,
+		   PRInt32            flags)
+{
+    ssl3CipherSpec *          cwSpec;
+    sslBuffer      *          write 	  = &ss->sec.writeBuf;
+    const ssl3BulkCipherDef * cipher_def;
+    SECStatus                 rv;
+    PRUint32                  bufSize     =  0;
+    PRInt32                   sent        =  0;
+    PRInt32                   cipherBytes = -1;
+    PRBool                    isBlocking  = ssl_SocketIsBlocking(ss);
+    PRBool                    ssl3WasNull = PR_FALSE;
+
+    SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s bytes=%d",
+		SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
+		bytes));
+    PRINT_BUF(3, (ss, "Send record (plain text)", buf, bytes));
+
+    PORT_Assert( ssl_HaveXmitBufLock(ss) );
+
+    if (ss->ssl3 == NULL) {
+	/* This can happen on a server if the very first incoming record
+	** looks like a defective ssl3 record (e.g. too long), and we're
+	** trying to send an alert.
+	*/
+	ssl3WasNull = PR_TRUE;
+	PR_ASSERT(type == content_alert);
+	rv = ssl3_InitState(ss);
+	if (rv != SECSuccess) {
+	    return SECFailure;	/* ssl3_InitState has set the error code. */
+    	}
+    }
+
+    while (bytes > 0) {
+    	PRInt32   count;
+	PRUint32  contentLen;
+	PRUint32  fragLen;
+	PRUint32  macLen;
+
+	contentLen = PR_MIN(bytes, MAX_FRAGMENT_LENGTH);
+	if (write->space < contentLen + SSL3_BUFFER_FUDGE) {
+	    rv = sslBuffer_Grow(write, contentLen + SSL3_BUFFER_FUDGE);
+	    if (rv != SECSuccess) {
+		SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes",
+			 SSL_GETPID(), ss->fd, contentLen + SSL3_BUFFER_FUDGE));
+		return SECFailure; /* sslBuffer_Grow set a memory error code. */
+	    }
+	}
+
+	/* This variable records 
+	 * the actual size of the buffer we allocated above. Some
+	 * algorithms (FORTEZZA) will expand the number of bytes it needs to
+	 * send data. If we only supply the output buffer with the same number
+	 * of bytes as the input buffer, we will fail.
+	 */
+	bufSize = contentLen + SSL3_BUFFER_FUDGE;
+
+	/*
+	 * null compression is easy to do
+	 */
+	PORT_Memcpy(write->buf + SSL3_RECORD_HEADER_LENGTH, buf, contentLen);
+	buf   += contentLen;
+	bytes -= contentLen;
+	PORT_Assert( bytes >= 0 );
+
+	ssl_GetSpecReadLock(ss);	/********************************/
+
+	cwSpec = ss->ssl3->cwSpec;
+	cipher_def = cwSpec->cipher_def;
+	/*
+	 * Add the MAC
+	 */
+	rv = ssl3_ComputeRecordMAC(
+	    cwSpec, (ss->sec.isServer) ? cwSpec->server.write_mac_context
+	                               : cwSpec->client.write_mac_context,
+	    type, cwSpec->version, cwSpec->write_seq_num,
+	    write->buf + SSL3_RECORD_HEADER_LENGTH, contentLen,
+	    write->buf + contentLen + SSL3_RECORD_HEADER_LENGTH, &macLen);
+	if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
+	    goto spec_locked_loser;
+	}
+	fragLen = contentLen + macLen;	/* needs to be encrypted */
+	PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
+
+	/*
+	 * Pad the text (if we're doing a block cipher)
+	 * then Encrypt it
+	 */
+	if (cipher_def->type == type_block) {
+	    int             padding_length;
+	    int             i;
+	    unsigned char * pBuf;
+
+	    /* Assume blockSize is a power of two */
+	    padding_length = cipher_def->block_size - 1 -
+		((fragLen) & (cipher_def->block_size - 1));
+	    fragLen += padding_length + 1;
+	    PORT_Assert((fragLen % cipher_def->block_size) == 0);
+
+	    /* Pad according to TLS rules (also acceptable to SSL3). */
+	    pBuf = &write->buf[fragLen + SSL3_RECORD_HEADER_LENGTH - 1];
+	    for (i = padding_length + 1; i > 0; --i) {
+	    	*pBuf-- = padding_length;
+	    }
+	}
+	rv = cwSpec->encode(
+	    cwSpec->encodeContext, write->buf + SSL3_RECORD_HEADER_LENGTH,
+	    &cipherBytes, bufSize, write->buf + SSL3_RECORD_HEADER_LENGTH,
+	    fragLen);
+	if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_ENCRYPTION_FAILURE);
+spec_locked_loser:
+	    ssl_ReleaseSpecReadLock(ss);
+	    return SECFailure;
+	}
+	PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024);
+
+	/*
+	 * XXX should we zero out our copy of the buffer after compressing
+	 * and encryption ??
+	 */
+
+	ssl3_BumpSequenceNumber(&cwSpec->write_seq_num);
+
+	ssl_ReleaseSpecReadLock(ss); /************************************/
+
+	/* PORT_Assert(fragLen == cipherBytes); */
+	write->len    = cipherBytes + SSL3_RECORD_HEADER_LENGTH;
+	write->buf[0] = type;
+	write->buf[1] = MSB(cwSpec->version);
+	write->buf[2] = LSB(cwSpec->version);
+	write->buf[3] = MSB(cipherBytes);
+	write->buf[4] = LSB(cipherBytes);
+
+	PRINT_BUF(50, (ss, "send (encrypted) record data:", write->buf, write->len));
+
+	/* If there's still some previously saved ciphertext,
+	 * or the caller doesn't want us to send the data yet,
+	 * then add all our new ciphertext to the amount previously saved.
+	 */
+	if ((ss->pendingBuf.len > 0) ||
+	    (flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) {
+
+	    rv = ssl_SaveWriteData(ss, &ss->pendingBuf,
+				   write->buf, write->len);
+	    if (rv != SECSuccess) {
+		/* presumably a memory error, SEC_ERROR_NO_MEMORY */
+		return SECFailure;
+	    }
+	    write->len = 0;	/* All cipher text is saved away. */
+
+	    if (!(flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) {
+
+		ss->handshakeBegun = 1;
+		count = ssl_SendSavedWriteData(ss, &ss->pendingBuf,
+		                               &ssl_DefSend);
+		if (count < 0 && PR_GetError() != PR_WOULD_BLOCK_ERROR) {
+		    ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
+		    return SECFailure;
+		}
+	    }
+	} else if (write->len > 0) {
+	    ss->handshakeBegun = 1;
+	    count = ssl_DefSend(ss, write->buf, write->len,
+				flags & ~ssl_SEND_FLAG_MASK);
+	    if (count < 0) {
+		if (PR_GetError() != PR_WOULD_BLOCK_ERROR) {
+		    ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
+		    return (sent > 0) ? sent : SECFailure;
+		}
+		/* we got PR_WOULD_BLOCK_ERROR, which means none was sent. */
+		count = 0;
+	    }
+	    /* now take all the remaining unsent newly-generated ciphertext and
+	     * append it to the buffer of previously unsent ciphertext.
+	     */
+	    if ((unsigned)count < write->len) {
+		rv = ssl_SaveWriteData(ss, &ss->pendingBuf,
+				       write->buf + (unsigned)count,
+				       write->len - (unsigned)count);
+		if (rv != SECSuccess) {
+		    /* presumably a memory error, SEC_ERROR_NO_MEMORY */
+		    return SECFailure;
+		}
+	    }
+	    write->len = 0;
+	}
+	sent += contentLen;
+	if ((flags & ssl_SEND_FLAG_NO_BUFFER) &&
+	    (isBlocking || (ss->pendingBuf.len > 0))) {
+	    break;
+	}
+    }
+    return sent;
+}
+
+/* Attempt to send the content of "in" in an SSL application_data record.
+ * Returns "len" or SECFailure,   never SECWouldBlock, nor SECSuccess.
+ */
+int
+ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
+			 PRInt32 len, PRInt32 flags)
+{
+    PRInt32   sent	= 0;
+
+    PORT_Assert( ssl_HaveXmitBufLock(ss) );
+
+    while (len > 0) {
+	PRInt32   count;
+
+	if (sent > 0) {
+	    ssl_ReleaseXmitBufLock(ss);
+	    PR_Sleep(PR_INTERVAL_NO_WAIT);	/* PR_Yield(); */
+	    ssl_GetXmitBufLock(ss);
+	}
+	count = ssl3_SendRecord(ss, content_application_data, in, len,
+	                           flags | ssl_SEND_FLAG_NO_BUFFER);
+	if (count < 0) {
+	    return (sent > 0) ? sent : count;
+				    /* error code set by ssl3_SendRecord */
+	}
+	sent += count;
+	len  -= count;
+	in   += count;
+    }
+    return sent;
+}
+
+/* Attempt to send the content of sendBuf buffer in an SSL handshake record.
+ * This function returns SECSuccess or SECFailure, never SECWouldBlock.
+ * It used to always set sendBuf.len to 0, even when returning SECFailure.
+ * Now it does not.
+ *
+ * Called from SSL3_SendAlert(), ssl3_SendChangeCipherSpecs(),
+ *             ssl3_AppendHandshake(), ssl3_SendClientHello(),
+ *             ssl3_SendHelloRequest(), ssl3_SendServerHelloDone(),
+ *             ssl3_SendFinished(),
+ */
+static SECStatus
+ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags)
+{
+    PRInt32 rv;
+
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ssl_HaveXmitBufLock(ss) );
+
+    if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len)
+	return SECSuccess;
+
+    rv = ssl3_SendRecord(ss, content_handshake, ss->sec.ci.sendBuf.buf,
+			 ss->sec.ci.sendBuf.len, flags);
+    if (rv < 0) {
+	return (SECStatus)rv;	/* error code set by ssl3_SendRecord */
+    }
+    ss->sec.ci.sendBuf.len = 0;
+    return SECSuccess;
+}
+
+/*
+ * Called from ssl3_HandleAlert and from ssl3_HandleCertificate when
+ * the remote client sends a negative response to our certificate request.
+ * Returns SECFailure if the application has required client auth.
+ *         SECSuccess otherwise.
+ */
+static SECStatus
+ssl3_HandleNoCertificate(sslSocket *ss)
+{
+    if (ss->sec.peerCert != NULL) {
+	if (ss->sec.peerKey != NULL) {
+	    SECKEY_DestroyPublicKey(ss->sec.peerKey);
+	    ss->sec.peerKey = NULL;
+	}
+	CERT_DestroyCertificate(ss->sec.peerCert);
+	ss->sec.peerCert = NULL;
+    }
+    ssl3_CleanupPeerCerts(ss->ssl3);
+
+    /* If the server has required client-auth blindly but doesn't
+     * actually look at the certificate it won't know that no
+     * certificate was presented so we shutdown the socket to ensure
+     * an error.  We only do this if we haven't already completed the
+     * first handshake because if we're redoing the handshake we 
+     * know the server is paying attention to the certificate.
+     */
+    if ((ss->requireCertificate == 1) ||
+	(!ss->firstHsDone && (ss->requireCertificate > 1))) {
+	PRFileDesc * lower;
+
+	ss->sec.uncache(ss->sec.ci.sid);
+	SSL3_SendAlert(ss, alert_fatal, bad_certificate);
+
+	lower = ss->fd->lower;
+#ifdef _WIN32
+	lower->methods->shutdown(lower, PR_SHUTDOWN_SEND);
+#else
+	lower->methods->shutdown(lower, PR_SHUTDOWN_BOTH);
+#endif
+	PORT_SetError(SSL_ERROR_NO_CERTIFICATE);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/************************************************************************
+ * Alerts
+ */
+
+/*
+** Acquires both handshake and XmitBuf locks.
+** Called from: ssl3_IllegalParameter	<-
+**              ssl3_HandshakeFailure	<-
+**              ssl3_HandleAlert	<- ssl3_HandleRecord.
+**              ssl3_HandleChangeCipherSpecs <- ssl3_HandleRecord
+**              ssl3_ConsumeHandshakeVariable <-
+**              ssl3_HandleHelloRequest	<-
+**              ssl3_HandleServerHello	<-
+**              ssl3_HandleServerKeyExchange <-
+**              ssl3_HandleCertificateRequest <-
+**              ssl3_HandleServerHelloDone <-
+**              ssl3_HandleClientHello	<-
+**              ssl3_HandleV2ClientHello <-
+**              ssl3_HandleCertificateVerify <-
+**              ssl3_HandleFortezzaClientKeyExchange <-
+**              ssl3_HandleClientKeyExchange <-
+**              ssl3_HandleCertificate	<-
+**              ssl3_HandleFinished	<-
+**              ssl3_HandleHandshakeMessage <-
+**              ssl3_HandleRecord	<-
+**
+*/
+SECStatus
+SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc)
+{
+    uint8 	bytes[2];
+    SECStatus	rv;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send alert record, level=%d desc=%d",
+		SSL_GETPID(), ss->fd, level, desc));
+
+    bytes[0] = level;
+    bytes[1] = desc;
+
+    ssl_GetSSL3HandshakeLock(ss);
+    if (level == alert_fatal) {
+	if (ss->sec.ci.sid) {
+	    ss->sec.uncache(ss->sec.ci.sid);
+	}
+    }
+    ssl_GetXmitBufLock(ss);
+    rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
+    if (rv == SECSuccess) {
+	PRInt32 sent;
+	sent = ssl3_SendRecord(ss, content_alert, bytes, 2, 0);
+	rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
+    }
+    ssl_ReleaseXmitBufLock(ss);
+    ssl_ReleaseSSL3HandshakeLock(ss);
+    return rv;	/* error set by ssl3_FlushHandshake or ssl3_SendRecord */
+}
+
+/*
+ * Send illegal_parameter alert.  Set generic error number.
+ */
+static SECStatus
+ssl3_IllegalParameter(sslSocket *ss)
+{
+    PRBool isTLS;
+
+    isTLS = (PRBool)(ss->ssl3->pwSpec->version > SSL_LIBRARY_VERSION_3_0);
+    (void)SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
+    PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
+                                   : SSL_ERROR_BAD_SERVER );
+    return SECFailure;
+}
+
+/*
+ * Send handshake_Failure alert.  Set generic error number.
+ */
+static SECStatus
+ssl3_HandshakeFailure(sslSocket *ss)
+{
+    (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
+    PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
+                                    : SSL_ERROR_BAD_SERVER );
+    return SECFailure;
+}
+
+/*
+ * Send handshake_Failure alert.  Set generic error number.
+ */
+static SECStatus
+ssl3_DecodeError(sslSocket *ss)
+{
+    (void)SSL3_SendAlert(ss, alert_fatal, 
+		  ss->version > SSL_LIBRARY_VERSION_3_0 ? decode_error 
+							: illegal_parameter);
+    PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
+                                    : SSL_ERROR_BAD_SERVER );
+    return SECFailure;
+}
+
+/* Called from ssl3_HandleRecord.
+** Caller must hold both RecvBuf and Handshake locks.
+*/
+static SECStatus
+ssl3_HandleAlert(sslSocket *ss, sslBuffer *buf)
+{
+    SSL3AlertLevel       level;
+    SSL3AlertDescription desc;
+    int                  error;
+
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle alert record", SSL_GETPID(), ss->fd));
+
+    if (buf->len != 2) {
+	(void)ssl3_DecodeError(ss);
+	PORT_SetError(SSL_ERROR_RX_MALFORMED_ALERT);
+	return SECFailure;
+    }
+    level = (SSL3AlertLevel)buf->buf[0];
+    desc  = (SSL3AlertDescription)buf->buf[1];
+    buf->len = 0;
+    SSL_TRC(5, ("%d: SSL3[%d] received alert, level = %d, description = %d",
+        SSL_GETPID(), ss->fd, level, desc));
+
+    switch (desc) {
+    case close_notify:		ss->recvdCloseNotify = 1;
+		        	error = SSL_ERROR_CLOSE_NOTIFY_ALERT;     break;
+    case unexpected_message: 	error = SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT;
+									  break;
+    case bad_record_mac: 	error = SSL_ERROR_BAD_MAC_ALERT; 	  break;
+    case decryption_failed: 	error = SSL_ERROR_DECRYPTION_FAILED_ALERT; 
+    									  break;
+    case record_overflow: 	error = SSL_ERROR_RECORD_OVERFLOW_ALERT;  break;
+    case decompression_failure: error = SSL_ERROR_DECOMPRESSION_FAILURE_ALERT;
+									  break;
+    case handshake_failure: 	error = SSL_ERROR_HANDSHAKE_FAILURE_ALERT;
+			        					  break;
+    case no_certificate: 	error = SSL_ERROR_NO_CERTIFICATE;	  break;
+    case bad_certificate: 	error = SSL_ERROR_BAD_CERT_ALERT; 	  break;
+    case unsupported_certificate:error = SSL_ERROR_UNSUPPORTED_CERT_ALERT;break;
+    case certificate_revoked: 	error = SSL_ERROR_REVOKED_CERT_ALERT; 	  break;
+    case certificate_expired: 	error = SSL_ERROR_EXPIRED_CERT_ALERT; 	  break;
+    case certificate_unknown: 	error = SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT;
+			        					  break;
+    case illegal_parameter: 	error = SSL_ERROR_ILLEGAL_PARAMETER_ALERT;break;
+
+    /* All alerts below are TLS only. */
+    case unknown_ca: 		error = SSL_ERROR_UNKNOWN_CA_ALERT;       break;
+    case access_denied: 	error = SSL_ERROR_ACCESS_DENIED_ALERT;    break;
+    case decode_error: 		error = SSL_ERROR_DECODE_ERROR_ALERT;     break;
+    case decrypt_error: 	error = SSL_ERROR_DECRYPT_ERROR_ALERT;    break;
+    case export_restriction: 	error = SSL_ERROR_EXPORT_RESTRICTION_ALERT; 
+    									  break;
+    case protocol_version: 	error = SSL_ERROR_PROTOCOL_VERSION_ALERT; break;
+    case insufficient_security: error = SSL_ERROR_INSUFFICIENT_SECURITY_ALERT; 
+    									  break;
+    case internal_error: 	error = SSL_ERROR_INTERNAL_ERROR_ALERT;   break;
+    case user_canceled: 	error = SSL_ERROR_USER_CANCELED_ALERT;    break;
+    case no_renegotiation: 	error = SSL_ERROR_NO_RENEGOTIATION_ALERT; break;
+    default: 			error = SSL_ERROR_RX_UNKNOWN_ALERT; 	  break;
+    }
+    if (level == alert_fatal) {
+	ss->sec.uncache(ss->sec.ci.sid);
+	if ((ss->ssl3->hs.ws == wait_server_hello) &&
+	    (desc == handshake_failure)) {
+	    /* XXX This is a hack.  We're assuming that any handshake failure
+	     * XXX on the client hello is a failure to match ciphers.
+	     */
+	    error = SSL_ERROR_NO_CYPHER_OVERLAP;
+	}
+	PORT_SetError(error);
+	return SECFailure;
+    }
+    if ((desc == no_certificate) && (ss->ssl3->hs.ws == wait_client_cert)) {
+    	/* I'm a server. I've requested a client cert. He hasn't got one. */
+	SECStatus rv;
+
+	PORT_Assert(ss->sec.isServer);
+	ss->ssl3->hs.ws = wait_client_key;
+	rv = ssl3_HandleNoCertificate(ss);
+	return rv;
+    }
+    return SECSuccess;
+}
+
+/*
+ * Change Cipher Specs
+ * Called from ssl3_HandleServerHelloDone,
+ *             ssl3_HandleClientHello,
+ * and         ssl3_HandleFinished
+ *
+ * Acquires and releases spec write lock, to protect switching the current
+ * and pending write spec pointers.
+ */
+
+static SECStatus
+ssl3_SendChangeCipherSpecs(sslSocket *ss)
+{
+    uint8             change = change_cipher_spec_choice;
+    ssl3State *       ssl3   = ss->ssl3;
+    ssl3CipherSpec *  pwSpec;
+    SECStatus         rv;
+    PRInt32           sent;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send change_cipher_spec record",
+		SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ssl_HaveXmitBufLock(ss) );
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
+
+    rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
+    if (rv != SECSuccess) {
+	return rv;	/* error code set by ssl3_FlushHandshake */
+    }
+    sent = ssl3_SendRecord(ss, content_change_cipher_spec, &change, 1,
+                              ssl_SEND_FLAG_FORCE_INTO_BUFFER);
+    if (sent < 0) {
+	return (SECStatus)sent;	/* error code set by ssl3_SendRecord */
+    }
+
+    /* swap the pending and current write specs. */
+    ssl_GetSpecWriteLock(ss);	/**************************************/
+    pwSpec                     = ss->ssl3->pwSpec;
+    pwSpec->write_seq_num.high = 0;
+    pwSpec->write_seq_num.low  = 0;
+
+    ssl3->pwSpec = ssl3->cwSpec;
+    ssl3->cwSpec = pwSpec;
+
+    SSL_TRC(3, ("%d: SSL3[%d] Set Current Write Cipher Suite to Pending",
+		SSL_GETPID(), ss->fd ));
+
+    /* We need to free up the contexts, keys and certs ! */
+    /* If we are really through with the old cipher spec
+     * (Both the read and write sides have changed) destroy it.
+     */
+    if (ss->ssl3->prSpec == ss->ssl3->pwSpec) {
+    	ssl3_DestroyCipherSpec(ss->ssl3->pwSpec);
+    }
+    ssl_ReleaseSpecWriteLock(ss); /**************************************/
+
+    return SECSuccess;
+}
+
+/* Called from ssl3_HandleRecord.
+** Caller must hold both RecvBuf and Handshake locks.
+ *
+ * Acquires and releases spec write lock, to protect switching the current
+ * and pending write spec pointers.
+*/
+static SECStatus
+ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf)
+{
+    ssl3CipherSpec *           prSpec;
+    SSL3WaitState              ws      = ss->ssl3->hs.ws;
+    SSL3ChangeCipherSpecChoice change;
+
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle change_cipher_spec record",
+		SSL_GETPID(), ss->fd));
+
+    if (ws != wait_change_cipher && ws != wait_cert_verify) {
+	(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER);
+	return SECFailure;
+    }
+
+    if(buf->len != 1) {
+	(void)ssl3_DecodeError(ss);
+	PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
+	return SECFailure;
+    }
+    change = (SSL3ChangeCipherSpecChoice)buf->buf[0];
+    if (change != change_cipher_spec_choice) {
+	/* illegal_parameter is correct here for both SSL3 and TLS. */
+	(void)ssl3_IllegalParameter(ss);
+	PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
+	return SECFailure;
+    }
+    buf->len = 0;
+
+    /* Swap the pending and current read specs. */
+    ssl_GetSpecWriteLock(ss);   /*************************************/
+    prSpec                    = ss->ssl3->prSpec;
+    prSpec->read_seq_num.high = prSpec->read_seq_num.low = 0;
+
+    ss->ssl3->prSpec  = ss->ssl3->crSpec;
+    ss->ssl3->crSpec  = prSpec;
+    ss->ssl3->hs.ws         = wait_finished;
+
+    SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending",
+		SSL_GETPID(), ss->fd ));
+
+    /* If we are really through with the old cipher prSpec
+     * (Both the read and write sides have changed) destroy it.
+     */
+    if (ss->ssl3->prSpec == ss->ssl3->pwSpec) {
+    	ssl3_DestroyCipherSpec(ss->ssl3->prSpec);
+    }
+    ssl_ReleaseSpecWriteLock(ss);   /*************************************/
+    return SECSuccess;
+}
+
+/*
+ * Key generation given pre master secret, or master secret (if !pms).
+ * Sets a useful error code when returning SECFailure.
+ *
+ * Called only from ssl3_InitPendingCipherSpec(),
+ *
+ * which in turn is called from
+ *              ssl3_SendClientKeyExchange      (for Full handshake)
+ *              ssl3_HandleClientKeyExchange    (for Full handshake)
+ *              ssl3_HandleServerHello          (for session restart)
+ *              ssl3_HandleClientHello          (for session restart)
+ * Caller MUST hold the specWriteLock, and SSL3HandshakeLock.
+ * ssl3_InitPendingCipherSpec does that.
+ */
+static SECStatus
+ssl3_GenerateSessionKeys(sslSocket *ss, const PK11SymKey *pms)
+{
+    ssl3CipherSpec *         pwSpec     = ss->ssl3->pwSpec;
+    const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def;
+    const ssl3KEADef *       kea_def    = ss->ssl3->hs.kea_def;
+    unsigned char *   cr     = (unsigned char *)&ss->ssl3->hs.client_random;
+    unsigned char *   sr     = (unsigned char *)&ss->ssl3->hs.server_random;
+    PK11SymKey *      symKey = NULL;
+    PK11SlotInfo *    slot   = NULL;
+    void *            pwArg  = ss->pkcs11PinArg;
+    PRBool            isTLS  = (PRBool)(kea_def->tls_keygen ||
+                                (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
+    PRBool            skipKeysAndIVs = (PRBool)
+    					((cipher_def->calg == calg_fortezza) ||
+					 (cipher_def->calg == calg_null));
+    PRBool            isDH = (PRBool) (ss->ssl3->hs.kea_def->exchKeyType == kt_dh);
+    CK_MECHANISM_TYPE master_derive;
+    CK_MECHANISM_TYPE key_derive;
+    CK_MECHANISM_TYPE bulk_mechanism;
+    SECItem           params;
+    int               keySize;
+    CK_FLAGS          keyFlags;
+    CK_VERSION        pms_version;
+    CK_SSL3_KEY_MAT_PARAMS key_material_params;
+    CK_SSL3_KEY_MAT_OUT    returnedKeys;
+    CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;
+    SSLCipherAlgorithm calg;
+
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ssl_HaveSpecWriteLock(ss));
+    PORT_Assert(ss->ssl3->prSpec == ss->ssl3->pwSpec);
+    if (isTLS) {
+	if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH;
+	else master_derive = CKM_TLS_MASTER_KEY_DERIVE;
+	key_derive    = CKM_TLS_KEY_AND_MAC_DERIVE;
+	keyFlags      = CKF_SIGN | CKF_VERIFY;
+    } else {
+	if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH;
+	else master_derive = CKM_SSL3_MASTER_KEY_DERIVE;
+	key_derive    = CKM_SSL3_KEY_AND_MAC_DERIVE;
+	keyFlags      = 0;
+    }
+
+    if (pms || !pwSpec->master_secret) {
+	master_params.pVersion                     = &pms_version;
+	master_params.RandomInfo.pClientRandom     = cr;
+	master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
+	master_params.RandomInfo.pServerRandom     = sr;
+	master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
+
+	params.data = (unsigned char *) &master_params;
+	params.len  = sizeof master_params;
+    }
+
+    if (pms != NULL) {
+	pwSpec->master_secret = PK11_DeriveWithFlags((PK11SymKey *)pms, 
+					master_derive, &params, key_derive, 
+					CKA_DERIVE, 0, keyFlags);
+	if (!isDH && pwSpec->master_secret && ss->detectRollBack) {
+	    SSL3ProtocolVersion client_version;
+	    client_version = pms_version.major << 8 | pms_version.minor;
+	    if (client_version != ss->clientHelloVersion) {
+		/* Destroy it.  Version roll-back detected. */
+		PK11_FreeSymKey(pwSpec->master_secret);
+	    	pwSpec->master_secret = NULL;
+	    }
+	}
+	if (pwSpec->master_secret == NULL) {
+	    /* Generate a faux master secret in the same slot as the old one. */
+	    PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms);
+	    PK11SymKey *   fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
+
+	    PK11_FreeSlot(slot);
+	    if (fpms != NULL) {
+		pwSpec->master_secret = PK11_DeriveWithFlags(fpms, 
+					master_derive, &params, key_derive, 
+					CKA_DERIVE, 0, keyFlags);
+		PK11_FreeSymKey(fpms);
+	    }
+	}
+    }
+    if (pwSpec->master_secret == NULL) {
+	/* Generate a faux master secret from the internal slot. */
+	PK11SlotInfo *  slot = PK11_GetInternalSlot();
+	PK11SymKey *    fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
+
+	PK11_FreeSlot(slot);
+	if (fpms != NULL) {
+	    pwSpec->master_secret = PK11_DeriveWithFlags(fpms, 
+					master_derive, &params, key_derive, 
+					CKA_DERIVE, 0, keyFlags);
+	    if (pwSpec->master_secret == NULL) {
+	    	pwSpec->master_secret = fpms; /* use the fpms as the master. */
+		fpms = NULL;
+	    }
+	}
+	if (fpms) {
+	    PK11_FreeSymKey(fpms);
+    	}
+    }
+    if (pwSpec->master_secret == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
+	return SECFailure;
+    }
+
+    /*
+     * generate the key material
+     */
+    key_material_params.ulMacSizeInBits = pwSpec->mac_size           * BPB;
+    key_material_params.ulKeySizeInBits = cipher_def->secret_key_size* BPB;
+    key_material_params.ulIVSizeInBits  = cipher_def->iv_size        * BPB;
+
+    key_material_params.bIsExport = (CK_BBOOL)(kea_def->is_limited);
+    /* was:	(CK_BBOOL)(cipher_def->keygen_mode != kg_strong); */
+
+    key_material_params.RandomInfo.pClientRandom     = cr;
+    key_material_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
+    key_material_params.RandomInfo.pServerRandom     = sr;
+    key_material_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
+    key_material_params.pReturnedKeyMaterial         = &returnedKeys;
+
+    returnedKeys.pIVClient = pwSpec->client.write_iv;
+    returnedKeys.pIVServer = pwSpec->server.write_iv;
+    keySize                = cipher_def->key_size;
+
+    if (skipKeysAndIVs) {
+	keySize                             = 0;
+        key_material_params.ulKeySizeInBits = 0;
+        key_material_params.ulIVSizeInBits  = 0;
+    	returnedKeys.pIVClient              = NULL;
+    	returnedKeys.pIVServer              = NULL;
+    }
+
+    calg = cipher_def->calg;
+    PORT_Assert(     alg2Mech[calg].calg == calg);
+    bulk_mechanism = alg2Mech[calg].cmech;
+
+    params.data    = (unsigned char *)&key_material_params;
+    params.len     = sizeof(key_material_params);
+
+    /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and
+     * DERIVE by DEFAULT */
+    symKey = PK11_Derive(pwSpec->master_secret, key_derive, &params,
+                         bulk_mechanism, CKA_ENCRYPT, keySize);
+    if (!symKey) {
+	ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
+	return SECFailure;
+    }
+    /* we really should use the actual mac'ing mechanism here, but we
+     * don't because these types are used to map keytype anyway and both
+     * mac's map to the same keytype.
+     */
+    slot  = PK11_GetSlotFromKey(symKey);
+
+    PK11_FreeSlot(slot); /* slot is held until the key is freed */
+    pwSpec->client.write_mac_key =
+    	PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
+	    CKM_SSL3_SHA1_MAC, returnedKeys.hClientMacSecret, PR_TRUE, pwArg);
+    if (pwSpec->client.write_mac_key == NULL ) {
+	goto loser;	/* loser sets err */
+    }
+    pwSpec->server.write_mac_key =
+    	PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
+	    CKM_SSL3_SHA1_MAC, returnedKeys.hServerMacSecret, PR_TRUE, pwArg);
+    if (pwSpec->server.write_mac_key == NULL ) {
+	goto loser;	/* loser sets err */
+    }
+    if (!skipKeysAndIVs) {
+	pwSpec->client.write_key =
+		PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
+		     bulk_mechanism, returnedKeys.hClientKey, PR_TRUE, pwArg);
+	if (pwSpec->client.write_key == NULL ) {
+	    goto loser;	/* loser sets err */
+	}
+	pwSpec->server.write_key =
+		PK11_SymKeyFromHandle(slot, symKey, PK11_OriginDerive,
+		     bulk_mechanism, returnedKeys.hServerKey, PR_TRUE, pwArg);
+	if (pwSpec->server.write_key == NULL ) {
+	    goto loser;	/* loser sets err */
+	}
+    }
+    PK11_FreeSymKey(symKey);
+    return SECSuccess;
+
+
+loser:
+    if (symKey) PK11_FreeSymKey(symKey);
+    ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
+    return SECFailure;
+}
+
+/*
+ * Handshake messages
+ */
+/* Called from	ssl3_AppendHandshake()
+**		ssl3_StartHandshakeHash()
+**		ssl3_HandleV2ClientHello()
+**		ssl3_HandleHandshakeMessage()
+** Caller must hold the ssl3Handshake lock.
+*/
+static SECStatus
+ssl3_UpdateHandshakeHashes(sslSocket *ss, unsigned char *b, unsigned int l)
+{
+    ssl3State *ssl3	= ss->ssl3;
+    SECStatus  rv;
+
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+
+    PRINT_BUF(90, (NULL, "MD5 & SHA handshake hash input:", b, l));
+
+    rv = PK11_DigestOp(ssl3->hs.md5, b, l);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+	return rv;
+    }
+    rv = PK11_DigestOp(ssl3->hs.sha, b, l);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+	return rv;
+    }
+    return rv;
+}
+
+/**************************************************************************
+ * Append Handshake functions.
+ * All these functions set appropriate error codes.
+ * Most rely on ssl3_AppendHandshake to set the error code.
+ **************************************************************************/
+static SECStatus
+ssl3_AppendHandshake(sslSocket *ss, const void *void_src, PRInt32 bytes)
+{
+    unsigned char *  src  = (unsigned char *)void_src;
+    int              room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len;
+    SECStatus        rv;
+
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) ); /* protects sendBuf. */
+
+    if (ss->sec.ci.sendBuf.space < MAX_SEND_BUF_LENGTH && room < bytes) {
+	rv = sslBuffer_Grow(&ss->sec.ci.sendBuf, PR_MAX(MIN_SEND_BUF_LENGTH,
+		 PR_MIN(MAX_SEND_BUF_LENGTH, ss->sec.ci.sendBuf.len + bytes)));
+	if (rv != SECSuccess)
+	    return rv;	/* sslBuffer_Grow has set a memory error code. */
+	room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len;
+    }
+
+    PRINT_BUF(60, (ss, "Append to Handshake", (unsigned char*)void_src, bytes));
+    rv = ssl3_UpdateHandshakeHashes(ss, src, bytes);
+    if (rv != SECSuccess)
+	return rv;	/* error code set by ssl3_UpdateHandshakeHashes */
+
+    while (bytes > room) {
+	if (room > 0)
+	    PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src, 
+	                room);
+	ss->sec.ci.sendBuf.len += room;
+	rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
+	if (rv != SECSuccess) {
+	    return rv;	/* error code set by ssl3_FlushHandshake */
+	}
+	bytes -= room;
+	src += room;
+	room = ss->sec.ci.sendBuf.space;
+	PORT_Assert(ss->sec.ci.sendBuf.len == 0);
+    }
+    PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src, bytes);
+    ss->sec.ci.sendBuf.len += bytes;
+    return SECSuccess;
+}
+
+static SECStatus
+ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, PRInt32 lenSize)
+{
+    SECStatus rv;
+    uint8     b[4];
+    uint8 *   p = b;
+
+    switch (lenSize) {
+      case 4:
+	*p++ = (num >> 24) & 0xff;
+      case 3:
+	*p++ = (num >> 16) & 0xff;
+      case 2:
+	*p++ = (num >> 8) & 0xff;
+      case 1:
+	*p = num & 0xff;
+    }
+    SSL_TRC(60, ("%d: number:", SSL_GETPID()));
+    rv = ssl3_AppendHandshake(ss, &b[0], lenSize);
+    return rv;	/* error code set by AppendHandshake, if applicable. */
+}
+
+static SECStatus
+ssl3_AppendHandshakeVariable(
+    sslSocket *ss, const SSL3Opaque *src, PRInt32 bytes, PRInt32 lenSize)
+{
+    SECStatus rv;
+
+    PORT_Assert((bytes < (1<<8) && lenSize == 1) ||
+	      (bytes < (1L<<16) && lenSize == 2) ||
+	      (bytes < (1L<<24) && lenSize == 3));
+
+    SSL_TRC(60,("%d: append variable:", SSL_GETPID()));
+    rv = ssl3_AppendHandshakeNumber(ss, bytes, lenSize);
+    if (rv != SECSuccess) {
+	return rv;	/* error code set by AppendHandshake, if applicable. */
+    }
+    SSL_TRC(60, ("data:"));
+    rv = ssl3_AppendHandshake(ss, src, bytes);
+    return rv;	/* error code set by AppendHandshake, if applicable. */
+}
+
+static SECStatus
+ssl3_AppendHandshakeHeader(sslSocket *ss, SSL3HandshakeType t, PRUint32 length)
+{
+    SECStatus rv;
+
+    SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s",
+    	SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t)));
+    PRINT_BUF(60, (ss, "MD5 handshake hash:",
+    	          (unsigned char*)ss->ssl3->hs.md5, MD5_LENGTH));
+    PRINT_BUF(95, (ss, "SHA handshake hash:",
+    	          (unsigned char*)ss->ssl3->hs.sha, SHA1_LENGTH));
+
+    rv = ssl3_AppendHandshakeNumber(ss, t, 1);
+    if (rv != SECSuccess) {
+    	return rv;	/* error code set by AppendHandshake, if applicable. */
+    }
+    rv = ssl3_AppendHandshakeNumber(ss, length, 3);
+    return rv;		/* error code set by AppendHandshake, if applicable. */
+}
+
+/**************************************************************************
+ * Consume Handshake functions.
+ *
+ * All data used in these functions is protected by two locks,
+ * the RecvBufLock and the SSL3HandshakeLock
+ **************************************************************************/
+
+/* Read up the next "bytes" number of bytes from the (decrypted) input
+ * stream "b" (which is *length bytes long). Copy them into buffer "v".
+ * Reduces *length by bytes.  Advances *b by bytes.
+ *
+ * If this function returns SECFailure, it has already sent an alert,
+ * and has set a generic error code.  The caller should probably
+ * override the generic error code by setting another.
+ */
+static SECStatus
+ssl3_ConsumeHandshake(sslSocket *ss, void *v, PRInt32 bytes, SSL3Opaque **b,
+		      PRUint32 *length)
+{
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+
+    if (bytes > *length) {
+	return ssl3_DecodeError(ss);
+    }
+    PORT_Memcpy(v, *b, bytes);
+    PRINT_BUF(60, (ss, "consume bytes:", *b, bytes));
+    *b      += bytes;
+    *length -= bytes;
+    return SECSuccess;
+}
+
+/* Read up the next "bytes" number of bytes from the (decrypted) input
+ * stream "b" (which is *length bytes long), and interpret them as an
+ * integer in network byte order.  Returns the received value.
+ * Reduces *length by bytes.  Advances *b by bytes.
+ *
+ * Returns SECFailure (-1) on failure.
+ * This value is indistinguishable from the equivalent received value.
+ * Only positive numbers are to be received this way.
+ * Thus, the largest value that may be sent this way is 0x7fffffff.
+ * On error, an alert has been sent, and a generic error code has been set.
+ */
+static PRInt32
+ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRInt32 bytes, SSL3Opaque **b,
+			    PRUint32 *length)
+{
+    PRInt32   num = 0;
+    int       i;
+    SECStatus status;
+    uint8     buf[4];
+
+    status = ssl3_ConsumeHandshake(ss, buf, bytes, b, length);
+    if (status != SECSuccess) {
+	/* ssl3_DecodeError has already been called */
+	return SECFailure;
+    }
+    for (i = 0; i < bytes; i++)
+	num = (num << 8) + buf[i];
+    return num;
+}
+
+/* Read in two values from the incoming decrypted byte stream "b", which is
+ * *length bytes long.  The first value is a number whose size is "bytes"
+ * bytes long.  The second value is a byte-string whose size is the value
+ * of the first number received.  The latter byte-string, and its length,
+ * is returned in the SECItem i.
+ *
+ * Returns SECFailure (-1) on failure.
+ * On error, an alert has been sent, and a generic error code has been set.
+ */
+static SECStatus
+ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRInt32 bytes,
+			      SSL3Opaque **b, PRUint32 *length)
+{
+    PRInt32   count;
+    SECStatus rv;
+
+    PORT_Assert(bytes <= 3);
+    i->len  = 0;
+    i->data = NULL;
+    count = ssl3_ConsumeHandshakeNumber(ss, bytes, b, length);
+    if (count < 0) { 		/* Can't test for SECSuccess here. */
+    	return SECFailure;
+    }
+    if (count > 0) {
+	i->data = (unsigned char*)PORT_Alloc(count);
+	if (i->data == NULL) {
+	    /* XXX inconsistent.  In other places, we don't send alerts for
+	     * our own memory failures.  But here we do... */
+	    (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    return SECFailure;
+	}
+	i->len = count;
+	rv = ssl3_ConsumeHandshake(ss, i->data, i->len, b, length);
+	if (rv != SECSuccess) {
+	    PORT_Free(i->data);
+	    i->data = NULL;
+	    return rv;	/* alert has already been sent. */
+	}
+    }
+    return SECSuccess;
+}
+
+/**************************************************************************
+ * end of Consume Handshake functions.
+ **************************************************************************/
+
+/* Extract the hashes of handshake messages to this point.
+ * Called from ssl3_SendCertificateVerify
+ *             ssl3_SendFinished
+ *             ssl3_HandleHandshakeMessage
+ *
+ * Caller must hold the SSL3HandshakeLock.
+ * Caller must hold a read or write lock on the Spec R/W lock.
+ *	(There is presently no way to assert on a Read lock.)
+ */
+static SECStatus
+ssl3_ComputeHandshakeHashes(sslSocket *     ss,
+                            ssl3CipherSpec *spec,   /* uses ->master_secret */
+			    SSL3Hashes *    hashes, /* output goes here. */
+			    uint32          sender)
+{
+    ssl3State *   ssl3      = ss->ssl3;
+    PK11Context * md5;
+    PK11Context * sha       = NULL;
+    SECStatus     rv        = SECSuccess;
+    unsigned int  outLength;
+    PRBool        isTLS;
+    SSL3Opaque    md5_inner[MAX_MAC_LENGTH];
+    SSL3Opaque    sha_inner[MAX_MAC_LENGTH];
+    unsigned char s[4];
+
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+
+    isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
+
+    md5 = PK11_CloneContext(ssl3->hs.md5);
+    if (md5 == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+    	return SECFailure;
+    }
+
+    sha = PK11_CloneContext(ssl3->hs.sha);
+    if (sha == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+	goto loser;
+    }
+
+    if (!isTLS) {
+	/* compute hashes for SSL3. */
+
+	s[0] = (unsigned char)(sender >> 24);
+	s[1] = (unsigned char)(sender >> 16);
+	s[2] = (unsigned char)(sender >> 8);
+	s[3] = (unsigned char)sender;
+
+	if (sender != 0) {
+	    rv |= PK11_DigestOp(md5, s, 4);
+	    PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4));
+	}
+
+	PRINT_BUF(95, (NULL, "MD5 inner: MAC Pad 1", mac_pad_1, mac_defs[mac_md5].pad_size));
+
+	rv |= PK11_DigestKey(md5,spec->master_secret);
+	rv |= PK11_DigestOp(md5, mac_pad_1, mac_defs[mac_md5].pad_size);
+	rv |= PK11_DigestFinal(md5, md5_inner, &outLength, MD5_LENGTH);
+	PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH);
+	if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+	    rv = SECFailure;
+	    goto loser;
+	}
+
+	PRINT_BUF(95, (NULL, "MD5 inner: result", md5_inner, outLength));
+
+	if (sender != 0) {
+	    rv |= PK11_DigestOp(sha, s, 4);
+	    PRINT_BUF(95, (NULL, "SHA inner: sender", s, 4));
+	}
+
+	PRINT_BUF(95, (NULL, "SHA inner: MAC Pad 1", mac_pad_1, mac_defs[mac_sha].pad_size));
+
+
+	rv |= PK11_DigestKey(sha, spec->master_secret);
+	rv |= PK11_DigestOp(sha, mac_pad_1, mac_defs[mac_sha].pad_size);
+	rv |= PK11_DigestFinal(sha, sha_inner, &outLength, SHA1_LENGTH);
+	PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH);
+	if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+	    rv = SECFailure;
+	    goto loser;
+	}
+
+	PRINT_BUF(95, (NULL, "SHA inner: result", sha_inner, outLength));
+
+	PRINT_BUF(95, (NULL, "MD5 outer: MAC Pad 2", mac_pad_2, mac_defs[mac_md5].pad_size));
+	PRINT_BUF(95, (NULL, "MD5 outer: MD5 inner", md5_inner, MD5_LENGTH));
+
+	rv |= PK11_DigestBegin(md5);
+	rv |= PK11_DigestKey(md5, spec->master_secret);
+	rv |= PK11_DigestOp(md5, mac_pad_2, mac_defs[mac_md5].pad_size);
+	rv |= PK11_DigestOp(md5, md5_inner, MD5_LENGTH);
+    }
+    rv |= PK11_DigestFinal(md5, hashes->md5, &outLength, MD5_LENGTH);
+    PORT_Assert(rv != SECSuccess || outLength == MD5_LENGTH);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+	rv = SECFailure;
+	goto loser;
+    }
+
+    PRINT_BUF(60, (NULL, "MD5 outer: result", hashes->md5, MD5_LENGTH));
+
+    if (!isTLS) {
+	PRINT_BUF(95, (NULL, "SHA outer: MAC Pad 2", mac_pad_2, mac_defs[mac_sha].pad_size));
+	PRINT_BUF(95, (NULL, "SHA outer: SHA inner", sha_inner, SHA1_LENGTH));
+
+	rv |= PK11_DigestBegin(sha);
+	rv |= PK11_DigestKey(sha,spec->master_secret);
+	rv |= PK11_DigestOp(sha, mac_pad_2, mac_defs[mac_sha].pad_size);
+	rv |= PK11_DigestOp(sha, sha_inner, SHA1_LENGTH);
+    }
+    rv |= PK11_DigestFinal(sha, hashes->sha, &outLength, SHA1_LENGTH);
+    PORT_Assert(rv != SECSuccess || outLength == SHA1_LENGTH);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+	rv = SECFailure;
+	goto loser;
+    }
+
+    PRINT_BUF(60, (NULL, "SHA outer: result", hashes->sha, SHA1_LENGTH));
+
+    rv = SECSuccess;
+
+loser:
+    if (md5) PK11_DestroyContext(md5, PR_TRUE);
+    if (sha) PK11_DestroyContext(sha, PR_TRUE);
+
+    return rv;
+}
+
+/*
+ * SSL 2 based implementations pass in the initial outbound buffer
+ * so that the handshake hash can contain the included information.
+ *
+ * Called from ssl2_BeginClientHandshake() in sslcon.c
+ */
+SECStatus
+ssl3_StartHandshakeHash(sslSocket *ss, unsigned char * buf, int length)
+{
+    SECStatus rv;
+
+    ssl_GetSSL3HandshakeLock(ss);  /**************************************/
+
+    rv = ssl3_InitState(ss);
+    if (rv != SECSuccess) {
+	goto done;		/* ssl3_InitState has set the error code. */
+    }
+
+    PORT_Memset(&ss->ssl3->hs.client_random, 0, SSL3_RANDOM_LENGTH);
+    PORT_Memcpy(
+	&ss->ssl3->hs.client_random.rand[SSL3_RANDOM_LENGTH - SSL_CHALLENGE_BYTES],
+	&ss->sec.ci.clientChallenge,
+	SSL_CHALLENGE_BYTES);
+
+    rv = ssl3_UpdateHandshakeHashes(ss, buf, length);
+    /* if it failed, ssl3_UpdateHandshakeHashes has set the error code. */
+
+done:
+    ssl_ReleaseSSL3HandshakeLock(ss);  /**************************************/
+    return rv;
+}
+
+/**************************************************************************
+ * end of Handshake Hash functions.
+ * Begin Send and Handle functions for handshakes.
+ **************************************************************************/
+
+/* Called from ssl3_HandleHelloRequest(),
+ *             ssl3_HandleFinished() (for step-up)
+ *             ssl3_RedoHandshake()
+ *             ssl2_BeginClientHandshake (when resuming ssl3 session)
+ */
+SECStatus
+ssl3_SendClientHello(sslSocket *ss)
+{
+    sslSessionID *   sid;
+    ssl3CipherSpec * cwSpec;
+    SECStatus        rv;
+    int              i;
+    int              length;
+    int              num_suites;
+    int              actual_count = 0;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(),
+		ss->fd));
+
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ssl_HaveXmitBufLock(ss) );
+
+    rv = ssl3_InitState(ss);
+    if (rv != SECSuccess) {
+	return rv;		/* ssl3_InitState has set the error code. */
+    }
+
+    SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
+	    SSL_GETPID(), ss->fd ));
+    rv = PK11_DigestBegin(ss->ssl3->hs.md5);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+	return rv;
+    }
+    rv = PK11_DigestBegin(ss->ssl3->hs.sha);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+	return rv;
+    }
+
+    /* We ignore ss->sec.ci.sid here, and use ssl_Lookup because Lookup
+     * handles expired entries and other details.
+     * XXX If we've been called from ssl2_BeginClientHandshake, then
+     * this lookup is duplicative and wasteful.
+     */
+    sid = (ss->noCache) ? NULL
+	    : ssl_LookupSID(&ss->sec.ci.peer, ss->sec.ci.port, ss->peerID, ss->url);
+
+    /* We can't resume based on a different token. If the sid exists,
+     * make sure the token that holds the master secret still exists ...
+     * If we previously did client-auth, make sure that the token that holds
+     * the private key still exists, is logged in, hasn't been removed, etc.
+     * Also for fortezza, make sure that the card that holds the session keys
+     * exist as well... */
+    if (sid) {
+	PK11SlotInfo *slot;
+	PRBool sidOK = PR_TRUE;
+	slot = (!sid->u.ssl3.masterValid) ? NULL :
+	                     SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
+	                                       sid->u.ssl3.masterSlotID);
+	if (slot == NULL) {
+	   sidOK = PR_FALSE;
+	} else {
+	    PK11SymKey *wrapKey = NULL;
+	    if (!PK11_IsPresent(slot) ||
+		((wrapKey = PK11_GetWrapKey(slot, sid->u.ssl3.masterWrapIndex,
+					    sid->u.ssl3.masterWrapMech,
+					    sid->u.ssl3.masterWrapSeries,
+					    ss->pkcs11PinArg)) == NULL) ) {
+		sidOK = PR_FALSE;
+	    }
+	    if (wrapKey) PK11_FreeSymKey(wrapKey);
+	    PK11_FreeSlot(slot);
+	    slot = NULL;
+	}
+	/* do sid-has-FORTEZZA-slot check */
+    	if (sid->u.ssl3.hasFortezza) {
+	    /* do has fortezza check */
+	    if (!PK11_VerifyKeyOK(sid->u.ssl3.tek))
+	    	sidOK = PR_FALSE;
+	}
+
+	/* If we previously did client-auth, make sure that the token that
+	** holds the private key still exists, is logged in, hasn't been
+	** removed, etc.
+	*/
+	if (sidOK && sid->u.ssl3.clAuthValid) {
+	    slot = SECMOD_LookupSlot(sid->u.ssl3.clAuthModuleID,
+	                             sid->u.ssl3.clAuthSlotID);
+	    if (slot == NULL ||
+	        !PK11_IsPresent(slot) ||
+		sid->u.ssl3.clAuthSeries     != PK11_GetSlotSeries(slot) ||
+		sid->u.ssl3.clAuthSlotID     != PK11_GetSlotID(slot)     ||
+		sid->u.ssl3.clAuthModuleID   != PK11_GetModuleID(slot)   ||
+                !PK11_IsLoggedIn(slot, NULL)) {
+	        sidOK = PR_FALSE;
+	    }
+	    if (slot) {
+		PK11_FreeSlot(slot);
+		slot = NULL;
+	    }
+	}
+
+	if (!sidOK) {
+	    ++ssl3stats.sch_sid_cache_not_ok;
+	    (*ss->sec.uncache)(sid);
+	    ssl_FreeSID(sid);
+	    sid = NULL;
+	}
+    }
+
+    if (sid) {
+	++ssl3stats.sch_sid_cache_hits;
+
+	rv = ssl3_NegotiateVersion(ss, sid->version);
+	if (rv != SECSuccess)
+	    return rv;	/* error code was set */
+
+	PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
+		      sid->u.ssl3.sessionIDLength));
+
+	ss->ssl3->policy = sid->u.ssl3.policy;
+    } else {
+	++ssl3stats.sch_sid_cache_misses;
+
+	rv = ssl3_NegotiateVersion(ss, SSL_LIBRARY_VERSION_3_1_TLS);
+	if (rv != SECSuccess)
+	    return rv;	/* error code was set */
+
+	sid = ssl3_NewSessionID(ss, PR_FALSE);
+	if (!sid) {
+	    return SECFailure;	/* memory error is set */
+        }
+    }
+
+    ssl_GetSpecWriteLock(ss);
+    cwSpec = ss->ssl3->cwSpec;
+    if (cwSpec->mac_def->mac == mac_null) {
+	/* SSL records are not being MACed. */
+	cwSpec->version = ss->version;
+    }
+    ssl_ReleaseSpecWriteLock(ss);
+
+    if (ss->sec.ci.sid != NULL) {
+	ssl_FreeSID(ss->sec.ci.sid);	/* decrement ref count, free if zero */
+    }
+    ss->sec.ci.sid = sid;
+
+    ss->sec.send = ssl3_SendApplicationData;
+
+    /* shouldn't get here if SSL3 is disabled, but ... */
+    PORT_Assert(ss->enableSSL3 || ss->enableTLS);
+    if (!ss->enableSSL3 && !ss->enableTLS) {
+	PORT_SetError(SSL_ERROR_SSL_DISABLED);
+    	return SECFailure;
+    }
+
+    /* how many suites does our PKCS11 support (regardless of policy)? */
+    num_suites = ssl3_config_match_init(ss);
+    if (!num_suites)
+    	return SECFailure;	/* ssl3_config_match_init has set error code. */
+
+    /* how many suites are permitted by policy and user preference? */
+    num_suites = count_cipher_suites(ss, ss->ssl3->policy, PR_TRUE);
+    if (!num_suites)
+    	return SECFailure;	/* count_cipher_suites has set error code. */
+
+    length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH +
+	1 + ((sid == NULL) ? 0 : sid->u.ssl3.sessionIDLength) +
+	2 + num_suites*sizeof(ssl3CipherSuite) +
+	1 + compressionMethodsCount;
+
+    rv = ssl3_AppendHandshakeHeader(ss, client_hello, length);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by ssl3_AppendHandshake* */
+    }
+
+    ss->clientHelloVersion = ss->version;
+    rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by ssl3_AppendHandshake* */
+    }
+    rv = ssl3_GetNewRandom(&ss->ssl3->hs.client_random);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by GetNewRandom. */
+    }
+    rv = ssl3_AppendHandshake(ss, &ss->ssl3->hs.client_random,
+                              SSL3_RANDOM_LENGTH);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by ssl3_AppendHandshake* */
+    }
+
+    if (sid)
+	rv = ssl3_AppendHandshakeVariable(
+	    ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
+    else
+	rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by ssl3_AppendHandshake* */
+    }
+
+    rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by ssl3_AppendHandshake* */
+    }
+
+
+    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
+	if (config_match(suite, ss->ssl3->policy, PR_TRUE)) {
+	    actual_count++;
+	    if (actual_count > num_suites) {
+		/* set error card removal/insertion error */
+		PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
+		return SECFailure;
+	    }
+	    rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite,
+					    sizeof(ssl3CipherSuite));
+	    if (rv != SECSuccess) {
+		return rv;	/* err set by ssl3_AppendHandshake* */
+	    }
+	}
+    }
+
+    /* if cards were removed or inserted between count_cipher_suites and
+     * generating our list, detect the error here rather than send it off to
+     * the server.. */
+    if (actual_count != num_suites) {
+	/* Card removal/insertion error */
+	PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
+	return SECFailure;
+    }
+
+    rv = ssl3_AppendHandshakeNumber(ss, compressionMethodsCount, 1);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by ssl3_AppendHandshake* */
+    }
+    for (i = 0; i < compressionMethodsCount; i++) {
+	rv = ssl3_AppendHandshakeNumber(ss, compressions[i], 1);
+	if (rv != SECSuccess) {
+	    return rv;	/* err set by ssl3_AppendHandshake* */
+	}
+    }
+
+    rv = ssl3_FlushHandshake(ss, 0);
+    if (rv != SECSuccess) {
+	return rv;	/* error code set by ssl3_FlushHandshake */
+    }
+
+    ss->ssl3->hs.ws = wait_server_hello;
+    return rv;
+}
+
+
+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 Hello Request.
+ * Caller must hold Handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleHelloRequest(sslSocket *ss)
+{
+    sslSessionID *sid = ss->sec.ci.sid;
+    SECStatus     rv;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle hello_request handshake",
+		SSL_GETPID(), ss->fd));
+
+    PORT_Assert(ss->ssl3);
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+
+    if (ss->ssl3->hs.ws == wait_server_hello)
+	return SECSuccess;
+    if (ss->ssl3->hs.ws != idle_handshake || ss->sec.isServer) {
+	(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
+	return SECFailure;
+    }
+    if (sid) {
+	ss->sec.uncache(sid);
+	ssl_FreeSID(sid);
+	ss->sec.ci.sid = NULL;
+    }
+
+    ssl_GetXmitBufLock(ss);
+    rv = ssl3_SendClientHello(ss);
+    ssl_ReleaseXmitBufLock(ss);
+
+    return rv;
+}
+
+#define UNKNOWN_WRAP_MECHANISM 0x7fffffff
+
+static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = {
+    CKM_DES3_ECB,
+    CKM_CAST5_ECB,
+    CKM_DES_ECB,
+    CKM_KEY_WRAP_LYNKS,
+    CKM_IDEA_ECB,
+    CKM_CAST3_ECB,
+    CKM_CAST_ECB,
+    CKM_RC5_ECB,
+    CKM_RC2_ECB,
+    CKM_CDMF_ECB,
+    CKM_SKIPJACK_WRAP,
+    CKM_SKIPJACK_CBC64,
+    UNKNOWN_WRAP_MECHANISM
+};
+
+static int
+ssl_FindIndexByWrapMechanism(CK_MECHANISM_TYPE mech)
+{
+    const CK_MECHANISM_TYPE *pMech = wrapMechanismList;
+
+    while (mech != *pMech && *pMech != UNKNOWN_WRAP_MECHANISM) {
+    	++pMech;
+    }
+    return (*pMech == UNKNOWN_WRAP_MECHANISM) ? -1
+                                              : (pMech - wrapMechanismList);
+}
+
+static PK11SymKey *
+ssl_UnwrapSymWrappingKey(
+	SSLWrappedSymWrappingKey *pWswk,
+	SECKEYPrivateKey *        svrPrivKey,
+	SSL3KEAType               exchKeyType,
+	CK_MECHANISM_TYPE         masterWrapMech,
+	void *                    pwArg)
+{
+    PK11SymKey *             unwrappedWrappingKey  = NULL;
+    SECItem                  wrappedKey;
+
+    /* found the wrapping key on disk. */
+    PORT_Assert(pWswk->symWrapMechanism == masterWrapMech);
+    PORT_Assert(pWswk->exchKeyType      == exchKeyType);
+    if (pWswk->symWrapMechanism != masterWrapMech ||
+	pWswk->exchKeyType      != exchKeyType) {
+	goto loser;
+    }
+    wrappedKey.type = siBuffer;
+    wrappedKey.data = pWswk->wrappedSymmetricWrappingkey;
+    wrappedKey.len  = pWswk->wrappedSymKeyLen;
+    PORT_Assert(wrappedKey.len <= sizeof pWswk->wrappedSymmetricWrappingkey);
+
+    switch (exchKeyType) {
+    PK11SymKey *      Ks;
+    PK11SlotInfo *    slot;
+    SECItem           param;
+
+    case kt_fortezza:
+	/* get the slot that the fortezza server private key is in. */
+	slot = PK11_GetSlotFromPrivateKey(svrPrivKey);
+	if (slot == NULL) {
+	    SET_ERROR_CODE
+	    goto loser;
+	}
+
+	/* Look up the Token Fixed Key */
+	Ks = PK11_FindFixedKey(slot, CKM_SKIPJACK_CBC64, NULL, pwArg);
+	PK11_FreeSlot(slot);
+	if (Ks == NULL) {
+	    SET_ERROR_CODE
+	    goto loser;
+	}
+
+	/* unwrap client write key with the local Ks and IV */
+	param.type = siBuffer;
+    	param.data = pWswk->wrapIV;
+    	param.len  = pWswk->wrapIVLen;
+	unwrappedWrappingKey =
+	    PK11_UnwrapSymKey(Ks, CKM_SKIPJACK_CBC64, &param, &wrappedKey,
+			      masterWrapMech, CKA_UNWRAP, 0);
+	PK11_FreeSymKey(Ks);
+	break;
+
+    case kt_rsa:
+	unwrappedWrappingKey =
+	    PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey,
+				 masterWrapMech, CKA_UNWRAP, 0);
+	break;
+    default:
+	/* Assert? */
+	SET_ERROR_CODE
+	goto loser;
+    }
+loser:
+    return unwrappedWrappingKey;
+}
+
+/* Each process sharing the server session ID cache has its own array of
+ * SymKey pointers for the symmetric wrapping keys that are used to wrap
+ * the master secrets.  There is one key for each KEA type.  These Symkeys
+ * correspond to the wrapped SymKeys kept in the server session cache.
+ */
+
+typedef struct {
+    PK11SymKey *      symWrapKey[kt_kea_size];
+} ssl3SymWrapKey;
+
+/* Try to get wrapping key for mechanism from in-memory array.
+ * If that fails, look for one on disk.
+ * If that fails, generate a new one, put the new one on disk,
+ * Put the new key in the in-memory array.
+ */
+static PK11SymKey *
+getWrappingKey( sslSocket *       ss,
+		PK11SlotInfo *    masterSecretSlot,
+		SSL3KEAType       exchKeyType,
+                CK_MECHANISM_TYPE masterWrapMech,
+	        void *            pwArg)
+{
+    CERTCertificate *        svrCert;
+    SECKEYPrivateKey *       svrPrivKey;
+    SECKEYPublicKey *        svrPubKey             = NULL;
+    PK11SymKey *             unwrappedWrappingKey  = NULL;
+    PK11SymKey **            pSymWrapKey;
+    CK_MECHANISM_TYPE        asymWrapMechanism = CKM_INVALID_MECHANISM;
+    int                      length;
+    int                      symWrapMechIndex;
+    SECStatus                rv;
+    SECItem                  wrappedKey;
+    SSLWrappedSymWrappingKey wswk;
+
+    static PZLock *          symWrapKeysLock;
+    static ssl3SymWrapKey    symWrapKeys[SSL_NUM_WRAP_MECHS];
+
+    svrPrivKey  = ss->serverCerts[exchKeyType].serverKey;
+    PORT_Assert(svrPrivKey != NULL);
+    if (!svrPrivKey) {
+    	return NULL;	/* why are we here?!? */
+    }
+
+    symWrapMechIndex = ssl_FindIndexByWrapMechanism(masterWrapMech);
+    PORT_Assert(symWrapMechIndex >= 0);
+    if (symWrapMechIndex < 0)
+    	return NULL;	/* invalid masterWrapMech. */
+
+    pSymWrapKey = &symWrapKeys[symWrapMechIndex].symWrapKey[exchKeyType];
+
+    /* atomically initialize the lock */
+    if (!symWrapKeysLock)
+	nss_InitLock(&symWrapKeysLock, nssILockOther);
+
+    PZ_Lock(symWrapKeysLock);
+
+    unwrappedWrappingKey = *pSymWrapKey;
+    if (unwrappedWrappingKey != NULL) {
+	if (PK11_VerifyKeyOK(unwrappedWrappingKey)) {
+	    unwrappedWrappingKey = PK11_ReferenceSymKey(unwrappedWrappingKey);
+	    goto done;
+	}
+	/* slot series has changed, so this key is no good any more. */
+	PK11_FreeSymKey(unwrappedWrappingKey);
+	*pSymWrapKey = unwrappedWrappingKey = NULL;
+    }
+
+    /* Try to get wrapped SymWrapping key out of the (disk) cache. */
+    /* Following call fills in wswk on success. */
+    if (ssl_GetWrappingKey(symWrapMechIndex, exchKeyType, &wswk)) {
+    	/* found the wrapped sym wrapping key on disk. */
+	unwrappedWrappingKey =
+	    ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType,
+                                     masterWrapMech, pwArg);
+	if (unwrappedWrappingKey) {
+	    goto install;
+	}
+    }
+
+    if (!masterSecretSlot) 	/* caller doesn't want to create a new one. */
+    	goto loser;
+
+    length = PK11_GetBestKeyLength(masterSecretSlot, masterWrapMech);
+    /* Zero length means fixed key length algorithm, or error.
+     * It's ambiguous.
+     */
+    unwrappedWrappingKey = PK11_KeyGen(masterSecretSlot, masterWrapMech, NULL,
+                                       length, pwArg);
+    if (!unwrappedWrappingKey) {
+    	goto loser;
+    }
+
+    /* Prepare the buffer to receive the wrappedWrappingKey,
+     * the symmetric wrapping key wrapped using the server's pub key.
+     */
+    PORT_Memset(&wswk, 0, sizeof wswk);	/* eliminate UMRs. */
+
+    svrCert         = ss->serverCerts[exchKeyType].serverCert;
+    svrPubKey       = CERT_ExtractPublicKey(svrCert);
+    if (svrPubKey == NULL) {
+	/* CERT_ExtractPublicKey doesn't set error code */
+	PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
+    	goto loser;
+    }
+    wrappedKey.type = siBuffer;
+    wrappedKey.len  = SECKEY_PublicKeyStrength(svrPubKey);
+    wrappedKey.data = wswk.wrappedSymmetricWrappingkey;
+
+    PORT_Assert(wrappedKey.len <= sizeof wswk.wrappedSymmetricWrappingkey);
+    if (wrappedKey.len > sizeof wswk.wrappedSymmetricWrappingkey)
+    	goto loser;
+
+    /* wrap symmetric wrapping key in server's public key. */
+    switch (exchKeyType) {
+    PK11SymKey *      Ks;
+    PK11SlotInfo *    fSlot;
+    SECItem           param;
+
+    case kt_fortezza:
+	/* get the slot that the fortezza server private key is in. */
+	fSlot = PK11_GetSlotFromPrivateKey(svrPrivKey);
+	if (fSlot == NULL) {
+	    SET_ERROR_CODE
+	    goto loser;
+	}
+
+	/* Look up the Token Fixed Key */
+	Ks = PK11_FindFixedKey(fSlot, CKM_SKIPJACK_CBC64, NULL, pwArg);
+	PK11_FreeSlot(fSlot);
+	if (Ks == NULL) {
+	    SET_ERROR_CODE
+	    goto loser;
+	}
+
+	/* wrap symmetricWrapping key with the local Ks */
+	param.type = siBuffer;
+    	param.data = wswk.wrapIV;
+    	param.len  = sizeof wswk.wrapIV;
+	rv = PK11_WrapSymKey(CKM_SKIPJACK_CBC64, &param, Ks,
+	                     unwrappedWrappingKey, &wrappedKey);
+	wswk.wrapIVLen = param.len;
+	PK11_FreeSymKey(Ks);
+	asymWrapMechanism = CKM_SKIPJACK_CBC64;
+	break;
+
+    case kt_rsa:
+	asymWrapMechanism = CKM_RSA_PKCS;
+	rv = PK11_PubWrapSymKey(asymWrapMechanism, svrPubKey,
+	                        unwrappedWrappingKey, &wrappedKey);
+	break;
+
+    default:
+	rv = SECFailure;
+	break;
+    }
+
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+
+    PORT_Assert(asymWrapMechanism != CKM_INVALID_MECHANISM);
+
+    wswk.symWrapMechanism  = masterWrapMech;
+    wswk.symWrapMechIndex  = symWrapMechIndex;
+    wswk.asymWrapMechanism = asymWrapMechanism;
+    wswk.exchKeyType       = exchKeyType;
+    wswk.wrappedSymKeyLen  = wrappedKey.len;
+
+    /* put it on disk. */
+    /* If the wrapping key for this KEA type has already been set, 
+     * then abandon the value we just computed and 
+     * use the one we got from the disk.
+     */
+    if (ssl_SetWrappingKey(&wswk)) {
+    	/* somebody beat us to it.  The original contents of our wswk
+	 * has been replaced with the content on disk.  Now, discard
+	 * the key we just created and unwrap this new one.
+	 */
+    	PK11_FreeSymKey(unwrappedWrappingKey);
+
+	unwrappedWrappingKey =
+	    ssl_UnwrapSymWrappingKey(&wswk, svrPrivKey, exchKeyType,
+                                     masterWrapMech, pwArg);
+    }
+
+install:
+    if (unwrappedWrappingKey) {
+	*pSymWrapKey = PK11_ReferenceSymKey(unwrappedWrappingKey);
+    }
+
+loser:
+done:
+    if (svrPubKey) {
+    	SECKEY_DestroyPublicKey(svrPubKey);
+	svrPubKey = NULL;
+    }
+    PZ_Unlock(symWrapKeysLock);
+    return unwrappedWrappingKey;
+}
+
+
+static SECStatus
+ssl3_FortezzaAppendHandshake(sslSocket *ss, unsigned char * data, int len)
+{
+    SSL3FortezzaKeys *fortezza_CKE  = NULL;
+    SECStatus         rv            = SECFailure;
+
+    rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange,
+	    (sizeof(*fortezza_CKE)-sizeof(fortezza_CKE->y_c)) + 1 + len);
+    if (rv == SECSuccess) {
+        rv = ssl3_AppendHandshakeVariable(ss, data, len, 1);
+    }
+    return rv;	/* err set by ssl3_AppendHandshake* */
+}
+
+/* Called from ssl3_SendClientKeyExchange(). */
+static SECStatus
+sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
+{
+    PK11SymKey *	pms 		= NULL;
+    SECStatus           rv    		= SECFailure;
+    SECItem 		enc_pms 	= {siBuffer, NULL, 0};
+    PRBool              isTLS;
+
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ssl_HaveXmitBufLock(ss));
+
+    /* Generate the pre-master secret ...  */
+    ssl_GetSpecWriteLock(ss);
+    isTLS = (PRBool)(ss->ssl3->pwSpec->version > SSL_LIBRARY_VERSION_3_0);
+
+    pms = ssl3_GenerateRSAPMS(ss, ss->ssl3->pwSpec, NULL);
+    ssl_ReleaseSpecWriteLock(ss);
+    if (pms == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+
+    /* Get the wrapped (encrypted) pre-master secret, enc_pms */
+    enc_pms.len  = SECKEY_PublicKeyStrength(svrPubKey);
+    enc_pms.data = (unsigned char*)PORT_Alloc(enc_pms.len);
+    if (enc_pms.data == NULL) {
+	goto loser;	/* err set by PORT_Alloc */
+    }
+
+    /* wrap pre-master secret in server's public key. */
+    rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, svrPubKey, pms, &enc_pms);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+
+    rv = ssl3_InitPendingCipherSpec(ss,  pms);
+    PK11_FreeSymKey(pms); pms = NULL;
+
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+
+    rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, 
+				    isTLS ? enc_pms.len + 2 : enc_pms.len);
+    if (rv != SECSuccess) {
+	goto loser;	/* err set by ssl3_AppendHandshake* */
+    }
+    if (isTLS) {
+    	rv = ssl3_AppendHandshakeVariable(ss, enc_pms.data, enc_pms.len, 2);
+    } else {
+	rv = ssl3_AppendHandshake(ss, enc_pms.data, enc_pms.len);
+    }
+    if (rv != SECSuccess) {
+	goto loser;	/* err set by ssl3_AppendHandshake* */
+    }
+
+    rv = SECSuccess;
+
+loser:
+    if (enc_pms.data != NULL) {
+	PORT_Free(enc_pms.data);
+    }
+    if (pms != NULL) {
+    	PK11_FreeSymKey(pms);
+    }
+    return rv;
+}
+
+/* Called from ssl3_SendClientKeyExchange(). */
+static SECStatus
+sendDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
+{
+    PK11SymKey *	pms 		= NULL;
+    SECStatus           rv    		= SECFailure;
+    PRBool              isTLS;
+    CK_MECHANISM_TYPE	target;
+
+    SECKEYDHParams	dhParam;		/* DH parameters */
+    SECKEYPublicKey	*pubKey = NULL;		/* Ephemeral DH key */
+    SECKEYPrivateKey	*privKey = NULL;	/* Ephemeral DH key */
+
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ssl_HaveXmitBufLock(ss));
+
+    isTLS = (PRBool)(ss->ssl3->pwSpec->version > SSL_LIBRARY_VERSION_3_0);
+
+    /* Copy DH parameters from server key */
+
+    dhParam.prime.data = svrPubKey->u.dh.prime.data;
+    dhParam.prime.len = svrPubKey->u.dh.prime.len;
+    dhParam.base.data = svrPubKey->u.dh.base.data;
+    dhParam.base.len = svrPubKey->u.dh.base.len;
+
+    /* Generate ephemeral DH keypair */
+    privKey = SECKEY_CreateDHPrivateKey(&dhParam, &pubKey, NULL);
+    if (!privKey || !pubKey) {
+	    ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
+	    rv = SECFailure;
+	    goto loser;
+    }
+    PRINT_BUF(50, (ss, "DH public value:",
+					pubKey->u.dh.publicValue.data,
+					pubKey->u.dh.publicValue.len));
+
+    if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH;
+    else target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
+
+    /* Determine the PMS */
+
+    pms = PK11_PubDerive(privKey, svrPubKey, PR_FALSE, NULL, NULL,
+			    CKM_DH_PKCS_DERIVE, target, CKA_DERIVE, 0, NULL);
+
+    if (pms == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+
+    SECKEY_DestroyPrivateKey(privKey);
+    privKey = NULL;
+
+    rv = ssl3_InitPendingCipherSpec(ss,  pms);
+    PK11_FreeSymKey(pms); pms = NULL;
+
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+
+    rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, 
+					pubKey->u.dh.publicValue.len + 2);
+    if (rv != SECSuccess) {
+	goto loser;	/* err set by ssl3_AppendHandshake* */
+    }
+    rv = ssl3_AppendHandshakeVariable(ss, 
+					pubKey->u.dh.publicValue.data,
+					pubKey->u.dh.publicValue.len, 2);
+    SECKEY_DestroyPublicKey(pubKey);
+    pubKey = NULL;
+
+    if (rv != SECSuccess) {
+	goto loser;	/* err set by ssl3_AppendHandshake* */
+    }
+
+    rv = SECSuccess;
+
+
+loser:
+
+    if(pms) PK11_FreeSymKey(pms);
+    if(privKey) SECKEY_DestroyPrivateKey(privKey);
+    if(pubKey) SECKEY_DestroyPublicKey(pubKey);
+    return rv;
+}
+
+/* fortezza client-auth portion of ClientKeyExchange message
+ * This function appends the KEA public key from the client's  V3 cert
+ * (empty for a V1 cert) to the outgoing ClientKeyExchange message.
+ * For a V3 cert, it also computes the Fortezza public key hash of that key
+ * and signs that hash with the client's signing private key.
+ * It also finds and returns the client's KEA private key.
+ *
+ * Called from sendFortezzaClientKeyExchange <- ssl3_SendClientKeyExchange()
+ */
+static SECKEYPrivateKey *
+sendFortezzaCKXClientAuth(sslSocket *ss, SSL3FortezzaKeys * fortezza_CKE)
+{
+    SECKEYPublicKey *	pubKey 		= NULL;
+    SECKEYPrivateKey *	privKeaKey 	= NULL;
+    CERTCertificate *	peerCert 	= ss->sec.peerCert;
+    void *		pwArg 		= ss->pkcs11PinArg;
+    SECStatus 		rv 		= SECFailure;
+    SECItem 		sigItem;
+    SECItem 		hashItem;
+
+    /* extract our own local public key. */
+    pubKey = CERT_ExtractPublicKey(ss->ssl3->clientCertificate);
+    if (!pubKey) {
+	ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
+	goto loser;
+    }
+
+    if (pubKey->keyType == fortezzaKey) {
+	/* fortezza clientauth with fortezza V1 certificate */
+	rv = ssl3_FortezzaAppendHandshake(ss, NULL, 0);
+	if (rv != SECSuccess) {
+	    goto loser;	/* err was set by AppendHandshake. */
+	}
+	privKeaKey = PK11_FindKeyByAnyCert(ss->ssl3->clientCertificate, pwArg);
+	if (!privKeaKey) {
+	    ssl_MapLowLevelError(SEC_ERROR_NO_KEY);
+	}
+
+    } else {
+	/* fortezza clientauth w/ V3 certificate or non fortezza cert*/
+	CERTCertificate *   ccert 		= NULL;
+	SECKEYPublicKey *   foundPubKey 	= NULL;
+	unsigned char       hash[SHA1_LENGTH];
+
+	ccert = PK11_FindBestKEAMatch(peerCert, pwArg);
+	if (ccert == NULL) {
+	    PORT_SetError(SSL_ERROR_FORTEZZA_PQG);
+	    goto v3_loser;
+	}
+
+	foundPubKey = CERT_ExtractPublicKey(ccert);
+	if (foundPubKey == NULL) {
+	    ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
+	    goto v3_loser;
+	}
+
+	if (foundPubKey->keyType == keaKey) {
+	    rv = ssl3_FortezzaAppendHandshake(ss,
+			    foundPubKey->u.kea.publicValue.data,
+			    foundPubKey->u.kea.publicValue.len);
+	    if (rv != SECSuccess) {
+		goto v3_loser; /* err was set by AppendHandshake. */
+	    }
+
+	    rv = ssl3_ComputeFortezzaPublicKeyHash(
+			    foundPubKey->u.kea.publicValue, hash);
+	    if (rv != SECSuccess) {
+		ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+		goto v3_loser;
+	    }
+	} else {
+	    rv = ssl3_FortezzaAppendHandshake(ss,
+			    foundPubKey->u.fortezza.KEAKey.data,
+			    foundPubKey->u.fortezza.KEAKey.len);
+	    if (rv != SECSuccess) {
+		goto v3_loser; /* err was set by AppendHandshake. */
+	    }
+
+	    rv = ssl3_ComputeFortezzaPublicKeyHash(
+			    foundPubKey->u.fortezza.KEAKey, hash);
+	    if (rv != SECSuccess) {
+		ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+		goto v3_loser;
+	    }
+	}
+
+	hashItem.data = (unsigned char *) hash;
+	hashItem.len  = SHA1_LENGTH;
+
+	sigItem.data  = fortezza_CKE->y_signature;
+	sigItem.len   = sizeof fortezza_CKE->y_signature;
+
+	rv = PK11_Sign(ss->ssl3->clientPrivateKey, &sigItem, &hashItem);
+	if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	    goto v3_loser;
+	}
+
+	privKeaKey = PK11_FindKeyByAnyCert(ccert, pwArg);
+	if (!privKeaKey) {
+	    ssl_MapLowLevelError(SEC_ERROR_NO_KEY);
+	}
+
+v3_loser:
+	if (foundPubKey)
+	    SECKEY_DestroyPublicKey(foundPubKey);
+	if (ccert)
+	    CERT_DestroyCertificate(ccert);
+    } /* fortezza clientauth w/ V3 certificate or non fortezza cert*/
+
+loser:
+
+    if (pubKey)
+	SECKEY_DestroyPublicKey(pubKey);
+    return privKeaKey;
+} /* End of fortezza client-auth. */
+
+
+/* fortezza without client-auth */
+/* fortezza client-auth portion of ClientKeyExchange message
+ * This function appends the public KEA key from the client's cert
+ * to the outgoing ClientKeyExchange message.
+ * It also finds and returns the client's KEA private key.
+ *
+ * Called from sendFortezzaClientKeyExchange <- ssl3_SendClientKeyExchange()
+ */
+static SECKEYPrivateKey *
+sendFortezzaCKXNoClientAuth(sslSocket *ss)
+{
+    SECKEYPublicKey *   foundPubKey 	= NULL;
+    SECKEYPrivateKey *	privKeaKey 	= NULL;
+    CERTCertificate *	ccert 		= NULL;
+    CERTCertificate *	peerCert 	= ss->sec.peerCert;
+    void *		pwArg 		= ss->pkcs11PinArg;
+    SECStatus 		rv 		= SECFailure;
+
+    ccert = PK11_FindBestKEAMatch(peerCert, pwArg);
+    if (ccert == NULL) {
+	PORT_SetError(SSL_ERROR_FORTEZZA_PQG);
+	goto loser;
+    }
+
+    foundPubKey = CERT_ExtractPublicKey(ccert);
+    if (foundPubKey == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
+	goto loser;
+    }
+
+    if (foundPubKey->keyType == fortezzaKey) {
+	/* fortezza V1 cert */
+	rv = ssl3_FortezzaAppendHandshake(ss,
+				    foundPubKey->u.fortezza.KEAKey.data,
+				    foundPubKey->u.fortezza.KEAKey.len);
+	if (rv != SECSuccess) {
+	    goto loser; /* err was set by AppendHandshake. */
+	}
+	privKeaKey = PK11_FindKeyByAnyCert(ccert, pwArg);
+	if (!privKeaKey) {
+	    ssl_MapLowLevelError(SEC_ERROR_NO_KEY);
+	}
+    } else {
+	/* fortezza V3 cert */
+	rv = ssl3_FortezzaAppendHandshake(ss,
+				    foundPubKey->u.kea.publicValue.data,
+				    foundPubKey->u.kea.publicValue.len);
+	if (rv != SECSuccess) {
+	    goto loser; /* err was set by AppendHandshake. */
+	}
+	privKeaKey = PK11_FindKeyByAnyCert(ccert, pwArg);
+	if (!privKeaKey) {
+	    ssl_MapLowLevelError(SEC_ERROR_NO_KEY);
+	}
+    }
+
+loser:
+    if (foundPubKey)
+	SECKEY_DestroyPublicKey(foundPubKey);
+    if (ccert)
+	CERT_DestroyCertificate(ccert);
+    return privKeaKey;
+}
+
+/* Called from ssl3_SendClientKeyExchange().  */
+static SECStatus
+sendFortezzaClientKeyExchange(sslSocket * ss, SECKEYPublicKey * serverKey)
+{
+    ssl3CipherSpec *	pwSpec = NULL;
+    sslSessionID *	sid 		= ss->sec.ci.sid;
+    PK11SlotInfo *	slot		= NULL;
+    PK11SymKey *	pms 		= NULL;
+    PK11SymKey *	tek		= NULL;
+    PK11SymKey *	client_write_key = NULL;
+    PK11SymKey *	server_write_key = NULL;
+    SECKEYPrivateKey *	privKeaKey 	= NULL;
+    void *		pwArg 		= ss->pkcs11PinArg;
+    SECStatus 		rv 		= SECFailure;
+    CK_VERSION 		version;
+    SECItem 		param;
+    SECItem 		raItem;
+    SECItem 		rbItem;
+    SECItem 		enc_pms;
+    SECItem 		item;
+    SSL3FortezzaKeys	fortezza_CKE;
+    PRBool              releaseSpecWriteLock = PR_FALSE;
+
+    PORT_Assert( ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+
+    /* first get an appropriate slot for doing MACing.
+     * Note: This slot will NOT be a Fortezza slot because Fortezza
+     * cannot generate an SSL3 pre-master-secret.
+     */
+    slot = PK11_GetBestSlot(CKM_SSL3_PRE_MASTER_KEY_GEN, pwArg);
+    if (slot == NULL) {
+	PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND);
+	goto loser;
+    }
+
+    /* create a pre-Master secret */
+    version.major = MSB(ss->version);
+    version.minor = LSB(ss->version);
+
+    param.data = (unsigned char *)&version;
+    param.len  = sizeof version;
+
+    pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN,
+			 &param, 0, pwArg);
+    PK11_FreeSlot(slot);
+    slot = NULL;
+    if (pms == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+
+    /* If we don't have a certificate, we need to read out your public key.
+     * This changes a bit when we need to deal with the PQG stuff
+     */
+    PORT_Memset(fortezza_CKE.y_signature, 0, sizeof fortezza_CKE.y_signature);
+
+    /* Send the KEA public key and get the KEA private key. */
+    if (ss->ssl3->clientCertificate != NULL) {
+	/* with client-auth */
+	privKeaKey = sendFortezzaCKXClientAuth(ss, &fortezza_CKE);
+    } else {
+	/* without client-auth */
+	privKeaKey = sendFortezzaCKXNoClientAuth(ss);
+    }
+    if (privKeaKey == NULL) {
+	rv = SECFailure;
+	goto loser;	/* error was already set. */
+    }
+
+    /* Now we derive the TEK, and generate r_c the client's "random" public key.
+     * r_c is generated and filled in by the PubDerive call below.
+     */
+    raItem.data = fortezza_CKE.r_c;
+    raItem.len  = sizeof fortezza_CKE.r_c;
+
+    /* R_s == server's "random" public key, sent in the Server Key Exchange */
+    rbItem.data = ss->ssl3->fortezza.R_s;
+    rbItem.len  = sizeof ss->ssl3->fortezza.R_s;
+
+    tek = PK11_PubDerive(privKeaKey, serverKey, PR_TRUE, /* generate r_c */
+                         &raItem, &rbItem, CKM_KEA_KEY_DERIVE,
+			 CKM_SKIPJACK_WRAP, CKA_WRAP, 0, pwArg);
+    SECKEY_DestroyPrivateKey(privKeaKey);
+    privKeaKey = NULL;
+    if (tek == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+
+    ss->ssl3->fortezza.tek = PK11_ReferenceSymKey(tek); /* can't fail. */
+
+    /* encrypt the pms with the TEK.
+     * NB: PK11_WrapSymKey will generate and output the encrypted PMS
+     *     AND the IV for decrypting the PMS.
+     */
+    param.data   = fortezza_CKE.master_secret_iv;
+    param.len    = sizeof fortezza_CKE.master_secret_iv;
+
+    enc_pms.data = fortezza_CKE.encrypted_preMasterSecret;
+    enc_pms.len  = sizeof fortezza_CKE.encrypted_preMasterSecret;
+
+    rv = PK11_WrapSymKey(CKM_SKIPJACK_CBC64, &param, tek, pms, &enc_pms);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+    rv = SECFailure;	/* not there yet. */
+
+    slot = PK11_GetSlotFromKey(tek);
+
+    ssl_GetSpecWriteLock(ss); releaseSpecWriteLock = PR_TRUE;
+
+    pwSpec  = ss->ssl3->pwSpec;
+    pwSpec->client.write_key = client_write_key =
+		    PK11_KeyGen(slot, CKM_SKIPJACK_CBC64, NULL, 0, pwArg);
+    if (client_write_key == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+    /* the -1 is a hack. It's supposed to be key size, but we use it
+     * to tell the wrapper that we're doing a weird PKCS #11 key gen.
+     * Usually the result of key gen is an encrypt key. This is not
+     * the case with SSL, where this key is a decrypt key.
+     */
+    pwSpec->server.write_key = server_write_key =
+		    PK11_KeyGen(slot, CKM_SKIPJACK_CBC64, NULL, -1, pwArg);
+    if (server_write_key == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+
+    rv = ssl3_InitPendingCipherSpec(ss,  pms);
+    PK11_FreeSymKey(pms); pms = NULL;
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+
+    /* copy the keys and IVs out now */
+    item.data = fortezza_CKE.wrapped_client_write_key;
+    item.len  = sizeof fortezza_CKE.wrapped_client_write_key;
+    rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, tek, client_write_key, &item);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+
+    item.data = fortezza_CKE.wrapped_server_write_key;
+    item.len  = sizeof fortezza_CKE.wrapped_server_write_key;
+    rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, tek, server_write_key, &item);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto loser;
+    }
+
+    /* we only get the generated IV's if we're doing skipjack.  */
+    if (pwSpec->cipher_def->calg == calg_fortezza) {
+	PORT_Memcpy(fortezza_CKE.client_write_iv, pwSpec->client.write_iv,
+				    sizeof fortezza_CKE.client_write_iv);
+	PORT_Memcpy(fortezza_CKE.server_write_iv, pwSpec->server.write_iv,
+				    sizeof fortezza_CKE.server_write_iv);
+    } else {
+	/* generate IVs to make old servers happy */
+	rv = PK11_GenerateFortezzaIV(client_write_key,
+	                             fortezza_CKE.client_write_iv,
+	                             sizeof fortezza_CKE.client_write_iv);
+	if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	    goto loser;
+	}
+	rv = PK11_GenerateFortezzaIV(server_write_key,
+	                             fortezza_CKE.server_write_iv,
+	                             sizeof fortezza_CKE.server_write_iv);
+	if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	    goto loser;
+	}
+    }
+
+    /* NOTE: This technique of writing out the struct, rather than writing
+     * out the individual members works only because all the rest of the
+     * values are fixed-length strings of well-defined byte order.
+     * Add one SECItem or one Number and we will need to break the elements out.
+     */
+    rv = ssl3_AppendHandshake(ss, &fortezza_CKE.r_c,
+			      (sizeof fortezza_CKE - sizeof fortezza_CKE.y_c));
+    if (rv != SECSuccess) {
+	goto loser;	/* err was set by AppendHandshake. */
+    }
+
+    /* now we initialize our contexts */
+    sid->u.ssl3.hasFortezza = PR_TRUE;
+    sid->u.ssl3.tek         = tek; tek = NULL; 	/* adopt.. */
+
+    if (pwSpec->cipher_def->calg == calg_fortezza) {
+	sid->u.ssl3.clientWriteKey =
+			    PK11_ReferenceSymKey(pwSpec->client.write_key);
+	sid->u.ssl3.serverWriteKey=
+			    PK11_ReferenceSymKey(pwSpec->server.write_key);
+
+	PORT_Memcpy(sid->u.ssl3.keys.client_write_iv,
+	            pwSpec->client.write_iv,
+		    sizeof sid->u.ssl3.keys.client_write_iv);
+	PORT_Memcpy(sid->u.ssl3.keys.server_write_iv,
+	            pwSpec->server.write_iv,
+		    sizeof sid->u.ssl3.keys.server_write_iv);
+
+	rv = PK11_SaveContext((PK11Context *)pwSpec->encodeContext,
+			      sid->u.ssl3.clientWriteSave,
+			      &sid->u.ssl3.clientWriteSaveLen,
+			      sizeof sid->u.ssl3.clientWriteSave);
+	if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	    goto loser;
+	}
+    } else {
+	PK11_FreeSymKey(client_write_key);
+	pwSpec->client.write_key = client_write_key = NULL;
+
+	PK11_FreeSymKey(server_write_key);
+	pwSpec->server.write_key = server_write_key = NULL;
+
+	rv = SECSuccess;
+    }
+    /* FALL THROUGH */
+
+loser:
+    if (tek)    PK11_FreeSymKey(tek);
+    if (slot)   PK11_FreeSlot(slot);
+    if (pms)    PK11_FreeSymKey(pms);
+    if (rv != SECSuccess) {
+    	if (client_write_key) {
+	    PK11_FreeSymKey(client_write_key);
+	    pwSpec->client.write_key = client_write_key = NULL;
+	}
+    	if (server_write_key) {
+	    PK11_FreeSymKey(server_write_key);
+	    pwSpec->server.write_key = server_write_key = NULL;
+	}
+    }
+    if (releaseSpecWriteLock)
+	ssl_GetSpecWriteLock(ss);
+    return rv;
+}
+
+/* Called from ssl3_HandleServerHelloDone(). */
+static SECStatus
+ssl3_SendClientKeyExchange(sslSocket *ss)
+{
+    SECKEYPublicKey *	serverKey 	= NULL;
+    SECStatus 		rv 		= SECFailure;
+    PRBool              isTLS;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send client_key_exchange handshake",
+		SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
+
+    if (ss->sec.peerKey == NULL) {
+	serverKey = CERT_ExtractPublicKey(ss->sec.peerCert);
+	if (serverKey == NULL) {
+	    PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
+	    return SECFailure;
+	}
+    } else {
+	serverKey = ss->sec.peerKey;
+	ss->sec.peerKey = NULL; /* we're done with it now */
+    }
+
+    isTLS = (PRBool)(ss->ssl3->pwSpec->version > SSL_LIBRARY_VERSION_3_0);
+    /* enforce limits on kea key sizes. */
+    if (ss->ssl3->hs.kea_def->is_limited) {
+	int keyLen = SECKEY_PublicKeyStrength(serverKey);	/* bytes */
+
+	if (keyLen * BPB > ss->ssl3->hs.kea_def->key_size_limit) {
+	    if (isTLS)
+		(void)SSL3_SendAlert(ss, alert_fatal, export_restriction);
+	    else
+		(void)ssl3_HandshakeFailure(ss);
+	    PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
+	    goto loser;
+	}
+    }
+
+    ss->sec.keaType    = ss->ssl3->hs.kea_def->exchKeyType;
+    ss->sec.keaKeyBits = SECKEY_PublicKeyStrength(serverKey) * BPB;
+
+    switch (ss->ssl3->hs.kea_def->exchKeyType) {
+    case kt_rsa:
+	rv = sendRSAClientKeyExchange(ss, serverKey);
+	break;
+
+    case kt_fortezza:
+	rv = sendFortezzaClientKeyExchange(ss, serverKey);
+	break;
+
+    case kt_dh:
+	rv = sendDHClientKeyExchange(ss, serverKey);
+	break;
+
+    default:
+	/* got an unknown or unsupported Key Exchange Algorithm.  */
+	SEND_ALERT
+	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+	break;
+    }
+
+    SSL_TRC(3, ("%d: SSL3[%d]: DONE sending client_key_exchange",
+		SSL_GETPID(), ss->fd));
+
+loser:
+    if (serverKey) 
+    	SECKEY_DestroyPublicKey(serverKey);
+    return rv;	/* err code already set. */
+}
+
+/* Called from ssl3_HandleServerHelloDone(). */
+static SECStatus
+ssl3_SendCertificateVerify(sslSocket *ss)
+{
+    ssl3State *   ssl3 		= ss->ssl3;
+    SECStatus     rv		= SECFailure;
+    PRBool        isTLS;
+    SECItem       buf           = {siBuffer, NULL, 0};
+    SSL3Hashes    hashes;
+
+    PORT_Assert( ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake",
+		SSL_GETPID(), ss->fd));
+
+    ssl_GetSpecReadLock(ss);
+    rv = ssl3_ComputeHandshakeHashes(ss, ssl3->pwSpec, &hashes, 0);
+    ssl_ReleaseSpecReadLock(ss);
+    if (rv != SECSuccess) {
+	goto done;	/* err code was set by ssl3_ComputeHandshakeHashes */
+    }
+
+    isTLS = (PRBool)(ssl3->pwSpec->version > SSL_LIBRARY_VERSION_3_0);
+    rv = ssl3_SignHashes(&hashes, ssl3->clientPrivateKey, &buf, isTLS);
+    if (rv == SECSuccess) {
+	PK11SlotInfo * slot;
+	sslSessionID * sid   = ss->sec.ci.sid;
+
+    	/* Remember the info about the slot that did the signing.
+	** Later, when doing an SSL restart handshake, verify this.
+	** These calls are mere accessors, and can't fail.
+	*/
+	slot = PK11_GetSlotFromPrivateKey(ss->ssl3->clientPrivateKey);
+	sid->u.ssl3.clAuthSeries     = PK11_GetSlotSeries(slot);
+	sid->u.ssl3.clAuthSlotID     = PK11_GetSlotID(slot);
+	sid->u.ssl3.clAuthModuleID   = PK11_GetModuleID(slot);
+	sid->u.ssl3.clAuthValid      = PR_TRUE;
+	PK11_FreeSlot(slot);
+    }
+    /* If we're doing RSA key exchange, we're all done with the private key
+     * here.  Diffie-Hellman & Fortezza key exchanges need the client's
+     * private key for the key exchange.
+     */
+    if (ssl3->hs.kea_def->exchKeyType == kt_rsa) {
+	SECKEY_DestroyPrivateKey(ssl3->clientPrivateKey);
+	ssl3->clientPrivateKey = NULL;
+    }
+    if (rv != SECSuccess) {
+	goto done;	/* err code was set by ssl3_SignHashes */
+    }
+
+    rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, buf.len + 2);
+    if (rv != SECSuccess) {
+	goto done;	/* error code set by AppendHandshake */
+    }
+    rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2);
+    if (rv != SECSuccess) {
+	goto done;	/* error code set by AppendHandshake */
+    }
+
+done:
+    if (buf.data)
+	PORT_Free(buf.data);
+    return rv;
+}
+
+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 ServerHello message.
+ * Caller must hold Handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+{
+    sslSessionID *sid		= ss->sec.ci.sid;
+    PRInt32       temp;		/* allow for consume number failure */
+    PRBool        suite_found   = PR_FALSE;
+    int           i;
+    int           errCode	= SSL_ERROR_RX_MALFORMED_SERVER_HELLO;
+    SECStatus     rv;
+    SECItem       sidBytes 	= {siBuffer, NULL, 0};
+    PRBool        sid_match;
+    PRBool        isTLS		= PR_FALSE;
+    SSL3AlertDescription desc   = illegal_parameter;
+    SSL3ProtocolVersion version;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello handshake",
+    	SSL_GETPID(), ss->fd));
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+
+    rv = ssl3_InitState(ss);
+    if (rv != SECSuccess) {
+	errCode = PORT_GetError(); /* ssl3_InitState has set the error code. */
+	goto alert_loser;
+    }
+    if (ss->ssl3->hs.ws != wait_server_hello) {
+        errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO;
+	desc    = unexpected_message;
+	goto alert_loser;
+    }
+
+    temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
+    if (temp < 0) {
+    	goto loser; 	/* alert has been sent */
+    }
+    version = (SSL3ProtocolVersion)temp;
+
+    /* this is appropriate since the negotiation is complete, and we only
+    ** know SSL 3.x.
+    */
+    if (MSB(version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
+    	desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshake_failure;
+	goto alert_loser;
+    }
+
+    rv = ssl3_NegotiateVersion(ss, version);
+    if (rv != SECSuccess) {
+    	desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshake_failure;
+	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
+	goto alert_loser;
+    }
+    isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
+
+    rv = ssl3_ConsumeHandshake(
+	ss, &ss->ssl3->hs.server_random, SSL3_RANDOM_LENGTH, &b, &length);
+    if (rv != SECSuccess) {
+    	goto loser; 	/* alert has been sent */
+    }
+
+    rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
+    if (rv != SECSuccess) {
+    	goto loser; 	/* alert has been sent */
+    }
+    if (sidBytes.len > SSL3_SESSIONID_BYTES) {
+	if (isTLS)
+	    desc = decode_error;
+	goto alert_loser;	/* malformed. */
+    }
+
+    /* find selected cipher suite in our list. */
+    temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
+    if (temp < 0) {
+    	goto loser; 	/* alert has been sent */
+    }
+    ssl3_config_match_init(ss);
+    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
+	if ((temp == suite->cipher_suite) &&
+	    (config_match(suite, ss->ssl3->policy, PR_TRUE))) {
+	    suite_found = PR_TRUE;
+	    break;	/* success */
+	}
+    }
+    if (!suite_found) {
+    	desc    = handshake_failure;
+	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
+	goto alert_loser;
+    }
+    ss->ssl3->hs.cipher_suite = (ssl3CipherSuite)temp;
+    ss->ssl3->hs.suite_def    = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp);
+    PORT_Assert(ss->ssl3->hs.suite_def);
+    if (!ss->ssl3->hs.suite_def) {
+    	PORT_SetError(errCode = SEC_ERROR_LIBRARY_FAILURE);
+	goto loser;	/* we don't send alerts for our screw-ups. */
+    }
+
+    /* find selected compression method in our list. */
+    temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
+    if (temp < 0) {
+    	goto loser; 	/* alert has been sent */
+    }
+    suite_found = PR_FALSE;
+    for (i = 0; i < compressionMethodsCount; i++) {
+	if (temp == compressions[i])  {
+	    suite_found = PR_TRUE;
+	    break;	/* success */
+    	}
+    }
+    if (!suite_found) {
+    	desc    = handshake_failure;
+	errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
+	goto alert_loser;
+    }
+    ss->ssl3->hs.compression = (SSL3CompressionMethod)temp;
+
+    if (length != 0) {	/* malformed */
+	goto alert_loser;
+    }
+
+    /* Any errors after this point are not "malformed" errors. */
+    desc    = handshake_failure;
+
+    /* we need to call ssl3_SetupPendingCipherSpec here so we can check the
+     * key exchange algorithm. */
+    rv = ssl3_SetupPendingCipherSpec(ss, ss->ssl3);
+    if (rv != SECSuccess) {
+	goto alert_loser;	/* error code is set. */
+    }
+
+    /* We may or may not have sent a session id, we may get one back or
+     * not and if so it may match the one we sent.
+     * Attempt to restore the master secret to see if this is so...
+     * Don't consider failure to find a matching SID an error.
+     */
+    sid_match = (PRBool)(sidBytes.len > 0 &&
+	sidBytes.len == sid->u.ssl3.sessionIDLength &&
+	!PORT_Memcmp(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len));
+
+    if (sid_match &&
+	sid->version == ss->version &&
+	sid->u.ssl3.cipherSuite == ss->ssl3->hs.cipher_suite) do {
+	PK11SlotInfo *slot;
+	PK11SymKey *  wrapKey;     /* wrapping key */
+	SECItem       wrappedMS;   /* wrapped master secret. */
+	CK_FLAGS      keyFlags      = 0;
+
+        ss->sec.authAlgorithm = sid->authAlgorithm;
+	ss->sec.authKeyBits   = sid->authKeyBits;
+	ss->sec.keaType       = sid->keaType;
+	ss->sec.keaKeyBits    = sid->keaKeyBits;
+
+	slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
+	                         sid->u.ssl3.masterSlotID);
+	if (slot == NULL) {
+	    break;		/* not considered an error. */
+	}
+	if (!PK11_IsPresent(slot)) {
+	    PK11_FreeSlot(slot);
+	    break;		/* not considered an error. */
+	}
+	wrapKey = PK11_GetWrapKey(slot, sid->u.ssl3.masterWrapIndex,
+				  sid->u.ssl3.masterWrapMech,
+				  sid->u.ssl3.masterWrapSeries,
+				  ss->pkcs11PinArg);
+	PK11_FreeSlot(slot);
+	if (wrapKey == NULL) {
+	    break;		/* not considered an error. */
+	}
+
+	if (ss->version > SSL_LIBRARY_VERSION_3_0) {	/* isTLS */
+	    keyFlags = CKF_SIGN | CKF_VERIFY;
+	}
+
+        wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
+	wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
+	ss->ssl3->pwSpec->master_secret =
+	    PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech, 
+	    		NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
+		        CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
+	errCode = PORT_GetError();
+	PK11_FreeSymKey(wrapKey);
+	if (ss->ssl3->pwSpec->master_secret == NULL) {
+	    break;	/* errorCode set just after call to UnwrapSymKey. */
+	}
+
+	/* Got a Match */
+	++ssl3stats.hsh_sid_cache_hits;
+	ss->ssl3->hs.ws         = wait_change_cipher;
+	ss->ssl3->hs.isResuming = PR_TRUE;
+
+	/* copy the peer cert from the SID */
+	if (sid->peerCert != NULL) {
+	    ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
+	}
+
+	/* reload the FORTEZZA key material. These keys aren't generated
+	 * by the master secret, but by the key exchange. We restart by
+	 * reusing these keys. */
+	if (sid->u.ssl3.hasFortezza) {
+	    ss->ssl3->fortezza.tek = PK11_ReferenceSymKey(sid->u.ssl3.tek);
+	}
+	if (ss->ssl3->hs.suite_def->bulk_cipher_alg == cipher_fortezza) {
+	    ss->ssl3->pwSpec->client.write_key =
+	    		PK11_ReferenceSymKey(sid->u.ssl3.clientWriteKey);
+	    ss->ssl3->pwSpec->server.write_key =
+	    		PK11_ReferenceSymKey(sid->u.ssl3.serverWriteKey);
+	    /* add the tek later for pre-encrypted files */
+	    PORT_Memcpy(ss->ssl3->pwSpec->client.write_iv,
+			sid->u.ssl3.keys.client_write_iv,
+			sizeof sid->u.ssl3.keys.client_write_iv);
+	    PORT_Memcpy(ss->ssl3->pwSpec->server.write_iv,
+			sid->u.ssl3.keys.server_write_iv,
+			sizeof sid->u.ssl3.keys.server_write_iv);
+	}
+
+	/* NULL value for PMS signifies re-use of the old MS */
+	rv = ssl3_InitPendingCipherSpec(ss,  NULL);
+	if (rv != SECSuccess) {
+	    goto alert_loser;	/* err code was set by ssl3_InitPendingCipherSpec */
+	}
+	if (ss->ssl3->hs.suite_def->bulk_cipher_alg == cipher_fortezza) {
+	    rv = PK11_RestoreContext(
+			(PK11Context *)ss->ssl3->pwSpec->encodeContext,
+			sid->u.ssl3.clientWriteSave,
+			sid->u.ssl3.clientWriteSaveLen);
+	    if (rv != SECSuccess) {
+		goto alert_loser;	/* err is set. */
+	    }
+	}
+	SECITEM_ZfreeItem(&sidBytes, PR_FALSE);	
+	return SECSuccess;
+    } while (0);
+
+    if (sid_match)
+	++ssl3stats.hsh_sid_cache_not_ok;
+    else
+	++ssl3stats.hsh_sid_cache_misses;
+
+    /* throw the old one away */
+    sid->u.ssl3.resumable = PR_FALSE;
+    (*ss->sec.uncache)(sid);
+    ssl_FreeSID(sid);
+
+    /* get a new sid */
+    ss->sec.ci.sid = sid = ssl3_NewSessionID(ss, PR_FALSE);
+    if (sid == NULL) {
+	goto alert_loser;	/* memory error is set. */
+    }
+
+    sid->version = ss->version;
+    sid->u.ssl3.sessionIDLength = sidBytes.len;
+    PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len);
+    SECITEM_ZfreeItem(&sidBytes, PR_FALSE);
+
+    ss->ssl3->hs.isResuming = PR_FALSE;
+    ss->ssl3->hs.ws         = wait_server_cert;
+    return SECSuccess;
+
+alert_loser:
+    (void)SSL3_SendAlert(ss, alert_fatal, desc);
+
+loser:
+    if (sidBytes.data != NULL)
+	SECITEM_ZfreeItem(&sidBytes, PR_FALSE);
+    errCode = ssl_MapLowLevelError(errCode);
+    return SECFailure;
+}
+
+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 ServerKeyExchange message.
+ * Caller must hold Handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+{
+    PRArenaPool *    arena     = NULL;
+    SECKEYPublicKey *peerKey   = NULL;
+    PRBool           isTLS;
+    SECStatus        rv;
+    int              errCode   = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH;
+    SSL3AlertDescription desc  = illegal_parameter;
+    SECItem          modulus   = {siBuffer, NULL, 0};
+    SECItem          exponent  = {siBuffer, NULL, 0};
+    SECItem          signature = {siBuffer, NULL, 0};
+    SECItem          dh_p      = {siBuffer, NULL, 0};
+    SECItem          dh_g      = {siBuffer, NULL, 0};
+    SECItem          dh_Ys     = {siBuffer, NULL, 0};
+    SSL3Hashes       hashes;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake",
+		SSL_GETPID(), ss->fd));
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+
+    if (ss->ssl3->hs.ws != wait_server_key &&
+	ss->ssl3->hs.ws != wait_server_cert) {
+	errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
+	desc    = unexpected_message;
+	goto alert_loser;
+    }
+    if (ss->sec.peerCert == NULL) {
+	errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
+	desc    = unexpected_message;
+	goto alert_loser;
+    }
+
+    isTLS = (PRBool)(ss->ssl3->prSpec->version > SSL_LIBRARY_VERSION_3_0);
+
+    switch (ss->ssl3->hs.kea_def->exchKeyType) {
+
+    case kt_rsa:
+    	rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length);
+    	if (rv != SECSuccess) {
+	    goto loser;		/* malformed. */
+	}
+    	rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length);
+    	if (rv != SECSuccess) {
+	    goto loser;		/* malformed. */
+	}
+    	rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
+    	if (rv != SECSuccess) {
+	    goto loser;		/* malformed. */
+	}
+    	if (length != 0) {
+	    if (isTLS)
+		desc = decode_error;
+	    goto alert_loser;		/* malformed. */
+	}
+
+	/* failures after this point are not malformed handshakes. */
+	/* TLS: send decrypt_error if signature failed. */
+    	desc = isTLS ? decrypt_error : handshake_failure;
+
+    	/*
+     	 *  check to make sure the hash is signed by right guy
+     	 */
+    	rv = ssl3_ComputeExportRSAKeyHash(modulus, exponent,
+					  &ss->ssl3->hs.client_random,
+					  &ss->ssl3->hs.server_random, &hashes);
+        if (rv != SECSuccess) {
+	    errCode =
+	    	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+	    goto alert_loser;
+	}
+        rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
+				    isTLS, ss->pkcs11PinArg);
+	if (rv != SECSuccess)  {
+	    errCode =
+	    	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+	    goto alert_loser;
+	}
+
+	/*
+	 * we really need to build a new key here because we can no longer
+	 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate
+	 * pkcs11 slots and ID's.
+	 */
+    	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	if (arena == NULL) {
+	    goto no_memory;
+	}
+
+    	peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
+    	if (peerKey == NULL) {
+            PORT_FreeArena(arena, PR_FALSE);
+	    goto no_memory;
+	}
+
+	peerKey->arena              = arena;
+	peerKey->keyType            = rsaKey;
+	peerKey->pkcs11Slot         = NULL;
+	peerKey->pkcs11ID           = CK_INVALID_HANDLE;
+	if (SECITEM_CopyItem(arena, &peerKey->u.rsa.modulus,        &modulus) ||
+	    SECITEM_CopyItem(arena, &peerKey->u.rsa.publicExponent, &exponent))
+	{
+            PORT_FreeArena(arena, PR_FALSE);
+	    goto no_memory;
+        }
+    	ss->sec.peerKey = peerKey;
+	SECITEM_FreeItem(&modulus,   PR_FALSE);
+	SECITEM_FreeItem(&exponent,  PR_FALSE);
+	SECITEM_FreeItem(&signature, PR_FALSE);
+    	ss->ssl3->hs.ws = wait_cert_request;
+    	return SECSuccess;
+
+    case kt_dh:
+    	rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length);
+    	if (rv != SECSuccess) {
+	    goto loser;		/* malformed. */
+	}
+    	rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length);
+    	if (rv != SECSuccess) {
+	    goto loser;		/* malformed. */
+	}
+    	rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length);
+    	if (rv != SECSuccess) {
+	    goto loser;		/* malformed. */
+	}
+    	rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
+    	if (rv != SECSuccess) {
+	    goto loser;		/* malformed. */
+	}
+    	if (length != 0) {
+	    if (isTLS)
+		desc = decode_error;
+	    goto alert_loser;		/* malformed. */
+	}
+
+	PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len));
+	PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len));
+	PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len));
+
+	/* failures after this point are not malformed handshakes. */
+	/* TLS: send decrypt_error if signature failed. */
+    	desc = isTLS ? decrypt_error : handshake_failure;
+
+    	/*
+     	 *  check to make sure the hash is signed by right guy
+     	 */
+    	rv = ssl3_ComputeDHKeyHash(dh_p, dh_g, dh_Ys,
+					  &ss->ssl3->hs.client_random,
+					  &ss->ssl3->hs.server_random, &hashes);
+        if (rv != SECSuccess) {
+	    errCode =
+	    	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+	    goto alert_loser;
+	}
+        rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
+				    isTLS, ss->pkcs11PinArg);
+	if (rv != SECSuccess)  {
+	    errCode =
+	    	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+	    goto alert_loser;
+	}
+
+	/*
+	 * we really need to build a new key here because we can no longer
+	 * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate
+	 * pkcs11 slots and ID's.
+	 */
+    	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+	if (arena == NULL) {
+	    goto no_memory;
+	}
+
+    	ss->sec.peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
+    	if (peerKey == NULL) {
+	    goto no_memory;
+	}
+
+	peerKey->arena              = arena;
+	peerKey->keyType            = dhKey;
+	peerKey->pkcs11Slot         = NULL;
+	peerKey->pkcs11ID           = CK_INVALID_HANDLE;
+
+	if (SECITEM_CopyItem(arena, &peerKey->u.dh.prime,        &dh_p) ||
+	    SECITEM_CopyItem(arena, &peerKey->u.dh.base,         &dh_g) ||
+	    SECITEM_CopyItem(arena, &peerKey->u.dh.publicValue,  &dh_Ys))
+	{
+            PORT_FreeArena(arena, PR_FALSE);
+	    goto no_memory;
+        }
+    	ss->sec.peerKey = peerKey;
+	SECITEM_FreeItem(&dh_p,   PR_FALSE);
+	SECITEM_FreeItem(&dh_g,  PR_FALSE);
+	SECITEM_FreeItem(&dh_Ys, PR_FALSE);
+    	ss->ssl3->hs.ws = wait_cert_request;
+    	return SECSuccess;
+
+    case kt_fortezza:
+
+	/* Fortezza needs *BOTH* a server cert message
+	 * and a server key exchange message.
+ 	 */
+	if (ss->ssl3->hs.ws == wait_server_cert) {
+	    errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
+	    desc    = unexpected_message;
+	    goto alert_loser;
+	}
+	/* Get the server's "random" public key. */
+    	rv = ssl3_ConsumeHandshake(ss, ss->ssl3->fortezza.R_s,
+				   sizeof ss->ssl3->fortezza.R_s, &b, &length);
+    	if (rv != SECSuccess) {
+	    goto loser;		/* malformed */
+	}
+
+    	ss->ssl3->hs.ws = wait_cert_request;
+    	return SECSuccess;
+
+    default:
+    	desc    = handshake_failure;
+	errCode = SEC_ERROR_UNSUPPORTED_KEYALG;
+	break;		/* goto alert_loser; */
+    }
+
+alert_loser:
+    (void)SSL3_SendAlert(ss, alert_fatal, desc);
+loser:
+    if (modulus.data   != NULL) SECITEM_FreeItem(&modulus,   PR_FALSE);
+    if (exponent.data  != NULL) SECITEM_FreeItem(&exponent,  PR_FALSE);
+    if (signature.data != NULL) SECITEM_FreeItem(&signature, PR_FALSE);
+    if (dh_p.data != NULL) SECITEM_FreeItem(&dh_p, PR_FALSE);
+    if (dh_g.data != NULL) SECITEM_FreeItem(&dh_g, PR_FALSE);
+    if (dh_Ys.data != NULL) SECITEM_FreeItem(&dh_Ys, PR_FALSE);
+    PORT_SetError( errCode );
+    return SECFailure;
+
+no_memory:	/* no-memory error has already been set. */
+    if (modulus.data   != NULL) SECITEM_FreeItem(&modulus,   PR_FALSE);
+    if (exponent.data  != NULL) SECITEM_FreeItem(&exponent,  PR_FALSE);
+    if (signature.data != NULL) SECITEM_FreeItem(&signature, PR_FALSE);
+    ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+    return SECFailure;
+}
+
+
+typedef struct dnameNode {
+    struct dnameNode *next;
+    SECItem           name;
+} dnameNode;
+
+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 Certificate Request message.
+ * Caller must hold Handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+{
+    ssl3State *          ssl3        = ss->ssl3;
+    PRArenaPool *        arena       = NULL;
+    dnameNode *          node;
+    unsigned char *      data;
+    PRInt32              remaining;
+    PRInt32              len;
+    PRBool               isTLS       = PR_FALSE;
+    int                  i;
+    int                  errCode     = SSL_ERROR_RX_MALFORMED_CERT_REQUEST;
+    int                  nnames      = 0;
+    SECStatus            rv;
+    SSL3AlertDescription desc        = illegal_parameter;
+    SECItem              cert_types  = {siBuffer, NULL, 0};
+    CERTDistNames        ca_list;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake",
+		SSL_GETPID(), ss->fd));
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+
+    if (ssl3->hs.ws != wait_cert_request &&
+    	ssl3->hs.ws != wait_server_key) {
+	desc    = unexpected_message;
+	errCode = SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST;
+	goto alert_loser;
+    }
+
+    /* clean up anything left from previous handshake. */
+    if (ssl3->clientCertChain != NULL) {
+       CERT_DestroyCertificateList(ssl3->clientCertChain);
+       ssl3->clientCertChain = NULL;
+    }
+
+    isTLS = (PRBool)(ssl3->prSpec->version > SSL_LIBRARY_VERSION_3_0);
+    rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length);
+    if (rv != SECSuccess)
+    	goto loser;		/* malformed, alert has been sent */
+
+    arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL)
+    	goto no_mem;
+
+    remaining = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
+    if (remaining < 0)
+    	goto loser;	 	/* malformed, alert has been sent */
+
+    ca_list.head = node = PORT_ArenaZNew(arena, dnameNode);
+    if (node == NULL)
+    	goto no_mem;
+
+    while (remaining != 0) {
+	if (remaining < 2)
+	    goto alert_loser;	/* malformed */
+
+	node->name.len = len = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
+	if (len < 0)
+	    goto loser;		/* malformed, alert has been sent */
+
+	remaining -= 2;
+	if (remaining < len)
+	    goto alert_loser;	/* malformed */
+
+	data = node->name.data = (unsigned char*)PORT_ArenaAlloc(arena, len);
+	if (data == NULL)
+	    goto no_mem;
+
+	rv = ssl3_ConsumeHandshake(ss, data, len, &b, &length);
+	if (rv != SECSuccess)
+	    goto loser;		/* malformed, alert has been sent */
+
+	remaining -= len;
+	nnames++;
+	if (remaining == 0)
+	    break;		/* success */
+
+	node->next = PORT_ArenaZNew(arena, dnameNode);
+	node = node->next;
+	if (node == NULL)
+	    goto no_mem;
+    }
+
+    ca_list.nnames = nnames;
+    ca_list.names  = (SECItem*)PORT_ArenaAlloc(arena, nnames * sizeof(SECItem));
+    if (ca_list.names == NULL)
+        goto no_mem;
+
+    for(i = 0, node = (dnameNode*)ca_list.head;
+	i < nnames;
+	i++, node = node->next) {
+	ca_list.names[i] = node->name;
+    }
+
+    if (length != 0)
+        goto alert_loser;   	/* malformed */
+
+    desc = no_certificate;
+    ssl3->hs.ws = wait_hello_done;
+
+    if (ss->getClientAuthData == NULL) {
+	rv = SECFailure; /* force it to send a no_certificate alert */
+    } else {
+	/* XXX Should pass cert_types in this call!! */
+	rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg,
+						 ss->fd, &ca_list,
+						 &ssl3->clientCertificate,
+						 &ssl3->clientPrivateKey);
+    }
+    switch (rv) {
+    case SECWouldBlock:	/* getClientAuthData has put up a dialog box. */
+	ssl_SetAlwaysBlock(ss);
+	break;	/* not an error */
+
+    case SECSuccess:
+	/* Setting ssl3->clientCertChain non-NULL will cause
+	 * ssl3_HandleServerHelloDone to call SendCertificate.
+	 */
+	ssl3->clientCertChain = CERT_CertChainFromCert(ssl3->clientCertificate,
+			certUsageSSLClient, PR_FALSE);
+	if (ssl3->clientCertChain == NULL) {
+	    if (ssl3->clientCertificate != NULL) {
+		CERT_DestroyCertificate(ssl3->clientCertificate);
+		ssl3->clientCertificate = NULL;
+	    }
+	    if (ssl3->clientPrivateKey != NULL) {
+		SECKEY_DestroyPrivateKey(ssl3->clientPrivateKey);
+		ssl3->clientPrivateKey = NULL;
+	    }
+	    goto send_no_certificate;
+	}
+	break;	/* not an error */
+
+    case SECFailure:
+    default:
+send_no_certificate:
+	if (isTLS) {
+	    ssl3->sendEmptyCert = PR_TRUE;
+	} else {
+	    (void)SSL3_SendAlert(ss, alert_warning, no_certificate);
+	}
+	rv = SECSuccess;
+	break;
+    }
+    goto done;
+
+no_mem:
+    rv = SECFailure;
+    PORT_SetError(SEC_ERROR_NO_MEMORY);
+    goto done;
+
+alert_loser:
+    if (isTLS && desc == illegal_parameter)
+    	desc = decode_error;
+    (void)SSL3_SendAlert(ss, alert_fatal, desc);
+loser:
+    PORT_SetError(errCode);
+    rv = SECFailure;
+done:
+    if (arena != NULL)
+    	PORT_FreeArena(arena, PR_FALSE);
+    if (cert_types.data != NULL)
+    	SECITEM_FreeItem(&cert_types, PR_FALSE);
+    return rv;
+}
+
+/*
+ * attempt to restart the handshake after asynchronously handling
+ * a request for the client's certificate.
+ *
+ * inputs:
+ *	cert	Client cert chosen by application.
+ *		Note: ssl takes this reference, and does not bump the
+ *		reference count.  The caller should drop its reference
+ *		without calling CERT_DestroyCert after calling this function.
+ *
+ *	key	Private key associated with cert.  This function makes a
+ *		copy of the private key, so the caller remains responsible
+ *		for destroying its copy after this function returns.
+ *
+ *	certChain  DER-encoded certs, client cert and its signers.
+ *		Note: ssl takes this reference, and does not copy the chain.
+ *		The caller should drop its reference without destroying the
+ *		chain.  SSL will free the chain when it is done with it.
+ *
+ * Return value: XXX
+ *
+ * XXX This code only works on the initial handshake on a connection, XXX
+ *     It does not work on a subsequent handshake (redo).
+ *
+ * Caller holds 1stHandshakeLock.
+ */
+SECStatus
+ssl3_RestartHandshakeAfterCertReq(sslSocket *         ss,
+				CERTCertificate *    cert,
+				SECKEYPrivateKey *   key,
+				CERTCertificateList *certChain)
+{
+    SECStatus        rv          = SECSuccess;
+
+    if (MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0)) {
+	/* XXX This code only works on the initial handshake on a connection,
+	** XXX It does not work on a subsequent handshake (redo).
+	*/
+	if (ss->handshake != 0) {
+	    ss->handshake               = ssl_GatherRecord1stHandshake;
+	    ss->ssl3->clientCertificate = cert;
+	    ss->ssl3->clientCertChain   = certChain;
+	    if (key == NULL) {
+		(void)SSL3_SendAlert(ss, alert_warning, no_certificate);
+		ss->ssl3->clientPrivateKey = NULL;
+	    } else {
+		ss->ssl3->clientPrivateKey = SECKEY_CopyPrivateKey(key);
+	    }
+	    ssl_GetRecvBufLock(ss);
+	    if (ss->ssl3->hs.msgState.buf != NULL) {
+		rv = ssl3_HandleRecord(ss, NULL, &ss->gs.buf);
+	    }
+	    ssl_ReleaseRecvBufLock(ss);
+	}
+    }
+    return rv;
+}
+
+
+
+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 Server Hello Done message.
+ * Caller must hold Handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleServerHelloDone(sslSocket *ss)
+{
+    SECStatus     rv;
+    SSL3WaitState ws          = ss->ssl3->hs.ws;
+    PRBool        send_verify = PR_FALSE;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello_done handshake",
+		SSL_GETPID(), ss->fd));
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+
+    if (ws != wait_hello_done  &&
+        ws != wait_server_cert &&
+	ws != wait_server_key  &&
+	ws != wait_cert_request) {
+	SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
+	return SECFailure;
+    }
+
+    ssl_GetXmitBufLock(ss);		/*******************************/
+
+    if (ss->ssl3->sendEmptyCert) {
+	ss->ssl3->sendEmptyCert = PR_FALSE;
+	rv = ssl3_SendEmptyCertificate(ss);
+	/* Don't send verify */
+	if (rv != SECSuccess) {
+	    goto loser;	/* error code is set. */
+    	}
+    } else
+    if (ss->ssl3->clientCertChain  != NULL &&
+	ss->ssl3->clientPrivateKey != NULL) {
+	send_verify = PR_TRUE;
+	rv = ssl3_SendCertificate(ss);
+	if (rv != SECSuccess) {
+	    goto loser;	/* error code is set. */
+    	}
+    }
+
+    rv = ssl3_SendClientKeyExchange(ss);
+    if (rv != SECSuccess) {
+    	goto loser;	/* err is set. */
+    }
+
+    if (send_verify) {
+	rv = ssl3_SendCertificateVerify(ss);
+	if (rv != SECSuccess) {
+	    goto loser;	/* err is set. */
+        }
+    }
+    rv = ssl3_SendChangeCipherSpecs(ss);
+    if (rv != SECSuccess) {
+	goto loser;	/* err code was set. */
+    }
+    rv = ssl3_SendFinished(ss, 0);
+    if (rv != SECSuccess) {
+	goto loser;	/* err code was set. */
+    }
+
+    ssl_ReleaseXmitBufLock(ss);		/*******************************/
+
+    ss->ssl3->hs.ws = wait_change_cipher;
+    return SECSuccess;
+
+loser:
+    ssl_ReleaseXmitBufLock(ss);
+    return rv;
+}
+
+/*
+ * Routines used by servers
+ */
+static SECStatus
+ssl3_SendHelloRequest(sslSocket *ss)
+{
+    SECStatus rv;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send hello_request handshake", SSL_GETPID(),
+		ss->fd));
+
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ssl_HaveXmitBufLock(ss) );
+
+    rv = ssl3_AppendHandshakeHeader(ss, hello_request, 0);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by AppendHandshake */
+    }
+    rv = ssl3_FlushHandshake(ss, 0);
+    if (rv != SECSuccess) {
+	return rv;	/* error code set by ssl3_FlushHandshake */
+    }
+    ss->ssl3->hs.ws = wait_client_hello;
+    return SECSuccess;
+}
+
+/* Sets memory error when returning NULL.
+ * Called from:
+ *	ssl3_SendClientHello()
+ *	ssl3_HandleServerHello()
+ *	ssl3_HandleClientHello()
+ *	ssl3_HandleV2ClientHello()
+ */
+static sslSessionID *
+ssl3_NewSessionID(sslSocket *ss, PRBool is_server)
+{
+    sslSessionID *sid;
+
+    sid = PORT_ZNew(sslSessionID);
+    if (sid == NULL)
+    	return sid;
+
+    sid->peerID		= (ss->peerID == NULL) ? NULL : PORT_Strdup(ss->peerID);
+    sid->urlSvrName	= (ss->url    == NULL) ? NULL : PORT_Strdup(ss->url);
+    sid->addr           = ss->sec.ci.peer;
+    sid->port           = ss->sec.ci.port;
+    sid->references     = 1;
+    sid->cached         = never_cached;
+    sid->version        = ss->version;
+
+    sid->u.ssl3.resumable      = PR_TRUE;
+    sid->u.ssl3.policy         = SSL_ALLOWED;
+    sid->u.ssl3.hasFortezza    = PR_FALSE;
+    sid->u.ssl3.clientWriteKey = NULL;
+    sid->u.ssl3.serverWriteKey = NULL;
+    sid->u.ssl3.tek            = NULL;
+
+    if (is_server) {
+	SECStatus rv;
+	int       pid = SSL_GETPID();
+
+	sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES;
+	sid->u.ssl3.sessionID[0]    = (pid >> 8) & 0xff;
+	sid->u.ssl3.sessionID[1]    =  pid       & 0xff;
+	rv = PK11_GenerateRandom(sid->u.ssl3.sessionID + 2,
+	                         SSL3_SESSIONID_BYTES -2);
+	if (rv != SECSuccess) {
+	    ssl_FreeSID(sid);
+	    ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
+	    return NULL;
+    	}
+    }
+    return sid;
+}
+
+/* Called from:  ssl3_HandleClientHello, ssl3_HandleV2ClientHello */
+static SECStatus
+ssl3_SendServerHelloSequence(sslSocket *ss)
+{
+    const ssl3KEADef *kea_def;
+    SECStatus         rv;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: begin send server_hello sequence",
+		SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( ssl_HaveXmitBufLock(ss) );
+
+    rv = ssl3_SendServerHello(ss);
+    if (rv != SECSuccess) {
+	return rv;	/* err code is set. */
+    }
+    rv = ssl3_SendCertificate(ss);
+    if (rv != SECSuccess) {
+	return rv;	/* error code is set. */
+    }
+    /* We have to do this after the call to ssl3_SendServerHello,
+     * because kea_def is set up by ssl3_SendServerHello().
+     */
+    kea_def = ss->ssl3->hs.kea_def;
+    ss->ssl3->hs.usedStepDownKey = PR_FALSE;
+    if (kea_def->kea == kea_fortezza) {
+	rv = ssl3_SendServerKeyExchange(ss);
+	if (rv != SECSuccess) {
+	    return rv;	/* err code was set. */
+	}
+    } else if (kea_def->is_limited && kea_def->exchKeyType == kt_rsa) {
+	/* see if we can legally use the key in the cert. */
+	int keyLen;  /* bytes */
+
+	keyLen = PK11_GetPrivateModulusLen(
+			    ss->serverCerts[kea_def->exchKeyType].serverKey);
+
+	if (keyLen > 0 &&
+	    keyLen * BPB <= kea_def->key_size_limit ) {
+	    /* XXX AND cert is not signing only!! */
+	    /* just fall through and use it. */
+	} else if (ss->stepDownKeyPair != NULL) {
+	    ss->ssl3->hs.usedStepDownKey = PR_TRUE;
+	    rv = ssl3_SendServerKeyExchange(ss);
+	    if (rv != SECSuccess) {
+		return rv;	/* err code was set. */
+	    }
+	} else {
+#ifndef HACKED_EXPORT_SERVER
+	    PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
+	    return rv;
+#endif
+	}
+    }
+
+    if (ss->requestCertificate) {
+	rv = ssl3_SendCertificateRequest(ss);
+	if (rv != SECSuccess) {
+	    return rv;		/* err code is set. */
+	}
+    }
+    rv = ssl3_SendServerHelloDone(ss);
+    if (rv != SECSuccess) {
+	return rv;		/* err code is set. */
+    }
+
+    ss->ssl3->hs.ws = (ss->requestCertificate) ? wait_client_cert
+                                               : wait_client_key;
+    return SECSuccess;
+}
+
+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 Client Hello message.
+ * Caller must hold Handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+{
+    sslSessionID *      sid      = NULL;
+    ssl3State *         ssl3;
+    PRInt32		tmp;
+    unsigned int        i;
+    int                 j;
+    SECStatus           rv;
+    int                 errCode  = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
+    SSL3AlertDescription desc    = illegal_parameter;
+    SSL3ProtocolVersion version;
+    SECItem             sidBytes = {siBuffer, NULL, 0};
+    SECItem             suites   = {siBuffer, NULL, 0};
+    SECItem             comps    = {siBuffer, NULL, 0};
+    PRBool              haveSpecWriteLock = PR_FALSE;
+    PRBool              haveXmitBufLock   = PR_FALSE;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake",
+    	SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
+
+    /* Get peer name of client */
+    rv = ssl_GetPeerInfo(ss);
+    if (rv != SECSuccess) {
+	return rv;		/* error code is set. */
+    }
+
+    rv = ssl3_InitState(ss);
+    if (rv != SECSuccess) {
+	return rv;		/* ssl3_InitState has set the error code. */
+    }
+    ssl3 = ss->ssl3;
+
+    if ((ssl3->hs.ws != wait_client_hello) &&
+	(ssl3->hs.ws != idle_handshake)) {
+	desc    = unexpected_message;
+	errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
+	goto alert_loser;
+    }
+
+    tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
+    if (tmp < 0)
+	goto loser;		/* malformed, alert already sent */
+    ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp;
+    rv = ssl3_NegotiateVersion(ss, version);
+    if (rv != SECSuccess) {
+    	desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshake_failure;
+	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
+	goto alert_loser;
+    }
+
+    /* grab the client random data. */
+    rv = ssl3_ConsumeHandshake(
+	ss, &ssl3->hs.client_random, SSL3_RANDOM_LENGTH, &b, &length);
+    if (rv != SECSuccess) {
+	goto loser;		/* malformed */
+    }
+
+    /* grab the client's SID, if present. */
+    rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
+    if (rv != SECSuccess) {
+	goto loser;		/* malformed */
+    }
+
+    if (sidBytes.len > 0) {
+	SSL_TRC(7, ("%d: SSL3[%d]: server, lookup client session-id for 0x%08x%08x%08x%08x",
+                    SSL_GETPID(), ss->fd, ss->sec.ci.peer.pr_s6_addr32[0],
+		    ss->sec.ci.peer.pr_s6_addr32[1], 
+		    ss->sec.ci.peer.pr_s6_addr32[2],
+		    ss->sec.ci.peer.pr_s6_addr32[3]));
+	sid = (*ssl_sid_lookup)(&ss->sec.ci.peer, sidBytes.data, sidBytes.len,
+	                        ss->dbHandle);
+    }
+    SECITEM_FreeItem(&sidBytes, PR_FALSE);
+
+    /* grab the list of cipher suites. */
+    rv = ssl3_ConsumeHandshakeVariable(ss, &suites, 2, &b, &length);
+    if (rv != SECSuccess) {
+	goto loser;		/* malformed */
+    }
+
+    /* grab the list of compression methods. */
+    rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length);
+    if (rv != SECSuccess) {
+	goto loser;		/* malformed */
+    }
+
+    /* It's OK for length to be non-zero here.
+     * Non-zero length means that some new protocol revision has extended
+     * the client hello message.
+     */
+
+    desc = handshake_failure;
+
+    if (sid != NULL) {
+	/* We've found a session cache entry for this client.
+	 * Now, if we're going to require a client-auth cert,
+	 * and we don't already have this client's cert in the session cache,
+	 * and this is the first handshake on this connection (not a redo),
+	 * then drop this old cache entry and start a new session.
+	 */
+	if ((sid->peerCert == NULL) && ss->requestCertificate &&
+	    ((ss->requireCertificate == 1) ||
+	     ((ss->requireCertificate == 2) && !ss->firstHsDone))) {
+
+	    ++ssl3stats.hch_sid_cache_not_ok;
+	    ss->sec.uncache(sid);
+	    ssl_FreeSID(sid);
+	    sid = NULL;
+	}
+    }
+
+    /* Look for a matching cipher suite. */
+    j = ssl3_config_match_init(ss);
+    if (j <= 0) {		/* no ciphers are working/supported by PK11 */
+    	errCode = PORT_GetError();	/* error code is already set. */
+	goto alert_loser;
+    }
+    /* If we already have a session for this client, be sure to pick the
+    ** same cipher suite we picked before.
+    ** This is not a loop, despite appearances.
+    */
+    if (sid) do {
+	ssl3CipherSuiteCfg *suite = ss->cipherSuites;
+	for (j = ssl_V3_SUITES_IMPLEMENTED; j > 0; --j, ++suite) {
+	    if (suite->cipher_suite == sid->u.ssl3.cipherSuite)
+		break;
+	}
+	if (!j)
+	    break;
+	if (!config_match(suite, ssl3->policy, PR_TRUE))
+	    break;
+	for (i = 0; i < suites.len; i += 2) {
+	    if ((suites.data[i]     == MSB(suite->cipher_suite)) &&
+	        (suites.data[i + 1] == LSB(suite->cipher_suite))) {
+
+		ssl3->hs.cipher_suite = suite->cipher_suite;
+		ssl3->hs.suite_def =
+		    ssl_LookupCipherSuiteDef(ssl3->hs.cipher_suite);
+		goto suite_found;
+	    }
+	}
+    } while (0);
+
+    /* Select a cipher suite.
+    ** NOTE: This suite selection algorithm should be the same as the one in
+    ** ssl3_HandleV2ClientHello().  
+    */
+    for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
+	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
+	if (!config_match(suite, ssl3->policy, PR_TRUE))
+	    continue;
+	for (i = 0; i < suites.len; i += 2) {
+	    if ((suites.data[i]     == MSB(suite->cipher_suite)) &&
+	        (suites.data[i + 1] == LSB(suite->cipher_suite))) {
+
+		ssl3->hs.cipher_suite = suite->cipher_suite;
+		ssl3->hs.suite_def =
+		    ssl_LookupCipherSuiteDef(ssl3->hs.cipher_suite);
+		goto suite_found;
+	    }
+	}
+    }
+    errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
+    goto alert_loser;
+
+suite_found:
+    /* Look for a matching compression algorithm. */
+    for (i = 0; i < comps.len; i++) {
+	for (j = 0; j < compressionMethodsCount; j++) {
+	    if (comps.data[i] == compressions[j]) {
+		ssl3->hs.compression = (SSL3CompressionMethod)compressions[j];
+		goto compression_found;
+	    }
+	}
+    }
+    errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
+    				/* null compression must be supported */
+    goto alert_loser;
+
+compression_found:
+    PORT_Free(suites.data);
+    suites.data = NULL;
+    PORT_Free(comps.data);
+    comps.data = NULL;
+
+    ss->sec.send = ssl3_SendApplicationData;
+
+    /* If there are any failures while processing the old sid,
+     * we don't consider them to be errors.  Instead, We just behave
+     * as if the client had sent us no sid to begin with, and make a new one.
+     */
+    if (sid != NULL) do {
+	PK11SlotInfo *  slot;
+	PK11SymKey *    wrapKey; 	/* wrapping key */
+	SECItem         wrappedKey;  	/* wrapped key */
+	ssl3CipherSpec *pwSpec;
+	CK_FLAGS        keyFlags      = 0;
+
+	if (sid->version != ss->version  ||
+	    sid->u.ssl3.cipherSuite != ssl3->hs.cipher_suite) {
+	    break;	/* not an error */
+	}
+
+	if (ss->sec.ci.sid) {
+	    ss->sec.uncache(ss->sec.ci.sid);
+	    PORT_Assert(ss->sec.ci.sid != sid);  /* should be impossible, but ... */
+	    if (ss->sec.ci.sid != sid) {
+		ssl_FreeSID(ss->sec.ci.sid);
+	    }
+	    ss->sec.ci.sid = NULL;
+	}
+	/* we need to resurrect the master secret.... */
+
+	ssl_GetSpecWriteLock(ss);  haveSpecWriteLock = PR_TRUE;
+	pwSpec = ssl3->pwSpec;
+
+	wrapKey = getWrappingKey(ss, NULL, sid->u.ssl3.exchKeyType,
+	                         sid->u.ssl3.masterWrapMech, ss->pkcs11PinArg);
+	if (!wrapKey) {
+	    /* we have a SID cache entry, but no wrapping key for it??? */
+	    break;
+	}
+
+	if (ss->version > SSL_LIBRARY_VERSION_3_0) {	/* isTLS */
+	    keyFlags = CKF_SIGN | CKF_VERIFY;
+	}
+
+        wrappedKey.data = sid->u.ssl3.keys.wrapped_master_secret;
+	wrappedKey.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
+
+	/* unwrap the master secret. */
+	pwSpec->master_secret =
+	    PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech, 
+	    		NULL, &wrappedKey, CKM_SSL3_MASTER_KEY_DERIVE,
+			CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
+	PK11_FreeSymKey(wrapKey);
+	if (pwSpec->master_secret == NULL) {
+	    break;	/* not an error */
+	}
+	ss->sec.ci.sid = sid;
+	if (sid->peerCert != NULL) {
+	    ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
+	}
+
+	/*
+	 * Old SID passed all tests, so resume this old session.
+	 *
+	 * XXX make sure compression still matches
+	 */
+	++ssl3stats.hch_sid_cache_hits;
+	ssl3->hs.isResuming = PR_TRUE;
+
+        ss->sec.authAlgorithm = sid->authAlgorithm;
+	ss->sec.authKeyBits   = sid->authKeyBits;
+	ss->sec.keaType       = sid->keaType;
+	ss->sec.keaKeyBits    = sid->keaKeyBits;
+
+	/* server sids don't remember the server cert we previously sent,
+	** but they do remember the kea type we originally used, so we
+	** can locate it again, provided that the current ssl socket
+	** has had its server certs configured the same as the previous one.
+	*/
+	ss->sec.localCert     = 
+		CERT_DupCertificate(ss->serverCerts[sid->keaType].serverCert);
+
+	ssl_GetXmitBufLock(ss); haveXmitBufLock = PR_TRUE;
+
+	rv = ssl3_SendServerHello(ss);
+	if (rv != SECSuccess) {
+	    errCode = PORT_GetError();
+	    goto loser;
+	}
+
+	/* reload the FORTEZZA key material.
+	 * On Fortezza, the following keys & IVs are generated by the KEA,
+	 * not from the PMS.  Since we're not going to redo the KEA, we
+	 * have to save & restore them for Fortezza.
+	 * use kea because we haven't call InitCipher Specs yet...?
+	 */
+	if (ssl3->hs.suite_def->bulk_cipher_alg == cipher_fortezza) {
+	    PK11SymKey *      Ks;
+	    SECItem           item;
+
+	    PORT_Memcpy(pwSpec->client.write_iv,
+		sid->u.ssl3.keys.client_write_iv,
+		sizeof sid->u.ssl3.keys.client_write_iv);
+	    PORT_Memcpy(pwSpec->server.write_iv,
+		sid->u.ssl3.keys.server_write_iv,
+		sizeof sid->u.ssl3.keys.server_write_iv);
+
+	    /* Now, unwrap the client and server write keys with Ks */
+
+	    /* get the slot that the fortezza server private key is in. */
+	    slot = PK11_GetSlotFromPrivateKey(
+	                                ss->serverCerts[kt_fortezza].serverKey);
+	    if (slot == NULL) {
+		ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+		goto loser;
+	    }
+
+	    /* Look up the Token Fixed Key */
+	    Ks = PK11_FindFixedKey(slot, CKM_SKIPJACK_WRAP, NULL,
+	                           ss->pkcs11PinArg);
+	    PK11_FreeSlot(slot);
+	    if (Ks == NULL) {
+		ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+		goto loser;
+	    }
+
+	    /* unwrap client write key with the local Ks */
+	    item.data = sid->u.ssl3.keys.wrapped_client_write_key;
+	    item.len  = sizeof sid->u.ssl3.keys.wrapped_client_write_key;
+
+	    pwSpec->client.write_key =
+		    PK11_UnwrapSymKey(Ks, CKM_SKIPJACK_WRAP, NULL, &item,
+				      CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0);
+	    if (pwSpec->client.write_key == NULL) {
+		SEND_ALERT
+		ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE);
+		goto loser;
+	    }
+
+	    /* unwrap server write key with the local Ks */
+	    item.data = sid->u.ssl3.keys.wrapped_server_write_key;
+	    item.len  = sizeof sid->u.ssl3.keys.wrapped_server_write_key;
+
+	    pwSpec->server.write_key =
+		    PK11_UnwrapSymKey(Ks, CKM_SKIPJACK_WRAP, NULL, &item,
+				      CKM_SKIPJACK_CBC64, CKA_ENCRYPT, 0);
+	    if (pwSpec->server.write_key == NULL) {
+		PK11_FreeSymKey(pwSpec->client.write_key);
+		pwSpec->client.write_key = NULL;
+		SEND_ALERT
+		ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE);
+		goto loser;
+	    }
+	    /* Set flag that says "generate 8 byte random prefix plaintext." */
+	    PK11_SetFortezzaHack(pwSpec->server.write_key);	/* can't fail */
+
+	}
+
+	if (haveSpecWriteLock) {
+	    ssl_ReleaseSpecWriteLock(ss);
+	    haveSpecWriteLock = PR_FALSE;
+	}
+
+	/* NULL value for PMS signifies re-use of the old MS */
+	rv = ssl3_InitPendingCipherSpec(ss,  NULL);
+	if (rv != SECSuccess) {
+	    errCode = PORT_GetError();
+	    goto loser;
+	}
+
+	rv = ssl3_SendChangeCipherSpecs(ss);
+	if (rv != SECSuccess) {
+	    errCode = PORT_GetError();
+	    goto loser;
+	}
+	rv = ssl3_SendFinished(ss, 0);
+	ssl3->hs.ws = wait_change_cipher;
+	if (rv != SECSuccess) {
+	    errCode = PORT_GetError();
+	    goto loser;
+	}
+
+	if (haveXmitBufLock) {
+	    ssl_ReleaseXmitBufLock(ss);
+	    haveXmitBufLock = PR_FALSE;
+	}
+
+        return SECSuccess;
+    } while (0);
+
+    if (haveSpecWriteLock) {
+	ssl_ReleaseSpecWriteLock(ss);
+	haveSpecWriteLock = PR_FALSE;
+    }
+
+    if (sid) { 	/* we had a sid, but it's no longer valid, free it */
+	++ssl3stats.hch_sid_cache_not_ok;
+	ss->sec.uncache(sid);
+	ssl_FreeSID(sid);
+	sid = NULL;
+    }
+    ++ssl3stats.hch_sid_cache_misses;
+
+    sid = ssl3_NewSessionID(ss, PR_TRUE);
+    if (sid == NULL) {
+	errCode = PORT_GetError();
+	goto loser;	/* memory error is set. */
+    }
+    ss->sec.ci.sid = sid;
+
+    ssl3->hs.isResuming = PR_FALSE;
+    ssl_GetXmitBufLock(ss);
+    rv = ssl3_SendServerHelloSequence(ss);
+    ssl_ReleaseXmitBufLock(ss);
+    if (rv != SECSuccess) {
+	errCode = PORT_GetError();
+	goto loser;
+    }
+
+    if (haveXmitBufLock) {
+	ssl_ReleaseXmitBufLock(ss);
+	haveXmitBufLock = PR_FALSE;
+    }
+
+    return SECSuccess;
+
+alert_loser:
+    if (haveSpecWriteLock) {
+	ssl_ReleaseSpecWriteLock(ss);
+	haveSpecWriteLock = PR_FALSE;
+    }
+    (void)SSL3_SendAlert(ss, alert_fatal, desc);
+    /* FALLTHRU */
+loser:
+    if (haveSpecWriteLock) {
+	ssl_ReleaseSpecWriteLock(ss);
+	haveSpecWriteLock = PR_FALSE;
+    }
+
+    if (sidBytes.data != NULL) SECITEM_FreeItem(&sidBytes, PR_FALSE);
+    if (suites.data   != NULL) SECITEM_FreeItem(&suites,   PR_FALSE);
+    if (comps.data    != NULL) SECITEM_FreeItem(&comps,    PR_FALSE);
+
+    if (haveXmitBufLock) {
+	ssl_ReleaseXmitBufLock(ss);
+	haveXmitBufLock = PR_FALSE;
+    }
+
+    PORT_SetError(errCode);
+    return SECFailure;
+}
+
+/*
+ * ssl3_HandleV2ClientHello is used when a V2 formatted hello comes
+ * in asking to use the V3 handshake.
+ * Called from ssl2_HandleClientHelloMessage() in sslcon.c
+ */
+SECStatus
+ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
+{
+    sslSessionID *      sid 		= NULL;
+    unsigned char *     suites;
+    unsigned char *     random;
+    SSL3ProtocolVersion version;
+    SECStatus           rv;
+    int                 i;
+    int                 j;
+    int                 sid_length;
+    int                 suite_length;
+    int                 rand_length;
+    int                 errCode  = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
+    SSL3AlertDescription desc    = handshake_failure;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle v2 client_hello", SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+
+    ssl_GetSSL3HandshakeLock(ss);
+
+    rv = ssl3_InitState(ss);
+    if (rv != SECSuccess) {
+	ssl_ReleaseSSL3HandshakeLock(ss);
+	return rv;		/* ssl3_InitState has set the error code. */
+    }
+
+    if (ss->ssl3->hs.ws != wait_client_hello) {
+	desc    = unexpected_message;
+	errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
+	goto loser;	/* alert_loser */
+    }
+
+    version      = (buffer[1] << 8) | buffer[2];
+    suite_length = (buffer[3] << 8) | buffer[4];
+    sid_length   = (buffer[5] << 8) | buffer[6];
+    rand_length  = (buffer[7] << 8) | buffer[8];
+    ss->clientHelloVersion = version;
+
+    rv = ssl3_NegotiateVersion(ss, version);
+    if (rv != SECSuccess) {
+	/* send back which ever alert client will understand. */
+    	desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version : handshake_failure;
+	errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
+	goto alert_loser;
+    }
+
+    /* if we get a non-zero SID, just ignore it. */
+    if (length !=
+        SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length + rand_length) {
+	SSL_DBG(("%d: SSL3[%d]: bad v2 client hello message, len=%d should=%d",
+		 SSL_GETPID(), ss->fd, length,
+		 SSL_HL_CLIENT_HELLO_HBYTES + suite_length + sid_length +
+		 rand_length));
+	goto loser;	/* malformed */	/* alert_loser */
+    }
+
+    suites = buffer + SSL_HL_CLIENT_HELLO_HBYTES;
+    random = suites + suite_length + sid_length;
+
+    if (rand_length < SSL_MIN_CHALLENGE_BYTES ||
+	rand_length > SSL_MAX_CHALLENGE_BYTES) {
+	goto loser;	/* malformed */	/* alert_loser */
+    }
+
+    PORT_Assert(SSL_MAX_CHALLENGE_BYTES == SSL3_RANDOM_LENGTH);
+
+    PORT_Memset(&ss->ssl3->hs.client_random, 0, SSL3_RANDOM_LENGTH);
+    PORT_Memcpy(
+	&ss->ssl3->hs.client_random.rand[SSL3_RANDOM_LENGTH - rand_length],
+	random, rand_length);
+
+    PRINT_BUF(60, (ss, "client random:", &ss->ssl3->hs.client_random.rand[0],
+		   SSL3_RANDOM_LENGTH));
+
+    i = ssl3_config_match_init(ss);
+    if (i <= 0) {
+    	errCode = PORT_GetError();	/* error code is already set. */
+	goto alert_loser;
+    }
+
+    /* Select a cipher suite.
+    ** NOTE: This suite selection algorithm should be the same as the one in
+    ** ssl3_HandleClientHello().  
+    */
+    for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
+	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
+	if (!config_match(suite, ss->ssl3->policy, PR_TRUE))
+	    continue;
+	for (i = 0; i < suite_length; i += 3) {
+	    if ((suites[i]   == 0) &&
+		(suites[i+1] == MSB(suite->cipher_suite)) &&
+		(suites[i+2] == LSB(suite->cipher_suite))) {
+
+		ss->ssl3->hs.cipher_suite = suite->cipher_suite;
+		ss->ssl3->hs.suite_def =
+		    ssl_LookupCipherSuiteDef(ss->ssl3->hs.cipher_suite);
+		goto suite_found;
+	    }
+	}
+    }
+    errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
+    goto alert_loser;
+
+suite_found:
+
+    ss->ssl3->hs.compression = compression_null;
+    ss->sec.send            = ssl3_SendApplicationData;
+
+    /* we don't even search for a cache hit here.  It's just a miss. */
+    ++ssl3stats.hch_sid_cache_misses;
+    sid = ssl3_NewSessionID(ss, PR_TRUE);
+    if (sid == NULL) {
+    	errCode = PORT_GetError();
+	goto loser;	/* memory error is set. */
+    }
+    ss->sec.ci.sid = sid;
+    /* do not worry about memory leak of sid since it now belongs to ci */
+
+    /* We have to update the handshake hashes before we can send stuff */
+    rv = ssl3_UpdateHandshakeHashes(ss, buffer, length);
+    if (rv != SECSuccess) {
+    	errCode = PORT_GetError();
+	goto loser;
+    }
+
+    ssl_GetXmitBufLock(ss);
+    rv = ssl3_SendServerHelloSequence(ss);
+    ssl_ReleaseXmitBufLock(ss);
+    if (rv != SECSuccess) {
+    	errCode = PORT_GetError();
+	goto loser;
+    }
+
+    /* XXX_1 	The call stack to here is:
+     * ssl_Do1stHandshake -> ssl2_HandleClientHelloMessage -> here.
+     * ssl2_HandleClientHelloMessage returns whatever we return here.
+     * ssl_Do1stHandshake will continue looping if it gets back either
+     *		SECSuccess or SECWouldBlock.
+     * SECSuccess is preferable here.  See XXX_1 in sslgathr.c.
+     */
+    ssl_ReleaseSSL3HandshakeLock(ss);
+    return SECSuccess;
+
+alert_loser:
+    SSL3_SendAlert(ss, alert_fatal, desc);
+loser:
+    ssl_ReleaseSSL3HandshakeLock(ss);
+    PORT_SetError(errCode);
+    return SECFailure;
+}
+
+/* The negotiated version number has been already placed in ss->version.
+**
+** Called from:  ssl3_HandleClientHello                     (resuming session),
+** 	ssl3_SendServerHelloSequence <- ssl3_HandleClientHello   (new session),
+** 	ssl3_SendServerHelloSequence <- ssl3_HandleV2ClientHello (new session)
+*/
+static SECStatus
+ssl3_SendServerHello(sslSocket *ss)
+{
+    sslSessionID *sid;
+    SECStatus     rv;
+    PRUint32      length;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send server_hello handshake", SSL_GETPID(),
+		ss->fd));
+
+    PORT_Assert( ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0));
+
+    if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
+	PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+	return SECFailure;
+    }
+
+    sid = ss->sec.ci.sid;
+    length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 1 +
+             ((sid == NULL) ? 0: SSL3_SESSIONID_BYTES) +
+	     sizeof(ssl3CipherSuite) + 1;
+    rv = ssl3_AppendHandshakeHeader(ss, server_hello, length);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by AppendHandshake. */
+    }
+
+    rv = ssl3_AppendHandshakeNumber(ss, ss->version, 2);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by AppendHandshake. */
+    }
+    rv = ssl3_GetNewRandom(&ss->ssl3->hs.server_random);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
+	return rv;
+    }
+    rv = ssl3_AppendHandshake(
+	ss, &ss->ssl3->hs.server_random, SSL3_RANDOM_LENGTH);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by AppendHandshake. */
+    }
+
+    if (sid)
+	rv = ssl3_AppendHandshakeVariable(
+	    ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
+    else
+	rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by AppendHandshake. */
+    }
+
+    rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3->hs.cipher_suite, 2);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by AppendHandshake. */
+    }
+    rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3->hs.compression, 1);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by AppendHandshake. */
+    }
+    rv = ssl3_SetupPendingCipherSpec(ss, ss->ssl3);
+    if (rv != SECSuccess) {
+	return rv;	/* err set by ssl3_SetupPendingCipherSpec */
+    }
+
+    return SECSuccess;
+}
+
+
+static SECStatus
+ssl3_SendServerKeyExchange(sslSocket *ss)
+{
+const ssl3KEADef *     kea_def     = ss->ssl3->hs.kea_def;
+    SECStatus          rv          = SECFailure;
+    int                length;
+    PRBool             isTLS;
+    SECItem            signed_hash = {siBuffer, NULL, 0};
+    SSL3Hashes         hashes;
+    SECKEYPublicKey *  sdPub;	/* public key for step-down */
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake",
+		SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
+
+    switch (kea_def->exchKeyType) {
+    case kt_rsa:
+	/* Perform SSL Step-Down here. */
+	sdPub = ss->stepDownKeyPair->pubKey;
+	PORT_Assert(sdPub != NULL);
+	if (!sdPub) {
+	    PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+	    return SECFailure;
+	}
+    	rv = ssl3_ComputeExportRSAKeyHash(sdPub->u.rsa.modulus,
+					  sdPub->u.rsa.publicExponent,
+	                                  &ss->ssl3->hs.client_random,
+	                                  &ss->ssl3->hs.server_random,
+	                                  &hashes);
+        if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+	    return rv;
+	}
+
+	isTLS = (PRBool)(ss->ssl3->pwSpec->version > SSL_LIBRARY_VERSION_3_0);
+	rv = ssl3_SignHashes(&hashes, ss->serverCerts[kt_rsa].serverKey, 
+	                     &signed_hash, isTLS);
+        if (rv != SECSuccess) {
+	    goto loser;		/* ssl3_SignHashes has set err. */
+	}
+	if (signed_hash.data == NULL) {
+	    /* how can this happen and rv == SECSuccess ?? */
+	    PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+	    goto loser;
+	}
+	length = 2 + sdPub->u.rsa.modulus.len +
+	         2 + sdPub->u.rsa.publicExponent.len +
+	         2 + signed_hash.len;
+
+	rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length);
+	if (rv != SECSuccess) {
+	    goto loser; 	/* err set by AppendHandshake. */
+	}
+
+	rv = ssl3_AppendHandshakeVariable(ss, sdPub->u.rsa.modulus.data,
+					  sdPub->u.rsa.modulus.len, 2);
+	if (rv != SECSuccess) {
+	    goto loser; 	/* err set by AppendHandshake. */
+	}
+
+	rv = ssl3_AppendHandshakeVariable(
+				ss, sdPub->u.rsa.publicExponent.data,
+				sdPub->u.rsa.publicExponent.len, 2);
+	if (rv != SECSuccess) {
+	    goto loser; 	/* err set by AppendHandshake. */
+	}
+
+	rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
+	                                  signed_hash.len, 2);
+	if (rv != SECSuccess) {
+	    goto loser; 	/* err set by AppendHandshake. */
+	}
+	PORT_Free(signed_hash.data);
+	return SECSuccess;
+
+    case kt_fortezza:
+
+	/* Set server's "random" public key R_s to the email value == 1 */
+	PORT_Memset(ss->ssl3->fortezza.R_s, 0, sizeof(ss->ssl3->fortezza.R_s));
+	ss->ssl3->fortezza.R_s[127] = 1;
+
+	/* don't waste time signing the random number */
+	length = sizeof (ss->ssl3->fortezza.R_s) /*+ 2 + signed_hash.len*/;
+
+	rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length);
+	if (rv != SECSuccess) {
+	    goto loser; 	/* err set by AppendHandshake. */
+	}
+
+	rv = ssl3_AppendHandshake( ss, &ss->ssl3->fortezza.R_s,
+					sizeof(ss->ssl3->fortezza.R_s));
+	if (rv != SECSuccess) {
+	    goto loser; 	/* err set by AppendHandshake. */
+	}
+	return SECSuccess;
+
+    case kt_dh:
+    case kt_null:
+    default:
+	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+	break;
+    }
+loser:
+    if (signed_hash.data != NULL) 
+    	PORT_Free(signed_hash.data);
+    return SECFailure;
+}
+
+
+static SECStatus
+ssl3_SendCertificateRequest(sslSocket *ss)
+{
+    SECItem *      name;
+    CERTDistNames *ca_list;
+const uint8 *      certTypes;
+    SECItem *      names	= NULL;
+    SECStatus      rv;
+    int            length;
+    int            i;
+    int            calen	= 0;
+    int            nnames	= 0;
+    int            certTypesLength;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake",
+		SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
+
+    /* ssl3->ca_list is initialized to NULL, and never changed. */
+    ca_list = ss->ssl3->ca_list;
+    if (!ca_list) {
+	ca_list = ssl3_server_ca_list;
+    }
+
+    if (ca_list != NULL) {
+	names = ca_list->names;
+	nnames = ca_list->nnames;
+    }
+
+    if (!nnames) {
+	PORT_SetError(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA);
+	return SECFailure;
+    }
+
+    for (i = 0, name = names; i < nnames; i++, name++) {
+	calen += 2 + name->len;
+    }
+
+    if (ss->ssl3->hs.kea_def->exchKeyType == kt_fortezza) {
+	certTypes       = fortezza_certificate_types;
+	certTypesLength = sizeof fortezza_certificate_types;
+    } else {
+	certTypes       = certificate_types;
+	certTypesLength = sizeof certificate_types;
+    }
+
+    length = 1 + certTypesLength + 2 + calen;
+
+    rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length);
+    if (rv != SECSuccess) {
+	return rv; 		/* err set by AppendHandshake. */
+    }
+    rv = ssl3_AppendHandshakeVariable(ss, certTypes, certTypesLength, 1);
+    if (rv != SECSuccess) {
+	return rv; 		/* err set by AppendHandshake. */
+    }
+    rv = ssl3_AppendHandshakeNumber(ss, calen, 2);
+    if (rv != SECSuccess) {
+	return rv; 		/* err set by AppendHandshake. */
+    }
+    for (i = 0, name = names; i < nnames; i++, name++) {
+	rv = ssl3_AppendHandshakeVariable(ss, name->data, name->len, 2);
+	if (rv != SECSuccess) {
+	    return rv; 		/* err set by AppendHandshake. */
+	}
+    }
+
+    return SECSuccess;
+}
+
+static SECStatus
+ssl3_SendServerHelloDone(sslSocket *ss)
+{
+    SECStatus rv;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send server_hello_done handshake",
+		SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
+
+    rv = ssl3_AppendHandshakeHeader(ss, server_hello_done, 0);
+    if (rv != SECSuccess) {
+	return rv; 		/* err set by AppendHandshake. */
+    }
+    rv = ssl3_FlushHandshake(ss, 0);
+    if (rv != SECSuccess) {
+	return rv;	/* error code set by ssl3_FlushHandshake */
+    }
+    return SECSuccess;
+}
+
+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 Certificate Verify message
+ * Caller must hold Handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
+			     SSL3Hashes *hashes)
+{
+    SECItem              signed_hash = {siBuffer, NULL, 0};
+    SECStatus            rv;
+    int                  errCode     = SSL_ERROR_RX_MALFORMED_CERT_VERIFY;
+    SSL3AlertDescription desc        = handshake_failure;
+    PRBool               isTLS;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake",
+		SSL_GETPID(), ss->fd));
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+
+    if (ss->ssl3->hs.ws != wait_cert_verify || ss->sec.peerCert == NULL) {
+	desc    = unexpected_message;
+	errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY;
+	goto alert_loser;
+    }
+
+    rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length);
+    if (rv != SECSuccess) {
+	goto loser;		/* malformed. */
+    }
+
+    isTLS = (PRBool)(ss->ssl3->prSpec->version > SSL_LIBRARY_VERSION_3_0);
+
+    /* XXX verify that the key & kea match */
+    rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash,
+				 isTLS, ss->pkcs11PinArg);
+    if (rv != SECSuccess) {
+    	errCode = PORT_GetError();
+	desc = isTLS ? decrypt_error : handshake_failure;
+	goto alert_loser;
+    }
+
+    PORT_Free(signed_hash.data);
+    signed_hash.data = NULL;
+
+    if (length != 0) {
+	desc    = isTLS ? decode_error : illegal_parameter;
+	goto alert_loser;	/* malformed */
+    }
+    ss->ssl3->hs.ws = wait_change_cipher;
+    return SECSuccess;
+
+alert_loser:
+    SSL3_SendAlert(ss, alert_fatal, desc);
+loser:
+    if (signed_hash.data != NULL) SECITEM_FreeItem(&signed_hash, PR_FALSE);
+    PORT_SetError(errCode);
+    return SECFailure;
+}
+
+/*
+** Called from ssl3_HandleClientKeyExchange()
+*/
+static SECStatus
+ssl3_HandleFortezzaClientKeyExchange(sslSocket *ss, SSL3Opaque *b,
+				     PRUint32 length,
+                                     SECKEYPrivateKey *serverKey)
+{
+    SECKEYPublicKey * pubKey            = NULL;
+    PK11SymKey *      tek               = NULL;
+    PK11SymKey *      pms;
+    PK11SymKey *      Ks		= NULL;
+    sslSessionID *    sid 		= ss->sec.ci.sid;
+    ssl3CipherSpec *  pwSpec 		= ss->ssl3->pwSpec;
+    void *            pwArg             = ss->pkcs11PinArg;
+    SECStatus         rv;
+    SECItem           raItem;
+    SECItem           rbItem;
+    SECItem           param;
+    SECItem           item;
+    SECItem           enc_pms;
+    SSL3FortezzaKeys  fortezza_CKE;
+
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+
+    fortezza_CKE.y_c.data = NULL;
+    rv = ssl3_ConsumeHandshakeVariable(ss, &fortezza_CKE.y_c, 1, &b, &length);
+    if (rv != SECSuccess) {
+	PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH);
+	goto fortezza_loser;
+    }
+    rv = ssl3_ConsumeHandshake(ss, &fortezza_CKE.r_c,
+	                       sizeof fortezza_CKE - sizeof fortezza_CKE.y_c,
+	                       &b, &length);
+    if (rv != SECSuccess) {
+	PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH);
+	goto fortezza_loser;
+    }
+
+    /* Build a Token Encryption key (tek). TEK's can never be unloaded
+     * from the card, but given these parameters, and *OUR* fortezza
+     * card, we can always regenerate the same one on the fly.
+     */
+    if (ss->sec.peerCert != NULL) {
+	/* client-auth case */
+
+	pubKey = CERT_ExtractPublicKey(ss->sec.peerCert);
+	if (pubKey == NULL) {
+	    SEND_ALERT
+	    PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
+	    rv = SECFailure;
+	    goto fortezza_loser;
+	}
+
+	if (pubKey->keyType != fortezzaKey) {
+	    /* handle V3 client-auth case */
+	    SECItem       sigItem;
+	    SECItem       hashItem;
+	    unsigned char hash[SHA1_LENGTH];
+
+	    rv = ssl3_ComputeFortezzaPublicKeyHash(fortezza_CKE.y_c, hash);
+	    if (rv != SECSuccess) {
+		SEND_ALERT
+		ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+		goto fortezza_loser;
+	    }
+	    sigItem.data  = fortezza_CKE.y_signature;
+	    sigItem.len   = sizeof fortezza_CKE.y_signature;
+
+	    hashItem.data = hash;
+	    hashItem.len  = sizeof hash;
+
+	    rv = PK11_Verify(pubKey, &sigItem, &hashItem, pwArg);
+	    if (rv != SECSuccess) {
+		SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
+		ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+		goto fortezza_loser;
+	    }
+	    SECKEY_DestroyPublicKey(pubKey); pubKey = NULL;
+	}
+    }
+    rv = SECFailure;
+
+    /* Make the public key if necessary */
+    if (fortezza_CKE.y_c.len != 0) {
+	if (pubKey != NULL) {
+	    /* The client is not allowed to send the public key
+	     * if it can be extracted from the certificate. */
+	    SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
+	    PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	    goto fortezza_loser;
+	}
+	pubKey = PK11_MakeKEAPubKey(fortezza_CKE.y_c.data,
+				    fortezza_CKE.y_c.len);
+    }
+    if (pubKey == NULL) {
+	/* no public Key in either the cert or the protocol message*/
+	SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
+	PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto fortezza_loser;
+    }
+
+    /* Now we derive the TEK.  r_c is the client's "random" public key. */
+    raItem.data = fortezza_CKE.r_c;
+    raItem.len  = sizeof(fortezza_CKE.r_c);
+
+    /* R_s == server's "random" public key, sent in the Server Key Exchange */
+    rbItem.data = ss->ssl3->fortezza.R_s;
+    rbItem.len  = sizeof ss->ssl3->fortezza.R_s;
+
+    tek = PK11_PubDerive(serverKey, pubKey, PR_FALSE, /* don't gen r_c */
+                         &raItem, &rbItem, CKM_KEA_KEY_DERIVE,
+			 CKM_SKIPJACK_WRAP, CKA_WRAP, 0, pwArg);
+    SECKEY_DestroyPublicKey(pubKey); pubKey = NULL;
+    if (tek == NULL) {
+	SEND_ALERT
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	goto fortezza_loser;
+    }
+
+    ss->ssl3->fortezza.tek = PK11_ReferenceSymKey(tek);
+
+    if (pwSpec->cipher_def->calg == calg_fortezza) {
+	item.data = fortezza_CKE.wrapped_client_write_key;
+	item.len  = sizeof fortezza_CKE.wrapped_client_write_key;
+
+	pwSpec->client.write_key =
+		PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL, &item,
+		                  CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0);
+	if (pwSpec->client.write_key == NULL) {
+	    SEND_ALERT
+	    ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE);
+	    goto fortezza_loser;
+	}
+
+	item.data = fortezza_CKE.wrapped_server_write_key;
+	item.len  = sizeof fortezza_CKE.wrapped_server_write_key;
+
+	pwSpec->server.write_key =
+		PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL, &item,
+		                  CKM_SKIPJACK_CBC64, CKA_ENCRYPT, 0);
+	if (pwSpec->server.write_key == NULL) {
+	    PK11_FreeSymKey(pwSpec->client.write_key);
+	    pwSpec->client.write_key = NULL;
+	    SEND_ALERT
+	    ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE);
+	    goto fortezza_loser;
+	}
+	/* Set a flag that says "generate 8 byte random prefix plaintext." */
+	PK11_SetFortezzaHack(pwSpec->server.write_key);	/* can't fail */
+
+	PORT_Memcpy(pwSpec->client.write_iv, fortezza_CKE.client_write_iv,
+		    sizeof fortezza_CKE.client_write_iv);
+	PORT_Memcpy(pwSpec->server.write_iv, fortezza_CKE.server_write_iv,
+		    sizeof fortezza_CKE.server_write_iv);
+
+    }
+
+    /* decrypt the pms with the TEK */
+    enc_pms.data = fortezza_CKE.encrypted_preMasterSecret;
+    enc_pms.len  = sizeof fortezza_CKE.encrypted_preMasterSecret;
+
+    param.data = fortezza_CKE.master_secret_iv;
+    param.len  = sizeof fortezza_CKE.master_secret_iv;
+
+    pms = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_CBC64, &param, &enc_pms,
+			    CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
+    if (pms == NULL) {
+	SEND_ALERT
+	ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE);
+	goto fortezza_loser;
+    }
+
+    rv = ssl3_InitPendingCipherSpec(ss,  pms);
+    PK11_FreeSymKey(pms);
+    if (rv != SECSuccess) {
+	SEND_ALERT
+	goto fortezza_loser; 	/* err code is set. */
+    }
+
+    if (pwSpec->cipher_def->calg == calg_fortezza) {
+	PK11SlotInfo *    slot;
+
+	sid->u.ssl3.clientWriteKey =
+			    PK11_ReferenceSymKey(pwSpec->client.write_key);
+	sid->u.ssl3.serverWriteKey =
+			    PK11_ReferenceSymKey(pwSpec->server.write_key);
+
+	PORT_Memcpy(sid->u.ssl3.keys.client_write_iv, pwSpec->client.write_iv,
+		    sizeof sid->u.ssl3.keys.client_write_iv);
+	PORT_Memcpy(sid->u.ssl3.keys.server_write_iv, pwSpec->server.write_iv,
+		    sizeof sid->u.ssl3.keys.server_write_iv);
+
+	/* Now, wrap the client and server write keys in Ks for storage
+	 * in the on-disk sid.
+	 */
+
+	slot = PK11_GetSlotFromKey(tek); 	/* get ref to the slot */
+	if (slot == NULL) {
+	    ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	    goto fortezza_loser;
+	}
+
+	/* Look up the Token Fixed Key */
+	Ks = PK11_FindFixedKey(slot, CKM_SKIPJACK_WRAP, NULL, ss->pkcs11PinArg);
+	PK11_FreeSlot(slot);
+	if (Ks == NULL) {
+	    ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	    goto fortezza_loser;
+	}
+
+	/* rewrap server write key with the local Ks */
+	item.data = sid->u.ssl3.keys.wrapped_server_write_key;
+	item.len  = sizeof sid->u.ssl3.keys.wrapped_server_write_key;
+	rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, Ks,
+	                     pwSpec->server.write_key, &item);
+	if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	    goto fortezza_loser;
+	}
+
+	/* rewrap client write key with the local Ks */
+	item.data = sid->u.ssl3.keys.wrapped_client_write_key;
+	item.len  = sizeof sid->u.ssl3.keys.wrapped_client_write_key;
+	rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, Ks,
+	                     pwSpec->client.write_key, &item);
+	if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	    goto fortezza_loser;
+	}
+
+	/* wrap the master secret later, when we handle the client's
+	 * finished message.
+	 */
+    }
+
+    sid->u.ssl3.hasFortezza = PR_TRUE;
+    sid->u.ssl3.tek = tek; tek = NULL;
+
+    rv = SECSuccess;
+
+fortezza_loser:
+    if (Ks)  PK11_FreeSymKey(Ks);
+    if (tek) PK11_FreeSymKey(tek);
+    if (pubKey) SECKEY_DestroyPublicKey(pubKey);
+    if (fortezza_CKE.y_c.data != NULL)
+    	SECITEM_FreeItem(&fortezza_CKE.y_c, PR_FALSE);
+    return rv;
+}
+
+/* find a slot that is able to generate a PMS and wrap it with RSA.
+ * Then generate and return the PMS.
+ * If the serverKeySlot parameter is non-null, this function will use
+ * that slot to do the job, otherwise it will find a slot.
+ *
+ * Called from  ssl3_GenerateSessionKeys()         (above)
+ *		sendRSAClientKeyExchange()         (above)
+ *		ssl3_HandleRSAClientKeyExchange()  (below)
+ * Caller must hold the SpecWriteLock, the SSL3HandshakeLock
+ */
+static PK11SymKey *
+ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
+                    PK11SlotInfo * serverKeySlot)
+{
+    PK11SymKey *      pms		= NULL;
+    PK11SlotInfo *    slot		= serverKeySlot;
+    void *	      pwArg 		= ss->pkcs11PinArg;
+    SECItem           param;
+    CK_VERSION 	      version;
+    CK_MECHANISM_TYPE mechanism_array[3];
+
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+
+    if (slot == NULL) {
+	SSLCipherAlgorithm calg;
+	/* The specReadLock would suffice here, but we cannot assert on
+	** read locks.  Also, all the callers who call with a non-null
+	** slot already hold the SpecWriteLock.
+	*/
+	PORT_Assert( ssl_HaveSpecWriteLock(ss));
+	PORT_Assert(ss->ssl3->prSpec == ss->ssl3->pwSpec);
+
+        calg = spec->cipher_def->calg;
+	PORT_Assert(alg2Mech[calg].calg == calg);
+
+	/* First get an appropriate slot.  */
+	mechanism_array[0] = CKM_SSL3_PRE_MASTER_KEY_GEN;
+	mechanism_array[1] = CKM_RSA_PKCS;
+	mechanism_array[2] = alg2Mech[calg].cmech;
+
+	slot = PK11_GetBestSlotMultiple(mechanism_array, 3, pwArg);
+	if (slot == NULL) {
+	   /* can't find a slot with all three, find a slot with the minimum */
+	    slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg);
+	    if (slot == NULL) {
+		PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND);
+		return pms;	/* which is NULL */
+	    }
+	}
+    }
+
+    /* Generate the pre-master secret ...  */
+    version.major = MSB(ss->clientHelloVersion);
+    version.minor = LSB(ss->clientHelloVersion);
+
+    param.data = (unsigned char *)&version;
+    param.len  = sizeof version;
+
+    pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, &param, 0, pwArg);
+    if (!serverKeySlot)
+	PK11_FreeSlot(slot);
+    if (pms == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+    }
+    return pms;
+}
+
+/* Note: The Bleichenbacher attack on PKCS#1 necessitates that we NEVER
+ * return any indication of failure of the Client Key Exchange message,
+ * where that failure is caused by the content of the client's message.
+ * This function must not return SECFailure for any reason that is directly
+ * or indirectly caused by the content of the client's encrypted PMS.
+ * We must not send an alert and also not drop the connection.
+ * Instead, we generate a random PMS.  This will cause a failure
+ * in the processing the finished message, which is exactly where
+ * the failure must occur.
+ *
+ * Called from ssl3_HandleClientKeyExchange
+ */
+static SECStatus
+ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
+                                SSL3Opaque *b,
+				PRUint32 length,
+				SECKEYPrivateKey *serverKey)
+{
+    PK11SymKey *      pms;
+    SECStatus         rv;
+    SECItem           enc_pms;
+
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+
+    enc_pms.data = b;
+    enc_pms.len  = length;
+
+    if (ss->ssl3->prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
+	PRInt32 kLen;
+	kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &enc_pms.data, &enc_pms.len);
+	if (kLen < 0) {
+	    PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	    return SECFailure;
+	}
+	if ((unsigned)kLen < enc_pms.len) {
+	    enc_pms.len = kLen;
+	}
+    }
+    /*
+     * decrypt pms out of the incoming buffer
+     * Note: CKM_SSL3_PRE_MASTER_KEY_GEN is NOT the mechanism used to do 
+     *	the unwrap.  Rather, it is the mechanism with which the unwrapped
+     *	pms will be used.
+     */
+    pms = PK11_PubUnwrapSymKey(serverKey, &enc_pms,
+			       CKM_SSL3_PRE_MASTER_KEY_GEN, CKA_DERIVE, 0);
+    if (pms != NULL) {
+	PRINT_BUF(60, (ss, "decrypted premaster secret:",
+		       PK11_GetKeyData(pms)->data,
+		       PK11_GetKeyData(pms)->len));
+    } else {
+	/* unwrap failed.  Generate a bogus pre-master secret and carry on. */
+	PK11SlotInfo *  slot   = PK11_GetSlotFromPrivateKey(serverKey);
+
+	ssl_GetSpecWriteLock(ss);
+	pms = ssl3_GenerateRSAPMS(ss, ss->ssl3->prSpec, slot);
+	ssl_ReleaseSpecWriteLock(ss);
+
+	PK11_FreeSlot(slot);
+    }
+
+    if (pms == NULL) {
+	/* last gasp.  */
+	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+	return SECFailure;
+    }
+
+    rv = ssl3_InitPendingCipherSpec(ss,  pms);
+    PK11_FreeSymKey(pms);
+    if (rv != SECSuccess) {
+	SEND_ALERT
+	return SECFailure;	/* error code set by ssl3_InitPendingCipherSpec */
+    }
+    return SECSuccess;
+}
+
+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 ClientKeyExchange message from the remote client
+ * Caller must hold Handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+{
+    SECKEYPrivateKey *serverKey         = NULL;
+    SECStatus         rv;
+const ssl3KEADef *    kea_def;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake",
+		SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+
+    if (ss->ssl3->hs.ws != wait_client_key) {
+	SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+    	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
+	return SECFailure;
+    }
+
+    kea_def   = ss->ssl3->hs.kea_def;
+
+    serverKey =  (ss->ssl3->hs.usedStepDownKey
+#ifdef DEBUG
+		 && kea_def->is_limited /* XXX OR cert is signing only */
+		 && kea_def->exchKeyType == kt_rsa 
+		 && ss->stepDownKeyPair != NULL
+#endif
+		 ) ? ss->stepDownKeyPair->privKey
+		   : ss->serverCerts[kea_def->exchKeyType].serverKey;
+
+    if (ss->ssl3->hs.usedStepDownKey
+#ifdef DEBUG
+	 && kea_def->is_limited /* XXX OR cert is signing only */
+	 && kea_def->exchKeyType == kt_rsa 
+	 && ss->stepDownKeyPair != NULL
+#endif
+	 ) { 
+    	serverKey = ss->stepDownKeyPair->privKey;
+	ss->sec.keaKeyBits = EXPORT_RSA_KEY_LENGTH * BPB;
+    } else {
+	sslServerCerts * sc = ss->serverCerts + kea_def->exchKeyType;
+	serverKey           = sc->serverKey;
+	ss->sec.keaKeyBits = sc->serverKeyBits;
+    }
+
+    if (serverKey == NULL) {
+    	SEND_ALERT
+	PORT_SetError(SSL_ERROR_NO_SERVER_KEY_FOR_ALG);
+	return SECFailure;
+    }
+
+    ss->sec.keaType    = kea_def->exchKeyType;
+
+    switch (kea_def->exchKeyType) {
+    case kt_rsa:
+	rv = ssl3_HandleRSAClientKeyExchange(ss, b, length, serverKey);
+	if (rv != SECSuccess) {
+	    SEND_ALERT
+	    return SECFailure;	/* error code set by ssl3_InitPendingCipherSpec */
+	}
+	break;
+
+    case kt_fortezza:
+	rv = ssl3_HandleFortezzaClientKeyExchange(ss, b, length, serverKey);
+	if (rv != SECSuccess) {
+	    return SECFailure;	/* error code set */
+	}
+	break;
+
+    default:
+	(void) ssl3_HandshakeFailure(ss);
+	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+	return SECFailure;
+    }
+    ss->ssl3->hs.ws = ss->sec.peerCert ? wait_cert_verify : wait_change_cipher;
+    return SECSuccess;
+
+}
+
+/* This is TLS's equivalent of sending a no_certificate alert. */
+static SECStatus
+ssl3_SendEmptyCertificate(sslSocket *ss)
+{
+    SECStatus            rv;
+
+    rv = ssl3_AppendHandshakeHeader(ss, certificate, 3);
+    if (rv == SECSuccess) {
+	rv = ssl3_AppendHandshakeNumber(ss, 0, 3);
+    }
+    return rv;	/* error, if any, set by functions called above. */
+}
+
+/*
+ * Used by both client and server.
+ * Called from HandleServerHelloDone and from SendServerHelloSequence.
+ */
+static SECStatus
+ssl3_SendCertificate(sslSocket *ss)
+{
+    SECStatus            rv;
+    CERTCertificateList *certChain;
+    int                  len 		= 0;
+    int                  i;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send certificate handshake",
+		SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
+
+    if (ss->sec.localCert)
+    	CERT_DestroyCertificate(ss->sec.localCert);
+    if (ss->sec.isServer) {
+	sslServerCerts * sc = 
+			ss->serverCerts + ss->ssl3->hs.kea_def->exchKeyType;
+	certChain              = sc->serverCertChain;
+	ss->sec.authKeyBits   = sc->serverKeyBits;
+	ss->sec.authAlgorithm = ss->ssl3->hs.kea_def->signKeyType;
+	ss->sec.localCert     = CERT_DupCertificate(sc->serverCert);
+    } else {
+	certChain          = ss->ssl3->clientCertChain;
+	ss->sec.localCert = CERT_DupCertificate(ss->ssl3->clientCertificate);
+    }
+
+    if (certChain) {
+	for (i = 0; i < certChain->len; i++) {
+	    len += certChain->certs[i].len + 3;
+	}
+    }
+
+    rv = ssl3_AppendHandshakeHeader(ss, certificate, len + 3);
+    if (rv != SECSuccess) {
+	return rv; 		/* err set by AppendHandshake. */
+    }
+    rv = ssl3_AppendHandshakeNumber(ss, len, 3);
+    if (rv != SECSuccess) {
+	return rv; 		/* err set by AppendHandshake. */
+    }
+    for (i = 0; i < certChain->len; i++) {
+	rv = ssl3_AppendHandshakeVariable(ss, certChain->certs[i].data,
+					  certChain->certs[i].len, 3);
+	if (rv != SECSuccess) {
+	    return rv; 		/* err set by AppendHandshake. */
+	}
+    }
+
+    return SECSuccess;
+}
+
+/* This is used to delete the CA certificates in the peer certificate chain
+ * from the cert database after they've been validated.
+ */
+static void
+ssl3_CleanupPeerCerts(ssl3State *ssl3)
+{
+    PRArenaPool * arena = ssl3->peerCertArena;
+    ssl3CertNode *certs = (ssl3CertNode *)ssl3->peerCertChain;
+
+    for (; certs; certs = certs->next) {
+	CERT_DestroyCertificate(certs->cert);
+    }
+    if (arena) PORT_FreeArena(arena, PR_FALSE);
+    ssl3->peerCertArena = NULL;
+    ssl3->peerCertChain = NULL;
+}
+
+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 Certificate message.
+ * Caller must hold Handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+{
+    ssl3CertNode *   c;
+    ssl3CertNode *   certs 	= NULL;
+    PRArenaPool *    arena 	= NULL;
+    ssl3State *      ssl3  	= ss->ssl3;
+    CERTCertificate *cert;
+    PRInt32          remaining  = 0;
+    PRInt32          size;
+    SECStatus        rv;
+    PRBool           isServer	= (PRBool)(!!ss->sec.isServer);
+    PRBool           trusted 	= PR_FALSE;
+    PRBool           isTLS;
+    SSL3AlertDescription desc	= bad_certificate;
+    int              errCode    = SSL_ERROR_RX_MALFORMED_CERTIFICATE;
+    SECItem          certItem;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle certificate handshake",
+		SSL_GETPID(), ss->fd));
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+
+    if ((ssl3->hs.ws != wait_server_cert) &&
+	(ssl3->hs.ws != wait_client_cert)) {
+	desc    = unexpected_message;
+	errCode = SSL_ERROR_RX_UNEXPECTED_CERTIFICATE;
+	goto alert_loser;
+    }
+
+    if (ss->sec.peerCert != NULL) {
+	if (ss->sec.peerKey) {
+	    SECKEY_DestroyPublicKey(ss->sec.peerKey);
+	    ss->sec.peerKey = NULL;
+	}
+	CERT_DestroyCertificate(ss->sec.peerCert);
+	ss->sec.peerCert = NULL;
+    }
+
+    ssl3_CleanupPeerCerts(ssl3);
+    isTLS = (PRBool)(ssl3->prSpec->version > SSL_LIBRARY_VERSION_3_0);
+
+    /* It is reported that some TLS client sends a Certificate message
+    ** with a zero-length message body.  We'll treat that case like a
+    ** normal no_certificates message to maximize interoperability.
+    */
+    if (length) {
+	remaining = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
+	if (remaining < 0)
+	    goto loser;	/* fatal alert already sent by ConsumeHandshake. */
+    }
+
+    if (!remaining) {
+	if (!(isTLS && isServer))
+	    goto alert_loser;
+    	/* This is TLS's version of a no_certificate alert. */
+    	/* I'm a server. I've requested a client cert. He hasn't got one. */
+	rv = ssl3_HandleNoCertificate(ss);
+	if (rv != SECSuccess) {
+	    errCode = PORT_GetError();
+	    goto loser;
+	}
+	goto cert_block;
+    }
+
+    ssl3->peerCertArena = arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( arena == NULL ) {
+	goto loser;	/* don't send alerts on memory errors */
+    }
+
+    /* First get the peer cert. */
+    remaining -= 3;
+    if (remaining < 0)
+	goto decode_loser;
+
+    size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
+    if (size < 0)
+	goto loser;	/* fatal alert already sent by ConsumeHandshake. */
+
+    remaining -= size;
+    if (remaining < 0)
+	goto decode_loser;
+
+    certItem.data = (unsigned char*)PORT_ArenaAlloc(arena, size);
+    if (certItem.data == NULL) {
+	goto loser;	/* don't send alerts on memory errors */
+    }
+
+    certItem.len = size;
+    rv = ssl3_ConsumeHandshake(ss, certItem.data, certItem.len, &b, &length);
+    if (rv != SECSuccess)
+	goto loser;	/* fatal alert already sent by ConsumeHandshake. */
+
+    ss->sec.peerCert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
+                                            PR_FALSE, PR_TRUE);
+    if (ss->sec.peerCert == NULL) {
+	/* We should report an alert if the cert was bad, but not if the
+	 * problem was just some local problem, like memory error.
+	 */
+	goto ambiguous_err;
+    }
+
+    /* Now get all of the CA certs. */
+    while (remaining != 0) {
+	remaining -= 3;
+	if (remaining < 0)
+	    goto decode_loser;
+
+	size = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
+	if (size < 0)
+	    goto loser;	/* fatal alert already sent by ConsumeHandshake. */
+
+	remaining -= size;
+	if (remaining < 0)
+	    goto decode_loser;
+
+	certItem.data = (unsigned char*)PORT_ArenaAlloc(arena, size);
+	if (certItem.data == NULL) {
+	    goto loser;	/* don't send alerts on memory errors */
+	}
+
+	certItem.len = size;
+	rv = ssl3_ConsumeHandshake(ss, certItem.data, certItem.len,
+				   &b, &length);
+	if (rv != SECSuccess)
+	    goto loser;	/* fatal alert already sent by ConsumeHandshake. */
+
+	c = PORT_ArenaNew(arena, ssl3CertNode);
+	if (c == NULL) {
+	    goto loser;	/* don't send alerts on memory errors */
+	}
+
+	c->cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
+	                                  PR_FALSE, PR_TRUE);
+	if (c->cert == NULL) {
+	    goto ambiguous_err;
+	}
+
+	if (c->cert->trust)
+	    trusted = PR_TRUE;
+
+	c->next = certs;
+	certs = c;
+    }
+
+    if (remaining != 0)
+        goto decode_loser;
+
+    SECKEY_UpdateCertPQG(ss->sec.peerCert);
+
+    /*
+     * We're making a fortezza connection, and the card hasn't unloaded it's
+     * certs, try to  unload those certs now.
+     */
+    if (!trusted) {
+	CERTCertificate *ccert;
+
+	ccert = PK11_FindBestKEAMatch(ss->sec.peerCert, ss->pkcs11PinArg);
+	if (ccert) 
+	    CERT_DestroyCertificate(ccert);
+    }
+
+
+    rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd,
+					   PR_TRUE, isServer);
+    if (rv) {
+	errCode = PORT_GetError();
+	if (!ss->handleBadCert) {
+	    goto bad_cert;
+	}
+	rv = (SECStatus)(*ss->handleBadCert)(ss->badCertArg, ss->fd);
+	if ( rv ) {
+	    if ( rv == SECWouldBlock ) {
+		/* someone will handle this connection asynchronously*/
+		SSL_DBG(("%d: SSL3[%d]: go to async cert handler",
+			 SSL_GETPID(), ss->fd));
+		ssl3->peerCertChain = certs;
+		certs               = NULL;
+		ssl_SetAlwaysBlock(ss);
+		goto cert_block;
+	    }
+	    /* cert is bad */
+	    goto bad_cert;
+	}
+	/* cert is good */
+    }
+
+    /* start SSL Step Up, if appropriate */
+    cert = ss->sec.peerCert;
+    if (!isServer &&
+    	ssl3_global_policy_some_restricted &&
+        ssl3->policy == SSL_ALLOWED &&
+	anyRestrictedEnabled(ss) &&
+	SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert,
+	                                 PR_FALSE, /* checkSig */
+				         certUsageSSLServerWithStepUp,
+/*XXX*/				         ss->authCertificateArg) ) {
+	ssl3->policy         = SSL_RESTRICTED;
+	ssl3->hs.rehandshake = PR_TRUE;
+    }
+
+    ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
+
+    if (!ss->sec.isServer) {
+	/* set the server authentication and key exchange types and sizes
+	** from the value in the cert.  If the key exchange key is different,
+	** it will get fixed when we handle the server key exchange message.
+	*/
+	SECKEYPublicKey * pubKey  = CERT_ExtractPublicKey(cert);
+	ss->sec.authAlgorithm = ssl3->hs.kea_def->signKeyType;
+	ss->sec.keaType       = ssl3->hs.kea_def->exchKeyType;
+	if (pubKey) {
+	    ss->sec.keaKeyBits = ss->sec.authKeyBits =
+			      SECKEY_PublicKeyStrength(pubKey) * BPB;
+	    SECKEY_DestroyPublicKey(pubKey); 
+	    pubKey = NULL;
+    	}
+    }
+
+    ssl3->peerCertChain = certs;  certs = NULL;  arena = NULL;
+
+cert_block:
+    if (ss->sec.isServer) {
+	ssl3->hs.ws = wait_client_key;
+    } else {
+	ssl3->hs.ws = wait_cert_request; /* disallow server_key_exchange */
+	if (ssl3->hs.kea_def->is_limited ||
+	    /* XXX OR server cert is signing only. */
+	    ssl3->hs.kea_def->kea == kea_fortezza ||
+	    ssl3->hs.kea_def->exchKeyType == kt_dh) {
+	    ssl3->hs.ws = wait_server_key; /* allow server_key_exchange */
+	}
+    }
+
+    /* rv must normally be equal to SECSuccess here.  If we called
+     * handleBadCert, it can also be SECWouldBlock.
+     */
+    return rv;
+
+ambiguous_err:
+    errCode = PORT_GetError();
+    switch (errCode) {
+    case PR_OUT_OF_MEMORY_ERROR:
+    case SEC_ERROR_BAD_DATABASE:
+    case SEC_ERROR_NO_MEMORY:
+	if (isTLS) {
+	    desc = internal_error;
+	    goto alert_loser;
+	}
+	goto loser;
+    }
+    /* fall through to bad_cert. */
+
+bad_cert:	/* caller has set errCode. */
+    switch (errCode) {
+    case SEC_ERROR_LIBRARY_FAILURE:     desc = unsupported_certificate; break;
+    case SEC_ERROR_EXPIRED_CERTIFICATE: desc = certificate_expired;     break;
+    case SEC_ERROR_REVOKED_CERTIFICATE: desc = certificate_revoked;     break;
+    case SEC_ERROR_INADEQUATE_KEY_USAGE:
+    case SEC_ERROR_INADEQUATE_CERT_TYPE:
+		                        desc = certificate_unknown;     break;
+    case SEC_ERROR_UNTRUSTED_CERT:
+		    desc = isTLS ? access_denied : certificate_unknown; break;
+    case SEC_ERROR_UNKNOWN_ISSUER:      
+    case SEC_ERROR_UNTRUSTED_ISSUER:    
+		    desc = isTLS ? unknown_ca : certificate_unknown; break;
+    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
+		    desc = isTLS ? unknown_ca : certificate_expired; break;
+
+    case SEC_ERROR_CERT_NOT_IN_NAME_SPACE:
+    case SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID:
+    case SEC_ERROR_CA_CERT_INVALID:
+    case SEC_ERROR_BAD_SIGNATURE:
+    default:                            desc = bad_certificate;     break;
+    }
+    SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d",
+	     SSL_GETPID(), ss->fd, errCode));
+
+    goto alert_loser;
+
+decode_loser:
+    desc = isTLS ? decode_error : bad_certificate;
+
+alert_loser:
+    (void)SSL3_SendAlert(ss, alert_fatal, desc);
+
+loser:
+    ssl3->peerCertChain = certs;  certs = NULL;  arena = NULL;
+    ssl3_CleanupPeerCerts(ssl3);
+
+    if (ss->sec.peerCert != NULL) {
+	CERT_DestroyCertificate(ss->sec.peerCert);
+	ss->sec.peerCert = NULL;
+    }
+    (void)ssl_MapLowLevelError(errCode);
+    return SECFailure;
+}
+
+
+/* restart an SSL connection that we stopped to run certificate dialogs
+** XXX	Need to document here how an application marks a cert to show that
+**	the application has accepted it (overridden CERT_VerifyCert).
+ *
+ * XXX This code only works on the initial handshake on a connection, XXX
+ *     It does not work on a subsequent handshake (redo).
+ *
+ * Return value: XXX
+ *
+ * Caller holds 1stHandshakeLock.
+*/
+int
+ssl3_RestartHandshakeAfterServerCert(sslSocket *ss)
+{
+    CERTCertificate * cert;
+    ssl3State       * ssl3	= ss->ssl3;
+    int               rv	= SECSuccess;
+
+    if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
+	SET_ERROR_CODE
+    	return SECFailure;
+    }
+    if (!ss->ssl3) {
+	SET_ERROR_CODE
+    	return SECFailure;
+    }
+
+    cert = ss->sec.peerCert;
+
+    /* Permit step up if user decided to accept the cert */
+    if (!ss->sec.isServer &&
+    	ssl3_global_policy_some_restricted &&
+        ssl3->policy == SSL_ALLOWED &&
+	anyRestrictedEnabled(ss) &&
+	(SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert,
+	                                  PR_FALSE, /* checksig */
+				          certUsageSSLServerWithStepUp,
+/*XXX*/				          ss->authCertificateArg) )) {
+	ssl3->policy         = SSL_RESTRICTED;
+	ssl3->hs.rehandshake = PR_TRUE;
+    }
+
+    if (ss->handshake != NULL) {
+	ss->handshake = ssl_GatherRecord1stHandshake;
+	ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
+
+	ssl_GetRecvBufLock(ss);
+	if (ssl3->hs.msgState.buf != NULL) {
+	    rv = ssl3_HandleRecord(ss, NULL, &ss->gs.buf);
+	}
+	ssl_ReleaseRecvBufLock(ss);
+    }
+
+    return rv;
+}
+
+static SECStatus
+ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
+			PRBool          isServer,
+                const   SSL3Finished *  hashes,
+                        TLSFinished  *  tlsFinished)
+{
+    PK11Context *prf_context;
+    const char * label;
+    unsigned int len;
+    SECStatus    rv;
+    SECItem      param 		= {siBuffer, NULL, 0};
+
+    label = isServer ? "server finished" : "client finished";
+    len   = 15;
+
+    prf_context = 
+	PK11_CreateContextBySymKey(CKM_TLS_PRF_GENERAL, CKA_SIGN, 
+	                           spec->master_secret, &param);
+    if (!prf_context)
+    	return SECFailure;
+
+    rv  = PK11_DigestBegin(prf_context);
+    rv |= PK11_DigestOp(prf_context, (const unsigned char *) label, len);
+    rv |= PK11_DigestOp(prf_context, hashes->md5, sizeof *hashes);
+    rv |= PK11_DigestFinal(prf_context, tlsFinished->verify_data, 
+                           &len, sizeof *tlsFinished);
+    PORT_Assert(rv != SECSuccess || len == sizeof *tlsFinished);
+
+    PK11_DestroyContext(prf_context, PR_TRUE);
+    return rv;
+}
+
+/* called from ssl3_HandleServerHelloDone
+ *             ssl3_HandleClientHello
+ *             ssl3_HandleFinished
+ */
+static SECStatus
+ssl3_SendFinished(sslSocket *ss, PRInt32 flags)
+{
+    ssl3CipherSpec *cwSpec;
+    PRBool          isTLS;
+    PRBool          isServer = ss->sec.isServer;
+    SECStatus       rv;
+    SSL3Sender      sender = isServer ? sender_server : sender_client;
+    SSL3Finished    hashes;
+    TLSFinished     tlsFinished;
+
+    SSL_TRC(3, ("%d: SSL3[%d]: send finished handshake", SSL_GETPID(), ss->fd));
+
+    PORT_Assert( ssl_HaveXmitBufLock(ss));
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
+
+    ssl_GetSpecReadLock(ss);
+    cwSpec = ss->ssl3->cwSpec;
+    isTLS = (PRBool)(cwSpec->version > SSL_LIBRARY_VERSION_3_0);
+    rv = ssl3_ComputeHandshakeHashes(ss, cwSpec, &hashes, sender);
+    if (isTLS && rv == SECSuccess) {
+	rv = ssl3_ComputeTLSFinished(cwSpec, isServer, &hashes, &tlsFinished);
+    }
+    ssl_ReleaseSpecReadLock(ss);
+    if (rv != SECSuccess) {
+	goto fail;	/* err code was set by ssl3_ComputeHandshakeHashes */
+    }
+
+    if (isTLS) {
+	rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof tlsFinished);
+	if (rv != SECSuccess) 
+	    goto fail; 		/* err set by AppendHandshake. */
+	rv = ssl3_AppendHandshake(ss, &tlsFinished, sizeof tlsFinished);
+	if (rv != SECSuccess) 
+	    goto fail; 		/* err set by AppendHandshake. */
+    } else {
+	rv = ssl3_AppendHandshakeHeader(ss, finished, sizeof hashes);
+	if (rv != SECSuccess) 
+	    goto fail; 		/* err set by AppendHandshake. */
+	rv = ssl3_AppendHandshake(ss, &hashes, sizeof hashes);
+	if (rv != SECSuccess) 
+	    goto fail; 		/* err set by AppendHandshake. */
+    }
+    rv = ssl3_FlushHandshake(ss, flags);
+    if (rv != SECSuccess) {
+	goto fail;	/* error code set by ssl3_FlushHandshake */
+    }
+    return SECSuccess;
+
+fail:
+    return rv;
+}
+
+
+
+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
+ * ssl3 Finished message from the peer.
+ * Caller must hold Handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
+		    const SSL3Hashes *hashes)
+{
+    ssl3State *       ssl3	   = ss->ssl3;
+    sslSessionID *    sid	   = ss->sec.ci.sid;
+    PK11SymKey *      wrappingKey  = NULL;
+    PK11SlotInfo *    symKeySlot;
+    void *            pwArg        = ss->pkcs11PinArg;
+    SECStatus         rv;
+    PRBool            isServer     = ss->sec.isServer;
+    PRBool            isTLS;
+    PRBool            doStepUp;
+    CK_MECHANISM_TYPE mechanism;
+
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+
+    SSL_TRC(3, ("%d: SSL3[%d]: handle finished handshake",
+    	SSL_GETPID(), ss->fd));
+
+    if (ssl3->hs.ws != wait_finished) {
+	SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+    	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_FINISHED);
+	return SECFailure;
+    }
+
+    isTLS = (PRBool)(ssl3->crSpec->version > SSL_LIBRARY_VERSION_3_0);
+    if (isTLS) {
+	TLSFinished tlsFinished;
+
+	if (length != sizeof tlsFinished) {
+	    (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
+	    PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
+	    return SECFailure;
+	}
+	rv = ssl3_ComputeTLSFinished(ssl3->crSpec, !isServer, 
+	                             hashes, &tlsFinished);
+	if (rv != SECSuccess ||
+	    0 != PORT_Memcmp(&tlsFinished, b, length)) {
+	    (void)SSL3_SendAlert(ss, alert_fatal, decrypt_error);
+	    PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
+	    return SECFailure;
+	}
+    } else {
+	if (length != sizeof(SSL3Hashes)) {
+	    (void)ssl3_IllegalParameter(ss);
+	    PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
+	    return SECFailure;
+	}
+
+	if (0 != PORT_Memcmp(hashes, b, length)) {
+	    (void)ssl3_HandshakeFailure(ss);
+	    PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
+	    return SECFailure;
+	}
+    }
+
+    doStepUp = (PRBool)(!isServer && ssl3->hs.rehandshake);
+
+    ssl_GetXmitBufLock(ss);	/*************************************/
+
+    if ((isServer && !ssl3->hs.isResuming) ||
+	(!isServer && ssl3->hs.isResuming)) {
+	PRInt32 flags = 0;
+
+	rv = ssl3_SendChangeCipherSpecs(ss);
+	if (rv != SECSuccess) {
+	    goto xmit_loser;	/* err is set. */
+	}
+	/* If this thread is in SSL_SecureSend (trying to write some data) 
+	** or if it is going to step up, 
+	** then set the ssl_SEND_FLAG_FORCE_INTO_BUFFER flag, so that the 
+	** last two handshake messages (change cipher spec and finished) 
+	** will be sent in the same send/write call as the application data.
+	*/
+	if (doStepUp || ss->writerThread == PR_GetCurrentThread()) {
+	    flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
+	}
+	rv = ssl3_SendFinished(ss, flags);
+	if (rv != SECSuccess) {
+	    goto xmit_loser;	/* err is set. */
+	}
+    }
+
+    /* Optimization: don't cache this connection if we're going to step up. */
+    if (doStepUp) {
+	ssl_FreeSID(sid);
+	ss->sec.ci.sid     = sid = NULL;
+	ssl3->hs.rehandshake = PR_FALSE;
+	rv = ssl3_SendClientHello(ss);
+xmit_loser:
+	ssl_ReleaseXmitBufLock(ss);
+	return rv;	/* err code is set if appropriate. */
+    }
+
+    ssl_ReleaseXmitBufLock(ss);	/*************************************/
+
+    /* The first handshake is now completed. */
+    ss->handshake           = NULL;
+    ss->firstHsDone         = PR_TRUE;
+    ss->gs.writeOffset = 0;
+    ss->gs.readOffset  = 0;
+
+  if (sid->cached == never_cached) {
+
+    /* fill in the sid */
+    sid->u.ssl3.cipherSuite = ssl3->hs.cipher_suite;
+    sid->u.ssl3.compression = ssl3->hs.compression;
+    sid->u.ssl3.policy      = ssl3->policy;
+    sid->u.ssl3.exchKeyType = ssl3->hs.kea_def->exchKeyType;
+    sid->version            = ss->version;
+    sid->authAlgorithm      = ss->sec.authAlgorithm;
+    sid->authKeyBits        = ss->sec.authKeyBits;
+    sid->keaType            = ss->sec.keaType;
+    sid->keaKeyBits         = ss->sec.keaKeyBits;
+    sid->lastAccessTime     = sid->creationTime = ssl_Time();
+    sid->expirationTime     = sid->creationTime + ssl3_sid_timeout;
+    sid->localCert          = CERT_DupCertificate(ss->sec.localCert);
+
+    ssl_GetSpecReadLock(ss);	/*************************************/
+    symKeySlot = PK11_GetSlotFromKey(ssl3->crSpec->master_secret);
+    if (!isServer) {
+	int  wrapKeyIndex;
+	int  incarnation;
+
+	/* these next few functions are mere accessors and don't fail. */
+	sid->u.ssl3.masterWrapIndex  = wrapKeyIndex =
+				       PK11_GetCurrentWrapIndex(symKeySlot);
+	PORT_Assert(wrapKeyIndex == 0);	/* array has only one entry! */
+
+	sid->u.ssl3.masterWrapSeries = incarnation =
+				       PK11_GetSlotSeries(symKeySlot);
+	sid->u.ssl3.masterSlotID   = PK11_GetSlotID(symKeySlot);
+	sid->u.ssl3.masterModuleID = PK11_GetModuleID(symKeySlot);
+	sid->u.ssl3.masterValid    = PR_TRUE;
+
+	/* Get the default wrapping key, for wrapping the master secret before
+	 * placing it in the SID cache entry. */
+	wrappingKey = PK11_GetWrapKey(symKeySlot, wrapKeyIndex,
+				      CKM_INVALID_MECHANISM, incarnation,
+				      pwArg);
+	if (wrappingKey) {
+	    mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */
+	} else {
+	    int keyLength;
+	    /* if the wrappingKey doesn't exist, attempt to create it.
+	     * Note: we intentionally ignore errors here.  If we cannot
+	     * generate a wrapping key, it is not fatal to this SSL connection,
+	     * but we will not be able to restart this session.
+	     */
+	    mechanism = PK11_GetBestWrapMechanism(symKeySlot);
+	    keyLength = PK11_GetBestKeyLength(symKeySlot, mechanism);
+	    /* Zero length means fixed key length algorithm, or error.
+	     * It's ambiguous.
+	     */
+	    wrappingKey = PK11_KeyGen(symKeySlot, mechanism, NULL,
+                                      keyLength, pwArg);
+	    if (wrappingKey) {
+	    	PK11_SetWrapKey(symKeySlot, wrapKeyIndex, wrappingKey);
+	    }
+	}
+    } else {
+	/* server. */
+	mechanism = PK11_GetBestWrapMechanism(symKeySlot);
+	if (mechanism != CKM_INVALID_MECHANISM) {
+	    wrappingKey =
+	    	getWrappingKey(ss, symKeySlot, ssl3->hs.kea_def->exchKeyType,
+			       mechanism, pwArg);
+	    if (wrappingKey) {
+		mechanism = PK11_GetMechanism(wrappingKey); /* can't fail. */
+	    }
+	}
+    }
+
+    sid->u.ssl3.masterWrapMech = mechanism;
+    PK11_FreeSlot(symKeySlot);
+
+    rv = SECFailure;
+    if (wrappingKey) {
+	SECItem msItem;
+
+	msItem.data = sid->u.ssl3.keys.wrapped_master_secret;
+	msItem.len  = sizeof sid->u.ssl3.keys.wrapped_master_secret;
+	rv = PK11_WrapSymKey(mechanism, NULL, wrappingKey,
+			     ssl3->crSpec->master_secret, &msItem);
+	/* rv is examined below. */
+	sid->u.ssl3.keys.wrapped_master_secret_len = msItem.len;
+	PK11_FreeSymKey(wrappingKey);
+    }
+    ssl_ReleaseSpecReadLock(ss);  /*************************************/
+
+    /* If the wrap failed, we don't cache the sid.
+     * The connection continues normally however.
+     */
+    if (!ss->noCache && rv == SECSuccess) {
+	(*ss->sec.cache)(sid);
+    }
+  }
+    ss->ssl3->hs.ws = idle_handshake;
+
+    /* Do the handshake callback for sslv3 here. */
+    if (ss->handshakeCallback != NULL) {
+	(ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
+    }
+
+    return SECSuccess;
+}
+
+/* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3
+ * hanshake message.
+ * Caller must hold Handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+{
+    SECStatus         rv 	= SECSuccess;
+    SSL3HandshakeType type 	= ss->ssl3->hs.msg_type;
+    SSL3Hashes        hashes;	/* computed hashes are put here. */
+    PRUint8           hdr[4];
+
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+    /*
+     * We have to compute the hashes before we update them with the
+     * current message.
+     */
+    ssl_GetSpecReadLock(ss);	/************************************/
+    if((type == finished) || (type == certificate_verify)) {
+	SSL3Sender      sender = (SSL3Sender)0;
+	ssl3CipherSpec *rSpec  = ss->ssl3->prSpec;
+
+	if (type == finished) {
+	    sender = ss->sec.isServer ? sender_client : sender_server;
+	    rSpec  = ss->ssl3->crSpec;
+	}
+	rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
+    }
+    ssl_ReleaseSpecReadLock(ss); /************************************/
+    if (rv != SECSuccess) {
+	return rv;	/* error code was set by ssl3_ComputeHandshakeHashes*/
+    }
+    SSL_TRC(30,("%d: SSL3[%d]: handle handshake message: %s", SSL_GETPID(),
+		ss->fd, ssl3_DecodeHandshakeType(ss->ssl3->hs.msg_type)));
+    PRINT_BUF(60, (ss, "MD5 handshake hash:",
+    	      (unsigned char*)ss->ssl3->hs.md5, MD5_LENGTH));
+    PRINT_BUF(95, (ss, "SHA handshake hash:",
+    	      (unsigned char*)ss->ssl3->hs.sha, SHA1_LENGTH));
+
+    hdr[0] = (PRUint8)ss->ssl3->hs.msg_type;
+    hdr[1] = (PRUint8)(length >> 16);
+    hdr[2] = (PRUint8)(length >>  8);
+    hdr[3] = (PRUint8)(length      );
+
+    /* Start new handshake hashes when we start a new handshake */
+    if (ss->ssl3->hs.msg_type == client_hello) {
+	SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
+		SSL_GETPID(), ss->fd ));
+	rv = PK11_DigestBegin(ss->ssl3->hs.md5);
+	if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+	    return rv;
+	}
+	rv = PK11_DigestBegin(ss->ssl3->hs.sha);
+	if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+	    return rv;
+	}
+    }
+    /* We should not include hello_request messages in the handshake hashes */
+    if (ss->ssl3->hs.msg_type != hello_request) {
+	rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) hdr, 4);
+	if (rv != SECSuccess) return rv;	/* err code already set. */
+	rv = ssl3_UpdateHandshakeHashes(ss, b, length);
+	if (rv != SECSuccess) return rv;	/* err code already set. */
+    }
+
+    PORT_SetError(0);	/* each message starts with no error. */
+    switch (ss->ssl3->hs.msg_type) {
+    case hello_request:
+	if (length != 0) {
+	    (void)ssl3_DecodeError(ss);
+	    PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST);
+	    return SECFailure;
+	}
+	if (ss->sec.isServer) {
+	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
+	    return SECFailure;
+	}
+	rv = ssl3_HandleHelloRequest(ss);
+	break;
+    case client_hello:
+	if (!ss->sec.isServer) {
+	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO);
+	    return SECFailure;
+	}
+	rv = ssl3_HandleClientHello(ss, b, length);
+	break;
+    case server_hello:
+	if (ss->sec.isServer) {
+	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO);
+	    return SECFailure;
+	}
+	rv = ssl3_HandleServerHello(ss, b, length);
+	break;
+    case certificate:
+	rv = ssl3_HandleCertificate(ss, b, length);
+	break;
+    case server_key_exchange:
+	if (ss->sec.isServer) {
+	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH);
+	    return SECFailure;
+	}
+	rv = ssl3_HandleServerKeyExchange(ss, b, length);
+	break;
+    case certificate_request:
+	if (ss->sec.isServer) {
+	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST);
+	    return SECFailure;
+	}
+	rv = ssl3_HandleCertificateRequest(ss, b, length);
+	break;
+    case server_hello_done:
+	if (length != 0) {
+	    (void)ssl3_DecodeError(ss);
+	    PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_DONE);
+	    return SECFailure;
+	}
+	if (ss->sec.isServer) {
+	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
+	    return SECFailure;
+	}
+	rv = ssl3_HandleServerHelloDone(ss);
+	break;
+    case certificate_verify:
+	if (!ss->sec.isServer) {
+	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY);
+	    return SECFailure;
+	}
+	rv = ssl3_HandleCertificateVerify(ss, b, length, &hashes);
+	break;
+    case client_key_exchange:
+	if (!ss->sec.isServer) {
+	    (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	    PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
+	    return SECFailure;
+	}
+	rv = ssl3_HandleClientKeyExchange(ss, b, length);
+	break;
+    case finished:
+        rv = ssl3_HandleFinished(ss, b, length, &hashes);
+	break;
+    default:
+	(void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+	PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+/* Called only from ssl3_HandleRecord, for each (deciphered) ssl3 record.
+ * origBuf is the decrypted ssl record content.
+ * Caller must hold the handshake and RecvBuf locks.
+ */
+static SECStatus
+ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
+{
+    /*
+     * There may be a partial handshake message already in the handshake
+     * state. The incoming buffer may contain another portion, or a
+     * complete message or several messages followed by another portion.
+     *
+     * Each message is made contiguous before being passed to the actual
+     * message parser.
+     */
+    ssl3State *ssl3 = ss->ssl3;
+    sslBuffer *buf = &ssl3->hs.msgState; /* do not lose the original buffer pointer */
+    SECStatus rv;
+
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+
+    if (buf->buf == NULL) {
+	*buf = *origBuf;
+    }
+    while (buf->len > 0) {
+	while (ssl3->hs.header_bytes < 4) {
+	    uint8 t;
+	    t = *(buf->buf++);
+	    buf->len--;
+	    if (ssl3->hs.header_bytes++ == 0)
+		ssl3->hs.msg_type = (SSL3HandshakeType)t;
+	    else
+		ssl3->hs.msg_len = (ssl3->hs.msg_len << 8) + t;
+
+#define MAX_HANDSHAKE_MSG_LEN 0x1ffff	/* 128k - 1 */
+
+	    if (ssl3->hs.header_bytes == 4) {
+		if (ssl3->hs.msg_len > MAX_HANDSHAKE_MSG_LEN) {
+		    (void)ssl3_DecodeError(ss);
+		    PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
+		    return SECFailure;
+		}
+	    }
+#undef MAX_HANDSHAKE_MSG_LEN
+	    if (buf->len == 0 && ssl3->hs.msg_len > 0) {
+		buf->buf = NULL;
+		return SECSuccess;
+	    }
+	}
+
+	/*
+	 * Header has been gathered and there is at least one byte of new
+	 * data available for this message. If it can be done right out
+	 * of the original buffer, then use it from there.
+	 */
+	if (ssl3->hs.msg_body.len == 0 && buf->len >= ssl3->hs.msg_len) {
+	    /* handle it from input buffer */
+	    rv = ssl3_HandleHandshakeMessage(ss, buf->buf, ssl3->hs.msg_len);
+	    if (rv == SECFailure) {
+		/* This test wants to fall through on either
+		 * SECSuccess or SECWouldBlock.
+		 * ssl3_HandleHandshakeMessage MUST set the error code.
+		 */
+		return rv;
+	    }
+	    buf->buf += ssl3->hs.msg_len;
+	    buf->len -= ssl3->hs.msg_len;
+	    ssl3->hs.msg_len = 0;
+	    ssl3->hs.header_bytes = 0;
+	    if (rv != SECSuccess) { /* return if SECWouldBlock. */
+		return rv;
+	    }
+	} else {
+	    /* must be copied to msg_body and dealt with from there */
+	    unsigned int bytes;
+
+	    bytes = PR_MIN(buf->len, ssl3->hs.msg_len);
+
+	    /* Grow the buffer if needed */
+	    if (bytes > ssl3->hs.msg_body.space - ssl3->hs.msg_body.len) {
+		rv = sslBuffer_Grow(&ssl3->hs.msg_body,
+		                  ssl3->hs.msg_body.len + bytes);
+		if (rv != SECSuccess) {
+		    /* sslBuffer_Grow has set a memory error code. */
+		    return SECFailure;
+	    	}
+	    }
+	    PORT_Memcpy(ssl3->hs.msg_body.buf + ssl3->hs.msg_body.len,
+		      buf->buf, buf->len);
+	    buf->buf += bytes;
+	    buf->len -= bytes;
+
+	    /* should not be more than one message in msg_body */
+	    PORT_Assert(ssl3->hs.msg_body.len <= ssl3->hs.msg_len);
+
+	    /* if we have a whole message, do it */
+	    if (ssl3->hs.msg_body.len == ssl3->hs.msg_len) {
+		rv = ssl3_HandleHandshakeMessage(
+		    ss, ssl3->hs.msg_body.buf, ssl3->hs.msg_len);
+		/*
+		 * XXX This appears to be wrong.  This error handling
+		 * should clean up after a SECWouldBlock return, like the
+		 * error handling used 40 lines before/above this one,
+		 */
+		if (rv != SECSuccess) {
+		    /* ssl3_HandleHandshakeMessage MUST set error code. */
+		    return rv;
+		}
+		ssl3->hs.msg_body.len = 0;
+		ssl3->hs.msg_len      = 0;
+		ssl3->hs.header_bytes = 0;
+	    } else {
+		PORT_Assert(buf->len == 0);
+		break;
+	    }
+	}
+    }	/* end loop */
+
+    origBuf->len = 0;	/* So ssl3_GatherAppDataRecord will keep looping. */
+    buf->buf = NULL;	/* not a leak. */
+    return SECSuccess;
+}
+
+/* if cText is non-null, then decipher, check MAC, and decompress the
+ * SSL record from cText->buf (typically gs->inbuf)
+ * into databuf (typically gs->buf), and any previous contents of databuf
+ * is lost.  Then handle databuf according to its SSL record type,
+ * unless it's an application record.
+ *
+ * If cText is NULL, then the ciphertext has previously been deciphered and
+ * checked, and is already sitting in databuf.  It is processed as an SSL
+ * Handshake message.
+ *
+ * DOES NOT process the decrypted/decompressed application data.
+ * On return, databuf contains the decrypted/decompressed record.
+ *
+ * Called from ssl3_GatherCompleteHandshake
+ *             ssl3_RestartHandshakeAfterCertReq
+ *             ssl3_RestartHandshakeAfterServerCert
+ *
+ * Caller must hold the RecvBufLock.
+ *
+ * This function aquires and releases the SSL3Handshake Lock, holding the
+ * lock around any calls to functions that handle records other than
+ * Application Data records.
+ */
+SECStatus
+ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText, sslBuffer *databuf)
+{
+const ssl3BulkCipherDef *cipher_def;
+    ssl3State *          ssl3 			= ss->ssl3;
+    ssl3CipherSpec *     crSpec;
+    SECStatus            rv;
+    unsigned int         hashBytes;
+    unsigned int         padding_length;
+    PRBool               isTLS;
+    SSL3ContentType      rType;
+    SSL3Opaque           hash[MAX_MAC_LENGTH];
+
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+
+    if (ssl3 == NULL) {
+	ssl_GetSSL3HandshakeLock(ss);
+	rv = ssl3_InitState(ss);
+	ssl_ReleaseSSL3HandshakeLock(ss);
+	if (rv != SECSuccess) {
+	    return rv;		/* ssl3_InitState has set the error code. */
+    	}
+    }
+
+    ssl3 = ss->ssl3;
+
+    /* cText is NULL when we're called from ssl3_RestartHandshakeAfterXXX().
+     * This implies that databuf holds a previously deciphered SSL Handshake
+     * message.
+     */
+    if (cText == NULL) {
+	SSL_DBG(("%d: SSL3[%d]: HandleRecord, resuming handshake",
+		 SSL_GETPID(), ss->fd));
+	rType = content_handshake;
+	goto process_it;
+    }
+
+    databuf->len = 0; /* filled in by decode call below. */
+    if (databuf->space < MAX_FRAGMENT_LENGTH) {
+	rv = sslBuffer_Grow(databuf, MAX_FRAGMENT_LENGTH + 2048);
+	if (rv != SECSuccess) {
+	    SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes",
+		     SSL_GETPID(), ss->fd, MAX_FRAGMENT_LENGTH + 2048));
+	    /* sslBuffer_Grow has set a memory error code. */
+	    return SECFailure;
+	}
+    }
+
+    PRINT_BUF(80, (ss, "ciphertext:", cText->buf->buf, cText->buf->len));
+
+    ssl_GetSpecReadLock(ss); /******************************************/
+
+    crSpec = ssl3->crSpec;
+    cipher_def = crSpec->cipher_def;
+    isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0);
+
+    if (isTLS && cText->buf->len > (MAX_FRAGMENT_LENGTH + 2048)) {
+	ssl_ReleaseSpecReadLock(ss);
+	SSL3_SendAlert(ss, alert_fatal, record_overflow);
+	PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
+	return SECFailure;
+    }
+    /* decrypt from cText buf to databuf. */
+    rv = crSpec->decode(
+	crSpec->decodeContext, databuf->buf, (int *)&databuf->len,
+	databuf->space, cText->buf->buf, cText->buf->len);
+
+    PRINT_BUF(80, (ss, "cleartext:", databuf->buf, databuf->len));
+    if (rv != SECSuccess) {
+	ssl_ReleaseSpecReadLock(ss);
+	ssl_MapLowLevelError(SSL_ERROR_DECRYPTION_FAILURE);
+	if (isTLS)
+	    (void)SSL3_SendAlert(ss, alert_fatal, decryption_failed);
+	ssl_MapLowLevelError(SSL_ERROR_DECRYPTION_FAILURE);
+	return SECFailure;
+    }
+
+    /* If it's a block cipher, check and strip the padding. */
+    if (cipher_def->type == type_block) {
+	padding_length = *(databuf->buf + databuf->len - 1);
+	/* TLS permits padding to exceed the block size, up to 255 bytes. */
+	if (padding_length + crSpec->mac_size >= databuf->len)
+	    goto bad_pad;
+	/* if TLS, check value of first padding byte. */
+	if (padding_length && isTLS && padding_length != 
+		*(databuf->buf + databuf->len - 1 - padding_length))
+	    goto bad_pad;
+	databuf->len -= padding_length + 1;
+	if (databuf->len <= 0) {
+bad_pad:
+	    /* must not hold spec lock when calling SSL3_SendAlert. */
+	    ssl_ReleaseSpecReadLock(ss);
+	    /* SSL3 doesn't have an alert for bad padding, so use bad mac. */
+	    SSL3_SendAlert(ss, alert_fatal, 
+			   isTLS ? decryption_failed : bad_record_mac);
+	    PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING);
+	    return SECFailure;
+	}
+    }
+
+    /* Check the MAC. */
+    if (databuf->len < crSpec->mac_size) {
+    	/* record is too short to have a valid mac. */
+	goto bad_mac;
+    }
+    databuf->len -= crSpec->mac_size;
+    rType = cText->type;
+    rv = ssl3_ComputeRecordMAC(
+    	crSpec, (ss->sec.isServer) ? crSpec->client.write_mac_context
+				    : crSpec->server.write_mac_context,
+	rType, cText->version, crSpec->read_seq_num, 
+	databuf->buf, databuf->len, hash, &hashBytes);
+    if (rv != SECSuccess) {
+	ssl_ReleaseSpecReadLock(ss);
+	ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
+	return rv;
+    }
+
+    if (hashBytes != (unsigned)crSpec->mac_size ||
+	PORT_Memcmp(databuf->buf + databuf->len, hash, crSpec->mac_size) != 0) {
+bad_mac:
+	/* must not hold spec lock when calling SSL3_SendAlert. */
+	ssl_ReleaseSpecReadLock(ss);
+	SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
+	PORT_SetError(SSL_ERROR_BAD_MAC_READ);
+
+	SSL_DBG(("%d: SSL3[%d]: mac check failed", SSL_GETPID(), ss->fd));
+
+	return SECFailure;
+    }
+
+    ssl3_BumpSequenceNumber(&crSpec->read_seq_num);
+
+    ssl_ReleaseSpecReadLock(ss); /*****************************************/
+
+    /*
+     * The decrypted data is now in databuf.
+     *
+     * the null decompression routine is right here
+     */
+
+    /*
+    ** Having completed the decompression, check the length again. 
+    */
+    if (isTLS && databuf->len > (MAX_FRAGMENT_LENGTH + 1024)) {
+	SSL3_SendAlert(ss, alert_fatal, record_overflow);
+	PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
+	return SECFailure;
+    }
+
+    /* Application data records are processed by the caller of this
+    ** function, not by this function.
+    */
+    if (rType == content_application_data) {
+    	return SECSuccess;
+    }
+
+    /* It's a record that must be handled by ssl itself, not the application.
+    */
+process_it:
+    /* XXX  Get the xmit lock here.  Odds are very high that we'll be xmiting
+     * data ang getting the xmit lock here prevents deadlocks.
+     */
+    ssl_GetSSL3HandshakeLock(ss);
+
+    /* All the functions called in this switch MUST set error code if
+    ** they return SECFailure or SECWouldBlock.
+    */
+    switch (rType) {
+    case content_change_cipher_spec:
+	rv = ssl3_HandleChangeCipherSpecs(ss, databuf);
+	break;
+    case content_alert:
+	rv = ssl3_HandleAlert(ss, databuf);
+	break;
+    case content_handshake:
+	rv = ssl3_HandleHandshake(ss, databuf);
+	break;
+    case content_application_data:
+	rv = SECSuccess;
+	break;
+    default:
+	SSL_DBG(("%d: SSL3[%d]: bogus content type=%d",
+		 SSL_GETPID(), ss->fd, cText->type));
+	/* XXX Send an alert ???  */
+	PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE);
+	rv = SECFailure;
+	break;
+    }
+
+    ssl_ReleaseSSL3HandshakeLock(ss);
+    return rv;
+
+}
+
+/*
+ * Initialization functions
+ */
+
+/* Called from ssl3_InitState, immediately below. */
+/* Caller must hold the SpecWriteLock. */
+static void
+ssl3_InitCipherSpec(sslSocket *ss, ssl3CipherSpec *spec)
+{
+    spec->cipher_def               = &bulk_cipher_defs[cipher_null];
+    PORT_Assert(spec->cipher_def->cipher == cipher_null);
+    spec->mac_def                  = &mac_defs[mac_null];
+    PORT_Assert(spec->mac_def->mac == mac_null);
+    spec->encode                   = Null_Cipher;
+    spec->decode                   = Null_Cipher;
+    spec->destroy                  = NULL;
+    spec->mac_size                 = 0;
+    spec->master_secret            = NULL;
+
+    spec->client.write_key         = NULL;
+    spec->client.write_mac_key     = NULL;
+    spec->client.write_mac_context = NULL;
+
+    spec->server.write_key         = NULL;
+    spec->server.write_mac_key     = NULL;
+    spec->server.write_mac_context = NULL;
+
+    spec->write_seq_num.high       = 0;
+    spec->write_seq_num.low        = 0;
+
+    spec->read_seq_num.high        = 0;
+    spec->read_seq_num.low         = 0;
+
+    spec->version                  = ss->enableTLS
+                                          ? SSL_LIBRARY_VERSION_3_1_TLS
+                                          : SSL_LIBRARY_VERSION_3_0;
+}
+
+/* Called from:	ssl3_SendRecord
+**		ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake()
+**		ssl3_SendClientHello()
+**		ssl3_HandleServerHello()
+**		ssl3_HandleClientHello()
+**		ssl3_HandleV2ClientHello()
+**		ssl3_HandleRecord()
+**
+** This function should perhaps acquire and release the SpecWriteLock.
+**
+**
+*/
+static SECStatus
+ssl3_InitState(sslSocket *ss)
+{
+    ssl3State *  ssl3 = NULL;
+    PK11Context *md5  = NULL;
+    PK11Context *sha  = NULL;
+    SECStatus    rv;
+
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss));
+
+    /* reinitialization for renegotiated sessions XXX */
+    if (ss->ssl3 != NULL)
+	return SECSuccess;
+
+    ssl3 = PORT_ZNew(ssl3State); /* zero on purpose */
+    if (ssl3 == NULL)
+	return SECFailure;	/* PORT_ZAlloc has set memory error code. */
+
+    /* note that entire HandshakeState is zero, including the buffer */
+    ssl3->policy = SSL_ALLOWED;
+
+    ssl_GetSpecWriteLock(ss);
+    ssl3->crSpec = ssl3->cwSpec = &ssl3->specs[0];
+    ssl3->prSpec = ssl3->pwSpec = &ssl3->specs[1];
+    ssl3->hs.rehandshake = PR_FALSE;
+    ssl3_InitCipherSpec(ss, ssl3->crSpec);
+    ssl3_InitCipherSpec(ss, ssl3->prSpec);
+    ssl3->fortezza.tek = NULL;
+
+    ssl3->hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello;
+    ssl_ReleaseSpecWriteLock(ss);
+
+    /*
+     * note: We should probably lookup an SSL3 slot for these
+     * handshake hashes in hopes that we wind up with the same slots
+     * that the master secret will wind up in ...
+     */
+    SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd));
+    ssl3->hs.md5 = md5 = PK11_CreateDigestContext(SEC_OID_MD5);
+    if (md5 == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+	goto loser;
+    }
+    rv = PK11_DigestBegin(ssl3->hs.md5);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+	goto loser;
+    }
+
+    sha = ssl3->hs.sha = PK11_CreateDigestContext(SEC_OID_SHA1);
+    if (sha == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+	goto loser;
+    }
+    rv = PK11_DigestBegin(ssl3->hs.sha);
+    if (rv != SECSuccess) {
+	ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+	goto loser;
+    }
+
+    /* Don't hide this from the rest of the world any more. */
+    ss->ssl3 = ssl3;
+
+    return SECSuccess;
+
+loser:
+    if (md5 != NULL) PK11_DestroyContext(md5, PR_TRUE);
+    if (sha != NULL) PK11_DestroyContext(sha, PR_TRUE);
+    if (ssl3 != NULL) PORT_Free(ssl3);
+    return SECFailure;
+}
+
+/* Returns a reference counted object that contains a key pair.
+ * Or NULL on failure.  Initial ref count is 1.
+ * Uses the keys in the pair as input.
+ */
+ssl3KeyPair *
+ssl3_NewKeyPair( SECKEYPrivateKey * privKey, SECKEYPublicKey * pubKey)
+{
+    ssl3KeyPair * pair;
+
+    if (!privKey || !pubKey) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+    	return NULL;
+    }
+    pair = PORT_ZNew(ssl3KeyPair);
+    if (!pair)
+    	return NULL;			/* error code is set. */
+    pair->refCount = 1;
+    pair->privKey  = privKey;
+    pair->pubKey   = pubKey;
+    return pair;			/* success */
+}
+
+ssl3KeyPair *
+ssl3_GetKeyPairRef(ssl3KeyPair * keyPair)
+{
+    PR_AtomicIncrement(&keyPair->refCount);
+    return keyPair;
+}
+
+void
+ssl3_FreeKeyPair(ssl3KeyPair * keyPair)
+{
+    PRInt32 newCount =  PR_AtomicDecrement(&keyPair->refCount);
+    if (!newCount) {
+	SECKEY_DestroyPrivateKey(keyPair->privKey);
+	SECKEY_DestroyPublicKey( keyPair->pubKey);
+    	PORT_Free(keyPair);
+    }
+}
+
+
+
+/*
+ * Creates the public and private RSA keys for SSL Step down.
+ * Called from SSL_ConfigSecureServer in sslsecur.c
+ */
+SECStatus
+ssl3_CreateRSAStepDownKeys(sslSocket *ss)
+{
+    SECStatus             rv  	 = SECSuccess;
+    SECKEYPrivateKey *    privKey;		/* RSA step down key */
+    SECKEYPublicKey *     pubKey;		/* RSA step down key */
+
+    if (ss->stepDownKeyPair)
+	ssl3_FreeKeyPair(ss->stepDownKeyPair);
+    ss->stepDownKeyPair = NULL;
+#ifndef HACKED_EXPORT_SERVER
+    /* Sigh, should have a get key strength call for private keys */
+    if (PK11_GetPrivateModulusLen(ss->serverCerts[kt_rsa].serverKey) >
+                                                     EXPORT_RSA_KEY_LENGTH) {
+	/* need to ask for the key size in bits */
+	privKey = SECKEY_CreateRSAPrivateKey(EXPORT_RSA_KEY_LENGTH * BPB,
+					     &pubKey, NULL);
+    	if (!privKey || !pubKey ||
+	    !(ss->stepDownKeyPair = ssl3_NewKeyPair(privKey, pubKey))) {
+	    ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
+	    rv = SECFailure;
+	}
+    }
+#endif
+    return rv;
+}
+
+
+/* record the export policy for this cipher suite */
+SECStatus
+ssl3_SetPolicy(ssl3CipherSuite which, int policy)
+{
+    ssl3CipherSuiteCfg *suite;
+
+    suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
+    if (suite == NULL) {
+	return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
+    }
+    suite->policy = policy;
+
+    if (policy == SSL_RESTRICTED) {
+	ssl3_global_policy_some_restricted = PR_TRUE;
+    }
+
+    return SECSuccess;
+}
+
+SECStatus
+ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *oPolicy)
+{
+    ssl3CipherSuiteCfg *suite;
+    PRInt32             policy;
+    SECStatus           rv;
+
+    suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
+    if (suite) {
+    	policy = suite->policy;
+	rv     = SECSuccess;
+    } else {
+    	policy = SSL_NOT_ALLOWED;
+	rv     = SECFailure;	/* err code was set by Lookup. */
+    }
+    *oPolicy = policy;
+    return rv;
+}
+
+/* record the user preference for this suite */
+SECStatus
+ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool enabled)
+{
+    ssl3CipherSuiteCfg *suite;
+
+    suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
+    if (suite == NULL) {
+	return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
+    }
+    suite->enabled = enabled;
+    return SECSuccess;
+}
+
+/* return the user preference for this suite */
+SECStatus
+ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *enabled)
+{
+    ssl3CipherSuiteCfg *suite;
+    PRBool              pref;
+    SECStatus           rv;
+
+    suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
+    if (suite) {
+    	pref   = suite->enabled;
+	rv     = SECSuccess;
+    } else {
+    	pref   = SSL_NOT_ALLOWED;
+	rv     = SECFailure;	/* err code was set by Lookup. */
+    }
+    *enabled = pref;
+    return rv;
+}
+
+SECStatus
+ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool enabled)
+{
+    ssl3CipherSuiteCfg *suite;
+
+    suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites);
+    if (suite == NULL) {
+	return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
+    }
+    suite->enabled = enabled;
+    return SECSuccess;
+}
+
+SECStatus
+ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *enabled)
+{
+    ssl3CipherSuiteCfg *suite;
+    PRBool              pref;
+    SECStatus           rv;
+
+    suite = ssl_LookupCipherSuiteCfg(which, ss->cipherSuites);
+    if (suite) {
+    	pref   = suite->enabled;
+	rv     = SECSuccess;
+    } else {
+    	pref   = SSL_NOT_ALLOWED;
+	rv     = SECFailure;	/* err code was set by Lookup. */
+    }
+    *enabled = pref;
+    return rv;
+}
+
+/* copy global default policy into socket. */
+void
+ssl3_InitSocketPolicy(sslSocket *ss)
+{
+    PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites);
+}
+
+/* ssl3_config_match_init must have already been called by
+ * the caller of this function.
+ */
+SECStatus
+ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size)
+{
+    int i, count = 0;
+
+    PORT_Assert(ss != 0);
+    if (!ss) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+	return SECFailure;
+    }
+    if (!ss->enableSSL3 && !ss->enableTLS) {
+    	*size = 0;
+	return SECSuccess;
+    }
+    if (cs == NULL) {
+	*size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE);
+	return SECSuccess;
+    }
+
+    /* ssl3_config_match_init was called by the caller of this function. */
+    for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
+	if (config_match(suite, SSL_ALLOWED, PR_TRUE)) {
+	    if (cs != NULL) {
+		*cs++ = 0x00;
+		*cs++ = (suite->cipher_suite >> 8) & 0xFF;
+		*cs++ =  suite->cipher_suite       & 0xFF;
+	    }
+	    count++;
+	}
+    }
+    *size = count;
+    return SECSuccess;
+}
+
+/*
+** If ssl3 socket has completed the first handshake, and is in idle state, 
+** then start a new handshake.
+** If flushCache is true, the SID cache will be flushed first, forcing a
+** "Full" handshake (not a session restart handshake), to be done.
+**
+** called from SSL_RedoHandshake(), which already holds the handshake locks.
+*/
+SECStatus
+ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache)
+{
+    sslSessionID *   sid = ss->sec.ci.sid;
+    SECStatus        rv;
+
+    PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) );
+
+    if (!ss->firstHsDone ||
+        ((ss->version >= SSL_LIBRARY_VERSION_3_0) &&
+	 ss->ssl3 && (ss->ssl3->hs.ws != idle_handshake))) {
+	PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
+	return SECFailure;
+    }
+    if (sid && flushCache) {
+	ss->sec.uncache(sid);	/* remove it from whichever cache it's in. */
+	ssl_FreeSID(sid);	/* dec ref count and free if zero. */
+	ss->sec.ci.sid = NULL;
+    }
+
+    ssl_GetXmitBufLock(ss);	/**************************************/
+
+    /* start off a new handshake. */
+    rv = (ss->sec.isServer) ? ssl3_SendHelloRequest(ss)
+                            : ssl3_SendClientHello(ss);
+
+    ssl_ReleaseXmitBufLock(ss);	/**************************************/
+    return rv;
+}
+
+/* Called from ssl_FreeSocket() in sslsock.c */
+void
+ssl3_DestroySSL3Info(ssl3State *ssl3)
+{
+    if (ssl3 == NULL)
+	return;		/* success the easy way. */
+
+    if (ssl3->clientCertificate != NULL)
+	CERT_DestroyCertificate(ssl3->clientCertificate);
+
+    if (ssl3->clientPrivateKey != NULL)
+	SECKEY_DestroyPrivateKey(ssl3->clientPrivateKey);
+
+    if (ssl3->peerCertArena != NULL)
+	ssl3_CleanupPeerCerts(ssl3);
+
+    if (ssl3->clientCertChain != NULL) {
+       CERT_DestroyCertificateList(ssl3->clientCertChain);
+       ssl3->clientCertChain = NULL;
+    }
+
+    /* clean up handshake */
+    if (ssl3->hs.md5) {
+	PK11_DestroyContext(ssl3->hs.md5,PR_TRUE);
+    }
+    if (ssl3->hs.sha) {
+	PK11_DestroyContext(ssl3->hs.sha,PR_TRUE);
+    }
+
+    if (ssl3->fortezza.tek != NULL) {
+	PK11_FreeSymKey(ssl3->fortezza.tek);
+    }
+    /* free the SSL3Buffer (msg_body) */
+    PORT_Free(ssl3->hs.msg_body.buf);
+
+    /* free up the CipherSpecs */
+    ssl3_DestroyCipherSpec(&ssl3->specs[0]);
+    ssl3_DestroyCipherSpec(&ssl3->specs[1]);
+
+    PORT_Free(ssl3);
+}
+
+/* End of ssl3con.c */
diff --git a/security/nss/lib/ssl/ssl3gthr.c b/security/nss/lib/ssl/ssl3gthr.c
new file mode 100644
index 000000000..92e1523b6
--- /dev/null
+++ b/security/nss/lib/ssl/ssl3gthr.c
@@ -0,0 +1,236 @@
+/*
+ * Gather (Read) entire SSL3 records from socket into buffer.  
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "cert.h"
+#include "ssl.h"
+#include "sslimpl.h"
+#include "ssl3prot.h"
+
+/* 
+ * Attempt to read in an entire SSL3 record.
+ * Blocks here for blocking sockets, otherwise returns -1 with 
+ * 	PR_WOULD_BLOCK_ERROR when socket would block.
+ *
+ * returns  1 if received a complete SSL3 record.
+ * returns  0 if recv returns EOF
+ * returns -1 if recv returns <0  
+ *	(The error value may have already been set to PR_WOULD_BLOCK_ERROR)
+ *
+ * Caller must hold the recv buf lock.
+ *
+ * The Gather state machine has 3 states:  GS_INIT, GS_HEADER, GS_DATA.
+ * GS_HEADER: waiting for the 5-byte SSL3 record header to come in.
+ * GS_DATA:   waiting for the body of the SSL3 record   to come in.
+ *
+ * This loop returns when either (a) an error or EOF occurs, 
+ *	(b) PR_WOULD_BLOCK_ERROR,
+ * 	(c) data (entire SSL3 record) has been received.
+ */
+static int
+ssl3_GatherData(sslSocket *ss, sslGather *gs, int flags)
+{
+    unsigned char *bp;
+    unsigned char *lbp;
+    int            nb;
+    int            err;
+    int            rv		= 1;
+
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+    if (gs->state == GS_INIT) {
+	gs->state       = GS_HEADER;
+	gs->remainder   = 5;
+	gs->offset      = 0;
+	gs->writeOffset = 0;
+	gs->readOffset  = 0;
+	gs->inbuf.len   = 0;
+    }
+    
+    lbp = gs->inbuf.buf;
+    for(;;) {
+	SSL_TRC(30, ("%d: SSL3[%d]: gather state %d (need %d more)",
+		SSL_GETPID(), ss->fd, gs->state, gs->remainder));
+	bp = ((gs->state != GS_HEADER) ? lbp : gs->hdr) + gs->offset;
+	nb = ssl_DefRecv(ss, bp, gs->remainder, flags);
+
+	if (nb > 0) {
+	    PRINT_BUF(60, (ss, "raw gather data:", bp, nb));
+	} else if (nb == 0) {
+	    /* EOF */
+	    SSL_TRC(30, ("%d: SSL3[%d]: EOF", SSL_GETPID(), ss->fd));
+	    rv = 0;
+	    break;
+	} else /* if (nb < 0) */ {
+	    SSL_DBG(("%d: SSL3[%d]: recv error %d", SSL_GETPID(), ss->fd,
+		     PR_GetError()));
+	    rv = SECFailure;
+	    break;
+	}
+
+	PORT_Assert( nb <= gs->remainder );
+	if (nb > gs->remainder) {
+	    /* ssl_DefRecv is misbehaving!  this error is fatal to SSL. */
+	    gs->state = GS_INIT;         /* so we don't crash next time */
+	    rv = SECFailure;
+	    break;
+	}
+
+	gs->offset    += nb;
+	gs->remainder -= nb;
+	if (gs->state == GS_DATA)
+	    gs->inbuf.len += nb;
+
+	/* if there's more to go, read some more. */
+	if (gs->remainder > 0) {
+	    continue;
+	}
+
+	/* have received entire record header, or entire record. */
+	switch (gs->state) {
+	case GS_HEADER:
+	    /*
+	    ** Have received SSL3 record header in gs->hdr.
+	    ** Now extract the length of the following encrypted data, 
+	    ** and then read in the rest of the SSL3 record into gs->inbuf.
+	    */
+	    gs->remainder = (gs->hdr[3] << 8) | gs->hdr[4];
+
+	    /* This is the max fragment length for an encrypted fragment
+	    ** plus the size of the record header.
+	    */
+	    if(gs->remainder > (MAX_FRAGMENT_LENGTH + 2048 + 5)) {
+		SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+		gs->state = GS_INIT;
+		PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
+		return SECFailure;
+	    }
+
+	    gs->state     = GS_DATA;
+	    gs->offset    = 0;
+	    gs->inbuf.len = 0;
+
+	    if (gs->remainder > gs->inbuf.space) {
+		err = sslBuffer_Grow(&gs->inbuf, gs->remainder);
+		if (err) {	/* realloc has set error code to no mem. */
+		    return err;
+		}
+		lbp = gs->inbuf.buf;
+	    }
+	    break;	/* End this case.  Continue around the loop. */
+
+
+	case GS_DATA:
+	    /* 
+	    ** SSL3 record has been completely received.
+	    */
+	    gs->state = GS_INIT;
+	    return 1;
+	}
+    }
+
+    return rv;
+}
+
+/* Gather in a record and when complete, Handle that record.
+ * Repeat this until the handshake is complete, 
+ * or until application data is available.
+ *
+ * Returns  1 when the handshake is completed without error, or 
+ *                 application data is available.
+ * Returns  0 if ssl3_GatherData hits EOF.
+ * Returns -1 on read error, or PR_WOULD_BLOCK_ERROR, or handleRecord error.
+ * Returns -2 on SECWouldBlock return from ssl3_HandleRecord.
+ *
+ * Called from ssl_GatherRecord1stHandshake       in sslcon.c, 
+ *    and from SSL_ForceHandshake in sslsecur.c
+ *    and from ssl3_GatherAppDataRecord below (<- DoRecv in sslsecur.c).
+ *
+ * Caller must hold the recv buf lock.
+ */
+int
+ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
+{
+    SSL3Ciphertext cText;
+    int            rv;
+
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+    do {
+	/* bring in the next sslv3 record. */
+	rv = ssl3_GatherData(ss, &ss->gs, flags);
+	if (rv <= 0) {
+	    return rv;
+	}
+	
+	/* decipher it, and handle it if it's a handshake. 
+	 * If it's application data, ss->gs.buf will not be empty upon return. 
+	 */
+	cText.type    = (SSL3ContentType)ss->gs.hdr[0];
+	cText.version = (ss->gs.hdr[1] << 8) | ss->gs.hdr[2];
+	cText.buf     = &ss->gs.inbuf;
+	rv = ssl3_HandleRecord(ss, &cText, &ss->gs.buf);
+	if (rv < 0) {
+	    return ss->recvdCloseNotify ? 0 : rv;
+	}
+    } while (ss->ssl3->hs.ws != idle_handshake && ss->gs.buf.len == 0);
+
+    ss->gs.readOffset = 0;
+    ss->gs.writeOffset = ss->gs.buf.len;
+    return 1;
+}
+
+/* Repeatedly gather in a record and when complete, Handle that record.
+ * Repeat this until some application data is received.
+ *
+ * Returns  1 when application data is available.
+ * Returns  0 if ssl3_GatherData hits EOF.
+ * Returns -1 on read error, or PR_WOULD_BLOCK_ERROR, or handleRecord error.
+ * Returns -2 on SECWouldBlock return from ssl3_HandleRecord.
+ *
+ * Called from DoRecv in sslsecur.c
+ * Caller must hold the recv buf lock.
+ */
+int
+ssl3_GatherAppDataRecord(sslSocket *ss, int flags)
+{
+    int            rv;
+
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+    do {
+	rv = ssl3_GatherCompleteHandshake(ss, flags);
+    } while (rv > 0 && ss->gs.buf.len == 0);
+
+    return rv;
+}
diff --git a/security/nss/lib/ssl/ssl3prot.h b/security/nss/lib/ssl/ssl3prot.h
new file mode 100644
index 000000000..d4a603b05
--- /dev/null
+++ b/security/nss/lib/ssl/ssl3prot.h
@@ -0,0 +1,305 @@
+/*
+ * Various and sundry protocol constants. DON'T CHANGE THESE. These
+ * values are defined by the SSL 3.0 protocol specification.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#ifndef __ssl3proto_h_
+#define __ssl3proto_h_
+
+typedef uint8 SSL3Opaque;
+
+typedef uint16 SSL3ProtocolVersion;
+/* version numbers are defined in sslproto.h */
+
+typedef uint16 ssl3CipherSuite;
+/* The cipher suites are defined in sslproto.h */
+
+#define MAX_CERT_TYPES			10
+#define MAX_COMPRESSION_METHODS		10
+#define MAX_MAC_LENGTH			64
+#define MAX_PADDING_LENGTH		64
+#define MAX_KEY_LENGTH			64
+#define EXPORT_KEY_LENGTH		 5
+#define SSL3_RANDOM_LENGTH		32
+
+#define SSL3_RECORD_HEADER_LENGTH	 5
+
+#define MAX_FRAGMENT_LENGTH		16384
+     
+typedef enum {
+    content_change_cipher_spec = 20, 
+    content_alert              = 21,
+    content_handshake          = 22, 
+    content_application_data   = 23
+} SSL3ContentType;
+
+typedef struct {
+    SSL3ContentType     type;
+    SSL3ProtocolVersion version;
+    uint16              length;
+    SECItem             fragment;
+} SSL3Plaintext;
+
+typedef struct {
+    SSL3ContentType     type;
+    SSL3ProtocolVersion version;
+    uint16              length;
+    SECItem             fragment;
+} SSL3Compressed;
+
+typedef struct {
+    SECItem    content;
+    SSL3Opaque MAC[MAX_MAC_LENGTH];
+} SSL3GenericStreamCipher;
+
+typedef struct {
+    SECItem    content;
+    SSL3Opaque MAC[MAX_MAC_LENGTH];
+    uint8      padding[MAX_PADDING_LENGTH];
+    uint8      padding_length;
+} SSL3GenericBlockCipher;
+
+typedef enum { change_cipher_spec_choice = 1 } SSL3ChangeCipherSpecChoice;
+
+typedef struct {
+    SSL3ChangeCipherSpecChoice choice;
+} SSL3ChangeCipherSpec;
+
+typedef enum { alert_warning = 1, alert_fatal = 2 } SSL3AlertLevel;
+
+typedef enum {
+    close_notify            = 0,
+    unexpected_message      = 10,
+    bad_record_mac          = 20,
+    decryption_failed       = 21,	/* TLS only */
+    record_overflow         = 22,	/* TLS only */
+    decompression_failure   = 30,
+    handshake_failure       = 40,
+    no_certificate          = 41,	/* SSL3 only, NOT TLS */
+    bad_certificate         = 42,
+    unsupported_certificate = 43,
+    certificate_revoked     = 44,
+    certificate_expired     = 45,
+    certificate_unknown     = 46,
+    illegal_parameter       = 47,
+
+/* All alerts below are TLS only. */
+    unknown_ca              = 48,
+    access_denied           = 49,
+    decode_error            = 50,
+    decrypt_error           = 51,
+    export_restriction      = 60,
+    protocol_version        = 70,
+    insufficient_security   = 71,
+    internal_error          = 80,
+    user_canceled           = 90,
+    no_renegotiation        = 100
+
+} SSL3AlertDescription;
+
+typedef struct {
+    SSL3AlertLevel       level;
+    SSL3AlertDescription description;
+} SSL3Alert;
+
+typedef enum {
+    hello_request	= 0, 
+    client_hello	= 1, 
+    server_hello	= 2,
+    certificate 	= 11, 
+    server_key_exchange = 12,
+    certificate_request	= 13, 
+    server_hello_done	= 14,
+    certificate_verify	= 15, 
+    client_key_exchange	= 16, 
+    finished		= 20
+} SSL3HandshakeType;
+
+typedef struct {
+    uint8 empty;
+} SSL3HelloRequest;
+     
+typedef struct {
+    SSL3Opaque rand[SSL3_RANDOM_LENGTH];
+} SSL3Random;
+     
+typedef struct {
+    SSL3Opaque id[32];
+    uint8 length;
+} SSL3SessionID;
+     
+typedef enum { compression_null = 0 } SSL3CompressionMethod;
+     
+typedef struct {
+    SSL3ProtocolVersion   client_version;
+    SSL3Random            random;
+    SSL3SessionID         session_id;
+    SECItem               cipher_suites;
+    uint8                 cm_count;
+    SSL3CompressionMethod compression_methods[MAX_COMPRESSION_METHODS];
+} SSL3ClientHello;
+     
+typedef struct  {
+    SSL3ProtocolVersion   server_version;
+    SSL3Random            random;
+    SSL3SessionID         session_id;
+    ssl3CipherSuite       cipher_suite;
+    SSL3CompressionMethod compression_method;
+} SSL3ServerHello;
+     
+typedef struct {
+    SECItem list;
+} SSL3Certificate;
+
+/* SSL3SignType moved to ssl.h */
+
+/* The SSL key exchange method used */     
+typedef enum {
+    kea_null, 
+    kea_rsa, 
+    kea_rsa_export,
+    kea_rsa_export_1024,
+    kea_dh_dss, 
+    kea_dh_dss_export, 
+    kea_dh_rsa, 
+    kea_dh_rsa_export,
+    kea_dhe_dss, 
+    kea_dhe_dss_export, 
+    kea_dhe_rsa, 
+    kea_dhe_rsa_export,
+    kea_dh_anon, 
+    kea_dh_anon_export, 
+    kea_fortezza, 
+    kea_rsa_fips
+} SSL3KeyExchangeAlgorithm;
+     
+typedef struct {
+    SECItem modulus;
+    SECItem exponent;
+} SSL3ServerRSAParams;
+
+typedef struct {
+    SECItem p;
+    SECItem g;
+    SECItem Ys;
+} SSL3ServerDHParams;
+
+typedef struct {
+    union {
+	SSL3ServerDHParams dh;
+	SSL3ServerRSAParams rsa;
+    } u;
+} SSL3ServerParams;
+
+typedef struct {
+    uint8 md5[16];
+    uint8 sha[20];
+} SSL3Hashes;
+     
+typedef struct {
+    union {
+	SSL3Opaque anonymous;
+	SSL3Hashes certified;
+    } u;
+} SSL3ServerKeyExchange;
+     
+typedef enum {
+    ct_RSA_sign 	=  1, 
+    ct_DSS_sign 	=  2, 
+    ct_RSA_fixed_DH 	=  3,
+    ct_DSS_fixed_DH 	=  4, 
+    ct_RSA_ephemeral_DH =  5, 
+    ct_DSS_ephemeral_DH =  6,
+    ct_Fortezza 	= 20
+} SSL3ClientCertificateType;
+     
+typedef SECItem *SSL3DistinquishedName;
+
+typedef struct {
+    SSL3Opaque client_version[2];
+    SSL3Opaque random[46];
+} SSL3RSAPreMasterSecret;
+     
+typedef SECItem SSL3EncryptedPreMasterSecret;
+
+/* Following struct is the format of a Fortezza ClientKeyExchange message. */
+typedef struct {
+    SECItem    y_c;
+    SSL3Opaque r_c                      [128];
+    SSL3Opaque y_signature              [40];
+    SSL3Opaque wrapped_client_write_key [12];
+    SSL3Opaque wrapped_server_write_key [12];
+    SSL3Opaque client_write_iv          [24];
+    SSL3Opaque server_write_iv          [24];
+    SSL3Opaque master_secret_iv         [24];
+    SSL3Opaque encrypted_preMasterSecret[48];
+} SSL3FortezzaKeys;
+
+typedef SSL3Opaque SSL3MasterSecret[48];
+
+typedef enum { implicit, explicit } SSL3PublicValueEncoding;
+     
+typedef struct {
+    union {
+	SSL3Opaque implicit;
+	SECItem    explicit;
+    } dh_public;
+} SSL3ClientDiffieHellmanPublic;
+     
+typedef struct {
+    union {
+	SSL3EncryptedPreMasterSecret  rsa;
+	SSL3ClientDiffieHellmanPublic diffie_helman;
+	SSL3FortezzaKeys              fortezza;
+    } exchange_keys;
+} SSL3ClientKeyExchange;
+
+typedef SSL3Hashes SSL3PreSignedCertificateVerify;
+
+typedef SECItem SSL3CertificateVerify;
+
+typedef enum {
+    sender_client = 0x434c4e54,
+    sender_server = 0x53525652
+} SSL3Sender;
+
+typedef SSL3Hashes SSL3Finished;   
+
+typedef struct {
+    SSL3Opaque verify_data[12];
+} TLSFinished;
+
+#endif /* __ssl3proto_h_ */
diff --git a/security/nss/lib/ssl/sslauth.c b/security/nss/lib/ssl/sslauth.c
new file mode 100644
index 000000000..6be86ec9b
--- /dev/null
+++ b/security/nss/lib/ssl/sslauth.c
@@ -0,0 +1,272 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+#include "cert.h"
+#include "secitem.h"
+#include "ssl.h"
+#include "sslimpl.h"
+#include "sslproto.h"
+#include "pk11func.h"
+
+/* NEED LOCKS IN HERE.  */
+CERTCertificate *
+SSL_PeerCertificate(PRFileDesc *fd)
+{
+    sslSocket *ss;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",
+		 SSL_GETPID(), fd));
+	return 0;
+    }
+    if (ss->useSecurity && ss->sec.peerCert) {
+	return CERT_DupCertificate(ss->sec.peerCert);
+    }
+    return 0;
+}
+
+/* NEED LOCKS IN HERE.  */
+CERTCertificate *
+SSL_LocalCertificate(PRFileDesc *fd)
+{
+    sslSocket *ss;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",
+		 SSL_GETPID(), fd));
+	return NULL;
+    }
+    if (ss->useSecurity) {
+    	if (ss->sec.localCert) {
+	    return CERT_DupCertificate(ss->sec.localCert);
+	}
+	if (ss->sec.ci.sid && ss->sec.ci.sid->localCert) {
+	    return CERT_DupCertificate(ss->sec.ci.sid->localCert);
+	}
+    }
+    return NULL;
+}
+
+
+
+/* NEED LOCKS IN HERE.  */
+SECStatus
+SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1,
+		   char **ip, char **sp)
+{
+    sslSocket *ss;
+    const char *cipherName;
+    PRBool isDes = PR_FALSE;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in SecurityStatus",
+		 SSL_GETPID(), fd));
+	return SECFailure;
+    }
+
+    if (cp) *cp = 0;
+    if (kp0) *kp0 = 0;
+    if (kp1) *kp1 = 0;
+    if (ip) *ip = 0;
+    if (sp) *sp = 0;
+    if (op) {
+	*op = SSL_SECURITY_STATUS_OFF;
+    }
+
+    if (ss->useSecurity && ss->firstHsDone) {
+
+	if (ss->version < SSL_LIBRARY_VERSION_3_0) {
+	    cipherName = ssl_cipherName[ss->sec.cipherType];
+	} else {
+	    cipherName = ssl3_cipherName[ss->sec.cipherType];
+	}
+	if (cipherName && PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE;
+	/* do same key stuff for fortezza */
+    
+	if (cp) {
+	    *cp = PORT_Strdup(cipherName);
+	}
+
+	if (kp0) {
+	    *kp0 = ss->sec.keyBits;
+	    if (isDes) *kp0 = (*kp0 * 7) / 8;
+	}
+	if (kp1) {
+	    *kp1 = ss->sec.secretKeyBits;
+	    if (isDes) *kp1 = (*kp1 * 7) / 8;
+	}
+	if (op) {
+	    if (ss->sec.keyBits == 0) {
+		*op = SSL_SECURITY_STATUS_OFF;
+	    } else if (ss->sec.secretKeyBits < 90) {
+		*op = SSL_SECURITY_STATUS_ON_LOW;
+
+	    } else {
+		*op = SSL_SECURITY_STATUS_ON_HIGH;
+	    }
+	}
+
+	if (ip || sp) {
+	    CERTCertificate *cert;
+
+	    cert = ss->sec.peerCert;
+	    if (cert) {
+		if (ip) {
+		    *ip = CERT_NameToAscii(&cert->issuer);
+		}
+		if (sp) {
+		    *sp = CERT_NameToAscii(&cert->subject);
+		}
+	    } else {
+		if (ip) {
+		    *ip = PORT_Strdup("no certificate");
+		}
+		if (sp) {
+		    *sp = PORT_Strdup("no certificate");
+		}
+	    }
+	}
+    }
+
+    return SECSuccess;
+}
+
+/************************************************************************/
+
+/* NEED LOCKS IN HERE.  */
+SECStatus
+SSL_AuthCertificateHook(PRFileDesc *s, SSLAuthCertificate func, void *arg)
+{
+    sslSocket *ss;
+    SECStatus rv;
+
+    ss = ssl_FindSocket(s);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in AuthCertificateHook",
+		 SSL_GETPID(), s));
+	return SECFailure;
+    }
+
+    ss->authCertificate = func;
+    ss->authCertificateArg = arg;
+
+    return SECSuccess;
+}
+
+/* NEED LOCKS IN HERE.  */
+SECStatus 
+SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func,
+			      void *arg)
+{
+    sslSocket *ss;
+    SECStatus rv;
+
+    ss = ssl_FindSocket(s);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook",
+		 SSL_GETPID(), s));
+	return SECFailure;
+    }
+
+    ss->getClientAuthData = func;
+    ss->getClientAuthDataArg = arg;
+    return SECSuccess;
+}
+
+/* NEED LOCKS IN HERE.  */
+SECStatus 
+SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg)
+{
+    sslSocket *ss;
+    SECStatus rv;
+
+    ss = ssl_FindSocket(s);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in GetClientAuthDataHook",
+		 SSL_GETPID(), s));
+	return SECFailure;
+    }
+
+    ss->pkcs11PinArg = arg;
+    return SECSuccess;
+}
+
+
+/* This is the "default" authCert callback function.  It is called when a 
+ * certificate message is received from the peer and the local application
+ * has not registered an authCert callback function.
+ */
+SECStatus
+SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer)
+{
+    SECStatus          rv;
+    CERTCertDBHandle * handle;
+    sslSocket *        ss;
+    SECCertUsage       certUsage;
+    const char *             hostname    = NULL;
+    
+    ss = ssl_FindSocket(fd);
+    PORT_Assert(ss != NULL);
+    if (!ss) {
+	return SECFailure;
+    }
+
+    handle = (CERTCertDBHandle *)arg;
+
+    /* this may seem backwards, but isn't. */
+    certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;
+
+    rv = CERT_VerifyCertNow(handle, ss->sec.peerCert, checkSig, certUsage,
+			    ss->pkcs11PinArg);
+
+    if ( rv != SECSuccess || isServer )
+	return rv;
+  
+    /* cert is OK.  This is the client side of an SSL connection.
+     * Now check the name field in the cert against the desired hostname.
+     * NB: This is our only defense against Man-In-The-Middle (MITM) attacks!
+     */
+    hostname = ss->url;
+    if (hostname && hostname[0])
+	rv = CERT_VerifyCertName(ss->sec.peerCert, hostname);
+    else 
+	rv = SECFailure;
+    if (rv != SECSuccess)
+	PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
+
+    return rv;
+}
diff --git a/security/nss/lib/ssl/sslcon.c b/security/nss/lib/ssl/sslcon.c
new file mode 100644
index 000000000..a1bfb4ce9
--- /dev/null
+++ b/security/nss/lib/ssl/sslcon.c
@@ -0,0 +1,3762 @@
+/* 
+ * SSL v2 handshake functions, and functions common to SSL2 and SSL3.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "nssrenam.h"
+#include "cert.h"
+#include "secitem.h"
+#include "sechash.h"
+#include "cryptohi.h"		/* for SGN_ funcs */
+#include "keyhi.h" 		/* for SECKEY_ high level functions. */
+#include "ssl.h"
+#include "sslimpl.h"
+#include "sslproto.h"
+#include "ssl3prot.h"
+#include "sslerr.h"
+#include "pk11func.h"
+#include "prinit.h"
+#include "prtime.h" 	/* for PR_Now() */
+
+#define XXX
+static PRBool policyWasSet;
+
+/* This ordered list is indexed by (SSL_CK_xx * 3)   */
+/* Second and third bytes are MSB and LSB of master key length. */
+static const PRUint8 allCipherSuites[] = {
+    0,						0,    0,
+    SSL_CK_RC4_128_WITH_MD5,			0x00, 0x80,
+    SSL_CK_RC4_128_EXPORT40_WITH_MD5,		0x00, 0x80,
+    SSL_CK_RC2_128_CBC_WITH_MD5,		0x00, 0x80,
+    SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5,	0x00, 0x80,
+    SSL_CK_IDEA_128_CBC_WITH_MD5,		0x00, 0x80,
+    SSL_CK_DES_64_CBC_WITH_MD5,			0x00, 0x40,
+    SSL_CK_DES_192_EDE3_CBC_WITH_MD5,		0x00, 0xC0,
+    0,						0,    0
+};
+
+#define ssl2_NUM_SUITES_IMPLEMENTED 6
+
+/* This list is sent back to the client when the client-hello message 
+ * contains no overlapping ciphers, so the client can report what ciphers
+ * are supported by the server.  Unlike allCipherSuites (above), this list
+ * is sorted by descending preference, not by cipherSuite number. 
+ */
+static const PRUint8 implementedCipherSuites[ssl2_NUM_SUITES_IMPLEMENTED * 3] = {
+    SSL_CK_RC4_128_WITH_MD5,			0x00, 0x80,
+    SSL_CK_RC2_128_CBC_WITH_MD5,		0x00, 0x80,
+    SSL_CK_DES_192_EDE3_CBC_WITH_MD5,		0x00, 0xC0,
+    SSL_CK_DES_64_CBC_WITH_MD5,			0x00, 0x40,
+    SSL_CK_RC4_128_EXPORT40_WITH_MD5,		0x00, 0x80,
+    SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5,	0x00, 0x80
+};
+
+typedef struct ssl2SpecsStr {
+    PRUint8           nkm; /* do this many hashes to generate key material. */
+    PRUint8           nkd; /* size of readKey and writeKey in bytes. */
+    PRUint8           blockSize;
+    PRUint8           blockShift;
+    CK_MECHANISM_TYPE mechanism;
+    PRUint8           keyLen;	/* cipher symkey size in bytes. */
+    PRUint8           pubLen;	/* publicly reveal this many bytes of key. */
+    PRUint8           ivLen;	/* length of IV data at *ca.	*/
+} ssl2Specs;
+
+static const ssl2Specs ssl_Specs[] = {
+/* NONE                                 */ 
+				{  0,  0, 0, 0, },
+/* SSL_CK_RC4_128_WITH_MD5		*/ 
+				{  2, 16, 1, 0, CKM_RC4,       16,   0, 0, },
+/* SSL_CK_RC4_128_EXPORT40_WITH_MD5	*/ 
+				{  2, 16, 1, 0, CKM_RC4,       16,  11, 0, },
+/* SSL_CK_RC2_128_CBC_WITH_MD5		*/ 
+				{  2, 16, 8, 3, CKM_RC2_CBC,   16,   0, 8, },
+/* SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5	*/ 
+				{  2, 16, 8, 3, CKM_RC2_CBC,   16,  11, 8, },
+/* SSL_CK_IDEA_128_CBC_WITH_MD5		*/ 
+				{  0,  0, 0, 0, },
+/* SSL_CK_DES_64_CBC_WITH_MD5		*/ 
+				{  1,  8, 8, 3, CKM_DES_CBC,    8,   0, 8, },
+/* SSL_CK_DES_192_EDE3_CBC_WITH_MD5	*/ 
+				{  3, 24, 8, 3, CKM_DES3_CBC,  24,   0, 8, },
+};
+
+#define SET_ERROR_CODE	  /* reminder */
+#define TEST_FOR_FAILURE  /* reminder */
+
+/*
+** Put a string tag in the library so that we can examine an executable
+** and see what kind of security it supports.
+*/
+const char *ssl_version = "SECURITY_VERSION:"
+			" +us"
+			" +export"
+#ifdef TRACE
+			" +trace"
+#endif
+#ifdef DEBUG
+			" +debug"
+#endif
+			;
+
+const char * const ssl_cipherName[] = {
+    "unknown",
+    "RC4",
+    "RC4-Export",
+    "RC2-CBC",
+    "RC2-CBC-Export",
+    "IDEA-CBC",
+    "DES-CBC",
+    "DES-EDE3-CBC",
+    "unknown",
+    "Fortezza",
+};
+
+
+/* bit-masks, showing which SSLv2 suites are allowed.
+ * lsb corresponds to first cipher suite in allCipherSuites[].
+ */
+static PRUint16	allowedByPolicy;          /* all off by default */
+static PRUint16	maybeAllowedByPolicy;     /* all off by default */
+static PRUint16	chosenPreference = 0xff;  /* all on  by default */
+
+/* bit values for the above two bit masks */
+#define SSL_CB_RC4_128_WITH_MD5              (1 << SSL_CK_RC4_128_WITH_MD5)
+#define SSL_CB_RC4_128_EXPORT40_WITH_MD5     (1 << SSL_CK_RC4_128_EXPORT40_WITH_MD5)
+#define SSL_CB_RC2_128_CBC_WITH_MD5          (1 << SSL_CK_RC2_128_CBC_WITH_MD5)
+#define SSL_CB_RC2_128_CBC_EXPORT40_WITH_MD5 (1 << SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5)
+#define SSL_CB_IDEA_128_CBC_WITH_MD5         (1 << SSL_CK_IDEA_128_CBC_WITH_MD5)
+#define SSL_CB_DES_64_CBC_WITH_MD5           (1 << SSL_CK_DES_64_CBC_WITH_MD5)
+#define SSL_CB_DES_192_EDE3_CBC_WITH_MD5     (1 << SSL_CK_DES_192_EDE3_CBC_WITH_MD5)
+#define SSL_CB_IMPLEMENTED \
+   (SSL_CB_RC4_128_WITH_MD5              | \
+    SSL_CB_RC4_128_EXPORT40_WITH_MD5     | \
+    SSL_CB_RC2_128_CBC_WITH_MD5          | \
+    SSL_CB_RC2_128_CBC_EXPORT40_WITH_MD5 | \
+    SSL_CB_DES_64_CBC_WITH_MD5           | \
+    SSL_CB_DES_192_EDE3_CBC_WITH_MD5)
+
+
+/* Construct a socket's list of cipher specs from the global default values.
+ */
+static SECStatus
+ssl2_ConstructCipherSpecs(sslSocket *ss) 
+{
+    PRUint8 *	        cs		= NULL;
+    unsigned int	allowed;
+    unsigned int	count;
+    int 		ssl3_count	= 0;
+    int 		final_count;
+    int 		i;
+    SECStatus 		rv;
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+
+    count = 0;
+    PORT_Assert(ss != 0);
+    allowed = !ss->enableSSL2 ? 0 :
+    	(ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
+    while (allowed) {
+    	if (allowed & 1) 
+	    ++count;
+	allowed >>= 1;
+    }
+
+    /* Call ssl3_config_match_init() once here, 
+     * instead of inside ssl3_ConstructV2CipherSpecsHack(),
+     * because the latter gets called twice below, 
+     * and then again in ssl2_BeginClientHandshake().
+     */
+    ssl3_config_match_init(ss);
+
+    /* ask SSL3 how many cipher suites it has. */
+    rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3_count);
+    if (rv < 0) 
+	return rv;
+    count += ssl3_count;
+
+    /* Allocate memory to hold cipher specs */
+    if (count > 0)
+	cs = (PRUint8*) PORT_Alloc(count * 3);
+    else
+	PORT_SetError(SSL_ERROR_SSL_DISABLED);
+    if (cs == NULL)
+    	return SECFailure;
+
+    if (ss->cipherSpecs != NULL) {
+	PORT_Free(ss->cipherSpecs);
+    }
+    ss->cipherSpecs     = cs;
+    ss->sizeCipherSpecs = count * 3;
+
+    /* fill in cipher specs for SSL2 cipher suites */
+    allowed = !ss->enableSSL2 ? 0 :
+    	(ss->allowedByPolicy & ss->chosenPreference & SSL_CB_IMPLEMENTED);
+    for (i = 0; i < ssl2_NUM_SUITES_IMPLEMENTED * 3; i += 3) {
+	const PRUint8 * hs = implementedCipherSuites + i;
+	int             ok = allowed & (1U << hs[0]);
+	if (ok) {
+	    cs[0] = hs[0];
+	    cs[1] = hs[1];
+	    cs[2] = hs[2];
+	    cs += 3;
+	}
+    }
+
+    /* now have SSL3 add its suites onto the end */
+    rv = ssl3_ConstructV2CipherSpecsHack(ss, cs, &final_count);
+    
+    /* adjust for any difference between first pass and second pass */
+    ss->sizeCipherSpecs -= (ssl3_count - final_count) * 3;
+
+    return rv;
+}
+
+/* This function is called immediately after ssl2_ConstructCipherSpecs()
+** at the beginning of a handshake.  It detects cases where a protocol
+** (e.g. SSL2 or SSL3) is logically enabled, but all its cipher suites
+** for that protocol have been disabled.  If such cases, it clears the 
+** enable bit for the protocol.  If no protocols remain enabled, or
+** if no cipher suites are found, it sets the error code and returns
+** SECFailure, otherwise it returns SECSuccess.
+*/
+static SECStatus
+ssl2_CheckConfigSanity(sslSocket *ss)
+{
+    unsigned int      allowed;
+    int               ssl3CipherCount = 0;
+    SECStatus         rv;
+
+    /* count the SSL2 and SSL3 enabled ciphers.
+     * if either is zero, clear the socket's enable for that protocol.
+     */
+    if (!ss->cipherSpecs)
+    	goto disabled;
+
+    allowed = ss->allowedByPolicy & ss->chosenPreference;
+    if (! allowed)
+	ss->enableSSL2 = PR_FALSE;     /* not really enabled if no ciphers */
+
+    /* ssl3_config_match_init was called in ssl2_ConstructCipherSpecs(). */
+    /* Ask how many ssl3 CipherSuites were enabled. */
+    rv = ssl3_ConstructV2CipherSpecsHack(ss, NULL, &ssl3CipherCount);
+    if (rv != SECSuccess || ssl3CipherCount <= 0) {
+	ss->enableSSL3 = PR_FALSE;     /* not really enabled if no ciphers */
+	ss->enableTLS  = PR_FALSE;
+    }
+
+    if (!ss->enableSSL2 && !ss->enableSSL3 && !ss->enableTLS) {
+	SSL_DBG(("%d: SSL[%d]: Can't handshake! both v2 and v3 disabled.",
+		 SSL_GETPID(), ss->fd));
+disabled:
+	PORT_SetError(SSL_ERROR_SSL_DISABLED);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/* 
+ * Since this is a global (not per-socket) setting, we cannot use the
+ * HandshakeLock to protect this.  Probably want a global lock.
+ */
+SECStatus
+ssl2_SetPolicy(PRInt32 which, PRInt32 policy)
+{
+    PRUint32  bitMask;
+    SECStatus rv       = SECSuccess;
+
+    which &= 0x000f;
+    bitMask = 1 << which;
+
+    if (!(bitMask & SSL_CB_IMPLEMENTED)) {
+    	PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
+    	return SECFailure;
+    }
+
+    if (policy == SSL_ALLOWED) {
+	allowedByPolicy 	|= bitMask;
+	maybeAllowedByPolicy 	|= bitMask;
+    } else if (policy == SSL_RESTRICTED) {
+    	allowedByPolicy 	&= ~bitMask;
+	maybeAllowedByPolicy 	|= bitMask;
+    } else {
+    	allowedByPolicy 	&= ~bitMask;
+    	maybeAllowedByPolicy 	&= ~bitMask;
+    }
+    allowedByPolicy 		&= SSL_CB_IMPLEMENTED;
+    maybeAllowedByPolicy 	&= SSL_CB_IMPLEMENTED;
+
+    policyWasSet = PR_TRUE;
+    return rv;
+}
+
+SECStatus
+ssl2_GetPolicy(PRInt32 which, PRInt32 *oPolicy)
+{
+    PRUint32     bitMask;
+    PRInt32      policy;
+
+    which &= 0x000f;
+    bitMask = 1 << which;
+
+    /* Caller assures oPolicy is not null. */
+    if (!(bitMask & SSL_CB_IMPLEMENTED)) {
+    	PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
+	*oPolicy = SSL_NOT_ALLOWED;
+    	return SECFailure;
+    }
+
+    if (maybeAllowedByPolicy & bitMask) {
+    	policy = (allowedByPolicy & bitMask) ? SSL_ALLOWED : SSL_RESTRICTED;
+    } else {
+	policy = SSL_NOT_ALLOWED;
+    }
+
+    *oPolicy = policy;
+    return SECSuccess;
+}
+
+/* 
+ * Since this is a global (not per-socket) setting, we cannot use the
+ * HandshakeLock to protect this.  Probably want a global lock.
+ * Called from SSL_CipherPrefSetDefault in sslsock.c
+ * These changes have no effect on any sslSockets already created. 
+ */
+SECStatus
+ssl2_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
+{
+    PRUint32     bitMask;
+    
+    which &= 0x000f;
+    bitMask = 1 << which;
+
+    if (!(bitMask & SSL_CB_IMPLEMENTED)) {
+    	PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
+    	return SECFailure;
+    }
+
+    if (enabled)
+	chosenPreference |= bitMask;
+    else
+    	chosenPreference &= ~bitMask;
+    chosenPreference &= SSL_CB_IMPLEMENTED;
+
+    return SECSuccess;
+}
+
+SECStatus 
+ssl2_CipherPrefGetDefault(PRInt32 which, PRBool *enabled)
+{
+    PRBool       rv       = PR_FALSE;
+    PRUint32     bitMask;
+
+    which &= 0x000f;
+    bitMask = 1 << which;
+
+    if (!(bitMask & SSL_CB_IMPLEMENTED)) {
+    	PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
+	*enabled = PR_FALSE;
+    	return SECFailure;
+    }
+
+    rv = (PRBool)((chosenPreference & bitMask) != 0);
+    *enabled = rv;
+    return SECSuccess;
+}
+
+SECStatus 
+ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled)
+{
+    PRUint32     bitMask;
+    
+    which &= 0x000f;
+    bitMask = 1 << which;
+
+    if (!(bitMask & SSL_CB_IMPLEMENTED)) {
+    	PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
+    	return SECFailure;
+    }
+
+    if (enabled)
+	ss->chosenPreference |= bitMask;
+    else
+    	ss->chosenPreference &= ~bitMask;
+    ss->chosenPreference &= SSL_CB_IMPLEMENTED;
+
+    return SECSuccess;
+}
+
+SECStatus 
+ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled)
+{
+    PRBool       rv       = PR_FALSE;
+    PRUint32     bitMask;
+
+    which &= 0x000f;
+    bitMask = 1 << which;
+
+    if (!(bitMask & SSL_CB_IMPLEMENTED)) {
+    	PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
+	*enabled = PR_FALSE;
+    	return SECFailure;
+    }
+
+    rv = (PRBool)((ss->chosenPreference & bitMask) != 0);
+    *enabled = rv;
+    return SECSuccess;
+}
+
+
+/* copy global default policy into socket. */
+void      
+ssl2_InitSocketPolicy(sslSocket *ss)
+{
+    ss->allowedByPolicy		= allowedByPolicy;
+    ss->maybeAllowedByPolicy	= maybeAllowedByPolicy;
+    ss->chosenPreference 	= chosenPreference;
+}
+
+
+/************************************************************************/
+
+/* Called from ssl2_CreateSessionCypher(), which already holds handshake lock.
+ */
+static SECStatus
+ssl2_CreateMAC(sslSecurityInfo *sec, SECItem *readKey, SECItem *writeKey, 
+          int cipherChoice)
+{
+    switch (cipherChoice) {
+
+      case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
+      case SSL_CK_RC2_128_CBC_WITH_MD5:
+      case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
+      case SSL_CK_RC4_128_WITH_MD5:
+      case SSL_CK_DES_64_CBC_WITH_MD5:
+      case SSL_CK_DES_192_EDE3_CBC_WITH_MD5:
+	sec->hash = HASH_GetHashObject(HASH_AlgMD5);
+	SECITEM_CopyItem(0, &sec->sendSecret, writeKey);
+	SECITEM_CopyItem(0, &sec->rcvSecret, readKey);
+	break;
+
+      default:
+	PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+	return SECFailure;
+    }
+    sec->hashcx = (*sec->hash->create)();
+    if (sec->hashcx == NULL)
+	return SECFailure;
+    return SECSuccess;
+}
+
+/************************************************************************
+ * All the Send functions below must acquire and release the socket's 
+ * xmitBufLock.
+ */
+
+/* Called from all the Send* functions below. */
+static SECStatus
+ssl2_GetSendBuffer(sslSocket *ss, unsigned int len)
+{
+    SECStatus rv = SECSuccess;
+
+    PORT_Assert(ssl_HaveXmitBufLock(ss));
+
+    if (len < 128) {
+	len = 128;
+    }
+    if (len > ss->sec.ci.sendBuf.space) {
+	rv = sslBuffer_Grow(&ss->sec.ci.sendBuf, len);
+	if (rv != SECSuccess) {
+	    SSL_DBG(("%d: SSL[%d]: ssl2_GetSendBuffer failed, tried to get %d bytes",
+		     SSL_GETPID(), ss->fd, len));
+	    rv = SECFailure;
+	}
+    }
+    return rv;
+}
+
+/* Called from:
+ * ssl2_ClientSetupSessionCypher() <- ssl2_HandleServerHelloMessage()
+ * ssl2_HandleRequestCertificate()     <- ssl2_HandleMessage() <- 
+ 					ssl_Do1stHandshake()
+ * ssl2_HandleMessage()                <- ssl_Do1stHandshake()
+ * ssl2_HandleServerHelloMessage() <- ssl_Do1stHandshake()
+                                     after ssl2_BeginClientHandshake()
+ * ssl2_RestartHandshakeAfterCertReq() <- Called from certdlgs.c in nav.
+ * ssl2_HandleClientHelloMessage() <- ssl_Do1stHandshake() 
+                                     after ssl2_BeginServerHandshake()
+ * 
+ * Acquires and releases the socket's xmitBufLock.
+ */	
+int
+ssl2_SendErrorMessage(sslSocket *ss, int error)
+{
+    int rv;
+    PRUint8 msg[SSL_HL_ERROR_HBYTES];
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+
+    msg[0] = SSL_MT_ERROR;
+    msg[1] = MSB(error);
+    msg[2] = LSB(error);
+
+    ssl_GetXmitBufLock(ss);    /***************************************/
+
+    SSL_TRC(3, ("%d: SSL[%d]: sending error %d", SSL_GETPID(), ss->fd, error));
+
+    ss->handshakeBegun = 1;
+    rv = (*ss->sec.send)(ss, msg, sizeof(msg), 0);
+    if (rv >= 0) {
+	rv = SECSuccess;
+    }
+    ssl_ReleaseXmitBufLock(ss);    /***************************************/
+    return rv;
+}
+
+/* Called from ssl2_TryToFinish().  
+ * Acquires and releases the socket's xmitBufLock.
+ */
+static SECStatus
+ssl2_SendClientFinishedMessage(sslSocket *ss)
+{
+    SECStatus        rv    = SECSuccess;
+    int              sent;
+    PRUint8    msg[1 + SSL_CONNECTIONID_BYTES];
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+
+    ssl_GetXmitBufLock(ss);    /***************************************/
+
+    if (ss->sec.ci.sentFinished == 0) {
+	ss->sec.ci.sentFinished = 1;
+
+	SSL_TRC(3, ("%d: SSL[%d]: sending client-finished",
+		    SSL_GETPID(), ss->fd));
+
+	msg[0] = SSL_MT_CLIENT_FINISHED;
+	PORT_Memcpy(msg+1, ss->sec.ci.connectionID, 
+	            sizeof(ss->sec.ci.connectionID));
+
+	DUMP_MSG(29, (ss, msg, 1 + sizeof(ss->sec.ci.connectionID)));
+	sent = (*ss->sec.send)(ss, msg, 1 + sizeof(ss->sec.ci.connectionID), 0);
+	rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
+    }
+    ssl_ReleaseXmitBufLock(ss);    /***************************************/
+    return rv;
+}
+
+/* Called from 
+ * ssl2_HandleClientSessionKeyMessage() <- ssl2_HandleClientHelloMessage()
+ * ssl2_HandleClientHelloMessage()  <- ssl_Do1stHandshake() 
+                                      after ssl2_BeginServerHandshake()
+ * Acquires and releases the socket's xmitBufLock.
+ */
+static SECStatus
+ssl2_SendServerVerifyMessage(sslSocket *ss)
+{
+    PRUint8 *        msg;
+    int              sendLen;
+    int              sent;
+    SECStatus        rv;
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+
+    ssl_GetXmitBufLock(ss);    /***************************************/
+
+    sendLen = 1 + SSL_CHALLENGE_BYTES;
+    rv = ssl2_GetSendBuffer(ss, sendLen);
+    if (rv != SECSuccess) {
+	goto done;
+    }
+
+    msg = ss->sec.ci.sendBuf.buf;
+    msg[0] = SSL_MT_SERVER_VERIFY;
+    PORT_Memcpy(msg+1, ss->sec.ci.clientChallenge, SSL_CHALLENGE_BYTES);
+
+    DUMP_MSG(29, (ss, msg, sendLen));
+    sent = (*ss->sec.send)(ss, msg, sendLen, 0);
+
+    rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
+
+done:
+    ssl_ReleaseXmitBufLock(ss);    /***************************************/
+    return rv;
+}
+
+/* Called from ssl2_TryToFinish(). 
+ * Acquires and releases the socket's xmitBufLock.
+ */
+static SECStatus
+ssl2_SendServerFinishedMessage(sslSocket *ss)
+{
+    sslSessionID *   sid;
+    PRUint8 *        msg;
+    int              sendLen, sent;
+    SECStatus        rv    = SECSuccess;
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+
+    ssl_GetXmitBufLock(ss);    /***************************************/
+
+    if (ss->sec.ci.sentFinished == 0) {
+	ss->sec.ci.sentFinished = 1;
+	PORT_Assert(ss->sec.ci.sid != 0);
+	sid = ss->sec.ci.sid;
+
+	SSL_TRC(3, ("%d: SSL[%d]: sending server-finished",
+		    SSL_GETPID(), ss->fd));
+
+	sendLen = 1 + sizeof(sid->u.ssl2.sessionID);
+	rv = ssl2_GetSendBuffer(ss, sendLen);
+	if (rv != SECSuccess) {
+	    goto done;
+	}
+
+	msg = ss->sec.ci.sendBuf.buf;
+	msg[0] = SSL_MT_SERVER_FINISHED;
+	PORT_Memcpy(msg+1, sid->u.ssl2.sessionID,
+		    sizeof(sid->u.ssl2.sessionID));
+
+	DUMP_MSG(29, (ss, msg, sendLen));
+	sent = (*ss->sec.send)(ss, msg, sendLen, 0);
+
+	if (sent < 0) {
+	    /* If send failed, it is now a bogus  session-id */
+	    (*ss->sec.uncache)(sid);
+	    rv = (SECStatus)sent;
+	} else if (!ss->noCache) {
+	    /* Put the sid in session-id cache, (may already be there) */
+	    (*ss->sec.cache)(sid);
+	    rv = SECSuccess;
+	}
+	ssl_FreeSID(sid);
+	ss->sec.ci.sid = 0;
+    }
+done:
+    ssl_ReleaseXmitBufLock(ss);    /***************************************/
+    return rv;
+}
+
+/* Called from ssl2_ClientSetupSessionCypher() <- 
+ *						ssl2_HandleServerHelloMessage() 
+ *                                           after ssl2_BeginClientHandshake()
+ * Acquires and releases the socket's xmitBufLock.
+ */
+static SECStatus
+ssl2_SendSessionKeyMessage(sslSocket *ss, int cipher, int keySize,
+		      PRUint8 *ca, int caLen,
+		      PRUint8 *ck, int ckLen,
+		      PRUint8 *ek, int ekLen)
+{
+    PRUint8 *        msg;
+    int              sendLen;
+    int              sent;
+    SECStatus        rv;
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+
+    ssl_GetXmitBufLock(ss);    /***************************************/
+
+    sendLen = SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen + ekLen + caLen;
+    rv = ssl2_GetSendBuffer(ss, sendLen);
+    if (rv != SECSuccess) 
+	goto done;
+
+    SSL_TRC(3, ("%d: SSL[%d]: sending client-session-key",
+		SSL_GETPID(), ss->fd));
+
+    msg = ss->sec.ci.sendBuf.buf;
+    msg[0] = SSL_MT_CLIENT_MASTER_KEY;
+    msg[1] = cipher;
+    msg[2] = MSB(keySize);
+    msg[3] = LSB(keySize);
+    msg[4] = MSB(ckLen);
+    msg[5] = LSB(ckLen);
+    msg[6] = MSB(ekLen);
+    msg[7] = LSB(ekLen);
+    msg[8] = MSB(caLen);
+    msg[9] = LSB(caLen);
+    PORT_Memcpy(msg+SSL_HL_CLIENT_MASTER_KEY_HBYTES, ck, ckLen);
+    PORT_Memcpy(msg+SSL_HL_CLIENT_MASTER_KEY_HBYTES+ckLen, ek, ekLen);
+    PORT_Memcpy(msg+SSL_HL_CLIENT_MASTER_KEY_HBYTES+ckLen+ekLen, ca, caLen);
+
+    DUMP_MSG(29, (ss, msg, sendLen));
+    sent = (*ss->sec.send)(ss, msg, sendLen, 0);
+    rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
+done:
+    ssl_ReleaseXmitBufLock(ss);    /***************************************/
+    return rv;
+}
+
+/* Called from ssl2_TriggerNextMessage() <- ssl2_HandleMessage() 
+ * Acquires and releases the socket's xmitBufLock.
+ */
+static SECStatus
+ssl2_SendCertificateRequestMessage(sslSocket *ss)
+{
+    PRUint8 *        msg;
+    int              sent;
+    int              sendLen;
+    SECStatus        rv;
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+
+    ssl_GetXmitBufLock(ss);    /***************************************/
+
+    sendLen = SSL_HL_REQUEST_CERTIFICATE_HBYTES + SSL_CHALLENGE_BYTES;
+    rv = ssl2_GetSendBuffer(ss, sendLen);
+    if (rv != SECSuccess) 
+	goto done;
+
+    SSL_TRC(3, ("%d: SSL[%d]: sending certificate request",
+		SSL_GETPID(), ss->fd));
+
+    /* Generate random challenge for client to encrypt */
+    PK11_GenerateRandom(ss->sec.ci.serverChallenge, SSL_CHALLENGE_BYTES);
+
+    msg = ss->sec.ci.sendBuf.buf;
+    msg[0] = SSL_MT_REQUEST_CERTIFICATE;
+    msg[1] = SSL_AT_MD5_WITH_RSA_ENCRYPTION;
+    PORT_Memcpy(msg + SSL_HL_REQUEST_CERTIFICATE_HBYTES, 
+                ss->sec.ci.serverChallenge, SSL_CHALLENGE_BYTES);
+
+    DUMP_MSG(29, (ss, msg, sendLen));
+    sent = (*ss->sec.send)(ss, msg, sendLen, 0);
+    rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
+done:
+    ssl_ReleaseXmitBufLock(ss);    /***************************************/
+    return rv;
+}
+
+/* Called from ssl2_HandleRequestCertificate() <- ssl2_HandleMessage()
+ *             ssl2_RestartHandshakeAfterCertReq() <- (application)
+ * Acquires and releases the socket's xmitBufLock.
+ */
+static int
+ssl2_SendCertificateResponseMessage(sslSocket *ss, SECItem *cert, 
+                                    SECItem *encCode)
+{
+    PRUint8 *msg;
+    int rv, sendLen;
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+
+    ssl_GetXmitBufLock(ss);    /***************************************/
+
+    sendLen = SSL_HL_CLIENT_CERTIFICATE_HBYTES + encCode->len + cert->len;
+    rv = ssl2_GetSendBuffer(ss, sendLen);
+    if (rv) 
+    	goto done;
+
+    SSL_TRC(3, ("%d: SSL[%d]: sending certificate response",
+		SSL_GETPID(), ss->fd));
+
+    msg = ss->sec.ci.sendBuf.buf;
+    msg[0] = SSL_MT_CLIENT_CERTIFICATE;
+    msg[1] = SSL_CT_X509_CERTIFICATE;
+    msg[2] = MSB(cert->len);
+    msg[3] = LSB(cert->len);
+    msg[4] = MSB(encCode->len);
+    msg[5] = LSB(encCode->len);
+    PORT_Memcpy(msg + SSL_HL_CLIENT_CERTIFICATE_HBYTES, cert->data, cert->len);
+    PORT_Memcpy(msg + SSL_HL_CLIENT_CERTIFICATE_HBYTES + cert->len,
+	      encCode->data, encCode->len);
+
+    DUMP_MSG(29, (ss, msg, sendLen));
+    rv = (*ss->sec.send)(ss, msg, sendLen, 0);
+    if (rv >= 0) {
+	rv = SECSuccess;
+    }
+done:
+    ssl_ReleaseXmitBufLock(ss);    /***************************************/
+    return rv;
+}
+
+/********************************************************************
+**  Send functions above this line must aquire & release the socket's   
+**	xmitBufLock.  
+** All the ssl2_Send functions below this line are called vis ss->sec.send
+**	and require that the caller hold the xmitBufLock.
+*/
+
+/*
+** Called from ssl2_SendStream, ssl2_SendBlock, but not from ssl2_SendClear.
+*/
+static SECStatus
+ssl2_CalcMAC(PRUint8             * result, 
+	     sslSecurityInfo     * sec,
+	     const PRUint8       * data, 
+	     unsigned int          dataLen,
+	     unsigned int          paddingLen)
+{
+    const PRUint8 *      secret		= sec->sendSecret.data;
+    unsigned int         secretLen	= sec->sendSecret.len;
+    unsigned long        sequenceNumber = sec->sendSequence;
+    unsigned int         nout;
+    PRUint8              seq[4];
+    PRUint8              padding[32];/* XXX max blocksize? */
+
+    if (!sec->hash || !sec->hash->length)
+    	return SECSuccess;
+    if (!sec->hashcx)
+    	return SECFailure;
+
+    /* Reset hash function */
+    (*sec->hash->begin)(sec->hashcx);
+
+    /* Feed hash the data */
+    (*sec->hash->update)(sec->hashcx, secret, secretLen);
+    (*sec->hash->update)(sec->hashcx, data, dataLen);
+    PORT_Memset(padding, paddingLen, paddingLen);
+    (*sec->hash->update)(sec->hashcx, padding, paddingLen);
+
+    seq[0] = (PRUint8) (sequenceNumber >> 24);
+    seq[1] = (PRUint8) (sequenceNumber >> 16);
+    seq[2] = (PRUint8) (sequenceNumber >> 8);
+    seq[3] = (PRUint8) (sequenceNumber);
+
+    PRINT_BUF(60, (0, "calc-mac secret:", secret, secretLen));
+    PRINT_BUF(60, (0, "calc-mac data:", data, dataLen));
+    PRINT_BUF(60, (0, "calc-mac padding:", padding, paddingLen));
+    PRINT_BUF(60, (0, "calc-mac seq:", seq, 4));
+
+    (*sec->hash->update)(sec->hashcx, seq, 4);
+
+    /* Get result */
+    (*sec->hash->end)(sec->hashcx, result, &nout, sec->hash->length);
+
+    return SECSuccess;
+}
+
+/*
+** Maximum transmission amounts. These are tiny bit smaller than they
+** need to be (they account for the MAC length plus some padding),
+** assuming the MAC is 16 bytes long and the padding is a max of 7 bytes
+** long. This gives an additional 9 bytes of slop to work within.
+*/
+#define MAX_STREAM_CYPHER_LEN	0x7fe0
+#define MAX_BLOCK_CYPHER_LEN	0x3fe0
+
+/*
+** Send some data in the clear. 
+** Package up data with the length header and send it.
+**
+** Return count of bytes succesfully written, or negative number (failure).
+*/
+static PRInt32 
+ssl2_SendClear(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
+{
+    PRUint8         * out;
+    int               rv;
+    int               amount;
+    int               count	= 0;
+
+    PORT_Assert( ssl_HaveXmitBufLock(ss) );
+
+    SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes in the clear",
+		 SSL_GETPID(), ss->fd, len));
+    PRINT_BUF(50, (ss, "clear data:", (PRUint8*) in, len));
+
+    while (len) {
+	amount = PR_MIN( len, MAX_STREAM_CYPHER_LEN );
+	if (amount + 2 > ss->sec.writeBuf.space) {
+	    rv = sslBuffer_Grow(&ss->sec.writeBuf, amount + 2);
+	    if (rv != SECSuccess) {
+		count = rv;
+		break;
+	    }
+	}
+	out = ss->sec.writeBuf.buf;
+
+	/*
+	** Construct message.
+	*/
+	out[0] = 0x80 | MSB(amount);
+	out[1] = LSB(amount);
+	PORT_Memcpy(&out[2], in, amount);
+
+	/* Now send the data */
+	rv = ssl_DefSend(ss, out, amount + 2, flags & ~ssl_SEND_FLAG_MASK);
+	if (rv < 0) {
+	    if (PORT_GetError() == PR_WOULD_BLOCK_ERROR) {
+		rv = 0;
+	    } else {
+		/* Return short write if some data already went out... */
+		if (count == 0)
+		    count = rv;
+		break;
+	    }
+	}
+
+	if ((unsigned)rv < (amount + 2)) {
+	    /* Short write.  Save the data and return. */
+	    if (ssl_SaveWriteData(ss, &ss->pendingBuf, out + rv,
+				   amount + 2 - rv) == SECFailure) {
+		count = SECFailure;
+	    } else {
+		count += amount;
+		ss->sec.sendSequence++;
+	    }
+	    break;
+	}
+
+	ss->sec.sendSequence++;
+	in    += amount;
+	count += amount;
+	len   -= amount;
+    }
+
+    return count;
+}
+
+/*
+** Send some data, when using a stream cipher. Stream ciphers have a
+** block size of 1. Package up the data with the length header
+** and send it.
+*/
+static PRInt32 
+ssl2_SendStream(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
+{
+    PRUint8       *  out;
+    int              rv;
+    int              count	= 0;
+
+    int              amount;
+    PRUint8          macLen;
+    int              nout;
+    int              buflen;
+
+    PORT_Assert( ssl_HaveXmitBufLock(ss) );
+
+    SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes using stream cipher",
+		 SSL_GETPID(), ss->fd, len));
+    PRINT_BUF(50, (ss, "clear data:", (PRUint8*) in, len));
+
+    while (len) {
+	ssl_GetSpecReadLock(ss);  /*************************************/
+
+	macLen = ss->sec.hash->length;
+	amount = PR_MIN( len, MAX_STREAM_CYPHER_LEN );
+	buflen = amount + 2 + macLen;
+	if (buflen > ss->sec.writeBuf.space) {
+	    rv = sslBuffer_Grow(&ss->sec.writeBuf, buflen);
+	    if (rv != SECSuccess) {
+		goto loser;
+	    }
+	}
+	out    = ss->sec.writeBuf.buf;
+	nout   = amount + macLen;
+	out[0] = 0x80 | MSB(nout);
+	out[1] = LSB(nout);
+
+	/* Calculate MAC */
+	rv = ssl2_CalcMAC(out+2, 		/* put MAC here */
+	                  &ss->sec, 
+		          in, amount, 		/* input addr & length */
+			  0); 			/* no padding */
+	if (rv != SECSuccess) 
+	    goto loser;
+
+	/* Encrypt MAC */
+	rv = (*ss->sec.enc)(ss->sec.writecx, out+2, &nout, macLen, out+2, macLen);
+	if (rv) goto loser;
+
+	/* Encrypt data from caller */
+	rv = (*ss->sec.enc)(ss->sec.writecx, out+2+macLen, &nout, amount, in, amount);
+	if (rv) goto loser;
+
+	ssl_ReleaseSpecReadLock(ss);  /*************************************/
+
+	PRINT_BUF(50, (ss, "encrypted data:", out, buflen));
+
+	rv = ssl_DefSend(ss, out, buflen, flags & ~ssl_SEND_FLAG_MASK);
+	if (rv < 0) {
+	    if (PORT_GetError() == PR_WOULD_BLOCK_ERROR) {
+		SSL_TRC(50, ("%d: SSL[%d]: send stream would block, "
+			     "saving data", SSL_GETPID(), ss->fd));
+		rv = 0;
+	    } else {
+		SSL_TRC(10, ("%d: SSL[%d]: send stream error %d",
+			     SSL_GETPID(), ss->fd, PORT_GetError()));
+		/* Return short write if some data already went out... */
+		if (count == 0)
+		    count = rv;
+		goto done;
+	    }
+	}
+
+	if ((unsigned)rv < buflen) {
+	    /* Short write.  Save the data and return. */
+	    if (ssl_SaveWriteData(ss, &ss->pendingBuf, out + rv,
+				  buflen - rv) == SECFailure) {
+		count = SECFailure;
+	    } else {
+	    	count += amount;
+		ss->sec.sendSequence++;
+	    }
+	    goto done;
+	}
+
+	ss->sec.sendSequence++;
+	in    += amount;
+	count += amount;
+	len   -= amount;
+    }
+
+done:
+    return count;
+
+loser:
+    ssl_ReleaseSpecReadLock(ss);
+    return SECFailure;
+}
+
+/*
+** Send some data, when using a block cipher. Package up the data with
+** the length header and send it.
+*/
+/* XXX assumes blocksize is > 7 */
+static PRInt32
+ssl2_SendBlock(sslSocket *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags)
+{
+    PRUint8       *  out;  		    /* begining of output buffer.    */
+    PRUint8       *  op;		    /* next output byte goes here.   */
+    int              rv;		    /* value from funcs we called.   */
+    int              count	= 0;        /* this function's return value. */
+
+    unsigned int     hlen;		    /* output record hdr len, 2 or 3 */
+    unsigned int     macLen;		    /* MAC is this many bytes long.  */
+    int              amount;		    /* of plaintext to go in record. */
+    unsigned int     padding;		    /* add this many padding byte.   */
+    int              nout;		    /* ciphertext size after header. */
+    int              buflen;		    /* size of generated record.     */
+
+    PORT_Assert( ssl_HaveXmitBufLock(ss) );
+
+    SSL_TRC(10, ("%d: SSL[%d]: sending %d bytes using block cipher",
+		 SSL_GETPID(), ss->fd, len));
+    PRINT_BUF(50, (ss, "clear data:", in, len));
+
+    while (len) {
+	ssl_GetSpecReadLock(ss);  /*************************************/
+
+	macLen = ss->sec.hash->length;
+	/* Figure out how much to send, including mac and padding */
+	amount  = PR_MIN( len, MAX_BLOCK_CYPHER_LEN );
+	nout    = amount + macLen;
+	padding = nout & (ss->sec.blockSize - 1);
+	if (padding) {
+	    hlen    = 3;
+	    padding = ss->sec.blockSize - padding;
+	    nout   += padding;
+	} else {
+	    hlen = 2;
+	}
+	buflen = hlen + nout;
+	if (buflen > ss->sec.writeBuf.space) {
+	    rv = sslBuffer_Grow(&ss->sec.writeBuf, buflen);
+	    if (rv != SECSuccess) {
+		goto loser;
+	    }
+	}
+	out = ss->sec.writeBuf.buf;
+
+	/* Construct header */
+	op = out;
+	if (padding) {
+	    *op++ = MSB(nout);
+	    *op++ = LSB(nout);
+	    *op++ = padding;
+	} else {
+	    *op++ = 0x80 | MSB(nout);
+	    *op++ = LSB(nout);
+	}
+
+	/* Calculate MAC */
+	rv = ssl2_CalcMAC(op, 		/* MAC goes here. */
+	                  &ss->sec, 
+		          in, amount, 	/* intput addr, len */
+			  padding);
+	if (rv != SECSuccess) 
+	    goto loser;
+	op += macLen;
+
+	/* Copy in the input data */
+	/* XXX could eliminate the copy by folding it into the encryption */
+	PORT_Memcpy(op, in, amount);
+	op += amount;
+	if (padding) {
+	    PORT_Memset(op, padding, padding);
+	    op += padding;
+	}
+
+	/* Encrypt result */
+	rv = (*ss->sec.enc)(ss->sec.writecx, out+hlen, &nout, buflen-hlen,
+			 out+hlen, op - (out + hlen));
+	if (rv) 
+	    goto loser;
+
+	ssl_ReleaseSpecReadLock(ss);  /*************************************/
+
+	PRINT_BUF(50, (ss, "final xmit data:", out, op - out));
+
+	rv = ssl_DefSend(ss, out, op - out, flags & ~ssl_SEND_FLAG_MASK);
+	if (rv < 0) {
+	    if (PORT_GetError() == PR_WOULD_BLOCK_ERROR) {
+		rv = 0;
+	    } else {
+		SSL_TRC(10, ("%d: SSL[%d]: send block error %d",
+			     SSL_GETPID(), ss->fd, PORT_GetError()));
+		/* Return short write if some data already went out... */
+		if (count == 0)
+		    count = rv;
+		goto done;
+	    }
+	}
+
+	if (rv < (op - out)) {
+	    /* Short write.  Save the data and return. */
+	    if (ssl_SaveWriteData(ss, &ss->pendingBuf, out + rv,
+				  op - out - rv) == SECFailure) {
+		count = SECFailure;
+	    } else {
+		count += amount;
+		ss->sec.sendSequence++;
+	    }
+	    goto done;
+	}
+
+	ss->sec.sendSequence++;
+	in    += amount;
+	count += amount;
+	len   -= amount;
+    }
+
+done:
+    return count;
+
+loser:
+    ssl_ReleaseSpecReadLock(ss);
+    return SECFailure;
+}
+
+/*
+** Called from: ssl2_HandleServerHelloMessage,
+**              ssl2_HandleClientSessionKeyMessage,
+**              ssl2_RestartHandshakeAfterServerCert,
+**              ssl2_HandleClientHelloMessage,
+**              
+*/
+static void
+ssl2_UseEncryptedSendFunc(sslSocket *ss)
+{
+    ssl_GetXmitBufLock(ss);
+    PORT_Assert(ss->sec.hashcx != 0);
+
+    ss->gs.encrypted = 1;
+    ss->sec.send = (ss->sec.blockSize > 1) ? ssl2_SendBlock : ssl2_SendStream;
+    ssl_ReleaseXmitBufLock(ss);
+}
+
+/* Called while initializing socket in ssl_CreateSecurityInfo().
+** This function allows us to keep the name of ssl2_SendClear static.
+*/
+void
+ssl2_UseClearSendFunc(sslSocket *ss)
+{
+    ss->sec.send = ssl2_SendClear;
+}
+
+/************************************************************************
+** 			END of Send functions.                          * 
+*************************************************************************/
+
+/***********************************************************************
+ * For SSL3, this gathers in and handles records/messages until either 
+ *	the handshake is complete or application data is available.
+ *
+ * For SSL2, this gathers in only the next SSLV2 record.
+ *
+ * Called from ssl_Do1stHandshake() via function pointer ss->handshake.
+ * Caller must hold handshake lock.
+ * This function acquires and releases the RecvBufLock.
+ *
+ * returns SECSuccess for success.
+ * returns SECWouldBlock when that value is returned by ssl2_GatherRecord() or
+ *	ssl3_GatherCompleteHandshake().
+ * returns SECFailure on all other errors.
+ *
+ * The gather functions called by ssl_GatherRecord1stHandshake are expected 
+ * 	to return values interpreted as follows:
+ *  1 : the function completed without error.
+ *  0 : the function read EOF.
+ * -1 : read error, or PR_WOULD_BLOCK_ERROR, or handleRecord error.
+ * -2 : the function wants ssl_GatherRecord1stHandshake to be called again 
+ *	immediately, by ssl_Do1stHandshake.
+ *
+ * This code is similar to, and easily confused with, DoRecv() in sslsecur.c
+ *
+ * This function is called from ssl_Do1stHandshake().  
+ * The following functions put ssl_GatherRecord1stHandshake into ss->handshake:
+ *	ssl2_HandleMessage
+ *	ssl2_HandleVerifyMessage
+ *	ssl2_HandleServerHelloMessage
+ *	ssl2_BeginClientHandshake	
+ *	ssl2_HandleClientSessionKeyMessage
+ *	ssl2_RestartHandshakeAfterCertReq 
+ *	ssl3_RestartHandshakeAfterCertReq 
+ *	ssl2_RestartHandshakeAfterServerCert 
+ *	ssl3_RestartHandshakeAfterServerCert 
+ *	ssl2_HandleClientHelloMessage
+ *	ssl2_BeginServerHandshake
+ */
+SECStatus
+ssl_GatherRecord1stHandshake(sslSocket *ss)
+{
+    int rv;
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+
+    ssl_GetRecvBufLock(ss);
+
+    if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
+	/* Wait for handshake to complete, or application data to arrive.  */
+	rv = ssl3_GatherCompleteHandshake(ss, 0);
+    } else {
+	/* See if we have a complete record */
+	rv = ssl2_GatherRecord(ss, 0);
+    }
+    SSL_TRC(10, ("%d: SSL[%d]: handshake gathering, rv=%d",
+		 SSL_GETPID(), ss->fd, rv));
+
+    ssl_ReleaseRecvBufLock(ss);
+
+    if (rv <= 0) {
+	if (rv == SECWouldBlock) {
+	    /* Progress is blocked waiting for callback completion.  */
+	    SSL_TRC(10, ("%d: SSL[%d]: handshake blocked (need %d)",
+			 SSL_GETPID(), ss->fd, ss->gs.remainder));
+	    return SECWouldBlock;
+	}
+	if (rv == 0) {
+	    /* EOF. Loser  */
+	    PORT_SetError(PR_END_OF_FILE_ERROR);
+	}
+	return SECFailure;	/* rv is < 0 here. */
+    }
+
+    SSL_TRC(10, ("%d: SSL[%d]: got handshake record of %d bytes",
+		 SSL_GETPID(), ss->fd, ss->gs.recordLen));
+
+    ss->handshake = 0;	/* makes ssl_Do1stHandshake call ss->nextHandshake.*/
+    return SECSuccess;
+}
+
+/************************************************************************/
+
+/* Called from ssl2_ServerSetupSessionCypher()
+ *             ssl2_ClientSetupSessionCypher()
+ */
+static SECStatus
+ssl2_FillInSID(sslSessionID * sid, 
+          int            cipher,
+	  PRUint8       *keyData, 
+	  int            keyLen,
+	  PRUint8       *ca, 
+	  int            caLen,
+	  int            keyBits, 
+	  int            secretKeyBits,
+	  SSLSignType    authAlgorithm,
+	  PRUint32       authKeyBits,
+	  SSLKEAType     keaType,
+	  PRUint32       keaKeyBits)
+{
+    PORT_Assert(sid->references == 1);
+    PORT_Assert(sid->cached == never_cached);
+    PORT_Assert(sid->u.ssl2.masterKey.data == 0);
+    PORT_Assert(sid->u.ssl2.cipherArg.data == 0);
+
+    sid->version = SSL_LIBRARY_VERSION_2;
+
+    sid->u.ssl2.cipherType = cipher;
+    sid->u.ssl2.masterKey.data = (PRUint8*) PORT_Alloc(keyLen);
+    if (!sid->u.ssl2.masterKey.data) {
+	return SECFailure;
+    }
+    PORT_Memcpy(sid->u.ssl2.masterKey.data, keyData, keyLen);
+    sid->u.ssl2.masterKey.len = keyLen;
+    sid->u.ssl2.keyBits       = keyBits;
+    sid->u.ssl2.secretKeyBits = secretKeyBits;
+    sid->authAlgorithm        = authAlgorithm;
+    sid->authKeyBits          = authKeyBits;
+    sid->keaType              = keaType;
+    sid->keaKeyBits           = keaKeyBits;
+    sid->lastAccessTime = sid->creationTime = ssl_Time();
+    sid->expirationTime = sid->creationTime + ssl_sid_timeout;
+
+    if (caLen) {
+	sid->u.ssl2.cipherArg.data = (PRUint8*) PORT_Alloc(caLen);
+	if (!sid->u.ssl2.cipherArg.data) {
+	    return SECFailure;
+	}
+	sid->u.ssl2.cipherArg.len = caLen;
+	PORT_Memcpy(sid->u.ssl2.cipherArg.data, ca, caLen);
+    }
+    return SECSuccess;
+}
+
+/*
+** Construct session keys given the masterKey (tied to the session-id),
+** the client's challenge and the server's nonce.
+**
+** Called from ssl2_CreateSessionCypher() <-
+*/
+static SECStatus
+ssl2_ProduceKeys(sslSocket *    ss, 
+            SECItem *      readKey, 
+	    SECItem *      writeKey,
+	    SECItem *      masterKey, 
+	    PRUint8 *      challenge,
+	    PRUint8 *      nonce, 
+	    int            cipherType)
+{
+    PK11Context * cx        = 0;
+    unsigned      nkm       = 0; /* number of hashes to generate key mat. */
+    unsigned      nkd       = 0; /* size of readKey and writeKey. */
+    unsigned      part;
+    unsigned      i;
+    unsigned      off;
+    SECStatus     rv;
+    PRUint8       countChar;
+    PRUint8       km[3*16];	/* buffer for key material. */
+
+    readKey->data = 0;
+    writeKey->data = 0;
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+
+    rv = SECSuccess;
+    cx = PK11_CreateDigestContext(SEC_OID_MD5);
+    if (cx == NULL) {
+	ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+	return SECFailure;
+    }
+
+    nkm = ssl_Specs[cipherType].nkm;
+    nkd = ssl_Specs[cipherType].nkd;
+
+    readKey->data = (PRUint8*) PORT_Alloc(nkd);
+    if (!readKey->data) 
+    	goto loser;
+    readKey->len = nkd;
+
+    writeKey->data = (PRUint8*) PORT_Alloc(nkd);
+    if (!writeKey->data) 
+    	goto loser;
+    writeKey->len = nkd;
+
+    /* Produce key material */
+    countChar = '0';
+    for (i = 0, off = 0; i < nkm; i++, off += 16) {
+	rv  = PK11_DigestBegin(cx);
+	rv |= PK11_DigestOp(cx, masterKey->data, masterKey->len);
+	rv |= PK11_DigestOp(cx, &countChar,      1);
+	rv |= PK11_DigestOp(cx, challenge,       SSL_CHALLENGE_BYTES);
+	rv |= PK11_DigestOp(cx, nonce,           SSL_CONNECTIONID_BYTES);
+	rv |= PK11_DigestFinal(cx, km+off, &part, MD5_LENGTH);
+	if (rv != SECSuccess) {
+	    ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+	    rv = SECFailure;
+	    goto loser;
+	}
+	countChar++;
+    }
+
+    /* Produce keys */
+    PORT_Memcpy(readKey->data,  km,       nkd);
+    PORT_Memcpy(writeKey->data, km + nkd, nkd);
+
+loser:
+    PK11_DestroyContext(cx, PR_TRUE);
+    return rv;
+}
+
+/* Called from ssl2_ServerSetupSessionCypher() 
+**                  <- ssl2_HandleClientSessionKeyMessage()
+**                          <- ssl2_HandleClientHelloMessage()
+** and from    ssl2_ClientSetupSessionCypher() 
+**                  <- ssl2_HandleServerHelloMessage()
+*/
+static SECStatus
+ssl2_CreateSessionCypher(sslSocket *ss, sslSessionID *sid, PRBool isClient)
+{
+    SECItem         * rk = NULL;
+    SECItem         * wk = NULL;
+    SECItem *         param;
+    SECStatus         rv;
+    int               cipherType  = sid->u.ssl2.cipherType;
+    PK11SlotInfo *    slot        = NULL;
+    CK_MECHANISM_TYPE mechanism;
+    SECItem           readKey;
+    SECItem           writeKey;
+
+    void *readcx = 0;
+    void *writecx = 0;
+    readKey.data = 0;
+    writeKey.data = 0;
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+    if((ss->sec.ci.sid == 0))
+    	goto sec_loser;	/* don't crash if asserts are off */
+
+    /* Trying to cut down on all these switch statements that should be tables.
+     * So, test cipherType once, here, and then use tables below. 
+     */
+    switch (cipherType) {
+    case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
+    case SSL_CK_RC4_128_WITH_MD5:
+    case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
+    case SSL_CK_RC2_128_CBC_WITH_MD5:
+    case SSL_CK_DES_64_CBC_WITH_MD5:
+    case SSL_CK_DES_192_EDE3_CBC_WITH_MD5:
+	break;
+
+    default:
+	SSL_DBG(("%d: SSL[%d]: ssl2_CreateSessionCypher: unknown cipher=%d",
+		 SSL_GETPID(), ss->fd, cipherType));
+	PORT_SetError(isClient ? SSL_ERROR_BAD_SERVER : SSL_ERROR_BAD_CLIENT);
+	goto sec_loser;
+    }
+ 
+    rk = isClient ? &readKey  : &writeKey;
+    wk = isClient ? &writeKey : &readKey;
+
+    /* Produce the keys for this session */
+    rv = ssl2_ProduceKeys(ss, &readKey, &writeKey, &sid->u.ssl2.masterKey,
+		     ss->sec.ci.clientChallenge, ss->sec.ci.connectionID,
+		     cipherType);
+    if (rv != SECSuccess) 
+	goto loser;
+    PRINT_BUF(7, (ss, "Session read-key: ", rk->data, rk->len));
+    PRINT_BUF(7, (ss, "Session write-key: ", wk->data, wk->len));
+
+    PORT_Memcpy(ss->sec.ci.readKey, readKey.data, readKey.len);
+    PORT_Memcpy(ss->sec.ci.writeKey, writeKey.data, writeKey.len);
+    ss->sec.ci.keySize = readKey.len;
+
+    /* Setup the MAC */
+    rv = ssl2_CreateMAC(&ss->sec, rk, wk, cipherType);
+    if (rv != SECSuccess) 
+    	goto loser;
+
+    /* First create the session key object */
+    SSL_TRC(3, ("%d: SSL[%d]: using %s", SSL_GETPID(), ss->fd,
+	    ssl_cipherName[cipherType]));
+
+
+    mechanism  = ssl_Specs[cipherType].mechanism;
+
+    /* set destructer before we call loser... */
+    ss->sec.destroy = (void (*)(void*, PRBool)) PK11_DestroyContext;
+    slot = PK11_GetBestSlot(mechanism, ss->pkcs11PinArg);
+    if (slot == NULL)
+	goto loser;
+
+    param = PK11_ParamFromIV(mechanism, &sid->u.ssl2.cipherArg);
+    if (param == NULL)
+	goto loser;
+    readcx = PK11_CreateContextByRawKey(slot, mechanism, PK11_OriginUnwrap,
+					CKA_DECRYPT, rk, param,
+					ss->pkcs11PinArg);
+    SECITEM_FreeItem(param, PR_TRUE);
+    if (readcx == NULL)
+	goto loser;
+
+    /* build the client context */
+    param = PK11_ParamFromIV(mechanism, &sid->u.ssl2.cipherArg);
+    if (param == NULL)
+	goto loser;
+    writecx = PK11_CreateContextByRawKey(slot, mechanism, PK11_OriginUnwrap,
+					 CKA_ENCRYPT, wk, param,
+					 ss->pkcs11PinArg);
+    SECITEM_FreeItem(param,PR_TRUE);
+    if (writecx == NULL)
+	goto loser;
+    PK11_FreeSlot(slot);
+
+    rv = SECSuccess;
+    ss->sec.enc           = (SSLCipher) PK11_CipherOp;
+    ss->sec.dec           = (SSLCipher) PK11_CipherOp;
+    ss->sec.readcx        = (void *) readcx;
+    ss->sec.writecx       = (void *) writecx;
+    ss->sec.blockSize     = ssl_Specs[cipherType].blockSize;
+    ss->sec.blockShift    = ssl_Specs[cipherType].blockShift;
+    ss->sec.cipherType    = sid->u.ssl2.cipherType;
+    ss->sec.keyBits       = sid->u.ssl2.keyBits;
+    ss->sec.secretKeyBits = sid->u.ssl2.secretKeyBits;
+    goto done;
+
+  loser:
+    if (ss->sec.destroy) {
+	if (readcx)  (*ss->sec.destroy)(readcx, PR_TRUE);
+	if (writecx) (*ss->sec.destroy)(writecx, PR_TRUE);
+    }
+    ss->sec.destroy = NULL;
+    if (slot) PK11_FreeSlot(slot);
+
+  sec_loser:
+    rv = SECFailure;
+
+  done:
+    if (rk) {
+	SECITEM_ZfreeItem(rk, PR_FALSE);
+    }
+    if (wk) {
+	SECITEM_ZfreeItem(wk, PR_FALSE);
+    }
+    return rv;
+}
+
+/*
+** Setup the server ciphers given information from a CLIENT-MASTER-KEY
+** message.
+** 	"ss"      pointer to the ssl-socket object
+** 	"cipher"  the cipher type to use
+** 	"keyBits" the size of the final cipher key
+** 	"ck"      the clear-key data
+** 	"ckLen"   the number of bytes of clear-key data
+** 	"ek"      the encrypted-key data
+** 	"ekLen"   the number of bytes of encrypted-key data
+** 	"ca"      the cipher-arg data
+** 	"caLen"   the number of bytes of cipher-arg data
+**
+** The MASTER-KEY is constructed by first decrypting the encrypted-key
+** data. This produces the SECRET-KEY-DATA. The MASTER-KEY is composed by
+** concatenating the clear-key data with the SECRET-KEY-DATA. This code
+** checks to make sure that the client didn't send us an improper amount
+** of SECRET-KEY-DATA (it restricts the length of that data to match the
+** spec).
+**
+** Called from ssl2_HandleClientSessionKeyMessage().
+*/
+static SECStatus
+ssl2_ServerSetupSessionCypher(sslSocket *ss, int cipher, unsigned int keyBits,
+			 PRUint8 *ck, unsigned int ckLen,
+			 PRUint8 *ek, unsigned int ekLen,
+			 PRUint8 *ca, unsigned int caLen)
+{
+    PRUint8           *kk = NULL;
+    sslSessionID *    sid;
+    PRUint8       *   kbuf = 0;	/* buffer for RSA decrypted data. */
+    unsigned int      el1;	/* length of RSA decrypted data in kbuf */
+    unsigned int      keySize;
+    unsigned int      modulusLen;
+    SECStatus         rv;
+    PRUint8           mkbuf[SSL_MAX_MASTER_KEY_BYTES];
+    sslServerCerts  * sc = ss->serverCerts + kt_rsa;
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ssl_HaveRecvBufLock(ss)   );
+    PORT_Assert((sc->serverKey != 0));
+    PORT_Assert((ss->sec.ci.sid != 0));
+    sid = ss->sec.ci.sid;
+
+    keySize = (keyBits + 7) >> 3;
+    /* Is the message just way too big? */
+    if (keySize > SSL_MAX_MASTER_KEY_BYTES) {
+	/* bummer */
+	SSL_DBG(("%d: SSL[%d]: keySize=%d ckLen=%d max session key size=%d",
+		 SSL_GETPID(), ss->fd, keySize, ckLen,
+		 SSL_MAX_MASTER_KEY_BYTES));
+	PORT_SetError(SSL_ERROR_BAD_CLIENT);
+	goto loser;
+    }
+
+
+    /* Trying to cut down on all these switch statements that should be tables.
+     * So, test cipherType once, here, and then use tables below. 
+     */
+    switch (cipher) {
+    case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
+    case SSL_CK_RC4_128_WITH_MD5:
+    case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
+    case SSL_CK_RC2_128_CBC_WITH_MD5:
+    case SSL_CK_DES_64_CBC_WITH_MD5:
+    case SSL_CK_DES_192_EDE3_CBC_WITH_MD5:
+	break;
+
+    default:
+	SSL_DBG(("%d: SSL[%d]: ssl2_ServerSetupSessionCypher: unknown cipher=%d",
+		 SSL_GETPID(), ss->fd, cipher));
+	PORT_SetError(SSL_ERROR_BAD_CLIENT);
+	goto loser;
+    }
+
+    /* For export ciphers, make sure they didn't send too much key data. */
+    if (ckLen != ssl_Specs[cipher].pubLen) {
+	SSL_DBG(("%d: SSL[%d]: odd secret key size, keySize=%d ckLen=%d!",
+		 SSL_GETPID(), ss->fd, keySize, ckLen));
+	/* Somebody tried to sneak by a strange secret key */
+	PORT_SetError(SSL_ERROR_BAD_CLIENT);
+	goto loser;
+    }
+
+    /* allocate the buffer to hold the decrypted portion of the key. */
+    /* XXX Haven't done any range check on ekLen. */
+    kbuf = (PRUint8*) PORT_Alloc(ekLen);
+    if (!kbuf) {
+	goto loser;
+    }
+
+    /*
+    ** Decrypt encrypted half of the key. Note that encrypted half has
+    ** been made to match the modulus size of our public key using
+    ** PKCS#1. keySize is the real size of the data that is interesting.
+    ** NOTE: PK11_PubDecryptRaw will barf on a non-RSA key. This is
+    ** desired behavior here.
+    */
+    rv = PK11_PubDecryptRaw(sc->serverKey, kbuf, &el1, ekLen, ek, ekLen);
+    if (rv != SECSuccess) 
+	goto hide_loser;
+
+    modulusLen = PK11_GetPrivateModulusLen(sc->serverKey);
+    if (modulusLen == -1) {
+	/* If the key was really bad, then PK11_pubDecryptRaw
+	 * would have failed, therefore the we must assume that the card
+	 * is just being a pain and not giving us the modulus... but it
+	 * should be the same size as the encrypted key length, so use it
+	 * and keep cranking */
+	modulusLen = ekLen;
+    }
+    /* Is the length of the decrypted data (el1) the expected value? */
+    if (modulusLen != el1) 
+	goto hide_loser;
+
+    /* Cheaply verify that PKCS#1 was used to format the encryption block */
+    kk = kbuf + modulusLen - (keySize - ckLen);
+    if ((kbuf[0] != 0x00) || (kbuf[1] != 0x02) || (kk[-1] != 0x00)) {
+	/* Tsk tsk. */
+	SSL_DBG(("%d: SSL[%d]: strange encryption block",
+		 SSL_GETPID(), ss->fd));
+	PORT_SetError(SSL_ERROR_BAD_CLIENT);
+	goto hide_loser;
+    }
+
+    /* Make sure we're not subject to a version rollback attack. */
+    if (ss->enableSSL3 || ss->enableTLS) {
+	PRUint8 threes[8] = { 0x03, 0x03, 0x03, 0x03,
+			      0x03, 0x03, 0x03, 0x03 };
+	
+	if (PORT_Memcmp(kk - 8 - 1, threes, 8) == 0) {
+	    PORT_SetError(SSL_ERROR_BAD_CLIENT);
+	    goto hide_loser;
+	}
+    }
+    if (0) {
+hide_loser:
+	/* Defense against the Bleichenbacher attack.
+	 * Provide the client with NO CLUES that the decrypted master key
+	 * was erroneous.  Don't send any error messages.
+	 * Instead, Generate a completely bogus master key .
+	 */
+	PK11_GenerateRandom(kbuf, ekLen);
+	if (!kk) {
+	    kk = kbuf + ekLen - (keySize-ckLen);
+	}
+    }
+
+    /*
+    ** Construct master key out of the pieces.
+    */
+    if (ckLen) {
+	PORT_Memcpy(mkbuf, ck, ckLen);
+    }
+    PORT_Memcpy(mkbuf+ckLen, kk, keySize-ckLen);
+
+    /* Fill in session-id */
+    rv = ssl2_FillInSID(sid, cipher, mkbuf, keySize, ca, caLen,
+		   keyBits, keyBits - (ckLen<<3),
+		   ss->sec.authAlgorithm, ss->sec.authKeyBits,
+		   ss->sec.keaType,       ss->sec.keaKeyBits);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    /* Create session ciphers */
+    rv = ssl2_CreateSessionCypher(ss, sid, PR_FALSE);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    SSL_TRC(1, ("%d: SSL[%d]: server, using %s cipher, clear=%d total=%d",
+		SSL_GETPID(), ss->fd, ssl_cipherName[cipher],
+		ckLen<<3, keySize<<3));
+    rv = SECSuccess;
+    goto done;
+
+  loser:
+    rv = SECFailure;
+
+  done:
+    PORT_Free(kbuf);
+    return rv;
+}
+
+/************************************************************************/
+
+/*
+** Rewrite the incoming cipher specs, comparing to list of specs we support,
+** (ss->cipherSpecs) and eliminating anything we don't support
+**
+*  Note: Our list may contain SSL v3 ciphers.  
+*  We MUST NOT match on any of those.  
+*  Fortunately, this is easy to detect because SSLv3 ciphers have zero
+*  in the first byte, and none of the SSLv2 ciphers do.
+*
+*  Called from ssl2_HandleClientHelloMessage().
+*/
+static int
+ssl2_QualifyCypherSpecs(sslSocket *ss, 
+                        PRUint8 *  cs, /* cipher specs in client hello msg. */
+		        int        csLen)
+{
+    PRUint8 *    ms;
+    PRUint8 *    hs;
+    PRUint8 *    qs;
+    int          mc;
+    int          hc;
+    PRUint8      qualifiedSpecs[ssl2_NUM_SUITES_IMPLEMENTED * 3];
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ssl_HaveRecvBufLock(ss)   );
+
+    if (!ss->cipherSpecs) {
+	ssl2_ConstructCipherSpecs(ss);
+    }
+
+    PRINT_BUF(10, (ss, "specs from client:", cs, csLen));
+    qs = qualifiedSpecs;
+    ms = ss->cipherSpecs;
+    for (mc = ss->sizeCipherSpecs; mc > 0; mc -= 3, ms += 3) {
+	if (ms[0] == 0)
+	    continue;
+	for (hs = cs, hc = csLen; hc > 0; hs += 3, hc -= 3) {
+	    if ((hs[0] == ms[0]) &&
+		(hs[1] == ms[1]) &&
+		(hs[2] == ms[2])) {
+		/* Copy this cipher spec into the "keep" section */
+		qs[0] = hs[0];
+		qs[1] = hs[1];
+		qs[2] = hs[2];
+		qs   += 3;
+		break;
+	    }
+	}
+    }
+    hc = qs - qualifiedSpecs;
+    PRINT_BUF(10, (ss, "qualified specs from client:", qualifiedSpecs, hc));
+    PORT_Memcpy(cs, qualifiedSpecs, hc);
+    return hc;
+}
+
+/*
+** Pick the best cipher we can find, given the array of server cipher
+** specs.  Returns cipher number (e.g. SSL_CK_*), or -1 for no overlap.
+** If succesful, stores the master key size (bytes) in *pKeyLen.
+**
+** This is correct only for the client side, but presently
+** this function is only called from 
+**	ssl2_ClientSetupSessionCypher() <- ssl2_HandleServerHelloMessage()
+**
+** Note that most servers only return a single cipher suite in their 
+** ServerHello messages.  So, the code below for finding the "best" cipher
+** suite usually has only one choice.  The client and server should send 
+** their cipher suite lists sorted in descending order by preference.
+*/
+static int
+ssl2_ChooseSessionCypher(sslSocket *ss, 
+                         int        hc,    /* number of cs's in hs. */
+		         PRUint8 *  hs,    /* server hello's cipher suites. */
+		         int *      pKeyLen) /* out: sym key size in bytes. */
+{
+    PRUint8 *       ms;
+    unsigned int    i;
+    int             bestKeySize;
+    int             bestRealKeySize;
+    int             bestCypher;
+    int             keySize;
+    int             realKeySize;
+    PRUint8 *       ohs               = hs;
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ssl_HaveRecvBufLock(ss)   );
+
+    if (!ss->cipherSpecs) {
+	ssl2_ConstructCipherSpecs(ss);
+    }
+
+    if (!ss->preferredCipher) {
+	const PRUint8 * preferred = implementedCipherSuites;
+    	unsigned int    allowed = ss->allowedByPolicy & ss->chosenPreference &
+	                       SSL_CB_IMPLEMENTED;
+	if (allowed) {
+	    for (i = ssl2_NUM_SUITES_IMPLEMENTED; i > 0; --i) {
+		if (0 != (allowed & (1U << preferred[0]))) {
+		    ss->preferredCipher = preferred;
+		    break;
+		}
+		preferred += 3;
+	    }
+	}
+    }
+    /*
+    ** Scan list of ciphers recieved from peer and look for a match in
+    ** our list.  
+    *  Note: Our list may contain SSL v3 ciphers.  
+    *  We MUST NOT match on any of those.  
+    *  Fortunately, this is easy to detect because SSLv3 ciphers have zero
+    *  in the first byte, and none of the SSLv2 ciphers do.
+    */
+    bestKeySize = bestRealKeySize = 0;
+    bestCypher = -1;
+    while (--hc >= 0) {
+	for (i = 0, ms = ss->cipherSpecs; i < ss->sizeCipherSpecs; i += 3, ms += 3) {
+	    if ((hs[0] == ss->preferredCipher[0]) &&
+		(hs[1] == ss->preferredCipher[1]) &&
+		(hs[2] == ss->preferredCipher[2]) &&
+		 hs[0] != 0) {
+		/* Pick this cipher immediately! */
+		*pKeyLen = (((hs[1] << 8) | hs[2]) + 7) >> 3;
+		return hs[0];
+	    }
+	    if ((hs[0] == ms[0]) && (hs[1] == ms[1]) && (hs[2] == ms[2]) &&
+	         hs[0] != 0) {
+		/* Found a match */
+
+		/* Use secret keySize to determine which cipher is best */
+		realKeySize = (hs[1] << 8) | hs[2];
+		switch (hs[0]) {
+		  case SSL_CK_RC4_128_EXPORT40_WITH_MD5:
+		  case SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5:
+		    keySize = 40;
+		    break;
+		  default:
+		    keySize = realKeySize;
+		    break;
+		}
+		if (keySize > bestKeySize) {
+		    bestCypher = hs[0];
+		    bestKeySize = keySize;
+		    bestRealKeySize = realKeySize;
+		}
+	    }
+	}
+	hs += 3;
+    }
+    if (bestCypher < 0) {
+	/*
+	** No overlap between server and client. Re-examine server list
+	** to see what kind of ciphers it does support so that we can set
+	** the error code appropriately.
+	*/
+	if ((ohs[0] == SSL_CK_RC4_128_WITH_MD5) ||
+	    (ohs[0] == SSL_CK_RC2_128_CBC_WITH_MD5)) {
+	    PORT_SetError(SSL_ERROR_US_ONLY_SERVER);
+	} else if ((ohs[0] == SSL_CK_RC4_128_EXPORT40_WITH_MD5) ||
+		   (ohs[0] == SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5)) {
+	    PORT_SetError(SSL_ERROR_EXPORT_ONLY_SERVER);
+	} else {
+	    PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+	}
+	SSL_DBG(("%d: SSL[%d]: no cipher overlap", SSL_GETPID(), ss->fd));
+	goto loser;
+    }
+    *pKeyLen = (bestRealKeySize + 7) >> 3;
+    return bestCypher;
+
+  loser:
+    return -1;
+}
+
+static SECStatus
+ssl2_ClientHandleServerCert(sslSocket *ss, PRUint8 *certData, int certLen)
+{
+    CERTCertificate *cert      = NULL;
+    SECItem          certItem;
+
+    certItem.data = certData;
+    certItem.len  = certLen;
+
+    /* decode the certificate */
+    cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
+				   PR_FALSE, PR_TRUE);
+    
+    if (cert == NULL) {
+	SSL_DBG(("%d: SSL[%d]: decode of server certificate fails",
+		 SSL_GETPID(), ss->fd));
+	PORT_SetError(SSL_ERROR_BAD_CERTIFICATE);
+	return SECFailure;
+    }
+
+#ifdef TRACE
+    {
+	if (ssl_trace >= 1) {
+	    char *issuer;
+	    char *subject;
+	    issuer = CERT_NameToAscii(&cert->issuer);
+	    subject = CERT_NameToAscii(&cert->subject);
+	    SSL_TRC(1,("%d: server certificate issuer: '%s'",
+		       SSL_GETPID(), issuer ? issuer : "OOPS"));
+	    SSL_TRC(1,("%d: server name: '%s'",
+		       SSL_GETPID(), subject ? subject : "OOPS"));
+	    PORT_Free(issuer);
+	    PORT_Free(subject);
+	}
+    }
+#endif
+
+    ss->sec.peerCert = cert;
+    return SECSuccess;
+}
+
+
+/*
+ * Format one block of data for public/private key encryption using
+ * the rules defined in PKCS #1. SSL2 does this itself to handle the
+ * rollback detection.
+ */
+#define RSA_BLOCK_MIN_PAD_LEN           8
+#define RSA_BLOCK_FIRST_OCTET           0x00
+#define RSA_BLOCK_AFTER_PAD_OCTET       0x00
+#define RSA_BLOCK_PUBLIC_OCTET       	0x02
+unsigned char *
+ssl_FormatSSL2Block(unsigned modulusLen, SECItem *data)
+{
+    unsigned char *block;
+    unsigned char *bp;
+    int padLen;
+    SECStatus rv;
+    int i;
+
+    PORT_Assert (data->len <= (modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN)));
+    block = (unsigned char *) PORT_Alloc(modulusLen);
+    if (block == NULL)
+	return NULL;
+
+    bp = block;
+
+    /*
+     * All RSA blocks start with two octets:
+     *	0x00 || BlockType
+     */
+    *bp++ = RSA_BLOCK_FIRST_OCTET;
+    *bp++ = RSA_BLOCK_PUBLIC_OCTET;
+
+    /*
+     * 0x00 || BT || Pad || 0x00 || ActualData
+     *   1      1   padLen    1      data->len
+     * Pad is all non-zero random bytes.
+     */
+    padLen = modulusLen - data->len - 3;
+    PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
+    rv = PK11_GenerateRandom(bp, padLen);
+    if (rv == SECFailure) goto loser;
+    /* replace all the 'zero' bytes */
+    for (i = 0; i < padLen; i++) {
+	while (bp[i] == RSA_BLOCK_AFTER_PAD_OCTET) {
+    	    rv = PK11_GenerateRandom(bp+i, 1);
+	    if (rv == SECFailure) goto loser;
+	}
+    }
+    bp += padLen;
+    *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
+    PORT_Memcpy (bp, data->data, data->len);
+
+    return block;
+loser:
+    if (block) PORT_Free(block);
+    return NULL;
+}
+
+/*
+** Given the server's public key and cipher specs, generate a session key
+** that is ready to use for encrypting/decrypting the byte stream. At
+** the same time, generate the SSL_MT_CLIENT_MASTER_KEY message and
+** send it to the server.
+**
+** Called from ssl2_HandleServerHelloMessage()
+*/
+static SECStatus
+ssl2_ClientSetupSessionCypher(sslSocket *ss, PRUint8 *cs, int csLen)
+{
+    sslSessionID *    sid;
+    PRUint8 *         ca;	/* points to iv data, or NULL if none. */
+    PRUint8 *         ekbuf 		= 0;
+    CERTCertificate * cert 		= 0;
+    SECKEYPublicKey * serverKey 	= 0;
+    unsigned          modulusLen 	= 0;
+    SECStatus         rv;
+    int               cipher;
+    int               keyLen;	/* cipher symkey size in bytes. */
+    int               ckLen;	/* publicly reveal this many bytes of key. */
+    int               caLen;	/* length of IV data at *ca.	*/
+    int               nc;
+
+    unsigned char *eblock;	/* holds unencrypted PKCS#1 formatted key. */
+    SECItem           rek;	/* holds portion of symkey to be encrypted. */
+
+    PRUint8           keyData[SSL_MAX_MASTER_KEY_BYTES];
+    PRUint8           iv     [8];
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+
+    eblock = NULL;
+
+    sid = ss->sec.ci.sid;
+    PORT_Assert(sid != 0);
+
+    cert = ss->sec.peerCert;
+    
+    serverKey = CERT_ExtractPublicKey(cert);
+    if (!serverKey) {
+	SSL_DBG(("%d: SSL[%d]: extract public key failed: error=%d",
+		 SSL_GETPID(), ss->fd, PORT_GetError()));
+	PORT_SetError(SSL_ERROR_BAD_CERTIFICATE);
+	rv = SECFailure;
+	goto loser2;
+    }
+
+    ss->sec.authAlgorithm = ssl_sign_rsa;
+    ss->sec.keaType       = ssl_kea_rsa;
+    ss->sec.keaKeyBits    = \
+    ss->sec.authKeyBits   = SECKEY_PublicKeyStrength(serverKey) * BPB;
+
+    /* Choose a compatible cipher with the server */
+    nc = csLen / 3;
+    cipher = ssl2_ChooseSessionCypher(ss, nc, cs, &keyLen);
+    if (cipher < 0) {
+	/* ssl2_ChooseSessionCypher has set error code. */
+	ssl2_SendErrorMessage(ss, SSL_PE_NO_CYPHERS);
+	goto loser;
+    }
+
+    /* Generate the random keys */
+    PK11_GenerateRandom(keyData, sizeof(keyData));
+
+    /*
+    ** Next, carve up the keys into clear and encrypted portions. The
+    ** clear data is taken from the start of keyData and the encrypted
+    ** portion from the remainder. Note that each of these portions is
+    ** carved in half, one half for the read-key and one for the
+    ** write-key.
+    */
+    ca = 0;
+
+    /* We know that cipher is a legit value here, because 
+     * ssl2_ChooseSessionCypher doesn't return bogus values.
+     */
+    ckLen = ssl_Specs[cipher].pubLen;	/* cleartext key length. */
+    caLen = ssl_Specs[cipher].ivLen;	/* IV length.		*/
+    if (caLen) {
+	PORT_Assert(sizeof iv >= caLen);
+    	PK11_GenerateRandom(iv, caLen);
+	ca = iv;
+    }
+
+    /* Fill in session-id */
+    rv = ssl2_FillInSID(sid, cipher, keyData, keyLen,
+		   ca, caLen, keyLen << 3, (keyLen - ckLen) << 3,
+		   ss->sec.authAlgorithm, ss->sec.authKeyBits,
+		   ss->sec.keaType,       ss->sec.keaKeyBits);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    SSL_TRC(1, ("%d: SSL[%d]: client, using %s cipher, clear=%d total=%d",
+		SSL_GETPID(), ss->fd, ssl_cipherName[cipher],
+		ckLen<<3, keyLen<<3));
+
+    /* Now setup read and write ciphers */
+    rv = ssl2_CreateSessionCypher(ss, sid, PR_TRUE);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    /*
+    ** Fill in the encryption buffer with some random bytes. Then 
+    ** copy in the portion of the session key we are encrypting.
+    */
+    modulusLen = SECKEY_PublicKeyStrength(serverKey);
+    rek.data   = keyData + ckLen;
+    rek.len    = keyLen  - ckLen;
+    eblock = ssl_FormatSSL2Block(modulusLen, &rek);
+    if (eblock == NULL) 
+    	goto loser;
+
+    /* Set up the padding for version 2 rollback detection. */
+    /* XXX We should really use defines here */
+    if (ss->enableSSL3 || ss->enableTLS) {
+	PORT_Assert((modulusLen - rek.len) > 12);
+	PORT_Memset(eblock + modulusLen - rek.len - 8 - 1, 0x03, 8);
+    }
+    ekbuf = (PRUint8*) PORT_Alloc(modulusLen);
+    if (!ekbuf) 
+	goto loser;
+    PRINT_BUF(10, (ss, "master key encryption block:",
+		   eblock, modulusLen));
+
+    /* Encrypt ekitem */
+    rv = PK11_PubEncryptRaw(serverKey, ekbuf, eblock, modulusLen,
+						ss->pkcs11PinArg);
+    if (rv) 
+    	goto loser;
+
+    /*  Now we have everything ready to send */
+    rv = ssl2_SendSessionKeyMessage(ss, cipher, keyLen << 3, ca, caLen,
+			       keyData, ckLen, ekbuf, modulusLen);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    rv = SECSuccess;
+    goto done;
+
+  loser:
+    rv = SECFailure;
+
+  loser2:
+  done:
+    PORT_Memset(keyData, 0, sizeof(keyData));
+    PORT_ZFree(ekbuf, modulusLen);
+    PORT_ZFree(eblock, modulusLen);
+    SECKEY_DestroyPublicKey(serverKey);
+    return rv;
+}
+
+/************************************************************************/
+
+/* 
+ * Called from ssl2_HandleMessage in response to SSL_MT_SERVER_FINISHED message.
+ * Caller holds recvBufLock and handshakeLock
+ */
+static void
+ssl2_ClientRegSessionID(sslSocket *ss, PRUint8 *s)
+{
+    sslSessionID *sid = ss->sec.ci.sid;
+
+    /* Record entry in nonce cache */
+    if (sid->peerCert == NULL) {
+	PORT_Memcpy(sid->u.ssl2.sessionID, s, sizeof(sid->u.ssl2.sessionID));
+	sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
+
+    }
+    if (!ss->noCache)
+	(*ss->sec.cache)(sid);
+}
+
+/* Called from ssl2_HandleMessage() */
+static SECStatus
+ssl2_TriggerNextMessage(sslSocket *ss)
+{
+    SECStatus        rv;
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+
+    if ((ss->sec.ci.requiredElements & CIS_HAVE_CERTIFICATE) &&
+	!(ss->sec.ci.sentElements & CIS_HAVE_CERTIFICATE)) {
+	ss->sec.ci.sentElements |= CIS_HAVE_CERTIFICATE;
+	rv = ssl2_SendCertificateRequestMessage(ss);
+	return rv;
+    }
+    return SECSuccess;
+}
+
+/* See if it's time to send our finished message, or if the handshakes are
+** complete.  Send finished message if appropriate.
+** Returns SECSuccess unless anything goes wrong.
+**
+** Called from ssl2_HandleMessage,
+**             ssl2_HandleVerifyMessage 
+**             ssl2_HandleServerHelloMessage
+**             ssl2_HandleClientSessionKeyMessage
+**             ssl2_RestartHandshakeAfterCertReq
+**             ssl2_RestartHandshakeAfterServerCert
+*/
+static SECStatus
+ssl2_TryToFinish(sslSocket *ss)
+{
+    SECStatus        rv;
+    char             e, ef;
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+
+    e = ss->sec.ci.elements;
+    ef = e | CIS_HAVE_FINISHED;
+    if ((ef & ss->sec.ci.requiredElements) == ss->sec.ci.requiredElements) {
+	if (ss->sec.isServer) {
+	    /* Send server finished message if we already didn't */
+	    rv = ssl2_SendServerFinishedMessage(ss);
+	} else {
+	    /* Send client finished message if we already didn't */
+	    rv = ssl2_SendClientFinishedMessage(ss);
+	}
+	if (rv != SECSuccess) {
+	    return rv;
+	}
+	if ((e & ss->sec.ci.requiredElements) == ss->sec.ci.requiredElements) {
+	    /* Totally finished */
+	    ss->handshake = 0;
+	    return SECSuccess;
+	}
+    }
+    return SECSuccess;
+}
+
+/*
+** Called from ssl2_HandleRequestCertificate
+**             ssl2_RestartHandshakeAfterCertReq
+*/
+static SECStatus
+ssl2_SignResponse(sslSocket *ss,
+	     SECKEYPrivateKey *key,
+	     SECItem *response)
+{
+    SGNContext *     sgn = NULL;
+    PRUint8 *        challenge;
+    unsigned int     len;
+    SECStatus        rv		= SECFailure;
+    
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+
+    challenge = ss->sec.ci.serverChallenge;
+    len = ss->sec.ci.serverChallengeLen;
+    
+    /* Sign the expected data... */
+    sgn = SGN_NewContext(SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,key);
+    if (!sgn) 
+    	goto done;
+    rv = SGN_Begin(sgn);
+    if (rv != SECSuccess) 
+    	goto done;
+    rv = SGN_Update(sgn, ss->sec.ci.readKey, ss->sec.ci.keySize);
+    if (rv != SECSuccess) 
+    	goto done;
+    rv = SGN_Update(sgn, ss->sec.ci.writeKey, ss->sec.ci.keySize);
+    if (rv != SECSuccess) 
+    	goto done;
+    rv = SGN_Update(sgn, challenge, len);
+    if (rv != SECSuccess) 
+    	goto done;
+    rv = SGN_Update(sgn, ss->sec.peerCert->derCert.data, 
+                         ss->sec.peerCert->derCert.len);
+    if (rv != SECSuccess) 
+    	goto done;
+    rv = SGN_End(sgn, response);
+    if (rv != SECSuccess) 
+    	goto done;
+
+done:
+    SGN_DestroyContext(sgn, PR_TRUE);
+    return rv == SECSuccess ? SECSuccess : SECFailure;
+}
+
+/*
+** Try to handle a request-certificate message. Get client's certificate
+** and private key and sign a message for the server to see.
+** Caller must hold handshakeLock 
+**
+** Called from ssl2_HandleMessage().
+*/
+static int
+ssl2_HandleRequestCertificate(sslSocket *ss)
+{
+    CERTCertificate * cert	= NULL;	/* app-selected client cert. */
+    SECKEYPrivateKey *key	= NULL;	/* priv key for cert. */
+    SECStatus         rv;
+    SECItem           response;
+    int               ret	= 0;
+    PRUint8           authType;
+
+
+    /*
+     * These things all need to be initialized before we can "goto loser".
+     */
+    response.data = NULL;
+
+    /* get challenge info from connectionInfo */
+    authType = ss->sec.ci.authType;
+
+    if (authType != SSL_AT_MD5_WITH_RSA_ENCRYPTION) {
+	SSL_TRC(7, ("%d: SSL[%d]: unsupported auth type 0x%x", SSL_GETPID(),
+		    ss->fd, authType));
+	goto no_cert_error;
+    }
+
+    /* Get certificate and private-key from client */
+    if (!ss->getClientAuthData) {
+	SSL_TRC(7, ("%d: SSL[%d]: client doesn't support client-auth",
+		    SSL_GETPID(), ss->fd));
+	goto no_cert_error;
+    }
+    ret = (*ss->getClientAuthData)(ss->getClientAuthDataArg, ss->fd,
+				   NULL, &cert, &key);
+    if ( ret == SECWouldBlock ) {
+	ssl_SetAlwaysBlock(ss);
+	goto done;
+    }
+
+    if (ret) {
+	goto no_cert_error;
+    }
+
+    rv = ssl2_SignResponse(ss, key, &response);
+    if ( rv != SECSuccess ) {
+	ret = -1;
+	goto loser;
+    }
+
+    /* Send response message */
+    ret = ssl2_SendCertificateResponseMessage(ss, &cert->derCert, &response);
+
+    /* Now, remember the cert we sent. But first, forget any previous one. */
+    if (ss->sec.localCert) {
+	CERT_DestroyCertificate(ss->sec.localCert);
+    }
+    ss->sec.localCert = CERT_DupCertificate(cert);
+    PORT_Assert(!ss->sec.ci.sid->localCert);
+    if (ss->sec.ci.sid->localCert) {
+	CERT_DestroyCertificate(ss->sec.ci.sid->localCert);
+    }
+    ss->sec.ci.sid->localCert = cert;
+    cert = NULL;
+
+    goto done;
+
+  no_cert_error:
+    SSL_TRC(7, ("%d: SSL[%d]: no certificate (ret=%d)", SSL_GETPID(),
+		ss->fd, ret));
+    ret = ssl2_SendErrorMessage(ss, SSL_PE_NO_CERTIFICATE);
+
+  loser:
+  done:
+    if ( cert ) {
+	CERT_DestroyCertificate(cert);
+    }
+    if ( key ) {
+	SECKEY_DestroyPrivateKey(key);
+    }
+    if ( response.data ) {
+	PORT_Free(response.data);
+    }
+    
+    return ret;
+}
+
+/*
+** Called from ssl2_HandleMessage for SSL_MT_CLIENT_CERTIFICATE message.
+** Caller must hold HandshakeLock and RecvBufLock, since cd and response
+** are contained in the gathered input data.
+*/
+static SECStatus
+ssl2_HandleClientCertificate(sslSocket *    ss, 
+                             PRUint8        certType,	/* XXX unused */
+			     PRUint8 *      cd, 
+			     unsigned int   cdLen,
+			     PRUint8 *      response,
+			     unsigned int   responseLen)
+{
+    CERTCertificate *cert	= NULL;
+    SECKEYPublicKey *pubKey	= NULL;
+    VFYContext *     vfy	= NULL;
+    SECItem *        derCert;
+    SECStatus        rv		= SECFailure;
+    SECItem          certItem;
+    SECItem          rep;
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+    PORT_Assert( ssl_HaveRecvBufLock(ss)   );
+
+    /* Extract the certificate */
+    certItem.data = cd;
+    certItem.len  = cdLen;
+
+    cert = CERT_NewTempCertificate(ss->dbHandle, &certItem, NULL,
+			 	   PR_FALSE, PR_TRUE);
+    if (cert == NULL) {
+	goto loser;
+    }
+
+    /* save the certificate, since the auth routine will need it */
+    ss->sec.peerCert = cert;
+
+    /* Extract the public key */
+    pubKey = CERT_ExtractPublicKey(cert);
+    if (!pubKey) 
+    	goto loser;
+    
+    /* Verify the response data... */
+    rep.data = response;
+    rep.len = responseLen;
+    /* SSL 2.0 only supports RSA certs, so we don't have to worry about
+     * DSA here. */
+    vfy = VFY_CreateContext(pubKey, &rep, SEC_OID_PKCS1_RSA_ENCRYPTION,
+			    ss->pkcs11PinArg);
+    if (!vfy) 
+    	goto loser;
+    rv = VFY_Begin(vfy);
+    if (rv) 
+    	goto loser;
+
+    rv = VFY_Update(vfy, ss->sec.ci.readKey, ss->sec.ci.keySize);
+    if (rv) 
+    	goto loser;
+    rv = VFY_Update(vfy, ss->sec.ci.writeKey, ss->sec.ci.keySize);
+    if (rv) 
+    	goto loser;
+    rv = VFY_Update(vfy, ss->sec.ci.serverChallenge, SSL_CHALLENGE_BYTES);
+    if (rv) 
+    	goto loser;
+
+    derCert = &ss->serverCerts[kt_rsa].serverCert->derCert;
+    rv = VFY_Update(vfy, derCert->data, derCert->len);
+    if (rv) 
+    	goto loser;
+    rv = VFY_End(vfy);
+    if (rv) 
+    	goto loser;
+
+    /* Now ask the server application if it likes the certificate... */
+    rv = (SECStatus) (*ss->authCertificate)(ss->authCertificateArg,
+					    ss->fd, PR_TRUE, PR_TRUE);
+    /* Hey, it liked it. */
+    if (SECSuccess == rv) 
+	goto done;
+
+loser:
+    ss->sec.peerCert = NULL;
+    CERT_DestroyCertificate(cert);
+
+done:
+    VFY_DestroyContext(vfy, PR_TRUE);
+    SECKEY_DestroyPublicKey(pubKey);
+    return rv;
+}
+
+/*
+** Handle remaining messages between client/server. Process finished
+** messages from either side and any authentication requests.
+** This should only be called for SSLv2 handshake messages, 
+** not for application data records.
+** Caller must hold handshake lock.
+**
+** Called from ssl_Do1stHandshake().
+** 
+*/
+static SECStatus
+ssl2_HandleMessage(sslSocket *ss)
+{
+    PRUint8 *        data;
+    PRUint8 *        cid;
+    unsigned         len, certType, certLen, responseLen;
+    int              rv;
+    int              rv2;
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+
+    ssl_GetRecvBufLock(ss);
+
+    data = ss->gs.buf.buf + ss->gs.recordOffset;
+
+    if (ss->gs.recordLen < 1) {
+	goto bad_peer;
+    }
+    SSL_TRC(3, ("%d: SSL[%d]: received %d message",
+		SSL_GETPID(), ss->fd, data[0]));
+    DUMP_MSG(29, (ss, data, ss->gs.recordLen));
+
+    switch (data[0]) {
+    case SSL_MT_CLIENT_FINISHED:
+	if (ss->sec.ci.elements & CIS_HAVE_FINISHED) {
+	    SSL_DBG(("%d: SSL[%d]: dup client-finished message",
+		     SSL_GETPID(), ss->fd));
+	    goto bad_peer;
+	}
+
+	/* See if nonce matches */
+	len = ss->gs.recordLen - 1;
+	cid = data + 1;
+	if ((len != sizeof(ss->sec.ci.connectionID)) ||
+	    (PORT_Memcmp(ss->sec.ci.connectionID, cid, len) != 0)) {
+	    SSL_DBG(("%d: SSL[%d]: bad connection-id", SSL_GETPID(), ss->fd));
+	    PRINT_BUF(5, (ss, "sent connection-id",
+			  ss->sec.ci.connectionID, 
+			  sizeof(ss->sec.ci.connectionID)));
+	    PRINT_BUF(5, (ss, "rcvd connection-id", cid, len));
+	    goto bad_peer;
+	}
+
+	SSL_TRC(5, ("%d: SSL[%d]: got client finished, waiting for 0x%d",
+		    SSL_GETPID(), ss->fd, 
+		    ss->sec.ci.requiredElements ^ ss->sec.ci.elements));
+	ss->sec.ci.elements |= CIS_HAVE_FINISHED;
+	break;
+
+    case SSL_MT_SERVER_FINISHED:
+	if (ss->sec.ci.elements & CIS_HAVE_FINISHED) {
+	    SSL_DBG(("%d: SSL[%d]: dup server-finished message",
+		     SSL_GETPID(), ss->fd));
+	    goto bad_peer;
+	}
+
+	if (ss->gs.recordLen - 1 != SSL2_SESSIONID_BYTES) {
+	    SSL_DBG(("%d: SSL[%d]: bad server-finished message, len=%d",
+		     SSL_GETPID(), ss->fd, ss->gs.recordLen));
+	    goto bad_peer;
+	}
+	ssl2_ClientRegSessionID(ss, data+1);
+	SSL_TRC(5, ("%d: SSL[%d]: got server finished, waiting for 0x%d",
+		    SSL_GETPID(), ss->fd, 
+		    ss->sec.ci.requiredElements ^ ss->sec.ci.elements));
+	ss->sec.ci.elements |= CIS_HAVE_FINISHED;
+	break;
+
+    case SSL_MT_REQUEST_CERTIFICATE:
+	len = ss->gs.recordLen - 2;
+	if ((len != SSL_MIN_CHALLENGE_BYTES) ||
+	    (len > SSL_MAX_CHALLENGE_BYTES)) {
+	    /* Bad challenge */
+	    SSL_DBG(("%d: SSL[%d]: bad cert request message: code len=%d",
+		     SSL_GETPID(), ss->fd, len));
+	    goto bad_peer;
+	}
+	
+	/* save auth request info */
+	ss->sec.ci.authType           = data[1];
+	ss->sec.ci.serverChallengeLen = len;
+	PORT_Memcpy(ss->sec.ci.serverChallenge, data + 2, len);
+	
+	rv = ssl2_HandleRequestCertificate(ss);
+	if (rv == SECWouldBlock) {
+	    SSL_TRC(3, ("%d: SSL[%d]: async cert request",
+			SSL_GETPID(), ss->fd));
+	    /* someone is handling this asynchronously */
+	    ssl_ReleaseRecvBufLock(ss);
+	    return SECWouldBlock;
+	}
+	if (rv) {
+	    SET_ERROR_CODE
+	    goto loser;
+	}
+	break;
+
+    case SSL_MT_CLIENT_CERTIFICATE:
+	if (!ss->authCertificate) {
+	    /* Server asked for authentication and can't handle it */
+	    PORT_SetError(SSL_ERROR_BAD_SERVER);
+	    goto loser;
+	}
+	if (ss->gs.recordLen < SSL_HL_CLIENT_CERTIFICATE_HBYTES) {
+	    SET_ERROR_CODE
+	    goto loser;
+	}
+	certType    = data[1];
+	certLen     = (data[2] << 8) | data[3];
+	responseLen = (data[4] << 8) | data[5];
+	if (certType != SSL_CT_X509_CERTIFICATE) {
+	    PORT_SetError(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
+	    goto loser;
+	}
+	rv = ssl2_HandleClientCertificate(ss, data[1],
+		data + SSL_HL_CLIENT_CERTIFICATE_HBYTES,
+		certLen,
+		data + SSL_HL_CLIENT_CERTIFICATE_HBYTES + certLen,
+		responseLen);
+	if (rv) {
+	    rv2 = ssl2_SendErrorMessage(ss, SSL_PE_BAD_CERTIFICATE);
+	    SET_ERROR_CODE
+	    goto loser;
+	}
+	ss->sec.ci.elements |= CIS_HAVE_CERTIFICATE;
+	break;
+
+    case SSL_MT_ERROR:
+	rv = (data[1] << 8) | data[2];
+	SSL_TRC(2, ("%d: SSL[%d]: got error message, error=0x%x",
+		    SSL_GETPID(), ss->fd, rv));
+
+	/* Convert protocol error number into API error number */
+	switch (rv) {
+	  case SSL_PE_NO_CYPHERS:
+	    rv = SSL_ERROR_NO_CYPHER_OVERLAP;
+	    break;
+	  case SSL_PE_NO_CERTIFICATE:
+	    rv = SSL_ERROR_NO_CERTIFICATE;
+	    break;
+	  case SSL_PE_BAD_CERTIFICATE:
+	    rv = SSL_ERROR_BAD_CERTIFICATE;
+	    break;
+	  case SSL_PE_UNSUPPORTED_CERTIFICATE_TYPE:
+	    rv = SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE;
+	    break;
+	  default:
+	    goto bad_peer;
+	}
+	/* XXX make certificate-request optionally fail... */
+	PORT_SetError(rv);
+	goto loser;
+
+    default:
+	SSL_DBG(("%d: SSL[%d]: unknown message %d",
+		 SSL_GETPID(), ss->fd, data[0]));
+	goto loser;
+    }
+
+    SSL_TRC(3, ("%d: SSL[%d]: handled %d message, required=0x%x got=0x%x",
+		SSL_GETPID(), ss->fd, data[0],
+		ss->sec.ci.requiredElements, ss->sec.ci.elements));
+
+    rv = ssl2_TryToFinish(ss);
+    if (rv != SECSuccess) 
+	goto loser;
+
+    ss->gs.recordLen = 0;
+    ssl_ReleaseRecvBufLock(ss);
+
+    if (ss->handshake == 0) {
+	return SECSuccess;
+    }
+
+    ss->handshake     = ssl_GatherRecord1stHandshake;
+    ss->nextHandshake = ssl2_HandleMessage;
+    return ssl2_TriggerNextMessage(ss);
+
+  bad_peer:
+    PORT_SetError(ss->sec.isServer ? SSL_ERROR_BAD_CLIENT : SSL_ERROR_BAD_SERVER);
+    /* FALL THROUGH */
+
+  loser:
+    ssl_ReleaseRecvBufLock(ss);
+    return SECFailure;
+}
+
+/************************************************************************/
+
+/* Called from ssl_Do1stHandshake, after ssl2_HandleServerHelloMessage or 
+** ssl2_RestartHandshakeAfterServerCert.
+*/
+static SECStatus
+ssl2_HandleVerifyMessage(sslSocket *ss)
+{
+    PRUint8 *        data;
+    SECStatus        rv;
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+    ssl_GetRecvBufLock(ss);
+
+    data = ss->gs.buf.buf + ss->gs.recordOffset;
+    DUMP_MSG(29, (ss, data, ss->gs.recordLen));
+    if ((ss->gs.recordLen != 1 + SSL_CHALLENGE_BYTES) ||
+	(data[0] != SSL_MT_SERVER_VERIFY) ||
+	PORT_Memcmp(data+1, ss->sec.ci.clientChallenge, SSL_CHALLENGE_BYTES)) {
+	/* Bad server */
+	PORT_SetError(SSL_ERROR_BAD_SERVER);
+	goto loser;
+    }
+    ss->sec.ci.elements |= CIS_HAVE_VERIFY;
+
+    SSL_TRC(5, ("%d: SSL[%d]: got server-verify, required=0x%d got=0x%x",
+		SSL_GETPID(), ss->fd, ss->sec.ci.requiredElements,
+		ss->sec.ci.elements));
+
+    rv = ssl2_TryToFinish(ss);
+    if (rv) 
+	goto loser;
+
+    ss->gs.recordLen = 0;
+    ssl_ReleaseRecvBufLock(ss);
+
+    if (ss->handshake == 0) {
+	return SECSuccess;
+    }
+    ss->handshake         = ssl_GatherRecord1stHandshake;
+    ss->nextHandshake     = ssl2_HandleMessage;
+    return SECSuccess;
+
+
+  loser:
+    ssl_ReleaseRecvBufLock(ss);
+    return SECFailure;
+}
+
+/* Not static because ssl2_GatherData() tests ss->nextHandshake for this value.
+ * ICK! 
+ * Called from ssl_Do1stHandshake after ssl2_BeginClientHandshake()
+ */
+SECStatus
+ssl2_HandleServerHelloMessage(sslSocket *ss)
+{
+    sslSessionID *   sid;
+    PRUint8 *        cert;
+    PRUint8 *        cs;
+    PRUint8 *        data;
+    SECStatus        rv; 
+    int              needed, sidHit, certLen, csLen, cidLen, certType, err;
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+
+    if (!ss->enableSSL2) {
+	PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+	return SECFailure;
+    }
+
+    ssl_GetRecvBufLock(ss);
+
+    PORT_Assert(ss->sec.ci.sid != 0);
+    sid = ss->sec.ci.sid;
+
+    data = ss->gs.buf.buf + ss->gs.recordOffset;
+    DUMP_MSG(29, (ss, data, ss->gs.recordLen));
+
+    /* Make sure first message has some data and is the server hello message */
+    if ((ss->gs.recordLen < SSL_HL_SERVER_HELLO_HBYTES)
+	|| (data[0] != SSL_MT_SERVER_HELLO)) {
+	if ((data[0] == SSL_MT_ERROR) && (ss->gs.recordLen == 3)) {
+	    err = (data[1] << 8) | data[2];
+	    if (err == SSL_PE_NO_CYPHERS) {
+		PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+		goto loser;
+	    }
+	}
+	goto bad_server;
+    }
+
+    sidHit      = data[1];
+    certType    = data[2];
+    ss->version = (data[3] << 8) | data[4];
+    certLen     = (data[5] << 8) | data[6];
+    csLen       = (data[7] << 8) | data[8];
+    cidLen      = (data[9] << 8) | data[10];
+    cert        = data + SSL_HL_SERVER_HELLO_HBYTES;
+    cs          = cert + certLen;
+
+    SSL_TRC(5,
+	    ("%d: SSL[%d]: server-hello, hit=%d vers=%x certLen=%d csLen=%d cidLen=%d",
+	     SSL_GETPID(), ss->fd, sidHit, ss->version, certLen,
+	     csLen, cidLen));
+    if (ss->version != SSL_LIBRARY_VERSION_2) {
+        if (ss->version < SSL_LIBRARY_VERSION_2) {
+	  SSL_TRC(3, ("%d: SSL[%d]: demoting self (%x) to server version (%x)",
+		      SSL_GETPID(), ss->fd, SSL_LIBRARY_VERSION_2,
+		      ss->version));
+	} else {
+	  SSL_TRC(1, ("%d: SSL[%d]: server version is %x (we are %x)",
+		    SSL_GETPID(), ss->fd, ss->version, SSL_LIBRARY_VERSION_2));
+	  /* server claims to be newer but does not follow protocol */
+	  PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
+	  goto loser;
+	}
+    }
+
+    /* Save connection-id for later */
+    PORT_Memcpy(ss->sec.ci.connectionID, cs + csLen, 
+                sizeof(ss->sec.ci.connectionID));
+
+    /* See if session-id hit */
+    needed = CIS_HAVE_MASTER_KEY | CIS_HAVE_FINISHED | CIS_HAVE_VERIFY;
+    if (sidHit) {
+	if (certLen || csLen) {
+	    /* Uh oh - bogus server */
+	    SSL_DBG(("%d: SSL[%d]: client, huh? hit=%d certLen=%d csLen=%d",
+		     SSL_GETPID(), ss->fd, sidHit, certLen, csLen));
+	    goto bad_server;
+	}
+
+	/* Total winner. */
+	SSL_TRC(1, ("%d: SSL[%d]: client, using nonce for peer=0x%08x "
+		    "port=0x%04x",
+		    SSL_GETPID(), ss->fd, ss->sec.ci.peer, ss->sec.ci.port));
+	ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
+        ss->sec.authAlgorithm = sid->authAlgorithm;
+	ss->sec.authKeyBits   = sid->authKeyBits;
+	ss->sec.keaType       = sid->keaType;
+	ss->sec.keaKeyBits    = sid->keaKeyBits;
+	rv = ssl2_CreateSessionCypher(ss, sid, PR_TRUE);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    } else {
+	if (certType != SSL_CT_X509_CERTIFICATE) {
+	    PORT_SetError(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
+	    goto loser;
+	}
+	if (csLen == 0) {
+	    PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+	    SSL_DBG(("%d: SSL[%d]: no cipher overlap",
+		     SSL_GETPID(), ss->fd));
+	    goto loser;
+	}
+	if (certLen == 0) {
+	    SSL_DBG(("%d: SSL[%d]: client, huh? certLen=%d csLen=%d",
+		     SSL_GETPID(), ss->fd, certLen, csLen));
+	    goto bad_server;
+	}
+
+	if (sid->cached != never_cached) {
+	    /* Forget our session-id - server didn't like it */
+	    SSL_TRC(7, ("%d: SSL[%d]: server forgot me, uncaching session-id",
+			SSL_GETPID(), ss->fd));
+	    (*ss->sec.uncache)(sid);
+	    ssl_FreeSID(sid);
+	    ss->sec.ci.sid = sid = (sslSessionID*) PORT_ZAlloc(sizeof(sslSessionID));
+	    if (!sid) {
+		goto loser;
+	    }
+	    sid->references = 1;
+	    sid->addr = ss->sec.ci.peer;
+	    sid->port = ss->sec.ci.port;
+	}
+
+	/* decode the server's certificate */
+	rv = ssl2_ClientHandleServerCert(ss, cert, certLen);
+	if (rv != SECSuccess) {
+	    if (PORT_GetError() == SSL_ERROR_BAD_CERTIFICATE) {
+		(void) ssl2_SendErrorMessage(ss, SSL_PE_BAD_CERTIFICATE);
+	    }
+	    goto loser;
+	}
+
+	/* Setup new session cipher */
+	rv = ssl2_ClientSetupSessionCypher(ss, cs, csLen);
+	if (rv != SECSuccess) {
+	    if (PORT_GetError() == SSL_ERROR_BAD_CERTIFICATE) {
+		(void) ssl2_SendErrorMessage(ss, SSL_PE_BAD_CERTIFICATE);
+	    }
+	    goto loser;
+	}
+    }
+
+    /* Build up final list of required elements */
+    ss->sec.ci.elements         = CIS_HAVE_MASTER_KEY;
+    ss->sec.ci.requiredElements = needed;
+
+  if (!sidHit) {
+    /* verify the server's certificate. if sidHit, don't check signatures */
+    rv = (* ss->authCertificate)(ss->authCertificateArg, ss->fd, 
+				 (PRBool)(!sidHit), PR_FALSE);
+    if (rv) {
+	if (ss->handleBadCert) {
+	    rv = (*ss->handleBadCert)(ss->badCertArg, ss->fd);
+	    if ( rv ) {
+		if ( rv == SECWouldBlock ) {
+		    /* someone will handle this connection asynchronously*/
+
+		    SSL_DBG(("%d: SSL[%d]: go to async cert handler",
+			     SSL_GETPID(), ss->fd));
+		    ssl_ReleaseRecvBufLock(ss);
+		    ssl_SetAlwaysBlock(ss);
+		    return SECWouldBlock;
+		}
+		/* cert is bad */
+		SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d",
+			 SSL_GETPID(), ss->fd, PORT_GetError()));
+		goto loser;
+
+	    }
+	    /* cert is good */
+	} else {
+	    SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d",
+		     SSL_GETPID(), ss->fd, PORT_GetError()));
+	    goto loser;
+	}
+    }
+  }
+    /*
+    ** At this point we have a completed session key and our session
+    ** cipher is setup and ready to go. Switch to encrypted write routine
+    ** as all future message data is to be encrypted.
+    */
+    ssl2_UseEncryptedSendFunc(ss);
+
+    rv = ssl2_TryToFinish(ss);
+    if (rv != SECSuccess) 
+	goto loser;
+
+    ss->gs.recordLen = 0;
+
+    ssl_ReleaseRecvBufLock(ss);
+
+    if (ss->handshake == 0) {
+	return SECSuccess;
+    }
+
+    SSL_TRC(5, ("%d: SSL[%d]: got server-hello, required=0x%d got=0x%x",
+		SSL_GETPID(), ss->fd, ss->sec.ci.requiredElements, 
+		ss->sec.ci.elements));
+    ss->handshake     = ssl_GatherRecord1stHandshake;
+    ss->nextHandshake = ssl2_HandleVerifyMessage;
+    return SECSuccess;
+
+  bad_server:
+    PORT_SetError(SSL_ERROR_BAD_SERVER);
+    /* FALL THROUGH */
+
+  loser:
+    ssl_ReleaseRecvBufLock(ss);
+    return SECFailure;
+}
+
+/* Sends out the initial client Hello message on the connection.
+ * Acquires and releases the socket's xmitBufLock.
+ */
+SECStatus
+ssl2_BeginClientHandshake(sslSocket *ss)
+{
+    sslSessionID      *sid;
+    PRUint8           *msg;
+    PRUint8           *cp;
+    PRUint8           *localCipherSpecs = NULL;
+    unsigned int      localCipherSize;
+    unsigned int      i;
+    int               sendLen, sidLen = 0;
+    SECStatus         rv;
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+
+    ss->sec.isServer     = 0;
+    ss->sec.sendSequence = 0;
+    ss->sec.rcvSequence  = 0;
+    ssl_ChooseSessionIDProcs(&ss->sec);
+
+    if (!ss->cipherSpecs) {
+	rv = ssl2_ConstructCipherSpecs(ss);
+	if (rv != SECSuccess)
+	    goto loser;
+    }
+
+    /* count the SSL2 and SSL3 enabled ciphers.
+     * if either is zero, clear the socket's enable for that protocol.
+     */
+    rv = ssl2_CheckConfigSanity(ss);
+    if (rv != SECSuccess)
+	goto loser;
+
+    /* Get peer name of server */
+    rv = ssl_GetPeerInfo(ss);
+    if (rv < 0) {
+#ifdef HPUX11
+        /*
+         * On some HP-UX B.11.00 systems, getpeername() occasionally
+         * fails with ENOTCONN after a successful completion of
+         * non-blocking connect.  I found that if we do a write()
+         * and then retry getpeername(), it will work.
+         */
+        if (PR_GetError() == PR_NOT_CONNECTED_ERROR) {
+            char dummy;
+            (void) PR_Write(ss->fd->lower, &dummy, 0);
+            rv = ssl_GetPeerInfo(ss);
+            if (rv < 0) {
+                goto loser;
+            }
+        }
+#else
+	goto loser;
+#endif
+    }
+
+    SSL_TRC(3, ("%d: SSL[%d]: sending client-hello", SSL_GETPID(), ss->fd));
+
+    /* Try to find server in our session-id cache */
+    if (ss->noCache) {
+	sid = NULL;
+    } else {
+	sid = ssl_LookupSID(&ss->sec.ci.peer, ss->sec.ci.port, ss->peerID, 
+	                    ss->url);
+    }
+    while (sid) {  /* this isn't really a loop */
+	/* if we're not doing this SID's protocol any more, drop it. */
+	if (((sid->version  < SSL_LIBRARY_VERSION_3_0) && !ss->enableSSL2) ||
+	    ((sid->version == SSL_LIBRARY_VERSION_3_0) && !ss->enableSSL3) ||
+	    ((sid->version >  SSL_LIBRARY_VERSION_3_0) && !ss->enableTLS)) {
+	    ss->sec.uncache(sid);
+	    ssl_FreeSID(sid);
+	    sid = NULL;
+	    break;
+	}
+	if (ss->enableSSL2 && sid->version < SSL_LIBRARY_VERSION_3_0) {
+	    /* If the cipher in this sid is not enabled, drop it. */
+	    for (i = 0; i < ss->sizeCipherSpecs; i += 3) {
+		if (ss->cipherSpecs[i] == sid->u.ssl2.cipherType)
+		    break;
+	    }
+	    if (i >= ss->sizeCipherSpecs) {
+		ss->sec.uncache(sid);
+		ssl_FreeSID(sid);
+		sid = NULL;
+		break;
+	    }
+	}
+	sidLen = sizeof(sid->u.ssl2.sessionID);
+	PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl2.sessionID,
+		      sidLen));
+	ss->version = sid->version;
+	PORT_Assert(!ss->sec.localCert);
+	if (ss->sec.localCert) {
+	    CERT_DestroyCertificate(ss->sec.localCert);
+	}
+	ss->sec.localCert     = CERT_DupCertificate(sid->localCert);
+	break;  /* this isn't really a loop */
+    } 
+    if (!sid) {
+	sidLen = 0;
+	sid = (sslSessionID*) PORT_ZAlloc(sizeof(sslSessionID));
+	if (!sid) {
+	    goto loser;
+	}
+	sid->references = 1;
+	sid->cached     = never_cached;
+	sid->addr       = ss->sec.ci.peer;
+	sid->port       = ss->sec.ci.port;
+	if (ss->peerID != NULL) {
+	    sid->peerID = PORT_Strdup(ss->peerID);
+	}
+	if (ss->url != NULL) {
+	    sid->urlSvrName = PORT_Strdup(ss->url);
+	}
+    }
+    ss->sec.ci.sid = sid;
+
+    PORT_Assert(sid != NULL);
+
+    if ((sid->version >= SSL_LIBRARY_VERSION_3_0 || !ss->v2CompatibleHello) &&
+        (ss->enableSSL3 || ss->enableTLS)) {
+
+	ss->gs.state      = GS_INIT;
+	ss->handshake     = ssl_GatherRecord1stHandshake;
+
+	/* ssl3_SendClientHello will override this if it succeeds. */
+	ss->version       = SSL_LIBRARY_VERSION_3_0;
+
+	ssl_GetXmitBufLock(ss);    /***************************************/
+	ssl_GetSSL3HandshakeLock(ss);
+	rv =  ssl3_SendClientHello(ss);
+	ssl_ReleaseSSL3HandshakeLock(ss);
+	ssl_ReleaseXmitBufLock(ss); /***************************************/
+
+	return rv;
+    }
+   
+    if (!ss->cipherSpecs) {
+        rv = ssl2_ConstructCipherSpecs(ss);
+	if (rv < 0) {
+	    return rv;
+    	}
+    }
+    localCipherSpecs = ss->cipherSpecs;
+    localCipherSize  = ss->sizeCipherSpecs;
+
+    sendLen = SSL_HL_CLIENT_HELLO_HBYTES + localCipherSize + sidLen +
+	SSL_CHALLENGE_BYTES;
+
+    /* Generate challenge bytes for server */
+    PK11_GenerateRandom(ss->sec.ci.clientChallenge, SSL_CHALLENGE_BYTES);
+
+    ssl_GetXmitBufLock(ss);    /***************************************/
+
+    rv = ssl2_GetSendBuffer(ss, sendLen);
+    if (rv) 
+    	goto unlock_loser;
+
+    /* Construct client-hello message */
+    cp = msg = ss->sec.ci.sendBuf.buf;
+    msg[0] = SSL_MT_CLIENT_HELLO;
+    if ( ss->enableTLS ) {
+	ss->clientHelloVersion = SSL_LIBRARY_VERSION_3_1_TLS;
+    } else if ( ss->enableSSL3 ) {
+	ss->clientHelloVersion = SSL_LIBRARY_VERSION_3_0;
+    } else {
+	ss->clientHelloVersion = SSL_LIBRARY_VERSION_2;
+    }
+    
+    msg[1] = MSB(ss->clientHelloVersion);
+    msg[2] = LSB(ss->clientHelloVersion);
+    msg[3] = MSB(localCipherSize);
+    msg[4] = LSB(localCipherSize);
+    msg[5] = MSB(sidLen);
+    msg[6] = LSB(sidLen);
+    msg[7] = MSB(SSL_CHALLENGE_BYTES);
+    msg[8] = LSB(SSL_CHALLENGE_BYTES);
+    cp += SSL_HL_CLIENT_HELLO_HBYTES;
+    PORT_Memcpy(cp, localCipherSpecs, localCipherSize);
+    cp += localCipherSize;
+    if (sidLen) {
+	PORT_Memcpy(cp, sid->u.ssl2.sessionID, sidLen);
+	cp += sidLen;
+    }
+    PORT_Memcpy(cp, ss->sec.ci.clientChallenge, SSL_CHALLENGE_BYTES);
+
+    /* Send it to the server */
+    DUMP_MSG(29, (ss, msg, sendLen));
+    ss->handshakeBegun = 1;
+    rv = (*ss->sec.send)(ss, msg, sendLen, 0);
+
+    ssl_ReleaseXmitBufLock(ss);    /***************************************/
+
+    if (rv < 0) {
+	goto loser;
+    }
+
+    rv = ssl3_StartHandshakeHash(ss, msg, sendLen);
+    if (rv < 0) {
+	goto loser;
+    }
+
+    /* Setup to receive servers hello message */
+    ssl_GetRecvBufLock(ss);
+    ss->gs.recordLen = 0;
+    ssl_ReleaseRecvBufLock(ss);
+
+    ss->handshake     = ssl_GatherRecord1stHandshake;
+    ss->nextHandshake = ssl2_HandleServerHelloMessage;
+    return SECSuccess;
+
+unlock_loser:
+    ssl_ReleaseXmitBufLock(ss);
+loser:
+    return SECFailure;
+}
+
+/************************************************************************/
+
+/* Handle the CLIENT-MASTER-KEY message. 
+** Acquires and releases RecvBufLock.
+** Called from ssl2_HandleClientHelloMessage(). 
+*/
+static SECStatus
+ssl2_HandleClientSessionKeyMessage(sslSocket *ss)
+{
+    PRUint8 *        data;
+    unsigned int     caLen;
+    unsigned int     ckLen;
+    unsigned int     ekLen;
+    unsigned int     keySize;
+    int              cipher;
+    SECStatus        rv;
+
+
+    ssl_GetRecvBufLock(ss);
+
+    data = ss->gs.buf.buf + ss->gs.recordOffset;
+    DUMP_MSG(29, (ss, data, ss->gs.recordLen));
+
+    if ((ss->gs.recordLen < SSL_HL_CLIENT_MASTER_KEY_HBYTES)
+	|| (data[0] != SSL_MT_CLIENT_MASTER_KEY)) {
+	goto bad_client;
+    }
+    cipher  = data[1];
+    keySize = (data[2] << 8) | data[3];
+    ckLen   = (data[4] << 8) | data[5];
+    ekLen   = (data[6] << 8) | data[7];
+    caLen   = (data[8] << 8) | data[9];
+
+    SSL_TRC(5, ("%d: SSL[%d]: session-key, cipher=%d keySize=%d ckLen=%d ekLen=%d caLen=%d",
+		SSL_GETPID(), ss->fd, cipher, keySize, ckLen, ekLen, caLen));
+
+    if (ss->gs.recordLen < 
+    	    SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen + ekLen + caLen) {
+	SSL_DBG(("%d: SSL[%d]: protocol size mismatch dataLen=%d",
+		 SSL_GETPID(), ss->fd, ss->gs.recordLen));
+	goto bad_client;
+    }
+
+    /* Use info from client to setup session key */
+    /* XXX should validate cipher&keySize are in our array */
+    rv = ssl2_ServerSetupSessionCypher(ss, cipher, keySize,
+		data + SSL_HL_CLIENT_MASTER_KEY_HBYTES,                 ckLen,
+		data + SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen,         ekLen,
+		data + SSL_HL_CLIENT_MASTER_KEY_HBYTES + ckLen + ekLen, caLen);
+    ss->gs.recordLen = 0;	/* we're done with this record. */
+
+    ssl_ReleaseRecvBufLock(ss);
+
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+    ss->sec.ci.elements |= CIS_HAVE_MASTER_KEY;
+    ssl2_UseEncryptedSendFunc(ss);
+
+    /* Send server verify message now that keys are established */
+    rv = ssl2_SendServerVerifyMessage(ss);
+    if (rv != SECSuccess) 
+	goto loser;
+
+    rv = ssl2_TryToFinish(ss);
+    if (rv != SECSuccess) 
+	goto loser;
+    if (ss->handshake == 0) {
+	return SECSuccess;
+    }
+
+    SSL_TRC(5, ("%d: SSL[%d]: server: waiting for elements=0x%d",
+		SSL_GETPID(), ss->fd, ss->sec.ci.requiredElements ^ ss->sec.ci.elements));
+    ss->handshake         = ssl_GatherRecord1stHandshake;
+    ss->nextHandshake     = ssl2_HandleMessage;
+
+    return ssl2_TriggerNextMessage(ss);
+
+bad_client:
+    ssl_ReleaseRecvBufLock(ss);
+    PORT_SetError(SSL_ERROR_BAD_CLIENT);
+    /* FALLTHROUGH */
+
+loser:
+    return SECFailure;
+}
+
+/*
+ * attempt to restart the handshake after asynchronously handling
+ * a request for the client's certificate.
+ *
+ * inputs:  
+ *	cert	Client cert chosen by application.
+ *	key	Private key associated with cert.  
+ *
+ * XXX: need to make ssl2 and ssl3 versions of this function agree on whether
+ *	they take the reference, or bump the ref count!
+ *
+ * Return value: XXX
+ *
+ * Caller holds 1stHandshakeLock.
+ */
+int
+ssl2_RestartHandshakeAfterCertReq(sslSocket *          ss,
+				  CERTCertificate *    cert, 
+				  SECKEYPrivateKey *   key)
+{
+    int              ret;
+    SECStatus        rv          = SECSuccess;
+    SECItem          response;
+
+    if (ss->version >= SSL_LIBRARY_VERSION_3_0) 
+    	return SECFailure;
+
+    response.data = NULL;
+
+    /* generate error if no cert or key */
+    if ( ( cert == NULL ) || ( key == NULL ) ) {
+	goto no_cert;
+    }
+    
+    /* generate signed response to the challenge */
+    rv = ssl2_SignResponse(ss, key, &response);
+    if ( rv != SECSuccess ) {
+	goto no_cert;
+    }
+    
+    /* Send response message */
+    ret = ssl2_SendCertificateResponseMessage(ss, &cert->derCert, &response);
+    if (ret) {
+	goto no_cert;
+    }
+
+    /* try to finish the handshake */
+    ret = ssl2_TryToFinish(ss);
+    if (ret) {
+	goto loser;
+    }
+    
+    /* done with handshake */
+    if (ss->handshake == 0) {
+	ret = SECSuccess;
+	goto done;
+    }
+
+    /* continue handshake */
+    ssl_GetRecvBufLock(ss);
+    ss->gs.recordLen = 0;
+    ssl_ReleaseRecvBufLock(ss);
+
+    ss->handshake     = ssl_GatherRecord1stHandshake;
+    ss->nextHandshake = ssl2_HandleMessage;
+    ret = ssl2_TriggerNextMessage(ss);
+    goto done;
+    
+no_cert:
+    /* no cert - send error */
+    ret = ssl2_SendErrorMessage(ss, SSL_PE_NO_CERTIFICATE);
+    goto done;
+    
+loser:
+    ret = SECFailure;
+done:
+    /* free allocated data */
+    if ( response.data ) {
+	PORT_Free(response.data);
+    }
+    
+    return ret;
+}
+
+
+/* restart an SSL connection that we stopped to run certificate dialogs 
+** XXX	Need to document here how an application marks a cert to show that
+**	the application has accepted it (overridden CERT_VerifyCert).
+ *
+ * Return value: XXX
+ *
+ * Caller holds 1stHandshakeLock.
+*/
+int
+ssl2_RestartHandshakeAfterServerCert(sslSocket *ss)
+{
+    int rv	= SECSuccess;
+
+    if (ss->version >= SSL_LIBRARY_VERSION_3_0) 
+	return SECFailure;
+
+    /* SSL 2
+    ** At this point we have a completed session key and our session
+    ** cipher is setup and ready to go. Switch to encrypted write routine
+    ** as all future message data is to be encrypted.
+    */
+    ssl2_UseEncryptedSendFunc(ss);
+
+    rv = ssl2_TryToFinish(ss);
+    if (rv == SECSuccess && ss->handshake != NULL) {	
+	/* handshake is not yet finished. */
+
+	SSL_TRC(5, ("%d: SSL[%d]: got server-hello, required=0x%d got=0x%x",
+		SSL_GETPID(), ss->fd, ss->sec.ci.requiredElements,
+		ss->sec.ci.elements));
+
+	ssl_GetRecvBufLock(ss);
+	ss->gs.recordLen = 0;	/* mark it all used up. */
+	ssl_ReleaseRecvBufLock(ss);
+
+	ss->handshake     = ssl_GatherRecord1stHandshake;
+	ss->nextHandshake = ssl2_HandleVerifyMessage;
+    }
+
+    return rv;
+}
+
+/*
+** Handle the initial hello message from the client
+**
+** not static because ssl2_GatherData() tests ss->nextHandshake for this value.
+*/
+SECStatus
+ssl2_HandleClientHelloMessage(sslSocket *ss)
+{
+    sslSessionID    *sid;
+    sslServerCerts * sc;
+    CERTCertificate *serverCert;
+    PRUint8         *msg;
+    PRUint8         *data;
+    PRUint8         *cs;
+    PRUint8         *sd;
+    PRUint8         *cert = NULL;
+    PRUint8         *challenge;
+    unsigned int    challengeLen;
+    SECStatus       rv; 
+    int             csLen;
+    int             sendLen;
+    int             sdLen;
+    int             certLen;
+    int             pid;
+    int             sent;
+    int             gotXmitBufLock = 0;
+#if defined(SOLARIS) && defined(i386)
+    volatile PRUint8 hit;
+#else
+    int             hit;
+#endif
+    PRUint8         csImpl[sizeof implementedCipherSuites];
+
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+
+    sc = ss->serverCerts + kt_rsa;
+    serverCert = sc->serverCert;
+
+    ssl_GetRecvBufLock(ss);
+
+
+    data = ss->gs.buf.buf + ss->gs.recordOffset;
+    DUMP_MSG(29, (ss, data, ss->gs.recordLen));
+
+    /* Make sure first message has some data and is the client hello message */
+    if ((ss->gs.recordLen < SSL_HL_CLIENT_HELLO_HBYTES)
+	|| (data[0] != SSL_MT_CLIENT_HELLO)) {
+	goto bad_client;
+    }
+
+    /* Get peer name of client */
+    rv = ssl_GetPeerInfo(ss);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    /* Examine version information */
+    /*
+     * See if this might be a V2 client hello asking to use the V3 protocol
+     */
+    if ((data[0] == SSL_MT_CLIENT_HELLO) && 
+        (data[1] >= MSB(SSL_LIBRARY_VERSION_3_0)) && 
+	(ss->enableSSL3 || ss->enableTLS)) {
+	rv = ssl3_HandleV2ClientHello(ss, data, ss->gs.recordLen);
+	if (rv != SECFailure) { /* Success */
+	    ss->handshake             = NULL;
+	    ss->nextHandshake         = ssl_GatherRecord1stHandshake;
+	    ss->securityHandshake     = NULL;
+	    ss->gs.state              = GS_INIT;
+
+	    /* ssl3_HandleV3ClientHello has set ss->version,
+	    ** and has gotten us a brand new sid.  
+	    */
+	    ss->sec.ci.sid->version  = ss->version;
+	}
+	ssl_ReleaseRecvBufLock(ss);
+	return rv;
+    }
+    /* Previously, there was a test here to see if SSL2 was enabled.
+    ** If not, an error code was set, and SECFailure was returned,
+    ** without sending any error code to the other end of the connection.
+    ** That test has been removed.  If SSL2 has been disabled, there
+    ** should be no SSL2 ciphers enabled, and consequently, the code
+    ** below should send the ssl2 error message SSL_PE_NO_CYPHERS.
+    ** We now believe this is the correct thing to do, even when SSL2
+    ** has been explicitly disabled by the application.
+    */
+
+    /* Extract info from message */
+    ss->version = (data[1] << 8) | data[2];
+
+    /* If some client thinks ssl v2 is 2.0 instead of 0.2, we'll allow it.  */
+    if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
+	ss->version = SSL_LIBRARY_VERSION_2;
+    }
+    
+    csLen        = (data[3] << 8) | data[4];
+    sdLen        = (data[5] << 8) | data[6];
+    challengeLen = (data[7] << 8) | data[8];
+    cs           = data + SSL_HL_CLIENT_HELLO_HBYTES;
+    sd           = cs + csLen;
+    challenge    = sd + sdLen;
+    PRINT_BUF(7, (ss, "server, client session-id value:", sd, sdLen));
+
+    if ((unsigned)ss->gs.recordLen != 
+            SSL_HL_CLIENT_HELLO_HBYTES + csLen + sdLen + challengeLen) {
+	SSL_DBG(("%d: SSL[%d]: bad client hello message, len=%d should=%d",
+		 SSL_GETPID(), ss->fd, ss->gs.recordLen,
+		 SSL_HL_CLIENT_HELLO_HBYTES+csLen+sdLen+challengeLen));
+	goto bad_client;
+    }
+
+    SSL_TRC(3, ("%d: SSL[%d]: client version is %x",
+		SSL_GETPID(), ss->fd, ss->version));
+    if (ss->version != SSL_LIBRARY_VERSION_2) {
+	if (ss->version > SSL_LIBRARY_VERSION_2) {
+	    /*
+	    ** Newer client than us. Things are ok because new clients
+	    ** are required to be backwards compatible with old servers.
+	    ** Change version number to our version number so that client
+	    ** knows whats up.
+	    */
+	    ss->version = SSL_LIBRARY_VERSION_2;
+	} else {
+	    SSL_TRC(1, ("%d: SSL[%d]: client version is %x (we are %x)",
+		SSL_GETPID(), ss->fd, ss->version, SSL_LIBRARY_VERSION_2));
+	    PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
+	    goto loser;
+	}
+    }
+
+    /* Qualify cipher specs before returning them to client */
+    csLen = ssl2_QualifyCypherSpecs(ss, cs, csLen);
+    if (csLen == 0) {
+	/* no overlap, send client our list of supported SSL v2 ciphers. */
+        cs    = csImpl;
+	csLen = sizeof implementedCipherSuites;
+    	PORT_Memcpy(cs, implementedCipherSuites, csLen);
+	csLen = ssl2_QualifyCypherSpecs(ss, cs, csLen);
+	if (csLen == 0) {
+	  /* We don't support any SSL v2 ciphers! */
+	  ssl2_SendErrorMessage(ss, SSL_PE_NO_CYPHERS);
+	  PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+	  goto loser;
+	}
+	/* Since this handhsake is going to fail, don't cache it. */
+	ss->noCache = 1; 
+    }
+
+    /* Squirrel away the challenge for later */
+    PORT_Memcpy(ss->sec.ci.clientChallenge, challenge, challengeLen);
+
+    /* Examine message and see if session-id is good */
+    ss->sec.ci.elements = 0;
+    if (sdLen > 0 && !ss->noCache) {
+	SSL_TRC(7, ("%d: SSL[%d]: server, lookup client session-id for 0x%08x%08x%08x%08x",
+		    SSL_GETPID(), ss->fd, ss->sec.ci.peer.pr_s6_addr32[0],
+		    ss->sec.ci.peer.pr_s6_addr32[1], 
+		    ss->sec.ci.peer.pr_s6_addr32[2],
+		    ss->sec.ci.peer.pr_s6_addr32[3]));
+	sid = (*ssl_sid_lookup)(&ss->sec.ci.peer, sd, sdLen, ss->dbHandle);
+    } else {
+	sid = NULL;
+    }
+    if (sid) {
+	/* Got a good session-id. Short cut! */
+	SSL_TRC(1, ("%d: SSL[%d]: server, using session-id for 0x%08x (age=%d)",
+		    SSL_GETPID(), ss->fd, ss->sec.ci.peer, 
+		    ssl_Time() - sid->creationTime));
+	PRINT_BUF(1, (ss, "session-id value:", sd, sdLen));
+	ss->sec.ci.sid = sid;
+	ss->sec.ci.elements = CIS_HAVE_MASTER_KEY;
+	hit = 1;
+	certLen = 0;
+	csLen = 0;
+
+        ss->sec.authAlgorithm = sid->authAlgorithm;
+	ss->sec.authKeyBits   = sid->authKeyBits;
+	ss->sec.keaType       = sid->keaType;
+	ss->sec.keaKeyBits    = sid->keaKeyBits;
+
+	rv = ssl2_CreateSessionCypher(ss, sid, PR_FALSE);
+	if (rv != SECSuccess) {
+	    goto loser;
+	}
+    } else {
+	SECItem * derCert   = &serverCert->derCert;
+
+	SSL_TRC(7, ("%d: SSL[%d]: server, lookup nonce missed",
+		    SSL_GETPID(), ss->fd));
+	if (!serverCert) {
+	    SET_ERROR_CODE
+	    goto loser;
+	}
+	hit = 0;
+	sid = (sslSessionID*) PORT_ZAlloc(sizeof(sslSessionID));
+	if (!sid) {
+	    goto loser;
+	}
+	sid->references = 1;
+	sid->addr = ss->sec.ci.peer;
+	sid->port = ss->sec.ci.port;
+
+	/* Invent a session-id */
+	ss->sec.ci.sid = sid;
+	PK11_GenerateRandom(sid->u.ssl2.sessionID+2, SSL2_SESSIONID_BYTES-2);
+
+	pid = SSL_GETPID();
+	sid->u.ssl2.sessionID[0] = MSB(pid);
+	sid->u.ssl2.sessionID[1] = LSB(pid);
+	cert    = derCert->data;
+	certLen = derCert->len;
+
+	/* pretend that server sids remember the local cert. */
+	PORT_Assert(!sid->localCert);
+	if (sid->localCert) {
+	    CERT_DestroyCertificate(sid->localCert);
+	}
+	sid->localCert     = CERT_DupCertificate(serverCert);
+
+	ss->sec.authAlgorithm = ssl_sign_rsa;
+	ss->sec.keaType       = ssl_kea_rsa;
+	ss->sec.keaKeyBits    = \
+	ss->sec.authKeyBits   = ss->serverCerts[kt_rsa].serverKeyBits;
+    }
+
+    /* server sids don't remember the local cert, so whether we found
+    ** a sid or not, just "remember" we used the rsa server cert.
+    */
+    if (ss->sec.localCert) {
+	CERT_DestroyCertificate(ss->sec.localCert);
+    }
+    ss->sec.localCert     = CERT_DupCertificate(serverCert);
+
+    /* Build up final list of required elements */
+    ss->sec.ci.requiredElements = CIS_HAVE_MASTER_KEY | CIS_HAVE_FINISHED;
+    if (ss->requestCertificate) {
+	ss->sec.ci.requiredElements |= CIS_HAVE_CERTIFICATE;
+    }
+    ss->sec.ci.sentElements = 0;
+
+    /* Send hello message back to client */
+    sendLen = SSL_HL_SERVER_HELLO_HBYTES + certLen + csLen
+	    + SSL_CONNECTIONID_BYTES;
+
+    ssl_GetXmitBufLock(ss); gotXmitBufLock = 1;
+    rv = ssl2_GetSendBuffer(ss, sendLen);
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    SSL_TRC(3, ("%d: SSL[%d]: sending server-hello (%d)",
+		SSL_GETPID(), ss->fd, sendLen));
+
+    msg = ss->sec.ci.sendBuf.buf;
+    msg[0] = SSL_MT_SERVER_HELLO;
+    msg[1] = hit;
+    msg[2] = SSL_CT_X509_CERTIFICATE;
+    msg[3] = MSB(ss->version);
+    msg[4] = LSB(ss->version);
+    msg[5] = MSB(certLen);
+    msg[6] = LSB(certLen);
+    msg[7] = MSB(csLen);
+    msg[8] = LSB(csLen);
+    msg[9] = MSB(SSL_CONNECTIONID_BYTES);
+    msg[10] = LSB(SSL_CONNECTIONID_BYTES);
+    if (certLen) {
+	PORT_Memcpy(msg+SSL_HL_SERVER_HELLO_HBYTES, cert, certLen);
+    }
+    if (csLen) {
+	PORT_Memcpy(msg+SSL_HL_SERVER_HELLO_HBYTES+certLen, cs, csLen);
+    }
+    PORT_Memcpy(msg+SSL_HL_SERVER_HELLO_HBYTES+certLen+csLen, 
+                ss->sec.ci.connectionID, SSL_CONNECTIONID_BYTES);
+
+    DUMP_MSG(29, (ss, msg, sendLen));
+
+    ss->handshakeBegun = 1;
+    sent = (*ss->sec.send)(ss, msg, sendLen, 0);
+    if (sent < 0) {
+	goto loser;
+    }
+    ssl_ReleaseXmitBufLock(ss); gotXmitBufLock = 0;
+
+    ss->gs.recordLen = 0;
+    ss->handshake = ssl_GatherRecord1stHandshake;
+    if (hit) {
+	/* Old SID Session key is good. Go encrypted */
+	ssl2_UseEncryptedSendFunc(ss);
+
+	/* Send server verify message now that keys are established */
+	rv = ssl2_SendServerVerifyMessage(ss);
+	if (rv != SECSuccess) 
+	    goto loser;
+
+	ss->nextHandshake = ssl2_HandleMessage;
+	ssl_ReleaseRecvBufLock(ss);
+	rv = ssl2_TriggerNextMessage(ss);
+	return rv;
+    }
+    ss->nextHandshake = ssl2_HandleClientSessionKeyMessage;
+    ssl_ReleaseRecvBufLock(ss);
+    return SECSuccess;
+
+  bad_client:
+    PORT_SetError(SSL_ERROR_BAD_CLIENT);
+    /* FALLTHROUGH */
+
+  loser:
+    if (gotXmitBufLock) {
+    	ssl_ReleaseXmitBufLock(ss); gotXmitBufLock = 0;
+    }
+    SSL_TRC(10, ("%d: SSL[%d]: server, wait for client-hello lossage",
+		 SSL_GETPID(), ss->fd));
+    ssl_ReleaseRecvBufLock(ss);
+    return SECFailure;
+}
+
+SECStatus
+ssl2_BeginServerHandshake(sslSocket *ss)
+{
+    SECStatus        rv;
+    sslServerCerts * rsaAuth = ss->serverCerts + kt_rsa;
+
+    ss->sec.isServer = 1;
+    ssl_ChooseSessionIDProcs(&ss->sec);
+    ss->sec.sendSequence = 0;
+    ss->sec.rcvSequence = 0;
+
+    /* don't turn on SSL2 if we don't have an RSA key and cert */
+    if (!rsaAuth->serverKey || !rsaAuth->serverCert) {
+	ss->enableSSL2 = PR_FALSE;
+    }
+
+    if (!ss->cipherSpecs) {
+	rv = ssl2_ConstructCipherSpecs(ss);
+	if (rv != SECSuccess)
+	    goto loser;
+    }
+
+    /* count the SSL2 and SSL3 enabled ciphers.
+     * if either is zero, clear the socket's enable for that protocol.
+     */
+    rv = ssl2_CheckConfigSanity(ss);
+    if (rv != SECSuccess)
+	goto loser;
+
+    /*
+    ** Generate connection-id. Always do this, even if things fail
+    ** immediately. This way the random number generator is always
+    ** rolling around, every time we get a connection.
+    */
+    PK11_GenerateRandom(ss->sec.ci.connectionID, 
+                        sizeof(ss->sec.ci.connectionID));
+
+    ss->gs.recordLen = 0;
+    ss->handshake     = ssl_GatherRecord1stHandshake;
+    ss->nextHandshake = ssl2_HandleClientHelloMessage;
+    return SECSuccess;
+
+loser:
+    return SECFailure;
+}
+
+/* This function doesn't really belong in this file.
+** It's here to keep AIX compilers from optimizing it away, 
+** and not including it in the DSO.
+*/
+
+#include "nss.h"
+extern const char __nss_ssl_rcsid[];
+extern const char __nss_ssl_sccsid[];
+
+PRBool
+NSSSSL_VersionCheck(const char *importedVersion)
+{
+    /*
+     * This is the secret handshake algorithm.
+     *
+     * This release has a simple version compatibility
+     * check algorithm.  This release is not backward
+     * compatible with previous major releases.  It is
+     * not compatible with future major, minor, or
+     * patch releases.
+     */
+    volatile char c; /* force a reference that won't get optimized away */
+
+    c = __nss_ssl_rcsid[0] + __nss_ssl_sccsid[0]; 
+    return NSS_VersionCheck(importedVersion);
+}
diff --git a/security/nss/lib/ssl/ssldef.c b/security/nss/lib/ssl/ssldef.c
new file mode 100644
index 000000000..bb4883cf3
--- /dev/null
+++ b/security/nss/lib/ssl/ssldef.c
@@ -0,0 +1,249 @@
+/*
+ * "Default" SSLSocket methods, used by sockets that do neither SSL nor socks.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "cert.h"
+#include "ssl.h"
+#include "sslimpl.h"
+
+#if defined(WIN32)
+#define MAP_ERROR(from,to) if (err == from) { PORT_SetError(to); }
+#define DEFINE_ERROR       PRErrorCode err = PR_GetError();
+#else
+#define MAP_ERROR(from,to)
+#define DEFINE_ERROR
+#endif
+
+int ssl_DefConnect(sslSocket *ss, const PRNetAddr *sa)
+{
+    PRFileDesc *lower = ss->fd->lower;
+    int rv;
+
+    rv = lower->methods->connect(lower, sa, ss->cTimeout);
+    return rv;
+}
+
+int ssl_DefBind(sslSocket *ss, const PRNetAddr *addr)
+{
+    PRFileDesc *lower = ss->fd->lower;
+    int rv;
+
+    rv = lower->methods->bind(lower, addr);
+    return rv;
+}
+
+int ssl_DefListen(sslSocket *ss, int backlog)
+{
+    PRFileDesc *lower = ss->fd->lower;
+    int rv;
+
+    rv = lower->methods->listen(lower, backlog);
+    return rv;
+}
+
+int ssl_DefShutdown(sslSocket *ss, int how)
+{
+    PRFileDesc *lower = ss->fd->lower;
+    int rv;
+
+    rv = lower->methods->shutdown(lower, how);
+    return rv;
+}
+
+int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags)
+{
+    PRFileDesc *lower = ss->fd->lower;
+    int rv;
+
+    rv = lower->methods->recv(lower, (void *)buf, len, flags, ss->rTimeout);
+    if (rv < 0) {
+	DEFINE_ERROR
+	MAP_ERROR(PR_SOCKET_SHUTDOWN_ERROR, PR_CONNECT_RESET_ERROR)
+    } else if (rv > len) {
+	PORT_Assert(rv <= len);
+	PORT_SetError(PR_BUFFER_OVERFLOW_ERROR);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+/* Default (unencrypted) send.
+ * Returns SECSuccess or SECFailure,  NOT SECWouldBlock. 
+ * Returns positive count if any data was written. 
+ * ALWAYS check for a short write after calling ssl_DefSend.
+ */
+int ssl_DefSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
+{
+    PRFileDesc *lower = ss->fd->lower;
+    int rv, count;
+
+#if NSS_DISABLE_NAGLE_DELAYS
+    /* Although this is overkill, we disable Nagle delays completely for 
+    ** SSL sockets.
+    */
+    if (ss->useSecurity && !ss->delayDisabled) {
+	ssl_EnableNagleDelay(ss, PR_FALSE);   /* ignore error */
+    	ss->delayDisabled = 1;
+    }
+#endif
+    count = 0;
+    for (;;) {
+	rv = lower->methods->send(lower, (const void *)buf, len,
+				 flags, ss->wTimeout);
+	if (rv < 0) {
+	    PRErrorCode err = PR_GetError();
+	    if (err == PR_WOULD_BLOCK_ERROR) {
+		ss->lastWriteBlocked = 1;
+		return count ? count : rv;
+	    }
+	    ss->lastWriteBlocked = 0;
+	    MAP_ERROR(PR_CONNECT_ABORTED_ERROR, PR_CONNECT_RESET_ERROR)
+	    /* Loser */
+	    return rv;
+	}
+	count += rv;
+	if (rv < len) {
+	    /* Short send. Send the rest in the next call */
+	    buf += rv;
+	    len -= rv;
+	    continue;
+	}
+	break;
+    }
+    ss->lastWriteBlocked = 0;
+    return count;
+}
+
+int ssl_DefRead(sslSocket *ss, unsigned char *buf, int len)
+{
+    PRFileDesc *lower = ss->fd->lower;
+    int rv;
+
+    rv = lower->methods->read(lower, (void *)buf, len);
+    if (rv < 0) {
+	DEFINE_ERROR
+	MAP_ERROR(PR_SOCKET_SHUTDOWN_ERROR, PR_CONNECT_RESET_ERROR)
+    }
+    return rv;
+}
+
+int ssl_DefWrite(sslSocket *ss, const unsigned char *buf, int len)
+{
+    PRFileDesc *lower = ss->fd->lower;
+    int rv, count;
+
+    count = 0;
+    for (;;) {
+	rv = lower->methods->write(lower, (void *)buf, len);
+	if (rv < 0) {
+	    PRErrorCode err = PR_GetError();
+	    if (err == PR_WOULD_BLOCK_ERROR) {
+		ss->lastWriteBlocked = 1;
+		return count ? count : rv;
+	    }
+	    ss->lastWriteBlocked = 0;
+	    MAP_ERROR(PR_CONNECT_ABORTED_ERROR, PR_CONNECT_RESET_ERROR)
+	    /* Loser */
+	    return rv;
+	}
+	count += rv;
+	if (rv != len) {
+	    /* Short write. Send the rest in the next call */
+	    buf += rv;
+	    len -= rv;
+	    continue;
+	}
+	break;
+    }
+    ss->lastWriteBlocked = 0;
+    return count;
+}
+
+int ssl_DefGetpeername(sslSocket *ss, PRNetAddr *name)
+{
+    PRFileDesc *lower = ss->fd->lower;
+    int rv;
+
+    rv = lower->methods->getpeername(lower, name);
+    return rv;
+}
+
+int ssl_DefGetsockname(sslSocket *ss, PRNetAddr *name)
+{
+    PRFileDesc *lower = ss->fd->lower;
+    int rv;
+
+    rv = lower->methods->getsockname(lower, name);
+    return rv;
+}
+
+int ssl_DefClose(sslSocket *ss)
+{
+    PRFileDesc *fd;
+    PRFileDesc *popped;
+    int         rv;
+
+    fd    = ss->fd;
+
+    /* First, remove the SSL layer PRFileDesc from the socket's stack, 
+    ** then invoke the SSL layer's PRFileDesc destructor.
+    ** This must happen before the next layer down is closed.
+    */
+    PORT_Assert(fd->higher == NULL);
+    if (fd->higher) {
+	PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
+	return SECFailure;
+    }
+    ss->fd = NULL;
+
+    /* PR_PopIOLayer will swap the contents of the top two PRFileDescs on
+    ** the stack, and then remove the second one.  This way, the address
+    ** of the PRFileDesc on the top of the stack doesn't change.
+    */
+    popped = PR_PopIOLayer(fd, PR_TOP_IO_LAYER); 
+    popped->dtor(popped);
+
+    /* fd is now the PRFileDesc for the next layer down.
+    ** Now close the underlying socket. 
+    */
+    rv = fd->methods->close(fd);
+
+    ssl_FreeSocket(ss);
+
+    SSL_TRC(5, ("%d: SSL[%d]: closing, rv=%d errno=%d",
+		SSL_GETPID(), fd, rv, PORT_GetError()));
+    return rv;
+}
diff --git a/security/nss/lib/ssl/sslenum.c b/security/nss/lib/ssl/sslenum.c
new file mode 100644
index 000000000..f055ded54
--- /dev/null
+++ b/security/nss/lib/ssl/sslenum.c
@@ -0,0 +1,100 @@
+/*
+ * Table enumerating all implemented cipher suites
+ * Part of public API.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s): 
+ *	Dr Stephen Henson <stephen.henson@gemplus.com>
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "ssl.h"
+#include "sslproto.h"
+
+const PRUint16 SSL_ImplementedCiphers[] = {
+
+    /* 256-bit */
+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+    TLS_RSA_WITH_AES_256_CBC_SHA,
+
+    /* 128-bit */
+    SSL_FORTEZZA_DMS_WITH_RC4_128_SHA,
+    TLS_DHE_DSS_WITH_RC4_128_SHA,
+    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+    SSL_RSA_WITH_RC4_128_MD5,
+    SSL_RSA_WITH_RC4_128_SHA,
+    TLS_RSA_WITH_AES_128_CBC_SHA,
+
+    /* 112-bit 3DES */
+    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+    SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
+    SSL_RSA_WITH_3DES_EDE_CBC_SHA,
+
+    /* 80 bit skipjack */
+    SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, /* KEA + SkipJack */
+
+    /* 56-bit DES "domestic" cipher suites */
+    SSL_DHE_RSA_WITH_DES_CBC_SHA,
+    SSL_DHE_DSS_WITH_DES_CBC_SHA,
+    SSL_RSA_FIPS_WITH_DES_CBC_SHA,
+    SSL_RSA_WITH_DES_CBC_SHA,
+
+    /* export ciphersuites with 1024-bit public key exchange keys */
+    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
+    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
+
+    /* export ciphersuites with 512-bit public key exchange keys */
+    SSL_RSA_EXPORT_WITH_RC4_40_MD5,
+    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+
+    /* ciphersuites with no encryption */
+    SSL_FORTEZZA_DMS_WITH_NULL_SHA,
+    SSL_RSA_WITH_NULL_MD5,
+
+    /* SSL2 cipher suites. */
+    SSL_EN_RC4_128_WITH_MD5,
+    SSL_EN_RC2_128_CBC_WITH_MD5,
+    SSL_EN_DES_192_EDE3_CBC_WITH_MD5,  /* actually 112, not 192 */
+    SSL_EN_DES_64_CBC_WITH_MD5,
+    SSL_EN_RC4_128_EXPORT40_WITH_MD5,
+    SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,
+
+    0
+
+};
+
+const PRUint16 SSL_NumImplementedCiphers = 
+    (sizeof SSL_ImplementedCiphers) / (sizeof SSL_ImplementedCiphers[0]) - 1;
+
diff --git a/security/nss/lib/ssl/sslerr.c b/security/nss/lib/ssl/sslerr.c
new file mode 100644
index 000000000..f3e57d44d
--- /dev/null
+++ b/security/nss/lib/ssl/sslerr.c
@@ -0,0 +1,71 @@
+/*
+ * Function to set error code only when meaningful error has not already 
+ * been set.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "prerror.h"
+#include "secerr.h"
+#include "sslerr.h"
+#include "seccomon.h"
+
+/* look at the current value of PR_GetError, and evaluate it to see
+ * if it is meaningful or meaningless (out of context). 
+ * If it is meaningless, replace it with the hiLevelError.
+ * Returns the chosen error value.
+ */
+int
+ssl_MapLowLevelError(int hiLevelError)
+{
+    int oldErr	= PORT_GetError();
+
+    switch (oldErr) {
+
+    case 0:
+    case PR_IO_ERROR:
+    case SEC_ERROR_IO:
+    case SEC_ERROR_BAD_DATA:
+    case SEC_ERROR_LIBRARY_FAILURE:
+    case SEC_ERROR_EXTENSION_NOT_FOUND:
+    case SSL_ERROR_BAD_CLIENT:
+    case SSL_ERROR_BAD_SERVER:
+    case SSL_ERROR_SESSION_NOT_FOUND:
+    	PORT_SetError(hiLevelError);
+	return hiLevelError;
+
+    default:	/* leave the majority of error codes alone. */
+	return oldErr;
+    }
+}
diff --git a/security/nss/lib/ssl/sslerr.h b/security/nss/lib/ssl/sslerr.h
new file mode 100644
index 000000000..3285fb60c
--- /dev/null
+++ b/security/nss/lib/ssl/sslerr.h
@@ -0,0 +1,188 @@
+/*
+ * Enumeration of all SSL-specific error codes.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+#ifndef __SSL_ERR_H_
+#define __SSL_ERR_H_
+
+
+#define SSL_ERROR_BASE				(-0x3000)
+#define SSL_ERROR_LIMIT				(SSL_ERROR_BASE + 1000)
+
+#define IS_SSL_ERROR(code) \
+    (((code) >= SSL_ERROR_BASE) && ((code) < SSL_ERROR_LIMIT))
+
+#ifndef NO_SECURITY_ERROR_ENUM
+typedef enum {
+SSL_ERROR_EXPORT_ONLY_SERVER 		= (SSL_ERROR_BASE +  0),
+SSL_ERROR_US_ONLY_SERVER 		= (SSL_ERROR_BASE +  1),
+SSL_ERROR_NO_CYPHER_OVERLAP 		= (SSL_ERROR_BASE +  2),
+/* 
+ * Received an alert reporting what we did wrong.  (more alerts below)
+ */
+SSL_ERROR_NO_CERTIFICATE /*_ALERT */	= (SSL_ERROR_BASE +  3),
+SSL_ERROR_BAD_CERTIFICATE            	= (SSL_ERROR_BASE +  4),
+					/* error 5 is obsolete */
+SSL_ERROR_BAD_CLIENT 			= (SSL_ERROR_BASE +  6),
+SSL_ERROR_BAD_SERVER 			= (SSL_ERROR_BASE +  7),
+SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE	= (SSL_ERROR_BASE +  8),
+SSL_ERROR_UNSUPPORTED_VERSION 		= (SSL_ERROR_BASE +  9),
+					/* error 10 is obsolete */
+SSL_ERROR_WRONG_CERTIFICATE		= (SSL_ERROR_BASE + 11),
+SSL_ERROR_BAD_CERT_DOMAIN 		= (SSL_ERROR_BASE + 12),
+SSL_ERROR_POST_WARNING 			= (SSL_ERROR_BASE + 13),
+SSL_ERROR_SSL2_DISABLED 		= (SSL_ERROR_BASE + 14),
+SSL_ERROR_BAD_MAC_READ 			= (SSL_ERROR_BASE + 15),
+/* 
+ * Received an alert reporting what we did wrong.
+ * (two more alerts above, and many more below)
+ */
+SSL_ERROR_BAD_MAC_ALERT 		= (SSL_ERROR_BASE + 16),
+SSL_ERROR_BAD_CERT_ALERT                = (SSL_ERROR_BASE + 17),
+SSL_ERROR_REVOKED_CERT_ALERT 		= (SSL_ERROR_BASE + 18),
+SSL_ERROR_EXPIRED_CERT_ALERT 		= (SSL_ERROR_BASE + 19),
+
+SSL_ERROR_SSL_DISABLED 			= (SSL_ERROR_BASE + 20),
+SSL_ERROR_FORTEZZA_PQG 			= (SSL_ERROR_BASE + 21),
+SSL_ERROR_UNKNOWN_CIPHER_SUITE		= (SSL_ERROR_BASE + 22),
+SSL_ERROR_NO_CIPHERS_SUPPORTED		= (SSL_ERROR_BASE + 23),
+SSL_ERROR_BAD_BLOCK_PADDING		= (SSL_ERROR_BASE + 24),
+SSL_ERROR_RX_RECORD_TOO_LONG		= (SSL_ERROR_BASE + 25),
+SSL_ERROR_TX_RECORD_TOO_LONG		= (SSL_ERROR_BASE + 26),
+/* 
+ * Received a malformed (too long or short) SSL handshake.
+ */
+SSL_ERROR_RX_MALFORMED_HELLO_REQUEST	= (SSL_ERROR_BASE + 27),
+SSL_ERROR_RX_MALFORMED_CLIENT_HELLO	= (SSL_ERROR_BASE + 28),
+SSL_ERROR_RX_MALFORMED_SERVER_HELLO	= (SSL_ERROR_BASE + 29),
+SSL_ERROR_RX_MALFORMED_CERTIFICATE	= (SSL_ERROR_BASE + 30),
+SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH	= (SSL_ERROR_BASE + 31),
+SSL_ERROR_RX_MALFORMED_CERT_REQUEST	= (SSL_ERROR_BASE + 32),
+SSL_ERROR_RX_MALFORMED_HELLO_DONE	= (SSL_ERROR_BASE + 33),
+SSL_ERROR_RX_MALFORMED_CERT_VERIFY	= (SSL_ERROR_BASE + 34),
+SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH	= (SSL_ERROR_BASE + 35),
+SSL_ERROR_RX_MALFORMED_FINISHED 	= (SSL_ERROR_BASE + 36),
+/* 
+ * Received a malformed (too long or short) SSL record.
+ */
+SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER 	= (SSL_ERROR_BASE + 37),
+SSL_ERROR_RX_MALFORMED_ALERT	 	= (SSL_ERROR_BASE + 38),
+SSL_ERROR_RX_MALFORMED_HANDSHAKE 	= (SSL_ERROR_BASE + 39),
+SSL_ERROR_RX_MALFORMED_APPLICATION_DATA	= (SSL_ERROR_BASE + 40),
+/*
+ * Received an SSL handshake that was inappropriate for the state we're in.
+ * E.g. Server received message from server, or wrong state in state machine.
+ */
+SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST	= (SSL_ERROR_BASE + 41),
+SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO	= (SSL_ERROR_BASE + 42),
+SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO	= (SSL_ERROR_BASE + 43),
+SSL_ERROR_RX_UNEXPECTED_CERTIFICATE	= (SSL_ERROR_BASE + 44),
+SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH	= (SSL_ERROR_BASE + 45),
+SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST	= (SSL_ERROR_BASE + 46),
+SSL_ERROR_RX_UNEXPECTED_HELLO_DONE	= (SSL_ERROR_BASE + 47),
+SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY	= (SSL_ERROR_BASE + 48),
+SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH	= (SSL_ERROR_BASE + 49),
+SSL_ERROR_RX_UNEXPECTED_FINISHED 	= (SSL_ERROR_BASE + 50),
+/*
+ * Received an SSL record that was inappropriate for the state we're in.
+ */
+SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER 	= (SSL_ERROR_BASE + 51),
+SSL_ERROR_RX_UNEXPECTED_ALERT	 	= (SSL_ERROR_BASE + 52),
+SSL_ERROR_RX_UNEXPECTED_HANDSHAKE 	= (SSL_ERROR_BASE + 53),
+SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA= (SSL_ERROR_BASE + 54),
+/*
+ * Received record/message with unknown discriminant.
+ */
+SSL_ERROR_RX_UNKNOWN_RECORD_TYPE	= (SSL_ERROR_BASE + 55),
+SSL_ERROR_RX_UNKNOWN_HANDSHAKE 		= (SSL_ERROR_BASE + 56),
+SSL_ERROR_RX_UNKNOWN_ALERT 		= (SSL_ERROR_BASE + 57),
+/* 
+ * Received an alert reporting what we did wrong.  (more alerts above)
+ */
+SSL_ERROR_CLOSE_NOTIFY_ALERT 		= (SSL_ERROR_BASE + 58),
+SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT 	= (SSL_ERROR_BASE + 59),
+SSL_ERROR_DECOMPRESSION_FAILURE_ALERT 	= (SSL_ERROR_BASE + 60),
+SSL_ERROR_HANDSHAKE_FAILURE_ALERT 	= (SSL_ERROR_BASE + 61),
+SSL_ERROR_ILLEGAL_PARAMETER_ALERT 	= (SSL_ERROR_BASE + 62),
+SSL_ERROR_UNSUPPORTED_CERT_ALERT 	= (SSL_ERROR_BASE + 63),
+SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT 	= (SSL_ERROR_BASE + 64),
+
+SSL_ERROR_GENERATE_RANDOM_FAILURE	= (SSL_ERROR_BASE + 65),
+SSL_ERROR_SIGN_HASHES_FAILURE		= (SSL_ERROR_BASE + 66),
+SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE	= (SSL_ERROR_BASE + 67),
+SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE	= (SSL_ERROR_BASE + 68),
+SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE	= (SSL_ERROR_BASE + 69),
+
+SSL_ERROR_ENCRYPTION_FAILURE		= (SSL_ERROR_BASE + 70),
+SSL_ERROR_DECRYPTION_FAILURE		= (SSL_ERROR_BASE + 71),
+SSL_ERROR_SOCKET_WRITE_FAILURE		= (SSL_ERROR_BASE + 72),
+
+SSL_ERROR_MD5_DIGEST_FAILURE		= (SSL_ERROR_BASE + 73),
+SSL_ERROR_SHA_DIGEST_FAILURE		= (SSL_ERROR_BASE + 74),
+SSL_ERROR_MAC_COMPUTATION_FAILURE	= (SSL_ERROR_BASE + 75),
+SSL_ERROR_SYM_KEY_CONTEXT_FAILURE	= (SSL_ERROR_BASE + 76),
+SSL_ERROR_SYM_KEY_UNWRAP_FAILURE	= (SSL_ERROR_BASE + 77),
+SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED	= (SSL_ERROR_BASE + 78),
+SSL_ERROR_IV_PARAM_FAILURE		= (SSL_ERROR_BASE + 79),
+SSL_ERROR_INIT_CIPHER_SUITE_FAILURE	= (SSL_ERROR_BASE + 80),
+SSL_ERROR_SESSION_KEY_GEN_FAILURE	= (SSL_ERROR_BASE + 81),
+SSL_ERROR_NO_SERVER_KEY_FOR_ALG		= (SSL_ERROR_BASE + 82),
+SSL_ERROR_TOKEN_INSERTION_REMOVAL	= (SSL_ERROR_BASE + 83),
+SSL_ERROR_TOKEN_SLOT_NOT_FOUND		= (SSL_ERROR_BASE + 84),
+SSL_ERROR_NO_COMPRESSION_OVERLAP	= (SSL_ERROR_BASE + 85),
+SSL_ERROR_HANDSHAKE_NOT_COMPLETED	= (SSL_ERROR_BASE + 86),
+SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE	= (SSL_ERROR_BASE + 87),
+SSL_ERROR_CERT_KEA_MISMATCH		= (SSL_ERROR_BASE + 88),
+SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA	= (SSL_ERROR_BASE + 89),
+SSL_ERROR_SESSION_NOT_FOUND		= (SSL_ERROR_BASE + 90),
+
+SSL_ERROR_DECRYPTION_FAILED_ALERT	= (SSL_ERROR_BASE + 91),
+SSL_ERROR_RECORD_OVERFLOW_ALERT		= (SSL_ERROR_BASE + 92),
+SSL_ERROR_UNKNOWN_CA_ALERT		= (SSL_ERROR_BASE + 93),
+SSL_ERROR_ACCESS_DENIED_ALERT		= (SSL_ERROR_BASE + 94),
+SSL_ERROR_DECODE_ERROR_ALERT		= (SSL_ERROR_BASE + 95),
+SSL_ERROR_DECRYPT_ERROR_ALERT		= (SSL_ERROR_BASE + 96),
+SSL_ERROR_EXPORT_RESTRICTION_ALERT	= (SSL_ERROR_BASE + 97),
+SSL_ERROR_PROTOCOL_VERSION_ALERT	= (SSL_ERROR_BASE + 98),
+SSL_ERROR_INSUFFICIENT_SECURITY_ALERT	= (SSL_ERROR_BASE + 99),
+SSL_ERROR_INTERNAL_ERROR_ALERT		= (SSL_ERROR_BASE + 100),
+SSL_ERROR_USER_CANCELED_ALERT		= (SSL_ERROR_BASE + 101),
+SSL_ERROR_NO_RENEGOTIATION_ALERT	= (SSL_ERROR_BASE + 102),
+
+SSL_ERROR_END_OF_LIST	/* let the c compiler determine the value of this. */
+} SSLErrorCodes;
+#endif /* NO_SECURITY_ERROR_ENUM */
+
+#endif /* __SSL_ERR_H_ */
diff --git a/security/nss/lib/ssl/sslgathr.c b/security/nss/lib/ssl/sslgathr.c
new file mode 100644
index 000000000..9f06a25e3
--- /dev/null
+++ b/security/nss/lib/ssl/sslgathr.c
@@ -0,0 +1,476 @@
+/*
+ * Gather (Read) entire SSL2 records from socket into buffer.  
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+#include "cert.h"
+#include "ssl.h"
+#include "sslimpl.h"
+#include "sslproto.h"
+
+/* Forward static declarations */
+static SECStatus ssl2_HandleV3HandshakeRecord(sslSocket *ss);
+
+/*
+** Gather a single record of data from the receiving stream. This code
+** first gathers the header (2 or 3 bytes long depending on the value of
+** the most significant bit in the first byte) then gathers up the data
+** for the record into gs->buf. This code handles non-blocking I/O
+** and is to be called multiple times until ss->sec.recordLen != 0.
+** This function decrypts the gathered record in place, in gs_buf.
+ *
+ * Caller must hold RecvBufLock. 
+ *
+ * Returns +1 when it has gathered a complete SSLV2 record.
+ * Returns  0 if it hits EOF.
+ * Returns -1 (SECFailure)    on any error
+ * Returns -2 (SECWouldBlock) when it gathers an SSL v3 client hello header.
+**
+** The SSL2 Gather State machine has 4 states:
+** GS_INIT   - Done reading in previous record.  Haven't begun to read in
+**             next record.  When ssl2_GatherData is called with the machine
+**             in this state, the machine will attempt to read the first 3
+**             bytes of the SSL2 record header, and will advance the state
+**             to GS_HEADER.
+**
+** GS_HEADER - The machine is in this state while waiting for the completion
+**             of the first 3 bytes of the SSL2 record.  When complete, the
+**             machine will compute the remaining unread length of this record
+**             and will initiate a read of that many bytes.  The machine will
+**             advance to one of two states, depending on whether the record
+**             is encrypted (GS_MAC), or unencrypted (GS_DATA).
+**
+** GS_MAC    - The machine is in this state while waiting for the remainder 
+**             of the SSL2 record to be read in.  When the read is completed,
+**             the machine checks the record for valid length, decrypts it,
+**             and checks and discards the MAC, then advances to GS_INIT.
+**
+** GS_DATA   - The machine is in this state while waiting for the remainder
+**             of the unencrypted SSL2 record to be read in.  Upon completion,
+**             the machine advances to the GS_INIT state and returns the data.
+*/
+int 
+ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags)
+{
+    unsigned char *  bp;
+    unsigned char *  pBuf;
+    int              nb, err, rv;
+
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+
+    if (gs->state == GS_INIT) {
+	/* Initialize gathering engine */
+	gs->state         = GS_HEADER;
+	gs->remainder     = 3;
+	gs->count         = 3;
+	gs->offset        = 0;
+	gs->recordLen     = 0;
+	gs->recordPadding = 0;
+	gs->hdr[2]        = 0;
+
+	gs->writeOffset   = 0;
+	gs->readOffset    = 0;
+    }
+    if (gs->encrypted) {
+	PORT_Assert(ss->sec.hash != 0);
+    }
+
+    pBuf = gs->buf.buf;
+    for (;;) {
+	SSL_TRC(30, ("%d: SSL[%d]: gather state %d (need %d more)",
+		     SSL_GETPID(), ss->fd, gs->state, gs->remainder));
+	bp = ((gs->state != GS_HEADER) ? pBuf : gs->hdr) + gs->offset;
+	nb = ssl_DefRecv(ss, bp, gs->remainder, flags);
+	if (nb > 0) {
+	    PRINT_BUF(60, (ss, "raw gather data:", bp, nb));
+	}
+	if (nb == 0) {
+	    /* EOF */
+	    SSL_TRC(30, ("%d: SSL[%d]: EOF", SSL_GETPID(), ss->fd));
+	    rv = 0;
+	    break;
+	}
+	if (nb < 0) {
+	    SSL_DBG(("%d: SSL[%d]: recv error %d", SSL_GETPID(), ss->fd,
+		     PR_GetError()));
+	    rv = SECFailure;
+	    break;
+	}
+
+	gs->offset    += nb;
+	gs->remainder -= nb;
+
+	if (gs->remainder > 0) {
+	    continue;
+	}
+
+	/* Probably finished this piece */
+	switch (gs->state) {
+	case GS_HEADER: 
+	    if ((ss->enableSSL3 || ss->enableTLS) && !ss->firstHsDone) {
+
+		PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+
+		/* If this looks like an SSL3 handshake record, 
+		** and we're expecting an SSL2 Hello message from our peer, 
+		** handle it here.
+		*/
+		if (gs->hdr[0] == content_handshake) {
+		    if ((ss->nextHandshake == ssl2_HandleClientHelloMessage) ||
+			(ss->nextHandshake == ssl2_HandleServerHelloMessage)) {
+			rv = ssl2_HandleV3HandshakeRecord(ss);
+			if (rv == SECFailure) {
+			    return SECFailure;
+			}
+		    }
+		    /* XXX_1	The call stack to here is:
+		     * ssl_Do1stHandshake -> ssl_GatherRecord1stHandshake -> 
+		     *			ssl2_GatherRecord -> here.
+		     * We want to return all the way out to ssl_Do1stHandshake,
+		     * and have it call ssl_GatherRecord1stHandshake again. 
+		     * ssl_GatherRecord1stHandshake will call 
+		     * ssl3_GatherCompleteHandshake when it is called again.
+		     *
+		     * Returning SECWouldBlock here causes 
+		     * ssl_GatherRecord1stHandshake to return without clearing 
+		     * ss->handshake, ensuring that ssl_Do1stHandshake will 
+		     * call it again immediately.
+		     * 
+		     * If we return 1 here, ssl_GatherRecord1stHandshake will 
+		     * clear ss->handshake before returning, and thus will not 
+		     * be called again by ssl_Do1stHandshake.  
+		     */
+		    return SECWouldBlock;
+		} else if (gs->hdr[0] == content_alert) {
+		    if (ss->nextHandshake == ssl2_HandleServerHelloMessage) {
+			/* XXX This is a hack.  We're assuming that any failure
+			 * XXX on the client hello is a failure to match
+			 * XXX ciphers.
+			 */
+			PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+			return SECFailure;
+		    }
+		}
+	    }	/* ((ss->enableSSL3 || ss->enableTLS) && !ss->firstHsDone) */
+
+	    /* we've got the first 3 bytes.  The header may be two or three. */
+	    if (gs->hdr[0] & 0x80) {
+		/* This record has a 2-byte header, and no padding */
+		gs->count = ((gs->hdr[0] & 0x7f) << 8) | gs->hdr[1];
+		gs->recordPadding = 0;
+	    } else {
+		/* This record has a 3-byte header that is all read in now. */
+		gs->count = ((gs->hdr[0] & 0x3f) << 8) | gs->hdr[1];
+	    /*  is_escape =  (gs->hdr[0] & 0x40) != 0; */
+		gs->recordPadding = gs->hdr[2];
+	    }
+
+	    if (gs->count > gs->buf.space) {
+		err = sslBuffer_Grow(&gs->buf, gs->count);
+		if (err) {
+		    return err;
+		}
+		pBuf = gs->buf.buf;
+	    }
+
+
+	    if (gs->hdr[0] & 0x80) {
+	    	/* we've already read in the first byte of the body.
+		** Put it into the buffer.
+		*/
+		pBuf[0]        = gs->hdr[2];
+		gs->offset    = 1;
+		gs->remainder = gs->count - 1;
+	    } else {
+		gs->offset    = 0;
+		gs->remainder = gs->count;
+	    }
+
+	    if (gs->encrypted) {
+		gs->state     = GS_MAC;
+		gs->recordLen = gs->count - gs->recordPadding
+		                          - ss->sec.hash->length;
+	    } else {
+		gs->state     = GS_DATA;
+		gs->recordLen = gs->count;
+	    }
+
+	    break;
+
+
+	case GS_MAC:
+	    /* Have read in entire rest of the ciphertext.  
+	    ** Check for valid length.
+	    ** Decrypt it.
+	    ** Check the MAC.
+	    */
+	    PORT_Assert(gs->encrypted);
+
+	  {
+	    unsigned int     macLen;
+	    int              nout;
+	    unsigned char    mac[SSL_MAX_MAC_BYTES];
+
+	    ssl_GetSpecReadLock(ss); /**********************************/
+
+	    /* If this is a stream cipher, blockSize will be 1,
+	     * and this test will always be false.
+	     * If this is a block cipher, this will detect records
+	     * that are not a multiple of the blocksize in length.
+	     */
+	    if (gs->count & (ss->sec.blockSize - 1)) {
+		/* This is an error. Sender is misbehaving */
+		SSL_DBG(("%d: SSL[%d]: sender, count=%d blockSize=%d",
+			 SSL_GETPID(), ss->fd, gs->count,
+			 ss->sec.blockSize));
+		PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING);
+		rv = SECFailure;
+		goto spec_locked_done;
+	    }
+	    PORT_Assert(gs->count == gs->offset);
+
+	    if (gs->offset == 0) {
+		rv = 0;			/* means EOF. */
+		goto spec_locked_done;
+	    }
+
+	    /* Decrypt the portion of data that we just recieved.
+	    ** Decrypt it in place.
+	    */
+	    rv = (*ss->sec.dec)(ss->sec.readcx, pBuf, &nout, gs->offset,
+			     pBuf, gs->offset);
+	    if (rv != SECSuccess) {
+		goto spec_locked_done;
+	    }
+
+
+	    /* Have read in all the MAC portion of record 
+	    **
+	    ** Prepare MAC by resetting it and feeding it the shared secret
+	    */
+	    macLen = ss->sec.hash->length;
+	    if (gs->offset >= macLen) {
+		uint32           sequenceNumber = ss->sec.rcvSequence++;
+		unsigned char    seq[4];
+
+		seq[0] = (unsigned char) (sequenceNumber >> 24);
+		seq[1] = (unsigned char) (sequenceNumber >> 16);
+		seq[2] = (unsigned char) (sequenceNumber >> 8);
+		seq[3] = (unsigned char) (sequenceNumber);
+
+		(*ss->sec.hash->begin)(ss->sec.hashcx);
+		(*ss->sec.hash->update)(ss->sec.hashcx, ss->sec.rcvSecret.data,
+				        ss->sec.rcvSecret.len);
+		(*ss->sec.hash->update)(ss->sec.hashcx, pBuf + macLen, 
+				        gs->offset - macLen);
+		(*ss->sec.hash->update)(ss->sec.hashcx, seq, 4);
+		(*ss->sec.hash->end)(ss->sec.hashcx, mac, &macLen, macLen);
+	    }
+
+	    PORT_Assert(macLen == ss->sec.hash->length);
+
+	    ssl_ReleaseSpecReadLock(ss);  /******************************/
+
+	    if (PORT_Memcmp(mac, pBuf, macLen) != 0) {
+		/* MAC's didn't match... */
+		SSL_DBG(("%d: SSL[%d]: mac check failed, seq=%d",
+			 SSL_GETPID(), ss->fd, ss->sec.rcvSequence));
+		PRINT_BUF(1, (ss, "computed mac:", mac, macLen));
+		PRINT_BUF(1, (ss, "received mac:", pBuf, macLen));
+		PORT_SetError(SSL_ERROR_BAD_MAC_READ);
+		rv = SECFailure;
+		goto cleanup;
+	    }
+
+
+	    PORT_Assert(gs->recordPadding + macLen <= gs->offset);
+	    if (gs->recordPadding + macLen <= gs->offset) {
+		gs->recordOffset  = macLen;
+		gs->readOffset    = macLen;
+		gs->writeOffset   = gs->offset - gs->recordPadding;
+		rv = 1;
+	    } else {
+		PORT_SetError(SSL_ERROR_BAD_BLOCK_PADDING);
+cleanup:
+		/* nothing in the buffer any more. */
+		gs->recordOffset  = 0;
+		gs->readOffset    = 0;
+	    	gs->writeOffset   = 0;
+		rv = SECFailure;
+	    }
+
+	    gs->recordLen     = gs->writeOffset - gs->readOffset;
+	    gs->recordPadding = 0;	/* forget we did any padding. */
+	    gs->state = GS_INIT;
+
+
+	    if (rv > 0) {
+		PRINT_BUF(50, (ss, "recv clear record:", 
+		               pBuf + gs->recordOffset, gs->recordLen));
+	    }
+	    return rv;
+
+spec_locked_done:
+	    ssl_ReleaseSpecReadLock(ss);
+	    return rv;
+	  }
+
+	case GS_DATA:
+	    /* Have read in all the DATA portion of record */
+
+	    gs->recordOffset  = 0;
+	    gs->readOffset    = 0;
+	    gs->writeOffset   = gs->offset;
+	    PORT_Assert(gs->recordLen == gs->writeOffset - gs->readOffset);
+	    gs->recordLen     = gs->offset;
+	    gs->recordPadding = 0;
+	    gs->state         = GS_INIT;
+
+	    ++ss->sec.rcvSequence;
+
+	    PRINT_BUF(50, (ss, "recv clear record:", 
+	                   pBuf + gs->recordOffset, gs->recordLen));
+	    return 1;
+
+	}	/* end switch gs->state */
+    }		/* end gather loop. */
+    return rv;
+}
+
+/*
+** Gather a single record of data from the receiving stream. This code
+** first gathers the header (2 or 3 bytes long depending on the value of
+** the most significant bit in the first byte) then gathers up the data
+** for the record into the readBuf. This code handles non-blocking I/O
+** and is to be called multiple times until ss->sec.recordLen != 0.
+ *
+ * Returns +1 when it has gathered a complete SSLV2 record.
+ * Returns  0 if it hits EOF.
+ * Returns -1 (SECFailure)    on any error
+ * Returns -2 (SECWouldBlock) 
+ *
+ * Called by ssl_GatherRecord1stHandshake in sslcon.c, 
+ * and by DoRecv in sslsecur.c
+ * Caller must hold RecvBufLock.
+ */
+int 
+ssl2_GatherRecord(sslSocket *ss, int flags)
+{
+    return ssl2_GatherData(ss, &ss->gs, flags);
+}
+
+/*
+ * Returns +1 when it has gathered a complete SSLV2 record.
+ * Returns  0 if it hits EOF.
+ * Returns -1 (SECFailure)    on any error
+ * Returns -2 (SECWouldBlock) 
+ *
+ * Called from SocksStartGather in sslsocks.c
+ * Caller must hold RecvBufLock. 
+ */
+int 
+ssl2_StartGatherBytes(sslSocket *ss, sslGather *gs, unsigned int count)
+{
+    int rv;
+
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+    gs->state     = GS_DATA;
+    gs->remainder = count;
+    gs->count     = count;
+    gs->offset    = 0;
+    if (count > gs->buf.space) {
+	rv = sslBuffer_Grow(&gs->buf, count);
+	if (rv) {
+	    return rv;
+	}
+    }
+    return ssl2_GatherData(ss, gs, 0);
+}
+
+/* Caller should hold RecvBufLock. */
+SECStatus
+ssl_InitGather(sslGather *gs)
+{
+    SECStatus status;
+
+    gs->state = GS_INIT;
+    gs->writeOffset = 0;
+    gs->readOffset  = 0;
+    status = sslBuffer_Grow(&gs->buf, 4096);
+    return status;
+}
+
+/* Caller must hold RecvBufLock. */
+void 
+ssl_DestroyGather(sslGather *gs)
+{
+    if (gs) {	/* the PORT_*Free functions check for NULL pointers. */
+	PORT_ZFree(gs->buf.buf, gs->buf.space);
+	PORT_Free(gs->inbuf.buf);
+    }
+}
+
+/* Caller must hold RecvBufLock. */
+static SECStatus
+ssl2_HandleV3HandshakeRecord(sslSocket *ss)
+{
+    SECStatus           rv;
+    SSL3ProtocolVersion version = (ss->gs.hdr[1] << 8) | ss->gs.hdr[2];
+
+    PORT_Assert( ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+
+    /* We've read in 3 bytes, there are 2 more to go in an ssl3 header. */
+    ss->gs.remainder         = 2;
+    ss->gs.count             = 0;
+
+    /* Clearing these handshake pointers ensures that 
+     * ssl_Do1stHandshake won't call ssl2_HandleMessage when we return.
+     */
+    ss->nextHandshake     = 0;
+    ss->securityHandshake = 0;
+
+    /* Setting ss->version to an SSL 3.x value will cause 
+    ** ssl_GatherRecord1stHandshake to invoke ssl3_GatherCompleteHandshake() 
+    ** the next time it is called.
+    **/
+    rv = ssl3_NegotiateVersion(ss, version);
+    if (rv != SECSuccess) {
+	return rv;
+    }
+
+    ss->sec.send         = ssl3_SendApplicationData;
+
+    return SECSuccess;
+}
diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h
new file mode 100644
index 000000000..a1d09e814
--- /dev/null
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -0,0 +1,1302 @@
+/*
+ * This file is PRIVATE to SSL and should be the first thing included by
+ * any SSL implementation file.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s): 
+ *	Dr Stephen Henson <stephen.henson@gemplus.com>
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#ifndef __sslimpl_h_
+#define __sslimpl_h_
+
+#ifdef DEBUG
+#undef NDEBUG
+#else
+#undef NDEBUG
+#define NDEBUG
+#endif
+#include "secport.h"
+#include "secerr.h"
+#include "sslerr.h"
+#include "ssl3prot.h"
+#include "hasht.h"
+#include "nssilock.h"
+#include "pkcs11t.h"
+#if defined(XP_UNIX) || defined(XP_BEOS)
+#include "unistd.h"
+#endif
+#include "nssrwlk.h"
+#include "prthread.h"
+
+#include "sslt.h" /* for some formerly private types, now public */
+
+/* to make some of these old enums public without namespace pollution,
+** it was necessary to prepend ssl_ to the names.
+** These #defines preserve compatibility with the old code here in libssl.
+*/
+typedef SSLKEAType      SSL3KEAType;
+typedef SSLMACAlgorithm SSL3MACAlgorithm;
+typedef SSLSignType     SSL3SignType;
+
+#define sign_null	ssl_sign_null
+#define sign_rsa	ssl_sign_rsa
+#define sign_dsa	ssl_sign_dsa
+
+#define calg_null	ssl_calg_null
+#define calg_rc4	ssl_calg_rc4
+#define calg_rc2	ssl_calg_rc2
+#define calg_des	ssl_calg_des
+#define calg_3des	ssl_calg_3des
+#define calg_idea	ssl_calg_idea
+#define calg_fortezza	ssl_calg_fortezza
+#define calg_aes	ssl_calg_aes
+
+#define mac_null	ssl_mac_null
+#define mac_md5 	ssl_mac_md5
+#define mac_sha 	ssl_mac_sha
+#define hmac_md5	ssl_hmac_md5
+#define hmac_sha	ssl_hmac_sha
+
+
+#if defined(DEBUG) || defined(TRACE)
+#ifdef __cplusplus
+#define Debug 1
+#else
+extern int Debug;
+#endif
+#else
+#undef Debug
+#endif
+#if defined(DEBUG)
+#define TRACE
+#endif
+
+#ifdef TRACE
+#define SSL_TRC(a,b) if (ssl_trace >= (a)) ssl_Trace b
+#define PRINT_BUF(a,b) if (ssl_trace >= (a)) ssl_PrintBuf b
+#define DUMP_MSG(a,b) if (ssl_trace >= (a)) ssl_DumpMsg b
+#else
+#define SSL_TRC(a,b)
+#define PRINT_BUF(a,b)
+#define DUMP_MSG(a,b)
+#endif
+
+#ifdef DEBUG
+#define SSL_DBG(b) if (ssl_debug) ssl_Trace b
+#else
+#define SSL_DBG(b)
+#endif
+
+#if defined (DEBUG)
+#ifdef macintosh
+#include "pprthred.h"
+#else
+#include "private/pprthred.h"	/* for PR_InMonitor() */
+#endif
+#define ssl_InMonitor(m) PZ_InMonitor(m)
+#endif
+
+#define LSB(x) ((unsigned char) (x & 0xff))
+#define MSB(x) ((unsigned char) (((unsigned)(x)) >> 8))
+
+/************************************************************************/
+
+typedef enum { SSLAppOpRead = 0,
+	       SSLAppOpWrite,
+	       SSLAppOpRDWR,
+	       SSLAppOpPost,
+	       SSLAppOpHeader
+} SSLAppOperation;
+
+#define SSL_MIN_MASTER_KEY_BYTES	5
+#define SSL_MAX_MASTER_KEY_BYTES	64
+
+#define SSL2_SESSIONID_BYTES		16
+#define SSL3_SESSIONID_BYTES		32
+
+#define SSL_MIN_CHALLENGE_BYTES		16
+#define SSL_MAX_CHALLENGE_BYTES		32
+#define SSL_CHALLENGE_BYTES		16
+
+#define SSL_CONNECTIONID_BYTES		16
+
+#define SSL_MIN_CYPHER_ARG_BYTES	0
+#define SSL_MAX_CYPHER_ARG_BYTES	32
+
+#define SSL_MAX_MAC_BYTES		16
+
+/* number of wrap mechanisms potentially used to wrap master secrets. */
+#define SSL_NUM_WRAP_MECHS              13
+
+/* This makes the cert cache entry exactly 4k. */
+#define SSL_MAX_CACHED_CERT_LEN		4060
+
+#ifndef BPB
+#define BPB 8 /* Bits Per Byte */
+#endif
+
+typedef struct sslBufferStr             sslBuffer;
+typedef struct sslConnectInfoStr        sslConnectInfo;
+typedef struct sslGatherStr             sslGather;
+typedef struct sslSecurityInfoStr       sslSecurityInfo;
+typedef struct sslSessionIDStr          sslSessionID;
+typedef struct sslSocketStr             sslSocket;
+typedef struct sslSocketOpsStr          sslSocketOps;
+
+typedef struct ssl3StateStr             ssl3State;
+typedef struct ssl3CertNodeStr          ssl3CertNode;
+typedef struct ssl3BulkCipherDefStr     ssl3BulkCipherDef;
+typedef struct ssl3MACDefStr            ssl3MACDef;
+typedef struct ssl3KeyPairStr		ssl3KeyPair;
+
+struct ssl3CertNodeStr {
+    struct ssl3CertNodeStr *next;
+    CERTCertificate *       cert;
+};
+
+typedef SECStatus (*sslHandshakeFunc)(sslSocket *ss);
+
+/* This type points to the low layer send func, 
+** e.g. ssl2_SendStream or ssl3_SendPlainText.
+** These functions return the same values as PR_Send, 
+** i.e.  >= 0 means number of bytes sent, < 0 means error.
+*/
+typedef PRInt32       (*sslSendFunc)(sslSocket *ss, const unsigned char *buf,
+			             PRInt32 n, PRInt32 flags);
+
+typedef void          (*sslSessionIDCacheFunc)  (sslSessionID *sid);
+typedef void          (*sslSessionIDUncacheFunc)(sslSessionID *sid);
+typedef sslSessionID *(*sslSessionIDLookupFunc)(const PRIPv6Addr    *addr,
+						unsigned char* sid,
+						unsigned int   sidLen,
+                                                CERTCertDBHandle * dbHandle);
+
+
+/* Socket ops */
+struct sslSocketOpsStr {
+    int         (*connect) (sslSocket *, const PRNetAddr *);
+    PRFileDesc *(*accept)  (sslSocket *, PRNetAddr *);
+    int         (*bind)    (sslSocket *, const PRNetAddr *);
+    int         (*listen)  (sslSocket *, int);
+    int         (*shutdown)(sslSocket *, int);
+    int         (*close)   (sslSocket *);
+
+    int         (*recv)    (sslSocket *, unsigned char *, int, int);
+
+    /* points to the higher-layer send func, e.g. ssl_SecureSend. */
+    int         (*send)    (sslSocket *, const unsigned char *, int, int);
+    int         (*read)    (sslSocket *, unsigned char *, int);
+    int         (*write)   (sslSocket *, const unsigned char *, int);
+
+    int         (*getpeername)(sslSocket *, PRNetAddr *);
+    int         (*getsockname)(sslSocket *, PRNetAddr *);
+};
+
+/* Flags interpreted by ssl send functions. */
+#define ssl_SEND_FLAG_FORCE_INTO_BUFFER	0x40000000
+#define ssl_SEND_FLAG_NO_BUFFER		0x20000000
+#define ssl_SEND_FLAG_MASK		0x7f000000
+
+/*
+** A buffer object.
+*/
+struct sslBufferStr {
+    unsigned char *	buf;
+    unsigned int 	len;
+    unsigned int 	space;
+};
+
+/*
+** SSL3 cipher suite policy and preference struct.
+*/
+typedef struct {
+#if !defined(_WIN32)
+    unsigned int    cipher_suite : 16;
+    unsigned int    policy       :  8;
+    unsigned int    enabled      :  1;
+    unsigned int    isPresent    :  1;
+#else
+    ssl3CipherSuite cipher_suite;
+    PRUint8         policy;
+    unsigned char   enabled   : 1;
+    unsigned char   isPresent : 1;
+#endif
+} ssl3CipherSuiteCfg;
+
+#define ssl_V3_SUITES_IMPLEMENTED 25
+
+typedef struct sslOptionsStr {
+    unsigned int useSecurity		: 1;  /*  1 */
+    unsigned int useSocks		: 1;  /*  2 */
+    unsigned int requestCertificate	: 1;  /*  3 */
+    unsigned int requireCertificate	: 2;  /*  4-5 */
+    unsigned int handshakeAsClient	: 1;  /*  6 */
+    unsigned int handshakeAsServer	: 1;  /*  7 */
+    unsigned int enableSSL2		: 1;  /*  8 */
+    unsigned int enableSSL3		: 1;  /*  9 */
+    unsigned int enableTLS		: 1;  /* 10 */
+    unsigned int noCache		: 1;  /* 11 */
+    unsigned int fdx			: 1;  /* 12 */
+    unsigned int v2CompatibleHello	: 1;  /* 13 */
+    unsigned int detectRollBack  	: 1;  /* 14 */
+} sslOptions;
+
+typedef enum { sslHandshakingUndetermined = 0,
+	       sslHandshakingAsClient,
+	       sslHandshakingAsServer 
+} sslHandshakingType;
+
+typedef struct sslServerCertsStr {
+    /* Configuration state for server sockets */
+    CERTCertificate *     serverCert;
+    CERTCertificateList * serverCertChain;
+    SECKEYPrivateKey *    serverKey;
+    unsigned int          serverKeyBits;
+} sslServerCerts;
+
+
+#define SSL_LOCK_RANK_SPEC 	255
+#define SSL_LOCK_RANK_GLOBAL 	NSS_RWLOCK_RANK_NONE
+
+/* These are the valid values for shutdownHow. 
+** These values are each 1 greater than the NSPR values, and the code
+** depends on that relation to efficiently convert PR_SHUTDOWN values 
+** into ssl_SHUTDOWN values.  These values use one bit for read, and 
+** another bit for write, and can be used as bitmasks.
+*/
+#define ssl_SHUTDOWN_NONE	0	/* NOT shutdown at all */
+#define ssl_SHUTDOWN_RCV	1	/* PR_SHUTDOWN_RCV  +1 */
+#define ssl_SHUTDOWN_SEND	2	/* PR_SHUTDOWN_SEND +1 */
+#define ssl_SHUTDOWN_BOTH	3	/* PR_SHUTDOWN_BOTH +1 */
+
+/*
+** A gather object. Used to read some data until a count has been
+** satisfied. Primarily for support of async sockets.
+** Everything in here is protected by the recvBufLock.
+*/
+struct sslGatherStr {
+    int           state;	/* see GS_ values below. */     /* ssl 2 & 3 */
+
+    /* "buf" holds received plaintext SSL records, after decrypt and MAC check.
+     * SSL2: recv'd ciphertext records are put here, then decrypted in place.
+     * SSL3: recv'd ciphertext records are put in inbuf (see below), then 
+     *       decrypted into buf.
+     */
+    sslBuffer     buf;				/*recvBufLock*/	/* ssl 2 & 3 */
+
+    /* number of bytes previously read into hdr or buf(ssl2) or inbuf (ssl3). 
+    ** (offset - writeOffset) is the number of ciphertext bytes read in but 
+    **     not yet deciphered.
+    */
+    unsigned int  offset;                                       /* ssl 2 & 3 */
+
+    /* number of bytes to read in next call to ssl_DefRecv (recv) */
+    unsigned int  remainder;                                    /* ssl 2 & 3 */
+
+    /* Number of ciphertext bytes to read in after 2-byte SSL record header. */
+    unsigned int  count;					/* ssl2 only */
+
+    /* size of the final plaintext record. 
+    ** == count - (recordPadding + MAC size)
+    */
+    unsigned int  recordLen;					/* ssl2 only */
+
+    /* number of bytes of padding to be removed after decrypting. */
+    /* This value is taken from the record's hdr[2], which means a too large
+     * value could crash us.
+     */
+    unsigned int  recordPadding;				/* ssl2 only */
+
+    /* plaintext DATA begins this many bytes into "buf".  */
+    unsigned int  recordOffset;					/* ssl2 only */
+
+    int           encrypted;    /* SSL2 session is now encrypted.  ssl2 only */
+
+    /* These next two values are used by SSL2 and SSL3.  
+    ** DoRecv uses them to extract application data.
+    ** The difference between writeOffset and readOffset is the amount of 
+    ** data available to the application.   Note that the actual offset of 
+    ** the data in "buf" is recordOffset (above), not readOffset.
+    ** In the current implementation, this is made available before the 
+    ** MAC is checked!!
+    */
+    unsigned int  readOffset;  /* Spot where DATA reader (e.g. application
+                               ** or handshake code) will read next.
+                               ** Always zero for SSl3 application data.
+			       */
+    /* offset in buf/inbuf/hdr into which new data will be read from socket. */
+    unsigned int  writeOffset; 
+
+    /* Buffer for ssl3 to read (encrypted) data from the socket */
+    sslBuffer     inbuf;			/*recvBufLock*/	/* ssl3 only */
+
+    /* The ssl[23]_GatherData functions read data into this buffer, rather
+    ** than into buf or inbuf, while in the GS_HEADER state.  
+    ** The portion of the SSL record header put here always comes off the wire 
+    ** as plaintext, never ciphertext.
+    ** For SSL2, the plaintext portion is two bytes long.  For SSl3 it is 5.
+    */
+    unsigned char hdr[5];					/* ssl 2 & 3 */
+};
+
+/* sslGather.state */
+#define GS_INIT		0
+#define GS_HEADER	1
+#define GS_MAC		2
+#define GS_DATA		3
+#define GS_PAD		4
+
+typedef SECStatus (*SSLCipher)(void *               context, 
+                               unsigned char *      out,
+			       int *                outlen, 
+			       int                  maxout, 
+			       const unsigned char *in,
+			       int                  inlen);
+typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
+
+
+
+/*
+** ssl3State and CipherSpec structs
+*/
+
+/* The SSL bulk cipher definition */
+typedef enum {
+    cipher_null,
+    cipher_rc4, 
+    cipher_rc4_40,
+    cipher_rc4_56,
+    cipher_rc2, 
+    cipher_rc2_40,
+    cipher_des, 
+    cipher_3des, 
+    cipher_des40,
+    cipher_idea, 
+    cipher_fortezza,
+    cipher_aes_128,
+    cipher_aes_256,
+    cipher_missing              /* reserved for no such supported cipher */
+} SSL3BulkCipher;
+
+typedef enum { type_stream, type_block } CipherType;
+
+#define MAX_IV_LENGTH 64
+
+/*
+ * Do not depend upon 64 bit arithmetic in the underlying machine. 
+ */
+typedef struct {
+    uint32         high;
+    uint32         low;
+} SSL3SequenceNumber;
+
+typedef struct {
+    SSL3Opaque write_iv[MAX_IV_LENGTH];
+    PK11SymKey *write_key;
+    PK11SymKey *write_mac_key;
+    PK11Context *write_mac_context;
+} ssl3KeyMaterial;
+
+typedef struct {
+    SSL3Opaque        wrapped_client_write_key[12]; /* wrapped with Ks */
+    SSL3Opaque        wrapped_server_write_key[12]; /* wrapped with Ks */
+    SSL3Opaque        client_write_iv         [24];
+    SSL3Opaque        server_write_iv         [24];
+    SSL3Opaque        wrapped_master_secret   [48];
+    PRUint16          wrapped_master_secret_len;
+} ssl3SidKeys;
+
+/*
+** These are the "specs" in the "ssl3" struct.
+** Access to the pointers to these specs, and all the specs' contents
+** (direct and indirect) is protected by the reader/writer lock ss->specLock.
+*/
+typedef struct {
+    const ssl3BulkCipherDef *cipher_def;
+    const ssl3MACDef * mac_def;
+    int                mac_size;
+    SSLCipher          encode;
+    void *             encodeContext;
+    SSLCipher          decode;
+    void *             decodeContext;
+    SSLDestroy         destroy;
+    PK11SymKey *       master_secret;
+    ssl3KeyMaterial    client;
+    ssl3KeyMaterial    server;
+    SSL3SequenceNumber write_seq_num;
+    SSL3SequenceNumber read_seq_num;
+    SSL3ProtocolVersion version;
+} ssl3CipherSpec;
+
+typedef enum {	never_cached, 
+		in_client_cache, 
+		in_server_cache, 
+		invalid_cache		/* no longer in any cache. */
+} Cached;
+
+struct sslSessionIDStr {
+    sslSessionID *        next;   /* chain used for client sockets, only */
+
+    CERTCertificate *     peerCert;
+    const char *          peerID;     /* client only */
+    const char *          urlSvrName; /* client only */
+    CERTCertificate *     localCert;
+
+    PRIPv6Addr            addr;
+    PRUint16              port;
+
+    SSL3ProtocolVersion   version;
+
+    PRUint32              creationTime;		/* seconds since Jan 1, 1970 */
+    PRUint32              lastAccessTime;	/* seconds since Jan 1, 1970 */
+    PRUint32              expirationTime;	/* seconds since Jan 1, 1970 */
+    Cached                cached;
+    int                   references;
+
+    SSLSignType           authAlgorithm;
+    PRUint32              authKeyBits;
+    SSLKEAType            keaType;
+    PRUint32              keaKeyBits;
+
+    union {
+	struct {
+	    /* the V2 code depends upon the size of sessionID.  */
+	    unsigned char         sessionID[SSL2_SESSIONID_BYTES];
+
+	    /* Stuff used to recreate key and read/write cipher objects */
+	    SECItem               masterKey;
+	    int                   cipherType;
+	    SECItem               cipherArg;
+	    int                   keyBits;
+	    int                   secretKeyBits;
+	} ssl2;
+	struct {
+	    /* values that are copied into the server's on-disk SID cache. */
+	    uint8                 sessionIDLength;
+	    SSL3Opaque            sessionID[SSL3_SESSIONID_BYTES];
+
+	    ssl3CipherSuite       cipherSuite;
+	    SSL3CompressionMethod compression;
+	    PRBool                resumable;
+	    int                   policy;
+	    PRBool                hasFortezza;
+	    ssl3SidKeys           keys;
+	    CK_MECHANISM_TYPE     masterWrapMech;
+				  /* mechanism used to wrap master secret */
+            SSL3KEAType           exchKeyType;
+				  /* key type used in exchange algorithm,
+				   * and to wrap the sym wrapping key. */
+
+	    /* The following values are NOT restored from the server's on-disk
+	     * session cache, but are restored from the client's cache.
+	     */
+ 	    PK11SymKey *      clientWriteKey;
+	    PK11SymKey *      serverWriteKey;
+	    PK11SymKey *      tek;
+
+	    /* The following values pertain to the slot that wrapped the 
+	    ** master secret. (used only in client)
+	    */
+	    SECMODModuleID    masterModuleID;
+				    /* what module wrapped the master secret */
+	    CK_SLOT_ID        masterSlotID;
+	    PRUint16	      masterWrapIndex;
+				/* what's the key index for the wrapping key */
+	    PRUint16          masterWrapSeries;
+	                        /* keep track of the slot series, so we don't 
+				 * accidently try to use new keys after the 
+				 * card gets removed and replaced.*/
+
+	    /* The following values pertain to the slot that did the signature
+	    ** for client auth.   (used only in client)
+	    */
+	    SECMODModuleID    clAuthModuleID;
+	    CK_SLOT_ID        clAuthSlotID;
+	    PRUint16          clAuthSeries;
+
+            char              masterValid;
+	    char              clAuthValid;
+
+	    /* the following values are used only in the client, and only 
+	     * with fortezza.
+	     */
+	    SSL3Opaque       clientWriteSave[80]; 
+	    int              clientWriteSaveLen;  
+	} ssl3;
+    } u;
+};
+
+
+typedef struct ssl3CipherSuiteDefStr {
+    ssl3CipherSuite          cipher_suite;
+    SSL3BulkCipher           bulk_cipher_alg;
+    SSL3MACAlgorithm         mac_alg;
+    SSL3KeyExchangeAlgorithm key_exchange_alg;
+} ssl3CipherSuiteDef;
+
+/*
+** There are tables of these, all const.
+*/
+typedef struct {
+    SSL3KeyExchangeAlgorithm kea;
+    SSL3KEAType              exchKeyType;
+    SSL3SignType             signKeyType;
+    PRBool                   is_limited;
+    int                      key_size_limit;
+    PRBool                   tls_keygen;
+} ssl3KEADef;
+
+typedef enum { kg_null, kg_strong, kg_export } SSL3KeyGenMode;
+
+/*
+** There are tables of these, all const.
+*/
+struct ssl3BulkCipherDefStr {
+    SSL3BulkCipher  cipher;
+    SSLCipherAlgorithm calg;
+    int             key_size;
+    int             secret_key_size;
+    CipherType      type;
+    int             iv_size;
+    int             block_size;
+    SSL3KeyGenMode  keygen_mode;
+};
+
+/*
+** There are tables of these, all const.
+*/
+struct ssl3MACDefStr {
+    SSL3MACAlgorithm mac;
+    CK_MECHANISM_TYPE mmech;
+    int              pad_size;
+    int              mac_size;
+};
+
+typedef enum {
+    wait_client_hello, 
+    wait_client_cert, 
+    wait_client_key,
+    wait_cert_verify, 
+    wait_change_cipher, 
+    wait_finished,
+    wait_server_hello, 
+    wait_server_cert, 
+    wait_server_key,
+    wait_cert_request, 
+    wait_hello_done,
+    idle_handshake
+} SSL3WaitState;
+
+/*
+** This is the "hs" member of the "ssl3" struct.
+** This entire struct is protected by ssl3HandshakeLock
+*/
+typedef struct SSL3HandshakeStateStr {
+    SSL3Random            server_random;
+    SSL3Random            client_random;
+    SSL3WaitState         ws;
+    PK11Context *         md5;            /* handshake running hashes */
+    PK11Context *         sha;
+const ssl3KEADef *        kea_def;
+    ssl3CipherSuite       cipher_suite;
+const ssl3CipherSuiteDef *suite_def;
+    SSL3CompressionMethod compression;
+    sslBuffer             msg_body;    /* protected by recvBufLock */
+                               /* partial handshake message from record layer */
+    unsigned int          header_bytes; 
+                               /* number of bytes consumed from handshake */
+                               /* message for message type and header length */
+    SSL3HandshakeType     msg_type;
+    unsigned long         msg_len;
+    SECItem               ca_list;     /* used only by client */
+    PRBool                isResuming;  /* are we resuming a session */
+    PRBool                rehandshake; /* immediately start another handshake 
+                                        * when this one finishes */
+    PRBool                usedStepDownKey;  /* we did a server key exchange. */
+    sslBuffer             msgState;    /* current state for handshake messages*/
+                                       /* protected by recvBufLock */
+} SSL3HandshakeState;
+
+struct SSL3FortezzaKEAParamsStr {
+    unsigned char R_s[128];		/* server's "random" public key	*/
+    PK11SymKey *  tek;
+};
+
+typedef struct SSL3FortezzaKEAParamsStr SSL3FortezzaKEAParams;
+
+/*
+** This is the "ssl3" struct, as in "ss->ssl3".
+** note:
+** usually,   crSpec == cwSpec and prSpec == pwSpec.  
+** Sometimes, crSpec == pwSpec and prSpec == cwSpec.
+** But there are never more than 2 actual specs.  
+** No spec must ever be modified if either "current" pointer points to it.
+*/
+struct ssl3StateStr {
+
+    /*
+    ** The following Specs and Spec pointers must be protected using the 
+    ** Spec Lock.
+    */
+    ssl3CipherSpec *     crSpec; 	/* current read spec. */
+    ssl3CipherSpec *     prSpec; 	/* pending read spec. */
+    ssl3CipherSpec *     cwSpec; 	/* current write spec. */
+    ssl3CipherSpec *     pwSpec; 	/* pending write spec. */
+    ssl3CipherSpec       specs[2];	/* one is current, one is pending. */
+
+    SSL3HandshakeState   hs;
+
+    CERTCertificate *    clientCertificate;  /* used by client */
+    SECKEYPrivateKey *   clientPrivateKey;   /* used by client */
+    CERTCertificateList *clientCertChain;    /* used by client */
+    PRBool               sendEmptyCert;      /* used by client */
+
+    int                  policy;
+			/* This says what cipher suites we can do, and should 
+			 * be either SSL_ALLOWED or SSL_RESTRICTED 
+			 */
+    PRArenaPool *        peerCertArena;  
+			    /* These are used to keep track of the peer CA */
+    void *               peerCertChain;     
+			    /* chain while we are trying to validate it.   */
+    CERTDistNames *      ca_list; 
+			    /* used by server.  trusted CAs for this socket. */
+    SSL3FortezzaKEAParams fortezza;
+};
+
+typedef struct {
+    SSL3ContentType      type;
+    SSL3ProtocolVersion  version;
+    sslBuffer *          buf;
+} SSL3Ciphertext;
+
+struct ssl3KeyPairStr {
+    SECKEYPrivateKey *    privKey;		/* RSA step down key */
+    SECKEYPublicKey *     pubKey;		/* RSA step down key */
+    PRInt32               refCount;	/* use PR_Atomic calls for this. */
+};
+
+typedef struct SSLWrappedSymWrappingKeyStr {
+    SSL3Opaque        wrappedSymmetricWrappingkey[512];
+    SSL3Opaque        wrapIV[24];
+    CK_MECHANISM_TYPE symWrapMechanism;  
+		    /* unwrapped symmetric wrapping key uses this mechanism */
+    CK_MECHANISM_TYPE asymWrapMechanism; 
+		    /* mechanism used to wrap the SymmetricWrappingKey using
+		     * server's public and/or private keys. */
+    SSL3KEAType       exchKeyType;   /* type of keys used to wrap SymWrapKey*/
+    PRInt32           symWrapMechIndex;
+    PRUint16          wrappedSymKeyLen;
+    PRUint16          wrapIVLen;
+} SSLWrappedSymWrappingKey;
+
+
+
+
+
+
+
+
+
+
+/*
+ * SSL2 buffers used in SSL3.
+ *     writeBuf in the SecurityInfo maintained by sslsecur.c is used
+ *              to hold the data just about to be passed to the kernel
+ *     sendBuf in the ConnectInfo maintained by sslcon.c is used
+ *              to hold handshake messages as they are accumulated
+ */
+
+/*
+** This is "ci", as in "ss->sec->ci".
+**
+** Protection:  All the variables in here are protected by 
+** firstHandshakeLock AND (in ssl3) ssl3HandshakeLock 
+*/
+struct sslConnectInfoStr {
+    /* outgoing handshakes appended to this. */
+    sslBuffer       sendBuf;	                /*xmitBufLock*/ /* ssl 2 & 3 */
+
+    PRIPv6Addr      peer;                                       /* ssl 2 & 3 */
+    unsigned short  port;                                       /* ssl 2 & 3 */
+
+    sslSessionID   *sid;                                        /* ssl 2 & 3 */
+
+    /* see CIS_HAVE defines below for the bit values in *elements. */
+    char            elements;					/* ssl2 only */
+    char            requiredElements;				/* ssl2 only */
+    char            sentElements;                               /* ssl2 only */
+
+    char            sentFinished;                               /* ssl2 only */
+
+    /* Length of server challenge.  Used by client when saving challenge */
+    int             serverChallengeLen;                         /* ssl2 only */
+    /* type of authentication requested by server */
+    unsigned char   authType;                                   /* ssl2 only */
+
+    /* Challenge sent by client to server in client-hello message */
+    /* SSL3 gets a copy of this.  See ssl3_StartHandshakeHash().  */
+    unsigned char   clientChallenge[SSL_MAX_CHALLENGE_BYTES];   /* ssl 2 & 3 */
+
+    /* Connection-id sent by server to client in server-hello message */
+    unsigned char   connectionID[SSL_CONNECTIONID_BYTES];	/* ssl2 only */
+
+    /* Challenge sent by server to client in request-certificate message */
+    unsigned char   serverChallenge[SSL_MAX_CHALLENGE_BYTES];	/* ssl2 only */
+
+    /* Information kept to handle a request-certificate message */
+    unsigned char   readKey[SSL_MAX_MASTER_KEY_BYTES];		/* ssl2 only */
+    unsigned char   writeKey[SSL_MAX_MASTER_KEY_BYTES];		/* ssl2 only */
+    unsigned        keySize;					/* ssl2 only */
+};
+
+/* bit values for ci->elements, ci->requiredElements, sentElements. */
+#define CIS_HAVE_MASTER_KEY		0x01
+#define CIS_HAVE_CERTIFICATE		0x02
+#define CIS_HAVE_FINISHED		0x04
+#define CIS_HAVE_VERIFY			0x08
+
+/* Note: The entire content of this struct and whatever it points to gets
+ * blown away by SSL_ResetHandshake().  This is "sec" as in "ss->sec".
+ *
+ * Unless otherwise specified below, the contents of this struct are 
+ * protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock.
+ */
+struct sslSecurityInfoStr {
+    sslSendFunc      send;			/*xmitBufLock*/	/* ssl 2 & 3 */
+    int              isServer;			/* Spec Lock?*/	/* ssl 2 & 3 */
+    sslBuffer        writeBuf;			/*xmitBufLock*/	/* ssl 2 & 3 */
+
+    int              cipherType;				/* ssl 2 & 3 */
+    int              keyBits;					/* ssl 2 & 3 */
+    int              secretKeyBits;				/* ssl 2 & 3 */
+    CERTCertificate *localCert;					/* ssl 2 & 3 */
+    CERTCertificate *peerCert;					/* ssl 2 & 3 */
+    SECKEYPublicKey *peerKey;					/* ssl3 only */
+
+    SSLSignType      authAlgorithm;
+    PRUint32         authKeyBits;
+    SSLKEAType       keaType;
+    PRUint32         keaKeyBits;
+
+    /*
+    ** Procs used for SID cache (nonce) management. 
+    ** Different implementations exist for clients/servers 
+    ** The lookup proc is only used for servers.  Baloney!
+    */
+    sslSessionIDCacheFunc     cache;				/* ssl 2 & 3 */
+    sslSessionIDUncacheFunc   uncache;				/* ssl 2 & 3 */
+
+    /*
+    ** everything below here is for ssl2 only.
+    ** This stuff is equivalent to SSL3's "spec", and is protected by the 
+    ** same "Spec Lock" as used for SSL3's specs.
+    */
+    uint32           sendSequence;		/*xmitBufLock*/	/* ssl2 only */
+    uint32           rcvSequence;		/*recvBufLock*/	/* ssl2 only */
+
+    /* Hash information; used for one-way-hash functions (MD2, MD5, etc.) */
+    const SECHashObject   *hash;		/* Spec Lock */ /* ssl2 only */
+    void            *hashcx;			/* Spec Lock */	/* ssl2 only */
+
+    SECItem          sendSecret;		/* Spec Lock */	/* ssl2 only */
+    SECItem          rcvSecret;			/* Spec Lock */	/* ssl2 only */
+
+    /* Session cypher contexts; one for each direction */
+    void            *readcx;			/* Spec Lock */	/* ssl2 only */
+    void            *writecx;			/* Spec Lock */	/* ssl2 only */
+    SSLCipher        enc;			/* Spec Lock */	/* ssl2 only */
+    SSLCipher        dec;			/* Spec Lock */	/* ssl2 only */
+    void           (*destroy)(void *, PRBool);	/* Spec Lock */	/* ssl2 only */
+
+    /* Blocking information for the session cypher */
+    int              blockShift;		/* Spec Lock */	/* ssl2 only */
+    int              blockSize;			/* Spec Lock */	/* ssl2 only */
+
+    /* These are used during a connection handshake */
+    sslConnectInfo   ci;					/* ssl 2 & 3 */
+
+};
+
+
+/*
+** SSL Socket struct
+**
+** Protection:  XXX
+*/
+struct sslSocketStr {
+    PRFileDesc *	fd;
+
+    /* Pointer to operations vector for this socket */
+    const sslSocketOps * ops;
+
+    /* State flags */
+    unsigned int     useSocks		: 1;
+    unsigned int     useSecurity	: 1;
+    unsigned int     requestCertificate	: 1;
+    unsigned int     requireCertificate	: 2;
+    unsigned int     handshakeAsClient	: 1;
+    unsigned int     handshakeAsServer	: 1;
+    unsigned int     enableSSL2		: 1;
+
+    unsigned int     enableSSL3		: 1;
+    unsigned int     enableTLS		: 1;
+    unsigned int     clientAuthRequested: 1;
+    unsigned int     noCache		: 1;
+    unsigned int     fdx		: 1; /* simultaneous R/W threads */
+    unsigned int     v2CompatibleHello	: 1; /* Send v3+ client hello in v2 format */
+    unsigned int     detectRollBack   	: 1; /* Detect rollback to SSL v3 */
+    unsigned int     firstHsDone	: 1; /* first handshake is complete. */
+
+    unsigned int     recvdCloseNotify	: 1; /* received SSL EOF. */
+    unsigned int     lastWriteBlocked   : 1;
+    unsigned int     TCPconnected       : 1;
+    unsigned int     handshakeBegun     : 1;
+    unsigned int     delayDisabled      : 1; /* Nagle delay disabled */
+
+    /* version of the protocol to use */
+    SSL3ProtocolVersion version;
+    SSL3ProtocolVersion clientHelloVersion; /* version sent in client hello. */
+
+    sslSecurityInfo  sec;		/* not a pointer any more */
+
+    /* protected by firstHandshakeLock AND (in ssl3) ssl3HandshakeLock. */
+    const char      *url;				/* ssl 2 & 3 */
+
+    /* Gather object used for gathering data */
+    sslGather        gs;				/*recvBufLock*/
+
+    sslHandshakeFunc handshake;				/*firstHandshakeLock*/
+    sslHandshakeFunc nextHandshake;			/*firstHandshakeLock*/
+    sslHandshakeFunc securityHandshake;			/*firstHandshakeLock*/
+
+    sslBuffer        saveBuf;				/*xmitBufLock*/
+    sslBuffer        pendingBuf;			/*xmitBufLock*/
+
+    /* the following variable is only used with socks or other proxies. */
+    char *           peerID;	/* String uniquely identifies target server. */
+
+    ssl3State *      ssl3;
+    unsigned char *  cipherSpecs;
+    unsigned int     sizeCipherSpecs;
+const unsigned char *  preferredCipher;
+
+    /* Configuration state for server sockets */
+    /* server cert and key for each KEA type */
+    sslServerCerts        serverCerts[kt_kea_size];
+
+    ssl3KeyPair *         stepDownKeyPair;	/* RSA step down keys */
+
+    /* Callbacks */
+    SSLAuthCertificate        authCertificate;
+    void                     *authCertificateArg;
+    SSLGetClientAuthData      getClientAuthData;
+    void                     *getClientAuthDataArg;
+    SSLBadCertHandler         handleBadCert;
+    void                     *badCertArg;
+    SSLHandshakeCallback      handshakeCallback;
+    void                     *handshakeCallbackData;
+    void                     *pkcs11PinArg;
+
+    PRIntervalTime            rTimeout; /* timeout for NSPR I/O */
+    PRIntervalTime            wTimeout; /* timeout for NSPR I/O */
+    PRIntervalTime            cTimeout; /* timeout for NSPR I/O */
+
+    PZLock *      recvLock;	/* lock against multiple reader threads. */
+    PZLock *      sendLock;	/* lock against multiple sender threads. */
+
+    PZMonitor *   recvBufLock;	/* locks low level recv buffers. */
+    PZMonitor *   xmitBufLock;	/* locks low level xmit buffers. */
+
+    /* Only one thread may operate on the socket until the initial handshake
+    ** is complete.  This Monitor ensures that.  Since SSL2 handshake is
+    ** only done once, this is also effectively the SSL2 handshake lock.
+    */
+    PZMonitor *   firstHandshakeLock; 
+
+    /* This monitor protects the ssl3 handshake state machine data.
+    ** Only one thread (reader or writer) may be in the ssl3 handshake state
+    ** machine at any time.  */
+    PZMonitor *   ssl3HandshakeLock;
+
+    /* reader/writer lock, protects the secret data needed to encrypt and MAC
+    ** outgoing records, and to decrypt and MAC check incoming ciphertext 
+    ** records.  */
+    NSSRWLock *   specLock;
+
+    /* handle to perm cert db (and implicitly to the temp cert db) used 
+    ** with this socket. 
+    */
+    CERTCertDBHandle * dbHandle;
+
+    PRThread *  writerThread;   /* thread holds SSL_LOCK_WRITER lock */
+
+    PRUint16	shutdownHow; 	/* See ssl_SHUTDOWN defines below. */
+
+    PRUint16	allowedByPolicy;          /* copy of global policy bits. */
+    PRUint16	maybeAllowedByPolicy;     /* copy of global policy bits. */
+    PRUint16	chosenPreference;         /* SSL2 cipher preferences. */
+
+    sslHandshakingType handshaking;
+
+    ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED];
+
+};
+
+
+
+/* All the global data items declared here should be protected using the 
+** ssl_global_data_lock, which is a reader/writer lock.
+*/
+extern NSSRWLock *             ssl_global_data_lock;
+extern char                    ssl_debug;
+extern char                    ssl_trace;
+extern CERTDistNames *         ssl3_server_ca_list;
+extern PRUint32                ssl_sid_timeout;
+extern PRUint32                ssl3_sid_timeout;
+extern PRBool                  ssl3_global_policy_some_restricted;
+
+extern const char * const      ssl_cipherName[];
+extern const char * const      ssl3_cipherName[];
+
+extern sslSessionIDLookupFunc  ssl_sid_lookup;
+extern sslSessionIDCacheFunc   ssl_sid_cache;
+extern sslSessionIDUncacheFunc ssl_sid_uncache;
+
+/************************************************************************/
+
+SEC_BEGIN_PROTOS
+
+/* Implementation of ops for default (non socks, non secure) case */
+extern int ssl_DefConnect(sslSocket *ss, const PRNetAddr *addr);
+extern PRFileDesc *ssl_DefAccept(sslSocket *ss, PRNetAddr *addr);
+extern int ssl_DefBind(sslSocket *ss, const PRNetAddr *addr);
+extern int ssl_DefListen(sslSocket *ss, int backlog);
+extern int ssl_DefShutdown(sslSocket *ss, int how);
+extern int ssl_DefClose(sslSocket *ss);
+extern int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags);
+extern int ssl_DefSend(sslSocket *ss, const unsigned char *buf,
+		       int len, int flags);
+extern int ssl_DefRead(sslSocket *ss, unsigned char *buf, int len);
+extern int ssl_DefWrite(sslSocket *ss, const unsigned char *buf, int len);
+extern int ssl_DefGetpeername(sslSocket *ss, PRNetAddr *name);
+extern int ssl_DefGetsockname(sslSocket *ss, PRNetAddr *name);
+extern int ssl_DefGetsockopt(sslSocket *ss, PRSockOption optname,
+			     void *optval, PRInt32 *optlen);
+extern int ssl_DefSetsockopt(sslSocket *ss, PRSockOption optname,
+			     const void *optval, PRInt32 optlen);
+
+/* Implementation of ops for socks only case */
+extern int ssl_SocksConnect(sslSocket *ss, const PRNetAddr *addr);
+extern PRFileDesc *ssl_SocksAccept(sslSocket *ss, PRNetAddr *addr);
+extern int ssl_SocksBind(sslSocket *ss, const PRNetAddr *addr);
+extern int ssl_SocksListen(sslSocket *ss, int backlog);
+extern int ssl_SocksGetsockname(sslSocket *ss, PRNetAddr *name);
+extern int ssl_SocksRecv(sslSocket *ss, unsigned char *buf, int len, int flags);
+extern int ssl_SocksSend(sslSocket *ss, const unsigned char *buf,
+			 int len, int flags);
+extern int ssl_SocksRead(sslSocket *ss, unsigned char *buf, int len);
+extern int ssl_SocksWrite(sslSocket *ss, const unsigned char *buf, int len);
+
+/* Implementation of ops for secure only case */
+extern int ssl_SecureConnect(sslSocket *ss, const PRNetAddr *addr);
+extern PRFileDesc *ssl_SecureAccept(sslSocket *ss, PRNetAddr *addr);
+extern int ssl_SecureRecv(sslSocket *ss, unsigned char *buf,
+			  int len, int flags);
+extern int ssl_SecureSend(sslSocket *ss, const unsigned char *buf,
+			  int len, int flags);
+extern int ssl_SecureRead(sslSocket *ss, unsigned char *buf, int len);
+extern int ssl_SecureWrite(sslSocket *ss, const unsigned char *buf, int len);
+extern int ssl_SecureShutdown(sslSocket *ss, int how);
+extern int ssl_SecureClose(sslSocket *ss);
+
+/* Implementation of ops for secure socks case */
+extern int ssl_SecureSocksConnect(sslSocket *ss, const PRNetAddr *addr);
+extern PRFileDesc *ssl_SecureSocksAccept(sslSocket *ss, PRNetAddr *addr);
+extern PRFileDesc *ssl_FindTop(sslSocket *ss);
+
+/* Gather funcs. */
+extern sslGather * ssl_NewGather(void);
+extern SECStatus   ssl_InitGather(sslGather *gs);
+extern void        ssl_DestroyGather(sslGather *gs);
+extern int         ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags);
+extern int         ssl2_GatherRecord(sslSocket *ss, int flags);
+extern SECStatus   ssl_GatherRecord1stHandshake(sslSocket *ss);
+
+extern SECStatus   ssl2_HandleClientHelloMessage(sslSocket *ss);
+extern SECStatus   ssl2_HandleServerHelloMessage(sslSocket *ss);
+extern int         ssl2_StartGatherBytes(sslSocket *ss, sslGather *gs, 
+                                         unsigned int count);
+
+extern SECStatus   ssl_CreateSecurityInfo(sslSocket *ss);
+extern SECStatus   ssl_CopySecurityInfo(sslSocket *ss, sslSocket *os);
+extern void        ssl_ResetSecurityInfo(sslSecurityInfo *sec);
+extern void        ssl_DestroySecurityInfo(sslSecurityInfo *sec);
+
+extern sslSocket * ssl_DupSocket(sslSocket *old);
+
+extern void        ssl_PrintBuf(sslSocket *ss, const char *msg, const void *cp, int len);
+extern void        ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len);
+
+extern int         ssl_SendSavedWriteData(sslSocket *ss, sslBuffer *buf,
+				          sslSendFunc fp);
+extern SECStatus ssl_SaveWriteData(sslSocket *ss, sslBuffer *buf, 
+                                   const void* p, unsigned int l);
+extern SECStatus ssl2_BeginClientHandshake(sslSocket *ss);
+extern SECStatus ssl2_BeginServerHandshake(sslSocket *ss);
+extern int       ssl_Do1stHandshake(sslSocket *ss);
+
+extern SECStatus sslBuffer_Grow(sslBuffer *b, unsigned int newLen);
+
+extern void      ssl2_UseClearSendFunc(sslSocket *ss);
+extern void      ssl_ChooseSessionIDProcs(sslSecurityInfo *sec);
+
+extern sslSessionID *ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, 
+                                   const char *peerID, const char *urlSvrName);
+extern void      ssl_FreeSID(sslSessionID *sid);
+
+extern int       ssl3_SendApplicationData(sslSocket *ss, const PRUint8 *in,
+				          int len, int flags);
+
+extern PRBool    ssl_FdIsBlocking(PRFileDesc *fd);
+
+extern PRBool    ssl_SocketIsBlocking(sslSocket *ss);
+
+extern void      ssl_SetAlwaysBlock(sslSocket *ss);
+
+extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled);
+
+#define SSL_LOCK_READER(ss)		if (ss->recvLock) PZ_Lock(ss->recvLock)
+#define SSL_UNLOCK_READER(ss)	if (ss->recvLock) PZ_Unlock(ss->recvLock)
+#define SSL_LOCK_WRITER(ss)		if (ss->sendLock) PZ_Lock(ss->sendLock)
+#define SSL_UNLOCK_WRITER(ss)	if (ss->sendLock) PZ_Unlock(ss->sendLock)
+
+#define ssl_Get1stHandshakeLock(ss)    PZ_EnterMonitor((ss)->firstHandshakeLock)
+#define ssl_Release1stHandshakeLock(ss) PZ_ExitMonitor((ss)->firstHandshakeLock)
+#define ssl_Have1stHandshakeLock(ss)	PZ_InMonitor(  (ss)->firstHandshakeLock)
+
+#define ssl_GetSSL3HandshakeLock(ss)	PZ_EnterMonitor((ss)->ssl3HandshakeLock)
+#define ssl_ReleaseSSL3HandshakeLock(ss) PZ_ExitMonitor((ss)->ssl3HandshakeLock)
+#define ssl_HaveSSL3HandshakeLock(ss)	PZ_InMonitor(   (ss)->ssl3HandshakeLock)
+
+#define ssl_GetSpecReadLock(ss)		NSSRWLock_LockRead(     (ss)->specLock)
+#define ssl_ReleaseSpecReadLock(ss)	NSSRWLock_UnlockRead(   (ss)->specLock)
+
+#define ssl_GetSpecWriteLock(ss)	NSSRWLock_LockWrite(  (ss)->specLock)
+#define ssl_ReleaseSpecWriteLock(ss)	NSSRWLock_UnlockWrite((ss)->specLock)
+#define ssl_HaveSpecWriteLock(ss)	NSSRWLock_HaveWriteLock((ss)->specLock)
+
+#define ssl_GetRecvBufLock(ss)		PZ_EnterMonitor((ss)->recvBufLock)
+#define ssl_ReleaseRecvBufLock(ss)	PZ_ExitMonitor( (ss)->recvBufLock)
+#define ssl_HaveRecvBufLock(ss)		PZ_InMonitor(   (ss)->recvBufLock)
+
+#define ssl_GetXmitBufLock(ss)		PZ_EnterMonitor((ss)->xmitBufLock)
+#define ssl_ReleaseXmitBufLock(ss)	PZ_ExitMonitor( (ss)->xmitBufLock)
+#define ssl_HaveXmitBufLock(ss)		PZ_InMonitor(   (ss)->xmitBufLock)
+
+
+/* These functions are called from secnav, even though they're "private". */
+
+extern int ssl2_SendErrorMessage(struct sslSocketStr *ss, int error);
+extern int SSL_RestartHandshakeAfterServerCert(struct sslSocketStr *ss);
+extern int SSL_RestartHandshakeAfterCertReq(struct sslSocketStr *ss,
+					    CERTCertificate *cert,
+					    SECKEYPrivateKey *key,
+					    CERTCertificateList *certChain);
+extern sslSocket *ssl_FindSocket(PRFileDesc *fd);
+extern void ssl_FreeSocket(struct sslSocketStr *ssl);
+extern SECStatus SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level,
+				SSL3AlertDescription desc);
+
+extern int ssl2_RestartHandshakeAfterCertReq(sslSocket *          ss,
+					     CERTCertificate *    cert, 
+					     SECKEYPrivateKey *   key);
+
+extern SECStatus ssl3_RestartHandshakeAfterCertReq(sslSocket *    ss,
+					     CERTCertificate *    cert, 
+					     SECKEYPrivateKey *   key,
+					     CERTCertificateList *certChain);
+
+extern int ssl2_RestartHandshakeAfterServerCert(sslSocket *ss);
+extern int ssl3_RestartHandshakeAfterServerCert(sslSocket *ss);
+
+/*
+ * for dealing with SSL 3.0 clients sending SSL 2.0 format hellos
+ */
+extern SECStatus ssl3_HandleV2ClientHello(
+    sslSocket *ss, unsigned char *buffer, int length);
+extern SECStatus ssl3_StartHandshakeHash(
+    sslSocket *ss, unsigned char *buf, int length);
+
+/*
+ * SSL3 specific routines
+ */
+SECStatus ssl3_SendClientHello(sslSocket *ss);
+
+/*
+ * input into the SSL3 machinery from the actualy network reading code
+ */
+SECStatus ssl3_HandleRecord(
+    sslSocket *ss, SSL3Ciphertext *cipher, sslBuffer *out);
+
+int ssl3_GatherAppDataRecord(sslSocket *ss, int flags);
+int ssl3_GatherCompleteHandshake(sslSocket *ss, int flags);
+/*
+ * When talking to export clients or using export cipher suites, servers 
+ * with public RSA keys larger than 512 bits need to use a 512-bit public
+ * key, signed by the larger key.  The smaller key is a "step down" key.
+ * Generate that key pair and keep it around.
+ */
+extern SECStatus ssl3_CreateRSAStepDownKeys(sslSocket *ss);
+
+extern SECStatus ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool on);
+extern SECStatus ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *on);
+extern SECStatus ssl2_CipherPrefSetDefault(PRInt32 which, PRBool enabled);
+extern SECStatus ssl2_CipherPrefGetDefault(PRInt32 which, PRBool *enabled);
+
+extern SECStatus ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool on);
+extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *on);
+extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled);
+extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled);
+
+extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy);
+extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy);
+extern SECStatus ssl2_SetPolicy(PRInt32 which, PRInt32 policy);
+extern SECStatus ssl2_GetPolicy(PRInt32 which, PRInt32 *policy);
+
+extern void      ssl2_InitSocketPolicy(sslSocket *ss);
+extern void      ssl3_InitSocketPolicy(sslSocket *ss);
+
+extern SECStatus ssl3_ConstructV2CipherSpecsHack(sslSocket *ss,
+						 unsigned char *cs, int *size);
+
+extern SECStatus ssl3_RedoHandshake(sslSocket *ss, PRBool flushCache);
+
+extern void ssl3_DestroySSL3Info(ssl3State *ssl3);
+
+extern SECStatus ssl3_NegotiateVersion(sslSocket *ss, 
+                                       SSL3ProtocolVersion peerVersion);
+
+extern SECStatus ssl_GetPeerInfo(sslSocket *ss);
+
+/* Construct a new NSPR socket for the app to use */
+extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd);
+extern void ssl_FreePRSocket(PRFileDesc *fd);
+
+/* Internal config function so SSL2 can initialize the present state of 
+ * various ciphers */
+extern int ssl3_config_match_init(sslSocket *);
+
+
+/* Create a new ref counted key pair object from two keys. */
+extern ssl3KeyPair * ssl3_NewKeyPair( SECKEYPrivateKey * privKey, 
+                                      SECKEYPublicKey * pubKey);
+
+/* get a new reference (bump ref count) to an ssl3KeyPair. */
+extern ssl3KeyPair * ssl3_GetKeyPairRef(ssl3KeyPair * keyPair);
+
+/* Decrement keypair's ref count and free if zero. */
+extern void ssl3_FreeKeyPair(ssl3KeyPair * keyPair);
+
+/* calls for accessing wrapping keys across processes. */
+extern PRBool
+ssl_GetWrappingKey( PRInt32                   symWrapMechIndex,
+                    SSL3KEAType               exchKeyType, 
+		    SSLWrappedSymWrappingKey *wswk);
+
+/* The caller passes in the new value it wants
+ * to set.  This code tests the wrapped sym key entry in the file on disk.  
+ * If it is uninitialized, this function writes the caller's value into 
+ * the disk entry, and returns false.  
+ * Otherwise, it overwrites the caller's wswk with the value obtained from 
+ * the disk, and returns PR_TRUE.  
+ * This is all done while holding the locks/semaphores necessary to make 
+ * the operation atomic.
+ */
+extern PRBool
+ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk);
+
+/********************** misc calls *********************/
+
+extern int ssl_MapLowLevelError(int hiLevelError);
+
+extern PRUint32 ssl_Time(void);
+
+/* emulation of NSPR routines. */
+extern PRInt32 
+ssl_EmulateAcceptRead(	PRFileDesc *   sd, 
+			PRFileDesc **  nd,
+			PRNetAddr **   raddr, 
+			void *         buf, 
+			PRInt32        amount, 
+			PRIntervalTime timeout);
+extern PRInt32 
+ssl_EmulateTransmitFile(    PRFileDesc *        sd, 
+			    PRFileDesc *        fd,
+			    const void *        headers, 
+			    PRInt32             hlen, 
+			    PRTransmitFileFlags flags,
+			    PRIntervalTime      timeout);
+extern PRInt32 
+ssl_EmulateSendFile( PRFileDesc *        sd, 
+		     PRSendFileData *    sfd,
+                     PRTransmitFileFlags flags, 
+		     PRIntervalTime      timeout);
+
+#ifdef TRACE
+#define SSL_TRACE(msg) ssl_Trace msg
+#else
+#define SSL_TRACE(msg)
+#endif
+
+void ssl_Trace(const char *format, ...);
+
+SEC_END_PROTOS
+
+#ifdef XP_OS2_VACPP
+#include <process.h>
+#endif
+
+#if defined(XP_UNIX) || defined(XP_OS2) || defined(XP_BEOS)
+#define SSL_GETPID() getpid()
+#elif defined(WIN32)
+
+extern int __cdecl _getpid(void);
+/* #define SSL_GETPID() GetCurrentProcessId() */
+#define SSL_GETPID() _getpid()
+#else
+#define SSL_GETPID() 0
+#endif
+
+#endif /* __sslimpl_h_ */
diff --git a/security/nss/lib/ssl/sslinfo.c b/security/nss/lib/ssl/sslinfo.c
new file mode 100644
index 000000000..98b4f21d2
--- /dev/null
+++ b/security/nss/lib/ssl/sslinfo.c
@@ -0,0 +1,197 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 2001 Netscape Communications Corporation.  All 
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+#include "ssl.h"
+#include "sslimpl.h"
+#include "sslproto.h"
+
+SECStatus 
+SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len)
+{
+    sslSocket *      ss;
+    SSLChannelInfo   inf;
+    sslSessionID *   sid;
+
+    if (!info || len < sizeof inf.length) { 
+    	return SECSuccess;
+    }
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetChannelInfo",
+		 SSL_GETPID(), fd));
+	return SECFailure;
+    }
+
+    memset(&inf, 0, sizeof inf);
+    inf.length = PR_MIN(sizeof inf, len);
+
+    if (ss->useSecurity && ss->firstHsDone) {
+        sid = ss->sec.ci.sid;
+	inf.protocolVersion  = ss->version;
+	inf.authKeyBits      = ss->sec.authKeyBits;
+	inf.keaKeyBits       = ss->sec.keaKeyBits;
+	if (ss->version < SSL_LIBRARY_VERSION_3_0) { /* SSL2 */
+	    inf.cipherSuite      = ss->sec.cipherType | 0xff00;
+	} else if (ss->ssl3) { 		/* SSL3 and TLS */
+
+	    /* XXX  These should come from crSpec */
+	    inf.cipherSuite      = ss->ssl3->hs.cipher_suite;
+#if 0
+	    /* misc */
+	    inf.isFIPS =  (inf.symCipher == ssl_calg_des   || inf.symCipher == ssl_calg_3des)
+		       && (inf.macAlgorithm == ssl_mac_sha || inf.macAlgorithm == ssl_hmac_sha)
+		       && (inf.protocolVersion > SSL_LIBRARY_VERSION_3_0 ||
+		           inf.cipherSuite >= 0xfef0);
+#endif
+	}
+	if (sid) {
+	    inf.creationTime   = sid->creationTime;
+	    inf.lastAccessTime = sid->lastAccessTime;
+	    inf.expirationTime = sid->expirationTime;
+	    if (ss->version < SSL_LIBRARY_VERSION_3_0) { /* SSL2 */
+	        inf.sessionIDLength = SSL2_SESSIONID_BYTES;
+		memcpy(inf.sessionID, sid->u.ssl2.sessionID, SSL2_SESSIONID_BYTES);
+	    } else {
+		unsigned int sidLen = sid->u.ssl3.sessionIDLength;
+	        sidLen = PR_MIN(sidLen, sizeof inf.sessionID);
+	        inf.sessionIDLength = sidLen;
+		memcpy(inf.sessionID, sid->u.ssl3.sessionID, sidLen);
+	    }
+	}
+    }
+
+    memcpy(info, &inf, inf.length);
+
+    return SECSuccess;
+}
+
+#define kt_kea kt_fortezza
+#define calg_sj calg_fortezza
+
+#define CS(x) x, #x
+#define CK(x) x | 0xff00, #x
+
+#define S_DSA   "DSA", ssl_auth_dsa
+#define S_RSA	"RSA", ssl_auth_rsa
+#define S_KEA   "KEA", ssl_auth_kea
+
+#define K_DHE	"DHE", kt_dh
+#define K_RSA	"RSA", kt_rsa
+#define K_KEA	"KEA", kt_kea
+
+#define C_AES	"AES", calg_aes
+#define C_RC4	"RC4", calg_rc4
+#define C_RC2	"RC2", calg_rc2
+#define C_DES	"DES", calg_des
+#define C_3DES	"3DES", calg_3des
+#define C_NULL  "NULL", calg_null
+#define C_SJ 	"SKIPJACK", calg_sj
+
+#define B_256	256, 256, 256
+#define B_128	128, 128, 128
+#define B_3DES  192, 156, 112
+#define B_SJ     96,  80,  80
+#define B_DES    64,  56,  56
+#define B_56    128,  56,  56
+#define B_40    128,  40,  40
+#define B_0  	  0,   0,   0
+
+#define M_SHA	"SHA1", ssl_mac_sha, 160
+#define M_MD5	"MD5",  ssl_mac_md5, 128
+
+static const SSLCipherSuiteInfo suiteInfo[] = {
+/* <------ Cipher suite --------------------> <auth> <KEA>  <bulk cipher> <MAC> <FIPS> */
+{0,CS(TLS_DHE_RSA_WITH_AES_256_CBC_SHA),      S_RSA, K_DHE, C_AES, B_256, M_SHA, 0, 0, 0, },
+{0,CS(TLS_DHE_DSS_WITH_AES_256_CBC_SHA),      S_DSA, K_DHE, C_AES, B_256, M_SHA, 0, 0, 0, },
+{0,CS(TLS_RSA_WITH_AES_256_CBC_SHA),          S_RSA, K_RSA, C_AES, B_256, M_SHA, 0, 0, 0, },
+
+{0,CS(SSL_FORTEZZA_DMS_WITH_RC4_128_SHA),     S_KEA, K_KEA, C_RC4, B_128, M_SHA, 0, 0, 0, },
+{0,CS(TLS_DHE_DSS_WITH_RC4_128_SHA),          S_DSA, K_DHE, C_RC4, B_128, M_SHA, 0, 0, 0, },
+{0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA),      S_RSA, K_DHE, C_AES, B_128, M_SHA, 0, 0, 0, },
+{0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA),      S_DSA, K_DHE, C_AES, B_128, M_SHA, 0, 0, 0, },
+{0,CS(SSL_RSA_WITH_RC4_128_MD5),              S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, 0, 0, },
+{0,CS(SSL_RSA_WITH_RC4_128_SHA),              S_RSA, K_RSA, C_RC4, B_128, M_SHA, 0, 0, 0, },
+{0,CS(TLS_RSA_WITH_AES_128_CBC_SHA),          S_RSA, K_RSA, C_AES, B_128, M_SHA, 0, 0, 0, },
+
+{0,CS(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA),     S_RSA, K_DHE, C_3DES,B_3DES,M_SHA, 0, 0, 0, },
+{0,CS(SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA),     S_DSA, K_DHE, C_3DES,B_3DES,M_SHA, 0, 0, 0, },
+{0,CS(SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA),    S_RSA, K_RSA, C_3DES,B_3DES,M_SHA, 1, 0, 1, },
+{0,CS(SSL_RSA_WITH_3DES_EDE_CBC_SHA),         S_RSA, K_RSA, C_3DES,B_3DES,M_SHA, 1, 0, 0, },
+
+{0,CS(SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA),S_KEA, K_KEA, C_SJ,  B_SJ,  M_SHA, 1, 0, 0, },
+{0,CS(SSL_DHE_RSA_WITH_DES_CBC_SHA),          S_RSA, K_DHE, C_DES, B_DES, M_SHA, 0, 0, 0, },
+{0,CS(SSL_DHE_DSS_WITH_DES_CBC_SHA),          S_DSA, K_DHE, C_DES, B_DES, M_SHA, 0, 0, 0, },
+{0,CS(SSL_RSA_FIPS_WITH_DES_CBC_SHA),         S_RSA, K_RSA, C_DES, B_DES, M_SHA, 1, 0, 1, },
+{0,CS(SSL_RSA_WITH_DES_CBC_SHA),              S_RSA, K_RSA, C_DES, B_DES, M_SHA, 1, 0, 0, },
+
+{0,CS(TLS_RSA_EXPORT1024_WITH_RC4_56_SHA),    S_RSA, K_RSA, C_RC4, B_56,  M_SHA, 0, 1, 0, },
+{0,CS(TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA),   S_RSA, K_RSA, C_DES, B_DES, M_SHA, 1, 1, 0, },
+{0,CS(SSL_RSA_EXPORT_WITH_RC4_40_MD5),        S_RSA, K_RSA, C_RC4, B_40,  M_MD5, 0, 1, 0, },
+{0,CS(SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5),    S_RSA, K_RSA, C_RC2, B_40,  M_MD5, 0, 1, 0, },
+{0,CS(SSL_FORTEZZA_DMS_WITH_NULL_SHA),        S_KEA, K_KEA, C_NULL,B_0,   M_SHA, 0, 1, 0, },
+{0,CS(SSL_RSA_WITH_NULL_MD5),                 S_RSA, K_RSA, C_NULL,B_0,   M_MD5, 0, 1, 0, },
+
+/* SSL 2 table */
+{0,CK(SSL_CK_RC4_128_WITH_MD5),               S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, 0, 0, },
+{0,CK(SSL_CK_RC2_128_CBC_WITH_MD5),           S_RSA, K_RSA, C_RC2, B_128, M_MD5, 0, 0, 0, },
+{0,CK(SSL_CK_DES_192_EDE3_CBC_WITH_MD5),      S_RSA, K_RSA, C_3DES,B_3DES,M_MD5, 0, 0, 0, },
+{0,CK(SSL_CK_DES_64_CBC_WITH_MD5),            S_RSA, K_RSA, C_DES, B_DES, M_MD5, 0, 0, 0, },
+{0,CK(SSL_CK_RC4_128_EXPORT40_WITH_MD5),      S_RSA, K_RSA, C_RC4, B_40,  M_MD5, 0, 1, 0, },
+{0,CK(SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5),  S_RSA, K_RSA, C_RC2, B_40,  M_MD5, 0, 1, 0, }
+};
+
+#define NUM_SUITEINFOS ((sizeof suiteInfo) / (sizeof suiteInfo[0]))
+
+
+SECStatus SSL_GetCipherSuiteInfo(PRUint16 cipherSuite, 
+                                 SSLCipherSuiteInfo *info, PRUintn len)
+{
+    unsigned int i;
+
+    len = PR_MIN(len, sizeof suiteInfo[0]);
+    if (!info || len < sizeof suiteInfo[0].length) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+    	return SECFailure;
+    }
+    for (i = 0; i < NUM_SUITEINFOS; i++) {
+    	if (suiteInfo[i].cipherSuite == cipherSuite) {
+	    memcpy(info, &suiteInfo[i], len);
+	    info->length = len;
+	    return SECSuccess;
+	}
+    }
+    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+    return SECFailure;
+}
diff --git a/security/nss/lib/ssl/sslmutex.c b/security/nss/lib/ssl/sslmutex.c
new file mode 100644
index 000000000..6f88c27d8
--- /dev/null
+++ b/security/nss/lib/ssl/sslmutex.c
@@ -0,0 +1,654 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 2001 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s): 
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "sslmutex.h"
+#include "prerr.h"
+
+static SECStatus single_process_sslMutex_Init(sslMutex* pMutex)
+{
+    PR_ASSERT(pMutex != 0 && pMutex->u.sslLock == 0 );
+    
+    pMutex->u.sslLock = PR_NewLock();
+    if (!pMutex->u.sslLock) {
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+static SECStatus single_process_sslMutex_Destroy(sslMutex* pMutex)
+{
+    PR_ASSERT(pMutex != 0);
+    PR_ASSERT(pMutex->u.sslLock!= 0);
+    if (!pMutex->u.sslLock) {
+        PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+        return SECFailure;
+    }
+    PR_DestroyLock(pMutex->u.sslLock);
+    return SECSuccess;
+}
+
+static SECStatus single_process_sslMutex_Unlock(sslMutex* pMutex)
+{
+    PR_ASSERT(pMutex != 0 );
+    PR_ASSERT(pMutex->u.sslLock !=0);
+    if (!pMutex->u.sslLock) {
+        PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+        return SECFailure;
+    }
+    PR_Unlock(pMutex->u.sslLock);
+    return SECSuccess;
+}
+
+static SECStatus single_process_sslMutex_Lock(sslMutex* pMutex)
+{
+    PR_ASSERT(pMutex != 0);
+    PR_ASSERT(pMutex->u.sslLock != 0 );
+    if (!pMutex->u.sslLock) {
+        PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+        return SECFailure;
+    }
+    PR_Lock(pMutex->u.sslLock);
+    return SECSuccess;
+}
+
+#if defined(LINUX) || defined(AIX) || defined(VMS) || defined(BEOS) || defined(BSDI)
+
+#include <unistd.h>
+#include <fcntl.h>
+#include <string.h>
+#include <errno.h>
+#include "unix_err.h"
+#include "pratom.h"
+
+#define SSL_MUTEX_MAGIC 0xfeedfd
+#define NONBLOCKING_POSTS 1	/* maybe this is faster */
+
+#if NONBLOCKING_POSTS
+
+#ifndef FNONBLOCK
+#define FNONBLOCK O_NONBLOCK
+#endif
+
+static int
+setNonBlocking(int fd, int nonBlocking)
+{
+    int flags;
+    int err;
+
+    flags = fcntl(fd, F_GETFL, 0);
+    if (0 > flags)
+	return flags;
+    if (nonBlocking)
+	flags |= FNONBLOCK;
+    else
+	flags &= ~FNONBLOCK;
+    err = fcntl(fd, F_SETFL, flags);
+    return err;
+}
+#endif
+
+SECStatus
+sslMutex_Init(sslMutex *pMutex, int shared)
+{
+    int  err;
+    PR_ASSERT(pMutex);
+    pMutex->isMultiProcess = (PRBool)(shared != 0);
+    if (!shared) {
+        return single_process_sslMutex_Init(pMutex);
+    }
+    pMutex->u.pipeStr.mPipes[0] = -1;
+    pMutex->u.pipeStr.mPipes[1] = -1;
+    pMutex->u.pipeStr.mPipes[2] = -1;
+    pMutex->u.pipeStr.nWaiters  =  0;
+
+    err = pipe(pMutex->u.pipeStr.mPipes);
+    if (err) {
+	return err;
+    }
+    /* close-on-exec is false by default */
+    if (!shared) {
+	err = fcntl(pMutex->u.pipeStr.mPipes[0], F_SETFD, FD_CLOEXEC);
+	if (err) 
+	    goto loser;
+
+	err = fcntl(pMutex->u.pipeStr.mPipes[1], F_SETFD, FD_CLOEXEC);
+	if (err) 
+	    goto loser;
+    }
+
+#if NONBLOCKING_POSTS
+    err = setNonBlocking(pMutex->u.pipeStr.mPipes[1], 1);
+    if (err)
+	goto loser;
+#endif
+
+    pMutex->u.pipeStr.mPipes[2] = SSL_MUTEX_MAGIC;
+
+#if defined(LINUX) && defined(i386)
+    /* Pipe starts out empty */
+    return SECSuccess;
+#else
+    /* Pipe starts with one byte. */
+    return sslMutex_Unlock(pMutex);
+#endif
+
+loser:
+    nss_MD_unix_map_default_error(errno);
+    close(pMutex->u.pipeStr.mPipes[0]);
+    close(pMutex->u.pipeStr.mPipes[1]);
+    return SECFailure;
+}
+
+SECStatus
+sslMutex_Destroy(sslMutex *pMutex)
+{
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Destroy(pMutex);
+    }
+    if (pMutex->u.pipeStr.mPipes[2] != SSL_MUTEX_MAGIC) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+	return SECFailure;
+    }
+    close(pMutex->u.pipeStr.mPipes[0]);
+    close(pMutex->u.pipeStr.mPipes[1]);
+
+    pMutex->u.pipeStr.mPipes[0] = -1;
+    pMutex->u.pipeStr.mPipes[1] = -1;
+    pMutex->u.pipeStr.mPipes[2] = -1;
+    pMutex->u.pipeStr.nWaiters  =  0;
+
+    return SECSuccess;
+}
+
+#if defined(LINUX) && defined(i386)
+/* No memory barrier needed for this platform */
+
+SECStatus 
+sslMutex_Unlock(sslMutex *pMutex)
+{
+    PRInt32 oldValue;
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Unlock(pMutex);
+    }
+
+    if (pMutex->u.pipeStr.mPipes[2] != SSL_MUTEX_MAGIC) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+	return SECFailure;
+    }
+    /* Do Memory Barrier here. */
+    oldValue = PR_AtomicDecrement(&pMutex->u.pipeStr.nWaiters);
+    if (oldValue > 1) {
+	int  cc;
+	char c  = 1;
+	do {
+	    cc = write(pMutex->u.pipeStr.mPipes[1], &c, 1);
+	} while (cc < 0 && (errno == EINTR || errno == EAGAIN));
+	if (cc != 1) {
+	    if (cc < 0)
+		nss_MD_unix_map_default_error(errno);
+	    else
+		PORT_SetError(PR_UNKNOWN_ERROR);
+	    return SECFailure;
+	}
+    }
+    return SECSuccess;
+}
+
+SECStatus 
+sslMutex_Lock(sslMutex *pMutex)
+{
+    PRInt32 oldValue;
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Lock(pMutex);
+    }
+
+    if (pMutex->u.pipeStr.mPipes[2] != SSL_MUTEX_MAGIC) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+	return SECFailure;
+    }
+    oldValue = PR_AtomicDecrement(&pMutex->u.pipeStr.nWaiters);
+    /* Do Memory Barrier here. */
+    if (oldValue > 0) {
+	int   cc;
+	char  c;
+	do {
+	    cc = read(pMutex->u.pipeStr.mPipes[0], &c, 1);
+	} while (cc < 0 && errno == EINTR);
+	if (cc != 1) {
+	    if (cc < 0)
+		nss_MD_unix_map_default_error(errno);
+	    else
+		PORT_SetError(PR_UNKNOWN_ERROR);
+	    return SECFailure;
+	}
+    }
+    return SECSuccess;
+}
+
+#else
+
+/* Using Atomic operations requires the use of a memory barrier instruction 
+** on PowerPC, Sparc, and Alpha.  NSPR's PR_Atomic functions do not perform
+** them, and NSPR does not provide a function that does them (e.g. PR_Barrier).
+** So, we don't use them on those platforms. 
+*/
+
+SECStatus 
+sslMutex_Unlock(sslMutex *pMutex)
+{
+    int  cc;
+    char c  = 1;
+
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Unlock(pMutex);
+    }
+
+    if (pMutex->u.pipeStr.mPipes[2] != SSL_MUTEX_MAGIC) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+	return SECFailure;
+    }
+    do {
+	cc = write(pMutex->u.pipeStr.mPipes[1], &c, 1);
+    } while (cc < 0 && (errno == EINTR || errno == EAGAIN));
+    if (cc != 1) {
+	if (cc < 0)
+	    nss_MD_unix_map_default_error(errno);
+	else
+	    PORT_SetError(PR_UNKNOWN_ERROR);
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+SECStatus 
+sslMutex_Lock(sslMutex *pMutex)
+{
+    int   cc;
+    char  c;
+
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Lock(pMutex);
+    }
+ 
+    if (pMutex->u.pipeStr.mPipes[2] != SSL_MUTEX_MAGIC) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+	return SECFailure;
+    }
+
+    do {
+	cc = read(pMutex->u.pipeStr.mPipes[0], &c, 1);
+    } while (cc < 0 && errno == EINTR);
+    if (cc != 1) {
+	if (cc < 0)
+	    nss_MD_unix_map_default_error(errno);
+	else
+	    PORT_SetError(PR_UNKNOWN_ERROR);
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+#endif
+
+#elif defined(WIN32)
+
+#include "win32err.h"
+
+/* on Windows, we need to find the optimal type of locking mechanism to use
+ for the sslMutex.
+
+ There are 3 cases :
+ 1) single-process, use a PRLock, as for all other platforms
+ 2) Win95 multi-process, use a Win32 mutex
+ 3) on WINNT multi-process, use a PRLock + a Win32 mutex
+
+*/
+
+#ifdef WINNT
+
+SECStatus sslMutex_2LevelInit(sslMutex *sem)
+{
+    /*  the following adds a PRLock to sslMutex . This is done in each
+        process of a multi-process server and is only needed on WINNT, if
+        using fibers. We can't tell if native threads or fibers are used, so
+        we always do it on WINNT
+    */
+    PR_ASSERT(sem);
+    if (sem) {
+        /* we need to reset the sslLock in the children or the single_process init
+           function below will assert */
+        sem->u.sslLock = NULL;
+    }
+    return single_process_sslMutex_Init(sem);
+}
+
+static SECStatus sslMutex_2LevelDestroy(sslMutex *sem)
+{
+    return single_process_sslMutex_Destroy(sem);
+}
+
+#endif
+
+SECStatus
+sslMutex_Init(sslMutex *pMutex, int shared)
+{
+    SECStatus retvalue;
+    HANDLE hMutex;
+    SECURITY_ATTRIBUTES attributes =
+                                { sizeof(SECURITY_ATTRIBUTES), NULL, TRUE };
+
+    PR_ASSERT(pMutex != 0 && (pMutex->u.sslMutx == 0 || 
+              pMutex->u.sslMutx == INVALID_HANDLE_VALUE) );
+    
+    pMutex->isMultiProcess = (PRBool)(shared != 0);
+    
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Init(pMutex);
+    }
+    
+#ifdef WINNT
+    /*  we need a lock on WINNT for fibers in the parent process */
+    retvalue = sslMutex_2LevelInit(pMutex);
+    if (SECSuccess != retvalue)
+        return SECFailure;
+#endif
+    
+    if (!pMutex || ((hMutex = pMutex->u.sslMutx) != 0 && 
+        hMutex != INVALID_HANDLE_VALUE)) {
+        PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+        return SECFailure;
+    }
+    attributes.bInheritHandle = (shared ? TRUE : FALSE);
+    hMutex = CreateMutex(&attributes, FALSE, NULL);
+    if (hMutex == NULL) {
+        hMutex = INVALID_HANDLE_VALUE;
+        nss_MD_win32_map_default_error(GetLastError());
+        return SECFailure;
+    }
+    pMutex->u.sslMutx = hMutex;
+    return SECSuccess;
+}
+
+SECStatus
+sslMutex_Destroy(sslMutex *pMutex)
+{
+    HANDLE hMutex;
+    int    rv;
+    int retvalue = SECSuccess;
+
+    PR_ASSERT(pMutex != 0);
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Destroy(pMutex);
+    }
+
+    /*  multi-process mode */    
+#ifdef WINNT
+    /* on NT, get rid of the PRLock used for fibers within a process */
+    retvalue = sslMutex_2LevelDestroy(pMutex);
+#endif
+    
+    PR_ASSERT( pMutex->u.sslMutx != 0 && 
+               pMutex->u.sslMutx != INVALID_HANDLE_VALUE);
+    if (!pMutex || (hMutex = pMutex->u.sslMutx) == 0 
+        || hMutex == INVALID_HANDLE_VALUE) {
+        PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+        return SECFailure;
+    }
+    
+    rv = CloseHandle(hMutex); /* ignore error */
+    if (rv) {
+        pMutex->u.sslMutx = hMutex = INVALID_HANDLE_VALUE;
+    } else {
+        nss_MD_win32_map_default_error(GetLastError());
+        retvalue = SECFailure;
+    }
+    return retvalue;
+}
+
+int 
+sslMutex_Unlock(sslMutex *pMutex)
+{
+    BOOL   success = FALSE;
+    HANDLE hMutex;
+
+    PR_ASSERT(pMutex != 0 );
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Unlock(pMutex);
+    }
+    
+    PR_ASSERT(pMutex->u.sslMutx != 0 && 
+              pMutex->u.sslMutx != INVALID_HANDLE_VALUE);
+    if (!pMutex || (hMutex = pMutex->u.sslMutx) == 0 ||
+        hMutex == INVALID_HANDLE_VALUE) {
+        PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+        return SECFailure;
+    }
+    success = ReleaseMutex(hMutex);
+    if (!success) {
+        nss_MD_win32_map_default_error(GetLastError());
+        return SECFailure;
+    }
+#ifdef WINNT
+    return single_process_sslMutex_Unlock(pMutex);
+    /* release PRLock for other fibers in the process */
+#else
+    return SECSuccess;
+#endif
+}
+
+int 
+sslMutex_Lock(sslMutex *pMutex)
+{
+    HANDLE    hMutex;
+    DWORD     event;
+    DWORD     lastError;
+    SECStatus rv;
+    SECStatus retvalue = SECSuccess;
+    PR_ASSERT(pMutex != 0);
+
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Lock(pMutex);
+    }
+#ifdef WINNT
+    /* lock first to preserve from other threads/fibers
+       in the same process */
+    retvalue = single_process_sslMutex_Lock(pMutex);
+#endif
+    PR_ASSERT(pMutex->u.sslMutx != 0 && 
+              pMutex->u.sslMutx != INVALID_HANDLE_VALUE);
+    if (!pMutex || (hMutex = pMutex->u.sslMutx) == 0 || 
+        hMutex == INVALID_HANDLE_VALUE) {
+        PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+        return SECFailure;      /* what else ? */
+    }
+    /* acquire the mutex to be the only owner accross all other processes */
+    event = WaitForSingleObject(hMutex, INFINITE);
+    switch (event) {
+    case WAIT_OBJECT_0:
+    case WAIT_ABANDONED:
+        rv = SECSuccess;
+        break;
+
+    case WAIT_TIMEOUT:
+    case WAIT_IO_COMPLETION:
+    default:            /* should never happen. nothing we can do. */
+        PR_ASSERT(!("WaitForSingleObject returned invalid value."));
+	PORT_SetError(PR_UNKNOWN_ERROR);
+	rv = SECFailure;
+	break;
+
+    case WAIT_FAILED:           /* failure returns this */
+        rv = SECFailure;
+        lastError = GetLastError();     /* for debugging */
+        nss_MD_win32_map_default_error(lastError);
+        break;
+    }
+
+    if (! (SECSuccess == retvalue && SECSuccess == rv)) {
+        return SECFailure;
+    }
+    
+    return SECSuccess;
+}
+
+#elif defined(XP_UNIX)
+
+#include <errno.h>
+#include "unix_err.h"
+
+SECStatus 
+sslMutex_Init(sslMutex *pMutex, int shared)
+{
+    int rv;
+    PR_ASSERT(pMutex);
+    pMutex->isMultiProcess = (PRBool)(shared != 0);
+    if (!shared) {
+        return single_process_sslMutex_Init(pMutex);
+    }
+    do {
+        rv = sem_init(&pMutex->u.sem, shared, 1);
+    } while (rv < 0 && errno == EINTR);
+    if (rv < 0) {
+        nss_MD_unix_map_default_error(errno);
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus 
+sslMutex_Destroy(sslMutex *pMutex)
+{
+    int rv;
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Destroy(pMutex);
+    }
+    do {
+	rv = sem_destroy(&pMutex->u.sem);
+    } while (rv < 0 && errno == EINTR);
+    if (rv < 0) {
+	nss_MD_unix_map_default_error(errno);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus 
+sslMutex_Unlock(sslMutex *pMutex)
+{
+    int rv;
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Unlock(pMutex);
+    }
+    do {
+	rv = sem_post(&pMutex->u.sem);
+    } while (rv < 0 && errno == EINTR);
+    if (rv < 0) {
+	nss_MD_unix_map_default_error(errno);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus 
+sslMutex_Lock(sslMutex *pMutex)
+{
+    int rv;
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Lock(pMutex);
+    }
+    do {
+	rv = sem_wait(&pMutex->u.sem);
+    } while (rv < 0 && errno == EINTR);
+    if (rv < 0) {
+	nss_MD_unix_map_default_error(errno);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+#else
+
+SECStatus 
+sslMutex_Init(sslMutex *pMutex, int shared)
+{
+    PR_ASSERT(pMutex);
+    pMutex->isMultiProcess = (PRBool)(shared != 0);
+    if (!shared) {
+        return single_process_sslMutex_Init(pMutex);
+    }
+    PORT_Assert(!("sslMutex_Init not implemented for multi-process applications !"));
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return SECFailure;
+}
+
+SECStatus 
+sslMutex_Destroy(sslMutex *pMutex)
+{
+    PR_ASSERT(pMutex);
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Destroy(pMutex);
+    }
+    PORT_Assert(!("sslMutex_Destroy not implemented for multi-process applications !"));
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return SECFailure;
+}
+
+SECStatus 
+sslMutex_Unlock(sslMutex *pMutex)
+{
+    PR_ASSERT(pMutex);
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Unlock(pMutex);
+    }
+    PORT_Assert(!("sslMutex_Unlock not implemented for multi-process applications !"));
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return SECFailure;
+}
+
+SECStatus 
+sslMutex_Lock(sslMutex *pMutex)
+{
+    PR_ASSERT(pMutex);
+    if (PR_FALSE == pMutex->isMultiProcess) {
+        return single_process_sslMutex_Lock(pMutex);
+    }
+    PORT_Assert(!("sslMutex_Lock not implemented for multi-process applications !"));
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return SECFailure;
+}
+
+#endif
diff --git a/security/nss/lib/ssl/sslmutex.h b/security/nss/lib/ssl/sslmutex.h
new file mode 100644
index 000000000..4ede0eba3
--- /dev/null
+++ b/security/nss/lib/ssl/sslmutex.h
@@ -0,0 +1,149 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 2001 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s): 
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+#ifndef __SSLMUTEX_H_
+#define __SSLMUTEX_H_ 1
+
+/* What SSL really wants is portable process-shared unnamed mutexes in 
+ * shared memory, that have the property that if the process that holds
+ * them dies, they are released automatically, and that (unlike fcntl 
+ * record locking) lock to the thread, not to the process.  
+ * NSPR doesn't provide that.  
+ * Windows has mutexes that meet that description, but they're not portable.  
+ * POSIX mutexes are not automatically released when the holder dies, 
+ * and other processes/threads cannot release the mutex on behalf of the 
+ * dead holder.  
+ * POSIX semaphores can be used to accomplish this on systems that implement 
+ * process-shared unnamed POSIX semaphores, because a watchdog thread can 
+ * discover and release semaphores that were held by a dead process.  
+ * On systems that do not support process-shared POSIX unnamed semaphores, 
+ * they can be emulated using pipes.  
+ * The performance cost of doing that is not yet measured.
+ *
+ * So, this API looks a lot like POSIX pthread mutexes.
+ */
+
+#include "prtypes.h"
+#include "prlock.h"
+
+#if defined(WIN32)
+
+#include <wtypes.h>
+
+typedef struct 
+{
+    PRBool isMultiProcess;
+#ifdef WINNT
+    /* on WINNT we need both the PRLock and the Win32 mutex for fibers */
+    struct {
+#else
+    union {
+#endif
+        PRLock* sslLock;
+        HANDLE sslMutx;
+    } u;
+} sslMutex;
+
+typedef int    sslPID;
+
+#elif defined(LINUX) || defined(AIX) || defined(VMS) || defined(BEOS) || defined(BSDI)
+
+#include <sys/types.h>
+#include "prtypes.h"
+
+typedef struct { 
+    PRBool isMultiProcess;
+    union {
+        PRLock* sslLock;
+        struct {
+            int      mPipes[3]; 
+            PRInt32  nWaiters;
+        } pipeStr;
+    } u;
+} sslMutex;
+typedef pid_t sslPID;
+
+#elif defined(XP_UNIX) /* other types of Unix */
+
+#include <sys/types.h>	/* for pid_t */
+#include <semaphore.h>  /* for sem_t, and sem_* functions */
+
+typedef struct
+{
+    PRBool isMultiProcess;
+    union {
+        PRLock* sslLock;
+        sem_t  sem;
+    } u;
+} sslMutex;
+
+typedef pid_t sslPID;
+
+#else
+
+/* what platform is this ?? */
+
+typedef struct { 
+    PRBool isMultiProcess;
+    union {
+        PRLock* sslLock;
+        /* include cross-process locking mechanism here */
+    } u;
+} sslMutex;
+
+typedef int sslPID;
+
+#endif
+
+#include "seccomon.h"
+
+SEC_BEGIN_PROTOS
+
+extern SECStatus sslMutex_Init(sslMutex *sem, int shared);
+
+extern SECStatus sslMutex_Destroy(sslMutex *sem);
+
+extern SECStatus sslMutex_Unlock(sslMutex *sem);
+
+extern SECStatus sslMutex_Lock(sslMutex *sem);
+
+#ifdef WINNT
+
+extern SECStatus sslMutex_2LevelInit(sslMutex *sem);
+
+#endif
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/ssl/sslnonce.c b/security/nss/lib/ssl/sslnonce.c
new file mode 100644
index 000000000..36dd7f073
--- /dev/null
+++ b/security/nss/lib/ssl/sslnonce.c
@@ -0,0 +1,365 @@
+/* 
+ * This file implements the CLIENT Session ID cache.  
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "nssrenam.h"
+#include "cert.h"
+#include "secitem.h"
+#include "ssl.h"
+
+#include "sslimpl.h"
+#include "sslproto.h"
+#include "nssilock.h"
+#include "nsslocks.h"
+#if defined(XP_UNIX) || defined(XP_WIN) || defined(_WINDOWS) || defined(XP_BEOS)
+#include <time.h>
+#endif
+
+PRUint32 ssl_sid_timeout = 100;
+PRUint32 ssl3_sid_timeout = 86400L; /* 24 hours */
+
+static sslSessionID *cache;
+static PZLock *      cacheLock;
+
+/* sids can be in one of 4 states:
+ *
+ * never_cached, 	created, but not yet put into cache. 
+ * in_client_cache, 	in the client cache's linked list.
+ * in_server_cache, 	entry came from the server's cache file.
+ * invalid_cache	has been removed from the cache. 
+ */
+
+#define LOCK_CACHE 	lock_cache()
+#define UNLOCK_CACHE	PZ_Unlock(cacheLock)
+
+static void 
+lock_cache(void)
+{
+    /* XXX Since the client session cache has no init function, we must
+     * XXX init the cacheLock on the first call.  Fix in NSS 3.0.
+     */
+    if (!cacheLock)
+	nss_InitLock(&cacheLock, nssILockCache);
+    PZ_Lock(cacheLock);
+}
+
+/* BEWARE: This function gets called for both client and server SIDs !!
+ * If the unreferenced sid is not in the cache, Free sid and its contents.
+ */
+static void
+ssl_DestroySID(sslSessionID *sid)
+{
+    SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached));
+    PORT_Assert((sid->references == 0));
+
+    if (sid->cached == in_client_cache)
+    	return;	/* it will get taken care of next time cache is traversed. */
+
+    if (sid->version < SSL_LIBRARY_VERSION_3_0) {
+	SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE);
+	SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE);
+    }
+    if (sid->peerID != NULL)
+	PORT_Free((void *)sid->peerID);		/* CONST */
+
+    if (sid->urlSvrName != NULL)
+	PORT_Free((void *)sid->urlSvrName);	/* CONST */
+
+    if ( sid->peerCert ) {
+	CERT_DestroyCertificate(sid->peerCert);
+    }
+    if ( sid->localCert ) {
+	CERT_DestroyCertificate(sid->localCert);
+    }
+    
+    PORT_ZFree(sid, sizeof(sslSessionID));
+}
+
+/* BEWARE: This function gets called for both client and server SIDs !!
+ * Decrement reference count, and 
+ *    free sid if ref count is zero, and sid is not in the cache. 
+ * Does NOT remove from the cache first.  
+ * If the sid is still in the cache, it is left there until next time
+ * the cache list is traversed.
+ */
+static void 
+ssl_FreeLockedSID(sslSessionID *sid)
+{
+    PORT_Assert(sid->references >= 1);
+    if (--sid->references == 0) {
+	ssl_DestroySID(sid);
+    }
+}
+
+/* BEWARE: This function gets called for both client and server SIDs !!
+ * Decrement reference count, and 
+ *    free sid if ref count is zero, and sid is not in the cache. 
+ * Does NOT remove from the cache first.  
+ * These locks are necessary because the sid _might_ be in the cache list.
+ */
+void
+ssl_FreeSID(sslSessionID *sid)
+{
+    LOCK_CACHE;
+    ssl_FreeLockedSID(sid);
+    UNLOCK_CACHE;
+}
+
+/************************************************************************/
+
+/*
+**  Lookup sid entry in cache by Address, port, and peerID string.
+**  If found, Increment reference count, and return pointer to caller.
+**  If it has timed out or ref count is zero, remove from list and free it.
+*/
+
+sslSessionID *
+ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, const char *peerID, 
+              const char * urlSvrName)
+{
+    sslSessionID **sidp;
+    sslSessionID * sid;
+    PRUint32       now;
+
+    if (!urlSvrName)
+    	return NULL;
+    now = ssl_Time();
+    LOCK_CACHE;
+    sidp = &cache;
+    while ((sid = *sidp) != 0) {
+	PORT_Assert(sid->cached == in_client_cache);
+	PORT_Assert(sid->references >= 1);
+
+	SSL_TRC(8, ("SSL: Lookup1: sid=0x%x", sid));
+
+	if (sid->expirationTime < now || !sid->references) {
+	    /*
+	    ** This session-id timed out, or was orphaned.
+	    ** Don't even care who it belongs to, blow it out of our cache.
+	    */
+	    SSL_TRC(7, ("SSL: lookup1, throwing sid out, age=%d refs=%d",
+			now - sid->creationTime, sid->references));
+
+	    *sidp = sid->next; 			/* delink it from the list. */
+	    sid->cached = invalid_cache;	/* mark not on list. */
+	    if (!sid->references)
+	    	ssl_DestroySID(sid);
+	    else
+		ssl_FreeLockedSID(sid);		/* drop ref count, free. */
+
+	} else if (!memcmp(&sid->addr, addr, sizeof(PRIPv6Addr)) && /* server IP addr matches */
+	           (sid->port == port) && /* server port matches */
+		   /* proxy (peerID) matches */
+		   (((peerID == NULL) && (sid->peerID == NULL)) ||
+		    ((peerID != NULL) && (sid->peerID != NULL) &&
+		     PORT_Strcmp(sid->peerID, peerID) == 0)) &&
+		   /* is cacheable */
+		   (sid->version < SSL_LIBRARY_VERSION_3_0 ||
+		    sid->u.ssl3.resumable) &&
+		   /* server hostname matches. */
+	           (sid->urlSvrName != NULL) &&
+		   ((0 == PORT_Strcmp(urlSvrName, sid->urlSvrName)) ||
+		    ((sid->peerCert != NULL) && (SECSuccess == 
+		      CERT_VerifyCertName(sid->peerCert, urlSvrName))) )
+		  ) {
+	    /* Hit */
+	    sid->lastAccessTime = now;
+	    sid->references++;
+	    break;
+	} else {
+	    sidp = &sid->next;
+	}
+    }
+    UNLOCK_CACHE;
+    return sid;
+}
+
+/*
+** Add an sid to the cache or return a previously cached entry to the cache.
+** Although this is static, it is called via ss->sec.cache().
+*/
+static void 
+CacheSID(sslSessionID *sid)
+{
+    PRUint32  expirationPeriod;
+    SSL_TRC(8, ("SSL: Cache: sid=0x%x cached=%d addr=0x%08x%08x%08x%08x port=0x%04x "
+		"time=%x cached=%d",
+		sid, sid->cached, sid->addr.pr_s6_addr32[0], 
+		sid->addr.pr_s6_addr32[1], sid->addr.pr_s6_addr32[2],
+		sid->addr.pr_s6_addr32[3],  sid->port, sid->creationTime,
+		sid->cached));
+
+    if (sid->cached == in_client_cache)
+	return;
+
+    /* XXX should be different trace for version 2 vs. version 3 */
+    if (sid->version < SSL_LIBRARY_VERSION_3_0) {
+	expirationPeriod = ssl_sid_timeout;
+	PRINT_BUF(8, (0, "sessionID:",
+		  sid->u.ssl2.sessionID, sizeof(sid->u.ssl2.sessionID)));
+	PRINT_BUF(8, (0, "masterKey:",
+		  sid->u.ssl2.masterKey.data, sid->u.ssl2.masterKey.len));
+	PRINT_BUF(8, (0, "cipherArg:",
+		  sid->u.ssl2.cipherArg.data, sid->u.ssl2.cipherArg.len));
+    } else {
+	if (sid->u.ssl3.sessionIDLength == 0) 
+	    return;
+	expirationPeriod = ssl3_sid_timeout;
+	PRINT_BUF(8, (0, "sessionID:",
+		      sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength));
+    }
+    PORT_Assert(sid->creationTime != 0 && sid->expirationTime != 0);
+    if (!sid->creationTime)
+	sid->lastAccessTime = sid->creationTime = ssl_Time();
+    if (!sid->expirationTime)
+	sid->expirationTime = sid->creationTime + expirationPeriod;
+
+    /*
+     * Put sid into the cache.  Bump reference count to indicate that
+     * cache is holding a reference. Uncache will reduce the cache
+     * reference.
+     */
+    LOCK_CACHE;
+    sid->references++;
+    sid->cached = in_client_cache;
+    sid->next   = cache;
+    cache       = sid;
+    UNLOCK_CACHE;
+}
+
+/* 
+ * If sid "zap" is in the cache,
+ *    removes sid from cache, and decrements reference count.
+ * Caller must hold cache lock.
+ */
+static void
+UncacheSID(sslSessionID *zap)
+{
+    sslSessionID **sidp = &cache;
+    sslSessionID *sid;
+
+    if (zap->cached != in_client_cache) {
+	return;
+    }
+
+    SSL_TRC(8,("SSL: Uncache: zap=0x%x cached=%d addr=0x%08x%08x%08x%08x port=0x%04x "
+	       "time=%x cipher=%d",
+	       zap, zap->cached, zap->addr.pr_s6_addr32[0],
+	       zap->addr.pr_s6_addr32[1], zap->addr.pr_s6_addr32[2],
+	       zap->addr.pr_s6_addr32[3], zap->port, zap->creationTime,
+	       zap->u.ssl2.cipherType));
+    if (zap->version < SSL_LIBRARY_VERSION_3_0) {
+	PRINT_BUF(8, (0, "sessionID:",
+		      zap->u.ssl2.sessionID, sizeof(zap->u.ssl2.sessionID)));
+	PRINT_BUF(8, (0, "masterKey:",
+		      zap->u.ssl2.masterKey.data, zap->u.ssl2.masterKey.len));
+	PRINT_BUF(8, (0, "cipherArg:",
+		      zap->u.ssl2.cipherArg.data, zap->u.ssl2.cipherArg.len));
+    }
+
+    /* See if it's in the cache, if so nuke it */
+    while ((sid = *sidp) != 0) {
+	if (sid == zap) {
+	    /*
+	    ** Bingo. Reduce reference count by one so that when
+	    ** everyone is done with the sid we can free it up.
+	    */
+	    *sidp = zap->next;
+	    zap->cached = invalid_cache;
+	    ssl_FreeLockedSID(zap);
+	    return;
+	}
+	sidp = &sid->next;
+    }
+}
+
+/* If sid "zap" is in the cache,
+ *    removes sid from cache, and decrements reference count.
+ * Although this function is static, it is called externally via 
+ *    ss->sec.uncache().
+ */
+static void
+LockAndUncacheSID(sslSessionID *zap)
+{
+    LOCK_CACHE;
+    UncacheSID(zap);
+    UNLOCK_CACHE;
+
+}
+
+/* choose client or server cache functions for this sslsocket. */
+void 
+ssl_ChooseSessionIDProcs(sslSecurityInfo *sec)
+{
+    if (sec->isServer) {
+	sec->cache   = ssl_sid_cache;
+	sec->uncache = ssl_sid_uncache;
+    } else {
+	sec->cache   = CacheSID;
+	sec->uncache = LockAndUncacheSID;
+    }
+}
+
+/* wipe out the entire client session cache. */
+void
+SSL_ClearSessionCache(void)
+{
+    LOCK_CACHE;
+    while(cache != NULL)
+	UncacheSID(cache);
+    UNLOCK_CACHE;
+}
+
+/* returns an unsigned int containing the number of seconds in PR_Now() */
+PRUint32
+ssl_Time(void)
+{
+    PRUint32 myTime;
+#if defined(XP_UNIX) || defined(XP_WIN) || defined(_WINDOWS) || defined(XP_BEOS)
+    myTime = time(NULL);	/* accurate until the year 2038. */
+#else
+    /* portable, but possibly slower */
+    PRTime now;
+    PRInt64 ll;
+
+    now = PR_Now();
+    LL_I2L(ll, 1000000L);
+    LL_DIV(now, now, ll);
+    LL_L2UI(myTime, now);
+#endif
+    return myTime;
+}
+
diff --git a/security/nss/lib/ssl/sslproto.h b/security/nss/lib/ssl/sslproto.h
new file mode 100644
index 000000000..408f2b2a4
--- /dev/null
+++ b/security/nss/lib/ssl/sslproto.h
@@ -0,0 +1,172 @@
+/*
+ * Various and sundry protocol constants. DON'T CHANGE THESE. These values 
+ * are mostly defined by the SSL2, SSL3, or TLS protocol specifications.
+ * Cipher kinds and ciphersuites are part of the public API.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#ifndef __sslproto_h_
+#define __sslproto_h_
+
+/* All versions less than 3_0 are treated as SSL version 2 */
+#define SSL_LIBRARY_VERSION_2			0x0002
+#define SSL_LIBRARY_VERSION_3_0			0x0300
+#define SSL_LIBRARY_VERSION_3_1_TLS		0x0301
+
+/* Header lengths of some of the messages */
+#define SSL_HL_ERROR_HBYTES			3
+#define SSL_HL_CLIENT_HELLO_HBYTES		9
+#define SSL_HL_CLIENT_MASTER_KEY_HBYTES		10
+#define SSL_HL_CLIENT_FINISHED_HBYTES		1
+#define SSL_HL_SERVER_HELLO_HBYTES		11
+#define SSL_HL_SERVER_VERIFY_HBYTES		1
+#define SSL_HL_SERVER_FINISHED_HBYTES		1
+#define SSL_HL_REQUEST_CERTIFICATE_HBYTES	2
+#define SSL_HL_CLIENT_CERTIFICATE_HBYTES	6
+
+/* Security handshake protocol codes */
+#define SSL_MT_ERROR				0
+#define SSL_MT_CLIENT_HELLO			1
+#define SSL_MT_CLIENT_MASTER_KEY		2
+#define SSL_MT_CLIENT_FINISHED			3
+#define SSL_MT_SERVER_HELLO			4
+#define SSL_MT_SERVER_VERIFY			5
+#define SSL_MT_SERVER_FINISHED			6
+#define SSL_MT_REQUEST_CERTIFICATE		7
+#define SSL_MT_CLIENT_CERTIFICATE		8
+
+/* Certificate types */
+#define SSL_CT_X509_CERTIFICATE			0x01
+#if 0 /* XXX Not implemented yet */
+#define SSL_PKCS6_CERTIFICATE			0x02
+#endif
+#define SSL_AT_MD5_WITH_RSA_ENCRYPTION		0x01
+
+/* Error codes */
+#define SSL_PE_NO_CYPHERS			0x0001
+#define SSL_PE_NO_CERTIFICATE			0x0002
+#define SSL_PE_BAD_CERTIFICATE			0x0004
+#define SSL_PE_UNSUPPORTED_CERTIFICATE_TYPE	0x0006
+
+/* Cypher kinds (not the spec version!) */
+#define SSL_CK_RC4_128_WITH_MD5			0x01
+#define SSL_CK_RC4_128_EXPORT40_WITH_MD5	0x02
+#define SSL_CK_RC2_128_CBC_WITH_MD5		0x03
+#define SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5	0x04
+#define SSL_CK_IDEA_128_CBC_WITH_MD5		0x05
+#define SSL_CK_DES_64_CBC_WITH_MD5		0x06
+#define SSL_CK_DES_192_EDE3_CBC_WITH_MD5	0x07
+
+/* Cipher enables.  These are used only for SSL_EnableCipher 
+ * These values define the SSL2 suites, and do not colide with the 
+ * SSL3 Cipher suites defined below.
+ */
+#define SSL_EN_RC4_128_WITH_MD5			0xFF01
+#define SSL_EN_RC4_128_EXPORT40_WITH_MD5	0xFF02
+#define SSL_EN_RC2_128_CBC_WITH_MD5		0xFF03
+#define SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5	0xFF04
+#define SSL_EN_IDEA_128_CBC_WITH_MD5		0xFF05
+#define SSL_EN_DES_64_CBC_WITH_MD5		0xFF06
+#define SSL_EN_DES_192_EDE3_CBC_WITH_MD5	0xFF07
+
+/* SSL v3 Cipher Suites */
+#define SSL_NULL_WITH_NULL_NULL			0x0000
+
+#define SSL_RSA_WITH_NULL_MD5			0x0001
+#define SSL_RSA_WITH_NULL_SHA			0x0002
+#define SSL_RSA_EXPORT_WITH_RC4_40_MD5		0x0003
+#define SSL_RSA_WITH_RC4_128_MD5		0x0004
+#define SSL_RSA_WITH_RC4_128_SHA		0x0005
+#define SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5	0x0006
+#define SSL_RSA_WITH_IDEA_CBC_SHA		0x0007
+#define SSL_RSA_EXPORT_WITH_DES40_CBC_SHA	0x0008
+#define SSL_RSA_WITH_DES_CBC_SHA		0x0009
+#define SSL_RSA_WITH_3DES_EDE_CBC_SHA		0x000a
+						       
+#define SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA	0x000b
+#define SSL_DH_DSS_WITH_DES_CBC_SHA		0x000c
+#define SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA	0x000d
+#define SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA	0x000e
+#define SSL_DH_RSA_WITH_DES_CBC_SHA		0x000f
+#define SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA	0x0010
+						       
+#define SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA	0x0011
+#define SSL_DHE_DSS_WITH_DES_CBC_SHA		0x0012
+#define SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA	0x0013
+#define SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA	0x0014
+#define SSL_DHE_RSA_WITH_DES_CBC_SHA		0x0015
+#define SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA	0x0016
+						       
+#define SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5	0x0017
+#define SSL_DH_ANON_WITH_RC4_128_MD5		0x0018
+#define SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA	0x0019
+#define SSL_DH_ANON_WITH_DES_CBC_SHA		0x001a
+#define SSL_DH_ANON_WITH_3DES_EDE_CBC_SHA	0x001b
+
+#define SSL_FORTEZZA_DMS_WITH_NULL_SHA		0x001c
+#define SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA	0x001d
+#define SSL_FORTEZZA_DMS_WITH_RC4_128_SHA	0x001e
+
+/* New TLS cipher suites */
+#define TLS_RSA_WITH_AES_128_CBC_SHA      	0x002F
+#define TLS_DH_DSS_WITH_AES_128_CBC_SHA   	0x0030
+#define TLS_DH_RSA_WITH_AES_128_CBC_SHA   	0x0031
+#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA  	0x0032
+#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA  	0x0033
+#define TLS_DH_ANON_WITH_AES_128_CBC_SHA  	0x0034
+
+#define TLS_RSA_WITH_AES_256_CBC_SHA      	0x0035
+#define TLS_DH_DSS_WITH_AES_256_CBC_SHA   	0x0036
+#define TLS_DH_RSA_WITH_AES_256_CBC_SHA   	0x0037
+#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA  	0x0038
+#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA  	0x0039
+#define TLS_DH_ANON_WITH_AES_256_CBC_SHA  	0x003A
+
+#define TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA     0x0062
+#define TLS_RSA_EXPORT1024_WITH_RC4_56_SHA      0x0064
+
+#define TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x0063
+#define TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA  0x0065
+#define TLS_DHE_DSS_WITH_RC4_128_SHA            0x0066
+
+/* Netscape "experimental" cipher suites. */
+#define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA	0xffe0
+#define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA	0xffe1
+
+/* New non-experimental openly spec'ed versions of those cipher suites. */
+#define SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA 	0xfeff
+#define SSL_RSA_FIPS_WITH_DES_CBC_SHA      	0xfefe
+
+#endif /* __sslproto_h_ */
diff --git a/security/nss/lib/ssl/sslreveal.c b/security/nss/lib/ssl/sslreveal.c
new file mode 100644
index 000000000..44ae47810
--- /dev/null
+++ b/security/nss/lib/ssl/sslreveal.c
@@ -0,0 +1,97 @@
+/* 
+ * Accessor functions for SSLSocket private members.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "cert.h"
+#include "ssl.h"
+#include "certt.h"
+#include "sslimpl.h"
+
+/* given PRFileDesc, returns a copy of certificate associated with the socket
+ * the caller should delete the cert when done with SSL_DestroyCertificate
+ */
+CERTCertificate * 
+SSL_RevealCert(PRFileDesc * fd)
+{
+  CERTCertificate * cert = NULL;
+  sslSocket * sslsocket = NULL;
+
+  sslsocket = ssl_FindSocket(fd);
+  
+  /* CERT_DupCertificate increases reference count and returns pointer to 
+   * the same cert
+   */
+  if (sslsocket && sslsocket->sec.peerCert)
+    cert = CERT_DupCertificate(sslsocket->sec.peerCert);
+  
+  return cert;
+}
+
+/* given PRFileDesc, returns a pointer to PinArg associated with the socket
+ */
+void * 
+SSL_RevealPinArg(PRFileDesc * fd)
+{
+  sslSocket * sslsocket = NULL;
+  void * PinArg = NULL;
+  
+  sslsocket = ssl_FindSocket(fd);
+  
+  /* is pkcs11PinArg part of the sslSocket or sslSecurityInfo ? */
+  if (sslsocket)
+    PinArg = sslsocket->pkcs11PinArg;
+  
+  return PinArg;
+}
+
+
+/* given PRFileDesc, returns a pointer to the URL associated with the socket
+ * the caller should free url when done  
+ */
+char * 
+SSL_RevealURL(PRFileDesc * fd)
+{
+  sslSocket * sslsocket = NULL;
+  char * url = NULL;
+
+  sslsocket = ssl_FindSocket(fd);
+  
+  if (sslsocket && sslsocket->url)
+    url = PL_strdup(sslsocket->url);
+  
+  return url;
+}
+
diff --git a/security/nss/lib/ssl/sslsecur.c b/security/nss/lib/ssl/sslsecur.c
new file mode 100644
index 000000000..85bb024c8
--- /dev/null
+++ b/security/nss/lib/ssl/sslsecur.c
@@ -0,0 +1,1292 @@
+/*
+ * Various SSL functions.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+#include "cert.h"
+#include "secitem.h"
+#include "keyhi.h"
+#include "ssl.h"
+#include "sslimpl.h"
+#include "sslproto.h"
+#include "secoid.h"	/* for SECOID_GetALgorithmTag */
+#include "pk11func.h"	/* for PK11_GenerateRandom */
+
+#if defined(_WINDOWS)
+#include "winsock.h"	/* for MSG_PEEK */
+#elif defined(XP_MAC)
+#include "macsocket.h"
+#elif defined(BEOS)
+#define MSG_PEEK 0x2
+#else
+#include <sys/socket.h> /* for MSG_PEEK */
+#endif
+
+#define MAX_BLOCK_CYPHER_SIZE	32
+
+#define TEST_FOR_FAILURE	/* reminder */
+#define SET_ERROR_CODE		/* reminder */
+
+/* Returns a SECStatus: SECSuccess or SECFailure, NOT SECWouldBlock. 
+ * 
+ * Currently, the list of functions called through ss->handshake is:
+ * 
+ * In sslsocks.c:
+ *  SocksGatherRecord
+ *  SocksHandleReply	
+ *  SocksStartGather
+ *
+ * In sslcon.c:
+ *  ssl_GatherRecord1stHandshake
+ *  ssl2_HandleClientSessionKeyMessage
+ *  ssl2_HandleMessage
+ *  ssl2_HandleVerifyMessage
+ *  ssl2_BeginClientHandshake
+ *  ssl2_BeginServerHandshake
+ *  ssl2_HandleClientHelloMessage
+ *  ssl2_HandleServerHelloMessage
+ * 
+ * The ss->handshake function returns SECWouldBlock under these conditions:
+ * 1.	ssl_GatherRecord1stHandshake called ssl2_GatherData which read in 
+ *	the beginning of an SSL v3 hello message and returned SECWouldBlock 
+ *	to switch to SSL v3 handshake processing.
+ *
+ * 2.	ssl2_HandleClientHelloMessage discovered version 3.0 in the incoming
+ *	v2 client hello msg, and called ssl3_HandleV2ClientHello which 
+ *	returned SECWouldBlock.
+ *
+ * 3.   SECWouldBlock was returned by one of the callback functions, via
+ *	one of these paths:
+ * -	ssl2_HandleMessage() -> ssl2_HandleRequestCertificate() -> ss->getClientAuthData()
+ *
+ * -	ssl2_HandleServerHelloMessage() -> ss->handleBadCert()
+ *
+ * -	ssl_GatherRecord1stHandshake() -> ssl3_GatherCompleteHandshake() -> 
+ *	ssl3_HandleRecord() -> ssl3_HandleHandshake() -> 
+ *	ssl3_HandleHandshakeMessage() -> ssl3_HandleCertificate() -> 
+ *	ss->handleBadCert()
+ *
+ * -	ssl_GatherRecord1stHandshake() -> ssl3_GatherCompleteHandshake() -> 
+ *	ssl3_HandleRecord() -> ssl3_HandleHandshake() -> 
+ *	ssl3_HandleHandshakeMessage() -> ssl3_HandleCertificateRequest() -> 
+ *	ss->getClientAuthData()
+ *
+ * Called from: SSL_ForceHandshake	(below), 
+ *              ssl_SecureRecv 		(below) and
+ *              ssl_SecureSend		(below)
+ *	  from: WaitForResponse 	in sslsocks.c
+ *	        ssl_SocksRecv   	in sslsocks.c
+ *              ssl_SocksSend   	in sslsocks.c
+ *
+ * Caller must hold the (write) handshakeLock.
+ */
+int 
+ssl_Do1stHandshake(sslSocket *ss)
+{
+    int rv        = SECSuccess;
+    int loopCount = 0;
+
+    do {
+	PORT_Assert( ssl_Have1stHandshakeLock(ss) );
+	PORT_Assert( !ssl_HaveRecvBufLock(ss)   );
+	PORT_Assert( !ssl_HaveXmitBufLock(ss)   );
+
+	if (ss->handshake == 0) {
+	    /* Previous handshake finished. Switch to next one */
+	    ss->handshake = ss->nextHandshake;
+	    ss->nextHandshake = 0;
+	}
+	if (ss->handshake == 0) {
+	    /* Previous handshake finished. Switch to security handshake */
+	    ss->handshake = ss->securityHandshake;
+	    ss->securityHandshake = 0;
+	}
+	if (ss->handshake == 0) {
+	    ssl_GetRecvBufLock(ss);
+	    ss->gs.recordLen = 0;
+	    ssl_ReleaseRecvBufLock(ss);
+
+	    SSL_TRC(3, ("%d: SSL[%d]: handshake is completed",
+			SSL_GETPID(), ss->fd));
+            /* call handshake callback for ssl v2 */
+	    /* for v3 this is done in ssl3_HandleFinished() */
+	    if ((ss->handshakeCallback != NULL) && /* has callback */
+		(!ss->firstHsDone) &&              /* only first time */
+		(ss->version < SSL_LIBRARY_VERSION_3_0)) {  /* not ssl3 */
+		ss->firstHsDone     = PR_TRUE;
+		(ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
+	    }
+	    ss->firstHsDone         = PR_TRUE;
+	    ss->gs.writeOffset = 0;
+	    ss->gs.readOffset  = 0;
+	    break;
+	}
+	rv = (*ss->handshake)(ss);
+	++loopCount;
+    /* This code must continue to loop on SECWouldBlock, 
+     * or any positive value.	See XXX_1 comments.
+     */
+    } while (rv != SECFailure);  	/* was (rv >= 0); XXX_1 */
+
+    PORT_Assert( !ssl_HaveRecvBufLock(ss)   );
+    PORT_Assert( !ssl_HaveXmitBufLock(ss)   );
+
+    if (rv == SECWouldBlock) {
+	PORT_SetError(PR_WOULD_BLOCK_ERROR);
+	rv = SECFailure;
+    }
+    return rv;
+}
+
+/*
+ * Handshake function that blocks.  Used to force a
+ * retry on a connection on the next read/write.
+ */
+static SECStatus
+AlwaysBlock(sslSocket *ss)
+{
+    PORT_SetError(PR_WOULD_BLOCK_ERROR);	/* perhaps redundant. */
+    return SECWouldBlock;
+}
+
+/*
+ * set the initial handshake state machine to block
+ */
+void
+ssl_SetAlwaysBlock(sslSocket *ss)
+{
+    if (!ss->firstHsDone) {
+	ss->handshake = AlwaysBlock;
+	ss->nextHandshake = 0;
+    }
+}
+
+/* Acquires and releases HandshakeLock.
+*/
+SECStatus
+SSL_ResetHandshake(PRFileDesc *s, PRBool asServer)
+{
+    sslSocket *ss;
+    SECStatus status;
+    PRNetAddr addr;
+
+    ss = ssl_FindSocket(s);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in ResetHandshake", SSL_GETPID(), s));
+	return SECFailure;
+    }
+
+    /* Don't waste my time */
+    if (!ss->useSecurity)
+	return SECSuccess;
+
+    SSL_LOCK_READER(ss);
+    SSL_LOCK_WRITER(ss);
+
+    /* Reset handshake state */
+    ssl_Get1stHandshakeLock(ss);
+    ssl_GetSSL3HandshakeLock(ss);
+
+    ss->firstHsDone = PR_FALSE;
+    if ( asServer ) {
+	ss->handshake = ssl2_BeginServerHandshake;
+	ss->handshaking = sslHandshakingAsServer;
+    } else {
+	ss->handshake = ssl2_BeginClientHandshake;
+	ss->handshaking = sslHandshakingAsClient;
+    }
+    ss->nextHandshake       = 0;
+    ss->securityHandshake   = 0;
+
+    ssl_GetRecvBufLock(ss);
+    status = ssl_InitGather(&ss->gs);
+    ssl_ReleaseRecvBufLock(ss);
+
+    /*
+    ** Blow away old security state and get a fresh setup.
+    */
+    ssl_GetXmitBufLock(ss); 
+    ssl_ResetSecurityInfo(&ss->sec);
+    status = ssl_CreateSecurityInfo(ss);
+    ssl_ReleaseXmitBufLock(ss); 
+
+    ssl_ReleaseSSL3HandshakeLock(ss);
+    ssl_Release1stHandshakeLock(ss);
+
+    if (!ss->TCPconnected)
+	ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr));
+
+    SSL_UNLOCK_WRITER(ss);
+    SSL_UNLOCK_READER(ss);
+
+    return status;
+}
+
+/* For SSLv2, does nothing but return an error.
+** For SSLv3, flushes SID cache entry (if requested),
+** and then starts new client hello or hello request.
+** Acquires and releases HandshakeLock.
+*/
+SECStatus
+SSL_ReHandshake(PRFileDesc *fd, PRBool flushCache)
+{
+    sslSocket *ss;
+    SECStatus  rv;
+    
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in RedoHandshake", SSL_GETPID(), fd));
+	return SECFailure;
+    }
+
+    if (!ss->useSecurity)
+	return SECSuccess;
+    
+    ssl_Get1stHandshakeLock(ss);
+
+    /* SSL v2 protocol does not support subsequent handshakes. */
+    if (ss->version < SSL_LIBRARY_VERSION_3_0) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	rv = SECFailure;
+    } else {
+	ssl_GetSSL3HandshakeLock(ss);
+	rv = ssl3_RedoHandshake(ss, flushCache); /* force full handshake. */
+	ssl_ReleaseSSL3HandshakeLock(ss);
+    }
+
+    ssl_Release1stHandshakeLock(ss);
+
+    return rv;
+}
+
+SECStatus
+SSL_RedoHandshake(PRFileDesc *fd)
+{
+    return SSL_ReHandshake(fd, PR_TRUE);
+}
+
+/* Register an application callback to be called when SSL handshake completes.
+** Acquires and releases HandshakeLock.
+*/
+SECStatus
+SSL_HandshakeCallback(PRFileDesc *fd, SSLHandshakeCallback cb,
+		      void *client_data)
+{
+    sslSocket *ss;
+    
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in HandshakeCallback",
+		 SSL_GETPID(), fd));
+	return SECFailure;
+    }
+
+    if (!ss->useSecurity) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    ssl_Get1stHandshakeLock(ss);
+    ssl_GetSSL3HandshakeLock(ss);
+
+    ss->handshakeCallback     = cb;
+    ss->handshakeCallbackData = client_data;
+
+    ssl_ReleaseSSL3HandshakeLock(ss);
+    ssl_Release1stHandshakeLock(ss);
+
+    return SECSuccess;
+}
+
+/* Try to make progress on an SSL handshake by attempting to read the 
+** next handshake from the peer, and sending any responses.
+** For non-blocking sockets, returns PR_ERROR_WOULD_BLOCK  if it cannot 
+** read the next handshake from the underlying socket.
+** For SSLv2, returns when handshake is complete or fatal error occurs.
+** For SSLv3, returns when handshake is complete, or application data has
+** arrived that must be taken by application before handshake can continue, 
+** or a fatal error occurs.
+** Application should use handshake completion callback to tell which. 
+*/
+SECStatus
+SSL_ForceHandshake(PRFileDesc *fd)
+{
+    sslSocket *ss;
+    SECStatus  rv = SECFailure;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in ForceHandshake",
+		 SSL_GETPID(), fd));
+	return rv;
+    }
+
+    /* Don't waste my time */
+    if (!ss->useSecurity) 
+    	return SECSuccess;
+
+    ssl_Get1stHandshakeLock(ss);
+
+    if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
+	int gatherResult;
+
+    	ssl_GetRecvBufLock(ss);
+	gatherResult = ssl3_GatherCompleteHandshake(ss, 0);
+	ssl_ReleaseRecvBufLock(ss);
+	if (gatherResult > 0) {
+	    rv = SECSuccess;
+	} else if (gatherResult == 0) {
+	    PORT_SetError(PR_END_OF_FILE_ERROR);
+	} else if (gatherResult == SECWouldBlock) {
+	    PORT_SetError(PR_WOULD_BLOCK_ERROR);
+	}
+    } else if (!ss->firstHsDone) {
+	rv = ssl_Do1stHandshake(ss);
+    } else {
+	/* tried to force handshake on an SSL 2 socket that has 
+	** already completed the handshake. */
+    	rv = SECSuccess;	/* just pretend we did it. */
+    }
+
+    ssl_Release1stHandshakeLock(ss);
+
+    return rv;
+}
+
+/************************************************************************/
+
+/*
+** Grow a buffer to hold newLen bytes of data.
+** Called for both recv buffers and xmit buffers.
+** Caller must hold xmitBufLock or recvBufLock, as appropriate.
+*/
+SECStatus
+sslBuffer_Grow(sslBuffer *b, unsigned int newLen)
+{
+    if (newLen > b->space) {
+	if (b->buf) {
+	    b->buf = (unsigned char *) PORT_Realloc(b->buf, newLen);
+	} else {
+	    b->buf = (unsigned char *) PORT_Alloc(newLen);
+	}
+	if (!b->buf) {
+	    return SECFailure;
+	}
+	SSL_TRC(10, ("%d: SSL: grow buffer from %d to %d",
+		     SSL_GETPID(), b->space, newLen));
+	b->space = newLen;
+    }
+    return SECSuccess;
+}
+
+/*
+** Save away write data that is trying to be written before the security
+** handshake has been completed. When the handshake is completed, we will
+** flush this data out.
+** Caller must hold xmitBufLock
+*/
+SECStatus 
+ssl_SaveWriteData(sslSocket *ss, sslBuffer *buf, const void *data, 
+                      unsigned int len)
+{
+    unsigned int newlen;
+    SECStatus    rv;
+
+    PORT_Assert( ssl_HaveXmitBufLock(ss) );
+    newlen = buf->len + len;
+    if (newlen > buf->space) {
+	rv = sslBuffer_Grow(buf, newlen);
+	if (rv) {
+	    return rv;
+	}
+    }
+    SSL_TRC(5, ("%d: SSL[%d]: saving %d bytes of data (%d total saved so far)",
+		 SSL_GETPID(), ss->fd, len, newlen));
+    PORT_Memcpy(buf->buf + buf->len, data, len);
+    buf->len = newlen;
+    return SECSuccess;
+}
+
+/*
+** Send saved write data. This will flush out data sent prior to a
+** complete security handshake. Hopefully there won't be too much of it.
+** Returns count of the bytes sent, NOT a SECStatus.
+** Caller must hold xmitBufLock
+*/
+int 
+ssl_SendSavedWriteData(sslSocket *ss, sslBuffer *buf, sslSendFunc send)
+{
+    int rv	= 0;
+    int len	= buf->len;
+
+    PORT_Assert( ssl_HaveXmitBufLock(ss) );
+    if (len != 0) {
+	SSL_TRC(5, ("%d: SSL[%d]: sending %d bytes of saved data",
+		     SSL_GETPID(), ss->fd, len));
+	rv = (*send)(ss, buf->buf, len, 0);
+	if (rv < 0) {
+	    return rv;
+	} 
+	if (rv < len) {
+	    /* UGH !! This shifts the whole buffer down by copying it, and 
+	    ** it depends on PORT_Memmove doing overlapping moves correctly!
+	    ** It should advance the pointer offset instead !!
+	    */
+	    PORT_Memmove(buf->buf, buf->buf + rv, len - rv);
+	    buf->len = len - rv;
+	} else {
+	    buf->len = 0;
+    	}
+    }
+    return rv;
+}
+
+/************************************************************************/
+
+/*
+** Receive some application data on a socket.  Reads SSL records from the input
+** stream, decrypts them and then copies them to the output buffer.
+** Called from ssl_SecureRecv() below.
+**
+** Caller does NOT hold 1stHandshakeLock because that handshake is over.
+** Caller doesn't call this until initial handshake is complete.
+** For SSLv2, there is no subsequent handshake.
+** For SSLv3, the call to ssl3_GatherAppDataRecord may encounter handshake
+** messages from a subsequent handshake.
+**
+** This code is similar to, and easily confused with, 
+**   ssl_GatherRecord1stHandshake() in sslcon.c
+*/
+static int 
+DoRecv(sslSocket *ss, unsigned char *out, int len, int flags)
+{
+    int              rv;
+    int              amount;
+    int              available;
+
+    ssl_GetRecvBufLock(ss);
+
+    available = ss->gs.writeOffset - ss->gs.readOffset;
+    if (available == 0) {
+	/* Get some more data */
+	if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
+	    /* Wait for application data to arrive.  */
+	    rv = ssl3_GatherAppDataRecord(ss, 0);
+	} else {
+	    /* See if we have a complete record */
+	    rv = ssl2_GatherRecord(ss, 0);
+	}
+	if (rv <= 0) {
+	    if (rv == 0) {
+		/* EOF */
+		SSL_TRC(10, ("%d: SSL[%d]: ssl_recv EOF",
+			     SSL_GETPID(), ss->fd));
+		goto done;
+	    }
+	    if ((rv != SECWouldBlock) && 
+	        (PR_GetError() != PR_WOULD_BLOCK_ERROR)) {
+		/* Some random error */
+		goto done;
+	    }
+
+	    /*
+	    ** Gather record is blocked waiting for more record data to
+	    ** arrive. Try to process what we have already received
+	    */
+	} else {
+	    /* Gather record has finished getting a complete record */
+	}
+
+	/* See if any clear data is now available */
+	available = ss->gs.writeOffset - ss->gs.readOffset;
+	if (available == 0) {
+	    /*
+	    ** No partial data is available. Force error code to
+	    ** EWOULDBLOCK so that caller will try again later. Note
+	    ** that the error code is probably EWOULDBLOCK already,
+	    ** but if it isn't (for example, if we received a zero
+	    ** length record) then this will force it to be correct.
+	    */
+	    PORT_SetError(PR_WOULD_BLOCK_ERROR);
+	    rv = SECFailure;
+	    goto done;
+	}
+	SSL_TRC(30, ("%d: SSL[%d]: partial data ready, available=%d",
+		     SSL_GETPID(), ss->fd, available));
+    }
+
+    /* Dole out clear data to reader */
+    amount = PR_MIN(len, available);
+    PORT_Memcpy(out, ss->gs.buf.buf + ss->gs.readOffset, amount);
+    if (!(flags & MSG_PEEK)) {
+	ss->gs.readOffset += amount;
+    }
+    rv = amount;
+
+    SSL_TRC(30, ("%d: SSL[%d]: amount=%d available=%d",
+		 SSL_GETPID(), ss->fd, amount, available));
+    PRINT_BUF(4, (ss, "DoRecv receiving plaintext:", out, amount));
+
+done:
+    ssl_ReleaseRecvBufLock(ss);
+    return rv;
+}
+
+/************************************************************************/
+
+SSLKEAType
+ssl_FindCertKEAType(CERTCertificate * cert)
+{
+  SSLKEAType keaType = kt_null; 
+  int tag;
+  
+  if (!cert) goto loser;
+  
+  tag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
+  
+  switch (tag) {
+  case SEC_OID_X500_RSA_ENCRYPTION:
+  case SEC_OID_PKCS1_RSA_ENCRYPTION:
+    keaType = kt_rsa;
+    break;
+  case SEC_OID_MISSI_KEA_DSS_OLD:
+  case SEC_OID_MISSI_KEA_DSS:
+  case SEC_OID_MISSI_DSS_OLD:
+  case SEC_OID_MISSI_DSS:
+    keaType = kt_fortezza;
+    break;
+  case SEC_OID_X942_DIFFIE_HELMAN_KEY:
+    keaType = kt_dh;
+    break;
+  default:
+    keaType = kt_null;
+  }
+  
+ loser:
+  
+  return keaType;
+
+}
+
+
+/* XXX need to protect the data that gets changed here.!! */
+
+SECStatus
+SSL_ConfigSecureServer(PRFileDesc *fd, CERTCertificate *cert,
+		       SECKEYPrivateKey *key, SSL3KEAType kea)
+{
+    SECStatus rv;
+    sslSocket *ss;
+    sslServerCerts  *sc;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	return SECFailure;
+    }
+
+    /* Both key and cert must have a value or be NULL */
+    /* Passing a value of NULL will turn off key exchange algorithms that were
+     * previously turned on */
+    if (!cert != !key) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    /* make sure the key exchange is recognized */
+    if ((kea >= kt_kea_size) || (kea < kt_null)) {
+	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+	return SECFailure;
+    }
+
+    if (kea != ssl_FindCertKEAType(cert)) {
+    	PORT_SetError(SSL_ERROR_CERT_KEA_MISMATCH);
+	return SECFailure;
+    }
+
+    sc = ss->serverCerts + kea;
+    /* load the server certificate */
+    if (sc->serverCert != NULL) {
+	CERT_DestroyCertificate(sc->serverCert);
+    	sc->serverCert = NULL;
+    }
+    if (cert) {
+	SECKEYPublicKey * pubKey;
+	sc->serverCert = CERT_DupCertificate(cert);
+	if (!sc->serverCert)
+	    goto loser;
+    	/* get the size of the cert's public key, and remember it */
+	pubKey = CERT_ExtractPublicKey(cert);
+	if (!pubKey) 
+	    goto loser;
+	sc->serverKeyBits = SECKEY_PublicKeyStrength(pubKey) * BPB;
+	SECKEY_DestroyPublicKey(pubKey); 
+	pubKey = NULL;
+    }
+
+
+    /* load the server cert chain */
+    if (sc->serverCertChain != NULL) {
+	CERT_DestroyCertificateList(sc->serverCertChain);
+    	sc->serverCertChain = NULL;
+    }
+    if (cert) {
+	sc->serverCertChain = CERT_CertChainFromCert(
+			    sc->serverCert, certUsageSSLServer, PR_TRUE);
+	if (sc->serverCertChain == NULL)
+	     goto loser;
+    }
+
+    /* load the private key */
+    if (sc->serverKey != NULL) {
+	SECKEY_DestroyPrivateKey(sc->serverKey);
+    	sc->serverKey = NULL;
+    }
+    if (key) {
+	sc->serverKey = SECKEY_CopyPrivateKey(key);
+	if (sc->serverKey == NULL)
+	    goto loser;
+    }
+
+    if (kea == kt_rsa) {
+        rv = ssl3_CreateRSAStepDownKeys(ss);
+	if (rv != SECSuccess) {
+	    return SECFailure;	/* err set by ssl3_CreateRSAStepDownKeys */
+	}
+    }
+
+    /* Only do this once because it's global. */
+    if (ssl3_server_ca_list == NULL)
+	ssl3_server_ca_list = CERT_GetSSLCACerts(ss->dbHandle);
+
+    return SECSuccess;
+
+loser:
+    if (sc->serverCert != NULL) {
+	CERT_DestroyCertificate(sc->serverCert);
+	sc->serverCert = NULL;
+    }
+    if (sc->serverCertChain != NULL) {
+	CERT_DestroyCertificateList(sc->serverCertChain);
+	sc->serverCertChain = NULL;
+    }
+    if (sc->serverKey != NULL) {
+	SECKEY_DestroyPrivateKey(sc->serverKey);
+	sc->serverKey = NULL;
+    }
+    return SECFailure;
+}
+
+/************************************************************************/
+
+SECStatus
+ssl_CreateSecurityInfo(sslSocket *ss)
+{
+    SECStatus status;
+
+    /* initialize sslv2 socket to send data in the clear. */
+    ssl2_UseClearSendFunc(ss);
+
+    ss->sec.blockSize  = 1;
+    ss->sec.blockShift = 0;
+
+    ssl_GetXmitBufLock(ss); 
+    status = sslBuffer_Grow(&ss->sec.writeBuf, 4096);
+    ssl_ReleaseXmitBufLock(ss); 
+
+    return status;
+}
+
+SECStatus
+ssl_CopySecurityInfo(sslSocket *ss, sslSocket *os)
+{
+    int rv;
+
+    ss->sec.send 		= os->sec.send;
+    ss->sec.isServer 		= os->sec.isServer;
+    ss->sec.keyBits    		= os->sec.keyBits;
+    ss->sec.secretKeyBits 	= os->sec.secretKeyBits;
+
+    ss->sec.peerCert   		= CERT_DupCertificate(os->sec.peerCert);
+    if (os->sec.peerCert && !ss->sec.peerCert)
+    	goto loser;
+
+    ss->sec.cache      		= os->sec.cache;
+    ss->sec.uncache    		= os->sec.uncache;
+
+    /* we don't dup the connection info. */
+
+    ss->sec.sendSequence 	= os->sec.sendSequence;
+    ss->sec.rcvSequence 	= os->sec.rcvSequence;
+
+    if (os->sec.hash && os->sec.hashcx) {
+	ss->sec.hash 		= os->sec.hash;
+	ss->sec.hashcx 		= os->sec.hash->clone(os->sec.hashcx);
+	if (os->sec.hashcx && !ss->sec.hashcx)
+	    goto loser;
+    } else {
+	ss->sec.hash 		= NULL;
+	ss->sec.hashcx 		= NULL;
+    }
+
+    SECITEM_CopyItem(0, &ss->sec.sendSecret, &os->sec.sendSecret);
+    if (os->sec.sendSecret.data && !ss->sec.sendSecret.data)
+    	goto loser;
+    SECITEM_CopyItem(0, &ss->sec.rcvSecret,  &os->sec.rcvSecret);
+    if (os->sec.rcvSecret.data && !ss->sec.rcvSecret.data)
+    	goto loser;
+
+    /* XXX following code is wrong if either cx != 0 */
+    PORT_Assert(os->sec.readcx  == 0);
+    PORT_Assert(os->sec.writecx == 0);
+    ss->sec.readcx     		= os->sec.readcx;
+    ss->sec.writecx    		= os->sec.writecx;
+    ss->sec.destroy    		= 0;	
+
+    ss->sec.enc        		= os->sec.enc;
+    ss->sec.dec        		= os->sec.dec;
+
+    ss->sec.blockShift 		= os->sec.blockShift;
+    ss->sec.blockSize  		= os->sec.blockSize;
+
+    return SECSuccess;
+
+loser:
+    return SECFailure;
+}
+
+/* Reset sec back to its initial state.
+** Caller holds any relevant locks.
+*/
+void 
+ssl_ResetSecurityInfo(sslSecurityInfo *sec)
+{
+    /* Destroy MAC */
+    if (sec->hash && sec->hashcx) {
+	(*sec->hash->destroy)(sec->hashcx, PR_TRUE);
+	sec->hashcx = NULL;
+	sec->hash = NULL;
+    }
+    SECITEM_ZfreeItem(&sec->sendSecret, PR_FALSE);
+    SECITEM_ZfreeItem(&sec->rcvSecret, PR_FALSE);
+
+    /* Destroy ciphers */
+    if (sec->destroy) {
+	(*sec->destroy)(sec->readcx, PR_TRUE);
+	(*sec->destroy)(sec->writecx, PR_TRUE);
+	sec->readcx = NULL;
+	sec->writecx = NULL;
+    } else {
+	PORT_Assert(sec->readcx == 0);
+	PORT_Assert(sec->writecx == 0);
+    }
+    sec->readcx = 0;
+    sec->writecx = 0;
+
+    if (sec->localCert) {
+	CERT_DestroyCertificate(sec->localCert);
+	sec->localCert = NULL;
+    }
+    if (sec->peerCert) {
+	CERT_DestroyCertificate(sec->peerCert);
+	sec->peerCert = NULL;
+    }
+    if (sec->peerKey) {
+	SECKEY_DestroyPublicKey(sec->peerKey);
+	sec->peerKey = NULL;
+    }
+
+    /* cleanup the ci */
+    if (sec->ci.sid != NULL) {
+	ssl_FreeSID(sec->ci.sid);
+    }
+    PORT_ZFree(sec->ci.sendBuf.buf, sec->ci.sendBuf.space);
+    memset(&sec->ci, 0, sizeof sec->ci);
+}
+
+/*
+** Called from SSL_ResetHandshake (above), and 
+**        from ssl_FreeSocket     in sslsock.c
+** Caller should hold relevant locks (e.g. XmitBufLock)
+*/
+void 
+ssl_DestroySecurityInfo(sslSecurityInfo *sec)
+{
+    ssl_ResetSecurityInfo(sec);
+
+    PORT_ZFree(sec->writeBuf.buf, sec->writeBuf.space);
+    sec->writeBuf.buf = 0;
+
+    memset(sec, 0, sizeof *sec);
+}
+
+/************************************************************************/
+
+int 
+ssl_SecureConnect(sslSocket *ss, const PRNetAddr *sa)
+{
+    PRFileDesc *osfd = ss->fd->lower;
+    int rv;
+
+    if ( ss->handshakeAsServer ) {
+	ss->securityHandshake = ssl2_BeginServerHandshake;
+	ss->handshaking = sslHandshakingAsServer;
+    } else {
+	ss->securityHandshake = ssl2_BeginClientHandshake;
+	ss->handshaking = sslHandshakingAsClient;
+    }
+
+    /* connect to server */
+    rv = osfd->methods->connect(osfd, sa, ss->cTimeout);
+    if (rv == PR_SUCCESS) {
+	ss->TCPconnected = 1;
+    } else {
+	int err = PR_GetError();
+	SSL_DBG(("%d: SSL[%d]: connect failed, errno=%d",
+		 SSL_GETPID(), ss->fd, err));
+	if (err == PR_IS_CONNECTED_ERROR) {
+	    ss->TCPconnected = 1;
+	} 
+    }
+
+    SSL_TRC(5, ("%d: SSL[%d]: secure connect completed, rv == %d",
+		SSL_GETPID(), ss->fd, rv));
+    return rv;
+}
+
+int
+ssl_SecureClose(sslSocket *ss)
+{
+    int rv;
+
+    if (ss->version >= SSL_LIBRARY_VERSION_3_0 	&&
+    	ss->firstHsDone 			&& 
+	!(ss->shutdownHow & ssl_SHUTDOWN_SEND)	&&
+	!ss->recvdCloseNotify                   &&
+	(ss->ssl3 != NULL)) {
+
+	/* We don't want the final alert to be Nagle delayed. */
+	if (!ss->delayDisabled) {
+	    ssl_EnableNagleDelay(ss, PR_FALSE);
+	    ss->delayDisabled = 1;
+	}
+
+	(void) SSL3_SendAlert(ss, alert_warning, close_notify);
+    }
+    rv = ssl_DefClose(ss);
+    return rv;
+}
+
+/* Caller handles all locking */
+int
+ssl_SecureShutdown(sslSocket *ss, int nsprHow)
+{
+    PRFileDesc *osfd = ss->fd->lower;
+    int 	rv;
+    PRIntn	sslHow	= nsprHow + 1;
+
+    if ((unsigned)nsprHow > PR_SHUTDOWN_BOTH) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+    	return PR_FAILURE;
+    }
+
+    if ((sslHow & ssl_SHUTDOWN_SEND) != 0 		&&
+	!(ss->shutdownHow & ssl_SHUTDOWN_SEND)		&&
+    	(ss->version >= SSL_LIBRARY_VERSION_3_0)	&&
+	ss->firstHsDone 				&& 
+	!ss->recvdCloseNotify                   	&&
+	(ss->ssl3 != NULL)) {
+
+	(void) SSL3_SendAlert(ss, alert_warning, close_notify);
+    }
+
+    rv = osfd->methods->shutdown(osfd, nsprHow);
+
+    ss->shutdownHow |= sslHow;
+
+    return rv;
+}
+
+/************************************************************************/
+
+
+int
+ssl_SecureRecv(sslSocket *ss, unsigned char *buf, int len, int flags)
+{
+    sslSecurityInfo *sec;
+    int              rv   = 0;
+
+    sec = &ss->sec;
+
+    if (ss->shutdownHow & ssl_SHUTDOWN_RCV) {
+	PORT_SetError(PR_SOCKET_SHUTDOWN_ERROR);
+    	return PR_FAILURE;
+    }
+    if (flags & ~MSG_PEEK) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+    	return PR_FAILURE;
+    }
+
+    if (!ssl_SocketIsBlocking(ss) && !ss->fdx) {
+	ssl_GetXmitBufLock(ss);
+	if (ss->pendingBuf.len != 0) {
+	    rv = ssl_SendSavedWriteData(ss, &ss->pendingBuf, ssl_DefSend);
+	    if ((rv < 0) && (PORT_GetError() != PR_WOULD_BLOCK_ERROR)) {
+		ssl_ReleaseXmitBufLock(ss);
+		return SECFailure;
+	    }
+	    /* XXX short write? */
+	}
+	ssl_ReleaseXmitBufLock(ss);
+    }
+    
+    rv = 0;
+    /* If any of these is non-zero, the initial handshake is not done. */
+    if (!ss->firstHsDone) {
+	ssl_Get1stHandshakeLock(ss);
+	if (ss->handshake || ss->nextHandshake || ss->securityHandshake) {
+	    rv = ssl_Do1stHandshake(ss);
+	}
+	ssl_Release1stHandshakeLock(ss);
+    }
+    if (rv < 0) {
+	return rv;
+    }
+
+    if (len == 0) return 0;
+
+    rv = DoRecv(ss, (unsigned char*) buf, len, flags);
+    SSL_TRC(2, ("%d: SSL[%d]: recving %d bytes securely (errno=%d)",
+		SSL_GETPID(), ss->fd, rv, PORT_GetError()));
+    return rv;
+}
+
+int
+ssl_SecureRead(sslSocket *ss, unsigned char *buf, int len)
+{
+    return ssl_SecureRecv(ss, buf, len, 0);
+}
+
+/* Caller holds the SSL Socket's write lock. SSL_LOCK_WRITER(ss) */
+int
+ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
+{
+    int              rv		= 0;
+
+    if (ss->shutdownHow & ssl_SHUTDOWN_SEND) {
+	PORT_SetError(PR_SOCKET_SHUTDOWN_ERROR);
+    	return PR_FAILURE;
+    }
+    if (flags) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+    	return PR_FAILURE;
+    }
+
+    ssl_GetXmitBufLock(ss);
+    if (ss->pendingBuf.len != 0) {
+	PORT_Assert(ss->pendingBuf.len > 0);
+	rv = ssl_SendSavedWriteData(ss, &ss->pendingBuf, ssl_DefSend);
+	if (rv >= 0 && ss->pendingBuf.len != 0) {
+	    PORT_Assert(ss->pendingBuf.len > 0);
+	    PORT_SetError(PR_WOULD_BLOCK_ERROR);
+	    rv = SECFailure;
+	}
+    }
+    ssl_ReleaseXmitBufLock(ss);
+    if (rv < 0) {
+	return rv;
+    }
+
+    if (len > 0) 
+    	ss->writerThread = PR_GetCurrentThread();
+    /* If any of these is non-zero, the initial handshake is not done. */
+    if (!ss->firstHsDone) {
+	ssl_Get1stHandshakeLock(ss);
+	if (ss->handshake || ss->nextHandshake || ss->securityHandshake) {
+	    rv = ssl_Do1stHandshake(ss);
+	}
+	ssl_Release1stHandshakeLock(ss);
+    }
+    if (rv < 0) {
+    	ss->writerThread = NULL;
+	return rv;
+    }
+
+    /* Check for zero length writes after we do housekeeping so we make forward
+     * progress.
+     */
+    if (len == 0) {
+    	return 0;
+    }
+    PORT_Assert(buf != NULL);
+    
+    SSL_TRC(2, ("%d: SSL[%d]: SecureSend: sending %d bytes",
+		SSL_GETPID(), ss->fd, len));
+
+    /* Send out the data using one of these functions:
+     *	ssl2_SendClear, ssl2_SendStream, ssl2_SendBlock, 
+     *  ssl3_SendApplicationData
+     */
+    ssl_GetXmitBufLock(ss);
+    rv = (*ss->sec.send)(ss, buf, len, flags);
+    ssl_ReleaseXmitBufLock(ss);
+    ss->writerThread = NULL;
+    return rv;
+}
+
+int
+ssl_SecureWrite(sslSocket *ss, const unsigned char *buf, int len)
+{
+    return ssl_SecureSend(ss, buf, len, 0);
+}
+
+SECStatus
+SSL_BadCertHook(PRFileDesc *fd, SSLBadCertHandler f, void *arg)
+{
+    sslSocket *ss;
+    SECStatus rv;
+    
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in SSLBadCertHook",
+		 SSL_GETPID(), fd));
+	return SECFailure;
+    }
+
+    ss->handleBadCert = f;
+    ss->badCertArg = arg;
+
+    return SECSuccess;
+}
+
+/*
+ * Allow the application to pass the url or hostname into the SSL library
+ * so that we can do some checking on it.
+ */
+SECStatus
+SSL_SetURL(PRFileDesc *fd, const char *url)
+{
+    sslSocket *   ss = ssl_FindSocket(fd);
+    SECStatus     rv = SECSuccess;
+
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in SSLSetURL",
+		 SSL_GETPID(), fd));
+	return SECFailure;
+    }
+    ssl_Get1stHandshakeLock(ss);
+    ssl_GetSSL3HandshakeLock(ss);
+
+    if ( ss->url ) {
+	PORT_Free((void *)ss->url);	/* CONST */
+    }
+
+    ss->url = (const char *)PORT_Strdup(url);
+    if ( ss->url == NULL ) {
+	rv = SECFailure;
+    }
+
+    ssl_ReleaseSSL3HandshakeLock(ss);
+    ssl_Release1stHandshakeLock(ss);
+
+    return rv;
+}
+
+/*
+** Returns Negative number on error, zero or greater on success.
+** Returns the amount of data immediately available to be read.
+*/
+int
+SSL_DataPending(PRFileDesc *fd)
+{
+    sslSocket *ss;
+    int        rv  = 0;
+
+    ss = ssl_FindSocket(fd);
+
+    if (ss && ss->useSecurity) {
+
+	ssl_Get1stHandshakeLock(ss);
+	ssl_GetSSL3HandshakeLock(ss);
+
+	ssl_GetRecvBufLock(ss);
+	rv = ss->gs.writeOffset - ss->gs.readOffset;
+	ssl_ReleaseRecvBufLock(ss);
+
+	ssl_ReleaseSSL3HandshakeLock(ss);
+	ssl_Release1stHandshakeLock(ss);
+    }
+
+    return rv;
+}
+
+SECStatus
+SSL_InvalidateSession(PRFileDesc *fd)
+{
+    sslSocket *   ss = ssl_FindSocket(fd);
+    SECStatus     rv = SECFailure;
+
+    if (ss) {
+	ssl_Get1stHandshakeLock(ss);
+	ssl_GetSSL3HandshakeLock(ss);
+
+	if (ss->sec.ci.sid) {
+	    ss->sec.uncache(ss->sec.ci.sid);
+	    rv = SECSuccess;
+	}
+
+	ssl_ReleaseSSL3HandshakeLock(ss);
+	ssl_Release1stHandshakeLock(ss);
+    }
+    return rv;
+}
+
+SECItem *
+SSL_GetSessionID(PRFileDesc *fd)
+{
+    sslSocket *    ss;
+    SECItem *      item = NULL;
+
+    ss = ssl_FindSocket(fd);
+    if (ss) {
+	ssl_Get1stHandshakeLock(ss);
+	ssl_GetSSL3HandshakeLock(ss);
+
+	if (ss->useSecurity && ss->firstHsDone && ss->sec.ci.sid) {
+	    item = (SECItem *)PORT_Alloc(sizeof(SECItem));
+	    if (item) {
+		sslSessionID * sid = ss->sec.ci.sid;
+		if (sid->version < SSL_LIBRARY_VERSION_3_0) {
+		    item->len = SSL2_SESSIONID_BYTES;
+		    item->data = (unsigned char*)PORT_Alloc(item->len);
+		    PORT_Memcpy(item->data, sid->u.ssl2.sessionID, item->len);
+		} else {
+		    item->len = sid->u.ssl3.sessionIDLength;
+		    item->data = (unsigned char*)PORT_Alloc(item->len);
+		    PORT_Memcpy(item->data, sid->u.ssl3.sessionID, item->len);
+		}
+	    }
+	}
+
+	ssl_ReleaseSSL3HandshakeLock(ss);
+	ssl_Release1stHandshakeLock(ss);
+    }
+    return item;
+}
+
+SECStatus
+SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle)
+{
+    sslSocket *    ss;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss)
+    	return SECFailure;
+    if (!dbHandle) {
+    	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    ss->dbHandle = dbHandle;
+    return SECSuccess;
+}
+
+/*
+ * attempt to restart the handshake after asynchronously handling
+ * a request for the client's certificate.
+ *
+ * inputs:  
+ *	cert	Client cert chosen by application.
+ *		Note: ssl takes this reference, and does not bump the 
+ *		reference count.  The caller should drop its reference
+ *		without calling CERT_DestroyCert after calling this function.
+ *
+ *	key	Private key associated with cert.  This function makes a 
+ *		copy of the private key, so the caller remains responsible 
+ *		for destroying its copy after this function returns.
+ *
+ *	certChain  Chain of signers for cert.  
+ *		Note: ssl takes this reference, and does not copy the chain.
+ *		The caller should drop its reference without destroying the 
+ *		chain.  SSL will free the chain when it is done with it.
+ *
+ * Return value: XXX
+ *
+ * XXX This code only works on the initial handshake on a connection, XXX
+ *     It does not work on a subsequent handshake (redo).
+ */
+int
+SSL_RestartHandshakeAfterCertReq(sslSocket *         ss,
+				CERTCertificate *    cert, 
+				SECKEYPrivateKey *   key,
+				CERTCertificateList *certChain)
+{
+    int              ret;
+
+    ssl_Get1stHandshakeLock(ss);   /************************************/
+
+    if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
+	ret = ssl3_RestartHandshakeAfterCertReq(ss, cert, key, certChain);
+    } else {
+    	ret = ssl2_RestartHandshakeAfterCertReq(ss, cert, key);
+    }
+
+    ssl_Release1stHandshakeLock(ss);  /************************************/
+    return ret;
+}
+
+
+/* restart an SSL connection that we stopped to run certificate dialogs 
+** XXX	Need to document here how an application marks a cert to show that
+**	the application has accepted it (overridden CERT_VerifyCert).
+ *
+ * XXX This code only works on the initial handshake on a connection, XXX
+ *     It does not work on a subsequent handshake (redo).
+ *
+ * Return value: XXX
+*/
+int
+SSL_RestartHandshakeAfterServerCert(sslSocket *ss)
+{
+    int rv	= SECSuccess;
+
+    ssl_Get1stHandshakeLock(ss); 
+
+    if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
+	rv = ssl3_RestartHandshakeAfterServerCert(ss);
+    } else {
+	rv = ssl2_RestartHandshakeAfterServerCert(ss);
+    }
+
+    ssl_Release1stHandshakeLock(ss);
+    return rv;
+}
diff --git a/security/nss/lib/ssl/sslsnce.c b/security/nss/lib/ssl/sslsnce.c
new file mode 100644
index 000000000..f69f3fd42
--- /dev/null
+++ b/security/nss/lib/ssl/sslsnce.c
@@ -0,0 +1,1623 @@
+/* This file implements the SERVER Session ID cache. 
+ * NOTE:  The contents of this file are NOT used by the client.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+/* Note: ssl_FreeSID() in sslnonce.c gets used for both client and server 
+ * cache sids!
+ *
+ * About record locking among different server processes:
+ *
+ * All processes that are part of the same conceptual server (serving on 
+ * the same address and port) MUST share a common SSL session cache. 
+ * This code makes the content of the shared cache accessible to all
+ * processes on the same "server".  This code works on Unix and Win32 only.
+ *
+ * We use NSPR anonymous shared memory and move data to & from shared memory.
+ * We must do explicit locking of the records for all reads and writes.
+ * The set of Cache entries are divided up into "sets" of 128 entries. 
+ * Each set is protected by a lock.  There may be one or more sets protected
+ * by each lock.  That is, locks to sets are 1:N.
+ * There is one lock for the entire cert cache.
+ * There is one lock for the set of wrapped sym wrap keys.
+ *
+ * The anonymous shared memory is laid out as if it were declared like this:
+ *
+ * struct {
+ *     cacheDescriptor          desc;
+ *     sidCacheLock             sidCacheLocks[ numSIDCacheLocks];
+ *     sidCacheLock             keyCacheLock;
+ *     sidCacheLock             certCacheLock;
+ *     sidCacheSet              sidCacheSets[ numSIDCacheSets ];
+ *     sidCacheEntry            sidCacheData[ numSIDCacheEntries];
+ *     certCacheEntry           certCacheData[numCertCacheEntries];
+ *     SSLWrappedSymWrappingKey keyCacheData[kt_kea_size][SSL_NUM_WRAP_MECHS];
+ * } sharedMemCacheData;
+ */
+#include "nssrenam.h"
+#include "seccomon.h"
+
+#if defined(XP_UNIX) || defined(XP_WIN32) || defined (XP_OS2) || defined(XP_BEOS)
+
+#include "cert.h"
+#include "ssl.h"
+#include "sslimpl.h"
+#include "sslproto.h"
+#include "pk11func.h"
+#include "base64.h"
+
+#include <stdio.h>
+
+#if defined(XP_UNIX) || defined(XP_BEOS)
+
+#include <syslog.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+#include <signal.h>
+#include "unix_err.h"
+
+#else
+
+#ifdef XP_WIN32
+#include <wtypes.h>
+#include "win32err.h"
+#endif
+
+#endif 
+#include <sys/types.h>
+
+#define SET_ERROR_CODE /* reminder */
+
+#include "nspr.h"
+#include "nsslocks.h"
+#include "sslmutex.h"
+
+#ifdef XP_OS2_VACPP
+#pragma pack(1)
+#endif
+
+/*
+** Format of a cache entry in the shared memory.
+*/ 
+struct sidCacheEntryStr {
+/* 16 */    PRIPv6Addr  addr;	/* client's IP address */
+/*  4 */    PRUint32    creationTime;
+/*  4 */    PRUint32    lastAccessTime;	
+/*  4 */    PRUint32    expirationTime;
+/*  2 */    PRUint16	version;
+/*  1 */    PRUint8	valid;
+/*  1 */    PRUint8     sessionIDLength;
+/* 32 */    PRUint8     sessionID[SSL3_SESSIONID_BYTES];
+/*  2 */    PRUint16    authAlgorithm;
+/*  2 */    PRUint16    authKeyBits;
+/*  2 */    PRUint16    keaType;
+/*  2 */    PRUint16    keaKeyBits;
+/* 72  - common header total */
+
+    union {
+	struct {
+/* 64 */    PRUint8	masterKey[SSL_MAX_MASTER_KEY_BYTES];
+/* 32 */    PRUint8	cipherArg[SSL_MAX_CYPHER_ARG_BYTES];
+
+/*  1 */    PRUint8	cipherType;
+/*  1 */    PRUint8	masterKeyLen;
+/*  1 */    PRUint8	keyBits;
+/*  1 */    PRUint8	secretKeyBits;
+/*  1 */    PRUint8	cipherArgLen;
+/*101 */} ssl2;
+
+	struct {
+/*  2 */    ssl3CipherSuite  cipherSuite;
+/*  2 */    PRUint16    compression; 	/* SSL3CompressionMethod */
+
+/*122 */    ssl3SidKeys keys;	/* keys and ivs, wrapped as needed. */
+/*  1 */    PRUint8     hasFortezza;
+/*  1 */    PRUint8     resumable;
+
+/*  4 */    PRUint32    masterWrapMech; 
+/*  4 */    SSL3KEAType exchKeyType;
+/*  4 */    PRInt32     certIndex;
+/*140 */} ssl3;
+#if defined(LINUX)
+	struct {
+	    PRUint8     filler[144];	
+	} forceSize;
+#endif
+    } u;
+};
+typedef struct sidCacheEntryStr sidCacheEntry;
+
+/* The length of this struct is supposed to be a power of 2, e.g. 4KB */
+struct certCacheEntryStr {
+    PRUint16    certLength;				/*    2 */
+    PRUint16    sessionIDLength;			/*    2 */
+    PRUint8 	sessionID[SSL3_SESSIONID_BYTES];	/*   32 */
+    PRUint8 	cert[SSL_MAX_CACHED_CERT_LEN];		/* 4060 */
+};						/* total   4096 */
+typedef struct certCacheEntryStr certCacheEntry;
+
+struct sidCacheLockStr {
+    PRUint32	timeStamp;
+    sslMutex	mutex;
+    sslPID	pid;
+};
+typedef struct sidCacheLockStr sidCacheLock;
+
+struct sidCacheSetStr {
+    PRIntn	next;
+};
+typedef struct sidCacheSetStr sidCacheSet;
+
+struct cacheDescStr {
+
+    PRUint32            sharedMemSize;
+
+    PRUint32		numSIDCacheLocks;
+    PRUint32		numSIDCacheSets;
+    PRUint32		numSIDCacheSetsPerLock;
+
+    PRUint32            numSIDCacheEntries; 
+    PRUint32            sidCacheSize;
+
+    PRUint32            numCertCacheEntries;
+    PRUint32            certCacheSize;
+
+    PRUint32            numKeyCacheEntries;
+    PRUint32            keyCacheSize;
+
+    PRUint32		ssl2Timeout;
+    PRUint32		ssl3Timeout;
+
+    /* These values are volatile, and are accessed through sharedCache-> */
+    PRUint32		nextCertCacheEntry;	/* certCacheLock protects */
+    PRBool      	stopPolling;
+
+    /* The private copies of these values are pointers into shared mem */
+    /* The copies of these values in shared memory are merely offsets */
+    sidCacheLock    *          sidCacheLocks;
+    sidCacheLock    *          keyCacheLock;
+    sidCacheLock    *          certCacheLock;
+    sidCacheSet     *          sidCacheSets;
+    sidCacheEntry   *          sidCacheData;
+    certCacheEntry  *          certCacheData;
+    SSLWrappedSymWrappingKey * keyCacheData;
+
+    /* Only the private copies of these pointers are valid */
+    char *                     sharedMem;
+    struct cacheDescStr *      sharedCache;  /* shared copy of this struct */
+    PRFileMap *                cacheMemMap;
+    PRThread  *                poller;
+};
+typedef struct cacheDescStr cacheDesc;
+
+static cacheDesc globalCache;
+
+static const char envVarName[] = { SSL_ENV_VAR_NAME };
+
+static PRBool isMultiProcess  = PR_FALSE;
+
+
+#define DEF_SID_CACHE_ENTRIES  10000
+#define DEF_CERT_CACHE_ENTRIES 250
+#define MIN_CERT_CACHE_ENTRIES 125 /* the effective size in old releases. */
+#define DEF_KEY_CACHE_ENTRIES  250
+
+#define SID_CACHE_ENTRIES_PER_SET  128
+#define SID_ALIGNMENT          16
+
+#define DEF_SSL2_TIMEOUT	100   /* seconds */
+#define MAX_SSL2_TIMEOUT	100   /* seconds */
+#define MIN_SSL2_TIMEOUT	  5   /* seconds */
+
+#define DEF_SSL3_TIMEOUT      86400L  /* 24 hours */
+#define MAX_SSL3_TIMEOUT      86400L  /* 24 hours */
+#define MIN_SSL3_TIMEOUT          5   /* seconds  */
+
+#if defined(AIX) || defined(LINUX) || defined(VMS)
+#define MAX_SID_CACHE_LOCKS 8	/* two FDs per lock */
+#elif defined(OSF1)
+#define MAX_SID_CACHE_LOCKS 16	/* one FD per lock */
+#else
+#define MAX_SID_CACHE_LOCKS 256
+#endif
+
+#define SID_HOWMANY(val, size) (((val) + ((size) - 1)) / (size))
+#define SID_ROUNDUP(val, size) ((size) * SID_HOWMANY((val), (size)))
+
+
+static sslPID myPid;
+static PRUint32  ssl_max_sid_cache_locks = MAX_SID_CACHE_LOCKS;
+
+/* forward static function declarations */
+static void IOError(int rv, char *type);
+static PRUint32 SIDindex(cacheDesc *cache, const PRIPv6Addr *addr, PRUint8 *s, unsigned nl);
+static SECStatus LaunchLockPoller(cacheDesc *cache);
+
+
+
+
+struct inheritanceStr {
+    PRUint32 sharedMemSize;
+    PRUint16 fmStrLen;
+};
+
+typedef struct inheritanceStr inheritance;
+
+#if defined(_WIN32) || defined(XP_OS2)
+
+#define DEFAULT_CACHE_DIRECTORY "\\temp"
+
+#endif /* _win32 */
+
+#if defined(XP_UNIX) || defined(XP_BEOS)
+
+#define DEFAULT_CACHE_DIRECTORY "/tmp"
+
+#endif /* XP_UNIX || XP_BEOS */
+
+
+/************************************************************************/
+
+static void 
+IOError(int rv, char *type)
+{
+#if defined(XP_UNIX) || defined(XP_BEOS)
+    syslog(LOG_ALERT,
+	   "SSL: %s error with session-id cache, pid=%d, rv=%d, error='%m'",
+	   type, myPid, rv);
+#else /* XP_WIN32 */
+    /* wish win32 had something like syslog() */
+#endif /* XP_UNIX */
+}
+
+static PRUint32
+LockSidCacheLock(sidCacheLock *lock, PRUint32 now)
+{
+    SECStatus      rv      = sslMutex_Lock(&lock->mutex);
+    if (rv != SECSuccess)
+    	return 0;
+    if (!now)
+	now  = ssl_Time();
+    lock->timeStamp = now;
+    lock->pid       = myPid;
+    return now;
+}
+
+static SECStatus
+UnlockSidCacheLock(sidCacheLock *lock)
+{
+    SECStatus      rv;
+
+    lock->pid = 0;
+    rv        = sslMutex_Unlock(&lock->mutex);
+    return rv;
+}
+
+/* returns the value of ssl_Time on success, zero on failure. */
+static PRUint32
+LockSet(cacheDesc *cache, PRUint32 set, PRUint32 now)
+{
+    PRUint32       lockNum = set % cache->numSIDCacheLocks;
+    sidCacheLock * lock    = cache->sidCacheLocks + lockNum;
+
+    return LockSidCacheLock(lock, now);
+}
+
+static SECStatus
+UnlockSet(cacheDesc *cache, PRUint32 set)
+{
+    PRUint32       lockNum = set % cache->numSIDCacheLocks;
+    sidCacheLock * lock    = cache->sidCacheLocks + lockNum;
+
+    return UnlockSidCacheLock(lock);
+}
+
+/************************************************************************/
+
+
+/* Put a certificate in the cache.  Update the cert index in the sce.
+*/
+static PRUint32
+CacheCert(cacheDesc * cache, CERTCertificate *cert, sidCacheEntry *sce)
+{
+    PRUint32        now;
+    certCacheEntry  cce;
+
+    if ((cert->derCert.len > SSL_MAX_CACHED_CERT_LEN) ||
+        (cert->derCert.len <= 0) ||
+	(cert->derCert.data == NULL)) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return 0;
+    }
+
+    cce.sessionIDLength = sce->sessionIDLength;
+    PORT_Memcpy(cce.sessionID, sce->sessionID, cce.sessionIDLength);
+
+    cce.certLength = cert->derCert.len;
+    PORT_Memcpy(cce.cert, cert->derCert.data, cce.certLength);
+
+    /* get lock on cert cache */
+    now = LockSidCacheLock(cache->certCacheLock, 0);
+    if (now) {
+
+	/* Find where to place the next cert cache entry. */
+	cacheDesc * sharedCache = cache->sharedCache;
+	PRUint32    ndx         = sharedCache->nextCertCacheEntry;
+
+	/* write the entry */
+	cache->certCacheData[ndx] = cce;
+
+	/* remember where we put it. */
+	sce->u.ssl3.certIndex = ndx;
+
+	/* update the "next" cache entry index */
+	sharedCache->nextCertCacheEntry = 
+					(ndx + 1) % cache->numCertCacheEntries;
+
+	UnlockSidCacheLock(cache->certCacheLock);
+    }
+    return now;
+
+}
+
+/*
+** Convert local SID to shared memory one
+*/
+static void 
+ConvertFromSID(sidCacheEntry *to, sslSessionID *from)
+{
+    to->valid   = 1;
+    to->version = from->version;
+    to->addr    = from->addr;
+    to->creationTime    = from->creationTime;
+    to->lastAccessTime  = from->lastAccessTime;
+    to->expirationTime  = from->expirationTime;
+    to->authAlgorithm	= from->authAlgorithm;
+    to->authKeyBits	= from->authKeyBits;
+    to->keaType		= from->keaType;
+    to->keaKeyBits	= from->keaKeyBits;
+
+    if (from->version < SSL_LIBRARY_VERSION_3_0) {
+	if ((from->u.ssl2.masterKey.len > SSL_MAX_MASTER_KEY_BYTES) ||
+	    (from->u.ssl2.cipherArg.len > SSL_MAX_CYPHER_ARG_BYTES)) {
+	    SSL_DBG(("%d: SSL: masterKeyLen=%d cipherArgLen=%d",
+		     myPid, from->u.ssl2.masterKey.len,
+		     from->u.ssl2.cipherArg.len));
+	    to->valid = 0;
+	    return;
+	}
+
+	to->u.ssl2.cipherType    = from->u.ssl2.cipherType;
+	to->u.ssl2.masterKeyLen  = from->u.ssl2.masterKey.len;
+	to->u.ssl2.cipherArgLen  = from->u.ssl2.cipherArg.len;
+	to->u.ssl2.keyBits       = from->u.ssl2.keyBits;
+	to->u.ssl2.secretKeyBits = from->u.ssl2.secretKeyBits;
+	to->sessionIDLength      = SSL2_SESSIONID_BYTES;
+	PORT_Memcpy(to->sessionID, from->u.ssl2.sessionID, SSL2_SESSIONID_BYTES);
+	PORT_Memcpy(to->u.ssl2.masterKey, from->u.ssl2.masterKey.data,
+		  from->u.ssl2.masterKey.len);
+	PORT_Memcpy(to->u.ssl2.cipherArg, from->u.ssl2.cipherArg.data,
+		  from->u.ssl2.cipherArg.len);
+#ifdef DEBUG
+	PORT_Memset(to->u.ssl2.masterKey+from->u.ssl2.masterKey.len, 0,
+		  sizeof(to->u.ssl2.masterKey) - from->u.ssl2.masterKey.len);
+	PORT_Memset(to->u.ssl2.cipherArg+from->u.ssl2.cipherArg.len, 0,
+		  sizeof(to->u.ssl2.cipherArg) - from->u.ssl2.cipherArg.len);
+#endif
+	SSL_TRC(8, ("%d: SSL: ConvertSID: masterKeyLen=%d cipherArgLen=%d "
+		    "time=%d addr=0x%08x%08x%08x%08x cipherType=%d", myPid,
+		    to->u.ssl2.masterKeyLen, to->u.ssl2.cipherArgLen,
+		    to->creationTime, to->addr.pr_s6_addr32[0],
+		    to->addr.pr_s6_addr32[1], to->addr.pr_s6_addr32[2],
+		    to->addr.pr_s6_addr32[3], to->u.ssl2.cipherType));
+    } else {
+	/* This is an SSL v3 session */
+
+	to->u.ssl3.cipherSuite      = from->u.ssl3.cipherSuite;
+	to->u.ssl3.compression      = (uint16)from->u.ssl3.compression;
+	to->u.ssl3.resumable        = from->u.ssl3.resumable;
+	to->u.ssl3.hasFortezza      = from->u.ssl3.hasFortezza;
+	to->u.ssl3.keys             = from->u.ssl3.keys;
+	to->u.ssl3.masterWrapMech   = from->u.ssl3.masterWrapMech;
+	to->u.ssl3.exchKeyType      = from->u.ssl3.exchKeyType;
+	to->sessionIDLength         = from->u.ssl3.sessionIDLength;
+	to->u.ssl3.certIndex        = -1;
+
+	PORT_Memcpy(to->sessionID, from->u.ssl3.sessionID,
+		    to->sessionIDLength);
+
+	SSL_TRC(8, ("%d: SSL3: ConvertSID: time=%d addr=0x%08x%08x%08x%08x "
+	            "cipherSuite=%d",
+		    myPid, to->creationTime, to->addr.pr_s6_addr32[0],
+		    to->addr.pr_s6_addr32[1], to->addr.pr_s6_addr32[2],
+		    to->addr.pr_s6_addr32[3], to->u.ssl3.cipherSuite));
+    }
+}
+
+/*
+** Convert shared memory cache-entry to local memory based one
+** This is only called from ServerSessionIDLookup().
+** Caller must hold cache lock when calling this.
+*/
+static sslSessionID *
+ConvertToSID(sidCacheEntry *from, certCacheEntry *pcce, 
+             CERTCertDBHandle * dbHandle)
+{
+    sslSessionID *to;
+    uint16 version = from->version;
+
+    to = (sslSessionID*) PORT_ZAlloc(sizeof(sslSessionID));
+    if (!to) {
+	return 0;
+    }
+
+    if (version < SSL_LIBRARY_VERSION_3_0) {
+	/* This is an SSL v2 session */
+	to->u.ssl2.masterKey.data =
+	    (unsigned char*) PORT_Alloc(from->u.ssl2.masterKeyLen);
+	if (!to->u.ssl2.masterKey.data) {
+	    goto loser;
+	}
+	if (from->u.ssl2.cipherArgLen) {
+	    to->u.ssl2.cipherArg.data = 
+	    	(unsigned char*)PORT_Alloc(from->u.ssl2.cipherArgLen);
+	    if (!to->u.ssl2.cipherArg.data) {
+		goto loser;
+	    }
+	    PORT_Memcpy(to->u.ssl2.cipherArg.data, from->u.ssl2.cipherArg,
+		        from->u.ssl2.cipherArgLen);
+	}
+
+	to->u.ssl2.cipherType    = from->u.ssl2.cipherType;
+	to->u.ssl2.masterKey.len = from->u.ssl2.masterKeyLen;
+	to->u.ssl2.cipherArg.len = from->u.ssl2.cipherArgLen;
+	to->u.ssl2.keyBits       = from->u.ssl2.keyBits;
+	to->u.ssl2.secretKeyBits = from->u.ssl2.secretKeyBits;
+/*	to->sessionIDLength      = SSL2_SESSIONID_BYTES; */
+	PORT_Memcpy(to->u.ssl2.sessionID, from->sessionID, SSL2_SESSIONID_BYTES);
+	PORT_Memcpy(to->u.ssl2.masterKey.data, from->u.ssl2.masterKey,
+		    from->u.ssl2.masterKeyLen);
+
+	SSL_TRC(8, ("%d: SSL: ConvertToSID: masterKeyLen=%d cipherArgLen=%d "
+		    "time=%d addr=0x%08x%08x%08x%08x cipherType=%d",
+		    myPid, to->u.ssl2.masterKey.len,
+		    to->u.ssl2.cipherArg.len, to->creationTime,
+		    to->addr.pr_s6_addr32[0], to->addr.pr_s6_addr32[1],
+		    to->addr.pr_s6_addr32[2], to->addr.pr_s6_addr32[3],
+		    to->u.ssl2.cipherType));
+    } else {
+	/* This is an SSL v3 session */
+
+	to->u.ssl3.sessionIDLength  = from->sessionIDLength;
+	to->u.ssl3.cipherSuite      = from->u.ssl3.cipherSuite;
+	to->u.ssl3.compression      = (SSL3CompressionMethod)from->u.ssl3.compression;
+	to->u.ssl3.resumable        = from->u.ssl3.resumable;
+	to->u.ssl3.hasFortezza      = from->u.ssl3.hasFortezza;
+	to->u.ssl3.keys             = from->u.ssl3.keys;
+	to->u.ssl3.masterWrapMech   = from->u.ssl3.masterWrapMech;
+	to->u.ssl3.exchKeyType      = from->u.ssl3.exchKeyType;
+
+	PORT_Memcpy(to->u.ssl3.sessionID, from->sessionID, from->sessionIDLength);
+
+	/* the portions of the SID that are only restored on the client
+	 * are set to invalid values on the server.
+	 */
+	to->u.ssl3.clientWriteKey   = NULL;
+	to->u.ssl3.serverWriteKey   = NULL;
+	to->u.ssl3.tek              = NULL;
+	to->urlSvrName              = NULL;
+
+	to->u.ssl3.masterModuleID   = (SECMODModuleID)-1; /* invalid value */
+	to->u.ssl3.masterSlotID     = (CK_SLOT_ID)-1;     /* invalid value */
+	to->u.ssl3.masterWrapIndex  = 0;
+	to->u.ssl3.masterWrapSeries = 0;
+	to->u.ssl3.masterValid      = PR_FALSE;
+
+	to->u.ssl3.clAuthModuleID   = (SECMODModuleID)-1; /* invalid value */
+	to->u.ssl3.clAuthSlotID     = (CK_SLOT_ID)-1;     /* invalid value */
+	to->u.ssl3.clAuthSeries     = 0;
+	to->u.ssl3.clAuthValid      = PR_FALSE;
+
+	to->u.ssl3.clientWriteSaveLen = 0;
+
+	if (from->u.ssl3.certIndex != -1 && pcce) {
+	    SECItem          derCert;
+
+	    derCert.len  = pcce->certLength;
+	    derCert.data = pcce->cert;
+
+	    to->peerCert = CERT_NewTempCertificate(dbHandle, &derCert, NULL,
+					           PR_FALSE, PR_TRUE);
+	    if (to->peerCert == NULL)
+		goto loser;
+	}
+    }
+
+    to->version         = from->version;
+    to->creationTime    = from->creationTime;
+    to->lastAccessTime  = from->lastAccessTime;
+    to->expirationTime  = from->expirationTime;
+    to->cached          = in_server_cache;
+    to->addr            = from->addr;
+    to->references      = 1;
+    to->authAlgorithm	= from->authAlgorithm;
+    to->authKeyBits	= from->authKeyBits;
+    to->keaType		= from->keaType;
+    to->keaKeyBits	= from->keaKeyBits;
+    
+    return to;
+
+  loser:
+    if (to) {
+	if (version < SSL_LIBRARY_VERSION_3_0) {
+	    if (to->u.ssl2.masterKey.data)
+		PORT_Free(to->u.ssl2.masterKey.data);
+	    if (to->u.ssl2.cipherArg.data)
+		PORT_Free(to->u.ssl2.cipherArg.data);
+	}
+	PORT_Free(to);
+    }
+    return NULL;
+}
+
+
+
+/*
+** Perform some mumbo jumbo on the ip-address and the session-id value to
+** compute a hash value.
+*/
+static PRUint32 
+SIDindex(cacheDesc *cache, const PRIPv6Addr *addr, PRUint8 *s, unsigned nl)
+{
+    PRUint32 rv;
+    PRUint32 x[8];
+
+    memset(x, 0, sizeof x);
+    if (nl > sizeof x)
+    	nl = sizeof x;
+    memcpy(x, s, nl);
+
+    rv = (addr->pr_s6_addr32[0] ^ addr->pr_s6_addr32[1] ^
+	  addr->pr_s6_addr32[2] ^ addr->pr_s6_addr32[3] ^
+          x[0] ^ x[1] ^ x[2] ^ x[3] ^ x[4] ^ x[5] ^ x[6] ^ x[7])
+	  % cache->numSIDCacheSets;
+    return rv;
+}
+
+
+
+/*
+** Look something up in the cache. This will invalidate old entries
+** in the process. Caller has locked the cache set!
+** Returns PR_TRUE if found a valid match.  PR_FALSE otherwise.
+*/
+static sidCacheEntry *
+FindSID(cacheDesc *cache, PRUint32 setNum, PRUint32 now,
+        const PRIPv6Addr *addr, unsigned char *sessionID,
+	unsigned sessionIDLength)
+{
+    PRUint32      ndx   = cache->sidCacheSets[setNum].next;
+    int           i;
+
+    sidCacheEntry * set = cache->sidCacheData + 
+    			 (setNum * SID_CACHE_ENTRIES_PER_SET);
+
+    for (i = SID_CACHE_ENTRIES_PER_SET; i > 0; --i) {
+	sidCacheEntry * sce;
+
+	ndx  = (ndx - 1) % SID_CACHE_ENTRIES_PER_SET;
+	sce = set + ndx;
+
+	if (!sce->valid)
+	    continue;
+
+	if (now > sce->expirationTime) {
+	    /* SessionID has timed out. Invalidate the entry. */
+	    SSL_TRC(7, ("%d: timed out sid entry addr=%08x%08x%08x%08x now=%x "
+			"time+=%x",
+			myPid, sce->addr.pr_s6_addr32[0],
+			sce->addr.pr_s6_addr32[1], sce->addr.pr_s6_addr32[2],
+			sce->addr.pr_s6_addr32[3], now,
+			sce->expirationTime ));
+	    sce->valid = 0;
+	    continue;
+	}
+
+	/*
+	** Next, examine specific session-id/addr data to see if the cache
+	** entry matches our addr+session-id value
+	*/
+	if (sessionIDLength == sce->sessionIDLength      &&
+	    !memcmp(&sce->addr, addr, sizeof(PRIPv6Addr)) &&
+	    !memcmp(sce->sessionID, sessionID, sessionIDLength)) {
+	    /* Found it */
+	    return sce;
+	}
+    }
+
+    PORT_SetError(SSL_ERROR_SESSION_NOT_FOUND);
+    return NULL;
+}
+
+/************************************************************************/
+
+/* This is the primary function for finding entries in the server's sid cache.
+ * Although it is static, this function is called via the global function 
+ * pointer ssl_sid_lookup.
+ */
+static sslSessionID *
+ServerSessionIDLookup(const PRIPv6Addr *addr,
+			unsigned char *sessionID,
+			unsigned int   sessionIDLength,
+                        CERTCertDBHandle * dbHandle)
+{
+    sslSessionID *  sid      = 0;
+    sidCacheEntry * psce;
+    certCacheEntry *pcce     = 0;
+    cacheDesc *     cache    = &globalCache;
+    PRUint32        now;
+    PRUint32        set;
+    PRInt32         cndx;
+    sidCacheEntry   sce;
+    certCacheEntry  cce;
+
+    set = SIDindex(cache, addr, sessionID, sessionIDLength);
+    now = LockSet(cache, set, 0);
+    if (!now)
+    	return NULL;
+
+    psce = FindSID(cache, set, now, addr, sessionID, sessionIDLength);
+    if (psce) {
+	if (psce->version >= SSL_LIBRARY_VERSION_3_0 && 
+	    (cndx = psce->u.ssl3.certIndex) != -1) {
+
+	    PRUint32 gotLock = LockSidCacheLock(cache->certCacheLock, now);
+	    if (gotLock) {
+		pcce = &cache->certCacheData[cndx];
+
+		/* See if the cert's session ID matches the sce cache. */
+		if ((pcce->sessionIDLength == psce->sessionIDLength) &&
+		    !PORT_Memcmp(pcce->sessionID, psce->sessionID, 
+		                 pcce->sessionIDLength)) {
+		    cce = *pcce;
+		} else {
+		    /* The cert doesen't match the SID cache entry, 
+		    ** so invalidate the SID cache entry. 
+		    */
+		    psce->valid = 0;
+		    psce = 0;
+		    pcce = 0;
+		}
+		UnlockSidCacheLock(cache->certCacheLock);
+	    } else {
+		/* what the ??.  Didn't get the cert cache lock.
+		** Don't invalidate the SID cache entry, but don't find it.
+		*/
+		PORT_Assert(!("Didn't get cert Cache Lock!"));
+		psce = 0;
+		pcce = 0;
+	    }
+	}
+	if (psce) {
+	    psce->lastAccessTime = now;
+	    sce = *psce;	/* grab a copy while holding the lock */
+    	}
+    }
+    UnlockSet(cache, set);
+    if (psce) {
+	/* sce conains a copy of the cache entry.
+	** Convert shared memory format to local format 
+	*/
+	sid = ConvertToSID(&sce, pcce ? &cce : 0, dbHandle);
+    }
+    return sid;
+}
+
+/*
+** Place a sid into the cache, if it isn't already there. 
+*/
+static void 
+ServerSessionIDCache(sslSessionID *sid)
+{
+    sidCacheEntry sce;
+    PRUint32      now     = 0;
+    uint16        version = sid->version;
+    cacheDesc *   cache   = &globalCache;
+
+    if ((version >= SSL_LIBRARY_VERSION_3_0) &&
+	(sid->u.ssl3.sessionIDLength == 0)) {
+	return;
+    }
+
+    if (sid->cached == never_cached || sid->cached == invalid_cache) {
+	PRUint32 set;
+
+	PORT_Assert(sid->creationTime != 0 && sid->expirationTime != 0);
+	if (!sid->creationTime)
+	    sid->lastAccessTime = sid->creationTime = ssl_Time();
+	if (version < SSL_LIBRARY_VERSION_3_0) {
+	    if (!sid->expirationTime)
+		sid->expirationTime = sid->creationTime + ssl_sid_timeout;
+	    SSL_TRC(8, ("%d: SSL: CacheMT: cached=%d addr=0x%08x%08x%08x%08x time=%x "
+			"cipher=%d", myPid, sid->cached,
+			sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
+			sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
+			sid->creationTime, sid->u.ssl2.cipherType));
+	    PRINT_BUF(8, (0, "sessionID:", sid->u.ssl2.sessionID,
+			  SSL2_SESSIONID_BYTES));
+	    PRINT_BUF(8, (0, "masterKey:", sid->u.ssl2.masterKey.data,
+			  sid->u.ssl2.masterKey.len));
+	    PRINT_BUF(8, (0, "cipherArg:", sid->u.ssl2.cipherArg.data,
+			  sid->u.ssl2.cipherArg.len));
+
+	} else {
+	    if (!sid->expirationTime)
+		sid->expirationTime = sid->creationTime + ssl3_sid_timeout;
+	    SSL_TRC(8, ("%d: SSL: CacheMT: cached=%d addr=0x%08x%08x%08x%08x time=%x "
+			"cipherSuite=%d", myPid, sid->cached,
+			sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
+			sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
+			sid->creationTime, sid->u.ssl3.cipherSuite));
+	    PRINT_BUF(8, (0, "sessionID:", sid->u.ssl3.sessionID,
+			  sid->u.ssl3.sessionIDLength));
+	}
+
+	ConvertFromSID(&sce, sid);
+
+	if ((version >= SSL_LIBRARY_VERSION_3_0) && 
+	    (sid->peerCert != NULL)) {
+	    now = CacheCert(cache, sid->peerCert, &sce);
+	}
+
+	set = SIDindex(cache, &sce.addr, sce.sessionID, sce.sessionIDLength);
+	now = LockSet(cache, set, now);
+	if (now) {
+	    PRUint32  next = cache->sidCacheSets[set].next;
+	    PRUint32  ndx  = set * SID_CACHE_ENTRIES_PER_SET + next;
+
+	    /* Write out new cache entry */
+	    cache->sidCacheData[ndx] = sce;
+
+	    cache->sidCacheSets[set].next = 
+	    				(next + 1) % SID_CACHE_ENTRIES_PER_SET;
+
+	    UnlockSet(cache, set);
+	    sid->cached = in_server_cache;
+	}
+    }
+}
+
+/*
+** Although this is static, it is called from ssl via global function pointer
+**	ssl_sid_uncache.  This invalidates the referenced cache entry.
+*/
+static void 
+ServerSessionIDUncache(sslSessionID *sid)
+{
+    cacheDesc *    cache   = &globalCache;
+    PRUint8 *      sessionID;
+    unsigned int   sessionIDLength;
+    PRErrorCode    err;
+    PRUint32       set;
+    PRUint32       now;
+    sidCacheEntry *psce;
+
+    if (sid == NULL) 
+    	return;
+    
+    /* Uncaching a SID should never change the error code. 
+    ** So save it here and restore it before exiting.
+    */
+    err = PR_GetError();
+
+    if (sid->version < SSL_LIBRARY_VERSION_3_0) {
+	sessionID       = sid->u.ssl2.sessionID;
+	sessionIDLength = SSL2_SESSIONID_BYTES;
+	SSL_TRC(8, ("%d: SSL: UncacheMT: valid=%d addr=0x%08x%08x%08x%08x time=%x "
+		    "cipher=%d", myPid, sid->cached,
+		    sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
+		    sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
+		    sid->creationTime, sid->u.ssl2.cipherType));
+	PRINT_BUF(8, (0, "sessionID:", sessionID, sessionIDLength));
+	PRINT_BUF(8, (0, "masterKey:", sid->u.ssl2.masterKey.data,
+		      sid->u.ssl2.masterKey.len));
+	PRINT_BUF(8, (0, "cipherArg:", sid->u.ssl2.cipherArg.data,
+		      sid->u.ssl2.cipherArg.len));
+    } else {
+	sessionID       = sid->u.ssl3.sessionID;
+	sessionIDLength = sid->u.ssl3.sessionIDLength;
+	SSL_TRC(8, ("%d: SSL3: UncacheMT: valid=%d addr=0x%08x%08x%08x%08x time=%x "
+		    "cipherSuite=%d", myPid, sid->cached,
+		    sid->addr.pr_s6_addr32[0], sid->addr.pr_s6_addr32[1],
+		    sid->addr.pr_s6_addr32[2], sid->addr.pr_s6_addr32[3],
+		    sid->creationTime, sid->u.ssl3.cipherSuite));
+	PRINT_BUF(8, (0, "sessionID:", sessionID, sessionIDLength));
+    }
+    set = SIDindex(cache, &sid->addr, sessionID, sessionIDLength);
+    now = LockSet(cache, set, 0);
+    if (now) {
+	psce = FindSID(cache, set, now, &sid->addr, sessionID, sessionIDLength);
+	if (psce) {
+	    psce->valid = 0;
+	}
+	UnlockSet(cache, set);
+    }
+    sid->cached = invalid_cache;
+    PORT_SetError(err);
+}
+
+#ifdef XP_OS2
+
+#define INCL_DOSPROCESS
+#include <os2.h>
+
+long gettid(void)
+{
+    PTIB ptib;
+    PPIB ppib;
+    DosGetInfoBlocks(&ptib, &ppib);
+    return ((long)ptib->tib_ordinal); /* thread id */
+}
+#endif
+
+static SECStatus
+InitCache(cacheDesc *cache, int maxCacheEntries, PRUint32 ssl2_timeout, 
+          PRUint32 ssl3_timeout, const char *directory)
+{
+    ptrdiff_t     ptr;
+    sidCacheLock *pLock;
+    char *        sharedMem;
+    PRFileMap *   cacheMemMap;
+    char *        cfn = NULL;	/* cache file name */
+    int           locks_initialized = 0;
+    int           locks_to_initialize = 0;
+    PRUint32      init_time;
+
+    if (cache->sharedMem) {
+	/* Already done */
+	return SECSuccess;
+    }
+
+    cache->numSIDCacheEntries = maxCacheEntries ? maxCacheEntries 
+                                                : DEF_SID_CACHE_ENTRIES;
+    cache->numSIDCacheSets    = 
+    	SID_HOWMANY(cache->numSIDCacheEntries, SID_CACHE_ENTRIES_PER_SET);
+
+    cache->numSIDCacheEntries = 
+    	cache->numSIDCacheSets * SID_CACHE_ENTRIES_PER_SET;
+
+    cache->numSIDCacheLocks   = 
+    	PR_MIN(cache->numSIDCacheSets, ssl_max_sid_cache_locks);
+
+    cache->numSIDCacheSetsPerLock = 
+    	SID_HOWMANY(cache->numSIDCacheSets, cache->numSIDCacheLocks);
+
+    /* compute size of shared memory, and offsets of all pointers */
+    ptr = 0;
+    cache->sharedMem     = (char *)ptr;
+    ptr += SID_ROUNDUP(sizeof(cacheDesc), SID_ALIGNMENT);
+
+    cache->sidCacheLocks = (sidCacheLock *)ptr;
+    cache->keyCacheLock  = cache->sidCacheLocks + cache->numSIDCacheLocks;
+    cache->certCacheLock = cache->keyCacheLock  + 1;
+    ptr = (ptrdiff_t)(cache->certCacheLock + 1);
+    ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
+
+    cache->sidCacheSets  = (sidCacheSet *)ptr;
+    ptr = (ptrdiff_t)(cache->sidCacheSets + cache->numSIDCacheSets);
+    ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
+
+    cache->sidCacheData  = (sidCacheEntry *)ptr;
+    ptr = (ptrdiff_t)(cache->sidCacheData + cache->numSIDCacheEntries);
+    ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
+
+    cache->certCacheData = (certCacheEntry *)ptr;
+    cache->sidCacheSize  = 
+    	(char *)cache->certCacheData - (char *)cache->sidCacheData;
+
+    /* This is really a poor way to computer this! */
+    cache->numCertCacheEntries = cache->sidCacheSize / sizeof(certCacheEntry);
+    if (cache->numCertCacheEntries < MIN_CERT_CACHE_ENTRIES)
+    	cache->numCertCacheEntries = MIN_CERT_CACHE_ENTRIES;
+    ptr = (ptrdiff_t)(cache->certCacheData + cache->numCertCacheEntries);
+    ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
+
+    cache->keyCacheData  = (SSLWrappedSymWrappingKey *)ptr;
+    cache->certCacheSize = 
+    	(char *)cache->keyCacheData - (char *)cache->certCacheData;
+
+    cache->numKeyCacheEntries = kt_kea_size * SSL_NUM_WRAP_MECHS;
+    ptr = (ptrdiff_t)(cache->keyCacheData + cache->numKeyCacheEntries);
+    ptr = SID_ROUNDUP(ptr, SID_ALIGNMENT);
+
+    cache->sharedMemSize = ptr;
+
+    cache->keyCacheSize  = (char *)ptr - (char *)cache->keyCacheData;
+
+    if (ssl2_timeout) {   
+	if (ssl2_timeout > MAX_SSL2_TIMEOUT) {
+	    ssl2_timeout = MAX_SSL2_TIMEOUT;
+	}
+	if (ssl2_timeout < MIN_SSL2_TIMEOUT) {
+	    ssl2_timeout = MIN_SSL2_TIMEOUT;
+	}
+	cache->ssl2Timeout = ssl2_timeout;
+    } else {
+	cache->ssl2Timeout = DEF_SSL2_TIMEOUT;
+    }
+
+    if (ssl3_timeout) {   
+	if (ssl3_timeout > MAX_SSL3_TIMEOUT) {
+	    ssl3_timeout = MAX_SSL3_TIMEOUT;
+	}
+	if (ssl3_timeout < MIN_SSL3_TIMEOUT) {
+	    ssl3_timeout = MIN_SSL3_TIMEOUT;
+	}
+	cache->ssl3Timeout = ssl3_timeout;
+    } else {
+	cache->ssl3Timeout = DEF_SSL3_TIMEOUT;
+    }
+
+    /* Create file names */
+#if defined(XP_UNIX) || defined(XP_BEOS)
+    /* there's some confusion here about whether PR_OpenAnonFileMap wants
+    ** a directory name or a file name for its first argument.
+    cfn = PR_smprintf("%s/.sslsvrcache.%d", directory, myPid);
+    */
+    cfn = PR_smprintf("%s", directory);
+#endif
+ 
+#ifdef XP_WIN32
+    cfn = PR_smprintf("%s/svrcache_%d_%x.ssl", directory, myPid, 
+    			GetCurrentThreadId());
+#endif
+
+#ifdef XP_OS2
+    cfn = PR_smprintf("%s/svrcache_%d_%x.ssl", directory, myPid, 
+    			gettid());
+#endif
+    if (!cfn) {
+	goto loser;
+    }
+
+    /* Create cache */
+    cacheMemMap = PR_OpenAnonFileMap(cfn, cache->sharedMemSize, 
+                                            PR_PROT_READWRITE);
+    PR_smprintf_free(cfn);
+    if(! cacheMemMap) {
+	goto loser;
+    }
+    sharedMem = PR_MemMap(cacheMemMap, 0, cache->sharedMemSize);
+    if (! sharedMem) {
+	goto loser;
+    }
+
+    /* Initialize shared memory. This may not be necessary on all platforms */
+    memset(sharedMem, 0, cache->sharedMemSize);
+
+    /* Copy cache descriptor header into shared memory */
+    memcpy(sharedMem, cache, sizeof *cache);
+
+    /* save private copies of these values */
+    cache->cacheMemMap = cacheMemMap;
+    cache->sharedMem   = sharedMem;
+    cache->sharedCache = (cacheDesc *)sharedMem;
+
+    /* Fix pointers in our private copy of cache descriptor to point to 
+    ** spaces in shared memory 
+    */
+    ptr = (ptrdiff_t)cache->sharedMem;
+    *(ptrdiff_t *)(&cache->sidCacheLocks) += ptr;
+    *(ptrdiff_t *)(&cache->keyCacheLock ) += ptr;
+    *(ptrdiff_t *)(&cache->certCacheLock) += ptr;
+    *(ptrdiff_t *)(&cache->sidCacheSets ) += ptr;
+    *(ptrdiff_t *)(&cache->sidCacheData ) += ptr;
+    *(ptrdiff_t *)(&cache->certCacheData) += ptr;
+    *(ptrdiff_t *)(&cache->keyCacheData ) += ptr;
+
+    /* initialize the locks */
+    init_time = ssl_Time();
+    pLock = cache->sidCacheLocks;
+    for (locks_to_initialize = cache->numSIDCacheLocks + 2;
+         locks_initialized < locks_to_initialize; 
+	 ++locks_initialized, ++pLock ) {
+
+	SECStatus err = sslMutex_Init(&pLock->mutex, isMultiProcess);
+	if (err)
+	    goto loser;
+        pLock->timeStamp = init_time;
+	pLock->pid       = 0;
+    }
+
+    return SECSuccess;
+
+loser:
+    if (cache->cacheMemMap) {
+	if (cache->sharedMem) {
+	    if (locks_initialized > 0) {
+		pLock = cache->sidCacheLocks;
+		for (; locks_initialized > 0; --locks_initialized, ++pLock ) {
+		    sslMutex_Destroy(&pLock->mutex);
+		}
+	    }
+	    PR_MemUnmap(cache->sharedMem, cache->sharedMemSize);
+	    cache->sharedMem = NULL;
+	}
+    	PR_CloseFileMap(cache->cacheMemMap);
+	cache->cacheMemMap = NULL;
+    }
+    return SECFailure;
+}
+
+PRUint32
+SSL_GetMaxServerCacheLocks(void)
+{
+    return ssl_max_sid_cache_locks + 2;
+    /* The extra two are the cert cache lock and the key cache lock. */
+}
+
+SECStatus
+SSL_SetMaxServerCacheLocks(PRUint32 maxLocks)
+{
+    /* Minimum is 1 sid cache lock, 1 cert cache lock and 1 key cache lock.
+    ** We'd like to test for a maximum value, but not all platforms' header
+    ** files provide a symbol or function or other means of determining
+    ** the maximum, other than trial and error.
+    */
+    if (maxLocks < 3) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    ssl_max_sid_cache_locks = maxLocks - 2;
+    /* The extra two are the cert cache lock and the key cache lock. */
+    return SECSuccess;
+}
+
+SECStatus
+SSL_ConfigServerSessionIDCacheInstance(	cacheDesc *cache,
+                                int      maxCacheEntries, 
+				PRUint32 ssl2_timeout,
+			       	PRUint32 ssl3_timeout, 
+			  const char *   directory)
+{
+    SECStatus rv;
+
+#if defined(DEBUG_nelsonb)
+    printf("sizeof(sidCacheEntry) == %u\n", sizeof(sidCacheEntry));
+#endif
+#if !(defined(SOLARIS) && defined(i386))
+#ifndef XP_OS2
+    PORT_Assert(sizeof(sidCacheEntry) % 8 == 0);
+#endif
+#endif
+    PORT_Assert(sizeof(certCacheEntry) == 4096);
+
+    myPid = SSL_GETPID();
+    if (!directory) {
+	directory = DEFAULT_CACHE_DIRECTORY;
+    }
+    rv = InitCache(cache, maxCacheEntries, ssl2_timeout, ssl3_timeout, 
+                   directory);
+    if (rv) {
+	SET_ERROR_CODE
+    	return SECFailure;
+    }
+
+    ssl_sid_lookup  = ServerSessionIDLookup;
+    ssl_sid_cache   = ServerSessionIDCache;
+    ssl_sid_uncache = ServerSessionIDUncache;
+    return SECSuccess;
+}
+
+SECStatus
+SSL_ConfigServerSessionIDCache(	int      maxCacheEntries, 
+				PRUint32 ssl2_timeout,
+			       	PRUint32 ssl3_timeout, 
+			  const char *   directory)
+{
+    return SSL_ConfigServerSessionIDCacheInstance(&globalCache, 
+    		maxCacheEntries, ssl2_timeout, ssl3_timeout, directory);
+}
+
+/* Use this function, instead of SSL_ConfigServerSessionIDCache,
+ * if the cache will be shared by multiple processes.
+ */
+SECStatus
+SSL_ConfigMPServerSIDCache(	int      maxCacheEntries, 
+				PRUint32 ssl2_timeout,
+			       	PRUint32 ssl3_timeout, 
+		          const char *   directory)
+{
+    char *	envValue;
+    char *	inhValue;
+    cacheDesc * cache         = &globalCache;
+    PRUint32    fmStrLen;
+    SECStatus 	result;
+    PRStatus 	prStatus;
+    SECStatus	putEnvFailed;
+    inheritance inherit;
+    char        fmString[PR_FILEMAP_STRING_BUFSIZE];
+
+    isMultiProcess = PR_TRUE;
+    result = SSL_ConfigServerSessionIDCacheInstance(cache, maxCacheEntries, 
+					ssl2_timeout, ssl3_timeout, directory);
+    if (result != SECSuccess) 
+        return result;
+
+    prStatus = PR_ExportFileMapAsString(cache->cacheMemMap, 
+                                        sizeof fmString, fmString);
+    if ((prStatus != PR_SUCCESS) || !(fmStrLen = strlen(fmString))) {
+	SET_ERROR_CODE
+	return SECFailure;
+    }
+
+    inherit.sharedMemSize	= cache->sharedMemSize;
+    inherit.fmStrLen            = fmStrLen;
+
+    inhValue = BTOA_DataToAscii((unsigned char *)&inherit, sizeof inherit);
+    if (!inhValue || !strlen(inhValue)) {
+	SET_ERROR_CODE
+	return SECFailure;
+    }
+    envValue = PR_smprintf("%s,%s", inhValue, fmString);
+    if (!envValue || !strlen(envValue)) {
+	SET_ERROR_CODE
+	return SECFailure;
+    }
+    PORT_Free(inhValue);
+
+    putEnvFailed = (SECStatus)NSS_PutEnv(envVarName, envValue);
+    PR_smprintf_free(envValue);
+    if (putEnvFailed) {
+        SET_ERROR_CODE
+        result = SECFailure;
+    }
+
+#if defined(XP_UNIX) || defined(XP_BEOS)
+    /* Launch thread to poll cache for expired locks on Unix */
+    LaunchLockPoller(cache);
+#endif
+    return result;
+}
+
+SECStatus
+SSL_InheritMPServerSIDCacheInstance(cacheDesc *cache, const char * envString)
+{
+    unsigned char * decoString = NULL;
+    char *          fmString   = NULL;
+    unsigned int    decoLen;
+    ptrdiff_t       ptr;
+    inheritance     inherit;
+    cacheDesc       my;
+#ifdef WINNT
+    sidCacheLock* newLocks;
+    int           locks_initialized = 0;
+    int           locks_to_initialize = 0;
+#endif
+
+    myPid = SSL_GETPID();
+
+    /* If this child was created by fork(), and not by exec() on unix,
+    ** then isMultiProcess will already be set.
+    ** If not, we'll set it below.
+    */
+    if (isMultiProcess)
+    	return SECSuccess;	/* already done. */
+
+    ssl_sid_lookup  = ServerSessionIDLookup;
+    ssl_sid_cache   = ServerSessionIDCache;
+    ssl_sid_uncache = ServerSessionIDUncache;
+
+    if (!envString) {
+    	envString  = getenv(envVarName);
+	if (!envString) {
+	    SET_ERROR_CODE
+	    return SECFailure;
+	}
+    }
+    envString = PORT_Strdup(envString);
+    if (!envString) 
+	return SECFailure;
+    fmString = strchr(envString, ',');
+    if (!fmString) 
+    	goto loser;
+    *fmString++ = 0;
+
+    decoString = ATOB_AsciiToData(envString, &decoLen);
+    if (!decoString) {
+    	SET_ERROR_CODE
+	goto loser;
+    }
+    if (decoLen != sizeof inherit) {
+    	SET_ERROR_CODE
+    	goto loser;
+    }
+
+    PORT_Memcpy(&inherit, decoString, sizeof inherit);
+
+    if (strlen(fmString)  != inherit.fmStrLen ) {
+    	goto loser;
+    }
+
+    memset(&my, 0, sizeof my);
+    my.sharedMemSize	= inherit.sharedMemSize;
+
+    /* Create cache */
+    my.cacheMemMap = PR_ImportFileMapFromString(fmString);
+    if(! my.cacheMemMap) {
+	goto loser;
+    }
+    my.sharedMem = PR_MemMap(my.cacheMemMap, 0, my.sharedMemSize);
+    if (! my.sharedMem) {
+	goto loser;
+    }
+    my.sharedCache   = (cacheDesc *)my.sharedMem;
+
+    if (my.sharedCache->sharedMemSize != my.sharedMemSize) {
+	SET_ERROR_CODE
+    	goto loser;
+    }
+
+    memcpy(cache, my.sharedCache, sizeof *cache);
+    cache->cacheMemMap = my.cacheMemMap;
+    cache->sharedMem   = my.sharedMem;
+    cache->sharedCache = my.sharedCache;
+
+    /* Fix pointers in our private copy of cache descriptor to point to 
+    ** spaces in shared memory 
+    */
+    ptr = (ptrdiff_t)cache->sharedMem;
+    *(ptrdiff_t *)(&cache->sidCacheLocks) += ptr;
+    *(ptrdiff_t *)(&cache->keyCacheLock ) += ptr;
+    *(ptrdiff_t *)(&cache->certCacheLock) += ptr;
+    *(ptrdiff_t *)(&cache->sidCacheSets ) += ptr;
+    *(ptrdiff_t *)(&cache->sidCacheData ) += ptr;
+    *(ptrdiff_t *)(&cache->certCacheData) += ptr;
+    *(ptrdiff_t *)(&cache->keyCacheData ) += ptr;
+
+#ifdef WINNT
+    /*  On Windows NT we need to "fix" the sidCacheLocks here to support fibers
+        When NT fibers are used in a multi-process server, a second level of
+        locking is needed to prevent a deadlock, in case a fiber acquires the
+        cross-process mutex, yields, and another fiber is later scheduled on
+        the same native thread and tries to acquire the cross-process mutex.
+        We do this by using a PRLock in the sslMutex. However, it is stored in
+        shared memory as part of sidCacheLocks, and we don't want to overwrite
+        the PRLock of the parent process. So we need to make new, private
+        copies of sidCacheLocks before modifying the sslMutex with our own
+        PRLock
+    */
+    
+    newLocks = (sidCacheLock*)PORT_Alloc(sizeof(sidCacheLock)*(cache->numSIDCacheLocks + 2));
+    /* note from jpierre : this should be free'd in child processes when
+       a function is added to delete the SSL session cache in the future */
+    /* fix the locks */		
+    for (locks_to_initialize = cache->numSIDCacheLocks + 2;
+         locks_initialized < locks_to_initialize; 
+         ++locks_initialized) {
+        /* copy the old lock */
+        memcpy(&newLocks[locks_initialized], &cache->sidCacheLocks[locks_initialized], sizeof(sidCacheLock));
+        /* now, make a local PRLock in this sslMutex for this child process */
+        sslMutex_2LevelInit(&newLocks[locks_initialized].mutex);
+    }
+    
+    /* then, make our cache object point to our new private sidCacheLocks */
+    /* first the session cache */
+    cache->sidCacheLocks = newLocks;
+    /* also fix the key and cert cache which use the last 2 lock entries */
+    cache->keyCacheLock  = cache->sidCacheLocks + cache->numSIDCacheLocks;
+    cache->certCacheLock = cache->keyCacheLock  + 1;
+#endif
+
+    PORT_Free(decoString);
+    isMultiProcess = PR_TRUE;
+    return SECSuccess;
+
+loser:
+    if (decoString) 
+	PORT_Free(decoString);
+    return SECFailure;
+
+}
+
+SECStatus
+SSL_InheritMPServerSIDCache(const char * envString)
+{
+    return SSL_InheritMPServerSIDCacheInstance(&globalCache, envString);
+}
+
+#if defined(XP_UNIX) || defined(XP_BEOS)
+
+#define SID_LOCK_EXPIRATION_TIMEOUT  30 /* seconds */
+
+static void
+LockPoller(void * arg)
+{
+    cacheDesc *    cache         = (cacheDesc *)arg;
+    cacheDesc *    sharedCache   = cache->sharedCache;
+    sidCacheLock * pLock;
+    const char *   timeoutString;
+    PRIntervalTime timeout;
+    PRUint32       now;
+    PRUint32       then;
+    int            locks_polled  = 0;
+    int            locks_to_poll = cache->numSIDCacheLocks + 2;
+    PRUint32       expiration    = SID_LOCK_EXPIRATION_TIMEOUT;
+
+    timeoutString = getenv("NSS_SSL_SERVER_CACHE_MUTEX_TIMEOUT");
+    if (timeoutString) {
+	long newTime = strtol(timeoutString, 0, 0);
+	if (newTime == 0) 
+	    return;  /* application doesn't want this function */
+	if (newTime > 0)
+	    expiration = (PRUint32)newTime;
+	/* if error (newTime < 0) ignore it and use default */
+    }
+
+    timeout = PR_SecondsToInterval(expiration);
+    while(!sharedCache->stopPolling) {
+    	PR_Sleep(timeout);
+	if (sharedCache->stopPolling)
+	    break;
+
+	now   = ssl_Time();
+	then  = now - expiration;
+	for (pLock = cache->sidCacheLocks, locks_polled = 0;
+	     locks_to_poll > locks_polled && !sharedCache->stopPolling; 
+	     ++locks_polled, ++pLock ) {
+	    pid_t pid;
+
+	    if (pLock->timeStamp   < then && 
+	        pLock->timeStamp   != 0 && 
+		(pid = pLock->pid) != 0) {
+
+	    	/* maybe we should try the lock? */
+		int result = kill(pid, 0);
+		if (result < 0 && errno == ESRCH) {
+		    SECStatus rv;
+		    /* No process exists by that pid any more.
+		    ** Treat this mutex as abandoned.
+		    */
+		    pLock->timeStamp = now;
+		    pLock->pid       = 0;
+		    rv = sslMutex_Unlock(&pLock->mutex);
+		    if (rv != SECSuccess) {
+		    	/* Now what? */
+		    }
+		}
+	    }
+	} /* end of loop over locks */
+    } /* end of entire polling loop */
+}
+
+/* Launch thread to poll cache for expired locks */
+static SECStatus 
+LaunchLockPoller(cacheDesc *cache)
+{
+    PRThread * pollerThread;
+
+    pollerThread = 
+	PR_CreateThread(PR_USER_THREAD, LockPoller, cache, PR_PRIORITY_NORMAL, 
+	                PR_GLOBAL_THREAD, PR_UNJOINABLE_THREAD, 0);
+    if (!pollerThread) {
+    	return SECFailure;
+    }
+    cache->poller = pollerThread;
+    return SECSuccess;
+}
+#endif
+
+/************************************************************************
+ *  Code dealing with shared wrapped symmetric wrapping keys below      *
+ ************************************************************************/
+
+/* If now is zero, it implies that the lock is not held, and must be 
+** aquired here.  
+*/
+static PRBool
+getSvrWrappingKey(PRInt32                symWrapMechIndex,
+               SSL3KEAType               exchKeyType, 
+               SSLWrappedSymWrappingKey *wswk, 
+	       cacheDesc *               cache,
+	       PRUint32                  lockTime)
+{
+    PRUint32  ndx = (exchKeyType * SSL_NUM_WRAP_MECHS) + symWrapMechIndex;
+    SSLWrappedSymWrappingKey * pwswk = cache->keyCacheData + ndx;
+    PRUint32  now = 0;
+    PRBool    rv  = PR_FALSE;
+
+    if (!lockTime) {
+	lockTime = now = LockSidCacheLock(cache->keyCacheLock, now);
+	if (!lockTime) {
+	    return rv;
+	}
+    }
+    if (pwswk->exchKeyType      == exchKeyType && 
+	pwswk->symWrapMechIndex == symWrapMechIndex &&
+	pwswk->wrappedSymKeyLen != 0) {
+	*wswk = *pwswk;
+	rv = PR_TRUE;
+    }
+    if (now) {
+	UnlockSidCacheLock(cache->keyCacheLock);
+    }
+    return rv;
+}
+
+PRBool
+ssl_GetWrappingKey( PRInt32                   symWrapMechIndex,
+                    SSL3KEAType               exchKeyType, 
+		    SSLWrappedSymWrappingKey *wswk)
+{
+    PRBool rv;
+
+    PORT_Assert( (unsigned)exchKeyType < kt_kea_size);
+    PORT_Assert( (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS);
+    if ((unsigned)exchKeyType < kt_kea_size &&
+        (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS) {
+	rv = getSvrWrappingKey(symWrapMechIndex, exchKeyType, wswk, 
+	                       &globalCache, 0);
+    } else {
+    	rv = PR_FALSE;
+    }
+
+    return rv;
+}
+
+/* The caller passes in the new value it wants
+ * to set.  This code tests the wrapped sym key entry in the shared memory.
+ * If it is uninitialized, this function writes the caller's value into 
+ * the disk entry, and returns false.  
+ * Otherwise, it overwrites the caller's wswk with the value obtained from 
+ * the disk, and returns PR_TRUE.  
+ * This is all done while holding the locks/mutexes necessary to make 
+ * the operation atomic.
+ */
+PRBool
+ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk)
+{
+    cacheDesc *   cache            = &globalCache;
+    PRBool        rv               = PR_FALSE;
+    SSL3KEAType   exchKeyType      = wswk->exchKeyType;   
+                                /* type of keys used to wrap SymWrapKey*/
+    PRInt32       symWrapMechIndex = wswk->symWrapMechIndex;
+    PRUint32      ndx;
+    PRUint32      now = 0;
+    SSLWrappedSymWrappingKey myWswk;
+
+    PORT_Assert( (unsigned)exchKeyType < kt_kea_size);
+    if ((unsigned)exchKeyType >= kt_kea_size)
+    	return 0;
+
+    PORT_Assert( (unsigned)symWrapMechIndex < SSL_NUM_WRAP_MECHS);
+    if ((unsigned)symWrapMechIndex >=  SSL_NUM_WRAP_MECHS)
+    	return 0;
+
+    ndx = (exchKeyType * SSL_NUM_WRAP_MECHS) + symWrapMechIndex;
+    PORT_Memset(&myWswk, 0, sizeof myWswk);	/* eliminate UMRs. */
+
+    now = LockSidCacheLock(cache->keyCacheLock, now);
+    if (now) {
+	rv = getSvrWrappingKey(wswk->symWrapMechIndex, wswk->exchKeyType, 
+	                       &myWswk, cache, now);
+	if (rv) {
+	    /* we found it on disk, copy it out to the caller. */
+	    PORT_Memcpy(wswk, &myWswk, sizeof *wswk);
+	} else {
+	    /* Wasn't on disk, and we're still holding the lock, so write it. */
+	    cache->keyCacheData[ndx] = *wswk;
+	}
+	UnlockSidCacheLock(cache->keyCacheLock);
+    }
+    return rv;
+}
+
+#else  /* MAC version or other platform */
+
+#include "seccomon.h"
+#include "cert.h"
+#include "ssl.h"
+#include "sslimpl.h"
+
+SECStatus
+SSL_ConfigServerSessionIDCache(	int      maxCacheEntries, 
+				PRUint32 ssl2_timeout,
+			       	PRUint32 ssl3_timeout, 
+			  const char *   directory)
+{
+    PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_ConfigServerSessionIDCache)");    
+    return SECFailure;
+}
+
+SECStatus
+SSL_ConfigMPServerSIDCache(	int      maxCacheEntries, 
+				PRUint32 ssl2_timeout,
+			       	PRUint32 ssl3_timeout, 
+		          const char *   directory)
+{
+    PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_ConfigMPServerSIDCache)");    
+    return SECFailure;
+}
+
+SECStatus
+SSL_InheritMPServerSIDCache(const char * envString)
+{
+    PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_InheritMPServerSIDCache)");    
+    return SECFailure;
+}
+
+PRBool
+ssl_GetWrappingKey( PRInt32                   symWrapMechIndex,
+                    SSL3KEAType               exchKeyType, 
+		    SSLWrappedSymWrappingKey *wswk)
+{
+    PRBool rv = PR_FALSE;
+    PR_ASSERT(!"SSL servers are not supported on this platform. (ssl_GetWrappingKey)");    
+    return rv;
+}
+
+/* This is a kind of test-and-set.  The caller passes in the new value it wants
+ * to set.  This code tests the wrapped sym key entry in the shared memory.
+ * If it is uninitialized, this function writes the caller's value into 
+ * the disk entry, and returns false.  
+ * Otherwise, it overwrites the caller's wswk with the value obtained from 
+ * the disk, and returns PR_TRUE.  
+ * This is all done while holding the locks/mutexes necessary to make 
+ * the operation atomic.
+ */
+PRBool
+ssl_SetWrappingKey(SSLWrappedSymWrappingKey *wswk)
+{
+    PRBool        rv = PR_FALSE;
+    PR_ASSERT(!"SSL servers are not supported on this platform. (ssl_SetWrappingKey)");
+    return rv;
+}
+
+PRUint32  
+SSL_GetMaxServerCacheLocks(void)
+{
+    PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_GetMaxServerCacheLocks)");
+    return -1;
+}
+
+SECStatus 
+SSL_SetMaxServerCacheLocks(PRUint32 maxLocks)
+{
+    PR_ASSERT(!"SSL servers are not supported on this platform. (SSL_SetMaxServerCacheLocks)");
+    return SECFailure;
+}
+
+#endif /* XP_UNIX || XP_WIN32 */
diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c
new file mode 100644
index 000000000..0042924b8
--- /dev/null
+++ b/security/nss/lib/ssl/sslsock.c
@@ -0,0 +1,1912 @@
+/*
+ * vtables (and methods that call through them) for the 4 types of 
+ * SSLSockets supported.  Only one type is still supported.
+ * Various other functions.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s): 
+ *	Dr Stephen Henson <stephen.henson@gemplus.com>
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+#include "seccomon.h"
+#include "cert.h"
+#include "keyhi.h"
+#include "ssl.h"
+#include "sslimpl.h"
+#include "sslproto.h"
+#include "nspr.h"
+
+#define SET_ERROR_CODE   /* reminder */
+
+struct cipherPolicyStr {
+	int		cipher;
+	unsigned char 	export;	/* policy value for export policy */
+	unsigned char 	france;	/* policy value for france policy */
+};
+
+typedef struct cipherPolicyStr cipherPolicy;
+
+/* This table contains two preconfigured policies: Export and France.
+** It is used only by the functions SSL_SetDomesticPolicy, 
+** SSL_SetExportPolicy, and SSL_SetFrancyPolicy.
+** Order of entries is not important.
+*/
+static cipherPolicy ssl_ciphers[] = {	   /*   Export           France   */
+ {  SSL_EN_RC4_128_WITH_MD5,		    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_EN_RC4_128_EXPORT40_WITH_MD5,	    SSL_ALLOWED,     SSL_ALLOWED },
+ {  SSL_EN_RC2_128_CBC_WITH_MD5,	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,   SSL_ALLOWED,     SSL_ALLOWED },
+ {  SSL_EN_DES_64_CBC_WITH_MD5,		    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_EN_DES_192_EDE3_CBC_WITH_MD5,	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_FORTEZZA_DMS_WITH_RC4_128_SHA,      SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_RSA_WITH_RC4_128_MD5,		    SSL_RESTRICTED,  SSL_NOT_ALLOWED },
+ {  SSL_RSA_WITH_RC4_128_SHA,		    SSL_RESTRICTED,  SSL_NOT_ALLOWED },
+ {  SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_RSA_WITH_3DES_EDE_CBC_SHA,	    SSL_RESTRICTED,  SSL_NOT_ALLOWED },
+ {  SSL_RSA_FIPS_WITH_DES_CBC_SHA,	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_RSA_WITH_DES_CBC_SHA,		    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_RSA_EXPORT_WITH_RC4_40_MD5,	    SSL_ALLOWED,     SSL_ALLOWED },
+ {  SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,	    SSL_ALLOWED,     SSL_ALLOWED },
+ {  SSL_FORTEZZA_DMS_WITH_NULL_SHA,	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_DHE_RSA_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_DHE_DSS_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_DHE_DSS_WITH_RC4_128_SHA,           SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  SSL_RSA_WITH_NULL_MD5,		    SSL_ALLOWED,     SSL_ALLOWED },
+ {  TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_RSA_WITH_AES_128_CBC_SHA,     	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_DHE_RSA_WITH_AES_256_CBC_SHA,       SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_RSA_WITH_AES_256_CBC_SHA,     	    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED },
+ {  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,    SSL_ALLOWED,     SSL_NOT_ALLOWED },
+ {  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,     SSL_ALLOWED,     SSL_NOT_ALLOWED },
+ {  0,					    SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }
+};
+
+static const sslSocketOps ssl_default_ops = {	/* No SSL. */
+    ssl_DefConnect,
+    NULL,
+    ssl_DefBind,
+    ssl_DefListen,
+    ssl_DefShutdown,
+    ssl_DefClose,
+    ssl_DefRecv,
+    ssl_DefSend,
+    ssl_DefRead,
+    ssl_DefWrite,
+    ssl_DefGetpeername,
+    ssl_DefGetsockname
+};
+
+static const sslSocketOps ssl_secure_ops = {	/* SSL. */
+    ssl_SecureConnect,
+    NULL,
+    ssl_DefBind,
+    ssl_DefListen,
+    ssl_SecureShutdown,
+    ssl_SecureClose,
+    ssl_SecureRecv,
+    ssl_SecureSend,
+    ssl_SecureRead,
+    ssl_SecureWrite,
+    ssl_DefGetpeername,
+    ssl_DefGetsockname
+};
+
+/*
+** default settings for socket enables
+*/
+static sslOptions ssl_defaults = {
+    PR_TRUE, 	/* useSecurity        */
+    PR_FALSE,	/* useSocks           */
+    PR_FALSE,	/* requestCertificate */
+    2,	        /* requireCertificate */
+    PR_FALSE,	/* handshakeAsClient  */
+    PR_FALSE,	/* handshakeAsServer  */
+    PR_TRUE,	/* enableSSL2         */
+    PR_TRUE,	/* enableSSL3         */
+    PR_TRUE, 	/* enableTLS          */ /* now defaults to on in NSS 3.0 */
+    PR_FALSE,	/* noCache            */
+    PR_FALSE,	/* fdx                */
+    PR_TRUE,	/* v2CompatibleHello  */
+    PR_TRUE,	/* detectRollBack     */
+};
+
+sslSessionIDLookupFunc  ssl_sid_lookup;
+sslSessionIDCacheFunc   ssl_sid_cache;
+sslSessionIDUncacheFunc ssl_sid_uncache;
+
+static PRBool ssl_inited = PR_FALSE;
+static PRDescIdentity ssl_layer_id;
+
+int                     ssl_lock_readers	= 1;	/* default true. */
+char                    ssl_debug;
+char                    ssl_trace;
+
+
+/* forward declarations. */
+static sslSocket *ssl_NewSocket(void);
+static PRStatus   ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, 
+                                  PRDescIdentity id);
+
+/************************************************************************/
+
+/*
+** Lookup a socket structure from a file descriptor.
+** Only functions called through the PRIOMethods table should use this.
+** Other app-callable functions should use ssl_FindSocket.
+*/
+static sslSocket *
+ssl_GetPrivate(PRFileDesc *fd)
+{
+    sslSocket *ss;
+
+    PORT_Assert(fd != NULL);
+    PORT_Assert(fd->methods->file_type == PR_DESC_LAYERED);
+    PORT_Assert(fd->identity == ssl_layer_id);
+
+    ss = (sslSocket *)fd->secret;
+    ss->fd = fd;
+    return ss;
+}
+
+sslSocket *
+ssl_FindSocket(PRFileDesc *fd)
+{
+    PRFileDesc *layer;
+    sslSocket *ss;
+
+    PORT_Assert(fd != NULL);
+    PORT_Assert(ssl_layer_id != 0);
+
+    layer = PR_GetIdentitiesLayer(fd, ssl_layer_id);
+    if (layer == NULL) {
+	PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
+	return NULL;
+    }
+
+    ss = (sslSocket *)layer->secret;
+    ss->fd = layer;
+    return ss;
+}
+
+sslSocket *
+ssl_DupSocket(sslSocket *os)
+{
+    sslSocket *ss;
+    SECStatus rv;
+
+    ss = ssl_NewSocket();
+    if (ss) {
+	ss->useSocks           = PR_FALSE;
+	ss->useSecurity        = os->useSecurity;
+	ss->requestCertificate = os->requestCertificate;
+	ss->requireCertificate = os->requireCertificate;
+	ss->handshakeAsClient  = os->handshakeAsClient;
+	ss->handshakeAsServer  = os->handshakeAsServer;
+	ss->enableSSL2         = os->enableSSL2;
+	ss->enableSSL3         = os->enableSSL3;
+	ss->enableTLS          = os->enableTLS;
+	ss->noCache            = os->noCache;
+	ss->fdx                = os->fdx;
+	ss->v2CompatibleHello  = os->v2CompatibleHello;
+	ss->detectRollBack     = os->detectRollBack;
+
+	ss->peerID             = !os->peerID ? NULL : PORT_Strdup(os->peerID);
+	ss->url                = !os->url    ? NULL : PORT_Strdup(os->url);
+
+	ss->ops      = os->ops;
+	ss->rTimeout = os->rTimeout;
+	ss->wTimeout = os->wTimeout;
+	ss->cTimeout = os->cTimeout;
+	ss->dbHandle = os->dbHandle;
+
+	/* copy ssl2&3 policy & prefs, even if it's not selected (yet) */
+	ss->allowedByPolicy	= os->allowedByPolicy;
+	ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy;
+	ss->chosenPreference 	= os->chosenPreference;
+	PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites);
+
+	if (os->cipherSpecs) {
+	    ss->cipherSpecs  = (unsigned char*)PORT_Alloc(os->sizeCipherSpecs);
+	    if (ss->cipherSpecs) 
+	    	PORT_Memcpy(ss->cipherSpecs, os->cipherSpecs, 
+		            os->sizeCipherSpecs);
+	    ss->sizeCipherSpecs    = os->sizeCipherSpecs;
+	    ss->preferredCipher    = os->preferredCipher;
+	} else {
+	    ss->cipherSpecs        = NULL;  /* produced lazily */
+	    ss->sizeCipherSpecs    = 0;
+	    ss->preferredCipher    = NULL;
+	}
+	if (ss->useSecurity) {
+	    /* This int should be SSLKEAType, but CC on Irix complains,
+	     * during the for loop.
+	     */
+	    int i;
+	    sslServerCerts * oc = os->serverCerts;
+	    sslServerCerts * sc = ss->serverCerts;
+
+	    for (i=kt_null; i < kt_kea_size; i++, oc++, sc++) {
+		if (oc->serverCert && oc->serverCertChain) {
+		    sc->serverCert      = CERT_DupCertificate(oc->serverCert);
+		    sc->serverCertChain = CERT_DupCertList(oc->serverCertChain);
+		    if (!sc->serverCertChain) 
+		    	goto loser;
+		} else {
+		    sc->serverCert      = NULL;
+		    sc->serverCertChain = NULL;
+		}
+		sc->serverKey = oc->serverKey ?
+				SECKEY_CopyPrivateKey(oc->serverKey) : NULL;
+		if (oc->serverKey && !sc->serverKey)
+		    goto loser;
+	        sc->serverKeyBits = oc->serverKeyBits;
+	    }
+	    ss->stepDownKeyPair = !os->stepDownKeyPair ? NULL :
+		                  ssl3_GetKeyPairRef(os->stepDownKeyPair);
+/*
+ * XXX the preceeding CERT_ and SECKEY_ functions can fail and return NULL.
+ * XXX We should detect this, and not just march on with NULL pointers.
+ */
+	    ss->authCertificate       = os->authCertificate;
+	    ss->authCertificateArg    = os->authCertificateArg;
+	    ss->getClientAuthData     = os->getClientAuthData;
+	    ss->getClientAuthDataArg  = os->getClientAuthDataArg;
+	    ss->handleBadCert         = os->handleBadCert;
+	    ss->badCertArg            = os->badCertArg;
+	    ss->handshakeCallback     = os->handshakeCallback;
+	    ss->handshakeCallbackData = os->handshakeCallbackData;
+	    ss->pkcs11PinArg          = os->pkcs11PinArg;
+    
+	    /* Create security data */
+	    rv = ssl_CopySecurityInfo(ss, os);
+	    if (rv != SECSuccess) {
+		goto loser;
+	    }
+	}
+    }
+    return ss;
+
+loser:
+    ssl_FreeSocket(ss);
+    return NULL;
+}
+
+static void
+ssl_DestroyLocks(sslSocket *ss)
+{
+
+    /* Destroy locks. */
+    if (ss->firstHandshakeLock) {
+    	PZ_DestroyMonitor(ss->firstHandshakeLock);
+	ss->firstHandshakeLock = NULL;
+    }
+    if (ss->ssl3HandshakeLock) {
+    	PZ_DestroyMonitor(ss->ssl3HandshakeLock);
+	ss->ssl3HandshakeLock = NULL;
+    }
+    if (ss->specLock) {
+    	NSSRWLock_Destroy(ss->specLock);
+	ss->specLock = NULL;
+    }
+
+    if (ss->recvLock) {
+    	PZ_DestroyLock(ss->recvLock);
+	ss->recvLock = NULL;
+    }
+    if (ss->sendLock) {
+    	PZ_DestroyLock(ss->sendLock);
+	ss->sendLock = NULL;
+    }
+    if (ss->xmitBufLock) {
+    	PZ_DestroyMonitor(ss->xmitBufLock);
+	ss->xmitBufLock = NULL;
+    }
+    if (ss->recvBufLock) {
+    	PZ_DestroyMonitor(ss->recvBufLock);
+	ss->recvBufLock = NULL;
+    }
+}
+
+/* Caller holds any relevant locks */
+static void
+ssl_DestroySocketContents(sslSocket *ss)
+{
+    /* "i" should be of type SSLKEAType, but CC on IRIX complains during
+     * the for loop.
+     */
+    int        i;
+
+    /* Free up socket */
+    ssl_DestroySecurityInfo(&ss->sec);
+
+    ssl3_DestroySSL3Info(ss->ssl3);
+
+    PORT_Free(ss->saveBuf.buf);
+    PORT_Free(ss->pendingBuf.buf);
+    ssl_DestroyGather(&ss->gs);
+
+    if (ss->peerID != NULL)
+	PORT_Free(ss->peerID);
+    if (ss->url != NULL)
+	PORT_Free((void *)ss->url);	/* CONST */
+    if (ss->cipherSpecs) {
+	PORT_Free(ss->cipherSpecs);
+	ss->cipherSpecs     = NULL;
+	ss->sizeCipherSpecs = 0;
+    }
+
+    /* Clean up server configuration */
+    for (i=kt_null; i < kt_kea_size; i++) {
+	sslServerCerts * sc = ss->serverCerts + i;
+	if (sc->serverCert != NULL)
+	    CERT_DestroyCertificate(sc->serverCert);
+	if (sc->serverCertChain != NULL)
+	    CERT_DestroyCertificateList(sc->serverCertChain);
+	if (sc->serverKey != NULL)
+	    SECKEY_DestroyPrivateKey(sc->serverKey);
+    }
+    if (ss->stepDownKeyPair) {
+	ssl3_FreeKeyPair(ss->stepDownKeyPair);
+	ss->stepDownKeyPair = NULL;
+    }
+}
+
+/*
+ * free an sslSocket struct, and all the stuff that hangs off of it
+ */
+void
+ssl_FreeSocket(sslSocket *ss)
+{
+#ifdef DEBUG
+    sslSocket *fs;
+    sslSocket  lSock;
+#endif
+
+/* Get every lock you can imagine!
+** Caller already holds these:
+**  SSL_LOCK_READER(ss);
+**  SSL_LOCK_WRITER(ss);
+*/
+    ssl_Get1stHandshakeLock(ss);
+    ssl_GetRecvBufLock(ss);
+    ssl_GetSSL3HandshakeLock(ss);
+    ssl_GetXmitBufLock(ss);
+    ssl_GetSpecWriteLock(ss);
+
+#ifdef DEBUG
+    fs = &lSock;
+    *fs = *ss;				/* Copy the old socket structure, */
+    PORT_Memset(ss, 0x1f, sizeof *ss);  /* then blast the old struct ASAP. */
+#else
+#define fs ss
+#endif
+
+    ssl_DestroySocketContents(fs);
+
+    /* Release all the locks acquired above.  */
+    SSL_UNLOCK_READER(fs);
+    SSL_UNLOCK_WRITER(fs);
+    ssl_Release1stHandshakeLock(fs);
+    ssl_ReleaseRecvBufLock(fs);
+    ssl_ReleaseSSL3HandshakeLock(fs);
+    ssl_ReleaseXmitBufLock(fs);
+    ssl_ReleaseSpecWriteLock(fs);
+
+    ssl_DestroyLocks(fs);
+
+    PORT_Free(ss);	/* free the caller's copy, not ours. */
+    return;
+}
+#undef fs
+
+/************************************************************************/
+SECStatus 
+ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled)
+{
+    PRFileDesc *       osfd = ss->fd->lower;
+    int 	       rv;
+    PRSocketOptionData opt;
+
+    opt.option         = PR_SockOpt_NoDelay;
+    opt.value.no_delay = (PRBool)!enabled;
+
+    rv = osfd->methods->setsocketoption(osfd, &opt);
+
+    return rv;
+}
+
+static void
+ssl_ChooseOps(sslSocket *ss)
+{
+    ss->ops = ss->useSecurity ? &ssl_secure_ops       : &ssl_default_ops;
+}
+
+/* Called from SSL_Enable (immediately below) */
+static SECStatus
+PrepareSocket(sslSocket *ss)
+{
+    SECStatus     rv = SECSuccess;
+
+    ssl_ChooseOps(ss);
+    return rv;
+}
+
+SECStatus
+SSL_Enable(PRFileDesc *fd, int which, PRBool on)
+{
+    return SSL_OptionSet(fd, which, on);
+}
+
+SECStatus
+SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
+{
+    sslSocket *ss = ssl_FindSocket(fd);
+    SECStatus  rv = SECSuccess;
+
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd));
+	return SECFailure;
+    }
+
+    ssl_Get1stHandshakeLock(ss);
+    ssl_GetSSL3HandshakeLock(ss);
+
+    switch (which) {
+      case SSL_SOCKS:
+	ss->useSocks = PR_FALSE;
+	rv = PrepareSocket(ss);
+	if (on) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    rv = SECFailure;
+	}
+	break;
+
+      case SSL_SECURITY:
+	ss->useSecurity = on;
+	rv = PrepareSocket(ss);
+	break;
+
+      case SSL_REQUEST_CERTIFICATE:
+	ss->requestCertificate = on;
+	break;
+
+      case SSL_REQUIRE_CERTIFICATE:
+	ss->requireCertificate = on;
+	break;
+
+      case SSL_HANDSHAKE_AS_CLIENT:
+	if ( ss->handshakeAsServer && on ) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    rv = SECFailure;
+	    break;
+	}
+	ss->handshakeAsClient = on;
+	break;
+
+      case SSL_HANDSHAKE_AS_SERVER:
+	if ( ss->handshakeAsClient && on ) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    rv = SECFailure;
+	    break;
+	}
+	ss->handshakeAsServer = on;
+	break;
+
+      case SSL_ENABLE_TLS:
+	ss->enableTLS           = on;
+	ss->preferredCipher     = NULL;
+	if (ss->cipherSpecs) {
+	    PORT_Free(ss->cipherSpecs);
+	    ss->cipherSpecs     = NULL;
+	    ss->sizeCipherSpecs = 0;
+	}
+	break;
+
+      case SSL_ENABLE_SSL3:
+	ss->enableSSL3          = on;
+	ss->preferredCipher     = NULL;
+	if (ss->cipherSpecs) {
+	    PORT_Free(ss->cipherSpecs);
+	    ss->cipherSpecs     = NULL;
+	    ss->sizeCipherSpecs = 0;
+	}
+	break;
+
+      case SSL_ENABLE_SSL2:
+	ss->enableSSL2          = on;
+	if (on) {
+	    ss->v2CompatibleHello = on;
+	}
+	ss->preferredCipher     = NULL;
+	if (ss->cipherSpecs) {
+	    PORT_Free(ss->cipherSpecs);
+	    ss->cipherSpecs     = NULL;
+	    ss->sizeCipherSpecs = 0;
+	}
+	break;
+
+      case SSL_NO_CACHE:
+	ss->noCache = on;
+	break;
+
+      case SSL_ENABLE_FDX:
+      	ss->fdx = on;
+	break;
+
+      case SSL_V2_COMPATIBLE_HELLO:
+      	ss->v2CompatibleHello = on;
+	if (!on) {
+	    ss->enableSSL2    = on;
+	}
+	break;
+
+      case SSL_ROLLBACK_DETECTION:  
+	ss->detectRollBack = on;
+        break;
+
+      default:
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	rv = SECFailure;
+    }
+
+    ssl_ReleaseSSL3HandshakeLock(ss);
+    ssl_Release1stHandshakeLock(ss);
+
+    return rv;
+}
+
+SECStatus
+SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
+{
+    sslSocket *ss = ssl_FindSocket(fd);
+    SECStatus  rv = SECSuccess;
+    PRBool     on = PR_FALSE;
+
+    if (!pOn) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd));
+	*pOn = PR_FALSE;
+	return SECFailure;
+    }
+
+    ssl_Get1stHandshakeLock(ss);
+    ssl_GetSSL3HandshakeLock(ss);
+
+    switch (which) {
+    case SSL_SOCKS:               on = PR_FALSE;               break;
+    case SSL_SECURITY:            on = ss->useSecurity;        break;
+    case SSL_REQUEST_CERTIFICATE: on = ss->requestCertificate; break;
+    case SSL_REQUIRE_CERTIFICATE: on = ss->requireCertificate; break;
+    case SSL_HANDSHAKE_AS_CLIENT: on = ss->handshakeAsClient;  break;
+    case SSL_HANDSHAKE_AS_SERVER: on = ss->handshakeAsServer;  break;
+    case SSL_ENABLE_TLS:          on = ss->enableTLS;          break;
+    case SSL_ENABLE_SSL3:         on = ss->enableSSL3;         break;
+    case SSL_ENABLE_SSL2:         on = ss->enableSSL2;         break;
+    case SSL_NO_CACHE:            on = ss->noCache;            break;
+    case SSL_ENABLE_FDX:          on = ss->fdx;                break;
+    case SSL_V2_COMPATIBLE_HELLO: on = ss->v2CompatibleHello;  break;
+    case SSL_ROLLBACK_DETECTION:  on = ss->detectRollBack;     break;
+
+    default:
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	rv = SECFailure;
+    }
+
+    ssl_ReleaseSSL3HandshakeLock(ss);
+    ssl_Release1stHandshakeLock(ss);
+
+    *pOn = on;
+    return rv;
+}
+
+SECStatus
+SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
+{
+    SECStatus  rv = SECSuccess;
+    PRBool     on = PR_FALSE;
+
+    if (!pOn) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    switch (which) {
+    case SSL_SOCKS:               on = PR_FALSE;                        break;
+    case SSL_SECURITY:            on = ssl_defaults.useSecurity;        break;
+    case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break;
+    case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break;
+    case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient;  break;
+    case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer;  break;
+    case SSL_ENABLE_TLS:          on = ssl_defaults.enableTLS;          break;
+    case SSL_ENABLE_SSL3:         on = ssl_defaults.enableSSL3;         break;
+    case SSL_ENABLE_SSL2:         on = ssl_defaults.enableSSL2;         break;
+    case SSL_NO_CACHE:            on = ssl_defaults.noCache;		break;
+    case SSL_ENABLE_FDX:          on = ssl_defaults.fdx;                break;
+    case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello;  break;
+    case SSL_ROLLBACK_DETECTION:  on = ssl_defaults.detectRollBack;     break;
+
+    default:
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	rv = SECFailure;
+    }
+
+    *pOn = on;
+    return rv;
+}
+
+/* XXX Use Global Lock to protect this stuff. */
+SECStatus
+SSL_EnableDefault(int which, PRBool on)
+{
+    return SSL_OptionSetDefault(which, on);
+}
+
+SECStatus
+SSL_OptionSetDefault(PRInt32 which, PRBool on)
+{
+    switch (which) {
+      case SSL_SOCKS:
+	ssl_defaults.useSocks = PR_FALSE;
+	if (on) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    return SECFailure;
+	}
+	break;
+
+      case SSL_SECURITY:
+	ssl_defaults.useSecurity = on;
+	break;
+
+      case SSL_REQUEST_CERTIFICATE:
+	ssl_defaults.requestCertificate = on;
+	break;
+
+      case SSL_REQUIRE_CERTIFICATE:
+	ssl_defaults.requireCertificate = on;
+	break;
+
+      case SSL_HANDSHAKE_AS_CLIENT:
+	if ( ssl_defaults.handshakeAsServer && on ) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    return SECFailure;
+	}
+	ssl_defaults.handshakeAsClient = on;
+	break;
+
+      case SSL_HANDSHAKE_AS_SERVER:
+	if ( ssl_defaults.handshakeAsClient && on ) {
+	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	    return SECFailure;
+	}
+	ssl_defaults.handshakeAsServer = on;
+	break;
+
+      case SSL_ENABLE_TLS:
+	ssl_defaults.enableTLS = on;
+	break;
+
+      case SSL_ENABLE_SSL3:
+	ssl_defaults.enableSSL3 = on;
+	break;
+
+      case SSL_ENABLE_SSL2:
+	ssl_defaults.enableSSL2 = on;
+	if (on) {
+	    ssl_defaults.v2CompatibleHello = on;
+	}
+	break;
+
+      case SSL_NO_CACHE:
+	ssl_defaults.noCache = on;
+	break;
+
+      case SSL_ENABLE_FDX:
+      	ssl_defaults.fdx = on;
+
+      case SSL_V2_COMPATIBLE_HELLO:
+      	ssl_defaults.v2CompatibleHello = on;
+	if (!on) {
+	    ssl_defaults.enableSSL2    = on;
+	}
+	break;
+
+      case SSL_ROLLBACK_DETECTION:  
+	ssl_defaults.detectRollBack = on;
+	break;
+
+      default:
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/* Part of the public NSS API.
+ * Since this is a global (not per-socket) setting, we cannot use the
+ * HandshakeLock to protect this.  Probably want a global lock.
+ */
+SECStatus
+SSL_SetPolicy(long which, int policy)
+{
+    if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) {
+    	/* one of the two old FIPS ciphers */
+	if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) 
+	    which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
+	else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
+	    which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
+    }
+    return SSL_CipherPolicySet(which, policy);
+}
+
+SECStatus
+SSL_CipherPolicySet(PRInt32 which, PRInt32 policy)
+{
+    SECStatus rv;
+
+    if (SSL_IS_SSL2_CIPHER(which)) {
+	rv = ssl2_SetPolicy(which, policy);
+    } else {
+	rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
+    }
+    return rv;
+}
+
+SECStatus
+SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
+{
+    SECStatus rv;
+
+    if (!oPolicy) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    if (SSL_IS_SSL2_CIPHER(which)) {
+	rv = ssl2_GetPolicy(which, oPolicy);
+    } else {
+	rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy);
+    }
+    return rv;
+}
+
+/* Part of the public NSS API.
+ * Since this is a global (not per-socket) setting, we cannot use the
+ * HandshakeLock to protect this.  Probably want a global lock.
+ * These changes have no effect on any sslSockets already created. 
+ */
+SECStatus
+SSL_EnableCipher(long which, PRBool enabled)
+{
+    if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) {
+    	/* one of the two old FIPS ciphers */
+	if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) 
+	    which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
+	else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
+	    which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
+    }
+    return SSL_CipherPrefSetDefault(which, enabled);
+}
+
+SECStatus
+SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
+{
+    SECStatus rv;
+    
+    if (SSL_IS_SSL2_CIPHER(which)) {
+	rv = ssl2_CipherPrefSetDefault(which, enabled);
+    } else {
+	rv = ssl3_CipherPrefSetDefault((ssl3CipherSuite)which, enabled);
+    }
+    return rv;
+}
+
+SECStatus 
+SSL_CipherPrefGetDefault(PRInt32 which, PRBool *enabled)
+{
+    SECStatus  rv;
+    
+    if (!enabled) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    if (SSL_IS_SSL2_CIPHER(which)) {
+	rv = ssl2_CipherPrefGetDefault(which, enabled);
+    } else {
+	rv = ssl3_CipherPrefGetDefault((ssl3CipherSuite)which, enabled);
+    }
+    return rv;
+}
+
+SECStatus
+SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 which, PRBool enabled)
+{
+    SECStatus rv;
+    sslSocket *ss = ssl_FindSocket(fd);
+    
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefSet", SSL_GETPID(), fd));
+	return SECFailure;
+    }
+    if (SSL_IS_SSL2_CIPHER(which)) {
+	rv = ssl2_CipherPrefSet(ss, which, enabled);
+    } else {
+	rv = ssl3_CipherPrefSet(ss, (ssl3CipherSuite)which, enabled);
+    }
+    return rv;
+}
+
+SECStatus 
+SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled)
+{
+    SECStatus  rv;
+    sslSocket *ss = ssl_FindSocket(fd);
+    
+    if (!enabled) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefGet", SSL_GETPID(), fd));
+	*enabled = PR_FALSE;
+	return SECFailure;
+    }
+    if (SSL_IS_SSL2_CIPHER(which)) {
+	rv = ssl2_CipherPrefGet(ss, which, enabled);
+    } else {
+	rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled);
+    }
+    return rv;
+}
+
+SECStatus
+NSS_SetDomesticPolicy(void)
+{
+#ifndef EXPORT_VERSION
+    SECStatus      status = SECSuccess;
+    cipherPolicy * policy;
+
+    for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
+	status = SSL_SetPolicy(policy->cipher, SSL_ALLOWED);
+	if (status != SECSuccess)
+	    break;
+    }
+    return status;
+#else
+    return NSS_SetExportPolicy();
+#endif
+}
+
+SECStatus
+NSS_SetExportPolicy(void)
+{
+    SECStatus      status = SECSuccess;
+    cipherPolicy * policy;
+
+    for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
+	status = SSL_SetPolicy(policy->cipher, policy->export);
+	if (status != SECSuccess)
+	    break;
+    }
+    return status;
+}
+
+SECStatus
+NSS_SetFrancePolicy(void)
+{
+    SECStatus      status = SECSuccess;
+    cipherPolicy * policy;
+
+    for (policy = ssl_ciphers; policy->cipher != 0; ++policy) {
+	status = SSL_SetPolicy(policy->cipher, policy->france);
+	if (status != SECSuccess)
+	    break;
+    }
+    return status;
+}
+
+
+
+/* LOCKS ??? XXX */
+PRFileDesc *
+SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd)
+{
+    sslSocket * ns = NULL;
+    PRStatus    rv;
+    PRNetAddr   addr;
+
+    if (model == NULL) {
+	/* Just create a default socket if we're given NULL for the model */
+	ns = ssl_NewSocket();
+    } else {
+	sslSocket * ss = ssl_FindSocket(model);
+	if (ss == NULL) {
+	    SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD", 
+	    	      SSL_GETPID(), model));
+	    return NULL;
+	}
+	ns = ssl_DupSocket(ss);
+    }
+    if (ns == NULL)
+    	return NULL;
+
+    rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER);
+    if (rv != PR_SUCCESS) {
+	ssl_FreeSocket(ns);
+	SET_ERROR_CODE
+	return NULL;
+    }
+#ifdef _WIN32
+    PR_Sleep(PR_INTERVAL_NO_WAIT);     /* workaround NT winsock connect bug. */
+#endif
+    ns = ssl_FindSocket(fd);
+    PORT_Assert(ns);
+    if (ns)
+	ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr));
+    return fd;
+}
+
+/************************************************************************/
+/* The following functions are the TOP LEVEL SSL functions.
+** They all get called through the NSPRIOMethods table below.
+*/
+
+static PRFileDesc * PR_CALLBACK
+ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout)
+{
+    sslSocket  *ss;
+    sslSocket  *ns 	= NULL;
+    PRFileDesc *newfd 	= NULL;
+    PRFileDesc *osfd;
+    PRStatus    status;
+
+    ss = ssl_GetPrivate(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in accept", SSL_GETPID(), fd));
+	return NULL;
+    }
+
+    /* IF this is a listen socket, there shouldn't be any I/O going on */
+    SSL_LOCK_READER(ss);
+    SSL_LOCK_WRITER(ss);
+    ssl_Get1stHandshakeLock(ss);
+    ssl_GetSSL3HandshakeLock(ss);
+
+    ss->cTimeout = timeout;
+
+    osfd = ss->fd->lower;
+
+    /* First accept connection */
+    newfd = osfd->methods->accept(osfd, sockaddr, timeout);
+    if (newfd == NULL) {
+	SSL_DBG(("%d: SSL[%d]: accept failed, errno=%d",
+		 SSL_GETPID(), ss->fd, PORT_GetError()));
+    } else {
+	/* Create ssl module */
+	ns = ssl_DupSocket(ss);
+    }
+
+    ssl_ReleaseSSL3HandshakeLock(ss);
+    ssl_Release1stHandshakeLock(ss);
+    SSL_UNLOCK_WRITER(ss);
+    SSL_UNLOCK_READER(ss);			/* ss isn't used below here. */
+
+    if (ns == NULL)
+	goto loser;
+
+    /* push ssl module onto the new socket */
+    status = ssl_PushIOLayer(ns, newfd, PR_TOP_IO_LAYER);
+    if (status != PR_SUCCESS)
+	goto loser;
+
+    /* Now start server connection handshake with client.
+    ** Don't need locks here because nobody else has a reference to ns yet.
+    */
+    if ( ns->useSecurity ) {
+	if ( ns->handshakeAsClient ) {
+	    ns->handshake = ssl2_BeginClientHandshake;
+	    ss->handshaking = sslHandshakingAsClient;
+	} else {
+	    ns->handshake = ssl2_BeginServerHandshake;
+	    ss->handshaking = sslHandshakingAsServer;
+	}
+    }
+    ns->TCPconnected = 1;
+    return newfd;
+
+loser:
+    if (ns != NULL)
+	ssl_FreeSocket(ns);
+    if (newfd != NULL)
+	PR_Close(newfd);
+    return NULL;
+}
+
+static PRStatus PR_CALLBACK
+ssl_Connect(PRFileDesc *fd, const PRNetAddr *sockaddr, PRIntervalTime timeout)
+{
+    sslSocket *ss;
+    PRStatus   rv;
+
+    ss = ssl_GetPrivate(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in connect", SSL_GETPID(), fd));
+	return PR_FAILURE;
+    }
+
+    /* IF this is a listen socket, there shouldn't be any I/O going on */
+    SSL_LOCK_READER(ss);
+    SSL_LOCK_WRITER(ss);
+
+    ss->cTimeout = timeout;
+    rv = (PRStatus)(*ss->ops->connect)(ss, sockaddr);
+#ifdef _WIN32
+    PR_Sleep(PR_INTERVAL_NO_WAIT);     /* workaround NT winsock connect bug. */
+#endif
+
+    SSL_UNLOCK_WRITER(ss);
+    SSL_UNLOCK_READER(ss);
+
+    return rv;
+}
+
+static PRStatus PR_CALLBACK
+ssl_Bind(PRFileDesc *fd, const PRNetAddr *addr)
+{
+    sslSocket * ss = ssl_GetPrivate(fd);
+    PRStatus    rv;
+
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in bind", SSL_GETPID(), fd));
+	return PR_FAILURE;
+    }
+    SSL_LOCK_READER(ss);
+    SSL_LOCK_WRITER(ss);
+
+    rv = (PRStatus)(*ss->ops->bind)(ss, addr);
+
+    SSL_UNLOCK_WRITER(ss);
+    SSL_UNLOCK_READER(ss);
+    return rv;
+}
+
+static PRStatus PR_CALLBACK
+ssl_Listen(PRFileDesc *fd, PRIntn backlog)
+{
+    sslSocket * ss = ssl_GetPrivate(fd);
+    PRStatus    rv;
+
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in listen", SSL_GETPID(), fd));
+	return PR_FAILURE;
+    }
+    SSL_LOCK_READER(ss);
+    SSL_LOCK_WRITER(ss);
+
+    rv = (PRStatus)(*ss->ops->listen)(ss, backlog);
+
+    SSL_UNLOCK_WRITER(ss);
+    SSL_UNLOCK_READER(ss);
+    return rv;
+}
+
+static PRStatus PR_CALLBACK
+ssl_Shutdown(PRFileDesc *fd, PRIntn how)
+{
+    sslSocket * ss = ssl_GetPrivate(fd);
+    PRStatus    rv;
+
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in shutdown", SSL_GETPID(), fd));
+	return PR_FAILURE;
+    }
+    if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) {
+    	SSL_LOCK_READER(ss);
+    }
+    if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) {
+    	SSL_LOCK_WRITER(ss);
+    }
+
+    rv = (PRStatus)(*ss->ops->shutdown)(ss, how);
+
+    if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) {
+    	SSL_UNLOCK_WRITER(ss);
+    }
+    if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) {
+    	SSL_UNLOCK_READER(ss);
+    }
+    return rv;
+}
+
+static PRStatus PR_CALLBACK
+ssl_Close(PRFileDesc *fd)
+{
+    sslSocket *ss;
+    PRStatus   rv;
+
+    ss = ssl_GetPrivate(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in close", SSL_GETPID(), fd));
+	return PR_FAILURE;
+    }
+
+    /* There must not be any I/O going on */
+    SSL_LOCK_READER(ss);
+    SSL_LOCK_WRITER(ss);
+
+    /* By the time this function returns, 
+    ** ss is an invalid pointer, and the locks to which it points have 
+    ** been unlocked and freed.  So, this is the ONE PLACE in all of SSL
+    ** where the LOCK calls and the corresponding UNLOCK calls are not in
+    ** the same function scope.  The unlock calls are in ssl_FreeSocket().
+    */
+    rv = (PRStatus)(*ss->ops->close)(ss);
+
+    return rv;
+}
+
+static int PR_CALLBACK
+ssl_Recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags,
+	 PRIntervalTime timeout)
+{
+    sslSocket *ss;
+    int        rv;
+
+    ss = ssl_GetPrivate(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in recv", SSL_GETPID(), fd));
+	return SECFailure;
+    }
+    SSL_LOCK_READER(ss);
+    ss->rTimeout = timeout;
+    if (!ss->fdx)
+	ss->wTimeout = timeout;
+    rv = (*ss->ops->recv)(ss, (unsigned char*)buf, len, flags);
+    SSL_UNLOCK_READER(ss);
+    return rv;
+}
+
+static int PR_CALLBACK
+ssl_Send(PRFileDesc *fd, const void *buf, PRInt32 len, PRIntn flags,
+	 PRIntervalTime timeout)
+{
+    sslSocket *ss;
+    int        rv;
+
+    ss = ssl_GetPrivate(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in send", SSL_GETPID(), fd));
+	return SECFailure;
+    }
+    SSL_LOCK_WRITER(ss);
+    ss->wTimeout = timeout;
+    if (!ss->fdx)
+	ss->rTimeout = timeout;
+    rv = (*ss->ops->send)(ss, (const unsigned char*)buf, len, flags);
+    SSL_UNLOCK_WRITER(ss);
+    return rv;
+}
+
+static int PR_CALLBACK
+ssl_Read(PRFileDesc *fd, void *buf, PRInt32 len)
+{
+    sslSocket *ss;
+    int        rv;
+
+    ss = ssl_GetPrivate(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in read", SSL_GETPID(), fd));
+	return SECFailure;
+    }
+    SSL_LOCK_READER(ss);
+    ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
+    if (!ss->fdx)
+	ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
+    rv = (*ss->ops->read)(ss, (unsigned char*)buf, len);
+    SSL_UNLOCK_READER(ss);
+    return rv;
+}
+
+static int PR_CALLBACK
+ssl_Write(PRFileDesc *fd, const void *buf, PRInt32 len)
+{
+    sslSocket *ss;
+    int        rv;
+
+    ss = ssl_GetPrivate(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in write", SSL_GETPID(), fd));
+	return SECFailure;
+    }
+    SSL_LOCK_WRITER(ss);
+    ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
+    if (!ss->fdx)
+	ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
+    rv = (*ss->ops->write)(ss, (const unsigned char*)buf, len);
+    SSL_UNLOCK_WRITER(ss);
+    return rv;
+}
+
+static PRStatus PR_CALLBACK
+ssl_GetPeerName(PRFileDesc *fd, PRNetAddr *addr)
+{
+    sslSocket *ss;
+
+    ss = ssl_GetPrivate(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in getpeername", SSL_GETPID(), fd));
+	return PR_FAILURE;
+    }
+    return (PRStatus)(*ss->ops->getpeername)(ss, addr);
+}
+
+/*
+*/
+SECStatus
+ssl_GetPeerInfo(sslSocket *ss)
+{
+    PRFileDesc *      osfd;
+    int               rv;
+    PRNetAddr         sin;
+
+    osfd = ss->fd->lower;
+
+    PORT_Memset(&sin, 0, sizeof(sin));
+    rv = osfd->methods->getpeername(osfd, &sin);
+    if (rv < 0) {
+	return SECFailure;
+    }
+    ss->TCPconnected = 1;
+    if (sin.inet.family == PR_AF_INET) {
+        PR_ConvertIPv4AddrToIPv6(sin.inet.ip, &ss->sec.ci.peer);
+	ss->sec.ci.port = sin.inet.port;
+    } else if (sin.ipv6.family == PR_AF_INET6) {
+	ss->sec.ci.peer = sin.ipv6.ip;
+	ss->sec.ci.port = sin.ipv6.port;
+    } else {
+	PORT_SetError(PR_ADDRESS_NOT_SUPPORTED_ERROR);
+    	return SECFailure;
+    }
+    return SECSuccess;
+}
+
+static PRStatus PR_CALLBACK
+ssl_GetSockName(PRFileDesc *fd, PRNetAddr *name)
+{
+    sslSocket *ss;
+
+    ss = ssl_GetPrivate(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in getsockname", SSL_GETPID(), fd));
+	return PR_FAILURE;
+    }
+    return (PRStatus)(*ss->ops->getsockname)(ss, name);
+}
+
+SECStatus PR_CALLBACK
+SSL_SetSockPeerID(PRFileDesc *fd, char *peerID)
+{
+    sslSocket *ss;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetCacheIndex",
+		 SSL_GETPID(), fd));
+	return SECFailure;
+    }
+
+    ss->peerID = PORT_Strdup(peerID);
+    return SECSuccess;
+}
+
+#define PR_POLL_RW (PR_POLL_WRITE | PR_POLL_READ)
+
+static PRInt16 PR_CALLBACK
+ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags)
+{
+    sslSocket *ss;
+    PRInt16    new_flags = how_flags;	/* should select on these flags. */
+    PRNetAddr  addr;
+
+    *p_out_flags = 0;
+    ss = ssl_GetPrivate(fd);
+    if (!ss) {
+	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_Poll",
+		 SSL_GETPID(), fd));
+	return 0;	/* don't poll on this socket */
+    }
+
+    if (ss->useSecurity && 
+	ss->handshaking != sslHandshakingUndetermined &&
+        !ss->firstHsDone &&
+	(how_flags & PR_POLL_RW)) {
+	if (!ss->TCPconnected) {
+	    ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr));
+	}
+	/* If it's not connected, then presumably the application is polling
+	** on read or write appropriately, so don't change it. 
+	*/
+	if (ss->TCPconnected) {
+	    if (!ss->handshakeBegun) {
+		/* If the handshake has not begun, poll on read or write 
+		** based on the local application's role in the handshake,
+		** not based on what the application requested.
+		*/
+		new_flags &= ~PR_POLL_RW;
+		if (ss->handshaking == sslHandshakingAsClient) {
+		    new_flags |= PR_POLL_WRITE;
+		} else { /* handshaking as server */
+		    new_flags |= PR_POLL_READ;
+		}
+	    } else 
+	    /* First handshake is in progress */
+	    if (ss->lastWriteBlocked) {
+		if (new_flags & PR_POLL_READ) {
+		    /* The caller is waiting for data to be received, 
+		    ** but the initial handshake is blocked on write, or the 
+		    ** client's first handshake record has not been written.
+		    ** The code should select on write, not read.
+		    */
+		    new_flags ^=  PR_POLL_READ;	   /* don't select on read. */
+		    new_flags |=  PR_POLL_WRITE;   /* do    select on write. */
+		}
+	    } else if (new_flags & PR_POLL_WRITE) {
+		    /* The caller is trying to write, but the handshake is 
+		    ** blocked waiting for data to read, and the first 
+		    ** handshake has been sent.  so do NOT to poll on write.
+		    */
+		    new_flags ^=  PR_POLL_WRITE;   /* don't select on write. */
+		    new_flags |=  PR_POLL_READ;	   /* do    select on read. */
+	    }
+	}
+    } else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) {
+	*p_out_flags = PR_POLL_READ;	/* it's ready already. */
+	return new_flags;
+    } else if ((ss->lastWriteBlocked) && (how_flags & PR_POLL_READ) &&
+	       (ss->pendingBuf.len != 0)) { /* write data waiting to be sent */
+	new_flags |=  PR_POLL_WRITE;   /* also select on write. */
+    } 
+    if (new_flags && (fd->lower->methods->poll != NULL)) {
+	PRInt16    lower_out_flags = 0;
+	PRInt16    lower_new_flags;
+        lower_new_flags = fd->lower->methods->poll(fd->lower, new_flags, 
+					           &lower_out_flags);
+	if ((lower_new_flags & lower_out_flags) && (how_flags != new_flags)) {
+	    PRInt16 out_flags = lower_out_flags & ~PR_POLL_RW;
+	    if (lower_out_flags & PR_POLL_READ) 
+		out_flags |= PR_POLL_WRITE;
+	    if (lower_out_flags & PR_POLL_WRITE) 
+		out_flags |= PR_POLL_READ;
+	    *p_out_flags = out_flags;
+	    new_flags = how_flags;
+	} else {
+	    *p_out_flags = lower_out_flags;
+	    new_flags    = lower_new_flags;
+	}
+    }
+
+    return new_flags;
+}
+
+
+PRBool
+ssl_FdIsBlocking(PRFileDesc *fd)
+{
+    PRSocketOptionData opt;
+    PRStatus           status;
+
+    opt.option             = PR_SockOpt_Nonblocking;
+    opt.value.non_blocking = PR_FALSE;
+    status = PR_GetSocketOption(fd, &opt);
+    if (status != PR_SUCCESS)
+	return PR_FALSE;
+    return (PRBool)!opt.value.non_blocking;
+}
+
+PRBool
+ssl_SocketIsBlocking(sslSocket *ss)
+{
+    return ssl_FdIsBlocking(ss->fd);
+}
+
+PRInt32  sslFirstBufSize = 8 * 1024;
+PRInt32  sslCopyLimit    = 1024;
+
+static PRInt32 PR_CALLBACK
+ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, 
+           PRIntervalTime timeout)
+{
+    PRInt32            bufLen;
+    PRInt32            left;
+    PRInt32            rv;
+    PRInt32            sent      =  0;
+    const PRInt32      first_len = sslFirstBufSize;
+    const PRInt32      limit     = sslCopyLimit;
+    PRBool             blocking;
+    PRIOVec            myIov	 = { 0, 0 };
+    char               buf[MAX_FRAGMENT_LENGTH];
+
+    if (vectors > PR_MAX_IOVECTOR_SIZE) {
+    	PORT_SetError(PR_BUFFER_OVERFLOW_ERROR);
+	return -1;
+    }
+    blocking = ssl_FdIsBlocking(fd);
+
+#define K16 sizeof(buf)
+#define KILL_VECTORS while (vectors && !iov->iov_len) { ++iov; --vectors; }
+#define GET_VECTOR   do { myIov = *iov++; --vectors; KILL_VECTORS } while (0)
+#define HANDLE_ERR(rv, len) \
+    if (rv != len) { \
+	if (rv < 0) { \
+	    if (!blocking \
+		&& (PR_GetError() == PR_WOULD_BLOCK_ERROR) \
+		&& (sent > 0)) { \
+		return sent; \
+	    } else { \
+		return -1; \
+	    } \
+	} \
+	/* Only a nonblocking socket can have partial sends */ \
+	PR_ASSERT(!blocking); \
+	return sent; \
+    } 
+#define SEND(bfr, len) \
+    do { \
+	rv = ssl_Send(fd, bfr, len, 0, timeout); \
+	HANDLE_ERR(rv, len) \
+	sent += len; \
+    } while (0)
+
+    /* Make sure the first write is at least 8 KB, if possible. */
+    KILL_VECTORS
+    if (!vectors)
+	return ssl_Send(fd, 0, 0, 0, timeout);
+    GET_VECTOR;
+    if (!vectors) {
+	return ssl_Send(fd, myIov.iov_base, myIov.iov_len, 0, timeout);
+    }
+    if (myIov.iov_len < first_len) {
+	PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len);
+	bufLen = myIov.iov_len;
+	left = first_len - bufLen;
+	while (vectors && left) {
+	    int toCopy;
+	    GET_VECTOR;
+	    toCopy = PR_MIN(left, myIov.iov_len);
+	    PORT_Memcpy(buf + bufLen, myIov.iov_base, toCopy);
+	    bufLen         += toCopy;
+	    left           -= toCopy;
+	    myIov.iov_base += toCopy;
+	    myIov.iov_len  -= toCopy;
+	}
+	SEND( buf, bufLen );
+    }
+
+    while (vectors || myIov.iov_len) {
+	PRInt32   addLen;
+	if (!myIov.iov_len) {
+	    GET_VECTOR;
+	}
+	while (myIov.iov_len >= K16) {
+	    SEND(myIov.iov_base, K16);
+	    myIov.iov_base += K16;
+	    myIov.iov_len  -= K16;
+	}
+	if (!myIov.iov_len)
+	    continue;
+
+	if (!vectors || myIov.iov_len > limit) {
+	    addLen = 0;
+	} else if ((addLen = iov->iov_len % K16) + myIov.iov_len <= limit) {
+	    /* Addlen is already computed. */;
+	} else if (vectors > 1 && 
+	     iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) {
+	     addLen = limit - myIov.iov_len;
+	} else 
+	    addLen = 0;
+
+	if (!addLen) {
+	    SEND( myIov.iov_base, myIov.iov_len );
+	    myIov.iov_len = 0;
+	    continue;
+	}
+	PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len);
+	bufLen = myIov.iov_len;
+	do {
+	    GET_VECTOR;
+	    PORT_Memcpy(buf + bufLen, myIov.iov_base, addLen);
+	    myIov.iov_base += addLen;
+	    myIov.iov_len  -= addLen;
+	    bufLen         += addLen;
+
+	    left = PR_MIN( limit, K16 - bufLen);
+	    if (!vectors 		/* no more left */
+	    ||  myIov.iov_len > 0	/* we didn't use that one all up */
+	    ||  bufLen >= K16		/* it's full. */
+	    ) {
+		addLen = 0;
+	    } else if ((addLen = iov->iov_len % K16) <= left) {
+		/* Addlen is already computed. */;
+	    } else if (vectors > 1 && 
+		 iov[1].iov_len % K16 + addLen <= left + limit) {
+		 addLen = left;
+	    } else 
+		addLen = 0;
+
+	} while (addLen);
+	SEND( buf, bufLen );
+    } 
+    return sent;
+}
+
+/*
+ * These functions aren't implemented.
+ */
+
+static PRInt32 PR_CALLBACK
+ssl_Available(PRFileDesc *fd)
+{
+    PORT_Assert(0);
+    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+    return SECFailure;
+}
+
+static PRInt64 PR_CALLBACK
+ssl_Available64(PRFileDesc *fd)
+{
+    PRInt64 res;
+
+    PORT_Assert(0);
+    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+    LL_I2L(res, -1L);
+    return res;
+}
+
+static PRStatus PR_CALLBACK
+ssl_FSync(PRFileDesc *fd)
+{
+    PORT_Assert(0);
+    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+    return PR_FAILURE;
+}
+
+static PRInt32 PR_CALLBACK
+ssl_Seek(PRFileDesc *fd, PRInt32 offset, PRSeekWhence how) {
+    PORT_Assert(0);
+    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+    return SECFailure;
+}
+
+static PRInt64 PR_CALLBACK
+ssl_Seek64(PRFileDesc *fd, PRInt64 offset, PRSeekWhence how) {
+    PRInt64 res;
+
+    PORT_Assert(0);
+    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+    LL_I2L(res, -1L);
+    return res;
+}
+
+static PRStatus PR_CALLBACK
+ssl_FileInfo(PRFileDesc *fd, PRFileInfo *info)
+{
+    PORT_Assert(0);
+    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+    return PR_FAILURE;
+}
+
+static PRStatus PR_CALLBACK
+ssl_FileInfo64(PRFileDesc *fd, PRFileInfo64 *info)
+{
+    PORT_Assert(0);
+    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+    return PR_FAILURE;
+}
+
+static PRInt32 PR_CALLBACK
+ssl_RecvFrom(PRFileDesc *fd, void *buf, PRInt32 amount, PRIntn flags,
+	     PRNetAddr *addr, PRIntervalTime timeout)
+{
+    PORT_Assert(0);
+    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+    return SECFailure;
+}
+
+static PRInt32 PR_CALLBACK
+ssl_SendTo(PRFileDesc *fd, const void *buf, PRInt32 amount, PRIntn flags,
+	   const PRNetAddr *addr, PRIntervalTime timeout)
+{
+    PORT_Assert(0);
+    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+    return SECFailure;
+}
+
+static const PRIOMethods ssl_methods = {
+    PR_DESC_LAYERED,
+    ssl_Close,           	/* close        */
+    ssl_Read,            	/* read         */
+    ssl_Write,           	/* write        */
+    ssl_Available,       	/* available    */
+    ssl_Available64,     	/* available64  */
+    ssl_FSync,           	/* fsync        */
+    ssl_Seek,            	/* seek         */
+    ssl_Seek64,          	/* seek64       */
+    ssl_FileInfo,        	/* fileInfo     */
+    ssl_FileInfo64,      	/* fileInfo64   */
+    ssl_WriteV,          	/* writev       */
+    ssl_Connect,         	/* connect      */
+    ssl_Accept,          	/* accept       */
+    ssl_Bind,            	/* bind         */
+    ssl_Listen,          	/* listen       */
+    ssl_Shutdown,        	/* shutdown     */
+    ssl_Recv,            	/* recv         */
+    ssl_Send,            	/* send         */
+    ssl_RecvFrom,        	/* recvfrom     */
+    ssl_SendTo,          	/* sendto       */
+    ssl_Poll,            	/* poll         */
+    ssl_EmulateAcceptRead,      /* acceptread   */
+    ssl_EmulateTransmitFile,    /* transmitfile */
+    ssl_GetSockName,     	/* getsockname  */
+    ssl_GetPeerName,     	/* getpeername  */
+    NULL,                	/* getsockopt   OBSOLETE */
+    NULL,                	/* setsockopt   OBSOLETE */
+    NULL,                	/* getsocketoption   */
+    NULL,                	/* setsocketoption   */
+    ssl_EmulateSendFile, 	/* Send a (partial) file with header/trailer*/
+    NULL,                	/* reserved for future use */
+    NULL,                	/* reserved for future use */
+    NULL,                	/* reserved for future use */
+    NULL,                	/* reserved for future use */
+    NULL                 	/* reserved for future use */
+};
+
+
+static PRIOMethods combined_methods;
+
+static void
+ssl_SetupIOMethods(void)
+{
+          PRIOMethods *new_methods  = &combined_methods;
+    const PRIOMethods *nspr_methods = PR_GetDefaultIOMethods();
+    const PRIOMethods *my_methods   = &ssl_methods;
+
+    *new_methods = *nspr_methods;
+
+    new_methods->file_type         = my_methods->file_type;
+    new_methods->close             = my_methods->close;
+    new_methods->read              = my_methods->read;
+    new_methods->write             = my_methods->write;
+    new_methods->available         = my_methods->available;
+    new_methods->available64       = my_methods->available64;
+    new_methods->fsync             = my_methods->fsync;
+    new_methods->seek              = my_methods->seek;
+    new_methods->seek64            = my_methods->seek64;
+    new_methods->fileInfo          = my_methods->fileInfo;
+    new_methods->fileInfo64        = my_methods->fileInfo64;
+    new_methods->writev            = my_methods->writev;
+    new_methods->connect           = my_methods->connect;
+    new_methods->accept            = my_methods->accept;
+    new_methods->bind              = my_methods->bind;
+    new_methods->listen            = my_methods->listen;
+    new_methods->shutdown          = my_methods->shutdown;
+    new_methods->recv              = my_methods->recv;
+    new_methods->send              = my_methods->send;
+    new_methods->recvfrom          = my_methods->recvfrom;
+    new_methods->sendto            = my_methods->sendto;
+    new_methods->poll              = my_methods->poll;
+    new_methods->acceptread        = my_methods->acceptread;
+    new_methods->transmitfile      = my_methods->transmitfile;
+    new_methods->getsockname       = my_methods->getsockname;
+    new_methods->getpeername       = my_methods->getpeername;
+/*  new_methods->getsocketoption   = my_methods->getsocketoption;	*/
+/*  new_methods->setsocketoption   = my_methods->setsocketoption;	*/
+    new_methods->sendfile          = my_methods->sendfile;
+
+}
+
+static PRCallOnceType initIoLayerOnce;
+
+static PRStatus  
+ssl_InitIOLayer(void)
+{
+    ssl_layer_id = PR_GetUniqueIdentity("SSL");
+    ssl_SetupIOMethods();
+    ssl_inited = PR_TRUE;
+    return PR_SUCCESS;
+}
+
+static PRStatus
+ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id)
+{
+    PRFileDesc *layer	= NULL;
+    PRStatus    status;
+
+    if (!ssl_inited) {
+	PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer);
+    }
+
+    if (ns == NULL)
+	goto loser;
+
+    layer = PR_CreateIOLayerStub(ssl_layer_id, &combined_methods);
+    if (layer == NULL)
+	goto loser;
+    layer->secret = (PRFilePrivate *)ns;
+
+    /* Here, "stack" points to the PRFileDesc on the top of the stack.
+    ** "layer" points to a new FD that is to be inserted into the stack.
+    ** If layer is being pushed onto the top of the stack, then 
+    ** PR_PushIOLayer switches the contents of stack and layer, and then
+    ** puts stack on top of layer, so that after it is done, the top of 
+    ** stack is the same "stack" as it was before, and layer is now the 
+    ** FD for the former top of stack.
+    ** After this call, stack always points to the top PRFD on the stack.
+    ** If this function fails, the contents of stack and layer are as 
+    ** they were before the call.
+    */
+    status = PR_PushIOLayer(stack, id, layer);
+    if (status != PR_SUCCESS)
+	goto loser;
+
+    ns->fd = (id == PR_TOP_IO_LAYER) ? stack : layer;
+    return PR_SUCCESS;
+
+loser:
+    if (layer) {
+	layer->dtor(layer); /* free layer */
+    }
+    return PR_FAILURE;
+}
+
+/*
+** Create a newsocket structure for a file descriptor.
+*/
+static sslSocket *
+ssl_NewSocket(void)
+{
+    sslSocket *ss;
+#ifdef DEBUG
+#if defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS)
+    static int firsttime = 1;
+
+    if (firsttime) {
+	firsttime = 0;
+	{
+	    char *ev = getenv("SSLDEBUG");
+	    if (ev && ev[0]) {
+		ssl_debug = atoi(ev);
+		SSL_TRACE(("SSL: debugging set to %d", ssl_debug));
+	    }
+	}
+#ifdef TRACE
+	{
+	    char *ev = getenv("SSLTRACE");
+	    if (ev && ev[0]) {
+		ssl_trace = atoi(ev);
+		SSL_TRACE(("SSL: tracing set to %d", ssl_trace));
+	    }
+	}
+#endif /* TRACE */
+    }
+#endif /* XP_UNIX || XP_WIN32 */
+#endif /* DEBUG */
+
+    /* Make a new socket and get it ready */
+    ss = (sslSocket*) PORT_ZAlloc(sizeof(sslSocket));
+    if (ss) {
+        /* This should be of type SSLKEAType, but CC on IRIX
+	 * complains during the for loop.
+	 */
+	int i;
+	SECStatus status;
+ 
+	ss->useSecurity        = ssl_defaults.useSecurity;
+	ss->useSocks           = PR_FALSE;
+	ss->requestCertificate = ssl_defaults.requestCertificate;
+	ss->requireCertificate = ssl_defaults.requireCertificate;
+	ss->handshakeAsClient  = ssl_defaults.handshakeAsClient;
+	ss->handshakeAsServer  = ssl_defaults.handshakeAsServer;
+	ss->enableSSL2         = ssl_defaults.enableSSL2;
+	ss->enableSSL3         = ssl_defaults.enableSSL3;
+	ss->enableTLS          = ssl_defaults.enableTLS ;
+	ss->fdx                = ssl_defaults.fdx;
+	ss->v2CompatibleHello  = ssl_defaults.v2CompatibleHello;
+	ss->detectRollBack     = ssl_defaults.detectRollBack;
+	ss->noCache            = ssl_defaults.noCache;
+	ss->peerID             = NULL;
+	ss->rTimeout	       = PR_INTERVAL_NO_TIMEOUT;
+	ss->wTimeout	       = PR_INTERVAL_NO_TIMEOUT;
+	ss->cTimeout	       = PR_INTERVAL_NO_TIMEOUT;
+	ss->cipherSpecs        = NULL;
+        ss->sizeCipherSpecs    = 0;  /* produced lazily */
+        ss->preferredCipher    = NULL;
+        ss->url                = NULL;
+
+	for (i=kt_null; i < kt_kea_size; i++) {
+	    sslServerCerts * sc = ss->serverCerts + i;
+	    sc->serverCert      = NULL;
+	    sc->serverCertChain = NULL;
+	    sc->serverKey       = NULL;
+	    sc->serverKeyBits   = 0;
+	}
+	ss->stepDownKeyPair    = NULL;
+	ss->dbHandle           = CERT_GetDefaultCertDB();
+
+	/* Provide default implementation of hooks */
+	ss->authCertificate    = SSL_AuthCertificate;
+	ss->authCertificateArg = (void *)ss->dbHandle;
+	ss->getClientAuthData  = NULL;
+	ss->handleBadCert      = NULL;
+	ss->badCertArg         = NULL;
+	ss->pkcs11PinArg       = NULL;
+
+	ssl_ChooseOps(ss);
+	ssl2_InitSocketPolicy(ss);
+	ssl3_InitSocketPolicy(ss);
+
+	ss->firstHandshakeLock = PZ_NewMonitor(nssILockSSL);
+	if (!ss->firstHandshakeLock) goto loser;
+	ss->ssl3HandshakeLock  = PZ_NewMonitor(nssILockSSL);
+	if (!ss->ssl3HandshakeLock) goto loser;
+	ss->specLock           = NSSRWLock_New(SSL_LOCK_RANK_SPEC, NULL);
+	if (!ss->specLock) goto loser;
+	ss->recvBufLock        = PZ_NewMonitor(nssILockSSL);
+	if (!ss->recvBufLock) goto loser;
+	ss->xmitBufLock        = PZ_NewMonitor(nssILockSSL);
+	if (!ss->xmitBufLock) goto loser;
+	ss->writerThread       = NULL;
+	if (ssl_lock_readers) {
+	    ss->recvLock       = PZ_NewLock(nssILockSSL);
+	    if (!ss->recvLock) goto loser;
+	    ss->sendLock       = PZ_NewLock(nssILockSSL);
+	    if (!ss->sendLock) goto loser;
+	}
+	status = ssl_CreateSecurityInfo(ss);
+	if (status != SECSuccess) goto loser;
+	status = ssl_InitGather(&ss->gs);
+	if (status != SECSuccess) {
+loser:
+	    ssl_DestroySocketContents(ss);
+	    ssl_DestroyLocks(ss);
+	    PORT_Free(ss);
+	    ss = NULL;
+	}
+    }
+    return ss;
+}
+
diff --git a/security/nss/lib/ssl/sslt.h b/security/nss/lib/ssl/sslt.h
new file mode 100644
index 000000000..a60c1cd8d
--- /dev/null
+++ b/security/nss/lib/ssl/sslt.h
@@ -0,0 +1,165 @@
+/*
+ * This file contains prototypes for the public SSL functions.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#ifndef __sslt_h_
+#define __sslt_h_
+
+#include "prtypes.h"
+
+typedef struct SSL3StatisticsStr {
+    /* statistics from ssl3_SendClientHello (sch) */
+    long sch_sid_cache_hits;
+    long sch_sid_cache_misses;
+    long sch_sid_cache_not_ok;
+
+    /* statistics from ssl3_HandleServerHello (hsh) */
+    long hsh_sid_cache_hits;
+    long hsh_sid_cache_misses;
+    long hsh_sid_cache_not_ok;
+
+    /* statistics from ssl3_HandleClientHello (hch) */
+    long hch_sid_cache_hits;
+    long hch_sid_cache_misses;
+    long hch_sid_cache_not_ok;
+} SSL3Statistics;
+
+/* Key Exchange algorithm values */
+typedef enum {
+    ssl_kea_null     = 0,
+    ssl_kea_rsa      = 1,
+    ssl_kea_dh       = 2,
+    ssl_kea_fortezza = 3,
+    ssl_kea_size		/* number of ssl_kea_ algorithms */
+} SSLKEAType;
+
+/* The following defines are for backwards compatibility.
+** They will be removed in a forthcoming release to reduce namespace pollution.
+** programs that use the kt_ symbols should convert to the ssl_kt_ symbols
+** soon.
+*/
+#define kt_null   	ssl_kea_null
+#define kt_rsa   	ssl_kea_rsa
+#define kt_dh   	ssl_kea_dh
+#define kt_fortezza	ssl_kea_fortezza
+#define kt_kea_size	ssl_kea_size
+
+typedef enum {
+    ssl_sign_null   = 0, 
+    ssl_sign_rsa    = 1,
+    ssl_sign_dsa    = 2
+} SSLSignType;
+
+typedef enum {
+    ssl_auth_null   = 0, 
+    ssl_auth_rsa    = 1,
+    ssl_auth_dsa    = 2,
+    ssl_auth_kea    = 3
+} SSLAuthType;
+
+typedef enum {
+    ssl_calg_null     = 0,
+    ssl_calg_rc4      = 1,
+    ssl_calg_rc2      = 2,
+    ssl_calg_des      = 3,
+    ssl_calg_3des     = 4,
+    ssl_calg_idea     = 5,
+    ssl_calg_fortezza = 6,      /* skipjack */
+    ssl_calg_aes      = 7       /* coming soon */
+} SSLCipherAlgorithm;
+
+typedef enum { 
+    ssl_mac_null      = 0, 
+    ssl_mac_md5       = 1, 
+    ssl_mac_sha       = 2, 
+    ssl_hmac_md5      = 3, 	/* TLS HMAC version of mac_md5 */
+    ssl_hmac_sha      = 4 	/* TLS HMAC version of mac_sha */
+} SSLMACAlgorithm;
+
+typedef struct SSLChannelInfoStr {
+    PRUint32             length;
+    PRUint16             protocolVersion;
+    PRUint16             cipherSuite;
+
+    /* server authentication info */
+    PRUint32             authKeyBits;
+
+    /* key exchange algorithm info */
+    PRUint32             keaKeyBits;
+
+    /* session info */
+    PRUint32             creationTime;		/* seconds since Jan 1, 1970 */
+    PRUint32             lastAccessTime;	/* seconds since Jan 1, 1970 */
+    PRUint32             expirationTime;	/* seconds since Jan 1, 1970 */
+    PRUint32             sessionIDLength;	/* up to 32 */
+    PRUint8              sessionID    [32];
+} SSLChannelInfo;
+
+typedef struct SSLCipherSuiteInfoStr {
+    PRUint16             length;
+    PRUint16             cipherSuite;
+
+    /* Cipher Suite Name */
+    const char *         cipherSuiteName;
+
+    /* server authentication info */
+    const char *         authAlgorithmName;
+    SSLAuthType          authAlgorithm;
+
+    /* key exchange algorithm info */
+    const char *         keaTypeName;
+    SSLKEAType           keaType;
+
+    /* symmetric encryption info */
+    const char *         symCipherName;
+    SSLCipherAlgorithm   symCipher;
+    PRUint16             symKeyBits;
+    PRUint16             symKeySpace;
+    PRUint16             effectiveKeyBits;
+
+    /* MAC info */
+    const char *         macAlgorithmName;
+    SSLMACAlgorithm      macAlgorithm;
+    PRUint16             macBits;
+
+    PRUintn              isFIPS       : 1;
+    PRUintn              isExportable : 1;
+    PRUintn              nonStandard  : 1;
+    PRUintn              reservedBits :29;
+
+} SSLCipherSuiteInfo;
+
+#endif /* __sslt_h_ */
diff --git a/security/nss/lib/ssl/ssltrace.c b/security/nss/lib/ssl/ssltrace.c
new file mode 100644
index 000000000..15f064813
--- /dev/null
+++ b/security/nss/lib/ssl/ssltrace.c
@@ -0,0 +1,269 @@
+/*
+ * Functions to trace SSL protocol behavior in DEBUG builds.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+#include <stdarg.h>
+#include "cert.h"
+#include "ssl.h"
+#include "sslimpl.h"
+#include "sslproto.h"
+#include "prprf.h"
+
+#if defined(DEBUG) || defined(TRACE)
+static const char *hex = "0123456789abcdef";
+
+static const char printable[257] = {
+	"................"	/* 0x */
+	"................"	/* 1x */
+	" !\"#$%&'()*+,-./"	/* 2x */
+	"0123456789:;<=>?"	/* 3x */
+	"@ABCDEFGHIJKLMNO"	/* 4x */
+	"PQRSTUVWXYZ[\\]^_"	/* 5x */
+	"`abcdefghijklmno"	/* 6x */
+	"pqrstuvwxyz{|}~."	/* 7x */
+	"................"	/* 8x */
+	"................"	/* 9x */
+	"................"	/* ax */
+	"................"	/* bx */
+	"................"	/* cx */
+	"................"	/* dx */
+	"................"	/* ex */
+	"................"	/* fx */
+};
+
+void ssl_PrintBuf(sslSocket *ss, const char *msg, const void *vp, int len)
+{
+    const unsigned char *cp = (const unsigned char *)vp;
+    char buf[80];
+    char *bp;
+    char *ap;
+
+    if (ss) {
+	SSL_TRACE(("%d: SSL[%d]: %s [Len: %d]", SSL_GETPID(), ss->fd,
+		   msg, len));
+    } else {
+	SSL_TRACE(("%d: SSL: %s [Len: %d]", SSL_GETPID(), msg, len));
+    }
+    memset(buf, ' ', sizeof buf);
+    bp = buf;
+    ap = buf + 50;
+    while (--len >= 0) {
+	unsigned char ch = *cp++;
+	*bp++ = hex[(ch >> 4) & 0xf];
+	*bp++ = hex[ch & 0xf];
+	*bp++ = ' ';
+	*ap++ = printable[ch];
+	if (ap - buf >= 66) {
+	    *ap = 0;
+	    SSL_TRACE(("   %s", buf));
+	    memset(buf, ' ', sizeof buf);
+	    bp = buf;
+	    ap = buf + 50;
+	}
+    }
+    if (bp > buf) {
+	*ap = 0;
+	SSL_TRACE(("   %s", buf));
+    }
+}
+
+#define LEN(cp)		(((cp)[0] << 8) | ((cp)[1]))
+
+static void PrintType(sslSocket *ss, char *msg)
+{
+    if (ss) {
+	SSL_TRACE(("%d: SSL[%d]: dump-msg: %s", SSL_GETPID(), ss->fd,
+		   msg));
+    } else {
+	SSL_TRACE(("%d: SSL: dump-msg: %s", SSL_GETPID(), msg));
+    }
+}
+
+static void PrintInt(sslSocket *ss, char *msg, unsigned v)
+{
+    if (ss) {
+	SSL_TRACE(("%d: SSL[%d]:           %s=%u", SSL_GETPID(), ss->fd,
+		   msg, v));
+    } else {
+	SSL_TRACE(("%d: SSL:           %s=%u", SSL_GETPID(), msg, v));
+    }
+}
+
+/* PrintBuf is just like ssl_PrintBuf above, except that:
+ * a) It prefixes each line of the buffer with "XX: SSL[xxx]           "
+ * b) It dumps only hex, not ASCII.
+ */
+static void PrintBuf(sslSocket *ss, char *msg, unsigned char *cp, int len)
+{
+    char buf[80];
+    char *bp;
+
+    if (ss) {
+	SSL_TRACE(("%d: SSL[%d]:           %s [Len: %d]", 
+		   SSL_GETPID(), ss->fd, msg, len));
+    } else {
+	SSL_TRACE(("%d: SSL:           %s [Len: %d]", 
+		   SSL_GETPID(), msg, len));
+    }
+    bp = buf;
+    while (--len >= 0) {
+	unsigned char ch = *cp++;
+	*bp++ = hex[(ch >> 4) & 0xf];
+	*bp++ = hex[ch & 0xf];
+	*bp++ = ' ';
+	if (bp + 4 > buf + 50) {
+	    *bp = 0;
+	    if (ss) {
+		SSL_TRACE(("%d: SSL[%d]:             %s",
+			   SSL_GETPID(), ss->fd, buf));
+	    } else {
+		SSL_TRACE(("%d: SSL:             %s", SSL_GETPID(), buf));
+	    }
+	    bp = buf;
+	}
+    }
+    if (bp > buf) {
+	*bp = 0;
+	if (ss) {
+	    SSL_TRACE(("%d: SSL[%d]:             %s",
+		       SSL_GETPID(), ss->fd, buf));
+	} else {
+	    SSL_TRACE(("%d: SSL:             %s", SSL_GETPID(), buf));
+	}
+    }
+}
+
+void ssl_DumpMsg(sslSocket *ss, unsigned char *bp, unsigned len)
+{
+    switch (bp[0]) {
+      case SSL_MT_ERROR:
+	PrintType(ss, "Error");
+	PrintInt(ss, "error", LEN(bp+1));
+	break;
+
+      case SSL_MT_CLIENT_HELLO:
+	{
+	    unsigned lcs = LEN(bp+3);
+	    unsigned ls  = LEN(bp+5);
+	    unsigned lc  = LEN(bp+7);
+
+	    PrintType(ss, "Client-Hello");
+
+	    PrintInt(ss, "version (Major)",                   bp[1]);
+	    PrintInt(ss, "version (minor)",                   bp[2]);
+
+	    PrintBuf(ss, "cipher-specs",         bp+9,        lcs);
+	    PrintBuf(ss, "session-id",           bp+9+lcs,    ls);
+	    PrintBuf(ss, "challenge",            bp+9+lcs+ls, lc);
+	}
+	break;
+      case SSL_MT_CLIENT_MASTER_KEY:
+	{
+	    unsigned lck = LEN(bp+4);
+	    unsigned lek = LEN(bp+6);
+	    unsigned lka = LEN(bp+8);
+
+	    PrintType(ss, "Client-Master-Key");
+
+	    PrintInt(ss, "cipher-choice",                       bp[1]);
+	    PrintInt(ss, "key-length",                          LEN(bp+2));
+
+	    PrintBuf(ss, "clear-key",            bp+10,         lck);
+	    PrintBuf(ss, "encrypted-key",        bp+10+lck,     lek);
+	    PrintBuf(ss, "key-arg",              bp+10+lck+lek, lka);
+	}
+	break;
+      case SSL_MT_CLIENT_FINISHED:
+	PrintType(ss, "Client-Finished");
+	PrintBuf(ss, "connection-id",            bp+1,          len-1);
+	break;
+      case SSL_MT_SERVER_HELLO:
+	{
+	    unsigned lc = LEN(bp+5);
+	    unsigned lcs = LEN(bp+7);
+	    unsigned lci = LEN(bp+9);
+
+	    PrintType(ss, "Server-Hello");
+
+	    PrintInt(ss, "session-id-hit",                     bp[1]);
+	    PrintInt(ss, "certificate-type",                   bp[2]);
+	    PrintInt(ss, "version (Major)",                    bp[3]);
+	    PrintInt(ss, "version (minor)",                    bp[3]);
+	    PrintBuf(ss, "certificate",          bp+11,        lc);
+	    PrintBuf(ss, "cipher-specs",         bp+11+lc,     lcs);
+	    PrintBuf(ss, "connection-id",        bp+11+lc+lcs, lci);
+	}
+	break;
+      case SSL_MT_SERVER_VERIFY:
+	PrintType(ss, "Server-Verify");
+	PrintBuf(ss, "challenge",                bp+1,         len-1);
+	break;
+      case SSL_MT_SERVER_FINISHED:
+	PrintType(ss, "Server-Finished");
+	PrintBuf(ss, "session-id",               bp+1,         len-1);
+	break;
+      case SSL_MT_REQUEST_CERTIFICATE:
+	PrintType(ss, "Request-Certificate");
+	PrintInt(ss, "authentication-type",                    bp[1]);
+	PrintBuf(ss, "certificate-challenge",    bp+2,         len-2);
+	break;
+      case SSL_MT_CLIENT_CERTIFICATE:
+	{
+	    unsigned lc = LEN(bp+2);
+	    unsigned lr = LEN(bp+4);
+	    PrintType(ss, "Client-Certificate");
+	    PrintInt(ss, "certificate-type",                   bp[1]);
+	    PrintBuf(ss, "certificate",          bp+6,         lc);
+	    PrintBuf(ss, "response",             bp+6+lc,      lr);
+	}
+	break;
+      default:
+	ssl_PrintBuf(ss, "sending *unknown* message type", bp, len);
+	return;
+    }
+}
+
+void
+ssl_Trace(const char *format, ... )
+{
+    char buf[2000]; 
+
+    va_list args;
+    va_start(args, format);
+    PR_vsnprintf(buf, sizeof(buf), format, args);
+    va_end(args);
+    puts(buf);
+}
+#endif
diff --git a/security/nss/lib/ssl/sslver.c b/security/nss/lib/ssl/sslver.c
new file mode 100644
index 000000000..58bcdd858
--- /dev/null
+++ b/security/nss/lib/ssl/sslver.c
@@ -0,0 +1,53 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 2001 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/* Library identity and versioning */
+
+#include "nss.h"
+
+#if defined(DEBUG)
+#define _DEBUG_STRING " (debug)"
+#else
+#define _DEBUG_STRING ""
+#endif
+
+/*
+ * Version information for the 'ident' and 'what commands
+ *
+ * NOTE: the first component of the concatenated rcsid string
+ * must not end in a '$' to prevent rcs keyword substitution.
+ */
+const char __nss_ssl_rcsid[] = "$Header: NSS " NSS_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__ " $";
+const char __nss_ssl_sccsid[] = "@(#)NSS " NSS_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__;
diff --git a/security/nss/lib/ssl/unix_err.c b/security/nss/lib/ssl/unix_err.c
new file mode 100644
index 000000000..7e125c880
--- /dev/null
+++ b/security/nss/lib/ssl/unix_err.c
@@ -0,0 +1,547 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * This file essentially replicates NSPR's source for the functions that
+ * map system-specific error codes to NSPR error codes.  We would use 
+ * NSPR's functions, instead of duplicating them, but they're private.
+ * As long as SSL's server session cache code must do platform native I/O
+ * to accomplish its job, and NSPR's error mapping functions remain private,
+ * this code will continue to need to be replicated.
+ * 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#if 0
+#include "primpl.h"
+#else
+#define _PR_POLL_AVAILABLE 1
+#include "prerror.h"
+#endif
+
+#if defined (__bsdi__) || defined(NTO) || defined(DARWIN) || defined(BEOS)
+#undef _PR_POLL_AVAILABLE
+#endif
+
+#if defined(_PR_POLL_AVAILABLE)
+#include <poll.h>
+#endif
+#include <errno.h>
+
+/* forward declarations. */
+void nss_MD_unix_map_default_error(int err);
+
+void nss_MD_unix_map_opendir_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+void nss_MD_unix_map_closedir_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EINVAL:	prError = PR_BAD_DESCRIPTOR_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_readdir_error(int err)
+{
+    PRErrorCode prError;
+
+    switch (err) {
+    case ENOENT:	prError = PR_NO_MORE_FILES_ERROR; break;
+#ifdef EOVERFLOW
+    case EOVERFLOW:	prError = PR_IO_ERROR; break;
+#endif
+    case EINVAL:	prError = PR_IO_ERROR; break;
+    case ENXIO:		prError = PR_IO_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_unlink_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EPERM:		prError = PR_IS_DIRECTORY_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_stat_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_fstat_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_rename_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EEXIST:	prError = PR_DIRECTORY_NOT_EMPTY_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_access_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_mkdir_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+void nss_MD_unix_map_rmdir_error(int err)
+{
+    PRErrorCode prError;
+
+    switch (err) {
+    case EEXIST:	prError = PR_DIRECTORY_NOT_EMPTY_ERROR; break;
+    case EINVAL:	prError = PR_DIRECTORY_NOT_EMPTY_ERROR; break;
+    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_read_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EINVAL:	prError = PR_INVALID_METHOD_ERROR; break;
+    case ENXIO:		prError = PR_INVALID_ARGUMENT_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_write_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EINVAL:	prError = PR_INVALID_METHOD_ERROR; break;
+    case ENXIO:		prError = PR_INVALID_METHOD_ERROR; break;
+    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_lseek_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+void nss_MD_unix_map_fsync_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
+    case EINVAL:	prError = PR_INVALID_METHOD_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_close_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_socket_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_socketavailable_error(int err)
+{
+    PR_SetError(PR_BAD_DESCRIPTOR_ERROR, err);
+}
+
+void nss_MD_unix_map_recv_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+void nss_MD_unix_map_recvfrom_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+void nss_MD_unix_map_send_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+void nss_MD_unix_map_sendto_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+void nss_MD_unix_map_writev_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+void nss_MD_unix_map_accept_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case ENODEV:	prError = PR_NOT_TCP_SOCKET_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_connect_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EACCES:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+#if defined(UNIXWARE) || defined(SNI) || defined(NEC)
+    /*
+     * On some platforms, if we connect to a port on the local host 
+     * (the loopback address) that no process is listening on, we get 
+     * EIO instead of ECONNREFUSED.
+     */
+    case EIO:		prError = PR_CONNECT_REFUSED_ERROR; break;
+#endif
+    case ELOOP:		prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+    case ENOENT:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+    case ENXIO:		prError = PR_IO_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_bind_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EINVAL:	prError = PR_SOCKET_ADDRESS_IS_BOUND_ERROR; break;
+        /*
+         * UNIX domain sockets are not supported in NSPR
+         */
+    case EIO:		prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+    case EISDIR:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+    case ELOOP:		prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+    case ENOENT:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+    case ENOTDIR:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+    case EROFS:		prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_listen_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+void nss_MD_unix_map_shutdown_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+void nss_MD_unix_map_socketpair_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_getsockname_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_getpeername_error(int err)
+{
+    PRErrorCode prError;
+
+    switch (err) {
+    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_getsockopt_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EINVAL:	prError = PR_BUFFER_OVERFLOW_ERROR; break;
+    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_setsockopt_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EINVAL:	prError = PR_BUFFER_OVERFLOW_ERROR; break;
+    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_open_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EAGAIN:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    case EBUSY:		prError = PR_IO_ERROR; break;
+    case ENODEV:	prError = PR_FILE_NOT_FOUND_ERROR; break;
+    case ENOMEM:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    case ETIMEDOUT:	prError = PR_REMOTE_FILE_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_mmap_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EAGAIN:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    case EMFILE:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    case ENODEV:	prError = PR_OPERATION_NOT_SUPPORTED_ERROR; break;
+    case ENXIO:		prError = PR_INVALID_ARGUMENT_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_gethostname_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+void nss_MD_unix_map_select_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+
+#ifdef _PR_POLL_AVAILABLE
+void nss_MD_unix_map_poll_error(int err)
+{
+    PRErrorCode prError;
+
+    switch (err) {
+    case EAGAIN:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_poll_revents_error(int err)
+{
+    if (err & POLLNVAL)
+        PR_SetError(PR_BAD_DESCRIPTOR_ERROR, EBADF);
+    else if (err & POLLHUP)
+        PR_SetError(PR_CONNECT_RESET_ERROR, EPIPE);
+    else if (err & POLLERR)
+        PR_SetError(PR_IO_ERROR, EIO);
+    else
+        PR_SetError(PR_UNKNOWN_ERROR, err);
+}
+#endif /* _PR_POLL_AVAILABLE */
+
+
+void nss_MD_unix_map_flock_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EINVAL:	prError = PR_BAD_DESCRIPTOR_ERROR; break;
+    case EWOULDBLOCK:	prError = PR_FILE_IS_LOCKED_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_unix_map_lockf_error(int err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case EACCES:	prError = PR_FILE_IS_LOCKED_ERROR; break;
+    case EDEADLK:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    default:		nss_MD_unix_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+#ifdef HPUX11
+void nss_MD_hpux_map_sendfile_error(int err)
+{
+    nss_MD_unix_map_default_error(err);
+}
+#endif /* HPUX11 */
+
+
+void nss_MD_unix_map_default_error(int err)
+{
+    PRErrorCode prError;
+    switch (err ) {
+    case EACCES:	prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
+    case EADDRINUSE:	prError = PR_ADDRESS_IN_USE_ERROR; break;
+    case EADDRNOTAVAIL:	prError = PR_ADDRESS_NOT_AVAILABLE_ERROR; break;
+    case EAFNOSUPPORT:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+    case EAGAIN:	prError = PR_WOULD_BLOCK_ERROR; break;
+    /*
+     * On QNX and Neutrino, EALREADY is defined as EBUSY.
+     */
+#if EALREADY != EBUSY
+    case EALREADY:	prError = PR_ALREADY_INITIATED_ERROR; break;
+#endif
+    case EBADF:		prError = PR_BAD_DESCRIPTOR_ERROR; break;
+#ifdef EBADMSG
+    case EBADMSG:	prError = PR_IO_ERROR; break;
+#endif
+    case EBUSY:		prError = PR_FILESYSTEM_MOUNTED_ERROR; break;
+    case ECONNREFUSED:	prError = PR_CONNECT_REFUSED_ERROR; break;
+    case ECONNRESET:	prError = PR_CONNECT_RESET_ERROR; break;
+    case EDEADLK:	prError = PR_DEADLOCK_ERROR; break;
+#ifdef EDIRCORRUPTED
+    case EDIRCORRUPTED:	prError = PR_DIRECTORY_CORRUPTED_ERROR; break;
+#endif
+#ifdef EDQUOT
+    case EDQUOT:	prError = PR_NO_DEVICE_SPACE_ERROR; break;
+#endif
+    case EEXIST:	prError = PR_FILE_EXISTS_ERROR; break;
+    case EFAULT:	prError = PR_ACCESS_FAULT_ERROR; break;
+    case EFBIG:		prError = PR_FILE_TOO_BIG_ERROR; break;
+    case EINPROGRESS:	prError = PR_IN_PROGRESS_ERROR; break;
+    case EINTR:		prError = PR_PENDING_INTERRUPT_ERROR; break;
+    case EINVAL:	prError = PR_INVALID_ARGUMENT_ERROR; break;
+    case EIO:		prError = PR_IO_ERROR; break;
+    case EISCONN:	prError = PR_IS_CONNECTED_ERROR; break;
+    case EISDIR:	prError = PR_IS_DIRECTORY_ERROR; break;
+    case ELOOP:		prError = PR_LOOP_ERROR; break;
+    case EMFILE:	prError = PR_PROC_DESC_TABLE_FULL_ERROR; break;
+    case EMLINK:	prError = PR_MAX_DIRECTORY_ENTRIES_ERROR; break;
+    case EMSGSIZE:	prError = PR_INVALID_ARGUMENT_ERROR; break;
+#ifdef EMULTIHOP
+    case EMULTIHOP:	prError = PR_REMOTE_FILE_ERROR; break;
+#endif
+    case ENAMETOOLONG:	prError = PR_NAME_TOO_LONG_ERROR; break;
+    case ENETUNREACH:	prError = PR_NETWORK_UNREACHABLE_ERROR; break;
+    case ENFILE:	prError = PR_SYS_DESC_TABLE_FULL_ERROR; break;
+#if !defined(SCO)
+    case ENOBUFS:	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+#endif
+    case ENODEV:	prError = PR_FILE_NOT_FOUND_ERROR; break;
+    case ENOENT:	prError = PR_FILE_NOT_FOUND_ERROR; break;
+    case ENOLCK:	prError = PR_FILE_IS_LOCKED_ERROR; break;
+#ifdef ENOLINK 
+    case ENOLINK:	prError = PR_REMOTE_FILE_ERROR; break;
+#endif
+    case ENOMEM:	prError = PR_OUT_OF_MEMORY_ERROR; break;
+    case ENOPROTOOPT:	prError = PR_INVALID_ARGUMENT_ERROR; break;
+    case ENOSPC:	prError = PR_NO_DEVICE_SPACE_ERROR; break;
+#ifdef ENOSR 
+    case ENOSR:		prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+#endif
+    case ENOTCONN:	prError = PR_NOT_CONNECTED_ERROR; break;
+    case ENOTDIR:	prError = PR_NOT_DIRECTORY_ERROR; break;
+    case ENOTSOCK:	prError = PR_NOT_SOCKET_ERROR; break;
+    case ENXIO:		prError = PR_FILE_NOT_FOUND_ERROR; break;
+    case EOPNOTSUPP:	prError = PR_NOT_TCP_SOCKET_ERROR; break;
+#ifdef EOVERFLOW
+    case EOVERFLOW:	prError = PR_BUFFER_OVERFLOW_ERROR; break;
+#endif
+    case EPERM:		prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
+    case EPIPE:		prError = PR_CONNECT_RESET_ERROR; break;
+#ifdef EPROTO
+    case EPROTO:	prError = PR_IO_ERROR; break;
+#endif
+    case EPROTONOSUPPORT: prError = PR_PROTOCOL_NOT_SUPPORTED_ERROR; break;
+    case EPROTOTYPE:	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+    case ERANGE:	prError = PR_INVALID_METHOD_ERROR; break;
+    case EROFS:		prError = PR_READ_ONLY_FILESYSTEM_ERROR; break;
+    case ESPIPE:	prError = PR_INVALID_METHOD_ERROR; break;
+    case ETIMEDOUT:	prError = PR_IO_TIMEOUT_ERROR; break;
+#if EWOULDBLOCK != EAGAIN
+    case EWOULDBLOCK:	prError = PR_WOULD_BLOCK_ERROR; break;
+#endif
+    case EXDEV:		prError = PR_NOT_SAME_DEVICE_ERROR; break;
+
+    default:		prError = PR_UNKNOWN_ERROR; break;
+    }
+    PR_SetError(prError, err);
+}
diff --git a/security/nss/lib/ssl/unix_err.h b/security/nss/lib/ssl/unix_err.h
new file mode 100644
index 000000000..2611baf81
--- /dev/null
+++ b/security/nss/lib/ssl/unix_err.h
@@ -0,0 +1,87 @@
+/*
+ * This file essentially replicates NSPR's source for the functions that
+ * map system-specific error codes to NSPR error codes.  We would use 
+ * NSPR's functions, instead of duplicating them, but they're private.
+ * As long as SSL's server session cache code must do platform native I/O
+ * to accomplish its job, and NSPR's error mapping functions remain private,
+ * this code will continue to need to be replicated.
+ * 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+/*  NSPR doesn't make these functions public, so we have to duplicate
+**  them in NSS.
+*/
+extern void nss_MD_hpux_map_sendfile_error(int err);
+extern void nss_MD_unix_map_accept_error(int err);
+extern void nss_MD_unix_map_access_error(int err);
+extern void nss_MD_unix_map_bind_error(int err);
+extern void nss_MD_unix_map_close_error(int err);
+extern void nss_MD_unix_map_closedir_error(int err);
+extern void nss_MD_unix_map_connect_error(int err);
+extern void nss_MD_unix_map_default_error(int err);
+extern void nss_MD_unix_map_flock_error(int err);
+extern void nss_MD_unix_map_fstat_error(int err);
+extern void nss_MD_unix_map_fsync_error(int err);
+extern void nss_MD_unix_map_gethostname_error(int err);
+extern void nss_MD_unix_map_getpeername_error(int err);
+extern void nss_MD_unix_map_getsockname_error(int err);
+extern void nss_MD_unix_map_getsockopt_error(int err);
+extern void nss_MD_unix_map_listen_error(int err);
+extern void nss_MD_unix_map_lockf_error(int err);
+extern void nss_MD_unix_map_lseek_error(int err);
+extern void nss_MD_unix_map_mkdir_error(int err);
+extern void nss_MD_unix_map_mmap_error(int err);
+extern void nss_MD_unix_map_open_error(int err);
+extern void nss_MD_unix_map_opendir_error(int err);
+extern void nss_MD_unix_map_poll_error(int err);
+extern void nss_MD_unix_map_poll_revents_error(int err);
+extern void nss_MD_unix_map_read_error(int err);
+extern void nss_MD_unix_map_readdir_error(int err);
+extern void nss_MD_unix_map_recv_error(int err);
+extern void nss_MD_unix_map_recvfrom_error(int err);
+extern void nss_MD_unix_map_rename_error(int err);
+extern void nss_MD_unix_map_rmdir_error(int err);
+extern void nss_MD_unix_map_select_error(int err);
+extern void nss_MD_unix_map_send_error(int err);
+extern void nss_MD_unix_map_sendto_error(int err);
+extern void nss_MD_unix_map_setsockopt_error(int err);
+extern void nss_MD_unix_map_shutdown_error(int err);
+extern void nss_MD_unix_map_socket_error(int err);
+extern void nss_MD_unix_map_socketavailable_error(int err);
+extern void nss_MD_unix_map_socketpair_error(int err);
+extern void nss_MD_unix_map_stat_error(int err);
+extern void nss_MD_unix_map_unlink_error(int err);
+extern void nss_MD_unix_map_write_error(int err);
+extern void nss_MD_unix_map_writev_error(int err);
diff --git a/security/nss/lib/ssl/win32err.c b/security/nss/lib/ssl/win32err.c
new file mode 100644
index 000000000..acfce2c9d
--- /dev/null
+++ b/security/nss/lib/ssl/win32err.c
@@ -0,0 +1,373 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/*
+ * This file essentially replicates NSPR's source for the functions that
+ * map system-specific error codes to NSPR error codes.  We would use 
+ * NSPR's functions, instead of duplicating them, but they're private.
+ * As long as SSL's server session cache code must do platform native I/O
+ * to accomplish its job, and NSPR's error mapping functions remain private,
+ * this code will continue to need to be replicated.
+ * 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#include "prerror.h"
+#include "prlog.h"
+#include <errno.h>
+#include <windows.h>
+
+/*
+ * On Win32, we map three kinds of error codes:
+ * - GetLastError(): for Win32 functions
+ * - WSAGetLastError(): for Winsock functions
+ * - errno: for standard C library functions
+ *
+ * We do not check for WSAEINPROGRESS and WSAEINTR because we do not
+ * use blocking Winsock 1.1 calls.
+ *
+ * Except for the 'socket' call, we do not check for WSAEINITIALISED.
+ * It is assumed that if Winsock is not initialized, that fact will
+ * be detected at the time we create new sockets.
+ */
+
+/* forward declaration. */
+void nss_MD_win32_map_default_error(PRInt32 err);
+
+void nss_MD_win32_map_opendir_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_closedir_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_readdir_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_delete_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+/* The error code for stat() is in errno. */
+void nss_MD_win32_map_stat_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_fstat_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_rename_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+/* The error code for access() is in errno. */
+void nss_MD_win32_map_access_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_mkdir_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_rmdir_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_read_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_transmitfile_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_write_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_lseek_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_fsync_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+/*
+ * For both CloseHandle() and closesocket().
+ */
+void nss_MD_win32_map_close_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_socket_error(PRInt32 err)
+{
+    PR_ASSERT(err != WSANOTINITIALISED);
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_recv_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_recvfrom_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_send_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case WSAEMSGSIZE: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
+    default:		nss_MD_win32_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_win32_map_sendto_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case WSAEMSGSIZE: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
+    default:		nss_MD_win32_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_win32_map_accept_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case WSAEOPNOTSUPP: prError = PR_NOT_TCP_SOCKET_ERROR; break;
+    case WSAEINVAL: 	prError = PR_INVALID_STATE_ERROR; break;
+    default:		nss_MD_win32_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_win32_map_acceptex_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_connect_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case WSAEWOULDBLOCK: prError = PR_IN_PROGRESS_ERROR; break;
+    case WSAEINVAL: 	prError = PR_ALREADY_INITIATED_ERROR; break;
+    case WSAETIMEDOUT: 	prError = PR_IO_TIMEOUT_ERROR; break;
+    default:		nss_MD_win32_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_win32_map_bind_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case WSAEINVAL: 	prError = PR_SOCKET_ADDRESS_IS_BOUND_ERROR; break;
+    default:		nss_MD_win32_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_win32_map_listen_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case WSAEOPNOTSUPP: prError = PR_NOT_TCP_SOCKET_ERROR; break;
+    case WSAEINVAL: 	prError = PR_INVALID_STATE_ERROR; break;
+    default:		nss_MD_win32_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_win32_map_shutdown_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_getsockname_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case WSAEINVAL: 	prError = PR_INVALID_STATE_ERROR; break;
+    default:		nss_MD_win32_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_win32_map_getpeername_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_getsockopt_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_setsockopt_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_open_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+void nss_MD_win32_map_gethostname_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+/* Win32 select() only works on sockets.  So in this
+** context, WSAENOTSOCK is equivalent to EBADF on Unix.  
+*/
+void nss_MD_win32_map_select_error(PRInt32 err)
+{
+    PRErrorCode prError;
+    switch (err) {
+    case WSAENOTSOCK:	prError = PR_BAD_DESCRIPTOR_ERROR; break;
+    default:		nss_MD_win32_map_default_error(err); return;
+    }
+    PR_SetError(prError, err);
+}
+
+void nss_MD_win32_map_lockf_error(PRInt32 err)
+{
+    nss_MD_win32_map_default_error(err);
+}
+
+
+
+void nss_MD_win32_map_default_error(PRInt32 err)
+{
+    PRErrorCode prError;
+
+    switch (err) {
+    case EACCES: 		prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
+    case ENOENT: 		prError = PR_FILE_NOT_FOUND_ERROR; break;
+    case ERROR_ACCESS_DENIED: 	prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
+    case ERROR_ALREADY_EXISTS: 	prError = PR_FILE_EXISTS_ERROR; break;
+    case ERROR_DISK_CORRUPT: 	prError = PR_IO_ERROR; break;
+    case ERROR_DISK_FULL: 	prError = PR_NO_DEVICE_SPACE_ERROR; break;
+    case ERROR_DISK_OPERATION_FAILED: prError = PR_IO_ERROR; break;
+    case ERROR_DRIVE_LOCKED: 	prError = PR_FILE_IS_LOCKED_ERROR; break;
+    case ERROR_FILENAME_EXCED_RANGE: prError = PR_NAME_TOO_LONG_ERROR; break;
+    case ERROR_FILE_CORRUPT: 	prError = PR_IO_ERROR; break;
+    case ERROR_FILE_EXISTS: 	prError = PR_FILE_EXISTS_ERROR; break;
+    case ERROR_FILE_INVALID: 	prError = PR_BAD_DESCRIPTOR_ERROR; break;
+#if ERROR_FILE_NOT_FOUND != ENOENT
+    case ERROR_FILE_NOT_FOUND: 	prError = PR_FILE_NOT_FOUND_ERROR; break;
+#endif
+    case ERROR_HANDLE_DISK_FULL: prError = PR_NO_DEVICE_SPACE_ERROR; break;
+    case ERROR_INVALID_ADDRESS: prError = PR_ACCESS_FAULT_ERROR; break;
+    case ERROR_INVALID_HANDLE: 	prError = PR_BAD_DESCRIPTOR_ERROR; break;
+    case ERROR_INVALID_NAME: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
+    case ERROR_INVALID_PARAMETER: prError = PR_INVALID_ARGUMENT_ERROR; break;
+    case ERROR_INVALID_USER_BUFFER: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    case ERROR_LOCKED:	 	prError = PR_FILE_IS_LOCKED_ERROR; break;
+    case ERROR_NETNAME_DELETED: prError = PR_CONNECT_RESET_ERROR; break;
+    case ERROR_NOACCESS: 	prError = PR_ACCESS_FAULT_ERROR; break;
+    case ERROR_NOT_ENOUGH_MEMORY: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    case ERROR_NOT_ENOUGH_QUOTA: prError = PR_OUT_OF_MEMORY_ERROR; break;
+    case ERROR_NOT_READY: 	prError = PR_IO_ERROR; break;
+    case ERROR_NO_MORE_FILES: 	prError = PR_NO_MORE_FILES_ERROR; break;
+    case ERROR_OPEN_FAILED: 	prError = PR_IO_ERROR; break;
+    case ERROR_OPEN_FILES: 	prError = PR_IO_ERROR; break;
+    case ERROR_OUTOFMEMORY: 	prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    case ERROR_PATH_BUSY: 	prError = PR_IO_ERROR; break;
+    case ERROR_PATH_NOT_FOUND: 	prError = PR_FILE_NOT_FOUND_ERROR; break;
+    case ERROR_SEEK_ON_DEVICE: 	prError = PR_IO_ERROR; break;
+    case ERROR_SHARING_VIOLATION: prError = PR_FILE_IS_BUSY_ERROR; break;
+    case ERROR_STACK_OVERFLOW: 	prError = PR_ACCESS_FAULT_ERROR; break;
+    case ERROR_TOO_MANY_OPEN_FILES: prError = PR_SYS_DESC_TABLE_FULL_ERROR; break;
+    case ERROR_WRITE_PROTECT: 	prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
+    case WSAEACCES: 		prError = PR_NO_ACCESS_RIGHTS_ERROR; break;
+    case WSAEADDRINUSE: 	prError = PR_ADDRESS_IN_USE_ERROR; break;
+    case WSAEADDRNOTAVAIL: 	prError = PR_ADDRESS_NOT_AVAILABLE_ERROR; break;
+    case WSAEAFNOSUPPORT: 	prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break;
+    case WSAEALREADY: 		prError = PR_ALREADY_INITIATED_ERROR; break;
+    case WSAEBADF: 		prError = PR_BAD_DESCRIPTOR_ERROR; break;
+    case WSAECONNABORTED: 	prError = PR_CONNECT_ABORTED_ERROR; break;
+    case WSAECONNREFUSED: 	prError = PR_CONNECT_REFUSED_ERROR; break;
+    case WSAECONNRESET: 	prError = PR_CONNECT_RESET_ERROR; break;
+    case WSAEDESTADDRREQ: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
+    case WSAEFAULT: 		prError = PR_ACCESS_FAULT_ERROR; break;
+    case WSAEHOSTUNREACH: 	prError = PR_HOST_UNREACHABLE_ERROR; break;
+    case WSAEINVAL: 		prError = PR_INVALID_ARGUMENT_ERROR; break;
+    case WSAEISCONN: 		prError = PR_IS_CONNECTED_ERROR; break;
+    case WSAEMFILE: 		prError = PR_PROC_DESC_TABLE_FULL_ERROR; break;
+    case WSAEMSGSIZE: 		prError = PR_BUFFER_OVERFLOW_ERROR; break;
+    case WSAENETDOWN: 		prError = PR_NETWORK_DOWN_ERROR; break;
+    case WSAENETRESET: 		prError = PR_CONNECT_ABORTED_ERROR; break;
+    case WSAENETUNREACH: 	prError = PR_NETWORK_UNREACHABLE_ERROR; break;
+    case WSAENOBUFS: 		prError = PR_INSUFFICIENT_RESOURCES_ERROR; break;
+    case WSAENOPROTOOPT: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
+    case WSAENOTCONN: 		prError = PR_NOT_CONNECTED_ERROR; break;
+    case WSAENOTSOCK: 		prError = PR_NOT_SOCKET_ERROR; break;
+    case WSAEOPNOTSUPP: 	prError = PR_OPERATION_NOT_SUPPORTED_ERROR; break;
+    case WSAEPROTONOSUPPORT: 	prError = PR_PROTOCOL_NOT_SUPPORTED_ERROR; break;
+    case WSAEPROTOTYPE: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
+    case WSAESHUTDOWN: 		prError = PR_SOCKET_SHUTDOWN_ERROR; break;
+    case WSAESOCKTNOSUPPORT: 	prError = PR_INVALID_ARGUMENT_ERROR; break;
+    case WSAETIMEDOUT: 		prError = PR_CONNECT_ABORTED_ERROR; break;
+    case WSAEWOULDBLOCK: 	prError = PR_WOULD_BLOCK_ERROR; break;
+    default: 			prError = PR_UNKNOWN_ERROR; break;
+    }
+    PR_SetError(prError, err);
+}
+
diff --git a/security/nss/lib/ssl/win32err.h b/security/nss/lib/ssl/win32err.h
new file mode 100644
index 000000000..b87dfefd4
--- /dev/null
+++ b/security/nss/lib/ssl/win32err.h
@@ -0,0 +1,81 @@
+/*
+ * This file essentially replicates NSPR's source for the functions that
+ * map system-specific error codes to NSPR error codes.  We would use 
+ * NSPR's functions, instead of duplicating them, but they're private.
+ * As long as SSL's server session cache code must do platform native I/O
+ * to accomplish its job, and NSPR's error mapping functions remain private,
+ * This code will continue to need to be replicated.
+ * 
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+/*  NSPR doesn't make these functions public, so we have to duplicate
+**  them in NSS.
+*/
+extern void nss_MD_win32_map_accept_error(PRInt32 err);
+extern void nss_MD_win32_map_acceptex_error(PRInt32 err);
+extern void nss_MD_win32_map_access_error(PRInt32 err);
+extern void nss_MD_win32_map_bind_error(PRInt32 err);
+extern void nss_MD_win32_map_close_error(PRInt32 err);
+extern void nss_MD_win32_map_closedir_error(PRInt32 err);
+extern void nss_MD_win32_map_connect_error(PRInt32 err);
+extern void nss_MD_win32_map_default_error(PRInt32 err);
+extern void nss_MD_win32_map_delete_error(PRInt32 err);
+extern void nss_MD_win32_map_fstat_error(PRInt32 err);
+extern void nss_MD_win32_map_fsync_error(PRInt32 err);
+extern void nss_MD_win32_map_gethostname_error(PRInt32 err);
+extern void nss_MD_win32_map_getpeername_error(PRInt32 err);
+extern void nss_MD_win32_map_getsockname_error(PRInt32 err);
+extern void nss_MD_win32_map_getsockopt_error(PRInt32 err);
+extern void nss_MD_win32_map_listen_error(PRInt32 err);
+extern void nss_MD_win32_map_lockf_error(PRInt32 err);
+extern void nss_MD_win32_map_lseek_error(PRInt32 err);
+extern void nss_MD_win32_map_mkdir_error(PRInt32 err);
+extern void nss_MD_win32_map_open_error(PRInt32 err);
+extern void nss_MD_win32_map_opendir_error(PRInt32 err);
+extern void nss_MD_win32_map_read_error(PRInt32 err);
+extern void nss_MD_win32_map_readdir_error(PRInt32 err);
+extern void nss_MD_win32_map_recv_error(PRInt32 err);
+extern void nss_MD_win32_map_recvfrom_error(PRInt32 err);
+extern void nss_MD_win32_map_rename_error(PRInt32 err);
+extern void nss_MD_win32_map_rmdir_error(PRInt32 err);
+extern void nss_MD_win32_map_select_error(PRInt32 err);
+extern void nss_MD_win32_map_send_error(PRInt32 err);
+extern void nss_MD_win32_map_sendto_error(PRInt32 err);
+extern void nss_MD_win32_map_setsockopt_error(PRInt32 err);
+extern void nss_MD_win32_map_shutdown_error(PRInt32 err);
+extern void nss_MD_win32_map_socket_error(PRInt32 err);
+extern void nss_MD_win32_map_stat_error(PRInt32 err);
+extern void nss_MD_win32_map_transmitfile_error(PRInt32 err);
+extern void nss_MD_win32_map_write_error(PRInt32 err);
diff --git a/security/nss/lib/util/Makefile b/security/nss/lib/util/Makefile
new file mode 100644
index 000000000..26b783874
--- /dev/null
+++ b/security/nss/lib/util/Makefile
@@ -0,0 +1,86 @@
+#! gmake
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+# include $(CORE_DEPTH)/coreconf/arch.mk
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+ifeq ($(OS_TARGET),HP-UX)
+	ASFILES += ret_cr16.s
+endif
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+tests:: $(OBJDIR)/test_utf8
+
+$(OBJDIR)/test_utf8: utf8.c
+	@$(MAKE_OBJDIR)
+	$(CCF) -o $(OBJDIR)/test_utf8 -DTEST_UTF8 utf8.c $(OS_LIBS)
diff --git a/security/nss/lib/util/base64.h b/security/nss/lib/util/base64.h
new file mode 100644
index 000000000..92dc54d7c
--- /dev/null
+++ b/security/nss/lib/util/base64.h
@@ -0,0 +1,71 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * base64.h - prototypes for base64 encoding/decoding
+ * Note: These functions are deprecated; see nssb64.h for new routines.
+ *
+ * $Id$
+ */
+#ifndef _BASE64_H_
+#define _BASE64_H_
+
+#include "seccomon.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+** Return an PORT_Alloc'd ascii string which is the base64 encoded
+** version of the input string.
+*/
+extern char *BTOA_DataToAscii(const unsigned char *data, unsigned int len);
+
+/*
+** Return an PORT_Alloc'd string which is the base64 decoded version
+** of the input string; set *lenp to the length of the returned data.
+*/
+extern unsigned char *ATOB_AsciiToData(const char *string, unsigned int *lenp);
+ 
+/*
+** Convert from ascii to binary encoding of an item.
+*/
+extern SECStatus ATOB_ConvertAsciiToItem(SECItem *binary_item, char *ascii);
+
+/*
+** Convert from binary encoding of an item to ascii.
+*/
+extern char *BTOA_ConvertItemToAscii(SECItem *binary_item);
+
+SEC_END_PROTOS
+
+#endif /* _BASE64_H_ */
diff --git a/security/nss/lib/util/ciferfam.h b/security/nss/lib/util/ciferfam.h
new file mode 100644
index 000000000..fd2f3bd0f
--- /dev/null
+++ b/security/nss/lib/util/ciferfam.h
@@ -0,0 +1,87 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * ciferfam.h - cipher familie IDs used for configuring ciphers for export
+ *              control
+ *
+ * $Id$
+ */
+
+#ifndef _CIFERFAM_H_
+#define _CIFERFAM_H_
+
+/* Cipher Suite "Families" */
+#define CIPHER_FAMILY_PKCS12			"PKCS12"
+#define CIPHER_FAMILY_SMIME			"SMIME"
+#define CIPHER_FAMILY_SSL2			"SSLv2"
+#define CIPHER_FAMILY_SSL3			"SSLv3"
+#define CIPHER_FAMILY_SSL			"SSL"
+#define CIPHER_FAMILY_ALL			""
+#define CIPHER_FAMILY_UNKNOWN			"UNKNOWN"
+
+#define CIPHER_FAMILYID_MASK			0xFFFF0000L
+#define CIPHER_FAMILYID_SSL			0x00000000L
+#define CIPHER_FAMILYID_SMIME			0x00010000L
+#define CIPHER_FAMILYID_PKCS12			0x00020000L
+
+/* SMIME "Cipher Suites" */
+/*
+ * Note that it is assumed that the cipher number itself can be used
+ * as a bit position in a mask, and that mask is currently 32 bits wide.
+ * So, if you want to add a cipher that is greater than 0033, secmime.c
+ * needs to be made smarter at the same time.
+ */
+#define	SMIME_RC2_CBC_40		(CIPHER_FAMILYID_SMIME | 0001)
+#define	SMIME_RC2_CBC_64		(CIPHER_FAMILYID_SMIME | 0002)
+#define	SMIME_RC2_CBC_128		(CIPHER_FAMILYID_SMIME | 0003)
+#define	SMIME_DES_CBC_56		(CIPHER_FAMILYID_SMIME | 0011)
+#define	SMIME_DES_EDE3_168		(CIPHER_FAMILYID_SMIME | 0012)
+#define	SMIME_RC5PAD_64_16_40		(CIPHER_FAMILYID_SMIME | 0021)
+#define	SMIME_RC5PAD_64_16_64		(CIPHER_FAMILYID_SMIME | 0022)
+#define	SMIME_RC5PAD_64_16_128		(CIPHER_FAMILYID_SMIME | 0023)
+#define	SMIME_FORTEZZA			(CIPHER_FAMILYID_SMIME | 0031)
+
+/* PKCS12 "Cipher Suites" */
+
+#define	PKCS12_RC2_CBC_40		(CIPHER_FAMILYID_PKCS12 | 0001)
+#define	PKCS12_RC2_CBC_128		(CIPHER_FAMILYID_PKCS12 | 0002)
+#define	PKCS12_RC4_40			(CIPHER_FAMILYID_PKCS12 | 0011)
+#define	PKCS12_RC4_128			(CIPHER_FAMILYID_PKCS12 | 0012)
+#define	PKCS12_DES_56			(CIPHER_FAMILYID_PKCS12 | 0021)
+#define	PKCS12_DES_EDE3_168		(CIPHER_FAMILYID_PKCS12 | 0022)
+
+/* SMIME version numbers are negative, to avoid colliding with SSL versions */
+#define SMIME_LIBRARY_VERSION_1_0			-0x0100
+
+#endif /* _CIFERFAM_H_ */
diff --git a/security/nss/lib/util/config.mk b/security/nss/lib/util/config.mk
new file mode 100644
index 000000000..0a00dc61e
--- /dev/null
+++ b/security/nss/lib/util/config.mk
@@ -0,0 +1,43 @@
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+
+#
+#  Override TARGETS variable so that only static libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(LIBRARY)
+SHARED_LIBRARY =
+IMPORT_LIBRARY =
+PROGRAM        =
+
diff --git a/security/nss/lib/util/derdec.c b/security/nss/lib/util/derdec.c
new file mode 100644
index 000000000..914701e33
--- /dev/null
+++ b/security/nss/lib/util/derdec.c
@@ -0,0 +1,552 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "secder.h"
+#include "secerr.h"
+
+static uint32
+der_indefinite_length(unsigned char *buf, unsigned char *end)
+{
+    uint32 len, ret, dataLen;
+    unsigned char tag, lenCode;
+    int dataLenLen;
+
+    len = 0;
+    while ( 1 ) {
+	if ((buf + 2) > end) {
+	    return(0);
+	}
+	
+	tag = *buf++;
+	lenCode = *buf++;
+	len += 2;
+	
+	if ( ( tag == 0 ) && ( lenCode == 0 ) ) {
+	    return(len);
+	}
+	
+	if ( lenCode == 0x80 ) {	/* indefinite length */
+	    ret = der_indefinite_length(buf, end); /* recurse to find length */
+	    if (ret == 0)
+		return 0;
+	    len += ret;
+	    buf += ret;
+	} else {			/* definite length */
+	    if (lenCode & 0x80) {
+		/* Length of data is in multibyte format */
+		dataLenLen = lenCode & 0x7f;
+		switch (dataLenLen) {
+		  case 1:
+		    dataLen = buf[0];
+		    break;
+		  case 2:
+		    dataLen = (buf[0]<<8)|buf[1];
+		    break;
+		  case 3:
+		    dataLen = ((unsigned long)buf[0]<<16)|(buf[1]<<8)|buf[2];
+		    break;
+		  case 4:
+		    dataLen = ((unsigned long)buf[0]<<24)|
+			((unsigned long)buf[1]<<16)|(buf[2]<<8)|buf[3];
+		    break;
+		  default:
+		    PORT_SetError(SEC_ERROR_BAD_DER);
+		    return SECFailure;
+		}
+	    } else {
+		/* Length of data is in single byte */
+		dataLen = lenCode;
+		dataLenLen = 0;
+	    }
+
+	    /* skip this item */
+	    buf = buf + dataLenLen + dataLen;
+	    len = len + dataLenLen + dataLen;
+	}
+    }
+}
+
+/*
+** Capture the next thing in the buffer.
+** Returns the length of the header and the length of the contents.
+*/
+static SECStatus
+der_capture(unsigned char *buf, unsigned char *end,
+	    int *header_len_p, uint32 *contents_len_p)
+{
+    unsigned char *bp;
+    unsigned char whole_tag;
+    uint32 contents_len;
+    int tag_number;
+
+    if ((buf + 2) > end) {
+	*header_len_p = 0;
+	*contents_len_p = 0;
+	if (buf == end)
+	    return SECSuccess;
+	return SECFailure;
+    }
+
+    bp = buf;
+
+    /* Get tag and verify that it is ok. */
+    whole_tag = *bp++;
+    tag_number = whole_tag & DER_TAGNUM_MASK;
+
+    /*
+     * XXX This code does not (yet) handle the high-tag-number form!
+     */
+    if (tag_number == DER_HIGH_TAG_NUMBER) {
+	PORT_SetError(SEC_ERROR_BAD_DER);
+	return SECFailure;
+    }
+
+    if ((whole_tag & DER_CLASS_MASK) == DER_UNIVERSAL) {
+	/* Check that the universal tag number is one we implement.  */
+	switch (tag_number) {
+	  case DER_BOOLEAN:
+	  case DER_INTEGER:
+	  case DER_BIT_STRING:
+	  case DER_OCTET_STRING:
+	  case DER_NULL:
+	  case DER_OBJECT_ID:
+	  case DER_SEQUENCE:
+	  case DER_SET:
+	  case DER_PRINTABLE_STRING:
+	  case DER_T61_STRING:
+	  case DER_IA5_STRING:
+	  case DER_VISIBLE_STRING:
+	  case DER_UTC_TIME:
+	  case 0:			/* end-of-contents tag */
+	    break;
+	  default:
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    return SECFailure;
+	}
+    }
+
+    /*
+     * Get first byte of length code (might contain entire length, might not).
+     */
+    contents_len = *bp++;
+
+    /*
+     * If the high bit is set, then the length is in multibyte format,
+     * or the thing has an indefinite-length.
+     */
+    if (contents_len & 0x80) {
+	int bytes_of_encoded_len;
+
+	bytes_of_encoded_len = contents_len & 0x7f;
+	contents_len = 0;
+
+	switch (bytes_of_encoded_len) {
+	  case 4:
+	    contents_len |= *bp++;
+	    contents_len <<= 8;
+	    /* fallthru */
+	  case 3:
+	    contents_len |= *bp++;
+	    contents_len <<= 8;
+	    /* fallthru */
+	  case 2:
+	    contents_len |= *bp++;
+	    contents_len <<= 8;
+	    /* fallthru */
+	  case 1:
+	    contents_len |= *bp++;
+	    break;
+
+	  case 0:
+	    contents_len = der_indefinite_length (bp, end);
+	    if (contents_len)
+		break;
+	    /* fallthru */
+	  default:
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    return SECFailure;
+	}
+    }
+
+    if ((bp + contents_len) > end) {
+	/* Ran past end of buffer */
+	PORT_SetError(SEC_ERROR_BAD_DER);
+	return SECFailure;
+    }
+
+    *header_len_p = bp - buf;
+    *contents_len_p = contents_len;
+
+    return SECSuccess;
+}
+
+static unsigned char *
+der_decode(PRArenaPool *arena, void *dest, DERTemplate *dtemplate,
+	   unsigned char *buf, int header_len, uint32 contents_len)
+{
+    unsigned char *orig_buf, *end;
+    unsigned long encode_kind, under_kind;
+    PRBool explicit, optional, universal, check_tag;
+    SECItem *item;
+    SECStatus rv;
+    PRBool indefinite_length, explicit_indefinite_length;
+
+    encode_kind = dtemplate->kind;
+    explicit = (encode_kind & DER_EXPLICIT) ? PR_TRUE : PR_FALSE;
+    optional = (encode_kind & DER_OPTIONAL) ? PR_TRUE : PR_FALSE;
+    universal = ((encode_kind & DER_CLASS_MASK) == DER_UNIVERSAL)
+		? PR_TRUE : PR_FALSE;
+
+    PORT_Assert (!(explicit && universal));	/* bad templates */
+
+    if (header_len == 0) {
+	if (optional || (encode_kind & DER_ANY))
+	    return buf;
+	PORT_SetError(SEC_ERROR_BAD_DER);
+	return NULL;
+    }
+
+    if (encode_kind & DER_POINTER) {
+	void *place, **placep;
+	int offset;
+
+	if (dtemplate->sub != NULL) {
+	    dtemplate = dtemplate->sub;
+	    under_kind = dtemplate->kind;
+	    if (universal) {
+		encode_kind = under_kind;
+	    }
+	    place = PORT_ArenaZAlloc(arena, dtemplate->arg);
+	    offset = dtemplate->offset;
+	} else {
+	    if (universal) {
+		under_kind = encode_kind & ~DER_POINTER;
+	    } else {
+		under_kind = dtemplate->arg;
+	    }
+	    place = PORT_ArenaZAlloc(arena, sizeof(SECItem));
+	    offset = 0;
+	}
+	if (place == NULL) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    return NULL;		/* Out of memory */
+	}
+	placep = (void **)dest;
+	*placep = place;
+	dest = (void *)((char *)place + offset);
+    } else if (encode_kind & DER_INLINE) {
+	PORT_Assert (dtemplate->sub != NULL);
+	dtemplate = dtemplate->sub;
+	under_kind = dtemplate->kind;
+	if (universal) {
+	    encode_kind = under_kind;
+	}
+	dest = (void *)((char *)dest + dtemplate->offset);
+    } else if (universal) {
+	under_kind = encode_kind;
+    } else {
+	under_kind = dtemplate->arg;
+    }
+
+    orig_buf = buf;
+    end = buf + header_len + contents_len;
+
+    explicit_indefinite_length = PR_FALSE;
+
+    if (explicit) {
+	/*
+	 * This tag is expected to match exactly.
+	 * (The template has all of the bits specified.)
+	 */
+	if (*buf != (encode_kind & DER_TAG_MASK)) {
+	    if (optional)
+		return buf;
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    return NULL;
+	}
+	if ((header_len == 2) && (*(buf + 1) == 0x80))
+	    explicit_indefinite_length = PR_TRUE;
+	buf += header_len;
+	rv = der_capture (buf, end, &header_len, &contents_len);
+	if (rv != SECSuccess)
+	    return NULL;
+	if (header_len == 0) {		/* XXX is this right? */
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    return NULL;
+	}
+	optional = PR_FALSE;		/* can no longer be optional */
+	encode_kind = under_kind;
+    }
+
+    check_tag = PR_TRUE;
+    if (encode_kind & (DER_DERPTR | DER_ANY | DER_FORCE | DER_SKIP)) {
+	PORT_Assert ((encode_kind & DER_ANY) || !optional);
+	encode_kind = encode_kind & (~DER_FORCE);
+	under_kind = under_kind & (~DER_FORCE);
+	check_tag = PR_FALSE;
+    }
+
+    if (check_tag) {
+	PRBool wrong;
+	unsigned char expect_tag, expect_num;
+
+	/*
+	 * This tag is expected to match, but the simple types
+	 * may or may not have the constructed bit set, so we
+	 * have to have all this extra logic.
+	 */
+	wrong = PR_TRUE;
+	expect_tag = encode_kind & DER_TAG_MASK;
+	expect_num = expect_tag & DER_TAGNUM_MASK;
+	if (expect_num == DER_SET || expect_num == DER_SEQUENCE) {
+	    if (*buf == (expect_tag | DER_CONSTRUCTED))
+		wrong = PR_FALSE;
+	} else {
+	    if (*buf == expect_tag)
+		wrong = PR_FALSE;
+	    else if (*buf == (expect_tag | DER_CONSTRUCTED))
+		wrong = PR_FALSE;
+	}
+	if (wrong) {
+	    if (optional)
+		return buf;
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    return NULL;
+	}
+    }
+
+    if (under_kind & DER_DERPTR) {
+	item = (SECItem *)dest;
+	if (under_kind & DER_OUTER) {
+	    item->data = buf;
+	    item->len = header_len + contents_len;
+	} else {
+	    item->data = buf + header_len;
+	    item->len = contents_len;
+	}
+	return orig_buf;
+    }
+
+    if (encode_kind & DER_ANY) {
+	contents_len += header_len;
+	header_len = 0;
+    }
+
+    if ((header_len == 2) && (*(buf + 1) == 0x80))
+	indefinite_length = PR_TRUE;
+    else
+	indefinite_length = PR_FALSE;
+
+    buf += header_len;
+
+    if (contents_len == 0)
+	return buf;
+
+    under_kind &= ~DER_OPTIONAL;
+
+    if (under_kind & DER_INDEFINITE) {
+	int count, thing_size;
+	unsigned char *sub_buf;
+	DERTemplate *tmpt;
+	void *things, **indp, ***placep;
+
+	under_kind &= ~DER_INDEFINITE;
+
+	/*
+	 * Count items.
+	 */
+	count = 0;
+	sub_buf = buf;
+	while (sub_buf < end) {
+	    if (indefinite_length && sub_buf[0] == 0 && sub_buf[1] == 0) {
+		break; 
+	    }
+	    rv = der_capture (sub_buf, end, &header_len, &contents_len);
+	    if (rv != SECSuccess)
+		return NULL;
+	    count++;
+	    sub_buf += header_len + contents_len;
+	}
+
+	/*
+	 * Allocate an array of pointers to items; extra one is for a NULL.
+	 */
+	indp = (void**)PORT_ArenaZAlloc(arena, (count + 1) * sizeof(void *));
+	if (indp == NULL) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    return NULL;
+	}
+
+	/*
+	 * Prepare.
+	 */
+	if (under_kind == DER_SET || under_kind == DER_SEQUENCE) {
+	    tmpt = dtemplate->sub;
+	    PORT_Assert (tmpt != NULL);
+	    thing_size = tmpt->arg;
+	    PORT_Assert (thing_size != 0);
+	} else {
+	    tmpt = NULL;
+	    thing_size = sizeof(SECItem);
+	}
+
+	/*
+	 * Allocate the items themselves.
+	 */
+	things = PORT_ArenaZAlloc(arena, count * thing_size);
+	if (things == NULL) {
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    return NULL;
+	}
+
+	placep = (void ***)dest;
+	*placep = indp;
+
+	while (count) {
+	    /* ignore return value because we already did whole thing above */
+	    (void) der_capture (buf, end, &header_len, &contents_len);
+	    if (tmpt != NULL) {
+		void *sub_thing;
+
+		sub_thing = (void *)((char *)things + tmpt->offset);
+		buf = der_decode (arena, sub_thing, tmpt,
+				  buf, header_len, contents_len);
+		if (buf == NULL)
+		    return NULL;
+	    } else {
+		item = (SECItem *)things;
+		if (under_kind == DER_ANY) {
+		    contents_len += header_len;
+		    header_len = 0;
+		}
+		buf += header_len;
+		if (under_kind == DER_BIT_STRING) {
+		    item->data = buf + 1;
+		    item->len = ((contents_len - 1) << 3) - *buf;
+		} else {
+		    item->data = buf;
+		    item->len = contents_len;
+		}
+		buf += contents_len;
+	    }
+	    *indp++ = things;
+	    things = (void *)((char *)things + thing_size);
+	    count--;
+	}
+
+	*indp = NULL;
+
+	goto der_decode_done;
+    }
+
+    switch (under_kind) {
+      case DER_SEQUENCE:
+      case DER_SET:
+	{
+	    DERTemplate *tmpt;
+	    void *sub_dest;
+
+	    for (tmpt = dtemplate + 1; tmpt->kind; tmpt++) {
+		sub_dest = (void *)((char *)dest + tmpt->offset);
+		rv = der_capture (buf, end, &header_len, &contents_len);
+		if (rv != SECSuccess)
+		    return NULL;
+		buf = der_decode (arena, sub_dest, tmpt,
+				  buf, header_len, contents_len);
+		if (buf == NULL)
+		    return NULL;
+	    }
+	}
+	break;
+
+      case DER_BIT_STRING:
+	item = (SECItem *)dest;
+	item->data = buf + 1;
+	item->len = ((contents_len - 1) << 3) - *buf;
+	buf += contents_len;
+	break;
+
+      case DER_SKIP:
+	buf += contents_len;
+	break;
+
+      default:
+	item = (SECItem *)dest;
+	item->data = buf;
+	item->len = contents_len;
+	buf += contents_len;
+	break;
+    }
+
+der_decode_done:
+
+    if (indefinite_length && buf[0] == 0 && buf[1] == 0) {
+	buf += 2;
+    }
+
+    if (explicit_indefinite_length && buf[0] == 0 && buf[1] == 0) {
+	buf += 2;
+    }
+
+    return buf;
+}
+
+SECStatus
+DER_Decode(PRArenaPool *arena, void *dest, DERTemplate *dtemplate, SECItem *src)
+{
+    unsigned char *buf;
+    uint32 buf_len, contents_len;
+    int header_len;
+    SECStatus rv;
+
+    buf = src->data;
+    buf_len = src->len;
+
+    rv = der_capture (buf, buf + buf_len, &header_len, &contents_len);
+    if (rv != SECSuccess)
+	return rv;
+
+    dest = (void *)((char *)dest + dtemplate->offset);
+    buf = der_decode (arena, dest, dtemplate, buf, header_len, contents_len);
+    if (buf == NULL)
+	return SECFailure;
+
+    return SECSuccess;
+}
+
+SECStatus
+DER_Lengths(SECItem *item, int *header_len_p, uint32 *contents_len_p)
+{
+    return(der_capture(item->data, &item->data[item->len], header_len_p,
+		       contents_len_p));
+}
diff --git a/security/nss/lib/util/derenc.c b/security/nss/lib/util/derenc.c
new file mode 100644
index 000000000..191b00528
--- /dev/null
+++ b/security/nss/lib/util/derenc.c
@@ -0,0 +1,504 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "secder.h"
+#include "secerr.h"
+/*
+ * Generic templates for individual/simple items.
+ */
+
+DERTemplate SECAnyTemplate[] = {
+    { DER_ANY,
+	  0, NULL, sizeof(SECItem) }
+};
+
+DERTemplate SECBitStringTemplate[] = {
+    { DER_BIT_STRING,
+	  0, NULL, sizeof(SECItem) }
+};
+
+DERTemplate SECBooleanTemplate[] = {
+    { DER_BOOLEAN,
+	  0, NULL, sizeof(SECItem) }
+};
+
+DERTemplate SECIA5StringTemplate[] = {
+    { DER_IA5_STRING,
+	  0, NULL, sizeof(SECItem) }
+};
+
+DERTemplate SECIntegerTemplate[] = {
+    { DER_INTEGER,
+	  0, NULL, sizeof(SECItem) }
+};
+
+DERTemplate SECNullTemplate[] = {
+    { DER_NULL,
+	  0, NULL, sizeof(SECItem) }
+};
+
+DERTemplate SECObjectIDTemplate[] = {
+    { DER_OBJECT_ID,
+	  0, NULL, sizeof(SECItem) }
+};
+
+DERTemplate SECOctetStringTemplate[] = {
+    { DER_OCTET_STRING,
+	  0, NULL, sizeof(SECItem) }
+};
+
+DERTemplate SECPrintableStringTemplate[] = {
+    { DER_PRINTABLE_STRING,
+	  0, NULL, sizeof(SECItem) }
+};
+
+DERTemplate SECT61StringTemplate[] = {
+    { DER_T61_STRING,
+	  0, NULL, sizeof(SECItem) }
+};
+
+DERTemplate SECUTCTimeTemplate[] = {
+    { DER_UTC_TIME,
+	  0, NULL, sizeof(SECItem) }
+};
+
+
+static int
+header_length(DERTemplate *dtemplate, uint32 contents_len)
+{
+    uint32 len;
+    unsigned long encode_kind, under_kind;
+    PRBool explicit, optional, universal;
+
+    encode_kind = dtemplate->kind;
+
+    explicit = (encode_kind & DER_EXPLICIT) ? PR_TRUE : PR_FALSE;
+    optional = (encode_kind & DER_OPTIONAL) ? PR_TRUE : PR_FALSE;
+    universal = ((encode_kind & DER_CLASS_MASK) == DER_UNIVERSAL)
+		? PR_TRUE : PR_FALSE;
+
+    PORT_Assert (!(explicit && universal));	/* bad templates */
+
+    if (encode_kind & DER_POINTER) {
+	if (dtemplate->sub != NULL) {
+	    under_kind = dtemplate->sub->kind;
+	    if (universal) {
+		encode_kind = under_kind;
+	    }
+	} else if (universal) {
+	    under_kind = encode_kind & ~DER_POINTER;
+	} else {
+	    under_kind = dtemplate->arg;
+	}
+    } else if (encode_kind & DER_INLINE) {
+	under_kind = dtemplate->sub->kind;
+	if (universal) {
+	    encode_kind = under_kind;
+	}
+    } else if (universal) {
+	under_kind = encode_kind;
+    } else {
+	under_kind = dtemplate->arg;
+    }
+
+    /* This is only used in decoding; it plays no part in encoding.  */
+    if (under_kind & DER_DERPTR)
+	return 0;
+
+    /* No header at all for an "empty" optional.  */
+    if ((contents_len == 0) && optional)
+	return 0;
+
+    /* And no header for a full DER_ANY.  */
+    if (encode_kind & DER_ANY)
+	return 0;
+
+    /*
+     * The common case: one octet for identifier and as many octets
+     * as necessary to hold the content length.
+     */
+    len = 1 + DER_LengthLength(contents_len);
+
+    /* Account for the explicit wrapper, if necessary.  */
+    if (explicit) {
+#if 0		/*
+		 * Well, I was trying to do something useful, but these
+		 * assertions are too restrictive on valid templates.
+		 * I wanted to make sure that the top-level "kind" of
+		 * a template does not also specify DER_EXPLICIT, which
+		 * should only modify a component field.  Maybe later
+		 * I can figure out a better way to detect such a problem,
+		 * but for now I must remove these checks altogether.
+		 */
+	/*
+	 * This modifier applies only to components of a set or sequence;
+	 * it should never be used on a set/sequence itself -- confirm.
+	 */
+	PORT_Assert (under_kind != DER_SEQUENCE);
+	PORT_Assert (under_kind != DER_SET);
+#endif
+
+	len += 1 + DER_LengthLength(len + contents_len);
+    }
+
+    return len;
+}
+
+
+static uint32
+contents_length(DERTemplate *dtemplate, void *src)
+{
+    uint32 len;
+    unsigned long encode_kind, under_kind;
+    PRBool universal;
+
+
+    PORT_Assert (src != NULL);
+
+    encode_kind = dtemplate->kind;
+
+    universal = ((encode_kind & DER_CLASS_MASK) == DER_UNIVERSAL)
+		? PR_TRUE : PR_FALSE;
+    encode_kind &= ~DER_OPTIONAL;
+
+    if (encode_kind & DER_POINTER) {
+	src = *(void **)src;
+	if (src == NULL) {
+	    return 0;
+	}
+	if (dtemplate->sub != NULL) {
+	    dtemplate = dtemplate->sub;
+	    under_kind = dtemplate->kind;
+	    src = (void *)((char *)src + dtemplate->offset);
+	} else if (universal) {
+	    under_kind = encode_kind & ~DER_POINTER;
+	} else {
+	    under_kind = dtemplate->arg;
+	}
+    } else if (encode_kind & DER_INLINE) {
+	PORT_Assert (dtemplate->sub != NULL);
+	dtemplate = dtemplate->sub;
+	under_kind = dtemplate->kind;
+	src = (void *)((char *)src + dtemplate->offset);
+    } else if (universal) {
+	under_kind = encode_kind;
+    } else {
+	under_kind = dtemplate->arg;
+    }
+
+    /* Having any of these bits is not expected here...  */
+    PORT_Assert ((under_kind & (DER_EXPLICIT | DER_INLINE | DER_OPTIONAL
+				| DER_POINTER | DER_SKIP)) == 0);
+
+    /* This is only used in decoding; it plays no part in encoding.  */
+    if (under_kind & DER_DERPTR)
+	return 0;
+
+    if (under_kind & DER_INDEFINITE) {
+	uint32 sub_len;
+	void **indp;
+
+	indp = *(void ***)src;
+	if (indp == NULL)
+	    return 0;
+
+	len = 0;
+	under_kind &= ~DER_INDEFINITE;
+
+	if (under_kind == DER_SET || under_kind == DER_SEQUENCE) {
+	    DERTemplate *tmpt;
+	    void *sub_src;
+
+	    tmpt = dtemplate->sub;
+
+	    for (; *indp != NULL; indp++) {
+		sub_src = (void *)((char *)(*indp) + tmpt->offset);
+		sub_len = contents_length (tmpt, sub_src);
+		len += sub_len + header_length (tmpt, sub_len);
+	    }
+	} else {
+	    /*
+	     * XXX Lisa is not sure this code (for handling, for example,
+	     * DER_INDEFINITE | DER_OCTET_STRING) is right.
+	     */
+	    for (; *indp != NULL; indp++) {
+		SECItem *item;
+		item = (SECItem *)(*indp);
+		sub_len = item->len;
+		if (under_kind == DER_BIT_STRING) {
+		    sub_len = (sub_len + 7) >> 3;
+		    /* bit string contents involve an extra octet */
+		    if (sub_len)
+			sub_len++;
+		}
+		if (under_kind != DER_ANY)
+		    len += 1 + DER_LengthLength (sub_len);
+	    }
+	}
+
+	return len;
+    }
+
+    switch (under_kind) {
+      case DER_SEQUENCE:
+      case DER_SET:
+	{
+	    DERTemplate *tmpt;
+	    void *sub_src;
+	    uint32 sub_len;
+
+	    len = 0;
+	    for (tmpt = dtemplate + 1; tmpt->kind; tmpt++) {
+		sub_src = (void *)((char *)src + tmpt->offset);
+		sub_len = contents_length (tmpt, sub_src);
+		len += sub_len + header_length (tmpt, sub_len);
+	    }
+	}
+	break;
+
+      case DER_BIT_STRING:
+	len = (((SECItem *)src)->len + 7) >> 3;
+	/* bit string contents involve an extra octet */
+	if (len)
+	    len++;
+	break;
+
+      default:
+	len = ((SECItem *)src)->len;
+	break;
+    }
+
+    return len;
+}
+
+
+static unsigned char *
+der_encode(unsigned char *buf, DERTemplate *dtemplate, void *src)
+{
+    int header_len;
+    uint32 contents_len;
+    unsigned long encode_kind, under_kind;
+    PRBool explicit, optional, universal;
+
+
+    /*
+     * First figure out how long the encoding will be.  Do this by
+     * traversing the template from top to bottom and accumulating
+     * the length of each leaf item.
+     */
+    contents_len = contents_length (dtemplate, src);
+    header_len = header_length (dtemplate, contents_len);
+
+    /*
+     * Enough smarts was involved already, so that if both the
+     * header and the contents have a length of zero, then we
+     * are not doing any encoding for this element.
+     */
+    if (header_len == 0 && contents_len == 0)
+	return buf;
+
+    encode_kind = dtemplate->kind;
+
+    explicit = (encode_kind & DER_EXPLICIT) ? PR_TRUE : PR_FALSE;
+    optional = (encode_kind & DER_OPTIONAL) ? PR_TRUE : PR_FALSE;
+    encode_kind &= ~DER_OPTIONAL;
+    universal = ((encode_kind & DER_CLASS_MASK) == DER_UNIVERSAL)
+		? PR_TRUE : PR_FALSE;
+
+    if (encode_kind & DER_POINTER) {
+	if (contents_len) {
+	    src = *(void **)src;
+	    PORT_Assert (src != NULL);
+	}
+	if (dtemplate->sub != NULL) {
+	    dtemplate = dtemplate->sub;
+	    under_kind = dtemplate->kind;
+	    if (universal) {
+		encode_kind = under_kind;
+	    }
+	    src = (void *)((char *)src + dtemplate->offset);
+	} else if (universal) {
+	    under_kind = encode_kind & ~DER_POINTER;
+	} else {
+	    under_kind = dtemplate->arg;
+	}
+    } else if (encode_kind & DER_INLINE) {
+	dtemplate = dtemplate->sub;
+	under_kind = dtemplate->kind;
+	if (universal) {
+	    encode_kind = under_kind;
+	}
+	src = (void *)((char *)src + dtemplate->offset);
+    } else if (universal) {
+	under_kind = encode_kind;
+    } else {
+	under_kind = dtemplate->arg;
+    }
+
+    if (explicit) {
+	buf = DER_StoreHeader (buf, encode_kind,
+			       (1 + DER_LengthLength(contents_len)
+				+ contents_len));
+	encode_kind = under_kind;
+    }
+
+    if ((encode_kind & DER_ANY) == 0) {	/* DER_ANY already contains header */
+	buf = DER_StoreHeader (buf, encode_kind, contents_len);
+    }
+
+    /* If no real contents to encode, then we are done.  */
+    if (contents_len == 0)
+	return buf;
+
+    if (under_kind & DER_INDEFINITE) {
+	void **indp;
+
+	indp = *(void ***)src;
+	PORT_Assert (indp != NULL);
+
+	under_kind &= ~DER_INDEFINITE;
+	if (under_kind == DER_SET || under_kind == DER_SEQUENCE) {
+	    DERTemplate *tmpt;
+	    void *sub_src;
+
+	    tmpt = dtemplate->sub;
+	    for (; *indp != NULL; indp++) {
+		sub_src = (void *)((char *)(*indp) + tmpt->offset);
+		buf = der_encode (buf, tmpt, sub_src);
+	    }
+	} else {
+	    for (; *indp != NULL; indp++) {
+		SECItem *item;
+		int sub_len;
+
+		item = (SECItem *)(*indp);
+		sub_len = item->len;
+		if (under_kind == DER_BIT_STRING) {
+		    if (sub_len) {
+			int rem;
+
+			sub_len = (sub_len + 7) >> 3;
+			buf = DER_StoreHeader (buf, under_kind, sub_len + 1);
+			rem = (sub_len << 3) - item->len;
+			*buf++ = rem;		/* remaining bits */
+		    } else {
+			buf = DER_StoreHeader (buf, under_kind, 0);
+		    }
+		} else if (under_kind != DER_ANY) {
+		    buf = DER_StoreHeader (buf, under_kind, sub_len);
+		}
+		PORT_Memcpy (buf, item->data, sub_len);
+		buf += sub_len;
+	    }
+	}
+	return buf;
+    }
+
+    switch (under_kind) {
+      case DER_SEQUENCE:
+      case DER_SET:
+	{
+	    DERTemplate *tmpt;
+	    void *sub_src;
+
+	    for (tmpt = dtemplate + 1; tmpt->kind; tmpt++) {
+		sub_src = (void *)((char *)src + tmpt->offset);
+		buf = der_encode (buf, tmpt, sub_src);
+	    }
+	}
+	break;
+
+      case DER_BIT_STRING:
+	{
+	    SECItem *item;
+	    int rem;
+
+	    /*
+	     * The contents length includes our extra octet; subtract
+	     * it off so we just have the real string length there.
+	     */
+	    contents_len--;
+	    item = (SECItem *)src;
+	    PORT_Assert (contents_len == ((item->len + 7) >> 3));
+	    rem = (contents_len << 3) - item->len;
+	    *buf++ = rem;		/* remaining bits */
+	    PORT_Memcpy (buf, item->data, contents_len);
+	    buf += contents_len;
+	}
+	break;
+
+      default:
+	{
+	    SECItem *item;
+
+	    item = (SECItem *)src;
+	    PORT_Assert (contents_len == item->len);
+	    PORT_Memcpy (buf, item->data, contents_len);
+	    buf += contents_len;
+	}
+	break;
+    }
+
+    return buf;
+}
+
+
+SECStatus
+DER_Encode(PRArenaPool *arena, SECItem *dest, DERTemplate *dtemplate, void *src)
+{
+    unsigned int contents_len, header_len;
+
+    src = (void **)((char *)src + dtemplate->offset);
+
+    /*
+     * First figure out how long the encoding will be. Do this by
+     * traversing the template from top to bottom and accumulating
+     * the length of each leaf item.
+     */
+    contents_len = contents_length (dtemplate, src);
+    header_len = header_length (dtemplate, contents_len);
+
+    dest->len = contents_len + header_len;
+
+    /* Allocate storage to hold the encoding */
+    dest->data = (unsigned char*) PORT_ArenaAlloc(arena, dest->len);
+    if (dest->data == NULL) {
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+	return SECFailure;
+    }
+
+    /* Now encode into the buffer */
+    (void) der_encode (dest->data, dtemplate, src);
+
+    return SECSuccess;
+}
diff --git a/security/nss/lib/util/dersubr.c b/security/nss/lib/util/dersubr.c
new file mode 100644
index 000000000..dc91ffe6f
--- /dev/null
+++ b/security/nss/lib/util/dersubr.c
@@ -0,0 +1,258 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "secder.h"
+#include <limits.h>
+#include "secerr.h"
+
+int
+DER_LengthLength(uint32 len)
+{
+    if (len > 127) {
+	if (len > 255) {
+	    if (len > 65535L) {
+		if (len > 16777215L) {
+		    return 5;
+		} else {
+		    return 4;
+		}
+	    } else {
+		return 3;
+	    }
+	} else {
+	    return 2;
+	}
+    } else {
+	return 1;
+    }
+}
+
+unsigned char *
+DER_StoreHeader(unsigned char *buf, unsigned int code, uint32 len)
+{
+    unsigned char b[4];
+
+    b[0] = (len >> 24) & 0xff;
+    b[1] = (len >> 16) & 0xff;
+    b[2] = (len >> 8) & 0xff;
+    b[3] = len & 0xff;
+    if ((code & DER_TAGNUM_MASK) == DER_SET
+	|| (code & DER_TAGNUM_MASK) == DER_SEQUENCE)
+	code |= DER_CONSTRUCTED;
+    *buf++ = code;
+    if (len > 127) {
+	if (len > 255) {
+	    if (len > 65535) {
+		if (len > 16777215) {
+		    *buf++ = 0x84;
+		    *buf++ = b[0];
+		    *buf++ = b[1];
+		    *buf++ = b[2];
+		    *buf++ = b[3];
+		} else {
+		    *buf++ = 0x83;
+		    *buf++ = b[1];
+		    *buf++ = b[2];
+		    *buf++ = b[3];
+		}
+	    } else {
+		*buf++ = 0x82;
+		*buf++ = b[2];
+		*buf++ = b[3];
+	    }
+	} else {
+	    *buf++ = 0x81;
+	    *buf++ = b[3];
+	}
+    } else {
+	*buf++ = b[3];
+    }
+    return buf;
+}
+
+/*
+ * XXX This should be rewritten, generalized, to take a long instead
+ * of an int32.
+ */
+SECStatus
+DER_SetInteger(PRArenaPool *arena, SECItem *it, int32 i)
+{
+    unsigned char bb[4];
+    unsigned len;
+
+    bb[0] = (unsigned char) (i >> 24);
+    bb[1] = (unsigned char) (i >> 16);
+    bb[2] = (unsigned char) (i >> 8);
+    bb[3] = (unsigned char) (i);
+
+    /*
+    ** Small integers are encoded in a single byte. Larger integers
+    ** require progressively more space.
+    */
+    if (i < -128) {
+	if (i < -32768L) {
+	    if (i < -8388608L) {
+		len = 4;
+	    } else {
+		len = 3;
+	    }
+	} else {
+	    len = 2;
+	}
+    } else if (i > 127) {
+	if (i > 32767L) {
+	    if (i > 8388607L) {
+		len = 4;
+	    } else {
+		len = 3;
+	    }
+	} else {
+	    len = 2;
+	}
+    } else {
+	len = 1;
+    }
+    it->data = (unsigned char*) PORT_ArenaAlloc(arena, len);
+    if (!it->data) {
+	return SECFailure;
+    }
+    it->len = len;
+    PORT_Memcpy(it->data, bb + (4 - len), len);
+    return SECSuccess;
+}
+
+/*
+ * XXX This should be rewritten, generalized, to take an unsigned long instead
+ * of a uint32.
+ */
+SECStatus
+DER_SetUInteger(PRArenaPool *arena, SECItem *it, uint32 ui)
+{
+    unsigned char bb[5];
+    int len;
+
+    bb[0] = 0;
+    bb[1] = (unsigned char) (ui >> 24);
+    bb[2] = (unsigned char) (ui >> 16);
+    bb[3] = (unsigned char) (ui >> 8);
+    bb[4] = (unsigned char) (ui);
+
+    /*
+    ** Small integers are encoded in a single byte. Larger integers
+    ** require progressively more space.
+    */
+    if (ui > 0x7f) {
+	if (ui > 0x7fff) {
+	    if (ui > 0x7fffffL) {
+		if (ui >= 0x80000000L) {
+		    len = 5;
+		} else {
+		    len = 4;
+		}
+	    } else {
+		len = 3;
+	    }
+	} else {
+	    len = 2;
+	}
+    } else {
+	len = 1;
+    }
+
+    it->data = (unsigned char *)PORT_ArenaAlloc(arena, len);
+    if (it->data == NULL) {
+	return SECFailure;
+    }
+
+    it->len = len;
+    PORT_Memcpy(it->data, bb + (sizeof(bb) - len), len);
+
+    return SECSuccess;
+}
+
+/*
+** Convert a der encoded *signed* integer into a machine integral value.
+** If an underflow/overflow occurs, sets error code and returns min/max.
+*/
+long
+DER_GetInteger(SECItem *it)
+{
+    long ival = 0;
+    unsigned len = it->len;
+    unsigned char *cp = it->data;
+    unsigned long overflow = ((unsigned long)0xffL) << ((sizeof(ival) - 1)*8);
+
+    while (len) {
+	if (ival & overflow) {
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    if (ival < 0) {
+		return LONG_MIN;
+	    }
+	    return LONG_MAX;
+	}
+	ival = ival << 8;
+	ival |= *cp++;
+	--len;
+    }
+    return ival;
+}
+
+/*
+** Convert a der encoded *unsigned* integer into a machine integral value.
+** If an underflow/overflow occurs, sets error code and returns min/max.
+*/
+unsigned long
+DER_GetUInteger(SECItem *it)
+{
+    unsigned long ival = 0;
+    unsigned len = it->len;
+    unsigned char *cp = it->data;
+    unsigned long overflow = ((unsigned long)0xffL) << ((sizeof(ival) - 1)*8);
+
+    /* Cannot put a negative value into an unsigned container. */
+    if (*cp & 0x80) {
+	PORT_SetError(SEC_ERROR_BAD_DER);
+	return 0;
+    }
+
+    while (len) {
+	if (ival & overflow) {
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    return ULONG_MAX;
+	}
+	ival = ival << 8;
+	ival |= *cp++;
+	--len;
+    }
+    return ival;
+}
diff --git a/security/nss/lib/util/dertime.c b/security/nss/lib/util/dertime.c
new file mode 100644
index 000000000..5fbdca656
--- /dev/null
+++ b/security/nss/lib/util/dertime.c
@@ -0,0 +1,334 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "prtypes.h"
+#include "prtime.h"
+#include "secder.h"
+#include "prlong.h"
+#include "secerr.h"
+
+#define HIDIGIT(v) (((v) / 10) + '0')
+#define LODIGIT(v) (((v) % 10) + '0')
+
+#define C_SINGLE_QUOTE '\047'
+
+#define DIGITHI(dig) (((dig) - '0') * 10)
+#define DIGITLO(dig) ((dig) - '0')
+#define ISDIGIT(dig) (((dig) >= '0') && ((dig) <= '9'))
+#define CAPTURE(var,p,label)				  \
+{							  \
+    if (!ISDIGIT((p)[0]) || !ISDIGIT((p)[1])) goto label; \
+    (var) = ((p)[0] - '0') * 10 + ((p)[1] - '0');	  \
+}
+
+#define SECMIN ((time_t) 60L)
+#define SECHOUR (60L*SECMIN)
+#define SECDAY (24L*SECHOUR)
+#define SECYEAR (365L*SECDAY)
+
+static long monthToDayInYear[12] = {
+    0,
+    31,
+    31+28,
+    31+28+31,
+    31+28+31+30,
+    31+28+31+30+31,
+    31+28+31+30+31+30,
+    31+28+31+30+31+30+31,
+    31+28+31+30+31+30+31+31,
+    31+28+31+30+31+30+31+31+30,
+    31+28+31+30+31+30+31+31+30+31,
+    31+28+31+30+31+30+31+31+30+31+30,
+};
+
+/* gmttime must contains UTC time in micro-seconds unit */
+SECStatus
+DER_TimeToUTCTime(SECItem *dst, int64 gmttime)
+{
+    PRExplodedTime printableTime;
+    unsigned char *d;
+
+    dst->len = 13;
+    dst->data = d = (unsigned char*) PORT_Alloc(13);
+    if (!d) {
+	return SECFailure;
+    }
+
+    /* Convert an int64 time to a printable format.  */
+    PR_ExplodeTime(gmttime, PR_GMTParameters, &printableTime);
+
+    /* The month in UTC time is base one */
+    printableTime.tm_month++;
+
+    /* UTC time does not handle the years before 1950 */
+    if (printableTime.tm_year < 1950)
+	    return SECFailure;
+
+    /* remove the century since it's added to the tm_year by the 
+       PR_ExplodeTime routine, but is not needed for UTC time */
+    printableTime.tm_year %= 100; 
+
+    d[0] = HIDIGIT(printableTime.tm_year);
+    d[1] = LODIGIT(printableTime.tm_year);
+    d[2] = HIDIGIT(printableTime.tm_month);
+    d[3] = LODIGIT(printableTime.tm_month);
+    d[4] = HIDIGIT(printableTime.tm_mday);
+    d[5] = LODIGIT(printableTime.tm_mday);
+    d[6] = HIDIGIT(printableTime.tm_hour);
+    d[7] = LODIGIT(printableTime.tm_hour);
+    d[8] = HIDIGIT(printableTime.tm_min);
+    d[9] = LODIGIT(printableTime.tm_min);
+    d[10] = HIDIGIT(printableTime.tm_sec);
+    d[11] = LODIGIT(printableTime.tm_sec);
+    d[12] = 'Z';
+    return SECSuccess;
+}
+
+SECStatus
+DER_AsciiToTime(int64 *dst, char *string)
+{
+    long year, month, mday, hour, minute, second, hourOff, minOff, days;
+    int64 result, tmp1, tmp2;
+    
+    /* Verify time is formatted properly and capture information */
+    second = 0;
+    hourOff = 0;
+    minOff = 0;
+    CAPTURE(year,string+0,loser);
+    if (year < 50) {
+	/* ASSUME that year # is in the 2000's, not the 1900's */
+	year += 100;
+    }
+    CAPTURE(month,string+2,loser);
+    if ((month == 0) || (month > 12)) goto loser;
+    CAPTURE(mday,string+4,loser);
+    if ((mday == 0) || (mday > 31)) goto loser;
+    CAPTURE(hour,string+6,loser);
+    if (hour > 23) goto loser;
+    CAPTURE(minute,string+8,loser);
+    if (minute > 59) goto loser;
+    if (ISDIGIT(string[10])) {
+	CAPTURE(second,string+10,loser);
+	if (second > 59) goto loser;
+	string += 2;
+    }
+    if (string[10] == '+') {
+	CAPTURE(hourOff,string+11,loser);
+	if (hourOff > 23) goto loser;
+	CAPTURE(minOff,string+13,loser);
+	if (minOff > 59) goto loser;
+    } else if (string[10] == '-') {
+	CAPTURE(hourOff,string+11,loser);
+	if (hourOff > 23) goto loser;
+	hourOff = -hourOff;
+	CAPTURE(minOff,string+13,loser);
+	if (minOff > 59) goto loser;
+	minOff = -minOff;
+    } else if (string[10] != 'Z') {
+	goto loser;
+    }
+    
+    
+    /* Convert pieces back into a single value year  */
+    LL_I2L(tmp1, (year-70L));
+    LL_I2L(tmp2, SECYEAR);
+    LL_MUL(result, tmp1, tmp2);
+    
+    LL_I2L(tmp1, ( (mday-1L)*SECDAY + hour*SECHOUR + minute*SECMIN -
+		  hourOff*SECHOUR - minOff*SECMIN + second ) );
+    LL_ADD(result, result, tmp1);
+
+    /*
+    ** Have to specially handle the day in the month and the year, to
+    ** take into account leap days. The return time value is in
+    ** seconds since January 1st, 12:00am 1970, so start examining
+    ** the time after that. We can't represent a time before that.
+    */
+
+    /* Using two digit years, we can only represent dates from 1970
+       to 2069. As a result, we cannot run into the leap year rule
+       that states that 1700, 2100, etc. are not leap years (but 2000
+       is). In other words, there are no years in the span of time
+       that we can represent that are == 0 mod 4 but are not leap
+       years. Whew.
+       */
+
+    days = monthToDayInYear[month-1];
+    days += (year - 68)/4;
+
+    if (((year % 4) == 0) && (month < 3)) {
+	days--;
+    }
+   
+    LL_I2L(tmp1, (days * SECDAY) );
+    LL_ADD(result, result, tmp1 );
+
+    /* convert to micro seconds */
+    LL_I2L(tmp1, PR_USEC_PER_SEC);
+    LL_MUL(result, result, tmp1);
+
+    *dst = result;
+    return SECSuccess;
+
+  loser:
+    PORT_SetError(SEC_ERROR_INVALID_TIME);
+    return SECFailure;
+	
+}
+
+SECStatus
+DER_UTCTimeToTime(int64 *dst, SECItem *time)
+{
+    return DER_AsciiToTime(dst, (char*) time->data);
+}
+
+/*
+   gmttime must contains UTC time in micro-seconds unit.
+   Note: the caller should make sure that Generalized time
+   should only be used for certifiate validities after the
+   year 2049.  Otherwise, UTC time should be used.  This routine
+   does not check this case, since it can be used to encode
+   certificate extension, which does not have this restriction. 
+ */
+SECStatus
+DER_TimeToGeneralizedTime(SECItem *dst, int64 gmttime)
+{
+    PRExplodedTime printableTime;
+    unsigned char *d;
+
+    dst->len = 15;
+    dst->data = d = (unsigned char*) PORT_Alloc(15);
+    if (!d) {
+	return SECFailure;
+    }
+
+    /*Convert a int64 time to a printable format. This is a temporary call
+	  until we change to NSPR 2.0
+     */
+    PR_ExplodeTime(gmttime, PR_GMTParameters, &printableTime);
+
+    /* The month in Generalized time is base one */
+    printableTime.tm_month++;
+
+    d[0] = (printableTime.tm_year /1000) + '0';
+    d[1] = ((printableTime.tm_year % 1000) / 100) + '0';
+    d[2] = ((printableTime.tm_year % 100) / 10) + '0';
+    d[3] = (printableTime.tm_year % 10) + '0';
+    d[4] = HIDIGIT(printableTime.tm_month);
+    d[5] = LODIGIT(printableTime.tm_month);
+    d[6] = HIDIGIT(printableTime.tm_mday);
+    d[7] = LODIGIT(printableTime.tm_mday);
+    d[8] = HIDIGIT(printableTime.tm_hour);
+    d[9] = LODIGIT(printableTime.tm_hour);
+    d[10] = HIDIGIT(printableTime.tm_min);
+    d[11] = LODIGIT(printableTime.tm_min);
+    d[12] = HIDIGIT(printableTime.tm_sec);
+    d[13] = LODIGIT(printableTime.tm_sec);
+    d[14] = 'Z';
+    return SECSuccess;
+}
+
+/*
+    The caller should make sure that the generalized time should only
+    be used for the certificate validity after the year 2051; otherwise,
+    the certificate should be consider invalid!?
+ */
+SECStatus
+DER_GeneralizedTimeToTime(int64 *dst, SECItem *time)
+{
+    PRExplodedTime genTime;
+    char *string;
+    long hourOff, minOff;
+    uint16 century;
+
+    string = (char *)time->data;
+    PORT_Memset (&genTime, 0, sizeof (genTime));
+
+    /* Verify time is formatted properly and capture information */
+    hourOff = 0;
+    minOff = 0;
+
+    CAPTURE(century, string+0, loser);
+    century *= 100;
+    CAPTURE(genTime.tm_year,string+2,loser);
+    genTime.tm_year += century;
+
+    CAPTURE(genTime.tm_month,string+4,loser);
+    if ((genTime.tm_month == 0) || (genTime.tm_month > 12)) goto loser;
+
+    /* NSPR month base is 0 */
+    --genTime.tm_month;
+    
+    CAPTURE(genTime.tm_mday,string+6,loser);
+    if ((genTime.tm_mday == 0) || (genTime.tm_mday > 31)) goto loser;
+    
+    CAPTURE(genTime.tm_hour,string+8,loser);
+    if (genTime.tm_hour > 23) goto loser;
+    
+    CAPTURE(genTime.tm_min,string+10,loser);
+    if (genTime.tm_min > 59) goto loser;
+    
+    if (ISDIGIT(string[12])) {
+	CAPTURE(genTime.tm_sec,string+12,loser);
+	if (genTime.tm_sec > 59) goto loser;
+	string += 2;
+    }
+    if (string[12] == '+') {
+	CAPTURE(hourOff,string+13,loser);
+	if (hourOff > 23) goto loser;
+	CAPTURE(minOff,string+15,loser);
+	if (minOff > 59) goto loser;
+    } else if (string[12] == '-') {
+	CAPTURE(hourOff,string+13,loser);
+	if (hourOff > 23) goto loser;
+	hourOff = -hourOff;
+	CAPTURE(minOff,string+15,loser);
+	if (minOff > 59) goto loser;
+	minOff = -minOff;
+    } else if (string[12] != 'Z') {
+	goto loser;
+    }
+
+    /* Since the values of hourOff and minOff are small, there will
+       be no loss of data by the conversion to int8 */
+    /* Convert the GMT offset to seconds and save it it genTime
+       for the implode time process */
+    genTime.tm_params.tp_gmt_offset = (PRInt32)((hourOff * 60L + minOff) * 60L);
+    *dst = PR_ImplodeTime (&genTime);
+    return SECSuccess;
+
+  loser:
+    PORT_SetError(SEC_ERROR_INVALID_TIME);
+    return SECFailure;
+	
+}
diff --git a/security/nss/lib/util/manifest.mn b/security/nss/lib/util/manifest.mn
new file mode 100644
index 000000000..60ebb1fae
--- /dev/null
+++ b/security/nss/lib/util/manifest.mn
@@ -0,0 +1,91 @@
+# 
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+# 
+# The Original Code is the Netscape security libraries.
+# 
+# The Initial Developer of the Original Code is Netscape
+# Communications Corporation.  Portions created by Netscape are 
+# Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+# Rights Reserved.
+# 
+# Contributor(s):
+# 
+# Alternatively, the contents of this file may be used under the
+# terms of the GNU General Public License Version 2 or later (the
+# "GPL"), in which case the provisions of the GPL are applicable 
+# instead of those above.  If you wish to allow use of your 
+# version of this file only under the terms of the GPL and not to
+# allow others to use your version of this file under the MPL,
+# indicate your decision by deleting the provisions above and
+# replace them with the notice and other provisions required by
+# the GPL.  If you do not delete the provisions above, a recipient
+# may use your version of this file under either the MPL or the
+# GPL.
+#
+CORE_DEPTH = ../../..
+
+EXPORTS = \
+	base64.h \
+	ciferfam.h \
+	nssb64.h \
+	nssb64t.h \
+	nsslocks.h \
+	nssilock.h \
+	nssilckt.h \
+	nssrwlk.h \
+	nssrwlkt.h \
+	portreg.h \
+	pqgutil.h \
+	secasn1.h \
+	secasn1t.h \
+	seccomon.h \
+	secder.h \
+	secdert.h \
+	secdig.h \
+	secdigt.h \
+	secitem.h \
+	secoid.h \
+	secoidt.h \
+	secport.h \
+	secerr.h \
+	watcomfx.h \
+	$(NULL)
+
+MODULE = security
+
+CSRCS = \
+	secdig.c \
+	derdec.c \
+	derenc.c \
+	dersubr.c \
+	dertime.c \
+	nssb64d.c \
+	nssb64e.c \
+	nssrwlk.c \
+	nssilock.c \
+	nsslocks.c \
+	portreg.c \
+	pqgutil.c \
+	secalgid.c \
+	secasn1d.c \
+	secasn1e.c \
+	secasn1u.c \
+	secitem.c \
+	secoid.c \
+	sectime.c \
+	secport.c \
+	secinit.c \
+	utf8.c \
+	$(NULL)
+
+REQUIRES = security dbm
+
+LIBRARY_NAME = secutil
diff --git a/security/nss/lib/util/nssb64.h b/security/nss/lib/util/nssb64.h
new file mode 100644
index 000000000..1a813f3ea
--- /dev/null
+++ b/security/nss/lib/util/nssb64.h
@@ -0,0 +1,124 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Public prototypes for base64 encoding/decoding.
+ *
+ * $Id$
+ */
+#ifndef _NSSB64_H_
+#define _NSSB64_H_
+
+#include "seccomon.h"
+#include "nssb64t.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+ * Functions to start a base64 decoding/encoding context.
+ */
+
+extern NSSBase64Decoder *
+NSSBase64Decoder_Create (PRInt32 (*output_fn) (void *, const unsigned char *,
+					       PRInt32),
+			 void *output_arg);
+
+extern NSSBase64Encoder *
+NSSBase64Encoder_Create (PRInt32 (*output_fn) (void *, const char *, PRInt32),
+			 void *output_arg);
+
+/*
+ * Push data through the decoder/encoder, causing the output_fn (provided
+ * to Create) to be called with the decoded/encoded data.
+ */
+
+extern SECStatus
+NSSBase64Decoder_Update (NSSBase64Decoder *data, const char *buffer,
+			 PRUint32 size);
+
+extern SECStatus
+NSSBase64Encoder_Update (NSSBase64Encoder *data, const unsigned char *buffer,
+			 PRUint32 size);
+
+/*
+ * When you're done processing, call this to close the context.
+ * If "abort_p" is false, then calling this may cause the output_fn
+ * to be called one last time (as the last buffered data is flushed out).
+ */
+
+extern SECStatus
+NSSBase64Decoder_Destroy (NSSBase64Decoder *data, PRBool abort_p);
+
+extern SECStatus
+NSSBase64Encoder_Destroy (NSSBase64Encoder *data, PRBool abort_p);
+
+/*
+ * Perform base64 decoding from an ascii string "inStr" to an Item.
+ * The length of the input must be provided as "inLen".  The Item
+ * may be provided (as "outItemOpt"); you can also pass in a NULL
+ * and the Item will be allocated for you.
+ *
+ * In any case, the data within the Item will be allocated for you.
+ * All allocation will happen out of the passed-in "arenaOpt", if non-NULL.
+ * If "arenaOpt" is NULL, standard allocation (heap) will be used and
+ * you will want to free the result via SECITEM_FreeItem.
+ *
+ * Return value is NULL on error, the Item (allocated or provided) otherwise.
+ */
+extern SECItem *
+NSSBase64_DecodeBuffer (PRArenaPool *arenaOpt, SECItem *outItemOpt,
+			const char *inStr, unsigned int inLen);
+
+/*
+ * Perform base64 encoding of binary data "inItem" to an ascii string.
+ * The output buffer may be provided (as "outStrOpt"); you can also pass
+ * in a NULL and the buffer will be allocated for you.  The result will
+ * be null-terminated, and if the buffer is provided, "maxOutLen" must
+ * specify the maximum length of the buffer and will be checked to
+ * supply sufficient space space for the encoded result.  (If "outStrOpt"
+ * is NULL, "maxOutLen" is ignored.)
+ *
+ * If "outStrOpt" is NULL, allocation will happen out of the passed-in
+ * "arenaOpt", if *it* is non-NULL, otherwise standard allocation (heap)
+ * will be used.
+ *
+ * Return value is NULL on error, the output buffer (allocated or provided)
+ * otherwise.
+ */
+extern char *
+NSSBase64_EncodeItem (PRArenaPool *arenaOpt, char *outStrOpt,
+		      unsigned int maxOutLen, SECItem *inItem);
+
+SEC_END_PROTOS
+
+#endif /* _NSSB64_H_ */
diff --git a/security/nss/lib/util/nssb64d.c b/security/nss/lib/util/nssb64d.c
new file mode 100644
index 000000000..c49e38f87
--- /dev/null
+++ b/security/nss/lib/util/nssb64d.c
@@ -0,0 +1,861 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Base64 decoding (ascii to binary).
+ *
+ * $Id$
+ */
+
+#include "nssb64.h"
+#include "nspr.h"
+#include "secitem.h"
+#include "secerr.h"
+
+/*
+ * XXX We want this basic support to go into NSPR (the PL part).
+ * Until that can happen, the PL interface is going to be kept entirely
+ * internal here -- all static functions and opaque data structures.
+ * When someone can get it moved over into NSPR, that should be done:
+ *    - giving everything names that are accepted by the NSPR module owners
+ *	(though I tried to choose ones that would work without modification)
+ *    - exporting the functions (remove static declarations and add
+ *	PR_IMPLEMENT as necessary)
+ *    - put prototypes into appropriate header file (probably replacing
+ *	the entire current lib/libc/include/plbase64.h in NSPR)
+ *	along with a typedef for the context structure (which should be
+ *	kept opaque -- definition in the source file only, but typedef
+ *	ala "typedef struct PLBase64FooStr PLBase64Foo;" in header file)
+ *    - modify anything else as necessary to conform to NSPR required style
+ *	(I looked but found no formatting guide to follow)
+ *
+ * You will want to move over everything from here down to the comment
+ * which says "XXX End of base64 decoding code to be moved into NSPR",
+ * into a new file in NSPR.
+ */
+
+/*
+ **************************************************************
+ * XXX Beginning of base64 decoding code to be moved into NSPR.
+ */
+
+/*
+ * This typedef would belong in the NSPR header file (i.e. plbase64.h).
+ */
+typedef struct PLBase64DecoderStr PLBase64Decoder;
+
+/*
+ * The following implementation of base64 decoding was based on code
+ * found in libmime (specifically, in mimeenc.c).  It has been adapted to
+ * use PR types and naming as well as to provide other necessary semantics
+ * (like buffer-in/buffer-out in addition to "streaming" without undue
+ * performance hit of extra copying if you made the buffer versions
+ * use the output_fn).  It also incorporates some aspects of the current
+ * NSPR base64 decoding code.  As such, you may find similarities to
+ * both of those implementations.  I tried to use names that reflected
+ * the original code when possible.  For this reason you may find some
+ * inconsistencies -- libmime used lots of "in" and "out" whereas the
+ * NSPR version uses "src" and "dest"; sometimes I changed one to the other
+ * and sometimes I left them when I thought the subroutines were at least
+ * self-consistent.
+ */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * Opaque object used by the decoder to store state.
+ */
+struct PLBase64DecoderStr {
+    /* Current token (or portion, if token_size < 4) being decoded. */
+    unsigned char token[4];
+    int token_size;
+
+    /*
+     * Where to write the decoded data (used when streaming, not when
+     * doing all in-memory (buffer) operations).
+     *
+     * Note that this definition is chosen to be compatible with PR_Write.
+     */
+    PRInt32 (*output_fn) (void *output_arg, const unsigned char *buf,
+			  PRInt32 size);
+    void *output_arg;
+
+    /*
+     * Where the decoded output goes -- either temporarily (in the streaming
+     * case, staged here before it goes to the output function) or what will
+     * be the entire buffered result for users of the buffer version.
+     */
+    unsigned char *output_buffer;
+    PRUint32 output_buflen;	/* the total length of allocated buffer */
+    PRUint32 output_length;	/* the length that is currently populated */
+};
+
+PR_END_EXTERN_C
+
+
+/*
+ * Table to convert an ascii "code" to its corresponding binary value.
+ * For ease of use, the binary values in the table are the actual values
+ * PLUS ONE.  This is so that the special value of zero can denote an
+ * invalid mapping; that was much easier than trying to fill in the other
+ * values with some value other than zero, and to check for it.
+ * Just remember to SUBTRACT ONE when using the value retrieved.
+ */
+static unsigned char base64_codetovaluep1[256] = {
+/*   0: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0,
+/*   8: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0,
+/*  16: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0,
+/*  24: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0,
+/*  32: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0,
+/*  40: */	  0,	  0,	  0,	 63,	  0,	  0,	  0,	 64,
+/*  48: */	 53,	 54,	 55,	 56,	 57,	 58,	 59,	 60,
+/*  56: */	 61,	 62,	  0,	  0,	  0,	  0,	  0,	  0,
+/*  64: */	  0,	  1,	  2,	  3,	  4,	  5,	  6,	  7,
+/*  72: */	  8,	  9,	 10,	 11,	 12,	 13,	 14,	 15,
+/*  80: */	 16,	 17,	 18,	 19,	 20,	 21,	 22,	 23,
+/*  88: */	 24,	 25,	 26,	  0,	  0,	  0,	  0,	  0,
+/*  96: */	  0,	 27,	 28,	 29,	 30,	 31,	 32,	 33,
+/* 104: */	 34,	 35,	 36,	 37,	 38,	 39,	 40,	 41,
+/* 112: */	 42,	 43,	 44,	 45,	 46,	 47,	 48,	 49,
+/* 120: */	 50,	 51,	 52,	  0,	  0,	  0,	  0,	  0,
+/* 128: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0
+/* and rest are all zero as well */
+};
+
+#define B64_PAD	'='
+
+
+/*
+ * Reads 4; writes 3 (known, or expected, to have no trailing padding).
+ * Returns bytes written; -1 on error (unexpected character).
+ */
+static int
+pl_base64_decode_4to3 (const unsigned char *in, unsigned char *out)
+{
+    int j;
+    PRUint32 num = 0;
+    unsigned char bits;
+
+    for (j = 0; j < 4; j++) {
+	bits = base64_codetovaluep1[in[j]];
+	if (bits == 0)
+	    return -1;
+	num = (num << 6) | (bits - 1);
+    }
+
+    out[0] = (unsigned char) (num >> 16);
+    out[1] = (unsigned char) ((num >> 8) & 0xFF);
+    out[2] = (unsigned char) (num & 0xFF);
+
+    return 3;
+}
+
+/*
+ * Reads 3; writes 2 (caller already confirmed EOF or trailing padding).
+ * Returns bytes written; -1 on error (unexpected character).
+ */
+static int
+pl_base64_decode_3to2 (const unsigned char *in, unsigned char *out)
+{
+    PRUint32 num = 0;
+    unsigned char bits1, bits2, bits3;
+
+    bits1 = base64_codetovaluep1[in[0]];
+    bits2 = base64_codetovaluep1[in[1]];
+    bits3 = base64_codetovaluep1[in[2]];
+
+    if ((bits1 == 0) || (bits2 == 0) || (bits3 == 0))
+	return -1;
+
+    num = ((PRUint32)(bits1 - 1)) << 10;
+    num |= ((PRUint32)(bits2 - 1)) << 4;
+    num |= ((PRUint32)(bits3 - 1)) >> 2;
+
+    out[0] = (unsigned char) (num >> 8);
+    out[1] = (unsigned char) (num & 0xFF);
+
+    return 2;
+}
+
+/*
+ * Reads 2; writes 1 (caller already confirmed EOF or trailing padding).
+ * Returns bytes written; -1 on error (unexpected character).
+ */
+static int
+pl_base64_decode_2to1 (const unsigned char *in, unsigned char *out)
+{
+    PRUint32 num = 0;
+    unsigned char bits1, bits2;
+
+    bits1 = base64_codetovaluep1[in[0]];
+    bits2 = base64_codetovaluep1[in[1]];
+
+    if ((bits1 == 0) || (bits2 == 0))
+	return -1;
+
+    num = ((PRUint32)(bits1 - 1)) << 2;
+    num |= ((PRUint32)(bits2 - 1)) >> 4;
+
+    out[0] = (unsigned char) num;
+
+    return 1;
+}
+
+/*
+ * Reads 4; writes 0-3.  Returns bytes written or -1 on error.
+ * (Writes less than 3 only at (presumed) EOF.)
+ */
+static int
+pl_base64_decode_token (const unsigned char *in, unsigned char *out)
+{
+    if (in[3] != B64_PAD)
+	return pl_base64_decode_4to3 (in, out);
+
+    if (in[2] == B64_PAD)
+	return pl_base64_decode_2to1 (in, out);
+
+    return pl_base64_decode_3to2 (in, out);
+}
+
+static PRStatus
+pl_base64_decode_buffer (PLBase64Decoder *data, const unsigned char *in,
+			 PRUint32 length)
+{
+    unsigned char *out = data->output_buffer;
+    unsigned char *token = data->token;
+    int i, n = 0;
+
+    i = data->token_size;
+    data->token_size = 0;
+
+    while (length > 0) {
+	while (i < 4 && length > 0) {
+	    /*
+	     * XXX Note that the following simply ignores any unexpected
+	     * characters.  This is exactly what the original code in
+	     * libmime did, and I am leaving it.  We certainly want to skip
+	     * over whitespace (we must); this does much more than that.
+	     * I am not confident changing it, and I don't want to slow
+	     * the processing down doing more complicated checking, but
+	     * someone else might have different ideas in the future.
+	     */
+	    if (base64_codetovaluep1[*in] > 0 || *in == B64_PAD)
+		token[i++] = *in;
+	    in++;
+	    length--;
+	}
+
+	if (i < 4) {
+	    /* Didn't get enough for a complete token. */
+	    data->token_size = i;
+	    break;
+	}
+	i = 0;
+
+	PR_ASSERT((out - data->output_buffer + 3) <= data->output_buflen);
+
+	/*
+	 * Assume we are not at the end; the following function only works
+	 * for an internal token (no trailing padding characters) but is
+	 * faster that way.  If it hits an invalid character (padding) it
+	 * will return an error; we break out of the loop and try again
+	 * calling the routine that will handle a final token.
+	 * Note that we intentionally do it this way rather than explicitly
+	 * add a check for padding here (because that would just slow down
+	 * the normal case) nor do we rely on checking whether we have more
+	 * input to process (because that would also slow it down but also
+	 * because we want to allow trailing garbage, especially white space
+	 * and cannot tell that without read-ahead, also a slow proposition).
+	 * Whew.  Understand?
+	 */
+	n = pl_base64_decode_4to3 (token, out);
+	if (n < 0)
+	    break;
+
+	/* Advance "out" by the number of bytes just written to it. */
+	out += n;
+	n = 0;
+    }
+
+    /*
+     * See big comment above, before call to pl_base64_decode_4to3.
+     * Here we check if we error'd out of loop, and allow for the case
+     * that we are processing the last interesting token.  If the routine
+     * which should handle padding characters also fails, then we just
+     * have bad input and give up.
+     */
+    if (n < 0) {
+	n = pl_base64_decode_token (token, out);
+	if (n < 0)
+	    return PR_FAILURE;
+
+	out += n;
+    }
+
+    /*
+     * As explained above, we can get here with more input remaining, but
+     * it should be all characters we do not care about (i.e. would be
+     * ignored when transferring from "in" to "token" in loop above,
+     * except here we choose to ignore extraneous pad characters, too).
+     * Swallow it, performing that check.  If we find more characters that
+     * we would expect to decode, something is wrong.
+     */
+    while (length > 0) {
+	if (base64_codetovaluep1[*in] > 0)
+	    return PR_FAILURE;
+	in++;
+	length--;
+    }
+
+    /* Record the length of decoded data we have left in output_buffer. */
+    data->output_length = (PRUint32) (out - data->output_buffer);
+    return PR_SUCCESS;
+}
+
+/*
+ * Flush any remaining buffered characters.  Given well-formed input,
+ * this will have nothing to do.  If the input was missing the padding
+ * characters at the end, though, there could be 1-3 characters left
+ * behind -- we will tolerate that by adding the padding for them.
+ */
+static PRStatus
+pl_base64_decode_flush (PLBase64Decoder *data)
+{
+    int count;
+
+    /*
+     * If no remaining characters, or all are padding (also not well-formed
+     * input, but again, be tolerant), then nothing more to do.  (And, that
+     * is considered successful.)
+     */
+    if (data->token_size == 0 || data->token[0] == B64_PAD)
+	return PR_SUCCESS;
+
+    /*
+     * Assume we have all the interesting input except for some expected
+     * padding characters.  Add them and decode the resulting token.
+     */
+    while (data->token_size < 4)
+	data->token[data->token_size++] = B64_PAD;
+
+    data->token_size = 0;	/* so a subsequent flush call is a no-op */
+
+    count = pl_base64_decode_token (data->token,
+				    data->output_buffer + data->output_length);
+    if (count < 0)
+	return PR_FAILURE;
+
+    /*
+     * If there is an output function, call it with this last bit of data.
+     * Otherwise we are doing all buffered output, and the decoded bytes
+     * are now there, we just need to reflect that in the length.
+     */
+    if (data->output_fn != NULL) {
+	PRInt32 output_result;
+
+	PR_ASSERT(data->output_length == 0);
+	output_result = data->output_fn (data->output_arg,
+					 data->output_buffer,
+					 (PRInt32) count);
+	if (output_result < 0)
+	    return  PR_FAILURE;
+    } else {
+	data->output_length += count;
+    }
+
+    return PR_SUCCESS;
+}
+
+
+/*
+ * The maximum space needed to hold the output of the decoder given
+ * input data of length "size".
+ */
+static PRUint32
+PL_Base64MaxDecodedLength (PRUint32 size)
+{
+    return ((size * 3) / 4);
+}
+
+
+/*
+ * A distinct internal creation function for the buffer version to use.
+ * (It does not want to specify an output_fn, and we want the normal
+ * Create function to require that.)  If more common initialization
+ * of the decoding context needs to be done, it should be done *here*.
+ */
+static PLBase64Decoder *
+pl_base64_create_decoder (void)
+{
+    return PR_NEWZAP(PLBase64Decoder);
+}
+
+/*
+ * Function to start a base64 decoding context.
+ * An "output_fn" is required; the "output_arg" parameter to that is optional.
+ */
+static PLBase64Decoder *
+PL_CreateBase64Decoder (PRInt32 (*output_fn) (void *, const unsigned char *,
+					      PRInt32),
+			void *output_arg)
+{
+    PLBase64Decoder *data;
+
+    if (output_fn == NULL) {
+	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
+	return NULL;
+    }
+
+    data = pl_base64_create_decoder ();
+    if (data != NULL) {
+	data->output_fn = output_fn;
+	data->output_arg = output_arg;
+    }
+    return data;
+}
+
+
+/*
+ * Push data through the decoder, causing the output_fn (provided to Create)
+ * to be called with the decoded data.
+ */
+static PRStatus
+PL_UpdateBase64Decoder (PLBase64Decoder *data, const char *buffer,
+			PRUint32 size)
+{
+    PRUint32 need_length;
+    PRStatus status;
+
+    /* XXX Should we do argument checking only in debug build? */
+    if (data == NULL || buffer == NULL || size == 0) {
+	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
+	return PR_FAILURE;
+    }
+
+    /*
+     * How much space could this update need for decoding?
+     */
+    need_length = PL_Base64MaxDecodedLength (size + data->token_size);
+
+    /*
+     * Make sure we have at least that much.  If not, (re-)allocate.
+     */
+    if (need_length > data->output_buflen) {
+	unsigned char *output_buffer = data->output_buffer;
+
+	if (output_buffer != NULL)
+	    output_buffer = (unsigned char *) PR_Realloc(output_buffer,
+							 need_length);
+	else
+	    output_buffer = (unsigned char *) PR_Malloc(need_length);
+
+	if (output_buffer == NULL)
+	    return PR_FAILURE;
+
+	data->output_buffer = output_buffer;
+	data->output_buflen = need_length;
+    }
+
+    /* There should not have been any leftover output data in the buffer. */
+    PR_ASSERT(data->output_length == 0);
+    data->output_length = 0;
+
+    status = pl_base64_decode_buffer (data, (const unsigned char *) buffer,
+				      size);
+
+    /* Now that we have some decoded data, write it. */
+    if (status == PR_SUCCESS && data->output_length > 0) {
+	PRInt32 output_result;
+
+	PR_ASSERT(data->output_fn != NULL);
+	output_result = data->output_fn (data->output_arg,
+					 data->output_buffer,
+					 (PRInt32) data->output_length);
+	if (output_result < 0)
+	    status = PR_FAILURE;
+    }
+
+    data->output_length = 0;
+    return status;
+}
+
+
+/*
+ * When you're done decoding, call this to free the data.  If "abort_p"
+ * is false, then calling this may cause the output_fn to be called
+ * one last time (as the last buffered data is flushed out).
+ */
+static PRStatus
+PL_DestroyBase64Decoder (PLBase64Decoder *data, PRBool abort_p)
+{
+    PRStatus status = PR_SUCCESS;
+
+    /* XXX Should we do argument checking only in debug build? */
+    if (data == NULL) {
+	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
+	return PR_FAILURE;
+    }
+
+    /* Flush out the last few buffered characters. */
+    if (!abort_p)
+	status = pl_base64_decode_flush (data);
+
+    if (data->output_buffer != NULL)
+	PR_Free(data->output_buffer);
+    PR_Free(data);
+
+    return status;
+}
+
+
+/*
+ * Perform base64 decoding from an input buffer to an output buffer.
+ * The output buffer can be provided (as "dest"); you can also pass in
+ * a NULL and this function will allocate a buffer large enough for you,
+ * and return it.  If you do provide the output buffer, you must also
+ * provide the maximum length of that buffer (as "maxdestlen").
+ * The actual decoded length of output will be returned to you in
+ * "output_destlen".
+ *
+ * Return value is NULL on error, the output buffer (allocated or provided)
+ * otherwise.
+ */
+static unsigned char *
+PL_Base64DecodeBuffer (const char *src, PRUint32 srclen, unsigned char *dest,
+		       PRUint32 maxdestlen, PRUint32 *output_destlen)
+{
+    PRUint32 need_length;
+    unsigned char *output_buffer = NULL;
+    PLBase64Decoder *data = NULL;
+    PRStatus status;
+
+    PR_ASSERT(srclen > 0);
+    if (srclen == 0)
+	return dest;
+
+    /*
+     * How much space could we possibly need for decoding this input?
+     */
+    need_length = PL_Base64MaxDecodedLength (srclen);
+
+    /*
+     * Make sure we have at least that much, if output buffer provided.
+     * If no output buffer provided, then we allocate that much.
+     */
+    if (dest != NULL) {
+	PR_ASSERT(maxdestlen >= need_length);
+	if (maxdestlen < need_length) {
+	    PR_SetError(PR_BUFFER_OVERFLOW_ERROR, 0);
+	    goto loser;
+	}
+	output_buffer = dest;
+    } else {
+	output_buffer = (unsigned char *) PR_Malloc(need_length);
+	if (output_buffer == NULL)
+	    goto loser;
+	maxdestlen = need_length;
+    }
+
+    data = pl_base64_create_decoder();
+    if (data == NULL)
+	goto loser;
+
+    data->output_buflen = maxdestlen;
+    data->output_buffer = output_buffer;
+
+    status = pl_base64_decode_buffer (data, (const unsigned char *) src,
+				      srclen);
+
+    /*
+     * We do not wait for Destroy to flush, because Destroy will also
+     * get rid of our decoder context, which we need to look at first!
+     */
+    if (status == PR_SUCCESS)
+	status = pl_base64_decode_flush (data);
+
+    /* Must clear this or Destroy will free it. */
+    data->output_buffer = NULL;
+
+    if (status == PR_SUCCESS) {
+	*output_destlen = data->output_length;
+	status = PL_DestroyBase64Decoder (data, PR_FALSE);
+	data = NULL;
+	if (status == PR_FAILURE)
+	    goto loser;
+	return output_buffer;
+    }
+
+loser:
+    if (dest == NULL && output_buffer != NULL)
+	PR_Free(output_buffer);
+    if (data != NULL)
+	(void) PL_DestroyBase64Decoder (data, PR_TRUE);
+    return NULL;
+}
+
+
+/*
+ * XXX End of base64 decoding code to be moved into NSPR.
+ ********************************************************
+ */
+
+/*
+ * This is the beginning of the NSS cover functions.  These will
+ * provide the interface we want to expose as NSS-ish.  For example,
+ * they will operate on our Items, do any special handling or checking
+ * we want to do, etc.
+ */
+
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * A boring cover structure for now.  Perhaps someday it will include
+ * some more interesting fields.
+ */
+struct NSSBase64DecoderStr {
+    PLBase64Decoder *pl_data;
+};
+
+PR_END_EXTERN_C
+
+
+/*
+ * Function to start a base64 decoding context.
+ */
+NSSBase64Decoder *
+NSSBase64Decoder_Create (PRInt32 (*output_fn) (void *, const unsigned char *,
+					       PRInt32),
+			 void *output_arg)
+{
+    PLBase64Decoder *pl_data;
+    NSSBase64Decoder *nss_data;
+
+    nss_data = PORT_ZNew(NSSBase64Decoder);
+    if (nss_data == NULL)
+	return NULL;
+
+    pl_data = PL_CreateBase64Decoder (output_fn, output_arg);
+    if (pl_data == NULL) {
+	PORT_Free(nss_data);
+	return NULL;
+    }
+
+    nss_data->pl_data = pl_data;
+    return nss_data;
+}
+
+
+/*
+ * Push data through the decoder, causing the output_fn (provided to Create)
+ * to be called with the decoded data.
+ */
+SECStatus
+NSSBase64Decoder_Update (NSSBase64Decoder *data, const char *buffer,
+			 PRUint32 size)
+{
+    PRStatus pr_status;
+
+    /* XXX Should we do argument checking only in debug build? */
+    if (data == NULL) {
+	PORT_SetError (SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    pr_status = PL_UpdateBase64Decoder (data->pl_data, buffer, size);
+    if (pr_status == PR_FAILURE)
+	return SECFailure;
+
+    return SECSuccess;
+}
+
+
+/*
+ * When you're done decoding, call this to free the data.  If "abort_p"
+ * is false, then calling this may cause the output_fn to be called
+ * one last time (as the last buffered data is flushed out).
+ */
+SECStatus
+NSSBase64Decoder_Destroy (NSSBase64Decoder *data, PRBool abort_p)
+{
+    PRStatus pr_status;
+
+    /* XXX Should we do argument checking only in debug build? */
+    if (data == NULL) {
+	PORT_SetError (SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    pr_status = PL_DestroyBase64Decoder (data->pl_data, abort_p);
+
+    PORT_Free(data);
+
+    if (pr_status == PR_FAILURE)
+	return SECFailure;
+
+    return SECSuccess;
+}
+
+
+/*
+ * Perform base64 decoding from an ascii string "inStr" to an Item.
+ * The length of the input must be provided as "inLen".  The Item
+ * may be provided (as "outItemOpt"); you can also pass in a NULL
+ * and the Item will be allocated for you.
+ *
+ * In any case, the data within the Item will be allocated for you.
+ * All allocation will happen out of the passed-in "arenaOpt", if non-NULL.
+ * If "arenaOpt" is NULL, standard allocation (heap) will be used and
+ * you will want to free the result via SECITEM_FreeItem.
+ *
+ * Return value is NULL on error, the Item (allocated or provided) otherwise.
+ */
+SECItem *
+NSSBase64_DecodeBuffer (PRArenaPool *arenaOpt, SECItem *outItemOpt,
+			const char *inStr, unsigned int inLen)
+{
+    SECItem *out_item = outItemOpt;
+    PRUint32 max_out_len = PL_Base64MaxDecodedLength (inLen);
+    PRUint32 out_len;
+    void *mark = NULL;
+    unsigned char *dummy;
+
+    PORT_Assert(outItemOpt == NULL || outItemOpt->data == NULL);
+
+    if (arenaOpt != NULL)
+	mark = PORT_ArenaMark (arenaOpt);
+
+    out_item = SECITEM_AllocItem (arenaOpt, outItemOpt, max_out_len);
+    if (out_item == NULL) {
+	if (arenaOpt != NULL)
+	    PORT_ArenaRelease (arenaOpt, mark);
+	return NULL;
+    }
+
+    dummy = PL_Base64DecodeBuffer (inStr, inLen, out_item->data,
+				   max_out_len, &out_len);
+    if (dummy == NULL) {
+	if (arenaOpt != NULL) {
+	    PORT_ArenaRelease (arenaOpt, mark);
+	    if (outItemOpt != NULL) {
+		outItemOpt->data = NULL;
+		outItemOpt->len = 0;
+	    }
+	} else {
+	    SECITEM_FreeItem (out_item,
+			      (outItemOpt == NULL) ? PR_TRUE : PR_FALSE);
+	}
+	return NULL;
+    }
+
+    if (arenaOpt != NULL)
+	PORT_ArenaUnmark (arenaOpt, mark);
+    out_item->len = out_len;
+    return out_item;
+}
+
+
+/*
+ * XXX Everything below is deprecated.  If you add new stuff, put it
+ * *above*, not below.
+ */
+
+/*
+ * XXX The following "ATOB" functions are provided for backward compatibility
+ * with current code.  They should be considered strongly deprecated.
+ * When we can convert all our code over to using the new NSSBase64Decoder_
+ * functions defined above, we should get rid of these altogether.  (Remove
+ * protoypes from base64.h as well -- actually, remove that file completely).
+ * If someone thinks either of these functions provides such a very useful
+ * interface (though, as shown, the same functionality can already be
+ * obtained by calling NSSBase64_DecodeBuffer directly), fine -- but then
+ * that API should be provided with a nice new NSSFoo name and using
+ * appropriate types, etc.
+ */
+
+#include "base64.h"
+
+/*
+** Return an PORT_Alloc'd string which is the base64 decoded version
+** of the input string; set *lenp to the length of the returned data.
+*/
+unsigned char *
+ATOB_AsciiToData(const char *string, unsigned int *lenp)
+{
+    SECItem binary_item, *dummy;
+
+    binary_item.data = NULL;
+    binary_item.len = 0;
+
+    dummy = NSSBase64_DecodeBuffer (NULL, &binary_item, string,
+				    (PRUint32) PORT_Strlen(string));
+    if (dummy == NULL)
+	return NULL;
+
+    PORT_Assert(dummy == &binary_item);
+
+    *lenp = dummy->len;
+    return dummy->data;
+}
+ 
+/*
+** Convert from ascii to binary encoding of an item.
+*/
+SECStatus
+ATOB_ConvertAsciiToItem(SECItem *binary_item, char *ascii)
+{
+    SECItem *dummy;
+
+    if (binary_item == NULL) {
+	PORT_SetError (SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    /*
+     * XXX Would prefer to assert here if data is non-null (actually,
+     * don't need to, just let NSSBase64_DecodeBuffer do it), so as to
+     * to catch unintended memory leaks, but callers are not clean in
+     * this respect so we need to explicitly clear here to avoid the
+     * assert in NSSBase64_DecodeBuffer.
+     */
+    binary_item->data = NULL;
+    binary_item->len = 0;
+
+    dummy = NSSBase64_DecodeBuffer (NULL, binary_item, ascii,
+				    (PRUint32) PORT_Strlen(ascii));
+
+    if (dummy == NULL)
+	return SECFailure;
+
+    return SECSuccess;
+}
diff --git a/security/nss/lib/util/nssb64e.c b/security/nss/lib/util/nssb64e.c
new file mode 100644
index 000000000..9c802abcd
--- /dev/null
+++ b/security/nss/lib/util/nssb64e.c
@@ -0,0 +1,762 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Base64 encoding (binary to ascii).
+ *
+ * $Id$
+ */
+
+#include "nssb64.h"
+#include "nspr.h"
+#include "secitem.h"
+#include "secerr.h"
+
+/*
+ * XXX See the big comment at the top of nssb64d.c about moving the
+ * bulk of this code over into NSPR (the PL part).  It all applies
+ * here but I didn't want to duplicate it, to avoid divergence problems.
+ */ 
+
+/*
+ **************************************************************
+ * XXX Beginning of base64 encoding code to be moved into NSPR.
+ */
+
+
+struct PLBase64EncodeStateStr {
+    unsigned chunks;
+    unsigned saved;
+    unsigned char buf[3];
+};
+
+/*
+ * This typedef would belong in the NSPR header file (i.e. plbase64.h).
+ */
+typedef struct PLBase64EncoderStr PLBase64Encoder;
+
+/*
+ * The following implementation of base64 encoding was based on code
+ * found in libmime (specifically, in mimeenc.c).  It has been adapted to
+ * use PR types and naming as well as to provide other necessary semantics
+ * (like buffer-in/buffer-out in addition to "streaming" without undue
+ * performance hit of extra copying if you made the buffer versions
+ * use the output_fn).  It also incorporates some aspects of the current
+ * NSPR base64 encoding code.  As such, you may find similarities to
+ * both of those implementations.  I tried to use names that reflected
+ * the original code when possible.  For this reason you may find some
+ * inconsistencies -- libmime used lots of "in" and "out" whereas the
+ * NSPR version uses "src" and "dest"; sometimes I changed one to the other
+ * and sometimes I left them when I thought the subroutines were at least
+ * self-consistent.
+ */
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * Opaque object used by the encoder to store state.
+ */
+struct PLBase64EncoderStr {
+    /*
+     * The one or two bytes pending.  (We need 3 to create a "token",
+     * and hold the leftovers here.  in_buffer_count is *only* ever
+     * 0, 1, or 2.
+     */
+    unsigned char in_buffer[2];
+    int in_buffer_count;
+
+    /*
+     * If the caller wants linebreaks added, line_length specifies
+     * where they come out.  It must be a multiple of 4; if the caller
+     * provides one that isn't, we round it down to the nearest
+     * multiple of 4.
+     *
+     * The value of current_column counts how many characters have been
+     * added since the last linebreaks (or since the beginning, on the
+     * first line).  It is also always a multiple of 4; it is unused when
+     * line_length is 0.
+     */ 
+    PRUint32 line_length;
+    PRUint32 current_column;
+
+    /*
+     * Where to write the encoded data (used when streaming, not when
+     * doing all in-memory (buffer) operations).
+     *
+     * Note that this definition is chosen to be compatible with PR_Write.
+     */
+    PRInt32 (*output_fn) (void *output_arg, const char *buf, PRInt32 size);
+    void *output_arg;
+
+    /*
+     * Where the encoded output goes -- either temporarily (in the streaming
+     * case, staged here before it goes to the output function) or what will
+     * be the entire buffered result for users of the buffer version.
+     */
+    char *output_buffer;
+    PRUint32 output_buflen;	/* the total length of allocated buffer */
+    PRUint32 output_length;	/* the length that is currently populated */
+};
+
+PR_END_EXTERN_C
+
+
+/*
+ * Table to convert a binary value to its corresponding ascii "code".
+ */
+static unsigned char base64_valuetocode[64] =
+    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+#define B64_PAD	'='
+#define B64_CR	'\r'
+#define B64_LF	'\n'
+
+static PRStatus
+pl_base64_encode_buffer (PLBase64Encoder *data, const unsigned char *in,
+			 PRUint32 size)
+{
+    const unsigned char *end = in + size;
+    char *out = data->output_buffer + data->output_length;
+    int i = data->in_buffer_count;
+    PRUint32 n = 0;
+    int off;
+    PRUint32 output_threshold;
+
+    /* If this input buffer is too small, wait until next time. */
+    if (size < (3 - i)) {
+	data->in_buffer[i++] = in[0];
+	if (size > 1)
+	    data->in_buffer[i++] = in[1];
+	PR_ASSERT(i < 3);
+	data->in_buffer_count = i;
+	return PR_SUCCESS;
+    }
+
+    /* If there are bytes that were put back last time, take them now. */
+    if (i > 0) {
+	n = data->in_buffer[0];
+	if (i > 1)
+	    n = (n << 8) | data->in_buffer[1];
+	data->in_buffer_count = 0;
+    }
+
+    /* If our total is not a multiple of three, put one or two bytes back. */
+    off = (size + i) % 3;
+    if (off > 0) {
+	size -= off;
+	data->in_buffer[0] = in[size];
+	if (off > 1)
+	    data->in_buffer[1] = in[size + 1];
+	data->in_buffer_count = off;
+	end -= off;
+    }
+
+    output_threshold = data->output_buflen - 3;
+
+    /*
+     * Populate the output buffer with base64 data, one line (or buffer)
+     * at a time.
+     */
+    while (in < end) {
+	int j, k;
+
+	while (i < 3) {
+	    n = (n << 8) | *in++;
+	    i++;
+	}
+	i = 0;
+
+	if (data->line_length > 0) {
+	    if (data->current_column >= data->line_length) {
+		data->current_column = 0;
+		*out++ = B64_CR;
+		*out++ = B64_LF;
+		data->output_length += 2;
+	    }
+	    data->current_column += 4;	/* the bytes we are about to add */
+	}
+
+	for (j = 18; j >= 0; j -= 6) {
+	    k = (n >> j) & 0x3F;
+	    *out++ = base64_valuetocode[k];
+	}
+	n = 0;
+	data->output_length += 4;
+
+	if (data->output_length >= output_threshold) {
+	    PR_ASSERT(data->output_length <= data->output_buflen);
+	    if (data->output_fn != NULL) {
+		PRInt32 output_result;
+
+		output_result = data->output_fn (data->output_arg,
+						 data->output_buffer,
+						 (PRInt32) data->output_length);
+		if (output_result < 0)
+		    return PR_FAILURE;
+
+		out = data->output_buffer;
+		data->output_length = 0;
+	    } else {
+		/*
+		 * Check that we are about to exit the loop.  (Since we
+		 * are over the threshold, there isn't enough room in the
+		 * output buffer for another trip around.)
+		 */
+		PR_ASSERT(in == end);
+		if (in < end) {
+		    PR_SetError (PR_BUFFER_OVERFLOW_ERROR, 0);
+		    return PR_FAILURE;
+		}
+	    }
+	}
+    }
+
+    return PR_SUCCESS;
+}
+
+static PRStatus
+pl_base64_encode_flush (PLBase64Encoder *data)
+{
+    int i = data->in_buffer_count;
+
+    if (i == 0 && data->output_length == 0)
+	return PR_SUCCESS;
+
+    if (i > 0) {
+	char *out = data->output_buffer + data->output_length;
+	PRUint32 n;
+	int j, k;
+
+	n = ((PRUint32) data->in_buffer[0]) << 16;
+	if (i > 1)
+	    n |= ((PRUint32) data->in_buffer[1] << 8);
+
+	data->in_buffer_count = 0;
+
+	if (data->line_length > 0) {
+	    if (data->current_column >= data->line_length) {
+		data->current_column = 0;
+		*out++ = B64_CR;
+		*out++ = B64_LF;
+		data->output_length += 2;
+	    }
+	}
+
+	/*
+	 * This will fill in more than we really have data for, but the
+	 * valid parts will end up in the correct position and the extras
+	 * will be over-written with pad characters below.
+	 */
+	for (j = 18; j >= 0; j -= 6) {
+	    k = (n >> j) & 0x3F;
+	    *out++ = base64_valuetocode[k];
+	}
+
+	/* Pad with equal-signs. */
+	if (i == 1)
+	    out[-2] = B64_PAD;
+	out[-1] = B64_PAD;
+
+	data->output_length += 4;
+    }
+
+    if (data->output_fn != NULL) {
+	PRInt32 output_result;
+
+	output_result = data->output_fn (data->output_arg, data->output_buffer,
+					 (PRInt32) data->output_length);
+	data->output_length = 0;
+
+	if (output_result < 0)
+	    return PR_FAILURE;
+    }
+
+    return PR_SUCCESS;
+}
+
+
+/*
+ * The maximum space needed to hold the output of the encoder given input
+ * data of length "size", and allowing for CRLF added at least every
+ * line_length bytes (we will add it at nearest lower multiple of 4).
+ * There is no trailing CRLF.
+ */
+static PRUint32
+PL_Base64MaxEncodedLength (PRUint32 size, PRUint32 line_length)
+{
+    PRUint32 tokens, tokens_per_line, full_lines, line_break_chars, remainder;
+
+    tokens = (size + 2) / 3;
+
+    if (line_length == 0)
+	return tokens * 4;
+
+    if (line_length < 4)	/* too small! */
+	line_length = 4;
+
+    tokens_per_line = line_length / 4;
+    full_lines = tokens / tokens_per_line;
+    remainder = (tokens - (full_lines * tokens_per_line)) * 4;
+    line_break_chars = full_lines * 2;
+    if (remainder == 0)
+	line_break_chars -= 2;
+
+    return (full_lines * tokens_per_line * 4) + line_break_chars + remainder;
+}
+
+
+/*
+ * A distinct internal creation function for the buffer version to use.
+ * (It does not want to specify an output_fn, and we want the normal
+ * Create function to require that.)  All common initialization of the
+ * encoding context should be done *here*.
+ *
+ * Save "line_length", rounded down to nearest multiple of 4 (if not
+ * already even multiple).  Allocate output_buffer, if not provided --
+ * based on given size if specified, otherwise based on line_length.
+ */
+static PLBase64Encoder *
+pl_base64_create_encoder (PRUint32 line_length, char *output_buffer,
+			  PRUint32 output_buflen)
+{
+    PLBase64Encoder *data;
+    PRUint32 line_tokens;
+
+    data = PR_NEWZAP(PLBase64Encoder);
+    if (data == NULL)
+	return NULL;
+
+    if (line_length > 0 && line_length < 4)	/* too small! */
+	line_length = 4;
+
+    line_tokens = line_length / 4;
+    data->line_length = line_tokens * 4;
+
+    if (output_buffer == NULL) {
+	if (output_buflen == 0) {
+	    if (data->line_length > 0)	/* need to include room for CRLF */
+		output_buflen = data->line_length + 2;
+	    else
+		output_buflen = 64;		/* XXX what is a good size? */
+	}
+
+	output_buffer = (char *) PR_Malloc(output_buflen);
+	if (output_buffer == NULL) {
+	    PR_Free(data);
+	    return NULL;
+	}
+    }
+
+    data->output_buffer = output_buffer;
+    data->output_buflen = output_buflen;
+    return data;
+}
+
+/*
+ * Function to start a base64 encoding context.
+ * An "output_fn" is required; the "output_arg" parameter to that is optional.
+ * If linebreaks in the encoded output are desired, "line_length" specifies
+ * where to place them -- it will be rounded down to the nearest multiple of 4
+ * (if it is not already an even multiple of 4).  If it is zero, no linebreaks
+ * will be added.  (FYI, a linebreak is CRLF -- two characters.)
+ */
+static PLBase64Encoder *
+PL_CreateBase64Encoder (PRInt32 (*output_fn) (void *, const char *, PRInt32),
+			void *output_arg, PRUint32 line_length)
+{
+    PLBase64Encoder *data;
+
+    if (output_fn == NULL) {
+	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
+	return NULL;
+    }
+
+    data = pl_base64_create_encoder (line_length, NULL, 0);
+    if (data == NULL)
+	return NULL;
+
+    data->output_fn = output_fn;
+    data->output_arg = output_arg;
+
+    return data;
+}
+
+
+/*
+ * Push data through the encoder, causing the output_fn (provided to Create)
+ * to be called with the encoded data.
+ */
+static PRStatus
+PL_UpdateBase64Encoder (PLBase64Encoder *data, const unsigned char *buffer,
+			PRUint32 size)
+{
+    /* XXX Should we do argument checking only in debug build? */
+    if (data == NULL || buffer == NULL || size == 0) {
+	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
+	return PR_FAILURE;
+    }
+
+    return pl_base64_encode_buffer (data, buffer, size);
+}
+
+
+/*
+ * When you're done encoding, call this to free the data.  If "abort_p"
+ * is false, then calling this may cause the output_fn to be called
+ * one last time (as the last buffered data is flushed out).
+ */
+static PRStatus
+PL_DestroyBase64Encoder (PLBase64Encoder *data, PRBool abort_p)
+{
+    PRStatus status = PR_SUCCESS;
+
+    /* XXX Should we do argument checking only in debug build? */
+    if (data == NULL) {
+	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
+	return PR_FAILURE;
+    }
+
+    /* Flush out the last few buffered characters. */
+    if (!abort_p)
+	status = pl_base64_encode_flush (data);
+
+    if (data->output_buffer != NULL)
+	PR_Free(data->output_buffer);
+    PR_Free(data);
+
+    return status;
+}
+
+
+/*
+ * Perform base64 encoding from an input buffer to an output buffer.
+ * The output buffer can be provided (as "dest"); you can also pass in
+ * a NULL and this function will allocate a buffer large enough for you,
+ * and return it.  If you do provide the output buffer, you must also
+ * provide the maximum length of that buffer (as "maxdestlen").
+ * The actual encoded length of output will be returned to you in
+ * "output_destlen".
+ *
+ * If linebreaks in the encoded output are desired, "line_length" specifies
+ * where to place them -- it will be rounded down to the nearest multiple of 4
+ * (if it is not already an even multiple of 4).  If it is zero, no linebreaks
+ * will be added.  (FYI, a linebreak is CRLF -- two characters.)
+ *
+ * Return value is NULL on error, the output buffer (allocated or provided)
+ * otherwise.
+ */
+static char *
+PL_Base64EncodeBuffer (const unsigned char *src, PRUint32 srclen,
+		       PRUint32 line_length, char *dest, PRUint32 maxdestlen,
+		       PRUint32 *output_destlen)
+{
+    PRUint32 need_length;
+    PLBase64Encoder *data = NULL;
+    PRStatus status;
+
+    PR_ASSERT(srclen > 0);
+    if (srclen == 0)
+	return dest;
+
+    /*
+     * How much space could we possibly need for encoding this input?
+     */
+    need_length = PL_Base64MaxEncodedLength (srclen, line_length);
+
+    /*
+     * Make sure we have at least that much, if output buffer provided.
+     */
+    if (dest != NULL) {
+	PR_ASSERT(maxdestlen >= need_length);
+	if (maxdestlen < need_length) {
+	    PR_SetError(PR_BUFFER_OVERFLOW_ERROR, 0);
+	    return NULL;
+	}
+    } else {
+	maxdestlen = need_length;
+    }
+
+    data = pl_base64_create_encoder(line_length, dest, maxdestlen);
+    if (data == NULL)
+	return NULL;
+
+    status = pl_base64_encode_buffer (data, src, srclen);
+
+    /*
+     * We do not wait for Destroy to flush, because Destroy will also
+     * get rid of our encoder context, which we need to look at first!
+     */
+    if (status == PR_SUCCESS)
+	status = pl_base64_encode_flush (data);
+
+    if (status != PR_SUCCESS) {
+	(void) PL_DestroyBase64Encoder (data, PR_TRUE);
+	return NULL;
+    }
+
+    dest = data->output_buffer;
+
+    /* Must clear this or Destroy will free it. */
+    data->output_buffer = NULL;
+
+    *output_destlen = data->output_length;
+    status = PL_DestroyBase64Encoder (data, PR_FALSE);
+    if (status == PR_FAILURE) {
+	PR_Free(dest);
+	return NULL;
+    }
+
+    return dest;
+}
+
+/*
+ * XXX End of base64 encoding code to be moved into NSPR.
+ ********************************************************
+ */
+
+/*
+ * This is the beginning of the NSS cover functions.  These will
+ * provide the interface we want to expose as NSS-ish.  For example,
+ * they will operate on our Items, do any special handling or checking
+ * we want to do, etc.
+ */
+
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * A boring cover structure for now.  Perhaps someday it will include
+ * some more interesting fields.
+ */
+struct NSSBase64EncoderStr {
+    PLBase64Encoder *pl_data;
+};
+
+PR_END_EXTERN_C
+
+
+/*
+ * Function to start a base64 encoding context.
+ */
+NSSBase64Encoder *
+NSSBase64Encoder_Create (PRInt32 (*output_fn) (void *, const char *, PRInt32),
+			 void *output_arg)
+{
+    PLBase64Encoder *pl_data;
+    NSSBase64Encoder *nss_data;
+
+    nss_data = PORT_ZNew(NSSBase64Encoder);
+    if (nss_data == NULL)
+	return NULL;
+
+    pl_data = PL_CreateBase64Encoder (output_fn, output_arg, 64);
+    if (pl_data == NULL) {
+	PORT_Free(nss_data);
+	return NULL;
+    }
+
+    nss_data->pl_data = pl_data;
+    return nss_data;
+}
+
+
+/*
+ * Push data through the encoder, causing the output_fn (provided to Create)
+ * to be called with the encoded data.
+ */
+SECStatus
+NSSBase64Encoder_Update (NSSBase64Encoder *data, const unsigned char *buffer,
+			 PRUint32 size)
+{
+    PRStatus pr_status;
+
+    /* XXX Should we do argument checking only in debug build? */
+    if (data == NULL) {
+	PORT_SetError (SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    pr_status = PL_UpdateBase64Encoder (data->pl_data, buffer, size);
+    if (pr_status == PR_FAILURE)
+	return SECFailure;
+
+    return SECSuccess;
+}
+
+
+/*
+ * When you're done encoding, call this to free the data.  If "abort_p"
+ * is false, then calling this may cause the output_fn to be called
+ * one last time (as the last buffered data is flushed out).
+ */
+SECStatus
+NSSBase64Encoder_Destroy (NSSBase64Encoder *data, PRBool abort_p)
+{
+    PRStatus pr_status;
+
+    /* XXX Should we do argument checking only in debug build? */
+    if (data == NULL) {
+	PORT_SetError (SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    pr_status = PL_DestroyBase64Encoder (data->pl_data, abort_p);
+
+    PORT_Free(data);
+
+    if (pr_status == PR_FAILURE)
+	return SECFailure;
+
+    return SECSuccess;
+}
+
+
+/*
+ * Perform base64 encoding of binary data "inItem" to an ascii string.
+ * The output buffer may be provided (as "outStrOpt"); you can also pass
+ * in a NULL and the buffer will be allocated for you.  The result will
+ * be null-terminated, and if the buffer is provided, "maxOutLen" must
+ * specify the maximum length of the buffer and will be checked to
+ * supply sufficient space space for the encoded result.  (If "outStrOpt"
+ * is NULL, "maxOutLen" is ignored.)
+ *
+ * If "outStrOpt" is NULL, allocation will happen out of the passed-in
+ * "arenaOpt", if *it* is non-NULL, otherwise standard allocation (heap)
+ * will be used.
+ *
+ * Return value is NULL on error, the output buffer (allocated or provided)
+ * otherwise.
+ */
+char *
+NSSBase64_EncodeItem (PRArenaPool *arenaOpt, char *outStrOpt,
+		      unsigned int maxOutLen, SECItem *inItem)
+{
+    char *out_string = outStrOpt;
+    PRUint32 max_out_len;
+    PRUint32 out_len;
+    void *mark = NULL;
+    char *dummy;
+
+    PORT_Assert(inItem != NULL && inItem->data != NULL && inItem->len != 0);
+    if (inItem == NULL || inItem->data == NULL || inItem->len == 0) {
+	PORT_SetError (SEC_ERROR_INVALID_ARGS);
+	return NULL;
+    }
+
+    max_out_len = PL_Base64MaxEncodedLength (inItem->len, 64);
+
+    if (arenaOpt != NULL)
+	mark = PORT_ArenaMark (arenaOpt);
+
+    if (out_string == NULL) {
+	if (arenaOpt != NULL)
+	    out_string = PORT_ArenaAlloc (arenaOpt, max_out_len + 1);
+	else
+	    out_string = PORT_Alloc (max_out_len + 1);
+
+	if (out_string == NULL) {
+	    if (arenaOpt != NULL)
+		PORT_ArenaRelease (arenaOpt, mark);
+	    return NULL;
+	}
+    } else {
+	if ((max_out_len + 1) > maxOutLen) {
+	    PORT_SetError (SEC_ERROR_OUTPUT_LEN);
+	    return NULL;
+	}
+	max_out_len = maxOutLen;
+    }
+
+
+    dummy = PL_Base64EncodeBuffer (inItem->data, inItem->len, 64,
+				   out_string, max_out_len, &out_len);
+    if (dummy == NULL) {
+	if (arenaOpt != NULL) {
+	    PORT_ArenaRelease (arenaOpt, mark);
+	} else {
+	    PORT_Free (out_string);
+	}
+	return NULL;
+    }
+
+    if (arenaOpt != NULL)
+	PORT_ArenaUnmark (arenaOpt, mark);
+
+    out_string[out_len] = '\0';
+    return out_string;
+}
+
+
+/*
+ * XXX Everything below is deprecated.  If you add new stuff, put it
+ * *above*, not below.
+ */
+
+/*
+ * XXX The following "BTOA" functions are provided for backward compatibility
+ * with current code.  They should be considered strongly deprecated.
+ * When we can convert all our code over to using the new NSSBase64Encoder_
+ * functions defined above, we should get rid of these altogether.  (Remove
+ * protoypes from base64.h as well -- actually, remove that file completely).
+ * If someone thinks either of these functions provides such a very useful
+ * interface (though, as shown, the same functionality can already be
+ * obtained by calling NSSBase64_EncodeItem directly), fine -- but then
+ * that API should be provided with a nice new NSSFoo name and using
+ * appropriate types, etc.
+ */
+
+#include "base64.h"
+
+/*
+** Return an PORT_Alloc'd ascii string which is the base64 encoded
+** version of the input string.
+*/
+char *
+BTOA_DataToAscii(const unsigned char *data, unsigned int len)
+{
+    SECItem binary_item;
+
+    binary_item.data = (unsigned char *)data;
+    binary_item.len = len;
+
+    return NSSBase64_EncodeItem (NULL, NULL, 0, &binary_item);
+}
+
+/*
+** Convert from binary encoding of an item to ascii.
+*/
+char *
+BTOA_ConvertItemToAscii (SECItem *binary_item)
+{
+    return NSSBase64_EncodeItem (NULL, NULL, 0, binary_item);
+}
diff --git a/security/nss/lib/util/nssb64t.h b/security/nss/lib/util/nssb64t.h
new file mode 100644
index 000000000..b7b079d8c
--- /dev/null
+++ b/security/nss/lib/util/nssb64t.h
@@ -0,0 +1,45 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Public data structures for base64 encoding/decoding.
+ *
+ * $Id$
+ */
+#ifndef _NSSB64T_H_
+#define _NSSB64T_H_
+
+typedef struct NSSBase64DecoderStr NSSBase64Decoder;
+typedef struct NSSBase64EncoderStr NSSBase64Encoder;
+
+#endif /* _NSSB64T_H_ */
diff --git a/security/nss/lib/util/nssilckt.h b/security/nss/lib/util/nssilckt.h
new file mode 100644
index 000000000..e0b49902f
--- /dev/null
+++ b/security/nss/lib/util/nssilckt.h
@@ -0,0 +1,220 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+** nssilock.h - Instrumented locking functions for NSS
+**
+** Description:
+**    nssilock provides instrumentation for locks and monitors in
+**    the NSS libraries. The instrumentation, when enabled, causes
+**    each call to the instrumented function to record data about
+**    the call to an external file. The external file
+**    subsequently used to extract performance data and other
+**    statistical information about the operation of locks used in
+**    the nss library.
+**     
+**    To enable compilation with instrumentation, build NSS with 
+**    the compile time switch NEED_NSS_ILOCK defined.
+**
+**    say:  "gmake OS_CFLAGS+=-DNEED_NSS_ILOCK" at make time.
+**
+**    At runtime, to enable recording from nssilock, one or more
+**    environment variables must be set. For each nssILockType to
+**    be recorded, an environment variable of the form NSS_ILOCK_x
+**    must be set to 1. For example:
+**
+**       set NSS_ILOCK_Cert=1
+**
+**    nssilock uses PRLOG is used to record to trace data. The
+**    PRLogModule name associated with nssilock data is: "nssilock".
+**    To enable recording of nssilock data you will need to set the
+**    environment variable NSPR_LOG_MODULES to enable
+**    recording for the nssilock log module. Similarly, you will
+**    need to set the environment variable NSPR_LOG_FILE to specify
+**    the filename to receive the recorded data. See prlog.h for usage.
+**    Example:
+**
+**        export NSPR_LOG_MODULES=nssilock:6
+**        export NSPR_LOG_FILE=xxxLogfile
+**
+** Operation:
+**    nssilock wraps calls to NSPR's PZLock and PZMonitor functions
+**    with similarly named functions: PZ_NewLock(), etc. When NSS is
+**    built with lock instrumentation enabled, the PZ* functions are
+**    compiled into NSS; when lock instrumentation is disabled,
+**    calls to PZ* functions are directly mapped to PR* functions
+**    and the instrumentation arguments to the PZ* functions are
+**    compiled away.
+**
+**
+** File Format:
+**    The format of the external file is implementation
+**    dependent. Where NSPR's PR_LOG() function is used, the file
+**    contains data defined for PR_LOG() plus the data written by
+**    the wrapped function. On some platforms and under some
+**    circumstances, platform dependent logging or
+**    instrumentation probes may be used. In any case, the
+**    relevant data provided by the lock instrumentation is:
+**    
+**      lockType, func, address, duration, line, file [heldTime]
+** 
+**    where:
+**    
+**       lockType: a character representation of nssILockType for the
+**       call. e.g. ... "cert"
+**    
+**       func: the function doing the tracing. e.g. "NewLock"
+**    
+**       address: address of the instrumented lock or monitor
+**    
+**       duration: is how long was spent in the instrumented function,
+**       in PRIntervalTime "ticks".
+**    
+**       line: the line number within the calling function
+**    
+**       file: the file from which the call was made
+**    
+**       heldTime: how long the lock/monitor was held. field
+**       present only for PZ_Unlock() and PZ_ExitMonitor().
+**    
+** Design Notes:
+**    The design for lock instrumentation was influenced by the
+**    need to gather performance data on NSS 3.x. It is intended
+**    that the effort to modify NSS to use lock instrumentation
+**    be minimized. Existing calls to locking functions need only
+**    have their names changed to the instrumentation function
+**    names.
+**    
+** Private NSS Interface:
+**    nssilock.h defines a private interface for use by NSS.
+**    nssilock.h is experimental in nature and is subject to
+**    change or revocation without notice. ... Don't mess with
+**    it.
+**    
+*/
+
+/*
+ * $Id:
+ */
+
+#ifndef _NSSILCKT_H_
+#define _NSSILCKT_H_
+
+#include "prtypes.h"
+#include "prmon.h"
+#include "prlock.h"
+#include "prcvar.h"
+
+typedef enum {
+    nssILockArena = 0,
+    nssILockSession = 1,
+    nssILockObject = 2,
+    nssILockRefLock = 3,
+    nssILockCert = 4,
+    nssILockCertDB = 5,
+    nssILockDBM = 6,
+    nssILockCache = 7,
+    nssILockSSL = 8,
+    nssILockList = 9,
+    nssILockSlot = 10,
+    nssILockFreelist = 11,
+    nssILockOID = 12,
+    nssILockAttribute = 13,
+    nssILockPK11cxt = 14,  /* pk11context */
+    nssILockRWLock = 15,
+    nssILockOther = 16,
+    nssILockSelfServ = 17,
+    nssILockLast  /* don't use this one! */
+} nssILockType;
+
+/*
+** Declare operation type enumerator
+** enumerations identify the function being performed
+*/
+typedef enum  {
+    FlushTT = 0,
+    NewLock = 1,
+    Lock = 2,
+    Unlock = 3,
+    DestroyLock = 4,
+    NewCondVar = 5,
+    WaitCondVar = 6,
+    NotifyCondVar = 7,
+    NotifyAllCondVar = 8,
+    DestroyCondVar = 9,
+    NewMonitor = 10,
+    EnterMonitor = 11,
+    ExitMonitor = 12,
+    Notify = 13,
+    NotifyAll = 14,
+    Wait = 15,
+    DestroyMonitor = 16
+} nssILockOp;
+
+/*
+** Declare the trace record
+*/
+struct pzTrace_s {
+    PRUint32        threadID; /* PR_GetThreadID() */
+    nssILockOp      op;       /* operation being performed */
+    nssILockType    ltype;    /* lock type identifier */
+    PRIntervalTime  callTime; /* time spent in function */
+    PRIntervalTime  heldTime; /* lock held time, or -1 */
+    void            *lock;    /* address of lock structure */    
+    PRIntn          line;     /* line number */
+    char            file[24]; /* filename */
+};
+
+PR_BEGIN_EXTERN_C
+/*
+** conditionally compile in nssilock features
+*/
+#if defined(NEED_NSS_ILOCK)
+
+/*
+** declare opaque types. See: nssilock.c
+*/
+typedef struct pzlock_s PZLock;
+typedef struct pzcondvar_s PZCondVar;
+typedef struct pzmonitor_s PZMonitor;
+
+#else /* NEED_NSS_ILOCK */
+
+#define PZLock                  PRLock
+#define PZCondVar               PRCondVar
+#define PZMonitor               PRMonitor
+    
+#endif /* NEED_NSS_ILOCK */
+
+PR_END_EXTERN_C
+#endif /* _NSSILCKT_H_ */
diff --git a/security/nss/lib/util/nssilock.c b/security/nss/lib/util/nssilock.c
new file mode 100644
index 000000000..056ee6e73
--- /dev/null
+++ b/security/nss/lib/util/nssilock.c
@@ -0,0 +1,519 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * nssilock.c - NSS lock instrumentation wrapper functions
+ *
+ * NOTE - These are not public interfaces
+ *
+ * Implementation Notes:
+ * I've tried to make the instrumentation relatively non-intrusive.
+ * To do this, I have used a single PR_LOG() call in each
+ * instrumented function. There's room for improvement.
+ *
+ *
+ */
+
+#include "prinit.h"
+#include "prerror.h"
+#include "prlock.h"
+#include "prmem.h"
+#include "prenv.h"
+#include "prcvar.h"
+#include "prio.h"
+
+#if defined(NEED_NSS_ILOCK)
+#include "prlog.h"
+#include "nssilock.h"
+
+/*
+** Declare the instrumented PZLock 
+*/
+struct pzlock_s {
+    PRLock *lock;  /* the PZLock to be instrumented */
+    PRIntervalTime time; /* timestamp when the lock was aquired */
+    nssILockType ltype;
+};
+
+/*
+** Declare the instrumented PZMonitor 
+*/
+struct pzmonitor_s {
+    PRMonitor *mon;   /* the PZMonitor to be instrumented */
+    PRIntervalTime time; /* timestamp when the monitor was aquired */
+    nssILockType ltype;
+};
+
+/*
+** Declare the instrumented PZCondVar
+*/
+struct pzcondvar_s  {
+    PRCondVar   *cvar;  /* the PZCondVar to be instrumented */
+    nssILockType ltype;
+};
+
+
+/*
+** Define a CallOnce type to ensure serialized self-initialization
+*/
+static PRCallOnceType coNssILock;     /* CallOnce type */
+static PRIntn  nssILockInitialized;   /* initialization done when 1 */
+static PRLogModuleInfo *nssILog;      /* Log instrumentation to this handle */
+
+
+#define NUM_TT_ENTRIES 6000000
+static PRInt32  traceIndex = -1;      /* index into trace table */
+static struct pzTrace_s *tt;          /* pointer to trace table */
+static PRInt32  ttBufSize = (NUM_TT_ENTRIES * sizeof(struct pzTrace_s ));
+static PRCondVar *ttCVar;
+static PRLock    *ttLock;
+static PRFileDesc *ttfd;              /* trace table file */
+
+/*
+** Vtrace() -- Trace events, write events to external media
+**
+** Vtrace() records traced events in an in-memory trace table
+** when the trace table fills, Vtrace writes the entire table
+** to a file.
+**
+** data can be lost!
+**
+*/
+static void Vtrace(
+    nssILockOp      op,
+    nssILockType    ltype,
+    PRIntervalTime  callTime,
+    PRIntervalTime  heldTime,
+    void            *lock,
+    PRIntn          line,
+    char            *file
+)  {
+    PRInt32 idx;
+    struct pzTrace_s *tp;
+
+RetryTrace:
+    idx = PR_AtomicIncrement( &traceIndex );
+    while( NUM_TT_ENTRIES <= idx || op == FlushTT ) {
+        if( NUM_TT_ENTRIES == idx  || op == FlushTT )  {
+            int writeSize = idx * sizeof(struct pzTrace_s);
+            PR_Lock(ttLock);
+            PR_Write( ttfd, tt, writeSize );
+            traceIndex = -1;
+            PR_NotifyAllCondVar( ttCVar );
+            PR_Unlock(ttLock);
+            goto RetryTrace;
+        } else {
+            PR_Lock(ttLock);
+            while( NUM_TT_ENTRIES < idx )
+                PR_WaitCondVar(ttCVar, PR_INTERVAL_NO_WAIT);
+            PR_Unlock(ttLock);
+            goto RetryTrace;
+        }
+    } /* end while() */
+
+    /* create the trace entry */
+    tp = tt + idx;
+    tp->threadID = PR_GetThreadID(PR_GetCurrentThread());
+    tp->op = op;
+    tp->ltype = ltype;
+    tp->callTime = callTime;
+    tp->heldTime = heldTime;
+    tp->lock = lock;
+    tp ->line = line;
+    strcpy(tp->file, file );
+    return;
+} /* --- end Vtrace() --- */
+
+/*
+** pz_TraceFlush() -- Force trace table write to file
+**
+*/
+extern void pz_TraceFlush( void )
+{
+    Vtrace( FlushTT, nssILockSelfServ, 0, 0, NULL, 0, "" );
+    return;
+} /* --- end pz_TraceFlush() --- */
+
+/*
+** nssILockInit() -- Initialization for nssilock
+**
+** This function is called from the CallOnce mechanism.
+*/
+static PRStatus
+    nssILockInit( void ) 
+{   
+    int i;
+    nssILockInitialized = 1;
+
+    /* new log module */
+    nssILog = PR_NewLogModule("nssilock");
+    if ( NULL == nssILog )  {
+        return(PR_FAILURE);
+    }
+
+    tt = PR_Calloc( NUM_TT_ENTRIES, sizeof(struct pzTrace_s));
+    if (NULL == tt ) {
+        fprintf(stderr, "nssilock: can't allocate trace table\n");
+        exit(1);
+    }
+
+    ttfd = PR_Open( "xxxTTLog", PR_CREATE_FILE | PR_WRONLY, 0666 );
+    if ( NULL == ttfd )  {
+        fprintf( stderr, "Oh Drat! Can't open 'xxxTTLog'\n");
+        exit(1);
+    }
+
+    ttLock = PR_NewLock();
+    ttCVar = PR_NewCondVar(ttLock);
+
+    return(PR_SUCCESS);
+} /* --- end nssILockInit() --- */
+
+extern PZLock * pz_NewLock( 
+    nssILockType ltype,
+    char *file,  
+    PRIntn line )
+{
+    PRStatus rc;
+    PZLock  *lock;
+    
+    /* Self Initialize the nssILock feature */
+    if (!nssILockInitialized)  {
+        rc = PR_CallOnce( &coNssILock, nssILockInit );
+        if ( PR_FAILURE == rc ) {
+            PR_SetError( PR_UNKNOWN_ERROR, 0 );
+            return( NULL );
+        }
+    }
+
+    lock = PR_NEWZAP( PZLock );
+    if ( NULL != lock )  {
+        lock->lock = PR_NewLock();
+        if ( NULL == lock->lock )  {
+            PR_DELETE( lock );
+            lock = NULL;
+        }
+    }
+    lock->ltype = ltype;
+
+    Vtrace( NewLock, ltype, 0, 0, lock, line, file );
+    return(lock);
+} /* --- end pz_NewLock() --- */
+
+extern void
+    pz_Lock(
+        PZLock *lock,
+        char *file,
+        PRIntn line
+    )
+{            
+    PRIntervalTime callTime;
+
+    callTime = PR_IntervalNow();
+    PR_Lock( lock->lock );
+    lock->time = PR_IntervalNow();
+    callTime = lock->time - callTime;
+
+    Vtrace( Lock, lock->ltype, callTime, 0, lock, line, file );
+    return;
+} /* --- end  pz_Lock() --- */
+
+extern PRStatus
+    pz_Unlock(
+        PZLock *lock,
+        char *file,
+        PRIntn line
+    ) 
+{
+    PRStatus rc;
+    PRIntervalTime callTime, now, heldTime;
+
+    callTime = PR_IntervalNow();
+    rc = PR_Unlock( lock->lock );
+    now = PR_IntervalNow(); 
+    callTime = now - callTime;
+    heldTime = now - lock->time;
+    Vtrace( Unlock, lock->ltype, callTime, heldTime, lock, line, file );
+    return( rc );
+} /* --- end  pz_Unlock() --- */
+
+extern void
+    pz_DestroyLock(
+        PZLock *lock,
+        char *file,
+        PRIntn line
+    )
+{
+    Vtrace( DestroyLock, lock->ltype, 0, 0, lock, line, file );
+    PR_DestroyLock( lock->lock );
+    PR_DELETE( lock );
+    return;
+} /* --- end  pz_DestroyLock() --- */
+
+
+
+extern PZCondVar *
+    pz_NewCondVar(
+        PZLock *lock,
+        char *file,
+        PRIntn line
+    )
+{
+    PZCondVar *cvar;
+
+    cvar = PR_NEWZAP( PZCondVar );
+    if ( NULL == cvar ) return(NULL);
+   
+    cvar->ltype = lock->ltype; 
+    cvar->cvar = PR_NewCondVar( lock->lock );
+    if ( NULL == cvar->cvar )  {
+        PR_DELETE( cvar );
+    }
+    Vtrace( NewCondVar, cvar->ltype, 0, 0, cvar, line, file );
+    return( cvar );
+} /* --- end  pz_NewCondVar() --- */
+
+extern void
+    pz_DestroyCondVar(
+        PZCondVar *cvar,
+        char *file,
+        PRIntn line
+    )
+{
+    Vtrace( DestroyCondVar, cvar->ltype, 0, 0, cvar, line, file );
+    PR_DestroyCondVar( cvar->cvar );
+    PR_DELETE( cvar );
+} /* --- end  pz_DestroyCondVar() --- */
+
+extern PRStatus
+    pz_WaitCondVar(
+        PZCondVar *cvar,
+        PRIntervalTime timeout,
+        char *file,
+        PRIntn line
+    )
+{
+    PRStatus    rc;
+    PRIntervalTime callTime;
+
+    callTime = PR_IntervalNow();
+    rc = PR_WaitCondVar( cvar->cvar, timeout );
+    callTime = PR_IntervalNow() - callTime;
+    
+    Vtrace( WaitCondVar, cvar->ltype, callTime, 0, cvar, line, file );
+    return(rc);
+} /* --- end  pz_WaitCondVar() --- */
+
+extern PRStatus
+    pz_NotifyCondVar(
+        PZCondVar *cvar,
+        char *file,
+        PRIntn line
+    )
+{
+    PRStatus    rc;
+    
+    rc = PR_NotifyCondVar( cvar->cvar );
+    
+    Vtrace( NotifyCondVar, cvar->ltype, 0, 0, cvar, line, file );
+    return(rc);
+} /* --- end  pz_NotifyCondVar() --- */
+
+extern PRStatus
+    pz_NotifyAllCondVar(
+        PZCondVar *cvar,
+        char *file,
+        PRIntn line
+    )
+{
+    PRStatus    rc;
+    
+    rc = PR_NotifyAllCondVar( cvar->cvar );
+    
+    Vtrace( NotifyAllCondVar, cvar->ltype, 0, 0, cvar, line, file );
+    return(rc);
+} /* --- end  pz_NotifyAllCondVar() --- */
+
+extern PZMonitor *
+    pz_NewMonitor( 
+        nssILockType ltype,
+        char *file,
+        PRIntn line
+    )
+{
+    PRStatus rc;
+    PZMonitor   *mon;
+
+    /* Self Initialize the nssILock feature */
+    if (!nssILockInitialized)  {
+        rc = PR_CallOnce( &coNssILock, nssILockInit );
+        if ( PR_FAILURE == rc ) {
+            PR_SetError( PR_UNKNOWN_ERROR, 0 );
+            return( NULL );
+        }
+    }
+
+    mon = PR_NEWZAP( PZMonitor );
+    if ( NULL != mon )  {
+        mon->mon = PR_NewMonitor();
+        if ( NULL == mon->mon )  {
+            PR_DELETE( mon );
+            return NULL;
+        }
+    }
+    mon->ltype = ltype;
+
+    Vtrace( NewMonitor, mon->ltype, 0, 0, mon, line, file );
+    return(mon);
+} /* --- end  pz_NewMonitor() --- */
+
+extern void
+    pz_DestroyMonitor(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    )
+{
+    Vtrace( DestroyMonitor, mon->ltype, 0, 0, mon, line, file );
+    PR_DestroyMonitor( mon->mon );
+    PR_DELETE( mon );
+    return;                
+} /* --- end  pz_DestroyMonitor() --- */
+
+extern void
+    pz_EnterMonitor(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    )
+{
+    PRIntervalTime callTime, now;
+
+    callTime = PR_IntervalNow();
+    PR_EnterMonitor( mon->mon );
+    now = PR_IntervalNow();
+    callTime = now - callTime;
+    if ( PR_GetMonitorEntryCount(mon->mon) == 1 )  {
+        mon->time = now;
+    }
+    Vtrace( EnterMonitor, mon->ltype, callTime, 0, mon, line, file );
+    return;
+} /* --- end  pz_EnterMonitor() --- */
+
+extern PRStatus
+    pz_ExitMonitor(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    )
+{
+    PRStatus rc;
+    PRIntervalTime callTime, now, heldTime;
+    PRIntn  mec = PR_GetMonitorEntryCount( mon->mon );
+   
+    heldTime = (PRIntervalTime)-1; 
+    callTime = PR_IntervalNow();
+    rc = PR_ExitMonitor( mon->mon );
+    now = PR_IntervalNow();
+    callTime = now - callTime;
+    if ( mec == 1 )
+        heldTime = now - mon->time;
+    Vtrace( ExitMonitor, mon->ltype, callTime, heldTime, mon, line, file );
+    return( rc );
+} /* --- end  pz_ExitMonitor() --- */
+
+extern PRIntn
+    pz_GetMonitorEntryCount(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    )
+{
+    return( PR_GetMonitorEntryCount(mon->mon));
+} /* --- end pz_GetMonitorEntryCount() --- */
+
+
+extern PRStatus
+    pz_Wait(
+        PZMonitor *mon,
+        PRIntervalTime ticks,
+        char *file,
+        PRIntn line
+    )
+{
+    PRStatus rc;
+    PRIntervalTime callTime;
+
+    callTime = PR_IntervalNow();
+    rc = PR_Wait( mon->mon, ticks );
+    callTime = PR_IntervalNow() - callTime;
+    Vtrace( Wait, mon->ltype, callTime, 0, mon, line, file );
+    return( rc );
+} /* --- end  pz_Wait() --- */
+
+extern PRStatus
+    pz_Notify(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    )
+{
+    PRStatus rc;
+    PRIntervalTime callTime;
+
+    callTime = PR_IntervalNow();
+    rc = PR_Notify( mon->mon );
+    callTime = PR_IntervalNow() - callTime;
+    Vtrace( Notify, mon->ltype, callTime, 0, mon, line, file );
+    return( rc );
+} /* --- end  pz_Notify() --- */
+
+extern PRStatus
+    pz_NotifyAll(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    )
+{
+    PRStatus rc;
+    PRIntervalTime callTime;
+
+    callTime = PR_IntervalNow();
+    rc = PR_NotifyAll( mon->mon );
+    callTime = PR_IntervalNow() - callTime;
+    Vtrace( NotifyAll, mon->ltype, callTime, 0, mon, line, file );
+    return( rc );
+} /* --- end  pz_NotifyAll() --- */
+
+#endif /* NEED_NSS_ILOCK */
+/* --- end nssilock.c --------------------------------- */
diff --git a/security/nss/lib/util/nssilock.h b/security/nss/lib/util/nssilock.h
new file mode 100644
index 000000000..38b457387
--- /dev/null
+++ b/security/nss/lib/util/nssilock.h
@@ -0,0 +1,316 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+** nssilock.h - Instrumented locking functions for NSS
+**
+** Description:
+**    nssilock provides instrumentation for locks and monitors in
+**    the NSS libraries. The instrumentation, when enabled, causes
+**    each call to the instrumented function to record data about
+**    the call to an external file. The external file
+**    subsequently used to extract performance data and other
+**    statistical information about the operation of locks used in
+**    the nss library.
+**     
+**    To enable compilation with instrumentation, build NSS with 
+**    the compile time switch NEED_NSS_ILOCK defined.
+**
+**    say:  "gmake OS_CFLAGS+=-DNEED_NSS_ILOCK" at make time.
+**
+**    At runtime, to enable recording from nssilock, one or more
+**    environment variables must be set. For each nssILockType to
+**    be recorded, an environment variable of the form NSS_ILOCK_x
+**    must be set to 1. For example:
+**
+**       set NSS_ILOCK_Cert=1
+**
+**    nssilock uses PRLOG is used to record to trace data. The
+**    PRLogModule name associated with nssilock data is: "nssilock".
+**    To enable recording of nssilock data you will need to set the
+**    environment variable NSPR_LOG_MODULES to enable
+**    recording for the nssilock log module. Similarly, you will
+**    need to set the environment variable NSPR_LOG_FILE to specify
+**    the filename to receive the recorded data. See prlog.h for usage.
+**    Example:
+**
+**        export NSPR_LOG_MODULES=nssilock:6
+**        export NSPR_LOG_FILE=xxxLogfile
+**
+** Operation:
+**    nssilock wraps calls to NSPR's PZLock and PZMonitor functions
+**    with similarly named functions: PZ_NewLock(), etc. When NSS is
+**    built with lock instrumentation enabled, the PZ* functions are
+**    compiled into NSS; when lock instrumentation is disabled,
+**    calls to PZ* functions are directly mapped to PR* functions
+**    and the instrumentation arguments to the PZ* functions are
+**    compiled away.
+**
+**
+** File Format:
+**    The format of the external file is implementation
+**    dependent. Where NSPR's PR_LOG() function is used, the file
+**    contains data defined for PR_LOG() plus the data written by
+**    the wrapped function. On some platforms and under some
+**    circumstances, platform dependent logging or
+**    instrumentation probes may be used. In any case, the
+**    relevant data provided by the lock instrumentation is:
+**    
+**      lockType, func, address, duration, line, file [heldTime]
+** 
+**    where:
+**    
+**       lockType: a character representation of nssILockType for the
+**       call. e.g. ... "cert"
+**    
+**       func: the function doing the tracing. e.g. "NewLock"
+**    
+**       address: address of the instrumented lock or monitor
+**    
+**       duration: is how long was spent in the instrumented function,
+**       in PRIntervalTime "ticks".
+**    
+**       line: the line number within the calling function
+**    
+**       file: the file from which the call was made
+**    
+**       heldTime: how long the lock/monitor was held. field
+**       present only for PZ_Unlock() and PZ_ExitMonitor().
+**    
+** Design Notes:
+**    The design for lock instrumentation was influenced by the
+**    need to gather performance data on NSS 3.x. It is intended
+**    that the effort to modify NSS to use lock instrumentation
+**    be minimized. Existing calls to locking functions need only
+**    have their names changed to the instrumentation function
+**    names.
+**    
+** Private NSS Interface:
+**    nssilock.h defines a private interface for use by NSS.
+**    nssilock.h is experimental in nature and is subject to
+**    change or revocation without notice. ... Don't mess with
+**    it.
+**    
+*/
+
+/*
+ * $Id:
+ */
+
+#ifndef _NSSILOCK_H_
+#define _NSSILOCK_H_
+
+#include "prtypes.h"
+#include "prmon.h"
+#include "prlock.h"
+#include "prcvar.h"
+
+#include "nssilckt.h"
+
+PR_BEGIN_EXTERN_C
+
+#if defined(NEED_NSS_ILOCK)
+
+#define PZ_NewLock(t) pz_NewLock((t),__FILE__,__LINE__)
+extern PZLock * 
+    pz_NewLock(
+        nssILockType ltype,
+        char *file,
+        PRIntn  line
+    );
+
+#define PZ_Lock(k)  pz_Lock((k),__FILE__,__LINE__)
+extern void
+    pz_Lock(
+        PZLock *lock,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_Unlock(k) pz_Unlock((k),__FILE__,__LINE__)
+extern PRStatus
+    pz_Unlock(
+        PZLock *lock,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_DestroyLock(k) pz_DestroyLock((k),__FILE__,__LINE__)
+extern void
+    pz_DestroyLock(
+        PZLock *lock,
+        char *file,
+        PRIntn line
+    );
+
+
+#define PZ_NewCondVar(l)        pz_NewCondVar((l),__FILE__,__LINE__)
+extern PZCondVar *
+    pz_NewCondVar(
+        PZLock *lock,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_DestroyCondVar(v)    pz_DestroyCondVar((v),__FILE__,__LINE__)
+extern void
+    pz_DestroyCondVar(
+        PZCondVar *cvar,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_WaitCondVar(v,t)       pz_WaitCondVar((v),(t),__FILE__,__LINE__)
+extern PRStatus
+    pz_WaitCondVar(
+        PZCondVar *cvar,
+        PRIntervalTime timeout,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_NotifyCondVar(v)     pz_NotifyCondVar((v),__FILE__,__LINE__)
+extern PRStatus
+    pz_NotifyCondVar(
+        PZCondVar *cvar,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_NotifyAllCondVar(v)  pz_NotifyAllCondVar((v),__FILE__,__LINE__)
+extern PRStatus
+    pz_NotifyAllCondVar(
+        PZCondVar *cvar,
+        char *file,
+        PRIntn line
+    );
+
+
+#define PZ_NewMonitor(t) pz_NewMonitor((t),__FILE__,__LINE__)
+extern PZMonitor *
+    pz_NewMonitor( 
+        nssILockType ltype,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_DestroyMonitor(m) pz_DestroyMonitor((m),__FILE__,__LINE__)
+extern void
+    pz_DestroyMonitor(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_EnterMonitor(m) pz_EnterMonitor((m),__FILE__,__LINE__)
+extern void
+    pz_EnterMonitor(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    );
+
+
+#define PZ_ExitMonitor(m) pz_ExitMonitor((m),__FILE__,__LINE__)
+extern PRStatus
+    pz_ExitMonitor(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_InMonitor(m)  (PZ_GetMonitorEntryCount(m) > 0 )
+#define PZ_GetMonitorEntryCount(m) pz_GetMonitorEntryCount((m),__FILE__,__LINE__)
+extern PRIntn
+    pz_GetMonitorEntryCount(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_Wait(m,i) pz_Wait((m),((i)),__FILE__,__LINE__)
+extern PRStatus
+    pz_Wait(
+        PZMonitor *mon,
+        PRIntervalTime ticks,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_Notify(m) pz_Notify((m),__FILE__,__LINE__)
+extern PRStatus
+    pz_Notify(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_NotifyAll(m) pz_NotifyAll((m),__FILE__,__LINE__)
+extern PRStatus
+    pz_NotifyAll(
+        PZMonitor *mon,
+        char *file,
+        PRIntn line
+    );
+
+#define PZ_TraceFlush() pz_TraceFlush()
+extern void pz_TraceFlush( void );
+
+#else /* NEED_NSS_ILOCK */
+
+#define PZ_NewLock(t)           PR_NewLock()
+#define PZ_DestroyLock(k)       PR_DestroyLock((k))
+#define PZ_Lock(k)              PR_Lock((k))
+#define PZ_Unlock(k)            PR_Unlock((k))
+
+#define PZ_NewCondVar(l)        PR_NewCondVar((l))
+#define PZ_DestroyCondVar(v)    PR_DestroyCondVar((v))
+#define PZ_WaitCondVar(v,t)     PR_WaitCondVar((v),(t))
+#define PZ_NotifyCondVar(v)     PR_NotifyCondVar((v))
+#define PZ_NotifyAllCondVar(v)  PR_NotifyAllCondVar((v))
+
+#define PZ_NewMonitor(t)        PR_NewMonitor()
+#define PZ_DestroyMonitor(m)    PR_DestroyMonitor((m))
+#define PZ_EnterMonitor(m)      PR_EnterMonitor((m))
+#define PZ_ExitMonitor(m)       PR_ExitMonitor((m))
+#define PZ_InMonitor(m)         PR_InMonitor((m))
+#define PZ_Wait(m,t)            PR_Wait(((m)),((t)))
+#define PZ_Notify(m)            PR_Notify((m))
+#define PZ_NotifyAll(m)         PR_Notify((m))
+#define PZ_TraceFlush()         /* nothing */
+
+    
+#endif /* NEED_NSS_ILOCK */
+
+PR_END_EXTERN_C
+#endif /* _NSSILOCK_H_ */
diff --git a/security/nss/lib/util/nsslocks.c b/security/nss/lib/util/nsslocks.c
new file mode 100644
index 000000000..ce9072c68
--- /dev/null
+++ b/security/nss/lib/util/nsslocks.c
@@ -0,0 +1,105 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * nsslocks.h - threadsafe functions to initialize lock pointers.
+ *
+ * NOTE - These are not public interfaces
+ *
+ * $Id$
+ */
+
+#include "seccomon.h"
+#include "nsslocks.h"
+#include "pratom.h"
+#include "prthread.h"
+
+/* Given the address of a (global) pointer to a PZLock, 
+ * atomicly create the lock and initialize the (global) pointer, 
+ * if it is not already created/initialized.
+ */
+
+SECStatus 
+__nss_InitLock(   PZLock    **ppLock, nssILockType ltype )
+{
+    static PRInt32  initializers;
+
+    PORT_Assert( ppLock != NULL);
+
+    /* atomically initialize the lock */
+    while (!*ppLock) {
+        PRInt32 myAttempt = PR_AtomicIncrement(&initializers);
+        if (myAttempt == 1) {
+	    *ppLock = PZ_NewLock(ltype);
+            (void) PR_AtomicDecrement(&initializers);
+            break;
+        }
+        PR_Sleep(PR_INTERVAL_NO_WAIT);          /* PR_Yield() */
+        (void) PR_AtomicDecrement(&initializers);
+    }
+
+    return (*ppLock != NULL) ? SECSuccess : SECFailure;
+}
+
+SECStatus 
+nss_InitLock(   PZLock    **ppLock, nssILockType ltype )
+{
+    return __nss_InitLock(ppLock, ltype);
+}
+
+/* Given the address of a (global) pointer to a PZMonitor, 
+ * atomicly create the monitor and initialize the (global) pointer, 
+ * if it is not already created/initialized.
+ */
+
+SECStatus 
+nss_InitMonitor(PZMonitor **ppMonitor, nssILockType ltype )
+{
+    static PRInt32  initializers;
+
+    PORT_Assert( ppMonitor != NULL);
+
+    /* atomically initialize the lock */
+    while (!*ppMonitor) {
+        PRInt32 myAttempt = PR_AtomicIncrement(&initializers);
+        if (myAttempt == 1) {
+	    *ppMonitor = PZ_NewMonitor(ltype);
+            (void) PR_AtomicDecrement(&initializers);
+            break;
+        }
+        PR_Sleep(PR_INTERVAL_NO_WAIT);          /* PR_Yield() */
+        (void) PR_AtomicDecrement(&initializers);
+    }
+
+    return (*ppMonitor != NULL) ? SECSuccess : SECFailure;
+}
diff --git a/security/nss/lib/util/nsslocks.h b/security/nss/lib/util/nsslocks.h
new file mode 100644
index 000000000..8510cf6b8
--- /dev/null
+++ b/security/nss/lib/util/nsslocks.h
@@ -0,0 +1,67 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * nsslocks.h - threadsafe functions to initialize lock pointers.
+ *
+ * NOTE - These are not public interfaces
+ *
+ * $Id$
+ */
+
+#ifndef _NSSLOCKS_H_
+#define _NSSLOCKS_H_
+
+#include "seccomon.h"
+#include "nssilock.h"
+#include "prmon.h"
+
+SEC_BEGIN_PROTOS
+
+/* Given the address of a (global) pointer to a PZLock, 
+ * atomicly create the lock and initialize the (global) pointer, 
+ * if it is not already created/initialized.
+ */
+
+extern SECStatus nss_InitLock(   PZLock    **ppLock, nssILockType ltype );
+
+/* Given the address of a (global) pointer to a PZMonitor, 
+ * atomicly create the monitor and initialize the (global) pointer, 
+ * if it is not already created/initialized.
+ */
+
+extern SECStatus nss_InitMonitor(PZMonitor **ppMonitor, nssILockType ltype );
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/util/nssrwlk.c b/security/nss/lib/util/nssrwlk.c
new file mode 100644
index 000000000..6913b4165
--- /dev/null
+++ b/security/nss/lib/util/nssrwlk.c
@@ -0,0 +1,509 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "nssrwlk.h"
+#include "nspr.h"
+
+PR_BEGIN_EXTERN_C
+
+/*
+ * Reader-writer lock
+ */
+struct nssRWLockStr {
+    PZLock *        rw_lock;
+    char   *        rw_name;            /* lock name                    */
+    PRUint32        rw_rank;            /* rank of the lock             */
+    PRInt32         rw_writer_locks;    /* ==  0, if unlocked           */
+    PRInt32         rw_reader_locks;    /* ==  0, if unlocked           */
+                                        /* > 0  , # of read locks       */
+    PRUint32        rw_waiting_readers; /* number of waiting readers    */
+    PRUint32        rw_waiting_writers; /* number of waiting writers    */
+    PZCondVar *     rw_reader_waitq;    /* cvar for readers             */
+    PZCondVar *     rw_writer_waitq;    /* cvar for writers             */
+    PRThread  *     rw_owner;           /* lock owner for write-lock    */
+                                        /* Non-null if write lock held. */
+};
+
+PR_END_EXTERN_C
+
+#include <string.h>
+
+#ifdef DEBUG_RANK_ORDER
+#define NSS_RWLOCK_RANK_ORDER_DEBUG /* enable deadlock detection using
+                                       rank-order for locks
+                                    */
+#endif
+
+#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
+
+static PRUintn  nss_thread_rwlock_initialized;
+static PRUintn  nss_thread_rwlock;               /* TPD key for lock stack */
+static PRUintn  nss_thread_rwlock_alloc_failed;
+
+#define _NSS_RWLOCK_RANK_ORDER_LIMIT 10
+
+typedef struct thread_rwlock_stack {
+    PRInt32     trs_index;                                  /* top of stack */
+    NSSRWLock    *trs_stack[_NSS_RWLOCK_RANK_ORDER_LIMIT];  /* stack of lock
+                                                               pointers */
+} thread_rwlock_stack;
+
+/* forward static declarations. */
+static PRUint32 nssRWLock_GetThreadRank(PRThread *me);
+static void     nssRWLock_SetThreadRank(PRThread *me, NSSRWLock *rwlock);
+static void     nssRWLock_UnsetThreadRank(PRThread *me, NSSRWLock *rwlock);
+static void     nssRWLock_ReleaseLockStack(void *lock_stack);
+
+#endif
+
+#define UNTIL(x) while(!(x))
+
+/*
+ * Reader/Writer Locks
+ */
+
+/*
+ * NSSRWLock_New
+ *      Create a reader-writer lock, with the given lock rank and lock name
+ *
+ */
+
+PR_IMPLEMENT(NSSRWLock *)
+NSSRWLock_New(PRUint32 lock_rank, const char *lock_name)
+{
+    NSSRWLock *rwlock;
+
+    rwlock = PR_NEWZAP(NSSRWLock);
+    if (rwlock == NULL)
+        return NULL;
+
+    rwlock->rw_lock = PZ_NewLock(nssILockRWLock);
+    if (rwlock->rw_lock == NULL) {
+	goto loser;
+    }
+    rwlock->rw_reader_waitq = PZ_NewCondVar(rwlock->rw_lock);
+    if (rwlock->rw_reader_waitq == NULL) {
+	goto loser;
+    }
+    rwlock->rw_writer_waitq = PZ_NewCondVar(rwlock->rw_lock);
+    if (rwlock->rw_writer_waitq == NULL) {
+	goto loser;
+    }
+    if (lock_name != NULL) {
+        rwlock->rw_name = (char*) PR_Malloc(strlen(lock_name) + 1);
+        if (rwlock->rw_name == NULL) {
+	    goto loser;
+        }
+        strcpy(rwlock->rw_name, lock_name);
+    } else {
+        rwlock->rw_name = NULL;
+    }
+    rwlock->rw_rank            = lock_rank;
+    rwlock->rw_waiting_readers = 0;
+    rwlock->rw_waiting_writers = 0;
+    rwlock->rw_reader_locks    = 0;
+    rwlock->rw_writer_locks    = 0;
+
+    return rwlock;
+
+loser:
+    NSSRWLock_Destroy(rwlock);
+    return(NULL);
+}
+
+/*
+** Destroy the given RWLock "lock".
+*/
+PR_IMPLEMENT(void)
+NSSRWLock_Destroy(NSSRWLock *rwlock)
+{
+    PR_ASSERT(rwlock != NULL);
+    PR_ASSERT(rwlock->rw_waiting_readers == 0);
+
+    /* XXX Shouldn't we lock the PZLock before destroying this?? */
+
+    if (rwlock->rw_name)
+    	PR_Free(rwlock->rw_name);
+    if (rwlock->rw_reader_waitq)
+    	PZ_DestroyCondVar(rwlock->rw_reader_waitq);
+    if (rwlock->rw_writer_waitq)
+	PZ_DestroyCondVar(rwlock->rw_writer_waitq);
+    if (rwlock->rw_lock)
+	PZ_DestroyLock(rwlock->rw_lock);
+    PR_DELETE(rwlock);
+}
+
+/***********************************************************************
+**  Given the address of a NULL pointer to a NSSRWLock, 
+**  atomically initializes that pointer to a newly created NSSRWLock.
+**  Returns the value placed into that pointer, or NULL.
+**   If the lock cannot be created because of resource constraints, 
+**   the pointer will be left NULL.
+**  
+***********************************************************************/
+PR_IMPLEMENT(NSSRWLock *)
+nssRWLock_AtomicCreate( NSSRWLock  ** prwlock, 
+			PRUint32      lock_rank, 
+			const char *  lock_name)
+{
+    NSSRWLock  *    rwlock;
+    static PRInt32  initializers;
+
+    PR_ASSERT(prwlock != NULL);
+
+    /* atomically initialize the lock */
+    while (NULL == (rwlock = *prwlock)) {
+        PRInt32 myAttempt = PR_AtomicIncrement(&initializers);
+        if (myAttempt == 1) {
+	    *prwlock = rwlock = NSSRWLock_New(lock_rank, lock_name);
+            (void) PR_AtomicDecrement(&initializers);
+            break;
+        }
+        PR_Sleep(PR_INTERVAL_NO_WAIT);          /* PR_Yield() */
+        (void) PR_AtomicDecrement(&initializers);
+    }
+
+    return rwlock;
+}
+
+/*
+** Read-lock the RWLock.
+*/
+PR_IMPLEMENT(void)
+NSSRWLock_LockRead(NSSRWLock *rwlock)
+{
+    PRThread *me = PR_GetCurrentThread();
+
+    PZ_Lock(rwlock->rw_lock);
+#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
+
+    /*
+     * assert that rank ordering is not violated; the rank of 'rwlock' should
+     * be equal to or greater than the highest rank of all the locks held by
+     * the thread.
+     */
+    PR_ASSERT((rwlock->rw_rank == NSS_RWLOCK_RANK_NONE) ||
+              (rwlock->rw_rank >= nssRWLock_GetThreadRank(me)));
+#endif
+    /*
+     * wait if write-locked or if a writer is waiting; preference for writers
+     */
+    UNTIL ( (rwlock->rw_owner == me) ||		  /* I own it, or        */
+	   ((rwlock->rw_owner == NULL) &&	  /* no-one owns it, and */
+	    (rwlock->rw_waiting_writers == 0))) { /* no-one is waiting to own */
+
+	rwlock->rw_waiting_readers++;
+	PZ_WaitCondVar(rwlock->rw_reader_waitq, PR_INTERVAL_NO_TIMEOUT);
+	rwlock->rw_waiting_readers--;
+    }
+    rwlock->rw_reader_locks++; 		/* Increment read-lock count */
+
+    PZ_Unlock(rwlock->rw_lock);
+
+#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
+    nssRWLock_SetThreadRank(me, rwlock);/* update thread's lock rank */
+#endif
+}
+
+/* Unlock a Read lock held on this RW lock.
+*/
+PR_IMPLEMENT(void)
+NSSRWLock_UnlockRead(NSSRWLock *rwlock)
+{
+    PZ_Lock(rwlock->rw_lock);
+
+    PR_ASSERT(rwlock->rw_reader_locks > 0); /* lock must be read locked */
+
+    if ((  rwlock->rw_reader_locks  > 0)  &&	/* caller isn't screwey */
+        (--rwlock->rw_reader_locks == 0)  &&	/* not read locked any more */
+	(  rwlock->rw_owner        == NULL) &&	/* not write locked */
+	(  rwlock->rw_waiting_writers > 0)) {	/* someone's waiting. */
+
+	PZ_NotifyCondVar(rwlock->rw_writer_waitq); /* wake him up. */
+    }
+
+    PZ_Unlock(rwlock->rw_lock);
+
+#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
+    /*
+     * update thread's lock rank
+     */
+    nssRWLock_UnsetThreadRank(me, rwlock);
+#endif
+    return;
+}
+
+/*
+** Write-lock the RWLock.
+*/
+PR_IMPLEMENT(void)
+NSSRWLock_LockWrite(NSSRWLock *rwlock)
+{
+    PRThread *me = PR_GetCurrentThread();
+
+    PZ_Lock(rwlock->rw_lock);
+#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
+    /*
+     * assert that rank ordering is not violated; the rank of 'rwlock' should
+     * be equal to or greater than the highest rank of all the locks held by
+     * the thread.
+     */
+    PR_ASSERT((rwlock->rw_rank == NSS_RWLOCK_RANK_NONE) ||
+                    (rwlock->rw_rank >= nssRWLock_GetThreadRank(me)));
+#endif
+    /*
+     * wait if read locked or write locked.
+     */
+    PR_ASSERT(rwlock->rw_reader_locks >= 0);
+    PR_ASSERT(me != NULL);
+
+    UNTIL ( (rwlock->rw_owner == me) ||           /* I own write lock, or */
+	   ((rwlock->rw_owner == NULL) &&	  /* no writer   and */
+	    (rwlock->rw_reader_locks == 0))) {    /* no readers, either. */
+
+        rwlock->rw_waiting_writers++;
+        PZ_WaitCondVar(rwlock->rw_writer_waitq, PR_INTERVAL_NO_TIMEOUT);
+        rwlock->rw_waiting_writers--;
+	PR_ASSERT(rwlock->rw_reader_locks >= 0);
+    }
+
+    PR_ASSERT(rwlock->rw_reader_locks == 0);
+    /*
+     * apply write lock
+     */
+    rwlock->rw_owner = me;
+    rwlock->rw_writer_locks++; 		/* Increment write-lock count */
+
+    PZ_Unlock(rwlock->rw_lock);
+
+#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
+    /*
+     * update thread's lock rank
+     */
+    nssRWLock_SetThreadRank(me,rwlock);
+#endif
+}
+
+/* Unlock a Read lock held on this RW lock.
+*/
+PR_IMPLEMENT(void)
+NSSRWLock_UnlockWrite(NSSRWLock *rwlock)
+{
+    PRThread *me = PR_GetCurrentThread();
+
+    PZ_Lock(rwlock->rw_lock);
+    PR_ASSERT(rwlock->rw_owner == me); /* lock must be write-locked by me.  */
+    PR_ASSERT(rwlock->rw_writer_locks > 0); /* lock must be write locked */
+
+    if (  rwlock->rw_owner        == me  &&	/* I own it, and            */
+          rwlock->rw_writer_locks  > 0   &&	/* I own it, and            */
+        --rwlock->rw_writer_locks == 0) {	/* I'm all done with it     */
+
+	rwlock->rw_owner = NULL;		/* I don't own it any more. */
+
+	if (rwlock->rw_reader_locks == 0) { /* no readers, wake up somebody. */
+	    /* Give preference to waiting writers. */
+	    if (rwlock->rw_waiting_writers > 0) 
+		PZ_NotifyCondVar(rwlock->rw_writer_waitq);
+	    else if (rwlock->rw_waiting_readers > 0)
+		PZ_NotifyAllCondVar(rwlock->rw_reader_waitq);
+	}
+    }
+    PZ_Unlock(rwlock->rw_lock);
+
+#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
+    /*
+     * update thread's lock rank
+     */
+    nssRWLock_UnsetThreadRank(me, rwlock);
+#endif
+    return;
+}
+
+/* This is primarily for debugging, i.e. for inclusion in ASSERT calls. */
+PR_IMPLEMENT(PRBool)
+NSSRWLock_HaveWriteLock(NSSRWLock *rwlock) {
+    PRBool ownWriteLock;
+    PRThread *me = PR_GetCurrentThread();
+
+    /* This lock call isn't really necessary.
+    ** If this thread is the owner, that fact cannot change during this call,
+    ** because this thread is in this call.
+    ** If this thread is NOT the owner, the owner could change, but it 
+    ** could not become this thread.  
+    */
+#if UNNECESSARY
+    PZ_Lock(rwlock->rw_lock);	
+#endif
+    ownWriteLock = (PRBool)(me == rwlock->rw_owner);
+#if UNNECESSARY
+    PZ_Unlock(rwlock->rw_lock);
+#endif
+    return ownWriteLock;
+}
+
+#ifdef NSS_RWLOCK_RANK_ORDER_DEBUG
+
+/*
+ * nssRWLock_SetThreadRank
+ *      Set a thread's lock rank, which is the highest of the ranks of all
+ *      the locks held by the thread. Pointers to the locks are added to a
+ *      per-thread list, which is anchored off a thread-private data key.
+ */
+
+static void
+nssRWLock_SetThreadRank(PRThread *me, NSSRWLock *rwlock)
+{
+    thread_rwlock_stack *lock_stack;
+    PRStatus rv;
+
+    /*
+     * allocated thread-private-data for rwlock list, if not already allocated
+     */
+    if (!nss_thread_rwlock_initialized) {
+        /*
+         * allocate tpd, only if not failed already
+         */
+        if (!nss_thread_rwlock_alloc_failed) {
+            if (PR_NewThreadPrivateIndex(&nss_thread_rwlock,
+                                        nssRWLock_ReleaseLockStack)
+                                                == PR_FAILURE) {
+                nss_thread_rwlock_alloc_failed = 1;
+                return;
+            }
+        } else
+            return;
+    }
+    /*
+     * allocate a lock stack
+     */
+    if ((lock_stack = PR_GetThreadPrivate(nss_thread_rwlock)) == NULL) {
+        lock_stack = (thread_rwlock_stack *)
+                        PR_CALLOC(1 * sizeof(thread_rwlock_stack));
+        if (lock_stack) {
+            rv = PR_SetThreadPrivate(nss_thread_rwlock, lock_stack);
+            if (rv == PR_FAILURE) {
+                PR_DELETE(lock_stack);
+                nss_thread_rwlock_alloc_failed = 1;
+                return;
+            }
+        } else {
+            nss_thread_rwlock_alloc_failed = 1;
+            return;
+        }
+    }
+    /*
+     * add rwlock to lock stack, if limit is not exceeded
+     */
+    if (lock_stack) {
+        if (lock_stack->trs_index < _NSS_RWLOCK_RANK_ORDER_LIMIT)
+            lock_stack->trs_stack[lock_stack->trs_index++] = rwlock;
+    }
+    nss_thread_rwlock_initialized = 1;
+}
+
+static void
+nssRWLock_ReleaseLockStack(void *lock_stack)
+{
+    PR_ASSERT(lock_stack);
+    PR_DELETE(lock_stack);
+}
+
+/*
+ * nssRWLock_GetThreadRank
+ *
+ *      return thread's lock rank. If thread-private-data for the lock
+ *      stack is not allocated, return NSS_RWLOCK_RANK_NONE.
+ */
+
+static PRUint32
+nssRWLock_GetThreadRank(PRThread *me)
+{
+    thread_rwlock_stack *lock_stack;
+
+    if (nss_thread_rwlock_initialized) {
+        if ((lock_stack = PR_GetThreadPrivate(nss_thread_rwlock)) == NULL)
+            return (NSS_RWLOCK_RANK_NONE);
+        else
+            return(lock_stack->trs_stack[lock_stack->trs_index - 1]->rw_rank);
+
+    } else
+            return (NSS_RWLOCK_RANK_NONE);
+}
+
+/*
+ * nssRWLock_UnsetThreadRank
+ *
+ *      remove the rwlock from the lock stack. Since locks may not be
+ *      unlocked in a FIFO order, the entire lock stack is searched.
+ */
+
+static void
+nssRWLock_UnsetThreadRank(PRThread *me, NSSRWLock *rwlock)
+{
+    thread_rwlock_stack *lock_stack;
+    int new_index = 0, index, done = 0;
+
+    if (!nss_thread_rwlock_initialized)
+        return;
+
+    lock_stack = PR_GetThreadPrivate(nss_thread_rwlock);
+
+    PR_ASSERT(lock_stack != NULL);
+
+    index = lock_stack->trs_index - 1;
+    while (index-- >= 0) {
+        if ((lock_stack->trs_stack[index] == rwlock) && !done)  {
+            /*
+             * reset the slot for rwlock
+             */
+            lock_stack->trs_stack[index] = NULL;
+            done = 1;
+        }
+        /*
+         * search for the lowest-numbered empty slot, above which there are
+         * no non-empty slots
+         */
+        if ((lock_stack->trs_stack[index] != NULL) && !new_index)
+            new_index = index + 1;
+        if (done && new_index)
+            break;
+    }
+    /*
+     * set top of stack to highest numbered empty slot
+     */
+    lock_stack->trs_index = new_index;
+
+}
+
+#endif  /* NSS_RWLOCK_RANK_ORDER_DEBUG */
diff --git a/security/nss/lib/util/nssrwlk.h b/security/nss/lib/util/nssrwlk.h
new file mode 100644
index 000000000..3cad4b72d
--- /dev/null
+++ b/security/nss/lib/util/nssrwlk.h
@@ -0,0 +1,160 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+** File:		nsrwlock.h
+** Description:	API to basic reader-writer lock functions of NSS.
+**	These are re-entrant reader writer locks; that is,
+**	If I hold the write lock, I can ask for it and get it again.
+**	If I hold the write lock, I can also ask for and get a read lock.
+**      I can then release the locks in any order (read or write).
+**	I must release each lock type as many times as I acquired it.
+**	Otherwise, these are normal reader/writer locks.
+**
+** For deadlock detection, locks should be ranked, and no lock may be aquired
+** while I hold a lock of higher rank number.
+** If you don't want that feature, always use NSS_RWLOCK_RANK_NONE.
+** Lock name is for debugging, and is optional (may be NULL)
+**/
+
+#ifndef nssrwlk_h___
+#define nssrwlk_h___
+
+#include "prtypes.h"
+#include "nssrwlkt.h"
+
+#define	NSS_RWLOCK_RANK_NONE	0
+
+/* SEC_BEGIN_PROTOS */
+PR_BEGIN_EXTERN_C
+
+/***********************************************************************
+** FUNCTION:    NSSRWLock_New
+** DESCRIPTION:
+**  Returns a pointer to a newly created reader-writer lock object.
+** INPUTS:      Lock rank
+**		Lock name
+** OUTPUTS:     void
+** RETURN:      NSSRWLock*
+**   If the lock cannot be created because of resource constraints, NULL
+**   is returned.
+**  
+***********************************************************************/
+PR_EXTERN(NSSRWLock*) NSSRWLock_New(PRUint32 lock_rank, const char *lock_name);
+
+/***********************************************************************
+** FUNCTION:    NSSRWLock_AtomicCreate
+** DESCRIPTION:
+**  Given the address of a NULL pointer to a NSSRWLock, 
+**  atomically initializes that pointer to a newly created NSSRWLock.
+**  Returns the value placed into that pointer, or NULL.
+**
+** INPUTS:      address of NSRWLock pointer
+**              Lock rank
+**		Lock name
+** OUTPUTS:     NSSRWLock*
+** RETURN:      NSSRWLock*
+**   If the lock cannot be created because of resource constraints, 
+**   the pointer will be left NULL.
+**  
+***********************************************************************/
+PR_EXTERN(NSSRWLock *)
+nssRWLock_AtomicCreate( NSSRWLock  ** prwlock, 
+			PRUint32      lock_rank, 
+			const char *  lock_name);
+
+/***********************************************************************
+** FUNCTION:    NSSRWLock_Destroy
+** DESCRIPTION:
+**  Destroys a given RW lock object.
+** INPUTS:      NSSRWLock *lock - Lock to be freed.
+** OUTPUTS:     void
+** RETURN:      None
+***********************************************************************/
+PR_EXTERN(void) NSSRWLock_Destroy(NSSRWLock *lock);
+
+/***********************************************************************
+** FUNCTION:    NSSRWLock_LockRead
+** DESCRIPTION:
+**  Apply a read lock (non-exclusive) on a RWLock
+** INPUTS:      NSSRWLock *lock - Lock to be read-locked.
+** OUTPUTS:     void
+** RETURN:      None
+***********************************************************************/
+PR_EXTERN(void) NSSRWLock_LockRead(NSSRWLock *lock);
+
+/***********************************************************************
+** FUNCTION:    NSSRWLock_LockWrite
+** DESCRIPTION:
+**  Apply a write lock (exclusive) on a RWLock
+** INPUTS:      NSSRWLock *lock - Lock to write-locked.
+** OUTPUTS:     void
+** RETURN:      None
+***********************************************************************/
+PR_EXTERN(void) NSSRWLock_LockWrite(NSSRWLock *lock);
+
+/***********************************************************************
+** FUNCTION:    NSSRWLock_UnlockRead
+** DESCRIPTION:
+**  Release a Read lock. Unlocking an unlocked lock has undefined results.
+** INPUTS:      NSSRWLock *lock - Lock to unlocked.
+** OUTPUTS:     void
+** RETURN:      void
+***********************************************************************/
+PR_EXTERN(void) NSSRWLock_UnlockRead(NSSRWLock *lock);
+
+/***********************************************************************
+** FUNCTION:    NSSRWLock_UnlockWrite
+** DESCRIPTION:
+**  Release a Write lock. Unlocking an unlocked lock has undefined results.
+** INPUTS:      NSSRWLock *lock - Lock to unlocked.
+** OUTPUTS:     void
+** RETURN:      void
+***********************************************************************/
+PR_EXTERN(void) NSSRWLock_UnlockWrite(NSSRWLock *lock);
+
+/***********************************************************************
+** FUNCTION:    NSSRWLock_HaveWriteLock
+** DESCRIPTION:
+**  Tells caller whether the current thread holds the write lock, or not.
+** INPUTS:      NSSRWLock *lock - Lock to test.
+** OUTPUTS:     void
+** RETURN:      PRBool	PR_TRUE IFF the current thread holds the write lock.
+***********************************************************************/
+
+PR_EXTERN(PRBool) NSSRWLock_HaveWriteLock(NSSRWLock *rwlock);
+
+/* SEC_END_PROTOS */
+PR_END_EXTERN_C
+
+#endif /* nsrwlock_h___ */
diff --git a/security/nss/lib/util/nssrwlkt.h b/security/nss/lib/util/nssrwlkt.h
new file mode 100644
index 000000000..e4bd37c4a
--- /dev/null
+++ b/security/nss/lib/util/nssrwlkt.h
@@ -0,0 +1,47 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef nssrwlkt_h___
+#define nssrwlkt_h___
+#include "nssilock.h"
+/*
+ * NSSRWLock --
+ *
+ *	The reader writer lock, NSSRWLock, is an opaque object to the clients
+ *	of NSS.  All routines operate on a pointer to this opaque entity.
+ */
+
+typedef struct nssRWLockStr NSSRWLock;
+
+
+#endif /* nsrwlock_h___ */
diff --git a/security/nss/lib/util/portreg.c b/security/nss/lib/util/portreg.c
new file mode 100644
index 000000000..79d13d67c
--- /dev/null
+++ b/security/nss/lib/util/portreg.c
@@ -0,0 +1,317 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/* 
+ * shexp.c: shell-like wildcard match routines
+ *
+ *
+ * See shexp.h for public documentation.
+ *
+ */
+
+#include "seccomon.h"
+#include "portreg.h"
+
+/* ----------------------------- shexp_valid ------------------------------ */
+
+
+static int 
+_valid_subexp(char *exp, char stop) 
+{
+    register int x,y,t;
+    int nsc,np,tld;
+
+    x=0;nsc=0;tld=0;
+
+    while(exp[x] && (exp[x] != stop)) {
+        switch(exp[x]) {
+          case '~':
+            if(tld) return INVALID_SXP;
+            else ++tld;
+          case '*':
+          case '?':
+          case '^':
+          case '$':
+            ++nsc;
+            break;
+          case '[':
+            ++nsc;
+            if((!exp[++x]) || (exp[x] == ']'))
+                return INVALID_SXP;
+            for(++x;exp[x] && (exp[x] != ']');++x)
+                if(exp[x] == '\\')
+                    if(!exp[++x])
+                        return INVALID_SXP;
+            if(!exp[x])
+                return INVALID_SXP;
+            break;
+          case '(':
+            ++nsc;np = 0;
+            while(1) {
+                if(exp[++x] == ')')
+                    return INVALID_SXP;
+                for(y=x;(exp[y]) && (exp[y] != '|') && (exp[y] != ')');++y)
+                    if(exp[y] == '\\')
+                        if(!exp[++y])
+                            return INVALID_SXP;
+                if(!exp[y])
+                    return INVALID_SXP;
+                if(exp[y] == '|')
+                    ++np;
+                t = _valid_subexp(&exp[x],exp[y]);
+                if(t == INVALID_SXP)
+                    return INVALID_SXP;
+                x+=t;
+                if(exp[x] == ')') {
+                    if(!np)
+                        return INVALID_SXP;
+                    break;
+                }
+            }
+            break;
+          case ')':
+          case ']':
+            return INVALID_SXP;
+          case '\\':
+            if(!exp[++x])
+                return INVALID_SXP;
+          default:
+            break;
+        }
+        ++x;
+    }
+    if((!stop) && (!nsc))
+        return NON_SXP;
+    return ((exp[x] == stop) ? x : INVALID_SXP);
+}
+
+int 
+PORT_RegExpValid(char *exp) 
+{
+    int x;
+
+    x = _valid_subexp(exp, '\0');
+    return (x < 0 ? x : VALID_SXP);
+}
+
+
+/* ----------------------------- shexp_match ----------------------------- */
+
+
+#define MATCH 0
+#define NOMATCH 1
+#define ABORTED -1
+
+static int _shexp_match(char *str, char *exp, PRBool case_insensitive);
+
+static int 
+_handle_union(char *str, char *exp, PRBool case_insensitive) 
+{
+    char *e2 = (char *) PORT_Alloc(sizeof(char)*strlen(exp));
+    register int t,p2,p1 = 1;
+    int cp;
+
+    while(1) {
+        for(cp=1;exp[cp] != ')';cp++)
+            if(exp[cp] == '\\')
+                ++cp;
+        for(p2 = 0;(exp[p1] != '|') && (p1 != cp);p1++,p2++) {
+            if(exp[p1] == '\\')
+                e2[p2++] = exp[p1++];
+            e2[p2] = exp[p1];
+        }
+        for (t=cp+1; ((e2[p2] = exp[t]) != 0); ++t,++p2) {}
+        if(_shexp_match(str,e2, case_insensitive) == MATCH) {
+            PORT_Free(e2);
+            return MATCH;
+        }
+        if(p1 == cp) {
+            PORT_Free(e2);
+            return NOMATCH;
+        }
+        else ++p1;
+    }
+}
+
+
+static int 
+_shexp_match(char *str, char *exp, PRBool case_insensitive) 
+{
+    register int x,y;
+    int ret,neg;
+
+    ret = 0;
+    for(x=0,y=0;exp[y];++y,++x) {
+        if((!str[x]) && (exp[y] != '(') && (exp[y] != '$') && (exp[y] != '*'))
+            ret = ABORTED;
+        else {
+            switch(exp[y]) {
+              case '$':
+                if( (str[x]) )
+                    ret = NOMATCH;
+                else
+                    --x;             /* we don't want loop to increment x */
+                break;
+              case '*':
+                while(exp[++y] == '*'){}
+                if(!exp[y])
+                    return MATCH;
+                while(str[x]) {
+                    switch(_shexp_match(&str[x++],&exp[y], case_insensitive)) {
+                    case NOMATCH:
+                        continue;
+                    case ABORTED:
+                        ret = ABORTED;
+                        break;
+                    default:
+                        return MATCH;
+                    }
+                    break;
+                }
+                if((exp[y] == '$') && (exp[y+1] == '\0') && (!str[x]))
+                    return MATCH;
+                else
+                    ret = ABORTED;
+                break;
+              case '[':
+              	neg = ((exp[++y] == '^') && (exp[y+1] != ']'));
+                if (neg)
+                    ++y;
+                
+                if ((isalnum(exp[y])) && (exp[y+1] == '-') && 
+                   (isalnum(exp[y+2])) && (exp[y+3] == ']'))
+                    {
+                        int start = exp[y], end = exp[y+2];
+                        
+                        /* no safeguards here */
+                        if(neg ^ ((str[x] < start) || (str[x] > end))) {
+                            ret = NOMATCH;
+                            break;
+                        }
+                        y+=3;
+                    }
+                else {
+                    int matched;
+                    
+                    for (matched=0;exp[y] != ']';y++)
+                        matched |= (str[x] == exp[y]);
+                    if (neg ^ (!matched))
+                        ret = NOMATCH;
+                }
+                break;
+              case '(':
+                return _handle_union(&str[x],&exp[y], case_insensitive);
+                break;
+              case '?':
+                break;
+              case '\\':
+                ++y;
+              default:
+				if(case_insensitive)
+				  {
+                    if(toupper(str[x]) != toupper(exp[y]))
+                        ret = NOMATCH;
+				  }
+				else
+				  {
+                    if(str[x] != exp[y])
+                        ret = NOMATCH;
+				  }
+                break;
+            }
+        }
+        if(ret)
+            break;
+    }
+    return (ret ? ret : (str[x] ? NOMATCH : MATCH));
+}
+
+int 
+PORT_RegExpMatch(char *str, char *xp, PRBool case_insensitive) {
+    register int x;
+    char *exp = 0;
+
+    exp = PORT_Strdup(xp);
+
+    if(!exp)
+	return 1;
+
+    for(x=strlen(exp)-1;x;--x) {
+        if((exp[x] == '~') && (exp[x-1] != '\\')) {
+            exp[x] = '\0';
+            if(_shexp_match(str,&exp[++x], case_insensitive) == MATCH)
+                goto punt;
+            break;
+        }
+    }
+    if(_shexp_match(str,exp, PR_FALSE) == MATCH) {
+        PORT_Free(exp);
+        return 0;
+    }
+
+  punt:
+    PORT_Free(exp);
+    return 1;
+}
+
+
+/* ------------------------------ shexp_cmp ------------------------------- */
+
+int 
+PORT_RegExpSearch(char *str, char *exp)
+{
+    switch(PORT_RegExpValid(exp)) 
+	  {
+        case INVALID_SXP:
+            return -1;
+        case NON_SXP:
+            return (strcmp(exp,str) ? 1 : 0);
+        default:
+            return PORT_RegExpMatch(str, exp, PR_FALSE);
+      }
+}
+
+int
+PORT_RegExpCaseSearch(char *str, char *exp)
+{
+    switch(PORT_RegExpValid(exp))
+      {
+        case INVALID_SXP:
+            return -1;
+        case NON_SXP:
+            return (strcmp(exp,str) ? 1 : 0);
+        default:
+            return PORT_RegExpMatch(str, exp, PR_TRUE);
+      }
+}
+
diff --git a/security/nss/lib/util/portreg.h b/security/nss/lib/util/portreg.h
new file mode 100644
index 000000000..39a2df9d5
--- /dev/null
+++ b/security/nss/lib/util/portreg.h
@@ -0,0 +1,92 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * shexp.h: Defines and prototypes for shell exp. match routines
+ * 
+ *
+ * This routine will match a string with a shell expression. The expressions
+ * accepted are based loosely on the expressions accepted by zsh.
+ * 
+ * o * matches anything
+ * o ? matches one character
+ * o \ will escape a special character
+ * o $ matches the end of the string
+ * o [abc] matches one occurence of a, b, or c. The only character that needs
+ *         to be escaped in this is ], all others are not special.
+ * o [a-z] matches any character between a and z
+ * o [^az] matches any character except a or z
+ * o ~ followed by another shell expression will remove any pattern
+ *     matching the shell expression from the match list
+ * o (foo|bar) will match either the substring foo, or the substring bar.
+ *             These can be shell expressions as well.
+ * 
+ * The public interface to these routines is documented below.
+ * 
+ */
+ 
+#ifndef SHEXP_H
+#define SHEXP_H
+
+/*
+ * Requires that the macro MALLOC be set to a "safe" malloc that will 
+ * exit if no memory is available. 
+ */
+
+
+/* --------------------------- Public routines ---------------------------- */
+
+
+/*
+ * shexp_valid takes a shell expression exp as input. It returns:
+ * 
+ *  NON_SXP      if exp is a standard string
+ *  INVALID_SXP  if exp is a shell expression, but invalid
+ *  VALID_SXP    if exp is a valid shell expression
+ */
+
+#define NON_SXP -1
+#define INVALID_SXP -2
+#define VALID_SXP 1
+
+SEC_BEGIN_PROTOS
+
+extern int PORT_RegExpValid(char *exp);
+
+/* same as above but uses case insensitive search
+ */
+extern int PORT_RegExpCaseSearch(char *str, char *exp);
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/util/pqgutil.c b/security/nss/lib/util/pqgutil.c
new file mode 100644
index 000000000..24e1f62fb
--- /dev/null
+++ b/security/nss/lib/util/pqgutil.c
@@ -0,0 +1,267 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#include "pqgutil.h"
+#include "prerror.h"
+#include "secitem.h"
+
+#define PQG_DEFAULT_CHUNKSIZE 2048	/* bytes */
+
+/**************************************************************************
+ *  Return a pointer to a new PQGParams struct that is a duplicate of     *
+ *  the one passed as an argument.                                        *
+ *  Return NULL on failure, or if NULL was passed in.                     *
+ *                                                                        *
+ **************************************************************************/
+
+PQGParams *
+PQG_DupParams(const PQGParams *src)
+{
+    PRArenaPool *arena;
+    PQGParams *dest;
+    SECStatus status;
+
+    if (src == NULL) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+	return NULL;
+    }
+
+    arena = PORT_NewArena(PQG_DEFAULT_CHUNKSIZE);
+    if (arena == NULL)
+	goto loser;
+
+    dest = (PQGParams*)PORT_ArenaZAlloc(arena, sizeof(PQGParams));
+    if (dest == NULL)
+	goto loser;
+
+    dest->arena = arena;
+
+    status = SECITEM_CopyItem(arena, &dest->prime, &src->prime);
+    if (status != SECSuccess)
+	goto loser;
+
+    status = SECITEM_CopyItem(arena, &dest->subPrime, &src->subPrime);
+    if (status != SECSuccess)
+	goto loser;
+
+    status = SECITEM_CopyItem(arena, &dest->base, &src->base);
+    if (status != SECSuccess)
+	goto loser;
+
+    return dest;
+
+loser:
+    if (arena != NULL)
+	PORT_FreeArena(arena, PR_FALSE);
+    return NULL;
+}
+
+/**************************************************************************
+ *  Return a pointer to a new PQGParams struct that is constructed from   *
+ *  copies of the arguments passed in.                                    *
+ *  Return NULL on failure.                                               *
+ **************************************************************************/
+
+PQGParams *
+PQG_NewParams(const SECItem * prime, const SECItem * subPrime, 
+              const SECItem * base)
+{
+    PQGParams *  dest;
+    PQGParams    src;
+
+    src.arena    = NULL;
+    src.prime    = *prime;
+    src.subPrime = *subPrime;
+    src.base     = *base;
+    dest         = PQG_DupParams(&src);
+    return dest;
+}
+
+/**************************************************************************
+ * Fills in caller's "prime" SECItem with the prime value in params.
+ * Contents can be freed by calling SECITEM_FreeItem(prime, PR_FALSE);	
+ **************************************************************************/
+SECStatus
+PQG_GetPrimeFromParams(const PQGParams *params, SECItem * prime)
+{
+    return SECITEM_CopyItem(NULL, prime, &params->prime);
+}
+
+/**************************************************************************
+ * Fills in caller's "subPrime" SECItem with the prime value in params.
+ * Contents can be freed by calling SECITEM_FreeItem(subPrime, PR_FALSE);	
+ **************************************************************************/
+SECStatus
+PQG_GetSubPrimeFromParams(const PQGParams *params, SECItem * subPrime)
+{
+    return SECITEM_CopyItem(NULL, subPrime, &params->subPrime);
+}
+
+/**************************************************************************
+ * Fills in caller's "base" SECItem with the base value in params.
+ * Contents can be freed by calling SECITEM_FreeItem(base, PR_FALSE);	
+ **************************************************************************/
+SECStatus
+PQG_GetBaseFromParams(const PQGParams *params, SECItem * base)
+{
+    return SECITEM_CopyItem(NULL, base, &params->base);
+}
+
+/**************************************************************************
+ *  Free the PQGParams struct and the things it points to.                *
+ **************************************************************************/
+void
+PQG_DestroyParams(PQGParams *params)
+{
+    if (params == NULL) 
+    	return;
+    if (params->arena != NULL) {
+	PORT_FreeArena(params->arena, PR_FALSE);	/* don't zero it */
+    } else {
+	SECITEM_FreeItem(&params->prime,    PR_FALSE); /* don't free prime */
+	SECITEM_FreeItem(&params->subPrime, PR_FALSE); /* don't free subPrime */
+	SECITEM_FreeItem(&params->base,     PR_FALSE); /* don't free base */
+	PORT_Free(params);
+    }
+}
+
+/**************************************************************************
+ *  Return a pointer to a new PQGVerify struct that is a duplicate of     *
+ *  the one passed as an argument.                                        *
+ *  Return NULL on failure, or if NULL was passed in.                     *
+ **************************************************************************/
+
+PQGVerify *
+PQG_DupVerify(const PQGVerify *src)
+{
+    PRArenaPool *arena;
+    PQGVerify *  dest;
+    SECStatus    status;
+
+    if (src == NULL) {
+	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+	return NULL;
+    }
+
+    arena = PORT_NewArena(PQG_DEFAULT_CHUNKSIZE);
+    if (arena == NULL)
+	goto loser;
+
+    dest = (PQGVerify*)PORT_ArenaZAlloc(arena, sizeof(PQGVerify));
+    if (dest == NULL)
+	goto loser;
+
+    dest->arena   = arena;
+    dest->counter = src->counter;
+
+    status = SECITEM_CopyItem(arena, &dest->seed, &src->seed);
+    if (status != SECSuccess)
+	goto loser;
+
+    status = SECITEM_CopyItem(arena, &dest->h, &src->h);
+    if (status != SECSuccess)
+	goto loser;
+
+    return dest;
+
+loser:
+    if (arena != NULL)
+	PORT_FreeArena(arena, PR_FALSE);
+    return NULL;
+}
+
+/**************************************************************************
+ *  Return a pointer to a new PQGVerify struct that is constructed from   *
+ *  copies of the arguments passed in.                                    *
+ *  Return NULL on failure.                                               *
+ **************************************************************************/
+
+PQGVerify *
+PQG_NewVerify(unsigned int counter, const SECItem * seed, const SECItem * h)
+{
+    PQGVerify *  dest;
+    PQGVerify    src;
+
+    src.arena    = NULL;
+    src.counter  = counter;
+    src.seed     = *seed;
+    src.h        = *h;
+    dest         = PQG_DupVerify(&src);
+    return dest;
+}
+
+/**************************************************************************
+ * Returns the "counter" value from the PQGVerify.
+ **************************************************************************/
+unsigned int
+PQG_GetCounterFromVerify(const PQGVerify *verify)
+{
+    return verify->counter;
+}
+
+/**************************************************************************
+ * Fills in caller's "seed" SECItem with the seed value in verify.
+ * Contents can be freed by calling SECITEM_FreeItem(seed, PR_FALSE);	
+ **************************************************************************/
+SECStatus
+PQG_GetSeedFromVerify(const PQGVerify *verify, SECItem * seed)
+{
+    return SECITEM_CopyItem(NULL, seed, &verify->seed);
+}
+
+/**************************************************************************
+ * Fills in caller's "h" SECItem with the h value in verify.
+ * Contents can be freed by calling SECITEM_FreeItem(h, PR_FALSE);	
+ **************************************************************************/
+SECStatus
+PQG_GetHFromVerify(const PQGVerify *verify, SECItem * h)
+{
+    return SECITEM_CopyItem(NULL, h, &verify->h);
+}
+
+/**************************************************************************
+ *  Free the PQGVerify struct and the things it points to.                *
+ **************************************************************************/
+
+void
+PQG_DestroyVerify(PQGVerify *vfy)
+{
+    if (vfy == NULL) 
+    	return;
+    if (vfy->arena != NULL) {
+	PORT_FreeArena(vfy->arena, PR_FALSE);	/* don't zero it */
+    } else {
+	SECITEM_FreeItem(&vfy->seed,   PR_FALSE); /* don't free seed */
+	SECITEM_FreeItem(&vfy->h,      PR_FALSE); /* don't free h */
+	PORT_Free(vfy);
+    }
+}
diff --git a/security/nss/lib/util/pqgutil.h b/security/nss/lib/util/pqgutil.h
new file mode 100644
index 000000000..1ceb87803
--- /dev/null
+++ b/security/nss/lib/util/pqgutil.h
@@ -0,0 +1,127 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+#ifndef _PQGUTIL_H_
+#define _PQGUTIL_H_ 1
+
+#include "blapi.h"
+
+/**************************************************************************
+ *  Return a pointer to a new PQGParams struct that is a duplicate of     *
+ *  the one passed as an argument.                                        *
+ *  Return NULL on failure, or if NULL was passed in.                     *
+ **************************************************************************/
+extern PQGParams * PQG_DupParams(const PQGParams *src);
+
+
+/**************************************************************************
+ *  Return a pointer to a new PQGParams struct that is constructed from   *
+ *  copies of the arguments passed in.                                    *
+ *  Return NULL on failure.                                               *
+ **************************************************************************/
+extern PQGParams * PQG_NewParams(const SECItem * prime, 
+                                 const SECItem * subPrime, 
+                                 const SECItem * base);
+
+
+/**************************************************************************
+ * Fills in caller's "prime" SECItem with the prime value in params.
+ * Contents can be freed by calling SECITEM_FreeItem(prime, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus PQG_GetPrimeFromParams(const PQGParams *params, 
+                                        SECItem * prime);
+
+
+/**************************************************************************
+ * Fills in caller's "subPrime" SECItem with the prime value in params.
+ * Contents can be freed by calling SECITEM_FreeItem(subPrime, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus PQG_GetSubPrimeFromParams(const PQGParams *params, 
+                                           SECItem * subPrime);
+
+
+/**************************************************************************
+ * Fills in caller's "base" SECItem with the base value in params.
+ * Contents can be freed by calling SECITEM_FreeItem(base, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus PQG_GetBaseFromParams(const PQGParams *params, SECItem *base);
+
+
+/**************************************************************************
+ *  Free the PQGParams struct and the things it points to.                *
+ **************************************************************************/
+extern void PQG_DestroyParams(PQGParams *params);
+
+
+/**************************************************************************
+ *  Return a pointer to a new PQGVerify struct that is a duplicate of     *
+ *  the one passed as an argument.                                        *
+ *  Return NULL on failure, or if NULL was passed in.                     *
+ **************************************************************************/
+extern PQGVerify * PQG_DupVerify(const PQGVerify *src);
+
+
+/**************************************************************************
+ *  Return a pointer to a new PQGVerify struct that is constructed from   *
+ *  copies of the arguments passed in.                                    *
+ *  Return NULL on failure.                                               *
+ **************************************************************************/
+extern PQGVerify * PQG_NewVerify(unsigned int counter, const SECItem * seed, 
+                                 const SECItem * h);
+
+
+/**************************************************************************
+ * Returns "counter" value from the PQGVerify.
+ **************************************************************************/
+extern unsigned int PQG_GetCounterFromVerify(const PQGVerify *verify);
+
+/**************************************************************************
+ * Fills in caller's "seed" SECItem with the seed value in verify.
+ * Contents can be freed by calling SECITEM_FreeItem(seed, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus PQG_GetSeedFromVerify(const PQGVerify *verify, SECItem *seed);
+
+
+/**************************************************************************
+ * Fills in caller's "h" SECItem with the h value in verify.
+ * Contents can be freed by calling SECITEM_FreeItem(h, PR_FALSE);	
+ **************************************************************************/
+extern SECStatus PQG_GetHFromVerify(const PQGVerify *verify, SECItem * h);
+
+
+/**************************************************************************
+ *  Free the PQGVerify struct and the things it points to.                *
+ **************************************************************************/
+extern void PQG_DestroyVerify(PQGVerify *vfy);
+
+
+#endif
diff --git a/security/nss/lib/util/ret_cr16.s b/security/nss/lib/util/ret_cr16.s
new file mode 100644
index 000000000..d1fffc577
--- /dev/null
+++ b/security/nss/lib/util/ret_cr16.s
@@ -0,0 +1,54 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef __LP64__
+        .LEVEL   2.0W
+#else
+        .LEVEL   1.1
+#endif
+
+	.CODE	; equivalent to the following two lines
+;       .SPACE   $TEXT$,SORT=8
+;       .SUBSPA  $CODE$,QUAD=0,ALIGN=4,ACCESS=0x2c,CODE_ONLY,SORT=24
+
+ret_cr16
+	.PROC
+	.CALLINFO 	FRAME=0, NO_CALLS
+	.EXPORT 	ret_cr16,ENTRY
+	.ENTER
+;	BV		%r0(%rp)
+	BV		0(%rp)
+	MFCTL		%cr16,%ret0
+        .LEAVE
+        .PROCEND
+        .END
diff --git a/security/nss/lib/util/secalgid.c b/security/nss/lib/util/secalgid.c
new file mode 100644
index 000000000..a9ef62d95
--- /dev/null
+++ b/security/nss/lib/util/secalgid.c
@@ -0,0 +1,173 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "secoid.h"
+#include "secder.h"	/* XXX remove this when remove the DERTemplate */
+#include "secasn1.h"
+#include "secitem.h"
+#include "secerr.h"
+
+/* XXX Old template; want to expunge it eventually. */
+DERTemplate SECAlgorithmIDTemplate[] = {
+    { DER_SEQUENCE,
+	  0, NULL, sizeof(SECAlgorithmID) },
+    { DER_OBJECT_ID,
+	  offsetof(SECAlgorithmID,algorithm), },
+    { DER_OPTIONAL | DER_ANY,
+	  offsetof(SECAlgorithmID,parameters), },
+    { 0, }
+};
+
+const SEC_ASN1Template SECOID_AlgorithmIDTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SECAlgorithmID) },
+    { SEC_ASN1_OBJECT_ID,
+	  offsetof(SECAlgorithmID,algorithm), },
+    { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
+	  offsetof(SECAlgorithmID,parameters), },
+    { 0, }
+};
+
+SECOidTag
+SECOID_GetAlgorithmTag(SECAlgorithmID *id)
+{
+    if (id == NULL || id->algorithm.data == NULL)
+	return SEC_OID_UNKNOWN;
+
+    return SECOID_FindOIDTag (&(id->algorithm));
+}
+
+SECStatus
+SECOID_SetAlgorithmID(PRArenaPool *arena, SECAlgorithmID *id, SECOidTag which,
+		      SECItem *params)
+{
+    SECOidData *oiddata;
+    PRBool add_null_param;
+
+    oiddata = SECOID_FindOIDByTag(which);
+    if ( !oiddata ) {
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return SECFailure;
+    }
+
+    if (SECITEM_CopyItem(arena, &id->algorithm, &oiddata->oid))
+	return SECFailure;
+
+    switch (which) {
+      case SEC_OID_MD2:
+      case SEC_OID_MD4:
+      case SEC_OID_MD5:
+      case SEC_OID_SHA1:
+      case SEC_OID_PKCS1_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
+      case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
+	add_null_param = PR_TRUE;
+	break;
+      default:
+	add_null_param = PR_FALSE;
+	break;
+    }
+
+    if (params) {
+	/*
+	 * I am specifically *not* enforcing the following assertion
+	 * (by following it up with an error and a return of failure)
+	 * because I do not want to introduce any change in the current
+	 * behavior.  But I do want for us to notice if the following is
+	 * ever true, because I do not think it should be so and probably
+	 * signifies an error/bug somewhere.
+	 */
+	PORT_Assert(!add_null_param || (params->len == 2
+					&& params->data[0] == SEC_ASN1_NULL
+					&& params->data[1] == 0));
+	if (SECITEM_CopyItem(arena, &id->parameters, params)) {
+	    return SECFailure;
+	}
+    } else {
+	/*
+	 * Again, this is not considered an error.  But if we assume
+	 * that nobody tries to set the parameters field themselves
+	 * (but always uses this routine to do that), then we should
+	 * not hit the following assertion.  Unless they forgot to zero
+	 * the structure, which could also be a bad (and wrong) thing.
+	 */
+	PORT_Assert(id->parameters.data == NULL);
+
+	if (add_null_param) {
+	    (void) SECITEM_AllocItem(arena, &id->parameters, 2);
+	    if (id->parameters.data == NULL) {
+		return SECFailure;
+	    }
+	    id->parameters.data[0] = SEC_ASN1_NULL;
+	    id->parameters.data[1] = 0;
+	}
+    }
+
+    return SECSuccess;
+}
+
+SECStatus
+SECOID_CopyAlgorithmID(PRArenaPool *arena, SECAlgorithmID *to, SECAlgorithmID *from)
+{
+    SECStatus rv;
+
+    rv = SECITEM_CopyItem(arena, &to->algorithm, &from->algorithm);
+    if (rv) return rv;
+    rv = SECITEM_CopyItem(arena, &to->parameters, &from->parameters);
+    return rv;
+}
+
+void SECOID_DestroyAlgorithmID(SECAlgorithmID *algid, PRBool freeit)
+{
+    SECITEM_FreeItem(&algid->parameters, PR_FALSE);
+    SECITEM_FreeItem(&algid->algorithm, PR_FALSE);
+    if(freeit == PR_TRUE)
+        PORT_Free(algid);
+}
+
+SECComparison
+SECOID_CompareAlgorithmID(SECAlgorithmID *a, SECAlgorithmID *b)
+{
+    SECComparison rv;
+
+    rv = SECITEM_CompareItem(&a->algorithm, &b->algorithm);
+    if (rv) return rv;
+    rv = SECITEM_CompareItem(&a->parameters, &b->parameters);
+    return rv;
+}
+
+/* This functions simply returns the address of the above-declared template. */
+SEC_ASN1_CHOOSER_IMPLEMENT(SECOID_AlgorithmIDTemplate)
+
diff --git a/security/nss/lib/util/secasn1.h b/security/nss/lib/util/secasn1.h
new file mode 100644
index 000000000..4d5c9971c
--- /dev/null
+++ b/security/nss/lib/util/secasn1.h
@@ -0,0 +1,284 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Support for encoding/decoding of ASN.1 using BER/DER (Basic/Distinguished
+ * Encoding Rules).  The routines are found in and used extensively by the
+ * security library, but exported for other use.
+ *
+ * $Id$
+ */
+
+#ifndef _SECASN1_H_
+#define _SECASN1_H_
+
+#include "plarena.h"
+
+#include "seccomon.h"
+#include "secasn1t.h"
+
+
+/************************************************************************/
+SEC_BEGIN_PROTOS
+
+/*
+ * XXX These function prototypes need full, explanatory comments.
+ */
+
+/*
+** Decoding.
+*/
+
+extern SEC_ASN1DecoderContext *SEC_ASN1DecoderStart(PRArenaPool *pool,
+						    void *dest,
+						    const SEC_ASN1Template *t);
+
+/* XXX char or unsigned char? */
+extern SECStatus SEC_ASN1DecoderUpdate(SEC_ASN1DecoderContext *cx,
+				       const char *buf,
+				       unsigned long len);
+
+extern SECStatus SEC_ASN1DecoderFinish(SEC_ASN1DecoderContext *cx);
+
+extern void SEC_ASN1DecoderSetFilterProc(SEC_ASN1DecoderContext *cx,
+					 SEC_ASN1WriteProc fn,
+					 void *arg, PRBool no_store);
+
+extern void SEC_ASN1DecoderClearFilterProc(SEC_ASN1DecoderContext *cx);
+
+extern void SEC_ASN1DecoderSetNotifyProc(SEC_ASN1DecoderContext *cx,
+					 SEC_ASN1NotifyProc fn,
+					 void *arg);
+
+extern void SEC_ASN1DecoderClearNotifyProc(SEC_ASN1DecoderContext *cx);
+
+extern SECStatus SEC_ASN1Decode(PRArenaPool *pool, void *dest,
+				const SEC_ASN1Template *t,
+				const char *buf, long len);
+
+extern SECStatus SEC_ASN1DecodeItem(PRArenaPool *pool, void *dest,
+				    const SEC_ASN1Template *t,
+				    SECItem *item);
+/*
+** Encoding.
+*/
+
+extern SEC_ASN1EncoderContext *SEC_ASN1EncoderStart(void *src,
+						    const SEC_ASN1Template *t,
+						    SEC_ASN1WriteProc fn,
+						    void *output_arg);
+
+/* XXX char or unsigned char? */
+extern SECStatus SEC_ASN1EncoderUpdate(SEC_ASN1EncoderContext *cx,
+				       const char *buf,
+				       unsigned long len);
+
+extern void SEC_ASN1EncoderFinish(SEC_ASN1EncoderContext *cx);
+
+extern void SEC_ASN1EncoderSetNotifyProc(SEC_ASN1EncoderContext *cx,
+					 SEC_ASN1NotifyProc fn,
+					 void *arg);
+
+extern void SEC_ASN1EncoderClearNotifyProc(SEC_ASN1EncoderContext *cx);
+
+extern void SEC_ASN1EncoderSetStreaming(SEC_ASN1EncoderContext *cx);
+
+extern void SEC_ASN1EncoderClearStreaming(SEC_ASN1EncoderContext *cx);
+
+extern void sec_ASN1EncoderSetDER(SEC_ASN1EncoderContext *cx);
+
+extern void sec_ASN1EncoderClearDER(SEC_ASN1EncoderContext *cx);
+
+extern void SEC_ASN1EncoderSetTakeFromBuf(SEC_ASN1EncoderContext *cx);
+
+extern void SEC_ASN1EncoderClearTakeFromBuf(SEC_ASN1EncoderContext *cx);
+
+extern SECStatus SEC_ASN1Encode(void *src, const SEC_ASN1Template *t,
+				SEC_ASN1WriteProc output_proc,
+				void *output_arg);
+
+extern SECItem * SEC_ASN1EncodeItem(PRArenaPool *pool, SECItem *dest,
+				    void *src, const SEC_ASN1Template *t);
+
+extern SECItem * SEC_ASN1EncodeInteger(PRArenaPool *pool,
+				       SECItem *dest, long value);
+
+extern SECItem * SEC_ASN1EncodeUnsignedInteger(PRArenaPool *pool,
+					       SECItem *dest,
+					       unsigned long value);
+
+extern SECStatus SEC_ASN1DecodeInteger(SECItem *src,
+				       unsigned long *value);
+
+/*
+** Utilities.
+*/
+
+/*
+ * We have a length that needs to be encoded; how many bytes will the
+ * encoding take?
+ */
+extern int SEC_ASN1LengthLength (unsigned long len);
+
+/* encode the length and return the number of bytes we encoded. Buffer
+ * must be pre allocated  */
+extern int SEC_ASN1EncodeLength(unsigned char *buf,int value);
+
+/*
+ * Find the appropriate subtemplate for the given template.
+ * This may involve calling a "chooser" function, or it may just
+ * be right there.  In either case, it is expected to *have* a
+ * subtemplate; this is asserted in debug builds (in non-debug
+ * builds, NULL will be returned).
+ *
+ * "thing" is a pointer to the structure being encoded/decoded
+ * "encoding", when true, means that we are in the process of encoding
+ *	(as opposed to in the process of decoding)
+ */
+extern const SEC_ASN1Template *
+SEC_ASN1GetSubtemplate (const SEC_ASN1Template *inTemplate, void *thing,
+			PRBool encoding);
+
+/************************************************************************/
+
+/*
+ * Generic Templates
+ * One for each of the simple types, plus a special one for ANY, plus:
+ *	- a pointer to each one of those
+ *	- a set of each one of those
+ *	- a sequence of each one of those
+ *
+ * Note that these are alphabetical (case insensitive); please add new
+ * ones in the appropriate place.
+ */
+
+extern const SEC_ASN1Template SEC_AnyTemplate[];
+extern const SEC_ASN1Template SEC_BitStringTemplate[];
+extern const SEC_ASN1Template SEC_BMPStringTemplate[];
+extern const SEC_ASN1Template SEC_BooleanTemplate[];
+extern const SEC_ASN1Template SEC_EnumeratedTemplate[];
+extern const SEC_ASN1Template SEC_GeneralizedTimeTemplate[];
+extern const SEC_ASN1Template SEC_IA5StringTemplate[];
+extern const SEC_ASN1Template SEC_IntegerTemplate[];
+extern const SEC_ASN1Template SEC_NullTemplate[];
+extern const SEC_ASN1Template SEC_ObjectIDTemplate[];
+extern const SEC_ASN1Template SEC_OctetStringTemplate[];
+extern const SEC_ASN1Template SEC_PrintableStringTemplate[];
+extern const SEC_ASN1Template SEC_T61StringTemplate[];
+extern const SEC_ASN1Template SEC_UniversalStringTemplate[];
+extern const SEC_ASN1Template SEC_UTCTimeTemplate[];
+extern const SEC_ASN1Template SEC_UTF8StringTemplate[];
+extern const SEC_ASN1Template SEC_VisibleStringTemplate[];
+
+extern const SEC_ASN1Template SEC_PointerToAnyTemplate[];
+extern const SEC_ASN1Template SEC_PointerToBitStringTemplate[];
+extern const SEC_ASN1Template SEC_PointerToBMPStringTemplate[];
+extern const SEC_ASN1Template SEC_PointerToBooleanTemplate[];
+extern const SEC_ASN1Template SEC_PointerToEnumeratedTemplate[];
+extern const SEC_ASN1Template SEC_PointerToGeneralizedTimeTemplate[];
+extern const SEC_ASN1Template SEC_PointerToIA5StringTemplate[];
+extern const SEC_ASN1Template SEC_PointerToIntegerTemplate[];
+extern const SEC_ASN1Template SEC_PointerToNullTemplate[];
+extern const SEC_ASN1Template SEC_PointerToObjectIDTemplate[];
+extern const SEC_ASN1Template SEC_PointerToOctetStringTemplate[];
+extern const SEC_ASN1Template SEC_PointerToPrintableStringTemplate[];
+extern const SEC_ASN1Template SEC_PointerToT61StringTemplate[];
+extern const SEC_ASN1Template SEC_PointerToUniversalStringTemplate[];
+extern const SEC_ASN1Template SEC_PointerToUTCTimeTemplate[];
+extern const SEC_ASN1Template SEC_PointerToUTF8StringTemplate[];
+extern const SEC_ASN1Template SEC_PointerToVisibleStringTemplate[];
+
+extern const SEC_ASN1Template SEC_SequenceOfAnyTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfBitStringTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfBMPStringTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfBooleanTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfEnumeratedTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfGeneralizedTimeTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfIA5StringTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfIntegerTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfNullTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfObjectIDTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfOctetStringTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfPrintableStringTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfT61StringTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfUniversalStringTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfUTCTimeTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfUTF8StringTemplate[];
+extern const SEC_ASN1Template SEC_SequenceOfVisibleStringTemplate[];
+
+extern const SEC_ASN1Template SEC_SetOfAnyTemplate[];
+extern const SEC_ASN1Template SEC_SetOfBitStringTemplate[];
+extern const SEC_ASN1Template SEC_SetOfBMPStringTemplate[];
+extern const SEC_ASN1Template SEC_SetOfBooleanTemplate[];
+extern const SEC_ASN1Template SEC_SetOfEnumeratedTemplate[];
+extern const SEC_ASN1Template SEC_SetOfGeneralizedTimeTemplate[];
+extern const SEC_ASN1Template SEC_SetOfIA5StringTemplate[];
+extern const SEC_ASN1Template SEC_SetOfIntegerTemplate[];
+extern const SEC_ASN1Template SEC_SetOfNullTemplate[];
+extern const SEC_ASN1Template SEC_SetOfObjectIDTemplate[];
+extern const SEC_ASN1Template SEC_SetOfOctetStringTemplate[];
+extern const SEC_ASN1Template SEC_SetOfPrintableStringTemplate[];
+extern const SEC_ASN1Template SEC_SetOfT61StringTemplate[];
+extern const SEC_ASN1Template SEC_SetOfUniversalStringTemplate[];
+extern const SEC_ASN1Template SEC_SetOfUTCTimeTemplate[];
+extern const SEC_ASN1Template SEC_SetOfUTF8StringTemplate[];
+extern const SEC_ASN1Template SEC_SetOfVisibleStringTemplate[];
+
+/*
+ * Template for skipping a subitem; this only makes sense when decoding.
+ */
+extern const SEC_ASN1Template SEC_SkipTemplate[];
+
+/* These functions simply return the address of the above-declared templates.
+** This is necessary for Windows DLLs.  Sigh.
+*/
+SEC_ASN1_CHOOSER_DECLARE(SEC_AnyTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_BMPStringTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_BooleanTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_BitStringTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_GeneralizedTimeTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_IA5StringTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_IntegerTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_NullTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_ObjectIDTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_OctetStringTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_UTCTimeTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_UTF8StringTemplate)
+
+SEC_ASN1_CHOOSER_DECLARE(SEC_PointerToAnyTemplate)
+SEC_ASN1_CHOOSER_DECLARE(SEC_PointerToOctetStringTemplate)
+
+SEC_ASN1_CHOOSER_DECLARE(SEC_SetOfAnyTemplate)
+
+SEC_END_PROTOS
+#endif /* _SECASN1_H_ */
diff --git a/security/nss/lib/util/secasn1d.c b/security/nss/lib/util/secasn1d.c
new file mode 100644
index 000000000..b0f62b75c
--- /dev/null
+++ b/security/nss/lib/util/secasn1d.c
@@ -0,0 +1,2997 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Support for DEcoding ASN.1 data based on BER/DER (Basic/Distinguished
+ * Encoding Rules).
+ *
+ * $Id$
+ */
+
+#include "secasn1.h"
+#include "secerr.h"
+
+typedef enum {
+    beforeIdentifier,
+    duringIdentifier,
+    afterIdentifier,
+    beforeLength,
+    duringLength,
+    afterLength,
+    beforeBitString,
+    duringBitString,
+    duringConstructedString,
+    duringGroup,
+    duringLeaf,
+    duringSaveEncoding,
+    duringSequence,
+    afterConstructedString,
+    afterGroup,
+    afterExplicit,
+    afterImplicit,
+    afterInline,
+    afterPointer,
+    afterSaveEncoding,
+    beforeEndOfContents,
+    duringEndOfContents,
+    afterEndOfContents,
+    beforeChoice,
+    duringChoice,
+    afterChoice,
+    notInUse
+} sec_asn1d_parse_place;
+
+#ifdef DEBUG_ASN1D_STATES
+static const char *place_names[] = {
+    "beforeIdentifier",
+    "duringIdentifier",
+    "afterIdentifier",
+    "beforeLength",
+    "duringLength",
+    "afterLength",
+    "beforeBitString",
+    "duringBitString",
+    "duringConstructedString",
+    "duringGroup",
+    "duringLeaf",
+    "duringSaveEncoding",
+    "duringSequence",
+    "afterConstructedString",
+    "afterGroup",
+    "afterExplicit",
+    "afterImplicit",
+    "afterInline",
+    "afterPointer",
+    "afterSaveEncoding",
+    "beforeEndOfContents",
+    "duringEndOfContents",
+    "afterEndOfContents",
+    "beforeChoice",
+    "duringChoice",
+    "afterChoice",
+    "notInUse"
+};
+#endif /* DEBUG_ASN1D_STATES */
+
+typedef enum {
+    allDone,
+    decodeError,
+    keepGoing,
+    needBytes
+} sec_asn1d_parse_status;
+
+struct subitem {
+    const void *data;
+    unsigned long len;		/* only used for substrings */
+    struct subitem *next;
+};
+
+typedef struct sec_asn1d_state_struct {
+    SEC_ASN1DecoderContext *top;
+    const SEC_ASN1Template *theTemplate;
+    void *dest;
+
+    void *our_mark;	/* free on completion */
+
+    struct sec_asn1d_state_struct *parent;	/* aka prev */
+    struct sec_asn1d_state_struct *child;	/* aka next */
+
+    sec_asn1d_parse_place place;
+
+    /*
+     * XXX explain the next fields as clearly as possible...
+     */
+    unsigned char found_tag_modifiers;
+    unsigned char expect_tag_modifiers;
+    unsigned long check_tag_mask;
+    unsigned long found_tag_number;
+    unsigned long expect_tag_number;
+    unsigned long underlying_kind;
+
+    unsigned long contents_length;
+    unsigned long pending;
+    unsigned long consumed;
+
+    int depth;
+
+    /*
+     * Bit strings have their length adjusted -- the first octet of the
+     * contents contains a value between 0 and 7 which says how many bits
+     * at the end of the octets are not actually part of the bit string;
+     * when parsing bit strings we put that value here because we need it
+     * later, for adjustment of the length (when the whole string is done).
+     */
+    unsigned int bit_string_unused_bits;
+
+    /*
+     * The following are used for indefinite-length constructed strings.
+     */
+    struct subitem *subitems_head;
+    struct subitem *subitems_tail;
+
+    PRPackedBool
+	allocate,	/* when true, need to allocate the destination */
+	endofcontents,	/* this state ended up parsing end-of-contents octets */
+	explicit,	/* we are handling an explicit header */
+	indefinite,	/* the current item has indefinite-length encoding */
+	missing,	/* an optional field that was not present */
+	optional,	/* the template says this field may be omitted */
+	substring;	/* this is a substring of a constructed string */
+
+} sec_asn1d_state;
+
+#define IS_HIGH_TAG_NUMBER(n)	((n) == SEC_ASN1_HIGH_TAG_NUMBER)
+#define LAST_TAG_NUMBER_BYTE(b)	(((b) & 0x80) == 0)
+#define TAG_NUMBER_BITS		7
+#define TAG_NUMBER_MASK		0x7f
+
+#define LENGTH_IS_SHORT_FORM(b)	(((b) & 0x80) == 0)
+#define LONG_FORM_LENGTH(b)	((b) & 0x7f)
+
+#define HIGH_BITS(field,cnt)	((field) >> ((sizeof(field) * 8) - (cnt)))
+
+
+/*
+ * An "outsider" will have an opaque pointer to this, created by calling
+ * SEC_ASN1DecoderStart().  It will be passed back in to all subsequent
+ * calls to SEC_ASN1DecoderUpdate(), and when done it is passed to
+ * SEC_ASN1DecoderFinish().
+ */
+struct sec_DecoderContext_struct {
+    PRArenaPool *our_pool;		/* for our internal allocs */
+    PRArenaPool *their_pool;		/* for destination structure allocs */
+#ifdef SEC_ASN1D_FREE_ON_ERROR		/*
+					 * XXX see comment below (by same
+					 * ifdef) that explains why this
+					 * does not work (need more smarts
+					 * in order to free back to mark)
+					 */
+    /*
+     * XXX how to make their_mark work in the case where they do NOT
+     * give us a pool pointer?
+     */
+    void *their_mark;			/* free on error */
+#endif
+
+    sec_asn1d_state *current;
+    sec_asn1d_parse_status status;
+
+    SEC_ASN1NotifyProc notify_proc;	/* call before/after handling field */
+    void *notify_arg;			/* argument to notify_proc */
+    PRBool during_notify;		/* true during call to notify_proc */
+
+    SEC_ASN1WriteProc filter_proc;	/* pass field bytes to this  */
+    void *filter_arg;			/* argument to that function */
+    PRBool filter_only;			/* do not allocate/store fields */
+};
+
+
+/*
+ * XXX this is a fairly generic function that may belong elsewhere
+ */
+static void *
+sec_asn1d_alloc (PRArenaPool *poolp, unsigned long len)
+{
+    void *thing;
+
+    if (poolp != NULL) {
+	/*
+	 * Allocate from the pool.
+	 */
+	thing = PORT_ArenaAlloc (poolp, len);
+    } else {
+	/*
+	 * Allocate generically.
+	 */
+	thing = PORT_Alloc (len);
+    }
+
+    return thing;
+}
+
+
+/*
+ * XXX this is a fairly generic function that may belong elsewhere
+ */
+static void *
+sec_asn1d_zalloc (PRArenaPool *poolp, unsigned long len)
+{
+    void *thing;
+
+    thing = sec_asn1d_alloc (poolp, len);
+    if (thing != NULL)
+	PORT_Memset (thing, 0, len);
+    return thing;
+}
+
+
+static sec_asn1d_state *
+sec_asn1d_push_state (SEC_ASN1DecoderContext *cx,
+		      const SEC_ASN1Template *theTemplate,
+		      void *dest, PRBool new_depth)
+{
+    sec_asn1d_state *state, *new_state;
+
+    state = cx->current;
+
+    PORT_Assert (state == NULL || state->child == NULL);
+
+    if (state != NULL) {
+	PORT_Assert (state->our_mark == NULL);
+	state->our_mark = PORT_ArenaMark (cx->our_pool);
+    }
+
+    new_state = (sec_asn1d_state*)sec_asn1d_zalloc (cx->our_pool, 
+						    sizeof(*new_state));
+    if (new_state == NULL) {
+	cx->status = decodeError;
+	if (state != NULL) {
+	    PORT_ArenaRelease(cx->our_pool, state->our_mark);
+	    state->our_mark = NULL;
+	}
+	return NULL;
+    }
+
+    new_state->top         = cx;
+    new_state->parent      = state;
+    new_state->theTemplate = theTemplate;
+    new_state->place       = notInUse;
+    if (dest != NULL)
+	new_state->dest = (char *)dest + theTemplate->offset;
+
+    if (state != NULL) {
+	new_state->depth = state->depth;
+	if (new_depth)
+	    new_state->depth++;
+	state->child = new_state;
+    }
+
+    cx->current = new_state;
+    return new_state;
+}
+
+
+static void
+sec_asn1d_scrub_state (sec_asn1d_state *state)
+{
+    /*
+     * Some default "scrubbing".
+     * XXX right set of initializations?
+     */
+    state->place = beforeIdentifier;
+    state->endofcontents = PR_FALSE;
+    state->indefinite = PR_FALSE;
+    state->missing = PR_FALSE;
+    PORT_Assert (state->consumed == 0);
+}
+
+
+static void
+sec_asn1d_notify_before (SEC_ASN1DecoderContext *cx, void *dest, int depth)
+{
+    if (cx->notify_proc == NULL)
+	return;
+
+    cx->during_notify = PR_TRUE;
+    (* cx->notify_proc) (cx->notify_arg, PR_TRUE, dest, depth);
+    cx->during_notify = PR_FALSE;
+}
+
+
+static void
+sec_asn1d_notify_after (SEC_ASN1DecoderContext *cx, void *dest, int depth)
+{
+    if (cx->notify_proc == NULL)
+	return;
+
+    cx->during_notify = PR_TRUE;
+    (* cx->notify_proc) (cx->notify_arg, PR_FALSE, dest, depth);
+    cx->during_notify = PR_FALSE;
+}
+
+
+static sec_asn1d_state *
+sec_asn1d_init_state_based_on_template (sec_asn1d_state *state)
+{
+    PRBool explicit, optional, universal;
+    unsigned char expect_tag_modifiers;
+    unsigned long encode_kind, under_kind;
+    unsigned long check_tag_mask, expect_tag_number;
+
+
+    /* XXX Check that both of these tests are really needed/appropriate. */
+    if (state == NULL || state->top->status == decodeError)
+	return state;
+
+    encode_kind = state->theTemplate->kind;
+
+    if (encode_kind & SEC_ASN1_SAVE) {
+	/*
+	 * This is a "magic" field that saves away all bytes, allowing
+	 * the immediately following field to still be decoded from this
+	 * same spot -- sort of a fork.
+	 */
+	/* check that there are no extraneous bits */
+	PORT_Assert (encode_kind == SEC_ASN1_SAVE);
+	if (state->top->filter_only) {
+	    /*
+	     * If we are not storing, then we do not do the SAVE field
+	     * at all.  Just move ahead to the "real" field instead,
+	     * doing the appropriate notify calls before and after.
+	     */
+	    sec_asn1d_notify_after (state->top, state->dest, state->depth);
+	    /*
+	     * Since we are not storing, allow for our current dest value
+	     * to be NULL.  (This might not actually occur, but right now I
+	     * cannot convince myself one way or the other.)  If it is NULL,
+	     * assume that our parent dest can help us out.
+	     */
+	    if (state->dest == NULL)
+		state->dest = state->parent->dest;
+	    else
+		state->dest = (char *)state->dest - state->theTemplate->offset;
+	    state->theTemplate++;
+	    if (state->dest != NULL)
+		state->dest = (char *)state->dest + state->theTemplate->offset;
+	    sec_asn1d_notify_before (state->top, state->dest, state->depth);
+	    encode_kind = state->theTemplate->kind;
+	    PORT_Assert ((encode_kind & SEC_ASN1_SAVE) == 0);
+	} else {
+	    sec_asn1d_scrub_state (state);
+	    state->place = duringSaveEncoding;
+	    state = sec_asn1d_push_state (state->top, SEC_AnyTemplate,
+					  state->dest, PR_FALSE);
+	    if (state != NULL)
+		state = sec_asn1d_init_state_based_on_template (state);
+	    return state;
+	}
+    }
+
+
+    universal = ((encode_kind & SEC_ASN1_CLASS_MASK) == SEC_ASN1_UNIVERSAL)
+		? PR_TRUE : PR_FALSE;
+
+    explicit = (encode_kind & SEC_ASN1_EXPLICIT) ? PR_TRUE : PR_FALSE;
+    encode_kind &= ~SEC_ASN1_EXPLICIT;
+
+    optional = (encode_kind & SEC_ASN1_OPTIONAL) ? PR_TRUE : PR_FALSE;
+    encode_kind &= ~SEC_ASN1_OPTIONAL;
+
+    PORT_Assert (!(explicit && universal));	/* bad templates */
+
+    encode_kind &= ~SEC_ASN1_DYNAMIC;
+    encode_kind &= ~SEC_ASN1_MAY_STREAM;
+
+    if( encode_kind & SEC_ASN1_CHOICE ) {
+#if 0	/* XXX remove? */
+      sec_asn1d_state *child = sec_asn1d_push_state(state->top, state->theTemplate, state->dest, PR_FALSE);
+      if( (sec_asn1d_state *)NULL == child ) {
+        return (sec_asn1d_state *)NULL;
+      }
+
+      child->allocate = state->allocate;
+      child->place = beforeChoice;
+      return child;
+#else
+      state->place = beforeChoice;
+      return state;
+#endif
+    }
+
+    if ((encode_kind & (SEC_ASN1_POINTER | SEC_ASN1_INLINE)) || (!universal
+							      && !explicit)) {
+	const SEC_ASN1Template *subt;
+	void *dest;
+	PRBool child_allocate;
+
+	PORT_Assert ((encode_kind & (SEC_ASN1_ANY | SEC_ASN1_SKIP)) == 0);
+
+	sec_asn1d_scrub_state (state);
+	child_allocate = PR_FALSE;
+
+	if (encode_kind & SEC_ASN1_POINTER) {
+	    /*
+	     * A POINTER means we need to allocate the destination for
+	     * this field.  But, since it may also be an optional field,
+	     * we defer the allocation until later; we just record that
+	     * it needs to be done.
+	     *
+	     * There are two possible scenarios here -- one is just a
+	     * plain POINTER (kind of like INLINE, except with allocation)
+	     * and the other is an implicitly-tagged POINTER.  We don't
+	     * need to do anything special here for the two cases, but
+	     * since the template definition can be tricky, we do check
+	     * that there are no extraneous bits set in encode_kind.
+	     *
+	     * XXX The same conditions which assert should set an error.
+	     */
+	    if (universal) {
+		/*
+		 * "universal" means this entry is a standalone POINTER;
+		 * there should be no other bits set in encode_kind.
+		 */
+		PORT_Assert (encode_kind == SEC_ASN1_POINTER);
+	    } else {
+		/*
+		 * If we get here we have an implicitly-tagged field
+		 * that needs to be put into a POINTER.  The subtemplate
+		 * will determine how to decode the field, but encode_kind
+		 * describes the (implicit) tag we are looking for.
+		 * The non-tag bits of encode_kind will be ignored by
+		 * the code below; none of them should be set, however,
+		 * except for the POINTER bit itself -- so check that.
+		 */
+		PORT_Assert ((encode_kind & ~SEC_ASN1_TAG_MASK)
+			     == SEC_ASN1_POINTER);
+	    }
+	    if (!state->top->filter_only)
+		child_allocate = PR_TRUE;
+	    dest = NULL;
+	    state->place = afterPointer;
+	} else {
+	    dest = state->dest;
+	    if (encode_kind & SEC_ASN1_INLINE) {
+		/* check that there are no extraneous bits */
+		PORT_Assert (encode_kind == SEC_ASN1_INLINE && !optional);
+		state->place = afterInline;
+	    } else {
+		state->place = afterImplicit;
+	    }
+	}
+
+	state->optional = optional;
+	subt = SEC_ASN1GetSubtemplate (state->theTemplate, state->dest, PR_FALSE);
+	state = sec_asn1d_push_state (state->top, subt, dest, PR_FALSE);
+	if (state == NULL)
+	    return NULL;
+
+	state->allocate = child_allocate;
+
+	if (universal) {
+	    state = sec_asn1d_init_state_based_on_template (state);
+	    if (state != NULL) {
+		/*
+		 * If this field is optional, we need to record that on
+		 * the pushed child so it won't fail if the field isn't
+		 * found.  I can't think of a way that this new state
+		 * could already have optional set (which we would wipe
+		 * out below if our local optional is not set) -- but
+		 * just to be sure, assert that it isn't set.
+		 */
+		PORT_Assert (!state->optional);
+		state->optional = optional;
+	    }
+	    return state;
+	}
+
+	under_kind = state->theTemplate->kind;
+	under_kind &= ~SEC_ASN1_MAY_STREAM;
+    } else if (explicit) {
+	/*
+	 * For explicit, we only need to match the encoding tag next,
+	 * then we will push another state to handle the entire inner
+	 * part.  In this case, there is no underlying kind which plays
+	 * any part in the determination of the outer, explicit tag.
+	 * So we just set under_kind to 0, which is not a valid tag,
+	 * and the rest of the tag matching stuff should be okay.
+	 */
+	under_kind = 0;
+    } else {
+	/*
+	 * Nothing special; the underlying kind and the given encoding
+	 * information are the same.
+	 */
+	under_kind = encode_kind;
+    }
+
+    /* XXX is this the right set of bits to test here? */
+    PORT_Assert ((under_kind & (SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL
+				| SEC_ASN1_MAY_STREAM
+				| SEC_ASN1_INLINE | SEC_ASN1_POINTER)) == 0);
+
+    if (encode_kind & (SEC_ASN1_ANY | SEC_ASN1_SKIP)) {
+	PORT_Assert (encode_kind == under_kind);
+	if (encode_kind & SEC_ASN1_SKIP) {
+	    PORT_Assert (!optional);
+	    PORT_Assert (encode_kind == SEC_ASN1_SKIP);
+	    state->dest = NULL;
+	}
+	check_tag_mask = 0;
+	expect_tag_modifiers = 0;
+	expect_tag_number = 0;
+    } else {
+	check_tag_mask = SEC_ASN1_TAG_MASK;
+	expect_tag_modifiers = encode_kind & SEC_ASN1_TAG_MASK
+				& ~SEC_ASN1_TAGNUM_MASK;
+	/*
+	 * XXX This assumes only single-octet identifiers.  To handle
+	 * the HIGH TAG form we would need to do some more work, especially
+	 * in how to specify them in the template, because right now we
+	 * do not provide a way to specify more *tag* bits in encode_kind.
+	 */
+	expect_tag_number = encode_kind & SEC_ASN1_TAGNUM_MASK;
+
+	switch (under_kind & SEC_ASN1_TAGNUM_MASK) {
+	  case SEC_ASN1_SET:
+	    /*
+	     * XXX A plain old SET (as opposed to a SET OF) is not implemented.
+	     * If it ever is, remove this assert...
+	     */
+	    PORT_Assert ((under_kind & SEC_ASN1_GROUP) != 0);
+	    /* fallthru */
+	  case SEC_ASN1_SEQUENCE:
+	    expect_tag_modifiers |= SEC_ASN1_CONSTRUCTED;
+	    break;
+	  case SEC_ASN1_BIT_STRING:
+	  case SEC_ASN1_BMP_STRING:
+	  case SEC_ASN1_GENERALIZED_TIME:
+	  case SEC_ASN1_IA5_STRING:
+	  case SEC_ASN1_OCTET_STRING:
+	  case SEC_ASN1_PRINTABLE_STRING:
+	  case SEC_ASN1_T61_STRING:
+	  case SEC_ASN1_UNIVERSAL_STRING:
+	  case SEC_ASN1_UTC_TIME:
+	  case SEC_ASN1_UTF8_STRING:
+	  case SEC_ASN1_VISIBLE_STRING:
+	    check_tag_mask &= ~SEC_ASN1_CONSTRUCTED;
+	    break;
+	}
+    }
+
+    state->check_tag_mask = check_tag_mask;
+    state->expect_tag_modifiers = expect_tag_modifiers;
+    state->expect_tag_number = expect_tag_number;
+    state->underlying_kind = under_kind;
+    state->explicit = explicit;
+    state->optional = optional;
+
+    sec_asn1d_scrub_state (state);
+
+    return state;
+}
+
+
+static unsigned long
+sec_asn1d_parse_identifier (sec_asn1d_state *state,
+			    const char *buf, unsigned long len)
+{
+    unsigned char byte;
+    unsigned char tag_number;
+
+    PORT_Assert (state->place == beforeIdentifier);
+
+    if (len == 0) {
+	state->top->status = needBytes;
+	return 0;
+    }
+
+    byte = (unsigned char) *buf;
+    tag_number = byte & SEC_ASN1_TAGNUM_MASK;
+
+    if (IS_HIGH_TAG_NUMBER (tag_number)) {
+	state->place = duringIdentifier;
+	state->found_tag_number = 0;
+	/*
+	 * Actually, we have no idea how many bytes are pending, but we
+	 * do know that it is at least 1.  That is all we know; we have
+	 * to look at each byte to know if there is another, etc.
+	 */
+	state->pending = 1;
+    } else {
+	if (byte == 0 && state->parent != NULL &&
+		    (state->parent->indefinite ||
+			(
+			    (state->parent->place == afterImplicit ||
+			     state->parent->place == afterPointer)
+			    && state->parent->parent != NULL && state->parent->parent->indefinite
+			)
+		    )
+	    ) {
+	    /*
+	     * Our parent has indefinite-length encoding, and the
+	     * entire tag found is 0, so it seems that we have hit the
+	     * end-of-contents octets.  To handle this, we just change
+	     * our state to that which expects to get the bytes of the
+	     * end-of-contents octets and let that code re-read this byte
+	     * so that our categorization of field types is correct.
+	     * After that, our parent will then deal with everything else.
+	     */
+	    state->place = duringEndOfContents;
+	    state->pending = 2;
+	    state->found_tag_number = 0;
+	    state->found_tag_modifiers = 0;
+	    /*
+	     * We might be an optional field that is, as we now find out,
+	     * missing.  Give our parent a clue that this happened.
+	     */
+	    if (state->optional)
+		state->missing = PR_TRUE;
+	    return 0;
+	}
+	state->place = afterIdentifier;
+	state->found_tag_number = tag_number;
+    }
+    state->found_tag_modifiers = byte & ~SEC_ASN1_TAGNUM_MASK;
+
+    return 1;
+}
+
+
+static unsigned long
+sec_asn1d_parse_more_identifier (sec_asn1d_state *state,
+				 const char *buf, unsigned long len)
+{
+    unsigned char byte;
+    int count;
+
+    PORT_Assert (state->pending == 1);
+    PORT_Assert (state->place == duringIdentifier);
+
+    if (len == 0) {
+	state->top->status = needBytes;
+	return 0;
+    }
+
+    count = 0;
+
+    while (len && state->pending) {
+	if (HIGH_BITS (state->found_tag_number, TAG_NUMBER_BITS) != 0) {
+	    /*
+	     * The given high tag number overflows our container;
+	     * just give up.  This is not likely to *ever* happen.
+	     */
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    state->top->status = decodeError;
+	    return 0;
+	}
+
+	state->found_tag_number <<= TAG_NUMBER_BITS;
+
+	byte = (unsigned char) buf[count++];
+	state->found_tag_number |= (byte & TAG_NUMBER_MASK);
+
+	len--;
+	if (LAST_TAG_NUMBER_BYTE (byte))
+	    state->pending = 0;
+    }
+
+    if (state->pending == 0)
+	state->place = afterIdentifier;
+
+    return count;
+}
+
+
+static void
+sec_asn1d_confirm_identifier (sec_asn1d_state *state)
+{
+    PRBool match;
+
+    PORT_Assert (state->place == afterIdentifier);
+
+    match = (PRBool)(((state->found_tag_modifiers & state->check_tag_mask)
+	     == state->expect_tag_modifiers)
+	    && ((state->found_tag_number & state->check_tag_mask)
+		== state->expect_tag_number));
+    if (match) {
+	state->place = beforeLength;
+    } else {
+	if (state->optional) {
+	    state->missing = PR_TRUE;
+	    state->place = afterEndOfContents;
+	} else {
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    state->top->status = decodeError;
+	}
+    }
+}
+
+
+static unsigned long
+sec_asn1d_parse_length (sec_asn1d_state *state,
+			const char *buf, unsigned long len)
+{
+    unsigned char byte;
+
+    PORT_Assert (state->place == beforeLength);
+
+    if (len == 0) {
+	state->top->status = needBytes;
+	return 0;
+    }
+
+    /*
+     * The default/likely outcome.  It may get adjusted below.
+     */
+    state->place = afterLength;
+
+    byte = (unsigned char) *buf;
+
+    if (LENGTH_IS_SHORT_FORM (byte)) {
+	state->contents_length = byte;
+    } else {
+	state->contents_length = 0;
+	state->pending = LONG_FORM_LENGTH (byte);
+	if (state->pending == 0) {
+	    state->indefinite = PR_TRUE;
+	} else {
+	    state->place = duringLength;
+	}
+    }
+
+    return 1;
+}
+
+
+static unsigned long
+sec_asn1d_parse_more_length (sec_asn1d_state *state,
+			     const char *buf, unsigned long len)
+{
+    int count;
+
+    PORT_Assert (state->pending > 0);
+    PORT_Assert (state->place == duringLength);
+
+    if (len == 0) {
+	state->top->status = needBytes;
+	return 0;
+    }
+
+    count = 0;
+
+    while (len && state->pending) {
+	if (HIGH_BITS (state->contents_length, 8) != 0) {
+	    /*
+	     * The given full content length overflows our container;
+	     * just give up.
+	     */
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    state->top->status = decodeError;
+	    return 0;
+	}
+
+	state->contents_length <<= 8;
+	state->contents_length |= (unsigned char) buf[count++];
+
+	len--;
+	state->pending--;
+    }
+
+    if (state->pending == 0)
+	state->place = afterLength;
+
+    return count;
+}
+
+
+static void
+sec_asn1d_prepare_for_contents (sec_asn1d_state *state)
+{
+    SECItem *item;
+    PRArenaPool *poolp;
+    unsigned long alloc_len;
+
+
+    /*
+     * XXX I cannot decide if this allocation should exclude the case
+     *     where state->endofcontents is true -- figure it out!
+     */
+    if (state->allocate) {
+	void *dest;
+
+	PORT_Assert (state->dest == NULL);
+	/*
+	 * We are handling a POINTER or a member of a GROUP, and need to
+	 * allocate for the data structure.
+	 */
+	dest = sec_asn1d_zalloc (state->top->their_pool,
+				 state->theTemplate->size);
+	if (dest == NULL) {
+	    state->top->status = decodeError;
+	    return;
+	}
+	state->dest = (char *)dest + state->theTemplate->offset;
+
+	/*
+	 * For a member of a GROUP, our parent will later put the
+	 * pointer wherever it belongs.  But for a POINTER, we need
+	 * to record the destination now, in case notify or filter
+	 * procs need access to it -- they cannot find it otherwise,
+	 * until it is too late (for one-pass processing).
+	 */
+	if (state->parent->place == afterPointer) {
+	    void **placep;
+
+	    placep = state->parent->dest;
+	    *placep = dest;
+	}
+    }
+
+    /*
+     * Remember, length may be indefinite here!  In that case,
+     * both contents_length and pending will be zero.
+     */
+    state->pending = state->contents_length;
+
+    /*
+     * An EXPLICIT is nothing but an outer header, which we have
+     * already parsed and accepted.  Now we need to do the inner
+     * header and its contents.
+     */
+    if (state->explicit) {
+	state->place = afterExplicit;
+	state = sec_asn1d_push_state (state->top,
+				      SEC_ASN1GetSubtemplate(state->theTemplate,
+							     state->dest,
+							     PR_FALSE),
+				      state->dest, PR_TRUE);
+	if (state != NULL)
+	    state = sec_asn1d_init_state_based_on_template (state);
+	return;
+    }
+
+    /*
+     * For GROUP (SET OF, SEQUENCE OF), even if we know the length here
+     * we cannot tell how many items we will end up with ... so push a
+     * state that can keep track of "children" (the individual members
+     * of the group; we will allocate as we go and put them all together
+     * at the end.
+     */
+    if (state->underlying_kind & SEC_ASN1_GROUP) {
+	/* XXX If this assertion holds (should be able to confirm it via
+	 * inspection, too) then move this code into the switch statement
+	 * below under cases SET_OF and SEQUENCE_OF; it will be cleaner.
+	 */
+	PORT_Assert (state->underlying_kind == SEC_ASN1_SET_OF
+	   || state->underlying_kind == SEC_ASN1_SEQUENCE_OF
+	   || state->underlying_kind == (SEC_ASN1_SEQUENCE_OF|SEC_ASN1_DYNAMIC)
+	   || state->underlying_kind == (SEC_ASN1_SEQUENCE_OF|SEC_ASN1_DYNAMIC)
+		     );
+	if (state->contents_length != 0 || state->indefinite) {
+	    const SEC_ASN1Template *subt;
+
+	    state->place = duringGroup;
+	    subt = SEC_ASN1GetSubtemplate (state->theTemplate, state->dest,
+					   PR_FALSE);
+	    state = sec_asn1d_push_state (state->top, subt, NULL, PR_TRUE);
+	    if (state != NULL) {
+		if (!state->top->filter_only)
+		    state->allocate = PR_TRUE;	/* XXX propogate this? */
+		/*
+		 * Do the "before" field notification for next in group.
+		 */
+		sec_asn1d_notify_before (state->top, state->dest, state->depth);
+		state = sec_asn1d_init_state_based_on_template (state);
+	    }
+	} else {
+	    /*
+	     * A group of zero; we are done.
+	     * XXX Should we store a NULL here?  Or set state to
+	     * afterGroup and let that code do it?
+	     */
+	    state->place = afterEndOfContents;
+	}
+	return;
+    }
+
+    switch (state->underlying_kind) {
+      case SEC_ASN1_SEQUENCE:
+	/*
+	 * We need to push a child to handle the individual fields.
+	 */
+	state->place = duringSequence;
+	state = sec_asn1d_push_state (state->top, state->theTemplate + 1,
+				      state->dest, PR_TRUE);
+	if (state != NULL) {
+	    /*
+	     * Do the "before" field notification.
+	     */
+	    sec_asn1d_notify_before (state->top, state->dest, state->depth);
+	    state = sec_asn1d_init_state_based_on_template (state);
+	}
+	break;
+
+      case SEC_ASN1_SET:	/* XXX SET is not really implemented */
+	/*
+	 * XXX A plain SET requires special handling; scanning of a
+	 * template to see where a field should go (because by definition,
+	 * they are not in any particular order, and you have to look at
+	 * each tag to disambiguate what the field is).  We may never
+	 * implement this because in practice, it seems to be unused.
+	 */
+	PORT_Assert(0);
+	state->top->status = decodeError;
+	break;
+
+      case SEC_ASN1_NULL:
+	/*
+	 * The NULL type, by definition, is "nothing", content length of zero.
+	 * An indefinite-length encoding is not alloweed.
+	 */
+	if (state->contents_length || state->indefinite) {
+	    state->top->status = decodeError;
+	    break;
+	}
+	if (state->dest != NULL) {
+	    item = (SECItem *)(state->dest);
+	    item->data = NULL;
+	    item->len = 0;
+	}
+	state->place = afterEndOfContents;
+	break;
+
+      case SEC_ASN1_BMP_STRING:
+	/* Error if length is not divisable by 2 */
+	if (state->contents_length % 2) {
+	   state->top->status = decodeError;
+	   break;
+	}   
+	/* otherwise, handle as other string types */
+	goto regular_string_type;
+
+      case SEC_ASN1_UNIVERSAL_STRING:
+	/* Error if length is not divisable by 4 */
+	if (state->contents_length % 4) {
+	   state->top->status = decodeError;
+	   break;
+	}   
+	/* otherwise, handle as other string types */
+	goto regular_string_type;
+
+      case SEC_ASN1_SKIP:
+      case SEC_ASN1_ANY:
+      case SEC_ASN1_ANY_CONTENTS:
+	/*
+	 * These are not (necessarily) strings, but they need nearly
+	 * identical handling (especially when we need to deal with
+	 * constructed sub-pieces), so we pretend they are.
+	 */
+	/* fallthru */
+regular_string_type:
+      case SEC_ASN1_BIT_STRING:
+      case SEC_ASN1_IA5_STRING:
+      case SEC_ASN1_OCTET_STRING:
+      case SEC_ASN1_PRINTABLE_STRING:
+      case SEC_ASN1_T61_STRING:
+      case SEC_ASN1_UTC_TIME:
+      case SEC_ASN1_UTF8_STRING:
+      case SEC_ASN1_VISIBLE_STRING:
+	/*
+	 * We are allocating for a primitive or a constructed string.
+	 * If it is a constructed string, it may also be indefinite-length.
+	 * If it is primitive, the length can (legally) be zero.
+	 * Our first order of business is to allocate the memory for
+	 * the string, if we can (if we know the length).
+	 */
+	item = (SECItem *)(state->dest);
+
+	/*
+	 * If the item is a definite-length constructed string, then
+	 * the contents_length is actually larger than what we need
+	 * (because it also counts each intermediate header which we
+	 * will be throwing away as we go), but it is a perfectly good
+	 * upper bound that we just allocate anyway, and then concat
+	 * as we go; we end up wasting a few extra bytes but save a
+	 * whole other copy.
+	 */
+	alloc_len = state->contents_length;
+	poolp = NULL;	/* quiet compiler warnings about unused... */
+
+	if (item == NULL || state->top->filter_only) {
+	    if (item != NULL) {
+		item->data = NULL;
+		item->len = 0;
+	    }
+	    alloc_len = 0;
+	} else if (state->substring) {
+	    /*
+	     * If we are a substring of a constructed string, then we may
+	     * not have to allocate anything (because our parent, the
+	     * actual constructed string, did it for us).  If we are a
+	     * substring and we *do* have to allocate, that means our
+	     * parent is an indefinite-length, so we allocate from our pool;
+	     * later our parent will copy our string into the aggregated
+	     * whole and free our pool allocation.
+	     */
+	    if (item->data == NULL) {
+		PORT_Assert (item->len == 0);
+		poolp = state->top->our_pool;
+	    } else {
+		alloc_len = 0;
+	    }
+	} else {
+	    item->len = 0;
+	    item->data = NULL;
+	    poolp = state->top->their_pool;
+	}
+
+	if (alloc_len || ((! state->indefinite)
+			  && (state->subitems_head != NULL))) {
+	    struct subitem *subitem;
+	    int len;
+
+	    PORT_Assert (item->len == 0 && item->data == NULL);
+	    /*
+	     * Check for and handle an ANY which has stashed aside the
+	     * header (identifier and length) bytes for us to include
+	     * in the saved contents.
+	     */
+	    if (state->subitems_head != NULL) {
+		PORT_Assert (state->underlying_kind == SEC_ASN1_ANY);
+		for (subitem = state->subitems_head;
+		     subitem != NULL; subitem = subitem->next)
+		    alloc_len += subitem->len;
+	    }
+
+	    item->data = (unsigned char*)sec_asn1d_zalloc (poolp, alloc_len);
+	    if (item->data == NULL) {
+		state->top->status = decodeError;
+		break;
+	    }
+
+	    len = 0;
+	    for (subitem = state->subitems_head;
+		 subitem != NULL; subitem = subitem->next) {
+		PORT_Memcpy (item->data + len, subitem->data, subitem->len);
+		len += subitem->len;
+	    }
+	    item->len = len;
+
+	    /*
+	     * Because we use arenas and have a mark set, we later free
+	     * everything we have allocated, so this does *not* present
+	     * a memory leak (it is just temporarily left dangling).
+	     */
+	    state->subitems_head = state->subitems_tail = NULL;
+	}
+
+	if (state->contents_length == 0 && (! state->indefinite)) {
+	    /*
+	     * A zero-length simple or constructed string; we are done.
+	     */
+	    state->place = afterEndOfContents;
+	} else if (state->found_tag_modifiers & SEC_ASN1_CONSTRUCTED) {
+	    const SEC_ASN1Template *sub;
+
+	    switch (state->underlying_kind) {
+	      case SEC_ASN1_ANY:
+	      case SEC_ASN1_ANY_CONTENTS:
+		sub = SEC_AnyTemplate;
+		break;
+	      case SEC_ASN1_BIT_STRING:
+		sub = SEC_BitStringTemplate;
+		break;
+	      case SEC_ASN1_BMP_STRING:
+		sub = SEC_BMPStringTemplate;
+		break;
+	      case SEC_ASN1_GENERALIZED_TIME:
+		sub = SEC_GeneralizedTimeTemplate;
+		break;
+	      case SEC_ASN1_IA5_STRING:
+		sub = SEC_IA5StringTemplate;
+		break;
+	      case SEC_ASN1_OCTET_STRING:
+		sub = SEC_OctetStringTemplate;
+		break;
+	      case SEC_ASN1_PRINTABLE_STRING:
+		sub = SEC_PrintableStringTemplate;
+		break;
+	      case SEC_ASN1_T61_STRING:
+		sub = SEC_T61StringTemplate;
+		break;
+	      case SEC_ASN1_UNIVERSAL_STRING:
+		sub = SEC_UniversalStringTemplate;
+		break;
+	      case SEC_ASN1_UTC_TIME:
+		sub = SEC_UTCTimeTemplate;
+		break;
+	      case SEC_ASN1_UTF8_STRING:
+		sub = SEC_UTF8StringTemplate;
+		break;
+	      case SEC_ASN1_VISIBLE_STRING:
+		sub = SEC_VisibleStringTemplate;
+		break;
+	      case SEC_ASN1_SKIP:
+		sub = SEC_SkipTemplate;
+		break;
+	      default:		/* redundant given outer switch cases, but */
+		PORT_Assert(0);	/* the compiler does not seem to know that, */
+		sub = NULL;	/* so just do enough to quiet it. */
+		break;
+	    }
+
+	    state->place = duringConstructedString;
+	    state = sec_asn1d_push_state (state->top, sub, item, PR_TRUE);
+	    if (state != NULL) {
+		state->substring = PR_TRUE;	/* XXX propogate? */
+		state = sec_asn1d_init_state_based_on_template (state);
+	    }
+	} else if (state->indefinite) {
+	    /*
+	     * An indefinite-length string *must* be constructed!
+	     */
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    state->top->status = decodeError;
+	} else {
+	    /*
+	     * A non-zero-length simple string.
+	     */
+	    if (state->underlying_kind == SEC_ASN1_BIT_STRING)
+		state->place = beforeBitString;
+	    else
+		state->place = duringLeaf;
+	}
+	break;
+
+      default:
+	/*
+	 * We are allocating for a simple leaf item.
+	 */
+	if (state->contents_length) {
+	    if (state->dest != NULL) {
+		item = (SECItem *)(state->dest);
+		item->len = 0;
+		if (state->top->filter_only) {
+		    item->data = NULL;
+		} else {
+		    item->data = (unsigned char*)
+		                  sec_asn1d_zalloc (state->top->their_pool,
+						   state->contents_length);
+		    if (item->data == NULL) {
+			state->top->status = decodeError;
+			return;
+		    }
+		}
+	    }
+	    state->place = duringLeaf;
+	} else {
+	    /*
+	     * An indefinite-length or zero-length item is not allowed.
+	     * (All legal cases of such were handled above.)
+	     */
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    state->top->status = decodeError;
+	}
+    }
+}
+
+
+static void
+sec_asn1d_free_child (sec_asn1d_state *state, PRBool error)
+{
+    if (state->child != NULL) {
+	PORT_Assert (error || state->child->consumed == 0);
+	PORT_Assert (state->our_mark != NULL);
+	PORT_ArenaRelease (state->top->our_pool, state->our_mark);
+	if (error && state->top->their_pool == NULL) {
+	    /*
+	     * XXX We need to free anything allocated.
+	     */
+	    PORT_Assert (0);
+	}
+	state->child = NULL;
+	state->our_mark = NULL;
+    } else {
+	/*
+	 * It is important that we do not leave a mark unreleased/unmarked.
+	 * But I do not think we should ever have one set in this case, only
+	 * if we had a child (handled above).  So check for that.  If this
+	 * assertion should ever get hit, then we probably need to add code
+	 * here to release back to our_mark (and then set our_mark to NULL).
+	 */
+	PORT_Assert (state->our_mark == NULL);
+    }
+    state->place = beforeEndOfContents;
+}
+
+
+static void
+sec_asn1d_reuse_encoding (sec_asn1d_state *state)
+{
+    sec_asn1d_state *child;
+    unsigned long consumed;
+    SECItem *item;
+    void *dest;
+
+
+    child = state->child;
+    PORT_Assert (child != NULL);
+
+    consumed = child->consumed;
+    child->consumed = 0;
+
+    item = (SECItem *)(state->dest);
+    PORT_Assert (item != NULL);
+
+    PORT_Assert (item->len == consumed);
+
+    /*
+     * Free any grandchild.
+     */
+    sec_asn1d_free_child (child, PR_FALSE);
+
+    /*
+     * Notify after the SAVE field.
+     */
+    sec_asn1d_notify_after (state->top, state->dest, state->depth);
+
+    /*
+     * Adjust to get new dest and move forward.
+     */
+    dest = (char *)state->dest - state->theTemplate->offset;
+    state->theTemplate++;
+    child->dest = (char *)dest + state->theTemplate->offset;
+    child->theTemplate = state->theTemplate;
+
+    /*
+     * Notify before the "real" field.
+     */
+    PORT_Assert (state->depth == child->depth);
+    sec_asn1d_notify_before (state->top, child->dest, child->depth);
+
+    /*
+     * This will tell DecoderUpdate to return when it is done.
+     */
+    state->place = afterSaveEncoding;
+
+    /*
+     * We already have a child; "push" it by making it current.
+     */
+    state->top->current = child;
+
+    /*
+     * And initialize it so it is ready to parse.
+     */
+    (void) sec_asn1d_init_state_based_on_template(child);
+
+    /*
+     * Now parse that out of our data.
+     */
+    if (SEC_ASN1DecoderUpdate (state->top,
+			       (char *) item->data, item->len) != SECSuccess)
+	return;
+
+    PORT_Assert (state->top->current == state);
+    PORT_Assert (state->child == child);
+
+    /*
+     * That should have consumed what we consumed before.
+     */
+    PORT_Assert (consumed == child->consumed);
+    child->consumed = 0;
+
+    /*
+     * Done.
+     */
+    state->consumed += consumed;
+    child->place = notInUse;
+    state->place = afterEndOfContents;
+}
+
+
+static unsigned long
+sec_asn1d_parse_leaf (sec_asn1d_state *state,
+		      const char *buf, unsigned long len)
+{
+    SECItem *item;
+    unsigned long bufLen;
+
+    if (len == 0) {
+	state->top->status = needBytes;
+	return 0;
+    }
+
+    if (state->pending < len)
+	len = state->pending;
+
+    bufLen = len;
+
+    item = (SECItem *)(state->dest);
+    if (item != NULL && item->data != NULL) {
+	/* Strip leading zeroes when target is unsigned integer */
+	if (state->underlying_kind == SEC_ASN1_INTEGER && /* INTEGER   */
+	    item->len == 0 &&                             /* MSB       */
+	    item->type == siUnsignedInteger)              /* unsigned  */
+	{
+	    while (len > 1 && buf[0] == 0) {              /* leading 0 */
+		buf++;
+		len--;
+	    }
+	}
+	PORT_Memcpy (item->data + item->len, buf, len);
+	item->len += len;
+    }
+    state->pending -= bufLen;
+    if (state->pending == 0)
+	state->place = beforeEndOfContents;
+
+    return bufLen;
+}
+
+
+static unsigned long
+sec_asn1d_parse_bit_string (sec_asn1d_state *state,
+			    const char *buf, unsigned long len)
+{
+    unsigned char byte;
+
+    /*PORT_Assert (state->pending > 0); */
+    PORT_Assert (state->place == beforeBitString);
+
+    if (state->pending == 0) {
+	if (state->dest != NULL) {
+	    SECItem *item = (SECItem *)(state->dest);
+	    item->data = NULL;
+	    item->len = 0;
+	    state->place = beforeEndOfContents;
+	    return 0;
+	}
+    }
+
+    if (len == 0) {
+	state->top->status = needBytes;
+	return 0;
+    }
+
+    byte = (unsigned char) *buf;
+    if (byte > 7) {
+	PORT_SetError (SEC_ERROR_BAD_DER);
+	state->top->status = decodeError;
+	return 0;
+    }
+
+    state->bit_string_unused_bits = byte;
+    state->place = duringBitString;
+    state->pending -= 1;
+
+    return 1;
+}
+
+
+static unsigned long
+sec_asn1d_parse_more_bit_string (sec_asn1d_state *state,
+				 const char *buf, unsigned long len)
+{
+    PORT_Assert (state->pending > 0);
+    PORT_Assert (state->place == duringBitString);
+
+    len = sec_asn1d_parse_leaf (state, buf, len);
+    if (state->place == beforeEndOfContents && state->dest != NULL) {
+	SECItem *item;
+
+	item = (SECItem *)(state->dest);
+	if (item->len)
+	    item->len = (item->len << 3) - state->bit_string_unused_bits;
+    }
+
+    return len;
+}
+
+
+/*
+ * XXX All callers should be looking at return value to detect
+ * out-of-memory errors (and stop!).
+ */
+static struct subitem *
+sec_asn1d_add_to_subitems (sec_asn1d_state *state,
+			   const void *data, unsigned long len,
+			   PRBool copy_data)
+{
+    struct subitem *thing;
+
+    thing = (struct subitem*)sec_asn1d_zalloc (state->top->our_pool,
+				sizeof (struct subitem));
+    if (thing == NULL) {
+	state->top->status = decodeError;
+	return NULL;
+    }
+
+    if (copy_data) {
+	void *copy;
+	copy = sec_asn1d_alloc (state->top->our_pool, len);
+	if (copy == NULL) {
+	    state->top->status = decodeError;
+	    return NULL;
+	}
+	PORT_Memcpy (copy, data, len);
+	thing->data = copy;
+    } else {
+	thing->data = data;
+    }
+    thing->len = len;
+    thing->next = NULL;
+
+    if (state->subitems_head == NULL) {
+	PORT_Assert (state->subitems_tail == NULL);
+	state->subitems_head = state->subitems_tail = thing;
+    } else {
+	state->subitems_tail->next = thing;
+	state->subitems_tail = thing;
+    }
+
+    return thing;
+}
+
+
+static void
+sec_asn1d_record_any_header (sec_asn1d_state *state,
+			     const char *buf,
+			     unsigned long len)
+{
+    SECItem *item;
+
+    item = (SECItem *)(state->dest);
+    if (item != NULL && item->data != NULL) {
+	PORT_Assert (state->substring);
+	PORT_Memcpy (item->data + item->len, buf, len);
+	item->len += len;
+    } else {
+	sec_asn1d_add_to_subitems (state, buf, len, PR_TRUE);
+    }
+}
+
+
+/*
+ * We are moving along through the substrings of a constructed string,
+ * and have just finished parsing one -- we need to save our child data
+ * (if the child was not already writing directly into the destination)
+ * and then move forward by one.
+ *
+ * We also have to detect when we are done:
+ *	- a definite-length encoding stops when our pending value hits 0
+ *	- an indefinite-length encoding stops when our child is empty
+ *	  (which means it was the end-of-contents octets)
+ */
+static void
+sec_asn1d_next_substring (sec_asn1d_state *state)
+{
+    sec_asn1d_state *child;
+    SECItem *item;
+    unsigned long child_consumed;
+    PRBool done;
+
+    PORT_Assert (state->place == duringConstructedString);
+    PORT_Assert (state->child != NULL);
+
+    child = state->child;
+
+    child_consumed = child->consumed;
+    child->consumed = 0;
+    state->consumed += child_consumed;
+
+    done = PR_FALSE;
+
+    if (state->pending) {
+	PORT_Assert (!state->indefinite);
+	PORT_Assert (child_consumed <= state->pending);
+
+	state->pending -= child_consumed;
+	if (state->pending == 0)
+	    done = PR_TRUE;
+    } else {
+	PORT_Assert (state->indefinite);
+
+	item = (SECItem *)(child->dest);
+	if (item != NULL && item->data != NULL) {
+	    /*
+	     * Save the string away for later concatenation.
+	     */
+	    PORT_Assert (item->data != NULL);
+	    sec_asn1d_add_to_subitems (state, item->data, item->len, PR_FALSE);
+	    /*
+	     * Clear the child item for the next round.
+	     */
+	    item->data = NULL;
+	    item->len = 0;
+	}
+
+	/*
+	 * If our child was just our end-of-contents octets, we are done.
+	 */
+	if (child->endofcontents)
+	    done = PR_TRUE;
+    }
+
+    /*
+     * Stop or do the next one.
+     */
+    if (done) {
+	child->place = notInUse;
+	state->place = afterConstructedString;
+    } else {
+	sec_asn1d_scrub_state (child);
+	state->top->current = child;
+    }
+}
+
+
+/*
+ * We are doing a SET OF or SEQUENCE OF, and have just finished an item.
+ */
+static void
+sec_asn1d_next_in_group (sec_asn1d_state *state)
+{
+    sec_asn1d_state *child;
+    unsigned long child_consumed;
+
+    PORT_Assert (state->place == duringGroup);
+    PORT_Assert (state->child != NULL);
+
+    child = state->child;
+
+    child_consumed = child->consumed;
+    child->consumed = 0;
+    state->consumed += child_consumed;
+
+    /*
+     * If our child was just our end-of-contents octets, we are done.
+     */
+    if (child->endofcontents) {
+	/* XXX I removed the PORT_Assert (child->dest == NULL) because there
+	 * was a bug in that a template that was a sequence of which also had
+	 * a child of a sequence of, in an indefinite group was not working 
+	 * properly.  This fix seems to work, (added the if statement below),
+	 * and nothing appears broken, but I am putting this note here just
+	 * in case. */
+	/*
+	 * XXX No matter how many times I read that comment,
+	 * I cannot figure out what case he was fixing.  I believe what he
+	 * did was deliberate, so I am loathe to touch it.  I need to
+	 * understand how it could ever be that child->dest != NULL but
+	 * child->endofcontents is true, and why it is important to check
+	 * that state->subitems_head is NULL.  This really needs to be
+	 * figured out, as I am not sure if the following code should be
+	 * compensating for "offset", as is done a little farther below
+	 * in the more normal case.
+	 */
+	PORT_Assert (state->indefinite);
+	PORT_Assert (state->pending == 0);
+	if(child->dest && !state->subitems_head) {
+	    sec_asn1d_add_to_subitems (state, child->dest, 0, PR_FALSE);
+	    child->dest = NULL;
+	}
+
+	child->place = notInUse;
+	state->place = afterGroup;
+	return;
+    }
+
+    /* 
+     * Do the "after" field notification for next in group.
+     */
+    sec_asn1d_notify_after (state->top, child->dest, child->depth);
+
+    /*
+     * Save it away (unless we are not storing).
+     */
+    if (child->dest != NULL) {
+	void *dest;
+
+	dest = child->dest;
+	dest = (char *)dest - child->theTemplate->offset;
+	sec_asn1d_add_to_subitems (state, dest, 0, PR_FALSE);
+	child->dest = NULL;
+    }
+
+    /*
+     * Account for those bytes; see if we are done.
+     */
+    if (state->pending) {
+	PORT_Assert (!state->indefinite);
+	PORT_Assert (child_consumed <= state->pending);
+
+	state->pending -= child_consumed;
+	if (state->pending == 0) {
+	    child->place = notInUse;
+	    state->place = afterGroup;
+	    return;
+	}
+    }
+
+    /*
+     * Do the "before" field notification for next item in group.
+     */
+    sec_asn1d_notify_before (state->top, child->dest, child->depth);
+
+    /*
+     * Now we do the next one.
+     */
+    sec_asn1d_scrub_state (child);
+
+    /* Initialize child state from the template */
+    sec_asn1d_init_state_based_on_template(child);
+
+    state->top->current = child;
+}
+
+
+/*
+ * We are moving along through a sequence; move forward by one,
+ * (detecting end-of-sequence when it happens).
+ * XXX The handling of "missing" is ugly.  Fix it.
+ */
+static void
+sec_asn1d_next_in_sequence (sec_asn1d_state *state)
+{
+    sec_asn1d_state *child;
+    unsigned long child_consumed;
+    PRBool child_missing;
+
+    PORT_Assert (state->place == duringSequence);
+    PORT_Assert (state->child != NULL);
+
+    child = state->child;
+
+    /*
+     * Do the "after" field notification.
+     */
+    sec_asn1d_notify_after (state->top, child->dest, child->depth);
+
+    child_missing = (PRBool) child->missing;
+    child_consumed = child->consumed;
+    child->consumed = 0;
+
+    /*
+     * Take care of accounting.
+     */
+    if (child_missing) {
+	PORT_Assert (child->optional);
+    } else {
+	state->consumed += child_consumed;
+	/*
+	 * Free any grandchild.
+	 */
+	sec_asn1d_free_child (child, PR_FALSE);
+	if (state->pending) {
+	    PORT_Assert (!state->indefinite);
+	    PORT_Assert (child_consumed <= state->pending);
+	    state->pending -= child_consumed;
+	    if (state->pending == 0) {
+		child->theTemplate++;
+		while (child->theTemplate->kind != 0) {
+		    if ((child->theTemplate->kind & SEC_ASN1_OPTIONAL) == 0) {
+			PORT_SetError (SEC_ERROR_BAD_DER);
+			state->top->status = decodeError;
+			return;
+		    }
+		    child->theTemplate++;
+		}
+		child->place = notInUse;
+		state->place = afterEndOfContents;
+		return;
+	    }
+	}
+    }
+
+    /*
+     * Move forward.
+     */
+    child->theTemplate++;
+    if (child->theTemplate->kind == 0) {
+	/*
+	 * We are done with this sequence.
+	 */
+	child->place = notInUse;
+	if (state->pending) {
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    state->top->status = decodeError;
+	} else if (child_missing) {
+	    /*
+	     * We got to the end, but have a child that started parsing
+	     * and ended up "missing".  The only legitimate reason for
+	     * this is that we had one or more optional fields at the
+	     * end of our sequence, and we were encoded indefinite-length,
+	     * so when we went looking for those optional fields we
+	     * found our end-of-contents octets instead.
+	     * (Yes, this is ugly; dunno a better way to handle it.)
+	     * So, first confirm the situation, and then mark that we
+	     * are done.
+	     */
+	    if (state->indefinite && child->endofcontents) {
+		PORT_Assert (child_consumed == 2);
+		state->consumed += child_consumed;
+		state->place = afterEndOfContents;
+	    } else {
+		PORT_SetError (SEC_ERROR_BAD_DER);
+		state->top->status = decodeError;
+	    }
+	} else {
+	    /*
+	     * We have to finish out, maybe reading end-of-contents octets;
+	     * let the normal logic do the right thing.
+	     */
+	    state->place = beforeEndOfContents;
+	}
+    } else {
+	unsigned char child_found_tag_modifiers = 0;
+	unsigned long child_found_tag_number = 0;
+
+	/*
+	 * Reset state and push.
+	 */
+	if (state->dest != NULL)
+	    child->dest = (char *)state->dest + child->theTemplate->offset;
+
+	/*
+	 * Do the "before" field notification.
+	 */
+	sec_asn1d_notify_before (state->top, child->dest, child->depth);
+
+	if (child_missing) { /* if previous child was missing, copy the tag data we already have */
+	    child_found_tag_modifiers = child->found_tag_modifiers;
+	    child_found_tag_number = child->found_tag_number;
+	}
+	state->top->current = child;
+	child = sec_asn1d_init_state_based_on_template (child);
+	if (child_missing) {
+	    child->place = afterIdentifier;
+	    child->found_tag_modifiers = child_found_tag_modifiers;
+	    child->found_tag_number = child_found_tag_number;
+	    child->consumed = child_consumed;
+	    if (child->underlying_kind == SEC_ASN1_ANY
+		&& !child->top->filter_only) {
+		/*
+		 * If the new field is an ANY, and we are storing, then
+		 * we need to save the tag out.  We would have done this
+		 * already in the normal case, but since we were looking
+		 * for an optional field, and we did not find it, we only
+		 * now realize we need to save the tag.
+		 */
+		unsigned char identifier;
+
+		/*
+		 * Check that we did not end up with a high tag; for that
+		 * we need to re-encode the tag into multiple bytes in order
+		 * to store it back to look like what we parsed originally.
+		 * In practice this does not happen, but for completeness
+		 * sake it should probably be made to work at some point.
+		 */
+		PORT_Assert (child_found_tag_number < SEC_ASN1_HIGH_TAG_NUMBER);
+		identifier = child_found_tag_modifiers | child_found_tag_number;
+		sec_asn1d_record_any_header (child, (char *) &identifier, 1);
+	    }
+	}
+    }
+}
+
+
+static void
+sec_asn1d_concat_substrings (sec_asn1d_state *state)
+{
+    PORT_Assert (state->place == afterConstructedString);
+
+    if (state->subitems_head != NULL) {
+	struct subitem *substring;
+	unsigned long alloc_len, item_len;
+	unsigned char *where;
+	SECItem *item;
+	PRBool is_bit_string;
+
+	item_len = 0;
+	is_bit_string = (state->underlying_kind == SEC_ASN1_BIT_STRING)
+			? PR_TRUE : PR_FALSE;
+
+	substring = state->subitems_head;
+	while (substring != NULL) {
+	    /*
+	     * All bit-string substrings except the last one should be
+	     * a clean multiple of 8 bits.
+	     */
+	    if (is_bit_string && (substring->next == NULL)
+			      && (substring->len & 0x7)) {
+		PORT_SetError (SEC_ERROR_BAD_DER);
+		state->top->status = decodeError;
+		return;
+	    }
+	    item_len += substring->len;
+	    substring = substring->next;
+	}
+
+	if (is_bit_string) {
+#ifdef XP_WIN16		/* win16 compiler gets an internal error otherwise */
+	    alloc_len = (((long)item_len + 7) / 8);
+#else
+	    alloc_len = ((item_len + 7) >> 3);
+#endif
+	} else {
+	    /*
+	     * Add 2 for the end-of-contents octets of an indefinite-length
+	     * ANY that is *not* also an INNER.  Because we zero-allocate
+	     * below, all we need to do is increase the length here.
+	     */
+	    if (state->underlying_kind == SEC_ASN1_ANY && state->indefinite)
+		item_len += 2; 
+	    alloc_len = item_len;
+	}
+
+	item = (SECItem *)(state->dest);
+	PORT_Assert (item != NULL);
+	PORT_Assert (item->data == NULL);
+	item->data = (unsigned char*)sec_asn1d_zalloc (state->top->their_pool, 
+						       alloc_len);
+	if (item->data == NULL) {
+	    state->top->status = decodeError;
+	    return;
+	}
+	item->len = item_len;
+
+	where = item->data;
+	substring = state->subitems_head;
+	while (substring != NULL) {
+	    if (is_bit_string)
+		item_len = (substring->len + 7) >> 3;
+	    else
+		item_len = substring->len;
+	    PORT_Memcpy (where, substring->data, item_len);
+	    where += item_len;
+	    substring = substring->next;
+	}
+
+	/*
+	 * Because we use arenas and have a mark set, we later free
+	 * everything we have allocated, so this does *not* present
+	 * a memory leak (it is just temporarily left dangling).
+	 */
+	state->subitems_head = state->subitems_tail = NULL;
+    }
+
+    state->place = afterEndOfContents;
+}
+
+
+static void
+sec_asn1d_concat_group (sec_asn1d_state *state)
+{
+    const void ***placep;
+
+    PORT_Assert (state->place == afterGroup);
+
+    placep = (const void***)state->dest;
+    if (state->subitems_head != NULL) {
+	struct subitem *item;
+	const void **group;
+	int count;
+
+	count = 0;
+	item = state->subitems_head;
+	while (item != NULL) {
+	    PORT_Assert (item->next != NULL || item == state->subitems_tail);
+	    count++;
+	    item = item->next;
+	}
+
+	group = (const void**)sec_asn1d_zalloc (state->top->their_pool,
+				  (count + 1) * (sizeof(void *)));
+	if (group == NULL) {
+	    state->top->status = decodeError;
+	    return;
+	}
+
+	PORT_Assert (placep != NULL);
+	*placep = group;
+
+	item = state->subitems_head;
+	while (item != NULL) {
+	    *group++ = item->data;
+	    item = item->next;
+	}
+	*group = NULL;
+
+	/*
+	 * Because we use arenas and have a mark set, we later free
+	 * everything we have allocated, so this does *not* present
+	 * a memory leak (it is just temporarily left dangling).
+	 */
+	state->subitems_head = state->subitems_tail = NULL;
+    } else if (placep != NULL) {
+	*placep = NULL;
+    }
+
+    state->place = afterEndOfContents;
+}
+
+
+/*
+ * For those states that push a child to handle a subtemplate,
+ * "absorb" that child (transfer necessary information).
+ */
+static void
+sec_asn1d_absorb_child (sec_asn1d_state *state)
+{
+    /*
+     * There is absolutely supposed to be a child there.
+     */
+    PORT_Assert (state->child != NULL);
+
+    /*
+     * Inherit the missing status of our child, and do the ugly
+     * backing-up if necessary.
+     * (Only IMPLICIT or POINTER should encounter such; all other cases
+     * should have confirmed a tag *before* pushing a child.)
+     */
+    state->missing = state->child->missing;
+    if (state->missing) {
+	PORT_Assert (state->place == afterImplicit
+		     || state->place == afterPointer);
+	state->found_tag_number = state->child->found_tag_number;
+	state->found_tag_modifiers = state->child->found_tag_modifiers;
+	state->endofcontents = state->child->endofcontents;
+    }
+
+    /*
+     * Add in number of bytes consumed by child.
+     * (Only EXPLICIT should have already consumed bytes itself.)
+     */
+    PORT_Assert (state->place == afterExplicit || state->consumed == 0);
+    state->consumed += state->child->consumed;
+
+    /*
+     * Subtract from bytes pending; this only applies to a definite-length
+     * EXPLICIT field.
+     */
+    if (state->pending) {
+	PORT_Assert (!state->indefinite);
+	PORT_Assert (state->place == afterExplicit);
+
+	/*
+	 * If we had a definite-length explicit, then what the child
+	 * consumed should be what was left pending.
+	 */
+	if (state->pending != state->child->consumed) {
+	    if (state->pending < state->child->consumed) {
+		PORT_SetError (SEC_ERROR_BAD_DER);
+		state->top->status = decodeError;
+		return;
+	    }
+	    /*
+	     * Okay, this is a hack.  It *should* be an error whether
+	     * pending is too big or too small, but it turns out that
+	     * we had a bug in our *old* DER encoder that ended up
+	     * counting an explicit header twice in the case where
+	     * the underlying type was an ANY.  So, because we cannot
+	     * prevent receiving these (our own certificate server can
+	     * send them to us), we need to be lenient and accept them.
+	     * To do so, we need to pretend as if we read all of the
+	     * bytes that the header said we would find, even though
+	     * we actually came up short.
+	     */
+	    state->consumed += (state->pending - state->child->consumed);
+	}
+	state->pending = 0;
+    }
+
+    /*
+     * Indicate that we are done with child.
+     */
+    state->child->consumed = 0;
+
+    /*
+     * And move on to final state.
+     * (Technically everybody could move to afterEndOfContents except
+     * for an indefinite-length EXPLICIT; for simplicity though we assert
+     * that but let the end-of-contents code do the real determination.)
+     */
+    PORT_Assert (state->place == afterExplicit || (! state->indefinite));
+    state->place = beforeEndOfContents;
+}
+
+
+static void
+sec_asn1d_prepare_for_end_of_contents (sec_asn1d_state *state)
+{
+    PORT_Assert (state->place == beforeEndOfContents);
+
+    if (state->indefinite) {
+	state->place = duringEndOfContents;
+	state->pending = 2;
+    } else {
+	state->place = afterEndOfContents;
+    }
+}
+
+
+static unsigned long
+sec_asn1d_parse_end_of_contents (sec_asn1d_state *state,
+				 const char *buf, unsigned long len)
+{
+    int i;
+
+    PORT_Assert (state->pending <= 2);
+    PORT_Assert (state->place == duringEndOfContents);
+
+    if (len == 0) {
+	state->top->status = needBytes;
+	return 0;
+    }
+
+    if (state->pending < len)
+	len = state->pending;
+
+    for (i = 0; i < len; i++) {
+	if (buf[i] != 0) {
+	    /*
+	     * We expect to find only zeros; if not, just give up.
+	     */
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    state->top->status = decodeError;
+	    return 0;
+	}
+    }
+
+    state->pending -= len;
+
+    if (state->pending == 0) {
+	state->place = afterEndOfContents;
+	state->endofcontents = PR_TRUE;
+    }
+
+    return len;
+}
+
+
+static void
+sec_asn1d_pop_state (sec_asn1d_state *state)
+{
+#if 0	/* XXX I think this should always be handled explicitly by parent? */
+    /*
+     * Account for our child.
+     */
+    if (state->child != NULL) {
+	state->consumed += state->child->consumed;
+	if (state->pending) {
+	    PORT_Assert (!state->indefinite);
+	    PORT_Assert (state->child->consumed <= state->pending);
+	    state->pending -= state->child->consumed;
+	}
+	state->child->consumed = 0;
+    }
+#endif	/* XXX */
+
+    /*
+     * Free our child.
+     */
+    sec_asn1d_free_child (state, PR_FALSE);
+
+    /*
+     * Just make my parent be the current state.  It will then clean
+     * up after me and free me (or reuse me).
+     */
+    state->top->current = state->parent;
+}
+
+static sec_asn1d_state *
+sec_asn1d_before_choice
+(
+  sec_asn1d_state *state
+)
+{
+  sec_asn1d_state *child;
+
+  if( state->allocate ) {
+    void *dest;
+
+    dest = sec_asn1d_zalloc(state->top->their_pool, state->theTemplate->size);
+    if( (void *)NULL == dest ) {
+      state->top->status = decodeError;
+      return (sec_asn1d_state *)NULL;
+    }
+
+    state->dest = (char *)dest + state->theTemplate->offset;
+  }
+
+  child = sec_asn1d_push_state(state->top, state->theTemplate + 1, 
+                               state->dest, PR_FALSE);
+  if( (sec_asn1d_state *)NULL == child ) {
+    return (sec_asn1d_state *)NULL;
+  }
+
+  sec_asn1d_scrub_state(child);
+  child = sec_asn1d_init_state_based_on_template(child);
+  if( (sec_asn1d_state *)NULL == child ) {
+    return (sec_asn1d_state *)NULL;
+  }
+
+  child->optional = PR_TRUE;
+
+  state->place = duringChoice;
+
+  return child;
+}
+
+static sec_asn1d_state *
+sec_asn1d_during_choice
+(
+  sec_asn1d_state *state
+)
+{
+  sec_asn1d_state *child = state->child;
+  
+  PORT_Assert((sec_asn1d_state *)NULL != child);
+
+  if( child->missing ) {
+    unsigned char child_found_tag_modifiers = 0;
+    unsigned long child_found_tag_number = 0;
+
+    child->theTemplate++;
+
+    if( 0 == child->theTemplate->kind ) {
+      /* Ran out of choices */
+      PORT_SetError(SEC_ERROR_BAD_DER);
+      state->top->status = decodeError;
+      return (sec_asn1d_state *)NULL;
+    }
+
+    state->consumed += child->consumed;
+
+    /* cargo'd from next_in_sequence innards */
+    if( state->pending ) {
+      PORT_Assert(!state->indefinite);
+      PORT_Assert(child->consumed <= state->pending);
+      state->pending -= child->consumed;
+      if( 0 == state->pending ) {
+        /* XXX uh.. not sure if I should have stopped this
+         * from happening before. */
+        PORT_Assert(0);
+        PORT_SetError(SEC_ERROR_BAD_DER);
+        state->top->status = decodeError;
+        return (sec_asn1d_state *)NULL;
+      }
+    }
+
+    child->consumed = 0;
+    sec_asn1d_scrub_state(child);
+
+    /* move it on top again */
+    state->top->current = child;
+
+    child_found_tag_modifiers = child->found_tag_modifiers;
+    child_found_tag_number = child->found_tag_number;
+
+    child = sec_asn1d_init_state_based_on_template(child);
+    if( (sec_asn1d_state *)NULL == child ) {
+      return (sec_asn1d_state *)NULL;
+    }
+
+    /* copy our findings to the new top */
+    child->found_tag_modifiers = child_found_tag_modifiers;
+    child->found_tag_number = child_found_tag_number;
+
+    child->optional = PR_TRUE;
+    child->place = afterIdentifier;
+
+    return child;
+  } else {
+    if( (void *)NULL != state->dest ) {
+      /* Store the enum */
+      int *which = (int *)((char *)state->dest + state->theTemplate->offset);
+      *which = (int)child->theTemplate->size;
+    }
+
+    child->place = notInUse;
+
+    state->place = afterChoice;
+    return state;
+  }
+}
+
+static void
+sec_asn1d_after_choice
+(
+  sec_asn1d_state *state
+)
+{
+  state->consumed += state->child->consumed;
+  state->child->consumed = 0;
+  state->place = afterEndOfContents;
+  sec_asn1d_pop_state(state);
+}
+
+unsigned long
+sec_asn1d_uinteger(SECItem *src)
+{
+    unsigned long value;
+    int len;
+
+    if (src->len > 5 || (src->len > 4 && src->data[0] == 0))
+	return 0;
+
+    value = 0;
+    len = src->len;
+    while (len) {
+	value <<= 8;
+	value |= src->data[--len];
+    }
+    return value;
+}
+
+SECStatus
+SEC_ASN1DecodeInteger(SECItem *src, unsigned long *value)
+{
+    unsigned long v;
+    int i;
+    
+    if (src == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if (src->len > sizeof(unsigned long)) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	return SECFailure;
+    }
+
+    if (src->data == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+    	return SECFailure;
+    }
+
+    if (src->data[0] & 0x80)
+	v = -1;		/* signed and negative - start with all 1's */
+    else
+	v = 0;
+
+    for (i= 0; i < src->len; i++) {
+	/* shift in next byte */
+	v <<= 8;
+	v |= src->data[i];
+    }
+    *value = v;
+    return SECSuccess;
+}
+
+#ifdef DEBUG_ASN1D_STATES
+static void
+dump_states
+(
+  SEC_ASN1DecoderContext *cx
+)
+{
+  sec_asn1d_state *state;
+
+  for( state = cx->current; state->parent; state = state->parent ) {
+    ;
+  }
+
+  for( ; state; state = state->child ) {
+    int i;
+    for( i = 0; i < state->depth; i++ ) {
+      printf("  ");
+    }
+
+    printf("%s: template[0]->kind = 0x%02x, expect tag number = 0x%02x\n",
+           (state == cx->current) ? "STATE" : "State",
+           state->theTemplate->kind, state->expect_tag_number);
+  }
+
+  return;
+}
+#endif /* DEBUG_ASN1D_STATES */
+
+SECStatus
+SEC_ASN1DecoderUpdate (SEC_ASN1DecoderContext *cx,
+		       const char *buf, unsigned long len)
+{
+    sec_asn1d_state *state = NULL;
+    unsigned long consumed;
+    SEC_ASN1EncodingPart what;
+    sec_asn1d_state *stateEnd = cx->current;
+
+    if (cx->status == needBytes)
+	cx->status = keepGoing;
+
+    while (cx->status == keepGoing) {
+	state = cx->current;
+	what = SEC_ASN1_Contents;
+	consumed = 0;
+#ifdef DEBUG_ASN1D_STATES
+        printf("\nPLACE = %s, next byte = 0x%02x\n",
+               (state->place >= 0 && state->place <= notInUse) ?
+               place_names[ state->place ] : "(undefined)",
+               (unsigned int)((unsigned char *)buf)[ consumed ]);
+        dump_states(cx);
+#endif /* DEBUG_ASN1D_STATES */
+	switch (state->place) {
+	  case beforeIdentifier:
+	    consumed = sec_asn1d_parse_identifier (state, buf, len);
+	    what = SEC_ASN1_Identifier;
+	    break;
+	  case duringIdentifier:
+	    consumed = sec_asn1d_parse_more_identifier (state, buf, len);
+	    what = SEC_ASN1_Identifier;
+	    break;
+	  case afterIdentifier:
+	    sec_asn1d_confirm_identifier (state);
+	    break;
+	  case beforeLength:
+	    consumed = sec_asn1d_parse_length (state, buf, len);
+	    what = SEC_ASN1_Length;
+	    break;
+	  case duringLength:
+	    consumed = sec_asn1d_parse_more_length (state, buf, len);
+	    what = SEC_ASN1_Length;
+	    break;
+	  case afterLength:
+	    sec_asn1d_prepare_for_contents (state);
+	    break;
+	  case beforeBitString:
+	    consumed = sec_asn1d_parse_bit_string (state, buf, len);
+	    break;
+	  case duringBitString:
+	    consumed = sec_asn1d_parse_more_bit_string (state, buf, len);
+	    break;
+	  case duringConstructedString:
+	    sec_asn1d_next_substring (state);
+	    break;
+	  case duringGroup:
+	    sec_asn1d_next_in_group (state);
+	    break;
+	  case duringLeaf:
+	    consumed = sec_asn1d_parse_leaf (state, buf, len);
+	    break;
+	  case duringSaveEncoding:
+	    sec_asn1d_reuse_encoding (state);
+	    break;
+	  case duringSequence:
+	    sec_asn1d_next_in_sequence (state);
+	    break;
+	  case afterConstructedString:
+	    sec_asn1d_concat_substrings (state);
+	    break;
+	  case afterExplicit:
+	  case afterImplicit:
+	  case afterInline:
+	  case afterPointer:
+	    sec_asn1d_absorb_child (state);
+	    break;
+	  case afterGroup:
+	    sec_asn1d_concat_group (state);
+	    break;
+	  case afterSaveEncoding:
+	    /* XXX comment! */
+	    return SECSuccess;
+	  case beforeEndOfContents:
+	    sec_asn1d_prepare_for_end_of_contents (state);
+	    break;
+	  case duringEndOfContents:
+	    consumed = sec_asn1d_parse_end_of_contents (state, buf, len);
+	    what = SEC_ASN1_EndOfContents;
+	    break;
+	  case afterEndOfContents:
+	    sec_asn1d_pop_state (state);
+	    break;
+          case beforeChoice:
+            state = sec_asn1d_before_choice(state);
+            break;
+          case duringChoice:
+            state = sec_asn1d_during_choice(state);
+            break;
+          case afterChoice:
+            sec_asn1d_after_choice(state);
+            break;
+	  case notInUse:
+	  default:
+	    /* This is not an error, but rather a plain old BUG! */
+	    PORT_Assert (0);
+	    PORT_SetError (SEC_ERROR_BAD_DER);
+	    cx->status = decodeError;
+	    break;
+	}
+
+	if (cx->status == decodeError)
+	    break;
+
+	/* We should not consume more than we have.  */
+	PORT_Assert (consumed <= len);
+
+	/* It might have changed, so we have to update our local copy.  */
+	state = cx->current;
+
+	/* If it is NULL, we have popped all the way to the top.  */
+	if (state == NULL) {
+	    PORT_Assert (consumed == 0);
+#if 0	/* XXX I want this here, but it seems that we have situations (like
+	 * downloading a pkcs7 cert chain from some issuers) that give us a
+	 * length which is greater than the entire encoding.  So, we cannot
+	 * have this be an error.
+	 */
+	    if (len > 0)
+		cx->status = decodeError;
+	    else
+#endif
+		cx->status = allDone;
+	    break;
+	}
+	else if (state->theTemplate->kind == SEC_ASN1_SKIP_REST) {
+	    cx->status = allDone;
+	    break;
+	}
+	  
+	if (consumed == 0)
+	    continue;
+
+	/*
+	 * The following check is specifically looking for an ANY
+	 * that is *not* also an INNER, because we need to save aside
+	 * all bytes in that case -- the contents parts will get
+	 * handled like all other contents, and the end-of-contents
+	 * bytes are added by the concat code, but the outer header
+	 * bytes need to get saved too, so we do them explicitly here.
+	 */
+	if (state->underlying_kind == SEC_ASN1_ANY
+	    && !cx->filter_only && (what == SEC_ASN1_Identifier
+				    || what == SEC_ASN1_Length)) {
+	    sec_asn1d_record_any_header (state, buf, consumed);
+	}
+
+	/*
+	 * We had some number of good, accepted bytes.  If the caller
+	 * has registered to see them, pass them along.
+	 */
+	if (state->top->filter_proc != NULL) {
+	    int depth;
+
+	    depth = state->depth;
+	    if (what == SEC_ASN1_EndOfContents && !state->indefinite) {
+		PORT_Assert (state->parent != NULL
+			     && state->parent->indefinite);
+		depth--;
+		PORT_Assert (depth == state->parent->depth);
+	    }
+	    (* state->top->filter_proc) (state->top->filter_arg,
+					 buf, consumed, depth, what);
+	}
+
+	state->consumed += consumed;
+	buf += consumed;
+	len -= consumed;
+    }
+
+    if (cx->status == decodeError) {
+	while (state != NULL && stateEnd->parent!=state) {
+	    sec_asn1d_free_child (state, PR_TRUE);
+	    state = state->parent;
+	}
+#ifdef SEC_ASN1D_FREE_ON_ERROR	/*
+				 * XXX This does not work because we can
+				 * end up leaving behind dangling pointers
+				 * to stuff that was allocated.  In order
+				 * to make this really work (which would
+				 * be a good thing, I think), we need to
+				 * keep track of every place/pointer that
+				 * was allocated and make sure to NULL it
+				 * out before we then free back to the mark.	
+				 */
+	if (cx->their_pool != NULL) {
+	    PORT_Assert (cx->their_mark != NULL);
+	    PORT_ArenaRelease (cx->their_pool, cx->their_mark);
+	}
+#endif
+	return SECFailure;
+    }
+
+#if 0	/* XXX This is what I want, but cannot have because it seems we
+	 * have situations (like when downloading a pkcs7 cert chain from
+	 * some issuers) that give us a total length which is greater than
+	 * the entire encoding.  So, we have to allow allDone to have a
+	 * remaining length greater than zero.  I wanted to catch internal
+	 * bugs with this, noticing when we do not have the right length.
+	 * Oh well.
+	 */
+    PORT_Assert (len == 0
+		 && (cx->status == needBytes || cx->status == allDone));
+#else
+    PORT_Assert ((len == 0 && cx->status == needBytes)
+		 || cx->status == allDone);
+#endif
+    return SECSuccess;
+}
+
+
+SECStatus
+SEC_ASN1DecoderFinish (SEC_ASN1DecoderContext *cx)
+{
+    SECStatus rv;
+
+    if (cx->status == needBytes) {
+	PORT_SetError (SEC_ERROR_BAD_DER);
+	rv = SECFailure;
+    } else {
+	rv = SECSuccess;
+    }
+
+    /*
+     * XXX anything else that needs to be finished?
+     */
+
+    PORT_FreeArena (cx->our_pool, PR_FALSE);
+
+    return rv;
+}
+
+
+SEC_ASN1DecoderContext *
+SEC_ASN1DecoderStart (PRArenaPool *their_pool, void *dest,
+		      const SEC_ASN1Template *theTemplate)
+{
+    PRArenaPool *our_pool;
+    SEC_ASN1DecoderContext *cx;
+
+    our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if (our_pool == NULL)
+	return NULL;
+
+    cx = (SEC_ASN1DecoderContext*)PORT_ArenaZAlloc (our_pool, sizeof(*cx));
+    if (cx == NULL) {
+	PORT_FreeArena (our_pool, PR_FALSE);
+	return NULL;
+    }
+
+    cx->our_pool = our_pool;
+    if (their_pool != NULL) {
+	cx->their_pool = their_pool;
+#ifdef SEC_ASN1D_FREE_ON_ERROR
+	cx->their_mark = PORT_ArenaMark (their_pool);
+#endif
+    }
+
+    cx->status = needBytes;
+
+    if (sec_asn1d_push_state(cx, theTemplate, dest, PR_FALSE) == NULL
+	|| sec_asn1d_init_state_based_on_template (cx->current) == NULL) {
+	/*
+	 * Trouble initializing (probably due to failed allocations)
+	 * requires that we just give up.
+	 */
+	PORT_FreeArena (our_pool, PR_FALSE);
+	return NULL;
+    }
+
+    return cx;
+}
+
+
+void
+SEC_ASN1DecoderSetFilterProc (SEC_ASN1DecoderContext *cx,
+			      SEC_ASN1WriteProc fn, void *arg,
+			      PRBool only)
+{
+    /* check that we are "between" fields here */
+    PORT_Assert (cx->during_notify);
+
+    cx->filter_proc = fn;
+    cx->filter_arg = arg;
+    cx->filter_only = only;
+}
+
+
+void
+SEC_ASN1DecoderClearFilterProc (SEC_ASN1DecoderContext *cx)
+{
+    /* check that we are "between" fields here */
+    PORT_Assert (cx->during_notify);
+
+    cx->filter_proc = NULL;
+    cx->filter_arg = NULL;
+    cx->filter_only = PR_FALSE;
+}
+
+
+void
+SEC_ASN1DecoderSetNotifyProc (SEC_ASN1DecoderContext *cx,
+			      SEC_ASN1NotifyProc fn, void *arg)
+{
+    cx->notify_proc = fn;
+    cx->notify_arg = arg;
+}
+
+
+void
+SEC_ASN1DecoderClearNotifyProc (SEC_ASN1DecoderContext *cx)
+{
+    cx->notify_proc = NULL;
+    cx->notify_arg = NULL;	/* not necessary; just being clean */
+}
+
+
+SECStatus
+SEC_ASN1Decode (PRArenaPool *poolp, void *dest,
+		const SEC_ASN1Template *theTemplate,
+		const char *buf, long len)
+{
+    SEC_ASN1DecoderContext *dcx;
+    SECStatus urv, frv;
+
+    dcx = SEC_ASN1DecoderStart (poolp, dest, theTemplate);
+    if (dcx == NULL)
+	return SECFailure;
+
+    urv = SEC_ASN1DecoderUpdate (dcx, buf, len);
+    frv = SEC_ASN1DecoderFinish (dcx);
+
+    if (urv != SECSuccess)
+	return urv;
+
+    return frv;
+}
+
+
+SECStatus
+SEC_ASN1DecodeItem (PRArenaPool *poolp, void *dest,
+		    const SEC_ASN1Template *theTemplate,
+		    SECItem *item)
+{
+    return SEC_ASN1Decode (poolp, dest, theTemplate,
+			   (char *) item->data, item->len);
+}
+
+
+/*
+ * Generic templates for individual/simple items and pointers to
+ * and sets of same.
+ *
+ * If you need to add a new one, please note the following:
+ *	 - For each new basic type you should add *four* templates:
+ *	one plain, one PointerTo, one SequenceOf and one SetOf.
+ *	 - If the new type can be constructed (meaning, it is a
+ *	*string* type according to BER/DER rules), then you should
+ *	or-in SEC_ASN1_MAY_STREAM to the type in the basic template.
+ *	See the definition of the OctetString template for an example.
+ *	 - It may not be obvious, but these are in *alphabetical*
+ *	order based on the SEC_ASN1_XXX name; so put new ones in
+ *	the appropriate place.
+ */
+
+const SEC_ASN1Template SEC_AnyTemplate[] = {
+    { SEC_ASN1_ANY | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
+};
+
+const SEC_ASN1Template SEC_PointerToAnyTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_AnyTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfAnyTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_AnyTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfAnyTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_AnyTemplate }
+};
+
+const SEC_ASN1Template SEC_BitStringTemplate[] = {
+    { SEC_ASN1_BIT_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
+};
+
+const SEC_ASN1Template SEC_PointerToBitStringTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_BitStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfBitStringTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_BitStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfBitStringTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_BitStringTemplate }
+};
+
+const SEC_ASN1Template SEC_BMPStringTemplate[] = {
+    { SEC_ASN1_BMP_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
+};
+
+const SEC_ASN1Template SEC_PointerToBMPStringTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_BMPStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfBMPStringTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_BMPStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfBMPStringTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_BMPStringTemplate }
+};
+
+const SEC_ASN1Template SEC_BooleanTemplate[] = {
+    { SEC_ASN1_BOOLEAN, 0, NULL, sizeof(SECItem) }
+};
+
+const SEC_ASN1Template SEC_PointerToBooleanTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_BooleanTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfBooleanTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_BooleanTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfBooleanTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_BooleanTemplate }
+};
+
+const SEC_ASN1Template SEC_EnumeratedTemplate[] = {
+    { SEC_ASN1_ENUMERATED, 0, NULL, sizeof(SECItem) }
+};
+
+const SEC_ASN1Template SEC_PointerToEnumeratedTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_EnumeratedTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfEnumeratedTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_EnumeratedTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfEnumeratedTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_EnumeratedTemplate }
+};
+
+const SEC_ASN1Template SEC_GeneralizedTimeTemplate[] = {
+    { SEC_ASN1_GENERALIZED_TIME | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem)}
+};
+
+const SEC_ASN1Template SEC_PointerToGeneralizedTimeTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_GeneralizedTimeTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfGeneralizedTimeTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_GeneralizedTimeTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfGeneralizedTimeTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_GeneralizedTimeTemplate }
+};
+
+const SEC_ASN1Template SEC_IA5StringTemplate[] = {
+    { SEC_ASN1_IA5_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
+};
+
+const SEC_ASN1Template SEC_PointerToIA5StringTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_IA5StringTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfIA5StringTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_IA5StringTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfIA5StringTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_IA5StringTemplate }
+};
+
+const SEC_ASN1Template SEC_IntegerTemplate[] = {
+    { SEC_ASN1_INTEGER, 0, NULL, sizeof(SECItem) }
+};
+
+const SEC_ASN1Template SEC_PointerToIntegerTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_IntegerTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfIntegerTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_IntegerTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfIntegerTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_IntegerTemplate }
+};
+
+const SEC_ASN1Template SEC_NullTemplate[] = {
+    { SEC_ASN1_NULL, 0, NULL, sizeof(SECItem) }
+};
+
+const SEC_ASN1Template SEC_PointerToNullTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_NullTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfNullTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_NullTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfNullTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_NullTemplate }
+};
+
+const SEC_ASN1Template SEC_ObjectIDTemplate[] = {
+    { SEC_ASN1_OBJECT_ID, 0, NULL, sizeof(SECItem) }
+};
+
+const SEC_ASN1Template SEC_PointerToObjectIDTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_ObjectIDTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfObjectIDTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_ObjectIDTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfObjectIDTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_ObjectIDTemplate }
+};
+
+const SEC_ASN1Template SEC_OctetStringTemplate[] = {
+    { SEC_ASN1_OCTET_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
+};
+
+const SEC_ASN1Template SEC_PointerToOctetStringTemplate[] = {
+    { SEC_ASN1_POINTER | SEC_ASN1_MAY_STREAM, 0, SEC_OctetStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfOctetStringTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_OctetStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfOctetStringTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_OctetStringTemplate }
+};
+
+const SEC_ASN1Template SEC_PrintableStringTemplate[] = {
+    { SEC_ASN1_PRINTABLE_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem)}
+};
+
+const SEC_ASN1Template SEC_PointerToPrintableStringTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_PrintableStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfPrintableStringTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_PrintableStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfPrintableStringTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_PrintableStringTemplate }
+};
+
+const SEC_ASN1Template SEC_T61StringTemplate[] = {
+    { SEC_ASN1_T61_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
+};
+
+const SEC_ASN1Template SEC_PointerToT61StringTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_T61StringTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfT61StringTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_T61StringTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfT61StringTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_T61StringTemplate }
+};
+
+const SEC_ASN1Template SEC_UniversalStringTemplate[] = {
+    { SEC_ASN1_UNIVERSAL_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem)}
+};
+
+const SEC_ASN1Template SEC_PointerToUniversalStringTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_UniversalStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfUniversalStringTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_UniversalStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfUniversalStringTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_UniversalStringTemplate }
+};
+
+const SEC_ASN1Template SEC_UTCTimeTemplate[] = {
+    { SEC_ASN1_UTC_TIME | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
+};
+
+const SEC_ASN1Template SEC_PointerToUTCTimeTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_UTCTimeTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfUTCTimeTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_UTCTimeTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfUTCTimeTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_UTCTimeTemplate }
+};
+
+const SEC_ASN1Template SEC_UTF8StringTemplate[] = {
+    { SEC_ASN1_UTF8_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem)}
+};
+
+const SEC_ASN1Template SEC_PointerToUTF8StringTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_UTF8StringTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfUTF8StringTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_UTF8StringTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfUTF8StringTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_UTF8StringTemplate }
+};
+
+const SEC_ASN1Template SEC_VisibleStringTemplate[] = {
+    { SEC_ASN1_VISIBLE_STRING | SEC_ASN1_MAY_STREAM, 0, NULL, sizeof(SECItem) }
+};
+
+const SEC_ASN1Template SEC_PointerToVisibleStringTemplate[] = {
+    { SEC_ASN1_POINTER, 0, SEC_VisibleStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SequenceOfVisibleStringTemplate[] = {
+    { SEC_ASN1_SEQUENCE_OF, 0, SEC_VisibleStringTemplate }
+};
+
+const SEC_ASN1Template SEC_SetOfVisibleStringTemplate[] = {
+    { SEC_ASN1_SET_OF, 0, SEC_VisibleStringTemplate }
+};
+
+
+/*
+ * Template for skipping a subitem.
+ *
+ * Note that it only makes sense to use this for decoding (when you want
+ * to decode something where you are only interested in one or two of
+ * the fields); you cannot encode a SKIP!
+ */
+const SEC_ASN1Template SEC_SkipTemplate[] = {
+    { SEC_ASN1_SKIP }
+};
+
+
+/* These functions simply return the address of the above-declared templates.
+** This is necessary for Windows DLLs.  Sigh.
+*/
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_AnyTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_BMPStringTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_BooleanTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_BitStringTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_IA5StringTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_GeneralizedTimeTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_IntegerTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_NullTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_ObjectIDTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_OctetStringTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_PointerToAnyTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_PointerToOctetStringTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_SetOfAnyTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_UTCTimeTemplate)
+SEC_ASN1_CHOOSER_IMPLEMENT(SEC_UTF8StringTemplate)
+
diff --git a/security/nss/lib/util/secasn1e.c b/security/nss/lib/util/secasn1e.c
new file mode 100644
index 000000000..4a23bcbba
--- /dev/null
+++ b/security/nss/lib/util/secasn1e.c
@@ -0,0 +1,1567 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Support for ENcoding ASN.1 data based on BER/DER (Basic/Distinguished
+ * Encoding Rules).
+ *
+ * $Id$
+ */
+
+#include "secasn1.h"
+
+typedef enum {
+    beforeHeader,
+    duringContents,
+    duringGroup,
+    duringSequence,
+    afterContents,
+    afterImplicit,
+    afterInline,
+    afterPointer,
+    afterChoice,
+    notInUse
+} sec_asn1e_parse_place;
+
+typedef enum {
+    allDone,
+    encodeError,
+    keepGoing,
+    needBytes
+} sec_asn1e_parse_status;
+
+typedef struct sec_asn1e_state_struct {
+    SEC_ASN1EncoderContext *top;
+    const SEC_ASN1Template *theTemplate;
+    void *src;
+
+    struct sec_asn1e_state_struct *parent;	/* aka prev */
+    struct sec_asn1e_state_struct *child;	/* aka next */
+
+    sec_asn1e_parse_place place;	/* where we are in encoding process */
+
+    /*
+     * XXX explain the next fields as clearly as possible...
+     */
+    unsigned char tag_modifiers;
+    unsigned char tag_number;
+    unsigned long underlying_kind;
+
+    int depth;
+
+    PRBool explicit,		/* we are handling an explicit header */
+	   indefinite,		/* need end-of-contents */
+	   is_string,		/* encoding a simple string or an ANY */
+	   may_stream,		/* when streaming, do indefinite encoding */
+	   optional,		/* omit field if it has no contents */
+	   ignore_stream;	/* ignore streaming value of sub-template */	
+} sec_asn1e_state;
+
+/*
+ * An "outsider" will have an opaque pointer to this, created by calling
+ * SEC_ASN1EncoderStart().  It will be passed back in to all subsequent
+ * calls to SEC_ASN1EncoderUpdate() and related routines, and when done
+ * it is passed to SEC_ASN1EncoderFinish().
+ */
+struct sec_EncoderContext_struct {
+    PRArenaPool *our_pool;		/* for our internal allocs */
+
+    sec_asn1e_state *current;
+    sec_asn1e_parse_status status;
+
+    PRBool streaming;
+    PRBool from_buf;
+
+    SEC_ASN1NotifyProc notify_proc;	/* call before/after handling field */
+    void *notify_arg;			/* argument to notify_proc */
+    PRBool during_notify;		/* true during call to notify_proc */
+
+    SEC_ASN1WriteProc output_proc;	/* pass encoded bytes to this  */
+    void *output_arg;			/* argument to that function */
+};
+
+
+static sec_asn1e_state *
+sec_asn1e_push_state (SEC_ASN1EncoderContext *cx,
+		      const SEC_ASN1Template *theTemplate,
+		      void *src, PRBool new_depth)
+{
+    sec_asn1e_state *state, *new_state;
+
+    state = cx->current;
+
+    new_state = (sec_asn1e_state*)PORT_ArenaZAlloc (cx->our_pool, 
+						    sizeof(*new_state));
+    if (new_state == NULL) {
+	cx->status = encodeError;
+	return NULL;
+    }
+
+    new_state->top = cx;
+    new_state->parent = state;
+    new_state->theTemplate = theTemplate;
+    new_state->place = notInUse;
+    if (src != NULL)
+	new_state->src = (char *)src + theTemplate->offset;
+
+    if (state != NULL) {
+	new_state->depth = state->depth;
+	if (new_depth)
+	    new_state->depth++;
+	state->child = new_state;
+    }
+
+    cx->current = new_state;
+    return new_state;
+}
+
+
+static void
+sec_asn1e_scrub_state (sec_asn1e_state *state)
+{
+    /*
+     * Some default "scrubbing".
+     * XXX right set of initializations?
+     */
+    state->place = beforeHeader;
+    state->indefinite = PR_FALSE;
+}
+
+
+static void
+sec_asn1e_notify_before (SEC_ASN1EncoderContext *cx, void *src, int depth)
+{
+    if (cx->notify_proc == NULL)
+	return;
+
+    cx->during_notify = PR_TRUE;
+    (* cx->notify_proc) (cx->notify_arg, PR_TRUE, src, depth);
+    cx->during_notify = PR_FALSE;
+}
+
+
+static void
+sec_asn1e_notify_after (SEC_ASN1EncoderContext *cx, void *src, int depth)
+{
+    if (cx->notify_proc == NULL)
+	return;
+
+    cx->during_notify = PR_TRUE;
+    (* cx->notify_proc) (cx->notify_arg, PR_FALSE, src, depth);
+    cx->during_notify = PR_FALSE;
+}
+
+
+static sec_asn1e_state *
+sec_asn1e_init_state_based_on_template (sec_asn1e_state *state)
+{
+    PRBool explicit, is_string, may_stream, optional, universal, ignore_stream;
+    unsigned char tag_modifiers;
+    unsigned long encode_kind, under_kind;
+    unsigned long tag_number;
+
+
+    encode_kind = state->theTemplate->kind;
+
+    universal = ((encode_kind & SEC_ASN1_CLASS_MASK) == SEC_ASN1_UNIVERSAL)
+		? PR_TRUE : PR_FALSE;
+
+    explicit = (encode_kind & SEC_ASN1_EXPLICIT) ? PR_TRUE : PR_FALSE;
+    encode_kind &= ~SEC_ASN1_EXPLICIT;
+
+    optional = (encode_kind & SEC_ASN1_OPTIONAL) ? PR_TRUE : PR_FALSE;
+    encode_kind &= ~SEC_ASN1_OPTIONAL;
+
+    PORT_Assert (!(explicit && universal));	/* bad templates */
+
+    may_stream = (encode_kind & SEC_ASN1_MAY_STREAM) ? PR_TRUE : PR_FALSE;
+    encode_kind &= ~SEC_ASN1_MAY_STREAM;
+
+    ignore_stream = (encode_kind & SEC_ASN1_NO_STREAM) ? PR_TRUE : PR_FALSE;
+    encode_kind &= ~SEC_ASN1_NO_STREAM;
+
+    /* Just clear this to get it out of the way; we do not need it here */
+    encode_kind &= ~SEC_ASN1_DYNAMIC;
+
+    if( encode_kind & SEC_ASN1_CHOICE ) {
+      under_kind = SEC_ASN1_CHOICE;
+    } else
+
+    if ((encode_kind & (SEC_ASN1_POINTER | SEC_ASN1_INLINE)) || (!universal
+							      && !explicit)) {
+	const SEC_ASN1Template *subt;
+	void *src;
+
+	PORT_Assert ((encode_kind & (SEC_ASN1_ANY | SEC_ASN1_SKIP)) == 0);
+
+	sec_asn1e_scrub_state (state);
+
+	if (encode_kind & SEC_ASN1_POINTER) {
+	    /*
+	     * XXX This used to PORT_Assert (encode_kind == SEC_ASN1_POINTER);
+	     * but that was too restrictive.  This needs to be fixed,
+	     * probably copying what the decoder now checks for, and
+	     * adding a big comment here to explain what the checks mean.
+	     */
+	    src = *(void **)state->src;
+	    state->place = afterPointer;
+	    if (src == NULL) {
+		/*
+		 * If this is optional, but NULL, then the field does
+		 * not need to be encoded.  In this case we are done;
+		 * we do not want to push a subtemplate.
+		 */
+		if (optional)
+		    return state;
+
+		/*
+		 * XXX this is an error; need to figure out
+		 * how to handle this
+		 */
+	    }
+	} else {
+	    src = state->src;
+	    if (encode_kind & SEC_ASN1_INLINE) {
+		/* check that there are no extraneous bits */
+		PORT_Assert (encode_kind == SEC_ASN1_INLINE && !optional);
+		state->place = afterInline;
+	    } else {
+		/*
+		 * Save the tag modifiers and tag number here before moving
+		 * on to the next state in case this is a member of a
+		 * SEQUENCE OF
+		 */
+		state->tag_modifiers = encode_kind & SEC_ASN1_TAG_MASK
+					& ~SEC_ASN1_TAGNUM_MASK;
+		state->tag_number = encode_kind & SEC_ASN1_TAGNUM_MASK;
+		
+		state->place = afterImplicit;
+		state->optional = optional;
+	    }
+	}
+
+	subt = SEC_ASN1GetSubtemplate (state->theTemplate, state->src, PR_TRUE);
+	state = sec_asn1e_push_state (state->top, subt, src, PR_FALSE);
+	if (state == NULL)
+	    return NULL;
+
+	if (universal) {
+	    /*
+	     * This is a POINTER or INLINE; just init based on that
+	     * and we are done.
+	     */
+	    return sec_asn1e_init_state_based_on_template (state);
+	}
+
+	/*
+	 * This is an implicit, non-universal (meaning, application-private
+	 * or context-specific) field.  This results in a "magic" tag but
+	 * encoding based on the underlying type.  We pushed a new state
+	 * that is based on the subtemplate (the underlying type), but
+	 * now we will sort of alias it to give it some of our properties
+	 * (tag, optional status, etc.).
+	 */
+
+	under_kind = state->theTemplate->kind;
+	if (under_kind & SEC_ASN1_MAY_STREAM) {
+	    if (!ignore_stream)
+	      may_stream = PR_TRUE;
+	    under_kind &= ~SEC_ASN1_MAY_STREAM;
+	}
+    } else {
+	under_kind = encode_kind;
+    }
+
+    /*
+     * Sanity check that there are no unwanted bits marked in under_kind.
+     * These bits were either removed above (after we recorded them) or
+     * they simply should not be found (signalling a bad/broken template).
+     * XXX is this the right set of bits to test here? (i.e. need to add
+     * or remove any?)
+     */
+    PORT_Assert ((under_kind & (SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL
+				| SEC_ASN1_SKIP | SEC_ASN1_INNER
+				| SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM
+				| SEC_ASN1_INLINE | SEC_ASN1_POINTER)) == 0);
+
+    if (encode_kind & SEC_ASN1_ANY) {
+	PORT_Assert (encode_kind == under_kind);
+	tag_modifiers = 0;
+	tag_number = 0;
+	is_string = PR_TRUE;
+    } else {
+	tag_modifiers = encode_kind & SEC_ASN1_TAG_MASK & ~SEC_ASN1_TAGNUM_MASK;
+	/*
+	 * XXX This assumes only single-octet identifiers.  To handle
+	 * the HIGH TAG form we would need to do some more work, especially
+	 * in how to specify them in the template, because right now we
+	 * do not provide a way to specify more *tag* bits in encode_kind.
+	 */
+	tag_number = encode_kind & SEC_ASN1_TAGNUM_MASK;
+
+	is_string = PR_FALSE;
+	switch (under_kind & SEC_ASN1_TAGNUM_MASK) {
+	  case SEC_ASN1_SET:
+	    /*
+	     * XXX A plain old SET (as opposed to a SET OF) is not implemented.
+	     * If it ever is, remove this assert...
+	     */
+	    PORT_Assert ((under_kind & SEC_ASN1_GROUP) != 0);
+	    /* fallthru */
+	  case SEC_ASN1_SEQUENCE:
+	    tag_modifiers |= SEC_ASN1_CONSTRUCTED;
+	    break;
+	  case SEC_ASN1_BIT_STRING:
+	  case SEC_ASN1_BMP_STRING: 
+	  case SEC_ASN1_GENERALIZED_TIME:
+	  case SEC_ASN1_IA5_STRING:
+	  case SEC_ASN1_OCTET_STRING:
+	  case SEC_ASN1_PRINTABLE_STRING:
+	  case SEC_ASN1_T61_STRING:
+	  case SEC_ASN1_UNIVERSAL_STRING: 
+	  case SEC_ASN1_UTC_TIME:
+	  case SEC_ASN1_UTF8_STRING:
+	  case SEC_ASN1_VISIBLE_STRING: 
+	    /*
+	     * We do not yet know if we will be constructing the string,
+	     * so we have to wait to do this final tag modification.
+	     */
+	    is_string = PR_TRUE;
+	    break;
+	}
+    }
+
+    state->tag_modifiers = tag_modifiers;
+    state->tag_number = tag_number;
+    state->underlying_kind = under_kind;
+    state->explicit = explicit;
+    state->may_stream = may_stream;
+    state->is_string = is_string;
+    state->optional = optional;
+    state->ignore_stream = ignore_stream;
+
+    sec_asn1e_scrub_state (state);
+
+    return state;
+}
+
+
+static void
+sec_asn1e_write_part (sec_asn1e_state *state,
+		      const char *buf, unsigned long len,
+		      SEC_ASN1EncodingPart part)
+{
+    SEC_ASN1EncoderContext *cx;
+
+    cx = state->top;
+    (* cx->output_proc) (cx->output_arg, buf, len, state->depth, part);
+}
+
+
+/*
+ * XXX This assumes only single-octet identifiers.  To handle
+ * the HIGH TAG form we would need to modify this interface and
+ * teach it to properly encode the special form.
+ */
+static void
+sec_asn1e_write_identifier_bytes (sec_asn1e_state *state, unsigned char value)
+{
+    char byte;
+
+    byte = (char) value;
+    sec_asn1e_write_part (state, &byte, 1, SEC_ASN1_Identifier);
+}
+
+int
+SEC_ASN1EncodeLength(unsigned char *buf,int value) {
+    int lenlen;
+
+    lenlen = SEC_ASN1LengthLength (value);
+    if (lenlen == 1) {
+	buf[0] = value;
+    } else {
+	int i;
+
+	i = lenlen - 1;
+	buf[0] = 0x80 | i;
+	while (i) {
+	    buf[i--] = value;
+	    value >>= 8;
+	}
+        PORT_Assert (value == 0);
+    }
+    return lenlen;
+}
+
+static void
+sec_asn1e_write_length_bytes (sec_asn1e_state *state, unsigned long value,
+			      PRBool indefinite)
+{
+    int lenlen;
+    unsigned char buf[sizeof(unsigned long) + 1];
+
+    if (indefinite) {
+	PORT_Assert (value == 0);
+	buf[0] = 0x80;
+	lenlen = 1;
+    } else {
+	lenlen = SEC_ASN1EncodeLength(buf,value);
+    }
+
+    sec_asn1e_write_part (state, (char *) buf, lenlen, SEC_ASN1_Length);
+}
+
+
+static void
+sec_asn1e_write_contents_bytes (sec_asn1e_state *state,
+				const char *buf, unsigned long len)
+{
+    sec_asn1e_write_part (state, buf, len, SEC_ASN1_Contents);
+}
+
+
+static void
+sec_asn1e_write_end_of_contents_bytes (sec_asn1e_state *state)
+{
+    const char eoc[2] = {0, 0};
+
+    sec_asn1e_write_part (state, eoc, 2, SEC_ASN1_EndOfContents);
+}
+
+static int
+sec_asn1e_which_choice
+(
+  void *src,
+  const SEC_ASN1Template *theTemplate
+)
+{
+  int rv;
+  int which = *(int *)((char *)src + theTemplate->offset);
+
+  for( rv = 1, theTemplate++; theTemplate->kind != 0; rv++, theTemplate++ ) {
+    if( which == theTemplate->size ) {
+      return rv;
+    }
+  }
+
+  return 0;
+}
+
+static unsigned long
+sec_asn1e_contents_length (const SEC_ASN1Template *theTemplate, void *src,
+			   PRBool ignoresubstream, PRBool *noheaderp)
+{
+    unsigned long encode_kind, underlying_kind;
+    PRBool explicit, optional, universal, may_stream;
+    unsigned long len;
+
+    /*
+     * This function currently calculates the length in all cases
+     * except the following: when writing out the contents of a 
+     * template that belongs to a state where it was a sub-template
+     * with the SEC_ASN1_MAY_STREAM bit set and it's parent had the
+     * optional bit set.  The information that the parent is optional
+     * and that we should return the length of 0 when that length is 
+     * present since that means the optional field is no longer present.
+     * So we add the ignoresubstream flag which is passed in when
+     * writing the contents, but for all recursive calls to 
+     * sec_asn1e_contents_length, we pass PR_FALSE, because this
+     * function correctly calculates the length for children templates
+     * from that point on.  Confused yet?  At least you didn't have
+     * to figure it out.  ;)  -javi
+     */
+    encode_kind = theTemplate->kind;
+
+    universal = ((encode_kind & SEC_ASN1_CLASS_MASK) == SEC_ASN1_UNIVERSAL)
+		? PR_TRUE : PR_FALSE;
+
+    explicit = (encode_kind & SEC_ASN1_EXPLICIT) ? PR_TRUE : PR_FALSE;
+    encode_kind &= ~SEC_ASN1_EXPLICIT;
+
+    optional = (encode_kind & SEC_ASN1_OPTIONAL) ? PR_TRUE : PR_FALSE;
+    encode_kind &= ~SEC_ASN1_OPTIONAL;
+
+    PORT_Assert (!(explicit && universal));	/* bad templates */
+
+    may_stream = (encode_kind & SEC_ASN1_MAY_STREAM) ? PR_TRUE : PR_FALSE;
+    encode_kind &= ~SEC_ASN1_MAY_STREAM;
+
+    /* Just clear this to get it out of the way; we do not need it here */
+    encode_kind &= ~SEC_ASN1_DYNAMIC;
+    encode_kind &= ~SEC_ASN1_NO_STREAM;
+
+    if( encode_kind & SEC_ASN1_CHOICE ) {
+      void *src2;
+      int indx = sec_asn1e_which_choice(src, theTemplate);
+      if( 0 == indx ) {
+        /* XXX set an error? "choice not found" */
+        /* state->top->status = encodeError; */
+        return 0;
+      }
+
+      src2 = (void *)((char *)src + theTemplate[indx].offset);
+
+      return sec_asn1e_contents_length(&theTemplate[indx], src2, 
+                                       PR_FALSE, noheaderp);
+    }
+
+    if ((encode_kind & (SEC_ASN1_POINTER | SEC_ASN1_INLINE)) || !universal) {
+
+	/* XXX any bits we want to disallow (PORT_Assert against) here? */
+
+	theTemplate = SEC_ASN1GetSubtemplate (theTemplate, src, PR_TRUE);
+
+	if (encode_kind & SEC_ASN1_POINTER) {
+	    /*
+	     * XXX This used to PORT_Assert (encode_kind == SEC_ASN1_POINTER);
+	     * but that was too restrictive.  This needs to be fixed,
+	     * probably copying what the decoder now checks for, and
+	     * adding a big comment here to explain what the checks mean.
+	     * Alternatively, the check here could be omitted altogether
+	     * just letting sec_asn1e_init_state_based_on_template
+	     * do it, since that routine can do better error handling, too.
+	     */
+	    src = *(void **)src;
+	    if (src == NULL) {
+		if (optional)
+		    *noheaderp = PR_TRUE;
+		else 
+		    *noheaderp = PR_FALSE;
+		return 0;
+	    }
+	} else if (encode_kind & SEC_ASN1_INLINE) {
+	    /* check that there are no extraneous bits */
+	    PORT_Assert (encode_kind == SEC_ASN1_INLINE && !optional);
+	}
+
+	src = (char *)src + theTemplate->offset;
+
+	if (explicit) {
+	    len = sec_asn1e_contents_length (theTemplate, src, PR_FALSE,
+                                             noheaderp);
+	    if (len == 0 && optional) {
+		*noheaderp = PR_TRUE;
+	    } else if (*noheaderp) {
+		/* Okay, *we* do not want to add in a header, but our caller still does. */
+		*noheaderp = PR_FALSE;
+	    } else {
+		/* if the inner content exists, our length is
+		 * len(identifier) + len(length) + len(innercontent)
+		 * XXX we currently assume len(identifier) == 1;
+		 * to support a high-tag-number this would need to be smarter.
+		 */
+		len += 1 + SEC_ASN1LengthLength (len);
+	    }
+	    return len;
+	}
+
+	underlying_kind = theTemplate->kind;
+	underlying_kind &= ~SEC_ASN1_MAY_STREAM;
+
+	/* XXX Should we recurse here? */
+    } else {
+	underlying_kind = encode_kind;
+    }
+
+    /* This is only used in decoding; it plays no part in encoding.  */
+    if (underlying_kind & SEC_ASN1_SAVE) {
+	/* check that there are no extraneous bits */
+	PORT_Assert (underlying_kind == SEC_ASN1_SAVE);
+	*noheaderp = PR_TRUE;
+	return 0;
+    }
+
+    /* Having any of these bits is not expected here...  */
+    PORT_Assert ((underlying_kind & (SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL
+				     | SEC_ASN1_INLINE | SEC_ASN1_POINTER
+				     | SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM
+				     | SEC_ASN1_SAVE | SEC_ASN1_SKIP)) == 0);
+
+    if( underlying_kind & SEC_ASN1_CHOICE ) {
+      void *src2;
+      int indx = sec_asn1e_which_choice(src, theTemplate);
+      if( 0 == indx ) {
+        /* XXX set an error? "choice not found" */
+        /* state->top->status = encodeError; */
+        return 0;
+      }
+
+      src2 = (void *)((char *)src - theTemplate->offset + theTemplate[indx].offset);
+      len = sec_asn1e_contents_length(&theTemplate[indx], src2, PR_FALSE,
+                                      noheaderp);
+    } else
+
+    switch (underlying_kind) {
+      case SEC_ASN1_SEQUENCE_OF:
+      case SEC_ASN1_SET_OF:
+	{
+	    const SEC_ASN1Template *tmpt;
+	    void *sub_src;
+	    unsigned long sub_len;
+	    void **group;
+
+	    len = 0;
+
+	    group = *(void ***)src;
+	    if (group == NULL)
+		break;
+
+	    tmpt = SEC_ASN1GetSubtemplate (theTemplate, src, PR_TRUE);
+
+	    for (; *group != NULL; group++) {
+		sub_src = (char *)(*group) + tmpt->offset;
+		sub_len = sec_asn1e_contents_length (tmpt, sub_src, PR_FALSE,
+                                                     noheaderp);
+		len += sub_len;
+		/*
+		 * XXX The 1 below is the presumed length of the identifier;
+		 * to support a high-tag-number this would need to be smarter.
+		 */
+		if (!*noheaderp)
+		    len += 1 + SEC_ASN1LengthLength (sub_len);
+	    }
+	}
+	break;
+
+      case SEC_ASN1_SEQUENCE:
+      case SEC_ASN1_SET:
+	{
+	    const SEC_ASN1Template *tmpt;
+	    void *sub_src;
+	    unsigned long sub_len;
+
+	    len = 0;
+	    for (tmpt = theTemplate + 1; tmpt->kind; tmpt++) {
+		sub_src = (char *)src + tmpt->offset;
+		sub_len = sec_asn1e_contents_length (tmpt, sub_src, PR_FALSE,
+                                                     noheaderp);
+		len += sub_len;
+		/*
+		 * XXX The 1 below is the presumed length of the identifier;
+		 * to support a high-tag-number this would need to be smarter.
+		 */
+		if (!*noheaderp)
+		    len += 1 + SEC_ASN1LengthLength (sub_len);
+	    }
+	}
+	break;
+
+      case SEC_ASN1_BIT_STRING:
+	/* convert bit length to byte */
+	len = (((SECItem *)src)->len + 7) >> 3;
+	/* bit string contents involve an extra octet */
+	if (len)
+	    len++;
+	break;
+
+      case SEC_ASN1_INTEGER:
+	/* ASN.1 INTEGERs are signed.
+	 * If the source is an unsigned integer, the encoder will need 
+	 * to handle the conversion here.
+	 */
+	{
+	    unsigned char *buf = ((SECItem *)src)->data;
+	    SECItemType integerType = ((SECItem *)src)->type;
+	    len = ((SECItem *)src)->len;
+	    while (len > 0) {
+		if (*buf != 0) {
+		    if (*buf & 0x80 && integerType == siUnsignedInteger) {
+			len++; /* leading zero needed to make number signed */
+		    }
+		    break; /* reached beginning of number */
+		}
+		if (len == 1) {
+		    break; /* the number 0 */
+		}
+		if (buf[1] & 0x80) {
+		    break; /* leading zero already present */
+		} 
+		/* extraneous leading zero, keep going */
+		buf++;
+		len--;
+	    }
+	}
+	break;
+
+      default:
+	len = ((SECItem *)src)->len;
+	if (may_stream && len == 0 && !ignoresubstream)
+	    len = 1;	/* if we're streaming, we may have a secitem w/len 0 as placeholder */
+	break;
+    }
+
+    if ((len == 0 && optional) || underlying_kind == SEC_ASN1_ANY)
+	*noheaderp = PR_TRUE;
+    else 
+	*noheaderp = PR_FALSE;
+
+    return len;
+}
+
+
+static void
+sec_asn1e_write_header (sec_asn1e_state *state)
+{
+    unsigned long contents_length;
+    unsigned char tag_number, tag_modifiers;
+    PRBool noheader;
+
+    PORT_Assert (state->place == beforeHeader);
+
+    tag_number = state->tag_number;
+    tag_modifiers = state->tag_modifiers;
+
+    if (state->underlying_kind == SEC_ASN1_ANY) {
+	state->place = duringContents;
+	return;
+    }
+
+    if( state->underlying_kind & SEC_ASN1_CHOICE ) {
+      int indx = sec_asn1e_which_choice(state->src, state->theTemplate);
+      if( 0 == indx ) {
+        /* XXX set an error? "choice not found" */
+        state->top->status = encodeError;
+        return;
+      }
+
+      state->place = afterChoice;
+      state = sec_asn1e_push_state(state->top, &state->theTemplate[indx],
+                                   state->src, PR_TRUE);
+
+      if( (sec_asn1e_state *)NULL != state ) {
+        /*
+         * Do the "before" field notification.
+         */
+        sec_asn1e_notify_before (state->top, state->src, state->depth);
+        state = sec_asn1e_init_state_based_on_template (state);
+      }
+      
+      return;
+    }
+
+    /*
+     * We are doing a definite-length encoding.  First we have to
+     * walk the data structure to calculate the entire contents length.
+     */
+    contents_length = sec_asn1e_contents_length (state->theTemplate,
+						 state->src, 
+                                                 state->ignore_stream,
+                                                 &noheader);
+    /*
+     * We might be told explicitly not to put out a header.
+     * But it can also be the case, via a pushed subtemplate, that
+     * sec_asn1e_contents_length could not know that this field is
+     * really optional.  So check for that explicitly, too.
+     */
+    if (noheader || (contents_length == 0 && state->optional)) {
+	state->place = afterContents;
+	if (state->top->streaming && state->may_stream && state->top->from_buf)
+	    /* we did not find an optional indefinite string, so we don't encode it.
+	     * However, if TakeFromBuf is on, we stop here anyway to give our caller
+	     * a chance to intercept at the same point where we would stop if the
+	     * field were present. */
+	    state->top->status = needBytes;
+	return;
+    }
+
+    if (state->top->streaming && state->may_stream
+			      && (state->top->from_buf || !state->is_string)) {
+	/*
+	 * We need to put out an indefinite-length encoding.
+	 */
+	state->indefinite = PR_TRUE;
+	/*
+	 * The only universal types that can be constructed are SETs,
+	 * SEQUENCEs, and strings; so check that it is one of those,
+	 * or that it is not universal (e.g. context-specific).
+	 */
+	PORT_Assert ((tag_number == SEC_ASN1_SET)
+		     || (tag_number == SEC_ASN1_SEQUENCE)
+		     || ((tag_modifiers & SEC_ASN1_CLASS_MASK) != 0)
+		     || state->is_string);
+	tag_modifiers |= SEC_ASN1_CONSTRUCTED;
+	contents_length = 0;
+    }
+
+    sec_asn1e_write_identifier_bytes (state, tag_number | tag_modifiers);
+    sec_asn1e_write_length_bytes (state, contents_length, state->indefinite);
+
+    if (contents_length == 0 && !state->indefinite) {
+	/*
+	 * If no real contents to encode, then we are done with this field.
+	 */
+	state->place = afterContents;
+	return;
+    }
+
+    /*
+     * An EXPLICIT is nothing but an outer header, which we have already
+     * written.  Now we need to do the inner header and contents.
+     */
+    if (state->explicit) {
+	state->place = afterContents;
+	state = sec_asn1e_push_state (state->top,
+				      SEC_ASN1GetSubtemplate(state->theTemplate,
+							     state->src,
+							     PR_TRUE),
+				      state->src, PR_TRUE);
+	if (state != NULL)
+	    state = sec_asn1e_init_state_based_on_template (state);
+	return;
+    }
+
+    switch (state->underlying_kind) {
+      case SEC_ASN1_SET_OF:
+      case SEC_ASN1_SEQUENCE_OF:
+	/*
+	 * We need to push a child to handle each member.
+	 */
+	{
+	    void **group;
+	    const SEC_ASN1Template *subt;
+
+	    group = *(void ***)state->src;
+	    if (group == NULL || *group == NULL) {
+		/*
+		 * Group is empty; we are done.
+		 */
+		state->place = afterContents;
+		return;
+	    }
+	    state->place = duringGroup;
+	    subt = SEC_ASN1GetSubtemplate (state->theTemplate, state->src,
+					   PR_TRUE);
+	    state = sec_asn1e_push_state (state->top, subt, *group, PR_TRUE);
+	    if (state != NULL)
+		state = sec_asn1e_init_state_based_on_template (state);
+	}
+	break;
+
+      case SEC_ASN1_SEQUENCE:
+      case SEC_ASN1_SET:
+	/*
+	 * We need to push a child to handle the individual fields.
+	 */
+	state->place = duringSequence;
+	state = sec_asn1e_push_state (state->top, state->theTemplate + 1,
+				      state->src, PR_TRUE);
+	if (state != NULL) {
+	    /*
+	     * Do the "before" field notification.
+	     */
+	    sec_asn1e_notify_before (state->top, state->src, state->depth);
+	    state = sec_asn1e_init_state_based_on_template (state);
+	}
+	break;
+
+      default:
+	/*
+	 * I think we do not need to do anything else.
+	 * XXX Correct?
+	 */
+	state->place = duringContents;
+	break;
+    }
+}
+
+
+static void
+sec_asn1e_write_contents (sec_asn1e_state *state,
+			  const char *buf, unsigned long len)
+{
+    PORT_Assert (state->place == duringContents);
+
+    if (state->top->from_buf) {
+	/*
+	 * Probably they just turned on "take from buf", but have not
+	 * yet given us any bytes.  If there is nothing in the buffer
+	 * then we have nothing to do but return and wait.
+	 */
+	if (buf == NULL || len == 0) {
+	    state->top->status = needBytes;
+	    return;
+	}
+	/*
+	 * We are streaming, reading from a passed-in buffer.
+	 * This means we are encoding a simple string or an ANY.
+	 * For the former, we need to put out a substring, with its
+	 * own identifier and length.  For an ANY, we just write it
+	 * out as is (our caller is required to ensure that it
+	 * is a properly encoded entity).
+	 */
+	PORT_Assert (state->is_string);		/* includes ANY */
+	if (state->underlying_kind != SEC_ASN1_ANY) {
+	    unsigned char identifier;
+
+	    /*
+	     * Create the identifier based on underlying_kind.  We cannot
+	     * use tag_number and tag_modifiers because this can be an
+	     * implicitly encoded field.  In that case, the underlying
+	     * substrings *are* encoded with their real tag.
+	     */
+	    identifier = state->underlying_kind & SEC_ASN1_TAG_MASK;
+	    /*
+	     * The underlying kind should just be a simple string; there
+	     * should be no bits like CONTEXT_SPECIFIC or CONSTRUCTED set.
+	     */
+	    PORT_Assert ((identifier & SEC_ASN1_TAGNUM_MASK) == identifier);
+	    /*
+	     * Write out the tag and length for the substring.
+	     */
+	    sec_asn1e_write_identifier_bytes (state, identifier);
+	    if (state->underlying_kind == SEC_ASN1_BIT_STRING) {
+		char byte;
+		/*
+		 * Assume we have a length in bytes but we need to output
+		 * a proper bit string.  This interface only works for bit
+		 * strings that are full multiples of 8.  If support for
+		 * real, variable length bit strings is needed then the
+		 * caller will have to know to pass in a bit length instead
+		 * of a byte length and then this code will have to
+		 * perform the encoding necessary (length written is length
+		 * in bytes plus 1, and the first octet of string is the
+		 * number of bits remaining between the end of the bit
+		 * string and the next byte boundary).
+		 */
+		sec_asn1e_write_length_bytes (state, len + 1, PR_FALSE);
+		byte = 0;
+		sec_asn1e_write_contents_bytes (state, &byte, 1);
+	    } else {
+		sec_asn1e_write_length_bytes (state, len, PR_FALSE);
+	    }
+	}
+	sec_asn1e_write_contents_bytes (state, buf, len);
+	state->top->status = needBytes;
+    } else {
+	switch (state->underlying_kind) {
+	  case SEC_ASN1_SET:
+	  case SEC_ASN1_SEQUENCE:
+	    PORT_Assert (0);
+	    break;
+
+	  case SEC_ASN1_BIT_STRING:
+	    {
+		SECItem *item;
+		char rem;
+
+		item = (SECItem *)state->src;
+		len = (item->len + 7) >> 3;
+		rem = (len << 3) - item->len;	/* remaining bits */
+		sec_asn1e_write_contents_bytes (state, &rem, 1);
+		sec_asn1e_write_contents_bytes (state, (char *) item->data,
+						len);
+	    }
+	    break;
+
+	  case SEC_ASN1_BMP_STRING:
+	    /* The number of bytes must be divisable by 2 */
+	    if ((((SECItem *)state->src)->len) % 2) {
+		SEC_ASN1EncoderContext *cx;
+
+		cx = state->top;
+		cx->status = encodeError;
+		break;
+	    }
+	    /* otherwise, fall through to write the content */
+	    goto process_string;
+
+	  case SEC_ASN1_UNIVERSAL_STRING:
+	    /* The number of bytes must be divisable by 4 */
+	    if ((((SECItem *)state->src)->len) % 4) {
+		SEC_ASN1EncoderContext *cx;
+
+		cx = state->top;
+		cx->status = encodeError;
+		break;
+	    }
+	    /* otherwise, fall through to write the content */
+	    goto process_string;
+
+	  case SEC_ASN1_INTEGER:
+	   /* ASN.1 INTEGERs are signed.  If the source is an unsigned
+	    * integer, the encoder will need to handle the conversion here.
+	    */
+	    {
+		unsigned int blen;
+		unsigned char *buf;
+		SECItemType integerType;
+		blen = ((SECItem *)state->src)->len;
+		buf = ((SECItem *)state->src)->data;
+		integerType = ((SECItem *)state->src)->type;
+		while (blen > 0) {
+		    if (*buf & 0x80 && integerType == siUnsignedInteger) {
+			char zero = 0; /* write a leading 0 */
+			sec_asn1e_write_contents_bytes(state, &zero, 1);
+			/* and then the remaining buffer */
+			sec_asn1e_write_contents_bytes(state, 
+			                               (char *)buf, blen); 
+			break;
+		    } 
+		    /* Check three possibilities:
+		     * 1.  No leading zeros, msb of MSB is not 1;
+		     * 2.  The number is zero itself;
+		     * 3.  Encoding a signed integer with a leading zero,
+		     *     keep the zero so that the number is positive.
+		     */
+		    if (*buf != 0 || 
+		         blen == 1 || 
+		         (buf[1] & 0x80 && integerType != siUnsignedInteger) ) 
+		    {
+			sec_asn1e_write_contents_bytes(state, 
+			                               (char *)buf, blen); 
+			break;
+		    }
+		    /* byte is 0, continue */
+		    buf++;
+		    blen--;
+		}
+	    }
+	    /* done with this content */
+	    break;
+			
+process_string:			
+	  default:
+	    {
+		SECItem *item;
+
+		item = (SECItem *)state->src;
+		sec_asn1e_write_contents_bytes (state, (char *) item->data,
+						item->len);
+	    }
+	    break;
+	}
+	state->place = afterContents;
+    }
+}
+
+
+/*
+ * We are doing a SET OF or SEQUENCE OF, and have just finished an item.
+ */
+static void
+sec_asn1e_next_in_group (sec_asn1e_state *state)
+{
+    sec_asn1e_state *child;
+    void **group;
+    void *member;
+
+    PORT_Assert (state->place == duringGroup);
+    PORT_Assert (state->child != NULL);
+
+    child = state->child;
+
+    group = *(void ***)state->src;
+
+    /*
+     * Find placement of current item.
+     */
+    member = (char *)(state->child->src) - child->theTemplate->offset;
+    while (*group != member)
+	group++;
+
+    /*
+     * Move forward to next item.
+     */
+    group++;
+    if (*group == NULL) {
+	/*
+	 * That was our last one; we are done now.
+	 */
+	child->place = notInUse;
+	state->place = afterContents;
+	return;
+    }
+    child->src = (char *)(*group) + child->theTemplate->offset;
+
+    /*
+     * Re-"push" child.
+     */
+    sec_asn1e_scrub_state (child);
+    state->top->current = child;
+}
+
+
+/*
+ * We are moving along through a sequence; move forward by one,
+ * (detecting end-of-sequence when it happens).
+ */
+static void
+sec_asn1e_next_in_sequence (sec_asn1e_state *state)
+{
+    sec_asn1e_state *child;
+
+    PORT_Assert (state->place == duringSequence);
+    PORT_Assert (state->child != NULL);
+
+    child = state->child;
+
+    /*
+     * Do the "after" field notification.
+     */
+    sec_asn1e_notify_after (state->top, child->src, child->depth);
+
+    /*
+     * Move forward.
+     */
+    child->theTemplate++;
+    if (child->theTemplate->kind == 0) {
+	/*
+	 * We are done with this sequence.
+	 */
+	child->place = notInUse;
+	state->place = afterContents;
+	return;
+    }
+
+    /*
+     * Reset state and push.
+     */
+
+    child->src = (char *)state->src + child->theTemplate->offset;
+
+    /*
+     * Do the "before" field notification.
+     */
+    sec_asn1e_notify_before (state->top, child->src, child->depth);
+
+    state->top->current = child;
+    (void) sec_asn1e_init_state_based_on_template (child);
+}
+
+
+static void
+sec_asn1e_after_contents (sec_asn1e_state *state)
+{
+    PORT_Assert (state->place == afterContents);
+
+    if (state->indefinite)
+	sec_asn1e_write_end_of_contents_bytes (state);
+
+    /*
+     * Just make my parent be the current state.  It will then clean
+     * up after me and free me (or reuse me).
+     */
+    state->top->current = state->parent;
+}
+
+
+/*
+ * This function is called whether or not we are streaming; if we
+ * *are* streaming, our caller can also instruct us to take bytes
+ * from the passed-in buffer (at buf, for length len, which is likely
+ * bytes but could even mean bits if the current field is a bit string).
+ * If we have been so instructed, we will gobble up bytes from there
+ * (rather than from our src structure) and output them, and then
+ * we will just return, expecting to be called again -- either with
+ * more bytes or after our caller has instructed us that we are done
+ * (for now) with the buffer.
+ */
+SECStatus
+SEC_ASN1EncoderUpdate (SEC_ASN1EncoderContext *cx,
+		       const char *buf, unsigned long len)
+{
+    sec_asn1e_state *state;
+
+    if (cx->status == needBytes) {
+	PORT_Assert (buf != NULL && len != 0);
+	cx->status = keepGoing;
+    }
+
+    while (cx->status == keepGoing) {
+	state = cx->current;
+	switch (state->place) {
+	  case beforeHeader:
+	    sec_asn1e_write_header (state);
+	    break;
+	  case duringContents:
+	    sec_asn1e_write_contents (state, buf, len);
+	    break;
+	  case duringGroup:
+	    sec_asn1e_next_in_group (state);
+	    break;
+	  case duringSequence:
+	    sec_asn1e_next_in_sequence (state);
+	    break;
+	  case afterContents:
+	    sec_asn1e_after_contents (state);
+	    break;
+	  case afterImplicit:
+	  case afterInline:
+	  case afterPointer:
+	  case afterChoice:
+	    /*
+	     * These states are more documentation than anything.
+	     * They just need to force a pop.
+	     */
+	    PORT_Assert (!state->indefinite);
+	    state->place = afterContents;
+	    break;
+	  case notInUse:
+	  default:
+	    /* This is not an error, but rather a plain old BUG! */
+	    PORT_Assert (0);
+	    cx->status = encodeError;
+	    break;
+	}
+
+	if (cx->status == encodeError)
+	    break;
+
+	/* It might have changed, so we have to update our local copy.  */
+	state = cx->current;
+
+	/* If it is NULL, we have popped all the way to the top.  */
+	if (state == NULL) {
+	    cx->status = allDone;
+	    break;
+	}
+    }
+
+    if (cx->status == encodeError) {
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+
+void
+SEC_ASN1EncoderFinish (SEC_ASN1EncoderContext *cx)
+{
+    /*
+     * XXX anything else that needs to be finished?
+     */
+
+    PORT_FreeArena (cx->our_pool, PR_FALSE);
+}
+
+
+SEC_ASN1EncoderContext *
+SEC_ASN1EncoderStart (void *src, const SEC_ASN1Template *theTemplate,
+		      SEC_ASN1WriteProc output_proc, void *output_arg)
+{
+    PRArenaPool *our_pool;
+    SEC_ASN1EncoderContext *cx;
+
+    our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if (our_pool == NULL)
+	return NULL;
+
+    cx = (SEC_ASN1EncoderContext*)PORT_ArenaZAlloc (our_pool, sizeof(*cx));
+    if (cx == NULL) {
+	PORT_FreeArena (our_pool, PR_FALSE);
+	return NULL;
+    }
+
+    cx->our_pool = our_pool;
+    cx->output_proc = output_proc;
+    cx->output_arg = output_arg;
+
+    cx->status = keepGoing;
+
+    if (sec_asn1e_push_state(cx, theTemplate, src, PR_FALSE) == NULL
+	|| sec_asn1e_init_state_based_on_template (cx->current) == NULL) {
+	/*
+	 * Trouble initializing (probably due to failed allocations)
+	 * requires that we just give up.
+	 */
+	PORT_FreeArena (our_pool, PR_FALSE);
+	return NULL;
+    }
+
+    return cx;
+}
+
+
+/*
+ * XXX Do we need a FilterProc, too?
+ */
+
+
+void
+SEC_ASN1EncoderSetNotifyProc (SEC_ASN1EncoderContext *cx,
+			      SEC_ASN1NotifyProc fn, void *arg)
+{
+    cx->notify_proc = fn;
+    cx->notify_arg = arg;
+}
+
+
+void
+SEC_ASN1EncoderClearNotifyProc (SEC_ASN1EncoderContext *cx)
+{
+    cx->notify_proc = NULL;
+    cx->notify_arg = NULL;	/* not necessary; just being clean */
+}
+
+
+void
+SEC_ASN1EncoderSetStreaming (SEC_ASN1EncoderContext *cx)
+{
+    /* XXX is there a way to check that we are "between" fields here? */
+
+    cx->streaming = PR_TRUE;
+}
+
+
+void
+SEC_ASN1EncoderClearStreaming (SEC_ASN1EncoderContext *cx)
+{
+    /* XXX is there a way to check that we are "between" fields here? */
+
+    cx->streaming = PR_FALSE;
+}
+
+
+void
+SEC_ASN1EncoderSetTakeFromBuf (SEC_ASN1EncoderContext *cx)
+{
+    /* 
+     * XXX is there a way to check that we are "between" fields here?  this
+     * needs to include a check for being in between groups of items in
+     * a SET_OF or SEQUENCE_OF.
+     */
+    PORT_Assert (cx->streaming);
+
+    cx->from_buf = PR_TRUE;
+}
+
+
+void
+SEC_ASN1EncoderClearTakeFromBuf (SEC_ASN1EncoderContext *cx)
+{
+    /* we should actually be taking from buf *now* */
+    PORT_Assert (cx->from_buf);
+    if (! cx->from_buf)		/* if not, just do nothing */
+	return;
+
+    cx->from_buf = PR_FALSE;
+
+    if (cx->status == needBytes) {
+	cx->status = keepGoing;
+	cx->current->place = afterContents;
+    }
+}
+
+
+SECStatus
+SEC_ASN1Encode (void *src, const SEC_ASN1Template *theTemplate,
+		SEC_ASN1WriteProc output_proc, void *output_arg)
+{
+    SEC_ASN1EncoderContext *ecx;
+    SECStatus rv;
+
+    ecx = SEC_ASN1EncoderStart (src, theTemplate, output_proc, output_arg);
+    if (ecx == NULL)
+	return SECFailure;
+
+    rv = SEC_ASN1EncoderUpdate (ecx, NULL, 0);
+
+    SEC_ASN1EncoderFinish (ecx);
+    return rv;
+}
+
+
+/*
+ * XXX depth and data_kind are unused; is there a PC way to silence warnings?
+ * (I mean "politically correct", not anything to do with intel/win platform) 
+ */
+static void
+sec_asn1e_encode_item_count (void *arg, const char *buf, unsigned long len,
+			     int depth, SEC_ASN1EncodingPart data_kind)
+{
+    unsigned long *count;
+
+    count = (unsigned long*)arg;
+    PORT_Assert (count != NULL);
+
+    *count += len;
+}
+
+
+/* XXX depth and data_kind are unused; is there a PC way to silence warnings? */
+static void
+sec_asn1e_encode_item_store (void *arg, const char *buf, unsigned long len,
+			     int depth, SEC_ASN1EncodingPart data_kind)
+{
+    SECItem *dest;
+
+    dest = (SECItem*)arg;
+    PORT_Assert (dest != NULL);
+
+    PORT_Memcpy (dest->data + dest->len, buf, len);
+    dest->len += len;
+}
+
+
+/*
+ * Allocate an entire SECItem, or just the data part of it, to hold
+ * "len" bytes of stuff.  Allocate from the given pool, if specified,
+ * otherwise just do a vanilla PORT_Alloc.
+ *
+ * XXX This seems like a reasonable general-purpose function (for SECITEM_)?
+ */
+static SECItem *
+sec_asn1e_allocate_item (PRArenaPool *poolp, SECItem *dest, unsigned long len)
+{
+    if (poolp != NULL) {
+	void *release;
+
+	release = PORT_ArenaMark (poolp);
+	if (dest == NULL)
+	    dest = (SECItem*)PORT_ArenaAlloc (poolp, sizeof(SECItem));
+	if (dest != NULL) {
+	    dest->data = (unsigned char*)PORT_ArenaAlloc (poolp, len);
+	    if (dest->data == NULL) {
+		dest = NULL;
+	    }
+	}
+	if (dest == NULL) {
+	    /* one or both allocations failed; release everything */
+	    PORT_ArenaRelease (poolp, release);
+	} else {
+	    /* everything okay; unmark the arena */
+	    PORT_ArenaUnmark (poolp, release);
+	}
+    } else {
+	SECItem *indest;
+
+	indest = dest;
+	if (dest == NULL)
+	    dest = (SECItem*)PORT_Alloc (sizeof(SECItem));
+	if (dest != NULL) {
+	    dest->data = (unsigned char*)PORT_Alloc (len);
+	    if (dest->data == NULL) {
+		if (indest == NULL)
+		    PORT_Free (dest);
+		dest = NULL;
+	    }
+	}
+    }
+
+    return dest;
+}
+
+
+SECItem *
+SEC_ASN1EncodeItem (PRArenaPool *poolp, SECItem *dest, void *src,
+		    const SEC_ASN1Template *theTemplate)
+{
+    unsigned long encoding_length;
+    SECStatus rv;
+
+    PORT_Assert (dest == NULL || dest->data == NULL);
+
+    encoding_length = 0;
+    rv = SEC_ASN1Encode (src, theTemplate,
+			 sec_asn1e_encode_item_count, &encoding_length);
+    if (rv != SECSuccess)
+	return NULL;
+
+    dest = sec_asn1e_allocate_item (poolp, dest, encoding_length);
+    if (dest == NULL)
+	return NULL;
+
+    /* XXX necessary?  This really just checks for a bug in the allocate fn */
+    PORT_Assert (dest->data != NULL);
+    if (dest->data == NULL)
+	return NULL;
+
+    dest->len = 0;
+    (void) SEC_ASN1Encode (src, theTemplate, sec_asn1e_encode_item_store, dest);
+
+    PORT_Assert (encoding_length == dest->len);
+    return dest;
+}
+
+
+static SECItem *
+sec_asn1e_integer(PRArenaPool *poolp, SECItem *dest, unsigned long value,
+		  PRBool make_unsigned)
+{
+    unsigned long copy;
+    unsigned char sign;
+    int len = 0;
+
+    /*
+     * Determine the length of the encoded value (minimum of 1).
+     */
+    copy = value;
+    do {
+	len++;
+	sign = copy & 0x80;
+	copy >>= 8;
+    } while (copy);
+
+    /*
+     * If this is an unsigned encoding, and the high bit of the last
+     * byte we counted was set, we need to add one to the length so
+     * we put a high-order zero byte in the encoding.
+     */
+    if (sign && make_unsigned)
+	len++;
+
+    /*
+     * Allocate the item (if necessary) and the data pointer within.
+     */
+    dest = sec_asn1e_allocate_item (poolp, dest, len);
+    if (dest == NULL)
+	return NULL;
+
+    /*
+     * Store the value, byte by byte, in the item.
+     */
+    dest->len = len;
+    while (len) {
+	dest->data[--len] = value;
+	value >>= 8;
+    }
+    PORT_Assert (value == 0);
+
+    return dest;
+}
+
+
+SECItem *
+SEC_ASN1EncodeInteger(PRArenaPool *poolp, SECItem *dest, long value)
+{
+    return sec_asn1e_integer (poolp, dest, (unsigned long) value, PR_FALSE);
+}
+
+
+extern SECItem *
+SEC_ASN1EncodeUnsignedInteger(PRArenaPool *poolp,
+			      SECItem *dest, unsigned long value)
+{
+    return sec_asn1e_integer (poolp, dest, value, PR_TRUE);
+}
diff --git a/security/nss/lib/util/secasn1t.h b/security/nss/lib/util/secasn1t.h
new file mode 100644
index 000000000..cb56a0bd7
--- /dev/null
+++ b/security/nss/lib/util/secasn1t.h
@@ -0,0 +1,287 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Types for encoding/decoding of ASN.1 using BER/DER (Basic/Distinguished
+ * Encoding Rules).
+ *
+ * $Id$
+ */
+
+#ifndef _SECASN1T_H_
+#define _SECASN1T_H_
+
+/*
+** An array of these structures defines a BER/DER encoding for an object.
+**
+** The array usually starts with a dummy entry whose kind is SEC_ASN1_SEQUENCE;
+** such an array is terminated with an entry where kind == 0.  (An array
+** which consists of a single component does not require a second dummy
+** entry -- the array is only searched as long as previous component(s)
+** instruct it.)
+*/
+typedef struct sec_ASN1Template_struct {
+    /*
+    ** Kind of item being decoded/encoded, including tags and modifiers.
+    */
+    unsigned long kind;
+
+    /*
+    ** The value is the offset from the base of the structure to the
+    ** field that holds the value being decoded/encoded.
+    */
+    unsigned long offset;
+
+    /*
+    ** When kind suggests it (SEC_ASN1_POINTER, SEC_ASN1_GROUP, SEC_ASN1_INLINE,
+    ** or a component that is *not* a SEC_ASN1_UNIVERSAL), this points to
+    ** a sub-template for nested encoding/decoding,
+    ** OR, iff SEC_ASN1_DYNAMIC is set, then this is a pointer to a pointer
+    ** to a function which will return the appropriate template when called
+    ** at runtime.  NOTE! that explicit level of indirection, which is
+    ** necessary because ANSI does not allow you to store a function
+    ** pointer directly as a "void *" so we must store it separately and
+    ** dereference it to get at the function pointer itself.
+    */
+    const void *sub;
+
+    /*
+    ** In the first element of a template array, the value is the size
+    ** of the structure to allocate when this template is being referenced
+    ** by another template via SEC_ASN1_POINTER or SEC_ASN1_GROUP.
+    ** In all other cases, the value is ignored.
+    */
+    unsigned int size;
+} SEC_ASN1Template;
+
+
+/* default size used for allocation of encoding/decoding stuff */
+/* XXX what is the best value here? */
+#define SEC_ASN1_DEFAULT_ARENA_SIZE	(2048)
+
+/*
+** BER/DER values for ASN.1 identifier octets.
+*/
+#define SEC_ASN1_TAG_MASK		0xff
+
+/*
+ * BER/DER universal type tag numbers.
+ * The values are defined by the X.208 standard; do not change them!
+ * NOTE: if you add anything to this list, you must add code to secasn1d.c
+ * to accept the tag, and probably also to secasn1e.c to encode it.
+ * XXX It appears some have been added recently without being added to
+ * the code; so need to go through the list now and double-check them all.
+ * (Look especially at those added in revision 1.10.)
+ */
+#define SEC_ASN1_TAGNUM_MASK		0x1f
+#define SEC_ASN1_BOOLEAN		0x01
+#define SEC_ASN1_INTEGER		0x02
+#define SEC_ASN1_BIT_STRING		0x03
+#define SEC_ASN1_OCTET_STRING		0x04
+#define SEC_ASN1_NULL			0x05
+#define SEC_ASN1_OBJECT_ID		0x06
+#define SEC_ASN1_OBJECT_DESCRIPTOR      0x07
+/* External type and instance-of type   0x08 */
+#define SEC_ASN1_REAL                   0x09
+#define SEC_ASN1_ENUMERATED		0x0a
+#define SEC_ASN1_EMBEDDED_PDV           0x0b
+#define SEC_ASN1_UTF8_STRING		0x0c
+#define SEC_ASN1_SEQUENCE		0x10
+#define SEC_ASN1_SET			0x11
+#define SEC_ASN1_NUMERIC_STRING         0x12
+#define SEC_ASN1_PRINTABLE_STRING	0x13
+#define SEC_ASN1_T61_STRING		0x14
+#define SEC_ASN1_TELETEX_STRING SEC_ASN1_T61_STRING
+#define SEC_ASN1_VIDEOTEX_STRING        0x15
+#define SEC_ASN1_IA5_STRING		0x16
+#define SEC_ASN1_UTC_TIME		0x17
+#define SEC_ASN1_GENERALIZED_TIME	0x18
+#define SEC_ASN1_GRAPHIC_STRING         0x19
+#define SEC_ASN1_VISIBLE_STRING		0x1a
+#define SEC_ASN1_GENERAL_STRING         0x1b
+#define SEC_ASN1_UNIVERSAL_STRING	0x1c
+/*                                      0x1d */
+#define SEC_ASN1_BMP_STRING		0x1e
+#define SEC_ASN1_HIGH_TAG_NUMBER	0x1f
+
+/*
+** Modifiers to type tags.  These are also specified by a/the
+** standard, and must not be changed.
+*/
+
+#define SEC_ASN1_METHOD_MASK		0x20
+#define SEC_ASN1_PRIMITIVE		0x00
+#define SEC_ASN1_CONSTRUCTED		0x20
+
+#define SEC_ASN1_CLASS_MASK		0xc0
+#define SEC_ASN1_UNIVERSAL		0x00
+#define SEC_ASN1_APPLICATION		0x40
+#define SEC_ASN1_CONTEXT_SPECIFIC	0x80
+#define SEC_ASN1_PRIVATE		0xc0
+
+/*
+** Our additions, used for templates.
+** These are not defined by any standard; the values are used internally only.
+** Just be careful to keep them out of the low 8 bits.
+** XXX finish comments
+*/
+#define SEC_ASN1_OPTIONAL	0x00100
+#define SEC_ASN1_EXPLICIT	0x00200
+#define SEC_ASN1_ANY		0x00400
+#define SEC_ASN1_INLINE		0x00800
+#define SEC_ASN1_POINTER	0x01000
+#define SEC_ASN1_GROUP		0x02000	/* with SET or SEQUENCE means
+					 * SET OF or SEQUENCE OF */
+#define SEC_ASN1_DYNAMIC	0x04000 /* subtemplate is found by calling
+					 * a function at runtime */
+#define SEC_ASN1_SKIP		0x08000 /* skip a field; only for decoding */
+#define SEC_ASN1_INNER		0x10000	/* with ANY means capture the
+					 * contents only (not the id, len,
+					 * or eoc); only for decoding */
+#define SEC_ASN1_SAVE		0x20000 /* stash away the encoded bytes first;
+					 * only for decoding */
+#define SEC_ASN1_MAY_STREAM	0x40000	/* field or one of its sub-fields may
+					 * stream in and so should encode as
+					 * indefinite-length when streaming
+					 * has been indicated; only for
+					 * encoding */
+#define SEC_ASN1_SKIP_REST	0x80000	/* skip all following fields;
+					   only for decoding */
+#define SEC_ASN1_CHOICE        0x100000 /* pick one from a template */
+#define SEC_ASN1_NO_STREAM     0X200000 /* This entry will not stream
+                                           even if the sub-template says
+                                           streaming is possible.  Helps
+                                           to solve ambiguities with potential
+                                           streaming entries that are 
+                                           optional */
+                                          
+
+/* Shorthand/Aliases */
+#define SEC_ASN1_SEQUENCE_OF	(SEC_ASN1_GROUP | SEC_ASN1_SEQUENCE)
+#define SEC_ASN1_SET_OF		(SEC_ASN1_GROUP | SEC_ASN1_SET)
+#define SEC_ASN1_ANY_CONTENTS	(SEC_ASN1_ANY | SEC_ASN1_INNER)
+
+
+/*
+** Function used for SEC_ASN1_DYNAMIC.
+** "arg" is a pointer to the structure being encoded/decoded
+** "enc", when true, means that we are encoding (false means decoding)
+*/
+typedef const SEC_ASN1Template * SEC_ASN1TemplateChooser(void *arg, PRBool enc);
+typedef SEC_ASN1TemplateChooser * SEC_ASN1TemplateChooserPtr;
+
+#if defined(_WIN32)
+#define SEC_ASN1_GET(x)        NSS_Get_##x(NULL, PR_FALSE)
+#define SEC_ASN1_SUB(x)        &p_NSS_Get_##x
+#define SEC_ASN1_XTRN          SEC_ASN1_DYNAMIC
+#define SEC_ASN1_MKSUB(x) \
+static const SEC_ASN1TemplateChooserPtr p_NSS_Get_##x = &NSS_Get_##x;
+#else
+#define SEC_ASN1_GET(x)        x
+#define SEC_ASN1_SUB(x)        x
+#define SEC_ASN1_XTRN          0
+#define SEC_ASN1_MKSUB(x) 
+#endif
+
+#define SEC_ASN1_CHOOSER_DECLARE(x) \
+extern const SEC_ASN1Template * NSS_Get_##x (void *arg, PRBool enc);
+
+#define SEC_ASN1_CHOOSER_IMPLEMENT(x) \
+const SEC_ASN1Template * NSS_Get_##x(void * arg, PRBool enc) \
+{ return x; }
+
+/*
+** Opaque object used by the decoder to store state.
+*/
+typedef struct sec_DecoderContext_struct SEC_ASN1DecoderContext;
+
+/*
+** Opaque object used by the encoder to store state.
+*/
+typedef struct sec_EncoderContext_struct SEC_ASN1EncoderContext;
+
+/*
+ * This is used to describe to a filter function the bytes that are
+ * being passed to it.  This is only useful when the filter is an "outer"
+ * one, meaning it expects to get *all* of the bytes not just the
+ * contents octets.
+ */
+typedef enum {
+    SEC_ASN1_Identifier = 0,
+    SEC_ASN1_Length = 1,
+    SEC_ASN1_Contents = 2,
+    SEC_ASN1_EndOfContents = 3
+} SEC_ASN1EncodingPart;
+
+/*
+ * Type of the function pointer used either for decoding or encoding,
+ * when doing anything "funny" (e.g. manipulating the data stream)
+ */ 
+typedef void (* SEC_ASN1NotifyProc)(void *arg, PRBool before,
+				    void *dest, int real_depth);
+
+/*
+ * Type of the function pointer used for grabbing encoded bytes.
+ * This can be used during either encoding or decoding, as follows...
+ *
+ * When decoding, this can be used to filter the encoded bytes as they
+ * are parsed.  This is what you would do if you wanted to process the data
+ * along the way (like to decrypt it, or to perform a hash on it in order
+ * to do a signature check later).  See SEC_ASN1DecoderSetFilterProc().
+ * When processing only part of the encoded bytes is desired, you "watch"
+ * for the field(s) you are interested in with a "notify proc" (see
+ * SEC_ASN1DecoderSetNotifyProc()) and for even finer granularity (e.g. to
+ * ignore all by the contents bytes) you pay attention to the "data_kind"
+ * parameter.
+ *
+ * When encoding, this is the specification for the output function which
+ * will receive the bytes as they are encoded.  The output function can
+ * perform any postprocessing necessary (like hashing (some of) the data
+ * to create a digest that gets included at the end) as well as shoving
+ * the data off wherever it needs to go.  (In order to "tune" any processing,
+ * you can set a "notify proc" as described above in the decoding case.)
+ *
+ * The parameters:
+ * - "arg" is an opaque pointer that you provided at the same time you
+ *   specified a function of this type
+ * - "data" is a buffer of length "len", containing the encoded bytes
+ * - "depth" is how deep in a nested encoding we are (it is not usually
+ *   valuable, but can be useful sometimes so I included it)
+ * - "data_kind" tells you if these bytes are part of the ASN.1 encoded
+ *   octets for identifier, length, contents, or end-of-contents
+ */ 
+typedef void (* SEC_ASN1WriteProc)(void *arg,
+				   const char *data, unsigned long len,
+				   int depth, SEC_ASN1EncodingPart data_kind);
+
+#endif /* _SECASN1T_H_ */
diff --git a/security/nss/lib/util/secasn1u.c b/security/nss/lib/util/secasn1u.c
new file mode 100644
index 000000000..83673ca0b
--- /dev/null
+++ b/security/nss/lib/util/secasn1u.c
@@ -0,0 +1,106 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Utility routines to complement the ASN.1 encoding and decoding functions.
+ *
+ * $Id$
+ */
+
+#include "secasn1.h"
+
+
+/*
+ * We have a length that needs to be encoded; how many bytes will the
+ * encoding take?
+ *
+ * The rules are that 0 - 0x7f takes one byte (the length itself is the
+ * entire encoding); everything else takes one plus the number of bytes
+ * in the length.
+ */
+int
+SEC_ASN1LengthLength (unsigned long len)
+{
+    int lenlen = 1;
+
+    if (len > 0x7f) {
+	do {
+	    lenlen++;
+	    len >>= 8;
+	} while (len);
+    }
+
+    return lenlen;
+}
+
+
+/*
+ * XXX Move over (and rewrite as appropriate) the rest of the
+ * stuff in dersubr.c!
+ */
+
+
+/*
+ * Find the appropriate subtemplate for the given template.
+ * This may involve calling a "chooser" function, or it may just
+ * be right there.  In either case, it is expected to *have* a
+ * subtemplate; this is asserted in debug builds (in non-debug
+ * builds, NULL will be returned).
+ *
+ * "thing" is a pointer to the structure being encoded/decoded
+ * "encoding", when true, means that we are in the process of encoding
+ *	(as opposed to in the process of decoding)
+ */
+const SEC_ASN1Template *
+SEC_ASN1GetSubtemplate (const SEC_ASN1Template *theTemplate, void *thing,
+			PRBool encoding)
+{
+    const SEC_ASN1Template *subt = NULL;
+
+    PORT_Assert (theTemplate->sub != NULL);
+    if (theTemplate->sub != NULL) {
+	if (theTemplate->kind & SEC_ASN1_DYNAMIC) {
+	    SEC_ASN1TemplateChooserPtr chooserp;
+
+	    chooserp = *(SEC_ASN1TemplateChooserPtr *) theTemplate->sub;
+	    if (chooserp) {
+		if (thing != NULL)
+		    thing = (char *)thing - theTemplate->offset;
+		subt = (* chooserp)(thing, encoding);
+	    }
+	} else {
+	    subt = (SEC_ASN1Template*)theTemplate->sub;
+	}
+    }
+    return subt;
+}
diff --git a/security/nss/lib/util/seccomon.h b/security/nss/lib/util/seccomon.h
new file mode 100644
index 000000000..f55f1311d
--- /dev/null
+++ b/security/nss/lib/util/seccomon.h
@@ -0,0 +1,110 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * seccomon.h - common data structures for security libraries
+ *
+ * This file should have lowest-common-denominator datastructures
+ * for security libraries.  It should not be dependent on any other
+ * headers, and should not require linking with any libraries.
+ *
+ * $Id$
+ */
+
+#ifndef _SECCOMMON_H_
+#define _SECCOMMON_H_
+
+#include "prtypes.h"
+
+
+#ifdef __cplusplus 
+# define SEC_BEGIN_PROTOS extern "C" {
+# define SEC_END_PROTOS }
+#else
+# define SEC_BEGIN_PROTOS
+# define SEC_END_PROTOS
+#endif
+
+#include "secport.h"
+
+typedef enum {
+    siBuffer = 0,
+    siClearDataBuffer = 1,
+    siCipherDataBuffer = 2,
+    siDERCertBuffer = 3,
+    siEncodedCertBuffer = 4,
+    siDERNameBuffer = 5,
+    siEncodedNameBuffer = 6,
+    siAsciiNameString = 7,
+    siAsciiString = 8,
+    siDEROID = 9,
+    siUnsignedInteger = 10
+} SECItemType;
+
+typedef struct SECItemStr SECItem;
+
+struct SECItemStr {
+    SECItemType type;
+    unsigned char *data;
+    unsigned int len;
+};
+
+/*
+** A status code. Status's are used by procedures that return status
+** values. Again the motivation is so that a compiler can generate
+** warnings when return values are wrong. Correct testing of status codes:
+**
+**	SECStatus rv;
+**	rv = some_function (some_argument);
+**	if (rv != SECSuccess)
+**		do_an_error_thing();
+**
+*/
+typedef enum _SECStatus {
+    SECWouldBlock = -2,
+    SECFailure = -1,
+    SECSuccess = 0
+} SECStatus;
+
+/*
+** A comparison code. Used for procedures that return comparision
+** values. Again the motivation is so that a compiler can generate
+** warnings when return values are wrong.
+*/
+typedef enum _SECComparison {
+    SECLessThan = -1,
+    SECEqual = 0,
+    SECGreaterThan = 1
+} SECComparison;
+
+#endif /* _SECCOMMON_H_ */
diff --git a/security/nss/lib/util/secder.h b/security/nss/lib/util/secder.h
new file mode 100644
index 000000000..3f957ab9c
--- /dev/null
+++ b/security/nss/lib/util/secder.h
@@ -0,0 +1,193 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _SECDER_H_
+#define _SECDER_H_
+
+/*
+ * secder.h - public data structures and prototypes for the DER encoding and
+ *	      decoding utilities library
+ *
+ * $Id$
+ */
+
+#include <time.h>
+#include "plarena.h"
+#include "prlong.h"
+
+#include "seccomon.h"
+#include "secdert.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+** Decode a piece of der encoded data.
+** 	"dest" points to a structure that will be filled in with the
+**	   decoding results.  (NOTE: it should be zeroed before calling;
+**	   optional/missing fields are not zero-filled by DER_Decode.)
+**	"t" is a template structure which defines the shape of the
+**	   expected data.
+**	"src" is the der encoded data.
+** NOTE: substructures of "dest" will be allocated as needed from
+** "arena", but data subfields will point directly into the buffer
+** passed in as src->data.  That is, the resulting "dest" structure
+** will contain pointers back into src->data, which must remain
+** active (allocated) and unmodified for as long as "dest" is active.
+** If this is a potential problem, you may want to just dup the buffer
+** (allocated from "arena", probably) and pass *that* in instead.
+*/
+extern SECStatus DER_Decode(PRArenaPool *arena, void *dest, DERTemplate *t,
+			   SECItem *src);
+
+/*
+** Encode a data structure into DER.
+**	"dest" will be filled in (and memory allocated) to hold the der
+**	   encoded structure in "src"
+**	"t" is a template structure which defines the shape of the
+**	   stored data
+**	"src" is a pointer to the structure that will be encoded
+*/
+extern SECStatus DER_Encode(PRArenaPool *arena, SECItem *dest, DERTemplate *t,
+			   void *src);
+
+extern SECStatus DER_Lengths(SECItem *item, int *header_len_p, uint32 *contents_len_p);
+
+/*
+** Lower level der subroutine that stores the standard header into "to".
+** The header is of variable length, based on encodingLen.
+** The return value is the new value of "to" after skipping over the header.
+**	"to" is where the header will be stored
+**	"code" is the der code to write
+**	"encodingLen" is the number of bytes of data that will follow
+**	   the header
+*/
+extern unsigned char *DER_StoreHeader(unsigned char *to, unsigned int code,
+				      uint32 encodingLen);
+
+/*
+** Return the number of bytes it will take to hold a der encoded length.
+*/
+extern int DER_LengthLength(uint32 len);
+
+/*
+** Store a der encoded *signed* integer (whose value is "src") into "dst".
+** XXX This should really be enhanced to take a long.
+*/
+extern SECStatus DER_SetInteger(PRArenaPool *arena, SECItem *dst, int32 src);
+
+/*
+** Store a der encoded *unsigned* integer (whose value is "src") into "dst".
+** XXX This should really be enhanced to take an unsigned long.
+*/
+extern SECStatus DER_SetUInteger(PRArenaPool *arena, SECItem *dst, uint32 src);
+
+/*
+** Decode a der encoded *signed* integer that is stored in "src".
+** If "-1" is returned, then the caller should check the error in
+** XP_GetError() to see if an overflow occurred (SEC_ERROR_BAD_DER).
+*/
+extern long DER_GetInteger(SECItem *src);
+
+/*
+** Decode a der encoded *unsigned* integer that is stored in "src".
+** If the ULONG_MAX is returned, then the caller should check the error
+** in XP_GetError() to see if an overflow occurred (SEC_ERROR_BAD_DER).
+*/
+extern unsigned long DER_GetUInteger(SECItem *src);
+
+/*
+** Convert a "UNIX" time value to a der encoded time value.
+**	"result" is the der encoded time (memory is allocated)
+**	"time" is the "UNIX" time value (Since Jan 1st, 1970).
+** The caller is responsible for freeing up the buffer which
+** result->data points to upon a successfull operation.
+*/
+extern SECStatus DER_TimeToUTCTime(SECItem *result, int64 time);
+
+/*
+** Convert an ascii encoded time value (according to DER rules) into
+** a UNIX time value.
+**	"result" the resulting "UNIX" time
+**	"string" the der notation ascii value to decode
+*/
+extern SECStatus DER_AsciiToTime(int64 *result, char *string);
+
+/*
+** Same as DER_AsciiToTime except takes an SECItem instead of a string
+*/
+extern SECStatus DER_UTCTimeToTime(int64 *result, SECItem *time);
+
+/*
+** Convert a DER encoded UTC time to an ascii time representation
+** "utctime" is the DER encoded UTC time to be converted. The
+** caller is responsible for deallocating the returned buffer.
+*/
+extern char *DER_UTCTimeToAscii(SECItem *utcTime);
+
+/*
+** Convert a DER encoded UTC time to an ascii time representation, but only
+** include the day, not the time.
+**	"utctime" is the DER encoded UTC time to be converted.
+** The caller is responsible for deallocating the returned buffer.
+*/
+extern char *DER_UTCDayToAscii(SECItem *utctime);
+
+/*
+** Convert a int64 time to a DER encoded Generalized time
+*/
+extern SECStatus DER_TimeToGeneralizedTime(SECItem *dst, int64 gmttime);
+
+/*
+** Convert a DER encoded Generalized time value into a UNIX time value.
+**	"dst" the resulting "UNIX" time
+**	"string" the der notation ascii value to decode
+*/
+extern SECStatus DER_GeneralizedTimeToTime(int64 *dst, SECItem *time);
+
+/*
+** Convert from a int64 UTC time value to a formatted ascii value. The
+** caller is responsible for deallocating the returned buffer.
+*/
+extern char *CERT_UTCTime2FormattedAscii (int64 utcTime, char *format);
+
+
+/*
+** Convert from a int64 Generalized time value to a formatted ascii value. The
+** caller is responsible for deallocating the returned buffer.
+*/
+extern char *CERT_GenTime2FormattedAscii (int64 genTime, char *format);
+
+SEC_END_PROTOS
+
+#endif /* _SECDER_H_ */
+
diff --git a/security/nss/lib/util/secdert.h b/security/nss/lib/util/secdert.h
new file mode 100644
index 000000000..86f3451cf
--- /dev/null
+++ b/security/nss/lib/util/secdert.h
@@ -0,0 +1,170 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _SECDERT_H_
+#define _SECDERT_H_
+/*
+ * secdert.h - public data structures for the DER encoding and
+ *	       decoding utilities library
+ *
+ * $Id$
+ */
+
+typedef struct DERTemplateStr DERTemplate;
+
+/*
+** An array of these structures defines an encoding for an object using DER.
+** The array usually starts with a dummy entry whose kind is DER_SEQUENCE;
+** such an array is terminated with an entry where kind == 0.  (An array
+** which consists of a single component does not require a second dummy
+** entry -- the array is only searched as long as previous component(s)
+** instruct it.)
+*/
+struct DERTemplateStr {
+    /*
+    ** Kind of item being decoded/encoded, including tags and modifiers.
+    */
+    unsigned long kind;
+
+    /*
+    ** Offset from base of structure to field that holds the value
+    ** being decoded/encoded.
+    */
+    unsigned int offset;
+
+    /*
+    ** When kind suggests it (DER_POINTER, DER_INDEFINITE, DER_INLINE),
+    ** this points to a sub-template for nested encoding/decoding.
+    */
+    DERTemplate *sub;
+
+    /*
+    ** Argument value, dependent on "kind" and/or template placement
+    ** within an array of templates:
+    **	- In the first element of a template array, the value is the
+    **	  size of the structure to allocate when this template is being
+    **	  referenced by another template via DER_POINTER or DER_INDEFINITE.
+    **  - In a component of a DER_SET or DER_SEQUENCE which is *not* a
+    **	  DER_UNIVERSAL type (that is, it has a class tag for either
+    **	  DER_APPLICATION, DER_CONTEXT_SPECIFIC, or DER_PRIVATE), the
+    **	  value is the underlying type of item being decoded/encoded.
+    */
+    unsigned long arg;
+};
+
+/************************************************************************/
+
+/* default chunksize for arenas used for DER stuff */
+#define DER_DEFAULT_CHUNKSIZE (2048)
+
+/*
+** BER/DER values for ASN.1 identifier octets.
+*/
+#define DER_TAG_MASK		0xff
+
+/*
+ * BER/DER universal type tag numbers.
+ * The values are defined by the X.208 standard; do not change them!
+ * NOTE: if you add anything to this list, you must add code to derdec.c
+ * to accept the tag, and probably also to derenc.c to encode it.
+ */
+#define DER_TAGNUM_MASK		0x1f
+#define DER_BOOLEAN		0x01
+#define DER_INTEGER		0x02
+#define DER_BIT_STRING		0x03
+#define DER_OCTET_STRING	0x04
+#define DER_NULL		0x05
+#define DER_OBJECT_ID		0x06
+#define DER_SEQUENCE		0x10
+#define DER_SET			0x11
+#define DER_PRINTABLE_STRING	0x13
+#define DER_T61_STRING		0x14
+#define DER_IA5_STRING		0x16
+#define DER_UTC_TIME		0x17
+#define DER_VISIBLE_STRING	0x1a
+#define DER_HIGH_TAG_NUMBER	0x1f
+
+/*
+** Modifiers to type tags.  These are also specified by a/the
+** standard, and must not be changed.
+*/
+
+#define DER_METHOD_MASK		0x20
+#define DER_PRIMITIVE		0x00
+#define DER_CONSTRUCTED		0x20
+
+#define DER_CLASS_MASK		0xc0
+#define DER_UNIVERSAL		0x00
+#define DER_APPLICATION		0x40
+#define DER_CONTEXT_SPECIFIC	0x80
+#define DER_PRIVATE		0xc0
+
+/*
+** Our additions, used for templates.
+** These are not defined by any standard; the values are used internally only.
+** Just be careful to keep them out of the low 8 bits.
+*/
+#define DER_OPTIONAL		0x00100
+#define DER_EXPLICIT		0x00200
+#define DER_ANY			0x00400
+#define DER_INLINE		0x00800
+#define DER_POINTER		0x01000
+#define DER_INDEFINITE		0x02000
+#define DER_DERPTR		0x04000
+#define DER_SKIP		0x08000
+#define DER_FORCE		0x10000
+#define DER_OUTER		0x40000 /* for DER_DERPTR */
+
+/*
+** Macro to convert der decoded bit string into a decoded octet
+** string. All it needs to do is fiddle with the length code.
+*/
+#define DER_ConvertBitString(item)	  \
+{					  \
+    (item)->len = ((item)->len + 7) >> 3; \
+}
+
+extern DERTemplate SECAnyTemplate[];
+extern DERTemplate SECBitStringTemplate[];
+extern DERTemplate SECBooleanTemplate[];
+extern DERTemplate SECIA5StringTemplate[];
+extern DERTemplate SECIntegerTemplate[];
+extern DERTemplate SECNullTemplate[];
+extern DERTemplate SECObjectIDTemplate[];
+extern DERTemplate SECOctetStringTemplate[];
+extern DERTemplate SECPrintableStringTemplate[];
+extern DERTemplate SECT61StringTemplate[];
+extern DERTemplate SECUTCTimeTemplate[];
+extern DERTemplate SECAlgorithmIDTemplate[];
+
+#endif /* _SECDERT_H_ */
diff --git a/security/nss/lib/util/secdig.c b/security/nss/lib/util/secdig.c
new file mode 100644
index 000000000..056068222
--- /dev/null
+++ b/security/nss/lib/util/secdig.c
@@ -0,0 +1,232 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+#include "secdig.h"
+
+#include "secoid.h"
+#include "secasn1.h" 
+#include "secerr.h"
+
+/*
+ * XXX OLD Template.  Once all uses have been switched over to new one,
+ * remove this.
+ */
+DERTemplate SGNDigestInfoTemplate[] = {
+    { DER_SEQUENCE,
+	  0, NULL, sizeof(SGNDigestInfo) },
+    { DER_INLINE,
+	  offsetof(SGNDigestInfo,digestAlgorithm),
+	  SECAlgorithmIDTemplate, },
+    { DER_OCTET_STRING,
+	  offsetof(SGNDigestInfo,digest), },
+    { 0, }
+};
+
+/* XXX See comment below about SGN_DecodeDigestInfo -- keep this static! */
+/* XXX Changed from static -- need to change name? */
+const SEC_ASN1Template sgn_DigestInfoTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(SGNDigestInfo) },
+    { SEC_ASN1_INLINE,
+	  offsetof(SGNDigestInfo,digestAlgorithm),
+	  SECOID_AlgorithmIDTemplate },
+    { SEC_ASN1_OCTET_STRING,
+	  offsetof(SGNDigestInfo,digest) },
+    { 0 }
+};
+
+SEC_ASN1_CHOOSER_IMPLEMENT(sgn_DigestInfoTemplate)
+
+/*
+ * XXX Want to have a SGN_DecodeDigestInfo, like:
+ *	SGNDigestInfo *SGN_DecodeDigestInfo(SECItem *didata);
+ * that creates a pool and allocates from it and decodes didata into
+ * the newly allocated DigestInfo structure.  Then fix secvfy.c (it
+ * will no longer need an arena itself) to call this and then call
+ * DestroyDigestInfo when it is done, then can remove the old template
+ * above and keep our new template static and "hidden".
+ */
+
+/*
+ * XXX It might be nice to combine the following two functions (create
+ * and encode).  I think that is all anybody ever wants to do anyway.
+ */
+
+SECItem *
+SGN_EncodeDigestInfo(PRArenaPool *poolp, SECItem *dest, SGNDigestInfo *diginfo)
+{
+    return SEC_ASN1EncodeItem (poolp, dest, diginfo, sgn_DigestInfoTemplate);
+}
+
+SGNDigestInfo *
+SGN_CreateDigestInfo(SECOidTag algorithm, unsigned char *sig, unsigned len)
+{
+    SGNDigestInfo *di;
+    SECStatus rv;
+    PRArenaPool *arena;
+    SECItem *null_param;
+    SECItem dummy_value;
+
+    switch (algorithm) {
+      case SEC_OID_MD2:
+      case SEC_OID_MD5:
+      case SEC_OID_SHA1:
+	break;
+      default:
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return NULL;
+    }
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == NULL) {
+	return NULL;
+    }
+
+    di = (SGNDigestInfo *) PORT_ArenaZAlloc(arena, sizeof(SGNDigestInfo));
+    if (di == NULL) {
+	PORT_FreeArena(arena, PR_FALSE);
+	return NULL;
+    }
+
+    di->arena = arena;
+
+    /*
+     * PKCS #1 specifies that the AlgorithmID must have a NULL parameter
+     * (as opposed to no parameter at all).
+     */
+    dummy_value.data = NULL;
+    dummy_value.len = 0;
+    null_param = SEC_ASN1EncodeItem(NULL, NULL, &dummy_value, SEC_NullTemplate);
+    if (null_param == NULL) {
+	goto loser;
+    }
+
+    rv = SECOID_SetAlgorithmID(arena, &di->digestAlgorithm, algorithm,
+			       null_param);
+
+    SECITEM_FreeItem(null_param, PR_TRUE);
+
+    if (rv != SECSuccess) {
+	goto loser;
+    }
+
+    di->digest.data = (unsigned char *) PORT_ArenaAlloc(arena, len);
+    if (di->digest.data == NULL) {
+	goto loser;
+    }
+
+    di->digest.len = len;
+    PORT_Memcpy(di->digest.data, sig, len);
+    return di;
+
+  loser:
+    SGN_DestroyDigestInfo(di);
+    return NULL;
+}
+
+SGNDigestInfo *
+SGN_DecodeDigestInfo(SECItem *didata)
+{
+    PRArenaPool *arena;
+    SGNDigestInfo *di;
+    SECStatus rv = SECFailure;
+
+    arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+    if(arena == NULL)
+	return NULL;
+
+    di = (SGNDigestInfo *)PORT_ArenaZAlloc(arena, sizeof(SGNDigestInfo));
+    if(di != NULL)
+    {
+	di->arena = arena;
+	rv = SEC_ASN1DecodeItem(arena, di, sgn_DigestInfoTemplate, didata);
+    }
+	
+    if((di == NULL) || (rv != SECSuccess))
+    {
+	PORT_FreeArena(arena, PR_TRUE);
+	di = NULL;
+    }
+
+    return di;
+}
+
+void
+SGN_DestroyDigestInfo(SGNDigestInfo *di)
+{
+    if (di && di->arena) {
+	PORT_FreeArena(di->arena, PR_FALSE);
+    }
+
+    return;
+}
+
+SECStatus 
+SGN_CopyDigestInfo(PRArenaPool *poolp, SGNDigestInfo *a, SGNDigestInfo *b)
+{
+    SECStatus rv;
+    void *mark;
+
+    if((poolp == NULL) || (a == NULL) || (b == NULL))
+	return SECFailure;
+
+    mark = PORT_ArenaMark(poolp);
+    a->arena = poolp;
+    rv = SECOID_CopyAlgorithmID(poolp, &a->digestAlgorithm, 
+	&b->digestAlgorithm);
+    if (rv == SECSuccess)
+	rv = SECITEM_CopyItem(poolp, &a->digest, &b->digest);
+
+    if (rv != SECSuccess) {
+	PORT_ArenaRelease(poolp, mark);
+    } else {
+	PORT_ArenaUnmark(poolp, mark);
+    }
+
+    return rv;
+}
+
+SECComparison
+SGN_CompareDigestInfo(SGNDigestInfo *a, SGNDigestInfo *b)
+{
+    SECComparison rv;
+
+    /* Check signature algorithm's */
+    rv = SECOID_CompareAlgorithmID(&a->digestAlgorithm, &b->digestAlgorithm);
+    if (rv) return rv;
+
+    /* Compare signature block length's */
+    rv = SECITEM_CompareItem(&a->digest, &b->digest);
+    return rv;
+}
diff --git a/security/nss/lib/util/secdig.h b/security/nss/lib/util/secdig.h
new file mode 100644
index 000000000..048604554
--- /dev/null
+++ b/security/nss/lib/util/secdig.h
@@ -0,0 +1,135 @@
+/*
+ * crypto.h - public data structures and prototypes for the crypto library
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#ifndef _SECDIG_H_
+#define _SECDIG_H_
+
+#include "secdigt.h"
+
+#include "seccomon.h"
+#include "secasn1t.h" 
+#include "secdert.h"
+
+SEC_BEGIN_PROTOS
+
+
+extern const SEC_ASN1Template sgn_DigestInfoTemplate[];
+
+SEC_ASN1_CHOOSER_DECLARE(sgn_DigestInfoTemplate)
+
+extern DERTemplate SGNDigestInfoTemplate[];
+
+
+/****************************************/
+/*
+** Digest-info functions
+*/
+
+/*
+** Create a new digest-info object
+** 	"algorithm" one of SEC_OID_MD2, SEC_OID_MD5, or SEC_OID_SHA1
+** 	"sig" the raw signature data (from MD2 or MD5)
+** 	"sigLen" the length of the signature data
+**
+** NOTE: this is a low level routine used to prepare some data for PKCS#1
+** digital signature formatting.
+**
+** XXX It might be nice to combine the create and encode functions.
+** I think that is all anybody ever wants to do anyway.
+*/
+extern SGNDigestInfo *SGN_CreateDigestInfo(SECOidTag algorithm,
+					   unsigned char *sig,
+					   unsigned int sigLen);
+
+/*
+** Destroy a digest-info object
+*/
+extern void SGN_DestroyDigestInfo(SGNDigestInfo *info);
+
+/*
+** Encode a digest-info object
+**	"poolp" is where to allocate the result from; it can be NULL in
+**		which case generic heap allocation (XP_ALLOC) will be used
+**	"dest" is where to store the result; it can be NULL, in which case
+**		it will be allocated (from poolp or heap, as explained above)
+**	"diginfo" is the object to be encoded
+** The return value is NULL if any error occurred, otherwise it is the
+** resulting SECItem (either allocated or the same as the "dest" parameter).
+**
+** XXX It might be nice to combine the create and encode functions.
+** I think that is all anybody ever wants to do anyway.
+*/
+extern SECItem *SGN_EncodeDigestInfo(PRArenaPool *poolp, SECItem *dest,
+				     SGNDigestInfo *diginfo);
+
+/*
+** Decode a DER encoded digest info objct.
+**  didata is thr source of the encoded digest.  
+** The return value is NULL if an error occurs.  Otherwise, a
+** digest info object which is allocated within it's own
+** pool is returned.  The digest info should be deleted
+** by later calling SGN_DestroyDigestInfo.
+*/
+extern SGNDigestInfo *SGN_DecodeDigestInfo(SECItem *didata);
+
+
+/*
+** Copy digest info.
+**  poolp is the arena to which the digest will be copied.
+**  a is the destination digest, it must be non-NULL.
+**  b is the source digest
+** This function is for copying digests.  It allows digests
+** to be copied into a specified pool.  If the digest is in
+** the same pool as other data, you do not want to delete
+** the digest by calling SGN_DestroyDigestInfo.  
+** A return value of SECFailure indicates an error.  A return
+** of SECSuccess indicates no error occured.
+*/
+extern SECStatus  SGN_CopyDigestInfo(PRArenaPool *poolp,
+					SGNDigestInfo *a, 
+					SGNDigestInfo *b);
+
+/*
+** Compare two digest-info objects, returning the difference between
+** them.
+*/
+extern SECComparison SGN_CompareDigestInfo(SGNDigestInfo *a, SGNDigestInfo *b);
+
+
+SEC_END_PROTOS
+
+#endif /* _SECDIG_H_ */
diff --git a/security/nss/lib/util/secdigt.h b/security/nss/lib/util/secdigt.h
new file mode 100644
index 000000000..fea6daa99
--- /dev/null
+++ b/security/nss/lib/util/secdigt.h
@@ -0,0 +1,57 @@
+/*
+ * secdigt.h - public data structures for digestinfos from the util lib.
+ *
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * $Id$
+ */
+
+#ifndef _SECDIGT_H_
+#define _SECDIGT_H_
+
+#include "plarena.h"
+#include "secoidt.h"
+#include "secitem.h"
+
+/*
+** A PKCS#1 digest-info object
+*/
+struct SGNDigestInfoStr {
+    PLArenaPool *  arena;
+    SECAlgorithmID digestAlgorithm;
+    SECItem        digest;
+};
+typedef struct SGNDigestInfoStr SGNDigestInfo;
+
+
+
+#endif /* _SECDIGT_H_ */
diff --git a/security/nss/lib/util/secerr.h b/security/nss/lib/util/secerr.h
new file mode 100644
index 000000000..ff9c784ee
--- /dev/null
+++ b/security/nss/lib/util/secerr.h
@@ -0,0 +1,187 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef __SEC_ERR_H_
+#define __SEC_ERR_H_
+
+
+#define SEC_ERROR_BASE				(-0x2000)
+#define SEC_ERROR_LIMIT				(SEC_ERROR_BASE + 1000)
+
+#define IS_SEC_ERROR(code) \
+    (((code) >= SEC_ERROR_BASE) && ((code) < SEC_ERROR_LIMIT))
+
+#ifndef NO_SECURITY_ERROR_ENUM
+typedef enum {
+SEC_ERROR_IO 				    =	SEC_ERROR_BASE + 0,
+SEC_ERROR_LIBRARY_FAILURE 		    =	SEC_ERROR_BASE + 1,
+SEC_ERROR_BAD_DATA 			    =	SEC_ERROR_BASE + 2,
+SEC_ERROR_OUTPUT_LEN 			    =	SEC_ERROR_BASE + 3,
+SEC_ERROR_INPUT_LEN 			    =	SEC_ERROR_BASE + 4,
+SEC_ERROR_INVALID_ARGS 			    =	SEC_ERROR_BASE + 5,
+SEC_ERROR_INVALID_ALGORITHM 		    =	SEC_ERROR_BASE + 6,
+SEC_ERROR_INVALID_AVA 			    =	SEC_ERROR_BASE + 7,
+SEC_ERROR_INVALID_TIME 			    =	SEC_ERROR_BASE + 8,
+SEC_ERROR_BAD_DER 			    =	SEC_ERROR_BASE + 9,
+SEC_ERROR_BAD_SIGNATURE 		    =	SEC_ERROR_BASE + 10,
+SEC_ERROR_EXPIRED_CERTIFICATE 		    =	SEC_ERROR_BASE + 11,
+SEC_ERROR_REVOKED_CERTIFICATE 		    =	SEC_ERROR_BASE + 12,
+SEC_ERROR_UNKNOWN_ISSUER 		    =	SEC_ERROR_BASE + 13,
+SEC_ERROR_BAD_KEY 			    =	SEC_ERROR_BASE + 14,
+SEC_ERROR_BAD_PASSWORD 			    =	SEC_ERROR_BASE + 15,
+SEC_ERROR_RETRY_PASSWORD 		    =	SEC_ERROR_BASE + 16,
+SEC_ERROR_NO_NODELOCK 			    =	SEC_ERROR_BASE + 17,
+SEC_ERROR_BAD_DATABASE 			    =	SEC_ERROR_BASE + 18,
+SEC_ERROR_NO_MEMORY 			    =	SEC_ERROR_BASE + 19,
+SEC_ERROR_UNTRUSTED_ISSUER 		    =	SEC_ERROR_BASE + 20,
+SEC_ERROR_UNTRUSTED_CERT 		    =	SEC_ERROR_BASE + 21,
+SEC_ERROR_DUPLICATE_CERT 		    =	(SEC_ERROR_BASE + 22),
+SEC_ERROR_DUPLICATE_CERT_NAME 		    =	(SEC_ERROR_BASE + 23),
+SEC_ERROR_ADDING_CERT 			    =	(SEC_ERROR_BASE + 24),
+SEC_ERROR_FILING_KEY 			    =	(SEC_ERROR_BASE + 25),
+SEC_ERROR_NO_KEY 			    =	(SEC_ERROR_BASE + 26),
+SEC_ERROR_CERT_VALID 			    =	(SEC_ERROR_BASE + 27),
+SEC_ERROR_CERT_NOT_VALID 		    =	(SEC_ERROR_BASE + 28),
+SEC_ERROR_CERT_NO_RESPONSE 		    =	(SEC_ERROR_BASE + 29),
+SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE 	    =	(SEC_ERROR_BASE + 30),
+SEC_ERROR_CRL_EXPIRED 			    =	(SEC_ERROR_BASE + 31),
+SEC_ERROR_CRL_BAD_SIGNATURE 		    =	(SEC_ERROR_BASE + 32),
+SEC_ERROR_CRL_INVALID 			    =	(SEC_ERROR_BASE + 33),
+SEC_ERROR_EXTENSION_VALUE_INVALID 	    = 	(SEC_ERROR_BASE + 34),
+SEC_ERROR_EXTENSION_NOT_FOUND 		    = 	(SEC_ERROR_BASE + 35),
+SEC_ERROR_CA_CERT_INVALID 		    = 	(SEC_ERROR_BASE + 36),
+SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID 	    = 	(SEC_ERROR_BASE + 37),
+SEC_ERROR_CERT_USAGES_INVALID 		    = 	(SEC_ERROR_BASE + 38),
+SEC_INTERNAL_ONLY 			    =	(SEC_ERROR_BASE + 39),
+SEC_ERROR_INVALID_KEY 			    =	(SEC_ERROR_BASE + 40),
+SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION 	    = 	(SEC_ERROR_BASE + 41),
+SEC_ERROR_OLD_CRL 			    =	(SEC_ERROR_BASE + 42),
+SEC_ERROR_NO_EMAIL_CERT 		    =	(SEC_ERROR_BASE + 43),
+SEC_ERROR_NO_RECIPIENT_CERTS_QUERY 	    =	(SEC_ERROR_BASE + 44),
+SEC_ERROR_NOT_A_RECIPIENT 		    =	(SEC_ERROR_BASE + 45),
+SEC_ERROR_PKCS7_KEYALG_MISMATCH 	    =	(SEC_ERROR_BASE + 46),
+SEC_ERROR_PKCS7_BAD_SIGNATURE 		    =	(SEC_ERROR_BASE + 47),
+SEC_ERROR_UNSUPPORTED_KEYALG 		    =	(SEC_ERROR_BASE + 48),
+SEC_ERROR_DECRYPTION_DISALLOWED 	    =	(SEC_ERROR_BASE + 49),
+/* Fortezza Alerts */
+XP_SEC_FORTEZZA_BAD_CARD 		    =	(SEC_ERROR_BASE + 50),
+XP_SEC_FORTEZZA_NO_CARD 		    =	(SEC_ERROR_BASE + 51),
+XP_SEC_FORTEZZA_NONE_SELECTED 		    =	(SEC_ERROR_BASE + 52),
+XP_SEC_FORTEZZA_MORE_INFO 		    =	(SEC_ERROR_BASE + 53),
+XP_SEC_FORTEZZA_PERSON_NOT_FOUND 	    =	(SEC_ERROR_BASE + 54),
+XP_SEC_FORTEZZA_NO_MORE_INFO 		    =	(SEC_ERROR_BASE + 55),
+XP_SEC_FORTEZZA_BAD_PIN 		    =	(SEC_ERROR_BASE + 56),
+XP_SEC_FORTEZZA_PERSON_ERROR 		    =	(SEC_ERROR_BASE + 57),
+SEC_ERROR_NO_KRL 			    =	(SEC_ERROR_BASE + 58),
+SEC_ERROR_KRL_EXPIRED 			    =	(SEC_ERROR_BASE + 59),
+SEC_ERROR_KRL_BAD_SIGNATURE 		    =	(SEC_ERROR_BASE + 60),
+SEC_ERROR_REVOKED_KEY 			    =	(SEC_ERROR_BASE + 61),
+SEC_ERROR_KRL_INVALID 			    =	(SEC_ERROR_BASE + 62),
+SEC_ERROR_NEED_RANDOM 			    =	(SEC_ERROR_BASE + 63),
+SEC_ERROR_NO_MODULE 			    =	(SEC_ERROR_BASE + 64),
+SEC_ERROR_NO_TOKEN 			    =	(SEC_ERROR_BASE + 65),
+SEC_ERROR_READ_ONLY 			    =	(SEC_ERROR_BASE + 66),
+SEC_ERROR_NO_SLOT_SELECTED 		    =	(SEC_ERROR_BASE + 67),
+SEC_ERROR_CERT_NICKNAME_COLLISION 	    =	(SEC_ERROR_BASE + 68),
+SEC_ERROR_KEY_NICKNAME_COLLISION 	    =	(SEC_ERROR_BASE + 69),
+SEC_ERROR_SAFE_NOT_CREATED 		    =	(SEC_ERROR_BASE + 70),
+SEC_ERROR_BAGGAGE_NOT_CREATED 		    =	(SEC_ERROR_BASE + 71),
+XP_JAVA_REMOVE_PRINCIPAL_ERROR 		    =	(SEC_ERROR_BASE + 72),
+XP_JAVA_DELETE_PRIVILEGE_ERROR 		    =	(SEC_ERROR_BASE + 73),
+XP_JAVA_CERT_NOT_EXISTS_ERROR 		    =	(SEC_ERROR_BASE + 74),
+SEC_ERROR_BAD_EXPORT_ALGORITHM 		    =	(SEC_ERROR_BASE + 75),
+SEC_ERROR_EXPORTING_CERTIFICATES 	    =	(SEC_ERROR_BASE + 76),
+SEC_ERROR_IMPORTING_CERTIFICATES 	    =	(SEC_ERROR_BASE + 77),
+SEC_ERROR_PKCS12_DECODING_PFX 		    =	(SEC_ERROR_BASE + 78),
+SEC_ERROR_PKCS12_INVALID_MAC 		    =	(SEC_ERROR_BASE + 79),
+SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM  =	(SEC_ERROR_BASE + 80),
+SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE =	(SEC_ERROR_BASE + 81),
+SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE 	    =	(SEC_ERROR_BASE + 82),
+SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM  = 	(SEC_ERROR_BASE + 83),
+SEC_ERROR_PKCS12_UNSUPPORTED_VERSION 	    =	(SEC_ERROR_BASE + 84),
+SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT =	(SEC_ERROR_BASE + 85),
+SEC_ERROR_PKCS12_CERT_COLLISION 	    =	(SEC_ERROR_BASE + 86),
+SEC_ERROR_USER_CANCELLED 		    =	(SEC_ERROR_BASE + 87),
+SEC_ERROR_PKCS12_DUPLICATE_DATA 	    =	(SEC_ERROR_BASE + 88),
+SEC_ERROR_MESSAGE_SEND_ABORTED 		    =	(SEC_ERROR_BASE + 89),
+SEC_ERROR_INADEQUATE_KEY_USAGE 		    =	(SEC_ERROR_BASE + 90),
+SEC_ERROR_INADEQUATE_CERT_TYPE 		    =	(SEC_ERROR_BASE + 91),
+SEC_ERROR_CERT_ADDR_MISMATCH 		    =	(SEC_ERROR_BASE + 92),
+SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY 	    =	(SEC_ERROR_BASE + 93),
+SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN 	    =	(SEC_ERROR_BASE + 94),
+SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME = (SEC_ERROR_BASE + 95),
+SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY 	    =	(SEC_ERROR_BASE + 96),
+SEC_ERROR_PKCS12_UNABLE_TO_WRITE 	    = 	(SEC_ERROR_BASE + 97),
+SEC_ERROR_PKCS12_UNABLE_TO_READ 	    =	(SEC_ERROR_BASE + 98),
+SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED 	 = (SEC_ERROR_BASE + 99),
+SEC_ERROR_KEYGEN_FAIL 			    =	(SEC_ERROR_BASE + 100),
+SEC_ERROR_INVALID_PASSWORD 		    =	(SEC_ERROR_BASE + 101),
+SEC_ERROR_RETRY_OLD_PASSWORD 		    =	(SEC_ERROR_BASE + 102),
+SEC_ERROR_BAD_NICKNAME 			    =	(SEC_ERROR_BASE + 103),
+SEC_ERROR_NOT_FORTEZZA_ISSUER 		    = 	(SEC_ERROR_BASE + 104),
+SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY         =   (SEC_ERROR_BASE + 105),
+SEC_ERROR_JS_INVALID_MODULE_NAME 	    =	(SEC_ERROR_BASE + 106),
+SEC_ERROR_JS_INVALID_DLL 		    =	(SEC_ERROR_BASE + 107),
+SEC_ERROR_JS_ADD_MOD_FAILURE 		    =	(SEC_ERROR_BASE + 108),
+SEC_ERROR_JS_DEL_MOD_FAILURE 		    =	(SEC_ERROR_BASE + 109),
+SEC_ERROR_OLD_KRL 			    =	(SEC_ERROR_BASE + 110),
+SEC_ERROR_CKL_CONFLICT 			    =	(SEC_ERROR_BASE + 111),
+SEC_ERROR_CERT_NOT_IN_NAME_SPACE 	    =	(SEC_ERROR_BASE + 112),
+SEC_ERROR_KRL_NOT_YET_VALID 		    =	(SEC_ERROR_BASE + 113),
+SEC_ERROR_CRL_NOT_YET_VALID 		    =	(SEC_ERROR_BASE + 114),
+SEC_ERROR_UNKNOWN_CERT 			    =	(SEC_ERROR_BASE + 115),
+SEC_ERROR_UNKNOWN_SIGNER 		    =	(SEC_ERROR_BASE + 116),
+SEC_ERROR_CERT_BAD_ACCESS_LOCATION 	    =	(SEC_ERROR_BASE + 117),
+SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE 	    =	(SEC_ERROR_BASE + 118),
+SEC_ERROR_OCSP_BAD_HTTP_RESPONSE 	    =	(SEC_ERROR_BASE + 119),
+SEC_ERROR_OCSP_MALFORMED_REQUEST 	    =	(SEC_ERROR_BASE + 120),
+SEC_ERROR_OCSP_SERVER_ERROR 		    =	(SEC_ERROR_BASE + 121),
+SEC_ERROR_OCSP_TRY_SERVER_LATER 	    =	(SEC_ERROR_BASE + 122),
+SEC_ERROR_OCSP_REQUEST_NEEDS_SIG 	    =	(SEC_ERROR_BASE + 123),
+SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST 	    =	(SEC_ERROR_BASE + 124),
+SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS 	    =	(SEC_ERROR_BASE + 125),
+SEC_ERROR_OCSP_UNKNOWN_CERT 		    =	(SEC_ERROR_BASE + 126),
+SEC_ERROR_OCSP_NOT_ENABLED 		    =	(SEC_ERROR_BASE + 127),
+SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER 	    =	(SEC_ERROR_BASE + 128),
+SEC_ERROR_OCSP_MALFORMED_RESPONSE 	    =	(SEC_ERROR_BASE + 129),
+SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE 	    =	(SEC_ERROR_BASE + 130),
+SEC_ERROR_OCSP_FUTURE_RESPONSE 		    =	(SEC_ERROR_BASE + 131),
+SEC_ERROR_OCSP_OLD_RESPONSE 		    =	(SEC_ERROR_BASE + 132),
+/* smime stuff */
+SEC_ERROR_DIGEST_NOT_FOUND		    =	(SEC_ERROR_BASE + 133),
+SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE	    =	(SEC_ERROR_BASE + 134)
+
+} SECErrorCodes;
+#endif /* NO_SECURITY_ERROR_ENUM */
+
+#endif /* __SEC_ERR_H_ */
diff --git a/security/nss/lib/util/secinit.c b/security/nss/lib/util/secinit.c
new file mode 100644
index 000000000..a18b1243b
--- /dev/null
+++ b/security/nss/lib/util/secinit.c
@@ -0,0 +1,50 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "nspr.h"
+#include "secport.h"
+
+static int sec_inited = 0;
+
+void 
+SEC_Init(void)
+{
+    /* PR_Init() must be called before SEC_Init() */
+#if !defined(SERVER_BUILD)
+    PORT_Assert(PR_Initialized() == PR_TRUE);
+#endif
+    if (sec_inited)
+	return;
+
+    sec_inited = 1;
+}
diff --git a/security/nss/lib/util/secitem.c b/security/nss/lib/util/secitem.c
new file mode 100644
index 000000000..9144818da
--- /dev/null
+++ b/security/nss/lib/util/secitem.c
@@ -0,0 +1,283 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * Support routines for SECItem data structure.
+ *
+ * $Id$
+ */
+
+#include "seccomon.h"
+#include "secitem.h"
+#include "base64.h"
+#include "secerr.h"
+
+SECItem *
+SECITEM_AllocItem(PRArenaPool *arena, SECItem *item, unsigned int len)
+{
+    SECItem *result = NULL;
+    void *mark = NULL;
+
+    if (arena != NULL) {
+	mark = PORT_ArenaMark(arena);
+    }
+
+    if (item == NULL) {
+	if (arena != NULL) {
+	    result = PORT_ArenaZAlloc(arena, sizeof(SECItem));
+	} else {
+	    result = PORT_ZAlloc(sizeof(SECItem));
+	}
+	if (result == NULL) {
+	    goto loser;
+	}
+    } else {
+	PORT_Assert(item->data == NULL);
+	result = item;
+    }
+
+    result->len = len;
+    if (len) {
+	if (arena != NULL) {
+	    result->data = PORT_ArenaAlloc(arena, len);
+	} else {
+	    result->data = PORT_Alloc(len);
+	}
+    }
+
+    if (mark) {
+	PORT_ArenaUnmark(arena, mark);
+    }
+    return(result);
+
+loser:
+    if ( arena != NULL ) {
+	if (mark) {
+	    PORT_ArenaRelease(arena, mark);
+	}
+	if (item != NULL) {
+	    item->data = NULL;
+	    item->len = 0;
+	}
+    } else {
+	if (result != NULL) {
+	    SECITEM_FreeItem(result, (item == NULL) ? PR_TRUE : PR_FALSE);
+	}
+    }
+    return(NULL);
+}
+
+SECStatus
+SECITEM_ReallocItem(PRArenaPool *arena, SECItem *item, unsigned int oldlen,
+		    unsigned int newlen)
+{
+    PORT_Assert(item != NULL);
+    if (item == NULL) {
+	/* XXX Set error.  But to what? */
+	return SECFailure;
+    }
+
+    /*
+     * If no old length, degenerate to just plain alloc.
+     */
+    if (oldlen == 0) {
+	PORT_Assert(item->data == NULL || item->len == 0);
+	if (newlen == 0) {
+	    /* Nothing to do.  Weird, but not a failure.  */
+	    return SECSuccess;
+	}
+	item->len = newlen;
+	if (arena != NULL) {
+	    item->data = PORT_ArenaAlloc(arena, newlen);
+	} else {
+	    item->data = PORT_Alloc(newlen);
+	}
+    } else {
+	if (arena != NULL) {
+	    item->data = PORT_ArenaGrow(arena, item->data, oldlen, newlen);
+	} else {
+	    item->data = PORT_Realloc(item->data, newlen);
+	}
+    }
+
+    if (item->data == NULL) {
+	return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+SECComparison
+SECITEM_CompareItem(const SECItem *a, const SECItem *b)
+{
+    unsigned m;
+    SECComparison rv;
+
+    m = ( ( a->len < b->len ) ? a->len : b->len );
+    
+    rv = (SECComparison) PORT_Memcmp(a->data, b->data, m);
+    if (rv) {
+	return rv;
+    }
+    if (a->len < b->len) {
+	return SECLessThan;
+    }
+    if (a->len == b->len) {
+	return SECEqual;
+    }
+    return SECGreaterThan;
+}
+
+PRBool
+SECITEM_ItemsAreEqual(const SECItem *a, const SECItem *b)
+{
+    if (SECITEM_CompareItem(a, b) == SECEqual)
+	return PR_TRUE;
+
+    return PR_FALSE;
+}
+
+SECItem *
+SECITEM_DupItem(const SECItem *from)
+{
+    SECItem *to;
+    
+    if ( from == NULL ) {
+	return(NULL);
+    }
+    
+    to = (SECItem *)PORT_Alloc(sizeof(SECItem));
+    if ( to == NULL ) {
+	return(NULL);
+    }
+
+    to->data = (unsigned char *)PORT_Alloc(from->len);
+    if ( to->data == NULL ) {
+	PORT_Free(to);
+	return(NULL);
+    }
+
+    to->len = from->len;
+    PORT_Memcpy(to->data, from->data, to->len);
+    
+    return(to);
+}
+
+SECStatus
+SECITEM_CopyItem(PRArenaPool *arena, SECItem *to, const SECItem *from)
+{
+    to->type = from->type;
+    if (from->data && from->len) {
+	if ( arena ) {
+	    to->data = (unsigned char*) PORT_ArenaAlloc(arena, from->len);
+	} else {
+	    to->data = (unsigned char*) PORT_Alloc(from->len);
+	}
+	
+	if (!to->data) {
+	    return SECFailure;
+	}
+	PORT_Memcpy(to->data, from->data, from->len);
+	to->len = from->len;
+    } else {
+	to->data = 0;
+	to->len = 0;
+    }
+    return SECSuccess;
+}
+
+void
+SECITEM_FreeItem(SECItem *zap, PRBool freeit)
+{
+    if (zap) {
+	PORT_Free(zap->data);
+	zap->data = 0;
+	zap->len = 0;
+	if (freeit) {
+	    PORT_Free(zap);
+	}
+    }
+}
+
+void
+SECITEM_ZfreeItem(SECItem *zap, PRBool freeit)
+{
+    if (zap) {
+	PORT_ZFree(zap->data, zap->len);
+	zap->data = 0;
+	zap->len = 0;
+	if (freeit) {
+	    PORT_ZFree(zap, sizeof(SECItem));
+	}
+    }
+}
+/* these reroutines were taken from pkix oid.c, which is supposed to
+ * replace this file some day */
+/*
+ * This is the hash function.  We simply XOR the encoded form with
+ * itself in sizeof(PLHashNumber)-byte chunks.  Improving this
+ * routine is left as an excercise for the more mathematically
+ * inclined student.
+ */
+PLHashNumber PR_CALLBACK
+SECITEM_Hash ( const void *key)
+{
+    const SECItem *item = (const SECItem *)key;
+    PLHashNumber rv = 0;
+
+    PRUint8 *data = (PRUint8 *)item->data;
+    PRUint32 i;
+    PRUint8 *rvc = (PRUint8 *)&rv;
+
+    for( i = 0; i < item->len; i++ ) {
+        rvc[ i % sizeof(rv) ] ^= *data;
+        data++;
+    }
+
+    return rv;
+}
+
+/*
+ * This is the key-compare function.  It simply does a lexical
+ * comparison on the item data.  This does not result in
+ * quite the same ordering as the "sequence of numbers" order,
+ * but heck it's only used internally by the hash table anyway.
+ */
+PRIntn PR_CALLBACK
+SECITEM_HashCompare ( const void *k1, const void *k2)
+{
+    const SECItem *i1 = (const SECItem *)k1;
+    const SECItem *i2 = (const SECItem *)k2;
+
+    return SECITEM_ItemsAreEqual(i1,i2);
+}
diff --git a/security/nss/lib/util/secitem.h b/security/nss/lib/util/secitem.h
new file mode 100644
index 000000000..76a5d16fb
--- /dev/null
+++ b/security/nss/lib/util/secitem.h
@@ -0,0 +1,112 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _SECITEM_H_
+#define _SECITEM_H_
+/*
+ * secitem.h - public data structures and prototypes for handling
+ *	       SECItems
+ *
+ * $Id$
+ */
+
+#include "plarena.h"
+#include "plhash.h"
+#include "seccomon.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+** Allocate an item.  If "arena" is not NULL, then allocate from there,
+** otherwise allocate from the heap.  If "item" is not NULL, allocate
+** only the data for the item, not the item itself.  The item structure
+** is allocated zero-filled; the data buffer is not zeroed.
+**
+** The resulting item is returned; NULL if any error occurs.
+**
+** XXX This probably should take a SECItemType, but since that is mostly
+** unused and our improved APIs (aka Stan) are looming, I left it out.
+*/
+extern SECItem *SECITEM_AllocItem(PRArenaPool *arena, SECItem *item,
+				  unsigned int len);
+
+/*
+** Reallocate the data for the specified "item".  If "arena" is not NULL,
+** then reallocate from there, otherwise reallocate from the heap.
+** In the case where oldlen is 0, the data is allocated (not reallocated).
+** In any case, "item" is expected to be a valid SECItem pointer;
+** SECFailure is returned if it is not.  If the allocation succeeds,
+** SECSuccess is returned.
+*/
+extern SECStatus SECITEM_ReallocItem(PRArenaPool *arena, SECItem *item,
+				     unsigned int oldlen, unsigned int newlen);
+
+/*
+** Compare two items returning the difference between them.
+*/
+extern SECComparison SECITEM_CompareItem(const SECItem *a, const SECItem *b);
+
+/*
+** Compare two items -- if they are the same, return true; otherwise false.
+*/
+extern PRBool SECITEM_ItemsAreEqual(const SECItem *a, const SECItem *b);
+
+/*
+** Copy "from" to "to"
+*/
+extern SECStatus SECITEM_CopyItem(PRArenaPool *arena, SECItem *to, 
+                                  const SECItem *from);
+
+/*
+** Allocate an item and copy "from" into it.
+*/
+extern SECItem *SECITEM_DupItem(const SECItem *from);
+
+/*
+** Free "zap". If freeit is PR_TRUE then "zap" itself is freed.
+*/
+extern void SECITEM_FreeItem(SECItem *zap, PRBool freeit);
+
+/*
+** Zero and then free "zap". If freeit is PR_TRUE then "zap" itself is freed.
+*/
+extern void SECITEM_ZfreeItem(SECItem *zap, PRBool freeit);
+
+PLHashNumber PR_CALLBACK SECITEM_Hash ( const void *key);
+
+PRIntn PR_CALLBACK SECITEM_HashCompare ( const void *k1, const void *k2);
+
+
+SEC_END_PROTOS
+
+#endif /* _SECITEM_H_ */
diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c
new file mode 100644
index 000000000..d7a74ae7a
--- /dev/null
+++ b/security/nss/lib/util/secoid.c
@@ -0,0 +1,1321 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "secoid.h"
+#include "pkcs11t.h"
+#include "secmodt.h"
+#include "secitem.h"
+#include "secerr.h"
+#include "plhash.h"
+
+/* MISSI Mosaic Object ID space */
+#define USGOV                   0x60, 0x86, 0x48, 0x01, 0x65
+#define MISSI	                USGOV, 0x02, 0x01, 0x01
+#define MISSI_OLD_KEA_DSS	MISSI, 0x0c
+#define MISSI_OLD_DSS		MISSI, 0x02
+#define MISSI_KEA_DSS		MISSI, 0x14
+#define MISSI_DSS		MISSI, 0x13
+#define MISSI_KEA               MISSI, 0x0a
+#define MISSI_ALT_KEA           MISSI, 0x16
+
+#define NISTALGS    USGOV, 3, 4
+#define AES         NISTALGS, 1
+
+/**
+ ** The Netscape OID space is allocated by Terry Hayes.  If you need
+ ** a piece of the space, contact him at thayes@netscape.com.
+ **/
+
+/* Netscape Communications Corporation Object ID space */
+/* { 2 16 840 1 113730 } */
+#define NETSCAPE_OID	          0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42
+#define NETSCAPE_CERT_EXT 	  NETSCAPE_OID, 0x01
+#define NETSCAPE_DATA_TYPE 	  NETSCAPE_OID, 0x02
+/* netscape directory oid - owned by Tim Howes(howes@netscape.com) */
+#define NETSCAPE_DIRECTORY 	  NETSCAPE_OID, 0x03
+#define NETSCAPE_POLICY 	  NETSCAPE_OID, 0x04
+#define NETSCAPE_CERT_SERVER 	  NETSCAPE_OID, 0x05
+#define NETSCAPE_ALGS 		  NETSCAPE_OID, 0x06 /* algorithm OIDs */
+#define NETSCAPE_NAME_COMPONENTS  NETSCAPE_OID, 0x07
+
+#define NETSCAPE_CERT_EXT_AIA     NETSCAPE_CERT_EXT, 0x10
+#define NETSCAPE_CERT_SERVER_CRMF NETSCAPE_CERT_SERVER, 0x01
+
+/* these are old and should go away soon */
+#define OLD_NETSCAPE		0x60, 0x86, 0x48, 0xd8, 0x6a
+#define NS_CERT_EXT		OLD_NETSCAPE, 0x01
+#define NS_FILE_TYPE		OLD_NETSCAPE, 0x02
+#define NS_IMAGE_TYPE		OLD_NETSCAPE, 0x03
+
+/* RSA OID name space */
+#define RSADSI			0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d
+#define PKCS			RSADSI, 0x01
+#define DIGEST			RSADSI, 0x02
+#define CIPHER			RSADSI, 0x03
+#define PKCS1			PKCS, 0x01
+#define PKCS5			PKCS, 0x05
+#define PKCS7			PKCS, 0x07
+#define PKCS9			PKCS, 0x09
+#define PKCS12			PKCS, 0x0c
+
+/* Fortezza algorithm OID space: { 2 16 840 1 101 2 1 1 } */
+/* ### mwelch -- Is this just for algorithms, or all of Fortezza? */
+#define FORTEZZA_ALG 0x60, 0x86, 0x48, 0x01, 0x65, 0x02, 0x01, 0x01
+
+/* Other OID name spaces */
+#define ALGORITHM		0x2b, 0x0e, 0x03, 0x02
+#define X500			0x55
+#define X520_ATTRIBUTE_TYPE	X500, 0x04
+#define X500_ALG		X500, 0x08
+#define X500_ALG_ENCRYPTION	X500_ALG, 0x01
+
+/** X.509 v3 Extension OID 
+ ** {joint-iso-ccitt (2) ds(5) 29}
+ **/
+#define	ID_CE_OID 		X500, 0x1d
+
+#define RFC1274_ATTR_TYPE  0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x1
+/* #define RFC2247_ATTR_TYPE  0x09, 0x92, 0x26, 0xf5, 0x98, 0x1e, 0x64, 0x1 this is WRONG! */
+
+/* PKCS #12 name spaces */
+#define PKCS12_MODE_IDS		PKCS12, 0x01
+#define PKCS12_ESPVK_IDS	PKCS12, 0x02
+#define PKCS12_BAG_IDS		PKCS12, 0x03
+#define PKCS12_CERT_BAG_IDS	PKCS12, 0x04
+#define PKCS12_OIDS		PKCS12, 0x05
+#define PKCS12_PBE_IDS		PKCS12_OIDS, 0x01
+#define PKCS12_ENVELOPING_IDS	PKCS12_OIDS, 0x02
+#define PKCS12_SIGNATURE_IDS	PKCS12_OIDS, 0x03
+#define PKCS12_V2_PBE_IDS	PKCS12, 0x01
+#define PKCS9_CERT_TYPES	PKCS9, 0x16
+#define PKCS9_CRL_TYPES		PKCS9, 0x17
+#define PKCS9_SMIME_IDS		PKCS9, 0x10
+#define PKCS9_SMIME_ATTRS	PKCS9_SMIME_IDS, 2
+#define PKCS9_SMIME_ALGS	PKCS9_SMIME_IDS, 3
+#define PKCS12_VERSION1		PKCS12, 0x0a
+#define PKCS12_V1_BAG_IDS	PKCS12_VERSION1, 1
+
+/* for DSA algorithm */
+/* { iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) } */
+#define ANSI_X9_ALGORITHM  0x2a, 0x86, 0x48, 0xce, 0x38, 0x4
+
+/* for DH algorithm */
+/* { iso(1) member-body(2) us(840) x9-57(10046) number-type(2) } */
+/* need real OID person to look at this, copied the above line
+ * and added 6 to second to last value (and changed '4' to '2' */
+#define ANSI_X942_ALGORITHM  0x2a, 0x86, 0x48, 0xce, 0x3e, 0x2
+
+#define VERISIGN 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x45
+
+#define PKIX 			0x2b, 0x06, 0x01, 0x05, 0x05, 0x07
+#define PKIX_CERT_EXTENSIONS    PKIX, 1
+#define PKIX_POLICY_QUALIFIERS  PKIX, 2
+#define PKIX_KEY_USAGE 		PKIX, 3
+#define PKIX_ACCESS_DESCRIPTION PKIX, 0x30
+#define PKIX_OCSP 		PKIX_ACCESS_DESCRIPTION, 1
+
+#define PKIX_ID_PKIP     	PKIX, 5
+#define PKIX_ID_REGCTRL  	PKIX_ID_PKIP, 1 
+#define PKIX_ID_REGINFO  	PKIX_ID_PKIP, 2
+
+#define CONST_OID static const unsigned char
+
+CONST_OID md2[]        				= { DIGEST, 0x02 };
+CONST_OID md4[]        				= { DIGEST, 0x04 };
+CONST_OID md5[]        				= { DIGEST, 0x05 };
+
+CONST_OID rc2cbc[]     				= { CIPHER, 0x02 };
+CONST_OID rc4[]        				= { CIPHER, 0x04 };
+CONST_OID desede3cbc[] 				= { CIPHER, 0x07 };
+CONST_OID rc5cbcpad[]  				= { CIPHER, 0x09 };
+
+CONST_OID desecb[]                           = { ALGORITHM, 0x06 };
+CONST_OID descbc[]                           = { ALGORITHM, 0x07 };
+CONST_OID desofb[]                           = { ALGORITHM, 0x08 };
+CONST_OID descfb[]                           = { ALGORITHM, 0x09 };
+CONST_OID desmac[]                           = { ALGORITHM, 0x0a };
+CONST_OID sdn702DSASignature[]               = { ALGORITHM, 0x0c };
+CONST_OID isoSHAWithRSASignature[]           = { ALGORITHM, 0x0f };
+CONST_OID desede[]                           = { ALGORITHM, 0x11 };
+CONST_OID sha1[]                             = { ALGORITHM, 0x1a };
+CONST_OID bogusDSASignaturewithSHA1Digest[]  = { ALGORITHM, 0x1b };
+
+CONST_OID pkcs1RSAEncryption[]         		= { PKCS1, 0x01 };
+CONST_OID pkcs1MD2WithRSAEncryption[]  		= { PKCS1, 0x02 };
+CONST_OID pkcs1MD4WithRSAEncryption[]  		= { PKCS1, 0x03 };
+CONST_OID pkcs1MD5WithRSAEncryption[]  		= { PKCS1, 0x04 };
+CONST_OID pkcs1SHA1WithRSAEncryption[] 		= { PKCS1, 0x05 };
+
+CONST_OID pkcs5PbeWithMD2AndDEScbc[]  		= { PKCS5, 0x01 };
+CONST_OID pkcs5PbeWithMD5AndDEScbc[]  		= { PKCS5, 0x03 };
+CONST_OID pkcs5PbeWithSha1AndDEScbc[] 		= { PKCS5, 0x0a };
+
+CONST_OID pkcs7[]                     		= { PKCS7 };
+CONST_OID pkcs7Data[]                 		= { PKCS7, 0x01 };
+CONST_OID pkcs7SignedData[]           		= { PKCS7, 0x02 };
+CONST_OID pkcs7EnvelopedData[]        		= { PKCS7, 0x03 };
+CONST_OID pkcs7SignedEnvelopedData[]  		= { PKCS7, 0x04 };
+CONST_OID pkcs7DigestedData[]         		= { PKCS7, 0x05 };
+CONST_OID pkcs7EncryptedData[]        		= { PKCS7, 0x06 };
+
+CONST_OID pkcs9EmailAddress[]                  = { PKCS9, 0x01 };
+CONST_OID pkcs9UnstructuredName[]              = { PKCS9, 0x02 };
+CONST_OID pkcs9ContentType[]                   = { PKCS9, 0x03 };
+CONST_OID pkcs9MessageDigest[]                 = { PKCS9, 0x04 };
+CONST_OID pkcs9SigningTime[]                   = { PKCS9, 0x05 };
+CONST_OID pkcs9CounterSignature[]              = { PKCS9, 0x06 };
+CONST_OID pkcs9ChallengePassword[]             = { PKCS9, 0x07 };
+CONST_OID pkcs9UnstructuredAddress[]           = { PKCS9, 0x08 };
+CONST_OID pkcs9ExtendedCertificateAttributes[] = { PKCS9, 0x09 };
+CONST_OID pkcs9SMIMECapabilities[]             = { PKCS9, 15 };
+CONST_OID pkcs9FriendlyName[]                  = { PKCS9, 20 };
+CONST_OID pkcs9LocalKeyID[]                    = { PKCS9, 21 };
+
+CONST_OID pkcs9X509Certificate[]        	= { PKCS9_CERT_TYPES, 1 };
+CONST_OID pkcs9SDSICertificate[]        	= { PKCS9_CERT_TYPES, 2 };
+CONST_OID pkcs9X509CRL[]                	= { PKCS9_CRL_TYPES, 1 };
+
+/* RFC2630 (CMS) OIDs */
+CONST_OID cmsESDH[]     			= { PKCS9_SMIME_ALGS, 5 };
+CONST_OID cms3DESwrap[] 			= { PKCS9_SMIME_ALGS, 6 };
+CONST_OID cmsRC2wrap[]  			= { PKCS9_SMIME_ALGS, 7 };
+
+/* RFC2633 SMIME message attributes */
+CONST_OID smimeEncryptionKeyPreference[] 	= { PKCS9_SMIME_ATTRS, 11 };
+
+CONST_OID x520CommonName[]          		= { X520_ATTRIBUTE_TYPE, 3 };
+CONST_OID x520CountryName[]         		= { X520_ATTRIBUTE_TYPE, 6 };
+CONST_OID x520LocalityName[]        		= { X520_ATTRIBUTE_TYPE, 7 };
+CONST_OID x520StateOrProvinceName[] 		= { X520_ATTRIBUTE_TYPE, 8 };
+CONST_OID x520OrgName[]             		= { X520_ATTRIBUTE_TYPE, 10 };
+CONST_OID x520OrgUnitName[]         		= { X520_ATTRIBUTE_TYPE, 11 };
+CONST_OID x520DnQualifier[]         		= { X520_ATTRIBUTE_TYPE, 46 };
+
+CONST_OID nsTypeGIF[]          			= { NETSCAPE_DATA_TYPE, 0x01 };
+CONST_OID nsTypeJPEG[]         			= { NETSCAPE_DATA_TYPE, 0x02 };
+CONST_OID nsTypeURL[]          			= { NETSCAPE_DATA_TYPE, 0x03 };
+CONST_OID nsTypeHTML[]         			= { NETSCAPE_DATA_TYPE, 0x04 };
+CONST_OID nsTypeCertSeq[]      			= { NETSCAPE_DATA_TYPE, 0x05 };
+
+CONST_OID missiCertKEADSSOld[] 			= { MISSI_OLD_KEA_DSS };
+CONST_OID missiCertDSSOld[]    			= { MISSI_OLD_DSS };
+CONST_OID missiCertKEADSS[]    			= { MISSI_KEA_DSS };
+CONST_OID missiCertDSS[]       			= { MISSI_DSS };
+CONST_OID missiCertKEA[]       			= { MISSI_KEA };
+CONST_OID missiCertAltKEA[]    			= { MISSI_ALT_KEA };
+CONST_OID x500RSAEncryption[]  			= { X500_ALG_ENCRYPTION, 0x01 };
+
+/* added for alg 1485 */
+CONST_OID rfc1274Uid[]             		= { RFC1274_ATTR_TYPE, 1 };
+CONST_OID rfc1274Mail[]            		= { RFC1274_ATTR_TYPE, 3 };
+CONST_OID rfc2247DomainComponent[] 		= { RFC1274_ATTR_TYPE, 25 };
+
+/* Netscape private certificate extensions */
+CONST_OID nsCertExtNetscapeOK[]  		= { NS_CERT_EXT, 1 };
+CONST_OID nsCertExtIssuerLogo[]  		= { NS_CERT_EXT, 2 };
+CONST_OID nsCertExtSubjectLogo[] 		= { NS_CERT_EXT, 3 };
+CONST_OID nsExtCertType[]        		= { NETSCAPE_CERT_EXT, 0x01 };
+CONST_OID nsExtBaseURL[]         		= { NETSCAPE_CERT_EXT, 0x02 };
+CONST_OID nsExtRevocationURL[]   		= { NETSCAPE_CERT_EXT, 0x03 };
+CONST_OID nsExtCARevocationURL[] 		= { NETSCAPE_CERT_EXT, 0x04 };
+CONST_OID nsExtCACRLURL[]        		= { NETSCAPE_CERT_EXT, 0x05 };
+CONST_OID nsExtCACertURL[]       		= { NETSCAPE_CERT_EXT, 0x06 };
+CONST_OID nsExtCertRenewalURL[]  		= { NETSCAPE_CERT_EXT, 0x07 };
+CONST_OID nsExtCAPolicyURL[]     		= { NETSCAPE_CERT_EXT, 0x08 };
+CONST_OID nsExtHomepageURL[]     		= { NETSCAPE_CERT_EXT, 0x09 };
+CONST_OID nsExtEntityLogo[]      		= { NETSCAPE_CERT_EXT, 0x0a };
+CONST_OID nsExtUserPicture[]     		= { NETSCAPE_CERT_EXT, 0x0b };
+CONST_OID nsExtSSLServerName[]   		= { NETSCAPE_CERT_EXT, 0x0c };
+CONST_OID nsExtComment[]         		= { NETSCAPE_CERT_EXT, 0x0d };
+
+/* the following 2 extensions are defined for and used by Cartman(NSM) */
+CONST_OID nsExtLostPasswordURL[] 		= { NETSCAPE_CERT_EXT, 0x0e };
+CONST_OID nsExtCertRenewalTime[] 		= { NETSCAPE_CERT_EXT, 0x0f };
+
+CONST_OID nsExtAIACertRenewal[]    	= { NETSCAPE_CERT_EXT_AIA, 0x01 };
+CONST_OID nsExtCertScopeOfUse[]    	= { NETSCAPE_CERT_EXT, 0x11 };
+CONST_OID nsKeyUsageGovtApproved[] 	= { NETSCAPE_POLICY, 0x01 };
+
+/* Netscape other name types */
+CONST_OID netscapeNickname[] 		= { NETSCAPE_NAME_COMPONENTS, 0x01};
+
+/* OIDs needed for cert server */
+CONST_OID netscapeRecoveryRequest[] 	= { NETSCAPE_CERT_SERVER_CRMF, 0x01 };
+
+
+/* Standard x.509 v3 Certificate Extensions */
+CONST_OID x509SubjectDirectoryAttr[]  		= { ID_CE_OID,  9 };
+CONST_OID x509SubjectKeyID[]          		= { ID_CE_OID, 14 };
+CONST_OID x509KeyUsage[]              		= { ID_CE_OID, 15 };
+CONST_OID x509PrivateKeyUsagePeriod[] 		= { ID_CE_OID, 16 };
+CONST_OID x509SubjectAltName[]        		= { ID_CE_OID, 17 };
+CONST_OID x509IssuerAltName[]         		= { ID_CE_OID, 18 };
+CONST_OID x509BasicConstraints[]      		= { ID_CE_OID, 19 };
+CONST_OID x509NameConstraints[]       		= { ID_CE_OID, 30 };
+CONST_OID x509CRLDistPoints[]         		= { ID_CE_OID, 31 };
+CONST_OID x509CertificatePolicies[]   		= { ID_CE_OID, 32 };
+CONST_OID x509PolicyMappings[]        		= { ID_CE_OID, 33 };
+CONST_OID x509PolicyConstraints[]     		= { ID_CE_OID, 34 };
+CONST_OID x509AuthKeyID[]             		= { ID_CE_OID, 35 };
+CONST_OID x509ExtKeyUsage[]           		= { ID_CE_OID, 37 };
+CONST_OID x509AuthInfoAccess[]        		= { PKIX_CERT_EXTENSIONS, 1 };
+
+/* Standard x.509 v3 CRL Extensions */
+CONST_OID x509CrlNumber[]                    	= { ID_CE_OID, 20};
+CONST_OID x509ReasonCode[]                   	= { ID_CE_OID, 21};
+CONST_OID x509InvalidDate[]                  	= { ID_CE_OID, 24};
+
+/* pkcs 12 additions */
+CONST_OID pkcs12[]                           = { PKCS12 };
+CONST_OID pkcs12ModeIDs[]                    = { PKCS12_MODE_IDS };
+CONST_OID pkcs12ESPVKIDs[]                   = { PKCS12_ESPVK_IDS };
+CONST_OID pkcs12BagIDs[]                     = { PKCS12_BAG_IDS };
+CONST_OID pkcs12CertBagIDs[]                 = { PKCS12_CERT_BAG_IDS };
+CONST_OID pkcs12OIDs[]                       = { PKCS12_OIDS };
+CONST_OID pkcs12PBEIDs[]                     = { PKCS12_PBE_IDS };
+CONST_OID pkcs12EnvelopingIDs[]              = { PKCS12_ENVELOPING_IDS };
+CONST_OID pkcs12SignatureIDs[]               = { PKCS12_SIGNATURE_IDS };
+CONST_OID pkcs12PKCS8KeyShrouding[]          = { PKCS12_ESPVK_IDS, 0x01 };
+CONST_OID pkcs12KeyBagID[]                   = { PKCS12_BAG_IDS, 0x01 };
+CONST_OID pkcs12CertAndCRLBagID[]            = { PKCS12_BAG_IDS, 0x02 };
+CONST_OID pkcs12SecretBagID[]                = { PKCS12_BAG_IDS, 0x03 };
+CONST_OID pkcs12X509CertCRLBag[]             = { PKCS12_CERT_BAG_IDS, 0x01 };
+CONST_OID pkcs12SDSICertBag[]                = { PKCS12_CERT_BAG_IDS, 0x02 };
+CONST_OID pkcs12PBEWithSha1And128BitRC4[]    = { PKCS12_PBE_IDS, 0x01 };
+CONST_OID pkcs12PBEWithSha1And40BitRC4[]     = { PKCS12_PBE_IDS, 0x02 };
+CONST_OID pkcs12PBEWithSha1AndTripleDESCBC[] = { PKCS12_PBE_IDS, 0x03 };
+CONST_OID pkcs12PBEWithSha1And128BitRC2CBC[] = { PKCS12_PBE_IDS, 0x04 };
+CONST_OID pkcs12PBEWithSha1And40BitRC2CBC[]  = { PKCS12_PBE_IDS, 0x05 };
+CONST_OID pkcs12RSAEncryptionWith128BitRC4[] = { PKCS12_ENVELOPING_IDS, 0x01 };
+CONST_OID pkcs12RSAEncryptionWith40BitRC4[]  = { PKCS12_ENVELOPING_IDS, 0x02 };
+CONST_OID pkcs12RSAEncryptionWithTripleDES[] = { PKCS12_ENVELOPING_IDS, 0x03 }; 
+CONST_OID pkcs12RSASignatureWithSHA1Digest[] = { PKCS12_SIGNATURE_IDS, 0x01 };
+
+/* pkcs 12 version 1.0 ids */
+CONST_OID pkcs12V2PBEWithSha1And128BitRC4[]       = { PKCS12_V2_PBE_IDS, 0x01 };
+CONST_OID pkcs12V2PBEWithSha1And40BitRC4[]        = { PKCS12_V2_PBE_IDS, 0x02 };
+CONST_OID pkcs12V2PBEWithSha1And3KeyTripleDEScbc[]= { PKCS12_V2_PBE_IDS, 0x03 };
+CONST_OID pkcs12V2PBEWithSha1And2KeyTripleDEScbc[]= { PKCS12_V2_PBE_IDS, 0x04 };
+CONST_OID pkcs12V2PBEWithSha1And128BitRC2cbc[]    = { PKCS12_V2_PBE_IDS, 0x05 };
+CONST_OID pkcs12V2PBEWithSha1And40BitRC2cbc[]     = { PKCS12_V2_PBE_IDS, 0x06 };
+
+CONST_OID pkcs12SafeContentsID[]                  = { PKCS12_BAG_IDS, 0x04 };
+CONST_OID pkcs12PKCS8ShroudedKeyBagID[]           = { PKCS12_BAG_IDS, 0x05 };
+
+CONST_OID pkcs12V1KeyBag[]              	= { PKCS12_V1_BAG_IDS, 0x01 };
+CONST_OID pkcs12V1PKCS8ShroudedKeyBag[] 	= { PKCS12_V1_BAG_IDS, 0x02 };
+CONST_OID pkcs12V1CertBag[]             	= { PKCS12_V1_BAG_IDS, 0x03 };
+CONST_OID pkcs12V1CRLBag[]              	= { PKCS12_V1_BAG_IDS, 0x04 };
+CONST_OID pkcs12V1SecretBag[]           	= { PKCS12_V1_BAG_IDS, 0x05 };
+CONST_OID pkcs12V1SafeContentsBag[]     	= { PKCS12_V1_BAG_IDS, 0x06 };
+
+CONST_OID pkcs12KeyUsageAttr[]          	= { 2, 5, 29, 15 };
+
+CONST_OID ansix9DSASignature[]               	= { ANSI_X9_ALGORITHM, 0x01 };
+CONST_OID ansix9DSASignaturewithSHA1Digest[] 	= { ANSI_X9_ALGORITHM, 0x03 };
+
+/* verisign OIDs */
+CONST_OID verisignUserNotices[]     		= { VERISIGN, 1, 7, 1, 1 };
+
+/* pkix OIDs */
+CONST_OID pkixCPSPointerQualifier[] 		= { PKIX_POLICY_QUALIFIERS, 1 };
+CONST_OID pkixUserNoticeQualifier[] 		= { PKIX_POLICY_QUALIFIERS, 2 };
+
+CONST_OID pkixOCSP[]				= { PKIX_OCSP };
+CONST_OID pkixOCSPBasicResponse[]		= { PKIX_OCSP, 1 };
+CONST_OID pkixOCSPNonce[]			= { PKIX_OCSP, 2 };
+CONST_OID pkixOCSPCRL[] 			= { PKIX_OCSP, 3 };
+CONST_OID pkixOCSPResponse[]			= { PKIX_OCSP, 4 };
+CONST_OID pkixOCSPNoCheck[]			= { PKIX_OCSP, 5 };
+CONST_OID pkixOCSPArchiveCutoff[]		= { PKIX_OCSP, 6 };
+CONST_OID pkixOCSPServiceLocator[]		= { PKIX_OCSP, 7 };
+
+CONST_OID pkixRegCtrlRegToken[]       		= { PKIX_ID_REGCTRL, 1};
+CONST_OID pkixRegCtrlAuthenticator[]  		= { PKIX_ID_REGCTRL, 2};
+CONST_OID pkixRegCtrlPKIPubInfo[]     		= { PKIX_ID_REGCTRL, 3};
+CONST_OID pkixRegCtrlPKIArchOptions[] 		= { PKIX_ID_REGCTRL, 4};
+CONST_OID pkixRegCtrlOldCertID[]      		= { PKIX_ID_REGCTRL, 5};
+CONST_OID pkixRegCtrlProtEncKey[]     		= { PKIX_ID_REGCTRL, 6};
+CONST_OID pkixRegInfoUTF8Pairs[]      		= { PKIX_ID_REGINFO, 1};
+CONST_OID pkixRegInfoCertReq[]        		= { PKIX_ID_REGINFO, 2};
+
+CONST_OID pkixExtendedKeyUsageServerAuth[]    	= { PKIX_KEY_USAGE, 1 };
+CONST_OID pkixExtendedKeyUsageClientAuth[]    	= { PKIX_KEY_USAGE, 2 };
+CONST_OID pkixExtendedKeyUsageCodeSign[]      	= { PKIX_KEY_USAGE, 3 };
+CONST_OID pkixExtendedKeyUsageEMailProtect[]  	= { PKIX_KEY_USAGE, 4 };
+CONST_OID pkixExtendedKeyUsageTimeStamp[]     	= { PKIX_KEY_USAGE, 8 };
+CONST_OID pkixOCSPResponderExtendedKeyUsage[] 	= { PKIX_KEY_USAGE, 9 };
+
+/* OIDs for Netscape defined algorithms */
+CONST_OID netscapeSMimeKEA[] 			= { NETSCAPE_ALGS, 0x01 };
+
+/* Fortezza algorithm OIDs */
+CONST_OID skipjackCBC[] 			= { FORTEZZA_ALG, 0x04 };
+CONST_OID dhPublicKey[] 			= { ANSI_X942_ALGORITHM, 0x1 };
+
+CONST_OID aes128_ECB[] 				= { AES, 1 };
+CONST_OID aes128_CBC[] 				= { AES, 2 };
+#ifdef DEFINE_ALL_AES_CIPHERS
+CONST_OID aes128_OFB[] 				= { AES, 3 };
+CONST_OID aes128_CFB[] 				= { AES, 4 };
+#endif
+
+CONST_OID aes192_ECB[] 				= { AES, 21 };
+CONST_OID aes192_CBC[] 				= { AES, 22 };
+#ifdef DEFINE_ALL_AES_CIPHERS
+CONST_OID aes192_OFB[] 				= { AES, 23 };
+CONST_OID aes192_CFB[] 				= { AES, 24 };
+#endif
+
+CONST_OID aes256_ECB[] 				= { AES, 41 };
+CONST_OID aes256_CBC[] 				= { AES, 42 };
+#ifdef DEFINE_ALL_AES_CIPHERS
+CONST_OID aes256_OFB[] 				= { AES, 43 };
+CONST_OID aes256_CFB[] 				= { AES, 44 };
+#endif
+
+#define OI(x) { siDEROID, (unsigned char *)x, sizeof x }
+#ifndef SECOID_NO_STRINGS
+#define OD(oid,tag,desc,mech,ext) { OI(oid), tag, desc, mech, ext }
+#else
+#define OD(oid,tag,desc,mech,ext) { OI(oid), tag, 0, mech, ext }
+#endif
+
+/*
+ * NOTE: the order of these entries must mach the SECOidTag enum in secoidt.h!
+ */
+const static SECOidData oids[] = {
+    { { siDEROID, NULL, 0 }, SEC_OID_UNKNOWN,
+	"Unknown OID", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
+    OD( md2, SEC_OID_MD2, "MD2", CKM_MD2, INVALID_CERT_EXTENSION ),
+    OD( md4, SEC_OID_MD4,
+	"MD4", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( md5, SEC_OID_MD5, "MD5", CKM_MD5, INVALID_CERT_EXTENSION ),
+    OD( sha1, SEC_OID_SHA1, "SHA-1", CKM_SHA_1, INVALID_CERT_EXTENSION ),
+    OD( rc2cbc, SEC_OID_RC2_CBC,
+	"RC2-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION ),
+    OD( rc4, SEC_OID_RC4, "RC4", CKM_RC4, INVALID_CERT_EXTENSION ),
+    OD( desede3cbc, SEC_OID_DES_EDE3_CBC,
+	"DES-EDE3-CBC", CKM_DES3_CBC, INVALID_CERT_EXTENSION ),
+    OD( rc5cbcpad, SEC_OID_RC5_CBC_PAD,
+	"RC5-CBCPad", CKM_RC5_CBC, INVALID_CERT_EXTENSION ),
+    OD( desecb, SEC_OID_DES_ECB,
+	"DES-ECB", CKM_DES_ECB, INVALID_CERT_EXTENSION ),
+    OD( descbc, SEC_OID_DES_CBC,
+	"DES-CBC", CKM_DES_CBC, INVALID_CERT_EXTENSION ),
+    OD( desofb, SEC_OID_DES_OFB,
+	"DES-OFB", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( descfb, SEC_OID_DES_CFB,
+	"DES-CFB", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( desmac, SEC_OID_DES_MAC,
+	"DES-MAC", CKM_DES_MAC, INVALID_CERT_EXTENSION ),
+    OD( desede, SEC_OID_DES_EDE,
+	"DES-EDE", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( isoSHAWithRSASignature, SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE,
+	"ISO SHA with RSA Signature", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs1RSAEncryption, SEC_OID_PKCS1_RSA_ENCRYPTION,
+	"PKCS #1 RSA Encryption", CKM_RSA_PKCS, INVALID_CERT_EXTENSION ),
+
+    /* the following Signing mechanisms should get new CKM_ values when
+     * values for CKM_RSA_WITH_MDX and CKM_RSA_WITH_SHA_1 get defined in
+     * PKCS #11.
+     */
+    OD( pkcs1MD2WithRSAEncryption, SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION,
+	"PKCS #1 MD2 With RSA Encryption", CKM_MD2_RSA_PKCS,
+	INVALID_CERT_EXTENSION ),
+    OD( pkcs1MD4WithRSAEncryption, SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION,
+	"PKCS #1 MD4 With RSA Encryption", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs1MD5WithRSAEncryption, SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,
+	"PKCS #1 MD5 With RSA Encryption", CKM_MD5_RSA_PKCS,
+	INVALID_CERT_EXTENSION ),
+    OD( pkcs1SHA1WithRSAEncryption, SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION,
+	"PKCS #1 SHA-1 With RSA Encryption", CKM_SHA1_RSA_PKCS,
+	INVALID_CERT_EXTENSION ),
+
+    OD( pkcs5PbeWithMD2AndDEScbc, SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC,
+	"PKCS #5 Password Based Encryption with MD2 and DES CBC",
+	CKM_PBE_MD2_DES_CBC, INVALID_CERT_EXTENSION ),
+    OD( pkcs5PbeWithMD5AndDEScbc, SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC,
+	"PKCS #5 Password Based Encryption with MD5 and DES CBC",
+	CKM_PBE_MD5_DES_CBC, INVALID_CERT_EXTENSION ),
+    OD( pkcs5PbeWithSha1AndDEScbc, SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC,
+	"PKCS #5 Password Based Encryption with SHA1 and DES CBC", 
+	CKM_NETSCAPE_PBE_SHA1_DES_CBC, INVALID_CERT_EXTENSION ),
+    OD( pkcs7, SEC_OID_PKCS7,
+	"PKCS #7", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs7Data, SEC_OID_PKCS7_DATA,
+	"PKCS #7 Data", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs7SignedData, SEC_OID_PKCS7_SIGNED_DATA,
+	"PKCS #7 Signed Data", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs7EnvelopedData, SEC_OID_PKCS7_ENVELOPED_DATA,
+	"PKCS #7 Enveloped Data", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs7SignedEnvelopedData, SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA,
+	"PKCS #7 Signed And Enveloped Data", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs7DigestedData, SEC_OID_PKCS7_DIGESTED_DATA,
+	"PKCS #7 Digested Data", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs7EncryptedData, SEC_OID_PKCS7_ENCRYPTED_DATA,
+	"PKCS #7 Encrypted Data", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9EmailAddress, SEC_OID_PKCS9_EMAIL_ADDRESS,
+	"PKCS #9 Email Address", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9UnstructuredName, SEC_OID_PKCS9_UNSTRUCTURED_NAME,
+	"PKCS #9 Unstructured Name", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9ContentType, SEC_OID_PKCS9_CONTENT_TYPE,
+	"PKCS #9 Content Type", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9MessageDigest, SEC_OID_PKCS9_MESSAGE_DIGEST,
+	"PKCS #9 Message Digest", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9SigningTime, SEC_OID_PKCS9_SIGNING_TIME,
+	"PKCS #9 Signing Time", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9CounterSignature, SEC_OID_PKCS9_COUNTER_SIGNATURE,
+	"PKCS #9 Counter Signature", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9ChallengePassword, SEC_OID_PKCS9_CHALLENGE_PASSWORD,
+	"PKCS #9 Challenge Password", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9UnstructuredAddress, SEC_OID_PKCS9_UNSTRUCTURED_ADDRESS,
+	"PKCS #9 Unstructured Address", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9ExtendedCertificateAttributes,
+	SEC_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES,
+	"PKCS #9 Extended Certificate Attributes", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9SMIMECapabilities, SEC_OID_PKCS9_SMIME_CAPABILITIES,
+	"PKCS #9 S/MIME Capabilities", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520CommonName, SEC_OID_AVA_COMMON_NAME,
+	"X520 Common Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520CountryName, SEC_OID_AVA_COUNTRY_NAME,
+	"X520 Country Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520LocalityName, SEC_OID_AVA_LOCALITY,
+	"X520 Locality Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520StateOrProvinceName, SEC_OID_AVA_STATE_OR_PROVINCE,
+	"X520 State Or Province Name", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520OrgName, SEC_OID_AVA_ORGANIZATION_NAME,
+	"X520 Organization Name", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520OrgUnitName, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME,
+	"X520 Organizational Unit Name", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( x520DnQualifier, SEC_OID_AVA_DN_QUALIFIER,
+	"X520 DN Qualifier", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( rfc2247DomainComponent, SEC_OID_AVA_DC,
+	"RFC 2247 Domain Component", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    OD( nsTypeGIF, SEC_OID_NS_TYPE_GIF,
+	"GIF", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( nsTypeJPEG, SEC_OID_NS_TYPE_JPEG,
+	"JPEG", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( nsTypeURL, SEC_OID_NS_TYPE_URL,
+	"URL", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( nsTypeHTML, SEC_OID_NS_TYPE_HTML,
+	"HTML", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( nsTypeCertSeq, SEC_OID_NS_TYPE_CERT_SEQUENCE,
+	"Certificate Sequence", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( missiCertKEADSSOld, SEC_OID_MISSI_KEA_DSS_OLD, 
+	"MISSI KEA and DSS Algorithm (Old)",
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( missiCertDSSOld, SEC_OID_MISSI_DSS_OLD, 
+	"MISSI DSS Algorithm (Old)",
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( missiCertKEADSS, SEC_OID_MISSI_KEA_DSS, 
+	"MISSI KEA and DSS Algorithm",
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( missiCertDSS, SEC_OID_MISSI_DSS, 
+	"MISSI DSS Algorithm",
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( missiCertKEA, SEC_OID_MISSI_KEA, 
+	"MISSI KEA Algorithm",
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( missiCertAltKEA, SEC_OID_MISSI_ALT_KEA, 
+	"MISSI Alternate KEA Algorithm",
+          CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    /* Netscape private extensions */
+    OD( nsCertExtNetscapeOK, SEC_OID_NS_CERT_EXT_NETSCAPE_OK,
+	"Netscape says this cert is OK",
+	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( nsCertExtIssuerLogo, SEC_OID_NS_CERT_EXT_ISSUER_LOGO,
+	"Certificate Issuer Logo",
+	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( nsCertExtSubjectLogo, SEC_OID_NS_CERT_EXT_SUBJECT_LOGO,
+	"Certificate Subject Logo",
+	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( nsExtCertType, SEC_OID_NS_CERT_EXT_CERT_TYPE,
+	"Certificate Type",
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( nsExtBaseURL, SEC_OID_NS_CERT_EXT_BASE_URL,
+	"Certificate Extension Base URL",
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( nsExtRevocationURL, SEC_OID_NS_CERT_EXT_REVOCATION_URL,
+	"Certificate Revocation URL",
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( nsExtCARevocationURL, SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL,
+	"Certificate Authority Revocation URL",
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( nsExtCACRLURL, SEC_OID_NS_CERT_EXT_CA_CRL_URL,
+	"Certificate Authority CRL Download URL",
+	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( nsExtCACertURL, SEC_OID_NS_CERT_EXT_CA_CERT_URL,
+	"Certificate Authority Certificate Download URL",
+	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( nsExtCertRenewalURL, SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL,
+	"Certificate Renewal URL", 
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ), 
+    OD( nsExtCAPolicyURL, SEC_OID_NS_CERT_EXT_CA_POLICY_URL,
+	"Certificate Authority Policy URL",
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( nsExtHomepageURL, SEC_OID_NS_CERT_EXT_HOMEPAGE_URL,
+	"Certificate Homepage URL", 
+	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( nsExtEntityLogo, SEC_OID_NS_CERT_EXT_ENTITY_LOGO,
+	"Certificate Entity Logo", 
+	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( nsExtUserPicture, SEC_OID_NS_CERT_EXT_USER_PICTURE,
+	"Certificate User Picture", 
+	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( nsExtSSLServerName, SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME,
+	"Certificate SSL Server Name", 
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( nsExtComment, SEC_OID_NS_CERT_EXT_COMMENT,
+	"Certificate Comment", 
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( nsExtLostPasswordURL, SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL,
+        "Lost Password URL", 
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( nsExtCertRenewalTime, SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME, 
+	"Certificate Renewal Time", 
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( nsKeyUsageGovtApproved, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED,
+	"Strong Crypto Export Approved",
+	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+
+
+    /* x.509 v3 certificate extensions */
+    OD( x509SubjectDirectoryAttr, SEC_OID_X509_SUBJECT_DIRECTORY_ATTR,
+	"Certificate Subject Directory Attributes",
+	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION),
+    OD( x509SubjectKeyID, SEC_OID_X509_SUBJECT_KEY_ID, 
+	"Certificate Subject Key ID",
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( x509KeyUsage, SEC_OID_X509_KEY_USAGE, 
+	"Certificate Key Usage",
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( x509PrivateKeyUsagePeriod, SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD,
+	"Certificate Private Key Usage Period",
+        CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( x509SubjectAltName, SEC_OID_X509_SUBJECT_ALT_NAME, 
+	"Certificate Subject Alt Name",
+        CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( x509IssuerAltName, SEC_OID_X509_ISSUER_ALT_NAME, 
+	"Certificate Issuer Alt Name",
+        CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( x509BasicConstraints, SEC_OID_X509_BASIC_CONSTRAINTS, 
+	"Certificate Basic Constraints",
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( x509NameConstraints, SEC_OID_X509_NAME_CONSTRAINTS, 
+	"Certificate Name Constraints",
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( x509CRLDistPoints, SEC_OID_X509_CRL_DIST_POINTS, 
+	"CRL Distribution Points",
+	CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( x509CertificatePolicies, SEC_OID_X509_CERTIFICATE_POLICIES,
+	"Certificate Policies",
+        CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( x509PolicyMappings, SEC_OID_X509_POLICY_MAPPINGS, 
+	"Certificate Policy Mappings",
+        CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( x509PolicyConstraints, SEC_OID_X509_POLICY_CONSTRAINTS, 
+	"Certificate Policy Constraints",
+        CKM_INVALID_MECHANISM, UNSUPPORTED_CERT_EXTENSION ),
+    OD( x509AuthKeyID, SEC_OID_X509_AUTH_KEY_ID, 
+	"Certificate Authority Key Identifier",
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( x509ExtKeyUsage, SEC_OID_X509_EXT_KEY_USAGE, 
+	"Extended Key Usage",
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( x509AuthInfoAccess, SEC_OID_X509_AUTH_INFO_ACCESS, 
+	"Authority Information Access",
+        CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+
+    /* x.509 v3 CRL extensions */
+    OD( x509CrlNumber, SEC_OID_X509_CRL_NUMBER, 
+	"CRL Number", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( x509ReasonCode, SEC_OID_X509_REASON_CODE, 
+	"CRL reason code", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( x509InvalidDate, SEC_OID_X509_INVALID_DATE, 
+	"Invalid Date", CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+	
+    OD( x500RSAEncryption, SEC_OID_X500_RSA_ENCRYPTION,
+	"X500 RSA Encryption", CKM_RSA_X_509, INVALID_CERT_EXTENSION ),
+
+    /* added for alg 1485 */
+    OD( rfc1274Uid, SEC_OID_RFC1274_UID,
+	"RFC1274 User Id", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( rfc1274Mail, SEC_OID_RFC1274_MAIL,
+	"RFC1274 E-mail Address", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    /* pkcs 12 additions */
+    OD( pkcs12, SEC_OID_PKCS12,
+	"PKCS #12", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12ModeIDs, SEC_OID_PKCS12_MODE_IDS,
+	"PKCS #12 Mode IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12ESPVKIDs, SEC_OID_PKCS12_ESPVK_IDS,
+	"PKCS #12 ESPVK IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12BagIDs, SEC_OID_PKCS12_BAG_IDS,
+	"PKCS #12 Bag IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12CertBagIDs, SEC_OID_PKCS12_CERT_BAG_IDS,
+	"PKCS #12 Cert Bag IDs", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12OIDs, SEC_OID_PKCS12_OIDS,
+	"PKCS #12 OIDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12PBEIDs, SEC_OID_PKCS12_PBE_IDS,
+	"PKCS #12 PBE IDs", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12SignatureIDs, SEC_OID_PKCS12_SIGNATURE_IDS,
+	"PKCS #12 Signature IDs", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12EnvelopingIDs, SEC_OID_PKCS12_ENVELOPING_IDS,
+	"PKCS #12 Enveloping IDs", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12PKCS8KeyShrouding, SEC_OID_PKCS12_PKCS8_KEY_SHROUDING,
+	"PKCS #12 Key Shrouding", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12KeyBagID, SEC_OID_PKCS12_KEY_BAG_ID,
+	"PKCS #12 Key Bag ID", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12CertAndCRLBagID, SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID,
+	"PKCS #12 Cert And CRL Bag ID", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12SecretBagID, SEC_OID_PKCS12_SECRET_BAG_ID,
+	"PKCS #12 Secret Bag ID", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12X509CertCRLBag, SEC_OID_PKCS12_X509_CERT_CRL_BAG,
+	"PKCS #12 X509 Cert CRL Bag", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12SDSICertBag, SEC_OID_PKCS12_SDSI_CERT_BAG,
+	"PKCS #12 SDSI Cert Bag", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12PBEWithSha1And128BitRC4,
+	SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4,
+	"PKCS #12 PBE With Sha1 and 128 Bit RC4", 
+	CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4, INVALID_CERT_EXTENSION ),
+    OD( pkcs12PBEWithSha1And40BitRC4,
+	SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4,
+	"PKCS #12 PBE With Sha1 and 40 Bit RC4", 
+	CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4, INVALID_CERT_EXTENSION ),
+    OD( pkcs12PBEWithSha1AndTripleDESCBC,
+	SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC,
+	"PKCS #12 PBE With Sha1 and Triple DES CBC", 
+	CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, INVALID_CERT_EXTENSION ),
+    OD( pkcs12PBEWithSha1And128BitRC2CBC,
+	SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC,
+	"PKCS #12 PBE With Sha1 and 128 Bit RC2 CBC", 
+	CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC, INVALID_CERT_EXTENSION ),
+    OD( pkcs12PBEWithSha1And40BitRC2CBC,
+	SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC,
+	"PKCS #12 PBE With Sha1 and 40 Bit RC2 CBC", 
+	CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC, INVALID_CERT_EXTENSION ),
+    OD( pkcs12RSAEncryptionWith128BitRC4,
+	SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_128_BIT_RC4,
+	"PKCS #12 RSA Encryption with 128 Bit RC4",
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12RSAEncryptionWith40BitRC4,
+	SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_40_BIT_RC4,
+	"PKCS #12 RSA Encryption with 40 Bit RC4",
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12RSAEncryptionWithTripleDES,
+	SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_TRIPLE_DES,
+	"PKCS #12 RSA Encryption with Triple DES",
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12RSASignatureWithSHA1Digest,
+	SEC_OID_PKCS12_RSA_SIGNATURE_WITH_SHA1_DIGEST,
+	"PKCS #12 RSA Encryption with Triple DES",
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    /* DSA signatures */
+    OD( ansix9DSASignature, SEC_OID_ANSIX9_DSA_SIGNATURE,
+	"ANSI X9.57 DSA Signature", CKM_DSA, INVALID_CERT_EXTENSION ),
+    OD( ansix9DSASignaturewithSHA1Digest,
+        SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST,
+	"ANSI X9.57 DSA Signature with SHA1 Digest", 
+	CKM_DSA_SHA1, INVALID_CERT_EXTENSION ),
+    OD( bogusDSASignaturewithSHA1Digest,
+        SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST,
+	"FORTEZZA DSA Signature with SHA1 Digest", 
+	CKM_DSA_SHA1, INVALID_CERT_EXTENSION ),
+
+    /* verisign oids */
+    OD( verisignUserNotices, SEC_OID_VERISIGN_USER_NOTICES,
+	"Verisign User Notices", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    /* pkix oids */
+    OD( pkixCPSPointerQualifier, SEC_OID_PKIX_CPS_POINTER_QUALIFIER,
+	"PKIX CPS Pointer Qualifier", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkixUserNoticeQualifier, SEC_OID_PKIX_USER_NOTICE_QUALIFIER,
+	"PKIX User Notice Qualifier", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    OD( pkixOCSP, SEC_OID_PKIX_OCSP,
+	"PKIX Online Certificate Status Protocol", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkixOCSPBasicResponse, SEC_OID_PKIX_OCSP_BASIC_RESPONSE,
+	"OCSP Basic Response", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkixOCSPNonce, SEC_OID_PKIX_OCSP_NONCE,
+	"OCSP Nonce Extension", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkixOCSPCRL, SEC_OID_PKIX_OCSP_CRL,
+	"OCSP CRL Reference Extension", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkixOCSPResponse, SEC_OID_PKIX_OCSP_RESPONSE,
+	"OCSP Response Types Extension", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkixOCSPNoCheck, SEC_OID_PKIX_OCSP_NO_CHECK,
+	"OCSP No Check Extension", 
+	CKM_INVALID_MECHANISM, SUPPORTED_CERT_EXTENSION ),
+    OD( pkixOCSPArchiveCutoff, SEC_OID_PKIX_OCSP_ARCHIVE_CUTOFF,
+	"OCSP Archive Cutoff Extension", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkixOCSPServiceLocator, SEC_OID_PKIX_OCSP_SERVICE_LOCATOR,
+	"OCSP Service Locator Extension", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    OD( pkixRegCtrlRegToken, SEC_OID_PKIX_REGCTRL_REGTOKEN,
+        "PKIX CRMF Registration Control, Registration Token", 
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkixRegCtrlAuthenticator, SEC_OID_PKIX_REGCTRL_AUTHENTICATOR,
+        "PKIX CRMF Registration Control, Registration Authenticator", 
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkixRegCtrlPKIPubInfo, SEC_OID_PKIX_REGCTRL_PKIPUBINFO,
+        "PKIX CRMF Registration Control, PKI Publication Info", 
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD( pkixRegCtrlPKIArchOptions,
+        SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS,
+        "PKIX CRMF Registration Control, PKI Archive Options", 
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD( pkixRegCtrlOldCertID, SEC_OID_PKIX_REGCTRL_OLD_CERT_ID,
+        "PKIX CRMF Registration Control, Old Certificate ID", 
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD( pkixRegCtrlProtEncKey, SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY,
+        "PKIX CRMF Registration Control, Protocol Encryption Key", 
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD( pkixRegInfoUTF8Pairs, SEC_OID_PKIX_REGINFO_UTF8_PAIRS,
+        "PKIX CRMF Registration Info, UTF8 Pairs", 
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD( pkixRegInfoCertReq, SEC_OID_PKIX_REGINFO_CERT_REQUEST,
+        "PKIX CRMF Registration Info, Certificate Request", 
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD( pkixExtendedKeyUsageServerAuth,
+        SEC_OID_EXT_KEY_USAGE_SERVER_AUTH,
+        "TLS Web Server Authentication Certificate",
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD( pkixExtendedKeyUsageClientAuth,
+        SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH,
+        "TLS Web Client Authentication Certificate",
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD( pkixExtendedKeyUsageCodeSign, SEC_OID_EXT_KEY_USAGE_CODE_SIGN,
+        "Code Signing Certificate",
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD( pkixExtendedKeyUsageEMailProtect,
+        SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT,
+        "E-Mail Protection Certificate",
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD( pkixExtendedKeyUsageTimeStamp,
+        SEC_OID_EXT_KEY_USAGE_TIME_STAMP,
+        "Time Stamping Certifcate",
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD( pkixOCSPResponderExtendedKeyUsage, SEC_OID_OCSP_RESPONDER,
+          "OCSP Responder Certificate",
+          CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+
+    /* Netscape Algorithm OIDs */
+
+    OD( netscapeSMimeKEA, SEC_OID_NETSCAPE_SMIME_KEA,
+	"Netscape S/MIME KEA", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+      /* Skipjack OID -- ### mwelch temporary */
+    OD( skipjackCBC, SEC_OID_FORTEZZA_SKIPJACK,
+	"Skipjack CBC64", CKM_SKIPJACK_CBC64, INVALID_CERT_EXTENSION ),
+
+    /* pkcs12 v2 oids */
+    OD( pkcs12V2PBEWithSha1And128BitRC4,
+        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4,
+	"PKCS12 V2 PBE With SHA1 And 128 Bit RC4", 
+	CKM_PBE_SHA1_RC4_128, INVALID_CERT_EXTENSION ),
+    OD( pkcs12V2PBEWithSha1And40BitRC4,
+        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4,
+	"PKCS12 V2 PBE With SHA1 And 40 Bit RC4", 
+	CKM_PBE_SHA1_RC4_40, INVALID_CERT_EXTENSION ),
+    OD( pkcs12V2PBEWithSha1And3KeyTripleDEScbc,
+        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC,
+	"PKCS12 V2 PBE With SHA1 And 3KEY Triple DES-cbc", 
+	CKM_PBE_SHA1_DES3_EDE_CBC, INVALID_CERT_EXTENSION ),
+    OD( pkcs12V2PBEWithSha1And2KeyTripleDEScbc,
+        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC,
+	"PKCS12 V2 PBE With SHA1 And 2KEY Triple DES-cbc", 
+	CKM_PBE_SHA1_DES2_EDE_CBC, INVALID_CERT_EXTENSION ),
+    OD( pkcs12V2PBEWithSha1And128BitRC2cbc,
+        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC,
+	"PKCS12 V2 PBE With SHA1 And 128 Bit RC2 CBC", 
+	CKM_PBE_SHA1_RC2_128_CBC, INVALID_CERT_EXTENSION ),
+    OD( pkcs12V2PBEWithSha1And40BitRC2cbc,
+        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC,
+	"PKCS12 V2 PBE With SHA1 And 40 Bit RC2 CBC", 
+	CKM_PBE_SHA1_RC2_40_CBC, INVALID_CERT_EXTENSION ),
+    OD( pkcs12SafeContentsID, SEC_OID_PKCS12_SAFE_CONTENTS_ID,
+	"PKCS #12 Safe Contents ID", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12PKCS8ShroudedKeyBagID,
+	SEC_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG_ID,
+	"PKCS #12 Safe Contents ID", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12V1KeyBag, SEC_OID_PKCS12_V1_KEY_BAG_ID,
+	"PKCS #12 V1 Key Bag", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12V1PKCS8ShroudedKeyBag,
+	SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID,
+	"PKCS #12 V1 PKCS8 Shrouded Key Bag", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12V1CertBag, SEC_OID_PKCS12_V1_CERT_BAG_ID,
+	"PKCS #12 V1 Cert Bag", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12V1CRLBag, SEC_OID_PKCS12_V1_CRL_BAG_ID,
+	"PKCS #12 V1 CRL Bag", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12V1SecretBag, SEC_OID_PKCS12_V1_SECRET_BAG_ID,
+	"PKCS #12 V1 Secret Bag", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs12V1SafeContentsBag, SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID,
+	"PKCS #12 V1 Safe Contents Bag", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    OD( pkcs9X509Certificate, SEC_OID_PKCS9_X509_CERT,
+	"PKCS #9 X509 Certificate", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9SDSICertificate, SEC_OID_PKCS9_SDSI_CERT,
+	"PKCS #9 SDSI Certificate", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9X509CRL, SEC_OID_PKCS9_X509_CRL,
+	"PKCS #9 X509 CRL", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9FriendlyName, SEC_OID_PKCS9_FRIENDLY_NAME,
+	"PKCS #9 Friendly Name", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( pkcs9LocalKeyID, SEC_OID_PKCS9_LOCAL_KEY_ID,
+	"PKCS #9 Local Key ID", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ), 
+    OD( pkcs12KeyUsageAttr, SEC_OID_PKCS12_KEY_USAGE,
+	"PKCS 12 Key Usage", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+    OD( dhPublicKey, SEC_OID_X942_DIFFIE_HELMAN_KEY,
+	"Diffie-Helman Public Key", CKM_DH_PKCS_DERIVE,
+	INVALID_CERT_EXTENSION ),
+    OD( netscapeNickname, SEC_OID_NETSCAPE_NICKNAME,
+	"Netscape Nickname", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    /* Cert Server specific OIDs */
+    OD( netscapeRecoveryRequest, SEC_OID_NETSCAPE_RECOVERY_REQUEST,
+        "Recovery Request OID", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    OD( nsExtAIACertRenewal, SEC_OID_CERT_RENEWAL_LOCATOR,
+        "Certificate Renewal Locator OID", CKM_INVALID_MECHANISM,
+        INVALID_CERT_EXTENSION ), 
+
+    OD( nsExtCertScopeOfUse, SEC_OID_NS_CERT_EXT_SCOPE_OF_USE,
+        "Certificate Scope-of-Use Extension", CKM_INVALID_MECHANISM,
+        SUPPORTED_CERT_EXTENSION ),
+
+    /* CMS stuff */
+    OD( cmsESDH, SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN,
+        "Ephemeral-Static Diffie-Hellman", CKM_INVALID_MECHANISM /* XXX */,
+        INVALID_CERT_EXTENSION ),
+    OD( cms3DESwrap, SEC_OID_CMS_3DES_KEY_WRAP,
+        "CMS 3DES Key Wrap", CKM_INVALID_MECHANISM /* XXX */,
+        INVALID_CERT_EXTENSION ),
+    OD( cmsRC2wrap, SEC_OID_CMS_RC2_KEY_WRAP,
+        "CMS RC2 Key Wrap", CKM_INVALID_MECHANISM /* XXX */,
+        INVALID_CERT_EXTENSION ),
+    OD( smimeEncryptionKeyPreference, SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE,
+	"S/MIME Encryption Key Preference", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+    /* AES algorithm OIDs */
+    OD( aes128_ECB, SEC_OID_AES_128_ECB,
+	"AES-128-ECB", CKM_AES_ECB, INVALID_CERT_EXTENSION ),
+    OD( aes128_CBC, SEC_OID_AES_128_CBC,
+	"AES-128-CBC", CKM_AES_CBC, INVALID_CERT_EXTENSION ),
+    OD( aes192_ECB, SEC_OID_AES_192_ECB,
+	"AES-192-ECB", CKM_AES_ECB, INVALID_CERT_EXTENSION ),
+    OD( aes192_CBC, SEC_OID_AES_192_CBC,
+	"AES-192-CBC", CKM_AES_CBC, INVALID_CERT_EXTENSION ),
+    OD( aes256_ECB, SEC_OID_AES_256_ECB,
+	"AES-256-ECB", CKM_AES_ECB, INVALID_CERT_EXTENSION ),
+    OD( aes256_CBC, SEC_OID_AES_256_CBC,
+	"AES-256-CBC", CKM_AES_CBC, INVALID_CERT_EXTENSION ),
+
+    /* More bogus DSA OIDs */
+    OD( sdn702DSASignature, SEC_OID_SDN702_DSA_SIGNATURE, 
+	"SDN.702 DSA Signature", CKM_DSA_SHA1, INVALID_CERT_EXTENSION ),
+};
+
+/*
+ * now the dynamic table. The dynamic table gets build at init time.
+ *  and gets modified if the user loads new crypto modules.
+ */
+
+static PLHashTable *oid_d_hash = 0;
+static SECOidData **secoidDynamicTable = NULL;
+static int secoidDynamicTableSize = 0;
+static int secoidLastDynamicEntry = 0;
+static int secoidLastHashEntry = 0;
+
+static SECStatus
+secoid_DynamicRehash(void)
+{
+    SECOidData *oid;
+    PLHashEntry *entry;
+    int i;
+    int last = secoidLastDynamicEntry;
+
+    if (!oid_d_hash) {
+        oid_d_hash = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
+			PL_CompareValues, NULL, NULL);
+    }
+
+
+    if ( !oid_d_hash ) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	return(SECFailure);
+    }
+
+    for ( i = secoidLastHashEntry; i < last; i++ ) {
+	oid = secoidDynamicTable[i];
+
+	entry = PL_HashTableAdd( oid_d_hash, &oid->oid, oid );
+	if ( entry == NULL ) {
+	    return(SECFailure);
+	}
+    }
+    secoidLastHashEntry = last;
+    return(SECSuccess);
+}
+
+
+
+/*
+ * Lookup a Dynamic OID. Dynamic OID's still change slowly, so it's
+ * cheaper to rehash the table when it changes than it is to do the loop
+ * each time. Worry: what about thread safety here? Global Static data with
+ * no locks.... (sigh).
+ */
+static SECOidData *
+secoid_FindDynamic(SECItem *key) {
+    SECOidData *ret = NULL;
+    if (secoidDynamicTable == NULL) {
+	/* PORT_SetError! */
+	return NULL;
+    }
+    if (secoidLastHashEntry != secoidLastDynamicEntry) {
+	SECStatus rv = secoid_DynamicRehash();
+	if ( rv != SECSuccess ) {
+	    return NULL;
+	}
+    }
+    ret = (SECOidData *)PL_HashTableLookup (oid_d_hash, key);
+    return ret;
+	
+}
+
+static SECOidData *
+secoid_FindDynamicByTag(SECOidTag tagnum)
+{
+    int tagNumDiff;
+
+    if (secoidDynamicTable == NULL) {
+	return NULL;
+    }
+
+    if (tagnum < SEC_OID_TOTAL) {
+	return NULL;
+    }
+
+    tagNumDiff = tagnum - SEC_OID_TOTAL;
+    if (tagNumDiff >= secoidLastDynamicEntry) {
+	return NULL;
+    }
+
+    return(secoidDynamicTable[tagNumDiff]);
+}
+
+/*
+ * this routine is definately not thread safe. It is only called out
+ * of the UI, or at init time. If we want to call it any other time,
+ * we need to make it thread safe.
+ */
+SECStatus
+SECOID_AddEntry(SECItem *oid, char *description, unsigned long mech) {
+    SECOidData *oiddp = (SECOidData *)PORT_Alloc(sizeof(SECOidData));
+    int last = secoidLastDynamicEntry;
+    int tableSize = secoidDynamicTableSize;
+    int next = last++;
+    SECOidData **newTable = secoidDynamicTable;
+    SECOidData **oldTable = NULL;
+
+    if (oid == NULL) {
+	return SECFailure;
+    }
+
+    /* fill in oid structure */
+    if (SECITEM_CopyItem(NULL,&oiddp->oid,oid) != SECSuccess) {
+	PORT_Free(oiddp);
+	return SECFailure;
+    }
+    oiddp->offset = (SECOidTag)(next + SEC_OID_TOTAL);
+    /* may we should just reference the copy passed to us? */
+    oiddp->desc = PORT_Strdup(description);
+    oiddp->mechanism = mech;
+
+
+    if (last > tableSize) {
+	int oldTableSize = tableSize;
+	tableSize += 10;
+	oldTable = newTable;
+	newTable = (SECOidData **)PORT_ZAlloc(sizeof(SECOidData *)*tableSize);
+	if (newTable == NULL) {
+	   PORT_Free(oiddp->oid.data);
+	   PORT_Free(oiddp);
+	   return SECFailure;
+	}
+	PORT_Memcpy(newTable,oldTable,sizeof(SECOidData *)*oldTableSize);
+	PORT_Free(oldTable);
+    }
+
+    newTable[next] = oiddp;
+    secoidDynamicTable = newTable;
+    secoidDynamicTableSize = tableSize;
+    secoidLastDynamicEntry= last;
+    return SECSuccess;
+}
+	
+
+/* normal static table processing */
+static PLHashTable *oidhash     = NULL;
+static PLHashTable *oidmechhash = NULL;
+
+static PLHashNumber
+secoid_HashNumber(const void *key)
+{
+    return (PLHashNumber) key;
+}
+
+
+static SECStatus
+InitOIDHash(void)
+{
+    PLHashEntry *entry;
+    const SECOidData *oid;
+    int i;
+    
+    oidhash = PL_NewHashTable(0, SECITEM_Hash, SECITEM_HashCompare,
+			PL_CompareValues, NULL, NULL);
+    oidmechhash = PL_NewHashTable(0, secoid_HashNumber, PL_CompareValues,
+			PL_CompareValues, NULL, NULL);
+
+    if ( !oidhash || !oidmechhash) {
+	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ 	PORT_Assert(0); /*This function should never fail. */
+	return(SECFailure);
+    }
+
+    for ( i = 0; i < ( sizeof(oids) / sizeof(SECOidData) ); i++ ) {
+	oid = &oids[i];
+
+	PORT_Assert ( oid->offset == i );
+
+	entry = PL_HashTableAdd( oidhash, &oid->oid, (void *)oid );
+	if ( entry == NULL ) {
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+            PORT_Assert(0); /*This function should never fail. */
+	    return(SECFailure);
+	}
+
+	if ( oid->mechanism != CKM_INVALID_MECHANISM ) {
+	    entry = PL_HashTableAdd( oidmechhash, 
+					(void *)oid->mechanism, (void *)oid );
+	    if ( entry == NULL ) {
+	        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+                PORT_Assert(0); /* This function should never fail. */
+		return(SECFailure);
+	    }
+	}
+    }
+
+    PORT_Assert (i == SEC_OID_TOTAL);
+
+    return(SECSuccess);
+}
+
+SECOidData *
+SECOID_FindOIDByMechanism(unsigned long mechanism)
+{
+    SECOidData *ret;
+    int rv;
+
+    if ( !oidhash ) {
+        rv = InitOIDHash();
+	if ( rv != SECSuccess ) {
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    return NULL;
+	}
+    }
+    ret = PL_HashTableLookupConst ( oidmechhash, (void *)mechanism);
+    if ( ret == NULL ) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+    }
+
+    return (ret);
+}
+
+SECOidData *
+SECOID_FindOID(SECItem *oid)
+{
+    SECOidData *ret;
+    int rv;
+    
+    if ( !oidhash ) {
+	rv = InitOIDHash();
+	if ( rv != SECSuccess ) {
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    return NULL;
+	}
+    }
+    
+    ret = PL_HashTableLookupConst ( oidhash, oid );
+    if ( ret == NULL ) {
+	ret  = secoid_FindDynamic(oid);
+	if (ret == NULL) {
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	}
+    }
+
+    return(ret);
+}
+
+SECOidTag
+SECOID_FindOIDTag(SECItem *oid)
+{
+    SECOidData *oiddata;
+
+    oiddata = SECOID_FindOID (oid);
+    if (oiddata == NULL)
+	return SEC_OID_UNKNOWN;
+
+    return oiddata->offset;
+}
+
+/* This really should return const. */
+SECOidData *
+SECOID_FindOIDByTag(SECOidTag tagnum)
+{
+
+    if (tagnum >= SEC_OID_TOTAL) {
+	return secoid_FindDynamicByTag(tagnum);
+    }
+
+    PORT_Assert((unsigned int)tagnum < (sizeof(oids) / sizeof(SECOidData)));
+    return (SECOidData *)(&oids[tagnum]);
+}
+
+PRBool SECOID_KnownCertExtenOID (SECItem *extenOid)
+{
+    SECOidData * oidData;
+
+    oidData = SECOID_FindOID (extenOid);
+    if (oidData == (SECOidData *)NULL)
+	return (PR_FALSE);
+    return ((oidData->supportedExtension == SUPPORTED_CERT_EXTENSION) ?
+            PR_TRUE : PR_FALSE);
+}
+
+
+const char *
+SECOID_FindOIDTagDescription(SECOidTag tagnum)
+{
+  const SECOidData *oidData = SECOID_FindOIDByTag(tagnum);
+  return oidData ? oidData->desc : 0;
+}
+
+/*
+ * free up the oid tables.
+ */
+SECStatus
+SECOID_Shutdown(void)
+{
+    int i;
+
+    if (oidhash) {
+	PL_HashTableDestroy(oidhash);
+	oidhash = NULL;
+    }
+    if (oidmechhash) {
+	PL_HashTableDestroy(oidmechhash);
+	oidmechhash = NULL;
+    }
+    if (oid_d_hash) {
+	PL_HashTableDestroy(oid_d_hash);
+	oid_d_hash = NULL;
+    }
+    if (secoidDynamicTable) {
+	for (i=0; i < secoidLastDynamicEntry; i++) {
+	    PORT_Free(secoidDynamicTable[i]);
+	}
+	PORT_Free(secoidDynamicTable);
+	secoidDynamicTable = NULL;
+	secoidDynamicTableSize = 0;
+	secoidLastDynamicEntry = 0;
+	secoidLastHashEntry = 0;
+    }
+    return SECSuccess;
+}
diff --git a/security/nss/lib/util/secoid.h b/security/nss/lib/util/secoid.h
new file mode 100644
index 000000000..a77bc60ba
--- /dev/null
+++ b/security/nss/lib/util/secoid.h
@@ -0,0 +1,120 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _SECOID_H_
+#define _SECOID_H_
+/*
+ * secoid.h - public data structures and prototypes for ASN.1 OID functions
+ *
+ * $Id$
+ */
+
+#include "plarena.h"
+
+#include "seccomon.h"
+#include "secoidt.h"
+#include "secasn1t.h"
+
+SEC_BEGIN_PROTOS
+
+extern const SEC_ASN1Template SECOID_AlgorithmIDTemplate[];
+
+/* This functions simply returns the address of the above-declared template. */
+SEC_ASN1_CHOOSER_DECLARE(SECOID_AlgorithmIDTemplate)
+
+/*
+ * OID handling routines
+ */
+extern SECOidData *SECOID_FindOID(SECItem *oid);
+extern SECOidTag SECOID_FindOIDTag(SECItem *oid);
+extern SECOidData *SECOID_FindOIDByTag(SECOidTag tagnum);
+extern SECOidData *SECOID_FindOIDByMechanism(unsigned long mechanism);
+
+/****************************************/
+/*
+** Algorithm id handling operations
+*/
+
+/*
+** Fill in an algorithm-ID object given a tag and some parameters.
+** 	"aid" where the DER encoded algorithm info is stored (memory
+**	   is allocated)
+**	"tag" the tag defining the algorithm (SEC_OID_*)
+**	"params" if not NULL, the parameters to go with the algorithm
+*/
+extern SECStatus SECOID_SetAlgorithmID(PRArenaPool *arena, SECAlgorithmID *aid,
+				   SECOidTag tag, SECItem *params);
+
+/*
+** Copy the "src" object to "dest". Memory is allocated in "dest" for
+** each of the appropriate sub-objects. Memory in "dest" is not freed
+** before memory is allocated (use SECOID_DestroyAlgorithmID(dest, PR_FALSE)
+** to do that).
+*/
+extern SECStatus SECOID_CopyAlgorithmID(PRArenaPool *arena, SECAlgorithmID *dest,
+				    SECAlgorithmID *src);
+
+/*
+** Get the SEC_OID_* tag for the given algorithm-id object.
+*/
+extern SECOidTag SECOID_GetAlgorithmTag(SECAlgorithmID *aid);
+
+/*
+** Destroy an algorithm-id object.
+**	"aid" the certificate-request to destroy
+**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void SECOID_DestroyAlgorithmID(SECAlgorithmID *aid, PRBool freeit);
+
+/*
+** Compare two algorithm-id objects, returning the difference between
+** them.
+*/
+extern SECComparison SECOID_CompareAlgorithmID(SECAlgorithmID *a,
+					   SECAlgorithmID *b);
+
+extern PRBool SECOID_KnownCertExtenOID (SECItem *extenOid);
+
+/* Given a SEC_OID_* tag, return a string describing it.
+ */
+extern const char *SECOID_FindOIDTagDescription(SECOidTag tagnum);
+
+/*
+ * free up the oid data structures.
+ */
+extern SECStatus SECOID_Shutdown(void);
+
+
+SEC_END_PROTOS
+
+#endif /* _SECOID_H_ */
diff --git a/security/nss/lib/util/secoidt.h b/security/nss/lib/util/secoidt.h
new file mode 100644
index 000000000..7ce1f4cf4
--- /dev/null
+++ b/security/nss/lib/util/secoidt.h
@@ -0,0 +1,320 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef _SECOIDT_H_
+#define _SECOIDT_H_
+/*
+ * secoidt.h - public data structures for ASN.1 OID functions
+ *
+ * $Id$
+ */
+
+#include "secitem.h"
+
+typedef struct SECOidDataStr SECOidData;
+typedef struct SECAlgorithmIDStr SECAlgorithmID;
+
+/*
+** An X.500 algorithm identifier
+*/
+struct SECAlgorithmIDStr {
+    SECItem algorithm;
+    SECItem parameters;
+};
+
+/*
+ * Misc object IDs - these numbers are for convenient handling.
+ * They are mapped into real object IDs
+ *
+ * NOTE: the order of these entries must mach the array "oids" of SECOidData
+ * in util/secoid.c.
+ */
+typedef enum {
+    SEC_OID_UNKNOWN = 0,
+    SEC_OID_MD2 = 1,
+    SEC_OID_MD4 = 2,
+    SEC_OID_MD5 = 3,
+    SEC_OID_SHA1 = 4,
+    SEC_OID_RC2_CBC = 5,
+    SEC_OID_RC4 = 6,
+    SEC_OID_DES_EDE3_CBC = 7,
+    SEC_OID_RC5_CBC_PAD = 8,
+    SEC_OID_DES_ECB = 9,
+    SEC_OID_DES_CBC = 10,
+    SEC_OID_DES_OFB = 11,
+    SEC_OID_DES_CFB = 12,
+    SEC_OID_DES_MAC = 13,
+    SEC_OID_DES_EDE = 14,
+    SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE = 15,
+    SEC_OID_PKCS1_RSA_ENCRYPTION = 16,
+    SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION = 17,
+    SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION = 18,
+    SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION = 19,
+    SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION = 20,
+    SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC = 21,
+    SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC = 22,
+    SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC = 23,
+    SEC_OID_PKCS7 = 24,
+    SEC_OID_PKCS7_DATA = 25,
+    SEC_OID_PKCS7_SIGNED_DATA = 26,
+    SEC_OID_PKCS7_ENVELOPED_DATA = 27,
+    SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA = 28,
+    SEC_OID_PKCS7_DIGESTED_DATA = 29,
+    SEC_OID_PKCS7_ENCRYPTED_DATA = 30,
+    SEC_OID_PKCS9_EMAIL_ADDRESS = 31,
+    SEC_OID_PKCS9_UNSTRUCTURED_NAME = 32,
+    SEC_OID_PKCS9_CONTENT_TYPE = 33,
+    SEC_OID_PKCS9_MESSAGE_DIGEST = 34,
+    SEC_OID_PKCS9_SIGNING_TIME = 35,
+    SEC_OID_PKCS9_COUNTER_SIGNATURE = 36,
+    SEC_OID_PKCS9_CHALLENGE_PASSWORD = 37,
+    SEC_OID_PKCS9_UNSTRUCTURED_ADDRESS = 38,
+    SEC_OID_PKCS9_EXTENDED_CERTIFICATE_ATTRIBUTES = 39,
+    SEC_OID_PKCS9_SMIME_CAPABILITIES = 40,
+    SEC_OID_AVA_COMMON_NAME = 41,
+    SEC_OID_AVA_COUNTRY_NAME = 42,
+    SEC_OID_AVA_LOCALITY = 43,
+    SEC_OID_AVA_STATE_OR_PROVINCE = 44,
+    SEC_OID_AVA_ORGANIZATION_NAME = 45,
+    SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME = 46,
+    SEC_OID_AVA_DN_QUALIFIER = 47,
+    SEC_OID_AVA_DC = 48,
+
+    SEC_OID_NS_TYPE_GIF = 49,
+    SEC_OID_NS_TYPE_JPEG = 50,
+    SEC_OID_NS_TYPE_URL = 51,
+    SEC_OID_NS_TYPE_HTML = 52,
+    SEC_OID_NS_TYPE_CERT_SEQUENCE = 53,
+    SEC_OID_MISSI_KEA_DSS_OLD = 54,
+    SEC_OID_MISSI_DSS_OLD = 55,
+    SEC_OID_MISSI_KEA_DSS = 56,
+    SEC_OID_MISSI_DSS = 57,
+    SEC_OID_MISSI_KEA = 58,
+    SEC_OID_MISSI_ALT_KEA = 59,
+
+    /* Netscape private certificate extensions */
+    SEC_OID_NS_CERT_EXT_NETSCAPE_OK = 60,
+    SEC_OID_NS_CERT_EXT_ISSUER_LOGO = 61,
+    SEC_OID_NS_CERT_EXT_SUBJECT_LOGO = 62,
+    SEC_OID_NS_CERT_EXT_CERT_TYPE = 63,
+    SEC_OID_NS_CERT_EXT_BASE_URL = 64,
+    SEC_OID_NS_CERT_EXT_REVOCATION_URL = 65,
+    SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL = 66,
+    SEC_OID_NS_CERT_EXT_CA_CRL_URL = 67,
+    SEC_OID_NS_CERT_EXT_CA_CERT_URL = 68,
+    SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL = 69,
+    SEC_OID_NS_CERT_EXT_CA_POLICY_URL = 70,
+    SEC_OID_NS_CERT_EXT_HOMEPAGE_URL = 71,
+    SEC_OID_NS_CERT_EXT_ENTITY_LOGO = 72,
+    SEC_OID_NS_CERT_EXT_USER_PICTURE = 73,
+    SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME = 74,
+    SEC_OID_NS_CERT_EXT_COMMENT = 75,
+    SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL = 76,
+    SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME = 77,
+    SEC_OID_NS_KEY_USAGE_GOVT_APPROVED = 78,
+
+    /* x.509 v3 Extensions */
+    SEC_OID_X509_SUBJECT_DIRECTORY_ATTR = 79,
+    SEC_OID_X509_SUBJECT_KEY_ID = 80,
+    SEC_OID_X509_KEY_USAGE = 81,
+    SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD = 82,
+    SEC_OID_X509_SUBJECT_ALT_NAME = 83,
+    SEC_OID_X509_ISSUER_ALT_NAME = 84,
+    SEC_OID_X509_BASIC_CONSTRAINTS = 85,
+    SEC_OID_X509_NAME_CONSTRAINTS = 86,
+    SEC_OID_X509_CRL_DIST_POINTS = 87,
+    SEC_OID_X509_CERTIFICATE_POLICIES = 88,
+    SEC_OID_X509_POLICY_MAPPINGS = 89,
+    SEC_OID_X509_POLICY_CONSTRAINTS = 90,
+    SEC_OID_X509_AUTH_KEY_ID = 91,
+    SEC_OID_X509_EXT_KEY_USAGE = 92,
+    SEC_OID_X509_AUTH_INFO_ACCESS = 93,
+
+    SEC_OID_X509_CRL_NUMBER = 94,
+    SEC_OID_X509_REASON_CODE = 95,
+    SEC_OID_X509_INVALID_DATE = 96,
+    /* End of x.509 v3 Extensions */    
+
+    SEC_OID_X500_RSA_ENCRYPTION = 97,
+
+    /* alg 1485 additions */
+    SEC_OID_RFC1274_UID = 98,
+    SEC_OID_RFC1274_MAIL = 99,
+
+    /* PKCS 12 additions */
+    SEC_OID_PKCS12 = 100,
+    SEC_OID_PKCS12_MODE_IDS = 101,
+    SEC_OID_PKCS12_ESPVK_IDS = 102,
+    SEC_OID_PKCS12_BAG_IDS = 103,
+    SEC_OID_PKCS12_CERT_BAG_IDS = 104,
+    SEC_OID_PKCS12_OIDS = 105,
+    SEC_OID_PKCS12_PBE_IDS = 106,
+    SEC_OID_PKCS12_SIGNATURE_IDS = 107,
+    SEC_OID_PKCS12_ENVELOPING_IDS = 108,
+   /* SEC_OID_PKCS12_OFFLINE_TRANSPORT_MODE,
+    SEC_OID_PKCS12_ONLINE_TRANSPORT_MODE, */
+    SEC_OID_PKCS12_PKCS8_KEY_SHROUDING = 109,
+    SEC_OID_PKCS12_KEY_BAG_ID = 110,
+    SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID = 111,
+    SEC_OID_PKCS12_SECRET_BAG_ID = 112,
+    SEC_OID_PKCS12_X509_CERT_CRL_BAG = 113,
+    SEC_OID_PKCS12_SDSI_CERT_BAG = 114,
+    SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4 = 115,
+    SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4 = 116,
+    SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC = 117,
+    SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC = 118,
+    SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC = 119,
+    SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_128_BIT_RC4 = 120,
+    SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_40_BIT_RC4 = 121,
+    SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_TRIPLE_DES = 122,
+    SEC_OID_PKCS12_RSA_SIGNATURE_WITH_SHA1_DIGEST = 123,
+    /* end of PKCS 12 additions */
+
+    /* DSA signatures */
+    SEC_OID_ANSIX9_DSA_SIGNATURE = 124,
+    SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST = 125,
+    SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST = 126,
+
+    /* Verisign OIDs */
+    SEC_OID_VERISIGN_USER_NOTICES = 127,
+
+    /* PKIX OIDs */
+    SEC_OID_PKIX_CPS_POINTER_QUALIFIER = 128,
+    SEC_OID_PKIX_USER_NOTICE_QUALIFIER = 129,
+    SEC_OID_PKIX_OCSP = 130,
+    SEC_OID_PKIX_OCSP_BASIC_RESPONSE = 131,
+    SEC_OID_PKIX_OCSP_NONCE = 132,
+    SEC_OID_PKIX_OCSP_CRL = 133,
+    SEC_OID_PKIX_OCSP_RESPONSE = 134,
+    SEC_OID_PKIX_OCSP_NO_CHECK = 135,
+    SEC_OID_PKIX_OCSP_ARCHIVE_CUTOFF = 136,
+    SEC_OID_PKIX_OCSP_SERVICE_LOCATOR = 137,
+    SEC_OID_PKIX_REGCTRL_REGTOKEN = 138,
+    SEC_OID_PKIX_REGCTRL_AUTHENTICATOR = 139,
+    SEC_OID_PKIX_REGCTRL_PKIPUBINFO = 140,
+    SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS = 141,
+    SEC_OID_PKIX_REGCTRL_OLD_CERT_ID = 142,
+    SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY = 143,
+    SEC_OID_PKIX_REGINFO_UTF8_PAIRS = 144,
+    SEC_OID_PKIX_REGINFO_CERT_REQUEST = 145,
+    SEC_OID_EXT_KEY_USAGE_SERVER_AUTH = 146,
+    SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH = 147,
+    SEC_OID_EXT_KEY_USAGE_CODE_SIGN = 148,
+    SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT = 149,
+    SEC_OID_EXT_KEY_USAGE_TIME_STAMP = 150,
+    SEC_OID_OCSP_RESPONDER = 151,
+
+    /* Netscape Algorithm OIDs */
+    SEC_OID_NETSCAPE_SMIME_KEA = 152,
+
+    /* Skipjack OID -- ### mwelch temporary */
+    SEC_OID_FORTEZZA_SKIPJACK = 153,
+
+    /* PKCS 12 V2 oids */
+    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4 = 154,
+    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4 = 155,
+    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC = 156,
+    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC = 157,
+    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC = 158,
+    SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC = 159,
+    SEC_OID_PKCS12_SAFE_CONTENTS_ID = 160,
+    SEC_OID_PKCS12_PKCS8_SHROUDED_KEY_BAG_ID = 161,
+
+    SEC_OID_PKCS12_V1_KEY_BAG_ID = 162,
+    SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID = 163,
+    SEC_OID_PKCS12_V1_CERT_BAG_ID = 164,
+    SEC_OID_PKCS12_V1_CRL_BAG_ID = 165,
+    SEC_OID_PKCS12_V1_SECRET_BAG_ID = 166,
+    SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID = 167,
+    SEC_OID_PKCS9_X509_CERT = 168,
+    SEC_OID_PKCS9_SDSI_CERT = 169,
+    SEC_OID_PKCS9_X509_CRL = 170,
+    SEC_OID_PKCS9_FRIENDLY_NAME = 171,
+    SEC_OID_PKCS9_LOCAL_KEY_ID = 172,
+    SEC_OID_PKCS12_KEY_USAGE = 173,
+
+    /*Diffe Helman OIDS */
+    SEC_OID_X942_DIFFIE_HELMAN_KEY = 174,
+
+    /* Netscape other name types */
+    SEC_OID_NETSCAPE_NICKNAME = 175,
+
+    /* Cert Server OIDS */
+    SEC_OID_NETSCAPE_RECOVERY_REQUEST = 176,
+
+    /* New PSM certificate management OIDs */
+    SEC_OID_CERT_RENEWAL_LOCATOR = 177,
+    SEC_OID_NS_CERT_EXT_SCOPE_OF_USE = 178,
+    
+    /* CMS (RFC2630) OIDs */
+    SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN = 179,
+    SEC_OID_CMS_3DES_KEY_WRAP = 180,
+    SEC_OID_CMS_RC2_KEY_WRAP = 181,
+
+    /* SMIME attributes */
+    SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE = 182,
+
+    /* AES OIDs */
+    SEC_OID_AES_128_ECB 	= 183,
+    SEC_OID_AES_128_CBC 	= 184,
+    SEC_OID_AES_192_ECB 	= 185,
+    SEC_OID_AES_192_CBC 	= 186,
+    SEC_OID_AES_256_ECB 	= 187,
+    SEC_OID_AES_256_CBC 	= 188,
+
+    SEC_OID_SDN702_DSA_SIGNATURE = 189,
+
+    SEC_OID_TOTAL
+} SECOidTag;
+
+/* fake OID for DSS sign/verify */
+#define SEC_OID_SHA SEC_OID_MISS_DSS
+
+typedef enum {
+    INVALID_CERT_EXTENSION = 0,
+    UNSUPPORTED_CERT_EXTENSION = 1,
+    SUPPORTED_CERT_EXTENSION = 2
+} SECSupportExtenTag;
+
+struct SECOidDataStr {
+    SECItem            oid;
+    SECOidTag          offset;
+    const char *       desc;
+    unsigned long      mechanism;
+    SECSupportExtenTag supportedExtension;	
+    				/* only used for x.509 v3 extensions, so
+				   that we can print the names of those
+				   extensions that we don't even support */
+};
+
+#endif /* _SECOIDT_H_ */
diff --git a/security/nss/lib/util/secplcy.c b/security/nss/lib/util/secplcy.c
new file mode 100644
index 000000000..b7f42080d
--- /dev/null
+++ b/security/nss/lib/util/secplcy.c
@@ -0,0 +1,114 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "secplcy.h"
+#include "prmem.h"
+
+SECCipherFind *sec_CipherFindInit(PRBool onlyAllowed,
+				  secCPStruct *policy,
+				  long *ciphers)
+{
+  SECCipherFind *find = PR_NEWZAP(SECCipherFind);
+  if (find)
+    {
+      find->policy = policy;
+      find->ciphers = ciphers;
+      find->onlyAllowed = onlyAllowed;
+      find->index = -1;
+    }
+  return find;
+}
+
+long sec_CipherFindNext(SECCipherFind *find)
+{
+  char *policy;
+  long rv = -1;
+  secCPStruct *policies = (secCPStruct *) find->policy;
+  long *ciphers = (long *) find->ciphers;
+  long numCiphers = policies->num_ciphers;
+
+  find->index++;
+  while((find->index < numCiphers) && (rv == -1))
+    {
+      /* Translate index to cipher. */
+      rv = ciphers[find->index];
+
+      /* If we're only looking for allowed ciphers, and if this
+	 cipher isn't allowed, loop around.*/
+      if (find->onlyAllowed)
+	{
+	  /* Find the appropriate policy flag. */
+	  policy = (&(policies->begin_ciphers)) + find->index + 1;
+
+	  /* If this cipher isn't allowed by policy, continue. */
+	  if (! (*policy))
+	    {
+	      rv = -1;
+	      find->index++;
+	    }
+	}
+    }
+
+  return rv;
+}
+
+char sec_IsCipherAllowed(long cipher, secCPStruct *policies,
+			 long *ciphers)
+{
+  char result = SEC_CIPHER_NOT_ALLOWED; /* our default answer */
+  long numCiphers = policies->num_ciphers;
+  char *policy;
+  int i;
+  
+  /* Convert the cipher number into a policy flag location. */
+  for (i=0, policy=(&(policies->begin_ciphers) + 1);
+       i<numCiphers;
+       i++, policy++)
+    {
+      if (cipher == ciphers[i])
+	break;
+    }
+
+  if (i < numCiphers)
+    {
+      /* Found the cipher, get the policy value. */
+      result = *policy;
+    }
+
+  return result;
+}
+
+void sec_CipherFindEnd(SECCipherFind *find)
+{
+  PR_FREEIF(find);
+}
diff --git a/security/nss/lib/util/secplcy.h b/security/nss/lib/util/secplcy.h
new file mode 100644
index 000000000..add5d8fac
--- /dev/null
+++ b/security/nss/lib/util/secplcy.h
@@ -0,0 +1,133 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifndef __secplcy_h__
+#define __secplcy_h__
+
+#include "prtypes.h"
+
+/*
+** Cipher policy enforcement. This code isn't very pretty, but it accomplishes
+** the purpose of obscuring policy information from potential fortifiers. :-)
+**
+** The following routines are generic and intended for anywhere where cipher
+** policy enforcement is to be done, e.g. SSL and PKCS7&12.
+*/
+
+#define SEC_CIPHER_NOT_ALLOWED 0
+#define SEC_CIPHER_ALLOWED 1
+#define SEC_CIPHER_RESTRICTED 2 /* cipher is allowed in limited cases 
+				   e.g. step-up */
+
+/* The length of the header string for each cipher table. 
+   (It's the same regardless of whether we're using md5 strings or not.) */
+#define SEC_POLICY_HEADER_LENGTH 48
+
+/* If we're testing policy stuff, we may want to use the plaintext version */
+#define SEC_POLICY_USE_MD5_STRINGS 1
+
+#define SEC_POLICY_THIS_IS_THE \
+    "\x2a\x3a\x51\xbf\x2f\x71\xb7\x73\xaa\xca\x6b\x57\x70\xcd\xc8\x9f"
+#define SEC_POLICY_STRING_FOR_THE \
+    "\x97\x15\xe2\x70\xd2\x8a\xde\xa9\xe7\xa7\x6a\xe2\x83\xe5\xb1\xf6"
+#define SEC_POLICY_SSL_TAIL \
+    "\x70\x16\x25\xc0\x2a\xb2\x4a\xca\xb6\x67\xb1\x89\x20\xdf\x87\xca"
+#define SEC_POLICY_SMIME_TAIL \
+    "\xdf\xd4\xe7\x2a\xeb\xc4\x1b\xb5\xd8\xe5\xe0\x2a\x16\x9f\xc4\xb9"
+#define SEC_POLICY_PKCS12_TAIL \
+    "\x1c\xf8\xa4\x85\x4a\xc6\x8a\xfe\xe6\xca\x03\x72\x50\x1c\xe2\xc8"
+
+#if defined(SEC_POLICY_USE_MD5_STRINGS)
+
+/* We're not testing. 
+   Use md5 checksums of the strings. */
+
+#define SEC_POLICY_SSL_HEADER \
+    SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_SSL_TAIL
+
+#define SEC_POLICY_SMIME_HEADER \
+    SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_SMIME_TAIL
+
+#define SEC_POLICY_PKCS12_HEADER \
+    SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_PKCS12_TAIL
+
+#else
+
+/* We're testing. 
+   Use plaintext versions of the strings, for testing purposes. */
+#define SEC_POLICY_SSL_HEADER \
+    "This is the string for the SSL policy table.    "
+#define SEC_POLICY_SMIME_HEADER \
+    "This is the string for the PKCS7 policy table.  "
+#define SEC_POLICY_PKCS12_HEADER \
+    "This is the string for the PKCS12 policy table. "
+
+#endif
+
+/* Local cipher tables have to have these members at the top. */
+typedef struct _sec_cp_struct
+{
+  char policy_string[SEC_POLICY_HEADER_LENGTH];
+  long unused; /* placeholder for max keybits in pkcs12 struct */
+  char num_ciphers;
+  char begin_ciphers;
+  /* cipher policy settings follow. each is a char. */
+} secCPStruct;
+
+struct SECCipherFindStr
+{
+  /* (policy) and (ciphers) are opaque to the outside world */
+  void *policy;
+  void *ciphers;
+  long index;
+  PRBool onlyAllowed;
+};
+
+typedef struct SECCipherFindStr SECCipherFind;
+
+SEC_BEGIN_PROTOS
+
+SECCipherFind *sec_CipherFindInit(PRBool onlyAllowed,
+				  secCPStruct *policy,
+				  long *ciphers);
+
+long sec_CipherFindNext(SECCipherFind *find);
+
+char sec_IsCipherAllowed(long cipher, secCPStruct *policies,
+			 long *ciphers);
+
+void sec_CipherFindEnd(SECCipherFind *find);
+
+SEC_END_PROTOS
+
+#endif /* __SECPLCY_H__ */
diff --git a/security/nss/lib/util/secport.c b/security/nss/lib/util/secport.c
new file mode 100644
index 000000000..bfde55a81
--- /dev/null
+++ b/security/nss/lib/util/secport.c
@@ -0,0 +1,562 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * secport.c - portability interfaces for security libraries
+ *
+ * This file abstracts out libc functionality that libsec depends on
+ * 
+ * NOTE - These are not public interfaces
+ *
+ * $Id$
+ */
+
+#include "seccomon.h"
+#include "prmem.h"
+#include "prerror.h"
+#include "plarena.h"
+#include "secerr.h"
+#include "prmon.h"
+#include "nsslocks.h"
+#include "secport.h"
+#include "prvrsion.h"
+#include "prenv.h"
+
+#ifdef DEBUG
+#define THREADMARK
+#endif /* DEBUG */
+
+#ifdef THREADMARK
+#include "prthread.h"
+#endif /* THREADMARK */
+
+#if defined(XP_UNIX) || defined(XP_MAC) || defined(XP_OS2) || defined(XP_BEOS)
+#include <stdlib.h>
+#else
+#include "wtypes.h"
+#endif
+
+#define SET_ERROR_CODE	/* place holder for code to set PR error code. */
+
+#ifdef THREADMARK
+typedef struct threadmark_mark_str {
+  struct threadmark_mark_str *next;
+  void *mark;
+} threadmark_mark;
+
+#endif /* THREADMARK */
+
+/* The value of this magic must change each time PORTArenaPool changes. */
+#define ARENAPOOL_MAGIC 0xB8AC9BDF 
+
+typedef struct PORTArenaPool_str {
+  PLArenaPool arena;
+  PRUint32    magic;
+  PRLock *    lock;
+#ifdef THREADMARK
+  PRThread *marking_thread;
+  threadmark_mark *first_mark;
+#endif
+} PORTArenaPool;
+
+
+/* count of allocation failures. */
+unsigned long port_allocFailures;
+
+/* locations for registering Unicode conversion functions.  
+ * XXX is this the appropriate location?  or should they be
+ *     moved to client/server specific locations?
+ */
+PORTCharConversionFunc ucs4Utf8ConvertFunc;
+PORTCharConversionFunc ucs2Utf8ConvertFunc;
+PORTCharConversionWSwapFunc  ucs2AsciiConvertFunc;
+
+void *
+PORT_Alloc(size_t bytes)
+{
+    void *rv;
+
+    /* Always allocate a non-zero amount of bytes */
+    rv = (void *)PR_Malloc(bytes ? bytes : 1);
+    if (!rv) {
+	++port_allocFailures;
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+    }
+    return rv;
+}
+
+void *
+PORT_Realloc(void *oldptr, size_t bytes)
+{
+    void *rv;
+
+    rv = (void *)PR_Realloc(oldptr, bytes);
+    if (!rv) {
+	++port_allocFailures;
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+    }
+    return rv;
+}
+
+void *
+PORT_ZAlloc(size_t bytes)
+{
+    void *rv;
+
+    /* Always allocate a non-zero amount of bytes */
+    rv = (void *)PR_Calloc(1, bytes ? bytes : 1);
+    if (!rv) {
+	++port_allocFailures;
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+    }
+    return rv;
+}
+
+void
+PORT_Free(void *ptr)
+{
+    if (ptr) {
+	PR_Free(ptr);
+    }
+}
+
+void
+PORT_ZFree(void *ptr, size_t len)
+{
+    if (ptr) {
+	memset(ptr, 0, len);
+	PR_Free(ptr);
+    }
+}
+
+void
+PORT_SetError(int value)
+{	
+    PR_SetError(value, 0);
+    return;
+}
+
+int
+PORT_GetError(void)
+{
+    return(PR_GetError());
+}
+
+/********************* Arena code follows *****************************/
+
+PLArenaPool *
+PORT_NewArena(unsigned long chunksize)
+{
+    PORTArenaPool *pool;
+    
+    pool = PORT_ZNew(PORTArenaPool);
+    if (!pool) {
+	return NULL;
+    }
+    pool->magic = ARENAPOOL_MAGIC;
+    pool->lock = PZ_NewLock(nssILockArena);
+    if (!pool->lock) {
+	++port_allocFailures;
+	PORT_Free(pool);
+	return NULL;
+    }
+    PL_InitArenaPool(&pool->arena, "security", chunksize, sizeof(double));
+    return(&pool->arena);
+}
+
+void *
+PORT_ArenaAlloc(PLArenaPool *arena, size_t size)
+{
+    void *p;
+
+    PORTArenaPool *pool = (PORTArenaPool *)arena;
+
+    /* Is it one of ours?  Assume so and check the magic */
+    if (ARENAPOOL_MAGIC == pool->magic ) {
+	PZ_Lock(pool->lock);
+#ifdef THREADMARK
+        /* Most likely one of ours.  Is there a thread id? */
+	if (pool->marking_thread  &&
+	    pool->marking_thread != PR_GetCurrentThread() ) {
+	    /* Another thread holds a mark in this arena */
+	    PZ_Unlock(pool->lock);
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    PORT_Assert(0);
+	    return NULL;
+	} /* tid != null */
+#endif /* THREADMARK */
+	PL_ARENA_ALLOCATE(p, arena, size);
+	PZ_Unlock(pool->lock);
+    } else {
+	PL_ARENA_ALLOCATE(p, arena, size);
+    }
+
+    if (!p) {
+	++port_allocFailures;
+	PORT_SetError(SEC_ERROR_NO_MEMORY);
+    }
+
+    return(p);
+}
+
+void *
+PORT_ArenaZAlloc(PLArenaPool *arena, size_t size)
+{
+    void *p = PORT_ArenaAlloc(arena, size);
+
+    if (p) {
+	PORT_Memset(p, 0, size);
+    }
+
+    return(p);
+}
+
+/* XXX - need to zeroize!! - jsw */
+void
+PORT_FreeArena(PLArenaPool *arena, PRBool zero)
+{
+    PORTArenaPool *pool = (PORTArenaPool *)arena;
+    PRLock *       lock = (PRLock *)0;
+    size_t         len  = sizeof *arena;
+    extern const PRVersionDescription * libVersionPoint(void);
+    static const PRVersionDescription * pvd;
+    static PRBool  doFreeArenaPool = PR_FALSE;
+
+    if (ARENAPOOL_MAGIC == pool->magic ) {
+	len  = sizeof *pool;
+	lock = pool->lock;
+	PZ_Lock(lock);
+    }
+    if (!pvd) {
+	/* no need for thread protection here */
+	pvd = libVersionPoint();
+	if ((pvd->vMajor > 4) || 
+	    (pvd->vMajor == 4 && pvd->vMinor > 1) ||
+	    (pvd->vMajor == 4 && pvd->vMinor == 1 && pvd->vPatch >= 1)) {
+	    const char *ev = PR_GetEnv("NSS_DISABLE_ARENA_FREE_LIST");
+	    if (!ev) doFreeArenaPool = PR_TRUE;
+	}
+    }
+    if (doFreeArenaPool) {
+	PL_FreeArenaPool(arena);
+    } else {
+	PL_FinishArenaPool(arena);
+    }
+    PORT_ZFree(arena, len);
+    if (lock) {
+	PZ_Unlock(lock);
+	PZ_DestroyLock(lock);
+    }
+}
+
+void *
+PORT_ArenaGrow(PLArenaPool *arena, void *ptr, size_t oldsize, size_t newsize)
+{
+    PORTArenaPool *pool = (PORTArenaPool *)arena;
+    PORT_Assert(newsize >= oldsize);
+    
+    if (ARENAPOOL_MAGIC == pool->magic ) {
+	PZ_Lock(pool->lock);
+	/* Do we do a THREADMARK check here? */
+	PL_ARENA_GROW(ptr, arena, oldsize, ( newsize - oldsize ) );
+	PZ_Unlock(pool->lock);
+    } else {
+	PL_ARENA_GROW(ptr, arena, oldsize, ( newsize - oldsize ) );
+    }
+    
+    return(ptr);
+}
+
+void *
+PORT_ArenaMark(PLArenaPool *arena)
+{
+    void * result;
+
+    PORTArenaPool *pool = (PORTArenaPool *)arena;
+    if (ARENAPOOL_MAGIC == pool->magic ) {
+	PZ_Lock(pool->lock);
+#ifdef THREADMARK
+	{
+	  threadmark_mark *tm, **pw;
+	  PRThread * currentThread = PR_GetCurrentThread();
+
+	    if (! pool->marking_thread ) {
+		/* First mark */
+		pool->marking_thread = currentThread;
+	    } else if (currentThread != pool->marking_thread ) {
+		PZ_Unlock(pool->lock);
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		PORT_Assert(0);
+		return NULL;
+	    }
+
+	    result = PL_ARENA_MARK(arena);
+	    PL_ARENA_ALLOCATE(tm, arena, sizeof(threadmark_mark));
+	    if (!tm) {
+		PZ_Unlock(pool->lock);
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		return NULL;
+	    }
+
+	    tm->mark = result;
+	    tm->next = (threadmark_mark *)NULL;
+
+	    pw = &pool->first_mark;
+	    while( *pw ) {
+		 pw = &(*pw)->next;
+	    }
+
+	    *pw = tm;
+	}
+#else /* THREADMARK */
+	result = PL_ARENA_MARK(arena);
+#endif /* THREADMARK */
+	PZ_Unlock(pool->lock);
+    } else {
+	/* a "pure" NSPR arena */
+	result = PL_ARENA_MARK(arena);
+    }
+    return result;
+}
+
+void
+PORT_ArenaRelease(PLArenaPool *arena, void *mark)
+{
+    PORTArenaPool *pool = (PORTArenaPool *)arena;
+    if (ARENAPOOL_MAGIC == pool->magic ) {
+	PZ_Lock(pool->lock);
+#ifdef THREADMARK
+	{
+	    threadmark_mark **pw, *tm;
+
+	    if (PR_GetCurrentThread() != pool->marking_thread ) {
+		PZ_Unlock(pool->lock);
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		PORT_Assert(0);
+		return /* no error indication available */ ;
+	    }
+
+	    pw = &pool->first_mark;
+	    while( *pw && (mark != (*pw)->mark) ) {
+		pw = &(*pw)->next;
+	    }
+
+	    if (! *pw ) {
+		/* bad mark */
+		PZ_Unlock(pool->lock);
+		PORT_SetError(SEC_ERROR_NO_MEMORY);
+		PORT_Assert(0);
+		return /* no error indication available */ ;
+	    }
+
+	    tm = *pw;
+	    *pw = (threadmark_mark *)NULL;
+
+	    PL_ARENA_RELEASE(arena, mark);
+
+	    if (! pool->first_mark ) {
+		pool->marking_thread = (PRThread *)NULL;
+	    }
+	}
+#else /* THREADMARK */
+	PL_ARENA_RELEASE(arena, mark);
+#endif /* THREADMARK */
+	PZ_Unlock(pool->lock);
+    } else {
+	PL_ARENA_RELEASE(arena, mark);
+    }
+}
+
+void
+PORT_ArenaUnmark(PLArenaPool *arena, void *mark)
+{
+#ifdef THREADMARK
+    PORTArenaPool *pool = (PORTArenaPool *)arena;
+    if (ARENAPOOL_MAGIC == pool->magic ) {
+	threadmark_mark **pw, *tm;
+
+	PZ_Lock(pool->lock);
+
+	if (PR_GetCurrentThread() != pool->marking_thread ) {
+	    PZ_Unlock(pool->lock);
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    PORT_Assert(0);
+	    return /* no error indication available */ ;
+	}
+
+	pw = &pool->first_mark;
+	while( ((threadmark_mark *)NULL != *pw) && (mark != (*pw)->mark) ) {
+	    pw = &(*pw)->next;
+	}
+
+	if ((threadmark_mark *)NULL == *pw ) {
+	    /* bad mark */
+	    PZ_Unlock(pool->lock);
+	    PORT_SetError(SEC_ERROR_NO_MEMORY);
+	    PORT_Assert(0);
+	    return /* no error indication available */ ;
+	}
+
+	tm = *pw;
+	*pw = (threadmark_mark *)NULL;
+
+	if (! pool->first_mark ) {
+	    pool->marking_thread = (PRThread *)NULL;
+	}
+
+	PZ_Unlock(pool->lock);
+    }
+#endif /* THREADMARK */
+}
+
+char *
+PORT_ArenaStrdup(PLArenaPool *arena, char *str) {
+    int len = PORT_Strlen(str)+1;
+    char *newstr;
+
+    newstr = (char*)PORT_ArenaAlloc(arena,len);
+    if (newstr) {
+        PORT_Memcpy(newstr,str,len);
+    }
+    return newstr;
+}
+
+/********************** end of arena functions ***********************/
+
+/****************** unicode conversion functions ***********************/
+/*
+ * NOTE: These conversion functions all assume that the multibyte
+ * characters are going to be in NETWORK BYTE ORDER, not host byte
+ * order.  This is because the only time we deal with UCS-2 and UCS-4
+ * are when the data was received from or is going to be sent out
+ * over the wire (in, e.g. certificates).
+ */
+
+void
+PORT_SetUCS4_UTF8ConversionFunction(PORTCharConversionFunc convFunc)
+{ 
+    ucs4Utf8ConvertFunc = convFunc;
+}
+
+void
+PORT_SetUCS2_ASCIIConversionFunction(PORTCharConversionWSwapFunc convFunc)
+{ 
+    ucs2AsciiConvertFunc = convFunc;
+}
+
+void
+PORT_SetUCS2_UTF8ConversionFunction(PORTCharConversionFunc convFunc)
+{ 
+    ucs2Utf8ConvertFunc = convFunc;
+}
+
+PRBool 
+PORT_UCS4_UTF8Conversion(PRBool toUnicode, unsigned char *inBuf,
+			 unsigned int inBufLen, unsigned char *outBuf,
+			 unsigned int maxOutBufLen, unsigned int *outBufLen)
+{
+    if(!ucs4Utf8ConvertFunc) {
+      return sec_port_ucs4_utf8_conversion_function(toUnicode,
+        inBuf, inBufLen, outBuf, maxOutBufLen, outBufLen);
+    }
+
+    return (*ucs4Utf8ConvertFunc)(toUnicode, inBuf, inBufLen, outBuf, 
+				  maxOutBufLen, outBufLen);
+}
+
+PRBool 
+PORT_UCS2_UTF8Conversion(PRBool toUnicode, unsigned char *inBuf,
+			 unsigned int inBufLen, unsigned char *outBuf,
+			 unsigned int maxOutBufLen, unsigned int *outBufLen)
+{
+    if(!ucs2Utf8ConvertFunc) {
+      return sec_port_ucs2_utf8_conversion_function(toUnicode,
+        inBuf, inBufLen, outBuf, maxOutBufLen, outBufLen);
+    }
+
+    return (*ucs2Utf8ConvertFunc)(toUnicode, inBuf, inBufLen, outBuf, 
+				  maxOutBufLen, outBufLen);
+}
+
+PRBool 
+PORT_UCS2_ASCIIConversion(PRBool toUnicode, unsigned char *inBuf,
+			  unsigned int inBufLen, unsigned char *outBuf,
+			  unsigned int maxOutBufLen, unsigned int *outBufLen,
+			  PRBool swapBytes)
+{
+    if(!ucs2AsciiConvertFunc) {
+	return PR_FALSE;
+    }
+
+    return (*ucs2AsciiConvertFunc)(toUnicode, inBuf, inBufLen, outBuf, 
+				  maxOutBufLen, outBufLen, swapBytes);
+}
+
+
+/* Portable putenv.  Creates/replaces an environment variable of the form
+ *  envVarName=envValue
+ */
+int
+NSS_PutEnv(const char * envVarName, const char * envValue)
+{
+#if  defined(XP_MAC)
+    return SECFailure;
+#else
+    SECStatus result = SECSuccess;
+    char *    encoded;
+    int       putEnvFailed;
+#ifdef _WIN32
+    PRBool      setOK;
+
+    setOK = SetEnvironmentVariable(envVarName, envValue);
+    if (!setOK) {
+        SET_ERROR_CODE
+        return SECFailure;
+    }
+#endif
+
+    encoded = (char *)PORT_ZAlloc(strlen(envVarName) + 2 + strlen(envValue));
+    strcpy(encoded, envVarName);
+    strcat(encoded, "=");
+    strcat(encoded, envValue);
+
+    putEnvFailed = putenv(encoded); /* adopt. */
+    if (putEnvFailed) {
+        SET_ERROR_CODE
+        result = SECFailure;
+        PORT_Free(encoded);
+    }
+    return result;
+#endif
+}
+
diff --git a/security/nss/lib/util/secport.h b/security/nss/lib/util/secport.h
new file mode 100644
index 000000000..c89c7dcd5
--- /dev/null
+++ b/security/nss/lib/util/secport.h
@@ -0,0 +1,276 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+/*
+ * secport.h - portability interfaces for security libraries
+ *
+ * This file abstracts out libc functionality that libsec depends on
+ * 
+ * NOTE - These are not public interfaces
+ *
+ * $Id$
+ */
+
+#ifndef _SECPORT_H_
+#define _SECPORT_H_
+
+/*
+ * define XP_MAC, XP_WIN, XP_BEOS, or XP_UNIX, in case they are not defined
+ * by anyone else
+ */
+#ifdef macintosh
+# ifndef XP_MAC
+# define XP_MAC 1
+# endif
+#endif
+
+#ifdef _WINDOWS
+# ifndef XP_WIN
+# define XP_WIN
+# endif
+#if defined(_WIN32) || defined(WIN32)
+# ifndef XP_WIN32
+# define XP_WIN32
+# endif
+#else
+# ifndef XP_WIN16
+# define XP_WIN16
+# endif
+#endif
+#endif
+
+#ifdef __BEOS__
+# ifndef XP_BEOS
+# define XP_BEOS
+# endif
+#endif
+
+#ifdef unix
+# ifndef XP_UNIX
+# define XP_UNIX
+# endif
+#endif
+
+#if defined(__WATCOMC__) || defined(__WATCOM_CPLUSPLUS__)
+#include "watcomfx.h"
+#endif
+
+#ifdef XP_MAC
+#include <types.h>
+#include <time.h> /* for time_t below */
+#else
+#include <sys/types.h>
+#endif
+
+#ifdef notdef
+#ifdef XP_MAC
+#include "NSString.h"
+#endif
+#endif
+
+#include <ctype.h>
+#include <string.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include "prtypes.h"
+#include "prlog.h"	/* for PR_ASSERT */
+#include "plarena.h"
+#include "plstr.h"
+
+/*
+ * HACK for NSS 2.8 to allow Admin to compile without source changes.
+ */
+#ifndef SEC_BEGIN_PROTOS
+#include "seccomon.h"
+#endif
+
+SEC_BEGIN_PROTOS
+
+extern void *PORT_Alloc(size_t len);
+extern void *PORT_Realloc(void *old, size_t len);
+extern void *PORT_AllocBlock(size_t len);
+extern void *PORT_ReallocBlock(void *old, size_t len);
+extern void PORT_FreeBlock(void *ptr);
+extern void *PORT_ZAlloc(size_t len);
+extern void PORT_Free(void *ptr);
+extern void PORT_ZFree(void *ptr, size_t len);
+extern time_t PORT_Time(void);
+extern void PORT_SetError(int value);
+extern int PORT_GetError(void);
+
+extern PLArenaPool *PORT_NewArena(unsigned long chunksize);
+extern void *PORT_ArenaAlloc(PLArenaPool *arena, size_t size);
+extern void *PORT_ArenaZAlloc(PLArenaPool *arena, size_t size);
+extern void PORT_FreeArena(PLArenaPool *arena, PRBool zero);
+extern void *PORT_ArenaGrow(PLArenaPool *arena, void *ptr,
+			    size_t oldsize, size_t newsize);
+extern void *PORT_ArenaMark(PLArenaPool *arena);
+extern void PORT_ArenaRelease(PLArenaPool *arena, void *mark);
+extern void PORT_ArenaUnmark(PLArenaPool *arena, void *mark);
+extern char *PORT_ArenaStrdup(PLArenaPool *arena, char *str);
+
+#ifdef __cplusplus
+}
+#endif
+
+#define PORT_Assert PR_ASSERT
+#define PORT_ZNew(type) (type*)PORT_ZAlloc(sizeof(type))
+#define PORT_New(type) (type*)PORT_Alloc(sizeof(type))
+#define PORT_ArenaNew(poolp, type)	\
+		(type*) PORT_ArenaAlloc(poolp, sizeof(type))
+#define PORT_ArenaZNew(poolp, type)	\
+		(type*) PORT_ArenaZAlloc(poolp, sizeof(type))
+#define PORT_NewArray(type, num)	\
+		(type*) PORT_Alloc (sizeof(type)*(num))
+#define PORT_ZNewArray(type, num)	\
+		(type*) PORT_ZAlloc (sizeof(type)*(num))
+#define PORT_ArenaNewArray(poolp, type, num)	\
+		(type*) PORT_ArenaAlloc (poolp, sizeof(type)*(num))
+#define PORT_ArenaZNewArray(poolp, type, num)	\
+		(type*) PORT_ArenaZAlloc (poolp, sizeof(type)*(num))
+
+/* Please, keep these defines sorted alphbetically.  Thanks! */
+
+#ifdef XP_STRING_FUNCS
+
+#define PORT_Atoi 	XP_ATOI
+
+#define PORT_Memcmp 	XP_MEMCMP
+#define PORT_Memcpy 	XP_MEMCPY
+#define PORT_Memmove 	XP_MEMMOVE
+#define PORT_Memset 	XP_MEMSET
+
+#define PORT_Strcasecmp XP_STRCASECMP
+#define PORT_Strcat 	XP_STRCAT
+#define PORT_Strchr 	XP_STRCHR
+#define PORT_Strrchr	XP_STRRCHR
+#define PORT_Strcmp 	XP_STRCMP
+#define PORT_Strcpy 	XP_STRCPY
+#define PORT_Strdup 	XP_STRDUP
+#define PORT_Strlen(s) 	XP_STRLEN(s)
+#define PORT_Strncasecmp XP_STRNCASECMP
+#define PORT_Strncat 	strncat
+#define PORT_Strncmp 	XP_STRNCMP
+#define PORT_Strncpy 	strncpy
+#define PORT_Strstr 	XP_STRSTR
+#define PORT_Strtok 	XP_STRTOK_R
+
+#define PORT_Tolower 	XP_TO_LOWER
+
+#else /* XP_STRING_FUNCS */
+
+#define PORT_Atoi 	atoi
+
+#define PORT_Memcmp 	memcmp
+#define PORT_Memcpy 	memcpy
+#ifndef SUNOS4
+#define PORT_Memmove 	memmove
+#else /*SUNOS4*/
+#define PORT_Memmove(s,ct,n)    bcopy ((ct), (s), (n))
+#endif/*SUNOS4*/
+#define PORT_Memset 	memset
+
+#define PORT_Strcasecmp PL_strcasecmp
+#define PORT_Strcat 	strcat
+#define PORT_Strchr 	strchr
+#define PORT_Strrchr    PL_strrchr
+#define PORT_Strcmp 	strcmp
+#define PORT_Strcpy 	strcpy
+#define PORT_Strdup 	PL_strdup
+#define PORT_Strlen(s) 	strlen(s)
+#define PORT_Strncasecmp PL_strncasecmp
+#define PORT_Strncat 	strncat
+#define PORT_Strncmp 	strncmp
+#define PORT_Strncpy 	strncpy
+#define PORT_Strstr 	strstr
+#define PORT_Strtok 	strtok
+
+#define PORT_Tolower 	tolower
+
+#endif /* XP_STRING_FUNCS */
+
+typedef PRBool (PR_CALLBACK * PORTCharConversionWSwapFunc) (PRBool toUnicode,
+			unsigned char *inBuf, unsigned int inBufLen,
+			unsigned char *outBuf, unsigned int maxOutBufLen,
+			unsigned int *outBufLen, PRBool swapBytes);
+
+typedef PRBool (PR_CALLBACK * PORTCharConversionFunc) (PRBool toUnicode,
+			unsigned char *inBuf, unsigned int inBufLen,
+			unsigned char *outBuf, unsigned int maxOutBufLen,
+			unsigned int *outBufLen);
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+void PORT_SetUCS4_UTF8ConversionFunction(PORTCharConversionFunc convFunc);
+void PORT_SetUCS2_ASCIIConversionFunction(PORTCharConversionWSwapFunc convFunc);
+PRBool PORT_UCS4_UTF8Conversion(PRBool toUnicode, unsigned char *inBuf,
+			unsigned int inBufLen, unsigned char *outBuf,
+			unsigned int maxOutBufLen, unsigned int *outBufLen);
+PRBool PORT_UCS2_ASCIIConversion(PRBool toUnicode, unsigned char *inBuf,
+			unsigned int inBufLen, unsigned char *outBuf,
+			unsigned int maxOutBufLen, unsigned int *outBufLen,
+			PRBool swapBytes);
+void PORT_SetUCS2_UTF8ConversionFunction(PORTCharConversionFunc convFunc);
+PRBool PORT_UCS2_UTF8Conversion(PRBool toUnicode, unsigned char *inBuf,
+			unsigned int inBufLen, unsigned char *outBuf,
+			unsigned int maxOutBufLen, unsigned int *outBufLen);
+
+PR_EXTERN(PRBool)
+sec_port_ucs4_utf8_conversion_function
+(
+  PRBool toUnicode,
+  unsigned char *inBuf,
+  unsigned int inBufLen,
+  unsigned char *outBuf,
+  unsigned int maxOutBufLen,
+  unsigned int *outBufLen
+);
+
+PR_EXTERN(PRBool)
+sec_port_ucs2_utf8_conversion_function
+(
+  PRBool toUnicode,
+  unsigned char *inBuf,
+  unsigned int inBufLen,
+  unsigned char *outBuf,
+  unsigned int maxOutBufLen,
+  unsigned int *outBufLen
+);
+
+extern int NSS_PutEnv(const char * envVarName, const char * envValue);
+
+SEC_END_PROTOS
+
+#endif /* _SECPORT_H_ */
diff --git a/security/nss/lib/util/sectime.c b/security/nss/lib/util/sectime.c
new file mode 100644
index 000000000..d3cca6f87
--- /dev/null
+++ b/security/nss/lib/util/sectime.c
@@ -0,0 +1,177 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#include "prlong.h"
+#include "prtime.h"
+#include "secder.h"
+#include "cert.h"
+#include "secitem.h"
+
+const SEC_ASN1Template CERT_ValidityTemplate[] = {
+    { SEC_ASN1_SEQUENCE,
+	  0, NULL, sizeof(CERTValidity) },
+    { SEC_ASN1_UTC_TIME,
+	  offsetof(CERTValidity,notBefore) },
+    { SEC_ASN1_UTC_TIME,
+	  offsetof(CERTValidity,notAfter) },
+    { 0 }
+};
+
+DERTemplate CERTValidityTemplate[] = {
+    { DER_SEQUENCE,
+	  0, NULL, sizeof(CERTValidity) },
+    { DER_UTC_TIME,
+	  offsetof(CERTValidity,notBefore), },
+    { DER_UTC_TIME,
+	  offsetof(CERTValidity,notAfter), },
+    { 0, }
+};
+
+static char *DecodeUTCTime2FormattedAscii (SECItem *utcTimeDER, char *format);
+
+/* convert DER utc time to ascii time string */
+char *
+DER_UTCTimeToAscii(SECItem *utcTime)
+{
+    return (DecodeUTCTime2FormattedAscii (utcTime, "%a %b %d %H:%M:%S %Y"));
+}
+
+/* convert DER utc time to ascii time string, only include day, not time */
+char *
+DER_UTCDayToAscii(SECItem *utctime)
+{
+    return (DecodeUTCTime2FormattedAscii (utctime, "%a %b %d, %Y"));
+}
+
+CERTValidity *
+CERT_CreateValidity(int64 notBefore, int64 notAfter)
+{
+    CERTValidity *v;
+    int rv;
+    PRArenaPool *arena;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    
+    if ( !arena ) {
+	return(0);
+    }
+    
+    v = (CERTValidity*) PORT_ArenaZAlloc(arena, sizeof(CERTValidity));
+    if (v) {
+	v->arena = arena;
+	rv = DER_TimeToUTCTime(&v->notBefore, notBefore);
+	if (rv) goto loser;
+	rv = DER_TimeToUTCTime(&v->notAfter, notAfter);
+	if (rv) goto loser;
+    }
+    return v;
+
+  loser:
+    CERT_DestroyValidity(v);
+    return 0;
+}
+
+SECStatus
+CERT_CopyValidity(PRArenaPool *arena, CERTValidity *to, CERTValidity *from)
+{
+    SECStatus rv;
+
+    CERT_DestroyValidity(to);
+    to->arena = arena;
+    
+    rv = SECITEM_CopyItem(arena, &to->notBefore, &from->notBefore);
+    if (rv) return rv;
+    rv = SECITEM_CopyItem(arena, &to->notAfter, &from->notAfter);
+    return rv;
+}
+
+void
+CERT_DestroyValidity(CERTValidity *v)
+{
+    if (v && v->arena) {
+	PORT_FreeArena(v->arena, PR_FALSE);
+    }
+    return;
+}
+
+char *
+CERT_UTCTime2FormattedAscii (int64 utcTime, char *format)
+{
+    PRExplodedTime printableTime; 
+    char *timeString;
+   
+    /* Converse time to local time and decompose it into components */
+    PR_ExplodeTime(utcTime, PR_LocalTimeParameters, &printableTime);
+    
+    timeString = (char *)PORT_Alloc(100);
+
+    if ( timeString ) {
+        PR_FormatTime( timeString, 100, format, &printableTime );
+    }
+    
+    return (timeString);
+}
+
+char *CERT_GenTime2FormattedAscii (int64 genTime, char *format)
+{
+    PRExplodedTime printableTime; 
+    char *timeString;
+   
+    /* Decompose time into components */
+    PR_ExplodeTime(genTime, PR_GMTParameters, &printableTime);
+    
+    timeString = (char *)PORT_Alloc(100);
+
+    if ( timeString ) {
+        PR_FormatTime( timeString, 100, format, &printableTime );
+    }
+    
+    return (timeString);
+}
+
+
+/* convert DER utc time to ascii time string, The format of the time string
+   depends on the input "format"
+ */
+static char *
+DecodeUTCTime2FormattedAscii (SECItem *utcTimeDER,  char *format)
+{
+    int64 utcTime;
+    int rv;
+   
+    rv = DER_UTCTimeToTime(&utcTime, utcTimeDER);
+    if (rv) {
+        return(NULL);
+    }
+    return (CERT_UTCTime2FormattedAscii (utcTime, format));
+}
diff --git a/security/nss/lib/util/utf8.c b/security/nss/lib/util/utf8.c
new file mode 100644
index 000000000..7a3c3954d
--- /dev/null
+++ b/security/nss/lib/util/utf8.c
@@ -0,0 +1,2061 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
+#endif /* DEBUG */
+
+#include "seccomon.h"
+#include "secport.h"
+
+/*
+ * Define this if you want to support UTF-16 in UCS-2
+ */
+#define UTF16
+
+/*
+ * From RFC 2044:
+ *
+ * UCS-4 range (hex.)           UTF-8 octet sequence (binary)
+ * 0000 0000-0000 007F   0xxxxxxx
+ * 0000 0080-0000 07FF   110xxxxx 10xxxxxx
+ * 0000 0800-0000 FFFF   1110xxxx 10xxxxxx 10xxxxxx
+ * 0001 0000-001F FFFF   11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
+ * 0020 0000-03FF FFFF   111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
+ * 0400 0000-7FFF FFFF   1111110x 10xxxxxx ... 10xxxxxx
+ */  
+
+/*
+ * From http://www.imc.org/draft-hoffman-utf16
+ *
+ * For U on [0x00010000,0x0010FFFF]:  Let U' = U - 0x00010000
+ *
+ * U' = yyyyyyyyyyxxxxxxxxxx
+ * W1 = 110110yyyyyyyyyy
+ * W2 = 110111xxxxxxxxxx
+ */
+
+/*
+ * This code is assuming NETWORK BYTE ORDER for the 16- and 32-bit
+ * character values.  If you wish to use this code for working with
+ * host byte order values, define the following:
+ *
+ * #if IS_BIG_ENDIAN
+ * #define L_0 0
+ * #define L_1 1
+ * #define L_2 2
+ * #define L_3 3
+ * #define H_0 0
+ * #define H_1 1
+ * #else / * not everyone has elif * /
+ * #if IS_LITTLE_ENDIAN
+ * #define L_0 3
+ * #define L_1 2
+ * #define L_2 1
+ * #define L_3 0
+ * #define H_0 1
+ * #define H_1 0
+ * #else
+ * #error "PDP and NUXI support deferred"
+ * #endif / * IS_LITTLE_ENDIAN * /
+ * #endif / * IS_BIG_ENDIAN * /
+ */
+
+#define L_0 0
+#define L_1 1
+#define L_2 2
+#define L_3 3
+#define H_0 0
+#define H_1 1
+
+PR_IMPLEMENT(PRBool)
+sec_port_ucs4_utf8_conversion_function
+(
+  PRBool toUnicode,
+  unsigned char *inBuf,
+  unsigned int inBufLen,
+  unsigned char *outBuf,
+  unsigned int maxOutBufLen,
+  unsigned int *outBufLen
+)
+{
+#ifndef TEST_UTF8
+  PORT_Assert((unsigned int *)NULL != outBufLen);
+#endif /* TEST_UTF8 */
+
+  if( toUnicode ) {
+    unsigned int i, len = 0;
+
+    for( i = 0; i < inBufLen; ) {
+      if( (inBuf[i] & 0x80) == 0x00 ) i += 1;
+      else if( (inBuf[i] & 0xE0) == 0xC0 ) i += 2;
+      else if( (inBuf[i] & 0xF0) == 0xE0 ) i += 3;
+      else if( (inBuf[i] & 0xF8) == 0xF0 ) i += 4;
+      else if( (inBuf[i] & 0xFC) == 0xF8 ) i += 5;
+      else if( (inBuf[i] & 0xFE) == 0xFC ) i += 6;
+      else return PR_FALSE;
+
+      len += 4;
+    }
+
+    if( len > maxOutBufLen ) {
+      *outBufLen = len;
+      return PR_FALSE;
+    }
+
+    len = 0;
+
+    for( i = 0; i < inBufLen; ) {
+      if( (inBuf[i] & 0x80) == 0x00 ) {
+        /* 0000 0000-0000 007F <- 0xxxxxx */
+        /* 0abcdefg -> 
+           00000000 00000000 00000000 0abcdefg */
+
+        outBuf[len+L_0] = 0x00;
+        outBuf[len+L_1] = 0x00;
+        outBuf[len+L_2] = 0x00;
+        outBuf[len+L_3] = inBuf[i+0] & 0x7F;
+
+        i += 1;
+      } else if( (inBuf[i] & 0xE0) == 0xC0 ) {
+
+        if( (inBuf[i+1] & 0xC0) != 0x80 ) return PR_FALSE;
+
+        /* 0000 0080-0000 07FF <- 110xxxxx 10xxxxxx */
+        /* 110abcde 10fghijk ->
+           00000000 00000000 00000abc defghijk */
+
+        outBuf[len+L_0] = 0x00;
+        outBuf[len+L_1] = 0x00;
+        outBuf[len+L_2] = ((inBuf[i+0] & 0x1C) >> 2);
+        outBuf[len+L_3] = ((inBuf[i+0] & 0x03) << 6) | ((inBuf[i+1] & 0x3F) >> 0);
+
+        i += 2;
+      } else if( (inBuf[i] & 0xF0) == 0xE0 ) {
+
+        if( (inBuf[i+1] & 0xC0) != 0x80 ) return PR_FALSE;
+        if( (inBuf[i+2] & 0xC0) != 0x80 ) return PR_FALSE;
+
+        /* 0000 0800-0000 FFFF <- 1110xxxx 10xxxxxx 10xxxxxx */
+        /* 1110abcd 10efghij 10klmnop ->
+           00000000 00000000 abcdefgh ijklmnop */
+
+        outBuf[len+L_0] = 0x00;
+        outBuf[len+L_1] = 0x00;
+        outBuf[len+L_2] = ((inBuf[i+0] & 0x0F) << 4) | ((inBuf[i+1] & 0x3C) >> 2);
+        outBuf[len+L_3] = ((inBuf[i+1] & 0x03) << 6) | ((inBuf[i+2] & 0x3F) >> 0);
+
+        i += 3;
+      } else if( (inBuf[i] & 0xF8) == 0xF0 ) {
+
+        if( (inBuf[i+1] & 0xC0) != 0x80 ) return PR_FALSE;
+        if( (inBuf[i+2] & 0xC0) != 0x80 ) return PR_FALSE;
+        if( (inBuf[i+3] & 0xC0) != 0x80 ) return PR_FALSE;
+
+        /* 0001 0000-001F FFFF <- 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx */
+        /* 11110abc 10defghi 10jklmno 10pqrstu -> 
+           00000000 000abcde fghijklm nopqrstu */
+           
+        outBuf[len+L_0] = 0x00;
+        outBuf[len+L_1] = ((inBuf[i+0] & 0x07) << 2) | ((inBuf[i+1] & 0x30) >> 4);
+        outBuf[len+L_2] = ((inBuf[i+1] & 0x0F) << 4) | ((inBuf[i+2] & 0x3C) >> 2);
+        outBuf[len+L_3] = ((inBuf[i+2] & 0x03) << 6) | ((inBuf[i+3] & 0x3F) >> 0);
+
+        i += 4;
+      } else if( (inBuf[i] & 0xFC) == 0xF8 ) {
+
+        if( (inBuf[i+1] & 0xC0) != 0x80 ) return PR_FALSE;
+        if( (inBuf[i+2] & 0xC0) != 0x80 ) return PR_FALSE;
+        if( (inBuf[i+3] & 0xC0) != 0x80 ) return PR_FALSE;
+        if( (inBuf[i+4] & 0xC0) != 0x80 ) return PR_FALSE;
+
+        /* 0020 0000-03FF FFFF <- 111110xx 10xxxxxx ... 10xxxxxx */
+        /* 111110ab 10cdefgh 10ijklmn 10opqrst 10uvwxyz -> 
+           000000ab cdefghij klmnopqr stuvwxyz */
+
+        outBuf[len+L_0] = inBuf[i+0] & 0x03;
+        outBuf[len+L_1] = ((inBuf[i+1] & 0x3F) << 2) | ((inBuf[i+2] & 0x30) >> 4);
+        outBuf[len+L_2] = ((inBuf[i+2] & 0x0F) << 4) | ((inBuf[i+3] & 0x3C) >> 2);
+        outBuf[len+L_3] = ((inBuf[i+3] & 0x03) << 6) | ((inBuf[i+4] & 0x3F) >> 0);
+
+        i += 5;
+      } else /* if( (inBuf[i] & 0xFE) == 0xFC ) */ {
+
+        if( (inBuf[i+1] & 0xC0) != 0x80 ) return PR_FALSE;
+        if( (inBuf[i+2] & 0xC0) != 0x80 ) return PR_FALSE;
+        if( (inBuf[i+3] & 0xC0) != 0x80 ) return PR_FALSE;
+        if( (inBuf[i+4] & 0xC0) != 0x80 ) return PR_FALSE;
+        if( (inBuf[i+5] & 0xC0) != 0x80 ) return PR_FALSE;
+
+        /* 0400 0000-7FFF FFFF <- 1111110x 10xxxxxx ... 10xxxxxx */
+        /* 1111110a 10bcdefg 10hijklm 10nopqrs 10tuvwxy 10zABCDE -> 
+           0abcdefg hijklmno pqrstuvw xyzABCDE */
+
+        outBuf[len+L_0] = ((inBuf[i+0] & 0x01) << 6) | ((inBuf[i+1] & 0x3F) >> 0);
+        outBuf[len+L_1] = ((inBuf[i+2] & 0x3F) << 2) | ((inBuf[i+3] & 0x30) >> 4);
+        outBuf[len+L_2] = ((inBuf[i+3] & 0x0F) << 4) | ((inBuf[i+4] & 0x3C) >> 2);
+        outBuf[len+L_3] = ((inBuf[i+4] & 0x03) << 6) | ((inBuf[i+5] & 0x3F) >> 0);
+
+        i += 6;
+      }
+
+      len += 4;
+    }
+
+    *outBufLen = len;
+    return PR_TRUE;
+  } else {
+    unsigned int i, len = 0;
+
+    for( i = 0; i < inBufLen; i += 4 ) {
+      if( inBuf[i+L_0] >= 0x04 ) len += 6;
+      else if( (inBuf[i+L_0] > 0x00) || (inBuf[i+L_1] >= 0x20) ) len += 5;
+      else if( inBuf[i+L_1] >= 0x01 ) len += 4;
+      else if( inBuf[i+L_2] >= 0x08 ) len += 3;
+      else if( (inBuf[i+L_2] > 0x00) || (inBuf[i+L_3] >= 0x80) ) len += 2;
+      else len += 1;
+    }
+
+    if( len > maxOutBufLen ) {
+      *outBufLen = len;
+      return PR_FALSE;
+    }
+
+    len = 0;
+
+    for( i = 0; i < inBufLen; i += 4 ) {
+      if( inBuf[i+L_0] >= 0x04 ) {
+        /* 0400 0000-7FFF FFFF -> 1111110x 10xxxxxx ... 10xxxxxx */
+        /* 0abcdefg hijklmno pqrstuvw xyzABCDE ->
+           1111110a 10bcdefg 10hijklm 10nopqrs 10tuvwxy 10zABCDE */
+
+        outBuf[len+0] = 0xFC | ((inBuf[i+L_0] & 0x40) >> 6);
+        outBuf[len+1] = 0x80 | ((inBuf[i+L_0] & 0x3F) >> 0);
+        outBuf[len+2] = 0x80 | ((inBuf[i+L_1] & 0xFC) >> 2);
+        outBuf[len+3] = 0x80 | ((inBuf[i+L_1] & 0x03) << 4)
+                             | ((inBuf[i+L_2] & 0xF0) >> 4);
+        outBuf[len+4] = 0x80 | ((inBuf[i+L_2] & 0x0F) << 2)
+                             | ((inBuf[i+L_3] & 0xC0) >> 6);
+        outBuf[len+5] = 0x80 | ((inBuf[i+L_3] & 0x3F) >> 0);
+
+        len += 6;
+      } else if( (inBuf[i+L_0] > 0x00) || (inBuf[i+L_1] >= 0x20) ) {
+        /* 0020 0000-03FF FFFF -> 111110xx 10xxxxxx ... 10xxxxxx */
+        /* 000000ab cdefghij klmnopqr stuvwxyz ->
+           111110ab 10cdefgh 10ijklmn 10opqrst 10uvwxyz */
+
+        outBuf[len+0] = 0xF8 | ((inBuf[i+L_0] & 0x03) >> 0);
+        outBuf[len+1] = 0x80 | ((inBuf[i+L_1] & 0xFC) >> 2);
+        outBuf[len+2] = 0x80 | ((inBuf[i+L_1] & 0x03) << 4)
+                             | ((inBuf[i+L_2] & 0xF0) >> 4);
+        outBuf[len+3] = 0x80 | ((inBuf[i+L_2] & 0x0F) << 2)
+                             | ((inBuf[i+L_3] & 0xC0) >> 6);
+        outBuf[len+4] = 0x80 | ((inBuf[i+L_3] & 0x3F) >> 0);
+
+        len += 5;
+      } else if( inBuf[i+L_1] >= 0x01 ) {
+        /* 0001 0000-001F FFFF -> 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx */
+        /* 00000000 000abcde fghijklm nopqrstu ->
+           11110abc 10defghi 10jklmno 10pqrstu */
+
+        outBuf[len+0] = 0xF0 | ((inBuf[i+L_1] & 0x1C) >> 2);
+        outBuf[len+1] = 0x80 | ((inBuf[i+L_1] & 0x03) << 4)
+                             | ((inBuf[i+L_2] & 0xF0) >> 4);
+        outBuf[len+2] = 0x80 | ((inBuf[i+L_2] & 0x0F) << 2)
+                             | ((inBuf[i+L_3] & 0xC0) >> 6);
+        outBuf[len+3] = 0x80 | ((inBuf[i+L_3] & 0x3F) >> 0);
+
+        len += 4;
+      } else if( inBuf[i+L_2] >= 0x08 ) {
+        /* 0000 0800-0000 FFFF -> 1110xxxx 10xxxxxx 10xxxxxx */
+        /* 00000000 00000000 abcdefgh ijklmnop ->
+           1110abcd 10efghij 10klmnop */
+
+        outBuf[len+0] = 0xE0 | ((inBuf[i+L_2] & 0xF0) >> 4);
+        outBuf[len+1] = 0x80 | ((inBuf[i+L_2] & 0x0F) << 2)
+                             | ((inBuf[i+L_3] & 0xC0) >> 6);
+        outBuf[len+2] = 0x80 | ((inBuf[i+L_3] & 0x3F) >> 0);
+
+        len += 3;
+      } else if( (inBuf[i+L_2] > 0x00) || (inBuf[i+L_3] >= 0x80) ) {
+        /* 0000 0080-0000 07FF -> 110xxxxx 10xxxxxx */
+        /* 00000000 00000000 00000abc defghijk ->
+           110abcde 10fghijk */
+
+        outBuf[len+0] = 0xC0 | ((inBuf[i+L_2] & 0x07) << 2)
+                             | ((inBuf[i+L_3] & 0xC0) >> 6);
+        outBuf[len+1] = 0x80 | ((inBuf[i+L_3] & 0x3F) >> 0);
+
+        len += 2;
+      } else {
+        /* 0000 0000-0000 007F -> 0xxxxxx */
+        /* 00000000 00000000 00000000 0abcdefg ->
+           0abcdefg */
+
+        outBuf[len+0] = (inBuf[i+L_3] & 0x7F);
+
+        len += 1;
+      }
+    }
+                            
+    *outBufLen = len;
+    return PR_TRUE;
+  }
+}
+
+PR_IMPLEMENT(PRBool)
+sec_port_ucs2_utf8_conversion_function
+(
+  PRBool toUnicode,
+  unsigned char *inBuf,
+  unsigned int inBufLen,
+  unsigned char *outBuf,
+  unsigned int maxOutBufLen,
+  unsigned int *outBufLen
+)
+{
+#ifndef TEST_UTF8
+  PORT_Assert((unsigned int *)NULL != outBufLen);
+#endif /* TEST_UTF8 */
+
+  if( toUnicode ) {
+    unsigned int i, len = 0;
+
+    for( i = 0; i < inBufLen; ) {
+      if( (inBuf[i] & 0x80) == 0x00 ) {
+        i += 1;
+        len += 2;
+      } else if( (inBuf[i] & 0xE0) == 0xC0 ) {
+        i += 2;
+        len += 2;
+      } else if( (inBuf[i] & 0xF0) == 0xE0 ) {
+        i += 3;
+        len += 2;
+#ifdef UTF16
+      } else if( (inBuf[i] & 0xF8) == 0xF0 ) { 
+        i += 4;
+        len += 4;
+
+        if( (inBuf[i] & 0x04) && 
+            ((inBuf[i] & 0x03) || (inBuf[i+1] & 0x30)) ) {
+          /* Not representable as UTF16 */
+          return PR_FALSE;
+        }
+
+#endif /* UTF16 */
+      } else return PR_FALSE;
+    }
+
+    if( len > maxOutBufLen ) {
+      *outBufLen = len;
+      return PR_FALSE;
+    }
+
+    len = 0;
+
+    for( i = 0; i < inBufLen; ) {
+      if( (inBuf[i] & 0x80) == 0x00 ) {
+        /* 0000-007F <- 0xxxxxx */
+        /* 0abcdefg -> 00000000 0abcdefg */
+
+        outBuf[len+H_0] = 0x00;
+        outBuf[len+H_1] = inBuf[i+0] & 0x7F;
+
+        i += 1;
+        len += 2;
+      } else if( (inBuf[i] & 0xE0) == 0xC0 ) {
+
+        if( (inBuf[i+1] & 0xC0) != 0x80 ) return PR_FALSE;
+
+        /* 0080-07FF <- 110xxxxx 10xxxxxx */
+        /* 110abcde 10fghijk -> 00000abc defghijk */
+
+        outBuf[len+H_0] = ((inBuf[i+0] & 0x1C) >> 2);
+        outBuf[len+H_1] = ((inBuf[i+0] & 0x03) << 6) | ((inBuf[i+1] & 0x3F) >> 0);
+
+        i += 2;
+        len += 2;
+      } else if( (inBuf[i] & 0xF0) == 0xE0 ) {
+
+        if( (inBuf[i+1] & 0xC0) != 0x80 ) return PR_FALSE;
+        if( (inBuf[i+2] & 0xC0) != 0x80 ) return PR_FALSE;
+
+        /* 0800-FFFF <- 1110xxxx 10xxxxxx 10xxxxxx */
+        /* 1110abcd 10efghij 10klmnop -> abcdefgh ijklmnop */
+
+        outBuf[len+H_0] = ((inBuf[i+0] & 0x0F) << 4) | ((inBuf[i+1] & 0x3C) >> 2);
+        outBuf[len+H_1] = ((inBuf[i+1] & 0x03) << 6) | ((inBuf[i+2] & 0x3F) >> 0);
+
+        i += 3;
+        len += 2;
+#ifdef UTF16
+      } else if( (inBuf[i] & 0xF8) == 0xF0 ) { 
+        int abcde, BCDE;
+
+        if( (inBuf[i+1] & 0xC0) != 0x80 ) return PR_FALSE;
+        if( (inBuf[i+2] & 0xC0) != 0x80 ) return PR_FALSE;
+        if( (inBuf[i+3] & 0xC0) != 0x80 ) return PR_FALSE;
+
+        /* 0001 0000-001F FFFF <- 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx */
+        /* 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx -> [D800-DBFF] [DC00-DFFF] */
+           
+        /* 11110abc 10defghi 10jklmno 10pqrstu -> 
+           { Let 0BCDE = abcde - 1 }
+           110110BC DEfghijk 110111lm nopqrstu */
+
+        abcde = ((inBuf[i+0] & 0x07) << 2) | ((inBuf[i+1] & 0x30) >> 4);
+        BCDE = abcde - 1;
+
+#ifndef TEST_UTF8
+        PORT_Assert(BCDE < 0x10); /* should have been caught above */
+#endif /* TEST_UTF8 */
+
+        outBuf[len+0+H_0] = 0xD8 | ((BCDE & 0x0C) >> 2);
+        outBuf[len+0+H_1] = ((BCDE & 0x03) << 6) 
+                      | ((inBuf[i+1] & 0x0F) << 2)
+                      | ((inBuf[i+2] & 0x30) >> 4);
+        outBuf[len+2+H_0] = 0xDC | ((inBuf[i+2] & 0x0C) >> 2);
+        outBuf[len+2+H_1] = ((inBuf[i+2] & 0x03) << 6) | ((inBuf[i+3] & 0x3F) >> 0);
+
+        i += 4;
+        len += 4;
+#endif /* UTF16 */
+      } else return PR_FALSE;
+    }
+
+    *outBufLen = len;
+    return PR_TRUE;
+  } else {
+    unsigned int i, len = 0;
+
+    for( i = 0; i < inBufLen; i += 2 ) {
+      if( (inBuf[i+H_0] == 0x00) && ((inBuf[i+H_0] & 0x80) == 0x00) ) len += 1;
+      else if( inBuf[i+H_0] < 0x08 ) len += 2;
+#ifdef UTF16
+      else if( ((inBuf[i+0+H_0] & 0xDC) == 0xD8) ) {
+        if( ((inBuf[i+2+H_0] & 0xDC) == 0xDC) && ((inBufLen - i) > 2) ) {
+          i += 2;
+          len += 4;
+        } else {
+          return PR_FALSE;
+        }
+      }
+#endif /* UTF16 */
+      else len += 3;
+    }
+
+    if( len > maxOutBufLen ) {
+      *outBufLen = len;
+      return PR_FALSE;
+    }
+
+    len = 0;
+
+    for( i = 0; i < inBufLen; i += 2 ) {
+      if( (inBuf[i+H_0] == 0x00) && ((inBuf[i+H_1] & 0x80) == 0x00) ) {
+        /* 0000-007F -> 0xxxxxx */
+        /* 00000000 0abcdefg -> 0abcdefg */
+
+        outBuf[len] = inBuf[i+H_1] & 0x7F;
+
+        len += 1;
+      } else if( inBuf[i+H_0] < 0x08 ) {
+        /* 0080-07FF -> 110xxxxx 10xxxxxx */
+        /* 00000abc defghijk -> 110abcde 10fghijk */
+
+        outBuf[len+0] = 0xC0 | ((inBuf[i+H_0] & 0x07) << 2) 
+                             | ((inBuf[i+H_1] & 0xC0) >> 6);
+        outBuf[len+1] = 0x80 | ((inBuf[i+H_1] & 0x3F) >> 0);
+
+        len += 2;
+#ifdef UTF16
+      } else if( (inBuf[i+H_0] & 0xDC) == 0xD8 ) {
+        int abcde, BCDE;
+
+#ifndef TEST_UTF8
+        PORT_Assert(((inBuf[i+2+H_0] & 0xDC) == 0xDC) && ((inBufLen - i) > 2));
+#endif /* TEST_UTF8 */
+
+        /* D800-DBFF DC00-DFFF -> 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx */
+        /* 110110BC DEfghijk 110111lm nopqrstu ->
+           { Let abcde = BCDE + 1 }
+           11110abc 10defghi 10jklmno 10pqrstu */
+
+        BCDE = ((inBuf[i+H_0] & 0x03) << 2) | ((inBuf[i+H_1] & 0xC0) >> 6);
+        abcde = BCDE + 1;
+
+        outBuf[len+0] = 0xF0 | ((abcde & 0x1C) >> 2);
+        outBuf[len+1] = 0x80 | ((abcde & 0x03) << 4) 
+                             | ((inBuf[i+0+H_1] & 0x3C) >> 2);
+        outBuf[len+2] = 0x80 | ((inBuf[i+0+H_1] & 0x03) << 4)
+                             | ((inBuf[i+2+H_0] & 0x03) << 2)
+                             | ((inBuf[i+2+H_1] & 0xC0) >> 6);
+        outBuf[len+3] = 0x80 | ((inBuf[i+2+H_1] & 0x3F) >> 0);
+
+        i += 2;
+        len += 4;
+#endif /* UTF16 */
+      } else {
+        /* 0800-FFFF -> 1110xxxx 10xxxxxx 10xxxxxx */
+        /* abcdefgh ijklmnop -> 1110abcd 10efghij 10klmnop */
+
+        outBuf[len+0] = 0xE0 | ((inBuf[i+H_0] & 0xF0) >> 4);
+        outBuf[len+1] = 0x80 | ((inBuf[i+H_0] & 0x0F) << 2) 
+                             | ((inBuf[i+H_1] & 0xC0) >> 6);
+        outBuf[len+2] = 0x80 | ((inBuf[i+H_1] & 0x3F) >> 0);
+
+        len += 3;
+      }
+    }
+
+    *outBufLen = len;
+    return PR_TRUE;
+  }
+}
+
+#ifdef TEST_UTF8
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <netinet/in.h> /* for htonl and htons */
+
+/*
+ * UCS-4 vectors
+ */
+
+struct ucs4 {
+  PRUint32 c;
+  char *utf8;
+};
+
+/*
+ * UCS-2 vectors
+ */
+
+struct ucs2 {
+  PRUint16 c;
+  char *utf8;
+};
+
+#ifdef UTF16
+/*
+ * UTF-16 vectors
+ */
+
+struct utf16 {
+  PRUint32 c;
+  PRUint16 w[2];
+};
+#endif /* UTF16 */
+
+
+/*
+ * UCS-4 vectors
+ */
+
+struct ucs4 ucs4[] = {
+  { 0x00000001, "\x01" },
+  { 0x00000002, "\x02" },
+  { 0x00000003, "\x03" },
+  { 0x00000004, "\x04" },
+  { 0x00000007, "\x07" },
+  { 0x00000008, "\x08" },
+  { 0x0000000F, "\x0F" },
+  { 0x00000010, "\x10" },
+  { 0x0000001F, "\x1F" },
+  { 0x00000020, "\x20" },
+  { 0x0000003F, "\x3F" },
+  { 0x00000040, "\x40" },
+  { 0x0000007F, "\x7F" },
+          
+  { 0x00000080, "\xC2\x80" },
+  { 0x00000081, "\xC2\x81" },
+  { 0x00000082, "\xC2\x82" },
+  { 0x00000084, "\xC2\x84" },
+  { 0x00000088, "\xC2\x88" },
+  { 0x00000090, "\xC2\x90" },
+  { 0x000000A0, "\xC2\xA0" },
+  { 0x000000C0, "\xC3\x80" },
+  { 0x000000FF, "\xC3\xBF" },
+  { 0x00000100, "\xC4\x80" },
+  { 0x00000101, "\xC4\x81" },
+  { 0x00000102, "\xC4\x82" },
+  { 0x00000104, "\xC4\x84" },
+  { 0x00000108, "\xC4\x88" },
+  { 0x00000110, "\xC4\x90" },
+  { 0x00000120, "\xC4\xA0" },
+  { 0x00000140, "\xC5\x80" },
+  { 0x00000180, "\xC6\x80" },
+  { 0x000001FF, "\xC7\xBF" },
+  { 0x00000200, "\xC8\x80" },
+  { 0x00000201, "\xC8\x81" },
+  { 0x00000202, "\xC8\x82" },
+  { 0x00000204, "\xC8\x84" },
+  { 0x00000208, "\xC8\x88" },
+  { 0x00000210, "\xC8\x90" },
+  { 0x00000220, "\xC8\xA0" },
+  { 0x00000240, "\xC9\x80" },
+  { 0x00000280, "\xCA\x80" },
+  { 0x00000300, "\xCC\x80" },
+  { 0x000003FF, "\xCF\xBF" },
+  { 0x00000400, "\xD0\x80" },
+  { 0x00000401, "\xD0\x81" },
+  { 0x00000402, "\xD0\x82" },
+  { 0x00000404, "\xD0\x84" },
+  { 0x00000408, "\xD0\x88" },
+  { 0x00000410, "\xD0\x90" },
+  { 0x00000420, "\xD0\xA0" },
+  { 0x00000440, "\xD1\x80" },
+  { 0x00000480, "\xD2\x80" },
+  { 0x00000500, "\xD4\x80" },
+  { 0x00000600, "\xD8\x80" },
+  { 0x000007FF, "\xDF\xBF" },
+          
+  { 0x00000800, "\xE0\xA0\x80" },
+  { 0x00000801, "\xE0\xA0\x81" },
+  { 0x00000802, "\xE0\xA0\x82" },
+  { 0x00000804, "\xE0\xA0\x84" },
+  { 0x00000808, "\xE0\xA0\x88" },
+  { 0x00000810, "\xE0\xA0\x90" },
+  { 0x00000820, "\xE0\xA0\xA0" },
+  { 0x00000840, "\xE0\xA1\x80" },
+  { 0x00000880, "\xE0\xA2\x80" },
+  { 0x00000900, "\xE0\xA4\x80" },
+  { 0x00000A00, "\xE0\xA8\x80" },
+  { 0x00000C00, "\xE0\xB0\x80" },
+  { 0x00000FFF, "\xE0\xBF\xBF" },
+  { 0x00001000, "\xE1\x80\x80" },
+  { 0x00001001, "\xE1\x80\x81" },
+  { 0x00001002, "\xE1\x80\x82" },
+  { 0x00001004, "\xE1\x80\x84" },
+  { 0x00001008, "\xE1\x80\x88" },
+  { 0x00001010, "\xE1\x80\x90" },
+  { 0x00001020, "\xE1\x80\xA0" },
+  { 0x00001040, "\xE1\x81\x80" },
+  { 0x00001080, "\xE1\x82\x80" },
+  { 0x00001100, "\xE1\x84\x80" },
+  { 0x00001200, "\xE1\x88\x80" },
+  { 0x00001400, "\xE1\x90\x80" },
+  { 0x00001800, "\xE1\xA0\x80" },
+  { 0x00001FFF, "\xE1\xBF\xBF" },
+  { 0x00002000, "\xE2\x80\x80" },
+  { 0x00002001, "\xE2\x80\x81" },
+  { 0x00002002, "\xE2\x80\x82" },
+  { 0x00002004, "\xE2\x80\x84" },
+  { 0x00002008, "\xE2\x80\x88" },
+  { 0x00002010, "\xE2\x80\x90" },
+  { 0x00002020, "\xE2\x80\xA0" },
+  { 0x00002040, "\xE2\x81\x80" },
+  { 0x00002080, "\xE2\x82\x80" },
+  { 0x00002100, "\xE2\x84\x80" },
+  { 0x00002200, "\xE2\x88\x80" },
+  { 0x00002400, "\xE2\x90\x80" },
+  { 0x00002800, "\xE2\xA0\x80" },
+  { 0x00003000, "\xE3\x80\x80" },
+  { 0x00003FFF, "\xE3\xBF\xBF" },
+  { 0x00004000, "\xE4\x80\x80" },
+  { 0x00004001, "\xE4\x80\x81" },
+  { 0x00004002, "\xE4\x80\x82" },
+  { 0x00004004, "\xE4\x80\x84" },
+  { 0x00004008, "\xE4\x80\x88" },
+  { 0x00004010, "\xE4\x80\x90" },
+  { 0x00004020, "\xE4\x80\xA0" },
+  { 0x00004040, "\xE4\x81\x80" },
+  { 0x00004080, "\xE4\x82\x80" },
+  { 0x00004100, "\xE4\x84\x80" },
+  { 0x00004200, "\xE4\x88\x80" },
+  { 0x00004400, "\xE4\x90\x80" },
+  { 0x00004800, "\xE4\xA0\x80" },
+  { 0x00005000, "\xE5\x80\x80" },
+  { 0x00006000, "\xE6\x80\x80" },
+  { 0x00007FFF, "\xE7\xBF\xBF" },
+  { 0x00008000, "\xE8\x80\x80" },
+  { 0x00008001, "\xE8\x80\x81" },
+  { 0x00008002, "\xE8\x80\x82" },
+  { 0x00008004, "\xE8\x80\x84" },
+  { 0x00008008, "\xE8\x80\x88" },
+  { 0x00008010, "\xE8\x80\x90" },
+  { 0x00008020, "\xE8\x80\xA0" },
+  { 0x00008040, "\xE8\x81\x80" },
+  { 0x00008080, "\xE8\x82\x80" },
+  { 0x00008100, "\xE8\x84\x80" },
+  { 0x00008200, "\xE8\x88\x80" },
+  { 0x00008400, "\xE8\x90\x80" },
+  { 0x00008800, "\xE8\xA0\x80" },
+  { 0x00009000, "\xE9\x80\x80" },
+  { 0x0000A000, "\xEA\x80\x80" },
+  { 0x0000C000, "\xEC\x80\x80" },
+  { 0x0000FFFF, "\xEF\xBF\xBF" },
+          
+  { 0x00010000, "\xF0\x90\x80\x80" },
+  { 0x00010001, "\xF0\x90\x80\x81" },
+  { 0x00010002, "\xF0\x90\x80\x82" },
+  { 0x00010004, "\xF0\x90\x80\x84" },
+  { 0x00010008, "\xF0\x90\x80\x88" },
+  { 0x00010010, "\xF0\x90\x80\x90" },
+  { 0x00010020, "\xF0\x90\x80\xA0" },
+  { 0x00010040, "\xF0\x90\x81\x80" },
+  { 0x00010080, "\xF0\x90\x82\x80" },
+  { 0x00010100, "\xF0\x90\x84\x80" },
+  { 0x00010200, "\xF0\x90\x88\x80" },
+  { 0x00010400, "\xF0\x90\x90\x80" },
+  { 0x00010800, "\xF0\x90\xA0\x80" },
+  { 0x00011000, "\xF0\x91\x80\x80" },
+  { 0x00012000, "\xF0\x92\x80\x80" },
+  { 0x00014000, "\xF0\x94\x80\x80" },
+  { 0x00018000, "\xF0\x98\x80\x80" },
+  { 0x0001FFFF, "\xF0\x9F\xBF\xBF" },
+  { 0x00020000, "\xF0\xA0\x80\x80" },
+  { 0x00020001, "\xF0\xA0\x80\x81" },
+  { 0x00020002, "\xF0\xA0\x80\x82" },
+  { 0x00020004, "\xF0\xA0\x80\x84" },
+  { 0x00020008, "\xF0\xA0\x80\x88" },
+  { 0x00020010, "\xF0\xA0\x80\x90" },
+  { 0x00020020, "\xF0\xA0\x80\xA0" },
+  { 0x00020040, "\xF0\xA0\x81\x80" },
+  { 0x00020080, "\xF0\xA0\x82\x80" },
+  { 0x00020100, "\xF0\xA0\x84\x80" },
+  { 0x00020200, "\xF0\xA0\x88\x80" },
+  { 0x00020400, "\xF0\xA0\x90\x80" },
+  { 0x00020800, "\xF0\xA0\xA0\x80" },
+  { 0x00021000, "\xF0\xA1\x80\x80" },
+  { 0x00022000, "\xF0\xA2\x80\x80" },
+  { 0x00024000, "\xF0\xA4\x80\x80" },
+  { 0x00028000, "\xF0\xA8\x80\x80" },
+  { 0x00030000, "\xF0\xB0\x80\x80" },
+  { 0x0003FFFF, "\xF0\xBF\xBF\xBF" },
+  { 0x00040000, "\xF1\x80\x80\x80" },
+  { 0x00040001, "\xF1\x80\x80\x81" },
+  { 0x00040002, "\xF1\x80\x80\x82" },
+  { 0x00040004, "\xF1\x80\x80\x84" },
+  { 0x00040008, "\xF1\x80\x80\x88" },
+  { 0x00040010, "\xF1\x80\x80\x90" },
+  { 0x00040020, "\xF1\x80\x80\xA0" },
+  { 0x00040040, "\xF1\x80\x81\x80" },
+  { 0x00040080, "\xF1\x80\x82\x80" },
+  { 0x00040100, "\xF1\x80\x84\x80" },
+  { 0x00040200, "\xF1\x80\x88\x80" },
+  { 0x00040400, "\xF1\x80\x90\x80" },
+  { 0x00040800, "\xF1\x80\xA0\x80" },
+  { 0x00041000, "\xF1\x81\x80\x80" },
+  { 0x00042000, "\xF1\x82\x80\x80" },
+  { 0x00044000, "\xF1\x84\x80\x80" },
+  { 0x00048000, "\xF1\x88\x80\x80" },
+  { 0x00050000, "\xF1\x90\x80\x80" },
+  { 0x00060000, "\xF1\xA0\x80\x80" },
+  { 0x0007FFFF, "\xF1\xBF\xBF\xBF" },
+  { 0x00080000, "\xF2\x80\x80\x80" },
+  { 0x00080001, "\xF2\x80\x80\x81" },
+  { 0x00080002, "\xF2\x80\x80\x82" },
+  { 0x00080004, "\xF2\x80\x80\x84" },
+  { 0x00080008, "\xF2\x80\x80\x88" },
+  { 0x00080010, "\xF2\x80\x80\x90" },
+  { 0x00080020, "\xF2\x80\x80\xA0" },
+  { 0x00080040, "\xF2\x80\x81\x80" },
+  { 0x00080080, "\xF2\x80\x82\x80" },
+  { 0x00080100, "\xF2\x80\x84\x80" },
+  { 0x00080200, "\xF2\x80\x88\x80" },
+  { 0x00080400, "\xF2\x80\x90\x80" },
+  { 0x00080800, "\xF2\x80\xA0\x80" },
+  { 0x00081000, "\xF2\x81\x80\x80" },
+  { 0x00082000, "\xF2\x82\x80\x80" },
+  { 0x00084000, "\xF2\x84\x80\x80" },
+  { 0x00088000, "\xF2\x88\x80\x80" },
+  { 0x00090000, "\xF2\x90\x80\x80" },
+  { 0x000A0000, "\xF2\xA0\x80\x80" },
+  { 0x000C0000, "\xF3\x80\x80\x80" },
+  { 0x000FFFFF, "\xF3\xBF\xBF\xBF" },
+  { 0x00100000, "\xF4\x80\x80\x80" },
+  { 0x00100001, "\xF4\x80\x80\x81" },
+  { 0x00100002, "\xF4\x80\x80\x82" },
+  { 0x00100004, "\xF4\x80\x80\x84" },
+  { 0x00100008, "\xF4\x80\x80\x88" },
+  { 0x00100010, "\xF4\x80\x80\x90" },
+  { 0x00100020, "\xF4\x80\x80\xA0" },
+  { 0x00100040, "\xF4\x80\x81\x80" },
+  { 0x00100080, "\xF4\x80\x82\x80" },
+  { 0x00100100, "\xF4\x80\x84\x80" },
+  { 0x00100200, "\xF4\x80\x88\x80" },
+  { 0x00100400, "\xF4\x80\x90\x80" },
+  { 0x00100800, "\xF4\x80\xA0\x80" },
+  { 0x00101000, "\xF4\x81\x80\x80" },
+  { 0x00102000, "\xF4\x82\x80\x80" },
+  { 0x00104000, "\xF4\x84\x80\x80" },
+  { 0x00108000, "\xF4\x88\x80\x80" },
+  { 0x00110000, "\xF4\x90\x80\x80" },
+  { 0x00120000, "\xF4\xA0\x80\x80" },
+  { 0x00140000, "\xF5\x80\x80\x80" },
+  { 0x00180000, "\xF6\x80\x80\x80" },
+  { 0x001FFFFF, "\xF7\xBF\xBF\xBF" },
+          
+  { 0x00200000, "\xF8\x88\x80\x80\x80" },
+  { 0x00200001, "\xF8\x88\x80\x80\x81" },
+  { 0x00200002, "\xF8\x88\x80\x80\x82" },
+  { 0x00200004, "\xF8\x88\x80\x80\x84" },
+  { 0x00200008, "\xF8\x88\x80\x80\x88" },
+  { 0x00200010, "\xF8\x88\x80\x80\x90" },
+  { 0x00200020, "\xF8\x88\x80\x80\xA0" },
+  { 0x00200040, "\xF8\x88\x80\x81\x80" },
+  { 0x00200080, "\xF8\x88\x80\x82\x80" },
+  { 0x00200100, "\xF8\x88\x80\x84\x80" },
+  { 0x00200200, "\xF8\x88\x80\x88\x80" },
+  { 0x00200400, "\xF8\x88\x80\x90\x80" },
+  { 0x00200800, "\xF8\x88\x80\xA0\x80" },
+  { 0x00201000, "\xF8\x88\x81\x80\x80" },
+  { 0x00202000, "\xF8\x88\x82\x80\x80" },
+  { 0x00204000, "\xF8\x88\x84\x80\x80" },
+  { 0x00208000, "\xF8\x88\x88\x80\x80" },
+  { 0x00210000, "\xF8\x88\x90\x80\x80" },
+  { 0x00220000, "\xF8\x88\xA0\x80\x80" },
+  { 0x00240000, "\xF8\x89\x80\x80\x80" },
+  { 0x00280000, "\xF8\x8A\x80\x80\x80" },
+  { 0x00300000, "\xF8\x8C\x80\x80\x80" },
+  { 0x003FFFFF, "\xF8\x8F\xBF\xBF\xBF" },
+  { 0x00400000, "\xF8\x90\x80\x80\x80" },
+  { 0x00400001, "\xF8\x90\x80\x80\x81" },
+  { 0x00400002, "\xF8\x90\x80\x80\x82" },
+  { 0x00400004, "\xF8\x90\x80\x80\x84" },
+  { 0x00400008, "\xF8\x90\x80\x80\x88" },
+  { 0x00400010, "\xF8\x90\x80\x80\x90" },
+  { 0x00400020, "\xF8\x90\x80\x80\xA0" },
+  { 0x00400040, "\xF8\x90\x80\x81\x80" },
+  { 0x00400080, "\xF8\x90\x80\x82\x80" },
+  { 0x00400100, "\xF8\x90\x80\x84\x80" },
+  { 0x00400200, "\xF8\x90\x80\x88\x80" },
+  { 0x00400400, "\xF8\x90\x80\x90\x80" },
+  { 0x00400800, "\xF8\x90\x80\xA0\x80" },
+  { 0x00401000, "\xF8\x90\x81\x80\x80" },
+  { 0x00402000, "\xF8\x90\x82\x80\x80" },
+  { 0x00404000, "\xF8\x90\x84\x80\x80" },
+  { 0x00408000, "\xF8\x90\x88\x80\x80" },
+  { 0x00410000, "\xF8\x90\x90\x80\x80" },
+  { 0x00420000, "\xF8\x90\xA0\x80\x80" },
+  { 0x00440000, "\xF8\x91\x80\x80\x80" },
+  { 0x00480000, "\xF8\x92\x80\x80\x80" },
+  { 0x00500000, "\xF8\x94\x80\x80\x80" },
+  { 0x00600000, "\xF8\x98\x80\x80\x80" },
+  { 0x007FFFFF, "\xF8\x9F\xBF\xBF\xBF" },
+  { 0x00800000, "\xF8\xA0\x80\x80\x80" },
+  { 0x00800001, "\xF8\xA0\x80\x80\x81" },
+  { 0x00800002, "\xF8\xA0\x80\x80\x82" },
+  { 0x00800004, "\xF8\xA0\x80\x80\x84" },
+  { 0x00800008, "\xF8\xA0\x80\x80\x88" },
+  { 0x00800010, "\xF8\xA0\x80\x80\x90" },
+  { 0x00800020, "\xF8\xA0\x80\x80\xA0" },
+  { 0x00800040, "\xF8\xA0\x80\x81\x80" },
+  { 0x00800080, "\xF8\xA0\x80\x82\x80" },
+  { 0x00800100, "\xF8\xA0\x80\x84\x80" },
+  { 0x00800200, "\xF8\xA0\x80\x88\x80" },
+  { 0x00800400, "\xF8\xA0\x80\x90\x80" },
+  { 0x00800800, "\xF8\xA0\x80\xA0\x80" },
+  { 0x00801000, "\xF8\xA0\x81\x80\x80" },
+  { 0x00802000, "\xF8\xA0\x82\x80\x80" },
+  { 0x00804000, "\xF8\xA0\x84\x80\x80" },
+  { 0x00808000, "\xF8\xA0\x88\x80\x80" },
+  { 0x00810000, "\xF8\xA0\x90\x80\x80" },
+  { 0x00820000, "\xF8\xA0\xA0\x80\x80" },
+  { 0x00840000, "\xF8\xA1\x80\x80\x80" },
+  { 0x00880000, "\xF8\xA2\x80\x80\x80" },
+  { 0x00900000, "\xF8\xA4\x80\x80\x80" },
+  { 0x00A00000, "\xF8\xA8\x80\x80\x80" },
+  { 0x00C00000, "\xF8\xB0\x80\x80\x80" },
+  { 0x00FFFFFF, "\xF8\xBF\xBF\xBF\xBF" },
+  { 0x01000000, "\xF9\x80\x80\x80\x80" },
+  { 0x01000001, "\xF9\x80\x80\x80\x81" },
+  { 0x01000002, "\xF9\x80\x80\x80\x82" },
+  { 0x01000004, "\xF9\x80\x80\x80\x84" },
+  { 0x01000008, "\xF9\x80\x80\x80\x88" },
+  { 0x01000010, "\xF9\x80\x80\x80\x90" },
+  { 0x01000020, "\xF9\x80\x80\x80\xA0" },
+  { 0x01000040, "\xF9\x80\x80\x81\x80" },
+  { 0x01000080, "\xF9\x80\x80\x82\x80" },
+  { 0x01000100, "\xF9\x80\x80\x84\x80" },
+  { 0x01000200, "\xF9\x80\x80\x88\x80" },
+  { 0x01000400, "\xF9\x80\x80\x90\x80" },
+  { 0x01000800, "\xF9\x80\x80\xA0\x80" },
+  { 0x01001000, "\xF9\x80\x81\x80\x80" },
+  { 0x01002000, "\xF9\x80\x82\x80\x80" },
+  { 0x01004000, "\xF9\x80\x84\x80\x80" },
+  { 0x01008000, "\xF9\x80\x88\x80\x80" },
+  { 0x01010000, "\xF9\x80\x90\x80\x80" },
+  { 0x01020000, "\xF9\x80\xA0\x80\x80" },
+  { 0x01040000, "\xF9\x81\x80\x80\x80" },
+  { 0x01080000, "\xF9\x82\x80\x80\x80" },
+  { 0x01100000, "\xF9\x84\x80\x80\x80" },
+  { 0x01200000, "\xF9\x88\x80\x80\x80" },
+  { 0x01400000, "\xF9\x90\x80\x80\x80" },
+  { 0x01800000, "\xF9\xA0\x80\x80\x80" },
+  { 0x01FFFFFF, "\xF9\xBF\xBF\xBF\xBF" },
+  { 0x02000000, "\xFA\x80\x80\x80\x80" },
+  { 0x02000001, "\xFA\x80\x80\x80\x81" },
+  { 0x02000002, "\xFA\x80\x80\x80\x82" },
+  { 0x02000004, "\xFA\x80\x80\x80\x84" },
+  { 0x02000008, "\xFA\x80\x80\x80\x88" },
+  { 0x02000010, "\xFA\x80\x80\x80\x90" },
+  { 0x02000020, "\xFA\x80\x80\x80\xA0" },
+  { 0x02000040, "\xFA\x80\x80\x81\x80" },
+  { 0x02000080, "\xFA\x80\x80\x82\x80" },
+  { 0x02000100, "\xFA\x80\x80\x84\x80" },
+  { 0x02000200, "\xFA\x80\x80\x88\x80" },
+  { 0x02000400, "\xFA\x80\x80\x90\x80" },
+  { 0x02000800, "\xFA\x80\x80\xA0\x80" },
+  { 0x02001000, "\xFA\x80\x81\x80\x80" },
+  { 0x02002000, "\xFA\x80\x82\x80\x80" },
+  { 0x02004000, "\xFA\x80\x84\x80\x80" },
+  { 0x02008000, "\xFA\x80\x88\x80\x80" },
+  { 0x02010000, "\xFA\x80\x90\x80\x80" },
+  { 0x02020000, "\xFA\x80\xA0\x80\x80" },
+  { 0x02040000, "\xFA\x81\x80\x80\x80" },
+  { 0x02080000, "\xFA\x82\x80\x80\x80" },
+  { 0x02100000, "\xFA\x84\x80\x80\x80" },
+  { 0x02200000, "\xFA\x88\x80\x80\x80" },
+  { 0x02400000, "\xFA\x90\x80\x80\x80" },
+  { 0x02800000, "\xFA\xA0\x80\x80\x80" },
+  { 0x03000000, "\xFB\x80\x80\x80\x80" },
+  { 0x03FFFFFF, "\xFB\xBF\xBF\xBF\xBF" },
+          
+  { 0x04000000, "\xFC\x84\x80\x80\x80\x80" },
+  { 0x04000001, "\xFC\x84\x80\x80\x80\x81" },
+  { 0x04000002, "\xFC\x84\x80\x80\x80\x82" },
+  { 0x04000004, "\xFC\x84\x80\x80\x80\x84" },
+  { 0x04000008, "\xFC\x84\x80\x80\x80\x88" },
+  { 0x04000010, "\xFC\x84\x80\x80\x80\x90" },
+  { 0x04000020, "\xFC\x84\x80\x80\x80\xA0" },
+  { 0x04000040, "\xFC\x84\x80\x80\x81\x80" },
+  { 0x04000080, "\xFC\x84\x80\x80\x82\x80" },
+  { 0x04000100, "\xFC\x84\x80\x80\x84\x80" },
+  { 0x04000200, "\xFC\x84\x80\x80\x88\x80" },
+  { 0x04000400, "\xFC\x84\x80\x80\x90\x80" },
+  { 0x04000800, "\xFC\x84\x80\x80\xA0\x80" },
+  { 0x04001000, "\xFC\x84\x80\x81\x80\x80" },
+  { 0x04002000, "\xFC\x84\x80\x82\x80\x80" },
+  { 0x04004000, "\xFC\x84\x80\x84\x80\x80" },
+  { 0x04008000, "\xFC\x84\x80\x88\x80\x80" },
+  { 0x04010000, "\xFC\x84\x80\x90\x80\x80" },
+  { 0x04020000, "\xFC\x84\x80\xA0\x80\x80" },
+  { 0x04040000, "\xFC\x84\x81\x80\x80\x80" },
+  { 0x04080000, "\xFC\x84\x82\x80\x80\x80" },
+  { 0x04100000, "\xFC\x84\x84\x80\x80\x80" },
+  { 0x04200000, "\xFC\x84\x88\x80\x80\x80" },
+  { 0x04400000, "\xFC\x84\x90\x80\x80\x80" },
+  { 0x04800000, "\xFC\x84\xA0\x80\x80\x80" },
+  { 0x05000000, "\xFC\x85\x80\x80\x80\x80" },
+  { 0x06000000, "\xFC\x86\x80\x80\x80\x80" },
+  { 0x07FFFFFF, "\xFC\x87\xBF\xBF\xBF\xBF" },
+  { 0x08000000, "\xFC\x88\x80\x80\x80\x80" },
+  { 0x08000001, "\xFC\x88\x80\x80\x80\x81" },
+  { 0x08000002, "\xFC\x88\x80\x80\x80\x82" },
+  { 0x08000004, "\xFC\x88\x80\x80\x80\x84" },
+  { 0x08000008, "\xFC\x88\x80\x80\x80\x88" },
+  { 0x08000010, "\xFC\x88\x80\x80\x80\x90" },
+  { 0x08000020, "\xFC\x88\x80\x80\x80\xA0" },
+  { 0x08000040, "\xFC\x88\x80\x80\x81\x80" },
+  { 0x08000080, "\xFC\x88\x80\x80\x82\x80" },
+  { 0x08000100, "\xFC\x88\x80\x80\x84\x80" },
+  { 0x08000200, "\xFC\x88\x80\x80\x88\x80" },
+  { 0x08000400, "\xFC\x88\x80\x80\x90\x80" },
+  { 0x08000800, "\xFC\x88\x80\x80\xA0\x80" },
+  { 0x08001000, "\xFC\x88\x80\x81\x80\x80" },
+  { 0x08002000, "\xFC\x88\x80\x82\x80\x80" },
+  { 0x08004000, "\xFC\x88\x80\x84\x80\x80" },
+  { 0x08008000, "\xFC\x88\x80\x88\x80\x80" },
+  { 0x08010000, "\xFC\x88\x80\x90\x80\x80" },
+  { 0x08020000, "\xFC\x88\x80\xA0\x80\x80" },
+  { 0x08040000, "\xFC\x88\x81\x80\x80\x80" },
+  { 0x08080000, "\xFC\x88\x82\x80\x80\x80" },
+  { 0x08100000, "\xFC\x88\x84\x80\x80\x80" },
+  { 0x08200000, "\xFC\x88\x88\x80\x80\x80" },
+  { 0x08400000, "\xFC\x88\x90\x80\x80\x80" },
+  { 0x08800000, "\xFC\x88\xA0\x80\x80\x80" },
+  { 0x09000000, "\xFC\x89\x80\x80\x80\x80" },
+  { 0x0A000000, "\xFC\x8A\x80\x80\x80\x80" },
+  { 0x0C000000, "\xFC\x8C\x80\x80\x80\x80" },
+  { 0x0FFFFFFF, "\xFC\x8F\xBF\xBF\xBF\xBF" },
+  { 0x10000000, "\xFC\x90\x80\x80\x80\x80" },
+  { 0x10000001, "\xFC\x90\x80\x80\x80\x81" },
+  { 0x10000002, "\xFC\x90\x80\x80\x80\x82" },
+  { 0x10000004, "\xFC\x90\x80\x80\x80\x84" },
+  { 0x10000008, "\xFC\x90\x80\x80\x80\x88" },
+  { 0x10000010, "\xFC\x90\x80\x80\x80\x90" },
+  { 0x10000020, "\xFC\x90\x80\x80\x80\xA0" },
+  { 0x10000040, "\xFC\x90\x80\x80\x81\x80" },
+  { 0x10000080, "\xFC\x90\x80\x80\x82\x80" },
+  { 0x10000100, "\xFC\x90\x80\x80\x84\x80" },
+  { 0x10000200, "\xFC\x90\x80\x80\x88\x80" },
+  { 0x10000400, "\xFC\x90\x80\x80\x90\x80" },
+  { 0x10000800, "\xFC\x90\x80\x80\xA0\x80" },
+  { 0x10001000, "\xFC\x90\x80\x81\x80\x80" },
+  { 0x10002000, "\xFC\x90\x80\x82\x80\x80" },
+  { 0x10004000, "\xFC\x90\x80\x84\x80\x80" },
+  { 0x10008000, "\xFC\x90\x80\x88\x80\x80" },
+  { 0x10010000, "\xFC\x90\x80\x90\x80\x80" },
+  { 0x10020000, "\xFC\x90\x80\xA0\x80\x80" },
+  { 0x10040000, "\xFC\x90\x81\x80\x80\x80" },
+  { 0x10080000, "\xFC\x90\x82\x80\x80\x80" },
+  { 0x10100000, "\xFC\x90\x84\x80\x80\x80" },
+  { 0x10200000, "\xFC\x90\x88\x80\x80\x80" },
+  { 0x10400000, "\xFC\x90\x90\x80\x80\x80" },
+  { 0x10800000, "\xFC\x90\xA0\x80\x80\x80" },
+  { 0x11000000, "\xFC\x91\x80\x80\x80\x80" },
+  { 0x12000000, "\xFC\x92\x80\x80\x80\x80" },
+  { 0x14000000, "\xFC\x94\x80\x80\x80\x80" },
+  { 0x18000000, "\xFC\x98\x80\x80\x80\x80" },
+  { 0x1FFFFFFF, "\xFC\x9F\xBF\xBF\xBF\xBF" },
+  { 0x20000000, "\xFC\xA0\x80\x80\x80\x80" },
+  { 0x20000001, "\xFC\xA0\x80\x80\x80\x81" },
+  { 0x20000002, "\xFC\xA0\x80\x80\x80\x82" },
+  { 0x20000004, "\xFC\xA0\x80\x80\x80\x84" },
+  { 0x20000008, "\xFC\xA0\x80\x80\x80\x88" },
+  { 0x20000010, "\xFC\xA0\x80\x80\x80\x90" },
+  { 0x20000020, "\xFC\xA0\x80\x80\x80\xA0" },
+  { 0x20000040, "\xFC\xA0\x80\x80\x81\x80" },
+  { 0x20000080, "\xFC\xA0\x80\x80\x82\x80" },
+  { 0x20000100, "\xFC\xA0\x80\x80\x84\x80" },
+  { 0x20000200, "\xFC\xA0\x80\x80\x88\x80" },
+  { 0x20000400, "\xFC\xA0\x80\x80\x90\x80" },
+  { 0x20000800, "\xFC\xA0\x80\x80\xA0\x80" },
+  { 0x20001000, "\xFC\xA0\x80\x81\x80\x80" },
+  { 0x20002000, "\xFC\xA0\x80\x82\x80\x80" },
+  { 0x20004000, "\xFC\xA0\x80\x84\x80\x80" },
+  { 0x20008000, "\xFC\xA0\x80\x88\x80\x80" },
+  { 0x20010000, "\xFC\xA0\x80\x90\x80\x80" },
+  { 0x20020000, "\xFC\xA0\x80\xA0\x80\x80" },
+  { 0x20040000, "\xFC\xA0\x81\x80\x80\x80" },
+  { 0x20080000, "\xFC\xA0\x82\x80\x80\x80" },
+  { 0x20100000, "\xFC\xA0\x84\x80\x80\x80" },
+  { 0x20200000, "\xFC\xA0\x88\x80\x80\x80" },
+  { 0x20400000, "\xFC\xA0\x90\x80\x80\x80" },
+  { 0x20800000, "\xFC\xA0\xA0\x80\x80\x80" },
+  { 0x21000000, "\xFC\xA1\x80\x80\x80\x80" },
+  { 0x22000000, "\xFC\xA2\x80\x80\x80\x80" },
+  { 0x24000000, "\xFC\xA4\x80\x80\x80\x80" },
+  { 0x28000000, "\xFC\xA8\x80\x80\x80\x80" },
+  { 0x30000000, "\xFC\xB0\x80\x80\x80\x80" },
+  { 0x3FFFFFFF, "\xFC\xBF\xBF\xBF\xBF\xBF" },
+  { 0x40000000, "\xFD\x80\x80\x80\x80\x80" },
+  { 0x40000001, "\xFD\x80\x80\x80\x80\x81" },
+  { 0x40000002, "\xFD\x80\x80\x80\x80\x82" },
+  { 0x40000004, "\xFD\x80\x80\x80\x80\x84" },
+  { 0x40000008, "\xFD\x80\x80\x80\x80\x88" },
+  { 0x40000010, "\xFD\x80\x80\x80\x80\x90" },
+  { 0x40000020, "\xFD\x80\x80\x80\x80\xA0" },
+  { 0x40000040, "\xFD\x80\x80\x80\x81\x80" },
+  { 0x40000080, "\xFD\x80\x80\x80\x82\x80" },
+  { 0x40000100, "\xFD\x80\x80\x80\x84\x80" },
+  { 0x40000200, "\xFD\x80\x80\x80\x88\x80" },
+  { 0x40000400, "\xFD\x80\x80\x80\x90\x80" },
+  { 0x40000800, "\xFD\x80\x80\x80\xA0\x80" },
+  { 0x40001000, "\xFD\x80\x80\x81\x80\x80" },
+  { 0x40002000, "\xFD\x80\x80\x82\x80\x80" },
+  { 0x40004000, "\xFD\x80\x80\x84\x80\x80" },
+  { 0x40008000, "\xFD\x80\x80\x88\x80\x80" },
+  { 0x40010000, "\xFD\x80\x80\x90\x80\x80" },
+  { 0x40020000, "\xFD\x80\x80\xA0\x80\x80" },
+  { 0x40040000, "\xFD\x80\x81\x80\x80\x80" },
+  { 0x40080000, "\xFD\x80\x82\x80\x80\x80" },
+  { 0x40100000, "\xFD\x80\x84\x80\x80\x80" },
+  { 0x40200000, "\xFD\x80\x88\x80\x80\x80" },
+  { 0x40400000, "\xFD\x80\x90\x80\x80\x80" },
+  { 0x40800000, "\xFD\x80\xA0\x80\x80\x80" },
+  { 0x41000000, "\xFD\x81\x80\x80\x80\x80" },
+  { 0x42000000, "\xFD\x82\x80\x80\x80\x80" },
+  { 0x44000000, "\xFD\x84\x80\x80\x80\x80" },
+  { 0x48000000, "\xFD\x88\x80\x80\x80\x80" },
+  { 0x50000000, "\xFD\x90\x80\x80\x80\x80" },
+  { 0x60000000, "\xFD\xA0\x80\x80\x80\x80" },
+  { 0x7FFFFFFF, "\xFD\xBF\xBF\xBF\xBF\xBF" }
+};
+
+/*
+ * UCS-2 vectors
+ */
+
+struct ucs2 ucs2[] = {
+  { 0x0001, "\x01" },
+  { 0x0002, "\x02" },
+  { 0x0003, "\x03" },
+  { 0x0004, "\x04" },
+  { 0x0007, "\x07" },
+  { 0x0008, "\x08" },
+  { 0x000F, "\x0F" },
+  { 0x0010, "\x10" },
+  { 0x001F, "\x1F" },
+  { 0x0020, "\x20" },
+  { 0x003F, "\x3F" },
+  { 0x0040, "\x40" },
+  { 0x007F, "\x7F" },
+          
+  { 0x0080, "\xC2\x80" },
+  { 0x0081, "\xC2\x81" },
+  { 0x0082, "\xC2\x82" },
+  { 0x0084, "\xC2\x84" },
+  { 0x0088, "\xC2\x88" },
+  { 0x0090, "\xC2\x90" },
+  { 0x00A0, "\xC2\xA0" },
+  { 0x00C0, "\xC3\x80" },
+  { 0x00FF, "\xC3\xBF" },
+  { 0x0100, "\xC4\x80" },
+  { 0x0101, "\xC4\x81" },
+  { 0x0102, "\xC4\x82" },
+  { 0x0104, "\xC4\x84" },
+  { 0x0108, "\xC4\x88" },
+  { 0x0110, "\xC4\x90" },
+  { 0x0120, "\xC4\xA0" },
+  { 0x0140, "\xC5\x80" },
+  { 0x0180, "\xC6\x80" },
+  { 0x01FF, "\xC7\xBF" },
+  { 0x0200, "\xC8\x80" },
+  { 0x0201, "\xC8\x81" },
+  { 0x0202, "\xC8\x82" },
+  { 0x0204, "\xC8\x84" },
+  { 0x0208, "\xC8\x88" },
+  { 0x0210, "\xC8\x90" },
+  { 0x0220, "\xC8\xA0" },
+  { 0x0240, "\xC9\x80" },
+  { 0x0280, "\xCA\x80" },
+  { 0x0300, "\xCC\x80" },
+  { 0x03FF, "\xCF\xBF" },
+  { 0x0400, "\xD0\x80" },
+  { 0x0401, "\xD0\x81" },
+  { 0x0402, "\xD0\x82" },
+  { 0x0404, "\xD0\x84" },
+  { 0x0408, "\xD0\x88" },
+  { 0x0410, "\xD0\x90" },
+  { 0x0420, "\xD0\xA0" },
+  { 0x0440, "\xD1\x80" },
+  { 0x0480, "\xD2\x80" },
+  { 0x0500, "\xD4\x80" },
+  { 0x0600, "\xD8\x80" },
+  { 0x07FF, "\xDF\xBF" },
+          
+  { 0x0800, "\xE0\xA0\x80" },
+  { 0x0801, "\xE0\xA0\x81" },
+  { 0x0802, "\xE0\xA0\x82" },
+  { 0x0804, "\xE0\xA0\x84" },
+  { 0x0808, "\xE0\xA0\x88" },
+  { 0x0810, "\xE0\xA0\x90" },
+  { 0x0820, "\xE0\xA0\xA0" },
+  { 0x0840, "\xE0\xA1\x80" },
+  { 0x0880, "\xE0\xA2\x80" },
+  { 0x0900, "\xE0\xA4\x80" },
+  { 0x0A00, "\xE0\xA8\x80" },
+  { 0x0C00, "\xE0\xB0\x80" },
+  { 0x0FFF, "\xE0\xBF\xBF" },
+  { 0x1000, "\xE1\x80\x80" },
+  { 0x1001, "\xE1\x80\x81" },
+  { 0x1002, "\xE1\x80\x82" },
+  { 0x1004, "\xE1\x80\x84" },
+  { 0x1008, "\xE1\x80\x88" },
+  { 0x1010, "\xE1\x80\x90" },
+  { 0x1020, "\xE1\x80\xA0" },
+  { 0x1040, "\xE1\x81\x80" },
+  { 0x1080, "\xE1\x82\x80" },
+  { 0x1100, "\xE1\x84\x80" },
+  { 0x1200, "\xE1\x88\x80" },
+  { 0x1400, "\xE1\x90\x80" },
+  { 0x1800, "\xE1\xA0\x80" },
+  { 0x1FFF, "\xE1\xBF\xBF" },
+  { 0x2000, "\xE2\x80\x80" },
+  { 0x2001, "\xE2\x80\x81" },
+  { 0x2002, "\xE2\x80\x82" },
+  { 0x2004, "\xE2\x80\x84" },
+  { 0x2008, "\xE2\x80\x88" },
+  { 0x2010, "\xE2\x80\x90" },
+  { 0x2020, "\xE2\x80\xA0" },
+  { 0x2040, "\xE2\x81\x80" },
+  { 0x2080, "\xE2\x82\x80" },
+  { 0x2100, "\xE2\x84\x80" },
+  { 0x2200, "\xE2\x88\x80" },
+  { 0x2400, "\xE2\x90\x80" },
+  { 0x2800, "\xE2\xA0\x80" },
+  { 0x3000, "\xE3\x80\x80" },
+  { 0x3FFF, "\xE3\xBF\xBF" },
+  { 0x4000, "\xE4\x80\x80" },
+  { 0x4001, "\xE4\x80\x81" },
+  { 0x4002, "\xE4\x80\x82" },
+  { 0x4004, "\xE4\x80\x84" },
+  { 0x4008, "\xE4\x80\x88" },
+  { 0x4010, "\xE4\x80\x90" },
+  { 0x4020, "\xE4\x80\xA0" },
+  { 0x4040, "\xE4\x81\x80" },
+  { 0x4080, "\xE4\x82\x80" },
+  { 0x4100, "\xE4\x84\x80" },
+  { 0x4200, "\xE4\x88\x80" },
+  { 0x4400, "\xE4\x90\x80" },
+  { 0x4800, "\xE4\xA0\x80" },
+  { 0x5000, "\xE5\x80\x80" },
+  { 0x6000, "\xE6\x80\x80" },
+  { 0x7FFF, "\xE7\xBF\xBF" },
+  { 0x8000, "\xE8\x80\x80" },
+  { 0x8001, "\xE8\x80\x81" },
+  { 0x8002, "\xE8\x80\x82" },
+  { 0x8004, "\xE8\x80\x84" },
+  { 0x8008, "\xE8\x80\x88" },
+  { 0x8010, "\xE8\x80\x90" },
+  { 0x8020, "\xE8\x80\xA0" },
+  { 0x8040, "\xE8\x81\x80" },
+  { 0x8080, "\xE8\x82\x80" },
+  { 0x8100, "\xE8\x84\x80" },
+  { 0x8200, "\xE8\x88\x80" },
+  { 0x8400, "\xE8\x90\x80" },
+  { 0x8800, "\xE8\xA0\x80" },
+  { 0x9000, "\xE9\x80\x80" },
+  { 0xA000, "\xEA\x80\x80" },
+  { 0xC000, "\xEC\x80\x80" },
+  { 0xFFFF, "\xEF\xBF\xBF" }
+
+};
+
+#ifdef UTF16
+/*
+ * UTF-16 vectors
+ */
+
+struct utf16 utf16[] = {
+  { 0x00010000, { 0xD800, 0xDC00 } },
+  { 0x00010001, { 0xD800, 0xDC01 } },
+  { 0x00010002, { 0xD800, 0xDC02 } },
+  { 0x00010003, { 0xD800, 0xDC03 } },
+  { 0x00010004, { 0xD800, 0xDC04 } },
+  { 0x00010007, { 0xD800, 0xDC07 } },
+  { 0x00010008, { 0xD800, 0xDC08 } },
+  { 0x0001000F, { 0xD800, 0xDC0F } },
+  { 0x00010010, { 0xD800, 0xDC10 } },
+  { 0x0001001F, { 0xD800, 0xDC1F } },
+  { 0x00010020, { 0xD800, 0xDC20 } },
+  { 0x0001003F, { 0xD800, 0xDC3F } },
+  { 0x00010040, { 0xD800, 0xDC40 } },
+  { 0x0001007F, { 0xD800, 0xDC7F } },
+  { 0x00010080, { 0xD800, 0xDC80 } },
+  { 0x00010081, { 0xD800, 0xDC81 } },
+  { 0x00010082, { 0xD800, 0xDC82 } },
+  { 0x00010084, { 0xD800, 0xDC84 } },
+  { 0x00010088, { 0xD800, 0xDC88 } },
+  { 0x00010090, { 0xD800, 0xDC90 } },
+  { 0x000100A0, { 0xD800, 0xDCA0 } },
+  { 0x000100C0, { 0xD800, 0xDCC0 } },
+  { 0x000100FF, { 0xD800, 0xDCFF } },
+  { 0x00010100, { 0xD800, 0xDD00 } },
+  { 0x00010101, { 0xD800, 0xDD01 } },
+  { 0x00010102, { 0xD800, 0xDD02 } },
+  { 0x00010104, { 0xD800, 0xDD04 } },
+  { 0x00010108, { 0xD800, 0xDD08 } },
+  { 0x00010110, { 0xD800, 0xDD10 } },
+  { 0x00010120, { 0xD800, 0xDD20 } },
+  { 0x00010140, { 0xD800, 0xDD40 } },
+  { 0x00010180, { 0xD800, 0xDD80 } },
+  { 0x000101FF, { 0xD800, 0xDDFF } },
+  { 0x00010200, { 0xD800, 0xDE00 } },
+  { 0x00010201, { 0xD800, 0xDE01 } },
+  { 0x00010202, { 0xD800, 0xDE02 } },
+  { 0x00010204, { 0xD800, 0xDE04 } },
+  { 0x00010208, { 0xD800, 0xDE08 } },
+  { 0x00010210, { 0xD800, 0xDE10 } },
+  { 0x00010220, { 0xD800, 0xDE20 } },
+  { 0x00010240, { 0xD800, 0xDE40 } },
+  { 0x00010280, { 0xD800, 0xDE80 } },
+  { 0x00010300, { 0xD800, 0xDF00 } },
+  { 0x000103FF, { 0xD800, 0xDFFF } },
+  { 0x00010400, { 0xD801, 0xDC00 } },
+  { 0x00010401, { 0xD801, 0xDC01 } },
+  { 0x00010402, { 0xD801, 0xDC02 } },
+  { 0x00010404, { 0xD801, 0xDC04 } },
+  { 0x00010408, { 0xD801, 0xDC08 } },
+  { 0x00010410, { 0xD801, 0xDC10 } },
+  { 0x00010420, { 0xD801, 0xDC20 } },
+  { 0x00010440, { 0xD801, 0xDC40 } },
+  { 0x00010480, { 0xD801, 0xDC80 } },
+  { 0x00010500, { 0xD801, 0xDD00 } },
+  { 0x00010600, { 0xD801, 0xDE00 } },
+  { 0x000107FF, { 0xD801, 0xDFFF } },
+  { 0x00010800, { 0xD802, 0xDC00 } },
+  { 0x00010801, { 0xD802, 0xDC01 } },
+  { 0x00010802, { 0xD802, 0xDC02 } },
+  { 0x00010804, { 0xD802, 0xDC04 } },
+  { 0x00010808, { 0xD802, 0xDC08 } },
+  { 0x00010810, { 0xD802, 0xDC10 } },
+  { 0x00010820, { 0xD802, 0xDC20 } },
+  { 0x00010840, { 0xD802, 0xDC40 } },
+  { 0x00010880, { 0xD802, 0xDC80 } },
+  { 0x00010900, { 0xD802, 0xDD00 } },
+  { 0x00010A00, { 0xD802, 0xDE00 } },
+  { 0x00010C00, { 0xD803, 0xDC00 } },
+  { 0x00010FFF, { 0xD803, 0xDFFF } },
+  { 0x00011000, { 0xD804, 0xDC00 } },
+  { 0x00011001, { 0xD804, 0xDC01 } },
+  { 0x00011002, { 0xD804, 0xDC02 } },
+  { 0x00011004, { 0xD804, 0xDC04 } },
+  { 0x00011008, { 0xD804, 0xDC08 } },
+  { 0x00011010, { 0xD804, 0xDC10 } },
+  { 0x00011020, { 0xD804, 0xDC20 } },
+  { 0x00011040, { 0xD804, 0xDC40 } },
+  { 0x00011080, { 0xD804, 0xDC80 } },
+  { 0x00011100, { 0xD804, 0xDD00 } },
+  { 0x00011200, { 0xD804, 0xDE00 } },
+  { 0x00011400, { 0xD805, 0xDC00 } },
+  { 0x00011800, { 0xD806, 0xDC00 } },
+  { 0x00011FFF, { 0xD807, 0xDFFF } },
+  { 0x00012000, { 0xD808, 0xDC00 } },
+  { 0x00012001, { 0xD808, 0xDC01 } },
+  { 0x00012002, { 0xD808, 0xDC02 } },
+  { 0x00012004, { 0xD808, 0xDC04 } },
+  { 0x00012008, { 0xD808, 0xDC08 } },
+  { 0x00012010, { 0xD808, 0xDC10 } },
+  { 0x00012020, { 0xD808, 0xDC20 } },
+  { 0x00012040, { 0xD808, 0xDC40 } },
+  { 0x00012080, { 0xD808, 0xDC80 } },
+  { 0x00012100, { 0xD808, 0xDD00 } },
+  { 0x00012200, { 0xD808, 0xDE00 } },
+  { 0x00012400, { 0xD809, 0xDC00 } },
+  { 0x00012800, { 0xD80A, 0xDC00 } },
+  { 0x00013000, { 0xD80C, 0xDC00 } },
+  { 0x00013FFF, { 0xD80F, 0xDFFF } },
+  { 0x00014000, { 0xD810, 0xDC00 } },
+  { 0x00014001, { 0xD810, 0xDC01 } },
+  { 0x00014002, { 0xD810, 0xDC02 } },
+  { 0x00014004, { 0xD810, 0xDC04 } },
+  { 0x00014008, { 0xD810, 0xDC08 } },
+  { 0x00014010, { 0xD810, 0xDC10 } },
+  { 0x00014020, { 0xD810, 0xDC20 } },
+  { 0x00014040, { 0xD810, 0xDC40 } },
+  { 0x00014080, { 0xD810, 0xDC80 } },
+  { 0x00014100, { 0xD810, 0xDD00 } },
+  { 0x00014200, { 0xD810, 0xDE00 } },
+  { 0x00014400, { 0xD811, 0xDC00 } },
+  { 0x00014800, { 0xD812, 0xDC00 } },
+  { 0x00015000, { 0xD814, 0xDC00 } },
+  { 0x00016000, { 0xD818, 0xDC00 } },
+  { 0x00017FFF, { 0xD81F, 0xDFFF } },
+  { 0x00018000, { 0xD820, 0xDC00 } },
+  { 0x00018001, { 0xD820, 0xDC01 } },
+  { 0x00018002, { 0xD820, 0xDC02 } },
+  { 0x00018004, { 0xD820, 0xDC04 } },
+  { 0x00018008, { 0xD820, 0xDC08 } },
+  { 0x00018010, { 0xD820, 0xDC10 } },
+  { 0x00018020, { 0xD820, 0xDC20 } },
+  { 0x00018040, { 0xD820, 0xDC40 } },
+  { 0x00018080, { 0xD820, 0xDC80 } },
+  { 0x00018100, { 0xD820, 0xDD00 } },
+  { 0x00018200, { 0xD820, 0xDE00 } },
+  { 0x00018400, { 0xD821, 0xDC00 } },
+  { 0x00018800, { 0xD822, 0xDC00 } },
+  { 0x00019000, { 0xD824, 0xDC00 } },
+  { 0x0001A000, { 0xD828, 0xDC00 } },
+  { 0x0001C000, { 0xD830, 0xDC00 } },
+  { 0x0001FFFF, { 0xD83F, 0xDFFF } },
+  { 0x00020000, { 0xD840, 0xDC00 } },
+  { 0x00020001, { 0xD840, 0xDC01 } },
+  { 0x00020002, { 0xD840, 0xDC02 } },
+  { 0x00020004, { 0xD840, 0xDC04 } },
+  { 0x00020008, { 0xD840, 0xDC08 } },
+  { 0x00020010, { 0xD840, 0xDC10 } },
+  { 0x00020020, { 0xD840, 0xDC20 } },
+  { 0x00020040, { 0xD840, 0xDC40 } },
+  { 0x00020080, { 0xD840, 0xDC80 } },
+  { 0x00020100, { 0xD840, 0xDD00 } },
+  { 0x00020200, { 0xD840, 0xDE00 } },
+  { 0x00020400, { 0xD841, 0xDC00 } },
+  { 0x00020800, { 0xD842, 0xDC00 } },
+  { 0x00021000, { 0xD844, 0xDC00 } },
+  { 0x00022000, { 0xD848, 0xDC00 } },
+  { 0x00024000, { 0xD850, 0xDC00 } },
+  { 0x00028000, { 0xD860, 0xDC00 } },
+  { 0x0002FFFF, { 0xD87F, 0xDFFF } },
+  { 0x00030000, { 0xD880, 0xDC00 } },
+  { 0x00030001, { 0xD880, 0xDC01 } },
+  { 0x00030002, { 0xD880, 0xDC02 } },
+  { 0x00030004, { 0xD880, 0xDC04 } },
+  { 0x00030008, { 0xD880, 0xDC08 } },
+  { 0x00030010, { 0xD880, 0xDC10 } },
+  { 0x00030020, { 0xD880, 0xDC20 } },
+  { 0x00030040, { 0xD880, 0xDC40 } },
+  { 0x00030080, { 0xD880, 0xDC80 } },
+  { 0x00030100, { 0xD880, 0xDD00 } },
+  { 0x00030200, { 0xD880, 0xDE00 } },
+  { 0x00030400, { 0xD881, 0xDC00 } },
+  { 0x00030800, { 0xD882, 0xDC00 } },
+  { 0x00031000, { 0xD884, 0xDC00 } },
+  { 0x00032000, { 0xD888, 0xDC00 } },
+  { 0x00034000, { 0xD890, 0xDC00 } },
+  { 0x00038000, { 0xD8A0, 0xDC00 } },
+  { 0x0003FFFF, { 0xD8BF, 0xDFFF } },
+  { 0x00040000, { 0xD8C0, 0xDC00 } },
+  { 0x00040001, { 0xD8C0, 0xDC01 } },
+  { 0x00040002, { 0xD8C0, 0xDC02 } },
+  { 0x00040004, { 0xD8C0, 0xDC04 } },
+  { 0x00040008, { 0xD8C0, 0xDC08 } },
+  { 0x00040010, { 0xD8C0, 0xDC10 } },
+  { 0x00040020, { 0xD8C0, 0xDC20 } },
+  { 0x00040040, { 0xD8C0, 0xDC40 } },
+  { 0x00040080, { 0xD8C0, 0xDC80 } },
+  { 0x00040100, { 0xD8C0, 0xDD00 } },
+  { 0x00040200, { 0xD8C0, 0xDE00 } },
+  { 0x00040400, { 0xD8C1, 0xDC00 } },
+  { 0x00040800, { 0xD8C2, 0xDC00 } },
+  { 0x00041000, { 0xD8C4, 0xDC00 } },
+  { 0x00042000, { 0xD8C8, 0xDC00 } },
+  { 0x00044000, { 0xD8D0, 0xDC00 } },
+  { 0x00048000, { 0xD8E0, 0xDC00 } },
+  { 0x0004FFFF, { 0xD8FF, 0xDFFF } },
+  { 0x00050000, { 0xD900, 0xDC00 } },
+  { 0x00050001, { 0xD900, 0xDC01 } },
+  { 0x00050002, { 0xD900, 0xDC02 } },
+  { 0x00050004, { 0xD900, 0xDC04 } },
+  { 0x00050008, { 0xD900, 0xDC08 } },
+  { 0x00050010, { 0xD900, 0xDC10 } },
+  { 0x00050020, { 0xD900, 0xDC20 } },
+  { 0x00050040, { 0xD900, 0xDC40 } },
+  { 0x00050080, { 0xD900, 0xDC80 } },
+  { 0x00050100, { 0xD900, 0xDD00 } },
+  { 0x00050200, { 0xD900, 0xDE00 } },
+  { 0x00050400, { 0xD901, 0xDC00 } },
+  { 0x00050800, { 0xD902, 0xDC00 } },
+  { 0x00051000, { 0xD904, 0xDC00 } },
+  { 0x00052000, { 0xD908, 0xDC00 } },
+  { 0x00054000, { 0xD910, 0xDC00 } },
+  { 0x00058000, { 0xD920, 0xDC00 } },
+  { 0x00060000, { 0xD940, 0xDC00 } },
+  { 0x00070000, { 0xD980, 0xDC00 } },
+  { 0x0007FFFF, { 0xD9BF, 0xDFFF } },
+  { 0x00080000, { 0xD9C0, 0xDC00 } },
+  { 0x00080001, { 0xD9C0, 0xDC01 } },
+  { 0x00080002, { 0xD9C0, 0xDC02 } },
+  { 0x00080004, { 0xD9C0, 0xDC04 } },
+  { 0x00080008, { 0xD9C0, 0xDC08 } },
+  { 0x00080010, { 0xD9C0, 0xDC10 } },
+  { 0x00080020, { 0xD9C0, 0xDC20 } },
+  { 0x00080040, { 0xD9C0, 0xDC40 } },
+  { 0x00080080, { 0xD9C0, 0xDC80 } },
+  { 0x00080100, { 0xD9C0, 0xDD00 } },
+  { 0x00080200, { 0xD9C0, 0xDE00 } },
+  { 0x00080400, { 0xD9C1, 0xDC00 } },
+  { 0x00080800, { 0xD9C2, 0xDC00 } },
+  { 0x00081000, { 0xD9C4, 0xDC00 } },
+  { 0x00082000, { 0xD9C8, 0xDC00 } },
+  { 0x00084000, { 0xD9D0, 0xDC00 } },
+  { 0x00088000, { 0xD9E0, 0xDC00 } },
+  { 0x0008FFFF, { 0xD9FF, 0xDFFF } },
+  { 0x00090000, { 0xDA00, 0xDC00 } },
+  { 0x00090001, { 0xDA00, 0xDC01 } },
+  { 0x00090002, { 0xDA00, 0xDC02 } },
+  { 0x00090004, { 0xDA00, 0xDC04 } },
+  { 0x00090008, { 0xDA00, 0xDC08 } },
+  { 0x00090010, { 0xDA00, 0xDC10 } },
+  { 0x00090020, { 0xDA00, 0xDC20 } },
+  { 0x00090040, { 0xDA00, 0xDC40 } },
+  { 0x00090080, { 0xDA00, 0xDC80 } },
+  { 0x00090100, { 0xDA00, 0xDD00 } },
+  { 0x00090200, { 0xDA00, 0xDE00 } },
+  { 0x00090400, { 0xDA01, 0xDC00 } },
+  { 0x00090800, { 0xDA02, 0xDC00 } },
+  { 0x00091000, { 0xDA04, 0xDC00 } },
+  { 0x00092000, { 0xDA08, 0xDC00 } },
+  { 0x00094000, { 0xDA10, 0xDC00 } },
+  { 0x00098000, { 0xDA20, 0xDC00 } },
+  { 0x000A0000, { 0xDA40, 0xDC00 } },
+  { 0x000B0000, { 0xDA80, 0xDC00 } },
+  { 0x000C0000, { 0xDAC0, 0xDC00 } },
+  { 0x000D0000, { 0xDB00, 0xDC00 } },
+  { 0x000FFFFF, { 0xDBBF, 0xDFFF } },
+  { 0x0010FFFF, { 0xDBFF, 0xDFFF } }
+
+};
+#endif /* UTF16 */
+
+static void
+dump_utf8
+(
+  char *word,
+  unsigned char *utf8,
+  char *end
+)
+{
+  fprintf(stdout, "%s ", word);
+  for( ; *utf8; utf8++ ) {
+    fprintf(stdout, "%02.2x ", (unsigned int)*utf8);
+  }
+  fprintf(stdout, "%s", end);
+}
+
+static PRBool
+test_ucs4_chars
+(
+  void
+)
+{
+  PRBool rv = PR_TRUE;
+  int i;
+
+  for( i = 0; i < sizeof(ucs4)/sizeof(ucs4[0]); i++ ) {
+    struct ucs4 *e = &ucs4[i];
+    PRBool result;
+    unsigned char utf8[8];
+    unsigned int len = 0;
+    PRUint32 back = 0;
+
+    (void)memset(utf8, 0, sizeof(utf8));
+    
+    result = sec_port_ucs4_utf8_conversion_function(PR_FALSE, 
+      (unsigned char *)&e->c, sizeof(e->c), utf8, sizeof(utf8), &len);
+
+    if( !result ) {
+      fprintf(stdout, "Failed to convert UCS-4 0x%08.8x to UTF-8\n", e->c);
+      rv = PR_FALSE;
+      continue;
+    }
+
+    if( (len >= sizeof(utf8)) ||
+        (strlen(e->utf8) != len) ||
+        (utf8[len] = '\0', 0 != strcmp(e->utf8, utf8)) ) {
+      fprintf(stdout, "Wrong conversion of UCS-4 0x%08.8x to UTF-8: ", e->c);
+      dump_utf8("expected", e->utf8, ", ");
+      dump_utf8("received", utf8, "\n");
+      rv = PR_FALSE;
+      continue;
+    }
+
+    result = sec_port_ucs4_utf8_conversion_function(PR_TRUE,
+      utf8, len, (unsigned char *)&back, sizeof(back), &len);
+
+    if( !result ) {
+      dump_utf8("Failed to convert UTF-8", utf8, "to UCS-4\n");
+      rv = PR_FALSE;
+      continue;
+    }
+
+    if( (sizeof(back) != len) || (e->c != back) ) {
+      dump_utf8("Wrong conversion of UTF-8", utf8, " to UCS-4:");
+      fprintf(stdout, "expected 0x%08.8x, received 0x%08.8x\n", e->c, back);
+      rv = PR_FALSE;
+      continue;
+    }
+  }
+
+  return rv;
+}
+
+static PRBool
+test_ucs2_chars
+(
+  void
+)
+{
+  PRBool rv = PR_TRUE;
+  int i;
+
+  for( i = 0; i < sizeof(ucs2)/sizeof(ucs2[0]); i++ ) {
+    struct ucs2 *e = &ucs2[i];
+    PRBool result;
+    unsigned char utf8[8];
+    unsigned int len = 0;
+    PRUint16 back = 0;
+
+    (void)memset(utf8, 0, sizeof(utf8));
+    
+    result = sec_port_ucs2_utf8_conversion_function(PR_FALSE,
+      (unsigned char *)&e->c, sizeof(e->c), utf8, sizeof(utf8), &len);
+
+    if( !result ) {
+      fprintf(stdout, "Failed to convert UCS-2 0x%04.4x to UTF-8\n", e->c);
+      rv = PR_FALSE;
+      continue;
+    }
+
+    if( (len >= sizeof(utf8)) ||
+        (strlen(e->utf8) != len) ||
+        (utf8[len] = '\0', 0 != strcmp(e->utf8, utf8)) ) {
+      fprintf(stdout, "Wrong conversion of UCS-2 0x%04.4x to UTF-8: ", e->c);
+      dump_utf8("expected", e->utf8, ", ");
+      dump_utf8("received", utf8, "\n");
+      rv = PR_FALSE;
+      continue;
+    }
+
+    result = sec_port_ucs2_utf8_conversion_function(PR_TRUE,
+      utf8, len, (unsigned char *)&back, sizeof(back), &len);
+
+    if( !result ) {
+      dump_utf8("Failed to convert UTF-8", utf8, "to UCS-2\n");
+      rv = PR_FALSE;
+      continue;
+    }
+
+    if( (sizeof(back) != len) || (e->c != back) ) {
+      dump_utf8("Wrong conversion of UTF-8", utf8, "to UCS-2:");
+      fprintf(stdout, "expected 0x%08.8x, received 0x%08.8x\n", e->c, back);
+      rv = PR_FALSE;
+      continue;
+    }
+  }
+
+  return rv;
+}
+
+#ifdef UTF16
+static PRBool
+test_utf16_chars
+(
+  void
+)
+{
+  PRBool rv = PR_TRUE;
+  int i;
+
+  for( i = 0; i < sizeof(utf16)/sizeof(utf16[0]); i++ ) {
+    struct utf16 *e = &utf16[i];
+    PRBool result;
+    unsigned char utf8[8];
+    unsigned int len = 0;
+    PRUint32 back32 = 0;
+    PRUint16 back[2];
+
+    (void)memset(utf8, 0, sizeof(utf8));
+    
+    result = sec_port_ucs2_utf8_conversion_function(PR_FALSE, 
+      (unsigned char *)&e->w[0], sizeof(e->w), utf8, sizeof(utf8), &len);
+
+    if( !result ) {
+      fprintf(stdout, "Failed to convert UTF-16 0x%04.4x 0x%04.4x to UTF-8\n", 
+              e->w[0], e->w[1]);
+      rv = PR_FALSE;
+      continue;
+    }
+
+    result = sec_port_ucs4_utf8_conversion_function(PR_TRUE,
+      utf8, len, (unsigned char *)&back32, sizeof(back32), &len);
+
+    if( 4 != len ) {
+      fprintf(stdout, "Failed to convert UTF-16 0x%04.4x 0x%04.4x to UTF-8: "
+              "unexpected len %d\n", e->w[0], e->w[1], len);
+      rv = PR_FALSE;
+      continue;
+    }
+
+    utf8[len] = '\0'; /* null-terminate for printing */
+
+    if( !result ) {
+      dump_utf8("Failed to convert UTF-8", utf8, "to UCS-4 (utf-16 test)\n");
+      rv = PR_FALSE;
+      continue;
+    }
+
+    if( (sizeof(back32) != len) || (e->c != back32) ) {
+      fprintf(stdout, "Wrong conversion of UTF-16 0x%04.4x 0x%04.4x ", 
+              e->w[0], e->w[1]);
+      dump_utf8("to UTF-8", utf8, "and then to UCS-4: ");
+      if( sizeof(back32) != len ) {
+        fprintf(stdout, "len is %d\n", len);
+      } else {
+        fprintf(stdout, "expected 0x%08.8x, received 0x%08.8x\n", e->c, back32);
+      }
+      rv = PR_FALSE;
+      continue;
+    }
+
+    (void)memset(utf8, 0, sizeof(utf8));
+    back[0] = back[1] = 0;
+
+    result = sec_port_ucs4_utf8_conversion_function(PR_FALSE,
+      (unsigned char *)&e->c, sizeof(e->c), utf8, sizeof(utf8), &len);
+
+    if( !result ) {
+      fprintf(stdout, "Failed to convert UCS-4 0x%08.8x to UTF-8 (utf-16 test)\n",
+              e->c);
+      rv = PR_FALSE;
+      continue;
+    }
+
+    result = sec_port_ucs2_utf8_conversion_function(PR_TRUE,
+      utf8, len, (unsigned char *)&back[0], sizeof(back), &len);
+
+    if( 4 != len ) {
+      fprintf(stdout, "Failed to convert UCS-4 0x%08.8x to UTF-8: "
+              "unexpected len %d\n", e->c, len);
+      rv = PR_FALSE;
+      continue;
+    }
+
+    utf8[len] = '\0'; /* null-terminate for printing */
+
+    if( !result ) {
+      dump_utf8("Failed to convert UTF-8", utf8, "to UTF-16\n");
+      rv = PR_FALSE;
+      continue;
+    }
+
+    if( (sizeof(back) != len) || (e->w[0] != back[0]) || (e->w[1] != back[1]) ) {
+      fprintf(stdout, "Wrong conversion of UCS-4 0x%08.8x to UTF-8", e->c);
+      dump_utf8("", utf8, "and then to UTF-16:");
+      if( sizeof(back) != len ) {
+        fprintf(stdout, "len is %d\n", len);
+      } else {
+        fprintf(stdout, "expected 0x%04.4x 0x%04.4x, received 0x%04.4x 0x%04.4xx\n",
+                e->w[0], e->w[1], back[0], back[1]);
+      }
+      rv = PR_FALSE;
+      continue;
+    }
+  }
+
+  return rv;
+}
+#endif /* UTF16 */
+
+static PRBool
+test_zeroes
+(
+  void
+)
+{
+  PRBool rv = PR_TRUE;
+  PRBool result;
+  PRUint32 lzero = 0;
+  PRUint16 szero = 0;
+  unsigned char utf8[8];
+  unsigned int len = 0;
+  PRUint32 lback = 1;
+  PRUint16 sback = 1;
+
+  (void)memset(utf8, 1, sizeof(utf8));
+
+  result = sec_port_ucs4_utf8_conversion_function(PR_FALSE, 
+    (unsigned char *)&lzero, sizeof(lzero), utf8, sizeof(utf8), &len);
+
+  if( !result ) {
+    fprintf(stdout, "Failed to convert UCS-4 0x00000000 to UTF-8\n");
+    rv = PR_FALSE;
+  } else if( 1 != len ) {
+    fprintf(stdout, "Wrong conversion of UCS-4 0x00000000: len = %d\n", len);
+    rv = PR_FALSE;
+  } else if( '\0' != *utf8 ) {
+    fprintf(stdout, "Wrong conversion of UCS-4 0x00000000: expected 00 ,"
+            "received %02.2x\n", (unsigned int)*utf8);
+    rv = PR_FALSE;
+  }
+
+  result = sec_port_ucs4_utf8_conversion_function(PR_TRUE,
+    "", 1, (unsigned char *)&lback, sizeof(lback), &len);
+
+  if( !result ) {
+    fprintf(stdout, "Failed to convert UTF-8 00 to UCS-4\n");
+    rv = PR_FALSE;
+  } else if( 4 != len ) {
+    fprintf(stdout, "Wrong conversion of UTF-8 00 to UCS-4: len = %d\n", len);
+    rv = PR_FALSE;
+  } else if( 0 != lback ) {
+    fprintf(stdout, "Wrong conversion of UTF-8 00 to UCS-4: "
+            "expected 0x00000000, received 0x%08.8x\n", lback);
+    rv = PR_FALSE;
+  }
+
+  (void)memset(utf8, 1, sizeof(utf8));
+
+  result = sec_port_ucs2_utf8_conversion_function(PR_FALSE, 
+    (unsigned char *)&szero, sizeof(szero), utf8, sizeof(utf8), &len);
+
+  if( !result ) {
+    fprintf(stdout, "Failed to convert UCS-2 0x0000 to UTF-8\n");
+    rv = PR_FALSE;
+  } else if( 1 != len ) {
+    fprintf(stdout, "Wrong conversion of UCS-2 0x0000: len = %d\n", len);
+    rv = PR_FALSE;
+  } else if( '\0' != *utf8 ) {
+    fprintf(stdout, "Wrong conversion of UCS-2 0x0000: expected 00 ,"
+            "received %02.2x\n", (unsigned int)*utf8);
+    rv = PR_FALSE;
+  }
+
+  result = sec_port_ucs2_utf8_conversion_function(PR_TRUE,
+    "", 1, (unsigned char *)&sback, sizeof(sback), &len);
+
+  if( !result ) {
+    fprintf(stdout, "Failed to convert UTF-8 00 to UCS-2\n");
+    rv = PR_FALSE;
+  } else if( 2 != len ) {
+    fprintf(stdout, "Wrong conversion of UTF-8 00 to UCS-2: len = %d\n", len);
+    rv = PR_FALSE;
+  } else if( 0 != sback ) {
+    fprintf(stdout, "Wrong conversion of UTF-8 00 to UCS-2: "
+            "expected 0x0000, received 0x%04.4x\n", sback);
+    rv = PR_FALSE;
+  }
+
+  return rv;
+}
+
+static PRBool
+test_multichars
+(
+  void
+)
+{
+  int i;
+  unsigned int len, lenout;
+  PRUint32 *ucs4s;
+  char *ucs4_utf8;
+  PRUint16 *ucs2s;
+  char *ucs2_utf8;
+  void *tmp;
+  PRBool result;
+
+  ucs4s = (PRUint32 *)calloc(sizeof(ucs4)/sizeof(ucs4[0]), sizeof(PRUint32));
+  ucs2s = (PRUint16 *)calloc(sizeof(ucs2)/sizeof(ucs2[0]), sizeof(PRUint16));
+
+  if( ((PRUint32 *)NULL == ucs4s) || ((PRUint16 *)NULL == ucs2s) ) {
+    fprintf(stderr, "out of memory\n");
+    exit(1);
+  }
+
+  len = 0;
+  for( i = 0; i < sizeof(ucs4)/sizeof(ucs4[0]); i++ ) {
+    ucs4s[i] = ucs4[i].c;
+    len += strlen(ucs4[i].utf8);
+  }
+
+  ucs4_utf8 = (char *)malloc(len);
+
+  len = 0;
+  for( i = 0; i < sizeof(ucs2)/sizeof(ucs2[0]); i++ ) {
+    ucs2s[i] = ucs2[i].c;
+    len += strlen(ucs2[i].utf8);
+  }
+
+  ucs2_utf8 = (char *)malloc(len);
+
+  if( ((char *)NULL == ucs4_utf8) || ((char *)NULL == ucs2_utf8) ) {
+    fprintf(stderr, "out of memory\n");
+    exit(1);
+  }
+
+  *ucs4_utf8 = '\0';
+  for( i = 0; i < sizeof(ucs4)/sizeof(ucs4[0]); i++ ) {
+    strcat(ucs4_utf8, ucs4[i].utf8);
+  }
+
+  *ucs2_utf8 = '\0';
+  for( i = 0; i < sizeof(ucs2)/sizeof(ucs2[0]); i++ ) {
+    strcat(ucs2_utf8, ucs2[i].utf8);
+  }
+
+  /* UTF-8 -> UCS-4 */
+  len = sizeof(ucs4)/sizeof(ucs4[0]) * sizeof(PRUint32);
+  tmp = calloc(len, 1);
+  if( (void *)NULL == tmp ) {
+    fprintf(stderr, "out of memory\n");
+    exit(1);
+  }
+
+  result = sec_port_ucs4_utf8_conversion_function(PR_TRUE,
+    ucs4_utf8, strlen(ucs4_utf8), tmp, len, &lenout);
+  if( !result ) {
+    fprintf(stdout, "Failed to convert much UTF-8 to UCS-4\n");
+    goto done;
+  }
+
+  if( lenout != len ) {
+    fprintf(stdout, "Unexpected length converting much UTF-8 to UCS-4\n");
+    goto loser;
+  }
+
+  if( 0 != memcmp(ucs4s, tmp, len) ) {
+    fprintf(stdout, "Wrong conversion of much UTF-8 to UCS-4\n");
+    goto loser;
+  }
+
+  free(tmp); tmp = (void *)NULL;
+
+  /* UCS-4 -> UTF-8 */
+  len = strlen(ucs4_utf8);
+  tmp = calloc(len, 1);
+  if( (void *)NULL == tmp ) {
+    fprintf(stderr, "out of memory\n");
+    exit(1);
+  }
+
+  result = sec_port_ucs4_utf8_conversion_function(PR_FALSE,
+    (unsigned char *)ucs4s, sizeof(ucs4)/sizeof(ucs4[0]) * sizeof(PRUint32), 
+    tmp, len, &lenout);
+  if( !result ) {
+    fprintf(stdout, "Failed to convert much UCS-4 to UTF-8\n");
+    goto done;
+  }
+
+  if( lenout != len ) {
+    fprintf(stdout, "Unexpected length converting much UCS-4 to UTF-8\n");
+    goto loser;
+  }
+
+  if( 0 != strncmp(ucs4_utf8, tmp, len) ) {
+    fprintf(stdout, "Wrong conversion of much UCS-4 to UTF-8\n");
+    goto loser;
+  }
+
+  free(tmp); tmp = (void *)NULL;
+
+  /* UTF-8 -> UCS-2 */
+  len = sizeof(ucs2)/sizeof(ucs2[0]) * sizeof(PRUint16);
+  tmp = calloc(len, 1);
+  if( (void *)NULL == tmp ) {
+    fprintf(stderr, "out of memory\n");
+    exit(1);
+  }
+
+  result = sec_port_ucs2_utf8_conversion_function(PR_TRUE,
+    ucs2_utf8, strlen(ucs2_utf8), tmp, len, &lenout);
+  if( !result ) {
+    fprintf(stdout, "Failed to convert much UTF-8 to UCS-2\n");
+    goto done;
+  }
+
+  if( lenout != len ) {
+    fprintf(stdout, "Unexpected length converting much UTF-8 to UCS-2\n");
+    goto loser;
+  }
+
+  if( 0 != memcmp(ucs2s, tmp, len) ) {
+    fprintf(stdout, "Wrong conversion of much UTF-8 to UCS-2\n");
+    goto loser;
+  }
+
+  free(tmp); tmp = (void *)NULL;
+
+  /* UCS-2 -> UTF-8 */
+  len = strlen(ucs2_utf8);
+  tmp = calloc(len, 1);
+  if( (void *)NULL == tmp ) {
+    fprintf(stderr, "out of memory\n");
+    exit(1);
+  }
+
+  result = sec_port_ucs2_utf8_conversion_function(PR_FALSE,
+    (unsigned char *)ucs2s, sizeof(ucs2)/sizeof(ucs2[0]) * sizeof(PRUint16), 
+    tmp, len, &lenout);
+  if( !result ) {
+    fprintf(stdout, "Failed to convert much UCS-2 to UTF-8\n");
+    goto done;
+  }
+
+  if( lenout != len ) {
+    fprintf(stdout, "Unexpected length converting much UCS-2 to UTF-8\n");
+    goto loser;
+  }
+
+  if( 0 != strncmp(ucs2_utf8, tmp, len) ) {
+    fprintf(stdout, "Wrong conversion of much UCS-2 to UTF-8\n");
+    goto loser;
+  }
+
+#ifdef UTF16
+  /* implement me */
+#endif /* UTF16 */
+
+  result = PR_TRUE;
+  goto done;
+
+ loser:
+  result = PR_FALSE;
+ done:
+  free(ucs4s);
+  free(ucs4_utf8);
+  free(ucs2s);
+  free(ucs2_utf8);
+  if( (void *)NULL != tmp ) free(tmp);
+  return result;
+}
+
+void
+byte_order
+(
+  void
+)
+{
+  /*
+   * The implementation (now) expects the 16- and 32-bit characters
+   * to be in network byte order, not host byte order.  Therefore I
+   * have to byteswap all those test vectors above.  hton[ls] may be
+   * functions, so I have to do this dynamically.  If you want to 
+   * use this code to do host byte order conversions, just remove
+   * the call in main() to this function.
+   */
+
+  int i;
+
+  for( i = 0; i < sizeof(ucs4)/sizeof(ucs4[0]); i++ ) {
+    struct ucs4 *e = &ucs4[i];
+    e->c = htonl(e->c);
+  }
+
+  for( i = 0; i < sizeof(ucs2)/sizeof(ucs2[0]); i++ ) {
+    struct ucs2 *e = &ucs2[i];
+    e->c = htons(e->c);
+  }
+
+#ifdef UTF16
+  for( i = 0; i < sizeof(utf16)/sizeof(utf16[0]); i++ ) {
+    struct utf16 *e = &utf16[i];
+    e->c = htonl(e->c);
+    e->w[0] = htons(e->w[0]);
+    e->w[1] = htons(e->w[1]);
+  }
+#endif /* UTF16 */
+
+  return;
+}
+
+int
+main
+(
+  int argc,
+  char *argv[]
+)
+{
+  byte_order();
+
+  if( test_ucs4_chars() &&
+      test_ucs2_chars() &&
+#ifdef UTF16
+      test_utf16_chars() &&
+#endif /* UTF16 */
+      test_zeroes() &&
+      test_multichars() &&
+      PR_TRUE ) {
+    fprintf(stderr, "PASS\n");
+    return 1;
+  } else {
+    fprintf(stderr, "FAIL\n");
+    return 0;
+  }
+}
+
+#endif /* TEST_UTF8 */
diff --git a/security/nss/lib/util/watcomfx.h b/security/nss/lib/util/watcomfx.h
new file mode 100644
index 000000000..bc1d20f72
--- /dev/null
+++ b/security/nss/lib/util/watcomfx.h
@@ -0,0 +1,59 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ * 
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ * 
+ * The Original Code is the Netscape security libraries.
+ * 
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are 
+ * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
+ * Rights Reserved.
+ * 
+ * Contributor(s):
+ * 
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable 
+ * instead of those above.  If you wish to allow use of your 
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL.  If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+
+#if defined(__WATCOMC__) || defined(__WATCOM_CPLUSPLUS__)
+#ifndef __WATCOM_FIX_H__
+#define __WATCOM_FIX_H__ 1
+/*
+ * WATCOM's C compiler doesn't default to "__cdecl" conventions for external
+ * symbols and functions.  Rather than adding an explicit __cdecl modifier to 
+ * every external symbol and function declaration and definition, we use the 
+ * following pragma to (attempt to) change WATCOM c's default to __cdecl.
+ * These pragmas were taken from pages 180-181, 266 & 269 of the 
+ * Watcom C/C++ version 11 User's Guide, 3rd edition.
+ */
+#if defined(XP_WIN16) || defined(WIN16) 
+#pragma aux default "_*" \
+	parm caller [] \
+	value struct float struct routine [ax] \
+	modify [ax bx cx dx es]
+#else
+#pragma aux default "_*" \
+	parm caller [] \
+	value struct float struct routine [eax] \
+	modify [eax ecx edx]
+#endif
+#pragma aux default far
+
+#endif /* once */
+#endif /* WATCOM compiler */